1 diff -urNp linux-2.6.37/arch/alpha/include/asm/dma-mapping.h linux-2.6.37/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.37/arch/alpha/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
3 +++ linux-2.6.37/arch/alpha/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.37/arch/alpha/include/asm/elf.h linux-2.6.37/arch/alpha/include/asm/elf.h
17 --- linux-2.6.37/arch/alpha/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
18 +++ linux-2.6.37/arch/alpha/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.37/arch/alpha/include/asm/pgtable.h linux-2.6.37/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.37/arch/alpha/include/asm/pgtable.h 2011-01-04 19:50:19.000000000 -0500
35 +++ linux-2.6.37/arch/alpha/include/asm/pgtable.h 2011-01-17 02:41:00.000000000 -0500
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.37/arch/alpha/kernel/module.c linux-2.6.37/arch/alpha/kernel/module.c
55 --- linux-2.6.37/arch/alpha/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
56 +++ linux-2.6.37/arch/alpha/kernel/module.c 2011-01-17 02:41:00.000000000 -0500
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
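Review bot: The context comment above the changed `gp` line still speaks of "the segment", while the new expression is computed from `me->module_core_rw + me->core_size_rw`, so the comment no longer says which region it relies on. I would reword it to `/* The small sections were sorted to the end of the writable core region (module_core_rw). */`. Whether the module layout code really places the small-data sections last in that region is not visible in this hunk and should be confirmed, because a wrong `gp` makes GP-relative relocations resolve to the wrong addresses. The body of apply_relocate_add starts and ends outside the hunk.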
66 diff -urNp linux-2.6.37/arch/alpha/kernel/osf_sys.c linux-2.6.37/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.37/arch/alpha/kernel/osf_sys.c 2011-01-04 19:50:19.000000000 -0500
68 +++ linux-2.6.37/arch/alpha/kernel/osf_sys.c 2011-01-17 02:41:00.000000000 -0500
69 @@ -1165,7 +1165,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
78 @@ -1201,6 +1201,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1208,8 +1212,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
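Review bot: The comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` is now stale, because the call below it passes `PAGE_ALIGN(current->mm->mmap_base)` instead of the constant. Suggest `/* Next, try allocating at current->mm->mmap_base. */`, so that a later reader does not "fix" the code back to the fixed base and lose whatever per-process placement `mmap_base` carries. Only part of arch_get_unmapped_area is visible in this hunk.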
100 diff -urNp linux-2.6.37/arch/alpha/kernel/pci_iommu.c linux-2.6.37/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.37/arch/alpha/kernel/pci_iommu.c 2011-01-04 19:50:19.000000000 -0500
102 +++ linux-2.6.37/arch/alpha/kernel/pci_iommu.c 2011-01-17 02:41:00.000000000 -0500
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.37/arch/alpha/kernel/pci-noop.c linux-2.6.37/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.37/arch/alpha/kernel/pci-noop.c 2011-01-04 19:50:19.000000000 -0500
121 +++ linux-2.6.37/arch/alpha/kernel/pci-noop.c 2011-01-17 02:41:00.000000000 -0500
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.37/arch/alpha/mm/fault.c linux-2.6.37/arch/alpha/mm/fault.c
141 --- linux-2.6.37/arch/alpha/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
142 +++ linux-2.6.37/arch/alpha/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
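Review bot: The `get_user()` calls in pax_handle_fetch_fault and pax_report_insns cast user addresses with plain `(unsigned int *)regs->pc` and `(unsigned int *)pc+i`, without the `__user` annotation, so sparse cannot check these accesses; the ARM pax_report_insns in this same patch uses `(__force unsigned char __user *)pc+i`. I would write them as `(unsigned int __user *)regs->pc` and `(__force unsigned int __user *)pc+i`. The instruction-matching constants (`0x277B0000U`, `0xA77B0000U`, `0x6BFB0000U`, `0xC3E00000U` and the rest) also deserve a one-line comment each naming the Alpha instruction they encode, since the emulation is only safe if it matches exactly the intended PLT sequences and nothing broader. Several lines of the hunk (braces, the `err` checks, the return statements) are not visible in this view, so the error handling could not be reviewed.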
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
299 diff -urNp linux-2.6.37/arch/arm/include/asm/elf.h linux-2.6.37/arch/arm/include/asm/elf.h
300 --- linux-2.6.37/arch/arm/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
301 +++ linux-2.6.37/arch/arm/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
302 @@ -113,7 +113,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
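Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` compare the whole personality word, `current->personality == PER_LINUX_32BIT`, so a 32-bit task with any additional personality flag bit set would fail the comparison and get 10 instead of 16. The alpha definitions in this patch test the flag instead (`current->personality & ADDR_LIMIT_32BIT`); if the intent is "task has a 32-bit address space", the same form looks safer here: `#define PAX_DELTA_MMAP_LEN ((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)`, and likewise for the stack macro. A short comment saying what the two values mean (presumably the number of randomized address bits, which the hunk does not state) would also help.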
318 @@ -123,10 +130,6 @@ int dump_task_regs(struct task_struct *t
319 extern void elf_set_personality(const struct elf32_hdr *);
320 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
323 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
324 -#define arch_randomize_brk arch_randomize_brk
326 extern int vectors_user_mapping(void);
327 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
328 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
329 diff -urNp linux-2.6.37/arch/arm/include/asm/kmap_types.h linux-2.6.37/arch/arm/include/asm/kmap_types.h
330 --- linux-2.6.37/arch/arm/include/asm/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
331 +++ linux-2.6.37/arch/arm/include/asm/kmap_types.h 2011-01-17 02:41:00.000000000 -0500
332 @@ -21,6 +21,7 @@ enum km_type {
340 diff -urNp linux-2.6.37/arch/arm/include/asm/uaccess.h linux-2.6.37/arch/arm/include/asm/uaccess.h
341 --- linux-2.6.37/arch/arm/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
342 +++ linux-2.6.37/arch/arm/include/asm/uaccess.h 2011-01-17 02:41:00.000000000 -0500
343 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
345 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
350 if (access_ok(VERIFY_READ, from, n))
351 n = __copy_from_user(to, from, n);
352 else /* security hole - plug it */
353 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
355 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
360 if (access_ok(VERIFY_WRITE, to, n))
361 n = __copy_to_user(to, from, n);
363 diff -urNp linux-2.6.37/arch/arm/kernel/kgdb.c linux-2.6.37/arch/arm/kernel/kgdb.c
364 --- linux-2.6.37/arch/arm/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
365 +++ linux-2.6.37/arch/arm/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
366 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
367 * and we handle the normal undef case within the do_undefinstr
370 -struct kgdb_arch arch_kgdb_ops = {
371 +const struct kgdb_arch arch_kgdb_ops = {
373 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
374 #else /* ! __ARMEB__ */
375 diff -urNp linux-2.6.37/arch/arm/kernel/process.c linux-2.6.37/arch/arm/kernel/process.c
376 --- linux-2.6.37/arch/arm/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
377 +++ linux-2.6.37/arch/arm/kernel/process.c 2011-01-17 02:41:00.000000000 -0500
379 #include <linux/tick.h>
380 #include <linux/utsname.h>
381 #include <linux/uaccess.h>
382 -#include <linux/random.h>
383 #include <linux/hw_breakpoint.h>
385 #include <asm/cacheflush.h>
386 @@ -477,12 +476,6 @@ unsigned long get_wchan(struct task_stru
390 -unsigned long arch_randomize_brk(struct mm_struct *mm)
392 - unsigned long range_end = mm->brk + 0x02000000;
393 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
397 * The vectors page is always readable from user space for the
398 * atomic helpers and the signal restart code. Let's declare a mapping
399 diff -urNp linux-2.6.37/arch/arm/mach-at91/pm.c linux-2.6.37/arch/arm/mach-at91/pm.c
400 --- linux-2.6.37/arch/arm/mach-at91/pm.c 2011-01-04 19:50:19.000000000 -0500
401 +++ linux-2.6.37/arch/arm/mach-at91/pm.c 2011-01-17 02:41:00.000000000 -0500
402 @@ -301,7 +301,7 @@ static void at91_pm_end(void)
406 -static struct platform_suspend_ops at91_pm_ops ={
407 +static const struct platform_suspend_ops at91_pm_ops ={
408 .valid = at91_pm_valid_state,
409 .begin = at91_pm_begin,
410 .enter = at91_pm_enter,
411 diff -urNp linux-2.6.37/arch/arm/mach-davinci/pm.c linux-2.6.37/arch/arm/mach-davinci/pm.c
412 --- linux-2.6.37/arch/arm/mach-davinci/pm.c 2011-01-04 19:50:19.000000000 -0500
413 +++ linux-2.6.37/arch/arm/mach-davinci/pm.c 2011-01-17 02:41:00.000000000 -0500
414 @@ -110,7 +110,7 @@ static int davinci_pm_enter(suspend_stat
418 -static struct platform_suspend_ops davinci_pm_ops = {
419 +static const struct platform_suspend_ops davinci_pm_ops = {
420 .enter = davinci_pm_enter,
421 .valid = suspend_valid_only_mem,
423 diff -urNp linux-2.6.37/arch/arm/mach-imx/pm-imx27.c linux-2.6.37/arch/arm/mach-imx/pm-imx27.c
424 --- linux-2.6.37/arch/arm/mach-imx/pm-imx27.c 2011-01-04 19:50:19.000000000 -0500
425 +++ linux-2.6.37/arch/arm/mach-imx/pm-imx27.c 2011-01-17 02:41:00.000000000 -0500
426 @@ -32,7 +32,7 @@ static int mx27_suspend_enter(suspend_st
430 -static struct platform_suspend_ops mx27_suspend_ops = {
431 +static const struct platform_suspend_ops mx27_suspend_ops = {
432 .enter = mx27_suspend_enter,
433 .valid = suspend_valid_only_mem,
435 diff -urNp linux-2.6.37/arch/arm/mach-lpc32xx/pm.c linux-2.6.37/arch/arm/mach-lpc32xx/pm.c
436 --- linux-2.6.37/arch/arm/mach-lpc32xx/pm.c 2011-01-04 19:50:19.000000000 -0500
437 +++ linux-2.6.37/arch/arm/mach-lpc32xx/pm.c 2011-01-17 02:41:00.000000000 -0500
438 @@ -123,7 +123,7 @@ static int lpc32xx_pm_enter(suspend_stat
442 -static struct platform_suspend_ops lpc32xx_pm_ops = {
443 +static const struct platform_suspend_ops lpc32xx_pm_ops = {
444 .valid = suspend_valid_only_mem,
445 .enter = lpc32xx_pm_enter,
447 diff -urNp linux-2.6.37/arch/arm/mach-msm/last_radio_log.c linux-2.6.37/arch/arm/mach-msm/last_radio_log.c
448 --- linux-2.6.37/arch/arm/mach-msm/last_radio_log.c 2011-01-04 19:50:19.000000000 -0500
449 +++ linux-2.6.37/arch/arm/mach-msm/last_radio_log.c 2011-01-17 02:41:00.000000000 -0500
450 @@ -47,6 +47,7 @@ static ssize_t last_radio_log_read(struc
454 +/* cannot be const, see msm_init_last_radio_log */
455 static struct file_operations last_radio_log_fops = {
456 .read = last_radio_log_read,
457 .llseek = default_llseek,
458 diff -urNp linux-2.6.37/arch/arm/mach-omap1/pm.c linux-2.6.37/arch/arm/mach-omap1/pm.c
459 --- linux-2.6.37/arch/arm/mach-omap1/pm.c 2011-01-04 19:50:19.000000000 -0500
460 +++ linux-2.6.37/arch/arm/mach-omap1/pm.c 2011-01-17 02:41:00.000000000 -0500
461 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
465 -static struct platform_suspend_ops omap_pm_ops ={
466 +static const struct platform_suspend_ops omap_pm_ops ={
467 .prepare = omap_pm_prepare,
468 .enter = omap_pm_enter,
469 .finish = omap_pm_finish,
470 diff -urNp linux-2.6.37/arch/arm/mach-omap2/pm24xx.c linux-2.6.37/arch/arm/mach-omap2/pm24xx.c
471 --- linux-2.6.37/arch/arm/mach-omap2/pm24xx.c 2011-01-04 19:50:19.000000000 -0500
472 +++ linux-2.6.37/arch/arm/mach-omap2/pm24xx.c 2011-01-17 02:41:00.000000000 -0500
473 @@ -359,7 +359,7 @@ static void omap2_pm_end(void)
474 suspend_state = PM_SUSPEND_ON;
477 -static struct platform_suspend_ops omap_pm_ops = {
478 +static const struct platform_suspend_ops omap_pm_ops = {
479 .begin = omap2_pm_begin,
480 .prepare = omap2_pm_prepare,
481 .enter = omap2_pm_enter,
482 diff -urNp linux-2.6.37/arch/arm/mach-omap2/pm34xx.c linux-2.6.37/arch/arm/mach-omap2/pm34xx.c
483 --- linux-2.6.37/arch/arm/mach-omap2/pm34xx.c 2011-01-04 19:50:19.000000000 -0500
484 +++ linux-2.6.37/arch/arm/mach-omap2/pm34xx.c 2011-01-17 02:41:00.000000000 -0500
485 @@ -617,7 +617,7 @@ static void omap3_pm_end(void)
489 -static struct platform_suspend_ops omap_pm_ops = {
490 +static const struct platform_suspend_ops omap_pm_ops = {
491 .begin = omap3_pm_begin,
493 .prepare = omap3_pm_prepare,
494 diff -urNp linux-2.6.37/arch/arm/mach-omap2/pm44xx.c linux-2.6.37/arch/arm/mach-omap2/pm44xx.c
495 --- linux-2.6.37/arch/arm/mach-omap2/pm44xx.c 2011-01-04 19:50:19.000000000 -0500
496 +++ linux-2.6.37/arch/arm/mach-omap2/pm44xx.c 2011-01-17 02:41:00.000000000 -0500
497 @@ -75,7 +75,7 @@ static void omap4_pm_end(void)
501 -static struct platform_suspend_ops omap_pm_ops = {
502 +static const struct platform_suspend_ops omap_pm_ops = {
503 .begin = omap4_pm_begin,
505 .prepare = omap4_pm_prepare,
506 diff -urNp linux-2.6.37/arch/arm/mach-pnx4008/pm.c linux-2.6.37/arch/arm/mach-pnx4008/pm.c
507 --- linux-2.6.37/arch/arm/mach-pnx4008/pm.c 2011-01-04 19:50:19.000000000 -0500
508 +++ linux-2.6.37/arch/arm/mach-pnx4008/pm.c 2011-01-17 02:41:00.000000000 -0500
509 @@ -119,7 +119,7 @@ static int pnx4008_pm_valid(suspend_stat
510 (state == PM_SUSPEND_MEM);
513 -static struct platform_suspend_ops pnx4008_pm_ops = {
514 +static const struct platform_suspend_ops pnx4008_pm_ops = {
515 .enter = pnx4008_pm_enter,
516 .valid = pnx4008_pm_valid,
518 diff -urNp linux-2.6.37/arch/arm/mach-pxa/pm.c linux-2.6.37/arch/arm/mach-pxa/pm.c
519 --- linux-2.6.37/arch/arm/mach-pxa/pm.c 2011-01-04 19:50:19.000000000 -0500
520 +++ linux-2.6.37/arch/arm/mach-pxa/pm.c 2011-01-17 02:41:00.000000000 -0500
521 @@ -96,7 +96,7 @@ void pxa_pm_finish(void)
522 pxa_cpu_pm_fns->finish();
525 -static struct platform_suspend_ops pxa_pm_ops = {
526 +static const struct platform_suspend_ops pxa_pm_ops = {
527 .valid = pxa_pm_valid,
528 .enter = pxa_pm_enter,
529 .prepare = pxa_pm_prepare,
530 diff -urNp linux-2.6.37/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.37/arch/arm/mach-pxa/sharpsl_pm.c
531 --- linux-2.6.37/arch/arm/mach-pxa/sharpsl_pm.c 2011-01-04 19:50:19.000000000 -0500
532 +++ linux-2.6.37/arch/arm/mach-pxa/sharpsl_pm.c 2011-01-17 02:41:00.000000000 -0500
533 @@ -868,7 +868,7 @@ static void sharpsl_apm_get_power_status
537 -static struct platform_suspend_ops sharpsl_pm_ops = {
538 +static const struct platform_suspend_ops sharpsl_pm_ops = {
539 .prepare = pxa_pm_prepare,
540 .finish = pxa_pm_finish,
541 .enter = corgi_pxa_pm_enter,
542 diff -urNp linux-2.6.37/arch/arm/mach-sa1100/pm.c linux-2.6.37/arch/arm/mach-sa1100/pm.c
543 --- linux-2.6.37/arch/arm/mach-sa1100/pm.c 2011-01-04 19:50:19.000000000 -0500
544 +++ linux-2.6.37/arch/arm/mach-sa1100/pm.c 2011-01-17 02:41:00.000000000 -0500
545 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
546 return virt_to_phys(sp);
549 -static struct platform_suspend_ops sa11x0_pm_ops = {
550 +static const struct platform_suspend_ops sa11x0_pm_ops = {
551 .enter = sa11x0_pm_enter,
552 .valid = suspend_valid_only_mem,
554 diff -urNp linux-2.6.37/arch/arm/mm/fault.c linux-2.6.37/arch/arm/mm/fault.c
555 --- linux-2.6.37/arch/arm/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
556 +++ linux-2.6.37/arch/arm/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
557 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
561 +#ifdef CONFIG_PAX_PAGEEXEC
562 + if (fsr & FSR_LNX_PF) {
563 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
564 + do_group_exit(SIGKILL);
568 tsk->thread.address = addr;
569 tsk->thread.error_code = fsr;
570 tsk->thread.trap_no = 14;
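Review bot: The added block in __do_user_fault kills the task on `fsr & FSR_LNX_PF` alone; unlike the alpha and avr32 handlers in this patch, it does not test `mm->pax_flags & MF_PAX_PAGEEXEC`, so the per-task setting appears not to be consulted on ARM. As written, every user-mode prefetch fault that reaches this function would end in `do_group_exit(SIGKILL)` rather than the signal path below it, including a jump to an unmapped address in a task that has the feature turned off. If that is not intended, guard it: `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`. The function body starts and ends outside the hunk, so an earlier check may exist that is not visible here.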
571 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
573 #endif /* CONFIG_MMU */
575 +#ifdef CONFIG_PAX_PAGEEXEC
576 +void pax_report_insns(void *pc, void *sp)
580 + printk(KERN_ERR "PAX: bytes at PC: ");
581 + for (i = 0; i < 20; i++) {
583 + if (get_user(c, (__force unsigned char __user *)pc+i))
584 + printk(KERN_CONT "?? ");
586 + printk(KERN_CONT "%02x ", c);
590 + printk(KERN_ERR "PAX: bytes at SP-4: ");
591 + for (i = -1; i < 20; i++) {
593 + if (get_user(c, (__force unsigned long __user *)sp+i))
594 + printk(KERN_CONT "???????? ");
596 + printk(KERN_CONT "%08lx ", c);
603 * First Level Translation Fault Handler
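Review bot: pax_report_insns copies 20 bytes at the faulting PC and 21 words of the user stack (`for (i = -1; i < 20; i++)`) into the kernel log at `KERN_ERR`, and nothing in the hunk documents that this is process memory which may hold secrets. A header comment should say so, for example `/* Dumps user code bytes and stack words of the offending task to the kernel log; restrict log access (dmesg_restrict) on multi-user systems. */`. The declarations of `i` and `c` are not visible in this view, so the match between the `%02x` / `%08lx` formats and the variable types could not be checked.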
605 diff -urNp linux-2.6.37/arch/arm/mm/mmap.c linux-2.6.37/arch/arm/mm/mmap.c
606 --- linux-2.6.37/arch/arm/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
607 +++ linux-2.6.37/arch/arm/mm/mmap.c 2011-01-17 02:41:00.000000000 -0500
608 @@ -64,6 +64,10 @@ arch_get_unmapped_area(struct file *filp
612 +#ifdef CONFIG_PAX_RANDMMAP
613 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
618 addr = COLOUR_ALIGN(addr, pgoff);
619 @@ -71,15 +75,14 @@ arch_get_unmapped_area(struct file *filp
620 addr = PAGE_ALIGN(addr);
622 vma = find_vma(mm, addr);
623 - if (TASK_SIZE - len >= addr &&
624 - (!vma || addr + len <= vma->vm_start))
625 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
628 if (len > mm->cached_hole_size) {
629 - start_addr = addr = mm->free_area_cache;
630 + start_addr = addr = mm->free_area_cache;
632 - start_addr = addr = TASK_UNMAPPED_BASE;
633 - mm->cached_hole_size = 0;
634 + start_addr = addr = mm->mmap_base;
635 + mm->cached_hole_size = 0;
637 /* 8 bits of randomness in 20 address space bits */
638 if (current->flags & PF_RANDOMIZE)
639 @@ -98,14 +101,14 @@ full_search:
640 * Start a new search - just in case we missed
643 - if (start_addr != TASK_UNMAPPED_BASE) {
644 - start_addr = addr = TASK_UNMAPPED_BASE;
645 + if (start_addr != mm->mmap_base) {
646 + start_addr = addr = mm->mmap_base;
647 mm->cached_hole_size = 0;
652 - if (!vma || addr + len <= vma->vm_start) {
653 + if (check_heap_stack_gap(vma, addr, len)) {
655 * Remember the place where we stopped the search:
657 diff -urNp linux-2.6.37/arch/arm/plat-samsung/pm.c linux-2.6.37/arch/arm/plat-samsung/pm.c
658 --- linux-2.6.37/arch/arm/plat-samsung/pm.c 2011-01-04 19:50:19.000000000 -0500
659 +++ linux-2.6.37/arch/arm/plat-samsung/pm.c 2011-01-17 02:41:00.000000000 -0500
660 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
661 s3c_pm_check_cleanup();
664 -static struct platform_suspend_ops s3c_pm_ops = {
665 +static const struct platform_suspend_ops s3c_pm_ops = {
666 .enter = s3c_pm_enter,
667 .prepare = s3c_pm_prepare,
668 .finish = s3c_pm_finish,
669 diff -urNp linux-2.6.37/arch/avr32/include/asm/elf.h linux-2.6.37/arch/avr32/include/asm/elf.h
670 --- linux-2.6.37/arch/avr32/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
671 +++ linux-2.6.37/arch/avr32/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
672 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
673 the loader. We need to make sure that it is out of the way of the program
674 that it will "exec", and that there is sufficient room for the brk. */
676 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
677 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
679 +#ifdef CONFIG_PAX_ASLR
680 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
682 +#define PAX_DELTA_MMAP_LEN 15
683 +#define PAX_DELTA_STACK_LEN 15
686 /* This yields a mask that user programs can use to figure out what
687 instruction set this CPU supports. This could be done in user space,
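Review bot: The rewrite of `ELF_ET_DYN_BASE` from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` carries no comment explaining why the operand order matters. Presumably `2 * TASK_SIZE` can wrap in 32-bit arithmetic when TASK_SIZE is 2 GiB or more, while dividing first cannot; the value of TASK_SIZE is not visible here. A one-line comment such as `/* divide first: 2 * TASK_SIZE may overflow unsigned long */` would stop a later cleanup from restoring the old form. The same change in the ARM elf.h hunk of this patch would benefit from the same comment.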
688 diff -urNp linux-2.6.37/arch/avr32/include/asm/kmap_types.h linux-2.6.37/arch/avr32/include/asm/kmap_types.h
689 --- linux-2.6.37/arch/avr32/include/asm/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
690 +++ linux-2.6.37/arch/avr32/include/asm/kmap_types.h 2011-01-17 02:41:00.000000000 -0500
691 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
701 diff -urNp linux-2.6.37/arch/avr32/mach-at32ap/pm.c linux-2.6.37/arch/avr32/mach-at32ap/pm.c
702 --- linux-2.6.37/arch/avr32/mach-at32ap/pm.c 2011-01-04 19:50:19.000000000 -0500
703 +++ linux-2.6.37/arch/avr32/mach-at32ap/pm.c 2011-01-17 02:41:00.000000000 -0500
704 @@ -176,7 +176,7 @@ out:
708 -static struct platform_suspend_ops avr32_pm_ops = {
709 +static const struct platform_suspend_ops avr32_pm_ops = {
710 .valid = avr32_pm_valid_state,
711 .enter = avr32_pm_enter,
713 diff -urNp linux-2.6.37/arch/avr32/mm/fault.c linux-2.6.37/arch/avr32/mm/fault.c
714 --- linux-2.6.37/arch/avr32/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
715 +++ linux-2.6.37/arch/avr32/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
716 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
718 int exception_trace = 1;
720 +#ifdef CONFIG_PAX_PAGEEXEC
721 +void pax_report_insns(void *pc, void *sp)
725 + printk(KERN_ERR "PAX: bytes at PC: ");
726 + for (i = 0; i < 20; i++) {
728 + if (get_user(c, (unsigned char *)pc+i))
729 + printk(KERN_CONT "???????? ");
731 + printk(KERN_CONT "%02x ", c);
738 * This routine handles page faults. It determines the address and the
739 * problem, and then passes it off to one of the appropriate routines.
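Review bot: In pax_report_insns the loop reads one byte at a time (`(unsigned char *)pc+i`) and prints it with `"%02x "`, but the failure branch prints `"???????? "`, eight characters for a two-digit field; the ARM version in this patch prints `"?? "` in the same place. Change it to `printk(KERN_CONT "?? ");` so the dump stays aligned when a byte is unreadable. The cast also lacks the user-pointer annotation that the ARM version carries; `(__force unsigned char __user *)pc+i` would let sparse check the access.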
740 @@ -156,6 +173,16 @@ bad_area:
741 up_read(&mm->mmap_sem);
743 if (user_mode(regs)) {
745 +#ifdef CONFIG_PAX_PAGEEXEC
746 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
747 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
748 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
749 + do_group_exit(SIGKILL);
754 if (exception_trace && printk_ratelimit())
755 printk("%s%s[%d]: segfault at %08lx pc %08lx "
756 "sp %08lx ecr %lu\n",
757 diff -urNp linux-2.6.37/arch/blackfin/kernel/kgdb.c linux-2.6.37/arch/blackfin/kernel/kgdb.c
758 --- linux-2.6.37/arch/blackfin/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
759 +++ linux-2.6.37/arch/blackfin/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
760 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
761 return -1; /* this means that we do not want to exit from the handler */
764 -struct kgdb_arch arch_kgdb_ops = {
765 +const struct kgdb_arch arch_kgdb_ops = {
766 .gdb_bpt_instr = {0xa1},
768 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
769 diff -urNp linux-2.6.37/arch/blackfin/mach-common/pm.c linux-2.6.37/arch/blackfin/mach-common/pm.c
770 --- linux-2.6.37/arch/blackfin/mach-common/pm.c 2011-01-04 19:50:19.000000000 -0500
771 +++ linux-2.6.37/arch/blackfin/mach-common/pm.c 2011-01-17 02:41:00.000000000 -0500
772 @@ -233,7 +233,7 @@ static int bfin_pm_enter(suspend_state_t
776 -struct platform_suspend_ops bfin_pm_ops = {
777 +const struct platform_suspend_ops bfin_pm_ops = {
778 .enter = bfin_pm_enter,
779 .valid = bfin_pm_valid,
781 diff -urNp linux-2.6.37/arch/blackfin/mm/maccess.c linux-2.6.37/arch/blackfin/mm/maccess.c
782 --- linux-2.6.37/arch/blackfin/mm/maccess.c 2011-01-04 19:50:19.000000000 -0500
783 +++ linux-2.6.37/arch/blackfin/mm/maccess.c 2011-01-17 02:41:00.000000000 -0500
784 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
785 return bfin_mem_access_type(addr, size);
788 -long probe_kernel_read(void *dst, void *src, size_t size)
789 +long probe_kernel_read(void *dst, const void *src, size_t size)
791 unsigned long lsrc = (unsigned long)src;
793 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
797 -long probe_kernel_write(void *dst, void *src, size_t size)
798 +long probe_kernel_write(void *dst, const void *src, size_t size)
800 unsigned long ldst = (unsigned long)dst;
802 diff -urNp linux-2.6.37/arch/frv/include/asm/kmap_types.h linux-2.6.37/arch/frv/include/asm/kmap_types.h
803 --- linux-2.6.37/arch/frv/include/asm/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
804 +++ linux-2.6.37/arch/frv/include/asm/kmap_types.h 2011-01-17 02:41:00.000000000 -0500
805 @@ -23,6 +23,7 @@ enum km_type {
813 diff -urNp linux-2.6.37/arch/frv/mm/elf-fdpic.c linux-2.6.37/arch/frv/mm/elf-fdpic.c
814 --- linux-2.6.37/arch/frv/mm/elf-fdpic.c 2011-01-04 19:50:19.000000000 -0500
815 +++ linux-2.6.37/arch/frv/mm/elf-fdpic.c 2011-01-17 02:41:00.000000000 -0500
816 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
818 addr = PAGE_ALIGN(addr);
819 vma = find_vma(current->mm, addr);
820 - if (TASK_SIZE - len >= addr &&
821 - (!vma || addr + len <= vma->vm_start))
822 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
826 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
827 for (; vma; vma = vma->vm_next) {
830 - if (addr + len <= vma->vm_start)
831 + if (check_heap_stack_gap(vma, addr, len))
835 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
836 for (; vma; vma = vma->vm_next) {
839 - if (addr + len <= vma->vm_start)
840 + if (check_heap_stack_gap(vma, addr, len))
844 diff -urNp linux-2.6.37/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.37/arch/ia64/hp/common/hwsw_iommu.c
845 --- linux-2.6.37/arch/ia64/hp/common/hwsw_iommu.c 2011-01-04 19:50:19.000000000 -0500
846 +++ linux-2.6.37/arch/ia64/hp/common/hwsw_iommu.c 2011-01-17 02:41:00.000000000 -0500
848 #include <linux/swiotlb.h>
849 #include <asm/machvec.h>
851 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
852 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
854 /* swiotlb declarations & definitions: */
855 extern int swiotlb_late_init_with_default_size (size_t size);
856 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
857 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
860 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
861 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
863 if (use_swiotlb(dev))
864 return &swiotlb_dma_ops;
865 diff -urNp linux-2.6.37/arch/ia64/hp/common/sba_iommu.c linux-2.6.37/arch/ia64/hp/common/sba_iommu.c
866 --- linux-2.6.37/arch/ia64/hp/common/sba_iommu.c 2011-01-04 19:50:19.000000000 -0500
867 +++ linux-2.6.37/arch/ia64/hp/common/sba_iommu.c 2011-01-17 02:41:00.000000000 -0500
868 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
872 -extern struct dma_map_ops swiotlb_dma_ops;
873 +extern const struct dma_map_ops swiotlb_dma_ops;
877 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
879 __setup("sbapagesize=",sba_page_override);
881 -struct dma_map_ops sba_dma_ops = {
882 +const struct dma_map_ops sba_dma_ops = {
883 .alloc_coherent = sba_alloc_coherent,
884 .free_coherent = sba_free_coherent,
885 .map_page = sba_map_page,
886 diff -urNp linux-2.6.37/arch/ia64/include/asm/dma-mapping.h linux-2.6.37/arch/ia64/include/asm/dma-mapping.h
887 --- linux-2.6.37/arch/ia64/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
888 +++ linux-2.6.37/arch/ia64/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
891 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
893 -extern struct dma_map_ops *dma_ops;
894 +extern const struct dma_map_ops *dma_ops;
895 extern struct ia64_machine_vector ia64_mv;
896 extern void set_iommu_machvec(void);
898 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
899 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
900 dma_addr_t *daddr, gfp_t gfp)
902 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
903 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
906 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
907 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
908 static inline void dma_free_coherent(struct device *dev, size_t size,
909 void *caddr, dma_addr_t daddr)
911 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
912 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
913 debug_dma_free_coherent(dev, size, caddr, daddr);
914 ops->free_coherent(dev, size, caddr, daddr);
916 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
918 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
920 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
921 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
922 return ops->mapping_error(dev, daddr);
925 static inline int dma_supported(struct device *dev, u64 mask)
927 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
928 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
929 return ops->dma_supported(dev, mask);
932 diff -urNp linux-2.6.37/arch/ia64/include/asm/elf.h linux-2.6.37/arch/ia64/include/asm/elf.h
933 --- linux-2.6.37/arch/ia64/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
934 +++ linux-2.6.37/arch/ia64/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
937 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
939 +#ifdef CONFIG_PAX_ASLR
940 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
942 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
943 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
946 #define PT_IA_64_UNWIND 0x70000001
948 /* IA-64 relocations: */
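Review bot: The three PAX_* macros in the CONFIG_PAX_ASLR block test `current->personality == PER_LINUX32`, an equality on the whole field, so a 32-bit task whose personality also carries flag bits would fall through to the 64-bit base and delta lengths. If that combination can occur on ia64, the test should mask first, e.g. `personality(current->personality) == PER_LINUX32`. A short comment saying where `3*PAGE_SHIFT - 13` comes from would also help, since the number of randomised bits is the security-relevant quantity in this block.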
949 diff -urNp linux-2.6.37/arch/ia64/include/asm/machvec.h linux-2.6.37/arch/ia64/include/asm/machvec.h
950 --- linux-2.6.37/arch/ia64/include/asm/machvec.h 2011-01-04 19:50:19.000000000 -0500
951 +++ linux-2.6.37/arch/ia64/include/asm/machvec.h 2011-01-17 02:41:00.000000000 -0500
952 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
953 /* DMA-mapping interface: */
954 typedef void ia64_mv_dma_init (void);
955 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
956 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
957 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
960 * WARNING: The legacy I/O space is _architected_. Platforms are
961 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
962 # endif /* CONFIG_IA64_GENERIC */
964 extern void swiotlb_dma_init(void);
965 -extern struct dma_map_ops *dma_get_ops(struct device *);
966 +extern const struct dma_map_ops *dma_get_ops(struct device *);
969 * Define default versions so we can extend machvec for new platforms without having
970 diff -urNp linux-2.6.37/arch/ia64/include/asm/pgtable.h linux-2.6.37/arch/ia64/include/asm/pgtable.h
971 --- linux-2.6.37/arch/ia64/include/asm/pgtable.h 2011-01-04 19:50:19.000000000 -0500
972 +++ linux-2.6.37/arch/ia64/include/asm/pgtable.h 2011-01-17 02:41:00.000000000 -0500
974 * David Mosberger-Tang <davidm@hpl.hp.com>
978 +#include <linux/const.h>
979 #include <asm/mman.h>
980 #include <asm/page.h>
981 #include <asm/processor.h>
983 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
984 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
985 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
987 +#ifdef CONFIG_PAX_PAGEEXEC
988 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
989 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
990 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
992 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
993 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
994 +# define PAGE_COPY_NOEXEC PAGE_COPY
997 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
998 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
999 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
1000 diff -urNp linux-2.6.37/arch/ia64/include/asm/uaccess.h linux-2.6.37/arch/ia64/include/asm/uaccess.h
1001 --- linux-2.6.37/arch/ia64/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
1002 +++ linux-2.6.37/arch/ia64/include/asm/uaccess.h 2011-01-17 02:41:00.000000000 -0500
1003 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1004 const void *__cu_from = (from); \
1005 long __cu_len = (n); \
1007 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1008 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1009 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1012 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1013 long __cu_len = (n); \
1015 __chk_user_ptr(__cu_from); \
1016 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1017 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1018 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
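Review bot: The new guard in both macros, `__cu_len > 0 && __cu_len <= INT_MAX`, has no comment saying why the bound is INT_MAX or what the caller receives when the guard fails. From the visible lines a rejected length leaves `__cu_len` untouched, so a negative value would come back as the "bytes not copied" result; callers that only test for non-zero are unaffected, but that contract should be written down. I would add `/* reject negative or oversized lengths before the range check; __cu_len is returned unchanged */` above each condition. Both macro bodies begin and end outside the hunks, so the reject path could not be checked in full.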
1021 diff -urNp linux-2.6.37/arch/ia64/kernel/dma-mapping.c linux-2.6.37/arch/ia64/kernel/dma-mapping.c
1022 --- linux-2.6.37/arch/ia64/kernel/dma-mapping.c 2011-01-04 19:50:19.000000000 -0500
1023 +++ linux-2.6.37/arch/ia64/kernel/dma-mapping.c 2011-01-17 02:41:00.000000000 -0500
1025 /* Set this to 1 if there is a HW IOMMU in the system */
1026 int iommu_detected __read_mostly;
1028 -struct dma_map_ops *dma_ops;
1029 +const struct dma_map_ops *dma_ops;
1030 EXPORT_SYMBOL(dma_ops);
1032 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1033 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1035 fs_initcall(dma_init);
1037 -struct dma_map_ops *dma_get_ops(struct device *dev)
1038 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1042 diff -urNp linux-2.6.37/arch/ia64/kernel/module.c linux-2.6.37/arch/ia64/kernel/module.c
1043 --- linux-2.6.37/arch/ia64/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
1044 +++ linux-2.6.37/arch/ia64/kernel/module.c 2011-01-17 02:41:00.000000000 -0500
1045 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1047 module_free (struct module *mod, void *module_region)
1049 - if (mod && mod->arch.init_unw_table &&
1050 - module_region == mod->module_init) {
1051 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1052 unw_remove_unwind_table(mod->arch.init_unw_table);
1053 mod->arch.init_unw_table = NULL;
1055 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1059 +in_init_rx (const struct module *mod, uint64_t addr)
1061 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1065 +in_init_rw (const struct module *mod, uint64_t addr)
1067 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1071 in_init (const struct module *mod, uint64_t addr)
1073 - return addr - (uint64_t) mod->module_init < mod->init_size;
1074 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1078 +in_core_rx (const struct module *mod, uint64_t addr)
1080 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1084 +in_core_rw (const struct module *mod, uint64_t addr)
1086 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1090 in_core (const struct module *mod, uint64_t addr)
1092 - return addr - (uint64_t) mod->module_core < mod->core_size;
1093 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1097 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1101 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1102 + if (in_init_rx(mod, val))
1103 + val -= (uint64_t) mod->module_init_rx;
1104 + else if (in_init_rw(mod, val))
1105 + val -= (uint64_t) mod->module_init_rw;
1106 + else if (in_core_rx(mod, val))
1107 + val -= (uint64_t) mod->module_core_rx;
1108 + else if (in_core_rw(mod, val))
1109 + val -= (uint64_t) mod->module_core_rw;
1113 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1114 * addresses have been selected...
1117 - if (mod->core_size > MAX_LTOFF)
1118 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1120 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1121 * at the end of the module.
1123 - gp = mod->core_size - MAX_LTOFF / 2;
1124 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1126 - gp = mod->core_size / 2;
1127 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1128 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1129 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1131 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
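Review bot: In the do_reloc hunk the old expression always subtracted a base, falling back to `mod->module_core`, while the new `if`/`else if` chain, as far as the visible lines show, leaves `val` unchanged when the address lies in none of the four regions. A segment-relative relocation would then be applied with an absolute address and no diagnostic. I would close the chain with an explicit failure such as `else return -ENOEXEC;`, provided that matches the error convention used elsewhere in do_reloc. The function starts and ends outside the hunk, and this listing drops some lines, so a final `else` may exist that is not shown.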
1133 diff -urNp linux-2.6.37/arch/ia64/kernel/pci-dma.c linux-2.6.37/arch/ia64/kernel/pci-dma.c
1134 --- linux-2.6.37/arch/ia64/kernel/pci-dma.c 2011-01-04 19:50:19.000000000 -0500
1135 +++ linux-2.6.37/arch/ia64/kernel/pci-dma.c 2011-01-17 02:41:00.000000000 -0500
1136 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1137 .dma_mask = &fallback_dev.coherent_dma_mask,
1140 -extern struct dma_map_ops intel_dma_ops;
1141 +extern const struct dma_map_ops intel_dma_ops;
1143 static int __init pci_iommu_init(void)
1145 diff -urNp linux-2.6.37/arch/ia64/kernel/pci-swiotlb.c linux-2.6.37/arch/ia64/kernel/pci-swiotlb.c
1146 --- linux-2.6.37/arch/ia64/kernel/pci-swiotlb.c 2011-01-04 19:50:19.000000000 -0500
1147 +++ linux-2.6.37/arch/ia64/kernel/pci-swiotlb.c 2011-01-17 02:41:00.000000000 -0500
1148 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1149 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1152 -struct dma_map_ops swiotlb_dma_ops = {
1153 +const struct dma_map_ops swiotlb_dma_ops = {
1154 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1155 .free_coherent = swiotlb_free_coherent,
1156 .map_page = swiotlb_map_page,
1157 diff -urNp linux-2.6.37/arch/ia64/kernel/sys_ia64.c linux-2.6.37/arch/ia64/kernel/sys_ia64.c
1158 --- linux-2.6.37/arch/ia64/kernel/sys_ia64.c 2011-01-04 19:50:19.000000000 -0500
1159 +++ linux-2.6.37/arch/ia64/kernel/sys_ia64.c 2011-01-17 02:41:00.000000000 -0500
1160 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1161 if (REGION_NUMBER(addr) == RGN_HPAGE)
1165 +#ifdef CONFIG_PAX_RANDMMAP
1166 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1167 + addr = mm->free_area_cache;
1172 addr = mm->free_area_cache;
1174 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1175 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1176 /* At this point: (!vma || addr < vma->vm_end). */
1177 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1178 - if (start_addr != TASK_UNMAPPED_BASE) {
1179 + if (start_addr != mm->mmap_base) {
1180 /* Start a new search --- just in case we missed some holes. */
1181 - addr = TASK_UNMAPPED_BASE;
1182 + addr = mm->mmap_base;
1187 - if (!vma || addr + len <= vma->vm_start) {
1188 + if (check_heap_stack_gap(vma, addr, len)) {
1189 /* Remember the address where we stopped this search: */
1190 mm->free_area_cache = addr + len;
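Review bot: `check_heap_stack_gap(vma, addr, len)` replaces `!vma || addr + len <= vma->vm_start` in the search loop, so the helper has to accept a NULL `vma` and treat it as "no conflict"; its definition is not on this page. The same substitution is made in arch/ia64/mm/hugetlbpage.c and twice in arch/mips/kernel/syscall.c. A one-line comment at the call, `/* check_heap_stack_gap() must accept vma == NULL (end of the VMA list) */`, would keep it consistent with the loop-invariant comment above it. arch_get_unmapped_area continues outside the hunk.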
1192 diff -urNp linux-2.6.37/arch/ia64/kernel/vmlinux.lds.S linux-2.6.37/arch/ia64/kernel/vmlinux.lds.S
1193 --- linux-2.6.37/arch/ia64/kernel/vmlinux.lds.S 2011-01-04 19:50:19.000000000 -0500
1194 +++ linux-2.6.37/arch/ia64/kernel/vmlinux.lds.S 2011-01-17 02:41:00.000000000 -0500
1195 @@ -199,7 +199,7 @@ SECTIONS {
1197 . = ALIGN(PERCPU_PAGE_SIZE);
1198 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1199 - __phys_per_cpu_start = __per_cpu_load;
1200 + __phys_per_cpu_start = per_cpu_load;
1202 * ensure percpu data fits
1203 * into percpu page size
1204 diff -urNp linux-2.6.37/arch/ia64/mm/fault.c linux-2.6.37/arch/ia64/mm/fault.c
1205 --- linux-2.6.37/arch/ia64/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
1206 +++ linux-2.6.37/arch/ia64/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
1207 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1208 return pte_present(pte);
1211 +#ifdef CONFIG_PAX_PAGEEXEC
1212 +void pax_report_insns(void *pc, void *sp)
1216 + printk(KERN_ERR "PAX: bytes at PC: ");
1217 + for (i = 0; i < 8; i++) {
1219 + if (get_user(c, (unsigned int *)pc+i))
1220 + printk(KERN_CONT "???????? ");
1222 + printk(KERN_CONT "%08x ", c);
1229 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1231 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1232 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1233 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1235 - if ((vma->vm_flags & mask) != mask)
1236 + if ((vma->vm_flags & mask) != mask) {
1238 +#ifdef CONFIG_PAX_PAGEEXEC
1239 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1240 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1243 + up_read(&mm->mmap_sem);
1244 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1245 + do_group_exit(SIGKILL);
1254 * If for any reason at all we couldn't handle the fault, make
1255 * sure we exit gracefully rather than endlessly redo the
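Review bot: In pax_report_insns the user-space read is written `get_user(c, (unsigned int *)pc+i)`, which casts away the address-space annotation, so sparse cannot check that the pointer is only used through the uaccess helpers. Writing it as `get_user(c, (unsigned int __user *)pc + i)` keeps the annotation and makes it plain that `pc` is an untrusted user address. The function also has no comment; `/* dump the 8 words at the faulting user PC; unreadable words print as ???????? */` would cover it. Some lines of the function are not shown in this listing.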
1256 diff -urNp linux-2.6.37/arch/ia64/mm/hugetlbpage.c linux-2.6.37/arch/ia64/mm/hugetlbpage.c
1257 --- linux-2.6.37/arch/ia64/mm/hugetlbpage.c 2011-01-04 19:50:19.000000000 -0500
1258 +++ linux-2.6.37/arch/ia64/mm/hugetlbpage.c 2011-01-17 02:41:00.000000000 -0500
1259 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1260 /* At this point: (!vmm || addr < vmm->vm_end). */
1261 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1263 - if (!vmm || (addr + len) <= vmm->vm_start)
1264 + if (check_heap_stack_gap(vmm, addr, len))
1266 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1268 diff -urNp linux-2.6.37/arch/ia64/mm/init.c linux-2.6.37/arch/ia64/mm/init.c
1269 --- linux-2.6.37/arch/ia64/mm/init.c 2011-01-04 19:50:19.000000000 -0500
1270 +++ linux-2.6.37/arch/ia64/mm/init.c 2011-01-17 02:41:00.000000000 -0500
1271 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1272 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1273 vma->vm_end = vma->vm_start + PAGE_SIZE;
1274 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1276 +#ifdef CONFIG_PAX_PAGEEXEC
1277 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1278 + vma->vm_flags &= ~VM_EXEC;
1280 +#ifdef CONFIG_PAX_MPROTECT
1281 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1282 + vma->vm_flags &= ~VM_MAYEXEC;
1288 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1289 down_write(¤t->mm->mmap_sem);
1290 if (insert_vm_struct(current->mm, vma)) {
1291 diff -urNp linux-2.6.37/arch/ia64/sn/pci/pci_dma.c linux-2.6.37/arch/ia64/sn/pci/pci_dma.c
1292 --- linux-2.6.37/arch/ia64/sn/pci/pci_dma.c 2011-01-04 19:50:19.000000000 -0500
1293 +++ linux-2.6.37/arch/ia64/sn/pci/pci_dma.c 2011-01-17 02:41:00.000000000 -0500
1294 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1298 -static struct dma_map_ops sn_dma_ops = {
1299 +static const struct dma_map_ops sn_dma_ops = {
1300 .alloc_coherent = sn_dma_alloc_coherent,
1301 .free_coherent = sn_dma_free_coherent,
1302 .map_page = sn_dma_map_page,
1303 diff -urNp linux-2.6.37/arch/m32r/lib/usercopy.c linux-2.6.37/arch/m32r/lib/usercopy.c
1304 --- linux-2.6.37/arch/m32r/lib/usercopy.c 2011-01-04 19:50:19.000000000 -0500
1305 +++ linux-2.6.37/arch/m32r/lib/usercopy.c 2011-01-17 02:41:00.000000000 -0500
1308 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1314 if (access_ok(VERIFY_WRITE, to, n))
1315 __copy_user(to,from,n);
1316 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1318 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1324 if (access_ok(VERIFY_READ, from, n))
1325 __copy_user_zeroing(to,from,n);
1326 diff -urNp linux-2.6.37/arch/microblaze/include/asm/device.h linux-2.6.37/arch/microblaze/include/asm/device.h
1327 --- linux-2.6.37/arch/microblaze/include/asm/device.h 2011-01-04 19:50:19.000000000 -0500
1328 +++ linux-2.6.37/arch/microblaze/include/asm/device.h 2011-01-17 02:41:00.000000000 -0500
1329 @@ -13,7 +13,7 @@ struct device_node;
1331 struct dev_archdata {
1332 /* DMA operations on that device */
1333 - struct dma_map_ops *dma_ops;
1334 + const struct dma_map_ops *dma_ops;
1338 diff -urNp linux-2.6.37/arch/microblaze/include/asm/dma-mapping.h linux-2.6.37/arch/microblaze/include/asm/dma-mapping.h
1339 --- linux-2.6.37/arch/microblaze/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
1340 +++ linux-2.6.37/arch/microblaze/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
1341 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1342 return 0xfffffffful;
1345 -extern struct dma_map_ops *dma_ops;
1346 +extern const struct dma_map_ops *dma_ops;
1349 * Available generic sets of operations
1351 -extern struct dma_map_ops dma_direct_ops;
1352 +extern const struct dma_map_ops dma_direct_ops;
1354 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1355 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1357 /* We don't handle the NULL dev case for ISA for now. We could
1358 * do it via an out of line call but it is not needed for now. The
1359 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1360 return dev->archdata.dma_ops;
1363 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1364 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1366 dev->archdata.dma_ops = ops;
1369 static inline int dma_supported(struct device *dev, u64 mask)
1371 - struct dma_map_ops *ops = get_dma_ops(dev);
1372 + const struct dma_map_ops *ops = get_dma_ops(dev);
1376 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
1378 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1380 - struct dma_map_ops *ops = get_dma_ops(dev);
1381 + const struct dma_map_ops *ops = get_dma_ops(dev);
1383 if (unlikely(ops == NULL))
1385 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
1387 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1389 - struct dma_map_ops *ops = get_dma_ops(dev);
1390 + const struct dma_map_ops *ops = get_dma_ops(dev);
1391 if (ops->mapping_error)
1392 return ops->mapping_error(dev, dma_addr);
1394 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
1395 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1396 dma_addr_t *dma_handle, gfp_t flag)
1398 - struct dma_map_ops *ops = get_dma_ops(dev);
1399 + const struct dma_map_ops *ops = get_dma_ops(dev);
1403 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
1404 static inline void dma_free_coherent(struct device *dev, size_t size,
1405 void *cpu_addr, dma_addr_t dma_handle)
1407 - struct dma_map_ops *ops = get_dma_ops(dev);
1408 + const struct dma_map_ops *ops = get_dma_ops(dev);
1411 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1412 diff -urNp linux-2.6.37/arch/microblaze/include/asm/pci.h linux-2.6.37/arch/microblaze/include/asm/pci.h
1413 --- linux-2.6.37/arch/microblaze/include/asm/pci.h 2011-01-04 19:50:19.000000000 -0500
1414 +++ linux-2.6.37/arch/microblaze/include/asm/pci.h 2011-01-17 02:41:00.000000000 -0500
1415 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1419 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1420 -extern struct dma_map_ops *get_pci_dma_ops(void);
1421 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1422 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1423 #else /* CONFIG_PCI */
1424 #define set_pci_dma_ops(d)
1425 #define get_pci_dma_ops() NULL
1426 diff -urNp linux-2.6.37/arch/microblaze/kernel/dma.c linux-2.6.37/arch/microblaze/kernel/dma.c
1427 --- linux-2.6.37/arch/microblaze/kernel/dma.c 2011-01-04 19:50:19.000000000 -0500
1428 +++ linux-2.6.37/arch/microblaze/kernel/dma.c 2011-01-17 02:41:00.000000000 -0500
1429 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1430 __dma_sync_page(dma_address, 0 , size, direction);
1433 -struct dma_map_ops dma_direct_ops = {
1434 +const struct dma_map_ops dma_direct_ops = {
1435 .alloc_coherent = dma_direct_alloc_coherent,
1436 .free_coherent = dma_direct_free_coherent,
1437 .map_sg = dma_direct_map_sg,
1438 diff -urNp linux-2.6.37/arch/microblaze/kernel/kgdb.c linux-2.6.37/arch/microblaze/kernel/kgdb.c
1439 --- linux-2.6.37/arch/microblaze/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
1440 +++ linux-2.6.37/arch/microblaze/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
1441 @@ -141,10 +141,11 @@ void kgdb_arch_exit(void)
1445 -struct kgdb_arch arch_kgdb_ops = {
1446 +const struct kgdb_arch arch_kgdb_ops = {
1447 #ifdef __MICROBLAZEEL__
1448 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
1451 .gdb_bpt_instr = {0xba, 0x0c, 0x00, 0x18}, /* brki r16, 0x18 */
1454 diff -urNp linux-2.6.37/arch/microblaze/pci/pci-common.c linux-2.6.37/arch/microblaze/pci/pci-common.c
1455 --- linux-2.6.37/arch/microblaze/pci/pci-common.c 2011-01-04 19:50:19.000000000 -0500
1456 +++ linux-2.6.37/arch/microblaze/pci/pci-common.c 2011-01-17 02:41:00.000000000 -0500
1457 @@ -47,14 +47,14 @@ resource_size_t isa_mem_base;
1458 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1459 unsigned int pci_flags;
1461 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1462 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1464 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1465 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1467 pci_dma_ops = dma_ops;
1470 -struct dma_map_ops *get_pci_dma_ops(void)
1471 +const struct dma_map_ops *get_pci_dma_ops(void)
1475 diff -urNp linux-2.6.37/arch/mips/alchemy/devboards/pm.c linux-2.6.37/arch/mips/alchemy/devboards/pm.c
1476 --- linux-2.6.37/arch/mips/alchemy/devboards/pm.c 2011-01-04 19:50:19.000000000 -0500
1477 +++ linux-2.6.37/arch/mips/alchemy/devboards/pm.c 2011-01-17 02:41:00.000000000 -0500
1478 @@ -110,7 +110,7 @@ static void db1x_pm_end(void)
1482 -static struct platform_suspend_ops db1x_pm_ops = {
1483 +static const struct platform_suspend_ops db1x_pm_ops = {
1484 .valid = suspend_valid_only_mem,
1485 .begin = db1x_pm_begin,
1486 .enter = db1x_pm_enter,
1487 diff -urNp linux-2.6.37/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.37/arch/mips/cavium-octeon/dma-octeon.c
1488 --- linux-2.6.37/arch/mips/cavium-octeon/dma-octeon.c 2011-01-04 19:50:19.000000000 -0500
1489 +++ linux-2.6.37/arch/mips/cavium-octeon/dma-octeon.c 2011-01-17 02:41:00.000000000 -0500
1490 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
1493 struct octeon_dma_map_ops {
1494 - struct dma_map_ops dma_map_ops;
1495 + const struct dma_map_ops dma_map_ops;
1496 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
1497 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
1499 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
1503 -struct dma_map_ops *octeon_pci_dma_map_ops;
1504 +const struct dma_map_ops *octeon_pci_dma_map_ops;
1506 void __init octeon_pci_dma_init(void)
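Review bot: Marking only the embedded member `const struct dma_map_ops dma_map_ops;` does not by itself put the callbacks in read-only memory: the instance named in the second hunk's context (`static struct octeon_dma_map_ops _octeon...`) is still declared non-const, and the `phys_to_dma`/`dma_to_phys` pointers next to the member stay writable. If the aim is to protect the ops table from being overwritten, the instances would have to be `static const struct octeon_dma_map_ops` as well, which only works if nothing assigns to them at init time. The instance definitions are outside the hunks, so that needs checking there. If they must stay writable, a comment on the struct saying so, like the one this patch adds for `arch_kgdb_ops` in arch/mips/kernel/kgdb.c, would record the exception.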
1508 diff -urNp linux-2.6.37/arch/mips/include/asm/device.h linux-2.6.37/arch/mips/include/asm/device.h
1509 --- linux-2.6.37/arch/mips/include/asm/device.h 2011-01-04 19:50:19.000000000 -0500
1510 +++ linux-2.6.37/arch/mips/include/asm/device.h 2011-01-17 02:41:00.000000000 -0500
1511 @@ -10,7 +10,7 @@ struct dma_map_ops;
1513 struct dev_archdata {
1514 /* DMA operations on that device */
1515 - struct dma_map_ops *dma_ops;
1516 + const struct dma_map_ops *dma_ops;
1519 struct pdev_archdata {
1520 diff -urNp linux-2.6.37/arch/mips/include/asm/dma-mapping.h linux-2.6.37/arch/mips/include/asm/dma-mapping.h
1521 --- linux-2.6.37/arch/mips/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
1522 +++ linux-2.6.37/arch/mips/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
1525 #include <dma-coherence.h>
1527 -extern struct dma_map_ops *mips_dma_map_ops;
1528 +extern const struct dma_map_ops *mips_dma_map_ops;
1530 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1531 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1533 if (dev && dev->archdata.dma_ops)
1534 return dev->archdata.dma_ops;
1535 @@ -31,13 +31,13 @@ static inline void dma_mark_clean(void *
1537 static inline int dma_supported(struct device *dev, u64 mask)
1539 - struct dma_map_ops *ops = get_dma_ops(dev);
1540 + const struct dma_map_ops *ops = get_dma_ops(dev);
1541 return ops->dma_supported(dev, mask);
1544 static inline int dma_mapping_error(struct device *dev, u64 mask)
1546 - struct dma_map_ops *ops = get_dma_ops(dev);
1547 + const struct dma_map_ops *ops = get_dma_ops(dev);
1548 return ops->mapping_error(dev, mask);
1551 @@ -59,7 +59,7 @@ static inline void *dma_alloc_coherent(s
1552 dma_addr_t *dma_handle, gfp_t gfp)
1555 - struct dma_map_ops *ops = get_dma_ops(dev);
1556 + const struct dma_map_ops *ops = get_dma_ops(dev);
1558 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
1560 @@ -71,7 +71,7 @@ static inline void *dma_alloc_coherent(s
1561 static inline void dma_free_coherent(struct device *dev, size_t size,
1562 void *vaddr, dma_addr_t dma_handle)
1564 - struct dma_map_ops *ops = get_dma_ops(dev);
1565 + const struct dma_map_ops *ops = get_dma_ops(dev);
1567 ops->free_coherent(dev, size, vaddr, dma_handle);
1569 diff -urNp linux-2.6.37/arch/mips/include/asm/elf.h linux-2.6.37/arch/mips/include/asm/elf.h
1570 --- linux-2.6.37/arch/mips/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
1571 +++ linux-2.6.37/arch/mips/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
1572 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
1573 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1576 +#ifdef CONFIG_PAX_ASLR
1577 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1579 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1580 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1583 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1584 struct linux_binprm;
1585 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1589 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1590 -#define arch_randomize_brk arch_randomize_brk
1592 #endif /* _ASM_ELF_H */
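Review bot: `PAX_ELF_ET_DYN_BASE` is defined as `(test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)`, so both arms of the conditional are the same value and the thread-flag test has no effect. The identical line is added in arch/mips/kernel/binfmt_elfn32.c and binfmt_elfo32.c. Either write `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`, or, if a different base was intended for 64-bit address spaces, put that value in the second arm with a comment explaining the choice.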
1593 diff -urNp linux-2.6.37/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.37/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
1594 --- linux-2.6.37/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-01-04 19:50:19.000000000 -0500
1595 +++ linux-2.6.37/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-01-17 02:41:00.000000000 -0500
1596 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
1597 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
1600 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
1601 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
1602 extern char *octeon_swiotlb;
1604 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
1605 diff -urNp linux-2.6.37/arch/mips/include/asm/page.h linux-2.6.37/arch/mips/include/asm/page.h
1606 --- linux-2.6.37/arch/mips/include/asm/page.h 2011-01-04 19:50:19.000000000 -0500
1607 +++ linux-2.6.37/arch/mips/include/asm/page.h 2011-01-17 02:41:00.000000000 -0500
1608 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1609 #ifdef CONFIG_CPU_MIPS32
1610 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1611 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1612 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1613 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1615 typedef struct { unsigned long long pte; } pte_t;
1616 #define pte_val(x) ((x).pte)
1617 diff -urNp linux-2.6.37/arch/mips/include/asm/system.h linux-2.6.37/arch/mips/include/asm/system.h
1618 --- linux-2.6.37/arch/mips/include/asm/system.h 2011-01-04 19:50:19.000000000 -0500
1619 +++ linux-2.6.37/arch/mips/include/asm/system.h 2011-01-17 02:41:00.000000000 -0500
1621 #include <asm/dsp.h>
1622 #include <asm/watch.h>
1623 #include <asm/war.h>
1624 +#include <asm/asm.h>
1628 @@ -230,6 +231,6 @@ extern void per_cpu_trap_init(void);
1630 #define __ARCH_WANT_UNLOCKED_CTXSW
1632 -extern unsigned long arch_align_stack(unsigned long sp);
1633 +#define arch_align_stack(x) ((x) & ALMASK)
1635 #endif /* _ASM_SYSTEM_H */
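Review bot: `#define arch_align_stack(x) ((x) & ALMASK)` replaces the function removed from arch/mips/kernel/process.c, and with it the `sp -= get_random_int() & ~PAGE_MASK` step, without any `#ifdef`. The removal of arch_randomize_brk in asm/elf.h and kernel/syscall.c follows the same pattern. If the PaX randomisation that takes over is a config option, a kernel built with it disabled would lose the stock sub-page stack offset and brk randomisation on MIPS. I would either keep the original implementations under an `#ifndef` of the relevant PaX option or add a comment naming the code that now provides the randomisation.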
1636 diff -urNp linux-2.6.37/arch/mips/jz4740/pm.c linux-2.6.37/arch/mips/jz4740/pm.c
1637 --- linux-2.6.37/arch/mips/jz4740/pm.c 2011-01-04 19:50:19.000000000 -0500
1638 +++ linux-2.6.37/arch/mips/jz4740/pm.c 2011-01-17 02:41:00.000000000 -0500
1639 @@ -42,7 +42,7 @@ static int jz4740_pm_enter(suspend_state
1643 -static struct platform_suspend_ops jz4740_pm_ops = {
1644 +static const struct platform_suspend_ops jz4740_pm_ops = {
1645 .valid = suspend_valid_only_mem,
1646 .enter = jz4740_pm_enter,
1648 diff -urNp linux-2.6.37/arch/mips/kernel/binfmt_elfn32.c linux-2.6.37/arch/mips/kernel/binfmt_elfn32.c
1649 --- linux-2.6.37/arch/mips/kernel/binfmt_elfn32.c 2011-01-04 19:50:19.000000000 -0500
1650 +++ linux-2.6.37/arch/mips/kernel/binfmt_elfn32.c 2011-01-17 02:41:00.000000000 -0500
1651 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1652 #undef ELF_ET_DYN_BASE
1653 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1655 +#ifdef CONFIG_PAX_ASLR
1656 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1658 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1659 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1662 #include <asm/processor.h>
1663 #include <linux/module.h>
1664 #include <linux/elfcore.h>
1665 diff -urNp linux-2.6.37/arch/mips/kernel/binfmt_elfo32.c linux-2.6.37/arch/mips/kernel/binfmt_elfo32.c
1666 --- linux-2.6.37/arch/mips/kernel/binfmt_elfo32.c 2011-01-04 19:50:19.000000000 -0500
1667 +++ linux-2.6.37/arch/mips/kernel/binfmt_elfo32.c 2011-01-17 02:41:00.000000000 -0500
1668 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1669 #undef ELF_ET_DYN_BASE
1670 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1672 +#ifdef CONFIG_PAX_ASLR
1673 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1675 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1676 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1679 #include <asm/processor.h>
1682 diff -urNp linux-2.6.37/arch/mips/kernel/kgdb.c linux-2.6.37/arch/mips/kernel/kgdb.c
1683 --- linux-2.6.37/arch/mips/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
1684 +++ linux-2.6.37/arch/mips/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
1685 @@ -351,6 +351,7 @@ int kgdb_arch_handle_exception(int vecto
1689 +/* cannot be const, see kgdb_arch_init */
1690 struct kgdb_arch arch_kgdb_ops;
1693 diff -urNp linux-2.6.37/arch/mips/kernel/process.c linux-2.6.37/arch/mips/kernel/process.c
1694 --- linux-2.6.37/arch/mips/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
1695 +++ linux-2.6.37/arch/mips/kernel/process.c 2011-01-17 02:41:00.000000000 -0500
1696 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
1702 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1703 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1705 -unsigned long arch_align_stack(unsigned long sp)
1707 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1708 - sp -= get_random_int() & ~PAGE_MASK;
1710 - return sp & ALMASK;
1712 diff -urNp linux-2.6.37/arch/mips/kernel/syscall.c linux-2.6.37/arch/mips/kernel/syscall.c
1713 --- linux-2.6.37/arch/mips/kernel/syscall.c 2011-01-04 19:50:19.000000000 -0500
1714 +++ linux-2.6.37/arch/mips/kernel/syscall.c 2011-01-17 02:41:00.000000000 -0500
1715 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
1717 if (filp || (flags & MAP_SHARED))
1720 +#ifdef CONFIG_PAX_RANDMMAP
1721 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1726 addr = COLOUR_ALIGN(addr, pgoff);
1728 addr = PAGE_ALIGN(addr);
1729 vmm = find_vma(current->mm, addr);
1730 - if (task_size - len >= addr &&
1731 - (!vmm || addr + len <= vmm->vm_start))
1732 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1735 addr = current->mm->mmap_base;
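Review bot: The `!vmm` test that used to short-circuit `addr + len <= vmm->vm_start` is gone from the call site, so `check_heap_stack_gap(vmm, addr, len)` is now called with a NULL `vmm` whenever `find_vma()` finds no mapping above `addr`. The helper is defined outside this excerpt, so its NULL handling cannot be confirmed here. A one-line note at the call, such as `/* check_heap_stack_gap() accepts vmm == NULL (no mapping above addr) */`, would make the contract explicit. The same substitution appears in the next hunk of this file and in `get_unshared_area()` and `get_shared_area()` in arch/parisc/kernel/sys_parisc.c. `arch_get_unmapped_area()` starts and ends outside the hunk.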
1736 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
1737 /* At this point: (!vmm || addr < vmm->vm_end). */
1738 if (task_size - len < addr)
1740 - if (!vmm || addr + len <= vmm->vm_start)
1741 + if (check_heap_stack_gap(vmm, addr, len))
1745 @@ -168,19 +172,6 @@ static inline unsigned long brk_rnd(void
1749 -unsigned long arch_randomize_brk(struct mm_struct *mm)
1751 - unsigned long base = mm->brk;
1752 - unsigned long ret;
1754 - ret = PAGE_ALIGN(base + brk_rnd());
1756 - if (ret < mm->brk)
1762 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
1763 unsigned long, prot, unsigned long, flags, unsigned long,
1765 diff -urNp linux-2.6.37/arch/mips/loongson/common/pm.c linux-2.6.37/arch/mips/loongson/common/pm.c
1766 --- linux-2.6.37/arch/mips/loongson/common/pm.c 2011-01-04 19:50:19.000000000 -0500
1767 +++ linux-2.6.37/arch/mips/loongson/common/pm.c 2011-01-17 02:41:00.000000000 -0500
1768 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1772 -static struct platform_suspend_ops loongson_pm_ops = {
1773 +static const struct platform_suspend_ops loongson_pm_ops = {
1774 .valid = loongson_pm_valid_state,
1775 .enter = loongson_pm_enter,
1777 diff -urNp linux-2.6.37/arch/mips/mm/dma-default.c linux-2.6.37/arch/mips/mm/dma-default.c
1778 --- linux-2.6.37/arch/mips/mm/dma-default.c 2011-01-04 19:50:19.000000000 -0500
1779 +++ linux-2.6.37/arch/mips/mm/dma-default.c 2011-01-17 02:41:00.000000000 -0500
1780 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
1782 EXPORT_SYMBOL(dma_cache_sync);
1784 -static struct dma_map_ops mips_default_dma_map_ops = {
1785 +static const struct dma_map_ops mips_default_dma_map_ops = {
1786 .alloc_coherent = mips_dma_alloc_coherent,
1787 .free_coherent = mips_dma_free_coherent,
1788 .map_page = mips_dma_map_page,
1789 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
1790 .dma_supported = mips_dma_supported
1793 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1794 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1795 EXPORT_SYMBOL(mips_dma_map_ops);
1797 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1798 diff -urNp linux-2.6.37/arch/mips/mm/fault.c linux-2.6.37/arch/mips/mm/fault.c
1799 --- linux-2.6.37/arch/mips/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
1800 +++ linux-2.6.37/arch/mips/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
1802 #include <asm/highmem.h> /* For VMALLOC_END */
1803 #include <linux/kdebug.h>
1805 +#ifdef CONFIG_PAX_PAGEEXEC
1806 +void pax_report_insns(void *pc, void *sp)
1810 + printk(KERN_ERR "PAX: bytes at PC: ");
1811 + for (i = 0; i < 5; i++) {
1813 + if (get_user(c, (unsigned int *)pc+i))
1814 + printk(KERN_CONT "???????? ");
1816 + printk(KERN_CONT "%08x ", c);
1823 * This routine handles page faults. It determines the address,
1824 * and the problem, and then passes it off to one of the appropriate
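Review bot: In `pax_report_insns()` the user pointer is built as `(unsigned int *)pc+i`, which drops the `__user` address-space annotation that `get_user()` expects and that sparse checks. Writing it as `get_user(c, (unsigned int __user *)pc + i)` keeps the annotation and makes it obvious that the cast binds before the addition. The copy of `pax_report_insns()` in arch/parisc/mm/fault.c and the `get_user()` calls in `pax_handle_fetch_fault()` there use the same unannotated casts. The declarations of `i` and `c` are not visible in this view.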
1825 diff -urNp linux-2.6.37/arch/parisc/include/asm/elf.h linux-2.6.37/arch/parisc/include/asm/elf.h
1826 --- linux-2.6.37/arch/parisc/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
1827 +++ linux-2.6.37/arch/parisc/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
1828 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1830 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1832 +#ifdef CONFIG_PAX_ASLR
1833 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1835 +#define PAX_DELTA_MMAP_LEN 16
1836 +#define PAX_DELTA_STACK_LEN 16
1839 /* This yields a mask that user programs can use to figure out what
1840 instruction set this CPU supports. This could be done in user space,
1841 but it's not easy, and we've already done it here. */
1842 diff -urNp linux-2.6.37/arch/parisc/include/asm/pgtable.h linux-2.6.37/arch/parisc/include/asm/pgtable.h
1843 --- linux-2.6.37/arch/parisc/include/asm/pgtable.h 2011-01-04 19:50:19.000000000 -0500
1844 +++ linux-2.6.37/arch/parisc/include/asm/pgtable.h 2011-01-17 02:41:00.000000000 -0500
1845 @@ -207,6 +207,17 @@
1846 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1847 #define PAGE_COPY PAGE_EXECREAD
1848 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1850 +#ifdef CONFIG_PAX_PAGEEXEC
1851 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1852 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1853 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1855 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1856 +# define PAGE_COPY_NOEXEC PAGE_COPY
1857 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1860 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1861 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1862 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1863 diff -urNp linux-2.6.37/arch/parisc/kernel/module.c linux-2.6.37/arch/parisc/kernel/module.c
1864 --- linux-2.6.37/arch/parisc/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
1865 +++ linux-2.6.37/arch/parisc/kernel/module.c 2011-01-17 02:41:00.000000000 -0500
1868 /* three functions to determine where in the module core
1869 * or init pieces the location is */
1870 +static inline int in_init_rx(struct module *me, void *loc)
1872 + return (loc >= me->module_init_rx &&
1873 + loc < (me->module_init_rx + me->init_size_rx));
1876 +static inline int in_init_rw(struct module *me, void *loc)
1878 + return (loc >= me->module_init_rw &&
1879 + loc < (me->module_init_rw + me->init_size_rw));
1882 static inline int in_init(struct module *me, void *loc)
1884 - return (loc >= me->module_init &&
1885 - loc <= (me->module_init + me->init_size));
1886 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1889 +static inline int in_core_rx(struct module *me, void *loc)
1891 + return (loc >= me->module_core_rx &&
1892 + loc < (me->module_core_rx + me->core_size_rx));
1895 +static inline int in_core_rw(struct module *me, void *loc)
1897 + return (loc >= me->module_core_rw &&
1898 + loc < (me->module_core_rw + me->core_size_rw));
1901 static inline int in_core(struct module *me, void *loc)
1903 - return (loc >= me->module_core &&
1904 - loc <= (me->module_core + me->core_size));
1905 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1908 static inline int in_local(struct module *me, void *loc)
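Review bot: The new `in_init_rx`/`in_init_rw`/`in_core_rx`/`in_core_rw` helpers compare against the end of the region with `<`, where the removed `in_init` and `in_core` bodies used `<=`. An address exactly one past the end of a region is therefore no longer reported as inside it. That looks like the correct half-open range, but it is a behaviour change on top of the rx/rw split and nothing records it. A short comment on the first helper would do, e.g. `/* half-open range: [base, base + size) */`.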
1909 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1912 /* align things a bit */
1913 - me->core_size = ALIGN(me->core_size, 16);
1914 - me->arch.got_offset = me->core_size;
1915 - me->core_size += gots * sizeof(struct got_entry);
1917 - me->core_size = ALIGN(me->core_size, 16);
1918 - me->arch.fdesc_offset = me->core_size;
1919 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1920 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1921 + me->arch.got_offset = me->core_size_rw;
1922 + me->core_size_rw += gots * sizeof(struct got_entry);
1924 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1925 + me->arch.fdesc_offset = me->core_size_rw;
1926 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1928 me->arch.got_max = gots;
1929 me->arch.fdesc_max = fdescs;
1930 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1934 - got = me->module_core + me->arch.got_offset;
1935 + got = me->module_core_rw + me->arch.got_offset;
1936 for (i = 0; got[i].addr; i++)
1937 if (got[i].addr == value)
1939 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1941 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1943 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1944 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1947 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1948 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1950 /* Create new one */
1951 fdesc->addr = value;
1952 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1953 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1954 return (Elf_Addr)fdesc;
1956 #endif /* CONFIG_64BIT */
1957 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1959 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1960 end = table + sechdrs[me->arch.unwind_section].sh_size;
1961 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1962 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1964 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1965 me->arch.unwind_section, table, end, gp);
1966 diff -urNp linux-2.6.37/arch/parisc/kernel/sys_parisc.c linux-2.6.37/arch/parisc/kernel/sys_parisc.c
1967 --- linux-2.6.37/arch/parisc/kernel/sys_parisc.c 2011-01-04 19:50:19.000000000 -0500
1968 +++ linux-2.6.37/arch/parisc/kernel/sys_parisc.c 2011-01-17 02:41:00.000000000 -0500
1969 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1970 /* At this point: (!vma || addr < vma->vm_end). */
1971 if (TASK_SIZE - len < addr)
1973 - if (!vma || addr + len <= vma->vm_start)
1974 + if (check_heap_stack_gap(vma, addr, len))
1978 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1979 /* At this point: (!vma || addr < vma->vm_end). */
1980 if (TASK_SIZE - len < addr)
1982 - if (!vma || addr + len <= vma->vm_start)
1983 + if (check_heap_stack_gap(vma, addr, len))
1985 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1986 if (addr < vma->vm_end) /* handle wraparound */
1987 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1988 if (flags & MAP_FIXED)
1991 - addr = TASK_UNMAPPED_BASE;
1992 + addr = current->mm->mmap_base;
1995 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1996 diff -urNp linux-2.6.37/arch/parisc/kernel/traps.c linux-2.6.37/arch/parisc/kernel/traps.c
1997 --- linux-2.6.37/arch/parisc/kernel/traps.c 2011-01-04 19:50:19.000000000 -0500
1998 +++ linux-2.6.37/arch/parisc/kernel/traps.c 2011-01-17 02:41:00.000000000 -0500
1999 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
2001 down_read(¤t->mm->mmap_sem);
2002 vma = find_vma(current->mm,regs->iaoq[0]);
2003 - if (vma && (regs->iaoq[0] >= vma->vm_start)
2004 - && (vma->vm_flags & VM_EXEC)) {
2006 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
2007 fault_address = regs->iaoq[0];
2008 fault_space = regs->iasq[0];
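Review bot: The condition no longer tests `vma->vm_flags & VM_EXEC`, so an instruction-address fault inside any mapped VMA now takes this branch, and nothing in the hunk says why. Presumably the intent is to let the handler in arch/parisc/mm/fault.c, which gains `pax_handle_fetch_fault()` in this same patch, see fetches from non-executable mappings. A comment on the `if` would record that, e.g. `/* PaX: also route fetches from non-exec vmas to the page fault handler */`. The rest of `handle_interruption()` is outside the hunk.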
2010 diff -urNp linux-2.6.37/arch/parisc/mm/fault.c linux-2.6.37/arch/parisc/mm/fault.c
2011 --- linux-2.6.37/arch/parisc/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
2012 +++ linux-2.6.37/arch/parisc/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
2014 #include <linux/sched.h>
2015 #include <linux/interrupt.h>
2016 #include <linux/module.h>
2017 +#include <linux/unistd.h>
2019 #include <asm/uaccess.h>
2020 #include <asm/traps.h>
2021 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
2022 static unsigned long
2023 parisc_acctyp(unsigned long code, unsigned int inst)
2025 - if (code == 6 || code == 16)
2026 + if (code == 6 || code == 7 || code == 16)
2029 switch (inst & 0xf0000000) {
2030 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
2034 +#ifdef CONFIG_PAX_PAGEEXEC
2036 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
2038 + * returns 1 when task should be killed
2039 + * 2 when rt_sigreturn trampoline was detected
2040 + * 3 when unpatched PLT trampoline was detected
2042 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2045 +#ifdef CONFIG_PAX_EMUPLT
2048 + do { /* PaX: unpatched PLT emulation */
2049 + unsigned int bl, depwi;
2051 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
2052 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
2057 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
2058 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
2060 + err = get_user(ldw, (unsigned int *)addr);
2061 + err |= get_user(bv, (unsigned int *)(addr+4));
2062 + err |= get_user(ldw2, (unsigned int *)(addr+8));
2067 + if (ldw == 0x0E801096U &&
2068 + bv == 0xEAC0C000U &&
2069 + ldw2 == 0x0E881095U)
2071 + unsigned int resolver, map;
2073 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
2074 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
2078 + regs->gr[20] = instruction_pointer(regs)+8;
2079 + regs->gr[21] = map;
2080 + regs->gr[22] = resolver;
2081 + regs->iaoq[0] = resolver | 3UL;
2082 + regs->iaoq[1] = regs->iaoq[0] + 4;
2089 +#ifdef CONFIG_PAX_EMUTRAMP
2091 +#ifndef CONFIG_PAX_EMUSIGRT
2092 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
2096 + do { /* PaX: rt_sigreturn emulation */
2097 + unsigned int ldi1, ldi2, bel, nop;
2099 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
2100 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
2101 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
2102 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
2107 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
2108 + ldi2 == 0x3414015AU &&
2109 + bel == 0xE4008200U &&
2110 + nop == 0x08000240U)
2112 + regs->gr[25] = (ldi1 & 2) >> 1;
2113 + regs->gr[20] = __NR_rt_sigreturn;
2114 + regs->gr[31] = regs->iaoq[1] + 16;
2115 + regs->sr[0] = regs->iasq[1];
2116 + regs->iaoq[0] = 0x100UL;
2117 + regs->iaoq[1] = regs->iaoq[0] + 4;
2118 + regs->iasq[0] = regs->sr[2];
2119 + regs->iasq[1] = regs->sr[2];
2128 +void pax_report_insns(void *pc, void *sp)
2132 + printk(KERN_ERR "PAX: bytes at PC: ");
2133 + for (i = 0; i < 5; i++) {
2135 + if (get_user(c, (unsigned int *)pc+i))
2136 + printk(KERN_CONT "???????? ");
2138 + printk(KERN_CONT "%08x ", c);
2144 int fixup_exception(struct pt_regs *regs)
2146 const struct exception_table_entry *fix;
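Review bot: In the PLT emulation block, `addr` is declared `unsigned int` in the same declaration as the instruction words, but it holds `instruction_pointer(regs)-12` and is then cast to a pointer for `get_user()`. On a 64-bit kernel that goes through a 32-bit integer, so any fault address above 4 GiB would be truncated and the integer-to-pointer cast would differ in size. Declaring it on its own as `unsigned long addr = instruction_pointer(regs) - 12;` avoids both. The neighbouring `get_user()` calls already cast `instruction_pointer(regs)` directly, which suggests it is pointer-sized. The matching opcode constants such as `0xEA9F1FDDU` would also read better with a short comment naming the instruction each one encodes.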
2147 @@ -192,8 +303,33 @@ good_area:
2149 acc_type = parisc_acctyp(code,regs->iir);
2151 - if ((vma->vm_flags & acc_type) != acc_type)
2152 + if ((vma->vm_flags & acc_type) != acc_type) {
2154 +#ifdef CONFIG_PAX_PAGEEXEC
2155 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
2156 + (address & ~3UL) == instruction_pointer(regs))
2158 + up_read(&mm->mmap_sem);
2159 + switch (pax_handle_fetch_fault(regs)) {
2161 +#ifdef CONFIG_PAX_EMUPLT
2166 +#ifdef CONFIG_PAX_EMUTRAMP
2172 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
2173 + do_group_exit(SIGKILL);
2181 * If for any reason at all we couldn't handle the fault, make
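Review bot: The `switch (pax_handle_fetch_fault(regs))` here dispatches on the bare return codes 1, 2 and 3 that the function's header comment in the previous hunk documents. Named constants shared by the function and this switch would keep the two from drifting apart, for example an `enum` with one entry per outcome (kill, rt_sigreturn trampoline, PLT trampoline). The case labels themselves are not visible in this view, so this is based on the header comment and the two `#ifdef` arms shown.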
2182 diff -urNp linux-2.6.37/arch/powerpc/include/asm/device.h linux-2.6.37/arch/powerpc/include/asm/device.h
2183 --- linux-2.6.37/arch/powerpc/include/asm/device.h 2011-01-04 19:50:19.000000000 -0500
2184 +++ linux-2.6.37/arch/powerpc/include/asm/device.h 2011-01-17 02:41:00.000000000 -0500
2185 @@ -11,7 +11,7 @@ struct device_node;
2187 struct dev_archdata {
2188 /* DMA operations on that device */
2189 - struct dma_map_ops *dma_ops;
2190 + const struct dma_map_ops *dma_ops;
2193 * When an iommu is in use, dma_data is used as a ptr to the base of the
2194 diff -urNp linux-2.6.37/arch/powerpc/include/asm/dma-mapping.h linux-2.6.37/arch/powerpc/include/asm/dma-mapping.h
2195 --- linux-2.6.37/arch/powerpc/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
2196 +++ linux-2.6.37/arch/powerpc/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
2197 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2199 * Available generic sets of operations
2201 +/* cannot be const */
2203 -extern struct dma_map_ops dma_iommu_ops;
2204 +extern const struct dma_map_ops dma_iommu_ops;
2206 -extern struct dma_map_ops dma_direct_ops;
2207 +extern const struct dma_map_ops dma_direct_ops;
2209 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2210 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2212 /* We don't handle the NULL dev case for ISA for now. We could
2213 * do it via an out of line call but it is not needed for now. The
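Review bot: The added comment says `/* cannot be const */`, yet the declaration below it is changed to `extern const struct dma_map_ops dma_iommu_ops;`. The definition in arch/powerpc/kernel/dma-iommu.c later in this patch stays `struct dma_map_ops dma_iommu_ops = {` under the comment `cannot be const, see arch/powerpc/platforms/cell/iommu.c`. As shown, the header and the definition disagree on the qualifier, and a file that sees both would get a conflicting-qualifier error. Keeping `extern struct dma_map_ops dma_iommu_ops;` here and const-qualifying only `dma_direct_ops` would match the comment. A preprocessor guard around the declaration may sit on lines not shown in this view.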
2214 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
2215 return dev->archdata.dma_ops;
2218 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2219 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2221 dev->archdata.dma_ops = ops;
2223 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
2225 static inline int dma_supported(struct device *dev, u64 mask)
2227 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2228 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2230 if (unlikely(dma_ops == NULL))
2232 @@ -132,7 +133,7 @@ extern int dma_set_mask(struct device *d
2233 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2234 dma_addr_t *dma_handle, gfp_t flag)
2236 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2237 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2241 @@ -147,7 +148,7 @@ static inline void *dma_alloc_coherent(s
2242 static inline void dma_free_coherent(struct device *dev, size_t size,
2243 void *cpu_addr, dma_addr_t dma_handle)
2245 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2246 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2250 @@ -158,7 +159,7 @@ static inline void dma_free_coherent(str
2252 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2254 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2255 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2257 if (dma_ops->mapping_error)
2258 return dma_ops->mapping_error(dev, dma_addr);
2259 diff -urNp linux-2.6.37/arch/powerpc/include/asm/elf.h linux-2.6.37/arch/powerpc/include/asm/elf.h
2260 --- linux-2.6.37/arch/powerpc/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
2261 +++ linux-2.6.37/arch/powerpc/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
2262 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2263 the loader. We need to make sure that it is out of the way of the program
2264 that it will "exec", and that there is sufficient room for the brk. */
2266 -extern unsigned long randomize_et_dyn(unsigned long base);
2267 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2268 +#define ELF_ET_DYN_BASE (0x20000000)
2270 +#ifdef CONFIG_PAX_ASLR
2271 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2273 +#ifdef __powerpc64__
2274 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
2275 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
2277 +#define PAX_DELTA_MMAP_LEN 15
2278 +#define PAX_DELTA_STACK_LEN 15
2283 * Our registers are always unsigned longs, whether we're a 32 bit
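Review bot: `ELF_ET_DYN_BASE` becomes the fixed value `0x20000000` and the `randomize_et_dyn()` call is removed, while the replacement macros are defined only under `CONFIG_PAX_ASLR`. A kernel built from this tree with that option off would therefore appear to load ET_DYN binaries at a constant base, unless generic code outside this view compensates. The same concern applies to `#define arch_align_stack(x) ((x) & ~0xfUL)` in asm/system.h and to the removal of the `arch_randomize_brk` declaration in the next hunk. Either make the PaX option a hard requirement in Kconfig or keep the stock randomisation in an `#else` branch, and say which in a comment above `ELF_ET_DYN_BASE`.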
2284 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2285 (0x7ff >> (PAGE_SHIFT - 12)) : \
2286 (0x3ffff >> (PAGE_SHIFT - 12)))
2288 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2289 -#define arch_randomize_brk arch_randomize_brk
2291 #endif /* __KERNEL__ */
2294 diff -urNp linux-2.6.37/arch/powerpc/include/asm/iommu.h linux-2.6.37/arch/powerpc/include/asm/iommu.h
2295 --- linux-2.6.37/arch/powerpc/include/asm/iommu.h 2011-01-04 19:50:19.000000000 -0500
2296 +++ linux-2.6.37/arch/powerpc/include/asm/iommu.h 2011-01-17 02:41:00.000000000 -0500
2297 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2298 extern void iommu_init_early_dart(void);
2299 extern void iommu_init_early_pasemi(void);
2302 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2305 extern void pci_iommu_init(void);
2306 extern void pci_direct_iommu_init(void);
2307 diff -urNp linux-2.6.37/arch/powerpc/include/asm/kmap_types.h linux-2.6.37/arch/powerpc/include/asm/kmap_types.h
2308 --- linux-2.6.37/arch/powerpc/include/asm/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
2309 +++ linux-2.6.37/arch/powerpc/include/asm/kmap_types.h 2011-01-17 02:41:00.000000000 -0500
2310 @@ -27,6 +27,7 @@ enum km_type {
2318 diff -urNp linux-2.6.37/arch/powerpc/include/asm/page_64.h linux-2.6.37/arch/powerpc/include/asm/page_64.h
2319 --- linux-2.6.37/arch/powerpc/include/asm/page_64.h 2011-01-04 19:50:19.000000000 -0500
2320 +++ linux-2.6.37/arch/powerpc/include/asm/page_64.h 2011-01-17 02:41:00.000000000 -0500
2321 @@ -172,15 +172,18 @@ do { \
2322 * stack by default, so in the absense of a PT_GNU_STACK program header
2323 * we turn execute permission off.
2325 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2326 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2327 +#define VM_STACK_DEFAULT_FLAGS32 \
2328 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2329 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2331 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2332 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2334 +#ifndef CONFIG_PAX_PAGEEXEC
2335 #define VM_STACK_DEFAULT_FLAGS \
2336 (is_32bit_task() ? \
2337 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2340 #include <asm-generic/getorder.h>
2342 diff -urNp linux-2.6.37/arch/powerpc/include/asm/page.h linux-2.6.37/arch/powerpc/include/asm/page.h
2343 --- linux-2.6.37/arch/powerpc/include/asm/page.h 2011-01-04 19:50:19.000000000 -0500
2344 +++ linux-2.6.37/arch/powerpc/include/asm/page.h 2011-01-17 02:41:00.000000000 -0500
2345 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2346 * and needs to be executable. This means the whole heap ends
2347 * up being executable.
2349 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2350 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2351 +#define VM_DATA_DEFAULT_FLAGS32 \
2352 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2353 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2355 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2356 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
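Review bot: The comment above `VM_DATA_DEFAULT_FLAGS32` still ends with "This means the whole heap ends up being executable", which this change makes untrue: `VM_EXEC` is now set only when `current->personality & READ_IMPLIES_EXEC` is set. The comment should be updated to match, for example `* The heap is executable only for READ_IMPLIES_EXEC tasks; others keep VM_MAYEXEC without VM_EXEC.` The start of that comment is outside the hunk. The macro now also reads `current`, so it is no longer a constant expression and should not be used where one is required.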
2357 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2358 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2361 +#define ktla_ktva(addr) (addr)
2362 +#define ktva_ktla(addr) (addr)
2364 #ifndef __ASSEMBLY__
2366 #undef STRICT_MM_TYPECHECKS
2367 diff -urNp linux-2.6.37/arch/powerpc/include/asm/pci.h linux-2.6.37/arch/powerpc/include/asm/pci.h
2368 --- linux-2.6.37/arch/powerpc/include/asm/pci.h 2011-01-04 19:50:19.000000000 -0500
2369 +++ linux-2.6.37/arch/powerpc/include/asm/pci.h 2011-01-17 02:41:00.000000000 -0500
2370 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2374 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2375 -extern struct dma_map_ops *get_pci_dma_ops(void);
2376 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2377 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2378 #else /* CONFIG_PCI */
2379 #define set_pci_dma_ops(d)
2380 #define get_pci_dma_ops() NULL
2381 diff -urNp linux-2.6.37/arch/powerpc/include/asm/pte-hash32.h linux-2.6.37/arch/powerpc/include/asm/pte-hash32.h
2382 --- linux-2.6.37/arch/powerpc/include/asm/pte-hash32.h 2011-01-04 19:50:19.000000000 -0500
2383 +++ linux-2.6.37/arch/powerpc/include/asm/pte-hash32.h 2011-01-17 02:41:00.000000000 -0500
2385 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2386 #define _PAGE_USER 0x004 /* usermode access allowed */
2387 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2388 +#define _PAGE_EXEC _PAGE_GUARDED
2389 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2390 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2391 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
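Review bot: `_PAGE_EXEC` is defined as an alias of `_PAGE_GUARDED` with no explanation, so the PTE bit `0x008` now carries two meanings in this header. Judging from `DSISR_GUARDED` ("fetch from guarded storage") added to asm/reg.h in this patch, the intent seems to be to use the guarded bit to trap instruction fetches. A reader of this file cannot tell which polarity is meant. A comment on the line would settle it, e.g. `/* PaX: G bit doubles as the exec-control bit on hash32, see DSISR_GUARDED */`, with the wording adjusted to the actual semantics.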
2392 diff -urNp linux-2.6.37/arch/powerpc/include/asm/reg.h linux-2.6.37/arch/powerpc/include/asm/reg.h
2393 --- linux-2.6.37/arch/powerpc/include/asm/reg.h 2011-01-04 19:50:19.000000000 -0500
2394 +++ linux-2.6.37/arch/powerpc/include/asm/reg.h 2011-01-17 02:41:00.000000000 -0500
2396 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2397 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2398 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2399 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2400 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2401 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2402 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2403 diff -urNp linux-2.6.37/arch/powerpc/include/asm/swiotlb.h linux-2.6.37/arch/powerpc/include/asm/swiotlb.h
2404 --- linux-2.6.37/arch/powerpc/include/asm/swiotlb.h 2011-01-04 19:50:19.000000000 -0500
2405 +++ linux-2.6.37/arch/powerpc/include/asm/swiotlb.h 2011-01-17 02:41:00.000000000 -0500
2408 #include <linux/swiotlb.h>
2410 -extern struct dma_map_ops swiotlb_dma_ops;
2411 +extern const struct dma_map_ops swiotlb_dma_ops;
2413 static inline void dma_mark_clean(void *addr, size_t size) {}
2415 diff -urNp linux-2.6.37/arch/powerpc/include/asm/system.h linux-2.6.37/arch/powerpc/include/asm/system.h
2416 --- linux-2.6.37/arch/powerpc/include/asm/system.h 2011-01-04 19:50:19.000000000 -0500
2417 +++ linux-2.6.37/arch/powerpc/include/asm/system.h 2011-01-17 02:41:00.000000000 -0500
2418 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2419 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2422 -extern unsigned long arch_align_stack(unsigned long sp);
2423 +#define arch_align_stack(x) ((x) & ~0xfUL)
2425 /* Used in very early kernel initialization. */
2426 extern unsigned long reloc_offset(void);
2427 diff -urNp linux-2.6.37/arch/powerpc/include/asm/uaccess.h linux-2.6.37/arch/powerpc/include/asm/uaccess.h
2428 --- linux-2.6.37/arch/powerpc/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
2429 +++ linux-2.6.37/arch/powerpc/include/asm/uaccess.h 2011-01-17 02:41:00.000000000 -0500
2431 #define VERIFY_READ 0
2432 #define VERIFY_WRITE 1
2434 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2437 * The fs value determines whether argument validity checking should be
2438 * performed or not. If get_fs() == USER_DS, checking is performed, with
2439 @@ -327,52 +329,6 @@ do { \
2440 extern unsigned long __copy_tofrom_user(void __user *to,
2441 const void __user *from, unsigned long size);
2443 -#ifndef __powerpc64__
2445 -static inline unsigned long copy_from_user(void *to,
2446 - const void __user *from, unsigned long n)
2448 - unsigned long over;
2450 - if (access_ok(VERIFY_READ, from, n))
2451 - return __copy_tofrom_user((__force void __user *)to, from, n);
2452 - if ((unsigned long)from < TASK_SIZE) {
2453 - over = (unsigned long)from + n - TASK_SIZE;
2454 - return __copy_tofrom_user((__force void __user *)to, from,
2460 -static inline unsigned long copy_to_user(void __user *to,
2461 - const void *from, unsigned long n)
2463 - unsigned long over;
2465 - if (access_ok(VERIFY_WRITE, to, n))
2466 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2467 - if ((unsigned long)to < TASK_SIZE) {
2468 - over = (unsigned long)to + n - TASK_SIZE;
2469 - return __copy_tofrom_user(to, (__force void __user *)from,
2475 -#else /* __powerpc64__ */
2477 -#define __copy_in_user(to, from, size) \
2478 - __copy_tofrom_user((to), (from), (size))
2480 -extern unsigned long copy_from_user(void *to, const void __user *from,
2482 -extern unsigned long copy_to_user(void __user *to, const void *from,
2484 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2487 -#endif /* __powerpc64__ */
2489 static inline unsigned long __copy_from_user_inatomic(void *to,
2490 const void __user *from, unsigned long n)
2492 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2497 + if (!__builtin_constant_p(n))
2498 + check_object_size(to, n, false);
2500 return __copy_tofrom_user((__force void __user *)to, from, n);
2503 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2508 + if (!__builtin_constant_p(n))
2509 + check_object_size(from, n, true);
2511 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2514 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2515 return __copy_to_user_inatomic(to, from, size);
2518 +#ifndef __powerpc64__
2520 +static inline unsigned long __must_check copy_from_user(void *to,
2521 + const void __user *from, unsigned long n)
2523 + unsigned long over;
2528 + if (access_ok(VERIFY_READ, from, n)) {
2529 + if (!__builtin_constant_p(n))
2530 + check_object_size(to, n, false);
2531 + return __copy_tofrom_user((__force void __user *)to, from, n);
2533 + if ((unsigned long)from < TASK_SIZE) {
2534 + over = (unsigned long)from + n - TASK_SIZE;
2535 + if (!__builtin_constant_p(n - over))
2536 + check_object_size(to, n - over, false);
2537 + return __copy_tofrom_user((__force void __user *)to, from,
2543 +static inline unsigned long __must_check copy_to_user(void __user *to,
2544 + const void *from, unsigned long n)
2546 + unsigned long over;
2551 + if (access_ok(VERIFY_WRITE, to, n)) {
2552 + if (!__builtin_constant_p(n))
2553 + check_object_size(from, n, true);
2554 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2556 + if ((unsigned long)to < TASK_SIZE) {
2557 + over = (unsigned long)to + n - TASK_SIZE;
2558 + if (!__builtin_constant_p(n))
2559 + check_object_size(from, n - over, true);
2560 + return __copy_tofrom_user(to, (__force void __user *)from,
2566 +#else /* __powerpc64__ */
2568 +#define __copy_in_user(to, from, size) \
2569 + __copy_tofrom_user((to), (from), (size))
2571 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2573 + if ((long)n < 0 || n > INT_MAX)
2576 + if (!__builtin_constant_p(n))
2577 + check_object_size(to, n, false);
2579 + if (likely(access_ok(VERIFY_READ, from, n)))
2580 + n = __copy_from_user(to, from, n);
2586 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2588 + if ((long)n < 0 || n > INT_MAX)
2591 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2592 + if (!__builtin_constant_p(n))
2593 + check_object_size(from, n, true);
2594 + n = __copy_to_user(to, from, n);
2599 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2602 +#endif /* __powerpc64__ */
2604 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2606 static inline unsigned long clear_user(void __user *addr, unsigned long size)
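Review bot: In the fallback branch of the 32-bit `copy_to_user()` the guard is `if (!__builtin_constant_p(n))` while the length actually checked is `n - over`; the matching branch of `copy_from_user()` guards on `__builtin_constant_p(n - over)`. The two should agree, i.e. `if (!__builtin_constant_p(n - over))` before `check_object_size(from, n - over, true);`. In the 64-bit pair the order differs as well: `copy_from_user()` calls `check_object_size()` before `access_ok()` and `copy_to_user()` calls it after. One order for both would be easier to audit. Several lines of these bodies, including the early returns and the tails, are not visible in this view.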
2607 diff -urNp linux-2.6.37/arch/powerpc/kernel/dma.c linux-2.6.37/arch/powerpc/kernel/dma.c
2608 --- linux-2.6.37/arch/powerpc/kernel/dma.c 2011-01-04 19:50:19.000000000 -0500
2609 +++ linux-2.6.37/arch/powerpc/kernel/dma.c 2011-01-17 02:41:00.000000000 -0500
2610 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
2614 -struct dma_map_ops dma_direct_ops = {
2615 +const struct dma_map_ops dma_direct_ops = {
2616 .alloc_coherent = dma_direct_alloc_coherent,
2617 .free_coherent = dma_direct_free_coherent,
2618 .map_sg = dma_direct_map_sg,
2619 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
2621 int dma_set_mask(struct device *dev, u64 dma_mask)
2623 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2624 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2626 if (ppc_md.dma_set_mask)
2627 return ppc_md.dma_set_mask(dev, dma_mask);
2628 diff -urNp linux-2.6.37/arch/powerpc/kernel/dma-iommu.c linux-2.6.37/arch/powerpc/kernel/dma-iommu.c
2629 --- linux-2.6.37/arch/powerpc/kernel/dma-iommu.c 2011-01-04 19:50:19.000000000 -0500
2630 +++ linux-2.6.37/arch/powerpc/kernel/dma-iommu.c 2011-01-17 02:41:00.000000000 -0500
2631 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2634 /* We support DMA to/from any memory page via the iommu */
2635 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2636 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2638 struct iommu_table *tbl = get_iommu_table_base(dev);
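Review bot: `dma_iommu_dma_supported()` loses `static` here, but no prototype for it appears in the visible hunks, and the new user in arch/powerpc/kernel/vio.c (`.dma_supported = dma_iommu_dma_supported,`) needs one from a shared header. If the patch does not declare it elsewhere, add `extern int dma_iommu_dma_supported(struct device *dev, u64 mask);` to the header that already declares `dma_iommu_ops`. The function body continues outside the hunk.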
2640 @@ -90,6 +90,7 @@ static int dma_iommu_dma_supported(struc
2644 +/* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
2645 struct dma_map_ops dma_iommu_ops = {
2646 .alloc_coherent = dma_iommu_alloc_coherent,
2647 .free_coherent = dma_iommu_free_coherent,
2648 diff -urNp linux-2.6.37/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.37/arch/powerpc/kernel/dma-swiotlb.c
2649 --- linux-2.6.37/arch/powerpc/kernel/dma-swiotlb.c 2011-01-04 19:50:19.000000000 -0500
2650 +++ linux-2.6.37/arch/powerpc/kernel/dma-swiotlb.c 2011-01-17 02:41:00.000000000 -0500
2651 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2652 * map_page, and unmap_page on highmem, use normal dma_ops
2653 * for everything else.
2655 -struct dma_map_ops swiotlb_dma_ops = {
2656 +const struct dma_map_ops swiotlb_dma_ops = {
2657 .alloc_coherent = dma_direct_alloc_coherent,
2658 .free_coherent = dma_direct_free_coherent,
2659 .map_sg = swiotlb_map_sg_attrs,
2660 diff -urNp linux-2.6.37/arch/powerpc/kernel/exceptions-64e.S linux-2.6.37/arch/powerpc/kernel/exceptions-64e.S
2661 --- linux-2.6.37/arch/powerpc/kernel/exceptions-64e.S 2011-01-04 19:50:19.000000000 -0500
2662 +++ linux-2.6.37/arch/powerpc/kernel/exceptions-64e.S 2011-01-17 02:41:00.000000000 -0500
2663 @@ -495,6 +495,7 @@ storage_fault_common:
2666 addi r3,r1,STACK_FRAME_OVERHEAD
2670 ld r14,PACA_EXGEN+EX_R14(r13)
2671 @@ -504,8 +505,7 @@ storage_fault_common:
2674 b .ret_from_except_lite
2678 addi r3,r1,STACK_FRAME_OVERHEAD
2681 diff -urNp linux-2.6.37/arch/powerpc/kernel/exceptions-64s.S linux-2.6.37/arch/powerpc/kernel/exceptions-64s.S
2682 --- linux-2.6.37/arch/powerpc/kernel/exceptions-64s.S 2011-01-04 19:50:19.000000000 -0500
2683 +++ linux-2.6.37/arch/powerpc/kernel/exceptions-64s.S 2011-01-17 02:41:00.000000000 -0500
2684 @@ -847,10 +847,10 @@ handle_page_fault:
2687 addi r3,r1,STACK_FRAME_OVERHEAD
2694 addi r3,r1,STACK_FRAME_OVERHEAD
2696 diff -urNp linux-2.6.37/arch/powerpc/kernel/ibmebus.c linux-2.6.37/arch/powerpc/kernel/ibmebus.c
2697 --- linux-2.6.37/arch/powerpc/kernel/ibmebus.c 2011-01-04 19:50:19.000000000 -0500
2698 +++ linux-2.6.37/arch/powerpc/kernel/ibmebus.c 2011-01-17 02:41:00.000000000 -0500
2699 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2703 -static struct dma_map_ops ibmebus_dma_ops = {
2704 +static const struct dma_map_ops ibmebus_dma_ops = {
2705 .alloc_coherent = ibmebus_alloc_coherent,
2706 .free_coherent = ibmebus_free_coherent,
2707 .map_sg = ibmebus_map_sg,
2708 diff -urNp linux-2.6.37/arch/powerpc/kernel/kgdb.c linux-2.6.37/arch/powerpc/kernel/kgdb.c
2709 --- linux-2.6.37/arch/powerpc/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
2710 +++ linux-2.6.37/arch/powerpc/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
2711 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
2715 -struct kgdb_arch arch_kgdb_ops = {
2716 +const struct kgdb_arch arch_kgdb_ops = {
2717 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2720 diff -urNp linux-2.6.37/arch/powerpc/kernel/module_32.c linux-2.6.37/arch/powerpc/kernel/module_32.c
2721 --- linux-2.6.37/arch/powerpc/kernel/module_32.c 2011-01-04 19:50:19.000000000 -0500
2722 +++ linux-2.6.37/arch/powerpc/kernel/module_32.c 2011-01-17 02:41:00.000000000 -0500
2723 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2724 me->arch.core_plt_section = i;
2726 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2727 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2728 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
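Review bot: The reworded `printk()` in module_frob_arch_sections still carries no log level, while the message this patch adds to do_plt_call in the next hunk uses `KERN_ERR`. For consistency the line could read `printk(KERN_ERR "Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`. The enclosing function starts and ends outside the hunk.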
2732 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2734 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2735 /* Init, or core PLT? */
2736 - if (location >= mod->module_core
2737 - && location < mod->module_core + mod->core_size)
2738 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2739 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2740 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2742 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2743 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2744 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2746 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2750 /* Find this entry, or if that fails, the next avail. entry */
2751 while (entry->jump[0]) {
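Review bot: The four open-coded range tests on `location` repeat the rx/rw region split by hand, and the value returned from the new `invalid R_PPC_REL24` branch is not visible here. It is worth confirming that every caller of do_plt_call checks for that value before using the result as a branch target. If this patch also teaches `within_module_core()` and `within_module_init()` about the split regions, calling them here would keep the layout knowledge in one place. Otherwise a short comment above the `if`, such as `/* a call site may sit in either the rx or the rw mapping of core/init */`, would explain the doubled tests (presumed intent, to be confirmed). do_plt_call starts and ends outside the hunk.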
2752 diff -urNp linux-2.6.37/arch/powerpc/kernel/module.c linux-2.6.37/arch/powerpc/kernel/module.c
2753 --- linux-2.6.37/arch/powerpc/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
2754 +++ linux-2.6.37/arch/powerpc/kernel/module.c 2011-01-17 02:41:00.000000000 -0500
2757 LIST_HEAD(module_bug_list);
2759 +#ifdef CONFIG_PAX_KERNEXEC
2760 void *module_alloc(unsigned long size)
2765 + return vmalloc(size);
2768 +void *module_alloc_exec(unsigned long size)
2770 +void *module_alloc(unsigned long size)
2777 return vmalloc_exec(size);
2780 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2781 vfree(module_region);
2784 +#ifdef CONFIG_PAX_KERNEXEC
2785 +void module_free_exec(struct module *mod, void *module_region)
2787 + module_free(mod, module_region);
2791 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2792 const Elf_Shdr *sechdrs,
2794 diff -urNp linux-2.6.37/arch/powerpc/kernel/pci-common.c linux-2.6.37/arch/powerpc/kernel/pci-common.c
2795 --- linux-2.6.37/arch/powerpc/kernel/pci-common.c 2011-01-04 19:50:19.000000000 -0500
2796 +++ linux-2.6.37/arch/powerpc/kernel/pci-common.c 2011-01-17 02:41:00.000000000 -0500
2797 @@ -52,14 +52,14 @@ resource_size_t isa_mem_base;
2798 unsigned int ppc_pci_flags = 0;
2801 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2802 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2804 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2805 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2807 pci_dma_ops = dma_ops;
2810 -struct dma_map_ops *get_pci_dma_ops(void)
2811 +const struct dma_map_ops *get_pci_dma_ops(void)
2815 diff -urNp linux-2.6.37/arch/powerpc/kernel/process.c linux-2.6.37/arch/powerpc/kernel/process.c
2816 --- linux-2.6.37/arch/powerpc/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
2817 +++ linux-2.6.37/arch/powerpc/kernel/process.c 2011-01-17 02:41:00.000000000 -0500
2818 @@ -653,8 +653,8 @@ void show_regs(struct pt_regs * regs)
2819 * Lookup NIP late so we have the best change of getting the
2820 * above info out without failing
2822 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2823 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2824 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2825 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2827 show_stack(current, (unsigned long *) regs->gpr[1]);
2828 if (!user_mode(regs))
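Review bot: `%pA` is not defined anywhere in the visible hunks, so these two register dumps depend on a printk format extension added elsewhere in the patch. The same substitution is made in both show_stack hunks below. A one-line comment at this first use, for example `/* %pA: PaX variant of %pS, added by this patch to vsprintf */`, would tell a reader where to look; adjust the wording to what the extension actually does. Without that extension the symbol lookup would presumably be lost and only a raw address printed.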
2829 @@ -1144,10 +1144,10 @@ void show_stack(struct task_struct *tsk,
2831 ip = stack[STACK_FRAME_LR_SAVE];
2832 if (!firstframe || ip != lr) {
2833 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2834 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2835 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2836 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2839 (void *)current->ret_stack[curr_frame].ret);
2842 @@ -1167,7 +1167,7 @@ void show_stack(struct task_struct *tsk,
2843 struct pt_regs *regs = (struct pt_regs *)
2844 (sp + STACK_FRAME_OVERHEAD);
2846 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2847 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2848 regs->trap, (void *)regs->nip, (void *)lr);
2851 @@ -1242,58 +1242,3 @@ void thread_info_cache_init(void)
2854 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2856 -unsigned long arch_align_stack(unsigned long sp)
2858 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2859 - sp -= get_random_int() & ~PAGE_MASK;
2863 -static inline unsigned long brk_rnd(void)
2865 - unsigned long rnd = 0;
2867 - /* 8MB for 32bit, 1GB for 64bit */
2868 - if (is_32bit_task())
2869 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2871 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2873 - return rnd << PAGE_SHIFT;
2876 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2878 - unsigned long base = mm->brk;
2879 - unsigned long ret;
2881 -#ifdef CONFIG_PPC_STD_MMU_64
2883 - * If we are using 1TB segments and we are allowed to randomise
2884 - * the heap, we can put it above 1TB so it is backed by a 1TB
2885 - * segment. Otherwise the heap will be in the bottom 1TB
2886 - * which always uses 256MB segments and this may result in a
2887 - * performance penalty.
2889 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2890 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2893 - ret = PAGE_ALIGN(base + brk_rnd());
2895 - if (ret < mm->brk)
2901 -unsigned long randomize_et_dyn(unsigned long base)
2903 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2910 diff -urNp linux-2.6.37/arch/powerpc/kernel/signal_32.c linux-2.6.37/arch/powerpc/kernel/signal_32.c
2911 --- linux-2.6.37/arch/powerpc/kernel/signal_32.c 2011-01-04 19:50:19.000000000 -0500
2912 +++ linux-2.6.37/arch/powerpc/kernel/signal_32.c 2011-01-17 02:41:00.000000000 -0500
2913 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
2914 /* Save user registers on the stack */
2915 frame = &rt_sf->uc.uc_mcontext;
2917 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2918 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2919 if (save_user_regs(regs, frame, 0, 1))
2921 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
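Review bot: The bare `~0UL` in this test encodes a new "no vDSO" sentinel that is also hard-coded in handle_rt_signal64 (signal_64.c) and assigned in arch_setup_additional_pages (vdso.c). Any other reader of `context.vdso_base` that still tests for zero would now treat the unset value as a mapped base. Naming the sentinel once in a shared header, e.g. `#define VDSO_BASE_UNSET (~0UL)` (the name is only a suggestion), and using it in all three places would make stragglers easy to grep for. Only these three users are visible in this part of the patch, so the rest of the tree needs checking. handle_rt_signal32 continues outside the hunk.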
2922 diff -urNp linux-2.6.37/arch/powerpc/kernel/signal_64.c linux-2.6.37/arch/powerpc/kernel/signal_64.c
2923 --- linux-2.6.37/arch/powerpc/kernel/signal_64.c 2011-01-04 19:50:19.000000000 -0500
2924 +++ linux-2.6.37/arch/powerpc/kernel/signal_64.c 2011-01-17 02:41:00.000000000 -0500
2925 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2926 current->thread.fpscr.val = 0;
2928 /* Set up to return from userspace. */
2929 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2930 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2931 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2933 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2934 diff -urNp linux-2.6.37/arch/powerpc/kernel/vdso.c linux-2.6.37/arch/powerpc/kernel/vdso.c
2935 --- linux-2.6.37/arch/powerpc/kernel/vdso.c 2011-01-04 19:50:19.000000000 -0500
2936 +++ linux-2.6.37/arch/powerpc/kernel/vdso.c 2011-01-17 02:41:00.000000000 -0500
2938 #include <asm/firmware.h>
2939 #include <asm/vdso.h>
2940 #include <asm/vdso_datapage.h>
2941 +#include <asm/mman.h>
2945 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2946 vdso_base = VDSO32_MBASE;
2949 - current->mm->context.vdso_base = 0;
2950 + current->mm->context.vdso_base = ~0UL;
2952 /* vDSO has a problem and was disabled, just don't "enable" it for the
2954 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2955 vdso_base = get_unmapped_area(NULL, vdso_base,
2956 (vdso_pages << PAGE_SHIFT) +
2957 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2959 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2960 if (IS_ERR_VALUE(vdso_base)) {
2963 diff -urNp linux-2.6.37/arch/powerpc/kernel/vio.c linux-2.6.37/arch/powerpc/kernel/vio.c
2964 --- linux-2.6.37/arch/powerpc/kernel/vio.c 2011-01-04 19:50:19.000000000 -0500
2965 +++ linux-2.6.37/arch/powerpc/kernel/vio.c 2011-01-17 02:41:00.000000000 -0500
2966 @@ -600,11 +600,12 @@ static void vio_dma_iommu_unmap_sg(struc
2967 vio_cmo_dealloc(viodev, alloc_size);
2970 -struct dma_map_ops vio_dma_mapping_ops = {
2971 +static const struct dma_map_ops vio_dma_mapping_ops = {
2972 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2973 .free_coherent = vio_dma_iommu_free_coherent,
2974 .map_sg = vio_dma_iommu_map_sg,
2975 .unmap_sg = vio_dma_iommu_unmap_sg,
2976 + .dma_supported = dma_iommu_dma_supported,
2977 .map_page = vio_dma_iommu_map_page,
2978 .unmap_page = vio_dma_iommu_unmap_page,
2980 @@ -858,7 +859,6 @@ static void vio_cmo_bus_remove(struct vi
2982 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2984 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2985 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2988 diff -urNp linux-2.6.37/arch/powerpc/lib/usercopy_64.c linux-2.6.37/arch/powerpc/lib/usercopy_64.c
2989 --- linux-2.6.37/arch/powerpc/lib/usercopy_64.c 2011-01-04 19:50:19.000000000 -0500
2990 +++ linux-2.6.37/arch/powerpc/lib/usercopy_64.c 2011-01-17 02:41:00.000000000 -0500
2992 #include <linux/module.h>
2993 #include <asm/uaccess.h>
2995 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2997 - if (likely(access_ok(VERIFY_READ, from, n)))
2998 - n = __copy_from_user(to, from, n);
3004 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3006 - if (likely(access_ok(VERIFY_WRITE, to, n)))
3007 - n = __copy_to_user(to, from, n);
3011 unsigned long copy_in_user(void __user *to, const void __user *from,
3014 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
3018 -EXPORT_SYMBOL(copy_from_user);
3019 -EXPORT_SYMBOL(copy_to_user);
3020 EXPORT_SYMBOL(copy_in_user);
3022 diff -urNp linux-2.6.37/arch/powerpc/mm/fault.c linux-2.6.37/arch/powerpc/mm/fault.c
3023 --- linux-2.6.37/arch/powerpc/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
3024 +++ linux-2.6.37/arch/powerpc/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
3026 #include <linux/kdebug.h>
3027 #include <linux/perf_event.h>
3028 #include <linux/magic.h>
3029 +#include <linux/slab.h>
3030 +#include <linux/pagemap.h>
3031 +#include <linux/compiler.h>
3032 +#include <linux/unistd.h>
3034 #include <asm/firmware.h>
3035 #include <asm/page.h>
3037 #include <asm/tlbflush.h>
3038 #include <asm/siginfo.h>
3039 #include <mm/mmu_decl.h>
3040 +#include <asm/ptrace.h>
3042 #ifdef CONFIG_KPROBES
3043 static inline int notify_page_fault(struct pt_regs *regs)
3044 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
3048 +#ifdef CONFIG_PAX_PAGEEXEC
3050 + * PaX: decide what to do with offenders (regs->nip = fault address)
3052 + * returns 1 when task should be killed
3054 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3059 +void pax_report_insns(void *pc, void *sp)
3063 + printk(KERN_ERR "PAX: bytes at PC: ");
3064 + for (i = 0; i < 5; i++) {
3066 + if (get_user(c, (unsigned int __user *)pc+i))
3067 + printk(KERN_CONT "???????? ");
3069 + printk(KERN_CONT "%08x ", c);
3076 * Check whether the instruction at regs->nip is a store using
3077 * an update addressing form which will update r1.
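Review bot: pax_report_insns is added without any comment, and its loop bound `5` is a bare literal. A short header would help, e.g. `/* Log the five 32-bit words at the faulting PC; a word that cannot be read from user space is printed as ????????. */`. In the lines visible here `sp` is never used; if that holds for the whole body the comment should say the parameter exists only to match the reporting interface. Several lines of both new functions are not shown, so the wording needs checking against the full text.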
3078 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
3079 * indicate errors in DSISR but can validly be set in SRR1.
3082 - error_code &= 0x48200000;
3083 + error_code &= 0x58200000;
3085 is_write = error_code & DSISR_ISSTORE;
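Review bot: The mask literal `0x58200000` now also keeps bit `0x10000000`, which a later hunk in this file names `DSISR_GUARDED`, but nothing at this line says so. A comment such as `/* also keep DSISR_GUARDED: tested by the PAGEEXEC check in bad_area_nosemaphore */`, or a mask built from the named DSISR_* constants, would make the widened mask reviewable. do_page_fault starts and ends outside the hunk.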
3087 @@ -258,7 +290,7 @@ good_area:
3088 * "undefined". Of those that can be set, this is the only
3089 * one which seems bad.
3091 - if (error_code & 0x10000000)
3092 + if (error_code & DSISR_GUARDED)
3093 /* Guarded storage error. */
3095 #endif /* CONFIG_8xx */
3096 @@ -273,7 +305,7 @@ good_area:
3097 * processors use the same I/D cache coherency mechanism
3100 - if (error_code & DSISR_PROTFAULT)
3101 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
3103 #endif /* CONFIG_PPC_STD_MMU */
3105 @@ -342,6 +374,23 @@ bad_area:
3106 bad_area_nosemaphore:
3107 /* User mode accesses cause a SIGSEGV */
3108 if (user_mode(regs)) {
3110 +#ifdef CONFIG_PAX_PAGEEXEC
3111 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
3112 +#ifdef CONFIG_PPC_STD_MMU
3113 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
3115 + if (is_exec && regs->nip == address) {
3117 + switch (pax_handle_fetch_fault(regs)) {
3120 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
3121 + do_group_exit(SIGKILL);
3126 _exception(SIGSEGV, regs, code, address);
3129 diff -urNp linux-2.6.37/arch/powerpc/mm/mmap_64.c linux-2.6.37/arch/powerpc/mm/mmap_64.c
3130 --- linux-2.6.37/arch/powerpc/mm/mmap_64.c 2011-01-04 19:50:19.000000000 -0500
3131 +++ linux-2.6.37/arch/powerpc/mm/mmap_64.c 2011-01-17 02:41:00.000000000 -0500
3132 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
3134 if (mmap_is_legacy()) {
3135 mm->mmap_base = TASK_UNMAPPED_BASE;
3137 +#ifdef CONFIG_PAX_RANDMMAP
3138 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3139 + mm->mmap_base += mm->delta_mmap;
3142 mm->get_unmapped_area = arch_get_unmapped_area;
3143 mm->unmap_area = arch_unmap_area;
3145 mm->mmap_base = mmap_base();
3147 +#ifdef CONFIG_PAX_RANDMMAP
3148 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3149 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3152 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3153 mm->unmap_area = arch_unmap_area_topdown;
3155 diff -urNp linux-2.6.37/arch/powerpc/mm/slice.c linux-2.6.37/arch/powerpc/mm/slice.c
3156 --- linux-2.6.37/arch/powerpc/mm/slice.c 2011-01-04 19:50:19.000000000 -0500
3157 +++ linux-2.6.37/arch/powerpc/mm/slice.c 2011-01-17 02:41:00.000000000 -0500
3158 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
3159 if ((mm->task_size - len) < addr)
3161 vma = find_vma(mm, addr);
3162 - return (!vma || (addr + len) <= vma->vm_start);
3163 + return check_heap_stack_gap(vma, addr, len);
3166 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
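Review bot: `check_heap_stack_gap()` is not defined in the visible hunks, and it replaces an expression whose first clause accepted a NULL `vma` returned by `find_vma()`. The helper has to keep that case returning true, here and at the two later call sites in this file (under `full_search:` and in the top-down search). A comment at this first call, e.g. `/* true when [addr, addr + len) is free, including when vma is NULL */`, would record the contract the callers rely on; confirm it against the helper's definition. slice_area_is_free starts outside the hunk.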
3167 @@ -256,7 +256,7 @@ full_search:
3168 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
3171 - if (!vma || addr + len <= vma->vm_start) {
3172 + if (check_heap_stack_gap(vma, addr, len)) {
3174 * Remember the place where we stopped the search:
3176 @@ -336,7 +336,7 @@ static unsigned long slice_find_area_top
3177 * return with success:
3179 vma = find_vma(mm, addr);
3180 - if (!vma || (addr + len) <= vma->vm_start) {
3181 + if (check_heap_stack_gap(vma, addr, len)) {
3182 /* remember the address as a hint for next time */
3184 mm->free_area_cache = addr;
3185 @@ -426,6 +426,11 @@ unsigned long slice_get_unmapped_area(un
3186 if (fixed && addr > (mm->task_size - len))
3189 +#ifdef CONFIG_PAX_RANDMMAP
3190 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3194 /* If hint, make sure it matches our alignment restrictions */
3195 if (!fixed && addr) {
3196 addr = _ALIGN_UP(addr, 1ul << pshift);
3197 diff -urNp linux-2.6.37/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.37/arch/powerpc/platforms/52xx/lite5200_pm.c
3198 --- linux-2.6.37/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-01-04 19:50:19.000000000 -0500
3199 +++ linux-2.6.37/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-01-17 02:41:00.000000000 -0500
3200 @@ -232,7 +232,7 @@ static void lite5200_pm_end(void)
3201 lite5200_pm_target_state = PM_SUSPEND_ON;
3204 -static struct platform_suspend_ops lite5200_pm_ops = {
3205 +static const struct platform_suspend_ops lite5200_pm_ops = {
3206 .valid = lite5200_pm_valid,
3207 .begin = lite5200_pm_begin,
3208 .prepare = lite5200_pm_prepare,
3209 diff -urNp linux-2.6.37/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.37/arch/powerpc/platforms/52xx/mpc52xx_pm.c
3210 --- linux-2.6.37/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-01-04 19:50:19.000000000 -0500
3211 +++ linux-2.6.37/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-01-17 02:41:00.000000000 -0500
3212 @@ -186,7 +186,7 @@ void mpc52xx_pm_finish(void)
3216 -static struct platform_suspend_ops mpc52xx_pm_ops = {
3217 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
3218 .valid = mpc52xx_pm_valid,
3219 .prepare = mpc52xx_pm_prepare,
3220 .enter = mpc52xx_pm_enter,
3221 diff -urNp linux-2.6.37/arch/powerpc/platforms/83xx/suspend.c linux-2.6.37/arch/powerpc/platforms/83xx/suspend.c
3222 --- linux-2.6.37/arch/powerpc/platforms/83xx/suspend.c 2011-01-04 19:50:19.000000000 -0500
3223 +++ linux-2.6.37/arch/powerpc/platforms/83xx/suspend.c 2011-01-17 02:41:00.000000000 -0500
3224 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
3228 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
3229 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
3230 .valid = mpc83xx_suspend_valid,
3231 .begin = mpc83xx_suspend_begin,
3232 .enter = mpc83xx_suspend_enter,
3233 diff -urNp linux-2.6.37/arch/powerpc/platforms/cell/iommu.c linux-2.6.37/arch/powerpc/platforms/cell/iommu.c
3234 --- linux-2.6.37/arch/powerpc/platforms/cell/iommu.c 2011-01-04 19:50:19.000000000 -0500
3235 +++ linux-2.6.37/arch/powerpc/platforms/cell/iommu.c 2011-01-17 02:41:00.000000000 -0500
3236 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3238 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3240 -struct dma_map_ops dma_iommu_fixed_ops = {
3241 +const struct dma_map_ops dma_iommu_fixed_ops = {
3242 .alloc_coherent = dma_fixed_alloc_coherent,
3243 .free_coherent = dma_fixed_free_coherent,
3244 .map_sg = dma_fixed_map_sg,
3245 diff -urNp linux-2.6.37/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.37/arch/powerpc/platforms/ps3/system-bus.c
3246 --- linux-2.6.37/arch/powerpc/platforms/ps3/system-bus.c 2011-01-04 19:50:19.000000000 -0500
3247 +++ linux-2.6.37/arch/powerpc/platforms/ps3/system-bus.c 2011-01-17 02:41:00.000000000 -0500
3248 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
3249 return mask >= DMA_BIT_MASK(32);
3252 -static struct dma_map_ops ps3_sb_dma_ops = {
3253 +static const struct dma_map_ops ps3_sb_dma_ops = {
3254 .alloc_coherent = ps3_alloc_coherent,
3255 .free_coherent = ps3_free_coherent,
3256 .map_sg = ps3_sb_map_sg,
3257 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3258 .unmap_page = ps3_unmap_page,
3261 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3262 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3263 .alloc_coherent = ps3_alloc_coherent,
3264 .free_coherent = ps3_free_coherent,
3265 .map_sg = ps3_ioc0_map_sg,
3266 diff -urNp linux-2.6.37/arch/powerpc/platforms/pseries/suspend.c linux-2.6.37/arch/powerpc/platforms/pseries/suspend.c
3267 --- linux-2.6.37/arch/powerpc/platforms/pseries/suspend.c 2011-01-04 19:50:19.000000000 -0500
3268 +++ linux-2.6.37/arch/powerpc/platforms/pseries/suspend.c 2011-01-17 02:41:00.000000000 -0500
3269 @@ -153,7 +153,7 @@ static struct sysdev_class suspend_sysde
3273 -static struct platform_suspend_ops pseries_suspend_ops = {
3274 +static const struct platform_suspend_ops pseries_suspend_ops = {
3275 .valid = suspend_valid_only_mem,
3276 .begin = pseries_suspend_begin,
3277 .prepare_late = pseries_prepare_late,
3278 diff -urNp linux-2.6.37/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.37/arch/powerpc/sysdev/fsl_pmc.c
3279 --- linux-2.6.37/arch/powerpc/sysdev/fsl_pmc.c 2011-01-04 19:50:19.000000000 -0500
3280 +++ linux-2.6.37/arch/powerpc/sysdev/fsl_pmc.c 2011-01-17 02:41:00.000000000 -0500
3281 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
3285 -static struct platform_suspend_ops pmc_suspend_ops = {
3286 +static const struct platform_suspend_ops pmc_suspend_ops = {
3287 .valid = pmc_suspend_valid,
3288 .enter = pmc_suspend_enter,
3290 diff -urNp linux-2.6.37/arch/s390/include/asm/elf.h linux-2.6.37/arch/s390/include/asm/elf.h
3291 --- linux-2.6.37/arch/s390/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
3292 +++ linux-2.6.37/arch/s390/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
3293 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
3294 that it will "exec", and that there is sufficient room for the brk. */
3295 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3297 +#ifdef CONFIG_PAX_ASLR
3298 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3300 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3301 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3304 /* This yields a mask that user programs can use to figure out what
3305 instruction set this CPU supports. */
3307 diff -urNp linux-2.6.37/arch/s390/include/asm/uaccess.h linux-2.6.37/arch/s390/include/asm/uaccess.h
3308 --- linux-2.6.37/arch/s390/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
3309 +++ linux-2.6.37/arch/s390/include/asm/uaccess.h 2011-01-17 02:41:00.000000000 -0500
3310 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3311 copy_to_user(void __user *to, const void *from, unsigned long n)
3318 if (access_ok(VERIFY_WRITE, to, n))
3319 n = __copy_to_user(to, from, n);
3321 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3322 static inline unsigned long __must_check
3323 __copy_from_user(void *to, const void __user *from, unsigned long n)
3328 if (__builtin_constant_p(n) && (n <= 256))
3329 return uaccess.copy_from_user_small(n, from, to);
3331 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3332 unsigned int sz = __compiletime_object_size(to);
3339 if (unlikely(sz != -1 && sz < n)) {
3340 copy_from_user_overflow();
3342 diff -urNp linux-2.6.37/arch/s390/Kconfig linux-2.6.37/arch/s390/Kconfig
3343 --- linux-2.6.37/arch/s390/Kconfig 2011-01-04 19:50:19.000000000 -0500
3344 +++ linux-2.6.37/arch/s390/Kconfig 2011-01-17 02:41:00.000000000 -0500
3345 @@ -242,13 +242,12 @@ config AUDIT_ARCH
3347 config S390_EXEC_PROTECT
3348 bool "Data execute protection"
3351 This option allows to enable a buffer overflow protection for user
3352 - space programs and it also selects the addressing mode option above.
3353 - The kernel parameter noexec=on will enable this feature and also
3354 - switch the addressing modes, default is disabled. Enabling this (via
3355 - kernel parameter) on machines earlier than IBM System z9 this will
3356 - reduce system performance.
3358 + Enabling this (via kernel parameter) on machines earlier than IBM
3359 + System z9 will reduce system performance.
3361 comment "Code generation options"
3363 diff -urNp linux-2.6.37/arch/s390/kernel/module.c linux-2.6.37/arch/s390/kernel/module.c
3364 --- linux-2.6.37/arch/s390/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
3365 +++ linux-2.6.37/arch/s390/kernel/module.c 2011-01-17 02:41:00.000000000 -0500
3366 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3368 /* Increase core size by size of got & plt and set start
3369 offsets for got and plt. */
3370 - me->core_size = ALIGN(me->core_size, 4);
3371 - me->arch.got_offset = me->core_size;
3372 - me->core_size += me->arch.got_size;
3373 - me->arch.plt_offset = me->core_size;
3374 - me->core_size += me->arch.plt_size;
3375 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3376 + me->arch.got_offset = me->core_size_rw;
3377 + me->core_size_rw += me->arch.got_size;
3378 + me->arch.plt_offset = me->core_size_rx;
3379 + me->core_size_rx += me->arch.plt_size;
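Review bot: `me->arch.plt_offset` is now taken from `me->core_size_rx` without any alignment, whereas the old code placed both GOT and PLT after an `ALIGN(me->core_size, 4)`. In the new lines only `core_size_rw` is aligned. If `core_size_rx` can be non-zero and unaligned at this point, the PLT stubs that apply_rela writes through `ip[0] = ...` would start at an unaligned offset. Adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the `plt_offset` assignment gives the PLT the same treatment as the GOT. module_frob_arch_sections starts and ends outside the hunk.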
3383 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3384 if (info->got_initialized == 0) {
3387 - gotent = me->module_core + me->arch.got_offset +
3388 + gotent = me->module_core_rw + me->arch.got_offset +
3391 info->got_initialized = 1;
3392 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3393 else if (r_type == R_390_GOTENT ||
3394 r_type == R_390_GOTPLTENT)
3395 *(unsigned int *) loc =
3396 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3397 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3398 else if (r_type == R_390_GOT64 ||
3399 r_type == R_390_GOTPLT64)
3400 *(unsigned long *) loc = val;
3401 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3402 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3403 if (info->plt_initialized == 0) {
3405 - ip = me->module_core + me->arch.plt_offset +
3406 + ip = me->module_core_rx + me->arch.plt_offset +
3408 #ifndef CONFIG_64BIT
3409 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3410 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3411 val - loc + 0xffffUL < 0x1ffffeUL) ||
3412 (r_type == R_390_PLT32DBL &&
3413 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3414 - val = (Elf_Addr) me->module_core +
3415 + val = (Elf_Addr) me->module_core_rx +
3416 me->arch.plt_offset +
3418 val += rela->r_addend - loc;
3419 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3420 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3421 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3422 val = val + rela->r_addend -
3423 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3424 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3425 if (r_type == R_390_GOTOFF16)
3426 *(unsigned short *) loc = val;
3427 else if (r_type == R_390_GOTOFF32)
3428 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3430 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3431 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3432 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3433 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3434 rela->r_addend - loc;
3435 if (r_type == R_390_GOTPC)
3436 *(unsigned int *) loc = val;
3437 diff -urNp linux-2.6.37/arch/s390/kernel/setup.c linux-2.6.37/arch/s390/kernel/setup.c
3438 --- linux-2.6.37/arch/s390/kernel/setup.c 2011-01-04 19:50:19.000000000 -0500
3439 +++ linux-2.6.37/arch/s390/kernel/setup.c 2011-01-17 02:41:00.000000000 -0500
3440 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3442 early_param("mem", early_parse_mem);
3444 -unsigned int user_mode = HOME_SPACE_MODE;
3445 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3446 EXPORT_SYMBOL_GPL(user_mode);
3448 static int set_amode_and_uaccess(unsigned long user_amode,
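Review bot: The default of `user_mode` changes to `SECONDARY_SPACE_MODE` without a comment, and the two later hunks in this file delete the `switch_amode` and `noexec` early parameters, leaving `user_mode=` as the only override visible here. Boot command lines that still pass `noexec=off` or `switch_amode` would presumably have those options ignored. That behaviour change deserves a note at the definition, e.g. `/* secondary space mode by default; only user_mode= can override it */`. The S390_EXEC_PROTECT help text edited by this patch still says "Enabling this (via kernel parameter)", which no longer matches once `noexec` is removed.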
3449 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3454 - * Switch kernel/user addressing modes?
3456 -static int __init early_parse_switch_amode(char *p)
3458 - if (user_mode != SECONDARY_SPACE_MODE)
3459 - user_mode = PRIMARY_SPACE_MODE;
3462 -early_param("switch_amode", early_parse_switch_amode);
3464 static int __init early_parse_user_mode(char *p)
3466 if (p && strcmp(p, "primary") == 0)
3467 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3469 early_param("user_mode", early_parse_user_mode);
3471 -#ifdef CONFIG_S390_EXEC_PROTECT
3473 - * Enable execute protection?
3475 -static int __init early_parse_noexec(char *p)
3477 - if (!strncmp(p, "off", 3))
3479 - user_mode = SECONDARY_SPACE_MODE;
3482 -early_param("noexec", early_parse_noexec);
3483 -#endif /* CONFIG_S390_EXEC_PROTECT */
3485 static void setup_addressing_mode(void)
3487 if (user_mode == SECONDARY_SPACE_MODE) {
3488 diff -urNp linux-2.6.37/arch/s390/mm/maccess.c linux-2.6.37/arch/s390/mm/maccess.c
3489 --- linux-2.6.37/arch/s390/mm/maccess.c 2011-01-04 19:50:19.000000000 -0500
3490 +++ linux-2.6.37/arch/s390/mm/maccess.c 2011-01-17 02:41:00.000000000 -0500
3491 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3492 return rc ? rc : count;
3495 -long probe_kernel_write(void *dst, void *src, size_t size)
3496 +long probe_kernel_write(void *dst, const void *src, size_t size)
3500 diff -urNp linux-2.6.37/arch/s390/mm/mmap.c linux-2.6.37/arch/s390/mm/mmap.c
3501 --- linux-2.6.37/arch/s390/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
3502 +++ linux-2.6.37/arch/s390/mm/mmap.c 2011-01-17 02:41:00.000000000 -0500
3503 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3505 if (mmap_is_legacy()) {
3506 mm->mmap_base = TASK_UNMAPPED_BASE;
3508 +#ifdef CONFIG_PAX_RANDMMAP
3509 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3510 + mm->mmap_base += mm->delta_mmap;
3513 mm->get_unmapped_area = arch_get_unmapped_area;
3514 mm->unmap_area = arch_unmap_area;
3516 mm->mmap_base = mmap_base();
3518 +#ifdef CONFIG_PAX_RANDMMAP
3519 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3520 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3523 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3524 mm->unmap_area = arch_unmap_area_topdown;
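Review bot: The added `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` in the top-down branch has no visible lower bound, so nothing in this hunk shows what keeps the unsigned subtraction from wrapping or landing below the lowest usable address. If `mmap_base()` already leaves enough headroom for the largest possible deltas, a one-line comment above the subtraction should name that invariant. It would also help to say why the stack delta is subtracted here but not added in the legacy branch. The same lines recur in the second hunk of this file (`@@ -153,10 +165,22 @@`), and `arch_pick_mmap_layout()` starts and ends outside both hunks.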
3526 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3528 if (mmap_is_legacy()) {
3529 mm->mmap_base = TASK_UNMAPPED_BASE;
3531 +#ifdef CONFIG_PAX_RANDMMAP
3532 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3533 + mm->mmap_base += mm->delta_mmap;
3536 mm->get_unmapped_area = s390_get_unmapped_area;
3537 mm->unmap_area = arch_unmap_area;
3539 mm->mmap_base = mmap_base();
3541 +#ifdef CONFIG_PAX_RANDMMAP
3542 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3543 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3546 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3547 mm->unmap_area = arch_unmap_area_topdown;
3549 diff -urNp linux-2.6.37/arch/score/include/asm/system.h linux-2.6.37/arch/score/include/asm/system.h
3550 --- linux-2.6.37/arch/score/include/asm/system.h 2011-01-04 19:50:19.000000000 -0500
3551 +++ linux-2.6.37/arch/score/include/asm/system.h 2011-01-17 02:41:00.000000000 -0500
3552 @@ -17,7 +17,7 @@ do { \
3553 #define finish_arch_switch(prev) do {} while (0)
3555 typedef void (*vi_handler_t)(void);
3556 -extern unsigned long arch_align_stack(unsigned long sp);
3557 +#define arch_align_stack(x) (x)
3559 #define mb() barrier()
3560 #define rmb() barrier()
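Review bot: Replacing the `arch_align_stack()` prototype with the function-like macro `#define arch_align_stack(x) (x)` drops the `unsigned long` parameter and return types, so a caller passing a pointer or a narrower type no longer gets a diagnostic. A typed identity helper keeps the interface checked at no cost: `static inline unsigned long arch_align_stack(unsigned long sp) { return sp; }`. The body of the function removed from arch/score/kernel/process.c is not visible on this page, so whether an identity mapping preserves its behaviour should be confirmed against that file.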
3561 diff -urNp linux-2.6.37/arch/score/kernel/process.c linux-2.6.37/arch/score/kernel/process.c
3562 --- linux-2.6.37/arch/score/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
3563 +++ linux-2.6.37/arch/score/kernel/process.c 2011-01-17 02:41:00.000000000 -0500
3564 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3566 return task_pt_regs(task)->cp0_epc;
3569 -unsigned long arch_align_stack(unsigned long sp)
3573 diff -urNp linux-2.6.37/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.37/arch/sh/boards/mach-hp6xx/pm.c
3574 --- linux-2.6.37/arch/sh/boards/mach-hp6xx/pm.c 2011-01-04 19:50:19.000000000 -0500
3575 +++ linux-2.6.37/arch/sh/boards/mach-hp6xx/pm.c 2011-01-17 02:41:00.000000000 -0500
3576 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3580 -static struct platform_suspend_ops hp6x0_pm_ops = {
3581 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3582 .enter = hp6x0_pm_enter,
3583 .valid = suspend_valid_only_mem,
3585 diff -urNp linux-2.6.37/arch/sh/include/asm/dma-mapping.h linux-2.6.37/arch/sh/include/asm/dma-mapping.h
3586 --- linux-2.6.37/arch/sh/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
3587 +++ linux-2.6.37/arch/sh/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
3589 #ifndef __ASM_SH_DMA_MAPPING_H
3590 #define __ASM_SH_DMA_MAPPING_H
3592 -extern struct dma_map_ops *dma_ops;
3593 +extern const struct dma_map_ops *dma_ops;
3594 extern void no_iommu_init(void);
3596 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3597 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3601 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3603 static inline int dma_supported(struct device *dev, u64 mask)
3605 - struct dma_map_ops *ops = get_dma_ops(dev);
3606 + const struct dma_map_ops *ops = get_dma_ops(dev);
3608 if (ops->dma_supported)
3609 return ops->dma_supported(dev, mask);
3610 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3612 static inline int dma_set_mask(struct device *dev, u64 mask)
3614 - struct dma_map_ops *ops = get_dma_ops(dev);
3615 + const struct dma_map_ops *ops = get_dma_ops(dev);
3617 if (!dev->dma_mask || !dma_supported(dev, mask))
3619 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
3621 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3623 - struct dma_map_ops *ops = get_dma_ops(dev);
3624 + const struct dma_map_ops *ops = get_dma_ops(dev);
3626 if (ops->mapping_error)
3627 return ops->mapping_error(dev, dma_addr);
3628 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
3629 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3630 dma_addr_t *dma_handle, gfp_t gfp)
3632 - struct dma_map_ops *ops = get_dma_ops(dev);
3633 + const struct dma_map_ops *ops = get_dma_ops(dev);
3636 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3637 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
3638 static inline void dma_free_coherent(struct device *dev, size_t size,
3639 void *vaddr, dma_addr_t dma_handle)
3641 - struct dma_map_ops *ops = get_dma_ops(dev);
3642 + const struct dma_map_ops *ops = get_dma_ops(dev);
3644 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3646 diff -urNp linux-2.6.37/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.37/arch/sh/kernel/cpu/shmobile/pm.c
3647 --- linux-2.6.37/arch/sh/kernel/cpu/shmobile/pm.c 2011-01-04 19:50:19.000000000 -0500
3648 +++ linux-2.6.37/arch/sh/kernel/cpu/shmobile/pm.c 2011-01-17 02:41:00.000000000 -0500
3649 @@ -141,7 +141,7 @@ static int sh_pm_enter(suspend_state_t s
3653 -static struct platform_suspend_ops sh_pm_ops = {
3654 +static const struct platform_suspend_ops sh_pm_ops = {
3655 .enter = sh_pm_enter,
3656 .valid = suspend_valid_only_mem,
3658 diff -urNp linux-2.6.37/arch/sh/kernel/dma-nommu.c linux-2.6.37/arch/sh/kernel/dma-nommu.c
3659 --- linux-2.6.37/arch/sh/kernel/dma-nommu.c 2011-01-04 19:50:19.000000000 -0500
3660 +++ linux-2.6.37/arch/sh/kernel/dma-nommu.c 2011-01-17 02:41:00.000000000 -0500
3661 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3665 -struct dma_map_ops nommu_dma_ops = {
3666 +const struct dma_map_ops nommu_dma_ops = {
3667 .alloc_coherent = dma_generic_alloc_coherent,
3668 .free_coherent = dma_generic_free_coherent,
3669 .map_page = nommu_map_page,
3670 diff -urNp linux-2.6.37/arch/sh/kernel/kgdb.c linux-2.6.37/arch/sh/kernel/kgdb.c
3671 --- linux-2.6.37/arch/sh/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
3672 +++ linux-2.6.37/arch/sh/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
3673 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3674 unregister_die_notifier(&kgdb_notifier);
3677 -struct kgdb_arch arch_kgdb_ops = {
3678 +const struct kgdb_arch arch_kgdb_ops = {
3679 /* Breakpoint instruction: trapa #0x3c */
3680 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3681 .gdb_bpt_instr = { 0x3c, 0xc3 },
3682 diff -urNp linux-2.6.37/arch/sh/mm/consistent.c linux-2.6.37/arch/sh/mm/consistent.c
3683 --- linux-2.6.37/arch/sh/mm/consistent.c 2011-01-04 19:50:19.000000000 -0500
3684 +++ linux-2.6.37/arch/sh/mm/consistent.c 2011-01-17 02:41:00.000000000 -0500
3687 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3689 -struct dma_map_ops *dma_ops;
3690 +const struct dma_map_ops *dma_ops;
3691 EXPORT_SYMBOL(dma_ops);
3693 static int __init dma_init(void)
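Review bot: `const struct dma_map_ops *dma_ops;` makes the pointed-to table read-only, but the exported pointer itself is still an ordinary writable global, so `get_dma_ops()` keeps loading its target from writable data. If the pointer is only assigned during boot (the assignment is not visible in this hunk), state that next to the definition, e.g. `/* assigned during boot only; the ops tables themselves are const */`, and apply whatever read-only-data annotation the tree offers for init-time-written variables. The same holds for the `dma_ops` definitions changed in arch/sparc/kernel/iommu.c and arch/sparc/kernel/ioport.c.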
3694 diff -urNp linux-2.6.37/arch/sh/mm/mmap.c linux-2.6.37/arch/sh/mm/mmap.c
3695 --- linux-2.6.37/arch/sh/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
3696 +++ linux-2.6.37/arch/sh/mm/mmap.c 2011-01-17 02:41:00.000000000 -0500
3697 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3698 addr = PAGE_ALIGN(addr);
3700 vma = find_vma(mm, addr);
3701 - if (TASK_SIZE - len >= addr &&
3702 - (!vma || addr + len <= vma->vm_start))
3703 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
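Review bot: The open-coded test `!vma || addr + len <= vma->vm_start` handled a NULL `vma` explicitly, while the replacement `check_heap_stack_gap(vma, addr, len)` leaves that to a helper whose definition is not in this hunk, and the `find_vma()` result is passed straight in. Once confirmed against the helper, a short comment at the first call site would make the contract visible, for example `/* check_heap_stack_gap() accepts vma == NULL (no mapping at or above addr) */`. The top-down call further down passes `addr - len` as the start, unlike the other call sites, which is easy to get wrong when the code is next touched. The same substitution appears in the remaining hunks of this file and in arch/sparc/kernel/sys_sparc_32.c and sys_sparc_64.c; the enclosing functions start and end outside the hunks.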
3707 @@ -106,7 +105,7 @@ full_search:
3711 - if (likely(!vma || addr + len <= vma->vm_start)) {
3712 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3714 * Remember the place where we stopped the search:
3716 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3717 addr = PAGE_ALIGN(addr);
3719 vma = find_vma(mm, addr);
3720 - if (TASK_SIZE - len >= addr &&
3721 - (!vma || addr + len <= vma->vm_start))
3722 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3726 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3727 /* make sure it can fit in the remaining address space */
3728 if (likely(addr > len)) {
3729 vma = find_vma(mm, addr-len);
3730 - if (!vma || addr <= vma->vm_start) {
3731 + if (check_heap_stack_gap(vma, addr - len, len)) {
3732 /* remember the address as a hint for next time */
3733 return (mm->free_area_cache = addr-len);
3735 @@ -199,7 +197,7 @@ arch_get_unmapped_area_topdown(struct fi
3736 * return with success:
3738 vma = find_vma(mm, addr);
3739 - if (likely(!vma || addr+len <= vma->vm_start)) {
3740 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3741 /* remember the address as a hint for next time */
3742 return (mm->free_area_cache = addr);
3744 diff -urNp linux-2.6.37/arch/sparc/include/asm/atomic_64.h linux-2.6.37/arch/sparc/include/asm/atomic_64.h
3745 --- linux-2.6.37/arch/sparc/include/asm/atomic_64.h 2011-01-04 19:50:19.000000000 -0500
3746 +++ linux-2.6.37/arch/sparc/include/asm/atomic_64.h 2011-01-17 02:41:00.000000000 -0500
3748 #define ATOMIC64_INIT(i) { (i) }
3750 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3751 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3753 + return v->counter;
3755 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3756 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3758 + return v->counter;
3761 #define atomic_set(v, i) (((v)->counter) = i)
3762 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3766 #define atomic64_set(v, i) (((v)->counter) = i)
3767 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3772 extern void atomic_add(int, atomic_t *);
3773 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3774 extern void atomic64_add(long, atomic64_t *);
3775 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3776 extern void atomic_sub(int, atomic_t *);
3777 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3778 extern void atomic64_sub(long, atomic64_t *);
3779 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3781 extern int atomic_add_ret(int, atomic_t *);
3782 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3783 extern long atomic64_add_ret(long, atomic64_t *);
3784 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3785 extern int atomic_sub_ret(int, atomic_t *);
3786 extern long atomic64_sub_ret(long, atomic64_t *);
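Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` return `v->counter` with a plain load, whereas the neighbouring `atomic_read()` and `atomic64_read()` macros force a volatile access. Unless `counter` is declared volatile in `atomic_unchecked_t` and `atomic64_unchecked_t` (the types are not defined in this hunk), the compiler may hoist or merge these reads in a polling loop. Mirroring the checked variants keeps the semantics aligned: `return *(const volatile int *)&v->counter;` and `return *(const volatile long *)&v->counter;`.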
3788 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
3789 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3791 #define atomic_inc_return(v) atomic_add_ret(1, v)
3792 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3794 + return atomic_add_ret_unchecked(1, v);
3796 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3797 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3799 + return atomic64_add_ret_unchecked(1, v);
3802 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3803 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3805 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3806 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3808 + return atomic_add_ret_unchecked(i, v);
3810 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3813 @@ -59,10 +93,26 @@ extern long atomic64_sub_ret(long, atomi
3814 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3816 #define atomic_inc(v) atomic_add(1, v)
3817 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3819 + atomic_add_unchecked(1, v);
3821 #define atomic64_inc(v) atomic64_add(1, v)
3822 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3824 + atomic64_add_unchecked(1, v);
3827 #define atomic_dec(v) atomic_sub(1, v)
3828 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3830 + atomic_sub_unchecked(1, v);
3832 #define atomic64_dec(v) atomic64_sub(1, v)
3833 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3835 + atomic64_sub_unchecked(1, v);
3838 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3839 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3840 @@ -72,17 +122,28 @@ extern long atomic64_sub_ret(long, atomi
3842 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3848 - if (unlikely(c == (u)))
3849 + if (unlikely(c == u))
3851 - old = atomic_cmpxchg((v), c, c + (a));
3853 + asm volatile("addcc %2, %0, %0\n"
3855 +#ifdef CONFIG_PAX_REFCOUNT
3860 + : "0" (c), "ir" (a)
3863 + old = atomic_cmpxchg(v, c, new);
3864 if (likely(old == c))
3872 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3873 @@ -93,17 +154,28 @@ static inline int atomic_add_unless(atom
3875 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3879 c = atomic64_read(v);
3881 - if (unlikely(c == (u)))
3882 + if (unlikely(c == u))
3884 - old = atomic64_cmpxchg((v), c, c + (a));
3886 + asm volatile("addcc %2, %0, %0\n"
3888 +#ifdef CONFIG_PAX_REFCOUNT
3893 + : "0" (c), "ir" (a)
3896 + old = atomic64_cmpxchg(v, c, new);
3897 if (likely(old == c))
3905 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3906 diff -urNp linux-2.6.37/arch/sparc/include/asm/dma-mapping.h linux-2.6.37/arch/sparc/include/asm/dma-mapping.h
3907 --- linux-2.6.37/arch/sparc/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
3908 +++ linux-2.6.37/arch/sparc/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
3909 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
3910 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
3911 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3913 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3914 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3915 extern struct bus_type pci_bus_type;
3917 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3918 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3920 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3921 if (dev->bus == &pci_bus_type)
3922 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
3923 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3924 dma_addr_t *dma_handle, gfp_t flag)
3926 - struct dma_map_ops *ops = get_dma_ops(dev);
3927 + const struct dma_map_ops *ops = get_dma_ops(dev);
3930 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3931 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
3932 static inline void dma_free_coherent(struct device *dev, size_t size,
3933 void *cpu_addr, dma_addr_t dma_handle)
3935 - struct dma_map_ops *ops = get_dma_ops(dev);
3936 + const struct dma_map_ops *ops = get_dma_ops(dev);
3938 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3939 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3940 diff -urNp linux-2.6.37/arch/sparc/include/asm/elf_32.h linux-2.6.37/arch/sparc/include/asm/elf_32.h
3941 --- linux-2.6.37/arch/sparc/include/asm/elf_32.h 2011-01-04 19:50:19.000000000 -0500
3942 +++ linux-2.6.37/arch/sparc/include/asm/elf_32.h 2011-01-17 02:41:00.000000000 -0500
3943 @@ -114,6 +114,13 @@ typedef struct {
3945 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3947 +#ifdef CONFIG_PAX_ASLR
3948 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3950 +#define PAX_DELTA_MMAP_LEN 16
3951 +#define PAX_DELTA_STACK_LEN 16
3954 /* This yields a mask that user programs can use to figure out what
3955 instruction set this cpu supports. This can NOT be done in userspace
3957 diff -urNp linux-2.6.37/arch/sparc/include/asm/elf_64.h linux-2.6.37/arch/sparc/include/asm/elf_64.h
3958 --- linux-2.6.37/arch/sparc/include/asm/elf_64.h 2011-01-04 19:50:19.000000000 -0500
3959 +++ linux-2.6.37/arch/sparc/include/asm/elf_64.h 2011-01-17 02:41:00.000000000 -0500
3960 @@ -162,6 +162,12 @@ typedef struct {
3961 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3962 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3964 +#ifdef CONFIG_PAX_ASLR
3965 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3967 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3968 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3971 /* This yields a mask that user programs can use to figure out what
3972 instruction set this cpu supports. */
3973 diff -urNp linux-2.6.37/arch/sparc/include/asm/pgtable_32.h linux-2.6.37/arch/sparc/include/asm/pgtable_32.h
3974 --- linux-2.6.37/arch/sparc/include/asm/pgtable_32.h 2011-01-04 19:50:19.000000000 -0500
3975 +++ linux-2.6.37/arch/sparc/include/asm/pgtable_32.h 2011-01-17 02:41:00.000000000 -0500
3976 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3977 BTFIXUPDEF_INT(page_none)
3978 BTFIXUPDEF_INT(page_copy)
3979 BTFIXUPDEF_INT(page_readonly)
3981 +#ifdef CONFIG_PAX_PAGEEXEC
3982 +BTFIXUPDEF_INT(page_shared_noexec)
3983 +BTFIXUPDEF_INT(page_copy_noexec)
3984 +BTFIXUPDEF_INT(page_readonly_noexec)
3987 BTFIXUPDEF_INT(page_kernel)
3989 #define PMD_SHIFT SUN4C_PMD_SHIFT
3990 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3991 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3992 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3994 +#ifdef CONFIG_PAX_PAGEEXEC
3995 +extern pgprot_t PAGE_SHARED_NOEXEC;
3996 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3997 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3999 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
4000 +# define PAGE_COPY_NOEXEC PAGE_COPY
4001 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
4004 extern unsigned long page_kernel;
4007 diff -urNp linux-2.6.37/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.37/arch/sparc/include/asm/pgtsrmmu.h
4008 --- linux-2.6.37/arch/sparc/include/asm/pgtsrmmu.h 2011-01-04 19:50:19.000000000 -0500
4009 +++ linux-2.6.37/arch/sparc/include/asm/pgtsrmmu.h 2011-01-17 02:41:00.000000000 -0500
4010 @@ -115,6 +115,13 @@
4011 SRMMU_EXEC | SRMMU_REF)
4012 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
4013 SRMMU_EXEC | SRMMU_REF)
4015 +#ifdef CONFIG_PAX_PAGEEXEC
4016 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
4017 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4018 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4021 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
4022 SRMMU_DIRTY | SRMMU_REF)
4024 diff -urNp linux-2.6.37/arch/sparc/include/asm/spinlock_64.h linux-2.6.37/arch/sparc/include/asm/spinlock_64.h
4025 --- linux-2.6.37/arch/sparc/include/asm/spinlock_64.h 2011-01-04 19:50:19.000000000 -0500
4026 +++ linux-2.6.37/arch/sparc/include/asm/spinlock_64.h 2011-01-17 02:41:00.000000000 -0500
4027 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
4028 __asm__ __volatile__ (
4029 "1: ldsw [%2], %0\n"
4031 -"4: add %0, 1, %1\n"
4032 +"4: addcc %0, 1, %1\n"
4034 +#ifdef CONFIG_PAX_REFCOUNT
4038 " cas [%2], %0, %1\n"
4040 " bne,pn %%icc, 1b\n"
4041 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
4043 : "=&r" (tmp1), "=&r" (tmp2)
4046 + : "memory", "cc");
4049 static int inline arch_read_trylock(arch_rwlock_t *lock)
4050 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
4051 "1: ldsw [%2], %0\n"
4052 " brlz,a,pn %0, 2f\n"
4055 +" addcc %0, 1, %1\n"
4057 +#ifdef CONFIG_PAX_REFCOUNT
4061 " cas [%2], %0, %1\n"
4063 " bne,pn %%icc, 1b\n"
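Review bot: The `addcc` added to `arch_read_trylock()` here, and the `subcc` added to `arch_read_unlock()` in the next hunk, write the condition codes, yet neither hunk shows the clobber list gaining `"cc"` the way the `arch_read_lock()` hunk does with `: "memory", "cc");`. The clobber lines of these two functions lie outside the hunks, so this may already be handled; if not, they should be changed to match. A one-line comment above each `CONFIG_PAX_REFCOUNT` block, saying that the flag-setting form is presumably needed by the overflow check, would also explain why `add` became `addcc` even when the option is off.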
4064 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
4066 __asm__ __volatile__(
4067 "1: lduw [%2], %0\n"
4069 +" subcc %0, 1, %1\n"
4071 +#ifdef CONFIG_PAX_REFCOUNT
4075 " cas [%2], %0, %1\n"
4077 " bne,pn %%xcc, 1b\n"
4078 diff -urNp linux-2.6.37/arch/sparc/include/asm/uaccess_32.h linux-2.6.37/arch/sparc/include/asm/uaccess_32.h
4079 --- linux-2.6.37/arch/sparc/include/asm/uaccess_32.h 2011-01-04 19:50:19.000000000 -0500
4080 +++ linux-2.6.37/arch/sparc/include/asm/uaccess_32.h 2011-01-17 02:41:00.000000000 -0500
4081 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
4083 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4085 - if (n && __access_ok((unsigned long) to, n))
4089 + if (n && __access_ok((unsigned long) to, n)) {
4090 + if (!__builtin_constant_p(n))
4091 + check_object_size(from, n, true);
4092 return __copy_user(to, (__force void __user *) from, n);
4098 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
4103 + if (!__builtin_constant_p(n))
4104 + check_object_size(from, n, true);
4106 return __copy_user(to, (__force void __user *) from, n);
4109 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4111 - if (n && __access_ok((unsigned long) from, n))
4115 + if (n && __access_ok((unsigned long) from, n)) {
4116 + if (!__builtin_constant_p(n))
4117 + check_object_size(to, n, false);
4118 return __copy_user((__force void __user *) to, from, n);
4124 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
4129 return __copy_user((__force void __user *) to, from, n);
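Review bot: The `if (!__builtin_constant_p(n))` guard skips `check_object_size()` whenever the length is a compile-time constant, and nothing in the hunk says why that is safe. A constant length can still exceed the object it is copied from or into, so the exemption relies on some other check covering those calls. Document the assumption above the first guard, for example `/* constant sizes are assumed to be verified at build time; only run-time lengths are checked here */`, or drop the guard if no such build-time check exists. Several lines of this hunk are not shown on the page, so the wording should be confirmed against the full patch.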
4132 diff -urNp linux-2.6.37/arch/sparc/include/asm/uaccess_64.h linux-2.6.37/arch/sparc/include/asm/uaccess_64.h
4133 --- linux-2.6.37/arch/sparc/include/asm/uaccess_64.h 2011-01-04 19:50:19.000000000 -0500
4134 +++ linux-2.6.37/arch/sparc/include/asm/uaccess_64.h 2011-01-17 02:41:00.000000000 -0500
4136 #include <linux/compiler.h>
4137 #include <linux/string.h>
4138 #include <linux/thread_info.h>
4139 +#include <linux/kernel.h>
4140 #include <asm/asi.h>
4141 #include <asm/system.h>
4142 #include <asm/spitfire.h>
4143 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
4144 static inline unsigned long __must_check
4145 copy_from_user(void *to, const void __user *from, unsigned long size)
4147 - unsigned long ret = ___copy_from_user(to, from, size);
4148 + unsigned long ret;
4150 + if ((long)size < 0 || size > INT_MAX)
4153 + if (!__builtin_constant_p(size))
4154 + check_object_size(to, size, false);
4156 + ret = ___copy_from_user(to, from, size);
4158 ret = copy_from_user_fixup(to, from, size);
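Review bot: In the added bound `if ((long)size < 0 || size > INT_MAX)` the first test is redundant, because `size` is `unsigned long` and every value with the sign bit set already compares greater than `INT_MAX`. `if (size > INT_MAX)` states the same limit without the cast. The statement executed when the bound is exceeded is not visible here; since this is `copy_from_user()`, check that the early exit reports the full `size` as uncopied. The `copy_to_user()` hunk below carries the same condition.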
4160 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
4161 static inline unsigned long __must_check
4162 copy_to_user(void __user *to, const void *from, unsigned long size)
4164 - unsigned long ret = ___copy_to_user(to, from, size);
4165 + unsigned long ret;
4167 + if ((long)size < 0 || size > INT_MAX)
4170 + if (!__builtin_constant_p(size))
4171 + check_object_size(from, size, true);
4173 + ret = ___copy_to_user(to, from, size);
4175 ret = copy_to_user_fixup(to, from, size);
4177 diff -urNp linux-2.6.37/arch/sparc/include/asm/uaccess.h linux-2.6.37/arch/sparc/include/asm/uaccess.h
4178 --- linux-2.6.37/arch/sparc/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
4179 +++ linux-2.6.37/arch/sparc/include/asm/uaccess.h 2011-01-17 02:41:00.000000000 -0500
4181 #ifndef ___ASM_SPARC_UACCESS_H
4182 #define ___ASM_SPARC_UACCESS_H
4185 +#ifndef __ASSEMBLY__
4186 +#include <linux/types.h>
4187 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4191 #if defined(__sparc__) && defined(__arch64__)
4192 #include <asm/uaccess_64.h>
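Review bot: The new prototype `extern void check_object_size(const void *ptr, unsigned long n, bool to);` gives no hint of what `to` selects, so the call sites have to be read to find out (`copy_to_user()` passes `true`, `copy_from_user()` passes `false`). A brief comment on the declaration would do, e.g. `/* to: true when copying from the kernel object at ptr to user space, false for the reverse */`. Declaring it in an arch header also means each architecture's uaccess.h needs its own copy; a shared header would avoid drift, if the patch does not already provide one.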
4194 diff -urNp linux-2.6.37/arch/sparc/kernel/iommu.c linux-2.6.37/arch/sparc/kernel/iommu.c
4195 --- linux-2.6.37/arch/sparc/kernel/iommu.c 2011-01-04 19:50:19.000000000 -0500
4196 +++ linux-2.6.37/arch/sparc/kernel/iommu.c 2011-01-17 02:41:00.000000000 -0500
4197 @@ -828,7 +828,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4198 spin_unlock_irqrestore(&iommu->lock, flags);
4201 -static struct dma_map_ops sun4u_dma_ops = {
4202 +static const struct dma_map_ops sun4u_dma_ops = {
4203 .alloc_coherent = dma_4u_alloc_coherent,
4204 .free_coherent = dma_4u_free_coherent,
4205 .map_page = dma_4u_map_page,
4206 @@ -839,7 +839,7 @@ static struct dma_map_ops sun4u_dma_ops
4207 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4210 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4211 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4212 EXPORT_SYMBOL(dma_ops);
4214 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4215 diff -urNp linux-2.6.37/arch/sparc/kernel/ioport.c linux-2.6.37/arch/sparc/kernel/ioport.c
4216 --- linux-2.6.37/arch/sparc/kernel/ioport.c 2011-01-04 19:50:19.000000000 -0500
4217 +++ linux-2.6.37/arch/sparc/kernel/ioport.c 2011-01-17 02:41:00.000000000 -0500
4218 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
4222 -struct dma_map_ops sbus_dma_ops = {
4223 +const struct dma_map_ops sbus_dma_ops = {
4224 .alloc_coherent = sbus_alloc_coherent,
4225 .free_coherent = sbus_free_coherent,
4226 .map_page = sbus_map_page,
4227 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
4228 .sync_sg_for_device = sbus_sync_sg_for_device,
4231 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4232 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4233 EXPORT_SYMBOL(dma_ops);
4235 static int __init sparc_register_ioport(void)
4236 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
4240 -struct dma_map_ops pci32_dma_ops = {
4241 +const struct dma_map_ops pci32_dma_ops = {
4242 .alloc_coherent = pci32_alloc_coherent,
4243 .free_coherent = pci32_free_coherent,
4244 .map_page = pci32_map_page,
4245 diff -urNp linux-2.6.37/arch/sparc/kernel/kgdb_32.c linux-2.6.37/arch/sparc/kernel/kgdb_32.c
4246 --- linux-2.6.37/arch/sparc/kernel/kgdb_32.c 2011-01-04 19:50:19.000000000 -0500
4247 +++ linux-2.6.37/arch/sparc/kernel/kgdb_32.c 2011-01-17 02:41:00.000000000 -0500
4248 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4249 regs->npc = regs->pc + 4;
4252 -struct kgdb_arch arch_kgdb_ops = {
4253 +const struct kgdb_arch arch_kgdb_ops = {
4254 /* Breakpoint instruction: ta 0x7d */
4255 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4257 diff -urNp linux-2.6.37/arch/sparc/kernel/kgdb_64.c linux-2.6.37/arch/sparc/kernel/kgdb_64.c
4258 --- linux-2.6.37/arch/sparc/kernel/kgdb_64.c 2011-01-04 19:50:19.000000000 -0500
4259 +++ linux-2.6.37/arch/sparc/kernel/kgdb_64.c 2011-01-17 02:41:00.000000000 -0500
4260 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4261 regs->tnpc = regs->tpc + 4;
4264 -struct kgdb_arch arch_kgdb_ops = {
4265 +const struct kgdb_arch arch_kgdb_ops = {
4266 /* Breakpoint instruction: ta 0x72 */
4267 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4269 diff -urNp linux-2.6.37/arch/sparc/kernel/Makefile linux-2.6.37/arch/sparc/kernel/Makefile
4270 --- linux-2.6.37/arch/sparc/kernel/Makefile 2011-01-04 19:50:19.000000000 -0500
4271 +++ linux-2.6.37/arch/sparc/kernel/Makefile 2011-01-17 02:41:00.000000000 -0500
4276 -ccflags-y := -Werror
4277 +#ccflags-y := -Werror
4279 extra-y := head_$(BITS).o
4280 extra-y += init_task.o
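Review bot: Commenting out `ccflags-y := -Werror` disables warnings-as-errors for all of arch/sparc/kernel without saying which new warnings made that necessary. This patch changes qualifiers and prototypes in the same directory, so the warnings being silenced are likely the ones that would flag a mismatch there. Prefer fixing the warnings and keeping the flag; if it has to go, delete the line rather than leaving it commented out, and record the reason, e.g. `# -Werror dropped: <reason placeholder>`.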
4281 diff -urNp linux-2.6.37/arch/sparc/kernel/pci_sun4v.c linux-2.6.37/arch/sparc/kernel/pci_sun4v.c
4282 --- linux-2.6.37/arch/sparc/kernel/pci_sun4v.c 2011-01-04 19:50:19.000000000 -0500
4283 +++ linux-2.6.37/arch/sparc/kernel/pci_sun4v.c 2011-01-17 02:41:00.000000000 -0500
4284 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4285 spin_unlock_irqrestore(&iommu->lock, flags);
4288 -static struct dma_map_ops sun4v_dma_ops = {
4289 +static const struct dma_map_ops sun4v_dma_ops = {
4290 .alloc_coherent = dma_4v_alloc_coherent,
4291 .free_coherent = dma_4v_free_coherent,
4292 .map_page = dma_4v_map_page,
4293 diff -urNp linux-2.6.37/arch/sparc/kernel/process_32.c linux-2.6.37/arch/sparc/kernel/process_32.c
4294 --- linux-2.6.37/arch/sparc/kernel/process_32.c 2011-01-04 19:50:19.000000000 -0500
4295 +++ linux-2.6.37/arch/sparc/kernel/process_32.c 2011-01-17 02:41:00.000000000 -0500
4296 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4297 rw->ins[4], rw->ins[5],
4300 - printk("%pS\n", (void *) rw->ins[7]);
4301 + printk("%pA\n", (void *) rw->ins[7]);
4302 rw = (struct reg_window32 *) rw->ins[6];
4304 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
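Review bot: `%pA` replaces `%pS` here with no indication of what the new specifier prints; its handler is not part of these hunks and presumably comes from a printk format change elsewhere in the patch. If that change is missing or applied out of order, these backtrace lines would no longer print a symbol, so a comment at the first use such as `/* %pA: symbolic address, handled by the patched pointer formatter */` would tell readers where to look. Whatever exposure policy the specifier implements, the surrounding lines still print the raw addresses with `%08lx`, which is worth stating if the intent is to limit what reaches the log. The same substitution is made in the other hunks of this file and in arch/sparc/kernel/process_64.c.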
4305 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4307 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4308 r->psr, r->pc, r->npc, r->y, print_tainted());
4309 - printk("PC: <%pS>\n", (void *) r->pc);
4310 + printk("PC: <%pA>\n", (void *) r->pc);
4311 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4312 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4313 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4314 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4315 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4316 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4317 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4318 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4320 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4321 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4322 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4323 rw = (struct reg_window32 *) fp;
4325 printk("[%08lx : ", pc);
4326 - printk("%pS ] ", (void *) pc);
4327 + printk("%pA ] ", (void *) pc);
4329 } while (++count < 16);
4331 diff -urNp linux-2.6.37/arch/sparc/kernel/process_64.c linux-2.6.37/arch/sparc/kernel/process_64.c
4332 --- linux-2.6.37/arch/sparc/kernel/process_64.c 2011-01-04 19:50:19.000000000 -0500
4333 +++ linux-2.6.37/arch/sparc/kernel/process_64.c 2011-01-17 02:41:00.000000000 -0500
4334 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4335 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4336 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4337 if (regs->tstate & TSTATE_PRIV)
4338 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4339 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4342 void show_regs(struct pt_regs *regs)
4344 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4345 regs->tpc, regs->tnpc, regs->y, print_tainted());
4346 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4347 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4348 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4349 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4351 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4352 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4353 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4355 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4356 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4357 show_regwindow(regs);
4358 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
4360 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
4361 ((tp && tp->task) ? tp->task->pid : -1));
4363 if (gp->tstate & TSTATE_PRIV) {
4364 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4365 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4369 diff -urNp linux-2.6.37/arch/sparc/kernel/sys_sparc_32.c linux-2.6.37/arch/sparc/kernel/sys_sparc_32.c
4370 --- linux-2.6.37/arch/sparc/kernel/sys_sparc_32.c 2011-01-04 19:50:19.000000000 -0500
4371 +++ linux-2.6.37/arch/sparc/kernel/sys_sparc_32.c 2011-01-17 02:41:00.000000000 -0500
4372 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
4373 if (ARCH_SUN4C && len > 0x20000000)
4376 - addr = TASK_UNMAPPED_BASE;
4377 + addr = current->mm->mmap_base;
4379 if (flags & MAP_SHARED)
4380 addr = COLOUR_ALIGN(addr);
4381 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
4383 if (TASK_SIZE - PAGE_SIZE - len < addr)
4385 - if (!vmm || addr + len <= vmm->vm_start)
4386 + if (check_heap_stack_gap(vmm, addr, len))
4389 if (flags & MAP_SHARED)
4390 diff -urNp linux-2.6.37/arch/sparc/kernel/sys_sparc_64.c linux-2.6.37/arch/sparc/kernel/sys_sparc_64.c
4391 --- linux-2.6.37/arch/sparc/kernel/sys_sparc_64.c 2011-01-04 19:50:19.000000000 -0500
4392 +++ linux-2.6.37/arch/sparc/kernel/sys_sparc_64.c 2011-01-17 02:41:00.000000000 -0500
4393 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
4394 /* We do not accept a shared mapping if it would violate
4395 * cache aliasing constraints.
4397 - if ((flags & MAP_SHARED) &&
4398 + if ((filp || (flags & MAP_SHARED)) &&
4399 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
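Review bot: The condition now rejects a misaligned address for any file-backed mapping (`filp || (flags & MAP_SHARED)`), but the comment directly above still reads "We do not accept a shared mapping if it would violate cache aliasing constraints". Update it to match, e.g. `/* We do not accept a shared or file-backed mapping if it would violate cache aliasing constraints. */`. This widens the set of requests that fail on this path (its enclosing branch starts outside the hunk), so the reason for the change belongs in the comment too. The same edit appears in the `arch_get_unmapped_area_topdown()` hunk at `@@ -215,7 +218,7 @@`.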
4402 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4403 if (filp || (flags & MAP_SHARED))
4406 +#ifdef CONFIG_PAX_RANDMMAP
4407 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4412 addr = COLOUR_ALIGN(addr, pgoff);
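Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` sits alone inside the `#ifdef`, so its controlled statement appears to be whatever follows the conditional block; that line is not shown on this page. The construction is fragile, because inserting a statement after the `#endif` silently changes what is guarded. A comment such as `/* with RANDMMAP the statement below is skipped */`, adjusted to name what is actually guarded, would make the intent explicit. `arch_get_unmapped_area()` begins and ends outside the hunk.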
4413 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4414 addr = PAGE_ALIGN(addr);
4416 vma = find_vma(mm, addr);
4417 - if (task_size - len >= addr &&
4418 - (!vma || addr + len <= vma->vm_start))
4419 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4423 if (len > mm->cached_hole_size) {
4424 - start_addr = addr = mm->free_area_cache;
4425 + start_addr = addr = mm->free_area_cache;
4427 - start_addr = addr = TASK_UNMAPPED_BASE;
4428 + start_addr = addr = mm->mmap_base;
4429 mm->cached_hole_size = 0;
4432 @@ -174,14 +177,14 @@ full_search:
4433 vma = find_vma(mm, VA_EXCLUDE_END);
4435 if (unlikely(task_size < addr)) {
4436 - if (start_addr != TASK_UNMAPPED_BASE) {
4437 - start_addr = addr = TASK_UNMAPPED_BASE;
4438 + if (start_addr != mm->mmap_base) {
4439 + start_addr = addr = mm->mmap_base;
4440 mm->cached_hole_size = 0;
4445 - if (likely(!vma || addr + len <= vma->vm_start)) {
4446 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4448 * Remember the place where we stopped the search:
4450 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4451 /* We do not accept a shared mapping if it would violate
4452 * cache aliasing constraints.
4454 - if ((flags & MAP_SHARED) &&
4455 + if ((filp || (flags & MAP_SHARED)) &&
4456 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4459 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4460 addr = PAGE_ALIGN(addr);
4462 vma = find_vma(mm, addr);
4463 - if (task_size - len >= addr &&
4464 - (!vma || addr + len <= vma->vm_start))
4465 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4469 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4470 /* make sure it can fit in the remaining address space */
4471 if (likely(addr > len)) {
4472 vma = find_vma(mm, addr-len);
4473 - if (!vma || addr <= vma->vm_start) {
4474 + if (check_heap_stack_gap(vma, addr - len, len)) {
4475 /* remember the address as a hint for next time */
4476 return (mm->free_area_cache = addr-len);
4478 @@ -278,7 +280,7 @@ arch_get_unmapped_area_topdown(struct fi
4479 * return with success:
4481 vma = find_vma(mm, addr);
4482 - if (likely(!vma || addr+len <= vma->vm_start)) {
4483 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4484 /* remember the address as a hint for next time */
4485 return (mm->free_area_cache = addr);
4487 @@ -385,6 +387,12 @@ void arch_pick_mmap_layout(struct mm_str
4488 gap == RLIM_INFINITY ||
4489 sysctl_legacy_va_layout) {
4490 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4492 +#ifdef CONFIG_PAX_RANDMMAP
4493 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4494 + mm->mmap_base += mm->delta_mmap;
4497 mm->get_unmapped_area = arch_get_unmapped_area;
4498 mm->unmap_area = arch_unmap_area;
4500 @@ -397,6 +405,12 @@ void arch_pick_mmap_layout(struct mm_str
4501 gap = (task_size / 6 * 5);
4503 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4505 +#ifdef CONFIG_PAX_RANDMMAP
4506 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4507 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4510 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4511 mm->unmap_area = arch_unmap_area_topdown;
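Review bot: The added `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is applied after `random_factor` has already been subtracted, and nothing in the hunk checks that the result cannot wrap or fall below the usable range. Whether `random_factor` is zeroed for MF_PAX_RANDMMAP tasks, and how large the two deltas can be, is decided outside the hunk, so this may well be safe. The invariant should still be stated next to the subtraction once confirmed, e.g. `/* delta_mmap + delta_stack are page multiples and smaller than task_size - gap, so mmap_base cannot wrap */`. The legacy-layout hunk above (`mm->mmap_base += mm->delta_mmap;`) raises the same question about stacking two random offsets. arch_pick_mmap_layout starts and ends outside the hunk.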
4513 diff -urNp linux-2.6.37/arch/sparc/kernel/traps_32.c linux-2.6.37/arch/sparc/kernel/traps_32.c
4514 --- linux-2.6.37/arch/sparc/kernel/traps_32.c 2011-01-04 19:50:19.000000000 -0500
4515 +++ linux-2.6.37/arch/sparc/kernel/traps_32.c 2011-01-17 02:41:00.000000000 -0500
4516 @@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
4518 (((unsigned long) rw) >= PAGE_OFFSET) &&
4519 !(((unsigned long) rw) & 0x7)) {
4520 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4521 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4522 (void *) rw->ins[7]);
4523 rw = (struct reg_window32 *)rw->ins[6];
4525 diff -urNp linux-2.6.37/arch/sparc/kernel/traps_64.c linux-2.6.37/arch/sparc/kernel/traps_64.c
4526 --- linux-2.6.37/arch/sparc/kernel/traps_64.c 2011-01-04 19:50:19.000000000 -0500
4527 +++ linux-2.6.37/arch/sparc/kernel/traps_64.c 2011-01-17 02:41:00.000000000 -0500
4528 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
4530 p->trapstack[i].tstate, p->trapstack[i].tpc,
4531 p->trapstack[i].tnpc, p->trapstack[i].tt);
4532 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4533 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4537 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4540 if (regs->tstate & TSTATE_PRIV) {
4542 +#ifdef CONFIG_PAX_REFCOUNT
4544 + pax_report_refcount_overflow(regs);
4547 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4548 die_if_kernel(buffer, regs);
4550 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4551 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4556 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4557 0, lvl, SIGTRAP) == NOTIFY_STOP)
4560 +#ifdef CONFIG_PAX_REFCOUNT
4562 + pax_report_refcount_overflow(regs);
4565 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4567 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4568 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
4569 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4570 printk("%s" "ERROR(%d): ",
4571 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4572 - printk("TPC<%pS>\n", (void *) regs->tpc);
4573 + printk("TPC<%pA>\n", (void *) regs->tpc);
4574 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4575 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4576 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4577 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
4579 (type & 0x1) ? 'I' : 'D',
4581 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4582 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4583 panic("Irrecoverable Cheetah+ parity error.");
4586 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
4588 (type & 0x1) ? 'I' : 'D',
4590 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4591 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4594 struct sun4v_error_entry {
4595 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
4597 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4599 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4600 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4601 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4602 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4603 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4604 (void *) regs->u_regs[UREG_I7]);
4605 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4606 "pte[%lx] error[%lx]\n",
4607 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
4609 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4611 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4612 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4613 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4614 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4615 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4616 (void *) regs->u_regs[UREG_I7]);
4617 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4618 "pte[%lx] error[%lx]\n",
4619 @@ -2196,13 +2207,13 @@ void show_stack(struct task_struct *tsk,
4620 fp = (unsigned long)sf->fp + STACK_BIAS;
4623 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4624 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4625 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4626 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
4627 int index = tsk->curr_ret_stack;
4628 if (tsk->ret_stack && index >= graph) {
4629 pc = tsk->ret_stack[index - graph].ret;
4630 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4631 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4635 @@ -2255,7 +2266,7 @@ void die_if_kernel(char *str, struct pt_
4638 kstack_valid(tp, (unsigned long) rw)) {
4639 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4640 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4641 (void *) rw->ins[7]);
4643 rw = kernel_stack_up(rw);
4644 diff -urNp linux-2.6.37/arch/sparc/kernel/unaligned_64.c linux-2.6.37/arch/sparc/kernel/unaligned_64.c
4645 --- linux-2.6.37/arch/sparc/kernel/unaligned_64.c 2011-01-04 19:50:19.000000000 -0500
4646 +++ linux-2.6.37/arch/sparc/kernel/unaligned_64.c 2011-01-17 02:41:00.000000000 -0500
4647 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
4648 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
4650 if (__ratelimit(&ratelimit)) {
4651 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4652 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4653 regs->tpc, (void *) regs->tpc);
4656 diff -urNp linux-2.6.37/arch/sparc/lib/atomic_64.S linux-2.6.37/arch/sparc/lib/atomic_64.S
4657 --- linux-2.6.37/arch/sparc/lib/atomic_64.S 2011-01-04 19:50:19.000000000 -0500
4658 +++ linux-2.6.37/arch/sparc/lib/atomic_64.S 2011-01-17 02:41:00.000000000 -0500
4660 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4664 + addcc %g1, %o0, %g7
4666 +#ifdef CONFIG_PAX_REFCOUNT
4672 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4673 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4674 2: BACKOFF_SPIN(%o2, %o3, 1b)
4675 .size atomic_add, .-atomic_add
4677 + .globl atomic_add_unchecked
4678 + .type atomic_add_unchecked,#function
4679 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4680 + BACKOFF_SETUP(%o2)
4683 + cas [%o1], %g1, %g7
4689 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4690 + .size atomic_add_unchecked, .-atomic_add_unchecked
4693 .type atomic_sub,#function
4694 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4698 + subcc %g1, %o0, %g7
4700 +#ifdef CONFIG_PAX_REFCOUNT
4706 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4707 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4708 2: BACKOFF_SPIN(%o2, %o3, 1b)
4709 .size atomic_sub, .-atomic_sub
4711 + .globl atomic_sub_unchecked
4712 + .type atomic_sub_unchecked,#function
4713 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4714 + BACKOFF_SETUP(%o2)
4717 + cas [%o1], %g1, %g7
4723 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4724 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4726 .globl atomic_add_ret
4727 .type atomic_add_ret,#function
4728 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4732 + addcc %g1, %o0, %g7
4734 +#ifdef CONFIG_PAX_REFCOUNT
4740 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4741 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4742 2: BACKOFF_SPIN(%o2, %o3, 1b)
4743 .size atomic_add_ret, .-atomic_add_ret
4745 + .globl atomic_add_ret_unchecked
4746 + .type atomic_add_ret_unchecked,#function
4747 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4748 + BACKOFF_SETUP(%o2)
4750 + addcc %g1, %o0, %g7
4751 + cas [%o1], %g1, %g7
4758 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4759 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4761 .globl atomic_sub_ret
4762 .type atomic_sub_ret,#function
4763 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4767 + subcc %g1, %o0, %g7
4769 +#ifdef CONFIG_PAX_REFCOUNT
4775 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
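Review bot: `atomic_add_ret_unchecked` computes the sum with `addcc %g1, %o0, %g7`, although the `_unchecked` variant exists precisely because no overflow trap follows; as far as the visible lines show, nothing consumes the condition codes it sets. Plain `add %g1, %o0, %g7` would say what is meant. The same applies to `atomic64_add_unchecked`, `atomic64_sub_unchecked` and `atomic64_add_ret_unchecked` in the later hunks. A one-line comment above each new entry point, e.g. `/* _unchecked: wraps silently, only for counters that are not reference counts */`, would also tell callers which variant to pick.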
4776 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4777 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4781 + addcc %g1, %o0, %g7
4783 +#ifdef CONFIG_PAX_REFCOUNT
4787 casx [%o1], %g1, %g7
4789 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4790 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4791 2: BACKOFF_SPIN(%o2, %o3, 1b)
4792 .size atomic64_add, .-atomic64_add
4794 + .globl atomic64_add_unchecked
4795 + .type atomic64_add_unchecked,#function
4796 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4797 + BACKOFF_SETUP(%o2)
4799 + addcc %g1, %o0, %g7
4800 + casx [%o1], %g1, %g7
4806 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4807 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4810 .type atomic64_sub,#function
4811 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4815 + subcc %g1, %o0, %g7
4817 +#ifdef CONFIG_PAX_REFCOUNT
4821 casx [%o1], %g1, %g7
4823 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4824 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4825 2: BACKOFF_SPIN(%o2, %o3, 1b)
4826 .size atomic64_sub, .-atomic64_sub
4828 + .globl atomic64_sub_unchecked
4829 + .type atomic64_sub_unchecked,#function
4830 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4831 + BACKOFF_SETUP(%o2)
4833 + subcc %g1, %o0, %g7
4834 + casx [%o1], %g1, %g7
4840 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4841 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4843 .globl atomic64_add_ret
4844 .type atomic64_add_ret,#function
4845 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4849 + addcc %g1, %o0, %g7
4851 +#ifdef CONFIG_PAX_REFCOUNT
4855 casx [%o1], %g1, %g7
4857 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4858 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4859 2: BACKOFF_SPIN(%o2, %o3, 1b)
4860 .size atomic64_add_ret, .-atomic64_add_ret
4862 + .globl atomic64_add_ret_unchecked
4863 + .type atomic64_add_ret_unchecked,#function
4864 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4865 + BACKOFF_SETUP(%o2)
4867 + addcc %g1, %o0, %g7
4868 + casx [%o1], %g1, %g7
4875 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4876 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4878 .globl atomic64_sub_ret
4879 .type atomic64_sub_ret,#function
4880 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4884 + subcc %g1, %o0, %g7
4886 +#ifdef CONFIG_PAX_REFCOUNT
4890 casx [%o1], %g1, %g7
4892 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4893 diff -urNp linux-2.6.37/arch/sparc/lib/ksyms.c linux-2.6.37/arch/sparc/lib/ksyms.c
4894 --- linux-2.6.37/arch/sparc/lib/ksyms.c 2011-01-04 19:50:19.000000000 -0500
4895 +++ linux-2.6.37/arch/sparc/lib/ksyms.c 2011-01-17 02:41:00.000000000 -0500
4896 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4898 /* Atomic counter implementation. */
4899 EXPORT_SYMBOL(atomic_add);
4900 +EXPORT_SYMBOL(atomic_add_unchecked);
4901 EXPORT_SYMBOL(atomic_add_ret);
4902 EXPORT_SYMBOL(atomic_sub);
4903 +EXPORT_SYMBOL(atomic_sub_unchecked);
4904 EXPORT_SYMBOL(atomic_sub_ret);
4905 EXPORT_SYMBOL(atomic64_add);
4906 +EXPORT_SYMBOL(atomic64_add_unchecked);
4907 EXPORT_SYMBOL(atomic64_add_ret);
4908 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4909 EXPORT_SYMBOL(atomic64_sub);
4910 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4911 EXPORT_SYMBOL(atomic64_sub_ret);
4913 /* Atomic bit operations. */
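Review bot: `atomic_add_ret_unchecked` is defined in the atomic_64.S part of this patch, but this hunk exports `atomic64_add_ret_unchecked` and not its 32-bit counterpart. A module that reaches it would fail to resolve the symbol at load time unless it is exported somewhere outside this view. If that is an oversight, add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);`. No `_unchecked` versions of `atomic_sub_ret` or `atomic64_sub_ret` appear in the assembly hunks either, which looks intentional but is worth confirming.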
4914 diff -urNp linux-2.6.37/arch/sparc/Makefile linux-2.6.37/arch/sparc/Makefile
4915 --- linux-2.6.37/arch/sparc/Makefile 2011-01-04 19:50:19.000000000 -0500
4916 +++ linux-2.6.37/arch/sparc/Makefile 2011-01-17 02:41:00.000000000 -0500
4917 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4918 # Export what is needed by arch/sparc/boot/Makefile
4919 export VMLINUX_INIT VMLINUX_MAIN
4920 VMLINUX_INIT := $(head-y) $(init-y)
4921 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4922 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4923 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4924 VMLINUX_MAIN += $(drivers-y) $(net-y)
4926 diff -urNp linux-2.6.37/arch/sparc/mm/fault_32.c linux-2.6.37/arch/sparc/mm/fault_32.c
4927 --- linux-2.6.37/arch/sparc/mm/fault_32.c 2011-01-04 19:50:19.000000000 -0500
4928 +++ linux-2.6.37/arch/sparc/mm/fault_32.c 2011-01-17 02:41:00.000000000 -0500
4930 #include <linux/interrupt.h>
4931 #include <linux/module.h>
4932 #include <linux/kdebug.h>
4933 +#include <linux/slab.h>
4934 +#include <linux/pagemap.h>
4935 +#include <linux/compiler.h>
4937 #include <asm/system.h>
4938 #include <asm/page.h>
4939 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4940 return safe_compute_effective_address(regs, insn);
4943 +#ifdef CONFIG_PAX_PAGEEXEC
4944 +#ifdef CONFIG_PAX_DLRESOLVE
4945 +static void pax_emuplt_close(struct vm_area_struct *vma)
4947 + vma->vm_mm->call_dl_resolve = 0UL;
4950 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4952 + unsigned int *kaddr;
4954 + vmf->page = alloc_page(GFP_HIGHUSER);
4956 + return VM_FAULT_OOM;
4958 + kaddr = kmap(vmf->page);
4959 + memset(kaddr, 0, PAGE_SIZE);
4960 + kaddr[0] = 0x9DE3BFA8U; /* save */
4961 + flush_dcache_page(vmf->page);
4962 + kunmap(vmf->page);
4963 + return VM_FAULT_MAJOR;
4966 +static const struct vm_operations_struct pax_vm_ops = {
4967 + .close = pax_emuplt_close,
4968 + .fault = pax_emuplt_fault
4971 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4975 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4976 + vma->vm_mm = current->mm;
4977 + vma->vm_start = addr;
4978 + vma->vm_end = addr + PAGE_SIZE;
4979 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4980 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4981 + vma->vm_ops = &pax_vm_ops;
4983 + ret = insert_vm_struct(current->mm, vma);
4987 + ++current->mm->total_vm;
4993 + * PaX: decide what to do with offenders (regs->pc = fault address)
4995 + * returns 1 when task should be killed
4996 + * 2 when patched PLT trampoline was detected
4997 + * 3 when unpatched PLT trampoline was detected
4999 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5002 +#ifdef CONFIG_PAX_EMUPLT
5005 + do { /* PaX: patched PLT emulation #1 */
5006 + unsigned int sethi1, sethi2, jmpl;
5008 + err = get_user(sethi1, (unsigned int *)regs->pc);
5009 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
5010 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
5015 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5016 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5017 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5019 + unsigned int addr;
5021 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5022 + addr = regs->u_regs[UREG_G1];
5023 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5025 + regs->npc = addr+4;
5030 + { /* PaX: patched PLT emulation #2 */
5033 + err = get_user(ba, (unsigned int *)regs->pc);
5035 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5036 + unsigned int addr;
5038 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5040 + regs->npc = addr+4;
5045 + do { /* PaX: patched PLT emulation #3 */
5046 + unsigned int sethi, jmpl, nop;
5048 + err = get_user(sethi, (unsigned int *)regs->pc);
5049 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
5050 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5055 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5056 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5057 + nop == 0x01000000U)
5059 + unsigned int addr;
5061 + addr = (sethi & 0x003FFFFFU) << 10;
5062 + regs->u_regs[UREG_G1] = addr;
5063 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5065 + regs->npc = addr+4;
5070 + do { /* PaX: unpatched PLT emulation step 1 */
5071 + unsigned int sethi, ba, nop;
5073 + err = get_user(sethi, (unsigned int *)regs->pc);
5074 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
5075 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5080 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5081 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5082 + nop == 0x01000000U)
5084 + unsigned int addr, save, call;
5086 + if ((ba & 0xFFC00000U) == 0x30800000U)
5087 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5089 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
5091 + err = get_user(save, (unsigned int *)addr);
5092 + err |= get_user(call, (unsigned int *)(addr+4));
5093 + err |= get_user(nop, (unsigned int *)(addr+8));
5097 +#ifdef CONFIG_PAX_DLRESOLVE
5098 + if (save == 0x9DE3BFA8U &&
5099 + (call & 0xC0000000U) == 0x40000000U &&
5100 + nop == 0x01000000U)
5102 + struct vm_area_struct *vma;
5103 + unsigned long call_dl_resolve;
5105 + down_read(¤t->mm->mmap_sem);
5106 + call_dl_resolve = current->mm->call_dl_resolve;
5107 + up_read(¤t->mm->mmap_sem);
5108 + if (likely(call_dl_resolve))
5111 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5113 + down_write(¤t->mm->mmap_sem);
5114 + if (current->mm->call_dl_resolve) {
5115 + call_dl_resolve = current->mm->call_dl_resolve;
5116 + up_write(¤t->mm->mmap_sem);
5118 + kmem_cache_free(vm_area_cachep, vma);
5122 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5123 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5124 + up_write(¤t->mm->mmap_sem);
5126 + kmem_cache_free(vm_area_cachep, vma);
5130 + if (pax_insert_vma(vma, call_dl_resolve)) {
5131 + up_write(¤t->mm->mmap_sem);
5132 + kmem_cache_free(vm_area_cachep, vma);
5136 + current->mm->call_dl_resolve = call_dl_resolve;
5137 + up_write(¤t->mm->mmap_sem);
5140 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5141 + regs->pc = call_dl_resolve;
5142 + regs->npc = addr+4;
5147 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5148 + if ((save & 0xFFC00000U) == 0x05000000U &&
5149 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5150 + nop == 0x01000000U)
5152 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5153 + regs->u_regs[UREG_G2] = addr + 4;
5154 + addr = (save & 0x003FFFFFU) << 10;
5155 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5157 + regs->npc = addr+4;
5163 + do { /* PaX: unpatched PLT emulation step 2 */
5164 + unsigned int save, call, nop;
5166 + err = get_user(save, (unsigned int *)(regs->pc-4));
5167 + err |= get_user(call, (unsigned int *)regs->pc);
5168 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5172 + if (save == 0x9DE3BFA8U &&
5173 + (call & 0xC0000000U) == 0x40000000U &&
5174 + nop == 0x01000000U)
5176 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5178 + regs->u_regs[UREG_RETPC] = regs->pc;
5179 + regs->pc = dl_resolve;
5180 + regs->npc = dl_resolve+4;
5189 +void pax_report_insns(void *pc, void *sp)
5193 + printk(KERN_ERR "PAX: bytes at PC: ");
5194 + for (i = 0; i < 8; i++) {
5196 + if (get_user(c, (unsigned int *)pc+i))
5197 + printk(KERN_CONT "???????? ");
5199 + printk(KERN_CONT "%08x ", c);
5205 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
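Review bot: `pax_emuplt_close`, `pax_emuplt_fault`, `pax_insert_vma` and `pax_vm_ops` are added here and again, line for line, in fault_64.c, and the instruction patterns in `pax_handle_fetch_fault` are bare hex masks (`0xFFC00000U`, `0x03000000U`, `0x01000000U`, ...) repeated in every emulation block. Moving the shared helpers into one place and naming the encodings, e.g. `#define PAX_INSN_NOP 0x01000000U`, would make the two copies much easier to audit against each other. The header comment of `pax_handle_fetch_fault` should also state that every pattern is matched against words read with `get_user()` at the faulting PC, i.e. bytes the task may control. Each successful match is therefore a deliberate exception to non-executable-page enforcement rather than a validation of the jump target. The `¤t` in the mmap_sem calls is this page's rendering of `&current`, not part of the patch.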
5208 @@ -282,6 +547,24 @@ good_area:
5209 if(!(vma->vm_flags & VM_WRITE))
5213 +#ifdef CONFIG_PAX_PAGEEXEC
5214 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5215 + up_read(&mm->mmap_sem);
5216 + switch (pax_handle_fetch_fault(regs)) {
5218 +#ifdef CONFIG_PAX_EMUPLT
5225 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5226 + do_group_exit(SIGKILL);
5230 /* Allow reads even for write-only mappings */
5231 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5233 diff -urNp linux-2.6.37/arch/sparc/mm/fault_64.c linux-2.6.37/arch/sparc/mm/fault_64.c
5234 --- linux-2.6.37/arch/sparc/mm/fault_64.c 2011-01-04 19:50:19.000000000 -0500
5235 +++ linux-2.6.37/arch/sparc/mm/fault_64.c 2011-01-17 02:41:00.000000000 -0500
5237 #include <linux/kprobes.h>
5238 #include <linux/kdebug.h>
5239 #include <linux/percpu.h>
5240 +#include <linux/slab.h>
5241 +#include <linux/pagemap.h>
5242 +#include <linux/compiler.h>
5244 #include <asm/page.h>
5245 #include <asm/pgtable.h>
5246 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
5247 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5249 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5250 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5251 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5252 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5254 unhandled_fault(regs->tpc, current, regs);
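Review bot: The changed `printk("OOPS: RPC <%pA>\n", ...)` is the only visible line of this OOPS report without a log level; the printk calls before and after it use `KERN_CRIT`. Since the line is being touched anyway, make it `printk(KERN_CRIT "OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);` so the symbolised return address is logged at the same level as the rest of the report. bad_kernel_pc starts outside the hunk.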
5255 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
5259 +#ifdef CONFIG_PAX_PAGEEXEC
5260 +#ifdef CONFIG_PAX_DLRESOLVE
5261 +static void pax_emuplt_close(struct vm_area_struct *vma)
5263 + vma->vm_mm->call_dl_resolve = 0UL;
5266 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5268 + unsigned int *kaddr;
5270 + vmf->page = alloc_page(GFP_HIGHUSER);
5272 + return VM_FAULT_OOM;
5274 + kaddr = kmap(vmf->page);
5275 + memset(kaddr, 0, PAGE_SIZE);
5276 + kaddr[0] = 0x9DE3BFA8U; /* save */
5277 + flush_dcache_page(vmf->page);
5278 + kunmap(vmf->page);
5279 + return VM_FAULT_MAJOR;
5282 +static const struct vm_operations_struct pax_vm_ops = {
5283 + .close = pax_emuplt_close,
5284 + .fault = pax_emuplt_fault
5287 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5291 + INIT_LIST_HEAD(&vma->anon_vma_chain);
5292 + vma->vm_mm = current->mm;
5293 + vma->vm_start = addr;
5294 + vma->vm_end = addr + PAGE_SIZE;
5295 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5296 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5297 + vma->vm_ops = &pax_vm_ops;
5299 + ret = insert_vm_struct(current->mm, vma);
5303 + ++current->mm->total_vm;
5309 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5311 + * returns 1 when task should be killed
5312 + * 2 when patched PLT trampoline was detected
5313 + * 3 when unpatched PLT trampoline was detected
5315 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5318 +#ifdef CONFIG_PAX_EMUPLT
5321 + do { /* PaX: patched PLT emulation #1 */
5322 + unsigned int sethi1, sethi2, jmpl;
5324 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5325 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5326 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5331 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5332 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5333 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5335 + unsigned long addr;
5337 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5338 + addr = regs->u_regs[UREG_G1];
5339 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5341 + if (test_thread_flag(TIF_32BIT))
5342 + addr &= 0xFFFFFFFFUL;
5345 + regs->tnpc = addr+4;
5350 + { /* PaX: patched PLT emulation #2 */
5353 + err = get_user(ba, (unsigned int *)regs->tpc);
5355 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5356 + unsigned long addr;
5358 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5360 + if (test_thread_flag(TIF_32BIT))
5361 + addr &= 0xFFFFFFFFUL;
5364 + regs->tnpc = addr+4;
5369 + do { /* PaX: patched PLT emulation #3 */
5370 + unsigned int sethi, jmpl, nop;
5372 + err = get_user(sethi, (unsigned int *)regs->tpc);
5373 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5374 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5379 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5380 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5381 + nop == 0x01000000U)
5383 + unsigned long addr;
5385 + addr = (sethi & 0x003FFFFFU) << 10;
5386 + regs->u_regs[UREG_G1] = addr;
5387 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5389 + if (test_thread_flag(TIF_32BIT))
5390 + addr &= 0xFFFFFFFFUL;
5393 + regs->tnpc = addr+4;
5398 + do { /* PaX: patched PLT emulation #4 */
5399 + unsigned int sethi, mov1, call, mov2;
5401 + err = get_user(sethi, (unsigned int *)regs->tpc);
5402 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5403 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5404 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5409 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5410 + mov1 == 0x8210000FU &&
5411 + (call & 0xC0000000U) == 0x40000000U &&
5412 + mov2 == 0x9E100001U)
5414 + unsigned long addr;
5416 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5417 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5419 + if (test_thread_flag(TIF_32BIT))
5420 + addr &= 0xFFFFFFFFUL;
5423 + regs->tnpc = addr+4;
5428 + do { /* PaX: patched PLT emulation #5 */
5429 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5431 + err = get_user(sethi, (unsigned int *)regs->tpc);
5432 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5433 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5434 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5435 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5436 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5437 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5438 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5443 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5444 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5445 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5446 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5447 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5448 + sllx == 0x83287020U &&
5449 + jmpl == 0x81C04005U &&
5450 + nop == 0x01000000U)
5452 + unsigned long addr;
5454 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5455 + regs->u_regs[UREG_G1] <<= 32;
5456 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5457 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5459 + regs->tnpc = addr+4;
5464 + do { /* PaX: patched PLT emulation #6 */
5465 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5467 + err = get_user(sethi, (unsigned int *)regs->tpc);
5468 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5469 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5470 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5471 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5472 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5473 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5478 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5479 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5480 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5481 + sllx == 0x83287020U &&
5482 + (or & 0xFFFFE000U) == 0x8A116000U &&
5483 + jmpl == 0x81C04005U &&
5484 + nop == 0x01000000U)
5486 + unsigned long addr;
5488 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5489 + regs->u_regs[UREG_G1] <<= 32;
5490 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5491 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5493 + regs->tnpc = addr+4;
5498 + do { /* PaX: unpatched PLT emulation step 1 */
5499 + unsigned int sethi, ba, nop;
5501 + err = get_user(sethi, (unsigned int *)regs->tpc);
5502 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5503 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5508 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5509 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5510 + nop == 0x01000000U)
5512 + unsigned long addr;
5513 + unsigned int save, call;
5514 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5516 + if ((ba & 0xFFC00000U) == 0x30800000U)
5517 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5519 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5521 + if (test_thread_flag(TIF_32BIT))
5522 + addr &= 0xFFFFFFFFUL;
5524 + err = get_user(save, (unsigned int *)addr);
5525 + err |= get_user(call, (unsigned int *)(addr+4));
5526 + err |= get_user(nop, (unsigned int *)(addr+8));
5530 +#ifdef CONFIG_PAX_DLRESOLVE
5531 + if (save == 0x9DE3BFA8U &&
5532 + (call & 0xC0000000U) == 0x40000000U &&
5533 + nop == 0x01000000U)
5535 + struct vm_area_struct *vma;
5536 + unsigned long call_dl_resolve;
5538 + down_read(¤t->mm->mmap_sem);
5539 + call_dl_resolve = current->mm->call_dl_resolve;
5540 + up_read(¤t->mm->mmap_sem);
5541 + if (likely(call_dl_resolve))
5544 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5546 + down_write(¤t->mm->mmap_sem);
5547 + if (current->mm->call_dl_resolve) {
5548 + call_dl_resolve = current->mm->call_dl_resolve;
5549 + up_write(¤t->mm->mmap_sem);
5551 + kmem_cache_free(vm_area_cachep, vma);
5555 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5556 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5557 + up_write(¤t->mm->mmap_sem);
5559 + kmem_cache_free(vm_area_cachep, vma);
5563 + if (pax_insert_vma(vma, call_dl_resolve)) {
5564 + up_write(¤t->mm->mmap_sem);
5565 + kmem_cache_free(vm_area_cachep, vma);
5569 + current->mm->call_dl_resolve = call_dl_resolve;
5570 + up_write(¤t->mm->mmap_sem);
5573 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5574 + regs->tpc = call_dl_resolve;
5575 + regs->tnpc = addr+4;
5580 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5581 + if ((save & 0xFFC00000U) == 0x05000000U &&
5582 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5583 + nop == 0x01000000U)
5585 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5586 + regs->u_regs[UREG_G2] = addr + 4;
5587 + addr = (save & 0x003FFFFFU) << 10;
5588 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5590 + if (test_thread_flag(TIF_32BIT))
5591 + addr &= 0xFFFFFFFFUL;
5594 + regs->tnpc = addr+4;
5598 + /* PaX: 64-bit PLT stub */
5599 + err = get_user(sethi1, (unsigned int *)addr);
5600 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5601 + err |= get_user(or1, (unsigned int *)(addr+8));
5602 + err |= get_user(or2, (unsigned int *)(addr+12));
5603 + err |= get_user(sllx, (unsigned int *)(addr+16));
5604 + err |= get_user(add, (unsigned int *)(addr+20));
5605 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5606 + err |= get_user(nop, (unsigned int *)(addr+28));
5610 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5611 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5612 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5613 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5614 + sllx == 0x89293020U &&
5615 + add == 0x8A010005U &&
5616 + jmpl == 0x89C14000U &&
5617 + nop == 0x01000000U)
5619 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5620 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5621 + regs->u_regs[UREG_G4] <<= 32;
5622 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5623 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5624 + regs->u_regs[UREG_G4] = addr + 24;
5625 + addr = regs->u_regs[UREG_G5];
5627 + regs->tnpc = addr+4;
5633 +#ifdef CONFIG_PAX_DLRESOLVE
5634 + do { /* PaX: unpatched PLT emulation step 2 */
5635 + unsigned int save, call, nop;
5637 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5638 + err |= get_user(call, (unsigned int *)regs->tpc);
5639 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5643 + if (save == 0x9DE3BFA8U &&
5644 + (call & 0xC0000000U) == 0x40000000U &&
5645 + nop == 0x01000000U)
5647 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5649 + if (test_thread_flag(TIF_32BIT))
5650 + dl_resolve &= 0xFFFFFFFFUL;
5652 + regs->u_regs[UREG_RETPC] = regs->tpc;
5653 + regs->tpc = dl_resolve;
5654 + regs->tnpc = dl_resolve+4;
5660 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5661 + unsigned int sethi, ba, nop;
5663 + err = get_user(sethi, (unsigned int *)regs->tpc);
5664 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5665 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5670 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5671 + (ba & 0xFFF00000U) == 0x30600000U &&
5672 + nop == 0x01000000U)
5674 + unsigned long addr;
5676 + addr = (sethi & 0x003FFFFFU) << 10;
5677 + regs->u_regs[UREG_G1] = addr;
5678 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5680 + if (test_thread_flag(TIF_32BIT))
5681 + addr &= 0xFFFFFFFFUL;
5684 + regs->tnpc = addr+4;
5694 +void pax_report_insns(void *pc, void *sp)
5698 + printk(KERN_ERR "PAX: bytes at PC: ");
5699 + for (i = 0; i < 8; i++) {
5701 + if (get_user(c, (unsigned int *)pc+i))
5702 + printk(KERN_CONT "???????? ");
5704 + printk(KERN_CONT "%08x ", c);
5710 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5712 struct mm_struct *mm = current->mm;
5713 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5717 +#ifdef CONFIG_PAX_PAGEEXEC
5718 + /* PaX: detect ITLB misses on non-exec pages */
5719 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5720 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5722 + if (address != regs->tpc)
5725 + up_read(&mm->mmap_sem);
5726 + switch (pax_handle_fetch_fault(regs)) {
5728 +#ifdef CONFIG_PAX_EMUPLT
5735 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5736 + do_group_exit(SIGKILL);
5740 /* Pure DTLB misses do not tell us whether the fault causing
5741 * load/store/atomic was a write or not, it only says that there
5742 * was no match. So in such a case we (carefully) read the
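Review bot: The added block calls `up_read(&mm->mmap_sem)` before `pax_handle_fetch_fault(regs)`, but its only comment, `/* PaX: detect ITLB misses on non-exec pages */`, does not say why the lock has to be released first. The PLT emulation code added earlier in this file reads user memory with `get_user()` and, under CONFIG_PAX_DLRESOLVE, takes `mmap_sem` itself, so entering it with the lock held would presumably deadlock. A comment above the `up_read()` such as `/* drop mmap_sem: the PLT emulation reads user memory and may take mmap_sem for writing */` would record that. The switch cases are missing from the page and do_sparc64_fault continues outside the hunk, so which return values resume the task and which reach `do_group_exit(SIGKILL)` should be confirmed against the full file.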
5743 diff -urNp linux-2.6.37/arch/sparc/mm/hugetlbpage.c linux-2.6.37/arch/sparc/mm/hugetlbpage.c
5744 --- linux-2.6.37/arch/sparc/mm/hugetlbpage.c 2011-01-04 19:50:19.000000000 -0500
5745 +++ linux-2.6.37/arch/sparc/mm/hugetlbpage.c 2011-01-17 02:41:00.000000000 -0500
5746 @@ -68,7 +68,7 @@ full_search:
5750 - if (likely(!vma || addr + len <= vma->vm_start)) {
5751 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5753 * Remember the place where we stopped the search:
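Review bot: The explicit `!vma` test is gone from this condition, so the call depends on `check_heap_stack_gap()` returning true for a NULL `vma`. The helper is defined outside this file's hunks, so that contract cannot be checked from here. The same applies to the three later hunks in this file (two in `hugetlb_get_unmapped_area_topdown`, one in `hugetlb_get_unmapped_area`). A one-line comment at this first call, for example `/* check_heap_stack_gap() accepts vma == NULL (nothing mapped above addr) */`, would keep the dropped check visible. The enclosing function starts and ends outside the hunk.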
5755 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5756 /* make sure it can fit in the remaining address space */
5757 if (likely(addr > len)) {
5758 vma = find_vma(mm, addr-len);
5759 - if (!vma || addr <= vma->vm_start) {
5760 + if (check_heap_stack_gap(vma, addr - len, len)) {
5761 /* remember the address as a hint for next time */
5762 return (mm->free_area_cache = addr-len);
5764 @@ -125,7 +125,7 @@ hugetlb_get_unmapped_area_topdown(struct
5765 * return with success:
5767 vma = find_vma(mm, addr);
5768 - if (likely(!vma || addr+len <= vma->vm_start)) {
5769 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5770 /* remember the address as a hint for next time */
5771 return (mm->free_area_cache = addr);
5773 @@ -182,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *f
5775 addr = ALIGN(addr, HPAGE_SIZE);
5776 vma = find_vma(mm, addr);
5777 - if (task_size - len >= addr &&
5778 - (!vma || addr + len <= vma->vm_start))
5779 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5782 if (mm->get_unmapped_area == arch_get_unmapped_area)
5783 diff -urNp linux-2.6.37/arch/sparc/mm/init_32.c linux-2.6.37/arch/sparc/mm/init_32.c
5784 --- linux-2.6.37/arch/sparc/mm/init_32.c 2011-01-04 19:50:19.000000000 -0500
5785 +++ linux-2.6.37/arch/sparc/mm/init_32.c 2011-01-17 02:41:00.000000000 -0500
5786 @@ -318,6 +318,9 @@ extern void device_scan(void);
5787 pgprot_t PAGE_SHARED __read_mostly;
5788 EXPORT_SYMBOL(PAGE_SHARED);
5790 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5791 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5793 void __init paging_init(void)
5795 switch(sparc_cpu_model) {
5796 @@ -346,17 +349,17 @@ void __init paging_init(void)
5798 /* Initialize the protection map with non-constant, MMU dependent values. */
5799 protection_map[0] = PAGE_NONE;
5800 - protection_map[1] = PAGE_READONLY;
5801 - protection_map[2] = PAGE_COPY;
5802 - protection_map[3] = PAGE_COPY;
5803 + protection_map[1] = PAGE_READONLY_NOEXEC;
5804 + protection_map[2] = PAGE_COPY_NOEXEC;
5805 + protection_map[3] = PAGE_COPY_NOEXEC;
5806 protection_map[4] = PAGE_READONLY;
5807 protection_map[5] = PAGE_READONLY;
5808 protection_map[6] = PAGE_COPY;
5809 protection_map[7] = PAGE_COPY;
5810 protection_map[8] = PAGE_NONE;
5811 - protection_map[9] = PAGE_READONLY;
5812 - protection_map[10] = PAGE_SHARED;
5813 - protection_map[11] = PAGE_SHARED;
5814 + protection_map[9] = PAGE_READONLY_NOEXEC;
5815 + protection_map[10] = PAGE_SHARED_NOEXEC;
5816 + protection_map[11] = PAGE_SHARED_NOEXEC;
5817 protection_map[12] = PAGE_READONLY;
5818 protection_map[13] = PAGE_READONLY;
5819 protection_map[14] = PAGE_SHARED;
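Review bot: `protection_map[1..3]` and `[9..11]` now use `PAGE_READONLY_NOEXEC`, `PAGE_COPY_NOEXEC` and `PAGE_SHARED_NOEXEC` with no `#ifdef`, while the srmmu.c hunk further down assigns `PAGE_SHARED_NOEXEC` and the two `BTFIXUPSET_INT(..._noexec, ...)` values only under `CONFIG_PAX_PAGEEXEC`. If the header does not map the `_NOEXEC` names back to the plain protections when that option is off, these six entries would be built from values that were never set. The header is not on this page, so this needs confirming. A comment here such as `/* _NOEXEC variants equal the plain protections unless CONFIG_PAX_PAGEEXEC is set */` would settle it for the reader. paging_init continues outside the hunk.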
5820 diff -urNp linux-2.6.37/arch/sparc/mm/Makefile linux-2.6.37/arch/sparc/mm/Makefile
5821 --- linux-2.6.37/arch/sparc/mm/Makefile 2011-01-04 19:50:19.000000000 -0500
5822 +++ linux-2.6.37/arch/sparc/mm/Makefile 2011-01-17 02:41:00.000000000 -0500
5827 -ccflags-y := -Werror
5828 +#ccflags-y := -Werror
5830 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5831 obj-y += fault_$(BITS).o
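Review bot: Commenting out `ccflags-y := -Werror` makes every compiler warning in arch/sparc/mm non-fatal again, and the hunk gives no reason for it. If the flag is dropped because the added fault-handler code warns, fixing those warnings keeps the check for the rest of the directory. If it has to go, delete the line and state why, e.g. `# -Werror dropped: <warning triggered by the added fault code>`, rather than leaving a disabled assignment behind.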
5832 diff -urNp linux-2.6.37/arch/sparc/mm/srmmu.c linux-2.6.37/arch/sparc/mm/srmmu.c
5833 --- linux-2.6.37/arch/sparc/mm/srmmu.c 2011-01-04 19:50:19.000000000 -0500
5834 +++ linux-2.6.37/arch/sparc/mm/srmmu.c 2011-01-17 02:41:00.000000000 -0500
5835 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
5836 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5837 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5838 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5840 +#ifdef CONFIG_PAX_PAGEEXEC
5841 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5842 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5843 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5846 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5847 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5849 diff -urNp linux-2.6.37/arch/um/include/asm/kmap_types.h linux-2.6.37/arch/um/include/asm/kmap_types.h
5850 --- linux-2.6.37/arch/um/include/asm/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
5851 +++ linux-2.6.37/arch/um/include/asm/kmap_types.h 2011-01-17 02:41:00.000000000 -0500
5852 @@ -23,6 +23,7 @@ enum km_type {
5860 diff -urNp linux-2.6.37/arch/um/include/asm/page.h linux-2.6.37/arch/um/include/asm/page.h
5861 --- linux-2.6.37/arch/um/include/asm/page.h 2011-01-04 19:50:19.000000000 -0500
5862 +++ linux-2.6.37/arch/um/include/asm/page.h 2011-01-17 02:41:00.000000000 -0500
5864 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5865 #define PAGE_MASK (~(PAGE_SIZE-1))
5867 +#define ktla_ktva(addr) (addr)
5868 +#define ktva_ktla(addr) (addr)
5870 #ifndef __ASSEMBLY__
5873 diff -urNp linux-2.6.37/arch/um/kernel/process.c linux-2.6.37/arch/um/kernel/process.c
5874 --- linux-2.6.37/arch/um/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
5875 +++ linux-2.6.37/arch/um/kernel/process.c 2011-01-17 02:41:00.000000000 -0500
5876 @@ -404,22 +404,6 @@ int singlestepping(void * t)
5881 - * Only x86 and x86_64 have an arch_align_stack().
5882 - * All other arches have "#define arch_align_stack(x) (x)"
5883 - * in their asm/system.h
5884 - * As this is included in UML from asm-um/system-generic.h,
5885 - * we can use it to behave as the subarch does.
5887 -#ifndef arch_align_stack
5888 -unsigned long arch_align_stack(unsigned long sp)
5890 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5891 - sp -= get_random_int() % 8192;
5896 unsigned long get_wchan(struct task_struct *p)
5898 unsigned long stack_page, sp, ip;
5899 diff -urNp linux-2.6.37/arch/um/sys-i386/syscalls.c linux-2.6.37/arch/um/sys-i386/syscalls.c
5900 --- linux-2.6.37/arch/um/sys-i386/syscalls.c 2011-01-04 19:50:19.000000000 -0500
5901 +++ linux-2.6.37/arch/um/sys-i386/syscalls.c 2011-01-17 02:41:00.000000000 -0500
5903 #include "asm/uaccess.h"
5904 #include "asm/unistd.h"
5906 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5908 + unsigned long pax_task_size = TASK_SIZE;
5910 +#ifdef CONFIG_PAX_SEGMEXEC
5911 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5912 + pax_task_size = SEGMEXEC_TASK_SIZE;
5915 + if (len > pax_task_size || addr > pax_task_size - len)
5922 * The prototype on i386 is:
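Review bot: `i386_mmap_check()` is new and has no comment, and the order of the two tests in `if (len > pax_task_size || addr > pax_task_size - len)` matters: `len` is checked first so that the subtraction cannot wrap. A short header comment should say that the function rejects ranges reaching past the task's address limit, that the limit becomes `SEGMEXEC_TASK_SIZE` when `MF_PAX_SEGMEXEC` is set, and that the test order is deliberate. `flags` is not used in the lines shown, but the return statements and the end of the function are missing from the page, so confirm that against the full file.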
5924 diff -urNp linux-2.6.37/arch/x86/boot/bitops.h linux-2.6.37/arch/x86/boot/bitops.h
5925 --- linux-2.6.37/arch/x86/boot/bitops.h 2011-01-04 19:50:19.000000000 -0500
5926 +++ linux-2.6.37/arch/x86/boot/bitops.h 2011-01-17 02:41:00.000000000 -0500
5927 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5929 const u32 *p = (const u32 *)addr;
5931 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5932 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5936 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5938 static inline void set_bit(int nr, void *addr)
5940 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5941 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5944 #endif /* BOOT_BITOPS_H */
5945 diff -urNp linux-2.6.37/arch/x86/boot/boot.h linux-2.6.37/arch/x86/boot/boot.h
5946 --- linux-2.6.37/arch/x86/boot/boot.h 2011-01-04 19:50:19.000000000 -0500
5947 +++ linux-2.6.37/arch/x86/boot/boot.h 2011-01-17 02:41:00.000000000 -0500
5948 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5949 static inline u16 ds(void)
5952 - asm("movw %%ds,%0" : "=rm" (seg));
5953 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5957 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5958 static inline int memcmp(const void *s1, const void *s2, size_t len)
5961 - asm("repe; cmpsb; setnz %0"
5962 + asm volatile("repe; cmpsb; setnz %0"
5963 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
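Review bot: Adding `volatile` keeps the `repe; cmpsb` from being dropped or merged, but the asm still does not tell the compiler that it reads the memory behind `s1` and `s2`; its operands are only the two pointer registers and the count. Without a `"memory"` clobber (or memory input operands) the compiler may keep earlier stores to those buffers in registers or move them past the asm. Suggest ending the operand list with `: : "memory");`. memcmp's body continues outside the hunk.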
5966 diff -urNp linux-2.6.37/arch/x86/boot/compressed/head_32.S linux-2.6.37/arch/x86/boot/compressed/head_32.S
5967 --- linux-2.6.37/arch/x86/boot/compressed/head_32.S 2011-01-04 19:50:19.000000000 -0500
5968 +++ linux-2.6.37/arch/x86/boot/compressed/head_32.S 2011-01-17 02:41:00.000000000 -0500
5969 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5973 - movl $LOAD_PHYSICAL_ADDR, %ebx
5974 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5977 /* Target address to relocate to for decompression */
5978 @@ -162,7 +162,7 @@ relocated:
5979 * and where it was actually loaded.
5982 - subl $LOAD_PHYSICAL_ADDR, %ebx
5983 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5984 jz 2f /* Nothing to be done if loaded at compiled addr. */
5986 * Process relocations.
5987 @@ -170,8 +170,7 @@ relocated:
5994 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5997 diff -urNp linux-2.6.37/arch/x86/boot/compressed/head_64.S linux-2.6.37/arch/x86/boot/compressed/head_64.S
5998 --- linux-2.6.37/arch/x86/boot/compressed/head_64.S 2011-01-04 19:50:19.000000000 -0500
5999 +++ linux-2.6.37/arch/x86/boot/compressed/head_64.S 2011-01-17 02:41:00.000000000 -0500
6000 @@ -91,7 +91,7 @@ ENTRY(startup_32)
6004 - movl $LOAD_PHYSICAL_ADDR, %ebx
6005 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6008 /* Target address to relocate to for decompression */
6009 @@ -233,7 +233,7 @@ ENTRY(startup_64)
6013 - movq $LOAD_PHYSICAL_ADDR, %rbp
6014 + movq $____LOAD_PHYSICAL_ADDR, %rbp
6017 /* Target address to relocate to for decompression */
6018 diff -urNp linux-2.6.37/arch/x86/boot/compressed/misc.c linux-2.6.37/arch/x86/boot/compressed/misc.c
6019 --- linux-2.6.37/arch/x86/boot/compressed/misc.c 2011-01-04 19:50:19.000000000 -0500
6020 +++ linux-2.6.37/arch/x86/boot/compressed/misc.c 2011-01-17 02:41:00.000000000 -0500
6021 @@ -306,7 +306,7 @@ static void parse_elf(void *output)
6023 #ifdef CONFIG_RELOCATABLE
6025 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
6026 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
6028 dest = (void *)(phdr->p_paddr);
6030 @@ -359,7 +359,7 @@ asmlinkage void decompress_kernel(void *
6031 error("Destination address too large");
6033 #ifndef CONFIG_RELOCATABLE
6034 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
6035 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
6036 error("Wrong destination address");
6039 diff -urNp linux-2.6.37/arch/x86/boot/compressed/mkpiggy.c linux-2.6.37/arch/x86/boot/compressed/mkpiggy.c
6040 --- linux-2.6.37/arch/x86/boot/compressed/mkpiggy.c 2011-01-04 19:50:19.000000000 -0500
6041 +++ linux-2.6.37/arch/x86/boot/compressed/mkpiggy.c 2011-01-17 02:41:00.000000000 -0500
6042 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
6044 offs = (olen > ilen) ? olen - ilen : 0;
6045 offs += olen >> 12; /* Add 8 bytes for each 32K block */
6046 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
6047 + offs += 64*1024; /* Add 64K bytes slack */
6048 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
6050 printf(".section \".rodata..compressed\",\"a\",@progbits\n");
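Review bot: The slack for in-place decompression changes from `32*1024 + 18` to `64*1024`, and the new comment only restates the number. The old value reads like a derived bound (one 32K block plus 18 bytes), so the reason for replacing it should be recorded next to the constant, for example `/* Add 64K bytes slack: <why 32K + 18 is no longer enough> */`. main() starts and ends outside the hunk.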
6051 diff -urNp linux-2.6.37/arch/x86/boot/compressed/relocs.c linux-2.6.37/arch/x86/boot/compressed/relocs.c
6052 --- linux-2.6.37/arch/x86/boot/compressed/relocs.c 2011-01-04 19:50:19.000000000 -0500
6053 +++ linux-2.6.37/arch/x86/boot/compressed/relocs.c 2011-01-17 02:41:00.000000000 -0500
6056 static void die(char *fmt, ...);
6058 +#include "../../../../include/generated/autoconf.h"
6060 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
6061 static Elf32_Ehdr ehdr;
6062 +static Elf32_Phdr *phdr;
6063 static unsigned long reloc_count, reloc_idx;
6064 static unsigned long *relocs;
6066 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
6070 +static void read_phdrs(FILE *fp)
6074 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
6076 + die("Unable to allocate %d program headers\n",
6079 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
6080 + die("Seek to %d failed: %s\n",
6081 + ehdr.e_phoff, strerror(errno));
6083 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
6084 + die("Cannot read ELF program headers: %s\n",
6087 + for(i = 0; i < ehdr.e_phnum; i++) {
6088 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
6089 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
6090 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
6091 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
6092 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
6093 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
6094 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
6095 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
6100 static void read_shdrs(FILE *fp)
6106 secs = calloc(ehdr.e_shnum, sizeof(struct section));
6107 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
6109 static void read_strtabs(FILE *fp)
6113 for (i = 0; i < ehdr.e_shnum; i++) {
6114 struct section *sec = &secs[i];
6115 if (sec->shdr.sh_type != SHT_STRTAB) {
6116 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
6118 static void read_symtabs(FILE *fp)
6122 for (i = 0; i < ehdr.e_shnum; i++) {
6123 struct section *sec = &secs[i];
6124 if (sec->shdr.sh_type != SHT_SYMTAB) {
6125 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
6127 static void read_relocs(FILE *fp)
6133 for (i = 0; i < ehdr.e_shnum; i++) {
6134 struct section *sec = &secs[i];
6135 if (sec->shdr.sh_type != SHT_REL) {
6136 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
6137 die("Cannot read symbol table: %s\n",
6141 + for (j = 0; j < ehdr.e_phnum; j++) {
6142 + if (phdr[j].p_type != PT_LOAD )
6144 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6146 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6149 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6150 Elf32_Rel *rel = &sec->reltab[j];
6151 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6152 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6153 rel->r_info = elf32_to_cpu(rel->r_info);
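Review bot: The added segment search evaluates `secs[sec->shdr.sh_info].shdr.sh_offset` twice in one very long condition. A local set before the inner loop, `Elf32_Off off = secs[sec->shdr.sh_info].shdr.sh_offset;`, would reduce the range check to `off < phdr[j].p_offset || off >= phdr[j].p_offset + phdr[j].p_filesz`. The lines that initialise `base` and leave the loop are not shown on the page. If no `PT_LOAD` segment covers the section, `base` keeps whatever it held and every `r_offset` in the section is adjusted by it without a diagnostic, so a `die()` for the no-match case would be safer than continuing. read_relocs starts and ends outside the hunk.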
6156 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
6158 static void print_absolute_symbols(void)
6162 printf("Absolute symbols\n");
6163 printf(" Num: Value Size Type Bind Visibility Name\n");
6164 for (i = 0; i < ehdr.e_shnum; i++) {
6165 struct section *sec = &secs[i];
6167 Elf32_Sym *sh_symtab;
6171 if (sec->shdr.sh_type != SHT_SYMTAB) {
6173 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
6175 static void print_absolute_relocs(void)
6177 - int i, printed = 0;
6178 + unsigned int i, printed = 0;
6180 for (i = 0; i < ehdr.e_shnum; i++) {
6181 struct section *sec = &secs[i];
6182 struct section *sec_applies, *sec_symtab;
6184 Elf32_Sym *sh_symtab;
6187 if (sec->shdr.sh_type != SHT_REL) {
6190 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
6192 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6196 /* Walk through the relocations */
6197 for (i = 0; i < ehdr.e_shnum; i++) {
6199 Elf32_Sym *sh_symtab;
6200 struct section *sec_applies, *sec_symtab;
6203 struct section *sec = &secs[i];
6205 if (sec->shdr.sh_type != SHT_REL) {
6206 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
6207 !is_rel_reloc(sym_name(sym_strtab, sym))) {
6210 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6211 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6214 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6215 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6216 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6218 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6220 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6222 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6229 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
6231 static void emit_relocs(int as_text)
6235 /* Count how many relocations I have and allocate space for them. */
6237 walk_relocs(count_reloc);
6238 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
6239 fname, strerror(errno));
6246 diff -urNp linux-2.6.37/arch/x86/boot/cpucheck.c linux-2.6.37/arch/x86/boot/cpucheck.c
6247 --- linux-2.6.37/arch/x86/boot/cpucheck.c 2011-01-04 19:50:19.000000000 -0500
6248 +++ linux-2.6.37/arch/x86/boot/cpucheck.c 2011-01-17 02:41:00.000000000 -0500
6249 @@ -74,7 +74,7 @@ static int has_fpu(void)
6250 u16 fcw = -1, fsw = -1;
6253 - asm("movl %%cr0,%0" : "=r" (cr0));
6254 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6255 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6256 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6257 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6258 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6263 + asm volatile("pushfl ; "
6267 @@ -115,7 +115,7 @@ static void get_flags(void)
6268 set_bit(X86_FEATURE_FPU, cpu.flags);
6270 if (has_eflag(X86_EFLAGS_ID)) {
6272 + asm volatile("cpuid"
6273 : "=a" (max_intel_level),
6274 "=b" (cpu_vendor[0]),
6275 "=d" (cpu_vendor[1]),
6276 @@ -124,7 +124,7 @@ static void get_flags(void)
6278 if (max_intel_level >= 0x00000001 &&
6279 max_intel_level <= 0x0000ffff) {
6281 + asm volatile("cpuid"
6283 "=c" (cpu.flags[4]),
6285 @@ -136,7 +136,7 @@ static void get_flags(void)
6286 cpu.model += ((tfms >> 16) & 0xf) << 4;
6290 + asm volatile("cpuid"
6291 : "=a" (max_amd_level)
6293 : "ebx", "ecx", "edx");
6294 @@ -144,7 +144,7 @@ static void get_flags(void)
6295 if (max_amd_level >= 0x80000001 &&
6296 max_amd_level <= 0x8000ffff) {
6297 u32 eax = 0x80000001;
6299 + asm volatile("cpuid"
6301 "=c" (cpu.flags[6]),
6303 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6304 u32 ecx = MSR_K7_HWCR;
6307 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6308 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6310 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6311 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6313 get_flags(); /* Make sure it really did something */
6314 err = check_flags();
6315 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6316 u32 ecx = MSR_VIA_FCR;
6319 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6320 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6321 eax |= (1<<1)|(1<<7);
6322 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6323 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6325 set_bit(X86_FEATURE_CX8, cpu.flags);
6326 err = check_flags();
6327 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6331 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6332 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6334 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6335 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6336 + asm volatile("cpuid"
6337 : "+a" (level), "=d" (cpu.flags[0])
6339 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6340 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6342 err = check_flags();
6344 diff -urNp linux-2.6.37/arch/x86/boot/header.S linux-2.6.37/arch/x86/boot/header.S
6345 --- linux-2.6.37/arch/x86/boot/header.S 2011-01-04 19:50:19.000000000 -0500
6346 +++ linux-2.6.37/arch/x86/boot/header.S 2011-01-17 02:41:00.000000000 -0500
6347 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6348 # single linked list of
6351 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6352 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6354 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6355 #define VO_INIT_SIZE (VO__end - VO__text)
6356 diff -urNp linux-2.6.37/arch/x86/boot/memory.c linux-2.6.37/arch/x86/boot/memory.c
6357 --- linux-2.6.37/arch/x86/boot/memory.c 2011-01-04 19:50:19.000000000 -0500
6358 +++ linux-2.6.37/arch/x86/boot/memory.c 2011-01-17 02:41:00.000000000 -0500
6361 static int detect_memory_e820(void)
6364 + unsigned int count = 0;
6365 struct biosregs ireg, oreg;
6366 struct e820entry *desc = boot_params.e820_map;
6367 static struct e820entry buf; /* static so it is zeroed */
6368 diff -urNp linux-2.6.37/arch/x86/boot/video.c linux-2.6.37/arch/x86/boot/video.c
6369 --- linux-2.6.37/arch/x86/boot/video.c 2011-01-04 19:50:19.000000000 -0500
6370 +++ linux-2.6.37/arch/x86/boot/video.c 2011-01-17 02:41:00.000000000 -0500
6371 @@ -96,7 +96,7 @@ static void store_mode_params(void)
6372 static unsigned int get_entry(void)
6376 + unsigned int i, len = 0;
6380 diff -urNp linux-2.6.37/arch/x86/boot/video-vesa.c linux-2.6.37/arch/x86/boot/video-vesa.c
6381 --- linux-2.6.37/arch/x86/boot/video-vesa.c 2011-01-04 19:50:19.000000000 -0500
6382 +++ linux-2.6.37/arch/x86/boot/video-vesa.c 2011-01-17 02:41:00.000000000 -0500
6383 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6385 boot_params.screen_info.vesapm_seg = oreg.es;
6386 boot_params.screen_info.vesapm_off = oreg.di;
6387 + boot_params.screen_info.vesapm_size = oreg.cx;
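Review bot: `vesapm_size` is filled straight from `oreg.cx`, a value returned by the video BIOS, and nothing in the hunk documents its unit or bounds it. A comment such as `/* CX: size of the protected-mode interface table as reported by the BIOS */` would help, assuming that is what the call returns; the call itself is not visible on the page. Whatever later consumes the field should treat it as unvalidated firmware input and clamp it before using it as a length. vesa_store_pm_info starts outside the hunk.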
6391 diff -urNp linux-2.6.37/arch/x86/ia32/ia32_aout.c linux-2.6.37/arch/x86/ia32/ia32_aout.c
6392 --- linux-2.6.37/arch/x86/ia32/ia32_aout.c 2011-01-04 19:50:19.000000000 -0500
6393 +++ linux-2.6.37/arch/x86/ia32/ia32_aout.c 2011-01-17 02:41:00.000000000 -0500
6394 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
6395 unsigned long dump_start, dump_size;
6398 + memset(&dump, 0, sizeof(dump));
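Review bot: The added `memset(&dump, 0, sizeof(dump))` has no comment, and its purpose is easy to lose in a later cleanup. `dump` looks like an on-stack structure that is later written to the core file (its declaration and the write are outside the hunk), in which case the clear is what keeps padding and unset fields from carrying stale kernel stack bytes into a user-readable file. Suggest `/* zero padding and unset fields: dump is written out to the core file */` above the call.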
6403 diff -urNp linux-2.6.37/arch/x86/ia32/ia32entry.S linux-2.6.37/arch/x86/ia32/ia32entry.S
6404 --- linux-2.6.37/arch/x86/ia32/ia32entry.S 2011-01-04 19:50:19.000000000 -0500
6405 +++ linux-2.6.37/arch/x86/ia32/ia32entry.S 2011-01-17 02:41:00.000000000 -0500
6407 #include <asm/thread_info.h>
6408 #include <asm/segment.h>
6409 #include <asm/irqflags.h>
6410 +#include <asm/pgtable.h>
6411 #include <linux/linkage.h>
6413 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6414 @@ -120,6 +121,11 @@ ENTRY(ia32_sysenter_target)
6416 movq PER_CPU_VAR(kernel_stack), %rsp
6417 addq $(KERNEL_STACK_OFFSET),%rsp
6419 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6420 + call pax_enter_kernel_user
6424 * No need to follow this irqs on/off section: the syscall
6425 * disabled irqs, here we enable it straight after entry:
6426 @@ -150,6 +156,12 @@ ENTRY(ia32_sysenter_target)
6428 /* no need to do an access_ok check here because rbp has been
6429 32bit zero extended */
6431 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6432 + mov $PAX_USER_SHADOW_BASE,%r10
6437 .section __ex_table,"a"
6438 .quad 1b,ia32_badarg
6439 @@ -172,6 +184,11 @@ sysenter_dispatch:
6440 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6442 sysexit_from_sys_call:
6444 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6445 + call pax_exit_kernel_user
6448 andl $~TS_COMPAT,TI_status(%r10)
6449 /* clear IF, that popfq doesn't enable interrupts early */
6450 andl $~0x200,EFLAGS-R11(%rsp)
6451 @@ -290,6 +307,11 @@ ENTRY(ia32_cstar_target)
6454 movq PER_CPU_VAR(kernel_stack),%rsp
6456 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6457 + call pax_enter_kernel_user
6461 * No need to follow this irqs on/off section: the syscall
6462 * disabled irqs and here we enable it straight after entry:
6463 @@ -311,6 +333,12 @@ ENTRY(ia32_cstar_target)
6464 /* no need to do an access_ok check here because r8 has been
6465 32bit zero extended */
6466 /* hardware stack frame is complete now */
6468 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6469 + mov $PAX_USER_SHADOW_BASE,%r10
6474 .section __ex_table,"a"
6475 .quad 1b,ia32_badarg
6476 @@ -333,6 +361,11 @@ cstar_dispatch:
6477 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6479 sysretl_from_sys_call:
6481 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6482 + call pax_exit_kernel_user
6485 andl $~TS_COMPAT,TI_status(%r10)
6486 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6487 movl RIP-ARGOFFSET(%rsp),%ecx
6488 @@ -415,6 +448,11 @@ ENTRY(ia32_syscall)
6489 CFI_REL_OFFSET rip,RIP-RIP
6490 PARAVIRT_ADJUST_EXCEPTION_FRAME
6493 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6494 + call pax_enter_kernel_user
6498 * No need to follow this irqs on/off section: the syscall
6499 * disabled irqs and here we enable it straight after entry:
6500 diff -urNp linux-2.6.37/arch/x86/ia32/ia32_signal.c linux-2.6.37/arch/x86/ia32/ia32_signal.c
6501 --- linux-2.6.37/arch/x86/ia32/ia32_signal.c 2011-01-04 19:50:19.000000000 -0500
6502 +++ linux-2.6.37/arch/x86/ia32/ia32_signal.c 2011-01-17 02:41:00.000000000 -0500
6503 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6505 /* Align the stack pointer according to the i386 ABI,
6506 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6507 - sp = ((sp + 4) & -16ul) - 4;
6508 + sp = ((sp - 12) & -16ul) - 4;
6509 return (void __user *) sp;
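Review bot: The new expression `((sp - 12) & -16ul) - 4` is the old one lowered by exactly 16 bytes, so the invariant stated in the comment above, `((sp + 4) & 15) == 0`, still holds, but the comment does not explain the extra 16 bytes. Extend it with the reason, e.g. `/* ... placed 16 bytes below the minimal aligned position: <reason> */`, so the constant is not simplified back later. get_sigframe starts outside the hunk.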
6512 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6513 * These are actually not used anymore, but left because some
6514 * gdb versions depend on them as a marker.
6516 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6517 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6518 } put_user_catch(err);
6521 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6523 __NR_ia32_rt_sigreturn,
6529 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6530 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6532 if (ka->sa.sa_flags & SA_RESTORER)
6533 restorer = ka->sa.sa_restorer;
6534 + else if (current->mm->context.vdso)
6535 + /* Return stub is in 32bit vsyscall page */
6536 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6538 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6540 + restorer = &frame->retcode;
6541 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6544 * Not actually used anymore, but left because some gdb
6547 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6548 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6549 } put_user_catch(err);
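Review bot: The new final branch makes `&frame->retcode` the signal restorer when `SA_RESTORER` is not set and `current->mm->context.vdso` is zero, yet the comment a few lines below still says the retcode is "Not actually used anymore". Update that comment, e.g. `/* Return stub when the task has no vdso; also kept as a marker for gdb */`. The fallback also means the return path runs from the signal stack, which only works where that memory is executable or the trampoline is emulated, and the comment should say which is expected. ia32_setup_rt_frame starts and ends outside the hunk, and the unchanged `else` line between the branches is missing from the page.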
6552 diff -urNp linux-2.6.37/arch/x86/include/asm/alternative.h linux-2.6.37/arch/x86/include/asm/alternative.h
6553 --- linux-2.6.37/arch/x86/include/asm/alternative.h 2011-01-04 19:50:19.000000000 -0500
6554 +++ linux-2.6.37/arch/x86/include/asm/alternative.h 2011-01-17 02:41:00.000000000 -0500
6555 @@ -93,7 +93,7 @@ static inline int alternatives_text_rese
6556 ".section .discard,\"aw\",@progbits\n" \
6557 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6559 - ".section .altinstr_replacement, \"ax\"\n" \
6560 + ".section .altinstr_replacement, \"a\"\n" \
6561 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
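Review bot: The `.altinstr_replacement` section loses its `x` flag here, but nothing says why instructions may live in a non-executable section. If these bytes are only ever copied over the original site and never run in place, as the `/* replacement */` label suggests, say so next to the directive, e.g. `/* "a" only: replacement bytes are copied to the patch site, never executed here */`. Tools that pick sections by the executable flag (disassembly, section checks) will then skip this section, which should be confirmed as acceptable. The macro starts and ends outside the hunk.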
6564 diff -urNp linux-2.6.37/arch/x86/include/asm/apm.h linux-2.6.37/arch/x86/include/asm/apm.h
6565 --- linux-2.6.37/arch/x86/include/asm/apm.h 2011-01-04 19:50:19.000000000 -0500
6566 +++ linux-2.6.37/arch/x86/include/asm/apm.h 2011-01-17 02:41:00.000000000 -0500
6567 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6568 __asm__ __volatile__(APM_DO_ZERO_SEGS
6571 - "lcall *%%cs:apm_bios_entry\n\t"
6572 + "lcall *%%ss:apm_bios_entry\n\t"
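Review bot: The far call now fetches `apm_bios_entry` through `%%ss:` instead of `%%cs:`, here and in `apm_bios_call_simple_asm` in the next hunk, with no comment on why the override changed. `APM_DO_ZERO_SEGS` runs first and, going by its name, clears the data segment registers, so the operand needs a segment that still addresses kernel data. The switch away from CS presumably follows from changes to the kernel code segment elsewhere in this patch, which this file does not show. A comment such as `/* read the entry point via %ss: the data segments are zeroed above and %cs may not cover kernel data */` would make the reliance on a flat SS explicit.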
6576 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6577 __asm__ __volatile__(APM_DO_ZERO_SEGS
6580 - "lcall *%%cs:apm_bios_entry\n\t"
6581 + "lcall *%%ss:apm_bios_entry\n\t"
6585 diff -urNp linux-2.6.37/arch/x86/include/asm/atomic64_32.h linux-2.6.37/arch/x86/include/asm/atomic64_32.h
6586 --- linux-2.6.37/arch/x86/include/asm/atomic64_32.h 2011-01-04 19:50:19.000000000 -0500
6587 +++ linux-2.6.37/arch/x86/include/asm/atomic64_32.h 2011-01-17 02:41:00.000000000 -0500
6588 @@ -12,6 +12,14 @@ typedef struct {
6589 u64 __aligned(8) counter;
6592 +#ifdef CONFIG_PAX_REFCOUNT
6594 + u64 __aligned(8) counter;
6595 +} atomic64_unchecked_t;
6597 +typedef atomic64_t atomic64_unchecked_t;
6600 #define ATOMIC64_INIT(val) { (val) }
6602 #ifdef CONFIG_X86_CMPXCHG64
6603 diff -urNp linux-2.6.37/arch/x86/include/asm/atomic64_64.h linux-2.6.37/arch/x86/include/asm/atomic64_64.h
6604 --- linux-2.6.37/arch/x86/include/asm/atomic64_64.h 2011-01-04 19:50:19.000000000 -0500
6605 +++ linux-2.6.37/arch/x86/include/asm/atomic64_64.h 2011-01-17 02:41:00.000000000 -0500
6608 static inline long atomic64_read(const atomic64_t *v)
6610 - return (*(volatile long *)&(v)->counter);
6611 + return (*(volatile const long *)&(v)->counter);
6615 + * atomic64_read_unchecked - read atomic64 variable
6616 + * @v: pointer of type atomic64_unchecked_t
6618 + * Atomically reads the value of @v.
6619 + * Doesn't imply a read memory barrier.
6621 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6623 + return (*(volatile const long *)&(v)->counter);
6627 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6631 + * atomic64_set_unchecked - set atomic64 variable
6632 + * @v: pointer to type atomic64_unchecked_t
6633 + * @i: required value
6635 + * Atomically sets the value of @v to @i.
6637 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6643 * atomic64_add - add integer to atomic64 variable
6644 * @i: integer value to add
6645 * @v: pointer to type atomic64_t
6646 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6648 static inline void atomic64_add(long i, atomic64_t *v)
6650 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6652 +#ifdef CONFIG_PAX_REFCOUNT
6654 + LOCK_PREFIX "subq %1,%0\n"
6656 + _ASM_EXTABLE(0b, 0b)
6659 + : "=m" (v->counter)
6660 + : "er" (i), "m" (v->counter));
6664 + * atomic64_add_unchecked - add integer to atomic64 variable
6665 + * @i: integer value to add
6666 + * @v: pointer to type atomic64_unchecked_t
6668 + * Atomically adds @i to @v.
6670 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6672 asm volatile(LOCK_PREFIX "addq %1,%0"
6674 : "er" (i), "m" (v->counter));
6675 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
6677 static inline void atomic64_sub(long i, atomic64_t *v)
6679 - asm volatile(LOCK_PREFIX "subq %1,%0"
6680 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6682 +#ifdef CONFIG_PAX_REFCOUNT
6684 + LOCK_PREFIX "addq %1,%0\n"
6686 + _ASM_EXTABLE(0b, 0b)
6689 + : "=m" (v->counter)
6690 + : "er" (i), "m" (v->counter));
6694 + * atomic64_sub_unchecked - subtract the atomic64 variable
6695 + * @i: integer value to subtract
6696 + * @v: pointer to type atomic64_unchecked_t
6698 + * Atomically subtracts @i from @v.
6700 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6702 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6704 : "er" (i), "m" (v->counter));
6706 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6710 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6711 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6713 +#ifdef CONFIG_PAX_REFCOUNT
6715 + LOCK_PREFIX "addq %2,%0\n"
6717 + _ASM_EXTABLE(0b, 0b)
6721 : "=m" (v->counter), "=qm" (c)
6722 : "er" (i), "m" (v->counter) : "memory");
6724 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6726 static inline void atomic64_inc(atomic64_t *v)
6728 + asm volatile(LOCK_PREFIX "incq %0\n"
6730 +#ifdef CONFIG_PAX_REFCOUNT
6732 + LOCK_PREFIX "decq %0\n"
6734 + _ASM_EXTABLE(0b, 0b)
6737 + : "=m" (v->counter)
6738 + : "m" (v->counter));
6742 + * atomic64_inc_unchecked - increment atomic64 variable
6743 + * @v: pointer to type atomic64_unchecked_t
6745 + * Atomically increments @v by 1.
6747 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6749 asm volatile(LOCK_PREFIX "incq %0"
6751 : "m" (v->counter));
6752 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6754 static inline void atomic64_dec(atomic64_t *v)
6756 - asm volatile(LOCK_PREFIX "decq %0"
6757 + asm volatile(LOCK_PREFIX "decq %0\n"
6759 +#ifdef CONFIG_PAX_REFCOUNT
6761 + LOCK_PREFIX "incq %0\n"
6763 + _ASM_EXTABLE(0b, 0b)
6766 + : "=m" (v->counter)
6767 + : "m" (v->counter));
6771 + * atomic64_dec_unchecked - decrement atomic64 variable
6772 + * @v: pointer to type atomic64_t
6774 + * Atomically decrements @v by 1.
6776 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6778 + asm volatile(LOCK_PREFIX "decq %0\n"
6780 : "m" (v->counter));
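Review bot: The kernel-doc added for `atomic64_dec_unchecked` documents `@v` as `pointer to type atomic64_t`, but the function takes `atomic64_unchecked_t *`; the line should read `* @v: pointer to type atomic64_unchecked_t`. The same copy-paste slip is in the atomic.h hunks further down, in the comments for `atomic_sub_unchecked` and `atomic_dec_unchecked` (`pointer of type atomic_t`). The split exists to tell overflow-checked counters from unchecked ones, so a comment naming the wrong type is worth fixing.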
6782 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6786 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6787 + asm volatile(LOCK_PREFIX "decq %0\n"
6789 +#ifdef CONFIG_PAX_REFCOUNT
6791 + LOCK_PREFIX "incq %0\n"
6793 + _ASM_EXTABLE(0b, 0b)
6797 : "=m" (v->counter), "=qm" (c)
6798 : "m" (v->counter) : "memory");
6800 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6804 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6805 + asm volatile(LOCK_PREFIX "incq %0\n"
6807 +#ifdef CONFIG_PAX_REFCOUNT
6809 + LOCK_PREFIX "decq %0\n"
6811 + _ASM_EXTABLE(0b, 0b)
6815 : "=m" (v->counter), "=qm" (c)
6816 : "m" (v->counter) : "memory");
6818 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6822 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6823 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6825 +#ifdef CONFIG_PAX_REFCOUNT
6827 + LOCK_PREFIX "subq %2,%0\n"
6829 + _ASM_EXTABLE(0b, 0b)
6833 : "=m" (v->counter), "=qm" (c)
6834 : "er" (i), "m" (v->counter) : "memory");
6836 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6837 static inline long atomic64_add_return(long i, atomic64_t *v)
6840 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6841 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6843 +#ifdef CONFIG_PAX_REFCOUNT
6847 + _ASM_EXTABLE(0b, 0b)
6850 + : "+r" (i), "+m" (v->counter)
6856 + * atomic64_add_return_unchecked - add and return
6857 + * @i: integer value to add
6858 + * @v: pointer to type atomic64_unchecked_t
6860 + * Atomically adds @i to @v and returns @i + @v
6862 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6865 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6866 : "+r" (i), "+m" (v->counter)
6869 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6872 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6873 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6875 + return atomic64_add_return_unchecked(1, v);
6877 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6879 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6880 @@ -206,17 +380,30 @@ static inline long atomic64_xchg(atomic6
6882 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6886 c = atomic64_read(v);
6888 - if (unlikely(c == (u)))
6889 + if (unlikely(c == u))
6891 - old = atomic64_cmpxchg((v), c, c + (a));
6893 + asm volatile("add %2,%0\n"
6895 +#ifdef CONFIG_PAX_REFCOUNT
6899 + _ASM_EXTABLE(0b, 0b)
6903 + : "0" (c), "ir" (a));
6905 + old = atomic64_cmpxchg(v, c, new);
6906 if (likely(old == c))
6914 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
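Review bot: The new inline `add` in `atomic64_add_unless` constrains `a` with `"ir"`, while the other 64-bit operations in this file use `"er"`. `"i"` lets the compiler emit any constant as an immediate, but a 64-bit `add` only encodes a sign-extended 32-bit one. The visible caller `atomic64_inc_not_zero` passes 1, so this presumably never triggers today, but `: "0" (c), "er" (a));` would match the rest of the file and stay correct for large constants. The mnemonic is also written `add` where the 32-bit twin in atomic.h uses `addl`; `addq` would make the operand size explicit. Several lines of the asm statement are not visible in this hunk.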
6915 diff -urNp linux-2.6.37/arch/x86/include/asm/atomic.h linux-2.6.37/arch/x86/include/asm/atomic.h
6916 --- linux-2.6.37/arch/x86/include/asm/atomic.h 2011-01-04 19:50:19.000000000 -0500
6917 +++ linux-2.6.37/arch/x86/include/asm/atomic.h 2011-01-17 02:41:00.000000000 -0500
6920 static inline int atomic_read(const atomic_t *v)
6922 - return (*(volatile int *)&(v)->counter);
6923 + return (*(volatile const int *)&(v)->counter);
6927 + * atomic_read_unchecked - read atomic variable
6928 + * @v: pointer of type atomic_unchecked_t
6930 + * Atomically reads the value of @v.
6932 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6934 + return (*(volatile const int *)&(v)->counter);
6938 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6942 + * atomic_set_unchecked - set atomic variable
6943 + * @v: pointer of type atomic_unchecked_t
6944 + * @i: required value
6946 + * Atomically sets the value of @v to @i.
6948 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6954 * atomic_add - add integer to atomic variable
6955 * @i: integer value to add
6956 * @v: pointer of type atomic_t
6957 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6959 static inline void atomic_add(int i, atomic_t *v)
6961 - asm volatile(LOCK_PREFIX "addl %1,%0"
6962 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6964 +#ifdef CONFIG_PAX_REFCOUNT
6966 + LOCK_PREFIX "subl %1,%0\n"
6968 + _ASM_EXTABLE(0b, 0b)
6971 + : "+m" (v->counter)
6976 + * atomic_add_unchecked - add integer to atomic variable
6977 + * @i: integer value to add
6978 + * @v: pointer of type atomic_unchecked_t
6980 + * Atomically adds @i to @v.
6982 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6984 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6988 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6990 static inline void atomic_sub(int i, atomic_t *v)
6992 - asm volatile(LOCK_PREFIX "subl %1,%0"
6993 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6995 +#ifdef CONFIG_PAX_REFCOUNT
6997 + LOCK_PREFIX "addl %1,%0\n"
6999 + _ASM_EXTABLE(0b, 0b)
7002 + : "+m" (v->counter)
7007 + * atomic_sub_unchecked - subtract integer from atomic variable
7008 + * @i: integer value to subtract
7009 + * @v: pointer of type atomic_t
7011 + * Atomically subtracts @i from @v.
7013 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7015 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7019 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
7023 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7024 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7026 +#ifdef CONFIG_PAX_REFCOUNT
7028 + LOCK_PREFIX "addl %2,%0\n"
7030 + _ASM_EXTABLE(0b, 0b)
7034 : "+m" (v->counter), "=qm" (c)
7035 : "ir" (i) : "memory");
7037 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
7039 static inline void atomic_inc(atomic_t *v)
7041 - asm volatile(LOCK_PREFIX "incl %0"
7042 + asm volatile(LOCK_PREFIX "incl %0\n"
7044 +#ifdef CONFIG_PAX_REFCOUNT
7046 + LOCK_PREFIX "decl %0\n"
7048 + _ASM_EXTABLE(0b, 0b)
7051 + : "+m" (v->counter));
7055 + * atomic_inc_unchecked - increment atomic variable
7056 + * @v: pointer of type atomic_unchecked_t
7058 + * Atomically increments @v by 1.
7060 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7062 + asm volatile(LOCK_PREFIX "incl %0\n"
7063 : "+m" (v->counter));
7066 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
7068 static inline void atomic_dec(atomic_t *v)
7070 - asm volatile(LOCK_PREFIX "decl %0"
7071 + asm volatile(LOCK_PREFIX "decl %0\n"
7073 +#ifdef CONFIG_PAX_REFCOUNT
7075 + LOCK_PREFIX "incl %0\n"
7077 + _ASM_EXTABLE(0b, 0b)
7080 + : "+m" (v->counter));
7084 + * atomic_dec_unchecked - decrement atomic variable
7085 + * @v: pointer of type atomic_t
7087 + * Atomically decrements @v by 1.
7089 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7091 + asm volatile(LOCK_PREFIX "decl %0\n"
7092 : "+m" (v->counter));
7095 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
7099 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7100 + asm volatile(LOCK_PREFIX "decl %0\n"
7102 +#ifdef CONFIG_PAX_REFCOUNT
7104 + LOCK_PREFIX "incl %0\n"
7106 + _ASM_EXTABLE(0b, 0b)
7110 : "+m" (v->counter), "=qm" (c)
7113 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
7117 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7118 + asm volatile(LOCK_PREFIX "incl %0\n"
7120 +#ifdef CONFIG_PAX_REFCOUNT
7122 + LOCK_PREFIX "decl %0\n"
7124 + _ASM_EXTABLE(0b, 0b)
7128 : "+m" (v->counter), "=qm" (c)
7131 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
7135 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7136 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7138 +#ifdef CONFIG_PAX_REFCOUNT
7140 + LOCK_PREFIX "subl %2,%0\n"
7142 + _ASM_EXTABLE(0b, 0b)
7146 : "+m" (v->counter), "=qm" (c)
7147 : "ir" (i) : "memory");
7149 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
7151 /* Modern 486+ processor */
7153 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7155 +#ifdef CONFIG_PAX_REFCOUNT
7159 + _ASM_EXTABLE(0b, 0b)
7162 + : "+r" (i), "+m" (v->counter)
7167 +no_xadd: /* Legacy 386 processor */
7168 + local_irq_save(flags);
7169 + __i = atomic_read(v);
7170 + atomic_set(v, i + __i);
7171 + local_irq_restore(flags);
7177 + * atomic_add_return_unchecked - add integer and return
7178 + * @v: pointer of type atomic_unchecked_t
7179 + * @i: integer value to add
7181 + * Atomically adds @i to @v and returns @i + @v
7183 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7187 + unsigned long flags;
7188 + if (unlikely(boot_cpu_data.x86 <= 3))
7191 + /* Modern 486+ processor */
7193 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7194 : "+r" (i), "+m" (v->counter)
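Review bot: The `no_xadd` fallback kept in the checked `atomic_add_return` stores `i + __i` with a plain `atomic_set`, so on that path a wrapped sum appears to be written back without the overflow detection the `xaddl` path gains under `CONFIG_PAX_REFCOUNT`. If 386-class CPUs are out of scope for the refcount protection, say so at the label, e.g. `/* Legacy 386 processor: no overflow detection on this path */`; otherwise the sum needs checking before the store. Parts of the asm block and the branch to `no_xadd` are not visible in this hunk, so this reading should be confirmed against the full function.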
7196 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
7199 #define atomic_inc_return(v) (atomic_add_return(1, v))
7200 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7202 + return atomic_add_return_unchecked(1, v);
7204 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7206 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
7207 @@ -231,17 +418,30 @@ static inline int atomic_xchg(atomic_t *
7209 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7215 - if (unlikely(c == (u)))
7216 + if (unlikely(c == u))
7218 - old = atomic_cmpxchg((v), c, c + (a));
7220 + asm volatile("addl %2,%0\n"
7222 +#ifdef CONFIG_PAX_REFCOUNT
7226 + _ASM_EXTABLE(0b, 0b)
7230 + : "0" (c), "ir" (a));
7232 + old = atomic_cmpxchg(v, c, new);
7233 if (likely(old == c))
7241 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7242 diff -urNp linux-2.6.37/arch/x86/include/asm/bitops.h linux-2.6.37/arch/x86/include/asm/bitops.h
7243 --- linux-2.6.37/arch/x86/include/asm/bitops.h 2011-01-04 19:50:19.000000000 -0500
7244 +++ linux-2.6.37/arch/x86/include/asm/bitops.h 2011-01-17 02:41:00.000000000 -0500
7246 * a mask operation on a byte.
7248 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
7249 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
7250 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
7251 #define CONST_MASK(nr) (1 << ((nr) & 7))
7254 diff -urNp linux-2.6.37/arch/x86/include/asm/boot.h linux-2.6.37/arch/x86/include/asm/boot.h
7255 --- linux-2.6.37/arch/x86/include/asm/boot.h 2011-01-04 19:50:19.000000000 -0500
7256 +++ linux-2.6.37/arch/x86/include/asm/boot.h 2011-01-17 02:41:00.000000000 -0500
7258 #include <asm/pgtable_types.h>
7260 /* Physical address where kernel should be loaded. */
7261 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7262 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7263 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7264 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7266 +#ifndef __ASSEMBLY__
7267 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
7268 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7271 /* Minimum kernel alignment, as a power of two */
7272 #ifdef CONFIG_X86_64
7273 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
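Review bot: `LOAD_PHYSICAL_ADDR` stops being a compile-time constant for C code here: it now expands to the address of the extern array `__LOAD_PHYSICAL_ADDR`, so it can no longer appear in `#if` expressions or constant initializers. Nothing in the hunk says where that symbol is defined. A comment above the extern would help, e.g. `/* provided at link time; expected to equal ____LOAD_PHYSICAL_ADDR */`, with the wording checked against the definition site, which is not visible here. The two names also differ only in the number of leading underscores, which is easy to misread; a distinguishing suffix on the arithmetic form would be clearer.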
7274 diff -urNp linux-2.6.37/arch/x86/include/asm/cacheflush.h linux-2.6.37/arch/x86/include/asm/cacheflush.h
7275 --- linux-2.6.37/arch/x86/include/asm/cacheflush.h 2011-01-04 19:50:19.000000000 -0500
7276 +++ linux-2.6.37/arch/x86/include/asm/cacheflush.h 2011-01-17 02:41:00.000000000 -0500
7277 @@ -66,7 +66,7 @@ static inline unsigned long get_page_mem
7278 unsigned long pg_flags = pg->flags & _PGMT_MASK;
7280 if (pg_flags == _PGMT_DEFAULT)
7283 else if (pg_flags == _PGMT_WC)
7284 return _PAGE_CACHE_WC;
7285 else if (pg_flags == _PGMT_UC_MINUS)
7286 diff -urNp linux-2.6.37/arch/x86/include/asm/cache.h linux-2.6.37/arch/x86/include/asm/cache.h
7287 --- linux-2.6.37/arch/x86/include/asm/cache.h 2011-01-04 19:50:19.000000000 -0500
7288 +++ linux-2.6.37/arch/x86/include/asm/cache.h 2011-01-17 02:41:00.000000000 -0500
7290 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7292 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7293 +#define __read_only __attribute__((__section__(".data..read_only")))
7295 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7296 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7297 diff -urNp linux-2.6.37/arch/x86/include/asm/checksum_32.h linux-2.6.37/arch/x86/include/asm/checksum_32.h
7298 --- linux-2.6.37/arch/x86/include/asm/checksum_32.h 2011-01-04 19:50:19.000000000 -0500
7299 +++ linux-2.6.37/arch/x86/include/asm/checksum_32.h 2011-01-17 02:41:00.000000000 -0500
7300 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7301 int len, __wsum sum,
7302 int *src_err_ptr, int *dst_err_ptr);
7304 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7305 + int len, __wsum sum,
7306 + int *src_err_ptr, int *dst_err_ptr);
7308 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7309 + int len, __wsum sum,
7310 + int *src_err_ptr, int *dst_err_ptr);
7313 * Note: when you get a NULL pointer exception here this means someone
7314 * passed in an incorrect kernel address to one of these functions.
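Review bot: The new prototypes `csum_partial_copy_generic_to_user` and `csum_partial_copy_generic_from_user` take plain `void *` on the side that is a user pointer, so the callers in the two later hunks of this file still need `(__force void *)` casts and sparse cannot check the direction. Each variant now has a fixed direction, so the user side could be annotated in the declaration: `const void __user *src` for the from_user variant and `void __user *dst` for the to_user variant. The casts at the two call sites could then be dropped.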
7315 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7319 - return csum_partial_copy_generic((__force void *)src, dst,
7320 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
7321 len, sum, err_ptr, NULL);
7324 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7327 if (access_ok(VERIFY_WRITE, dst, len))
7328 - return csum_partial_copy_generic(src, (__force void *)dst,
7329 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7330 len, sum, NULL, err_ptr);
7333 diff -urNp linux-2.6.37/arch/x86/include/asm/cpufeature.h linux-2.6.37/arch/x86/include/asm/cpufeature.h
7334 --- linux-2.6.37/arch/x86/include/asm/cpufeature.h 2011-01-04 19:50:19.000000000 -0500
7335 +++ linux-2.6.37/arch/x86/include/asm/cpufeature.h 2011-01-17 02:41:00.000000000 -0500
7336 @@ -349,7 +349,7 @@ static __always_inline __pure bool __sta
7337 ".section .discard,\"aw\",@progbits\n"
7338 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7340 - ".section .altinstr_replacement,\"ax\"\n"
7341 + ".section .altinstr_replacement,\"a\"\n"
7345 diff -urNp linux-2.6.37/arch/x86/include/asm/desc.h linux-2.6.37/arch/x86/include/asm/desc.h
7346 --- linux-2.6.37/arch/x86/include/asm/desc.h 2011-01-04 19:50:19.000000000 -0500
7347 +++ linux-2.6.37/arch/x86/include/asm/desc.h 2011-01-17 02:41:00.000000000 -0500
7349 #include <asm/desc_defs.h>
7350 #include <asm/ldt.h>
7351 #include <asm/mmu.h>
7352 +#include <asm/pgtable.h>
7353 #include <linux/smp.h>
7355 static inline void fill_ldt(struct desc_struct *desc,
7356 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
7357 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
7358 desc->type = (info->read_exec_only ^ 1) << 1;
7359 desc->type |= info->contents << 2;
7360 + desc->type |= info->seg_not_present ^ 1;
7363 desc->p = info->seg_not_present ^ 1;
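Review bot: The added `desc->type |= info->seg_not_present ^ 1;` has no comment, and it is not obvious why the present flag is folded into `type` when `desc->p` is set from the same expression a few lines later. Bit 0 of a code/data descriptor's type field is the Accessed bit, so this looks like pre-setting Accessed for present segments. The likely reason is that the CPU then never has to write the bit back into a descriptor table that is mapped read-only, but that is an inference. A one-line comment would do: `/* pre-set Accessed for present segments */`. fill_ldt's body starts before and ends after this hunk.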
7364 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
7367 extern struct desc_ptr idt_descr;
7368 -extern gate_desc idt_table[];
7371 - struct desc_struct gdt[GDT_ENTRIES];
7372 -} __attribute__((aligned(PAGE_SIZE)));
7373 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7374 +extern gate_desc idt_table[256];
7376 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7377 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7379 - return per_cpu(gdt_page, cpu).gdt;
7380 + return cpu_gdt_table[cpu];
7383 #ifdef CONFIG_X86_64
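Review bot: Declaring `cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]` reserves `NR_CPUS` pages statically regardless of how many CPUs the machine has, where the `gdt_page` it replaces lived in the per-CPU area; with a large `NR_CPUS` that is a noticeable amount of memory. `get_cpu_gdt_table()` now indexes the array directly with `cpu`, so the caller contract (a valid CPU id below `NR_CPUS`) should be stated in a comment. The literal in `idt_table[256]` could be `IDT_ENTRIES` if that constant is in scope in this header.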
7384 @@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
7385 static inline void native_write_idt_entry(gate_desc *idt, int entry,
7386 const gate_desc *gate)
7388 + pax_open_kernel();
7389 memcpy(&idt[entry], gate, sizeof(*gate));
7390 + pax_close_kernel();
7393 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
7396 + pax_open_kernel();
7397 memcpy(&ldt[entry], desc, 8);
7398 + pax_close_kernel();
7401 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
7402 const void *desc, int type)
7408 size = sizeof(tss_desc);
7409 @@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
7410 size = sizeof(struct desc_struct);
7414 + pax_open_kernel();
7415 memcpy(&gdt[entry], desc, size);
7416 + pax_close_kernel();
7419 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7420 @@ -211,7 +217,9 @@ static inline void native_set_ldt(const
7422 static inline void native_load_tr_desc(void)
7424 + pax_open_kernel();
7425 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7426 + pax_close_kernel();
7429 static inline void native_load_gdt(const struct desc_ptr *dtr)
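Review bot: The reason `ltr` is bracketed with `pax_open_kernel()`/`pax_close_kernel()` deserves a comment, because unlike the `memcpy`-based helpers in the neighbouring hunks there is no visible store here. `ltr` marks the referenced TSS descriptor busy, which is a CPU write into the GDT, so the instruction would fault if the table is write-protected at that moment. Suggested comment: `/* ltr sets the busy bit in the GDT's TSS descriptor */`.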
7430 @@ -246,8 +254,10 @@ static inline void native_load_tls(struc
7432 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7434 + pax_open_kernel();
7435 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7436 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7437 + pax_close_kernel();
7440 #define _LDT_empty(info) \
7441 @@ -309,7 +319,7 @@ static inline void set_desc_limit(struct
7442 desc->limit = (limit >> 16) & 0xf;
7445 -static inline void _set_gate(int gate, unsigned type, void *addr,
7446 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7447 unsigned dpl, unsigned ist, unsigned seg)
7450 @@ -327,7 +337,7 @@ static inline void _set_gate(int gate, u
7451 * Pentium F0 0F bugfix can have resulted in the mapped
7452 * IDT being write-protected.
7454 -static inline void set_intr_gate(unsigned int n, void *addr)
7455 +static inline void set_intr_gate(unsigned int n, const void *addr)
7457 BUG_ON((unsigned)n > 0xFF);
7458 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7459 @@ -356,19 +366,19 @@ static inline void alloc_intr_gate(unsig
7461 * This routine sets up an interrupt gate at directory privilege level 3.
7463 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7464 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7466 BUG_ON((unsigned)n > 0xFF);
7467 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7470 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7471 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7473 BUG_ON((unsigned)n > 0xFF);
7474 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7477 -static inline void set_trap_gate(unsigned int n, void *addr)
7478 +static inline void set_trap_gate(unsigned int n, const void *addr)
7480 BUG_ON((unsigned)n > 0xFF);
7481 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7482 @@ -377,19 +387,31 @@ static inline void set_trap_gate(unsigne
7483 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7485 BUG_ON((unsigned)n > 0xFF);
7486 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7487 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7490 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7491 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7493 BUG_ON((unsigned)n > 0xFF);
7494 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7497 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7498 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7500 BUG_ON((unsigned)n > 0xFF);
7501 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7504 +#ifdef CONFIG_X86_32
7505 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7507 + struct desc_struct d;
7509 + if (likely(limit))
7510 + limit = (limit - 1UL) >> PAGE_SHIFT;
7511 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7512 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7516 #endif /* _ASM_X86_DESC_H */
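Review bot: `set_user_cs` passes the bare constants `0xFB` and `0xC` to `pack_descriptor` and has no comment on the units of `limit`. From the descriptor format, `0xFB` reads as a present, DPL 3, readable, accessed code segment and `0xC` as 4 KiB granularity plus 32-bit default size. `pack_descriptor` itself is outside this hunk, so that decoding should be confirmed and then written down next to the call. It is also worth stating what `limit == 0` means: the value is passed through unchanged, which with page granularity would describe a one-page segment rather than an empty one.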
7517 diff -urNp linux-2.6.37/arch/x86/include/asm/device.h linux-2.6.37/arch/x86/include/asm/device.h
7518 --- linux-2.6.37/arch/x86/include/asm/device.h 2011-01-04 19:50:19.000000000 -0500
7519 +++ linux-2.6.37/arch/x86/include/asm/device.h 2011-01-17 02:41:00.000000000 -0500
7520 @@ -6,7 +6,7 @@ struct dev_archdata {
7523 #ifdef CONFIG_X86_64
7524 -struct dma_map_ops *dma_ops;
7525 + const struct dma_map_ops *dma_ops;
7527 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7528 void *iommu; /* hook for IOMMU specific extension */
7529 diff -urNp linux-2.6.37/arch/x86/include/asm/dma-mapping.h linux-2.6.37/arch/x86/include/asm/dma-mapping.h
7530 --- linux-2.6.37/arch/x86/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
7531 +++ linux-2.6.37/arch/x86/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
7532 @@ -26,9 +26,9 @@ extern int iommu_merge;
7533 extern struct device x86_dma_fallback_dev;
7534 extern int panic_on_overflow;
7536 -extern struct dma_map_ops *dma_ops;
7537 +extern const struct dma_map_ops *dma_ops;
7539 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7540 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7542 #ifdef CONFIG_X86_32
7544 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7545 /* Make sure we keep the same behaviour */
7546 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7548 - struct dma_map_ops *ops = get_dma_ops(dev);
7549 + const struct dma_map_ops *ops = get_dma_ops(dev);
7550 if (ops->mapping_error)
7551 return ops->mapping_error(dev, dma_addr);
7553 @@ -115,7 +115,7 @@ static inline void *
7554 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7557 - struct dma_map_ops *ops = get_dma_ops(dev);
7558 + const struct dma_map_ops *ops = get_dma_ops(dev);
7561 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7562 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
7563 static inline void dma_free_coherent(struct device *dev, size_t size,
7564 void *vaddr, dma_addr_t bus)
7566 - struct dma_map_ops *ops = get_dma_ops(dev);
7567 + const struct dma_map_ops *ops = get_dma_ops(dev);
7569 WARN_ON(irqs_disabled()); /* for portability */
7571 diff -urNp linux-2.6.37/arch/x86/include/asm/e820.h linux-2.6.37/arch/x86/include/asm/e820.h
7572 --- linux-2.6.37/arch/x86/include/asm/e820.h 2011-01-04 19:50:19.000000000 -0500
7573 +++ linux-2.6.37/arch/x86/include/asm/e820.h 2011-01-17 02:41:00.000000000 -0500
7574 @@ -69,7 +69,7 @@ struct e820map {
7575 #define ISA_START_ADDRESS 0xa0000
7576 #define ISA_END_ADDRESS 0x100000
7578 -#define BIOS_BEGIN 0x000a0000
7579 +#define BIOS_BEGIN 0x000c0000
7580 #define BIOS_END 0x00100000
7582 #define BIOS_ROM_BASE 0xffe00000
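Review bot: Moving `BIOS_BEGIN` from `0x000a0000` to `0x000c0000` silently changes what every user of the macro treats as BIOS space, and there is no comment saying why. `ISA_START_ADDRESS` just above stays at `0xa0000`, so the two definitions no longer agree on where the legacy region starts, and `0xa0000`-`0xbffff` now falls outside `BIOS_BEGIN`..`BIOS_END`. A comment naming the intent would help the next reader, e.g. `/* excludes 0xa0000-0xbffff: <reason> */` with the reason filled in by the author.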
7583 diff -urNp linux-2.6.37/arch/x86/include/asm/elf.h linux-2.6.37/arch/x86/include/asm/elf.h
7584 --- linux-2.6.37/arch/x86/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
7585 +++ linux-2.6.37/arch/x86/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
7586 @@ -237,7 +237,25 @@ extern int force_personality32;
7587 the loader. We need to make sure that it is out of the way of the program
7588 that it will "exec", and that there is sufficient room for the brk. */
7590 +#ifdef CONFIG_PAX_SEGMEXEC
7591 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7593 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7596 +#ifdef CONFIG_PAX_ASLR
7597 +#ifdef CONFIG_X86_32
7598 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7600 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7601 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7603 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7605 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7606 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7610 /* This yields a mask that user programs can use to figure out what
7611 instruction set this CPU supports. This could be done in user space,
7612 @@ -291,8 +309,7 @@ do { \
7613 #define ARCH_DLINFO \
7616 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7617 - (unsigned long)current->mm->context.vdso); \
7618 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7621 #define AT_SYSINFO 32
7622 @@ -303,7 +320,7 @@ do { \
7624 #endif /* !CONFIG_X86_32 */
7626 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7627 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7629 #define VDSO_ENTRY \
7630 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7631 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7632 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7633 #define compat_arch_setup_additional_pages syscall32_setup_pages
7635 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7636 -#define arch_randomize_brk arch_randomize_brk
7638 #endif /* _ASM_X86_ELF_H */
7639 diff -urNp linux-2.6.37/arch/x86/include/asm/futex.h linux-2.6.37/arch/x86/include/asm/futex.h
7640 --- linux-2.6.37/arch/x86/include/asm/futex.h 2011-01-04 19:50:19.000000000 -0500
7641 +++ linux-2.6.37/arch/x86/include/asm/futex.h 2011-01-25 20:24:56.000000000 -0500
7643 #include <asm/system.h>
7645 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7646 + typecheck(u32 *, uaddr); \
7647 asm volatile("1:\t" insn "\n" \
7648 "2:\t.section .fixup,\"ax\"\n" \
7649 "3:\tmov\t%3, %1\n" \
7652 _ASM_EXTABLE(1b, 3b) \
7653 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7654 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
7655 : "i" (-EFAULT), "0" (oparg), "1" (0))
7657 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7658 + typecheck(u32 *, uaddr); \
7659 asm volatile("1:\tmovl %2, %0\n" \
7660 "\tmovl\t%0, %3\n" \
7663 _ASM_EXTABLE(1b, 4b) \
7664 _ASM_EXTABLE(2b, 4b) \
7665 : "=&a" (oldval), "=&r" (ret), \
7666 - "+m" (*uaddr), "=&r" (tem) \
7667 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
7668 : "r" (oparg), "i" (-EFAULT), "1" (0))
7670 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7671 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7673 int op = (encoded_op >> 28) & 7;
7674 int cmp = (encoded_op >> 24) & 15;
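Review bot: Adding `typecheck(u32 *, uaddr);` in front of the `asm volatile` turns `__futex_atomic_op1` and `__futex_atomic_op2` into two-statement macros with no enclosing block. Used as the body of an unbraced `if` or `else`, only the `typecheck` would be conditional. The call sites visible in the next hunk appear to be standalone statements, where this is harmless, but wrapping the expansion as `do { typecheck(u32 *, uaddr); asm volatile(...); } while (0)` removes the trap. The type named in the check and the `(u32 *)` cast in the `"+m"` operand both omit `__user`; if that is intentional, a short comment saying so would settle it.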
7675 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
7679 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7680 + __futex_atomic_op1("xchgl %0, "__copyuser_seg"%2", ret, oldval, uaddr, oparg);
7683 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7684 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, "__copyuser_seg"%2", ret, oldval,
7688 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
7692 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7693 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7697 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
7701 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7702 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7705 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7706 + asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, "__copyuser_seg"%1\n"
7707 "2:\t.section .fixup, \"ax\"\n"
7711 _ASM_EXTABLE(1b, 3b)
7712 - : "=a" (oldval), "+m" (*uaddr)
7713 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
7714 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7717 diff -urNp linux-2.6.37/arch/x86/include/asm/i387.h linux-2.6.37/arch/x86/include/asm/i387.h
7718 --- linux-2.6.37/arch/x86/include/asm/i387.h 2011-01-04 19:50:19.000000000 -0500
7719 +++ linux-2.6.37/arch/x86/include/asm/i387.h 2011-01-17 02:41:00.000000000 -0500
7720 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
7724 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7725 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7726 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7729 /* See comment in fxsave() below. */
7730 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
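Review bot: The added rebase in fxrstor_checking() has no comment saying why a pointer below `PAX_USER_SHADOW_BASE` is moved up by that amount, and the same block is repeated in fxsave_user() in the next hunk. The two copies also differ: this one casts through `(void *)` and drops the address-space annotation, while the fxsave_user() copy keeps `__user`. If `fx` can be a user pointer here, the cast should match; the parameter declaration is outside the hunk. A one-line comment above the `#if` would help, for example `/* UDEREF: access userland through its shadow mapping */`, with the wording to be confirmed by the author.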
7732 @@ -109,6 +114,11 @@ static inline int fxsave_user(struct i38
7736 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7737 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7738 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7742 * Clear the bytes not touched by the fxsave and reserved
7744 @@ -189,13 +199,8 @@ static inline void fpu_fxsave(struct fpu
7745 #endif /* CONFIG_X86_64 */
7747 /* We need a safe address that is cheap to find and that is already
7748 - in L1 during context switch. The best choices are unfortunately
7749 - different for UP and SMP */
7751 -#define safe_address (__per_cpu_offset[0])
7753 -#define safe_address (kstat_cpu(0).cpustat.user)
7755 + in L1 during context switch. */
7756 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7759 * These must be called with preempt disabled
7760 diff -urNp linux-2.6.37/arch/x86/include/asm/io.h linux-2.6.37/arch/x86/include/asm/io.h
7761 --- linux-2.6.37/arch/x86/include/asm/io.h 2011-01-04 19:50:19.000000000 -0500
7762 +++ linux-2.6.37/arch/x86/include/asm/io.h 2011-01-27 22:37:21.000000000 -0500
7763 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
7765 #include <linux/vmalloc.h>
7767 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7768 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7770 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7773 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7775 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7779 * Convert a virtual cached pointer to an uncached pointer
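Review bot: The sum `addr + count + PAGE_SIZE - 1` in valid_phys_addr_range() is computed in `unsigned long` and can wrap before the shift, so a range that runs past the top of the address space compares as a small page number and is accepted. `pfn + (count >> PAGE_SHIFT)` in valid_mmap_phys_addr_range() has the same weakness. Rejecting the wrap first keeps the bound meaningful, e.g. `if (addr + count < addr || addr + count + PAGE_SIZE - 1 < addr) return 0;` ahead of the comparison, with the equivalent test on `pfn`. The trailing `? 1 : 0` is redundant because the comparison already yields 0 or 1. How callers constrain `addr` and `count` is not visible here, so treat this as a defensive check rather than a confirmed bug.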
7781 diff -urNp linux-2.6.37/arch/x86/include/asm/iommu.h linux-2.6.37/arch/x86/include/asm/iommu.h
7782 --- linux-2.6.37/arch/x86/include/asm/iommu.h 2011-01-04 19:50:19.000000000 -0500
7783 +++ linux-2.6.37/arch/x86/include/asm/iommu.h 2011-01-17 02:41:00.000000000 -0500
7785 #ifndef _ASM_X86_IOMMU_H
7786 #define _ASM_X86_IOMMU_H
7788 -extern struct dma_map_ops nommu_dma_ops;
7789 +extern const struct dma_map_ops nommu_dma_ops;
7790 extern int force_iommu, no_iommu;
7791 extern int iommu_detected;
7792 extern int iommu_pass_through;
7793 diff -urNp linux-2.6.37/arch/x86/include/asm/irqflags.h linux-2.6.37/arch/x86/include/asm/irqflags.h
7794 --- linux-2.6.37/arch/x86/include/asm/irqflags.h 2011-01-04 19:50:19.000000000 -0500
7795 +++ linux-2.6.37/arch/x86/include/asm/irqflags.h 2011-01-17 02:41:00.000000000 -0500
7796 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
7800 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7801 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7802 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7803 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7806 #define INTERRUPT_RETURN iret
7807 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7808 diff -urNp linux-2.6.37/arch/x86/include/asm/kvm_host.h linux-2.6.37/arch/x86/include/asm/kvm_host.h
7809 --- linux-2.6.37/arch/x86/include/asm/kvm_host.h 2011-01-04 19:50:19.000000000 -0500
7810 +++ linux-2.6.37/arch/x86/include/asm/kvm_host.h 2011-01-17 02:41:00.000000000 -0500
7811 @@ -585,7 +585,7 @@ struct kvm_x86_ops {
7812 const struct trace_print_flags *exit_reasons_str;
7815 -extern struct kvm_x86_ops *kvm_x86_ops;
7816 +extern const struct kvm_x86_ops *kvm_x86_ops;
7818 int kvm_mmu_module_init(void);
7819 void kvm_mmu_module_exit(void);
7820 diff -urNp linux-2.6.37/arch/x86/include/asm/local.h linux-2.6.37/arch/x86/include/asm/local.h
7821 --- linux-2.6.37/arch/x86/include/asm/local.h 2011-01-04 19:50:19.000000000 -0500
7822 +++ linux-2.6.37/arch/x86/include/asm/local.h 2011-01-17 02:41:00.000000000 -0500
7823 @@ -18,26 +18,58 @@ typedef struct {
7825 static inline void local_inc(local_t *l)
7827 - asm volatile(_ASM_INC "%0"
7828 + asm volatile(_ASM_INC "%0\n"
7830 +#ifdef CONFIG_PAX_REFCOUNT
7834 + _ASM_EXTABLE(0b, 0b)
7837 : "+m" (l->a.counter));
7840 static inline void local_dec(local_t *l)
7842 - asm volatile(_ASM_DEC "%0"
7843 + asm volatile(_ASM_DEC "%0\n"
7845 +#ifdef CONFIG_PAX_REFCOUNT
7849 + _ASM_EXTABLE(0b, 0b)
7852 : "+m" (l->a.counter));
7855 static inline void local_add(long i, local_t *l)
7857 - asm volatile(_ASM_ADD "%1,%0"
7858 + asm volatile(_ASM_ADD "%1,%0\n"
7860 +#ifdef CONFIG_PAX_REFCOUNT
7862 + _ASM_SUB "%1,%0\n"
7864 + _ASM_EXTABLE(0b, 0b)
7867 : "+m" (l->a.counter)
7871 static inline void local_sub(long i, local_t *l)
7873 - asm volatile(_ASM_SUB "%1,%0"
7874 + asm volatile(_ASM_SUB "%1,%0\n"
7876 +#ifdef CONFIG_PAX_REFCOUNT
7878 + _ASM_ADD "%1,%0\n"
7880 + _ASM_EXTABLE(0b, 0b)
7883 : "+m" (l->a.counter)
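Review bot: The `_ASM_EXTABLE(0b, 0b)` entries added under `CONFIG_PAX_REFCOUNT` name the same label as both the faulting and the fixup address, which reads like a typo unless the overflow-handling convention is explained, and nothing in the hunk explains it. One comment ahead of local_inc() would cover all four functions here, along the lines of `/* PAX_REFCOUNT: on signed overflow the operation is undone (see the inverse _ASM_SUB/_ASM_ADD) and the extable entry lets the handler resume at 0: */`. That wording is hedged, since the instructions between the operation and the extable entry are not shown in this view. The same pattern recurs in the local_sub_and_test, local_dec_and_test, local_inc_and_test, local_add_negative and local_add_return hunks below.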
7886 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
7890 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7891 + asm volatile(_ASM_SUB "%2,%0\n"
7893 +#ifdef CONFIG_PAX_REFCOUNT
7895 + _ASM_ADD "%2,%0\n"
7897 + _ASM_EXTABLE(0b, 0b)
7901 : "+m" (l->a.counter), "=qm" (c)
7902 : "ir" (i) : "memory");
7904 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
7908 - asm volatile(_ASM_DEC "%0; sete %1"
7909 + asm volatile(_ASM_DEC "%0\n"
7911 +#ifdef CONFIG_PAX_REFCOUNT
7915 + _ASM_EXTABLE(0b, 0b)
7919 : "+m" (l->a.counter), "=qm" (c)
7922 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
7926 - asm volatile(_ASM_INC "%0; sete %1"
7927 + asm volatile(_ASM_INC "%0\n"
7929 +#ifdef CONFIG_PAX_REFCOUNT
7933 + _ASM_EXTABLE(0b, 0b)
7937 : "+m" (l->a.counter), "=qm" (c)
7940 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
7944 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7945 + asm volatile(_ASM_ADD "%2,%0\n"
7947 +#ifdef CONFIG_PAX_REFCOUNT
7949 + _ASM_SUB "%2,%0\n"
7951 + _ASM_EXTABLE(0b, 0b)
7955 : "+m" (l->a.counter), "=qm" (c)
7956 : "ir" (i) : "memory");
7958 @@ -133,7 +201,15 @@ static inline long local_add_return(long
7960 /* Modern 486+ processor */
7962 - asm volatile(_ASM_XADD "%0, %1;"
7963 + asm volatile(_ASM_XADD "%0, %1\n"
7965 +#ifdef CONFIG_PAX_REFCOUNT
7967 + _ASM_MOV "%0,%1\n"
7969 + _ASM_EXTABLE(0b, 0b)
7972 : "+r" (i), "+m" (l->a.counter)
7975 diff -urNp linux-2.6.37/arch/x86/include/asm/mc146818rtc.h linux-2.6.37/arch/x86/include/asm/mc146818rtc.h
7976 --- linux-2.6.37/arch/x86/include/asm/mc146818rtc.h 2011-01-04 19:50:19.000000000 -0500
7977 +++ linux-2.6.37/arch/x86/include/asm/mc146818rtc.h 2011-01-17 02:41:00.000000000 -0500
7978 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
7980 #define lock_cmos_prefix(reg) do {} while (0)
7981 #define lock_cmos_suffix(reg) do {} while (0)
7982 -#define lock_cmos(reg)
7983 -#define unlock_cmos()
7984 +#define lock_cmos(reg) do {} while (0)
7985 +#define unlock_cmos() do {} while (0)
7986 #define do_i_have_lock_cmos() 0
7987 #define current_lock_cmos_reg() 0
7989 diff -urNp linux-2.6.37/arch/x86/include/asm/microcode.h linux-2.6.37/arch/x86/include/asm/microcode.h
7990 --- linux-2.6.37/arch/x86/include/asm/microcode.h 2011-01-04 19:50:19.000000000 -0500
7991 +++ linux-2.6.37/arch/x86/include/asm/microcode.h 2011-01-17 02:41:00.000000000 -0500
7992 @@ -12,13 +12,13 @@ struct device;
7993 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7995 struct microcode_ops {
7996 - enum ucode_state (*request_microcode_user) (int cpu,
7997 + enum ucode_state (* const request_microcode_user) (int cpu,
7998 const void __user *buf, size_t size);
8000 - enum ucode_state (*request_microcode_fw) (int cpu,
8001 + enum ucode_state (* const request_microcode_fw) (int cpu,
8002 struct device *device);
8004 - void (*microcode_fini_cpu) (int cpu);
8005 + void (* const microcode_fini_cpu) (int cpu);
8008 * The generic 'microcode_core' part guarantees that
8009 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
8010 extern struct ucode_cpu_info ucode_cpu_info[];
8012 #ifdef CONFIG_MICROCODE_INTEL
8013 -extern struct microcode_ops * __init init_intel_microcode(void);
8014 +extern const struct microcode_ops * __init init_intel_microcode(void);
8016 -static inline struct microcode_ops * __init init_intel_microcode(void)
8017 +static inline const struct microcode_ops * __init init_intel_microcode(void)
8021 #endif /* CONFIG_MICROCODE_INTEL */
8023 #ifdef CONFIG_MICROCODE_AMD
8024 -extern struct microcode_ops * __init init_amd_microcode(void);
8025 +extern const struct microcode_ops * __init init_amd_microcode(void);
8027 -static inline struct microcode_ops * __init init_amd_microcode(void)
8028 +static inline const struct microcode_ops * __init init_amd_microcode(void)
8032 diff -urNp linux-2.6.37/arch/x86/include/asm/mman.h linux-2.6.37/arch/x86/include/asm/mman.h
8033 --- linux-2.6.37/arch/x86/include/asm/mman.h 2011-01-04 19:50:19.000000000 -0500
8034 +++ linux-2.6.37/arch/x86/include/asm/mman.h 2011-01-17 02:41:00.000000000 -0500
8037 #include <asm-generic/mman.h>
8040 +#ifndef __ASSEMBLY__
8041 +#ifdef CONFIG_X86_32
8042 +#define arch_mmap_check i386_mmap_check
8043 +int i386_mmap_check(unsigned long addr, unsigned long len,
8044 + unsigned long flags);
8049 #endif /* _ASM_X86_MMAN_H */
8050 diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86/include/asm/mmu_context.h
8051 --- linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-04 19:50:19.000000000 -0500
8052 +++ linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-17 02:41:00.000000000 -0500
8053 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
8055 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
8058 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8062 + pax_open_kernel();
8063 + pgd = get_cpu_pgd(smp_processor_id());
8064 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
8065 + if (paravirt_enabled())
8066 + set_pgd(pgd+i, native_make_pgd(0));
8068 + pgd[i] = native_make_pgd(0);
8069 + pax_close_kernel();
8073 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
8074 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
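Review bot: The loop added to enter_lazy_tlb() nests an `if`/`else` directly inside an unbraced `for`, and it re-evaluates `paravirt_enabled()` on every iteration although the result cannot change inside the loop. Braces on the loop body, `for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i) {` … `}`, make the extent of the write-enabled section between `pax_open_kernel()` and `pax_close_kernel()` unambiguous. A short comment such as `/* drop the shadowed userland entries from this CPU's PGD */` would say why the upper `USER_PGD_PTRS` slots are zeroed. The declarations of `pgd` and `i` and the `else` line are not visible in this view.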
8075 @@ -34,27 +49,70 @@ static inline void switch_mm(struct mm_s
8076 struct task_struct *tsk)
8078 unsigned cpu = smp_processor_id();
8079 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
8080 + int tlbstate = TLBSTATE_OK;
8083 if (likely(prev != next)) {
8084 /* stop flush ipis for the previous mm */
8085 cpumask_clear_cpu(cpu, mm_cpumask(prev));
8087 +#ifdef CONFIG_X86_32
8088 + tlbstate = percpu_read(cpu_tlbstate.state);
8090 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8091 percpu_write(cpu_tlbstate.active_mm, next);
8093 cpumask_set_cpu(cpu, mm_cpumask(next));
8095 /* Re-load page tables */
8096 +#ifdef CONFIG_PAX_PER_CPU_PGD
8097 + pax_open_kernel();
8098 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8099 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8100 + pax_close_kernel();
8101 + load_cr3(get_cpu_pgd(cpu));
8103 load_cr3(next->pgd);
8107 * load the LDT, if the LDT is different:
8109 if (unlikely(prev->context.ldt != next->context.ldt))
8110 load_LDT_nolock(&next->context);
8113 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8114 + if (!(__supported_pte_mask & _PAGE_NX)) {
8115 + smp_mb__before_clear_bit();
8116 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
8117 + smp_mb__after_clear_bit();
8118 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8122 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8123 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
8124 + prev->context.user_cs_limit != next->context.user_cs_limit))
8125 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8127 + else if (unlikely(tlbstate != TLBSTATE_OK))
8128 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8135 +#ifdef CONFIG_PAX_PER_CPU_PGD
8136 + pax_open_kernel();
8137 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8138 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8139 + pax_close_kernel();
8140 + load_cr3(get_cpu_pgd(cpu));
8144 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8145 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
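Review bot: The five-line per-CPU PGD reload (`pax_open_kernel()` through `load_cr3(get_cpu_pgd(cpu))`) is pasted twice in switch_mm(), once on the `prev != next` path and once on the lazy-TLB path, and the `set_user_cs(...)` call is likewise repeated under two conditions. Two copies of a sequence that must keep `pax_open_kernel()` and `pax_close_kernel()` paired can drift apart, so a small helper that holds the pairing in one place is safer. switch_mm()'s signature starts before this hunk and its body continues into the next one. The helper name below is only a suggestion.

```c
/* suggested helper, placed above switch_mm() */
#ifdef CONFIG_PAX_PER_CPU_PGD
static inline void pax_switch_cpu_pgd(unsigned int cpu, struct mm_struct *next)
{
	pgd_t *pgd = get_cpu_pgd(cpu);

	/* the per-CPU PGD is only writable between open and close */
	pax_open_kernel();
	__clone_user_pgds(pgd, next->pgd, USER_PGD_PTRS);
	__shadow_user_pgds(pgd + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
	pax_close_kernel();
	load_cr3(pgd);
}
#endif

/* … unchanged: switch_mm() prologue, cpumask and tlbstate updates … */
#ifdef CONFIG_PAX_PER_CPU_PGD
		pax_switch_cpu_pgd(cpu, next);
#else
		load_cr3(next->pgd);
#endif
/* … unchanged: LDT reload and user_cs handling; same call in the lazy-TLB branch … */
```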
8147 @@ -63,11 +121,28 @@ static inline void switch_mm(struct mm_s
8148 * tlb flush IPI delivery. We must reload CR3
8149 * to make sure to use no freed page tables.
8152 +#ifndef CONFIG_PAX_PER_CPU_PGD
8153 load_cr3(next->pgd);
8156 load_LDT_nolock(&next->context);
8158 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8159 + if (!(__supported_pte_mask & _PAGE_NX))
8160 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8163 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8164 +#ifdef CONFIG_PAX_PAGEEXEC
8165 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
8167 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8176 #define activate_mm(prev, next) \
8177 diff -urNp linux-2.6.37/arch/x86/include/asm/mmu.h linux-2.6.37/arch/x86/include/asm/mmu.h
8178 --- linux-2.6.37/arch/x86/include/asm/mmu.h 2011-01-04 19:50:19.000000000 -0500
8179 +++ linux-2.6.37/arch/x86/include/asm/mmu.h 2011-01-17 02:41:00.000000000 -0500
8181 * we put the segment information here.
8185 + struct desc_struct *ldt;
8189 + unsigned long vdso;
8191 +#ifdef CONFIG_X86_32
8192 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8193 + unsigned long user_cs_base;
8194 + unsigned long user_cs_limit;
8196 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8197 + cpumask_t cpu_user_cs_mask;
8206 diff -urNp linux-2.6.37/arch/x86/include/asm/module.h linux-2.6.37/arch/x86/include/asm/module.h
8207 --- linux-2.6.37/arch/x86/include/asm/module.h 2011-01-04 19:50:19.000000000 -0500
8208 +++ linux-2.6.37/arch/x86/include/asm/module.h 2011-01-17 02:41:00.000000000 -0500
8210 #error unknown processor family
8213 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8214 +#define MODULE_PAX_UDEREF "UDEREF "
8216 +#define MODULE_PAX_UDEREF ""
8219 #ifdef CONFIG_X86_32
8220 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
8221 +# ifdef CONFIG_PAX_KERNEXEC
8222 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
8224 +# define MODULE_PAX_KERNEXEC ""
8226 +# ifdef CONFIG_GRKERNSEC
8227 +# define MODULE_GRSEC "GRSECURITY "
8229 +# define MODULE_GRSEC ""
8231 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8233 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
8236 #endif /* _ASM_X86_MODULE_H */
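Review bot: On the non-32-bit branch `MODULE_ARCH_VERMAGIC` carries only `MODULE_PAX_UDEREF`, because `MODULE_GRSEC` and `MODULE_PAX_KERNEXEC` are defined and used inside the `CONFIG_X86_32` branch alone. If those options also change what a module may assume on x86-64 (not determinable from this hunk), a module built against a tree without them would still pass the vermagic comparison there. Defining the two strings next to `MODULE_PAX_UDEREF` and appending them in both branches would make the load-time check uniform, e.g. `# define MODULE_ARCH_VERMAGIC MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF` for the 64-bit case.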
8237 diff -urNp linux-2.6.37/arch/x86/include/asm/page_64_types.h linux-2.6.37/arch/x86/include/asm/page_64_types.h
8238 --- linux-2.6.37/arch/x86/include/asm/page_64_types.h 2011-01-04 19:50:19.000000000 -0500
8239 +++ linux-2.6.37/arch/x86/include/asm/page_64_types.h 2011-01-17 02:41:00.000000000 -0500
8240 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8242 /* duplicated to the one in bootmem.h */
8243 extern unsigned long max_pfn;
8244 -extern unsigned long phys_base;
8245 +extern const unsigned long phys_base;
8247 extern unsigned long __phys_addr(unsigned long);
8248 #define __phys_reloc_hide(x) (x)
8249 diff -urNp linux-2.6.37/arch/x86/include/asm/paravirt.h linux-2.6.37/arch/x86/include/asm/paravirt.h
8250 --- linux-2.6.37/arch/x86/include/asm/paravirt.h 2011-01-04 19:50:19.000000000 -0500
8251 +++ linux-2.6.37/arch/x86/include/asm/paravirt.h 2011-01-17 02:41:00.000000000 -0500
8252 @@ -715,6 +715,21 @@ static inline void __set_fixmap(unsigned
8253 pv_mmu_ops.set_fixmap(idx, phys, flags);
8256 +#ifdef CONFIG_PAX_KERNEXEC
8257 +static inline unsigned long pax_open_kernel(void)
8259 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8262 +static inline unsigned long pax_close_kernel(void)
8264 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8267 +static inline unsigned long pax_open_kernel(void) { return 0; }
8268 +static inline unsigned long pax_close_kernel(void) { return 0; }
8271 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8273 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8274 @@ -931,7 +946,7 @@ extern void default_banner(void);
8276 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8277 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8278 -#define PARA_INDIRECT(addr) *%cs:addr
8279 +#define PARA_INDIRECT(addr) *%ss:addr
8282 #define INTERRUPT_RETURN \
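Review bot: The segment override in `PARA_INDIRECT` changes from `%cs` to `%ss` with no comment, and nothing nearby says why the stack segment is the right one for reaching the paravirt ops tables. A change this small is easy to revert later as a presumed typo. A one-line comment above the define stating the reason would protect it, for example `/* ops tables must be read through a data segment; %cs may not cover them */`. That reason is a guess from the surrounding patch and should be confirmed by the author.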
8283 @@ -1008,6 +1023,21 @@ extern void default_banner(void);
8284 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8286 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8288 +#define GET_CR0_INTO_RDI \
8289 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8292 +#define SET_RDI_INTO_CR0 \
8293 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8295 +#define GET_CR3_INTO_RDI \
8296 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8299 +#define SET_RDI_INTO_CR3 \
8300 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8302 #endif /* CONFIG_X86_32 */
8304 #endif /* __ASSEMBLY__ */
8305 diff -urNp linux-2.6.37/arch/x86/include/asm/paravirt_types.h linux-2.6.37/arch/x86/include/asm/paravirt_types.h
8306 --- linux-2.6.37/arch/x86/include/asm/paravirt_types.h 2011-01-04 19:50:19.000000000 -0500
8307 +++ linux-2.6.37/arch/x86/include/asm/paravirt_types.h 2011-01-17 02:41:00.000000000 -0500
8308 @@ -311,6 +311,12 @@ struct pv_mmu_ops {
8309 an mfn. We can tell which is which from the index. */
8310 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8311 phys_addr_t phys, pgprot_t flags);
8313 +#ifdef CONFIG_PAX_KERNEXEC
8314 + unsigned long (*pax_open_kernel)(void);
8315 + unsigned long (*pax_close_kernel)(void);
8320 struct arch_spinlock;
8321 diff -urNp linux-2.6.37/arch/x86/include/asm/pci_x86.h linux-2.6.37/arch/x86/include/asm/pci_x86.h
8322 --- linux-2.6.37/arch/x86/include/asm/pci_x86.h 2011-01-04 19:50:19.000000000 -0500
8323 +++ linux-2.6.37/arch/x86/include/asm/pci_x86.h 2011-01-17 02:41:01.000000000 -0500
8324 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
8325 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8327 struct pci_raw_ops {
8328 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8329 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8330 int reg, int len, u32 *val);
8331 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8332 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8333 int reg, int len, u32 val);
8336 -extern struct pci_raw_ops *raw_pci_ops;
8337 -extern struct pci_raw_ops *raw_pci_ext_ops;
8338 +extern const struct pci_raw_ops *raw_pci_ops;
8339 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8341 -extern struct pci_raw_ops pci_direct_conf1;
8342 +extern const struct pci_raw_ops pci_direct_conf1;
8343 extern bool port_cf9_safe;
8345 /* arch_initcall level */
8346 diff -urNp linux-2.6.37/arch/x86/include/asm/pgalloc.h linux-2.6.37/arch/x86/include/asm/pgalloc.h
8347 --- linux-2.6.37/arch/x86/include/asm/pgalloc.h 2011-01-04 19:50:19.000000000 -0500
8348 +++ linux-2.6.37/arch/x86/include/asm/pgalloc.h 2011-01-17 02:41:01.000000000 -0500
8349 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8350 pmd_t *pmd, pte_t *pte)
8352 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8353 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8356 +static inline void pmd_populate_user(struct mm_struct *mm,
8357 + pmd_t *pmd, pte_t *pte)
8359 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8360 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8363 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable-2level.h linux-2.6.37/arch/x86/include/asm/pgtable-2level.h
8364 --- linux-2.6.37/arch/x86/include/asm/pgtable-2level.h 2011-01-04 19:50:19.000000000 -0500
8365 +++ linux-2.6.37/arch/x86/include/asm/pgtable-2level.h 2011-01-17 02:41:01.000000000 -0500
8366 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8368 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8370 + pax_open_kernel();
8372 + pax_close_kernel();
8375 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8376 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable_32.h linux-2.6.37/arch/x86/include/asm/pgtable_32.h
8377 --- linux-2.6.37/arch/x86/include/asm/pgtable_32.h 2011-01-04 19:50:19.000000000 -0500
8378 +++ linux-2.6.37/arch/x86/include/asm/pgtable_32.h 2011-01-17 02:41:01.000000000 -0500
8381 struct vm_area_struct;
8383 -extern pgd_t swapper_pg_dir[1024];
8384 -extern pgd_t initial_page_table[1024];
8386 static inline void pgtable_cache_init(void) { }
8387 static inline void check_pgt_cache(void) { }
8388 void paging_init(void);
8389 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8390 # include <asm/pgtable-2level.h>
8393 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8394 +extern pgd_t initial_page_table[PTRS_PER_PGD];
8395 +#ifdef CONFIG_X86_PAE
8396 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8399 #if defined(CONFIG_HIGHPTE)
8400 #define pte_offset_map(dir, address) \
8401 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
8402 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8403 /* Clear a kernel PTE and flush it from the TLB */
8404 #define kpte_clear_flush(ptep, vaddr) \
8406 + pax_open_kernel(); \
8407 pte_clear(&init_mm, (vaddr), (ptep)); \
8408 + pax_close_kernel(); \
8409 __flush_tlb_one((vaddr)); \
8412 @@ -74,6 +79,9 @@ do { \
8414 #endif /* !__ASSEMBLY__ */
8416 +#define HAVE_ARCH_UNMAPPED_AREA
8417 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8420 * kern_addr_valid() is (1) for FLATMEM and (0) for
8421 * SPARSEMEM and DISCONTIGMEM
8422 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable_32_types.h linux-2.6.37/arch/x86/include/asm/pgtable_32_types.h
8423 --- linux-2.6.37/arch/x86/include/asm/pgtable_32_types.h 2011-01-04 19:50:19.000000000 -0500
8424 +++ linux-2.6.37/arch/x86/include/asm/pgtable_32_types.h 2011-01-17 02:41:01.000000000 -0500
8427 #ifdef CONFIG_X86_PAE
8428 # include <asm/pgtable-3level_types.h>
8429 -# define PMD_SIZE (1UL << PMD_SHIFT)
8430 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8431 # define PMD_MASK (~(PMD_SIZE - 1))
8433 # include <asm/pgtable-2level_types.h>
8434 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8435 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8438 +#ifdef CONFIG_PAX_KERNEXEC
8439 +#ifndef __ASSEMBLY__
8440 +extern unsigned char MODULES_EXEC_VADDR[];
8441 +extern unsigned char MODULES_EXEC_END[];
8443 +#include <asm/boot.h>
8444 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8445 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8447 +#define ktla_ktva(addr) (addr)
8448 +#define ktva_ktla(addr) (addr)
8451 #define MODULES_VADDR VMALLOC_START
8452 #define MODULES_END VMALLOC_END
8453 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
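Review bot: The KERNEXEC variants of `ktla_ktva()` and `ktva_ktla()` use their argument unparenthesized, so an argument containing a lower-precedence operator (a conditional or a bitwise expression) is combined with `LOAD_PHYSICAL_ADDR` and `PAGE_OFFSET` in the wrong order. The definitions should read `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. A short comment giving what each direction of the translation means would also help, since the names are not self-explanatory.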
8454 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable-3level.h linux-2.6.37/arch/x86/include/asm/pgtable-3level.h
8455 --- linux-2.6.37/arch/x86/include/asm/pgtable-3level.h 2011-01-04 19:50:19.000000000 -0500
8456 +++ linux-2.6.37/arch/x86/include/asm/pgtable-3level.h 2011-01-17 02:41:01.000000000 -0500
8457 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8459 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8461 + pax_open_kernel();
8462 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8463 + pax_close_kernel();
8466 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8468 + pax_open_kernel();
8469 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8470 + pax_close_kernel();
8474 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable_64.h linux-2.6.37/arch/x86/include/asm/pgtable_64.h
8475 --- linux-2.6.37/arch/x86/include/asm/pgtable_64.h 2011-01-04 19:50:19.000000000 -0500
8476 +++ linux-2.6.37/arch/x86/include/asm/pgtable_64.h 2011-01-17 02:41:01.000000000 -0500
8479 extern pud_t level3_kernel_pgt[512];
8480 extern pud_t level3_ident_pgt[512];
8481 +extern pud_t level3_vmalloc_pgt[512];
8482 +extern pud_t level3_vmemmap_pgt[512];
8483 +extern pud_t level2_vmemmap_pgt[512];
8484 extern pmd_t level2_kernel_pgt[512];
8485 extern pmd_t level2_fixmap_pgt[512];
8486 -extern pmd_t level2_ident_pgt[512];
8487 -extern pgd_t init_level4_pgt[];
8488 +extern pmd_t level2_ident_pgt[512*2];
8489 +extern pgd_t init_level4_pgt[512];
8491 #define swapper_pg_dir init_level4_pgt
8493 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
8495 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8497 + pax_open_kernel();
8499 + pax_close_kernel();
8502 static inline void native_pmd_clear(pmd_t *pmd)
8503 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
8505 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8507 + pax_open_kernel();
8509 + pax_close_kernel();
8512 static inline void native_pgd_clear(pgd_t *pgd)
8513 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable_64_types.h linux-2.6.37/arch/x86/include/asm/pgtable_64_types.h
8514 --- linux-2.6.37/arch/x86/include/asm/pgtable_64_types.h 2011-01-04 19:50:19.000000000 -0500
8515 +++ linux-2.6.37/arch/x86/include/asm/pgtable_64_types.h 2011-01-17 02:41:01.000000000 -0500
8516 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8517 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8518 #define MODULES_END _AC(0xffffffffff000000, UL)
8519 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8520 +#define MODULES_EXEC_VADDR MODULES_VADDR
8521 +#define MODULES_EXEC_END MODULES_END
8523 +#define ktla_ktva(addr) (addr)
8524 +#define ktva_ktla(addr) (addr)
8526 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8527 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable.h linux-2.6.37/arch/x86/include/asm/pgtable.h
8528 --- linux-2.6.37/arch/x86/include/asm/pgtable.h 2011-01-04 19:50:19.000000000 -0500
8529 +++ linux-2.6.37/arch/x86/include/asm/pgtable.h 2011-01-17 02:41:01.000000000 -0500
8530 @@ -78,12 +78,51 @@ extern struct mm_struct *pgd_page_get_mm
8532 #define arch_end_context_switch(prev) do {} while(0)
8534 +#define pax_open_kernel() native_pax_open_kernel()
8535 +#define pax_close_kernel() native_pax_close_kernel()
8536 #endif /* CONFIG_PARAVIRT */
8538 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8539 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8541 +#ifdef CONFIG_PAX_KERNEXEC
8542 +static inline unsigned long native_pax_open_kernel(void)
8544 + unsigned long cr0;
8546 + preempt_disable();
8548 + cr0 = read_cr0() ^ X86_CR0_WP;
8549 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8551 + return cr0 ^ X86_CR0_WP;
8554 +static inline unsigned long native_pax_close_kernel(void)
8556 + unsigned long cr0;
8558 + cr0 = read_cr0() ^ X86_CR0_WP;
8559 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8562 + preempt_enable_no_resched();
8563 + return cr0 ^ X86_CR0_WP;
8566 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8567 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8571 * The following only work if pte_present() is true.
8572 * Undefined behaviour if not..
8574 +static inline int pte_user(pte_t pte)
8576 + return pte_val(pte) & _PAGE_USER;
8579 static inline int pte_dirty(pte_t pte)
8581 return pte_flags(pte) & _PAGE_DIRTY;
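Review bot: native_pax_open_kernel() disables preemption but, as far as this view shows, not interrupts, and `BUG_ON(unlikely(cr0 & X86_CR0_WP))` means a second open on the same CPU hits BUG() instead of nesting. Neither constraint is documented. A header comment would make the contract explicit, such as `/* Not nestable. Every path must reach pax_close_kernel(); code running in between executes with CR0.WP clear */`. Some lines of both functions are missing from this view, so the interrupt remark should be checked against the full body. Separately, pte_user() tests `pte_val(pte)` while its neighbour pte_dirty() uses `pte_flags(pte)`; using `pte_flags()` would match the rest of the file.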
8582 @@ -171,9 +210,29 @@ static inline pte_t pte_wrprotect(pte_t
8583 return pte_clear_flags(pte, _PAGE_RW);
8586 +static inline pte_t pte_mkread(pte_t pte)
8588 + return __pte(pte_val(pte) | _PAGE_USER);
8591 static inline pte_t pte_mkexec(pte_t pte)
8593 - return pte_clear_flags(pte, _PAGE_NX);
8594 +#ifdef CONFIG_X86_PAE
8595 + if (__supported_pte_mask & _PAGE_NX)
8596 + return pte_clear_flags(pte, _PAGE_NX);
8599 + return pte_set_flags(pte, _PAGE_USER);
8602 +static inline pte_t pte_exprotect(pte_t pte)
8604 +#ifdef CONFIG_X86_PAE
8605 + if (__supported_pte_mask & _PAGE_NX)
8606 + return pte_set_flags(pte, _PAGE_NX);
8609 + return pte_clear_flags(pte, _PAGE_USER);
8612 static inline pte_t pte_mkdirty(pte_t pte)
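Review bot: The NX branch of pte_mkexec() and pte_exprotect() is compiled only under `CONFIG_X86_PAE`, so a build without that symbol falls through to toggling `_PAGE_USER` and never touches `_PAGE_NX`. The pgtable_types.h section later in this patch defines `_PAGE_NX` as a real bit for `CONFIG_X86_64` as well, so if these helpers are reachable on 64-bit, "make executable" there would set the user bit instead of clearing NX. Guarding with `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)` would match that definition. Whether any 64-bit caller exists is not visible here. pte_mkread() also open-codes `__pte(pte_val(pte) | _PAGE_USER)` where the next function uses `pte_set_flags(pte, _PAGE_USER)`.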
8613 @@ -306,6 +365,15 @@ pte_t *populate_extra_pte(unsigned long
8616 #ifndef __ASSEMBLY__
8618 +#ifdef CONFIG_PAX_PER_CPU_PGD
8619 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8620 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8622 + return cpu_pgd[cpu];
8626 #include <linux/mm_types.h>
8628 static inline int pte_none(pte_t pte)
8629 @@ -476,7 +544,7 @@ static inline pud_t *pud_offset(pgd_t *p
8631 static inline int pgd_bad(pgd_t pgd)
8633 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8634 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8637 static inline int pgd_none(pgd_t pgd)
8638 @@ -499,7 +567,12 @@ static inline int pgd_none(pgd_t pgd)
8639 * pgd_offset() returns a (pgd_t *)
8640 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8642 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8643 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8645 +#ifdef CONFIG_PAX_PER_CPU_PGD
8646 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8650 * a shortcut which implies the use of the kernel's pgd, instead
8652 @@ -510,6 +583,20 @@ static inline int pgd_none(pgd_t pgd)
8653 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8654 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8656 +#ifdef CONFIG_X86_32
8657 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8659 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8660 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8662 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8663 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8665 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8670 #ifndef __ASSEMBLY__
8672 extern int direct_gbpages;
8673 @@ -617,11 +704,23 @@ static inline void ptep_set_wrprotect(st
8674 * dst and src can be on the same page, but the range must not overlap,
8675 * and must not cross a page boundary.
8677 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8678 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8680 - memcpy(dst, src, count * sizeof(pgd_t));
8681 + pax_open_kernel();
8684 + pax_close_kernel();
8687 +#ifdef CONFIG_PAX_PER_CPU_PGD
8688 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8691 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8692 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8694 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8697 #include <asm-generic/pgtable.h>
8698 #endif /* __ASSEMBLY__ */
8699 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable_types.h linux-2.6.37/arch/x86/include/asm/pgtable_types.h
8700 --- linux-2.6.37/arch/x86/include/asm/pgtable_types.h 2011-01-04 19:50:19.000000000 -0500
8701 +++ linux-2.6.37/arch/x86/include/asm/pgtable_types.h 2011-01-17 02:41:01.000000000 -0500
8703 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8704 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8705 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8706 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8707 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8708 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8709 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8710 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8711 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8712 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8713 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8714 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8716 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8718 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8719 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8720 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8721 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8722 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8723 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8724 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8727 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8728 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8730 +#elif defined(CONFIG_KMEMCHECK)
8731 #define _PAGE_NX (_AT(pteval_t, 0))
8733 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8736 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8738 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8741 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8742 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8744 #define __PAGE_KERNEL_EXEC \
8745 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8746 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8748 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8749 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8750 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8751 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8752 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8753 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8754 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8755 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8756 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8757 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8759 * bits are combined, this will alow user to access the high address mapped
8760 * VDSO in the presence of CONFIG_COMPAT_VDSO
8762 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8763 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8764 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8765 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8766 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
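Review bot: The comment kept as context above these defines still says the combined bits let user space reach the high-mapped VDSO under CONFIG_COMPAT_VDSO, but the new `PDE_IDENT_ATTR 0x063` drops the USER bit that the comment was justifying. The comment should be rewritten to match, for example `/* PRESENT+RW+DIRTY+ACCESSED; USER intentionally not set */` next to the define. It should also state what CONFIG_COMPAT_VDSO users can expect after this change. The opening lines of that comment are not shown here, so its exact wording needs checking against the file.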
8769 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8771 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8775 +#if PAGETABLE_LEVELS == 3
8776 +#include <asm-generic/pgtable-nopud.h>
8779 +#if PAGETABLE_LEVELS == 2
8780 +#include <asm-generic/pgtable-nopmd.h>
8783 +#ifndef __ASSEMBLY__
8784 #if PAGETABLE_LEVELS > 3
8785 typedef struct { pudval_t pud; } pud_t;
8787 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
8791 -#include <asm-generic/pgtable-nopud.h>
8793 static inline pudval_t native_pud_val(pud_t pud)
8795 return native_pgd_val(pud.pgd);
8796 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
8800 -#include <asm-generic/pgtable-nopmd.h>
8802 static inline pmdval_t native_pmd_val(pmd_t pmd)
8804 return native_pgd_val(pmd.pud.pgd);
8805 @@ -278,7 +287,6 @@ typedef struct page *pgtable_t;
8807 extern pteval_t __supported_pte_mask;
8808 extern void set_nx(void);
8809 -extern int nx_enabled;
8811 #define pgprot_writecombine pgprot_writecombine
8812 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8813 diff -urNp linux-2.6.37/arch/x86/include/asm/processor.h linux-2.6.37/arch/x86/include/asm/processor.h
8814 --- linux-2.6.37/arch/x86/include/asm/processor.h 2011-01-04 19:50:19.000000000 -0500
8815 +++ linux-2.6.37/arch/x86/include/asm/processor.h 2011-01-17 02:41:01.000000000 -0500
8816 @@ -271,7 +271,7 @@ struct tss_struct {
8818 } ____cacheline_aligned;
8820 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8821 +extern struct tss_struct init_tss[NR_CPUS];
8824 * Save the original ist values for checking stack pointers during debugging
8825 @@ -864,8 +864,15 @@ static inline void spin_lock_prefetch(co
8827 #define TASK_SIZE PAGE_OFFSET
8828 #define TASK_SIZE_MAX TASK_SIZE
8830 +#ifdef CONFIG_PAX_SEGMEXEC
8831 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8832 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8834 #define STACK_TOP TASK_SIZE
8835 -#define STACK_TOP_MAX STACK_TOP
8838 +#define STACK_TOP_MAX TASK_SIZE
8840 #define INIT_THREAD { \
8841 .sp0 = sizeof(init_stack) + (long)&init_stack, \
8842 @@ -882,7 +889,7 @@ static inline void spin_lock_prefetch(co
8844 #define INIT_TSS { \
8846 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8847 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8848 .ss0 = __KERNEL_DS, \
8849 .ss1 = __KERNEL_CS, \
8850 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8851 @@ -893,11 +900,7 @@ static inline void spin_lock_prefetch(co
8852 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8854 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8855 -#define KSTK_TOP(info) \
8857 - unsigned long *__ptr = (unsigned long *)(info); \
8858 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8860 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8863 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
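Review bot: The new `KSTK_TOP(info)` reaches `sp0` through `(info)->task.thread`, which only compiles if `task` is an embedded struct. If the argument is still a thread_info pointer whose `task` member is a pointer, the body needs `((info)->task->thread.sp0)`. A macro body is only checked where it is expanded, so a mistake here stays hidden until a caller uses it. The removed `task_pt_regs` line passed `task_stack_page(task)` to the old form, so any remaining callers should be checked for the argument type they pass.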
8864 @@ -912,7 +915,7 @@ extern unsigned long thread_saved_pc(str
8865 #define task_pt_regs(task) \
8867 struct pt_regs *__regs__; \
8868 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8869 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
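Review bot: The context comment just above this macro ("The below -8 is to reserve 8 bytes on top of the ring0 stack") no longer describes the code, because the new line reads `(task)->thread.sp0` with no `- 8`. The comment should be updated to say that `thread.sp0` is now expected to include the reserved bytes already. The place where `thread.sp0` is set should also be checked: in this file only `INIT_TSS` gains `- 8`, while the `INIT_THREAD` `.sp0` line appears as unchanged context. The rest of the macro body lies outside the lines shown.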
8873 @@ -922,13 +925,13 @@ extern unsigned long thread_saved_pc(str
8875 * User space process size. 47bits minus one guard page.
8877 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8878 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8880 /* This decides where the kernel will search for a free chunk of vm
8881 * space during mmap's.
8883 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8884 - 0xc0000000 : 0xFFFFe000)
8885 + 0xc0000000 : 0xFFFFf000)
8887 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8888 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
8889 @@ -965,6 +968,10 @@ extern void start_thread(struct pt_regs
8891 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8893 +#ifdef CONFIG_PAX_SEGMEXEC
8894 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8897 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8899 /* Get/set a process' ability to use the timestamp counter instruction */
8900 diff -urNp linux-2.6.37/arch/x86/include/asm/ptrace.h linux-2.6.37/arch/x86/include/asm/ptrace.h
8901 --- linux-2.6.37/arch/x86/include/asm/ptrace.h 2011-01-04 19:50:19.000000000 -0500
8902 +++ linux-2.6.37/arch/x86/include/asm/ptrace.h 2011-01-17 02:41:01.000000000 -0500
8903 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8907 - * user_mode_vm(regs) determines whether a register set came from user mode.
8908 + * user_mode(regs) determines whether a register set came from user mode.
8909 * This is true if V8086 mode was enabled OR if the register set was from
8910 * protected mode with RPL-3 CS value. This tricky test checks that with
8911 * one comparison. Many places in the kernel can bypass this full check
8912 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8913 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8916 -static inline int user_mode(struct pt_regs *regs)
8917 +static inline int user_mode_novm(struct pt_regs *regs)
8919 #ifdef CONFIG_X86_32
8920 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8922 - return !!(regs->cs & 3);
8923 + return !!(regs->cs & SEGMENT_RPL_MASK);
8927 -static inline int user_mode_vm(struct pt_regs *regs)
8928 +static inline int user_mode(struct pt_regs *regs)
8930 #ifdef CONFIG_X86_32
8931 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8934 - return user_mode(regs);
8935 + return user_mode_novm(regs);
8939 diff -urNp linux-2.6.37/arch/x86/include/asm/reboot.h linux-2.6.37/arch/x86/include/asm/reboot.h
8940 --- linux-2.6.37/arch/x86/include/asm/reboot.h 2011-01-04 19:50:19.000000000 -0500
8941 +++ linux-2.6.37/arch/x86/include/asm/reboot.h 2011-01-17 02:41:01.000000000 -0500
8942 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8944 void native_machine_crash_shutdown(struct pt_regs *regs);
8945 void native_machine_shutdown(void);
8946 -void machine_real_restart(const unsigned char *code, int length);
8947 +void machine_real_restart(const unsigned char *code, unsigned int length);
8949 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8950 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8951 diff -urNp linux-2.6.37/arch/x86/include/asm/rwsem.h linux-2.6.37/arch/x86/include/asm/rwsem.h
8952 --- linux-2.6.37/arch/x86/include/asm/rwsem.h 2011-01-04 19:50:19.000000000 -0500
8953 +++ linux-2.6.37/arch/x86/include/asm/rwsem.h 2011-01-17 02:41:01.000000000 -0500
8954 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
8956 asm volatile("# beginning down_read\n\t"
8957 LOCK_PREFIX _ASM_INC "(%1)\n\t"
8959 +#ifdef CONFIG_PAX_REFCOUNT
8961 + LOCK_PREFIX _ASM_DEC "(%1)\n"
8963 + _ASM_EXTABLE(0b, 0b)
8966 /* adds 0x00000001 */
8968 " call call_rwsem_down_read_failed\n"
8969 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
8974 +#ifdef CONFIG_PAX_REFCOUNT
8978 + _ASM_EXTABLE(0b, 0b)
8982 LOCK_PREFIX " cmpxchg %2,%0\n\t"
8984 @@ -158,6 +174,14 @@ static inline void __down_write_nested(s
8986 asm volatile("# beginning down_write\n\t"
8987 LOCK_PREFIX " xadd %1,(%2)\n\t"
8989 +#ifdef CONFIG_PAX_REFCOUNT
8993 + _ASM_EXTABLE(0b, 0b)
8996 /* adds 0xffff0001, returns the old value */
8998 /* was the count 0 before? */
8999 @@ -196,6 +220,14 @@ static inline void __up_read(struct rw_s
9001 asm volatile("# beginning __up_read\n\t"
9002 LOCK_PREFIX " xadd %1,(%2)\n\t"
9004 +#ifdef CONFIG_PAX_REFCOUNT
9008 + _ASM_EXTABLE(0b, 0b)
9011 /* subtracts 1, returns the old value */
9013 " call call_rwsem_wake\n" /* expects old value in %edx */
9014 @@ -214,6 +246,14 @@ static inline void __up_write(struct rw_
9016 asm volatile("# beginning __up_write\n\t"
9017 LOCK_PREFIX " xadd %1,(%2)\n\t"
9019 +#ifdef CONFIG_PAX_REFCOUNT
9023 + _ASM_EXTABLE(0b, 0b)
9026 /* subtracts 0xffff0001, returns the old value */
9028 " call call_rwsem_wake\n" /* expects old value in %edx */
9029 @@ -231,6 +271,14 @@ static inline void __downgrade_write(str
9031 asm volatile("# beginning __downgrade_write\n\t"
9032 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
9034 +#ifdef CONFIG_PAX_REFCOUNT
9036 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9038 + _ASM_EXTABLE(0b, 0b)
9042 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9043 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9044 @@ -250,7 +298,15 @@ static inline void __downgrade_write(str
9045 static inline void rwsem_atomic_add(rwsem_count_t delta,
9046 struct rw_semaphore *sem)
9048 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9049 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9051 +#ifdef CONFIG_PAX_REFCOUNT
9053 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
9055 + _ASM_EXTABLE(0b, 0b)
9061 @@ -263,7 +319,15 @@ static inline rwsem_count_t rwsem_atomic
9063 rwsem_count_t tmp = delta;
9065 - asm volatile(LOCK_PREFIX "xadd %0,%1"
9066 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9068 +#ifdef CONFIG_PAX_REFCOUNT
9072 + _ASM_EXTABLE(0b, 0b)
9075 : "+r" (tmp), "+m" (sem->count)
9078 diff -urNp linux-2.6.37/arch/x86/include/asm/segment.h linux-2.6.37/arch/x86/include/asm/segment.h
9079 --- linux-2.6.37/arch/x86/include/asm/segment.h 2011-01-04 19:50:19.000000000 -0500
9080 +++ linux-2.6.37/arch/x86/include/asm/segment.h 2011-01-17 02:41:01.000000000 -0500
9082 * 26 - ESPFIX small SS
9083 * 27 - per-cpu [ offset to per-cpu data area ]
9084 * 28 - stack_canary-20 [ for stack protector ]
9087 + * 29 - PCI BIOS CS
9088 + * 30 - PCI BIOS DS
9089 * 31 - TSS for double fault handler
9091 #define GDT_ENTRY_TLS_MIN 6
9094 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
9096 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9098 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
9100 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
9101 @@ -102,6 +104,12 @@
9102 #define __KERNEL_STACK_CANARY 0
9105 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
9106 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9108 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
9109 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9111 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9117 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9118 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9119 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9124 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9125 #define __USER32_DS __USER_DS
9127 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9129 #define GDT_ENTRY_TSS 8 /* needs two entries */
9130 #define GDT_ENTRY_LDT 10 /* needs two entries */
9131 #define GDT_ENTRY_TLS_MIN 12
9135 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
9136 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
9137 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
9138 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
9139 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
9140 diff -urNp linux-2.6.37/arch/x86/include/asm/smp.h linux-2.6.37/arch/x86/include/asm/smp.h
9141 --- linux-2.6.37/arch/x86/include/asm/smp.h 2011-01-04 19:50:19.000000000 -0500
9142 +++ linux-2.6.37/arch/x86/include/asm/smp.h 2011-01-17 02:41:01.000000000 -0500
9143 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
9144 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
9145 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
9146 DECLARE_PER_CPU(u16, cpu_llc_id);
9147 -DECLARE_PER_CPU(int, cpu_number);
9148 +DECLARE_PER_CPU(unsigned int, cpu_number);
9150 static inline struct cpumask *cpu_sibling_mask(int cpu)
9152 diff -urNp linux-2.6.37/arch/x86/include/asm/spinlock.h linux-2.6.37/arch/x86/include/asm/spinlock.h
9153 --- linux-2.6.37/arch/x86/include/asm/spinlock.h 2011-01-04 19:50:19.000000000 -0500
9154 +++ linux-2.6.37/arch/x86/include/asm/spinlock.h 2011-01-17 02:41:01.000000000 -0500
9155 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
9156 static inline void arch_read_lock(arch_rwlock_t *rw)
9158 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9160 +#ifdef CONFIG_PAX_REFCOUNT
9162 + LOCK_PREFIX " addl $1,(%0)\n"
9164 + _ASM_EXTABLE(0b, 0b)
9168 "call __read_lock_failed\n\t"
9170 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
9171 static inline void arch_write_lock(arch_rwlock_t *rw)
9173 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9175 +#ifdef CONFIG_PAX_REFCOUNT
9177 + LOCK_PREFIX " addl %1,(%0)\n"
9179 + _ASM_EXTABLE(0b, 0b)
9183 "call __write_lock_failed\n\t"
9185 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
9187 static inline void arch_read_unlock(arch_rwlock_t *rw)
9189 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9190 + asm volatile(LOCK_PREFIX "incl %0\n"
9192 +#ifdef CONFIG_PAX_REFCOUNT
9194 + LOCK_PREFIX "decl %0\n"
9196 + _ASM_EXTABLE(0b, 0b)
9199 + :"+m" (rw->lock) : : "memory");
9202 static inline void arch_write_unlock(arch_rwlock_t *rw)
9204 - asm volatile(LOCK_PREFIX "addl %1, %0"
9205 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9207 +#ifdef CONFIG_PAX_REFCOUNT
9209 + LOCK_PREFIX "subl %1, %0\n"
9211 + _ASM_EXTABLE(0b, 0b)
9214 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9217 diff -urNp linux-2.6.37/arch/x86/include/asm/stackprotector.h linux-2.6.37/arch/x86/include/asm/stackprotector.h
9218 --- linux-2.6.37/arch/x86/include/asm/stackprotector.h 2011-01-04 19:50:19.000000000 -0500
9219 +++ linux-2.6.37/arch/x86/include/asm/stackprotector.h 2011-01-17 02:41:01.000000000 -0500
9220 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9222 static inline void load_stack_canary_segment(void)
9224 -#ifdef CONFIG_X86_32
9225 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9226 asm volatile ("mov %0, %%gs" : : "r" (0));
9229 diff -urNp linux-2.6.37/arch/x86/include/asm/system.h linux-2.6.37/arch/x86/include/asm/system.h
9230 --- linux-2.6.37/arch/x86/include/asm/system.h 2011-01-04 19:50:19.000000000 -0500
9231 +++ linux-2.6.37/arch/x86/include/asm/system.h 2011-01-17 02:41:01.000000000 -0500
9232 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9234 unsigned long __limit;
9235 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9236 - return __limit + 1;
9240 static inline void native_clts(void)
9241 @@ -342,7 +342,7 @@ void enable_hlt(void);
9243 void cpu_idle_wait(void);
9245 -extern unsigned long arch_align_stack(unsigned long sp);
9246 +#define arch_align_stack(x) ((x) & ~0xfUL)
9247 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9249 void default_idle(void);
9250 diff -urNp linux-2.6.37/arch/x86/include/asm/uaccess_32.h linux-2.6.37/arch/x86/include/asm/uaccess_32.h
9251 --- linux-2.6.37/arch/x86/include/asm/uaccess_32.h 2011-01-04 19:50:19.000000000 -0500
9252 +++ linux-2.6.37/arch/x86/include/asm/uaccess_32.h 2011-01-17 02:41:01.000000000 -0500
9253 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9254 static __always_inline unsigned long __must_check
9255 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9260 if (__builtin_constant_p(n)) {
9263 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9267 + if (!__builtin_constant_p(n))
9268 + check_object_size(from, n, true);
9269 return __copy_to_user_ll(to, from, n);
9272 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9273 static __always_inline unsigned long
9274 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9279 /* Avoid zeroing the tail if the copy fails..
9280 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9281 * but as the zeroing behaviour is only significant when n is not
9282 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9283 __copy_from_user(void *to, const void __user *from, unsigned long n)
9290 if (__builtin_constant_p(n)) {
9293 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9297 + if (!__builtin_constant_p(n))
9298 + check_object_size(to, n, false);
9299 return __copy_from_user_ll(to, from, n);
9302 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9303 const void __user *from, unsigned long n)
9310 if (__builtin_constant_p(n)) {
9313 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9314 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9317 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9322 -unsigned long __must_check copy_to_user(void __user *to,
9323 - const void *from, unsigned long n);
9324 -unsigned long __must_check _copy_from_user(void *to,
9325 - const void __user *from,
9327 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9330 +extern void copy_to_user_overflow(void)
9331 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9332 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9334 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9338 extern void copy_from_user_overflow(void)
9339 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9340 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9344 -static inline unsigned long __must_check copy_from_user(void *to,
9345 - const void __user *from,
9348 + * copy_to_user: - Copy a block of data into user space.
9349 + * @to: Destination address, in user space.
9350 + * @from: Source address, in kernel space.
9351 + * @n: Number of bytes to copy.
9353 + * Context: User context only. This function may sleep.
9355 + * Copy data from kernel space to user space.
9357 + * Returns number of bytes that could not be copied.
9358 + * On success, this will be zero.
9360 +static inline unsigned long __must_check
9361 +copy_to_user(void __user *to, const void *from, unsigned long n)
9363 + int sz = __compiletime_object_size(from);
9365 + if (unlikely(sz != -1 && sz < n))
9366 + copy_to_user_overflow();
9367 + else if (access_ok(VERIFY_WRITE, to, n))
9368 + n = __copy_to_user(to, from, n);
9373 + * copy_from_user: - Copy a block of data from user space.
9374 + * @to: Destination address, in kernel space.
9375 + * @from: Source address, in user space.
9376 + * @n: Number of bytes to copy.
9378 + * Context: User context only. This function may sleep.
9380 + * Copy data from user space to kernel space.
9382 + * Returns number of bytes that could not be copied.
9383 + * On success, this will be zero.
9385 + * If some data could not be copied, this function will pad the copied
9386 + * data to the requested size using zero bytes.
9388 +static inline unsigned long __must_check
9389 +copy_from_user(void *to, const void __user *from, unsigned long n)
9391 int sz = __compiletime_object_size(to);
9393 - if (likely(sz == -1 || sz >= n))
9394 - n = _copy_from_user(to, from, n);
9396 + if (unlikely(sz != -1 && sz < n))
9397 copy_from_user_overflow();
9399 + else if (access_ok(VERIFY_READ, from, n))
9400 + n = __copy_from_user(to, from, n);
9401 + else if ((long)n > 0) {
9402 + if (!__builtin_constant_p(n))
9403 + check_object_size(to, n, false);
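Review bot: The kernel-doc added for `copy_from_user` promises that a short copy is padded with zero bytes, but the first branch (`sz != -1 && sz < n`) only calls `copy_from_user_overflow()` and, as far as the visible lines show, leaves `to` untouched. With a non-constant `n` that branch can be taken at run time, and the caller is then left with the buffer's previous contents. Either zero the part that is known to fit, `memset(to, 0, sz);`, before the overflow call, or extend the comment to say the destination is not modified on that path. The end of the function is not visible on the page, so this should be confirmed against the full body.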
9409 diff -urNp linux-2.6.37/arch/x86/include/asm/uaccess_64.h linux-2.6.37/arch/x86/include/asm/uaccess_64.h
9410 --- linux-2.6.37/arch/x86/include/asm/uaccess_64.h 2011-01-04 19:50:19.000000000 -0500
9411 +++ linux-2.6.37/arch/x86/include/asm/uaccess_64.h 2011-01-17 02:41:01.000000000 -0500
9413 #include <asm/alternative.h>
9414 #include <asm/cpufeature.h>
9415 #include <asm/page.h>
9416 +#include <asm/pgtable.h>
9418 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9421 * Copy To/From Userspace
9422 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
9426 -__must_check unsigned long
9427 -_copy_to_user(void __user *to, const void *from, unsigned len);
9428 -__must_check unsigned long
9429 -_copy_from_user(void *to, const void __user *from, unsigned len);
9430 +static __always_inline __must_check unsigned long
9431 +__copy_to_user(void __user *to, const void *from, unsigned len);
9432 +static __always_inline __must_check unsigned long
9433 +__copy_from_user(void *to, const void __user *from, unsigned len);
9434 __must_check unsigned long
9435 copy_in_user(void __user *to, const void __user *from, unsigned len);
9437 static inline unsigned long __must_check copy_from_user(void *to,
9438 const void __user *from,
9442 - int sz = __compiletime_object_size(to);
9445 - if (likely(sz == -1 || sz >= n))
9446 - n = _copy_from_user(to, from, n);
9447 -#ifdef CONFIG_DEBUG_VM
9449 - WARN(1, "Buffer overflow detected!\n");
9452 + if (access_ok(VERIFY_READ, from, n))
9453 + n = __copy_from_user(to, from, n);
9454 + else if ((int)n > 0) {
9455 + if (!__builtin_constant_p(n))
9456 + check_object_size(to, n, false);
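Review bot: The fallback branch tests `(int)n > 0`, whereas the same branch in uaccess_32.h in this patch uses `(long)n > 0`. On x86_64 the `int` cast looks only at the low 32 bits, so the result does not reflect `n` once it exceeds 32 bits. The parameter declaration falls on a line not shown here, so this assumes `n` is `unsigned long` as in the 32-bit header. If the intent is to skip the branch for implausibly large lengths, stating the bound directly is clearer: `else if (n && n <= INT_MAX) {`.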
9462 @@ -65,110 +68,174 @@ int copy_to_user(void __user *dst, const
9466 - return _copy_to_user(dst, src, size);
9467 + if (access_ok(VERIFY_WRITE, dst, size))
9468 + size = __copy_to_user(dst, src, size);
9472 static __always_inline __must_check
9473 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9474 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9477 + int sz = __compiletime_object_size(dst);
9481 - if (!__builtin_constant_p(size))
9482 - return copy_user_generic(dst, (__force void *)src, size);
9484 + if ((int)size < 0)
9487 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9488 + if (!__access_ok(VERIFY_READ, src, size))
9492 + if (unlikely(sz != -1 && sz < size)) {
9493 +#ifdef CONFIG_DEBUG_VM
9494 + WARN(1, "Buffer overflow detected!\n");
9499 + if (!__builtin_constant_p(size)) {
9500 + check_object_size(dst, size, false);
9501 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9502 + src += PAX_USER_SHADOW_BASE;
9503 + return copy_user_generic(dst, (__force const void *)src, size);
9506 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9507 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
9508 ret, "b", "b", "=q", 1);
9510 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
9511 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
9512 ret, "w", "w", "=r", 2);
9514 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
9515 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
9516 ret, "l", "k", "=r", 4);
9518 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
9519 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9520 ret, "q", "", "=r", 8);
9523 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9524 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9525 ret, "q", "", "=r", 10);
9528 __get_user_asm(*(u16 *)(8 + (char *)dst),
9529 - (u16 __user *)(8 + (char __user *)src),
9530 + (const u16 __user *)(8 + (const char __user *)src),
9531 ret, "w", "w", "=r", 2);
9534 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9535 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9536 ret, "q", "", "=r", 16);
9539 __get_user_asm(*(u64 *)(8 + (char *)dst),
9540 - (u64 __user *)(8 + (char __user *)src),
9541 + (const u64 __user *)(8 + (const char __user *)src),
9542 ret, "q", "", "=r", 8);
9545 - return copy_user_generic(dst, (__force void *)src, size);
9546 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9547 + src += PAX_USER_SHADOW_BASE;
9548 + return copy_user_generic(dst, (__force const void *)src, size);
9552 static __always_inline __must_check
9553 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9554 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9557 + int sz = __compiletime_object_size(src);
9561 - if (!__builtin_constant_p(size))
9563 + if ((int)size < 0)
9566 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9567 + if (!__access_ok(VERIFY_WRITE, dst, size))
9571 + if (unlikely(sz != -1 && sz < size)) {
9572 +#ifdef CONFIG_DEBUG_VM
9573 + WARN(1, "Buffer overflow detected!\n");
9578 + if (!__builtin_constant_p(size)) {
9579 + check_object_size(src, size, true);
9580 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9581 + dst += PAX_USER_SHADOW_BASE;
9582 return copy_user_generic((__force void *)dst, src, size);
9585 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9586 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
9587 ret, "b", "b", "iq", 1);
9589 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
9590 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
9591 ret, "w", "w", "ir", 2);
9593 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
9594 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
9595 ret, "l", "k", "ir", 4);
9597 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
9598 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9599 ret, "q", "", "er", 8);
9602 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9603 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9604 ret, "q", "", "er", 10);
9608 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
9609 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
9610 ret, "w", "w", "ir", 2);
9613 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9614 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9615 ret, "q", "", "er", 16);
9619 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
9620 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
9621 ret, "q", "", "er", 8);
9624 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9625 + dst += PAX_USER_SHADOW_BASE;
9626 return copy_user_generic((__force void *)dst, src, size);
9630 static __always_inline __must_check
9631 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9632 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9638 - if (!__builtin_constant_p(size))
9640 + if ((int)size < 0)
9643 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9644 + if (!__access_ok(VERIFY_READ, src, size))
9646 + if (!__access_ok(VERIFY_WRITE, dst, size))
9650 + if (!__builtin_constant_p(size)) {
9651 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9652 + src += PAX_USER_SHADOW_BASE;
9653 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9654 + dst += PAX_USER_SHADOW_BASE;
9655 return copy_user_generic((__force void *)dst,
9656 - (__force void *)src, size);
9657 + (__force const void *)src, size);
9662 - __get_user_asm(tmp, (u8 __user *)src,
9663 + __get_user_asm(tmp, (const u8 __user *)src,
9664 ret, "b", "b", "=q", 1);
9666 __put_user_asm(tmp, (u8 __user *)dst,
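Review bot: The two-line rebase `if ((unsigned long)p < PAX_USER_SHADOW_BASE) p += PAX_USER_SHADOW_BASE;` is written out separately at every exit of `__copy_from_user`, `__copy_to_user` and `__copy_in_user` in this hunk, and again in the inatomic helpers in a later hunk. A single static inline helper that takes the user pointer and returns the rebased one would keep these sites from drifting apart and give one place for the config guard. The constant-size `switch` cases pass `src` and `dst` to `__get_user_asm`/`__put_user_asm` with no visible rebase; presumably those macros handle it, and a one-line comment saying so would help the next reader. `__copy_in_user` continues past the end of this hunk.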
9667 @@ -177,7 +244,7 @@ int __copy_in_user(void __user *dst, con
9671 - __get_user_asm(tmp, (u16 __user *)src,
9672 + __get_user_asm(tmp, (const u16 __user *)src,
9673 ret, "w", "w", "=r", 2);
9675 __put_user_asm(tmp, (u16 __user *)dst,
9676 @@ -187,7 +254,7 @@ int __copy_in_user(void __user *dst, con
9680 - __get_user_asm(tmp, (u32 __user *)src,
9681 + __get_user_asm(tmp, (const u32 __user *)src,
9682 ret, "l", "k", "=r", 4);
9684 __put_user_asm(tmp, (u32 __user *)dst,
9685 @@ -196,7 +263,7 @@ int __copy_in_user(void __user *dst, con
9689 - __get_user_asm(tmp, (u64 __user *)src,
9690 + __get_user_asm(tmp, (const u64 __user *)src,
9691 ret, "q", "", "=r", 8);
9693 __put_user_asm(tmp, (u64 __user *)dst,
9694 @@ -204,8 +271,12 @@ int __copy_in_user(void __user *dst, con
9698 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9699 + src += PAX_USER_SHADOW_BASE;
9700 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9701 + dst += PAX_USER_SHADOW_BASE;
9702 return copy_user_generic((__force void *)dst,
9703 - (__force void *)src, size);
9704 + (__force const void *)src, size);
9708 @@ -222,33 +293,68 @@ __must_check unsigned long __clear_user(
9709 static __must_check __always_inline int
9710 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9712 + if ((int)size < 0)
9715 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9716 + if (!__access_ok(VERIFY_READ, src, size))
9720 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9721 + src += PAX_USER_SHADOW_BASE;
9722 return copy_user_generic(dst, (__force const void *)src, size);
9725 -static __must_check __always_inline int
9726 +static __must_check __always_inline unsigned long
9727 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9729 + if ((int)size < 0)
9732 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9733 + if (!__access_ok(VERIFY_WRITE, dst, size))
9737 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9738 + dst += PAX_USER_SHADOW_BASE;
9739 return copy_user_generic((__force void *)dst, src, size);
9742 -extern long __copy_user_nocache(void *dst, const void __user *src,
9743 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9744 unsigned size, int zerorest);
9747 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9748 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9752 + if ((int)size < 0)
9755 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9756 + if (!__access_ok(VERIFY_READ, src, size))
9760 return __copy_user_nocache(dst, src, size, 1);
9764 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9765 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9768 + if ((int)size < 0)
9771 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9772 + if (!__access_ok(VERIFY_READ, src, size))
9776 return __copy_user_nocache(dst, src, size, 0);
9780 +extern unsigned long
9781 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9783 #endif /* _ASM_X86_UACCESS_64_H */
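Review bot: `__copy_from_user_inatomic` keeps its `int` return type (its declaration line is unchanged context), while `__copy_to_user_inatomic`, `__copy_user_nocache` and both nocache wrappers are switched to `unsigned long` in this hunk. For consistency the declaration should read `static __must_check __always_inline unsigned long`, so a residual byte count is not narrowed on the way out. Separately, the two nocache wrappers add the `__access_ok` check but show no `PAX_USER_SHADOW_BASE` rebase before calling `__copy_user_nocache`, unlike the inatomic helpers above them. If `__copy_user_nocache` does not rebase internally, that is a missed site and worth confirming.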
9784 diff -urNp linux-2.6.37/arch/x86/include/asm/uaccess.h linux-2.6.37/arch/x86/include/asm/uaccess.h
9785 --- linux-2.6.37/arch/x86/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
9786 +++ linux-2.6.37/arch/x86/include/asm/uaccess.h 2011-01-17 02:41:01.000000000 -0500
9788 #include <linux/thread_info.h>
9789 #include <linux/prefetch.h>
9790 #include <linux/string.h>
9791 +#include <linux/sched.h>
9792 #include <asm/asm.h>
9793 #include <asm/page.h>
9795 #define VERIFY_READ 0
9796 #define VERIFY_WRITE 1
9798 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9801 * The fs value determines whether argument validity checking should be
9802 * performed or not. If get_fs() == USER_DS, checking is performed, with
9805 #define get_ds() (KERNEL_DS)
9806 #define get_fs() (current_thread_info()->addr_limit)
9807 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9808 +void __set_fs(mm_segment_t x);
9809 +void set_fs(mm_segment_t x);
9811 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9814 #define segment_eq(a, b) ((a).seg == (b).seg)
9817 * checks that the pointer is in the user space range - after calling
9818 * this function, memory access functions may still return -EFAULT.
9820 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9821 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9822 +#define access_ok(type, addr, size) \
9824 + long __size = size; \
9825 + unsigned long __addr = (unsigned long)addr; \
9826 + unsigned long __addr_ao = __addr & PAGE_MASK; \
9827 + unsigned long __end_ao = __addr + __size - 1; \
9828 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9829 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9830 + while(__addr_ao <= __end_ao) { \
9832 + __addr_ao += PAGE_SIZE; \
9833 + if (__size > PAGE_SIZE) \
9835 + if (__get_user(__c_ao, (char __user *)__addr)) \
9837 + if (type != VERIFY_WRITE) { \
9838 + __addr = __addr_ao; \
9841 + if (__put_user(__c_ao, (char __user *)__addr)) \
9843 + __addr = __addr_ao; \
9850 * The exception table consists of pairs of addresses: the first is the
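Review bot: The new `access_ok()` wrapper uses its `addr`, `size` and `type` arguments without parentheses, so in `(unsigned long)addr` the cast binds before any arithmetic in the caller's expression. A caller passing something like `p + n` with a non-char pointer would have the range check and the page probes run on a different address than the one it meant to validate. I would write `long __size = (size);`, `unsigned long __addr = (unsigned long)(addr);` and `if ((type) != VERIFY_WRITE)`. The macro also reads a byte with `__get_user` and, on the write path, stores it back with `__put_user`, so it deserves a comment saying that `access_ok()` can now fault and touches user memory. Several lines of the macro are missing from this page and should be checked the same way.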
9851 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
9852 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9853 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9856 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9857 +#define __copyuser_seg "%%gs:"
9858 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
9859 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
9861 +#define __copyuser_seg
9862 +#define __COPYUSER_SET_ES
9863 +#define __COPYUSER_RESTORE_ES
9866 #ifdef CONFIG_X86_32
9867 #define __put_user_asm_u64(x, addr, err, errret) \
9868 - asm volatile("1: movl %%eax,0(%2)\n" \
9869 - "2: movl %%edx,4(%2)\n" \
9870 + asm volatile("1: movl %%eax," __copyuser_seg"0(%2)\n" \
9871 + "2: movl %%edx," __copyuser_seg"4(%2)\n" \
9873 ".section .fixup,\"ax\"\n" \
9875 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
9876 : "A" (x), "r" (addr), "i" (errret), "0" (err))
9878 #define __put_user_asm_ex_u64(x, addr) \
9879 - asm volatile("1: movl %%eax,0(%1)\n" \
9880 - "2: movl %%edx,4(%1)\n" \
9881 + asm volatile("1: movl %%eax," __copyuser_seg"0(%1)\n" \
9882 + "2: movl %%edx," __copyuser_seg"4(%1)\n" \
9884 _ASM_EXTABLE(1b, 2b - 1b) \
9885 _ASM_EXTABLE(2b, 3b - 2b) \
9886 @@ -374,7 +416,7 @@ do { \
9889 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9890 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9891 + asm volatile("1: mov"itype" "__copyuser_seg"%2,%"rtype"1\n"\
9893 ".section .fixup,\"ax\"\n" \
9895 @@ -382,7 +424,7 @@ do { \
9898 _ASM_EXTABLE(1b, 3b) \
9899 - : "=r" (err), ltype(x) \
9900 + : "=r" (err), ltype (x) \
9901 : "m" (__m(addr)), "i" (errret), "0" (err))
9903 #define __get_user_size_ex(x, ptr, size) \
9904 @@ -407,7 +449,7 @@ do { \
9907 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9908 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9909 + asm volatile("1: mov"itype" "__copyuser_seg"%1,%"rtype"0\n"\
9911 _ASM_EXTABLE(1b, 2b - 1b) \
9912 : ltype(x) : "m" (__m(addr)))
9913 @@ -424,13 +466,24 @@ do { \
9915 unsigned long __gu_val; \
9916 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9917 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
9918 + (x) = (__typeof__(*(ptr)))__gu_val; \
9922 /* FIXME: this hack is definitely wrong -AK */
9923 struct __large_struct { unsigned long buf[100]; };
9924 -#define __m(x) (*(struct __large_struct __user *)(x))
9925 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9928 + unsigned long ____x = (unsigned long)(x); \
9929 + if (____x < PAX_USER_SHADOW_BASE) \
9930 + ____x += PAX_USER_SHADOW_BASE; \
9931 + (void __user *)____x; \
9934 +#define ____m(x) (x)
9936 +#define __m(x) (*(struct __large_struct __user *)____m(x))
9939 * Tell gcc we read from memory instead of writing: this is because
9940 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
9943 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9944 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9945 + asm volatile("1: mov"itype" %"rtype"1," __copyuser_seg"%2\n"\
9947 ".section .fixup,\"ax\"\n" \
9949 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
9951 _ASM_EXTABLE(1b, 3b) \
9953 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9954 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
9956 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9957 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9958 + asm volatile("1: mov"itype" %"rtype"0," __copyuser_seg"%1\n"\
9960 _ASM_EXTABLE(1b, 2b - 1b) \
9961 : : ltype(x), "m" (__m(addr)))
9962 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
9963 * On error, the variable @x is set to zero.
9966 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9967 +#define __get_user(x, ptr) get_user((x), (ptr))
9969 #define __get_user(x, ptr) \
9970 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
9974 * __put_user: - Write a simple value into user space, with less checking.
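Review bot: Under `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF` `__get_user()` now expands to the checking `get_user()`, and the next hunk does the same for `__put_user()`, whose kernel-doc still reads "with less checking". The documentation no longer matches the code in that configuration. A comment at each `#if`, such as `/* UDEREF on x86-64: the __ variants are routed through the range-checked accessors */`, would tell callers that the unchecked fast path does not exist in this build.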
9975 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
9976 * Returns zero on success, or -EFAULT on error.
9979 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9980 +#define __put_user(x, ptr) put_user((x), (ptr))
9982 #define __put_user(x, ptr) \
9983 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
9986 #define __get_user_unaligned __get_user
9987 #define __put_user_unaligned __put_user
9988 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
9989 #define get_user_ex(x, ptr) do { \
9990 unsigned long __gue_val; \
9991 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
9992 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
9993 + (x) = (__typeof__(*(ptr)))__gue_val; \
9996 #ifdef CONFIG_X86_WP_WORKS_OK
9997 @@ -567,6 +628,7 @@ extern struct movsl_mask {
9999 #define ARCH_HAS_NOCACHE_UACCESS 1
10001 +#define ARCH_HAS_SORT_EXTABLE
10002 #ifdef CONFIG_X86_32
10003 # include "uaccess_32.h"
10005 diff -urNp linux-2.6.37/arch/x86/include/asm/vgtod.h linux-2.6.37/arch/x86/include/asm/vgtod.h
10006 --- linux-2.6.37/arch/x86/include/asm/vgtod.h 2011-01-04 19:50:19.000000000 -0500
10007 +++ linux-2.6.37/arch/x86/include/asm/vgtod.h 2011-01-17 02:41:01.000000000 -0500
10008 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
10009 int sysctl_enabled;
10010 struct timezone sys_tz;
10011 struct { /* extract of a clocksource struct */
10013 cycle_t (*vread)(void);
10014 cycle_t cycle_last;
10016 diff -urNp linux-2.6.37/arch/x86/include/asm/vsyscall.h linux-2.6.37/arch/x86/include/asm/vsyscall.h
10017 --- linux-2.6.37/arch/x86/include/asm/vsyscall.h 2011-01-04 19:50:19.000000000 -0500
10018 +++ linux-2.6.37/arch/x86/include/asm/vsyscall.h 2011-01-17 02:41:01.000000000 -0500
10019 @@ -15,9 +15,10 @@ enum vsyscall_num {
10022 #include <linux/seqlock.h>
10023 +#include <linux/getcpu.h>
10024 +#include <linux/time.h>
10026 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
10027 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
10029 /* Definitions for CONFIG_GENERIC_TIME definitions */
10030 #define __section_vsyscall_gtod_data __attribute__ \
10031 @@ -31,7 +32,6 @@ enum vsyscall_num {
10032 #define VGETCPU_LSL 2
10034 extern int __vgetcpu_mode;
10035 -extern volatile unsigned long __jiffies;
10037 /* kernel space (writeable) */
10038 extern int vgetcpu_mode;
10039 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
10041 extern void map_vsyscall(void);
10043 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
10044 +extern time_t vtime(time_t *t);
10045 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
10046 #endif /* __KERNEL__ */
10048 #endif /* _ASM_X86_VSYSCALL_H */
10049 diff -urNp linux-2.6.37/arch/x86/include/asm/xsave.h linux-2.6.37/arch/x86/include/asm/xsave.h
10050 --- linux-2.6.37/arch/x86/include/asm/xsave.h 2011-01-04 19:50:19.000000000 -0500
10051 +++ linux-2.6.37/arch/x86/include/asm/xsave.h 2011-01-17 02:41:01.000000000 -0500
10052 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10056 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10057 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10058 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10062 * Clear the xsave header first, so that reserved fields are
10063 * initialized to zero.
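Review bot: The rebasing of a user pointer by `PAX_USER_SHADOW_BASE` is open-coded here, again in `xrestore_user()` in the next hunk, and in the `____m()` macro and the uaccess_64.h copy helpers earlier in the patch, each with its own casts. The two xsave.h copies already differ in whether the cast carries `__user`. One inline helper that takes and returns a `void __user *` would keep the comparison and the addition in a single reviewed place and make a missed call site easier to spot. Both function bodies continue outside their hunks.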
10064 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
10066 u32 hmask = mask >> 32;
10068 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10069 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10070 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10073 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10075 ".section .fixup,\"ax\"\n"
10076 diff -urNp linux-2.6.37/arch/x86/Kconfig linux-2.6.37/arch/x86/Kconfig
10077 --- linux-2.6.37/arch/x86/Kconfig 2011-01-04 19:50:19.000000000 -0500
10078 +++ linux-2.6.37/arch/x86/Kconfig 2011-01-17 02:41:01.000000000 -0500
10079 @@ -225,7 +225,7 @@ config X86_TRAMPOLINE
10081 config X86_32_LAZY_GS
10083 - depends on X86_32 && !CC_STACKPROTECTOR
10084 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10086 config ARCH_HWEIGHT_CFLAGS
10088 @@ -992,7 +992,7 @@ choice
10092 - depends on !X86_NUMAQ
10093 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10095 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10096 However, the address space of 32-bit x86 processors is only 4
10097 @@ -1029,7 +1029,7 @@ config NOHIGHMEM
10101 - depends on !X86_NUMAQ
10102 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10104 Select this if you have a 32-bit processor and between 1 and 4
10105 gigabytes of physical RAM.
10106 @@ -1083,7 +1083,7 @@ config PAGE_OFFSET
10108 default 0xB0000000 if VMSPLIT_3G_OPT
10109 default 0x80000000 if VMSPLIT_2G
10110 - default 0x78000000 if VMSPLIT_2G_OPT
10111 + default 0x70000000 if VMSPLIT_2G_OPT
10112 default 0x40000000 if VMSPLIT_1G
10115 @@ -1427,7 +1427,7 @@ config ARCH_USES_PG_UNCACHED
10118 bool "EFI runtime service support"
10120 + depends on ACPI && !PAX_KERNEXEC
10122 This enables the kernel to use EFI runtime services that are
10123 available (such as the EFI variable services).
10124 @@ -1457,6 +1457,7 @@ config SECCOMP
10126 config CC_STACKPROTECTOR
10127 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
10128 + depends on X86_64 || !PAX_MEMORY_UDEREF
10130 This option turns on the -fstack-protector GCC feature. This
10131 feature puts, at the beginning of functions, a canary value on
10132 @@ -1514,6 +1515,7 @@ config KEXEC_JUMP
10133 config PHYSICAL_START
10134 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
10135 default "0x1000000"
10136 + range 0x400000 0x40000000
10138 This gives the physical address where the kernel is loaded.
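Review bot: The added `range 0x400000 0x40000000` on PHYSICAL_START applies to every configuration, while the corresponding limit added to PHYSICAL_ALIGN in the next hunk is guarded with `if PAX_KERNEXEC`. If the restriction only exists for KERNEXEC, guard it the same way with `range 0x400000 0x40000000 if PAX_KERNEXEC`. If it is meant for all builds, the help text should state the permitted range, so that a value rejected by Kconfig is not a surprise.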
10140 @@ -1577,6 +1579,7 @@ config X86_NEED_RELOCS
10141 config PHYSICAL_ALIGN
10142 hex "Alignment value to which kernel should be aligned" if X86_32
10143 default "0x1000000"
10144 + range 0x400000 0x1000000 if PAX_KERNEXEC
10145 range 0x2000 0x1000000
10147 This value puts the alignment restrictions on physical address
10148 @@ -1608,9 +1611,10 @@ config HOTPLUG_CPU
10149 Say N if you want to disable CPU hotplug.
10154 prompt "Compat VDSO support"
10155 depends on X86_32 || IA32_EMULATION
10156 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10158 Map the 32-bit VDSO to the predictable old-style address too.
10160 diff -urNp linux-2.6.37/arch/x86/Kconfig.cpu linux-2.6.37/arch/x86/Kconfig.cpu
10161 --- linux-2.6.37/arch/x86/Kconfig.cpu 2011-01-04 19:50:19.000000000 -0500
10162 +++ linux-2.6.37/arch/x86/Kconfig.cpu 2011-01-17 02:41:01.000000000 -0500
10163 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
10165 config X86_F00F_BUG
10167 - depends on M586MMX || M586TSC || M586 || M486 || M386
10168 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10170 config X86_INVD_BUG
10172 @@ -360,7 +360,7 @@ config X86_POPAD_OK
10174 config X86_ALIGNMENT_16
10176 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10177 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10179 config X86_INTEL_USERCOPY
10181 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
10185 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10186 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10188 config X86_MINIMUM_CPU_FAMILY
10190 diff -urNp linux-2.6.37/arch/x86/Kconfig.debug linux-2.6.37/arch/x86/Kconfig.debug
10191 --- linux-2.6.37/arch/x86/Kconfig.debug 2011-01-04 19:50:19.000000000 -0500
10192 +++ linux-2.6.37/arch/x86/Kconfig.debug 2011-01-17 02:41:01.000000000 -0500
10193 @@ -101,7 +101,7 @@ config X86_PTDUMP
10194 config DEBUG_RODATA
10195 bool "Write protect kernel read-only data structures"
10197 - depends on DEBUG_KERNEL
10198 + depends on DEBUG_KERNEL && BROKEN
10200 Mark the kernel read-only data as write-protected in the pagetables,
10201 in order to catch accidental (and incorrect) writes to such const
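Review bot: `depends on DEBUG_KERNEL && BROKEN` makes DEBUG_RODATA unselectable in every configuration, including kernels built from this tree with the PaX options switched off, so those builds lose the page-table write protection the help text describes. If the aim is only to avoid a clash with a PaX feature, a conditional dependency such as `depends on DEBUG_KERNEL && !PAX_KERNEXEC` would keep the option available elsewhere. Which option actually conflicts is not visible on this page, so that symbol is a guess. Either way the help text should say why the option is disabled.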
10202 diff -urNp linux-2.6.37/arch/x86/kernel/acpi/boot.c linux-2.6.37/arch/x86/kernel/acpi/boot.c
10203 --- linux-2.6.37/arch/x86/kernel/acpi/boot.c 2011-01-04 19:50:19.000000000 -0500
10204 +++ linux-2.6.37/arch/x86/kernel/acpi/boot.c 2011-01-17 02:41:01.000000000 -0500
10205 @@ -1498,7 +1498,7 @@ static struct dmi_system_id __initdata a
10206 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
10210 + { NULL, NULL, {{0, {0}}}, NULL}
10214 diff -urNp linux-2.6.37/arch/x86/kernel/acpi/sleep.c linux-2.6.37/arch/x86/kernel/acpi/sleep.c
10215 --- linux-2.6.37/arch/x86/kernel/acpi/sleep.c 2011-01-04 19:50:19.000000000 -0500
10216 +++ linux-2.6.37/arch/x86/kernel/acpi/sleep.c 2011-01-17 02:41:01.000000000 -0500
10218 #include <linux/cpumask.h>
10219 #include <asm/segment.h>
10220 #include <asm/desc.h>
10221 +#include <asm/e820.h>
10223 #ifdef CONFIG_X86_32
10224 #include <asm/pgtable.h>
10226 #include "realmode/wakeup.h"
10229 -unsigned long acpi_wakeup_address;
10230 +unsigned long acpi_wakeup_address = 0x2000;
10231 unsigned long acpi_realmode_flags;
10233 /* address in low memory of the wakeup routine. */
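Review bot: `acpi_wakeup_address` is now initialised to the bare literal `0x2000` with no comment or named constant. The new `<asm/e820.h>` include suggests the matching low-memory reservation is made elsewhere, and that code has to agree on the same value. A shared `#define`, or at least a comment naming where the page is reserved, would stop the two from drifting apart.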
10234 @@ -101,8 +102,12 @@ int acpi_save_state_mem(void)
10235 header->trampoline_segment = setup_trampoline() >> 4;
10237 stack_start.sp = temp_stack + sizeof(temp_stack);
10239 + pax_open_kernel();
10240 early_gdt_descr.address =
10241 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10242 + pax_close_kernel();
10244 initial_gs = per_cpu_offset(smp_processor_id());
10246 initial_code = (unsigned long)wakeup_long64;
10247 diff -urNp linux-2.6.37/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.37/arch/x86/kernel/acpi/wakeup_32.S
10248 --- linux-2.6.37/arch/x86/kernel/acpi/wakeup_32.S 2011-01-04 19:50:19.000000000 -0500
10249 +++ linux-2.6.37/arch/x86/kernel/acpi/wakeup_32.S 2011-01-17 02:41:01.000000000 -0500
10250 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10251 # and restore the stack ... but you need gdt for this to work
10252 movl saved_context_esp, %esp
10254 - movl %cs:saved_magic, %eax
10255 - cmpl $0x12345678, %eax
10256 + cmpl $0x12345678, saved_magic
10259 # jump to place where we left off
10260 - movl saved_eip, %eax
10266 diff -urNp linux-2.6.37/arch/x86/kernel/alternative.c linux-2.6.37/arch/x86/kernel/alternative.c
10267 --- linux-2.6.37/arch/x86/kernel/alternative.c 2011-01-04 19:50:19.000000000 -0500
10268 +++ linux-2.6.37/arch/x86/kernel/alternative.c 2011-01-17 02:41:01.000000000 -0500
10269 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
10270 if (!*poff || ptr < text || ptr >= text_end)
10272 /* turn DS segment override prefix into lock prefix */
10273 - if (*ptr == 0x3e)
10274 + if (*ktla_ktva(ptr) == 0x3e)
10275 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10277 mutex_unlock(&text_mutex);
10278 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
10279 if (!*poff || ptr < text || ptr >= text_end)
10281 /* turn lock prefix into DS segment override prefix */
10282 - if (*ptr == 0xf0)
10283 + if (*ktla_ktva(ptr) == 0xf0)
10284 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10286 mutex_unlock(&text_mutex);
10287 @@ -437,7 +437,7 @@ void __init_or_module apply_paravirt(str
10289 BUG_ON(p->len > MAX_PATCH_LEN);
10290 /* prep the buffer with the original instructions */
10291 - memcpy(insnbuf, p->instr, p->len);
10292 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10293 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10294 (unsigned long)p->instr, p->len);
10296 @@ -505,7 +505,7 @@ void __init alternative_instructions(voi
10298 free_init_pages("SMP alternatives",
10299 (unsigned long)__smp_locks,
10300 - (unsigned long)__smp_locks_end);
10301 + PAGE_ALIGN((unsigned long)__smp_locks_end));
10305 @@ -522,13 +522,17 @@ void __init alternative_instructions(voi
10306 * instructions. And on the local CPU you need to be protected again NMI or MCE
10307 * handlers seeing an inconsistent instruction while you patch.
10309 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
10310 +void *__kprobes text_poke_early(void *addr, const void *opcode,
10313 unsigned long flags;
10314 local_irq_save(flags);
10315 - memcpy(addr, opcode, len);
10317 + pax_open_kernel();
10318 + memcpy(ktla_ktva(addr), opcode, len);
10320 + pax_close_kernel();
10322 local_irq_restore(flags);
10323 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10324 that causes hangs on some VIA CPUs. */
10325 @@ -550,36 +554,22 @@ void *__init_or_module text_poke_early(v
10327 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10329 - unsigned long flags;
10331 + unsigned char *vaddr = ktla_ktva(addr);
10332 struct page *pages[2];
10336 if (!core_kernel_text((unsigned long)addr)) {
10337 - pages[0] = vmalloc_to_page(addr);
10338 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10339 + pages[0] = vmalloc_to_page(vaddr);
10340 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10342 - pages[0] = virt_to_page(addr);
10343 + pages[0] = virt_to_page(vaddr);
10344 WARN_ON(!PageReserved(pages[0]));
10345 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10346 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10349 - local_irq_save(flags);
10350 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10352 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10353 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10354 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10355 - clear_fixmap(FIX_TEXT_POKE0);
10357 - clear_fixmap(FIX_TEXT_POKE1);
10358 - local_flush_tlb();
10360 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10361 - that causes hangs on some VIA CPUs. */
10362 + text_poke_early(addr, opcode, len);
10363 for (i = 0; i < len; i++)
10364 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10365 - local_irq_restore(flags);
10366 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
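Review bot: After this rewrite `pages[0]` and `pages[1]` are still looked up in `text_poke()` but no longer used for the write, because the fixmap mapping is removed and the bytes go through `text_poke_early()`. Only the sanity checks on them remain, so I would drop the unused second lookup or add a comment such as `/* pages[] is only validated here; the write goes through text_poke_early() */`. The read-back `BUG_ON` loop also now runs after `text_poke_early()` has restored interrupts, whereas the removed code compared before `local_irq_restore()`; if that ordering mattered, the comment should say so. Some lines of this hunk are missing from the page, so this rests on the visible part only.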
10370 @@ -645,9 +635,9 @@ void *__kprobes text_poke_smp(void *addr
10371 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
10373 #ifdef CONFIG_X86_64
10374 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10375 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10377 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10378 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10381 void __init arch_init_ideal_nop5(void)
10382 diff -urNp linux-2.6.37/arch/x86/kernel/amd_iommu.c linux-2.6.37/arch/x86/kernel/amd_iommu.c
10383 --- linux-2.6.37/arch/x86/kernel/amd_iommu.c 2011-01-04 19:50:19.000000000 -0500
10384 +++ linux-2.6.37/arch/x86/kernel/amd_iommu.c 2011-01-17 02:41:01.000000000 -0500
10385 @@ -2286,7 +2286,7 @@ static void prealloc_protection_domains(
10389 -static struct dma_map_ops amd_iommu_dma_ops = {
10390 +static const struct dma_map_ops amd_iommu_dma_ops = {
10391 .alloc_coherent = alloc_coherent,
10392 .free_coherent = free_coherent,
10393 .map_page = map_page,
10394 diff -urNp linux-2.6.37/arch/x86/kernel/apic/io_apic.c linux-2.6.37/arch/x86/kernel/apic/io_apic.c
10395 --- linux-2.6.37/arch/x86/kernel/apic/io_apic.c 2011-01-04 19:50:19.000000000 -0500
10396 +++ linux-2.6.37/arch/x86/kernel/apic/io_apic.c 2011-01-17 02:41:01.000000000 -0500
10397 @@ -597,7 +597,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10398 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10400 if (!ioapic_entries)
10404 for (apic = 0; apic < nr_ioapics; apic++) {
10405 ioapic_entries[apic] =
10406 @@ -614,7 +614,7 @@ nomem:
10407 kfree(ioapic_entries[apic]);
10408 kfree(ioapic_entries);
10415 @@ -1024,7 +1024,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10417 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10419 -void lock_vector_lock(void)
10420 +void lock_vector_lock(void) __acquires(vector_lock)
10422 /* Used to the online set of cpus does not change
10423 * during assign_irq_vector.
10424 @@ -1032,7 +1032,7 @@ void lock_vector_lock(void)
10425 raw_spin_lock(&vector_lock);
10428 -void unlock_vector_lock(void)
10429 +void unlock_vector_lock(void) __releases(vector_lock)
10431 raw_spin_unlock(&vector_lock);
10433 diff -urNp linux-2.6.37/arch/x86/kernel/apm_32.c linux-2.6.37/arch/x86/kernel/apm_32.c
10434 --- linux-2.6.37/arch/x86/kernel/apm_32.c 2011-01-04 19:50:19.000000000 -0500
10435 +++ linux-2.6.37/arch/x86/kernel/apm_32.c 2011-01-17 02:41:01.000000000 -0500
10436 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10437 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10438 * even though they are called in protected mode.
10440 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10441 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10442 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10444 static const char driver_version[] = "1.16ac"; /* no spaces */
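Review bot: The descriptor flags change from `0x4092` to `0x4093` in the same line that makes `bad_bios_desc` `const`, and nothing explains the new value. Bit 0 of the type field is the x86 accessed bit, so this presumably pre-sets it so that loading the segment does not make the CPU write to the GDT entry. A one-line comment such as `/* accessed bit pre-set so the CPU need not write the descriptor */` would make that intent reviewable.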
10445 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10447 gdt = get_cpu_gdt_table(cpu);
10448 save_desc_40 = gdt[0x40 / 8];
10450 + pax_open_kernel();
10451 gdt[0x40 / 8] = bad_bios_desc;
10452 + pax_close_kernel();
10454 apm_irq_save(flags);
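Review bot: The `pax_open_kernel(); gdt[0x40 / 8] = ...; pax_close_kernel();` triplet is written out four times across `__apm_bios_call()` and `__apm_bios_call_simple()`, in this hunk and the three that follow. A small static helper, for example `apm_set_desc_40(gdt, &desc)`, would keep each open paired with its close and confine the writable window to one place. That matters because an early return added between the two calls later would leave kernel memory writable. The function bodies continue outside the hunks.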
10456 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10458 APM_DO_RESTORE_SEGS;
10459 apm_irq_restore(flags);
10461 + pax_open_kernel();
10462 gdt[0x40 / 8] = save_desc_40;
10463 + pax_close_kernel();
10467 return call->eax & 0xff;
10468 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10470 gdt = get_cpu_gdt_table(cpu);
10471 save_desc_40 = gdt[0x40 / 8];
10473 + pax_open_kernel();
10474 gdt[0x40 / 8] = bad_bios_desc;
10475 + pax_close_kernel();
10477 apm_irq_save(flags);
10479 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10481 APM_DO_RESTORE_SEGS;
10482 apm_irq_restore(flags);
10484 + pax_open_kernel();
10485 gdt[0x40 / 8] = save_desc_40;
10486 + pax_close_kernel();
10491 @@ -975,7 +989,7 @@ recalc:
10493 static void apm_power_off(void)
10495 - unsigned char po_bios_call[] = {
10496 + const unsigned char po_bios_call[] = {
10497 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10498 0x8e, 0xd0, /* movw ax,ss */
10499 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10500 @@ -1932,7 +1946,10 @@ static const struct file_operations apm_
10501 static struct miscdevice apm_device = {
10512 @@ -2253,7 +2270,7 @@ static struct dmi_system_id __initdata a
10513 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10517 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10521 @@ -2356,12 +2373,15 @@ static int __init apm_init(void)
10522 * code to that CPU.
10524 gdt = get_cpu_gdt_table(0);
10526 + pax_open_kernel();
10527 set_desc_base(&gdt[APM_CS >> 3],
10528 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10529 set_desc_base(&gdt[APM_CS_16 >> 3],
10530 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10531 set_desc_base(&gdt[APM_DS >> 3],
10532 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10533 + pax_close_kernel();
10535 proc_create("apm", 0, NULL, &apm_file_ops);
10537 diff -urNp linux-2.6.37/arch/x86/kernel/asm-offsets_32.c linux-2.6.37/arch/x86/kernel/asm-offsets_32.c
10538 --- linux-2.6.37/arch/x86/kernel/asm-offsets_32.c 2011-01-04 19:50:19.000000000 -0500
10539 +++ linux-2.6.37/arch/x86/kernel/asm-offsets_32.c 2011-01-17 02:41:01.000000000 -0500
10540 @@ -113,6 +113,11 @@ void foo(void)
10541 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10542 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10543 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10545 +#ifdef CONFIG_PAX_KERNEXEC
10546 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10552 diff -urNp linux-2.6.37/arch/x86/kernel/asm-offsets_64.c linux-2.6.37/arch/x86/kernel/asm-offsets_64.c
10553 --- linux-2.6.37/arch/x86/kernel/asm-offsets_64.c 2011-01-04 19:50:19.000000000 -0500
10554 +++ linux-2.6.37/arch/x86/kernel/asm-offsets_64.c 2011-01-17 02:41:01.000000000 -0500
10555 @@ -63,6 +63,18 @@ int main(void)
10556 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10557 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10558 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10560 +#ifdef CONFIG_PAX_KERNEXEC
10561 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10562 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10565 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10566 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10567 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10568 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10574 @@ -115,6 +127,7 @@ int main(void)
10578 + DEFINE(TSS_size, sizeof(struct tss_struct));
10579 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10581 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10582 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/common.c linux-2.6.37/arch/x86/kernel/cpu/common.c
10583 --- linux-2.6.37/arch/x86/kernel/cpu/common.c 2011-01-04 19:50:19.000000000 -0500
10584 +++ linux-2.6.37/arch/x86/kernel/cpu/common.c 2011-01-17 02:41:01.000000000 -0500
10585 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10587 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10589 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10590 -#ifdef CONFIG_X86_64
10592 - * We need valid kernel segments for data and code in long mode too
10593 - * IRET will check the segment types kkeil 2000/10/28
10594 - * Also sysret mandates a special GDT layout
10596 - * TLS descriptors are currently at a different place compared to i386.
10597 - * Hopefully nobody expects them at a fixed place (Wine?)
10599 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10600 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10601 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10602 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10603 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10604 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10606 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10607 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10608 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10609 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10611 - * Segments used for calling PnP BIOS have byte granularity.
10612 - * They code segments and data segments have fixed 64k limits,
10613 - * the transfer segment sizes are set at run time.
10615 - /* 32-bit code */
10616 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10617 - /* 16-bit code */
10618 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10619 - /* 16-bit data */
10620 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10621 - /* 16-bit data */
10622 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10623 - /* 16-bit data */
10624 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10626 - * The APM segments have byte granularity and their bases
10627 - * are set at run time. All have 64k limits.
10629 - /* 32-bit code */
10630 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10631 - /* 16-bit code */
10632 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10634 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10636 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10637 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10638 - GDT_STACK_CANARY_INIT
10641 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10643 static int __init x86_xsave_setup(char *s)
10645 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10646 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
10648 struct desc_ptr gdt_descr;
10650 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10651 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10652 gdt_descr.size = GDT_SIZE - 1;
10653 load_gdt(&gdt_descr);
10654 /* Reload the per-cpu base */
10655 @@ -825,6 +771,10 @@ static void __cpuinit identify_cpu(struc
10656 /* Filter out anything that depends on CPUID levels we don't have */
10657 filter_cpuid_features(c, true);
10659 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10660 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10663 /* If the model name is still unset, do table lookup. */
10664 if (!c->x86_model_id[0]) {
10666 @@ -1085,7 +1035,7 @@ struct pt_regs * __cpuinit idle_regs(str
10668 memset(regs, 0, sizeof(struct pt_regs));
10669 regs->fs = __KERNEL_PERCPU;
10670 - regs->gs = __KERNEL_STACK_CANARY;
10671 + savesegment(gs, regs->gs);
10675 @@ -1140,7 +1090,7 @@ void __cpuinit cpu_init(void)
10678 cpu = stack_smp_processor_id();
10679 - t = &per_cpu(init_tss, cpu);
10680 + t = init_tss + cpu;
10681 oist = &per_cpu(orig_ist, cpu);
10684 @@ -1166,7 +1116,7 @@ void __cpuinit cpu_init(void)
10685 switch_to_new_gdt(cpu);
10686 loadsegment(fs, 0);
10688 - load_idt((const struct desc_ptr *)&idt_descr);
10689 + load_idt(&idt_descr);
10691 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10693 @@ -1175,7 +1125,6 @@ void __cpuinit cpu_init(void)
10694 wrmsrl(MSR_KERNEL_GS_BASE, 0);
10697 - x86_configure_nx();
10701 @@ -1229,7 +1178,7 @@ void __cpuinit cpu_init(void)
10703 int cpu = smp_processor_id();
10704 struct task_struct *curr = current;
10705 - struct tss_struct *t = &per_cpu(init_tss, cpu);
10706 + struct tss_struct *t = init_tss + cpu;
10707 struct thread_struct *thread = &curr->thread;
10709 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10710 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.37/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10711 --- linux-2.6.37/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-01-04 19:50:19.000000000 -0500
10712 +++ linux-2.6.37/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-01-17 02:41:01.000000000 -0500
10713 @@ -481,7 +481,7 @@ static const struct dmi_system_id sw_any
10714 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10718 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10721 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10722 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.37/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10723 --- linux-2.6.37/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-01-04 19:50:19.000000000 -0500
10724 +++ linux-2.6.37/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-01-17 02:41:01.000000000 -0500
10725 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10726 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10727 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10730 + { NULL, NULL, 0, NULL}
10734 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/intel.c linux-2.6.37/arch/x86/kernel/cpu/intel.c
10735 --- linux-2.6.37/arch/x86/kernel/cpu/intel.c 2011-01-04 19:50:19.000000000 -0500
10736 +++ linux-2.6.37/arch/x86/kernel/cpu/intel.c 2011-01-17 02:41:01.000000000 -0500
10737 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
10738 * Update the IDT descriptor and reload the IDT so that
10739 * it uses the read-only mapped virtual address.
10741 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10742 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10743 load_idt(&idt_descr);
10746 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/Makefile linux-2.6.37/arch/x86/kernel/cpu/Makefile
10747 --- linux-2.6.37/arch/x86/kernel/cpu/Makefile 2011-01-04 19:50:19.000000000 -0500
10748 +++ linux-2.6.37/arch/x86/kernel/cpu/Makefile 2011-01-17 02:41:01.000000000 -0500
10749 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10750 CFLAGS_REMOVE_perf_event.o = -pg
10753 -# Make sure load_percpu_segment has no stackprotector
10754 -nostackp := $(call cc-option, -fno-stack-protector)
10755 -CFLAGS_common.o := $(nostackp)
10757 obj-y := intel_cacheinfo.o scattered.o topology.o
10758 obj-y += proc.o capflags.o powerflags.o common.o
10759 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
10760 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.37/arch/x86/kernel/cpu/mcheck/mce.c
10761 --- linux-2.6.37/arch/x86/kernel/cpu/mcheck/mce.c 2011-01-04 19:50:19.000000000 -0500
10762 +++ linux-2.6.37/arch/x86/kernel/cpu/mcheck/mce.c 2011-01-25 20:24:56.000000000 -0500
10764 #include <asm/ipi.h>
10765 #include <asm/mce.h>
10766 #include <asm/msr.h>
10767 +#include <asm/local.h>
10769 #include "mce-internal.h"
10771 @@ -219,7 +220,7 @@ static void print_mce(struct mce *m)
10772 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10775 - if (m->cs == __KERNEL_CS)
10776 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10777 print_symbol("{%s}", m->ip);
10780 @@ -1460,14 +1461,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10783 static DEFINE_SPINLOCK(mce_state_lock);
10784 -static int open_count; /* #times opened */
10785 +static local_t open_count; /* #times opened */
10786 static int open_exclu; /* already open exclusive? */
10788 static int mce_open(struct inode *inode, struct file *file)
10790 spin_lock(&mce_state_lock);
10792 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10793 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
10794 spin_unlock(&mce_state_lock);
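Review bot: `open_count` becomes a `local_t`, which is atomic only with respect to the current CPU, so its safety here rests entirely on `mce_state_lock` being held around every access. The declaration should say so, e.g. `static local_t open_count; /* #times opened; protected by mce_state_lock */`. The following hunks add `local_inc(&open_count)` in mce_open and `local_dec(&open_count)` in mce_release between the visible spin_lock/spin_unlock pairs, so the invariant holds as written. Without the comment, a later lockless reader could wrongly assume SMP atomicity. mce_open's body continues outside this hunk.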
10797 @@ -1475,7 +1476,7 @@ static int mce_open(struct inode *inode,
10799 if (file->f_flags & O_EXCL)
10802 + local_inc(&open_count);
10804 spin_unlock(&mce_state_lock);
10806 @@ -1486,7 +1487,7 @@ static int mce_release(struct inode *ino
10808 spin_lock(&mce_state_lock);
10811 + local_dec(&open_count);
10814 spin_unlock(&mce_state_lock);
10815 @@ -1673,6 +1674,7 @@ static struct miscdevice mce_log_device
10819 + {NULL, NULL}, NULL, NULL
10823 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.37/arch/x86/kernel/cpu/mtrr/generic.c
10824 --- linux-2.6.37/arch/x86/kernel/cpu/mtrr/generic.c 2011-01-04 19:50:19.000000000 -0500
10825 +++ linux-2.6.37/arch/x86/kernel/cpu/mtrr/generic.c 2011-01-17 02:41:01.000000000 -0500
10826 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10827 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10828 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10829 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
10834 static unsigned long smp_changes_mask;
10835 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.37/arch/x86/kernel/cpu/mtrr/main.c
10836 --- linux-2.6.37/arch/x86/kernel/cpu/mtrr/main.c 2011-01-04 19:50:19.000000000 -0500
10837 +++ linux-2.6.37/arch/x86/kernel/cpu/mtrr/main.c 2011-01-17 02:41:01.000000000 -0500
10838 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10839 u64 size_or_mask, size_and_mask;
10840 static bool mtrr_aps_delayed_init;
10842 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10843 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10845 const struct mtrr_ops *mtrr_if;
10847 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.37/arch/x86/kernel/cpu/mtrr/mtrr.h
10848 --- linux-2.6.37/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-01-04 19:50:19.000000000 -0500
10849 +++ linux-2.6.37/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-01-17 02:41:01.000000000 -0500
10850 @@ -12,19 +12,19 @@
10851 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10855 - u32 use_intel_if;
10856 - void (*set)(unsigned int reg, unsigned long base,
10857 + const u32 vendor;
10858 + const u32 use_intel_if;
10859 + void (* const set)(unsigned int reg, unsigned long base,
10860 unsigned long size, mtrr_type type);
10861 - void (*set_all)(void);
10862 + void (* const set_all)(void);
10864 - void (*get)(unsigned int reg, unsigned long *base,
10865 + void (* const get)(unsigned int reg, unsigned long *base,
10866 unsigned long *size, mtrr_type *type);
10867 - int (*get_free_region)(unsigned long base, unsigned long size,
10868 + int (* const get_free_region)(unsigned long base, unsigned long size,
10870 - int (*validate_add_page)(unsigned long base, unsigned long size,
10871 + int (* const validate_add_page)(unsigned long base, unsigned long size,
10872 unsigned int type);
10873 - int (*have_wrcomb)(void);
10874 + int (* const have_wrcomb)(void);
10877 extern int generic_get_free_region(unsigned long base, unsigned long size,
10878 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.37/arch/x86/kernel/cpu/perfctr-watchdog.c
10879 --- linux-2.6.37/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-01-04 19:50:19.000000000 -0500
10880 +++ linux-2.6.37/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-01-17 02:41:01.000000000 -0500
10881 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
10883 /* Interface defining a CPU specific perfctr watchdog */
10885 - int (*reserve)(void);
10886 - void (*unreserve)(void);
10887 - int (*setup)(unsigned nmi_hz);
10888 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10889 - void (*stop)(void);
10890 + int (* const reserve)(void);
10891 + void (* const unreserve)(void);
10892 + int (* const setup)(unsigned nmi_hz);
10893 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10894 + void (* const stop)(void);
10898 @@ -634,6 +634,7 @@ static const struct wd_ops p4_wd_ops = {
10899 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
10900 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
10902 +/* cannot be const, see probe_nmi_watchdog */
10903 static struct wd_ops intel_arch_wd_ops;
10905 static int setup_intel_arch_watchdog(unsigned nmi_hz)
10906 @@ -686,6 +687,7 @@ static int setup_intel_arch_watchdog(uns
10910 +/* cannot be const */
10911 static struct wd_ops intel_arch_wd_ops __read_mostly = {
10912 .reserve = single_msr_reserve,
10913 .unreserve = single_msr_unreserve,
10914 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/perf_event.c linux-2.6.37/arch/x86/kernel/cpu/perf_event.c
10915 --- linux-2.6.37/arch/x86/kernel/cpu/perf_event.c 2011-01-04 19:50:19.000000000 -0500
10916 +++ linux-2.6.37/arch/x86/kernel/cpu/perf_event.c 2011-01-17 02:41:01.000000000 -0500
10917 @@ -1757,7 +1757,7 @@ perf_callchain_user(struct perf_callchai
10920 perf_callchain_store(entry, frame.return_address);
10921 - fp = frame.next_frame;
10922 + fp = (__force const void __user *)frame.next_frame;
10926 diff -urNp linux-2.6.37/arch/x86/kernel/crash.c linux-2.6.37/arch/x86/kernel/crash.c
10927 --- linux-2.6.37/arch/x86/kernel/crash.c 2011-01-04 19:50:19.000000000 -0500
10928 +++ linux-2.6.37/arch/x86/kernel/crash.c 2011-01-17 02:41:01.000000000 -0500
10929 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
10932 #ifdef CONFIG_X86_32
10933 - if (!user_mode_vm(regs)) {
10934 + if (!user_mode(regs)) {
10935 crash_fixup_ss_esp(&fixed_regs, regs);
10936 regs = &fixed_regs;
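Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only equivalent if `user_mode()` has been changed elsewhere in this patch to also treat vm86 frames (X86_EFLAGS_VM set) as user mode. On an unmodified 32-bit kernel, user_mode() looks at the CS privilege bits only. That definition is not in view here, so the dependency should be stated in the patch description or in a comment at the redefinition. The same substitution is made in show_registers (dumpstack_32.c) and in __die and die (dumpstack.c), where a vm86 frame misclassified as kernel mode would take the kernel-only stack-dump and report_bug branches.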
10938 diff -urNp linux-2.6.37/arch/x86/kernel/doublefault_32.c linux-2.6.37/arch/x86/kernel/doublefault_32.c
10939 --- linux-2.6.37/arch/x86/kernel/doublefault_32.c 2011-01-04 19:50:19.000000000 -0500
10940 +++ linux-2.6.37/arch/x86/kernel/doublefault_32.c 2011-01-17 02:41:01.000000000 -0500
10943 #define DOUBLEFAULT_STACKSIZE (1024)
10944 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10945 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10946 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10948 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
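Review bot: The `-2` added to `STACK_START` is an unexplained magic number. It moves the initial double-fault stack pointer two `unsigned long` slots below the end of `doublefault_stack`, but nothing in the hunk says what those slots are reserved for. A one-line comment above the define stating what occupies the top two words would keep a later cleanup from reverting it. The hunk header for this change is missing from the listing, so the surrounding context could not be checked.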
10950 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
10951 unsigned long gdt, tss;
10953 store_gdt(&gdt_desc);
10954 - gdt = gdt_desc.address;
10955 + gdt = (unsigned long)gdt_desc.address;
10957 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10959 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
10960 /* 0x2 bit is always set */
10961 .flags = X86_EFLAGS_SF | 0x2,
10964 + .es = __KERNEL_DS,
10968 + .ds = __KERNEL_DS,
10969 .fs = __KERNEL_PERCPU,
10971 .__cr3 = __pa_nodebug(swapper_pg_dir),
10972 diff -urNp linux-2.6.37/arch/x86/kernel/dumpstack_32.c linux-2.6.37/arch/x86/kernel/dumpstack_32.c
10973 --- linux-2.6.37/arch/x86/kernel/dumpstack_32.c 2011-01-04 19:50:19.000000000 -0500
10974 +++ linux-2.6.37/arch/x86/kernel/dumpstack_32.c 2011-01-17 02:41:01.000000000 -0500
10975 @@ -105,11 +105,12 @@ void show_registers(struct pt_regs *regs
10976 * When in-kernel, we also print out the stack and code at the
10977 * time of the fault..
10979 - if (!user_mode_vm(regs)) {
10980 + if (!user_mode(regs)) {
10981 unsigned int code_prologue = code_bytes * 43 / 64;
10982 unsigned int code_len = code_bytes;
10985 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10987 printk(KERN_EMERG "Stack:\n");
10988 show_stack_log_lvl(NULL, regs, ®s->sp,
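Review bot: `cs_base` is read from the GDT with an index taken straight from the saved frame, `(0xffff & regs->cs) >> 3`, without checking the table-indicator bit or that the index is below the number of GDT entries. This runs on the oops path, where the saved registers may themselves be corrupt, so a bad selector becomes an out-of-bounds read in the middle of crash reporting. Guarding the lookup and falling back to a base of 0 would be safer, e.g. `if ((regs->cs & 4) || ((regs->cs & 0xffff) >> 3) >= GDT_ENTRIES) cs_base = 0;`. It is also worth confirming that `smp_processor_id()` is safe at this point, since the preemption state is not visible here. show_registers' body continues outside the hunk.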
10989 @@ -117,10 +118,10 @@ void show_registers(struct pt_regs *regs
10991 printk(KERN_EMERG "Code: ");
10993 - ip = (u8 *)regs->ip - code_prologue;
10994 + ip = (u8 *)regs->ip - code_prologue + cs_base;
10995 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10996 /* try starting at IP */
10997 - ip = (u8 *)regs->ip;
10998 + ip = (u8 *)regs->ip + cs_base;
10999 code_len = code_len - code_prologue + 1;
11001 for (i = 0; i < code_len; i++, ip++) {
11002 @@ -129,7 +130,7 @@ void show_registers(struct pt_regs *regs
11003 printk(" Bad EIP value.");
11006 - if (ip == (u8 *)regs->ip)
11007 + if (ip == (u8 *)regs->ip + cs_base)
11008 printk("<%02x> ", c);
11010 printk("%02x ", c);
11011 @@ -142,6 +143,7 @@ int is_valid_bugaddr(unsigned long ip)
11013 unsigned short ud2;
11015 + ip = ktla_ktva(ip);
11016 if (ip < PAGE_OFFSET)
11018 if (probe_kernel_address((unsigned short *)ip, ud2))
11019 diff -urNp linux-2.6.37/arch/x86/kernel/dumpstack.c linux-2.6.37/arch/x86/kernel/dumpstack.c
11020 --- linux-2.6.37/arch/x86/kernel/dumpstack.c 2011-01-04 19:50:19.000000000 -0500
11021 +++ linux-2.6.37/arch/x86/kernel/dumpstack.c 2011-01-17 02:41:01.000000000 -0500
11023 * Copyright (C) 1991, 1992 Linus Torvalds
11024 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11026 +#ifdef CONFIG_GRKERNSEC_HIDESYM
11027 +#define __INCLUDED_BY_HIDESYM 1
11029 #include <linux/kallsyms.h>
11030 #include <linux/kprobes.h>
11031 #include <linux/uaccess.h>
11032 @@ -27,7 +30,7 @@ static int die_counter;
11034 void printk_address(unsigned long address, int reliable)
11036 - printk(" [<%p>] %s%pS\n", (void *) address,
11037 + printk(" [<%p>] %s%pA\n", (void *) address,
11038 reliable ? "" : "? ", (void *) address);
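Review bot: `%pA` is not explained at this call site. It is presumably a pointer-format extension added elsewhere in this patch and tied to the `__INCLUDED_BY_HIDESYM` define introduced at the top of the file. A short comment above the printk naming what `%pA` does differently from `%pS` would make that dependency visible. The first conversion in the same format string still prints the address with `%p`, so if the aim is to keep kernel addresses out of the log, confirm that case is handled on the formatting side as well. The formatter changes are outside this listing.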
11041 @@ -206,7 +209,7 @@ void dump_stack(void)
11044 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11045 - current->pid, current->comm, current->xid, print_tainted(),
11046 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
11047 init_utsname()->release,
11048 (int)strcspn(init_utsname()->version, " "),
11049 init_utsname()->version);
11050 @@ -262,7 +265,7 @@ void __kprobes oops_end(unsigned long fl
11051 panic("Fatal exception in interrupt");
11053 panic("Fatal exception");
11055 + do_group_exit(signr);
11058 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
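Review bot: The added `do_group_exit(signr)` at the end of oops_end takes down every thread in the oopsing task's thread group, which is a policy change that deserves a comment at the call. The removed line is not shown in this listing, so the previous behaviour is inferred to have ended only the current task. If the intent is that sibling threads sharing the faulting address space should not keep running, a comment such as `/* terminate the whole thread group, not just the oopsing task */` would record it. oops_end's body starts outside the hunk.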
11059 @@ -289,7 +292,7 @@ int __kprobes __die(const char *str, str
11061 show_registers(regs);
11062 #ifdef CONFIG_X86_32
11063 - if (user_mode_vm(regs)) {
11064 + if (user_mode(regs)) {
11066 ss = regs->ss & 0xffff;
11068 @@ -317,7 +320,7 @@ void die(const char *str, struct pt_regs
11069 unsigned long flags = oops_begin();
11072 - if (!user_mode_vm(regs))
11073 + if (!user_mode(regs))
11074 report_bug(regs->ip, regs);
11076 if (__die(str, regs, err))
11077 diff -urNp linux-2.6.37/arch/x86/kernel/entry_32.S linux-2.6.37/arch/x86/kernel/entry_32.S
11078 --- linux-2.6.37/arch/x86/kernel/entry_32.S 2011-01-04 19:50:19.000000000 -0500
11079 +++ linux-2.6.37/arch/x86/kernel/entry_32.S 2011-01-17 02:41:01.000000000 -0500
11080 @@ -183,13 +183,81 @@
11081 /*CFI_REL_OFFSET gs, PT_GS*/
11083 .macro SET_KERNEL_GS reg
11085 +#ifdef CONFIG_CC_STACKPROTECTOR
11086 movl $(__KERNEL_STACK_CANARY), \reg
11087 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
11088 + movl $(__USER_DS), \reg
11096 #endif /* CONFIG_X86_32_LAZY_GS */
11099 +.macro PAX_EXIT_KERNEL
11100 +#ifdef CONFIG_PAX_KERNEXEC
11101 +#ifdef CONFIG_PARAVIRT
11102 + push %eax; push %ecx
11105 + cmp $__KERNEXEC_KERNEL_CS, %esi
11107 +#ifdef CONFIG_PARAVIRT
11108 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11114 + ljmp $__KERNEL_CS, $1f
11116 +#ifdef CONFIG_PARAVIRT
11118 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11123 +#ifdef CONFIG_PARAVIRT
11124 + pop %ecx; pop %eax
11129 +.macro PAX_ENTER_KERNEL
11130 +#ifdef CONFIG_PAX_KERNEXEC
11131 +#ifdef CONFIG_PARAVIRT
11132 + push %eax; push %ecx
11133 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11141 + cmp $__KERNEL_CS, %esi
11143 + ljmp $__KERNEL_CS, $3f
11144 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11146 +#ifdef CONFIG_PARAVIRT
11148 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11153 +#ifdef CONFIG_PARAVIRT
11154 + pop %ecx; pop %eax
11159 +.macro __SAVE_ALL _DS
11163 @@ -212,7 +280,7 @@
11164 CFI_REL_OFFSET ecx, 0
11166 CFI_REL_OFFSET ebx, 0
11167 - movl $(__USER_DS), %edx
11171 movl $(__KERNEL_PERCPU), %edx
11172 @@ -220,6 +288,15 @@
11177 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11178 + __SAVE_ALL __KERNEL_DS
11181 + __SAVE_ALL __USER_DS
11185 .macro RESTORE_INT_REGS
11188 @@ -330,7 +407,15 @@ check_userspace:
11189 movb PT_CS(%esp), %al
11190 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11191 cmpl $USER_RPL, %eax
11193 +#ifdef CONFIG_PAX_KERNEXEC
11194 + jae resume_userspace
11197 + jmp resume_kernel
11199 jb resume_kernel # not returning to v8086 or userspace
11202 ENTRY(resume_userspace)
11204 @@ -392,10 +477,9 @@ sysenter_past_esp:
11205 /*CFI_REL_OFFSET cs, 0*/
11207 * Push current_thread_info()->sysenter_return to the stack.
11208 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11209 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
11211 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE_asm+8+4*4)(%esp)
11212 + GET_THREAD_INFO(%ebp)
11213 + pushl_cfi TI_sysenter_return(%ebp)
11214 CFI_REL_OFFSET eip, 0
11217 @@ -406,9 +490,19 @@ sysenter_past_esp:
11218 * Load the potential sixth argument from user stack.
11219 * Careful about security.
11221 + movl PT_OLDESP(%esp),%ebp
11223 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11224 + mov PT_OLDSS(%esp),%ds
11225 +1: movl %ds:(%ebp),%ebp
11229 cmpl $__PAGE_OFFSET-3,%ebp
11231 1: movl (%ebp),%ebp
11234 movl %ebp,PT_EBP(%esp)
11235 .section __ex_table,"a"
11237 @@ -431,12 +525,23 @@ sysenter_do_call:
11238 testl $_TIF_ALLWORK_MASK, %ecx
11242 +#ifdef CONFIG_PAX_RANDKSTACK
11244 + CFI_ADJUST_CFA_OFFSET 4
11245 + call pax_randomize_kstack
11247 + CFI_ADJUST_CFA_OFFSET -4
11250 /* if something modifies registers it must also disable sysexit */
11251 movl PT_EIP(%esp), %edx
11252 movl PT_OLDESP(%esp), %ecx
11255 1: mov PT_FS(%esp), %fs
11256 +2: mov PT_DS(%esp), %ds
11257 +3: mov PT_ES(%esp), %es
11259 ENABLE_INTERRUPTS_SYSEXIT
11261 @@ -479,11 +584,17 @@ sysexit_audit:
11264 .pushsection .fixup,"ax"
11265 -2: movl $0,PT_FS(%esp)
11266 +4: movl $0,PT_FS(%esp)
11268 +5: movl $0,PT_DS(%esp)
11270 +6: movl $0,PT_ES(%esp)
11272 .section __ex_table,"a"
11280 ENDPROC(ia32_sysenter_target)
11281 @@ -516,6 +627,10 @@ syscall_exit:
11282 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11283 jne syscall_exit_work
11285 +#ifdef CONFIG_PAX_RANDKSTACK
11286 + call pax_randomize_kstack
11291 restore_all_notrace:
11292 @@ -575,14 +690,21 @@ ldt_ss:
11293 * compensating for the offset by changing to the ESPFIX segment with
11294 * a base address that matches for the difference.
11296 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11297 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11298 mov %esp, %edx /* load kernel esp */
11299 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11300 mov %dx, %ax /* eax: new kernel esp */
11301 sub %eax, %edx /* offset (low word is 0) */
11303 + movl PER_CPU_VAR(cpu_number), %ebx
11304 + shll $PAGE_SHIFT_asm, %ebx
11305 + addl $cpu_gdt_table, %ebx
11307 + movl $cpu_gdt_table, %ebx
11310 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11311 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11312 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11313 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11314 pushl_cfi $__ESPFIX_SS
11315 pushl_cfi %eax /* new kernel esp */
11316 /* Disable interrupts, but do not irqtrace this section: we
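Review bot: `GDT_ESPFIX_SS` now expands to an `%ebx`-relative operand, so the macro silently requires `%ebx` to hold the current CPU's GDT base, and the added `movl`/`shll`/`addl` sequence clobbers `%ebx` in ldt_ss. Neither fact is stated near the define; a comment such as `/* needs %ebx = this CPU's cpu_gdt_table page; clobbers %ebx */` would help. It is worth confirming `%ebx` is dead at this point, since the surrounding code is outside the hunk. The same pattern appears in FIXUP_ESPFIX_STACK later in this file, and in entry_64.S where `INIT_TSS_IST(x)` becomes `%r12`-relative.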
11317 @@ -617,23 +739,17 @@ work_resched:
11319 work_notifysig: # deal with pending signals and
11320 # notify-resume requests
11323 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11325 - jne work_notifysig_v86 # returning to kernel-space or
11326 + jz 1f # returning to kernel-space or
11329 - call do_notify_resume
11330 - jmp resume_userspace_sig
11333 -work_notifysig_v86:
11334 pushl_cfi %ecx # save ti_flags for do_notify_resume
11335 call save_v86_state # %eax contains pt_regs pointer
11343 call do_notify_resume
11344 @@ -668,6 +784,10 @@ END(syscall_exit_work)
11346 RING0_INT_FRAME # can't unwind into user space anyway
11348 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11352 GET_THREAD_INFO(%ebp)
11353 movl $-EFAULT,PT_EAX(%esp)
11354 jmp resume_userspace
11355 @@ -750,6 +870,36 @@ ptregs_clone:
11357 ENDPROC(ptregs_clone)
11360 +ENTRY(kernel_execve)
11363 + sub $PT_OLDSS+4,%esp
11367 + lea 3*4(%esp),%edi
11368 + mov $PT_OLDSS/4+1,%ecx
11374 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
11378 + CFI_ADJUST_CFA_OFFSET -4
11379 + GET_THREAD_INFO(%ebp)
11382 + add $PT_OLDSS+4,%esp
11383 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
11387 +ENDPROC(kernel_execve)
11389 .macro FIXUP_ESPFIX_STACK
11391 * Switch back for ESPFIX stack to the normal zerobased stack
11392 @@ -759,8 +909,15 @@ ENDPROC(ptregs_clone)
11393 * normal stack and adjusts ESP with the matching offset.
11395 /* fixup the stack */
11396 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
11397 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
11399 + movl PER_CPU_VAR(cpu_number), %ebx
11400 + shll $PAGE_SHIFT_asm, %ebx
11401 + addl $cpu_gdt_table, %ebx
11403 + movl $cpu_gdt_table, %ebx
11405 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
11406 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
11408 addl %esp, %eax /* the adjusted stack pointer */
11409 pushl_cfi $__KERNEL_DS
11410 @@ -1211,7 +1368,6 @@ return_to_handler:
11414 -.section .rodata,"a"
11415 #include "syscall_table_32.S"
11417 syscall_table_size=(.-sys_call_table)
11418 @@ -1257,9 +1413,12 @@ error_code:
11419 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11422 - movl $(__USER_DS), %ecx
11423 + movl $(__KERNEL_DS), %ecx
11430 movl %esp,%eax # pt_regs pointer
11432 @@ -1344,6 +1503,9 @@ nmi_stack_correct:
11433 xorl %edx,%edx # zero error code
11434 movl %esp,%eax # pt_regs pointer
11439 jmp restore_all_notrace
11442 @@ -1380,6 +1542,9 @@ nmi_espfix_stack:
11443 FIXUP_ESPFIX_STACK # %eax == %esp
11444 xorl %edx,%edx # zero error code
11450 lss 12+4(%esp), %esp # back to espfix stack
11451 CFI_ADJUST_CFA_OFFSET -24
11452 diff -urNp linux-2.6.37/arch/x86/kernel/entry_64.S linux-2.6.37/arch/x86/kernel/entry_64.S
11453 --- linux-2.6.37/arch/x86/kernel/entry_64.S 2011-01-04 19:50:19.000000000 -0500
11454 +++ linux-2.6.37/arch/x86/kernel/entry_64.S 2011-01-17 02:41:01.000000000 -0500
11456 #include <asm/paravirt.h>
11457 #include <asm/ftrace.h>
11458 #include <asm/percpu.h>
11459 +#include <asm/pgtable.h>
11461 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11462 #include <linux/elf-em.h>
11463 @@ -174,6 +175,189 @@ ENTRY(native_usergs_sysret64)
11464 ENDPROC(native_usergs_sysret64)
11465 #endif /* CONFIG_PARAVIRT */
11467 + .macro ljmpq sel, off
11468 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11469 + .byte 0x48; ljmp *1234f(%rip)
11470 + .pushsection .rodata
11472 + 1234: .quad \off; .word \sel
11481 +ENTRY(pax_enter_kernel)
11483 +#ifdef CONFIG_PAX_KERNEXEC
11486 +#ifdef CONFIG_PARAVIRT
11487 + PV_SAVE_REGS(CLBR_RDI)
11494 + cmp $__KERNEL_CS,%edi
11496 + ljmpq __KERNEL_CS,3f
11497 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11498 +2: SET_RDI_INTO_CR0
11501 +#ifdef CONFIG_PARAVIRT
11502 + PV_RESTORE_REGS(CLBR_RDI)
11509 +ENDPROC(pax_enter_kernel)
11511 +ENTRY(pax_exit_kernel)
11513 +#ifdef CONFIG_PAX_KERNEXEC
11516 +#ifdef CONFIG_PARAVIRT
11517 + PV_SAVE_REGS(CLBR_RDI)
11521 + cmp $__KERNEXEC_KERNEL_CS,%edi
11525 + ljmpq __KERNEL_CS,1f
11526 +1: SET_RDI_INTO_CR0
11529 +#ifdef CONFIG_PARAVIRT
11530 + PV_RESTORE_REGS(CLBR_RDI);
11537 +ENDPROC(pax_exit_kernel)
11539 +ENTRY(pax_enter_kernel_user)
11541 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11545 +#ifdef CONFIG_PARAVIRT
11546 + PV_SAVE_REGS(CLBR_RDI)
11551 + add $__START_KERNEL_map,%rbx
11552 + sub phys_base(%rip),%rbx
11554 +#ifdef CONFIG_PARAVIRT
11556 + cmpl $0, pv_info+PARAVIRT_enabled
11559 + .rept USER_PGD_PTRS
11560 + mov i*8(%rbx),%rsi
11562 + lea i*8(%rbx),%rdi
11563 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11571 + .rept USER_PGD_PTRS
11572 + movb $0,i*8(%rbx)
11576 +#ifdef CONFIG_PARAVIRT
11581 +#ifdef CONFIG_PAX_KERNEXEC
11587 +#ifdef CONFIG_PARAVIRT
11588 + PV_RESTORE_REGS(CLBR_RDI)
11596 +ENDPROC(pax_enter_kernel_user)
11598 +ENTRY(pax_exit_kernel_user)
11600 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11603 +#ifdef CONFIG_PARAVIRT
11605 + PV_SAVE_REGS(CLBR_RDI)
11608 +#ifdef CONFIG_PAX_KERNEXEC
11615 + add $__START_KERNEL_map,%rdi
11616 + sub phys_base(%rip),%rdi
11618 +#ifdef CONFIG_PARAVIRT
11619 + cmpl $0, pv_info+PARAVIRT_enabled
11623 + .rept USER_PGD_PTRS
11624 + mov i*8(%rbx),%rsi
11626 + lea i*8(%rbx),%rdi
11627 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11635 + .rept USER_PGD_PTRS
11636 + movb $0x67,i*8(%rdi)
11640 +#ifdef CONFIG_PARAVIRT
11641 +2: PV_RESTORE_REGS(CLBR_RDI)
11649 +ENDPROC(pax_exit_kernel_user)
11651 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11652 #ifdef CONFIG_TRACE_IRQFLAGS
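Review bot: `movb $0x67,i*8(%rdi)` in pax_exit_kernel_user writes a bare magic byte into each of the `USER_PGD_PTRS` entries, mirroring the `movb $0,i*8(%rbx)` loop in pax_enter_kernel_user. 0x67 matches the x86 present, writable, user, accessed and dirty flag bits (0x01|0x02|0x04|0x20|0x40). Spelling it with the `_PAGE_*` names, if they are usable from assembly here, or adding a comment such as `/* restore P|RW|US|A|D in the low byte of each user PGD entry */`, would make the pairing with the zeroing loop reviewable. Many lines of this hunk are missing from the listing, so the register setup around both loops could not be checked.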
11653 @@ -312,7 +496,7 @@ ENTRY(save_args)
11654 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
11655 movq_cfi rbp, 8 /* push %rbp */
11656 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11657 - testl $3, CS(%rdi)
11658 + testb $3, CS(%rdi)
11662 @@ -403,7 +587,7 @@ ENTRY(ret_from_fork)
11666 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11667 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11668 je int_ret_from_sys_call
11670 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11671 @@ -462,6 +646,11 @@ ENTRY(system_call_after_swapgs)
11673 movq %rsp,PER_CPU_VAR(old_rsp)
11674 movq PER_CPU_VAR(kernel_stack),%rsp
11676 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11677 + call pax_enter_kernel_user
11681 * No need to follow this irqs off/on section - it's straight
11683 @@ -496,6 +685,11 @@ sysret_check:
11688 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11689 + call pax_exit_kernel_user
11693 * sysretq will re-enable interrupts:
11695 @@ -605,7 +799,7 @@ tracesys:
11696 GLOBAL(int_ret_from_sys_call)
11697 DISABLE_INTERRUPTS(CLBR_NONE)
11699 - testl $3,CS-ARGOFFSET(%rsp)
11700 + testb $3,CS-ARGOFFSET(%rsp)
11701 je retint_restore_args
11702 movl $_TIF_ALLWORK_MASK,%edi
11703 /* edi: mask to check */
11704 @@ -786,6 +980,16 @@ END(interrupt)
11705 CFI_ADJUST_CFA_OFFSET ORIG_RAX-ARGOFFSET+8
11708 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11709 + testb $3, CS(%rdi)
11711 + call pax_enter_kernel
11713 +1: call pax_enter_kernel_user
11716 + call pax_enter_kernel
11721 @@ -813,7 +1017,7 @@ ret_from_intr:
11722 CFI_ADJUST_CFA_OFFSET -8
11724 GET_THREAD_INFO(%rcx)
11725 - testl $3,CS-ARGOFFSET(%rsp)
11726 + testb $3,CS-ARGOFFSET(%rsp)
11729 /* Interrupt came from user space */
11730 @@ -835,12 +1039,18 @@ retint_swapgs: /* return to user-space
11731 * The iretq could re-enable interrupts:
11733 DISABLE_INTERRUPTS(CLBR_ANY)
11735 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11736 + call pax_exit_kernel_user
11743 retint_restore_args: /* return to kernel space */
11744 DISABLE_INTERRUPTS(CLBR_ANY)
11745 + call pax_exit_kernel
11747 * The iretq could re-enable interrupts:
11749 @@ -1012,6 +1222,16 @@ ENTRY(\sym)
11750 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11753 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11754 + testb $3, CS(%rsp)
11756 + call pax_enter_kernel
11758 +1: call pax_enter_kernel_user
11761 + call pax_enter_kernel
11763 movq %rsp,%rdi /* pt_regs pointer */
11764 xorl %esi,%esi /* no error code */
11766 @@ -1029,6 +1249,16 @@ ENTRY(\sym)
11767 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11770 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11771 + testb $3, CS(%rsp)
11773 + call pax_enter_kernel
11775 +1: call pax_enter_kernel_user
11778 + call pax_enter_kernel
11780 movq %rsp,%rdi /* pt_regs pointer */
11781 xorl %esi,%esi /* no error code */
11783 @@ -1037,7 +1267,7 @@ ENTRY(\sym)
11787 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
11788 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
11789 .macro paranoidzeroentry_ist sym do_sym ist
11792 @@ -1047,8 +1277,24 @@ ENTRY(\sym)
11793 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11796 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11797 + testb $3, CS(%rsp)
11799 + call pax_enter_kernel
11801 +1: call pax_enter_kernel_user
11804 + call pax_enter_kernel
11806 movq %rsp,%rdi /* pt_regs pointer */
11807 xorl %esi,%esi /* no error code */
11809 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11810 + lea init_tss(%r12), %r12
11812 + lea init_tss(%rip), %r12
11814 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
11816 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
11817 @@ -1065,6 +1311,16 @@ ENTRY(\sym)
11818 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11821 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11822 + testb $3, CS(%rsp)
11824 + call pax_enter_kernel
11826 +1: call pax_enter_kernel_user
11829 + call pax_enter_kernel
11831 movq %rsp,%rdi /* pt_regs pointer */
11832 movq ORIG_RAX(%rsp),%rsi /* get error code */
11833 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11834 @@ -1084,6 +1340,16 @@ ENTRY(\sym)
11838 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11839 + testb $3, CS(%rsp)
11841 + call pax_enter_kernel
11843 +1: call pax_enter_kernel_user
11846 + call pax_enter_kernel
11848 movq %rsp,%rdi /* pt_regs pointer */
11849 movq ORIG_RAX(%rsp),%rsi /* get error code */
11850 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11851 @@ -1343,14 +1609,27 @@ ENTRY(paranoid_exit)
11853 testl %ebx,%ebx /* swapgs needed? */
11854 jnz paranoid_restore
11855 - testl $3,CS(%rsp)
11856 + testb $3,CS(%rsp)
11857 jnz paranoid_userspace
11858 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11859 + call pax_exit_kernel
11860 + TRACE_IRQS_IRETQ 0
11861 + SWAPGS_UNSAFE_STACK
11866 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11867 + call pax_exit_kernel_user
11869 + call pax_exit_kernel
11872 SWAPGS_UNSAFE_STACK
11876 + call pax_exit_kernel
11880 @@ -1408,7 +1687,7 @@ ENTRY(error_entry)
11881 movq_cfi r14, R14+8
11882 movq_cfi r15, R15+8
11884 - testl $3,CS+8(%rsp)
11885 + testb $3,CS+8(%rsp)
11886 je error_kernelspace
11889 @@ -1472,6 +1751,16 @@ ENTRY(nmi)
11890 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11893 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11894 + testb $3, CS(%rsp)
11896 + call pax_enter_kernel
11898 +1: call pax_enter_kernel_user
11901 + call pax_enter_kernel
11903 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11906 @@ -1482,11 +1771,12 @@ ENTRY(nmi)
11907 DISABLE_INTERRUPTS(CLBR_NONE)
11908 testl %ebx,%ebx /* swapgs needed? */
11910 - testl $3,CS(%rsp)
11911 + testb $3,CS(%rsp)
11914 SWAPGS_UNSAFE_STACK
11916 + call pax_exit_kernel
11920 diff -urNp linux-2.6.37/arch/x86/kernel/ftrace.c linux-2.6.37/arch/x86/kernel/ftrace.c
11921 --- linux-2.6.37/arch/x86/kernel/ftrace.c 2011-01-04 19:50:19.000000000 -0500
11922 +++ linux-2.6.37/arch/x86/kernel/ftrace.c 2011-01-17 02:41:01.000000000 -0500
11923 @@ -174,7 +174,9 @@ void ftrace_nmi_enter(void)
11925 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11927 + pax_open_kernel();
11929 + pax_close_kernel();
11930 atomic_inc(&nmi_update_count);
11932 /* Must have previous changes seen before executions */
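Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair added in ftrace_nmi_enter runs in NMI context, so it can interrupt another code path that is already inside its own open/close section. Whether the pair tolerates that nesting, and whether the close here leaves the interrupted section's state intact, depends on definitions outside this listing. A comment at this call site stating the nesting rule would settle it for reviewers. The call that the pair wraps is not visible in this listing.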
11933 @@ -268,6 +270,8 @@ ftrace_modify_code(unsigned long ip, uns
11935 unsigned char replaced[MCOUNT_INSN_SIZE];
11937 + ip = ktla_ktva(ip);
11940 * Note: Due to modules and __init, code can
11941 * disappear and change, we need to protect against faulting
11942 @@ -324,7 +328,7 @@ int ftrace_update_ftrace_func(ftrace_fun
11943 unsigned char old[MCOUNT_INSN_SIZE], *new;
11946 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11947 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11948 new = ftrace_call_replace(ip, (unsigned long)func);
11949 ret = ftrace_modify_code(ip, old, new);
11951 @@ -350,6 +354,8 @@ static int ftrace_mod_jmp(unsigned long
11953 unsigned char code[MCOUNT_INSN_SIZE];
11955 + ip = ktla_ktva(ip);
11957 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11960 diff -urNp linux-2.6.37/arch/x86/kernel/head32.c linux-2.6.37/arch/x86/kernel/head32.c
11961 --- linux-2.6.37/arch/x86/kernel/head32.c 2011-01-04 19:50:19.000000000 -0500
11962 +++ linux-2.6.37/arch/x86/kernel/head32.c 2011-01-17 02:41:01.000000000 -0500
11964 #include <asm/io_apic.h>
11965 #include <asm/bios_ebda.h>
11966 #include <asm/tlbflush.h>
11967 +#include <asm/boot.h>
11969 static void __init i386_default_early_setup(void)
11971 @@ -43,7 +44,7 @@ void __init i386_start_kernel(void)
11972 memblock_x86_reserve_range(PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE");
11975 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11976 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11978 #ifdef CONFIG_BLK_DEV_INITRD
11979 /* Reserve INITRD */
11980 diff -urNp linux-2.6.37/arch/x86/kernel/head_32.S linux-2.6.37/arch/x86/kernel/head_32.S
11981 --- linux-2.6.37/arch/x86/kernel/head_32.S 2011-01-04 19:50:19.000000000 -0500
11982 +++ linux-2.6.37/arch/x86/kernel/head_32.S 2011-01-25 20:24:56.000000000 -0500
11984 /* Physical address */
11985 #define pa(X) ((X) - __PAGE_OFFSET)
11987 +#ifdef CONFIG_PAX_KERNEXEC
11990 +#define ta(X) ((X) - __PAGE_OFFSET)
11994 * References to members of the new_cpu_data structure.
11997 * and small than max_low_pfn, otherwise will waste some page table entries
12000 -#if PTRS_PER_PMD > 1
12001 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
12003 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
12005 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
12007 /* Number of possible pages in the lowmem region */
12008 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
12009 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
12010 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12013 + * Real beginning of normal "text" segment
12019 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
12020 * %esi points to the real-mode code as a 32-bit pointer.
12021 * CS and DS must be 4 GB flat segments, but we don't depend on
12022 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12027 +#ifdef CONFIG_PAX_KERNEXEC
12029 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
12030 +.fill PAGE_SIZE-5,1,0xcc
12034 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
12035 us to not reload segments */
12036 @@ -101,6 +116,57 @@ ENTRY(startup_32)
12041 + movl $pa(cpu_gdt_table),%edi
12042 + movl $__per_cpu_load,%eax
12043 + movw %ax,__KERNEL_PERCPU + 2(%edi)
12045 + movb %al,__KERNEL_PERCPU + 4(%edi)
12046 + movb %ah,__KERNEL_PERCPU + 7(%edi)
12047 + movl $__per_cpu_end - 1,%eax
12048 + subl $__per_cpu_start,%eax
12049 + movw %ax,__KERNEL_PERCPU + 0(%edi)
12052 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12053 + movl $NR_CPUS,%ecx
12054 + movl $pa(cpu_gdt_table),%edi
12056 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
12057 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
12058 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
12059 + addl $PAGE_SIZE_asm,%edi
12063 +#ifdef CONFIG_PAX_KERNEXEC
12064 + movl $pa(boot_gdt),%edi
12065 + movl $__LOAD_PHYSICAL_ADDR,%eax
12066 + movw %ax,__BOOT_CS + 2(%edi)
12068 + movb %al,__BOOT_CS + 4(%edi)
12069 + movb %ah,__BOOT_CS + 7(%edi)
12072 + ljmp $(__BOOT_CS),$1f
12075 + movl $NR_CPUS,%ecx
12076 + movl $pa(cpu_gdt_table),%edi
12077 + addl $__PAGE_OFFSET,%eax
12079 + movw %ax,__KERNEL_CS + 2(%edi)
12080 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
12082 + movb %al,__KERNEL_CS + 4(%edi)
12083 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
12084 + movb %ah,__KERNEL_CS + 7(%edi)
12085 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
12087 + addl $PAGE_SIZE_asm,%edi
12092 * Clear BSS first so that there are no surprises...
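Review bot: The three immediates written under CONFIG_PAX_MEMORY_UDEREF (`0x00c09700`, `0x00c0fb00`, `0x00c0f300`) are raw descriptor high dwords with no explanation, which makes the segment layout this protection depends on hard to audit. Decoded, type byte 0x97 makes the kernel data segment a ring-0 expand-down segment and 0xfb/0xf3 are ring-3 code/data, with limit bits 19:16 taken from `__PAGE_OFFSET-1`. A comment above them would record that, e.g. `/* UDEREF: limit[19:16] from __PAGE_OFFSET-1; 0x97 = ring-0 expand-down data, 0xfb/0xf3 = ring-3 code/data */`. The byte-wise base patching of `__BOOT_CS` and `__KERNEL_CS`/`__KERNEXEC_KERNEL_CS` further down in the hunk would benefit from the same treatment.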
12094 @@ -150,9 +216,7 @@ ENTRY(startup_32)
12095 cmpl $num_subarch_entries, %eax
12098 - movl pa(subarch_entries)(,%eax,4), %eax
12099 - subl $__PAGE_OFFSET, %eax
12101 + jmp *pa(subarch_entries)(,%eax,4)
12105 @@ -164,10 +228,10 @@ WEAK(xen_entry)
12109 - .long default_entry /* normal x86/PC */
12110 - .long lguest_entry /* lguest hypervisor */
12111 - .long xen_entry /* Xen hypervisor */
12112 - .long default_entry /* Moorestown MID */
12113 + .long ta(default_entry) /* normal x86/PC */
12114 + .long ta(lguest_entry) /* lguest hypervisor */
12115 + .long ta(xen_entry) /* Xen hypervisor */
12116 + .long ta(default_entry) /* Moorestown MID */
12117 num_subarch_entries = (. - subarch_entries) / 4
12119 #endif /* CONFIG_PARAVIRT */
12120 @@ -227,8 +291,11 @@ default_entry:
12121 movl %eax, pa(max_pfn_mapped)
12123 /* Do early initialization of the fixmap area */
12124 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12125 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
12126 +#ifdef CONFIG_COMPAT_VDSO
12127 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
12129 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
12131 #else /* Not PAE */
12133 page_pde_offset = (__PAGE_OFFSET >> 20);
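Review bot: `_PAGE_USER` is added to the fixmap page-directory entry under CONFIG_COMPAT_VDSO with no comment saying which mapping needs it. A user bit at directory level leaves user access to everything below that entry to the individual page-table entries, so the reason should be written down, along with the expectation that the remaining fixmap PTEs stay supervisor-only. For example: `/* COMPAT_VDSO: the vdso page in the fixmap must be user-readable; all other fixmap PTEs stay supervisor-only */`. That the vdso is the only user-visible fixmap page is inferred from the option name and should be confirmed. The non-PAE hunk that follows makes the same change to `initial_page_table+0xffc`.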
12134 @@ -258,8 +325,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12135 movl %eax, pa(max_pfn_mapped)
12137 /* Do early initialization of the fixmap area */
12138 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12139 - movl %eax,pa(initial_page_table+0xffc)
12140 +#ifdef CONFIG_COMPAT_VDSO
12141 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
12143 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
12148 @@ -306,6 +376,7 @@ ENTRY(startup_32_smp)
12152 +#ifdef CONFIG_X86_PAE
12153 testb $X86_CR4_PAE, %al # check if PAE is enabled
12156 @@ -330,6 +401,9 @@ ENTRY(startup_32_smp)
12157 /* Make changes effective */
12160 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
12166 @@ -355,9 +429,7 @@ ENTRY(startup_32_smp)
12170 - jz 1f /* Initial CPU cleans BSS */
12173 + jnz checkCPUtype /* Initial CPU cleans BSS */
12174 #endif /* CONFIG_SMP */
12177 @@ -435,7 +507,7 @@ is386: movl $2,%ecx # set MP
12178 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
12179 movl %eax,%ss # after changing gdt.
12181 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
12182 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
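Review bot: The added line is a commented-out instruction, `# movl $(__KERNEL_DS),%eax`, so DS/ES are now loaded from whatever %eax holds at that point; in the visible context that is `__KERNEL_DS` from the load two lines above. Dead code in a comment reads like a leftover, and the dependency on the earlier load is easy to break if an instruction is later inserted between them. Replace it with a real comment such as `/* %eax still holds __KERNEL_DS from the %ss reload above: DS/ES get the kernel segment */`. The instructions that consume %eax are not shown in this hunk as rendered.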
12186 @@ -449,15 +521,22 @@ is386: movl $2,%ecx # set MP
12190 - movl $gdt_page,%eax
12191 + movl $cpu_gdt_table,%eax
12192 movl $stack_canary,%ecx
12194 + addl $__per_cpu_load,%ecx
12196 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
12198 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
12199 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
12202 movl $(__KERNEL_STACK_CANARY),%eax
12203 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
12204 + movl $(__USER_DS),%eax
12210 xorl %eax,%eax # Clear LDT
12211 @@ -468,10 +547,6 @@ is386: movl $2,%ecx # set MP
12215 - cmpb $0,%cl # the first CPU calls start_kernel
12217 - movl (stack_start), %esp
12219 #endif /* CONFIG_SMP */
12220 jmp *(initial_code)
12222 @@ -557,22 +632,22 @@ early_page_fault:
12227 #ifdef CONFIG_PRINTK
12228 + cmpl $1,%ss:early_recursion_flag
12230 + incl %ss:early_recursion_flag
12233 movl $(__KERNEL_DS),%eax
12236 - cmpl $2,early_recursion_flag
12238 - incl early_recursion_flag
12241 pushl %edx /* trapno */
12250 @@ -580,8 +655,11 @@ hlt_loop:
12251 /* This is the default interrupt "handler" :-) */
12255 #ifdef CONFIG_PRINTK
12256 + cmpl $2,%ss:early_recursion_flag
12258 + incl %ss:early_recursion_flag
12263 @@ -590,9 +668,6 @@ ignore_int:
12264 movl $(__KERNEL_DS),%eax
12267 - cmpl $2,early_recursion_flag
12269 - incl early_recursion_flag
12273 @@ -619,29 +694,43 @@ ENTRY(initial_code)
12277 -__PAGE_ALIGNED_BSS
12278 - .align PAGE_SIZE_asm
12279 #ifdef CONFIG_X86_PAE
12280 +.section .initial_pg_pmd,"a",@progbits
12281 ENTRY(initial_pg_pmd)
12282 .fill 1024*KPMDS,4,0
12284 +.section .initial_page_table,"a",@progbits
12285 ENTRY(initial_page_table)
12288 +.section .initial_pg_fixmap,"a",@progbits
12289 ENTRY(initial_pg_fixmap)
12291 +.section .empty_zero_page,"a",@progbits
12292 ENTRY(empty_zero_page)
12294 +.section .swapper_pg_dir,"a",@progbits
12295 ENTRY(swapper_pg_dir)
12296 +#ifdef CONFIG_X86_PAE
12303 + * The IDT has to be page-aligned to simplify the Pentium
12304 + * F0 0F bug workaround.. We have a special link segment
12307 +.section .idt,"a",@progbits
12312 * This starts the data section.
12314 #ifdef CONFIG_X86_PAE
12315 -__PAGE_ALIGNED_DATA
12316 - /* Page-aligned for the benefit of paravirt? */
12317 - .align PAGE_SIZE_asm
12318 +.section .initial_page_table,"a",@progbits
12319 ENTRY(initial_page_table)
12320 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12322 @@ -660,15 +749,24 @@ ENTRY(initial_page_table)
12323 # error "Kernel PMDs should be 1, 2 or 3"
12325 .align PAGE_SIZE_asm /* needs to be page-sized too */
12327 +#ifdef CONFIG_PAX_PER_CPU_PGD
12338 - .long init_thread_union+THREAD_SIZE
12339 + .long init_thread_union+THREAD_SIZE-8
12344 +.section .rodata,"a",@progbits
12345 early_recursion_flag:
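Review bot: `early_recursion_flag` is placed in `.rodata` by the added `.section .rodata,"a",@progbits`, yet the handlers changed earlier in this file still write it with `incl %ss:early_recursion_flag`. That works only while .rodata is still mapped writable, which nothing in this hunk states; once read-only protection is applied, an entry into one of those handlers would fault on the increment. Either keep the flag in a writable init-data section or add a comment such as `/* written only before .rodata is write-protected */`.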
12348 @@ -704,7 +802,7 @@ fault_msg:
12349 .word 0 # 32 bit align gdt_desc.address
12352 - .long boot_gdt - __PAGE_OFFSET
12353 + .long pa(boot_gdt)
12355 .word 0 # 32-bit align idt_desc.address
12357 @@ -715,7 +813,7 @@ idt_descr:
12358 .word 0 # 32 bit align gdt_desc.address
12359 ENTRY(early_gdt_descr)
12360 .word GDT_ENTRIES*8-1
12361 - .long gdt_page /* Overwritten for secondary CPUs */
12362 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12365 * The boot_gdt must mirror the equivalent in setup.S and is
12366 @@ -724,5 +822,65 @@ ENTRY(early_gdt_descr)
12367 .align L1_CACHE_BYTES
12369 .fill GDT_ENTRY_BOOT_CS,8,0
12370 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12371 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12372 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12373 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12375 + .align PAGE_SIZE_asm
12376 +ENTRY(cpu_gdt_table)
12378 + .quad 0x0000000000000000 /* NULL descriptor */
12379 + .quad 0x0000000000000000 /* 0x0b reserved */
12380 + .quad 0x0000000000000000 /* 0x13 reserved */
12381 + .quad 0x0000000000000000 /* 0x1b reserved */
12383 +#ifdef CONFIG_PAX_KERNEXEC
12384 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12386 + .quad 0x0000000000000000 /* 0x20 unused */
12389 + .quad 0x0000000000000000 /* 0x28 unused */
12390 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12391 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12392 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12393 + .quad 0x0000000000000000 /* 0x4b reserved */
12394 + .quad 0x0000000000000000 /* 0x53 reserved */
12395 + .quad 0x0000000000000000 /* 0x5b reserved */
12397 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12398 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12399 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12400 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12402 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12403 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12406 + * Segments used for calling PnP BIOS have byte granularity.
12407 + * The code segments and data segments have fixed 64k limits,
12408 + * the transfer segment sizes are set at run time.
12410 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12411 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12412 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12413 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12414 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12417 + * The APM segments have byte granularity and their bases
12418 + * are set at run time. All have 64k limits.
12420 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12421 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12422 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12424 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12425 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12426 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12427 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12428 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12429 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12431 + /* Be sure this is zeroed to avoid false validations in Xen */
12432 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
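Review bot: The descriptor type bytes in boot_gdt change from 0x9a/0x92 to 0x9b/0x93, and every populated entry of the new cpu_gdt_table also has bit 0 of the type set, but no comment says why. That bit is the descriptor's accessed flag; with it pre-set, the CPU does not have to write the flag into the table when a selector is loaded. This matters if the table is to be mapped read-only, which is presumably the goal given the page-aligned, page-padded layout. A one-line comment above each table would keep a later edit from reintroducing a 0x9a/0x92 entry: `/* accessed bit pre-set in every descriptor so a segment load never writes to the GDT */`.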
12434 diff -urNp linux-2.6.37/arch/x86/kernel/head_64.S linux-2.6.37/arch/x86/kernel/head_64.S
12435 --- linux-2.6.37/arch/x86/kernel/head_64.S 2011-01-04 19:50:19.000000000 -0500
12436 +++ linux-2.6.37/arch/x86/kernel/head_64.S 2011-01-17 02:41:01.000000000 -0500
12438 #include <asm/cache.h>
12439 #include <asm/processor-flags.h>
12440 #include <asm/percpu.h>
12441 +#include <asm/cpufeature.h>
12443 #ifdef CONFIG_PARAVIRT
12444 #include <asm/asm-offsets.h>
12445 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12446 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12447 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12448 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12449 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12450 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12451 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12452 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12456 @@ -85,35 +90,22 @@ startup_64:
12458 addq %rbp, init_level4_pgt + 0(%rip)
12459 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12460 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12461 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12462 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12464 addq %rbp, level3_ident_pgt + 0(%rip)
12465 +#ifndef CONFIG_XEN
12466 + addq %rbp, level3_ident_pgt + 8(%rip)
12469 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12470 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12471 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12473 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12474 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12475 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12477 - /* Add an Identity mapping if I am above 1G */
12478 - leaq _text(%rip), %rdi
12479 - andq $PMD_PAGE_MASK, %rdi
12482 - shrq $PUD_SHIFT, %rax
12483 - andq $(PTRS_PER_PUD - 1), %rax
12484 - jz ident_complete
12486 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12487 - leaq level3_ident_pgt(%rip), %rbx
12488 - movq %rdx, 0(%rbx, %rax, 8)
12491 - shrq $PMD_SHIFT, %rax
12492 - andq $(PTRS_PER_PMD - 1), %rax
12493 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12494 - leaq level2_spare_pgt(%rip), %rbx
12495 - movq %rdx, 0(%rbx, %rax, 8)
12497 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12498 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12501 * Fixup the kernel text+data virtual addresses. Note that
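Review bot: The deleted block under "Add an Identity mapping if I am above 1G" has no replacement in this hunk; the only identity mapping left is the static one, which a later hunk in this file sizes as `2*PTRS_PER_PMD` entries ("map the first 2G"). If the image can still be loaded at a physical address beyond that range, whatever relied on the dynamic mapping would run without one. State the new limit where the block was removed, e.g. `/* identity map is static and covers the first 2G only; loading above that is unsupported */`, or enforce it at build time. startup_64 begins and ends outside the hunk.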
12502 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12503 * after the boot processor executes this code.
12506 - /* Enable PAE mode and PGE */
12507 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12508 + /* Enable PAE mode and PSE/PGE */
12509 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12512 /* Setup early boot stage 4 level pagetables. */
12513 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12514 movl $MSR_EFER, %ecx
12516 btsl $_EFER_SCE, %eax /* Enable System Call */
12517 - btl $20,%edi /* No Execute supported? */
12518 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
12520 btsl $_EFER_NX, %eax
12521 + leaq init_level4_pgt(%rip), %rdi
12522 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12523 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12524 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12525 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12526 1: wrmsr /* Make changes effective */
12529 @@ -270,7 +267,7 @@ ENTRY(secondary_startup_64)
12533 - .section ".init.text","ax"
12535 #ifdef CONFIG_EARLY_PRINTK
12536 .globl early_idt_handlers
12537 early_idt_handlers:
12538 @@ -315,18 +312,23 @@ ENTRY(early_idt_handler)
12539 #endif /* EARLY_PRINTK */
12544 #ifdef CONFIG_EARLY_PRINTK
12546 early_recursion_flag:
12550 + .section .rodata,"a",@progbits
12552 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12555 -#endif /* CONFIG_EARLY_PRINTK */
12557 +#endif /* CONFIG_EARLY_PRINTK */
12559 + .section .rodata,"a",@progbits
12560 #define NEXT_PAGE(name) \
12561 .balign PAGE_SIZE; \
12563 @@ -339,7 +341,6 @@ ENTRY(name)
12569 * This default setting generates an ident mapping at address 0x100000
12570 * and a mapping for the kernel that precisely maps virtual address
12571 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
12572 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12573 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12574 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12575 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
12576 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12577 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12578 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12579 .org init_level4_pgt + L4_START_KERNEL*8, 0
12580 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12581 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12583 +#ifdef CONFIG_PAX_PER_CPU_PGD
12584 +NEXT_PAGE(cpu_pgd)
12590 NEXT_PAGE(level3_ident_pgt)
12591 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12595 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12599 +NEXT_PAGE(level3_vmalloc_pgt)
12602 +NEXT_PAGE(level3_vmemmap_pgt)
12603 + .fill L3_VMEMMAP_START,8,0
12604 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12606 NEXT_PAGE(level3_kernel_pgt)
12607 .fill L3_START_KERNEL,8,0
12608 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
12609 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12610 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12612 +NEXT_PAGE(level2_vmemmap_pgt)
12615 NEXT_PAGE(level2_fixmap_pgt)
12617 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12618 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12621 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12622 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12625 -NEXT_PAGE(level1_fixmap_pgt)
12626 +NEXT_PAGE(level1_vsyscall_pgt)
12629 -NEXT_PAGE(level2_ident_pgt)
12630 - /* Since I easily can, map the first 1G.
12631 + /* Since I easily can, map the first 2G.
12632 * Don't set NX because code runs from these pages.
12634 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12635 +NEXT_PAGE(level2_ident_pgt)
12636 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12638 NEXT_PAGE(level2_kernel_pgt)
12640 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
12641 * If you want to increase this then increase MODULES_VADDR
12644 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12645 - KERNEL_IMAGE_SIZE/PMD_SIZE)
12647 -NEXT_PAGE(level2_spare_pgt)
12649 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12656 +ENTRY(cpu_gdt_table)
12658 + .quad 0x0000000000000000 /* NULL descriptor */
12659 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12660 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
12661 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
12662 + .quad 0x00cffb000000ffff /* __USER32_CS */
12663 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12664 + .quad 0x00affb000000ffff /* __USER_CS */
12666 +#ifdef CONFIG_PAX_KERNEXEC
12667 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12669 + .quad 0x0 /* unused */
12672 + .quad 0,0 /* TSS */
12673 + .quad 0,0 /* LDT */
12674 + .quad 0,0,0 /* three TLS descriptors */
12675 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
12676 + /* asm/segment.h:GDT_ENTRIES must match this */
12678 + /* zero the remaining page */
12679 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12683 .globl early_gdt_descr
12685 .word GDT_ENTRIES*8-1
12686 early_gdt_descr_base:
12687 - .quad INIT_PER_CPU_VAR(gdt_page)
12688 + .quad cpu_gdt_table
12691 /* This must match the first entry in level2_kernel_pgt */
12692 .quad 0x0000000000000000
12694 #include "../../x86/xen/xen-head.S"
12696 - .section .bss, "aw", @nobits
12698 + .section .rodata,"a",@progbits
12699 .align L1_CACHE_BYTES
12701 - .skip IDT_ENTRIES * 16
12706 diff -urNp linux-2.6.37/arch/x86/kernel/i386_ksyms_32.c linux-2.6.37/arch/x86/kernel/i386_ksyms_32.c
12707 --- linux-2.6.37/arch/x86/kernel/i386_ksyms_32.c 2011-01-04 19:50:19.000000000 -0500
12708 +++ linux-2.6.37/arch/x86/kernel/i386_ksyms_32.c 2011-01-17 02:41:01.000000000 -0500
12709 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12710 EXPORT_SYMBOL(cmpxchg8b_emu);
12713 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12715 /* Networking helper routines. */
12716 EXPORT_SYMBOL(csum_partial_copy_generic);
12717 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12718 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12720 EXPORT_SYMBOL(__get_user_1);
12721 EXPORT_SYMBOL(__get_user_2);
12722 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12724 EXPORT_SYMBOL(csum_partial);
12725 EXPORT_SYMBOL(empty_zero_page);
12727 +#ifdef CONFIG_PAX_KERNEXEC
12728 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12730 diff -urNp linux-2.6.37/arch/x86/kernel/init_task.c linux-2.6.37/arch/x86/kernel/init_task.c
12731 --- linux-2.6.37/arch/x86/kernel/init_task.c 2011-01-04 19:50:19.000000000 -0500
12732 +++ linux-2.6.37/arch/x86/kernel/init_task.c 2011-01-17 02:41:01.000000000 -0500
12733 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12734 * section. Since TSS's are completely CPU-local, we want them
12735 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12737 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12739 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12740 +EXPORT_SYMBOL(init_tss);
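Review bot: `init_tss` becomes a statically sized `NR_CPUS` array, but the comment kept above it (it starts outside the hunk) still talks about a per-CPU "section" and cacheline placement. With an array, `____cacheline_internodealigned_in_smp` aligns the start of the array; per-element alignment then depends on the alignment of `struct tss_struct` itself, which is not visible here. Update the comment accordingly, for example `/* one TSS per possible CPU in a flat array; element alignment comes from struct tss_struct */`. It is also worth noting that the table is now sized for NR_CPUS regardless of how many CPUs are present.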
12741 diff -urNp linux-2.6.37/arch/x86/kernel/ioport.c linux-2.6.37/arch/x86/kernel/ioport.c
12742 --- linux-2.6.37/arch/x86/kernel/ioport.c 2011-01-04 19:50:19.000000000 -0500
12743 +++ linux-2.6.37/arch/x86/kernel/ioport.c 2011-01-17 02:41:01.000000000 -0500
12745 #include <linux/sched.h>
12746 #include <linux/kernel.h>
12747 #include <linux/capability.h>
12748 +#include <linux/security.h>
12749 #include <linux/errno.h>
12750 #include <linux/types.h>
12751 #include <linux/ioport.h>
12752 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12754 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12756 +#ifdef CONFIG_GRKERNSEC_IO
12757 + if (turn_on && grsec_disable_privio) {
12758 + gr_handle_ioperm();
12762 if (turn_on && !capable(CAP_SYS_RAWIO))
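Review bot: The CONFIG_GRKERNSEC_IO check in sys_ioperm sits before `capable(CAP_SYS_RAWIO)`, so `gr_handle_ioperm()` is reached by every caller that passes `turn_on`, privileged or not. If that handler writes an audit record (its body is not on this page), unprivileged callers can produce records at will, and a record does not show whether the request would have been permitted anyway. Either move the check below the capability test or add a comment that the order is deliberate, e.g. `/* checked before capable(): privileged I/O is refused even with CAP_SYS_RAWIO, and every attempt is reported */`. The sys_iopl hunk further down has the same ordering; both function bodies extend beyond their hunks.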
12765 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12766 * because the ->io_bitmap_max value must match the bitmap
12769 - tss = &per_cpu(init_tss, get_cpu());
12770 + tss = init_tss + get_cpu();
12772 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12774 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
12776 /* Trying to gain more privileges? */
12778 +#ifdef CONFIG_GRKERNSEC_IO
12779 + if (grsec_disable_privio) {
12780 + gr_handle_iopl();
12784 if (!capable(CAP_SYS_RAWIO))
12787 diff -urNp linux-2.6.37/arch/x86/kernel/irq_32.c linux-2.6.37/arch/x86/kernel/irq_32.c
12788 --- linux-2.6.37/arch/x86/kernel/irq_32.c 2011-01-04 19:50:19.000000000 -0500
12789 +++ linux-2.6.37/arch/x86/kernel/irq_32.c 2011-01-24 18:04:15.000000000 -0500
12790 @@ -91,7 +91,7 @@ execute_on_irq_stack(int overflow, struc
12793 /* build the stack frame on the IRQ stack */
12794 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12795 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12796 irqctx->tinfo.task = curctx->tinfo.task;
12797 irqctx->tinfo.previous_esp = current_stack_pointer;
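Review bot: The initial stack pointer is now `sizeof(*irqctx) - 8`, a bare literal with no explanation of what the 8 bytes at the top of the IRQ stack are kept for. The same literal appears in the do_softirq hunk below and in head_32.S (`init_thread_union+THREAD_SIZE-8`), so the three places can drift apart silently. Give it a name shared by all three, or at least a comment at each site, e.g. `/* leave 8 bytes unused at the top of the stack, matching init_thread_union in head_32.S */`. execute_on_irq_stack starts before and ends after this hunk.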
12799 @@ -103,6 +103,10 @@ execute_on_irq_stack(int overflow, struc
12800 (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
12801 (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
12803 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12804 + __set_fs(irqctx->tinfo.addr_limit);
12807 if (unlikely(overflow))
12808 call_on_stack(print_stack_overflow, isp);
12810 @@ -113,6 +117,11 @@ execute_on_irq_stack(int overflow, struc
12811 : "0" (irq), "1" (desc), "2" (isp),
12812 "D" (desc->handle_irq)
12813 : "memory", "cc", "ecx");
12815 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12816 + __set_fs(curctx->tinfo.addr_limit);
12822 @@ -129,8 +138,7 @@ void __cpuinit irq_ctx_init(int cpu)
12823 irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
12826 - irqctx->tinfo.task = NULL;
12827 - irqctx->tinfo.exec_domain = NULL;
12828 + memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
12829 irqctx->tinfo.cpu = cpu;
12830 irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
12831 irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
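Review bot: `memset(&irqctx->tinfo, 0, sizeof(struct thread_info))` spells out the type instead of taking the size from the object being cleared; `memset(&irqctx->tinfo, 0, sizeof(irqctx->tinfo));` stays correct if the member's type ever changes. The softirq half of irq_ctx_init in the next hunk has the same line. A short comment would also make the intent explicit: `/* every field not assigned below must start out zero */`.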
12832 @@ -140,10 +148,8 @@ void __cpuinit irq_ctx_init(int cpu)
12833 irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
12836 - irqctx->tinfo.task = NULL;
12837 - irqctx->tinfo.exec_domain = NULL;
12838 + memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
12839 irqctx->tinfo.cpu = cpu;
12840 - irqctx->tinfo.preempt_count = 0;
12841 irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
12843 per_cpu(softirq_ctx, cpu) = irqctx;
12844 @@ -171,9 +177,18 @@ asmlinkage void do_softirq(void)
12845 irqctx->tinfo.previous_esp = current_stack_pointer;
12847 /* build the stack frame on the softirq stack */
12848 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12849 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12851 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12852 + __set_fs(irqctx->tinfo.addr_limit);
12855 call_on_stack(__do_softirq, isp);
12857 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12858 + __set_fs(curctx->addr_limit);
12862 * Shouldnt happen, we returned above if in_interrupt():
12864 diff -urNp linux-2.6.37/arch/x86/kernel/kgdb.c linux-2.6.37/arch/x86/kernel/kgdb.c
12865 --- linux-2.6.37/arch/x86/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
12866 +++ linux-2.6.37/arch/x86/kernel/kgdb.c 2011-01-17 02:41:01.000000000 -0500
12867 @@ -123,11 +123,11 @@ char *dbg_get_reg(int regno, void *mem,
12869 #ifdef CONFIG_X86_32
12871 - if (!user_mode_vm(regs))
12872 + if (!user_mode(regs))
12873 *(unsigned long *)mem = __KERNEL_DS;
12876 - if (!user_mode_vm(regs))
12877 + if (!user_mode(regs))
12878 *(unsigned long *)mem = kernel_stack_pointer(regs);
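Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is correct only if `user_mode()` itself takes vm86 frames into account after this patch; that definition is not in this hunk. With a `user_mode()` that looks at the CS privilege bits alone, a vm86 frame can be classified as kernel mode, and the two branches here would then report `__KERNEL_DS` and `kernel_stack_pointer(regs)` for it. Once confirmed, add a comment at the first call, e.g. `/* user_mode() also covers vm86 frames in this tree */`. kprobe_exceptions_notify in kprobes.c makes the same substitution.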
12881 @@ -722,7 +722,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12885 -struct kgdb_arch arch_kgdb_ops = {
12886 +const struct kgdb_arch arch_kgdb_ops = {
12887 /* Breakpoint instruction: */
12888 .gdb_bpt_instr = { 0xcc },
12889 .flags = KGDB_HW_BREAKPOINT,
12890 diff -urNp linux-2.6.37/arch/x86/kernel/kprobes.c linux-2.6.37/arch/x86/kernel/kprobes.c
12891 --- linux-2.6.37/arch/x86/kernel/kprobes.c 2011-01-04 19:50:19.000000000 -0500
12892 +++ linux-2.6.37/arch/x86/kernel/kprobes.c 2011-01-17 02:41:01.000000000 -0500
12893 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
12894 } __attribute__((packed)) *insn;
12896 insn = (struct __arch_relative_insn *)from;
12898 + pax_open_kernel();
12899 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12901 + pax_close_kernel();
12904 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
12905 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
12906 kprobe_opcode_t opcode;
12907 kprobe_opcode_t *orig_opcodes = opcodes;
12909 - if (search_exception_tables((unsigned long)opcodes))
12910 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
12911 return 0; /* Page fault may occur on this address. */
12914 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
12917 insn_get_length(&insn);
12918 + pax_open_kernel();
12919 memcpy(dest, insn.kaddr, insn.length);
12920 + pax_close_kernel();
12922 #ifdef CONFIG_X86_64
12923 if (insn_rip_relative(&insn)) {
12924 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
12926 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
12927 disp = (u8 *) dest + insn_offset_displacement(&insn);
12928 + pax_open_kernel();
12929 *(s32 *) disp = (s32) newdisp;
12930 + pax_close_kernel();
12933 return insn.length;
12934 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
12936 __copy_instruction(p->ainsn.insn, p->addr, 0);
12938 - if (can_boost(p->addr))
12939 + if (can_boost(ktla_ktva(p->addr)))
12940 p->ainsn.boostable = 0;
12942 p->ainsn.boostable = -1;
12944 - p->opcode = *p->addr;
12945 + p->opcode = *(ktla_ktva(p->addr));
12948 int __kprobes arch_prepare_kprobe(struct kprobe *p)
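Review bot: `ktla_ktva()` is handed a `kprobe_opcode_t *` here (`can_boost(ktla_ktva(p->addr))`, `*(ktla_ktva(p->addr))`), but other hunks in this file call it differently. Some pass an `unsigned long` and cast the result back (`*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr)`), one passes a `long` (`ktla_ktva((long)op->kp.addr)`), and one passes a function (`ktla_ktva(optimized_callback)`). That works without casts only if the helper is a type-agnostic macro, and it hides which calls do arithmetic on integers and which on typed pointers. Pick one form for the file; the explicit version of the last changed line would be `p->opcode = *(kprobe_opcode_t *)ktla_ktva((unsigned long)p->addr);`. arch_copy_kprobe begins above the hunk.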
12949 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
12950 * nor set current_kprobe, because it doesn't use single
12953 - regs->ip = (unsigned long)p->ainsn.insn;
12954 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12955 preempt_enable_no_resched();
12958 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
12959 if (p->opcode == BREAKPOINT_INSTRUCTION)
12960 regs->ip = (unsigned long)p->addr;
12962 - regs->ip = (unsigned long)p->ainsn.insn;
12963 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12967 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
12968 setup_singlestep(p, regs, kcb, 0);
12971 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
12972 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
12974 * The breakpoint instruction was removed right
12975 * after we hit it. Another cpu has removed
12976 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
12977 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12979 unsigned long *tos = stack_addr(regs);
12980 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12981 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12982 unsigned long orig_ip = (unsigned long)p->addr;
12983 kprobe_opcode_t *insn = p->ainsn.insn;
12985 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
12986 struct die_args *args = data;
12987 int ret = NOTIFY_DONE;
12989 - if (args->regs && user_mode_vm(args->regs))
12990 + if (args->regs && user_mode(args->regs))
12994 @@ -1368,7 +1375,7 @@ int __kprobes arch_prepare_optimized_kpr
12995 * Verify if the address gap is in 2GB range, because this uses
12998 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
12999 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
13000 if (abs(rel) > 0x7fffffff)
13003 @@ -1389,11 +1396,11 @@ int __kprobes arch_prepare_optimized_kpr
13004 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
13006 /* Set probe function call */
13007 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
13008 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
13010 /* Set returning jmp instruction at the tail of out-of-line buffer */
13011 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
13012 - (u8 *)op->kp.addr + op->optinsn.size);
13013 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
13015 flush_icache_range((unsigned long) buf,
13016 (unsigned long) buf + TMPL_END_IDX +
13017 @@ -1409,7 +1416,7 @@ int __kprobes arch_optimize_kprobe(struc
13018 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
13020 /* Backup instructions which will be replaced by jump address */
13021 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
13022 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
13023 RELATIVE_ADDR_SIZE);
13025 jmp_code[0] = RELATIVEJUMP_OPCODE;
13026 diff -urNp linux-2.6.37/arch/x86/kernel/ldt.c linux-2.6.37/arch/x86/kernel/ldt.c
13027 --- linux-2.6.37/arch/x86/kernel/ldt.c 2011-01-04 19:50:19.000000000 -0500
13028 +++ linux-2.6.37/arch/x86/kernel/ldt.c 2011-01-17 02:41:01.000000000 -0500
13029 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
13034 + load_LDT_nolock(pc);
13035 if (!cpumask_equal(mm_cpumask(current->mm),
13036 cpumask_of(smp_processor_id())))
13037 smp_call_function(flush_ldt, current->mm, 1);
13041 + load_LDT_nolock(pc);
13045 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
13048 for (i = 0; i < old->size; i++)
13049 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
13050 + write_ldt_entry(new->ldt, i, old->ldt + i);
13054 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
13055 retval = copy_ldt(&mm->context, &old_mm->context);
13056 mutex_unlock(&old_mm->context.lock);
13059 + if (tsk == current) {
13060 + mm->context.vdso = 0;
13062 +#ifdef CONFIG_X86_32
13063 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
13064 + mm->context.user_cs_base = 0UL;
13065 + mm->context.user_cs_limit = ~0UL;
13067 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
13068 + cpus_clear(mm->context.cpu_user_cs_mask);
13079 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
13083 +#ifdef CONFIG_PAX_SEGMEXEC
13084 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
13090 fill_ldt(&ldt, &ldt_info);
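Review bot: The SEGMEXEC test uses a bitwise AND, `ldt_info.contents & MODIFY_LDT_CONTENTS_CODE`, so it matches every `contents` value with that bit set, not only the code-segment value itself. For a deny rule that is the conservative direction, but the hunk does not say whether it is intended. A comment such as `/* any contents value with the code bit set is refused under SEGMEXEC */` would settle it, or use `==` if only the exact value is meant. The statements inside the `if` are not shown in this hunk as rendered, and write_ldt extends beyond it.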
13093 diff -urNp linux-2.6.37/arch/x86/kernel/machine_kexec_32.c linux-2.6.37/arch/x86/kernel/machine_kexec_32.c
13094 --- linux-2.6.37/arch/x86/kernel/machine_kexec_32.c 2011-01-04 19:50:19.000000000 -0500
13095 +++ linux-2.6.37/arch/x86/kernel/machine_kexec_32.c 2011-01-17 02:41:01.000000000 -0500
13097 #include <asm/cacheflush.h>
13098 #include <asm/debugreg.h>
13100 -static void set_idt(void *newidt, __u16 limit)
13101 +static void set_idt(struct desc_struct *newidt, __u16 limit)
13103 struct desc_ptr curidt;
13105 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
13109 -static void set_gdt(void *newgdt, __u16 limit)
13110 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
13112 struct desc_ptr curgdt;
13114 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
13117 control_page = page_address(image->control_code_page);
13118 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
13119 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
13121 relocate_kernel_ptr = control_page;
13122 page_list[PA_CONTROL_PAGE] = __pa(control_page);
13123 diff -urNp linux-2.6.37/arch/x86/kernel/microcode_amd.c linux-2.6.37/arch/x86/kernel/microcode_amd.c
13124 --- linux-2.6.37/arch/x86/kernel/microcode_amd.c 2011-01-04 19:50:19.000000000 -0500
13125 +++ linux-2.6.37/arch/x86/kernel/microcode_amd.c 2011-01-17 02:41:01.000000000 -0500
13126 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
13130 -static struct microcode_ops microcode_amd_ops = {
13131 +static const struct microcode_ops microcode_amd_ops = {
13132 .request_microcode_user = request_microcode_user,
13133 .request_microcode_fw = request_microcode_fw,
13134 .collect_cpu_info = collect_cpu_info_amd,
13135 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
13136 .microcode_fini_cpu = microcode_fini_cpu_amd,
13139 -struct microcode_ops * __init init_amd_microcode(void)
13140 +const struct microcode_ops * __init init_amd_microcode(void)
13142 return µcode_amd_ops;
13144 diff -urNp linux-2.6.37/arch/x86/kernel/microcode_core.c linux-2.6.37/arch/x86/kernel/microcode_core.c
13145 --- linux-2.6.37/arch/x86/kernel/microcode_core.c 2011-01-04 19:50:19.000000000 -0500
13146 +++ linux-2.6.37/arch/x86/kernel/microcode_core.c 2011-01-17 02:41:01.000000000 -0500
13147 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
13149 #define MICROCODE_VERSION "2.00"
13151 -static struct microcode_ops *microcode_ops;
13152 +static const struct microcode_ops *microcode_ops;
13156 diff -urNp linux-2.6.37/arch/x86/kernel/microcode_intel.c linux-2.6.37/arch/x86/kernel/microcode_intel.c
13157 --- linux-2.6.37/arch/x86/kernel/microcode_intel.c 2011-01-04 19:50:19.000000000 -0500
13158 +++ linux-2.6.37/arch/x86/kernel/microcode_intel.c 2011-01-17 02:41:01.000000000 -0500
13159 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
13161 static int get_ucode_user(void *to, const void *from, size_t n)
13163 - return copy_from_user(to, from, n);
13164 + return copy_from_user(to, (__force const void __user *)from, n);
13167 static enum ucode_state
13168 request_microcode_user(int cpu, const void __user *buf, size_t size)
13170 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
13171 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
13174 static void microcode_fini_cpu(int cpu)
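Review bot: The `__force` casts in `get_ucode_user` and `request_microcode_user` let a user-space pointer travel through `generic_load_microcode` typed as a plain `void *`, so sparse can no longer flag a direct dereference of it on that path. This is only safe while `generic_load_microcode` reads the buffer exclusively through the `get_ucode_user` callback, which these lines do not show. I would record that contract above `get_ucode_user`, for example `/* from is a user pointer handed through generic_load_microcode() as void *; read it only via copy_from_user() */`.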
13175 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
13179 -static struct microcode_ops microcode_intel_ops = {
13180 +static const struct microcode_ops microcode_intel_ops = {
13181 .request_microcode_user = request_microcode_user,
13182 .request_microcode_fw = request_microcode_fw,
13183 .collect_cpu_info = collect_cpu_info,
13184 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
13185 .microcode_fini_cpu = microcode_fini_cpu,
13188 -struct microcode_ops * __init init_intel_microcode(void)
13189 +const struct microcode_ops * __init init_intel_microcode(void)
13191 return µcode_intel_ops;
13193 diff -urNp linux-2.6.37/arch/x86/kernel/module.c linux-2.6.37/arch/x86/kernel/module.c
13194 --- linux-2.6.37/arch/x86/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
13195 +++ linux-2.6.37/arch/x86/kernel/module.c 2011-01-17 02:41:01.000000000 -0500
13197 #define DEBUGP(fmt...)
13200 -void *module_alloc(unsigned long size)
13201 +static void *__module_alloc(unsigned long size, pgprot_t prot)
13203 struct vm_struct *area;
13205 @@ -49,8 +49,18 @@ void *module_alloc(unsigned long size)
13209 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
13210 - PAGE_KERNEL_EXEC);
13211 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
13214 +void *module_alloc(unsigned long size)
13217 +#ifdef CONFIG_PAX_KERNEXEC
13218 + return __module_alloc(size, PAGE_KERNEL);
13220 + return __module_alloc(size, PAGE_KERNEL_EXEC);
13225 /* Free memory returned from module_alloc */
13226 @@ -59,6 +69,40 @@ void module_free(struct module *mod, voi
13227 vfree(module_region);
13230 +#ifdef CONFIG_PAX_KERNEXEC
13231 +#ifdef CONFIG_X86_32
13232 +void *module_alloc_exec(unsigned long size)
13234 + struct vm_struct *area;
13239 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
13240 + return area ? area->addr : NULL;
13242 +EXPORT_SYMBOL(module_alloc_exec);
13244 +void module_free_exec(struct module *mod, void *module_region)
13246 + vunmap(module_region);
13248 +EXPORT_SYMBOL(module_free_exec);
13250 +void module_free_exec(struct module *mod, void *module_region)
13252 + module_free(mod, module_region);
13254 +EXPORT_SYMBOL(module_free_exec);
13256 +void *module_alloc_exec(unsigned long size)
13258 + return __module_alloc(size, PAGE_KERNEL_RX);
13260 +EXPORT_SYMBOL(module_alloc_exec);
13264 /* We don't need anything special. */
13265 int module_frob_arch_sections(Elf_Ehdr *hdr,
13267 @@ -78,14 +122,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13269 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
13271 - uint32_t *location;
13272 + uint32_t *plocation, location;
13274 DEBUGP("Applying relocate section %u to %u\n", relsec,
13275 sechdrs[relsec].sh_info);
13276 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
13277 /* This is where to make the change */
13278 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
13279 - + rel[i].r_offset;
13280 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
13281 + location = (uint32_t)plocation;
13282 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
13283 + plocation = ktla_ktva((void *)plocation);
13284 /* This is the symbol it is referring to. Note that all
13285 undefined symbols have been resolved. */
13286 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
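Review bot: The split of `location` into `plocation` and an integer `location` in `apply_relocate` is not documented, and the two are easy to confuse in the relocation cases of the next hunk. From the visible lines, `location` keeps the original section address for the PC-relative subtraction, while `plocation` is passed through `ktla_ktva()` for `SHF_EXECINSTR` sections and is the pointer actually written. A comment at the declaration would pin that down, e.g. `/* location: address used in relocation arithmetic; plocation: alias the store goes through */`. The function body continues outside this hunk.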
13287 @@ -94,11 +140,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13288 switch (ELF32_R_TYPE(rel[i].r_info)) {
13290 /* We add the value into the location given */
13291 - *location += sym->st_value;
13292 + pax_open_kernel();
13293 + *plocation += sym->st_value;
13294 + pax_close_kernel();
13297 /* Add the value, subtract its postition */
13298 - *location += sym->st_value - (uint32_t)location;
13299 + pax_open_kernel();
13300 + *plocation += sym->st_value - location;
13301 + pax_close_kernel();
13304 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
13305 @@ -154,21 +204,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
13306 case R_X86_64_NONE:
13309 + pax_open_kernel();
13311 + pax_close_kernel();
13314 + pax_open_kernel();
13316 + pax_close_kernel();
13317 if (val != *(u32 *)loc)
13321 + pax_open_kernel();
13323 + pax_close_kernel();
13324 if ((s64)val != *(s32 *)loc)
13327 case R_X86_64_PC32:
13329 + pax_open_kernel();
13331 + pax_close_kernel();
13334 if ((s64)val != *(s32 *)loc)
13336 diff -urNp linux-2.6.37/arch/x86/kernel/paravirt.c linux-2.6.37/arch/x86/kernel/paravirt.c
13337 --- linux-2.6.37/arch/x86/kernel/paravirt.c 2011-01-04 19:50:19.000000000 -0500
13338 +++ linux-2.6.37/arch/x86/kernel/paravirt.c 2011-01-17 02:41:01.000000000 -0500
13339 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
13340 * corresponding structure. */
13341 static void *get_call_destination(u8 type)
13343 - struct paravirt_patch_template tmpl = {
13344 + const struct paravirt_patch_template tmpl = {
13345 .pv_init_ops = pv_init_ops,
13346 .pv_time_ops = pv_time_ops,
13347 .pv_cpu_ops = pv_cpu_ops,
13348 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
13349 if (opfunc == NULL)
13350 /* If there's no function, patch it with a ud2a (BUG) */
13351 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13352 - else if (opfunc == _paravirt_nop)
13353 + else if (opfunc == (void *)_paravirt_nop)
13354 /* If the operation is a nop, then nop the callsite */
13355 ret = paravirt_patch_nop();
13357 /* identity functions just return their single argument */
13358 - else if (opfunc == _paravirt_ident_32)
13359 + else if (opfunc == (void *)_paravirt_ident_32)
13360 ret = paravirt_patch_ident_32(insnbuf, len);
13361 - else if (opfunc == _paravirt_ident_64)
13362 + else if (opfunc == (void *)_paravirt_ident_64)
13363 ret = paravirt_patch_ident_64(insnbuf, len);
13365 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
13366 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
13367 if (insn_len > len || start == NULL)
13370 - memcpy(insnbuf, start, insn_len);
13371 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13375 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13379 -struct pv_info pv_info = {
13380 +struct pv_info pv_info __read_only = {
13381 .name = "bare hardware",
13382 .paravirt_enabled = 0,
13384 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13387 -struct pv_init_ops pv_init_ops = {
13388 +struct pv_init_ops pv_init_ops __read_only = {
13389 .patch = native_patch,
13392 -struct pv_time_ops pv_time_ops = {
13393 +struct pv_time_ops pv_time_ops __read_only = {
13394 .sched_clock = native_sched_clock,
13397 -struct pv_irq_ops pv_irq_ops = {
13398 +struct pv_irq_ops pv_irq_ops __read_only = {
13399 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13400 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13401 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
13402 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13406 -struct pv_cpu_ops pv_cpu_ops = {
13407 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13408 .cpuid = native_cpuid,
13409 .get_debugreg = native_get_debugreg,
13410 .set_debugreg = native_set_debugreg,
13411 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13412 .end_context_switch = paravirt_nop,
13415 -struct pv_apic_ops pv_apic_ops = {
13416 +struct pv_apic_ops pv_apic_ops __read_only = {
13417 #ifdef CONFIG_X86_LOCAL_APIC
13418 .startup_ipi_hook = paravirt_nop,
13420 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13421 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13424 -struct pv_mmu_ops pv_mmu_ops = {
13425 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13427 .read_cr2 = native_read_cr2,
13428 .write_cr2 = native_write_cr2,
13429 @@ -462,6 +462,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13432 .set_fixmap = native_set_fixmap,
13434 +#ifdef CONFIG_PAX_KERNEXEC
13435 + .pax_open_kernel = native_pax_open_kernel,
13436 + .pax_close_kernel = native_pax_close_kernel,
13441 EXPORT_SYMBOL_GPL(pv_time_ops);
13442 diff -urNp linux-2.6.37/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.37/arch/x86/kernel/paravirt-spinlocks.c
13443 --- linux-2.6.37/arch/x86/kernel/paravirt-spinlocks.c 2011-01-04 19:50:19.000000000 -0500
13444 +++ linux-2.6.37/arch/x86/kernel/paravirt-spinlocks.c 2011-01-17 02:41:01.000000000 -0500
13445 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13446 arch_spin_lock(lock);
13449 -struct pv_lock_ops pv_lock_ops = {
13450 +struct pv_lock_ops pv_lock_ops __read_only = {
13452 .spin_is_locked = __ticket_spin_is_locked,
13453 .spin_is_contended = __ticket_spin_is_contended,
13454 diff -urNp linux-2.6.37/arch/x86/kernel/pci-calgary_64.c linux-2.6.37/arch/x86/kernel/pci-calgary_64.c
13455 --- linux-2.6.37/arch/x86/kernel/pci-calgary_64.c 2011-01-04 19:50:19.000000000 -0500
13456 +++ linux-2.6.37/arch/x86/kernel/pci-calgary_64.c 2011-01-17 02:41:01.000000000 -0500
13457 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
13458 free_pages((unsigned long)vaddr, get_order(size));
13461 -static struct dma_map_ops calgary_dma_ops = {
13462 +static const struct dma_map_ops calgary_dma_ops = {
13463 .alloc_coherent = calgary_alloc_coherent,
13464 .free_coherent = calgary_free_coherent,
13465 .map_sg = calgary_map_sg,
13466 diff -urNp linux-2.6.37/arch/x86/kernel/pci-dma.c linux-2.6.37/arch/x86/kernel/pci-dma.c
13467 --- linux-2.6.37/arch/x86/kernel/pci-dma.c 2011-01-04 19:50:19.000000000 -0500
13468 +++ linux-2.6.37/arch/x86/kernel/pci-dma.c 2011-01-17 02:41:01.000000000 -0500
13471 static int forbid_dac __read_mostly;
13473 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13474 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13475 EXPORT_SYMBOL(dma_ops);
13477 static int iommu_sac_force __read_mostly;
13478 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
13480 int dma_supported(struct device *dev, u64 mask)
13482 - struct dma_map_ops *ops = get_dma_ops(dev);
13483 + const struct dma_map_ops *ops = get_dma_ops(dev);
13486 if (mask > 0xffffffff && forbid_dac > 0) {
13487 diff -urNp linux-2.6.37/arch/x86/kernel/pci-gart_64.c linux-2.6.37/arch/x86/kernel/pci-gart_64.c
13488 --- linux-2.6.37/arch/x86/kernel/pci-gart_64.c 2011-01-04 19:50:19.000000000 -0500
13489 +++ linux-2.6.37/arch/x86/kernel/pci-gart_64.c 2011-01-17 02:41:01.000000000 -0500
13490 @@ -706,7 +706,7 @@ static __init int init_k8_gatt(struct ag
13494 -static struct dma_map_ops gart_dma_ops = {
13495 +static const struct dma_map_ops gart_dma_ops = {
13496 .map_sg = gart_map_sg,
13497 .unmap_sg = gart_unmap_sg,
13498 .map_page = gart_map_page,
13499 diff -urNp linux-2.6.37/arch/x86/kernel/pci-nommu.c linux-2.6.37/arch/x86/kernel/pci-nommu.c
13500 --- linux-2.6.37/arch/x86/kernel/pci-nommu.c 2011-01-04 19:50:19.000000000 -0500
13501 +++ linux-2.6.37/arch/x86/kernel/pci-nommu.c 2011-01-17 02:41:01.000000000 -0500
13502 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13503 flush_write_buffers();
13506 -struct dma_map_ops nommu_dma_ops = {
13507 +const struct dma_map_ops nommu_dma_ops = {
13508 .alloc_coherent = dma_generic_alloc_coherent,
13509 .free_coherent = nommu_free_coherent,
13510 .map_sg = nommu_map_sg,
13511 diff -urNp linux-2.6.37/arch/x86/kernel/pci-swiotlb.c linux-2.6.37/arch/x86/kernel/pci-swiotlb.c
13512 --- linux-2.6.37/arch/x86/kernel/pci-swiotlb.c 2011-01-04 19:50:19.000000000 -0500
13513 +++ linux-2.6.37/arch/x86/kernel/pci-swiotlb.c 2011-01-17 02:41:01.000000000 -0500
13514 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
13515 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13518 -static struct dma_map_ops swiotlb_dma_ops = {
13519 +static const struct dma_map_ops swiotlb_dma_ops = {
13520 .mapping_error = swiotlb_dma_mapping_error,
13521 .alloc_coherent = x86_swiotlb_alloc_coherent,
13522 .free_coherent = swiotlb_free_coherent,
13523 diff -urNp linux-2.6.37/arch/x86/kernel/process_32.c linux-2.6.37/arch/x86/kernel/process_32.c
13524 --- linux-2.6.37/arch/x86/kernel/process_32.c 2011-01-04 19:50:19.000000000 -0500
13525 +++ linux-2.6.37/arch/x86/kernel/process_32.c 2011-01-17 02:41:01.000000000 -0500
13526 @@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
13527 unsigned long thread_saved_pc(struct task_struct *tsk)
13529 return ((unsigned long *)tsk->thread.sp)[3];
13530 +//XXX return tsk->thread.eip;
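Review bot: The added `//XXX return tsk->thread.eip;` in `thread_saved_pc` is commented-out code placed after the unconditional `return`, with no explanation of what is still open. Either drop the line or replace it with a sentence stating the question, e.g. `/* TODO: decide whether thread.eip should be returned instead of the saved stack slot */`. As written, a reader cannot tell whether the existing `((unsigned long *)tsk->thread.sp)[3]` lookup is considered correct under this patch.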
13534 @@ -130,15 +131,14 @@ void __show_regs(struct pt_regs *regs, i
13536 unsigned short ss, gs;
13538 - if (user_mode_vm(regs)) {
13539 + if (user_mode(regs)) {
13541 ss = regs->ss & 0xffff;
13542 - gs = get_user_gs(regs);
13544 sp = kernel_stack_pointer(regs);
13545 savesegment(ss, ss);
13546 - savesegment(gs, gs);
13548 + gs = get_user_gs(regs);
13550 show_regs_common();
13552 @@ -200,7 +200,7 @@ int copy_thread(unsigned long clone_flag
13553 struct task_struct *tsk;
13556 - childregs = task_pt_regs(p);
13557 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13558 *childregs = *regs;
13560 childregs->sp = sp;
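Review bot: `childregs` is now computed with the open-coded `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` instead of `task_pt_regs(p)`, and the trailing `8` is unexplained. The same constant reappears in the `get_wchan` bounds in process_64.c (`stack+THREAD_SIZE-8-sizeof(u64)`), so the two have to stay in step. A comment such as `/* pt_regs ends 8 bytes below the top of the kernel stack */`, or one shared named constant, would make that dependency visible. `copy_thread` continues outside this hunk.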
13561 @@ -297,7 +297,7 @@ __switch_to(struct task_struct *prev_p,
13562 struct thread_struct *prev = &prev_p->thread,
13563 *next = &next_p->thread;
13564 int cpu = smp_processor_id();
13565 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13566 + struct tss_struct *tss = init_tss + cpu;
13569 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13570 @@ -332,6 +332,10 @@ __switch_to(struct task_struct *prev_p,
13572 lazy_save_gs(prev->gs);
13574 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13575 + __set_fs(task_thread_info(next_p)->addr_limit);
13579 * Load the per-thread Thread-Local Storage descriptor.
13581 @@ -408,3 +412,27 @@ unsigned long get_wchan(struct task_stru
13585 +#ifdef CONFIG_PAX_RANDKSTACK
13586 +asmlinkage void pax_randomize_kstack(void)
13588 + struct thread_struct *thread = ¤t->thread;
13589 + unsigned long time;
13591 + if (!randomize_va_space)
13596 + /* P4 seems to return a 0 LSB, ignore it */
13597 +#ifdef CONFIG_MPENTIUM4
13605 + thread->sp0 ^= time;
13606 + load_sp0(init_tss + smp_processor_id(), thread);
13609 diff -urNp linux-2.6.37/arch/x86/kernel/process_64.c linux-2.6.37/arch/x86/kernel/process_64.c
13610 --- linux-2.6.37/arch/x86/kernel/process_64.c 2011-01-04 19:50:19.000000000 -0500
13611 +++ linux-2.6.37/arch/x86/kernel/process_64.c 2011-01-17 02:41:01.000000000 -0500
13612 @@ -89,7 +89,7 @@ static void __exit_idle(void)
13613 void exit_idle(void)
13615 /* idle loop has pid 0 */
13616 - if (current->pid)
13617 + if (task_pid_nr(current))
13621 @@ -380,7 +380,7 @@ __switch_to(struct task_struct *prev_p,
13622 struct thread_struct *prev = &prev_p->thread;
13623 struct thread_struct *next = &next_p->thread;
13624 int cpu = smp_processor_id();
13625 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13626 + struct tss_struct *tss = init_tss + cpu;
13627 unsigned fsindex, gsindex;
13630 @@ -533,12 +533,11 @@ unsigned long get_wchan(struct task_stru
13631 if (!p || p == current || p->state == TASK_RUNNING)
13633 stack = (unsigned long)task_stack_page(p);
13634 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13635 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13637 fp = *(u64 *)(p->thread.sp);
13639 - if (fp < (unsigned long)stack ||
13640 - fp >= (unsigned long)stack+THREAD_SIZE)
13641 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13643 ip = *(u64 *)(fp+8);
13644 if (!in_sched_functions(ip))
13645 diff -urNp linux-2.6.37/arch/x86/kernel/process.c linux-2.6.37/arch/x86/kernel/process.c
13646 --- linux-2.6.37/arch/x86/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
13647 +++ linux-2.6.37/arch/x86/kernel/process.c 2011-01-17 02:41:01.000000000 -0500
13648 @@ -74,7 +74,7 @@ void exit_thread(void)
13649 unsigned long *bp = t->io_bitmap_ptr;
13652 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13653 + struct tss_struct *tss = init_tss + get_cpu();
13655 t->io_bitmap_ptr = NULL;
13656 clear_thread_flag(TIF_IO_BITMAP);
13657 @@ -118,6 +118,9 @@ void flush_thread(void)
13659 struct task_struct *tsk = current;
13661 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
13662 + loadsegment(gs, 0);
13664 flush_ptrace_hw_breakpoint(tsk);
13665 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
13667 @@ -280,10 +283,10 @@ int kernel_thread(int (*fn)(void *), voi
13668 regs.di = (unsigned long) arg;
13670 #ifdef CONFIG_X86_32
13671 - regs.ds = __USER_DS;
13672 - regs.es = __USER_DS;
13673 + regs.ds = __KERNEL_DS;
13674 + regs.es = __KERNEL_DS;
13675 regs.fs = __KERNEL_PERCPU;
13676 - regs.gs = __KERNEL_STACK_CANARY;
13677 + savesegment(gs, regs.gs);
13679 regs.ss = __KERNEL_DS;
13681 @@ -658,17 +661,3 @@ static int __init idle_setup(char *str)
13684 early_param("idle", idle_setup);
13686 -unsigned long arch_align_stack(unsigned long sp)
13688 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13689 - sp -= get_random_int() % 8192;
13690 - return sp & ~0xf;
13693 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13695 - unsigned long range_end = mm->brk + 0x02000000;
13696 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13699 diff -urNp linux-2.6.37/arch/x86/kernel/ptrace.c linux-2.6.37/arch/x86/kernel/ptrace.c
13700 --- linux-2.6.37/arch/x86/kernel/ptrace.c 2011-01-04 19:50:19.000000000 -0500
13701 +++ linux-2.6.37/arch/x86/kernel/ptrace.c 2011-01-17 02:41:01.000000000 -0500
13702 @@ -805,7 +805,7 @@ long arch_ptrace(struct task_struct *chi
13703 unsigned long addr, unsigned long data)
13706 - unsigned long __user *datap = (unsigned long __user *)data;
13707 + unsigned long __user *datap = (__force unsigned long __user *)data;
13710 /* read the word at location addr in the USER area. */
13711 @@ -890,14 +890,14 @@ long arch_ptrace(struct task_struct *chi
13712 if ((int) addr < 0)
13714 ret = do_get_thread_area(child, addr,
13715 - (struct user_desc __user *)data);
13716 + (__force struct user_desc __user *) data);
13719 case PTRACE_SET_THREAD_AREA:
13720 if ((int) addr < 0)
13722 ret = do_set_thread_area(child, addr,
13723 - (struct user_desc __user *)data, 0);
13724 + (__force struct user_desc __user *) data, 0);
13728 @@ -1314,7 +1314,7 @@ static void fill_sigtrap_info(struct tas
13729 memset(info, 0, sizeof(*info));
13730 info->si_signo = SIGTRAP;
13731 info->si_code = si_code;
13732 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13733 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13736 void user_single_step_siginfo(struct task_struct *tsk,
13737 diff -urNp linux-2.6.37/arch/x86/kernel/reboot.c linux-2.6.37/arch/x86/kernel/reboot.c
13738 --- linux-2.6.37/arch/x86/kernel/reboot.c 2011-01-04 19:50:19.000000000 -0500
13739 +++ linux-2.6.37/arch/x86/kernel/reboot.c 2011-01-17 02:41:01.000000000 -0500
13740 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
13741 EXPORT_SYMBOL(pm_power_off);
13743 static const struct desc_ptr no_idt = {};
13744 -static int reboot_mode;
13745 +static unsigned short reboot_mode;
13746 enum reboot_type reboot_type = BOOT_KBD;
13749 @@ -284,7 +284,7 @@ static struct dmi_system_id __initdata r
13750 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
13754 + { NULL, NULL, {{0, {0}}}, NULL}
13757 static int __init reboot_init(void)
13758 @@ -300,12 +300,12 @@ core_initcall(reboot_init);
13759 controller to pulse the CPU reset line, which is more thorough, but
13760 doesn't work with at least one type of 486 motherboard. It is easy
13761 to stop this code working; hence the copious comments. */
13762 -static const unsigned long long
13763 -real_mode_gdt_entries [3] =
13764 +static struct desc_struct
13765 +real_mode_gdt_entries [3] __read_only =
13767 - 0x0000000000000000ULL, /* Null descriptor */
13768 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13769 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
13770 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13771 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13772 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
13775 static const struct desc_ptr
13776 @@ -354,7 +354,7 @@ static const unsigned char jump_to_bios
13777 * specified by the code and length parameters.
13778 * We assume that length will aways be less that 100!
13780 -void machine_real_restart(const unsigned char *code, int length)
13781 +void machine_real_restart(const unsigned char *code, unsigned int length)
13783 local_irq_disable();
13785 @@ -381,16 +381,15 @@ void machine_real_restart(const unsigned
13786 boot)". This seems like a fairly standard thing that gets set by
13787 REBOOT.COM programs, and the previous reset routine did this
13789 - *((unsigned short *)0x472) = reboot_mode;
13790 + *(unsigned short *)(__va(0x472)) = reboot_mode;
13792 /* For the switch to real mode, copy some code to low memory. It has
13793 to be in the first 64k because it is running in 16-bit mode, and it
13794 has to have the same physical and virtual address, because it turns
13795 off paging. Copy it near the end of the first page, out of the way
13796 of BIOS variables. */
13797 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13798 - real_mode_switch, sizeof (real_mode_switch));
13799 - memcpy((void *)(0x1000 - 100), code, length);
13800 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13801 + memcpy(__va(0x1000 - 100), code, length);
13803 /* Set up the IDT for real mode. */
13804 load_idt(&real_mode_idt);
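Review bot: `memcpy(__va(0x1000 - 100), code, length)` copies a caller-supplied `length` into the last 100 bytes of the first page, and nothing enforces that bound. The only limit is the comment in the previous hunk ("We assume that length will aways be less that 100!"). Changing the parameter to `unsigned int` does not add the check. A guard at the top of `machine_real_restart`, e.g. `BUG_ON(length > 100);`, would turn the assumption into something the code verifies before it overwrites low memory. The function starts in the previous hunk and continues past this one.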
13805 diff -urNp linux-2.6.37/arch/x86/kernel/setup.c linux-2.6.37/arch/x86/kernel/setup.c
13806 --- linux-2.6.37/arch/x86/kernel/setup.c 2011-01-04 19:50:19.000000000 -0500
13807 +++ linux-2.6.37/arch/x86/kernel/setup.c 2011-01-17 02:41:01.000000000 -0500
13808 @@ -654,7 +654,7 @@ static void __init trim_bios_range(void)
13809 * area (640->1Mb) as ram even though it is not.
13812 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13813 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13814 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13817 @@ -790,14 +790,14 @@ void __init setup_arch(char **cmdline_p)
13819 if (!boot_params.hdr.root_flags)
13820 root_mountflags &= ~MS_RDONLY;
13821 - init_mm.start_code = (unsigned long) _text;
13822 - init_mm.end_code = (unsigned long) _etext;
13823 + init_mm.start_code = ktla_ktva((unsigned long) _text);
13824 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
13825 init_mm.end_data = (unsigned long) _edata;
13826 init_mm.brk = _brk_end;
13828 - code_resource.start = virt_to_phys(_text);
13829 - code_resource.end = virt_to_phys(_etext)-1;
13830 - data_resource.start = virt_to_phys(_etext);
13831 + code_resource.start = virt_to_phys(ktla_ktva(_text));
13832 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13833 + data_resource.start = virt_to_phys(_sdata);
13834 data_resource.end = virt_to_phys(_edata)-1;
13835 bss_resource.start = virt_to_phys(&__bss_start);
13836 bss_resource.end = virt_to_phys(&__bss_stop)-1;
13837 diff -urNp linux-2.6.37/arch/x86/kernel/setup_percpu.c linux-2.6.37/arch/x86/kernel/setup_percpu.c
13838 --- linux-2.6.37/arch/x86/kernel/setup_percpu.c 2011-01-04 19:50:19.000000000 -0500
13839 +++ linux-2.6.37/arch/x86/kernel/setup_percpu.c 2011-01-17 02:41:01.000000000 -0500
13840 @@ -21,19 +21,17 @@
13841 #include <asm/cpu.h>
13842 #include <asm/stackprotector.h>
13844 -DEFINE_PER_CPU(int, cpu_number);
13846 +DEFINE_PER_CPU(unsigned int, cpu_number);
13847 EXPORT_PER_CPU_SYMBOL(cpu_number);
13850 -#ifdef CONFIG_X86_64
13851 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13853 -#define BOOT_PERCPU_OFFSET 0
13856 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13857 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13859 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13860 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13861 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13863 EXPORT_SYMBOL(__per_cpu_offset);
13864 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
13866 #ifdef CONFIG_X86_32
13867 struct desc_struct gdt;
13868 + unsigned long base = per_cpu_offset(cpu);
13870 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13871 - 0x2 | DESCTYPE_S, 0x8);
13873 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13874 + 0x83 | DESCTYPE_S, 0xC);
13875 write_gdt_entry(get_cpu_gdt_table(cpu),
13876 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
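Review bot: The per-CPU segment descriptor in `setup_percpu_segment` now uses the raw values `0x83 | DESCTYPE_S` and `0xC` and a limit derived from `VMALLOC_END`, none of which is explained. A comment would help, e.g. `/* per-cpu segment ends at VMALLOC_END; limit is in pages */`, and the type and flag bytes would read better as named bits if the tree provides them. `VMALLOC_END - base - 1` is unsigned arithmetic, so it presumably relies on `base` always lying below `VMALLOC_END`; that assumption should be stated next to the call. The function continues outside this hunk.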
13878 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
13879 /* alrighty, percpu areas up and running */
13880 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13881 for_each_possible_cpu(cpu) {
13882 +#ifdef CONFIG_CC_STACKPROTECTOR
13883 +#ifdef CONFIG_x86_32
13884 + unsigned long canary = per_cpu(stack_canary, cpu);
13887 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
13888 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13889 per_cpu(cpu_number, cpu) = cpu;
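Review bot: `#ifdef CONFIG_x86_32` is spelled with a lowercase `x`, while the rest of this patch tests `CONFIG_X86_32` (for example in the ldt.c and module.c hunks). If the lowercase symbol is never defined, the `canary` save here and the restore in the next hunk (`@@ -243,6 +246,12`, `per_cpu(stack_canary, cpu) = canary;`) are both compiled out. The boot CPU's stack canary would then not be carried across the per-CPU area switch. Both guards should read `#ifdef CONFIG_X86_32`. `setup_per_cpu_areas` starts and ends outside these hunks.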
13890 @@ -243,6 +246,12 @@ void __init setup_per_cpu_areas(void)
13891 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
13894 +#ifdef CONFIG_CC_STACKPROTECTOR
13895 +#ifdef CONFIG_x86_32
13896 + if (cpu == boot_cpu_id)
13897 + per_cpu(stack_canary, cpu) = canary;
13901 * Up to this point, the boot CPU has been using .init.data
13902 * area. Reload any changed state for the boot CPU.
13903 diff -urNp linux-2.6.37/arch/x86/kernel/signal.c linux-2.6.37/arch/x86/kernel/signal.c
13904 --- linux-2.6.37/arch/x86/kernel/signal.c 2011-01-04 19:50:19.000000000 -0500
13905 +++ linux-2.6.37/arch/x86/kernel/signal.c 2011-01-17 02:41:01.000000000 -0500
13906 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
13907 * Align the stack pointer according to the i386 ABI,
13908 * i.e. so that on function entry ((sp + 4) & 15) == 0.
13910 - sp = ((sp + 4) & -16ul) - 4;
13911 + sp = ((sp - 12) & -16ul) - 4;
13912 #else /* !CONFIG_X86_32 */
13913 sp = round_down(sp, 16) - 8;
13915 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13916 * Return an always-bogus address instead so we will die with SIGSEGV.
13918 if (onsigstack && !likely(on_sig_stack(sp)))
13919 - return (void __user *)-1L;
13920 + return (__force void __user *)-1L;
13922 /* save i387 state */
13923 if (used_math() && save_i387_xstate(*fpstate) < 0)
13924 - return (void __user *)-1L;
13925 + return (__force void __user *)-1L;
13927 return (void __user *)sp;
13929 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
13932 if (current->mm->context.vdso)
13933 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13934 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13936 - restorer = &frame->retcode;
13937 + restorer = (void __user *)&frame->retcode;
13938 if (ka->sa.sa_flags & SA_RESTORER)
13939 restorer = ka->sa.sa_restorer;
13941 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13942 * reasons and because gdb uses it as a signature to notice
13943 * signal handler stack frames.
13945 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13946 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13950 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
13951 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13953 /* Set up to return from userspace. */
13954 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13955 + if (current->mm->context.vdso)
13956 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13958 + restorer = (void __user *)&frame->retcode;
13959 if (ka->sa.sa_flags & SA_RESTORER)
13960 restorer = ka->sa.sa_restorer;
13961 put_user_ex(restorer, &frame->pretcode);
13962 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
13963 * reasons and because gdb uses it as a signature to notice
13964 * signal handler stack frames.
13966 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13967 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13968 } put_user_catch(err);
13971 @@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re
13972 * X86_32: vm86 regs switched out by assembly code before reaching
13973 * here, so testing against kernel CS suffices.
13975 - if (!user_mode(regs))
13976 + if (!user_mode_novm(regs))
13979 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
13980 diff -urNp linux-2.6.37/arch/x86/kernel/smpboot.c linux-2.6.37/arch/x86/kernel/smpboot.c
13981 --- linux-2.6.37/arch/x86/kernel/smpboot.c 2011-01-04 19:50:19.000000000 -0500
13982 +++ linux-2.6.37/arch/x86/kernel/smpboot.c 2011-01-17 02:41:01.000000000 -0500
13983 @@ -786,7 +786,11 @@ do_rest:
13984 (unsigned long)task_stack_page(c_idle.idle) -
13985 KERNEL_STACK_OFFSET + THREAD_SIZE;
13988 + pax_open_kernel();
13989 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13990 + pax_close_kernel();
13992 initial_code = (unsigned long)start_secondary;
13993 stack_start.sp = (void *) c_idle.idle->thread.sp;
13995 @@ -926,6 +930,12 @@ int __cpuinit native_cpu_up(unsigned int
13997 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13999 +#ifdef CONFIG_PAX_PER_CPU_PGD
14000 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
14001 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
14002 + KERNEL_PGD_PTRS);
14005 err = do_boot_cpu(apicid, cpu);
14007 pr_debug("do_boot_cpu failed %d\n", err);
14008 diff -urNp linux-2.6.37/arch/x86/kernel/step.c linux-2.6.37/arch/x86/kernel/step.c
14009 --- linux-2.6.37/arch/x86/kernel/step.c 2011-01-04 19:50:19.000000000 -0500
14010 +++ linux-2.6.37/arch/x86/kernel/step.c 2011-01-17 02:41:01.000000000 -0500
14011 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
14012 struct desc_struct *desc;
14013 unsigned long base;
14018 mutex_lock(&child->mm->context.lock);
14019 - if (unlikely((seg >> 3) >= child->mm->context.size))
14020 + if (unlikely(seg >= child->mm->context.size))
14021 addr = -1L; /* bogus selector, access would fault */
14023 desc = child->mm->context.ldt + seg;
14024 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
14027 mutex_unlock(&child->mm->context.lock);
14029 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
14030 + addr = ktla_ktva(addr);
14034 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
14035 unsigned char opcode[15];
14036 unsigned long addr = convert_ip_to_linear(child, regs);
14038 + if (addr == -EINVAL)
14041 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
14042 for (i = 0; i < copied; i++) {
14043 switch (opcode[i]) {
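Review bot: The added guard `if (addr == -EINVAL)` tests for a value that the visible part of `convert_ip_to_linear()` never produces: its bogus-selector branch in the first hunk of this file sets `addr = -1L`, which is not `-EINVAL`. Unless a path outside these hunks returns `-EINVAL`, a rejected LDT selector still reaches `access_process_vm()` with address `-1L`. Matching the sentinel on one side, e.g. `if (addr == -1L)` here, would make the check effective, and a named constant shared by both functions would keep them in sync. The statement under the `if` is not visible in this view, and `is_setting_trap_flag()` continues outside the hunk.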
14044 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
14046 #ifdef CONFIG_X86_64
14047 case 0x40 ... 0x4f:
14048 - if (regs->cs != __USER_CS)
14049 + if ((regs->cs & 0xffff) != __USER_CS)
14050 /* 32-bit mode: register increment */
14052 /* 64-bit mode: REX prefix */
14053 diff -urNp linux-2.6.37/arch/x86/kernel/syscall_table_32.S linux-2.6.37/arch/x86/kernel/syscall_table_32.S
14054 --- linux-2.6.37/arch/x86/kernel/syscall_table_32.S 2011-01-04 19:50:19.000000000 -0500
14055 +++ linux-2.6.37/arch/x86/kernel/syscall_table_32.S 2011-01-17 02:41:01.000000000 -0500
14057 +.section .rodata,"a",@progbits
14058 ENTRY(sys_call_table)
14059 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
14061 diff -urNp linux-2.6.37/arch/x86/kernel/sys_i386_32.c linux-2.6.37/arch/x86/kernel/sys_i386_32.c
14062 --- linux-2.6.37/arch/x86/kernel/sys_i386_32.c 2011-01-04 19:50:19.000000000 -0500
14063 +++ linux-2.6.37/arch/x86/kernel/sys_i386_32.c 2011-01-17 02:41:01.000000000 -0500
14064 @@ -24,17 +24,224 @@
14066 #include <asm/syscalls.h>
14069 - * Do a system call from kernel instead of calling sys_execve so we
14070 - * end up with proper pt_regs.
14072 -int kernel_execve(const char *filename,
14073 - const char *const argv[],
14074 - const char *const envp[])
14075 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
14078 - asm volatile ("int $0x80"
14080 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
14082 + unsigned long pax_task_size = TASK_SIZE;
14084 +#ifdef CONFIG_PAX_SEGMEXEC
14085 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
14086 + pax_task_size = SEGMEXEC_TASK_SIZE;
14089 + if (len > pax_task_size || addr > pax_task_size - len)
14096 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
14097 + unsigned long len, unsigned long pgoff, unsigned long flags)
14099 + struct mm_struct *mm = current->mm;
14100 + struct vm_area_struct *vma;
14101 + unsigned long start_addr, pax_task_size = TASK_SIZE;
14103 +#ifdef CONFIG_PAX_SEGMEXEC
14104 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14105 + pax_task_size = SEGMEXEC_TASK_SIZE;
14108 + pax_task_size -= PAGE_SIZE;
14110 + if (len > pax_task_size)
14113 + if (flags & MAP_FIXED)
14116 +#ifdef CONFIG_PAX_RANDMMAP
14117 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14121 + addr = PAGE_ALIGN(addr);
14122 + if (pax_task_size - len >= addr) {
14123 + vma = find_vma(mm, addr);
14124 + if (check_heap_stack_gap(vma, addr, len))
14128 + if (len > mm->cached_hole_size) {
14129 + start_addr = addr = mm->free_area_cache;
14131 + start_addr = addr = mm->mmap_base;
14132 + mm->cached_hole_size = 0;
14135 +#ifdef CONFIG_PAX_PAGEEXEC
14136 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
14137 + start_addr = 0x00110000UL;
14139 +#ifdef CONFIG_PAX_RANDMMAP
14140 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14141 + start_addr += mm->delta_mmap & 0x03FFF000UL;
14144 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
14145 + start_addr = addr = mm->mmap_base;
14147 + addr = start_addr;
14152 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
14153 + /* At this point: (!vma || addr < vma->vm_end). */
14154 + if (pax_task_size - len < addr) {
14156 + * Start a new search - just in case we missed
14159 + if (start_addr != mm->mmap_base) {
14160 + start_addr = addr = mm->mmap_base;
14161 + mm->cached_hole_size = 0;
14162 + goto full_search;
14166 + if (check_heap_stack_gap(vma, addr, len))
14168 + if (addr + mm->cached_hole_size < vma->vm_start)
14169 + mm->cached_hole_size = vma->vm_start - addr;
14170 + addr = vma->vm_end;
14171 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
14172 + start_addr = addr = mm->mmap_base;
14173 + mm->cached_hole_size = 0;
14174 + goto full_search;
14179 + * Remember the place where we stopped the search:
14181 + mm->free_area_cache = addr + len;
14186 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
14187 + const unsigned long len, const unsigned long pgoff,
14188 + const unsigned long flags)
14190 + struct vm_area_struct *vma;
14191 + struct mm_struct *mm = current->mm;
14192 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
14194 +#ifdef CONFIG_PAX_SEGMEXEC
14195 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14196 + pax_task_size = SEGMEXEC_TASK_SIZE;
14199 + pax_task_size -= PAGE_SIZE;
14201 + /* requested length too big for entire address space */
14202 + if (len > pax_task_size)
14205 + if (flags & MAP_FIXED)
14208 +#ifdef CONFIG_PAX_PAGEEXEC
14209 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
14213 +#ifdef CONFIG_PAX_RANDMMAP
14214 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14217 + /* requesting a specific address */
14219 + addr = PAGE_ALIGN(addr);
14220 + if (pax_task_size - len >= addr) {
14221 + vma = find_vma(mm, addr);
14222 + if (check_heap_stack_gap(vma, addr, len))
14227 + /* check if free_area_cache is useful for us */
14228 + if (len <= mm->cached_hole_size) {
14229 + mm->cached_hole_size = 0;
14230 + mm->free_area_cache = mm->mmap_base;
14233 + /* either no address requested or can't fit in requested address hole */
14234 + addr = mm->free_area_cache;
14236 + /* make sure it can fit in the remaining address space */
14237 + if (addr > len) {
14238 + vma = find_vma(mm, addr-len);
14239 + if (check_heap_stack_gap(vma, addr - len, len))
14240 + /* remember the address as a hint for next time */
14241 + return (mm->free_area_cache = addr-len);
14244 + if (mm->mmap_base < len)
14247 + addr = mm->mmap_base-len;
14251 + * Lookup failure means no vma is above this address,
14252 + * else if new region fits below vma->vm_start,
14253 + * return with success:
14255 + vma = find_vma(mm, addr);
14256 + if (check_heap_stack_gap(vma, addr, len))
14257 + /* remember the address as a hint for next time */
14258 + return (mm->free_area_cache = addr);
14260 + /* remember the largest hole we saw so far */
14261 + if (addr + mm->cached_hole_size < vma->vm_start)
14262 + mm->cached_hole_size = vma->vm_start - addr;
14264 + /* try just below the current vma->vm_start */
14265 + addr = vma->vm_start-len;
14266 + } while (len < vma->vm_start);
14270 + * A failed mmap() very likely causes application failure,
14271 + * so fall back to the bottom-up function here. This scenario
14272 + * can happen with large stack limits and large mmap()
14276 +#ifdef CONFIG_PAX_SEGMEXEC
14277 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14278 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14282 + mm->mmap_base = TASK_UNMAPPED_BASE;
14284 +#ifdef CONFIG_PAX_RANDMMAP
14285 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14286 + mm->mmap_base += mm->delta_mmap;
14289 + mm->free_area_cache = mm->mmap_base;
14290 + mm->cached_hole_size = ~0UL;
14291 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14293 + * Restore the topdown base:
14295 + mm->mmap_base = base;
14296 + mm->free_area_cache = base;
14297 + mm->cached_hole_size = ~0UL;
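Review bot: Both search loops dereference `vma->vm_start` right after `check_heap_stack_gap(vma, addr, len)` returns false (the `cached_hole_size` updates in `arch_get_unmapped_area()` and `arch_get_unmapped_area_topdown()`), so they are only safe if that helper returns true for a NULL `vma`. The helper is defined outside this hunk; the sys_x86_64.c hunks that replace `!vma || addr + len <= vma->vm_start` with the same call suggest it does, but nothing here states it. I would add `/* check_heap_stack_gap() succeeds for !vma, so vma is non-NULL from here on */` at the first dereference in each loop, and make sure the helper's own comment spells out the NULL case. The constants `0x00110000UL` and `0x03FFF000UL` in the PAGEEXEC branch also deserve a short comment on what they bound.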
14301 diff -urNp linux-2.6.37/arch/x86/kernel/sys_x86_64.c linux-2.6.37/arch/x86/kernel/sys_x86_64.c
14302 --- linux-2.6.37/arch/x86/kernel/sys_x86_64.c 2011-01-04 19:50:19.000000000 -0500
14303 +++ linux-2.6.37/arch/x86/kernel/sys_x86_64.c 2011-01-17 02:41:01.000000000 -0500
14304 @@ -32,8 +32,8 @@ out:
14308 -static void find_start_end(unsigned long flags, unsigned long *begin,
14309 - unsigned long *end)
14310 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
14311 + unsigned long *begin, unsigned long *end)
14313 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
14314 unsigned long new_begin;
14315 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
14316 *begin = new_begin;
14319 - *begin = TASK_UNMAPPED_BASE;
14320 + *begin = mm->mmap_base;
14324 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
14325 if (flags & MAP_FIXED)
14328 - find_start_end(flags, &begin, &end);
14329 + find_start_end(mm, flags, &begin, &end);
14334 +#ifdef CONFIG_PAX_RANDMMAP
14335 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14339 addr = PAGE_ALIGN(addr);
14340 vma = find_vma(mm, addr);
14341 - if (end - len >= addr &&
14342 - (!vma || addr + len <= vma->vm_start))
14343 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
14346 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
14347 @@ -106,7 +109,7 @@ full_search:
14351 - if (!vma || addr + len <= vma->vm_start) {
14352 + if (check_heap_stack_gap(vma, addr, len)) {
14354 * Remember the place where we stopped the search:
14356 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
14358 struct vm_area_struct *vma;
14359 struct mm_struct *mm = current->mm;
14360 - unsigned long addr = addr0;
14361 + unsigned long base = mm->mmap_base, addr = addr0;
14363 /* requested length too big for entire address space */
14364 if (len > TASK_SIZE)
14365 @@ -141,12 +144,15 @@ arch_get_unmapped_area_topdown(struct fi
14366 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
14369 +#ifdef CONFIG_PAX_RANDMMAP
14370 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14373 /* requesting a specific address */
14375 addr = PAGE_ALIGN(addr);
14376 vma = find_vma(mm, addr);
14377 - if (TASK_SIZE - len >= addr &&
14378 - (!vma || addr + len <= vma->vm_start))
14379 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
14383 @@ -162,7 +168,7 @@ arch_get_unmapped_area_topdown(struct fi
14384 /* make sure it can fit in the remaining address space */
14386 vma = find_vma(mm, addr-len);
14387 - if (!vma || addr <= vma->vm_start)
14388 + if (check_heap_stack_gap(vma, addr - len, len))
14389 /* remember the address as a hint for next time */
14390 return mm->free_area_cache = addr-len;
14392 @@ -179,7 +185,7 @@ arch_get_unmapped_area_topdown(struct fi
14393 * return with success:
14395 vma = find_vma(mm, addr);
14396 - if (!vma || addr+len <= vma->vm_start)
14397 + if (check_heap_stack_gap(vma, addr, len))
14398 /* remember the address as a hint for next time */
14399 return mm->free_area_cache = addr;
14401 @@ -198,13 +204,21 @@ bottomup:
14402 * can happen with large stack limits and large mmap()
14405 + mm->mmap_base = TASK_UNMAPPED_BASE;
14407 +#ifdef CONFIG_PAX_RANDMMAP
14408 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14409 + mm->mmap_base += mm->delta_mmap;
14412 + mm->free_area_cache = mm->mmap_base;
14413 mm->cached_hole_size = ~0UL;
14414 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14415 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14417 * Restore the topdown base:
14419 - mm->free_area_cache = mm->mmap_base;
14420 + mm->mmap_base = base;
14421 + mm->free_area_cache = base;
14422 mm->cached_hole_size = ~0UL;
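Review bot: The fallback now overwrites `mm->mmap_base` for the duration of the `arch_get_unmapped_area()` call and restores it from `base` afterwards, which is only safe while nothing else can read `mm->mmap_base` in between. That presumably holds because the caller has `mmap_sem` taken for writing, but the hunk does not say so; a comment above the assignment such as `/* mmap_base is switched temporarily; caller holds mmap_sem for writing */` would record it. The same sequence is added to `arch_get_unmapped_area_topdown()` in sys_i386_32.c. The function body continues outside this hunk.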
14425 diff -urNp linux-2.6.37/arch/x86/kernel/time.c linux-2.6.37/arch/x86/kernel/time.c
14426 --- linux-2.6.37/arch/x86/kernel/time.c 2011-01-04 19:50:19.000000000 -0500
14427 +++ linux-2.6.37/arch/x86/kernel/time.c 2011-01-17 02:41:01.000000000 -0500
14428 @@ -26,17 +26,13 @@
14432 -#ifdef CONFIG_X86_64
14433 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14436 unsigned long profile_pc(struct pt_regs *regs)
14438 unsigned long pc = instruction_pointer(regs);
14440 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14441 + if (!user_mode(regs) && in_lock_functions(pc)) {
14442 #ifdef CONFIG_FRAME_POINTER
14443 - return *(unsigned long *)(regs->bp + sizeof(long));
14444 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14446 unsigned long *sp =
14447 (unsigned long *)kernel_stack_pointer(regs);
14448 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
14449 * or above a saved flags. Eflags has bits 22-31 zero,
14450 * kernel addresses don't.
14453 +#ifdef CONFIG_PAX_KERNEXEC
14454 + return ktla_ktva(sp[0]);
14466 diff -urNp linux-2.6.37/arch/x86/kernel/tls.c linux-2.6.37/arch/x86/kernel/tls.c
14467 --- linux-2.6.37/arch/x86/kernel/tls.c 2011-01-04 19:50:19.000000000 -0500
14468 +++ linux-2.6.37/arch/x86/kernel/tls.c 2011-01-17 02:41:01.000000000 -0500
14469 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14470 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14473 +#ifdef CONFIG_PAX_SEGMEXEC
14474 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14478 set_tls_desc(p, idx, &info, 1);
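Review bot: The added SEGMEXEC test dereferences `p->mm` without checking it, while the PAGEEXEC block this patch adds to `do_general_protection()` in traps.c guards the same kind of access with `tsk->mm &&`. Whether `do_set_thread_area()` can be called for a task that has no mm is not visible here; if it can, the condition should read `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))`. The statement executed when the test matches falls on a line not shown in this view, and the function continues outside the hunk.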
14481 diff -urNp linux-2.6.37/arch/x86/kernel/trampoline_32.S linux-2.6.37/arch/x86/kernel/trampoline_32.S
14482 --- linux-2.6.37/arch/x86/kernel/trampoline_32.S 2011-01-04 19:50:19.000000000 -0500
14483 +++ linux-2.6.37/arch/x86/kernel/trampoline_32.S 2011-01-17 02:41:01.000000000 -0500
14485 #include <asm/segment.h>
14486 #include <asm/page_types.h>
14488 +#ifdef CONFIG_PAX_KERNEXEC
14491 +#define ta(X) ((X) - __PAGE_OFFSET)
14494 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14497 @@ -60,7 +66,7 @@ r_base = .
14498 inc %ax # protected mode (PE) bit
14499 lmsw %ax # into protected mode
14500 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14501 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14502 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
14504 # These need to be in the same 64K segment as the above;
14505 # hence we don't use the boot_gdt_descr defined in head.S
14506 diff -urNp linux-2.6.37/arch/x86/kernel/trampoline_64.S linux-2.6.37/arch/x86/kernel/trampoline_64.S
14507 --- linux-2.6.37/arch/x86/kernel/trampoline_64.S 2011-01-04 19:50:19.000000000 -0500
14508 +++ linux-2.6.37/arch/x86/kernel/trampoline_64.S 2011-01-17 02:41:01.000000000 -0500
14509 @@ -91,7 +91,7 @@ startup_32:
14510 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
14513 - movl $X86_CR4_PAE, %eax
14514 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
14515 movl %eax, %cr4 # Enable PAE mode
14517 # Setup trampoline 4 level pagetables
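Review bot: The trailing comment `# Enable PAE mode` on the `movl %eax, %cr4` line no longer matches what is loaded, because the new value also sets `X86_CR4_PSE` and `X86_CR4_PGE`. Updating it to something like `# Enable PSE, PAE and PGE` keeps the comment truthful, and a short note on why the trampoline needs large and global pages this early would help the next reader. `startup_32` continues outside the hunk.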
14518 @@ -138,7 +138,7 @@ tidt:
14519 # so the kernel can live anywhere
14522 - .short tgdt_end - tgdt # gdt limit
14523 + .short tgdt_end - tgdt - 1 # gdt limit
14524 .long tgdt - r_base
14526 .quad 0x00cf9b000000ffff # __KERNEL32_CS
14527 diff -urNp linux-2.6.37/arch/x86/kernel/traps.c linux-2.6.37/arch/x86/kernel/traps.c
14528 --- linux-2.6.37/arch/x86/kernel/traps.c 2011-01-04 19:50:19.000000000 -0500
14529 +++ linux-2.6.37/arch/x86/kernel/traps.c 2011-01-17 02:41:01.000000000 -0500
14530 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14532 /* Do we ignore FPU interrupts ? */
14533 char ignore_fpu_irq;
14536 - * The IDT has to be page-aligned to simplify the Pentium
14537 - * F0 0F bug workaround.
14539 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14542 DECLARE_BITMAP(used_vectors, NR_VECTORS);
14543 @@ -110,13 +104,13 @@ static inline void preempt_conditional_c
14546 static void __kprobes
14547 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14548 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14549 long error_code, siginfo_t *info)
14551 struct task_struct *tsk = current;
14553 #ifdef CONFIG_X86_32
14554 - if (regs->flags & X86_VM_MASK) {
14555 + if (v8086_mode(regs)) {
14557 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14558 * On nmi (interrupt 2), do_trap should not be called.
14559 @@ -127,7 +121,7 @@ do_trap(int trapnr, int signr, char *str
14563 - if (!user_mode(regs))
14564 + if (!user_mode_novm(regs))
14567 #ifdef CONFIG_X86_32
14568 @@ -150,7 +144,7 @@ trap_signal:
14569 printk_ratelimit()) {
14571 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14572 - tsk->comm, tsk->pid, str,
14573 + tsk->comm, task_pid_nr(tsk), str,
14574 regs->ip, regs->sp, error_code);
14575 print_vma_addr(" in ", regs->ip);
14577 @@ -167,8 +161,20 @@ kernel_trap:
14578 if (!fixup_exception(regs)) {
14579 tsk->thread.error_code = error_code;
14580 tsk->thread.trap_no = trapnr;
14582 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14583 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14584 + str = "PAX: suspicious stack segment fault";
14587 die(str, regs, error_code);
14590 +#ifdef CONFIG_PAX_REFCOUNT
14592 + pax_report_refcount_overflow(regs);
14597 #ifdef CONFIG_X86_32
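Review bot: The check `trapnr == 12` uses a bare vector number, and the code-segment test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is written out again in the `gp_in_kernel` hunk further down. A comment such as `/* 12: stack-segment fault (#SS) */` would explain the number, and a small static inline predicate taking `regs` would keep the two KERNEXEC reports from drifting apart. The condition guarding `pax_report_refcount_overflow(regs)` is on a line not shown here, so I cannot tell which trap number it keys on; it deserves the same kind of comment. `do_trap()` starts outside this hunk.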
14598 @@ -257,14 +263,30 @@ do_general_protection(struct pt_regs *re
14599 conditional_sti(regs);
14601 #ifdef CONFIG_X86_32
14602 - if (regs->flags & X86_VM_MASK)
14603 + if (v8086_mode(regs))
14608 - if (!user_mode(regs))
14609 + if (!user_mode_novm(regs))
14612 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14613 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14614 + struct mm_struct *mm = tsk->mm;
14615 + unsigned long limit;
14617 + down_write(&mm->mmap_sem);
14618 + limit = mm->context.user_cs_limit;
14619 + if (limit < TASK_SIZE) {
14620 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14621 + up_write(&mm->mmap_sem);
14624 + up_write(&mm->mmap_sem);
14628 tsk->thread.error_code = error_code;
14629 tsk->thread.trap_no = 13;
14631 @@ -297,6 +319,13 @@ gp_in_kernel:
14632 if (notify_die(DIE_GPF, "general protection fault", regs,
14633 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14636 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14637 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14638 + die("PAX: suspicious general protection fault", regs, error_code);
14642 die("general protection fault", regs, error_code);
14645 @@ -572,7 +601,7 @@ dotraplinkage void __kprobes do_debug(st
14646 /* It's safe to allow irq's after DR6 has been saved */
14647 preempt_conditional_sti(regs);
14649 - if (regs->flags & X86_VM_MASK) {
14650 + if (v8086_mode(regs)) {
14651 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14653 preempt_conditional_cli(regs);
14654 @@ -586,7 +615,7 @@ dotraplinkage void __kprobes do_debug(st
14655 * We already checked v86 mode above, so we can check for kernel mode
14656 * by just checking the CPL of CS.
14658 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
14659 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14660 tsk->thread.debugreg6 &= ~DR_STEP;
14661 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14662 regs->flags &= ~X86_EFLAGS_TF;
14663 @@ -615,7 +644,7 @@ void math_error(struct pt_regs *regs, in
14665 conditional_sti(regs);
14667 - if (!user_mode_vm(regs))
14668 + if (!user_mode(regs))
14670 if (!fixup_exception(regs)) {
14671 task->thread.error_code = error_code;
14672 diff -urNp linux-2.6.37/arch/x86/kernel/tsc.c linux-2.6.37/arch/x86/kernel/tsc.c
14673 --- linux-2.6.37/arch/x86/kernel/tsc.c 2011-01-04 19:50:19.000000000 -0500
14674 +++ linux-2.6.37/arch/x86/kernel/tsc.c 2011-01-17 02:41:01.000000000 -0500
14675 @@ -837,7 +837,7 @@ static struct dmi_system_id __initdata b
14676 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14680 + { NULL, NULL, {{0, {0}}}, NULL}
14683 static void __init check_system_tsc_reliable(void)
14684 diff -urNp linux-2.6.37/arch/x86/kernel/vm86_32.c linux-2.6.37/arch/x86/kernel/vm86_32.c
14685 --- linux-2.6.37/arch/x86/kernel/vm86_32.c 2011-01-04 19:50:19.000000000 -0500
14686 +++ linux-2.6.37/arch/x86/kernel/vm86_32.c 2011-01-17 02:41:01.000000000 -0500
14688 #include <linux/ptrace.h>
14689 #include <linux/audit.h>
14690 #include <linux/stddef.h>
14691 +#include <linux/grsecurity.h>
14693 #include <asm/uaccess.h>
14694 #include <asm/io.h>
14695 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14699 - tss = &per_cpu(init_tss, get_cpu());
14700 + tss = init_tss + get_cpu();
14701 current->thread.sp0 = current->thread.saved_sp0;
14702 current->thread.sysenter_cs = __KERNEL_CS;
14703 load_sp0(tss, ¤t->thread);
14704 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
14705 struct task_struct *tsk;
14706 int tmp, ret = -EPERM;
14708 +#ifdef CONFIG_GRKERNSEC_VM86
14709 + if (!capable(CAP_SYS_RAWIO)) {
14710 + gr_handle_vm86();
14716 if (tsk->thread.saved_sp0)
14718 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
14720 struct vm86plus_struct __user *v86;
14722 +#ifdef CONFIG_GRKERNSEC_VM86
14723 + if (!capable(CAP_SYS_RAWIO)) {
14724 + gr_handle_vm86();
14732 case VM86_REQUEST_IRQ:
14733 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
14734 tsk->thread.saved_fs = info->regs32->fs;
14735 tsk->thread.saved_gs = get_user_gs(info->regs32);
14737 - tss = &per_cpu(init_tss, get_cpu());
14738 + tss = init_tss + get_cpu();
14739 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14741 tsk->thread.sysenter_cs = 0;
14742 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
14743 goto cannot_handle;
14744 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14745 goto cannot_handle;
14746 - intr_ptr = (unsigned long __user *) (i << 2);
14747 + intr_ptr = (__force unsigned long __user *) (i << 2);
14748 if (get_user(segoffs, intr_ptr))
14749 goto cannot_handle;
14750 if ((segoffs >> 16) == BIOSSEG)
14751 diff -urNp linux-2.6.37/arch/x86/kernel/vmlinux.lds.S linux-2.6.37/arch/x86/kernel/vmlinux.lds.S
14752 --- linux-2.6.37/arch/x86/kernel/vmlinux.lds.S 2011-01-04 19:50:19.000000000 -0500
14753 +++ linux-2.6.37/arch/x86/kernel/vmlinux.lds.S 2011-01-17 02:41:01.000000000 -0500
14755 #include <asm/page_types.h>
14756 #include <asm/cache.h>
14757 #include <asm/boot.h>
14758 +#include <asm/segment.h>
14760 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14761 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14763 +#define __KERNEL_TEXT_OFFSET 0
14766 #undef i386 /* in case the preprocessor is a 32bit one */
14768 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
14769 #ifdef CONFIG_X86_32
14771 ENTRY(phys_startup_32)
14772 -jiffies = jiffies_64;
14774 OUTPUT_ARCH(i386:x86-64)
14775 ENTRY(phys_startup_64)
14776 -jiffies_64 = jiffies;
14779 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14780 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
14783 text PT_LOAD FLAGS(5); /* R_E */
14784 - data PT_LOAD FLAGS(7); /* RWE */
14785 +#ifdef CONFIG_X86_32
14786 + module PT_LOAD FLAGS(5); /* R_E */
14789 + rodata PT_LOAD FLAGS(5); /* R_E */
14791 + rodata PT_LOAD FLAGS(4); /* R__ */
14793 + data PT_LOAD FLAGS(6); /* RW_ */
14794 #ifdef CONFIG_X86_64
14795 user PT_LOAD FLAGS(5); /* R_E */
14797 + init.begin PT_LOAD FLAGS(6); /* RW_ */
14799 percpu PT_LOAD FLAGS(6); /* RW_ */
14801 + text.init PT_LOAD FLAGS(5); /* R_E */
14802 + text.exit PT_LOAD FLAGS(5); /* R_E */
14803 init PT_LOAD FLAGS(7); /* RWE */
14805 note PT_NOTE FLAGS(0); /* ___ */
14810 #ifdef CONFIG_X86_32
14811 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14812 - phys_startup_32 = startup_32 - LOAD_OFFSET;
14813 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14815 - . = __START_KERNEL;
14816 - phys_startup_64 = startup_64 - LOAD_OFFSET;
14817 + . = __START_KERNEL;
14820 /* Text and read-only data */
14821 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
14823 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14824 /* bootstrapping code */
14825 +#ifdef CONFIG_X86_32
14826 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14828 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14830 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14833 #ifdef CONFIG_X86_32
14834 . = ALIGN(PAGE_SIZE);
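Review bot: The `init` program header keeps `FLAGS(7)` (RWE) even though this hunk adds separate `text.init` and `text.exit` headers with `FLAGS(5)` and tightens `data` from 7 to 6. If no executable input section is still assigned to `:init` after the later `INIT_DATA_SECTION(16) :init` change, the header could be `init PT_LOAD FLAGS(6); /* RW_ */` so that no segment is both writable and executable; that depends on section assignments I cannot fully see in this view. If it has to stay RWE, a comment saying which section needs it would be useful. The `SECTIONS` block continues past this hunk.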
14835 @@ -108,13 +128,47 @@ SECTIONS
14839 - /* End of text section */
14843 - NOTES :text :note
14844 + . += __KERNEL_TEXT_OFFSET;
14846 +#ifdef CONFIG_X86_32
14847 + . = ALIGN(PAGE_SIZE);
14848 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
14850 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
14851 + MODULES_EXEC_VADDR = .;
14853 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
14854 + . = ALIGN(HPAGE_SIZE);
14855 + MODULES_EXEC_END = . - 1;
14861 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
14862 + /* End of text section */
14863 + _etext = . - __KERNEL_TEXT_OFFSET;
14866 - EXCEPTION_TABLE(16) :text = 0x9090
14867 +#ifdef CONFIG_X86_32
14868 + . = ALIGN(PAGE_SIZE);
14869 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14871 + . = ALIGN(PAGE_SIZE);
14872 + *(.empty_zero_page)
14873 + *(.initial_pg_fixmap)
14874 + *(.initial_pg_pmd)
14875 + *(.initial_page_table)
14876 + *(.swapper_pg_dir)
14880 + . = ALIGN(PAGE_SIZE);
14881 + NOTES :rodata :note
14883 + EXCEPTION_TABLE(16) :rodata
14885 X64_ALIGN_DEBUG_RODATA_BEGIN
14887 @@ -122,16 +176,20 @@ SECTIONS
14890 .data : AT(ADDR(.data) - LOAD_OFFSET) {
14892 +#ifdef CONFIG_PAX_KERNEXEC
14893 + . = ALIGN(HPAGE_SIZE);
14895 + . = ALIGN(PAGE_SIZE);
14898 /* Start of data section */
14902 INIT_TASK_DATA(THREAD_SIZE)
14904 -#ifdef CONFIG_X86_32
14905 - /* 32 bit has nosave before _edata */
14909 PAGE_ALIGNED_DATA(PAGE_SIZE)
14911 @@ -140,6 +198,8 @@ SECTIONS
14915 + jiffies = jiffies_64;
14917 /* rarely changed data like cpu maps */
14918 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
14920 @@ -194,12 +254,6 @@ SECTIONS
14922 vgetcpu_mode = VVIRT(.vgetcpu_mode);
14924 - . = ALIGN(L1_CACHE_BYTES);
14925 - .jiffies : AT(VLOAD(.jiffies)) {
14928 - jiffies = VVIRT(.jiffies);
14930 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14933 @@ -215,12 +269,19 @@ SECTIONS
14934 #endif /* CONFIG_X86_64 */
14936 /* Init code and data - will be freed after init */
14937 - . = ALIGN(PAGE_SIZE);
14938 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14941 +#ifdef CONFIG_PAX_KERNEXEC
14942 + . = ALIGN(HPAGE_SIZE);
14944 + . = ALIGN(PAGE_SIZE);
14947 __init_begin = .; /* paired with __init_end */
14951 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
14954 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
14955 * output PHDR, so the next output section - .init.text - should
14956 @@ -229,12 +290,27 @@ SECTIONS
14957 PERCPU_VADDR(0, :percpu)
14960 - INIT_TEXT_SECTION(PAGE_SIZE)
14961 -#ifdef CONFIG_X86_64
14964 + . = ALIGN(PAGE_SIZE);
14966 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
14967 + VMLINUX_SYMBOL(_sinittext) = .;
14969 + VMLINUX_SYMBOL(_einittext) = .;
14970 + . = ALIGN(PAGE_SIZE);
14973 - INIT_DATA_SECTION(16)
14975 + * .exit.text is discard at runtime, not link time, to deal with
14976 + * references from .altinstructions and .eh_frame
14978 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14982 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
14984 + . = ALIGN(PAGE_SIZE);
14985 + INIT_DATA_SECTION(16) :init
14987 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
14988 __x86_cpu_dev_start = .;
14989 @@ -288,19 +364,12 @@ SECTIONS
14990 __iommu_table_end = .;
14994 - * .exit.text is discard at runtime, not link time, to deal with
14995 - * references from .altinstructions and .eh_frame
14997 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
15001 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
15005 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
15006 +#ifndef CONFIG_SMP
15007 PERCPU(THREAD_SIZE)
15010 @@ -319,16 +388,10 @@ SECTIONS
15011 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
15014 - . = ALIGN(PAGE_SIZE);
15015 __smp_locks_end = .;
15016 + . = ALIGN(PAGE_SIZE);
15019 -#ifdef CONFIG_X86_64
15020 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
15026 . = ALIGN(PAGE_SIZE);
15027 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
15028 @@ -344,6 +407,7 @@ SECTIONS
15030 . += 64 * 1024; /* 64k alignment slop space */
15031 *(.brk_reservation) /* areas brk users have reserved */
15032 + . = ALIGN(HPAGE_SIZE);
15036 @@ -370,13 +434,12 @@ SECTIONS
15037 * for the boot processor.
15039 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
15040 -INIT_PER_CPU(gdt_page);
15041 INIT_PER_CPU(irq_stack_union);
15044 * Build-time check on the image size:
15046 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
15047 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
15048 "kernel image bigger than KERNEL_IMAGE_SIZE");
15051 diff -urNp linux-2.6.37/arch/x86/kernel/vsyscall_64.c linux-2.6.37/arch/x86/kernel/vsyscall_64.c
15052 --- linux-2.6.37/arch/x86/kernel/vsyscall_64.c 2011-01-04 19:50:19.000000000 -0500
15053 +++ linux-2.6.37/arch/x86/kernel/vsyscall_64.c 2011-01-17 02:41:01.000000000 -0500
15054 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
15056 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
15057 /* copy vsyscall data */
15058 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
15059 vsyscall_gtod_data.clock.vread = clock->vread;
15060 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
15061 vsyscall_gtod_data.clock.mask = clock->mask;
15062 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
15063 We do this here because otherwise user space would do it on
15064 its own in a likely inferior way (no access to jiffies).
15065 If you don't like it pass NULL. */
15066 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
15067 + if (tcache && tcache->blob[0] == (j = jiffies)) {
15068 p = tcache->blob[1];
15069 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
15070 /* Load per CPU data from RDTSCP */
15071 diff -urNp linux-2.6.37/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.37/arch/x86/kernel/x8664_ksyms_64.c
15072 --- linux-2.6.37/arch/x86/kernel/x8664_ksyms_64.c 2011-01-04 19:50:19.000000000 -0500
15073 +++ linux-2.6.37/arch/x86/kernel/x8664_ksyms_64.c 2011-01-17 02:41:01.000000000 -0500
15074 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
15075 EXPORT_SYMBOL(copy_user_generic_string);
15076 EXPORT_SYMBOL(copy_user_generic_unrolled);
15077 EXPORT_SYMBOL(__copy_user_nocache);
15078 -EXPORT_SYMBOL(_copy_from_user);
15079 -EXPORT_SYMBOL(_copy_to_user);
15081 EXPORT_SYMBOL(copy_page);
15082 EXPORT_SYMBOL(clear_page);
15083 diff -urNp linux-2.6.37/arch/x86/kernel/xsave.c linux-2.6.37/arch/x86/kernel/xsave.c
15084 --- linux-2.6.37/arch/x86/kernel/xsave.c 2011-01-04 19:50:19.000000000 -0500
15085 +++ linux-2.6.37/arch/x86/kernel/xsave.c 2011-01-17 02:41:01.000000000 -0500
15086 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
15087 fx_sw_user->xstate_size > fx_sw_user->extended_size)
15090 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
15091 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
15092 fx_sw_user->extended_size -
15093 FP_XSTATE_MAGIC2_SIZE));
15095 @@ -267,7 +267,7 @@ fx_only:
15096 * the other extended state.
15098 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
15099 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
15100 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
15104 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
15106 err = restore_user_xstate(buf);
15108 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
15109 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
15111 if (unlikely(err)) {
15113 diff -urNp linux-2.6.37/arch/x86/kvm/emulate.c linux-2.6.37/arch/x86/kvm/emulate.c
15114 --- linux-2.6.37/arch/x86/kvm/emulate.c 2011-01-04 19:50:19.000000000 -0500
15115 +++ linux-2.6.37/arch/x86/kvm/emulate.c 2011-01-17 02:41:01.000000000 -0500
15117 #define Src2ImmByte (2<<29)
15118 #define Src2One (3<<29)
15119 #define Src2Imm (4<<29)
15120 -#define Src2Mask (7<<29)
15121 +#define Src2Mask (7U<<29)
15123 #define X2(x...) x, x
15124 #define X3(x...) X2(x), x
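Review bot: The context line `#define Src2Imm (4<<29)` just above the changed define still shifts a signed int into bit 31, which is the same signed-overflow problem this hunk fixes for `Src2Mask`. The value 4<<29 is 2^31 and is not representable in `int`, so the result is undefined in C99 and in practice a negative constant that sign-extends if it is ever combined with a wider flags word. I would make it `#define Src2Imm (4U<<29)` in the same change so the whole Src2 group is unsigned.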
15125 @@ -197,6 +197,7 @@ struct group_dual {
15127 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
15129 + unsigned long _tmp; \
15130 __asm__ __volatile__ ( \
15131 _PRE_EFLAGS("0", "4", "2") \
15132 _op _suffix " %"_x"3,%1; " \
15133 @@ -210,8 +211,6 @@ struct group_dual {
15134 /* Raw emulation: instruction has two explicit operands. */
15135 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
15137 - unsigned long _tmp; \
15139 switch ((_dst).bytes) { \
15141 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
15142 @@ -227,7 +226,6 @@ struct group_dual {
15144 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
15146 - unsigned long _tmp; \
15147 switch ((_dst).bytes) { \
15149 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
15150 diff -urNp linux-2.6.37/arch/x86/kvm/lapic.c linux-2.6.37/arch/x86/kvm/lapic.c
15151 --- linux-2.6.37/arch/x86/kvm/lapic.c 2011-01-04 19:50:19.000000000 -0500
15152 +++ linux-2.6.37/arch/x86/kvm/lapic.c 2011-01-17 02:41:01.000000000 -0500
15154 #define APIC_BUS_CYCLE_NS 1
15156 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
15157 -#define apic_debug(fmt, arg...)
15158 +#define apic_debug(fmt, arg...) do {} while (0)
15160 #define APIC_LVT_NUM 6
15161 /* 14 is the version for Xeon and Pentium 8.4.8*/
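Review bot: The stubbed `apic_debug` now expands to a proper statement but still throws its arguments away unchecked, so a format/argument mismatch at a call site goes unnoticed until someone re-enables the commented-out printk variant above it. `#define apic_debug(fmt, arg...) do { if (0) printk(KERN_WARNING fmt, ##arg); } while (0)` keeps the statement-safe form and lets the compiler type-check every call while generating no code.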
15162 diff -urNp linux-2.6.37/arch/x86/kvm/svm.c linux-2.6.37/arch/x86/kvm/svm.c
15163 --- linux-2.6.37/arch/x86/kvm/svm.c 2011-01-04 19:50:19.000000000 -0500
15164 +++ linux-2.6.37/arch/x86/kvm/svm.c 2011-01-17 02:41:01.000000000 -0500
15165 @@ -3023,7 +3023,11 @@ static void reload_tss(struct kvm_vcpu *
15166 int cpu = raw_smp_processor_id();
15168 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
15170 + pax_open_kernel();
15171 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
15172 + pax_close_kernel();
15177 @@ -3600,7 +3604,7 @@ static void svm_fpu_deactivate(struct kv
15178 update_cr0_intercept(svm);
15181 -static struct kvm_x86_ops svm_x86_ops = {
15182 +static const struct kvm_x86_ops svm_x86_ops = {
15183 .cpu_has_kvm_support = has_svm,
15184 .disabled_by_bios = is_disabled,
15185 .hardware_setup = svm_hardware_setup,
15186 diff -urNp linux-2.6.37/arch/x86/kvm/vmx.c linux-2.6.37/arch/x86/kvm/vmx.c
15187 --- linux-2.6.37/arch/x86/kvm/vmx.c 2011-01-04 19:50:19.000000000 -0500
15188 +++ linux-2.6.37/arch/x86/kvm/vmx.c 2011-01-17 02:41:01.000000000 -0500
15189 @@ -705,7 +705,11 @@ static void reload_tss(void)
15190 struct desc_struct *descs;
15192 descs = (void *)gdt->address;
15194 + pax_open_kernel();
15195 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
15196 + pax_close_kernel();
15201 @@ -1589,8 +1593,11 @@ static __init int hardware_setup(void)
15202 if (!cpu_has_vmx_flexpriority())
15203 flexpriority_enabled = 0;
15205 - if (!cpu_has_vmx_tpr_shadow())
15206 - kvm_x86_ops->update_cr8_intercept = NULL;
15207 + if (!cpu_has_vmx_tpr_shadow()) {
15208 + pax_open_kernel();
15209 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
15210 + pax_close_kernel();
15213 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15214 kvm_disable_largepages();
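Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a pointer this patch declares `const struct kvm_x86_ops *`, presumably into the `static const` vmx_x86_ops table constified further down in this file. Modifying an object defined const is undefined behaviour, so the code relies on the compiler not folding the initializer. The `void **` cast also discards the function-pointer type. At minimum the line needs a comment such as `/* ops table is const; this runtime patch needs the pax_open_kernel() window */`. A cleaner shape is to leave the table untouched and have the hook itself return early when `cpu_has_vmx_tpr_shadow()` is false. hardware_setup's body continues outside the hunk.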
15215 @@ -2575,7 +2582,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15216 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
15218 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15219 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15220 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15221 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15222 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
15223 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
15224 @@ -3959,6 +3966,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
15225 "jmp .Lkvm_vmx_return \n\t"
15226 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15227 ".Lkvm_vmx_return: "
15229 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15230 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15231 + ".Lkvm_vmx_return2: "
15234 /* Save guest registers, load host registers, keep flags */
15235 "xchg %0, (%%"R"sp) \n\t"
15236 "mov %%"R"ax, %c[rax](%0) \n\t"
15237 @@ -4005,6 +4018,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
15238 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15240 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15242 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15243 + ,[cs]"i"(__KERNEL_CS)
15247 , R"ax", R"bx", R"di", R"si"
15248 #ifdef CONFIG_X86_64
15249 @@ -4018,7 +4036,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15251 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
15253 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15254 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
15257 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
15258 @@ -4253,7 +4271,7 @@ static void vmx_set_supported_cpuid(u32
15262 -static struct kvm_x86_ops vmx_x86_ops = {
15263 +static const struct kvm_x86_ops vmx_x86_ops = {
15264 .cpu_has_kvm_support = cpu_has_kvm_support,
15265 .disabled_by_bios = vmx_disabled_by_bios,
15266 .hardware_setup = hardware_setup,
15267 diff -urNp linux-2.6.37/arch/x86/kvm/x86.c linux-2.6.37/arch/x86/kvm/x86.c
15268 --- linux-2.6.37/arch/x86/kvm/x86.c 2011-01-04 19:50:19.000000000 -0500
15269 +++ linux-2.6.37/arch/x86/kvm/x86.c 2011-01-17 02:41:01.000000000 -0500
15270 @@ -92,7 +92,7 @@ static void update_cr8_intercept(struct
15271 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15272 struct kvm_cpuid_entry2 __user *entries);
15274 -struct kvm_x86_ops *kvm_x86_ops;
15275 +const struct kvm_x86_ops *kvm_x86_ops;
15276 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15278 int ignore_msrs = 0;
15279 @@ -118,38 +118,38 @@ static struct kvm_shared_msrs_global __r
15280 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15282 struct kvm_stats_debugfs_item debugfs_entries[] = {
15283 - { "pf_fixed", VCPU_STAT(pf_fixed) },
15284 - { "pf_guest", VCPU_STAT(pf_guest) },
15285 - { "tlb_flush", VCPU_STAT(tlb_flush) },
15286 - { "invlpg", VCPU_STAT(invlpg) },
15287 - { "exits", VCPU_STAT(exits) },
15288 - { "io_exits", VCPU_STAT(io_exits) },
15289 - { "mmio_exits", VCPU_STAT(mmio_exits) },
15290 - { "signal_exits", VCPU_STAT(signal_exits) },
15291 - { "irq_window", VCPU_STAT(irq_window_exits) },
15292 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
15293 - { "halt_exits", VCPU_STAT(halt_exits) },
15294 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15295 - { "hypercalls", VCPU_STAT(hypercalls) },
15296 - { "request_irq", VCPU_STAT(request_irq_exits) },
15297 - { "irq_exits", VCPU_STAT(irq_exits) },
15298 - { "host_state_reload", VCPU_STAT(host_state_reload) },
15299 - { "efer_reload", VCPU_STAT(efer_reload) },
15300 - { "fpu_reload", VCPU_STAT(fpu_reload) },
15301 - { "insn_emulation", VCPU_STAT(insn_emulation) },
15302 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15303 - { "irq_injections", VCPU_STAT(irq_injections) },
15304 - { "nmi_injections", VCPU_STAT(nmi_injections) },
15305 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15306 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15307 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15308 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15309 - { "mmu_flooded", VM_STAT(mmu_flooded) },
15310 - { "mmu_recycled", VM_STAT(mmu_recycled) },
15311 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15312 - { "mmu_unsync", VM_STAT(mmu_unsync) },
15313 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15314 - { "largepages", VM_STAT(lpages) },
15315 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15316 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
15317 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15318 + { "invlpg", VCPU_STAT(invlpg), NULL },
15319 + { "exits", VCPU_STAT(exits), NULL },
15320 + { "io_exits", VCPU_STAT(io_exits), NULL },
15321 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15322 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
15323 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15324 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15325 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
15326 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15327 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
15328 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15329 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
15330 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15331 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
15332 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15333 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15334 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15335 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
15336 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15337 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15338 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15339 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15340 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15341 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15342 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15343 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15344 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15345 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15346 + { "largepages", VM_STAT(lpages), NULL },
15350 @@ -1979,6 +1979,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15351 if (n < msr_list.nmsrs)
15354 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15356 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15357 num_msrs_to_save * sizeof(u32)))
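Review bot: The added `num_msrs_to_save > ARRAY_SIZE(msrs_to_save)` check bounds the source of the following copy_to_user(), but it fails silently. A count larger than the array is a kernel-side invariant violation rather than a caller error, and the branch body (not visible in this extract) presumably leaves with whatever error code is already set for the copy, so it is indistinguishable from a bad user pointer. `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` would keep the over-read protection and leave a trace when the invariant breaks. The function continues outside the hunk.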
15359 @@ -2446,7 +2448,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15360 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15361 struct kvm_interrupt *irq)
15363 - if (irq->irq < 0 || irq->irq >= 256)
15364 + if (irq->irq >= 256)
15366 if (irqchip_in_kernel(vcpu->kvm))
15368 @@ -4623,10 +4625,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15370 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15372 -int kvm_arch_init(void *opaque)
15373 +int kvm_arch_init(const void *opaque)
15376 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15377 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15380 printk(KERN_ERR "kvm: already loaded the other module\n");
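Review bot: The cast in `const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;` is redundant now that `opaque` is `const void *`, because C converts it implicitly. Dropping it to `const struct kvm_x86_ops *ops = opaque;` is shorter and means a later change to the qualifier on `opaque` produces a compiler diagnostic instead of being hidden by the cast.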
15381 diff -urNp linux-2.6.37/arch/x86/lib/atomic64_cx8_32.S linux-2.6.37/arch/x86/lib/atomic64_cx8_32.S
15382 --- linux-2.6.37/arch/x86/lib/atomic64_cx8_32.S 2011-01-04 19:50:19.000000000 -0500
15383 +++ linux-2.6.37/arch/x86/lib/atomic64_cx8_32.S 2011-01-17 02:41:01.000000000 -0500
15384 @@ -86,13 +86,23 @@ ENTRY(atomic64_\func\()_return_cx8)
15386 \ins\()l %esi, %ebx
15387 \insc\()l %edi, %ecx
15389 +#ifdef CONFIG_PAX_REFCOUNT
15392 + _ASM_EXTABLE(2b, 3f)
15403 +#ifdef CONFIG_PAX_REFCOUNT
15410 @@ -116,13 +126,24 @@ ENTRY(atomic64_\func\()_return_cx8)
15415 +#ifdef CONFIG_PAX_REFCOUNT
15418 + _ASM_EXTABLE(2b, 3f)
15429 +#ifdef CONFIG_PAX_REFCOUNT
15436 @@ -176,6 +197,13 @@ ENTRY(atomic64_add_unless_cx8)
15441 +#ifdef CONFIG_PAX_REFCOUNT
15444 + _ASM_EXTABLE(1234b, 1234b)
15450 @@ -208,6 +236,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
15455 +#ifdef CONFIG_PAX_REFCOUNT
15458 + _ASM_EXTABLE(1234b, 1234b)
15464 diff -urNp linux-2.6.37/arch/x86/lib/checksum_32.S linux-2.6.37/arch/x86/lib/checksum_32.S
15465 --- linux-2.6.37/arch/x86/lib/checksum_32.S 2011-01-04 19:50:19.000000000 -0500
15466 +++ linux-2.6.37/arch/x86/lib/checksum_32.S 2011-01-17 02:41:01.000000000 -0500
15468 #include <linux/linkage.h>
15469 #include <asm/dwarf2.h>
15470 #include <asm/errno.h>
15472 +#include <asm/segment.h>
15475 * computes a partial checksum, e.g. for TCP/UDP fragments
15477 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
15482 -ENTRY(csum_partial_copy_generic)
15484 +ENTRY(csum_partial_copy_generic_to_user)
15487 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15489 + CFI_ADJUST_CFA_OFFSET 4
15491 + CFI_ADJUST_CFA_OFFSET -4
15492 + jmp csum_partial_copy_generic
15495 +ENTRY(csum_partial_copy_generic_from_user)
15497 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15499 + CFI_ADJUST_CFA_OFFSET 4
15501 + CFI_ADJUST_CFA_OFFSET -4
15504 +ENTRY(csum_partial_copy_generic)
15506 CFI_ADJUST_CFA_OFFSET 4
15508 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
15510 SRC(1: movw (%esi), %bx )
15512 -DST( movw %bx, (%edi) )
15513 +DST( movw %bx, %es:(%edi) )
15517 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
15518 SRC(1: movl (%esi), %ebx )
15519 SRC( movl 4(%esi), %edx )
15521 -DST( movl %ebx, (%edi) )
15522 +DST( movl %ebx, %es:(%edi) )
15524 -DST( movl %edx, 4(%edi) )
15525 +DST( movl %edx, %es:4(%edi) )
15527 SRC( movl 8(%esi), %ebx )
15528 SRC( movl 12(%esi), %edx )
15530 -DST( movl %ebx, 8(%edi) )
15531 +DST( movl %ebx, %es:8(%edi) )
15533 -DST( movl %edx, 12(%edi) )
15534 +DST( movl %edx, %es:12(%edi) )
15536 SRC( movl 16(%esi), %ebx )
15537 SRC( movl 20(%esi), %edx )
15539 -DST( movl %ebx, 16(%edi) )
15540 +DST( movl %ebx, %es:16(%edi) )
15542 -DST( movl %edx, 20(%edi) )
15543 +DST( movl %edx, %es:20(%edi) )
15545 SRC( movl 24(%esi), %ebx )
15546 SRC( movl 28(%esi), %edx )
15548 -DST( movl %ebx, 24(%edi) )
15549 +DST( movl %ebx, %es:24(%edi) )
15551 -DST( movl %edx, 28(%edi) )
15552 +DST( movl %edx, %es:28(%edi) )
15556 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
15557 shrl $2, %edx # This clears CF
15558 SRC(3: movl (%esi), %ebx )
15560 -DST( movl %ebx, (%edi) )
15561 +DST( movl %ebx, %es:(%edi) )
15565 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
15567 SRC( movw (%esi), %cx )
15569 -DST( movw %cx, (%edi) )
15570 +DST( movw %cx, %es:(%edi) )
15574 SRC(5: movb (%esi), %cl )
15575 -DST( movb %cl, (%edi) )
15576 +DST( movb %cl, %es:(%edi) )
15580 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
15583 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15584 - movl $-EFAULT, (%ebx)
15585 + movl $-EFAULT, %ss:(%ebx)
15587 # zero the complete destination - computing the rest
15589 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
15592 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15593 - movl $-EFAULT,(%ebx)
15594 + movl $-EFAULT,%ss:(%ebx)
15600 + CFI_ADJUST_CFA_OFFSET 4
15602 + CFI_ADJUST_CFA_OFFSET -4
15604 + CFI_ADJUST_CFA_OFFSET 4
15606 + CFI_ADJUST_CFA_OFFSET -4
15608 CFI_ADJUST_CFA_OFFSET -4
15610 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
15611 CFI_ADJUST_CFA_OFFSET -4
15614 -ENDPROC(csum_partial_copy_generic)
15615 +ENDPROC(csum_partial_copy_generic_to_user)
15619 /* Version for PentiumII/PPro */
15621 #define ROUND1(x) \
15623 SRC(movl x(%esi), %ebx ) ; \
15624 addl %ebx, %eax ; \
15625 - DST(movl %ebx, x(%edi) ) ;
15626 + DST(movl %ebx, %es:x(%edi)) ;
15630 SRC(movl x(%esi), %ebx ) ; \
15631 adcl %ebx, %eax ; \
15632 - DST(movl %ebx, x(%edi) ) ;
15633 + DST(movl %ebx, %es:x(%edi)) ;
15637 -ENTRY(csum_partial_copy_generic)
15639 +ENTRY(csum_partial_copy_generic_to_user)
15642 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15644 + CFI_ADJUST_CFA_OFFSET 4
15646 + CFI_ADJUST_CFA_OFFSET -4
15647 + jmp csum_partial_copy_generic
15650 +ENTRY(csum_partial_copy_generic_from_user)
15652 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15654 + CFI_ADJUST_CFA_OFFSET 4
15656 + CFI_ADJUST_CFA_OFFSET -4
15659 +ENTRY(csum_partial_copy_generic)
15661 CFI_ADJUST_CFA_OFFSET 4
15662 CFI_REL_OFFSET ebx, 0
15663 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
15667 - lea 3f(%ebx,%ebx), %ebx
15668 + lea 3f(%ebx,%ebx,2), %ebx
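Review bot: `lea 3f(%ebx,%ebx,2), %ebx` changes the stride of the computed jump, and nothing near it ties that factor to the size of one ROUND expansion. The scale presumably has to equal the encoded length of each ROUND1/ROUND block now that the stores carry an `%es:` prefix (the full macro bodies are not visible in this extract), so a later edit to either macro would land the jump mid-instruction. A comment on this line along the lines of `# stride = byte size of one ROUND expansion; keep in sync with ROUND1/ROUND` would make that coupling explicit.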
15672 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
15674 SRC( movw (%esi), %dx )
15676 -DST( movw %dx, (%edi) )
15677 +DST( movw %dx, %es:(%edi) )
15682 SRC( movb (%esi), %dl )
15683 -DST( movb %dl, (%edi) )
15684 +DST( movb %dl, %es:(%edi) )
15688 .section .fixup, "ax"
15689 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
15690 - movl $-EFAULT, (%ebx)
15691 + movl $-EFAULT, %ss:(%ebx)
15692 # zero the complete destination (computing the rest is too much work)
15693 movl ARGBASE+8(%esp),%edi # dst
15694 movl ARGBASE+12(%esp),%ecx # len
15695 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
15698 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15699 - movl $-EFAULT, (%ebx)
15700 + movl $-EFAULT, %ss:(%ebx)
15704 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15706 + CFI_ADJUST_CFA_OFFSET 4
15708 + CFI_ADJUST_CFA_OFFSET -4
15710 + CFI_ADJUST_CFA_OFFSET 4
15712 + CFI_ADJUST_CFA_OFFSET -4
15716 CFI_ADJUST_CFA_OFFSET -4
15718 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
15722 -ENDPROC(csum_partial_copy_generic)
15723 +ENDPROC(csum_partial_copy_generic_to_user)
15727 diff -urNp linux-2.6.37/arch/x86/lib/clear_page_64.S linux-2.6.37/arch/x86/lib/clear_page_64.S
15728 --- linux-2.6.37/arch/x86/lib/clear_page_64.S 2011-01-04 19:50:19.000000000 -0500
15729 +++ linux-2.6.37/arch/x86/lib/clear_page_64.S 2011-01-17 02:41:01.000000000 -0500
15730 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
15732 #include <asm/cpufeature.h>
15734 - .section .altinstr_replacement,"ax"
15735 + .section .altinstr_replacement,"a"
15736 1: .byte 0xeb /* jmp <disp8> */
15737 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
15739 diff -urNp linux-2.6.37/arch/x86/lib/copy_page_64.S linux-2.6.37/arch/x86/lib/copy_page_64.S
15740 --- linux-2.6.37/arch/x86/lib/copy_page_64.S 2011-01-04 19:50:19.000000000 -0500
15741 +++ linux-2.6.37/arch/x86/lib/copy_page_64.S 2011-01-17 02:41:01.000000000 -0500
15742 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
15744 #include <asm/cpufeature.h>
15746 - .section .altinstr_replacement,"ax"
15747 + .section .altinstr_replacement,"a"
15748 1: .byte 0xeb /* jmp <disp8> */
15749 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
15751 diff -urNp linux-2.6.37/arch/x86/lib/copy_user_64.S linux-2.6.37/arch/x86/lib/copy_user_64.S
15752 --- linux-2.6.37/arch/x86/lib/copy_user_64.S 2011-01-04 19:50:19.000000000 -0500
15753 +++ linux-2.6.37/arch/x86/lib/copy_user_64.S 2011-01-17 02:41:01.000000000 -0500
15754 @@ -15,13 +15,14 @@
15755 #include <asm/asm-offsets.h>
15756 #include <asm/thread_info.h>
15757 #include <asm/cpufeature.h>
15758 +#include <asm/pgtable.h>
15760 .macro ALTERNATIVE_JUMP feature,orig,alt
15762 .byte 0xe9 /* 32bit jump */
15763 .long \orig-1f /* by default jump to orig */
15765 - .section .altinstr_replacement,"ax"
15766 + .section .altinstr_replacement,"a"
15767 2: .byte 0xe9 /* near jump with 32bit immediate */
15768 .long \alt-1b /* offset */ /* or alternatively to alt */
15770 @@ -64,37 +65,13 @@
15774 -/* Standard copy_to_user with segment limit checking */
15775 -ENTRY(_copy_to_user)
15777 - GET_THREAD_INFO(%rax)
15781 - cmpq TI_addr_limit(%rax),%rcx
15783 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15785 -ENDPROC(_copy_to_user)
15787 -/* Standard copy_from_user with segment limit checking */
15788 -ENTRY(_copy_from_user)
15790 - GET_THREAD_INFO(%rax)
15794 - cmpq TI_addr_limit(%rax),%rcx
15795 - jae bad_from_user
15796 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15798 -ENDPROC(_copy_from_user)
15800 .section .fixup,"ax"
15801 /* must zero dest */
15802 ENTRY(bad_from_user)
15810 diff -urNp linux-2.6.37/arch/x86/lib/copy_user_nocache_64.S linux-2.6.37/arch/x86/lib/copy_user_nocache_64.S
15811 --- linux-2.6.37/arch/x86/lib/copy_user_nocache_64.S 2011-01-04 19:50:19.000000000 -0500
15812 +++ linux-2.6.37/arch/x86/lib/copy_user_nocache_64.S 2011-01-17 02:41:01.000000000 -0500
15814 #include <asm/current.h>
15815 #include <asm/asm-offsets.h>
15816 #include <asm/thread_info.h>
15817 +#include <asm/pgtable.h>
15819 .macro ALIGN_DESTINATION
15820 #ifdef FIX_ALIGNMENT
15823 ENTRY(__copy_user_nocache)
15826 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15827 + mov $PAX_USER_SHADOW_BASE,%rcx
15835 jb 20f /* less then 8 bytes, go to byte copy loop */
15837 diff -urNp linux-2.6.37/arch/x86/lib/csum-wrappers_64.c linux-2.6.37/arch/x86/lib/csum-wrappers_64.c
15838 --- linux-2.6.37/arch/x86/lib/csum-wrappers_64.c 2011-01-04 19:50:19.000000000 -0500
15839 +++ linux-2.6.37/arch/x86/lib/csum-wrappers_64.c 2011-01-17 02:41:01.000000000 -0500
15840 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15844 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15845 + src += PAX_USER_SHADOW_BASE;
15846 isum = csum_partial_copy_generic((__force const void *)src,
15847 dst, len, isum, errp, NULL);
15848 if (unlikely(*errp))
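Review bot: The `src += PAX_USER_SHADOW_BASE` adjustment is added with no `#ifdef CONFIG_PAX_MEMORY_UDEREF` around it, going by the hunk's 6/8 line counts, whereas the equivalent rebasing in copy_user_nocache_64.S and getuser.S in this same patch is guarded by that option. Unless PAX_USER_SHADOW_BASE is defined as 0 when UDEREF is off (not visible here), user pointers would be rebased on kernels that have no shadow mapping. I would wrap the two added lines in `#ifdef CONFIG_PAX_MEMORY_UDEREF` / `#endif`. The same applies to the `dst += PAX_USER_SHADOW_BASE` hunk in csum_partial_copy_to_user below.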
15849 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15853 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15854 + dst += PAX_USER_SHADOW_BASE;
15855 return csum_partial_copy_generic(src, (void __force *)dst,
15856 len, isum, NULL, errp);
15858 diff -urNp linux-2.6.37/arch/x86/lib/getuser.S linux-2.6.37/arch/x86/lib/getuser.S
15859 --- linux-2.6.37/arch/x86/lib/getuser.S 2011-01-04 19:50:19.000000000 -0500
15860 +++ linux-2.6.37/arch/x86/lib/getuser.S 2011-01-17 02:41:01.000000000 -0500
15861 @@ -33,14 +33,35 @@
15862 #include <asm/asm-offsets.h>
15863 #include <asm/thread_info.h>
15864 #include <asm/asm.h>
15865 +#include <asm/segment.h>
15866 +#include <asm/pgtable.h>
15868 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15869 +#define __copyuser_seg %gs:
15871 +#define __copyuser_seg
15875 ENTRY(__get_user_1)
15878 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15879 GET_THREAD_INFO(%_ASM_DX)
15880 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15882 -1: movzb (%_ASM_AX),%edx
15884 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15885 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15886 + cmp %_ASM_DX,%_ASM_AX
15888 + add %_ASM_DX,%_ASM_AX
15894 +1: movzb __copyuser_seg (%_ASM_AX),%edx
15898 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
15899 ENTRY(__get_user_2)
15903 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15905 GET_THREAD_INFO(%_ASM_DX)
15906 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15908 -2: movzwl -1(%_ASM_AX),%edx
15910 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15911 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15912 + cmp %_ASM_DX,%_ASM_AX
15914 + add %_ASM_DX,%_ASM_AX
15920 +2: movzwl __copyuser_seg -1(%_ASM_AX),%edx
15924 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
15925 ENTRY(__get_user_4)
15929 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15931 GET_THREAD_INFO(%_ASM_DX)
15932 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15934 -3: mov -3(%_ASM_AX),%edx
15936 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15937 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15938 + cmp %_ASM_DX,%_ASM_AX
15940 + add %_ASM_DX,%_ASM_AX
15946 +3: mov __copyuser_seg -3(%_ASM_AX),%edx
15950 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
15951 GET_THREAD_INFO(%_ASM_DX)
15952 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15955 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15956 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15957 + cmp %_ASM_DX,%_ASM_AX
15959 + add %_ASM_DX,%_ASM_AX
15963 4: movq -7(%_ASM_AX),%_ASM_DX
15966 diff -urNp linux-2.6.37/arch/x86/lib/insn.c linux-2.6.37/arch/x86/lib/insn.c
15967 --- linux-2.6.37/arch/x86/lib/insn.c 2011-01-04 19:50:19.000000000 -0500
15968 +++ linux-2.6.37/arch/x86/lib/insn.c 2011-01-24 18:04:15.000000000 -0500
15970 #include <linux/string.h>
15971 #include <asm/inat.h>
15972 #include <asm/insn.h>
15974 +#include <asm/pgtable_types.h>
15976 +#define ktla_ktva(addr) addr
15979 #define get_next(t, insn) \
15980 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
15982 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
15984 memset(insn, 0, sizeof(*insn));
15985 - insn->kaddr = kaddr;
15986 - insn->next_byte = kaddr;
15987 + insn->kaddr = ktla_ktva(kaddr);
15988 + insn->next_byte = ktla_ktva(kaddr);
15989 insn->x86_64 = x86_64 ? 1 : 0;
15990 insn->opnd_bytes = 4;
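Review bot: The fallback `#define ktla_ktva(addr) addr` expands its argument without parentheses, so any call with an expression argument, such as `ktla_ktva(p + 1)`, is at the mercy of whatever operators surround the expansion. The two uses in insn_init() happen to be safe, but the macro should be `#define ktla_ktva(addr) (addr)`. The preprocessor conditionals around the define are not visible in this extract, so I am assuming this is the non-kernel build path.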
15992 diff -urNp linux-2.6.37/arch/x86/lib/mmx_32.c linux-2.6.37/arch/x86/lib/mmx_32.c
15993 --- linux-2.6.37/arch/x86/lib/mmx_32.c 2011-01-04 19:50:19.000000000 -0500
15994 +++ linux-2.6.37/arch/x86/lib/mmx_32.c 2011-01-17 02:41:01.000000000 -0500
15995 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
15999 + unsigned long cr0;
16001 if (unlikely(in_interrupt()))
16002 return __memcpy(to, from, len);
16003 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
16004 kernel_fpu_begin();
16006 __asm__ __volatile__ (
16007 - "1: prefetch (%0)\n" /* This set is 28 bytes */
16008 - " prefetch 64(%0)\n"
16009 - " prefetch 128(%0)\n"
16010 - " prefetch 192(%0)\n"
16011 - " prefetch 256(%0)\n"
16012 + "1: prefetch (%1)\n" /* This set is 28 bytes */
16013 + " prefetch 64(%1)\n"
16014 + " prefetch 128(%1)\n"
16015 + " prefetch 192(%1)\n"
16016 + " prefetch 256(%1)\n"
16018 ".section .fixup, \"ax\"\n"
16019 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16022 +#ifdef CONFIG_PAX_KERNEXEC
16023 + " movl %%cr0, %0\n"
16024 + " movl %0, %%eax\n"
16025 + " andl $0xFFFEFFFF, %%eax\n"
16026 + " movl %%eax, %%cr0\n"
16029 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16031 +#ifdef CONFIG_PAX_KERNEXEC
16032 + " movl %0, %%cr0\n"
16037 _ASM_EXTABLE(1b, 3b)
16039 + : "=&r" (cr0) : "r" (from) : "ax");
16041 for ( ; i > 5; i--) {
16042 __asm__ __volatile__ (
16043 - "1: prefetch 320(%0)\n"
16044 - "2: movq (%0), %%mm0\n"
16045 - " movq 8(%0), %%mm1\n"
16046 - " movq 16(%0), %%mm2\n"
16047 - " movq 24(%0), %%mm3\n"
16048 - " movq %%mm0, (%1)\n"
16049 - " movq %%mm1, 8(%1)\n"
16050 - " movq %%mm2, 16(%1)\n"
16051 - " movq %%mm3, 24(%1)\n"
16052 - " movq 32(%0), %%mm0\n"
16053 - " movq 40(%0), %%mm1\n"
16054 - " movq 48(%0), %%mm2\n"
16055 - " movq 56(%0), %%mm3\n"
16056 - " movq %%mm0, 32(%1)\n"
16057 - " movq %%mm1, 40(%1)\n"
16058 - " movq %%mm2, 48(%1)\n"
16059 - " movq %%mm3, 56(%1)\n"
16060 + "1: prefetch 320(%1)\n"
16061 + "2: movq (%1), %%mm0\n"
16062 + " movq 8(%1), %%mm1\n"
16063 + " movq 16(%1), %%mm2\n"
16064 + " movq 24(%1), %%mm3\n"
16065 + " movq %%mm0, (%2)\n"
16066 + " movq %%mm1, 8(%2)\n"
16067 + " movq %%mm2, 16(%2)\n"
16068 + " movq %%mm3, 24(%2)\n"
16069 + " movq 32(%1), %%mm0\n"
16070 + " movq 40(%1), %%mm1\n"
16071 + " movq 48(%1), %%mm2\n"
16072 + " movq 56(%1), %%mm3\n"
16073 + " movq %%mm0, 32(%2)\n"
16074 + " movq %%mm1, 40(%2)\n"
16075 + " movq %%mm2, 48(%2)\n"
16076 + " movq %%mm3, 56(%2)\n"
16077 ".section .fixup, \"ax\"\n"
16078 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16081 +#ifdef CONFIG_PAX_KERNEXEC
16082 + " movl %%cr0, %0\n"
16083 + " movl %0, %%eax\n"
16084 + " andl $0xFFFEFFFF, %%eax\n"
16085 + " movl %%eax, %%cr0\n"
16088 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16090 +#ifdef CONFIG_PAX_KERNEXEC
16091 + " movl %0, %%cr0\n"
16096 _ASM_EXTABLE(1b, 3b)
16097 - : : "r" (from), "r" (to) : "memory");
16098 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
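Review bot: The fixup paths added here clear a CR0 bit with a bare `andl $0xFFFEFFFF, %%eax`, and nothing documents the constant or how long write protection stays off. The mask is ~(1 << 16), i.e. CR0.WP, so a comment such as `/* clear CR0.WP so the fixup can patch the prefetch at 1b in read-only kernel text; restored right after */` belongs on the first occurrence. Whether interrupts are disabled while WP is clear cannot be seen from the hunk and is worth confirming. The same save/clear/restore sequence is pasted into both asm blocks here and into the two fast_copy_page() variants in the later hunks of this file; a single string macro shared by all of them would keep the copies from drifting.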
16102 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
16103 static void fast_copy_page(void *to, void *from)
16106 + unsigned long cr0;
16108 kernel_fpu_begin();
16110 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
16111 * but that is for later. -AV
16113 __asm__ __volatile__(
16114 - "1: prefetch (%0)\n"
16115 - " prefetch 64(%0)\n"
16116 - " prefetch 128(%0)\n"
16117 - " prefetch 192(%0)\n"
16118 - " prefetch 256(%0)\n"
16119 + "1: prefetch (%1)\n"
16120 + " prefetch 64(%1)\n"
16121 + " prefetch 128(%1)\n"
16122 + " prefetch 192(%1)\n"
16123 + " prefetch 256(%1)\n"
16125 ".section .fixup, \"ax\"\n"
16126 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16129 +#ifdef CONFIG_PAX_KERNEXEC
16130 + " movl %%cr0, %0\n"
16131 + " movl %0, %%eax\n"
16132 + " andl $0xFFFEFFFF, %%eax\n"
16133 + " movl %%eax, %%cr0\n"
16136 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16138 +#ifdef CONFIG_PAX_KERNEXEC
16139 + " movl %0, %%cr0\n"
16144 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16145 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16147 for (i = 0; i < (4096-320)/64; i++) {
16148 __asm__ __volatile__ (
16149 - "1: prefetch 320(%0)\n"
16150 - "2: movq (%0), %%mm0\n"
16151 - " movntq %%mm0, (%1)\n"
16152 - " movq 8(%0), %%mm1\n"
16153 - " movntq %%mm1, 8(%1)\n"
16154 - " movq 16(%0), %%mm2\n"
16155 - " movntq %%mm2, 16(%1)\n"
16156 - " movq 24(%0), %%mm3\n"
16157 - " movntq %%mm3, 24(%1)\n"
16158 - " movq 32(%0), %%mm4\n"
16159 - " movntq %%mm4, 32(%1)\n"
16160 - " movq 40(%0), %%mm5\n"
16161 - " movntq %%mm5, 40(%1)\n"
16162 - " movq 48(%0), %%mm6\n"
16163 - " movntq %%mm6, 48(%1)\n"
16164 - " movq 56(%0), %%mm7\n"
16165 - " movntq %%mm7, 56(%1)\n"
16166 + "1: prefetch 320(%1)\n"
16167 + "2: movq (%1), %%mm0\n"
16168 + " movntq %%mm0, (%2)\n"
16169 + " movq 8(%1), %%mm1\n"
16170 + " movntq %%mm1, 8(%2)\n"
16171 + " movq 16(%1), %%mm2\n"
16172 + " movntq %%mm2, 16(%2)\n"
16173 + " movq 24(%1), %%mm3\n"
16174 + " movntq %%mm3, 24(%2)\n"
16175 + " movq 32(%1), %%mm4\n"
16176 + " movntq %%mm4, 32(%2)\n"
16177 + " movq 40(%1), %%mm5\n"
16178 + " movntq %%mm5, 40(%2)\n"
16179 + " movq 48(%1), %%mm6\n"
16180 + " movntq %%mm6, 48(%2)\n"
16181 + " movq 56(%1), %%mm7\n"
16182 + " movntq %%mm7, 56(%2)\n"
16183 ".section .fixup, \"ax\"\n"
16184 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16187 +#ifdef CONFIG_PAX_KERNEXEC
16188 + " movl %%cr0, %0\n"
16189 + " movl %0, %%eax\n"
16190 + " andl $0xFFFEFFFF, %%eax\n"
16191 + " movl %%eax, %%cr0\n"
16194 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16196 +#ifdef CONFIG_PAX_KERNEXEC
16197 + " movl %0, %%cr0\n"
16202 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16203 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16207 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16208 static void fast_copy_page(void *to, void *from)
16211 + unsigned long cr0;
16213 kernel_fpu_begin();
16215 __asm__ __volatile__ (
16216 - "1: prefetch (%0)\n"
16217 - " prefetch 64(%0)\n"
16218 - " prefetch 128(%0)\n"
16219 - " prefetch 192(%0)\n"
16220 - " prefetch 256(%0)\n"
16221 + "1: prefetch (%1)\n"
16222 + " prefetch 64(%1)\n"
16223 + " prefetch 128(%1)\n"
16224 + " prefetch 192(%1)\n"
16225 + " prefetch 256(%1)\n"
16227 ".section .fixup, \"ax\"\n"
16228 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16231 +#ifdef CONFIG_PAX_KERNEXEC
16232 + " movl %%cr0, %0\n"
16233 + " movl %0, %%eax\n"
16234 + " andl $0xFFFEFFFF, %%eax\n"
16235 + " movl %%eax, %%cr0\n"
16238 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16240 +#ifdef CONFIG_PAX_KERNEXEC
16241 + " movl %0, %%cr0\n"
16246 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16247 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16249 for (i = 0; i < 4096/64; i++) {
16250 __asm__ __volatile__ (
16251 - "1: prefetch 320(%0)\n"
16252 - "2: movq (%0), %%mm0\n"
16253 - " movq 8(%0), %%mm1\n"
16254 - " movq 16(%0), %%mm2\n"
16255 - " movq 24(%0), %%mm3\n"
16256 - " movq %%mm0, (%1)\n"
16257 - " movq %%mm1, 8(%1)\n"
16258 - " movq %%mm2, 16(%1)\n"
16259 - " movq %%mm3, 24(%1)\n"
16260 - " movq 32(%0), %%mm0\n"
16261 - " movq 40(%0), %%mm1\n"
16262 - " movq 48(%0), %%mm2\n"
16263 - " movq 56(%0), %%mm3\n"
16264 - " movq %%mm0, 32(%1)\n"
16265 - " movq %%mm1, 40(%1)\n"
16266 - " movq %%mm2, 48(%1)\n"
16267 - " movq %%mm3, 56(%1)\n"
16268 + "1: prefetch 320(%1)\n"
16269 + "2: movq (%1), %%mm0\n"
16270 + " movq 8(%1), %%mm1\n"
16271 + " movq 16(%1), %%mm2\n"
16272 + " movq 24(%1), %%mm3\n"
16273 + " movq %%mm0, (%2)\n"
16274 + " movq %%mm1, 8(%2)\n"
16275 + " movq %%mm2, 16(%2)\n"
16276 + " movq %%mm3, 24(%2)\n"
16277 + " movq 32(%1), %%mm0\n"
16278 + " movq 40(%1), %%mm1\n"
16279 + " movq 48(%1), %%mm2\n"
16280 + " movq 56(%1), %%mm3\n"
16281 + " movq %%mm0, 32(%2)\n"
16282 + " movq %%mm1, 40(%2)\n"
16283 + " movq %%mm2, 48(%2)\n"
16284 + " movq %%mm3, 56(%2)\n"
16285 ".section .fixup, \"ax\"\n"
16286 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16289 +#ifdef CONFIG_PAX_KERNEXEC
16290 + " movl %%cr0, %0\n"
16291 + " movl %0, %%eax\n"
16292 + " andl $0xFFFEFFFF, %%eax\n"
16293 + " movl %%eax, %%cr0\n"
16296 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16298 +#ifdef CONFIG_PAX_KERNEXEC
16299 + " movl %0, %%cr0\n"
16304 _ASM_EXTABLE(1b, 3b)
16305 - : : "r" (from), "r" (to) : "memory");
16306 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
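Review bot: Both KERNEXEC fixup paths in fast_copy_page mask CR0 with the bare constant `0xFFFEFFFF` and have no comment saying that this clears CR0.WP (bit 16) so the following `movw` can patch the instruction at label 1 in write-protected kernel text. I would put `/* clear CR0.WP so the fixup can rewrite the insn at 1b; CR0 is restored from %0 right after */` above each `movl %%cr0, %0` line. The comment is also the place to record that the window with WP cleared covers only the single `movw`, so later edits do not widen it. The tail of the preceding fast_clear_page hunk shows the same restore and would need the same comment.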
16310 diff -urNp linux-2.6.37/arch/x86/lib/putuser.S linux-2.6.37/arch/x86/lib/putuser.S
16311 --- linux-2.6.37/arch/x86/lib/putuser.S 2011-01-04 19:50:19.000000000 -0500
16312 +++ linux-2.6.37/arch/x86/lib/putuser.S 2011-01-17 02:41:01.000000000 -0500
16314 #include <asm/thread_info.h>
16315 #include <asm/errno.h>
16316 #include <asm/asm.h>
16318 +#include <asm/segment.h>
16319 +#include <asm/pgtable.h>
16323 @@ -29,52 +30,119 @@
16324 * as they get called from within inline assembly.
16327 -#define ENTER CFI_STARTPROC ; \
16328 - GET_THREAD_INFO(%_ASM_BX)
16329 +#define ENTER CFI_STARTPROC
16330 #define EXIT ret ; \
16333 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16334 +#define _DEST %_ASM_CX,%_ASM_BX
16336 +#define _DEST %_ASM_CX
16339 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16340 +#define __copyuser_seg %gs:
16342 +#define __copyuser_seg
16346 ENTRY(__put_user_1)
16349 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16350 + GET_THREAD_INFO(%_ASM_BX)
16351 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16353 -1: movb %al,(%_ASM_CX)
16355 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16356 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16357 + cmp %_ASM_BX,%_ASM_CX
16365 +1: movb %al,__copyuser_seg (_DEST)
16368 ENDPROC(__put_user_1)
16370 ENTRY(__put_user_2)
16373 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16374 + GET_THREAD_INFO(%_ASM_BX)
16375 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16377 cmp %_ASM_BX,%_ASM_CX
16379 -2: movw %ax,(%_ASM_CX)
16381 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16382 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16383 + cmp %_ASM_BX,%_ASM_CX
16391 +2: movw %ax,__copyuser_seg (_DEST)
16394 ENDPROC(__put_user_2)
16396 ENTRY(__put_user_4)
16399 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16400 + GET_THREAD_INFO(%_ASM_BX)
16401 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16403 cmp %_ASM_BX,%_ASM_CX
16405 -3: movl %eax,(%_ASM_CX)
16407 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16408 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16409 + cmp %_ASM_BX,%_ASM_CX
16417 +3: movl %eax,__copyuser_seg (_DEST)
16420 ENDPROC(__put_user_4)
16422 ENTRY(__put_user_8)
16425 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16426 + GET_THREAD_INFO(%_ASM_BX)
16427 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16429 cmp %_ASM_BX,%_ASM_CX
16431 -4: mov %_ASM_AX,(%_ASM_CX)
16433 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16434 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16435 + cmp %_ASM_BX,%_ASM_CX
16443 +4: mov %_ASM_AX,__copyuser_seg (_DEST)
16444 #ifdef CONFIG_X86_32
16445 -5: movl %edx,4(%_ASM_CX)
16446 +5: movl %edx,__copyuser_seg 4(_DEST)
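Review bot: `_DEST` expands to `%_ASM_CX,%_ASM_BX` under x86-64 UDEREF, so every store in the four routines depends on %_ASM_BX holding the right index at that point, and nothing at the macro definition says so. The visible lines load `$PAX_USER_SHADOW_BASE` into %_ASM_BX and compare it with %_ASM_CX just before each store; the lines between the compare and the store are not shown here, so presumably they leave either the shadow base or zero in the register. A comment at the definition such as `/* x86-64 UDEREF: %_ASM_BX must hold the shadow-base offset (or 0) when _DEST is used */` would make that contract explicit. The 32-bit UDEREF build skips the `TI_addr_limit` compare and appears to rely on the `%gs:` override for the bound, which deserves a one-line comment next to the `#if` as well.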
16450 diff -urNp linux-2.6.37/arch/x86/lib/usercopy_32.c linux-2.6.37/arch/x86/lib/usercopy_32.c
16451 --- linux-2.6.37/arch/x86/lib/usercopy_32.c 2011-01-04 19:50:19.000000000 -0500
16452 +++ linux-2.6.37/arch/x86/lib/usercopy_32.c 2011-01-17 02:41:01.000000000 -0500
16453 @@ -43,7 +43,7 @@ do { \
16454 __asm__ __volatile__( \
16458 + "0: lodsb " __copyuser_seg" (%%esi)\n" \
16460 " testb %%al,%%al\n" \
16462 @@ -128,10 +128,12 @@ do { \
16465 __asm__ __volatile__( \
16466 + __COPYUSER_SET_ES \
16467 "0: rep; stosl\n" \
16469 "1: rep; stosb\n" \
16471 + __COPYUSER_RESTORE_ES \
16472 ".section .fixup,\"ax\"\n" \
16473 "3: lea 0(%2,%0,4),%0\n" \
16475 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
16478 __asm__ __volatile__(
16479 + __COPYUSER_SET_ES
16483 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
16487 + __COPYUSER_RESTORE_ES
16488 ".section .fixup,\"ax\"\n"
16489 "2: xorl %%eax,%%eax\n"
16491 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
16493 #ifdef CONFIG_X86_INTEL_USERCOPY
16494 static unsigned long
16495 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
16496 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16499 __asm__ __volatile__(
16500 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
16502 "3: movl 0(%4), %%eax\n"
16503 "4: movl 4(%4), %%edx\n"
16504 - "5: movl %%eax, 0(%3)\n"
16505 - "6: movl %%edx, 4(%3)\n"
16506 + "5: movl %%eax, "__copyuser_seg" 0(%3)\n"
16507 + "6: movl %%edx, "__copyuser_seg" 4(%3)\n"
16508 "7: movl 8(%4), %%eax\n"
16509 "8: movl 12(%4),%%edx\n"
16510 - "9: movl %%eax, 8(%3)\n"
16511 - "10: movl %%edx, 12(%3)\n"
16512 + "9: movl %%eax, "__copyuser_seg" 8(%3)\n"
16513 + "10: movl %%edx, "__copyuser_seg" 12(%3)\n"
16514 "11: movl 16(%4), %%eax\n"
16515 "12: movl 20(%4), %%edx\n"
16516 - "13: movl %%eax, 16(%3)\n"
16517 - "14: movl %%edx, 20(%3)\n"
16518 + "13: movl %%eax, "__copyuser_seg" 16(%3)\n"
16519 + "14: movl %%edx, "__copyuser_seg" 20(%3)\n"
16520 "15: movl 24(%4), %%eax\n"
16521 "16: movl 28(%4), %%edx\n"
16522 - "17: movl %%eax, 24(%3)\n"
16523 - "18: movl %%edx, 28(%3)\n"
16524 + "17: movl %%eax, "__copyuser_seg" 24(%3)\n"
16525 + "18: movl %%edx, "__copyuser_seg" 28(%3)\n"
16526 "19: movl 32(%4), %%eax\n"
16527 "20: movl 36(%4), %%edx\n"
16528 - "21: movl %%eax, 32(%3)\n"
16529 - "22: movl %%edx, 36(%3)\n"
16530 + "21: movl %%eax, "__copyuser_seg" 32(%3)\n"
16531 + "22: movl %%edx, "__copyuser_seg" 36(%3)\n"
16532 "23: movl 40(%4), %%eax\n"
16533 "24: movl 44(%4), %%edx\n"
16534 - "25: movl %%eax, 40(%3)\n"
16535 - "26: movl %%edx, 44(%3)\n"
16536 + "25: movl %%eax, "__copyuser_seg" 40(%3)\n"
16537 + "26: movl %%edx, "__copyuser_seg" 44(%3)\n"
16538 "27: movl 48(%4), %%eax\n"
16539 "28: movl 52(%4), %%edx\n"
16540 - "29: movl %%eax, 48(%3)\n"
16541 - "30: movl %%edx, 52(%3)\n"
16542 + "29: movl %%eax, "__copyuser_seg" 48(%3)\n"
16543 + "30: movl %%edx, "__copyuser_seg" 52(%3)\n"
16544 "31: movl 56(%4), %%eax\n"
16545 "32: movl 60(%4), %%edx\n"
16546 - "33: movl %%eax, 56(%3)\n"
16547 - "34: movl %%edx, 60(%3)\n"
16548 + "33: movl %%eax, "__copyuser_seg" 56(%3)\n"
16549 + "34: movl %%edx, "__copyuser_seg" 60(%3)\n"
16553 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
16555 " andl $3, %%eax\n"
16557 + __COPYUSER_SET_ES
16559 "36: movl %%eax, %0\n"
16562 + __COPYUSER_RESTORE_ES
16563 + ".section .fixup,\"ax\"\n"
16564 + "101: lea 0(%%eax,%0,4),%0\n"
16567 + ".section __ex_table,\"a\"\n"
16569 + " .long 1b,100b\n"
16570 + " .long 2b,100b\n"
16571 + " .long 3b,100b\n"
16572 + " .long 4b,100b\n"
16573 + " .long 5b,100b\n"
16574 + " .long 6b,100b\n"
16575 + " .long 7b,100b\n"
16576 + " .long 8b,100b\n"
16577 + " .long 9b,100b\n"
16578 + " .long 10b,100b\n"
16579 + " .long 11b,100b\n"
16580 + " .long 12b,100b\n"
16581 + " .long 13b,100b\n"
16582 + " .long 14b,100b\n"
16583 + " .long 15b,100b\n"
16584 + " .long 16b,100b\n"
16585 + " .long 17b,100b\n"
16586 + " .long 18b,100b\n"
16587 + " .long 19b,100b\n"
16588 + " .long 20b,100b\n"
16589 + " .long 21b,100b\n"
16590 + " .long 22b,100b\n"
16591 + " .long 23b,100b\n"
16592 + " .long 24b,100b\n"
16593 + " .long 25b,100b\n"
16594 + " .long 26b,100b\n"
16595 + " .long 27b,100b\n"
16596 + " .long 28b,100b\n"
16597 + " .long 29b,100b\n"
16598 + " .long 30b,100b\n"
16599 + " .long 31b,100b\n"
16600 + " .long 32b,100b\n"
16601 + " .long 33b,100b\n"
16602 + " .long 34b,100b\n"
16603 + " .long 35b,100b\n"
16604 + " .long 36b,100b\n"
16605 + " .long 37b,100b\n"
16606 + " .long 99b,101b\n"
16608 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
16609 + : "1"(to), "2"(from), "0"(size)
16610 + : "eax", "edx", "memory");
16614 +static unsigned long
16615 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16618 + __asm__ __volatile__(
16619 + " .align 2,0x90\n"
16620 + "1: movl "__copyuser_seg" 32(%4), %%eax\n"
16621 + " cmpl $67, %0\n"
16623 + "2: movl "__copyuser_seg" 64(%4), %%eax\n"
16624 + " .align 2,0x90\n"
16625 + "3: movl "__copyuser_seg" 0(%4), %%eax\n"
16626 + "4: movl "__copyuser_seg" 4(%4), %%edx\n"
16627 + "5: movl %%eax, 0(%3)\n"
16628 + "6: movl %%edx, 4(%3)\n"
16629 + "7: movl "__copyuser_seg" 8(%4), %%eax\n"
16630 + "8: movl "__copyuser_seg" 12(%4),%%edx\n"
16631 + "9: movl %%eax, 8(%3)\n"
16632 + "10: movl %%edx, 12(%3)\n"
16633 + "11: movl "__copyuser_seg" 16(%4), %%eax\n"
16634 + "12: movl "__copyuser_seg" 20(%4), %%edx\n"
16635 + "13: movl %%eax, 16(%3)\n"
16636 + "14: movl %%edx, 20(%3)\n"
16637 + "15: movl "__copyuser_seg" 24(%4), %%eax\n"
16638 + "16: movl "__copyuser_seg" 28(%4), %%edx\n"
16639 + "17: movl %%eax, 24(%3)\n"
16640 + "18: movl %%edx, 28(%3)\n"
16641 + "19: movl "__copyuser_seg" 32(%4), %%eax\n"
16642 + "20: movl "__copyuser_seg" 36(%4), %%edx\n"
16643 + "21: movl %%eax, 32(%3)\n"
16644 + "22: movl %%edx, 36(%3)\n"
16645 + "23: movl "__copyuser_seg" 40(%4), %%eax\n"
16646 + "24: movl "__copyuser_seg" 44(%4), %%edx\n"
16647 + "25: movl %%eax, 40(%3)\n"
16648 + "26: movl %%edx, 44(%3)\n"
16649 + "27: movl "__copyuser_seg" 48(%4), %%eax\n"
16650 + "28: movl "__copyuser_seg" 52(%4), %%edx\n"
16651 + "29: movl %%eax, 48(%3)\n"
16652 + "30: movl %%edx, 52(%3)\n"
16653 + "31: movl "__copyuser_seg" 56(%4), %%eax\n"
16654 + "32: movl "__copyuser_seg" 60(%4), %%edx\n"
16655 + "33: movl %%eax, 56(%3)\n"
16656 + "34: movl %%edx, 60(%3)\n"
16657 + " addl $-64, %0\n"
16658 + " addl $64, %4\n"
16659 + " addl $64, %3\n"
16660 + " cmpl $63, %0\n"
16662 + "35: movl %0, %%eax\n"
16664 + " andl $3, %%eax\n"
16666 + "99: rep; movsl "__copyuser_seg" (%%esi), (%%edi)\n"
16667 + "36: movl %%eax, %0\n"
16668 + "37: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n"
16670 ".section .fixup,\"ax\"\n"
16671 "101: lea 0(%%eax,%0,4),%0\n"
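Review bot: `__generic_copy_from_user_intel` is added with no comment explaining why `__copy_user_intel` had to be split by copy direction. From the visible lines the reason is that the `__copyuser_seg` override sits on the stores in the to-user variant (previous hunk) and on the loads and the `rep; movsl`/`movsb` source in this from-user variant, so one body can no longer serve both. A short header comment on each function, stating which operand is the user pointer and which accesses carry the override, would help keep the two 64-byte unrolled bodies from drifting apart. The end of the new function, including its exception table, lies outside the visible part of the hunk.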
16673 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
16675 __asm__ __volatile__(
16677 - "0: movl 32(%4), %%eax\n"
16678 + "0: movl "__copyuser_seg" 32(%4), %%eax\n"
16681 - "1: movl 64(%4), %%eax\n"
16682 + "1: movl "__copyuser_seg" 64(%4), %%eax\n"
16684 - "2: movl 0(%4), %%eax\n"
16685 - "21: movl 4(%4), %%edx\n"
16686 + "2: movl "__copyuser_seg" 0(%4), %%eax\n"
16687 + "21: movl "__copyuser_seg" 4(%4), %%edx\n"
16688 " movl %%eax, 0(%3)\n"
16689 " movl %%edx, 4(%3)\n"
16690 - "3: movl 8(%4), %%eax\n"
16691 - "31: movl 12(%4),%%edx\n"
16692 + "3: movl "__copyuser_seg" 8(%4), %%eax\n"
16693 + "31: movl "__copyuser_seg" 12(%4),%%edx\n"
16694 " movl %%eax, 8(%3)\n"
16695 " movl %%edx, 12(%3)\n"
16696 - "4: movl 16(%4), %%eax\n"
16697 - "41: movl 20(%4), %%edx\n"
16698 + "4: movl "__copyuser_seg" 16(%4), %%eax\n"
16699 + "41: movl "__copyuser_seg" 20(%4), %%edx\n"
16700 " movl %%eax, 16(%3)\n"
16701 " movl %%edx, 20(%3)\n"
16702 - "10: movl 24(%4), %%eax\n"
16703 - "51: movl 28(%4), %%edx\n"
16704 + "10: movl "__copyuser_seg" 24(%4), %%eax\n"
16705 + "51: movl "__copyuser_seg" 28(%4), %%edx\n"
16706 " movl %%eax, 24(%3)\n"
16707 " movl %%edx, 28(%3)\n"
16708 - "11: movl 32(%4), %%eax\n"
16709 - "61: movl 36(%4), %%edx\n"
16710 + "11: movl "__copyuser_seg" 32(%4), %%eax\n"
16711 + "61: movl "__copyuser_seg" 36(%4), %%edx\n"
16712 " movl %%eax, 32(%3)\n"
16713 " movl %%edx, 36(%3)\n"
16714 - "12: movl 40(%4), %%eax\n"
16715 - "71: movl 44(%4), %%edx\n"
16716 + "12: movl "__copyuser_seg" 40(%4), %%eax\n"
16717 + "71: movl "__copyuser_seg" 44(%4), %%edx\n"
16718 " movl %%eax, 40(%3)\n"
16719 " movl %%edx, 44(%3)\n"
16720 - "13: movl 48(%4), %%eax\n"
16721 - "81: movl 52(%4), %%edx\n"
16722 + "13: movl "__copyuser_seg" 48(%4), %%eax\n"
16723 + "81: movl "__copyuser_seg" 52(%4), %%edx\n"
16724 " movl %%eax, 48(%3)\n"
16725 " movl %%edx, 52(%3)\n"
16726 - "14: movl 56(%4), %%eax\n"
16727 - "91: movl 60(%4), %%edx\n"
16728 + "14: movl "__copyuser_seg" 56(%4), %%eax\n"
16729 + "91: movl "__copyuser_seg" 60(%4), %%edx\n"
16730 " movl %%eax, 56(%3)\n"
16731 " movl %%edx, 60(%3)\n"
16733 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
16735 " andl $3, %%eax\n"
16737 - "6: rep; movsl\n"
16738 + "6: rep; movsl "__copyuser_seg" (%%esi), (%%edi)\n"
16740 - "7: rep; movsb\n"
16741 + "7: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n"
16743 ".section .fixup,\"ax\"\n"
16744 "9: lea 0(%%eax,%0,4),%0\n"
16745 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
16747 __asm__ __volatile__(
16749 - "0: movl 32(%4), %%eax\n"
16750 + "0: movl "__copyuser_seg" 32(%4), %%eax\n"
16753 - "1: movl 64(%4), %%eax\n"
16754 + "1: movl "__copyuser_seg" 64(%4), %%eax\n"
16756 - "2: movl 0(%4), %%eax\n"
16757 - "21: movl 4(%4), %%edx\n"
16758 + "2: movl "__copyuser_seg" 0(%4), %%eax\n"
16759 + "21: movl "__copyuser_seg" 4(%4), %%edx\n"
16760 " movnti %%eax, 0(%3)\n"
16761 " movnti %%edx, 4(%3)\n"
16762 - "3: movl 8(%4), %%eax\n"
16763 - "31: movl 12(%4),%%edx\n"
16764 + "3: movl "__copyuser_seg" 8(%4), %%eax\n"
16765 + "31: movl "__copyuser_seg" 12(%4),%%edx\n"
16766 " movnti %%eax, 8(%3)\n"
16767 " movnti %%edx, 12(%3)\n"
16768 - "4: movl 16(%4), %%eax\n"
16769 - "41: movl 20(%4), %%edx\n"
16770 + "4: movl "__copyuser_seg" 16(%4), %%eax\n"
16771 + "41: movl "__copyuser_seg" 20(%4), %%edx\n"
16772 " movnti %%eax, 16(%3)\n"
16773 " movnti %%edx, 20(%3)\n"
16774 - "10: movl 24(%4), %%eax\n"
16775 - "51: movl 28(%4), %%edx\n"
16776 + "10: movl "__copyuser_seg" 24(%4), %%eax\n"
16777 + "51: movl "__copyuser_seg" 28(%4), %%edx\n"
16778 " movnti %%eax, 24(%3)\n"
16779 " movnti %%edx, 28(%3)\n"
16780 - "11: movl 32(%4), %%eax\n"
16781 - "61: movl 36(%4), %%edx\n"
16782 + "11: movl "__copyuser_seg" 32(%4), %%eax\n"
16783 + "61: movl "__copyuser_seg" 36(%4), %%edx\n"
16784 " movnti %%eax, 32(%3)\n"
16785 " movnti %%edx, 36(%3)\n"
16786 - "12: movl 40(%4), %%eax\n"
16787 - "71: movl 44(%4), %%edx\n"
16788 + "12: movl "__copyuser_seg" 40(%4), %%eax\n"
16789 + "71: movl "__copyuser_seg" 44(%4), %%edx\n"
16790 " movnti %%eax, 40(%3)\n"
16791 " movnti %%edx, 44(%3)\n"
16792 - "13: movl 48(%4), %%eax\n"
16793 - "81: movl 52(%4), %%edx\n"
16794 + "13: movl "__copyuser_seg" 48(%4), %%eax\n"
16795 + "81: movl "__copyuser_seg" 52(%4), %%edx\n"
16796 " movnti %%eax, 48(%3)\n"
16797 " movnti %%edx, 52(%3)\n"
16798 - "14: movl 56(%4), %%eax\n"
16799 - "91: movl 60(%4), %%edx\n"
16800 + "14: movl "__copyuser_seg" 56(%4), %%eax\n"
16801 + "91: movl "__copyuser_seg" 60(%4), %%edx\n"
16802 " movnti %%eax, 56(%3)\n"
16803 " movnti %%edx, 60(%3)\n"
16805 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
16807 " andl $3, %%eax\n"
16809 - "6: rep; movsl\n"
16810 + "6: rep; movsl "__copyuser_seg" (%%esi), (%%edi)\n"
16812 - "7: rep; movsb\n"
16813 + "7: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n"
16815 ".section .fixup,\"ax\"\n"
16816 "9: lea 0(%%eax,%0,4),%0\n"
16817 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
16819 __asm__ __volatile__(
16821 - "0: movl 32(%4), %%eax\n"
16822 + "0: movl "__copyuser_seg" 32(%4), %%eax\n"
16825 - "1: movl 64(%4), %%eax\n"
16826 + "1: movl "__copyuser_seg" 64(%4), %%eax\n"
16828 - "2: movl 0(%4), %%eax\n"
16829 - "21: movl 4(%4), %%edx\n"
16830 + "2: movl "__copyuser_seg" 0(%4), %%eax\n"
16831 + "21: movl "__copyuser_seg" 4(%4), %%edx\n"
16832 " movnti %%eax, 0(%3)\n"
16833 " movnti %%edx, 4(%3)\n"
16834 - "3: movl 8(%4), %%eax\n"
16835 - "31: movl 12(%4),%%edx\n"
16836 + "3: movl "__copyuser_seg" 8(%4), %%eax\n"
16837 + "31: movl "__copyuser_seg" 12(%4),%%edx\n"
16838 " movnti %%eax, 8(%3)\n"
16839 " movnti %%edx, 12(%3)\n"
16840 - "4: movl 16(%4), %%eax\n"
16841 - "41: movl 20(%4), %%edx\n"
16842 + "4: movl "__copyuser_seg" 16(%4), %%eax\n"
16843 + "41: movl "__copyuser_seg" 20(%4), %%edx\n"
16844 " movnti %%eax, 16(%3)\n"
16845 " movnti %%edx, 20(%3)\n"
16846 - "10: movl 24(%4), %%eax\n"
16847 - "51: movl 28(%4), %%edx\n"
16848 + "10: movl "__copyuser_seg" 24(%4), %%eax\n"
16849 + "51: movl "__copyuser_seg" 28(%4), %%edx\n"
16850 " movnti %%eax, 24(%3)\n"
16851 " movnti %%edx, 28(%3)\n"
16852 - "11: movl 32(%4), %%eax\n"
16853 - "61: movl 36(%4), %%edx\n"
16854 + "11: movl "__copyuser_seg" 32(%4), %%eax\n"
16855 + "61: movl "__copyuser_seg" 36(%4), %%edx\n"
16856 " movnti %%eax, 32(%3)\n"
16857 " movnti %%edx, 36(%3)\n"
16858 - "12: movl 40(%4), %%eax\n"
16859 - "71: movl 44(%4), %%edx\n"
16860 + "12: movl "__copyuser_seg" 40(%4), %%eax\n"
16861 + "71: movl "__copyuser_seg" 44(%4), %%edx\n"
16862 " movnti %%eax, 40(%3)\n"
16863 " movnti %%edx, 44(%3)\n"
16864 - "13: movl 48(%4), %%eax\n"
16865 - "81: movl 52(%4), %%edx\n"
16866 + "13: movl "__copyuser_seg" 48(%4), %%eax\n"
16867 + "81: movl "__copyuser_seg" 52(%4), %%edx\n"
16868 " movnti %%eax, 48(%3)\n"
16869 " movnti %%edx, 52(%3)\n"
16870 - "14: movl 56(%4), %%eax\n"
16871 - "91: movl 60(%4), %%edx\n"
16872 + "14: movl "__copyuser_seg" 56(%4), %%eax\n"
16873 + "91: movl "__copyuser_seg" 60(%4), %%edx\n"
16874 " movnti %%eax, 56(%3)\n"
16875 " movnti %%edx, 60(%3)\n"
16877 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
16879 " andl $3, %%eax\n"
16881 - "6: rep; movsl\n"
16882 + "6: rep; movsl "__copyuser_seg" (%%esi), (%%edi)\n"
16884 - "7: rep; movsb\n"
16885 + "7: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n"
16887 ".section .fixup,\"ax\"\n"
16888 "9: lea 0(%%eax,%0,4),%0\n"
16889 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
16891 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
16892 unsigned long size);
16893 -unsigned long __copy_user_intel(void __user *to, const void *from,
16894 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
16895 + unsigned long size);
16896 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
16897 unsigned long size);
16898 unsigned long __copy_user_zeroing_intel_nocache(void *to,
16899 const void __user *from, unsigned long size);
16900 #endif /* CONFIG_X86_INTEL_USERCOPY */
16902 /* Generic arbitrary sized copy. */
16903 -#define __copy_user(to, from, size) \
16904 +#define __copy_user(to, from, size, prefix, set, restore) \
16906 int __d0, __d1, __d2; \
16907 __asm__ __volatile__( \
16915 - "4: rep; movsb\n" \
16916 + "4: rep; movsb "prefix" (%%esi), (%%edi)\n" \
16920 " .align 2,0x90\n" \
16921 - "0: rep; movsl\n" \
16922 + "0: rep; movsl "prefix" (%%esi), (%%edi)\n" \
16924 - "1: rep; movsb\n" \
16925 + "1: rep; movsb "prefix" (%%esi), (%%edi)\n" \
16928 ".section .fixup,\"ax\"\n" \
16929 "5: addl %3,%0\n" \
16931 @@ -682,14 +799,14 @@ do { \
16935 - "4: rep; movsb\n" \
16936 + "4: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n" \
16940 " .align 2,0x90\n" \
16941 - "0: rep; movsl\n" \
16942 + "0: rep; movsl "__copyuser_seg" (%%esi), (%%edi)\n" \
16944 - "1: rep; movsb\n" \
16945 + "1: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n" \
16947 ".section .fixup,\"ax\"\n" \
16948 "5: addl %3,%0\n" \
16949 @@ -775,9 +892,9 @@ survive:
16952 if (movsl_is_ok(to, from, n))
16953 - __copy_user(to, from, n);
16954 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
16956 - n = __copy_user_intel(to, from, n);
16957 + n = __generic_copy_to_user_intel(to, from, n);
16960 EXPORT_SYMBOL(__copy_to_user_ll);
16961 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
16964 if (movsl_is_ok(to, from, n))
16965 - __copy_user(to, from, n);
16966 + __copy_user(to, from, n, __copyuser_seg, "", "");
16968 - n = __copy_user_intel((void __user *)to,
16969 - (const void *)from, n);
16970 + n = __generic_copy_from_user_intel(to, from, n);
16973 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
16974 @@ -827,65 +943,49 @@ unsigned long __copy_from_user_ll_nocach
16975 if (n > 64 && cpu_has_xmm2)
16976 n = __copy_user_intel_nocache(to, from, n);
16978 - __copy_user(to, from, n);
16979 + __copy_user(to, from, n, __copyuser_seg, "", "");
16981 - __copy_user(to, from, n);
16982 + __copy_user(to, from, n, __copyuser_seg, "", "");
16986 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
16989 - * copy_to_user: - Copy a block of data into user space.
16990 - * @to: Destination address, in user space.
16991 - * @from: Source address, in kernel space.
16992 - * @n: Number of bytes to copy.
16994 - * Context: User context only. This function may sleep.
16996 - * Copy data from kernel space to user space.
16998 - * Returns number of bytes that could not be copied.
16999 - * On success, this will be zero.
17002 -copy_to_user(void __user *to, const void *from, unsigned long n)
17003 +void copy_from_user_overflow(void)
17005 - if (access_ok(VERIFY_WRITE, to, n))
17006 - n = __copy_to_user(to, from, n);
17008 + WARN(1, "Buffer overflow detected!\n");
17010 -EXPORT_SYMBOL(copy_to_user);
17011 +EXPORT_SYMBOL(copy_from_user_overflow);
17014 - * copy_from_user: - Copy a block of data from user space.
17015 - * @to: Destination address, in kernel space.
17016 - * @from: Source address, in user space.
17017 - * @n: Number of bytes to copy.
17019 - * Context: User context only. This function may sleep.
17021 - * Copy data from user space to kernel space.
17023 - * Returns number of bytes that could not be copied.
17024 - * On success, this will be zero.
17026 - * If some data could not be copied, this function will pad the copied
17027 - * data to the requested size using zero bytes.
17030 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17031 +void copy_to_user_overflow(void)
17033 - if (access_ok(VERIFY_READ, from, n))
17034 - n = __copy_from_user(to, from, n);
17036 - memset(to, 0, n);
17038 + WARN(1, "Buffer overflow detected!\n");
17040 -EXPORT_SYMBOL(_copy_from_user);
17041 +EXPORT_SYMBOL(copy_to_user_overflow);
17043 -void copy_from_user_overflow(void)
17044 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17045 +void __set_fs(mm_segment_t x)
17047 - WARN(1, "Buffer overflow detected!\n");
17050 + loadsegment(gs, 0);
17052 + case TASK_SIZE_MAX:
17053 + loadsegment(gs, __USER_DS);
17056 + loadsegment(gs, __KERNEL_DS);
17063 -EXPORT_SYMBOL(copy_from_user_overflow);
17065 +void set_fs(mm_segment_t x)
17067 + current_thread_info()->addr_limit = x;
17070 +EXPORT_SYMBOL(set_fs);
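Review bot: `copy_to_user_overflow()` emits exactly the same text as `copy_from_user_overflow()`, so the log line alone does not say which direction tripped the size check; I would make them distinct, e.g. `WARN(1, "copy_to_user: buffer overflow detected!\n");` in the new function. Separately, the removed `_copy_from_user` was documented as padding the destination with zero bytes when data could not be copied (`memset(to, 0, n)`), which keeps stale kernel memory out of partially filled buffers. Its replacement is not part of this hunk, so it is worth confirming that the new definition keeps both the `access_ok` check and that padding.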
17072 diff -urNp linux-2.6.37/arch/x86/lib/usercopy_64.c linux-2.6.37/arch/x86/lib/usercopy_64.c
17073 --- linux-2.6.37/arch/x86/lib/usercopy_64.c 2011-01-04 19:50:19.000000000 -0500
17074 +++ linux-2.6.37/arch/x86/lib/usercopy_64.c 2011-01-17 02:41:01.000000000 -0500
17075 @@ -42,6 +42,8 @@ long
17076 __strncpy_from_user(char *dst, const char __user *src, long count)
17079 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17080 + src += PAX_USER_SHADOW_BASE;
17081 __do_strncpy_from_user(dst, src, count, res);
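Review bot: The rebasing `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is open-coded here and again in the `__clear_user` and `copy_in_user` hunks below (twice in the latter), with no comment on why a pointer below the base is shifted. One small static inline helper, with a comment describing the intent, would keep the four sites identical and give a single place to change the rule. In `copy_in_user` the rebasing follows `access_ok`; in this function and in `__clear_user` no range check is visible in the hunk, presumably because the double-underscore variants expect the caller to have validated the pointer, and the comment should state that assumption.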
17084 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17088 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17089 + addr += PAX_USER_SHADOW_BASE;
17090 /* no memory constraint because it doesn't change any memory gcc knows
17093 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17095 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17097 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17098 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17099 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17100 + to += PAX_USER_SHADOW_BASE;
17101 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17102 + from += PAX_USER_SHADOW_BASE;
17103 return copy_user_generic((__force void *)to, (__force void *)from, len);
17109 EXPORT_SYMBOL(copy_in_user);
17111 diff -urNp linux-2.6.37/arch/x86/Makefile linux-2.6.37/arch/x86/Makefile
17112 --- linux-2.6.37/arch/x86/Makefile 2011-01-04 19:50:19.000000000 -0500
17113 +++ linux-2.6.37/arch/x86/Makefile 2011-01-17 02:41:01.000000000 -0500
17114 @@ -195,3 +195,12 @@ define archhelp
17115 echo ' FDARGS="..." arguments for the booted kernel'
17116 echo ' FDINITRD=file initrd for the booted kernel'
17121 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17122 +*** Please upgrade your binutils to 2.18 or newer
17126 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
17127 diff -urNp linux-2.6.37/arch/x86/mm/extable.c linux-2.6.37/arch/x86/mm/extable.c
17128 --- linux-2.6.37/arch/x86/mm/extable.c 2011-01-04 19:50:19.000000000 -0500
17129 +++ linux-2.6.37/arch/x86/mm/extable.c 2011-01-17 02:41:01.000000000 -0500
17131 #include <linux/module.h>
17132 #include <linux/spinlock.h>
17133 +#include <linux/sort.h>
17134 #include <asm/uaccess.h>
17135 +#include <asm/pgtable.h>
17138 + * The exception table needs to be sorted so that the binary
17139 + * search that we use to find entries in it works properly.
17140 + * This is used both for the kernel exception table and for
17141 + * the exception tables of modules that get loaded.
17143 +static int cmp_ex(const void *a, const void *b)
17145 + const struct exception_table_entry *x = a, *y = b;
17147 + /* avoid overflow */
17148 + if (x->insn > y->insn)
17150 + if (x->insn < y->insn)
17155 +static void swap_ex(void *a, void *b, int size)
17157 + struct exception_table_entry t, *x = a, *y = b;
17161 + pax_open_kernel();
17164 + pax_close_kernel();
17167 +void sort_extable(struct exception_table_entry *start,
17168 + struct exception_table_entry *finish)
17170 + sort(start, finish - start, sizeof(struct exception_table_entry),
17171 + cmp_ex, swap_ex);
17174 +#ifdef CONFIG_MODULES
17176 + * If the exception table is sorted, any referring to the module init
17177 + * will be at the beginning or the end.
17179 +void trim_init_extable(struct module *m)
17181 + /*trim the beginning*/
17182 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17184 + m->num_exentries--;
17187 + while (m->num_exentries &&
17188 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17189 + m->num_exentries--;
17191 +#endif /* CONFIG_MODULES */
17193 int fixup_exception(struct pt_regs *regs)
17195 const struct exception_table_entry *fixup;
17197 #ifdef CONFIG_PNPBIOS
17198 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17199 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17200 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17201 extern u32 pnp_bios_is_utter_crap;
17202 pnp_bios_is_utter_crap = 1;
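Review bot: `swap_ex()` brackets its writes with `pax_open_kernel()`/`pax_close_kernel()` but carries no comment saying why, and it never uses its `size` argument. Presumably the exception table lives in memory that is read-only under KERNEXEC, so each swap needs a write window; a line such as `/* extable may be read-only: open a write window for this swap only */` above `pax_open_kernel()` would document that. Because `sort()` invokes the callback repeatedly, the comment should also say that the window is deliberately per swap rather than held across the whole sort. The new `!v8086_mode(regs)` test in `fixup_exception` would benefit from a similar one-line reason.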
17203 diff -urNp linux-2.6.37/arch/x86/mm/fault.c linux-2.6.37/arch/x86/mm/fault.c
17204 --- linux-2.6.37/arch/x86/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
17205 +++ linux-2.6.37/arch/x86/mm/fault.c 2011-01-17 02:41:01.000000000 -0500
17206 @@ -12,10 +12,18 @@
17207 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17208 #include <linux/perf_event.h> /* perf_sw_event */
17209 #include <linux/hugetlb.h> /* hstate_index_to_shift */
17210 +#include <linux/unistd.h>
17211 +#include <linux/compiler.h>
17213 #include <asm/traps.h> /* dotraplinkage, ... */
17214 #include <asm/pgalloc.h> /* pgd_*(), ... */
17215 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17216 +#include <asm/vsyscall.h>
17217 +#include <asm/tlbflush.h>
17219 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17220 +#include <asm/stacktrace.h>
17224 * Page fault error code bits:
17225 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
17228 /* kprobe_running() needs smp_processor_id() */
17229 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17230 + if (kprobes_built_in() && !user_mode(regs)) {
17232 if (kprobe_running() && kprobe_fault_handler(regs, 14))
17234 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
17235 return !instr_lo || (instr_lo>>1) == 1;
17237 /* Prefetch instruction is 0x0F0D or 0x0F18 */
17238 - if (probe_kernel_address(instr, opcode))
17239 + if (user_mode(regs)) {
17240 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
17242 + } else if (probe_kernel_address(instr, opcode))
17245 *prefetch = (instr_lo == 0xF) &&
17246 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
17247 while (instr < max_instr) {
17248 unsigned char opcode;
17250 - if (probe_kernel_address(instr, opcode))
17251 + if (user_mode(regs)) {
17252 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
17254 + } else if (probe_kernel_address(instr, opcode))
17258 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
17259 force_sig_info(si_signo, &info, tsk);
17262 +#ifdef CONFIG_PAX_EMUTRAMP
17263 +static int pax_handle_fetch_fault(struct pt_regs *regs);
17266 +#ifdef CONFIG_PAX_PAGEEXEC
17267 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17273 + pgd = pgd_offset(mm, address);
17274 + if (!pgd_present(*pgd))
17276 + pud = pud_offset(pgd, address);
17277 + if (!pud_present(*pud))
17279 + pmd = pmd_offset(pud, address);
17280 + if (!pmd_present(*pmd))
17286 DEFINE_SPINLOCK(pgd_lock);
17287 LIST_HEAD(pgd_list);
17289 @@ -231,18 +269,35 @@ void vmalloc_sync_all(void)
17290 address += PMD_SIZE) {
17292 unsigned long flags;
17294 +#ifdef CONFIG_PAX_PER_CPU_PGD
17295 + unsigned long cpu;
17300 spin_lock_irqsave(&pgd_lock, flags);
17302 +#ifdef CONFIG_PAX_PER_CPU_PGD
17303 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17304 + pgd_t *pgd = get_cpu_pgd(cpu);
17307 list_for_each_entry(page, &pgd_list, lru) {
17308 + pgd_t *pgd = page_address(page);
17309 spinlock_t *pgt_lock;
17312 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
17314 spin_lock(pgt_lock);
17315 - ret = vmalloc_sync_one(page_address(page), address);
17318 + ret = vmalloc_sync_one(pgd, address);
17320 +#ifndef CONFIG_PAX_PER_CPU_PGD
17321 spin_unlock(pgt_lock);
17326 @@ -276,6 +331,11 @@ static noinline __kprobes int vmalloc_fa
17327 * an interrupt in the middle of a task switch..
17329 pgd_paddr = read_cr3();
17331 +#ifdef CONFIG_PAX_PER_CPU_PGD
17332 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17335 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
17338 @@ -371,7 +431,14 @@ static noinline __kprobes int vmalloc_fa
17339 * happen within a race in page table update. In the later
17343 +#ifdef CONFIG_PAX_PER_CPU_PGD
17344 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17345 + pgd = pgd_offset_cpu(smp_processor_id(), address);
17347 pgd = pgd_offset(current->active_mm, address);
17350 pgd_ref = pgd_offset_k(address);
17351 if (pgd_none(*pgd_ref))
17353 @@ -533,7 +600,7 @@ static int is_errata93(struct pt_regs *r
17354 static int is_errata100(struct pt_regs *regs, unsigned long address)
17356 #ifdef CONFIG_X86_64
17357 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17358 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17362 @@ -560,7 +627,7 @@ static int is_f00f_bug(struct pt_regs *r
17365 static const char nx_warning[] = KERN_CRIT
17366 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17367 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17370 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
17371 @@ -569,15 +636,26 @@ show_fault_oops(struct pt_regs *regs, un
17372 if (!oops_may_print())
17375 - if (error_code & PF_INSTR) {
17376 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
17377 unsigned int level;
17379 pte_t *pte = lookup_address(address, &level);
17381 if (pte && pte_present(*pte) && !pte_exec(*pte))
17382 - printk(nx_warning, current_uid());
17383 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17386 +#ifdef CONFIG_PAX_KERNEXEC
17387 + if (init_mm.start_code <= address && address < init_mm.end_code) {
17388 + if (current->signal->curr_ip)
17389 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17390 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
17392 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17393 + current->comm, task_pid_nr(current), current_uid(), current_euid());
17397 printk(KERN_ALERT "BUG: unable to handle kernel ");
17398 if (address < PAGE_SIZE)
17399 printk(KERN_CONT "NULL pointer dereference");
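Review bot: The new CONFIG_PAX_KERNEXEC block in show_fault_oops logs "attempted to modify kernel code" for any fault whose address lies between `init_mm.start_code` and `init_mm.end_code`. The visible condition never tests `error_code & PF_WRITE`, so a read or fetch fault on kernel text would be reported as a modification attempt. If that is intended, a comment such as `/* any fault on kernel text is treated as tampering under KERNEXEC */` should say so; otherwise add `(error_code & PF_WRITE) &&` to the test. Both messages print `current->comm` unescaped, and a task can set that string itself, so tooling that parses these lines should not trust the field layout. The listing drops some lines of this hunk, so the `else`, braces and `#endif` were not checked.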
17400 @@ -702,6 +780,68 @@ __bad_area_nosemaphore(struct pt_regs *r
17401 unsigned long address, int si_code)
17403 struct task_struct *tsk = current;
17404 + struct mm_struct *mm = tsk->mm;
17406 +#ifdef CONFIG_X86_64
17407 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
17408 + if (regs->ip == (unsigned long)vgettimeofday) {
17409 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17411 + } else if (regs->ip == (unsigned long)vtime) {
17412 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17414 + } else if (regs->ip == (unsigned long)vgetcpu) {
17415 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17421 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17422 + if (mm && (error_code & PF_USER)) {
17423 + unsigned long ip = regs->ip;
17425 + if (v8086_mode(regs))
17426 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
17429 + * It's possible to have interrupts off here:
17431 + local_irq_enable();
17433 +#ifdef CONFIG_PAX_PAGEEXEC
17434 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
17435 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
17437 +#ifdef CONFIG_PAX_EMUTRAMP
17438 + switch (pax_handle_fetch_fault(regs)) {
17444 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17445 + do_group_exit(SIGKILL);
17449 +#ifdef CONFIG_PAX_SEGMEXEC
17450 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
17452 +#ifdef CONFIG_PAX_EMUTRAMP
17453 + switch (pax_handle_fetch_fault(regs)) {
17459 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17460 + do_group_exit(SIGKILL);
17467 /* User mode accesses just cause a SIGSEGV */
17468 if (error_code & PF_USER) {
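Review bot: The PAGEEXEC test added to __bad_area_nosemaphore folds two different detection paths into one uncommented expression. With hardware NX it relies on `PF_INSTR`; without it, an instruction fetch is inferred from a non-present, non-write fault where `ip == address`. I would put `/* NX hardware flags fetches with PF_INSTR; otherwise a not-present read fault at the faulting ip is taken to be a fetch */` above it. The `pax_handle_fetch_fault` switch followed by `pax_report_fault` and `do_group_exit(SIGKILL)` appears twice, once per #ifdef, and could be one static helper taking `regs` and `ip`. The function starts before this hunk and the switch cases are missing from the listing, so they are not reviewed.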
17469 @@ -849,6 +989,99 @@ static int spurious_fault_check(unsigned
17473 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17474 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17479 + unsigned char pte_mask;
17481 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
17482 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
17485 + /* PaX: it's our fault, let's handle it if we can */
17487 + /* PaX: take a look at read faults before acquiring any locks */
17488 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17489 + /* instruction fetch attempt from a protected page in user mode */
17490 + up_read(&mm->mmap_sem);
17492 +#ifdef CONFIG_PAX_EMUTRAMP
17493 + switch (pax_handle_fetch_fault(regs)) {
17499 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17500 + do_group_exit(SIGKILL);
17503 + pmd = pax_get_pmd(mm, address);
17504 + if (unlikely(!pmd))
17507 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17508 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17509 + pte_unmap_unlock(pte, ptl);
17513 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17514 + /* write attempt to a protected page in user mode */
17515 + pte_unmap_unlock(pte, ptl);
17520 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17522 + if (likely(address > get_limit(regs->cs)))
17525 + set_pte(pte, pte_mkread(*pte));
17526 + __flush_tlb_one(address);
17527 + pte_unmap_unlock(pte, ptl);
17528 + up_read(&mm->mmap_sem);
17532 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
17535 + * PaX: fill DTLB with user rights and retry
17537 + __asm__ __volatile__ (
17539 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
17541 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
17542 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
17543 + * page fault when examined during a TLB load attempt. this is true not only
17544 + * for PTEs holding a non-present entry but also present entries that will
17545 + * raise a page fault (such as those set up by PaX, or the copy-on-write
17546 + * mechanism). in effect it means that we do *not* need to flush the TLBs
17547 + * for our target pages since their PTEs are simply not in the TLBs at all.
17549 + * the best thing in omitting it is that we gain around 15-20% speed in the
17550 + * fast path of the page fault handler and can get rid of tracing since we
17551 + * can no longer flush unintended entries.
17555 + "testb $0,"__copyuser_seg"(%0)\n"
17558 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
17559 + : "memory", "cc");
17560 + pte_unmap_unlock(pte, ptl);
17561 + up_read(&mm->mmap_sem);
17567 * Handle a spurious fault caused by a stale TLB entry.
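Review bot: In pax_handle_pageexec_fault the `pte_mask` line turns the fault's write bit into the PTE dirty bit with `(error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)`, which is only correct while PF_WRITE is bit 1 of the error code, and nothing in the hunk enforces that. Writing it as `pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) ? _PAGE_DIRTY : 0);` states the intent directly; alternatively keep the shift and add `BUILD_BUG_ON(PF_WRITE != 2);` beside it. The function's int result is tested by do_page_fault, but there is no header comment saying what each value means. The return statements are not in the visible lines, so that contract should be written out above the definition.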
17569 @@ -921,6 +1154,9 @@ int show_unhandled_signals = 1;
17571 access_error(unsigned long error_code, struct vm_area_struct *vma)
17573 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
17576 if (error_code & PF_WRITE) {
17577 /* write, present and write, not present: */
17578 if (unlikely(!(vma->vm_flags & VM_WRITE)))
17579 @@ -954,19 +1190,33 @@ do_page_fault(struct pt_regs *regs, unsi
17581 struct vm_area_struct *vma;
17582 struct task_struct *tsk;
17583 - unsigned long address;
17584 struct mm_struct *mm;
17586 int write = error_code & PF_WRITE;
17587 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
17588 (write ? FAULT_FLAG_WRITE : 0);
17590 + /* Get the faulting address: */
17591 + unsigned long address = read_cr2();
17593 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17594 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
17595 + if (!search_exception_tables(regs->ip)) {
17596 + bad_area_nosemaphore(regs, error_code, address);
17599 + if (address < PAX_USER_SHADOW_BASE) {
17600 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
17601 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
17602 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
17604 + address -= PAX_USER_SHADOW_BASE;
17611 - /* Get the faulting address: */
17612 - address = read_cr2();
17615 * Detect and handle instructions that would cause a page fault for
17616 * both a tracked kernel page and a userspace page.
17617 @@ -1026,7 +1276,7 @@ do_page_fault(struct pt_regs *regs, unsi
17618 * User-mode registers count as a user access even for any
17619 * potential system fault or CPU buglet:
17621 - if (user_mode_vm(regs)) {
17622 + if (user_mode(regs)) {
17623 local_irq_enable();
17624 error_code |= PF_USER;
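Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in do_page_fault changes which faults receive `PF_USER`, unless `user_mode()` is redefined elsewhere in this patch. In mainline 2.6.37 the 32-bit `user_mode()` looks only at the CS privilege level and ignores the VM86 flag. If this tree makes `user_mode()` VM86-aware, a comment here such as `/* user_mode() covers vm86 in this tree */` would save the next reader from having to check. If it does not, vm86 faults would skip the `local_irq_enable()` and `PF_USER` marking that the context comment says user-mode registers should get. do_page_fault extends well beyond this hunk.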
17626 @@ -1081,6 +1331,11 @@ retry:
17630 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17631 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
17635 vma = find_vma(mm, address);
17636 if (unlikely(!vma)) {
17637 bad_area(regs, error_code, address);
17638 @@ -1092,18 +1347,24 @@ retry:
17639 bad_area(regs, error_code, address);
17642 - if (error_code & PF_USER) {
17644 - * Accessing the stack below %sp is always a bug.
17645 - * The large cushion allows instructions like enter
17646 - * and pusha to work. ("enter $65535, $31" pushes
17647 - * 32 pointers and then decrements %sp by 65535.)
17649 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
17650 - bad_area(regs, error_code, address);
17654 + * Accessing the stack below %sp is always a bug.
17655 + * The large cushion allows instructions like enter
17656 + * and pusha to work. ("enter $65535, $31" pushes
17657 + * 32 pointers and then decrements %sp by 65535.)
17659 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
17660 + bad_area(regs, error_code, address);
17664 +#ifdef CONFIG_PAX_SEGMEXEC
17665 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
17666 + bad_area(regs, error_code, address);
17671 if (unlikely(expand_stack(vma, address))) {
17672 bad_area(regs, error_code, address);
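Review bot: As far as the visible lines show, the stack-cushion test loses the `error_code & PF_USER` guard that the removed lines had, and it now compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`. Kernel-mode faults on a user address far below the saved user stack pointer are therefore refused as well, which is a behaviour change the comment above the test should mention. The added SEGMEXEC test, `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1`, uses unsigned wrap-around to express a range check and has no comment. I read it as "the vma ends above SEGMEXEC_TASK_SIZE while the address is at or below it"; if the author confirms, add `/* never grow a stack vma from the upper SEGMEXEC half down into the lower half */`. Lines are missing from the listing here, so braces and returns were not checked.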
17674 @@ -1158,3 +1419,199 @@ good_area:
17676 up_read(&mm->mmap_sem);
17679 +#ifdef CONFIG_PAX_EMUTRAMP
17680 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
17684 + do { /* PaX: gcc trampoline emulation #1 */
17685 + unsigned char mov1, mov2;
17686 + unsigned short jmp;
17687 + unsigned int addr1, addr2;
17689 +#ifdef CONFIG_X86_64
17690 + if ((regs->ip + 11) >> 32)
17694 + err = get_user(mov1, (unsigned char __user *)regs->ip);
17695 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17696 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
17697 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17698 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
17703 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
17704 + regs->cx = addr1;
17705 + regs->ax = addr2;
17706 + regs->ip = addr2;
17711 + do { /* PaX: gcc trampoline emulation #2 */
17712 + unsigned char mov, jmp;
17713 + unsigned int addr1, addr2;
17715 +#ifdef CONFIG_X86_64
17716 + if ((regs->ip + 9) >> 32)
17720 + err = get_user(mov, (unsigned char __user *)regs->ip);
17721 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17722 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
17723 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17728 + if (mov == 0xB9 && jmp == 0xE9) {
17729 + regs->cx = addr1;
17730 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
17735 + return 1; /* PaX in action */
17738 +#ifdef CONFIG_X86_64
17739 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
17743 + do { /* PaX: gcc trampoline emulation #1 */
17744 + unsigned short mov1, mov2, jmp1;
17745 + unsigned char jmp2;
17746 + unsigned int addr1;
17747 + unsigned long addr2;
17749 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17750 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
17751 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
17752 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
17753 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
17754 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
17759 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17760 + regs->r11 = addr1;
17761 + regs->r10 = addr2;
17762 + regs->ip = addr1;
17767 + do { /* PaX: gcc trampoline emulation #2 */
17768 + unsigned short mov1, mov2, jmp1;
17769 + unsigned char jmp2;
17770 + unsigned long addr1, addr2;
17772 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17773 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
17774 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
17775 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
17776 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
17777 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
17782 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17783 + regs->r11 = addr1;
17784 + regs->r10 = addr2;
17785 + regs->ip = addr1;
17790 + return 1; /* PaX in action */
17795 + * PaX: decide what to do with offenders (regs->ip = fault address)
17797 + * returns 1 when task should be killed
17798 + * 2 when gcc trampoline was detected
17800 +static int pax_handle_fetch_fault(struct pt_regs *regs)
17802 + if (v8086_mode(regs))
17805 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
17808 +#ifdef CONFIG_X86_32
17809 + return pax_handle_fetch_fault_32(regs);
17811 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
17812 + return pax_handle_fetch_fault_32(regs);
17814 + return pax_handle_fetch_fault_64(regs);
17819 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17820 +void pax_report_insns(void *pc, void *sp)
17824 + printk(KERN_ERR "PAX: bytes at PC: ");
17825 + for (i = 0; i < 20; i++) {
17827 + if (get_user(c, (__force unsigned char __user *)pc+i))
17828 + printk(KERN_CONT "?? ");
17830 + printk(KERN_CONT "%02x ", c);
17834 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
17835 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
17837 + if (get_user(c, (__force unsigned long __user *)sp+i))
17838 +#ifdef CONFIG_X86_32
17839 + printk(KERN_CONT "???????? ");
17841 + printk(KERN_CONT "???????????????? ");
17844 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
17851 + * probe_kernel_write(): safely attempt to write to a location
17852 + * @dst: address to write to
17853 + * @src: pointer to the data that shall be written
17854 + * @size: size of the data chunk
17856 + * Safely write to address @dst from the buffer at @src. If a kernel fault
17857 + * happens, handle that and return -EFAULT.
17859 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
17862 + mm_segment_t old_fs = get_fs();
17864 + set_fs(KERNEL_DS);
17865 + pagefault_disable();
17866 + pax_open_kernel();
17867 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
17868 + pax_close_kernel();
17869 + pagefault_enable();
17872 + return ret ? -EFAULT : 0;
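Review bot: pax_report_insns copies 20 bytes of user code at `pc` and roughly 80 bytes of user stack around `sp` into the kernel log at KERN_ERR, and nothing in this hunk bounds how often that happens. Where the kernel log is readable by unprivileged users this exposes the killed task's stack contents, and a process that faults in a loop can flood the log. I would note the dependency on restricting log access (for example the `dmesg_restrict` sysctl) in a comment above the function and consider `printk_ratelimit()` in the caller, which is not visible here. Separately, the opcode constants in the trampoline emulators (`0xB9`, `0xB8`, `0xE0FF`, `0xBB41`, `0xBA49`, `0xFF49`, `0xE3`) each deserve a short comment naming the instruction sequence being matched. Parts of this hunk are missing from the listing, including the tail of probe_kernel_write.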
17874 diff -urNp linux-2.6.37/arch/x86/mm/gup.c linux-2.6.37/arch/x86/mm/gup.c
17875 --- linux-2.6.37/arch/x86/mm/gup.c 2011-01-04 19:50:19.000000000 -0500
17876 +++ linux-2.6.37/arch/x86/mm/gup.c 2011-01-17 02:41:01.000000000 -0500
17877 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
17879 len = (unsigned long) nr_pages << PAGE_SHIFT;
17881 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17882 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17883 (void __user *)start, len)))
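Review bot: The switch from `access_ok()` to `__access_ok()` in __get_user_pages_fast is unexplained, and the two names differ only by the leading underscores, so the reason is easy to lose in later merges. This is the user-range check guarding a lockless page-table walk. A comment above the call should say what `access_ok()` does in this tree that must be avoided here, and confirm that `__access_ok()` still performs the full range check. The function begins and ends outside the hunk.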
17886 diff -urNp linux-2.6.37/arch/x86/mm/highmem_32.c linux-2.6.37/arch/x86/mm/highmem_32.c
17887 --- linux-2.6.37/arch/x86/mm/highmem_32.c 2011-01-04 19:50:19.000000000 -0500
17888 +++ linux-2.6.37/arch/x86/mm/highmem_32.c 2011-01-17 02:41:01.000000000 -0500
17889 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
17890 idx = type + KM_TYPE_NR*smp_processor_id();
17891 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
17892 BUG_ON(!pte_none(*(kmap_pte-idx)));
17894 + pax_open_kernel();
17895 set_pte(kmap_pte-idx, mk_pte(page, prot));
17896 + pax_close_kernel();
17898 return (void *)vaddr;
17900 diff -urNp linux-2.6.37/arch/x86/mm/hugetlbpage.c linux-2.6.37/arch/x86/mm/hugetlbpage.c
17901 --- linux-2.6.37/arch/x86/mm/hugetlbpage.c 2011-01-04 19:50:19.000000000 -0500
17902 +++ linux-2.6.37/arch/x86/mm/hugetlbpage.c 2011-01-17 02:41:01.000000000 -0500
17903 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
17904 struct hstate *h = hstate_file(file);
17905 struct mm_struct *mm = current->mm;
17906 struct vm_area_struct *vma;
17907 - unsigned long start_addr;
17908 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17910 +#ifdef CONFIG_PAX_SEGMEXEC
17911 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17912 + pax_task_size = SEGMEXEC_TASK_SIZE;
17915 + pax_task_size -= PAGE_SIZE;
17917 if (len > mm->cached_hole_size) {
17918 - start_addr = mm->free_area_cache;
17919 + start_addr = mm->free_area_cache;
17921 - start_addr = TASK_UNMAPPED_BASE;
17922 - mm->cached_hole_size = 0;
17923 + start_addr = mm->mmap_base;
17924 + mm->cached_hole_size = 0;
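Review bot: `pax_task_size -= PAGE_SIZE;` in hugetlb_get_unmapped_area_bottomup shrinks the usable address space by one page with no comment saying why. The same SEGMEXEC selection plus subtraction is repeated in hugetlb_get_unmapped_area further down this file. A small static helper returning the limit, with the reason for the one-page reduction documented once, would keep the two copies from drifting apart. The `pax_task_size - len < addr` test in the following hunk appears safe from unsigned underflow only because hugetlb_get_unmapped_area rejects `len > pax_task_size` first, and that dependency is worth a comment in this function.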
17928 @@ -280,26 +287,27 @@ full_search:
17930 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17931 /* At this point: (!vma || addr < vma->vm_end). */
17932 - if (TASK_SIZE - len < addr) {
17933 + if (pax_task_size - len < addr) {
17935 * Start a new search - just in case we missed
17938 - if (start_addr != TASK_UNMAPPED_BASE) {
17939 - start_addr = TASK_UNMAPPED_BASE;
17940 + if (start_addr != mm->mmap_base) {
17941 + start_addr = mm->mmap_base;
17942 mm->cached_hole_size = 0;
17947 - if (!vma || addr + len <= vma->vm_start) {
17948 - mm->free_area_cache = addr + len;
17951 + if (check_heap_stack_gap(vma, addr, len))
17953 if (addr + mm->cached_hole_size < vma->vm_start)
17954 mm->cached_hole_size = vma->vm_start - addr;
17955 addr = ALIGN(vma->vm_end, huge_page_size(h));
17958 + mm->free_area_cache = addr + len;
17962 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
17963 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
17965 struct hstate *h = hstate_file(file);
17966 struct mm_struct *mm = current->mm;
17967 - struct vm_area_struct *vma, *prev_vma;
17968 - unsigned long base = mm->mmap_base, addr = addr0;
17969 + struct vm_area_struct *vma;
17970 + unsigned long base = mm->mmap_base, addr;
17971 unsigned long largest_hole = mm->cached_hole_size;
17972 - int first_time = 1;
17974 /* don't allow allocations above current base */
17975 if (mm->free_area_cache > base)
17976 @@ -321,7 +328,7 @@ static unsigned long hugetlb_get_unmappe
17978 mm->free_area_cache = base;
17982 /* make sure it can fit in the remaining address space */
17983 if (mm->free_area_cache < len)
17985 @@ -329,33 +336,27 @@ try_again:
17986 /* either no address requested or cant fit in requested address hole */
17987 addr = (mm->free_area_cache - len) & huge_page_mask(h);
17989 + vma = find_vma(mm, addr);
17991 * Lookup failure means no vma is above this address,
17992 * i.e. return with success:
17994 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
17998 * new region fits between prev_vma->vm_end and
17999 * vma->vm_start, use it:
18001 - if (addr + len <= vma->vm_start &&
18002 - (!prev_vma || (addr >= prev_vma->vm_end))) {
18003 + if (check_heap_stack_gap(vma, addr, len)) {
18004 /* remember the address as a hint for next time */
18005 - mm->cached_hole_size = largest_hole;
18006 - return (mm->free_area_cache = addr);
18008 - /* pull free_area_cache down to the first hole */
18009 - if (mm->free_area_cache == vma->vm_end) {
18010 - mm->free_area_cache = vma->vm_start;
18011 - mm->cached_hole_size = largest_hole;
18013 + mm->cached_hole_size = largest_hole;
18014 + return (mm->free_area_cache = addr);
18016 + /* pull free_area_cache down to the first hole */
18017 + if (mm->free_area_cache == vma->vm_end) {
18018 + mm->free_area_cache = vma->vm_start;
18019 + mm->cached_hole_size = largest_hole;
18022 /* remember the largest hole we saw so far */
18023 if (addr + largest_hole < vma->vm_start)
18024 - largest_hole = vma->vm_start - addr;
18025 + largest_hole = vma->vm_start - addr;
18027 /* try just below the current vma->vm_start */
18028 addr = (vma->vm_start - len) & huge_page_mask(h);
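Review bot: After this hunk the context comments in hugetlb_get_unmapped_area_topdown no longer match the code. "new region fits between prev_vma->vm_end and vma->vm_start" refers to `prev_vma`, which the patch removes. "Lookup failure means no vma is above this address" now describes nothing, because the `find_vma_prev` test it introduced is gone. Both decisions have moved into `check_heap_stack_gap(vma, addr, len)`, so the two comments should be replaced with one line such as `/* check_heap_stack_gap() handles a NULL vma and enforces the gap below vma->vm_start */`. Confirm first that the helper really accepts a NULL `vma`; its definition is not in this part of the patch.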
18029 @@ -363,22 +364,26 @@ try_again:
18033 - * if hint left us with no space for the requested
18034 - * mapping then try again:
18036 - if (first_time) {
18037 - mm->free_area_cache = base;
18038 - largest_hole = 0;
18043 * A failed mmap() very likely causes application failure,
18044 * so fall back to the bottom-up function here. This scenario
18045 * can happen with large stack limits and large mmap()
18048 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18050 +#ifdef CONFIG_PAX_SEGMEXEC
18051 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18052 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18056 + mm->mmap_base = TASK_UNMAPPED_BASE;
18058 +#ifdef CONFIG_PAX_RANDMMAP
18059 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18060 + mm->mmap_base += mm->delta_mmap;
18063 + mm->free_area_cache = mm->mmap_base;
18064 mm->cached_hole_size = ~0UL;
18065 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18066 len, pgoff, flags);
18067 @@ -386,6 +391,7 @@ fail:
18069 * Restore the topdown base:
18071 + mm->mmap_base = base;
18072 mm->free_area_cache = base;
18073 mm->cached_hole_size = ~0UL;
18075 @@ -399,10 +405,19 @@ hugetlb_get_unmapped_area(struct file *f
18076 struct hstate *h = hstate_file(file);
18077 struct mm_struct *mm = current->mm;
18078 struct vm_area_struct *vma;
18079 + unsigned long pax_task_size = TASK_SIZE;
18081 if (len & ~huge_page_mask(h))
18083 - if (len > TASK_SIZE)
18085 +#ifdef CONFIG_PAX_SEGMEXEC
18086 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18087 + pax_task_size = SEGMEXEC_TASK_SIZE;
18090 + pax_task_size -= PAGE_SIZE;
18092 + if (len > pax_task_size)
18095 if (flags & MAP_FIXED) {
18096 @@ -414,8 +429,7 @@ hugetlb_get_unmapped_area(struct file *f
18098 addr = ALIGN(addr, huge_page_size(h));
18099 vma = find_vma(mm, addr);
18100 - if (TASK_SIZE - len >= addr &&
18101 - (!vma || addr + len <= vma->vm_start))
18102 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18105 if (mm->get_unmapped_area == arch_get_unmapped_area)
18106 diff -urNp linux-2.6.37/arch/x86/mm/init_32.c linux-2.6.37/arch/x86/mm/init_32.c
18107 --- linux-2.6.37/arch/x86/mm/init_32.c 2011-01-04 19:50:19.000000000 -0500
18108 +++ linux-2.6.37/arch/x86/mm/init_32.c 2011-01-17 02:41:01.000000000 -0500
18109 @@ -73,36 +73,6 @@ static __init void *alloc_low_page(void)
18113 - * Creates a middle page table and puts a pointer to it in the
18114 - * given global directory entry. This only returns the gd entry
18115 - * in non-PAE compilation mode, since the middle layer is folded.
18117 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18120 - pmd_t *pmd_table;
18122 -#ifdef CONFIG_X86_PAE
18123 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18124 - if (after_bootmem)
18125 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18127 - pmd_table = (pmd_t *)alloc_low_page();
18128 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18129 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18130 - pud = pud_offset(pgd, 0);
18131 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18133 - return pmd_table;
18136 - pud = pud_offset(pgd, 0);
18137 - pmd_table = pmd_offset(pud, 0);
18139 - return pmd_table;
18143 * Create a page table and place a pointer to it in a middle page
18146 @@ -122,13 +92,28 @@ static pte_t * __init one_page_table_ini
18147 page_table = (pte_t *)alloc_low_page();
18149 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18150 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18151 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18153 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18155 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18158 return pte_offset_kernel(pmd, 0);
18161 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18164 + pmd_t *pmd_table;
18166 + pud = pud_offset(pgd, 0);
18167 + pmd_table = pmd_offset(pud, 0);
18169 + return pmd_table;
18172 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18174 int pgd_idx = pgd_index(vaddr);
18175 @@ -202,6 +187,7 @@ page_table_range_init(unsigned long star
18176 int pgd_idx, pmd_idx;
18177 unsigned long vaddr;
18183 @@ -211,8 +197,13 @@ page_table_range_init(unsigned long star
18184 pgd = pgd_base + pgd_idx;
18186 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18187 - pmd = one_md_table_init(pgd);
18188 - pmd = pmd + pmd_index(vaddr);
18189 + pud = pud_offset(pgd, vaddr);
18190 + pmd = pmd_offset(pud, vaddr);
18192 +#ifdef CONFIG_X86_PAE
18193 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18196 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18197 pmd++, pmd_idx++) {
18198 pte = page_table_kmap_check(one_page_table_init(pmd),
18199 @@ -224,11 +215,20 @@ page_table_range_init(unsigned long star
18203 -static inline int is_kernel_text(unsigned long addr)
18204 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18206 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
18209 + if ((start > ktla_ktva((unsigned long)_etext) ||
18210 + end <= ktla_ktva((unsigned long)_stext)) &&
18211 + (start > ktla_ktva((unsigned long)_einittext) ||
18212 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18214 +#ifdef CONFIG_ACPI_SLEEP
18215 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18218 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
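Review bot: The rewritten is_kernel_text treats each upper bound as inclusive (`start > ktla_ktva((unsigned long)_etext)`), so a range beginning exactly at `_etext` or `_einittext` presumably still counts as kernel text. kernel_physical_mapping_init then gives such a range `PAGE_KERNEL_EXEC` or `PAGE_KERNEL_LARGE_EXEC`. If those symbols mark the first byte past the text, `>=` is the tighter test for a non-executable data mapping. The literals `0x4000`, `0xfffff` and `0xc0000` need names or a comment, e.g. `/* legacy BIOS/option ROM area 0xc0000-0xfffff */`, assuming that is what the last clause covers. The function's return statements are not in the visible lines.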
18224 @@ -245,9 +245,10 @@ kernel_physical_mapping_init(unsigned lo
18225 unsigned long last_map_addr = end;
18226 unsigned long start_pfn, end_pfn;
18227 pgd_t *pgd_base = swapper_pg_dir;
18228 - int pgd_idx, pmd_idx, pte_ofs;
18229 + unsigned int pgd_idx, pmd_idx, pte_ofs;
18235 unsigned pages_2m, pages_4k;
18236 @@ -280,8 +281,13 @@ repeat:
18238 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18239 pgd = pgd_base + pgd_idx;
18240 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18241 - pmd = one_md_table_init(pgd);
18242 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18243 + pud = pud_offset(pgd, 0);
18244 + pmd = pmd_offset(pud, 0);
18246 +#ifdef CONFIG_X86_PAE
18247 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18250 if (pfn >= end_pfn)
18252 @@ -293,14 +299,13 @@ repeat:
18254 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18255 pmd++, pmd_idx++) {
18256 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18257 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18260 * Map with big pages if possible, otherwise
18261 * create normal page tables:
18264 - unsigned int addr2;
18265 pgprot_t prot = PAGE_KERNEL_LARGE;
18267 * first pass will use the same initial
18268 @@ -310,11 +315,7 @@ repeat:
18269 __pgprot(PTE_IDENT_ATTR |
18272 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18273 - PAGE_OFFSET + PAGE_SIZE-1;
18275 - if (is_kernel_text(addr) ||
18276 - is_kernel_text(addr2))
18277 + if (is_kernel_text(address, address + PMD_SIZE))
18278 prot = PAGE_KERNEL_LARGE_EXEC;
18281 @@ -331,7 +332,7 @@ repeat:
18282 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18284 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18285 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18286 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18287 pgprot_t prot = PAGE_KERNEL;
18289 * first pass will use the same initial
18290 @@ -339,7 +340,7 @@ repeat:
18292 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18294 - if (is_kernel_text(addr))
18295 + if (is_kernel_text(address, address + PAGE_SIZE))
18296 prot = PAGE_KERNEL_EXEC;
18299 @@ -471,7 +472,7 @@ void __init native_pagetable_setup_start
18301 pud = pud_offset(pgd, va);
18302 pmd = pmd_offset(pud, va);
18303 - if (!pmd_present(*pmd))
18304 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
18307 pte = pte_offset_kernel(pmd, va);
18308 @@ -523,12 +524,10 @@ void __init early_ioremap_page_table_ran
18310 static void __init pagetable_init(void)
18312 - pgd_t *pgd_base = swapper_pg_dir;
18314 - permanent_kmaps_init(pgd_base);
18315 + permanent_kmaps_init(swapper_pg_dir);
18318 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18319 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18320 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18322 /* user-defined highmem size */
18323 @@ -753,6 +752,12 @@ void __init mem_init(void)
18327 +#ifdef CONFIG_PAX_PER_CPU_PGD
18328 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18329 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18330 + KERNEL_PGD_PTRS);
18333 #ifdef CONFIG_FLATMEM
18336 @@ -770,7 +775,7 @@ void __init mem_init(void)
18337 set_highmem_pages_init();
18339 codesize = (unsigned long) &_etext - (unsigned long) &_text;
18340 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
18341 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
18342 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
18344 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
18345 @@ -811,10 +816,10 @@ void __init mem_init(void)
18346 ((unsigned long)&__init_end -
18347 (unsigned long)&__init_begin) >> 10,
18349 - (unsigned long)&_etext, (unsigned long)&_edata,
18350 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18351 + (unsigned long)&_sdata, (unsigned long)&_edata,
18352 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18354 - (unsigned long)&_text, (unsigned long)&_etext,
18355 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18356 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18359 @@ -892,6 +897,7 @@ void set_kernel_text_rw(void)
18360 if (!kernel_set_to_readonly)
18363 + start = ktla_ktva(start);
18364 pr_debug("Set kernel text: %lx - %lx for read write\n",
18365 start, start+size);
18367 @@ -906,6 +912,7 @@ void set_kernel_text_ro(void)
18368 if (!kernel_set_to_readonly)
18371 + start = ktla_ktva(start);
18372 pr_debug("Set kernel text: %lx - %lx for read only\n",
18373 start, start+size);
18375 @@ -917,6 +924,7 @@ void mark_rodata_ro(void)
18376 unsigned long start = PFN_ALIGN(_text);
18377 unsigned long size = PFN_ALIGN(_etext) - start;
18379 + start = ktla_ktva(start);
18380 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18381 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18383 diff -urNp linux-2.6.37/arch/x86/mm/init_64.c linux-2.6.37/arch/x86/mm/init_64.c
18384 --- linux-2.6.37/arch/x86/mm/init_64.c 2011-01-04 19:50:19.000000000 -0500
18385 +++ linux-2.6.37/arch/x86/mm/init_64.c 2011-01-17 02:41:01.000000000 -0500
18386 @@ -72,7 +72,7 @@ early_param("gbpages", parse_direct_gbpa
18387 * around without checking the pgd every time.
18390 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18391 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18392 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18394 int force_personality32;
18395 @@ -106,12 +106,22 @@ void sync_global_pgds(unsigned long star
18396 for (address = start; address <= end; address += PGDIR_SIZE) {
18397 const pgd_t *pgd_ref = pgd_offset_k(address);
18398 unsigned long flags;
18400 +#ifdef CONFIG_PAX_PER_CPU_PGD
18401 + unsigned long cpu;
18406 if (pgd_none(*pgd_ref))
18409 spin_lock_irqsave(&pgd_lock, flags);
18411 +#ifdef CONFIG_PAX_PER_CPU_PGD
18412 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18413 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
18415 list_for_each_entry(page, &pgd_list, lru) {
18417 spinlock_t *pgt_lock;
18418 @@ -119,6 +129,7 @@ void sync_global_pgds(unsigned long star
18419 pgd = (pgd_t *)page_address(page) + pgd_index(address);
18420 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
18421 spin_lock(pgt_lock);
18424 if (pgd_none(*pgd))
18425 set_pgd(pgd, *pgd_ref);
18426 @@ -126,7 +137,10 @@ void sync_global_pgds(unsigned long star
18427 BUG_ON(pgd_page_vaddr(*pgd)
18428 != pgd_page_vaddr(*pgd_ref));
18430 +#ifndef CONFIG_PAX_PER_CPU_PGD
18431 spin_unlock(pgt_lock);
18435 spin_unlock_irqrestore(&pgd_lock, flags);
18437 @@ -200,7 +214,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
18438 pmd = fill_pmd(pud, vaddr);
18439 pte = fill_pte(pmd, vaddr);
18441 + pax_open_kernel();
18442 set_pte(pte, new_pte);
18443 + pax_close_kernel();
18446 * It's enough to flush this one mapping.
18447 @@ -259,14 +275,12 @@ static void __init __init_extra_mapping(
18448 pgd = pgd_offset_k((unsigned long)__va(phys));
18449 if (pgd_none(*pgd)) {
18450 pud = (pud_t *) spp_getpage();
18451 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18453 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18455 pud = pud_offset(pgd, (unsigned long)__va(phys));
18456 if (pud_none(*pud)) {
18457 pmd = (pmd_t *) spp_getpage();
18458 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18460 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18462 pmd = pmd_offset(pud, phys);
18463 BUG_ON(!pmd_none(*pmd));
18464 @@ -706,6 +720,12 @@ void __init mem_init(void)
18468 +#ifdef CONFIG_PAX_PER_CPU_PGD
18469 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18470 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18471 + KERNEL_PGD_PTRS);
18474 /* clear_bss() already clear the empty_zero_page */
18477 @@ -866,8 +886,8 @@ int kern_addr_valid(unsigned long addr)
18478 static struct vm_area_struct gate_vma = {
18479 .vm_start = VSYSCALL_START,
18480 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18481 - .vm_page_prot = PAGE_READONLY_EXEC,
18482 - .vm_flags = VM_READ | VM_EXEC
18483 + .vm_page_prot = PAGE_READONLY,
18484 + .vm_flags = VM_READ
18487 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
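Review bot: The `gate_vma` initializer drops `VM_EXEC` and switches to `PAGE_READONLY` with no comment on how user code still reaches the vsyscall entry points at `VSYSCALL_START`. This struct only describes the VMA; the page-table permissions for the vsyscall page are set elsewhere, so this hunk does not show whether execution is still permitted or now faults. A comment on the initializer should name where that is handled, e.g. `/* PaX: gate area is not VM_EXEC; vsyscall execution is handled in <vsyscall mapping/fault path> */` with the placeholder filled in.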
18488 @@ -901,7 +921,7 @@ int in_gate_area_no_task(unsigned long a
18490 const char *arch_vma_name(struct vm_area_struct *vma)
18492 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18493 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18495 if (vma == &gate_vma)
18496 return "[vsyscall]";
18497 diff -urNp linux-2.6.37/arch/x86/mm/init.c linux-2.6.37/arch/x86/mm/init.c
18498 --- linux-2.6.37/arch/x86/mm/init.c 2011-01-04 19:50:19.000000000 -0500
18499 +++ linux-2.6.37/arch/x86/mm/init.c 2011-01-17 02:41:01.000000000 -0500
18500 @@ -72,11 +72,7 @@ static void __init find_early_table_spac
18501 * cause a hotspot and fill up ZONE_DMA. The page tables
18502 * need roughly 0.5KB per GB.
18504 -#ifdef CONFIG_X86_32
18509 + start = 0x100000;
18510 base = memblock_find_in_range(start, max_pfn_mapped<<PAGE_SHIFT,
18511 tables, PAGE_SIZE);
18512 if (base == MEMBLOCK_ERROR)
18513 @@ -323,7 +319,13 @@ unsigned long __init_refok init_memory_m
18515 int devmem_is_allowed(unsigned long pagenr)
18517 - if (pagenr <= 256)
18520 +#ifdef CONFIG_VM86
18521 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18524 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18526 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
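Review bot: The narrowed /dev/mem policy in devmem_is_allowed() needs its own comment, because the function's existing description (outside this hunk) presumably still describes the old "first 256 pages" rule. The old test `pagenr <= 256` also admitted page 256, while the new upper bound `pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT)` is exclusive, and memory below `ISA_START_ADDRESS` is now allowed only under CONFIG_VM86. Something like `/* PaX: below ISA_START_ADDRESS only for CONFIG_VM86; the ISA range itself is always allowed */` would record that. The return statements of these branches are missing from this listing, so confirm the wording against the full hunk.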
18528 @@ -382,6 +384,86 @@ void free_init_pages(char *what, unsigne
18530 void free_initmem(void)
18533 +#ifdef CONFIG_PAX_KERNEXEC
18534 +#ifdef CONFIG_X86_32
18535 + /* PaX: limit KERNEL_CS to actual size */
18536 + unsigned long addr, limit;
18537 + struct desc_struct d;
18540 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
18541 + limit = (limit - 1UL) >> PAGE_SHIFT;
18543 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
18544 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
18545 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
18546 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
18549 + /* PaX: make KERNEL_CS read-only */
18550 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
18551 + if (!paravirt_enabled())
18552 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
18554 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
18555 + pgd = pgd_offset_k(addr);
18556 + pud = pud_offset(pgd, addr);
18557 + pmd = pmd_offset(pud, addr);
18558 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18561 +#ifdef CONFIG_X86_PAE
18562 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
18564 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
18565 + pgd = pgd_offset_k(addr);
18566 + pud = pud_offset(pgd, addr);
18567 + pmd = pmd_offset(pud, addr);
18568 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18573 +#ifdef CONFIG_MODULES
18574 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
18581 + unsigned long addr, end;
18583 + /* PaX: make kernel code/rodata read-only, rest non-executable */
18584 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
18585 + pgd = pgd_offset_k(addr);
18586 + pud = pud_offset(pgd, addr);
18587 + pmd = pmd_offset(pud, addr);
18588 + if (!pmd_present(*pmd))
18590 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
18591 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18593 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18596 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
18597 + end = addr + KERNEL_IMAGE_SIZE;
18598 + for (; addr < end; addr += PMD_SIZE) {
18599 + pgd = pgd_offset_k(addr);
18600 + pud = pud_offset(pgd, addr);
18601 + pmd = pmd_offset(pud, addr);
18602 + if (!pmd_present(*pmd))
18604 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
18605 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18612 free_init_pages("unused kernel memory",
18613 (unsigned long)(&__init_begin),
18614 (unsigned long)(&__init_end));
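Review bot: The added `memset()` in free_initmem() passes the integer expression `__LOAD_PHYSICAL_ADDR + PAGE_OFFSET` where a pointer is expected. Assuming both macros are integer-typed, it should read `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);`. The descriptor literals in `pack_descriptor(&d, ..., limit, 0x9B, 0xC)` also deserve a short comment giving the access type and flags they encode, since a wrong bit there changes what KERNEL_CS permits. Parts of the function body, including the preprocessor branches between the 32-bit and 64-bit paths, are missing from this listing.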
18615 diff -urNp linux-2.6.37/arch/x86/mm/iomap_32.c linux-2.6.37/arch/x86/mm/iomap_32.c
18616 --- linux-2.6.37/arch/x86/mm/iomap_32.c 2011-01-04 19:50:19.000000000 -0500
18617 +++ linux-2.6.37/arch/x86/mm/iomap_32.c 2011-01-17 02:41:01.000000000 -0500
18618 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
18619 type = kmap_atomic_idx_push();
18620 idx = type + KM_TYPE_NR * smp_processor_id();
18621 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18623 + pax_open_kernel();
18624 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
18625 + pax_close_kernel();
18627 arch_flush_lazy_mmu_mode();
18629 return (void *)vaddr;
18630 diff -urNp linux-2.6.37/arch/x86/mm/ioremap.c linux-2.6.37/arch/x86/mm/ioremap.c
18631 --- linux-2.6.37/arch/x86/mm/ioremap.c 2011-01-04 19:50:19.000000000 -0500
18632 +++ linux-2.6.37/arch/x86/mm/ioremap.c 2011-01-17 02:41:01.000000000 -0500
18633 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
18634 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
18635 int is_ram = page_is_ram(pfn);
18637 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
18638 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
18640 WARN_ON_ONCE(is_ram);
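Review bot: The bare `0x100` in the new `__ioremap_caller()` condition is unexplained and changes behaviour beyond what it suggests. Any RAM pfn at or above it is now refused even when `PageReserved`, so the reserved-page exemption survives only below that boundary. If the literal stands for the 1 MB mark, spell it as `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT)`, the form the init.c hunk already uses, and add a comment such as `/* PaX: never ioremap RAM above the ISA range, reserved or not */`. Callers that relied on remapping reserved RAM pages will now fail here, which is worth stating in the commit text.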
18642 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
18643 early_param("early_ioremap_debug", early_ioremap_debug_setup);
18645 static __initdata int after_paging_init;
18646 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
18647 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
18649 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
18651 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
18652 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
18654 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
18655 - memset(bm_pte, 0, sizeof(bm_pte));
18656 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
18657 + pmd_populate_user(&init_mm, pmd, bm_pte);
18660 * The boot-ioremap range spans multiple pmds, for which
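Review bot: Removing `memset(bm_pte, 0, sizeof(bm_pte))` in early_ioremap_init() now depends on `bm_pte` being zero from static initialisation, and the previous hunk moves it to `__read_only`, where a write here would presumably fault. A one-line comment would stop someone restoring the memset: `/* bm_pte is __read_only and statically zeroed; do not clear it here */`. The switch from `pmd_populate_kernel()` to `pmd_populate_user()` for a kernel fixmap pmd is also unexplained; say why the user variant is wanted for `init_mm`.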
18661 diff -urNp linux-2.6.37/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.37/arch/x86/mm/kmemcheck/kmemcheck.c
18662 --- linux-2.6.37/arch/x86/mm/kmemcheck/kmemcheck.c 2011-01-04 19:50:19.000000000 -0500
18663 +++ linux-2.6.37/arch/x86/mm/kmemcheck/kmemcheck.c 2011-01-17 02:41:01.000000000 -0500
18664 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
18665 * memory (e.g. tracked pages)? For now, we need this to avoid
18666 * invoking kmemcheck for PnP BIOS calls.
18668 - if (regs->flags & X86_VM_MASK)
18669 + if (v8086_mode(regs))
18671 - if (regs->cs != __KERNEL_CS)
18672 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
18675 pte = kmemcheck_pte_lookup(address);
18676 diff -urNp linux-2.6.37/arch/x86/mm/mmap.c linux-2.6.37/arch/x86/mm/mmap.c
18677 --- linux-2.6.37/arch/x86/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
18678 +++ linux-2.6.37/arch/x86/mm/mmap.c 2011-01-17 02:41:01.000000000 -0500
18679 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
18680 * Leave an at least ~128 MB hole with possible stack randomization.
18682 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
18683 -#define MAX_GAP (TASK_SIZE/6*5)
18684 +#define MAX_GAP (pax_task_size/6*5)
18687 * True on X86_32 or when emulating IA32 on X86_64
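Review bot: `MAX_GAP` now expands to an expression that names `pax_task_size`, a local variable that exists only inside mmap_base() in the next hunk. The macro therefore compiles only where a variable of that exact name is in scope, and the dependency is invisible at the use site. Make the dependency explicit with `#define MAX_GAP(size) ((size)/6*5)` and `else if (gap > MAX_GAP(pax_task_size))`. `MIN_GAP` on the line above can stay as it is.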
18688 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
18689 return rnd << PAGE_SHIFT;
18692 -static unsigned long mmap_base(void)
18693 +static unsigned long mmap_base(struct mm_struct *mm)
18695 unsigned long gap = rlimit(RLIMIT_STACK);
18696 + unsigned long pax_task_size = TASK_SIZE;
18698 +#ifdef CONFIG_PAX_SEGMEXEC
18699 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18700 + pax_task_size = SEGMEXEC_TASK_SIZE;
18705 else if (gap > MAX_GAP)
18708 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
18709 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
18713 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
18714 * does, but not when emulating X86_32
18716 -static unsigned long mmap_legacy_base(void)
18717 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
18719 - if (mmap_is_ia32())
18720 + if (mmap_is_ia32()) {
18722 +#ifdef CONFIG_PAX_SEGMEXEC
18723 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18724 + return SEGMEXEC_TASK_UNMAPPED_BASE;
18728 return TASK_UNMAPPED_BASE;
18731 return TASK_UNMAPPED_BASE + mmap_rnd();
18734 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
18735 void arch_pick_mmap_layout(struct mm_struct *mm)
18737 if (mmap_is_legacy()) {
18738 - mm->mmap_base = mmap_legacy_base();
18739 + mm->mmap_base = mmap_legacy_base(mm);
18741 +#ifdef CONFIG_PAX_RANDMMAP
18742 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18743 + mm->mmap_base += mm->delta_mmap;
18746 mm->get_unmapped_area = arch_get_unmapped_area;
18747 mm->unmap_area = arch_unmap_area;
18749 - mm->mmap_base = mmap_base();
18750 + mm->mmap_base = mmap_base(mm);
18752 +#ifdef CONFIG_PAX_RANDMMAP
18753 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18754 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
18757 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
18758 mm->unmap_area = arch_unmap_area_topdown;
18760 diff -urNp linux-2.6.37/arch/x86/mm/numa_32.c linux-2.6.37/arch/x86/mm/numa_32.c
18761 --- linux-2.6.37/arch/x86/mm/numa_32.c 2011-01-04 19:50:19.000000000 -0500
18762 +++ linux-2.6.37/arch/x86/mm/numa_32.c 2011-01-17 02:41:01.000000000 -0500
18763 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
18767 -extern unsigned long find_max_low_pfn(void);
18768 extern unsigned long highend_pfn, highstart_pfn;
18770 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
18771 diff -urNp linux-2.6.37/arch/x86/mm/pageattr.c linux-2.6.37/arch/x86/mm/pageattr.c
18772 --- linux-2.6.37/arch/x86/mm/pageattr.c 2011-01-04 19:50:19.000000000 -0500
18773 +++ linux-2.6.37/arch/x86/mm/pageattr.c 2011-01-17 02:41:01.000000000 -0500
18774 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
18775 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
18777 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
18778 - pgprot_val(forbidden) |= _PAGE_NX;
18779 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18782 * The kernel text needs to be executable for obvious reasons
18783 * Does not cover __inittext since that is gone later on. On
18784 * 64bit we do not enforce !NX on the low mapping
18786 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
18787 - pgprot_val(forbidden) |= _PAGE_NX;
18788 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
18789 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18791 +#ifdef CONFIG_DEBUG_RODATA
18793 * The .rodata section needs to be read-only. Using the pfn
18794 * catches all aliases.
18795 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
18796 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
18797 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
18798 pgprot_val(forbidden) |= _PAGE_RW;
18801 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18803 @@ -316,6 +318,13 @@ static inline pgprot_t static_protection
18807 +#ifdef CONFIG_PAX_KERNEXEC
18808 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
18809 + pgprot_val(forbidden) |= _PAGE_RW;
18810 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18814 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
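Review bot: The CONFIG_PAX_KERNEXEC check in static_protections() compares `pfn` against `__pa(&_text)` and `__pa(&_sdata)`, which are byte addresses, not page frame numbers. The .rodata check just above shifts both bounds by `PAGE_SHIFT`; without the shift, this range matches far higher physical pages than the kernel image, so the RW/NX restriction lands on the wrong range and does not cover the image itself. The line should read `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`.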
18817 @@ -368,23 +377,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
18818 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
18820 /* change init_mm */
18821 + pax_open_kernel();
18822 set_pte_atomic(kpte, pte);
18824 #ifdef CONFIG_X86_32
18825 if (!SHARED_KERNEL_PMD) {
18827 +#ifdef CONFIG_PAX_PER_CPU_PGD
18828 + unsigned long cpu;
18833 +#ifdef CONFIG_PAX_PER_CPU_PGD
18834 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18835 + pgd_t *pgd = get_cpu_pgd(cpu);
18837 list_for_each_entry(page, &pgd_list, lru) {
18839 + pgd_t *pgd = (pgd_t *)page_address(page);
18845 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
18846 + pgd += pgd_index(address);
18847 pud = pud_offset(pgd, address);
18848 pmd = pmd_offset(pud, address);
18849 set_pte_atomic((pte_t *)pmd, pte);
18853 + pax_close_kernel();
18857 diff -urNp linux-2.6.37/arch/x86/mm/pageattr-test.c linux-2.6.37/arch/x86/mm/pageattr-test.c
18858 --- linux-2.6.37/arch/x86/mm/pageattr-test.c 2011-01-04 19:50:19.000000000 -0500
18859 +++ linux-2.6.37/arch/x86/mm/pageattr-test.c 2011-01-17 02:41:01.000000000 -0500
18860 @@ -36,7 +36,7 @@ enum {
18862 static int pte_testbit(pte_t pte)
18864 - return pte_flags(pte) & _PAGE_UNUSED1;
18865 + return pte_flags(pte) & _PAGE_CPA_TEST;
18868 struct split_state {
18869 diff -urNp linux-2.6.37/arch/x86/mm/pat.c linux-2.6.37/arch/x86/mm/pat.c
18870 --- linux-2.6.37/arch/x86/mm/pat.c 2011-01-04 19:50:19.000000000 -0500
18871 +++ linux-2.6.37/arch/x86/mm/pat.c 2011-01-17 02:41:01.000000000 -0500
18872 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
18875 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
18876 - current->comm, current->pid, start, end);
18877 + current->comm, task_pid_nr(current), start, end);
18881 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
18882 while (cursor < to) {
18883 if (!devmem_is_allowed(pfn)) {
18885 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
18886 - current->comm, from, to);
18887 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
18888 + current->comm, from, to, cursor);
18891 cursor += PAGE_SIZE;
18892 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
18894 "%s:%d ioremap_change_attr failed %s "
18896 - current->comm, current->pid,
18897 + current->comm, task_pid_nr(current),
18899 base, (unsigned long long)(base + size));
18901 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
18902 if (want_flags != flags) {
18903 printk(KERN_WARNING
18904 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
18905 - current->comm, current->pid,
18906 + current->comm, task_pid_nr(current),
18907 cattr_name(want_flags),
18908 (unsigned long long)paddr,
18909 (unsigned long long)(paddr + size),
18910 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
18911 free_memtype(paddr, paddr + size);
18912 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
18913 " for %Lx-%Lx, got %s\n",
18914 - current->comm, current->pid,
18915 + current->comm, task_pid_nr(current),
18916 cattr_name(want_flags),
18917 (unsigned long long)paddr,
18918 (unsigned long long)(paddr + size),
18919 diff -urNp linux-2.6.37/arch/x86/mm/pgtable_32.c linux-2.6.37/arch/x86/mm/pgtable_32.c
18920 --- linux-2.6.37/arch/x86/mm/pgtable_32.c 2011-01-04 19:50:19.000000000 -0500
18921 +++ linux-2.6.37/arch/x86/mm/pgtable_32.c 2011-01-17 02:41:01.000000000 -0500
18922 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
18925 pte = pte_offset_kernel(pmd, vaddr);
18927 + pax_open_kernel();
18928 if (pte_val(pteval))
18929 set_pte_at(&init_mm, vaddr, pte, pteval);
18931 pte_clear(&init_mm, vaddr, pte);
18932 + pax_close_kernel();
18935 * It's enough to flush this one mapping.
18936 diff -urNp linux-2.6.37/arch/x86/mm/pgtable.c linux-2.6.37/arch/x86/mm/pgtable.c
18937 --- linux-2.6.37/arch/x86/mm/pgtable.c 2011-01-04 19:50:19.000000000 -0500
18938 +++ linux-2.6.37/arch/x86/mm/pgtable.c 2011-01-17 02:41:01.000000000 -0500
18939 @@ -84,9 +84,58 @@ static inline void pgd_list_del(pgd_t *p
18940 list_del(&page->lru);
18943 -#define UNSHARED_PTRS_PER_PGD \
18944 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
18945 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18946 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
18948 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
18951 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
18955 +#ifdef CONFIG_PAX_PER_CPU_PGD
18956 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
18960 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18961 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
18969 +#ifdef CONFIG_PAX_PER_CPU_PGD
18970 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
18971 +static inline void pgd_dtor(pgd_t *pgd) {}
18972 +#ifdef CONFIG_X86_64
18973 +#define pxd_t pud_t
18974 +#define pyd_t pgd_t
18975 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
18976 +#define pxd_free(mm, pud) pud_free((mm), (pud))
18977 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
18978 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
18979 +#define PYD_SIZE PGDIR_SIZE
18981 +#define pxd_t pmd_t
18982 +#define pyd_t pud_t
18983 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
18984 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
18985 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
18986 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
18987 +#define PYD_SIZE PUD_SIZE
18990 +#define pxd_t pmd_t
18991 +#define pyd_t pud_t
18992 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
18993 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
18994 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
18995 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
18996 +#define PYD_SIZE PUD_SIZE
18998 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
19000 @@ -130,6 +179,7 @@ static void pgd_dtor(pgd_t *pgd)
19002 spin_unlock_irqrestore(&pgd_lock, flags);
19007 * List of all pgd's needed for non-PAE so it can invalidate entries
19008 @@ -142,7 +192,7 @@ static void pgd_dtor(pgd_t *pgd)
19012 -#ifdef CONFIG_X86_PAE
19013 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19015 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19016 * updating the top-level pagetable entries to guarantee the
19017 @@ -154,7 +204,7 @@ static void pgd_dtor(pgd_t *pgd)
19018 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19019 * and initialize the kernel pmds here.
19021 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19022 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19024 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19026 @@ -173,36 +223,38 @@ void pud_populate(struct mm_struct *mm,
19027 if (mm == current->active_mm)
19028 write_cr3(read_cr3());
19030 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19031 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19032 #else /* !CONFIG_X86_PAE */
19034 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19035 -#define PREALLOCATED_PMDS 0
19036 +#define PREALLOCATED_PXDS 0
19038 #endif /* CONFIG_X86_PAE */
19040 -static void free_pmds(pmd_t *pmds[])
19041 +static void free_pxds(pxd_t *pxds[])
19045 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19047 - free_page((unsigned long)pmds[i]);
19048 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19050 + free_page((unsigned long)pxds[i]);
19053 -static int preallocate_pmds(pmd_t *pmds[])
19054 +static int preallocate_pxds(pxd_t *pxds[])
19057 bool failed = false;
19059 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19060 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19062 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19063 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19076 @@ -215,51 +267,56 @@ static int preallocate_pmds(pmd_t *pmds[
19077 * preallocate which never got a corresponding vma will need to be
19080 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19081 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19085 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19086 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19087 pgd_t pgd = pgdp[i];
19089 if (pgd_val(pgd) != 0) {
19090 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19091 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19093 - pgdp[i] = native_make_pgd(0);
19094 + set_pgd(pgdp + i, native_make_pgd(0));
19096 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19097 - pmd_free(mm, pmd);
19098 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19099 + pxd_free(mm, pxd);
19104 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19105 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19109 unsigned long addr;
19112 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19113 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19116 - pud = pud_offset(pgd, 0);
19117 +#ifdef CONFIG_X86_64
19118 + pyd = pyd_offset(mm, 0L);
19120 + pyd = pyd_offset(pgd, 0L);
19123 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19124 - i++, pud++, addr += PUD_SIZE) {
19125 - pmd_t *pmd = pmds[i];
19126 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19127 + i++, pyd++, addr += PYD_SIZE) {
19128 + pxd_t *pxd = pxds[i];
19130 if (i >= KERNEL_PGD_BOUNDARY)
19131 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19132 - sizeof(pmd_t) * PTRS_PER_PMD);
19133 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19134 + sizeof(pxd_t) * PTRS_PER_PMD);
19136 - pud_populate(mm, pud, pmd);
19137 + pyd_populate(mm, pyd, pxd);
19141 pgd_t *pgd_alloc(struct mm_struct *mm)
19144 - pmd_t *pmds[PREALLOCATED_PMDS];
19145 + pxd_t *pxds[PREALLOCATED_PXDS];
19147 unsigned long flags;
19149 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
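Review bot: In pgd_prepopulate_pxd() the copy size is `sizeof(pxd_t) * PTRS_PER_PMD`, but the `pxd_t` macros added earlier map it to `pud_t` on x86_64. The element count is then borrowed from the wrong level and is right only if the PMD and PUD entry counts happen to match. Add a `PTRS_PER_PXD` alias next to the other pxd/pyd macros and use `sizeof(pxd_t) * PTRS_PER_PXD` here. The nearby comment that still says "pre-populating the pmds" could be updated to match the renamed helpers.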
19150 @@ -269,11 +326,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19154 - if (preallocate_pmds(pmds) != 0)
19155 + if (preallocate_pxds(pxds) != 0)
19158 if (paravirt_pgd_alloc(mm) != 0)
19159 - goto out_free_pmds;
19160 + goto out_free_pxds;
19163 * Make sure that pre-populating the pmds is atomic with
19164 @@ -283,14 +340,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19165 spin_lock_irqsave(&pgd_lock, flags);
19168 - pgd_prepopulate_pmd(mm, pgd, pmds);
19169 + pgd_prepopulate_pxd(mm, pgd, pxds);
19171 spin_unlock_irqrestore(&pgd_lock, flags);
19180 free_page((unsigned long)pgd);
19182 @@ -299,7 +356,7 @@ out:
19184 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19186 - pgd_mop_up_pmds(mm, pgd);
19187 + pgd_mop_up_pxds(mm, pgd);
19189 paravirt_pgd_free(mm, pgd);
19190 free_page((unsigned long)pgd);
19191 diff -urNp linux-2.6.37/arch/x86/mm/setup_nx.c linux-2.6.37/arch/x86/mm/setup_nx.c
19192 --- linux-2.6.37/arch/x86/mm/setup_nx.c 2011-01-04 19:50:19.000000000 -0500
19193 +++ linux-2.6.37/arch/x86/mm/setup_nx.c 2011-01-17 02:41:01.000000000 -0500
19195 #include <asm/pgtable.h>
19196 #include <asm/proto.h>
19198 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19199 static int disable_nx __cpuinitdata;
19201 +#ifndef CONFIG_PAX_PAGEEXEC
19205 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19208 early_param("noexec", noexec_setup);
19213 void __cpuinit x86_configure_nx(void)
19215 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19216 if (cpu_has_nx && !disable_nx)
19217 __supported_pte_mask |= _PAGE_NX;
19220 __supported_pte_mask &= ~_PAGE_NX;
19223 diff -urNp linux-2.6.37/arch/x86/mm/tlb.c linux-2.6.37/arch/x86/mm/tlb.c
19224 --- linux-2.6.37/arch/x86/mm/tlb.c 2011-01-04 19:50:19.000000000 -0500
19225 +++ linux-2.6.37/arch/x86/mm/tlb.c 2011-01-17 02:41:01.000000000 -0500
19227 #include <asm/uv/uv.h>
19229 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19230 - = { &init_mm, 0, };
19231 + = { &init_mm, 0 };
19234 * Smarter SMP flushing macros.
19235 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
19237 cpumask_clear_cpu(cpu,
19238 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19240 +#ifndef CONFIG_PAX_PER_CPU_PGD
19241 load_cr3(swapper_pg_dir);
19245 EXPORT_SYMBOL_GPL(leave_mm);
19247 diff -urNp linux-2.6.37/arch/x86/oprofile/backtrace.c linux-2.6.37/arch/x86/oprofile/backtrace.c
19248 --- linux-2.6.37/arch/x86/oprofile/backtrace.c 2011-01-04 19:50:19.000000000 -0500
19249 +++ linux-2.6.37/arch/x86/oprofile/backtrace.c 2011-01-17 02:41:01.000000000 -0500
19250 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
19251 struct stack_frame_ia32 *fp;
19253 /* Also check accessibility of one struct frame_head beyond */
19254 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19255 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19257 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
19259 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
19261 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
19263 - if (!user_mode_vm(regs)) {
19264 + if (!user_mode(regs)) {
19265 unsigned long stack = kernel_stack_pointer(regs);
19267 dump_trace(NULL, regs, (unsigned long *)stack, 0,
19268 diff -urNp linux-2.6.37/arch/x86/oprofile/op_model_p4.c linux-2.6.37/arch/x86/oprofile/op_model_p4.c
19269 --- linux-2.6.37/arch/x86/oprofile/op_model_p4.c 2011-01-04 19:50:19.000000000 -0500
19270 +++ linux-2.6.37/arch/x86/oprofile/op_model_p4.c 2011-01-17 02:41:01.000000000 -0500
19271 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
19275 -static int inline addr_increment(void)
19276 +static inline int addr_increment(void)
19279 return smp_num_siblings == 2 ? 2 : 1;
19280 diff -urNp linux-2.6.37/arch/x86/pci/common.c linux-2.6.37/arch/x86/pci/common.c
19281 --- linux-2.6.37/arch/x86/pci/common.c 2011-01-04 19:50:19.000000000 -0500
19282 +++ linux-2.6.37/arch/x86/pci/common.c 2011-01-17 02:41:01.000000000 -0500
19283 @@ -32,8 +32,8 @@ int noioapicreroute = 1;
19284 int pcibios_last_bus = -1;
19285 unsigned long pirq_table_addr;
19286 struct pci_bus *pci_root_bus;
19287 -struct pci_raw_ops *raw_pci_ops;
19288 -struct pci_raw_ops *raw_pci_ext_ops;
19289 +const struct pci_raw_ops *raw_pci_ops;
19290 +const struct pci_raw_ops *raw_pci_ext_ops;
19292 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19293 int reg, int len, u32 *val)
19294 @@ -382,7 +382,7 @@ static const struct dmi_system_id __devi
19295 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19299 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19302 void __init dmi_check_pciprobe(void)
19303 diff -urNp linux-2.6.37/arch/x86/pci/direct.c linux-2.6.37/arch/x86/pci/direct.c
19304 --- linux-2.6.37/arch/x86/pci/direct.c 2011-01-04 19:50:19.000000000 -0500
19305 +++ linux-2.6.37/arch/x86/pci/direct.c 2011-01-17 02:41:01.000000000 -0500
19306 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
19308 #undef PCI_CONF1_ADDRESS
19310 -struct pci_raw_ops pci_direct_conf1 = {
19311 +const struct pci_raw_ops pci_direct_conf1 = {
19312 .read = pci_conf1_read,
19313 .write = pci_conf1_write,
19315 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
19317 #undef PCI_CONF2_ADDRESS
19319 -struct pci_raw_ops pci_direct_conf2 = {
19320 +const struct pci_raw_ops pci_direct_conf2 = {
19321 .read = pci_conf2_read,
19322 .write = pci_conf2_write,
19324 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19325 * This should be close to trivial, but it isn't, because there are buggy
19326 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19328 -static int __init pci_sanity_check(struct pci_raw_ops *o)
19329 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
19333 diff -urNp linux-2.6.37/arch/x86/pci/fixup.c linux-2.6.37/arch/x86/pci/fixup.c
19334 --- linux-2.6.37/arch/x86/pci/fixup.c 2011-01-04 19:50:19.000000000 -0500
19335 +++ linux-2.6.37/arch/x86/pci/fixup.c 2011-01-17 02:41:01.000000000 -0500
19336 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19337 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19341 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19345 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19346 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19350 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19353 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
19354 diff -urNp linux-2.6.37/arch/x86/pci/irq.c linux-2.6.37/arch/x86/pci/irq.c
19355 --- linux-2.6.37/arch/x86/pci/irq.c 2011-01-04 19:50:19.000000000 -0500
19356 +++ linux-2.6.37/arch/x86/pci/irq.c 2011-01-17 02:41:01.000000000 -0500
19357 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
19358 static struct pci_device_id __initdata pirq_440gx[] = {
19359 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19360 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19362 + { PCI_DEVICE(0, 0) }
19365 /* 440GX has a proprietary PIRQ router -- don't use it */
19366 @@ -1114,7 +1114,7 @@ static struct dmi_system_id __initdata p
19367 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19371 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19374 void __init pcibios_irq_init(void)
19375 diff -urNp linux-2.6.37/arch/x86/pci/mmconfig_32.c linux-2.6.37/arch/x86/pci/mmconfig_32.c
19376 --- linux-2.6.37/arch/x86/pci/mmconfig_32.c 2011-01-04 19:50:19.000000000 -0500
19377 +++ linux-2.6.37/arch/x86/pci/mmconfig_32.c 2011-01-17 02:41:01.000000000 -0500
19378 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
19382 -static struct pci_raw_ops pci_mmcfg = {
19383 +static const struct pci_raw_ops pci_mmcfg = {
19384 .read = pci_mmcfg_read,
19385 .write = pci_mmcfg_write,
19387 diff -urNp linux-2.6.37/arch/x86/pci/mmconfig_64.c linux-2.6.37/arch/x86/pci/mmconfig_64.c
19388 --- linux-2.6.37/arch/x86/pci/mmconfig_64.c 2011-01-04 19:50:19.000000000 -0500
19389 +++ linux-2.6.37/arch/x86/pci/mmconfig_64.c 2011-01-17 02:41:01.000000000 -0500
19390 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
19394 -static struct pci_raw_ops pci_mmcfg = {
19395 +static const struct pci_raw_ops pci_mmcfg = {
19396 .read = pci_mmcfg_read,
19397 .write = pci_mmcfg_write,
19399 diff -urNp linux-2.6.37/arch/x86/pci/numaq_32.c linux-2.6.37/arch/x86/pci/numaq_32.c
19400 --- linux-2.6.37/arch/x86/pci/numaq_32.c 2011-01-04 19:50:19.000000000 -0500
19401 +++ linux-2.6.37/arch/x86/pci/numaq_32.c 2011-01-17 02:41:01.000000000 -0500
19402 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
19404 #undef PCI_CONF1_MQ_ADDRESS
19406 -static struct pci_raw_ops pci_direct_conf1_mq = {
19407 +static const struct pci_raw_ops pci_direct_conf1_mq = {
19408 .read = pci_conf1_mq_read,
19409 .write = pci_conf1_mq_write
19411 diff -urNp linux-2.6.37/arch/x86/pci/olpc.c linux-2.6.37/arch/x86/pci/olpc.c
19412 --- linux-2.6.37/arch/x86/pci/olpc.c 2011-01-04 19:50:19.000000000 -0500
19413 +++ linux-2.6.37/arch/x86/pci/olpc.c 2011-01-17 02:41:01.000000000 -0500
19414 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19418 -static struct pci_raw_ops pci_olpc_conf = {
19419 +static const struct pci_raw_ops pci_olpc_conf = {
19420 .read = pci_olpc_read,
19421 .write = pci_olpc_write,
19423 diff -urNp linux-2.6.37/arch/x86/pci/pcbios.c linux-2.6.37/arch/x86/pci/pcbios.c
19424 --- linux-2.6.37/arch/x86/pci/pcbios.c 2011-01-04 19:50:19.000000000 -0500
19425 +++ linux-2.6.37/arch/x86/pci/pcbios.c 2011-01-17 02:41:01.000000000 -0500
19426 @@ -57,50 +57,93 @@ union bios32 {
19428 unsigned long address;
19429 unsigned short segment;
19430 -} bios32_indirect = { 0, __KERNEL_CS };
19431 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19434 * Returns the entry point for the given service, NULL on error
19437 -static unsigned long bios32_service(unsigned long service)
19438 +static unsigned long __devinit bios32_service(unsigned long service)
19440 unsigned char return_code; /* %al */
19441 unsigned long address; /* %ebx */
19442 unsigned long length; /* %ecx */
19443 unsigned long entry; /* %edx */
19444 unsigned long flags;
19445 + struct desc_struct d, *gdt;
19447 local_irq_save(flags);
19448 - __asm__("lcall *(%%edi); cld"
19450 + gdt = get_cpu_gdt_table(smp_processor_id());
19452 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19453 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19454 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19455 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19457 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19458 : "=a" (return_code),
19464 - "D" (&bios32_indirect));
19465 + "D" (&bios32_indirect),
19466 + "r"(__PCIBIOS_DS)
19469 + pax_open_kernel();
19470 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19471 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19472 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19473 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
19474 + pax_close_kernel();
19476 local_irq_restore(flags);
19478 switch (return_code) {
19480 - return address + entry;
19481 - case 0x80: /* Not present */
19482 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19484 - default: /* Shouldn't happen */
19485 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19486 - service, return_code);
19489 + unsigned char flags;
19491 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19492 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19493 + printk(KERN_WARNING "bios32_service: not valid\n");
19496 + address = address + PAGE_OFFSET;
19497 + length += 16UL; /* some BIOSs underreport this... */
19499 + if (length >= 64*1024*1024) {
19500 + length >>= PAGE_SHIFT;
19504 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19505 + gdt = get_cpu_gdt_table(cpu);
19506 + pack_descriptor(&d, address, length, 0x9b, flags);
19507 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19508 + pack_descriptor(&d, address, length, 0x93, flags);
19509 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19513 + case 0x80: /* Not present */
19514 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19516 + default: /* Shouldn't happen */
19517 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19518 + service, return_code);
19524 unsigned long address;
19525 unsigned short segment;
19526 -} pci_indirect = { 0, __KERNEL_CS };
19527 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19529 -static int pci_bios_present;
19530 +static int pci_bios_present __read_only;
19532 static int __devinit check_pcibios(void)
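Review bot: The `unsigned char flags;` added inside the success case of the `switch` shadows the function-level `unsigned long flags` that carries the saved interrupt state for `local_irq_save()`/`local_irq_restore()`. It is harmless as written because the restore runs before the switch, but a later edit that moves code across that boundary would silently use the wrong variable. Naming it `unsigned char desc_flags;` and passing `desc_flags` to both `pack_descriptor()` calls in the per-CPU loop avoids that. Separately, the `if (length >= 64*1024*1024)` branch looks unreachable, since the validation just above rejects any `length > 0x100000 - address` and only 16 is added afterwards. Part of this case body is not visible here, so confirm before removing it.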
19534 @@ -109,11 +152,13 @@ static int __devinit check_pcibios(void)
19535 unsigned long flags, pcibios_entry;
19537 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
19538 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
19539 + pci_indirect.address = pcibios_entry;
19541 local_irq_save(flags);
19543 - "lcall *(%%edi); cld\n\t"
19544 + __asm__("movw %w6, %%ds\n\t"
19545 + "lcall *%%ss:(%%edi); cld\n\t"
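Review bot: The store `pci_indirect.address = pcibios_entry;` now writes to an object that the previous hunk marks `__read_only`, and no `pax_open_kernel()`/`pax_close_kernel()` pair surrounds it the way one surrounds the GDT clears in `bios32_service()`. If `check_pcibios()` can ever run after read-only data has been write-protected, this store would fault. Presumably it only runs during early init while the section is still writable; if so, a comment such as `/* init-time only: pci_indirect is still writable here */` above the assignment would record that assumption. The body of `check_pcibios()` continues outside this hunk.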
19551 @@ -122,7 +167,8 @@ static int __devinit check_pcibios(void)
19554 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
19555 - "D" (&pci_indirect)
19556 + "D" (&pci_indirect),
19557 + "r" (__PCIBIOS_DS)
19559 local_irq_restore(flags);
19561 @@ -166,7 +212,10 @@ static int pci_bios_read(unsigned int se
19565 - __asm__("lcall *(%%esi); cld\n\t"
19566 + __asm__("movw %w6, %%ds\n\t"
19567 + "lcall *%%ss:(%%esi); cld\n\t"
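Review bot: The `%w6` in `"movw %w6, %%ds\n\t"` is a positional reference to the `"r" (__PCIBIOS_DS)` input that is only appended in the following hunk, so the template and the operand list must be kept in step by counting. A named operand removes that coupling: `"movw %w[ds], %%ds\n\t"` in the template and `[ds] "r" (__PCIBIOS_DS)` in the input list. The same pattern recurs in the other `pci_bios_read()` and `pci_bios_write()` asm statements, in `check_pcibios()`, and as `%w8` in `pcibios_get_irq_routing()` and `%w5` in `pcibios_set_irq_routing()`, where the differing indices show how easy it is to get wrong. The asm statements start and end outside these hunks, so the full operand lists are not visible here.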
19573 @@ -175,7 +224,8 @@ static int pci_bios_read(unsigned int se
19574 : "1" (PCIBIOS_READ_CONFIG_BYTE),
19577 - "S" (&pci_indirect));
19578 + "S" (&pci_indirect),
19579 + "r" (__PCIBIOS_DS));
19581 * Zero-extend the result beyond 8 bits, do not trust the
19582 * BIOS having done it:
19583 @@ -183,7 +233,10 @@ static int pci_bios_read(unsigned int se
19587 - __asm__("lcall *(%%esi); cld\n\t"
19588 + __asm__("movw %w6, %%ds\n\t"
19589 + "lcall *%%ss:(%%esi); cld\n\t"
19595 @@ -192,7 +245,8 @@ static int pci_bios_read(unsigned int se
19596 : "1" (PCIBIOS_READ_CONFIG_WORD),
19599 - "S" (&pci_indirect));
19600 + "S" (&pci_indirect),
19601 + "r" (__PCIBIOS_DS));
19603 * Zero-extend the result beyond 16 bits, do not trust the
19604 * BIOS having done it:
19605 @@ -200,7 +254,10 @@ static int pci_bios_read(unsigned int se
19609 - __asm__("lcall *(%%esi); cld\n\t"
19610 + __asm__("movw %w6, %%ds\n\t"
19611 + "lcall *%%ss:(%%esi); cld\n\t"
19617 @@ -209,7 +266,8 @@ static int pci_bios_read(unsigned int se
19618 : "1" (PCIBIOS_READ_CONFIG_DWORD),
19621 - "S" (&pci_indirect));
19622 + "S" (&pci_indirect),
19623 + "r" (__PCIBIOS_DS));
19627 @@ -232,7 +290,10 @@ static int pci_bios_write(unsigned int s
19631 - __asm__("lcall *(%%esi); cld\n\t"
19632 + __asm__("movw %w6, %%ds\n\t"
19633 + "lcall *%%ss:(%%esi); cld\n\t"
19639 @@ -241,10 +302,14 @@ static int pci_bios_write(unsigned int s
19643 - "S" (&pci_indirect));
19644 + "S" (&pci_indirect),
19645 + "r" (__PCIBIOS_DS));
19648 - __asm__("lcall *(%%esi); cld\n\t"
19649 + __asm__("movw %w6, %%ds\n\t"
19650 + "lcall *%%ss:(%%esi); cld\n\t"
19656 @@ -253,10 +318,14 @@ static int pci_bios_write(unsigned int s
19660 - "S" (&pci_indirect));
19661 + "S" (&pci_indirect),
19662 + "r" (__PCIBIOS_DS));
19665 - __asm__("lcall *(%%esi); cld\n\t"
19666 + __asm__("movw %w6, %%ds\n\t"
19667 + "lcall *%%ss:(%%esi); cld\n\t"
19673 @@ -265,7 +334,8 @@ static int pci_bios_write(unsigned int s
19677 - "S" (&pci_indirect));
19678 + "S" (&pci_indirect),
19679 + "r" (__PCIBIOS_DS));
19683 @@ -279,7 +349,7 @@ static int pci_bios_write(unsigned int s
19684 * Function table for BIOS32 access
19687 -static struct pci_raw_ops pci_bios_access = {
19688 +static const struct pci_raw_ops pci_bios_access = {
19689 .read = pci_bios_read,
19690 .write = pci_bios_write
19692 @@ -288,7 +358,7 @@ static struct pci_raw_ops pci_bios_acces
19693 * Try to find PCI BIOS.
19696 -static struct pci_raw_ops * __devinit pci_find_bios(void)
19697 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
19699 union bios32 *check;
19701 @@ -369,10 +439,13 @@ struct irq_routing_table * pcibios_get_i
19703 DBG("PCI: Fetching IRQ routing table... ");
19704 __asm__("push %%es\n\t"
19705 + "movw %w8, %%ds\n\t"
19708 - "lcall *(%%esi); cld\n\t"
19709 + "lcall *%%ss:(%%esi); cld\n\t"
19716 @@ -383,7 +456,8 @@ struct irq_routing_table * pcibios_get_i
19719 "S" (&pci_indirect),
19722 + "r" (__PCIBIOS_DS)
19724 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
19726 @@ -407,7 +481,10 @@ int pcibios_set_irq_routing(struct pci_d
19730 - __asm__("lcall *(%%esi); cld\n\t"
19731 + __asm__("movw %w5, %%ds\n\t"
19732 + "lcall *%%ss:(%%esi); cld\n\t"
19738 @@ -415,7 +492,8 @@ int pcibios_set_irq_routing(struct pci_d
19739 : "0" (PCIBIOS_SET_PCI_HW_INT),
19740 "b" ((dev->bus->number << 8) | dev->devfn),
19741 "c" ((irq << 8) | (pin + 10)),
19742 - "S" (&pci_indirect));
19743 + "S" (&pci_indirect),
19744 + "r" (__PCIBIOS_DS));
19745 return !(ret & 0xff00);
19747 EXPORT_SYMBOL(pcibios_set_irq_routing);
19748 diff -urNp linux-2.6.37/arch/x86/platform/efi/efi_32.c linux-2.6.37/arch/x86/platform/efi/efi_32.c
19749 --- linux-2.6.37/arch/x86/platform/efi/efi_32.c 2011-01-04 19:50:19.000000000 -0500
19750 +++ linux-2.6.37/arch/x86/platform/efi/efi_32.c 2011-01-17 02:41:01.000000000 -0500
19751 @@ -38,70 +38,37 @@
19754 static unsigned long efi_rt_eflags;
19755 -static pgd_t efi_bak_pg_dir_pointer[2];
19756 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
19758 -void efi_call_phys_prelog(void)
19759 +void __init efi_call_phys_prelog(void)
19761 - unsigned long cr4;
19762 - unsigned long temp;
19763 struct desc_ptr gdt_descr;
19765 local_irq_save(efi_rt_eflags);
19768 - * If I don't have PAE, I should just duplicate two entries in page
19769 - * directory. If I have PAE, I just need to duplicate one entry in
19770 - * page directory.
19772 - cr4 = read_cr4_safe();
19774 - if (cr4 & X86_CR4_PAE) {
19775 - efi_bak_pg_dir_pointer[0].pgd =
19776 - swapper_pg_dir[pgd_index(0)].pgd;
19777 - swapper_pg_dir[0].pgd =
19778 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
19780 - efi_bak_pg_dir_pointer[0].pgd =
19781 - swapper_pg_dir[pgd_index(0)].pgd;
19782 - efi_bak_pg_dir_pointer[1].pgd =
19783 - swapper_pg_dir[pgd_index(0x400000)].pgd;
19784 - swapper_pg_dir[pgd_index(0)].pgd =
19785 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
19786 - temp = PAGE_OFFSET + 0x400000;
19787 - swapper_pg_dir[pgd_index(0x400000)].pgd =
19788 - swapper_pg_dir[pgd_index(temp)].pgd;
19790 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
19791 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
19792 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
19795 * After the lock is released, the original page table is restored.
19799 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
19800 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
19801 gdt_descr.size = GDT_SIZE - 1;
19802 load_gdt(&gdt_descr);
19805 -void efi_call_phys_epilog(void)
19806 +void __init efi_call_phys_epilog(void)
19808 - unsigned long cr4;
19809 struct desc_ptr gdt_descr;
19811 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
19812 + gdt_descr.address = get_cpu_gdt_table(0);
19813 gdt_descr.size = GDT_SIZE - 1;
19814 load_gdt(&gdt_descr);
19816 - cr4 = read_cr4_safe();
19818 - if (cr4 & X86_CR4_PAE) {
19819 - swapper_pg_dir[pgd_index(0)].pgd =
19820 - efi_bak_pg_dir_pointer[0].pgd;
19822 - swapper_pg_dir[pgd_index(0)].pgd =
19823 - efi_bak_pg_dir_pointer[0].pgd;
19824 - swapper_pg_dir[pgd_index(0x400000)].pgd =
19825 - efi_bak_pg_dir_pointer[1].pgd;
19827 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
19830 * After the lock is released, the original page table is restored.
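Review bot: The comment that explained the page-directory duplication in `efi_call_phys_prelog()` is removed together with the PAE/non-PAE branches, and the two `clone_pgd_range()` calls that replace it carry no explanation. I would add `/* save the low pgd entries, then alias the entries from KERNEL_PGD_BOUNDARY at index 0 for the physical-mode call */` above them, and `/* restore the low pgd entries saved in prelog */` above the single call in `efi_call_phys_epilog()`. The assignment `gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));` also deserves a short comment, because it stores a physical address in a pointer-typed field that must not be dereferenced as a kernel pointer. The tail of `efi_call_phys_epilog()` lies outside this hunk.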
19831 diff -urNp linux-2.6.37/arch/x86/platform/efi/efi_stub_32.S linux-2.6.37/arch/x86/platform/efi/efi_stub_32.S
19832 --- linux-2.6.37/arch/x86/platform/efi/efi_stub_32.S 2011-01-04 19:50:19.000000000 -0500
19833 +++ linux-2.6.37/arch/x86/platform/efi/efi_stub_32.S 2011-01-17 02:41:01.000000000 -0500
19837 #include <linux/linkage.h>
19838 +#include <linux/init.h>
19839 #include <asm/page_types.h>
19843 * service functions will comply with gcc calling convention, too.
19848 ENTRY(efi_call_phys)
19850 * 0. The function can only be called in Linux kernel. So CS has been
19851 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
19852 * The mapping of lower virtual memory has been created in prelog and
19856 - subl $__PAGE_OFFSET, %edx
19858 + jmp 1f-__PAGE_OFFSET
19862 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
19863 * parameter 2, ..., param n. To make things easy, we save the return
19864 * address of efi_call_phys in a global variable.
19867 - movl %edx, saved_return_addr
19868 - /* get the function pointer into ECX*/
19870 - movl %ecx, efi_rt_function_ptr
19872 - subl $__PAGE_OFFSET, %edx
19874 + popl (saved_return_addr)
19875 + popl (efi_rt_function_ptr)
19878 * 3. Clear PG bit in %CR0.
19879 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
19881 * 5. Call the physical function.
19884 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
19888 * 6. After EFI runtime service returns, control will return to
19889 * following instruction. We'd better readjust stack pointer first.
19890 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
19892 orl $0x80000000, %edx
19898 * 8. Now restore the virtual mode from flat mode by
19899 * adding EIP with PAGE_OFFSET.
19903 + jmp 1f+__PAGE_OFFSET
19907 * 9. Balance the stack. And because EAX contain the return value,
19908 * we'd better not clobber it.
19910 - leal efi_rt_function_ptr, %edx
19911 - movl (%edx), %ecx
19913 + pushl (efi_rt_function_ptr)
19916 - * 10. Push the saved return address onto the stack and return.
19917 + * 10. Return to the saved return address.
19919 - leal saved_return_addr, %edx
19920 - movl (%edx), %ecx
19923 + jmpl *(saved_return_addr)
19924 ENDPROC(efi_call_phys)
19931 efi_rt_function_ptr:
19932 diff -urNp linux-2.6.37/arch/x86/power/cpu.c linux-2.6.37/arch/x86/power/cpu.c
19933 --- linux-2.6.37/arch/x86/power/cpu.c 2011-01-04 19:50:19.000000000 -0500
19934 +++ linux-2.6.37/arch/x86/power/cpu.c 2011-01-17 02:41:01.000000000 -0500
19935 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
19936 static void fix_processor_context(void)
19938 int cpu = smp_processor_id();
19939 - struct tss_struct *t = &per_cpu(init_tss, cpu);
19940 + struct tss_struct *t = init_tss + cpu;
19942 set_tss_desc(cpu, t); /*
19943 * This just modifies memory; should not be
19944 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
19947 #ifdef CONFIG_X86_64
19948 + pax_open_kernel();
19949 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
19950 + pax_close_kernel();
19952 syscall_init(); /* This sets MSR_*STAR and related */
19954 diff -urNp linux-2.6.37/arch/x86/vdso/Makefile linux-2.6.37/arch/x86/vdso/Makefile
19955 --- linux-2.6.37/arch/x86/vdso/Makefile 2011-01-04 19:50:19.000000000 -0500
19956 +++ linux-2.6.37/arch/x86/vdso/Makefile 2011-01-17 02:41:01.000000000 -0500
19957 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
19958 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
19959 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
19961 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
19962 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
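Review bot: `--no-undefined` is added to `VDSO_LDFLAGS` as a bare option, while every other linker option visible in this hunk is passed in `-Wl,` form (`-Wl,-T,...` and `-Wl$(comma)--hash-style=sysv`), which suggests these flags go through the compiler driver rather than straight to the linker. Whether the driver forwards an unprefixed `--no-undefined` should be confirmed. Writing it as `-Wl,--no-undefined` is consistent with the neighbouring options and does not depend on that: `VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)`.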
19966 diff -urNp linux-2.6.37/arch/x86/vdso/vclock_gettime.c linux-2.6.37/arch/x86/vdso/vclock_gettime.c
19967 --- linux-2.6.37/arch/x86/vdso/vclock_gettime.c 2011-01-04 19:50:19.000000000 -0500
19968 +++ linux-2.6.37/arch/x86/vdso/vclock_gettime.c 2011-01-17 02:41:01.000000000 -0500
19969 @@ -22,24 +22,48 @@
19970 #include <asm/hpet.h>
19971 #include <asm/unistd.h>
19972 #include <asm/io.h>
19973 +#include <asm/fixmap.h>
19974 #include "vextern.h"
19976 #define gtod vdso_vsyscall_gtod_data
19978 +notrace noinline long __vdso_fallback_time(long *t)
19981 + asm volatile("syscall"
19983 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
19987 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
19990 asm("syscall" : "=a" (ret) :
19991 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
19992 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
19996 +notrace static inline cycle_t __vdso_vread_hpet(void)
19998 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
20001 +notrace static inline cycle_t __vdso_vread_tsc(void)
20003 + cycle_t ret = (cycle_t)vget_cycles();
20005 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
20008 notrace static inline long vgetns(void)
20011 - cycles_t (*vread)(void);
20012 - vread = gtod->clock.vread;
20013 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
20014 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
20015 + v = __vdso_vread_tsc();
20017 + v = __vdso_vread_hpet();
20018 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
20019 return (v * gtod->clock.mult) >> gtod->clock.shift;
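Review bot: The character-by-character test of `gtod->clock.name` in `vgetns()` is repeated, together with a matching "hpet" test, in the conditions added to `__vdso_clock_gettime()` and `__vdso_gettimeofday()` in the later hunks of this file. Three hand-written copies of the clock-name comparison can drift apart, and `vgetns()` treats every name other than "tsc" as HPET, so its safety depends on the callers' guards staying exactly in sync. Two small `notrace static inline` predicates would keep the comparison in one place; each caller then tests `gtod->sysctl_enabled && (vdso_clock_is_hpet() || vdso_clock_is_tsc())`. The helper names below are suggestions only.

```c
notrace static inline int vdso_clock_is_tsc(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 't' && name[1] == 's' && name[2] == 'c' && !name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 'h' && name[1] == 'p' && name[2] == 'e' &&
	       name[3] == 't' && !name[4];
}

notrace static inline long vgetns(void)
{
	/* ... unchanged: declaration of v ... */
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* ... unchanged: mask, mult and shift ... */
```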
20022 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
20024 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
20026 - if (likely(gtod->sysctl_enabled))
20027 + if (likely(gtod->sysctl_enabled &&
20028 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20029 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20031 case CLOCK_REALTIME:
20032 if (likely(gtod->clock.vread))
20033 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
20034 int clock_gettime(clockid_t, struct timespec *)
20035 __attribute__((weak, alias("__vdso_clock_gettime")));
20037 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20038 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20041 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20042 + asm("syscall" : "=a" (ret) :
20043 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20047 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20049 + if (likely(gtod->sysctl_enabled &&
20050 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20051 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20053 if (likely(tv != NULL)) {
20054 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20055 offsetof(struct timespec, tv_nsec) ||
20056 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
20060 - asm("syscall" : "=a" (ret) :
20061 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20063 + return __vdso_fallback_gettimeofday(tv, tz);
20065 int gettimeofday(struct timeval *, struct timezone *)
20066 __attribute__((weak, alias("__vdso_gettimeofday")));
20067 diff -urNp linux-2.6.37/arch/x86/vdso/vdso32-setup.c linux-2.6.37/arch/x86/vdso/vdso32-setup.c
20068 --- linux-2.6.37/arch/x86/vdso/vdso32-setup.c 2011-01-04 19:50:19.000000000 -0500
20069 +++ linux-2.6.37/arch/x86/vdso/vdso32-setup.c 2011-01-17 02:41:01.000000000 -0500
20071 #include <asm/tlbflush.h>
20072 #include <asm/vdso.h>
20073 #include <asm/proto.h>
20074 +#include <asm/mman.h>
20078 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20079 void enable_sep_cpu(void)
20081 int cpu = get_cpu();
20082 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
20083 + struct tss_struct *tss = init_tss + cpu;
20085 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20087 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20088 gate_vma.vm_start = FIXADDR_USER_START;
20089 gate_vma.vm_end = FIXADDR_USER_END;
20090 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20091 - gate_vma.vm_page_prot = __P101;
20092 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20094 * Make sure the vDSO gets into every core dump.
20095 * Dumping its contents makes post-mortem fully interpretable later
20096 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20098 addr = VDSO_HIGH_BASE;
20100 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20101 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20102 if (IS_ERR_VALUE(addr)) {
20108 - current->mm->context.vdso = (void *)addr;
20109 + current->mm->context.vdso = addr;
20111 if (compat_uses_vma || !compat) {
20113 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20116 current_thread_info()->sysenter_return =
20117 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20118 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20122 - current->mm->context.vdso = NULL;
20123 + current->mm->context.vdso = 0;
20125 up_write(&mm->mmap_sem);
20127 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20129 const char *arch_vma_name(struct vm_area_struct *vma)
20131 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20132 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20135 +#ifdef CONFIG_PAX_SEGMEXEC
20136 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20143 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20144 struct mm_struct *mm = tsk->mm;
20146 /* Check to see if this task was created in compat vdso mode */
20147 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20148 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20152 diff -urNp linux-2.6.37/arch/x86/vdso/vdso.lds.S linux-2.6.37/arch/x86/vdso/vdso.lds.S
20153 --- linux-2.6.37/arch/x86/vdso/vdso.lds.S 2011-01-04 19:50:19.000000000 -0500
20154 +++ linux-2.6.37/arch/x86/vdso/vdso.lds.S 2011-01-17 02:41:01.000000000 -0500
20155 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20156 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20157 #include "vextern.h"
20160 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20161 +VEXTERN(fallback_gettimeofday)
20162 +VEXTERN(fallback_time)
20165 diff -urNp linux-2.6.37/arch/x86/vdso/vextern.h linux-2.6.37/arch/x86/vdso/vextern.h
20166 --- linux-2.6.37/arch/x86/vdso/vextern.h 2011-01-04 19:50:19.000000000 -0500
20167 +++ linux-2.6.37/arch/x86/vdso/vextern.h 2011-01-17 02:41:01.000000000 -0500
20169 put into vextern.h and be referenced as a pointer with vdso prefix.
20170 The main kernel later fills in the values. */
20173 VEXTERN(vgetcpu_mode)
20174 VEXTERN(vsyscall_gtod_data)
20175 diff -urNp linux-2.6.37/arch/x86/vdso/vma.c linux-2.6.37/arch/x86/vdso/vma.c
20176 --- linux-2.6.37/arch/x86/vdso/vma.c 2011-01-04 19:50:19.000000000 -0500
20177 +++ linux-2.6.37/arch/x86/vdso/vma.c 2011-01-17 02:41:01.000000000 -0500
20178 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20182 - if (memcmp(vbase, "\177ELF", 4)) {
20183 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20184 printk("VDSO: I'm broken; not ELF\n");
20187 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
20191 - current->mm->context.vdso = (void *)addr;
20192 + current->mm->context.vdso = addr;
20194 ret = install_special_mapping(mm, addr, vdso_size,
20196 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
20200 - current->mm->context.vdso = NULL;
20201 + current->mm->context.vdso = 0;
20205 @@ -134,10 +134,3 @@ up_fail:
20206 up_write(&mm->mmap_sem);
20210 -static __init int vdso_setup(char *s)
20212 - vdso_enabled = simple_strtoul(s, NULL, 0);
20215 -__setup("vdso=", vdso_setup);
20216 diff -urNp linux-2.6.37/arch/x86/xen/enlighten.c linux-2.6.37/arch/x86/xen/enlighten.c
20217 --- linux-2.6.37/arch/x86/xen/enlighten.c 2011-01-04 19:50:19.000000000 -0500
20218 +++ linux-2.6.37/arch/x86/xen/enlighten.c 2011-01-17 02:41:01.000000000 -0500
20219 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20221 struct shared_info xen_dummy_shared_info;
20223 -void *xen_initial_gdt;
20225 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
20226 __read_mostly int xen_have_vector_callback;
20227 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
20228 @@ -574,7 +572,7 @@ static void xen_write_idt_entry(gate_des
20232 - start = __get_cpu_var(idt_desc).address;
20233 + start = (unsigned long)__get_cpu_var(idt_desc).address;
20234 end = start + __get_cpu_var(idt_desc).size + 1;
20237 @@ -1134,7 +1132,17 @@ asmlinkage void __init xen_start_kernel(
20238 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20240 /* Work out if we support NX */
20241 - x86_configure_nx();
20242 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20243 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20244 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20247 + __supported_pte_mask |= _PAGE_NX;
20248 + rdmsr(MSR_EFER, l, h);
20250 + wrmsr(MSR_EFER, l, h);
20254 xen_setup_features();
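Review bot: The open-coded NX probe checks only that `cpuid_eax(0x80000000)` has the `0x8000xxxx` signature before it reads `cpuid_edx(0x80000001)`; it never checks that the reported maximum extended leaf is at least `0x80000001`. On a CPU that reports a lower maximum, the second query may return unrelated data, and `_PAGE_NX` could then be added to `__supported_pte_mask` on hardware without NX. Reading the leaf count once and testing it closes that gap: `unsigned int xlvl = cpuid_eax(0x80000000);` followed by `if ((xlvl & 0xffff0000) == 0x80000000 && xlvl >= 0x80000001 && (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {`. Some lines of the added block are not visible here, and `xen_start_kernel()` extends beyond the hunk.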
20256 @@ -1165,13 +1173,6 @@ asmlinkage void __init xen_start_kernel(
20258 machine_ops = xen_machine_ops;
20261 - * The only reliable way to retain the initial address of the
20262 - * percpu gdt_page is to remember it here, so we can go and
20263 - * mark it RW later, when the initial percpu area is freed.
20265 - xen_initial_gdt = &per_cpu(gdt_page, 0);
20269 pgd = (pgd_t *)xen_start_info->pt_base;
20270 diff -urNp linux-2.6.37/arch/x86/xen/mmu.c linux-2.6.37/arch/x86/xen/mmu.c
20271 --- linux-2.6.37/arch/x86/xen/mmu.c 2011-01-04 19:50:19.000000000 -0500
20272 +++ linux-2.6.37/arch/x86/xen/mmu.c 2011-01-17 02:41:01.000000000 -0500
20273 @@ -2084,6 +2084,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20274 convert_pfn_mfn(init_level4_pgt);
20275 convert_pfn_mfn(level3_ident_pgt);
20276 convert_pfn_mfn(level3_kernel_pgt);
20277 + convert_pfn_mfn(level3_vmalloc_pgt);
20278 + convert_pfn_mfn(level3_vmemmap_pgt);
20280 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20281 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20282 @@ -2102,7 +2104,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20283 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20284 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20285 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20286 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20287 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20288 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20289 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20290 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20291 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20293 diff -urNp linux-2.6.37/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.37/arch/x86/xen/pci-swiotlb-xen.c
20294 --- linux-2.6.37/arch/x86/xen/pci-swiotlb-xen.c 2011-01-04 19:50:19.000000000 -0500
20295 +++ linux-2.6.37/arch/x86/xen/pci-swiotlb-xen.c 2011-01-17 02:41:01.000000000 -0500
20298 int xen_swiotlb __read_mostly;
20300 -static struct dma_map_ops xen_swiotlb_dma_ops = {
20301 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
20302 .mapping_error = xen_swiotlb_dma_mapping_error,
20303 .alloc_coherent = xen_swiotlb_alloc_coherent,
20304 .free_coherent = xen_swiotlb_free_coherent,
20305 diff -urNp linux-2.6.37/arch/x86/xen/smp.c linux-2.6.37/arch/x86/xen/smp.c
20306 --- linux-2.6.37/arch/x86/xen/smp.c 2011-01-04 19:50:19.000000000 -0500
20307 +++ linux-2.6.37/arch/x86/xen/smp.c 2011-01-17 02:41:01.000000000 -0500
20308 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
20310 BUG_ON(smp_processor_id() != 0);
20311 native_smp_prepare_boot_cpu();
20313 - /* We've switched to the "real" per-cpu gdt, so make sure the
20314 - old memory can be recycled */
20315 - make_lowmem_page_readwrite(xen_initial_gdt);
20317 xen_filter_cpu_maps();
20318 xen_setup_vcpu_info_placement();
20320 @@ -259,12 +254,12 @@ cpu_initialize_context(unsigned int cpu,
20321 gdt = get_cpu_gdt_table(cpu);
20323 ctxt->flags = VGCF_IN_KERNEL;
20324 - ctxt->user_regs.ds = __USER_DS;
20325 - ctxt->user_regs.es = __USER_DS;
20326 + ctxt->user_regs.ds = __KERNEL_DS;
20327 + ctxt->user_regs.es = __KERNEL_DS;
20328 ctxt->user_regs.ss = __KERNEL_DS;
20329 #ifdef CONFIG_X86_32
20330 ctxt->user_regs.fs = __KERNEL_PERCPU;
20331 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
20332 + savesegment(gs, ctxt->user_regs.gs);
20334 ctxt->gs_base_kernel = per_cpu_offset(cpu);
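Review bot: `savesegment(gs, ctxt->user_regs.gs);` initialises the new vCPU's `%gs` from whatever selector the calling CPU has loaded at that moment, where the old code used the named constant `__KERNEL_STACK_CANARY`. The value handed to the hypervisor therefore depends on caller state that cannot be checked from this hunk. A comment stating which selector is expected would make it reviewable, for example `/* inherit the boot CPU's %gs; expected to be <selector> at this point */`, with the selector filled in by the author. The switch of `ds`/`es` from `__USER_DS` to `__KERNEL_DS` would benefit from a one-line rationale as well. `cpu_initialize_context()` starts and ends outside the hunk.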
20336 diff -urNp linux-2.6.37/arch/x86/xen/xen-head.S linux-2.6.37/arch/x86/xen/xen-head.S
20337 --- linux-2.6.37/arch/x86/xen/xen-head.S 2011-01-04 19:50:19.000000000 -0500
20338 +++ linux-2.6.37/arch/x86/xen/xen-head.S 2011-01-17 02:41:01.000000000 -0500
20339 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20340 #ifdef CONFIG_X86_32
20341 mov %esi,xen_start_info
20342 mov $init_thread_union+THREAD_SIZE,%esp
20344 + movl $cpu_gdt_table,%edi
20345 + movl $__per_cpu_load,%eax
20346 + movw %ax,__KERNEL_PERCPU + 2(%edi)
20348 + movb %al,__KERNEL_PERCPU + 4(%edi)
20349 + movb %ah,__KERNEL_PERCPU + 7(%edi)
20350 + movl $__per_cpu_end - 1,%eax
20351 + subl $__per_cpu_start,%eax
20352 + movw %ax,__KERNEL_PERCPU + 0(%edi)
20355 mov %rsi,xen_start_info
20356 mov $init_thread_union+THREAD_SIZE,%rsp
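Review bot: The offsets `+ 2`, `+ 4`, `+ 7` and `+ 0` applied to `__KERNEL_PERCPU` in the added 32-bit block are raw descriptor-layout constants with no explanation. A header comment would help, such as `/* fill in base and limit of the __KERNEL_PERCPU descriptor in cpu_gdt_table from the per-cpu section bounds */`. Only a 16-bit limit is stored (`movw %ax,__KERNEL_PERCPU + 0(%edi)`), so the comment should also say whether the per-cpu area is assumed to fit in that field. If it is not guaranteed to fit, the upper limit bits need to be written too. At least one line of the added block is not visible in this rendering.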
20357 diff -urNp linux-2.6.37/arch/x86/xen/xen-ops.h linux-2.6.37/arch/x86/xen/xen-ops.h
20358 --- linux-2.6.37/arch/x86/xen/xen-ops.h 2011-01-04 19:50:19.000000000 -0500
20359 +++ linux-2.6.37/arch/x86/xen/xen-ops.h 2011-01-17 02:41:01.000000000 -0500
20361 extern const char xen_hypervisor_callback[];
20362 extern const char xen_failsafe_callback[];
20364 -extern void *xen_initial_gdt;
20367 void xen_copy_trap_info(struct trap_info *traps);
20369 diff -urNp linux-2.6.37/block/blk-iopoll.c linux-2.6.37/block/blk-iopoll.c
20370 --- linux-2.6.37/block/blk-iopoll.c 2011-01-04 19:50:19.000000000 -0500
20371 +++ linux-2.6.37/block/blk-iopoll.c 2011-01-17 02:41:01.000000000 -0500
20372 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20374 EXPORT_SYMBOL(blk_iopoll_complete);
20376 -static void blk_iopoll_softirq(struct softirq_action *h)
20377 +static void blk_iopoll_softirq(void)
20379 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20380 int rearm = 0, budget = blk_iopoll_budget;
20381 diff -urNp linux-2.6.37/block/blk-map.c linux-2.6.37/block/blk-map.c
20382 --- linux-2.6.37/block/blk-map.c 2011-01-04 19:50:19.000000000 -0500
20383 +++ linux-2.6.37/block/blk-map.c 2011-01-17 02:41:01.000000000 -0500
20384 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
20388 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
20389 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
20391 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20393 diff -urNp linux-2.6.37/block/blk-softirq.c linux-2.6.37/block/blk-softirq.c
20394 --- linux-2.6.37/block/blk-softirq.c 2011-01-04 19:50:19.000000000 -0500
20395 +++ linux-2.6.37/block/blk-softirq.c 2011-01-17 02:41:01.000000000 -0500
20396 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20397 * Softirq action handler - move entries to local list and loop over them
20398 * while passing them to the queue registered handler.
20400 -static void blk_done_softirq(struct softirq_action *h)
20401 +static void blk_done_softirq(void)
20403 struct list_head *cpu_list, local_list;
20405 diff -urNp linux-2.6.37/crypto/lrw.c linux-2.6.37/crypto/lrw.c
20406 --- linux-2.6.37/crypto/lrw.c 2011-01-04 19:50:19.000000000 -0500
20407 +++ linux-2.6.37/crypto/lrw.c 2011-01-17 02:41:01.000000000 -0500
20408 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20409 struct priv *ctx = crypto_tfm_ctx(parent);
20410 struct crypto_cipher *child = ctx->child;
20412 - be128 tmp = { 0 };
20413 + be128 tmp = { 0, 0 };
20414 int bsize = crypto_cipher_blocksize(child);
20416 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
20417 diff -urNp linux-2.6.37/Documentation/dontdiff linux-2.6.37/Documentation/dontdiff
20418 --- linux-2.6.37/Documentation/dontdiff 2011-01-04 19:50:19.000000000 -0500
20419 +++ linux-2.6.37/Documentation/dontdiff 2011-01-17 02:41:01.000000000 -0500
20439 @@ -49,11 +52,16 @@
20456 @@ -62,6 +70,7 @@ aic7*reg_print.c*
20464 @@ -76,7 +85,10 @@ btfixupprep
20475 @@ -100,19 +112,23 @@ fore200e_mkfirm
20490 initramfs_data.cpio
20491 +initramfs_data.cpio.bz2
20492 initramfs_data.cpio.gz
20500 @@ -136,10 +152,13 @@ mkboot
20514 @@ -151,7 +170,9 @@ parse.h
20524 @@ -160,15 +181,18 @@ qconf
20543 @@ -189,14 +213,20 @@ version.h*
20564 diff -urNp linux-2.6.37/Documentation/filesystems/sysfs.txt linux-2.6.37/Documentation/filesystems/sysfs.txt
20565 --- linux-2.6.37/Documentation/filesystems/sysfs.txt 2011-01-04 19:50:19.000000000 -0500
20566 +++ linux-2.6.37/Documentation/filesystems/sysfs.txt 2011-01-17 02:41:01.000000000 -0500
20567 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20568 show and store methods of the attribute owners.
20571 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
20572 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
20573 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20574 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
20577 [ Subsystems should have already defined a struct kobj_type as a
20578 diff -urNp linux-2.6.37/Documentation/kernel-parameters.txt linux-2.6.37/Documentation/kernel-parameters.txt
20579 --- linux-2.6.37/Documentation/kernel-parameters.txt 2011-01-04 19:50:19.000000000 -0500
20580 +++ linux-2.6.37/Documentation/kernel-parameters.txt 2011-01-17 02:41:01.000000000 -0500
20581 @@ -1849,6 +1849,13 @@ and is between 256 and 4096 characters.
20582 the specified number of seconds. This is to be used if
20583 your oopses keep scrolling off the screen.
20585 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
20586 + virtualization environments that don't cope well with the
20587 + expand down segment used by UDEREF on X86-32 or the frequent
20588 + page table updates on X86-64.
20590 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
20595 diff -urNp linux-2.6.37/drivers/acpi/battery.c linux-2.6.37/drivers/acpi/battery.c
20596 --- linux-2.6.37/drivers/acpi/battery.c 2011-01-04 19:50:19.000000000 -0500
20597 +++ linux-2.6.37/drivers/acpi/battery.c 2011-01-17 02:41:01.000000000 -0500
20598 @@ -851,7 +851,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
20601 static struct battery_file {
20602 - struct file_operations ops;
20603 + const struct file_operations ops;
20606 } acpi_battery_file[] = {
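Review bot: The `const` added in `const struct file_operations ops;` protects the table only at compile time, because the enclosing array is still declared `static struct battery_file { ... } acpi_battery_file[]`, and an object with other writable members is not normally placed in read-only data. If the remaining members (not visible in this hunk) are never written after initialisation, qualifying the whole object with `static const struct battery_file {` would put the function pointers in a read-only section as well. The struct body continues outside the hunk, so this needs checking against the full definition.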
20607 diff -urNp linux-2.6.37/drivers/acpi/blacklist.c linux-2.6.37/drivers/acpi/blacklist.c
20608 --- linux-2.6.37/drivers/acpi/blacklist.c 2011-01-04 19:50:19.000000000 -0500
20609 +++ linux-2.6.37/drivers/acpi/blacklist.c 2011-01-17 02:41:01.000000000 -0500
20610 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
20611 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20612 "Incorrect _ADR", 1},
20615 + {"", "", 0, NULL, all_versions, NULL, 0}
20618 #if CONFIG_ACPI_BLACKLIST_YEAR
20619 diff -urNp linux-2.6.37/drivers/acpi/dock.c linux-2.6.37/drivers/acpi/dock.c
20620 --- linux-2.6.37/drivers/acpi/dock.c 2011-01-04 19:50:19.000000000 -0500
20621 +++ linux-2.6.37/drivers/acpi/dock.c 2011-01-17 02:41:01.000000000 -0500
20622 @@ -77,7 +77,7 @@ struct dock_dependent_device {
20623 struct list_head list;
20624 struct list_head hotplug_list;
20625 acpi_handle handle;
20626 - struct acpi_dock_ops *ops;
20627 + const struct acpi_dock_ops *ops;
20631 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
20632 * the dock driver after _DCK is executed.
20635 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20636 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20639 struct dock_dependent_device *dd;
20640 diff -urNp linux-2.6.37/drivers/acpi/ec_sys.c linux-2.6.37/drivers/acpi/ec_sys.c
20641 --- linux-2.6.37/drivers/acpi/ec_sys.c 2011-01-04 19:50:19.000000000 -0500
20642 +++ linux-2.6.37/drivers/acpi/ec_sys.c 2011-01-17 02:41:01.000000000 -0500
20643 @@ -96,7 +96,7 @@ static ssize_t acpi_ec_write_io(struct f
20647 -static struct file_operations acpi_ec_io_ops = {
20648 +static const struct file_operations acpi_ec_io_ops = {
20649 .owner = THIS_MODULE,
20650 .open = acpi_ec_open_io,
20651 .read = acpi_ec_read_io,
20652 diff -urNp linux-2.6.37/drivers/acpi/osl.c linux-2.6.37/drivers/acpi/osl.c
20653 --- linux-2.6.37/drivers/acpi/osl.c 2011-01-04 19:50:19.000000000 -0500
20654 +++ linux-2.6.37/drivers/acpi/osl.c 2011-01-17 02:41:01.000000000 -0500
20655 @@ -643,6 +643,8 @@ acpi_os_read_memory(acpi_physical_addres
20658 virt_addr = ioremap(phys_addr, size);
20660 + return AE_NO_MEMORY;
20664 @@ -679,6 +681,8 @@ acpi_os_write_memory(acpi_physical_addre
20667 virt_addr = ioremap(phys_addr, size);
20669 + return AE_NO_MEMORY;
20673 diff -urNp linux-2.6.37/drivers/acpi/power_meter.c linux-2.6.37/drivers/acpi/power_meter.c
20674 --- linux-2.6.37/drivers/acpi/power_meter.c 2011-01-04 19:50:19.000000000 -0500
20675 +++ linux-2.6.37/drivers/acpi/power_meter.c 2011-01-17 02:41:01.000000000 -0500
20676 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
20683 mutex_lock(&resource->lock);
20684 resource->trip[attr->index - 7] = temp;
20685 diff -urNp linux-2.6.37/drivers/acpi/proc.c linux-2.6.37/drivers/acpi/proc.c
20686 --- linux-2.6.37/drivers/acpi/proc.c 2011-01-04 19:50:19.000000000 -0500
20687 +++ linux-2.6.37/drivers/acpi/proc.c 2011-01-17 02:41:01.000000000 -0500
20688 @@ -338,20 +338,15 @@ acpi_system_write_wakeup_device(struct f
20689 size_t count, loff_t * ppos)
20691 struct list_head *node, *next;
20693 - char str[5] = "";
20694 - unsigned int len = count;
20695 + char strbuf[5] = {0};
20696 struct acpi_device *found_dev = NULL;
20705 - if (copy_from_user(strbuf, buffer, len))
20706 + if (copy_from_user(strbuf, buffer, count))
20708 - strbuf[len] = '\0';
20709 - sscanf(strbuf, "%s", str);
20710 + strbuf[count] = '\0';
20712 mutex_lock(&acpi_device_lock);
20713 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
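Review bot: `copy_from_user(strbuf, buffer, count)` and `strbuf[count] = '\0'` now index the 5-byte `strbuf` directly with the caller-supplied `count`, so both depend on `count` having been clamped to at most 4 beforehand. That clamp is not among the lines visible here and should be confirmed directly above the copy, e.g. `if (count > 4) count = 4;`. Dropping `sscanf(strbuf, "%s", str)` also changes matching: a trailing newline is no longer stripped, so the `strncmp(dev->pnp.bus_id, strbuf, 4)` in the following hunk compares raw bytes, and a bus id shorter than four characters written with a newline would presumably stop matching. A one-line comment stating that the input is compared verbatim would document this. The function body starts and ends outside the hunk.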
20714 @@ -360,7 +355,7 @@ acpi_system_write_wakeup_device(struct f
20715 if (!dev->wakeup.flags.valid)
20718 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
20719 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
20720 dev->wakeup.state.enabled =
20721 dev->wakeup.state.enabled ? 0 : 1;
20723 diff -urNp linux-2.6.37/drivers/acpi/processor_driver.c linux-2.6.37/drivers/acpi/processor_driver.c
20724 --- linux-2.6.37/drivers/acpi/processor_driver.c 2011-01-04 19:50:19.000000000 -0500
20725 +++ linux-2.6.37/drivers/acpi/processor_driver.c 2011-01-17 02:41:01.000000000 -0500
20726 @@ -519,7 +519,7 @@ static int __cpuinit acpi_processor_add(
20730 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
20731 + BUG_ON(pr->id >= nr_cpu_ids);
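Review bot: `BUG_ON(pr->id >= nr_cpu_ids);` drops the `pr->id < 0` test, which is equivalent only if `pr->id` has an unsigned type; its declaration is not visible in this hunk. If the field is signed, or later becomes signed, a negative id could pass the remaining comparison and be used as a CPU index further down. Making the assumption explicit keeps the bound check robust: `BUG_ON((unsigned int)pr->id >= nr_cpu_ids);`, or at least a comment such as `/* pr->id is unsigned, so this also rejects out-of-range "negative" ids */`. acpi_processor_add continues outside the hunk.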
20735 diff -urNp linux-2.6.37/drivers/acpi/processor_idle.c linux-2.6.37/drivers/acpi/processor_idle.c
20736 --- linux-2.6.37/drivers/acpi/processor_idle.c 2011-01-04 19:50:19.000000000 -0500
20737 +++ linux-2.6.37/drivers/acpi/processor_idle.c 2011-01-17 02:41:01.000000000 -0500
20738 @@ -114,7 +114,7 @@ static struct dmi_system_id __cpuinitdat
20739 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
20740 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
20743 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
20747 diff -urNp linux-2.6.37/drivers/acpi/sleep.c linux-2.6.37/drivers/acpi/sleep.c
20748 --- linux-2.6.37/drivers/acpi/sleep.c 2011-01-04 19:50:19.000000000 -0500
20749 +++ linux-2.6.37/drivers/acpi/sleep.c 2011-01-17 02:41:01.000000000 -0500
20750 @@ -319,7 +319,7 @@ static int acpi_suspend_state_valid(susp
20754 -static struct platform_suspend_ops acpi_suspend_ops = {
20755 +static const struct platform_suspend_ops acpi_suspend_ops = {
20756 .valid = acpi_suspend_state_valid,
20757 .begin = acpi_suspend_begin,
20758 .prepare_late = acpi_pm_prepare,
20759 @@ -347,7 +347,7 @@ static int acpi_suspend_begin_old(suspen
20760 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20763 -static struct platform_suspend_ops acpi_suspend_ops_old = {
20764 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
20765 .valid = acpi_suspend_state_valid,
20766 .begin = acpi_suspend_begin_old,
20767 .prepare_late = acpi_pm_pre_suspend,
20768 @@ -506,7 +506,7 @@ static void acpi_pm_thaw(void)
20769 acpi_enable_all_runtime_gpes();
20772 -static struct platform_hibernation_ops acpi_hibernation_ops = {
20773 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
20774 .begin = acpi_hibernation_begin,
20775 .end = acpi_pm_end,
20776 .pre_snapshot = acpi_pm_prepare,
20777 @@ -549,7 +549,7 @@ static int acpi_hibernation_begin_old(vo
20778 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20781 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
20782 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
20783 .begin = acpi_hibernation_begin_old,
20784 .end = acpi_pm_end,
20785 .pre_snapshot = acpi_pm_pre_suspend,
20786 diff -urNp linux-2.6.37/drivers/acpi/video.c linux-2.6.37/drivers/acpi/video.c
20787 --- linux-2.6.37/drivers/acpi/video.c 2011-01-04 19:50:19.000000000 -0500
20788 +++ linux-2.6.37/drivers/acpi/video.c 2011-01-17 02:41:01.000000000 -0500
20789 @@ -260,7 +260,7 @@ static int acpi_video_set_brightness(str
20790 vd->brightness->levels[request_level]);
20793 -static struct backlight_ops acpi_backlight_ops = {
20794 +static const struct backlight_ops acpi_backlight_ops = {
20795 .get_brightness = acpi_video_get_brightness,
20796 .update_status = acpi_video_set_brightness,
20798 diff -urNp linux-2.6.37/drivers/ata/ahci.c linux-2.6.37/drivers/ata/ahci.c
20799 --- linux-2.6.37/drivers/ata/ahci.c 2011-01-04 19:50:19.000000000 -0500
20800 +++ linux-2.6.37/drivers/ata/ahci.c 2011-01-17 02:41:01.000000000 -0500
20801 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
20805 -static struct ata_port_operations ahci_vt8251_ops = {
20806 +static const struct ata_port_operations ahci_vt8251_ops = {
20807 .inherits = &ahci_ops,
20808 .hardreset = ahci_vt8251_hardreset,
20811 -static struct ata_port_operations ahci_p5wdh_ops = {
20812 +static const struct ata_port_operations ahci_p5wdh_ops = {
20813 .inherits = &ahci_ops,
20814 .hardreset = ahci_p5wdh_hardreset,
20817 -static struct ata_port_operations ahci_sb600_ops = {
20818 +static const struct ata_port_operations ahci_sb600_ops = {
20819 .inherits = &ahci_ops,
20820 .softreset = ahci_sb600_softreset,
20821 .pmp_softreset = ahci_sb600_softreset,
20822 @@ -388,7 +388,7 @@ static const struct pci_device_id ahci_p
20823 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
20824 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
20826 - { } /* terminate list */
20827 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20831 diff -urNp linux-2.6.37/drivers/ata/ahci.h linux-2.6.37/drivers/ata/ahci.h
20832 --- linux-2.6.37/drivers/ata/ahci.h 2011-01-04 19:50:19.000000000 -0500
20833 +++ linux-2.6.37/drivers/ata/ahci.h 2011-01-17 02:41:01.000000000 -0500
20834 @@ -309,7 +309,7 @@ extern struct device_attribute *ahci_sde
20835 .shost_attrs = ahci_shost_attrs, \
20836 .sdev_attrs = ahci_sdev_attrs
20838 -extern struct ata_port_operations ahci_ops;
20839 +extern const struct ata_port_operations ahci_ops;
20841 void ahci_save_initial_config(struct device *dev,
20842 struct ahci_host_priv *hpriv,
20843 diff -urNp linux-2.6.37/drivers/ata/ata_generic.c linux-2.6.37/drivers/ata/ata_generic.c
20844 --- linux-2.6.37/drivers/ata/ata_generic.c 2011-01-04 19:50:19.000000000 -0500
20845 +++ linux-2.6.37/drivers/ata/ata_generic.c 2011-01-17 02:41:01.000000000 -0500
20846 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
20847 ATA_BMDMA_SHT(DRV_NAME),
20850 -static struct ata_port_operations generic_port_ops = {
20851 +static const struct ata_port_operations generic_port_ops = {
20852 .inherits = &ata_bmdma_port_ops,
20853 .cable_detect = ata_cable_unknown,
20854 .set_mode = generic_set_mode,
20855 diff -urNp linux-2.6.37/drivers/ata/ata_piix.c linux-2.6.37/drivers/ata/ata_piix.c
20856 --- linux-2.6.37/drivers/ata/ata_piix.c 2011-01-04 19:50:19.000000000 -0500
20857 +++ linux-2.6.37/drivers/ata/ata_piix.c 2011-01-17 02:41:01.000000000 -0500
20858 @@ -309,7 +309,7 @@ static const struct pci_device_id piix_p
20859 { 0x8086, 0x1d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
20860 /* SATA Controller IDE (PBG) */
20861 { 0x8086, 0x1d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20862 - { } /* terminate list */
20863 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20866 static struct pci_driver piix_pci_driver = {
20867 @@ -327,12 +327,12 @@ static struct scsi_host_template piix_sh
20868 ATA_BMDMA_SHT(DRV_NAME),
20871 -static struct ata_port_operations piix_sata_ops = {
20872 +static const struct ata_port_operations piix_sata_ops = {
20873 .inherits = &ata_bmdma32_port_ops,
20874 .sff_irq_check = piix_irq_check,
20877 -static struct ata_port_operations piix_pata_ops = {
20878 +static const struct ata_port_operations piix_pata_ops = {
20879 .inherits = &piix_sata_ops,
20880 .cable_detect = ata_cable_40wire,
20881 .set_piomode = piix_set_piomode,
20882 @@ -340,12 +340,12 @@ static struct ata_port_operations piix_p
20883 .prereset = piix_pata_prereset,
20886 -static struct ata_port_operations piix_vmw_ops = {
20887 +static const struct ata_port_operations piix_vmw_ops = {
20888 .inherits = &piix_pata_ops,
20889 .bmdma_status = piix_vmw_bmdma_status,
20892 -static struct ata_port_operations ich_pata_ops = {
20893 +static const struct ata_port_operations ich_pata_ops = {
20894 .inherits = &piix_pata_ops,
20895 .cable_detect = ich_pata_cable_detect,
20896 .set_dmamode = ich_set_dmamode,
20897 @@ -361,7 +361,7 @@ static struct scsi_host_template piix_si
20898 .shost_attrs = piix_sidpr_shost_attrs,
20901 -static struct ata_port_operations piix_sidpr_sata_ops = {
20902 +static const struct ata_port_operations piix_sidpr_sata_ops = {
20903 .inherits = &piix_sata_ops,
20904 .hardreset = sata_std_hardreset,
20905 .scr_read = piix_sidpr_scr_read,
20906 @@ -638,7 +638,7 @@ static const struct ich_laptop ich_lapto
20907 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
20908 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
20915 @@ -1130,7 +1130,7 @@ static int piix_broken_suspend(void)
20919 - { } /* terminate list */
20920 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
20922 static const char *oemstrs[] = {
20924 diff -urNp linux-2.6.37/drivers/ata/libahci.c linux-2.6.37/drivers/ata/libahci.c
20925 --- linux-2.6.37/drivers/ata/libahci.c 2011-01-04 19:50:19.000000000 -0500
20926 +++ linux-2.6.37/drivers/ata/libahci.c 2011-01-17 02:41:01.000000000 -0500
20927 @@ -140,7 +140,7 @@ struct device_attribute *ahci_sdev_attrs
20929 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
20931 -struct ata_port_operations ahci_ops = {
20932 +const struct ata_port_operations ahci_ops = {
20933 .inherits = &sata_pmp_port_ops,
20935 .qc_defer = ahci_pmp_qc_defer,
20936 diff -urNp linux-2.6.37/drivers/ata/libata-acpi.c linux-2.6.37/drivers/ata/libata-acpi.c
20937 --- linux-2.6.37/drivers/ata/libata-acpi.c 2011-01-04 19:50:19.000000000 -0500
20938 +++ linux-2.6.37/drivers/ata/libata-acpi.c 2011-01-17 02:41:01.000000000 -0500
20939 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
20940 ata_acpi_uevent(dev->link->ap, dev, event);
20943 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20944 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20945 .handler = ata_acpi_dev_notify_dock,
20946 .uevent = ata_acpi_dev_uevent,
20949 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20950 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20951 .handler = ata_acpi_ap_notify_dock,
20952 .uevent = ata_acpi_ap_uevent,
20954 diff -urNp linux-2.6.37/drivers/ata/libata-core.c linux-2.6.37/drivers/ata/libata-core.c
20955 --- linux-2.6.37/drivers/ata/libata-core.c 2011-01-04 19:50:19.000000000 -0500
20956 +++ linux-2.6.37/drivers/ata/libata-core.c 2011-01-17 02:41:01.000000000 -0500
20957 @@ -897,7 +897,7 @@ static const struct ata_xfer_ent {
20958 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
20959 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
20960 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
20966 @@ -2885,7 +2885,7 @@ static const struct ata_timing ata_timin
20967 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
20968 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
20971 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
20974 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
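Review bot: The added terminator `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }` has nine initialisers, while neighbouring rows such as `{ XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 }` have ten, so the last member is still zeroed implicitly. Behaviour is unchanged, but if the purpose of spelling out the zeros is to avoid missing-initialiser warnings, the row is one short: `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0 }`. The table begins outside the hunk, so the member count is inferred from the visible rows.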
20975 @@ -4140,7 +4140,7 @@ static const struct ata_blacklist_entry
20976 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
20980 + { NULL, NULL, 0 }
20984 @@ -4745,7 +4745,7 @@ void ata_qc_free(struct ata_queued_cmd *
20985 struct ata_port *ap;
20988 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20989 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
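Review bot: The retained comment `/* ata_qc_from_tag _might_ return NULL */` now sits next to `BUG_ON(qc == NULL);`, which halts instead of warning, and it does not say why a condition described as possible is treated as fatal. The same replacement is made in __ata_qc_complete in the next hunk. If the intent is to stop before `qc` is dereferenced rather than continue with a NULL pointer, the comment should say so, e.g. `/* ata_qc_from_tag _might_ return NULL; stop here rather than dereference it below */`. This trades a logged warning for a panic on that path, which is worth recording in the commit description. Both function bodies continue outside the hunks.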
20993 @@ -4761,7 +4761,7 @@ void __ata_qc_complete(struct ata_queued
20994 struct ata_port *ap;
20995 struct ata_link *link;
20997 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20998 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20999 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
21001 link = qc->dev->link;
21002 @@ -5754,7 +5754,7 @@ static void ata_host_stop(struct device
21006 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
21007 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
21009 static DEFINE_SPINLOCK(lock);
21010 const struct ata_port_operations *cur;
21011 @@ -5766,6 +5766,7 @@ static void ata_finalize_port_ops(struct
21015 + pax_open_kernel();
21017 for (cur = ops->inherits; cur; cur = cur->inherits) {
21018 void **inherit = (void **)cur;
21019 @@ -5779,8 +5780,9 @@ static void ata_finalize_port_ops(struct
21023 - ops->inherits = NULL;
21024 + ((struct ata_port_operations *)ops)->inherits = NULL;
21026 + pax_close_kernel();
21027 spin_unlock(&lock);
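Review bot: `((struct ata_port_operations *)ops)->inherits = NULL;` writes through a pointer that the new signature declares `const`, and nothing in the function explains why that is acceptable. From the visible lines the write is bracketed by `pax_open_kernel()` in the previous hunk and `pax_close_kernel()` here, presumably because the ops tables now live in read-only memory; the copy loop between the two calls stores into the same table. A comment above the open call would make the contract reviewable, e.g. `/* ops tables are const: this is the only place they are written; keep the open/close window free of early returns */`. The start of the function, including where `lock` is taken, is outside these hunks.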
21030 @@ -5877,7 +5879,7 @@ int ata_host_start(struct ata_host *host
21032 /* KILLME - the only user left is ipr */
21033 void ata_host_init(struct ata_host *host, struct device *dev,
21034 - unsigned long flags, struct ata_port_operations *ops)
21035 + unsigned long flags, const struct ata_port_operations *ops)
21037 spin_lock_init(&host->lock);
21038 mutex_init(&host->eh_mutex);
21039 @@ -6583,7 +6585,7 @@ static void ata_dummy_error_handler(stru
21043 -struct ata_port_operations ata_dummy_port_ops = {
21044 +const struct ata_port_operations ata_dummy_port_ops = {
21045 .qc_prep = ata_noop_qc_prep,
21046 .qc_issue = ata_dummy_qc_issue,
21047 .error_handler = ata_dummy_error_handler,
21048 diff -urNp linux-2.6.37/drivers/ata/libata-eh.c linux-2.6.37/drivers/ata/libata-eh.c
21049 --- linux-2.6.37/drivers/ata/libata-eh.c 2011-01-04 19:50:19.000000000 -0500
21050 +++ linux-2.6.37/drivers/ata/libata-eh.c 2011-01-17 02:41:01.000000000 -0500
21051 @@ -3880,7 +3880,7 @@ void ata_do_eh(struct ata_port *ap, ata_
21053 void ata_std_error_handler(struct ata_port *ap)
21055 - struct ata_port_operations *ops = ap->ops;
21056 + const struct ata_port_operations *ops = ap->ops;
21057 ata_reset_fn_t hardreset = ops->hardreset;
21059 /* ignore built-in hardreset if SCR access is not available */
21060 diff -urNp linux-2.6.37/drivers/ata/libata-pmp.c linux-2.6.37/drivers/ata/libata-pmp.c
21061 --- linux-2.6.37/drivers/ata/libata-pmp.c 2011-01-04 19:50:19.000000000 -0500
21062 +++ linux-2.6.37/drivers/ata/libata-pmp.c 2011-01-17 02:41:01.000000000 -0500
21063 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
21065 static int sata_pmp_eh_recover(struct ata_port *ap)
21067 - struct ata_port_operations *ops = ap->ops;
21068 + const struct ata_port_operations *ops = ap->ops;
21069 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
21070 struct ata_link *pmp_link = &ap->link;
21071 struct ata_device *pmp_dev = pmp_link->device;
21072 diff -urNp linux-2.6.37/drivers/ata/pata_acpi.c linux-2.6.37/drivers/ata/pata_acpi.c
21073 --- linux-2.6.37/drivers/ata/pata_acpi.c 2011-01-04 19:50:19.000000000 -0500
21074 +++ linux-2.6.37/drivers/ata/pata_acpi.c 2011-01-17 02:41:01.000000000 -0500
21075 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
21076 ATA_BMDMA_SHT(DRV_NAME),
21079 -static struct ata_port_operations pacpi_ops = {
21080 +static const struct ata_port_operations pacpi_ops = {
21081 .inherits = &ata_bmdma_port_ops,
21082 .qc_issue = pacpi_qc_issue,
21083 .cable_detect = pacpi_cable_detect,
21084 diff -urNp linux-2.6.37/drivers/ata/pata_ali.c linux-2.6.37/drivers/ata/pata_ali.c
21085 --- linux-2.6.37/drivers/ata/pata_ali.c 2011-01-04 19:50:19.000000000 -0500
21086 +++ linux-2.6.37/drivers/ata/pata_ali.c 2011-01-17 02:41:01.000000000 -0500
21087 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
21088 * Port operations for PIO only ALi
21091 -static struct ata_port_operations ali_early_port_ops = {
21092 +static const struct ata_port_operations ali_early_port_ops = {
21093 .inherits = &ata_sff_port_ops,
21094 .cable_detect = ata_cable_40wire,
21095 .set_piomode = ali_set_piomode,
21096 @@ -380,7 +380,7 @@ static const struct ata_port_operations
21097 * Port operations for DMA capable ALi without cable
21100 -static struct ata_port_operations ali_20_port_ops = {
21101 +static const struct ata_port_operations ali_20_port_ops = {
21102 .inherits = &ali_dma_base_ops,
21103 .cable_detect = ata_cable_40wire,
21104 .mode_filter = ali_20_filter,
21105 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
21107 * Port operations for DMA capable ALi with cable detect
21109 -static struct ata_port_operations ali_c2_port_ops = {
21110 +static const struct ata_port_operations ali_c2_port_ops = {
21111 .inherits = &ali_dma_base_ops,
21112 .check_atapi_dma = ali_check_atapi_dma,
21113 .cable_detect = ali_c2_cable_detect,
21114 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
21116 * Port operations for DMA capable ALi with cable detect
21118 -static struct ata_port_operations ali_c4_port_ops = {
21119 +static const struct ata_port_operations ali_c4_port_ops = {
21120 .inherits = &ali_dma_base_ops,
21121 .check_atapi_dma = ali_check_atapi_dma,
21122 .cable_detect = ali_c2_cable_detect,
21123 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
21125 * Port operations for DMA capable ALi with cable detect and LBA48
21127 -static struct ata_port_operations ali_c5_port_ops = {
21128 +static const struct ata_port_operations ali_c5_port_ops = {
21129 .inherits = &ali_dma_base_ops,
21130 .check_atapi_dma = ali_check_atapi_dma,
21131 .dev_config = ali_warn_atapi_dma,
21132 diff -urNp linux-2.6.37/drivers/ata/pata_amd.c linux-2.6.37/drivers/ata/pata_amd.c
21133 --- linux-2.6.37/drivers/ata/pata_amd.c 2011-01-04 19:50:19.000000000 -0500
21134 +++ linux-2.6.37/drivers/ata/pata_amd.c 2011-01-17 02:41:01.000000000 -0500
21135 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21136 .prereset = amd_pre_reset,
21139 -static struct ata_port_operations amd33_port_ops = {
21140 +static const struct ata_port_operations amd33_port_ops = {
21141 .inherits = &amd_base_port_ops,
21142 .cable_detect = ata_cable_40wire,
21143 .set_piomode = amd33_set_piomode,
21144 .set_dmamode = amd33_set_dmamode,
21147 -static struct ata_port_operations amd66_port_ops = {
21148 +static const struct ata_port_operations amd66_port_ops = {
21149 .inherits = &amd_base_port_ops,
21150 .cable_detect = ata_cable_unknown,
21151 .set_piomode = amd66_set_piomode,
21152 .set_dmamode = amd66_set_dmamode,
21155 -static struct ata_port_operations amd100_port_ops = {
21156 +static const struct ata_port_operations amd100_port_ops = {
21157 .inherits = &amd_base_port_ops,
21158 .cable_detect = ata_cable_unknown,
21159 .set_piomode = amd100_set_piomode,
21160 .set_dmamode = amd100_set_dmamode,
21163 -static struct ata_port_operations amd133_port_ops = {
21164 +static const struct ata_port_operations amd133_port_ops = {
21165 .inherits = &amd_base_port_ops,
21166 .cable_detect = amd_cable_detect,
21167 .set_piomode = amd133_set_piomode,
21168 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21169 .host_stop = nv_host_stop,
21172 -static struct ata_port_operations nv100_port_ops = {
21173 +static const struct ata_port_operations nv100_port_ops = {
21174 .inherits = &nv_base_port_ops,
21175 .set_piomode = nv100_set_piomode,
21176 .set_dmamode = nv100_set_dmamode,
21179 -static struct ata_port_operations nv133_port_ops = {
21180 +static const struct ata_port_operations nv133_port_ops = {
21181 .inherits = &nv_base_port_ops,
21182 .set_piomode = nv133_set_piomode,
21183 .set_dmamode = nv133_set_dmamode,
21184 diff -urNp linux-2.6.37/drivers/ata/pata_artop.c linux-2.6.37/drivers/ata/pata_artop.c
21185 --- linux-2.6.37/drivers/ata/pata_artop.c 2011-01-04 19:50:19.000000000 -0500
21186 +++ linux-2.6.37/drivers/ata/pata_artop.c 2011-01-17 02:41:01.000000000 -0500
21187 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
21188 ATA_BMDMA_SHT(DRV_NAME),
21191 -static struct ata_port_operations artop6210_ops = {
21192 +static const struct ata_port_operations artop6210_ops = {
21193 .inherits = &ata_bmdma_port_ops,
21194 .cable_detect = ata_cable_40wire,
21195 .set_piomode = artop6210_set_piomode,
21196 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
21197 .qc_defer = artop6210_qc_defer,
21200 -static struct ata_port_operations artop6260_ops = {
21201 +static const struct ata_port_operations artop6260_ops = {
21202 .inherits = &ata_bmdma_port_ops,
21203 .cable_detect = artop6260_cable_detect,
21204 .set_piomode = artop6260_set_piomode,
21205 diff -urNp linux-2.6.37/drivers/ata/pata_at32.c linux-2.6.37/drivers/ata/pata_at32.c
21206 --- linux-2.6.37/drivers/ata/pata_at32.c 2011-01-04 19:50:19.000000000 -0500
21207 +++ linux-2.6.37/drivers/ata/pata_at32.c 2011-01-17 02:41:01.000000000 -0500
21208 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21209 ATA_PIO_SHT(DRV_NAME),
21212 -static struct ata_port_operations at32_port_ops = {
21213 +static const struct ata_port_operations at32_port_ops = {
21214 .inherits = &ata_sff_port_ops,
21215 .cable_detect = ata_cable_40wire,
21216 .set_piomode = pata_at32_set_piomode,
21217 diff -urNp linux-2.6.37/drivers/ata/pata_at91.c linux-2.6.37/drivers/ata/pata_at91.c
21218 --- linux-2.6.37/drivers/ata/pata_at91.c 2011-01-04 19:50:19.000000000 -0500
21219 +++ linux-2.6.37/drivers/ata/pata_at91.c 2011-01-17 02:41:01.000000000 -0500
21220 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21221 ATA_PIO_SHT(DRV_NAME),
21224 -static struct ata_port_operations pata_at91_port_ops = {
21225 +static const struct ata_port_operations pata_at91_port_ops = {
21226 .inherits = &ata_sff_port_ops,
21228 .sff_data_xfer = pata_at91_data_xfer_noirq,
21229 diff -urNp linux-2.6.37/drivers/ata/pata_atiixp.c linux-2.6.37/drivers/ata/pata_atiixp.c
21230 --- linux-2.6.37/drivers/ata/pata_atiixp.c 2011-01-04 19:50:19.000000000 -0500
21231 +++ linux-2.6.37/drivers/ata/pata_atiixp.c 2011-01-17 02:41:01.000000000 -0500
21232 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21233 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21236 -static struct ata_port_operations atiixp_port_ops = {
21237 +static const struct ata_port_operations atiixp_port_ops = {
21238 .inherits = &ata_bmdma_port_ops,
21240 .qc_prep = ata_bmdma_dumb_qc_prep,
21241 diff -urNp linux-2.6.37/drivers/ata/pata_atp867x.c linux-2.6.37/drivers/ata/pata_atp867x.c
21242 --- linux-2.6.37/drivers/ata/pata_atp867x.c 2011-01-04 19:50:19.000000000 -0500
21243 +++ linux-2.6.37/drivers/ata/pata_atp867x.c 2011-01-17 02:41:01.000000000 -0500
21244 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21245 ATA_BMDMA_SHT(DRV_NAME),
21248 -static struct ata_port_operations atp867x_ops = {
21249 +static const struct ata_port_operations atp867x_ops = {
21250 .inherits = &ata_bmdma_port_ops,
21251 .cable_detect = atp867x_cable_detect,
21252 .set_piomode = atp867x_set_piomode,
21253 diff -urNp linux-2.6.37/drivers/ata/pata_bf54x.c linux-2.6.37/drivers/ata/pata_bf54x.c
21254 --- linux-2.6.37/drivers/ata/pata_bf54x.c 2011-01-04 19:50:19.000000000 -0500
21255 +++ linux-2.6.37/drivers/ata/pata_bf54x.c 2011-01-17 02:41:01.000000000 -0500
21256 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21257 .dma_boundary = ATA_DMA_BOUNDARY,
21260 -static struct ata_port_operations bfin_pata_ops = {
21261 +static const struct ata_port_operations bfin_pata_ops = {
21262 .inherits = &ata_bmdma_port_ops,
21264 .set_piomode = bfin_set_piomode,
21265 diff -urNp linux-2.6.37/drivers/ata/pata_cmd640.c linux-2.6.37/drivers/ata/pata_cmd640.c
21266 --- linux-2.6.37/drivers/ata/pata_cmd640.c 2011-01-04 19:50:19.000000000 -0500
21267 +++ linux-2.6.37/drivers/ata/pata_cmd640.c 2011-01-17 02:41:01.000000000 -0500
21268 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
21269 ATA_PIO_SHT(DRV_NAME),
21272 -static struct ata_port_operations cmd640_port_ops = {
21273 +static const struct ata_port_operations cmd640_port_ops = {
21274 .inherits = &ata_sff_port_ops,
21275 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21276 .sff_data_xfer = ata_sff_data_xfer_noirq,
21277 diff -urNp linux-2.6.37/drivers/ata/pata_cmd64x.c linux-2.6.37/drivers/ata/pata_cmd64x.c
21278 --- linux-2.6.37/drivers/ata/pata_cmd64x.c 2011-01-04 19:50:19.000000000 -0500
21279 +++ linux-2.6.37/drivers/ata/pata_cmd64x.c 2011-01-17 02:41:01.000000000 -0500
21280 @@ -268,18 +268,18 @@ static const struct ata_port_operations
21281 .set_dmamode = cmd64x_set_dmamode,
21284 -static struct ata_port_operations cmd64x_port_ops = {
21285 +static const struct ata_port_operations cmd64x_port_ops = {
21286 .inherits = &cmd64x_base_ops,
21287 .cable_detect = ata_cable_40wire,
21290 -static struct ata_port_operations cmd646r1_port_ops = {
21291 +static const struct ata_port_operations cmd646r1_port_ops = {
21292 .inherits = &cmd64x_base_ops,
21293 .bmdma_stop = cmd646r1_bmdma_stop,
21294 .cable_detect = ata_cable_40wire,
21297 -static struct ata_port_operations cmd648_port_ops = {
21298 +static const struct ata_port_operations cmd648_port_ops = {
21299 .inherits = &cmd64x_base_ops,
21300 .bmdma_stop = cmd648_bmdma_stop,
21301 .cable_detect = cmd648_cable_detect,
21302 diff -urNp linux-2.6.37/drivers/ata/pata_cs5520.c linux-2.6.37/drivers/ata/pata_cs5520.c
21303 --- linux-2.6.37/drivers/ata/pata_cs5520.c 2011-01-04 19:50:19.000000000 -0500
21304 +++ linux-2.6.37/drivers/ata/pata_cs5520.c 2011-01-17 02:41:01.000000000 -0500
21305 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21306 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21309 -static struct ata_port_operations cs5520_port_ops = {
21310 +static const struct ata_port_operations cs5520_port_ops = {
21311 .inherits = &ata_bmdma_port_ops,
21312 .qc_prep = ata_bmdma_dumb_qc_prep,
21313 .cable_detect = ata_cable_40wire,
21314 diff -urNp linux-2.6.37/drivers/ata/pata_cs5530.c linux-2.6.37/drivers/ata/pata_cs5530.c
21315 --- linux-2.6.37/drivers/ata/pata_cs5530.c 2011-01-04 19:50:19.000000000 -0500
21316 +++ linux-2.6.37/drivers/ata/pata_cs5530.c 2011-01-17 02:41:01.000000000 -0500
21317 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21318 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21321 -static struct ata_port_operations cs5530_port_ops = {
21322 +static const struct ata_port_operations cs5530_port_ops = {
21323 .inherits = &ata_bmdma_port_ops,
21325 .qc_prep = ata_bmdma_dumb_qc_prep,
21326 diff -urNp linux-2.6.37/drivers/ata/pata_cs5535.c linux-2.6.37/drivers/ata/pata_cs5535.c
21327 --- linux-2.6.37/drivers/ata/pata_cs5535.c 2011-01-04 19:50:19.000000000 -0500
21328 +++ linux-2.6.37/drivers/ata/pata_cs5535.c 2011-01-17 02:41:01.000000000 -0500
21329 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21330 ATA_BMDMA_SHT(DRV_NAME),
21333 -static struct ata_port_operations cs5535_port_ops = {
21334 +static const struct ata_port_operations cs5535_port_ops = {
21335 .inherits = &ata_bmdma_port_ops,
21336 .cable_detect = cs5535_cable_detect,
21337 .set_piomode = cs5535_set_piomode,
21338 diff -urNp linux-2.6.37/drivers/ata/pata_cs5536.c linux-2.6.37/drivers/ata/pata_cs5536.c
21339 --- linux-2.6.37/drivers/ata/pata_cs5536.c 2011-01-04 19:50:19.000000000 -0500
21340 +++ linux-2.6.37/drivers/ata/pata_cs5536.c 2011-01-17 02:41:01.000000000 -0500
21341 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
21342 ATA_BMDMA_SHT(DRV_NAME),
21345 -static struct ata_port_operations cs5536_port_ops = {
21346 +static const struct ata_port_operations cs5536_port_ops = {
21347 .inherits = &ata_bmdma32_port_ops,
21348 .cable_detect = cs5536_cable_detect,
21349 .set_piomode = cs5536_set_piomode,
21350 diff -urNp linux-2.6.37/drivers/ata/pata_cypress.c linux-2.6.37/drivers/ata/pata_cypress.c
21351 --- linux-2.6.37/drivers/ata/pata_cypress.c 2011-01-04 19:50:19.000000000 -0500
21352 +++ linux-2.6.37/drivers/ata/pata_cypress.c 2011-01-17 02:41:01.000000000 -0500
21353 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21354 ATA_BMDMA_SHT(DRV_NAME),
21357 -static struct ata_port_operations cy82c693_port_ops = {
21358 +static const struct ata_port_operations cy82c693_port_ops = {
21359 .inherits = &ata_bmdma_port_ops,
21360 .cable_detect = ata_cable_40wire,
21361 .set_piomode = cy82c693_set_piomode,
21362 diff -urNp linux-2.6.37/drivers/ata/pata_efar.c linux-2.6.37/drivers/ata/pata_efar.c
21363 --- linux-2.6.37/drivers/ata/pata_efar.c 2011-01-04 19:50:19.000000000 -0500
21364 +++ linux-2.6.37/drivers/ata/pata_efar.c 2011-01-17 02:41:01.000000000 -0500
21365 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21366 ATA_BMDMA_SHT(DRV_NAME),
21369 -static struct ata_port_operations efar_ops = {
21370 +static const struct ata_port_operations efar_ops = {
21371 .inherits = &ata_bmdma_port_ops,
21372 .cable_detect = efar_cable_detect,
21373 .set_piomode = efar_set_piomode,
21374 diff -urNp linux-2.6.37/drivers/ata/pata_hpt366.c linux-2.6.37/drivers/ata/pata_hpt366.c
21375 --- linux-2.6.37/drivers/ata/pata_hpt366.c 2011-01-04 19:50:19.000000000 -0500
21376 +++ linux-2.6.37/drivers/ata/pata_hpt366.c 2011-01-17 02:41:01.000000000 -0500
21377 @@ -269,7 +269,7 @@ static struct scsi_host_template hpt36x_
21378 * Configuration for HPT366/68
21381 -static struct ata_port_operations hpt366_port_ops = {
21382 +static const struct ata_port_operations hpt366_port_ops = {
21383 .inherits = &ata_bmdma_port_ops,
21384 .cable_detect = hpt36x_cable_detect,
21385 .mode_filter = hpt366_filter,
21386 diff -urNp linux-2.6.37/drivers/ata/pata_hpt37x.c linux-2.6.37/drivers/ata/pata_hpt37x.c
21387 --- linux-2.6.37/drivers/ata/pata_hpt37x.c 2011-01-04 19:50:19.000000000 -0500
21388 +++ linux-2.6.37/drivers/ata/pata_hpt37x.c 2011-01-17 02:41:01.000000000 -0500
21389 @@ -564,7 +564,7 @@ static struct scsi_host_template hpt37x_
21390 * Configuration for HPT370
21393 -static struct ata_port_operations hpt370_port_ops = {
21394 +static const struct ata_port_operations hpt370_port_ops = {
21395 .inherits = &ata_bmdma_port_ops,
21397 .bmdma_stop = hpt370_bmdma_stop,
21398 @@ -580,7 +580,7 @@ static struct ata_port_operations hpt370
21399 * Configuration for HPT370A. Close to 370 but less filters
21402 -static struct ata_port_operations hpt370a_port_ops = {
21403 +static const struct ata_port_operations hpt370a_port_ops = {
21404 .inherits = &hpt370_port_ops,
21405 .mode_filter = hpt370a_filter,
21407 @@ -590,7 +590,7 @@ static struct ata_port_operations hpt370
21408 * and DMA mode setting functionality.
21411 -static struct ata_port_operations hpt372_port_ops = {
21412 +static const struct ata_port_operations hpt372_port_ops = {
21413 .inherits = &ata_bmdma_port_ops,
21415 .bmdma_stop = hpt37x_bmdma_stop,
21416 @@ -606,7 +606,7 @@ static struct ata_port_operations hpt372
21417 * but we have a different cable detection procedure for function 1.
21420 -static struct ata_port_operations hpt374_fn1_port_ops = {
21421 +static const struct ata_port_operations hpt374_fn1_port_ops = {
21422 .inherits = &hpt372_port_ops,
21423 .cable_detect = hpt374_fn1_cable_detect,
21424 .prereset = hpt37x_pre_reset,
21425 diff -urNp linux-2.6.37/drivers/ata/pata_hpt3x2n.c linux-2.6.37/drivers/ata/pata_hpt3x2n.c
21426 --- linux-2.6.37/drivers/ata/pata_hpt3x2n.c 2011-01-04 19:50:19.000000000 -0500
21427 +++ linux-2.6.37/drivers/ata/pata_hpt3x2n.c 2011-01-17 02:41:01.000000000 -0500
21428 @@ -331,7 +331,7 @@ static struct scsi_host_template hpt3x2n
21429 * Configuration for HPT3x2n.
21432 -static struct ata_port_operations hpt3x2n_port_ops = {
21433 +static const struct ata_port_operations hpt3x2n_port_ops = {
21434 .inherits = &ata_bmdma_port_ops,
21436 .bmdma_stop = hpt3x2n_bmdma_stop,
21437 diff -urNp linux-2.6.37/drivers/ata/pata_hpt3x3.c linux-2.6.37/drivers/ata/pata_hpt3x3.c
21438 --- linux-2.6.37/drivers/ata/pata_hpt3x3.c 2011-01-04 19:50:19.000000000 -0500
21439 +++ linux-2.6.37/drivers/ata/pata_hpt3x3.c 2011-01-17 02:41:01.000000000 -0500
21440 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21441 ATA_BMDMA_SHT(DRV_NAME),
21444 -static struct ata_port_operations hpt3x3_port_ops = {
21445 +static const struct ata_port_operations hpt3x3_port_ops = {
21446 .inherits = &ata_bmdma_port_ops,
21447 .cable_detect = ata_cable_40wire,
21448 .set_piomode = hpt3x3_set_piomode,
21449 diff -urNp linux-2.6.37/drivers/ata/pata_icside.c linux-2.6.37/drivers/ata/pata_icside.c
21450 --- linux-2.6.37/drivers/ata/pata_icside.c 2011-01-04 19:50:19.000000000 -0500
21451 +++ linux-2.6.37/drivers/ata/pata_icside.c 2011-01-17 02:41:01.000000000 -0500
21452 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
21456 -static struct ata_port_operations pata_icside_port_ops = {
21457 +static const struct ata_port_operations pata_icside_port_ops = {
21458 .inherits = &ata_bmdma_port_ops,
21459 /* no need to build any PRD tables for DMA */
21460 .qc_prep = ata_noop_qc_prep,
21461 diff -urNp linux-2.6.37/drivers/ata/pata_isapnp.c linux-2.6.37/drivers/ata/pata_isapnp.c
21462 --- linux-2.6.37/drivers/ata/pata_isapnp.c 2011-01-04 19:50:19.000000000 -0500
21463 +++ linux-2.6.37/drivers/ata/pata_isapnp.c 2011-01-17 02:41:01.000000000 -0500
21464 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21465 ATA_PIO_SHT(DRV_NAME),
21468 -static struct ata_port_operations isapnp_port_ops = {
21469 +static const struct ata_port_operations isapnp_port_ops = {
21470 .inherits = &ata_sff_port_ops,
21471 .cable_detect = ata_cable_40wire,
21474 -static struct ata_port_operations isapnp_noalt_port_ops = {
21475 +static const struct ata_port_operations isapnp_noalt_port_ops = {
21476 .inherits = &ata_sff_port_ops,
21477 .cable_detect = ata_cable_40wire,
21478 /* No altstatus so we don't want to use the lost interrupt poll */
21479 diff -urNp linux-2.6.37/drivers/ata/pata_it8213.c linux-2.6.37/drivers/ata/pata_it8213.c
21480 --- linux-2.6.37/drivers/ata/pata_it8213.c 2011-01-04 19:50:19.000000000 -0500
21481 +++ linux-2.6.37/drivers/ata/pata_it8213.c 2011-01-17 02:41:01.000000000 -0500
21482 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21486 -static struct ata_port_operations it8213_ops = {
21487 +static const struct ata_port_operations it8213_ops = {
21488 .inherits = &ata_bmdma_port_ops,
21489 .cable_detect = it8213_cable_detect,
21490 .set_piomode = it8213_set_piomode,
21491 diff -urNp linux-2.6.37/drivers/ata/pata_it821x.c linux-2.6.37/drivers/ata/pata_it821x.c
21492 --- linux-2.6.37/drivers/ata/pata_it821x.c 2011-01-04 19:50:19.000000000 -0500
21493 +++ linux-2.6.37/drivers/ata/pata_it821x.c 2011-01-17 02:41:01.000000000 -0500
21494 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
21495 ATA_BMDMA_SHT(DRV_NAME),
21498 -static struct ata_port_operations it821x_smart_port_ops = {
21499 +static const struct ata_port_operations it821x_smart_port_ops = {
21500 .inherits = &ata_bmdma_port_ops,
21502 .check_atapi_dma= it821x_check_atapi_dma,
21503 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
21504 .port_start = it821x_port_start,
21507 -static struct ata_port_operations it821x_passthru_port_ops = {
21508 +static const struct ata_port_operations it821x_passthru_port_ops = {
21509 .inherits = &ata_bmdma_port_ops,
21511 .check_atapi_dma= it821x_check_atapi_dma,
21512 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
21513 .port_start = it821x_port_start,
21516 -static struct ata_port_operations it821x_rdc_port_ops = {
21517 +static const struct ata_port_operations it821x_rdc_port_ops = {
21518 .inherits = &ata_bmdma_port_ops,
21520 .check_atapi_dma= it821x_check_atapi_dma,
21521 diff -urNp linux-2.6.37/drivers/ata/pata_ixp4xx_cf.c linux-2.6.37/drivers/ata/pata_ixp4xx_cf.c
21522 --- linux-2.6.37/drivers/ata/pata_ixp4xx_cf.c 2011-01-04 19:50:19.000000000 -0500
21523 +++ linux-2.6.37/drivers/ata/pata_ixp4xx_cf.c 2011-01-17 02:41:01.000000000 -0500
21524 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21525 ATA_PIO_SHT(DRV_NAME),
21528 -static struct ata_port_operations ixp4xx_port_ops = {
21529 +static const struct ata_port_operations ixp4xx_port_ops = {
21530 .inherits = &ata_sff_port_ops,
21531 .sff_data_xfer = ixp4xx_mmio_data_xfer,
21532 .cable_detect = ata_cable_40wire,
21533 diff -urNp linux-2.6.37/drivers/ata/pata_jmicron.c linux-2.6.37/drivers/ata/pata_jmicron.c
21534 --- linux-2.6.37/drivers/ata/pata_jmicron.c 2011-01-04 19:50:19.000000000 -0500
21535 +++ linux-2.6.37/drivers/ata/pata_jmicron.c 2011-01-17 02:41:01.000000000 -0500
21536 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21537 ATA_BMDMA_SHT(DRV_NAME),
21540 -static struct ata_port_operations jmicron_ops = {
21541 +static const struct ata_port_operations jmicron_ops = {
21542 .inherits = &ata_bmdma_port_ops,
21543 .prereset = jmicron_pre_reset,
21545 diff -urNp linux-2.6.37/drivers/ata/pata_legacy.c linux-2.6.37/drivers/ata/pata_legacy.c
21546 --- linux-2.6.37/drivers/ata/pata_legacy.c 2011-01-04 19:50:19.000000000 -0500
21547 +++ linux-2.6.37/drivers/ata/pata_legacy.c 2011-01-17 02:41:01.000000000 -0500
21548 @@ -116,7 +116,7 @@ struct legacy_probe {
21550 struct legacy_controller {
21552 - struct ata_port_operations *ops;
21553 + const struct ata_port_operations *ops;
21554 unsigned int pio_mask;
21555 unsigned int flags;
21556 unsigned int pflags;
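Review bot: Making `ops` a pointer-to-const in `struct legacy_controller` protects the operations table it points at, but not the pointer stored in each controller entry. If the `struct legacy_controller` instances are never written after initialisation (their definition is outside this hunk, so this needs confirming), declaring them `const` as well would place the `ops` pointer in read-only data too. `legacy_init_one` only copies `controller->ops` into a local, as its hunk further down shows (`const struct ata_port_operations *ops = controller->ops;`), so the reader side already fits. The struct body starts and ends outside the hunk.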
21557 @@ -239,12 +239,12 @@ static const struct ata_port_operations
21558 * pio_mask as well.
21561 -static struct ata_port_operations simple_port_ops = {
21562 +static const struct ata_port_operations simple_port_ops = {
21563 .inherits = &legacy_base_port_ops,
21564 .sff_data_xfer = ata_sff_data_xfer_noirq,
21567 -static struct ata_port_operations legacy_port_ops = {
21568 +static const struct ata_port_operations legacy_port_ops = {
21569 .inherits = &legacy_base_port_ops,
21570 .sff_data_xfer = ata_sff_data_xfer_noirq,
21571 .set_mode = legacy_set_mode,
21572 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
21576 -static struct ata_port_operations pdc20230_port_ops = {
21577 +static const struct ata_port_operations pdc20230_port_ops = {
21578 .inherits = &legacy_base_port_ops,
21579 .set_piomode = pdc20230_set_piomode,
21580 .sff_data_xfer = pdc_data_xfer_vlb,
21581 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
21582 ioread8(ap->ioaddr.status_addr);
21585 -static struct ata_port_operations ht6560a_port_ops = {
21586 +static const struct ata_port_operations ht6560a_port_ops = {
21587 .inherits = &legacy_base_port_ops,
21588 .set_piomode = ht6560a_set_piomode,
21590 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
21591 ioread8(ap->ioaddr.status_addr);
21594 -static struct ata_port_operations ht6560b_port_ops = {
21595 +static const struct ata_port_operations ht6560b_port_ops = {
21596 .inherits = &legacy_base_port_ops,
21597 .set_piomode = ht6560b_set_piomode,
21599 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
21603 -static struct ata_port_operations opti82c611a_port_ops = {
21604 +static const struct ata_port_operations opti82c611a_port_ops = {
21605 .inherits = &legacy_base_port_ops,
21606 .set_piomode = opti82c611a_set_piomode,
21608 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
21609 return ata_sff_qc_issue(qc);
21612 -static struct ata_port_operations opti82c46x_port_ops = {
21613 +static const struct ata_port_operations opti82c46x_port_ops = {
21614 .inherits = &legacy_base_port_ops,
21615 .set_piomode = opti82c46x_set_piomode,
21616 .qc_issue = opti82c46x_qc_issue,
21617 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
21621 -static struct ata_port_operations qdi6500_port_ops = {
21622 +static const struct ata_port_operations qdi6500_port_ops = {
21623 .inherits = &legacy_base_port_ops,
21624 .set_piomode = qdi6500_set_piomode,
21625 .qc_issue = qdi_qc_issue,
21626 .sff_data_xfer = vlb32_data_xfer,
21629 -static struct ata_port_operations qdi6580_port_ops = {
21630 +static const struct ata_port_operations qdi6580_port_ops = {
21631 .inherits = &legacy_base_port_ops,
21632 .set_piomode = qdi6580_set_piomode,
21633 .sff_data_xfer = vlb32_data_xfer,
21636 -static struct ata_port_operations qdi6580dp_port_ops = {
21637 +static const struct ata_port_operations qdi6580dp_port_ops = {
21638 .inherits = &legacy_base_port_ops,
21639 .set_piomode = qdi6580dp_set_piomode,
21640 .qc_issue = qdi_qc_issue,
21641 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
21645 -static struct ata_port_operations winbond_port_ops = {
21646 +static const struct ata_port_operations winbond_port_ops = {
21647 .inherits = &legacy_base_port_ops,
21648 .set_piomode = winbond_set_piomode,
21649 .sff_data_xfer = vlb32_data_xfer,
21650 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
21651 int pio_modes = controller->pio_mask;
21652 unsigned long io = probe->port;
21653 u32 mask = (1 << probe->slot);
21654 - struct ata_port_operations *ops = controller->ops;
21655 + const struct ata_port_operations *ops = controller->ops;
21656 struct legacy_data *ld = &legacy_data[probe->slot];
21657 struct ata_host *host = NULL;
21658 struct ata_port *ap;
21659 diff -urNp linux-2.6.37/drivers/ata/pata_macio.c linux-2.6.37/drivers/ata/pata_macio.c
21660 --- linux-2.6.37/drivers/ata/pata_macio.c 2011-01-04 19:50:19.000000000 -0500
21661 +++ linux-2.6.37/drivers/ata/pata_macio.c 2011-01-17 02:41:01.000000000 -0500
21662 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
21663 .slave_configure = pata_macio_slave_config,
21666 -static struct ata_port_operations pata_macio_ops = {
21667 +static const struct ata_port_operations pata_macio_ops = {
21668 .inherits = &ata_bmdma_port_ops,
21670 .freeze = pata_macio_freeze,
21671 .set_piomode = pata_macio_set_timings,
21672 .set_dmamode = pata_macio_set_timings,
21673 diff -urNp linux-2.6.37/drivers/ata/pata_marvell.c linux-2.6.37/drivers/ata/pata_marvell.c
21674 --- linux-2.6.37/drivers/ata/pata_marvell.c 2011-01-04 19:50:19.000000000 -0500
21675 +++ linux-2.6.37/drivers/ata/pata_marvell.c 2011-01-17 02:41:01.000000000 -0500
21676 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
21677 ATA_BMDMA_SHT(DRV_NAME),
21680 -static struct ata_port_operations marvell_ops = {
21681 +static const struct ata_port_operations marvell_ops = {
21682 .inherits = &ata_bmdma_port_ops,
21683 .cable_detect = marvell_cable_detect,
21684 .prereset = marvell_pre_reset,
21685 diff -urNp linux-2.6.37/drivers/ata/pata_mpc52xx.c linux-2.6.37/drivers/ata/pata_mpc52xx.c
21686 --- linux-2.6.37/drivers/ata/pata_mpc52xx.c 2011-01-04 19:50:19.000000000 -0500
21687 +++ linux-2.6.37/drivers/ata/pata_mpc52xx.c 2011-01-17 02:41:01.000000000 -0500
21688 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
21689 ATA_PIO_SHT(DRV_NAME),
21692 -static struct ata_port_operations mpc52xx_ata_port_ops = {
21693 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
21694 .inherits = &ata_sff_port_ops,
21695 .sff_dev_select = mpc52xx_ata_dev_select,
21696 .set_piomode = mpc52xx_ata_set_piomode,
21697 diff -urNp linux-2.6.37/drivers/ata/pata_mpiix.c linux-2.6.37/drivers/ata/pata_mpiix.c
21698 --- linux-2.6.37/drivers/ata/pata_mpiix.c 2011-01-04 19:50:19.000000000 -0500
21699 +++ linux-2.6.37/drivers/ata/pata_mpiix.c 2011-01-17 02:41:01.000000000 -0500
21700 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
21701 ATA_PIO_SHT(DRV_NAME),
21704 -static struct ata_port_operations mpiix_port_ops = {
21705 +static const struct ata_port_operations mpiix_port_ops = {
21706 .inherits = &ata_sff_port_ops,
21707 .qc_issue = mpiix_qc_issue,
21708 .cable_detect = ata_cable_40wire,
21709 diff -urNp linux-2.6.37/drivers/ata/pata_netcell.c linux-2.6.37/drivers/ata/pata_netcell.c
21710 --- linux-2.6.37/drivers/ata/pata_netcell.c 2011-01-04 19:50:19.000000000 -0500
21711 +++ linux-2.6.37/drivers/ata/pata_netcell.c 2011-01-17 02:41:01.000000000 -0500
21712 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
21713 ATA_BMDMA_SHT(DRV_NAME),
21716 -static struct ata_port_operations netcell_ops = {
21717 +static const struct ata_port_operations netcell_ops = {
21718 .inherits = &ata_bmdma_port_ops,
21719 .cable_detect = ata_cable_80wire,
21720 .read_id = netcell_read_id,
21721 diff -urNp linux-2.6.37/drivers/ata/pata_ninja32.c linux-2.6.37/drivers/ata/pata_ninja32.c
21722 --- linux-2.6.37/drivers/ata/pata_ninja32.c 2011-01-04 19:50:19.000000000 -0500
21723 +++ linux-2.6.37/drivers/ata/pata_ninja32.c 2011-01-17 02:41:01.000000000 -0500
21724 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
21725 ATA_BMDMA_SHT(DRV_NAME),
21728 -static struct ata_port_operations ninja32_port_ops = {
21729 +static const struct ata_port_operations ninja32_port_ops = {
21730 .inherits = &ata_bmdma_port_ops,
21731 .sff_dev_select = ninja32_dev_select,
21732 .cable_detect = ata_cable_40wire,
21733 diff -urNp linux-2.6.37/drivers/ata/pata_ns87410.c linux-2.6.37/drivers/ata/pata_ns87410.c
21734 --- linux-2.6.37/drivers/ata/pata_ns87410.c 2011-01-04 19:50:19.000000000 -0500
21735 +++ linux-2.6.37/drivers/ata/pata_ns87410.c 2011-01-17 02:41:01.000000000 -0500
21736 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
21737 ATA_PIO_SHT(DRV_NAME),
21740 -static struct ata_port_operations ns87410_port_ops = {
21741 +static const struct ata_port_operations ns87410_port_ops = {
21742 .inherits = &ata_sff_port_ops,
21743 .qc_issue = ns87410_qc_issue,
21744 .cable_detect = ata_cable_40wire,
21745 diff -urNp linux-2.6.37/drivers/ata/pata_ns87415.c linux-2.6.37/drivers/ata/pata_ns87415.c
21746 --- linux-2.6.37/drivers/ata/pata_ns87415.c 2011-01-04 19:50:19.000000000 -0500
21747 +++ linux-2.6.37/drivers/ata/pata_ns87415.c 2011-01-17 02:41:01.000000000 -0500
21748 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
21750 #endif /* 87560 SuperIO Support */
21752 -static struct ata_port_operations ns87415_pata_ops = {
21753 +static const struct ata_port_operations ns87415_pata_ops = {
21754 .inherits = &ata_bmdma_port_ops,
21756 .check_atapi_dma = ns87415_check_atapi_dma,
21757 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
21760 #if defined(CONFIG_SUPERIO)
21761 -static struct ata_port_operations ns87560_pata_ops = {
21762 +static const struct ata_port_operations ns87560_pata_ops = {
21763 .inherits = &ns87415_pata_ops,
21764 .sff_tf_read = ns87560_tf_read,
21765 .sff_check_status = ns87560_check_status,
21766 diff -urNp linux-2.6.37/drivers/ata/pata_octeon_cf.c linux-2.6.37/drivers/ata/pata_octeon_cf.c
21767 --- linux-2.6.37/drivers/ata/pata_octeon_cf.c 2011-01-04 19:50:19.000000000 -0500
21768 +++ linux-2.6.37/drivers/ata/pata_octeon_cf.c 2011-01-17 02:41:01.000000000 -0500
21769 @@ -780,6 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
21773 +/* cannot be const */
21774 static struct ata_port_operations octeon_cf_ops = {
21775 .inherits = &ata_sff_port_ops,
21776 .check_atapi_dma = octeon_cf_check_atapi_dma,
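Review bot: The added comment `/* cannot be const */` does not say why, so a later reader cannot tell whether the exception still holds. Presumably some code path assigns members of `octeon_cf_ops` at run time; that is not visible in this hunk and should be checked against the probe code. The comment should name the reason, for example `/* cannot be const: members are assigned at probe time */`. This leaves `octeon_cf_ops` as the one writable function-pointer table among the ATA drivers in this part of the patch, so it is worth recording as a known gap. The initializer continues outside the hunk.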
21777 diff -urNp linux-2.6.37/drivers/ata/pata_oldpiix.c linux-2.6.37/drivers/ata/pata_oldpiix.c
21778 --- linux-2.6.37/drivers/ata/pata_oldpiix.c 2011-01-04 19:50:19.000000000 -0500
21779 +++ linux-2.6.37/drivers/ata/pata_oldpiix.c 2011-01-17 02:41:01.000000000 -0500
21780 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
21781 ATA_BMDMA_SHT(DRV_NAME),
21784 -static struct ata_port_operations oldpiix_pata_ops = {
21785 +static const struct ata_port_operations oldpiix_pata_ops = {
21786 .inherits = &ata_bmdma_port_ops,
21787 .qc_issue = oldpiix_qc_issue,
21788 .cable_detect = ata_cable_40wire,
21789 diff -urNp linux-2.6.37/drivers/ata/pata_opti.c linux-2.6.37/drivers/ata/pata_opti.c
21790 --- linux-2.6.37/drivers/ata/pata_opti.c 2011-01-04 19:50:19.000000000 -0500
21791 +++ linux-2.6.37/drivers/ata/pata_opti.c 2011-01-17 02:41:01.000000000 -0500
21792 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
21793 ATA_PIO_SHT(DRV_NAME),
21796 -static struct ata_port_operations opti_port_ops = {
21797 +static const struct ata_port_operations opti_port_ops = {
21798 .inherits = &ata_sff_port_ops,
21799 .cable_detect = ata_cable_40wire,
21800 .set_piomode = opti_set_piomode,
21801 diff -urNp linux-2.6.37/drivers/ata/pata_optidma.c linux-2.6.37/drivers/ata/pata_optidma.c
21802 --- linux-2.6.37/drivers/ata/pata_optidma.c 2011-01-04 19:50:19.000000000 -0500
21803 +++ linux-2.6.37/drivers/ata/pata_optidma.c 2011-01-17 02:41:01.000000000 -0500
21804 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
21805 ATA_BMDMA_SHT(DRV_NAME),
21808 -static struct ata_port_operations optidma_port_ops = {
21809 +static const struct ata_port_operations optidma_port_ops = {
21810 .inherits = &ata_bmdma_port_ops,
21811 .cable_detect = ata_cable_40wire,
21812 .set_piomode = optidma_set_pio_mode,
21813 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
21814 .prereset = optidma_pre_reset,
21817 -static struct ata_port_operations optiplus_port_ops = {
21818 +static const struct ata_port_operations optiplus_port_ops = {
21819 .inherits = &optidma_port_ops,
21820 .set_piomode = optiplus_set_pio_mode,
21821 .set_dmamode = optiplus_set_dma_mode,
21822 diff -urNp linux-2.6.37/drivers/ata/pata_palmld.c linux-2.6.37/drivers/ata/pata_palmld.c
21823 --- linux-2.6.37/drivers/ata/pata_palmld.c 2011-01-04 19:50:19.000000000 -0500
21824 +++ linux-2.6.37/drivers/ata/pata_palmld.c 2011-01-17 02:41:01.000000000 -0500
21825 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
21826 ATA_PIO_SHT(DRV_NAME),
21829 -static struct ata_port_operations palmld_port_ops = {
21830 +static const struct ata_port_operations palmld_port_ops = {
21831 .inherits = &ata_sff_port_ops,
21832 .sff_data_xfer = ata_sff_data_xfer_noirq,
21833 .cable_detect = ata_cable_40wire,
21834 diff -urNp linux-2.6.37/drivers/ata/pata_pcmcia.c linux-2.6.37/drivers/ata/pata_pcmcia.c
21835 --- linux-2.6.37/drivers/ata/pata_pcmcia.c 2011-01-04 19:50:19.000000000 -0500
21836 +++ linux-2.6.37/drivers/ata/pata_pcmcia.c 2011-01-17 02:41:01.000000000 -0500
21837 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
21838 ATA_PIO_SHT(DRV_NAME),
21841 -static struct ata_port_operations pcmcia_port_ops = {
21842 +static const struct ata_port_operations pcmcia_port_ops = {
21843 .inherits = &ata_sff_port_ops,
21844 .sff_data_xfer = ata_sff_data_xfer_noirq,
21845 .cable_detect = ata_cable_40wire,
21846 .set_mode = pcmcia_set_mode,
21849 -static struct ata_port_operations pcmcia_8bit_port_ops = {
21850 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
21851 .inherits = &ata_sff_port_ops,
21852 .sff_data_xfer = ata_data_xfer_8bit,
21853 .cable_detect = ata_cable_40wire,
21854 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
21855 unsigned long io_base, ctl_base;
21856 void __iomem *io_addr, *ctl_addr;
21858 - struct ata_port_operations *ops = &pcmcia_port_ops;
21859 + const struct ata_port_operations *ops = &pcmcia_port_ops;
21861 /* Set up attributes in order to probe card and get resources */
21862 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
21863 diff -urNp linux-2.6.37/drivers/ata/pata_pdc2027x.c linux-2.6.37/drivers/ata/pata_pdc2027x.c
21864 --- linux-2.6.37/drivers/ata/pata_pdc2027x.c 2011-01-04 19:50:19.000000000 -0500
21865 +++ linux-2.6.37/drivers/ata/pata_pdc2027x.c 2011-01-17 02:41:01.000000000 -0500
21866 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
21867 ATA_BMDMA_SHT(DRV_NAME),
21870 -static struct ata_port_operations pdc2027x_pata100_ops = {
21871 +static const struct ata_port_operations pdc2027x_pata100_ops = {
21872 .inherits = &ata_bmdma_port_ops,
21873 .check_atapi_dma = pdc2027x_check_atapi_dma,
21874 .cable_detect = pdc2027x_cable_detect,
21875 .prereset = pdc2027x_prereset,
21878 -static struct ata_port_operations pdc2027x_pata133_ops = {
21879 +static const struct ata_port_operations pdc2027x_pata133_ops = {
21880 .inherits = &pdc2027x_pata100_ops,
21881 .mode_filter = pdc2027x_mode_filter,
21882 .set_piomode = pdc2027x_set_piomode,
21883 diff -urNp linux-2.6.37/drivers/ata/pata_pdc202xx_old.c linux-2.6.37/drivers/ata/pata_pdc202xx_old.c
21884 --- linux-2.6.37/drivers/ata/pata_pdc202xx_old.c 2011-01-04 19:50:19.000000000 -0500
21885 +++ linux-2.6.37/drivers/ata/pata_pdc202xx_old.c 2011-01-17 02:41:01.000000000 -0500
21886 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
21887 ATA_BMDMA_SHT(DRV_NAME),
21890 -static struct ata_port_operations pdc2024x_port_ops = {
21891 +static const struct ata_port_operations pdc2024x_port_ops = {
21892 .inherits = &ata_bmdma_port_ops,
21894 .cable_detect = ata_cable_40wire,
21895 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
21896 .sff_irq_check = pdc202xx_irq_check,
21899 -static struct ata_port_operations pdc2026x_port_ops = {
21900 +static const struct ata_port_operations pdc2026x_port_ops = {
21901 .inherits = &pdc2024x_port_ops,
21903 .check_atapi_dma = pdc2026x_check_atapi_dma,
21904 diff -urNp linux-2.6.37/drivers/ata/pata_piccolo.c linux-2.6.37/drivers/ata/pata_piccolo.c
21905 --- linux-2.6.37/drivers/ata/pata_piccolo.c 2011-01-04 19:50:19.000000000 -0500
21906 +++ linux-2.6.37/drivers/ata/pata_piccolo.c 2011-01-17 02:41:01.000000000 -0500
21907 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
21908 ATA_BMDMA_SHT(DRV_NAME),
21911 -static struct ata_port_operations tosh_port_ops = {
21912 +static const struct ata_port_operations tosh_port_ops = {
21913 .inherits = &ata_bmdma_port_ops,
21914 .cable_detect = ata_cable_unknown,
21915 .set_piomode = tosh_set_piomode,
21916 diff -urNp linux-2.6.37/drivers/ata/pata_platform.c linux-2.6.37/drivers/ata/pata_platform.c
21917 --- linux-2.6.37/drivers/ata/pata_platform.c 2011-01-04 19:50:19.000000000 -0500
21918 +++ linux-2.6.37/drivers/ata/pata_platform.c 2011-01-17 02:41:01.000000000 -0500
21919 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
21920 ATA_PIO_SHT(DRV_NAME),
21923 -static struct ata_port_operations pata_platform_port_ops = {
21924 +static const struct ata_port_operations pata_platform_port_ops = {
21925 .inherits = &ata_sff_port_ops,
21926 .sff_data_xfer = ata_sff_data_xfer_noirq,
21927 .cable_detect = ata_cable_unknown,
21928 diff -urNp linux-2.6.37/drivers/ata/pata_pxa.c linux-2.6.37/drivers/ata/pata_pxa.c
21929 --- linux-2.6.37/drivers/ata/pata_pxa.c 2011-01-04 19:50:19.000000000 -0500
21930 +++ linux-2.6.37/drivers/ata/pata_pxa.c 2011-01-17 02:41:01.000000000 -0500
21931 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
21932 ATA_BMDMA_SHT(DRV_NAME),
21935 -static struct ata_port_operations pxa_ata_port_ops = {
21936 +static const struct ata_port_operations pxa_ata_port_ops = {
21937 .inherits = &ata_bmdma_port_ops,
21938 .cable_detect = ata_cable_40wire,
21940 diff -urNp linux-2.6.37/drivers/ata/pata_qdi.c linux-2.6.37/drivers/ata/pata_qdi.c
21941 --- linux-2.6.37/drivers/ata/pata_qdi.c 2011-01-04 19:50:19.000000000 -0500
21942 +++ linux-2.6.37/drivers/ata/pata_qdi.c 2011-01-17 02:41:01.000000000 -0500
21943 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
21944 ATA_PIO_SHT(DRV_NAME),
21947 -static struct ata_port_operations qdi6500_port_ops = {
21948 +static const struct ata_port_operations qdi6500_port_ops = {
21949 .inherits = &ata_sff_port_ops,
21950 .qc_issue = qdi_qc_issue,
21951 .sff_data_xfer = qdi_data_xfer,
21952 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
21953 .set_piomode = qdi6500_set_piomode,
21956 -static struct ata_port_operations qdi6580_port_ops = {
21957 +static const struct ata_port_operations qdi6580_port_ops = {
21958 .inherits = &qdi6500_port_ops,
21959 .set_piomode = qdi6580_set_piomode,
21961 diff -urNp linux-2.6.37/drivers/ata/pata_radisys.c linux-2.6.37/drivers/ata/pata_radisys.c
21962 --- linux-2.6.37/drivers/ata/pata_radisys.c 2011-01-04 19:50:19.000000000 -0500
21963 +++ linux-2.6.37/drivers/ata/pata_radisys.c 2011-01-17 02:41:01.000000000 -0500
21964 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
21965 ATA_BMDMA_SHT(DRV_NAME),
21968 -static struct ata_port_operations radisys_pata_ops = {
21969 +static const struct ata_port_operations radisys_pata_ops = {
21970 .inherits = &ata_bmdma_port_ops,
21971 .qc_issue = radisys_qc_issue,
21972 .cable_detect = ata_cable_unknown,
21973 diff -urNp linux-2.6.37/drivers/ata/pata_rb532_cf.c linux-2.6.37/drivers/ata/pata_rb532_cf.c
21974 --- linux-2.6.37/drivers/ata/pata_rb532_cf.c 2011-01-04 19:50:19.000000000 -0500
21975 +++ linux-2.6.37/drivers/ata/pata_rb532_cf.c 2011-01-17 02:41:01.000000000 -0500
21976 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
21977 return IRQ_HANDLED;
21980 -static struct ata_port_operations rb532_pata_port_ops = {
21981 +static const struct ata_port_operations rb532_pata_port_ops = {
21982 .inherits = &ata_sff_port_ops,
21983 .sff_data_xfer = ata_sff_data_xfer32,
21985 diff -urNp linux-2.6.37/drivers/ata/pata_rdc.c linux-2.6.37/drivers/ata/pata_rdc.c
21986 --- linux-2.6.37/drivers/ata/pata_rdc.c 2011-01-04 19:50:19.000000000 -0500
21987 +++ linux-2.6.37/drivers/ata/pata_rdc.c 2011-01-17 02:41:01.000000000 -0500
21988 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
21989 pci_write_config_byte(dev, 0x48, udma_enable);
21992 -static struct ata_port_operations rdc_pata_ops = {
21993 +static const struct ata_port_operations rdc_pata_ops = {
21994 .inherits = &ata_bmdma32_port_ops,
21995 .cable_detect = rdc_pata_cable_detect,
21996 .set_piomode = rdc_set_piomode,
21997 diff -urNp linux-2.6.37/drivers/ata/pata_rz1000.c linux-2.6.37/drivers/ata/pata_rz1000.c
21998 --- linux-2.6.37/drivers/ata/pata_rz1000.c 2011-01-04 19:50:19.000000000 -0500
21999 +++ linux-2.6.37/drivers/ata/pata_rz1000.c 2011-01-17 02:41:01.000000000 -0500
22000 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
22001 ATA_PIO_SHT(DRV_NAME),
22004 -static struct ata_port_operations rz1000_port_ops = {
22005 +static const struct ata_port_operations rz1000_port_ops = {
22006 .inherits = &ata_sff_port_ops,
22007 .cable_detect = ata_cable_40wire,
22008 .set_mode = rz1000_set_mode,
22009 diff -urNp linux-2.6.37/drivers/ata/pata_samsung_cf.c linux-2.6.37/drivers/ata/pata_samsung_cf.c
22010 --- linux-2.6.37/drivers/ata/pata_samsung_cf.c 2011-01-04 19:50:19.000000000 -0500
22011 +++ linux-2.6.37/drivers/ata/pata_samsung_cf.c 2011-01-17 02:41:01.000000000 -0500
22012 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
22013 ATA_PIO_SHT(DRV_NAME),
22016 -static struct ata_port_operations pata_s3c_port_ops = {
22017 +static const struct ata_port_operations pata_s3c_port_ops = {
22018 .inherits = &ata_sff_port_ops,
22019 .sff_check_status = pata_s3c_check_status,
22020 .sff_check_altstatus = pata_s3c_check_altstatus,
22021 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
22022 .set_piomode = pata_s3c_set_piomode,
22025 -static struct ata_port_operations pata_s5p_port_ops = {
22026 +static const struct ata_port_operations pata_s5p_port_ops = {
22027 .inherits = &ata_sff_port_ops,
22028 .set_piomode = pata_s3c_set_piomode,
22030 diff -urNp linux-2.6.37/drivers/ata/pata_sc1200.c linux-2.6.37/drivers/ata/pata_sc1200.c
22031 --- linux-2.6.37/drivers/ata/pata_sc1200.c 2011-01-04 19:50:19.000000000 -0500
22032 +++ linux-2.6.37/drivers/ata/pata_sc1200.c 2011-01-17 02:41:01.000000000 -0500
22033 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
22034 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22037 -static struct ata_port_operations sc1200_port_ops = {
22038 +static const struct ata_port_operations sc1200_port_ops = {
22039 .inherits = &ata_bmdma_port_ops,
22040 .qc_prep = ata_bmdma_dumb_qc_prep,
22041 .qc_issue = sc1200_qc_issue,
22042 diff -urNp linux-2.6.37/drivers/ata/pata_scc.c linux-2.6.37/drivers/ata/pata_scc.c
22043 --- linux-2.6.37/drivers/ata/pata_scc.c 2011-01-04 19:50:19.000000000 -0500
22044 +++ linux-2.6.37/drivers/ata/pata_scc.c 2011-01-17 02:41:01.000000000 -0500
22045 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
22046 ATA_BMDMA_SHT(DRV_NAME),
22049 -static struct ata_port_operations scc_pata_ops = {
22050 +static const struct ata_port_operations scc_pata_ops = {
22051 .inherits = &ata_bmdma_port_ops,
22053 .set_piomode = scc_set_piomode,
22054 diff -urNp linux-2.6.37/drivers/ata/pata_sch.c linux-2.6.37/drivers/ata/pata_sch.c
22055 --- linux-2.6.37/drivers/ata/pata_sch.c 2011-01-04 19:50:19.000000000 -0500
22056 +++ linux-2.6.37/drivers/ata/pata_sch.c 2011-01-17 02:41:01.000000000 -0500
22057 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
22058 ATA_BMDMA_SHT(DRV_NAME),
22061 -static struct ata_port_operations sch_pata_ops = {
22062 +static const struct ata_port_operations sch_pata_ops = {
22063 .inherits = &ata_bmdma_port_ops,
22064 .cable_detect = ata_cable_unknown,
22065 .set_piomode = sch_set_piomode,
22066 diff -urNp linux-2.6.37/drivers/ata/pata_serverworks.c linux-2.6.37/drivers/ata/pata_serverworks.c
22067 --- linux-2.6.37/drivers/ata/pata_serverworks.c 2011-01-04 19:50:19.000000000 -0500
22068 +++ linux-2.6.37/drivers/ata/pata_serverworks.c 2011-01-17 02:41:01.000000000 -0500
22069 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
22070 ATA_BMDMA_SHT(DRV_NAME),
22073 -static struct ata_port_operations serverworks_osb4_port_ops = {
22074 +static const struct ata_port_operations serverworks_osb4_port_ops = {
22075 .inherits = &ata_bmdma_port_ops,
22076 .cable_detect = serverworks_cable_detect,
22077 .mode_filter = serverworks_osb4_filter,
22078 @@ -308,7 +308,7 @@ static struct ata_port_operations server
22079 .set_dmamode = serverworks_set_dmamode,
22082 -static struct ata_port_operations serverworks_csb_port_ops = {
22083 +static const struct ata_port_operations serverworks_csb_port_ops = {
22084 .inherits = &serverworks_osb4_port_ops,
22085 .mode_filter = serverworks_csb_filter,
22087 diff -urNp linux-2.6.37/drivers/ata/pata_sil680.c linux-2.6.37/drivers/ata/pata_sil680.c
22088 --- linux-2.6.37/drivers/ata/pata_sil680.c 2011-01-04 19:50:19.000000000 -0500
22089 +++ linux-2.6.37/drivers/ata/pata_sil680.c 2011-01-17 02:41:01.000000000 -0500
22090 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
22091 ATA_BMDMA_SHT(DRV_NAME),
22095 -static struct ata_port_operations sil680_port_ops = {
22096 +static const struct ata_port_operations sil680_port_ops = {
22097 .inherits = &ata_bmdma32_port_ops,
22098 .sff_exec_command = sil680_sff_exec_command,
22099 .sff_irq_check = sil680_sff_irq_check,
22100 diff -urNp linux-2.6.37/drivers/ata/pata_sis.c linux-2.6.37/drivers/ata/pata_sis.c
22101 --- linux-2.6.37/drivers/ata/pata_sis.c 2011-01-04 19:50:19.000000000 -0500
22102 +++ linux-2.6.37/drivers/ata/pata_sis.c 2011-01-17 02:41:01.000000000 -0500
22103 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22104 ATA_BMDMA_SHT(DRV_NAME),
22107 -static struct ata_port_operations sis_133_for_sata_ops = {
22108 +static const struct ata_port_operations sis_133_for_sata_ops = {
22109 .inherits = &ata_bmdma_port_ops,
22110 .set_piomode = sis_133_set_piomode,
22111 .set_dmamode = sis_133_set_dmamode,
22112 .cable_detect = sis_133_cable_detect,
22115 -static struct ata_port_operations sis_base_ops = {
22116 +static const struct ata_port_operations sis_base_ops = {
22117 .inherits = &ata_bmdma_port_ops,
22118 .prereset = sis_pre_reset,
22121 -static struct ata_port_operations sis_133_ops = {
22122 +static const struct ata_port_operations sis_133_ops = {
22123 .inherits = &sis_base_ops,
22124 .set_piomode = sis_133_set_piomode,
22125 .set_dmamode = sis_133_set_dmamode,
22126 .cable_detect = sis_133_cable_detect,
22129 -static struct ata_port_operations sis_133_early_ops = {
22130 +static const struct ata_port_operations sis_133_early_ops = {
22131 .inherits = &sis_base_ops,
22132 .set_piomode = sis_100_set_piomode,
22133 .set_dmamode = sis_133_early_set_dmamode,
22134 .cable_detect = sis_66_cable_detect,
22137 -static struct ata_port_operations sis_100_ops = {
22138 +static const struct ata_port_operations sis_100_ops = {
22139 .inherits = &sis_base_ops,
22140 .set_piomode = sis_100_set_piomode,
22141 .set_dmamode = sis_100_set_dmamode,
22142 .cable_detect = sis_66_cable_detect,
22145 -static struct ata_port_operations sis_66_ops = {
22146 +static const struct ata_port_operations sis_66_ops = {
22147 .inherits = &sis_base_ops,
22148 .set_piomode = sis_old_set_piomode,
22149 .set_dmamode = sis_66_set_dmamode,
22150 .cable_detect = sis_66_cable_detect,
22153 -static struct ata_port_operations sis_old_ops = {
22154 +static const struct ata_port_operations sis_old_ops = {
22155 .inherits = &sis_base_ops,
22156 .set_piomode = sis_old_set_piomode,
22157 .set_dmamode = sis_old_set_dmamode,
22158 diff -urNp linux-2.6.37/drivers/ata/pata_sl82c105.c linux-2.6.37/drivers/ata/pata_sl82c105.c
22159 --- linux-2.6.37/drivers/ata/pata_sl82c105.c 2011-01-04 19:50:19.000000000 -0500
22160 +++ linux-2.6.37/drivers/ata/pata_sl82c105.c 2011-01-17 02:41:01.000000000 -0500
22161 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
22162 ATA_BMDMA_SHT(DRV_NAME),
22165 -static struct ata_port_operations sl82c105_port_ops = {
22166 +static const struct ata_port_operations sl82c105_port_ops = {
22167 .inherits = &ata_bmdma_port_ops,
22168 .qc_defer = sl82c105_qc_defer,
22169 .bmdma_start = sl82c105_bmdma_start,
22170 diff -urNp linux-2.6.37/drivers/ata/pata_triflex.c linux-2.6.37/drivers/ata/pata_triflex.c
22171 --- linux-2.6.37/drivers/ata/pata_triflex.c 2011-01-04 19:50:19.000000000 -0500
22172 +++ linux-2.6.37/drivers/ata/pata_triflex.c 2011-01-17 02:41:01.000000000 -0500
22173 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22174 ATA_BMDMA_SHT(DRV_NAME),
22177 -static struct ata_port_operations triflex_port_ops = {
22178 +static const struct ata_port_operations triflex_port_ops = {
22179 .inherits = &ata_bmdma_port_ops,
22180 .bmdma_start = triflex_bmdma_start,
22181 .bmdma_stop = triflex_bmdma_stop,
22182 diff -urNp linux-2.6.37/drivers/ata/pata_via.c linux-2.6.37/drivers/ata/pata_via.c
22183 --- linux-2.6.37/drivers/ata/pata_via.c 2011-01-04 19:50:19.000000000 -0500
22184 +++ linux-2.6.37/drivers/ata/pata_via.c 2011-01-17 02:41:01.000000000 -0500
22185 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
22186 ATA_BMDMA_SHT(DRV_NAME),
22189 -static struct ata_port_operations via_port_ops = {
22190 +static const struct ata_port_operations via_port_ops = {
22191 .inherits = &ata_bmdma_port_ops,
22192 .cable_detect = via_cable_detect,
22193 .set_piomode = via_set_piomode,
22194 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
22195 .mode_filter = via_mode_filter,
22198 -static struct ata_port_operations via_port_ops_noirq = {
22199 +static const struct ata_port_operations via_port_ops_noirq = {
22200 .inherits = &via_port_ops,
22201 .sff_data_xfer = ata_sff_data_xfer_noirq,
22203 diff -urNp linux-2.6.37/drivers/ata/pdc_adma.c linux-2.6.37/drivers/ata/pdc_adma.c
22204 --- linux-2.6.37/drivers/ata/pdc_adma.c 2011-01-04 19:50:19.000000000 -0500
22205 +++ linux-2.6.37/drivers/ata/pdc_adma.c 2011-01-17 02:41:01.000000000 -0500
22206 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22207 .dma_boundary = ADMA_DMA_BOUNDARY,
22210 -static struct ata_port_operations adma_ata_ops = {
22211 +static const struct ata_port_operations adma_ata_ops = {
22212 .inherits = &ata_sff_port_ops,
22214 .lost_interrupt = ATA_OP_NULL,
22215 diff -urNp linux-2.6.37/drivers/ata/sata_dwc_460ex.c linux-2.6.37/drivers/ata/sata_dwc_460ex.c
22216 --- linux-2.6.37/drivers/ata/sata_dwc_460ex.c 2011-01-04 19:50:19.000000000 -0500
22217 +++ linux-2.6.37/drivers/ata/sata_dwc_460ex.c 2011-01-17 02:41:01.000000000 -0500
22218 @@ -1560,7 +1560,7 @@ static struct scsi_host_template sata_dw
22219 .dma_boundary = ATA_DMA_BOUNDARY,
22222 -static struct ata_port_operations sata_dwc_ops = {
22223 +static const struct ata_port_operations sata_dwc_ops = {
22224 .inherits = &ata_sff_port_ops,
22226 .error_handler = sata_dwc_error_handler,
22227 diff -urNp linux-2.6.37/drivers/ata/sata_fsl.c linux-2.6.37/drivers/ata/sata_fsl.c
22228 --- linux-2.6.37/drivers/ata/sata_fsl.c 2011-01-04 19:50:19.000000000 -0500
22229 +++ linux-2.6.37/drivers/ata/sata_fsl.c 2011-01-17 02:41:01.000000000 -0500
22230 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
22231 .dma_boundary = ATA_DMA_BOUNDARY,
22234 -static struct ata_port_operations sata_fsl_ops = {
22235 +static const struct ata_port_operations sata_fsl_ops = {
22236 .inherits = &sata_pmp_port_ops,
22238 .qc_defer = ata_std_qc_defer,
22239 diff -urNp linux-2.6.37/drivers/ata/sata_inic162x.c linux-2.6.37/drivers/ata/sata_inic162x.c
22240 --- linux-2.6.37/drivers/ata/sata_inic162x.c 2011-01-04 19:50:19.000000000 -0500
22241 +++ linux-2.6.37/drivers/ata/sata_inic162x.c 2011-01-17 02:41:01.000000000 -0500
22242 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22246 -static struct ata_port_operations inic_port_ops = {
22247 +static const struct ata_port_operations inic_port_ops = {
22248 .inherits = &sata_port_ops,
22250 .check_atapi_dma = inic_check_atapi_dma,
22251 diff -urNp linux-2.6.37/drivers/ata/sata_mv.c linux-2.6.37/drivers/ata/sata_mv.c
22252 --- linux-2.6.37/drivers/ata/sata_mv.c 2011-01-04 19:50:19.000000000 -0500
22253 +++ linux-2.6.37/drivers/ata/sata_mv.c 2011-01-17 02:41:01.000000000 -0500
22254 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22255 .dma_boundary = MV_DMA_BOUNDARY,
22258 -static struct ata_port_operations mv5_ops = {
22259 +static const struct ata_port_operations mv5_ops = {
22260 .inherits = &ata_sff_port_ops,
22262 .lost_interrupt = ATA_OP_NULL,
22263 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22264 .port_stop = mv_port_stop,
22267 -static struct ata_port_operations mv6_ops = {
22268 +static const struct ata_port_operations mv6_ops = {
22269 .inherits = &ata_bmdma_port_ops,
22271 .lost_interrupt = ATA_OP_NULL,
22272 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22273 .port_stop = mv_port_stop,
22276 -static struct ata_port_operations mv_iie_ops = {
22277 +static const struct ata_port_operations mv_iie_ops = {
22278 .inherits = &mv6_ops,
22279 .dev_config = ATA_OP_NULL,
22280 .qc_prep = mv_qc_prep_iie,
22281 diff -urNp linux-2.6.37/drivers/ata/sata_nv.c linux-2.6.37/drivers/ata/sata_nv.c
22282 --- linux-2.6.37/drivers/ata/sata_nv.c 2011-01-04 19:50:19.000000000 -0500
22283 +++ linux-2.6.37/drivers/ata/sata_nv.c 2011-01-17 02:41:01.000000000 -0500
22284 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22285 * cases. Define nv_hardreset() which only kicks in for post-boot
22286 * probing and use it for all variants.
22288 -static struct ata_port_operations nv_generic_ops = {
22289 +static const struct ata_port_operations nv_generic_ops = {
22290 .inherits = &ata_bmdma_port_ops,
22291 .lost_interrupt = ATA_OP_NULL,
22292 .scr_read = nv_scr_read,
22293 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22294 .hardreset = nv_hardreset,
22297 -static struct ata_port_operations nv_nf2_ops = {
22298 +static const struct ata_port_operations nv_nf2_ops = {
22299 .inherits = &nv_generic_ops,
22300 .freeze = nv_nf2_freeze,
22301 .thaw = nv_nf2_thaw,
22304 -static struct ata_port_operations nv_ck804_ops = {
22305 +static const struct ata_port_operations nv_ck804_ops = {
22306 .inherits = &nv_generic_ops,
22307 .freeze = nv_ck804_freeze,
22308 .thaw = nv_ck804_thaw,
22309 .host_stop = nv_ck804_host_stop,
22312 -static struct ata_port_operations nv_adma_ops = {
22313 +static const struct ata_port_operations nv_adma_ops = {
22314 .inherits = &nv_ck804_ops,
22316 .check_atapi_dma = nv_adma_check_atapi_dma,
22317 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22318 .host_stop = nv_adma_host_stop,
22321 -static struct ata_port_operations nv_swncq_ops = {
22322 +static const struct ata_port_operations nv_swncq_ops = {
22323 .inherits = &nv_generic_ops,
22325 .qc_defer = ata_std_qc_defer,
22326 diff -urNp linux-2.6.37/drivers/ata/sata_promise.c linux-2.6.37/drivers/ata/sata_promise.c
22327 --- linux-2.6.37/drivers/ata/sata_promise.c 2011-01-04 19:50:19.000000000 -0500
22328 +++ linux-2.6.37/drivers/ata/sata_promise.c 2011-01-17 02:41:01.000000000 -0500
22329 @@ -196,7 +196,7 @@ static const struct ata_port_operations
22330 .error_handler = pdc_error_handler,
22333 -static struct ata_port_operations pdc_sata_ops = {
22334 +static const struct ata_port_operations pdc_sata_ops = {
22335 .inherits = &pdc_common_ops,
22336 .cable_detect = pdc_sata_cable_detect,
22337 .freeze = pdc_sata_freeze,
22338 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22340 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22341 and ->freeze/thaw that ignore the hotplug controls. */
22342 -static struct ata_port_operations pdc_old_sata_ops = {
22343 +static const struct ata_port_operations pdc_old_sata_ops = {
22344 .inherits = &pdc_sata_ops,
22345 .freeze = pdc_freeze,
22347 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22350 -static struct ata_port_operations pdc_pata_ops = {
22351 +static const struct ata_port_operations pdc_pata_ops = {
22352 .inherits = &pdc_common_ops,
22353 .cable_detect = pdc_pata_cable_detect,
22354 .freeze = pdc_freeze,
22355 diff -urNp linux-2.6.37/drivers/ata/sata_qstor.c linux-2.6.37/drivers/ata/sata_qstor.c
22356 --- linux-2.6.37/drivers/ata/sata_qstor.c 2011-01-04 19:50:19.000000000 -0500
22357 +++ linux-2.6.37/drivers/ata/sata_qstor.c 2011-01-17 02:41:01.000000000 -0500
22358 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22359 .dma_boundary = QS_DMA_BOUNDARY,
22362 -static struct ata_port_operations qs_ata_ops = {
22363 +static const struct ata_port_operations qs_ata_ops = {
22364 .inherits = &ata_sff_port_ops,
22366 .check_atapi_dma = qs_check_atapi_dma,
22367 diff -urNp linux-2.6.37/drivers/ata/sata_sil24.c linux-2.6.37/drivers/ata/sata_sil24.c
22368 --- linux-2.6.37/drivers/ata/sata_sil24.c 2011-01-04 19:50:19.000000000 -0500
22369 +++ linux-2.6.37/drivers/ata/sata_sil24.c 2011-01-17 02:41:01.000000000 -0500
22370 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22371 .dma_boundary = ATA_DMA_BOUNDARY,
22374 -static struct ata_port_operations sil24_ops = {
22375 +static const struct ata_port_operations sil24_ops = {
22376 .inherits = &sata_pmp_port_ops,
22378 .qc_defer = sil24_qc_defer,
22379 diff -urNp linux-2.6.37/drivers/ata/sata_sil.c linux-2.6.37/drivers/ata/sata_sil.c
22380 --- linux-2.6.37/drivers/ata/sata_sil.c 2011-01-04 19:50:19.000000000 -0500
22381 +++ linux-2.6.37/drivers/ata/sata_sil.c 2011-01-17 02:41:01.000000000 -0500
22382 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22383 .sg_tablesize = ATA_MAX_PRD
22386 -static struct ata_port_operations sil_ops = {
22387 +static const struct ata_port_operations sil_ops = {
22388 .inherits = &ata_bmdma32_port_ops,
22389 .dev_config = sil_dev_config,
22390 .set_mode = sil_set_mode,
22391 diff -urNp linux-2.6.37/drivers/ata/sata_sis.c linux-2.6.37/drivers/ata/sata_sis.c
22392 --- linux-2.6.37/drivers/ata/sata_sis.c 2011-01-04 19:50:19.000000000 -0500
22393 +++ linux-2.6.37/drivers/ata/sata_sis.c 2011-01-17 02:41:01.000000000 -0500
22394 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22395 ATA_BMDMA_SHT(DRV_NAME),
22398 -static struct ata_port_operations sis_ops = {
22399 +static const struct ata_port_operations sis_ops = {
22400 .inherits = &ata_bmdma_port_ops,
22401 .scr_read = sis_scr_read,
22402 .scr_write = sis_scr_write,
22403 diff -urNp linux-2.6.37/drivers/ata/sata_svw.c linux-2.6.37/drivers/ata/sata_svw.c
22404 --- linux-2.6.37/drivers/ata/sata_svw.c 2011-01-04 19:50:19.000000000 -0500
22405 +++ linux-2.6.37/drivers/ata/sata_svw.c 2011-01-17 02:41:01.000000000 -0500
22406 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22410 -static struct ata_port_operations k2_sata_ops = {
22411 +static const struct ata_port_operations k2_sata_ops = {
22412 .inherits = &ata_bmdma_port_ops,
22413 .sff_tf_load = k2_sata_tf_load,
22414 .sff_tf_read = k2_sata_tf_read,
22415 diff -urNp linux-2.6.37/drivers/ata/sata_sx4.c linux-2.6.37/drivers/ata/sata_sx4.c
22416 --- linux-2.6.37/drivers/ata/sata_sx4.c 2011-01-04 19:50:19.000000000 -0500
22417 +++ linux-2.6.37/drivers/ata/sata_sx4.c 2011-01-17 02:41:01.000000000 -0500
22418 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
22421 /* TODO: inherit from base port_ops after converting to new EH */
22422 -static struct ata_port_operations pdc_20621_ops = {
22423 +static const struct ata_port_operations pdc_20621_ops = {
22424 .inherits = &ata_sff_port_ops,
22426 .check_atapi_dma = pdc_check_atapi_dma,
22427 diff -urNp linux-2.6.37/drivers/ata/sata_uli.c linux-2.6.37/drivers/ata/sata_uli.c
22428 --- linux-2.6.37/drivers/ata/sata_uli.c 2011-01-04 19:50:19.000000000 -0500
22429 +++ linux-2.6.37/drivers/ata/sata_uli.c 2011-01-17 02:41:01.000000000 -0500
22430 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
22431 ATA_BMDMA_SHT(DRV_NAME),
22434 -static struct ata_port_operations uli_ops = {
22435 +static const struct ata_port_operations uli_ops = {
22436 .inherits = &ata_bmdma_port_ops,
22437 .scr_read = uli_scr_read,
22438 .scr_write = uli_scr_write,
22439 diff -urNp linux-2.6.37/drivers/ata/sata_via.c linux-2.6.37/drivers/ata/sata_via.c
22440 --- linux-2.6.37/drivers/ata/sata_via.c 2011-01-04 19:50:19.000000000 -0500
22441 +++ linux-2.6.37/drivers/ata/sata_via.c 2011-01-17 02:41:01.000000000 -0500
22442 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
22443 ATA_BMDMA_SHT(DRV_NAME),
22446 -static struct ata_port_operations svia_base_ops = {
22447 +static const struct ata_port_operations svia_base_ops = {
22448 .inherits = &ata_bmdma_port_ops,
22449 .sff_tf_load = svia_tf_load,
22452 -static struct ata_port_operations vt6420_sata_ops = {
22453 +static const struct ata_port_operations vt6420_sata_ops = {
22454 .inherits = &svia_base_ops,
22455 .freeze = svia_noop_freeze,
22456 .prereset = vt6420_prereset,
22457 .bmdma_start = vt6420_bmdma_start,
22460 -static struct ata_port_operations vt6421_pata_ops = {
22461 +static const struct ata_port_operations vt6421_pata_ops = {
22462 .inherits = &svia_base_ops,
22463 .cable_detect = vt6421_pata_cable_detect,
22464 .set_piomode = vt6421_set_pio_mode,
22465 .set_dmamode = vt6421_set_dma_mode,
22468 -static struct ata_port_operations vt6421_sata_ops = {
22469 +static const struct ata_port_operations vt6421_sata_ops = {
22470 .inherits = &svia_base_ops,
22471 .scr_read = svia_scr_read,
22472 .scr_write = svia_scr_write,
22475 -static struct ata_port_operations vt8251_ops = {
22476 +static const struct ata_port_operations vt8251_ops = {
22477 .inherits = &svia_base_ops,
22478 .hardreset = sata_std_hardreset,
22479 .scr_read = vt8251_scr_read,
22480 diff -urNp linux-2.6.37/drivers/ata/sata_vsc.c linux-2.6.37/drivers/ata/sata_vsc.c
22481 --- linux-2.6.37/drivers/ata/sata_vsc.c 2011-01-04 19:50:19.000000000 -0500
22482 +++ linux-2.6.37/drivers/ata/sata_vsc.c 2011-01-17 02:41:01.000000000 -0500
22483 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
22487 -static struct ata_port_operations vsc_sata_ops = {
22488 +static const struct ata_port_operations vsc_sata_ops = {
22489 .inherits = &ata_bmdma_port_ops,
22490 /* The IRQ handling is not quite standard SFF behaviour so we
22491 cannot use the default lost interrupt handler */
22492 diff -urNp linux-2.6.37/drivers/atm/adummy.c linux-2.6.37/drivers/atm/adummy.c
22493 --- linux-2.6.37/drivers/atm/adummy.c 2011-01-04 19:50:19.000000000 -0500
22494 +++ linux-2.6.37/drivers/atm/adummy.c 2011-01-17 02:41:01.000000000 -0500
22495 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
22496 vcc->pop(vcc, skb);
22498 dev_kfree_skb_any(skb);
22499 - atomic_inc(&vcc->stats->tx);
22500 + atomic_inc_unchecked(&vcc->stats->tx);
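Review bot: Nothing at the `atomic_inc_unchecked(&vcc->stats->tx)` call in adummy_send says why this counter is exempt from overflow checking, and the exemption is only safe while the field is a pure statistic. In the visible hunks `tx`, `rx`, `tx_err`, `rx_err` and `rx_drop` are only bumped for accounting, so wraparound looks harmless, but the declaration of the stats structure is outside this hunk and its field type presumably has to change to the unchecked atomic type for these calls to type-check. I would document the rationale once at that declaration, e.g. `/* statistics only, never used for object lifetime or limits: may wrap */`, rather than at each call site. The same conversion repeats in the ambassador, atmtcp, eni, firestream, fore200e, he, horizon and idt77252 hunks below. adummy_send's body continues outside the hunk.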
22504 diff -urNp linux-2.6.37/drivers/atm/ambassador.c linux-2.6.37/drivers/atm/ambassador.c
22505 --- linux-2.6.37/drivers/atm/ambassador.c 2011-01-04 19:50:19.000000000 -0500
22506 +++ linux-2.6.37/drivers/atm/ambassador.c 2011-01-17 02:41:01.000000000 -0500
22507 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
22508 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22511 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22512 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22514 // free the descriptor
22516 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
22517 dump_skb ("<<<", vc, skb);
22520 - atomic_inc(&atm_vcc->stats->rx);
22521 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22522 __net_timestamp(skb);
22523 // end of our responsability
22524 atm_vcc->push (atm_vcc, skb);
22525 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
22527 PRINTK (KERN_INFO, "dropped over-size frame");
22528 // should we count this?
22529 - atomic_inc(&atm_vcc->stats->rx_drop);
22530 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22534 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
22537 if (check_area (skb->data, skb->len)) {
22538 - atomic_inc(&atm_vcc->stats->tx_err);
22539 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22540 return -ENOMEM; // ?
22543 diff -urNp linux-2.6.37/drivers/atm/atmtcp.c linux-2.6.37/drivers/atm/atmtcp.c
22544 --- linux-2.6.37/drivers/atm/atmtcp.c 2011-01-04 19:50:19.000000000 -0500
22545 +++ linux-2.6.37/drivers/atm/atmtcp.c 2011-01-17 02:41:01.000000000 -0500
22546 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
22547 if (vcc->pop) vcc->pop(vcc,skb);
22548 else dev_kfree_skb(skb);
22549 if (dev_data) return 0;
22550 - atomic_inc(&vcc->stats->tx_err);
22551 + atomic_inc_unchecked(&vcc->stats->tx_err);
22554 size = skb->len+sizeof(struct atmtcp_hdr);
22555 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
22557 if (vcc->pop) vcc->pop(vcc,skb);
22558 else dev_kfree_skb(skb);
22559 - atomic_inc(&vcc->stats->tx_err);
22560 + atomic_inc_unchecked(&vcc->stats->tx_err);
22563 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
22564 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
22565 if (vcc->pop) vcc->pop(vcc,skb);
22566 else dev_kfree_skb(skb);
22567 out_vcc->push(out_vcc,new_skb);
22568 - atomic_inc(&vcc->stats->tx);
22569 - atomic_inc(&out_vcc->stats->rx);
22570 + atomic_inc_unchecked(&vcc->stats->tx);
22571 + atomic_inc_unchecked(&out_vcc->stats->rx);
22575 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
22576 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22577 read_unlock(&vcc_sklist_lock);
22579 - atomic_inc(&vcc->stats->tx_err);
22580 + atomic_inc_unchecked(&vcc->stats->tx_err);
22583 skb_pull(skb,sizeof(struct atmtcp_hdr));
22584 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
22585 __net_timestamp(new_skb);
22586 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22587 out_vcc->push(out_vcc,new_skb);
22588 - atomic_inc(&vcc->stats->tx);
22589 - atomic_inc(&out_vcc->stats->rx);
22590 + atomic_inc_unchecked(&vcc->stats->tx);
22591 + atomic_inc_unchecked(&out_vcc->stats->rx);
22593 if (vcc->pop) vcc->pop(vcc,skb);
22594 else dev_kfree_skb(skb);
22595 diff -urNp linux-2.6.37/drivers/atm/eni.c linux-2.6.37/drivers/atm/eni.c
22596 --- linux-2.6.37/drivers/atm/eni.c 2011-01-04 19:50:19.000000000 -0500
22597 +++ linux-2.6.37/drivers/atm/eni.c 2011-01-17 02:41:01.000000000 -0500
22598 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
22599 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22602 - atomic_inc(&vcc->stats->rx_err);
22603 + atomic_inc_unchecked(&vcc->stats->rx_err);
22606 length = ATM_CELL_SIZE-1; /* no HEC */
22607 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22611 - atomic_inc(&vcc->stats->rx_err);
22612 + atomic_inc_unchecked(&vcc->stats->rx_err);
22615 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
22616 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22617 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22618 vcc->dev->number,vcc->vci,length,size << 2,descr);
22620 - atomic_inc(&vcc->stats->rx_err);
22621 + atomic_inc_unchecked(&vcc->stats->rx_err);
22624 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
22625 @@ -771,7 +771,7 @@ rx_dequeued++;
22626 vcc->push(vcc,skb);
22629 - atomic_inc(&vcc->stats->rx);
22630 + atomic_inc_unchecked(&vcc->stats->rx);
22632 wake_up(&eni_dev->rx_wait);
22634 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
22636 if (vcc->pop) vcc->pop(vcc,skb);
22637 else dev_kfree_skb_irq(skb);
22638 - atomic_inc(&vcc->stats->tx);
22639 + atomic_inc_unchecked(&vcc->stats->tx);
22640 wake_up(&eni_dev->tx_wait);
22643 diff -urNp linux-2.6.37/drivers/atm/firestream.c linux-2.6.37/drivers/atm/firestream.c
22644 --- linux-2.6.37/drivers/atm/firestream.c 2011-01-04 19:50:19.000000000 -0500
22645 +++ linux-2.6.37/drivers/atm/firestream.c 2011-01-17 02:41:01.000000000 -0500
22646 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
22650 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22651 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22653 fs_dprintk (FS_DEBUG_TXMEM, "i");
22654 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
22655 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
22657 skb_put (skb, qe->p1 & 0xffff);
22658 ATM_SKB(skb)->vcc = atm_vcc;
22659 - atomic_inc(&atm_vcc->stats->rx);
22660 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22661 __net_timestamp(skb);
22662 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
22663 atm_vcc->push (atm_vcc, skb);
22664 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
22668 - atomic_inc(&atm_vcc->stats->rx_drop);
22669 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22671 case 0x1f: /* Reassembly abort: no buffers. */
22672 /* Silently increment error counter. */
22674 - atomic_inc(&atm_vcc->stats->rx_drop);
22675 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22677 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
22678 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
22679 diff -urNp linux-2.6.37/drivers/atm/fore200e.c linux-2.6.37/drivers/atm/fore200e.c
22680 --- linux-2.6.37/drivers/atm/fore200e.c 2011-01-04 19:50:19.000000000 -0500
22681 +++ linux-2.6.37/drivers/atm/fore200e.c 2011-01-17 02:41:01.000000000 -0500
22682 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
22684 /* check error condition */
22685 if (*entry->status & STATUS_ERROR)
22686 - atomic_inc(&vcc->stats->tx_err);
22687 + atomic_inc_unchecked(&vcc->stats->tx_err);
22689 - atomic_inc(&vcc->stats->tx);
22690 + atomic_inc_unchecked(&vcc->stats->tx);
22694 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
22696 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
22698 - atomic_inc(&vcc->stats->rx_drop);
22699 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22703 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
22705 dev_kfree_skb_any(skb);
22707 - atomic_inc(&vcc->stats->rx_drop);
22708 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22712 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22714 vcc->push(vcc, skb);
22715 - atomic_inc(&vcc->stats->rx);
22716 + atomic_inc_unchecked(&vcc->stats->rx);
22718 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22720 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
22721 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
22722 fore200e->atm_dev->number,
22723 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
22724 - atomic_inc(&vcc->stats->rx_err);
22725 + atomic_inc_unchecked(&vcc->stats->rx_err);
22729 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
22733 - atomic_inc(&vcc->stats->tx_err);
22734 + atomic_inc_unchecked(&vcc->stats->tx_err);
22736 fore200e->tx_sat++;
22737 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
22738 diff -urNp linux-2.6.37/drivers/atm/he.c linux-2.6.37/drivers/atm/he.c
22739 --- linux-2.6.37/drivers/atm/he.c 2011-01-04 19:50:19.000000000 -0500
22740 +++ linux-2.6.37/drivers/atm/he.c 2011-01-17 02:41:01.000000000 -0500
22741 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22743 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
22744 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
22745 - atomic_inc(&vcc->stats->rx_drop);
22746 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22747 goto return_host_buffers;
22750 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22751 RBRQ_LEN_ERR(he_dev->rbrq_head)
22753 vcc->vpi, vcc->vci);
22754 - atomic_inc(&vcc->stats->rx_err);
22755 + atomic_inc_unchecked(&vcc->stats->rx_err);
22756 goto return_host_buffers;
22759 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22760 vcc->push(vcc, skb);
22761 spin_lock(&he_dev->global_lock);
22763 - atomic_inc(&vcc->stats->rx);
22764 + atomic_inc_unchecked(&vcc->stats->rx);
22766 return_host_buffers:
22768 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
22769 tpd->vcc->pop(tpd->vcc, tpd->skb);
22771 dev_kfree_skb_any(tpd->skb);
22772 - atomic_inc(&tpd->vcc->stats->tx_err);
22773 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
22775 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
22777 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22778 vcc->pop(vcc, skb);
22780 dev_kfree_skb_any(skb);
22781 - atomic_inc(&vcc->stats->tx_err);
22782 + atomic_inc_unchecked(&vcc->stats->tx_err);
22786 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22787 vcc->pop(vcc, skb);
22789 dev_kfree_skb_any(skb);
22790 - atomic_inc(&vcc->stats->tx_err);
22791 + atomic_inc_unchecked(&vcc->stats->tx_err);
22795 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22796 vcc->pop(vcc, skb);
22798 dev_kfree_skb_any(skb);
22799 - atomic_inc(&vcc->stats->tx_err);
22800 + atomic_inc_unchecked(&vcc->stats->tx_err);
22801 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22804 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22805 vcc->pop(vcc, skb);
22807 dev_kfree_skb_any(skb);
22808 - atomic_inc(&vcc->stats->tx_err);
22809 + atomic_inc_unchecked(&vcc->stats->tx_err);
22810 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22813 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22814 __enqueue_tpd(he_dev, tpd, cid);
22815 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22817 - atomic_inc(&vcc->stats->tx);
22818 + atomic_inc_unchecked(&vcc->stats->tx);
22822 diff -urNp linux-2.6.37/drivers/atm/horizon.c linux-2.6.37/drivers/atm/horizon.c
22823 --- linux-2.6.37/drivers/atm/horizon.c 2011-01-04 19:50:19.000000000 -0500
22824 +++ linux-2.6.37/drivers/atm/horizon.c 2011-01-17 02:41:01.000000000 -0500
22825 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
22827 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
22829 - atomic_inc(&vcc->stats->rx);
22830 + atomic_inc_unchecked(&vcc->stats->rx);
22831 __net_timestamp(skb);
22832 // end of our responsability
22833 vcc->push (vcc, skb);
22834 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
22835 dev->tx_iovec = NULL;
22838 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22839 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22842 hrz_kfree_skb (skb);
22843 diff -urNp linux-2.6.37/drivers/atm/idt77252.c linux-2.6.37/drivers/atm/idt77252.c
22844 --- linux-2.6.37/drivers/atm/idt77252.c 2011-01-04 19:50:19.000000000 -0500
22845 +++ linux-2.6.37/drivers/atm/idt77252.c 2011-01-17 02:41:01.000000000 -0500
22846 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
22848 dev_kfree_skb(skb);
22850 - atomic_inc(&vcc->stats->tx);
22851 + atomic_inc_unchecked(&vcc->stats->tx);
22854 atomic_dec(&scq->used);
22855 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
22856 if ((sb = dev_alloc_skb(64)) == NULL) {
22857 printk("%s: Can't allocate buffers for aal0.\n",
22859 - atomic_add(i, &vcc->stats->rx_drop);
22860 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
22863 if (!atm_charge(vcc, sb->truesize)) {
22864 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
22866 - atomic_add(i - 1, &vcc->stats->rx_drop);
22867 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
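Review bot: `atomic_add_unchecked(i - 1, &vcc->stats->rx_drop)` in the atm_charge() failure branch passes a negative delta when `i` is 0, which would decrement the drop counter rather than increase it; the conversion carries that expression over unchanged. The loop that sets `i` is outside the hunk, so this is inferred from the index name and the `atomic_add_unchecked(i, ...)` call in the allocation-failure branch above it, and should be checked against the loop header. If `i` does start at 0, guard the call, e.g. `if (i > 1) atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);`, or add a comment stating why a negative adjustment is intended. dequeue_rx's body starts and ends outside the hunk.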
22871 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
22872 ATM_SKB(sb)->vcc = vcc;
22873 __net_timestamp(sb);
22874 vcc->push(vcc, sb);
22875 - atomic_inc(&vcc->stats->rx);
22876 + atomic_inc_unchecked(&vcc->stats->rx);
22878 cell += ATM_CELL_PAYLOAD;
22880 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
22882 card->name, len, rpp->len, readl(SAR_REG_CDC));
22883 recycle_rx_pool_skb(card, rpp);
22884 - atomic_inc(&vcc->stats->rx_err);
22885 + atomic_inc_unchecked(&vcc->stats->rx_err);
22888 if (stat & SAR_RSQE_CRC) {
22889 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
22890 recycle_rx_pool_skb(card, rpp);
22891 - atomic_inc(&vcc->stats->rx_err);
22892 + atomic_inc_unchecked(&vcc->stats->rx_err);
22895 if (skb_queue_len(&rpp->queue) > 1) {
22896 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
22897 RXPRINTK("%s: Can't alloc RX skb.\n",
22899 recycle_rx_pool_skb(card, rpp);
22900 - atomic_inc(&vcc->stats->rx_err);
22901 + atomic_inc_unchecked(&vcc->stats->rx_err);
22904 if (!atm_charge(vcc, skb->truesize)) {
22905 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
22906 __net_timestamp(skb);
22908 vcc->push(vcc, skb);
22909 - atomic_inc(&vcc->stats->rx);
22910 + atomic_inc_unchecked(&vcc->stats->rx);
22914 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
22915 __net_timestamp(skb);
22917 vcc->push(vcc, skb);
22918 - atomic_inc(&vcc->stats->rx);
22919 + atomic_inc_unchecked(&vcc->stats->rx);
22921 if (skb->truesize > SAR_FB_SIZE_3)
22922 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
22923 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
22924 if (vcc->qos.aal != ATM_AAL0) {
22925 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
22926 card->name, vpi, vci);
22927 - atomic_inc(&vcc->stats->rx_drop);
22928 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22932 if ((sb = dev_alloc_skb(64)) == NULL) {
22933 printk("%s: Can't allocate buffers for AAL0.\n",
22935 - atomic_inc(&vcc->stats->rx_err);
22936 + atomic_inc_unchecked(&vcc->stats->rx_err);
22940 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
22941 ATM_SKB(sb)->vcc = vcc;
22942 __net_timestamp(sb);
22943 vcc->push(vcc, sb);
22944 - atomic_inc(&vcc->stats->rx);
22945 + atomic_inc_unchecked(&vcc->stats->rx);
22948 skb_pull(queue, 64);
22949 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22952 printk("%s: NULL connection in send().\n", card->name);
22953 - atomic_inc(&vcc->stats->tx_err);
22954 + atomic_inc_unchecked(&vcc->stats->tx_err);
22955 dev_kfree_skb(skb);
22958 if (!test_bit(VCF_TX, &vc->flags)) {
22959 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
22960 - atomic_inc(&vcc->stats->tx_err);
22961 + atomic_inc_unchecked(&vcc->stats->tx_err);
22962 dev_kfree_skb(skb);
22965 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22968 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
22969 - atomic_inc(&vcc->stats->tx_err);
22970 + atomic_inc_unchecked(&vcc->stats->tx_err);
22971 dev_kfree_skb(skb);
22975 if (skb_shinfo(skb)->nr_frags != 0) {
22976 printk("%s: No scatter-gather yet.\n", card->name);
22977 - atomic_inc(&vcc->stats->tx_err);
22978 + atomic_inc_unchecked(&vcc->stats->tx_err);
22979 dev_kfree_skb(skb);
22982 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22984 err = queue_skb(card, vc, skb, oam);
22986 - atomic_inc(&vcc->stats->tx_err);
22987 + atomic_inc_unchecked(&vcc->stats->tx_err);
22988 dev_kfree_skb(skb);
22991 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
22992 skb = dev_alloc_skb(64);
22994 printk("%s: Out of memory in send_oam().\n", card->name);
22995 - atomic_inc(&vcc->stats->tx_err);
22996 + atomic_inc_unchecked(&vcc->stats->tx_err);
22999 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
23000 diff -urNp linux-2.6.37/drivers/atm/iphase.c linux-2.6.37/drivers/atm/iphase.c
23001 --- linux-2.6.37/drivers/atm/iphase.c 2011-01-04 19:50:19.000000000 -0500
23002 +++ linux-2.6.37/drivers/atm/iphase.c 2011-01-17 02:41:01.000000000 -0500
23003 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
23004 status = (u_short) (buf_desc_ptr->desc_mode);
23005 if (status & (RX_CER | RX_PTE | RX_OFL))
23007 - atomic_inc(&vcc->stats->rx_err);
23008 + atomic_inc_unchecked(&vcc->stats->rx_err);
23009 IF_ERR(printk("IA: bad packet, dropping it");)
23010 if (status & RX_CER) {
23011 IF_ERR(printk(" cause: packet CRC error\n");)
23012 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
23013 len = dma_addr - buf_addr;
23014 if (len > iadev->rx_buf_sz) {
23015 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
23016 - atomic_inc(&vcc->stats->rx_err);
23017 + atomic_inc_unchecked(&vcc->stats->rx_err);
23018 goto out_free_desc;
23021 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
23022 ia_vcc = INPH_IA_VCC(vcc);
23023 if (ia_vcc == NULL)
23025 - atomic_inc(&vcc->stats->rx_err);
23026 + atomic_inc_unchecked(&vcc->stats->rx_err);
23027 dev_kfree_skb_any(skb);
23028 atm_return(vcc, atm_guess_pdu2truesize(len));
23030 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
23031 if ((length > iadev->rx_buf_sz) || (length >
23032 (skb->len - sizeof(struct cpcs_trailer))))
23034 - atomic_inc(&vcc->stats->rx_err);
23035 + atomic_inc_unchecked(&vcc->stats->rx_err);
23036 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
23037 length, skb->len);)
23038 dev_kfree_skb_any(skb);
23039 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
23041 IF_RX(printk("rx_dle_intr: skb push");)
23042 vcc->push(vcc,skb);
23043 - atomic_inc(&vcc->stats->rx);
23044 + atomic_inc_unchecked(&vcc->stats->rx);
23045 iadev->rx_pkt_cnt++;
23048 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
23050 struct k_sonet_stats *stats;
23051 stats = &PRIV(_ia_dev[board])->sonet_stats;
23052 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23053 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23054 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23055 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23056 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23057 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23058 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23059 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23060 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23061 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23062 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23063 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23064 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23065 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23066 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23067 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23068 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23069 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23071 ia_cmds.status = 0;
23073 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23074 if ((desc == 0) || (desc > iadev->num_tx_desc))
23076 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23077 - atomic_inc(&vcc->stats->tx);
23078 + atomic_inc_unchecked(&vcc->stats->tx);
23080 vcc->pop(vcc, skb);
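Review bot: The branch of ia_pkt_tx that logs "invalid desc for send" increments `stats->tx`, so a frame rejected for a bad descriptor is counted as transmitted, and the switch to the unchecked helper carries that over unchanged. The send-failure paths of the other ATM drivers in this patch count into `tx_err`, and this branch likely should as well: `atomic_inc_unchecked(&vcc->stats->tx_err);`. Part of the branch is not visible in the hunk and ia_pkt_tx continues outside it, and a later hunk uses `stats->tx % 20` for flow control, so confirm nothing depends on the current counting before changing it.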
23082 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23083 ATM_DESC(skb) = vcc->vci;
23084 skb_queue_tail(&iadev->tx_dma_q, skb);
23086 - atomic_inc(&vcc->stats->tx);
23087 + atomic_inc_unchecked(&vcc->stats->tx);
23088 iadev->tx_pkt_cnt++;
23089 /* Increment transaction counter */
23090 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23093 /* add flow control logic */
23094 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23095 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23096 if (iavcc->vc_desc_cnt > 10) {
23097 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23098 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
23099 diff -urNp linux-2.6.37/drivers/atm/lanai.c linux-2.6.37/drivers/atm/lanai.c
23100 --- linux-2.6.37/drivers/atm/lanai.c 2011-01-04 19:50:19.000000000 -0500
23101 +++ linux-2.6.37/drivers/atm/lanai.c 2011-01-17 02:41:01.000000000 -0500
23102 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23103 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23104 lanai_endtx(lanai, lvcc);
23105 lanai_free_skb(lvcc->tx.atmvcc, skb);
23106 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23107 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23110 /* Try to fill the buffer - don't call unless there is backlog */
23111 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23112 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23113 __net_timestamp(skb);
23114 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23115 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23116 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23118 lvcc->rx.buf.ptr = end;
23119 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23120 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23121 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23122 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23123 lanai->stats.service_rxnotaal5++;
23124 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23125 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23128 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23129 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23131 read_unlock(&vcc_sklist_lock);
23132 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23133 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23134 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23135 lvcc->stats.x.aal5.service_trash++;
23136 bytes = (SERVICE_GET_END(s) * 16) -
23137 (((unsigned long) lvcc->rx.buf.ptr) -
23138 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23140 if (s & SERVICE_STREAM) {
23141 read_unlock(&vcc_sklist_lock);
23142 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23143 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23144 lvcc->stats.x.aal5.service_stream++;
23145 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23146 "PDU on VCI %d!\n", lanai->number, vci);
23147 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23150 DPRINTK("got rx crc error on vci %d\n", vci);
23151 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23152 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23153 lvcc->stats.x.aal5.service_rxcrc++;
23154 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23155 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
23156 diff -urNp linux-2.6.37/drivers/atm/nicstar.c linux-2.6.37/drivers/atm/nicstar.c
23157 --- linux-2.6.37/drivers/atm/nicstar.c 2011-01-04 19:50:19.000000000 -0500
23158 +++ linux-2.6.37/drivers/atm/nicstar.c 2011-01-17 02:41:01.000000000 -0500
23159 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
23160 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
23161 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
23163 - atomic_inc(&vcc->stats->tx_err);
23164 + atomic_inc_unchecked(&vcc->stats->tx_err);
23165 dev_kfree_skb_any(skb);
23168 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
23170 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
23172 - atomic_inc(&vcc->stats->tx_err);
23173 + atomic_inc_unchecked(&vcc->stats->tx_err);
23174 dev_kfree_skb_any(skb);
23177 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
23178 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
23179 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
23181 - atomic_inc(&vcc->stats->tx_err);
23182 + atomic_inc_unchecked(&vcc->stats->tx_err);
23183 dev_kfree_skb_any(skb);
23187 if (skb_shinfo(skb)->nr_frags != 0) {
23188 printk("nicstar%d: No scatter-gather yet.\n", card->index);
23189 - atomic_inc(&vcc->stats->tx_err);
23190 + atomic_inc_unchecked(&vcc->stats->tx_err);
23191 dev_kfree_skb_any(skb);
23194 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
23197 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
23198 - atomic_inc(&vcc->stats->tx_err);
23199 + atomic_inc_unchecked(&vcc->stats->tx_err);
23200 dev_kfree_skb_any(skb);
23203 - atomic_inc(&vcc->stats->tx);
23204 + atomic_inc_unchecked(&vcc->stats->tx);
23208 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
23210 ("nicstar%d: Can't allocate buffers for aal0.\n",
23212 - atomic_add(i, &vcc->stats->rx_drop);
23213 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
23216 if (!atm_charge(vcc, sb->truesize)) {
23218 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
23220 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23221 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23222 dev_kfree_skb_any(sb);
23225 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
23226 ATM_SKB(sb)->vcc = vcc;
23227 __net_timestamp(sb);
23228 vcc->push(vcc, sb);
23229 - atomic_inc(&vcc->stats->rx);
23230 + atomic_inc_unchecked(&vcc->stats->rx);
23231 cell += ATM_CELL_PAYLOAD;
23234 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
23235 if (iovb == NULL) {
23236 printk("nicstar%d: Out of iovec buffers.\n",
23238 - atomic_inc(&vcc->stats->rx_drop);
23239 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23240 recycle_rx_buf(card, skb);
23243 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
23244 small or large buffer itself. */
23245 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
23246 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23247 - atomic_inc(&vcc->stats->rx_err);
23248 + atomic_inc_unchecked(&vcc->stats->rx_err);
23249 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23251 NS_PRV_IOVCNT(iovb) = 0;
23252 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
23253 ("nicstar%d: Expected a small buffer, and this is not one.\n",
23255 which_list(card, skb);
23256 - atomic_inc(&vcc->stats->rx_err);
23257 + atomic_inc_unchecked(&vcc->stats->rx_err);
23258 recycle_rx_buf(card, skb);
23260 recycle_iov_buf(card, iovb);
23261 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
23262 ("nicstar%d: Expected a large buffer, and this is not one.\n",
23264 which_list(card, skb);
23265 - atomic_inc(&vcc->stats->rx_err);
23266 + atomic_inc_unchecked(&vcc->stats->rx_err);
23267 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23268 NS_PRV_IOVCNT(iovb));
23270 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
23271 printk(" - PDU size mismatch.\n");
23274 - atomic_inc(&vcc->stats->rx_err);
23275 + atomic_inc_unchecked(&vcc->stats->rx_err);
23276 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23277 NS_PRV_IOVCNT(iovb));
23279 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
23280 /* skb points to a small buffer */
23281 if (!atm_charge(vcc, skb->truesize)) {
23282 push_rxbufs(card, skb);
23283 - atomic_inc(&vcc->stats->rx_drop);
23284 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23287 dequeue_sm_buf(card, skb);
23288 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
23289 ATM_SKB(skb)->vcc = vcc;
23290 __net_timestamp(skb);
23291 vcc->push(vcc, skb);
23292 - atomic_inc(&vcc->stats->rx);
23293 + atomic_inc_unchecked(&vcc->stats->rx);
23295 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
23296 struct sk_buff *sb;
23297 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
23298 if (len <= NS_SMBUFSIZE) {
23299 if (!atm_charge(vcc, sb->truesize)) {
23300 push_rxbufs(card, sb);
23301 - atomic_inc(&vcc->stats->rx_drop);
23302 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23305 dequeue_sm_buf(card, sb);
23306 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
23307 ATM_SKB(sb)->vcc = vcc;
23308 __net_timestamp(sb);
23309 vcc->push(vcc, sb);
23310 - atomic_inc(&vcc->stats->rx);
23311 + atomic_inc_unchecked(&vcc->stats->rx);
23314 push_rxbufs(card, skb);
23315 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
23317 if (!atm_charge(vcc, skb->truesize)) {
23318 push_rxbufs(card, skb);
23319 - atomic_inc(&vcc->stats->rx_drop);
23320 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23322 dequeue_lg_buf(card, skb);
23323 #ifdef NS_USE_DESTRUCTORS
23324 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
23325 ATM_SKB(skb)->vcc = vcc;
23326 __net_timestamp(skb);
23327 vcc->push(vcc, skb);
23328 - atomic_inc(&vcc->stats->rx);
23329 + atomic_inc_unchecked(&vcc->stats->rx);
23332 push_rxbufs(card, sb);
23333 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
23335 ("nicstar%d: Out of huge buffers.\n",
23337 - atomic_inc(&vcc->stats->rx_drop);
23338 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23339 recycle_iovec_rx_bufs(card,
23342 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
23343 card->hbpool.count++;
23345 dev_kfree_skb_any(hb);
23346 - atomic_inc(&vcc->stats->rx_drop);
23347 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23349 /* Copy the small buffer to the huge buffer */
23350 sb = (struct sk_buff *)iov->iov_base;
23351 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
23352 #endif /* NS_USE_DESTRUCTORS */
23353 __net_timestamp(hb);
23354 vcc->push(vcc, hb);
23355 - atomic_inc(&vcc->stats->rx);
23356 + atomic_inc_unchecked(&vcc->stats->rx);
23360 diff -urNp linux-2.6.37/drivers/atm/solos-pci.c linux-2.6.37/drivers/atm/solos-pci.c
23361 --- linux-2.6.37/drivers/atm/solos-pci.c 2011-01-04 19:50:19.000000000 -0500
23362 +++ linux-2.6.37/drivers/atm/solos-pci.c 2011-01-17 02:41:01.000000000 -0500
23363 @@ -717,7 +717,7 @@ void solos_bh(unsigned long card_arg)
23365 atm_charge(vcc, skb->truesize);
23366 vcc->push(vcc, skb);
23367 - atomic_inc(&vcc->stats->rx);
23368 + atomic_inc_unchecked(&vcc->stats->rx);
23372 @@ -1025,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
23373 vcc = SKB_CB(oldskb)->vcc;
23376 - atomic_inc(&vcc->stats->tx);
23377 + atomic_inc_unchecked(&vcc->stats->tx);
23378 solos_pop(vcc, oldskb);
23380 dev_kfree_skb_irq(oldskb);
23381 diff -urNp linux-2.6.37/drivers/atm/suni.c linux-2.6.37/drivers/atm/suni.c
23382 --- linux-2.6.37/drivers/atm/suni.c 2011-01-04 19:50:19.000000000 -0500
23383 +++ linux-2.6.37/drivers/atm/suni.c 2011-01-17 02:41:01.000000000 -0500
23384 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23387 #define ADD_LIMITED(s,v) \
23388 - atomic_add((v),&stats->s); \
23389 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23390 + atomic_add_unchecked((v),&stats->s); \
23391 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23394 static void suni_hz(unsigned long from_timer)
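Review bot: `ADD_LIMITED` only works if the counter is allowed to wrap to a negative value, which it then clamps to INT_MAX, yet nothing at the macro says that this is why the `_unchecked` operations are needed here rather than just convenient. A comment above it would stop a later cleanup from switching back to overflow-checked atomics, under which the `< 0` branch would presumably never run: `/* relies on wrap to negative, then saturates at INT_MAX; must stay on the _unchecked ops */`. The add, read and set are three separate operations, so the clamp is best-effort under concurrent updates, and the two-statement expansion is not wrapped in `do { } while (0)`. The uPD98402.c hunk at -161,9 defines the same macro and would take the same comment.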
23395 diff -urNp linux-2.6.37/drivers/atm/uPD98402.c linux-2.6.37/drivers/atm/uPD98402.c
23396 --- linux-2.6.37/drivers/atm/uPD98402.c 2011-01-04 19:50:19.000000000 -0500
23397 +++ linux-2.6.37/drivers/atm/uPD98402.c 2011-01-17 02:41:01.000000000 -0500
23398 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23399 struct sonet_stats tmp;
23402 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23403 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23404 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23405 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23406 if (zero && !error) {
23407 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23410 #define ADD_LIMITED(s,v) \
23411 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23412 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23413 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23414 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23415 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23416 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23419 static void stat_event(struct atm_dev *dev)
23420 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
23421 if (reason & uPD98402_INT_PFM) stat_event(dev);
23422 if (reason & uPD98402_INT_PCO) {
23423 (void) GET(PCOCR); /* clear interrupt cause */
23424 - atomic_add(GET(HECCT),
23425 + atomic_add_unchecked(GET(HECCT),
23426 &PRIV(dev)->sonet_stats.uncorr_hcs);
23428 if ((reason & uPD98402_INT_RFO) &&
23429 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
23430 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23431 uPD98402_INT_LOS),PIMR); /* enable them */
23432 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23433 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23434 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23435 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23436 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23437 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23438 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23442 diff -urNp linux-2.6.37/drivers/atm/zatm.c linux-2.6.37/drivers/atm/zatm.c
23443 --- linux-2.6.37/drivers/atm/zatm.c 2011-01-04 19:50:19.000000000 -0500
23444 +++ linux-2.6.37/drivers/atm/zatm.c 2011-01-17 02:41:01.000000000 -0500
23445 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23448 dev_kfree_skb_irq(skb);
23449 - if (vcc) atomic_inc(&vcc->stats->rx_err);
23450 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23453 if (!atm_charge(vcc,skb->truesize)) {
23454 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23456 ATM_SKB(skb)->vcc = vcc;
23457 vcc->push(vcc,skb);
23458 - atomic_inc(&vcc->stats->rx);
23459 + atomic_inc_unchecked(&vcc->stats->rx);
23461 zout(pos & 0xffff,MTA(mbx));
23462 #if 0 /* probably a stupid idea */
23463 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
23464 skb_queue_head(&zatm_vcc->backlog,skb);
23467 - atomic_inc(&vcc->stats->tx);
23468 + atomic_inc_unchecked(&vcc->stats->tx);
23469 wake_up(&zatm_vcc->tx_wait);
23472 diff -urNp linux-2.6.37/drivers/block/cciss.c linux-2.6.37/drivers/block/cciss.c
23473 --- linux-2.6.37/drivers/block/cciss.c 2011-01-04 19:50:19.000000000 -0500
23474 +++ linux-2.6.37/drivers/block/cciss.c 2011-01-17 02:41:01.000000000 -0500
23475 @@ -1112,6 +1112,8 @@ static int cciss_ioctl32_passthru(struct
23479 + memset(&arg64, 0, sizeof(arg64));
23483 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
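Review bot: The added `memset(&arg64, 0, sizeof(arg64));` carries no comment saying what it protects against, and it reads like an information-leak fix. The copy_from_user() calls that follow fill `arg64` field by field, so padding and any member they skip would otherwise keep whatever was in that memory before (presumably stack, if `arg64` is a local). If the structure is later passed on or copied back to user space, which the hunk does not show, a one-line comment keeps the call from being removed as redundant: `/* clear padding and unset members before arg64 leaves this function */`. cciss_ioctl32_passthru starts and ends outside the hunk.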
23484 diff -urNp linux-2.6.37/drivers/char/agp/frontend.c linux-2.6.37/drivers/char/agp/frontend.c
23485 --- linux-2.6.37/drivers/char/agp/frontend.c 2011-01-04 19:50:19.000000000 -0500
23486 +++ linux-2.6.37/drivers/char/agp/frontend.c 2011-01-17 02:41:01.000000000 -0500
23487 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
23488 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23491 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23492 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23495 client = agp_find_client_by_pid(reserve.pid);
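Review bot: The overflow guard now divides by `sizeof(struct agp_segment_priv)`, so it only covers every `seg_count * size` multiplication if that struct is at least as large as `struct agp_segment`, which nothing in the hunk states or enforces. The allocations themselves are outside the hunk; if they are plain `kmalloc(n * size)` calls, converting them to `kcalloc(reserve.seg_count, sizeof(...), GFP_KERNEL)` would check each multiplication where it happens instead of relying on this one comparison. The bound also still admits counts whose total size approaches 4 GiB, so a small fixed cap on `reserve.seg_count` would reject unreasonable requests from user space earlier.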
23496 diff -urNp linux-2.6.37/drivers/char/agp/intel-agp.c linux-2.6.37/drivers/char/agp/intel-agp.c
23497 --- linux-2.6.37/drivers/char/agp/intel-agp.c 2011-01-04 19:50:19.000000000 -0500
23498 +++ linux-2.6.37/drivers/char/agp/intel-agp.c 2011-01-17 02:41:01.000000000 -0500
23499 @@ -903,7 +903,7 @@ static struct pci_device_id agp_intel_pc
23500 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23501 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
23502 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_S_HB),
23504 + { 0, 0, 0, 0, 0, 0, 0 }
23507 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
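Review bot: The table terminator is spelled as seven positional zeros, `{ 0, 0, 0, 0, 0, 0, 0 }`, which ties the sentinel to the current field count of the entry type; an empty initializer `{ }` zero-fills every member and stays correct if the struct changes. The `hpet_misc` initializer in the drivers/char/hpet.c hunk at -1043,7 has the same positional style (`{NULL, NULL}, NULL, NULL`), where designated initializers such as `.minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops` would not depend on member order. If the positional form exists to silence a missing-initializer warning, a short comment saying so would help the next reader.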
23508 diff -urNp linux-2.6.37/drivers/char/hpet.c linux-2.6.37/drivers/char/hpet.c
23509 --- linux-2.6.37/drivers/char/hpet.c 2011-01-04 19:50:19.000000000 -0500
23510 +++ linux-2.6.37/drivers/char/hpet.c 2011-01-17 02:41:01.000000000 -0500
23511 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
23515 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
23516 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
23517 struct hpet_info *info)
23519 struct hpet_timer __iomem *timer;
23520 @@ -1043,7 +1043,7 @@ static struct acpi_driver hpet_acpi_driv
23524 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23525 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
23527 static int __init hpet_init(void)
23529 diff -urNp linux-2.6.37/drivers/char/hvc_console.h linux-2.6.37/drivers/char/hvc_console.h
23530 --- linux-2.6.37/drivers/char/hvc_console.h 2011-01-04 19:50:19.000000000 -0500
23531 +++ linux-2.6.37/drivers/char/hvc_console.h 2011-01-17 02:41:01.000000000 -0500
23532 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
23533 /* register a vterm for hvc tty operation (module_init or hotplug add) */
23534 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
23535 const struct hv_ops *ops, int outbuf_size);
23537 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
23538 extern int hvc_remove(struct hvc_struct *hp);
23540 diff -urNp linux-2.6.37/drivers/char/hvcs.c linux-2.6.37/drivers/char/hvcs.c
23541 --- linux-2.6.37/drivers/char/hvcs.c 2011-01-04 19:50:19.000000000 -0500
23542 +++ linux-2.6.37/drivers/char/hvcs.c 2011-01-25 20:24:56.000000000 -0500
23544 #include <asm/hvcserver.h>
23545 #include <asm/uaccess.h>
23546 #include <asm/vio.h>
23547 +#include <asm/local.h>
23550 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
23551 @@ -270,7 +271,7 @@ struct hvcs_struct {
23552 unsigned int index;
23554 struct tty_struct *tty;
23556 + local_t open_count;
23559 * Used to tell the driver kernel_thread what operations need to take
23560 @@ -420,7 +421,7 @@ static ssize_t hvcs_vterm_state_store(st
23562 spin_lock_irqsave(&hvcsd->lock, flags);
23564 - if (hvcsd->open_count > 0) {
23565 + if (local_read(&hvcsd->open_count) > 0) {
23566 spin_unlock_irqrestore(&hvcsd->lock, flags);
23567 printk(KERN_INFO "HVCS: vterm state unchanged. "
23568 "The hvcs device node is still in use.\n");
23569 @@ -1136,7 +1137,7 @@ static int hvcs_open(struct tty_struct *
23570 if ((retval = hvcs_partner_connect(hvcsd)))
23571 goto error_release;
23573 - hvcsd->open_count = 1;
23574 + local_set(&hvcsd->open_count, 1);
23576 tty->driver_data = hvcsd;
23578 @@ -1170,7 +1171,7 @@ fast_open:
23580 spin_lock_irqsave(&hvcsd->lock, flags);
23581 kref_get(&hvcsd->kref);
23582 - hvcsd->open_count++;
23583 + local_inc(&hvcsd->open_count);
23584 hvcsd->todo_mask |= HVCS_SCHED_READ;
23585 spin_unlock_irqrestore(&hvcsd->lock, flags);
23587 @@ -1214,7 +1215,7 @@ static void hvcs_close(struct tty_struct
23588 hvcsd = tty->driver_data;
23590 spin_lock_irqsave(&hvcsd->lock, flags);
23591 - if (--hvcsd->open_count == 0) {
23592 + if (local_dec_and_test(&hvcsd->open_count)) {
23594 vio_disable_interrupts(hvcsd->vdev);
23596 @@ -1240,10 +1241,10 @@ static void hvcs_close(struct tty_struct
23597 free_irq(irq, hvcsd);
23598 kref_put(&hvcsd->kref, destroy_hvcs_struct);
23600 - } else if (hvcsd->open_count < 0) {
23601 + } else if (local_read(&hvcsd->open_count) < 0) {
23602 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
23603 " is missmanaged.\n",
23604 - hvcsd->vdev->unit_address, hvcsd->open_count);
23605 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
23608 spin_unlock_irqrestore(&hvcsd->lock, flags);
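Review bot: In the `open_count < 0` branch of hvcs_close the printk still formats the count with `%d`, but the argument is now `local_read(&hvcsd->open_count)`, which is a `long` in the generic asm/local.h (confirm for the target architecture), so format and argument no longer match on 64-bit. Either change the conversion to `%ld` or cast the argument: `(int)local_read(&hvcsd->open_count)`. The assignment `temp_open_count = local_read(&hvcsd->open_count);` in the hvcs_hangup hunk narrows in the same way if `temp_open_count` is an `int`, whose declaration is not visible here.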
23609 @@ -1259,7 +1260,7 @@ static void hvcs_hangup(struct tty_struc
23611 spin_lock_irqsave(&hvcsd->lock, flags);
23612 /* Preserve this so that we know how many kref refs to put */
23613 - temp_open_count = hvcsd->open_count;
23614 + temp_open_count = local_read(&hvcsd->open_count);
23617 * Don't kref put inside the spinlock because the destruction
23618 @@ -1274,7 +1275,7 @@ static void hvcs_hangup(struct tty_struc
23619 hvcsd->tty->driver_data = NULL;
23622 - hvcsd->open_count = 0;
23623 + local_set(&hvcsd->open_count, 0);
23625 /* This will drop any buffered data on the floor which is OK in a hangup
23627 @@ -1345,7 +1346,7 @@ static int hvcs_write(struct tty_struct
23628 * the middle of a write operation? This is a crummy place to do this
23629 * but we want to keep it all in the spinlock.
23631 - if (hvcsd->open_count <= 0) {
23632 + if (local_read(&hvcsd->open_count) <= 0) {
23633 spin_unlock_irqrestore(&hvcsd->lock, flags);
23636 @@ -1419,7 +1420,7 @@ static int hvcs_write_room(struct tty_st
23638 struct hvcs_struct *hvcsd = tty->driver_data;
23640 - if (!hvcsd || hvcsd->open_count <= 0)
23641 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
23644 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
23645 diff -urNp linux-2.6.37/drivers/char/hvc_xen.c linux-2.6.37/drivers/char/hvc_xen.c
23646 --- linux-2.6.37/drivers/char/hvc_xen.c 2011-01-04 19:50:19.000000000 -0500
23647 +++ linux-2.6.37/drivers/char/hvc_xen.c 2011-01-17 02:41:01.000000000 -0500
23648 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
23652 -static struct hv_ops domU_hvc_ops = {
23653 +static const struct hv_ops domU_hvc_ops = {
23654 .get_chars = domU_read_console,
23655 .put_chars = domU_write_console,
23656 .notifier_add = notifier_add_irq,
23657 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
23661 -static struct hv_ops dom0_hvc_ops = {
23662 +static const struct hv_ops dom0_hvc_ops = {
23663 .get_chars = dom0_read_console,
23664 .put_chars = dom0_write_console,
23665 .notifier_add = notifier_add_irq,
23666 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
23667 static int __init xen_hvc_init(void)
23669 struct hvc_struct *hp;
23670 - struct hv_ops *ops;
23671 + const struct hv_ops *ops;
23673 if (!xen_pv_domain())
23675 @@ -203,7 +203,7 @@ static void __exit xen_hvc_fini(void)
23677 static int xen_cons_init(void)
23679 - struct hv_ops *ops;
23680 + const struct hv_ops *ops;
23682 if (!xen_pv_domain())
23684 diff -urNp linux-2.6.37/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.37/drivers/char/ipmi/ipmi_msghandler.c
23685 --- linux-2.6.37/drivers/char/ipmi/ipmi_msghandler.c 2011-01-04 19:50:19.000000000 -0500
23686 +++ linux-2.6.37/drivers/char/ipmi/ipmi_msghandler.c 2011-01-17 02:41:01.000000000 -0500
23687 @@ -414,7 +414,7 @@ struct ipmi_smi {
23688 struct proc_dir_entry *proc_dir;
23689 char proc_dir_name[10];
23691 - atomic_t stats[IPMI_NUM_STATS];
23692 + atomic_unchecked_t stats[IPMI_NUM_STATS];
23695 * run_to_completion duplicate of smb_info, smi_info
23696 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
23699 #define ipmi_inc_stat(intf, stat) \
23700 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
23701 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
23702 #define ipmi_get_stat(intf, stat) \
23703 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
23704 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
23706 static int is_lan_addr(struct ipmi_addr *addr)
23708 @@ -2817,7 +2817,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
23709 INIT_LIST_HEAD(&intf->cmd_rcvrs);
23710 init_waitqueue_head(&intf->waitq);
23711 for (i = 0; i < IPMI_NUM_STATS; i++)
23712 - atomic_set(&intf->stats[i], 0);
23713 + atomic_set_unchecked(&intf->stats[i], 0);
23715 intf->proc_dir = NULL;
23717 diff -urNp linux-2.6.37/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.37/drivers/char/ipmi/ipmi_si_intf.c
23718 --- linux-2.6.37/drivers/char/ipmi/ipmi_si_intf.c 2011-01-04 19:50:19.000000000 -0500
23719 +++ linux-2.6.37/drivers/char/ipmi/ipmi_si_intf.c 2011-01-17 02:41:01.000000000 -0500
23720 @@ -286,7 +286,7 @@ struct smi_info {
23721 unsigned char slave_addr;
23723 /* Counters and things for the proc filesystem. */
23724 - atomic_t stats[SI_NUM_STATS];
23725 + atomic_unchecked_t stats[SI_NUM_STATS];
23727 struct task_struct *thread;
23729 @@ -294,9 +294,9 @@ struct smi_info {
23732 #define smi_inc_stat(smi, stat) \
23733 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
23734 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
23735 #define smi_get_stat(smi, stat) \
23736 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
23737 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
23739 #define SI_MAX_PARMS 4
23741 @@ -3178,7 +3178,7 @@ static int try_smi_init(struct smi_info
23742 atomic_set(&new_smi->req_events, 0);
23743 new_smi->run_to_completion = 0;
23744 for (i = 0; i < SI_NUM_STATS; i++)
23745 - atomic_set(&new_smi->stats[i], 0);
23746 + atomic_set_unchecked(&new_smi->stats[i], 0);
23748 new_smi->interrupt_disabled = 1;
23749 atomic_set(&new_smi->stop_operation, 0);
23750 diff -urNp linux-2.6.37/drivers/char/mem.c linux-2.6.37/drivers/char/mem.c
23751 --- linux-2.6.37/drivers/char/mem.c 2011-01-04 19:50:19.000000000 -0500
23752 +++ linux-2.6.37/drivers/char/mem.c 2011-01-17 02:41:01.000000000 -0500
23754 #include <linux/raw.h>
23755 #include <linux/tty.h>
23756 #include <linux/capability.h>
23757 +#include <linux/security.h>
23758 #include <linux/ptrace.h>
23759 #include <linux/device.h>
23760 #include <linux/highmem.h>
23762 # include <linux/efi.h>
23765 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23766 +extern struct file_operations grsec_fops;
23769 static inline unsigned long size_inside_page(unsigned long start,
23770 unsigned long size)
23772 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
23774 while (count > 0) {
23775 unsigned long remaining;
23778 sz = size_inside_page(p, count);
23780 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
23784 - remaining = copy_to_user(buf, ptr, sz);
23785 +#ifdef CONFIG_PAX_USERCOPY
23786 + temp = kmalloc(sz, GFP_KERNEL);
23788 + unxlate_dev_mem_ptr(p, ptr);
23791 + memcpy(temp, ptr, sz);
23796 + remaining = copy_to_user(buf, temp, sz);
23798 +#ifdef CONFIG_PAX_USERCOPY
23802 unxlate_dev_mem_ptr(p, ptr);
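Review bot: Nothing in this hunk says why the data is copied into a freshly allocated `temp` buffer before `copy_to_user()`, and the same undocumented sequence appears again in the read_kmem hunk below. If the reason is that the USERCOPY checks want a slab object of known size as the source, a comment above the kmalloc would say so, for example `/* bounce through a kmalloc buffer so the usercopy size check has a slab object of exactly sz bytes */`. The allocation sits inside the `while (count > 0)` loop, so it is repeated for every page-sized piece. Several lines of this hunk are missing from the listing, so the allocation-failure and release paths could not be reviewed.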
23805 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
23806 if (!valid_phys_addr_range(p, count))
23809 +#ifdef CONFIG_GRKERNSEC_KMEM
23810 + gr_handle_mem_write();
23816 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
23817 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
23818 &vma->vm_page_prot))
23821 +#ifdef CONFIG_GRKERNSEC_KMEM
23822 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
23826 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
23828 vma->vm_page_prot);
23829 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
23830 size_t count, loff_t *ppos)
23832 unsigned long p = *ppos;
23833 - ssize_t low_count, read, sz;
23834 + ssize_t low_count, read, sz, err = 0;
23835 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
23839 if (p < (unsigned long) high_memory) {
23840 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
23843 while (low_count > 0) {
23846 sz = size_inside_page(p, low_count);
23849 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
23851 kbuf = xlate_dev_kmem_ptr((char *)p);
23853 - if (copy_to_user(buf, kbuf, sz))
23854 +#ifdef CONFIG_PAX_USERCOPY
23855 + temp = kmalloc(sz, GFP_KERNEL);
23858 + memcpy(temp, kbuf, sz);
23863 + err = copy_to_user(buf, temp, sz);
23865 +#ifdef CONFIG_PAX_USERCOPY
23873 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
23874 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
23877 +#ifdef CONFIG_GRKERNSEC_KMEM
23878 + gr_handle_kmem_write();
23882 if (p < (unsigned long) high_memory) {
23883 unsigned long to_write = min_t(unsigned long, count,
23884 (unsigned long)high_memory - p);
23885 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
23887 static int open_port(struct inode * inode, struct file * filp)
23889 +#ifdef CONFIG_GRKERNSEC_KMEM
23890 + gr_handle_open_port();
23894 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23897 +static int open_mem(struct inode * inode, struct file * filp)
23899 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23902 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
23903 #define full_lseek null_lseek
23904 #define write_zero write_null
23905 #define read_full read_zero
23906 -#define open_mem open_port
23907 #define open_kmem open_mem
23908 #define open_oldmem open_mem
23910 @@ -857,6 +919,9 @@ static const struct memdev {
23911 #ifdef CONFIG_CRASH_DUMP
23912 [12] = { "oldmem", 0, &oldmem_fops, NULL },
23914 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23915 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
23919 static int memory_open(struct inode *inode, struct file *filp)
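Review bot: The new `[13]` entry creates the node with mode `S_IRUSR | S_IWUGO`, which makes it writable by every user, so the handlers behind `grsec_fops` are the only access control on that device. If that is intended (the handlers are defined elsewhere and not visible here), say so at the entry: `/* world-writable on purpose: authentication is done in grsec_fops */`. Every write handler reachable through `grsec_fops` then has to treat its input as coming from an unprivileged caller. The entry is also missing a space after `"grsec",`.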
23920 diff -urNp linux-2.6.37/drivers/char/nvram.c linux-2.6.37/drivers/char/nvram.c
23921 --- linux-2.6.37/drivers/char/nvram.c 2011-01-04 19:50:19.000000000 -0500
23922 +++ linux-2.6.37/drivers/char/nvram.c 2011-01-17 02:41:01.000000000 -0500
23923 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
23925 spin_unlock_irq(&rtc_lock);
23927 - if (copy_to_user(buf, contents, tmp - contents))
23928 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
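Review bot: The added guard `tmp - contents > sizeof(contents)` compares a signed pointer difference with an unsigned size, so it works only through the implicit conversion, and it runs after `contents` has already been filled. If the fill loop (outside this hunk) could ever advance `tmp` past the array, the overflow would have happened before this line; the check only stops the over-long copy to user space. I would compute the length once, e.g. `size_t len = tmp - contents;`, test `len > sizeof(contents)`, and add a comment naming the loop bound that keeps `tmp` inside the buffer. The body of nvram_read starts and ends outside the hunk.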
23932 @@ -435,7 +435,10 @@ static const struct file_operations nvra
23933 static struct miscdevice nvram_dev = {
23943 static int __init nvram_init(void)
23944 diff -urNp linux-2.6.37/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.37/drivers/char/pcmcia/ipwireless/tty.c
23945 --- linux-2.6.37/drivers/char/pcmcia/ipwireless/tty.c 2011-01-04 19:50:19.000000000 -0500
23946 +++ linux-2.6.37/drivers/char/pcmcia/ipwireless/tty.c 2011-01-25 20:24:56.000000000 -0500
23948 #include <linux/tty_driver.h>
23949 #include <linux/tty_flip.h>
23950 #include <linux/uaccess.h>
23951 +#include <asm/local.h>
23954 #include "network.h"
23955 @@ -51,7 +52,7 @@ struct ipw_tty {
23957 struct ipw_network *network;
23958 struct tty_struct *linux_tty;
23960 + local_t open_count;
23961 unsigned int control_lines;
23962 struct mutex ipw_tty_mutex;
23963 int tx_bytes_queued;
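Review bot: `local_t open_count` uses a CPU-local primitive for a counter shared by every opener of the device: local_inc() and local_dec_return() are atomic only with respect to the CPU they run on, so cross-CPU safety still comes from `ipw_tty_mutex`. The later hunks in this file read it with `local_read()` in ipw_write_room, ipw_chars_in_buffer, ipw_tiocmget, ipw_tiocmset and ipw_ioctl, where no lock is visible in the hunk context. A field comment such as `/* protected by ipw_tty_mutex; local_t is not SMP-atomic */` would record the rule, or atomic_t would make the counter safe without relying on the mutex. The same conversion is applied to `sonypi_device.open_count` in drivers/char/sonypi.c and to `dev->open_count` in the DRM files further down.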
23964 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
23965 mutex_unlock(&tty->ipw_tty_mutex);
23968 - if (tty->open_count == 0)
23969 + if (local_read(&tty->open_count) == 0)
23970 tty->tx_bytes_queued = 0;
23972 - tty->open_count++;
23973 + local_inc(&tty->open_count);
23975 tty->linux_tty = linux_tty;
23976 linux_tty->driver_data = tty;
23977 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
23979 static void do_ipw_close(struct ipw_tty *tty)
23981 - tty->open_count--;
23983 - if (tty->open_count == 0) {
23984 + if (local_dec_return(&tty->open_count) == 0) {
23985 struct tty_struct *linux_tty = tty->linux_tty;
23987 if (linux_tty != NULL) {
23988 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
23991 mutex_lock(&tty->ipw_tty_mutex);
23992 - if (tty->open_count == 0) {
23993 + if (local_read(&tty->open_count) == 0) {
23994 mutex_unlock(&tty->ipw_tty_mutex);
23997 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
24001 - if (!tty->open_count) {
24002 + if (!local_read(&tty->open_count)) {
24003 mutex_unlock(&tty->ipw_tty_mutex);
24006 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
24009 mutex_lock(&tty->ipw_tty_mutex);
24010 - if (!tty->open_count) {
24011 + if (!local_read(&tty->open_count)) {
24012 mutex_unlock(&tty->ipw_tty_mutex);
24015 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
24019 - if (!tty->open_count)
24020 + if (!local_read(&tty->open_count))
24023 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
24024 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
24028 - if (!tty->open_count)
24029 + if (!local_read(&tty->open_count))
24032 return tty->tx_bytes_queued;
24033 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
24037 - if (!tty->open_count)
24038 + if (!local_read(&tty->open_count))
24041 return get_control_lines(tty);
24042 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
24046 - if (!tty->open_count)
24047 + if (!local_read(&tty->open_count))
24050 return set_control_lines(tty, set, clear);
24051 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
24055 - if (!tty->open_count)
24056 + if (!local_read(&tty->open_count))
24059 /* FIXME: Exactly how is the tty object locked here .. */
24060 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
24061 against a parallel ioctl etc */
24062 mutex_lock(&ttyj->ipw_tty_mutex);
24064 - while (ttyj->open_count)
24065 + while (local_read(&ttyj->open_count))
24066 do_ipw_close(ttyj);
24067 ipwireless_disassociate_network_ttys(network,
24068 ttyj->channel_idx);
24069 diff -urNp linux-2.6.37/drivers/char/random.c linux-2.6.37/drivers/char/random.c
24070 --- linux-2.6.37/drivers/char/random.c 2011-01-04 19:50:19.000000000 -0500
24071 +++ linux-2.6.37/drivers/char/random.c 2011-01-17 02:41:01.000000000 -0500
24072 @@ -254,8 +254,13 @@
24074 * Configuration information
24076 +#ifdef CONFIG_GRKERNSEC_RANDNET
24077 +#define INPUT_POOL_WORDS 512
24078 +#define OUTPUT_POOL_WORDS 128
24080 #define INPUT_POOL_WORDS 128
24081 #define OUTPUT_POOL_WORDS 32
24083 #define SEC_XFER_SIZE 512
24084 #define EXTRACT_SIZE 10
24086 @@ -293,10 +298,17 @@ static struct poolinfo {
24088 int tap1, tap2, tap3, tap4, tap5;
24089 } poolinfo_table[] = {
24090 +#ifdef CONFIG_GRKERNSEC_RANDNET
24091 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
24092 + { 512, 411, 308, 208, 104, 1 },
24093 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
24094 + { 128, 103, 76, 51, 25, 1 },
24096 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
24097 { 128, 103, 76, 51, 25, 1 },
24098 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
24099 { 32, 26, 20, 14, 7, 1 },
24102 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
24103 { 2048, 1638, 1231, 819, 411, 1 },
24104 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
24106 extract_buf(r, tmp);
24107 i = min_t(int, nbytes, EXTRACT_SIZE);
24108 - if (copy_to_user(buf, tmp, i)) {
24109 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
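Review bot: `i > sizeof(tmp)` catches a bad length only because a negative `i` is converted to a huge unsigned value in the comparison; `min_t(int, nbytes, EXTRACT_SIZE)` on the line above truncates `nbytes` to int first, which is where such a value would come from. Nothing in the code says so, and a comment such as `/* min_t(int, ...) can go negative for huge nbytes; the unsigned compare rejects it */` would keep the guard from being removed as dead code. Using `min_t(size_t, nbytes, EXTRACT_SIZE)` would remove the case at its source, if `nbytes` is unsigned as its use suggests. The declarations of `i` and `tmp` are outside the hunk.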
24113 @@ -1207,7 +1219,7 @@ EXPORT_SYMBOL(generate_random_uuid);
24114 #include <linux/sysctl.h>
24116 static int min_read_thresh = 8, min_write_thresh;
24117 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
24118 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
24119 static int max_write_thresh = INPUT_POOL_WORDS * 32;
24120 static char sysctl_bootid[16];
24122 diff -urNp linux-2.6.37/drivers/char/sonypi.c linux-2.6.37/drivers/char/sonypi.c
24123 --- linux-2.6.37/drivers/char/sonypi.c 2011-01-04 19:50:19.000000000 -0500
24124 +++ linux-2.6.37/drivers/char/sonypi.c 2011-01-25 20:24:56.000000000 -0500
24126 #include <asm/uaccess.h>
24127 #include <asm/io.h>
24128 #include <asm/system.h>
24129 +#include <asm/local.h>
24131 #include <linux/sonypi.h>
24133 @@ -491,7 +492,7 @@ static struct sonypi_device {
24134 spinlock_t fifo_lock;
24135 wait_queue_head_t fifo_proc_list;
24136 struct fasync_struct *fifo_async;
24138 + local_t open_count;
24140 struct input_dev *input_jog_dev;
24141 struct input_dev *input_key_dev;
24142 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
24143 static int sonypi_misc_release(struct inode *inode, struct file *file)
24145 mutex_lock(&sonypi_device.lock);
24146 - sonypi_device.open_count--;
24147 + local_dec(&sonypi_device.open_count);
24148 mutex_unlock(&sonypi_device.lock);
24151 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
24153 mutex_lock(&sonypi_device.lock);
24154 /* Flush input queue on first open */
24155 - if (!sonypi_device.open_count)
24156 + if (!local_read(&sonypi_device.open_count))
24157 kfifo_reset(&sonypi_device.fifo);
24158 - sonypi_device.open_count++;
24159 + local_inc(&sonypi_device.open_count);
24160 mutex_unlock(&sonypi_device.lock);
24163 diff -urNp linux-2.6.37/drivers/char/tpm/tpm_bios.c linux-2.6.37/drivers/char/tpm/tpm_bios.c
24164 --- linux-2.6.37/drivers/char/tpm/tpm_bios.c 2011-01-04 19:50:19.000000000 -0500
24165 +++ linux-2.6.37/drivers/char/tpm/tpm_bios.c 2011-01-17 02:41:01.000000000 -0500
24166 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
24169 if ((event->event_type == 0 && event->event_size == 0) ||
24170 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24171 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
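Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids the pointer-addition wrap of the old form, but the subtraction itself wraps when fewer than `sizeof(struct tcpa_event)` bytes remain before `limit`, and the test then accepts any `event_size`. It is safe only if an earlier check has established that a whole header fits; that check is not visible in this hunk, and `event->event_type` is already read on the line above. A comment stating the precondition, e.g. `/* addr + sizeof(struct tcpa_event) < limit was checked above, so the subtraction cannot wrap */`, would make the dependency explicit. The same applies to the hunk in tpm_bios_measurements_next, with `v` in place of `addr`.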
24175 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
24178 if ((event->event_type == 0 && event->event_size == 0) ||
24179 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24180 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24184 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24187 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24188 - seq_putc(m, data[i]);
24189 + if (!seq_putc(m, data[i]))
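Review bot: `if (!seq_putc(m, data[i]))` looks inverted. In kernels of this generation seq_putc() returns 0 when the byte was stored and -1 when the seq_file buffer is full (confirm against fs/seq_file.c in this tree), so the condition is true on success and the branch, whose body is not shown in this listing, would be taken after the first byte. If the branch is meant as the error path, the test should be `if (seq_putc(m, data[i]))`. The enclosing function starts and ends outside the hunk.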
24194 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
24195 log->bios_event_log_end = log->bios_event_log + len;
24197 virt = acpi_os_map_memory(start, len);
24199 + kfree(log->bios_event_log);
24200 + log->bios_event_log = NULL;
24204 memcpy(log->bios_event_log, virt, len);
24206 diff -urNp linux-2.6.37/drivers/cpuidle/sysfs.c linux-2.6.37/drivers/cpuidle/sysfs.c
24207 --- linux-2.6.37/drivers/cpuidle/sysfs.c 2011-01-04 19:50:19.000000000 -0500
24208 +++ linux-2.6.37/drivers/cpuidle/sysfs.c 2011-01-17 02:41:01.000000000 -0500
24209 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24210 .release = cpuidle_state_sysfs_release,
24213 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24214 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24216 kobject_put(&device->kobjs[i]->kobj);
24217 wait_for_completion(&device->kobjs[i]->kobj_unregister);
24218 diff -urNp linux-2.6.37/drivers/edac/edac_core.h linux-2.6.37/drivers/edac/edac_core.h
24219 --- linux-2.6.37/drivers/edac/edac_core.h 2011-01-04 19:50:19.000000000 -0500
24220 +++ linux-2.6.37/drivers/edac/edac_core.h 2011-01-17 02:41:01.000000000 -0500
24221 @@ -87,11 +87,11 @@ extern const char *edac_mem_types[];
24223 #else /* !CONFIG_EDAC_DEBUG */
24225 -#define debugf0( ... )
24226 -#define debugf1( ... )
24227 -#define debugf2( ... )
24228 -#define debugf3( ... )
24229 -#define debugf4( ... )
24230 +#define debugf0( ... ) do {} while (0)
24231 +#define debugf1( ... ) do {} while (0)
24232 +#define debugf2( ... ) do {} while (0)
24233 +#define debugf3( ... ) do {} while (0)
24234 +#define debugf4( ... ) do {} while (0)
24236 #endif /* !CONFIG_EDAC_DEBUG */
24238 diff -urNp linux-2.6.37/drivers/edac/edac_mc_sysfs.c linux-2.6.37/drivers/edac/edac_mc_sysfs.c
24239 --- linux-2.6.37/drivers/edac/edac_mc_sysfs.c 2011-01-04 19:50:19.000000000 -0500
24240 +++ linux-2.6.37/drivers/edac/edac_mc_sysfs.c 2011-01-17 02:41:01.000000000 -0500
24241 @@ -762,7 +762,7 @@ static void edac_inst_grp_release(struct
24244 /* Intermediate show/store table */
24245 -static struct sysfs_ops inst_grp_ops = {
24246 +static const struct sysfs_ops inst_grp_ops = {
24247 .show = inst_grp_show,
24248 .store = inst_grp_store
24250 diff -urNp linux-2.6.37/drivers/firewire/core-cdev.c linux-2.6.37/drivers/firewire/core-cdev.c
24251 --- linux-2.6.37/drivers/firewire/core-cdev.c 2011-01-04 19:50:19.000000000 -0500
24252 +++ linux-2.6.37/drivers/firewire/core-cdev.c 2011-01-17 02:41:01.000000000 -0500
24253 @@ -1329,8 +1329,7 @@ static int init_iso_resource(struct clie
24256 if ((request->channels == 0 && request->bandwidth == 0) ||
24257 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24258 - request->bandwidth < 0)
24259 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24262 r = kmalloc(sizeof(*r), GFP_KERNEL);
24263 diff -urNp linux-2.6.37/drivers/firmware/dmi_scan.c linux-2.6.37/drivers/firmware/dmi_scan.c
24264 --- linux-2.6.37/drivers/firmware/dmi_scan.c 2011-01-04 19:50:19.000000000 -0500
24265 +++ linux-2.6.37/drivers/firmware/dmi_scan.c 2011-01-17 02:41:01.000000000 -0500
24266 @@ -442,11 +442,6 @@ void __init dmi_scan_machine(void)
24271 - * no iounmap() for that ioremap(); it would be a no-op, but
24272 - * it's so early in setup that sucker gets confused into doing
24273 - * what it shouldn't if we actually call it.
24275 p = dmi_ioremap(0xF0000, 0x10000);
24278 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.37/drivers/gpu/drm/drm_crtc_helper.c
24279 --- linux-2.6.37/drivers/gpu/drm/drm_crtc_helper.c 2011-01-04 19:50:19.000000000 -0500
24280 +++ linux-2.6.37/drivers/gpu/drm/drm_crtc_helper.c 2011-01-17 02:41:01.000000000 -0500
24281 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
24282 struct drm_crtc *tmp;
24285 - WARN(!crtc, "checking null crtc?\n");
24290 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_drv.c linux-2.6.37/drivers/gpu/drm/drm_drv.c
24291 --- linux-2.6.37/drivers/gpu/drm/drm_drv.c 2011-01-04 19:50:19.000000000 -0500
24292 +++ linux-2.6.37/drivers/gpu/drm/drm_drv.c 2011-01-17 02:41:01.000000000 -0500
24293 @@ -425,7 +425,7 @@ long drm_ioctl(struct file *filp,
24295 dev = file_priv->minor->dev;
24296 atomic_inc(&dev->ioctl_count);
24297 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24298 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24299 ++file_priv->ioctl_count;
24301 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
24302 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_fops.c linux-2.6.37/drivers/gpu/drm/drm_fops.c
24303 --- linux-2.6.37/drivers/gpu/drm/drm_fops.c 2011-01-04 19:50:19.000000000 -0500
24304 +++ linux-2.6.37/drivers/gpu/drm/drm_fops.c 2011-01-24 18:04:15.000000000 -0500
24305 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
24308 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24309 - atomic_set(&dev->counts[i], 0);
24310 + atomic_set_unchecked(&dev->counts[i], 0);
24312 dev->sigdata.lock = NULL;
24314 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
24316 retcode = drm_open_helper(inode, filp, dev);
24318 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24319 - if (!dev->open_count++)
24320 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24321 + if (local_inc_return(&dev->open_count) == 1)
24322 retcode = drm_setup(dev);
24325 @@ -470,7 +470,7 @@ int drm_release(struct inode *inode, str
24327 mutex_lock(&drm_global_mutex);
24329 - DRM_DEBUG("open_count = %d\n", dev->open_count);
24330 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
24332 if (dev->driver->preclose)
24333 dev->driver->preclose(dev, file_priv);
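Review bot: `local_read(&dev->open_count)` is passed to a `%d` conversion in `DRM_DEBUG("open_count = %d\n", ...)`, but local_read() yields a `long` in the stock kernel (local_t wraps atomic_long_t), so format and argument no longer match on 64-bit builds. Use `%ld`, or cast the value to int. The second DRM_DEBUG in the next drm_release hunk (`pid = %d, device = 0x%lx, open_count = %d`) has the same mismatch. Whether this tree's local_read() still returns long should be checked against asm/local.h.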
24334 @@ -482,7 +482,7 @@ int drm_release(struct inode *inode, str
24335 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24336 task_pid_nr(current),
24337 (long)old_encode_dev(file_priv->minor->device),
24338 - dev->open_count);
24339 + local_read(&dev->open_count));
24341 /* if the master has gone away we can't do anything with the lock */
24342 if (file_priv->minor->master)
24343 @@ -563,8 +563,8 @@ int drm_release(struct inode *inode, str
24344 * End inline drm_release
24347 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24348 - if (!--dev->open_count) {
24349 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24350 + if (local_dec_and_test(&dev->open_count)) {
24351 if (atomic_read(&dev->ioctl_count)) {
24352 DRM_ERROR("Device busy: %d\n",
24353 atomic_read(&dev->ioctl_count));
24354 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_global.c linux-2.6.37/drivers/gpu/drm/drm_global.c
24355 --- linux-2.6.37/drivers/gpu/drm/drm_global.c 2011-01-04 19:50:19.000000000 -0500
24356 +++ linux-2.6.37/drivers/gpu/drm/drm_global.c 2011-01-17 02:41:01.000000000 -0500
24358 struct drm_global_item {
24359 struct mutex mutex;
24362 + atomic_t refcount;
24365 static struct drm_global_item glob[DRM_GLOBAL_NUM];
24366 @@ -49,7 +49,7 @@ void drm_global_init(void)
24367 struct drm_global_item *item = &glob[i];
24368 mutex_init(&item->mutex);
24369 item->object = NULL;
24370 - item->refcount = 0;
24371 + atomic_set(&item->refcount, 0);
24375 @@ -59,7 +59,7 @@ void drm_global_release(void)
24376 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
24377 struct drm_global_item *item = &glob[i];
24378 BUG_ON(item->object != NULL);
24379 - BUG_ON(item->refcount != 0);
24380 + BUG_ON(atomic_read(&item->refcount) != 0);
24384 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
24387 mutex_lock(&item->mutex);
24388 - if (item->refcount == 0) {
24389 + if (atomic_read(&item->refcount) == 0) {
24390 item->object = kzalloc(ref->size, GFP_KERNEL);
24391 if (unlikely(item->object == NULL)) {
24393 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
24397 - ++item->refcount;
24398 + atomic_inc(&item->refcount);
24399 ref->object = item->object;
24400 object = item->object;
24401 mutex_unlock(&item->mutex);
24402 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
24403 struct drm_global_item *item = &glob[ref->global_type];
24405 mutex_lock(&item->mutex);
24406 - BUG_ON(item->refcount == 0);
24407 + BUG_ON(atomic_read(&item->refcount) == 0);
24408 BUG_ON(ref->object != item->object);
24409 - if (--item->refcount == 0) {
24410 + if (atomic_dec_and_test(&item->refcount)) {
24412 item->object = NULL;
24414 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_info.c linux-2.6.37/drivers/gpu/drm/drm_info.c
24415 --- linux-2.6.37/drivers/gpu/drm/drm_info.c 2011-01-04 19:50:19.000000000 -0500
24416 +++ linux-2.6.37/drivers/gpu/drm/drm_info.c 2011-01-17 02:41:01.000000000 -0500
24417 @@ -86,10 +86,14 @@ int drm_vm_info(struct seq_file *m, void
24418 struct drm_local_map *map;
24419 struct drm_map_list *r_list;
24421 - /* Hardcoded from _DRM_FRAME_BUFFER,
24422 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
24423 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
24424 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
24425 + static const char * const types[] = {
24426 + [_DRM_FRAME_BUFFER] = "FB",
24427 + [_DRM_REGISTERS] = "REG",
24428 + [_DRM_SHM] = "SHM",
24429 + [_DRM_AGP] = "AGP",
24430 + [_DRM_SCATTER_GATHER] = "SG",
24431 + [_DRM_CONSISTENT] = "PCI",
24432 + [_DRM_GEM] = "GEM" };
24436 @@ -100,7 +104,7 @@ int drm_vm_info(struct seq_file *m, void
24440 - if (map->type < 0 || map->type > 5)
24441 + if (map->type >= ARRAY_SIZE(types))
24444 type = types[map->type];
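Review bot: `map->type >= ARRAY_SIZE(types)` bounds the index, but with designated initializers any map type that has no entry in `types[]` leaves a NULL slot inside the bounds, and `type = types[map->type]` would then pass NULL to whatever prints `type` later (outside the hunk). The seven entries listed look contiguous, so this guards against a future enum value rather than a present bug; `if (map->type >= ARRAY_SIZE(types) || !types[map->type])` covers it. The dropped `map->type < 0` test is still covered only because the comparison with ARRAY_SIZE() is unsigned, which deserves a short comment. drm_vm_info continues outside the hunk.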
24445 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_ioctl.c linux-2.6.37/drivers/gpu/drm/drm_ioctl.c
24446 --- linux-2.6.37/drivers/gpu/drm/drm_ioctl.c 2011-01-04 19:50:19.000000000 -0500
24447 +++ linux-2.6.37/drivers/gpu/drm/drm_ioctl.c 2011-01-17 02:41:01.000000000 -0500
24448 @@ -353,7 +353,7 @@ int drm_getstats(struct drm_device *dev,
24449 stats->data[i].value =
24450 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
24452 - stats->data[i].value = atomic_read(&dev->counts[i]);
24453 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
24454 stats->data[i].type = dev->types[i];
24457 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_lock.c linux-2.6.37/drivers/gpu/drm/drm_lock.c
24458 --- linux-2.6.37/drivers/gpu/drm/drm_lock.c 2011-01-04 19:50:19.000000000 -0500
24459 +++ linux-2.6.37/drivers/gpu/drm/drm_lock.c 2011-01-17 02:41:01.000000000 -0500
24460 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
24461 if (drm_lock_take(&master->lock, lock->context)) {
24462 master->lock.file_priv = file_priv;
24463 master->lock.lock_time = jiffies;
24464 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
24465 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
24466 break; /* Got lock */
24469 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
24473 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
24474 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
24476 if (drm_lock_free(&master->lock, lock->context)) {
24477 /* FIXME: Should really bail out here. */
24478 diff -urNp linux-2.6.37/drivers/gpu/drm/i810/i810_dma.c linux-2.6.37/drivers/gpu/drm/i810/i810_dma.c
24479 --- linux-2.6.37/drivers/gpu/drm/i810/i810_dma.c 2011-01-04 19:50:19.000000000 -0500
24480 +++ linux-2.6.37/drivers/gpu/drm/i810/i810_dma.c 2011-01-17 02:41:01.000000000 -0500
24481 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
24482 dma->buflist[vertex->idx],
24483 vertex->discard, vertex->used);
24485 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24486 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24487 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24488 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24489 sarea_priv->last_enqueue = dev_priv->counter - 1;
24490 sarea_priv->last_dispatch = (int)hw_status[5];
24492 @@ -1114,8 +1114,8 @@ static int i810_dma_mc(struct drm_device
24493 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
24496 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24497 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24498 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24499 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24500 sarea_priv->last_enqueue = dev_priv->counter - 1;
24501 sarea_priv->last_dispatch = (int)hw_status[5];
24503 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7017.c
24504 --- linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7017.c 2011-01-04 19:50:19.000000000 -0500
24505 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7017.c 2011-01-17 02:41:01.000000000 -0500
24506 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
24510 -struct intel_dvo_dev_ops ch7017_ops = {
24511 +const struct intel_dvo_dev_ops ch7017_ops = {
24512 .init = ch7017_init,
24513 .detect = ch7017_detect,
24514 .mode_valid = ch7017_mode_valid,
24515 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7xxx.c
24516 --- linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-01-04 19:50:19.000000000 -0500
24517 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-01-17 02:41:01.000000000 -0500
24518 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
24522 -struct intel_dvo_dev_ops ch7xxx_ops = {
24523 +const struct intel_dvo_dev_ops ch7xxx_ops = {
24524 .init = ch7xxx_init,
24525 .detect = ch7xxx_detect,
24526 .mode_valid = ch7xxx_mode_valid,
24527 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo.h linux-2.6.37/drivers/gpu/drm/i915/dvo.h
24528 --- linux-2.6.37/drivers/gpu/drm/i915/dvo.h 2011-01-04 19:50:19.000000000 -0500
24529 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo.h 2011-01-17 02:41:01.000000000 -0500
24530 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
24532 * \return singly-linked list of modes or NULL if no modes found.
24534 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
24535 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
24538 * Clean up driver-specific bits of the output
24540 - void (*destroy) (struct intel_dvo_device *dvo);
24541 + void (* const destroy) (struct intel_dvo_device *dvo);
24544 * Debugging hook to dump device registers to log file
24546 - void (*dump_regs)(struct intel_dvo_device *dvo);
24547 + void (* const dump_regs)(struct intel_dvo_device *dvo);
24550 -extern struct intel_dvo_dev_ops sil164_ops;
24551 -extern struct intel_dvo_dev_ops ch7xxx_ops;
24552 -extern struct intel_dvo_dev_ops ivch_ops;
24553 -extern struct intel_dvo_dev_ops tfp410_ops;
24554 -extern struct intel_dvo_dev_ops ch7017_ops;
24555 +extern const struct intel_dvo_dev_ops sil164_ops;
24556 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
24557 +extern const struct intel_dvo_dev_ops ivch_ops;
24558 +extern const struct intel_dvo_dev_ops tfp410_ops;
24559 +extern const struct intel_dvo_dev_ops ch7017_ops;
24561 #endif /* _INTEL_DVO_H */
24562 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.37/drivers/gpu/drm/i915/dvo_ivch.c
24563 --- linux-2.6.37/drivers/gpu/drm/i915/dvo_ivch.c 2011-01-04 19:50:19.000000000 -0500
24564 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo_ivch.c 2011-01-17 02:41:01.000000000 -0500
24565 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
24569 -struct intel_dvo_dev_ops ivch_ops= {
24570 +const struct intel_dvo_dev_ops ivch_ops= {
24573 .mode_valid = ivch_mode_valid,
24574 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.37/drivers/gpu/drm/i915/dvo_sil164.c
24575 --- linux-2.6.37/drivers/gpu/drm/i915/dvo_sil164.c 2011-01-04 19:50:19.000000000 -0500
24576 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo_sil164.c 2011-01-17 02:41:01.000000000 -0500
24577 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
24581 -struct intel_dvo_dev_ops sil164_ops = {
24582 +const struct intel_dvo_dev_ops sil164_ops = {
24583 .init = sil164_init,
24584 .detect = sil164_detect,
24585 .mode_valid = sil164_mode_valid,
24586 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.37/drivers/gpu/drm/i915/dvo_tfp410.c
24587 --- linux-2.6.37/drivers/gpu/drm/i915/dvo_tfp410.c 2011-01-04 19:50:19.000000000 -0500
24588 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo_tfp410.c 2011-01-17 02:41:01.000000000 -0500
24589 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
24593 -struct intel_dvo_dev_ops tfp410_ops = {
24594 +const struct intel_dvo_dev_ops tfp410_ops = {
24595 .init = tfp410_init,
24596 .detect = tfp410_detect,
24597 .mode_valid = tfp410_mode_valid,
24598 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/i915_dma.c linux-2.6.37/drivers/gpu/drm/i915/i915_dma.c
24599 --- linux-2.6.37/drivers/gpu/drm/i915/i915_dma.c 2011-01-04 19:50:19.000000000 -0500
24600 +++ linux-2.6.37/drivers/gpu/drm/i915/i915_dma.c 2011-01-24 18:04:15.000000000 -0500
24601 @@ -1191,7 +1191,7 @@ static bool i915_switcheroo_can_switch(s
24604 spin_lock(&dev->count_lock);
24605 - can_switch = (dev->open_count == 0);
24606 + can_switch = (local_read(&dev->open_count) == 0);
24607 spin_unlock(&dev->count_lock);
24610 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/i915_drv.c linux-2.6.37/drivers/gpu/drm/i915/i915_drv.c
24611 --- linux-2.6.37/drivers/gpu/drm/i915/i915_drv.c 2011-01-04 19:50:19.000000000 -0500
24612 +++ linux-2.6.37/drivers/gpu/drm/i915/i915_drv.c 2011-01-17 02:41:01.000000000 -0500
24613 @@ -579,7 +579,7 @@ static const struct dev_pm_ops i915_pm_o
24614 .restore = i915_pm_resume,
24617 -static struct vm_operations_struct i915_gem_vm_ops = {
24618 +static const struct vm_operations_struct i915_gem_vm_ops = {
24619 .fault = i915_gem_fault,
24620 .open = drm_gem_vm_open,
24621 .close = drm_gem_vm_close,
24622 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/i915_gem.c linux-2.6.37/drivers/gpu/drm/i915/i915_gem.c
24623 --- linux-2.6.37/drivers/gpu/drm/i915/i915_gem.c 2011-01-04 19:50:19.000000000 -0500
24624 +++ linux-2.6.37/drivers/gpu/drm/i915/i915_gem.c 2011-01-17 02:41:01.000000000 -0500
24625 @@ -587,6 +587,7 @@ i915_gem_pread_ioctl(struct drm_device *
24630 if (!i915_gem_object_needs_bit17_swizzle(obj))
24631 ret = i915_gem_shmem_pread_fast(dev, obj, args, file_priv);
24632 if (ret == -EFAULT)
24633 diff -urNp linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_backlight.c
24634 --- linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_backlight.c 2011-01-04 19:50:19.000000000 -0500
24635 +++ linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_backlight.c 2011-01-17 02:41:01.000000000 -0500
24636 @@ -59,7 +59,7 @@ static int nv40_set_intensity(struct bac
24640 -static struct backlight_ops nv40_bl_ops = {
24641 +static const struct backlight_ops nv40_bl_ops = {
24642 .options = BL_CORE_SUSPENDRESUME,
24643 .get_brightness = nv40_get_intensity,
24644 .update_status = nv40_set_intensity,
24645 @@ -82,7 +82,7 @@ static int nv50_set_intensity(struct bac
24649 -static struct backlight_ops nv50_bl_ops = {
24650 +static const struct backlight_ops nv50_bl_ops = {
24651 .options = BL_CORE_SUSPENDRESUME,
24652 .get_brightness = nv50_get_intensity,
24653 .update_status = nv50_set_intensity,
24654 diff -urNp linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_state.c
24655 --- linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_state.c 2011-01-04 19:50:19.000000000 -0500
24656 +++ linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_state.c 2011-01-24 18:04:15.000000000 -0500
24657 @@ -546,7 +546,7 @@ static bool nouveau_switcheroo_can_switc
24660 spin_lock(&dev->count_lock);
24661 - can_switch = (dev->open_count == 0);
24662 + can_switch = (local_read(&dev->open_count) == 0);
24663 spin_unlock(&dev->count_lock);
24666 diff -urNp linux-2.6.37/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.37/drivers/gpu/drm/radeon/mkregtable.c
24667 --- linux-2.6.37/drivers/gpu/drm/radeon/mkregtable.c 2011-01-04 19:50:19.000000000 -0500
24668 +++ linux-2.6.37/drivers/gpu/drm/radeon/mkregtable.c 2011-01-17 02:41:01.000000000 -0500
24669 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
24671 regmatch_t match[4];
24679 struct offset *offset;
24680 char last_reg_s[10];
24682 + unsigned long last_reg;
24685 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
24686 diff -urNp linux-2.6.37/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.37/drivers/gpu/drm/radeon/radeon_device.c
24687 --- linux-2.6.37/drivers/gpu/drm/radeon/radeon_device.c 2011-01-04 19:50:19.000000000 -0500
24688 +++ linux-2.6.37/drivers/gpu/drm/radeon/radeon_device.c 2011-01-24 18:04:15.000000000 -0500
24689 @@ -659,7 +659,7 @@ static bool radeon_switcheroo_can_switch
24692 spin_lock(&dev->count_lock);
24693 - can_switch = (dev->open_count == 0);
24694 + can_switch = (local_read(&dev->open_count) == 0);
24695 spin_unlock(&dev->count_lock);
24698 diff -urNp linux-2.6.37/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.37/drivers/gpu/drm/radeon/radeon_state.c
24699 --- linux-2.6.37/drivers/gpu/drm/radeon/radeon_state.c 2011-01-04 19:50:19.000000000 -0500
24700 +++ linux-2.6.37/drivers/gpu/drm/radeon/radeon_state.c 2011-01-17 02:41:01.000000000 -0500
24701 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
24702 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
24703 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
24705 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24706 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24707 sarea_priv->nbox * sizeof(depth_boxes[0])))
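Review bot: The added bound test reads `sarea_priv->nbox` again, and the length expression on the following line reads it a third time, so the check and the copy are not guaranteed to see the same value. If `sarea_priv` points into memory that user space can write concurrently (the SAREA is shared with clients as far as I know; please confirm), both the clamp two lines up and this test can pass while the multiplication uses a larger count. Snapshot the field once with `unsigned int nbox = sarea_priv->nbox;`, clamp `nbox`, and pass `nbox * sizeof(depth_boxes[0])` to DRM_COPY_FROM_USER. radeon_cp_clear starts and ends outside the hunk.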
24710 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
24712 drm_radeon_private_t *dev_priv = dev->dev_private;
24713 drm_radeon_getparam_t *param = data;
24717 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
24719 diff -urNp linux-2.6.37/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.37/drivers/gpu/drm/radeon/radeon_ttm.c
24720 --- linux-2.6.37/drivers/gpu/drm/radeon/radeon_ttm.c 2011-01-04 19:50:19.000000000 -0500
24721 +++ linux-2.6.37/drivers/gpu/drm/radeon/radeon_ttm.c 2011-01-17 02:41:01.000000000 -0500
24722 @@ -589,8 +589,9 @@ void radeon_ttm_fini(struct radeon_devic
24723 DRM_INFO("radeon: ttm finalized\n");
24726 -static struct vm_operations_struct radeon_ttm_vm_ops;
24727 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
24728 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
24729 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
24730 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
24732 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
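Review bot: The three `extern` prototypes for ttm_bo_vm_fault, ttm_bo_vm_open and ttm_bo_vm_close are declared locally in this .c file, so the compiler cannot check them against the definitions in ttm_bo_vm.c that this patch exports. If a signature changes there, this file still builds and calls through a mismatched prototype. Declare the three functions in a TTM header that both ttm_bo_vm.c and radeon_ttm.c include, and drop the local `extern` lines.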
24734 @@ -598,17 +599,22 @@ static int radeon_ttm_fault(struct vm_ar
24735 struct radeon_device *rdev;
24738 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
24739 - if (bo == NULL) {
24740 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
24742 return VM_FAULT_NOPAGE;
24744 rdev = radeon_get_rdev(bo->bdev);
24745 mutex_lock(&rdev->vram_mutex);
24746 - r = ttm_vm_ops->fault(vma, vmf);
24747 + r = ttm_bo_vm_fault(vma, vmf);
24748 mutex_unlock(&rdev->vram_mutex);
24752 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
24753 + .fault = radeon_ttm_fault,
24754 + .open = ttm_bo_vm_open,
24755 + .close = ttm_bo_vm_close
24758 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
24760 struct drm_file *file_priv;
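Review bot: `radeon_ttm_vm_ops` now hard-codes `.fault`, `.open` and `.close`, whereas the code removed from radeon_mmap in the next hunk copied whatever table ttm_bo_mmap had installed and overrode only `.fault`. Any callback later added to the TTM table would silently be missing from this one. A comment above the initializer would record that dependency and the reason for the change, for example `/* must mirror ttm_bo_vm_ops except for .fault; const so the table can live in read-only data */`.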
24761 @@ -621,18 +627,11 @@ int radeon_mmap(struct file *filp, struc
24763 file_priv = filp->private_data;
24764 rdev = file_priv->minor->dev->dev_private;
24765 - if (rdev == NULL) {
24769 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
24770 - if (unlikely(r != 0)) {
24774 - if (unlikely(ttm_vm_ops == NULL)) {
24775 - ttm_vm_ops = vma->vm_ops;
24776 - radeon_ttm_vm_ops = *ttm_vm_ops;
24777 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
24779 vma->vm_ops = &radeon_ttm_vm_ops;
24782 diff -urNp linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo.c
24783 --- linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo.c 2011-01-04 19:50:19.000000000 -0500
24784 +++ linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo.c 2011-01-17 02:41:01.000000000 -0500
24786 #include <asm/atomic.h>
24788 #define TTM_ASSERT_LOCKED(param)
24789 -#define TTM_DEBUG(fmt, arg...)
24790 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
24791 #define TTM_BO_HASH_ORDER 13
24793 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
24794 diff -urNp linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo_vm.c
24795 --- linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-01-04 19:50:19.000000000 -0500
24796 +++ linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-01-17 02:41:01.000000000 -0500
24797 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
24801 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24802 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24804 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
24805 vma->vm_private_data;
24806 - struct ttm_bo_device *bdev = bo->bdev;
24807 + struct ttm_bo_device *bdev;
24808 unsigned long page_offset;
24809 unsigned long page_last;
24811 @@ -84,6 +84,10 @@ static int ttm_bo_vm_fault(struct vm_are
24812 unsigned long address = (unsigned long)vmf->virtual_address;
24813 int retval = VM_FAULT_NOPAGE;
24816 + return VM_FAULT_NOPAGE;
24820 * Work around locking order reversal in fault / nopfn
24821 * between mmap_sem and bo_reserve: Perform a trylock operation
24822 @@ -212,22 +216,25 @@ out_unlock:
24823 ttm_bo_unreserve(bo);
24826 +EXPORT_SYMBOL(ttm_bo_vm_fault);
24828 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
24829 +void ttm_bo_vm_open(struct vm_area_struct *vma)
24831 struct ttm_buffer_object *bo =
24832 (struct ttm_buffer_object *)vma->vm_private_data;
24834 (void)ttm_bo_reference(bo);
24836 +EXPORT_SYMBOL(ttm_bo_vm_open);
24838 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
24839 +void ttm_bo_vm_close(struct vm_area_struct *vma)
24841 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
24844 vma->vm_private_data = NULL;
24846 +EXPORT_SYMBOL(ttm_bo_vm_close);
24848 static const struct vm_operations_struct ttm_bo_vm_ops = {
24849 .fault = ttm_bo_vm_fault,
24850 diff -urNp linux-2.6.37/drivers/hid/usbhid/hiddev.c linux-2.6.37/drivers/hid/usbhid/hiddev.c
24851 --- linux-2.6.37/drivers/hid/usbhid/hiddev.c 2011-01-04 19:50:19.000000000 -0500
24852 +++ linux-2.6.37/drivers/hid/usbhid/hiddev.c 2011-01-17 02:41:01.000000000 -0500
24853 @@ -611,7 +611,7 @@ static long hiddev_ioctl(struct file *fi
24854 return put_user(HID_VERSION, (int __user *)arg);
24856 case HIDIOCAPPLICATION:
24857 - if (arg < 0 || arg >= hid->maxapplication)
24858 + if (arg >= hid->maxapplication)
24861 for (i = 0; i < hid->maxcollection; i++)
24862 diff -urNp linux-2.6.37/drivers/hwmon/k8temp.c linux-2.6.37/drivers/hwmon/k8temp.c
24863 --- linux-2.6.37/drivers/hwmon/k8temp.c 2011-01-04 19:50:19.000000000 -0500
24864 +++ linux-2.6.37/drivers/hwmon/k8temp.c 2011-01-17 02:41:01.000000000 -0500
24865 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
24867 static const struct pci_device_id k8temp_ids[] = {
24868 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
24870 + { 0, 0, 0, 0, 0, 0, 0 },
24873 MODULE_DEVICE_TABLE(pci, k8temp_ids);
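Review bot: The terminator `{ 0, 0, 0, 0, 0, 0, 0 }` spells out one zero per member of struct pci_device_id, which ties the table to the current member count and order. The same positional form is added in sis5595.c, via686a.c, vt8231.c, i2c-i801.c, i2c-piix4.c, i2c-sis630.c and i2c-sis96x.c, and the DMI tables get `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }`; this entry also ends in a comma while the others do not. If the aim is to quiet a missing-initializer warning (an assumption, the patch does not say), a designated form such as `{ .vendor = 0 }	/* terminator */` does the same without depending on the struct layout.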
24874 diff -urNp linux-2.6.37/drivers/hwmon/sis5595.c linux-2.6.37/drivers/hwmon/sis5595.c
24875 --- linux-2.6.37/drivers/hwmon/sis5595.c 2011-01-04 19:50:19.000000000 -0500
24876 +++ linux-2.6.37/drivers/hwmon/sis5595.c 2011-01-17 02:41:01.000000000 -0500
24877 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
24879 static const struct pci_device_id sis5595_pci_ids[] = {
24880 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24882 + { 0, 0, 0, 0, 0, 0, 0 }
24885 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
24886 diff -urNp linux-2.6.37/drivers/hwmon/via686a.c linux-2.6.37/drivers/hwmon/via686a.c
24887 --- linux-2.6.37/drivers/hwmon/via686a.c 2011-01-04 19:50:19.000000000 -0500
24888 +++ linux-2.6.37/drivers/hwmon/via686a.c 2011-01-17 02:41:01.000000000 -0500
24889 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
24891 static const struct pci_device_id via686a_pci_ids[] = {
24892 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
24894 + { 0, 0, 0, 0, 0, 0, 0 }
24897 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
24898 diff -urNp linux-2.6.37/drivers/hwmon/vt8231.c linux-2.6.37/drivers/hwmon/vt8231.c
24899 --- linux-2.6.37/drivers/hwmon/vt8231.c 2011-01-04 19:50:19.000000000 -0500
24900 +++ linux-2.6.37/drivers/hwmon/vt8231.c 2011-01-17 02:41:01.000000000 -0500
24901 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
24903 static const struct pci_device_id vt8231_pci_ids[] = {
24904 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
24906 + { 0, 0, 0, 0, 0, 0, 0 }
24909 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
24910 diff -urNp linux-2.6.37/drivers/hwmon/w83791d.c linux-2.6.37/drivers/hwmon/w83791d.c
24911 --- linux-2.6.37/drivers/hwmon/w83791d.c 2011-01-04 19:50:19.000000000 -0500
24912 +++ linux-2.6.37/drivers/hwmon/w83791d.c 2011-01-17 02:41:01.000000000 -0500
24913 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
24914 struct i2c_board_info *info);
24915 static int w83791d_remove(struct i2c_client *client);
24917 -static int w83791d_read(struct i2c_client *client, u8 register);
24918 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
24919 +static int w83791d_read(struct i2c_client *client, u8 reg);
24920 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
24921 static struct w83791d_data *w83791d_update_device(struct device *dev);
24924 diff -urNp linux-2.6.37/drivers/i2c/busses/i2c-i801.c linux-2.6.37/drivers/i2c/busses/i2c-i801.c
24925 --- linux-2.6.37/drivers/i2c/busses/i2c-i801.c 2011-01-04 19:50:19.000000000 -0500
24926 +++ linux-2.6.37/drivers/i2c/busses/i2c-i801.c 2011-01-17 02:41:01.000000000 -0500
24927 @@ -620,7 +620,7 @@ static const struct pci_device_id i801_i
24928 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF0) },
24929 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF1) },
24930 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF2) },
24932 + { 0, 0, 0, 0, 0, 0, 0 }
24935 MODULE_DEVICE_TABLE(pci, i801_ids);
24936 diff -urNp linux-2.6.37/drivers/i2c/busses/i2c-piix4.c linux-2.6.37/drivers/i2c/busses/i2c-piix4.c
24937 --- linux-2.6.37/drivers/i2c/busses/i2c-piix4.c 2011-01-04 19:50:19.000000000 -0500
24938 +++ linux-2.6.37/drivers/i2c/busses/i2c-piix4.c 2011-01-17 02:41:01.000000000 -0500
24939 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
24941 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
24944 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
24947 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
24948 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
24949 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
24950 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
24951 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
24953 + { 0, 0, 0, 0, 0, 0, 0 }
24956 MODULE_DEVICE_TABLE (pci, piix4_ids);
24957 diff -urNp linux-2.6.37/drivers/i2c/busses/i2c-sis630.c linux-2.6.37/drivers/i2c/busses/i2c-sis630.c
24958 --- linux-2.6.37/drivers/i2c/busses/i2c-sis630.c 2011-01-04 19:50:19.000000000 -0500
24959 +++ linux-2.6.37/drivers/i2c/busses/i2c-sis630.c 2011-01-17 02:41:01.000000000 -0500
24960 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
24961 static const struct pci_device_id sis630_ids[] __devinitconst = {
24962 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24963 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
24965 + { 0, 0, 0, 0, 0, 0, 0 }
24968 MODULE_DEVICE_TABLE (pci, sis630_ids);
24969 diff -urNp linux-2.6.37/drivers/i2c/busses/i2c-sis96x.c linux-2.6.37/drivers/i2c/busses/i2c-sis96x.c
24970 --- linux-2.6.37/drivers/i2c/busses/i2c-sis96x.c 2011-01-04 19:50:19.000000000 -0500
24971 +++ linux-2.6.37/drivers/i2c/busses/i2c-sis96x.c 2011-01-17 02:41:01.000000000 -0500
24972 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
24974 static const struct pci_device_id sis96x_ids[] = {
24975 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
24977 + { 0, 0, 0, 0, 0, 0, 0 }
24980 MODULE_DEVICE_TABLE (pci, sis96x_ids);
24981 diff -urNp linux-2.6.37/drivers/ide/ide-cd.c linux-2.6.37/drivers/ide/ide-cd.c
24982 --- linux-2.6.37/drivers/ide/ide-cd.c 2011-01-04 19:50:19.000000000 -0500
24983 +++ linux-2.6.37/drivers/ide/ide-cd.c 2011-01-17 02:41:01.000000000 -0500
24984 @@ -776,7 +776,7 @@ static void cdrom_do_block_pc(ide_drive_
24985 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
24986 if ((unsigned long)buf & alignment
24987 || blk_rq_bytes(rq) & q->dma_pad_mask
24988 - || object_is_on_stack(buf))
24989 + || object_starts_on_stack(buf))
24993 diff -urNp linux-2.6.37/drivers/infiniband/core/cm.c linux-2.6.37/drivers/infiniband/core/cm.c
24994 --- linux-2.6.37/drivers/infiniband/core/cm.c 2011-01-04 19:50:19.000000000 -0500
24995 +++ linux-2.6.37/drivers/infiniband/core/cm.c 2011-01-17 02:41:01.000000000 -0500
24996 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
24998 struct cm_counter_group {
24999 struct kobject obj;
25000 - atomic_long_t counter[CM_ATTR_COUNT];
25001 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
25004 struct cm_counter_attribute {
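Review bot: The switch of `counter[]` to `atomic_long_unchecked_t` has no comment saying why these counters are exempt from overflow checking, and every later hunk in this file follows from that one decision. From what the hunks show, the counters are only incremented or added to and then printed by cm_show_counter, so they look like plain statistics where wrap-around is harmless; that is an inference to confirm. I would record it at the field, for example `/* statistics only, never a reference count; wrap-around is harmless */`.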
25005 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
25006 struct ib_mad_send_buf *msg = NULL;
25009 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25010 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25011 counter[CM_REQ_COUNTER]);
25013 /* Quick state check to discard duplicate REQs. */
25014 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
25018 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25019 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25020 counter[CM_REP_COUNTER]);
25021 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
25023 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
25024 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
25025 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
25026 spin_unlock_irq(&cm_id_priv->lock);
25027 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25028 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25029 counter[CM_RTU_COUNTER]);
25032 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
25033 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
25034 dreq_msg->local_comm_id);
25036 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25037 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25038 counter[CM_DREQ_COUNTER]);
25039 cm_issue_drep(work->port, work->mad_recv_wc);
25041 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
25042 case IB_CM_MRA_REP_RCVD:
25044 case IB_CM_TIMEWAIT:
25045 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25046 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25047 counter[CM_DREQ_COUNTER]);
25048 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25050 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
25053 case IB_CM_DREQ_RCVD:
25054 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25055 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25056 counter[CM_DREQ_COUNTER]);
25059 @@ -2504,7 +2504,7 @@ static int cm_mra_handler(struct cm_work
25060 ib_modify_mad(cm_id_priv->av.port->mad_agent,
25061 cm_id_priv->msg, timeout)) {
25062 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25063 - atomic_long_inc(&work->port->
25064 + atomic_long_inc_unchecked(&work->port->
25065 counter_group[CM_RECV_DUPLICATES].
25066 counter[CM_MRA_COUNTER]);
25068 @@ -2513,7 +2513,7 @@ static int cm_mra_handler(struct cm_work
25070 case IB_CM_MRA_REQ_RCVD:
25071 case IB_CM_MRA_REP_RCVD:
25072 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25073 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25074 counter[CM_MRA_COUNTER]);
25077 @@ -2675,7 +2675,7 @@ static int cm_lap_handler(struct cm_work
25078 case IB_CM_LAP_IDLE:
25080 case IB_CM_MRA_LAP_SENT:
25081 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25082 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25083 counter[CM_LAP_COUNTER]);
25084 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25086 @@ -2691,7 +2691,7 @@ static int cm_lap_handler(struct cm_work
25089 case IB_CM_LAP_RCVD:
25090 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25091 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25092 counter[CM_LAP_COUNTER]);
25095 @@ -2975,7 +2975,7 @@ static int cm_sidr_req_handler(struct cm
25096 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25097 if (cur_cm_id_priv) {
25098 spin_unlock_irq(&cm.lock);
25099 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25100 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25101 counter[CM_SIDR_REQ_COUNTER]);
25102 goto out; /* Duplicate message. */
25104 @@ -3186,10 +3186,10 @@ static void cm_send_handler(struct ib_ma
25105 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25108 - atomic_long_add(1 + msg->retries,
25109 + atomic_long_add_unchecked(1 + msg->retries,
25110 &port->counter_group[CM_XMIT].counter[attr_index]);
25112 - atomic_long_add(msg->retries,
25113 + atomic_long_add_unchecked(msg->retries,
25114 &port->counter_group[CM_XMIT_RETRIES].
25115 counter[attr_index]);
25117 @@ -3399,7 +3399,7 @@ static void cm_recv_handler(struct ib_ma
25120 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25121 - atomic_long_inc(&port->counter_group[CM_RECV].
25122 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25123 counter[attr_id - CM_ATTR_ID_OFFSET]);
25125 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
25126 @@ -3597,7 +3597,7 @@ static ssize_t cm_show_counter(struct ko
25127 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25129 return sprintf(buf, "%ld\n",
25130 - atomic_long_read(&group->counter[cm_attr->index]));
25131 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25134 static const struct sysfs_ops cm_counter_ops = {
25135 diff -urNp linux-2.6.37/drivers/infiniband/hw/qib/qib.h linux-2.6.37/drivers/infiniband/hw/qib/qib.h
25136 --- linux-2.6.37/drivers/infiniband/hw/qib/qib.h 2011-01-04 19:50:19.000000000 -0500
25137 +++ linux-2.6.37/drivers/infiniband/hw/qib/qib.h 2011-01-17 02:41:01.000000000 -0500
25139 #include <linux/completion.h>
25140 #include <linux/kref.h>
25141 #include <linux/sched.h>
25142 +#include <linux/slab.h>
25144 #include "qib_common.h"
25145 #include "qib_verbs.h"
25146 diff -urNp linux-2.6.37/drivers/input/keyboard/atkbd.c linux-2.6.37/drivers/input/keyboard/atkbd.c
25147 --- linux-2.6.37/drivers/input/keyboard/atkbd.c 2011-01-04 19:50:19.000000000 -0500
25148 +++ linux-2.6.37/drivers/input/keyboard/atkbd.c 2011-01-17 02:41:01.000000000 -0500
25149 @@ -1250,7 +1250,7 @@ static struct serio_device_id atkbd_seri
25151 .extra = SERIO_ANY,
25157 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
25158 diff -urNp linux-2.6.37/drivers/input/mouse/lifebook.c linux-2.6.37/drivers/input/mouse/lifebook.c
25159 --- linux-2.6.37/drivers/input/mouse/lifebook.c 2011-01-04 19:50:19.000000000 -0500
25160 +++ linux-2.6.37/drivers/input/mouse/lifebook.c 2011-01-17 02:41:01.000000000 -0500
25161 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
25162 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
25166 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
25169 void __init lifebook_module_init(void)
25170 diff -urNp linux-2.6.37/drivers/input/mouse/psmouse-base.c linux-2.6.37/drivers/input/mouse/psmouse-base.c
25171 --- linux-2.6.37/drivers/input/mouse/psmouse-base.c 2011-01-04 19:50:19.000000000 -0500
25172 +++ linux-2.6.37/drivers/input/mouse/psmouse-base.c 2011-01-17 02:41:01.000000000 -0500
25173 @@ -1462,7 +1462,7 @@ static struct serio_device_id psmouse_se
25175 .extra = SERIO_ANY,
25181 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
25182 diff -urNp linux-2.6.37/drivers/input/mouse/synaptics.c linux-2.6.37/drivers/input/mouse/synaptics.c
25183 --- linux-2.6.37/drivers/input/mouse/synaptics.c 2011-01-04 19:50:19.000000000 -0500
25184 +++ linux-2.6.37/drivers/input/mouse/synaptics.c 2011-01-17 02:41:01.000000000 -0500
25185 @@ -499,7 +499,7 @@ static void synaptics_process_packet(str
25188 if (SYN_MODEL_PEN(priv->model_id))
25189 - ; /* Nothing, treat a pen as a single finger */
25190 + break; /* Nothing, treat a pen as a single finger */
25193 if (SYN_CAP_PALMDETECT(priv->capabilities))
25194 @@ -729,7 +729,6 @@ static const struct dmi_system_id __init
25195 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
25196 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
25201 /* Toshiba Portege M300 */
25202 @@ -738,9 +737,8 @@ static const struct dmi_system_id __init
25203 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
25204 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
25209 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25213 diff -urNp linux-2.6.37/drivers/input/mousedev.c linux-2.6.37/drivers/input/mousedev.c
25214 --- linux-2.6.37/drivers/input/mousedev.c 2011-01-04 19:50:19.000000000 -0500
25215 +++ linux-2.6.37/drivers/input/mousedev.c 2011-01-17 02:41:01.000000000 -0500
25216 @@ -762,7 +762,7 @@ static ssize_t mousedev_read(struct file
25218 spin_unlock_irq(&client->packet_lock);
25220 - if (copy_to_user(buffer, data, count))
25221 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
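Review bot: The new `count > sizeof(data)` test runs after `spin_unlock_irq(&client->packet_lock)`, so it guards only the copy out to user space. The code that fills `data` is above the hunk; if it copies `count` bytes into `data` while holding the lock (please confirm), an oversized `count` would already have overrun the buffer before this test is reached. In that case the bound belongs ahead of the fill, for example `if (count > sizeof(data)) count = sizeof(data);` before the lock is taken. The test is also meaningful only if `data` is an array in this scope rather than a pointer. mousedev_read starts and ends outside the hunk.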
25225 @@ -1065,7 +1065,7 @@ static struct input_handler mousedev_han
25227 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25228 static struct miscdevice psaux_mouse = {
25229 - PSMOUSE_MINOR, "psaux", &mousedev_fops
25230 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25232 static int psaux_registered;
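Review bot: The `psaux_mouse` initializer is extended positionally with `{NULL, NULL}, NULL, NULL`, which depends on the exact member order and count of struct miscdevice and says nothing about which members are being set. Designated initializers state the three meaningful values and leave every other member zeroed whatever the layout: `.minor = PSMOUSE_MINOR, .name = "psaux", .fops = &mousedev_fops,`.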
25234 diff -urNp linux-2.6.37/drivers/input/serio/i8042-x86ia64io.h linux-2.6.37/drivers/input/serio/i8042-x86ia64io.h
25235 --- linux-2.6.37/drivers/input/serio/i8042-x86ia64io.h 2011-01-04 19:50:19.000000000 -0500
25236 +++ linux-2.6.37/drivers/input/serio/i8042-x86ia64io.h 2011-01-17 02:41:01.000000000 -0500
25237 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
25238 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25242 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25246 @@ -424,7 +424,7 @@ static const struct dmi_system_id __init
25247 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
25251 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25254 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
25255 @@ -498,7 +498,7 @@ static const struct dmi_system_id __init
25256 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
25260 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25264 @@ -517,7 +517,7 @@ static const struct dmi_system_id __init
25265 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
25269 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25272 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
25273 @@ -541,7 +541,7 @@ static const struct dmi_system_id __init
25274 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
25278 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25282 @@ -615,7 +615,7 @@ static const struct dmi_system_id __init
25283 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
25287 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25290 #endif /* CONFIG_X86 */
25291 diff -urNp linux-2.6.37/drivers/input/serio/serio_raw.c linux-2.6.37/drivers/input/serio/serio_raw.c
25292 --- linux-2.6.37/drivers/input/serio/serio_raw.c 2011-01-04 19:50:19.000000000 -0500
25293 +++ linux-2.6.37/drivers/input/serio/serio_raw.c 2011-01-17 02:41:01.000000000 -0500
25294 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
25296 .extra = SERIO_ANY,
25302 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
25303 diff -urNp linux-2.6.37/drivers/isdn/gigaset/common.c linux-2.6.37/drivers/isdn/gigaset/common.c
25304 --- linux-2.6.37/drivers/isdn/gigaset/common.c 2011-01-04 19:50:19.000000000 -0500
25305 +++ linux-2.6.37/drivers/isdn/gigaset/common.c 2011-01-24 18:04:15.000000000 -0500
25306 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
25307 cs->commands_pending = 0;
25308 cs->cur_at_seq = 0;
25310 - cs->open_count = 0;
25311 + local_set(&cs->open_count, 0);
25314 cs->tty_dev = NULL;
25315 diff -urNp linux-2.6.37/drivers/isdn/gigaset/gigaset.h linux-2.6.37/drivers/isdn/gigaset/gigaset.h
25316 --- linux-2.6.37/drivers/isdn/gigaset/gigaset.h 2011-01-04 19:50:19.000000000 -0500
25317 +++ linux-2.6.37/drivers/isdn/gigaset/gigaset.h 2011-01-25 20:24:56.000000000 -0500
25319 #include <linux/tty_driver.h>
25320 #include <linux/list.h>
25321 #include <asm/atomic.h>
25322 +#include <asm/local.h>
25324 #define GIG_VERSION {0, 5, 0, 0}
25325 #define GIG_COMPAT {0, 4, 0, 0}
25326 @@ -433,7 +434,7 @@ struct cardstate {
25327 spinlock_t cmdlock;
25328 unsigned curlen, cmdbytes;
25330 - unsigned open_count;
25331 + local_t open_count;
25332 struct tty_struct *tty;
25333 struct tasklet_struct if_wake_tasklet;
25334 unsigned control_state;
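Review bot: `open_count` becomes a `local_t`, a type the kernel documents for per-CPU counters whose operations are atomic only with respect to the current CPU. This field is per device in struct cardstate and is updated from if_open and if_close in interface.c, so the conversion is correct only if every access is serialized by a lock, and that lock is not visible in these hunks. Either document it at the field, e.g. `local_t open_count; /* protected by cs->mutex */` (lock name to be confirmed against interface.c), or use `atomic_t` if any access can happen without the lock.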
25335 diff -urNp linux-2.6.37/drivers/isdn/gigaset/interface.c linux-2.6.37/drivers/isdn/gigaset/interface.c
25336 --- linux-2.6.37/drivers/isdn/gigaset/interface.c 2011-01-04 19:50:19.000000000 -0500
25337 +++ linux-2.6.37/drivers/isdn/gigaset/interface.c 2011-01-24 18:04:15.000000000 -0500
25338 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
25339 return -ERESTARTSYS;
25340 tty->driver_data = cs;
25342 - ++cs->open_count;
25344 - if (cs->open_count == 1) {
25345 + if (local_inc_return(&cs->open_count) == 1) {
25346 spin_lock_irqsave(&cs->lock, flags);
25348 spin_unlock_irqrestore(&cs->lock, flags);
25349 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
25351 if (!cs->connected)
25352 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25353 - else if (!cs->open_count)
25354 + else if (!local_read(&cs->open_count))
25355 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25357 - if (!--cs->open_count) {
25358 + if (!local_dec_return(&cs->open_count)) {
25359 spin_lock_irqsave(&cs->lock, flags);
25361 spin_unlock_irqrestore(&cs->lock, flags);
25362 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
25363 if (!cs->connected) {
25364 gig_dbg(DEBUG_IF, "not connected");
25366 - } else if (!cs->open_count)
25367 + } else if (!local_read(&cs->open_count))
25368 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25371 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
25375 - if (!cs->open_count) {
25376 + if (!local_read(&cs->open_count)) {
25377 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25380 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
25381 if (!cs->connected) {
25382 gig_dbg(DEBUG_IF, "not connected");
25384 - } else if (!cs->open_count)
25385 + } else if (!local_read(&cs->open_count))
25386 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25387 else if (cs->mstate != MS_LOCKED) {
25388 dev_warn(cs->dev, "can't write to unlocked device\n");
25389 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
25391 if (!cs->connected)
25392 gig_dbg(DEBUG_IF, "not connected");
25393 - else if (!cs->open_count)
25394 + else if (!local_read(&cs->open_count))
25395 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25396 else if (cs->mstate != MS_LOCKED)
25397 dev_warn(cs->dev, "can't write to unlocked device\n");
25398 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
25400 if (!cs->connected)
25401 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25402 - else if (!cs->open_count)
25403 + else if (!local_read(&cs->open_count))
25404 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25406 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25407 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
25409 if (!cs->connected)
25410 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25411 - else if (!cs->open_count)
25412 + else if (!local_read(&cs->open_count))
25413 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25415 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25416 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
25420 - if (!cs->open_count) {
25421 + if (!local_read(&cs->open_count)) {
25422 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25425 diff -urNp linux-2.6.37/drivers/isdn/hardware/avm/b1.c linux-2.6.37/drivers/isdn/hardware/avm/b1.c
25426 --- linux-2.6.37/drivers/isdn/hardware/avm/b1.c 2011-01-04 19:50:19.000000000 -0500
25427 +++ linux-2.6.37/drivers/isdn/hardware/avm/b1.c 2011-01-17 02:41:01.000000000 -0500
25428 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
25431 if (t4file->user) {
25432 - if (copy_from_user(buf, dp, left))
25433 + if (left > sizeof buf || copy_from_user(buf, dp, left))
25436 memcpy(buf, dp, left);
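Review bot: The added `left > sizeof buf` test is attached only to the copy_from_user branch, while the `memcpy(buf, dp, left)` in the other branch copies the same `left` bytes into the same `buf` without it. Hoisting the test above `if (t4file->user)` covers both paths, e.g. `if (left > sizeof buf) return -EFAULT;`, with the error value matched to what the function returns nearby, which is outside the hunk. The same shape recurs in b1_load_config in the next hunk and in icn_writecmd in icn.c. Whether `left` is already bounded by code above the hunk cannot be seen from here.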
25437 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
25440 if (config->user) {
25441 - if (copy_from_user(buf, dp, left))
25442 + if (left > sizeof buf || copy_from_user(buf, dp, left))
25445 memcpy(buf, dp, left);
25446 diff -urNp linux-2.6.37/drivers/isdn/icn/icn.c linux-2.6.37/drivers/isdn/icn/icn.c
25447 --- linux-2.6.37/drivers/isdn/icn/icn.c 2011-01-04 19:50:19.000000000 -0500
25448 +++ linux-2.6.37/drivers/isdn/icn/icn.c 2011-01-17 02:41:01.000000000 -0500
25449 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
25453 - if (copy_from_user(msg, buf, count))
25454 + if (count > sizeof msg || copy_from_user(msg, buf, count))
25457 memcpy(msg, buf, count);
25458 diff -urNp linux-2.6.37/drivers/lguest/core.c linux-2.6.37/drivers/lguest/core.c
25459 --- linux-2.6.37/drivers/lguest/core.c 2011-01-04 19:50:19.000000000 -0500
25460 +++ linux-2.6.37/drivers/lguest/core.c 2011-01-17 02:41:01.000000000 -0500
25461 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
25462 * it's worked so far. The end address needs +1 because __get_vm_area
25463 * allocates an extra guard page, so we need space for that.
25466 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25467 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25468 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
25469 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25471 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25472 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
25473 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25476 if (!switcher_vma) {
25478 printk("lguest: could not map switcher pages high\n");
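Review bot: The `#if` block duplicates the whole `__get_vm_area()` call only to add `VM_KERNEXEC` to the flags, so the size and address arguments now have to be kept in sync in two places. Compute the flags once and keep a single call: declare `unsigned long vm_flags = VM_ALLOC;`, put `vm_flags |= VM_KERNEXEC;` inside the same `#if` condition, and pass `vm_flags` as the second argument. map_switcher starts and ends outside the hunk.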
25479 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
25480 * Now the Switcher is mapped at the right address, we can't fail!
25481 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
25483 - memcpy(switcher_vma->addr, start_switcher_text,
25484 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
25485 end_switcher_text - start_switcher_text);
25487 printk(KERN_INFO "lguest: mapped switcher at %p\n",
25488 diff -urNp linux-2.6.37/drivers/lguest/x86/core.c linux-2.6.37/drivers/lguest/x86/core.c
25489 --- linux-2.6.37/drivers/lguest/x86/core.c 2011-01-04 19:50:19.000000000 -0500
25490 +++ linux-2.6.37/drivers/lguest/x86/core.c 2011-01-17 02:41:01.000000000 -0500
25491 @@ -59,7 +59,7 @@ static struct {
25492 /* Offset from where switcher.S was compiled to where we've copied it */
25493 static unsigned long switcher_offset(void)
25495 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
25496 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
25499 /* This cpu's struct lguest_pages. */
25500 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
25501 * These copies are pretty cheap, so we do them unconditionally: */
25502 /* Save the current Host top-level page directory.
25505 +#ifdef CONFIG_PAX_PER_CPU_PGD
25506 + pages->state.host_cr3 = read_cr3();
25508 pages->state.host_cr3 = __pa(current->mm->pgd);
25512 * Set up the Guest's page tables to see this CPU's pages (and no
25513 * other CPU's pages).
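Review bot: The `CONFIG_PAX_PER_CPU_PGD` branch takes `host_cr3` from `read_cr3()` instead of `__pa(current->mm->pgd)`, and the existing comment does not say why the two can differ. Presumably, with per-CPU page directories, the live CR3 no longer equals the mm's pgd, so restoring the latter on the way back to the Host would load the wrong tables. If so, say it next to the `#ifdef`, e.g. `/* with per-CPU PGDs the active directory is not current->mm->pgd, so save what CR3 really holds */`. copy_in_guest_info() extends beyond this hunk.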
25514 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
25515 * compiled-in switcher code and the high-mapped copy we just made.
25517 for (i = 0; i < IDT_ENTRIES; i++)
25518 - default_idt_entries[i] += switcher_offset();
25519 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
25522 * Set up the Switcher's per-cpu areas.
25523 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
25524 * it will be undisturbed when we switch. To change %cs and jump we
25525 * need this structure to feed to Intel's "lcall" instruction.
25527 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
25528 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
25529 lguest_entry.segment = LGUEST_CS;
25532 diff -urNp linux-2.6.37/drivers/lguest/x86/switcher_32.S linux-2.6.37/drivers/lguest/x86/switcher_32.S
25533 --- linux-2.6.37/drivers/lguest/x86/switcher_32.S 2011-01-04 19:50:19.000000000 -0500
25534 +++ linux-2.6.37/drivers/lguest/x86/switcher_32.S 2011-01-17 02:41:01.000000000 -0500
25536 #include <asm/page.h>
25537 #include <asm/segment.h>
25538 #include <asm/lguest.h>
25539 +#include <asm/processor-flags.h>
25541 // We mark the start of the code to copy
25542 // It's placed in .text tho it's never run here
25543 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
25544 // Changes type when we load it: damn Intel!
25545 // For after we switch over our page tables
25546 // That entry will be read-only: we'd crash.
25548 +#ifdef CONFIG_PAX_KERNEXEC
25550 + xor $X86_CR0_WP, %edx
25554 movl $(GDT_ENTRY_TSS*8), %edx
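Review bot: The added `xor $X86_CR0_WP, %edx` flips the write-protect bit instead of forcing it to a known value. The sequence therefore opens the write window only if WP was set on entry; if it were ever entered with WP already clear, the xor would set it and the write to the read-only GDT entry would fault. The instructions that load and store %cr0 are not visible in this listing, so this is inferred from the xor alone. An explicit `andl $~X86_CR0_WP, %edx` here and `orl $X86_CR0_WP, %eax` at the matching xor in the next hunk would make the final state independent of the entry state.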
25557 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
25558 // Let's clear it again for our return.
25559 // The GDT descriptor of the Host
25560 // Points to the table after two "size" bytes
25561 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
25562 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
25563 // Clear "used" from type field (byte 5, bit 2)
25564 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
25565 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
25567 +#ifdef CONFIG_PAX_KERNEXEC
25569 + xor $X86_CR0_WP, %eax
25573 // Once our page table's switched, the Guest is live!
25574 // The Host fades as we run this final step.
25575 @@ -295,13 +309,12 @@ deliver_to_host:
25576 // I consulted gcc, and it gave
25577 // These instructions, which I gladly credit:
25578 leal (%edx,%ebx,8), %eax
25579 - movzwl (%eax),%edx
25580 - movl 4(%eax), %eax
25583 + movl 4(%eax), %edx
25585 // Now the address of the handler's in %edx
25586 // We call it now: its "iret" drops us home.
25588 + ljmp $__KERNEL_CS, $1f
25591 // Every interrupt can come to us here
25592 // But we must truly tell each apart.
25593 diff -urNp linux-2.6.37/drivers/macintosh/via-pmu-backlight.c linux-2.6.37/drivers/macintosh/via-pmu-backlight.c
25594 --- linux-2.6.37/drivers/macintosh/via-pmu-backlight.c 2011-01-04 19:50:19.000000000 -0500
25595 +++ linux-2.6.37/drivers/macintosh/via-pmu-backlight.c 2011-01-17 02:41:01.000000000 -0500
25598 #define MAX_PMU_LEVEL 0xFF
25600 -static struct backlight_ops pmu_backlight_data;
25601 +static const struct backlight_ops pmu_backlight_data;
25602 static DEFINE_SPINLOCK(pmu_backlight_lock);
25603 static int sleeping, uses_pmu_bl;
25604 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
25605 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
25606 return bd->props.brightness;
25609 -static struct backlight_ops pmu_backlight_data = {
25610 +static const struct backlight_ops pmu_backlight_data = {
25611 .get_brightness = pmu_backlight_get_brightness,
25612 .update_status = pmu_backlight_update_status,
25614 diff -urNp linux-2.6.37/drivers/macintosh/via-pmu.c linux-2.6.37/drivers/macintosh/via-pmu.c
25615 --- linux-2.6.37/drivers/macintosh/via-pmu.c 2011-01-04 19:50:19.000000000 -0500
25616 +++ linux-2.6.37/drivers/macintosh/via-pmu.c 2011-01-17 02:41:01.000000000 -0500
25617 @@ -2257,7 +2257,7 @@ static int pmu_sleep_valid(suspend_state
25618 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
25621 -static struct platform_suspend_ops pmu_pm_ops = {
25622 +static const struct platform_suspend_ops pmu_pm_ops = {
25623 .enter = powerbook_sleep,
25624 .valid = pmu_sleep_valid,
25626 diff -urNp linux-2.6.37/drivers/md/bitmap.c linux-2.6.37/drivers/md/bitmap.c
25627 --- linux-2.6.37/drivers/md/bitmap.c 2011-01-04 19:50:19.000000000 -0500
25628 +++ linux-2.6.37/drivers/md/bitmap.c 2011-01-17 02:41:01.000000000 -0500
25631 # define PRINTK(x...) printk(KERN_DEBUG x)
25633 -# define PRINTK(x...)
25634 +# define PRINTK(x...) do {} while (0)
25638 diff -urNp linux-2.6.37/drivers/md/dm-table.c linux-2.6.37/drivers/md/dm-table.c
25639 --- linux-2.6.37/drivers/md/dm-table.c 2011-01-04 19:50:19.000000000 -0500
25640 +++ linux-2.6.37/drivers/md/dm-table.c 2011-01-17 02:41:01.000000000 -0500
25641 @@ -366,7 +366,7 @@ static int device_area_is_invalid(struct
25645 - if ((start >= dev_size) || (start + len > dev_size)) {
25646 + if ((start >= dev_size) || (len > dev_size - start)) {
25647 DMWARN("%s: %s too small for target: "
25648 "start=%llu, len=%llu, dev_size=%llu",
25649 dm_device_name(ti->table->md), bdevname(bdev, b),
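Review bot: The rewritten bound `len > dev_size - start` is safe only because `start >= dev_size` is tested first and short-circuits, and nothing in the hunk says so. Without a comment the expression invites being simplified back to `start + len > dev_size`, which can wrap for large sector values and let an oversized target through. I would add above the `if`: `/* start < dev_size here, so the subtraction cannot underflow; start + len could wrap */`. device_area_is_invalid() starts and ends outside this hunk.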
25650 diff -urNp linux-2.6.37/drivers/md/md.c linux-2.6.37/drivers/md/md.c
25651 --- linux-2.6.37/drivers/md/md.c 2011-01-04 19:50:19.000000000 -0500
25652 +++ linux-2.6.37/drivers/md/md.c 2011-01-17 02:41:01.000000000 -0500
25653 @@ -1875,7 +1875,7 @@ static int bind_rdev_to_array(mdk_rdev_t
25655 ko = &part_to_dev(rdev->bdev->bd_part)->kobj;
25656 if (sysfs_create_link(&rdev->kobj, ko, "block"))
25657 - /* failure here is OK */;
25658 + /* failure here is OK */{}
25659 rdev->sysfs_state = sysfs_get_dirent_safe(rdev->kobj.sd, "state");
25661 list_add_rcu(&rdev->same_set, &mddev->disks);
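Review bot: `/* failure here is OK */{}` hangs an empty block off a comment, which is easy to misread as belonging to the assignment to `rdev->sysfs_state` on the next line. Putting the comment inside the braces makes the intent unmistakable: `if (sysfs_create_link(&rdev->kobj, ko, "block")) { /* failure here is OK */ }`. The same pattern is introduced in the slot_store(), md_run() and remove_and_add_spares() hunks of this file.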
25662 @@ -2487,7 +2487,7 @@ slot_store(mdk_rdev_t *rdev, const char
25663 sysfs_notify_dirent_safe(rdev->sysfs_state);
25664 sprintf(nm, "rd%d", rdev->raid_disk);
25665 if (sysfs_create_link(&rdev->mddev->kobj, &rdev->kobj, nm))
25666 - /* failure here is OK */;
25667 + /* failure here is OK */{}
25668 /* don't wakeup anyone, leave that to userspace. */
25670 if (slot >= rdev->mddev->raid_disks)
25671 @@ -4570,7 +4570,7 @@ int md_run(mddev_t *mddev)
25673 sprintf(nm, "rd%d", rdev->raid_disk);
25674 if (sysfs_create_link(&mddev->kobj, &rdev->kobj, nm))
25675 - /* failure here is OK */;
25676 + /* failure here is OK */{}
25679 set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
25680 @@ -6408,7 +6408,7 @@ static int md_seq_show(struct seq_file *
25681 chunk_kb ? "KB" : "B");
25682 if (bitmap->file) {
25683 seq_printf(seq, ", file: ");
25684 - seq_path(seq, &bitmap->file->f_path, " \t\n");
25685 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
25688 seq_printf(seq, "\n");
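Review bot: The escape set passed to `seq_path()` gains a backslash, but there is no comment explaining why. As far as I know seq_path() emits each listed character as a backslash-octal sequence, so if the backslash itself is not escaped, a bitmap file name containing a literal `\012` is indistinguishable from an escaped newline to anything parsing this output. A short comment keeps the fourth character from being dropped later as redundant, e.g. `/* escape '\\' as well so the octal escapes stay unambiguous */`. md_seq_show() continues outside this hunk.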
25689 @@ -6502,7 +6502,7 @@ static int is_mddev_idle(mddev_t *mddev,
25690 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
25691 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
25692 (int)part_stat_read(&disk->part0, sectors[1]) -
25693 - atomic_read(&disk->sync_io);
25694 + atomic_read_unchecked(&disk->sync_io);
25695 /* sync IO will cause sync_io to increase before the disk_stats
25696 * as sync_io is counted when a request starts, and
25697 * disk_stats is counted when it completes.
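Review bot: Nothing near `atomic_read_unchecked(&disk->sync_io)` says why this counter is exempt from overflow checking. The comment below the call describes `sync_io` as an I/O count, so wrap-around looks harmless, but a reader who meets the `_unchecked` suffix needs that stated, or the exemption will be copied onto real reference counts. Suggested comment: `/* sync_io is a statistic, not a reference count: wrapping is harmless */`. The same applies to `atomic_add_unchecked()` in md_sync_acct() in md.h and to the statistics counters converted in drivers/misc/sgi-gru.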
25698 @@ -7020,7 +7020,7 @@ static int remove_and_add_spares(mddev_t
25699 sprintf(nm, "rd%d", rdev->raid_disk);
25700 if (sysfs_create_link(&mddev->kobj,
25702 - /* failure here is OK */;
25703 + /* failure here is OK */{}
25705 md_new_event(mddev);
25706 set_bit(MD_CHANGE_DEVS, &mddev->flags);
25707 diff -urNp linux-2.6.37/drivers/md/md.h linux-2.6.37/drivers/md/md.h
25708 --- linux-2.6.37/drivers/md/md.h 2011-01-04 19:50:19.000000000 -0500
25709 +++ linux-2.6.37/drivers/md/md.h 2011-01-17 02:41:01.000000000 -0500
25710 @@ -353,7 +353,7 @@ static inline void rdev_dec_pending(mdk_
25712 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
25714 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25715 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25718 struct mdk_personality
25719 diff -urNp linux-2.6.37/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.37/drivers/media/dvb/dvb-core/dvbdev.c
25720 --- linux-2.6.37/drivers/media/dvb/dvb-core/dvbdev.c 2011-01-04 19:50:19.000000000 -0500
25721 +++ linux-2.6.37/drivers/media/dvb/dvb-core/dvbdev.c 2011-01-17 02:41:01.000000000 -0500
25722 @@ -192,6 +192,7 @@ int dvb_register_device(struct dvb_adapt
25723 const struct dvb_device *template, void *priv, int type)
25725 struct dvb_device *dvbdev;
25726 + /* cannot be const, see this function */
25727 struct file_operations *dvbdevfops;
25728 struct device *clsdev;
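Review bot: The added comment `/* cannot be const, see this function */` does not name what in the function prevents it. The body of dvb_register_device() lies outside this hunk, so I can only infer that the structure is written through this pointer later. If so, say it directly: `/* not const: this function fills in the structure it points to */`. The bare `/* cannot be const */` added in e1000_init_mac_params_82571() in drivers/net/e1000e/82571.c has the same problem.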
25730 diff -urNp linux-2.6.37/drivers/media/dvb/ttpci/av7110_ca.c linux-2.6.37/drivers/media/dvb/ttpci/av7110_ca.c
25731 --- linux-2.6.37/drivers/media/dvb/ttpci/av7110_ca.c 2011-01-04 19:50:19.000000000 -0500
25732 +++ linux-2.6.37/drivers/media/dvb/ttpci/av7110_ca.c 2011-01-24 18:13:05.000000000 -0500
25733 @@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *fil
25735 ca_slot_info_t *info=(ca_slot_info_t *)parg;
25737 - if (info->num > 1)
25738 + if (info->num < 0 || info->num > 1)
25740 av7110->ci_slot[info->num].num = info->num;
25741 av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
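Review bot: The upper bound `1` in `info->num < 0 || info->num > 1` is a magic number tied to the size of `av7110->ci_slot`, which the same value indexes two lines later. Deriving it from the array keeps the check correct if the slot count ever changes: `if (info->num < 0 || info->num >= ARRAY_SIZE(av7110->ci_slot))`. This assumes `ci_slot` is declared as an array in the structure, which this hunk does not show. dvb_ca_ioctl() starts and ends outside the hunk.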
25742 diff -urNp linux-2.6.37/drivers/media/IR/ir-lirc-codec.c linux-2.6.37/drivers/media/IR/ir-lirc-codec.c
25743 --- linux-2.6.37/drivers/media/IR/ir-lirc-codec.c 2011-01-04 19:50:19.000000000 -0500
25744 +++ linux-2.6.37/drivers/media/IR/ir-lirc-codec.c 2011-01-17 02:41:01.000000000 -0500
25745 @@ -275,7 +275,7 @@ static void ir_lirc_close(void *data)
25749 -static struct file_operations lirc_fops = {
25750 +static const struct file_operations lirc_fops = {
25751 .owner = THIS_MODULE,
25752 .write = ir_lirc_transmit_ir,
25753 .unlocked_ioctl = ir_lirc_ioctl,
25754 diff -urNp linux-2.6.37/drivers/media/IR/lirc_dev.c linux-2.6.37/drivers/media/IR/lirc_dev.c
25755 --- linux-2.6.37/drivers/media/IR/lirc_dev.c 2011-01-04 19:50:19.000000000 -0500
25756 +++ linux-2.6.37/drivers/media/IR/lirc_dev.c 2011-01-17 02:41:01.000000000 -0500
25757 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
25761 -static struct file_operations lirc_dev_fops = {
25762 +static const struct file_operations lirc_dev_fops = {
25763 .owner = THIS_MODULE,
25764 .read = lirc_dev_fop_read,
25765 .write = lirc_dev_fop_write,
25766 diff -urNp linux-2.6.37/drivers/media/radio/radio-cadet.c linux-2.6.37/drivers/media/radio/radio-cadet.c
25767 --- linux-2.6.37/drivers/media/radio/radio-cadet.c 2011-01-04 19:50:19.000000000 -0500
25768 +++ linux-2.6.37/drivers/media/radio/radio-cadet.c 2011-01-17 02:41:01.000000000 -0500
25769 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
25770 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
25771 mutex_unlock(&dev->lock);
25773 - if (copy_to_user(data, readbuf, i))
25774 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
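Review bot: The new `i > sizeof readbuf` test runs after the statement `readbuf[i++] = dev->rdsbuf[dev->rdsout++]` has already filled the buffer, so it guards only the copy to user space and not the writes into `readbuf`. The loop condition is not part of this hunk; if it does not already bound `i` by the buffer size, the bound belongs there, e.g. by adding `i < sizeof readbuf` to the loop condition. If the loop is already bounded, a comment saying the check is a defensive assertion would keep it from looking like the primary protection.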
25778 diff -urNp linux-2.6.37/drivers/media/video/saa7164/saa7164-core.c linux-2.6.37/drivers/media/video/saa7164/saa7164-core.c
25779 --- linux-2.6.37/drivers/media/video/saa7164/saa7164-core.c 2011-01-04 19:50:19.000000000 -0500
25780 +++ linux-2.6.37/drivers/media/video/saa7164/saa7164-core.c 2011-01-17 02:41:01.000000000 -0500
25781 @@ -1169,7 +1169,7 @@ static int saa7164_proc_open(struct inod
25782 return single_open(filp, saa7164_proc_show, NULL);
25785 -static struct file_operations saa7164_proc_fops = {
25786 +static const struct file_operations saa7164_proc_fops = {
25787 .open = saa7164_proc_open,
25789 .llseek = seq_lseek,
25790 diff -urNp linux-2.6.37/drivers/message/fusion/mptbase.c linux-2.6.37/drivers/message/fusion/mptbase.c
25791 --- linux-2.6.37/drivers/message/fusion/mptbase.c 2011-01-04 19:50:19.000000000 -0500
25792 +++ linux-2.6.37/drivers/message/fusion/mptbase.c 2011-01-17 02:41:01.000000000 -0500
25793 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
25794 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
25795 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
25797 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25798 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
25800 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25801 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
25805 * Rounding UP to nearest 4-kB boundary here...
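Review bot: The `CONFIG_GRKERNSEC_HIDESYM` branch repeats the whole `RequestFrames` format string just to pass `NULL, NULL`, so two copies of the line must now be kept in sync. Depending on how this kernel's `%p` renders a null pointer, the hidden form may also print as `0x(null)`. Holding the two values in locals that default to `NULL` and are assigned only under `#ifndef CONFIG_GRKERNSEC_HIDESYM` would leave a single `seq_printf()`. Using a format without the `0x` prefix would avoid the odd output. mpt_iocinfo_proc_show() extends beyond this hunk.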
25807 diff -urNp linux-2.6.37/drivers/message/fusion/mptdebug.h linux-2.6.37/drivers/message/fusion/mptdebug.h
25808 --- linux-2.6.37/drivers/message/fusion/mptdebug.h 2011-01-04 19:50:19.000000000 -0500
25809 +++ linux-2.6.37/drivers/message/fusion/mptdebug.h 2011-01-17 02:41:01.000000000 -0500
25814 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
25815 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
25819 diff -urNp linux-2.6.37/drivers/message/fusion/mptsas.c linux-2.6.37/drivers/message/fusion/mptsas.c
25820 --- linux-2.6.37/drivers/message/fusion/mptsas.c 2011-01-04 19:50:19.000000000 -0500
25821 +++ linux-2.6.37/drivers/message/fusion/mptsas.c 2011-01-17 02:41:01.000000000 -0500
25822 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
25826 +static inline void
25827 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25829 + if (phy_info->port_details) {
25830 + phy_info->port_details->rphy = rphy;
25831 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25832 + ioc->name, rphy));
25836 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25837 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25838 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25839 + ioc->name, rphy, rphy->dev.release));
25845 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
25846 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
25850 -static inline void
25851 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25853 - if (phy_info->port_details) {
25854 - phy_info->port_details->rphy = rphy;
25855 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25856 - ioc->name, rphy));
25860 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25861 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25862 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25863 - ioc->name, rphy, rphy->dev.release));
25867 static inline struct sas_port *
25868 mptsas_get_port(struct mptsas_phyinfo *phy_info)
25870 diff -urNp linux-2.6.37/drivers/message/fusion/mptscsih.c linux-2.6.37/drivers/message/fusion/mptscsih.c
25871 --- linux-2.6.37/drivers/message/fusion/mptscsih.c 2011-01-04 19:50:19.000000000 -0500
25872 +++ linux-2.6.37/drivers/message/fusion/mptscsih.c 2011-01-17 02:41:01.000000000 -0500
25873 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
25875 h = shost_priv(SChost);
25878 - if (h->info_kbuf == NULL)
25879 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
25880 - return h->info_kbuf;
25881 - h->info_kbuf[0] = '\0';
25885 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
25886 - h->info_kbuf[size-1] = '\0';
25888 + if (h->info_kbuf == NULL)
25889 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
25890 + return h->info_kbuf;
25891 + h->info_kbuf[0] = '\0';
25893 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
25894 + h->info_kbuf[size-1] = '\0';
25896 return h->info_kbuf;
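Review bot: `h->info_kbuf[size-1] = '\0'` trusts mpt_print_ioc_summary() to leave `size` between 1 and the 0x1000 bytes allocated, and neither bound is checked in the visible lines. If the callee can return 0 or a length beyond the buffer, the terminator is written outside the allocation. A guard costs one line: `if (size > 0 && size <= 0x1000) h->info_kbuf[size-1] = '\0';`, ideally with the size as a named constant shared with the `kmalloc()` call. The declaration and initial value of `size` are outside this hunk.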
25898 diff -urNp linux-2.6.37/drivers/message/i2o/i2o_proc.c linux-2.6.37/drivers/message/i2o/i2o_proc.c
25899 --- linux-2.6.37/drivers/message/i2o/i2o_proc.c 2011-01-04 19:50:19.000000000 -0500
25900 +++ linux-2.6.37/drivers/message/i2o/i2o_proc.c 2011-01-17 02:41:01.000000000 -0500
25901 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
25902 "Array Controller Device"
25905 -static char *chtostr(u8 * chars, int n)
25909 - return strncat(tmp, (char *)chars, n);
25912 static int i2o_report_query_status(struct seq_file *seq, int block_status,
25915 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
25917 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
25918 seq_printf(seq, "%-#8x", ddm_table.module_id);
25919 - seq_printf(seq, "%-29s",
25920 - chtostr(ddm_table.module_name_version, 28));
25921 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
25922 seq_printf(seq, "%9d ", ddm_table.data_size);
25923 seq_printf(seq, "%8d", ddm_table.code_size);
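Review bot: `%-.28s` bounds the read correctly but drops the field width, and `-` has no effect without one. The module name is therefore no longer padded to 29 columns and the table in this seq file loses its alignment. `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);` keeps both the precision limit and the old layout. The next hunk has the same regression, where `%-.28s` and `%-.8s` replace `%-29s` and `%-9s`; those should be `%-29.28s` and `%-9.8s`.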
25925 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
25927 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
25928 seq_printf(seq, "%-#8x", dst->module_id);
25929 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
25930 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
25931 + seq_printf(seq, "%-.28s", dst->module_name_version);
25932 + seq_printf(seq, "%-.8s", dst->date);
25933 seq_printf(seq, "%8d ", dst->module_size);
25934 seq_printf(seq, "%8d ", dst->mpb_size);
25935 seq_printf(seq, "0x%04x", dst->module_flags);
25936 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
25937 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
25938 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
25939 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
25940 - seq_printf(seq, "Vendor info : %s\n",
25941 - chtostr((u8 *) (work32 + 2), 16));
25942 - seq_printf(seq, "Product info : %s\n",
25943 - chtostr((u8 *) (work32 + 6), 16));
25944 - seq_printf(seq, "Description : %s\n",
25945 - chtostr((u8 *) (work32 + 10), 16));
25946 - seq_printf(seq, "Product rev. : %s\n",
25947 - chtostr((u8 *) (work32 + 14), 8));
25948 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
25949 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
25950 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
25951 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
25953 seq_printf(seq, "Serial number : ");
25954 print_serial_number(seq, (u8 *) (work32 + 16),
25955 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
25958 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
25959 - seq_printf(seq, "Module name : %s\n",
25960 - chtostr(result.module_name, 24));
25961 - seq_printf(seq, "Module revision : %s\n",
25962 - chtostr(result.module_rev, 8));
25963 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
25964 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
25966 seq_printf(seq, "Serial number : ");
25967 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
25968 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
25972 - seq_printf(seq, "Device name : %s\n",
25973 - chtostr(result.device_name, 64));
25974 - seq_printf(seq, "Service name : %s\n",
25975 - chtostr(result.service_name, 64));
25976 - seq_printf(seq, "Physical name : %s\n",
25977 - chtostr(result.physical_location, 64));
25978 - seq_printf(seq, "Instance number : %s\n",
25979 - chtostr(result.instance_number, 4));
25980 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
25981 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
25982 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
25983 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
25987 diff -urNp linux-2.6.37/drivers/mfd/janz-cmodio.c linux-2.6.37/drivers/mfd/janz-cmodio.c
25988 --- linux-2.6.37/drivers/mfd/janz-cmodio.c 2011-01-04 19:50:19.000000000 -0500
25989 +++ linux-2.6.37/drivers/mfd/janz-cmodio.c 2011-01-17 02:41:01.000000000 -0500
25992 #include <linux/kernel.h>
25993 #include <linux/module.h>
25994 +#include <linux/slab.h>
25995 #include <linux/init.h>
25996 #include <linux/pci.h>
25997 #include <linux/interrupt.h>
25998 diff -urNp linux-2.6.37/drivers/misc/kgdbts.c linux-2.6.37/drivers/misc/kgdbts.c
25999 --- linux-2.6.37/drivers/misc/kgdbts.c 2011-01-04 19:50:19.000000000 -0500
26000 +++ linux-2.6.37/drivers/misc/kgdbts.c 2011-01-17 02:41:01.000000000 -0500
26001 @@ -118,7 +118,7 @@
26003 #define MAX_CONFIG_LEN 40
26005 -static struct kgdb_io kgdbts_io_ops;
26006 +static const struct kgdb_io kgdbts_io_ops;
26007 static char get_buf[BUFMAX];
26008 static int get_buf_cnt;
26009 static char put_buf[BUFMAX];
26010 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
26011 module_put(THIS_MODULE);
26014 -static struct kgdb_io kgdbts_io_ops = {
26015 +static const struct kgdb_io kgdbts_io_ops = {
26017 .read_char = kgdbts_get_char,
26018 .write_char = kgdbts_put_char,
26019 diff -urNp linux-2.6.37/drivers/misc/sgi-gru/gruhandles.c linux-2.6.37/drivers/misc/sgi-gru/gruhandles.c
26020 --- linux-2.6.37/drivers/misc/sgi-gru/gruhandles.c 2011-01-04 19:50:19.000000000 -0500
26021 +++ linux-2.6.37/drivers/misc/sgi-gru/gruhandles.c 2011-01-17 02:41:01.000000000 -0500
26022 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
26023 unsigned long nsec;
26025 nsec = CLKS2NSEC(clks);
26026 - atomic_long_inc(&mcs_op_statistics[op].count);
26027 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
26028 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
26029 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
26030 if (mcs_op_statistics[op].max < nsec)
26031 mcs_op_statistics[op].max = nsec;
26033 diff -urNp linux-2.6.37/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.37/drivers/misc/sgi-gru/gruprocfs.c
26034 --- linux-2.6.37/drivers/misc/sgi-gru/gruprocfs.c 2011-01-04 19:50:19.000000000 -0500
26035 +++ linux-2.6.37/drivers/misc/sgi-gru/gruprocfs.c 2011-01-17 02:41:01.000000000 -0500
26038 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
26040 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
26041 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
26043 - unsigned long val = atomic_long_read(v);
26044 + unsigned long val = atomic_long_read_unchecked(v);
26046 seq_printf(s, "%16lu %s\n", val, id);
26048 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
26050 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
26051 for (op = 0; op < mcsop_last; op++) {
26052 - count = atomic_long_read(&mcs_op_statistics[op].count);
26053 - total = atomic_long_read(&mcs_op_statistics[op].total);
26054 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
26055 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
26056 max = mcs_op_statistics[op].max;
26057 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
26058 count ? total / count : 0, max);
26059 diff -urNp linux-2.6.37/drivers/misc/sgi-gru/grutables.h linux-2.6.37/drivers/misc/sgi-gru/grutables.h
26060 --- linux-2.6.37/drivers/misc/sgi-gru/grutables.h 2011-01-04 19:50:19.000000000 -0500
26061 +++ linux-2.6.37/drivers/misc/sgi-gru/grutables.h 2011-01-17 02:41:01.000000000 -0500
26062 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
26065 struct gru_stats_s {
26066 - atomic_long_t vdata_alloc;
26067 - atomic_long_t vdata_free;
26068 - atomic_long_t gts_alloc;
26069 - atomic_long_t gts_free;
26070 - atomic_long_t gms_alloc;
26071 - atomic_long_t gms_free;
26072 - atomic_long_t gts_double_allocate;
26073 - atomic_long_t assign_context;
26074 - atomic_long_t assign_context_failed;
26075 - atomic_long_t free_context;
26076 - atomic_long_t load_user_context;
26077 - atomic_long_t load_kernel_context;
26078 - atomic_long_t lock_kernel_context;
26079 - atomic_long_t unlock_kernel_context;
26080 - atomic_long_t steal_user_context;
26081 - atomic_long_t steal_kernel_context;
26082 - atomic_long_t steal_context_failed;
26083 - atomic_long_t nopfn;
26084 - atomic_long_t asid_new;
26085 - atomic_long_t asid_next;
26086 - atomic_long_t asid_wrap;
26087 - atomic_long_t asid_reuse;
26088 - atomic_long_t intr;
26089 - atomic_long_t intr_cbr;
26090 - atomic_long_t intr_tfh;
26091 - atomic_long_t intr_spurious;
26092 - atomic_long_t intr_mm_lock_failed;
26093 - atomic_long_t call_os;
26094 - atomic_long_t call_os_wait_queue;
26095 - atomic_long_t user_flush_tlb;
26096 - atomic_long_t user_unload_context;
26097 - atomic_long_t user_exception;
26098 - atomic_long_t set_context_option;
26099 - atomic_long_t check_context_retarget_intr;
26100 - atomic_long_t check_context_unload;
26101 - atomic_long_t tlb_dropin;
26102 - atomic_long_t tlb_preload_page;
26103 - atomic_long_t tlb_dropin_fail_no_asid;
26104 - atomic_long_t tlb_dropin_fail_upm;
26105 - atomic_long_t tlb_dropin_fail_invalid;
26106 - atomic_long_t tlb_dropin_fail_range_active;
26107 - atomic_long_t tlb_dropin_fail_idle;
26108 - atomic_long_t tlb_dropin_fail_fmm;
26109 - atomic_long_t tlb_dropin_fail_no_exception;
26110 - atomic_long_t tfh_stale_on_fault;
26111 - atomic_long_t mmu_invalidate_range;
26112 - atomic_long_t mmu_invalidate_page;
26113 - atomic_long_t flush_tlb;
26114 - atomic_long_t flush_tlb_gru;
26115 - atomic_long_t flush_tlb_gru_tgh;
26116 - atomic_long_t flush_tlb_gru_zero_asid;
26118 - atomic_long_t copy_gpa;
26119 - atomic_long_t read_gpa;
26121 - atomic_long_t mesq_receive;
26122 - atomic_long_t mesq_receive_none;
26123 - atomic_long_t mesq_send;
26124 - atomic_long_t mesq_send_failed;
26125 - atomic_long_t mesq_noop;
26126 - atomic_long_t mesq_send_unexpected_error;
26127 - atomic_long_t mesq_send_lb_overflow;
26128 - atomic_long_t mesq_send_qlimit_reached;
26129 - atomic_long_t mesq_send_amo_nacked;
26130 - atomic_long_t mesq_send_put_nacked;
26131 - atomic_long_t mesq_page_overflow;
26132 - atomic_long_t mesq_qf_locked;
26133 - atomic_long_t mesq_qf_noop_not_full;
26134 - atomic_long_t mesq_qf_switch_head_failed;
26135 - atomic_long_t mesq_qf_unexpected_error;
26136 - atomic_long_t mesq_noop_unexpected_error;
26137 - atomic_long_t mesq_noop_lb_overflow;
26138 - atomic_long_t mesq_noop_qlimit_reached;
26139 - atomic_long_t mesq_noop_amo_nacked;
26140 - atomic_long_t mesq_noop_put_nacked;
26141 - atomic_long_t mesq_noop_page_overflow;
26142 + atomic_long_unchecked_t vdata_alloc;
26143 + atomic_long_unchecked_t vdata_free;
26144 + atomic_long_unchecked_t gts_alloc;
26145 + atomic_long_unchecked_t gts_free;
26146 + atomic_long_unchecked_t gms_alloc;
26147 + atomic_long_unchecked_t gms_free;
26148 + atomic_long_unchecked_t gts_double_allocate;
26149 + atomic_long_unchecked_t assign_context;
26150 + atomic_long_unchecked_t assign_context_failed;
26151 + atomic_long_unchecked_t free_context;
26152 + atomic_long_unchecked_t load_user_context;
26153 + atomic_long_unchecked_t load_kernel_context;
26154 + atomic_long_unchecked_t lock_kernel_context;
26155 + atomic_long_unchecked_t unlock_kernel_context;
26156 + atomic_long_unchecked_t steal_user_context;
26157 + atomic_long_unchecked_t steal_kernel_context;
26158 + atomic_long_unchecked_t steal_context_failed;
26159 + atomic_long_unchecked_t nopfn;
26160 + atomic_long_unchecked_t asid_new;
26161 + atomic_long_unchecked_t asid_next;
26162 + atomic_long_unchecked_t asid_wrap;
26163 + atomic_long_unchecked_t asid_reuse;
26164 + atomic_long_unchecked_t intr;
26165 + atomic_long_unchecked_t intr_cbr;
26166 + atomic_long_unchecked_t intr_tfh;
26167 + atomic_long_unchecked_t intr_spurious;
26168 + atomic_long_unchecked_t intr_mm_lock_failed;
26169 + atomic_long_unchecked_t call_os;
26170 + atomic_long_unchecked_t call_os_wait_queue;
26171 + atomic_long_unchecked_t user_flush_tlb;
26172 + atomic_long_unchecked_t user_unload_context;
26173 + atomic_long_unchecked_t user_exception;
26174 + atomic_long_unchecked_t set_context_option;
26175 + atomic_long_unchecked_t check_context_retarget_intr;
26176 + atomic_long_unchecked_t check_context_unload;
26177 + atomic_long_unchecked_t tlb_dropin;
26178 + atomic_long_unchecked_t tlb_preload_page;
26179 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26180 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26181 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26182 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26183 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26184 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26185 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26186 + atomic_long_unchecked_t tfh_stale_on_fault;
26187 + atomic_long_unchecked_t mmu_invalidate_range;
26188 + atomic_long_unchecked_t mmu_invalidate_page;
26189 + atomic_long_unchecked_t flush_tlb;
26190 + atomic_long_unchecked_t flush_tlb_gru;
26191 + atomic_long_unchecked_t flush_tlb_gru_tgh;
26192 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26194 + atomic_long_unchecked_t copy_gpa;
26195 + atomic_long_unchecked_t read_gpa;
26197 + atomic_long_unchecked_t mesq_receive;
26198 + atomic_long_unchecked_t mesq_receive_none;
26199 + atomic_long_unchecked_t mesq_send;
26200 + atomic_long_unchecked_t mesq_send_failed;
26201 + atomic_long_unchecked_t mesq_noop;
26202 + atomic_long_unchecked_t mesq_send_unexpected_error;
26203 + atomic_long_unchecked_t mesq_send_lb_overflow;
26204 + atomic_long_unchecked_t mesq_send_qlimit_reached;
26205 + atomic_long_unchecked_t mesq_send_amo_nacked;
26206 + atomic_long_unchecked_t mesq_send_put_nacked;
26207 + atomic_long_unchecked_t mesq_page_overflow;
26208 + atomic_long_unchecked_t mesq_qf_locked;
26209 + atomic_long_unchecked_t mesq_qf_noop_not_full;
26210 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
26211 + atomic_long_unchecked_t mesq_qf_unexpected_error;
26212 + atomic_long_unchecked_t mesq_noop_unexpected_error;
26213 + atomic_long_unchecked_t mesq_noop_lb_overflow;
26214 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
26215 + atomic_long_unchecked_t mesq_noop_amo_nacked;
26216 + atomic_long_unchecked_t mesq_noop_put_nacked;
26217 + atomic_long_unchecked_t mesq_noop_page_overflow;
26221 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26222 tghop_invalidate, mcsop_last};
26224 struct mcs_op_statistic {
26225 - atomic_long_t count;
26226 - atomic_long_t total;
26227 + atomic_long_unchecked_t count;
26228 + atomic_long_unchecked_t total;
26232 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26234 #define STAT(id) do { \
26235 if (gru_options & OPT_STATS) \
26236 - atomic_long_inc(&gru_stats.id); \
26237 + atomic_long_inc_unchecked(&gru_stats.id); \
26240 #ifdef CONFIG_SGI_GRU_DEBUG
26241 diff -urNp linux-2.6.37/drivers/mtd/devices/doc2000.c linux-2.6.37/drivers/mtd/devices/doc2000.c
26242 --- linux-2.6.37/drivers/mtd/devices/doc2000.c 2011-01-04 19:50:19.000000000 -0500
26243 +++ linux-2.6.37/drivers/mtd/devices/doc2000.c 2011-01-17 02:41:01.000000000 -0500
26244 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26246 /* The ECC will not be calculated correctly if less than 512 is written */
26248 - if (len != 0x200 && eccbuf)
26249 + if (len != 0x200)
26250 printk(KERN_WARNING
26251 "ECC needs a full sector write (adr: %lx size %lx)\n",
26252 (long) to, (long) len);
26253 diff -urNp linux-2.6.37/drivers/mtd/devices/doc2001.c linux-2.6.37/drivers/mtd/devices/doc2001.c
26254 --- linux-2.6.37/drivers/mtd/devices/doc2001.c 2011-01-04 19:50:19.000000000 -0500
26255 +++ linux-2.6.37/drivers/mtd/devices/doc2001.c 2011-01-17 02:41:01.000000000 -0500
26256 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26257 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26259 /* Don't allow read past end of device */
26260 - if (from >= this->totlen)
26261 + if (from >= this->totlen || !len)
26264 /* Don't allow a single read to cross a 512-byte block boundary */
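Review bot: The comment above the changed test still reads "Don't allow read past end of device", but the condition now also rejects `len == 0`. The return statement is not visible in this listing; if it is the same error used for an out-of-range offset, zero-length reads become failures, and callers that treat them as a successful no-op would need checking. At minimum, update the comment: `/* Don't allow read past end of device, and reject zero-length reads */`. doc_read() starts and ends outside this hunk.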
26265 diff -urNp linux-2.6.37/drivers/mtd/nand/denali.c linux-2.6.37/drivers/mtd/nand/denali.c
26266 --- linux-2.6.37/drivers/mtd/nand/denali.c 2011-01-04 19:50:19.000000000 -0500
26267 +++ linux-2.6.37/drivers/mtd/nand/denali.c 2011-01-17 02:41:01.000000000 -0500
26269 #include <linux/pci.h>
26270 #include <linux/mtd/mtd.h>
26271 #include <linux/module.h>
26272 +#include <linux/slab.h>
26274 #include "denali.h"
26276 diff -urNp linux-2.6.37/drivers/mtd/ubi/build.c linux-2.6.37/drivers/mtd/ubi/build.c
26277 --- linux-2.6.37/drivers/mtd/ubi/build.c 2011-01-04 19:50:19.000000000 -0500
26278 +++ linux-2.6.37/drivers/mtd/ubi/build.c 2011-01-17 02:41:01.000000000 -0500
26279 @@ -1285,7 +1285,7 @@ module_exit(ubi_exit);
26280 static int __init bytes_str_to_int(const char *str)
26283 - unsigned long result;
26284 + unsigned long result, scale = 1;
26286 result = simple_strtoul(str, &endp, 0);
26287 if (str == endp || result >= INT_MAX) {
26288 @@ -1296,11 +1296,11 @@ static int __init bytes_str_to_int(const
26300 if (endp[1] == 'i' && endp[2] == 'B')
26303 @@ -1311,7 +1311,13 @@ static int __init bytes_str_to_int(const
26308 + if ((intoverflow_t)result*scale >= INT_MAX) {
26309 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26314 + return result*scale;
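Review bot: The bound on `(intoverflow_t)result*scale` only holds if `intoverflow_t` is wider than `unsigned long` on 32-bit builds, and nothing on the added lines says so; the type is declared outside this file section. The product is also written twice, once widened for the check and once unwidened in `return result*scale;`, so the two can drift apart under later edits. Computing it once, e.g. `intoverflow_t bytes = (intoverflow_t)result * scale;`, then testing and returning `bytes`, ties the check to the returned value. Several lines of bytes_str_to_int between these hunks are not shown here.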
26318 diff -urNp linux-2.6.37/drivers/net/e1000e/82571.c linux-2.6.37/drivers/net/e1000e/82571.c
26319 --- linux-2.6.37/drivers/net/e1000e/82571.c 2011-01-04 19:50:19.000000000 -0500
26320 +++ linux-2.6.37/drivers/net/e1000e/82571.c 2011-01-17 02:41:01.000000000 -0500
26321 @@ -211,6 +211,7 @@ static s32 e1000_init_mac_params_82571(s
26323 struct e1000_hw *hw = &adapter->hw;
26324 struct e1000_mac_info *mac = &hw->mac;
26325 + /* cannot be const */
26326 struct e1000_mac_operations *func = &mac->ops;
26329 @@ -1740,7 +1741,7 @@ static void e1000_clear_hw_cntrs_82571(s
26333 -static struct e1000_mac_operations e82571_mac_ops = {
26334 +static const struct e1000_mac_operations e82571_mac_ops = {
26335 /* .check_mng_mode: mac type dependent */
26336 /* .check_for_link: media type dependent */
26337 .id_led_init = e1000e_id_led_init,
26338 @@ -1762,7 +1763,7 @@ static struct e1000_mac_operations e8257
26339 .read_mac_addr = e1000_read_mac_addr_82571,
26342 -static struct e1000_phy_operations e82_phy_ops_igp = {
26343 +static const struct e1000_phy_operations e82_phy_ops_igp = {
26344 .acquire = e1000_get_hw_semaphore_82571,
26345 .check_polarity = e1000_check_polarity_igp,
26346 .check_reset_block = e1000e_check_reset_block_generic,
26347 @@ -1780,7 +1781,7 @@ static struct e1000_phy_operations e82_p
26348 .cfg_on_link_up = NULL,
26351 -static struct e1000_phy_operations e82_phy_ops_m88 = {
26352 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
26353 .acquire = e1000_get_hw_semaphore_82571,
26354 .check_polarity = e1000_check_polarity_m88,
26355 .check_reset_block = e1000e_check_reset_block_generic,
26356 @@ -1798,7 +1799,7 @@ static struct e1000_phy_operations e82_p
26357 .cfg_on_link_up = NULL,
26360 -static struct e1000_phy_operations e82_phy_ops_bm = {
26361 +static const struct e1000_phy_operations e82_phy_ops_bm = {
26362 .acquire = e1000_get_hw_semaphore_82571,
26363 .check_polarity = e1000_check_polarity_m88,
26364 .check_reset_block = e1000e_check_reset_block_generic,
26365 @@ -1816,7 +1817,7 @@ static struct e1000_phy_operations e82_p
26366 .cfg_on_link_up = NULL,
26369 -static struct e1000_nvm_operations e82571_nvm_ops = {
26370 +static const struct e1000_nvm_operations e82571_nvm_ops = {
26371 .acquire = e1000_acquire_nvm_82571,
26372 .read = e1000e_read_nvm_eerd,
26373 .release = e1000_release_nvm_82571,
26374 diff -urNp linux-2.6.37/drivers/net/e1000e/e1000.h linux-2.6.37/drivers/net/e1000e/e1000.h
26375 --- linux-2.6.37/drivers/net/e1000e/e1000.h 2011-01-04 19:50:19.000000000 -0500
26376 +++ linux-2.6.37/drivers/net/e1000e/e1000.h 2011-01-17 02:41:01.000000000 -0500
26377 @@ -407,9 +407,9 @@ struct e1000_info {
26379 u32 max_hw_frame_size;
26380 s32 (*get_variants)(struct e1000_adapter *);
26381 - struct e1000_mac_operations *mac_ops;
26382 - struct e1000_phy_operations *phy_ops;
26383 - struct e1000_nvm_operations *nvm_ops;
26384 + const struct e1000_mac_operations *mac_ops;
26385 + const struct e1000_phy_operations *phy_ops;
26386 + const struct e1000_nvm_operations *nvm_ops;
26389 /* hardware capability, feature, and workaround flags */
26390 diff -urNp linux-2.6.37/drivers/net/e1000e/es2lan.c linux-2.6.37/drivers/net/e1000e/es2lan.c
26391 --- linux-2.6.37/drivers/net/e1000e/es2lan.c 2011-01-04 19:50:19.000000000 -0500
26392 +++ linux-2.6.37/drivers/net/e1000e/es2lan.c 2011-01-17 02:41:01.000000000 -0500
26393 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
26395 struct e1000_hw *hw = &adapter->hw;
26396 struct e1000_mac_info *mac = &hw->mac;
26397 + /* cannot be const */
26398 struct e1000_mac_operations *func = &mac->ops;
26400 /* Set media type */
26401 @@ -1431,7 +1432,7 @@ static void e1000_clear_hw_cntrs_80003es
26405 -static struct e1000_mac_operations es2_mac_ops = {
26406 +static const struct e1000_mac_operations es2_mac_ops = {
26407 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
26408 .id_led_init = e1000e_id_led_init,
26409 .check_mng_mode = e1000e_check_mng_mode_generic,
26410 @@ -1453,7 +1454,7 @@ static struct e1000_mac_operations es2_m
26411 .setup_led = e1000e_setup_led_generic,
26414 -static struct e1000_phy_operations es2_phy_ops = {
26415 +static const struct e1000_phy_operations es2_phy_ops = {
26416 .acquire = e1000_acquire_phy_80003es2lan,
26417 .check_polarity = e1000_check_polarity_m88,
26418 .check_reset_block = e1000e_check_reset_block_generic,
26419 @@ -1471,7 +1472,7 @@ static struct e1000_phy_operations es2_p
26420 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
26423 -static struct e1000_nvm_operations es2_nvm_ops = {
26424 +static const struct e1000_nvm_operations es2_nvm_ops = {
26425 .acquire = e1000_acquire_nvm_80003es2lan,
26426 .read = e1000e_read_nvm_eerd,
26427 .release = e1000_release_nvm_80003es2lan,
26428 diff -urNp linux-2.6.37/drivers/net/e1000e/hw.h linux-2.6.37/drivers/net/e1000e/hw.h
26429 --- linux-2.6.37/drivers/net/e1000e/hw.h 2011-01-04 19:50:19.000000000 -0500
26430 +++ linux-2.6.37/drivers/net/e1000e/hw.h 2011-01-17 02:41:01.000000000 -0500
26431 @@ -800,16 +800,17 @@ struct e1000_phy_operations {
26433 /* Function pointers for the NVM. */
26434 struct e1000_nvm_operations {
26435 - s32 (*acquire)(struct e1000_hw *);
26436 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26437 - void (*release)(struct e1000_hw *);
26438 - s32 (*update)(struct e1000_hw *);
26439 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
26440 - s32 (*validate)(struct e1000_hw *);
26441 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26442 + s32 (* const acquire)(struct e1000_hw *);
26443 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26444 + void (* const release)(struct e1000_hw *);
26445 + s32 (* const update)(struct e1000_hw *);
26446 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
26447 + s32 (* const validate)(struct e1000_hw *);
26448 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26451 struct e1000_mac_info {
26452 + /* cannot be const see e1000_init_mac_params_ich8lan */
26453 struct e1000_mac_operations ops;
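Review bot: Qualifying every pointer in `struct e1000_nvm_operations` as `* const` makes the struct non-assignable, yet a later hunk in this file keeps a writable `struct e1000_nvm_operations ops;` inside `struct e1000_nvm_info` with only `/* cannot be const */` as explanation. Whatever fills that embedded copy is not visible in these hunks; it presumably has to bypass the qualifier with memcpy or a cast, which leaves that instance writable at run time and is worth stating. The comment should name the writer the way the mac and phy comments do, e.g. `/* cannot be const: filled by <init function> */` with the real function name substituted. The same pattern recurs in drivers/net/igb/e1000_hw.h.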
26456 @@ -852,6 +853,7 @@ struct e1000_mac_info {
26459 struct e1000_phy_info {
26460 + /* Cannot be const see e1000_init_phy_params_82571() */
26461 struct e1000_phy_operations ops;
26463 enum e1000_phy_type type;
26464 @@ -886,6 +888,7 @@ struct e1000_phy_info {
26467 struct e1000_nvm_info {
26468 + /* cannot be const */
26469 struct e1000_nvm_operations ops;
26471 enum e1000_nvm_type type;
26472 diff -urNp linux-2.6.37/drivers/net/e1000e/ich8lan.c linux-2.6.37/drivers/net/e1000e/ich8lan.c
26473 --- linux-2.6.37/drivers/net/e1000e/ich8lan.c 2011-01-04 19:50:19.000000000 -0500
26474 +++ linux-2.6.37/drivers/net/e1000e/ich8lan.c 2011-01-17 02:41:01.000000000 -0500
26475 @@ -3856,7 +3856,7 @@ static void e1000_clear_hw_cntrs_ich8lan
26479 -static struct e1000_mac_operations ich8_mac_ops = {
26480 +static const struct e1000_mac_operations ich8_mac_ops = {
26481 .id_led_init = e1000e_id_led_init,
26482 /* check_mng_mode dependent on mac type */
26483 .check_for_link = e1000_check_for_copper_link_ich8lan,
26484 @@ -3875,7 +3875,7 @@ static struct e1000_mac_operations ich8_
26485 /* id_led_init dependent on mac type */
26488 -static struct e1000_phy_operations ich8_phy_ops = {
26489 +static const struct e1000_phy_operations ich8_phy_ops = {
26490 .acquire = e1000_acquire_swflag_ich8lan,
26491 .check_reset_block = e1000_check_reset_block_ich8lan,
26493 @@ -3889,7 +3889,7 @@ static struct e1000_phy_operations ich8_
26494 .write_reg = e1000e_write_phy_reg_igp,
26497 -static struct e1000_nvm_operations ich8_nvm_ops = {
26498 +static const struct e1000_nvm_operations ich8_nvm_ops = {
26499 .acquire = e1000_acquire_nvm_ich8lan,
26500 .read = e1000_read_nvm_ich8lan,
26501 .release = e1000_release_nvm_ich8lan,
26502 diff -urNp linux-2.6.37/drivers/net/igb/e1000_82575.c linux-2.6.37/drivers/net/igb/e1000_82575.c
26503 --- linux-2.6.37/drivers/net/igb/e1000_82575.c 2011-01-04 19:50:19.000000000 -0500
26504 +++ linux-2.6.37/drivers/net/igb/e1000_82575.c 2011-01-17 02:41:01.000000000 -0500
26505 @@ -1712,7 +1712,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
26509 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
26510 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
26511 .init_hw = igb_init_hw_82575,
26512 .check_for_link = igb_check_for_link_82575,
26513 .rar_set = igb_rar_set,
26514 @@ -1720,13 +1720,13 @@ static struct e1000_mac_operations e1000
26515 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
26518 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
26519 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
26520 .acquire = igb_acquire_phy_82575,
26521 .get_cfg_done = igb_get_cfg_done_82575,
26522 .release = igb_release_phy_82575,
26525 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26526 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26527 .acquire = igb_acquire_nvm_82575,
26528 .read = igb_read_nvm_eerd,
26529 .release = igb_release_nvm_82575,
26530 diff -urNp linux-2.6.37/drivers/net/igb/e1000_hw.h linux-2.6.37/drivers/net/igb/e1000_hw.h
26531 --- linux-2.6.37/drivers/net/igb/e1000_hw.h 2011-01-04 19:50:19.000000000 -0500
26532 +++ linux-2.6.37/drivers/net/igb/e1000_hw.h 2011-01-17 02:41:01.000000000 -0500
26533 @@ -325,22 +325,23 @@ struct e1000_phy_operations {
26536 struct e1000_nvm_operations {
26537 - s32 (*acquire)(struct e1000_hw *);
26538 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26539 - void (*release)(struct e1000_hw *);
26540 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26541 + s32 (* const acquire)(struct e1000_hw *);
26542 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26543 + void (* const release)(struct e1000_hw *);
26544 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26547 struct e1000_info {
26548 s32 (*get_invariants)(struct e1000_hw *);
26549 - struct e1000_mac_operations *mac_ops;
26550 - struct e1000_phy_operations *phy_ops;
26551 - struct e1000_nvm_operations *nvm_ops;
26552 + const struct e1000_mac_operations *mac_ops;
26553 + const struct e1000_phy_operations *phy_ops;
26554 + const struct e1000_nvm_operations *nvm_ops;
26557 extern const struct e1000_info e1000_82575_info;
26559 struct e1000_mac_info {
26560 + /* cannot be const see igb_get_invariants_82575() */
26561 struct e1000_mac_operations ops;
26564 @@ -379,6 +380,7 @@ struct e1000_mac_info {
26567 struct e1000_phy_info {
26568 + /* cannot be const see igb_get_invariants_82575() */
26569 struct e1000_phy_operations ops;
26571 enum e1000_phy_type type;
26572 @@ -414,6 +416,7 @@ struct e1000_phy_info {
26575 struct e1000_nvm_info {
26576 + /* cannot be const */
26577 struct e1000_nvm_operations ops;
26579 enum e1000_nvm_type type;
26580 diff -urNp linux-2.6.37/drivers/net/igbvf/vf.h linux-2.6.37/drivers/net/igbvf/vf.h
26581 --- linux-2.6.37/drivers/net/igbvf/vf.h 2011-01-04 19:50:19.000000000 -0500
26582 +++ linux-2.6.37/drivers/net/igbvf/vf.h 2011-01-17 02:41:01.000000000 -0500
26583 @@ -189,6 +189,7 @@ struct e1000_mac_operations {
26586 struct e1000_mac_info {
26587 + /* cannot be const see e1000_init_mac_params_vf() */
26588 struct e1000_mac_operations ops;
26591 diff -urNp linux-2.6.37/drivers/net/irda/vlsi_ir.c linux-2.6.37/drivers/net/irda/vlsi_ir.c
26592 --- linux-2.6.37/drivers/net/irda/vlsi_ir.c 2011-01-04 19:50:19.000000000 -0500
26593 +++ linux-2.6.37/drivers/net/irda/vlsi_ir.c 2011-01-17 02:41:01.000000000 -0500
26594 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
26595 /* no race - tx-ring already empty */
26596 vlsi_set_baud(idev, iobase);
26597 netif_wake_queue(ndev);
26602 /* keep the speed change pending like it would
26603 * for any len>0 packet. tx completion interrupt
26604 * will apply it when the tx ring becomes empty.
26607 spin_unlock_irqrestore(&idev->lock, flags);
26608 dev_kfree_skb_any(skb);
26609 return NETDEV_TX_OK;
26610 diff -urNp linux-2.6.37/drivers/net/macvtap.c linux-2.6.37/drivers/net/macvtap.c
26611 --- linux-2.6.37/drivers/net/macvtap.c 2011-01-04 19:50:19.000000000 -0500
26612 +++ linux-2.6.37/drivers/net/macvtap.c 2011-01-17 02:41:01.000000000 -0500
26613 @@ -529,8 +529,9 @@ static ssize_t macvtap_get_user(struct m
26614 vnet_hdr_len = q->vnet_hdr_sz;
26617 - if ((len -= vnet_hdr_len) < 0)
26618 + if (len < vnet_hdr_len)
26620 + len -= vnet_hdr_len;
26622 err = memcpy_fromiovecend((void *)&vnet_hdr, iv, 0,
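Review bot: The reordered guard `if (len < vnet_hdr_len)` followed by `len -= vnet_hdr_len;` has no comment explaining why the subtraction moved, so a later cleanup could fold it back into the condition. The replaced test `(len -= vnet_hdr_len) < 0` can never be true if `len` is unsigned, which is presumably the reason for the change; the declarations are outside the hunk. A one-line comment such as `/* len is unsigned: compare before subtracting so a short buffer cannot wrap */` would record that once the type is confirmed. If `vnet_hdr_len` is a signed int, the comparison is mixed-sign and an explicit cast would make the intended conversion visible.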
26624 diff -urNp linux-2.6.37/drivers/net/pcnet32.c linux-2.6.37/drivers/net/pcnet32.c
26625 --- linux-2.6.37/drivers/net/pcnet32.c 2011-01-04 19:50:19.000000000 -0500
26626 +++ linux-2.6.37/drivers/net/pcnet32.c 2011-01-17 02:41:01.000000000 -0500
26627 @@ -82,7 +82,7 @@ static int cards_found;
26629 * VLB I/O addresses
26631 -static unsigned int pcnet32_portlist[] __initdata =
26632 +static unsigned int pcnet32_portlist[] __devinitdata =
26633 { 0x300, 0x320, 0x340, 0x360, 0 };
26635 static int pcnet32_debug;
26636 diff -urNp linux-2.6.37/drivers/net/ppp_generic.c linux-2.6.37/drivers/net/ppp_generic.c
26637 --- linux-2.6.37/drivers/net/ppp_generic.c 2011-01-04 19:50:19.000000000 -0500
26638 +++ linux-2.6.37/drivers/net/ppp_generic.c 2011-01-17 02:41:01.000000000 -0500
26639 @@ -986,7 +986,6 @@ ppp_net_ioctl(struct net_device *dev, st
26640 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
26641 struct ppp_stats stats;
26642 struct ppp_comp_stats cstats;
26646 case SIOCGPPPSTATS:
26647 @@ -1008,8 +1007,7 @@ ppp_net_ioctl(struct net_device *dev, st
26651 - vers = PPP_VERSION;
26652 - if (copy_to_user(addr, vers, strlen(vers) + 1))
26653 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
26657 diff -urNp linux-2.6.37/drivers/net/tg3.h linux-2.6.37/drivers/net/tg3.h
26658 --- linux-2.6.37/drivers/net/tg3.h 2011-01-04 19:50:19.000000000 -0500
26659 +++ linux-2.6.37/drivers/net/tg3.h 2011-01-17 02:41:01.000000000 -0500
26660 @@ -131,6 +131,7 @@
26661 #define CHIPREV_ID_5750_A0 0x4000
26662 #define CHIPREV_ID_5750_A1 0x4001
26663 #define CHIPREV_ID_5750_A3 0x4003
26664 +#define CHIPREV_ID_5750_C1 0x4201
26665 #define CHIPREV_ID_5750_C2 0x4202
26666 #define CHIPREV_ID_5752_A0_HW 0x5000
26667 #define CHIPREV_ID_5752_A0 0x6000
26668 diff -urNp linux-2.6.37/drivers/net/tulip/de4x5.c linux-2.6.37/drivers/net/tulip/de4x5.c
26669 --- linux-2.6.37/drivers/net/tulip/de4x5.c 2011-01-04 19:50:19.000000000 -0500
26670 +++ linux-2.6.37/drivers/net/tulip/de4x5.c 2011-01-17 02:41:01.000000000 -0500
26671 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
26672 for (i=0; i<ETH_ALEN; i++) {
26673 tmp.addr[i] = dev->dev_addr[i];
26675 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26676 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26679 case DE4X5_SET_HWADDR: /* Set the hardware address */
26680 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
26681 spin_lock_irqsave(&lp->lock, flags);
26682 memcpy(&statbuf, &lp->pktStats, ioc->len);
26683 spin_unlock_irqrestore(&lp->lock, flags);
26684 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
26685 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
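Review bot: The added `ioc->len > sizeof statbuf` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len);` on the context line above, so by itself it does not bound the copy into `statbuf`. Unless `ioc->len` is assigned a fixed size just above the hunk (not visible here), the check belongs before the memcpy and before taking `lp->lock`. If it is assigned there, the new test is redundant and a comment should say it is defence in depth. In the first hunk of this file an over-long length is reported as `-EFAULT`; `-EINVAL` would describe that failure more accurately.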
26689 diff -urNp linux-2.6.37/drivers/net/usb/hso.c linux-2.6.37/drivers/net/usb/hso.c
26690 --- linux-2.6.37/drivers/net/usb/hso.c 2011-01-04 19:50:19.000000000 -0500
26691 +++ linux-2.6.37/drivers/net/usb/hso.c 2011-01-24 18:04:15.000000000 -0500
26693 #include <asm/byteorder.h>
26694 #include <linux/serial_core.h>
26695 #include <linux/serial.h>
26697 +#include <asm/local.h>
26699 #define MOD_AUTHOR "Option Wireless"
26700 #define MOD_DESCRIPTION "USB High Speed Option driver"
26701 @@ -257,7 +257,7 @@ struct hso_serial {
26703 /* from usb_serial_port */
26704 struct tty_struct *tty;
26706 + local_t open_count;
26707 spinlock_t serial_lock;
26709 int (*write_data) (struct hso_serial *serial);
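Review bot: `local_t open_count;` gives atomicity only with respect to the CPU that performs the operation, and `struct hso_serial` is a per-device object rather than per-CPU data. The later hunks read the counter in URB callbacks and modify it in hso_serial_open and hso_serial_close, which may run on different CPUs; whether one lock covers all of those accesses cannot be seen from these hunks. In hso_serial_close the `local_dec`, `local_read` and `local_set(..., 0)` calls are three separate steps, so the clamp to zero is not a single atomic update. An `atomic_t` with `atomic_dec_return()`, or a comment naming the lock that serialises every access, would make the intent checkable.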
26710 @@ -1187,7 +1187,7 @@ static void put_rxbuf_data_and_resubmit_
26713 urb = serial->rx_urb[0];
26714 - if (serial->open_count > 0) {
26715 + if (local_read(&serial->open_count) > 0) {
26716 count = put_rxbuf_data(urb, serial);
26719 @@ -1223,7 +1223,7 @@ static void hso_std_serial_read_bulk_cal
26720 DUMP1(urb->transfer_buffer, urb->actual_length);
26722 /* Anyone listening? */
26723 - if (serial->open_count == 0)
26724 + if (local_read(&serial->open_count) == 0)
26728 @@ -1318,8 +1318,7 @@ static int hso_serial_open(struct tty_st
26729 spin_unlock_irq(&serial->serial_lock);
26731 /* check for port already opened, if not set the termios */
26732 - serial->open_count++;
26733 - if (serial->open_count == 1) {
26734 + if (local_inc_return(&serial->open_count) == 1) {
26735 serial->rx_state = RX_IDLE;
26736 /* Force default termio settings */
26737 _hso_serial_set_termios(tty, NULL);
26738 @@ -1331,7 +1330,7 @@ static int hso_serial_open(struct tty_st
26739 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
26741 hso_stop_serial_device(serial->parent);
26742 - serial->open_count--;
26743 + local_dec(&serial->open_count);
26744 kref_put(&serial->parent->ref, hso_serial_ref_free);
26747 @@ -1368,10 +1367,10 @@ static void hso_serial_close(struct tty_
26749 /* reset the rts and dtr */
26750 /* do the actual close */
26751 - serial->open_count--;
26752 + local_dec(&serial->open_count);
26754 - if (serial->open_count <= 0) {
26755 - serial->open_count = 0;
26756 + if (local_read(&serial->open_count) <= 0) {
26757 + local_set(&serial->open_count, 0);
26758 spin_lock_irq(&serial->serial_lock);
26759 if (serial->tty == tty) {
26760 serial->tty->driver_data = NULL;
26761 @@ -1453,7 +1452,7 @@ static void hso_serial_set_termios(struc
26763 /* the actual setup */
26764 spin_lock_irqsave(&serial->serial_lock, flags);
26765 - if (serial->open_count)
26766 + if (local_read(&serial->open_count))
26767 _hso_serial_set_termios(tty, old);
26769 tty->termios = old;
26770 @@ -1913,7 +1912,7 @@ static void intr_callback(struct urb *ur
26771 D1("Pending read interrupt on port %d\n", i);
26772 spin_lock(&serial->serial_lock);
26773 if (serial->rx_state == RX_IDLE &&
26774 - serial->open_count > 0) {
26775 + local_read(&serial->open_count) > 0) {
26776 /* Setup and send a ctrl req read on
26778 if (!serial->rx_urb_filled[0]) {
26779 @@ -3105,7 +3104,7 @@ static int hso_resume(struct usb_interfa
26780 /* Start all serial ports */
26781 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
26782 if (serial_table[i] && (serial_table[i]->interface == iface)) {
26783 - if (dev2ser(serial_table[i])->open_count) {
26784 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
26786 hso_start_serial_device(serial_table[i], GFP_NOIO);
26787 hso_kick_transmit(dev2ser(serial_table[i]));
26788 diff -urNp linux-2.6.37/drivers/net/wireless/b43/debugfs.c linux-2.6.37/drivers/net/wireless/b43/debugfs.c
26789 --- linux-2.6.37/drivers/net/wireless/b43/debugfs.c 2011-01-04 19:50:19.000000000 -0500
26790 +++ linux-2.6.37/drivers/net/wireless/b43/debugfs.c 2011-01-17 02:41:01.000000000 -0500
26791 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
26792 struct b43_debugfs_fops {
26793 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
26794 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
26795 - struct file_operations fops;
26796 + const struct file_operations fops;
26797 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
26798 size_t file_struct_offset;
26800 diff -urNp linux-2.6.37/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.37/drivers/net/wireless/b43legacy/debugfs.c
26801 --- linux-2.6.37/drivers/net/wireless/b43legacy/debugfs.c 2011-01-04 19:50:19.000000000 -0500
26802 +++ linux-2.6.37/drivers/net/wireless/b43legacy/debugfs.c 2011-01-17 02:41:01.000000000 -0500
26803 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
26804 struct b43legacy_debugfs_fops {
26805 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
26806 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
26807 - struct file_operations fops;
26808 + const struct file_operations fops;
26809 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
26810 size_t file_struct_offset;
26811 /* Take wl->irq_lock before calling read/write? */
26812 diff -urNp linux-2.6.37/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.37/drivers/net/wireless/iwlwifi/iwl-debug.h
26813 --- linux-2.6.37/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-01-04 19:50:19.000000000 -0500
26814 +++ linux-2.6.37/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-01-17 02:41:01.000000000 -0500
26815 @@ -68,8 +68,8 @@ do {
26819 -#define IWL_DEBUG(__priv, level, fmt, args...)
26820 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
26821 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
26822 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
26823 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
26824 const void *p, u32 len)
26826 diff -urNp linux-2.6.37/drivers/net/wireless/libertas/debugfs.c linux-2.6.37/drivers/net/wireless/libertas/debugfs.c
26827 --- linux-2.6.37/drivers/net/wireless/libertas/debugfs.c 2011-01-04 19:50:19.000000000 -0500
26828 +++ linux-2.6.37/drivers/net/wireless/libertas/debugfs.c 2011-01-17 02:41:01.000000000 -0500
26829 @@ -702,7 +702,7 @@ out_unlock:
26830 struct lbs_debugfs_files {
26833 - struct file_operations fops;
26834 + const struct file_operations fops;
26837 static const struct lbs_debugfs_files debugfs_files[] = {
26838 diff -urNp linux-2.6.37/drivers/net/wireless/rndis_wlan.c linux-2.6.37/drivers/net/wireless/rndis_wlan.c
26839 --- linux-2.6.37/drivers/net/wireless/rndis_wlan.c 2011-01-04 19:50:19.000000000 -0500
26840 +++ linux-2.6.37/drivers/net/wireless/rndis_wlan.c 2011-01-17 02:41:01.000000000 -0500
26841 @@ -1236,7 +1236,7 @@ static int set_rts_threshold(struct usbn
26843 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
26845 - if (rts_threshold < 0 || rts_threshold > 2347)
26846 + if (rts_threshold > 2347)
26847 rts_threshold = 2347;
26849 tmp = cpu_to_le32(rts_threshold);
26850 diff -urNp linux-2.6.37/drivers/oprofile/buffer_sync.c linux-2.6.37/drivers/oprofile/buffer_sync.c
26851 --- linux-2.6.37/drivers/oprofile/buffer_sync.c 2011-01-04 19:50:19.000000000 -0500
26852 +++ linux-2.6.37/drivers/oprofile/buffer_sync.c 2011-01-17 02:41:01.000000000 -0500
26853 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
26854 if (cookie == NO_COOKIE)
26856 if (cookie == INVALID_COOKIE) {
26857 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26858 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26861 if (cookie != last_cookie) {
26862 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
26863 /* add userspace sample */
26866 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
26867 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
26871 cookie = lookup_dcookie(mm, s->eip, &offset);
26873 if (cookie == INVALID_COOKIE) {
26874 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26875 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26879 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
26880 /* ignore backtraces if failed to add a sample */
26881 if (state == sb_bt_start) {
26882 state = sb_bt_ignore;
26883 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
26884 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
26888 diff -urNp linux-2.6.37/drivers/oprofile/event_buffer.c linux-2.6.37/drivers/oprofile/event_buffer.c
26889 --- linux-2.6.37/drivers/oprofile/event_buffer.c 2011-01-04 19:50:19.000000000 -0500
26890 +++ linux-2.6.37/drivers/oprofile/event_buffer.c 2011-01-17 02:41:01.000000000 -0500
26891 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
26894 if (buffer_pos == buffer_size) {
26895 - atomic_inc(&oprofile_stats.event_lost_overflow);
26896 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
26900 diff -urNp linux-2.6.37/drivers/oprofile/oprof.c linux-2.6.37/drivers/oprofile/oprof.c
26901 --- linux-2.6.37/drivers/oprofile/oprof.c 2011-01-04 19:50:19.000000000 -0500
26902 +++ linux-2.6.37/drivers/oprofile/oprof.c 2011-01-17 02:41:01.000000000 -0500
26903 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
26904 if (oprofile_ops.switch_events())
26907 - atomic_inc(&oprofile_stats.multiplex_counter);
26908 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
26909 start_switch_worker();
26912 diff -urNp linux-2.6.37/drivers/oprofile/oprofilefs.c linux-2.6.37/drivers/oprofile/oprofilefs.c
26913 --- linux-2.6.37/drivers/oprofile/oprofilefs.c 2011-01-04 19:50:19.000000000 -0500
26914 +++ linux-2.6.37/drivers/oprofile/oprofilefs.c 2011-01-17 02:41:01.000000000 -0500
26915 @@ -186,7 +186,7 @@ static const struct file_operations atom
26918 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
26919 - char const *name, atomic_t *val)
26920 + char const *name, atomic_unchecked_t *val)
26922 return __oprofilefs_create_file(sb, root, name,
26923 &atomic_ro_fops, 0444, val);
26924 diff -urNp linux-2.6.37/drivers/oprofile/oprofile_stats.c linux-2.6.37/drivers/oprofile/oprofile_stats.c
26925 --- linux-2.6.37/drivers/oprofile/oprofile_stats.c 2011-01-04 19:50:19.000000000 -0500
26926 +++ linux-2.6.37/drivers/oprofile/oprofile_stats.c 2011-01-17 02:41:01.000000000 -0500
26927 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
26928 cpu_buf->sample_invalid_eip = 0;
26931 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
26932 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
26933 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
26934 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
26935 - atomic_set(&oprofile_stats.multiplex_counter, 0);
26936 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
26937 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
26938 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
26939 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
26940 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
26944 diff -urNp linux-2.6.37/drivers/oprofile/oprofile_stats.h linux-2.6.37/drivers/oprofile/oprofile_stats.h
26945 --- linux-2.6.37/drivers/oprofile/oprofile_stats.h 2011-01-04 19:50:19.000000000 -0500
26946 +++ linux-2.6.37/drivers/oprofile/oprofile_stats.h 2011-01-17 02:41:01.000000000 -0500
26947 @@ -13,11 +13,11 @@
26948 #include <asm/atomic.h>
26950 struct oprofile_stat_struct {
26951 - atomic_t sample_lost_no_mm;
26952 - atomic_t sample_lost_no_mapping;
26953 - atomic_t bt_lost_no_mapping;
26954 - atomic_t event_lost_overflow;
26955 - atomic_t multiplex_counter;
26956 + atomic_unchecked_t sample_lost_no_mm;
26957 + atomic_unchecked_t sample_lost_no_mapping;
26958 + atomic_unchecked_t bt_lost_no_mapping;
26959 + atomic_unchecked_t event_lost_overflow;
26960 + atomic_unchecked_t multiplex_counter;
26963 extern struct oprofile_stat_struct oprofile_stats;
26964 diff -urNp linux-2.6.37/drivers/parport/procfs.c linux-2.6.37/drivers/parport/procfs.c
26965 --- linux-2.6.37/drivers/parport/procfs.c 2011-01-04 19:50:19.000000000 -0500
26966 +++ linux-2.6.37/drivers/parport/procfs.c 2011-01-17 02:41:01.000000000 -0500
26967 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
26971 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
26972 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
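Review bot: The `len > sizeof buffer` test guards only the copy to user space; whatever filled `buffer` earlier in do_active_device ran before this line, so the check cannot stop a write past the buffer, only an over-long read from it. It also relies on `buffer` being an array in this scope, since `sizeof` applied to a pointer would yield the pointer size; the declaration is outside the hunk. A short comment such as `/* never copy out more than buffer holds */` would state what the test is for. The do_autoprobe hunk adds the same expression and the same remarks apply there.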
26975 #ifdef CONFIG_PARPORT_1284
26976 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
26980 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
26981 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
26983 #endif /* IEEE1284.3 support. */
26985 diff -urNp linux-2.6.37/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.37/drivers/pci/hotplug/acpiphp_glue.c
26986 --- linux-2.6.37/drivers/pci/hotplug/acpiphp_glue.c 2011-01-04 19:50:19.000000000 -0500
26987 +++ linux-2.6.37/drivers/pci/hotplug/acpiphp_glue.c 2011-01-17 02:41:01.000000000 -0500
26988 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
26992 -static struct acpi_dock_ops acpiphp_dock_ops = {
26993 +static const struct acpi_dock_ops acpiphp_dock_ops = {
26994 .handler = handle_hotplug_event_func,
26997 diff -urNp linux-2.6.37/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.37/drivers/pci/hotplug/cpqphp_nvram.c
26998 --- linux-2.6.37/drivers/pci/hotplug/cpqphp_nvram.c 2011-01-04 19:50:19.000000000 -0500
26999 +++ linux-2.6.37/drivers/pci/hotplug/cpqphp_nvram.c 2011-01-17 02:41:01.000000000 -0500
27000 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
27002 void compaq_nvram_init (void __iomem *rom_start)
27005 +#ifndef CONFIG_PAX_KERNEXEC
27007 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
27011 dbg("int15 entry = %p\n", compaq_int15_entry_point);
27013 /* initialize our int15 lock */
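Review bot: With CONFIG_PAX_KERNEXEC set, the assignment to `compaq_int15_entry_point` is compiled out, but the `dbg("int15 entry = %p\n", ...)` line and the rest of compaq_nvram_init still run as if the entry point were valid. The code that calls through this pointer is outside the hunk; it needs either a check for an unset pointer or a Kconfig dependency that keeps the NVRAM path unreachable in that configuration. A comment beside the `#ifndef` should give the reason, for example `/* ROM int15 entry is not callable under KERNEXEC; leave it unset */`, if that is indeed the intent. Some lines of this hunk are not shown in this rendering.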
27014 diff -urNp linux-2.6.37/drivers/pci/intel-iommu.c linux-2.6.37/drivers/pci/intel-iommu.c
27015 --- linux-2.6.37/drivers/pci/intel-iommu.c 2011-01-04 19:50:19.000000000 -0500
27016 +++ linux-2.6.37/drivers/pci/intel-iommu.c 2011-01-17 02:41:01.000000000 -0500
27017 @@ -2934,7 +2934,7 @@ static int intel_mapping_error(struct de
27021 -struct dma_map_ops intel_dma_ops = {
27022 +const struct dma_map_ops intel_dma_ops = {
27023 .alloc_coherent = intel_alloc_coherent,
27024 .free_coherent = intel_free_coherent,
27025 .map_sg = intel_map_sg,
27026 diff -urNp linux-2.6.37/drivers/pci/pcie/portdrv_pci.c linux-2.6.37/drivers/pci/pcie/portdrv_pci.c
27027 --- linux-2.6.37/drivers/pci/pcie/portdrv_pci.c 2011-01-04 19:50:19.000000000 -0500
27028 +++ linux-2.6.37/drivers/pci/pcie/portdrv_pci.c 2011-01-17 02:41:01.000000000 -0500
27029 @@ -276,7 +276,7 @@ static void pcie_portdrv_err_resume(stru
27030 static const struct pci_device_id port_pci_ids[] = { {
27031 /* handle any PCI-Express port */
27032 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
27033 - }, { /* end: all zeroes */ }
27034 + }, { 0, 0, 0, 0, 0, 0, 0 }
27036 MODULE_DEVICE_TABLE(pci, port_pci_ids);
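Review bot: The terminator `{ 0, 0, 0, 0, 0, 0, 0 }` hard-codes the number of fields in `struct pci_device_id` and drops the `/* end: all zeroes */` comment that told readers what the entry is. If the struct gains or loses a field, the initializer no longer matches it. `{ 0 } /* end: all zeroes */` keeps the sentinel readable; if the seven explicit zeroes are there to quiet a missing-initializer warning, the comment should say so. drivers/pcmcia/ti113x.h receives the same terminator.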
27038 diff -urNp linux-2.6.37/drivers/pci/probe.c linux-2.6.37/drivers/pci/probe.c
27039 --- linux-2.6.37/drivers/pci/probe.c 2011-01-04 19:50:19.000000000 -0500
27040 +++ linux-2.6.37/drivers/pci/probe.c 2011-01-17 02:41:01.000000000 -0500
27041 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
27045 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
27046 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
27047 struct device_attribute *attr,
27050 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
27053 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
27054 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
27055 struct device_attribute *attr,
27058 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
27062 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
27063 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
27065 if (!dev->mmio_always_on) {
27066 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
27067 diff -urNp linux-2.6.37/drivers/pci/proc.c linux-2.6.37/drivers/pci/proc.c
27068 --- linux-2.6.37/drivers/pci/proc.c 2011-01-04 19:50:19.000000000 -0500
27069 +++ linux-2.6.37/drivers/pci/proc.c 2011-01-17 02:41:01.000000000 -0500
27070 @@ -476,7 +476,16 @@ static const struct file_operations proc
27071 static int __init pci_proc_init(void)
27073 struct pci_dev *dev = NULL;
27075 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
27076 +#ifdef CONFIG_GRKERNSEC_PROC_USER
27077 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
27078 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
27079 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27082 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27084 proc_create("devices", 0, proc_bus_pci_dir,
27085 &proc_bus_pci_dev_operations);
27086 proc_initialized = 1;
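Review bot: In `pci_proc_init`, under `CONFIG_GRKERNSEC_PROC_ADD` the listing shows `proc_bus_pci_dir` assigned only in the `CONFIG_GRKERNSEC_PROC_USER` and `CONFIG_GRKERNSEC_PROC_USERGROUP` branches, yet it is passed to `proc_create("devices", 0, proc_bus_pci_dir, ...)` unconditionally. The lines closing the conditionals are not visible here, so this may already be handled. Unless the configuration system guarantees one of the two inner options, the inner conditional should end with a fallback: `#else` followed by `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);`. The result of `proc_mkdir_mode()` is also used without a NULL check, as the original call was. A short comment should say that the directory mode is what restricts the `devices` entry, which is still created with mode `0`; the function body continues outside the hunk.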
27087 diff -urNp linux-2.6.37/drivers/pcmcia/ti113x.h linux-2.6.37/drivers/pcmcia/ti113x.h
27088 --- linux-2.6.37/drivers/pcmcia/ti113x.h 2011-01-04 19:50:19.000000000 -0500
27089 +++ linux-2.6.37/drivers/pcmcia/ti113x.h 2011-01-17 02:41:01.000000000 -0500
27090 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
27091 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27092 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27095 + { 0, 0, 0, 0, 0, 0, 0 }
27098 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27099 diff -urNp linux-2.6.37/drivers/pcmcia/yenta_socket.c linux-2.6.37/drivers/pcmcia/yenta_socket.c
27100 --- linux-2.6.37/drivers/pcmcia/yenta_socket.c 2011-01-04 19:50:19.000000000 -0500
27101 +++ linux-2.6.37/drivers/pcmcia/yenta_socket.c 2011-01-17 02:41:01.000000000 -0500
27102 @@ -1426,7 +1426,7 @@ static struct pci_device_id yenta_table[
27104 /* match any cardbus bridge */
27105 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27106 - { /* all zeroes */ }
27107 + { 0, 0, 0, 0, 0, 0, 0 }
27109 MODULE_DEVICE_TABLE(pci, yenta_table);
27111 diff -urNp linux-2.6.37/drivers/platform/x86/acer-wmi.c linux-2.6.37/drivers/platform/x86/acer-wmi.c
27112 --- linux-2.6.37/drivers/platform/x86/acer-wmi.c 2011-01-04 19:50:19.000000000 -0500
27113 +++ linux-2.6.37/drivers/platform/x86/acer-wmi.c 2011-01-17 02:41:01.000000000 -0500
27114 @@ -915,7 +915,7 @@ static int update_bl_status(struct backl
27118 -static struct backlight_ops acer_bl_ops = {
27119 +static const struct backlight_ops acer_bl_ops = {
27120 .get_brightness = read_brightness,
27121 .update_status = update_bl_status,
27123 diff -urNp linux-2.6.37/drivers/platform/x86/asus_acpi.c linux-2.6.37/drivers/platform/x86/asus_acpi.c
27124 --- linux-2.6.37/drivers/platform/x86/asus_acpi.c 2011-01-04 19:50:19.000000000 -0500
27125 +++ linux-2.6.37/drivers/platform/x86/asus_acpi.c 2011-01-17 02:41:01.000000000 -0500
27126 @@ -1467,7 +1467,7 @@ static int asus_hotk_remove(struct acpi_
27130 -static struct backlight_ops asus_backlight_data = {
27131 +static const struct backlight_ops asus_backlight_data = {
27132 .get_brightness = read_brightness,
27133 .update_status = set_brightness_status,
27135 diff -urNp linux-2.6.37/drivers/platform/x86/asus-laptop.c linux-2.6.37/drivers/platform/x86/asus-laptop.c
27136 --- linux-2.6.37/drivers/platform/x86/asus-laptop.c 2011-01-04 19:50:19.000000000 -0500
27137 +++ linux-2.6.37/drivers/platform/x86/asus-laptop.c 2011-01-17 02:41:01.000000000 -0500
27138 @@ -243,7 +243,6 @@ struct asus_laptop {
27139 struct asus_led gled;
27140 struct asus_led kled;
27141 struct workqueue_struct *led_workqueue;
27143 int wireless_status;
27146 @@ -640,7 +639,7 @@ static int update_bl_status(struct backl
27147 return asus_lcd_set(asus, value);
27150 -static struct backlight_ops asusbl_ops = {
27151 +static const struct backlight_ops asusbl_ops = {
27152 .get_brightness = asus_read_brightness,
27153 .update_status = update_bl_status,
27155 diff -urNp linux-2.6.37/drivers/platform/x86/dell-laptop.c linux-2.6.37/drivers/platform/x86/dell-laptop.c
27156 --- linux-2.6.37/drivers/platform/x86/dell-laptop.c 2011-01-04 19:50:19.000000000 -0500
27157 +++ linux-2.6.37/drivers/platform/x86/dell-laptop.c 2011-01-17 02:41:01.000000000 -0500
27158 @@ -546,7 +546,7 @@ out:
27159 return buffer->output[1];
27162 -static struct backlight_ops dell_ops = {
27163 +static const struct backlight_ops dell_ops = {
27164 .get_brightness = dell_get_intensity,
27165 .update_status = dell_send_intensity,
27167 diff -urNp linux-2.6.37/drivers/platform/x86/eeepc-laptop.c linux-2.6.37/drivers/platform/x86/eeepc-laptop.c
27168 --- linux-2.6.37/drivers/platform/x86/eeepc-laptop.c 2011-01-04 19:50:19.000000000 -0500
27169 +++ linux-2.6.37/drivers/platform/x86/eeepc-laptop.c 2011-01-17 02:41:01.000000000 -0500
27170 @@ -1115,7 +1115,7 @@ static int update_bl_status(struct backl
27171 return set_brightness(bd, bd->props.brightness);
27174 -static struct backlight_ops eeepcbl_ops = {
27175 +static const struct backlight_ops eeepcbl_ops = {
27176 .get_brightness = read_brightness,
27177 .update_status = update_bl_status,
27179 diff -urNp linux-2.6.37/drivers/platform/x86/fujitsu-laptop.c linux-2.6.37/drivers/platform/x86/fujitsu-laptop.c
27180 --- linux-2.6.37/drivers/platform/x86/fujitsu-laptop.c 2011-01-04 19:50:19.000000000 -0500
27181 +++ linux-2.6.37/drivers/platform/x86/fujitsu-laptop.c 2011-01-17 02:41:01.000000000 -0500
27182 @@ -437,7 +437,7 @@ static int bl_update_status(struct backl
27186 -static struct backlight_ops fujitsubl_ops = {
27187 +static const struct backlight_ops fujitsubl_ops = {
27188 .get_brightness = bl_get_brightness,
27189 .update_status = bl_update_status,
27191 diff -urNp linux-2.6.37/drivers/platform/x86/sony-laptop.c linux-2.6.37/drivers/platform/x86/sony-laptop.c
27192 --- linux-2.6.37/drivers/platform/x86/sony-laptop.c 2011-01-04 19:50:19.000000000 -0500
27193 +++ linux-2.6.37/drivers/platform/x86/sony-laptop.c 2011-01-17 02:41:01.000000000 -0500
27194 @@ -856,7 +856,7 @@ static int sony_backlight_get_brightness
27197 static struct backlight_device *sony_backlight_device;
27198 -static struct backlight_ops sony_backlight_ops = {
27199 +static const struct backlight_ops sony_backlight_ops = {
27200 .update_status = sony_backlight_update_status,
27201 .get_brightness = sony_backlight_get_brightness,
27203 diff -urNp linux-2.6.37/drivers/platform/x86/thinkpad_acpi.c linux-2.6.37/drivers/platform/x86/thinkpad_acpi.c
27204 --- linux-2.6.37/drivers/platform/x86/thinkpad_acpi.c 2011-01-04 19:50:19.000000000 -0500
27205 +++ linux-2.6.37/drivers/platform/x86/thinkpad_acpi.c 2011-01-17 02:41:01.000000000 -0500
27206 @@ -6109,7 +6109,7 @@ static void tpacpi_brightness_notify_cha
27207 BACKLIGHT_UPDATE_HOTKEY);
27210 -static struct backlight_ops ibm_backlight_data = {
27211 +static const struct backlight_ops ibm_backlight_data = {
27212 .get_brightness = brightness_get,
27213 .update_status = brightness_update_status,
27215 diff -urNp linux-2.6.37/drivers/platform/x86/toshiba_acpi.c linux-2.6.37/drivers/platform/x86/toshiba_acpi.c
27216 --- linux-2.6.37/drivers/platform/x86/toshiba_acpi.c 2011-01-04 19:50:19.000000000 -0500
27217 +++ linux-2.6.37/drivers/platform/x86/toshiba_acpi.c 2011-01-17 02:41:01.000000000 -0500
27218 @@ -841,7 +841,7 @@ static void remove_toshiba_proc_entries(
27219 remove_proc_entry("version", toshiba_proc_dir);
27222 -static struct backlight_ops toshiba_backlight_data = {
27223 +static const struct backlight_ops toshiba_backlight_data = {
27224 .get_brightness = get_lcd,
27225 .update_status = set_lcd_status,
27227 diff -urNp linux-2.6.37/drivers/pnp/pnpbios/bioscalls.c linux-2.6.37/drivers/pnp/pnpbios/bioscalls.c
27228 --- linux-2.6.37/drivers/pnp/pnpbios/bioscalls.c 2011-01-04 19:50:19.000000000 -0500
27229 +++ linux-2.6.37/drivers/pnp/pnpbios/bioscalls.c 2011-01-17 02:41:01.000000000 -0500
27230 @@ -59,7 +59,7 @@ do { \
27231 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27234 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27235 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27236 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
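Review bot: The flag change from `0x4092` to `0x4093` in `bad_bios_desc` is a silent behaviour change with no comment, alongside the new `const`. The extra bit is the descriptor's Accessed bit; presumably it is preset so the CPU never has to write it back when the selector is loaded, which matters once the descriptor table is write-protected (the later hunks wrap every GDT store in `pax_open_kernel()`/`pax_close_kernel()`). A comment above the definition would make this reviewable, e.g. `/* type 0x93: Accessed bit preset so loading the selector never writes to the GDT */`.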
27239 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27242 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27244 + pax_open_kernel();
27245 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27246 + pax_close_kernel();
27248 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27249 spin_lock_irqsave(&pnp_bios_lock, flags);
27250 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27252 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27254 + pax_open_kernel();
27255 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27256 + pax_close_kernel();
27260 /* If we get here and this is set then the PnP BIOS faulted on us. */
27261 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27265 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27266 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27270 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27271 pnp_bios_callpoint.offset = header->fields.pm16offset;
27272 pnp_bios_callpoint.segment = PNP_CS16;
27274 + pax_open_kernel();
27276 for_each_possible_cpu(i) {
27277 struct desc_struct *gdt = get_cpu_gdt_table(i);
27279 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27280 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27281 (unsigned long)__va(header->fields.pm16dseg));
27284 + pax_close_kernel();
27286 diff -urNp linux-2.6.37/drivers/pnp/quirks.c linux-2.6.37/drivers/pnp/quirks.c
27287 --- linux-2.6.37/drivers/pnp/quirks.c 2011-01-04 19:50:19.000000000 -0500
27288 +++ linux-2.6.37/drivers/pnp/quirks.c 2011-01-17 02:41:01.000000000 -0500
27289 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27290 /* PnP resources that might overlap PCI BARs */
27291 {"PNP0c01", quirk_system_pci_resources},
27292 {"PNP0c02", quirk_system_pci_resources},
27297 void pnp_fixup_device(struct pnp_dev *dev)
27298 diff -urNp linux-2.6.37/drivers/pnp/resource.c linux-2.6.37/drivers/pnp/resource.c
27299 --- linux-2.6.37/drivers/pnp/resource.c 2011-01-04 19:50:19.000000000 -0500
27300 +++ linux-2.6.37/drivers/pnp/resource.c 2011-01-17 02:41:01.000000000 -0500
27301 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27304 /* check if the resource is valid */
27305 - if (*irq < 0 || *irq > 15)
27309 /* check if the resource is reserved */
27310 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27313 /* check if the resource is valid */
27314 - if (*dma < 0 || *dma == 4 || *dma > 7)
27315 + if (*dma == 4 || *dma > 7)
27318 /* check if the resource is reserved */
27319 diff -urNp linux-2.6.37/drivers/rtc/rtc-dev.c linux-2.6.37/drivers/rtc/rtc-dev.c
27320 --- linux-2.6.37/drivers/rtc/rtc-dev.c 2011-01-04 19:50:19.000000000 -0500
27321 +++ linux-2.6.37/drivers/rtc/rtc-dev.c 2011-01-17 02:41:01.000000000 -0500
27323 #include <linux/module.h>
27324 #include <linux/rtc.h>
27325 #include <linux/sched.h>
27326 +#include <linux/grsecurity.h>
27327 #include "rtc-core.h"
27329 static dev_t rtc_devt;
27330 @@ -357,6 +358,8 @@ static long rtc_dev_ioctl(struct file *f
27331 if (copy_from_user(&tm, uarg, sizeof(tm)))
27334 + gr_log_timechange();
27336 return rtc_set_time(rtc, &tm);
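Review bot: `gr_log_timechange()` is called before `rtc_set_time()`, whose result is returned directly, so a set that fails is still recorded as a time change. If the log is meant to show changes that actually took effect, log only on success using a local status variable: `err = rtc_set_time(rtc, &tm);`, `if (!err) gr_log_timechange();`, `return err;`. If logging attempts is intended, a comment such as `/* audit the attempt, even if the RTC rejects it */` would make that clear to whoever reads the log. The rest of `rtc_dev_ioctl` is outside the hunk.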
27339 diff -urNp linux-2.6.37/drivers/s390/cio/qdio_debug.c linux-2.6.37/drivers/s390/cio/qdio_debug.c
27340 --- linux-2.6.37/drivers/s390/cio/qdio_debug.c 2011-01-04 19:50:19.000000000 -0500
27341 +++ linux-2.6.37/drivers/s390/cio/qdio_debug.c 2011-01-17 02:41:01.000000000 -0500
27342 @@ -224,7 +224,7 @@ static int qperf_seq_open(struct inode *
27343 filp->f_path.dentry->d_inode->i_private);
27346 -static struct file_operations debugfs_perf_fops = {
27347 +static const struct file_operations debugfs_perf_fops = {
27348 .owner = THIS_MODULE,
27349 .open = qperf_seq_open,
27351 diff -urNp linux-2.6.37/drivers/scsi/hpsa.c linux-2.6.37/drivers/scsi/hpsa.c
27352 --- linux-2.6.37/drivers/scsi/hpsa.c 2011-01-04 19:50:19.000000000 -0500
27353 +++ linux-2.6.37/drivers/scsi/hpsa.c 2011-01-17 02:41:01.000000000 -0500
27354 @@ -2292,6 +2292,8 @@ static int hpsa_ioctl32_passthru(struct
27358 + memset(&arg64, 0, sizeof(arg64));
27361 err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
27362 sizeof(arg64.LUN_info));
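Review bot: The added `memset(&arg64, 0, sizeof(arg64));` has no comment saying what it protects against. The visible code fills `arg64` member by member with `copy_from_user`, so without the clear any padding and unset members would presumably keep whatever was in that memory before (stack contents, if `arg64` is a local; its declaration is outside the hunk). A comment would keep a later cleanup from removing it as redundant, e.g. `/* clear padding and unset members so no stale kernel data is passed on */`. Any sibling compat ioctl path that builds its 64-bit struct the same way should be checked for the same gap; none is visible in this diff.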
27363 diff -urNp linux-2.6.37/drivers/scsi/ipr.c linux-2.6.37/drivers/scsi/ipr.c
27364 --- linux-2.6.37/drivers/scsi/ipr.c 2011-01-04 19:50:19.000000000 -0500
27365 +++ linux-2.6.37/drivers/scsi/ipr.c 2011-01-17 02:41:01.000000000 -0500
27366 @@ -6202,7 +6202,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
27370 -static struct ata_port_operations ipr_sata_ops = {
27371 +static const struct ata_port_operations ipr_sata_ops = {
27372 .phy_reset = ipr_ata_phy_reset,
27373 .hardreset = ipr_sata_reset,
27374 .post_internal_cmd = ipr_ata_post_internal,
27375 diff -urNp linux-2.6.37/drivers/scsi/libfc/fc_exch.c linux-2.6.37/drivers/scsi/libfc/fc_exch.c
27376 --- linux-2.6.37/drivers/scsi/libfc/fc_exch.c 2011-01-04 19:50:19.000000000 -0500
27377 +++ linux-2.6.37/drivers/scsi/libfc/fc_exch.c 2011-01-17 02:41:01.000000000 -0500
27378 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
27379 * all together if not used XXX
27382 - atomic_t no_free_exch;
27383 - atomic_t no_free_exch_xid;
27384 - atomic_t xid_not_found;
27385 - atomic_t xid_busy;
27386 - atomic_t seq_not_found;
27387 - atomic_t non_bls_resp;
27388 + atomic_unchecked_t no_free_exch;
27389 + atomic_unchecked_t no_free_exch_xid;
27390 + atomic_unchecked_t xid_not_found;
27391 + atomic_unchecked_t xid_busy;
27392 + atomic_unchecked_t seq_not_found;
27393 + atomic_unchecked_t non_bls_resp;
27396 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
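Review bot: The switch of these six members to `atomic_unchecked_t` is not explained where they are declared. In the later hunks of this file they are only ever bumped with `atomic_inc_unchecked(&mp->stats...)` on error paths, which suggests they are statistics counters where wraparound is harmless rather than reference counts. A comment on the struct would let a reviewer confirm they are exempt from overflow checking on purpose, e.g. `/* statistics only: may wrap, never used for object lifetime */`. Any reader of these counters outside this diff has to use the `_unchecked` accessors as well; the struct itself continues outside the hunk.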
27397 @@ -670,7 +670,7 @@ static struct fc_exch *fc_exch_em_alloc(
27398 /* allocate memory for exchange */
27399 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27401 - atomic_inc(&mp->stats.no_free_exch);
27402 + atomic_inc_unchecked(&mp->stats.no_free_exch);
27405 memset(ep, 0, sizeof(*ep));
27406 @@ -718,7 +718,7 @@ out:
27409 spin_unlock_bh(&pool->lock);
27410 - atomic_inc(&mp->stats.no_free_exch_xid);
27411 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27412 mempool_free(ep, mp->ep_pool);
27415 @@ -863,7 +863,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27416 xid = ntohs(fh->fh_ox_id); /* we originated exch */
27417 ep = fc_exch_find(mp, xid);
27419 - atomic_inc(&mp->stats.xid_not_found);
27420 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27421 reject = FC_RJT_OX_ID;
27424 @@ -893,7 +893,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27425 ep = fc_exch_find(mp, xid);
27426 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27428 - atomic_inc(&mp->stats.xid_busy);
27429 + atomic_inc_unchecked(&mp->stats.xid_busy);
27430 reject = FC_RJT_RX_ID;
27433 @@ -904,7 +904,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27435 xid = ep->xid; /* get our XID */
27437 - atomic_inc(&mp->stats.xid_not_found);
27438 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27439 reject = FC_RJT_RX_ID; /* XID not found */
27442 @@ -921,7 +921,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27445 if (sp->id != fh->fh_seq_id) {
27446 - atomic_inc(&mp->stats.seq_not_found);
27447 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27448 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27451 @@ -1338,22 +1338,22 @@ static void fc_exch_recv_seq_resp(struct
27453 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27455 - atomic_inc(&mp->stats.xid_not_found);
27456 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27459 if (ep->esb_stat & ESB_ST_COMPLETE) {
27460 - atomic_inc(&mp->stats.xid_not_found);
27461 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27464 if (ep->rxid == FC_XID_UNKNOWN)
27465 ep->rxid = ntohs(fh->fh_rx_id);
27466 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27467 - atomic_inc(&mp->stats.xid_not_found);
27468 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27471 if (ep->did != ntoh24(fh->fh_s_id) &&
27472 ep->did != FC_FID_FLOGI) {
27473 - atomic_inc(&mp->stats.xid_not_found);
27474 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27478 @@ -1362,7 +1362,7 @@ static void fc_exch_recv_seq_resp(struct
27479 sp->ssb_stat |= SSB_ST_RESP;
27480 sp->id = fh->fh_seq_id;
27481 } else if (sp->id != fh->fh_seq_id) {
27482 - atomic_inc(&mp->stats.seq_not_found);
27483 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27487 @@ -1425,9 +1425,9 @@ static void fc_exch_recv_resp(struct fc_
27488 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
27491 - atomic_inc(&mp->stats.xid_not_found);
27492 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27494 - atomic_inc(&mp->stats.non_bls_resp);
27495 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
27499 diff -urNp linux-2.6.37/drivers/scsi/libsas/sas_ata.c linux-2.6.37/drivers/scsi/libsas/sas_ata.c
27500 --- linux-2.6.37/drivers/scsi/libsas/sas_ata.c 2011-01-04 19:50:19.000000000 -0500
27501 +++ linux-2.6.37/drivers/scsi/libsas/sas_ata.c 2011-01-17 02:41:01.000000000 -0500
27502 @@ -348,10 +348,10 @@ static int sas_ata_scr_read(struct ata_l
27506 -static struct ata_port_operations sas_sata_ops = {
27507 +static const struct ata_port_operations sas_sata_ops = {
27508 .phy_reset = sas_ata_phy_reset,
27509 .post_internal_cmd = sas_ata_post_internal,
27510 - .qc_defer = ata_std_qc_defer,
27511 + .qc_defer = ata_std_qc_defer,
27512 .qc_prep = ata_noop_qc_prep,
27513 .qc_issue = sas_ata_qc_issue,
27514 .qc_fill_rtf = sas_ata_qc_fill_rtf,
27515 diff -urNp linux-2.6.37/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.37/drivers/scsi/mpt2sas/mpt2sas_debug.h
27516 --- linux-2.6.37/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-01-04 19:50:19.000000000 -0500
27517 +++ linux-2.6.37/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-01-17 02:41:01.000000000 -0500
27522 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
27523 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
27524 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
27527 diff -urNp linux-2.6.37/drivers/scsi/qla2xxx/qla_os.c linux-2.6.37/drivers/scsi/qla2xxx/qla_os.c
27528 --- linux-2.6.37/drivers/scsi/qla2xxx/qla_os.c 2011-01-04 19:50:19.000000000 -0500
27529 +++ linux-2.6.37/drivers/scsi/qla2xxx/qla_os.c 2011-01-17 02:41:01.000000000 -0500
27530 @@ -4083,7 +4083,7 @@ static struct pci_driver qla2xxx_pci_dri
27531 .err_handler = &qla2xxx_err_handler,
27534 -static struct file_operations apidev_fops = {
27535 +static const struct file_operations apidev_fops = {
27536 .owner = THIS_MODULE,
27537 .llseek = noop_llseek,
27539 diff -urNp linux-2.6.37/drivers/scsi/scsi_logging.h linux-2.6.37/drivers/scsi/scsi_logging.h
27540 --- linux-2.6.37/drivers/scsi/scsi_logging.h 2011-01-04 19:50:19.000000000 -0500
27541 +++ linux-2.6.37/drivers/scsi/scsi_logging.h 2011-01-17 02:41:01.000000000 -0500
27542 @@ -51,7 +51,7 @@ do { \
27546 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
27547 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
27548 #endif /* CONFIG_SCSI_LOGGING */
27551 diff -urNp linux-2.6.37/drivers/scsi/sg.c linux-2.6.37/drivers/scsi/sg.c
27552 --- linux-2.6.37/drivers/scsi/sg.c 2011-01-04 19:50:19.000000000 -0500
27553 +++ linux-2.6.37/drivers/scsi/sg.c 2011-01-17 02:41:01.000000000 -0500
27554 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
27555 const struct file_operations * fops;
27558 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
27559 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
27560 {"allow_dio", &adio_fops},
27561 {"debug", &debug_fops},
27562 {"def_reserved_size", &dressz_fops},
27563 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
27566 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
27567 - struct sg_proc_leaf * leaf;
27568 + const struct sg_proc_leaf * leaf;
27570 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
27572 diff -urNp linux-2.6.37/drivers/serial/8250_pci.c linux-2.6.37/drivers/serial/8250_pci.c
27573 --- linux-2.6.37/drivers/serial/8250_pci.c 2011-01-04 19:50:19.000000000 -0500
27574 +++ linux-2.6.37/drivers/serial/8250_pci.c 2011-01-17 02:41:01.000000000 -0500
27575 @@ -3782,7 +3782,7 @@ static struct pci_device_id serial_pci_t
27576 PCI_ANY_ID, PCI_ANY_ID,
27577 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
27578 0xffff00, pbn_default },
27580 + { 0, 0, 0, 0, 0, 0, 0 }
27583 static struct pci_driver serial_pci_driver = {
27584 diff -urNp linux-2.6.37/drivers/serial/kgdboc.c linux-2.6.37/drivers/serial/kgdboc.c
27585 --- linux-2.6.37/drivers/serial/kgdboc.c 2011-01-04 19:50:19.000000000 -0500
27586 +++ linux-2.6.37/drivers/serial/kgdboc.c 2011-01-17 02:41:01.000000000 -0500
27589 #define MAX_CONFIG_LEN 40
27591 -static struct kgdb_io kgdboc_io_ops;
27592 +/* cannot be const, see configure_kgdboc() */
27593 +static struct kgdb_io kgdboc_io_ops;
27595 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
27596 static int configured = -1;
27597 @@ -293,6 +294,7 @@ static void kgdboc_post_exp_handler(void
27598 kgdboc_restore_input();
27601 +/* cannot be const, see configure_kgdboc() */
27602 static struct kgdb_io kgdboc_io_ops = {
27604 .read_char = kgdboc_get_char,
27605 diff -urNp linux-2.6.37/drivers/staging/autofs/root.c linux-2.6.37/drivers/staging/autofs/root.c
27606 --- linux-2.6.37/drivers/staging/autofs/root.c 2011-01-04 19:50:19.000000000 -0500
27607 +++ linux-2.6.37/drivers/staging/autofs/root.c 2011-01-24 18:04:18.000000000 -0500
27608 @@ -308,7 +308,8 @@ static int autofs_root_symlink(struct in
27609 set_bit(n,sbi->symlink_bitmap);
27610 sl = &sbi->symlink[n];
27611 sl->len = strlen(symname);
27612 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
27613 + slsize = sl->len + 1;
27614 + sl->data = kmalloc(slsize, GFP_KERNEL);
27616 clear_bit(n,sbi->symlink_bitmap);
27618 diff -urNp linux-2.6.37/drivers/staging/bcm/Bcmchar.c linux-2.6.37/drivers/staging/bcm/Bcmchar.c
27619 --- linux-2.6.37/drivers/staging/bcm/Bcmchar.c 2011-01-04 19:50:19.000000000 -0500
27620 +++ linux-2.6.37/drivers/staging/bcm/Bcmchar.c 2011-01-17 02:41:01.000000000 -0500
27621 @@ -2386,7 +2386,7 @@ static long bcm_char_ioctl(struct file *
27625 -static struct file_operations bcm_fops = {
27626 +static const struct file_operations bcm_fops = {
27627 .owner = THIS_MODULE,
27628 .open = bcm_char_open,
27629 .release = bcm_char_release,
27630 diff -urNp linux-2.6.37/drivers/staging/bcm/InterfaceInit.c linux-2.6.37/drivers/staging/bcm/InterfaceInit.c
27631 --- linux-2.6.37/drivers/staging/bcm/InterfaceInit.c 2011-01-04 19:50:19.000000000 -0500
27632 +++ linux-2.6.37/drivers/staging/bcm/InterfaceInit.c 2011-01-17 02:41:01.000000000 -0500
27633 @@ -157,7 +157,7 @@ VOID ConfigureEndPointTypesThroughEEPROM
27637 -static struct file_operations usbbcm_fops = {
27638 +static const struct file_operations usbbcm_fops = {
27639 .open = usbbcm_open,
27640 .release = usbbcm_release,
27641 .read = usbbcm_read,
27642 diff -urNp linux-2.6.37/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.37/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
27643 --- linux-2.6.37/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-01-04 19:50:19.000000000 -0500
27644 +++ linux-2.6.37/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-01-24 18:04:18.000000000 -0500
27645 @@ -864,14 +864,14 @@ static void dhd_op_if(dhd_if_t *ifp)
27646 free_netdev(ifp->net);
27648 /* Allocate etherdev, including space for private structure */
27649 - ifp->net = alloc_etherdev(sizeof(dhd));
27650 + ifp->net = alloc_etherdev(sizeof(*dhd));
27652 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
27656 strcpy(ifp->net->name, ifp->name);
27657 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
27658 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
27659 err = dhd_net_attach(&dhd->pub, ifp->idx);
27661 DHD_ERROR(("%s: dhd_net_attach failed, "
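Review bot: The new `memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd))` changes what the netdev private area holds, from the pointer value of `dhd` to a byte copy of the whole structure. That is a behaviour change, not only a size correction. The code that reads the private area back is outside this diff; if it expects a stored pointer, which the old `&dhd`/`sizeof(dhd)` pair is consistent with, it would now treat structure contents as an address. Even if a copy is intended, it is only a snapshot: in the `dhd_attach` hunk `dhd->pub.osh = osh;` runs right after the memcpy and updates only the original. Both `dhd_attach` hunks (`@@ -1891` and `@@ -2027`) make the same change. If a pointer is what is meant, `*(dhd_info_t **)netdev_priv(net) = dhd;` with `alloc_etherdev(sizeof(dhd_info_t *))` would state it without the ambiguity.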
27662 @@ -1891,25 +1891,23 @@ dhd_pub_t *dhd_attach(osl_t *osh, struct
27663 strcpy(nv_path, nvram_path);
27665 /* Allocate etherdev, including space for private structure */
27666 - net = alloc_etherdev(sizeof(dhd));
27667 + net = alloc_etherdev(sizeof(*dhd));
27669 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
27673 /* Allocate primary dhd_info */
27674 - dhd = kmalloc(sizeof(dhd_info_t), GFP_ATOMIC);
27675 + dhd = kzalloc(sizeof(dhd_info_t), GFP_ATOMIC);
27677 DHD_ERROR(("%s: OOM - alloc dhd_info\n", __func__));
27681 - memset(dhd, 0, sizeof(dhd_info_t));
27684 * Save the dhd_info into the priv
27686 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
27687 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
27688 dhd->pub.osh = osh;
27690 /* Set network interface name if it was provided as module parameter */
27691 @@ -2027,7 +2025,7 @@ dhd_pub_t *dhd_attach(osl_t *osh, struct
27693 * Save the dhd_info into the priv
27695 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
27696 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
27698 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
27700 diff -urNp linux-2.6.37/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.37/drivers/staging/brcm80211/brcmfmac/wl_iw.c
27701 --- linux-2.6.37/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-01-04 19:50:19.000000000 -0500
27702 +++ linux-2.6.37/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-01-24 18:04:18.000000000 -0500
27703 @@ -514,7 +514,7 @@ wl_iw_get_range(struct net_device *dev,
27704 list = (wl_u32_list_t *) channels;
27706 dwrq->length = sizeof(struct iw_range);
27707 - memset(range, 0, sizeof(range));
27708 + memset(range, 0, sizeof(*range));
27710 range->min_nwid = range->max_nwid = 0;
27712 diff -urNp linux-2.6.37/drivers/staging/comedi/comedi_fops.c linux-2.6.37/drivers/staging/comedi/comedi_fops.c
27713 --- linux-2.6.37/drivers/staging/comedi/comedi_fops.c 2011-01-04 19:50:19.000000000 -0500
27714 +++ linux-2.6.37/drivers/staging/comedi/comedi_fops.c 2011-01-17 02:41:01.000000000 -0500
27715 @@ -1426,7 +1426,7 @@ static void comedi_unmap(struct vm_area_
27716 mutex_unlock(&dev->mutex);
27719 -static struct vm_operations_struct comedi_vm_ops = {
27720 +static const struct vm_operations_struct comedi_vm_ops = {
27721 .close = comedi_unmap,
27724 diff -urNp linux-2.6.37/drivers/staging/ft1000/ft1000-usb/ft1000_chdev.c linux-2.6.37/drivers/staging/ft1000/ft1000-usb/ft1000_chdev.c
27725 --- linux-2.6.37/drivers/staging/ft1000/ft1000-usb/ft1000_chdev.c 2011-01-04 19:50:19.000000000 -0500
27726 +++ linux-2.6.37/drivers/staging/ft1000/ft1000-usb/ft1000_chdev.c 2011-01-17 02:41:01.000000000 -0500
27727 @@ -69,7 +69,7 @@ int numofmsgbuf = 0;
27729 // Table of entry-point routines for char device
27731 -static struct file_operations ft1000fops =
27732 +static const struct file_operations ft1000fops =
27734 .unlocked_ioctl = ft1000_ChIoctl,
27735 .poll = ft1000_ChPoll,
27736 diff -urNp linux-2.6.37/drivers/staging/go7007/go7007-v4l2.c linux-2.6.37/drivers/staging/go7007/go7007-v4l2.c
27737 --- linux-2.6.37/drivers/staging/go7007/go7007-v4l2.c 2011-01-04 19:50:19.000000000 -0500
27738 +++ linux-2.6.37/drivers/staging/go7007/go7007-v4l2.c 2011-01-17 02:41:01.000000000 -0500
27739 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
27743 -static struct vm_operations_struct go7007_vm_ops = {
27744 +static const struct vm_operations_struct go7007_vm_ops = {
27745 .open = go7007_vm_open,
27746 .close = go7007_vm_close,
27747 .fault = go7007_vm_fault,
27748 diff -urNp linux-2.6.37/drivers/staging/hv/hv.c linux-2.6.37/drivers/staging/hv/hv.c
27749 --- linux-2.6.37/drivers/staging/hv/hv.c 2011-01-04 19:50:19.000000000 -0500
27750 +++ linux-2.6.37/drivers/staging/hv/hv.c 2011-01-17 02:41:01.000000000 -0500
27751 @@ -162,7 +162,7 @@ static u64 HvDoHypercall(u64 Control, vo
27752 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
27753 u32 outputAddressHi = outputAddress >> 32;
27754 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
27755 - volatile void *hypercallPage = gHvContext.HypercallPage;
27756 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
27758 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
27759 Control, Input, Output);
27760 diff -urNp linux-2.6.37/drivers/staging/msm/msm_fb_bl.c linux-2.6.37/drivers/staging/msm/msm_fb_bl.c
27761 --- linux-2.6.37/drivers/staging/msm/msm_fb_bl.c 2011-01-04 19:50:19.000000000 -0500
27762 +++ linux-2.6.37/drivers/staging/msm/msm_fb_bl.c 2011-01-17 02:41:01.000000000 -0500
27763 @@ -42,7 +42,7 @@ static int msm_fb_bl_update_status(struc
27767 -static struct backlight_ops msm_fb_bl_ops = {
27768 +static const struct backlight_ops msm_fb_bl_ops = {
27769 .get_brightness = msm_fb_bl_get_brightness,
27770 .update_status = msm_fb_bl_update_status,
27772 diff -urNp linux-2.6.37/drivers/staging/olpc_dcon/olpc_dcon.c linux-2.6.37/drivers/staging/olpc_dcon/olpc_dcon.c
27773 --- linux-2.6.37/drivers/staging/olpc_dcon/olpc_dcon.c 2011-01-04 19:50:19.000000000 -0500
27774 +++ linux-2.6.37/drivers/staging/olpc_dcon/olpc_dcon.c 2011-01-17 02:41:01.000000000 -0500
27775 @@ -615,7 +615,7 @@ static struct device_attribute dcon_devi
27776 __ATTR(resumeline, 0644, dcon_resumeline_show, dcon_resumeline_store),
27779 -static struct backlight_ops dcon_bl_ops = {
27780 +static const struct backlight_ops dcon_bl_ops = {
27781 .get_brightness = dconbl_get,
27782 .update_status = dconbl_set
27784 diff -urNp linux-2.6.37/drivers/staging/phison/phison.c linux-2.6.37/drivers/staging/phison/phison.c
27785 --- linux-2.6.37/drivers/staging/phison/phison.c 2011-01-04 19:50:19.000000000 -0500
27786 +++ linux-2.6.37/drivers/staging/phison/phison.c 2011-01-17 02:41:01.000000000 -0500
27787 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
27788 ATA_BMDMA_SHT(DRV_NAME),
27791 -static struct ata_port_operations phison_ops = {
27792 +static const struct ata_port_operations phison_ops = {
27793 .inherits = &ata_bmdma_port_ops,
27794 .prereset = phison_pre_reset,
27796 diff -urNp linux-2.6.37/drivers/staging/pohmelfs/inode.c linux-2.6.37/drivers/staging/pohmelfs/inode.c
27797 --- linux-2.6.37/drivers/staging/pohmelfs/inode.c 2011-01-04 19:50:19.000000000 -0500
27798 +++ linux-2.6.37/drivers/staging/pohmelfs/inode.c 2011-01-17 02:41:01.000000000 -0500
27799 @@ -1848,7 +1848,7 @@ static int pohmelfs_fill_super(struct su
27800 mutex_init(&psb->mcache_lock);
27801 psb->mcache_root = RB_ROOT;
27802 psb->mcache_timeout = msecs_to_jiffies(5000);
27803 - atomic_long_set(&psb->mcache_gen, 0);
27804 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
27806 psb->trans_max_pages = 100;
27808 diff -urNp linux-2.6.37/drivers/staging/pohmelfs/mcache.c linux-2.6.37/drivers/staging/pohmelfs/mcache.c
27809 --- linux-2.6.37/drivers/staging/pohmelfs/mcache.c 2011-01-04 19:50:19.000000000 -0500
27810 +++ linux-2.6.37/drivers/staging/pohmelfs/mcache.c 2011-01-17 02:41:01.000000000 -0500
27811 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
27815 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
27816 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
27818 mutex_lock(&psb->mcache_lock);
27819 err = pohmelfs_mcache_insert(psb, m);
27820 diff -urNp linux-2.6.37/drivers/staging/pohmelfs/netfs.h linux-2.6.37/drivers/staging/pohmelfs/netfs.h
27821 --- linux-2.6.37/drivers/staging/pohmelfs/netfs.h 2011-01-04 19:50:19.000000000 -0500
27822 +++ linux-2.6.37/drivers/staging/pohmelfs/netfs.h 2011-01-17 02:41:01.000000000 -0500
27823 @@ -571,7 +571,7 @@ struct pohmelfs_config;
27824 struct pohmelfs_sb {
27825 struct rb_root mcache_root;
27826 struct mutex mcache_lock;
27827 - atomic_long_t mcache_gen;
27828 + atomic_long_unchecked_t mcache_gen;
27829 unsigned long mcache_timeout;
27832 diff -urNp linux-2.6.37/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.37/drivers/staging/rtl8192u/ieee80211/proc.c
27833 --- linux-2.6.37/drivers/staging/rtl8192u/ieee80211/proc.c 2011-01-04 19:50:19.000000000 -0500
27834 +++ linux-2.6.37/drivers/staging/rtl8192u/ieee80211/proc.c 2011-01-17 02:41:01.000000000 -0500
27835 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
27836 return seq_open(file, &crypto_seq_ops);
27839 -static struct file_operations proc_crypto_ops = {
27840 +static const struct file_operations proc_crypto_ops = {
27841 .open = crypto_info_open,
27843 .llseek = seq_lseek,
27844 diff -urNp linux-2.6.37/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.37/drivers/staging/samsung-laptop/samsung-laptop.c
27845 --- linux-2.6.37/drivers/staging/samsung-laptop/samsung-laptop.c 2011-01-04 19:50:19.000000000 -0500
27846 +++ linux-2.6.37/drivers/staging/samsung-laptop/samsung-laptop.c 2011-01-17 02:41:01.000000000 -0500
27847 @@ -269,7 +269,7 @@ static int update_status(struct backligh
27851 -static struct backlight_ops backlight_ops = {
27852 +static const struct backlight_ops backlight_ops = {
27853 .get_brightness = get_brightness,
27854 .update_status = update_status,
27856 diff -urNp linux-2.6.37/drivers/staging/spectra/ffsport.c linux-2.6.37/drivers/staging/spectra/ffsport.c
27857 --- linux-2.6.37/drivers/staging/spectra/ffsport.c 2011-01-04 19:50:19.000000000 -0500
27858 +++ linux-2.6.37/drivers/staging/spectra/ffsport.c 2011-01-17 02:41:01.000000000 -0500
27859 @@ -603,7 +603,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
27863 -static struct block_device_operations GLOB_SBD_ops = {
27864 +static const struct block_device_operations GLOB_SBD_ops = {
27865 .owner = THIS_MODULE,
27866 .open = GLOB_SBD_open,
27867 .release = GLOB_SBD_release,
27868 diff -urNp linux-2.6.37/drivers/staging/vme/devices/vme_user.c linux-2.6.37/drivers/staging/vme/devices/vme_user.c
27869 --- linux-2.6.37/drivers/staging/vme/devices/vme_user.c 2011-01-04 19:50:19.000000000 -0500
27870 +++ linux-2.6.37/drivers/staging/vme/devices/vme_user.c 2011-01-17 02:41:01.000000000 -0500
27871 @@ -137,7 +137,7 @@ static long vme_user_unlocked_ioctl(stru
27872 static int __init vme_user_probe(struct device *, int, int);
27873 static int __exit vme_user_remove(struct device *, int, int);
27875 -static struct file_operations vme_user_fops = {
27876 +static const struct file_operations vme_user_fops = {
27877 .open = vme_user_open,
27878 .release = vme_user_release,
27879 .read = vme_user_read,
27880 diff -urNp linux-2.6.37/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.37/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
27881 --- linux-2.6.37/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-01-04 19:50:19.000000000 -0500
27882 +++ linux-2.6.37/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-01-17 02:41:01.000000000 -0500
27883 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
27886 /*standard block device driver interface */
27887 -static struct block_device_operations cyasblkdev_bdops = {
27888 +static const struct block_device_operations cyasblkdev_bdops = {
27889 .open = cyasblkdev_blk_open,
27890 .release = cyasblkdev_blk_release,
27891 .ioctl = cyasblkdev_blk_ioctl,
27892 diff -urNp linux-2.6.37/drivers/tty/n_gsm.c linux-2.6.37/drivers/tty/n_gsm.c
27893 --- linux-2.6.37/drivers/tty/n_gsm.c 2011-01-04 19:50:19.000000000 -0500
27894 +++ linux-2.6.37/drivers/tty/n_gsm.c 2011-01-17 02:41:01.000000000 -0500
27895 @@ -1579,7 +1579,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
27897 spin_lock_init(&dlci->lock);
27898 dlci->fifo = &dlci->_fifo;
27899 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
27900 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
27904 diff -urNp linux-2.6.37/drivers/tty/n_tty.c linux-2.6.37/drivers/tty/n_tty.c
27905 --- linux-2.6.37/drivers/tty/n_tty.c 2011-01-04 19:50:19.000000000 -0500
27906 +++ linux-2.6.37/drivers/tty/n_tty.c 2011-01-17 02:41:01.000000000 -0500
27907 @@ -2116,6 +2116,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
27909 *ops = tty_ldisc_N_TTY;
27911 - ops->refcount = ops->flags = 0;
27912 + atomic_set(&ops->refcount, 0);
27915 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
27916 diff -urNp linux-2.6.37/drivers/tty/pty.c linux-2.6.37/drivers/tty/pty.c
27917 --- linux-2.6.37/drivers/tty/pty.c 2011-01-04 19:50:19.000000000 -0500
27918 +++ linux-2.6.37/drivers/tty/pty.c 2011-01-17 02:41:01.000000000 -0500
27919 @@ -700,7 +700,18 @@ out:
27923 -static struct file_operations ptmx_fops;
27924 +static const struct file_operations ptmx_fops = {
27925 + .llseek = no_llseek,
27926 + .read = tty_read,
27927 + .write = tty_write,
27928 + .poll = tty_poll,
27929 + .unlocked_ioctl = tty_ioctl,
27930 + .compat_ioctl = tty_compat_ioctl,
27931 + .open = ptmx_open,
27932 + .release = tty_release,
27933 + .fasync = tty_fasync,
27937 static void __init unix98_pty_init(void)
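Review bot: The new `ptmx_fops` initializer repeats the tty file operations member by member, so it can drift from `tty_fops` without any compiler diagnostic. The code it replaces (`tty_default_fops(&ptmx_fops); ptmx_fops.open = ptmx_open;`, removed in the next hunk) picked up every member automatically. A comment above the initializer would make the coupling explicit, e.g. `/* mirrors tty_fops in tty_io.c except for .open; keep the two in sync */`. The end of the initializer is not visible in this view, so the member list still needs checking against `tty_fops`.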
27939 @@ -753,10 +764,6 @@ static void __init unix98_pty_init(void)
27941 register_sysctl_table(pty_root_table);
27943 - /* Now create the /dev/ptmx special device */
27944 - tty_default_fops(&ptmx_fops);
27945 - ptmx_fops.open = ptmx_open;
27947 cdev_init(&ptmx_cdev, &ptmx_fops);
27948 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
27949 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
27950 diff -urNp linux-2.6.37/drivers/tty/tty_io.c linux-2.6.37/drivers/tty/tty_io.c
27951 --- linux-2.6.37/drivers/tty/tty_io.c 2011-01-04 19:50:19.000000000 -0500
27952 +++ linux-2.6.37/drivers/tty/tty_io.c 2011-01-17 02:41:01.000000000 -0500
27953 @@ -140,21 +140,11 @@ EXPORT_SYMBOL(tty_mutex);
27954 /* Spinlock to protect the tty->tty_files list */
27955 DEFINE_SPINLOCK(tty_files_lock);
27957 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
27958 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
27959 ssize_t redirected_tty_write(struct file *, const char __user *,
27961 -static unsigned int tty_poll(struct file *, poll_table *);
27962 static int tty_open(struct inode *, struct file *);
27963 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
27964 -#ifdef CONFIG_COMPAT
27965 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
27966 - unsigned long arg);
27968 -#define tty_compat_ioctl NULL
27970 static int __tty_fasync(int fd, struct file *filp, int on);
27971 -static int tty_fasync(int fd, struct file *filp, int on);
27972 static void release_tty(struct tty_struct *tty, int idx);
27973 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
27974 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
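Review bot: With the `#define tty_compat_ioctl NULL` fallback removed here, the `.compat_ioctl = tty_compat_ioctl` member of the new `ptmx_fops` in pty.c needs some other definition on kernels built without CONFIG_COMPAT. The later `tty_compat_ioctl` hunk in this file adds three lines of which only the `EXPORT_SYMBOL` is visible, so a replacement may exist there. Because pty.c is a separate translation unit, the fallback would have to live in the shared header that carries the new prototypes rather than in tty_io.c. A !CONFIG_COMPAT build is the quickest way to confirm.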
27975 @@ -938,7 +928,7 @@ EXPORT_SYMBOL(start_tty);
27976 * read calls may be outstanding in parallel.
27979 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
27980 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
27984 @@ -964,6 +954,8 @@ static ssize_t tty_read(struct file *fil
27988 +EXPORT_SYMBOL(tty_read);
27990 void tty_write_unlock(struct tty_struct *tty)
27992 mutex_unlock(&tty->atomic_write_lock);
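Review bot: `EXPORT_SYMBOL(tty_read)` makes a previously file-local handler callable from any loadable module, which is wider than the change needs if its only new user is the `ptmx_fops` initializer in pty.c. If pty.c is always linked into the kernel image (worth confirming against the Makefile), dropping `static` and adding a prototype to a shared header is enough and the export can be omitted. The same applies to the `tty_write`, `tty_release`, `tty_poll`, `tty_fasync`, `tty_ioctl` and `tty_compat_ioctl` exports in the later hunks of this file.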
27993 @@ -1113,7 +1105,7 @@ void tty_write_message(struct tty_struct
27994 * write method will not be invoked in parallel for each device.
27997 -static ssize_t tty_write(struct file *file, const char __user *buf,
27998 +ssize_t tty_write(struct file *file, const char __user *buf,
27999 size_t count, loff_t *ppos)
28001 struct inode *inode = file->f_path.dentry->d_inode;
28002 @@ -1139,6 +1131,8 @@ static ssize_t tty_write(struct file *fi
28006 +EXPORT_SYMBOL(tty_write);
28008 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
28009 size_t count, loff_t *ppos)
28011 @@ -1778,6 +1772,8 @@ int tty_release(struct inode *inode, str
28015 +EXPORT_SYMBOL(tty_release);
28018 * tty_open - open a tty device
28019 * @inode: inode of device file
28020 @@ -1969,7 +1965,7 @@ got_driver:
28021 * may be re-entered freely by other callers.
28024 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
28025 +unsigned int tty_poll(struct file *filp, poll_table *wait)
28027 struct tty_struct *tty = file_tty(filp);
28028 struct tty_ldisc *ld;
28029 @@ -1985,6 +1981,8 @@ static unsigned int tty_poll(struct file
28033 +EXPORT_SYMBOL(tty_poll);
28035 static int __tty_fasync(int fd, struct file *filp, int on)
28037 struct tty_struct *tty = file_tty(filp);
28038 @@ -2026,7 +2024,7 @@ out:
28042 -static int tty_fasync(int fd, struct file *filp, int on)
28043 +int tty_fasync(int fd, struct file *filp, int on)
28047 @@ -2035,6 +2033,8 @@ static int tty_fasync(int fd, struct fil
28051 +EXPORT_SYMBOL(tty_fasync);
28054 * tiocsti - fake input character
28055 * @tty: tty to fake input into
28056 @@ -2687,8 +2687,10 @@ long tty_ioctl(struct file *file, unsign
28060 +EXPORT_SYMBOL(tty_ioctl);
28062 #ifdef CONFIG_COMPAT
28063 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
28064 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
28067 struct inode *inode = file->f_dentry->d_inode;
28068 @@ -2712,6 +2714,9 @@ static long tty_compat_ioctl(struct file
28073 +EXPORT_SYMBOL(tty_compat_ioctl);
28078 @@ -3190,11 +3195,6 @@ struct tty_struct *get_current_tty(void)
28080 EXPORT_SYMBOL_GPL(get_current_tty);
28082 -void tty_default_fops(struct file_operations *fops)
28084 - *fops = tty_fops;
28088 * Initialize the console device. This is called *early*, so
28089 * we can't necessarily depend on lots of kernel help here.
28090 diff -urNp linux-2.6.37/drivers/tty/tty_ldisc.c linux-2.6.37/drivers/tty/tty_ldisc.c
28091 --- linux-2.6.37/drivers/tty/tty_ldisc.c 2011-01-04 19:50:19.000000000 -0500
28092 +++ linux-2.6.37/drivers/tty/tty_ldisc.c 2011-01-17 02:41:01.000000000 -0500
28093 @@ -76,7 +76,7 @@ static void put_ldisc(struct tty_ldisc *
28094 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
28095 struct tty_ldisc_ops *ldo = ld->ops;
28098 + atomic_dec(&ldo->refcount);
28099 module_put(ldo->owner);
28100 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
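Review bot: `refcount` becomes an `atomic_t` while the updates visible in this file (`put_ldisc`, `tty_register_ldisc`, `tty_unregister_ldisc`, `put_ldops`) still run under `tty_ldisc_lock`, so a reader cannot tell which of the two provides the synchronization. If the conversion is meant to bring the counter under the patch's reference-count overflow checking rather than to make it lock-free (my reading, not stated in the hunk), say so at the field declaration, e.g. `/* atomic_t for overflow detection; updates remain serialized by tty_ldisc_lock */`. The same comment covers the `atomic_set`, `atomic_read`, `atomic_inc` and `atomic_dec` conversions in the other hunks of this file and in `n_tty_inherit_ops`.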
28102 @@ -111,7 +111,7 @@ int tty_register_ldisc(int disc, struct
28103 spin_lock_irqsave(&tty_ldisc_lock, flags);
28104 tty_ldiscs[disc] = new_ldisc;
28105 new_ldisc->num = disc;
28106 - new_ldisc->refcount = 0;
28107 + atomic_set(&new_ldisc->refcount, 0);
28108 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28111 @@ -139,7 +139,7 @@ int tty_unregister_ldisc(int disc)
28114 spin_lock_irqsave(&tty_ldisc_lock, flags);
28115 - if (tty_ldiscs[disc]->refcount)
28116 + if (atomic_read(&tty_ldiscs[disc]->refcount))
28119 tty_ldiscs[disc] = NULL;
28120 @@ -160,7 +160,7 @@ static struct tty_ldisc_ops *get_ldops(i
28122 ret = ERR_PTR(-EAGAIN);
28123 if (try_module_get(ldops->owner)) {
28124 - ldops->refcount++;
28125 + atomic_inc(&ldops->refcount);
28129 @@ -173,7 +173,7 @@ static void put_ldops(struct tty_ldisc_o
28130 unsigned long flags;
28132 spin_lock_irqsave(&tty_ldisc_lock, flags);
28133 - ldops->refcount--;
28134 + atomic_dec(&ldops->refcount);
28135 module_put(ldops->owner);
28136 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28138 diff -urNp linux-2.6.37/drivers/tty/vt/keyboard.c linux-2.6.37/drivers/tty/vt/keyboard.c
28139 --- linux-2.6.37/drivers/tty/vt/keyboard.c 2011-01-04 19:50:19.000000000 -0500
28140 +++ linux-2.6.37/drivers/tty/vt/keyboard.c 2011-01-17 02:41:01.000000000 -0500
28141 @@ -657,6 +657,16 @@ static void k_spec(struct vc_data *vc, u
28142 kbd->kbdmode == VC_MEDIUMRAW) &&
28143 value != KVAL(K_SAK))
28144 return; /* SAK is allowed even in raw mode */
28146 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
28148 + void *func = fn_handler[value];
28149 + if (func == fn_show_state || func == fn_show_ptregs ||
28150 + func == fn_show_mem)
28155 fn_handler[value](vc);
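Review bot: The added block does not say why `fn_show_state`, `fn_show_ptregs` and `fn_show_mem` are singled out, and it compares function pointers through a `void *`. A comment such as `/* these handlers dump task, register and memory state to the console; suppress them when /proc restrictions are enabled */` would record the intent; that is my reading of the config guards, since the statement under the `if` is not visible here. Declaring `func` with the element type of `fn_handler` instead of `void *` keeps the comparison between like-typed function pointers. k_spec's body starts and ends outside the hunk.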
28158 @@ -1413,7 +1423,7 @@ static const struct input_device_id kbd_
28159 .evbit = { BIT_MASK(EV_SND) },
28162 - { }, /* Terminating entry */
28163 + { 0 }, /* Terminating entry */
28166 MODULE_DEVICE_TABLE(input, kbd_ids);
28167 diff -urNp linux-2.6.37/drivers/tty/vt/vt_ioctl.c linux-2.6.37/drivers/tty/vt/vt_ioctl.c
28168 --- linux-2.6.37/drivers/tty/vt/vt_ioctl.c 2011-01-04 19:50:19.000000000 -0500
28169 +++ linux-2.6.37/drivers/tty/vt/vt_ioctl.c 2011-01-17 02:41:01.000000000 -0500
28170 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28171 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
28174 - if (!capable(CAP_SYS_TTY_CONFIG))
28179 key_map = key_maps[s];
28180 @@ -224,6 +221,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28181 val = (i ? K_HOLE : K_NOSUCHMAP);
28182 return put_user(val, &user_kbe->kb_value);
28184 + if (!capable(CAP_SYS_TTY_CONFIG))
28189 if (!i && v == K_NOSUCHMAP) {
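Review bot: Moving the `capable(CAP_SYS_TTY_CONFIG)` test from the top of `do_kdsk_ioctl` to after the `put_user()` return means the privilege decision is no longer made once for every command; each path that modifies the keymap now depends on this single call site. The case labels are outside the hunk, so I cannot confirm that no modifying path is reached before the moved check. A comment would make the invariant explicit, e.g. `/* read path returned above; everything below modifies the keymap and needs CAP_SYS_TTY_CONFIG */`. The same relocation is made in `do_kdgkb_ioctl` in the following hunks.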
28190 @@ -325,9 +325,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28194 - if (!capable(CAP_SYS_TTY_CONFIG))
28197 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
28200 @@ -361,6 +358,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28202 return ((p && *p) ? -EOVERFLOW : 0);
28204 + if (!capable(CAP_SYS_TTY_CONFIG))
28210 diff -urNp linux-2.6.37/drivers/uio/uio.c linux-2.6.37/drivers/uio/uio.c
28211 --- linux-2.6.37/drivers/uio/uio.c 2011-01-04 19:50:19.000000000 -0500
28212 +++ linux-2.6.37/drivers/uio/uio.c 2011-01-24 18:04:18.000000000 -0500
28214 #include <linux/kobject.h>
28215 #include <linux/cdev.h>
28216 #include <linux/uio_driver.h>
28217 +#include <asm/local.h>
28219 #define UIO_MAX_DEVICES (1U << MINORBITS)
28221 @@ -35,7 +36,7 @@ struct uio_device {
28223 struct fasync_struct *async_queue;
28224 wait_queue_head_t wait;
28226 + local_t vma_count;
28227 struct uio_info *info;
28228 struct kobject *map_dir;
28229 struct kobject *portio_dir;
28230 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
28231 static void uio_vma_open(struct vm_area_struct *vma)
28233 struct uio_device *idev = vma->vm_private_data;
28234 - idev->vma_count++;
28235 + local_inc(&idev->vma_count);
28238 static void uio_vma_close(struct vm_area_struct *vma)
28240 struct uio_device *idev = vma->vm_private_data;
28241 - idev->vma_count--;
28242 + local_dec(&idev->vma_count);
28245 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
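Review bot: `local_t` operations are atomic only with respect to the CPU they run on, while `uio_vma_open` and `uio_vma_close` update a per-device counter that can presumably be reached from any CPU. If the goal is an overflow-checked counter, `atomic_t` with `atomic_inc(&idev->vma_count)` and `atomic_dec(&idev->vma_count)` provides that together with SMP-safe updates. If `local_t` is deliberate, a comment at the field should state what serializes the two callbacks. The plain `int` it replaces had the same exposure, so this is not a regression.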
28246 diff -urNp linux-2.6.37/drivers/usb/atm/cxacru.c linux-2.6.37/drivers/usb/atm/cxacru.c
28247 --- linux-2.6.37/drivers/usb/atm/cxacru.c 2011-01-04 19:50:19.000000000 -0500
28248 +++ linux-2.6.37/drivers/usb/atm/cxacru.c 2011-01-17 02:41:01.000000000 -0500
28249 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
28250 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
28253 - if (index < 0 || index > 0x7f)
28254 + if (index > 0x7f)
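Review bot: Dropping `index < 0` is only correct if `index` is an unsigned type; its declaration is outside the hunk, and `sscanf` fills it through `%x`. If it is a signed `int`, a parsed value above `INT_MAX` becomes negative and now passes the range check, so the declaration should be confirmed as (or changed to) `u32` in the same patch. The same assumption underlies the removed `cmap->start < 0` in fbcmap.c and `con2fb.framebuffer < 0` in fbmem.c.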
28258 diff -urNp linux-2.6.37/drivers/usb/atm/usbatm.c linux-2.6.37/drivers/usb/atm/usbatm.c
28259 --- linux-2.6.37/drivers/usb/atm/usbatm.c 2011-01-04 19:50:19.000000000 -0500
28260 +++ linux-2.6.37/drivers/usb/atm/usbatm.c 2011-01-17 02:41:01.000000000 -0500
28261 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
28262 if (printk_ratelimit())
28263 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
28264 __func__, vpi, vci);
28265 - atomic_inc(&vcc->stats->rx_err);
28266 + atomic_inc_unchecked(&vcc->stats->rx_err);
28270 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
28271 if (length > ATM_MAX_AAL5_PDU) {
28272 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
28273 __func__, length, vcc);
28274 - atomic_inc(&vcc->stats->rx_err);
28275 + atomic_inc_unchecked(&vcc->stats->rx_err);
28279 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
28280 if (sarb->len < pdu_length) {
28281 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
28282 __func__, pdu_length, sarb->len, vcc);
28283 - atomic_inc(&vcc->stats->rx_err);
28284 + atomic_inc_unchecked(&vcc->stats->rx_err);
28288 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
28289 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
28291 - atomic_inc(&vcc->stats->rx_err);
28292 + atomic_inc_unchecked(&vcc->stats->rx_err);
28296 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
28297 if (printk_ratelimit())
28298 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
28300 - atomic_inc(&vcc->stats->rx_drop);
28301 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28305 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
28307 vcc->push(vcc, skb);
28309 - atomic_inc(&vcc->stats->rx);
28310 + atomic_inc_unchecked(&vcc->stats->rx);
28314 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
28315 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
28317 usbatm_pop(vcc, skb);
28318 - atomic_inc(&vcc->stats->tx);
28319 + atomic_inc_unchecked(&vcc->stats->tx);
28321 skb = skb_dequeue(&instance->sndqueue);
28323 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
28325 return sprintf(page,
28326 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
28327 - atomic_read(&atm_dev->stats.aal5.tx),
28328 - atomic_read(&atm_dev->stats.aal5.tx_err),
28329 - atomic_read(&atm_dev->stats.aal5.rx),
28330 - atomic_read(&atm_dev->stats.aal5.rx_err),
28331 - atomic_read(&atm_dev->stats.aal5.rx_drop));
28332 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
28333 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
28334 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
28335 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
28336 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
28339 if (instance->disconnected)
28340 diff -urNp linux-2.6.37/drivers/usb/class/cdc-acm.c linux-2.6.37/drivers/usb/class/cdc-acm.c
28341 --- linux-2.6.37/drivers/usb/class/cdc-acm.c 2011-01-04 19:50:19.000000000 -0500
28342 +++ linux-2.6.37/drivers/usb/class/cdc-acm.c 2011-01-17 02:41:01.000000000 -0500
28343 @@ -1634,7 +1634,7 @@ static const struct usb_device_id acm_id
28344 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
28345 USB_CDC_ACM_PROTO_AT_CDMA) },
28348 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
28351 MODULE_DEVICE_TABLE(usb, acm_ids);
28352 diff -urNp linux-2.6.37/drivers/usb/class/cdc-wdm.c linux-2.6.37/drivers/usb/class/cdc-wdm.c
28353 --- linux-2.6.37/drivers/usb/class/cdc-wdm.c 2011-01-04 19:50:19.000000000 -0500
28354 +++ linux-2.6.37/drivers/usb/class/cdc-wdm.c 2011-01-17 02:41:01.000000000 -0500
28355 @@ -342,7 +342,7 @@ static ssize_t wdm_write
28359 - if (!file->f_flags && O_NONBLOCK)
28360 + if (!(file->f_flags & O_NONBLOCK))
28361 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
28364 diff -urNp linux-2.6.37/drivers/usb/class/usblp.c linux-2.6.37/drivers/usb/class/usblp.c
28365 --- linux-2.6.37/drivers/usb/class/usblp.c 2011-01-04 19:50:19.000000000 -0500
28366 +++ linux-2.6.37/drivers/usb/class/usblp.c 2011-01-17 02:41:01.000000000 -0500
28367 @@ -227,7 +227,7 @@ static const struct quirk_printer_struct
28368 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
28369 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
28370 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
28375 static int usblp_wwait(struct usblp *usblp, int nonblock);
28376 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
28377 { USB_INTERFACE_INFO(7, 1, 2) },
28378 { USB_INTERFACE_INFO(7, 1, 3) },
28379 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
28380 - { } /* Terminating entry */
28381 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28384 MODULE_DEVICE_TABLE(usb, usblp_ids);
28385 diff -urNp linux-2.6.37/drivers/usb/core/hcd.c linux-2.6.37/drivers/usb/core/hcd.c
28386 --- linux-2.6.37/drivers/usb/core/hcd.c 2011-01-04 19:50:19.000000000 -0500
28387 +++ linux-2.6.37/drivers/usb/core/hcd.c 2011-01-17 02:41:01.000000000 -0500
28388 @@ -2431,7 +2431,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
28390 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
28392 -struct usb_mon_operations *mon_ops;
28393 +const struct usb_mon_operations *mon_ops;
28396 * The registration is unlocked.
28397 @@ -2441,7 +2441,7 @@ struct usb_mon_operations *mon_ops;
28398 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
28401 -int usb_mon_register (struct usb_mon_operations *ops)
28402 +int usb_mon_register (const struct usb_mon_operations *ops)
28406 diff -urNp linux-2.6.37/drivers/usb/core/hub.c linux-2.6.37/drivers/usb/core/hub.c
28407 --- linux-2.6.37/drivers/usb/core/hub.c 2011-01-04 19:50:19.000000000 -0500
28408 +++ linux-2.6.37/drivers/usb/core/hub.c 2011-01-17 02:41:01.000000000 -0500
28409 @@ -3461,7 +3461,7 @@ static const struct usb_device_id hub_id
28410 .bDeviceClass = USB_CLASS_HUB},
28411 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
28412 .bInterfaceClass = USB_CLASS_HUB},
28413 - { } /* Terminating entry */
28414 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28417 MODULE_DEVICE_TABLE (usb, hub_id_table);
28418 diff -urNp linux-2.6.37/drivers/usb/core/message.c linux-2.6.37/drivers/usb/core/message.c
28419 --- linux-2.6.37/drivers/usb/core/message.c 2011-01-04 19:50:19.000000000 -0500
28420 +++ linux-2.6.37/drivers/usb/core/message.c 2011-01-17 02:41:01.000000000 -0500
28421 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
28422 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
28424 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
28426 - smallbuf = kmalloc(++len, GFP_NOIO);
28428 + smallbuf = kmalloc(len, GFP_NOIO);
28431 memcpy(smallbuf, buf, len);
28432 diff -urNp linux-2.6.37/drivers/usb/early/ehci-dbgp.c linux-2.6.37/drivers/usb/early/ehci-dbgp.c
28433 --- linux-2.6.37/drivers/usb/early/ehci-dbgp.c 2011-01-04 19:50:19.000000000 -0500
28434 +++ linux-2.6.37/drivers/usb/early/ehci-dbgp.c 2011-01-17 02:41:01.000000000 -0500
28435 @@ -96,6 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
28439 +/* cannot be const, see kgdbdbgp_parse_config */
28440 static struct kgdb_io kgdbdbgp_io_ops;
28441 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
28443 @@ -1026,6 +1027,7 @@ static void kgdbdbgp_write_char(u8 chr)
28444 early_dbgp_write(NULL, &chr, 1);
28447 +/* cannot be const, see kgdbdbgp_parse_config() */
28448 static struct kgdb_io kgdbdbgp_io_ops = {
28449 .name = "kgdbdbgp",
28450 .read_char = kgdbdbgp_read_char,
28451 diff -urNp linux-2.6.37/drivers/usb/host/ehci-pci.c linux-2.6.37/drivers/usb/host/ehci-pci.c
28452 --- linux-2.6.37/drivers/usb/host/ehci-pci.c 2011-01-04 19:50:19.000000000 -0500
28453 +++ linux-2.6.37/drivers/usb/host/ehci-pci.c 2011-01-17 02:41:01.000000000 -0500
28454 @@ -470,7 +470,7 @@ static const struct pci_device_id pci_id
28455 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28456 .driver_data = (unsigned long) &ehci_pci_hc_driver,
28458 - { /* end: all zeroes */ }
28459 + { 0, 0, 0, 0, 0, 0, 0 }
28461 MODULE_DEVICE_TABLE(pci, pci_ids);
28463 diff -urNp linux-2.6.37/drivers/usb/host/uhci-hcd.c linux-2.6.37/drivers/usb/host/uhci-hcd.c
28464 --- linux-2.6.37/drivers/usb/host/uhci-hcd.c 2011-01-04 19:50:19.000000000 -0500
28465 +++ linux-2.6.37/drivers/usb/host/uhci-hcd.c 2011-01-17 02:41:01.000000000 -0500
28466 @@ -948,7 +948,7 @@ static const struct pci_device_id uhci_p
28467 /* handle any USB UHCI controller */
28468 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28469 .driver_data = (unsigned long) &uhci_driver,
28470 - }, { /* end: all zeroes */ }
28471 + }, { 0, 0, 0, 0, 0, 0, 0 }
28474 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
28475 diff -urNp linux-2.6.37/drivers/usb/mon/mon_main.c linux-2.6.37/drivers/usb/mon/mon_main.c
28476 --- linux-2.6.37/drivers/usb/mon/mon_main.c 2011-01-04 19:50:19.000000000 -0500
28477 +++ linux-2.6.37/drivers/usb/mon/mon_main.c 2011-01-17 02:41:01.000000000 -0500
28478 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
28482 -static struct usb_mon_operations mon_ops_0 = {
28483 +static const struct usb_mon_operations mon_ops_0 = {
28484 .urb_submit = mon_submit,
28485 .urb_submit_error = mon_submit_error,
28486 .urb_complete = mon_complete,
28487 diff -urNp linux-2.6.37/drivers/usb/storage/debug.h linux-2.6.37/drivers/usb/storage/debug.h
28488 --- linux-2.6.37/drivers/usb/storage/debug.h 2011-01-04 19:50:19.000000000 -0500
28489 +++ linux-2.6.37/drivers/usb/storage/debug.h 2011-01-17 02:41:01.000000000 -0500
28490 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28491 #define US_DEBUGPX(x...) printk( x )
28492 #define US_DEBUG(x) x
28494 -#define US_DEBUGP(x...)
28495 -#define US_DEBUGPX(x...)
28496 -#define US_DEBUG(x)
28497 +#define US_DEBUGP(x...) do {} while (0)
28498 +#define US_DEBUGPX(x...) do {} while (0)
28499 +#define US_DEBUG(x) do {} while (0)
28503 diff -urNp linux-2.6.37/drivers/usb/storage/usb.c linux-2.6.37/drivers/usb/storage/usb.c
28504 --- linux-2.6.37/drivers/usb/storage/usb.c 2011-01-04 19:50:19.000000000 -0500
28505 +++ linux-2.6.37/drivers/usb/storage/usb.c 2011-01-17 02:41:01.000000000 -0500
28506 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
28508 static struct us_unusual_dev us_unusual_dev_list[] = {
28509 # include "unusual_devs.h"
28510 - { } /* Terminating entry */
28511 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28515 diff -urNp linux-2.6.37/drivers/usb/storage/usual-tables.c linux-2.6.37/drivers/usb/storage/usual-tables.c
28516 --- linux-2.6.37/drivers/usb/storage/usual-tables.c 2011-01-04 19:50:19.000000000 -0500
28517 +++ linux-2.6.37/drivers/usb/storage/usual-tables.c 2011-01-17 02:41:01.000000000 -0500
28520 struct usb_device_id usb_storage_usb_ids[] = {
28521 # include "unusual_devs.h"
28522 - { } /* Terminating entry */
28523 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28525 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28527 diff -urNp linux-2.6.37/drivers/vhost/vhost.c linux-2.6.37/drivers/vhost/vhost.c
28528 --- linux-2.6.37/drivers/vhost/vhost.c 2011-01-04 19:50:19.000000000 -0500
28529 +++ linux-2.6.37/drivers/vhost/vhost.c 2011-01-17 02:41:01.000000000 -0500
28530 @@ -560,7 +560,7 @@ static int init_used(struct vhost_virtqu
28531 return get_user(vq->last_used_idx, &used->idx);
28534 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28535 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28537 struct file *eventfp, *filep = NULL,
28538 *pollstart = NULL, *pollstop = NULL;
28539 diff -urNp linux-2.6.37/drivers/video/atmel_lcdfb.c linux-2.6.37/drivers/video/atmel_lcdfb.c
28540 --- linux-2.6.37/drivers/video/atmel_lcdfb.c 2011-01-04 19:50:19.000000000 -0500
28541 +++ linux-2.6.37/drivers/video/atmel_lcdfb.c 2011-01-17 02:41:01.000000000 -0500
28542 @@ -111,7 +111,7 @@ static int atmel_bl_get_brightness(struc
28543 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
28546 -static struct backlight_ops atmel_lcdc_bl_ops = {
28547 +static const struct backlight_ops atmel_lcdc_bl_ops = {
28548 .update_status = atmel_bl_update_status,
28549 .get_brightness = atmel_bl_get_brightness,
28551 diff -urNp linux-2.6.37/drivers/video/aty/aty128fb.c linux-2.6.37/drivers/video/aty/aty128fb.c
28552 --- linux-2.6.37/drivers/video/aty/aty128fb.c 2011-01-04 19:50:19.000000000 -0500
28553 +++ linux-2.6.37/drivers/video/aty/aty128fb.c 2011-01-17 02:41:01.000000000 -0500
28554 @@ -1786,7 +1786,7 @@ static int aty128_bl_get_brightness(stru
28555 return bd->props.brightness;
28558 -static struct backlight_ops aty128_bl_data = {
28559 +static const struct backlight_ops aty128_bl_data = {
28560 .get_brightness = aty128_bl_get_brightness,
28561 .update_status = aty128_bl_update_status,
28563 diff -urNp linux-2.6.37/drivers/video/aty/atyfb_base.c linux-2.6.37/drivers/video/aty/atyfb_base.c
28564 --- linux-2.6.37/drivers/video/aty/atyfb_base.c 2011-01-04 19:50:19.000000000 -0500
28565 +++ linux-2.6.37/drivers/video/aty/atyfb_base.c 2011-01-17 02:41:01.000000000 -0500
28566 @@ -2221,7 +2221,7 @@ static int aty_bl_get_brightness(struct
28567 return bd->props.brightness;
28570 -static struct backlight_ops aty_bl_data = {
28571 +static const struct backlight_ops aty_bl_data = {
28572 .get_brightness = aty_bl_get_brightness,
28573 .update_status = aty_bl_update_status,
28575 diff -urNp linux-2.6.37/drivers/video/aty/radeon_backlight.c linux-2.6.37/drivers/video/aty/radeon_backlight.c
28576 --- linux-2.6.37/drivers/video/aty/radeon_backlight.c 2011-01-04 19:50:19.000000000 -0500
28577 +++ linux-2.6.37/drivers/video/aty/radeon_backlight.c 2011-01-17 02:41:01.000000000 -0500
28578 @@ -128,7 +128,7 @@ static int radeon_bl_get_brightness(stru
28579 return bd->props.brightness;
28582 -static struct backlight_ops radeon_bl_data = {
28583 +static const struct backlight_ops radeon_bl_data = {
28584 .get_brightness = radeon_bl_get_brightness,
28585 .update_status = radeon_bl_update_status,
28587 diff -urNp linux-2.6.37/drivers/video/backlight/88pm860x_bl.c linux-2.6.37/drivers/video/backlight/88pm860x_bl.c
28588 --- linux-2.6.37/drivers/video/backlight/88pm860x_bl.c 2011-01-04 19:50:19.000000000 -0500
28589 +++ linux-2.6.37/drivers/video/backlight/88pm860x_bl.c 2011-01-17 02:41:01.000000000 -0500
28590 @@ -155,7 +155,7 @@ out:
28594 -static struct backlight_ops pm860x_backlight_ops = {
28595 +static const struct backlight_ops pm860x_backlight_ops = {
28596 .options = BL_CORE_SUSPENDRESUME,
28597 .update_status = pm860x_backlight_update_status,
28598 .get_brightness = pm860x_backlight_get_brightness,
28599 diff -urNp linux-2.6.37/drivers/video/backlight/max8925_bl.c linux-2.6.37/drivers/video/backlight/max8925_bl.c
28600 --- linux-2.6.37/drivers/video/backlight/max8925_bl.c 2011-01-04 19:50:19.000000000 -0500
28601 +++ linux-2.6.37/drivers/video/backlight/max8925_bl.c 2011-01-17 02:41:01.000000000 -0500
28602 @@ -92,7 +92,7 @@ static int max8925_backlight_get_brightn
28606 -static struct backlight_ops max8925_backlight_ops = {
28607 +static const struct backlight_ops max8925_backlight_ops = {
28608 .options = BL_CORE_SUSPENDRESUME,
28609 .update_status = max8925_backlight_update_status,
28610 .get_brightness = max8925_backlight_get_brightness,
28611 diff -urNp linux-2.6.37/drivers/video/fbcmap.c linux-2.6.37/drivers/video/fbcmap.c
28612 --- linux-2.6.37/drivers/video/fbcmap.c 2011-01-04 19:50:19.000000000 -0500
28613 +++ linux-2.6.37/drivers/video/fbcmap.c 2011-01-17 02:41:01.000000000 -0500
28614 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28618 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28619 - !info->fbops->fb_setcmap)) {
28620 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
28624 diff -urNp linux-2.6.37/drivers/video/fbmem.c linux-2.6.37/drivers/video/fbmem.c
28625 --- linux-2.6.37/drivers/video/fbmem.c 2011-01-04 19:50:19.000000000 -0500
28626 +++ linux-2.6.37/drivers/video/fbmem.c 2011-01-17 02:41:01.000000000 -0500
28627 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28628 image->dx += image->width + 8;
28630 } else if (rotate == FB_ROTATE_UD) {
28631 - for (x = 0; x < num && image->dx >= 0; x++) {
28632 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28633 info->fbops->fb_imageblit(info, image);
28634 image->dx -= image->width + 8;
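Review bot: The `(__s32)` cast turns a comparison that was presumably always true into a real wrap check, which is a behaviour change rather than a warning fix, and nothing at the loop says so. I would add a comment such as `/* dx is unsigned: stop once the subtraction below wraps past zero */`. The field's type is declared outside the hunk, so confirm it is `__u32`. The `image->dy` loop in the next hunk needs the same comment.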
28636 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28637 image->dy += image->height + 8;
28639 } else if (rotate == FB_ROTATE_CCW) {
28640 - for (x = 0; x < num && image->dy >= 0; x++) {
28641 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28642 info->fbops->fb_imageblit(info, image);
28643 image->dy -= image->height + 8;
28645 @@ -1101,7 +1101,7 @@ static long do_fb_ioctl(struct fb_info *
28647 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28649 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28650 + if (con2fb.framebuffer >= FB_MAX)
28652 if (!registered_fb[con2fb.framebuffer])
28653 request_module("fb%d", con2fb.framebuffer);
28654 diff -urNp linux-2.6.37/drivers/video/fbmon.c linux-2.6.37/drivers/video/fbmon.c
28655 --- linux-2.6.37/drivers/video/fbmon.c 2011-01-04 19:50:19.000000000 -0500
28656 +++ linux-2.6.37/drivers/video/fbmon.c 2011-01-17 02:41:01.000000000 -0500
28659 #define DPRINTK(fmt, args...) printk(fmt,## args)
28661 -#define DPRINTK(fmt, args...)
28662 +#define DPRINTK(fmt, args...) do {} while (0)
28665 #define FBMON_FIX_HEADER 1
28666 diff -urNp linux-2.6.37/drivers/video/i810/i810_accel.c linux-2.6.37/drivers/video/i810/i810_accel.c
28667 --- linux-2.6.37/drivers/video/i810/i810_accel.c 2011-01-04 19:50:19.000000000 -0500
28668 +++ linux-2.6.37/drivers/video/i810/i810_accel.c 2011-01-17 02:41:01.000000000 -0500
28669 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
28672 printk("ringbuffer lockup!!!\n");
28673 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28674 i810_report_error(mmio);
28675 par->dev_flags |= LOCKUP;
28676 info->pixmap.scan_align = 1;
28677 diff -urNp linux-2.6.37/drivers/video/i810/i810_main.c linux-2.6.37/drivers/video/i810/i810_main.c
28678 --- linux-2.6.37/drivers/video/i810/i810_main.c 2011-01-04 19:50:19.000000000 -0500
28679 +++ linux-2.6.37/drivers/video/i810/i810_main.c 2011-01-17 02:41:01.000000000 -0500
28680 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28681 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28682 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28683 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28685 + { 0, 0, 0, 0, 0, 0, 0 },
28688 static struct pci_driver i810fb_driver = {
28689 diff -urNp linux-2.6.37/drivers/video/modedb.c linux-2.6.37/drivers/video/modedb.c
28690 --- linux-2.6.37/drivers/video/modedb.c 2011-01-04 19:50:19.000000000 -0500
28691 +++ linux-2.6.37/drivers/video/modedb.c 2011-01-17 02:41:01.000000000 -0500
28692 @@ -40,240 +40,240 @@ static const struct fb_videomode modedb[
28694 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28695 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
28696 - 0, FB_VMODE_NONINTERLACED
28697 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28699 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28700 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
28701 - 0, FB_VMODE_NONINTERLACED
28702 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28704 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28705 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
28706 - 0, FB_VMODE_NONINTERLACED
28707 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28709 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28710 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
28711 - 0, FB_VMODE_INTERLACED
28712 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28714 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28715 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28716 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28717 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28719 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28720 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
28721 - 0, FB_VMODE_NONINTERLACED
28722 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28724 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28725 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
28726 - 0, FB_VMODE_NONINTERLACED
28727 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28729 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28730 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28731 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28732 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28734 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28735 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
28736 - 0, FB_VMODE_NONINTERLACED
28737 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28739 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28740 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
28741 - 0, FB_VMODE_INTERLACED
28742 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28744 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28745 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28746 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28747 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28749 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28750 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
28751 - 0, FB_VMODE_NONINTERLACED
28752 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28754 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28755 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
28756 - 0, FB_VMODE_NONINTERLACED
28757 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28759 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28760 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
28761 - 0, FB_VMODE_NONINTERLACED
28762 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28764 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28765 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
28766 - 0, FB_VMODE_NONINTERLACED
28767 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28769 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28770 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
28771 - 0, FB_VMODE_NONINTERLACED
28772 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28774 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28775 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
28776 - 0, FB_VMODE_INTERLACED
28777 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28779 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28780 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
28781 - 0, FB_VMODE_NONINTERLACED
28782 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28784 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28785 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
28786 - 0, FB_VMODE_NONINTERLACED
28787 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28789 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28790 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
28791 - 0, FB_VMODE_NONINTERLACED
28792 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28794 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28795 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
28796 - 0, FB_VMODE_NONINTERLACED
28797 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28799 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28800 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
28801 - 0, FB_VMODE_NONINTERLACED
28802 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28804 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28805 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28806 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28807 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28809 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28810 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28811 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28812 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28814 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28815 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
28816 - 0, FB_VMODE_NONINTERLACED
28817 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28819 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28820 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
28821 - 0, FB_VMODE_NONINTERLACED
28822 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28824 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28825 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
28826 - 0, FB_VMODE_NONINTERLACED
28827 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28829 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
28830 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
28831 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28832 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28834 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
28835 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
28836 - 0, FB_VMODE_NONINTERLACED
28837 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28839 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
28840 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
28841 - 0, FB_VMODE_NONINTERLACED
28842 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28844 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
28845 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
28846 - 0, FB_VMODE_NONINTERLACED
28847 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28849 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
28850 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
28851 - 0, FB_VMODE_NONINTERLACED
28852 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28854 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
28855 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
28856 - 0, FB_VMODE_NONINTERLACED
28857 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28859 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
28860 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
28861 - 0, FB_VMODE_NONINTERLACED
28862 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28864 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
28865 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
28866 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28867 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28869 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
28870 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
28871 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28872 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28874 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
28875 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
28876 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28877 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28879 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
28880 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
28881 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28882 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28884 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
28885 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
28886 - 0, FB_VMODE_NONINTERLACED
28887 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28889 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
28890 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
28891 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28892 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28894 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
28895 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
28896 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28897 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28899 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
28900 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
28901 - 0, FB_VMODE_NONINTERLACED
28902 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28904 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
28905 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
28906 - 0, FB_VMODE_NONINTERLACED
28907 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28909 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
28910 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
28911 - 0, FB_VMODE_DOUBLE
28912 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28914 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
28915 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
28916 - 0, FB_VMODE_DOUBLE
28917 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28919 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
28920 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
28921 - 0, FB_VMODE_DOUBLE
28922 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28924 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
28925 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
28926 - 0, FB_VMODE_DOUBLE
28927 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28929 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
28930 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
28931 - 0, FB_VMODE_DOUBLE
28932 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28934 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
28935 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
28936 - 0, FB_VMODE_DOUBLE
28937 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28939 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
28940 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
28941 - 0, FB_VMODE_DOUBLE
28942 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28944 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
28945 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
28946 - 0, FB_VMODE_DOUBLE
28947 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28949 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
28950 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
28951 - 0, FB_VMODE_DOUBLE
28952 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28954 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
28955 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
28956 - 0, FB_VMODE_DOUBLE
28957 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28959 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
28960 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
28961 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28962 - FB_VMODE_NONINTERLACED
28963 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28965 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
28966 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
28967 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28968 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28970 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
28971 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
28972 - 0, FB_VMODE_NONINTERLACED
28973 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28975 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
28976 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
28977 - 0, FB_VMODE_NONINTERLACED
28978 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28980 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28981 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
28982 - 0, FB_VMODE_INTERLACED
28983 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28985 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28986 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
28987 - 0, FB_VMODE_INTERLACED
28988 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28992 diff -urNp linux-2.6.37/drivers/video/nvidia/nv_backlight.c linux-2.6.37/drivers/video/nvidia/nv_backlight.c
28993 --- linux-2.6.37/drivers/video/nvidia/nv_backlight.c 2011-01-04 19:50:19.000000000 -0500
28994 +++ linux-2.6.37/drivers/video/nvidia/nv_backlight.c 2011-01-17 02:41:01.000000000 -0500
28995 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
28996 return bd->props.brightness;
28999 -static struct backlight_ops nvidia_bl_ops = {
29000 +static const struct backlight_ops nvidia_bl_ops = {
29001 .get_brightness = nvidia_bl_get_brightness,
29002 .update_status = nvidia_bl_update_status,
29004 diff -urNp linux-2.6.37/drivers/video/omap2/displays/panel-taal.c linux-2.6.37/drivers/video/omap2/displays/panel-taal.c
29005 --- linux-2.6.37/drivers/video/omap2/displays/panel-taal.c 2011-01-04 19:50:19.000000000 -0500
29006 +++ linux-2.6.37/drivers/video/omap2/displays/panel-taal.c 2011-01-17 02:41:01.000000000 -0500
29007 @@ -465,7 +465,7 @@ static int taal_bl_get_intensity(struct
29011 -static struct backlight_ops taal_bl_ops = {
29012 +static const struct backlight_ops taal_bl_ops = {
29013 .get_brightness = taal_bl_get_intensity,
29014 .update_status = taal_bl_update_status,
29016 diff -urNp linux-2.6.37/drivers/video/riva/fbdev.c linux-2.6.37/drivers/video/riva/fbdev.c
29017 --- linux-2.6.37/drivers/video/riva/fbdev.c 2011-01-04 19:50:19.000000000 -0500
29018 +++ linux-2.6.37/drivers/video/riva/fbdev.c 2011-01-17 02:41:01.000000000 -0500
29019 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
29020 return bd->props.brightness;
29023 -static struct backlight_ops riva_bl_ops = {
29024 +static const struct backlight_ops riva_bl_ops = {
29025 .get_brightness = riva_bl_get_brightness,
29026 .update_status = riva_bl_update_status,
29028 diff -urNp linux-2.6.37/drivers/video/uvesafb.c linux-2.6.37/drivers/video/uvesafb.c
29029 --- linux-2.6.37/drivers/video/uvesafb.c 2011-01-04 19:50:19.000000000 -0500
29030 +++ linux-2.6.37/drivers/video/uvesafb.c 2011-01-17 02:41:01.000000000 -0500
29032 #include <linux/io.h>
29033 #include <linux/mutex.h>
29034 #include <linux/slab.h>
29035 +#include <linux/moduleloader.h>
29036 #include <video/edid.h>
29037 #include <video/uvesafb.h>
29039 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
29043 - return call_usermodehelper(v86d_path, argv, envp, 1);
29044 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
29048 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
29049 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
29050 par->pmi_setpal = par->ypan = 0;
29053 +#ifdef CONFIG_PAX_KERNEXEC
29054 +#ifdef CONFIG_MODULES
29055 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
29057 + if (!par->pmi_code) {
29058 + par->pmi_setpal = par->ypan = 0;
29063 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
29064 + task->t.regs.edi);
29066 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29067 + pax_open_kernel();
29068 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
29069 + pax_close_kernel();
29071 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
29072 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
29074 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
29075 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
29078 printk(KERN_INFO "uvesafb: protected mode interface info at "
29080 (u16)task->t.regs.es, (u16)task->t.regs.edi);
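Review bot: `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared against the `(u16)task->t.regs.ecx` length that sizes both the executable allocation and the `memcpy`, so an offset at or past that length leaves `pmi_start`/`pmi_pal` pointing outside the copied buffer. The length and the table contents both arrive through `task->t.regs` (presumably filled in by the helper from firmware data), so I would reject them before computing the pointers, e.g. `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)`, then take the existing `par->pmi_setpal = par->ypan = 0` fallback and release `pmi_code`. The same unchecked offsets appear in the vesafb_probe hunk, where `pmi_code + pmi_base[1]` and `pmi_base[2]` are used after copying `screen_info.vesapm_size` bytes. Several lines of this hunk are not visible here and uvesafb_vbe_getpmi continues outside it, so confirm that no such check already exists.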
29081 @@ -1800,6 +1823,11 @@ out:
29082 if (par->vbe_modes)
29083 kfree(par->vbe_modes);
29085 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29086 + if (par->pmi_code)
29087 + module_free_exec(NULL, par->pmi_code);
29090 framebuffer_release(info);
29093 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
29094 kfree(par->vbe_state_orig);
29095 if (par->vbe_state_saved)
29096 kfree(par->vbe_state_saved);
29098 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29099 + if (par->pmi_code)
29100 + module_free_exec(NULL, par->pmi_code);
29105 framebuffer_release(info);
29106 diff -urNp linux-2.6.37/drivers/video/vesafb.c linux-2.6.37/drivers/video/vesafb.c
29107 --- linux-2.6.37/drivers/video/vesafb.c 2011-01-04 19:50:19.000000000 -0500
29108 +++ linux-2.6.37/drivers/video/vesafb.c 2011-01-17 02:41:01.000000000 -0500
29112 #include <linux/module.h>
29113 +#include <linux/moduleloader.h>
29114 #include <linux/kernel.h>
29115 #include <linux/errno.h>
29116 #include <linux/string.h>
29117 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
29118 static int vram_total __initdata; /* Set total amount of memory */
29119 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
29120 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
29121 -static void (*pmi_start)(void) __read_mostly;
29122 -static void (*pmi_pal) (void) __read_mostly;
29123 +static void (*pmi_start)(void) __read_only;
29124 +static void (*pmi_pal) (void) __read_only;
29125 static int depth __read_mostly;
29126 static int vga_compat __read_mostly;
29127 /* --------------------------------------------------------------------- */
29128 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
29129 unsigned int size_vmode;
29130 unsigned int size_remap;
29131 unsigned int size_total;
29132 + void *pmi_code = NULL;
29134 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
29136 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
29137 size_remap = size_total;
29138 vesafb_fix.smem_len = size_remap;
29141 - screen_info.vesapm_seg = 0;
29144 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
29145 printk(KERN_WARNING
29146 "vesafb: cannot reserve video memory at 0x%lx\n",
29147 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
29148 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
29149 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
29153 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29154 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
29156 +#elif !defined(CONFIG_PAX_KERNEXEC)
29161 + screen_info.vesapm_seg = 0;
29163 if (screen_info.vesapm_seg) {
29164 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
29165 - screen_info.vesapm_seg,screen_info.vesapm_off);
29166 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
29167 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
29170 if (screen_info.vesapm_seg < 0xc000)
29171 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
29173 if (ypan || pmi_setpal) {
29174 unsigned short *pmi_base;
29175 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29176 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
29177 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
29179 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29181 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29182 + pax_open_kernel();
29183 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
29185 + pmi_code = pmi_base;
29188 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
29189 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
29191 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29192 + pmi_start = ktva_ktla(pmi_start);
29193 + pmi_pal = ktva_ktla(pmi_pal);
29194 + pax_close_kernel();
29197 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
29199 printk(KERN_INFO "vesafb: pmi: ports = ");
29200 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
29201 info->node, info->fix.id);
29205 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29206 + module_free_exec(NULL, pmi_code);
29209 if (info->screen_base)
29210 iounmap(info->screen_base);
29211 framebuffer_release(info);
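Review bot: `module_free_exec(NULL, pmi_code)` is called here without the `if (par->pmi_code)` guard that both uvesafb cleanup hunks in this patch put in front of the same call. `pmi_code` is initialised to NULL in vesafb_probe and stays NULL if the executable allocation fails, so this path can pass NULL. module_free_exec is defined outside this view, so whether it tolerates NULL cannot be confirmed from here; for consistency I would write `if (pmi_code) module_free_exec(NULL, pmi_code);`. Also check that the `__i386__` term in this guard matches the condition around the allocation, since not all of its surrounding preprocessor lines are visible and the label this cleanup sits under is outside the hunk.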
29212 diff -urNp linux-2.6.37/fs/9p/vfs_inode.c linux-2.6.37/fs/9p/vfs_inode.c
29213 --- linux-2.6.37/fs/9p/vfs_inode.c 2011-01-04 19:50:19.000000000 -0500
29214 +++ linux-2.6.37/fs/9p/vfs_inode.c 2011-01-17 02:41:01.000000000 -0500
29215 @@ -1598,7 +1598,7 @@ static void *v9fs_vfs_follow_link(struct
29217 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
29219 - char *s = nd_get_link(nd);
29220 + const char *s = nd_get_link(nd);
29222 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
29223 IS_ERR(s) ? "<error>" : s);
29224 diff -urNp linux-2.6.37/fs/aio.c linux-2.6.37/fs/aio.c
29225 --- linux-2.6.37/fs/aio.c 2011-01-04 19:50:19.000000000 -0500
29226 +++ linux-2.6.37/fs/aio.c 2011-01-17 02:41:01.000000000 -0500
29227 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
29228 size += sizeof(struct io_event) * nr_events;
29229 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
29231 - if (nr_pages < 0)
29232 + if (nr_pages <= 0)
29235 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
29236 diff -urNp linux-2.6.37/fs/attr.c linux-2.6.37/fs/attr.c
29237 --- linux-2.6.37/fs/attr.c 2011-01-04 19:50:19.000000000 -0500
29238 +++ linux-2.6.37/fs/attr.c 2011-01-17 02:41:01.000000000 -0500
29239 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
29240 unsigned long limit;
29242 limit = rlimit(RLIMIT_FSIZE);
29243 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
29244 if (limit != RLIM_INFINITY && offset > limit)
29246 if (offset > inode->i_sb->s_maxbytes)
29247 diff -urNp linux-2.6.37/fs/autofs4/symlink.c linux-2.6.37/fs/autofs4/symlink.c
29248 --- linux-2.6.37/fs/autofs4/symlink.c 2011-01-04 19:50:19.000000000 -0500
29249 +++ linux-2.6.37/fs/autofs4/symlink.c 2011-01-17 02:41:01.000000000 -0500
29251 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
29253 struct autofs_info *ino = autofs4_dentry_ino(dentry);
29254 - nd_set_link(nd, (char *)ino->u.symlink);
29255 + nd_set_link(nd, ino->u.symlink);
29259 diff -urNp linux-2.6.37/fs/befs/linuxvfs.c linux-2.6.37/fs/befs/linuxvfs.c
29260 --- linux-2.6.37/fs/befs/linuxvfs.c 2011-01-04 19:50:19.000000000 -0500
29261 +++ linux-2.6.37/fs/befs/linuxvfs.c 2011-01-17 02:41:01.000000000 -0500
29262 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
29264 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
29265 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
29266 - char *link = nd_get_link(nd);
29267 + const char *link = nd_get_link(nd);
29271 diff -urNp linux-2.6.37/fs/binfmt_aout.c linux-2.6.37/fs/binfmt_aout.c
29272 --- linux-2.6.37/fs/binfmt_aout.c 2011-01-04 19:50:19.000000000 -0500
29273 +++ linux-2.6.37/fs/binfmt_aout.c 2011-01-17 02:41:01.000000000 -0500
29275 #include <linux/string.h>
29276 #include <linux/fs.h>
29277 #include <linux/file.h>
29278 +#include <linux/security.h>
29279 #include <linux/stat.h>
29280 #include <linux/fcntl.h>
29281 #include <linux/ptrace.h>
29282 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
29284 # define START_STACK(u) ((void __user *)u.start_stack)
29286 + memset(&dump, 0, sizeof(dump));
29291 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
29293 /* If the size of the dump file exceeds the rlimit, then see what would happen
29294 if we wrote the stack, but not the data area. */
29295 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
29296 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
29299 /* Make sure we have enough room to write the stack and data areas. */
29300 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
29301 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
29304 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
29305 rlim = rlimit(RLIMIT_DATA);
29306 if (rlim >= RLIM_INFINITY)
29309 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
29310 if (ex.a_data + ex.a_bss > rlim)
29313 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
29314 install_exec_creds(bprm);
29315 current->flags &= ~PF_FORKNOEXEC;
29317 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29318 + current->mm->pax_flags = 0UL;
29321 +#ifdef CONFIG_PAX_PAGEEXEC
29322 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
29323 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
29325 +#ifdef CONFIG_PAX_EMUTRAMP
29326 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
29327 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
29330 +#ifdef CONFIG_PAX_MPROTECT
29331 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
29332 + current->mm->pax_flags |= MF_PAX_MPROTECT;
29338 if (N_MAGIC(ex) == OMAGIC) {
29339 unsigned long text_addr, map_size;
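Review bot: The header bits in this block are read with mixed polarity and nothing documents it: `MF_PAX_PAGEEXEC` and `MF_PAX_MPROTECT` are set when the matching `F_PAX_*` bit is absent from `N_FLAGS(ex)`, while `MF_PAX_EMUTRAMP` is set when its bit is present. Because `N_FLAGS(ex)` comes from the executable being loaded, a comment above the block should say that the binary's own header can turn these protections off, e.g. `/* a.out header bits: PAGEEXEC/MPROTECT are opt-out, EMUTRAMP is opt-in */`. Some lines of the block (closing braces, `#endif`) are not shown in this view, so I cannot tell whether the MPROTECT test is nested inside the PAGEEXEC branch; the comment should state which. load_aout_binary continues outside the hunk.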
29341 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
29343 down_write(¤t->mm->mmap_sem);
29344 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
29345 - PROT_READ | PROT_WRITE | PROT_EXEC,
29346 + PROT_READ | PROT_WRITE,
29347 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29348 fd_offset + ex.a_text);
29349 up_write(¤t->mm->mmap_sem);
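Review bot: Dropping `PROT_EXEC` from the data-segment `do_mmap` is unconditional, whereas the PaX flags set earlier in load_aout_binary are compiled in per `CONFIG_PAX_*` option and driven by `N_FLAGS(ex)`. If the intent is that a.out data is never executable in any configuration, say so next to the call, for example `/* data segment is deliberately mapped without PROT_EXEC; code must live in the text mapping */`. Without that, the next reader cannot tell a hardening decision from an accidental behaviour change for binaries that execute from their data segment. The enclosing function starts and ends outside this hunk.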
29350 diff -urNp linux-2.6.37/fs/binfmt_elf.c linux-2.6.37/fs/binfmt_elf.c
29351 --- linux-2.6.37/fs/binfmt_elf.c 2011-01-04 19:50:19.000000000 -0500
29352 +++ linux-2.6.37/fs/binfmt_elf.c 2011-01-17 02:41:01.000000000 -0500
29353 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
29354 #define elf_core_dump NULL
29357 +#ifdef CONFIG_PAX_MPROTECT
29358 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29361 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29362 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
29364 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
29365 .load_binary = load_elf_binary,
29366 .load_shlib = load_elf_library,
29367 .core_dump = elf_core_dump,
29369 +#ifdef CONFIG_PAX_MPROTECT
29370 + .handle_mprotect= elf_handle_mprotect,
29373 .min_coredump = ELF_EXEC_PAGESIZE,
29376 @@ -78,6 +87,8 @@ static struct linux_binfmt elf_format =
29378 static int set_brk(unsigned long start, unsigned long end)
29380 + unsigned long e = end;
29382 start = ELF_PAGEALIGN(start);
29383 end = ELF_PAGEALIGN(end);
29385 @@ -88,7 +99,7 @@ static int set_brk(unsigned long start,
29386 if (BAD_ADDR(addr))
29389 - current->mm->start_brk = current->mm->brk = end;
29390 + current->mm->start_brk = current->mm->brk = e;
29394 @@ -149,7 +160,7 @@ create_elf_tables(struct linux_binprm *b
29395 elf_addr_t __user *u_rand_bytes;
29396 const char *k_platform = ELF_PLATFORM;
29397 const char *k_base_platform = ELF_BASE_PLATFORM;
29398 - unsigned char k_rand_bytes[16];
29399 + u32 k_rand_bytes[4];
29401 elf_addr_t *elf_info;
29403 @@ -196,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
29404 * Generate 16 random bytes for userspace PRNG seeding.
29406 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
29407 - u_rand_bytes = (elf_addr_t __user *)
29408 - STACK_ALLOC(p, sizeof(k_rand_bytes));
29409 + srandom32(k_rand_bytes[0] ^ random32());
29410 + srandom32(k_rand_bytes[1] ^ random32());
29411 + srandom32(k_rand_bytes[2] ^ random32());
29412 + srandom32(k_rand_bytes[3] ^ random32());
29413 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
29414 + u_rand_bytes = (elf_addr_t __user *) p;
29415 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
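Review bot: The four `srandom32(k_rand_bytes[i] ^ random32())` calls reseed the kernel's random32() generator from the same words that `__copy_to_user` then hands to the new process, so every exec discloses part of the reseed input to userspace. I would draw the reseed material separately, e.g. `u32 seed; get_random_bytes(&seed, sizeof(seed)); srandom32(seed);`, and keep `k_rand_bytes` for the user-visible copy only. The switch from `STACK_ALLOC(p, ...)` to `p = STACK_ROUND(p, sizeof(k_rand_bytes))` also changes how the 16 bytes are placed on the stack and deserves a comment. Both macros are defined outside this hunk, so the reserved size cannot be confirmed from here, and create_elf_tables continues outside the hunk.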
29418 @@ -386,10 +401,10 @@ static unsigned long load_elf_interp(str
29420 struct elf_phdr *elf_phdata;
29421 struct elf_phdr *eppnt;
29422 - unsigned long load_addr = 0;
29423 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29424 int load_addr_set = 0;
29425 unsigned long last_bss = 0, elf_bss = 0;
29426 - unsigned long error = ~0UL;
29427 + unsigned long error = -EINVAL;
29428 unsigned long total_size;
29429 int retval, i, size;
29431 @@ -435,6 +450,11 @@ static unsigned long load_elf_interp(str
29435 +#ifdef CONFIG_PAX_SEGMEXEC
29436 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29437 + pax_task_size = SEGMEXEC_TASK_SIZE;
29440 eppnt = elf_phdata;
29441 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29442 if (eppnt->p_type == PT_LOAD) {
29443 @@ -478,8 +498,8 @@ static unsigned long load_elf_interp(str
29444 k = load_addr + eppnt->p_vaddr;
29446 eppnt->p_filesz > eppnt->p_memsz ||
29447 - eppnt->p_memsz > TASK_SIZE ||
29448 - TASK_SIZE - eppnt->p_memsz < k) {
29449 + eppnt->p_memsz > pax_task_size ||
29450 + pax_task_size - eppnt->p_memsz < k) {
29454 @@ -533,6 +553,177 @@ out:
29458 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
29459 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
29461 + unsigned long pax_flags = 0UL;
29463 +#ifdef CONFIG_PAX_PAGEEXEC
29464 + if (elf_phdata->p_flags & PF_PAGEEXEC)
29465 + pax_flags |= MF_PAX_PAGEEXEC;
29468 +#ifdef CONFIG_PAX_SEGMEXEC
29469 + if (elf_phdata->p_flags & PF_SEGMEXEC)
29470 + pax_flags |= MF_PAX_SEGMEXEC;
29473 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29474 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29475 + if ((__supported_pte_mask & _PAGE_NX))
29476 + pax_flags &= ~MF_PAX_SEGMEXEC;
29478 + pax_flags &= ~MF_PAX_PAGEEXEC;
29482 +#ifdef CONFIG_PAX_EMUTRAMP
29483 + if (elf_phdata->p_flags & PF_EMUTRAMP)
29484 + pax_flags |= MF_PAX_EMUTRAMP;
29487 +#ifdef CONFIG_PAX_MPROTECT
29488 + if (elf_phdata->p_flags & PF_MPROTECT)
29489 + pax_flags |= MF_PAX_MPROTECT;
29492 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29493 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29494 + pax_flags |= MF_PAX_RANDMMAP;
29497 + return pax_flags;
29501 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29502 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29504 + unsigned long pax_flags = 0UL;
29506 +#ifdef CONFIG_PAX_PAGEEXEC
29507 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29508 + pax_flags |= MF_PAX_PAGEEXEC;
29511 +#ifdef CONFIG_PAX_SEGMEXEC
29512 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29513 + pax_flags |= MF_PAX_SEGMEXEC;
29516 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29517 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29518 + if ((__supported_pte_mask & _PAGE_NX))
29519 + pax_flags &= ~MF_PAX_SEGMEXEC;
29521 + pax_flags &= ~MF_PAX_PAGEEXEC;
29525 +#ifdef CONFIG_PAX_EMUTRAMP
29526 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29527 + pax_flags |= MF_PAX_EMUTRAMP;
29530 +#ifdef CONFIG_PAX_MPROTECT
29531 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29532 + pax_flags |= MF_PAX_MPROTECT;
29535 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29536 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29537 + pax_flags |= MF_PAX_RANDMMAP;
29540 + return pax_flags;
29544 +#ifdef CONFIG_PAX_EI_PAX
29545 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29547 + unsigned long pax_flags = 0UL;
29549 +#ifdef CONFIG_PAX_PAGEEXEC
29550 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29551 + pax_flags |= MF_PAX_PAGEEXEC;
29554 +#ifdef CONFIG_PAX_SEGMEXEC
29555 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29556 + pax_flags |= MF_PAX_SEGMEXEC;
29559 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29560 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29561 + if ((__supported_pte_mask & _PAGE_NX))
29562 + pax_flags &= ~MF_PAX_SEGMEXEC;
29564 + pax_flags &= ~MF_PAX_PAGEEXEC;
29568 +#ifdef CONFIG_PAX_EMUTRAMP
29569 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29570 + pax_flags |= MF_PAX_EMUTRAMP;
29573 +#ifdef CONFIG_PAX_MPROTECT
29574 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29575 + pax_flags |= MF_PAX_MPROTECT;
29578 +#ifdef CONFIG_PAX_ASLR
29579 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29580 + pax_flags |= MF_PAX_RANDMMAP;
29583 + return pax_flags;
29587 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29588 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29590 + unsigned long pax_flags = 0UL;
29592 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29596 +#ifdef CONFIG_PAX_EI_PAX
29597 + pax_flags = pax_parse_ei_pax(elf_ex);
29600 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29601 + for (i = 0UL; i < elf_ex->e_phnum; i++)
29602 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29603 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29604 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29605 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29606 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29607 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29610 +#ifdef CONFIG_PAX_SOFTMODE
29611 + if (pax_softmode)
29612 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
29616 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29621 + if (0 > pax_check_flags(&pax_flags))
29624 + current->mm->pax_flags = pax_flags;
29630 * These are the functions used to load ELF style executables and shared
29631 * libraries. There is no binary dependent code anywhere else.
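Review bot: None of the three new flag parsers carries a comment stating its polarity, and the polarity differs between them. pax_parse_softmode enables a feature only when the `PF_*` bit is set, pax_parse_hardmode enables it unless the `PF_NO*` bit is set, and pax_parse_ei_pax treats `EF_PAX_EMUTRAMP` as opt-in while `EF_PAX_MPROTECT` and `EF_PAX_RANDMMAP` are opt-out. A one-line header on each, for example `/* softmode: protections are off unless the binary asks for them */` and `/* hardmode: protections are on unless the binary opts out */`, would stop a later edit from inverting a test. The PAGEEXEC/SEGMEXEC conflict block that tests `__supported_pte_mask & _PAGE_NX` is repeated in all three parsers and could live in one static helper. Several lines of these functions are not shown in this listing.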
29632 @@ -549,6 +740,11 @@ static unsigned long randomize_stack_top
29634 unsigned int random_variable = 0;
29636 +#ifdef CONFIG_PAX_RANDUSTACK
29637 + if (randomize_va_space)
29638 + return stack_top - current->mm->delta_stack;
29641 if ((current->flags & PF_RANDOMIZE) &&
29642 !(current->personality & ADDR_NO_RANDOMIZE)) {
29643 random_variable = get_random_int() & STACK_RND_MASK;
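Review bot: The early return added under CONFIG_PAX_RANDUSTACK skips the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test that guards the stock path below it, and nothing in the hunk says this is intended. As written, any task gets `stack_top - current->mm->delta_stack` whenever `randomize_va_space` is non-zero. A task whose `delta_stack` is still 0 therefore gets no offset at all instead of falling through to the stock randomisation. If that is the design, a comment such as `/* PaX: per-mm delta_stack replaces the stock offset; the personality opt-out is not consulted */` should say so. randomize_stack_top's body continues outside the hunk.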
29644 @@ -567,7 +763,7 @@ static int load_elf_binary(struct linux_
29645 unsigned long load_addr = 0, load_bias = 0;
29646 int load_addr_set = 0;
29647 char * elf_interpreter = NULL;
29648 - unsigned long error;
29649 + unsigned long error = 0;
29650 struct elf_phdr *elf_ppnt, *elf_phdata;
29651 unsigned long elf_bss, elf_brk;
29653 @@ -577,11 +773,11 @@ static int load_elf_binary(struct linux_
29654 unsigned long start_code, end_code, start_data, end_data;
29655 unsigned long reloc_func_desc = 0;
29656 int executable_stack = EXSTACK_DEFAULT;
29657 - unsigned long def_flags = 0;
29659 struct elfhdr elf_ex;
29660 struct elfhdr interp_elf_ex;
29662 + unsigned long pax_task_size = TASK_SIZE;
29664 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29666 @@ -719,11 +915,80 @@ static int load_elf_binary(struct linux_
29668 /* OK, This is the point of no return */
29669 current->flags &= ~PF_FORKNOEXEC;
29670 - current->mm->def_flags = def_flags;
29672 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29673 + current->mm->pax_flags = 0UL;
29676 +#ifdef CONFIG_PAX_DLRESOLVE
29677 + current->mm->call_dl_resolve = 0UL;
29680 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29681 + current->mm->call_syscall = 0UL;
29684 +#ifdef CONFIG_PAX_ASLR
29685 + current->mm->delta_mmap = 0UL;
29686 + current->mm->delta_stack = 0UL;
29689 + current->mm->def_flags = 0;
29691 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29692 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29693 + send_sig(SIGKILL, current, 0);
29694 + goto out_free_dentry;
29698 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29699 + pax_set_initial_flags(bprm);
29700 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29701 + if (pax_set_initial_flags_func)
29702 + (pax_set_initial_flags_func)(bprm);
29705 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29706 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
29707 + current->mm->context.user_cs_limit = PAGE_SIZE;
29708 + current->mm->def_flags |= VM_PAGEEXEC;
29712 +#ifdef CONFIG_PAX_SEGMEXEC
29713 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29714 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29715 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29716 + pax_task_size = SEGMEXEC_TASK_SIZE;
29720 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29721 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29722 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29727 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29728 may depend on the personality. */
29729 SET_PERSONALITY(loc->elf_ex);
29731 +#ifdef CONFIG_PAX_ASLR
29732 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29733 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29734 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29738 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29739 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29740 + executable_stack = EXSTACK_DISABLE_X;
29741 + current->personality &= ~READ_IMPLIES_EXEC;
29745 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29746 current->personality |= READ_IMPLIES_EXEC;
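Review bot: The new failure path at the `pax_parse_elf_flags()` call sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`. The `padzero` failure path removed later in this file's diff set `retval = -EFAULT` before the same jump. What `retval` holds at this point is decided outside the hunk; if it is still 0 from an earlier successful call, the exec would report success for a task that is being killed. Adding `retval = -EINVAL;` before the `goto` keeps the error paths consistent. load_elf_binary starts and ends outside the hunk.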
29748 @@ -805,6 +1070,20 @@ static int load_elf_binary(struct linux_
29750 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29753 +#ifdef CONFIG_PAX_RANDMMAP
29754 + /* PaX: randomize base address at the default exe base if requested */
29755 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29756 +#ifdef CONFIG_SPARC64
29757 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29759 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29761 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29762 + elf_flags |= MAP_FIXED;
29768 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
29769 @@ -837,9 +1116,9 @@ static int load_elf_binary(struct linux_
29770 * allowed task size. Note that p_filesz must always be
29771 * <= p_memsz so it is only necessary to check p_memsz.
29773 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29774 - elf_ppnt->p_memsz > TASK_SIZE ||
29775 - TASK_SIZE - elf_ppnt->p_memsz < k) {
29776 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29777 + elf_ppnt->p_memsz > pax_task_size ||
29778 + pax_task_size - elf_ppnt->p_memsz < k) {
29779 /* set_brk can never work. Avoid overflows. */
29780 send_sig(SIGKILL, current, 0);
29782 @@ -867,6 +1146,11 @@ static int load_elf_binary(struct linux_
29783 start_data += load_bias;
29784 end_data += load_bias;
29786 +#ifdef CONFIG_PAX_RANDMMAP
29787 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29788 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
29791 /* Calling set_brk effectively mmaps the pages that we need
29792 * for the bss and break sections. We must do this before
29793 * mapping in the interpreter, to make sure it doesn't wind
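Review bot: The brk offset `PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4)` has two unexplained constants. Masking with `~PAGE_MASK` ties the number of random bits to the page size, and `<< 4` fixes the step at 16 bytes. A comment such as `/* PaX: move brk up by one page plus a random 16-byte-aligned offset of less than 16 pages */` would let a reader check the entropy without decoding the expression. The enclosing function continues outside the hunk.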
29794 @@ -878,9 +1162,11 @@ static int load_elf_binary(struct linux_
29795 goto out_free_dentry;
29797 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
29798 - send_sig(SIGSEGV, current, 0);
29799 - retval = -EFAULT; /* Nobody gets to see this, but.. */
29800 - goto out_free_dentry;
29802 + * This bss-zeroing can fail if the ELF
29803 + * file specifies odd protections. So
29804 + * we don't check the return value
29808 if (elf_interpreter) {
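Review bot: On the lines shown here the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` keeps its condition but its body is now only a comment, so a failed `padzero()` is dropped silently. Calling it for its side effect reads more honestly, e.g. `if (likely(elf_bss != elf_brk)) padzero(elf_bss);`, with the existing comment placed above it. The comment should also say what the process sees when zeroing fails: the tail of the page after `elf_bss` is left as mapped rather than cleared. Lines of this hunk are missing from the listing, and the function continues outside it.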
29809 @@ -1091,7 +1377,7 @@ out:
29810 * Decide what to dump of a segment, part, all or none.
29812 static unsigned long vma_dump_size(struct vm_area_struct *vma,
29813 - unsigned long mm_flags)
29814 + unsigned long mm_flags, long signr)
29816 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
29818 @@ -1125,7 +1411,7 @@ static unsigned long vma_dump_size(struc
29819 if (vma->vm_file == NULL)
29822 - if (FILTER(MAPPED_PRIVATE))
29823 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
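Review bot: The added `signr == SIGKILL` test makes file-backed private mappings part of the dump regardless of the task's `MAPPED_PRIVATE` filter bit, and neither this line nor the function's header comment ("Decide what to dump of a segment") explains why. Overriding a per-process dump filter changes what data can end up in a core file, so the reason belongs next to the test. A comment such as `/* dumps taken for SIGKILL ignore the MAPPED_PRIVATE filter */` would cover it, along with a note on where such dumps originate, since that is outside this diff section. The `signr` parameter itself is added in the previous hunk of vma_dump_size; the function body extends beyond both hunks.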
29827 @@ -1347,9 +1633,9 @@ static void fill_auxv_note(struct memelf
29829 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
29834 - while (auxv[i - 2] != AT_NULL);
29835 + } while (auxv[i - 2] != AT_NULL);
29836 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
29839 @@ -1855,14 +2141,14 @@ static void fill_extnum_info(struct elfh
29842 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
29843 - unsigned long mm_flags)
29844 + struct coredump_params *cprm)
29846 struct vm_area_struct *vma;
29849 for (vma = first_vma(current, gate_vma); vma != NULL;
29850 vma = next_vma(vma, gate_vma))
29851 - size += vma_dump_size(vma, mm_flags);
29852 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29856 @@ -1956,7 +2242,7 @@ static int elf_core_dump(struct coredump
29858 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
29860 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
29861 + offset += elf_core_vma_data_size(gate_vma, cprm);
29862 offset += elf_core_extra_data_size();
29865 @@ -1970,10 +2256,12 @@ static int elf_core_dump(struct coredump
29868 size += sizeof(*elf);
29869 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29870 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
29873 size += sizeof(*phdr4note);
29874 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29875 if (size > cprm->limit
29876 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
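Review bot: `gr_learn_resource(current, RLIMIT_CORE, size, 1)` is pasted in front of each `size > cprm->limit` test, here twice and again in the later elf_core_dump hunks for `phdr`, the page loop and `shdr4extnum`. In the page loop it has to be passed `size + PAGE_SIZE` by hand, because the increment is inside the condition that follows. A small static helper that takes `cprm` and the new size, reports it, and returns whether the limit is exceeded would keep the accounting and the check from drifting apart. elf_core_dump starts and ends outside these hunks.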
29878 @@ -1987,7 +2275,7 @@ static int elf_core_dump(struct coredump
29879 phdr.p_offset = offset;
29880 phdr.p_vaddr = vma->vm_start;
29882 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
29883 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29884 phdr.p_memsz = vma->vm_end - vma->vm_start;
29885 offset += phdr.p_filesz;
29886 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
29887 @@ -1998,6 +2286,7 @@ static int elf_core_dump(struct coredump
29888 phdr.p_align = ELF_EXEC_PAGESIZE;
29890 size += sizeof(phdr);
29891 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29892 if (size > cprm->limit
29893 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
29895 @@ -2022,7 +2311,7 @@ static int elf_core_dump(struct coredump
29896 unsigned long addr;
29899 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
29900 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29902 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
29904 @@ -2031,6 +2320,7 @@ static int elf_core_dump(struct coredump
29905 page = get_dump_page(addr);
29907 void *kaddr = kmap(page);
29908 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
29909 stop = ((size += PAGE_SIZE) > cprm->limit) ||
29910 !dump_write(cprm->file, kaddr,
29912 @@ -2048,6 +2338,7 @@ static int elf_core_dump(struct coredump
29914 if (e_phnum == PN_XNUM) {
29915 size += sizeof(*shdr4extnum);
29916 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29917 if (size > cprm->limit
29918 || !dump_write(cprm->file, shdr4extnum,
29919 sizeof(*shdr4extnum)))
29920 @@ -2068,6 +2359,97 @@ out:
29922 #endif /* CONFIG_ELF_CORE */
29924 +#ifdef CONFIG_PAX_MPROTECT
29925 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
29926 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
29927 + * we'll remove VM_MAYWRITE for good on RELRO segments.
29929 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
29930 + * basis because we want to allow the common case and not the special ones.
29932 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
29934 + struct elfhdr elf_h;
29935 + struct elf_phdr elf_p;
29937 + unsigned long oldflags;
29938 + bool is_textrel_rw, is_textrel_rx, is_relro;
29940 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
29943 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
29944 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
29946 +#ifdef CONFIG_PAX_ELFRELOCS
29947 + /* possible TEXTREL */
29948 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
29949 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
29951 + is_textrel_rw = false;
29952 + is_textrel_rx = false;
29955 + /* possible RELRO */
29956 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
29958 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
29961 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
29962 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
29964 +#ifdef CONFIG_PAX_ETEXECRELOCS
29965 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29967 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
29970 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29971 + !elf_check_arch(&elf_h) ||
29972 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
29973 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
29976 + for (i = 0UL; i < elf_h.e_phnum; i++) {
29977 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
29979 + switch (elf_p.p_type) {
29981 + if (!is_textrel_rw && !is_textrel_rx)
29984 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
29987 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
29989 + if (dyn.d_tag == DT_NULL)
29991 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
29992 + gr_log_textrel(vma);
29993 + if (is_textrel_rw)
29994 + vma->vm_flags |= VM_MAYWRITE;
29996 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
29997 + vma->vm_flags &= ~VM_MAYWRITE;
30004 + case PT_GNU_RELRO:
30007 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
30008 + vma->vm_flags &= ~VM_MAYWRITE;
30015 static int __init init_elf_binfmt(void)
30017 return register_binfmt(&elf_format);
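Review bot: In elf_handle_mprotect the dynamic-section scan `while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz)` indexes with the same `i` that drives the enclosing program-header `for` loop, and its only bound is `p_filesz`, a value read from the file. Several lines of this function are not shown here, so a reset of `i` and an exit after the scan may exist, but a separate counter (`unsigned long j`) would make the two loops independent. The program-header count is capped by `e_phnum > 65536UL / sizeof(struct elf_phdr)`. A similar cap on dynamic entries, plus a check that `elf_p.p_offset + j*sizeof(dyn)` does not wrap, would bound the work done per call. The header comment should also state that `VM_MAYWRITE` is granted or removed based on the file contents as read at the time of the call.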
30018 diff -urNp linux-2.6.37/fs/binfmt_flat.c linux-2.6.37/fs/binfmt_flat.c
30019 --- linux-2.6.37/fs/binfmt_flat.c 2011-01-04 19:50:19.000000000 -0500
30020 +++ linux-2.6.37/fs/binfmt_flat.c 2011-01-17 02:41:01.000000000 -0500
30021 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
30022 realdatastart = (unsigned long) -ENOMEM;
30023 printk("Unable to allocate RAM for process data, errno %d\n",
30024 (int)-realdatastart);
30025 + down_write(¤t->mm->mmap_sem);
30026 do_munmap(current->mm, textpos, text_len);
30027 + up_write(¤t->mm->mmap_sem);
30028 ret = realdatastart;
30031 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
30033 if (IS_ERR_VALUE(result)) {
30034 printk("Unable to read data+bss, errno %d\n", (int)-result);
30035 + down_write(¤t->mm->mmap_sem);
30036 do_munmap(current->mm, textpos, text_len);
30037 do_munmap(current->mm, realdatastart, len);
30038 + up_write(¤t->mm->mmap_sem);
30042 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
30044 if (IS_ERR_VALUE(result)) {
30045 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
30046 + down_write(¤t->mm->mmap_sem);
30047 do_munmap(current->mm, textpos, text_len + data_len + extra +
30048 MAX_SHARED_LIBS * sizeof(unsigned long));
30049 + up_write(¤t->mm->mmap_sem);
30053 diff -urNp linux-2.6.37/fs/binfmt_misc.c linux-2.6.37/fs/binfmt_misc.c
30054 --- linux-2.6.37/fs/binfmt_misc.c 2011-01-04 19:50:19.000000000 -0500
30055 +++ linux-2.6.37/fs/binfmt_misc.c 2011-01-17 02:41:01.000000000 -0500
30056 @@ -698,7 +698,7 @@ static int bm_fill_super(struct super_bl
30057 static struct tree_descr bm_files[] = {
30058 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
30059 [3] = {"register", &bm_register_operations, S_IWUSR},
30060 - /* last one */ {""}
30061 + /* last one */ {"", NULL, 0}
30063 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
30065 diff -urNp linux-2.6.37/fs/bio.c linux-2.6.37/fs/bio.c
30066 --- linux-2.6.37/fs/bio.c 2011-01-04 19:50:19.000000000 -0500
30067 +++ linux-2.6.37/fs/bio.c 2011-01-17 02:41:01.000000000 -0500
30068 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
30069 const int read = bio_data_dir(bio) == READ;
30070 struct bio_map_data *bmd = bio->bi_private;
30072 - char *p = bmd->sgvecs[0].iov_base;
30073 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
30075 __bio_for_each_segment(bvec, bio, i, 0) {
30076 char *addr = page_address(bvec->bv_page);
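Review bot: The `(__force char *)` cast on `bmd->sgvecs[0].iov_base` silences the static checker's address-space warning without recording why a dereferenceable kernel pointer is expected here. The same applies to the `(__force const void __user *) data` cast in the fs/cachefiles/rdwr.c hunk, where the annotation goes the other way. Each cast should carry a short justification, for example `/* iov_base holds a kernel address on this path */` here, if that is indeed the invariant; the code that fills `sgvecs` is outside the hunk. Whatever makes the cachefiles call accept a kernel buffer is likewise outside that hunk and should be named in its comment.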
30077 diff -urNp linux-2.6.37/fs/block_dev.c linux-2.6.37/fs/block_dev.c
30078 --- linux-2.6.37/fs/block_dev.c 2011-01-04 19:50:19.000000000 -0500
30079 +++ linux-2.6.37/fs/block_dev.c 2011-01-17 02:41:01.000000000 -0500
30080 @@ -662,7 +662,7 @@ static bool bd_may_claim(struct block_de
30081 else if (bdev->bd_contains == bdev)
30082 return true; /* is a whole device which isn't held */
30084 - else if (whole->bd_holder == bd_claim)
30085 + else if (whole->bd_holder == (void *)bd_claim)
30086 return true; /* is a partition of a device that is being partitioned */
30087 else if (whole->bd_holder != NULL)
30088 return false; /* is a partition of a held device */
30089 diff -urNp linux-2.6.37/fs/btrfs/ctree.c linux-2.6.37/fs/btrfs/ctree.c
30090 --- linux-2.6.37/fs/btrfs/ctree.c 2011-01-04 19:50:19.000000000 -0500
30091 +++ linux-2.6.37/fs/btrfs/ctree.c 2011-01-17 02:41:01.000000000 -0500
30092 @@ -466,9 +466,12 @@ static noinline int __btrfs_cow_block(st
30093 free_extent_buffer(buf);
30094 add_root_to_dirty_list(root);
30096 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
30097 - parent_start = parent->start;
30099 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
30101 + parent_start = parent->start;
30103 + parent_start = 0;
30107 WARN_ON(trans->transid != btrfs_header_generation(parent));
30108 @@ -3768,7 +3771,6 @@ setup_items_for_insert(struct btrfs_tran
30112 - struct btrfs_disk_key disk_key;
30113 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
30114 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
30116 diff -urNp linux-2.6.37/fs/btrfs/disk-io.c linux-2.6.37/fs/btrfs/disk-io.c
30117 --- linux-2.6.37/fs/btrfs/disk-io.c 2011-01-04 19:50:19.000000000 -0500
30118 +++ linux-2.6.37/fs/btrfs/disk-io.c 2011-01-17 02:41:01.000000000 -0500
30120 #include "tree-log.h"
30121 #include "free-space-cache.h"
30123 -static struct extent_io_ops btree_extent_io_ops;
30124 +static const struct extent_io_ops btree_extent_io_ops;
30125 static void end_workqueue_fn(struct btrfs_work *work);
30126 static void free_fs_root(struct btrfs_root *root);
30128 @@ -2619,7 +2619,7 @@ out:
30132 -static struct extent_io_ops btree_extent_io_ops = {
30133 +static const struct extent_io_ops btree_extent_io_ops = {
30134 .write_cache_pages_lock_hook = btree_lock_page_hook,
30135 .readpage_end_io_hook = btree_readpage_end_io_hook,
30136 .submit_bio_hook = btree_submit_bio_hook,
30137 diff -urNp linux-2.6.37/fs/btrfs/extent_io.h linux-2.6.37/fs/btrfs/extent_io.h
30138 --- linux-2.6.37/fs/btrfs/extent_io.h 2011-01-04 19:50:19.000000000 -0500
30139 +++ linux-2.6.37/fs/btrfs/extent_io.h 2011-01-17 02:41:01.000000000 -0500
30140 @@ -51,36 +51,36 @@ typedef int (extent_submit_bio_hook_t)(s
30141 struct bio *bio, int mirror_num,
30142 unsigned long bio_flags, u64 bio_offset);
30143 struct extent_io_ops {
30144 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
30145 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
30146 u64 start, u64 end, int *page_started,
30147 unsigned long *nr_written);
30148 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
30149 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
30150 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
30151 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
30152 extent_submit_bio_hook_t *submit_bio_hook;
30153 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
30154 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
30155 size_t size, struct bio *bio,
30156 unsigned long bio_flags);
30157 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
30158 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
30159 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
30160 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
30161 u64 start, u64 end,
30162 struct extent_state *state);
30163 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
30164 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
30165 u64 start, u64 end,
30166 struct extent_state *state);
30167 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30168 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30169 struct extent_state *state);
30170 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30171 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30172 struct extent_state *state, int uptodate);
30173 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
30174 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
30176 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
30177 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
30179 - int (*merge_extent_hook)(struct inode *inode,
30180 + int (* const merge_extent_hook)(struct inode *inode,
30181 struct extent_state *new,
30182 struct extent_state *other);
30183 - int (*split_extent_hook)(struct inode *inode,
30184 + int (* const split_extent_hook)(struct inode *inode,
30185 struct extent_state *orig, u64 split);
30186 - int (*write_cache_pages_lock_hook)(struct page *page);
30187 + int (* const write_cache_pages_lock_hook)(struct page *page);
30190 struct extent_io_tree {
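Review bot: `submit_bio_hook` is left as `extent_submit_bio_hook_t *submit_bio_hook;` while every other hook in `struct extent_io_ops` is changed to a `* const` member. The instances in disk-io.c and inode.c become `static const`, so those objects are read-only either way. The odd member still makes the struct inconsistent and leaves that one slot assignable in any non-const instance. `extent_submit_bio_hook_t * const submit_bio_hook;` would match the rest.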
30191 @@ -90,7 +90,7 @@ struct extent_io_tree {
30194 spinlock_t buffer_lock;
30195 - struct extent_io_ops *ops;
30196 + const struct extent_io_ops *ops;
30199 struct extent_state {
30200 diff -urNp linux-2.6.37/fs/btrfs/free-space-cache.c linux-2.6.37/fs/btrfs/free-space-cache.c
30201 --- linux-2.6.37/fs/btrfs/free-space-cache.c 2011-01-04 19:50:19.000000000 -0500
30202 +++ linux-2.6.37/fs/btrfs/free-space-cache.c 2011-01-17 02:41:01.000000000 -0500
30203 @@ -1828,8 +1828,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
30206 if (entry->bytes < bytes || entry->offset < min_start) {
30207 - struct rb_node *node;
30209 node = rb_next(&entry->offset_index);
30212 @@ -1980,7 +1978,7 @@ again:
30214 while (entry->bitmap || found_bitmap ||
30215 (!entry->bitmap && entry->bytes < min_bytes)) {
30216 - struct rb_node *node = rb_next(&entry->offset_index);
30217 + node = rb_next(&entry->offset_index);
30219 if (entry->bitmap && entry->bytes > bytes + empty_size) {
30220 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
30221 diff -urNp linux-2.6.37/fs/btrfs/inode.c linux-2.6.37/fs/btrfs/inode.c
30222 --- linux-2.6.37/fs/btrfs/inode.c 2011-01-04 19:50:19.000000000 -0500
30223 +++ linux-2.6.37/fs/btrfs/inode.c 2011-01-17 02:41:01.000000000 -0500
30224 @@ -64,7 +64,7 @@ static const struct inode_operations btr
30225 static const struct address_space_operations btrfs_aops;
30226 static const struct address_space_operations btrfs_symlink_aops;
30227 static const struct file_operations btrfs_dir_file_operations;
30228 -static struct extent_io_ops btrfs_extent_io_ops;
30229 +static const struct extent_io_ops btrfs_extent_io_ops;
30231 static struct kmem_cache *btrfs_inode_cachep;
30232 struct kmem_cache *btrfs_trans_handle_cachep;
30233 @@ -7246,7 +7246,7 @@ static const struct file_operations btrf
30234 .fsync = btrfs_sync_file,
30237 -static struct extent_io_ops btrfs_extent_io_ops = {
30238 +static const struct extent_io_ops btrfs_extent_io_ops = {
30239 .fill_delalloc = run_delalloc_range,
30240 .submit_bio_hook = btrfs_submit_bio_hook,
30241 .merge_bio_hook = btrfs_merge_bio_hook,
30242 diff -urNp linux-2.6.37/fs/btrfs/relocation.c linux-2.6.37/fs/btrfs/relocation.c
30243 --- linux-2.6.37/fs/btrfs/relocation.c 2011-01-04 19:50:19.000000000 -0500
30244 +++ linux-2.6.37/fs/btrfs/relocation.c 2011-01-17 02:41:01.000000000 -0500
30245 @@ -1238,7 +1238,7 @@ static int __update_reloc_root(struct bt
30247 spin_unlock(&rc->reloc_root_tree.lock);
30249 - BUG_ON((struct btrfs_root *)node->data != root);
30250 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
30253 spin_lock(&rc->reloc_root_tree.lock);
30254 diff -urNp linux-2.6.37/fs/cachefiles/bind.c linux-2.6.37/fs/cachefiles/bind.c
30255 --- linux-2.6.37/fs/cachefiles/bind.c 2011-01-04 19:50:19.000000000 -0500
30256 +++ linux-2.6.37/fs/cachefiles/bind.c 2011-01-17 02:41:01.000000000 -0500
30257 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
30260 /* start by checking things over */
30261 - ASSERT(cache->fstop_percent >= 0 &&
30262 - cache->fstop_percent < cache->fcull_percent &&
30263 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
30264 cache->fcull_percent < cache->frun_percent &&
30265 cache->frun_percent < 100);
30267 - ASSERT(cache->bstop_percent >= 0 &&
30268 - cache->bstop_percent < cache->bcull_percent &&
30269 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
30270 cache->bcull_percent < cache->brun_percent &&
30271 cache->brun_percent < 100);
30273 diff -urNp linux-2.6.37/fs/cachefiles/daemon.c linux-2.6.37/fs/cachefiles/daemon.c
30274 --- linux-2.6.37/fs/cachefiles/daemon.c 2011-01-04 19:50:19.000000000 -0500
30275 +++ linux-2.6.37/fs/cachefiles/daemon.c 2011-01-17 02:41:01.000000000 -0500
30276 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
30280 - if (copy_to_user(_buffer, buffer, n) != 0)
30281 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
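Review bot: The new `n > sizeof(buffer)` guard has no comment saying what it protects. It stops `copy_to_user()` from reading past the local `buffer`, which would otherwise expose adjacent stack contents to the caller. `n` is computed outside the hunk; if it comes from a formatting call that returns the untruncated length, that is worth stating, e.g. `/* n may exceed buffer[] if the output was truncated; never copy past it */`. The value returned on this branch is on a line not shown here, so check that an over-length `n` is reported distinctly from a faulting user pointer, or that sharing the code is intended.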
30285 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
30286 if (test_bit(CACHEFILES_DEAD, &cache->flags))
30289 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
30290 + if (datalen > PAGE_SIZE - 1)
30291 return -EOPNOTSUPP;
30293 /* drag the command string into the kernel so we can parse it */
30294 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
30295 if (args[0] != '%' || args[1] != '\0')
30298 - if (fstop < 0 || fstop >= cache->fcull_percent)
30299 + if (fstop >= cache->fcull_percent)
30300 return cachefiles_daemon_range_error(cache, args);
30302 cache->fstop_percent = fstop;
30303 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
30304 if (args[0] != '%' || args[1] != '\0')
30307 - if (bstop < 0 || bstop >= cache->bcull_percent)
30308 + if (bstop >= cache->bcull_percent)
30309 return cachefiles_daemon_range_error(cache, args);
30311 cache->bstop_percent = bstop;
30312 diff -urNp linux-2.6.37/fs/cachefiles/rdwr.c linux-2.6.37/fs/cachefiles/rdwr.c
30313 --- linux-2.6.37/fs/cachefiles/rdwr.c 2011-01-04 19:50:19.000000000 -0500
30314 +++ linux-2.6.37/fs/cachefiles/rdwr.c 2011-01-17 02:41:01.000000000 -0500
30315 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
30318 ret = file->f_op->write(
30319 - file, (const void __user *) data, len, &pos);
30320 + file, (__force const void __user *) data, len, &pos);
30324 diff -urNp linux-2.6.37/fs/ceph/dir.c linux-2.6.37/fs/ceph/dir.c
30325 --- linux-2.6.37/fs/ceph/dir.c 2011-01-04 19:50:19.000000000 -0500
30326 +++ linux-2.6.37/fs/ceph/dir.c 2011-01-17 02:41:01.000000000 -0500
30327 @@ -223,7 +223,7 @@ static int ceph_readdir(struct file *fil
30328 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
30329 struct ceph_mds_client *mdsc = fsc->mdsc;
30330 unsigned frag = fpos_frag(filp->f_pos);
30331 - int off = fpos_off(filp->f_pos);
30332 + unsigned int off = fpos_off(filp->f_pos);
30335 struct ceph_mds_reply_info_parsed *rinfo;
30336 @@ -355,7 +355,7 @@ more:
30337 rinfo = &fi->last_readdir->r_reply_info;
30338 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
30339 rinfo->dir_nr, off, fi->offset);
30340 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
30341 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
30342 u64 pos = ceph_make_fpos(frag, off);
30343 struct ceph_mds_reply_inode *in =
30344 rinfo->dir_in[off - fi->offset].in;
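Review bot: `off` becomes `unsigned int` in the previous hunk, but the `dout()` call in this hunk's context still prints it with `off %d`. The format string should read `"readdir frag %x num %d off %u chunkoff %d\n"`. The rewritten loop test `off >= fi->offset` also compares the unsigned `off` with `fi->offset`, whose type is declared outside this diff. If that field is a signed int it is converted to unsigned for the comparison, so a negative value would compare as very large; confirm the field cannot be negative or make it unsigned too. ceph_readdir extends beyond both hunks.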
30345 diff -urNp linux-2.6.37/fs/cifs/cifs_uniupr.h linux-2.6.37/fs/cifs/cifs_uniupr.h
30346 --- linux-2.6.37/fs/cifs/cifs_uniupr.h 2011-01-04 19:50:19.000000000 -0500
30347 +++ linux-2.6.37/fs/cifs/cifs_uniupr.h 2011-01-17 02:41:01.000000000 -0500
30348 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
30349 {0x0490, 0x04cc, UniCaseRangeU0490},
30350 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
30351 {0xff40, 0xff5a, UniCaseRangeUff40},
30357 diff -urNp linux-2.6.37/fs/cifs/link.c linux-2.6.37/fs/cifs/link.c
30358 --- linux-2.6.37/fs/cifs/link.c 2011-01-04 19:50:19.000000000 -0500
30359 +++ linux-2.6.37/fs/cifs/link.c 2011-01-17 02:41:01.000000000 -0500
30360 @@ -540,7 +540,7 @@ symlink_exit:
30362 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
30364 - char *p = nd_get_link(nd);
30365 + const char *p = nd_get_link(nd);
30369 diff -urNp linux-2.6.37/fs/compat_binfmt_elf.c linux-2.6.37/fs/compat_binfmt_elf.c
30370 --- linux-2.6.37/fs/compat_binfmt_elf.c 2011-01-04 19:50:19.000000000 -0500
30371 +++ linux-2.6.37/fs/compat_binfmt_elf.c 2011-01-17 02:41:01.000000000 -0500
30372 @@ -30,11 +30,13 @@
30378 #define elfhdr elf32_hdr
30379 #define elf_phdr elf32_phdr
30380 #define elf_shdr elf32_shdr
30381 #define elf_note elf32_note
30382 +#define elf_dyn Elf32_Dyn
30383 #define elf_addr_t Elf32_Addr
30386 diff -urNp linux-2.6.37/fs/compat.c linux-2.6.37/fs/compat.c
30387 --- linux-2.6.37/fs/compat.c 2011-01-04 19:50:19.000000000 -0500
30388 +++ linux-2.6.37/fs/compat.c 2011-01-17 02:41:01.000000000 -0500
30389 @@ -592,7 +592,7 @@ ssize_t compat_rw_copy_check_uvector(int
30393 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
30394 + if (nr_segs > UIO_MAXIOV)
30396 if (nr_segs > fast_segs) {
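Review bot: Dropping `nr_segs < 0` is only safe if `nr_segs` has an unsigned type, and its declaration sits in the truncated signature outside this hunk. If it is unsigned, the old test was dead code and `nr_segs > UIO_MAXIOV` alone rejects every oversized count before the `fast_segs` comparison; if it is signed, a negative count would now pass. A one-line comment such as `/* nr_segs is unsigned: a wrapped negative count is rejected as > UIO_MAXIOV */` would keep the bound from being weakened later.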
30398 @@ -876,6 +876,7 @@ struct compat_old_linux_dirent {
30400 struct compat_readdir_callback {
30401 struct compat_old_linux_dirent __user *dirent;
30402 + struct file * file;
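Review bot: The new `struct file * file;` member is undocumented and spaced differently from the `__user *dirent` declarator beside it; `struct file *file; /* directory being read, passed to gr_acl_handle_filldir() */` would match the surrounding style and say why the callback needs it. The same applies to the members added to `compat_getdents_callback` and `compat_getdents_callback64` further down. Each of the three syscalls has to fill the field before `vfs_readdir()` runs. Those assignments are not visible in the extracted hunks, so check that none of the on-stack structs reaches its filldir callback with `file` uninitialised.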
30406 @@ -893,6 +894,10 @@ static int compat_fillonedir(void *__buf
30407 buf->result = -EOVERFLOW;
30411 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30415 dirent = buf->dirent;
30416 if (!access_ok(VERIFY_WRITE, dirent,
30417 @@ -925,6 +930,7 @@ asmlinkage long compat_sys_old_readdir(u
30420 buf.dirent = dirent;
30423 error = vfs_readdir(file, compat_fillonedir, &buf);
30425 @@ -945,6 +951,7 @@ struct compat_linux_dirent {
30426 struct compat_getdents_callback {
30427 struct compat_linux_dirent __user *current_dir;
30428 struct compat_linux_dirent __user *previous;
30429 + struct file * file;
30433 @@ -966,6 +973,10 @@ static int compat_filldir(void *__buf, c
30434 buf->error = -EOVERFLOW;
30438 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30441 dirent = buf->previous;
30443 if (__put_user(offset, &dirent->d_off))
30444 @@ -1013,6 +1024,7 @@ asmlinkage long compat_sys_getdents(unsi
30445 buf.previous = NULL;
30450 error = vfs_readdir(file, compat_filldir, &buf);
30452 @@ -1034,6 +1046,7 @@ out:
30453 struct compat_getdents_callback64 {
30454 struct linux_dirent64 __user *current_dir;
30455 struct linux_dirent64 __user *previous;
30456 + struct file * file;
30460 @@ -1050,6 +1063,10 @@ static int compat_filldir64(void * __buf
30461 buf->error = -EINVAL; /* only used if we fail.. */
30462 if (reclen > buf->count)
30465 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30468 dirent = buf->previous;
30471 @@ -1101,6 +1118,7 @@ asmlinkage long compat_sys_getdents64(un
30472 buf.previous = NULL;
30477 error = vfs_readdir(file, compat_filldir64, &buf);
30479 @@ -1419,6 +1437,7 @@ static int compat_copy_strings(int argc,
30481 page = get_arg_page(bprm, pos, 1);
30483 + /* We've exceed the stack rlimit. */
30487 @@ -1460,6 +1479,11 @@ int compat_do_execve(char * filename,
30488 compat_uptr_t __user *envp,
30489 struct pt_regs * regs)
30491 +#ifdef CONFIG_GRKERNSEC
30492 + struct file *old_exec_file;
30493 + struct acl_subject_label *old_acl;
30494 + struct rlimit old_rlim[RLIM_NLIMITS];
30496 struct linux_binprm *bprm;
30498 struct files_struct *displaced;
30499 @@ -1496,6 +1520,14 @@ int compat_do_execve(char * filename,
30500 bprm->filename = filename;
30501 bprm->interp = filename;
30503 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30504 + retval = -EAGAIN;
30505 + if (gr_handle_nproc())
30507 + retval = -EACCES;
30508 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30511 retval = bprm_mm_init(bprm);
30514 @@ -1525,9 +1557,40 @@ int compat_do_execve(char * filename,
30518 + if (!gr_tpe_allow(file)) {
30519 + retval = -EACCES;
30523 + if (gr_check_crash_exec(file)) {
30524 + retval = -EACCES;
30528 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30530 + gr_handle_exec_args_compat(bprm, argv);
30532 +#ifdef CONFIG_GRKERNSEC
30533 + old_acl = current->acl;
30534 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30535 + old_exec_file = current->exec_file;
30537 + current->exec_file = file;
30540 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30541 + bprm->unsafe & LSM_UNSAFE_SHARE);
30545 retval = search_binary_handler(bprm, regs);
30549 +#ifdef CONFIG_GRKERNSEC
30550 + if (old_exec_file)
30551 + fput(old_exec_file);
30554 /* execve succeeded */
30555 current->fs->in_exec = 0;
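Review bot: The snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim))` is taken with no lock visible in the hunk, while `signal->rlim` is shared by every thread in the group and is, as far as I can tell, normally written under `task_lock(current->group_leader)`. `search_binary_handler()` has not run at that point, so sibling threads can presumably still change a limit between this copy and the restore in the failure path, which would then silently undo their update. Taking the same lock around both copies, or documenting why the race is harmless, would settle it. The array also places `RLIM_NLIMITS` rlimit structs on the kernel stack of the exec path, and `do_execve()` in fs/exec.c carries identical code.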
30556 @@ -1538,6 +1601,14 @@ int compat_do_execve(char * filename,
30557 put_files_struct(displaced);
30561 +#ifdef CONFIG_GRKERNSEC
30562 + current->acl = old_acl;
30563 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30564 + fput(current->exec_file);
30565 + current->exec_file = old_exec_file;
30570 acct_arg_size(bprm, 0);
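Review bot: This failure-path block restores from `old_acl`, `old_rlim` and `old_exec_file`, which are only assigned in the previous hunk, after the `gr_tpe_allow()` and `gr_check_crash_exec()` checks. The labels around it are missing from this listing, so it cannot be seen from here whether the earlier `-EAGAIN`/`-EACCES` exits jump past it. If any of them reaches it, `fput(current->exec_file)` would drop a reference that was never taken and the task would be handed uninitialised limits. Confirm the label layout and add a short comment naming which failures reach the block; the matching hunk in `do_execve()` has the same shape.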
30571 diff -urNp linux-2.6.37/fs/compat_ioctl.c linux-2.6.37/fs/compat_ioctl.c
30572 --- linux-2.6.37/fs/compat_ioctl.c 2011-01-04 19:50:19.000000000 -0500
30573 +++ linux-2.6.37/fs/compat_ioctl.c 2011-01-17 02:41:01.000000000 -0500
30574 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
30576 err = get_user(palp, &up->palette);
30577 err |= get_user(length, &up->length);
30581 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
30582 err = put_user(compat_ptr(palp), &up_native->palette);
30583 @@ -1637,8 +1639,8 @@ asmlinkage long compat_sys_ioctl(unsigne
30584 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
30587 - a = *(unsigned int *)p;
30588 - b = *(unsigned int *)q;
30589 + a = *(const unsigned int *)p;
30590 + b = *(const unsigned int *)q;
30594 diff -urNp linux-2.6.37/fs/debugfs/inode.c linux-2.6.37/fs/debugfs/inode.c
30595 --- linux-2.6.37/fs/debugfs/inode.c 2011-01-04 19:50:19.000000000 -0500
30596 +++ linux-2.6.37/fs/debugfs/inode.c 2011-01-17 02:41:01.000000000 -0500
30597 @@ -130,7 +130,7 @@ static inline int debugfs_positive(struc
30599 static int debug_fill_super(struct super_block *sb, void *data, int silent)
30601 - static struct tree_descr debug_files[] = {{""}};
30602 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
30604 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
30606 diff -urNp linux-2.6.37/fs/dlm/lockspace.c linux-2.6.37/fs/dlm/lockspace.c
30607 --- linux-2.6.37/fs/dlm/lockspace.c 2011-01-04 19:50:19.000000000 -0500
30608 +++ linux-2.6.37/fs/dlm/lockspace.c 2011-01-17 02:41:01.000000000 -0500
30609 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
30613 -static struct kset_uevent_ops dlm_uevent_ops = {
30614 +static const struct kset_uevent_ops dlm_uevent_ops = {
30615 .uevent = dlm_uevent,
30618 diff -urNp linux-2.6.37/fs/ecryptfs/inode.c linux-2.6.37/fs/ecryptfs/inode.c
30619 --- linux-2.6.37/fs/ecryptfs/inode.c 2011-01-04 19:50:19.000000000 -0500
30620 +++ linux-2.6.37/fs/ecryptfs/inode.c 2011-01-17 02:41:01.000000000 -0500
30621 @@ -745,7 +745,7 @@ static int ecryptfs_readlink_lower(struc
30624 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30625 - (char __user *)lower_buf,
30626 + (__force char __user *)lower_buf,
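Review bot: `__force` only silences sparse's address-space check on `lower_buf`; it does not make the call valid by itself. The `set_fs()` window that would make a kernel buffer acceptable to `->readlink()` is outside this hunk, so a comment at the cast, for example `/* kernel buffer: valid only while set_fs() has widened the address limit */`, would tie the two together the way the existing comment in `kernel_read()` does for its cast. The same cast is added in `ecryptfs_follow_link()` in the next hunk.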
30630 @@ -791,7 +791,7 @@ static void *ecryptfs_follow_link(struct
30634 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30635 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30639 @@ -806,7 +806,7 @@ out:
30641 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30643 - char *buf = nd_get_link(nd);
30644 + const char *buf = nd_get_link(nd);
30645 if (!IS_ERR(buf)) {
30646 /* Free the char* */
30648 diff -urNp linux-2.6.37/fs/ecryptfs/miscdev.c linux-2.6.37/fs/ecryptfs/miscdev.c
30649 --- linux-2.6.37/fs/ecryptfs/miscdev.c 2011-01-04 19:50:19.000000000 -0500
30650 +++ linux-2.6.37/fs/ecryptfs/miscdev.c 2011-01-17 02:41:01.000000000 -0500
30651 @@ -328,7 +328,7 @@ check_list:
30652 goto out_unlock_msg_ctx;
30654 if (msg_ctx->msg) {
30655 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
30656 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30657 goto out_unlock_msg_ctx;
30658 i += packet_length_size;
30659 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
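Review bot: The new bound `packet_length_size > sizeof(packet_length)` is folded into the same condition as the `copy_to_user()` failure, so an internal size inconsistency and a bad user pointer both leave through `out_unlock_msg_ctx` with whatever return code is already set; that value is assigned outside the hunk. Splitting it out as `if (packet_length_size > sizeof(packet_length)) goto out_unlock_msg_ctx;` with its own error code keeps the line within 80 columns and makes the guard against copying past the end of `packet_length` easy to find. The copy of `msg_ctx->msg` two lines below depends on `msg_ctx->msg_size` having been checked against the caller's buffer size earlier in the function, which is not visible here.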
30660 diff -urNp linux-2.6.37/fs/exec.c linux-2.6.37/fs/exec.c
30661 --- linux-2.6.37/fs/exec.c 2011-01-04 19:50:19.000000000 -0500
30662 +++ linux-2.6.37/fs/exec.c 2011-01-17 02:41:01.000000000 -0500
30663 @@ -55,12 +55,24 @@
30664 #include <linux/fs_struct.h>
30665 #include <linux/pipe_fs_i.h>
30666 #include <linux/oom.h>
30667 +#include <linux/random.h>
30668 +#include <linux/seq_file.h>
30670 +#ifdef CONFIG_PAX_REFCOUNT
30671 +#include <linux/kallsyms.h>
30672 +#include <linux/kdebug.h>
30675 #include <asm/uaccess.h>
30676 #include <asm/mmu_context.h>
30677 #include <asm/tlb.h>
30678 #include "internal.h"
30680 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30681 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30682 +EXPORT_SYMBOL(pax_set_initial_flags_func);
30686 char core_pattern[CORENAME_MAX_SIZE] = "core";
30687 unsigned int core_pipe_limit;
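Review bot: `pax_set_initial_flags_func` is added as a writable, module-exported function pointer with no comment on its contract. A block comment should state who is expected to set it, whether it may be NULL, and in which context the exec path calls it with `bprm`; the call site is not in this hunk. Because it is a global code pointer reachable from every exec, the comment should also say what ordering or locking protects assignment and clearing against a concurrent exec, for instance when the module that set it is unloaded.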
30688 @@ -120,7 +132,7 @@ SYSCALL_DEFINE1(uselib, const char __use
30691 file = do_filp_open(AT_FDCWD, tmp,
30692 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30693 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30694 MAY_READ | MAY_EXEC | MAY_OPEN);
30696 error = PTR_ERR(file);
30697 @@ -187,18 +199,10 @@ struct page *get_arg_page(struct linux_b
30703 -#ifdef CONFIG_STACK_GROWSUP
30705 - ret = expand_stack_downwards(bprm->vma, pos);
30710 - ret = get_user_pages(current, bprm->mm, pos,
30711 - 1, write, 1, &page, NULL);
30713 + if (0 > expand_stack_downwards(bprm->vma, pos))
30715 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
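Review bot: The constant-first comparisons `0 > expand_stack_downwards(...)` and `0 >= get_user_pages(...)` read against kernel style; `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `ret = get_user_pages(...); if (ret <= 0)` are the usual forms. The hunk also removes the `#ifdef CONFIG_STACK_GROWSUP` guard, so the expansion call now appears to run on every architecture, and nothing says why. A comment giving the reason for the unconditional call is needed at that line. get_arg_page() continues beyond the lines shown.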
30719 @@ -273,6 +277,11 @@ static int __bprm_mm_init(struct linux_b
30720 vma->vm_end = STACK_TOP_MAX;
30721 vma->vm_start = vma->vm_end - PAGE_SIZE;
30722 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
30724 +#ifdef CONFIG_PAX_SEGMEXEC
30725 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30728 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
30729 INIT_LIST_HEAD(&vma->anon_vma_chain);
30731 @@ -287,6 +296,12 @@ static int __bprm_mm_init(struct linux_b
30732 mm->stack_vm = mm->total_vm = 1;
30733 up_write(&mm->mmap_sem);
30734 bprm->p = vma->vm_end - sizeof(void *);
30736 +#ifdef CONFIG_PAX_RANDUSTACK
30737 + if (randomize_va_space)
30738 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30743 up_write(&mm->mmap_sem);
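Review bot: The randomisation line needs a comment, because the double mask is easy to misread. `(pax_get_random_long() & ~15) & ~PAGE_MASK` keeps only the in-page offset bits above the low four, so the XOR moves `bprm->p` in 16-byte steps inside the single page-sized vma set up earlier in the function and never outside it. Something like `/* randomise the sub-page offset of the initial stack pointer, 16-byte granularity */` would do. Writing the constant as `~15UL` would also stop the mask depending on `~15` being sign-extended from int.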
30744 @@ -522,7 +537,7 @@ int copy_strings_kernel(int argc, const
30746 mm_segment_t oldfs = get_fs();
30748 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
30749 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
30753 @@ -552,7 +567,8 @@ static int shift_arg_pages(struct vm_are
30754 unsigned long new_end = old_end - shift;
30755 struct mmu_gather *tlb;
30757 - BUG_ON(new_start > new_end);
30758 + if (new_start >= new_end || new_start < mmap_min_addr)
30762 * ensure there are no vmas between where we want to go
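Review bot: The replacement for `BUG_ON(new_start > new_end)` now also carries the `mmap_min_addr` bound that a later hunk removes from `setup_arg_pages()`, but the old guard there ran unconditionally while this one is only reached when `stack_shift` is non-zero. If a zero shift can never leave the stack vma below `mmap_min_addr`, say so in a comment; otherwise the bound needs to stay in the caller as well. The test also depends on `new_start` wrapping to a large value when `shift` exceeds the old start address, which deserves a word next to the condition. The statement executed when the condition holds is not visible in this listing.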
30763 @@ -561,6 +577,10 @@ static int shift_arg_pages(struct vm_are
30764 if (vma != find_vma(mm, new_start))
30767 +#ifdef CONFIG_PAX_SEGMEXEC
30768 + BUG_ON(pax_find_mirror_vma(vma));
30772 * cover the whole range: [new_start, old_end)
30774 @@ -641,10 +661,6 @@ int setup_arg_pages(struct linux_binprm
30775 stack_top = arch_align_stack(stack_top);
30776 stack_top = PAGE_ALIGN(stack_top);
30778 - if (unlikely(stack_top < mmap_min_addr) ||
30779 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
30782 stack_shift = vma->vm_end - stack_top;
30784 bprm->p -= stack_shift;
30785 @@ -656,8 +672,28 @@ int setup_arg_pages(struct linux_binprm
30786 bprm->exec -= stack_shift;
30788 down_write(&mm->mmap_sem);
30790 + /* Move stack pages down in memory. */
30791 + if (stack_shift) {
30792 + ret = shift_arg_pages(vma, stack_shift);
30797 vm_flags = VM_STACK_FLAGS;
30799 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30800 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30801 + vm_flags &= ~VM_EXEC;
30803 +#ifdef CONFIG_PAX_MPROTECT
30804 + if (mm->pax_flags & MF_PAX_MPROTECT)
30805 + vm_flags &= ~VM_MAYEXEC;
30812 * Adjust stack execute permissions; explicitly enable for
30813 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
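Review bot: Clearing `VM_EXEC` and `VM_MAYEXEC` here happens before the existing block that the trailing comment describes as explicitly enabling execute permission for `EXSTACK_ENABLE_X`. That block is outside the hunk, so confirm that a binary requesting an executable stack cannot have `VM_EXEC` put back after this mask when `MF_PAX_PAGEEXEC` or `MF_PAX_SEGMEXEC` is set. The hunk also moves the `shift_arg_pages()` call ahead of the permission fixup without a comment explaining the reordering.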
30814 @@ -676,13 +712,6 @@ int setup_arg_pages(struct linux_binprm
30816 BUG_ON(prev != vma);
30818 - /* Move stack pages down in memory. */
30819 - if (stack_shift) {
30820 - ret = shift_arg_pages(vma, stack_shift);
30825 /* mprotect_fixup is overkill to remove the temporary stack flags */
30826 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
30828 @@ -723,7 +752,7 @@ struct file *open_exec(const char *name)
30831 file = do_filp_open(AT_FDCWD, name,
30832 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30833 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30834 MAY_EXEC | MAY_OPEN);
30837 @@ -760,7 +789,7 @@ int kernel_read(struct file *file, loff_
30840 /* The cast to a user pointer is valid due to the set_fs() */
30841 - result = vfs_read(file, (void __user *)addr, count, &pos);
30842 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
30846 @@ -1182,7 +1211,7 @@ int check_unsafe_exec(struct linux_binpr
30850 - if (p->fs->users > n_fs) {
30851 + if (atomic_read(&p->fs->users) > n_fs) {
30852 bprm->unsafe |= LSM_UNSAFE_SHARE;
30855 @@ -1378,6 +1407,11 @@ int do_execve(const char * filename,
30856 const char __user *const __user *envp,
30857 struct pt_regs * regs)
30859 +#ifdef CONFIG_GRKERNSEC
30860 + struct file *old_exec_file;
30861 + struct acl_subject_label *old_acl;
30862 + struct rlimit old_rlim[RLIM_NLIMITS];
30864 struct linux_binprm *bprm;
30866 struct files_struct *displaced;
30867 @@ -1414,6 +1448,18 @@ int do_execve(const char * filename,
30868 bprm->filename = filename;
30869 bprm->interp = filename;
30871 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30873 + if (gr_handle_nproc()) {
30874 + retval = -EAGAIN;
30878 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
30879 + retval = -EACCES;
30883 retval = bprm_mm_init(bprm);
30886 @@ -1443,9 +1489,40 @@ int do_execve(const char * filename,
30890 + if (!gr_tpe_allow(file)) {
30891 + retval = -EACCES;
30895 + if (gr_check_crash_exec(file)) {
30896 + retval = -EACCES;
30900 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30902 + gr_handle_exec_args(bprm, argv);
30904 +#ifdef CONFIG_GRKERNSEC
30905 + old_acl = current->acl;
30906 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30907 + old_exec_file = current->exec_file;
30909 + current->exec_file = file;
30912 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30913 + bprm->unsafe & LSM_UNSAFE_SHARE);
30917 retval = search_binary_handler(bprm,regs);
30921 +#ifdef CONFIG_GRKERNSEC
30922 + if (old_exec_file)
30923 + fput(old_exec_file);
30926 /* execve succeeded */
30927 current->fs->in_exec = 0;
30928 @@ -1456,6 +1533,14 @@ int do_execve(const char * filename,
30929 put_files_struct(displaced);
30933 +#ifdef CONFIG_GRKERNSEC
30934 + current->acl = old_acl;
30935 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30936 + fput(current->exec_file);
30937 + current->exec_file = old_exec_file;
30942 acct_arg_size(bprm, 0);
30943 @@ -1642,6 +1727,217 @@ out:
30947 +int pax_check_flags(unsigned long *flags)
30951 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
30952 + if (*flags & MF_PAX_SEGMEXEC)
30954 + *flags &= ~MF_PAX_SEGMEXEC;
30955 + retval = -EINVAL;
30959 + if ((*flags & MF_PAX_PAGEEXEC)
30961 +#ifdef CONFIG_PAX_PAGEEXEC
30962 + && (*flags & MF_PAX_SEGMEXEC)
30967 + *flags &= ~MF_PAX_PAGEEXEC;
30968 + retval = -EINVAL;
30971 + if ((*flags & MF_PAX_MPROTECT)
30973 +#ifdef CONFIG_PAX_MPROTECT
30974 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30979 + *flags &= ~MF_PAX_MPROTECT;
30980 + retval = -EINVAL;
30983 + if ((*flags & MF_PAX_EMUTRAMP)
30985 +#ifdef CONFIG_PAX_EMUTRAMP
30986 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30991 + *flags &= ~MF_PAX_EMUTRAMP;
30992 + retval = -EINVAL;
30998 +EXPORT_SYMBOL(pax_check_flags);
31000 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
31001 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
31003 + struct task_struct *tsk = current;
31004 + struct mm_struct *mm = current->mm;
31005 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
31006 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
31007 + char *path_exec = NULL;
31008 + char *path_fault = NULL;
31009 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
31011 + if (buffer_exec && buffer_fault) {
31012 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
31014 + down_read(&mm->mmap_sem);
31016 + while (vma && (!vma_exec || !vma_fault)) {
31017 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
31019 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
31021 + vma = vma->vm_next;
31024 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
31025 + if (IS_ERR(path_exec))
31026 + path_exec = "<path too long>";
31028 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
31031 + path_exec = buffer_exec;
31033 + path_exec = "<path too long>";
31037 + start = vma_fault->vm_start;
31038 + end = vma_fault->vm_end;
31039 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
31040 + if (vma_fault->vm_file) {
31041 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
31042 + if (IS_ERR(path_fault))
31043 + path_fault = "<path too long>";
31045 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
31046 + if (path_fault) {
31048 + path_fault = buffer_fault;
31050 + path_fault = "<path too long>";
31053 + path_fault = "<anonymous mapping>";
31055 + up_read(&mm->mmap_sem);
31057 + if (tsk->signal->curr_ip)
31058 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
31060 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
31061 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
31062 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
31063 + task_uid(tsk), task_euid(tsk), pc, sp);
31064 + free_page((unsigned long)buffer_exec);
31065 + free_page((unsigned long)buffer_fault);
31066 + pax_report_insns(pc, sp);
31067 + do_coredump(SIGKILL, SIGKILL, regs);
31071 +#ifdef CONFIG_PAX_REFCOUNT
31072 +void pax_report_refcount_overflow(struct pt_regs *regs)
31074 + if (current->signal->curr_ip)
31075 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31076 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
31078 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31079 + current->comm, task_pid_nr(current), current_uid(), current_euid());
31080 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
31082 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
31086 +#ifdef CONFIG_PAX_USERCOPY
31087 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
31088 +int object_is_on_stack(const void *obj, unsigned long len)
31090 + const void * const stack = task_stack_page(current);
31091 + const void * const stackend = stack + THREAD_SIZE;
31093 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31094 + const void *frame = NULL;
31095 + const void *oldframe;
31098 + if (obj + len < obj)
31101 + if (obj + len <= stack || stackend <= obj)
31104 + if (obj < stack || stackend < obj + len)
31107 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31108 + oldframe = __builtin_frame_address(1);
31110 + frame = __builtin_frame_address(2);
31112 + low ----------------------------------------------> high
31113 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
31114 + ^----------------^
31115 + allow copies only within here
31117 + while (stack <= frame && frame < stackend) {
31118 + /* if obj + len extends past the last frame, this
31119 + check won't pass and the next frame will be 0,
31120 + causing us to bail out and correctly report
31121 + the copy as invalid
31123 + if (obj + len <= frame)
31124 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
31125 + oldframe = frame;
31126 + frame = *(const void * const *)frame;
31135 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
31137 + if (current->signal->curr_ip)
31138 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
31139 + ¤t->signal->curr_ip, ptr, len);
31141 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
31143 + do_group_exit(SIGKILL);
31146 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
31148 + if (current->signal->curr_ip)
31149 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
31150 + ¤t->signal->curr_ip, ptr, len);
31152 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
31154 + do_group_exit(SIGKILL);
31158 static int zap_process(struct task_struct *start, int exit_code)
31160 struct task_struct *t;
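Review bot: `pax_report_fault()` escapes both paths with `mangle_path(..., "\t\n\\")` but prints `tsk->comm` raw in the same report, and `pax_report_refcount_overflow()` does the same with `current->comm`. The task name is set by the process itself, so a newline in it can split the record and forge a following log line in the very message an operator relies on after a blocked execution attempt. Escaping or filtering `comm` before printing would close that. Separately, `object_is_on_stack()` detects wraparound with `obj + len < obj` on `const void *`, which depends on the compiler not assuming pointer overflow is impossible; doing the arithmetic on `unsigned long` removes that dependence.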
31161 @@ -1852,17 +2148,17 @@ static void wait_for_dump_helpers(struct
31162 pipe = file->f_path.dentry->d_inode->i_pipe;
31167 + atomic_inc(&pipe->readers);
31168 + atomic_dec(&pipe->writers);
31170 - while ((pipe->readers > 1) && (!signal_pending(current))) {
31171 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
31172 wake_up_interruptible_sync(&pipe->wait);
31173 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
31179 + atomic_dec(&pipe->readers);
31180 + atomic_inc(&pipe->writers);
31184 @@ -1978,6 +2274,10 @@ void do_coredump(long signr, int exit_co
31185 goto fail_corename;
31188 + if (signr == SIGKILL || signr == SIGILL)
31189 + gr_handle_brute_attach(current);
31190 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
31194 char **helper_argv;
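Review bot: The signal filter `signr == SIGKILL || signr == SIGILL` has no comment, and SIGKILL is not a signal that normally reaches the coredump path. Within this patch `pax_report_fault()` calls `do_coredump(SIGKILL, SIGKILL, regs)`, so the test presumably means "terminated by PaX, or illegal instruction"; a comment such as `/* SIGKILL here comes from pax_report_fault() */` would make that link explicit. The comment should also say why other crash signals are left out of the brute-force accounting, since `gr_handle_brute_attach()` is defined elsewhere and its policy cannot be read from this hunk.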
31195 diff -urNp linux-2.6.37/fs/ext2/balloc.c linux-2.6.37/fs/ext2/balloc.c
31196 --- linux-2.6.37/fs/ext2/balloc.c 2011-01-04 19:50:19.000000000 -0500
31197 +++ linux-2.6.37/fs/ext2/balloc.c 2011-01-17 02:41:01.000000000 -0500
31198 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
31200 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31201 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31202 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31203 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31204 sbi->s_resuid != current_fsuid() &&
31205 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31207 diff -urNp linux-2.6.37/fs/ext2/xattr.c linux-2.6.37/fs/ext2/xattr.c
31208 --- linux-2.6.37/fs/ext2/xattr.c 2011-01-04 19:50:19.000000000 -0500
31209 +++ linux-2.6.37/fs/ext2/xattr.c 2011-01-17 02:41:01.000000000 -0500
31214 -# define ea_idebug(f...)
31215 -# define ea_bdebug(f...)
31216 +# define ea_idebug(inode, f...) do {} while (0)
31217 +# define ea_bdebug(bh, f...) do {} while (0)
31220 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
31221 diff -urNp linux-2.6.37/fs/ext3/balloc.c linux-2.6.37/fs/ext3/balloc.c
31222 --- linux-2.6.37/fs/ext3/balloc.c 2011-01-04 19:50:19.000000000 -0500
31223 +++ linux-2.6.37/fs/ext3/balloc.c 2011-01-17 02:41:01.000000000 -0500
31224 @@ -1425,7 +1425,7 @@ static int ext3_has_free_blocks(struct e
31226 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31227 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31228 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31229 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31230 sbi->s_resuid != current_fsuid() &&
31231 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31233 diff -urNp linux-2.6.37/fs/ext3/namei.c linux-2.6.37/fs/ext3/namei.c
31234 --- linux-2.6.37/fs/ext3/namei.c 2011-01-04 19:50:19.000000000 -0500
31235 +++ linux-2.6.37/fs/ext3/namei.c 2011-01-17 02:41:01.000000000 -0500
31236 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
31237 char *data1 = (*bh)->b_data, *data2;
31238 unsigned split, move, size;
31239 struct ext3_dir_entry_2 *de = NULL, *de2;
31243 bh2 = ext3_append (handle, dir, &newblock, &err);
31245 diff -urNp linux-2.6.37/fs/ext3/xattr.c linux-2.6.37/fs/ext3/xattr.c
31246 --- linux-2.6.37/fs/ext3/xattr.c 2011-01-04 19:50:19.000000000 -0500
31247 +++ linux-2.6.37/fs/ext3/xattr.c 2011-01-17 02:41:01.000000000 -0500
31252 -# define ea_idebug(f...)
31253 -# define ea_bdebug(f...)
31254 +# define ea_idebug(f...) do {} while (0)
31255 +# define ea_bdebug(f...) do {} while (0)
31258 static void ext3_xattr_cache_insert(struct buffer_head *);
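Review bot: The ext3 stubs keep the variadic-only form `ea_idebug(f...)`, while the ext2 and ext4 versions in this patch are changed to `ea_idebug(inode, f...)` and `ea_bdebug(bh, f...)`. All three now expand to `do {} while (0)`, so behaviour is the same, but the three copies should share one signature: `# define ea_idebug(inode, f...) do {} while (0)` and `# define ea_bdebug(bh, f...) do {} while (0)` here as well.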
31259 diff -urNp linux-2.6.37/fs/ext4/balloc.c linux-2.6.37/fs/ext4/balloc.c
31260 --- linux-2.6.37/fs/ext4/balloc.c 2011-01-04 19:50:19.000000000 -0500
31261 +++ linux-2.6.37/fs/ext4/balloc.c 2011-01-17 02:41:01.000000000 -0500
31262 @@ -519,7 +519,7 @@ static int ext4_has_free_blocks(struct e
31263 /* Hm, nope. Are (enough) root reserved blocks available? */
31264 if (sbi->s_resuid == current_fsuid() ||
31265 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
31266 - capable(CAP_SYS_RESOURCE)) {
31267 + capable_nolog(CAP_SYS_RESOURCE)) {
31268 if (free_blocks >= (nblocks + dirty_blocks))
31271 diff -urNp linux-2.6.37/fs/ext4/ext4.h linux-2.6.37/fs/ext4/ext4.h
31272 --- linux-2.6.37/fs/ext4/ext4.h 2011-01-04 19:50:19.000000000 -0500
31273 +++ linux-2.6.37/fs/ext4/ext4.h 2011-01-17 02:41:01.000000000 -0500
31274 @@ -1164,19 +1164,19 @@ struct ext4_sb_info {
31275 unsigned long s_mb_last_start;
31277 /* stats for buddy allocator */
31278 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
31279 - atomic_t s_bal_success; /* we found long enough chunks */
31280 - atomic_t s_bal_allocated; /* in blocks */
31281 - atomic_t s_bal_ex_scanned; /* total extents scanned */
31282 - atomic_t s_bal_goals; /* goal hits */
31283 - atomic_t s_bal_breaks; /* too long searches */
31284 - atomic_t s_bal_2orders; /* 2^order hits */
31285 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
31286 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
31287 + atomic_unchecked_t s_bal_allocated; /* in blocks */
31288 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
31289 + atomic_unchecked_t s_bal_goals; /* goal hits */
31290 + atomic_unchecked_t s_bal_breaks; /* too long searches */
31291 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
31292 spinlock_t s_bal_lock;
31293 unsigned long s_mb_buddies_generated;
31294 unsigned long long s_mb_generation_time;
31295 - atomic_t s_mb_lost_chunks;
31296 - atomic_t s_mb_preallocated;
31297 - atomic_t s_mb_discarded;
31298 + atomic_unchecked_t s_mb_lost_chunks;
31299 + atomic_unchecked_t s_mb_preallocated;
31300 + atomic_unchecked_t s_mb_discarded;
31301 atomic_t s_lock_busy;
31303 /* locality groups */
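Review bot: The switch to `atomic_unchecked_t` needs a comment in the struct, since nothing here says why these fields may wrap while `s_lock_busy` right below stays `atomic_t`. Judging by the existing `/* stats for buddy allocator */` comment and the `printk` uses in mballoc.c, these look like pure statistics, so something like `/* statistics only: wrapping is harmless, exempt from refcount overflow checking */` above the group would document the rule. Every accessor has to use the `_unchecked` variants to match, which the mballoc.c hunks that follow do for the call sites shown.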
31304 diff -urNp linux-2.6.37/fs/ext4/mballoc.c linux-2.6.37/fs/ext4/mballoc.c
31305 --- linux-2.6.37/fs/ext4/mballoc.c 2011-01-04 19:50:19.000000000 -0500
31306 +++ linux-2.6.37/fs/ext4/mballoc.c 2011-01-17 02:41:01.000000000 -0500
31307 @@ -1841,7 +1841,7 @@ void ext4_mb_simple_scan_group(struct ex
31308 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
31310 if (EXT4_SB(sb)->s_mb_stats)
31311 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
31312 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
31316 @@ -2135,7 +2135,7 @@ repeat:
31317 ac->ac_status = AC_STATUS_CONTINUE;
31318 ac->ac_flags |= EXT4_MB_HINT_FIRST;
31320 - atomic_inc(&sbi->s_mb_lost_chunks);
31321 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
31325 @@ -2577,25 +2577,25 @@ int ext4_mb_release(struct super_block *
31326 if (sbi->s_mb_stats) {
31328 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
31329 - atomic_read(&sbi->s_bal_allocated),
31330 - atomic_read(&sbi->s_bal_reqs),
31331 - atomic_read(&sbi->s_bal_success));
31332 + atomic_read_unchecked(&sbi->s_bal_allocated),
31333 + atomic_read_unchecked(&sbi->s_bal_reqs),
31334 + atomic_read_unchecked(&sbi->s_bal_success));
31336 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
31337 "%u 2^N hits, %u breaks, %u lost\n",
31338 - atomic_read(&sbi->s_bal_ex_scanned),
31339 - atomic_read(&sbi->s_bal_goals),
31340 - atomic_read(&sbi->s_bal_2orders),
31341 - atomic_read(&sbi->s_bal_breaks),
31342 - atomic_read(&sbi->s_mb_lost_chunks));
31343 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
31344 + atomic_read_unchecked(&sbi->s_bal_goals),
31345 + atomic_read_unchecked(&sbi->s_bal_2orders),
31346 + atomic_read_unchecked(&sbi->s_bal_breaks),
31347 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
31349 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
31350 sbi->s_mb_buddies_generated++,
31351 sbi->s_mb_generation_time);
31353 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
31354 - atomic_read(&sbi->s_mb_preallocated),
31355 - atomic_read(&sbi->s_mb_discarded));
31356 + atomic_read_unchecked(&sbi->s_mb_preallocated),
31357 + atomic_read_unchecked(&sbi->s_mb_discarded));
31360 free_percpu(sbi->s_locality_groups);
31361 @@ -3080,16 +3080,16 @@ static void ext4_mb_collect_stats(struct
31362 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
31364 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
31365 - atomic_inc(&sbi->s_bal_reqs);
31366 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
31367 + atomic_inc_unchecked(&sbi->s_bal_reqs);
31368 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
31369 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
31370 - atomic_inc(&sbi->s_bal_success);
31371 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
31372 + atomic_inc_unchecked(&sbi->s_bal_success);
31373 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
31374 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
31375 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
31376 - atomic_inc(&sbi->s_bal_goals);
31377 + atomic_inc_unchecked(&sbi->s_bal_goals);
31378 if (ac->ac_found > sbi->s_mb_max_to_scan)
31379 - atomic_inc(&sbi->s_bal_breaks);
31380 + atomic_inc_unchecked(&sbi->s_bal_breaks);
31383 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
31384 @@ -3487,7 +3487,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
31385 trace_ext4_mb_new_inode_pa(ac, pa);
31387 ext4_mb_use_inode_pa(ac, pa);
31388 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31389 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31391 ei = EXT4_I(ac->ac_inode);
31392 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
31393 @@ -3547,7 +3547,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
31394 trace_ext4_mb_new_group_pa(ac, pa);
31396 ext4_mb_use_group_pa(ac, pa);
31397 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31398 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31400 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
31402 @@ -3634,7 +3634,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
31403 * from the bitmap and continue.
31406 - atomic_add(free, &sbi->s_mb_discarded);
31407 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
31411 @@ -3652,7 +3652,7 @@ ext4_mb_release_group_pa(struct ext4_bud
31412 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
31413 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
31414 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
31415 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
31416 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
31417 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
31420 diff -urNp linux-2.6.37/fs/ext4/namei.c linux-2.6.37/fs/ext4/namei.c
31421 --- linux-2.6.37/fs/ext4/namei.c 2011-01-04 19:50:19.000000000 -0500
31422 +++ linux-2.6.37/fs/ext4/namei.c 2011-01-17 02:41:01.000000000 -0500
31423 @@ -1161,7 +1161,7 @@ static struct ext4_dir_entry_2 *do_split
31424 char *data1 = (*bh)->b_data, *data2;
31425 unsigned split, move, size;
31426 struct ext4_dir_entry_2 *de = NULL, *de2;
31430 bh2 = ext4_append (handle, dir, &newblock, &err);
31432 diff -urNp linux-2.6.37/fs/ext4/xattr.c linux-2.6.37/fs/ext4/xattr.c
31433 --- linux-2.6.37/fs/ext4/xattr.c 2011-01-04 19:50:19.000000000 -0500
31434 +++ linux-2.6.37/fs/ext4/xattr.c 2011-01-17 02:41:01.000000000 -0500
31439 -# define ea_idebug(f...)
31440 -# define ea_bdebug(f...)
31441 +# define ea_idebug(inode, f...) do {} while (0)
31442 +# define ea_bdebug(bh, f...) do {} while (0)
31445 static void ext4_xattr_cache_insert(struct buffer_head *);
31446 diff -urNp linux-2.6.37/fs/fcntl.c linux-2.6.37/fs/fcntl.c
31447 --- linux-2.6.37/fs/fcntl.c 2011-01-04 19:50:19.000000000 -0500
31448 +++ linux-2.6.37/fs/fcntl.c 2011-01-17 02:53:49.000000000 -0500
31449 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
31453 + if (gr_handle_chroot_fowner(pid, type))
31455 + if (gr_check_protected_task_fowner(pid, type))
31458 f_modown(filp, pid, type, force);
31461 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
31464 case F_DUPFD_CLOEXEC:
31465 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
31466 if (arg >= rlimit(RLIMIT_NOFILE))
31468 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
31469 @@ -808,14 +814,14 @@ static int __init fcntl_init(void)
31470 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
31471 * is defined as O_NONBLOCK on some platforms and not on others.
31473 - BUILD_BUG_ON(18 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
31474 + BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
31475 O_RDONLY | O_WRONLY | O_RDWR |
31476 O_CREAT | O_EXCL | O_NOCTTY |
31477 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
31478 __O_SYNC | O_DSYNC | FASYNC |
31479 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
31480 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
31482 + FMODE_EXEC | FMODE_GREXEC
31485 fasync_cache = kmem_cache_create("fasync_cache",
31486 diff -urNp linux-2.6.37/fs/fifo.c linux-2.6.37/fs/fifo.c
31487 --- linux-2.6.37/fs/fifo.c 2011-01-04 19:50:19.000000000 -0500
31488 +++ linux-2.6.37/fs/fifo.c 2011-01-17 02:41:01.000000000 -0500
31489 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
31491 filp->f_op = &read_pipefifo_fops;
31493 - if (pipe->readers++ == 0)
31494 + if (atomic_inc_return(&pipe->readers) == 1)
31495 wake_up_partner(inode);
31497 - if (!pipe->writers) {
31498 + if (!atomic_read(&pipe->writers)) {
31499 if ((filp->f_flags & O_NONBLOCK)) {
31500 /* suppress POLLHUP until we have
31502 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
31503 * errno=ENXIO when there is no process reading the FIFO.
31506 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
31507 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
31510 filp->f_op = &write_pipefifo_fops;
31512 - if (!pipe->writers++)
31513 + if (atomic_inc_return(&pipe->writers) == 1)
31514 wake_up_partner(inode);
31516 - if (!pipe->readers) {
31517 + if (!atomic_read(&pipe->readers)) {
31518 wait_for_partner(inode, &pipe->r_counter);
31519 if (signal_pending(current))
31521 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
31523 filp->f_op = &rdwr_pipefifo_fops;
31527 + atomic_inc(&pipe->readers);
31528 + atomic_inc(&pipe->writers);
31531 - if (pipe->readers == 1 || pipe->writers == 1)
31532 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
31533 wake_up_partner(inode);
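Review bot: The read-write branch increments both counters with `atomic_inc()` and then re-reads them with `atomic_read()`, while the read-only and write-only branches above use the value returned by `atomic_inc_return()`. Using the returned values here too keeps the three branches consistent and does not depend on nothing else touching the counters between the increment and the read: `r = atomic_inc_return(&pipe->readers); w = atomic_inc_return(&pipe->writers);` followed by `if (r == 1 || w == 1)`. fifo_open() starts and ends outside the hunk, so whatever lock serialises these lines is not visible here. A one-line comment saying why the counters became atomic_t would help the next reader.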
31536 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
31540 - if (!--pipe->readers)
31541 + if (atomic_dec_and_test(&pipe->readers))
31542 wake_up_interruptible(&pipe->wait);
31543 ret = -ERESTARTSYS;
31547 - if (!--pipe->writers)
31548 + if (atomic_dec_and_test(&pipe->writers))
31549 wake_up_interruptible(&pipe->wait);
31550 ret = -ERESTARTSYS;
31554 - if (!pipe->readers && !pipe->writers)
31555 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
31556 free_pipe_info(inode);
31559 diff -urNp linux-2.6.37/fs/file.c linux-2.6.37/fs/file.c
31560 --- linux-2.6.37/fs/file.c 2011-01-04 19:50:19.000000000 -0500
31561 +++ linux-2.6.37/fs/file.c 2011-01-17 02:41:01.000000000 -0500
31563 #include <linux/slab.h>
31564 #include <linux/vmalloc.h>
31565 #include <linux/file.h>
31566 +#include <linux/security.h>
31567 #include <linux/fdtable.h>
31568 #include <linux/bitops.h>
31569 #include <linux/interrupt.h>
31570 @@ -250,6 +251,7 @@ int expand_files(struct files_struct *fi
31571 * N.B. For clone tasks sharing a files structure, this test
31572 * will limit the total number of files that can be opened.
31574 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
31575 if (nr >= rlimit(RLIMIT_NOFILE))
31578 diff -urNp linux-2.6.37/fs/fs_struct.c linux-2.6.37/fs/fs_struct.c
31579 --- linux-2.6.37/fs/fs_struct.c 2011-01-04 19:50:19.000000000 -0500
31580 +++ linux-2.6.37/fs/fs_struct.c 2011-01-17 02:41:01.000000000 -0500
31582 #include <linux/slab.h>
31583 #include <linux/fs_struct.h>
31584 #include <linux/vserver/global.h>
31585 +#include <linux/grsecurity.h>
31588 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
31589 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
31590 old_root = fs->root;
31593 + gr_set_chroot_entries(current, path);
31594 spin_unlock(&fs->lock);
31595 if (old_root.dentry)
31596 path_put(&old_root);
31597 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
31598 && fs->root.mnt == old_root->mnt) {
31599 path_get(new_root);
31600 fs->root = *new_root;
31601 + gr_set_chroot_entries(p, new_root);
31604 if (fs->pwd.dentry == old_root->dentry
31605 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
31607 spin_lock(&fs->lock);
31609 - kill = !--fs->users;
31610 + gr_clear_chroot_entries(tsk);
31611 + kill = !atomic_dec_return(&fs->users);
31612 spin_unlock(&fs->lock);
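Review bot: `kill = !atomic_dec_return(&fs->users);` spells out by hand what `atomic_dec_and_test()` does, and the fifo.c part of this same patch already uses `atomic_dec_and_test(&pipe->readers)` for the same "dropped to zero" test. Writing `kill = atomic_dec_and_test(&fs->users);` here, and in the unshare_fs_struct() and daemonize_fs_struct() hunks that repeat the line, keeps the patch consistent. The new `gr_clear_chroot_entries(tsk);` call sits inside the `fs->lock` section with no comment on whether it needs that lock, so a short comment stating the requirement would help.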
31615 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
31616 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
31617 /* We don't need to lock fs - think why ;-) */
31620 + atomic_set(&fs->users, 1);
31622 spin_lock_init(&fs->lock);
31623 fs->umask = old->umask;
31624 @@ -122,8 +126,9 @@ int unshare_fs_struct(void)
31626 task_lock(current);
31627 spin_lock(&fs->lock);
31628 - kill = !--fs->users;
31629 + kill = !atomic_dec_return(&fs->users);
31630 current->fs = new_fs;
31631 + gr_set_chroot_entries(current, &new_fs->root);
31632 spin_unlock(&fs->lock);
31633 task_unlock(current);
31635 @@ -142,7 +147,7 @@ EXPORT_SYMBOL(current_umask);
31637 /* to be mentioned only in INIT_TASK */
31638 struct fs_struct init_fs = {
31640 + .users = ATOMIC_INIT(1),
31641 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
31644 @@ -157,12 +162,13 @@ void daemonize_fs_struct(void)
31645 task_lock(current);
31647 spin_lock(&init_fs.lock);
31649 + atomic_inc(&init_fs.users);
31650 spin_unlock(&init_fs.lock);
31652 spin_lock(&fs->lock);
31653 current->fs = &init_fs;
31654 - kill = !--fs->users;
31655 + gr_set_chroot_entries(current, ¤t->fs->root);
31656 + kill = !atomic_dec_return(&fs->users);
31657 spin_unlock(&fs->lock);
31659 task_unlock(current);
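Review bot: `gr_set_chroot_entries()` is called after `current->fs = &init_fs;`, so the path it receives is init_fs.root, yet the lock held at that point is the old `fs->lock`; `init_fs.lock` was released a few lines earlier. If the hook reads the path it is handed, it does so without the lock that guards init_fs.root. Placing the call as `gr_set_chroot_entries(current, &init_fs.root);` inside the `spin_lock(&init_fs.lock)` section, next to `atomic_inc(&init_fs.users);`, would cover it, assuming the hook needs only the task and the path (its body is not on this page). The argument is printed here as `¤t->fs->root`, which looks like a mis-decoded `&current->fs->root`.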
31660 diff -urNp linux-2.6.37/fs/fuse/control.c linux-2.6.37/fs/fuse/control.c
31661 --- linux-2.6.37/fs/fuse/control.c 2011-01-04 19:50:19.000000000 -0500
31662 +++ linux-2.6.37/fs/fuse/control.c 2011-01-17 02:41:01.000000000 -0500
31663 @@ -298,7 +298,7 @@ void fuse_ctl_remove_conn(struct fuse_co
31665 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31667 - struct tree_descr empty_descr = {""};
31668 + struct tree_descr empty_descr = {"", NULL, 0};
31669 struct fuse_conn *fc;
31672 diff -urNp linux-2.6.37/fs/fuse/cuse.c linux-2.6.37/fs/fuse/cuse.c
31673 --- linux-2.6.37/fs/fuse/cuse.c 2011-01-04 19:50:19.000000000 -0500
31674 +++ linux-2.6.37/fs/fuse/cuse.c 2011-01-17 02:41:01.000000000 -0500
31675 @@ -530,8 +530,18 @@ static int cuse_channel_release(struct i
31679 -static struct file_operations cuse_channel_fops; /* initialized during init */
31681 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
31682 + .owner = THIS_MODULE,
31683 + .llseek = no_llseek,
31684 + .read = do_sync_read,
31685 + .aio_read = fuse_dev_read,
31686 + .write = do_sync_write,
31687 + .aio_write = fuse_dev_write,
31688 + .poll = fuse_dev_poll,
31689 + .open = cuse_channel_open,
31690 + .release = cuse_channel_release,
31691 + .fasync = fuse_dev_fasync,
31694 /**************************************************************************
31695 * Misc stuff and module initializatiion
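Review bot: The static initializer of `cuse_channel_fops` lists its handlers by hand, so it no longer follows `fuse_dev_operations` the way the removed `cuse_channel_fops = fuse_dev_operations;` copy in cuse_init() did. Any handler that fuse_dev_operations sets but this list omits is dropped for CUSE. dev.c on this page defines fuse_dev_splice_read() and fuse_dev_splice_write(), and only the first two fields of fuse_dev_operations are visible, so check whether those two are among the omitted ones. The trailing `/* initialized during init */` is now wrong for a const object; `/* mirrors fuse_dev_operations with CUSE open/release; keep in sync */` would state the new contract. Keeping the table const is the valuable part of the change, since its function pointers can then live in read-only memory.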
31696 @@ -577,12 +587,6 @@ static int __init cuse_init(void)
31697 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
31698 INIT_LIST_HEAD(&cuse_conntbl[i]);
31700 - /* inherit and extend fuse_dev_operations */
31701 - cuse_channel_fops = fuse_dev_operations;
31702 - cuse_channel_fops.owner = THIS_MODULE;
31703 - cuse_channel_fops.open = cuse_channel_open;
31704 - cuse_channel_fops.release = cuse_channel_release;
31706 cuse_class = class_create(THIS_MODULE, "cuse");
31707 if (IS_ERR(cuse_class))
31708 return PTR_ERR(cuse_class);
31709 diff -urNp linux-2.6.37/fs/fuse/dev.c linux-2.6.37/fs/fuse/dev.c
31710 --- linux-2.6.37/fs/fuse/dev.c 2011-01-04 19:50:19.000000000 -0500
31711 +++ linux-2.6.37/fs/fuse/dev.c 2011-01-17 02:41:01.000000000 -0500
31712 @@ -1047,7 +1047,7 @@ static ssize_t fuse_dev_do_read(struct f
31716 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31717 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31718 unsigned long nr_segs, loff_t pos)
31720 struct fuse_copy_state cs;
31721 @@ -1061,6 +1061,8 @@ static ssize_t fuse_dev_read(struct kioc
31722 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
31725 +EXPORT_SYMBOL_GPL(fuse_dev_read);
31727 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
31728 struct pipe_buffer *buf)
31730 @@ -1104,7 +1106,7 @@ static ssize_t fuse_dev_splice_read(stru
31734 - if (!pipe->readers) {
31735 + if (!atomic_read(&pipe->readers)) {
31736 send_sig(SIGPIPE, current, 0);
31739 @@ -1597,7 +1599,7 @@ static ssize_t fuse_dev_do_write(struct
31743 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31744 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31745 unsigned long nr_segs, loff_t pos)
31747 struct fuse_copy_state cs;
31748 @@ -1610,6 +1612,8 @@ static ssize_t fuse_dev_write(struct kio
31749 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
31752 +EXPORT_SYMBOL_GPL(fuse_dev_write);
31754 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
31755 struct file *out, loff_t *ppos,
31756 size_t len, unsigned int flags)
31757 @@ -1688,7 +1692,7 @@ out:
31761 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31762 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31764 unsigned mask = POLLOUT | POLLWRNORM;
31765 struct fuse_conn *fc = fuse_get_conn(file);
31766 @@ -1707,6 +1711,8 @@ static unsigned fuse_dev_poll(struct fil
31770 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
31773 * Abort all requests on the given list (pending or processing)
31775 @@ -1824,7 +1830,7 @@ int fuse_dev_release(struct inode *inode
31777 EXPORT_SYMBOL_GPL(fuse_dev_release);
31779 -static int fuse_dev_fasync(int fd, struct file *file, int on)
31780 +int fuse_dev_fasync(int fd, struct file *file, int on)
31782 struct fuse_conn *fc = fuse_get_conn(file);
31784 @@ -1834,6 +1840,8 @@ static int fuse_dev_fasync(int fd, struc
31785 return fasync_helper(fd, file, on, &fc->fasync);
31788 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31790 const struct file_operations fuse_dev_operations = {
31791 .owner = THIS_MODULE,
31792 .llseek = no_llseek,
31793 diff -urNp linux-2.6.37/fs/fuse/dir.c linux-2.6.37/fs/fuse/dir.c
31794 --- linux-2.6.37/fs/fuse/dir.c 2011-01-04 19:50:19.000000000 -0500
31795 +++ linux-2.6.37/fs/fuse/dir.c 2011-01-17 02:41:01.000000000 -0500
31796 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
31800 -static void free_link(char *link)
31801 +static void free_link(const char *link)
31804 free_page((unsigned long) link);
31805 diff -urNp linux-2.6.37/fs/fuse/fuse_i.h linux-2.6.37/fs/fuse/fuse_i.h
31806 --- linux-2.6.37/fs/fuse/fuse_i.h 2011-01-04 19:50:19.000000000 -0500
31807 +++ linux-2.6.37/fs/fuse/fuse_i.h 2011-01-17 02:41:01.000000000 -0500
31808 @@ -525,6 +525,16 @@ extern const struct file_operations fuse
31810 extern const struct dentry_operations fuse_dentry_operations;
31812 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31813 + unsigned long nr_segs, loff_t pos);
31815 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31816 + unsigned long nr_segs, loff_t pos);
31818 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31820 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
31823 * Inode to nodeid comparison.
31825 diff -urNp linux-2.6.37/fs/hfs/inode.c linux-2.6.37/fs/hfs/inode.c
31826 --- linux-2.6.37/fs/hfs/inode.c 2011-01-04 19:50:19.000000000 -0500
31827 +++ linux-2.6.37/fs/hfs/inode.c 2011-01-17 02:41:01.000000000 -0500
31828 @@ -447,7 +447,7 @@ int hfs_write_inode(struct inode *inode,
31830 if (S_ISDIR(main_inode->i_mode)) {
31831 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31834 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31835 sizeof(struct hfs_cat_dir));
31836 if (rec.type != HFS_CDR_DIR ||
31837 @@ -468,7 +468,7 @@ int hfs_write_inode(struct inode *inode,
31838 sizeof(struct hfs_cat_file));
31840 if (fd.entrylength < sizeof(struct hfs_cat_file))
31843 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31844 sizeof(struct hfs_cat_file));
31845 if (rec.type != HFS_CDR_FIL ||
31846 diff -urNp linux-2.6.37/fs/hfsplus/inode.c linux-2.6.37/fs/hfsplus/inode.c
31847 --- linux-2.6.37/fs/hfsplus/inode.c 2011-01-04 19:50:19.000000000 -0500
31848 +++ linux-2.6.37/fs/hfsplus/inode.c 2011-01-17 02:41:01.000000000 -0500
31849 @@ -478,7 +478,7 @@ int hfsplus_cat_read_inode(struct inode
31850 struct hfsplus_cat_folder *folder = &entry.folder;
31852 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31855 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31856 sizeof(struct hfsplus_cat_folder));
31857 hfsplus_get_perms(inode, &folder->permissions, 1);
31858 @@ -495,7 +495,7 @@ int hfsplus_cat_read_inode(struct inode
31859 struct hfsplus_cat_file *file = &entry.file;
31861 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31864 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31865 sizeof(struct hfsplus_cat_file));
31867 @@ -551,7 +551,7 @@ int hfsplus_cat_write_inode(struct inode
31868 struct hfsplus_cat_folder *folder = &entry.folder;
31870 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31873 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31874 sizeof(struct hfsplus_cat_folder));
31875 /* simple node checks? */
31876 @@ -573,7 +573,7 @@ int hfsplus_cat_write_inode(struct inode
31877 struct hfsplus_cat_file *file = &entry.file;
31879 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31882 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31883 sizeof(struct hfsplus_cat_file));
31884 hfsplus_inode_write_fork(inode, &file->data_fork);
31885 diff -urNp linux-2.6.37/fs/hugetlbfs/inode.c linux-2.6.37/fs/hugetlbfs/inode.c
31886 --- linux-2.6.37/fs/hugetlbfs/inode.c 2011-01-04 19:50:19.000000000 -0500
31887 +++ linux-2.6.37/fs/hugetlbfs/inode.c 2011-01-17 02:41:01.000000000 -0500
31888 @@ -908,7 +908,7 @@ static struct file_system_type hugetlbfs
31889 .kill_sb = kill_litter_super,
31892 -static struct vfsmount *hugetlbfs_vfsmount;
31893 +struct vfsmount *hugetlbfs_vfsmount;
31895 static int can_do_hugetlb_shm(void)
31897 diff -urNp linux-2.6.37/fs/ioctl.c linux-2.6.37/fs/ioctl.c
31898 --- linux-2.6.37/fs/ioctl.c 2011-01-04 19:50:19.000000000 -0500
31899 +++ linux-2.6.37/fs/ioctl.c 2011-01-17 02:41:01.000000000 -0500
31900 @@ -86,7 +86,7 @@ int fiemap_fill_next_extent(struct fiema
31901 u64 phys, u64 len, u32 flags)
31903 struct fiemap_extent extent;
31904 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
31905 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
31907 /* only count the extents */
31908 if (fieinfo->fi_extents_max == 0) {
31909 @@ -196,7 +196,7 @@ static int ioctl_fiemap(struct file *fil
31911 fieinfo.fi_flags = fiemap.fm_flags;
31912 fieinfo.fi_extents_max = fiemap.fm_extent_count;
31913 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
31914 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
31916 if (fiemap.fm_extent_count != 0 &&
31917 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
31918 @@ -209,7 +209,7 @@ static int ioctl_fiemap(struct file *fil
31919 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
31920 fiemap.fm_flags = fieinfo.fi_flags;
31921 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
31922 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
31923 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
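Review bot: The two casts of `arg` in ioctl_fiemap() are annotated differently: the earlier hunk writes `(struct fiemap_extent __user *)(arg + sizeof(fiemap))` without `__force`, while this line writes `(__force char __user *)arg`. Since `arg` appears to be an integer (it is added to `sizeof(fiemap)`), one typed local avoids both the inconsistency and the `char *` detour: `struct fiemap __user *ufiemap = (struct fiemap __user *)arg;` and then `copy_to_user(ufiemap, &fiemap, sizeof(fiemap))`. The function's signature and its opening lines are outside the hunk, so confirm the type of `arg` there.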
31927 diff -urNp linux-2.6.37/fs/jffs2/debug.h linux-2.6.37/fs/jffs2/debug.h
31928 --- linux-2.6.37/fs/jffs2/debug.h 2011-01-04 19:50:19.000000000 -0500
31929 +++ linux-2.6.37/fs/jffs2/debug.h 2011-01-17 02:41:01.000000000 -0500
31930 @@ -53,13 +53,13 @@
31931 #if CONFIG_JFFS2_FS_DEBUG > 0
31935 +#define D1(x) do {} while (0);
31938 #if CONFIG_JFFS2_FS_DEBUG > 1
31942 +#define D2(x) do {} while (0);
31945 /* The prefixes of JFFS2 messages */
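Review bot: Both replacement macros, `#define D1(x) do {} while (0);` and `#define D2(x) do {} while (0);`, end in a semicolon, which defeats the point of the `do {} while (0)` form. With it, `if (c) D1(x); else ...` expands to two statements and the `else` no longer attaches. Drop the trailing semicolon, `#define D1(x) do {} while (0)` and the same for D2, as the dbg_* macros in the next hunk already do. If some call sites invoke D1()/D2() without a terminating semicolon (none are visible here), fix those call sites rather than the macro.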
31946 @@ -115,73 +115,73 @@
31947 #ifdef JFFS2_DBG_READINODE_MESSAGES
31948 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31950 -#define dbg_readinode(fmt, ...)
31951 +#define dbg_readinode(fmt, ...) do {} while (0)
31953 #ifdef JFFS2_DBG_READINODE2_MESSAGES
31954 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31956 -#define dbg_readinode2(fmt, ...)
31957 +#define dbg_readinode2(fmt, ...) do {} while (0)
31960 /* Fragtree build debugging messages */
31961 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31962 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31964 -#define dbg_fragtree(fmt, ...)
31965 +#define dbg_fragtree(fmt, ...) do {} while (0)
31967 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31968 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31970 -#define dbg_fragtree2(fmt, ...)
31971 +#define dbg_fragtree2(fmt, ...) do {} while (0)
31974 /* Directory entry list manilulation debugging messages */
31975 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31976 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31978 -#define dbg_dentlist(fmt, ...)
31979 +#define dbg_dentlist(fmt, ...) do {} while (0)
31982 /* Print the messages about manipulating node_refs */
31983 #ifdef JFFS2_DBG_NODEREF_MESSAGES
31984 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31986 -#define dbg_noderef(fmt, ...)
31987 +#define dbg_noderef(fmt, ...) do {} while (0)
31990 /* Manipulations with the list of inodes (JFFS2 inocache) */
31991 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
31992 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31994 -#define dbg_inocache(fmt, ...)
31995 +#define dbg_inocache(fmt, ...) do {} while (0)
31998 /* Summary debugging messages */
31999 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
32000 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32002 -#define dbg_summary(fmt, ...)
32003 +#define dbg_summary(fmt, ...) do {} while (0)
32006 /* File system build messages */
32007 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
32008 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32010 -#define dbg_fsbuild(fmt, ...)
32011 +#define dbg_fsbuild(fmt, ...) do {} while (0)
32014 /* Watch the object allocations */
32015 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
32016 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32018 -#define dbg_memalloc(fmt, ...)
32019 +#define dbg_memalloc(fmt, ...) do {} while (0)
32022 /* Watch the XATTR subsystem */
32023 #ifdef JFFS2_DBG_XATTR_MESSAGES
32024 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32026 -#define dbg_xattr(fmt, ...)
32027 +#define dbg_xattr(fmt, ...) do {} while (0)
32030 /* "Sanity" checks */
32031 diff -urNp linux-2.6.37/fs/jffs2/erase.c linux-2.6.37/fs/jffs2/erase.c
32032 --- linux-2.6.37/fs/jffs2/erase.c 2011-01-04 19:50:19.000000000 -0500
32033 +++ linux-2.6.37/fs/jffs2/erase.c 2011-01-17 02:41:01.000000000 -0500
32034 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
32035 struct jffs2_unknown_node marker = {
32036 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
32037 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
32038 - .totlen = cpu_to_je32(c->cleanmarker_size)
32039 + .totlen = cpu_to_je32(c->cleanmarker_size),
32040 + .hdr_crc = cpu_to_je32(0)
32043 jffs2_prealloc_raw_node_refs(c, jeb, 1);
32044 diff -urNp linux-2.6.37/fs/jffs2/summary.h linux-2.6.37/fs/jffs2/summary.h
32045 --- linux-2.6.37/fs/jffs2/summary.h 2011-01-04 19:50:19.000000000 -0500
32046 +++ linux-2.6.37/fs/jffs2/summary.h 2011-01-17 02:41:01.000000000 -0500
32047 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
32049 #define jffs2_sum_active() (0)
32050 #define jffs2_sum_init(a) (0)
32051 -#define jffs2_sum_exit(a)
32052 -#define jffs2_sum_disable_collecting(a)
32053 +#define jffs2_sum_exit(a) do {} while (0)
32054 +#define jffs2_sum_disable_collecting(a) do {} while (0)
32055 #define jffs2_sum_is_disabled(a) (0)
32056 -#define jffs2_sum_reset_collected(a)
32057 +#define jffs2_sum_reset_collected(a) do {} while (0)
32058 #define jffs2_sum_add_kvec(a,b,c,d) (0)
32059 -#define jffs2_sum_move_collected(a,b)
32060 +#define jffs2_sum_move_collected(a,b) do {} while (0)
32061 #define jffs2_sum_write_sumnode(a) (0)
32062 -#define jffs2_sum_add_padding_mem(a,b)
32063 -#define jffs2_sum_add_inode_mem(a,b,c)
32064 -#define jffs2_sum_add_dirent_mem(a,b,c)
32065 -#define jffs2_sum_add_xattr_mem(a,b,c)
32066 -#define jffs2_sum_add_xref_mem(a,b,c)
32067 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
32068 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
32069 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
32070 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
32071 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
32072 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
32074 #endif /* CONFIG_JFFS2_SUMMARY */
32075 diff -urNp linux-2.6.37/fs/jffs2/wbuf.c linux-2.6.37/fs/jffs2/wbuf.c
32076 --- linux-2.6.37/fs/jffs2/wbuf.c 2011-01-04 19:50:19.000000000 -0500
32077 +++ linux-2.6.37/fs/jffs2/wbuf.c 2011-01-17 02:41:01.000000000 -0500
32078 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
32080 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
32081 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
32082 - .totlen = constant_cpu_to_je32(8)
32083 + .totlen = constant_cpu_to_je32(8),
32084 + .hdr_crc = constant_cpu_to_je32(0)
32088 diff -urNp linux-2.6.37/fs/Kconfig.binfmt linux-2.6.37/fs/Kconfig.binfmt
32089 --- linux-2.6.37/fs/Kconfig.binfmt 2011-01-04 19:50:19.000000000 -0500
32090 +++ linux-2.6.37/fs/Kconfig.binfmt 2011-01-17 02:41:01.000000000 -0500
32091 @@ -86,7 +86,7 @@ config HAVE_AOUT
32094 tristate "Kernel support for a.out and ECOFF binaries"
32095 - depends on HAVE_AOUT
32096 + depends on HAVE_AOUT && BROKEN
32098 A.out (Assembler.OUTput) is a set of formats for libraries and
32099 executables used in the earliest versions of UNIX. Linux used
32100 diff -urNp linux-2.6.37/fs/lockd/svc.c linux-2.6.37/fs/lockd/svc.c
32101 --- linux-2.6.37/fs/lockd/svc.c 2011-01-04 19:50:19.000000000 -0500
32102 +++ linux-2.6.37/fs/lockd/svc.c 2011-01-17 02:41:01.000000000 -0500
32105 static struct svc_program nlmsvc_program;
32107 -struct nlmsvc_binding * nlmsvc_ops;
32108 +const struct nlmsvc_binding * nlmsvc_ops;
32109 EXPORT_SYMBOL_GPL(nlmsvc_ops);
32111 static DEFINE_MUTEX(nlmsvc_mutex);
32112 diff -urNp linux-2.6.37/fs/locks.c linux-2.6.37/fs/locks.c
32113 --- linux-2.6.37/fs/locks.c 2011-01-04 19:50:19.000000000 -0500
32114 +++ linux-2.6.37/fs/locks.c 2011-01-17 02:41:01.000000000 -0500
32115 @@ -2050,16 +2050,16 @@ void locks_remove_flock(struct file *fil
32118 if (filp->f_op && filp->f_op->flock) {
32119 - struct file_lock fl = {
32120 + struct file_lock flock = {
32121 .fl_pid = current->tgid,
32123 .fl_flags = FL_FLOCK,
32124 .fl_type = F_UNLCK,
32125 .fl_end = OFFSET_MAX,
32127 - filp->f_op->flock(filp, F_SETLKW, &fl);
32128 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
32129 - fl.fl_ops->fl_release_private(&fl);
32130 + filp->f_op->flock(filp, F_SETLKW, &flock);
32131 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
32132 + flock.fl_ops->fl_release_private(&flock);
32136 diff -urNp linux-2.6.37/fs/namei.c linux-2.6.37/fs/namei.c
32137 --- linux-2.6.37/fs/namei.c 2011-01-04 19:50:19.000000000 -0500
32138 +++ linux-2.6.37/fs/namei.c 2011-01-17 11:57:48.000000000 -0500
32139 @@ -221,14 +221,6 @@ int generic_permission(struct inode *ino
32143 - * Read/write DACs are always overridable.
32144 - * Executable DACs are overridable if at least one exec bit is set.
32146 - if (!(mask & MAY_EXEC) || execute_ok(inode))
32147 - if (capable(CAP_DAC_OVERRIDE))
32151 * Searching includes executable on directories, else just read.
32153 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
32154 @@ -236,6 +228,14 @@ int generic_permission(struct inode *ino
32155 if (capable(CAP_DAC_READ_SEARCH))
32159 + * Read/write DACs are always overridable.
32160 + * Executable DACs are overridable if at least one exec bit is set.
32162 + if (!(mask & MAY_EXEC) || execute_ok(inode))
32163 + if (capable(CAP_DAC_OVERRIDE))
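Review bot: The CAP_DAC_OVERRIDE block is moved below the CAP_DAC_READ_SEARCH test with its original comment unchanged, so nothing in generic_permission() records why the order now matters. Presumably the narrower capability is tried first so that the broader one is neither exercised nor logged when it is not needed; if that is the intent, say so above the moved block, for example `/* checked after CAP_DAC_READ_SEARCH so the broader capability is used only when required */`. Without that comment a later cleanup could restore the upstream order. The function's return statements fall on lines the page does not show.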
32169 @@ -473,7 +473,8 @@ static int exec_permission(struct inode
32173 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
32174 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
32175 + capable(CAP_DAC_OVERRIDE))
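Review bot: The condition tests CAP_DAC_OVERRIDE twice, first with `capable_nolog()` and last with `capable()`, and the last operand is evaluated only when the first has already returned false. As written it looks redundant, so its purpose (by the helper's name, most likely to log the denial only when CAP_DAC_READ_SEARCH is also missing) needs a comment. A line such as `/* quiet check first; the final capable() exists only to log when neither capability is held */` would document it, if that is the intent. capable_nolog() is not defined on this page, so confirm its semantics before relying on this reading.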
32179 @@ -542,7 +543,7 @@ __do_follow_link(struct path *path, stru
32180 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
32181 error = PTR_ERR(*p);
32183 - char *s = nd_get_link(nd);
32184 + const char *s = nd_get_link(nd);
32187 error = __vfs_follow_link(nd, s);
32188 @@ -575,6 +576,13 @@ static inline int do_follow_link(struct
32189 err = security_inode_follow_link(path->dentry, nd);
32193 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
32194 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
32199 current->link_count++;
32200 current->total_link_count++;
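Review bot: `path->dentry->d_parent->d_inode` is read in the added `gr_handle_follow_link()` call with no lock or reference on the parent visible in the hunk, so a concurrent rename could change d_parent while the hook uses it. Taking a counted reference closes that window: `struct dentry *parent = dget_parent(path->dentry);` before the call, pass `parent->d_inode`, then `dput(parent);` afterwards. The same expression appears in the later `reval:` hunk, which passes `path.dentry->d_parent->d_inode`. do_follow_link() begins and ends outside this hunk, so protection taken elsewhere cannot be ruled out.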
32202 @@ -967,11 +975,18 @@ return_reval:
32206 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
32207 + path_put(&nd->path);
32212 path_put_conditional(&next, nd);
32215 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
32218 path_put(&nd->path);
32221 @@ -1397,6 +1412,30 @@ int vfs_create(struct inode *dir, struct
32226 + * Note that while the flag value (low two bits) for sys_open means:
32228 + * 01 - write-only
32229 + * 10 - read-write
32231 + * it is changed into
32232 + * 00 - no permissions needed
32233 + * 01 - read-permission
32234 + * 10 - write-permission
32235 + * 11 - read-write
32236 + * for the internal routines (ie open_namei()/follow_link() etc)
32237 + * This is more logical, and also allows the 00 "no perm needed"
32238 + * to be used for symlinks (where the permissions are checked
32242 +static inline int open_to_namei_flags(int flag)
32244 + if ((flag+1) & O_ACCMODE)
32249 int may_open(struct path *path, int acc_mode, int flag)
32251 struct dentry *dentry = path->dentry;
32252 @@ -1445,7 +1484,26 @@ int may_open(struct path *path, int acc_
32254 * Ensure there are no outstanding leases on the file.
32256 - return break_lease(inode, flag);
32257 + error = break_lease(inode, flag);
32261 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
32266 + if (gr_handle_rawio(inode)) {
32271 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
32279 static int handle_truncate(struct path *path)
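Review bot: The three added checks (`gr_handle_rofs_blockwrite`, `gr_handle_rawio`, `gr_acl_handle_open`) run only after `break_lease(inode, flag)` has returned, so an open that policy then denies has already broken any outstanding lease on the file. Running the gr_* checks first and calling break_lease() last would keep a denied open free of side effects on other lease holders. The error paths of the added blocks are not shown on this page, so confirm that none of them depends on the lease having been broken.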
32280 @@ -1479,6 +1537,12 @@ static int __open_namei_create(struct na
32283 struct dentry *dir = nd->path.dentry;
32284 + int flag = open_to_namei_flags(open_flag);
32286 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
32291 if (!IS_POSIXACL(dir->d_inode))
32292 mode &= ~current_umask();
32293 @@ -1486,6 +1550,8 @@ static int __open_namei_create(struct na
32296 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
32298 + gr_handle_create(path->dentry, nd->path.mnt);
32300 mutex_unlock(&dir->d_inode->i_mutex);
32301 dput(nd->path.dentry);
32302 @@ -1496,30 +1562,6 @@ out_unlock:
32303 return may_open(&nd->path, 0, open_flag & ~O_TRUNC);
32307 - * Note that while the flag value (low two bits) for sys_open means:
32309 - * 01 - write-only
32310 - * 10 - read-write
32312 - * it is changed into
32313 - * 00 - no permissions needed
32314 - * 01 - read-permission
32315 - * 10 - write-permission
32316 - * 11 - read-write
32317 - * for the internal routines (ie open_namei()/follow_link() etc)
32318 - * This is more logical, and also allows the 00 "no perm needed"
32319 - * to be used for symlinks (where the permissions are checked
32323 -static inline int open_to_namei_flags(int flag)
32325 - if ((flag+1) & O_ACCMODE)
32330 static int open_will_truncate(int flag, struct inode *inode)
32333 @@ -1589,6 +1631,7 @@ static struct file *do_last(struct namei
32334 int mode, const char *pathname)
32336 struct dentry *dir = nd->path.dentry;
32337 + int flag = open_to_namei_flags(open_flag);
32339 int error = -EISDIR;
32341 @@ -1690,6 +1733,14 @@ static struct file *do_last(struct namei
32343 * It already exists.
32346 + /* only check if O_CREAT is specified, all other checks need to go
32348 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
32350 + goto exit_mutex_unlock;
32353 mutex_unlock(&dir->d_inode->i_mutex);
32354 audit_inode(pathname, path->dentry);
32356 @@ -1838,6 +1889,11 @@ reval:
32357 error = security_inode_follow_link(path.dentry, &nd);
32360 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode,
32361 + path.dentry->d_inode, path.dentry, nd.path.mnt)) {
32365 error = __do_follow_link(&path, &nd, &cookie);
32366 if (unlikely(error)) {
32367 /* nd.path had been dropped */
32368 @@ -2013,6 +2069,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32369 error = may_mknod(mode);
32373 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
32378 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
32383 error = mnt_want_write(nd.path.mnt);
32386 @@ -2033,6 +2100,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32389 mnt_drop_write(nd.path.mnt);
32392 + gr_handle_create(dentry, nd.path.mnt);
32396 @@ -2085,6 +2155,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32397 if (IS_ERR(dentry))
32400 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
32405 if (!IS_POSIXACL(nd.path.dentry->d_inode))
32406 mode &= ~current_umask();
32407 error = mnt_want_write(nd.path.mnt);
32408 @@ -2096,6 +2171,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32409 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
32411 mnt_drop_write(nd.path.mnt);
32414 + gr_handle_create(dentry, nd.path.mnt);
32419 @@ -2177,6 +2256,8 @@ static long do_rmdir(int dfd, const char
32421 struct dentry *dentry;
32422 struct nameidata nd;
32423 + ino_t saved_ino = 0;
32424 + dev_t saved_dev = 0;
32426 error = user_path_parent(dfd, pathname, &nd, &name);
32428 @@ -2201,6 +2282,19 @@ static long do_rmdir(int dfd, const char
32429 error = PTR_ERR(dentry);
32430 if (IS_ERR(dentry))
32433 + if (dentry->d_inode != NULL) {
32434 + if (dentry->d_inode->i_nlink <= 1) {
32435 + saved_ino = dentry->d_inode->i_ino;
32436 + saved_dev = dentry->d_inode->i_sb->s_dev;
32439 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
32445 error = mnt_want_write(nd.path.mnt);
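Review bot: In do_rmdir() the inode and device are saved only when `dentry->d_inode->i_nlink <= 1`, a test that fits regular files but probably not directories, which on many filesystems carry at least two links even when empty. If so, `saved_ino` and `saved_dev` stay 0 and the `gr_handle_delete(saved_ino, saved_dev)` call in the next hunk is skipped after a successful rmdir. A directory cannot be hard-linked, so recording the pair unconditionally inside the `d_inode != NULL` branch looks safer: `saved_ino = dentry->d_inode->i_ino; saved_dev = dentry->d_inode->i_sb->s_dev;`. Using 0 for both values as the "nothing saved" marker would also be clearer as an explicit flag.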
32448 @@ -2208,6 +2302,8 @@ static long do_rmdir(int dfd, const char
32451 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
32452 + if (!error && (saved_dev || saved_ino))
32453 + gr_handle_delete(saved_ino, saved_dev);
32455 mnt_drop_write(nd.path.mnt);
32457 @@ -2270,6 +2366,8 @@ static long do_unlinkat(int dfd, const c
32458 struct dentry *dentry;
32459 struct nameidata nd;
32460 struct inode *inode = NULL;
32461 + ino_t saved_ino = 0;
32462 + dev_t saved_dev = 0;
32464 error = user_path_parent(dfd, pathname, &nd, &name);
32466 @@ -2289,8 +2387,17 @@ static long do_unlinkat(int dfd, const c
32467 if (nd.last.name[nd.last.len])
32469 inode = dentry->d_inode;
32473 + if (inode->i_nlink <= 1) {
32474 + saved_ino = inode->i_ino;
32475 + saved_dev = inode->i_sb->s_dev;
32477 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
32482 error = mnt_want_write(nd.path.mnt);
32485 @@ -2298,6 +2405,8 @@ static long do_unlinkat(int dfd, const c
32488 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
32489 + if (!error && (saved_ino || saved_dev))
32490 + gr_handle_delete(saved_ino, saved_dev);
32492 mnt_drop_write(nd.path.mnt);
32494 @@ -2375,6 +2484,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
32495 if (IS_ERR(dentry))
32498 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
32503 error = mnt_want_write(nd.path.mnt);
32506 @@ -2382,6 +2496,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
32508 goto out_drop_write;
32509 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
32511 + gr_handle_create(dentry, nd.path.mnt);
32513 mnt_drop_write(nd.path.mnt);
32515 @@ -2474,6 +2590,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32516 error = PTR_ERR(new_dentry);
32517 if (IS_ERR(new_dentry))
32520 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
32521 + old_path.dentry->d_inode,
32522 + old_path.dentry->d_inode->i_mode, to)) {
32527 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
32528 + old_path.dentry, old_path.mnt, to)) {
32533 error = mnt_want_write(nd.path.mnt);
32536 @@ -2481,6 +2611,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32538 goto out_drop_write;
32539 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
32541 + gr_handle_create(new_dentry, nd.path.mnt);
32543 mnt_drop_write(nd.path.mnt);
32545 @@ -2714,6 +2846,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32546 if (new_dentry == trap)
32549 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
32550 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
32555 error = mnt_want_write(oldnd.path.mnt);
32558 @@ -2723,6 +2861,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32560 error = vfs_rename(old_dir->d_inode, old_dentry,
32561 new_dir->d_inode, new_dentry);
32563 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
32564 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
32566 mnt_drop_write(oldnd.path.mnt);
32568 diff -urNp linux-2.6.37/fs/namespace.c linux-2.6.37/fs/namespace.c
32569 --- linux-2.6.37/fs/namespace.c 2011-01-04 19:50:19.000000000 -0500
32570 +++ linux-2.6.37/fs/namespace.c 2011-01-17 02:41:01.000000000 -0500
32571 @@ -1141,6 +1141,9 @@ static int do_umount(struct vfsmount *mn
32572 if (!(sb->s_flags & MS_RDONLY))
32573 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
32574 up_write(&sb->s_umount);
32576 + gr_log_remount(mnt->mnt_devname, retval);
32581 @@ -1160,6 +1163,9 @@ static int do_umount(struct vfsmount *mn
32582 br_write_unlock(vfsmount_lock);
32583 up_write(&namespace_sem);
32584 release_mounts(&umount_list);
32586 + gr_log_unmount(mnt->mnt_devname, retval);
32591 @@ -2053,6 +2059,16 @@ long do_mount(char *dev_name, char *dir_
32592 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
32595 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
32600 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
32605 if (flags & MS_REMOUNT)
32606 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
32608 @@ -2067,6 +2083,9 @@ long do_mount(char *dev_name, char *dir_
32609 dev_name, data_page);
32613 + gr_log_mount(dev_name, dir_name, retval);
32618 @@ -2273,6 +2292,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
32622 + if (gr_handle_chroot_pivot()) {
32628 get_fs_root(current->fs, &root);
32629 down_write(&namespace_sem);
32630 mutex_lock(&old.dentry->d_inode->i_mutex);
32631 diff -urNp linux-2.6.37/fs/nfs/inode.c linux-2.6.37/fs/nfs/inode.c
32632 --- linux-2.6.37/fs/nfs/inode.c 2011-01-04 19:50:19.000000000 -0500
32633 +++ linux-2.6.37/fs/nfs/inode.c 2011-01-17 02:41:01.000000000 -0500
32634 @@ -985,16 +985,16 @@ static int nfs_size_need_update(const st
32635 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
32638 -static atomic_long_t nfs_attr_generation_counter;
32639 +static atomic_long_unchecked_t nfs_attr_generation_counter;
32641 static unsigned long nfs_read_attr_generation_counter(void)
32643 - return atomic_long_read(&nfs_attr_generation_counter);
32644 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
32647 unsigned long nfs_inc_attr_generation_counter(void)
32649 - return atomic_long_inc_return(&nfs_attr_generation_counter);
32650 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
32653 void nfs_fattr_init(struct nfs_fattr *fattr)
32654 diff -urNp linux-2.6.37/fs/nfs/nfs4proc.c linux-2.6.37/fs/nfs/nfs4proc.c
32655 --- linux-2.6.37/fs/nfs/nfs4proc.c 2011-01-04 19:50:19.000000000 -0500
32656 +++ linux-2.6.37/fs/nfs/nfs4proc.c 2011-01-17 02:41:01.000000000 -0500
32657 @@ -1184,7 +1184,7 @@ static int _nfs4_do_open_reclaim(struct
32658 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
32660 struct nfs_server *server = NFS_SERVER(state->inode);
32661 - struct nfs4_exception exception = { };
32662 + struct nfs4_exception exception = {0, 0};
32665 err = _nfs4_do_open_reclaim(ctx, state);
32666 @@ -1226,7 +1226,7 @@ static int _nfs4_open_delegation_recall(
32668 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
32670 - struct nfs4_exception exception = { };
32671 + struct nfs4_exception exception = {0, 0};
32672 struct nfs_server *server = NFS_SERVER(state->inode);
32675 @@ -1602,7 +1602,7 @@ static int _nfs4_open_expired(struct nfs
32676 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
32678 struct nfs_server *server = NFS_SERVER(state->inode);
32679 - struct nfs4_exception exception = { };
32680 + struct nfs4_exception exception = {0, 0};
32684 @@ -1717,7 +1717,7 @@ out_err:
32686 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
32688 - struct nfs4_exception exception = { };
32689 + struct nfs4_exception exception = {0, 0};
32690 struct nfs4_state *res;
32693 @@ -1808,7 +1808,7 @@ static int nfs4_do_setattr(struct inode
32694 struct nfs4_state *state)
32696 struct nfs_server *server = NFS_SERVER(inode);
32697 - struct nfs4_exception exception = { };
32698 + struct nfs4_exception exception = {0, 0};
32701 err = nfs4_handle_exception(server,
32702 @@ -2081,7 +2081,7 @@ static int _nfs4_server_capabilities(str
32704 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
32706 - struct nfs4_exception exception = { };
32707 + struct nfs4_exception exception = {0, 0};
32710 err = nfs4_handle_exception(server,
32711 @@ -2115,7 +2115,7 @@ static int _nfs4_lookup_root(struct nfs_
32712 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
32713 struct nfs_fsinfo *info)
32715 - struct nfs4_exception exception = { };
32716 + struct nfs4_exception exception = {0, 0};
32719 err = nfs4_handle_exception(server,
32720 @@ -2203,7 +2203,7 @@ static int _nfs4_proc_getattr(struct nfs
32722 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32724 - struct nfs4_exception exception = { };
32725 + struct nfs4_exception exception = {0, 0};
32728 err = nfs4_handle_exception(server,
32729 @@ -2291,7 +2291,7 @@ static int nfs4_proc_lookupfh(struct nfs
32730 struct qstr *name, struct nfs_fh *fhandle,
32731 struct nfs_fattr *fattr)
32733 - struct nfs4_exception exception = { };
32734 + struct nfs4_exception exception = {0, 0};
32737 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
32738 @@ -2320,7 +2320,7 @@ static int _nfs4_proc_lookup(struct inod
32740 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32742 - struct nfs4_exception exception = { };
32743 + struct nfs4_exception exception = {0, 0};
32746 err = nfs4_handle_exception(NFS_SERVER(dir),
32747 @@ -2387,7 +2387,7 @@ static int _nfs4_proc_access(struct inod
32749 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
32751 - struct nfs4_exception exception = { };
32752 + struct nfs4_exception exception = {0, 0};
32755 err = nfs4_handle_exception(NFS_SERVER(inode),
32756 @@ -2443,7 +2443,7 @@ static int _nfs4_proc_readlink(struct in
32757 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
32758 unsigned int pgbase, unsigned int pglen)
32760 - struct nfs4_exception exception = { };
32761 + struct nfs4_exception exception = {0, 0};
32764 err = nfs4_handle_exception(NFS_SERVER(inode),
32765 @@ -2537,7 +2537,7 @@ out:
32767 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
32769 - struct nfs4_exception exception = { };
32770 + struct nfs4_exception exception = {0, 0};
32773 err = nfs4_handle_exception(NFS_SERVER(dir),
32774 @@ -2642,7 +2642,7 @@ out:
32775 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
32776 struct inode *new_dir, struct qstr *new_name)
32778 - struct nfs4_exception exception = { };
32779 + struct nfs4_exception exception = {0, 0};
32782 err = nfs4_handle_exception(NFS_SERVER(old_dir),
32783 @@ -2691,7 +2691,7 @@ out:
32785 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
32787 - struct nfs4_exception exception = { };
32788 + struct nfs4_exception exception = {0, 0};
32791 err = nfs4_handle_exception(NFS_SERVER(inode),
32792 @@ -2783,7 +2783,7 @@ out:
32793 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
32794 struct page *page, unsigned int len, struct iattr *sattr)
32796 - struct nfs4_exception exception = { };
32797 + struct nfs4_exception exception = {0, 0};
32800 err = nfs4_handle_exception(NFS_SERVER(dir),
32801 @@ -2814,7 +2814,7 @@ out:
32802 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
32803 struct iattr *sattr)
32805 - struct nfs4_exception exception = { };
32806 + struct nfs4_exception exception = {0, 0};
32809 err = nfs4_handle_exception(NFS_SERVER(dir),
32810 @@ -2866,7 +2866,7 @@ static int _nfs4_proc_readdir(struct den
32811 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
32812 u64 cookie, struct page **pages, unsigned int count, int plus)
32814 - struct nfs4_exception exception = { };
32815 + struct nfs4_exception exception = {0, 0};
32818 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
32819 @@ -2914,7 +2914,7 @@ out:
32820 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
32821 struct iattr *sattr, dev_t rdev)
32823 - struct nfs4_exception exception = { };
32824 + struct nfs4_exception exception = {0, 0};
32827 err = nfs4_handle_exception(NFS_SERVER(dir),
32828 @@ -2946,7 +2946,7 @@ static int _nfs4_proc_statfs(struct nfs_
32830 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
32832 - struct nfs4_exception exception = { };
32833 + struct nfs4_exception exception = {0, 0};
32836 err = nfs4_handle_exception(server,
32837 @@ -2977,7 +2977,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
32839 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
32841 - struct nfs4_exception exception = { };
32842 + struct nfs4_exception exception = {0, 0};
32846 @@ -3023,7 +3023,7 @@ static int _nfs4_proc_pathconf(struct nf
32847 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
32848 struct nfs_pathconf *pathconf)
32850 - struct nfs4_exception exception = { };
32851 + struct nfs4_exception exception = {0, 0};
32855 @@ -3340,7 +3340,7 @@ out_free:
32857 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
32859 - struct nfs4_exception exception = { };
32860 + struct nfs4_exception exception = {0, 0};
32863 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
32864 @@ -3405,7 +3405,7 @@ static int __nfs4_proc_set_acl(struct in
32866 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
32868 - struct nfs4_exception exception = { };
32869 + struct nfs4_exception exception = {0, 0};
32872 err = nfs4_handle_exception(NFS_SERVER(inode),
32873 @@ -3685,7 +3685,7 @@ out:
32874 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
32876 struct nfs_server *server = NFS_SERVER(inode);
32877 - struct nfs4_exception exception = { };
32878 + struct nfs4_exception exception = {0, 0};
32881 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
32882 @@ -3758,7 +3758,7 @@ out:
32884 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32886 - struct nfs4_exception exception = { };
32887 + struct nfs4_exception exception = {0, 0};
32891 @@ -4167,7 +4167,7 @@ static int _nfs4_do_setlk(struct nfs4_st
32892 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
32894 struct nfs_server *server = NFS_SERVER(state->inode);
32895 - struct nfs4_exception exception = { };
32896 + struct nfs4_exception exception = {0, 0};
32900 @@ -4185,7 +4185,7 @@ static int nfs4_lock_reclaim(struct nfs4
32901 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
32903 struct nfs_server *server = NFS_SERVER(state->inode);
32904 - struct nfs4_exception exception = { };
32905 + struct nfs4_exception exception = {0, 0};
32908 err = nfs4_set_lock_state(state, request);
32909 @@ -4249,7 +4249,7 @@ out:
32911 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32913 - struct nfs4_exception exception = { };
32914 + struct nfs4_exception exception = {0, 0};
32918 @@ -4309,7 +4309,7 @@ nfs4_proc_lock(struct file *filp, int cm
32919 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32921 struct nfs_server *server = NFS_SERVER(state->inode);
32922 - struct nfs4_exception exception = { };
32923 + struct nfs4_exception exception = {0, 0};
32926 err = nfs4_set_lock_state(state, fl);
32927 diff -urNp linux-2.6.37/fs/nfsd/lockd.c linux-2.6.37/fs/nfsd/lockd.c
32928 --- linux-2.6.37/fs/nfsd/lockd.c 2011-01-04 19:50:19.000000000 -0500
32929 +++ linux-2.6.37/fs/nfsd/lockd.c 2011-01-17 02:41:01.000000000 -0500
32930 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32934 -static struct nlmsvc_binding nfsd_nlm_ops = {
32935 +static const struct nlmsvc_binding nfsd_nlm_ops = {
32936 .fopen = nlm_fopen, /* open file for locking */
32937 .fclose = nlm_fclose, /* close file */
32939 diff -urNp linux-2.6.37/fs/nfsd/nfsctl.c linux-2.6.37/fs/nfsd/nfsctl.c
32940 --- linux-2.6.37/fs/nfsd/nfsctl.c 2011-01-04 19:50:19.000000000 -0500
32941 +++ linux-2.6.37/fs/nfsd/nfsctl.c 2011-01-17 02:41:01.000000000 -0500
32942 @@ -178,7 +178,7 @@ static int export_features_open(struct i
32943 return single_open(file, export_features_show, NULL);
32946 -static struct file_operations export_features_operations = {
32947 +static const struct file_operations export_features_operations = {
32948 .open = export_features_open,
32950 .llseek = seq_lseek,
32951 diff -urNp linux-2.6.37/fs/nfsd/vfs.c linux-2.6.37/fs/nfsd/vfs.c
32952 --- linux-2.6.37/fs/nfsd/vfs.c 2011-01-04 19:50:19.000000000 -0500
32953 +++ linux-2.6.37/fs/nfsd/vfs.c 2011-01-17 02:41:01.000000000 -0500
32954 @@ -916,7 +916,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
32958 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32959 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
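Review bot: The added `__force` silences the sparse address-space warning without recording why passing a kernel pointer as `__user` is acceptable here. The cast is only correct while the address limit has been raised with `set_fs(KERNEL_DS)`, which is visible in the nfsd_vfs_write and nfsd_readlink hunks below but not in the lines shown for this one. I would add a comment at each of the three call sites, for example `/* vec is kernel memory; the __user cast is valid only under the set_fs(KERNEL_DS) above */`. Anyone who later moves the call outside the set_fs window then sees the dependency.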
32963 @@ -1029,7 +1029,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
32965 /* Write the data. */
32966 oldfs = get_fs(); set_fs(KERNEL_DS);
32967 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32968 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32972 @@ -1546,7 +1546,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
32975 oldfs = get_fs(); set_fs(KERNEL_DS);
32976 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
32977 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32981 diff -urNp linux-2.6.37/fs/nls/nls_base.c linux-2.6.37/fs/nls/nls_base.c
32982 --- linux-2.6.37/fs/nls/nls_base.c 2011-01-04 19:50:19.000000000 -0500
32983 +++ linux-2.6.37/fs/nls/nls_base.c 2011-01-17 02:41:01.000000000 -0500
32984 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32985 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
32986 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
32987 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
32988 - {0, /* end of table */}
32989 + {0, 0, 0, 0, 0, /* end of table */}
32992 #define UNICODE_MAX 0x0010ffff
32993 diff -urNp linux-2.6.37/fs/ntfs/dir.c linux-2.6.37/fs/ntfs/dir.c
32994 --- linux-2.6.37/fs/ntfs/dir.c 2011-01-04 19:50:19.000000000 -0500
32995 +++ linux-2.6.37/fs/ntfs/dir.c 2011-01-17 02:41:01.000000000 -0500
32996 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
32997 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
32998 ~(s64)(ndir->itype.index.block_size - 1)));
32999 /* Bounds checks. */
33000 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
33001 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
33002 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
33003 "inode 0x%lx or driver bug.", vdir->i_ino);
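Review bot: The rewritten bounds check still accepts `(u8*)ia == kaddr + PAGE_CACHE_SIZE`, a pointer one past the mapped page, because the upper bound is tested with `>`. The offset computed two lines above is masked with `~PAGE_CACHE_MASK`, so it presumably cannot reach that value. Since the line is being touched to add `!kaddr` anyway, tightening it to `(u8*)ia >= kaddr + PAGE_CACHE_SIZE` would make the check match what the following dereference of `ia` needs. The enclosing function is outside the hunk.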
33005 diff -urNp linux-2.6.37/fs/ntfs/file.c linux-2.6.37/fs/ntfs/file.c
33006 --- linux-2.6.37/fs/ntfs/file.c 2011-01-04 19:50:19.000000000 -0500
33007 +++ linux-2.6.37/fs/ntfs/file.c 2011-01-17 02:41:01.000000000 -0500
33008 @@ -2223,6 +2223,6 @@ const struct inode_operations ntfs_file_
33009 #endif /* NTFS_RW */
33012 -const struct file_operations ntfs_empty_file_ops = {};
33013 +const struct file_operations ntfs_empty_file_ops __read_only;
33015 -const struct inode_operations ntfs_empty_inode_ops = {};
33016 +const struct inode_operations ntfs_empty_inode_ops __read_only;
33017 diff -urNp linux-2.6.37/fs/ocfs2/localalloc.c linux-2.6.37/fs/ocfs2/localalloc.c
33018 --- linux-2.6.37/fs/ocfs2/localalloc.c 2011-01-04 19:50:19.000000000 -0500
33019 +++ linux-2.6.37/fs/ocfs2/localalloc.c 2011-01-17 02:41:01.000000000 -0500
33020 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
33024 - atomic_inc(&osb->alloc_stats.moves);
33025 + atomic_inc_unchecked(&osb->alloc_stats.moves);
33029 diff -urNp linux-2.6.37/fs/ocfs2/ocfs2.h linux-2.6.37/fs/ocfs2/ocfs2.h
33030 --- linux-2.6.37/fs/ocfs2/ocfs2.h 2011-01-04 19:50:19.000000000 -0500
33031 +++ linux-2.6.37/fs/ocfs2/ocfs2.h 2011-01-17 02:41:01.000000000 -0500
33032 @@ -230,11 +230,11 @@ enum ocfs2_vol_state
33034 struct ocfs2_alloc_stats
33037 - atomic_t local_data;
33038 - atomic_t bitmap_data;
33039 - atomic_t bg_allocs;
33040 - atomic_t bg_extends;
33041 + atomic_unchecked_t moves;
33042 + atomic_unchecked_t local_data;
33043 + atomic_unchecked_t bitmap_data;
33044 + atomic_unchecked_t bg_allocs;
33045 + atomic_unchecked_t bg_extends;
33048 enum ocfs2_local_alloc_state
33049 diff -urNp linux-2.6.37/fs/ocfs2/suballoc.c linux-2.6.37/fs/ocfs2/suballoc.c
33050 --- linux-2.6.37/fs/ocfs2/suballoc.c 2011-01-04 19:50:19.000000000 -0500
33051 +++ linux-2.6.37/fs/ocfs2/suballoc.c 2011-01-17 02:41:01.000000000 -0500
33052 @@ -877,7 +877,7 @@ static int ocfs2_reserve_suballoc_bits(s
33053 mlog_errno(status);
33056 - atomic_inc(&osb->alloc_stats.bg_extends);
33057 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
33059 /* You should never ask for this much metadata */
33060 BUG_ON(bits_wanted >
33061 @@ -2012,7 +2012,7 @@ int ocfs2_claim_metadata(handle_t *handl
33062 mlog_errno(status);
33065 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33066 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33068 *suballoc_loc = res.sr_bg_blkno;
33069 *suballoc_bit_start = res.sr_bit_offset;
33070 @@ -2219,7 +2219,7 @@ int ocfs2_claim_new_inode(handle_t *hand
33071 mlog_errno(status);
33074 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33075 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33077 BUG_ON(res.sr_bits != 1);
33079 @@ -2324,7 +2324,7 @@ int __ocfs2_claim_clusters(handle_t *han
33083 - atomic_inc(&osb->alloc_stats.local_data);
33084 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
33086 if (min_clusters > (osb->bitmap_cpg - 1)) {
33087 /* The only paths asking for contiguousness
33088 @@ -2350,7 +2350,7 @@ int __ocfs2_claim_clusters(handle_t *han
33089 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
33091 res.sr_bit_offset);
33092 - atomic_inc(&osb->alloc_stats.bitmap_data);
33093 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
33094 *num_clusters = res.sr_bits;
33097 diff -urNp linux-2.6.37/fs/ocfs2/super.c linux-2.6.37/fs/ocfs2/super.c
33098 --- linux-2.6.37/fs/ocfs2/super.c 2011-01-04 19:50:19.000000000 -0500
33099 +++ linux-2.6.37/fs/ocfs2/super.c 2011-01-17 02:41:01.000000000 -0500
33100 @@ -297,11 +297,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
33101 "%10s => GlobalAllocs: %d LocalAllocs: %d "
33102 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
33104 - atomic_read(&osb->alloc_stats.bitmap_data),
33105 - atomic_read(&osb->alloc_stats.local_data),
33106 - atomic_read(&osb->alloc_stats.bg_allocs),
33107 - atomic_read(&osb->alloc_stats.moves),
33108 - atomic_read(&osb->alloc_stats.bg_extends));
33109 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
33110 + atomic_read_unchecked(&osb->alloc_stats.local_data),
33111 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
33112 + atomic_read_unchecked(&osb->alloc_stats.moves),
33113 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
33115 out += snprintf(buf + out, len - out,
33116 "%10s => State: %u Descriptor: %llu Size: %u bits "
33117 @@ -2122,11 +2122,11 @@ static int ocfs2_initialize_super(struct
33118 spin_lock_init(&osb->osb_xattr_lock);
33119 ocfs2_init_steal_slots(osb);
33121 - atomic_set(&osb->alloc_stats.moves, 0);
33122 - atomic_set(&osb->alloc_stats.local_data, 0);
33123 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
33124 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
33125 - atomic_set(&osb->alloc_stats.bg_extends, 0);
33126 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
33127 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
33128 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
33129 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
33130 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
33132 /* Copy the blockcheck stats from the superblock probe */
33133 osb->osb_ecc_stats = *stats;
33134 diff -urNp linux-2.6.37/fs/ocfs2/symlink.c linux-2.6.37/fs/ocfs2/symlink.c
33135 --- linux-2.6.37/fs/ocfs2/symlink.c 2011-01-04 19:50:19.000000000 -0500
33136 +++ linux-2.6.37/fs/ocfs2/symlink.c 2011-01-17 02:41:01.000000000 -0500
33137 @@ -148,7 +148,7 @@ bail:
33139 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
33141 - char *link = nd_get_link(nd);
33142 + const char *link = nd_get_link(nd);
33146 diff -urNp linux-2.6.37/fs/open.c linux-2.6.37/fs/open.c
33147 --- linux-2.6.37/fs/open.c 2011-01-04 19:50:19.000000000 -0500
33148 +++ linux-2.6.37/fs/open.c 2011-01-17 02:49:14.000000000 -0500
33149 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
33150 error = locks_verify_truncate(inode, NULL, length);
33152 error = security_path_truncate(&path);
33154 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
33158 error = do_truncate(path.dentry, length, 0, NULL);
33160 @@ -345,6 +349,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
33161 if (__mnt_is_readonly(path.mnt))
33164 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
33170 @@ -371,6 +378,8 @@ SYSCALL_DEFINE1(chdir, const char __user
33174 + gr_log_chdir(path.dentry, path.mnt);
33176 set_fs_pwd(current->fs, &path);
33179 @@ -397,6 +406,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
33182 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
33184 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
33188 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
33191 set_fs_pwd(current->fs, &file->f_path);
33193 @@ -425,7 +441,18 @@ SYSCALL_DEFINE1(chroot, const char __use
33197 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
33198 + goto dput_and_out;
33200 + if (gr_handle_chroot_caps(&path)) {
33202 + goto dput_and_out;
33205 set_fs_root(current->fs, &path);
33207 + gr_handle_chroot_chdir(&path);
33212 @@ -453,12 +480,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
33213 err = mnt_want_write_file(file);
33217 mutex_lock(&inode->i_mutex);
33219 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
33224 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
33227 if (mode == (mode_t) -1)
33228 mode = inode->i_mode;
33230 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
33235 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33236 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33237 err = notify_change(dentry, &newattrs);
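Review bot: `gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)` runs before the `if (mode == (mode_t) -1) mode = inode->i_mode;` normalisation, so the ACL hook judges the raw sentinel value while `gr_handle_chroot_chmod` a few lines later judges the mode that will actually be applied. Passing all-ones to the first hook is probably the conservative direction, but the two checks then disagree about what is being requested, and a denial can be logged for a call that changes nothing. Moving the normalisation above the ACL hook makes both hooks see the same value. The fchmodat hunk that follows has the same ordering with `gr_acl_handle_chmod`. Some lines of this hunk are missing from the listing, so confirm against the full file.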
33238 @@ -486,12 +526,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
33239 error = mnt_want_write(path.mnt);
33243 mutex_lock(&inode->i_mutex);
33245 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
33250 error = security_path_chmod(path.dentry, path.mnt, mode);
33253 if (mode == (mode_t) -1)
33254 mode = inode->i_mode;
33256 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
33261 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33262 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33263 error = notify_change(path.dentry, &newattrs);
33264 @@ -515,6 +568,9 @@ static int chown_common(struct path *pat
33266 struct iattr newattrs;
33268 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
33271 newattrs.ia_valid = ATTR_CTIME;
33272 if (user != (uid_t) -1) {
33273 newattrs.ia_valid |= ATTR_UID;
33274 @@ -883,7 +939,10 @@ long do_sys_open(int dfd, const char __u
33275 if (!IS_ERR(tmp)) {
33276 fd = get_unused_fd_flags(flags);
33278 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
33280 + /* don't allow to be set by userland */
33281 + flags &= ~FMODE_GREXEC;
33282 + f = do_filp_open(dfd, tmp, flags, mode, 0);
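Review bot: The comment `/* don't allow to be set by userland */` does not say what FMODE_GREXEC marks or why an FMODE_ constant is masked out of `flags`, which carries the O_* bits from the caller. Its definition is not in this section, so it should be confirmed that the bit does not coincide with an O_* flag userland may legitimately pass, since that flag would then be stripped silently. A fuller comment would help, for example `/* FMODE_GREXEC is a kernel-internal marker carried in the open flags; clear it so a caller cannot forge it */`. do_sys_open continues outside the hunk.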
33286 diff -urNp linux-2.6.37/fs/pipe.c linux-2.6.37/fs/pipe.c
33287 --- linux-2.6.37/fs/pipe.c 2011-01-04 19:50:19.000000000 -0500
33288 +++ linux-2.6.37/fs/pipe.c 2011-01-17 02:41:01.000000000 -0500
33289 @@ -420,9 +420,9 @@ redo:
33291 if (bufs) /* More to do? */
33293 - if (!pipe->writers)
33294 + if (!atomic_read(&pipe->writers))
33296 - if (!pipe->waiting_writers) {
33297 + if (!atomic_read(&pipe->waiting_writers)) {
33298 /* syscall merging: Usually we must not sleep
33299 * if O_NONBLOCK is set, or if we got some data.
33300 * But if a writer sleeps in kernel space, then
33301 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
33302 mutex_lock(&inode->i_mutex);
33303 pipe = inode->i_pipe;
33305 - if (!pipe->readers) {
33306 + if (!atomic_read(&pipe->readers)) {
33307 send_sig(SIGPIPE, current, 0);
33310 @@ -530,7 +530,7 @@ redo1:
33314 - if (!pipe->readers) {
33315 + if (!atomic_read(&pipe->readers)) {
33316 send_sig(SIGPIPE, current, 0);
33319 @@ -616,9 +616,9 @@ redo2:
33320 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
33323 - pipe->waiting_writers++;
33324 + atomic_inc(&pipe->waiting_writers);
33326 - pipe->waiting_writers--;
33327 + atomic_dec(&pipe->waiting_writers);
33330 mutex_unlock(&inode->i_mutex);
33331 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
33333 if (filp->f_mode & FMODE_READ) {
33334 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
33335 - if (!pipe->writers && filp->f_version != pipe->w_counter)
33336 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
33340 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
33341 * Most Unices do not set POLLERR for FIFOs but on Linux they
33342 * behave exactly like pipes for poll().
33344 - if (!pipe->readers)
33345 + if (!atomic_read(&pipe->readers))
33349 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
33351 mutex_lock(&inode->i_mutex);
33352 pipe = inode->i_pipe;
33353 - pipe->readers -= decr;
33354 - pipe->writers -= decw;
33355 + atomic_sub(decr, &pipe->readers);
33356 + atomic_sub(decw, &pipe->writers);
33358 - if (!pipe->readers && !pipe->writers) {
33359 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
33360 free_pipe_info(inode);
33362 wake_up_interruptible_sync(&pipe->wait);
33363 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
33365 if (inode->i_pipe) {
33367 - inode->i_pipe->readers++;
33368 + atomic_inc(&inode->i_pipe->readers);
33371 mutex_unlock(&inode->i_mutex);
33372 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
33374 if (inode->i_pipe) {
33376 - inode->i_pipe->writers++;
33377 + atomic_inc(&inode->i_pipe->writers);
33380 mutex_unlock(&inode->i_mutex);
33381 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
33382 if (inode->i_pipe) {
33384 if (filp->f_mode & FMODE_READ)
33385 - inode->i_pipe->readers++;
33386 + atomic_inc(&inode->i_pipe->readers);
33387 if (filp->f_mode & FMODE_WRITE)
33388 - inode->i_pipe->writers++;
33389 + atomic_inc(&inode->i_pipe->writers);
33392 mutex_unlock(&inode->i_mutex);
33393 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
33394 inode->i_pipe = NULL;
33397 -static struct vfsmount *pipe_mnt __read_mostly;
33398 +struct vfsmount *pipe_mnt __read_mostly;
33401 * pipefs_dname() is called from d_path().
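Review bot: Dropping `static` gives `pipe_mnt` external linkage, but this section shows neither a matching `extern struct vfsmount *pipe_mnt;` in a header nor a comment saying which code outside fs/pipe.c needs it. Without a shared declaration each user has to repeat the prototype, and a type change would not be caught at compile time. I would add the declaration to the header that the consumer includes and note the reason next to the definition, for example `/* non-static: referenced by <consumer> */` with the real user filled in.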
33402 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
33404 inode->i_pipe = pipe;
33406 - pipe->readers = pipe->writers = 1;
33407 + atomic_set(&pipe->readers, 1);
33408 + atomic_set(&pipe->writers, 1);
33409 inode->i_fop = &rdwr_pipefifo_fops;
33412 diff -urNp linux-2.6.37/fs/proc/array.c linux-2.6.37/fs/proc/array.c
33413 --- linux-2.6.37/fs/proc/array.c 2011-01-04 19:50:19.000000000 -0500
33414 +++ linux-2.6.37/fs/proc/array.c 2011-01-17 02:41:01.000000000 -0500
33416 #include <linux/tty.h>
33417 #include <linux/string.h>
33418 #include <linux/mman.h>
33419 +#include <linux/grsecurity.h>
33420 #include <linux/proc_fs.h>
33421 #include <linux/ioport.h>
33422 #include <linux/uaccess.h>
33423 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
33424 seq_printf(m, "\n");
33427 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33428 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
33431 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
33432 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
33433 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
33434 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
33435 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
33436 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
33438 + seq_printf(m, "PaX:\t-----\n");
33442 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
33443 struct pid *pid, struct task_struct *task)
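Review bot: task_pax reads `p->mm` five times for a task that need not be current, and nothing in the visible lines pins the mm. The pointer can therefore become NULL between a check and the dereferences if the task exits while its status file is being read. The guard around the first seq_printf is missing from this listing, but a plain `if (p->mm)` would not close that window. Taking a reference once with get_task_mm() and reading the flags through the local pointer removes the race, as sketched below.
```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	/* pin the mm so it cannot go away while the flags are read */
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```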
33445 @@ -357,9 +373,24 @@ int proc_pid_status(struct seq_file *m,
33446 task_show_regs(m, task);
33448 task_context_switch_counts(m, task);
33450 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33451 + task_pax(m, task);
33454 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
33455 + task_grsec_rbac(m, task);
33461 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33462 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33463 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33464 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33467 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
33468 struct pid *pid, struct task_struct *task, int whole)
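Review bot: `PAX_RAND_FLAGS` uses its parameter `_mm` unparenthesised and expands it up to four times, so any argument other than a plain identifier is parsed or evaluated differently from what the caller wrote. The visible uses pass only `mm`, so this is a style point today. The safer form is `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`, or a small static inline taking `struct mm_struct *`. A one-line comment should also say that the macro decides when address fields in /proc output are masked for other tasks.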
33470 @@ -452,6 +483,19 @@ static int do_task_stat(struct seq_file
33471 gtime = task->gtime;
33474 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33475 + if (PAX_RAND_FLAGS(mm)) {
33481 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33487 /* scale priority and nice values from timeslices to -20..20 */
33488 /* to make it look like a "normal" Unix priority/nice value */
33489 priority = task_prio(task);
33490 @@ -492,9 +536,15 @@ static int do_task_stat(struct seq_file
33492 mm ? get_mm_rss(mm) : 0,
33494 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33495 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
33496 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
33497 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
33499 mm ? mm->start_code : 0,
33500 mm ? mm->end_code : 0,
33501 (permitted && mm) ? mm->start_stack : 0,
33505 /* The signal information here is obsolete.
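Review bot: The placeholders substituted for a randomized mm differ without explanation: `start_code` and `end_code` become `1` while `start_stack` becomes `0` (the three added `PAX_RAND_FLAGS(mm) ? …` arguments). If the non-zero value is deliberate, presumably for tools that treat a zero code range specially, say so in a comment above the `#ifdef`, for example `/* randomized mm: report fixed placeholders instead of real addresses */`, and name the reason for `1`. The `seq_printf()` call these arguments belong to starts before the hunk and continues past it.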
33506 @@ -547,3 +597,10 @@ int proc_pid_statm(struct seq_file *m, s
33511 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33512 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
33514 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
33517 diff -urNp linux-2.6.37/fs/proc/base.c linux-2.6.37/fs/proc/base.c
33518 --- linux-2.6.37/fs/proc/base.c 2011-01-04 19:50:19.000000000 -0500
33519 +++ linux-2.6.37/fs/proc/base.c 2011-01-17 02:41:01.000000000 -0500
33520 @@ -104,6 +104,22 @@ struct pid_entry {
33524 +struct getdents_callback {
33525 + struct linux_dirent __user * current_dir;
33526 + struct linux_dirent __user * previous;
33527 + struct file * file;
33532 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
33533 + loff_t offset, u64 ino, unsigned int d_type)
33535 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
33536 + buf->error = -EINVAL;
33540 #define NOD(NAME, MODE, IOP, FOP, OP) { \
33542 .len = sizeof(NAME) - 1, \
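Review bot: `gr_fake_filldir()` casts `__buf` to a `struct getdents_callback` that is re-declared locally in fs/proc/base.c and then stores to `buf->error`, which assumes every caller passes that exact type. The fs/readdir.c hunks later in this patch show `vfs_readdir()` being driven with at least three callback structures (`readdir_callback`, `getdents_callback`, `getdents_callback64`), and `readdir_callback` as shown there has a different member list, so when /proc is read through a path other than `getdents` the store may land outside the caller's object. The local copy also has to be kept in step by hand with the `file` member that fs/readdir.c gains in this patch. A callback that only does `return 0;` and touches nothing behind `__buf`, or skipping the hidden task in `proc_pid_readdir()` instead of substituting a callback, would remove the type assumption; the rest of the function body is not visible in this listing.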
33543 @@ -203,6 +219,9 @@ static int check_mem_permission(struct t
33544 if (task == current)
33547 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
33551 * If current is actively ptrace'ing, and would also be
33552 * permitted to freshly attach with ptrace now, permit it.
33553 @@ -250,6 +269,9 @@ static int proc_pid_cmdline(struct task_
33555 goto out_mm; /* Shh! No looking before we're done */
33557 + if (gr_acl_handle_procpidmem(task))
33560 len = mm->arg_end - mm->arg_start;
33562 if (len > PAGE_SIZE)
33563 @@ -277,12 +299,28 @@ out:
33567 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33568 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33569 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33570 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33573 static int proc_pid_auxv(struct task_struct *task, char *buffer)
33576 struct mm_struct *mm = get_task_mm(task);
33578 unsigned int nwords = 0;
33580 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33581 + /* allow if we're currently ptracing this task */
33582 + if (PAX_RAND_FLAGS(mm) &&
33583 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
33591 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
33592 @@ -296,7 +334,7 @@ static int proc_pid_auxv(struct task_str
33596 -#ifdef CONFIG_KALLSYMS
33597 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33599 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
33600 * Returns the resolved symbol. If that fails, simply return the address.
33601 @@ -318,7 +356,7 @@ static int proc_pid_wchan(struct task_st
33603 #endif /* CONFIG_KALLSYMS */
33605 -#ifdef CONFIG_STACKTRACE
33606 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33608 #define MAX_STACK_TRACE_DEPTH 64
33610 @@ -509,7 +547,7 @@ static int proc_pid_limits(struct task_s
33614 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33615 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33616 static int proc_pid_syscall(struct task_struct *task, char *buffer)
33619 @@ -930,6 +968,9 @@ static ssize_t environ_read(struct file
33623 + if (gr_acl_handle_procpidmem(task))
33626 if (!ptrace_may_access(task, PTRACE_MODE_READ))
33629 @@ -1663,7 +1704,11 @@ static struct inode *proc_pid_make_inode
33631 cred = __task_cred(task);
33632 inode->i_uid = cred->euid;
33633 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33634 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33636 inode->i_gid = cred->egid;
33640 security_task_to_inode(task, inode);
33641 @@ -1681,6 +1726,9 @@ static int pid_getattr(struct vfsmount *
33642 struct inode *inode = dentry->d_inode;
33643 struct task_struct *task;
33644 const struct cred *cred;
33645 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33646 + const struct cred *tmpcred = current_cred();
33649 generic_fillattr(inode, stat);
33651 @@ -1688,12 +1736,34 @@ static int pid_getattr(struct vfsmount *
33654 task = pid_task(proc_pid(inode), PIDTYPE_PID);
33656 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
33657 + rcu_read_unlock();
33662 + cred = __task_cred(task);
33663 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33664 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
33665 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33666 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33670 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33671 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33672 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33673 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33674 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33676 task_dumpable(task)) {
33677 - cred = __task_cred(task);
33678 stat->uid = cred->euid;
33679 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33680 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
33682 stat->gid = cred->egid;
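Review bot: The "may this caller see another user's task" test is open-coded here as `!tmpcred->uid || (tmpcred->uid == cred->uid)` plus `in_group_p(CONFIG_GRKERNSEC_PROC_GID)`, again in negated form in the `proc_pid_readdir` hunk, and a third time in the fs/proc/proc_net.c hunk, where the USERGROUP branch tests `cred->fsuid` rather than `uid`. Unless the different credential field is intended, the three sites can disagree for a caller whose fsuid differs from its uid. A single helper shared by the three call sites would make the policy auditable in one place. pid_getattr's body continues outside the hunk.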
33687 @@ -1725,11 +1795,20 @@ static int pid_revalidate(struct dentry
33690 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33691 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33692 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33693 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33694 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33696 task_dumpable(task)) {
33698 cred = __task_cred(task);
33699 inode->i_uid = cred->euid;
33700 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33701 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33703 inode->i_gid = cred->egid;
33708 @@ -1850,7 +1929,8 @@ static int proc_fd_info(struct inode *in
33709 int fd = proc_fd(inode);
33712 - files = get_files_struct(task);
33713 + if (!gr_acl_handle_procpidmem(task))
33714 + files = get_files_struct(task);
33715 put_task_struct(task);
33718 @@ -2104,12 +2184,22 @@ static const struct file_operations proc
33719 static int proc_fd_permission(struct inode *inode, int mask)
33722 + struct task_struct *task;
33724 rv = generic_permission(inode, mask, NULL);
33728 if (task_pid(current) == proc_pid(inode))
33731 + task = get_proc_task(inode);
33732 + if (task == NULL)
33735 + if (gr_acl_handle_procpidmem(task))
33738 + put_task_struct(task);
33743 @@ -2219,6 +2309,9 @@ static struct dentry *proc_pident_lookup
33747 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33751 * Yes, it does not scale. And it should not. Don't add
33752 * new entries into /proc/<tgid>/ without very good reasons.
33753 @@ -2263,6 +2356,9 @@ static int proc_pident_readdir(struct fi
33757 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33763 @@ -2533,7 +2629,7 @@ static void *proc_self_follow_link(struc
33764 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
33767 - char *s = nd_get_link(nd);
33768 + const char *s = nd_get_link(nd);
33772 @@ -2734,7 +2830,7 @@ static const struct pid_entry tgid_base_
33773 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33775 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33776 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33777 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33778 INF("syscall", S_IRUSR, proc_pid_syscall),
33780 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33781 @@ -2759,10 +2855,10 @@ static const struct pid_entry tgid_base_
33782 #ifdef CONFIG_SECURITY
33783 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33785 -#ifdef CONFIG_KALLSYMS
33786 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33787 INF("wchan", S_IRUGO, proc_pid_wchan),
33789 -#ifdef CONFIG_STACKTRACE
33790 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33791 ONE("stack", S_IRUSR, proc_pid_stack),
33793 #ifdef CONFIG_SCHEDSTATS
33794 @@ -2793,6 +2889,9 @@ static const struct pid_entry tgid_base_
33795 INF("io", S_IRUGO, proc_tgid_io_accounting),
33797 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
33798 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33799 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
33803 static int proc_tgid_base_readdir(struct file * filp,
33804 @@ -2918,7 +3017,14 @@ static struct dentry *proc_pid_instantia
33808 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33809 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
33810 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33811 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33812 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
33814 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
33816 inode->i_op = &proc_tgid_base_inode_operations;
33817 inode->i_fop = &proc_tgid_base_operations;
33818 inode->i_flags|=S_IMMUTABLE;
33819 @@ -2960,7 +3066,11 @@ struct dentry *proc_pid_lookup(struct in
33823 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33824 + goto out_put_task;
33826 result = proc_pid_instantiate(dir, dentry, task, NULL);
33828 put_task_struct(task);
33831 @@ -3025,6 +3135,11 @@ int proc_pid_readdir(struct file * filp,
33833 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
33834 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
33835 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33836 + const struct cred *tmpcred = current_cred();
33837 + const struct cred *itercred;
33839 + filldir_t __filldir = filldir;
33840 struct tgid_iter iter;
33841 struct pid_namespace *ns;
33843 @@ -3043,8 +3158,27 @@ int proc_pid_readdir(struct file * filp,
33844 for (iter = next_tgid(ns, iter);
33846 iter.tgid += 1, iter = next_tgid(ns, iter)) {
33847 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33849 + itercred = __task_cred(iter.task);
33851 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
33852 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33853 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
33854 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33855 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33860 + __filldir = &gr_fake_filldir;
33862 + __filldir = filldir;
33863 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33864 + rcu_read_unlock();
33866 filp->f_pos = iter.tgid + TGID_OFFSET;
33867 if (!vx_proc_task_visible(iter.task))
33869 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
33870 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
33871 put_task_struct(iter.task);
33872 @@ -3071,7 +3205,7 @@ static const struct pid_entry tid_base_s
33873 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33875 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33876 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33877 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33878 INF("syscall", S_IRUSR, proc_pid_syscall),
33880 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33881 @@ -3095,10 +3229,10 @@ static const struct pid_entry tid_base_s
33882 #ifdef CONFIG_SECURITY
33883 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33885 -#ifdef CONFIG_KALLSYMS
33886 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33887 INF("wchan", S_IRUGO, proc_pid_wchan),
33889 -#ifdef CONFIG_STACKTRACE
33890 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33891 ONE("stack", S_IRUSR, proc_pid_stack),
33893 #ifdef CONFIG_SCHEDSTATS
33894 diff -urNp linux-2.6.37/fs/proc/cmdline.c linux-2.6.37/fs/proc/cmdline.c
33895 --- linux-2.6.37/fs/proc/cmdline.c 2011-01-04 19:50:19.000000000 -0500
33896 +++ linux-2.6.37/fs/proc/cmdline.c 2011-01-17 02:41:01.000000000 -0500
33897 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
33899 static int __init proc_cmdline_init(void)
33901 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33902 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
33904 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
33908 module_init(proc_cmdline_init);
33909 diff -urNp linux-2.6.37/fs/proc/devices.c linux-2.6.37/fs/proc/devices.c
33910 --- linux-2.6.37/fs/proc/devices.c 2011-01-04 19:50:19.000000000 -0500
33911 +++ linux-2.6.37/fs/proc/devices.c 2011-01-17 02:41:01.000000000 -0500
33912 @@ -64,7 +64,11 @@ static const struct file_operations proc
33914 static int __init proc_devices_init(void)
33916 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33917 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
33919 proc_create("devices", 0, NULL, &proc_devinfo_operations);
33923 module_init(proc_devices_init);
33924 diff -urNp linux-2.6.37/fs/proc/inode.c linux-2.6.37/fs/proc/inode.c
33925 --- linux-2.6.37/fs/proc/inode.c 2011-01-04 19:50:19.000000000 -0500
33926 +++ linux-2.6.37/fs/proc/inode.c 2011-01-17 02:41:01.000000000 -0500
33927 @@ -425,7 +425,11 @@ struct inode *proc_get_inode(struct supe
33929 inode->i_mode = de->mode;
33930 inode->i_uid = de->uid;
33931 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33932 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33934 inode->i_gid = de->gid;
33938 inode->i_size = de->size;
33939 diff -urNp linux-2.6.37/fs/proc/internal.h linux-2.6.37/fs/proc/internal.h
33940 --- linux-2.6.37/fs/proc/internal.h 2011-01-04 19:50:19.000000000 -0500
33941 +++ linux-2.6.37/fs/proc/internal.h 2011-01-17 02:41:01.000000000 -0500
33942 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
33943 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
33944 struct pid *pid, struct task_struct *task);
33946 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33947 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
33949 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
33951 extern const struct file_operations proc_maps_operations;
33952 diff -urNp linux-2.6.37/fs/proc/Kconfig linux-2.6.37/fs/proc/Kconfig
33953 --- linux-2.6.37/fs/proc/Kconfig 2011-01-04 19:50:19.000000000 -0500
33954 +++ linux-2.6.37/fs/proc/Kconfig 2011-01-17 02:41:01.000000000 -0500
33955 @@ -30,12 +30,12 @@ config PROC_FS
33958 bool "/proc/kcore support" if !ARM
33959 - depends on PROC_FS && MMU
33960 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33963 bool "/proc/vmcore support"
33964 - depends on PROC_FS && CRASH_DUMP
33966 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
33969 Exports the dump image of crashed kernel in ELF format.
33971 @@ -59,8 +59,8 @@ config PROC_SYSCTL
33974 config PROC_PAGE_MONITOR
33976 - depends on PROC_FS && MMU
33978 + depends on PROC_FS && MMU && !GRKERNSEC
33979 bool "Enable /proc page monitoring" if EMBEDDED
33981 Various /proc files exist to monitor process memory utilization:
33982 diff -urNp linux-2.6.37/fs/proc/kcore.c linux-2.6.37/fs/proc/kcore.c
33983 --- linux-2.6.37/fs/proc/kcore.c 2011-01-04 19:50:19.000000000 -0500
33984 +++ linux-2.6.37/fs/proc/kcore.c 2011-01-17 02:41:01.000000000 -0500
33985 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
33986 * the addresses in the elf_phdr on our list.
33988 start = kc_offset_to_vaddr(*fpos - elf_buflen);
33989 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
33990 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
33991 + if (tsz > buflen)
33996 struct kcore_list *m;
33998 @@ -509,20 +510,23 @@ read_kcore(struct file *file, char __use
34001 if (kern_addr_valid(start)) {
34004 + mm_segment_t oldfs;
34006 - n = copy_to_user(buffer, (char *)start, tsz);
34008 - * We cannot distingush between fault on source
34009 - * and fault on destination. When this happens
34010 - * we clear too and hope it will trigger the
34014 - if (clear_user(buffer + tsz - n,
34016 + elf_buf = kmalloc(tsz, GFP_KERNEL);
34019 + oldfs = get_fs();
34020 + set_fs(KERNEL_DS);
34021 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
34023 + if (copy_to_user(buffer, elf_buf, tsz)) {
34031 if (clear_user(buffer, tsz))
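Review bot: The removed comment about source versus destination faults is not replaced, so the reason for the new `kmalloc(tsz, GFP_KERNEL)` bounce buffer is left for the reader to reconstruct. A short comment before the allocation, for example `/* copy via a kernel buffer so a fault on the kernel source is told apart from a fault on the user buffer */`, would record it. Several lines of this hunk are missing from the listing, so also confirm that `set_fs(oldfs)` and `kfree(elf_buf)` are reached on every exit, including the path where `copy_to_user()` fails.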
34033 @@ -542,6 +546,9 @@ read_kcore(struct file *file, char __use
34035 static int open_kcore(struct inode *inode, struct file *filp)
34037 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
34040 if (!capable(CAP_SYS_RAWIO))
34042 if (kcore_need_update)
34043 diff -urNp linux-2.6.37/fs/proc/meminfo.c linux-2.6.37/fs/proc/meminfo.c
34044 --- linux-2.6.37/fs/proc/meminfo.c 2011-01-04 19:50:19.000000000 -0500
34045 +++ linux-2.6.37/fs/proc/meminfo.c 2011-01-17 02:41:01.000000000 -0500
34046 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
34048 vmi.largest_chunk >> 10
34049 #ifdef CONFIG_MEMORY_FAILURE
34050 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
34051 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
34055 diff -urNp linux-2.6.37/fs/proc/nommu.c linux-2.6.37/fs/proc/nommu.c
34056 --- linux-2.6.37/fs/proc/nommu.c 2011-01-04 19:50:19.000000000 -0500
34057 +++ linux-2.6.37/fs/proc/nommu.c 2011-01-17 02:41:01.000000000 -0500
34058 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
34061 seq_printf(m, "%*c", len, ' ');
34062 - seq_path(m, &file->f_path, "");
34063 + seq_path(m, &file->f_path, "\n\\");
34067 diff -urNp linux-2.6.37/fs/proc/proc_net.c linux-2.6.37/fs/proc/proc_net.c
34068 --- linux-2.6.37/fs/proc/proc_net.c 2011-01-04 19:50:19.000000000 -0500
34069 +++ linux-2.6.37/fs/proc/proc_net.c 2011-01-17 02:41:01.000000000 -0500
34070 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
34071 struct task_struct *task;
34072 struct nsproxy *ns;
34073 struct net *net = NULL;
34074 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34075 + const struct cred *cred = current_cred();
34078 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34081 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34082 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
34087 task = pid_task(proc_pid(dir), PIDTYPE_PID);
34088 diff -urNp linux-2.6.37/fs/proc/proc_sysctl.c linux-2.6.37/fs/proc/proc_sysctl.c
34089 --- linux-2.6.37/fs/proc/proc_sysctl.c 2011-01-04 19:50:19.000000000 -0500
34090 +++ linux-2.6.37/fs/proc/proc_sysctl.c 2011-01-17 02:41:01.000000000 -0500
34092 #include <linux/security.h>
34093 #include "internal.h"
34095 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
34097 static const struct dentry_operations proc_sys_dentry_operations;
34098 static const struct file_operations proc_sys_file_operations;
34099 static const struct inode_operations proc_sys_inode_operations;
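Review bot: `gr_handle_sysctl()` is declared with a bare `extern` inside fs/proc/proc_sysctl.c, whereas the fs/proc/array.c hunk in the same patch adds `#include <linux/grsecurity.h>`. A prototype kept in a .c file is not checked against the definition, so a later signature change would still compile silently. Moving the declaration to the shared header and including it here would be consistent with the other files.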
34100 @@ -111,6 +113,9 @@ static struct dentry *proc_sys_lookup(st
34104 + if (gr_handle_sysctl(p, MAY_EXEC))
34107 err = ERR_PTR(-ENOMEM);
34108 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
34110 @@ -230,6 +235,9 @@ static int scan(struct ctl_table_header
34111 if (*pos < file->f_pos)
34114 + if (gr_handle_sysctl(table, 0))
34117 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
34120 @@ -355,6 +363,9 @@ static int proc_sys_getattr(struct vfsmo
34122 return PTR_ERR(head);
34124 + if (table && gr_handle_sysctl(table, MAY_EXEC))
34127 generic_fillattr(inode, stat);
34129 stat->mode = (stat->mode & S_IFMT) | table->mode;
34130 diff -urNp linux-2.6.37/fs/proc/root.c linux-2.6.37/fs/proc/root.c
34131 --- linux-2.6.37/fs/proc/root.c 2011-01-04 19:50:19.000000000 -0500
34132 +++ linux-2.6.37/fs/proc/root.c 2011-01-17 02:41:01.000000000 -0500
34133 @@ -132,7 +132,15 @@ void __init proc_root_init(void)
34134 #ifdef CONFIG_PROC_DEVICETREE
34135 proc_device_tree_init();
34137 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34138 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34139 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
34140 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34141 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
34144 proc_mkdir("bus", NULL);
34149 diff -urNp linux-2.6.37/fs/proc/task_mmu.c linux-2.6.37/fs/proc/task_mmu.c
34150 --- linux-2.6.37/fs/proc/task_mmu.c 2011-01-04 19:50:19.000000000 -0500
34151 +++ linux-2.6.37/fs/proc/task_mmu.c 2011-01-17 02:41:01.000000000 -0500
34152 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
34153 "VmExe:\t%8lu kB\n"
34154 "VmLib:\t%8lu kB\n"
34155 "VmPTE:\t%8lu kB\n"
34156 - "VmSwap:\t%8lu kB\n",
34157 - hiwater_vm << (PAGE_SHIFT-10),
34158 + "VmSwap:\t%8lu kB\n"
34160 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34161 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
34164 + ,hiwater_vm << (PAGE_SHIFT-10),
34165 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
34166 mm->locked_vm << (PAGE_SHIFT-10),
34167 hiwater_rss << (PAGE_SHIFT-10),
34168 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
34169 data << (PAGE_SHIFT-10),
34170 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
34171 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
34172 - swap << (PAGE_SHIFT-10));
34173 + swap << (PAGE_SHIFT-10)
34175 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34176 + , mm->context.user_cs_base, mm->context.user_cs_limit
34182 unsigned long task_vsize(struct mm_struct *mm)
34183 @@ -203,6 +214,12 @@ static int do_maps_open(struct inode *in
34187 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34188 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
34189 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
34190 + _mm->pax_flags & MF_PAX_SEGMEXEC))
34193 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
34195 struct mm_struct *mm = vma->vm_mm;
34196 @@ -210,7 +227,6 @@ static void show_map_vma(struct seq_file
34197 int flags = vma->vm_flags;
34198 unsigned long ino = 0;
34199 unsigned long long pgoff = 0;
34200 - unsigned long start;
34204 @@ -221,20 +237,24 @@ static void show_map_vma(struct seq_file
34205 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
34208 - /* We don't show the stack guard page in /proc/maps */
34209 - start = vma->vm_start;
34210 - if (vma->vm_flags & VM_GROWSDOWN)
34211 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
34212 - start += PAGE_SIZE;
34214 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
34216 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34217 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
34218 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
34223 flags & VM_READ ? 'r' : '-',
34224 flags & VM_WRITE ? 'w' : '-',
34225 flags & VM_EXEC ? 'x' : '-',
34226 flags & VM_MAYSHARE ? 's' : 'p',
34227 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34228 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
34232 MAJOR(dev), MINOR(dev), ino, &len);
34235 @@ -243,16 +263,16 @@ static void show_map_vma(struct seq_file
34238 pad_len_spaces(m, len);
34239 - seq_path(m, &file->f_path, "\n");
34240 + seq_path(m, &file->f_path, "\n\\");
34242 const char *name = arch_vma_name(vma);
34245 - if (vma->vm_start <= mm->start_brk &&
34246 - vma->vm_end >= mm->brk) {
34247 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
34249 - } else if (vma->vm_start <= mm->start_stack &&
34250 - vma->vm_end >= mm->start_stack) {
34251 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
34252 + (vma->vm_start <= mm->start_stack &&
34253 + vma->vm_end >= mm->start_stack)) {
34257 @@ -398,11 +418,16 @@ static int show_smap(struct seq_file *m,
34260 memset(&mss, 0, sizeof mss);
34262 - /* mmap_sem is held in m_start */
34263 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34264 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34266 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34267 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
34270 + /* mmap_sem is held in m_start */
34271 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34272 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34273 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34276 show_map_vma(m, vma);
34279 @@ -418,7 +443,11 @@ static int show_smap(struct seq_file *m,
34281 "KernelPageSize: %8lu kB\n"
34282 "MMUPageSize: %8lu kB\n",
34283 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34284 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
34286 (vma->vm_end - vma->vm_start) >> 10,
34288 mss.resident >> 10,
34289 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
34290 mss.shared_clean >> 10,
34291 diff -urNp linux-2.6.37/fs/proc/task_nommu.c linux-2.6.37/fs/proc/task_nommu.c
34292 --- linux-2.6.37/fs/proc/task_nommu.c 2011-01-04 19:50:19.000000000 -0500
34293 +++ linux-2.6.37/fs/proc/task_nommu.c 2011-01-17 02:41:01.000000000 -0500
34294 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
34296 bytes += kobjsize(mm);
34298 - if (current->fs && current->fs->users > 1)
34299 + if (current->fs && atomic_read(¤t->fs->users) > 1)
34300 sbytes += kobjsize(current->fs);
34302 bytes += kobjsize(current->fs);
34303 @@ -165,7 +165,7 @@ static int nommu_vma_show(struct seq_fil
34306 pad_len_spaces(m, len);
34307 - seq_path(m, &file->f_path, "");
34308 + seq_path(m, &file->f_path, "\n\\");
34310 if (vma->vm_start <= mm->start_stack &&
34311 vma->vm_end >= mm->start_stack) {
34312 diff -urNp linux-2.6.37/fs/readdir.c linux-2.6.37/fs/readdir.c
34313 --- linux-2.6.37/fs/readdir.c 2011-01-04 19:50:19.000000000 -0500
34314 +++ linux-2.6.37/fs/readdir.c 2011-01-17 02:41:01.000000000 -0500
34316 #include <linux/security.h>
34317 #include <linux/syscalls.h>
34318 #include <linux/unistd.h>
34319 +#include <linux/namei.h>
34321 #include <asm/uaccess.h>
34323 @@ -67,6 +68,7 @@ struct old_linux_dirent {
34325 struct readdir_callback {
34326 struct old_linux_dirent __user * dirent;
34327 + struct file * file;
34331 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
34332 buf->result = -EOVERFLOW;
34336 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34340 dirent = buf->dirent;
34341 if (!access_ok(VERIFY_WRITE, dirent,
34342 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
34345 buf.dirent = dirent;
34348 error = vfs_readdir(file, fillonedir, &buf);
34350 @@ -142,6 +149,7 @@ struct linux_dirent {
34351 struct getdents_callback {
34352 struct linux_dirent __user * current_dir;
34353 struct linux_dirent __user * previous;
34354 + struct file * file;
34358 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
34359 buf->error = -EOVERFLOW;
34363 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34366 dirent = buf->previous;
34368 if (__put_user(offset, &dirent->d_off))
34369 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
34370 buf.previous = NULL;
34375 error = vfs_readdir(file, filldir, &buf);
34377 @@ -229,6 +242,7 @@ out:
34378 struct getdents_callback64 {
34379 struct linux_dirent64 __user * current_dir;
34380 struct linux_dirent64 __user * previous;
34381 + struct file *file;
34385 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
34386 buf->error = -EINVAL; /* only used if we fail.. */
34387 if (reclen > buf->count)
34390 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34393 dirent = buf->previous;
34395 if (__put_user(offset, &dirent->d_off))
34396 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
34398 buf.current_dir = dirent;
34399 buf.previous = NULL;
34404 diff -urNp linux-2.6.37/fs/reiserfs/do_balan.c linux-2.6.37/fs/reiserfs/do_balan.c
34405 --- linux-2.6.37/fs/reiserfs/do_balan.c 2011-01-04 19:50:19.000000000 -0500
34406 +++ linux-2.6.37/fs/reiserfs/do_balan.c 2011-01-17 02:41:02.000000000 -0500
34407 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
34411 - atomic_inc(&(fs_generation(tb->tb_sb)));
34412 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
34413 do_balance_starts(tb);
34415 /* balance leaf returns 0 except if combining L R and S into
34416 diff -urNp linux-2.6.37/fs/reiserfs/item_ops.c linux-2.6.37/fs/reiserfs/item_ops.c
34417 --- linux-2.6.37/fs/reiserfs/item_ops.c 2011-01-04 19:50:19.000000000 -0500
34418 +++ linux-2.6.37/fs/reiserfs/item_ops.c 2011-01-17 02:41:02.000000000 -0500
34419 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
34420 vi->vi_index, vi->vi_type, vi->vi_ih);
34423 -static struct item_operations stat_data_ops = {
34424 +static const struct item_operations stat_data_ops = {
34425 .bytes_number = sd_bytes_number,
34426 .decrement_key = sd_decrement_key,
34427 .is_left_mergeable = sd_is_left_mergeable,
34428 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
34429 vi->vi_index, vi->vi_type, vi->vi_ih);
34432 -static struct item_operations direct_ops = {
34433 +static const struct item_operations direct_ops = {
34434 .bytes_number = direct_bytes_number,
34435 .decrement_key = direct_decrement_key,
34436 .is_left_mergeable = direct_is_left_mergeable,
34437 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
34438 vi->vi_index, vi->vi_type, vi->vi_ih);
34441 -static struct item_operations indirect_ops = {
34442 +static const struct item_operations indirect_ops = {
34443 .bytes_number = indirect_bytes_number,
34444 .decrement_key = indirect_decrement_key,
34445 .is_left_mergeable = indirect_is_left_mergeable,
34446 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
34450 -static struct item_operations direntry_ops = {
34451 +static const struct item_operations direntry_ops = {
34452 .bytes_number = direntry_bytes_number,
34453 .decrement_key = direntry_decrement_key,
34454 .is_left_mergeable = direntry_is_left_mergeable,
34455 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
34456 "Invalid item type observed, run fsck ASAP");
34459 -static struct item_operations errcatch_ops = {
34460 +static const struct item_operations errcatch_ops = {
34461 errcatch_bytes_number,
34462 errcatch_decrement_key,
34463 errcatch_is_left_mergeable,
34464 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
34465 #error Item types must use disk-format assigned values.
34468 -struct item_operations *item_ops[TYPE_ANY + 1] = {
34469 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
34473 diff -urNp linux-2.6.37/fs/reiserfs/procfs.c linux-2.6.37/fs/reiserfs/procfs.c
34474 --- linux-2.6.37/fs/reiserfs/procfs.c 2011-01-04 19:50:19.000000000 -0500
34475 +++ linux-2.6.37/fs/reiserfs/procfs.c 2011-01-17 02:41:02.000000000 -0500
34476 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
34477 "SMALL_TAILS " : "NO_TAILS ",
34478 replay_only(sb) ? "REPLAY_ONLY " : "",
34479 convert_reiserfs(sb) ? "CONV " : "",
34480 - atomic_read(&r->s_generation_counter),
34481 + atomic_read_unchecked(&r->s_generation_counter),
34482 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
34483 SF(s_do_balance), SF(s_unneeded_left_neighbor),
34484 SF(s_good_search_by_key_reada), SF(s_bmaps),
34485 diff -urNp linux-2.6.37/fs/select.c linux-2.6.37/fs/select.c
34486 --- linux-2.6.37/fs/select.c 2011-01-04 19:50:19.000000000 -0500
34487 +++ linux-2.6.37/fs/select.c 2011-01-17 02:41:02.000000000 -0500
34489 #include <linux/module.h>
34490 #include <linux/slab.h>
34491 #include <linux/poll.h>
34492 +#include <linux/security.h>
34493 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
34494 #include <linux/file.h>
34495 #include <linux/fdtable.h>
34496 @@ -838,6 +839,7 @@ int do_sys_poll(struct pollfd __user *uf
34497 struct poll_list *walk = head;
34498 unsigned long todo = nfds;
34500 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
34501 if (nfds > rlimit(RLIMIT_NOFILE))
34504 diff -urNp linux-2.6.37/fs/seq_file.c linux-2.6.37/fs/seq_file.c
34505 --- linux-2.6.37/fs/seq_file.c 2011-01-04 19:50:19.000000000 -0500
34506 +++ linux-2.6.37/fs/seq_file.c 2011-01-17 02:41:02.000000000 -0500
34507 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
34511 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34512 + m->size = PAGE_SIZE;
34513 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34517 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
34521 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34523 + m->buf = kmalloc(m->size, GFP_KERNEL);
34524 return !m->buf ? -ENOMEM : -EAGAIN;
34527 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
34528 m->version = file->f_version;
34529 /* grab buffer if we didn't have one */
34531 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34532 + m->size = PAGE_SIZE;
34533 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34537 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
34541 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34543 + m->buf = kmalloc(m->size, GFP_KERNEL);
34547 diff -urNp linux-2.6.37/fs/splice.c linux-2.6.37/fs/splice.c
34548 --- linux-2.6.37/fs/splice.c 2011-01-04 19:50:19.000000000 -0500
34549 +++ linux-2.6.37/fs/splice.c 2011-01-17 02:41:02.000000000 -0500
34550 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
34554 - if (!pipe->readers) {
34555 + if (!atomic_read(&pipe->readers)) {
34556 send_sig(SIGPIPE, current, 0);
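Review bot: Nothing in these hunks says why `pipe->readers`, `pipe->writers` and `pipe->waiting_writers` are now read and updated through `atomic_read`/`atomic_inc`/`atomic_dec`/`atomic_set`, here in `splice_to_pipe` and in the later hunks for `splice_from_pipe_next`, `splice_direct_to_actor`, `ipipe_prep`, `opipe_prep` and `link_pipe`. Several of those accesses still sit right after `pipe_double_lock`, so a reader cannot tell whether the locking rules changed or only the counter type did. The same patch uses `atomic_read_unchecked` in fs/reiserfs/procfs.c, which suggests plain `atomic_t` is overflow-checked in this tree and that catching counter wrap is the intent. If that is right, a comment at the field declarations along the lines of `/* atomic_t so that counter overflow is detected; locking is unchanged */` would keep a later cleanup from reverting the conversion. The enclosing functions start and end outside these hunks.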
34559 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
34563 - pipe->waiting_writers++;
34564 + atomic_inc(&pipe->waiting_writers);
34566 - pipe->waiting_writers--;
34567 + atomic_dec(&pipe->waiting_writers);
34571 @@ -556,7 +556,7 @@ static ssize_t kernel_readv(struct file
34574 /* The cast to a user pointer is valid due to the set_fs() */
34575 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
34576 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
34580 @@ -571,7 +571,7 @@ static ssize_t kernel_write(struct file
34583 /* The cast to a user pointer is valid due to the set_fs() */
34584 - res = vfs_write(file, (const char __user *)buf, count, &pos);
34585 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
34589 @@ -622,7 +622,7 @@ ssize_t default_file_splice_read(struct
34592 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
34593 - vec[i].iov_base = (void __user *) page_address(page);
34594 + vec[i].iov_base = (__force void __user *) page_address(page);
34595 vec[i].iov_len = this_len;
34596 spd.pages[i] = page;
34598 @@ -849,10 +849,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
34599 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
34601 while (!pipe->nrbufs) {
34602 - if (!pipe->writers)
34603 + if (!atomic_read(&pipe->writers))
34606 - if (!pipe->waiting_writers && sd->num_spliced)
34607 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
34610 if (sd->flags & SPLICE_F_NONBLOCK)
34611 @@ -1189,7 +1189,7 @@ ssize_t splice_direct_to_actor(struct fi
34612 * out of the pipe right after the splice_to_pipe(). So set
34613 * PIPE_READERS appropriately.
34615 - pipe->readers = 1;
34616 + atomic_set(&pipe->readers, 1);
34618 current->splice_pipe = pipe;
34620 @@ -1745,9 +1745,9 @@ static int ipipe_prep(struct pipe_inode_
34621 ret = -ERESTARTSYS;
34624 - if (!pipe->writers)
34625 + if (!atomic_read(&pipe->writers))
34627 - if (!pipe->waiting_writers) {
34628 + if (!atomic_read(&pipe->waiting_writers)) {
34629 if (flags & SPLICE_F_NONBLOCK) {
34632 @@ -1779,7 +1779,7 @@ static int opipe_prep(struct pipe_inode_
34635 while (pipe->nrbufs >= pipe->buffers) {
34636 - if (!pipe->readers) {
34637 + if (!atomic_read(&pipe->readers)) {
34638 send_sig(SIGPIPE, current, 0);
34641 @@ -1792,9 +1792,9 @@ static int opipe_prep(struct pipe_inode_
34642 ret = -ERESTARTSYS;
34645 - pipe->waiting_writers++;
34646 + atomic_inc(&pipe->waiting_writers);
34648 - pipe->waiting_writers--;
34649 + atomic_dec(&pipe->waiting_writers);
34653 @@ -1830,14 +1830,14 @@ retry:
34654 pipe_double_lock(ipipe, opipe);
34657 - if (!opipe->readers) {
34658 + if (!atomic_read(&opipe->readers)) {
34659 send_sig(SIGPIPE, current, 0);
34665 - if (!ipipe->nrbufs && !ipipe->writers)
34666 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
34670 @@ -1937,7 +1937,7 @@ static int link_pipe(struct pipe_inode_i
34671 pipe_double_lock(ipipe, opipe);
34674 - if (!opipe->readers) {
34675 + if (!atomic_read(&opipe->readers)) {
34676 send_sig(SIGPIPE, current, 0);
34679 @@ -1982,7 +1982,7 @@ static int link_pipe(struct pipe_inode_i
34680 * return EAGAIN if we have the potential of some data in the
34681 * future, otherwise just return 0
34683 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
34684 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
34687 pipe_unlock(ipipe);
34688 diff -urNp linux-2.6.37/fs/sysfs/symlink.c linux-2.6.37/fs/sysfs/symlink.c
34689 --- linux-2.6.37/fs/sysfs/symlink.c 2011-01-04 19:50:19.000000000 -0500
34690 +++ linux-2.6.37/fs/sysfs/symlink.c 2011-01-17 02:41:02.000000000 -0500
34691 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
34693 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
34695 - char *page = nd_get_link(nd);
34696 + const char *page = nd_get_link(nd);
34698 free_page((unsigned long)page);
34700 diff -urNp linux-2.6.37/fs/udf/misc.c linux-2.6.37/fs/udf/misc.c
34701 --- linux-2.6.37/fs/udf/misc.c 2011-01-04 19:50:19.000000000 -0500
34702 +++ linux-2.6.37/fs/udf/misc.c 2011-01-17 02:41:02.000000000 -0500
34703 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
34704 iinfo->i_lenEAttr += size;
34705 return (struct genericFormat *)&ea[offset];
34709 + if (loc & 0x02) {
34714 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
34716 u8 udf_tag_checksum(const struct tag *t)
34718 - u8 *data = (u8 *)t;
34719 + const u8 *data = (const u8 *)t;
34722 for (i = 0; i < sizeof(struct tag); ++i)
34723 diff -urNp linux-2.6.37/fs/udf/udfdecl.h linux-2.6.37/fs/udf/udfdecl.h
34724 --- linux-2.6.37/fs/udf/udfdecl.h 2011-01-04 19:50:19.000000000 -0500
34725 +++ linux-2.6.37/fs/udf/udfdecl.h 2011-01-17 02:41:02.000000000 -0500
34726 @@ -26,7 +26,7 @@ do { \
34730 -#define udf_debug(f, a...) /**/
34731 +#define udf_debug(f, a...) do {} while (0)
34734 #define udf_info(f, a...) \
34735 diff -urNp linux-2.6.37/fs/utimes.c linux-2.6.37/fs/utimes.c
34736 --- linux-2.6.37/fs/utimes.c 2011-01-04 19:50:19.000000000 -0500
34737 +++ linux-2.6.37/fs/utimes.c 2011-01-17 02:41:02.000000000 -0500
34739 #include <linux/compiler.h>
34740 #include <linux/file.h>
34741 #include <linux/fs.h>
34742 +#include <linux/security.h>
34743 #include <linux/linkage.h>
34744 #include <linux/mount.h>
34745 #include <linux/namei.h>
34746 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
34747 goto mnt_drop_write_and_out;
34751 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
34753 + goto mnt_drop_write_and_out;
34756 mutex_lock(&inode->i_mutex);
34757 error = notify_change(path->dentry, &newattrs);
34758 mutex_unlock(&inode->i_mutex);
34759 diff -urNp linux-2.6.37/fs/xattr_acl.c linux-2.6.37/fs/xattr_acl.c
34760 --- linux-2.6.37/fs/xattr_acl.c 2011-01-04 19:50:19.000000000 -0500
34761 +++ linux-2.6.37/fs/xattr_acl.c 2011-01-17 02:41:02.000000000 -0500
34764 posix_acl_from_xattr(const void *value, size_t size)
34766 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
34767 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
34768 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
34769 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
34771 struct posix_acl *acl;
34772 struct posix_acl_entry *acl_e;
34773 diff -urNp linux-2.6.37/fs/xattr.c linux-2.6.37/fs/xattr.c
34774 --- linux-2.6.37/fs/xattr.c 2011-01-04 19:50:19.000000000 -0500
34775 +++ linux-2.6.37/fs/xattr.c 2011-01-17 02:41:02.000000000 -0500
34776 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
34777 * Extended attribute SET operations
34780 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
34781 +setxattr(struct path *path, const char __user *name, const void __user *value,
34782 size_t size, int flags)
34785 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
34786 return PTR_ERR(kvalue);
34789 - error = vfs_setxattr(d, kname, kvalue, size, flags);
34790 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
34795 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
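Review bot: The new `gr_acl_handle_setxattr` check in the `setxattr` helper covers the `setxattr`, `lsetxattr` and `fsetxattr` syscalls, but none of the fs/xattr.c hunks visible here adds a matching check on the removexattr path, although the first hunk's context sits directly after `vfs_removexattr`. Removing an attribute changes a file's metadata just as setting one does, so confirm that removal is gated elsewhere or add the equivalent hook there. Separately, the deny branch runs after `kvalue` has been obtained (the context line above is `return PTR_ERR(kvalue);`), and its body is not shown in this listing, so check that it leaves through the path that frees `kvalue` rather than returning directly. The helper's body begins and ends outside this hunk.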
34800 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
34802 error = mnt_want_write(path.mnt);
34804 - error = setxattr(path.dentry, name, value, size, flags);
34805 + error = setxattr(&path, name, value, size, flags);
34806 mnt_drop_write(path.mnt);
34809 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
34811 error = mnt_want_write(path.mnt);
34813 - error = setxattr(path.dentry, name, value, size, flags);
34814 + error = setxattr(&path, name, value, size, flags);
34815 mnt_drop_write(path.mnt);
34818 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
34819 const void __user *,value, size_t, size, int, flags)
34822 - struct dentry *dentry;
34823 int error = -EBADF;
34828 - dentry = f->f_path.dentry;
34829 - audit_inode(NULL, dentry);
34830 + audit_inode(NULL, f->f_path.dentry);
34831 error = mnt_want_write_file(f);
34833 - error = setxattr(dentry, name, value, size, flags);
34834 + error = setxattr(&f->f_path, name, value, size, flags);
34835 mnt_drop_write(f->f_path.mnt);
34838 diff -urNp linux-2.6.37/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.37/fs/xfs/linux-2.6/xfs_ioctl.c
34839 --- linux-2.6.37/fs/xfs/linux-2.6/xfs_ioctl.c 2011-01-04 19:50:19.000000000 -0500
34840 +++ linux-2.6.37/fs/xfs/linux-2.6/xfs_ioctl.c 2011-01-17 02:41:02.000000000 -0500
34841 @@ -127,7 +127,7 @@ xfs_find_handle(
34845 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
34846 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
34847 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
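Review bot: The added `hsize > sizeof handle` guard in `xfs_find_handle` has no comment, yet it is the only thing in this condition that keeps `copy_to_user` from reading past `handle` when `hsize` exceeds the object's size. A one-line comment above the condition, e.g. `/* never copy more than sizeof(handle) bytes out to userspace */`, would make the purpose clear to whoever next touches the size computation. How `hsize` is declared and computed lies outside the hunk; if it is a signed type, the comparison against `sizeof` converts it to unsigned, so a negative value is rejected as well, which is worth stating in the same comment.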
34850 diff -urNp linux-2.6.37/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.37/fs/xfs/linux-2.6/xfs_iops.c
34851 --- linux-2.6.37/fs/xfs/linux-2.6/xfs_iops.c 2011-01-04 19:50:19.000000000 -0500
34852 +++ linux-2.6.37/fs/xfs/linux-2.6/xfs_iops.c 2011-01-17 02:41:02.000000000 -0500
34853 @@ -437,7 +437,7 @@ xfs_vn_put_link(
34854 struct nameidata *nd,
34857 - char *s = nd_get_link(nd);
34858 + const char *s = nd_get_link(nd);
34862 diff -urNp linux-2.6.37/fs/xfs/xfs_bmap.c linux-2.6.37/fs/xfs/xfs_bmap.c
34863 --- linux-2.6.37/fs/xfs/xfs_bmap.c 2011-01-04 19:50:19.000000000 -0500
34864 +++ linux-2.6.37/fs/xfs/xfs_bmap.c 2011-01-17 02:41:02.000000000 -0500
34865 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
34869 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
34870 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
34874 diff -urNp linux-2.6.37/grsecurity/gracl_alloc.c linux-2.6.37/grsecurity/gracl_alloc.c
34875 --- linux-2.6.37/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
34876 +++ linux-2.6.37/grsecurity/gracl_alloc.c 2011-01-17 02:41:02.000000000 -0500
34878 +#include <linux/kernel.h>
34879 +#include <linux/mm.h>
34880 +#include <linux/slab.h>
34881 +#include <linux/vmalloc.h>
34882 +#include <linux/gracl.h>
34883 +#include <linux/grsecurity.h>
34885 +static unsigned long alloc_stack_next = 1;
34886 +static unsigned long alloc_stack_size = 1;
34887 +static void **alloc_stack;
34889 +static __inline__ int
34892 + if (alloc_stack_next == 1)
34895 + kfree(alloc_stack[alloc_stack_next - 2]);
34897 + alloc_stack_next--;
34902 +static __inline__ int
34903 +alloc_push(void *buf)
34905 + if (alloc_stack_next >= alloc_stack_size)
34908 + alloc_stack[alloc_stack_next - 1] = buf;
34910 + alloc_stack_next++;
34916 +acl_alloc(unsigned long len)
34918 + void *ret = NULL;
34920 + if (!len || len > PAGE_SIZE)
34923 + ret = kmalloc(len, GFP_KERNEL);
34926 + if (alloc_push(ret)) {
34937 +acl_alloc_num(unsigned long num, unsigned long len)
34939 + if (!len || (num > (PAGE_SIZE / len)))
34942 + return acl_alloc(num * len);
34946 +acl_free_all(void)
34948 + if (gr_acl_is_enabled() || !alloc_stack)
34951 + while (alloc_pop()) ;
34953 + if (alloc_stack) {
34954 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
34955 + kfree(alloc_stack);
34957 + vfree(alloc_stack);
34960 + alloc_stack = NULL;
34961 + alloc_stack_size = 1;
34962 + alloc_stack_next = 1;
34968 +acl_alloc_stack_init(unsigned long size)
34970 + if ((size * sizeof (void *)) <= PAGE_SIZE)
34972 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
34974 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
34976 + alloc_stack_size = size;
34978 + if (!alloc_stack)
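Review bot: `acl_alloc_stack_init` multiplies `size * sizeof (void *)` with no overflow check, unlike `acl_alloc_num` in the same file, which tests `num > (PAGE_SIZE / len)` before multiplying. Where `unsigned long` is 32 bits, a large `size` makes the product wrap, so the array is allocated smaller than `alloc_stack_size` records, while `alloc_push` bounds its writes only by `alloc_stack_size`. A guard at the top of the function, `if (size > ULONG_MAX / sizeof (void *)) return 0;`, would reject such a value. The `0` assumes the failure convention implied by the `if (!alloc_stack)` check, whose return lines are not shown in this listing. Assigning `alloc_stack_size = size` only once the allocation is known to have succeeded would also keep the recorded size and the real buffer in step.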
34983 diff -urNp linux-2.6.37/grsecurity/gracl.c linux-2.6.37/grsecurity/gracl.c
34984 --- linux-2.6.37/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
34985 +++ linux-2.6.37/grsecurity/gracl.c 2011-01-17 20:20:28.000000000 -0500
34987 +#include <linux/kernel.h>
34988 +#include <linux/module.h>
34989 +#include <linux/sched.h>
34990 +#include <linux/mm.h>
34991 +#include <linux/file.h>
34992 +#include <linux/fs.h>
34993 +#include <linux/namei.h>
34994 +#include <linux/mount.h>
34995 +#include <linux/tty.h>
34996 +#include <linux/proc_fs.h>
34997 +#include <linux/smp_lock.h>
34998 +#include <linux/lglock.h>
34999 +#include <linux/slab.h>
35000 +#include <linux/vmalloc.h>
35001 +#include <linux/types.h>
35002 +#include <linux/sysctl.h>
35003 +#include <linux/netdevice.h>
35004 +#include <linux/ptrace.h>
35005 +#include <linux/gracl.h>
35006 +#include <linux/gralloc.h>
35007 +#include <linux/grsecurity.h>
35008 +#include <linux/grinternal.h>
35009 +#include <linux/pid_namespace.h>
35010 +#include <linux/fdtable.h>
35011 +#include <linux/percpu.h>
35013 +#include <asm/uaccess.h>
35014 +#include <asm/errno.h>
35015 +#include <asm/mman.h>
35017 +static struct acl_role_db acl_role_set;
35018 +static struct name_db name_set;
35019 +static struct inodev_db inodev_set;
35021 +/* for keeping track of userspace pointers used for subjects, so we
35022 + can share references in the kernel as well
35025 +static struct path real_root;
35027 +static struct acl_subj_map_db subj_map_set;
35029 +static struct acl_role_label *default_role;
35031 +static struct acl_role_label *role_list;
35033 +static u16 acl_sp_role_value;
35035 +extern char *gr_shared_page[4];
35036 +static DEFINE_MUTEX(gr_dev_mutex);
35037 +DEFINE_RWLOCK(gr_inode_lock);
35039 +struct gr_arg *gr_usermode;
35041 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
35043 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
35044 +extern void gr_clear_learn_entries(void);
35046 +#ifdef CONFIG_GRKERNSEC_RESLOG
35047 +extern void gr_log_resource(const struct task_struct *task,
35048 + const int res, const unsigned long wanted, const int gt);
35051 +unsigned char *gr_system_salt;
35052 +unsigned char *gr_system_sum;
35054 +static struct sprole_pw **acl_special_roles = NULL;
35055 +static __u16 num_sprole_pws = 0;
35057 +static struct acl_role_label *kernel_role = NULL;
35059 +static unsigned int gr_auth_attempts = 0;
35060 +static unsigned long gr_auth_expires = 0UL;
35062 +extern struct vfsmount *sock_mnt;
35063 +extern struct vfsmount *pipe_mnt;
35064 +extern struct vfsmount *shm_mnt;
35065 +#ifdef CONFIG_HUGETLBFS
35066 +extern struct vfsmount *hugetlbfs_vfsmount;
35069 +static struct acl_object_label *fakefs_obj;
35071 +extern int gr_init_uidset(void);
35072 +extern void gr_free_uidset(void);
35073 +extern void gr_remove_uid(uid_t uid);
35074 +extern int gr_find_uid(uid_t uid);
35076 +DECLARE_BRLOCK(vfsmount_lock);
35079 +gr_acl_is_enabled(void)
35081 + return (gr_status & GR_READY);
35084 +static char gr_task_roletype_to_char(struct task_struct *task)
35086 + switch (task->role->roletype &
35087 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
35088 + GR_ROLE_SPECIAL)) {
35089 + case GR_ROLE_DEFAULT:
35091 + case GR_ROLE_USER:
35093 + case GR_ROLE_GROUP:
35095 + case GR_ROLE_SPECIAL:
35102 +char gr_roletype_to_char(void)
35104 + return gr_task_roletype_to_char(current);
35108 +gr_acl_tpe_check(void)
35110 + if (unlikely(!(gr_status & GR_READY)))
35112 + if (current->role->roletype & GR_ROLE_TPE)
35119 +gr_handle_rawio(const struct inode *inode)
35121 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
35122 + if (inode && S_ISBLK(inode->i_mode) &&
35123 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
35124 + !capable(CAP_SYS_RAWIO))
35131 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
35133 + if (likely(lena != lenb))
35136 + return !memcmp(a, b, lena);
35139 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
35141 + *buflen -= namelen;
35143 + return -ENAMETOOLONG;
35144 + *buffer -= namelen;
35145 + memcpy(*buffer, str, namelen);
35149 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
35151 + return prepend(buffer, buflen, name->name, name->len);
35154 +static int prepend_path(const struct path *path, struct path *root,
35155 + char **buffer, int *buflen)
35157 + struct dentry *dentry = path->dentry;
35158 + struct vfsmount *vfsmnt = path->mnt;
35159 + bool slash = false;
35162 + while (dentry != root->dentry || vfsmnt != root->mnt) {
35163 + struct dentry * parent;
35165 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
35166 + /* Global root? */
35167 + if (vfsmnt->mnt_parent == vfsmnt) {
35170 + dentry = vfsmnt->mnt_mountpoint;
35171 + vfsmnt = vfsmnt->mnt_parent;
35174 + parent = dentry->d_parent;
35175 + prefetch(parent);
35176 + error = prepend_name(buffer, buflen, &dentry->d_name);
35178 + error = prepend(buffer, buflen, "/", 1);
35187 + if (!error && !slash)
35188 + error = prepend(buffer, buflen, "/", 1);
35193 +/* this must be called with vfsmount_lock and dcache_lock held */
35195 +static char *__our_d_path(const struct path *path, struct path *root,
35196 + char *buf, int buflen)
35198 + char *res = buf + buflen;
35201 + prepend(&res, &buflen, "\0", 1);
35202 + error = prepend_path(path, root, &res, &buflen);
35204 + return ERR_PTR(error);
35210 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
35214 + retval = __our_d_path(path, root, buf, buflen);
35215 + if (unlikely(IS_ERR(retval)))
35216 + retval = strcpy(buf, "<path too long>");
35217 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
35218 + retval[1] = '\0';
35224 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35225 + char *buf, int buflen)
35227 + struct path path;
35230 + path.dentry = (struct dentry *)dentry;
35231 + path.mnt = (struct vfsmount *)vfsmnt;
35233 + /* we can use real_root.dentry, real_root.mnt, because this is only called
35234 + by the RBAC system */
35235 + res = gen_full_path(&path, &real_root, buf, buflen);
35241 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35242 + char *buf, int buflen)
35245 + struct path path;
35246 + struct path root;
35247 + struct task_struct *reaper = &init_task;
35249 + path.dentry = (struct dentry *)dentry;
35250 + path.mnt = (struct vfsmount *)vfsmnt;
35252 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
35253 + get_fs_root(reaper->fs, &root);
35255 + spin_lock(&dcache_lock);
35256 + br_read_lock(vfsmount_lock);
35257 + res = gen_full_path(&path, &root, buf, buflen);
35258 + br_read_unlock(vfsmount_lock);
35259 + spin_unlock(&dcache_lock);
35266 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
35269 + spin_lock(&dcache_lock);
35270 + br_read_lock(vfsmount_lock);
35271 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35273 + br_read_unlock(vfsmount_lock);
35274 + spin_unlock(&dcache_lock);
35279 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
35281 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35286 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
35288 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
35293 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
35295 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
35300 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
35302 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
35307 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
35309 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
35314 +to_gr_audit(const __u32 reqmode)
35316 + /* masks off auditable permission flags, then shifts them to create
35317 + auditing flags, and adds the special case of append auditing if
35318 + we're requesting write */
35319 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
35322 +struct acl_subject_label *
35323 +lookup_subject_map(const struct acl_subject_label *userp)
35325 + unsigned int index = shash(userp, subj_map_set.s_size);
35326 + struct subject_map *match;
35328 + match = subj_map_set.s_hash[index];
35330 + while (match && match->user != userp)
35331 + match = match->next;
35333 + if (match != NULL)
35334 + return match->kernel;
35340 +insert_subj_map_entry(struct subject_map *subjmap)
35342 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
35343 + struct subject_map **curr;
35345 + subjmap->prev = NULL;
35347 + curr = &subj_map_set.s_hash[index];
35348 + if (*curr != NULL)
35349 + (*curr)->prev = subjmap;
35351 + subjmap->next = *curr;
35357 +static struct acl_role_label *
35358 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
35361 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
35362 + struct acl_role_label *match;
35363 + struct role_allowed_ip *ipp;
35365 + u32 curr_ip = task->signal->curr_ip;
35367 + task->signal->saved_ip = curr_ip;
35369 + match = acl_role_set.r_hash[index];
35372 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
35373 + for (x = 0; x < match->domain_child_num; x++) {
35374 + if (match->domain_children[x] == uid)
35377 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
35379 + match = match->next;
35382 + if (match == NULL) {
35384 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
35385 + match = acl_role_set.r_hash[index];
35388 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
35389 + for (x = 0; x < match->domain_child_num; x++) {
35390 + if (match->domain_children[x] == gid)
35393 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
35395 + match = match->next;
35398 + if (match == NULL)
35399 + match = default_role;
35400 + if (match->allowed_ips == NULL)
35403 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35405 + ((ntohl(curr_ip) & ipp->netmask) ==
35406 + (ntohl(ipp->addr) & ipp->netmask)))
35409 + match = default_role;
35411 + } else if (match->allowed_ips == NULL) {
35414 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35416 + ((ntohl(curr_ip) & ipp->netmask) ==
35417 + (ntohl(ipp->addr) & ipp->netmask)))
35426 +struct acl_subject_label *
35427 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
35428 + const struct acl_role_label *role)
35430 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35431 + struct acl_subject_label *match;
35433 + match = role->subj_hash[index];
35435 + while (match && (match->inode != ino || match->device != dev ||
35436 + (match->mode & GR_DELETED))) {
35437 + match = match->next;
35440 + if (match && !(match->mode & GR_DELETED))
35446 +struct acl_subject_label *
35447 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
35448 + const struct acl_role_label *role)
35450 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35451 + struct acl_subject_label *match;
35453 + match = role->subj_hash[index];
35455 + while (match && (match->inode != ino || match->device != dev ||
35456 + !(match->mode & GR_DELETED))) {
35457 + match = match->next;
35460 + if (match && (match->mode & GR_DELETED))
35466 +static struct acl_object_label *
35467 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
35468 + const struct acl_subject_label *subj)
35470 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35471 + struct acl_object_label *match;
35473 + match = subj->obj_hash[index];
35475 + while (match && (match->inode != ino || match->device != dev ||
35476 + (match->mode & GR_DELETED))) {
35477 + match = match->next;
35480 + if (match && !(match->mode & GR_DELETED))
35486 +static struct acl_object_label *
35487 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
35488 + const struct acl_subject_label *subj)
35490 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35491 + struct acl_object_label *match;
35493 + match = subj->obj_hash[index];
35495 + while (match && (match->inode != ino || match->device != dev ||
35496 + !(match->mode & GR_DELETED))) {
35497 + match = match->next;
35500 + if (match && (match->mode & GR_DELETED))
35503 + match = subj->obj_hash[index];
35505 + while (match && (match->inode != ino || match->device != dev ||
35506 + (match->mode & GR_DELETED))) {
35507 + match = match->next;
35510 + if (match && !(match->mode & GR_DELETED))
35516 +static struct name_entry *
35517 +lookup_name_entry(const char *name)
35519 + unsigned int len = strlen(name);
35520 + unsigned int key = full_name_hash(name, len);
35521 + unsigned int index = key % name_set.n_size;
35522 + struct name_entry *match;
35524 + match = name_set.n_hash[index];
35526 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
35527 + match = match->next;
35532 +static struct name_entry *
35533 +lookup_name_entry_create(const char *name)
35535 + unsigned int len = strlen(name);
35536 + unsigned int key = full_name_hash(name, len);
35537 + unsigned int index = key % name_set.n_size;
35538 + struct name_entry *match;
35540 + match = name_set.n_hash[index];
35542 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35543 + !match->deleted))
35544 + match = match->next;
35546 + if (match && match->deleted)
35549 + match = name_set.n_hash[index];
35551 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35553 + match = match->next;
35555 + if (match && !match->deleted)
35561 +static struct inodev_entry *
35562 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
35564 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
35565 + struct inodev_entry *match;
35567 + match = inodev_set.i_hash[index];
35569 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
35570 + match = match->next;
35576 +insert_inodev_entry(struct inodev_entry *entry)
35578 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
35579 + inodev_set.i_size);
35580 + struct inodev_entry **curr;
35582 + entry->prev = NULL;
35584 + curr = &inodev_set.i_hash[index];
35585 + if (*curr != NULL)
35586 + (*curr)->prev = entry;
35588 + entry->next = *curr;
35595 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
35597 + unsigned int index =
35598 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
35599 + struct acl_role_label **curr;
35600 + struct acl_role_label *tmp;
35602 + curr = &acl_role_set.r_hash[index];
35604 + /* if role was already inserted due to domains and already has
35605 + a role in the same bucket as it attached, then we need to
35606 + combine these two buckets
35608 + if (role->next) {
35609 + tmp = role->next;
35610 + while (tmp->next)
35612 + tmp->next = *curr;
35614 + role->next = *curr;
35621 +insert_acl_role_label(struct acl_role_label *role)
35625 + if (role_list == NULL) {
35626 + role_list = role;
35627 + role->prev = NULL;
35629 + role->prev = role_list;
35630 + role_list = role;
35633 + /* used for hash chains */
35634 + role->next = NULL;
35636 + if (role->roletype & GR_ROLE_DOMAIN) {
35637 + for (i = 0; i < role->domain_child_num; i++)
35638 + __insert_acl_role_label(role, role->domain_children[i]);
35640 + __insert_acl_role_label(role, role->uidgid);
35644 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
35646 + struct name_entry **curr, *nentry;
35647 + struct inodev_entry *ientry;
35648 + unsigned int len = strlen(name);
35649 + unsigned int key = full_name_hash(name, len);
35650 + unsigned int index = key % name_set.n_size;
35652 + curr = &name_set.n_hash[index];
35654 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
35655 + curr = &((*curr)->next);
35657 + if (*curr != NULL)
35660 + nentry = acl_alloc(sizeof (struct name_entry));
35661 + if (nentry == NULL)
35663 + ientry = acl_alloc(sizeof (struct inodev_entry));
35664 + if (ientry == NULL)
35666 + ientry->nentry = nentry;
35668 + nentry->key = key;
35669 + nentry->name = name;
35670 + nentry->inode = inode;
35671 + nentry->device = device;
35672 + nentry->len = len;
35673 + nentry->deleted = deleted;
35675 + nentry->prev = NULL;
35676 + curr = &name_set.n_hash[index];
35677 + if (*curr != NULL)
35678 + (*curr)->prev = nentry;
35679 + nentry->next = *curr;
35682 + /* insert us into the table searchable by inode/dev */
35683 + insert_inodev_entry(ientry);
35689 +insert_acl_obj_label(struct acl_object_label *obj,
35690 + struct acl_subject_label *subj)
35692 + unsigned int index =
35693 + fhash(obj->inode, obj->device, subj->obj_hash_size);
35694 + struct acl_object_label **curr;
35697 + obj->prev = NULL;
35699 + curr = &subj->obj_hash[index];
35700 + if (*curr != NULL)
35701 + (*curr)->prev = obj;
35703 + obj->next = *curr;
35710 +insert_acl_subj_label(struct acl_subject_label *obj,
35711 + struct acl_role_label *role)
35713 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
35714 + struct acl_subject_label **curr;
35716 + obj->prev = NULL;
35718 + curr = &role->subj_hash[index];
35719 + if (*curr != NULL)
35720 + (*curr)->prev = obj;
35722 + obj->next = *curr;
35728 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
35731 +create_table(__u32 * len, int elementsize)
35733 + unsigned int table_sizes[] = {
35734 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
35735 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
35736 + 4194301, 8388593, 16777213, 33554393, 67108859
35738 + void *newtable = NULL;
35739 + unsigned int pwr = 0;
35741 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
35742 + table_sizes[pwr] <= *len)
35745 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
35748 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
35750 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
35752 + newtable = vmalloc(table_sizes[pwr] * elementsize);
35754 + *len = table_sizes[pwr];
35760 +init_variables(const struct gr_arg *arg)
35762 + struct task_struct *reaper = &init_task;
35763 + unsigned int stacksize;
35765 + subj_map_set.s_size = arg->role_db.num_subjects;
35766 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
35767 + name_set.n_size = arg->role_db.num_objects;
35768 + inodev_set.i_size = arg->role_db.num_objects;
35770 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
35771 + !name_set.n_size || !inodev_set.i_size)
35774 + if (!gr_init_uidset())
35777 + /* set up the stack that holds allocation info */
35779 + stacksize = arg->role_db.num_pointers + 5;
35781 + if (!acl_alloc_stack_init(stacksize))
35784 + /* grab reference for the real root dentry and vfsmount */
35785 + get_fs_root(reaper->fs, &real_root);
35787 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
35788 + if (fakefs_obj == NULL)
35790 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
35792 + subj_map_set.s_hash =
35793 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
35794 + acl_role_set.r_hash =
35795 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
35796 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
35797 + inodev_set.i_hash =
35798 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
35800 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
35801 + !name_set.n_hash || !inodev_set.i_hash)
35804 + memset(subj_map_set.s_hash, 0,
35805 + sizeof(struct subject_map *) * subj_map_set.s_size);
35806 + memset(acl_role_set.r_hash, 0,
35807 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
35808 + memset(name_set.n_hash, 0,
35809 + sizeof (struct name_entry *) * name_set.n_size);
35810 + memset(inodev_set.i_hash, 0,
35811 + sizeof (struct inodev_entry *) * inodev_set.i_size);
35816 +/* free information not needed after startup
35817 + currently contains user->kernel pointer mappings for subjects
35821 +free_init_variables(void)
35825 + if (subj_map_set.s_hash) {
35826 + for (i = 0; i < subj_map_set.s_size; i++) {
35827 + if (subj_map_set.s_hash[i]) {
35828 + kfree(subj_map_set.s_hash[i]);
35829 + subj_map_set.s_hash[i] = NULL;
35833 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
35835 + kfree(subj_map_set.s_hash);
35837 + vfree(subj_map_set.s_hash);
35844 +free_variables(void)
35846 + struct acl_subject_label *s;
35847 + struct acl_role_label *r;
35848 + struct task_struct *task, *task2;
35851 + gr_clear_learn_entries();
35853 + read_lock(&tasklist_lock);
35854 + do_each_thread(task2, task) {
35855 + task->acl_sp_role = 0;
35856 + task->acl_role_id = 0;
35857 + task->acl = NULL;
35858 + task->role = NULL;
35859 + } while_each_thread(task2, task);
35860 + read_unlock(&tasklist_lock);
35862 + /* release the reference to the real root dentry and vfsmount */
35863 + path_put(&real_root);
35865 + /* free all object hash tables */
35867 + FOR_EACH_ROLE_START(r)
35868 + if (r->subj_hash == NULL)
35870 + FOR_EACH_SUBJECT_START(r, s, x)
35871 + if (s->obj_hash == NULL)
35873 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35874 + kfree(s->obj_hash);
35876 + vfree(s->obj_hash);
35877 + FOR_EACH_SUBJECT_END(s, x)
35878 + FOR_EACH_NESTED_SUBJECT_START(r, s)
35879 + if (s->obj_hash == NULL)
35881 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35882 + kfree(s->obj_hash);
35884 + vfree(s->obj_hash);
35885 + FOR_EACH_NESTED_SUBJECT_END(s)
35886 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
35887 + kfree(r->subj_hash);
35889 + vfree(r->subj_hash);
35890 + r->subj_hash = NULL;
35892 + FOR_EACH_ROLE_END(r)
35896 + if (acl_role_set.r_hash) {
35897 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
35899 + kfree(acl_role_set.r_hash);
35901 + vfree(acl_role_set.r_hash);
35903 + if (name_set.n_hash) {
35904 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
35906 + kfree(name_set.n_hash);
35908 + vfree(name_set.n_hash);
35911 + if (inodev_set.i_hash) {
35912 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
35914 + kfree(inodev_set.i_hash);
35916 + vfree(inodev_set.i_hash);
35919 + gr_free_uidset();
35921 + memset(&name_set, 0, sizeof (struct name_db));
35922 + memset(&inodev_set, 0, sizeof (struct inodev_db));
35923 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
35924 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
35926 + default_role = NULL;
35927 + role_list = NULL;
35933 +count_user_objs(struct acl_object_label *userp)
35935 + struct acl_object_label o_tmp;
35939 + if (copy_from_user(&o_tmp, userp,
35940 + sizeof (struct acl_object_label)))
35943 + userp = o_tmp.prev;
35950 +static struct acl_subject_label *
35951 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
35954 +copy_user_glob(struct acl_object_label *obj)
35956 + struct acl_object_label *g_tmp, **guser;
35957 + unsigned int len;
35960 + if (obj->globbed == NULL)
35963 + guser = &obj->globbed;
35965 + g_tmp = (struct acl_object_label *)
35966 + acl_alloc(sizeof (struct acl_object_label));
35967 + if (g_tmp == NULL)
35970 + if (copy_from_user(g_tmp, *guser,
35971 + sizeof (struct acl_object_label)))
35974 + len = strnlen_user(g_tmp->filename, PATH_MAX);
35976 + if (!len || len >= PATH_MAX)
35979 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35982 + if (copy_from_user(tmp, g_tmp->filename, len))
35984 + tmp[len-1] = '\0';
35985 + g_tmp->filename = tmp;
35988 + guser = &(g_tmp->next);
35995 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
35996 + struct acl_role_label *role)
35998 + struct acl_object_label *o_tmp;
35999 + unsigned int len;
36004 + if ((o_tmp = (struct acl_object_label *)
36005 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
36008 + if (copy_from_user(o_tmp, userp,
36009 + sizeof (struct acl_object_label)))
36012 + userp = o_tmp->prev;
36014 + len = strnlen_user(o_tmp->filename, PATH_MAX);
36016 + if (!len || len >= PATH_MAX)
36019 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36022 + if (copy_from_user(tmp, o_tmp->filename, len))
36024 + tmp[len-1] = '\0';
36025 + o_tmp->filename = tmp;
36027 + insert_acl_obj_label(o_tmp, subj);
36028 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
36029 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
36032 + ret = copy_user_glob(o_tmp);
36036 + if (o_tmp->nested) {
36037 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
36038 + if (IS_ERR(o_tmp->nested))
36039 + return PTR_ERR(o_tmp->nested);
36041 + /* insert into nested subject list */
36042 + o_tmp->nested->next = role->hash->first;
36043 + role->hash->first = o_tmp->nested;
36051 +count_user_subjs(struct acl_subject_label *userp)
36053 + struct acl_subject_label s_tmp;
36057 + if (copy_from_user(&s_tmp, userp,
36058 + sizeof (struct acl_subject_label)))
36061 + userp = s_tmp.prev;
36062 + /* do not count nested subjects against this count, since
36063 + they are not included in the hash table, but are
36064 + attached to objects. We have already counted
36065 + the subjects in userspace for the allocation
36068 + if (!(s_tmp.mode & GR_NESTED))
36076 +copy_user_allowedips(struct acl_role_label *rolep)
36078 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
36080 + ruserip = rolep->allowed_ips;
36082 + while (ruserip) {
36085 + if ((rtmp = (struct role_allowed_ip *)
36086 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
36089 + if (copy_from_user(rtmp, ruserip,
36090 + sizeof (struct role_allowed_ip)))
36093 + ruserip = rtmp->prev;
36096 + rtmp->prev = NULL;
36097 + rolep->allowed_ips = rtmp;
36099 + rlast->next = rtmp;
36100 + rtmp->prev = rlast;
36104 + rtmp->next = NULL;
36111 +copy_user_transitions(struct acl_role_label *rolep)
36113 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
36115 + unsigned int len;
36118 + rusertp = rolep->transitions;
36120 + while (rusertp) {
36123 + if ((rtmp = (struct role_transition *)
36124 + acl_alloc(sizeof (struct role_transition))) == NULL)
36127 + if (copy_from_user(rtmp, rusertp,
36128 + sizeof (struct role_transition)))
36131 + rusertp = rtmp->prev;
36133 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
36135 + if (!len || len >= GR_SPROLE_LEN)
36138 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36141 + if (copy_from_user(tmp, rtmp->rolename, len))
36143 + tmp[len-1] = '\0';
36144 + rtmp->rolename = tmp;
36147 + rtmp->prev = NULL;
36148 + rolep->transitions = rtmp;
36150 + rlast->next = rtmp;
36151 + rtmp->prev = rlast;
36155 + rtmp->next = NULL;
36161 +static struct acl_subject_label *
36162 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
36164 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
36165 + unsigned int len;
36168 + struct acl_ip_label **i_tmp, *i_utmp2;
36169 + struct gr_hash_struct ghash;
36170 + struct subject_map *subjmap;
36171 + unsigned int i_num;
36174 + s_tmp = lookup_subject_map(userp);
36176 + /* we've already copied this subject into the kernel, just return
36177 + the reference to it, and don't copy it over again
36182 + if ((s_tmp = (struct acl_subject_label *)
36183 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
36184 + return ERR_PTR(-ENOMEM);
36186 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
36187 + if (subjmap == NULL)
36188 + return ERR_PTR(-ENOMEM);
36190 + subjmap->user = userp;
36191 + subjmap->kernel = s_tmp;
36192 + insert_subj_map_entry(subjmap);
36194 + if (copy_from_user(s_tmp, userp,
36195 + sizeof (struct acl_subject_label)))
36196 + return ERR_PTR(-EFAULT);
36198 + len = strnlen_user(s_tmp->filename, PATH_MAX);
36200 + if (!len || len >= PATH_MAX)
36201 + return ERR_PTR(-EINVAL);
36203 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36204 + return ERR_PTR(-ENOMEM);
36206 + if (copy_from_user(tmp, s_tmp->filename, len))
36207 + return ERR_PTR(-EFAULT);
36208 + tmp[len-1] = '\0';
36209 + s_tmp->filename = tmp;
36211 + if (!strcmp(s_tmp->filename, "/"))
36212 + role->root_label = s_tmp;
36214 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
36215 + return ERR_PTR(-EFAULT);
36217 + /* copy user and group transition tables */
36219 + if (s_tmp->user_trans_num) {
36222 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
36223 + if (uidlist == NULL)
36224 + return ERR_PTR(-ENOMEM);
36225 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
36226 + return ERR_PTR(-EFAULT);
36228 + s_tmp->user_transitions = uidlist;
36231 + if (s_tmp->group_trans_num) {
36234 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
36235 + if (gidlist == NULL)
36236 + return ERR_PTR(-ENOMEM);
36237 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
36238 + return ERR_PTR(-EFAULT);
36240 + s_tmp->group_transitions = gidlist;
36243 + /* set up object hash table */
36244 + num_objs = count_user_objs(ghash.first);
36246 + s_tmp->obj_hash_size = num_objs;
36247 + s_tmp->obj_hash =
36248 + (struct acl_object_label **)
36249 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
36251 + if (!s_tmp->obj_hash)
36252 + return ERR_PTR(-ENOMEM);
36254 + memset(s_tmp->obj_hash, 0,
36255 + s_tmp->obj_hash_size *
36256 + sizeof (struct acl_object_label *));
36258 + /* add in objects */
36259 + err = copy_user_objs(ghash.first, s_tmp, role);
36262 + return ERR_PTR(err);
36264 + /* set pointer for parent subject */
36265 + if (s_tmp->parent_subject) {
36266 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
36268 + if (IS_ERR(s_tmp2))
36271 + s_tmp->parent_subject = s_tmp2;
36274 + /* add in ip acls */
36276 + if (!s_tmp->ip_num) {
36277 + s_tmp->ips = NULL;
36282 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
36283 + sizeof (struct acl_ip_label *));
36286 + return ERR_PTR(-ENOMEM);
36288 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
36289 + *(i_tmp + i_num) =
36290 + (struct acl_ip_label *)
36291 + acl_alloc(sizeof (struct acl_ip_label));
36292 + if (!*(i_tmp + i_num))
36293 + return ERR_PTR(-ENOMEM);
36295 + if (copy_from_user
36296 + (&i_utmp2, s_tmp->ips + i_num,
36297 + sizeof (struct acl_ip_label *)))
36298 + return ERR_PTR(-EFAULT);
36300 + if (copy_from_user
36301 + (*(i_tmp + i_num), i_utmp2,
36302 + sizeof (struct acl_ip_label)))
36303 + return ERR_PTR(-EFAULT);
36305 + if ((*(i_tmp + i_num))->iface == NULL)
36308 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
36309 + if (!len || len >= IFNAMSIZ)
36310 + return ERR_PTR(-EINVAL);
36311 + tmp = acl_alloc(len);
36313 + return ERR_PTR(-ENOMEM);
36314 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
36315 + return ERR_PTR(-EFAULT);
36316 + (*(i_tmp + i_num))->iface = tmp;
36319 + s_tmp->ips = i_tmp;
36322 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
36323 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
36324 + return ERR_PTR(-ENOMEM);
36330 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
36332 + struct acl_subject_label s_pre;
36333 + struct acl_subject_label * ret;
36337 + if (copy_from_user(&s_pre, userp,
36338 + sizeof (struct acl_subject_label)))
36341 + /* do not add nested subjects here, add
36342 + while parsing objects
36345 + if (s_pre.mode & GR_NESTED) {
36346 + userp = s_pre.prev;
36350 + ret = do_copy_user_subj(userp, role);
36352 + err = PTR_ERR(ret);
36356 + insert_acl_subj_label(ret, role);
36358 + userp = s_pre.prev;
36365 +copy_user_acl(struct gr_arg *arg)
36367 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
36368 + struct sprole_pw *sptmp;
36369 + struct gr_hash_struct *ghash;
36370 + uid_t *domainlist;
36371 + unsigned int r_num;
36372 + unsigned int len;
36378 + /* we need a default and kernel role */
36379 + if (arg->role_db.num_roles < 2)
36382 + /* copy special role authentication info from userspace */
36384 + num_sprole_pws = arg->num_sprole_pws;
36385 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
36387 + if (!acl_special_roles) {
36392 + for (i = 0; i < num_sprole_pws; i++) {
36393 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
36398 + if (copy_from_user(sptmp, arg->sprole_pws + i,
36399 + sizeof (struct sprole_pw))) {
36405 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
36407 + if (!len || len >= GR_SPROLE_LEN) {
36412 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36417 + if (copy_from_user(tmp, sptmp->rolename, len)) {
36421 + tmp[len-1] = '\0';
36422 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36423 + printk(KERN_ALERT "Copying special role %s\n", tmp);
36425 + sptmp->rolename = tmp;
36426 + acl_special_roles[i] = sptmp;
36429 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
36431 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
36432 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
36439 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
36440 + sizeof (struct acl_role_label *))) {
36445 + if (copy_from_user(r_tmp, r_utmp2,
36446 + sizeof (struct acl_role_label))) {
36451 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
36453 + if (!len || len >= PATH_MAX) {
36458 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36462 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
36466 + tmp[len-1] = '\0';
36467 + r_tmp->rolename = tmp;
36469 + if (!strcmp(r_tmp->rolename, "default")
36470 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
36471 + default_role = r_tmp;
36472 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
36473 + kernel_role = r_tmp;
36476 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
36480 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
36485 + r_tmp->hash = ghash;
36487 + num_subjs = count_user_subjs(r_tmp->hash->first);
36489 + r_tmp->subj_hash_size = num_subjs;
36490 + r_tmp->subj_hash =
36491 + (struct acl_subject_label **)
36492 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
36494 + if (!r_tmp->subj_hash) {
36499 + err = copy_user_allowedips(r_tmp);
36503 + /* copy domain info */
36504 + if (r_tmp->domain_children != NULL) {
36505 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
36506 + if (domainlist == NULL) {
36510 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
36514 + r_tmp->domain_children = domainlist;
36517 + err = copy_user_transitions(r_tmp);
36521 + memset(r_tmp->subj_hash, 0,
36522 + r_tmp->subj_hash_size *
36523 + sizeof (struct acl_subject_label *));
36525 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
36530 + /* set nested subject list to null */
36531 + r_tmp->hash->first = NULL;
36533 + insert_acl_role_label(r_tmp);
36538 + free_variables();
36545 +gracl_init(struct gr_arg *args)
36549 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
36550 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
36552 + if (init_variables(args)) {
36553 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
36555 + free_variables();
36559 + error = copy_user_acl(args);
36560 + free_init_variables();
36562 + free_variables();
36566 + if ((error = gr_set_acls(0))) {
36567 + free_variables();
36571 + pax_open_kernel();
36572 + gr_status |= GR_READY;
36573 + pax_close_kernel();
36579 +/* derived from glibc fnmatch() 0: match, 1: no match*/
36582 +glob_match(const char *p, const char *n)
36586 + while ((c = *p++) != '\0') {
36591 + else if (*n == '/')
36599 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
36602 + else if (c == '?') {
36612 + const char *endp;
36614 + if ((endp = strchr(n, '/')) == NULL)
36615 + endp = n + strlen(n);
36618 + for (--p; n < endp; ++n)
36619 + if (!glob_match(p, n))
36621 + } else if (c == '/') {
36622 + while (*n != '\0' && *n != '/')
36624 + if (*n == '/' && !glob_match(p, n + 1))
36627 + for (--p; n < endp; ++n)
36628 + if (*n == c && !glob_match(p, n))
36639 + if (*n == '\0' || *n == '/')
36642 + not = (*p == '!' || *p == '^');
36648 + unsigned char fn = (unsigned char)*n;
36658 + if (c == '-' && *p != ']') {
36659 + unsigned char cend = *p++;
36661 + if (cend == '\0')
36664 + if (cold <= fn && fn <= cend)
36678 + while (c != ']') {
36705 +static struct acl_object_label *
36706 +chk_glob_label(struct acl_object_label *globbed,
36707 + struct dentry *dentry, struct vfsmount *mnt, char **path)
36709 + struct acl_object_label *tmp;
36711 + if (*path == NULL)
36712 + *path = gr_to_filename_nolock(dentry, mnt);
36717 + if (!glob_match(tmp->filename, *path))
36725 +static struct acl_object_label *
36726 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36727 + const ino_t curr_ino, const dev_t curr_dev,
36728 + const struct acl_subject_label *subj, char **path, const int checkglob)
36730 + struct acl_subject_label *tmpsubj;
36731 + struct acl_object_label *retval;
36732 + struct acl_object_label *retval2;
36734 + tmpsubj = (struct acl_subject_label *) subj;
36735 + read_lock(&gr_inode_lock);
36737 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
36739 + if (checkglob && retval->globbed) {
36740 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
36741 + (struct vfsmount *)orig_mnt, path);
36743 + retval = retval2;
36747 + } while ((tmpsubj = tmpsubj->parent_subject));
36748 + read_unlock(&gr_inode_lock);
36753 +static __inline__ struct acl_object_label *
36754 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36755 + const struct dentry *curr_dentry,
36756 + const struct acl_subject_label *subj, char **path, const int checkglob)
36758 + int newglob = checkglob;
36760 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
36761 + as we don't want a / * rule to match instead of the / object
36762 + don't do this for create lookups that call this function though, since they're looking up
36763 + on the parent and thus need globbing checks on all paths
36765 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
36766 + newglob = GR_NO_GLOB;
36768 + return __full_lookup(orig_dentry, orig_mnt,
36769 + curr_dentry->d_inode->i_ino,
36770 + curr_dentry->d_inode->i_sb->s_dev, subj, path, newglob);
36773 +static struct acl_object_label *
36774 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36775 + const struct acl_subject_label *subj, char *path, const int checkglob)
36777 + struct dentry *dentry = (struct dentry *) l_dentry;
36778 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36779 + struct acl_object_label *retval;
36781 + spin_lock(&dcache_lock);
36782 + br_read_lock(vfsmount_lock);
36784 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
36785 +#ifdef CONFIG_HUGETLBFS
36786 + mnt == hugetlbfs_vfsmount ||
36788 + /* ignore Eric Biederman */
36789 + IS_PRIVATE(l_dentry->d_inode))) {
36790 + retval = fakefs_obj;
36795 + if (dentry == real_root.dentry && mnt == real_root.mnt)
36798 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36799 + if (mnt->mnt_parent == mnt)
36802 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36803 + if (retval != NULL)
36806 + dentry = mnt->mnt_mountpoint;
36807 + mnt = mnt->mnt_parent;
36811 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36812 + if (retval != NULL)
36815 + dentry = dentry->d_parent;
36818 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36820 + if (retval == NULL)
36821 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
36823 + br_read_unlock(vfsmount_lock);
36824 + spin_unlock(&dcache_lock);
36826 + BUG_ON(retval == NULL);
36831 +static __inline__ struct acl_object_label *
36832 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36833 + const struct acl_subject_label *subj)
36835 + char *path = NULL;
36836 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
36839 +static __inline__ struct acl_object_label *
36840 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36841 + const struct acl_subject_label *subj)
36843 + char *path = NULL;
36844 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
36847 +static __inline__ struct acl_object_label *
36848 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36849 + const struct acl_subject_label *subj, char *path)
36851 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
36854 +static struct acl_subject_label *
36855 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36856 + const struct acl_role_label *role)
36858 + struct dentry *dentry = (struct dentry *) l_dentry;
36859 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36860 + struct acl_subject_label *retval;
36862 + spin_lock(&dcache_lock);
36863 + br_read_lock(vfsmount_lock);
36866 + if (dentry == real_root.dentry && mnt == real_root.mnt)
36868 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36869 + if (mnt->mnt_parent == mnt)
36872 + read_lock(&gr_inode_lock);
36874 + lookup_acl_subj_label(dentry->d_inode->i_ino,
36875 + dentry->d_inode->i_sb->s_dev, role);
36876 + read_unlock(&gr_inode_lock);
36877 + if (retval != NULL)
36880 + dentry = mnt->mnt_mountpoint;
36881 + mnt = mnt->mnt_parent;
36885 + read_lock(&gr_inode_lock);
36886 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36887 + dentry->d_inode->i_sb->s_dev, role);
36888 + read_unlock(&gr_inode_lock);
36889 + if (retval != NULL)
36892 + dentry = dentry->d_parent;
36895 + read_lock(&gr_inode_lock);
36896 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36897 + dentry->d_inode->i_sb->s_dev, role);
36898 + read_unlock(&gr_inode_lock);
36900 + if (unlikely(retval == NULL)) {
36901 + read_lock(&gr_inode_lock);
36902 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
36903 + real_root.dentry->d_inode->i_sb->s_dev, role);
36904 + read_unlock(&gr_inode_lock);
36907 + br_read_unlock(vfsmount_lock);
36908 + spin_unlock(&dcache_lock);
36910 + BUG_ON(retval == NULL);
36916 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
36918 + struct task_struct *task = current;
36919 + const struct cred *cred = current_cred();
36921 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36922 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36923 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36924 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
36930 +gr_log_learn_sysctl(const char *path, const __u32 mode)
36932 + struct task_struct *task = current;
36933 + const struct cred *cred = current_cred();
36935 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36936 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36937 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36938 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
36944 +gr_log_learn_id_change(const char type, const unsigned int real,
36945 + const unsigned int effective, const unsigned int fs)
36947 + struct task_struct *task = current;
36948 + const struct cred *cred = current_cred();
36950 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
36951 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36952 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36953 + type, real, effective, fs, &task->signal->saved_ip);
36959 +gr_check_link(const struct dentry * new_dentry,
36960 + const struct dentry * parent_dentry,
36961 + const struct vfsmount * parent_mnt,
36962 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
36964 + struct acl_object_label *obj;
36965 + __u32 oldmode, newmode;
36968 + if (unlikely(!(gr_status & GR_READY)))
36969 + return (GR_CREATE | GR_LINK);
36971 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
36972 + oldmode = obj->mode;
36974 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36975 + oldmode |= (GR_CREATE | GR_LINK);
36977 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
36978 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36979 + needmode |= GR_SETID | GR_AUDIT_SETID;
36982 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
36983 + oldmode | needmode);
36985 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
36986 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
36987 + GR_INHERIT | GR_AUDIT_INHERIT);
36989 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
36992 + if ((oldmode & needmode) != needmode)
36995 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
36996 + if ((newmode & needmode) != needmode)
36999 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
37002 + needmode = oldmode;
37003 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
37004 + needmode |= GR_SETID;
37006 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
37007 + gr_log_learn(old_dentry, old_mnt, needmode);
37008 + return (GR_CREATE | GR_LINK);
37009 + } else if (newmode & GR_SUPPRESS)
37010 + return GR_SUPPRESS;
37016 +gr_search_file(const struct dentry * dentry, const __u32 mode,
37017 + const struct vfsmount * mnt)
37019 + __u32 retval = mode;
37020 + struct acl_subject_label *curracl;
37021 + struct acl_object_label *currobj;
37023 + if (unlikely(!(gr_status & GR_READY)))
37024 + return (mode & ~GR_AUDITS);
37026 + curracl = current->acl;
37028 + currobj = chk_obj_label(dentry, mnt, curracl);
37029 + retval = currobj->mode & mode;
37032 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
37033 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
37034 + __u32 new_mode = mode;
37036 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37038 + retval = new_mode;
37040 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
37041 + new_mode |= GR_INHERIT;
37043 + if (!(mode & GR_NOLEARN))
37044 + gr_log_learn(dentry, mnt, new_mode);
37051 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
37052 + const struct vfsmount * mnt, const __u32 mode)
37054 + struct name_entry *match;
37055 + struct acl_object_label *matchpo;
37056 + struct acl_subject_label *curracl;
37060 + if (unlikely(!(gr_status & GR_READY)))
37061 + return (mode & ~GR_AUDITS);
37063 + preempt_disable();
37064 + path = gr_to_filename_rbac(new_dentry, mnt);
37065 + match = lookup_name_entry_create(path);
37068 + goto check_parent;
37070 + curracl = current->acl;
37072 + read_lock(&gr_inode_lock);
37073 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
37074 + read_unlock(&gr_inode_lock);
37077 + if ((matchpo->mode & mode) !=
37078 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
37079 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
37080 + __u32 new_mode = mode;
37082 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37084 + gr_log_learn(new_dentry, mnt, new_mode);
37086 + preempt_enable();
37089 + preempt_enable();
37090 + return (matchpo->mode & mode);
37094 + curracl = current->acl;
37096 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
37097 + retval = matchpo->mode & mode;
37099 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
37100 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
37101 + __u32 new_mode = mode;
37103 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37105 + gr_log_learn(new_dentry, mnt, new_mode);
37106 + preempt_enable();
37110 + preempt_enable();
37115 +gr_check_hidden_task(const struct task_struct *task)
37117 + if (unlikely(!(gr_status & GR_READY)))
37120 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
37127 +gr_check_protected_task(const struct task_struct *task)
37129 + if (unlikely(!(gr_status & GR_READY) || !task))
37132 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
37133 + task->acl != current->acl)
37140 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
37142 + struct task_struct *p;
37145 + if (unlikely(!(gr_status & GR_READY) || !pid))
37148 + read_lock(&tasklist_lock);
37149 + do_each_pid_task(pid, type, p) {
37150 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
37151 + p->acl != current->acl) {
37155 + } while_each_pid_task(pid, type, p);
37157 + read_unlock(&tasklist_lock);
37163 +gr_copy_label(struct task_struct *tsk)
37165 + tsk->signal->used_accept = 0;
37166 + tsk->acl_sp_role = 0;
37167 + tsk->acl_role_id = current->acl_role_id;
37168 + tsk->acl = current->acl;
37169 + tsk->role = current->role;
37170 + tsk->signal->curr_ip = current->signal->curr_ip;
37171 + tsk->signal->saved_ip = current->signal->saved_ip;
37172 + if (current->exec_file)
37173 + get_file(current->exec_file);
37174 + tsk->exec_file = current->exec_file;
37175 + tsk->is_writable = current->is_writable;
37176 + if (unlikely(current->signal->used_accept)) {
37177 + current->signal->curr_ip = 0;
37178 + current->signal->saved_ip = 0;
37185 +gr_set_proc_res(struct task_struct *task)
37187 + struct acl_subject_label *proc;
37188 + unsigned short i;
37190 + proc = task->acl;
37192 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
37195 + for (i = 0; i < RLIM_NLIMITS; i++) {
37196 + if (!(proc->resmask & (1 << i)))
37199 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
37200 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
37207 +gr_check_user_change(int real, int effective, int fs)
37214 + int effectiveok = 0;
37217 + if (unlikely(!(gr_status & GR_READY)))
37220 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37221 + gr_log_learn_id_change('u', real, effective, fs);
37223 + num = current->acl->user_trans_num;
37224 + uidlist = current->acl->user_transitions;
37226 + if (uidlist == NULL)
37231 + if (effective == -1)
37236 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
37237 + for (i = 0; i < num; i++) {
37238 + curuid = (int)uidlist[i];
37239 + if (real == curuid)
37241 + if (effective == curuid)
37243 + if (fs == curuid)
37246 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
37247 + for (i = 0; i < num; i++) {
37248 + curuid = (int)uidlist[i];
37249 + if (real == curuid)
37251 + if (effective == curuid)
37253 + if (fs == curuid)
37256 + /* not in deny list */
37264 + if (realok && effectiveok && fsok)
37267 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37273 +gr_check_group_change(int real, int effective, int fs)
37280 + int effectiveok = 0;
37283 + if (unlikely(!(gr_status & GR_READY)))
37286 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37287 + gr_log_learn_id_change('g', real, effective, fs);
37289 + num = current->acl->group_trans_num;
37290 + gidlist = current->acl->group_transitions;
37292 + if (gidlist == NULL)
37297 + if (effective == -1)
37302 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
37303 + for (i = 0; i < num; i++) {
37304 + curgid = (int)gidlist[i];
37305 + if (real == curgid)
37307 + if (effective == curgid)
37309 + if (fs == curgid)
37312 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
37313 + for (i = 0; i < num; i++) {
37314 + curgid = (int)gidlist[i];
37315 + if (real == curgid)
37317 + if (effective == curgid)
37319 + if (fs == curgid)
37322 + /* not in deny list */
37330 + if (realok && effectiveok && fsok)
37333 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37339 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
37341 + struct acl_role_label *role = task->role;
37342 + struct acl_subject_label *subj = NULL;
37343 + struct acl_object_label *obj;
37344 + struct file *filp;
37346 + if (unlikely(!(gr_status & GR_READY)))
37349 + filp = task->exec_file;
37351 + /* kernel process, we'll give them the kernel role */
37352 + if (unlikely(!filp)) {
37353 + task->role = kernel_role;
37354 + task->acl = kernel_role->root_label;
37356 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
37357 + role = lookup_acl_role_label(task, uid, gid);
37359 + /* perform subject lookup in possibly new role
37360 + we can use this result below in the case where role == task->role
37362 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
37364 + /* if we changed uid/gid, but result in the same role
37365 + and are using inheritance, don't lose the inherited subject
37366 + if current subject is other than what normal lookup
37367 + would result in, we arrived via inheritance, don't
37370 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
37371 + (subj == task->acl)))
37372 + task->acl = subj;
37374 + task->role = role;
37376 + task->is_writable = 0;
37378 + /* ignore additional mmap checks for processes that are writable
37379 + by the default ACL */
37380 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37381 + if (unlikely(obj->mode & GR_WRITE))
37382 + task->is_writable = 1;
37383 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37384 + if (unlikely(obj->mode & GR_WRITE))
37385 + task->is_writable = 1;
37387 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37388 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37391 + gr_set_proc_res(task);
37397 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
37398 + const int unsafe_share)
37400 + struct task_struct *task = current;
37401 + struct acl_subject_label *newacl;
37402 + struct acl_object_label *obj;
37405 + if (unlikely(!(gr_status & GR_READY)))
37408 + newacl = chk_subj_label(dentry, mnt, task->role);
37411 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
37412 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
37413 + !(task->role->roletype & GR_ROLE_GOD) &&
37414 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
37415 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
37416 + task_unlock(task);
37417 + if (unsafe_share)
37418 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
37420 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
37423 + task_unlock(task);
37425 + obj = chk_obj_label(dentry, mnt, task->acl);
37426 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
37428 + if (!(task->acl->mode & GR_INHERITLEARN) &&
37429 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
37431 + task->acl = obj->nested;
37433 + task->acl = newacl;
37434 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
37435 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
37437 + task->is_writable = 0;
37439 + /* ignore additional mmap checks for processes that are writable
37440 + by the default ACL */
37441 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
37442 + if (unlikely(obj->mode & GR_WRITE))
37443 + task->is_writable = 1;
37444 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
37445 + if (unlikely(obj->mode & GR_WRITE))
37446 + task->is_writable = 1;
37448 + gr_set_proc_res(task);
37450 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37451 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37456 +/* always called with valid inodev ptr */
37458 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
37460 + struct acl_object_label *matchpo;
37461 + struct acl_subject_label *matchps;
37462 + struct acl_subject_label *subj;
37463 + struct acl_role_label *role;
37466 + FOR_EACH_ROLE_START(role)
37467 + FOR_EACH_SUBJECT_START(role, subj, x)
37468 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
37469 + matchpo->mode |= GR_DELETED;
37470 + FOR_EACH_SUBJECT_END(subj,x)
37471 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37472 + if (subj->inode == ino && subj->device == dev)
37473 + subj->mode |= GR_DELETED;
37474 + FOR_EACH_NESTED_SUBJECT_END(subj)
37475 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
37476 + matchps->mode |= GR_DELETED;
37477 + FOR_EACH_ROLE_END(role)
37479 + inodev->nentry->deleted = 1;
37485 +gr_handle_delete(const ino_t ino, const dev_t dev)
37487 + struct inodev_entry *inodev;
37489 + if (unlikely(!(gr_status & GR_READY)))
37492 + write_lock(&gr_inode_lock);
37493 + inodev = lookup_inodev_entry(ino, dev);
37494 + if (inodev != NULL)
37495 + do_handle_delete(inodev, ino, dev);
37496 + write_unlock(&gr_inode_lock);
37502 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
37503 + const ino_t newinode, const dev_t newdevice,
37504 + struct acl_subject_label *subj)
37506 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
37507 + struct acl_object_label *match;
37509 + match = subj->obj_hash[index];
37511 + while (match && (match->inode != oldinode ||
37512 + match->device != olddevice ||
37513 + !(match->mode & GR_DELETED)))
37514 + match = match->next;
37516 + if (match && (match->inode == oldinode)
37517 + && (match->device == olddevice)
37518 + && (match->mode & GR_DELETED)) {
37519 + if (match->prev == NULL) {
37520 + subj->obj_hash[index] = match->next;
37521 + if (match->next != NULL)
37522 + match->next->prev = NULL;
37524 + match->prev->next = match->next;
37525 + if (match->next != NULL)
37526 + match->next->prev = match->prev;
37528 + match->prev = NULL;
37529 + match->next = NULL;
37530 + match->inode = newinode;
37531 + match->device = newdevice;
37532 + match->mode &= ~GR_DELETED;
37534 + insert_acl_obj_label(match, subj);
37541 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
37542 + const ino_t newinode, const dev_t newdevice,
37543 + struct acl_role_label *role)
37545 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
37546 + struct acl_subject_label *match;
37548 + match = role->subj_hash[index];
37550 + while (match && (match->inode != oldinode ||
37551 + match->device != olddevice ||
37552 + !(match->mode & GR_DELETED)))
37553 + match = match->next;
37555 + if (match && (match->inode == oldinode)
37556 + && (match->device == olddevice)
37557 + && (match->mode & GR_DELETED)) {
37558 + if (match->prev == NULL) {
37559 + role->subj_hash[index] = match->next;
37560 + if (match->next != NULL)
37561 + match->next->prev = NULL;
37563 + match->prev->next = match->next;
37564 + if (match->next != NULL)
37565 + match->next->prev = match->prev;
37567 + match->prev = NULL;
37568 + match->next = NULL;
37569 + match->inode = newinode;
37570 + match->device = newdevice;
37571 + match->mode &= ~GR_DELETED;
37573 + insert_acl_subj_label(match, role);
37580 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
37581 + const ino_t newinode, const dev_t newdevice)
37583 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
37584 + struct inodev_entry *match;
37586 + match = inodev_set.i_hash[index];
37588 + while (match && (match->nentry->inode != oldinode ||
37589 + match->nentry->device != olddevice || !match->nentry->deleted))
37590 + match = match->next;
37592 + if (match && (match->nentry->inode == oldinode)
37593 + && (match->nentry->device == olddevice) &&
37594 + match->nentry->deleted) {
37595 + if (match->prev == NULL) {
37596 + inodev_set.i_hash[index] = match->next;
37597 + if (match->next != NULL)
37598 + match->next->prev = NULL;
37600 + match->prev->next = match->next;
37601 + if (match->next != NULL)
37602 + match->next->prev = match->prev;
37604 + match->prev = NULL;
37605 + match->next = NULL;
37606 + match->nentry->inode = newinode;
37607 + match->nentry->device = newdevice;
37608 + match->nentry->deleted = 0;
37610 + insert_inodev_entry(match);
37617 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
37618 + const struct vfsmount *mnt)
37620 + struct acl_subject_label *subj;
37621 + struct acl_role_label *role;
37624 + FOR_EACH_ROLE_START(role)
37625 + update_acl_subj_label(matchn->inode, matchn->device,
37626 + dentry->d_inode->i_ino,
37627 + dentry->d_inode->i_sb->s_dev, role);
37629 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37630 + if ((subj->inode == dentry->d_inode->i_ino) &&
37631 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
37632 + subj->inode = dentry->d_inode->i_ino;
37633 + subj->device = dentry->d_inode->i_sb->s_dev;
37635 + FOR_EACH_NESTED_SUBJECT_END(subj)
37636 + FOR_EACH_SUBJECT_START(role, subj, x)
37637 + update_acl_obj_label(matchn->inode, matchn->device,
37638 + dentry->d_inode->i_ino,
37639 + dentry->d_inode->i_sb->s_dev, subj);
37640 + FOR_EACH_SUBJECT_END(subj,x)
37641 + FOR_EACH_ROLE_END(role)
37643 + update_inodev_entry(matchn->inode, matchn->device,
37644 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
37650 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
37652 + struct name_entry *matchn;
37654 + if (unlikely(!(gr_status & GR_READY)))
37657 + preempt_disable();
37658 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
37660 + if (unlikely((unsigned long)matchn)) {
37661 + write_lock(&gr_inode_lock);
37662 + do_handle_create(matchn, dentry, mnt);
37663 + write_unlock(&gr_inode_lock);
37665 + preempt_enable();
37671 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
37672 + struct dentry *old_dentry,
37673 + struct dentry *new_dentry,
37674 + struct vfsmount *mnt, const __u8 replace)
37676 + struct name_entry *matchn;
37677 + struct inodev_entry *inodev;
37679 + /* vfs_rename swaps the name and parent link for old_dentry and
37681 + at this point, old_dentry has the new name, parent link, and inode
37682 + for the renamed file
37683 + if a file is being replaced by a rename, new_dentry has the inode
37684 + and name for the replaced file
37687 + if (unlikely(!(gr_status & GR_READY)))
37690 + preempt_disable();
37691 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
37693 + /* we wouldn't have to check d_inode if it weren't for
37694 + NFS silly-renaming
37697 + write_lock(&gr_inode_lock);
37698 + if (unlikely(replace && new_dentry->d_inode)) {
37699 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
37700 + new_dentry->d_inode->i_sb->s_dev);
37701 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
37702 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
37703 + new_dentry->d_inode->i_sb->s_dev);
37706 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
37707 + old_dentry->d_inode->i_sb->s_dev);
37708 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
37709 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
37710 + old_dentry->d_inode->i_sb->s_dev);
37712 + if (unlikely((unsigned long)matchn))
37713 + do_handle_create(matchn, old_dentry, mnt);
37715 + write_unlock(&gr_inode_lock);
37716 + preempt_enable();
37722 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
37723 + unsigned char **sum)
37725 + struct acl_role_label *r;
37726 + struct role_allowed_ip *ipp;
37727 + struct role_transition *trans;
37730 + u32 curr_ip = current->signal->curr_ip;
37732 + current->signal->saved_ip = curr_ip;
37734 + /* check transition table */
37736 + for (trans = current->role->transitions; trans; trans = trans->next) {
37737 + if (!strcmp(rolename, trans->rolename)) {
37746 + /* handle special roles that do not require authentication
37749 + FOR_EACH_ROLE_START(r)
37750 + if (!strcmp(rolename, r->rolename) &&
37751 + (r->roletype & GR_ROLE_SPECIAL)) {
37753 + if (r->allowed_ips != NULL) {
37754 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
37755 + if ((ntohl(curr_ip) & ipp->netmask) ==
37756 + (ntohl(ipp->addr) & ipp->netmask))
37764 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
37765 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
37771 + FOR_EACH_ROLE_END(r)
37773 + for (i = 0; i < num_sprole_pws; i++) {
37774 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
37775 + *salt = acl_special_roles[i]->salt;
37776 + *sum = acl_special_roles[i]->sum;
37785 +assign_special_role(char *rolename)
37787 + struct acl_object_label *obj;
37788 + struct acl_role_label *r;
37789 + struct acl_role_label *assigned = NULL;
37790 + struct task_struct *tsk;
37791 + struct file *filp;
37793 + FOR_EACH_ROLE_START(r)
37794 + if (!strcmp(rolename, r->rolename) &&
37795 + (r->roletype & GR_ROLE_SPECIAL)) {
37799 + FOR_EACH_ROLE_END(r)
37804 + read_lock(&tasklist_lock);
37805 + read_lock(&grsec_exec_file_lock);
37807 + tsk = current->real_parent;
37811 + filp = tsk->exec_file;
37812 + if (filp == NULL)
37815 + tsk->is_writable = 0;
37817 + tsk->acl_sp_role = 1;
37818 + tsk->acl_role_id = ++acl_sp_role_value;
37819 + tsk->role = assigned;
37820 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
37822 + /* ignore additional mmap checks for processes that are writable
37823 + by the default ACL */
37824 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37825 + if (unlikely(obj->mode & GR_WRITE))
37826 + tsk->is_writable = 1;
37827 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
37828 + if (unlikely(obj->mode & GR_WRITE))
37829 + tsk->is_writable = 1;
37831 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37832 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
37836 + read_unlock(&grsec_exec_file_lock);
37837 + read_unlock(&tasklist_lock);
37841 +int gr_check_secure_terminal(struct task_struct *task)
37843 + struct task_struct *p, *p2, *p3;
37844 + struct files_struct *files;
37845 + struct fdtable *fdt;
37846 + struct file *our_file = NULL, *file;
37849 + if (task->signal->tty == NULL)
37852 + files = get_files_struct(task);
37853 + if (files != NULL) {
37855 + fdt = files_fdtable(files);
37856 + for (i=0; i < fdt->max_fds; i++) {
37857 + file = fcheck_files(files, i);
37858 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
37863 + rcu_read_unlock();
37864 + put_files_struct(files);
37867 + if (our_file == NULL)
37870 + read_lock(&tasklist_lock);
37871 + do_each_thread(p2, p) {
37872 + files = get_files_struct(p);
37873 + if (files == NULL ||
37874 + (p->signal && p->signal->tty == task->signal->tty)) {
37875 + if (files != NULL)
37876 + put_files_struct(files);
37880 + fdt = files_fdtable(files);
37881 + for (i=0; i < fdt->max_fds; i++) {
37882 + file = fcheck_files(files, i);
37883 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
37884 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
37886 + while (p3->pid > 0) {
37889 + p3 = p3->real_parent;
37893 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
37894 + gr_handle_alertkill(p);
37895 + rcu_read_unlock();
37896 + put_files_struct(files);
37897 + read_unlock(&tasklist_lock);
37902 + rcu_read_unlock();
37903 + put_files_struct(files);
37904 + } while_each_thread(p2, p);
37905 + read_unlock(&tasklist_lock);
37912 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
37914 + struct gr_arg_wrapper uwrap;
37915 + unsigned char *sprole_salt = NULL;
37916 + unsigned char *sprole_sum = NULL;
37917 + int error = sizeof (struct gr_arg_wrapper);
37920 + mutex_lock(&gr_dev_mutex);
37922 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
37927 + if (count != sizeof (struct gr_arg_wrapper)) {
37928 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
37934 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
37935 + gr_auth_expires = 0;
37936 + gr_auth_attempts = 0;
37939 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
37944 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
37949 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
37954 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37955 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37956 + time_after(gr_auth_expires, get_seconds())) {
37961 + /* if non-root trying to do anything other than use a special role,
37962 + do not attempt authentication, do not count towards authentication
37966 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
37967 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37973 + /* ensure pw and special role name are null terminated */
37975 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
37976 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
37979 + * We have our enough of the argument structure..(we have yet
37980 + * to copy_from_user the tables themselves) . Copy the tables
37981 + * only if we need them, i.e. for loading operations. */
37983 + switch (gr_usermode->mode) {
37985 + if (gr_status & GR_READY) {
37987 + if (!gr_check_secure_terminal(current))
37992 + case GR_SHUTDOWN:
37993 + if ((gr_status & GR_READY)
37994 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37995 + pax_open_kernel();
37996 + gr_status &= ~GR_READY;
37997 + pax_close_kernel();
37999 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
38000 + free_variables();
38001 + memset(gr_usermode, 0, sizeof (struct gr_arg));
38002 + memset(gr_system_salt, 0, GR_SALT_LEN);
38003 + memset(gr_system_sum, 0, GR_SHA_LEN);
38004 + } else if (gr_status & GR_READY) {
38005 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
38008 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
38013 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
38014 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
38016 + if (gr_status & GR_READY)
38020 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
38024 + if (!(gr_status & GR_READY)) {
38025 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
38027 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38028 + preempt_disable();
38030 + pax_open_kernel();
38031 + gr_status &= ~GR_READY;
38032 + pax_close_kernel();
38034 + free_variables();
38035 + if (!(error2 = gracl_init(gr_usermode))) {
38036 + preempt_enable();
38037 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
38039 + preempt_enable();
38041 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
38044 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
38049 + if (unlikely(!(gr_status & GR_READY))) {
38050 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
38055 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38056 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
38057 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
38058 + struct acl_subject_label *segvacl;
38060 + lookup_acl_subj_label(gr_usermode->segv_inode,
38061 + gr_usermode->segv_device,
38064 + segvacl->crashes = 0;
38065 + segvacl->expires = 0;
38067 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
38068 + gr_remove_uid(gr_usermode->segv_uid);
38071 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
38076 + case GR_SPROLEPAM:
38077 + if (unlikely(!(gr_status & GR_READY))) {
38078 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
38083 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
38084 + current->role->expires = 0;
38085 + current->role->auth_attempts = 0;
38088 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
38089 + time_after(current->role->expires, get_seconds())) {
38094 + if (lookup_special_role_auth
38095 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
38096 + && ((!sprole_salt && !sprole_sum)
38097 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
38099 + assign_special_role(gr_usermode->sp_role);
38100 + read_lock(&tasklist_lock);
38101 + if (current->real_parent)
38102 + p = current->real_parent->role->rolename;
38103 + read_unlock(&tasklist_lock);
38104 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
38105 + p, acl_sp_role_value);
38107 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
38109 + if(!(current->role->auth_attempts++))
38110 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
38115 + case GR_UNSPROLE:
38116 + if (unlikely(!(gr_status & GR_READY))) {
38117 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
38122 + if (current->role->roletype & GR_ROLE_SPECIAL) {
38126 + read_lock(&tasklist_lock);
38127 + if (current->real_parent) {
38128 + p = current->real_parent->role->rolename;
38129 + i = current->real_parent->acl_role_id;
38131 + read_unlock(&tasklist_lock);
38133 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
38141 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
38146 + if (error != -EPERM)
38149 + if(!(gr_auth_attempts++))
38150 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
38153 + mutex_unlock(&gr_dev_mutex);
38158 +gr_set_acls(const int type)
38160 + struct acl_object_label *obj;
38161 + struct task_struct *task, *task2;
38162 + struct file *filp;
38163 + struct acl_role_label *role = current->role;
38164 + __u16 acl_role_id = current->acl_role_id;
38165 + const struct cred *cred;
38167 + struct name_entry *nmatch;
38168 + struct acl_subject_label *tmpsubj;
38171 + read_lock(&tasklist_lock);
38172 + read_lock(&grsec_exec_file_lock);
38173 + do_each_thread(task2, task) {
38174 + /* check to see if we're called from the exit handler,
38175 + if so, only replace ACLs that have inherited the admin
38178 + if (type && (task->role != role ||
38179 + task->acl_role_id != acl_role_id))
38182 + task->acl_role_id = 0;
38183 + task->acl_sp_role = 0;
38185 + if ((filp = task->exec_file)) {
38186 + cred = __task_cred(task);
38187 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
38189 + /* the following is to apply the correct subject
38190 + on binaries running when the RBAC system
38191 + is enabled, when the binaries have been
38192 + replaced or deleted since their execution
38194 + when the RBAC system starts, the inode/dev
38195 + from exec_file will be one the RBAC system
38196 + is unaware of. It only knows the inode/dev
38197 + of the present file on disk, or the absence
38200 + preempt_disable();
38201 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
38203 + nmatch = lookup_name_entry(tmpname);
38204 + preempt_enable();
38207 + if (nmatch->deleted)
38208 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
38210 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
38211 + if (tmpsubj != NULL)
38212 + task->acl = tmpsubj;
38214 + if (tmpsubj == NULL)
38215 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
38218 + struct acl_subject_label *curr;
38219 + curr = task->acl;
38221 + task->is_writable = 0;
38222 + /* ignore additional mmap checks for processes that are writable
38223 + by the default ACL */
38224 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38225 + if (unlikely(obj->mode & GR_WRITE))
38226 + task->is_writable = 1;
38227 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
38228 + if (unlikely(obj->mode & GR_WRITE))
38229 + task->is_writable = 1;
38231 + gr_set_proc_res(task);
38233 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
38234 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
38237 + read_unlock(&grsec_exec_file_lock);
38238 + read_unlock(&tasklist_lock);
38239 + rcu_read_unlock();
38240 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
38244 + // it's a kernel process
38245 + task->role = kernel_role;
38246 + task->acl = kernel_role->root_label;
38247 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
38248 + task->acl->mode &= ~GR_PROCFIND;
38251 + } while_each_thread(task2, task);
38252 + read_unlock(&grsec_exec_file_lock);
38253 + read_unlock(&tasklist_lock);
38254 + rcu_read_unlock();
38260 +gr_learn_resource(const struct task_struct *task,
38261 + const int res, const unsigned long wanted, const int gt)
38263 + struct acl_subject_label *acl;
38264 + const struct cred *cred;
38266 + if (unlikely((gr_status & GR_READY) &&
38267 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
38268 + goto skip_reslog;
38270 +#ifdef CONFIG_GRKERNSEC_RESLOG
38271 + gr_log_resource(task, res, wanted, gt);
38275 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
38280 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
38281 + !(acl->resmask & (1 << (unsigned short) res))))
38284 + if (wanted >= acl->res[res].rlim_cur) {
38285 + unsigned long res_add;
38287 + res_add = wanted;
38290 + res_add += GR_RLIM_CPU_BUMP;
38292 + case RLIMIT_FSIZE:
38293 + res_add += GR_RLIM_FSIZE_BUMP;
38295 + case RLIMIT_DATA:
38296 + res_add += GR_RLIM_DATA_BUMP;
38298 + case RLIMIT_STACK:
38299 + res_add += GR_RLIM_STACK_BUMP;
38301 + case RLIMIT_CORE:
38302 + res_add += GR_RLIM_CORE_BUMP;
38305 + res_add += GR_RLIM_RSS_BUMP;
38307 + case RLIMIT_NPROC:
38308 + res_add += GR_RLIM_NPROC_BUMP;
38310 + case RLIMIT_NOFILE:
38311 + res_add += GR_RLIM_NOFILE_BUMP;
38313 + case RLIMIT_MEMLOCK:
38314 + res_add += GR_RLIM_MEMLOCK_BUMP;
38317 + res_add += GR_RLIM_AS_BUMP;
38319 + case RLIMIT_LOCKS:
38320 + res_add += GR_RLIM_LOCKS_BUMP;
38322 + case RLIMIT_SIGPENDING:
38323 + res_add += GR_RLIM_SIGPENDING_BUMP;
38325 + case RLIMIT_MSGQUEUE:
38326 + res_add += GR_RLIM_MSGQUEUE_BUMP;
38328 + case RLIMIT_NICE:
38329 + res_add += GR_RLIM_NICE_BUMP;
38331 + case RLIMIT_RTPRIO:
38332 + res_add += GR_RLIM_RTPRIO_BUMP;
38334 + case RLIMIT_RTTIME:
38335 + res_add += GR_RLIM_RTTIME_BUMP;
38339 + acl->res[res].rlim_cur = res_add;
38341 + if (wanted > acl->res[res].rlim_max)
38342 + acl->res[res].rlim_max = res_add;
38344 + /* only log the subject filename, since resource logging is supported for
38345 + single-subject learning only */
38347 + cred = __task_cred(task);
38348 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38349 + task->role->roletype, cred->uid, cred->gid, acl->filename,
38350 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
38351 + "", (unsigned long) res, &task->signal->saved_ip);
38352 + rcu_read_unlock();
38358 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
38360 +pax_set_initial_flags(struct linux_binprm *bprm)
38362 + struct task_struct *task = current;
38363 + struct acl_subject_label *proc;
38364 + unsigned long flags;
38366 + if (unlikely(!(gr_status & GR_READY)))
38369 + flags = pax_get_flags(task);
38371 + proc = task->acl;
38373 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
38374 + flags &= ~MF_PAX_PAGEEXEC;
38375 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
38376 + flags &= ~MF_PAX_SEGMEXEC;
38377 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
38378 + flags &= ~MF_PAX_RANDMMAP;
38379 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
38380 + flags &= ~MF_PAX_EMUTRAMP;
38381 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
38382 + flags &= ~MF_PAX_MPROTECT;
38384 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
38385 + flags |= MF_PAX_PAGEEXEC;
38386 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
38387 + flags |= MF_PAX_SEGMEXEC;
38388 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
38389 + flags |= MF_PAX_RANDMMAP;
38390 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
38391 + flags |= MF_PAX_EMUTRAMP;
38392 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
38393 + flags |= MF_PAX_MPROTECT;
38395 + pax_set_flags(task, flags);
38401 +#ifdef CONFIG_SYSCTL
38402 +/* Eric Biederman likes breaking userland ABI and every inode-based security
38403 + system to save 35kb of memory */
38405 +/* we modify the passed in filename, but adjust it back before returning */
38406 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
38408 + struct name_entry *nmatch;
38409 + char *p, *lastp = NULL;
38410 + struct acl_object_label *obj = NULL, *tmp;
38411 + struct acl_subject_label *tmpsubj;
38414 + read_lock(&gr_inode_lock);
38416 + p = name + len - 1;
38418 + nmatch = lookup_name_entry(name);
38419 + if (lastp != NULL)
38422 + if (nmatch == NULL)
38423 + goto next_component;
38424 + tmpsubj = current->acl;
38426 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
38427 + if (obj != NULL) {
38428 + tmp = obj->globbed;
38430 + if (!glob_match(tmp->filename, name)) {
38438 + } while ((tmpsubj = tmpsubj->parent_subject));
38444 + while (*p != '/')
38456 + read_unlock(&gr_inode_lock);
38457 + /* obj returned will always be non-null */
38461 +/* returns 0 when allowing, non-zero on error
38462 + op of 0 is used for readdir, so we don't log the names of hidden files
38465 +gr_handle_sysctl(const struct ctl_table *table, const int op)
38467 + struct ctl_table *tmp;
38468 + const char *proc_sys = "/proc/sys";
38470 + struct acl_object_label *obj;
38471 + unsigned short len = 0, pos = 0, depth = 0, i;
38475 + if (unlikely(!(gr_status & GR_READY)))
38478 + /* for now, ignore operations on non-sysctl entries if it's not a
38480 + if (table->child != NULL && op != 0)
38484 + /* it's only a read if it's an entry, read on dirs is for readdir */
38485 + if (op & MAY_READ)
38487 + if (op & MAY_WRITE)
38488 + mode |= GR_WRITE;
38490 + preempt_disable();
38492 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
38494 + /* it's only a read/write if it's an actual entry, not a dir
38495 + (which are opened for readdir)
38498 + /* convert the requested sysctl entry into a pathname */
38500 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38501 + len += strlen(tmp->procname);
38506 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
38511 + memset(path, 0, PAGE_SIZE);
38513 + memcpy(path, proc_sys, strlen(proc_sys));
38515 + pos += strlen(proc_sys);
38517 + for (; depth > 0; depth--) {
38520 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38521 + if (depth == i) {
38522 + memcpy(path + pos, tmp->procname,
38523 + strlen(tmp->procname));
38524 + pos += strlen(tmp->procname);
38530 + obj = gr_lookup_by_name(path, pos);
38531 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
38533 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
38534 + ((err & mode) != mode))) {
38535 + __u32 new_mode = mode;
38537 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38540 + gr_log_learn_sysctl(path, new_mode);
38541 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
38542 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
38544 + } else if (!(err & GR_FIND)) {
38546 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
38547 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
38548 + path, (mode & GR_READ) ? " reading" : "",
38549 + (mode & GR_WRITE) ? " writing" : "");
38551 + } else if ((err & mode) != mode) {
38553 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
38554 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
38555 + path, (mode & GR_READ) ? " reading" : "",
38556 + (mode & GR_WRITE) ? " writing" : "");
38562 + preempt_enable();
38569 +gr_handle_proc_ptrace(struct task_struct *task)
38571 + struct file *filp;
38572 + struct task_struct *tmp = task;
38573 + struct task_struct *curtemp = current;
38576 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38577 + if (unlikely(!(gr_status & GR_READY)))
38581 + read_lock(&tasklist_lock);
38582 + read_lock(&grsec_exec_file_lock);
38583 + filp = task->exec_file;
38585 + while (tmp->pid > 0) {
38586 + if (tmp == curtemp)
38588 + tmp = tmp->real_parent;
38591 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38592 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
38593 + read_unlock(&grsec_exec_file_lock);
38594 + read_unlock(&tasklist_lock);
38598 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38599 + if (!(gr_status & GR_READY)) {
38600 + read_unlock(&grsec_exec_file_lock);
38601 + read_unlock(&tasklist_lock);
38606 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
38607 + read_unlock(&grsec_exec_file_lock);
38608 + read_unlock(&tasklist_lock);
38610 + if (retmode & GR_NOPTRACE)
38613 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
38614 + && (current->acl != task->acl || (current->acl != current->role->root_label
38615 + && current->pid != task->pid)))
38621 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
38623 + if (unlikely(!(gr_status & GR_READY)))
38626 + if (!(current->role->roletype & GR_ROLE_GOD))
38629 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
38630 + p->role->rolename, gr_task_roletype_to_char(p),
38631 + p->acl->filename);
38635 +gr_handle_ptrace(struct task_struct *task, const long request)
38637 + struct task_struct *tmp = task;
38638 + struct task_struct *curtemp = current;
38641 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38642 + if (unlikely(!(gr_status & GR_READY)))
38646 + read_lock(&tasklist_lock);
38647 + while (tmp->pid > 0) {
38648 + if (tmp == curtemp)
38650 + tmp = tmp->real_parent;
38653 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38654 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
38655 + read_unlock(&tasklist_lock);
38656 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38659 + read_unlock(&tasklist_lock);
38661 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38662 + if (!(gr_status & GR_READY))
38666 + read_lock(&grsec_exec_file_lock);
38667 + if (unlikely(!task->exec_file)) {
38668 + read_unlock(&grsec_exec_file_lock);
38672 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
38673 + read_unlock(&grsec_exec_file_lock);
38675 + if (retmode & GR_NOPTRACE) {
38676 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38680 + if (retmode & GR_PTRACERD) {
38681 + switch (request) {
38682 + case PTRACE_POKETEXT:
38683 + case PTRACE_POKEDATA:
38684 + case PTRACE_POKEUSR:
38685 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
38686 + case PTRACE_SETREGS:
38687 + case PTRACE_SETFPREGS:
38690 + case PTRACE_SETFPXREGS:
38692 +#ifdef CONFIG_ALTIVEC
38693 + case PTRACE_SETVRREGS:
38699 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
38700 + !(current->role->roletype & GR_ROLE_GOD) &&
38701 + (current->acl != task->acl)) {
38702 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38709 +static int is_writable_mmap(const struct file *filp)
38711 + struct task_struct *task = current;
38712 + struct acl_object_label *obj, *obj2;
38714 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
38715 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
38716 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38717 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
38718 + task->role->root_label);
38719 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
38720 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
38728 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
38732 + if (unlikely(!file || !(prot & PROT_EXEC)))
38735 + if (is_writable_mmap(file))
38739 + gr_search_file(file->f_path.dentry,
38740 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38741 + file->f_path.mnt);
38743 + if (!gr_tpe_allow(file))
38746 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38747 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38749 + } else if (unlikely(!(mode & GR_EXEC))) {
38751 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38752 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38760 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38764 + if (unlikely(!file || !(prot & PROT_EXEC)))
38767 + if (is_writable_mmap(file))
38771 + gr_search_file(file->f_path.dentry,
38772 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38773 + file->f_path.mnt);
38775 + if (!gr_tpe_allow(file))
38778 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38779 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38781 + } else if (unlikely(!(mode & GR_EXEC))) {
38783 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38784 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38792 +gr_acl_handle_psacct(struct task_struct *task, const long code)
38794 + unsigned long runtime;
38795 + unsigned long cputime;
38796 + unsigned int wday, cday;
38800 + struct timespec timeval;
38802 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
38803 + !(task->acl->mode & GR_PROCACCT)))
38806 + do_posix_clock_monotonic_gettime(&timeval);
38807 + runtime = timeval.tv_sec - task->start_time.tv_sec;
38808 + wday = runtime / (3600 * 24);
38809 + runtime -= wday * (3600 * 24);
38810 + whr = runtime / 3600;
38811 + runtime -= whr * 3600;
38812 + wmin = runtime / 60;
38813 + runtime -= wmin * 60;
38816 + cputime = (task->utime + task->stime) / HZ;
38817 + cday = cputime / (3600 * 24);
38818 + cputime -= cday * (3600 * 24);
38819 + chr = cputime / 3600;
38820 + cputime -= chr * 3600;
38821 + cmin = cputime / 60;
38822 + cputime -= cmin * 60;
38825 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
38830 +void gr_set_kernel_label(struct task_struct *task)
38832 + if (gr_status & GR_READY) {
38833 + task->role = kernel_role;
38834 + task->acl = kernel_role->root_label;
38839 +#ifdef CONFIG_TASKSTATS
38840 +int gr_is_taskstats_denied(int pid)
38842 + struct task_struct *task;
38843 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38844 + const struct cred *cred;
38848 + /* restrict taskstats viewing to un-chrooted root users
38849 + who have the 'view' subject flag if the RBAC system is enabled
38853 + read_lock(&tasklist_lock);
38854 + task = find_task_by_vpid(pid);
38856 +#ifdef CONFIG_GRKERNSEC_CHROOT
38857 + if (proc_is_chrooted(task))
38860 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38861 + cred = __task_cred(task);
38862 +#ifdef CONFIG_GRKERNSEC_PROC_USER
38863 + if (cred->uid != 0)
38865 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38866 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
38870 + if (gr_status & GR_READY) {
38871 + if (!(task->acl->mode & GR_VIEW))
38877 + read_unlock(&tasklist_lock);
38878 + rcu_read_unlock();
38884 +/* AUXV entries are filled via a descendant of search_binary_handler
38885 + after we've already applied the subject for the target
38887 +int gr_acl_enable_at_secure(void)
38889 + if (unlikely(!(gr_status & GR_READY)))
38892 + if (current->acl->mode & GR_ATSECURE)
38898 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
38900 + struct task_struct *task = current;
38901 + struct dentry *dentry = file->f_path.dentry;
38902 + struct vfsmount *mnt = file->f_path.mnt;
38903 + struct acl_object_label *obj, *tmp;
38904 + struct acl_subject_label *subj;
38905 + unsigned int bufsize;
38909 + if (unlikely(!(gr_status & GR_READY)))
38912 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38915 + /* ignore Eric Biederman */
38916 + if (IS_PRIVATE(dentry->d_inode))
38919 + subj = task->acl;
38921 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
38923 + return (obj->mode & GR_FIND) ? 1 : 0;
38924 + } while ((subj = subj->parent_subject));
38926 + /* this is purely an optimization since we're looking for an object
38927 + for the directory we're doing a readdir on
38928 + if it's possible for any globbed object to match the entry we're
38929 + filling into the directory, then the object we find here will be
38930 + an anchor point with attached globbed objects
38932 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
38933 + if (obj->globbed == NULL)
38934 + return (obj->mode & GR_FIND) ? 1 : 0;
38936 + is_not_root = ((obj->filename[0] == '/') &&
38937 + (obj->filename[1] == '\0')) ? 0 : 1;
38938 + bufsize = PAGE_SIZE - namelen - is_not_root;
38940 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
38941 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
38944 + preempt_disable();
38945 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
38948 + bufsize = strlen(path);
38950 + /* if base is "/", don't append an additional slash */
38952 + *(path + bufsize) = '/';
38953 + memcpy(path + bufsize + is_not_root, name, namelen);
38954 + *(path + bufsize + namelen + is_not_root) = '\0';
38956 + tmp = obj->globbed;
38958 + if (!glob_match(tmp->filename, path)) {
38959 + preempt_enable();
38960 + return (tmp->mode & GR_FIND) ? 1 : 0;
38964 + preempt_enable();
38965 + return (obj->mode & GR_FIND) ? 1 : 0;
38968 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
38969 +EXPORT_SYMBOL(gr_acl_is_enabled);
38971 +EXPORT_SYMBOL(gr_learn_resource);
38972 +EXPORT_SYMBOL(gr_set_kernel_label);
38973 +#ifdef CONFIG_SECURITY
38974 +EXPORT_SYMBOL(gr_check_user_change);
38975 +EXPORT_SYMBOL(gr_check_group_change);
38978 diff -urNp linux-2.6.37/grsecurity/gracl_cap.c linux-2.6.37/grsecurity/gracl_cap.c
38979 --- linux-2.6.37/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
38980 +++ linux-2.6.37/grsecurity/gracl_cap.c 2011-01-17 02:41:02.000000000 -0500
38982 +#include <linux/kernel.h>
38983 +#include <linux/module.h>
38984 +#include <linux/sched.h>
38985 +#include <linux/gracl.h>
38986 +#include <linux/grsecurity.h>
38987 +#include <linux/grinternal.h>
38989 +static const char *captab_log[] = {
38991 + "CAP_DAC_OVERRIDE",
38992 + "CAP_DAC_READ_SEARCH",
38999 + "CAP_LINUX_IMMUTABLE",
39000 + "CAP_NET_BIND_SERVICE",
39001 + "CAP_NET_BROADCAST",
39006 + "CAP_SYS_MODULE",
39008 + "CAP_SYS_CHROOT",
39009 + "CAP_SYS_PTRACE",
39014 + "CAP_SYS_RESOURCE",
39016 + "CAP_SYS_TTY_CONFIG",
39019 + "CAP_AUDIT_WRITE",
39020 + "CAP_AUDIT_CONTROL",
39022 + "CAP_MAC_OVERRIDE",
39026 +EXPORT_SYMBOL(gr_is_capable);
39027 +EXPORT_SYMBOL(gr_is_capable_nolog);
39030 +gr_is_capable(const int cap)
39032 + struct task_struct *task = current;
39033 + const struct cred *cred = current_cred();
39034 + struct acl_subject_label *curracl;
39035 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
39036 + kernel_cap_t cap_audit = __cap_empty_set;
39038 + if (!gr_acl_is_enabled())
39041 + curracl = task->acl;
39043 + cap_drop = curracl->cap_lower;
39044 + cap_mask = curracl->cap_mask;
39045 + cap_audit = curracl->cap_invert_audit;
39047 + while ((curracl = curracl->parent_subject)) {
39048 + /* if the cap isn't specified in the current computed mask but is specified in the
39049 + current level subject, and is lowered in the current level subject, then add
39050 + it to the set of dropped capabilities
39051 + otherwise, add the current level subject's mask to the current computed mask
39053 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
39054 + cap_raise(cap_mask, cap);
39055 + if (cap_raised(curracl->cap_lower, cap))
39056 + cap_raise(cap_drop, cap);
39057 + if (cap_raised(curracl->cap_invert_audit, cap))
39058 + cap_raise(cap_audit, cap);
39062 + if (!cap_raised(cap_drop, cap)) {
39063 + if (cap_raised(cap_audit, cap))
39064 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
39068 + curracl = task->acl;
39070 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
39071 + && cap_raised(cred->cap_effective, cap)) {
39072 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
39073 + task->role->roletype, cred->uid,
39074 + cred->gid, task->exec_file ?
39075 + gr_to_filename(task->exec_file->f_path.dentry,
39076 + task->exec_file->f_path.mnt) : curracl->filename,
39077 + curracl->filename, 0UL,
39078 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
39082 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
39083 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
39088 +gr_is_capable_nolog(const int cap)
39090 + struct acl_subject_label *curracl;
39091 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
39093 + if (!gr_acl_is_enabled())
39096 + curracl = current->acl;
39098 + cap_drop = curracl->cap_lower;
39099 + cap_mask = curracl->cap_mask;
39101 + while ((curracl = curracl->parent_subject)) {
39102 + /* if the cap isn't specified in the current computed mask but is specified in the
39103 + current level subject, and is lowered in the current level subject, then add
39104 + it to the set of dropped capabilities
39105 + otherwise, add the current level subject's mask to the current computed mask
39107 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
39108 + cap_raise(cap_mask, cap);
39109 + if (cap_raised(curracl->cap_lower, cap))
39110 + cap_raise(cap_drop, cap);
39114 + if (!cap_raised(cap_drop, cap))
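Review bot: The audit branch of gr_is_capable() indexes `captab_log[cap]` without the range check that the denial branch at the end of the same function applies (`(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`). A capability number beyond the table would then be read past the end of the array whenever the subject has audit set for it. The same guard belongs on the audit path, for example `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`. Not every entry of captab_log is visible on this page, so whether the table covers all capabilities of this kernel cannot be confirmed from here. A build-time check tying the table size to the capability count would keep the two from drifting apart.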
39120 diff -urNp linux-2.6.37/grsecurity/gracl_fs.c linux-2.6.37/grsecurity/gracl_fs.c
39121 --- linux-2.6.37/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
39122 +++ linux-2.6.37/grsecurity/gracl_fs.c 2011-01-17 02:41:02.000000000 -0500
39124 +#include <linux/kernel.h>
39125 +#include <linux/sched.h>
39126 +#include <linux/types.h>
39127 +#include <linux/fs.h>
39128 +#include <linux/file.h>
39129 +#include <linux/stat.h>
39130 +#include <linux/grsecurity.h>
39131 +#include <linux/grinternal.h>
39132 +#include <linux/gracl.h>
39135 +gr_acl_handle_hidden_file(const struct dentry * dentry,
39136 + const struct vfsmount * mnt)
39140 + if (unlikely(!dentry->d_inode))
39144 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
39146 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
39147 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
39149 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
39150 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
39152 + } else if (unlikely(!(mode & GR_FIND)))
39159 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
39162 + __u32 reqmode = GR_FIND;
39165 + if (unlikely(!dentry->d_inode))
39168 + if (unlikely(fmode & O_APPEND))
39169 + reqmode |= GR_APPEND;
39170 + else if (unlikely(fmode & FMODE_WRITE))
39171 + reqmode |= GR_WRITE;
39172 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
39173 + reqmode |= GR_READ;
39174 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
39175 + reqmode &= ~GR_READ;
39177 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39180 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39181 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
39182 + reqmode & GR_READ ? " reading" : "",
39183 + reqmode & GR_WRITE ? " writing" : reqmode &
39184 + GR_APPEND ? " appending" : "");
39187 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39189 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
39190 + reqmode & GR_READ ? " reading" : "",
39191 + reqmode & GR_WRITE ? " writing" : reqmode &
39192 + GR_APPEND ? " appending" : "");
39194 + } else if (unlikely((mode & reqmode) != reqmode))
39201 +gr_acl_handle_creat(const struct dentry * dentry,
39202 + const struct dentry * p_dentry,
39203 + const struct vfsmount * p_mnt, const int fmode,
39206 + __u32 reqmode = GR_WRITE | GR_CREATE;
39209 + if (unlikely(fmode & O_APPEND))
39210 + reqmode |= GR_APPEND;
39211 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
39212 + reqmode |= GR_READ;
39213 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
39214 + reqmode |= GR_SETID;
39217 + gr_check_create(dentry, p_dentry, p_mnt,
39218 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39220 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39221 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39222 + reqmode & GR_READ ? " reading" : "",
39223 + reqmode & GR_WRITE ? " writing" : reqmode &
39224 + GR_APPEND ? " appending" : "");
39227 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39229 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39230 + reqmode & GR_READ ? " reading" : "",
39231 + reqmode & GR_WRITE ? " writing" : reqmode &
39232 + GR_APPEND ? " appending" : "");
39234 + } else if (unlikely((mode & reqmode) != reqmode))
39241 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
39244 + __u32 mode, reqmode = GR_FIND;
39246 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
39247 + reqmode |= GR_EXEC;
39248 + if (fmode & S_IWOTH)
39249 + reqmode |= GR_WRITE;
39250 + if (fmode & S_IROTH)
39251 + reqmode |= GR_READ;
39254 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39257 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39258 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39259 + reqmode & GR_READ ? " reading" : "",
39260 + reqmode & GR_WRITE ? " writing" : "",
39261 + reqmode & GR_EXEC ? " executing" : "");
39264 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39266 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39267 + reqmode & GR_READ ? " reading" : "",
39268 + reqmode & GR_WRITE ? " writing" : "",
39269 + reqmode & GR_EXEC ? " executing" : "");
39271 + } else if (unlikely((mode & reqmode) != reqmode))
39277 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
39281 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
39283 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39284 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
39286 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39287 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
39289 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39292 + return (reqmode);
39296 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
39298 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
39302 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
39304 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
39308 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
39310 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
39314 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
39316 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
39320 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
39323 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
39326 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39327 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39328 + GR_FCHMOD_ACL_MSG);
39330 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
39335 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
39338 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39339 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39340 + GR_CHMOD_ACL_MSG);
39342 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
39347 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
39349 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
39353 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
39355 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
39359 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
39361 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
39365 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
39367 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
39368 + GR_UNIXCONNECT_ACL_MSG);
39371 +/* hardlinks require at minimum create permission,
39372 + any additional privilege required is based on the
39373 + privilege of the file being linked to
39376 +gr_acl_handle_link(const struct dentry * new_dentry,
39377 + const struct dentry * parent_dentry,
39378 + const struct vfsmount * parent_mnt,
39379 + const struct dentry * old_dentry,
39380 + const struct vfsmount * old_mnt, const char *to)
39383 + __u32 needmode = GR_CREATE | GR_LINK;
39384 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
39387 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
39390 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
39391 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39393 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39394 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39396 + } else if (unlikely((mode & needmode) != needmode))
39403 +gr_acl_handle_symlink(const struct dentry * new_dentry,
39404 + const struct dentry * parent_dentry,
39405 + const struct vfsmount * parent_mnt, const char *from)
39407 + __u32 needmode = GR_WRITE | GR_CREATE;
39411 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
39412 + GR_CREATE | GR_AUDIT_CREATE |
39413 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
39415 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
39416 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39418 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39419 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39421 + } else if (unlikely((mode & needmode) != needmode))
39424 + return (GR_WRITE | GR_CREATE);
39427 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
39431 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39433 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39434 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
39436 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39437 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
39439 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39442 + return (reqmode);
39446 +gr_acl_handle_mknod(const struct dentry * new_dentry,
39447 + const struct dentry * parent_dentry,
39448 + const struct vfsmount * parent_mnt,
39451 + __u32 reqmode = GR_WRITE | GR_CREATE;
39452 + if (unlikely(mode & (S_ISUID | S_ISGID)))
39453 + reqmode |= GR_SETID;
39455 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39456 + reqmode, GR_MKNOD_ACL_MSG);
39460 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
39461 + const struct dentry *parent_dentry,
39462 + const struct vfsmount *parent_mnt)
39464 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39465 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
39468 +#define RENAME_CHECK_SUCCESS(old, new) \
39469 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
39470 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
39473 +gr_acl_handle_rename(struct dentry *new_dentry,
39474 + struct dentry *parent_dentry,
39475 + const struct vfsmount *parent_mnt,
39476 + struct dentry *old_dentry,
39477 + struct inode *old_parent_inode,
39478 + struct vfsmount *old_mnt, const char *newname)
39480 + __u32 comp1, comp2;
39483 + if (unlikely(!gr_acl_is_enabled()))
39486 + if (!new_dentry->d_inode) {
39487 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
39488 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
39489 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
39490 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
39491 + GR_DELETE | GR_AUDIT_DELETE |
39492 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39493 + GR_SUPPRESS, old_mnt);
39495 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
39496 + GR_CREATE | GR_DELETE |
39497 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
39498 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39499 + GR_SUPPRESS, parent_mnt);
39501 + gr_search_file(old_dentry,
39502 + GR_READ | GR_WRITE | GR_AUDIT_READ |
39503 + GR_DELETE | GR_AUDIT_DELETE |
39504 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
39507 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
39508 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
39509 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39510 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
39511 + && !(comp2 & GR_SUPPRESS)) {
39512 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39514 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
39521 +gr_acl_handle_exit(void)
39525 + struct file *exec_file;
39527 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
39528 + id = current->acl_role_id;
39529 + rolename = current->role->rolename;
39531 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
39534 + write_lock(&grsec_exec_file_lock);
39535 + exec_file = current->exec_file;
39536 + current->exec_file = NULL;
39537 + write_unlock(&grsec_exec_file_lock);
39544 +gr_acl_handle_procpidmem(const struct task_struct *task)
39546 + if (unlikely(!gr_acl_is_enabled()))
39549 + if (task != current && task->acl->mode & GR_PROTPROCFD)
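Review bot: In gr_acl_handle_symlink() the audited-success branch tests only `mode & GR_WRITE`, while `needmode` is `GR_WRITE | GR_CREATE` and the two denial branches below it compare against the full `needmode`. A result that grants write but not create and carries an audit bit would be logged with GR_DO_AUDIT as a successful symlink instead of reaching the denial branches. gr_acl_handle_link and generic_fs_create_handler in this file use the full-mask form, so the condition should read `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS))) {`. The return statements of these branches are not shown on this page, so what the caller receives in that case cannot be confirmed from here.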
39554 diff -urNp linux-2.6.37/grsecurity/gracl_ip.c linux-2.6.37/grsecurity/gracl_ip.c
39555 --- linux-2.6.37/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
39556 +++ linux-2.6.37/grsecurity/gracl_ip.c 2011-01-17 02:41:02.000000000 -0500
39558 +#include <linux/kernel.h>
39559 +#include <asm/uaccess.h>
39560 +#include <asm/errno.h>
39561 +#include <net/sock.h>
39562 +#include <linux/file.h>
39563 +#include <linux/fs.h>
39564 +#include <linux/net.h>
39565 +#include <linux/in.h>
39566 +#include <linux/skbuff.h>
39567 +#include <linux/ip.h>
39568 +#include <linux/udp.h>
39569 +#include <linux/smp_lock.h>
39570 +#include <linux/types.h>
39571 +#include <linux/sched.h>
39572 +#include <linux/netdevice.h>
39573 +#include <linux/inetdevice.h>
39574 +#include <linux/gracl.h>
39575 +#include <linux/grsecurity.h>
39576 +#include <linux/grinternal.h>
39578 +#define GR_BIND 0x01
39579 +#define GR_CONNECT 0x02
39580 +#define GR_INVERT 0x04
39581 +#define GR_BINDOVERRIDE 0x08
39582 +#define GR_CONNECTOVERRIDE 0x10
39583 +#define GR_SOCK_FAMILY 0x20
39585 +static const char * gr_protocols[IPPROTO_MAX] = {
39586 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
39587 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
39588 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
39589 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
39590 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
39591 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
39592 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
39593 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
39594 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
39595 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
39596 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
39597 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
39598 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
39599 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
39600 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
39601 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
39602 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
39603 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
39604 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
39605 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
39606 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
39607 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
39608 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
39609 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
39610 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
39611 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
39612 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
39613 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
39614 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
39615 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
39616 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
39617 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
39620 +static const char * gr_socktypes[SOCK_MAX] = {
39621 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
39622 + "unknown:7", "unknown:8", "unknown:9", "packet"
39625 +static const char * gr_sockfamilies[AF_MAX+1] = {
39626 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
39627 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
39628 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "tipc", "bluetooth",
39629 + "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
39633 +gr_proto_to_name(unsigned char proto)
39635 + return gr_protocols[proto];
39639 +gr_socktype_to_name(unsigned char type)
39641 + return gr_socktypes[type];
39645 +gr_sockfamily_to_name(unsigned char family)
39647 + return gr_sockfamilies[family];
39651 +gr_search_socket(const int domain, const int type, const int protocol)
39653 + struct acl_subject_label *curr;
39654 + const struct cred *cred = current_cred();
39656 + if (unlikely(!gr_acl_is_enabled()))
39659 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
39660 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
39661 + goto exit; // let the kernel handle it
39663 + curr = current->acl;
39665 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
39666 + /* the family is allowed, if this is PF_INET allow it only if
39667 + the extra sock type/protocol checks pass */
39668 + if (domain == PF_INET)
39672 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39673 + __u32 fakeip = 0;
39674 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39675 + current->role->roletype, cred->uid,
39676 + cred->gid, current->exec_file ?
39677 + gr_to_filename(current->exec_file->f_path.dentry,
39678 + current->exec_file->f_path.mnt) :
39679 + curr->filename, curr->filename,
39680 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
39681 + ¤t->signal->saved_ip);
39688 + /* the rest of this checking is for IPv4 only */
39692 + if ((curr->ip_type & (1 << type)) &&
39693 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
39696 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39697 + /* we don't place acls on raw sockets , and sometimes
39698 + dgram/ip sockets are opened for ioctl and not
39699 + bind/connect, so we'll fake a bind learn log */
39700 + if (type == SOCK_RAW || type == SOCK_PACKET) {
39701 + __u32 fakeip = 0;
39702 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39703 + current->role->roletype, cred->uid,
39704 + cred->gid, current->exec_file ?
39705 + gr_to_filename(current->exec_file->f_path.dentry,
39706 + current->exec_file->f_path.mnt) :
39707 + curr->filename, curr->filename,
39708 + &fakeip, 0, type,
39709 + protocol, GR_CONNECT, ¤t->signal->saved_ip);
39710 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
39711 + __u32 fakeip = 0;
39712 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39713 + current->role->roletype, cred->uid,
39714 + cred->gid, current->exec_file ?
39715 + gr_to_filename(current->exec_file->f_path.dentry,
39716 + current->exec_file->f_path.mnt) :
39717 + curr->filename, curr->filename,
39718 + &fakeip, 0, type,
39719 + protocol, GR_BIND, ¤t->signal->saved_ip);
39721 + /* we'll log when they use connect or bind */
39726 + if (domain == PF_INET)
39727 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
39728 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
39730 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
39731 + gr_socktype_to_name(type), protocol);
39738 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
39740 + if ((ip->mode & mode) &&
39741 + (ip_port >= ip->low) &&
39742 + (ip_port <= ip->high) &&
39743 + ((ntohl(ip_addr) & our_netmask) ==
39744 + (ntohl(our_addr) & our_netmask))
39745 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
39746 + && (ip->type & (1 << type))) {
39747 + if (ip->mode & GR_INVERT)
39748 + return 2; // specifically denied
39750 + return 1; // allowed
39753 + return 0; // not specifically allowed, may continue parsing
39757 +gr_search_connectbind(const int full_mode, struct sock *sk,
39758 + struct sockaddr_in *addr, const int type)
39760 + char iface[IFNAMSIZ] = {0};
39761 + struct acl_subject_label *curr;
39762 + struct acl_ip_label *ip;
39763 + struct inet_sock *isk;
39764 + struct net_device *dev;
39765 + struct in_device *idev;
39768 + int mode = full_mode & (GR_BIND | GR_CONNECT);
39769 + __u32 ip_addr = 0;
39771 + __u32 our_netmask;
39773 + __u16 ip_port = 0;
39774 + const struct cred *cred = current_cred();
39776 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
39779 + curr = current->acl;
39780 + isk = inet_sk(sk);
39782 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
39783 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
39784 + addr->sin_addr.s_addr = curr->inaddr_any_override;
39785 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
39786 + struct sockaddr_in saddr;
39789 + saddr.sin_family = AF_INET;
39790 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
39791 + saddr.sin_port = isk->inet_sport;
39793 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39797 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39805 + ip_addr = addr->sin_addr.s_addr;
39806 + ip_port = ntohs(addr->sin_port);
39808 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39809 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39810 + current->role->roletype, cred->uid,
39811 + cred->gid, current->exec_file ?
39812 + gr_to_filename(current->exec_file->f_path.dentry,
39813 + current->exec_file->f_path.mnt) :
39814 + curr->filename, curr->filename,
39815 + &ip_addr, ip_port, type,
39816 + sk->sk_protocol, mode, ¤t->signal->saved_ip);
39820 + for (i = 0; i < curr->ip_num; i++) {
39821 + ip = *(curr->ips + i);
39822 + if (ip->iface != NULL) {
39823 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
39824 + p = strchr(iface, ':');
39827 + dev = dev_get_by_name(sock_net(sk), iface);
39830 + idev = in_dev_get(dev);
39831 + if (idev == NULL) {
39837 + if (!strcmp(ip->iface, ifa->ifa_label)) {
39838 + our_addr = ifa->ifa_address;
39839 + our_netmask = 0xffffffff;
39840 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
39842 + rcu_read_unlock();
39843 + in_dev_put(idev);
39846 + } else if (ret == 2) {
39847 + rcu_read_unlock();
39848 + in_dev_put(idev);
39853 + } endfor_ifa(idev);
39854 + rcu_read_unlock();
39855 + in_dev_put(idev);
39858 + our_addr = ip->addr;
39859 + our_netmask = ip->netmask;
39860 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
39863 + else if (ret == 2)
39869 + if (mode == GR_BIND)
39870 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
39871 + else if (mode == GR_CONNECT)
39872 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
39878 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
39880 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
39884 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
39886 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
39889 +int gr_search_listen(struct socket *sock)
39891 + struct sock *sk = sock->sk;
39892 + struct sockaddr_in addr;
39894 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
39895 + addr.sin_port = inet_sk(sk)->inet_sport;
39897 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
39900 +int gr_search_accept(struct socket *sock)
39902 + struct sock *sk = sock->sk;
39903 + struct sockaddr_in addr;
39905 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
39906 + addr.sin_port = inet_sk(sk)->inet_sport;
39908 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
39912 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
39915 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
39917 + struct sockaddr_in sin;
39918 + const struct inet_sock *inet = inet_sk(sk);
39920 + sin.sin_addr.s_addr = inet->inet_daddr;
39921 + sin.sin_port = inet->inet_dport;
39923 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
39928 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
39930 + struct sockaddr_in sin;
39932 + if (unlikely(skb->len < sizeof (struct udphdr)))
39933 + return 0; // skip this packet
39935 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
39936 + sin.sin_port = udp_hdr(skb)->source;
39938 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
39940 diff -urNp linux-2.6.37/grsecurity/gracl_learn.c linux-2.6.37/grsecurity/gracl_learn.c
39941 --- linux-2.6.37/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
39942 +++ linux-2.6.37/grsecurity/gracl_learn.c 2011-01-17 02:41:02.000000000 -0500
39944 +#include <linux/kernel.h>
39945 +#include <linux/mm.h>
39946 +#include <linux/sched.h>
39947 +#include <linux/poll.h>
39948 +#include <linux/smp_lock.h>
39949 +#include <linux/string.h>
39950 +#include <linux/file.h>
39951 +#include <linux/types.h>
39952 +#include <linux/vmalloc.h>
39953 +#include <linux/grinternal.h>
39955 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
39956 + size_t count, loff_t *ppos);
39957 +extern int gr_acl_is_enabled(void);
39959 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
39960 +static int gr_learn_attached;
39962 +/* use a 512k buffer */
39963 +#define LEARN_BUFFER_SIZE (512 * 1024)
39965 +static DEFINE_SPINLOCK(gr_learn_lock);
39966 +static DEFINE_MUTEX(gr_learn_user_mutex);
39968 +/* we need to maintain two buffers, so that the kernel context of grlearn
39969 + uses a semaphore around the userspace copying, and the other kernel contexts
39970 + use a spinlock when copying into the buffer, since they cannot sleep
39972 +static char *learn_buffer;
39973 +static char *learn_buffer_user;
39974 +static int learn_buffer_len;
39975 +static int learn_buffer_user_len;
39978 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
39980 + DECLARE_WAITQUEUE(wait, current);
39981 + ssize_t retval = 0;
39983 + add_wait_queue(&learn_wait, &wait);
39984 + set_current_state(TASK_INTERRUPTIBLE);
39986 + mutex_lock(&gr_learn_user_mutex);
39987 + spin_lock(&gr_learn_lock);
39988 + if (learn_buffer_len)
39990 + spin_unlock(&gr_learn_lock);
39991 + mutex_unlock(&gr_learn_user_mutex);
39992 + if (file->f_flags & O_NONBLOCK) {
39993 + retval = -EAGAIN;
39996 + if (signal_pending(current)) {
39997 + retval = -ERESTARTSYS;
40004 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
40005 + learn_buffer_user_len = learn_buffer_len;
40006 + retval = learn_buffer_len;
40007 + learn_buffer_len = 0;
40009 + spin_unlock(&gr_learn_lock);
40011 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
40012 + retval = -EFAULT;
40014 + mutex_unlock(&gr_learn_user_mutex);
40016 + set_current_state(TASK_RUNNING);
40017 + remove_wait_queue(&learn_wait, &wait);
40021 +static unsigned int
40022 +poll_learn(struct file * file, poll_table * wait)
40024 + poll_wait(file, &learn_wait, wait);
40026 + if (learn_buffer_len)
40027 + return (POLLIN | POLLRDNORM);
40033 +gr_clear_learn_entries(void)
40037 + mutex_lock(&gr_learn_user_mutex);
40038 + if (learn_buffer != NULL) {
40039 + spin_lock(&gr_learn_lock);
40040 + tmp = learn_buffer;
40041 + learn_buffer = NULL;
40042 + spin_unlock(&gr_learn_lock);
40043 + vfree(learn_buffer);
40045 + if (learn_buffer_user != NULL) {
40046 + vfree(learn_buffer_user);
40047 + learn_buffer_user = NULL;
40049 + learn_buffer_len = 0;
40050 + mutex_unlock(&gr_learn_user_mutex);
40056 +gr_add_learn_entry(const char *fmt, ...)
40059 + unsigned int len;
40061 + if (!gr_learn_attached)
40064 + spin_lock(&gr_learn_lock);
40066 + /* leave a gap at the end so we know when it's "full" but don't have to
40067 + compute the exact length of the string we're trying to append
40069 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
40070 + spin_unlock(&gr_learn_lock);
40071 + wake_up_interruptible(&learn_wait);
40074 + if (learn_buffer == NULL) {
40075 + spin_unlock(&gr_learn_lock);
40079 + va_start(args, fmt);
40080 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
40083 + learn_buffer_len += len + 1;
40085 + spin_unlock(&gr_learn_lock);
40086 + wake_up_interruptible(&learn_wait);
40092 +open_learn(struct inode *inode, struct file *file)
40094 + if (file->f_mode & FMODE_READ && gr_learn_attached)
40096 + if (file->f_mode & FMODE_READ) {
40098 + mutex_lock(&gr_learn_user_mutex);
40099 + if (learn_buffer == NULL)
40100 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
40101 + if (learn_buffer_user == NULL)
40102 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
40103 + if (learn_buffer == NULL) {
40104 + retval = -ENOMEM;
40107 + if (learn_buffer_user == NULL) {
40108 + retval = -ENOMEM;
40111 + learn_buffer_len = 0;
40112 + learn_buffer_user_len = 0;
40113 + gr_learn_attached = 1;
40115 + mutex_unlock(&gr_learn_user_mutex);
40122 +close_learn(struct inode *inode, struct file *file)
40126 + if (file->f_mode & FMODE_READ) {
40127 + mutex_lock(&gr_learn_user_mutex);
40128 + if (learn_buffer != NULL) {
40129 + spin_lock(&gr_learn_lock);
40130 + tmp = learn_buffer;
40131 + learn_buffer = NULL;
40132 + spin_unlock(&gr_learn_lock);
40135 + if (learn_buffer_user != NULL) {
40136 + vfree(learn_buffer_user);
40137 + learn_buffer_user = NULL;
40139 + learn_buffer_len = 0;
40140 + learn_buffer_user_len = 0;
40141 + gr_learn_attached = 0;
40142 + mutex_unlock(&gr_learn_user_mutex);
40148 +const struct file_operations grsec_fops = {
40149 + .read = read_learn,
40150 + .write = write_grsec_handler,
40151 + .open = open_learn,
40152 + .release = close_learn,
40153 + .poll = poll_learn,
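Review bot: In gr_clear_learn_entries the old buffer is saved in `tmp` and `learn_buffer` is set to NULL under the spinlock, but the next line calls `vfree(learn_buffer)`, which frees NULL at that point and leaks the allocation; it should be `vfree(tmp);`. Separately, gr_add_learn_entry adds the return value of `vsnprintf` to `learn_buffer_len`, and the kernel's vsnprintf returns the length the output would have had. A record longer than the remaining space would therefore push the length past LEARN_BUFFER_SIZE, and the `memcpy` in read_learn would copy that many bytes; unless a line not shown in this view clamps it, `len = vscnprintf(...)` keeps the length within the buffer. In the lines visible here read_learn also passes `learn_buffer_user_len` to `copy_to_user` without comparing it with `count`, which is worth confirming against the full file.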
40155 diff -urNp linux-2.6.37/grsecurity/gracl_res.c linux-2.6.37/grsecurity/gracl_res.c
40156 --- linux-2.6.37/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
40157 +++ linux-2.6.37/grsecurity/gracl_res.c 2011-01-17 02:41:02.000000000 -0500
40159 +#include <linux/kernel.h>
40160 +#include <linux/sched.h>
40161 +#include <linux/gracl.h>
40162 +#include <linux/grinternal.h>
40164 +static const char *restab_log[] = {
40165 + [RLIMIT_CPU] = "RLIMIT_CPU",
40166 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
40167 + [RLIMIT_DATA] = "RLIMIT_DATA",
40168 + [RLIMIT_STACK] = "RLIMIT_STACK",
40169 + [RLIMIT_CORE] = "RLIMIT_CORE",
40170 + [RLIMIT_RSS] = "RLIMIT_RSS",
40171 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
40172 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
40173 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
40174 + [RLIMIT_AS] = "RLIMIT_AS",
40175 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
40176 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
40177 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
40178 + [RLIMIT_NICE] = "RLIMIT_NICE",
40179 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
40180 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
40181 + [GR_CRASH_RES] = "RLIMIT_CRASH"
40185 +gr_log_resource(const struct task_struct *task,
40186 + const int res, const unsigned long wanted, const int gt)
40188 + const struct cred *cred;
40189 + unsigned long rlim;
40191 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
40194 + // not yet supported resource
40195 + if (unlikely(!restab_log[res]))
40198 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
40199 + rlim = task_rlimit_max(task, res);
40201 + rlim = task_rlimit(task, res);
40203 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
40207 + cred = __task_cred(task);
40209 + if (res == RLIMIT_NPROC &&
40210 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
40211 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
40212 + goto out_rcu_unlock;
40213 + else if (res == RLIMIT_MEMLOCK &&
40214 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
40215 + goto out_rcu_unlock;
40216 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
40217 + goto out_rcu_unlock;
40218 + rcu_read_unlock();
40220 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
40224 + rcu_read_unlock();
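Review bot: gr_log_resource indexes `restab_log[res]` with a signed `res` and only tests the entry for NULL, so a value outside the table (negative, or above the highest designated index, presumably GR_CRASH_RES) would be an out-of-bounds read before the NULL test can help. Callers presumably pass RLIMIT_* constants, but nothing in the visible lines enforces that. A cheap guard is to widen the existing test to `if (unlikely(res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res]))`. Some lines of this function are not shown in this view, so check that no earlier range test already exists.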
40227 diff -urNp linux-2.6.37/grsecurity/gracl_segv.c linux-2.6.37/grsecurity/gracl_segv.c
40228 --- linux-2.6.37/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
40229 +++ linux-2.6.37/grsecurity/gracl_segv.c 2011-01-17 02:41:02.000000000 -0500
40231 +#include <linux/kernel.h>
40232 +#include <linux/mm.h>
40233 +#include <asm/uaccess.h>
40234 +#include <asm/errno.h>
40235 +#include <asm/mman.h>
40236 +#include <net/sock.h>
40237 +#include <linux/file.h>
40238 +#include <linux/fs.h>
40239 +#include <linux/net.h>
40240 +#include <linux/in.h>
40241 +#include <linux/smp_lock.h>
40242 +#include <linux/slab.h>
40243 +#include <linux/types.h>
40244 +#include <linux/sched.h>
40245 +#include <linux/timer.h>
40246 +#include <linux/gracl.h>
40247 +#include <linux/grsecurity.h>
40248 +#include <linux/grinternal.h>
40250 +static struct crash_uid *uid_set;
40251 +static unsigned short uid_used;
40252 +static DEFINE_SPINLOCK(gr_uid_lock);
40253 +extern rwlock_t gr_inode_lock;
40254 +extern struct acl_subject_label *
40255 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
40256 + struct acl_role_label *role);
40257 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
40260 +gr_init_uidset(void)
40263 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
40266 + return uid_set ? 1 : 0;
40270 +gr_free_uidset(void)
40279 +gr_find_uid(const uid_t uid)
40281 + struct crash_uid *tmp = uid_set;
40283 + int low = 0, high = uid_used - 1, mid;
40285 + while (high >= low) {
40286 + mid = (low + high) >> 1;
40287 + buid = tmp[mid].uid;
40299 +static __inline__ void
40300 +gr_insertsort(void)
40302 + unsigned short i, j;
40303 + struct crash_uid index;
40305 + for (i = 1; i < uid_used; i++) {
40306 + index = uid_set[i];
40308 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
40309 + uid_set[j] = uid_set[j - 1];
40312 + uid_set[j] = index;
40318 +static __inline__ void
40319 +gr_insert_uid(const uid_t uid, const unsigned long expires)
40323 + if (uid_used == GR_UIDTABLE_MAX)
40326 + loc = gr_find_uid(uid);
40329 + uid_set[loc].expires = expires;
40333 + uid_set[uid_used].uid = uid;
40334 + uid_set[uid_used].expires = expires;
40343 +gr_remove_uid(const unsigned short loc)
40345 + unsigned short i;
40347 + for (i = loc + 1; i < uid_used; i++)
40348 + uid_set[i - 1] = uid_set[i];
40356 +gr_check_crash_uid(const uid_t uid)
40361 + if (unlikely(!gr_acl_is_enabled()))
40364 + spin_lock(&gr_uid_lock);
40365 + loc = gr_find_uid(uid);
40370 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
40371 + gr_remove_uid(loc);
40376 + spin_unlock(&gr_uid_lock);
40380 +static __inline__ int
40381 +proc_is_setxid(const struct cred *cred)
40383 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
40384 + cred->uid != cred->fsuid)
40386 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
40387 + cred->gid != cred->fsgid)
40392 +static __inline__ int
40393 +gr_fake_force_sig(int sig, struct task_struct *t)
40395 + unsigned long int flags;
40396 + int ret, blocked, ignored;
40397 + struct k_sigaction *action;
40399 + spin_lock_irqsave(&t->sighand->siglock, flags);
40400 + action = &t->sighand->action[sig-1];
40401 + ignored = action->sa.sa_handler == SIG_IGN;
40402 + blocked = sigismember(&t->blocked, sig);
40403 + if (blocked || ignored) {
40404 + action->sa.sa_handler = SIG_DFL;
40406 + sigdelset(&t->blocked, sig);
40407 + recalc_sigpending_and_wake(t);
40410 + if (action->sa.sa_handler == SIG_DFL)
40411 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
40412 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
40414 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
40420 +gr_handle_crash(struct task_struct *task, const int sig)
40422 + struct acl_subject_label *curr;
40423 + struct acl_subject_label *curr2;
40424 + struct task_struct *tsk, *tsk2;
40425 + const struct cred *cred;
40426 + const struct cred *cred2;
40428 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
40431 + if (unlikely(!gr_acl_is_enabled()))
40434 + curr = task->acl;
40436 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
40439 + if (time_before_eq(curr->expires, get_seconds())) {
40440 + curr->expires = 0;
40441 + curr->crashes = 0;
40446 + if (!curr->expires)
40447 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
40449 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40450 + time_after(curr->expires, get_seconds())) {
40452 + cred = __task_cred(task);
40453 + if (cred->uid && proc_is_setxid(cred)) {
40454 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40455 + spin_lock(&gr_uid_lock);
40456 + gr_insert_uid(cred->uid, curr->expires);
40457 + spin_unlock(&gr_uid_lock);
40458 + curr->expires = 0;
40459 + curr->crashes = 0;
40460 + read_lock(&tasklist_lock);
40461 + do_each_thread(tsk2, tsk) {
40462 + cred2 = __task_cred(tsk);
40463 + if (tsk != task && cred2->uid == cred->uid)
40464 + gr_fake_force_sig(SIGKILL, tsk);
40465 + } while_each_thread(tsk2, tsk);
40466 + read_unlock(&tasklist_lock);
40468 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40469 + read_lock(&tasklist_lock);
40470 + do_each_thread(tsk2, tsk) {
40471 + if (likely(tsk != task)) {
40472 + curr2 = tsk->acl;
40474 + if (curr2->device == curr->device &&
40475 + curr2->inode == curr->inode)
40476 + gr_fake_force_sig(SIGKILL, tsk);
40478 + } while_each_thread(tsk2, tsk);
40479 + read_unlock(&tasklist_lock);
40481 + rcu_read_unlock();
40488 +gr_check_crash_exec(const struct file *filp)
40490 + struct acl_subject_label *curr;
40492 + if (unlikely(!gr_acl_is_enabled()))
40495 + read_lock(&gr_inode_lock);
40496 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
40497 + filp->f_path.dentry->d_inode->i_sb->s_dev,
40499 + read_unlock(&gr_inode_lock);
40501 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
40502 + (!curr->crashes && !curr->expires))
40505 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40506 + time_after(curr->expires, get_seconds()))
40508 + else if (time_before_eq(curr->expires, get_seconds())) {
40509 + curr->crashes = 0;
40510 + curr->expires = 0;
40517 +gr_handle_alertkill(struct task_struct *task)
40519 + struct acl_subject_label *curracl;
40521 + struct task_struct *p, *p2;
40523 + if (unlikely(!gr_acl_is_enabled()))
40526 + curracl = task->acl;
40527 + curr_ip = task->signal->curr_ip;
40529 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
40530 + read_lock(&tasklist_lock);
40531 + do_each_thread(p2, p) {
40532 + if (p->signal->curr_ip == curr_ip)
40533 + gr_fake_force_sig(SIGKILL, p);
40534 + } while_each_thread(p2, p);
40535 + read_unlock(&tasklist_lock);
40536 + } else if (curracl->mode & GR_KILLPROC)
40537 + gr_fake_force_sig(SIGKILL, task);
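Review bot: gr_check_crash_exec releases `gr_inode_lock` right after lookup_acl_subj_label() and then reads and resets `curr->crashes` and `curr->expires` on the returned subject, and gr_handle_crash updates the same two fields on `task->acl` with no lock visible around them. If subjects can be freed or replaced on a policy reload, or two tasks under one subject crash at the same time, the counters that gate the crash lockout could be touched after the lookup lock is gone, or could lose updates. Either hold the lock until the last use of `curr`, or add a comment naming what serialises these fields, e.g. `/* crashes/expires: protected by <lock name>; subject lifetime pinned by <mechanism> */`. Several lines of this section are not shown in this view, so a lock may be taken on a line that is not visible here.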
40541 diff -urNp linux-2.6.37/grsecurity/gracl_shm.c linux-2.6.37/grsecurity/gracl_shm.c
40542 --- linux-2.6.37/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
40543 +++ linux-2.6.37/grsecurity/gracl_shm.c 2011-01-17 02:41:02.000000000 -0500
40545 +#include <linux/kernel.h>
40546 +#include <linux/mm.h>
40547 +#include <linux/sched.h>
40548 +#include <linux/file.h>
40549 +#include <linux/ipc.h>
40550 +#include <linux/gracl.h>
40551 +#include <linux/grsecurity.h>
40552 +#include <linux/grinternal.h>
40555 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40556 + const time_t shm_createtime, const uid_t cuid, const int shmid)
40558 + struct task_struct *task;
40560 + if (!gr_acl_is_enabled())
40564 + read_lock(&tasklist_lock);
40566 + task = find_task_by_vpid(shm_cprid);
40568 + if (unlikely(!task))
40569 + task = find_task_by_vpid(shm_lapid);
40571 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
40572 + (task->pid == shm_lapid)) &&
40573 + (task->acl->mode & GR_PROTSHM) &&
40574 + (task->acl != current->acl))) {
40575 + read_unlock(&tasklist_lock);
40576 + rcu_read_unlock();
40577 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
40580 + read_unlock(&tasklist_lock);
40581 + rcu_read_unlock();
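Review bot: gr_handle_shmat has no comment explaining the dense `if (unlikely(task && ...` condition, which needs one. From the visible lines it looks up the creator pid and falls back to the last-attach pid. It takes the logging branch when that task started at or before the segment's creation time (or is the last attacher), its subject has GR_PROTSHM set, and that subject differs from `current->acl`. I would add above the condition: `/* refuse when the segment's creator (or last attacher) runs under a GR_PROTSHM subject other than ours; the start_time test presumably guards against pid reuse */`. The return statements are not shown in this view, so confirm that "refuse" matches the actual return value before committing the wording.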
40585 diff -urNp linux-2.6.37/grsecurity/grsec_chdir.c linux-2.6.37/grsecurity/grsec_chdir.c
40586 --- linux-2.6.37/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
40587 +++ linux-2.6.37/grsecurity/grsec_chdir.c 2011-01-17 02:41:02.000000000 -0500
40589 +#include <linux/kernel.h>
40590 +#include <linux/sched.h>
40591 +#include <linux/fs.h>
40592 +#include <linux/file.h>
40593 +#include <linux/grsecurity.h>
40594 +#include <linux/grinternal.h>
40597 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
40599 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40600 + if ((grsec_enable_chdir && grsec_enable_group &&
40601 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
40602 + !grsec_enable_group)) {
40603 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
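Review bot: The condition in gr_log_chdir tests `grsec_enable_chdir` twice across an `||`, which makes the audit-group logic harder to read than it needs to be. It is the same predicate as `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, and `in_group_p()` is still only called when group auditing is enabled. The closing lines of the function are not shown in this view.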
40608 diff -urNp linux-2.6.37/grsecurity/grsec_chroot.c linux-2.6.37/grsecurity/grsec_chroot.c
40609 --- linux-2.6.37/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
40610 +++ linux-2.6.37/grsecurity/grsec_chroot.c 2011-01-17 02:41:02.000000000 -0500
40612 +#include <linux/kernel.h>
40613 +#include <linux/module.h>
40614 +#include <linux/sched.h>
40615 +#include <linux/file.h>
40616 +#include <linux/fs.h>
40617 +#include <linux/mount.h>
40618 +#include <linux/types.h>
40619 +#include <linux/pid_namespace.h>
40620 +#include <linux/grsecurity.h>
40621 +#include <linux/grinternal.h>
40623 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
40625 +#ifdef CONFIG_GRKERNSEC
40626 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
40627 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
40628 + task->gr_is_chrooted = 1;
40630 + task->gr_is_chrooted = 0;
40632 + task->gr_chroot_dentry = path->dentry;
40637 +void gr_clear_chroot_entries(struct task_struct *task)
40639 +#ifdef CONFIG_GRKERNSEC
40640 + task->gr_is_chrooted = 0;
40641 + task->gr_chroot_dentry = NULL;
40647 +gr_handle_chroot_unix(struct pid *pid)
40649 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40650 + struct task_struct *p;
40652 + if (unlikely(!grsec_enable_chroot_unix))
40655 + if (likely(!proc_is_chrooted(current)))
40659 + read_lock(&tasklist_lock);
40660 + p = pid_task(pid, PIDTYPE_PID);
40661 + if (unlikely(!have_same_root(current, p))) {
40662 + read_unlock(&tasklist_lock);
40663 + rcu_read_unlock();
40664 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
40667 + read_unlock(&tasklist_lock);
40668 + rcu_read_unlock();
40674 +gr_handle_chroot_nice(void)
40676 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40677 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
40678 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
40686 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
40688 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40689 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
40690 + && proc_is_chrooted(current)) {
40691 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
40699 +gr_handle_chroot_rawio(const struct inode *inode)
40701 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40702 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
40703 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
40710 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
40712 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40713 + struct task_struct *p;
40715 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
40718 + read_lock(&tasklist_lock);
40719 + do_each_pid_task(pid, type, p) {
40720 + if (!have_same_root(current, p)) {
40724 + } while_each_pid_task(pid, type, p);
40726 + read_unlock(&tasklist_lock);
40733 +gr_pid_is_chrooted(struct task_struct *p)
40735 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40736 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
40739 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
40740 + !have_same_root(current, p)) {
40747 +EXPORT_SYMBOL(gr_pid_is_chrooted);
40749 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
40750 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
40752 + struct dentry *dentry = (struct dentry *)u_dentry;
40753 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
40754 + struct path realroot, currentroot;
40755 + struct task_struct *reaper = &init_task;
40758 + get_fs_root(reaper->fs, &realroot);
40759 + get_fs_root(current->fs, ¤troot);
40761 + spin_lock(&dcache_lock);
40763 + if (unlikely((dentry == realroot.dentry && mnt == realroot.mnt)
40764 + || (dentry == currentroot.dentry && mnt == currentroot.mnt)))
40766 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
40767 + if (mnt->mnt_parent == mnt)
40769 + dentry = mnt->mnt_mountpoint;
40770 + mnt = mnt->mnt_parent;
40773 + dentry = dentry->d_parent;
40775 + spin_unlock(&dcache_lock);
40777 + path_put(¤troot);
40779 + /* access is outside of chroot */
40780 + if (dentry == realroot.dentry && mnt == realroot.mnt)
40783 + path_put(&realroot);
40789 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
40791 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40792 + if (!grsec_enable_chroot_fchdir)
40795 + if (!proc_is_chrooted(current))
40797 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
40798 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
40806 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40807 + const time_t shm_createtime)
40809 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40810 + struct pid *pid = NULL;
40811 + time_t starttime;
40813 + if (unlikely(!grsec_enable_chroot_shmat))
40816 + if (likely(!proc_is_chrooted(current)))
40820 + read_lock(&tasklist_lock);
40822 + pid = find_vpid(shm_cprid);
40824 + struct task_struct *p;
40825 + p = pid_task(pid, PIDTYPE_PID);
40826 + starttime = p->start_time.tv_sec;
40827 + if (unlikely(!have_same_root(current, p) &&
40828 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
40829 + read_unlock(&tasklist_lock);
40830 + rcu_read_unlock();
40831 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
40835 + pid = find_vpid(shm_lapid);
40837 + struct task_struct *p;
40838 + p = pid_task(pid, PIDTYPE_PID);
40839 + if (unlikely(!have_same_root(current, p))) {
40840 + read_unlock(&tasklist_lock);
40841 + rcu_read_unlock();
40842 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
40848 + read_unlock(&tasklist_lock);
40849 + rcu_read_unlock();
40855 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
40857 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
40858 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
40859 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
40865 +gr_handle_chroot_mknod(const struct dentry *dentry,
40866 + const struct vfsmount *mnt, const int mode)
40868 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
40869 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
40870 + proc_is_chrooted(current)) {
40871 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
40879 +gr_handle_chroot_mount(const struct dentry *dentry,
40880 + const struct vfsmount *mnt, const char *dev_name)
40882 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
40883 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
40884 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
40892 +gr_handle_chroot_pivot(void)
40894 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
40895 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
40896 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
40904 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
40906 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
40907 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
40908 + !gr_is_outside_chroot(dentry, mnt)) {
40909 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
40917 +gr_handle_chroot_caps(struct path *path)
40919 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40920 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
40921 + (init_task.fs->root.dentry != path->dentry) &&
40922 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
40924 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
40925 + const struct cred *old = current_cred();
40926 + struct cred *new = prepare_creds();
40930 + new->cap_permitted = cap_drop(old->cap_permitted,
40932 + new->cap_inheritable = cap_drop(old->cap_inheritable,
40934 + new->cap_effective = cap_drop(old->cap_effective,
40937 + commit_creds(new);
40946 +gr_handle_chroot_sysctl(const int op)
40948 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
40949 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
40950 + proc_is_chrooted(current))
40957 +gr_handle_chroot_chdir(struct path *path)
40959 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
40960 + if (grsec_enable_chroot_chdir)
40961 + set_fs_pwd(current->fs, path);
40967 +gr_handle_chroot_chmod(const struct dentry *dentry,
40968 + const struct vfsmount *mnt, const int mode)
40970 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40971 + /* allow chmod +s on directories, but not files */
40972 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
40973 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
40974 + proc_is_chrooted(current)) {
40975 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
40982 +#ifdef CONFIG_SECURITY
40983 +EXPORT_SYMBOL(gr_handle_chroot_caps);
40985 diff -urNp linux-2.6.37/grsecurity/grsec_disabled.c linux-2.6.37/grsecurity/grsec_disabled.c
40986 --- linux-2.6.37/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
40987 +++ linux-2.6.37/grsecurity/grsec_disabled.c 2011-01-17 02:41:02.000000000 -0500
40989 +#include <linux/kernel.h>
40990 +#include <linux/module.h>
40991 +#include <linux/sched.h>
40992 +#include <linux/file.h>
40993 +#include <linux/fs.h>
40994 +#include <linux/kdev_t.h>
40995 +#include <linux/net.h>
40996 +#include <linux/in.h>
40997 +#include <linux/ip.h>
40998 +#include <linux/skbuff.h>
40999 +#include <linux/sysctl.h>
41001 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
41003 +pax_set_initial_flags(struct linux_binprm *bprm)
41009 +#ifdef CONFIG_SYSCTL
41011 +gr_handle_sysctl(const struct ctl_table * table, const int op)
41017 +#ifdef CONFIG_TASKSTATS
41018 +int gr_is_taskstats_denied(int pid)
41025 +gr_acl_is_enabled(void)
41031 +gr_handle_rawio(const struct inode *inode)
41037 +gr_acl_handle_psacct(struct task_struct *task, const long code)
41043 +gr_handle_ptrace(struct task_struct *task, const long request)
41049 +gr_handle_proc_ptrace(struct task_struct *task)
41055 +gr_learn_resource(const struct task_struct *task,
41056 + const int res, const unsigned long wanted, const int gt)
41062 +gr_set_acls(const int type)
41068 +gr_check_hidden_task(const struct task_struct *tsk)
41074 +gr_check_protected_task(const struct task_struct *task)
41080 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
41086 +gr_copy_label(struct task_struct *tsk)
41092 +gr_set_pax_flags(struct task_struct *task)
41098 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
41099 + const int unsafe_share)
41105 +gr_handle_delete(const ino_t ino, const dev_t dev)
41111 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
41117 +gr_handle_crash(struct task_struct *task, const int sig)
41123 +gr_check_crash_exec(const struct file *filp)
41129 +gr_check_crash_uid(const uid_t uid)
41135 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
41136 + struct dentry *old_dentry,
41137 + struct dentry *new_dentry,
41138 + struct vfsmount *mnt, const __u8 replace)
41144 +gr_search_socket(const int family, const int type, const int protocol)
41150 +gr_search_connectbind(const int mode, const struct socket *sock,
41151 + const struct sockaddr_in *addr)
41157 +gr_is_capable(const int cap)
41163 +gr_is_capable_nolog(const int cap)
41169 +gr_handle_alertkill(struct task_struct *task)
41175 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
41181 +gr_acl_handle_hidden_file(const struct dentry * dentry,
41182 + const struct vfsmount * mnt)
41188 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
41195 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
41201 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
41207 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
41208 + unsigned int *vm_flags)
41214 +gr_acl_handle_truncate(const struct dentry * dentry,
41215 + const struct vfsmount * mnt)
41221 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
41227 +gr_acl_handle_access(const struct dentry * dentry,
41228 + const struct vfsmount * mnt, const int fmode)
41234 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
41241 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
41248 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
41254 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
41260 +grsecurity_init(void)
41266 +gr_acl_handle_mknod(const struct dentry * new_dentry,
41267 + const struct dentry * parent_dentry,
41268 + const struct vfsmount * parent_mnt,
41275 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
41276 + const struct dentry * parent_dentry,
41277 + const struct vfsmount * parent_mnt)
41283 +gr_acl_handle_symlink(const struct dentry * new_dentry,
41284 + const struct dentry * parent_dentry,
41285 + const struct vfsmount * parent_mnt, const char *from)
41291 +gr_acl_handle_link(const struct dentry * new_dentry,
41292 + const struct dentry * parent_dentry,
41293 + const struct vfsmount * parent_mnt,
41294 + const struct dentry * old_dentry,
41295 + const struct vfsmount * old_mnt, const char *to)
41301 +gr_acl_handle_rename(const struct dentry *new_dentry,
41302 + const struct dentry *parent_dentry,
41303 + const struct vfsmount *parent_mnt,
41304 + const struct dentry *old_dentry,
41305 + const struct inode *old_parent_inode,
41306 + const struct vfsmount *old_mnt, const char *newname)
41312 +gr_acl_handle_filldir(const struct file *file, const char *name,
41313 + const int namelen, const ino_t ino)
41319 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41320 + const time_t shm_createtime, const uid_t cuid, const int shmid)
41326 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
41332 +gr_search_accept(const struct socket *sock)
41338 +gr_search_listen(const struct socket *sock)
41344 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
41350 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
41356 +gr_acl_handle_creat(const struct dentry * dentry,
41357 + const struct dentry * p_dentry,
41358 + const struct vfsmount * p_mnt, const int fmode,
41365 +gr_acl_handle_exit(void)
41371 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
41377 +gr_set_role_label(const uid_t uid, const gid_t gid)
41383 +gr_acl_handle_procpidmem(const struct task_struct *task)
41389 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
41395 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
41401 +gr_set_kernel_label(struct task_struct *task)
41407 +gr_check_user_change(int real, int effective, int fs)
41413 +gr_check_group_change(int real, int effective, int fs)
41418 +int gr_acl_enable_at_secure(void)
41423 +EXPORT_SYMBOL(gr_is_capable);
41424 +EXPORT_SYMBOL(gr_is_capable_nolog);
41425 +EXPORT_SYMBOL(gr_learn_resource);
41426 +EXPORT_SYMBOL(gr_set_kernel_label);
41427 +#ifdef CONFIG_SECURITY
41428 +EXPORT_SYMBOL(gr_check_user_change);
41429 +EXPORT_SYMBOL(gr_check_group_change);
41431 diff -urNp linux-2.6.37/grsecurity/grsec_exec.c linux-2.6.37/grsecurity/grsec_exec.c
41432 --- linux-2.6.37/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
41433 +++ linux-2.6.37/grsecurity/grsec_exec.c 2011-01-17 02:41:02.000000000 -0500
41435 +#include <linux/kernel.h>
41436 +#include <linux/sched.h>
41437 +#include <linux/file.h>
41438 +#include <linux/binfmts.h>
41439 +#include <linux/smp_lock.h>
41440 +#include <linux/fs.h>
41441 +#include <linux/types.h>
41442 +#include <linux/grdefs.h>
41443 +#include <linux/grinternal.h>
41444 +#include <linux/capability.h>
41445 +#include <linux/compat.h>
41447 +#include <asm/uaccess.h>
41449 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41450 +static char gr_exec_arg_buf[132];
41451 +static DEFINE_MUTEX(gr_exec_arg_mutex);
41455 +gr_handle_nproc(void)
41457 +#ifdef CONFIG_GRKERNSEC_EXECVE
41458 + const struct cred *cred = current_cred();
41459 + if (grsec_enable_execve && cred->user &&
41460 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
41461 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
41462 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
41470 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
41472 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41473 + char *grarg = gr_exec_arg_buf;
41474 + unsigned int i, x, execlen = 0;
41477 + if (!((grsec_enable_execlog && grsec_enable_group &&
41478 + in_group_p(grsec_audit_gid))
41479 + || (grsec_enable_execlog && !grsec_enable_group)))
41482 + mutex_lock(&gr_exec_arg_mutex);
41483 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
41485 + if (unlikely(argv == NULL))
41488 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
41489 + const char __user *p;
41490 + unsigned int len;
41492 + if (copy_from_user(&p, argv + i, sizeof(p)))
41496 + len = strnlen_user(p, 128 - execlen);
41497 + if (len > 128 - execlen)
41498 + len = 128 - execlen;
41499 + else if (len > 0)
41501 + if (copy_from_user(grarg + execlen, p, len))
41504 + /* rewrite unprintable characters */
41505 + for (x = 0; x < len; x++) {
41506 + c = *(grarg + execlen + x);
41507 + if (c < 32 || c > 126)
41508 + *(grarg + execlen + x) = ' ';
41512 + *(grarg + execlen) = ' ';
41513 + *(grarg + execlen + 1) = '\0';
41518 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
41519 + bprm->file->f_path.mnt, grarg);
41520 + mutex_unlock(&gr_exec_arg_mutex);
41525 +#ifdef CONFIG_COMPAT
41527 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
41529 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41530 + char *grarg = gr_exec_arg_buf;
41531 + unsigned int i, x, execlen = 0;
41534 + if (!((grsec_enable_execlog && grsec_enable_group &&
41535 + in_group_p(grsec_audit_gid))
41536 + || (grsec_enable_execlog && !grsec_enable_group)))
41539 + mutex_lock(&gr_exec_arg_mutex);
41540 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
41542 + if (unlikely(argv == NULL))
41545 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
41547 + unsigned int len;
41549 + if (get_user(p, argv + i))
41551 + len = strnlen_user(compat_ptr(p), 128 - execlen);
41552 + if (len > 128 - execlen)
41553 + len = 128 - execlen;
41554 + else if (len > 0)
41558 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
41561 + /* rewrite unprintable characters */
41562 + for (x = 0; x < len; x++) {
41563 + c = *(grarg + execlen + x);
41564 + if (c < 32 || c > 126)
41565 + *(grarg + execlen + x) = ' ';
41569 + *(grarg + execlen) = ' ';
41570 + *(grarg + execlen + 1) = '\0';
41575 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
41576 + bprm->file->f_path.mnt, grarg);
41577 + mutex_unlock(&gr_exec_arg_mutex);
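Review bot: The text written to the exec audit log in gr_handle_exec_args() and gr_handle_exec_args_compat() is read from user memory by its own strnlen_user()/copy_from_user() pair, so it can change between the length probe and the copy. It is also not guaranteed to match the argument strings the kernel uses for the exec itself; the call site is outside this hunk, so that ordering is inferred. The clamp to `128 - execlen` keeps the copy and the trailing space and NUL inside the 132-byte gr_exec_arg_buf, so this looks like an audit-accuracy limit rather than a memory-safety problem. It still deserves a comment at the copy: `/* argv is re-read from userspace here; logged text may differ from what is executed */`. The literal 128 is repeated in both functions against a buffer declared as 132, and a named constant next to `gr_exec_arg_buf` would tie the two together; several lines of both bodies are missing from this listing.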
41582 diff -urNp linux-2.6.37/grsecurity/grsec_fifo.c linux-2.6.37/grsecurity/grsec_fifo.c
41583 --- linux-2.6.37/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
41584 +++ linux-2.6.37/grsecurity/grsec_fifo.c 2011-01-17 02:41:02.000000000 -0500
41586 +#include <linux/kernel.h>
41587 +#include <linux/sched.h>
41588 +#include <linux/fs.h>
41589 +#include <linux/file.h>
41590 +#include <linux/grinternal.h>
41593 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
41594 + const struct dentry *dir, const int flag, const int acc_mode)
41596 +#ifdef CONFIG_GRKERNSEC_FIFO
41597 + const struct cred *cred = current_cred();
41599 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
41600 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
41601 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
41602 + (cred->fsuid != dentry->d_inode->i_uid)) {
41603 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
41604 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
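Review bot: gr_handle_fifo() has no comment stating the rule its five-part condition encodes, which makes the policy hard to audit against the Kconfig help text. From the visible lines, the rule fires for a FIFO opened without O_EXCL in a sticky directory when the FIFO's owner is neither the directory owner nor the caller's fsuid. The alert is logged only when generic_permission() returns 0, that is, when ordinary DAC would have allowed the open. I would put that above the `if`: `/* another user's FIFO in a sticky dir, opened without O_EXCL; log only if DAC alone would have permitted it */`. The return statements are not visible in this listing, so the deny/allow result should be documented from the full source.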
41610 diff -urNp linux-2.6.37/grsecurity/grsec_fork.c linux-2.6.37/grsecurity/grsec_fork.c
41611 --- linux-2.6.37/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
41612 +++ linux-2.6.37/grsecurity/grsec_fork.c 2011-01-17 02:41:02.000000000 -0500
41614 +#include <linux/kernel.h>
41615 +#include <linux/sched.h>
41616 +#include <linux/grsecurity.h>
41617 +#include <linux/grinternal.h>
41618 +#include <linux/errno.h>
41621 +gr_log_forkfail(const int retval)
41623 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41624 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
41625 + switch (retval) {
41627 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
41630 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
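Review bot: retval is tested twice in gr_log_forkfail(): the outer `if` already restricts it to -EAGAIN or -ENOMEM, and the `switch` inside then dispatches on the same two values. The case labels are not visible in this listing, so that is inferred from the two log calls. Keeping the `if` and replacing the switch with `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval == -EAGAIN ? "EAGAIN" : "ENOMEM");` says the same thing in one place. It also leaves no way for the condition and the cases to drift apart if another errno is added later.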
41637 diff -urNp linux-2.6.37/grsecurity/grsec_init.c linux-2.6.37/grsecurity/grsec_init.c
41638 --- linux-2.6.37/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
41639 +++ linux-2.6.37/grsecurity/grsec_init.c 2011-01-17 02:41:02.000000000 -0500
41641 +#include <linux/kernel.h>
41642 +#include <linux/sched.h>
41643 +#include <linux/mm.h>
41644 +#include <linux/smp_lock.h>
41645 +#include <linux/gracl.h>
41646 +#include <linux/slab.h>
41647 +#include <linux/vmalloc.h>
41648 +#include <linux/percpu.h>
41649 +#include <linux/module.h>
41651 +int grsec_enable_link;
41652 +int grsec_enable_dmesg;
41653 +int grsec_enable_harden_ptrace;
41654 +int grsec_enable_fifo;
41655 +int grsec_enable_execve;
41656 +int grsec_enable_execlog;
41657 +int grsec_enable_signal;
41658 +int grsec_enable_forkfail;
41659 +int grsec_enable_audit_ptrace;
41660 +int grsec_enable_time;
41661 +int grsec_enable_audit_textrel;
41662 +int grsec_enable_group;
41663 +int grsec_audit_gid;
41664 +int grsec_enable_chdir;
41665 +int grsec_enable_mount;
41666 +int grsec_enable_rofs;
41667 +int grsec_enable_chroot_findtask;
41668 +int grsec_enable_chroot_mount;
41669 +int grsec_enable_chroot_shmat;
41670 +int grsec_enable_chroot_fchdir;
41671 +int grsec_enable_chroot_double;
41672 +int grsec_enable_chroot_pivot;
41673 +int grsec_enable_chroot_chdir;
41674 +int grsec_enable_chroot_chmod;
41675 +int grsec_enable_chroot_mknod;
41676 +int grsec_enable_chroot_nice;
41677 +int grsec_enable_chroot_execlog;
41678 +int grsec_enable_chroot_caps;
41679 +int grsec_enable_chroot_sysctl;
41680 +int grsec_enable_chroot_unix;
41681 +int grsec_enable_tpe;
41682 +int grsec_tpe_gid;
41683 +int grsec_enable_blackhole;
41684 +#ifdef CONFIG_IPV6_MODULE
41685 +EXPORT_SYMBOL(grsec_enable_blackhole);
41687 +int grsec_lastack_retries;
41688 +int grsec_enable_tpe_all;
41689 +int grsec_enable_tpe_invert;
41690 +int grsec_enable_socket_all;
41691 +int grsec_socket_all_gid;
41692 +int grsec_enable_socket_client;
41693 +int grsec_socket_client_gid;
41694 +int grsec_enable_socket_server;
41695 +int grsec_socket_server_gid;
41696 +int grsec_resource_logging;
41697 +int grsec_disable_privio;
41698 +int grsec_enable_log_rwxmaps;
41701 +DEFINE_SPINLOCK(grsec_alert_lock);
41702 +unsigned long grsec_alert_wtime = 0;
41703 +unsigned long grsec_alert_fyet = 0;
41705 +DEFINE_SPINLOCK(grsec_audit_lock);
41707 +DEFINE_RWLOCK(grsec_exec_file_lock);
41709 +char *gr_shared_page[4];
41711 +char *gr_alert_log_fmt;
41712 +char *gr_audit_log_fmt;
41713 +char *gr_alert_log_buf;
41714 +char *gr_audit_log_buf;
41716 +extern struct gr_arg *gr_usermode;
41717 +extern unsigned char *gr_system_salt;
41718 +extern unsigned char *gr_system_sum;
41721 +grsecurity_init(void)
41724 + /* create the per-cpu shared pages */
41727 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
41730 + for (j = 0; j < 4; j++) {
41731 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
41732 + if (gr_shared_page[j] == NULL) {
41733 + panic("Unable to allocate grsecurity shared page");
41738 + /* allocate log buffers */
41739 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
41740 + if (!gr_alert_log_fmt) {
41741 + panic("Unable to allocate grsecurity alert log format buffer");
41744 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
41745 + if (!gr_audit_log_fmt) {
41746 + panic("Unable to allocate grsecurity audit log format buffer");
41749 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41750 + if (!gr_alert_log_buf) {
41751 + panic("Unable to allocate grsecurity alert log buffer");
41754 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41755 + if (!gr_audit_log_buf) {
41756 + panic("Unable to allocate grsecurity audit log buffer");
41760 + /* allocate memory for authentication structure */
41761 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
41762 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
41763 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
41765 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
41766 + panic("Unable to allocate grsecurity authentication structure");
41771 +#ifdef CONFIG_GRKERNSEC_IO
41772 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
41773 + grsec_disable_privio = 1;
41774 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41775 + grsec_disable_privio = 1;
41777 + grsec_disable_privio = 0;
41781 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41782 + /* for backward compatibility, tpe_invert always defaults to on if
41783 + enabled in the kernel
41785 + grsec_enable_tpe_invert = 1;
41788 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41789 +#ifndef CONFIG_GRKERNSEC_SYSCTL
41793 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
41794 + grsec_enable_audit_textrel = 1;
41796 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
41797 + grsec_enable_log_rwxmaps = 1;
41799 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
41800 + grsec_enable_group = 1;
41801 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
41803 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
41804 + grsec_enable_chdir = 1;
41806 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
41807 + grsec_enable_harden_ptrace = 1;
41809 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41810 + grsec_enable_mount = 1;
41812 +#ifdef CONFIG_GRKERNSEC_LINK
41813 + grsec_enable_link = 1;
41815 +#ifdef CONFIG_GRKERNSEC_DMESG
41816 + grsec_enable_dmesg = 1;
41818 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41819 + grsec_enable_blackhole = 1;
41820 + grsec_lastack_retries = 4;
41822 +#ifdef CONFIG_GRKERNSEC_FIFO
41823 + grsec_enable_fifo = 1;
41825 +#ifdef CONFIG_GRKERNSEC_EXECVE
41826 + grsec_enable_execve = 1;
41828 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41829 + grsec_enable_execlog = 1;
41831 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41832 + grsec_enable_signal = 1;
41834 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41835 + grsec_enable_forkfail = 1;
41837 +#ifdef CONFIG_GRKERNSEC_TIME
41838 + grsec_enable_time = 1;
41840 +#ifdef CONFIG_GRKERNSEC_RESLOG
41841 + grsec_resource_logging = 1;
41843 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
41844 + grsec_enable_chroot_findtask = 1;
41846 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41847 + grsec_enable_chroot_unix = 1;
41849 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41850 + grsec_enable_chroot_mount = 1;
41852 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41853 + grsec_enable_chroot_fchdir = 1;
41855 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41856 + grsec_enable_chroot_shmat = 1;
41858 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41859 + grsec_enable_audit_ptrace = 1;
41861 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41862 + grsec_enable_chroot_double = 1;
41864 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41865 + grsec_enable_chroot_pivot = 1;
41867 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41868 + grsec_enable_chroot_chdir = 1;
41870 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41871 + grsec_enable_chroot_chmod = 1;
41873 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41874 + grsec_enable_chroot_mknod = 1;
41876 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41877 + grsec_enable_chroot_nice = 1;
41879 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41880 + grsec_enable_chroot_execlog = 1;
41882 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41883 + grsec_enable_chroot_caps = 1;
41885 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41886 + grsec_enable_chroot_sysctl = 1;
41888 +#ifdef CONFIG_GRKERNSEC_TPE
41889 + grsec_enable_tpe = 1;
41890 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
41891 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
41892 + grsec_enable_tpe_all = 1;
41895 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41896 + grsec_enable_socket_all = 1;
41897 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
41899 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41900 + grsec_enable_socket_client = 1;
41901 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
41903 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41904 + grsec_enable_socket_server = 1;
41905 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
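Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` in grsecurity_init() has no explanation of what lives at that address, and the only comment visible near it talks about per-cpu shared pages. The offset and length match the BIOS keyboard buffer in the BIOS data area (head and tail pointers plus the 32-byte ring), so this is presumably scrubbing boot-time keystrokes such as a bootloader or disk password from low memory. A comment such as `/* wipe BIOS keyboard buffer (0x41a-0x43d) so boot-time passwords do not linger */` and named constants would make that reviewable. Its architecture guard is not visible in this listing and should be confirmed. Separately, gr_usermode, gr_system_salt and gr_system_sum come from kmalloc() without zeroing; if any of them can be read before it is first filled, `kzalloc()` would be the safer default.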
41911 diff -urNp linux-2.6.37/grsecurity/grsec_link.c linux-2.6.37/grsecurity/grsec_link.c
41912 --- linux-2.6.37/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
41913 +++ linux-2.6.37/grsecurity/grsec_link.c 2011-01-17 02:41:02.000000000 -0500
41915 +#include <linux/kernel.h>
41916 +#include <linux/sched.h>
41917 +#include <linux/fs.h>
41918 +#include <linux/file.h>
41919 +#include <linux/grinternal.h>
41922 +gr_handle_follow_link(const struct inode *parent,
41923 + const struct inode *inode,
41924 + const struct dentry *dentry, const struct vfsmount *mnt)
41926 +#ifdef CONFIG_GRKERNSEC_LINK
41927 + const struct cred *cred = current_cred();
41929 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
41930 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
41931 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
41932 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
41940 +gr_handle_hardlink(const struct dentry *dentry,
41941 + const struct vfsmount *mnt,
41942 + struct inode *inode, const int mode, const char *to)
41944 +#ifdef CONFIG_GRKERNSEC_LINK
41945 + const struct cred *cred = current_cred();
41947 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
41948 + (!S_ISREG(mode) || (mode & S_ISUID) ||
41949 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
41950 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
41951 + !capable(CAP_FOWNER) && cred->uid) {
41952 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
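Review bot: The setuid / setgid-executable test in gr_handle_hardlink(), `(mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))`, is written out in full here and again in gr_handle_chroot_chmod() in grsec_chroot.c. A small static inline predicate in the shared grsecurity header (for example `gr_mode_is_setid(mode)`, name is only a suggestion) would keep the two policies from diverging. The trailing `cred->uid` is used as a bare truth value next to `!capable(CAP_FOWNER)`, and `cred->uid != 0` would make the "non-root caller" intent explicit. Both functions would also benefit from a one-line comment naming the rule: following a symlink in a sticky world-writable directory owned by someone else, and hard-linking to a file the caller does not own. The bodies are only partly visible in this listing.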
41958 diff -urNp linux-2.6.37/grsecurity/grsec_log.c linux-2.6.37/grsecurity/grsec_log.c
41959 --- linux-2.6.37/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
41960 +++ linux-2.6.37/grsecurity/grsec_log.c 2011-01-17 02:41:02.000000000 -0500
41962 +#include <linux/kernel.h>
41963 +#include <linux/sched.h>
41964 +#include <linux/file.h>
41965 +#include <linux/tty.h>
41966 +#include <linux/fs.h>
41967 +#include <linux/grinternal.h>
41969 +#ifdef CONFIG_TREE_PREEMPT_RCU
41970 +#define DISABLE_PREEMPT() preempt_disable()
41971 +#define ENABLE_PREEMPT() preempt_enable()
41973 +#define DISABLE_PREEMPT()
41974 +#define ENABLE_PREEMPT()
41977 +#define BEGIN_LOCKS(x) \
41978 + DISABLE_PREEMPT(); \
41979 + rcu_read_lock(); \
41980 + read_lock(&tasklist_lock); \
41981 + read_lock(&grsec_exec_file_lock); \
41982 + if (x != GR_DO_AUDIT) \
41983 + spin_lock(&grsec_alert_lock); \
41985 + spin_lock(&grsec_audit_lock)
41987 +#define END_LOCKS(x) \
41988 + if (x != GR_DO_AUDIT) \
41989 + spin_unlock(&grsec_alert_lock); \
41991 + spin_unlock(&grsec_audit_lock); \
41992 + read_unlock(&grsec_exec_file_lock); \
41993 + read_unlock(&tasklist_lock); \
41994 + rcu_read_unlock(); \
41995 + ENABLE_PREEMPT(); \
41996 + if (x == GR_DONT_AUDIT) \
41997 + gr_handle_alertkill(current)
42004 +extern char *gr_alert_log_fmt;
42005 +extern char *gr_audit_log_fmt;
42006 +extern char *gr_alert_log_buf;
42007 +extern char *gr_audit_log_buf;
42009 +static int gr_log_start(int audit)
42011 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
42012 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
42013 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42015 + if (audit == GR_DO_AUDIT)
42018 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
42019 + grsec_alert_wtime = jiffies;
42020 + grsec_alert_fyet = 0;
42021 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
42022 + grsec_alert_fyet++;
42023 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
42024 + grsec_alert_wtime = jiffies;
42025 + grsec_alert_fyet++;
42026 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
42028 + } else return FLOODING;
42031 + memset(buf, 0, PAGE_SIZE);
42032 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
42033 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
42034 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
42035 + } else if (current->signal->curr_ip) {
42036 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
42037 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
42038 + } else if (gr_acl_is_enabled()) {
42039 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
42040 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
42042 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
42043 + strcpy(buf, fmt);
42046 + return NO_FLOODING;
42049 +static void gr_log_middle(int audit, const char *msg, va_list ap)
42050 + __attribute__ ((format (printf, 2, 0)));
42052 +static void gr_log_middle(int audit, const char *msg, va_list ap)
42054 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42055 + unsigned int len = strlen(buf);
42057 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
42062 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
42063 + __attribute__ ((format (printf, 2, 3)));
42065 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
42067 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42068 + unsigned int len = strlen(buf);
42071 + va_start(ap, msg);
42072 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
42078 +static void gr_log_end(int audit)
42080 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42081 + unsigned int len = strlen(buf);
42083 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
42084 + printk("%s\n", buf);
42089 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
42092 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
42093 + char *str1, *str2, *str3;
42096 + unsigned long ulong1, ulong2;
42097 + struct dentry *dentry;
42098 + struct vfsmount *mnt;
42099 + struct file *file;
42100 + struct task_struct *task;
42101 + const struct cred *cred, *pcred;
42104 + BEGIN_LOCKS(audit);
42105 + logtype = gr_log_start(audit);
42106 + if (logtype == FLOODING) {
42107 + END_LOCKS(audit);
42110 + va_start(ap, argtypes);
42111 + switch (argtypes) {
42112 + case GR_TTYSNIFF:
42113 + task = va_arg(ap, struct task_struct *);
42114 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
42116 + case GR_SYSCTL_HIDDEN:
42117 + str1 = va_arg(ap, char *);
42118 + gr_log_middle_varargs(audit, msg, result, str1);
42121 + dentry = va_arg(ap, struct dentry *);
42122 + mnt = va_arg(ap, struct vfsmount *);
42123 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
42125 + case GR_RBAC_STR:
42126 + dentry = va_arg(ap, struct dentry *);
42127 + mnt = va_arg(ap, struct vfsmount *);
42128 + str1 = va_arg(ap, char *);
42129 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
42131 + case GR_STR_RBAC:
42132 + str1 = va_arg(ap, char *);
42133 + dentry = va_arg(ap, struct dentry *);
42134 + mnt = va_arg(ap, struct vfsmount *);
42135 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
42137 + case GR_RBAC_MODE2:
42138 + dentry = va_arg(ap, struct dentry *);
42139 + mnt = va_arg(ap, struct vfsmount *);
42140 + str1 = va_arg(ap, char *);
42141 + str2 = va_arg(ap, char *);
42142 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
42144 + case GR_RBAC_MODE3:
42145 + dentry = va_arg(ap, struct dentry *);
42146 + mnt = va_arg(ap, struct vfsmount *);
42147 + str1 = va_arg(ap, char *);
42148 + str2 = va_arg(ap, char *);
42149 + str3 = va_arg(ap, char *);
42150 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
42152 + case GR_FILENAME:
42153 + dentry = va_arg(ap, struct dentry *);
42154 + mnt = va_arg(ap, struct vfsmount *);
42155 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
42157 + case GR_STR_FILENAME:
42158 + str1 = va_arg(ap, char *);
42159 + dentry = va_arg(ap, struct dentry *);
42160 + mnt = va_arg(ap, struct vfsmount *);
42161 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
42163 + case GR_FILENAME_STR:
42164 + dentry = va_arg(ap, struct dentry *);
42165 + mnt = va_arg(ap, struct vfsmount *);
42166 + str1 = va_arg(ap, char *);
42167 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
42169 + case GR_FILENAME_TWO_INT:
42170 + dentry = va_arg(ap, struct dentry *);
42171 + mnt = va_arg(ap, struct vfsmount *);
42172 + num1 = va_arg(ap, int);
42173 + num2 = va_arg(ap, int);
42174 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
42176 + case GR_FILENAME_TWO_INT_STR:
42177 + dentry = va_arg(ap, struct dentry *);
42178 + mnt = va_arg(ap, struct vfsmount *);
42179 + num1 = va_arg(ap, int);
42180 + num2 = va_arg(ap, int);
42181 + str1 = va_arg(ap, char *);
42182 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
42185 + file = va_arg(ap, struct file *);
42186 + ulong1 = va_arg(ap, unsigned long);
42187 + ulong2 = va_arg(ap, unsigned long);
42188 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
42191 + task = va_arg(ap, struct task_struct *);
42192 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
42194 + case GR_RESOURCE:
42195 + task = va_arg(ap, struct task_struct *);
42196 + cred = __task_cred(task);
42197 + pcred = __task_cred(task->real_parent);
42198 + ulong1 = va_arg(ap, unsigned long);
42199 + str1 = va_arg(ap, char *);
42200 + ulong2 = va_arg(ap, unsigned long);
42201 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42204 + task = va_arg(ap, struct task_struct *);
42205 + cred = __task_cred(task);
42206 + pcred = __task_cred(task->real_parent);
42207 + str1 = va_arg(ap, char *);
42208 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42211 + str1 = va_arg(ap, char *);
42212 + voidptr = va_arg(ap, void *);
42213 + gr_log_middle_varargs(audit, msg, str1, voidptr);
42216 + task = va_arg(ap, struct task_struct *);
42217 + cred = __task_cred(task);
42218 + pcred = __task_cred(task->real_parent);
42219 + num1 = va_arg(ap, int);
42220 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42223 + task = va_arg(ap, struct task_struct *);
42224 + cred = __task_cred(task);
42225 + pcred = __task_cred(task->real_parent);
42226 + ulong1 = va_arg(ap, unsigned long);
42227 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
42230 + task = va_arg(ap, struct task_struct *);
42231 + cred = __task_cred(task);
42232 + pcred = __task_cred(task->real_parent);
42233 + ulong1 = va_arg(ap, unsigned long);
42234 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
42237 + file = va_arg(ap, struct file *);
42238 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
42242 + unsigned int wday, cday;
42246 + char cur_tty[64] = { 0 };
42247 + char parent_tty[64] = { 0 };
42249 + task = va_arg(ap, struct task_struct *);
42250 + wday = va_arg(ap, unsigned int);
42251 + cday = va_arg(ap, unsigned int);
42252 + whr = va_arg(ap, int);
42253 + chr = va_arg(ap, int);
42254 + wmin = va_arg(ap, int);
42255 + cmin = va_arg(ap, int);
42256 + wsec = va_arg(ap, int);
42257 + csec = va_arg(ap, int);
42258 + ulong1 = va_arg(ap, unsigned long);
42259 + cred = __task_cred(task);
42260 + pcred = __task_cred(task->real_parent);
42262 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42266 + gr_log_middle(audit, msg, ap);
42269 + gr_log_end(audit);
42270 + END_LOCKS(audit);
42272 diff -urNp linux-2.6.37/grsecurity/grsec_mem.c linux-2.6.37/grsecurity/grsec_mem.c
42273 --- linux-2.6.37/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
42274 +++ linux-2.6.37/grsecurity/grsec_mem.c 2011-01-17 02:41:02.000000000 -0500
42276 +#include <linux/kernel.h>
42277 +#include <linux/sched.h>
42278 +#include <linux/mm.h>
42279 +#include <linux/mman.h>
42280 +#include <linux/grinternal.h>
42283 +gr_handle_ioperm(void)
42285 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
42290 +gr_handle_iopl(void)
42292 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
42297 +gr_handle_mem_write(void)
42299 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
42304 +gr_handle_kmem_write(void)
42306 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
42311 +gr_handle_open_port(void)
42313 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
42318 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
42320 + unsigned long start, end;
42323 + end = start + vma->vm_end - vma->vm_start;
42325 + if (start > end) {
42326 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42330 + /* allowed ranges : ISA I/O BIOS */
42331 + if ((start >= __pa(high_memory))
42332 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
42333 + || (start >= 0x000a0000 && end <= 0x00100000)
42334 + || (start >= 0x00000000 && end <= 0x00001000)
42339 + if (vma->vm_flags & VM_WRITE) {
42340 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42343 + vma->vm_flags &= ~VM_MAYWRITE;
42349 +gr_log_nonroot_mod_load(const char *modname)
42351 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
42356 +gr_handle_vm86(void)
42358 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
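Review bot: In gr_handle_mem_mmap the clause `(start >= 0x00000000 && end <= 0x00001000)` compares an `unsigned long` with zero, which is always true, so only the `end` bound restricts anything. Writing it as `(end <= 0x00001000)` says the same thing without the tautology. The comment `/* allowed ranges : ISA I/O BIOS */` does not say which literal is which range; named constants for `0x000a0000`, `0x00100000` and `0x00001000` would make the permitted windows auditable. The line that assigns `start` is not shown on this page, so the `start > end` wrap check is taken to apply to the caller-supplied `offset`.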
42361 diff -urNp linux-2.6.37/grsecurity/grsec_mount.c linux-2.6.37/grsecurity/grsec_mount.c
42362 --- linux-2.6.37/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
42363 +++ linux-2.6.37/grsecurity/grsec_mount.c 2011-01-17 02:41:02.000000000 -0500
42365 +#include <linux/kernel.h>
42366 +#include <linux/sched.h>
42367 +#include <linux/mount.h>
42368 +#include <linux/grsecurity.h>
42369 +#include <linux/grinternal.h>
42372 +gr_log_remount(const char *devname, const int retval)
42374 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42375 + if (grsec_enable_mount && (retval >= 0))
42376 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
42382 +gr_log_unmount(const char *devname, const int retval)
42384 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42385 + if (grsec_enable_mount && (retval >= 0))
42386 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
42392 +gr_log_mount(const char *from, const char *to, const int retval)
42394 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42395 + if (grsec_enable_mount && (retval >= 0))
42396 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
42402 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
42404 +#ifdef CONFIG_GRKERNSEC_ROFS
42405 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
42406 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
42415 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
42417 +#ifdef CONFIG_GRKERNSEC_ROFS
42418 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
42419 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
42420 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
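Review bot: gr_log_mount passes `from` to `gr_log_str_str` unguarded, while gr_log_remount and gr_log_unmount both substitute `devname ? devname : "none"`. If a mount can reach this hook with no device name (the callers are not visible here), the audit record will differ from the other two. The call should match them: `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);`.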
42427 diff -urNp linux-2.6.37/grsecurity/grsec_pax.c linux-2.6.37/grsecurity/grsec_pax.c
42428 --- linux-2.6.37/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
42429 +++ linux-2.6.37/grsecurity/grsec_pax.c 2011-01-17 02:41:02.000000000 -0500
42431 +#include <linux/kernel.h>
42432 +#include <linux/sched.h>
42433 +#include <linux/mm.h>
42434 +#include <linux/file.h>
42435 +#include <linux/grinternal.h>
42436 +#include <linux/grsecurity.h>
42439 +gr_log_textrel(struct vm_area_struct * vma)
42441 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42442 + if (grsec_enable_audit_textrel)
42443 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42449 +gr_log_rwxmmap(struct file *file)
42451 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42452 + if (grsec_enable_log_rwxmaps)
42453 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
42459 +gr_log_rwxmprotect(struct file *file)
42461 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42462 + if (grsec_enable_log_rwxmaps)
42463 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
42467 diff -urNp linux-2.6.37/grsecurity/grsec_ptrace.c linux-2.6.37/grsecurity/grsec_ptrace.c
42468 --- linux-2.6.37/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
42469 +++ linux-2.6.37/grsecurity/grsec_ptrace.c 2011-01-17 02:41:02.000000000 -0500
42471 +#include <linux/kernel.h>
42472 +#include <linux/sched.h>
42473 +#include <linux/grinternal.h>
42474 +#include <linux/grsecurity.h>
42477 +gr_audit_ptrace(struct task_struct *task)
42479 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42480 + if (grsec_enable_audit_ptrace)
42481 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
42485 diff -urNp linux-2.6.37/grsecurity/grsec_sig.c linux-2.6.37/grsecurity/grsec_sig.c
42486 --- linux-2.6.37/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
42487 +++ linux-2.6.37/grsecurity/grsec_sig.c 2011-01-17 02:41:02.000000000 -0500
42489 +#include <linux/kernel.h>
42490 +#include <linux/sched.h>
42491 +#include <linux/delay.h>
42492 +#include <linux/grsecurity.h>
42493 +#include <linux/grinternal.h>
42495 +char *signames[] = {
42496 + [SIGSEGV] = "Segmentation fault",
42497 + [SIGILL] = "Illegal instruction",
42498 + [SIGABRT] = "Abort",
42499 + [SIGBUS] = "Invalid alignment/Bus error"
42503 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
42505 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42506 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
42507 + (sig == SIGABRT) || (sig == SIGBUS))) {
42508 + if (t->pid == current->pid) {
42509 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
42511 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
42519 +gr_handle_signal(const struct task_struct *p, const int sig)
42521 +#ifdef CONFIG_GRKERNSEC
42522 + if (current->pid > 1 && gr_check_protected_task(p)) {
42523 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
42525 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
42532 +void gr_handle_brute_attach(struct task_struct *p)
42534 +#ifdef CONFIG_GRKERNSEC_BRUTE
42535 + read_lock(&tasklist_lock);
42536 + read_lock(&grsec_exec_file_lock);
42537 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
42538 + p->real_parent->brute = 1;
42539 + read_unlock(&grsec_exec_file_lock);
42540 + read_unlock(&tasklist_lock);
42545 +void gr_handle_brute_check(void)
42547 +#ifdef CONFIG_GRKERNSEC_BRUTE
42548 + if (current->brute)
42549 + msleep(30 * 1000);
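Review bot: `char *signames[]` is a writable, externally visible array of string literals that the visible code only reads, at `signames[sig]` in gr_log_signal. Unless another file references it (not visible here), declare it `static const char * const signames[]` so it lands in read-only data and stays out of the global namespace. In gr_handle_signal the cast `(struct task_struct *)p` discards the parameter's `const`; making the `gr_pid_is_chrooted` parameter const would be cleaner, if its prototype allows. The `msleep(30 * 1000)` in gr_handle_brute_check would read better as a named constant with a comment giving the delay's purpose.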
42554 diff -urNp linux-2.6.37/grsecurity/grsec_sock.c linux-2.6.37/grsecurity/grsec_sock.c
42555 --- linux-2.6.37/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
42556 +++ linux-2.6.37/grsecurity/grsec_sock.c 2011-01-17 02:41:02.000000000 -0500
42558 +#include <linux/kernel.h>
42559 +#include <linux/module.h>
42560 +#include <linux/sched.h>
42561 +#include <linux/file.h>
42562 +#include <linux/net.h>
42563 +#include <linux/in.h>
42564 +#include <linux/ip.h>
42565 +#include <net/sock.h>
42566 +#include <net/inet_sock.h>
42567 +#include <linux/grsecurity.h>
42568 +#include <linux/grinternal.h>
42569 +#include <linux/gracl.h>
42571 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
42572 +EXPORT_SYMBOL(gr_cap_rtnetlink);
42574 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
42575 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
42577 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
42578 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
42580 +#ifdef CONFIG_UNIX_MODULE
42581 +EXPORT_SYMBOL(gr_acl_handle_unix);
42582 +EXPORT_SYMBOL(gr_acl_handle_mknod);
42583 +EXPORT_SYMBOL(gr_handle_chroot_unix);
42584 +EXPORT_SYMBOL(gr_handle_create);
42587 +#ifdef CONFIG_GRKERNSEC
42588 +#define gr_conn_table_size 32749
42589 +struct conn_table_entry {
42590 + struct conn_table_entry *next;
42591 + struct signal_struct *sig;
42594 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
42595 +DEFINE_SPINLOCK(gr_conn_table_lock);
42597 +extern const char * gr_socktype_to_name(unsigned char type);
42598 +extern const char * gr_proto_to_name(unsigned char proto);
42599 +extern const char * gr_sockfamily_to_name(unsigned char family);
42601 +static __inline__ int
42602 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
42604 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
42607 +static __inline__ int
42608 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
42609 + __u16 sport, __u16 dport)
42611 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
42612 + sig->gr_sport == sport && sig->gr_dport == dport))
42618 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
42620 + struct conn_table_entry **match;
42621 + unsigned int index;
42623 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42624 + sig->gr_sport, sig->gr_dport,
42625 + gr_conn_table_size);
42627 + newent->sig = sig;
42629 + match = &gr_conn_table[index];
42630 + newent->next = *match;
42636 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
42638 + struct conn_table_entry *match, *last = NULL;
42639 + unsigned int index;
42641 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42642 + sig->gr_sport, sig->gr_dport,
42643 + gr_conn_table_size);
42645 + match = gr_conn_table[index];
42646 + while (match && !conn_match(match->sig,
42647 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
42648 + sig->gr_dport)) {
42650 + match = match->next;
42655 + last->next = match->next;
42657 + gr_conn_table[index] = NULL;
42664 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
42665 + __u16 sport, __u16 dport)
42667 + struct conn_table_entry *match;
42668 + unsigned int index;
42670 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
42672 + match = gr_conn_table[index];
42673 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
42674 + match = match->next;
42677 + return match->sig;
42684 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
42686 +#ifdef CONFIG_GRKERNSEC
42687 + struct signal_struct *sig = task->signal;
42688 + struct conn_table_entry *newent;
42690 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
42691 + if (newent == NULL)
42693 + /* no bh lock needed since we are called with bh disabled */
42694 + spin_lock(&gr_conn_table_lock);
42695 + gr_del_task_from_ip_table_nolock(sig);
42696 + sig->gr_saddr = inet->inet_rcv_saddr;
42697 + sig->gr_daddr = inet->inet_daddr;
42698 + sig->gr_sport = inet->inet_sport;
42699 + sig->gr_dport = inet->inet_dport;
42700 + gr_add_to_task_ip_table_nolock(sig, newent);
42701 + spin_unlock(&gr_conn_table_lock);
42706 +void gr_del_task_from_ip_table(struct task_struct *task)
42708 +#ifdef CONFIG_GRKERNSEC
42709 + spin_lock_bh(&gr_conn_table_lock);
42710 + gr_del_task_from_ip_table_nolock(task->signal);
42711 + spin_unlock_bh(&gr_conn_table_lock);
42717 +gr_attach_curr_ip(const struct sock *sk)
42719 +#ifdef CONFIG_GRKERNSEC
42720 + struct signal_struct *p, *set;
42721 + const struct inet_sock *inet = inet_sk(sk);
42723 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
42726 + set = current->signal;
42728 + spin_lock_bh(&gr_conn_table_lock);
42729 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
42730 + inet->inet_dport, inet->inet_sport);
42731 + if (unlikely(p != NULL)) {
42732 + set->curr_ip = p->curr_ip;
42733 + set->used_accept = 1;
42734 + gr_del_task_from_ip_table_nolock(p);
42735 + spin_unlock_bh(&gr_conn_table_lock);
42738 + spin_unlock_bh(&gr_conn_table_lock);
42740 + set->curr_ip = inet->inet_daddr;
42741 + set->used_accept = 1;
42747 +gr_handle_sock_all(const int family, const int type, const int protocol)
42749 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42750 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
42751 + (family != AF_UNIX)) {
42752 + if (family == AF_INET)
42753 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
42755 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
42763 +gr_handle_sock_server(const struct sockaddr *sck)
42765 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42766 + if (grsec_enable_socket_server &&
42767 + in_group_p(grsec_socket_server_gid) &&
42768 + sck && (sck->sa_family != AF_UNIX) &&
42769 + (sck->sa_family != AF_LOCAL)) {
42770 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42778 +gr_handle_sock_server_other(const struct sock *sck)
42780 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42781 + if (grsec_enable_socket_server &&
42782 + in_group_p(grsec_socket_server_gid) &&
42783 + sck && (sck->sk_family != AF_UNIX) &&
42784 + (sck->sk_family != AF_LOCAL)) {
42785 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42793 +gr_handle_sock_client(const struct sockaddr *sck)
42795 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42796 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
42797 + sck && (sck->sa_family != AF_UNIX) &&
42798 + (sck->sa_family != AF_LOCAL)) {
42799 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
42807 +gr_cap_rtnetlink(struct sock *sock)
42809 +#ifdef CONFIG_GRKERNSEC
42810 + if (!gr_acl_is_enabled())
42811 + return current_cap();
42812 + else if (sock->sk_protocol == NETLINK_ISCSI &&
42813 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
42814 + gr_is_capable(CAP_SYS_ADMIN))
42815 + return current_cap();
42816 + else if (sock->sk_protocol == NETLINK_AUDIT &&
42817 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
42818 + gr_is_capable(CAP_AUDIT_WRITE) &&
42819 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
42820 + gr_is_capable(CAP_AUDIT_CONTROL))
42821 + return current_cap();
42822 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
42823 + ((sock->sk_protocol == NETLINK_ROUTE) ?
42824 + gr_is_capable_nolog(CAP_NET_ADMIN) :
42825 + gr_is_capable(CAP_NET_ADMIN)))
42826 + return current_cap();
42828 + return __cap_empty_set;
42830 + return current_cap();
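Review bot: In gr_del_task_from_ip_table_nolock the head-of-bucket removal stores `gr_conn_table[index] = NULL;`, which discards every entry chained behind the removed one instead of unlinking only it. Those entries become unreachable, so their connection-to-task mapping is lost and their memory is never released. It should be `gr_conn_table[index] = match->next;`, mirroring the `last->next = match->next;` line before it. The branch lines between the two assignments are not shown on this page, so this assumes the NULL store is the `last == NULL` case. Separately, in conn_hash `dport << 16` shifts a `__u16` promoted to `int`, so ports at or above 0x8000 overflow a signed value; `((__u32)dport << 16)` avoids that.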
42833 diff -urNp linux-2.6.37/grsecurity/grsec_sysctl.c linux-2.6.37/grsecurity/grsec_sysctl.c
42834 --- linux-2.6.37/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
42835 +++ linux-2.6.37/grsecurity/grsec_sysctl.c 2011-01-17 02:41:02.000000000 -0500
42837 +#include <linux/kernel.h>
42838 +#include <linux/sched.h>
42839 +#include <linux/sysctl.h>
42840 +#include <linux/grsecurity.h>
42841 +#include <linux/grinternal.h>
42844 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
42846 +#ifdef CONFIG_GRKERNSEC_SYSCTL
42847 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
42848 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
42855 +#ifdef CONFIG_GRKERNSEC_ROFS
42856 +static int __maybe_unused one = 1;
42859 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
42860 +struct ctl_table grsecurity_table[] = {
42861 +#ifdef CONFIG_GRKERNSEC_SYSCTL
42862 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
42863 +#ifdef CONFIG_GRKERNSEC_IO
42865 + .procname = "disable_priv_io",
42866 + .data = &grsec_disable_privio,
42867 + .maxlen = sizeof(int),
42869 + .proc_handler = &proc_dointvec,
42873 +#ifdef CONFIG_GRKERNSEC_LINK
42875 + .procname = "linking_restrictions",
42876 + .data = &grsec_enable_link,
42877 + .maxlen = sizeof(int),
42879 + .proc_handler = &proc_dointvec,
42882 +#ifdef CONFIG_GRKERNSEC_FIFO
42884 + .procname = "fifo_restrictions",
42885 + .data = &grsec_enable_fifo,
42886 + .maxlen = sizeof(int),
42888 + .proc_handler = &proc_dointvec,
42891 +#ifdef CONFIG_GRKERNSEC_EXECVE
42893 + .procname = "execve_limiting",
42894 + .data = &grsec_enable_execve,
42895 + .maxlen = sizeof(int),
42897 + .proc_handler = &proc_dointvec,
42900 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
42902 + .procname = "ip_blackhole",
42903 + .data = &grsec_enable_blackhole,
42904 + .maxlen = sizeof(int),
42906 + .proc_handler = &proc_dointvec,
42909 + .procname = "lastack_retries",
42910 + .data = &grsec_lastack_retries,
42911 + .maxlen = sizeof(int),
42913 + .proc_handler = &proc_dointvec,
42916 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42918 + .procname = "exec_logging",
42919 + .data = &grsec_enable_execlog,
42920 + .maxlen = sizeof(int),
42922 + .proc_handler = &proc_dointvec,
42925 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42927 + .procname = "rwxmap_logging",
42928 + .data = &grsec_enable_log_rwxmaps,
42929 + .maxlen = sizeof(int),
42931 + .proc_handler = &proc_dointvec,
42934 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42936 + .procname = "signal_logging",
42937 + .data = &grsec_enable_signal,
42938 + .maxlen = sizeof(int),
42940 + .proc_handler = &proc_dointvec,
42943 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
42945 + .procname = "forkfail_logging",
42946 + .data = &grsec_enable_forkfail,
42947 + .maxlen = sizeof(int),
42949 + .proc_handler = &proc_dointvec,
42952 +#ifdef CONFIG_GRKERNSEC_TIME
42954 + .procname = "timechange_logging",
42955 + .data = &grsec_enable_time,
42956 + .maxlen = sizeof(int),
42958 + .proc_handler = &proc_dointvec,
42961 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
42963 + .procname = "chroot_deny_shmat",
42964 + .data = &grsec_enable_chroot_shmat,
42965 + .maxlen = sizeof(int),
42967 + .proc_handler = &proc_dointvec,
42970 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
42972 + .procname = "chroot_deny_unix",
42973 + .data = &grsec_enable_chroot_unix,
42974 + .maxlen = sizeof(int),
42976 + .proc_handler = &proc_dointvec,
42979 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
42981 + .procname = "chroot_deny_mount",
42982 + .data = &grsec_enable_chroot_mount,
42983 + .maxlen = sizeof(int),
42985 + .proc_handler = &proc_dointvec,
42988 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
42990 + .procname = "chroot_deny_fchdir",
42991 + .data = &grsec_enable_chroot_fchdir,
42992 + .maxlen = sizeof(int),
42994 + .proc_handler = &proc_dointvec,
42997 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
42999 + .procname = "chroot_deny_chroot",
43000 + .data = &grsec_enable_chroot_double,
43001 + .maxlen = sizeof(int),
43003 + .proc_handler = &proc_dointvec,
43006 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
43008 + .procname = "chroot_deny_pivot",
43009 + .data = &grsec_enable_chroot_pivot,
43010 + .maxlen = sizeof(int),
43012 + .proc_handler = &proc_dointvec,
43015 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
43017 + .procname = "chroot_enforce_chdir",
43018 + .data = &grsec_enable_chroot_chdir,
43019 + .maxlen = sizeof(int),
43021 + .proc_handler = &proc_dointvec,
43024 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
43026 + .procname = "chroot_deny_chmod",
43027 + .data = &grsec_enable_chroot_chmod,
43028 + .maxlen = sizeof(int),
43030 + .proc_handler = &proc_dointvec,
43033 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
43035 + .procname = "chroot_deny_mknod",
43036 + .data = &grsec_enable_chroot_mknod,
43037 + .maxlen = sizeof(int),
43039 + .proc_handler = &proc_dointvec,
43042 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
43044 + .procname = "chroot_restrict_nice",
43045 + .data = &grsec_enable_chroot_nice,
43046 + .maxlen = sizeof(int),
43048 + .proc_handler = &proc_dointvec,
43051 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
43053 + .procname = "chroot_execlog",
43054 + .data = &grsec_enable_chroot_execlog,
43055 + .maxlen = sizeof(int),
43057 + .proc_handler = &proc_dointvec,
43060 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
43062 + .procname = "chroot_caps",
43063 + .data = &grsec_enable_chroot_caps,
43064 + .maxlen = sizeof(int),
43066 + .proc_handler = &proc_dointvec,
43069 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
43071 + .procname = "chroot_deny_sysctl",
43072 + .data = &grsec_enable_chroot_sysctl,
43073 + .maxlen = sizeof(int),
43075 + .proc_handler = &proc_dointvec,
43078 +#ifdef CONFIG_GRKERNSEC_TPE
43080 + .procname = "tpe",
43081 + .data = &grsec_enable_tpe,
43082 + .maxlen = sizeof(int),
43084 + .proc_handler = &proc_dointvec,
43087 + .procname = "tpe_gid",
43088 + .data = &grsec_tpe_gid,
43089 + .maxlen = sizeof(int),
43091 + .proc_handler = &proc_dointvec,
43094 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
43096 + .procname = "tpe_invert",
43097 + .data = &grsec_enable_tpe_invert,
43098 + .maxlen = sizeof(int),
43100 + .proc_handler = &proc_dointvec,
43103 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43105 + .procname = "tpe_restrict_all",
43106 + .data = &grsec_enable_tpe_all,
43107 + .maxlen = sizeof(int),
43109 + .proc_handler = &proc_dointvec,
43112 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
43114 + .procname = "socket_all",
43115 + .data = &grsec_enable_socket_all,
43116 + .maxlen = sizeof(int),
43118 + .proc_handler = &proc_dointvec,
43121 + .procname = "socket_all_gid",
43122 + .data = &grsec_socket_all_gid,
43123 + .maxlen = sizeof(int),
43125 + .proc_handler = &proc_dointvec,
43128 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
43130 + .procname = "socket_client",
43131 + .data = &grsec_enable_socket_client,
43132 + .maxlen = sizeof(int),
43134 + .proc_handler = &proc_dointvec,
43137 + .procname = "socket_client_gid",
43138 + .data = &grsec_socket_client_gid,
43139 + .maxlen = sizeof(int),
43141 + .proc_handler = &proc_dointvec,
43144 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
43146 + .procname = "socket_server",
43147 + .data = &grsec_enable_socket_server,
43148 + .maxlen = sizeof(int),
43150 + .proc_handler = &proc_dointvec,
43153 + .procname = "socket_server_gid",
43154 + .data = &grsec_socket_server_gid,
43155 + .maxlen = sizeof(int),
43157 + .proc_handler = &proc_dointvec,
43160 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
43162 + .procname = "audit_group",
43163 + .data = &grsec_enable_group,
43164 + .maxlen = sizeof(int),
43166 + .proc_handler = &proc_dointvec,
43169 + .procname = "audit_gid",
43170 + .data = &grsec_audit_gid,
43171 + .maxlen = sizeof(int),
43173 + .proc_handler = &proc_dointvec,
43176 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
43178 + .procname = "audit_chdir",
43179 + .data = &grsec_enable_chdir,
43180 + .maxlen = sizeof(int),
43182 + .proc_handler = &proc_dointvec,
43185 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
43187 + .procname = "audit_mount",
43188 + .data = &grsec_enable_mount,
43189 + .maxlen = sizeof(int),
43191 + .proc_handler = &proc_dointvec,
43194 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
43196 + .procname = "audit_textrel",
43197 + .data = &grsec_enable_audit_textrel,
43198 + .maxlen = sizeof(int),
43200 + .proc_handler = &proc_dointvec,
43203 +#ifdef CONFIG_GRKERNSEC_DMESG
43205 + .procname = "dmesg",
43206 + .data = &grsec_enable_dmesg,
43207 + .maxlen = sizeof(int),
43209 + .proc_handler = &proc_dointvec,
43212 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
43214 + .procname = "chroot_findtask",
43215 + .data = &grsec_enable_chroot_findtask,
43216 + .maxlen = sizeof(int),
43218 + .proc_handler = &proc_dointvec,
43221 +#ifdef CONFIG_GRKERNSEC_RESLOG
43223 + .procname = "resource_logging",
43224 + .data = &grsec_resource_logging,
43225 + .maxlen = sizeof(int),
43227 + .proc_handler = &proc_dointvec,
43230 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
43232 + .procname = "audit_ptrace",
43233 + .data = &grsec_enable_audit_ptrace,
43234 + .maxlen = sizeof(int),
43236 + .proc_handler = &proc_dointvec,
43239 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
43241 + .procname = "harden_ptrace",
43242 + .data = &grsec_enable_harden_ptrace,
43243 + .maxlen = sizeof(int),
43245 + .proc_handler = &proc_dointvec,
43249 + .procname = "grsec_lock",
43250 + .data = &grsec_lock,
43251 + .maxlen = sizeof(int),
43253 + .proc_handler = &proc_dointvec,
43256 +#ifdef CONFIG_GRKERNSEC_ROFS
43258 + .procname = "romount_protect",
43259 + .data = &grsec_enable_rofs,
43260 + .maxlen = sizeof(int),
43262 + .proc_handler = &proc_dointvec_minmax,
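Review bot: Every toggle and gid entry in grsecurity_table except `romount_protect` uses `.proc_handler = &proc_dointvec`, so a write accepts any integer, negative values included. The visible consumers test the flags only for truth (`if (grsec_enable_mount && ...)`) and pass the gids straight to `in_group_p()`. For the enable flags and `grsec_lock`, `&proc_dointvec_minmax` with `.extra1`/`.extra2` bounds of 0 and 1 would reject out-of-range writes; that needs a `zero` variable next to the existing `one`. The `.mode` and `.extra*` lines are not shown on this page, so confirm that `romount_protect` is bounded as intended and that each entry is root-writable only.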
43270 diff -urNp linux-2.6.37/grsecurity/grsec_time.c linux-2.6.37/grsecurity/grsec_time.c
43271 --- linux-2.6.37/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
43272 +++ linux-2.6.37/grsecurity/grsec_time.c 2011-01-17 02:41:02.000000000 -0500
43274 +#include <linux/kernel.h>
43275 +#include <linux/sched.h>
43276 +#include <linux/grinternal.h>
43277 +#include <linux/module.h>
43280 +gr_log_timechange(void)
43282 +#ifdef CONFIG_GRKERNSEC_TIME
43283 + if (grsec_enable_time)
43284 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
43289 +EXPORT_SYMBOL(gr_log_timechange);
43290 diff -urNp linux-2.6.37/grsecurity/grsec_tpe.c linux-2.6.37/grsecurity/grsec_tpe.c
43291 --- linux-2.6.37/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
43292 +++ linux-2.6.37/grsecurity/grsec_tpe.c 2011-01-17 02:41:02.000000000 -0500
43294 +#include <linux/kernel.h>
43295 +#include <linux/sched.h>
43296 +#include <linux/file.h>
43297 +#include <linux/fs.h>
43298 +#include <linux/grinternal.h>
43300 +extern int gr_acl_tpe_check(void);
43303 +gr_tpe_allow(const struct file *file)
43305 +#ifdef CONFIG_GRKERNSEC
43306 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
43307 + const struct cred *cred = current_cred();
43309 + if (cred->uid && ((grsec_enable_tpe &&
43310 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
43311 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
43312 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
43314 + in_group_p(grsec_tpe_gid)
43316 + ) || gr_acl_tpe_check()) &&
43317 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
43318 + (inode->i_mode & S_IWOTH))))) {
43319 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
43322 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43323 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
43324 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
43325 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
43326 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
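Review bot: gr_tpe_allow reads `file->f_path.dentry->d_parent->d_inode` with no reference taken on the parent and no lock visible in the hunk. The owner and mode bits behind the trusted-path decision may therefore come from a directory that a concurrent rename has already replaced. Pinning the parent with `dget_parent(file->f_path.dentry)` and releasing it with `dput()` after the checks would close that window. In `(inode->i_uid || (!inode->i_uid && (...)))` the `!inode->i_uid &&` term is redundant and can be dropped. Some lines of the function are not shown here, so a lock held by the caller cannot be ruled out.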
43333 diff -urNp linux-2.6.37/grsecurity/grsum.c linux-2.6.37/grsecurity/grsum.c
43334 --- linux-2.6.37/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
43335 +++ linux-2.6.37/grsecurity/grsum.c 2011-01-17 02:41:02.000000000 -0500
43337 +#include <linux/err.h>
43338 +#include <linux/kernel.h>
43339 +#include <linux/sched.h>
43340 +#include <linux/mm.h>
43341 +#include <linux/scatterlist.h>
43342 +#include <linux/crypto.h>
43343 +#include <linux/gracl.h>
43346 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
43347 +#error "crypto and sha256 must be built into the kernel"
43351 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
43354 + struct crypto_hash *tfm;
43355 + struct hash_desc desc;
43356 + struct scatterlist sg;
43357 + unsigned char temp_sum[GR_SHA_LEN];
43358 + volatile int retval = 0;
43359 + volatile int dummy = 0;
43362 + sg_init_table(&sg, 1);
43364 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
43365 + if (IS_ERR(tfm)) {
43366 + /* should never happen, since sha256 should be built in */
43373 + crypto_hash_init(&desc);
43376 + sg_set_buf(&sg, p, GR_SALT_LEN);
43377 + crypto_hash_update(&desc, &sg, sg.length);
43380 + sg_set_buf(&sg, p, strlen(p));
43382 + crypto_hash_update(&desc, &sg, sg.length);
43384 + crypto_hash_final(&desc, temp_sum);
43386 + memset(entry->pw, 0, GR_PW_LEN);
43388 + for (i = 0; i < GR_SHA_LEN; i++)
43389 + if (sum[i] != temp_sum[i])
43392 + dummy = 1; // waste a cycle
43394 + crypto_free_hash(tfm);
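Review bot: The digest comparison in chkpw, `if (sum[i] != temp_sum[i])`, branches on every byte and relies on `dummy = 1; // waste a cycle` to balance the two arms, which neither the compiler nor the CPU guarantees. Accumulating with `diff |= sum[i] ^ temp_sum[i];` and testing `diff` once after the loop removes the data-dependent branch. The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` are ignored, so a failed hash would leave `temp_sum` uninitialized when it is compared. `temp_sum` is also not cleared in the lines shown, although `entry->pw` is. Parts of the function are omitted on this page, so the handling of `retval` is inferred.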
43398 diff -urNp linux-2.6.37/grsecurity/Kconfig linux-2.6.37/grsecurity/Kconfig
43399 --- linux-2.6.37/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
43400 +++ linux-2.6.37/grsecurity/Kconfig 2011-01-17 02:41:02.000000000 -0500
43403 +# grecurity configuration
43409 + bool "Grsecurity"
43411 + select CRYPTO_SHA256
43413 + If you say Y here, you will be able to configure many features
43414 + that will enhance the security of your system. It is highly
43415 + recommended that you say Y here and read through the help
43416 + for each option so that you fully understand the features and
43417 + can evaluate their usefulness for your machine.
43420 + prompt "Security Level"
43421 + depends on GRKERNSEC
43422 + default GRKERNSEC_CUSTOM
43424 +config GRKERNSEC_LOW
43426 + select GRKERNSEC_LINK
43427 + select GRKERNSEC_FIFO
43428 + select GRKERNSEC_EXECVE
43429 + select GRKERNSEC_RANDNET
43430 + select GRKERNSEC_DMESG
43431 + select GRKERNSEC_CHROOT
43432 + select GRKERNSEC_CHROOT_CHDIR
43435 + If you choose this option, several of the grsecurity options will
43436 + be enabled that will give you greater protection against a number
43437 + of attacks, while assuring that none of your software will have any
43438 + conflicts with the additional security measures. If you run a lot
43439 + of unusual software, or you are having problems with the higher
43440 + security levels, you should say Y here. With this option, the
43441 + following features are enabled:
43443 + - Linking restrictions
43444 + - FIFO restrictions
43445 + - Enforcing RLIMIT_NPROC on execve
43446 + - Restricted dmesg
43447 + - Enforced chdir("/") on chroot
43448 + - Runtime module disabling
43450 +config GRKERNSEC_MEDIUM
43453 + select PAX_EI_PAX
43454 + select PAX_PT_PAX_FLAGS
43455 + select PAX_HAVE_ACL_FLAGS
43456 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43457 + select GRKERNSEC_CHROOT
43458 + select GRKERNSEC_CHROOT_SYSCTL
43459 + select GRKERNSEC_LINK
43460 + select GRKERNSEC_FIFO
43461 + select GRKERNSEC_EXECVE
43462 + select GRKERNSEC_DMESG
43463 + select GRKERNSEC_RANDNET
43464 + select GRKERNSEC_FORKFAIL
43465 + select GRKERNSEC_TIME
43466 + select GRKERNSEC_SIGNAL
43467 + select GRKERNSEC_CHROOT
43468 + select GRKERNSEC_CHROOT_UNIX
43469 + select GRKERNSEC_CHROOT_MOUNT
43470 + select GRKERNSEC_CHROOT_PIVOT
43471 + select GRKERNSEC_CHROOT_DOUBLE
43472 + select GRKERNSEC_CHROOT_CHDIR
43473 + select GRKERNSEC_CHROOT_MKNOD
43474 + select GRKERNSEC_PROC
43475 + select GRKERNSEC_PROC_USERGROUP
43476 + select PAX_RANDUSTACK
43478 + select PAX_RANDMMAP
43479 + select PAX_REFCOUNT if (X86 || SPARC64)
43480 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
43483 + If you say Y here, several features in addition to those included
43484 + in the low additional security level will be enabled. These
43485 + features provide even more security to your system, though in rare
43486 + cases they may be incompatible with very old or poorly written
43487 + software. If you enable this option, make sure that your auth
43488 + service (identd) is running as gid 1001. With this option,
43489 + the following features (in addition to those provided in the
43490 + low additional security level) will be enabled:
43492 + - Failed fork logging
43493 + - Time change logging
43495 + - Deny mounts in chroot
43496 + - Deny double chrooting
43497 + - Deny sysctl writes in chroot
43498 + - Deny mknod in chroot
43499 + - Deny access to abstract AF_UNIX sockets out of chroot
43500 + - Deny pivot_root in chroot
43501 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
43502 + - /proc restrictions with special GID set to 10 (usually wheel)
43503 + - Address Space Layout Randomization (ASLR)
43504 + - Prevent exploitation of most refcount overflows
43505 + - Bounds checking of copying between the kernel and userland
43507 +config GRKERNSEC_HIGH
43509 + select GRKERNSEC_LINK
43510 + select GRKERNSEC_FIFO
43511 + select GRKERNSEC_EXECVE
43512 + select GRKERNSEC_DMESG
43513 + select GRKERNSEC_FORKFAIL
43514 + select GRKERNSEC_TIME
43515 + select GRKERNSEC_SIGNAL
43516 + select GRKERNSEC_CHROOT
43517 + select GRKERNSEC_CHROOT_SHMAT
43518 + select GRKERNSEC_CHROOT_UNIX
43519 + select GRKERNSEC_CHROOT_MOUNT
43520 + select GRKERNSEC_CHROOT_FCHDIR
43521 + select GRKERNSEC_CHROOT_PIVOT
43522 + select GRKERNSEC_CHROOT_DOUBLE
43523 + select GRKERNSEC_CHROOT_CHDIR
43524 + select GRKERNSEC_CHROOT_MKNOD
43525 + select GRKERNSEC_CHROOT_CAPS
43526 + select GRKERNSEC_CHROOT_SYSCTL
43527 + select GRKERNSEC_CHROOT_FINDTASK
43528 + select GRKERNSEC_PROC
43529 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43530 + select GRKERNSEC_HIDESYM
43531 + select GRKERNSEC_BRUTE
43532 + select GRKERNSEC_PROC_USERGROUP
43533 + select GRKERNSEC_KMEM
43534 + select GRKERNSEC_RESLOG
43535 + select GRKERNSEC_RANDNET
43536 + select GRKERNSEC_PROC_ADD
43537 + select GRKERNSEC_CHROOT_CHMOD
43538 + select GRKERNSEC_CHROOT_NICE
43539 + select GRKERNSEC_AUDIT_MOUNT
43540 + select GRKERNSEC_MODHARDEN if (MODULES)
43541 + select GRKERNSEC_HARDEN_PTRACE
43542 + select GRKERNSEC_VM86 if (X86_32)
43544 + select PAX_RANDUSTACK
43546 + select PAX_RANDMMAP
43547 + select PAX_NOEXEC
43548 + select PAX_MPROTECT
43549 + select PAX_EI_PAX
43550 + select PAX_PT_PAX_FLAGS
43551 + select PAX_HAVE_ACL_FLAGS
43552 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
43553 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
43554 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
43555 + select PAX_SEGMEXEC if (X86_32)
43556 + select PAX_PAGEEXEC
43557 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
43558 + select PAX_EMUTRAMP if (PARISC)
43559 + select PAX_EMUSIGRT if (PARISC)
43560 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
43561 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
43562 + select PAX_REFCOUNT if (X86 || SPARC64)
43563 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
43565 + If you say Y here, many of the features of grsecurity will be
43566 + enabled, which will protect you against many kinds of attacks
43567 + against your system. The heightened security comes at a cost
43568 + of an increased chance of incompatibilities with rare software
43569 + on your machine. Since this security level enables PaX, you should
43570 + view <http://pax.grsecurity.net> and read about the PaX
43571 + project. While you are there, download chpax and run it on
43572 + binaries that cause problems with PaX. Also remember that
43573 + since the /proc restrictions are enabled, you must run your
43574 + identd as gid 1001. This security level enables the following
43575 + features in addition to those listed in the low and medium
43578 + - Additional /proc restrictions
43579 + - Chmod restrictions in chroot
43580 + - No signals, ptrace, or viewing of processes outside of chroot
43581 + - Capability restrictions in chroot
43582 + - Deny fchdir out of chroot
43583 + - Priority restrictions in chroot
43584 + - Segmentation-based implementation of PaX
43585 + - Mprotect restrictions
43586 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
43587 + - Kernel stack randomization
43588 + - Mount/unmount/remount logging
43589 + - Kernel symbol hiding
43590 + - Prevention of memory exhaustion-based exploits
43591 + - Hardening of module auto-loading
43592 + - Ptrace restrictions
43593 + - Restricted vm86 mode
43595 +config GRKERNSEC_CUSTOM
43598 + If you say Y here, you will be able to configure every grsecurity
43599 + option, which allows you to enable many more features that aren't
43600 + covered in the basic security levels. These additional features
43601 + include TPE, socket restrictions, and the sysctl system for
43602 + grsecurity. It is advised that you read through the help for
43603 + each option to determine its usefulness in your situation.
43607 +menu "Address Space Protection"
43608 +depends on GRKERNSEC
43610 +config GRKERNSEC_KMEM
43611 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
43613 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
43614 + be written to via mmap or otherwise to modify the running kernel.
43615 + /dev/port will also not be allowed to be opened. If you have module
43616 + support disabled, enabling this will close up four ways that are
43617 + currently used to insert malicious code into the running kernel.
43618 + Even with all these features enabled, we still highly recommend that
43619 + you use the RBAC system, as it is still possible for an attacker to
43620 + modify the running kernel through privileged I/O granted by ioperm/iopl.
43621 + If you are not using XFree86, you may be able to stop this additional
43622 + case by enabling the 'Disable privileged I/O' option. Though nothing
43623 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
43624 + but only to video memory, which is the only writing we allow in this
43625 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
43626 + not be allowed to mprotect it with PROT_WRITE later.
43627 + It is highly recommended that you say Y here if you meet all the
43628 + conditions above.
43630 +config GRKERNSEC_VM86
43631 + bool "Restrict VM86 mode"
43632 + depends on X86_32
43635 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
43636 + make use of a special execution mode on 32bit x86 processors called
43637 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
43638 + video cards and will still work with this option enabled. The purpose
43639 + of the option is to prevent exploitation of emulation errors in
43640 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
43641 + Nearly all users should be able to enable this option.
43643 +config GRKERNSEC_IO
43644 + bool "Disable privileged I/O"
43647 + select RTC_INTF_DEV
43648 + select RTC_DRV_CMOS
43651 + If you say Y here, all ioperm and iopl calls will return an error.
43652 + Ioperm and iopl can be used to modify the running kernel.
43653 + Unfortunately, some programs need this access to operate properly,
43654 + the most notable of which are XFree86 and hwclock. hwclock can be
43655 + remedied by having RTC support in the kernel, so real-time
43656 + clock support is enabled if this option is enabled, to ensure
43657 + that hwclock operates correctly. XFree86 still will not
43658 + operate correctly with this option enabled, so DO NOT CHOOSE Y
43659 + IF YOU USE XFree86. If you use XFree86 and you still want to
43660 + protect your kernel against modification, use the RBAC system.
43662 +config GRKERNSEC_PROC_MEMMAP
43663 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
43664 + default y if (PAX_NOEXEC || PAX_ASLR)
43665 + depends on PAX_NOEXEC || PAX_ASLR
43667 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
43668 + give no information about the addresses of its mappings if
43669 + PaX features that rely on random addresses are enabled on the task.
43670 + If you use PaX it is greatly recommended that you say Y here as it
43671 + closes up a hole that makes the full ASLR useless for suid
43674 +config GRKERNSEC_BRUTE
43675 + bool "Deter exploit bruteforcing"
43677 + If you say Y here, attempts to bruteforce exploits against forking
43678 + daemons such as apache or sshd will be deterred. When a child of a
43679 + forking daemon is killed by PaX or crashes due to an illegal
43680 + instruction, the parent process will be delayed 30 seconds upon every
43681 + subsequent fork until the administrator is able to assess the
43682 + situation and restart the daemon. It is recommended that you also
43683 + enable signal logging in the auditing section so that logs are
43684 + generated when a process performs an illegal instruction.
43686 +config GRKERNSEC_MODHARDEN
43687 + bool "Harden module auto-loading"
43688 + depends on MODULES
43690 + If you say Y here, module auto-loading in response to use of some
43691 + feature implemented by an unloaded module will be restricted to
43692 + root users. Enabling this option helps defend against attacks
43693 + by unprivileged users who abuse the auto-loading behavior to
43694 + cause a vulnerable module to load that is then exploited.
43696 + If this option prevents a legitimate use of auto-loading for a
43697 + non-root user, the administrator can execute modprobe manually
43698 + with the exact name of the module mentioned in the alert log.
43699 + Alternatively, the administrator can add the module to the list
43700 + of modules loaded at boot by modifying init scripts.
43702 + Modification of init scripts will most likely be needed on
43703 + Ubuntu servers with encrypted home directory support enabled,
43704 + as the first non-root user logging in will cause the ecb(aes),
43705 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
43707 +config GRKERNSEC_HIDESYM
43708 + bool "Hide kernel symbols"
43710 + If you say Y here, getting information on loaded modules, and
43711 + displaying all kernel symbols through a syscall will be restricted
43712 + to users with CAP_SYS_MODULE. For software compatibility reasons,
43713 + /proc/kallsyms will be restricted to the root user. The RBAC
43714 + system can hide that entry even from root.
43716 + This option also prevents leaking of kernel addresses through
43717 + several /proc entries.
43719 + Note that this option is only effective provided the following
43720 + conditions are met:
43721 + 1) The kernel using grsecurity is not precompiled by some distribution
43722 + 2) You have also enabled GRKERNSEC_DMESG
43723 + 3) You are using the RBAC system and hiding other files such as your
43724 + kernel image and System.map. Alternatively, enabling this option
43725 + causes the permissions on /boot, /lib/modules, and the kernel
43726 + source directory to change at compile time to prevent
43727 + reading by non-root users.
43728 + If the above conditions are met, this option will aid in providing a
43729 + useful protection against local kernel exploitation of overflows
43730 + and arbitrary read/write vulnerabilities.
43733 +menu "Role Based Access Control Options"
43734 +depends on GRKERNSEC
43736 +config GRKERNSEC_NO_RBAC
43737 + bool "Disable RBAC system"
43739 + If you say Y here, the /dev/grsec device will be removed from the kernel,
43740 + preventing the RBAC system from being enabled. You should only say Y
43741 + here if you have no intention of using the RBAC system, so as to prevent
43742 + an attacker with root access from misusing the RBAC system to hide files
43743 + and processes when loadable module support and /dev/[k]mem have been
43746 +config GRKERNSEC_ACL_HIDEKERN
43747 + bool "Hide kernel processes"
43749 + If you say Y here, all kernel threads will be hidden to all
43750 + processes but those whose subject has the "view hidden processes"
43753 +config GRKERNSEC_ACL_MAXTRIES
43754 + int "Maximum tries before password lockout"
43757 + This option enforces the maximum number of times a user can attempt
43758 + to authorize themselves with the grsecurity RBAC system before being
43759 + denied the ability to attempt authorization again for a specified time.
43760 + The lower the number, the harder it will be to brute-force a password.
43762 +config GRKERNSEC_ACL_TIMEOUT
43763 + int "Time to wait after max password tries, in seconds"
43766 + This option specifies the time the user must wait after attempting to
43767 + authorize to the RBAC system with the maximum number of invalid
43768 + passwords. The higher the number, the harder it will be to brute-force
43772 +menu "Filesystem Protections"
43773 +depends on GRKERNSEC
43775 +config GRKERNSEC_PROC
43776 + bool "Proc restrictions"
43778 + If you say Y here, the permissions of the /proc filesystem
43779 + will be altered to enhance system security and privacy. You MUST
43780 + choose either a user only restriction or a user and group restriction.
43781 + Depending upon the option you choose, you can either restrict users to
43782 + see only the processes they themselves run, or choose a group that can
43783 + view all processes and files normally restricted to root if you choose
43784 + the "restrict to user only" option. NOTE: If you're running identd as
43785 + a non-root user, you will have to run it as the group you specify here.
43787 +config GRKERNSEC_PROC_USER
43788 + bool "Restrict /proc to user only"
43789 + depends on GRKERNSEC_PROC
43791 + If you say Y here, non-root users will only be able to view their own
43792 + processes, and restricts them from viewing network-related information,
43793 + and viewing kernel symbol and module information.
43795 +config GRKERNSEC_PROC_USERGROUP
43796 + bool "Allow special group"
43797 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
43799 + If you say Y here, you will be able to select a group that will be
43800 + able to view all processes and network-related information. If you've
43801 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
43802 + remain hidden. This option is useful if you want to run identd as
43805 +config GRKERNSEC_PROC_GID
43806 + int "GID for special group"
43807 + depends on GRKERNSEC_PROC_USERGROUP
43810 +config GRKERNSEC_PROC_ADD
43811 + bool "Additional restrictions"
43812 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
43814 + If you say Y here, additional restrictions will be placed on
43815 + /proc that keep normal users from viewing device information and
43816 + slabinfo information that could be useful for exploits.
43818 +config GRKERNSEC_LINK
43819 + bool "Linking restrictions"
43821 + If you say Y here, /tmp race exploits will be prevented, since users
43822 + will no longer be able to follow symlinks owned by other users in
43823 + world-writable +t directories (i.e. /tmp), unless the owner of the
43824 + symlink is the owner of the directory. users will also not be
43825 + able to hardlink to files they do not own. If the sysctl option is
43826 + enabled, a sysctl option with name "linking_restrictions" is created.
43828 +config GRKERNSEC_FIFO
43829 + bool "FIFO restrictions"
43831 + If you say Y here, users will not be able to write to FIFOs they don't
43832 + own in world-writable +t directories (i.e. /tmp), unless the owner of
43833 + the FIFO is the same owner of the directory it's held in. If the sysctl
43834 + option is enabled, a sysctl option with name "fifo_restrictions" is
43837 +config GRKERNSEC_ROFS
43838 + bool "Runtime read-only mount protection"
43840 + If you say Y here, a sysctl option with name "romount_protect" will
43841 + be created. By setting this option to 1 at runtime, filesystems
43842 + will be protected in the following ways:
43843 + * No new writable mounts will be allowed
43844 + * Existing read-only mounts won't be able to be remounted read/write
43845 + * Write operations will be denied on all block devices
43846 + This option acts independently of grsec_lock: once it is set to 1,
43847 + it cannot be turned off. Therefore, please be mindful of the resulting
43848 + behavior if this option is enabled in an init script on a read-only
43849 + filesystem. This feature is mainly intended for secure embedded systems.
43851 +config GRKERNSEC_CHROOT
43852 + bool "Chroot jail restrictions"
43854 + If you say Y here, you will be able to choose several options that will
43855 + make breaking out of a chrooted jail much more difficult. If you
43856 + encounter no software incompatibilities with the following options, it
43857 + is recommended that you enable each one.
43859 +config GRKERNSEC_CHROOT_MOUNT
43860 + bool "Deny mounts"
43861 + depends on GRKERNSEC_CHROOT
43863 + If you say Y here, processes inside a chroot will not be able to
43864 + mount or remount filesystems. If the sysctl option is enabled, a
43865 + sysctl option with name "chroot_deny_mount" is created.
43867 +config GRKERNSEC_CHROOT_DOUBLE
43868 + bool "Deny double-chroots"
43869 + depends on GRKERNSEC_CHROOT
43871 + If you say Y here, processes inside a chroot will not be able to chroot
43872 + again outside the chroot. This is a widely used method of breaking
43873 + out of a chroot jail and should not be allowed. If the sysctl
43874 + option is enabled, a sysctl option with name
43875 + "chroot_deny_chroot" is created.
43877 +config GRKERNSEC_CHROOT_PIVOT
43878 + bool "Deny pivot_root in chroot"
43879 + depends on GRKERNSEC_CHROOT
43881 + If you say Y here, processes inside a chroot will not be able to use
43882 + a function called pivot_root() that was introduced in Linux 2.3.41. It
43883 + works similar to chroot in that it changes the root filesystem. This
43884 + function could be misused in a chrooted process to attempt to break out
43885 + of the chroot, and therefore should not be allowed. If the sysctl
43886 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
43889 +config GRKERNSEC_CHROOT_CHDIR
43890 + bool "Enforce chdir(\"/\") on all chroots"
43891 + depends on GRKERNSEC_CHROOT
43893 + If you say Y here, the current working directory of all newly-chrooted
43894 + applications will be set to the the root directory of the chroot.
43895 + The man page on chroot(2) states:
43896 + Note that this call does not change the current working
43897 + directory, so that `.' can be outside the tree rooted at
43898 + `/'. In particular, the super-user can escape from a
43899 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
43901 + It is recommended that you say Y here, since it's not known to break
43902 + any software. If the sysctl option is enabled, a sysctl option with
43903 + name "chroot_enforce_chdir" is created.
43905 +config GRKERNSEC_CHROOT_CHMOD
43906 + bool "Deny (f)chmod +s"
43907 + depends on GRKERNSEC_CHROOT
43909 + If you say Y here, processes inside a chroot will not be able to chmod
43910 + or fchmod files to make them have suid or sgid bits. This protects
43911 + against another published method of breaking a chroot. If the sysctl
43912 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
43915 +config GRKERNSEC_CHROOT_FCHDIR
43916 + bool "Deny fchdir out of chroot"
43917 + depends on GRKERNSEC_CHROOT
43919 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
43920 + to a file descriptor of the chrooting process that points to a directory
43921 + outside the filesystem will be stopped. If the sysctl option
43922 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
43924 +config GRKERNSEC_CHROOT_MKNOD
43925 + bool "Deny mknod"
43926 + depends on GRKERNSEC_CHROOT
43928 + If you say Y here, processes inside a chroot will not be allowed to
43929 + mknod. The problem with using mknod inside a chroot is that it
43930 + would allow an attacker to create a device entry that is the same
43931 + as one on the physical root of your system, which could range from
43932 + anything from the console device to a device for your harddrive (which
43933 + they could then use to wipe the drive or steal data). It is recommended
43934 + that you say Y here, unless you run into software incompatibilities.
43935 + If the sysctl option is enabled, a sysctl option with name
43936 + "chroot_deny_mknod" is created.
43938 +config GRKERNSEC_CHROOT_SHMAT
43939 + bool "Deny shmat() out of chroot"
43940 + depends on GRKERNSEC_CHROOT
43942 + If you say Y here, processes inside a chroot will not be able to attach
43943 + to shared memory segments that were created outside of the chroot jail.
43944 + It is recommended that you say Y here. If the sysctl option is enabled,
43945 + a sysctl option with name "chroot_deny_shmat" is created.
43947 +config GRKERNSEC_CHROOT_UNIX
43948 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
43949 + depends on GRKERNSEC_CHROOT
43951 + If you say Y here, processes inside a chroot will not be able to
43952 + connect to abstract (meaning not belonging to a filesystem) Unix
43953 + domain sockets that were bound outside of a chroot. It is recommended
43954 + that you say Y here. If the sysctl option is enabled, a sysctl option
43955 + with name "chroot_deny_unix" is created.
43957 +config GRKERNSEC_CHROOT_FINDTASK
43958 + bool "Protect outside processes"
43959 + depends on GRKERNSEC_CHROOT
43961 + If you say Y here, processes inside a chroot will not be able to
43962 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
43963 + getsid, or view any process outside of the chroot. If the sysctl
43964 + option is enabled, a sysctl option with name "chroot_findtask" is
43967 +config GRKERNSEC_CHROOT_NICE
43968 + bool "Restrict priority changes"
43969 + depends on GRKERNSEC_CHROOT
43971 + If you say Y here, processes inside a chroot will not be able to raise
43972 + the priority of processes in the chroot, or alter the priority of
43973 + processes outside the chroot. This provides more security than simply
43974 + removing CAP_SYS_NICE from the process' capability set. If the
43975 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
43978 +config GRKERNSEC_CHROOT_SYSCTL
43979 + bool "Deny sysctl writes"
43980 + depends on GRKERNSEC_CHROOT
43982 + If you say Y here, an attacker in a chroot will not be able to
43983 + write to sysctl entries, either by sysctl(2) or through a /proc
43984 + interface. It is strongly recommended that you say Y here. If the
43985 + sysctl option is enabled, a sysctl option with name
43986 + "chroot_deny_sysctl" is created.
43988 +config GRKERNSEC_CHROOT_CAPS
43989 + bool "Capability restrictions"
43990 + depends on GRKERNSEC_CHROOT
43992 + If you say Y here, the capabilities on all root processes within a
43993 + chroot jail will be lowered to stop module insertion, raw i/o,
43994 + system and net admin tasks, rebooting the system, modifying immutable
43995 + files, modifying IPC owned by another, and changing the system time.
43996 + This is left an option because it can break some apps. Disable this
43997 + if your chrooted apps are having problems performing those kinds of
43998 + tasks. If the sysctl option is enabled, a sysctl option with
43999 + name "chroot_caps" is created.
44002 +menu "Kernel Auditing"
44003 +depends on GRKERNSEC
44005 +config GRKERNSEC_AUDIT_GROUP
44006 + bool "Single group for auditing"
44008 + If you say Y here, the exec, chdir, and (un)mount logging features
44009 + will only operate on a group you specify. This option is recommended
44010 + if you only want to watch certain users instead of having a large
44011 + amount of logs from the entire system. If the sysctl option is enabled,
44012 + a sysctl option with name "audit_group" is created.
44014 +config GRKERNSEC_AUDIT_GID
44015 + int "GID for auditing"
44016 + depends on GRKERNSEC_AUDIT_GROUP
44019 +config GRKERNSEC_EXECLOG
44020 + bool "Exec logging"
44022 + If you say Y here, all execve() calls will be logged (since the
44023 + other exec*() calls are frontends to execve(), all execution
44024 + will be logged). Useful for shell-servers that like to keep track
44025 + of their users. If the sysctl option is enabled, a sysctl option with
44026 + name "exec_logging" is created.
44027 + WARNING: This option when enabled will produce a LOT of logs, especially
44028 + on an active system.
44030 +config GRKERNSEC_RESLOG
44031 + bool "Resource logging"
44033 + If you say Y here, all attempts to overstep resource limits will
44034 + be logged with the resource name, the requested size, and the current
44035 + limit. It is highly recommended that you say Y here. If the sysctl
44036 + option is enabled, a sysctl option with name "resource_logging" is
44037 + created. If the RBAC system is enabled, the sysctl value is ignored.
44039 +config GRKERNSEC_CHROOT_EXECLOG
44040 + bool "Log execs within chroot"
44042 + If you say Y here, all executions inside a chroot jail will be logged
44043 + to syslog. This can cause a large amount of logs if certain
44044 + applications (eg. djb's daemontools) are installed on the system, and
44045 + is therefore left as an option. If the sysctl option is enabled, a
44046 + sysctl option with name "chroot_execlog" is created.
44048 +config GRKERNSEC_AUDIT_PTRACE
44049 + bool "Ptrace logging"
44051 + If you say Y here, all attempts to attach to a process via ptrace
44052 + will be logged. If the sysctl option is enabled, a sysctl option
44053 + with name "audit_ptrace" is created.
44055 +config GRKERNSEC_AUDIT_CHDIR
44056 + bool "Chdir logging"
44058 + If you say Y here, all chdir() calls will be logged. If the sysctl
44059 + option is enabled, a sysctl option with name "audit_chdir" is created.
44061 +config GRKERNSEC_AUDIT_MOUNT
44062 + bool "(Un)Mount logging"
44064 + If you say Y here, all mounts and unmounts will be logged. If the
44065 + sysctl option is enabled, a sysctl option with name "audit_mount" is
44068 +config GRKERNSEC_SIGNAL
44069 + bool "Signal logging"
44071 + If you say Y here, certain important signals will be logged, such as
44072 + SIGSEGV, which will as a result inform you of when a error in a program
44073 + occurred, which in some cases could mean a possible exploit attempt.
44074 + If the sysctl option is enabled, a sysctl option with name
44075 + "signal_logging" is created.
44077 +config GRKERNSEC_FORKFAIL
44078 + bool "Fork failure logging"
44080 + If you say Y here, all failed fork() attempts will be logged.
44081 + This could suggest a fork bomb, or someone attempting to overstep
44082 + their process limit. If the sysctl option is enabled, a sysctl option
44083 + with name "forkfail_logging" is created.
44085 +config GRKERNSEC_TIME
44086 + bool "Time change logging"
44088 + If you say Y here, any changes of the system clock will be logged.
44089 + If the sysctl option is enabled, a sysctl option with name
44090 + "timechange_logging" is created.
44092 +config GRKERNSEC_PROC_IPADDR
44093 + bool "/proc/<pid>/ipaddr support"
44095 + If you say Y here, a new entry will be added to each /proc/<pid>
44096 + directory that contains the IP address of the person using the task.
44097 + The IP is carried across local TCP and AF_UNIX stream sockets.
44098 + This information can be useful for IDS/IPSes to perform remote response
44099 + to a local attack. The entry is readable by only the owner of the
44100 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
44101 + the RBAC system), and thus does not create privacy concerns.
44103 +config GRKERNSEC_RWXMAP_LOG
44104 + bool 'Denied RWX mmap/mprotect logging'
44105 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
44107 + If you say Y here, calls to mmap() and mprotect() with explicit
44108 + usage of PROT_WRITE and PROT_EXEC together will be logged when
44109 + denied by the PAX_MPROTECT feature. If the sysctl option is
44110 + enabled, a sysctl option with name "rwxmap_logging" is created.
44112 +config GRKERNSEC_AUDIT_TEXTREL
44113 + bool 'ELF text relocations logging (READ HELP)'
44114 + depends on PAX_MPROTECT
44116 + If you say Y here, text relocations will be logged with the filename
44117 + of the offending library or binary. The purpose of the feature is
44118 + to help Linux distribution developers get rid of libraries and
44119 + binaries that need text relocations which hinder the future progress
44120 + of PaX. Only Linux distribution developers should say Y here, and
44121 + never on a production machine, as this option creates an information
44122 + leak that could aid an attacker in defeating the randomization of
44123 + a single memory region. If the sysctl option is enabled, a sysctl
44124 + option with name "audit_textrel" is created.
44128 +menu "Executable Protections"
44129 +depends on GRKERNSEC
44131 +config GRKERNSEC_EXECVE
44132 + bool "Enforce RLIMIT_NPROC on execs"
44134 + If you say Y here, users with a resource limit on processes will
44135 + have the value checked during execve() calls. The current system
44136 + only checks the system limit during fork() calls. If the sysctl option
44137 + is enabled, a sysctl option with name "execve_limiting" is created.
44139 +config GRKERNSEC_DMESG
44140 + bool "Dmesg(8) restriction"
44142 + If you say Y here, non-root users will not be able to use dmesg(8)
44143 + to view up to the last 4kb of messages in the kernel's log buffer.
44144 + The kernel's log buffer often contains kernel addresses and other
44145 + identifying information useful to an attacker in fingerprinting a
44146 + system for a targeted exploit.
44147 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
44150 +config GRKERNSEC_HARDEN_PTRACE
44151 + bool "Deter ptrace-based process snooping"
44153 + If you say Y here, TTY sniffers and other malicious monitoring
44154 + programs implemented through ptrace will be defeated. If you
44155 + have been using the RBAC system, this option has already been
44156 + enabled for several years for all users, with the ability to make
44157 + fine-grained exceptions.
44159 + This option only affects the ability of non-root users to ptrace
44160 + processes that are not a descendent of the ptracing process.
44161 + This means that strace ./binary and gdb ./binary will still work,
44162 + but attaching to arbitrary processes will not. If the sysctl
44163 + option is enabled, a sysctl option with name "harden_ptrace" is
44166 +config GRKERNSEC_TPE
44167 + bool "Trusted Path Execution (TPE)"
44169 + If you say Y here, you will be able to choose a gid to add to the
44170 + supplementary groups of users you want to mark as "untrusted."
44171 + These users will not be able to execute any files that are not in
44172 + root-owned directories writable only by root. If the sysctl option
44173 + is enabled, a sysctl option with name "tpe" is created.
44175 +config GRKERNSEC_TPE_ALL
44176 + bool "Partially restrict all non-root users"
44177 + depends on GRKERNSEC_TPE
44179 + If you say Y here, all non-root users will be covered under
44180 + a weaker TPE restriction. This is separate from, and in addition to,
44181 + the main TPE options that you have selected elsewhere. Thus, if a
44182 + "trusted" GID is chosen, this restriction applies to even that GID.
44183 + Under this restriction, all non-root users will only be allowed to
44184 + execute files in directories they own that are not group or
44185 + world-writable, or in directories owned by root and writable only by
44186 + root. If the sysctl option is enabled, a sysctl option with name
44187 + "tpe_restrict_all" is created.
44189 +config GRKERNSEC_TPE_INVERT
44190 + bool "Invert GID option"
44191 + depends on GRKERNSEC_TPE
44193 + If you say Y here, the group you specify in the TPE configuration will
44194 + decide what group TPE restrictions will be *disabled* for. This
44195 + option is useful if you want TPE restrictions to be applied to most
44196 + users on the system. If the sysctl option is enabled, a sysctl option
44197 + with name "tpe_invert" is created. Unlike other sysctl options, this
44198 + entry will default to on for backward-compatibility.
44200 +config GRKERNSEC_TPE_GID
44201 + int "GID for untrusted users"
44202 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
44205 + Setting this GID determines what group TPE restrictions will be
44206 + *enabled* for. If the sysctl option is enabled, a sysctl option
44207 + with name "tpe_gid" is created.
44209 +config GRKERNSEC_TPE_GID
44210 + int "GID for trusted users"
44211 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
44214 + Setting this GID determines what group TPE restrictions will be
44215 + *disabled* for. If the sysctl option is enabled, a sysctl option
44216 + with name "tpe_gid" is created.
44219 +menu "Network Protections"
44220 +depends on GRKERNSEC
44222 +config GRKERNSEC_RANDNET
44223 + bool "Larger entropy pools"
44225 + If you say Y here, the entropy pools used for many features of Linux
44226 + and grsecurity will be doubled in size. Since several grsecurity
44227 + features use additional randomness, it is recommended that you say Y
44228 + here. Saying Y here has a similar effect as modifying
44229 + /proc/sys/kernel/random/poolsize.
44231 +config GRKERNSEC_BLACKHOLE
44232 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
44234 + If you say Y here, neither TCP resets nor ICMP
44235 + destination-unreachable packets will be sent in response to packets
44236 + sent to ports for which no associated listening process exists.
44237 + This feature supports both IPV4 and IPV6 and exempts the
44238 + loopback interface from blackholing. Enabling this feature
44239 + makes a host more resilient to DoS attacks and reduces network
44240 + visibility against scanners.
44242 + The blackhole feature as-implemented is equivalent to the FreeBSD
44243 + blackhole feature, as it prevents RST responses to all packets, not
44244 + just SYNs. Under most application behavior this causes no
44245 + problems, but applications (like haproxy) may not close certain
44246 + connections in a way that cleanly terminates them on the remote
44247 + end, leaving the remote host in LAST_ACK state. Because of this
44248 + side-effect and to prevent intentional LAST_ACK DoSes, this
44249 + feature also adds automatic mitigation against such attacks.
44250 + The mitigation drastically reduces the amount of time a socket
44251 + can spend in LAST_ACK state. If you're using haproxy and not
44252 + all servers it connects to have this option enabled, consider
44253 + disabling this feature on the haproxy host.
44255 + If the sysctl option is enabled, two sysctl options with names
44256 + "ip_blackhole" and "lastack_retries" will be created.
44257 + While "ip_blackhole" takes the standard zero/non-zero on/off
44258 + toggle, "lastack_retries" uses the same kinds of values as
44259 + "tcp_retries1" and "tcp_retries2". The default value of 4
44260 + prevents a socket from lasting more than 45 seconds in LAST_ACK
44263 +config GRKERNSEC_SOCKET
44264 + bool "Socket restrictions"
44266 + If you say Y here, you will be able to choose from several options.
44267 + If you assign a GID on your system and add it to the supplementary
44268 + groups of users you want to restrict socket access to, this patch
44269 + will perform up to three things, based on the option(s) you choose.
44271 +config GRKERNSEC_SOCKET_ALL
44272 + bool "Deny any sockets to group"
44273 + depends on GRKERNSEC_SOCKET
44275 + If you say Y here, you will be able to choose a GID of whose users will
44276 + be unable to connect to other hosts from your machine or run server
44277 + applications from your machine. If the sysctl option is enabled, a
44278 + sysctl option with name "socket_all" is created.
44280 +config GRKERNSEC_SOCKET_ALL_GID
44281 + int "GID to deny all sockets for"
44282 + depends on GRKERNSEC_SOCKET_ALL
44285 + Here you can choose the GID to disable socket access for. Remember to
44286 + add the users you want socket access disabled for to the GID
44287 + specified here. If the sysctl option is enabled, a sysctl option
44288 + with name "socket_all_gid" is created.
44290 +config GRKERNSEC_SOCKET_CLIENT
44291 + bool "Deny client sockets to group"
44292 + depends on GRKERNSEC_SOCKET
44294 + If you say Y here, you will be able to choose a GID of whose users will
44295 + be unable to connect to other hosts from your machine, but will be
44296 + able to run servers. If this option is enabled, all users in the group
44297 + you specify will have to use passive mode when initiating ftp transfers
44298 + from the shell on your machine. If the sysctl option is enabled, a
44299 + sysctl option with name "socket_client" is created.
44301 +config GRKERNSEC_SOCKET_CLIENT_GID
44302 + int "GID to deny client sockets for"
44303 + depends on GRKERNSEC_SOCKET_CLIENT
44306 + Here you can choose the GID to disable client socket access for.
44307 + Remember to add the users you want client socket access disabled for to
44308 + the GID specified here. If the sysctl option is enabled, a sysctl
44309 + option with name "socket_client_gid" is created.
44311 +config GRKERNSEC_SOCKET_SERVER
44312 + bool "Deny server sockets to group"
44313 + depends on GRKERNSEC_SOCKET
44315 + If you say Y here, you will be able to choose a GID of whose users will
44316 + be unable to run server applications from your machine. If the sysctl
44317 + option is enabled, a sysctl option with name "socket_server" is created.
44319 +config GRKERNSEC_SOCKET_SERVER_GID
44320 + int "GID to deny server sockets for"
44321 + depends on GRKERNSEC_SOCKET_SERVER
44324 + Here you can choose the GID to disable server socket access for.
44325 + Remember to add the users you want server socket access disabled for to
44326 + the GID specified here. If the sysctl option is enabled, a sysctl
44327 + option with name "socket_server_gid" is created.
44330 +menu "Sysctl support"
44331 +depends on GRKERNSEC && SYSCTL
44333 +config GRKERNSEC_SYSCTL
44334 + bool "Sysctl support"
44336 + If you say Y here, you will be able to change the options that
44337 + grsecurity runs with at bootup, without having to recompile your
44338 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
44339 + to enable (1) or disable (0) various features. All the sysctl entries
44340 + are mutable until the "grsec_lock" entry is set to a non-zero value.
44341 + All features enabled in the kernel configuration are disabled at boot
44342 + if you do not say Y to the "Turn on features by default" option.
44343 + All options should be set at startup, and the grsec_lock entry should
44344 + be set to a non-zero value after all the options are set.
44345 + *THIS IS EXTREMELY IMPORTANT*
44347 +config GRKERNSEC_SYSCTL_DISTRO
44348 + bool "Extra sysctl support for distro makers (READ HELP)"
44349 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
44351 + If you say Y here, additional sysctl options will be created
44352 + for features that affect processes running as root. Therefore,
44353 + it is critical when using this option that the grsec_lock entry be
44354 + enabled after boot. Only distros with prebuilt kernel packages
44355 + with this option enabled that can ensure grsec_lock is enabled
44356 + after boot should use this option.
44357 + *Failure to set grsec_lock after boot makes all grsec features
44358 + this option covers useless*
44360 + Currently this option creates the following sysctl entries:
44361 + "Disable Privileged I/O": "disable_priv_io"
44363 +config GRKERNSEC_SYSCTL_ON
44364 + bool "Turn on features by default"
44365 + depends on GRKERNSEC_SYSCTL
44367 + If you say Y here, instead of having all features enabled in the
44368 + kernel configuration disabled at boot time, the features will be
44369 + enabled at boot time. It is recommended you say Y here unless
44370 + there is some reason you would want all sysctl-tunable features to
44371 + be disabled by default. As mentioned elsewhere, it is important
44372 + to enable the grsec_lock entry once you have finished modifying
44373 + the sysctl entries.
44376 +menu "Logging Options"
44377 +depends on GRKERNSEC
44379 +config GRKERNSEC_FLOODTIME
44380 + int "Seconds in between log messages (minimum)"
44383 + This option allows you to enforce the number of seconds between
44384 + grsecurity log messages. The default should be suitable for most
44385 + people, however, if you choose to change it, choose a value small enough
44386 + to allow informative logs to be produced, but large enough to
44387 + prevent flooding.
44389 +config GRKERNSEC_FLOODBURST
44390 + int "Number of messages in a burst (maximum)"
44393 + This option allows you to choose the maximum number of messages allowed
44394 + within the flood time interval you chose in a separate option. The
44395 + default should be suitable for most people, however if you find that
44396 + many of your logs are being interpreted as flooding, you may want to
44397 + raise this value.
44402 diff -urNp linux-2.6.37/grsecurity/Makefile linux-2.6.37/grsecurity/Makefile
44403 --- linux-2.6.37/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
44404 +++ linux-2.6.37/grsecurity/Makefile 2011-01-17 02:41:02.000000000 -0500
44406 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
44407 +# during 2001-2009 it has been completely redesigned by Brad Spengler
44408 +# into an RBAC system
44410 +# All code in this directory and various hooks inserted throughout the kernel
44411 +# are copyright Brad Spengler - Open Source Security, Inc., and released
44412 +# under the GPL v2 or higher
44414 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
44415 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
44416 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
44418 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
44419 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
44420 + gracl_learn.o grsec_log.o
44421 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
44423 +ifndef CONFIG_GRKERNSEC
44424 +obj-y += grsec_disabled.o
44427 +ifdef CONFIG_GRKERNSEC_HIDESYM
44428 +extra-y := grsec_hidesym.o
44429 +$(obj)/grsec_hidesym.o:
44430 + @-chmod -f 500 /boot
44431 + @-chmod -f 500 /lib/modules
44433 + @echo ' grsec: protected kernel image paths'
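Review bot: The `$(obj)/grsec_hidesym.o` recipe changes the permissions of `/boot` and `/lib/modules` on the machine that runs the build, which is not necessarily the machine that will boot this kernel. Both visible `chmod` lines are prefixed with `-` and pass `-f`, so a non-root or cross build fails silently and the recipe still prints `grsec: protected kernel image paths`. I would move the permission change to install or packaging time on the target and have the build emit only a reminder, for example `@echo ' grsec: restrict /boot and /lib/modules to root on the target'`. At minimum, a comment above the rule should state that building with CONFIG_GRKERNSEC_HIDESYM has side effects on the build host.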
44435 diff -urNp linux-2.6.37/include/acpi/acoutput.h linux-2.6.37/include/acpi/acoutput.h
44436 --- linux-2.6.37/include/acpi/acoutput.h 2011-01-04 19:50:19.000000000 -0500
44437 +++ linux-2.6.37/include/acpi/acoutput.h 2011-01-17 02:41:02.000000000 -0500
44438 @@ -269,8 +269,8 @@
44439 * leaving no executable debug code!
44441 #define ACPI_FUNCTION_NAME(a)
44442 -#define ACPI_DEBUG_PRINT(pl)
44443 -#define ACPI_DEBUG_PRINT_RAW(pl)
44444 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
44445 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
44447 #endif /* ACPI_DEBUG_OUTPUT */
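Review bot: The new `do {} while (0)` bodies for `ACPI_DEBUG_PRINT` and `ACPI_DEBUG_PRINT_RAW` carry no comment explaining why they now differ from `ACPI_FUNCTION_NAME(a)`, which stays empty on the line above. A reader may "fix" the inconsistency in either direction. I would add a comment such as `/* statement-like macros expand to a real statement so "if (x) ACPI_DEBUG_PRINT(...);" keeps a body */` above the two definitions.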
44449 diff -urNp linux-2.6.37/include/acpi/acpi_drivers.h linux-2.6.37/include/acpi/acpi_drivers.h
44450 --- linux-2.6.37/include/acpi/acpi_drivers.h 2011-01-04 19:50:19.000000000 -0500
44451 +++ linux-2.6.37/include/acpi/acpi_drivers.h 2011-01-17 02:41:02.000000000 -0500
44452 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
44454 -------------------------------------------------------------------------- */
44455 struct acpi_dock_ops {
44456 - acpi_notify_handler handler;
44457 - acpi_notify_handler uevent;
44458 + const acpi_notify_handler handler;
44459 + const acpi_notify_handler uevent;
44462 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
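Review bot: Marking the `handler` and `uevent` members `const` inside `struct acpi_dock_ops` means an instance can only be populated by an initializer. Any caller that allocates the structure and assigns the callbacks afterwards will stop compiling. The `const struct acpi_dock_ops *ops` parameter added to both `register_hotplug_dock_device` declarations later in this file already lets callers pass a `const` table, so the member-level qualifier is a separate and stricter contract. If that contract is intended, it should be stated next to the members, e.g. `/* callbacks are fixed at definition time; instances must be statically initialized */`. The struct's closing brace is outside the hunk.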
44463 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
44464 extern int register_dock_notifier(struct notifier_block *nb);
44465 extern void unregister_dock_notifier(struct notifier_block *nb);
44466 extern int register_hotplug_dock_device(acpi_handle handle,
44467 - struct acpi_dock_ops *ops,
44468 + const struct acpi_dock_ops *ops,
44470 extern void unregister_hotplug_dock_device(acpi_handle handle);
44472 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
44475 static inline int register_hotplug_dock_device(acpi_handle handle,
44476 - struct acpi_dock_ops *ops,
44477 + const struct acpi_dock_ops *ops,
44481 diff -urNp linux-2.6.37/include/asm-generic/atomic-long.h linux-2.6.37/include/asm-generic/atomic-long.h
44482 --- linux-2.6.37/include/asm-generic/atomic-long.h 2011-01-04 19:50:19.000000000 -0500
44483 +++ linux-2.6.37/include/asm-generic/atomic-long.h 2011-01-17 02:41:02.000000000 -0500
44486 typedef atomic64_t atomic_long_t;
44488 +#ifdef CONFIG_PAX_REFCOUNT
44489 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
44491 +typedef atomic64_t atomic_long_unchecked_t;
44494 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
44496 static inline long atomic_long_read(atomic_long_t *l)
44497 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
44498 return (long)atomic64_read(v);
44501 +#ifdef CONFIG_PAX_REFCOUNT
44502 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44504 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44506 + return (long)atomic64_read_unchecked(v);
44510 static inline void atomic_long_set(atomic_long_t *l, long i)
44512 atomic64_t *v = (atomic64_t *)l;
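Review bot: The cast in `atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;` is a no-op, because `atomic_long_unchecked_t` is typedef'd to `atomic64_unchecked_t` under CONFIG_PAX_REFCOUNT in the previous hunk. It would also hide a mismatch if that typedef ever changed. The separate unchecked type is what lets the compiler keep overflow-checked and unchecked counters apart, so I would drop the cast and write `return (long)atomic64_read_unchecked(l);`. The same pattern repeats in every `atomic_long_*_unchecked` wrapper added in the later hunks of this file, including the 32-bit `atomic_unchecked_t` versions. It mirrors the existing checked wrappers, so this is a style point rather than a defect.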
44513 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
44514 atomic64_set(v, i);
44517 +#ifdef CONFIG_PAX_REFCOUNT
44518 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44520 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44522 + atomic64_set_unchecked(v, i);
44526 static inline void atomic_long_inc(atomic_long_t *l)
44528 atomic64_t *v = (atomic64_t *)l;
44529 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
44533 +#ifdef CONFIG_PAX_REFCOUNT
44534 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44536 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44538 + atomic64_inc_unchecked(v);
44542 static inline void atomic_long_dec(atomic_long_t *l)
44544 atomic64_t *v = (atomic64_t *)l;
44545 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
44549 +#ifdef CONFIG_PAX_REFCOUNT
44550 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44552 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44554 + atomic64_dec_unchecked(v);
44558 static inline void atomic_long_add(long i, atomic_long_t *l)
44560 atomic64_t *v = (atomic64_t *)l;
44561 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
44562 atomic64_add(i, v);
44565 +#ifdef CONFIG_PAX_REFCOUNT
44566 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44568 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44570 + atomic64_add_unchecked(i, v);
44574 static inline void atomic_long_sub(long i, atomic_long_t *l)
44576 atomic64_t *v = (atomic64_t *)l;
44577 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
44578 atomic64_sub(i, v);
44581 +#ifdef CONFIG_PAX_REFCOUNT
44582 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44584 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44586 + atomic64_sub_unchecked(i, v);
44590 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44592 atomic64_t *v = (atomic64_t *)l;
44593 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
44594 return (long)atomic64_inc_return(v);
44597 +#ifdef CONFIG_PAX_REFCOUNT
44598 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44600 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44602 + return (long)atomic64_inc_return_unchecked(v);
44606 static inline long atomic_long_dec_return(atomic_long_t *l)
44608 atomic64_t *v = (atomic64_t *)l;
44609 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
44611 typedef atomic_t atomic_long_t;
44613 +#ifdef CONFIG_PAX_REFCOUNT
44614 +typedef atomic_unchecked_t atomic_long_unchecked_t;
44616 +typedef atomic_t atomic_long_unchecked_t;
44619 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
44620 static inline long atomic_long_read(atomic_long_t *l)
44622 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
44623 return (long)atomic_read(v);
44626 +#ifdef CONFIG_PAX_REFCOUNT
44627 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44629 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44631 + return (long)atomic_read_unchecked(v);
44635 static inline void atomic_long_set(atomic_long_t *l, long i)
44637 atomic_t *v = (atomic_t *)l;
44638 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
44642 +#ifdef CONFIG_PAX_REFCOUNT
44643 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44645 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44647 + atomic_set_unchecked(v, i);
44651 static inline void atomic_long_inc(atomic_long_t *l)
44653 atomic_t *v = (atomic_t *)l;
44654 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
44658 +#ifdef CONFIG_PAX_REFCOUNT
44659 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44661 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44663 + atomic_inc_unchecked(v);
44667 static inline void atomic_long_dec(atomic_long_t *l)
44669 atomic_t *v = (atomic_t *)l;
44670 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
44674 +#ifdef CONFIG_PAX_REFCOUNT
44675 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44677 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44679 + atomic_dec_unchecked(v);
44683 static inline void atomic_long_add(long i, atomic_long_t *l)
44685 atomic_t *v = (atomic_t *)l;
44686 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
44690 +#ifdef CONFIG_PAX_REFCOUNT
44691 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44693 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44695 + atomic_add_unchecked(i, v);
44699 static inline void atomic_long_sub(long i, atomic_long_t *l)
44701 atomic_t *v = (atomic_t *)l;
44702 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
44706 +#ifdef CONFIG_PAX_REFCOUNT
44707 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44709 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44711 + atomic_sub_unchecked(i, v);
44715 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44717 atomic_t *v = (atomic_t *)l;
44718 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
44719 return (long)atomic_inc_return(v);
44722 +#ifdef CONFIG_PAX_REFCOUNT
44723 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44725 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44727 + return (long)atomic_inc_return_unchecked(v);
44731 static inline long atomic_long_dec_return(atomic_long_t *l)
44733 atomic_t *v = (atomic_t *)l;
44734 @@ -255,4 +393,41 @@ static inline long atomic_long_add_unles
44736 #endif /* BITS_PER_LONG == 64 */
44738 +#ifdef CONFIG_PAX_REFCOUNT
44739 +static inline void pax_refcount_needs_these_functions(void)
44741 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
44742 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
44743 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
44744 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
44745 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
44746 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
44747 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
44749 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
44750 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
44751 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
44752 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
44753 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
44754 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
44755 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
44758 +#define atomic_read_unchecked(v) atomic_read(v)
44759 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
44760 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
44761 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
44762 +#define atomic_inc_unchecked(v) atomic_inc(v)
44763 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
44764 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
44766 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
44767 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
44768 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
44769 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
44770 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
44771 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
44772 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
44775 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
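Review bot: `atomic_dec_unchecked` is missing from both lists in this hunk. `pax_refcount_needs_these_functions()` never references it and the non-PAX fallback macros do not define it, although the 32-bit `atomic_long_dec_unchecked` wrapper added earlier in this file calls `atomic_dec_unchecked(v)`. Unless another header covers it, add `atomic_dec_unchecked((atomic_unchecked_t *)NULL);` to the function and `#define atomic_dec_unchecked(v) atomic_dec(v)` to the fallback block. The function also needs a comment saying that it is never called and, as it appears, exists only so that a missing per-architecture primitive fails the build. Without that, the NULL arguments read like a bug.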
44776 diff -urNp linux-2.6.37/include/asm-generic/dma-mapping-common.h linux-2.6.37/include/asm-generic/dma-mapping-common.h
44777 --- linux-2.6.37/include/asm-generic/dma-mapping-common.h 2011-01-04 19:50:19.000000000 -0500
44778 +++ linux-2.6.37/include/asm-generic/dma-mapping-common.h 2011-01-17 02:41:02.000000000 -0500
44779 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
44780 enum dma_data_direction dir,
44781 struct dma_attrs *attrs)
44783 - struct dma_map_ops *ops = get_dma_ops(dev);
44784 + const struct dma_map_ops *ops = get_dma_ops(dev);
44787 kmemcheck_mark_initialized(ptr, size);
44788 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
44789 enum dma_data_direction dir,
44790 struct dma_attrs *attrs)
44792 - struct dma_map_ops *ops = get_dma_ops(dev);
44793 + const struct dma_map_ops *ops = get_dma_ops(dev);
44795 BUG_ON(!valid_dma_direction(dir));
44796 if (ops->unmap_page)
44797 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
44798 int nents, enum dma_data_direction dir,
44799 struct dma_attrs *attrs)
44801 - struct dma_map_ops *ops = get_dma_ops(dev);
44802 + const struct dma_map_ops *ops = get_dma_ops(dev);
44804 struct scatterlist *s;
44806 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
44807 int nents, enum dma_data_direction dir,
44808 struct dma_attrs *attrs)
44810 - struct dma_map_ops *ops = get_dma_ops(dev);
44811 + const struct dma_map_ops *ops = get_dma_ops(dev);
44813 BUG_ON(!valid_dma_direction(dir));
44814 debug_dma_unmap_sg(dev, sg, nents, dir);
44815 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
44816 size_t offset, size_t size,
44817 enum dma_data_direction dir)
44819 - struct dma_map_ops *ops = get_dma_ops(dev);
44820 + const struct dma_map_ops *ops = get_dma_ops(dev);
44823 kmemcheck_mark_initialized(page_address(page) + offset, size);
44824 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
44825 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
44826 size_t size, enum dma_data_direction dir)
44828 - struct dma_map_ops *ops = get_dma_ops(dev);
44829 + const struct dma_map_ops *ops = get_dma_ops(dev);
44831 BUG_ON(!valid_dma_direction(dir));
44832 if (ops->unmap_page)
44833 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
44835 enum dma_data_direction dir)
44837 - struct dma_map_ops *ops = get_dma_ops(dev);
44838 + const struct dma_map_ops *ops = get_dma_ops(dev);
44840 BUG_ON(!valid_dma_direction(dir));
44841 if (ops->sync_single_for_cpu)
44842 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
44843 dma_addr_t addr, size_t size,
44844 enum dma_data_direction dir)
44846 - struct dma_map_ops *ops = get_dma_ops(dev);
44847 + const struct dma_map_ops *ops = get_dma_ops(dev);
44849 BUG_ON(!valid_dma_direction(dir));
44850 if (ops->sync_single_for_device)
44851 @@ -139,7 +139,7 @@ static inline void
44852 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
44853 int nelems, enum dma_data_direction dir)
44855 - struct dma_map_ops *ops = get_dma_ops(dev);
44856 + const struct dma_map_ops *ops = get_dma_ops(dev);
44858 BUG_ON(!valid_dma_direction(dir));
44859 if (ops->sync_sg_for_cpu)
44860 @@ -151,7 +151,7 @@ static inline void
44861 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
44862 int nelems, enum dma_data_direction dir)
44864 - struct dma_map_ops *ops = get_dma_ops(dev);
44865 + const struct dma_map_ops *ops = get_dma_ops(dev);
44867 BUG_ON(!valid_dma_direction(dir));
44868 if (ops->sync_sg_for_device)
44869 diff -urNp linux-2.6.37/include/asm-generic/futex.h linux-2.6.37/include/asm-generic/futex.h
44870 --- linux-2.6.37/include/asm-generic/futex.h 2011-01-04 19:50:19.000000000 -0500
44871 +++ linux-2.6.37/include/asm-generic/futex.h 2011-01-17 02:41:02.000000000 -0500
44873 #include <asm/errno.h>
44876 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
44877 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
44879 int op = (encoded_op >> 28) & 7;
44880 int cmp = (encoded_op >> 24) & 15;
44881 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
44885 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
44886 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
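Review bot: `futex_atomic_cmpxchg_inatomic` now takes `u32 __user *uaddr` but `oldval` and `newval` remain `int`, so the compare-and-exchange mixes signed and unsigned 32-bit operands. Declaring all three as `u32`, i.e. `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)`, keeps the comparison in a single type. Callers and the per-architecture implementations would need the same change. The function body is outside the hunk, and the preceding hunk makes the same pointer-type change to `futex_atomic_op_inuser`.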
44890 diff -urNp linux-2.6.37/include/asm-generic/int-l64.h linux-2.6.37/include/asm-generic/int-l64.h
44891 --- linux-2.6.37/include/asm-generic/int-l64.h 2011-01-04 19:50:19.000000000 -0500
44892 +++ linux-2.6.37/include/asm-generic/int-l64.h 2011-01-17 02:41:02.000000000 -0500
44893 @@ -46,6 +46,8 @@ typedef unsigned int u32;
44894 typedef signed long s64;
44895 typedef unsigned long u64;
44897 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
44900 #define U8_C(x) x ## U
44902 diff -urNp linux-2.6.37/include/asm-generic/int-ll64.h linux-2.6.37/include/asm-generic/int-ll64.h
44903 --- linux-2.6.37/include/asm-generic/int-ll64.h 2011-01-04 19:50:19.000000000 -0500
44904 +++ linux-2.6.37/include/asm-generic/int-ll64.h 2011-01-17 02:41:02.000000000 -0500
44905 @@ -51,6 +51,8 @@ typedef unsigned int u32;
44906 typedef signed long long s64;
44907 typedef unsigned long long u64;
44909 +typedef unsigned long long intoverflow_t;
44912 #define U8_C(x) x ## U
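Review bot: `intoverflow_t` is `unsigned long long` here, which is 64 bits, whereas the int-l64.h hunk above makes it a 128-bit `mode(TI)` type. If a 64-bit architecture includes int-ll64.h, the type is no wider than `unsigned long`. A widened size computation, which is presumably the purpose judging by the name, could then never exceed the limit it is compared against, and the overflow check would silently pass. Neither hunk documents the intended invariant. I would add `/* must be strictly wider than unsigned long */` to both typedefs and back it with a build-time size check where the type is used.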
44914 diff -urNp linux-2.6.37/include/asm-generic/kmap_types.h linux-2.6.37/include/asm-generic/kmap_types.h
44915 --- linux-2.6.37/include/asm-generic/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
44916 +++ linux-2.6.37/include/asm-generic/kmap_types.h 2011-01-17 02:41:02.000000000 -0500
44917 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
44919 KMAP_D(18) KM_NMI_PTE,
44921 +KMAP_D(20) KM_CLEARPAGE,
44923 * Remember to update debug_kmap_atomic() when adding new kmap types!
44925 -KMAP_D(20) KM_TYPE_NR
44926 +KMAP_D(21) KM_TYPE_NR
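Review bot: The hunk adds `KM_CLEARPAGE` and bumps `KM_TYPE_NR` to 21, directly above the existing reminder to update `debug_kmap_atomic()` when adding new kmap types. Nothing in this hunk shows that update. It should be confirmed that the debug check knows which contexts may use the new slot, since otherwise misuse of it goes unreported. The new entry would also benefit from a one-line comment stating what the slot is used for and from which context it may be taken.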
44930 diff -urNp linux-2.6.37/include/asm-generic/pgtable.h linux-2.6.37/include/asm-generic/pgtable.h
44931 --- linux-2.6.37/include/asm-generic/pgtable.h 2011-01-04 19:50:19.000000000 -0500
44932 +++ linux-2.6.37/include/asm-generic/pgtable.h 2011-01-17 02:41:02.000000000 -0500
44933 @@ -348,6 +348,14 @@ extern void untrack_pfn_vma(struct vm_ar
44934 unsigned long size);
44937 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
44938 +static inline unsigned long pax_open_kernel(void) { return 0; }
44941 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
44942 +static inline unsigned long pax_close_kernel(void) { return 0; }
44945 #endif /* !__ASSEMBLY__ */
44947 #endif /* _ASM_GENERIC_PGTABLE_H */
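Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` stubs return 0 and do nothing, with no comment on what the `unsigned long` return value means. Nor do they say that on an architecture without `__HAVE_ARCH_PAX_OPEN_KERNEL` the pair presumably provides no protection around the enclosed writes. A caller reading only this header cannot tell whether the result must be checked or passed back. I would add a comment above both stubs, e.g. `/* no-op fallback: this arch provides no open/close implementation, so callers get no protection here */`.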
44948 diff -urNp linux-2.6.37/include/asm-generic/pgtable-nopmd.h linux-2.6.37/include/asm-generic/pgtable-nopmd.h
44949 --- linux-2.6.37/include/asm-generic/pgtable-nopmd.h 2011-01-04 19:50:19.000000000 -0500
44950 +++ linux-2.6.37/include/asm-generic/pgtable-nopmd.h 2011-01-17 02:41:02.000000000 -0500
44952 #ifndef _PGTABLE_NOPMD_H
44953 #define _PGTABLE_NOPMD_H
44955 -#ifndef __ASSEMBLY__
44957 #include <asm-generic/pgtable-nopud.h>
44961 #define __PAGETABLE_PMD_FOLDED
44963 +#define PMD_SHIFT PUD_SHIFT
44964 +#define PTRS_PER_PMD 1
44965 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
44966 +#define PMD_MASK (~(PMD_SIZE-1))
44968 +#ifndef __ASSEMBLY__
44973 * Having the pmd type consist of a pud gets the size right, and allows
44974 * us to conceptually access the pud entry that this pmd is folded into
44975 @@ -16,11 +21,6 @@ struct mm_struct;
44977 typedef struct { pud_t pud; } pmd_t;
44979 -#define PMD_SHIFT PUD_SHIFT
44980 -#define PTRS_PER_PMD 1
44981 -#define PMD_SIZE (1UL << PMD_SHIFT)
44982 -#define PMD_MASK (~(PMD_SIZE-1))
44985 * The "pud_xxx()" functions here are trivial for a folded two-level
44986 * setup: the pmd is never bad, and a pmd always exists (as it's folded
44987 diff -urNp linux-2.6.37/include/asm-generic/pgtable-nopud.h linux-2.6.37/include/asm-generic/pgtable-nopud.h
44988 --- linux-2.6.37/include/asm-generic/pgtable-nopud.h 2011-01-04 19:50:19.000000000 -0500
44989 +++ linux-2.6.37/include/asm-generic/pgtable-nopud.h 2011-01-17 02:41:02.000000000 -0500
44991 #ifndef _PGTABLE_NOPUD_H
44992 #define _PGTABLE_NOPUD_H
44994 -#ifndef __ASSEMBLY__
44996 #define __PAGETABLE_PUD_FOLDED
44998 +#define PUD_SHIFT PGDIR_SHIFT
44999 +#define PTRS_PER_PUD 1
45000 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
45001 +#define PUD_MASK (~(PUD_SIZE-1))
45003 +#ifndef __ASSEMBLY__
45006 * Having the pud type consist of a pgd gets the size right, and allows
45007 * us to conceptually access the pgd entry that this pud is folded into
45010 typedef struct { pgd_t pgd; } pud_t;
45012 -#define PUD_SHIFT PGDIR_SHIFT
45013 -#define PTRS_PER_PUD 1
45014 -#define PUD_SIZE (1UL << PUD_SHIFT)
45015 -#define PUD_MASK (~(PUD_SIZE-1))
45018 * The "pgd_xxx()" functions here are trivial for a folded two-level
45019 * setup: the pud is never bad, and a pud always exists (as it's folded
45020 diff -urNp linux-2.6.37/include/asm-generic/vmlinux.lds.h linux-2.6.37/include/asm-generic/vmlinux.lds.h
45021 --- linux-2.6.37/include/asm-generic/vmlinux.lds.h 2011-01-04 19:50:19.000000000 -0500
45022 +++ linux-2.6.37/include/asm-generic/vmlinux.lds.h 2011-01-17 02:41:02.000000000 -0500
45023 @@ -210,6 +210,7 @@
45024 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
45025 VMLINUX_SYMBOL(__start_rodata) = .; \
45026 *(.rodata) *(.rodata.*) \
45027 + *(.data..read_only) \
45028 *(__vermagic) /* Kernel version magic */ \
45029 *(__markers_strings) /* Markers: strings */ \
45030 *(__tracepoints_strings)/* Tracepoints: strings */ \
45031 @@ -679,14 +680,15 @@
45032 * section in the linker script will go there too. @phdr should have
45035 - * Note that this macros defines __per_cpu_load as an absolute symbol.
45036 + * Note that this macros defines per_cpu_load as an absolute symbol.
45037 * If there is no need to put the percpu section at a predetermined
45038 * address, use PERCPU().
45040 #define PERCPU_VADDR(vaddr, phdr) \
45041 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
45042 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
45043 + per_cpu_load = .; \
45044 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
45046 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
45047 VMLINUX_SYMBOL(__per_cpu_start) = .; \
45048 *(.data..percpu..first) \
45049 . = ALIGN(PAGE_SIZE); \
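Review bot: The new `per_cpu_load` symbol is defined bare (`per_cpu_load = .;`) but referenced through `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and again in the next hunk's `. = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);`. On a configuration where VMLINUX_SYMBOL adds a symbol prefix, the definition and those references would name different symbols. The bare use in `VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load;` is inconsistent in the same way. Either wrap the definition, `VMLINUX_SYMBOL(per_cpu_load) = .;`, or drop the wrapper at every use. The PERCPU_VADDR macro body continues outside this hunk.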
45050 @@ -696,7 +698,7 @@
45051 *(.data..percpu..shared_aligned) \
45052 VMLINUX_SYMBOL(__per_cpu_end) = .; \
45054 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
45055 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
45058 * PERCPU - define output section for percpu area, simple version
45059 diff -urNp linux-2.6.37/include/drm/drm_pciids.h linux-2.6.37/include/drm/drm_pciids.h
45060 --- linux-2.6.37/include/drm/drm_pciids.h 2011-01-04 19:50:19.000000000 -0500
45061 +++ linux-2.6.37/include/drm/drm_pciids.h 2011-01-17 02:41:02.000000000 -0500
45062 @@ -419,7 +419,7 @@
45063 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45064 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45065 {0x1002, 0x9715, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45067 + {0, 0, 0, 0, 0, 0}
45069 #define r128_PCI_IDS \
45070 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
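Review bot: The terminator `{0, 0, 0, 0, 0, 0}` lists six initializers while every entry in these tables has seven, so it reads like a miscounted row. The last field is still zero through implicit initialization, so the tables behave the same. Writing `{0, 0, 0, 0, 0, 0, 0}` would mirror the entries and remove the doubt. The same applies to the terminators added in the remaining hunks of this file.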
45071 @@ -459,14 +459,14 @@
45072 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45073 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45074 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45076 + {0, 0, 0, 0, 0, 0}
45078 #define mga_PCI_IDS \
45079 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
45080 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
45081 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
45082 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
45084 + {0, 0, 0, 0, 0, 0}
45086 #define mach64_PCI_IDS \
45087 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45088 @@ -489,7 +489,7 @@
45089 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45090 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45091 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45093 + {0, 0, 0, 0, 0, 0}
45095 #define sisdrv_PCI_IDS \
45096 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45097 @@ -500,7 +500,7 @@
45098 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45099 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
45100 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
45102 + {0, 0, 0, 0, 0, 0}
45104 #define tdfx_PCI_IDS \
45105 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45106 @@ -509,7 +509,7 @@
45107 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45108 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45109 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45111 + {0, 0, 0, 0, 0, 0}
45113 #define viadrv_PCI_IDS \
45114 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45115 @@ -521,14 +521,14 @@
45116 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45117 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
45118 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
45120 + {0, 0, 0, 0, 0, 0}
45122 #define i810_PCI_IDS \
45123 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45124 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45125 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45126 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45128 + {0, 0, 0, 0, 0, 0}
45130 #define i830_PCI_IDS \
45131 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45132 @@ -536,11 +536,11 @@
45133 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45134 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45135 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45137 + {0, 0, 0, 0, 0, 0}
45139 #define gamma_PCI_IDS \
45140 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45142 + {0, 0, 0, 0, 0, 0}
45144 #define savage_PCI_IDS \
45145 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
45146 @@ -566,10 +566,10 @@
45147 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
45148 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
45149 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
45151 + {0, 0, 0, 0, 0, 0}
45153 #define ffb_PCI_IDS \
45155 + {0, 0, 0, 0, 0, 0}
45157 #define i915_PCI_IDS \
45158 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45159 @@ -603,4 +603,4 @@
45160 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45161 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45162 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45164 + {0, 0, 0, 0, 0, 0}
45165 diff -urNp linux-2.6.37/include/drm/drmP.h linux-2.6.37/include/drm/drmP.h
45166 --- linux-2.6.37/include/drm/drmP.h 2011-01-04 19:50:19.000000000 -0500
45167 +++ linux-2.6.37/include/drm/drmP.h 2011-01-24 18:04:18.000000000 -0500
45169 #include <linux/workqueue.h>
45170 #include <linux/poll.h>
45171 #include <asm/pgalloc.h>
45172 +#include <asm/local.h>
45175 #include <linux/idr.h>
45176 @@ -804,7 +805,7 @@ struct drm_driver {
45177 void (*vgaarb_irq)(struct drm_device *dev, bool state);
45179 /* Driver private ops for this object */
45180 - struct vm_operations_struct *gem_vm_ops;
45181 + const struct vm_operations_struct *gem_vm_ops;
45185 @@ -817,7 +818,7 @@ struct drm_driver {
45187 struct drm_ioctl_desc *ioctls;
45189 - struct file_operations fops;
45190 + const struct file_operations fops;
45191 struct pci_driver pci_driver;
45192 struct platform_device *platform_device;
45193 /* List of devices hanging off this driver */
45194 @@ -914,7 +915,7 @@ struct drm_device {
45196 /** \name Usage Counters */
45198 - int open_count; /**< Outstanding files open */
45199 + local_t open_count; /**< Outstanding files open */
45200 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
45201 atomic_t vma_count; /**< Outstanding vma areas open */
45202 int buf_use; /**< Buffers in use -- cannot alloc */
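Review bot: `local_t open_count` replaces a plain `int` with a type whose operations are atomic only with respect to the current CPU, while the field counts opens for the whole device. If every user already serialises on a lock (not visible in this hunk), the change is safe, but the comment should then name that lock, e.g. `/**< Outstanding files open, protected by <lock name> */`. If they do not, `atomic_t` is the type that gives cross-CPU atomicity, matching `ioctl_count` and `vma_count` on the following lines.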
45203 @@ -925,7 +926,7 @@ struct drm_device {
45205 unsigned long counters;
45206 enum drm_stat_type types[15];
45207 - atomic_t counts[15];
45208 + atomic_unchecked_t counts[15];
45211 struct list_head filelist;
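Review bot: The switch to `atomic_unchecked_t counts[15]` carries no comment saying why these counters are taken out of the checked atomic type. Judging by the neighbouring `types[15]` these are statistics, where wrapping is harmless, but the reader has to infer that. A real reference count moved to the unchecked type by mistake would presumably lose its overflow protection without any warning. I would add `/* statistics only; wraparound is harmless, so the unchecked type is used */` here, and the equivalent on `__HANDLE_ITEM` in include/linux/atmdev.h and on `sync_io` in include/linux/genhd.h later in this patch.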
45212 diff -urNp linux-2.6.37/include/linux/a.out.h linux-2.6.37/include/linux/a.out.h
45213 --- linux-2.6.37/include/linux/a.out.h 2011-01-04 19:50:19.000000000 -0500
45214 +++ linux-2.6.37/include/linux/a.out.h 2011-01-17 02:41:02.000000000 -0500
45215 @@ -39,6 +39,14 @@ enum machine_type {
45216 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
45219 +/* Constants for the N_FLAGS field */
45220 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45221 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
45222 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
45223 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
45224 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45225 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45227 #if !defined (N_MAGIC)
45228 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
45230 diff -urNp linux-2.6.37/include/linux/atmdev.h linux-2.6.37/include/linux/atmdev.h
45231 --- linux-2.6.37/include/linux/atmdev.h 2011-01-04 19:50:19.000000000 -0500
45232 +++ linux-2.6.37/include/linux/atmdev.h 2011-01-17 02:41:02.000000000 -0500
45233 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
45236 struct k_atm_aal_stats {
45237 -#define __HANDLE_ITEM(i) atomic_t i
45238 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
45240 #undef __HANDLE_ITEM
45242 diff -urNp linux-2.6.37/include/linux/binfmts.h linux-2.6.37/include/linux/binfmts.h
45243 --- linux-2.6.37/include/linux/binfmts.h 2011-01-04 19:50:19.000000000 -0500
45244 +++ linux-2.6.37/include/linux/binfmts.h 2011-01-17 02:41:02.000000000 -0500
45245 @@ -92,6 +92,7 @@ struct linux_binfmt {
45246 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
45247 int (*load_shlib)(struct file *);
45248 int (*core_dump)(struct coredump_params *cprm);
45249 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
45250 unsigned long min_coredump; /* minimal dump size */
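Review bot: The new `handle_mprotect` member has no comment, unlike `min_coredump` directly below it, and nothing says whether it may be NULL. Binary formats that do not set it will leave it NULL, so the call site (outside this hunk) needs a NULL check. The hook's contract should also be written down: whether it runs before or after the vma flags change, and with which lock held. Suggested, to be adjusted to the real call site: `/* optional, may be NULL; called from the mprotect path with the requested vm_flags */`.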
45253 diff -urNp linux-2.6.37/include/linux/blkdev.h linux-2.6.37/include/linux/blkdev.h
45254 --- linux-2.6.37/include/linux/blkdev.h 2011-01-04 19:50:19.000000000 -0500
45255 +++ linux-2.6.37/include/linux/blkdev.h 2011-01-17 02:41:02.000000000 -0500
45256 @@ -1250,19 +1250,19 @@ queue_max_integrity_segments(struct requ
45257 #endif /* CONFIG_BLK_DEV_INTEGRITY */
45259 struct block_device_operations {
45260 - int (*open) (struct block_device *, fmode_t);
45261 - int (*release) (struct gendisk *, fmode_t);
45262 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45263 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45264 - int (*direct_access) (struct block_device *, sector_t,
45265 + int (* const open) (struct block_device *, fmode_t);
45266 + int (* const release) (struct gendisk *, fmode_t);
45267 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45268 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45269 + int (* const direct_access) (struct block_device *, sector_t,
45270 void **, unsigned long *);
45271 - int (*media_changed) (struct gendisk *);
45272 - void (*unlock_native_capacity) (struct gendisk *);
45273 - int (*revalidate_disk) (struct gendisk *);
45274 - int (*getgeo)(struct block_device *, struct hd_geometry *);
45275 + int (* const media_changed) (struct gendisk *);
45276 + void (* const unlock_native_capacity) (struct gendisk *);
45277 + int (* const revalidate_disk) (struct gendisk *);
45278 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
45279 /* this callback is with swap_lock and sometimes page table lock held */
45280 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
45281 - struct module *owner;
45282 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
45283 + struct module * const owner;
45286 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
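Review bot: Qualifying each member (`int (* const open)(...)`, `struct module * const owner`) makes every instance non-assignable, and the struct carries no comment giving the reason. Code that fills an ops table at runtime, or patches one field after copying a template, stops compiling. As far as I know, member-level const also does not by itself place a non-const instance in read-only data; instances still have to be declared `const struct block_device_operations` for that. A comment above the struct would record the intent, e.g. `/* members are const: ops tables are initialised statically and must not change at runtime */`. The same applies to `struct dma_map_ops` in include/linux/dma-mapping.h and to the ops structs in include/linux/fs.h.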
45287 diff -urNp linux-2.6.37/include/linux/byteorder/little_endian.h linux-2.6.37/include/linux/byteorder/little_endian.h
45288 --- linux-2.6.37/include/linux/byteorder/little_endian.h 2011-01-04 19:50:19.000000000 -0500
45289 +++ linux-2.6.37/include/linux/byteorder/little_endian.h 2011-01-17 02:41:02.000000000 -0500
45290 @@ -42,51 +42,51 @@
45292 static inline __le64 __cpu_to_le64p(const __u64 *p)
45294 - return (__force __le64)*p;
45295 + return (__force const __le64)*p;
45297 static inline __u64 __le64_to_cpup(const __le64 *p)
45299 - return (__force __u64)*p;
45300 + return (__force const __u64)*p;
45302 static inline __le32 __cpu_to_le32p(const __u32 *p)
45304 - return (__force __le32)*p;
45305 + return (__force const __le32)*p;
45307 static inline __u32 __le32_to_cpup(const __le32 *p)
45309 - return (__force __u32)*p;
45310 + return (__force const __u32)*p;
45312 static inline __le16 __cpu_to_le16p(const __u16 *p)
45314 - return (__force __le16)*p;
45315 + return (__force const __le16)*p;
45317 static inline __u16 __le16_to_cpup(const __le16 *p)
45319 - return (__force __u16)*p;
45320 + return (__force const __u16)*p;
45322 static inline __be64 __cpu_to_be64p(const __u64 *p)
45324 - return (__force __be64)__swab64p(p);
45325 + return (__force const __be64)__swab64p(p);
45327 static inline __u64 __be64_to_cpup(const __be64 *p)
45329 - return __swab64p((__u64 *)p);
45330 + return __swab64p((const __u64 *)p);
45332 static inline __be32 __cpu_to_be32p(const __u32 *p)
45334 - return (__force __be32)__swab32p(p);
45335 + return (__force const __be32)__swab32p(p);
45337 static inline __u32 __be32_to_cpup(const __be32 *p)
45339 - return __swab32p((__u32 *)p);
45340 + return __swab32p((const __u32 *)p);
45342 static inline __be16 __cpu_to_be16p(const __u16 *p)
45344 - return (__force __be16)__swab16p(p);
45345 + return (__force const __be16)__swab16p(p);
45347 static inline __u16 __be16_to_cpup(const __be16 *p)
45349 - return __swab16p((__u16 *)p);
45350 + return __swab16p((const __u16 *)p);
45352 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
45353 #define __le64_to_cpus(x) do { (void)(x); } while (0)
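Review bot: The `const` added inside the value casts (`(__force const __le64)*p`, `(__force const __be64)__swab64p(p)` and the others of that form) has no effect, because a cast yields an rvalue and qualifiers on it are discarded. Only the three pointer casts in `__be64_to_cpup`, `__be32_to_cpup` and `__be16_to_cpup`, e.g. `(const __u64 *)p`, change anything, since they stop casting away the parameter's const. I would keep the value casts as they were, `return (__force __le64)*p;`, and limit the hunk to the pointer casts.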
45354 diff -urNp linux-2.6.37/include/linux/cache.h linux-2.6.37/include/linux/cache.h
45355 --- linux-2.6.37/include/linux/cache.h 2011-01-04 19:50:19.000000000 -0500
45356 +++ linux-2.6.37/include/linux/cache.h 2011-01-17 02:41:02.000000000 -0500
45358 #define __read_mostly
45361 +#ifndef __read_only
45362 +#define __read_only __read_mostly
45365 #ifndef ____cacheline_aligned
45366 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
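Review bot: The fallback `#define __read_only __read_mostly` leaves annotated variables in ordinary writable data on any architecture that does not supply its own `__read_only`, and nothing at the definition says so. The annotation's name promises write protection, so a reader auditing a `__read_only` variable would assume more than this fallback delivers. I would add a comment such as `/* fallback: no write protection on this architecture, only the __read_mostly placement */`. The closing `#endif` of the new block is not visible in this view.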
45368 diff -urNp linux-2.6.37/include/linux/capability.h linux-2.6.37/include/linux/capability.h
45369 --- linux-2.6.37/include/linux/capability.h 2011-01-04 19:50:19.000000000 -0500
45370 +++ linux-2.6.37/include/linux/capability.h 2011-01-17 02:41:02.000000000 -0500
45371 @@ -558,6 +558,7 @@ extern const kernel_cap_t __cap_init_eff
45372 (security_real_capable_noaudit((t), (cap)) == 0)
45374 extern int capable(int cap);
45375 +int capable_nolog(int cap);
45377 /* audit system wants to get cap info from files as well */
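Review bot: `int capable_nolog(int cap);` is declared without `extern` directly under `extern int capable(int cap);`, and without a comment on how the two differ. A capability check that suppresses logging should say when that is acceptable, e.g. `/* like capable(), but a denial is not logged; for probing checks only */`. That wording is inferred from the name and needs confirming against the definition, which is outside this hunk. `extern int capable_nolog(int cap);` would match the neighbouring declaration.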
45379 diff -urNp linux-2.6.37/include/linux/compiler-gcc4.h linux-2.6.37/include/linux/compiler-gcc4.h
45380 --- linux-2.6.37/include/linux/compiler-gcc4.h 2011-01-04 19:50:19.000000000 -0500
45381 +++ linux-2.6.37/include/linux/compiler-gcc4.h 2011-01-17 02:41:02.000000000 -0500
45386 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
45387 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
45388 +#define __bos0(ptr) __bos((ptr), 0)
45389 +#define __bos1(ptr) __bos((ptr), 1)
45392 #if __GNUC_MINOR__ > 0
45393 diff -urNp linux-2.6.37/include/linux/compiler.h linux-2.6.37/include/linux/compiler.h
45394 --- linux-2.6.37/include/linux/compiler.h 2011-01-04 19:50:19.000000000 -0500
45395 +++ linux-2.6.37/include/linux/compiler.h 2011-01-17 02:41:02.000000000 -0500
45396 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
45400 +#ifndef __alloc_size
45401 +#define __alloc_size
45416 /* Simple shorthand for a section definition */
45418 # define __section(S) __attribute__ ((__section__(#S)))
45419 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
45420 * use is to mediate communication between process-level code and irq/NMI
45421 * handlers, all running on the same CPU.
45423 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
45424 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
45425 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
45427 #endif /* __LINUX_COMPILER_H */
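Review bot: `ACCESS_ONCE(x)` now yields a const-qualified lvalue, yet the comment block above the macro (partly visible here) still describes a single macro. Any store through `ACCESS_ONCE` will fail to compile, and writers have to move to `ACCESS_ONCE_RW`. Add a line such as `/* ACCESS_ONCE() is read-only; use ACCESS_ONCE_RW() for stores and read-modify-write */`, so that other users meet a documented rule rather than a bare compiler error. The include/linux/cpuset.h hunk that follows shows the required conversion for `--ACCESS_ONCE(...)`.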
45428 diff -urNp linux-2.6.37/include/linux/cpuset.h linux-2.6.37/include/linux/cpuset.h
45429 --- linux-2.6.37/include/linux/cpuset.h 2011-01-04 19:50:19.000000000 -0500
45430 +++ linux-2.6.37/include/linux/cpuset.h 2011-01-17 02:41:02.000000000 -0500
45431 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
45435 - --ACCESS_ONCE(current->mems_allowed_change_disable);
45436 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
45439 static inline void set_mems_allowed(nodemask_t nodemask)
45440 diff -urNp linux-2.6.37/include/linux/decompress/mm.h linux-2.6.37/include/linux/decompress/mm.h
45441 --- linux-2.6.37/include/linux/decompress/mm.h 2011-01-04 19:50:19.000000000 -0500
45442 +++ linux-2.6.37/include/linux/decompress/mm.h 2011-01-17 02:41:02.000000000 -0500
45443 @@ -78,7 +78,7 @@ static void free(void *where)
45444 * warnings when not needed (indeed large_malloc / large_free are not
45445 * needed by inflate */
45447 -#define malloc(a) kmalloc(a, GFP_KERNEL)
45448 +#define malloc(a) kmalloc((a), GFP_KERNEL)
45449 #define free(a) kfree(a)
45451 #define large_malloc(a) vmalloc(a)
45452 diff -urNp linux-2.6.37/include/linux/dma-mapping.h linux-2.6.37/include/linux/dma-mapping.h
45453 --- linux-2.6.37/include/linux/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
45454 +++ linux-2.6.37/include/linux/dma-mapping.h 2011-01-17 02:41:02.000000000 -0500
45455 @@ -16,40 +16,40 @@ enum dma_data_direction {
45458 struct dma_map_ops {
45459 - void* (*alloc_coherent)(struct device *dev, size_t size,
45460 + void* (* const alloc_coherent)(struct device *dev, size_t size,
45461 dma_addr_t *dma_handle, gfp_t gfp);
45462 - void (*free_coherent)(struct device *dev, size_t size,
45463 + void (* const free_coherent)(struct device *dev, size_t size,
45464 void *vaddr, dma_addr_t dma_handle);
45465 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
45466 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
45467 unsigned long offset, size_t size,
45468 enum dma_data_direction dir,
45469 struct dma_attrs *attrs);
45470 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
45471 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
45472 size_t size, enum dma_data_direction dir,
45473 struct dma_attrs *attrs);
45474 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
45475 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
45476 int nents, enum dma_data_direction dir,
45477 struct dma_attrs *attrs);
45478 - void (*unmap_sg)(struct device *dev,
45479 + void (* const unmap_sg)(struct device *dev,
45480 struct scatterlist *sg, int nents,
45481 enum dma_data_direction dir,
45482 struct dma_attrs *attrs);
45483 - void (*sync_single_for_cpu)(struct device *dev,
45484 + void (* const sync_single_for_cpu)(struct device *dev,
45485 dma_addr_t dma_handle, size_t size,
45486 enum dma_data_direction dir);
45487 - void (*sync_single_for_device)(struct device *dev,
45488 + void (* const sync_single_for_device)(struct device *dev,
45489 dma_addr_t dma_handle, size_t size,
45490 enum dma_data_direction dir);
45491 - void (*sync_sg_for_cpu)(struct device *dev,
45492 + void (* const sync_sg_for_cpu)(struct device *dev,
45493 struct scatterlist *sg, int nents,
45494 enum dma_data_direction dir);
45495 - void (*sync_sg_for_device)(struct device *dev,
45496 + void (* const sync_sg_for_device)(struct device *dev,
45497 struct scatterlist *sg, int nents,
45498 enum dma_data_direction dir);
45499 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
45500 - int (*dma_supported)(struct device *dev, u64 mask);
45501 - int (*set_dma_mask)(struct device *dev, u64 mask);
45503 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
45504 + int (* const dma_supported)(struct device *dev, u64 mask);
45505 + int (* set_dma_mask)(struct device *dev, u64 mask);
45506 + const int is_phys;
45509 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
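Review bot: `set_dma_mask` is the only callback left without `const` (`int (* set_dma_mask)(...)`), and no comment explains the exception, while `is_phys` becomes `const int`. If some platform assigns `set_dma_mask` at runtime, that should be stated, because it leaves one writable function pointer in an otherwise constant table. If nothing assigns it, the omission looks like an oversight. Suggested: `/* not const: assigned at runtime by <platform code> */`, or make it `int (* const set_dma_mask)(struct device *dev, u64 mask);` like the rest.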
45510 diff -urNp linux-2.6.37/include/linux/elf.h linux-2.6.37/include/linux/elf.h
45511 --- linux-2.6.37/include/linux/elf.h 2011-01-04 19:50:19.000000000 -0500
45512 +++ linux-2.6.37/include/linux/elf.h 2011-01-17 02:41:02.000000000 -0500
45513 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
45514 #define PT_GNU_EH_FRAME 0x6474e550
45516 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
45517 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
45519 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
45521 +/* Constants for the e_flags field */
45522 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45523 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
45524 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
45525 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
45526 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45527 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45530 * Extended Numbering
45531 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
45532 #define DT_DEBUG 21
45533 #define DT_TEXTREL 22
45534 #define DT_JMPREL 23
45535 +#define DT_FLAGS 30
45536 + #define DF_TEXTREL 0x00000004
45537 #define DT_ENCODING 32
45538 #define OLD_DT_LOOS 0x60000000
45539 #define DT_LOOS 0x6000000d
45540 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
45544 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
45545 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
45546 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
45547 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
45548 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
45549 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
45550 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
45551 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
45552 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
45553 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
45554 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
45555 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
45557 typedef struct elf32_phdr{
45559 Elf32_Off p_offset;
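Review bot: The `PF_*` flags come in enable/disable pairs (`PF_PAGEEXEC`/`PF_NOPAGEEXEC` and so on), but the block has no heading comment. Nothing says how a program header with both bits of a pair set, or neither, is treated. The `EF_PAX_*` constants in the first hunk of this file do have a heading (`/* Constants for the e_flags field */`), and these deserve one too. Something like `/* Flags for the PT_PAX_FLAGS program header; a pair with both bits set is <rejected or ignored: confirm against the loader> */` would do. The code that interprets the flags is outside this hunk.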
45560 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
45566 #define ELFMAG0 0x7f /* EI_MAG */
45567 #define ELFMAG1 'E'
45568 #define ELFMAG2 'L'
45569 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
45570 #define elf_note elf32_note
45571 #define elf_addr_t Elf32_Off
45572 #define Elf_Half Elf32_Half
45573 +#define elf_dyn Elf32_Dyn
45577 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
45578 #define elf_note elf64_note
45579 #define elf_addr_t Elf64_Off
45580 #define Elf_Half Elf64_Half
45581 +#define elf_dyn Elf64_Dyn
45585 diff -urNp linux-2.6.37/include/linux/fs.h linux-2.6.37/include/linux/fs.h
45586 --- linux-2.6.37/include/linux/fs.h 2011-01-04 19:50:19.000000000 -0500
45587 +++ linux-2.6.37/include/linux/fs.h 2011-01-17 02:43:32.000000000 -0500
45588 @@ -105,6 +105,11 @@ struct inodes_stat_t {
45589 /* File was opened by fanotify and shouldn't generate fanotify events */
45590 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
45592 +/* Hack for grsec so as not to require read permission simply to execute
45595 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
45598 * The below are the various read and write types that we support. Some of
45599 * them include behavioral modifiers that send information down to the
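Review bot: `FMODE_GREXEC` is described only as a hack that avoids requiring read permission in order to execute, which is too loose for a flag that relaxes a permission check. The comment should name the one path that sets the flag, and state that it is kernel-internal and never derived from user-supplied open flags. For example: `/* kernel-internal: set only by <exec path> on the file it opens for execution; never taken from userspace open flags */`. Part of the comment is missing from this view, so it may already say some of this.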
45600 @@ -578,42 +583,42 @@ typedef int (*read_actor_t)(read_descrip
45601 unsigned long, unsigned long);
45603 struct address_space_operations {
45604 - int (*writepage)(struct page *page, struct writeback_control *wbc);
45605 - int (*readpage)(struct file *, struct page *);
45606 - void (*sync_page)(struct page *);
45607 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
45608 + int (* const readpage)(struct file *, struct page *);
45609 + void (* const sync_page)(struct page *);
45611 /* Write back some dirty pages from this mapping. */
45612 - int (*writepages)(struct address_space *, struct writeback_control *);
45613 + int (* const writepages)(struct address_space *, struct writeback_control *);
45615 /* Set a page dirty. Return true if this dirtied it */
45616 - int (*set_page_dirty)(struct page *page);
45617 + int (* const set_page_dirty)(struct page *page);
45619 - int (*readpages)(struct file *filp, struct address_space *mapping,
45620 + int (* const readpages)(struct file *filp, struct address_space *mapping,
45621 struct list_head *pages, unsigned nr_pages);
45623 - int (*write_begin)(struct file *, struct address_space *mapping,
45624 + int (* const write_begin)(struct file *, struct address_space *mapping,
45625 loff_t pos, unsigned len, unsigned flags,
45626 struct page **pagep, void **fsdata);
45627 - int (*write_end)(struct file *, struct address_space *mapping,
45628 + int (* const write_end)(struct file *, struct address_space *mapping,
45629 loff_t pos, unsigned len, unsigned copied,
45630 struct page *page, void *fsdata);
45632 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
45633 - sector_t (*bmap)(struct address_space *, sector_t);
45634 - void (*invalidatepage) (struct page *, unsigned long);
45635 - int (*releasepage) (struct page *, gfp_t);
45636 - void (*freepage)(struct page *);
45637 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
45638 + sector_t (* const bmap)(struct address_space *, sector_t);
45639 + void (* const invalidatepage) (struct page *, unsigned long);
45640 + int (* const releasepage) (struct page *, gfp_t);
45641 + void (* const freepage)(struct page *);
45642 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
45643 loff_t offset, unsigned long nr_segs);
45644 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
45645 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
45646 void **, unsigned long *);
45647 /* migrate the contents of a page to the specified target */
45648 - int (*migratepage) (struct address_space *,
45649 + int (* const migratepage) (struct address_space *,
45650 struct page *, struct page *);
45651 - int (*launder_page) (struct page *);
45652 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
45653 + int (* const launder_page) (struct page *);
45654 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
45656 - int (*error_remove_page)(struct address_space *, struct page *);
45657 + int (* const error_remove_page)(struct address_space *, struct page *);
45661 @@ -1049,18 +1054,18 @@ static inline int file_check_writeable(s
45662 typedef struct files_struct *fl_owner_t;
45664 struct file_lock_operations {
45665 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
45666 - void (*fl_release_private)(struct file_lock *);
45667 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
45668 + void (* const fl_release_private)(struct file_lock *);
45671 struct lock_manager_operations {
45672 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
45673 - void (*fl_notify)(struct file_lock *); /* unblock callback */
45674 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
45675 - void (*fl_release_private)(struct file_lock *);
45676 - void (*fl_break)(struct file_lock *);
45677 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
45678 - int (*fl_change)(struct file_lock **, int);
45679 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
45680 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
45681 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
45682 + void (* const fl_release_private)(struct file_lock *);
45683 + void (* const fl_break)(struct file_lock *);
45684 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
45685 + int (* const fl_change)(struct file_lock **, int);
45688 struct lock_manager {
45689 @@ -1474,7 +1479,7 @@ struct fiemap_extent_info {
45690 unsigned int fi_flags; /* Flags as passed from user */
45691 unsigned int fi_extents_mapped; /* Number of mapped extents */
45692 unsigned int fi_extents_max; /* Size of fiemap_extent array */
45693 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
45694 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
45697 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
45698 diff -urNp linux-2.6.37/include/linux/fs_struct.h linux-2.6.37/include/linux/fs_struct.h
45699 --- linux-2.6.37/include/linux/fs_struct.h 2011-01-04 19:50:19.000000000 -0500
45700 +++ linux-2.6.37/include/linux/fs_struct.h 2011-01-17 02:41:02.000000000 -0500
45702 #include <linux/path.h>
45710 diff -urNp linux-2.6.37/include/linux/genhd.h linux-2.6.37/include/linux/genhd.h
45711 --- linux-2.6.37/include/linux/genhd.h 2011-01-04 19:50:19.000000000 -0500
45712 +++ linux-2.6.37/include/linux/genhd.h 2011-01-17 02:41:02.000000000 -0500
45713 @@ -172,7 +172,7 @@ struct gendisk {
45715 struct timer_rand_state *random;
45717 - atomic_t sync_io; /* RAID */
45718 + atomic_unchecked_t sync_io; /* RAID */
45719 struct work_struct async_notify;
45720 #ifdef CONFIG_BLK_DEV_INTEGRITY
45721 struct blk_integrity *integrity;
45722 diff -urNp linux-2.6.37/include/linux/gracl.h linux-2.6.37/include/linux/gracl.h
45723 --- linux-2.6.37/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
45724 +++ linux-2.6.37/include/linux/gracl.h 2011-01-17 02:41:02.000000000 -0500
45729 +#include <linux/grdefs.h>
45730 +#include <linux/resource.h>
45731 +#include <linux/capability.h>
45732 +#include <linux/dcache.h>
45733 +#include <asm/resource.h>
45735 +/* Major status information */
45737 +#define GR_VERSION "grsecurity 2.2.1"
45738 +#define GRSECURITY_VERSION 0x2201
45749 + GR_SPROLEPAM = 8,
45752 +/* Password setup definitions
45753 + * kernel/grhash.c */
45756 + GR_SALT_LEN = 16,
45761 + GR_SPROLE_LEN = 64,
45770 +#define GR_NLIMITS 32
45772 +/* Begin Data Structures */
45774 +struct sprole_pw {
45775 + unsigned char *rolename;
45776 + unsigned char salt[GR_SALT_LEN];
45777 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
45780 +struct name_entry {
45787 + struct name_entry *prev;
45788 + struct name_entry *next;
45791 +struct inodev_entry {
45792 + struct name_entry *nentry;
45793 + struct inodev_entry *prev;
45794 + struct inodev_entry *next;
45797 +struct acl_role_db {
45798 + struct acl_role_label **r_hash;
45802 +struct inodev_db {
45803 + struct inodev_entry **i_hash;
45808 + struct name_entry **n_hash;
45812 +struct crash_uid {
45814 + unsigned long expires;
45817 +struct gr_hash_struct {
45819 + void **nametable;
45821 + __u32 table_size;
45826 +/* Userspace Grsecurity ACL data structures */
45828 +struct acl_subject_label {
45833 + kernel_cap_t cap_mask;
45834 + kernel_cap_t cap_lower;
45835 + kernel_cap_t cap_invert_audit;
45837 + struct rlimit res[GR_NLIMITS];
45840 + __u8 user_trans_type;
45841 + __u8 group_trans_type;
45842 + uid_t *user_transitions;
45843 + gid_t *group_transitions;
45844 + __u16 user_trans_num;
45845 + __u16 group_trans_num;
45847 + __u32 sock_families[2];
45848 + __u32 ip_proto[8];
45850 + struct acl_ip_label **ips;
45852 + __u32 inaddr_any_override;
45855 + unsigned long expires;
45857 + struct acl_subject_label *parent_subject;
45858 + struct gr_hash_struct *hash;
45859 + struct acl_subject_label *prev;
45860 + struct acl_subject_label *next;
45862 + struct acl_object_label **obj_hash;
45863 + __u32 obj_hash_size;
45867 +struct role_allowed_ip {
45871 + struct role_allowed_ip *prev;
45872 + struct role_allowed_ip *next;
45875 +struct role_transition {
45878 + struct role_transition *prev;
45879 + struct role_transition *next;
45882 +struct acl_role_label {
45887 + __u16 auth_attempts;
45888 + unsigned long expires;
45890 + struct acl_subject_label *root_label;
45891 + struct gr_hash_struct *hash;
45893 + struct acl_role_label *prev;
45894 + struct acl_role_label *next;
45896 + struct role_transition *transitions;
45897 + struct role_allowed_ip *allowed_ips;
45898 + uid_t *domain_children;
45899 + __u16 domain_child_num;
45901 + struct acl_subject_label **subj_hash;
45902 + __u32 subj_hash_size;
45905 +struct user_acl_role_db {
45906 + struct acl_role_label **r_table;
45907 + __u32 num_pointers; /* Number of allocations to track */
45908 + __u32 num_roles; /* Number of roles */
45909 + __u32 num_domain_children; /* Number of domain children */
45910 + __u32 num_subjects; /* Number of subjects */
45911 + __u32 num_objects; /* Number of objects */
45914 +struct acl_object_label {
45920 + struct acl_subject_label *nested;
45921 + struct acl_object_label *globbed;
45923 + /* next two structures not used */
45925 + struct acl_object_label *prev;
45926 + struct acl_object_label *next;
45929 +struct acl_ip_label {
45938 + /* next two structures not used */
45940 + struct acl_ip_label *prev;
45941 + struct acl_ip_label *next;
45945 + struct user_acl_role_db role_db;
45946 + unsigned char pw[GR_PW_LEN];
45947 + unsigned char salt[GR_SALT_LEN];
45948 + unsigned char sum[GR_SHA_LEN];
45949 + unsigned char sp_role[GR_SPROLE_LEN];
45950 + struct sprole_pw *sprole_pws;
45951 + dev_t segv_device;
45952 + ino_t segv_inode;
45954 + __u16 num_sprole_pws;
45958 +struct gr_arg_wrapper {
45959 + struct gr_arg *arg;
45964 +struct subject_map {
45965 + struct acl_subject_label *user;
45966 + struct acl_subject_label *kernel;
45967 + struct subject_map *prev;
45968 + struct subject_map *next;
45971 +struct acl_subj_map_db {
45972 + struct subject_map **s_hash;
45976 +/* End Data Structures Section */
45978 +/* Hash functions generated by empirical testing by Brad Spengler
45979 + Makes good use of the low bits of the inode. Generally 0-1 times
45980 + in loop for successful match. 0-3 for unsuccessful match.
45981 + Shift/add algorithm with modulus of table size and an XOR*/
45983 +static __inline__ unsigned int
45984 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
45986 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
45989 + static __inline__ unsigned int
45990 +shash(const struct acl_subject_label *userp, const unsigned int sz)
45992 + return ((const unsigned long)userp % sz);
45995 +static __inline__ unsigned int
45996 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
45998 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
46001 +static __inline__ unsigned int
46002 +nhash(const char *name, const __u16 len, const unsigned int sz)
46004 + return full_name_hash((const unsigned char *)name, len) % sz;
46007 +#define FOR_EACH_ROLE_START(role) \
46008 + role = role_list; \
46011 +#define FOR_EACH_ROLE_END(role) \
46012 + role = role->prev; \
46015 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
46018 + while (iter < role->subj_hash_size) { \
46019 + if (subj == NULL) \
46020 + subj = role->subj_hash[iter]; \
46021 + if (subj == NULL) { \
46026 +#define FOR_EACH_SUBJECT_END(subj,iter) \
46027 + subj = subj->next; \
46028 + if (subj == NULL) \
46033 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
46034 + subj = role->hash->first; \
46035 + while (subj != NULL) {
46037 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
46038 + subj = subj->next; \
46043 diff -urNp linux-2.6.37/include/linux/gralloc.h linux-2.6.37/include/linux/gralloc.h
46044 --- linux-2.6.37/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
46045 +++ linux-2.6.37/include/linux/gralloc.h 2011-01-17 02:41:02.000000000 -0500
46047 +#ifndef __GRALLOC_H
46048 +#define __GRALLOC_H
46050 +void acl_free_all(void);
46051 +int acl_alloc_stack_init(unsigned long size);
46052 +void *acl_alloc(unsigned long len);
46053 +void *acl_alloc_num(unsigned long num, unsigned long len);
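Review bot: The allocator prototypes at `acl_alloc()` and `acl_alloc_num()` carry no comment stating their failure contract, and this header is the only place callers will look for it. `acl_alloc_num(num, len)` takes a count and an element size, so the declaration should say whether the implementation (outside this hunk) rejects a `num * len` that overflows `unsigned long`, and that callers must check for a NULL return. I would add a short block comment above the prototypes covering the return value on failure, the overflow behaviour, and whether memory is released individually or only through `acl_free_all()`. The same comment should say what a non-zero return from `acl_alloc_stack_init()` means.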
46056 diff -urNp linux-2.6.37/include/linux/grdefs.h linux-2.6.37/include/linux/grdefs.h
46057 --- linux-2.6.37/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
46058 +++ linux-2.6.37/include/linux/grdefs.h 2011-01-17 02:41:02.000000000 -0500
46063 +/* Begin grsecurity status declarations */
46067 + GR_STATUS_INIT = 0x00 // disabled state
46070 +/* Begin ACL declarations */
46075 + GR_ROLE_USER = 0x0001,
46076 + GR_ROLE_GROUP = 0x0002,
46077 + GR_ROLE_DEFAULT = 0x0004,
46078 + GR_ROLE_SPECIAL = 0x0008,
46079 + GR_ROLE_AUTH = 0x0010,
46080 + GR_ROLE_NOPW = 0x0020,
46081 + GR_ROLE_GOD = 0x0040,
46082 + GR_ROLE_LEARN = 0x0080,
46083 + GR_ROLE_TPE = 0x0100,
46084 + GR_ROLE_DOMAIN = 0x0200,
46085 + GR_ROLE_PAM = 0x0400
46088 +/* ACL Subject and Object mode flags */
46090 + GR_DELETED = 0x80000000
46093 +/* ACL Object-only mode flags */
46095 + GR_READ = 0x00000001,
46096 + GR_APPEND = 0x00000002,
46097 + GR_WRITE = 0x00000004,
46098 + GR_EXEC = 0x00000008,
46099 + GR_FIND = 0x00000010,
46100 + GR_INHERIT = 0x00000020,
46101 + GR_SETID = 0x00000040,
46102 + GR_CREATE = 0x00000080,
46103 + GR_DELETE = 0x00000100,
46104 + GR_LINK = 0x00000200,
46105 + GR_AUDIT_READ = 0x00000400,
46106 + GR_AUDIT_APPEND = 0x00000800,
46107 + GR_AUDIT_WRITE = 0x00001000,
46108 + GR_AUDIT_EXEC = 0x00002000,
46109 + GR_AUDIT_FIND = 0x00004000,
46110 + GR_AUDIT_INHERIT= 0x00008000,
46111 + GR_AUDIT_SETID = 0x00010000,
46112 + GR_AUDIT_CREATE = 0x00020000,
46113 + GR_AUDIT_DELETE = 0x00040000,
46114 + GR_AUDIT_LINK = 0x00080000,
46115 + GR_PTRACERD = 0x00100000,
46116 + GR_NOPTRACE = 0x00200000,
46117 + GR_SUPPRESS = 0x00400000,
46118 + GR_NOLEARN = 0x00800000
46121 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
46122 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
46123 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
46125 +/* ACL subject-only mode flags */
46127 + GR_KILL = 0x00000001,
46128 + GR_VIEW = 0x00000002,
46129 + GR_PROTECTED = 0x00000004,
46130 + GR_LEARN = 0x00000008,
46131 + GR_OVERRIDE = 0x00000010,
46132 + /* just a placeholder, this mode is only used in userspace */
46133 + GR_DUMMY = 0x00000020,
46134 + GR_PROTSHM = 0x00000040,
46135 + GR_KILLPROC = 0x00000080,
46136 + GR_KILLIPPROC = 0x00000100,
46137 + /* just a placeholder, this mode is only used in userspace */
46138 + GR_NOTROJAN = 0x00000200,
46139 + GR_PROTPROCFD = 0x00000400,
46140 + GR_PROCACCT = 0x00000800,
46141 + GR_RELAXPTRACE = 0x00001000,
46142 + GR_NESTED = 0x00002000,
46143 + GR_INHERITLEARN = 0x00004000,
46144 + GR_PROCFIND = 0x00008000,
46145 + GR_POVERRIDE = 0x00010000,
46146 + GR_KERNELAUTH = 0x00020000,
46147 + GR_ATSECURE = 0x00040000
46151 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
46152 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
46153 + GR_PAX_ENABLE_MPROTECT = 0x0004,
46154 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
46155 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
46156 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
46157 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
46158 + GR_PAX_DISABLE_MPROTECT = 0x0400,
46159 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
46160 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
46164 + GR_ID_USER = 0x01,
46165 + GR_ID_GROUP = 0x02,
46169 + GR_ID_ALLOW = 0x01,
46170 + GR_ID_DENY = 0x02,
46173 +#define GR_CRASH_RES 31
46174 +#define GR_UIDTABLE_MAX 500
46176 +/* begin resource learning section */
46178 + GR_RLIM_CPU_BUMP = 60,
46179 + GR_RLIM_FSIZE_BUMP = 50000,
46180 + GR_RLIM_DATA_BUMP = 10000,
46181 + GR_RLIM_STACK_BUMP = 1000,
46182 + GR_RLIM_CORE_BUMP = 10000,
46183 + GR_RLIM_RSS_BUMP = 500000,
46184 + GR_RLIM_NPROC_BUMP = 1,
46185 + GR_RLIM_NOFILE_BUMP = 5,
46186 + GR_RLIM_MEMLOCK_BUMP = 50000,
46187 + GR_RLIM_AS_BUMP = 500000,
46188 + GR_RLIM_LOCKS_BUMP = 2,
46189 + GR_RLIM_SIGPENDING_BUMP = 5,
46190 + GR_RLIM_MSGQUEUE_BUMP = 10000,
46191 + GR_RLIM_NICE_BUMP = 1,
46192 + GR_RLIM_RTPRIO_BUMP = 1,
46193 + GR_RLIM_RTTIME_BUMP = 1000000
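Review bot: `GR_DELETED = 0x80000000` does not fit in `int`, and it appears to be an enumerator like the neighbouring flag groups (the `enum {` line is not in the extracted text). ISO C before C23 requires enumeration constants to be representable as `int`; GCC accepts the value as an extension and gives the constant an unsigned type, so a comparison or shift against signed mode values may behave differently from the other flags. Since the value is used as a bit in a 32-bit mode word, an explicitly unsigned constant is safer: `#define GR_DELETED 0x80000000U`.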
46197 diff -urNp linux-2.6.37/include/linux/grinternal.h linux-2.6.37/include/linux/grinternal.h
46198 --- linux-2.6.37/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
46199 +++ linux-2.6.37/include/linux/grinternal.h 2011-01-17 02:41:02.000000000 -0500
46201 +#ifndef __GRINTERNAL_H
46202 +#define __GRINTERNAL_H
46204 +#ifdef CONFIG_GRKERNSEC
46206 +#include <linux/fs.h>
46207 +#include <linux/mnt_namespace.h>
46208 +#include <linux/nsproxy.h>
46209 +#include <linux/gracl.h>
46210 +#include <linux/grdefs.h>
46211 +#include <linux/grmsg.h>
46213 +void gr_add_learn_entry(const char *fmt, ...)
46214 + __attribute__ ((format (printf, 1, 2)));
46215 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
46216 + const struct vfsmount *mnt);
46217 +__u32 gr_check_create(const struct dentry *new_dentry,
46218 + const struct dentry *parent,
46219 + const struct vfsmount *mnt, const __u32 mode);
46220 +int gr_check_protected_task(const struct task_struct *task);
46221 +__u32 to_gr_audit(const __u32 reqmode);
46222 +int gr_set_acls(const int type);
46224 +int gr_acl_is_enabled(void);
46225 +char gr_roletype_to_char(void);
46227 +void gr_handle_alertkill(struct task_struct *task);
46228 +char *gr_to_filename(const struct dentry *dentry,
46229 + const struct vfsmount *mnt);
46230 +char *gr_to_filename1(const struct dentry *dentry,
46231 + const struct vfsmount *mnt);
46232 +char *gr_to_filename2(const struct dentry *dentry,
46233 + const struct vfsmount *mnt);
46234 +char *gr_to_filename3(const struct dentry *dentry,
46235 + const struct vfsmount *mnt);
46237 +extern int grsec_enable_harden_ptrace;
46238 +extern int grsec_enable_link;
46239 +extern int grsec_enable_fifo;
46240 +extern int grsec_enable_execve;
46241 +extern int grsec_enable_shm;
46242 +extern int grsec_enable_execlog;
46243 +extern int grsec_enable_signal;
46244 +extern int grsec_enable_audit_ptrace;
46245 +extern int grsec_enable_forkfail;
46246 +extern int grsec_enable_time;
46247 +extern int grsec_enable_rofs;
46248 +extern int grsec_enable_chroot_shmat;
46249 +extern int grsec_enable_chroot_findtask;
46250 +extern int grsec_enable_chroot_mount;
46251 +extern int grsec_enable_chroot_double;
46252 +extern int grsec_enable_chroot_pivot;
46253 +extern int grsec_enable_chroot_chdir;
46254 +extern int grsec_enable_chroot_chmod;
46255 +extern int grsec_enable_chroot_mknod;
46256 +extern int grsec_enable_chroot_fchdir;
46257 +extern int grsec_enable_chroot_nice;
46258 +extern int grsec_enable_chroot_execlog;
46259 +extern int grsec_enable_chroot_caps;
46260 +extern int grsec_enable_chroot_sysctl;
46261 +extern int grsec_enable_chroot_unix;
46262 +extern int grsec_enable_tpe;
46263 +extern int grsec_tpe_gid;
46264 +extern int grsec_enable_tpe_all;
46265 +extern int grsec_enable_tpe_invert;
46266 +extern int grsec_enable_socket_all;
46267 +extern int grsec_socket_all_gid;
46268 +extern int grsec_enable_socket_client;
46269 +extern int grsec_socket_client_gid;
46270 +extern int grsec_enable_socket_server;
46271 +extern int grsec_socket_server_gid;
46272 +extern int grsec_audit_gid;
46273 +extern int grsec_enable_group;
46274 +extern int grsec_enable_audit_textrel;
46275 +extern int grsec_enable_log_rwxmaps;
46276 +extern int grsec_enable_mount;
46277 +extern int grsec_enable_chdir;
46278 +extern int grsec_resource_logging;
46279 +extern int grsec_enable_blackhole;
46280 +extern int grsec_lastack_retries;
46281 +extern int grsec_lock;
46283 +extern spinlock_t grsec_alert_lock;
46284 +extern unsigned long grsec_alert_wtime;
46285 +extern unsigned long grsec_alert_fyet;
46287 +extern spinlock_t grsec_audit_lock;
46289 +extern rwlock_t grsec_exec_file_lock;
46291 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
46292 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
46293 + (tsk)->exec_file->f_vfsmnt) : "/")
46295 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
46296 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
46297 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
46299 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
46300 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
46301 + (tsk)->exec_file->f_vfsmnt) : "/")
46303 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
46304 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
46305 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
46307 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
46309 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
46311 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
46312 + (task)->pid, (cred)->uid, \
46313 + (cred)->euid, (cred)->gid, (cred)->egid, \
46314 + gr_parent_task_fullpath(task), \
46315 + (task)->real_parent->comm, (task)->real_parent->pid, \
46316 + (pcred)->uid, (pcred)->euid, \
46317 + (pcred)->gid, (pcred)->egid
46319 +#define GR_CHROOT_CAPS {{ \
46320 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
46321 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
46322 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
46323 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
46324 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
46325 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
46327 +#define security_learn(normal_msg,args...) \
46329 + read_lock(&grsec_exec_file_lock); \
46330 + gr_add_learn_entry(normal_msg "\n", ## args); \
46331 + read_unlock(&grsec_exec_file_lock); \
46337 + GR_DONT_AUDIT_GOOD
46348 + GR_SYSCTL_HIDDEN,
46351 + GR_ONE_INT_TWO_STR,
46357 + GR_FIVE_INT_TWO_STR,
46363 + GR_FILENAME_TWO_INT,
46364 + GR_FILENAME_TWO_INT_STR,
46377 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
46378 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
46379 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
46380 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
46381 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
46382 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
46383 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
46384 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
46385 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
46386 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
46387 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
46388 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
46389 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
46390 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
46391 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
46392 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
46393 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
46394 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
46395 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
46396 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
46397 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
46398 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
46399 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
46400 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
46401 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
46402 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
46403 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
46404 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
46405 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
46406 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
46407 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
46408 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
46409 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
46410 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
46412 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
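Review bot: `gr_log_int5_str2` and its tag `GR_FIVE_INT_TWO_STR` both say five integers, but the wrapper forwards only `num1, num2, str1, str2`. `gr_log_varargs()` is variadic and appears to decode its arguments from `argtypes` (its body is outside this hunk), so the compiler cannot catch a tag case that reads more or differently typed arguments than the wrapper passes. If the tag really does consume two ints and two strings, say so at the macro with `/* despite the name, takes two ints and two strings */`, or rename the pair. More generally, a one-line comment per tag listing the expected argument types would make these wrappers checkable by review, since nothing checks them at compile time.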
46417 diff -urNp linux-2.6.37/include/linux/grmsg.h linux-2.6.37/include/linux/grmsg.h
46418 --- linux-2.6.37/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
46419 +++ linux-2.6.37/include/linux/grmsg.h 2011-01-17 02:41:02.000000000 -0500
46421 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
46422 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
46423 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
46424 +#define GR_STOPMOD_MSG "denied modification of module state by "
46425 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
46426 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
46427 +#define GR_IOPERM_MSG "denied use of ioperm() by "
46428 +#define GR_IOPL_MSG "denied use of iopl() by "
46429 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
46430 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
46431 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
46432 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
46433 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
46434 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
46435 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
46436 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
46437 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
46438 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
46439 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
46440 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
46441 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
46442 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
46443 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
46444 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
46445 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
46446 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
46447 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
46448 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
46449 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
46450 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
46451 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
46452 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
46453 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
46454 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
46455 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
46456 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
46457 +#define GR_NPROC_MSG "denied overstep of process limit by "
46458 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
46459 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
46460 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
46461 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
46462 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
46463 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
46464 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
46465 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
46466 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
46467 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
46468 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
46469 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
46470 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
46471 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
46472 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
46473 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
46474 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
46475 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
46476 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
46477 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
46478 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
46479 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
46480 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
46481 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
46482 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
46483 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
46484 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
46485 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
46486 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
46487 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
46488 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
46489 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
46490 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
46491 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
46492 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
46493 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
46494 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
46495 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
46496 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
46497 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
46498 +#define GR_NICE_CHROOT_MSG "denied priority change by "
46499 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
46500 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
46501 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
46502 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
46503 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
46504 +#define GR_TIME_MSG "time set by "
46505 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
46506 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
46507 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
46508 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
46509 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
46510 +#define GR_BIND_MSG "denied bind() by "
46511 +#define GR_CONNECT_MSG "denied connect() by "
46512 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
46513 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
46514 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
46515 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
46516 +#define GR_CAP_ACL_MSG "use of %s denied for "
46517 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
46518 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
46519 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
46520 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
46521 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
46522 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
46523 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
46524 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
46525 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
46526 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
46527 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
46528 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
46529 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
46530 +#define GR_VM86_MSG "denied use of vm86 by "
46531 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
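Review bot: `GR_TEXTREL_AUDIT_MSG` formats what looks like a file name with a bare `%s`, while the other file-name fields in this header are capped (`%.950s`, `%.480s`, `%.256s`). The log buffer and its size are defined outside this hunk, so whether an over-long path is truncated safely there cannot be confirmed from here; the explicit precision is what keeps each message within a known bound. For consistency I would write it as `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. The other bare `%s` fields (`GR_CAP_ACL_MSG`, `GR_FAILFORK_MSG`, the leading `%s` of the `*_ACL_MSG` strings) seem to take short fixed strings, which is worth stating in a comment at the top of the file.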
46532 diff -urNp linux-2.6.37/include/linux/grsecurity.h linux-2.6.37/include/linux/grsecurity.h
46533 --- linux-2.6.37/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
46534 +++ linux-2.6.37/include/linux/grsecurity.h 2011-01-17 02:41:02.000000000 -0500
46536 +#ifndef GR_SECURITY_H
46537 +#define GR_SECURITY_H
46538 +#include <linux/fs.h>
46539 +#include <linux/fs_struct.h>
46540 +#include <linux/binfmts.h>
46541 +#include <linux/gracl.h>
46542 +#include <linux/compat.h>
46544 +/* notify of brain-dead configs */
46545 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
46546 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
46548 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46549 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46551 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46552 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46554 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
46555 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
46557 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
46558 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
46561 +void gr_handle_brute_attach(struct task_struct *p);
46562 +void gr_handle_brute_check(void);
46564 +char gr_roletype_to_char(void);
46566 +int gr_acl_enable_at_secure(void);
46568 +int gr_check_user_change(int real, int effective, int fs);
46569 +int gr_check_group_change(int real, int effective, int fs);
46571 +void gr_del_task_from_ip_table(struct task_struct *p);
46573 +int gr_pid_is_chrooted(struct task_struct *p);
46574 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
46575 +int gr_handle_chroot_nice(void);
46576 +int gr_handle_chroot_sysctl(const int op);
46577 +int gr_handle_chroot_setpriority(struct task_struct *p,
46578 + const int niceval);
46579 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
46580 +int gr_handle_chroot_chroot(const struct dentry *dentry,
46581 + const struct vfsmount *mnt);
46582 +int gr_handle_chroot_caps(struct path *path);
46583 +void gr_handle_chroot_chdir(struct path *path);
46584 +int gr_handle_chroot_chmod(const struct dentry *dentry,
46585 + const struct vfsmount *mnt, const int mode);
46586 +int gr_handle_chroot_mknod(const struct dentry *dentry,
46587 + const struct vfsmount *mnt, const int mode);
46588 +int gr_handle_chroot_mount(const struct dentry *dentry,
46589 + const struct vfsmount *mnt,
46590 + const char *dev_name);
46591 +int gr_handle_chroot_pivot(void);
46592 +int gr_handle_chroot_unix(struct pid *pid);
46594 +int gr_handle_rawio(const struct inode *inode);
46595 +int gr_handle_nproc(void);
46597 +void gr_handle_ioperm(void);
46598 +void gr_handle_iopl(void);
46600 +int gr_tpe_allow(const struct file *file);
46602 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
46603 +void gr_clear_chroot_entries(struct task_struct *task);
46605 +void gr_log_forkfail(const int retval);
46606 +void gr_log_timechange(void);
46607 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
46608 +void gr_log_chdir(const struct dentry *dentry,
46609 + const struct vfsmount *mnt);
46610 +void gr_log_chroot_exec(const struct dentry *dentry,
46611 + const struct vfsmount *mnt);
46612 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
46613 +#ifdef CONFIG_COMPAT
46614 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
46616 +void gr_log_remount(const char *devname, const int retval);
46617 +void gr_log_unmount(const char *devname, const int retval);
46618 +void gr_log_mount(const char *from, const char *to, const int retval);
46619 +void gr_log_textrel(struct vm_area_struct *vma);
46620 +void gr_log_rwxmmap(struct file *file);
46621 +void gr_log_rwxmprotect(struct file *file);
46623 +int gr_handle_follow_link(const struct inode *parent,
46624 + const struct inode *inode,
46625 + const struct dentry *dentry,
46626 + const struct vfsmount *mnt);
46627 +int gr_handle_fifo(const struct dentry *dentry,
46628 + const struct vfsmount *mnt,
46629 + const struct dentry *dir, const int flag,
46630 + const int acc_mode);
46631 +int gr_handle_hardlink(const struct dentry *dentry,
46632 + const struct vfsmount *mnt,
46633 + struct inode *inode,
46634 + const int mode, const char *to);
46636 +int gr_is_capable(const int cap);
46637 +int gr_is_capable_nolog(const int cap);
46638 +void gr_learn_resource(const struct task_struct *task, const int limit,
46639 + const unsigned long wanted, const int gt);
46640 +void gr_copy_label(struct task_struct *tsk);
46641 +void gr_handle_crash(struct task_struct *task, const int sig);
46642 +int gr_handle_signal(const struct task_struct *p, const int sig);
46643 +int gr_check_crash_uid(const uid_t uid);
46644 +int gr_check_protected_task(const struct task_struct *task);
46645 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
46646 +int gr_acl_handle_mmap(const struct file *file,
46647 + const unsigned long prot);
46648 +int gr_acl_handle_mprotect(const struct file *file,
46649 + const unsigned long prot);
46650 +int gr_check_hidden_task(const struct task_struct *tsk);
46651 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
46652 + const struct vfsmount *mnt);
46653 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
46654 + const struct vfsmount *mnt);
46655 +__u32 gr_acl_handle_access(const struct dentry *dentry,
46656 + const struct vfsmount *mnt, const int fmode);
46657 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
46658 + const struct vfsmount *mnt, mode_t mode);
46659 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
46660 + const struct vfsmount *mnt, mode_t mode);
46661 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
46662 + const struct vfsmount *mnt);
46663 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
46664 + const struct vfsmount *mnt);
46665 +int gr_handle_ptrace(struct task_struct *task, const long request);
46666 +int gr_handle_proc_ptrace(struct task_struct *task);
46667 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
46668 + const struct vfsmount *mnt);
46669 +int gr_check_crash_exec(const struct file *filp);
46670 +int gr_acl_is_enabled(void);
46671 +void gr_set_kernel_label(struct task_struct *task);
46672 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
46673 + const gid_t gid);
46674 +int gr_set_proc_label(const struct dentry *dentry,
46675 + const struct vfsmount *mnt,
46676 + const int unsafe_share);
46677 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
46678 + const struct vfsmount *mnt);
46679 +__u32 gr_acl_handle_open(const struct dentry *dentry,
46680 + const struct vfsmount *mnt, const int fmode);
46681 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
46682 + const struct dentry *p_dentry,
46683 + const struct vfsmount *p_mnt, const int fmode,
46684 + const int imode);
46685 +void gr_handle_create(const struct dentry *dentry,
46686 + const struct vfsmount *mnt);
46687 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
46688 + const struct dentry *parent_dentry,
46689 + const struct vfsmount *parent_mnt,
46691 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
46692 + const struct dentry *parent_dentry,
46693 + const struct vfsmount *parent_mnt);
46694 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
46695 + const struct vfsmount *mnt);
46696 +void gr_handle_delete(const ino_t ino, const dev_t dev);
46697 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
46698 + const struct vfsmount *mnt);
46699 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
46700 + const struct dentry *parent_dentry,
46701 + const struct vfsmount *parent_mnt,
46702 + const char *from);
46703 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
46704 + const struct dentry *parent_dentry,
46705 + const struct vfsmount *parent_mnt,
46706 + const struct dentry *old_dentry,
46707 + const struct vfsmount *old_mnt, const char *to);
46708 +int gr_acl_handle_rename(struct dentry *new_dentry,
46709 + struct dentry *parent_dentry,
46710 + const struct vfsmount *parent_mnt,
46711 + struct dentry *old_dentry,
46712 + struct inode *old_parent_inode,
46713 + struct vfsmount *old_mnt, const char *newname);
46714 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
46715 + struct dentry *old_dentry,
46716 + struct dentry *new_dentry,
46717 + struct vfsmount *mnt, const __u8 replace);
46718 +__u32 gr_check_link(const struct dentry *new_dentry,
46719 + const struct dentry *parent_dentry,
46720 + const struct vfsmount *parent_mnt,
46721 + const struct dentry *old_dentry,
46722 + const struct vfsmount *old_mnt);
46723 +int gr_acl_handle_filldir(const struct file *file, const char *name,
46724 + const unsigned int namelen, const ino_t ino);
46726 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
46727 + const struct vfsmount *mnt);
46728 +void gr_acl_handle_exit(void);
46729 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
46730 +int gr_acl_handle_procpidmem(const struct task_struct *task);
46731 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
46732 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
46733 +void gr_audit_ptrace(struct task_struct *task);
46735 +#ifdef CONFIG_GRKERNSEC
46736 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
46737 +void gr_log_nonroot_mod_load(const char *modname);
46738 +void gr_handle_vm86(void);
46739 +void gr_handle_mem_write(void);
46740 +void gr_handle_kmem_write(void);
46741 +void gr_handle_open_port(void);
46742 +int gr_handle_mem_mmap(const unsigned long offset,
46743 + struct vm_area_struct *vma);
46745 +extern int grsec_enable_dmesg;
46746 +extern int grsec_disable_privio;
46750 diff -urNp linux-2.6.37/include/linux/grsock.h linux-2.6.37/include/linux/grsock.h
46751 --- linux-2.6.37/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
46752 +++ linux-2.6.37/include/linux/grsock.h 2011-01-17 02:41:02.000000000 -0500
46754 +#ifndef __GRSOCK_H
46755 +#define __GRSOCK_H
46757 +extern void gr_attach_curr_ip(const struct sock *sk);
46758 +extern int gr_handle_sock_all(const int family, const int type,
46759 + const int protocol);
46760 +extern int gr_handle_sock_server(const struct sockaddr *sck);
46761 +extern int gr_handle_sock_server_other(const struct sock *sck);
46762 +extern int gr_handle_sock_client(const struct sockaddr *sck);
46763 +extern int gr_search_connect(struct socket * sock,
46764 + struct sockaddr_in * addr);
46765 +extern int gr_search_bind(struct socket * sock,
46766 + struct sockaddr_in * addr);
46767 +extern int gr_search_listen(struct socket * sock);
46768 +extern int gr_search_accept(struct socket * sock);
46769 +extern int gr_search_socket(const int domain, const int type,
46770 + const int protocol);
46773 diff -urNp linux-2.6.37/include/linux/highmem.h linux-2.6.37/include/linux/highmem.h
46774 --- linux-2.6.37/include/linux/highmem.h 2011-01-04 19:50:19.000000000 -0500
46775 +++ linux-2.6.37/include/linux/highmem.h 2011-01-17 02:41:02.000000000 -0500
46776 @@ -182,6 +182,18 @@ static inline void clear_highpage(struct
46777 kunmap_atomic(kaddr, KM_USER0);
46780 +static inline void sanitize_highpage(struct page *page)
46783 + unsigned long flags;
46785 + local_irq_save(flags);
46786 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
46787 + clear_page(kaddr);
46788 + kunmap_atomic(kaddr, KM_CLEARPAGE);
46789 + local_irq_restore(flags);
46792 static inline void zero_user_segments(struct page *page,
46793 unsigned start1, unsigned end1,
46794 unsigned start2, unsigned end2)
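Review bot: The new sanitize_highpage() has no comment saying why it differs from clear_highpage() directly above it: it maps with `KM_CLEARPAGE` instead of `KM_USER0` and brackets the mapping with `local_irq_save()`/`local_irq_restore()`. Presumably the dedicated slot and the IRQ-off window let the helper run in contexts where `KM_USER0` is not safe, but the callers are not visible in this hunk, so that needs confirming. I would add above the function something like `/* Zero a highmem page through a dedicated kmap slot with IRQs off; unlike clear_highpage() this never uses KM_USER0 */`.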
46795 diff -urNp linux-2.6.37/include/linux/init.h linux-2.6.37/include/linux/init.h
46796 --- linux-2.6.37/include/linux/init.h 2011-01-04 19:50:19.000000000 -0500
46797 +++ linux-2.6.37/include/linux/init.h 2011-01-17 02:41:02.000000000 -0500
46798 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
46800 /* Each module must use one module_init(). */
46801 #define module_init(initfn) \
46802 - static inline initcall_t __inittest(void) \
46803 + static inline __used initcall_t __inittest(void) \
46804 { return initfn; } \
46805 int init_module(void) __attribute__((alias(#initfn)));
46807 /* This is only required if you want to be unloadable. */
46808 #define module_exit(exitfn) \
46809 - static inline exitcall_t __exittest(void) \
46810 + static inline __used exitcall_t __exittest(void) \
46811 { return exitfn; } \
46812 void cleanup_module(void) __attribute__((alias(#exitfn)));
46814 diff -urNp linux-2.6.37/include/linux/interrupt.h linux-2.6.37/include/linux/interrupt.h
46815 --- linux-2.6.37/include/linux/interrupt.h 2011-01-04 19:50:19.000000000 -0500
46816 +++ linux-2.6.37/include/linux/interrupt.h 2011-01-17 02:41:02.000000000 -0500
46817 @@ -393,7 +393,7 @@ enum
46818 /* map softirq index to softirq name. update 'softirq_to_name' in
46819 * kernel/softirq.c when adding a new softirq.
46821 -extern char *softirq_to_name[NR_SOFTIRQS];
46822 +extern const char * const softirq_to_name[NR_SOFTIRQS];
46824 /* softirq mask and active fields moved to irq_cpustat_t in
46825 * asm/hardirq.h to get better cache usage. KAO
46826 @@ -401,12 +401,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
46828 struct softirq_action
46830 - void (*action)(struct softirq_action *);
46831 + void (*action)(void);
46834 asmlinkage void do_softirq(void);
46835 asmlinkage void __do_softirq(void);
46836 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
46837 +extern void open_softirq(int nr, void (*action)(void));
46838 extern void softirq_init(void);
46839 static inline void __raise_softirq_irqoff(unsigned int nr)
46841 diff -urNp linux-2.6.37/include/linux/jbd2.h linux-2.6.37/include/linux/jbd2.h
46842 --- linux-2.6.37/include/linux/jbd2.h 2011-01-04 19:50:19.000000000 -0500
46843 +++ linux-2.6.37/include/linux/jbd2.h 2011-01-17 02:41:02.000000000 -0500
46844 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
46848 -#define jbd_debug(f, a...) /**/
46849 +#define jbd_debug(f, a...) do {} while (0)
46852 extern void *jbd2_alloc(size_t size, gfp_t flags);
46853 diff -urNp linux-2.6.37/include/linux/jbd.h linux-2.6.37/include/linux/jbd.h
46854 --- linux-2.6.37/include/linux/jbd.h 2011-01-04 19:50:19.000000000 -0500
46855 +++ linux-2.6.37/include/linux/jbd.h 2011-01-17 02:41:02.000000000 -0500
46856 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
46860 -#define jbd_debug(f, a...) /**/
46861 +#define jbd_debug(f, a...) do {} while (0)
46864 static inline void *jbd_alloc(size_t size, gfp_t flags)
46865 diff -urNp linux-2.6.37/include/linux/kallsyms.h linux-2.6.37/include/linux/kallsyms.h
46866 --- linux-2.6.37/include/linux/kallsyms.h 2011-01-04 19:50:19.000000000 -0500
46867 +++ linux-2.6.37/include/linux/kallsyms.h 2011-01-17 02:41:02.000000000 -0500
46872 -#ifdef CONFIG_KALLSYMS
46873 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
46874 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
46875 /* Lookup the address for a symbol. Returns 0 if not found. */
46876 unsigned long kallsyms_lookup_name(const char *name);
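Review bot: The `__INCLUDED_BY_HIDESYM` test on the new `#if` line only works if the including file defines the macro before this header is first seen, directly or through another header. Assuming the header keeps its usual include guard (not visible here), an earlier indirect include would select the first branch, and the later explicit `#include` would then do nothing. With HIDESYM enabled that file would not get the real declarations from the `#else` branch added in the following hunk. The ordering requirement is not stated anywhere, so I would add above the `#if`: `/* __INCLUDED_BY_HIDESYM must be defined before the first direct or indirect include of this header */`. The `#else` comment in the next hunk also names `vsnprintf.c`, where `lib/vsprintf.c` is probably meant.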
46878 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
46879 /* Stupid that this does nothing, but I didn't create this mess. */
46880 #define __print_symbol(fmt, addr)
46881 #endif /*CONFIG_KALLSYMS*/
46882 +#else /* when included by kallsyms.c, vsnprintf.c, or
46883 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
46884 +extern void __print_symbol(const char *fmt, unsigned long address);
46885 +extern int sprint_symbol(char *buffer, unsigned long address);
46886 +const char *kallsyms_lookup(unsigned long addr,
46887 + unsigned long *symbolsize,
46888 + unsigned long *offset,
46889 + char **modname, char *namebuf);
46892 /* This macro allows us to keep printk typechecking */
46893 static void __check_printsym_format(const char *fmt, ...)
46894 diff -urNp linux-2.6.37/include/linux/kgdb.h linux-2.6.37/include/linux/kgdb.h
46895 --- linux-2.6.37/include/linux/kgdb.h 2011-01-04 19:50:19.000000000 -0500
46896 +++ linux-2.6.37/include/linux/kgdb.h 2011-01-17 02:41:02.000000000 -0500
46897 @@ -269,22 +269,22 @@ struct kgdb_arch {
46901 - int (*read_char) (void);
46902 - void (*write_char) (u8);
46903 - void (*flush) (void);
46904 - int (*init) (void);
46905 - void (*pre_exception) (void);
46906 - void (*post_exception) (void);
46907 + int (* const read_char) (void);
46908 + void (* const write_char) (u8);
46909 + void (* const flush) (void);
46910 + int (* const init) (void);
46911 + void (* const pre_exception) (void);
46912 + void (* const post_exception) (void);
46916 -extern struct kgdb_arch arch_kgdb_ops;
46917 +extern const struct kgdb_arch arch_kgdb_ops;
46919 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
46921 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
46922 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
46923 -extern struct kgdb_io *dbg_io_ops;
46924 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
46925 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
46926 +extern const struct kgdb_io *dbg_io_ops;
46928 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
46929 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
46930 diff -urNp linux-2.6.37/include/linux/kvm_host.h linux-2.6.37/include/linux/kvm_host.h
46931 --- linux-2.6.37/include/linux/kvm_host.h 2011-01-04 19:50:19.000000000 -0500
46932 +++ linux-2.6.37/include/linux/kvm_host.h 2011-01-17 02:41:02.000000000 -0500
46933 @@ -246,7 +246,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
46934 void vcpu_load(struct kvm_vcpu *vcpu);
46935 void vcpu_put(struct kvm_vcpu *vcpu);
46937 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
46938 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
46939 struct module *module);
46940 void kvm_exit(void);
46942 @@ -375,7 +375,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
46943 struct kvm_guest_debug *dbg);
46944 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
46946 -int kvm_arch_init(void *opaque);
46947 +int kvm_arch_init(const void *opaque);
46948 void kvm_arch_exit(void);
46950 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
46951 diff -urNp linux-2.6.37/include/linux/libata.h linux-2.6.37/include/linux/libata.h
46952 --- linux-2.6.37/include/linux/libata.h 2011-01-04 19:50:19.000000000 -0500
46953 +++ linux-2.6.37/include/linux/libata.h 2011-01-17 02:41:02.000000000 -0500
46954 @@ -65,11 +65,11 @@
46955 #ifdef ATA_VERBOSE_DEBUG
46956 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
46958 -#define VPRINTK(fmt, args...)
46959 +#define VPRINTK(fmt, args...) do {} while (0)
46960 #endif /* ATA_VERBOSE_DEBUG */
46962 -#define DPRINTK(fmt, args...)
46963 -#define VPRINTK(fmt, args...)
46964 +#define DPRINTK(fmt, args...) do {} while (0)
46965 +#define VPRINTK(fmt, args...) do {} while (0)
46966 #endif /* ATA_DEBUG */
46968 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
46969 @@ -530,11 +530,11 @@ struct ata_ioports {
46973 - struct device *dev;
46974 + struct device *dev;
46975 void __iomem * const *iomap;
46976 unsigned int n_ports;
46977 void *private_data;
46978 - struct ata_port_operations *ops;
46979 + const struct ata_port_operations *ops;
46980 unsigned long flags;
46982 struct mutex eh_mutex;
46983 @@ -725,7 +725,7 @@ struct ata_link {
46986 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
46987 - struct ata_port_operations *ops;
46988 + const struct ata_port_operations *ops;
46990 /* Flags owned by the EH context. Only EH should touch these once the
46992 @@ -913,7 +913,7 @@ struct ata_port_info {
46993 unsigned long pio_mask;
46994 unsigned long mwdma_mask;
46995 unsigned long udma_mask;
46996 - struct ata_port_operations *port_ops;
46997 + const struct ata_port_operations *port_ops;
46998 void *private_data;
47001 @@ -937,7 +937,7 @@ extern const unsigned long sata_deb_timi
47002 extern const unsigned long sata_deb_timing_hotplug[];
47003 extern const unsigned long sata_deb_timing_long[];
47005 -extern struct ata_port_operations ata_dummy_port_ops;
47006 +extern const struct ata_port_operations ata_dummy_port_ops;
47007 extern const struct ata_port_info ata_dummy_port_info;
47009 static inline const unsigned long *
47010 @@ -983,7 +983,7 @@ extern int ata_host_activate(struct ata_
47011 struct scsi_host_template *sht);
47012 extern void ata_host_detach(struct ata_host *host);
47013 extern void ata_host_init(struct ata_host *, struct device *,
47014 - unsigned long, struct ata_port_operations *);
47015 + unsigned long, const struct ata_port_operations *);
47016 extern int ata_scsi_detect(struct scsi_host_template *sht);
47017 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
47018 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
47019 diff -urNp linux-2.6.37/include/linux/lockd/bind.h linux-2.6.37/include/linux/lockd/bind.h
47020 --- linux-2.6.37/include/linux/lockd/bind.h 2011-01-04 19:50:19.000000000 -0500
47021 +++ linux-2.6.37/include/linux/lockd/bind.h 2011-01-17 02:41:02.000000000 -0500
47022 @@ -23,13 +23,13 @@ struct svc_rqst;
47023 * This is the set of functions for lockd->nfsd communication
47025 struct nlmsvc_binding {
47026 - __be32 (*fopen)(struct svc_rqst *,
47027 + __be32 (* const fopen)(struct svc_rqst *,
47030 - void (*fclose)(struct file *);
47031 + void (* const fclose)(struct file *);
47034 -extern struct nlmsvc_binding * nlmsvc_ops;
47035 +extern const struct nlmsvc_binding * nlmsvc_ops;
47038 * Similar to nfs_client_initdata, but without the NFS-specific
47039 diff -urNp linux-2.6.37/include/linux/mm.h linux-2.6.37/include/linux/mm.h
47040 --- linux-2.6.37/include/linux/mm.h 2011-01-04 19:50:19.000000000 -0500
47041 +++ linux-2.6.37/include/linux/mm.h 2011-01-17 02:41:02.000000000 -0500
47042 @@ -107,7 +107,14 @@ extern unsigned int kobjsize(const void
47044 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
47045 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
47047 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
47048 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
47049 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
47051 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
47054 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
47055 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
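Review bot: In the `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` branch `VM_SAO` is defined as `0x00000000` but keeps the comment "Strong Access Ordering (powerpc)", so nothing records that the bit was deliberately retired there and handed to `VM_PAGEEXEC`. With that value every `vm_flags & VM_SAO` test becomes constant false, and any later generic use of bit `0x20000000` would silently collide with `VM_PAGEEXEC`. I would change the comment on the zero definition to something like `/* unused on x86-32; bit 0x20000000 is reused for VM_PAGEEXEC below */`.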
47057 @@ -875,12 +882,6 @@ int set_page_dirty(struct page *page);
47058 int set_page_dirty_lock(struct page *page);
47059 int clear_page_dirty_for_io(struct page *page);
47061 -/* Is the vma a continuation of the stack vma above it? */
47062 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
47064 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
47067 extern unsigned long move_page_tables(struct vm_area_struct *vma,
47068 unsigned long old_addr, struct vm_area_struct *new_vma,
47069 unsigned long new_addr, unsigned long len);
47070 @@ -1032,6 +1033,15 @@ struct shrinker {
47071 extern void register_shrinker(struct shrinker *);
47072 extern void unregister_shrinker(struct shrinker *);
47075 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
47077 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
47079 + return __pgprot(0);
47083 int vma_wants_writenotify(struct vm_area_struct *vma);
47085 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
47086 @@ -1318,6 +1328,7 @@ out:
47089 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
47090 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
47092 extern unsigned long do_brk(unsigned long, unsigned long);
47094 @@ -1374,6 +1385,10 @@ extern struct vm_area_struct * find_vma(
47095 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
47096 struct vm_area_struct **pprev);
47098 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
47099 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
47100 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
47102 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
47103 NULL if none. Assume start_addr < end_addr. */
47104 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
47105 @@ -1390,15 +1405,6 @@ static inline unsigned long vma_pages(st
47106 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
47110 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
47112 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
47114 - return __pgprot(0);
47118 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
47119 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
47120 unsigned long pfn, unsigned long size, pgprot_t);
47121 @@ -1505,7 +1511,7 @@ extern int unpoison_memory(unsigned long
47122 extern int sysctl_memory_failure_early_kill;
47123 extern int sysctl_memory_failure_recovery;
47124 extern void shake_page(struct page *p, int access);
47125 -extern atomic_long_t mce_bad_pages;
47126 +extern atomic_long_unchecked_t mce_bad_pages;
47127 extern int soft_offline_page(struct page *page, int flags);
47128 #ifdef CONFIG_MEMORY_FAILURE
47129 int is_hwpoison_address(unsigned long addr);
47130 @@ -1518,5 +1524,11 @@ static inline int is_hwpoison_address(un
47132 extern void dump_page(struct page *page);
47134 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
47135 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
47137 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
47140 #endif /* __KERNEL__ */
47141 #endif /* _LINUX_MM_H */
47142 diff -urNp linux-2.6.37/include/linux/mm_types.h linux-2.6.37/include/linux/mm_types.h
47143 --- linux-2.6.37/include/linux/mm_types.h 2011-01-04 19:50:19.000000000 -0500
47144 +++ linux-2.6.37/include/linux/mm_types.h 2011-01-17 02:41:02.000000000 -0500
47145 @@ -183,6 +183,8 @@ struct vm_area_struct {
47147 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
47150 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
47153 struct core_thread {
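Review bot: `vm_mirror` is added to every `struct vm_area_struct` without a config guard (the hunk header counts only two added lines), while each `mm_struct` field added in the next hunk is wrapped in `#if`/`#ifdef CONFIG_PAX_*`. That costs one pointer per VMA even on kernels built without the mirroring feature. If the code that uses the field is itself conditional, which is not visible here, the field should sit under the same option; otherwise a short comment saying it is intentionally unconditional would help, e.g. `/* always present to avoid #ifdefs in mm/; NULL unless mirroring is active */`.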
47154 @@ -312,6 +314,24 @@ struct mm_struct {
47156 /* How many tasks sharing this mm are OOM_DISABLE */
47157 atomic_t oom_disable_count;
47159 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47160 + unsigned long pax_flags;
47163 +#ifdef CONFIG_PAX_DLRESOLVE
47164 + unsigned long call_dl_resolve;
47167 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
47168 + unsigned long call_syscall;
47171 +#ifdef CONFIG_PAX_ASLR
47172 + unsigned long delta_mmap; /* randomized offset */
47173 + unsigned long delta_stack; /* randomized offset */
47178 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
47179 diff -urNp linux-2.6.37/include/linux/mmu_notifier.h linux-2.6.37/include/linux/mmu_notifier.h
47180 --- linux-2.6.37/include/linux/mmu_notifier.h 2011-01-04 19:50:19.000000000 -0500
47181 +++ linux-2.6.37/include/linux/mmu_notifier.h 2011-01-17 02:41:02.000000000 -0500
47182 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
47184 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
47188 struct vm_area_struct *___vma = __vma; \
47189 unsigned long ___address = __address; \
47190 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
47191 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
47192 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
47197 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
47198 diff -urNp linux-2.6.37/include/linux/mmzone.h linux-2.6.37/include/linux/mmzone.h
47199 --- linux-2.6.37/include/linux/mmzone.h 2011-01-04 19:50:19.000000000 -0500
47200 +++ linux-2.6.37/include/linux/mmzone.h 2011-01-17 02:41:02.000000000 -0500
47201 @@ -354,7 +354,7 @@ struct zone {
47202 unsigned long flags; /* zone flags, see below */
47204 /* Zone statistics */
47205 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47206 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47209 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
47210 diff -urNp linux-2.6.37/include/linux/mod_devicetable.h linux-2.6.37/include/linux/mod_devicetable.h
47211 --- linux-2.6.37/include/linux/mod_devicetable.h 2011-01-04 19:50:19.000000000 -0500
47212 +++ linux-2.6.37/include/linux/mod_devicetable.h 2011-01-17 02:41:02.000000000 -0500
47214 typedef unsigned long kernel_ulong_t;
47217 -#define PCI_ANY_ID (~0)
47218 +#define PCI_ANY_ID ((__u16)~0)
47220 struct pci_device_id {
47221 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
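Review bot: `PCI_ANY_ID` becomes `((__u16)~0)`, which is 0xFFFF after integer promotion, while the `pci_device_id` fields it is stored in and compared against are `__u32` (context line below). The wildcard therefore changes from 0xFFFFFFFF to 0x0000FFFF, and any code or userspace tool that still spells it as `~0` or `0xffffffff` would stop matching. It also lands inside the 16-bit ID space rather than outside it. If the aim is only to make the constant unsigned, `#define PCI_ANY_ID (~0U)` keeps the 32-bit value and matches what the next hunk does for `HID_ANY_ID`.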
47222 @@ -131,7 +131,7 @@ struct usb_device_id {
47223 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
47224 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
47226 -#define HID_ANY_ID (~0)
47227 +#define HID_ANY_ID (~0U)
47229 struct hid_device_id {
47231 diff -urNp linux-2.6.37/include/linux/module.h linux-2.6.37/include/linux/module.h
47232 --- linux-2.6.37/include/linux/module.h 2011-01-04 19:50:19.000000000 -0500
47233 +++ linux-2.6.37/include/linux/module.h 2011-01-17 02:41:02.000000000 -0500
47234 @@ -297,16 +297,16 @@ struct module
47237 /* If this is non-NULL, vfree after init() returns */
47238 - void *module_init;
47239 + void *module_init_rx, *module_init_rw;
47241 /* Here is the actual code + data, vfree'd on unload. */
47242 - void *module_core;
47243 + void *module_core_rx, *module_core_rw;
47245 /* Here are the sizes of the init and core sections */
47246 - unsigned int init_size, core_size;
47247 + unsigned int init_size_rw, core_size_rw;
47249 /* The size of the executable code in each section. */
47250 - unsigned int init_text_size, core_text_size;
47251 + unsigned int init_size_rx, core_size_rx;
47253 /* Arch-specific module values */
47254 struct mod_arch_specific arch;
47255 @@ -411,16 +411,46 @@ bool is_module_address(unsigned long add
47256 bool is_module_percpu_address(unsigned long addr);
47257 bool is_module_text_address(unsigned long addr);
47259 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
47262 +#ifdef CONFIG_PAX_KERNEXEC
47263 + if (ktla_ktva(addr) >= (unsigned long)start &&
47264 + ktla_ktva(addr) < (unsigned long)start + size)
47268 + return ((void *)addr >= start && (void *)addr < start + size);
47271 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
47273 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
47276 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
47278 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
47281 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
47283 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
47286 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
47288 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
47291 static inline int within_module_core(unsigned long addr, struct module *mod)
47293 - return (unsigned long)mod->module_core <= addr &&
47294 - addr < (unsigned long)mod->module_core + mod->core_size;
47295 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
47298 static inline int within_module_init(unsigned long addr, struct module *mod)
47300 - return (unsigned long)mod->module_init <= addr &&
47301 - addr < (unsigned long)mod->module_init + mod->init_size;
47302 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
47305 /* Search for module by name: must hold module_mutex. */
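Review bot: The fallback return in within_module_range() compares `(void *)addr` against `start + size`, which relies on GNU `void *` arithmetic and pointer comparison. The `CONFIG_PAX_KERNEXEC` branch just above it, and the code this hunk removes, use `unsigned long` throughout. Keeping one representation is easier to read, and a subtraction form also avoids a wrapped `start + size`: `return addr >= (unsigned long)start && addr - (unsigned long)start < size;`. In the KERNEXEC branch `ktla_ktva(addr)` could be computed once into a local rather than twice.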
47306 diff -urNp linux-2.6.37/include/linux/moduleloader.h linux-2.6.37/include/linux/moduleloader.h
47307 --- linux-2.6.37/include/linux/moduleloader.h 2011-01-04 19:50:19.000000000 -0500
47308 +++ linux-2.6.37/include/linux/moduleloader.h 2011-01-17 02:41:02.000000000 -0500
47309 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
47310 sections. Returns NULL on failure. */
47311 void *module_alloc(unsigned long size);
47313 +#ifdef CONFIG_PAX_KERNEXEC
47314 +void *module_alloc_exec(unsigned long size);
47316 +#define module_alloc_exec(x) module_alloc(x)
47319 /* Free memory returned from module_alloc. */
47320 void module_free(struct module *mod, void *module_region);
47322 +#ifdef CONFIG_PAX_KERNEXEC
47323 +void module_free_exec(struct module *mod, void *module_region);
47325 +#define module_free_exec(x, y) module_free((x), (y))
47328 /* Apply the given relocation to the (simplified) ELF. Return -error
47330 int apply_relocate(Elf_Shdr *sechdrs,
47331 diff -urNp linux-2.6.37/include/linux/moduleparam.h linux-2.6.37/include/linux/moduleparam.h
47332 --- linux-2.6.37/include/linux/moduleparam.h 2011-01-04 19:50:19.000000000 -0500
47333 +++ linux-2.6.37/include/linux/moduleparam.h 2011-01-17 02:41:02.000000000 -0500
47334 @@ -253,7 +253,7 @@ static inline void __kernel_param_unlock
47335 * @len is usually just sizeof(string).
47337 #define module_param_string(name, string, len, perm) \
47338 - static const struct kparam_string __param_string_##name \
47339 + static const struct kparam_string __param_string_##name __used \
47340 = { len, string }; \
47341 __module_param_call(MODULE_PARAM_PREFIX, name, \
47342 ¶m_ops_string, \
47343 @@ -368,7 +368,7 @@ extern int param_get_invbool(char *buffe
47344 * module_param_named() for why this might be necessary.
47346 #define module_param_array_named(name, array, type, nump, perm) \
47347 - static const struct kparam_array __param_arr_##name \
47348 + static const struct kparam_array __param_arr_##name __used \
47349 = { ARRAY_SIZE(array), nump, ¶m_ops_##type, \
47350 sizeof(array[0]), array }; \
47351 __module_param_call(MODULE_PARAM_PREFIX, name, \
47352 diff -urNp linux-2.6.37/include/linux/namei.h linux-2.6.37/include/linux/namei.h
47353 --- linux-2.6.37/include/linux/namei.h 2011-01-04 19:50:19.000000000 -0500
47354 +++ linux-2.6.37/include/linux/namei.h 2011-01-17 02:41:02.000000000 -0500
47355 @@ -22,7 +22,7 @@ struct nameidata {
47356 unsigned int flags;
47359 - char *saved_names[MAX_NESTED_LINKS + 1];
47360 + const char *saved_names[MAX_NESTED_LINKS + 1];
47364 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
47365 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
47366 extern void unlock_rename(struct dentry *, struct dentry *);
47368 -static inline void nd_set_link(struct nameidata *nd, char *path)
47369 +static inline void nd_set_link(struct nameidata *nd, const char *path)
47371 nd->saved_names[nd->depth] = path;
47374 -static inline char *nd_get_link(struct nameidata *nd)
47375 +static inline const char *nd_get_link(const struct nameidata *nd)
47377 return nd->saved_names[nd->depth];
47379 diff -urNp linux-2.6.37/include/linux/netfilter/xt_gradm.h linux-2.6.37/include/linux/netfilter/xt_gradm.h
47380 --- linux-2.6.37/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
47381 +++ linux-2.6.37/include/linux/netfilter/xt_gradm.h 2011-01-17 02:41:02.000000000 -0500
47383 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
47384 +#define _LINUX_NETFILTER_XT_GRADM_H 1
47386 +struct xt_gradm_mtinfo {
47392 diff -urNp linux-2.6.37/include/linux/oprofile.h linux-2.6.37/include/linux/oprofile.h
47393 --- linux-2.6.37/include/linux/oprofile.h 2011-01-04 19:50:19.000000000 -0500
47394 +++ linux-2.6.37/include/linux/oprofile.h 2011-01-17 02:41:02.000000000 -0500
47395 @@ -130,9 +130,9 @@ int oprofilefs_create_ulong(struct super
47396 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
47397 char const * name, ulong * val);
47399 -/** Create a file for read-only access to an atomic_t. */
47400 +/** Create a file for read-only access to an atomic_unchecked_t. */
47401 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
47402 - char const * name, atomic_t * val);
47403 + char const * name, atomic_unchecked_t * val);
47405 /** create a directory */
47406 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
47407 diff -urNp linux-2.6.37/include/linux/pipe_fs_i.h linux-2.6.37/include/linux/pipe_fs_i.h
47408 --- linux-2.6.37/include/linux/pipe_fs_i.h 2011-01-04 19:50:19.000000000 -0500
47409 +++ linux-2.6.37/include/linux/pipe_fs_i.h 2011-01-17 02:41:02.000000000 -0500
47410 @@ -45,9 +45,9 @@ struct pipe_buffer {
47411 struct pipe_inode_info {
47412 wait_queue_head_t wait;
47413 unsigned int nrbufs, curbuf, buffers;
47414 - unsigned int readers;
47415 - unsigned int writers;
47416 - unsigned int waiting_writers;
47417 + atomic_t readers;
47418 + atomic_t writers;
47419 + atomic_t waiting_writers;
47420 unsigned int r_counter;
47421 unsigned int w_counter;
47422 struct page *tmp_page;
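Review bot: `readers`, `writers` and `waiting_writers` become `atomic_t` with no comment saying whether the goal is lock-free access or only overflow detection on the counters. The types.h hunk later in this patch adds a separate `atomic_unchecked_t` under `CONFIG_PAX_REFCOUNT`, which suggests plain `atomic_t` is the overflow-checked variant, but that is inferred rather than shown here. A short comment on the fields would record the intent, e.g. `/* atomic_t for overflow checking; still updated under the pipe lock */`, adjusted to whatever locking rule actually applies. The same applies to `refcount` in include/linux/slub_def.h.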
47423 diff -urNp linux-2.6.37/include/linux/pm_runtime.h linux-2.6.37/include/linux/pm_runtime.h
47424 --- linux-2.6.37/include/linux/pm_runtime.h 2011-01-04 19:50:19.000000000 -0500
47425 +++ linux-2.6.37/include/linux/pm_runtime.h 2011-01-17 02:41:02.000000000 -0500
47426 @@ -83,7 +83,7 @@ static inline bool pm_runtime_suspended(
47428 static inline void pm_runtime_mark_last_busy(struct device *dev)
47430 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
47431 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
47434 #else /* !CONFIG_PM_RUNTIME */
47435 diff -urNp linux-2.6.37/include/linux/poison.h linux-2.6.37/include/linux/poison.h
47436 --- linux-2.6.37/include/linux/poison.h 2011-01-04 19:50:19.000000000 -0500
47437 +++ linux-2.6.37/include/linux/poison.h 2011-01-17 02:41:02.000000000 -0500
47439 * under normal circumstances, used to verify that nobody uses
47440 * non-initialized list entries.
47442 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
47443 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
47444 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
47445 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
47447 /********** include/linux/timer.h **********/
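Review bot: The new `LIST_POISON1`/`LIST_POISON2` values drop `POISON_POINTER_DELTA`, and because `0xFFFFFF01` is an unsigned literal, `(long)0xFFFFFF01` zero-extends on a 64-bit build to an address just under 4 GiB rather than the top of the address space. Whether dereferencing a poisoned list pointer is then guaranteed to fault depends on protections that are not visible in this hunk. Either state that dependency in the comment above the macros, or make the value width-independent, e.g. `((void *) (long)(int)0xFFFFFF01)`, if the top page is what is intended. The `@@` header of this hunk is missing from the extract, so the surrounding definitions could not be checked.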
47449 diff -urNp linux-2.6.37/include/linux/proc_fs.h linux-2.6.37/include/linux/proc_fs.h
47450 --- linux-2.6.37/include/linux/proc_fs.h 2011-01-04 19:50:19.000000000 -0500
47451 +++ linux-2.6.37/include/linux/proc_fs.h 2011-01-17 02:41:02.000000000 -0500
47452 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
47453 return proc_create_data(name, mode, parent, proc_fops, NULL);
47456 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
47457 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
47459 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47460 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
47461 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47462 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
47464 + return proc_create_data(name, mode, parent, proc_fops, NULL);
47469 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
47470 mode_t mode, struct proc_dir_entry *base,
47471 read_proc_t *read_proc, void * data)
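Review bot: In `proc_create_grsec`, both hardened branches discard the caller's `mode` and substitute a fixed read bit. An entry the caller meant to be write-only therefore becomes owner-readable, and group-readable under `CONFIG_GRKERNSEC_PROC_USERGROUP`. If the helper is meant only for read-only entries, say so above it, e.g. `/* read-only entries only: hardened configs ignore @mode and force S_IRUSR (or S_IRUSR | S_IRGRP) */`. The callers are outside this hunk, so whether any of them passes a non-read mode cannot be checked from here.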
47472 diff -urNp linux-2.6.37/include/linux/random.h linux-2.6.37/include/linux/random.h
47473 --- linux-2.6.37/include/linux/random.h 2011-01-04 19:50:19.000000000 -0500
47474 +++ linux-2.6.37/include/linux/random.h 2011-01-17 02:41:02.000000000 -0500
47475 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
47477 u32 prandom32(struct rnd_state *);
47479 +static inline unsigned long pax_get_random_long(void)
47481 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
47485 * Handle minimum values for seeds
47487 static inline u32 __seed(u32 x, u32 m)
47489 - return (x < m) ? x + m : x;
47490 + return (x <= m) ? x + m + 1 : x;
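Review bot: `pax_get_random_long()` is assembled from two `random32()` calls, and the neighbouring declarations (`srandom32(u32 seed)`, `prandom32(struct rnd_state *)`) indicate this is the seeded pseudo-random generator rather than the entropy pool. If callers outside this hunk use the result for address-space layout or other values that must be unpredictable, the generator is the weak point, because its output can be predicted once its state is known. At minimum, add a comment on the helper such as `/* built on random32(): fast, but not cryptographically strong */` so callers can choose `get_random_bytes()` where that matters.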
47494 diff -urNp linux-2.6.37/include/linux/reiserfs_fs.h linux-2.6.37/include/linux/reiserfs_fs.h
47495 --- linux-2.6.37/include/linux/reiserfs_fs.h 2011-01-04 19:50:19.000000000 -0500
47496 +++ linux-2.6.37/include/linux/reiserfs_fs.h 2011-01-17 02:41:02.000000000 -0500
47497 @@ -1403,7 +1403,7 @@ static inline loff_t max_reiserfs_offset
47498 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
47500 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
47501 -#define get_generation(s) atomic_read (&fs_generation(s))
47502 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
47503 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
47504 #define __fs_changed(gen,s) (gen != get_generation (s))
47505 #define fs_changed(gen,s) \
47506 @@ -1615,24 +1615,24 @@ static inline struct super_block *sb_fro
47509 struct item_operations {
47510 - int (*bytes_number) (struct item_head * ih, int block_size);
47511 - void (*decrement_key) (struct cpu_key *);
47512 - int (*is_left_mergeable) (struct reiserfs_key * ih,
47513 + int (* const bytes_number) (struct item_head * ih, int block_size);
47514 + void (* const decrement_key) (struct cpu_key *);
47515 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
47516 unsigned long bsize);
47517 - void (*print_item) (struct item_head *, char *item);
47518 - void (*check_item) (struct item_head *, char *item);
47519 + void (* const print_item) (struct item_head *, char *item);
47520 + void (* const check_item) (struct item_head *, char *item);
47522 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47523 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47524 int is_affected, int insert_size);
47525 - int (*check_left) (struct virtual_item * vi, int free,
47526 + int (* const check_left) (struct virtual_item * vi, int free,
47527 int start_skip, int end_skip);
47528 - int (*check_right) (struct virtual_item * vi, int free);
47529 - int (*part_size) (struct virtual_item * vi, int from, int to);
47530 - int (*unit_num) (struct virtual_item * vi);
47531 - void (*print_vi) (struct virtual_item * vi);
47532 + int (* const check_right) (struct virtual_item * vi, int free);
47533 + int (* const part_size) (struct virtual_item * vi, int from, int to);
47534 + int (* const unit_num) (struct virtual_item * vi);
47535 + void (* const print_vi) (struct virtual_item * vi);
47538 -extern struct item_operations *item_ops[TYPE_ANY + 1];
47539 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
47541 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
47542 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
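Review bot: `struct item_operations` gains `const` on every function-pointer member without a comment stating the consequence: an instance can now only be filled by an initialiser, and whole-struct assignment no longer compiles. The same pattern is applied to `platform_suspend_ops` and `platform_hibernation_ops` in include/linux/suspend.h and to the `show`/`store` table in include/linux/sysfs.h. A one-line comment on each struct would document the rule, e.g. `/* members are const: define instances with a static initialiser so the table can live in read-only data */`.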
47543 diff -urNp linux-2.6.37/include/linux/reiserfs_fs_sb.h linux-2.6.37/include/linux/reiserfs_fs_sb.h
47544 --- linux-2.6.37/include/linux/reiserfs_fs_sb.h 2011-01-04 19:50:19.000000000 -0500
47545 +++ linux-2.6.37/include/linux/reiserfs_fs_sb.h 2011-01-17 02:41:02.000000000 -0500
47546 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
47547 /* Comment? -Hans */
47548 wait_queue_head_t s_wait;
47549 /* To be obsoleted soon by per buffer seals.. -Hans */
47550 - atomic_t s_generation_counter; // increased by one every time the
47551 + atomic_unchecked_t s_generation_counter; // increased by one every time the
47552 // tree gets re-balanced
47553 unsigned long s_properties; /* File system properties. Currently holds
47554 on-disk FS format */
47555 diff -urNp linux-2.6.37/include/linux/rmap.h linux-2.6.37/include/linux/rmap.h
47556 --- linux-2.6.37/include/linux/rmap.h 2011-01-04 19:50:19.000000000 -0500
47557 +++ linux-2.6.37/include/linux/rmap.h 2011-01-17 02:41:02.000000000 -0500
47558 @@ -145,8 +145,8 @@ static inline void anon_vma_unlock(struc
47559 void anon_vma_init(void); /* create anon_vma_cachep */
47560 int anon_vma_prepare(struct vm_area_struct *);
47561 void unlink_anon_vmas(struct vm_area_struct *);
47562 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
47563 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
47564 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
47565 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
47566 void __anon_vma_link(struct vm_area_struct *);
47567 void anon_vma_free(struct anon_vma *);
47569 diff -urNp linux-2.6.37/include/linux/sched.h linux-2.6.37/include/linux/sched.h
47570 --- linux-2.6.37/include/linux/sched.h 2011-01-04 19:50:19.000000000 -0500
47571 +++ linux-2.6.37/include/linux/sched.h 2011-01-17 02:41:02.000000000 -0500
47572 @@ -100,6 +100,7 @@ struct robust_list_head;
47575 struct perf_event_context;
47576 +struct linux_binprm;
47579 * List of flags we want to share for kernel threads,
47580 @@ -377,10 +378,12 @@ struct user_namespace;
47581 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
47583 extern int sysctl_max_map_count;
47584 +extern unsigned long sysctl_heap_stack_gap;
47586 #include <linux/aio.h>
47589 +extern bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len);
47590 extern void arch_pick_mmap_layout(struct mm_struct *mm);
47591 extern unsigned long
47592 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
47593 @@ -624,6 +627,16 @@ struct signal_struct {
47594 struct tty_audit_buf *tty_audit_buf;
47597 +#ifdef CONFIG_GRKERNSEC
47604 + u8 used_accept:1;
47607 int oom_adj; /* OOM kill score adjustment (bit shift) */
47608 int oom_score_adj; /* OOM kill score adjustment */
47610 @@ -1181,7 +1194,7 @@ enum perf_event_task_context {
47612 struct task_struct {
47613 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
47615 + struct thread_info *stack;
47617 unsigned int flags; /* per process flags, defined below */
47618 unsigned int ptrace;
47619 @@ -1291,8 +1304,8 @@ struct task_struct {
47620 struct list_head thread_group;
47622 struct completion *vfork_done; /* for vfork() */
47623 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
47624 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47625 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
47626 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47628 cputime_t utime, stime, utimescaled, stimescaled;
47630 @@ -1308,13 +1321,6 @@ struct task_struct {
47631 struct task_cputime cputime_expires;
47632 struct list_head cpu_timers[3];
47634 -/* process credentials */
47635 - const struct cred __rcu *real_cred; /* objective and real subjective task
47636 - * credentials (COW) */
47637 - const struct cred __rcu *cred; /* effective (overridable) subjective task
47638 - * credentials (COW) */
47639 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47641 char comm[TASK_COMM_LEN]; /* executable name excluding path
47642 - access with [gs]et_task_comm (which lock
47643 it with task_lock())
47644 @@ -1333,6 +1339,10 @@ struct task_struct {
47645 struct thread_struct thread;
47646 /* filesystem information */
47647 struct fs_struct *fs;
47649 + const struct cred __rcu *cred; /* effective (overridable) subjective task
47650 + * credentials (COW) */
47652 /* open file information */
47653 struct files_struct *files;
47655 @@ -1379,6 +1389,11 @@ struct task_struct {
47656 struct rt_mutex_waiter *pi_blocked_on;
47659 +/* process credentials */
47660 + const struct cred __rcu *real_cred; /* objective and real subjective task
47661 + * credentials (COW) */
47662 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47664 #ifdef CONFIG_DEBUG_MUTEXES
47665 /* mutex deadlock detection */
47666 struct mutex_waiter *blocked_on;
47667 @@ -1483,6 +1498,20 @@ struct task_struct {
47668 unsigned long default_timer_slack_ns;
47670 struct list_head *scm_work_list;
47672 +#ifdef CONFIG_GRKERNSEC
47674 + struct dentry *gr_chroot_dentry;
47675 + struct acl_subject_label *acl;
47676 + struct acl_role_label *role;
47677 + struct file *exec_file;
47682 + u8 gr_is_chrooted;
47685 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
47686 /* Index of current stored address in ret_stack */
47687 int curr_ret_stack;
47688 @@ -1514,6 +1543,52 @@ struct task_struct {
47692 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
47693 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
47694 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
47695 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
47696 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
47697 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
47699 +#ifdef CONFIG_PAX_SOFTMODE
47700 +extern unsigned int pax_softmode;
47703 +extern int pax_check_flags(unsigned long *);
47705 +/* if tsk != current then task_lock must be held on it */
47706 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47707 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
47709 + if (likely(tsk->mm))
47710 + return tsk->mm->pax_flags;
47715 +/* if tsk != current then task_lock must be held on it */
47716 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
47718 + if (likely(tsk->mm)) {
47719 + tsk->mm->pax_flags = flags;
47726 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
47727 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
47728 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
47729 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
47732 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
47733 +void pax_report_insns(void *pc, void *sp);
47734 +void pax_report_refcount_overflow(struct pt_regs *regs);
47735 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
47736 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
47738 /* Future-safe accessor for struct task_struct's cpus_allowed. */
47739 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
47741 @@ -2134,7 +2209,7 @@ extern void __cleanup_sighand(struct sig
47742 extern void exit_itimers(struct signal_struct *);
47743 extern void flush_itimer_signals(void);
47745 -extern NORET_TYPE void do_group_exit(int);
47746 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
47748 extern void daemonize(const char *, ...);
47749 extern int allow_signal(int);
47750 @@ -2259,8 +2334,8 @@ static inline void unlock_task_sighand(s
47752 #ifndef __HAVE_THREAD_FUNCTIONS
47754 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
47755 -#define task_stack_page(task) ((task)->stack)
47756 +#define task_thread_info(task) ((task)->stack)
47757 +#define task_stack_page(task) ((void *)(task)->stack)
47759 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
47761 @@ -2275,13 +2350,17 @@ static inline unsigned long *end_of_stac
47765 -static inline int object_is_on_stack(void *obj)
47766 +static inline int object_starts_on_stack(void *obj)
47768 - void *stack = task_stack_page(current);
47769 + const void *stack = task_stack_page(current);
47771 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
47774 +#ifdef CONFIG_PAX_USERCOPY
47775 +extern int object_is_on_stack(const void *obj, unsigned long len);
47778 extern void thread_info_cache_init(void);
47780 #ifdef CONFIG_DEBUG_STACK_USAGE
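Review bot: `object_is_on_stack` is reused as the name of a new two-argument function declared only under `CONFIG_PAX_USERCOPY`, while the old single-pointer test is renamed `object_starts_on_stack`. Any caller outside this hunk that still uses the one-argument form breaks, and with the option off the name has no declaration at all. A distinct name for the range check would avoid the collision. The declaration also needs a comment on what the `int` result means for an object that only partly overlaps the stack. Separately, the renamed helper can take a const pointer to match its new `const void *stack` local: `static inline int object_starts_on_stack(const void *obj)`.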
47781 diff -urNp linux-2.6.37/include/linux/screen_info.h linux-2.6.37/include/linux/screen_info.h
47782 --- linux-2.6.37/include/linux/screen_info.h 2011-01-04 19:50:19.000000000 -0500
47783 +++ linux-2.6.37/include/linux/screen_info.h 2011-01-17 02:41:02.000000000 -0500
47784 @@ -43,7 +43,8 @@ struct screen_info {
47785 __u16 pages; /* 0x32 */
47786 __u16 vesa_attributes; /* 0x34 */
47787 __u32 capabilities; /* 0x36 */
47788 - __u8 _reserved[6]; /* 0x3a */
47789 + __u16 vesapm_size; /* 0x3a */
47790 + __u8 _reserved[4]; /* 0x3c */
47791 } __attribute__((packed));
47793 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
47794 diff -urNp linux-2.6.37/include/linux/security.h linux-2.6.37/include/linux/security.h
47795 --- linux-2.6.37/include/linux/security.h 2011-01-04 19:50:19.000000000 -0500
47796 +++ linux-2.6.37/include/linux/security.h 2011-01-17 02:41:02.000000000 -0500
47798 #include <linux/key.h>
47799 #include <linux/xfrm.h>
47800 #include <linux/slab.h>
47801 +#include <linux/grsecurity.h>
47802 #include <net/flow.h>
47804 /* Maximum number of letters for an LSM name string */
47805 diff -urNp linux-2.6.37/include/linux/shm.h linux-2.6.37/include/linux/shm.h
47806 --- linux-2.6.37/include/linux/shm.h 2011-01-04 19:50:19.000000000 -0500
47807 +++ linux-2.6.37/include/linux/shm.h 2011-01-17 02:41:02.000000000 -0500
47808 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
47811 struct user_struct *mlock_user;
47812 +#ifdef CONFIG_GRKERNSEC
47813 + time_t shm_createtime;
47818 /* shm_mode upper byte flags */
47819 diff -urNp linux-2.6.37/include/linux/skbuff.h linux-2.6.37/include/linux/skbuff.h
47820 --- linux-2.6.37/include/linux/skbuff.h 2011-01-04 19:50:19.000000000 -0500
47821 +++ linux-2.6.37/include/linux/skbuff.h 2011-01-17 02:41:02.000000000 -0500
47822 @@ -581,7 +581,7 @@ static inline struct skb_shared_hwtstamp
47824 static inline int skb_queue_empty(const struct sk_buff_head *list)
47826 - return list->next == (struct sk_buff *)list;
47827 + return list->next == (const struct sk_buff *)list;
47831 @@ -594,7 +594,7 @@ static inline int skb_queue_empty(const
47832 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
47833 const struct sk_buff *skb)
47835 - return skb->next == (struct sk_buff *)list;
47836 + return skb->next == (const struct sk_buff *)list;
47840 @@ -607,7 +607,7 @@ static inline bool skb_queue_is_last(con
47841 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
47842 const struct sk_buff *skb)
47844 - return skb->prev == (struct sk_buff *)list;
47845 + return skb->prev == (const struct sk_buff *)list;
47849 diff -urNp linux-2.6.37/include/linux/slab.h linux-2.6.37/include/linux/slab.h
47850 --- linux-2.6.37/include/linux/slab.h 2011-01-04 19:50:19.000000000 -0500
47851 +++ linux-2.6.37/include/linux/slab.h 2011-01-17 02:41:02.000000000 -0500
47854 #include <linux/gfp.h>
47855 #include <linux/types.h>
47856 +#include <linux/err.h>
47859 * Flags to pass to kmem_cache_create().
47860 @@ -87,10 +88,13 @@
47861 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
47862 * Both make kfree a no-op.
47864 -#define ZERO_SIZE_PTR ((void *)16)
47865 +#define ZERO_SIZE_PTR \
47867 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
47868 + (void *)(-MAX_ERRNO-1L); \
47871 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
47872 - (unsigned long)ZERO_SIZE_PTR)
47873 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
47876 * struct kmem_cache related prototypes
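Review bot: `ZERO_OR_NULL_PTR(x)` now accepts NULL plus every value from `ZERO_SIZE_PTR` upward, and with `ZERO_SIZE_PTR` at `-MAX_ERRNO-1` that range includes all `ERR_PTR()` encodings. The comment kept above the macros still names only NULL and ZERO_SIZE_PTR. If matching error pointers is intended, extend that comment, e.g. `* Error pointers (IS_ERR) also satisfy ZERO_OR_NULL_PTR().` `ZERO_SIZE_PTR` also appears to become a statement expression, although its opening and closing lines are missing from this extract. If so, it can no longer be used where a constant expression is required, which is worth noting in the same comment.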
47877 @@ -144,6 +148,7 @@ void * __must_check krealloc(const void
47878 void kfree(const void *);
47879 void kzfree(const void *);
47880 size_t ksize(const void *);
47881 +void check_object_size(const void *ptr, unsigned long n, bool to);
47884 * Allocator specific definitions. These are mainly used to establish optimized
47885 @@ -336,4 +341,37 @@ static inline void *kzalloc_node(size_t
47887 void __init kmem_cache_init_late(void);
47889 +#define kmalloc(x, y) \
47891 + void *___retval; \
47892 + intoverflow_t ___x = (intoverflow_t)x; \
47893 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
47894 + ___retval = NULL; \
47896 + ___retval = kmalloc((size_t)___x, (y)); \
47900 +#define kmalloc_node(x, y, z) \
47902 + void *___retval; \
47903 + intoverflow_t ___x = (intoverflow_t)x; \
47904 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
47905 + ___retval = NULL; \
47907 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
47911 +#define kzalloc(x, y) \
47913 + void *___retval; \
47914 + intoverflow_t ___x = (intoverflow_t)x; \
47915 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
47916 + ___retval = NULL; \
47918 + ___retval = kzalloc((size_t)___x, (y)); \
47922 #endif /* _LINUX_SLAB_H */
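Review bot: The `kmalloc`, `kmalloc_node` and `kzalloc` wrappers cast with `(intoverflow_t)x`, leaving `x` unparenthesised, so for an argument like `n * size` the cast binds to `n` and the product is computed in the wide type. That looks deliberate but is undocumented. It also means an argument such as `hdr + n * size` still evaluates `n * size` at its original width before the check sees it. A comment above the first macro should say so, e.g. `/* x is intentionally unparenthesised: the cast widens the first operand so a size multiplication is checked; put the product first */`. The definition of `intoverflow_t` is outside this hunk; on any configuration where it is no wider than `unsigned long`, `___x > ULONG_MAX` can never be true.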
47923 diff -urNp linux-2.6.37/include/linux/slub_def.h linux-2.6.37/include/linux/slub_def.h
47924 --- linux-2.6.37/include/linux/slub_def.h 2011-01-04 19:50:19.000000000 -0500
47925 +++ linux-2.6.37/include/linux/slub_def.h 2011-01-17 02:41:02.000000000 -0500
47926 @@ -80,7 +80,7 @@ struct kmem_cache {
47927 struct kmem_cache_order_objects max;
47928 struct kmem_cache_order_objects min;
47929 gfp_t allocflags; /* gfp flags to use on each alloc */
47930 - int refcount; /* Refcount for slab cache destroy */
47931 + atomic_t refcount; /* Refcount for slab cache destroy */
47932 void (*ctor)(void *);
47933 int inuse; /* Offset to metadata */
47934 int align; /* Alignment */
47935 diff -urNp linux-2.6.37/include/linux/sonet.h linux-2.6.37/include/linux/sonet.h
47936 --- linux-2.6.37/include/linux/sonet.h 2011-01-04 19:50:19.000000000 -0500
47937 +++ linux-2.6.37/include/linux/sonet.h 2011-01-17 02:41:02.000000000 -0500
47938 @@ -61,7 +61,7 @@ struct sonet_stats {
47939 #include <asm/atomic.h>
47941 struct k_sonet_stats {
47942 -#define __HANDLE_ITEM(i) atomic_t i
47943 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
47945 #undef __HANDLE_ITEM
47947 diff -urNp linux-2.6.37/include/linux/sunrpc/clnt.h linux-2.6.37/include/linux/sunrpc/clnt.h
47948 --- linux-2.6.37/include/linux/sunrpc/clnt.h 2011-01-04 19:50:19.000000000 -0500
47949 +++ linux-2.6.37/include/linux/sunrpc/clnt.h 2011-01-17 02:41:02.000000000 -0500
47950 @@ -168,9 +168,9 @@ static inline unsigned short rpc_get_por
47952 switch (sap->sa_family) {
47954 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
47955 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
47957 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
47958 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
47962 @@ -203,7 +203,7 @@ static inline bool __rpc_cmp_addr4(const
47963 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
47964 const struct sockaddr *src)
47966 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
47967 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
47968 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
47970 dsin->sin_family = ssin->sin_family;
47971 @@ -300,7 +300,7 @@ static inline u32 rpc_get_scope_id(const
47972 if (sa->sa_family != AF_INET6)
47975 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
47976 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
47979 #endif /* __KERNEL__ */
47980 diff -urNp linux-2.6.37/include/linux/suspend.h linux-2.6.37/include/linux/suspend.h
47981 --- linux-2.6.37/include/linux/suspend.h 2011-01-04 19:50:19.000000000 -0500
47982 +++ linux-2.6.37/include/linux/suspend.h 2011-01-17 02:41:02.000000000 -0500
47983 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
47984 * which require special recovery actions in that situation.
47986 struct platform_suspend_ops {
47987 - int (*valid)(suspend_state_t state);
47988 - int (*begin)(suspend_state_t state);
47989 - int (*prepare)(void);
47990 - int (*prepare_late)(void);
47991 - int (*enter)(suspend_state_t state);
47992 - void (*wake)(void);
47993 - void (*finish)(void);
47994 - void (*end)(void);
47995 - void (*recover)(void);
47996 + int (* const valid)(suspend_state_t state);
47997 + int (* const begin)(suspend_state_t state);
47998 + int (* const prepare)(void);
47999 + int (* const prepare_late)(void);
48000 + int (* const enter)(suspend_state_t state);
48001 + void (* const wake)(void);
48002 + void (* const finish)(void);
48003 + void (* const end)(void);
48004 + void (* const recover)(void);
48007 #ifdef CONFIG_SUSPEND
48008 @@ -122,7 +122,7 @@ struct platform_suspend_ops {
48009 * suspend_set_ops - set platform dependent suspend operations
48010 * @ops: The new suspend operations to set.
48012 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
48013 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
48014 extern int suspend_valid_only_mem(suspend_state_t state);
48017 @@ -147,7 +147,7 @@ extern int pm_suspend(suspend_state_t st
48018 #else /* !CONFIG_SUSPEND */
48019 #define suspend_valid_only_mem NULL
48021 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
48022 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
48023 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
48024 #endif /* !CONFIG_SUSPEND */
48026 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
48027 * platforms which require special recovery actions in that situation.
48029 struct platform_hibernation_ops {
48030 - int (*begin)(void);
48031 - void (*end)(void);
48032 - int (*pre_snapshot)(void);
48033 - void (*finish)(void);
48034 - int (*prepare)(void);
48035 - int (*enter)(void);
48036 - void (*leave)(void);
48037 - int (*pre_restore)(void);
48038 - void (*restore_cleanup)(void);
48039 - void (*recover)(void);
48040 + int (* const begin)(void);
48041 + void (* const end)(void);
48042 + int (* const pre_snapshot)(void);
48043 + void (* const finish)(void);
48044 + int (* const prepare)(void);
48045 + int (* const enter)(void);
48046 + void (* const leave)(void);
48047 + int (* const pre_restore)(void);
48048 + void (* const restore_cleanup)(void);
48049 + void (* const recover)(void);
48052 #ifdef CONFIG_HIBERNATION
48053 @@ -245,7 +245,7 @@ extern void swsusp_set_page_free(struct
48054 extern void swsusp_unset_page_free(struct page *);
48055 extern unsigned long get_safe_page(gfp_t gfp_mask);
48057 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
48058 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
48059 extern int hibernate(void);
48060 extern bool system_entering_hibernation(void);
48061 #else /* CONFIG_HIBERNATION */
48062 @@ -253,7 +253,7 @@ static inline int swsusp_page_is_forbidd
48063 static inline void swsusp_set_page_free(struct page *p) {}
48064 static inline void swsusp_unset_page_free(struct page *p) {}
48066 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
48067 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
48068 static inline int hibernate(void) { return -ENOSYS; }
48069 static inline bool system_entering_hibernation(void) { return false; }
48070 #endif /* CONFIG_HIBERNATION */
48071 diff -urNp linux-2.6.37/include/linux/sysctl.h linux-2.6.37/include/linux/sysctl.h
48072 --- linux-2.6.37/include/linux/sysctl.h 2011-01-04 19:50:19.000000000 -0500
48073 +++ linux-2.6.37/include/linux/sysctl.h 2011-01-17 02:41:02.000000000 -0500
48074 @@ -155,7 +155,11 @@ enum
48075 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
48079 +#ifdef CONFIG_PAX_SOFTMODE
48081 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
48085 /* CTL_VM names: */
48087 @@ -966,6 +970,8 @@ typedef int proc_handler (struct ctl_tab
48089 extern int proc_dostring(struct ctl_table *, int,
48090 void __user *, size_t *, loff_t *);
48091 +extern int proc_dostring_modpriv(struct ctl_table *, int,
48092 + void __user *, size_t *, loff_t *);
48093 extern int proc_dointvec(struct ctl_table *, int,
48094 void __user *, size_t *, loff_t *);
48095 extern int proc_dointvec_minmax(struct ctl_table *, int,
48096 diff -urNp linux-2.6.37/include/linux/sysfs.h linux-2.6.37/include/linux/sysfs.h
48097 --- linux-2.6.37/include/linux/sysfs.h 2011-01-04 19:50:19.000000000 -0500
48098 +++ linux-2.6.37/include/linux/sysfs.h 2011-01-17 02:41:02.000000000 -0500
48099 @@ -110,8 +110,8 @@ struct bin_attribute {
48100 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
48103 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
48104 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
48105 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
48106 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
48109 struct sysfs_dirent;
48110 diff -urNp linux-2.6.37/include/linux/tty.h linux-2.6.37/include/linux/tty.h
48111 --- linux-2.6.37/include/linux/tty.h 2011-01-04 19:50:19.000000000 -0500
48112 +++ linux-2.6.37/include/linux/tty.h 2011-01-17 02:41:02.000000000 -0500
48114 #include <linux/tty_driver.h>
48115 #include <linux/tty_ldisc.h>
48116 #include <linux/mutex.h>
48117 +#include <linux/poll.h>
48118 +#include <linux/smp_lock.h>
48120 #include <asm/system.h>
48122 @@ -465,7 +467,6 @@ extern int tty_perform_flush(struct tty_
48123 extern dev_t tty_devnum(struct tty_struct *tty);
48124 extern void proc_clear_tty(struct task_struct *p);
48125 extern struct tty_struct *get_current_tty(void);
48126 -extern void tty_default_fops(struct file_operations *fops);
48127 extern struct tty_struct *alloc_tty_struct(void);
48128 extern int tty_add_file(struct tty_struct *tty, struct file *file);
48129 extern void free_tty_struct(struct tty_struct *tty);
48130 @@ -528,6 +529,18 @@ extern void tty_ldisc_begin(void);
48131 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
48132 extern void tty_ldisc_enable(struct tty_struct *tty);
48135 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
48136 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
48137 +extern unsigned int tty_poll(struct file *, poll_table *);
48138 +#ifdef CONFIG_COMPAT
48139 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
48140 + unsigned long arg);
48142 +#define tty_compat_ioctl NULL
48144 +extern int tty_release(struct inode *, struct file *);
48145 +extern int tty_fasync(int fd, struct file *filp, int on);
48148 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
48149 diff -urNp linux-2.6.37/include/linux/tty_ldisc.h linux-2.6.37/include/linux/tty_ldisc.h
48150 --- linux-2.6.37/include/linux/tty_ldisc.h 2011-01-04 19:50:19.000000000 -0500
48151 +++ linux-2.6.37/include/linux/tty_ldisc.h 2011-01-17 02:41:02.000000000 -0500
48152 @@ -147,7 +147,7 @@ struct tty_ldisc_ops {
48154 struct module *owner;
48157 + atomic_t refcount;
48161 diff -urNp linux-2.6.37/include/linux/types.h linux-2.6.37/include/linux/types.h
48162 --- linux-2.6.37/include/linux/types.h 2011-01-04 19:50:19.000000000 -0500
48163 +++ linux-2.6.37/include/linux/types.h 2011-01-17 02:41:02.000000000 -0500
48164 @@ -207,10 +207,26 @@ typedef struct {
48168 +#ifdef CONFIG_PAX_REFCOUNT
48171 +} atomic_unchecked_t;
48173 +typedef atomic_t atomic_unchecked_t;
48176 #ifdef CONFIG_64BIT
48181 +#ifdef CONFIG_PAX_REFCOUNT
48184 +} atomic64_unchecked_t;
48186 +typedef atomic64_t atomic64_unchecked_t;
48191 diff -urNp linux-2.6.37/include/linux/u64_stats_sync.h linux-2.6.37/include/linux/u64_stats_sync.h
48192 --- linux-2.6.37/include/linux/u64_stats_sync.h 2011-01-04 19:50:19.000000000 -0500
48193 +++ linux-2.6.37/include/linux/u64_stats_sync.h 2011-01-17 02:41:02.000000000 -0500
48194 @@ -67,21 +67,21 @@ struct u64_stats_sync {
48198 -static void inline u64_stats_update_begin(struct u64_stats_sync *syncp)
48199 +static inline void u64_stats_update_begin(struct u64_stats_sync *syncp)
48201 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48202 write_seqcount_begin(&syncp->seq);
48206 -static void inline u64_stats_update_end(struct u64_stats_sync *syncp)
48207 +static inline void u64_stats_update_end(struct u64_stats_sync *syncp)
48209 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48210 write_seqcount_end(&syncp->seq);
48214 -static unsigned int inline u64_stats_fetch_begin(const struct u64_stats_sync *syncp)
48215 +static inline unsigned int u64_stats_fetch_begin(const struct u64_stats_sync *syncp)
48217 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48218 return read_seqcount_begin(&syncp->seq);
48219 @@ -93,7 +93,7 @@ static unsigned int inline u64_stats_fet
48223 -static bool inline u64_stats_fetch_retry(const struct u64_stats_sync *syncp,
48224 +static inline bool u64_stats_fetch_retry(const struct u64_stats_sync *syncp,
48225 unsigned int start)
48227 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48228 @@ -112,7 +112,7 @@ static bool inline u64_stats_fetch_retry
48229 * - UP 32bit must disable BH.
48230 * - 64bit have no problem atomically reading u64 values, irq safe.
48232 -static unsigned int inline u64_stats_fetch_begin_bh(const struct u64_stats_sync *syncp)
48233 +static inline unsigned int u64_stats_fetch_begin_bh(const struct u64_stats_sync *syncp)
48235 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48236 return read_seqcount_begin(&syncp->seq);
48237 @@ -124,7 +124,7 @@ static unsigned int inline u64_stats_fet
48241 -static bool inline u64_stats_fetch_retry_bh(const struct u64_stats_sync *syncp,
48242 +static inline bool u64_stats_fetch_retry_bh(const struct u64_stats_sync *syncp,
48243 unsigned int start)
48245 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48246 diff -urNp linux-2.6.37/include/linux/uaccess.h linux-2.6.37/include/linux/uaccess.h
48247 --- linux-2.6.37/include/linux/uaccess.h 2011-01-04 19:50:19.000000000 -0500
48248 +++ linux-2.6.37/include/linux/uaccess.h 2011-01-17 02:41:02.000000000 -0500
48249 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
48251 mm_segment_t old_fs = get_fs(); \
48253 - set_fs(KERNEL_DS); \
48254 pagefault_disable(); \
48255 + set_fs(KERNEL_DS); \
48256 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
48257 - pagefault_enable(); \
48259 + pagefault_enable(); \
48263 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
48264 * Safely read from address @src to the buffer at @dst. If a kernel fault
48265 * happens, handle that and return -EFAULT.
48267 -extern long probe_kernel_read(void *dst, void *src, size_t size);
48268 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
48269 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
48270 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
48273 * probe_kernel_write(): safely attempt to write to a location
48274 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
48275 * Safely write to address @dst from the buffer at @src. If a kernel fault
48276 * happens, handle that and return -EFAULT.
48278 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
48279 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
48280 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
48281 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
48283 #endif /* __LINUX_UACCESS_H__ */
48284 diff -urNp linux-2.6.37/include/linux/unaligned/access_ok.h linux-2.6.37/include/linux/unaligned/access_ok.h
48285 --- linux-2.6.37/include/linux/unaligned/access_ok.h 2011-01-04 19:50:19.000000000 -0500
48286 +++ linux-2.6.37/include/linux/unaligned/access_ok.h 2011-01-17 02:41:02.000000000 -0500
48289 static inline u16 get_unaligned_le16(const void *p)
48291 - return le16_to_cpup((__le16 *)p);
48292 + return le16_to_cpup((const __le16 *)p);
48295 static inline u32 get_unaligned_le32(const void *p)
48297 - return le32_to_cpup((__le32 *)p);
48298 + return le32_to_cpup((const __le32 *)p);
48301 static inline u64 get_unaligned_le64(const void *p)
48303 - return le64_to_cpup((__le64 *)p);
48304 + return le64_to_cpup((const __le64 *)p);
48307 static inline u16 get_unaligned_be16(const void *p)
48309 - return be16_to_cpup((__be16 *)p);
48310 + return be16_to_cpup((const __be16 *)p);
48313 static inline u32 get_unaligned_be32(const void *p)
48315 - return be32_to_cpup((__be32 *)p);
48316 + return be32_to_cpup((const __be32 *)p);
48319 static inline u64 get_unaligned_be64(const void *p)
48321 - return be64_to_cpup((__be64 *)p);
48322 + return be64_to_cpup((const __be64 *)p);
48325 static inline void put_unaligned_le16(u16 val, void *p)
48326 diff -urNp linux-2.6.37/include/linux/usb/hcd.h linux-2.6.37/include/linux/usb/hcd.h
48327 --- linux-2.6.37/include/linux/usb/hcd.h 2011-01-04 19:50:19.000000000 -0500
48328 +++ linux-2.6.37/include/linux/usb/hcd.h 2011-01-17 02:41:02.000000000 -0500
48329 @@ -580,7 +580,7 @@ struct usb_mon_operations {
48330 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
48333 -extern struct usb_mon_operations *mon_ops;
48334 +extern const struct usb_mon_operations *mon_ops;
48336 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
48338 @@ -602,7 +602,7 @@ static inline void usbmon_urb_complete(s
48339 (*mon_ops->urb_complete)(bus, urb, status);
48342 -int usb_mon_register(struct usb_mon_operations *ops);
48343 +int usb_mon_register(const struct usb_mon_operations *ops);
48344 void usb_mon_deregister(void);
48347 diff -urNp linux-2.6.37/include/linux/vmalloc.h linux-2.6.37/include/linux/vmalloc.h
48348 --- linux-2.6.37/include/linux/vmalloc.h 2011-01-04 19:50:19.000000000 -0500
48349 +++ linux-2.6.37/include/linux/vmalloc.h 2011-01-17 02:41:02.000000000 -0500
48350 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
48351 #define VM_MAP 0x00000004 /* vmap()ed pages */
48352 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
48353 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
48355 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
48356 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
48359 /* bits [20..32] reserved for arch specific ioremap internals */
48362 @@ -125,4 +130,103 @@ struct vm_struct **pcpu_get_vm_areas(con
48363 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
48366 +#define vmalloc(x) \
48368 + void *___retval; \
48369 + intoverflow_t ___x = (intoverflow_t)x; \
48370 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
48371 + ___retval = NULL; \
48373 + ___retval = vmalloc((unsigned long)___x); \
48377 +#define vzalloc(x) \
48379 + void *___retval; \
48380 + intoverflow_t ___x = (intoverflow_t)x; \
48381 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
48382 + ___retval = NULL; \
48384 + ___retval = vzalloc((unsigned long)___x); \
48388 +#define __vmalloc(x, y, z) \
48390 + void *___retval; \
48391 + intoverflow_t ___x = (intoverflow_t)x; \
48392 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
48393 + ___retval = NULL; \
48395 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
48399 +#define vmalloc_user(x) \
48401 + void *___retval; \
48402 + intoverflow_t ___x = (intoverflow_t)x; \
48403 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
48404 + ___retval = NULL; \
48406 + ___retval = vmalloc_user((unsigned long)___x); \
48410 +#define vmalloc_exec(x) \
48412 + void *___retval; \
48413 + intoverflow_t ___x = (intoverflow_t)x; \
48414 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
48415 + ___retval = NULL; \
48417 + ___retval = vmalloc_exec((unsigned long)___x); \
48421 +#define vmalloc_node(x, y) \
48423 + void *___retval; \
48424 + intoverflow_t ___x = (intoverflow_t)x; \
48425 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
48426 + ___retval = NULL; \
48428 + ___retval = vmalloc_node((unsigned long)___x, (y));\
48432 +#define vzalloc_node(x, y) \
48434 + void *___retval; \
48435 + intoverflow_t ___x = (intoverflow_t)x; \
48436 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
48437 + ___retval = NULL; \
48439 + ___retval = vzalloc_node((unsigned long)___x, (y));\
48443 +#define vmalloc_32(x) \
48445 + void *___retval; \
48446 + intoverflow_t ___x = (intoverflow_t)x; \
48447 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
48448 + ___retval = NULL; \
48450 + ___retval = vmalloc_32((unsigned long)___x); \
48454 +#define vmalloc_32_user(x) \
48456 +void *___retval; \
48457 + intoverflow_t ___x = (intoverflow_t)x; \
48458 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
48459 + ___retval = NULL; \
48461 + ___retval = vmalloc_32_user((unsigned long)___x);\
48465 #endif /* _LINUX_VMALLOC_H */
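Review bot: Each wrapper casts its argument as `(intoverflow_t)x` without parentheses, so in a call such as `vmalloc(n * size)` the cast binds to `n` alone. That looks deliberate, since it makes the multiplication happen in the wider type so the `> ULONG_MAX` test can see the overflow, but nothing says so, and a later cleanup to `(intoverflow_t)(x)` would silently disable the check. A comment above the first macro should state this, and also that only an overflow involving the leftmost operand is caught: in `hdr + n * size` the product is still computed in the caller's type. `intoverflow_t` is defined outside this hunk; if it is no wider than `unsigned long` on 64-bit builds the test can never fire there, which belongs in the same comment. The `void *___retval;` line in `vmalloc_32_user` has also lost its indentation.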
48466 diff -urNp linux-2.6.37/include/linux/vmstat.h linux-2.6.37/include/linux/vmstat.h
48467 --- linux-2.6.37/include/linux/vmstat.h 2011-01-04 19:50:19.000000000 -0500
48468 +++ linux-2.6.37/include/linux/vmstat.h 2011-01-17 02:41:02.000000000 -0500
48469 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
48471 * Zone based page accounting with per cpu differentials.
48473 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48474 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48476 static inline void zone_page_state_add(long x, struct zone *zone,
48477 enum zone_stat_item item)
48479 - atomic_long_add(x, &zone->vm_stat[item]);
48480 - atomic_long_add(x, &vm_stat[item]);
48481 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
48482 + atomic_long_add_unchecked(x, &vm_stat[item]);
48485 static inline unsigned long global_page_state(enum zone_stat_item item)
48487 - long x = atomic_long_read(&vm_stat[item]);
48488 + long x = atomic_long_read_unchecked(&vm_stat[item]);
48492 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
48493 static inline unsigned long zone_page_state(struct zone *zone,
48494 enum zone_stat_item item)
48496 - long x = atomic_long_read(&zone->vm_stat[item]);
48497 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
48501 @@ -179,7 +179,7 @@ static inline unsigned long zone_page_st
48502 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
48503 enum zone_stat_item item)
48505 - long x = atomic_long_read(&zone->vm_stat[item]);
48506 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
48510 @@ -268,8 +268,8 @@ static inline void __mod_zone_page_state
48512 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
48514 - atomic_long_inc(&zone->vm_stat[item]);
48515 - atomic_long_inc(&vm_stat[item]);
48516 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
48517 + atomic_long_inc_unchecked(&vm_stat[item]);
48520 static inline void __inc_zone_page_state(struct page *page,
48521 @@ -280,8 +280,8 @@ static inline void __inc_zone_page_state
48523 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
48525 - atomic_long_dec(&zone->vm_stat[item]);
48526 - atomic_long_dec(&vm_stat[item]);
48527 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
48528 + atomic_long_dec_unchecked(&vm_stat[item]);
48531 static inline void __dec_zone_page_state(struct page *page,
48532 diff -urNp linux-2.6.37/include/net/inetpeer.h linux-2.6.37/include/net/inetpeer.h
48533 --- linux-2.6.37/include/net/inetpeer.h 2011-01-04 19:50:19.000000000 -0500
48534 +++ linux-2.6.37/include/net/inetpeer.h 2011-01-17 02:41:02.000000000 -0500
48535 @@ -30,8 +30,8 @@ struct inet_peer {
48539 - atomic_t rid; /* Frag reception counter */
48540 - atomic_t ip_id_count; /* IP ID for the next packet */
48541 + atomic_unchecked_t rid; /* Frag reception counter */
48542 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
48544 __u32 tcp_ts_stamp;
48546 @@ -62,7 +62,7 @@ static inline __u16 inet_getid(struct in
48549 inet_peer_refcheck(p);
48550 - return atomic_add_return(more, &p->ip_id_count) - more;
48551 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
48554 #endif /* _NET_INETPEER_H */
48555 diff -urNp linux-2.6.37/include/net/irda/ircomm_tty.h linux-2.6.37/include/net/irda/ircomm_tty.h
48556 --- linux-2.6.37/include/net/irda/ircomm_tty.h 2011-01-04 19:50:19.000000000 -0500
48557 +++ linux-2.6.37/include/net/irda/ircomm_tty.h 2011-01-25 20:24:56.000000000 -0500
48559 #include <linux/termios.h>
48560 #include <linux/timer.h>
48561 #include <linux/tty.h> /* struct tty_struct */
48562 +#include <asm/local.h>
48564 #include <net/irda/irias_object.h>
48565 #include <net/irda/ircomm_core.h>
48566 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
48567 unsigned short close_delay;
48568 unsigned short closing_wait; /* time to wait before closing */
48571 - int blocked_open; /* # of blocked opens */
48572 + local_t open_count;
48573 + local_t blocked_open; /* # of blocked opens */
48575 /* Protect concurent access to :
48576 * o self->open_count
48577 diff -urNp linux-2.6.37/include/net/neighbour.h linux-2.6.37/include/net/neighbour.h
48578 --- linux-2.6.37/include/net/neighbour.h 2011-01-04 19:50:19.000000000 -0500
48579 +++ linux-2.6.37/include/net/neighbour.h 2011-01-17 02:41:02.000000000 -0500
48580 @@ -118,12 +118,12 @@ struct neighbour {
48584 - void (*solicit)(struct neighbour *, struct sk_buff*);
48585 - void (*error_report)(struct neighbour *, struct sk_buff*);
48586 - int (*output)(struct sk_buff*);
48587 - int (*connected_output)(struct sk_buff*);
48588 - int (*hh_output)(struct sk_buff*);
48589 - int (*queue_xmit)(struct sk_buff*);
48590 + void (* const solicit)(struct neighbour *, struct sk_buff*);
48591 + void (* const error_report)(struct neighbour *, struct sk_buff*);
48592 + int (* const output)(struct sk_buff*);
48593 + int (* const connected_output)(struct sk_buff*);
48594 + int (* const hh_output)(struct sk_buff*);
48595 + int (* const queue_xmit)(struct sk_buff*);
48598 struct pneigh_entry {
48599 diff -urNp linux-2.6.37/include/net/netlink.h linux-2.6.37/include/net/netlink.h
48600 --- linux-2.6.37/include/net/netlink.h 2011-01-04 19:50:19.000000000 -0500
48601 +++ linux-2.6.37/include/net/netlink.h 2011-01-17 02:41:02.000000000 -0500
48602 @@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
48603 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
48606 - skb_trim(skb, (unsigned char *) mark - skb->data);
48607 + skb_trim(skb, (const unsigned char *) mark - skb->data);
48611 diff -urNp linux-2.6.37/include/net/sctp/sctp.h linux-2.6.37/include/net/sctp/sctp.h
48612 --- linux-2.6.37/include/net/sctp/sctp.h 2011-01-04 19:50:19.000000000 -0500
48613 +++ linux-2.6.37/include/net/sctp/sctp.h 2011-01-17 02:41:02.000000000 -0500
48614 @@ -316,9 +316,9 @@ do { \
48616 #else /* SCTP_DEBUG */
48618 -#define SCTP_DEBUG_PRINTK(whatever...)
48619 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
48620 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
48621 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
48622 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
48623 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
48624 #define SCTP_ENABLE_DEBUG
48625 #define SCTP_DISABLE_DEBUG
48626 #define SCTP_ASSERT(expr, str, func)
48627 diff -urNp linux-2.6.37/include/net/tcp.h linux-2.6.37/include/net/tcp.h
48628 --- linux-2.6.37/include/net/tcp.h 2011-01-04 19:50:19.000000000 -0500
48629 +++ linux-2.6.37/include/net/tcp.h 2011-01-17 02:41:02.000000000 -0500
48630 @@ -1380,6 +1380,7 @@ enum tcp_seq_states {
48631 struct tcp_seq_afinfo {
48633 sa_family_t family;
48634 + /* cannot be const */
48635 struct file_operations seq_fops;
48636 struct seq_operations seq_ops;
48638 diff -urNp linux-2.6.37/include/net/udp.h linux-2.6.37/include/net/udp.h
48639 --- linux-2.6.37/include/net/udp.h 2011-01-04 19:50:19.000000000 -0500
48640 +++ linux-2.6.37/include/net/udp.h 2011-01-17 02:41:02.000000000 -0500
48641 @@ -223,6 +223,7 @@ struct udp_seq_afinfo {
48643 sa_family_t family;
48644 struct udp_table *udp_table;
48645 + /* cannot be const */
48646 struct file_operations seq_fops;
48647 struct seq_operations seq_ops;
48649 diff -urNp linux-2.6.37/include/sound/ac97_codec.h linux-2.6.37/include/sound/ac97_codec.h
48650 --- linux-2.6.37/include/sound/ac97_codec.h 2011-01-04 19:50:19.000000000 -0500
48651 +++ linux-2.6.37/include/sound/ac97_codec.h 2011-01-17 02:41:02.000000000 -0500
48652 @@ -419,15 +419,15 @@
48655 struct snd_ac97_build_ops {
48656 - int (*build_3d) (struct snd_ac97 *ac97);
48657 - int (*build_specific) (struct snd_ac97 *ac97);
48658 - int (*build_spdif) (struct snd_ac97 *ac97);
48659 - int (*build_post_spdif) (struct snd_ac97 *ac97);
48660 + int (* const build_3d) (struct snd_ac97 *ac97);
48661 + int (* const build_specific) (struct snd_ac97 *ac97);
48662 + int (* const build_spdif) (struct snd_ac97 *ac97);
48663 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
48665 - void (*suspend) (struct snd_ac97 *ac97);
48666 - void (*resume) (struct snd_ac97 *ac97);
48667 + void (* const suspend) (struct snd_ac97 *ac97);
48668 + void (* const resume) (struct snd_ac97 *ac97);
48670 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48671 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48674 struct snd_ac97_bus_ops {
48675 @@ -477,7 +477,7 @@ struct snd_ac97_template {
48678 /* -- lowlevel (hardware) driver specific -- */
48679 - struct snd_ac97_build_ops * build_ops;
48680 + const struct snd_ac97_build_ops * build_ops;
48681 void *private_data;
48682 void (*private_free) (struct snd_ac97 *ac97);
48684 diff -urNp linux-2.6.37/include/trace/events/irq.h linux-2.6.37/include/trace/events/irq.h
48685 --- linux-2.6.37/include/trace/events/irq.h 2011-01-04 19:50:19.000000000 -0500
48686 +++ linux-2.6.37/include/trace/events/irq.h 2011-01-17 02:41:02.000000000 -0500
48687 @@ -36,7 +36,7 @@ struct softirq_action;
48689 TRACE_EVENT(irq_handler_entry,
48691 - TP_PROTO(int irq, struct irqaction *action),
48692 + TP_PROTO(int irq, const struct irqaction *action),
48694 TP_ARGS(irq, action),
48696 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
48698 TRACE_EVENT(irq_handler_exit,
48700 - TP_PROTO(int irq, struct irqaction *action, int ret),
48701 + TP_PROTO(int irq, const struct irqaction *action, int ret),
48703 TP_ARGS(irq, action, ret),
48705 diff -urNp linux-2.6.37/include/video/uvesafb.h linux-2.6.37/include/video/uvesafb.h
48706 --- linux-2.6.37/include/video/uvesafb.h 2011-01-04 19:50:19.000000000 -0500
48707 +++ linux-2.6.37/include/video/uvesafb.h 2011-01-17 02:41:02.000000000 -0500
48708 @@ -177,6 +177,7 @@ struct uvesafb_par {
48709 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
48710 u8 pmi_setpal; /* PMI for palette changes */
48711 u16 *pmi_base; /* protected mode interface location */
48712 + u8 *pmi_code; /* protected mode code location */
48715 u8 *vbe_state_orig; /*
48716 diff -urNp linux-2.6.37/init/do_mounts.c linux-2.6.37/init/do_mounts.c
48717 --- linux-2.6.37/init/do_mounts.c 2011-01-04 19:50:19.000000000 -0500
48718 +++ linux-2.6.37/init/do_mounts.c 2011-01-17 02:41:02.000000000 -0500
48719 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
48721 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
48723 - int err = sys_mount(name, "/root", fs, flags, data);
48724 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
48728 @@ -382,18 +382,18 @@ void __init change_floppy(char *fmt, ...
48729 va_start(args, fmt);
48730 vsprintf(buf, fmt, args);
48732 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
48733 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
48735 sys_ioctl(fd, FDEJECT, 0);
48738 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
48739 - fd = sys_open("/dev/console", O_RDWR, 0);
48740 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
48742 sys_ioctl(fd, TCGETS, (long)&termios);
48743 termios.c_lflag &= ~ICANON;
48744 sys_ioctl(fd, TCSETSF, (long)&termios);
48745 - sys_read(fd, &c, 1);
48746 + sys_read(fd, (char __user *)&c, 1);
48747 termios.c_lflag |= ICANON;
48748 sys_ioctl(fd, TCSETSF, (long)&termios);
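Review bot: Two of the casts added in this hunk omit `__force`, namely `(char __user *)"/dev/root"` and `(char __user *)&c`, while every other cast in this file's hunks has it, so sparse would presumably still warn on these two lines. The first one also drops `const` from a string literal where the `/dev/console` line keeps it. I would write `sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`. The casts only record that a kernel pointer is passed to a syscall entry point on purpose; they do not make the call valid by themselves, so a one-line comment naming the assumption (presumably __init code running with the kernel address limit) would help the next reader. change_floppy's body extends beyond the hunk.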
48750 @@ -487,6 +487,6 @@ void __init prepare_namespace(void)
48753 devtmpfs_mount("dev");
48754 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48755 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48756 sys_chroot((const char __user __force *)".");
48758 diff -urNp linux-2.6.37/init/do_mounts.h linux-2.6.37/init/do_mounts.h
48759 --- linux-2.6.37/init/do_mounts.h 2011-01-04 19:50:19.000000000 -0500
48760 +++ linux-2.6.37/init/do_mounts.h 2011-01-17 02:41:02.000000000 -0500
48761 @@ -15,15 +15,15 @@ extern int root_mountflags;
48763 static inline int create_dev(char *name, dev_t dev)
48765 - sys_unlink(name);
48766 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
48767 + sys_unlink((__force char __user *)name);
48768 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
48771 #if BITS_PER_LONG == 32
48772 static inline u32 bstat(char *name)
48774 struct stat64 stat;
48775 - if (sys_stat64(name, &stat) != 0)
48776 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
48778 if (!S_ISBLK(stat.st_mode))
48780 diff -urNp linux-2.6.37/init/do_mounts_initrd.c linux-2.6.37/init/do_mounts_initrd.c
48781 --- linux-2.6.37/init/do_mounts_initrd.c 2011-01-04 19:50:19.000000000 -0500
48782 +++ linux-2.6.37/init/do_mounts_initrd.c 2011-01-17 02:41:02.000000000 -0500
48783 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
48784 create_dev("/dev/root.old", Root_RAM0);
48785 /* mount initrd on rootfs' /root */
48786 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
48787 - sys_mkdir("/old", 0700);
48788 - root_fd = sys_open("/", 0, 0);
48789 - old_fd = sys_open("/old", 0, 0);
48790 + sys_mkdir((__force const char __user *)"/old", 0700);
48791 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
48792 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
48793 /* move initrd over / and chdir/chroot in initrd root */
48794 - sys_chdir("/root");
48795 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48797 + sys_chdir((__force const char __user *)"/root");
48798 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48799 + sys_chroot((__force const char __user *)".");
48802 * In case that a resume from disk is carried out by linuxrc or one of
48803 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
48805 /* move initrd to rootfs' /old */
48806 sys_fchdir(old_fd);
48807 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
48808 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
48809 /* switch root and cwd back to / of rootfs */
48810 sys_fchdir(root_fd);
48812 + sys_chroot((__force const char __user *)".");
48814 sys_close(root_fd);
48816 if (new_decode_dev(real_root_dev) == Root_RAM0) {
48817 - sys_chdir("/old");
48818 + sys_chdir((__force const char __user *)"/old");
48822 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
48825 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
48826 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
48827 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
48831 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
48832 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
48833 if (error == -ENOENT)
48834 printk("/initrd does not exist. Ignored.\n");
48836 printk("failed\n");
48837 printk(KERN_NOTICE "Unmounting old root\n");
48838 - sys_umount("/old", MNT_DETACH);
48839 + sys_umount((__force char __user *)"/old", MNT_DETACH);
48840 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
48843 @@ -116,11 +116,11 @@ int __init initrd_load(void)
48844 * mounted in the normal path.
48846 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
48847 - sys_unlink("/initrd.image");
48848 + sys_unlink((__force const char __user *)"/initrd.image");
48853 - sys_unlink("/initrd.image");
48854 + sys_unlink((__force const char __user *)"/initrd.image");
48857 diff -urNp linux-2.6.37/init/do_mounts_md.c linux-2.6.37/init/do_mounts_md.c
48858 --- linux-2.6.37/init/do_mounts_md.c 2011-01-04 19:50:19.000000000 -0500
48859 +++ linux-2.6.37/init/do_mounts_md.c 2011-01-17 02:41:02.000000000 -0500
48860 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
48861 partitioned ? "_d" : "", minor,
48862 md_setup_args[ent].device_names);
48864 - fd = sys_open(name, 0, 0);
48865 + fd = sys_open((__force char __user *)name, 0, 0);
48867 printk(KERN_ERR "md: open failed - cannot start "
48868 "array %s\n", name);
48869 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
48873 - fd = sys_open(name, 0, 0);
48874 + fd = sys_open((__force char __user *)name, 0, 0);
48875 sys_ioctl(fd, BLKRRPART, 0);
48878 diff -urNp linux-2.6.37/init/initramfs.c linux-2.6.37/init/initramfs.c
48879 --- linux-2.6.37/init/initramfs.c 2011-01-04 19:50:19.000000000 -0500
48880 +++ linux-2.6.37/init/initramfs.c 2011-01-17 02:41:02.000000000 -0500
48881 @@ -74,7 +74,7 @@ static void __init free_hash(void)
48885 -static long __init do_utime(char __user *filename, time_t mtime)
48886 +static long __init do_utime(__force char __user *filename, time_t mtime)
48888 struct timespec t[2];
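Review bot: `__force` is placed on the parameter declaration of `do_utime`, where as far as I know it has no effect; it is a cast annotation for sparse, and the call sites changed later in this file already carry `(__force char __user *)` casts. The signature can stay `static long __init do_utime(char __user *filename, time_t mtime)`. Leaving the annotation on the declaration suggests the function itself launders the address space, which is not what happens. The function body is outside this hunk.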
48890 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
48891 struct dir_entry *de, *tmp;
48892 list_for_each_entry_safe(de, tmp, &dir_list, list) {
48893 list_del(&de->list);
48894 - do_utime(de->name, de->mtime);
48895 + do_utime((__force char __user *)de->name, de->mtime);
48899 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
48901 char *old = find_link(major, minor, ino, mode, collected);
48903 - return (sys_link(old, collected) < 0) ? -1 : 1;
48904 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
48908 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
48912 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
48913 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
48914 if (S_ISDIR(st.st_mode))
48916 + sys_rmdir((__force char __user *)path);
48918 - sys_unlink(path);
48919 + sys_unlink((__force char __user *)path);
48923 @@ -305,7 +305,7 @@ static int __init do_name(void)
48924 int openflags = O_WRONLY|O_CREAT;
48926 openflags |= O_TRUNC;
48927 - wfd = sys_open(collected, openflags, mode);
48928 + wfd = sys_open((__force char __user *)collected, openflags, mode);
48931 sys_fchown(wfd, uid, gid);
48932 @@ -317,17 +317,17 @@ static int __init do_name(void)
48935 } else if (S_ISDIR(mode)) {
48936 - sys_mkdir(collected, mode);
48937 - sys_chown(collected, uid, gid);
48938 - sys_chmod(collected, mode);
48939 + sys_mkdir((__force char __user *)collected, mode);
48940 + sys_chown((__force char __user *)collected, uid, gid);
48941 + sys_chmod((__force char __user *)collected, mode);
48942 dir_add(collected, mtime);
48943 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
48944 S_ISFIFO(mode) || S_ISSOCK(mode)) {
48945 if (maybe_link() == 0) {
48946 - sys_mknod(collected, mode, rdev);
48947 - sys_chown(collected, uid, gid);
48948 - sys_chmod(collected, mode);
48949 - do_utime(collected, mtime);
48950 + sys_mknod((__force char __user *)collected, mode, rdev);
48951 + sys_chown((__force char __user *)collected, uid, gid);
48952 + sys_chmod((__force char __user *)collected, mode);
48953 + do_utime((__force char __user *)collected, mtime);
48957 @@ -336,15 +336,15 @@ static int __init do_name(void)
48958 static int __init do_copy(void)
48960 if (count >= body_len) {
48961 - sys_write(wfd, victim, body_len);
48962 + sys_write(wfd, (__force char __user *)victim, body_len);
48964 - do_utime(vcollected, mtime);
48965 + do_utime((__force char __user *)vcollected, mtime);
48971 - sys_write(wfd, victim, count);
48972 + sys_write(wfd, (__force char __user *)victim, count);
48976 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
48978 collected[N_ALIGN(name_len) + body_len] = '\0';
48979 clean_path(collected, 0);
48980 - sys_symlink(collected + N_ALIGN(name_len), collected);
48981 - sys_lchown(collected, uid, gid);
48982 - do_utime(collected, mtime);
48983 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
48984 + sys_lchown((__force char __user *)collected, uid, gid);
48985 + do_utime((__force char __user *)collected, mtime);
48987 next_state = Reset;
48989 diff -urNp linux-2.6.37/init/Kconfig linux-2.6.37/init/Kconfig
48990 --- linux-2.6.37/init/Kconfig 2011-01-04 19:50:19.000000000 -0500
48991 +++ linux-2.6.37/init/Kconfig 2011-01-17 02:41:02.000000000 -0500
48992 @@ -1108,7 +1108,7 @@ config SLUB_DEBUG
48995 bool "Disable heap randomization"
48999 Randomizing heap placement makes heap exploits harder, but it
49000 also breaks ancient binaries (including anything libc5 based).
49001 diff -urNp linux-2.6.37/init/main.c linux-2.6.37/init/main.c
49002 --- linux-2.6.37/init/main.c 2011-01-04 19:50:19.000000000 -0500
49003 +++ linux-2.6.37/init/main.c 2011-01-17 02:41:02.000000000 -0500
49004 @@ -94,6 +94,7 @@ static inline void mark_rodata_ro(void)
49006 extern void tc_init(void);
49008 +extern void grsecurity_init(void);
49010 enum system_states system_state __read_mostly;
49011 EXPORT_SYMBOL(system_state);
49012 @@ -196,6 +197,47 @@ static int __init set_reset_devices(char
49014 __setup("reset_devices", set_reset_devices);
49016 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
49017 +extern char pax_enter_kernel_user[];
49018 +extern char pax_exit_kernel_user[];
49019 +extern pgdval_t clone_pgd_mask;
49022 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
49023 +static int __init setup_pax_nouderef(char *str)
49025 +#ifdef CONFIG_X86_32
49026 + unsigned int cpu;
49028 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
49029 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
49030 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
49031 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
49032 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
49034 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
49036 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
49037 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
49038 + clone_pgd_mask = ~(pgdval_t)0UL;
49043 +early_param("pax_nouderef", setup_pax_nouderef);
49046 +#ifdef CONFIG_PAX_SOFTMODE
49047 +unsigned int pax_softmode;
49049 +static int __init setup_pax_softmode(char *str)
49051 + get_option(&str, &pax_softmode);
49054 +__setup("pax_softmode=", setup_pax_softmode);
49057 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
49058 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
49059 static const char *panic_later, *panic_param;
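Review bot: `setup_pax_nouderef` and `setup_pax_softmode` weaken a protection from the kernel command line, and the visible lines log nothing when they do, so the only trace of a boot with `pax_nouderef` or `pax_softmode=` is the command line itself. A line such as `printk(KERN_WARNING "PAX: UDEREF disabled on the kernel command line\n");` in each handler would give auditing and boot-log monitoring something explicit to key on. Separately, `pax_softmode` is `unsigned int` but `get_option()` takes an `int *`, so `get_option(&str, &pax_softmode)` passes a pointer of the wrong signedness; parsing into a local `int` and assigning it would be cleaner. Some lines of both functions (braces, `#else`/`#endif`, the return) are not shown in this view.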
49060 @@ -740,6 +782,7 @@ int __init_or_module do_one_initcall(ini
49062 int count = preempt_count();
49064 + const char *msg1 = "", *msg2 = "";
49066 if (initcall_debug)
49067 ret = do_one_initcall_debug(fn);
49068 @@ -752,15 +795,15 @@ int __init_or_module do_one_initcall(ini
49069 sprintf(msgbuf, "error code %d ", ret);
49071 if (preempt_count() != count) {
49072 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
49073 + msg1 = " preemption imbalance";
49074 preempt_count() = count;
49076 if (irqs_disabled()) {
49077 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
49078 + msg2 = " disabled interrupts";
49079 local_irq_enable();
49082 - printk("initcall %pF returned with %s\n", fn, msgbuf);
49083 + if (msgbuf[0] || *msg1 || *msg2) {
49084 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
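Review bot: The new message parts start with a space (`" preemption imbalance"`, `" disabled interrupts"`) while `msgbuf` is still filled with a trailing space by `sprintf(msgbuf, "error code %d ", ret)`, so the printed line gets two consecutive spaces between parts, and also after "returned with" when `msgbuf` is empty. Keeping the old trailing-space convention avoids this: `msg1 = "preemption imbalance ";` and `msg2 = "disabled interrupts ";`. The enclosing function starts before the hunk and some of its lines are not shown here.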
49088 @@ -889,7 +932,7 @@ static int __init kernel_init(void * unu
49091 /* Open the /dev/console on the rootfs, this should never fail */
49092 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
49093 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
49094 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
49097 @@ -902,11 +945,13 @@ static int __init kernel_init(void * unu
49098 if (!ramdisk_execute_command)
49099 ramdisk_execute_command = "/init";
49101 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
49102 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
49103 ramdisk_execute_command = NULL;
49104 prepare_namespace();
49107 + grsecurity_init();
49110 * Ok, we have completed the initial bootup, and
49111 * we're essentially up and running. Get rid of the
49112 diff -urNp linux-2.6.37/ipc/mqueue.c linux-2.6.37/ipc/mqueue.c
49113 --- linux-2.6.37/ipc/mqueue.c 2011-01-04 19:50:19.000000000 -0500
49114 +++ linux-2.6.37/ipc/mqueue.c 2011-01-17 02:41:02.000000000 -0500
49115 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
49116 mq_bytes = (mq_msg_tblsz +
49117 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
49119 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
49120 spin_lock(&mq_lock);
49121 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
49122 u->mq_bytes + mq_bytes >
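Review bot: `gr_learn_resource()` is called before `spin_lock(&mq_lock)` and before the wrap test on the next line, so the `u->mq_bytes + mq_bytes` it receives is read without the lock and may already have overflowed. Computing the sum after `spin_lock(&mq_lock);` and skipping the call when `u->mq_bytes + mq_bytes < u->mq_bytes` would keep the recorded value consistent with what the limit check sees. Whether gr_learn_resource may run under a spinlock is not visible on this page and needs confirming first. mqueue_get_inode continues outside the hunk.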
49123 diff -urNp linux-2.6.37/ipc/shm.c linux-2.6.37/ipc/shm.c
49124 --- linux-2.6.37/ipc/shm.c 2011-01-04 19:50:19.000000000 -0500
49125 +++ linux-2.6.37/ipc/shm.c 2011-01-17 02:41:02.000000000 -0500
49126 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
49127 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
49130 +#ifdef CONFIG_GRKERNSEC
49131 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49132 + const time_t shm_createtime, const uid_t cuid,
49133 + const int shmid);
49134 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49135 + const time_t shm_createtime);
49138 void shm_init_ns(struct ipc_namespace *ns)
49140 ns->shm_ctlmax = SHMMAX;
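Review bot: The prototypes for `gr_handle_shmat()` and `gr_chroot_shmat()` are declared `extern` directly in ipc/shm.c, so the compiler never checks them against the definitions if a parameter type or count changes. Declaring them once in a header included by both the defining file and this one would catch that; the page does not show which header the other `gr_*` calls rely on. The same applies to `extern rwlock_t grsec_exec_file_lock;` added near the top of kernel/exit.c.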
49141 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
49142 shp->shm_lprid = 0;
49143 shp->shm_atim = shp->shm_dtim = 0;
49144 shp->shm_ctim = get_seconds();
49145 +#ifdef CONFIG_GRKERNSEC
49147 + struct timespec timeval;
49148 + do_posix_clock_monotonic_gettime(&timeval);
49150 + shp->shm_createtime = timeval.tv_sec;
49153 shp->shm_segsz = size;
49154 shp->shm_nattch = 0;
49155 shp->shm_file = file;
49156 @@ -895,9 +911,21 @@ long do_shmat(int shmid, char __user *sh
49160 +#ifdef CONFIG_GRKERNSEC
49161 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
49162 + shp->shm_perm.cuid, shmid) ||
49163 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
49169 path = shp->shm_file->f_path;
49172 +#ifdef CONFIG_GRKERNSEC
49173 + shp->shm_lapid = current->pid;
49175 size = i_size_read(path.dentry->d_inode);
49178 diff -urNp linux-2.6.37/kernel/acct.c linux-2.6.37/kernel/acct.c
49179 --- linux-2.6.37/kernel/acct.c 2011-01-04 19:50:19.000000000 -0500
49180 +++ linux-2.6.37/kernel/acct.c 2011-01-17 02:41:02.000000000 -0500
49181 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
49183 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
49184 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
49185 - file->f_op->write(file, (char *)&ac,
49186 + file->f_op->write(file, (__force char __user *)&ac,
49187 sizeof(acct_t), &file->f_pos);
49188 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
49190 diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c
49191 --- linux-2.6.37/kernel/capability.c 2011-01-04 19:50:19.000000000 -0500
49192 +++ linux-2.6.37/kernel/capability.c 2011-01-17 02:41:02.000000000 -0500
49193 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
49194 * before modification is attempted and the application
49197 + if (tocopy > ARRAY_SIZE(kdata))
49200 if (copy_to_user(dataptr, kdata, tocopy
49201 * sizeof(struct __user_cap_data_struct))) {
49203 @@ -306,10 +309,26 @@ int capable(int cap)
49207 - if (security_capable(cap) == 0) {
49208 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
49209 current->flags |= PF_SUPERPRIV;
49215 +int capable_nolog(int cap)
49217 + if (unlikely(!cap_valid(cap))) {
49218 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
49222 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
49223 + current->flags |= PF_SUPERPRIV;
49229 EXPORT_SYMBOL(capable);
49230 +EXPORT_SYMBOL(capable_nolog);
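Review bot: `capable_nolog()` logs `"capable() called with invalid cap=%u\n"`, which attributes an invalid capability to the wrong entry point when it arrives through the new function. Changing the line to `printk(KERN_CRIT "capable_nolog() called with invalid cap=%u\n", cap);` keeps the log attributable. The visible body otherwise mirrors capable() apart from the `gr_is_capable_nolog()` call, so a short comment above it, `/* as capable(), but the grsecurity check does not log the denial */`, would tell callers when to pick it; that wording is inferred from the name and should be confirmed.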
49231 diff -urNp linux-2.6.37/kernel/compat.c linux-2.6.37/kernel/compat.c
49232 --- linux-2.6.37/kernel/compat.c 2011-01-04 19:50:19.000000000 -0500
49233 +++ linux-2.6.37/kernel/compat.c 2011-01-17 02:41:02.000000000 -0500
49236 #include <linux/linkage.h>
49237 #include <linux/compat.h>
49238 +#include <linux/module.h>
49239 #include <linux/errno.h>
49240 #include <linux/time.h>
49241 #include <linux/signal.h>
49242 diff -urNp linux-2.6.37/kernel/configs.c linux-2.6.37/kernel/configs.c
49243 --- linux-2.6.37/kernel/configs.c 2011-01-04 19:50:19.000000000 -0500
49244 +++ linux-2.6.37/kernel/configs.c 2011-01-17 02:41:02.000000000 -0500
49245 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
49246 struct proc_dir_entry *entry;
49248 /* create the current config file */
49249 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
49250 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
49251 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
49252 + &ikconfig_file_ops);
49253 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49254 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
49255 + &ikconfig_file_ops);
49258 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
49259 &ikconfig_file_ops);
49265 diff -urNp linux-2.6.37/kernel/cred.c linux-2.6.37/kernel/cred.c
49266 --- linux-2.6.37/kernel/cred.c 2011-01-04 19:50:19.000000000 -0500
49267 +++ linux-2.6.37/kernel/cred.c 2011-01-17 02:41:02.000000000 -0500
49268 @@ -483,6 +483,8 @@ int commit_creds(struct cred *new)
49270 get_cred(new); /* we will require a ref for the subj creds too */
49272 + gr_set_role_label(task, new->uid, new->gid);
49274 /* dumpability changes */
49275 if (old->euid != new->euid ||
49276 old->egid != new->egid ||
49277 diff -urNp linux-2.6.37/kernel/debug/debug_core.c linux-2.6.37/kernel/debug/debug_core.c
49278 --- linux-2.6.37/kernel/debug/debug_core.c 2011-01-04 19:50:19.000000000 -0500
49279 +++ linux-2.6.37/kernel/debug/debug_core.c 2011-01-17 02:41:02.000000000 -0500
49280 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
49281 /* Guard for recursive entry */
49282 static int exception_level;
49284 -struct kgdb_io *dbg_io_ops;
49285 +const struct kgdb_io *dbg_io_ops;
49286 static DEFINE_SPINLOCK(kgdb_registration_lock);
49288 /* kgdb console driver is loaded */
49289 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
49291 * Register it with the KGDB core.
49293 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
49294 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
49298 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
49300 * Unregister it with the KGDB core.
49302 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
49303 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
49305 BUG_ON(kgdb_connected);
49307 diff -urNp linux-2.6.37/kernel/debug/kdb/kdb_main.c linux-2.6.37/kernel/debug/kdb/kdb_main.c
49308 --- linux-2.6.37/kernel/debug/kdb/kdb_main.c 2011-01-04 19:50:19.000000000 -0500
49309 +++ linux-2.6.37/kernel/debug/kdb/kdb_main.c 2011-01-17 02:41:02.000000000 -0500
49310 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
49311 list_for_each_entry(mod, kdb_modules, list) {
49313 kdb_printf("%-20s%8u 0x%p ", mod->name,
49314 - mod->core_size, (void *)mod);
49315 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
49316 #ifdef CONFIG_MODULE_UNLOAD
49317 kdb_printf("%4d ", module_refcount(mod));
49319 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
49320 kdb_printf(" (Loading)");
49322 kdb_printf(" (Live)");
49323 - kdb_printf(" 0x%p", mod->module_core);
49324 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
49326 #ifdef CONFIG_MODULE_UNLOAD
49328 diff -urNp linux-2.6.37/kernel/exit.c linux-2.6.37/kernel/exit.c
49329 --- linux-2.6.37/kernel/exit.c 2011-01-04 19:50:19.000000000 -0500
49330 +++ linux-2.6.37/kernel/exit.c 2011-01-17 02:41:02.000000000 -0500
49332 #include <asm/pgtable.h>
49333 #include <asm/mmu_context.h>
49335 +#ifdef CONFIG_GRKERNSEC
49336 +extern rwlock_t grsec_exec_file_lock;
49339 static void exit_mm(struct task_struct * tsk);
49341 static void __unhash_process(struct task_struct *p, bool group_dead)
49342 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
49343 struct task_struct *leader;
49346 + gr_del_task_from_ip_table(p);
49348 tracehook_prepare_release_task(p);
49349 /* don't need to get the RCU readlock here - the process is dead and
49350 * can't be modifying its own credentials. But shut RCU-lockdep up */
49351 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
49353 write_lock_irq(&tasklist_lock);
49355 +#ifdef CONFIG_GRKERNSEC
49356 + write_lock(&grsec_exec_file_lock);
49357 + if (current->exec_file) {
49358 + fput(current->exec_file);
49359 + current->exec_file = NULL;
49361 + write_unlock(&grsec_exec_file_lock);
49364 ptrace_unlink(current);
49365 /* Reparent to init */
49366 current->real_parent = current->parent = kthreadd_task;
49367 list_move_tail(¤t->sibling, ¤t->real_parent->children);
49369 + gr_set_kernel_label(current);
49371 /* Set the exit signal to SIGCHLD so we signal init on exit */
49372 current->exit_signal = SIGCHLD;
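Review bot: `fput(current->exec_file)` runs while `tasklist_lock` is write-held with interrupts disabled and `grsec_exec_file_lock` is write-held; if that call drops the last reference, the file's release path executes in atomic context, where it must not sleep. Detaching the pointer under the lock and calling `fput()` only after both locks are released avoids this; the matching `write_unlock_irq` for `tasklist_lock` is outside the hunk, so the deferred call belongs after it. The daemonize() hunk further down adds the same block under `grsec_exec_file_lock` and should get the same treatment. reparent_to_kthreadd's body starts and ends outside the hunk.
```c
	struct file *exec_file = NULL;	/* with the function's other locals */

#ifdef CONFIG_GRKERNSEC
	write_lock(&grsec_exec_file_lock);
	exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
#endif

	/* … unchanged: ptrace_unlink(), reparenting, gr_set_kernel_label() … */

	/* once tasklist_lock has been released (outside this hunk) */
	if (exec_file)
		fput(exec_file);
```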
49374 @@ -394,7 +411,7 @@ int allow_signal(int sig)
49375 * know it'll be handled, so that they don't get converted to
49376 * SIGKILL or just silently dropped.
49378 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
49379 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
49380 recalc_sigpending();
49381 spin_unlock_irq(¤t->sighand->siglock);
49383 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
49384 vsnprintf(current->comm, sizeof(current->comm), name, args);
49387 +#ifdef CONFIG_GRKERNSEC
49388 + write_lock(&grsec_exec_file_lock);
49389 + if (current->exec_file) {
49390 + fput(current->exec_file);
49391 + current->exec_file = NULL;
49393 + write_unlock(&grsec_exec_file_lock);
49396 + gr_set_kernel_label(current);
49399 * If we were started as result of loading a module, close all of the
49400 * user space pages. We don't need them, and if we didn't close them
49401 @@ -905,17 +933,17 @@ NORET_TYPE void do_exit(long code)
49402 struct task_struct *tsk = current;
49405 - profile_task_exit(tsk);
49407 - WARN_ON(atomic_read(&tsk->fs_excl));
49410 + * Check this first since set_fs() below depends on
49411 + * current_thread_info(), which we better not access when we're in
49412 + * interrupt context. Other than that, we want to do the set_fs()
49413 + * as early as possible.
49415 if (unlikely(in_interrupt()))
49416 panic("Aiee, killing interrupt handler!");
49417 - if (unlikely(!tsk->pid))
49418 - panic("Attempted to kill the idle task!");
49421 - * If do_exit is called because this processes oopsed, it's possible
49422 + * If do_exit is called because this processes Oops'ed, it's possible
49423 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
49424 * continuing. Amongst other possible reasons, this is to prevent
49425 * mm_release()->clear_child_tid() from writing to a user-controlled
49426 @@ -923,6 +951,13 @@ NORET_TYPE void do_exit(long code)
49430 + profile_task_exit(tsk);
49432 + WARN_ON(atomic_read(&tsk->fs_excl));
49434 + if (unlikely(!tsk->pid))
49435 + panic("Attempted to kill the idle task!");
49437 tracehook_report_exit(&code);
49439 validate_creds_for_do_exit(tsk);
49440 @@ -983,6 +1018,9 @@ NORET_TYPE void do_exit(long code)
49441 tsk->exit_code = code;
49442 taskstats_exit(tsk, group_dead);
49444 + gr_acl_handle_psacct(tsk, code);
49445 + gr_acl_handle_exit();
49450 diff -urNp linux-2.6.37/kernel/fork.c linux-2.6.37/kernel/fork.c
49451 --- linux-2.6.37/kernel/fork.c 2011-01-04 19:50:19.000000000 -0500
49452 +++ linux-2.6.37/kernel/fork.c 2011-01-17 02:41:02.000000000 -0500
49453 @@ -278,7 +278,7 @@ static struct task_struct *dup_task_stru
49454 *stackend = STACK_END_MAGIC; /* for overflow detection */
49456 #ifdef CONFIG_CC_STACKPROTECTOR
49457 - tsk->stack_canary = get_random_int();
49458 + tsk->stack_canary = pax_get_random_long();
49461 /* One for us, one for whoever does the "release_task()" (usually parent) */
49462 @@ -300,13 +300,78 @@ out:
49466 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
49468 + struct vm_area_struct *tmp;
49469 + unsigned long charge;
49470 + struct mempolicy *pol;
49471 + struct file *file;
49474 + if (mpnt->vm_flags & VM_ACCOUNT) {
49475 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49476 + if (security_vm_enough_memory(len))
49480 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49485 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
49486 + pol = mpol_dup(vma_policy(mpnt));
49488 + goto fail_nomem_policy;
49489 + vma_set_policy(tmp, pol);
49490 + if (anon_vma_fork(tmp, mpnt))
49491 + goto fail_nomem_anon_vma_fork;
49492 + tmp->vm_flags &= ~VM_LOCKED;
49493 + tmp->vm_next = tmp->vm_prev = NULL;
49494 + tmp->vm_mirror = NULL;
49495 + file = tmp->vm_file;
49497 + struct inode *inode = file->f_path.dentry->d_inode;
49498 + struct address_space *mapping = file->f_mapping;
49501 + if (tmp->vm_flags & VM_DENYWRITE)
49502 + atomic_dec(&inode->i_writecount);
49503 + spin_lock(&mapping->i_mmap_lock);
49504 + if (tmp->vm_flags & VM_SHARED)
49505 + mapping->i_mmap_writable++;
49506 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
49507 + flush_dcache_mmap_lock(mapping);
49508 + /* insert tmp into the share list, just after mpnt */
49509 + vma_prio_tree_add(tmp, mpnt);
49510 + flush_dcache_mmap_unlock(mapping);
49511 + spin_unlock(&mapping->i_mmap_lock);
49515 + * Clear hugetlb-related page reserves for children. This only
49516 + * affects MAP_PRIVATE mappings. Faults generated by the child
49517 + * are not guaranteed to succeed, even if read-only
49519 + if (is_vm_hugetlb_page(tmp))
49520 + reset_vma_resv_huge_pages(tmp);
49524 +fail_nomem_anon_vma_fork:
49526 +fail_nomem_policy:
49527 + kmem_cache_free(vm_area_cachep, tmp);
49529 + vm_unacct_memory(charge);
49533 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
49535 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
49536 struct rb_node **rb_link, *rb_parent;
49538 - unsigned long charge;
49539 - struct mempolicy *pol;
49541 down_write(&oldmm->mmap_sem);
49542 flush_cache_dup_mm(oldmm);
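Review bot: The new static helper `dup_vma()` carries no comment describing its contract, although the caller in the later dup_mmap hunk now maps every failure to `retval = -ENOMEM`. A header such as `/* Copy one parent vma for the child @mm; on failure the VM_ACCOUNT charge is released and the caller reports -ENOMEM. */` would state that. The return statements are not visible on this page, so the failure convention should be confirmed before wording it.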
49543 @@ -318,8 +383,8 @@ static int dup_mmap(struct mm_struct *mm
49546 mm->mmap_cache = NULL;
49547 - mm->free_area_cache = oldmm->mmap_base;
49548 - mm->cached_hole_size = ~0UL;
49549 + mm->free_area_cache = oldmm->free_area_cache;
49550 + mm->cached_hole_size = oldmm->cached_hole_size;
49552 cpumask_clear(mm_cpumask(mm));
49553 mm->mm_rb = RB_ROOT;
49554 @@ -332,8 +397,6 @@ static int dup_mmap(struct mm_struct *mm
49557 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
49558 - struct file *file;
49560 if (mpnt->vm_flags & VM_DONTCOPY) {
49561 long pages = vma_pages(mpnt);
49562 mm->total_vm -= pages;
49563 @@ -341,56 +404,13 @@ static int dup_mmap(struct mm_struct *mm
49568 - if (mpnt->vm_flags & VM_ACCOUNT) {
49569 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49570 - if (security_vm_enough_memory(len))
49574 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49578 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
49579 - pol = mpol_dup(vma_policy(mpnt));
49580 - retval = PTR_ERR(pol);
49582 - goto fail_nomem_policy;
49583 - vma_set_policy(tmp, pol);
49585 - if (anon_vma_fork(tmp, mpnt))
49586 - goto fail_nomem_anon_vma_fork;
49587 - tmp->vm_flags &= ~VM_LOCKED;
49588 - tmp->vm_next = tmp->vm_prev = NULL;
49589 - file = tmp->vm_file;
49591 - struct inode *inode = file->f_path.dentry->d_inode;
49592 - struct address_space *mapping = file->f_mapping;
49595 - if (tmp->vm_flags & VM_DENYWRITE)
49596 - atomic_dec(&inode->i_writecount);
49597 - spin_lock(&mapping->i_mmap_lock);
49598 - if (tmp->vm_flags & VM_SHARED)
49599 - mapping->i_mmap_writable++;
49600 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
49601 - flush_dcache_mmap_lock(mapping);
49602 - /* insert tmp into the share list, just after mpnt */
49603 - vma_prio_tree_add(tmp, mpnt);
49604 - flush_dcache_mmap_unlock(mapping);
49605 - spin_unlock(&mapping->i_mmap_lock);
49606 + tmp = dup_vma(mm, mpnt);
49608 + retval = -ENOMEM;
49613 - * Clear hugetlb-related page reserves for children. This only
49614 - * affects MAP_PRIVATE mappings. Faults generated by the child
49615 - * are not guaranteed to succeed, even if read-only
49617 - if (is_vm_hugetlb_page(tmp))
49618 - reset_vma_resv_huge_pages(tmp);
49621 * Link in the new vma and copy the page table entries.
49624 @@ -411,6 +431,31 @@ static int dup_mmap(struct mm_struct *mm
49629 +#ifdef CONFIG_PAX_SEGMEXEC
49630 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
49631 + struct vm_area_struct *mpnt_m;
49633 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
49634 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
49636 + if (!mpnt->vm_mirror)
49639 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
49640 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
49641 + mpnt->vm_mirror = mpnt_m;
49643 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
49644 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
49645 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
49646 + mpnt->vm_mirror->vm_mirror = mpnt;
49653 /* a new mm has just been created */
49654 arch_dup_mmap(oldmm, mm);
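Review bot: The SEGMEXEC fix-up loop advances `mpnt` and `mpnt_m` in lockstep, which is only valid if every vma in `oldmm->mmap` has a counterpart in `mm->mmap`; the copy loop in the earlier hunk has a `VM_DONTCOPY` branch that appears to skip such vmas, in which case the lists diverge and the first `BUG_ON` would fire. Either advance only the parent side past `VM_DONTCOPY` entries before pairing, or add a comment above the loop, `/* parent and child vma lists pair one-to-one here because ... */`, recording why that cannot happen under `MF_PAX_SEGMEXEC`. The remainder of the `VM_DONTCOPY` branch is not shown on this page, so the skip is inferred.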
49656 @@ -419,14 +464,6 @@ out:
49657 flush_tlb_mm(oldmm);
49658 up_write(&oldmm->mmap_sem);
49660 -fail_nomem_anon_vma_fork:
49662 -fail_nomem_policy:
49663 - kmem_cache_free(vm_area_cachep, tmp);
49665 - retval = -ENOMEM;
49666 - vm_unacct_memory(charge);
49670 static inline int mm_alloc_pgd(struct mm_struct * mm)
49671 @@ -765,13 +802,14 @@ static int copy_fs(unsigned long clone_f
49672 spin_unlock(&fs->lock);
49676 + atomic_inc(&fs->users);
49677 spin_unlock(&fs->lock);
49680 tsk->fs = copy_fs_struct(fs);
49683 + gr_set_chroot_entries(tsk, &tsk->fs->root);
49687 @@ -1027,10 +1065,13 @@ static struct task_struct *copy_process(
49689 if (!vx_nproc_avail(1))
49690 goto bad_fork_free;
49692 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
49694 if (atomic_read(&p->real_cred->user->processes) >=
49695 task_rlimit(p, RLIMIT_NPROC)) {
49696 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
49697 - p->real_cred->user != INIT_USER)
49698 + if (p->real_cred->user != INIT_USER &&
49699 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
49700 goto bad_fork_free;
49703 @@ -1184,6 +1225,8 @@ static struct task_struct *copy_process(
49704 goto bad_fork_free_pid;
49707 + gr_copy_label(p);
49709 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
49711 * Clear TID on mm_release()?
49712 @@ -1341,6 +1384,8 @@ bad_fork_cleanup_count:
49716 + gr_log_forkfail(retval);
49718 return ERR_PTR(retval);
49721 @@ -1446,6 +1491,8 @@ long do_fork(unsigned long clone_flags,
49722 if (clone_flags & CLONE_PARENT_SETTID)
49723 put_user(nr, parent_tidptr);
49725 + gr_handle_brute_check();
49727 if (clone_flags & CLONE_VFORK) {
49728 p->vfork_done = &vfork;
49729 init_completion(&vfork);
49730 @@ -1570,7 +1617,7 @@ static int unshare_fs(unsigned long unsh
49733 /* don't need lock here; in the worst case we'll do useless copy */
49734 - if (fs->users == 1)
49735 + if (atomic_read(&fs->users) == 1)
49738 *new_fsp = copy_fs_struct(fs);
49739 @@ -1693,7 +1740,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
49741 spin_lock(&fs->lock);
49742 current->fs = new_fs;
49744 + gr_set_chroot_entries(current, ¤t->fs->root);
49745 + if (atomic_dec_return(&fs->users))
49749 diff -urNp linux-2.6.37/kernel/futex.c linux-2.6.37/kernel/futex.c
49750 --- linux-2.6.37/kernel/futex.c 2011-01-04 19:50:19.000000000 -0500
49751 +++ linux-2.6.37/kernel/futex.c 2011-01-17 02:41:02.000000000 -0500
49753 #include <linux/mount.h>
49754 #include <linux/pagemap.h>
49755 #include <linux/syscalls.h>
49756 +#include <linux/ptrace.h>
49757 #include <linux/signal.h>
49758 #include <linux/module.h>
49759 #include <linux/magic.h>
49760 @@ -222,6 +223,11 @@ get_futex_key(u32 __user *uaddr, int fsh
49764 +#ifdef CONFIG_PAX_SEGMEXEC
49765 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
49770 * The futex address must be "naturally" aligned.
49772 @@ -2384,7 +2390,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49774 struct robust_list_head __user *head;
49776 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49777 const struct cred *cred = current_cred(), *pcred;
49780 if (!futex_cmpxchg_enabled)
49782 @@ -2400,11 +2408,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49786 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49787 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49790 pcred = __task_cred(p);
49791 if (cred->euid != pcred->euid &&
49792 cred->euid != pcred->uid &&
49793 !capable(CAP_SYS_PTRACE))
49796 head = p->robust_list;
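Review bot: The access check in get_robust_list now has two policies selected by `CONFIG_GRKERNSEC_PROC_MEMMAP`: `ptrace_may_access(p, PTRACE_MODE_READ)` in one build and the older `euid`/`uid` comparison with `CAP_SYS_PTRACE` in the other. The ptrace check is generally the stricter of the two, so making it unconditional would remove this `#ifdef` and the one around the `cred`/`pcred` locals in the previous hunk; the same holds for compat_sys_get_robust_list in kernel/futex_compat.c. If the split is kept, a comment such as `/* the robust list head is a user address of the target: gate it like other address-space reads */` would record the reason, assuming that is the intent.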
49799 @@ -2648,6 +2661,7 @@ static int __init futex_init(void)
49803 + mm_segment_t oldfs;
49806 * This will fail and we want it. Some arch implementations do
49807 @@ -2659,7 +2673,10 @@ static int __init futex_init(void)
49808 * implementation, the non-functional ones will return
49811 + oldfs = get_fs();
49813 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
49815 if (curval == -EFAULT)
49816 futex_cmpxchg_enabled = 1;
49818 diff -urNp linux-2.6.37/kernel/futex_compat.c linux-2.6.37/kernel/futex_compat.c
49819 --- linux-2.6.37/kernel/futex_compat.c 2011-01-04 19:50:19.000000000 -0500
49820 +++ linux-2.6.37/kernel/futex_compat.c 2011-01-17 02:41:02.000000000 -0500
49822 #include <linux/compat.h>
49823 #include <linux/nsproxy.h>
49824 #include <linux/futex.h>
49825 +#include <linux/ptrace.h>
49827 #include <asm/uaccess.h>
49829 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
49831 struct compat_robust_list_head __user *head;
49833 - const struct cred *cred = current_cred(), *pcred;
49834 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49835 + const struct cred *cred = current_cred();
49836 + const struct cred *pcred;
49839 if (!futex_cmpxchg_enabled)
49841 @@ -152,11 +156,16 @@ compat_sys_get_robust_list(int pid, comp
49845 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49846 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49849 pcred = __task_cred(p);
49850 if (cred->euid != pcred->euid &&
49851 cred->euid != pcred->uid &&
49852 !capable(CAP_SYS_PTRACE))
49855 head = p->compat_robust_list;
49858 diff -urNp linux-2.6.37/kernel/gcov/base.c linux-2.6.37/kernel/gcov/base.c
49859 --- linux-2.6.37/kernel/gcov/base.c 2011-01-04 19:50:19.000000000 -0500
49860 +++ linux-2.6.37/kernel/gcov/base.c 2011-01-17 02:41:02.000000000 -0500
49861 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
49864 #ifdef CONFIG_MODULES
49865 -static inline int within(void *addr, void *start, unsigned long size)
49867 - return ((addr >= start) && (addr < start + size));
49870 /* Update list and generate events when modules are unloaded. */
49871 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
49873 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
49875 /* Remove entries located in module from linked list. */
49876 for (info = gcov_info_head; info; info = info->next) {
49877 - if (within(info, mod->module_core, mod->core_size)) {
49878 + if (within_module_core_rw((unsigned long)info, mod)) {
49880 prev->next = info->next;
49882 diff -urNp linux-2.6.37/kernel/hrtimer.c linux-2.6.37/kernel/hrtimer.c
49883 --- linux-2.6.37/kernel/hrtimer.c 2011-01-04 19:50:19.000000000 -0500
49884 +++ linux-2.6.37/kernel/hrtimer.c 2011-01-17 02:41:02.000000000 -0500
49885 @@ -1401,7 +1401,7 @@ void hrtimer_peek_ahead_timers(void)
49886 local_irq_restore(flags);
49889 -static void run_hrtimer_softirq(struct softirq_action *h)
49890 +static void run_hrtimer_softirq(void)
49892 hrtimer_peek_ahead_timers();
49894 diff -urNp linux-2.6.37/kernel/jump_label.c linux-2.6.37/kernel/jump_label.c
49895 --- linux-2.6.37/kernel/jump_label.c 2011-01-04 19:50:19.000000000 -0500
49896 +++ linux-2.6.37/kernel/jump_label.c 2011-01-17 02:41:02.000000000 -0500
49897 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
49898 mutex_unlock(&jump_label_mutex);
49901 +static void jump_label_swap(void *a, void *b, int size)
49903 + struct jump_entry t;
49905 + t = *(struct jump_entry *)a;
49906 + pax_open_kernel();
49907 + *(struct jump_entry *)a = *(struct jump_entry *)b;
49908 + *(struct jump_entry *)b = t;
49909 + pax_close_kernel();
49912 static int jump_label_cmp(const void *a, const void *b)
49914 const struct jump_entry *jea = a;
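Review bot: `jump_label_swap()` ignores its `size` argument and always copies one `struct jump_entry`, which is correct only because the caller in the next hunk passes `sizeof(struct jump_entry)` to `sort()`; nothing in the function says so. A header comment such as `/* sort() swap callback; size is always sizeof(struct jump_entry). Stores are bracketed by pax_open_kernel()/pax_close_kernel(). */` would document the assumption. Why the table needs the open/close bracket is not stated in the hunk and is worth adding to that comment once confirmed.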
49915 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
49917 size = (((unsigned long)stop - (unsigned long)start)
49918 / sizeof(struct jump_entry));
49919 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
49920 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
49923 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
49924 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
49925 count = e_module->nr_entries;
49926 iter = e_module->table;
49928 - if (within_module_init(iter->code, mod))
49929 + if (within_module_init(iter->code, mod)) {
49930 + pax_open_kernel();
49932 + pax_close_kernel();
49937 diff -urNp linux-2.6.37/kernel/kallsyms.c linux-2.6.37/kernel/kallsyms.c
49938 --- linux-2.6.37/kernel/kallsyms.c 2011-01-04 19:50:19.000000000 -0500
49939 +++ linux-2.6.37/kernel/kallsyms.c 2011-01-17 02:41:02.000000000 -0500
49941 * Changed the compression method from stem compression to "table lookup"
49942 * compression (see scripts/kallsyms.c for a more complete description)
49944 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49945 +#define __INCLUDED_BY_HIDESYM 1
49947 #include <linux/kallsyms.h>
49948 #include <linux/module.h>
49949 #include <linux/init.h>
49950 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
49952 static inline int is_kernel_inittext(unsigned long addr)
49954 + if (system_state != SYSTEM_BOOTING)
49957 if (addr >= (unsigned long)_sinittext
49958 && addr <= (unsigned long)_einittext)
49963 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49964 +#ifdef CONFIG_MODULES
49965 +static inline int is_module_text(unsigned long addr)
49967 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
49970 + addr = ktla_ktva(addr);
49971 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
49974 +static inline int is_module_text(unsigned long addr)
49981 static inline int is_kernel_text(unsigned long addr)
49983 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
49984 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
49986 static inline int is_kernel(unsigned long addr)
49989 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49990 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
49993 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
49995 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
49999 return in_gate_area_no_task(addr);
50002 static int is_ksym_addr(unsigned long addr)
50005 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50006 + if (is_module_text(addr))
50011 return is_kernel(addr);
50013 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
50015 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
50017 - iter->name[0] = '\0';
50018 iter->nameoff = get_symbol_offset(new_pos);
50019 iter->pos = new_pos;
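Review bot: With `iter->name[0] = '\0';` removed, `reset_iter()` no longer guarantees an empty name, so the `!iter->name[0]` test in s_show depends on the `kzalloc()` introduced in kallsyms_open and on whatever fills `name` afterwards. The hunk does not say why the reset was dropped. If keeping the name across resets is intended, a comment in reset_iter such as `/* name is zeroed at allocation and deliberately left alone here */` would stop a later cleanup from switching the allocation back to `kmalloc()`.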
50021 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
50023 struct kallsym_iter *iter = m->private;
50025 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50026 + if (current_uid())
50030 /* Some debugging symbols have no name. Ignore them. */
50031 if (!iter->name[0])
50033 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
50034 struct kallsym_iter *iter;
50037 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
50038 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
50041 reset_iter(iter, 0);
50042 diff -urNp linux-2.6.37/kernel/kmod.c linux-2.6.37/kernel/kmod.c
50043 --- linux-2.6.37/kernel/kmod.c 2011-01-04 19:50:19.000000000 -0500
50044 +++ linux-2.6.37/kernel/kmod.c 2011-01-17 02:41:02.000000000 -0500
50045 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
50049 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
50050 + /* we could do a tighter check here, but some distros
50051 + are taking it upon themselves to remove CAP_SYS_MODULE
50052 + from even root-running apps which cause modules to be
50055 + if (current_uid()) {
50056 + gr_log_nonroot_mod_load(module_name);
50061 /* If modprobe needs a service that is in a module, we get a recursive
50062 * loop. Limit the number of running kmod threads to max_threads/2 or
50063 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
50064 diff -urNp linux-2.6.37/kernel/kprobes.c linux-2.6.37/kernel/kprobes.c
50065 --- linux-2.6.37/kernel/kprobes.c 2011-01-04 19:50:19.000000000 -0500
50066 +++ linux-2.6.37/kernel/kprobes.c 2011-01-17 02:41:02.000000000 -0500
50067 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
50068 * kernel image and loaded module images reside. This is required
50069 * so x86_64 can correctly handle the %rip-relative fixups.
50071 - kip->insns = module_alloc(PAGE_SIZE);
50072 + kip->insns = module_alloc_exec(PAGE_SIZE);
50076 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
50078 if (!list_is_singular(&kip->list)) {
50079 list_del(&kip->list);
50080 - module_free(NULL, kip->insns);
50081 + module_free_exec(NULL, kip->insns);
50085 @@ -1724,7 +1724,7 @@ static int __init init_kprobes(void)
50088 unsigned long offset = 0, size = 0;
50089 - char *modname, namebuf[128];
50090 + char *modname, namebuf[KSYM_NAME_LEN];
50091 const char *symbol_name;
50093 struct kprobe_blackpoint *kb;
50094 @@ -1850,7 +1850,7 @@ static int __kprobes show_kprobe_addr(st
50095 const char *sym = NULL;
50096 unsigned int i = *(loff_t *) v;
50097 unsigned long offset = 0;
50098 - char *modname, namebuf[128];
50099 + char *modname, namebuf[KSYM_NAME_LEN];
50101 head = &kprobe_table[i];
50103 diff -urNp linux-2.6.37/kernel/lockdep.c linux-2.6.37/kernel/lockdep.c
50104 --- linux-2.6.37/kernel/lockdep.c 2011-01-04 19:50:19.000000000 -0500
50105 +++ linux-2.6.37/kernel/lockdep.c 2011-01-17 02:41:02.000000000 -0500
50106 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
50107 end = (unsigned long) &_end,
50108 addr = (unsigned long) obj;
50110 +#ifdef CONFIG_PAX_KERNEXEC
50111 + start = ktla_ktva(start);
50117 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
50118 if (!static_obj(lock->key)) {
50120 printk("INFO: trying to register non-static key.\n");
50121 + printk("lock:%pS key:%pS.\n", lock, lock->key);
50122 printk("the code is fine but needs lockdep annotation.\n");
50123 printk("turning off the locking correctness validator.\n");
50125 @@ -2768,7 +2773,7 @@ static int __lock_acquire(struct lockdep
50129 - atomic_inc((atomic_t *)&class->ops);
50130 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
50131 if (very_verbose(class)) {
50132 printk("\nacquire class [%p] %s", class->key, class->name);
50133 if (class->name_version > 1)
50134 diff -urNp linux-2.6.37/kernel/lockdep_proc.c linux-2.6.37/kernel/lockdep_proc.c
50135 --- linux-2.6.37/kernel/lockdep_proc.c 2011-01-04 19:50:19.000000000 -0500
50136 +++ linux-2.6.37/kernel/lockdep_proc.c 2011-01-17 02:41:02.000000000 -0500
50137 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
50139 static void print_name(struct seq_file *m, struct lock_class *class)
50142 + char str[KSYM_NAME_LEN];
50143 const char *name = class->name;
50146 diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c
50147 --- linux-2.6.37/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
50148 +++ linux-2.6.37/kernel/module.c 2011-01-17 02:41:02.000000000 -0500
50149 @@ -97,7 +97,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
50151 /* Bounds of module allocation, for speeding __module_address.
50152 * Protected by module_mutex. */
50153 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
50154 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
50155 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
50157 int register_module_notifier(struct notifier_block * nb)
50159 @@ -261,7 +262,7 @@ bool each_symbol(bool (*fn)(const struct
50162 list_for_each_entry_rcu(mod, &modules, list) {
50163 - struct symsearch arr[] = {
50164 + struct symsearch modarr[] = {
50165 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
50166 NOT_GPL_ONLY, false },
50167 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
50168 @@ -283,7 +284,7 @@ bool each_symbol(bool (*fn)(const struct
50172 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
50173 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
50177 @@ -394,7 +395,7 @@ static inline void __percpu *mod_percpu(
50178 static int percpu_modalloc(struct module *mod,
50179 unsigned long size, unsigned long align)
50181 - if (align > PAGE_SIZE) {
50182 + if (align-1 >= PAGE_SIZE) {
50183 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
50184 mod->name, align, PAGE_SIZE);
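Review bot: The rewritten guard `align-1 >= PAGE_SIZE` in percpu_modalloc has no comment explaining that it now also rejects `align == 0`, which works only because `align` is declared `unsigned long` and the subtraction wraps. I would add `/* align is unsigned: align - 1 wraps for 0, so this rejects 0 as well as > PAGE_SIZE */` above the test. The warning on the next line still reads "alignment %li > %li", which is misleading for the zero case and prints an unsigned value with a signed conversion; `%lu` matches the declared type. The rest of the function body lies outside the hunk.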
50186 @@ -1566,15 +1567,18 @@ static void free_module(struct module *m
50187 destroy_params(mod->kp, mod->num_kp);
50189 /* This may be NULL, but that's OK */
50190 - module_free(mod, mod->module_init);
50191 + module_free(mod, mod->module_init_rw);
50192 + module_free_exec(mod, mod->module_init_rx);
50194 percpu_modfree(mod);
50196 /* Free lock-classes: */
50197 - lockdep_free_key_range(mod->module_core, mod->core_size);
50198 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
50199 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
50201 /* Finally, free the core (containing the module structure) */
50202 - module_free(mod, mod->module_core);
50203 + module_free_exec(mod, mod->module_core_rx);
50204 + module_free(mod, mod->module_core_rw);
50207 update_protections(current->mm);
50208 @@ -1667,7 +1671,9 @@ static int simplify_symbols(struct modul
50209 ksym = resolve_symbol_wait(mod, info, name);
50210 /* Ok if resolved. */
50211 if (ksym && !IS_ERR(ksym)) {
50212 + pax_open_kernel();
50213 sym[i].st_value = ksym->value;
50214 + pax_close_kernel();
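Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around the `sym[i].st_value` store has no comment saying why a symbol-table write needs it. The layout_symtab hunks further down account the symbol section to `init_size_rx`, so presumably the table now sits in the write-protected image, but a reader of simplify_symbols cannot see that from here. A one-line comment such as `/* symtab is laid out in the RX image; open the write window for this store only */` would do, and the same applies to the `st_value += secbase` store in the next hunk. The enclosing switch and loop are outside the hunk.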
50218 @@ -1686,7 +1692,9 @@ static int simplify_symbols(struct modul
50219 secbase = (unsigned long)mod_percpu(mod);
50221 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
50222 + pax_open_kernel();
50223 sym[i].st_value += secbase;
50224 + pax_close_kernel();
50228 @@ -1774,11 +1782,12 @@ static void layout_sections(struct modul
50229 || s->sh_entsize != ~0UL
50230 || strstarts(sname, ".init"))
50232 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
50233 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
50234 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
50236 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
50237 DEBUGP("\t%s\n", name);
50240 - mod->core_text_size = mod->core_size;
50243 DEBUGP("Init section allocation order:\n");
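Review bot: The RW-versus-RX placement test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out here, repeated in the init-section hunk below and twice more in the move_module copy loop. The offsets stored in `sh_entsize` are only meaningful if all four copies pick the same region. A small static helper returning that expression, for example `static bool section_is_rw(const Elf_Shdr *s)` (the name is only a suggestion), would keep layout and copy in step. In move_module the `!SHF_ALLOC` half looks unreachable, because the loop tests `!(shdr->sh_flags & SHF_ALLOC)` just before it; a helper would make that visible in one place. The `else` lines between the two get_offset calls are not shown in this view.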
50244 @@ -1792,12 +1801,13 @@ static void layout_sections(struct modul
50245 || s->sh_entsize != ~0UL
50246 || !strstarts(sname, ".init"))
50248 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
50249 - | INIT_OFFSET_MASK);
50250 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
50251 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
50253 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
50254 + s->sh_entsize |= INIT_OFFSET_MASK;
50255 DEBUGP("\t%s\n", sname);
50258 - mod->init_text_size = mod->init_size;
50262 @@ -1965,7 +1975,7 @@ static void layout_symtab(struct module
50264 /* Put symbol section at end of init part of module. */
50265 symsect->sh_flags |= SHF_ALLOC;
50266 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
50267 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
50268 info->index.sym) | INIT_OFFSET_MASK;
50269 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
50271 @@ -1982,19 +1992,19 @@ static void layout_symtab(struct module
50274 /* Append room for core symbols at end of core part. */
50275 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
50276 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
50277 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
50278 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
50280 /* Put string table section at end of init part of module. */
50281 strsect->sh_flags |= SHF_ALLOC;
50282 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
50283 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
50284 info->index.str) | INIT_OFFSET_MASK;
50285 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
50287 /* Append room for core symbols' strings at end of core part. */
50288 - info->stroffs = mod->core_size;
50289 + info->stroffs = mod->core_size_rx;
50290 __set_bit(0, info->strmap);
50291 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
50292 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
50295 static void add_kallsyms(struct module *mod, const struct load_info *info)
50296 @@ -2010,11 +2020,13 @@ static void add_kallsyms(struct module *
50297 /* Make sure we get permanent strtab: don't use info->strtab. */
50298 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
50300 + pax_open_kernel();
50302 /* Set types up while we still have access to sections. */
50303 for (i = 0; i < mod->num_symtab; i++)
50304 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
50306 - mod->core_symtab = dst = mod->module_core + info->symoffs;
50307 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
50310 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
50311 @@ -2027,10 +2039,12 @@ static void add_kallsyms(struct module *
50313 mod->core_num_syms = ndst;
50315 - mod->core_strtab = s = mod->module_core + info->stroffs;
50316 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
50317 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
50318 if (test_bit(i, info->strmap))
50319 *++s = mod->strtab[i];
50321 + pax_close_kernel();
50324 static inline void layout_symtab(struct module *mod, struct load_info *info)
50325 @@ -2059,17 +2073,33 @@ static void dynamic_debug_remove(struct
50326 ddebug_remove_module(debug->modname);
50329 -static void *module_alloc_update_bounds(unsigned long size)
50330 +static void *module_alloc_update_bounds_rw(unsigned long size)
50332 void *ret = module_alloc(size);
50335 mutex_lock(&module_mutex);
50336 /* Update module bounds. */
50337 - if ((unsigned long)ret < module_addr_min)
50338 - module_addr_min = (unsigned long)ret;
50339 - if ((unsigned long)ret + size > module_addr_max)
50340 - module_addr_max = (unsigned long)ret + size;
50341 + if ((unsigned long)ret < module_addr_min_rw)
50342 + module_addr_min_rw = (unsigned long)ret;
50343 + if ((unsigned long)ret + size > module_addr_max_rw)
50344 + module_addr_max_rw = (unsigned long)ret + size;
50345 + mutex_unlock(&module_mutex);
50350 +static void *module_alloc_update_bounds_rx(unsigned long size)
50352 + void *ret = module_alloc_exec(size);
50355 + mutex_lock(&module_mutex);
50356 + /* Update module bounds. */
50357 + if ((unsigned long)ret < module_addr_min_rx)
50358 + module_addr_min_rx = (unsigned long)ret;
50359 + if ((unsigned long)ret + size > module_addr_max_rx)
50360 + module_addr_max_rx = (unsigned long)ret + size;
50361 mutex_unlock(&module_mutex);
50364 @@ -2362,7 +2392,7 @@ static int move_module(struct module *mo
50367 /* Do the allocs. */
50368 - ptr = module_alloc_update_bounds(mod->core_size);
50369 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
50371 * The pointer to this block is stored in the module structure
50372 * which is inside the block. Just mark it as not being a
50373 @@ -2372,23 +2402,50 @@ static int move_module(struct module *mo
50377 - memset(ptr, 0, mod->core_size);
50378 - mod->module_core = ptr;
50379 + memset(ptr, 0, mod->core_size_rw);
50380 + mod->module_core_rw = ptr;
50382 - ptr = module_alloc_update_bounds(mod->init_size);
50383 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
50385 * The pointer to this block is stored in the module structure
50386 * which is inside the block. This block doesn't need to be
50387 * scanned as it contains data and code that will be freed
50388 * after the module is initialized.
50390 - kmemleak_ignore(ptr);
50391 - if (!ptr && mod->init_size) {
50392 - module_free(mod, mod->module_core);
50393 + kmemleak_not_leak(ptr);
50394 + if (!ptr && mod->init_size_rw) {
50395 + module_free(mod, mod->module_core_rw);
50398 + memset(ptr, 0, mod->init_size_rw);
50399 + mod->module_init_rw = ptr;
50401 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
50402 + kmemleak_not_leak(ptr);
50404 + module_free(mod, mod->module_init_rw);
50405 + module_free(mod, mod->module_core_rw);
50408 - memset(ptr, 0, mod->init_size);
50409 - mod->module_init = ptr;
50411 + pax_open_kernel();
50412 + memset(ptr, 0, mod->core_size_rx);
50413 + pax_close_kernel();
50414 + mod->module_core_rx = ptr;
50416 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
50417 + kmemleak_not_leak(ptr);
50418 + if (!ptr && mod->init_size_rx) {
50419 + module_free_exec(mod, mod->module_core_rx);
50420 + module_free(mod, mod->module_init_rw);
50421 + module_free(mod, mod->module_core_rw);
50425 + pax_open_kernel();
50426 + memset(ptr, 0, mod->init_size_rx);
50427 + pax_close_kernel();
50428 + mod->module_init_rx = ptr;
50430 /* Transfer each section which specifies SHF_ALLOC */
50431 DEBUGP("final section addresses:\n");
50432 @@ -2399,16 +2456,45 @@ static int move_module(struct module *mo
50433 if (!(shdr->sh_flags & SHF_ALLOC))
50436 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
50437 - dest = mod->module_init
50438 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50440 - dest = mod->module_core + shdr->sh_entsize;
50441 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
50442 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
50443 + dest = mod->module_init_rw
50444 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50446 + dest = mod->module_init_rx
50447 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50449 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
50450 + dest = mod->module_core_rw + shdr->sh_entsize;
50452 + dest = mod->module_core_rx + shdr->sh_entsize;
50455 + if (shdr->sh_type != SHT_NOBITS) {
50457 +#ifdef CONFIG_PAX_KERNEXEC
50458 +#ifdef CONFIG_X86_64
50459 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
50460 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
50462 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
50463 + pax_open_kernel();
50464 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
50465 + pax_close_kernel();
50469 - if (shdr->sh_type != SHT_NOBITS)
50470 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
50472 /* Update sh_addr to point to copy in image. */
50473 - shdr->sh_addr = (unsigned long)dest;
50475 +#ifdef CONFIG_PAX_KERNEXEC
50476 + if (shdr->sh_flags & SHF_EXECINSTR)
50477 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
50481 + shdr->sh_addr = (unsigned long)dest;
50482 DEBUGP("\t0x%lx %s\n",
50483 shdr->sh_addr, info->secstrings + shdr->sh_name);
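Review bot: In the KERNEXEC/X86_64 branch, a section flagged both SHF_WRITE and SHF_EXECINSTR is placed in the RW allocation and then passed to `set_memory_x`, which leaves kernel memory writable and executable at the same time. The page count `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT` is computed from the size alone while `dest` is an offset inside the allocation, so the executable range can cover neighbouring RW data or miss the section's last page, depending on alignment. I would refuse or at least log such sections at load time, and derive the range from the page-aligned bounds: `start = (unsigned long)dest & PAGE_MASK;` then `set_memory_x(start, (PAGE_ALIGN((unsigned long)dest + shdr->sh_size) - start) >> PAGE_SHIFT);`. The preprocessor lines that close these blocks are not visible here, so the exact nesting is inferred.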
50485 @@ -2459,12 +2545,12 @@ static void flush_module_icache(const st
50486 * Do it before processing of module parameters, so the module
50487 * can provide parameter accessor functions of its own.
50489 - if (mod->module_init)
50490 - flush_icache_range((unsigned long)mod->module_init,
50491 - (unsigned long)mod->module_init
50492 - + mod->init_size);
50493 - flush_icache_range((unsigned long)mod->module_core,
50494 - (unsigned long)mod->module_core + mod->core_size);
50495 + if (mod->module_init_rx)
50496 + flush_icache_range((unsigned long)mod->module_init_rx,
50497 + (unsigned long)mod->module_init_rx
50498 + + mod->init_size_rx);
50499 + flush_icache_range((unsigned long)mod->module_core_rx,
50500 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
50504 @@ -2536,8 +2622,10 @@ static void module_deallocate(struct mod
50506 kfree(info->strmap);
50507 percpu_modfree(mod);
50508 - module_free(mod, mod->module_init);
50509 - module_free(mod, mod->module_core);
50510 + module_free_exec(mod, mod->module_init_rx);
50511 + module_free_exec(mod, mod->module_core_rx);
50512 + module_free(mod, mod->module_init_rw);
50513 + module_free(mod, mod->module_core_rw);
50516 static int post_relocation(struct module *mod, const struct load_info *info)
50517 @@ -2765,10 +2853,12 @@ SYSCALL_DEFINE3(init_module, void __user
50518 mod->symtab = mod->core_symtab;
50519 mod->strtab = mod->core_strtab;
50521 - module_free(mod, mod->module_init);
50522 - mod->module_init = NULL;
50523 - mod->init_size = 0;
50524 - mod->init_text_size = 0;
50525 + module_free(mod, mod->module_init_rw);
50526 + module_free_exec(mod, mod->module_init_rx);
50527 + mod->module_init_rw = NULL;
50528 + mod->module_init_rx = NULL;
50529 + mod->init_size_rw = 0;
50530 + mod->init_size_rx = 0;
50531 mutex_unlock(&module_mutex);
50534 @@ -2799,10 +2889,16 @@ static const char *get_ksymbol(struct mo
50535 unsigned long nextval;
50537 /* At worse, next value is at end of module */
50538 - if (within_module_init(addr, mod))
50539 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
50540 + if (within_module_init_rx(addr, mod))
50541 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
50542 + else if (within_module_init_rw(addr, mod))
50543 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
50544 + else if (within_module_core_rx(addr, mod))
50545 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
50546 + else if (within_module_core_rw(addr, mod))
50547 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
50549 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
50552 /* Scan for closest preceeding symbol, and next symbol. (ELF
50553 starts real symbols at 1). */
50554 @@ -3048,7 +3144,7 @@ static int m_show(struct seq_file *m, vo
50557 seq_printf(m, "%s %u",
50558 - mod->name, mod->init_size + mod->core_size);
50559 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
50560 print_unload_info(m, mod);
50562 /* Informative for users. */
50563 @@ -3057,7 +3153,7 @@ static int m_show(struct seq_file *m, vo
50564 mod->state == MODULE_STATE_COMING ? "Loading":
50566 /* Used by oprofile and other similar tools. */
50567 - seq_printf(m, " 0x%p", mod->module_core);
50568 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
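Review bot: Printing two addresses here changes the column layout of /proc/modules, and the comment just above says this field is consumed by oprofile and similar tools. A parser that expects a single address field may read only the RX base or mis-parse the line. I would document the new format next to the call, e.g. `/* two fields: RX (text) base, then RW (data) base */`, and confirm that the tools named in the comment tolerate the extra column. The surrounding m_show body is outside the hunk.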
50572 @@ -3093,7 +3189,17 @@ static const struct file_operations proc
50574 static int __init proc_modules_init(void)
50576 +#ifndef CONFIG_GRKERNSEC_HIDESYM
50577 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50578 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50579 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50580 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
50582 proc_create("modules", 0, NULL, &proc_modules_operations);
50585 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50589 module_init(proc_modules_init);
50590 @@ -3152,12 +3258,12 @@ struct module *__module_address(unsigned
50592 struct module *mod;
50594 - if (addr < module_addr_min || addr > module_addr_max)
50595 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
50596 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
50599 list_for_each_entry_rcu(mod, &modules, list)
50600 - if (within_module_core(addr, mod)
50601 - || within_module_init(addr, mod))
50602 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
50606 @@ -3191,11 +3297,20 @@ bool is_module_text_address(unsigned lon
50608 struct module *__module_text_address(unsigned long addr)
50610 - struct module *mod = __module_address(addr);
50611 + struct module *mod;
50613 +#ifdef CONFIG_X86_32
50614 + addr = ktla_ktva(addr);
50617 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
50620 + mod = __module_address(addr);
50623 /* Make sure it's within the text section. */
50624 - if (!within(addr, mod->module_init, mod->init_text_size)
50625 - && !within(addr, mod->module_core, mod->core_text_size))
50626 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
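Review bot: The translation `addr = ktla_ktva(addr);` is guarded here by `CONFIG_X86_32` alone, while the equivalent translation in static_obj() in kernel/lockdep.c is guarded by `CONFIG_PAX_KERNEXEC`, and nothing in the hunk explains the difference. That is fine if `ktla_ktva` is an identity when KERNEXEC is off, but this is not visible from here. A short comment stating which address form `module_addr_min_rx`/`module_addr_max_rx` are kept in, and that callers may pass the other form, would remove the guesswork. The early RX range test also repeats part of what `__module_address` checks again, which is harmless but worth a word in the same comment. The lines that return NULL are not shown in this view.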
50630 diff -urNp linux-2.6.37/kernel/panic.c linux-2.6.37/kernel/panic.c
50631 --- linux-2.6.37/kernel/panic.c 2011-01-04 19:50:19.000000000 -0500
50632 +++ linux-2.6.37/kernel/panic.c 2011-01-17 02:41:02.000000000 -0500
50633 @@ -368,7 +368,7 @@ static void warn_slowpath_common(const c
50636 printk(KERN_WARNING "------------[ cut here ]------------\n");
50637 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
50638 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
50639 board = dmi_get_system_info(DMI_PRODUCT_NAME);
50641 printk(KERN_WARNING "Hardware name: %s\n", board);
50642 @@ -423,7 +423,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
50644 void __stack_chk_fail(void)
50646 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
50648 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
50649 __builtin_return_address(0));
50651 EXPORT_SYMBOL(__stack_chk_fail);
50652 diff -urNp linux-2.6.37/kernel/pid.c linux-2.6.37/kernel/pid.c
50653 --- linux-2.6.37/kernel/pid.c 2011-01-04 19:50:19.000000000 -0500
50654 +++ linux-2.6.37/kernel/pid.c 2011-01-17 02:41:02.000000000 -0500
50656 #include <linux/rculist.h>
50657 #include <linux/bootmem.h>
50658 #include <linux/hash.h>
50659 +#include <linux/security.h>
50660 #include <linux/pid_namespace.h>
50661 #include <linux/init_task.h>
50662 #include <linux/syscalls.h>
50663 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
50665 int pid_max = PID_MAX_DEFAULT;
50667 -#define RESERVED_PIDS 300
50668 +#define RESERVED_PIDS 500
50670 int pid_max_min = RESERVED_PIDS + 1;
50671 int pid_max_max = PID_MAX_LIMIT;
50672 @@ -416,8 +417,15 @@ EXPORT_SYMBOL(pid_task);
50674 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
50676 + struct task_struct *task;
50678 rcu_lockdep_assert(rcu_read_lock_held());
50679 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
50680 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
50682 + if (gr_pid_is_chrooted(task))
50688 struct task_struct *find_task_by_vpid(pid_t vnr)
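Review bot: `task` can be NULL when the pid lookup finds nothing, and it is passed straight to `gr_pid_is_chrooted(task)`. Unless that helper is documented to accept NULL (its definition is not in this hunk), the test should read `if (task && gr_pid_is_chrooted(task))`. Since find_task_by_vpid and other generic lookups sit on top of this function, a comment stating that the result is deliberately filtered, and for which callers, would help anyone debugging a lookup that unexpectedly returns NULL.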
50689 diff -urNp linux-2.6.37/kernel/posix-cpu-timers.c linux-2.6.37/kernel/posix-cpu-timers.c
50690 --- linux-2.6.37/kernel/posix-cpu-timers.c 2011-01-04 19:50:19.000000000 -0500
50691 +++ linux-2.6.37/kernel/posix-cpu-timers.c 2011-01-17 02:41:02.000000000 -0500
50693 #include <linux/posix-timers.h>
50694 #include <linux/errno.h>
50695 #include <linux/math64.h>
50696 +#include <linux/security.h>
50697 #include <asm/uaccess.h>
50698 #include <linux/kernel_stat.h>
50699 #include <trace/events/timer.h>
50700 diff -urNp linux-2.6.37/kernel/posix-timers.c linux-2.6.37/kernel/posix-timers.c
50701 --- linux-2.6.37/kernel/posix-timers.c 2011-01-04 19:50:19.000000000 -0500
50702 +++ linux-2.6.37/kernel/posix-timers.c 2011-01-17 02:41:02.000000000 -0500
50704 #include <linux/compiler.h>
50705 #include <linux/idr.h>
50706 #include <linux/posix-timers.h>
50707 +#include <linux/grsecurity.h>
50708 #include <linux/syscalls.h>
50709 #include <linux/wait.h>
50710 #include <linux/workqueue.h>
50711 @@ -949,6 +950,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
50712 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
50715 + /* only the CLOCK_REALTIME clock can be set, all other clocks
50716 + have their clock_set fptr set to a nosettime dummy function
50717 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
50718 + call common_clock_set, which calls do_sys_settimeofday, which
50722 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
50725 diff -urNp linux-2.6.37/kernel/power/hibernate.c linux-2.6.37/kernel/power/hibernate.c
50726 --- linux-2.6.37/kernel/power/hibernate.c 2011-01-04 19:50:19.000000000 -0500
50727 +++ linux-2.6.37/kernel/power/hibernate.c 2011-01-17 02:41:02.000000000 -0500
50728 @@ -51,14 +51,14 @@ enum {
50730 static int hibernation_mode = HIBERNATION_SHUTDOWN;
50732 -static struct platform_hibernation_ops *hibernation_ops;
50733 +static const struct platform_hibernation_ops *hibernation_ops;
50736 * hibernation_set_ops - set the global hibernate operations
50737 * @ops: the hibernation operations to use in subsequent hibernation transitions
50740 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
50741 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
50743 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
50744 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
50745 diff -urNp linux-2.6.37/kernel/power/poweroff.c linux-2.6.37/kernel/power/poweroff.c
50746 --- linux-2.6.37/kernel/power/poweroff.c 2011-01-04 19:50:19.000000000 -0500
50747 +++ linux-2.6.37/kernel/power/poweroff.c 2011-01-17 02:41:02.000000000 -0500
50748 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
50749 .enable_mask = SYSRQ_ENABLE_BOOT,
50752 -static int pm_sysrq_init(void)
50753 +static int __init pm_sysrq_init(void)
50755 register_sysrq_key('o', &sysrq_poweroff_op);
50757 diff -urNp linux-2.6.37/kernel/power/process.c linux-2.6.37/kernel/power/process.c
50758 --- linux-2.6.37/kernel/power/process.c 2011-01-04 19:50:19.000000000 -0500
50759 +++ linux-2.6.37/kernel/power/process.c 2011-01-17 02:41:02.000000000 -0500
50760 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
50761 u64 elapsed_csecs64;
50762 unsigned int elapsed_csecs;
50763 bool wakeup = false;
50764 + bool timedout = false;
50766 do_gettimeofday(&start);
50768 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
50772 + if (time_after(jiffies, end_time))
50774 read_lock(&tasklist_lock);
50775 do_each_thread(g, p) {
50776 if (frozen(p) || !freezeable(p))
50777 @@ -65,9 +68,13 @@ static int try_to_freeze_tasks(bool sig_
50778 * It is "frozen enough". If the task does wake
50779 * up, it will immediately call try_to_freeze.
50781 - if (!task_is_stopped_or_traced(p) &&
50782 - !freezer_should_skip(p))
50783 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
50786 + printk(KERN_ERR "Task refusing to freeze:\n");
50787 + sched_show_task(p);
50790 } while_each_thread(g, p);
50791 read_unlock(&tasklist_lock);
50793 @@ -76,7 +83,7 @@ static int try_to_freeze_tasks(bool sig_
50797 - if (!todo || time_after(jiffies, end_time))
50798 + if (!todo || timedout)
50801 if (!pm_check_wakeup_events()) {
50802 diff -urNp linux-2.6.37/kernel/power/suspend.c linux-2.6.37/kernel/power/suspend.c
50803 --- linux-2.6.37/kernel/power/suspend.c 2011-01-04 19:50:19.000000000 -0500
50804 +++ linux-2.6.37/kernel/power/suspend.c 2011-01-17 02:41:02.000000000 -0500
50805 @@ -30,13 +30,13 @@ const char *const pm_states[PM_SUSPEND_M
50806 [PM_SUSPEND_MEM] = "mem",
50809 -static struct platform_suspend_ops *suspend_ops;
50810 +static const struct platform_suspend_ops *suspend_ops;
50813 * suspend_set_ops - Set the global suspend method table.
50814 * @ops: Pointer to ops structure.
50816 -void suspend_set_ops(struct platform_suspend_ops *ops)
50817 +void suspend_set_ops(const struct platform_suspend_ops *ops)
50819 mutex_lock(&pm_mutex);
50821 diff -urNp linux-2.6.37/kernel/printk.c linux-2.6.37/kernel/printk.c
50822 --- linux-2.6.37/kernel/printk.c 2011-01-04 19:50:19.000000000 -0500
50823 +++ linux-2.6.37/kernel/printk.c 2011-01-17 02:41:02.000000000 -0500
50824 @@ -274,6 +274,11 @@ int do_syslog(int type, char __user *buf
50828 +#ifdef CONFIG_GRKERNSEC_DMESG
50829 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
50834 * If this is from /proc/kmsg we only do the capabilities checks
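Review bot: The new `grsec_enable_dmesg` check sits above the existing comment saying that /proc/kmsg only does capability checks at open time, so it appears to run on every do_syslog() call, including reads on an already opened /proc/kmsg descriptor. A log daemon that opens /proc/kmsg with privilege and then drops CAP_SYS_ADMIN would start failing on read once the option is enabled. If that is intended, say so at the check, e.g. `/* also applies to /proc/kmsg reads: the reader must retain CAP_SYS_ADMIN */`; otherwise the test belongs after the from-file handling. The return statement and the closing `#endif` are not visible in this view.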
50836 diff -urNp linux-2.6.37/kernel/ptrace.c linux-2.6.37/kernel/ptrace.c
50837 --- linux-2.6.37/kernel/ptrace.c 2011-01-04 19:50:19.000000000 -0500
50838 +++ linux-2.6.37/kernel/ptrace.c 2011-01-17 02:41:02.000000000 -0500
50839 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
50840 cred->gid != tcred->egid ||
50841 cred->gid != tcred->sgid ||
50842 cred->gid != tcred->gid) &&
50843 - !capable(CAP_SYS_PTRACE)) {
50844 + !capable_nolog(CAP_SYS_PTRACE)) {
50848 @@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
50851 dumpable = get_dumpable(task->mm);
50852 - if (!dumpable && !capable(CAP_SYS_PTRACE))
50853 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
50856 return security_ptrace_access_check(task, mode);
50857 @@ -198,7 +198,7 @@ int ptrace_attach(struct task_struct *ta
50858 goto unlock_tasklist;
50860 task->ptrace = PT_PTRACED;
50861 - if (capable(CAP_SYS_PTRACE))
50862 + if (capable_nolog(CAP_SYS_PTRACE))
50863 task->ptrace |= PT_PTRACE_CAP;
50865 __ptrace_link(task, current);
50866 @@ -369,7 +369,7 @@ int ptrace_readdata(struct task_struct *
50870 - if (copy_to_user(dst, buf, retval))
50871 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
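Review bot: The added bound `retval > sizeof(buf)` relies on an implicit conversion that deserves a comment. Assuming `retval` is a signed int (its declaration is outside the hunk), the comparison is carried out unsigned, so a negative value is rejected along with an oversized one. I would state that next to the test, e.g. `/* unsigned compare: also rejects retval < 0 */`, so a later cleanup does not narrow the check by adding a cast. The loop this line belongs to starts and ends outside the hunk.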
50875 @@ -565,7 +565,7 @@ int ptrace_request(struct task_struct *c
50879 - void __user *datavp = (void __user *) data;
50880 + void __user *datavp = (__force void __user *) data;
50881 unsigned long __user *datalp = datavp;
50884 @@ -713,14 +713,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
50885 if (!vx_check(vx_task_xid(child), VS_WATCH_P | VS_IDENT))
50886 goto out_put_task_struct;
50888 + if (gr_handle_ptrace(child, request)) {
50890 + goto out_put_task_struct;
50893 if (request == PTRACE_ATTACH) {
50894 ret = ptrace_attach(child);
50896 * Some architectures need to do book-keeping after
50901 arch_ptrace_attach(child);
50902 + gr_audit_ptrace(child);
50904 goto out_put_task_struct;
50907 @@ -855,14 +862,21 @@ asmlinkage long compat_sys_ptrace(compat
50911 + if (gr_handle_ptrace(child, request)) {
50913 + goto out_put_task_struct;
50916 if (request == PTRACE_ATTACH) {
50917 ret = ptrace_attach(child);
50919 * Some architectures need to do book-keeping after
50924 arch_ptrace_attach(child);
50925 + gr_audit_ptrace(child);
50927 goto out_put_task_struct;
50930 diff -urNp linux-2.6.37/kernel/rcutree.c linux-2.6.37/kernel/rcutree.c
50931 --- linux-2.6.37/kernel/rcutree.c 2011-01-04 19:50:19.000000000 -0500
50932 +++ linux-2.6.37/kernel/rcutree.c 2011-01-17 02:41:02.000000000 -0500
50933 @@ -1394,7 +1394,7 @@ __rcu_process_callbacks(struct rcu_state
50935 * Do softirq processing for the current CPU.
50937 -static void rcu_process_callbacks(struct softirq_action *unused)
50938 +static void rcu_process_callbacks(void)
50941 * Memory references from any prior RCU read-side critical sections
50942 diff -urNp linux-2.6.37/kernel/rcutree_plugin.h linux-2.6.37/kernel/rcutree_plugin.h
50943 --- linux-2.6.37/kernel/rcutree_plugin.h 2011-01-04 19:50:19.000000000 -0500
50944 +++ linux-2.6.37/kernel/rcutree_plugin.h 2011-01-17 02:41:02.000000000 -0500
50945 @@ -729,7 +729,7 @@ void synchronize_rcu_expedited(void)
50947 /* Clean up and exit. */
50948 smp_mb(); /* ensure expedited GP seen before counter increment. */
50949 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
50950 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
50952 mutex_unlock(&sync_rcu_preempt_exp_mutex);
50954 diff -urNp linux-2.6.37/kernel/resource.c linux-2.6.37/kernel/resource.c
50955 --- linux-2.6.37/kernel/resource.c 2011-01-04 19:50:19.000000000 -0500
50956 +++ linux-2.6.37/kernel/resource.c 2011-01-17 02:41:02.000000000 -0500
50957 @@ -133,8 +133,18 @@ static const struct file_operations proc
50959 static int __init ioresources_init(void)
50961 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50962 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50963 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
50964 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
50965 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50966 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
50967 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
50970 proc_create("ioports", 0, NULL, &proc_ioports_operations);
50971 proc_create("iomem", 0, NULL, &proc_iomem_operations);
50975 __initcall(ioresources_init);
50976 diff -urNp linux-2.6.37/kernel/rtmutex.c linux-2.6.37/kernel/rtmutex.c
50977 --- linux-2.6.37/kernel/rtmutex.c 2011-01-04 19:50:19.000000000 -0500
50978 +++ linux-2.6.37/kernel/rtmutex.c 2011-01-17 02:41:02.000000000 -0500
50979 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
50981 raw_spin_lock_irqsave(&pendowner->pi_lock, flags);
50983 - WARN_ON(!pendowner->pi_blocked_on);
50984 + BUG_ON(!pendowner->pi_blocked_on);
50985 WARN_ON(pendowner->pi_blocked_on != waiter);
50986 WARN_ON(pendowner->pi_blocked_on->lock != lock);
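Review bot: Promoting the first check to `BUG_ON` halts while `pendowner->pi_lock` is held with interrupts disabled, and the hunk gives no reason for treating this invariant differently from the two `WARN_ON` lines that follow. Those lines dereference `pi_blocked_on`, so the intent is presumably to stop before a NULL dereference, but that should be written down, e.g. `/* fatal: the checks below dereference pi_blocked_on */`. The same WARN_ON-to-BUG_ON promotion appears without comment in init_sched_groups_power in kernel/sched.c.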
50988 diff -urNp linux-2.6.37/kernel/sched.c linux-2.6.37/kernel/sched.c
50989 --- linux-2.6.37/kernel/sched.c 2011-01-04 19:50:19.000000000 -0500
50990 +++ linux-2.6.37/kernel/sched.c 2011-01-17 02:41:02.000000000 -0500
50991 @@ -4770,6 +4770,8 @@ int can_nice(const struct task_struct *p
50992 /* convert nice value [19,-20] to rlimit style value [1,40] */
50993 int nice_rlim = 20 - nice;
50995 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
50997 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
50998 capable(CAP_SYS_NICE));
51000 @@ -4803,7 +4805,8 @@ SYSCALL_DEFINE1(nice, int, increment)
51004 - if (increment < 0 && !can_nice(current, nice))
51005 + if (increment < 0 && (!can_nice(current, nice) ||
51006 + gr_handle_chroot_nice()))
51007 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
51009 retval = security_task_setnice(current, nice);
51010 @@ -4946,6 +4949,7 @@ recheck:
51011 unsigned long rlim_rtprio =
51012 task_rlimit(p, RLIMIT_RTPRIO);
51014 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
51015 /* can't set/change the rt policy */
51016 if (policy != p->policy && !rlim_rtprio)
51018 @@ -7155,7 +7159,7 @@ static void init_sched_groups_power(int
51022 - WARN_ON(!sd || !sd->groups);
51023 + BUG_ON(!sd || !sd->groups);
51025 if (cpu != group_first_cpu(sd->groups))
51027 diff -urNp linux-2.6.37/kernel/sched_fair.c linux-2.6.37/kernel/sched_fair.c
51028 --- linux-2.6.37/kernel/sched_fair.c 2011-01-04 19:50:19.000000000 -0500
51029 +++ linux-2.6.37/kernel/sched_fair.c 2011-01-17 02:41:02.000000000 -0500
51030 @@ -3724,7 +3724,7 @@ static void nohz_idle_balance(int this_c
51031 * run_rebalance_domains is triggered when needed from the scheduler tick.
51032 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
51034 -static void run_rebalance_domains(struct softirq_action *h)
51035 +static void run_rebalance_domains(void)
51037 int this_cpu = smp_processor_id();
51038 struct rq *this_rq = cpu_rq(this_cpu);
51039 diff -urNp linux-2.6.37/kernel/signal.c linux-2.6.37/kernel/signal.c
51040 --- linux-2.6.37/kernel/signal.c 2011-01-04 19:50:19.000000000 -0500
51041 +++ linux-2.6.37/kernel/signal.c 2011-01-17 02:41:02.000000000 -0500
51042 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
51044 int print_fatal_signals __read_mostly;
51046 -static void __user *sig_handler(struct task_struct *t, int sig)
51047 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
51049 return t->sighand->action[sig - 1].sa.sa_handler;
51052 -static int sig_handler_ignored(void __user *handler, int sig)
51053 +static int sig_handler_ignored(__sighandler_t handler, int sig)
51055 /* Is it explicitly or implicitly ignored? */
51056 return handler == SIG_IGN ||
51057 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
51058 static int sig_task_ignored(struct task_struct *t, int sig,
51059 int from_ancestor_ns)
51061 - void __user *handler;
51062 + __sighandler_t handler;
51064 handler = sig_handler(t, sig);
51066 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
51067 atomic_inc(&user->sigpending);
51070 + if (!override_rlimit)
51071 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
51073 if (override_rlimit ||
51074 atomic_read(&user->sigpending) <=
51075 task_rlimit(t, RLIMIT_SIGPENDING)) {
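Review bot: `atomic_read(&user->sigpending)` is evaluated once for `gr_learn_resource()` and again in the limit comparison right below it, so the value that is learned can differ from the value actually tested against `RLIMIT_SIGPENDING` when other tasks of the same user queue signals concurrently. Reading it once, e.g. `int pending = atomic_read(&user->sigpending);`, and using `pending` in both places would keep the learning record and the enforcement decision consistent. `__sigqueue_alloc` begins and ends outside this hunk.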
51076 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
51078 int unhandled_signal(struct task_struct *tsk, int sig)
51080 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
51081 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
51082 if (is_global_init(tsk))
51084 if (handler != SIG_IGN && handler != SIG_DFL)
51085 @@ -705,6 +708,10 @@ static int check_kill_permission(int sig
51086 sig, info, t, vx_task_xid(t), t->pid, current->xid);
51090 + if (gr_handle_signal(t, sig))
51094 return security_task_kill(t, info, sig, 0);
51096 @@ -1025,7 +1032,7 @@ __group_send_sig_info(int sig, struct si
51097 return send_signal(sig, info, p, 1);
51102 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
51104 return send_signal(sig, info, t, 0);
51105 @@ -1079,6 +1086,9 @@ force_sig_info(int sig, struct siginfo *
51106 ret = specific_send_sig_info(sig, info, t);
51107 spin_unlock_irqrestore(&t->sighand->siglock, flags);
51109 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
51110 + gr_handle_crash(t, sig);
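Review bot: `info->si_addr` is handed to `gr_log_signal()` for every non-special `info`, but `si_addr` is one member of the siginfo union and only carries an address for fault-style signals; for a signal sent with `kill()` the same storage holds the sender's pid and uid. Unless `gr_log_signal()` filters on the signal number or `si_code` itself (not visible here), the logged "address" can be an artefact of those fields. The same expression appears in the `group_send_sig_info` hunk below, where user-originated signals are the normal case. Passing `NULL` unless the signal is a kernel-generated fault would keep the log accurate. `force_sig_info` continues outside this hunk.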
51115 @@ -1137,8 +1146,11 @@ int group_send_sig_info(int sig, struct
51116 ret = check_kill_permission(sig, info, p);
51120 + if (!ret && sig) {
51121 ret = do_send_sig_info(sig, info, p, true);
51123 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
51128 diff -urNp linux-2.6.37/kernel/smp.c linux-2.6.37/kernel/smp.c
51129 --- linux-2.6.37/kernel/smp.c 2011-01-04 19:50:19.000000000 -0500
51130 +++ linux-2.6.37/kernel/smp.c 2011-01-17 02:41:02.000000000 -0500
51131 @@ -510,22 +510,22 @@ int smp_call_function(smp_call_func_t fu
51133 EXPORT_SYMBOL(smp_call_function);
51135 -void ipi_call_lock(void)
51136 +void ipi_call_lock(void) __acquires(call_function.lock)
51138 raw_spin_lock(&call_function.lock);
51141 -void ipi_call_unlock(void)
51142 +void ipi_call_unlock(void) __releases(call_function.lock)
51144 raw_spin_unlock(&call_function.lock);
51147 -void ipi_call_lock_irq(void)
51148 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
51150 raw_spin_lock_irq(&call_function.lock);
51153 -void ipi_call_unlock_irq(void)
51154 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
51156 raw_spin_unlock_irq(&call_function.lock);
51158 diff -urNp linux-2.6.37/kernel/softirq.c linux-2.6.37/kernel/softirq.c
51159 --- linux-2.6.37/kernel/softirq.c 2011-01-04 19:50:19.000000000 -0500
51160 +++ linux-2.6.37/kernel/softirq.c 2011-01-17 02:41:02.000000000 -0500
51161 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
51163 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
51165 -char *softirq_to_name[NR_SOFTIRQS] = {
51166 +const char * const softirq_to_name[NR_SOFTIRQS] = {
51167 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
51168 "TASKLET", "SCHED", "HRTIMER", "RCU"
51170 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
51172 asmlinkage void __do_softirq(void)
51174 - struct softirq_action *h;
51175 + const struct softirq_action *h;
51177 int max_restart = MAX_SOFTIRQ_RESTART;
51179 @@ -235,7 +235,7 @@ restart:
51180 kstat_incr_softirqs_this_cpu(vec_nr);
51182 trace_softirq_entry(vec_nr);
51185 trace_softirq_exit(vec_nr);
51186 if (unlikely(prev_count != preempt_count())) {
51187 printk(KERN_ERR "huh, entered softirq %u %s %p"
51188 @@ -365,7 +365,7 @@ void raise_softirq(unsigned int nr)
51189 local_irq_restore(flags);
51192 -void open_softirq(int nr, void (*action)(struct softirq_action *))
51193 +void open_softirq(int nr, void (*action)(void))
51195 softirq_vec[nr].action = action;
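Review bot: `nr` is a signed `int` used unchecked as the index in `softirq_vec[nr].action = action;`, and the commit rewrites this function's prototype without adding a range check. An out-of-range index stores a function pointer outside the table, so `BUG_ON(nr < 0 || nr >= NR_SOFTIRQS);` ahead of the store would fit the assertions this patch adds elsewhere. Because handlers no longer receive their `softirq_action` entry, a short comment on the prototype saying so would also help anyone porting a handler written for the old signature.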
51197 @@ -421,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
51199 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
51201 -static void tasklet_action(struct softirq_action *a)
51202 +static void tasklet_action(void)
51204 struct tasklet_struct *list;
51206 @@ -456,7 +456,7 @@ static void tasklet_action(struct softir
51210 -static void tasklet_hi_action(struct softirq_action *a)
51211 +static void tasklet_hi_action(void)
51213 struct tasklet_struct *list;
51215 diff -urNp linux-2.6.37/kernel/sys.c linux-2.6.37/kernel/sys.c
51216 --- linux-2.6.37/kernel/sys.c 2011-01-04 19:50:19.000000000 -0500
51217 +++ linux-2.6.37/kernel/sys.c 2011-01-17 02:41:02.000000000 -0500
51218 @@ -134,6 +134,12 @@ static int set_one_prio(struct task_stru
51223 + if (gr_handle_chroot_setpriority(p, niceval)) {
51228 no_nice = security_task_setnice(p, niceval);
51231 @@ -511,6 +517,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
51235 + if (gr_check_group_change(new->gid, new->egid, -1))
51238 if (rgid != (gid_t) -1 ||
51239 (egid != (gid_t) -1 && egid != old->gid))
51240 new->sgid = new->egid;
51241 @@ -540,6 +549,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
51242 old = current_cred();
51246 + if (gr_check_group_change(gid, gid, gid))
51249 if (capable(CAP_SETGID))
51250 new->gid = new->egid = new->sgid = new->fsgid = gid;
51251 else if (gid == old->gid || gid == old->sgid)
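Review bot: `gr_check_group_change(gid, gid, gid)` is evaluated ahead of the `capable(CAP_SETGID)` test and reports `gid` as the new real, effective and filesystem gid, although only the privileged branch assigns `new->gid`. For an unprivileged caller taking the `else if` branch (its body is outside this hunk) the real gid may not change at all, so the check can refuse or record a real-gid change that would not have occurred, assuming the three arguments are the real, effective and fs ids, as the `setresgid` and `setfsgid` hunks suggest. Calling the helper inside each branch with `-1` for the ids that branch leaves alone would make the check match the actual transition. The `setuid` hunk below has the same shape with `gr_check_user_change(uid, uid, uid)`.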
51252 @@ -620,6 +633,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
51256 + if (gr_check_user_change(new->uid, new->euid, -1))
51259 if (new->uid != old->uid) {
51260 retval = set_user(new);
51262 @@ -664,6 +680,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
51263 old = current_cred();
51267 + if (gr_check_crash_uid(uid))
51269 + if (gr_check_user_change(uid, uid, uid))
51272 if (capable(CAP_SETUID)) {
51273 new->suid = new->uid = uid;
51274 if (uid != old->uid) {
51275 @@ -718,6 +740,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
51279 + if (gr_check_user_change(ruid, euid, -1))
51282 if (ruid != (uid_t) -1) {
51284 if (ruid != old->uid) {
51285 @@ -782,6 +807,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
51289 + if (gr_check_group_change(rgid, egid, -1))
51292 if (rgid != (gid_t) -1)
51294 if (egid != (gid_t) -1)
51295 @@ -828,6 +856,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
51296 old = current_cred();
51297 old_fsuid = old->fsuid;
51299 + if (gr_check_user_change(-1, -1, uid))
51302 if (uid == old->uid || uid == old->euid ||
51303 uid == old->suid || uid == old->fsuid ||
51304 capable(CAP_SETUID)) {
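Review bot: `gr_check_user_change(-1, -1, uid)` runs before the permission test that follows it, while the matching `gr_check_group_change(-1, -1, gid)` in the `setfsgid` hunk below sits inside the permitted branch. As placed here the policy check also fires for requests the kernel would refuse anyway, which, if the helper logs denials (not visible here), produces entries for changes that could never have happened. Moving the call inside the `if (uid == old->uid || ... capable(CAP_SETUID))` block would make the two syscalls agree. The bare `-1` arguments would also read better as `(uid_t) -1`, the sentinel spelling the surrounding code already uses.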
51305 @@ -838,6 +869,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
51313 @@ -864,12 +896,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
51314 if (gid == old->gid || gid == old->egid ||
51315 gid == old->sgid || gid == old->fsgid ||
51316 capable(CAP_SETGID)) {
51317 + if (gr_check_group_change(-1, -1, gid))
51320 if (gid != old_fsgid) {
51330 @@ -1607,7 +1643,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
51331 error = get_dumpable(me->mm);
51333 case PR_SET_DUMPABLE:
51334 - if (arg2 < 0 || arg2 > 1) {
51339 diff -urNp linux-2.6.37/kernel/sysctl.c linux-2.6.37/kernel/sysctl.c
51340 --- linux-2.6.37/kernel/sysctl.c 2011-01-04 19:50:19.000000000 -0500
51341 +++ linux-2.6.37/kernel/sysctl.c 2011-01-17 02:41:02.000000000 -0500
51345 #if defined(CONFIG_SYSCTL)
51346 +#include <linux/grsecurity.h>
51347 +#include <linux/grinternal.h>
51349 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
51350 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
51352 +extern int gr_handle_chroot_sysctl(const int op);
51354 /* External variables not in a header file. */
51355 extern int sysctl_overcommit_memory;
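Review bot: The prototypes for `gr_handle_sysctl`, `gr_handle_sysctl_mod` and `gr_handle_chroot_sysctl` are declared locally with `extern` right after `linux/grsecurity.h` and `linux/grinternal.h` are included. A local prototype is never checked against the definition, so a later signature change compiles cleanly with mismatched arguments; these belong in one of the two headers. The same pattern recurs with `grsecurity_table` further down and with `gr_is_taskstats_denied` in the kernel/taskstats.c hunk. Separately, `gr_handle_sysctl` is declared to return `__u32` while its result is stored in `error` in the `sysctl_perm` hunk; if `error` is an `int` errno (its declaration is outside the visible lines), the return type should be `int`.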
51356 @@ -188,6 +195,7 @@ static int sysrq_sysctl_handler(ctl_tabl
51360 +extern struct ctl_table grsecurity_table[];
51362 static struct ctl_table root_table[];
51363 static struct ctl_table_root sysctl_table_root;
51364 @@ -217,6 +225,20 @@ extern struct ctl_table epoll_table[];
51365 int sysctl_legacy_va_layout;
51368 +#ifdef CONFIG_PAX_SOFTMODE
51369 +static ctl_table pax_table[] = {
51371 + .procname = "softmode",
51372 + .data = &pax_softmode,
51373 + .maxlen = sizeof(unsigned int),
51375 + .proc_handler = &proc_dointvec,
51382 /* The default sysctl tables: */
51384 static struct ctl_table root_table[] = {
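Review bot: The `softmode` entry hard-codes `.maxlen = sizeof(unsigned int)` rather than `sizeof(pax_softmode)` (the `heap_stack_gap` entry later in this file uses the `sizeof(variable)` form), and it uses `proc_dointvec`, which accepts any integer value. If `pax_softmode` is an on/off switch, as its name suggests, `proc_dointvec_minmax` with `.extra1`/`.extra2` pointing at 0 and 1 would reject out-of-range writes. The `.mode` line of the entry is not visible in this extract, so its permissions could not be reviewed.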
51385 @@ -269,6 +291,22 @@ static int max_extfrag_threshold = 1000;
51388 static struct ctl_table kern_table[] = {
51389 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
51391 + .procname = "grsecurity",
51393 + .child = grsecurity_table,
51397 +#ifdef CONFIG_PAX_SOFTMODE
51399 + .procname = "pax",
51401 + .child = pax_table,
51406 .procname = "sched_child_runs_first",
51407 .data = &sysctl_sched_child_runs_first,
51408 @@ -549,7 +587,7 @@ static struct ctl_table kern_table[] = {
51409 .data = &modprobe_path,
51410 .maxlen = KMOD_PATH_LEN,
51412 - .proc_handler = proc_dostring,
51413 + .proc_handler = proc_dostring_modpriv,
51416 .procname = "modules_disabled",
51417 @@ -1180,6 +1218,13 @@ static struct ctl_table vm_table[] = {
51418 .proc_handler = proc_dointvec_minmax,
51422 + .procname = "heap_stack_gap",
51423 + .data = &sysctl_heap_stack_gap,
51424 + .maxlen = sizeof(sysctl_heap_stack_gap),
51426 + .proc_handler = proc_doulongvec_minmax,
51430 .procname = "nr_trim_pages",
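Review bot: No `.extra1`/`.extra2` bounds are visible on the new `heap_stack_gap` entry, so `proc_doulongvec_minmax` would accept any unsigned long, including 0. If the value is a guard distance, which the name suggests but the hunk does not show, a lower bound would stop the protection from being switched off by a single write, and an upper bound would avoid values that make every mapping request fail. One line of this entry is missing from the extract, so confirm against the full patch before acting on this.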
51431 @@ -1695,6 +1740,16 @@ int sysctl_perm(struct ctl_table_root *r
51435 + if (table->parent != NULL && table->parent->procname != NULL &&
51436 + table->procname != NULL &&
51437 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
51439 + if (gr_handle_chroot_sysctl(op))
51441 + error = gr_handle_sysctl(table, op);
51445 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
51448 @@ -2102,6 +2157,16 @@ int proc_dostring(struct ctl_table *tabl
51449 buffer, lenp, ppos);
51452 +int proc_dostring_modpriv(struct ctl_table *table, int write,
51453 + void __user *buffer, size_t *lenp, loff_t *ppos)
51455 + if (write && !capable(CAP_SYS_MODULE))
51458 + return _proc_do_string(table->data, table->maxlen, write,
51459 + buffer, lenp, ppos);
51462 static size_t proc_skip_spaces(char **buf)
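Review bot: `proc_dostring_modpriv` is added with no comment describing how it differs from `proc_dostring`. A line above the definition such as `/* like proc_dostring(), but a write additionally requires CAP_SYS_MODULE */` would make the contract clear to anyone wiring it into another table entry. The value returned when the capability check fails is not visible in this extract; it should be documented alongside.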
51465 @@ -2207,6 +2272,8 @@ static int proc_put_long(void __user **b
51469 + if (len > sizeof(tmp))
51470 + len = sizeof(tmp);
51471 if (copy_to_user(*buf, tmp, len))
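Review bot: The added clamp `if (len > sizeof(tmp)) len = sizeof(tmp);` bounds only the length given to `copy_to_user()`; if `tmp` is filled by an unbounded formatter earlier in the function (outside this hunk), an over-long result would already have overrun the buffer before this line runs. The clamp also truncates silently, so user space would receive a shortened number with no error. If this is meant as defence in depth, bounding the write at the source with `snprintf(tmp, sizeof(tmp), ...)` and treating an oversized `len` as a failure would cover both cases.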
51474 @@ -2512,8 +2579,11 @@ static int __do_proc_doulongvec_minmax(v
51477 val = convdiv * (*i) / convmul;
51480 err = proc_put_char(&buffer, &left, '\t');
51484 err = proc_put_long(&buffer, &left, val, false);
51487 @@ -2908,6 +2978,12 @@ int proc_dostring(struct ctl_table *tabl
51491 +int proc_dostring_modpriv(struct ctl_table *table, int write,
51492 + void __user *buffer, size_t *lenp, loff_t *ppos)
51497 int proc_dointvec(struct ctl_table *table, int write,
51498 void __user *buffer, size_t *lenp, loff_t *ppos)
51500 @@ -2964,6 +3040,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
51501 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
51502 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
51503 EXPORT_SYMBOL(proc_dostring);
51504 +EXPORT_SYMBOL(proc_dostring_modpriv);
51505 EXPORT_SYMBOL(proc_doulongvec_minmax);
51506 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
51507 EXPORT_SYMBOL(register_sysctl_table);
51508 diff -urNp linux-2.6.37/kernel/sysctl_check.c linux-2.6.37/kernel/sysctl_check.c
51509 --- linux-2.6.37/kernel/sysctl_check.c 2011-01-04 19:50:19.000000000 -0500
51510 +++ linux-2.6.37/kernel/sysctl_check.c 2011-01-17 02:41:02.000000000 -0500
51511 @@ -131,6 +131,7 @@ int sysctl_check_table(struct nsproxy *n
51512 set_fail(&fail, table, "Directory with extra2");
51514 if ((table->proc_handler == proc_dostring) ||
51515 + (table->proc_handler == proc_dostring_modpriv) ||
51516 (table->proc_handler == proc_dointvec) ||
51517 (table->proc_handler == proc_dointvec_minmax) ||
51518 (table->proc_handler == proc_dointvec_jiffies) ||
51519 diff -urNp linux-2.6.37/kernel/taskstats.c linux-2.6.37/kernel/taskstats.c
51520 --- linux-2.6.37/kernel/taskstats.c 2011-01-04 19:50:19.000000000 -0500
51521 +++ linux-2.6.37/kernel/taskstats.c 2011-01-17 02:41:02.000000000 -0500
51523 #include <linux/cgroup.h>
51524 #include <linux/fs.h>
51525 #include <linux/file.h>
51526 +#include <linux/grsecurity.h>
51527 #include <net/genetlink.h>
51528 #include <asm/atomic.h>
51530 +extern int gr_is_taskstats_denied(int pid);
51533 * Maximum length of a cpumask that can be specified in
51534 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
51535 @@ -550,6 +553,9 @@ err:
51537 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
51539 + if (gr_is_taskstats_denied(current->pid))
51542 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
51543 return cmd_attr_register_cpumask(info);
51544 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
51545 diff -urNp linux-2.6.37/kernel/time/tick-broadcast.c linux-2.6.37/kernel/time/tick-broadcast.c
51546 --- linux-2.6.37/kernel/time/tick-broadcast.c 2011-01-04 19:50:19.000000000 -0500
51547 +++ linux-2.6.37/kernel/time/tick-broadcast.c 2011-01-17 02:41:02.000000000 -0500
51548 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
51549 * then clear the broadcast bit.
51551 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
51552 - int cpu = smp_processor_id();
51553 + cpu = smp_processor_id();
51555 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
51556 tick_broadcast_clear_oneshot(cpu);
51557 diff -urNp linux-2.6.37/kernel/time/timekeeping.c linux-2.6.37/kernel/time/timekeeping.c
51558 --- linux-2.6.37/kernel/time/timekeeping.c 2011-01-04 19:50:19.000000000 -0500
51559 +++ linux-2.6.37/kernel/time/timekeeping.c 2011-01-17 02:41:02.000000000 -0500
51561 #include <linux/init.h>
51562 #include <linux/mm.h>
51563 #include <linux/sched.h>
51564 +#include <linux/grsecurity.h>
51565 #include <linux/sysdev.h>
51566 #include <linux/clocksource.h>
51567 #include <linux/jiffies.h>
51568 @@ -314,6 +315,8 @@ int do_settimeofday(struct timespec *tv)
51569 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
51572 + gr_log_timechange();
51574 write_seqlock_irqsave(&xtime_lock, flags);
51576 timekeeping_forward_now();
51577 diff -urNp linux-2.6.37/kernel/time/timer_list.c linux-2.6.37/kernel/time/timer_list.c
51578 --- linux-2.6.37/kernel/time/timer_list.c 2011-01-04 19:50:19.000000000 -0500
51579 +++ linux-2.6.37/kernel/time/timer_list.c 2011-01-17 02:41:02.000000000 -0500
51580 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
51582 static void print_name_offset(struct seq_file *m, void *sym)
51584 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51585 + SEQ_printf(m, "<%p>", NULL);
51587 char symname[KSYM_NAME_LEN];
51589 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
51590 SEQ_printf(m, "<%p>", sym);
51592 SEQ_printf(m, "%s", symname);
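Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` this prints `"<%p>"` with a `NULL` argument, so the text readers see depends on how the kernel's `%p` renders a null pointer, which this same patch changes from `(null)` to `(nil)` in lib/vsprintf.c, padded to pointer width. A fixed literal, e.g. `SEQ_printf(m, "<hidden>");`, would give a stable placeholder and make it obvious the value was withheld rather than genuinely null. The same construct is used in the `print_base` hunk below and in `print_name_offset` in kernel/time/timer_stats.c.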
51597 @@ -112,7 +116,11 @@ next_one:
51599 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
51601 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51602 + SEQ_printf(m, " .base: %p\n", NULL);
51604 SEQ_printf(m, " .base: %p\n", base);
51606 SEQ_printf(m, " .index: %d\n",
51608 SEQ_printf(m, " .resolution: %Lu nsecs\n",
51609 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
51611 struct proc_dir_entry *pe;
51613 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51614 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
51616 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
51621 diff -urNp linux-2.6.37/kernel/time/timer_stats.c linux-2.6.37/kernel/time/timer_stats.c
51622 --- linux-2.6.37/kernel/time/timer_stats.c 2011-01-04 19:50:19.000000000 -0500
51623 +++ linux-2.6.37/kernel/time/timer_stats.c 2011-01-17 02:41:02.000000000 -0500
51624 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
51626 static void print_name_offset(struct seq_file *m, unsigned long addr)
51628 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51629 + seq_printf(m, "<%p>", NULL);
51631 char symname[KSYM_NAME_LEN];
51633 if (lookup_symbol_name(addr, symname) < 0)
51634 seq_printf(m, "<%p>", (void *)addr);
51636 seq_printf(m, "%s", symname);
51640 static int tstats_show(struct seq_file *m, void *v)
51641 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
51643 struct proc_dir_entry *pe;
51645 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51646 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
51648 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
51653 diff -urNp linux-2.6.37/kernel/time.c linux-2.6.37/kernel/time.c
51654 --- linux-2.6.37/kernel/time.c 2011-01-04 19:50:19.000000000 -0500
51655 +++ linux-2.6.37/kernel/time.c 2011-01-17 02:41:02.000000000 -0500
51656 @@ -163,6 +163,11 @@ int do_sys_settimeofday(struct timespec
51660 + /* we log in do_settimeofday called below, so don't log twice
51663 + gr_log_timechange();
51665 /* SMP safe, global irq locking makes it work. */
51667 update_vsyscall_tz();
51668 @@ -238,7 +243,7 @@ EXPORT_SYMBOL(current_fs_time);
51669 * Avoid unnecessary multiplications/divisions in the
51670 * two most common HZ cases:
51672 -unsigned int inline jiffies_to_msecs(const unsigned long j)
51673 +inline unsigned int jiffies_to_msecs(const unsigned long j)
51675 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
51676 return (MSEC_PER_SEC / HZ) * j;
51677 @@ -254,7 +259,7 @@ unsigned int inline jiffies_to_msecs(con
51679 EXPORT_SYMBOL(jiffies_to_msecs);
51681 -unsigned int inline jiffies_to_usecs(const unsigned long j)
51682 +inline unsigned int jiffies_to_usecs(const unsigned long j)
51684 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
51685 return (USEC_PER_SEC / HZ) * j;
51686 diff -urNp linux-2.6.37/kernel/timer.c linux-2.6.37/kernel/timer.c
51687 --- linux-2.6.37/kernel/timer.c 2011-01-04 19:50:19.000000000 -0500
51688 +++ linux-2.6.37/kernel/timer.c 2011-01-17 02:41:02.000000000 -0500
51689 @@ -1296,7 +1296,7 @@ void update_process_times(int user_tick)
51691 * This function runs timers and the timer-tq in bottom half context.
51693 -static void run_timer_softirq(struct softirq_action *h)
51694 +static void run_timer_softirq(void)
51696 struct tvec_base *base = __get_cpu_var(tvec_bases);
51698 diff -urNp linux-2.6.37/kernel/trace/ftrace.c linux-2.6.37/kernel/trace/ftrace.c
51699 --- linux-2.6.37/kernel/trace/ftrace.c 2011-01-04 19:50:19.000000000 -0500
51700 +++ linux-2.6.37/kernel/trace/ftrace.c 2011-01-17 02:41:02.000000000 -0500
51701 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
51705 + ret = ftrace_arch_code_modify_prepare();
51706 + FTRACE_WARN_ON(ret);
51710 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
51711 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
51713 ftrace_bug(ret, ip);
51714 rec->flags |= FTRACE_FL_FAILED;
51718 + return ret ? 0 : 1;
51722 diff -urNp linux-2.6.37/kernel/trace/ring_buffer.c linux-2.6.37/kernel/trace/ring_buffer.c
51723 --- linux-2.6.37/kernel/trace/ring_buffer.c 2011-01-04 19:50:19.000000000 -0500
51724 +++ linux-2.6.37/kernel/trace/ring_buffer.c 2011-01-17 02:41:02.000000000 -0500
51725 @@ -669,7 +669,7 @@ static struct list_head *rb_list_head(st
51726 * the reader page). But if the next page is a header page,
51727 * its flags will be non zero.
51731 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
51732 struct buffer_page *page, struct list_head *list)
51734 diff -urNp linux-2.6.37/kernel/trace/trace.c linux-2.6.37/kernel/trace/trace.c
51735 --- linux-2.6.37/kernel/trace/trace.c 2011-01-04 19:50:19.000000000 -0500
51736 +++ linux-2.6.37/kernel/trace/trace.c 2011-01-17 02:41:02.000000000 -0500
51737 @@ -3969,10 +3969,9 @@ static const struct file_operations trac
51741 -static struct dentry *d_tracer;
51743 struct dentry *tracing_init_dentry(void)
51745 + static struct dentry *d_tracer;
51749 @@ -3992,10 +3991,9 @@ struct dentry *tracing_init_dentry(void)
51753 -static struct dentry *d_percpu;
51755 struct dentry *tracing_dentry_percpu(void)
51757 + static struct dentry *d_percpu;
51759 struct dentry *d_tracer;
51761 diff -urNp linux-2.6.37/kernel/trace/trace_events.c linux-2.6.37/kernel/trace/trace_events.c
51762 --- linux-2.6.37/kernel/trace/trace_events.c 2011-01-04 19:50:19.000000000 -0500
51763 +++ linux-2.6.37/kernel/trace/trace_events.c 2011-01-17 02:41:02.000000000 -0500
51764 @@ -1231,6 +1231,7 @@ static LIST_HEAD(ftrace_module_file_list
51765 * Modules must own their file_operations to keep up with
51766 * reference counting.
51768 +/* cannot be const, see trace_create_file_ops() */
51769 struct ftrace_module_file_ops {
51770 struct list_head list;
51771 struct module *mod;
51772 diff -urNp linux-2.6.37/kernel/trace/trace_output.c linux-2.6.37/kernel/trace/trace_output.c
51773 --- linux-2.6.37/kernel/trace/trace_output.c 2011-01-04 19:50:19.000000000 -0500
51774 +++ linux-2.6.37/kernel/trace/trace_output.c 2011-01-17 02:41:02.000000000 -0500
51775 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
51777 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
51779 - p = mangle_path(s->buffer + s->len, p, "\n");
51780 + p = mangle_path(s->buffer + s->len, p, "\n\\");
51782 s->len = p - s->buffer;
51784 diff -urNp linux-2.6.37/kernel/trace/trace_stack.c linux-2.6.37/kernel/trace/trace_stack.c
51785 --- linux-2.6.37/kernel/trace/trace_stack.c 2011-01-04 19:50:19.000000000 -0500
51786 +++ linux-2.6.37/kernel/trace/trace_stack.c 2011-01-17 02:41:02.000000000 -0500
51787 @@ -50,7 +50,7 @@ static inline void check_stack(void)
51790 /* we do not handle interrupt stacks yet */
51791 - if (!object_is_on_stack(&this_size))
51792 + if (!object_starts_on_stack(&this_size))
51795 local_irq_save(flags);
51796 diff -urNp linux-2.6.37/lib/bug.c linux-2.6.37/lib/bug.c
51797 --- linux-2.6.37/lib/bug.c 2011-01-04 19:50:19.000000000 -0500
51798 +++ linux-2.6.37/lib/bug.c 2011-01-17 02:41:02.000000000 -0500
51799 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
51800 return BUG_TRAP_TYPE_NONE;
51802 bug = find_bug(bugaddr);
51804 + return BUG_TRAP_TYPE_NONE;
51808 diff -urNp linux-2.6.37/lib/debugobjects.c linux-2.6.37/lib/debugobjects.c
51809 --- linux-2.6.37/lib/debugobjects.c 2011-01-04 19:50:19.000000000 -0500
51810 +++ linux-2.6.37/lib/debugobjects.c 2011-01-17 02:41:02.000000000 -0500
51811 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
51815 - is_on_stack = object_is_on_stack(addr);
51816 + is_on_stack = object_starts_on_stack(addr);
51817 if (is_on_stack == onstack)
51820 diff -urNp linux-2.6.37/lib/dma-debug.c linux-2.6.37/lib/dma-debug.c
51821 --- linux-2.6.37/lib/dma-debug.c 2011-01-04 19:50:19.000000000 -0500
51822 +++ linux-2.6.37/lib/dma-debug.c 2011-01-17 02:41:02.000000000 -0500
51823 @@ -862,7 +862,7 @@ out:
51825 static void check_for_stack(struct device *dev, void *addr)
51827 - if (object_is_on_stack(addr))
51828 + if (object_starts_on_stack(addr))
51829 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
51830 "stack [addr=%p]\n", addr);
51832 diff -urNp linux-2.6.37/lib/inflate.c linux-2.6.37/lib/inflate.c
51833 --- linux-2.6.37/lib/inflate.c 2011-01-04 19:50:19.000000000 -0500
51834 +++ linux-2.6.37/lib/inflate.c 2011-01-17 02:41:02.000000000 -0500
51835 @@ -269,7 +269,7 @@ static void free(void *where)
51836 malloc_ptr = free_mem_ptr;
51839 -#define malloc(a) kmalloc(a, GFP_KERNEL)
51840 +#define malloc(a) kmalloc((a), GFP_KERNEL)
51841 #define free(a) kfree(a)
51844 diff -urNp linux-2.6.37/lib/Kconfig.debug linux-2.6.37/lib/Kconfig.debug
51845 --- linux-2.6.37/lib/Kconfig.debug 2011-01-04 19:50:19.000000000 -0500
51846 +++ linux-2.6.37/lib/Kconfig.debug 2011-01-17 02:41:02.000000000 -0500
51847 @@ -1065,6 +1065,7 @@ config LATENCYTOP
51848 depends on DEBUG_KERNEL
51849 depends on STACKTRACE_SUPPORT
51851 + depends on !GRKERNSEC_HIDESYM
51852 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
51854 select KALLSYMS_ALL
51855 diff -urNp linux-2.6.37/lib/kref.c linux-2.6.37/lib/kref.c
51856 --- linux-2.6.37/lib/kref.c 2011-01-04 19:50:19.000000000 -0500
51857 +++ linux-2.6.37/lib/kref.c 2011-01-17 02:41:02.000000000 -0500
51858 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
51860 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
51862 - WARN_ON(release == NULL);
51863 + BUG_ON(release == NULL);
51864 WARN_ON(release == (void (*)(struct kref *))kfree);
51866 if (atomic_dec_and_test(&kref->refcount)) {
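Review bot: The escalation from `WARN_ON` to `BUG_ON` for a NULL `release` is not explained, and the next line still only warns when `release` is `kfree`. A comment such as `/* a NULL release would be called once the count reaches zero; stop before that can happen */` would record the reasoning, assuming the release call sits in the `atomic_dec_and_test()` branch, whose body lies outside this hunk. `kref_put` continues past the last visible line.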
51867 diff -urNp linux-2.6.37/lib/radix-tree.c linux-2.6.37/lib/radix-tree.c
51868 --- linux-2.6.37/lib/radix-tree.c 2011-01-04 19:50:19.000000000 -0500
51869 +++ linux-2.6.37/lib/radix-tree.c 2011-01-17 02:41:02.000000000 -0500
51870 @@ -80,7 +80,7 @@ struct radix_tree_preload {
51872 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
51874 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
51875 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
51877 static inline void *ptr_to_indirect(void *ptr)
51879 diff -urNp linux-2.6.37/lib/vsprintf.c linux-2.6.37/lib/vsprintf.c
51880 --- linux-2.6.37/lib/vsprintf.c 2011-01-04 19:50:19.000000000 -0500
51881 +++ linux-2.6.37/lib/vsprintf.c 2011-01-17 02:41:02.000000000 -0500
51883 * - scnprintf and vscnprintf
51886 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51887 +#define __INCLUDED_BY_HIDESYM 1
51889 #include <stdarg.h>
51890 #include <linux/module.h>
51891 #include <linux/types.h>
51892 @@ -574,7 +577,7 @@ char *symbol_string(char *buf, char *end
51893 unsigned long value = (unsigned long) ptr;
51894 #ifdef CONFIG_KALLSYMS
51895 char sym[KSYM_SYMBOL_LEN];
51896 - if (ext != 'f' && ext != 's')
51897 + if (ext != 'f' && ext != 's' && ext != 'a')
51898 sprint_symbol(sym, value);
51900 kallsyms_lookup(value, NULL, NULL, NULL, sym);
51901 @@ -947,6 +950,8 @@ char *uuid_string(char *buf, char *end,
51902 * - 'f' For simple symbolic function names without offset
51903 * - 'S' For symbolic direct pointers with offset
51904 * - 's' For symbolic direct pointers without offset
51905 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
51906 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
51907 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
51908 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
51909 * - 'M' For a 6-byte MAC address, it prints the address in the
51910 @@ -990,12 +995,12 @@ char *pointer(const char *fmt, char *buf
51914 - * Print (null) with the same width as a pointer so it makes
51915 + * Print (nil) with the same width as a pointer so it makes
51916 * tabular output look nice.
51918 if (spec.field_width == -1)
51919 spec.field_width = 2 * sizeof(void *);
51920 - return string(buf, end, "(null)", spec);
51921 + return string(buf, end, "(nil)", spec);
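Review bot: Replacing `"(null)"` with `"(nil)"` changes how every NULL `%p` is rendered in kernel output, and neither the updated comment nor the hunk says why. Log scrapers and tests that match the old text will stop matching, so the comment should state the reason, for instance `/* match glibc's "(nil)" for a NULL %p */` if that is the intent. `pointer()` starts and ends outside this hunk.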
51925 @@ -1005,6 +1010,13 @@ char *pointer(const char *fmt, char *buf
51929 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51932 + return symbol_string(buf, end, ptr, spec, *fmt);
51936 return symbol_string(buf, end, ptr, spec, *fmt);
51939 @@ -1750,11 +1762,11 @@ int bstr_printf(char *buf, size_t size,
51940 typeof(type) value; \
51941 if (sizeof(type) == 8) { \
51942 args = PTR_ALIGN(args, sizeof(u32)); \
51943 - *(u32 *)&value = *(u32 *)args; \
51944 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
51945 + *(u32 *)&value = *(const u32 *)args; \
51946 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
51948 args = PTR_ALIGN(args, sizeof(type)); \
51949 - value = *(typeof(type) *)args; \
51950 + value = *(const typeof(type) *)args; \
51952 args += sizeof(type); \
51954 @@ -1817,7 +1829,7 @@ int bstr_printf(char *buf, size_t size,
51955 case FORMAT_TYPE_STR: {
51956 const char *str_arg = args;
51957 args += strlen(str_arg) + 1;
51958 - str = string(str, end, (char *)str_arg, spec);
51959 + str = string(str, end, str_arg, spec);
51963 diff -urNp linux-2.6.37/localversion-grsec linux-2.6.37/localversion-grsec
51964 --- linux-2.6.37/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
51965 +++ linux-2.6.37/localversion-grsec 2011-01-17 02:41:02.000000000 -0500
51968 diff -urNp linux-2.6.37/Makefile linux-2.6.37/Makefile
51969 --- linux-2.6.37/Makefile 2011-01-04 19:50:19.000000000 -0500
51970 +++ linux-2.6.37/Makefile 2011-01-17 02:41:02.000000000 -0500
51971 @@ -232,8 +232,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
51975 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
51976 -HOSTCXXFLAGS = -O2
51977 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
51978 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
51980 # Decide whether to build built-in, modular, or both.
51981 # Normally, just do built-in.
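Review bot: `-fno-delete-null-pointer-checks` is added to `HOSTCFLAGS` and `HOSTCXXFLAGS`, which apply to the tools built for the build host, not to the kernel image, so this hunk on its own does not change how kernel code is compiled. If the aim is to keep the compiler from dropping NULL checks in kernel code, the flag has to be present in the kernel's own C flags, which are not touched in the visible lines. `-W` is the legacy spelling of `-Wextra`; writing `-Wextra` makes the intent clearer.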
51982 @@ -680,7 +680,7 @@ export mod_strip_cmd
51985 ifeq ($(KBUILD_EXTMOD),)
51986 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
51987 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
51989 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
51990 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
51991 diff -urNp linux-2.6.37/mm/bootmem.c linux-2.6.37/mm/bootmem.c
51992 --- linux-2.6.37/mm/bootmem.c 2011-01-04 19:50:19.000000000 -0500
51993 +++ linux-2.6.37/mm/bootmem.c 2011-01-17 02:41:02.000000000 -0500
51994 @@ -201,19 +201,30 @@ static void __init __free_pages_memory(u
51995 unsigned long __init free_all_memory_core_early(int nodeid)
51999 + u64 start, end, startrange, endrange;
52000 unsigned long count = 0;
52001 - struct range *range = NULL;
52002 + struct range *range = NULL, rangerange = { 0, 0 };
52005 nr_range = get_free_all_memory_range(&range, nodeid);
52006 + startrange = __pa(range) >> PAGE_SHIFT;
52007 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
52009 for (i = 0; i < nr_range; i++) {
52010 start = range[i].start;
52011 end = range[i].end;
52012 + if (start <= endrange && startrange < end) {
52013 + BUG_ON(rangerange.start | rangerange.end);
52014 + rangerange = range[i];
52017 count += end - start;
52018 __free_pages_memory(start, end);
52020 + start = rangerange.start;
52021 + end = rangerange.end;
52022 + count += end - start;
52023 + __free_pages_memory(start, end);
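Review bot: The deferred `__free_pages_memory(start, end)` after the loop runs unconditionally, so when no entry overlaps the `range[]` array it is called with `rangerange` still `{ 0, 0 }`; guarding the tail with `if (rangerange.end)` would make the no-overlap case explicit. The hunk also carries no comment saying why one range is held back; something like `/* free the range that holds range[] itself last, the loop is still reading it */` would help, if that is the reason. `BUG_ON(rangerange.start | rangerange.end)` additionally assumes at most one entry can overlap the array, which is worth stating next to it.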
52027 diff -urNp linux-2.6.37/mm/filemap.c linux-2.6.37/mm/filemap.c
52028 --- linux-2.6.37/mm/filemap.c 2011-01-04 19:50:19.000000000 -0500
52029 +++ linux-2.6.37/mm/filemap.c 2011-01-17 02:41:02.000000000 -0500
52030 @@ -1660,7 +1660,7 @@ int generic_file_mmap(struct file * file
52031 struct address_space *mapping = file->f_mapping;
52033 if (!mapping->a_ops->readpage)
52036 file_accessed(file);
52037 vma->vm_ops = &generic_file_vm_ops;
52038 vma->vm_flags |= VM_CAN_NONLINEAR;
52039 @@ -2056,6 +2056,7 @@ inline int generic_write_checks(struct f
52040 *pos = i_size_read(inode);
52042 if (limit != RLIM_INFINITY) {
52043 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
52044 if (*pos >= limit) {
52045 send_sig(SIGXFSZ, current, 0);
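Review bot: `gr_learn_resource()` is given `*pos`, the starting offset, so a write that begins below the limit but would extend past it is recorded by where it starts, not by the size it would reach. If the learned value is meant to describe the file size the task needs (the helper's semantics are not visible here), the offset plus the function's count argument is the closer figure. Spacing nit: `RLIMIT_FSIZE,*pos` is missing the space after the comma. `generic_write_checks` starts and ends outside this hunk.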
52047 diff -urNp linux-2.6.37/mm/fremap.c linux-2.6.37/mm/fremap.c
52048 --- linux-2.6.37/mm/fremap.c 2011-01-04 19:50:19.000000000 -0500
52049 +++ linux-2.6.37/mm/fremap.c 2011-01-17 02:41:02.000000000 -0500
52050 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
52052 vma = find_vma(mm, start);
52054 +#ifdef CONFIG_PAX_SEGMEXEC
52055 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
52060 * Make sure the vma is shared, that it supports prefaulting,
52061 * and that the remapped range is valid and fully within
52062 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
52064 * drop PG_Mlocked flag for over-mapped range
52066 - unsigned int saved_flags = vma->vm_flags;
52067 + unsigned long saved_flags = vma->vm_flags;
52068 munlock_vma_pages_range(vma, start, start + size);
52069 vma->vm_flags = saved_flags;
52071 diff -urNp linux-2.6.37/mm/highmem.c linux-2.6.37/mm/highmem.c
52072 --- linux-2.6.37/mm/highmem.c 2011-01-04 19:50:19.000000000 -0500
52073 +++ linux-2.6.37/mm/highmem.c 2011-01-17 02:41:02.000000000 -0500
52074 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
52075 * So no dangers, even with speculative execution.
52077 page = pte_page(pkmap_page_table[i]);
52078 + pax_open_kernel();
52079 pte_clear(&init_mm, (unsigned long)page_address(page),
52080 &pkmap_page_table[i]);
52082 + pax_close_kernel();
52083 set_page_address(page, NULL);
52086 @@ -186,9 +187,11 @@ start:
52089 vaddr = PKMAP_ADDR(last_pkmap_nr);
52091 + pax_open_kernel();
52092 set_pte_at(&init_mm, vaddr,
52093 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
52095 + pax_close_kernel();
52096 pkmap_count[last_pkmap_nr] = 1;
52097 set_page_address(page, (void *)vaddr);
52099 diff -urNp linux-2.6.37/mm/hugetlb.c linux-2.6.37/mm/hugetlb.c
52100 --- linux-2.6.37/mm/hugetlb.c 2011-01-04 19:50:19.000000000 -0500
52101 +++ linux-2.6.37/mm/hugetlb.c 2011-01-17 02:41:02.000000000 -0500
52102 @@ -2373,6 +2373,27 @@ static int unmap_ref_private(struct mm_s
52106 +#ifdef CONFIG_PAX_SEGMEXEC
52107 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
52109 + struct mm_struct *mm = vma->vm_mm;
52110 + struct vm_area_struct *vma_m;
52111 + unsigned long address_m;
52114 + vma_m = pax_find_mirror_vma(vma);
52118 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52119 + address_m = address + SEGMEXEC_TASK_SIZE;
52120 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
52121 + get_page(page_m);
52122 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
52123 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
52128 * Hugetlb_cow() should be called with page lock of the original hugepage held.
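Review bot: In `pax_mirror_huge_pte`, the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` goes straight into `set_huge_pte_at()` with no NULL check visible in this hunk. The helper appears to rely on hugetlb_fault having called `huge_pte_alloc(mm, address_m, ...)` for the mirror address first, which is a later hunk in this file. That precondition should be stated, e.g. `/* mirror huge PTE is allocated by hugetlb_fault() before we get here */`, or asserted with `BUG_ON(!ptep_m);` in the file's existing style. Some lines of the function are not shown on this page, so the check may already exist.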
52130 @@ -2473,6 +2494,11 @@ retry_avoidcopy:
52131 make_huge_pte(vma, new_page, 1));
52132 page_remove_rmap(old_page);
52133 hugepage_add_new_anon_rmap(new_page, vma, address);
52135 +#ifdef CONFIG_PAX_SEGMEXEC
52136 + pax_mirror_huge_pte(vma, address, new_page);
52139 /* Make the old page be freed below */
52140 new_page = old_page;
52141 mmu_notifier_invalidate_range_end(mm,
52142 @@ -2624,6 +2650,10 @@ retry:
52143 && (vma->vm_flags & VM_SHARED)));
52144 set_huge_pte_at(mm, address, ptep, new_pte);
52146 +#ifdef CONFIG_PAX_SEGMEXEC
52147 + pax_mirror_huge_pte(vma, address, page);
52150 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
52151 /* Optimization, do the COW without a second fault */
52152 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
52153 @@ -2653,6 +2683,10 @@ int hugetlb_fault(struct mm_struct *mm,
52154 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
52155 struct hstate *h = hstate_vma(vma);
52157 +#ifdef CONFIG_PAX_SEGMEXEC
52158 + struct vm_area_struct *vma_m;
52161 ptep = huge_pte_offset(mm, address);
52163 entry = huge_ptep_get(ptep);
52164 @@ -2664,6 +2698,26 @@ int hugetlb_fault(struct mm_struct *mm,
52165 VM_FAULT_SET_HINDEX(h - hstates);
52168 +#ifdef CONFIG_PAX_SEGMEXEC
52169 + vma_m = pax_find_mirror_vma(vma);
52171 + unsigned long address_m;
52173 + if (vma->vm_start > vma_m->vm_start) {
52174 + address_m = address;
52175 + address -= SEGMEXEC_TASK_SIZE;
52177 + h = hstate_vma(vma);
52179 + address_m = address + SEGMEXEC_TASK_SIZE;
52181 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
52182 + return VM_FAULT_OOM;
52183 + address_m &= HPAGE_MASK;
52184 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
52188 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
52190 return VM_FAULT_OOM;
52191 diff -urNp linux-2.6.37/mm/Kconfig linux-2.6.37/mm/Kconfig
52192 --- linux-2.6.37/mm/Kconfig 2011-01-04 19:50:19.000000000 -0500
52193 +++ linux-2.6.37/mm/Kconfig 2011-01-17 02:41:02.000000000 -0500
52194 @@ -240,7 +240,7 @@ config KSM
52195 config DEFAULT_MMAP_MIN_ADDR
52196 int "Low address space to protect from user allocation"
52201 This is the portion of low virtual memory which should be protected
52202 from userspace allocation. Keeping a user from writing to low pages
52203 diff -urNp linux-2.6.37/mm/kmemleak.c linux-2.6.37/mm/kmemleak.c
52204 --- linux-2.6.37/mm/kmemleak.c 2011-01-04 19:50:19.000000000 -0500
52205 +++ linux-2.6.37/mm/kmemleak.c 2011-01-17 02:41:02.000000000 -0500
52206 @@ -355,7 +355,7 @@ static void print_unreferenced(struct se
52208 for (i = 0; i < object->trace_len; i++) {
52209 void *ptr = (void *)object->trace[i];
52210 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
52211 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
52215 diff -urNp linux-2.6.37/mm/maccess.c linux-2.6.37/mm/maccess.c
52216 --- linux-2.6.37/mm/maccess.c 2011-01-04 19:50:19.000000000 -0500
52217 +++ linux-2.6.37/mm/maccess.c 2011-01-17 02:41:02.000000000 -0500
52218 @@ -15,10 +15,10 @@
52219 * happens, handle that and return -EFAULT.
52222 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
52223 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
52224 __attribute__((alias("__probe_kernel_read")));
52226 -long __probe_kernel_read(void *dst, void *src, size_t size)
52227 +long __probe_kernel_read(void *dst, const void *src, size_t size)
52230 mm_segment_t old_fs = get_fs();
52231 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
52232 * Safely write to address @dst from the buffer at @src. If a kernel fault
52233 * happens, handle that and return -EFAULT.
52235 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
52236 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
52237 __attribute__((alias("__probe_kernel_write")));
52239 -long __probe_kernel_write(void *dst, void *src, size_t size)
52240 +long __probe_kernel_write(void *dst, const void *src, size_t size)
52243 mm_segment_t old_fs = get_fs();
52244 diff -urNp linux-2.6.37/mm/madvise.c linux-2.6.37/mm/madvise.c
52245 --- linux-2.6.37/mm/madvise.c 2011-01-04 19:50:19.000000000 -0500
52246 +++ linux-2.6.37/mm/madvise.c 2011-01-17 02:41:02.000000000 -0500
52247 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
52249 unsigned long new_flags = vma->vm_flags;
52251 +#ifdef CONFIG_PAX_SEGMEXEC
52252 + struct vm_area_struct *vma_m;
52255 switch (behavior) {
52257 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
52258 @@ -104,6 +108,13 @@ success:
52260 * vm_flags is protected by the mmap_sem held in write mode.
52263 +#ifdef CONFIG_PAX_SEGMEXEC
52264 + vma_m = pax_find_mirror_vma(vma);
52266 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
52269 vma->vm_flags = new_flags;
52272 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
52273 struct vm_area_struct ** prev,
52274 unsigned long start, unsigned long end)
52277 +#ifdef CONFIG_PAX_SEGMEXEC
52278 + struct vm_area_struct *vma_m;
52282 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
52284 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
52285 zap_page_range(vma, start, end - start, &details);
52287 zap_page_range(vma, start, end - start, NULL);
52289 +#ifdef CONFIG_PAX_SEGMEXEC
52290 + vma_m = pax_find_mirror_vma(vma);
52292 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
52293 + struct zap_details details = {
52294 + .nonlinear_vma = vma_m,
52295 + .last_index = ULONG_MAX,
52297 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
52299 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
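Review bot: Both added `zap_page_range()` calls for the mirror range pass `vma` rather than `vma_m`, although `start + SEGMEXEC_TASK_SIZE` lies in the mirror mapping and `details.nonlinear_vma` is set to `vma_m`. If this is intentional, relying on the unmap walk moving forward from `vma` to the mirror, a one-line comment should say so; otherwise `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);` reads as the intended call. The `VM_NONLINEAR` test is also made on `vma`. The mm/fremap.c hunk appears to refuse remap_file_pages on VM_MAYEXEC mappings under SEGMEXEC, so the nonlinear branch may be unreachable. madvise_dontneed's body continues outside the hunk.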
52306 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
52310 +#ifdef CONFIG_PAX_SEGMEXEC
52311 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52312 + if (end > SEGMEXEC_TASK_SIZE)
52317 + if (end > TASK_SIZE)
52323 diff -urNp linux-2.6.37/mm/memory.c linux-2.6.37/mm/memory.c
52324 --- linux-2.6.37/mm/memory.c 2011-01-04 19:50:19.000000000 -0500
52325 +++ linux-2.6.37/mm/memory.c 2011-01-17 02:41:02.000000000 -0500
52326 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
52329 pmd = pmd_offset(pud, start);
52331 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
52333 pmd_free_tlb(tlb, pmd, start);
52338 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
52339 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
52340 if (end - 1 > ceiling - 1)
52343 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
52344 pud = pud_offset(pgd, start);
52346 pud_free_tlb(tlb, pud, start);
52352 @@ -1361,10 +1368,10 @@ int __get_user_pages(struct task_struct
52353 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
52357 + while (nr_pages) {
52358 struct vm_area_struct *vma;
52360 - vma = find_extend_vma(mm, start);
52361 + vma = find_vma(mm, start);
52362 if (!vma && in_gate_area(tsk, start)) {
52363 unsigned long pg = start & PAGE_MASK;
52364 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
52365 @@ -1416,7 +1423,7 @@ int __get_user_pages(struct task_struct
52370 + if (!vma || start < vma->vm_start ||
52371 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
52372 !(vm_flags & vma->vm_flags))
52373 return i ? : -EFAULT;
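Review bot: The new `start < vma->vm_start` test is what keeps the switch from `find_extend_vma()` to `find_vma()` in the previous hunk safe, because `find_vma()` can return a mapping that begins above `start`, and that dependency is undocumented. Suggest `/* find_vma() may return a vma above start; no implicit stack expansion here */` above the condition. The change also means __get_user_pages no longer grows a stack mapping on behalf of its callers, which deserves a sentence in the function's header comment. The function starts and ends outside the hunk.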
52374 @@ -1492,7 +1499,7 @@ int __get_user_pages(struct task_struct
52375 start += PAGE_SIZE;
52377 } while (nr_pages && start < vma->vm_end);
52378 - } while (nr_pages);
52383 @@ -1637,6 +1644,10 @@ static int insert_page(struct vm_area_st
52384 page_add_file_rmap(page);
52385 set_pte_at(mm, addr, pte, mk_pte(page, prot));
52387 +#ifdef CONFIG_PAX_SEGMEXEC
52388 + pax_mirror_file_pte(vma, addr, page, ptl);
52392 pte_unmap_unlock(pte, ptl);
52394 @@ -1671,10 +1682,22 @@ out:
52395 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
52399 +#ifdef CONFIG_PAX_SEGMEXEC
52400 + struct vm_area_struct *vma_m;
52403 if (addr < vma->vm_start || addr >= vma->vm_end)
52405 if (!page_count(page))
52408 +#ifdef CONFIG_PAX_SEGMEXEC
52409 + vma_m = pax_find_mirror_vma(vma);
52411 + vma_m->vm_flags |= VM_INSERTPAGE;
52414 vma->vm_flags |= VM_INSERTPAGE;
52415 return insert_page(vma, addr, page, vma->vm_page_prot);
52417 @@ -1760,6 +1783,7 @@ int vm_insert_mixed(struct vm_area_struc
52420 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
52421 + BUG_ON(vma->vm_mirror);
52423 if (addr < vma->vm_start || addr >= vma->vm_end)
52425 @@ -2087,6 +2111,186 @@ static inline void cow_user_page(struct
52426 copy_user_highpage(dst, src, va, vma);
52429 +#ifdef CONFIG_PAX_SEGMEXEC
52430 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
52432 + struct mm_struct *mm = vma->vm_mm;
52434 + pte_t *pte, entry;
52436 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
52438 + if (!pte_present(entry)) {
52439 + if (!pte_none(entry)) {
52440 + BUG_ON(pte_file(entry));
52441 + free_swap_and_cache(pte_to_swp_entry(entry));
52442 + pte_clear_not_present_full(mm, address, pte, 0);
52445 + struct page *page;
52447 + flush_cache_page(vma, address, pte_pfn(entry));
52448 + entry = ptep_clear_flush(vma, address, pte);
52449 + BUG_ON(pte_dirty(entry));
52450 + page = vm_normal_page(vma, address, entry);
52452 + update_hiwater_rss(mm);
52453 + if (PageAnon(page))
52454 + dec_mm_counter_fast(mm, MM_ANONPAGES);
52456 + dec_mm_counter_fast(mm, MM_FILEPAGES);
52457 + page_remove_rmap(page);
52458 + page_cache_release(page);
52461 + pte_unmap_unlock(pte, ptl);
52464 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
52466 + * the ptl of the lower mapped page is held on entry and is not released on exit
52467 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
52469 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
52471 + struct mm_struct *mm = vma->vm_mm;
52472 + unsigned long address_m;
52473 + spinlock_t *ptl_m;
52474 + struct vm_area_struct *vma_m;
52476 + pte_t *pte_m, entry_m;
52478 + BUG_ON(!page_m || !PageAnon(page_m));
52480 + vma_m = pax_find_mirror_vma(vma);
52484 + BUG_ON(!PageLocked(page_m));
52485 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52486 + address_m = address + SEGMEXEC_TASK_SIZE;
52487 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52488 + pte_m = pte_offset_map(pmd_m, address_m);
52489 + ptl_m = pte_lockptr(mm, pmd_m);
52490 + if (ptl != ptl_m) {
52491 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52492 + if (!pte_none(*pte_m))
52496 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
52497 + page_cache_get(page_m);
52498 + page_add_anon_rmap(page_m, vma_m, address_m);
52499 + inc_mm_counter_fast(mm, MM_ANONPAGES);
52500 + set_pte_at(mm, address_m, pte_m, entry_m);
52501 + update_mmu_cache(vma_m, address_m, entry_m);
52503 + if (ptl != ptl_m)
52504 + spin_unlock(ptl_m);
52505 + pte_unmap(pte_m);
52506 + unlock_page(page_m);
52509 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
52511 + struct mm_struct *mm = vma->vm_mm;
52512 + unsigned long address_m;
52513 + spinlock_t *ptl_m;
52514 + struct vm_area_struct *vma_m;
52516 + pte_t *pte_m, entry_m;
52518 + BUG_ON(!page_m || PageAnon(page_m));
52520 + vma_m = pax_find_mirror_vma(vma);
52524 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52525 + address_m = address + SEGMEXEC_TASK_SIZE;
52526 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52527 + pte_m = pte_offset_map(pmd_m, address_m);
52528 + ptl_m = pte_lockptr(mm, pmd_m);
52529 + if (ptl != ptl_m) {
52530 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52531 + if (!pte_none(*pte_m))
52535 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
52536 + page_cache_get(page_m);
52537 + page_add_file_rmap(page_m);
52538 + inc_mm_counter_fast(mm, MM_FILEPAGES);
52539 + set_pte_at(mm, address_m, pte_m, entry_m);
52540 + update_mmu_cache(vma_m, address_m, entry_m);
52542 + if (ptl != ptl_m)
52543 + spin_unlock(ptl_m);
52544 + pte_unmap(pte_m);
52547 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
52549 + struct mm_struct *mm = vma->vm_mm;
52550 + unsigned long address_m;
52551 + spinlock_t *ptl_m;
52552 + struct vm_area_struct *vma_m;
52554 + pte_t *pte_m, entry_m;
52556 + vma_m = pax_find_mirror_vma(vma);
52560 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52561 + address_m = address + SEGMEXEC_TASK_SIZE;
52562 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52563 + pte_m = pte_offset_map(pmd_m, address_m);
52564 + ptl_m = pte_lockptr(mm, pmd_m);
52565 + if (ptl != ptl_m) {
52566 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52567 + if (!pte_none(*pte_m))
52571 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
52572 + set_pte_at(mm, address_m, pte_m, entry_m);
52574 + if (ptl != ptl_m)
52575 + spin_unlock(ptl_m);
52576 + pte_unmap(pte_m);
52579 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
52581 + struct page *page_m;
52584 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
52588 + page_m = vm_normal_page(vma, address, entry);
52590 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
52591 + else if (PageAnon(page_m)) {
52592 + if (pax_find_mirror_vma(vma)) {
52593 + pte_unmap_unlock(pte, ptl);
52594 + lock_page(page_m);
52595 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
52596 + if (pte_same(entry, *pte))
52597 + pax_mirror_anon_pte(vma, address, page_m, ptl);
52599 + unlock_page(page_m);
52602 + pax_mirror_file_pte(vma, address, page_m, ptl);
52605 + pte_unmap_unlock(pte, ptl);
52610 * This routine handles present pages, when users try to write
52611 * to a shared page. It is done by copying the page to a new address
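Review bot: `pax_mirror_anon_pte`, `pax_mirror_file_pte` and `pax_mirror_pfn_pte` each evaluate `pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m)` without checking that the upper levels are present, and each repeats the same `ptl`/`ptl_m` nesting sequence. The walk looks safe only because handle_mm_fault pre-allocates the mirror's pud, pmd and pte page (the `pud_alloc`/`pmd_alloc`/`__pte_alloc` hunk later in this file). That precondition should be written once above the helpers, e.g. `/* mirror page tables are populated by handle_mm_fault() before any pax_mirror_*_pte() call */`. A shared static helper returning the locked `pte_m` would keep the three copies from drifting apart. `pax_mirror_anon_pte` also unlocks `page_m` on exit, which belongs in its header comment next to the existing ptl note.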
52612 @@ -2274,6 +2478,12 @@ gotten:
52614 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
52615 if (likely(pte_same(*page_table, orig_pte))) {
52617 +#ifdef CONFIG_PAX_SEGMEXEC
52618 + if (pax_find_mirror_vma(vma))
52619 + BUG_ON(!trylock_page(new_page));
52623 if (!PageAnon(old_page)) {
52624 dec_mm_counter_fast(mm, MM_FILEPAGES);
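Review bot: `BUG_ON(!trylock_page(new_page));` puts a lock acquisition inside an assertion macro, and nothing at this site says where the page lock is released. From the helper added earlier in this file, the release appears to happen in `pax_mirror_anon_pte()`, which asserts `PageLocked(page_m)` and ends with `unlock_page(page_m)`. Writing it as `if (!trylock_page(new_page)) BUG();` with `/* released by pax_mirror_anon_pte() */` keeps the side effect out of the macro argument and records the ownership hand-off. The same pattern recurs in the do_anonymous_page hunk (`@@ -2879,6 +3065,11 @@`) and the __do_fault hunk (`@@ -3029,6 +3226,12 @@`).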
52625 @@ -2325,6 +2535,10 @@ gotten:
52626 page_remove_rmap(old_page);
52629 +#ifdef CONFIG_PAX_SEGMEXEC
52630 + pax_mirror_anon_pte(vma, address, new_page, ptl);
52633 /* Free the old page.. */
52634 new_page = old_page;
52635 ret |= VM_FAULT_WRITE;
52636 @@ -2756,6 +2970,11 @@ static int do_swap_page(struct mm_struct
52638 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
52639 try_to_free_swap(page);
52641 +#ifdef CONFIG_PAX_SEGMEXEC
52642 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
52648 @@ -2779,6 +2998,11 @@ static int do_swap_page(struct mm_struct
52650 /* No need to invalidate - it was non-present before */
52651 update_mmu_cache(vma, address, page_table);
52653 +#ifdef CONFIG_PAX_SEGMEXEC
52654 + pax_mirror_anon_pte(vma, address, page, ptl);
52658 pte_unmap_unlock(page_table, ptl);
52660 @@ -2798,40 +3022,6 @@ out_release:
52664 - * This is like a special single-page "expand_{down|up}wards()",
52665 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
52666 - * doesn't hit another vma.
52668 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
52670 - address &= PAGE_MASK;
52671 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
52672 - struct vm_area_struct *prev = vma->vm_prev;
52675 - * Is there a mapping abutting this one below?
52677 - * That's only ok if it's the same stack mapping
52678 - * that has gotten split..
52680 - if (prev && prev->vm_end == address)
52681 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
52683 - expand_stack(vma, address - PAGE_SIZE);
52685 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
52686 - struct vm_area_struct *next = vma->vm_next;
52688 - /* As VM_GROWSDOWN but s/below/above/ */
52689 - if (next && next->vm_start == address + PAGE_SIZE)
52690 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
52692 - expand_upwards(vma, address + PAGE_SIZE);
52698 * We enter with non-exclusive mmap_sem (to exclude vma changes,
52699 * but allow concurrent faults), and pte mapped but not yet locked.
52700 * We return with mmap_sem still held, but pte unmapped and unlocked.
52701 @@ -2840,27 +3030,23 @@ static int do_anonymous_page(struct mm_s
52702 unsigned long address, pte_t *page_table, pmd_t *pmd,
52703 unsigned int flags)
52705 - struct page *page;
52706 + struct page *page = NULL;
52710 - pte_unmap(page_table);
52712 - /* Check if we need to add a guard page to the stack */
52713 - if (check_stack_guard_page(vma, address) < 0)
52714 - return VM_FAULT_SIGBUS;
52716 - /* Use the zero-page for reads */
52717 if (!(flags & FAULT_FLAG_WRITE)) {
52718 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
52719 vma->vm_page_prot));
52720 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
52721 + ptl = pte_lockptr(mm, pmd);
52723 if (!pte_none(*page_table))
52728 /* Allocate our own private page. */
52729 + pte_unmap(page_table);
52731 if (unlikely(anon_vma_prepare(vma)))
52733 page = alloc_zeroed_user_highpage_movable(vma, address);
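Review bot: This hunk drops the `check_stack_guard_page()` call from do_anonymous_page, and the helper itself is deleted in the preceding hunk, with no comment naming what replaces the stack guard page. The patch adds `sysctl_heap_stack_gap` in mm/mmap.c, which presumably drives the replacement gap check, but the enforcing code is not visible in these hunks. A comment at the removal site, such as `/* stack guard is enforced by the heap/stack gap check, see sysctl_heap_stack_gap */`, would stop a later rebase from ending up with neither protection. mm/mlock.c removes `stack_guard_page()` in the same way and would benefit from the same pointer.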
52734 @@ -2879,6 +3065,11 @@ static int do_anonymous_page(struct mm_s
52735 if (!pte_none(*page_table))
52738 +#ifdef CONFIG_PAX_SEGMEXEC
52739 + if (pax_find_mirror_vma(vma))
52740 + BUG_ON(!trylock_page(page));
52743 inc_mm_counter_fast(mm, MM_ANONPAGES);
52744 page_add_new_anon_rmap(page, vma, address);
52746 @@ -2886,6 +3077,12 @@ setpte:
52748 /* No need to invalidate - it was non-present before */
52749 update_mmu_cache(vma, address, page_table);
52751 +#ifdef CONFIG_PAX_SEGMEXEC
52753 + pax_mirror_anon_pte(vma, address, page, ptl);
52757 pte_unmap_unlock(page_table, ptl);
52759 @@ -3029,6 +3226,12 @@ static int __do_fault(struct mm_struct *
52761 /* Only go through if we didn't race with anybody else... */
52762 if (likely(pte_same(*page_table, orig_pte))) {
52764 +#ifdef CONFIG_PAX_SEGMEXEC
52765 + if (anon && pax_find_mirror_vma(vma))
52766 + BUG_ON(!trylock_page(page));
52769 flush_icache_page(vma, page);
52770 entry = mk_pte(page, vma->vm_page_prot);
52771 if (flags & FAULT_FLAG_WRITE)
52772 @@ -3048,6 +3251,14 @@ static int __do_fault(struct mm_struct *
52774 /* no need to invalidate: a not-present page won't be cached */
52775 update_mmu_cache(vma, address, page_table);
52777 +#ifdef CONFIG_PAX_SEGMEXEC
52779 + pax_mirror_anon_pte(vma, address, page, ptl);
52781 + pax_mirror_file_pte(vma, address, page, ptl);
52786 mem_cgroup_uncharge_page(page);
52787 @@ -3195,6 +3406,12 @@ static inline int handle_pte_fault(struc
52788 if (flags & FAULT_FLAG_WRITE)
52789 flush_tlb_fix_spurious_fault(vma, address);
52792 +#ifdef CONFIG_PAX_SEGMEXEC
52793 + pax_mirror_pte(vma, address, pte, pmd, ptl);
52798 pte_unmap_unlock(pte, ptl);
52800 @@ -3211,6 +3428,10 @@ int handle_mm_fault(struct mm_struct *mm
52804 +#ifdef CONFIG_PAX_SEGMEXEC
52805 + struct vm_area_struct *vma_m;
52808 __set_current_state(TASK_RUNNING);
52810 count_vm_event(PGFAULT);
52811 @@ -3221,6 +3442,34 @@ int handle_mm_fault(struct mm_struct *mm
52812 if (unlikely(is_vm_hugetlb_page(vma)))
52813 return hugetlb_fault(mm, vma, address, flags);
52815 +#ifdef CONFIG_PAX_SEGMEXEC
52816 + vma_m = pax_find_mirror_vma(vma);
52818 + unsigned long address_m;
52823 + if (vma->vm_start > vma_m->vm_start) {
52824 + address_m = address;
52825 + address -= SEGMEXEC_TASK_SIZE;
52828 + address_m = address + SEGMEXEC_TASK_SIZE;
52830 + pgd_m = pgd_offset(mm, address_m);
52831 + pud_m = pud_alloc(mm, pgd_m, address_m);
52833 + return VM_FAULT_OOM;
52834 + pmd_m = pmd_alloc(mm, pud_m, address_m);
52836 + return VM_FAULT_OOM;
52837 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
52838 + return VM_FAULT_OOM;
52839 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
52843 pgd = pgd_offset(mm, address);
52844 pud = pud_alloc(mm, pgd, address);
52846 @@ -3318,7 +3567,7 @@ static int __init gate_vma_init(void)
52847 gate_vma.vm_start = FIXADDR_USER_START;
52848 gate_vma.vm_end = FIXADDR_USER_END;
52849 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
52850 - gate_vma.vm_page_prot = __P101;
52851 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
52853 * Make sure the vDSO gets into every core dump.
52854 * Dumping its contents makes post-mortem fully interpretable later
52855 diff -urNp linux-2.6.37/mm/memory-failure.c linux-2.6.37/mm/memory-failure.c
52856 --- linux-2.6.37/mm/memory-failure.c 2011-01-04 19:50:19.000000000 -0500
52857 +++ linux-2.6.37/mm/memory-failure.c 2011-01-17 02:41:02.000000000 -0500
52858 @@ -58,7 +58,7 @@ int sysctl_memory_failure_early_kill __r
52860 int sysctl_memory_failure_recovery __read_mostly = 1;
52862 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
52863 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
52865 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
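Review bot: `mce_bad_pages` is switched to `atomic_long_unchecked_t` with no comment explaining why it is exempt from the patch's atomic overflow checking. It reads as a statistics counter rather than an object reference count, so the opt-out looks deliberate. Saying so at the declaration, e.g. `/* statistic only, not a refcount: overflow detection not needed */`, makes the exemption auditable. The remaining hunks in this file convert the `atomic_long_add`/`atomic_long_sub` call sites to the `_unchecked` variants to match.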
52867 @@ -967,7 +967,7 @@ int __memory_failure(unsigned long pfn,
52870 nr_pages = 1 << compound_order(hpage);
52871 - atomic_long_add(nr_pages, &mce_bad_pages);
52872 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
52875 * We need/can do nothing about count=0 pages.
52876 @@ -997,7 +997,7 @@ int __memory_failure(unsigned long pfn,
52877 if (!PageHWPoison(hpage)
52878 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
52879 || (p != hpage && TestSetPageHWPoison(hpage))) {
52880 - atomic_long_sub(nr_pages, &mce_bad_pages);
52881 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52884 set_page_hwpoison_huge_page(hpage);
52885 @@ -1052,7 +1052,7 @@ int __memory_failure(unsigned long pfn,
52887 if (hwpoison_filter(p)) {
52888 if (TestClearPageHWPoison(p))
52889 - atomic_long_sub(nr_pages, &mce_bad_pages);
52890 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52891 unlock_page(hpage);
52894 @@ -1178,7 +1178,7 @@ int unpoison_memory(unsigned long pfn)
52897 if (TestClearPageHWPoison(p))
52898 - atomic_long_sub(nr_pages, &mce_bad_pages);
52899 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52900 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
52903 @@ -1192,7 +1192,7 @@ int unpoison_memory(unsigned long pfn)
52905 if (TestClearPageHWPoison(page)) {
52906 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
52907 - atomic_long_sub(nr_pages, &mce_bad_pages);
52908 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52910 if (PageHuge(page))
52911 clear_page_hwpoison_huge_page(page);
52912 @@ -1301,7 +1301,7 @@ static int soft_offline_huge_page(struct
52915 if (!PageHWPoison(hpage))
52916 - atomic_long_add(1 << compound_order(hpage), &mce_bad_pages);
52917 + atomic_long_add_unchecked(1 << compound_order(hpage), &mce_bad_pages);
52918 set_page_hwpoison_huge_page(hpage);
52919 dequeue_hwpoisoned_huge_page(hpage);
52920 /* keep elevated page count for bad page */
52921 @@ -1428,7 +1428,7 @@ int soft_offline_page(struct page *page,
52925 - atomic_long_add(1, &mce_bad_pages);
52926 + atomic_long_add_unchecked(1, &mce_bad_pages);
52927 SetPageHWPoison(page);
52928 /* keep elevated page count for bad page */
52930 diff -urNp linux-2.6.37/mm/mempolicy.c linux-2.6.37/mm/mempolicy.c
52931 --- linux-2.6.37/mm/mempolicy.c 2011-01-04 19:50:19.000000000 -0500
52932 +++ linux-2.6.37/mm/mempolicy.c 2011-01-17 02:41:02.000000000 -0500
52933 @@ -642,6 +642,10 @@ static int mbind_range(struct mm_struct
52934 unsigned long vmstart;
52935 unsigned long vmend;
52937 +#ifdef CONFIG_PAX_SEGMEXEC
52938 + struct vm_area_struct *vma_m;
52941 vma = find_vma_prev(mm, start, &prev);
52942 if (!vma || vma->vm_start > start)
52944 @@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct
52945 err = policy_vma(vma, new_pol);
52949 +#ifdef CONFIG_PAX_SEGMEXEC
52950 + vma_m = pax_find_mirror_vma(vma);
52952 + err = policy_vma(vma_m, new_pol);
52961 @@ -1104,6 +1118,17 @@ static long do_mbind(unsigned long start
52966 +#ifdef CONFIG_PAX_SEGMEXEC
52967 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
52968 + if (end > SEGMEXEC_TASK_SIZE)
52973 + if (end > TASK_SIZE)
52979 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
52983 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52984 + if (mm != current->mm &&
52985 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
52992 * Check if this process has the right to modify the specified
52993 * process. The right exists if the process has administrative
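Review bot: The condition `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` depends on `&` binding tighter than `||` and can be a single mask test: `(mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))`. The block also has no comment saying why migrate_pages on another task's mm is refused when these flags are set. Given the CONFIG_GRKERNSEC_PROC_MEMMAP guard, it is presumably to avoid exposing the target's address-space layout, and a one-line comment should state that. The body of the `if` is not shown on this page. The move_pages hunk in mm/migrate.c has the identical condition.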
52994 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
52996 tcred = __task_cred(task);
52997 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
52998 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
52999 - !capable(CAP_SYS_NICE)) {
53000 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
53004 @@ -2632,7 +2664,7 @@ int show_numa_map(struct seq_file *m, vo
53007 seq_printf(m, " file=");
53008 - seq_path(m, &file->f_path, "\n\t= ");
53009 + seq_path(m, &file->f_path, "\n\t\\= ");
53010 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
53011 seq_printf(m, " heap");
53012 } else if (vma->vm_start <= mm->start_stack &&
53013 diff -urNp linux-2.6.37/mm/migrate.c linux-2.6.37/mm/migrate.c
53014 --- linux-2.6.37/mm/migrate.c 2011-01-04 19:50:19.000000000 -0500
53015 +++ linux-2.6.37/mm/migrate.c 2011-01-17 02:41:02.000000000 -0500
53016 @@ -1299,6 +1299,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
53020 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
53021 + if (mm != current->mm &&
53022 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
53029 * Check if this process has the right to modify the specified
53030 * process. The right exists if the process has administrative
53031 @@ -1308,8 +1316,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
53033 tcred = __task_cred(task);
53034 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
53035 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
53036 - !capable(CAP_SYS_NICE)) {
53037 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
53041 diff -urNp linux-2.6.37/mm/mlock.c linux-2.6.37/mm/mlock.c
53042 --- linux-2.6.37/mm/mlock.c 2011-01-04 19:50:19.000000000 -0500
53043 +++ linux-2.6.37/mm/mlock.c 2011-01-24 18:04:18.000000000 -0500
53045 #include <linux/pagemap.h>
53046 #include <linux/mempolicy.h>
53047 #include <linux/syscalls.h>
53048 +#include <linux/security.h>
53049 #include <linux/sched.h>
53050 #include <linux/module.h>
53051 #include <linux/rmap.h>
53052 @@ -135,13 +136,6 @@ void munlock_vma_page(struct page *page)
53056 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
53058 - return (vma->vm_flags & VM_GROWSDOWN) &&
53059 - (vma->vm_start == addr) &&
53060 - !vma_stack_continue(vma->vm_prev, addr);
53064 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
53066 @@ -174,12 +168,6 @@ static long __mlock_vma_pages_range(stru
53067 if (vma->vm_flags & VM_WRITE)
53068 gup_flags |= FOLL_WRITE;
53070 - /* We don't try to access the guard page of a stack vma */
53071 - if (stack_guard_page(vma, start)) {
53072 - addr += PAGE_SIZE;
53076 while (nr_pages > 0) {
53079 @@ -437,7 +425,7 @@ static int do_mlock(unsigned long start,
53081 unsigned long nstart, end, tmp;
53082 struct vm_area_struct * vma, * prev;
53084 + int error = -EINVAL;
53086 len = PAGE_ALIGN(len);
53088 @@ -445,6 +433,9 @@ static int do_mlock(unsigned long start,
53092 + if (end > TASK_SIZE)
53095 vma = find_vma_prev(current->mm, start, &prev);
53096 if (!vma || vma->vm_start > start)
53098 @@ -455,6 +446,11 @@ static int do_mlock(unsigned long start,
53099 for (nstart = start ; ; ) {
53100 unsigned int newflags;
53102 +#ifdef CONFIG_PAX_SEGMEXEC
53103 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
53107 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
53109 newflags = vma->vm_flags | VM_LOCKED;
53110 @@ -504,6 +500,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
53111 lock_limit >>= PAGE_SHIFT;
53113 /* check against resource limits */
53114 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
53115 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
53116 error = do_mlock(start, len, 1);
53117 up_write(¤t->mm->mmap_sem);
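Review bot: The value passed to `gr_learn_resource()` is a byte count, `(current->mm->locked_vm << PAGE_SHIFT) + len`, while the limit check on the next line compares page counts (`locked <= lock_limit`). `len` comes from the caller, so on a 32-bit build the byte sum can wrap, and the learned RLIMIT_MEMLOCK figure would then be smaller than the request that was actually checked. If the helper expects bytes, saturating the sum avoids recording a misleading value; at minimum add `/* bytes; may wrap on 32-bit for very large len */`. The helper's definition is outside this hunk.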
53118 @@ -525,17 +522,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
53119 static int do_mlockall(int flags)
53121 struct vm_area_struct * vma, * prev = NULL;
53122 - unsigned int def_flags = 0;
53124 if (flags & MCL_FUTURE)
53125 - def_flags = VM_LOCKED;
53126 - current->mm->def_flags = def_flags;
53127 + current->mm->def_flags |= VM_LOCKED;
53129 + current->mm->def_flags &= ~VM_LOCKED;
53130 if (flags == MCL_FUTURE)
53133 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
53134 - unsigned int newflags;
53135 + unsigned long newflags;
53137 +#ifdef CONFIG_PAX_SEGMEXEC
53138 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
53142 + BUG_ON(vma->vm_end > TASK_SIZE);
53143 newflags = vma->vm_flags | VM_LOCKED;
53144 if (!(flags & MCL_CURRENT))
53145 newflags &= ~VM_LOCKED;
53146 @@ -567,6 +570,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
53147 lock_limit >>= PAGE_SHIFT;
53150 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
53151 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
53152 capable(CAP_IPC_LOCK))
53153 ret = do_mlockall(flags);
53154 diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
53155 --- linux-2.6.37/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
53156 +++ linux-2.6.37/mm/mmap.c 2011-01-17 02:41:02.000000000 -0500
53158 #define arch_rebalance_pgtables(addr, len) (addr)
53161 +static inline void verify_mm_writelocked(struct mm_struct *mm)
53163 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
53164 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
53165 + up_read(&mm->mmap_sem);
53171 static void unmap_region(struct mm_struct *mm,
53172 struct vm_area_struct *vma, struct vm_area_struct *prev,
53173 unsigned long start, unsigned long end);
53174 @@ -70,22 +80,32 @@ static void unmap_region(struct mm_struc
53175 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
53178 -pgprot_t protection_map[16] = {
53179 +pgprot_t protection_map[16] __read_only = {
53180 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
53181 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
53184 pgprot_t vm_get_page_prot(unsigned long vm_flags)
53186 - return __pgprot(pgprot_val(protection_map[vm_flags &
53187 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
53188 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
53189 pgprot_val(arch_vm_get_page_prot(vm_flags)));
53191 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53192 + if (!(__supported_pte_mask & _PAGE_NX) &&
53193 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
53194 + (vm_flags & (VM_READ | VM_WRITE)))
53195 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
53200 EXPORT_SYMBOL(vm_get_page_prot);
53202 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
53203 int sysctl_overcommit_ratio = 50; /* default is 50% */
53204 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
53205 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
53206 struct percpu_counter vm_committed_as;
53209 @@ -231,6 +251,7 @@ static struct vm_area_struct *remove_vma
53210 struct vm_area_struct *next = vma->vm_next;
53213 + BUG_ON(vma->vm_mirror);
53214 if (vma->vm_ops && vma->vm_ops->close)
53215 vma->vm_ops->close(vma);
53216 if (vma->vm_file) {
53217 @@ -267,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
53218 * not page aligned -Ram Gupta
53220 rlim = rlimit(RLIMIT_DATA);
53221 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
53222 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
53223 (mm->end_data - mm->start_data) > rlim)
53225 @@ -708,6 +730,12 @@ static int
53226 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
53227 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
53230 +#ifdef CONFIG_PAX_SEGMEXEC
53231 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
53235 if (is_mergeable_vma(vma, file, vm_flags) &&
53236 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
53237 if (vma->vm_pgoff == vm_pgoff)
53238 @@ -727,6 +755,12 @@ static int
53239 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
53240 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
53243 +#ifdef CONFIG_PAX_SEGMEXEC
53244 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
53248 if (is_mergeable_vma(vma, file, vm_flags) &&
53249 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
53251 @@ -769,13 +803,20 @@ can_vma_merge_after(struct vm_area_struc
53252 struct vm_area_struct *vma_merge(struct mm_struct *mm,
53253 struct vm_area_struct *prev, unsigned long addr,
53254 unsigned long end, unsigned long vm_flags,
53255 - struct anon_vma *anon_vma, struct file *file,
53256 + struct anon_vma *anon_vma, struct file *file,
53257 pgoff_t pgoff, struct mempolicy *policy)
53259 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
53260 struct vm_area_struct *area, *next;
53263 +#ifdef CONFIG_PAX_SEGMEXEC
53264 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
53265 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
53267 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
53271 * We later require that vma->vm_flags == vm_flags,
53272 * so this tests vma->vm_flags & VM_SPECIAL, too.
53273 @@ -791,6 +832,15 @@ struct vm_area_struct *vma_merge(struct
53274 if (next && next->vm_end == end) /* cases 6, 7, 8 */
53275 next = next->vm_next;
53277 +#ifdef CONFIG_PAX_SEGMEXEC
53279 + prev_m = pax_find_mirror_vma(prev);
53281 + area_m = pax_find_mirror_vma(area);
53283 + next_m = pax_find_mirror_vma(next);
53287 * Can it merge with the predecessor?
53289 @@ -810,9 +860,24 @@ struct vm_area_struct *vma_merge(struct
53291 err = vma_adjust(prev, prev->vm_start,
53292 next->vm_end, prev->vm_pgoff, NULL);
53293 - } else /* cases 2, 5, 7 */
53295 +#ifdef CONFIG_PAX_SEGMEXEC
53296 + if (!err && prev_m)
53297 + err = vma_adjust(prev_m, prev_m->vm_start,
53298 + next_m->vm_end, prev_m->vm_pgoff, NULL);
53301 + } else { /* cases 2, 5, 7 */
53302 err = vma_adjust(prev, prev->vm_start,
53303 end, prev->vm_pgoff, NULL);
53305 +#ifdef CONFIG_PAX_SEGMEXEC
53306 + if (!err && prev_m)
53307 + err = vma_adjust(prev_m, prev_m->vm_start,
53308 + end_m, prev_m->vm_pgoff, NULL);
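Review bot: In both branches the mirror adjustment runs only after the primary `vma_adjust()` has succeeded, so if `vma_adjust(prev_m, ...)` then fails, the primary VMA stays merged while its mirror keeps the old range. The consistency checks in `pax_find_mirror_vma()` later in this file (for example `BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start)`) would then fire on the next lookup, turning an allocation failure into a kernel BUG. The error handling after these calls is not visible in the hunk, so this may be covered there; if not, the primary should be rolled back or the mirror's resources reserved first. The first branch also dereferences `next_m` guarded only by `prev_m`, which deserves a comment such as `/* next is mergeable with prev, hence VM_EXEC, hence mirrored */` if that is the reasoning. The next hunk (case 4 and cases 3, 8) follows the same pattern.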
53315 @@ -825,12 +890,27 @@ struct vm_area_struct *vma_merge(struct
53316 mpol_equal(policy, vma_policy(next)) &&
53317 can_vma_merge_before(next, vm_flags,
53318 anon_vma, file, pgoff+pglen)) {
53319 - if (prev && addr < prev->vm_end) /* case 4 */
53320 + if (prev && addr < prev->vm_end) { /* case 4 */
53321 err = vma_adjust(prev, prev->vm_start,
53322 addr, prev->vm_pgoff, NULL);
53323 - else /* cases 3, 8 */
53325 +#ifdef CONFIG_PAX_SEGMEXEC
53326 + if (!err && prev_m)
53327 + err = vma_adjust(prev_m, prev_m->vm_start,
53328 + addr_m, prev_m->vm_pgoff, NULL);
53331 + } else { /* cases 3, 8 */
53332 err = vma_adjust(area, addr, next->vm_end,
53333 next->vm_pgoff - pglen, NULL);
53335 +#ifdef CONFIG_PAX_SEGMEXEC
53336 + if (!err && area_m)
53337 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
53338 + next_m->vm_pgoff - pglen, NULL);
53345 @@ -945,14 +1025,11 @@ none:
53346 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
53347 struct file *file, long pages)
53349 - const unsigned long stack_flags
53350 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
53353 mm->shared_vm += pages;
53354 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
53355 mm->exec_vm += pages;
53356 - } else if (flags & stack_flags)
53357 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
53358 mm->stack_vm += pages;
53359 if (flags & (VM_RESERVED|VM_IO))
53360 mm->reserved_vm += pages;
53361 @@ -979,7 +1056,7 @@ unsigned long do_mmap_pgoff(struct file
53362 * (the exception is when the underlying filesystem is noexec
53363 * mounted, in which case we dont add PROT_EXEC.)
53365 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
53366 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
53367 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
53370 @@ -1005,7 +1082,7 @@ unsigned long do_mmap_pgoff(struct file
53371 /* Obtain the address to map to. we verify (or select) it and ensure
53372 * that it represents a valid section of the address space.
53374 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
53375 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
53376 if (addr & ~PAGE_MASK)
53379 @@ -1016,6 +1093,31 @@ unsigned long do_mmap_pgoff(struct file
53380 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
53381 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
53383 +#ifdef CONFIG_PAX_MPROTECT
53384 + if (mm->pax_flags & MF_PAX_MPROTECT) {
53385 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
53386 + gr_log_rwxmmap(file);
53388 +#ifdef CONFIG_PAX_EMUPLT
53389 + vm_flags &= ~VM_EXEC;
53396 + if (!(vm_flags & VM_EXEC))
53397 + vm_flags &= ~VM_MAYEXEC;
53399 + vm_flags &= ~VM_MAYWRITE;
53403 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53404 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
53405 + vm_flags &= ~VM_PAGEEXEC;
53408 if (flags & MAP_LOCKED)
53409 if (!can_do_mlock())
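Review bot: The block that strips `VM_MAYEXEC` and `VM_MAYWRITE` under `MF_PAX_MPROTECT` is repeated almost line for line in the `install_special_mapping()` hunk near the end of this file, so the two copies of the policy can drift apart. A small static helper that takes `vm_flags` and returns the restricted value would keep the rule in one place. Several lines of the block are not visible here, so the exact branch structure is inferred. If the intent is what the visible lines suggest, a comment such as `/* MPROTECT: a mapping may keep VM_MAYWRITE or VM_MAYEXEC, never both */` above the block would document it.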
53411 @@ -1027,6 +1129,7 @@ unsigned long do_mmap_pgoff(struct file
53412 locked += mm->locked_vm;
53413 lock_limit = rlimit(RLIMIT_MEMLOCK);
53414 lock_limit >>= PAGE_SHIFT;
53415 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
53416 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
53419 @@ -1097,6 +1200,9 @@ unsigned long do_mmap_pgoff(struct file
53423 + if (!gr_acl_handle_mmap(file, prot))
53426 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
53428 EXPORT_SYMBOL(do_mmap_pgoff);
53429 @@ -1174,10 +1280,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
53431 int vma_wants_writenotify(struct vm_area_struct *vma)
53433 - unsigned int vm_flags = vma->vm_flags;
53434 + unsigned long vm_flags = vma->vm_flags;
53436 /* If it was private or non-writable, the write bit is already clear */
53437 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
53438 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
53441 /* The backer wishes to know when pages are first written to? */
53442 @@ -1226,14 +1332,24 @@ unsigned long mmap_region(struct file *f
53443 unsigned long charged = 0;
53444 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
53446 +#ifdef CONFIG_PAX_SEGMEXEC
53447 + struct vm_area_struct *vma_m = NULL;
53451 + * mm->mmap_sem is required to protect against another thread
53452 + * changing the mappings in case we sleep.
53454 + verify_mm_writelocked(mm);
53456 /* Clear old maps */
53459 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53460 if (vma && vma->vm_start < addr + len) {
53461 if (do_munmap(mm, addr, len))
53463 - goto munmap_back;
53464 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53465 + BUG_ON(vma && vma->vm_start < addr + len);
53468 /* Check against address space limit. */
53469 @@ -1282,6 +1398,16 @@ munmap_back:
53473 +#ifdef CONFIG_PAX_SEGMEXEC
53474 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
53475 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53484 vma->vm_start = addr;
53485 vma->vm_end = addr + len;
53486 @@ -1305,6 +1431,19 @@ munmap_back:
53487 error = file->f_op->mmap(file, vma);
53489 goto unmap_and_free_vma;
53491 +#ifdef CONFIG_PAX_SEGMEXEC
53492 + if (vma_m && (vm_flags & VM_EXECUTABLE))
53493 + added_exe_file_vma(mm);
53496 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53497 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
53498 + vma->vm_flags |= VM_PAGEEXEC;
53499 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
53503 if (vm_flags & VM_EXECUTABLE)
53504 added_exe_file_vma(mm);
53506 @@ -1340,6 +1479,11 @@ munmap_back:
53507 vma_link(mm, vma, prev, rb_link, rb_parent);
53508 file = vma->vm_file;
53510 +#ifdef CONFIG_PAX_SEGMEXEC
53512 + BUG_ON(pax_mirror_vma(vma_m, vma));
53515 /* Once vma denies write, undo our temporary denial count */
53516 if (correct_wcount)
53517 atomic_inc(&inode->i_writecount);
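Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` puts the call that links the mirror inside the assertion and treats any non-zero return as fatal. `pax_mirror_vma()`, added later in this file, contains an `anon_vma_clone()` step with a failure branch, so a transient allocation failure during mmap() would presumably bring the kernel down instead of returning an error to the caller. Calling it as a statement, `error = pax_mirror_vma(vma_m, vma);`, and handling a non-zero result would keep this recoverable. The unwinding needed after `vma_link()` has run depends on code outside the hunk. The `insert_vm_struct()` hunk further down uses the same `BUG_ON(pax_mirror_vma(...))` form.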
53518 @@ -1348,6 +1492,7 @@ out:
53520 mm->total_vm += len >> PAGE_SHIFT;
53521 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
53522 + track_exec_limit(mm, addr, addr + len, vm_flags);
53523 if (vm_flags & VM_LOCKED) {
53524 if (!mlock_vma_pages_range(vma, addr, addr + len))
53525 mm->locked_vm += (len >> PAGE_SHIFT);
53526 @@ -1365,6 +1510,12 @@ unmap_and_free_vma:
53527 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
53531 +#ifdef CONFIG_PAX_SEGMEXEC
53533 + kmem_cache_free(vm_area_cachep, vma_m);
53536 kmem_cache_free(vm_area_cachep, vma);
53539 @@ -1372,6 +1523,33 @@ unacct_error:
53543 +bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len)
53546 +#ifdef CONFIG_STACK_GROWSUP
53547 + if (addr > sysctl_heap_stack_gap)
53548 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
53550 + vma = find_vma(current->mm, 0);
53551 + if (vma && (vma->vm_flags & VM_GROWSUP))
53557 + if (addr + len > vma->vm_start)
53560 + if (vma->vm_flags & VM_GROWSDOWN)
53561 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
53562 +#ifdef CONFIG_STACK_GROWSUP
53563 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
53564 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
53570 /* Get an address range which is currently unmapped.
53571 * For shmat() with addr=0.
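Review bot: The `VM_GROWSUP` branch of `check_heap_stack_gap()` returns true when the distance to the preceding stack is at most `sysctl_heap_stack_gap`, the opposite sense of the `VM_GROWSDOWN` branch just above it (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`). The callers use the function in place of the old `!vma || addr + len <= vma->vm_start` test, which suggests true means "the range is acceptable"; in that case the line should read `return addr - vma->vm_prev->vm_end >= sysctl_heap_stack_gap;`. As written, on `CONFIG_STACK_GROWSUP` builds a range directly above an upward-growing stack would be accepted and one far from it rejected. A short header comment stating the return convention would make the intent checkable.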
53573 @@ -1398,18 +1576,23 @@ arch_get_unmapped_area(struct file *filp
53574 if (flags & MAP_FIXED)
53577 +#ifdef CONFIG_PAX_RANDMMAP
53578 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
53582 addr = PAGE_ALIGN(addr);
53583 - vma = find_vma(mm, addr);
53584 - if (TASK_SIZE - len >= addr &&
53585 - (!vma || addr + len <= vma->vm_start))
53587 + if (TASK_SIZE - len >= addr) {
53588 + vma = find_vma(mm, addr);
53589 + if (check_heap_stack_gap(vma, addr, len))
53593 if (len > mm->cached_hole_size) {
53594 - start_addr = addr = mm->free_area_cache;
53595 + start_addr = addr = mm->free_area_cache;
53597 - start_addr = addr = TASK_UNMAPPED_BASE;
53598 - mm->cached_hole_size = 0;
53599 + start_addr = addr = mm->mmap_base;
53600 + mm->cached_hole_size = 0;
53604 @@ -1420,34 +1603,40 @@ full_search:
53605 * Start a new search - just in case we missed
53608 - if (start_addr != TASK_UNMAPPED_BASE) {
53609 - addr = TASK_UNMAPPED_BASE;
53610 - start_addr = addr;
53611 + if (start_addr != mm->mmap_base) {
53612 + start_addr = addr = mm->mmap_base;
53613 mm->cached_hole_size = 0;
53618 - if (!vma || addr + len <= vma->vm_start) {
53620 - * Remember the place where we stopped the search:
53622 - mm->free_area_cache = addr + len;
53625 + if (check_heap_stack_gap(vma, addr, len))
53627 if (addr + mm->cached_hole_size < vma->vm_start)
53628 mm->cached_hole_size = vma->vm_start - addr;
53629 addr = vma->vm_end;
53633 + * Remember the place where we stopped the search:
53635 + mm->free_area_cache = addr + len;
53640 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
53643 +#ifdef CONFIG_PAX_SEGMEXEC
53644 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
53649 * Is this a new hole at the lowest possible address?
53651 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
53652 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
53653 mm->free_area_cache = addr;
53654 mm->cached_hole_size = ~0UL;
53656 @@ -1465,7 +1654,7 @@ arch_get_unmapped_area_topdown(struct fi
53658 struct vm_area_struct *vma;
53659 struct mm_struct *mm = current->mm;
53660 - unsigned long addr = addr0;
53661 + unsigned long base = mm->mmap_base, addr = addr0;
53663 /* requested length too big for entire address space */
53664 if (len > TASK_SIZE)
53665 @@ -1474,13 +1663,18 @@ arch_get_unmapped_area_topdown(struct fi
53666 if (flags & MAP_FIXED)
53669 +#ifdef CONFIG_PAX_RANDMMAP
53670 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
53673 /* requesting a specific address */
53675 addr = PAGE_ALIGN(addr);
53676 - vma = find_vma(mm, addr);
53677 - if (TASK_SIZE - len >= addr &&
53678 - (!vma || addr + len <= vma->vm_start))
53680 + if (TASK_SIZE - len >= addr) {
53681 + vma = find_vma(mm, addr);
53682 + if (check_heap_stack_gap(vma, addr, len))
53687 /* check if free_area_cache is useful for us */
53688 @@ -1495,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
53689 /* make sure it can fit in the remaining address space */
53691 vma = find_vma(mm, addr-len);
53692 - if (!vma || addr <= vma->vm_start)
53693 + if (check_heap_stack_gap(vma, addr - len, len))
53694 /* remember the address as a hint for next time */
53695 return (mm->free_area_cache = addr-len);
53697 @@ -1512,7 +1706,7 @@ arch_get_unmapped_area_topdown(struct fi
53698 * return with success:
53700 vma = find_vma(mm, addr);
53701 - if (!vma || addr+len <= vma->vm_start)
53702 + if (check_heap_stack_gap(vma, addr, len))
53703 /* remember the address as a hint for next time */
53704 return (mm->free_area_cache = addr);
53706 @@ -1531,13 +1725,21 @@ bottomup:
53707 * can happen with large stack limits and large mmap()
53710 + mm->mmap_base = TASK_UNMAPPED_BASE;
53712 +#ifdef CONFIG_PAX_RANDMMAP
53713 + if (mm->pax_flags & MF_PAX_RANDMMAP)
53714 + mm->mmap_base += mm->delta_mmap;
53717 + mm->free_area_cache = mm->mmap_base;
53718 mm->cached_hole_size = ~0UL;
53719 - mm->free_area_cache = TASK_UNMAPPED_BASE;
53720 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
53722 * Restore the topdown base:
53724 - mm->free_area_cache = mm->mmap_base;
53725 + mm->mmap_base = base;
53726 + mm->free_area_cache = base;
53727 mm->cached_hole_size = ~0UL;
53730 @@ -1546,6 +1748,12 @@ bottomup:
53732 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
53735 +#ifdef CONFIG_PAX_SEGMEXEC
53736 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
53741 * Is this a new hole at the highest possible address?
53743 @@ -1553,8 +1761,10 @@ void arch_unmap_area_topdown(struct mm_s
53744 mm->free_area_cache = addr;
53746 /* dont allow allocations above current base */
53747 - if (mm->free_area_cache > mm->mmap_base)
53748 + if (mm->free_area_cache > mm->mmap_base) {
53749 mm->free_area_cache = mm->mmap_base;
53750 + mm->cached_hole_size = ~0UL;
53755 @@ -1662,6 +1872,28 @@ out:
53756 return prev ? prev->vm_next : vma;
53759 +#ifdef CONFIG_PAX_SEGMEXEC
53760 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
53762 + struct vm_area_struct *vma_m;
53764 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
53765 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
53766 + BUG_ON(vma->vm_mirror);
53769 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
53770 + vma_m = vma->vm_mirror;
53771 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
53772 + BUG_ON(vma->vm_file != vma_m->vm_file);
53773 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
53774 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
53775 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
53776 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
53782 * Verify that the stack growth is acceptable and
53783 * update accounting. This is shared with both the
53784 @@ -1678,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
53787 /* Stack limit test */
53788 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
53789 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
53792 @@ -1688,6 +1921,7 @@ static int acct_stack_growth(struct vm_a
53793 locked = mm->locked_vm + grow;
53794 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
53795 limit >>= PAGE_SHIFT;
53796 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
53797 if (locked > limit && !capable(CAP_IPC_LOCK))
53800 @@ -1718,37 +1952,48 @@ static int acct_stack_growth(struct vm_a
53801 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
53802 * vma is the last one with address > vma->vm_end. Have to extend vma.
53804 +#ifndef CONFIG_IA64
53807 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
53812 if (!(vma->vm_flags & VM_GROWSUP))
53815 + /* Also guard against wrapping around to address 0. */
53816 + if (address < PAGE_ALIGN(address+1))
53817 + address = PAGE_ALIGN(address+1);
53822 * We must make sure the anon_vma is allocated
53823 * so that the anon_vma locking is not a noop.
53825 if (unlikely(anon_vma_prepare(vma)))
53827 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
53828 + if (locknext && anon_vma_prepare(vma->vm_next))
53830 vma_lock_anon_vma(vma);
53832 + vma_lock_anon_vma(vma->vm_next);
53835 * vma->vm_start/vm_end cannot change under us because the caller
53836 * is required to hold the mmap_sem in read mode. We need the
53837 - * anon_vma lock to serialize against concurrent expand_stacks.
53838 - * Also guard against wrapping around to address 0.
53839 + * anon_vma locks to serialize against concurrent expand_stacks
53840 + * and expand_upwards.
53842 - if (address < PAGE_ALIGN(address+4))
53843 - address = PAGE_ALIGN(address+4);
53845 - vma_unlock_anon_vma(vma);
53850 /* Somebody else might have raced and expanded it already */
53851 - if (address > vma->vm_end) {
53852 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
53854 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
53855 unsigned long size, grow;
53857 size = address - vma->vm_start;
53858 @@ -1760,6 +2005,8 @@ int expand_upwards(struct vm_area_struct
53859 perf_event_mmap(vma);
53863 + vma_unlock_anon_vma(vma->vm_next);
53864 vma_unlock_anon_vma(vma);
53867 @@ -1772,6 +2019,8 @@ static int expand_downwards(struct vm_ar
53868 unsigned long address)
53871 + bool lockprev = false;
53872 + struct vm_area_struct *prev;
53875 * We must make sure the anon_vma is allocated
53876 @@ -1785,6 +2034,15 @@ static int expand_downwards(struct vm_ar
53880 + prev = vma->vm_prev;
53881 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
53882 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
53884 + if (lockprev && anon_vma_prepare(prev))
53887 + vma_lock_anon_vma(prev);
53889 vma_lock_anon_vma(vma);
53892 @@ -1794,9 +2052,17 @@ static int expand_downwards(struct vm_ar
53895 /* Somebody else might have raced and expanded it already */
53896 - if (address < vma->vm_start) {
53897 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
53899 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
53900 unsigned long size, grow;
53902 +#ifdef CONFIG_PAX_SEGMEXEC
53903 + struct vm_area_struct *vma_m;
53905 + vma_m = pax_find_mirror_vma(vma);
53908 size = vma->vm_end - address;
53909 grow = (vma->vm_start - address) >> PAGE_SHIFT;
53911 @@ -1804,10 +2070,21 @@ static int expand_downwards(struct vm_ar
53913 vma->vm_start = address;
53914 vma->vm_pgoff -= grow;
53915 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
53917 +#ifdef CONFIG_PAX_SEGMEXEC
53919 + vma_m->vm_start -= grow << PAGE_SHIFT;
53920 + vma_m->vm_pgoff -= grow;
53924 perf_event_mmap(vma);
53927 vma_unlock_anon_vma(vma);
53929 + vma_unlock_anon_vma(prev);
53933 @@ -1881,6 +2158,13 @@ static void remove_vma_list(struct mm_st
53935 long nrpages = vma_pages(vma);
53937 +#ifdef CONFIG_PAX_SEGMEXEC
53938 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
53939 + vma = remove_vma(vma);
53944 mm->total_vm -= nrpages;
53945 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
53946 vma = remove_vma(vma);
53947 @@ -1926,6 +2210,16 @@ detach_vmas_to_be_unmapped(struct mm_str
53948 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
53949 vma->vm_prev = NULL;
53952 +#ifdef CONFIG_PAX_SEGMEXEC
53953 + if (vma->vm_mirror) {
53954 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
53955 + vma->vm_mirror->vm_mirror = NULL;
53956 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
53957 + vma->vm_mirror = NULL;
53961 rb_erase(&vma->vm_rb, &mm->mm_rb);
53964 @@ -1954,14 +2248,33 @@ static int __split_vma(struct mm_struct
53965 struct vm_area_struct *new;
53968 +#ifdef CONFIG_PAX_SEGMEXEC
53969 + struct vm_area_struct *vma_m, *new_m = NULL;
53970 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
53973 if (is_vm_hugetlb_page(vma) && (addr &
53974 ~(huge_page_mask(hstate_vma(vma)))))
53977 +#ifdef CONFIG_PAX_SEGMEXEC
53978 + vma_m = pax_find_mirror_vma(vma);
53981 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
53985 +#ifdef CONFIG_PAX_SEGMEXEC
53987 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
53989 + kmem_cache_free(vm_area_cachep, new);
53995 /* most fields are the same, copy all, and then fixup */
53998 @@ -1974,6 +2287,22 @@ static int __split_vma(struct mm_struct
53999 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
54002 +#ifdef CONFIG_PAX_SEGMEXEC
54005 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
54006 + new_m->vm_mirror = new;
54007 + new->vm_mirror = new_m;
54010 + new_m->vm_end = addr_m;
54012 + new_m->vm_start = addr_m;
54013 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
54018 pol = mpol_dup(vma_policy(vma));
54020 err = PTR_ERR(pol);
54021 @@ -1999,6 +2328,42 @@ static int __split_vma(struct mm_struct
54023 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
54025 +#ifdef CONFIG_PAX_SEGMEXEC
54026 + if (!err && vma_m) {
54027 + if (anon_vma_clone(new_m, vma_m))
54028 + goto out_free_mpol;
54031 + vma_set_policy(new_m, pol);
54033 + if (new_m->vm_file) {
54034 + get_file(new_m->vm_file);
54035 + if (vma_m->vm_flags & VM_EXECUTABLE)
54036 + added_exe_file_vma(mm);
54039 + if (new_m->vm_ops && new_m->vm_ops->open)
54040 + new_m->vm_ops->open(new_m);
54043 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
54044 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
54046 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
54049 + if (new_m->vm_ops && new_m->vm_ops->close)
54050 + new_m->vm_ops->close(new_m);
54051 + if (new_m->vm_file) {
54052 + if (vma_m->vm_flags & VM_EXECUTABLE)
54053 + removed_exe_file_vma(mm);
54054 + fput(new_m->vm_file);
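Review bot: The early exit `if (anon_vma_clone(new_m, vma_m)) goto out_free_mpol;` is taken with `err` still 0, because the enclosing test is `!err && vma_m` and the clone's return value is not stored. Unless the label sets `err` itself (its code is outside this hunk), `__split_vma()` would report success after a failed mirror split, and by then `new` has already been passed to `vma_adjust()` as the inserted VMA. Storing the result, `err = anon_vma_clone(new_m, vma_m);` followed by `if (err) goto out_free_mpol;`, at least propagates the failure. Whether the cleanup path may still free `new` at that point needs checking against the full function.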
54064 @@ -2011,10 +2376,18 @@ static int __split_vma(struct mm_struct
54065 removed_exe_file_vma(mm);
54066 fput(new->vm_file);
54068 - unlink_anon_vmas(new);
54073 +#ifdef CONFIG_PAX_SEGMEXEC
54075 + unlink_anon_vmas(new_m);
54076 + kmem_cache_free(vm_area_cachep, new_m);
54080 + unlink_anon_vmas(new);
54081 kmem_cache_free(vm_area_cachep, new);
54084 @@ -2027,6 +2400,15 @@ static int __split_vma(struct mm_struct
54085 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
54086 unsigned long addr, int new_below)
54089 +#ifdef CONFIG_PAX_SEGMEXEC
54090 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
54091 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
54092 + if (mm->map_count >= sysctl_max_map_count-1)
54097 if (mm->map_count >= sysctl_max_map_count)
54100 @@ -2038,11 +2420,30 @@ int split_vma(struct mm_struct *mm, stru
54101 * work. This now handles partial unmappings.
54102 * Jeremy Fitzhardinge <jeremy@goop.org>
54104 +#ifdef CONFIG_PAX_SEGMEXEC
54105 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54107 + int ret = __do_munmap(mm, start, len);
54108 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
54111 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
54114 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54116 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54120 struct vm_area_struct *vma, *prev, *last;
54123 + * mm->mmap_sem is required to protect against another thread
54124 + * changing the mappings in case we sleep.
54126 + verify_mm_writelocked(mm);
54128 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
54131 @@ -2116,6 +2517,8 @@ int do_munmap(struct mm_struct *mm, unsi
54132 /* Fix up all other VM information */
54133 remove_vma_list(mm, vma);
54135 + track_exec_limit(mm, start, end, 0UL);
54140 @@ -2128,22 +2531,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
54142 profile_munmap(addr);
54144 +#ifdef CONFIG_PAX_SEGMEXEC
54145 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
54146 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
54150 down_write(&mm->mmap_sem);
54151 ret = do_munmap(mm, addr, len);
54152 up_write(&mm->mmap_sem);
54156 -static inline void verify_mm_writelocked(struct mm_struct *mm)
54158 -#ifdef CONFIG_DEBUG_VM
54159 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
54161 - up_read(&mm->mmap_sem);
54167 * this is really a simplified "do_mmap". it only handles
54168 * anonymous maps. eventually we may be able to do some
54169 @@ -2157,6 +2556,7 @@ unsigned long do_brk(unsigned long addr,
54170 struct rb_node ** rb_link, * rb_parent;
54171 pgoff_t pgoff = addr >> PAGE_SHIFT;
54173 + unsigned long charged;
54175 len = PAGE_ALIGN(len);
54177 @@ -2168,16 +2568,30 @@ unsigned long do_brk(unsigned long addr,
54179 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
54181 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
54182 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
54183 + flags &= ~VM_EXEC;
54185 +#ifdef CONFIG_PAX_MPROTECT
54186 + if (mm->pax_flags & MF_PAX_MPROTECT)
54187 + flags &= ~VM_MAYEXEC;
54193 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
54194 if (error & ~PAGE_MASK)
54197 + charged = len >> PAGE_SHIFT;
54200 * mlock MCL_FUTURE?
54202 if (mm->def_flags & VM_LOCKED) {
54203 unsigned long locked, lock_limit;
54204 - locked = len >> PAGE_SHIFT;
54205 + locked = charged;
54206 locked += mm->locked_vm;
54207 lock_limit = rlimit(RLIMIT_MEMLOCK);
54208 lock_limit >>= PAGE_SHIFT;
54209 @@ -2194,22 +2608,22 @@ unsigned long do_brk(unsigned long addr,
54211 * Clear old maps. this also does some error checking for us
54214 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
54215 if (vma && vma->vm_start < addr + len) {
54216 if (do_munmap(mm, addr, len))
54218 - goto munmap_back;
54219 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
54220 + BUG_ON(vma && vma->vm_start < addr + len);
54223 /* Check against address space limits *after* clearing old maps... */
54224 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
54225 + if (!may_expand_vm(mm, charged))
54228 if (mm->map_count > sysctl_max_map_count)
54231 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
54232 + if (security_vm_enough_memory(charged))
54235 /* Can we just expand an old private anonymous mapping? */
54236 @@ -2223,7 +2637,7 @@ unsigned long do_brk(unsigned long addr,
54238 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54240 - vm_unacct_memory(len >> PAGE_SHIFT);
54241 + vm_unacct_memory(charged);
54245 @@ -2237,11 +2651,12 @@ unsigned long do_brk(unsigned long addr,
54246 vma_link(mm, vma, prev, rb_link, rb_parent);
54248 perf_event_mmap(vma);
54249 - mm->total_vm += len >> PAGE_SHIFT;
54250 + mm->total_vm += charged;
54251 if (flags & VM_LOCKED) {
54252 if (!mlock_vma_pages_range(vma, addr, addr + len))
54253 - mm->locked_vm += (len >> PAGE_SHIFT);
54254 + mm->locked_vm += charged;
54256 + track_exec_limit(mm, addr, addr + len, flags);
54260 @@ -2288,8 +2703,10 @@ void exit_mmap(struct mm_struct *mm)
54261 * Walk the list again, actually closing and freeing it,
54262 * with preemption enabled, without holding any MM locks.
54266 + vma->vm_mirror = NULL;
54267 vma = remove_vma(vma);
54270 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
54272 @@ -2303,6 +2720,13 @@ int insert_vm_struct(struct mm_struct *
54273 struct vm_area_struct * __vma, * prev;
54274 struct rb_node ** rb_link, * rb_parent;
54276 +#ifdef CONFIG_PAX_SEGMEXEC
54277 + struct vm_area_struct *vma_m = NULL;
54280 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
54284 * The vm_pgoff of a purely anonymous vma should be irrelevant
54285 * until its first write fault, when page's anon_vma and index
54286 @@ -2325,7 +2749,22 @@ int insert_vm_struct(struct mm_struct *
54287 if ((vma->vm_flags & VM_ACCOUNT) &&
54288 security_vm_enough_memory_mm(mm, vma_pages(vma)))
54291 +#ifdef CONFIG_PAX_SEGMEXEC
54292 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
54293 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54299 vma_link(mm, vma, prev, rb_link, rb_parent);
54301 +#ifdef CONFIG_PAX_SEGMEXEC
54303 + BUG_ON(pax_mirror_vma(vma_m, vma));
54309 @@ -2343,6 +2782,8 @@ struct vm_area_struct *copy_vma(struct v
54310 struct rb_node **rb_link, *rb_parent;
54311 struct mempolicy *pol;
54313 + BUG_ON(vma->vm_mirror);
54316 * If anonymous vma has not yet been faulted, update new pgoff
54317 * to match new location, to increase its chance of merging.
54318 @@ -2392,6 +2833,39 @@ struct vm_area_struct *copy_vma(struct v
54319 kmem_cache_free(vm_area_cachep, new_vma);
54323 +#ifdef CONFIG_PAX_SEGMEXEC
54324 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
54326 + struct vm_area_struct *prev_m;
54327 + struct rb_node **rb_link_m, *rb_parent_m;
54328 + struct mempolicy *pol_m;
54330 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
54331 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
54332 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
54334 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
54335 + if (anon_vma_clone(vma_m, vma))
54337 + pol_m = vma_policy(vma_m);
54339 + vma_set_policy(vma_m, pol_m);
54340 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
54341 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
54342 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
54343 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
54344 + if (vma_m->vm_file)
54345 + get_file(vma_m->vm_file);
54346 + if (vma_m->vm_ops && vma_m->vm_ops->open)
54347 + vma_m->vm_ops->open(vma_m);
54348 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
54349 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
54350 + vma_m->vm_mirror = vma;
54351 + vma->vm_mirror = vma_m;
54357 * Return true if the calling process may expand its vm space by the passed
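Review bot: pax_mirror_vma has no header comment, and its contract cannot be read off the signature. The BUG_ON lines require a SEGMEXEC mm, a VM_EXEC vma, no existing mirror on either side and equal mempolicies, and the body reads vma_m's own fields, so the caller must pass an already initialised vma_m. I would add something like `/* Link vma_m as the SEGMEXEC mirror of vma at +SEGMEXEC_TASK_SIZE, with VM_WRITE, VM_MAYWRITE, VM_ACCOUNT and VM_LOCKED cleared. */` plus the locking callers must hold and the return convention. It should also say who frees vma_m when anon_vma_clone fails, since that exit happens before vma_m is linked (the return line itself is not shown in this listing).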
54358 @@ -2403,7 +2877,7 @@ int may_expand_vm(struct mm_struct *mm,
54361 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
54363 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
54364 if (cur + npages > lim)
54367 @@ -2474,6 +2948,17 @@ int install_special_mapping(struct mm_st
54368 vma->vm_start = addr;
54369 vma->vm_end = addr + len;
54371 +#ifdef CONFIG_PAX_MPROTECT
54372 + if (mm->pax_flags & MF_PAX_MPROTECT) {
54373 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
54375 + if (!(vm_flags & VM_EXEC))
54376 + vm_flags &= ~VM_MAYEXEC;
54378 + vm_flags &= ~VM_MAYWRITE;
54382 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
54383 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
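Review bot: The W|X rejection sits after the vma has been allocated, since the context lines just above are already filling in `vma->vm_start` and `vma->vm_end`. Whatever the line after the `(VM_WRITE | VM_EXEC)` test does (it is not shown in this listing), it must release that vma before leaving. If it is a bare `return`, every rejected call leaks a vm_area_struct; either move the check ahead of the allocation or call `kmem_cache_free(vm_area_cachep, vma);` first. install_special_mapping starts and ends outside the hunk.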
54385 diff -urNp linux-2.6.37/mm/mprotect.c linux-2.6.37/mm/mprotect.c
54386 --- linux-2.6.37/mm/mprotect.c 2011-01-04 19:50:19.000000000 -0500
54387 +++ linux-2.6.37/mm/mprotect.c 2011-01-17 02:41:02.000000000 -0500
54388 @@ -23,10 +23,16 @@
54389 #include <linux/mmu_notifier.h>
54390 #include <linux/migrate.h>
54391 #include <linux/perf_event.h>
54393 +#ifdef CONFIG_PAX_MPROTECT
54394 +#include <linux/elf.h>
54397 #include <asm/uaccess.h>
54398 #include <asm/pgtable.h>
54399 #include <asm/cacheflush.h>
54400 #include <asm/tlbflush.h>
54401 +#include <asm/mmu_context.h>
54403 #ifndef pgprot_modify
54404 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
54405 @@ -131,6 +137,48 @@ static void change_protection(struct vm_
54406 flush_tlb_range(vma, start, end);
54409 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
54410 +/* called while holding the mmap semaphor for writing except stack expansion */
54411 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
54413 + unsigned long oldlimit, newlimit = 0UL;
54415 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
54418 + spin_lock(&mm->page_table_lock);
54419 + oldlimit = mm->context.user_cs_limit;
54420 + if ((prot & VM_EXEC) && oldlimit < end)
54421 + /* USER_CS limit moved up */
54423 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
54424 + /* USER_CS limit moved down */
54425 + newlimit = start;
54428 + mm->context.user_cs_limit = newlimit;
54432 + cpus_clear(mm->context.cpu_user_cs_mask);
54433 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
54436 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
54438 + spin_unlock(&mm->page_table_lock);
54439 + if (newlimit == end) {
54440 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
54442 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
54443 + if (is_vm_hugetlb_page(vma))
54444 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
54446 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
54452 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
54453 unsigned long start, unsigned long end, unsigned long newflags)
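Review bot: The VMA walk at the end of track_exec_limit runs after `spin_unlock(&mm->page_table_lock)` and so depends entirely on mmap_sem, yet the comment above the function says the stack-expansion caller does not hold it for writing. A sentence explaining why `find_vma(mm, oldlimit)`, the `vm_next` traversal and the change_protection calls are safe on that path, or stating that the `newlimit == end` branch is never reached from it, would make the locking reviewable. Several lines of the function are not shown in this listing, so this is about documentation rather than a confirmed race.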
54454 @@ -143,11 +191,29 @@ mprotect_fixup(struct vm_area_struct *vm
54456 int dirty_accountable = 0;
54458 +#ifdef CONFIG_PAX_SEGMEXEC
54459 + struct vm_area_struct *vma_m = NULL;
54460 + unsigned long start_m, end_m;
54462 + start_m = start + SEGMEXEC_TASK_SIZE;
54463 + end_m = end + SEGMEXEC_TASK_SIZE;
54466 if (newflags == oldflags) {
54471 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
54472 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
54474 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
54477 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
54482 * If we make a private mapping writable we increase our commit;
54483 * but (without finer accounting) cannot reduce our commit if we
54484 @@ -164,6 +230,42 @@ mprotect_fixup(struct vm_area_struct *vm
54488 +#ifdef CONFIG_PAX_SEGMEXEC
54489 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
54490 + if (start != vma->vm_start) {
54491 + error = split_vma(mm, vma, start, 1);
54494 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
54495 + *pprev = (*pprev)->vm_next;
54498 + if (end != vma->vm_end) {
54499 + error = split_vma(mm, vma, end, 0);
54504 + if (pax_find_mirror_vma(vma)) {
54505 + error = __do_munmap(mm, start_m, end_m - start_m);
54509 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54514 + vma->vm_flags = newflags;
54515 + error = pax_mirror_vma(vma_m, vma);
54517 + vma->vm_flags = oldflags;
54525 * First try to merge with previous and/or next vma.
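Review bot: On the failure path after `error = pax_mirror_vma(vma_m, vma);` the only cleanup visible here is `vma->vm_flags = oldflags;`, so it should be confirmed that the vma_m obtained from kmem_cache_zalloc is released there with `kmem_cache_free(vm_area_cachep, vma_m);`. The lines between are not shown in this listing, and pax_mirror_vma can exit before linking vma_m when anon_vma_clone fails, in which case nothing else owns it. Note also that the split_vma calls and the `__do_munmap` of the mirror range earlier in the block are not undone if a later step fails; a comment saying that this is acceptable would help. mprotect_fixup continues outside the hunk.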
54527 @@ -194,9 +296,21 @@ success:
54528 * vm_flags and vm_page_prot are protected by the mmap_sem
54529 * held in write mode.
54532 +#ifdef CONFIG_PAX_SEGMEXEC
54533 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
54534 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
54537 vma->vm_flags = newflags;
54539 +#ifdef CONFIG_PAX_MPROTECT
54540 + if (mm->binfmt && mm->binfmt->handle_mprotect)
54541 + mm->binfmt->handle_mprotect(vma, newflags);
54544 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
54545 - vm_get_page_prot(newflags));
54546 + vm_get_page_prot(vma->vm_flags));
54548 if (vma_wants_writenotify(vma)) {
54549 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
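Review bot: After this change the two vm_page_prot computations disagree about their input. The first now uses `vm_get_page_prot(vma->vm_flags)` so that whatever handle_mprotect changed is honoured, but the writenotify branch in the trailing context still uses `vm_get_page_prot(newflags & ~VM_SHARED)`. If the hook can alter bits that affect page protection, that branch discards them; using `vma->vm_flags & ~VM_SHARED` there, or a comment stating that the hook only touches VM_MAY* bits, would remove the doubt. Separately, `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the result unchecked, which is safe only if a VM_EXEC vma under SEGMEXEC always has a mirror at this point.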
54550 @@ -238,6 +352,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54555 +#ifdef CONFIG_PAX_SEGMEXEC
54556 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
54557 + if (end > SEGMEXEC_TASK_SIZE)
54562 + if (end > TASK_SIZE)
54565 if (!arch_validate_prot(prot))
54568 @@ -245,7 +370,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54570 * Does the application expect PROT_READ to imply PROT_EXEC:
54572 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
54573 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
54576 vm_flags = calc_vm_prot_bits(prot);
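Review bot: The comment above this test still reads "Does the application expect PROT_READ to imply PROT_EXEC", but the condition now also fires for write-only requests through `(prot & (PROT_READ | PROT_WRITE))`. Widening which requests gain PROT_EXEC is a behaviour change and should be explained where it happens, for example `/* READ_IMPLIES_EXEC: treat PROT_WRITE like PROT_READ here */` followed by the reason. As written, a reader cannot tell whether the extra bit is deliberate.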
54577 @@ -277,6 +402,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54578 if (start > vma->vm_start)
54581 +#ifdef CONFIG_PAX_MPROTECT
54582 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
54583 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
54586 for (nstart = start ; ; ) {
54587 unsigned long newflags;
54589 @@ -286,6 +416,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54591 /* newflags >> 4 shift VM_MAY% in place of VM_% */
54592 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
54593 + if (prot & (PROT_WRITE | PROT_EXEC))
54594 + gr_log_rwxmprotect(vma->vm_file);
54600 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
54604 @@ -300,6 +438,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54605 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
54609 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
54613 if (nstart < prev->vm_end)
54614 diff -urNp linux-2.6.37/mm/mremap.c linux-2.6.37/mm/mremap.c
54615 --- linux-2.6.37/mm/mremap.c 2011-01-04 19:50:19.000000000 -0500
54616 +++ linux-2.6.37/mm/mremap.c 2011-01-17 02:41:02.000000000 -0500
54617 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
54619 pte = ptep_clear_flush(vma, old_addr, old_pte);
54620 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
54622 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
54623 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
54624 + pte = pte_exprotect(pte);
54627 set_pte_at(mm, new_addr, new_pte, pte);
54630 @@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
54631 if (is_vm_hugetlb_page(vma))
54634 +#ifdef CONFIG_PAX_SEGMEXEC
54635 + if (pax_find_mirror_vma(vma))
54639 /* We can't remap across vm area boundaries */
54640 if (old_len > vma->vm_end - addr)
54642 @@ -321,20 +332,25 @@ static unsigned long mremap_to(unsigned
54643 unsigned long ret = -EINVAL;
54644 unsigned long charged = 0;
54645 unsigned long map_flags;
54646 + unsigned long pax_task_size = TASK_SIZE;
54648 if (new_addr & ~PAGE_MASK)
54651 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
54652 +#ifdef CONFIG_PAX_SEGMEXEC
54653 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
54654 + pax_task_size = SEGMEXEC_TASK_SIZE;
54657 + pax_task_size -= PAGE_SIZE;
54659 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
54662 /* Check if the location we're moving into overlaps the
54663 * old location at all, and fail if it does.
54665 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
54668 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
54669 + if (addr + old_len > new_addr && new_addr + new_len > addr)
54672 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
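Review bot: The size half of the new bound still compares against TASK_SIZE. In `if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)` a new_len between pax_task_size and TASK_SIZE makes the unsigned subtraction wrap, so the address test passes for any new_addr. The matching check added to do_mremap further down uses pax_task_size for both halves, and since do_mremap appears to run it before calling mremap_to this may be unreachable today, but the local check should not depend on that: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. mremap_to continues outside the hunk.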
54673 @@ -406,6 +422,7 @@ unsigned long do_mremap(unsigned long ad
54674 struct vm_area_struct *vma;
54675 unsigned long ret = -EINVAL;
54676 unsigned long charged = 0;
54677 + unsigned long pax_task_size = TASK_SIZE;
54679 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
54681 @@ -424,6 +441,17 @@ unsigned long do_mremap(unsigned long ad
54685 +#ifdef CONFIG_PAX_SEGMEXEC
54686 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
54687 + pax_task_size = SEGMEXEC_TASK_SIZE;
54690 + pax_task_size -= PAGE_SIZE;
54692 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
54693 + old_len > pax_task_size || addr > pax_task_size-old_len)
54696 if (flags & MREMAP_FIXED) {
54697 if (flags & MREMAP_MAYMOVE)
54698 ret = mremap_to(addr, old_len, new_addr, new_len);
54699 @@ -473,6 +501,7 @@ unsigned long do_mremap(unsigned long ad
54703 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
54707 @@ -499,7 +528,13 @@ unsigned long do_mremap(unsigned long ad
54708 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
54712 + map_flags = vma->vm_flags;
54713 ret = move_vma(vma, addr, old_len, new_len, new_addr);
54714 + if (!(ret & ~PAGE_MASK)) {
54715 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
54716 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
54720 if (ret & ~PAGE_MASK)
54721 diff -urNp linux-2.6.37/mm/nommu.c linux-2.6.37/mm/nommu.c
54722 --- linux-2.6.37/mm/nommu.c 2011-01-04 19:50:19.000000000 -0500
54723 +++ linux-2.6.37/mm/nommu.c 2011-01-17 02:41:02.000000000 -0500
54724 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
54725 int sysctl_overcommit_ratio = 50; /* default is 50% */
54726 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
54727 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
54728 -int heap_stack_gap = 0;
54730 atomic_long_t mmap_pages_allocated;
54732 @@ -831,15 +830,6 @@ struct vm_area_struct *find_vma(struct m
54733 EXPORT_SYMBOL(find_vma);
54737 - * - we don't extend stack VMAs under NOMMU conditions
54739 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
54741 - return find_vma(mm, addr);
54745 * expand a stack to a given address
54746 * - not supported under NOMMU conditions
54748 @@ -1561,6 +1551,7 @@ int split_vma(struct mm_struct *mm, stru
54750 /* most fields are the same, copy all, and then fixup */
54752 + INIT_LIST_HEAD(&new->anon_vma_chain);
54753 *region = *vma->vm_region;
54754 new->vm_region = region;
54756 diff -urNp linux-2.6.37/mm/page_alloc.c linux-2.6.37/mm/page_alloc.c
54757 --- linux-2.6.37/mm/page_alloc.c 2011-01-04 19:50:19.000000000 -0500
54758 +++ linux-2.6.37/mm/page_alloc.c 2011-01-17 02:41:02.000000000 -0500
54759 @@ -648,6 +648,10 @@ static bool free_pages_prepare(struct pa
54763 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
54764 + unsigned long index = 1UL << order;
54767 trace_mm_page_free_direct(page, order);
54768 kmemcheck_free_shadow(page, order);
54770 @@ -666,6 +670,12 @@ static bool free_pages_prepare(struct pa
54771 debug_check_no_obj_freed(page_address(page),
54772 PAGE_SIZE << order);
54775 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
54776 + for (; index; --index)
54777 + sanitize_highpage(page + index - 1);
54780 arch_free_page(page, order);
54781 kernel_map_pages(page, 1 << order, 0);
54783 @@ -780,8 +790,10 @@ static int prep_new_page(struct page *pa
54784 arch_alloc_page(page, order);
54785 kernel_map_pages(page, 1 << order, 1);
54787 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
54788 if (gfp_flags & __GFP_ZERO)
54789 prep_zero_page(page, order, gfp_flags);
54792 if (order && (gfp_flags & __GFP_COMP))
54793 prep_compound_page(page, order);
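Review bot: With CONFIG_PAX_MEMORY_SANITIZE the `__GFP_ZERO` handling in prep_new_page is compiled out, so zeroed allocations now depend on every page having passed the sanitize_highpage loop added to free_pages_prepare earlier in this file. That invariant deserves a comment at the `#ifndef`, e.g. `/* pages are cleared at free time in free_pages_prepare(); a path that returns pages without it breaks __GFP_ZERO */`. It is also worth confirming that no early exit in free_pages_prepare (it returns bool) and no boot-time release path can hand the allocator an uncleared page; those paths are outside the hunk.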
54794 @@ -4014,7 +4026,7 @@ static void __init setup_usemap(struct p
54795 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
54798 -static void inline setup_usemap(struct pglist_data *pgdat,
54799 +static inline void setup_usemap(struct pglist_data *pgdat,
54800 struct zone *zone, unsigned long zonesize) {}
54801 #endif /* CONFIG_SPARSEMEM */
54803 diff -urNp linux-2.6.37/mm/percpu.c linux-2.6.37/mm/percpu.c
54804 --- linux-2.6.37/mm/percpu.c 2011-01-04 19:50:19.000000000 -0500
54805 +++ linux-2.6.37/mm/percpu.c 2011-01-17 02:41:02.000000000 -0500
54806 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
54807 static unsigned int pcpu_last_unit_cpu __read_mostly;
54809 /* the address of the first chunk which starts with the kernel static area */
54810 -void *pcpu_base_addr __read_mostly;
54811 +void *pcpu_base_addr __read_only;
54812 EXPORT_SYMBOL_GPL(pcpu_base_addr);
54814 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
54815 diff -urNp linux-2.6.37/mm/rmap.c linux-2.6.37/mm/rmap.c
54816 --- linux-2.6.37/mm/rmap.c 2011-01-04 19:50:19.000000000 -0500
54817 +++ linux-2.6.37/mm/rmap.c 2011-01-17 02:41:02.000000000 -0500
54818 @@ -117,6 +117,10 @@ int anon_vma_prepare(struct vm_area_stru
54819 struct anon_vma *anon_vma = vma->anon_vma;
54820 struct anon_vma_chain *avc;
54822 +#ifdef CONFIG_PAX_SEGMEXEC
54823 + struct anon_vma_chain *avc_m = NULL;
54827 if (unlikely(!anon_vma)) {
54828 struct mm_struct *mm = vma->vm_mm;
54829 @@ -126,6 +130,12 @@ int anon_vma_prepare(struct vm_area_stru
54833 +#ifdef CONFIG_PAX_SEGMEXEC
54834 + avc_m = anon_vma_chain_alloc();
54836 + goto out_enomem_free_avc;
54839 anon_vma = find_mergeable_anon_vma(vma);
54842 @@ -144,6 +154,21 @@ int anon_vma_prepare(struct vm_area_stru
54843 /* page_table_lock to protect against threads */
54844 spin_lock(&mm->page_table_lock);
54845 if (likely(!vma->anon_vma)) {
54847 +#ifdef CONFIG_PAX_SEGMEXEC
54848 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
54851 + BUG_ON(vma_m->anon_vma);
54852 + vma_m->anon_vma = anon_vma;
54853 + avc_m->anon_vma = anon_vma;
54854 + avc_m->vma = vma;
54855 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
54856 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
54861 vma->anon_vma = anon_vma;
54862 avc->anon_vma = anon_vma;
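Review bot: `avc_m->vma = vma;` looks like it should name the mirror. The entry is linked into `vma_m->anon_vma_chain` on the next line and `vma_m->anon_vma` is set just above, so a walk over anon_vma->head that follows avc->vma would reach the primary vma twice and never the mirror. If that reading is right the line should be `avc_m->vma = vma_m;`; if pointing at the primary is intentional it needs a comment saying why. The lines that test vma_m for NULL and reset avc_m are not shown in this listing, and anon_vma_prepare continues outside the hunk.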
54864 @@ -157,12 +182,24 @@ int anon_vma_prepare(struct vm_area_stru
54866 if (unlikely(allocated))
54867 anon_vma_free(allocated);
54869 +#ifdef CONFIG_PAX_SEGMEXEC
54870 + if (unlikely(avc_m))
54871 + anon_vma_chain_free(avc_m);
54875 anon_vma_chain_free(avc);
54879 out_enomem_free_avc:
54881 +#ifdef CONFIG_PAX_SEGMEXEC
54883 + anon_vma_chain_free(avc_m);
54886 anon_vma_chain_free(avc);
54889 @@ -185,7 +222,7 @@ static void anon_vma_chain_link(struct v
54890 * Attach the anon_vmas from src to dst.
54891 * Returns 0 on success, -ENOMEM on failure.
54893 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
54894 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
54896 struct anon_vma_chain *avc, *pavc;
54898 @@ -207,7 +244,7 @@ int anon_vma_clone(struct vm_area_struct
54899 * the corresponding VMA in the parent process is attached to.
54900 * Returns 0 on success, non-zero on failure.
54902 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
54903 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
54905 struct anon_vma_chain *avc;
54906 struct anon_vma *anon_vma;
54907 diff -urNp linux-2.6.37/mm/shmem.c linux-2.6.37/mm/shmem.c
54908 --- linux-2.6.37/mm/shmem.c 2011-01-04 19:50:19.000000000 -0500
54909 +++ linux-2.6.37/mm/shmem.c 2011-01-24 18:04:18.000000000 -0500
54911 #include <linux/percpu_counter.h>
54912 #include <linux/swap.h>
54914 -static struct vfsmount *shm_mnt;
54915 +struct vfsmount *shm_mnt;
54917 #ifdef CONFIG_SHMEM
54919 @@ -1070,6 +1070,8 @@ static int shmem_writepage(struct page *
54922 entry = shmem_swp_entry(info, index, NULL);
54927 * The more uptodate page coming down from a stacked
54928 diff -urNp linux-2.6.37/mm/slab.c linux-2.6.37/mm/slab.c
54929 --- linux-2.6.37/mm/slab.c 2011-01-04 19:50:19.000000000 -0500
54930 +++ linux-2.6.37/mm/slab.c 2011-01-17 02:41:02.000000000 -0500
54931 @@ -284,7 +284,7 @@ struct kmem_list3 {
54932 * Need this for bootstrapping a per node allocator.
54934 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
54935 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
54936 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
54937 #define CACHE_CACHE 0
54938 #define SIZE_AC MAX_NUMNODES
54939 #define SIZE_L3 (2 * MAX_NUMNODES)
54940 @@ -534,7 +534,7 @@ static inline void *index_to_obj(struct
54941 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
54943 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
54944 - const struct slab *slab, void *obj)
54945 + const struct slab *slab, const void *obj)
54947 u32 offset = (obj - slab->s_mem);
54948 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
54949 @@ -560,14 +560,14 @@ struct cache_names {
54950 static struct cache_names __initdata cache_names[] = {
54951 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
54952 #include <linux/kmalloc_sizes.h>
54958 static struct arraycache_init initarray_cache __initdata =
54959 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
54960 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
54961 static struct arraycache_init initarray_generic =
54962 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
54963 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
54965 /* internal cache of cache description objs */
54966 static struct kmem_cache cache_cache = {
54967 @@ -4557,15 +4557,66 @@ static const struct file_operations proc
54969 static int __init slab_proc_init(void)
54971 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
54972 + mode_t gr_mode = S_IRUGO;
54974 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
54975 + gr_mode = S_IRUSR;
54978 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
54979 #ifdef CONFIG_DEBUG_SLAB_LEAK
54980 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
54981 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
54985 module_init(slab_proc_init);
54988 +void check_object_size(const void *ptr, unsigned long n, bool to)
54991 +#ifdef CONFIG_PAX_USERCOPY
54992 + struct kmem_cache *cachep;
54993 + struct slab *slabp;
54994 + struct page *page;
54995 + unsigned int objnr;
54996 + unsigned long offset;
55001 + if (ZERO_OR_NULL_PTR(ptr))
55004 + if (!virt_addr_valid(ptr))
55007 + page = virt_to_head_page(ptr);
55009 + if (!PageSlab(page)) {
55010 + if (object_is_on_stack(ptr, n) == -1)
55015 + cachep = page_get_cache(page);
55016 + slabp = page_get_slab(page);
55017 + objnr = obj_to_index(cachep, slabp, ptr);
55018 + BUG_ON(objnr >= cachep->num);
55019 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
55020 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
55025 + pax_report_leak_to_user(ptr, n);
55027 + pax_report_overflow_from_user(ptr, n);
55031 +EXPORT_SYMBOL(check_object_size);
55034 * ksize - get the actual amount of memory allocated for a given object
55035 * @objp: Pointer to the object
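Review bot: check_object_size is exported with no description of its contract, and the same function is added again in mm/slob.c and mm/slub.c later in this patch. A kernel-doc block should say that ptr and n describe the kernel-side buffer of a user copy, that `to` presumably selects between pax_report_leak_to_user and pax_report_overflow_from_user, and that non-slab pointers are only checked against the stack through object_is_on_stack. Note also that `BUG_ON(objnr >= cachep->num)` handles an out-of-range object index with a BUG rather than the report path used for the other failures; if that is intended it is worth a comment.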
55036 diff -urNp linux-2.6.37/mm/slob.c linux-2.6.37/mm/slob.c
55037 --- linux-2.6.37/mm/slob.c 2011-01-04 19:50:19.000000000 -0500
55038 +++ linux-2.6.37/mm/slob.c 2011-01-17 02:41:02.000000000 -0500
55040 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
55041 * alloc_pages() directly, allocating compound pages so the page order
55042 * does not have to be separately tracked, and also stores the exact
55043 - * allocation size in page->private so that it can be used to accurately
55044 + * allocation size in slob_page->size so that it can be used to accurately
55045 * provide ksize(). These objects are detected in kfree() because slob_page()
55046 * is false for them.
55051 #include <linux/kernel.h>
55052 +#include <linux/sched.h>
55053 #include <linux/slab.h>
55054 #include <linux/mm.h>
55055 #include <linux/swap.h> /* struct reclaim_state */
55056 @@ -102,7 +103,8 @@ struct slob_page {
55057 unsigned long flags; /* mandatory */
55058 atomic_t _count; /* mandatory */
55059 slobidx_t units; /* free units left in page */
55060 - unsigned long pad[2];
55061 + unsigned long pad[1];
55062 + unsigned long size; /* size when >=PAGE_SIZE */
55063 slob_t *free; /* first free slob_t in page */
55064 struct list_head list; /* linked list of free pages */
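Review bot: The new `size` field carries an invariant that its one-line comment does not state. is_slob_page() in the next hunk becomes `PageSlab((struct page *)sp) && !sp->size`, so size must be 0 for every page on the slob lists and non-zero only for large allocations. I would expand the comment to `/* 0 for slob-managed pages; allocation size for objects >= PAGE_SIZE (is_slob_page() depends on this) */`. Because struct slob_page overlays struct page, it is also worth confirming which struct page member `size` now aliases and that it is reset before the page goes back to the page allocator; those resets are not visible in this listing.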
55066 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
55068 static inline int is_slob_page(struct slob_page *sp)
55070 - return PageSlab((struct page *)sp);
55071 + return PageSlab((struct page *)sp) && !sp->size;
55074 static inline void set_slob_page(struct slob_page *sp)
55075 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
55077 static inline struct slob_page *slob_page(const void *addr)
55079 - return (struct slob_page *)virt_to_page(addr);
55080 + return (struct slob_page *)virt_to_head_page(addr);
55084 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
55086 * Return the size of a slob block.
55088 -static slobidx_t slob_units(slob_t *s)
55089 +static slobidx_t slob_units(const slob_t *s)
55093 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
55095 * Return the next free slob block pointer after this one.
55097 -static slob_t *slob_next(slob_t *s)
55098 +static slob_t *slob_next(const slob_t *s)
55100 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
55102 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
55104 * Returns true if s is the last free block in its page.
55106 -static int slob_last(slob_t *s)
55107 +static int slob_last(const slob_t *s)
55109 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
55111 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
55115 + set_slob_page(page);
55116 return page_address(page);
55119 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
55123 - set_slob_page(sp);
55125 spin_lock_irqsave(&slob_lock, flags);
55126 sp->units = SLOB_UNITS(PAGE_SIZE);
55129 INIT_LIST_HEAD(&sp->list);
55130 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
55131 set_slob_page_free(sp, slob_list);
55132 @@ -476,10 +479,9 @@ out:
55133 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
55136 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
55137 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
55140 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55144 lockdep_trace_alloc(gfp);
55145 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
55150 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
55151 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
55152 + m[0].units = size;
55153 + m[1].units = align;
55154 ret = (void *)m + align;
55156 trace_kmalloc_node(_RET_IP_, ret,
55157 @@ -504,9 +509,9 @@ void *__kmalloc_node(size_t size, gfp_t
55159 ret = slob_new_pages(gfp, order, node);
55161 - struct page *page;
55162 - page = virt_to_page(ret);
55163 - page->private = size;
55164 + struct slob_page *sp;
55165 + sp = slob_page(ret);
55169 trace_kmalloc_node(_RET_IP_, ret,
55170 @@ -516,6 +521,13 @@ void *__kmalloc_node(size_t size, gfp_t
55171 kmemleak_alloc(ret, size, 1, gfp);
55175 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
55177 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55179 + return __kmalloc_node_align(size, gfp, node, align);
55181 EXPORT_SYMBOL(__kmalloc_node);
55183 void kfree(const void *block)
55184 @@ -531,13 +543,84 @@ void kfree(const void *block)
55185 sp = slob_page(block);
55186 if (is_slob_page(sp)) {
55187 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55188 - unsigned int *m = (unsigned int *)(block - align);
55189 - slob_free(m, *m + align);
55191 + slob_t *m = (slob_t *)(block - align);
55192 + slob_free(m, m[0].units + align);
55194 + clear_slob_page(sp);
55195 + free_slob_page(sp);
55197 put_page(&sp->page);
55200 EXPORT_SYMBOL(kfree);
55202 +void check_object_size(const void *ptr, unsigned long n, bool to)
55205 +#ifdef CONFIG_PAX_USERCOPY
55206 + struct slob_page *sp;
55207 + const slob_t *free;
55208 + const void *base;
55213 + if (ZERO_OR_NULL_PTR(ptr))
55216 + if (!virt_addr_valid(ptr))
55219 + sp = slob_page(ptr);
55220 + if (!PageSlab((struct page*)sp)) {
55221 + if (object_is_on_stack(ptr, n) == -1)
55227 + base = page_address(&sp->page);
55228 + if (base <= ptr && n <= sp->size - (ptr - base))
55233 + /* some tricky double walking to find the chunk */
55234 + base = (void *)((unsigned long)ptr & PAGE_MASK);
55237 + while (!slob_last(free) && (void *)free <= ptr) {
55238 + base = free + slob_units(free);
55239 + free = slob_next(free);
55242 + while (base < (void *)free) {
55243 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
55244 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
55247 + if (ptr < base + align)
55250 + offset = ptr - base - align;
55251 + if (offset < m) {
55252 + if (n <= m - offset)
55261 + pax_report_leak_to_user(ptr, n);
55263 + pax_report_overflow_from_user(ptr, n);
55267 +EXPORT_SYMBOL(check_object_size);
55269 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
55270 size_t ksize(const void *block)
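Review bot: The large-object test `if (base <= ptr && n <= sp->size - (ptr - base))` never checks that the offset itself is within sp->size. For a pointer into the slack between sp->size and the end of the compound page the subtraction wraps, and any n is then accepted. The mm/slab.c version in this patch checks `offset <= obj_size(cachep)` before subtracting; the same shape here would be `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. The condition guarding this branch is on a line not shown in this listing, so I am assuming it is the non-zero sp->size path.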
55272 @@ -550,10 +633,10 @@ size_t ksize(const void *block)
55273 sp = slob_page(block);
55274 if (is_slob_page(sp)) {
55275 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55276 - unsigned int *m = (unsigned int *)(block - align);
55277 - return SLOB_UNITS(*m) * SLOB_UNIT;
55278 + slob_t *m = (slob_t *)(block - align);
55279 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
55281 - return sp->page.private;
55284 EXPORT_SYMBOL(ksize);
55286 @@ -608,17 +691,25 @@ void *kmem_cache_alloc_node(struct kmem_
55290 +#ifdef CONFIG_PAX_USERCOPY
55291 + b = __kmalloc_node_align(c->size, flags, node, c->align);
55293 if (c->size < PAGE_SIZE) {
55294 b = slob_alloc(c->size, flags, c->align, node);
55295 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
55296 SLOB_UNITS(c->size) * SLOB_UNIT,
55299 + struct slob_page *sp;
55301 b = slob_new_pages(flags, get_order(c->size), node);
55302 + sp = slob_page(b);
55303 + sp->size = c->size;
55304 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
55305 PAGE_SIZE << get_order(c->size),
55312 @@ -630,10 +721,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
55314 static void __kmem_cache_free(void *b, int size)
55316 - if (size < PAGE_SIZE)
55317 + struct slob_page *sp = slob_page(b);
55319 + if (is_slob_page(sp))
55320 slob_free(b, size);
55323 + clear_slob_page(sp);
55324 + free_slob_page(sp);
55326 slob_free_pages(b, get_order(size));
55330 static void kmem_rcu_free(struct rcu_head *head)
55331 @@ -646,14 +743,23 @@ static void kmem_rcu_free(struct rcu_hea
55333 void kmem_cache_free(struct kmem_cache *c, void *b)
55335 + int size = c->size;
55337 +#ifdef CONFIG_PAX_USERCOPY
55338 + if (size + c->align < PAGE_SIZE) {
55339 + size += c->align;
55344 kmemleak_free_recursive(b, c->flags);
55345 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
55346 struct slob_rcu *slob_rcu;
55347 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
55348 - slob_rcu->size = c->size;
55349 + slob_rcu = b + (size - sizeof(struct slob_rcu));
55350 + slob_rcu->size = size;
55351 call_rcu(&slob_rcu->head, kmem_rcu_free);
55353 - __kmem_cache_free(b, c->size);
55354 + __kmem_cache_free(b, size);
55357 trace_kmem_cache_free(_RET_IP_, b);
55358 diff -urNp linux-2.6.37/mm/slub.c linux-2.6.37/mm/slub.c
55359 --- linux-2.6.37/mm/slub.c 2011-01-04 19:50:19.000000000 -0500
55360 +++ linux-2.6.37/mm/slub.c 2011-01-17 02:41:02.000000000 -0500
55361 @@ -388,7 +388,7 @@ static void print_track(const char *s, s
55365 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
55366 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
55367 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
55370 @@ -1911,6 +1911,8 @@ void kmem_cache_free(struct kmem_cache *
55372 page = virt_to_head_page(x);
55374 + BUG_ON(!PageSlab(page));
55376 slab_free(s, page, x, _RET_IP_);
55378 trace_kmem_cache_free(_RET_IP_, x);
55379 @@ -1955,7 +1957,7 @@ static int slub_min_objects;
55380 * Merge control. If this is set then no merging of slab caches will occur.
55381 * (Could be removed. This was introduced to pacify the merge skeptics.)
55383 -static int slub_nomerge;
55384 +static int slub_nomerge = 1;
55387 * Calculate the order of allocation given an slab object size.
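Review bot: The default changes to `slub_nomerge = 1`, but the comment above still presents this as an optional switch for "merge skeptics". A short comment giving the reason for disabling merging by default (presumably to keep objects from different caches out of the same slab) and noting how, if at all, merging can be turned back on would save the next reader from guessing.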
55388 @@ -2365,7 +2367,7 @@ static int kmem_cache_open(struct kmem_c
55389 * list to avoid pounding the page allocator excessively.
55391 set_min_partial(s, ilog2(s->size));
55393 + atomic_set(&s->refcount, 1);
55395 s->remote_node_defrag_ratio = 1000;
55397 @@ -2506,8 +2508,7 @@ static inline int kmem_cache_close(struc
55398 void kmem_cache_destroy(struct kmem_cache *s)
55400 down_write(&slub_lock);
55402 - if (!s->refcount) {
55403 + if (atomic_dec_and_test(&s->refcount)) {
55404 list_del(&s->list);
55405 if (kmem_cache_close(s)) {
55406 printk(KERN_ERR "SLUB %s: %s called for cache that "
55407 @@ -2717,6 +2718,46 @@ void *__kmalloc_node(size_t size, gfp_t
55408 EXPORT_SYMBOL(__kmalloc_node);
55411 +void check_object_size(const void *ptr, unsigned long n, bool to)
55414 +#ifdef CONFIG_PAX_USERCOPY
55415 + struct page *page;
55416 + struct kmem_cache *s;
55417 + unsigned long offset;
55422 + if (ZERO_OR_NULL_PTR(ptr))
55425 + if (!virt_addr_valid(ptr))
55428 + page = get_object_page(ptr);
55431 + if (object_is_on_stack(ptr, n) == -1)
55437 + offset = (ptr - page_address(page)) % s->size;
55438 + if (offset <= s->objsize && n <= s->objsize - offset)
55443 + pax_report_leak_to_user(ptr, n);
55445 + pax_report_overflow_from_user(ptr, n);
55449 +EXPORT_SYMBOL(check_object_size);
55451 size_t ksize(const void *object)
55454 @@ -2982,7 +3023,7 @@ static void __init kmem_cache_bootstrap_
55457 list_add(&s->list, &slab_caches);
55458 - s->refcount = -1;
55459 + atomic_set(&s->refcount, -1);
55461 for_each_node_state(node, N_NORMAL_MEMORY) {
55462 struct kmem_cache_node *n = get_node(s, node);
55463 @@ -3177,7 +3218,7 @@ static int slab_unmergeable(struct kmem_
55465 * We may have set a slab to be unmergeable during bootstrap.
55467 - if (s->refcount < 0)
55468 + if (atomic_read(&s->refcount) < 0)
55472 @@ -3236,7 +3277,7 @@ struct kmem_cache *kmem_cache_create(con
55473 down_write(&slub_lock);
55474 s = find_mergeable(size, align, flags, name, ctor);
55477 + atomic_inc(&s->refcount);
55479 * Adjust the object sizes so that we clear
55480 * the complete object on kzalloc.
55481 @@ -3245,7 +3286,7 @@ struct kmem_cache *kmem_cache_create(con
55482 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
55484 if (sysfs_slab_alias(s, name)) {
55486 + atomic_dec(&s->refcount);
55489 up_write(&slub_lock);
55490 @@ -3981,7 +4022,7 @@ SLAB_ATTR_RO(ctor);
55492 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
55494 - return sprintf(buf, "%d\n", s->refcount - 1);
55495 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
55497 SLAB_ATTR_RO(aliases);
55499 @@ -4718,7 +4759,13 @@ static const struct file_operations proc
55501 static int __init slab_proc_init(void)
55503 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
55504 + mode_t gr_mode = S_IRUGO;
55506 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55507 + gr_mode = S_IRUSR;
55510 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
55513 module_init(slab_proc_init);
55514 diff -urNp linux-2.6.37/mm/util.c linux-2.6.37/mm/util.c
55515 --- linux-2.6.37/mm/util.c 2011-01-04 19:50:19.000000000 -0500
55516 +++ linux-2.6.37/mm/util.c 2011-01-17 02:41:02.000000000 -0500
55517 @@ -240,6 +240,12 @@ EXPORT_SYMBOL(strndup_user);
55518 void arch_pick_mmap_layout(struct mm_struct *mm)
55520 mm->mmap_base = TASK_UNMAPPED_BASE;
55522 +#ifdef CONFIG_PAX_RANDMMAP
55523 + if (mm->pax_flags & MF_PAX_RANDMMAP)
55524 + mm->mmap_base += mm->delta_mmap;
55527 mm->get_unmapped_area = arch_get_unmapped_area;
55528 mm->unmap_area = arch_unmap_area;
55530 diff -urNp linux-2.6.37/mm/vmalloc.c linux-2.6.37/mm/vmalloc.c
55531 --- linux-2.6.37/mm/vmalloc.c 2011-01-04 19:50:19.000000000 -0500
55532 +++ linux-2.6.37/mm/vmalloc.c 2011-01-17 02:41:02.000000000 -0500
55533 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
55535 pte = pte_offset_kernel(pmd, addr);
55537 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
55538 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
55540 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55541 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
55542 + BUG_ON(!pte_exec(*pte));
55543 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
55549 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
55550 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
55552 } while (pte++, addr += PAGE_SIZE, addr != end);
55555 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
55556 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
55559 + int ret = -ENOMEM;
55562 * nr is a running index into the array which helps higher level
55563 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
55564 pte = pte_alloc_kernel(pmd, addr);
55568 + pax_open_kernel();
55570 struct page *page = pages[*nr];
55572 - if (WARN_ON(!pte_none(*pte)))
55574 - if (WARN_ON(!page))
55576 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55577 + if (pgprot_val(prot) & _PAGE_NX)
55580 + if (WARN_ON(!pte_none(*pte))) {
55584 + if (WARN_ON(!page)) {
55588 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
55590 } while (pte++, addr += PAGE_SIZE, addr != end);
55594 + pax_close_kernel();
55598 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
55599 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
55600 * and fall back on vmalloc() if that fails. Others
55601 * just put it in the vmalloc space.
55603 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
55604 +#ifdef CONFIG_MODULES
55605 +#ifdef MODULES_VADDR
55606 unsigned long addr = (unsigned long)x;
55607 if (addr >= MODULES_VADDR && addr < MODULES_END)
55611 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55612 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
55618 return is_vmalloc_addr(x);
55621 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
55623 if (!pgd_none(*pgd)) {
55624 pud_t *pud = pud_offset(pgd, addr);
55626 + if (!pud_large(*pud))
55628 if (!pud_none(*pud)) {
55629 pmd_t *pmd = pmd_offset(pud, addr);
55631 + if (!pmd_large(*pmd))
55633 if (!pmd_none(*pmd)) {
55636 @@ -1243,6 +1283,16 @@ static struct vm_struct *__get_vm_area_n
55637 struct vm_struct *area;
55639 BUG_ON(in_interrupt());
55641 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55642 + if (flags & VM_KERNEXEC) {
55643 + if (start != VMALLOC_START || end != VMALLOC_END)
55645 + start = (unsigned long)MODULES_EXEC_VADDR;
55646 + end = (unsigned long)MODULES_EXEC_END;
55650 if (flags & VM_IOREMAP) {
55651 int bit = fls(size);
55653 @@ -1468,6 +1518,11 @@ void *vmap(struct page **pages, unsigned
55654 if (count > totalram_pages)
55657 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55658 + if (!(pgprot_val(prot) & _PAGE_NX))
55659 + flags |= VM_KERNEXEC;
55662 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
55663 __builtin_return_address(0));
55665 @@ -1577,6 +1632,13 @@ static void *__vmalloc_node(unsigned lon
55666 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
55669 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55670 + if (!(pgprot_val(prot) & _PAGE_NX))
55671 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
55672 + node, gfp_mask, caller);
55676 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
55677 VMALLOC_END, node, gfp_mask, caller);
55679 @@ -1595,6 +1657,7 @@ static void *__vmalloc_node(unsigned lon
55684 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
55686 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
55687 @@ -1618,6 +1681,7 @@ static inline void *__vmalloc_node_flags
55688 * For tight control over page level allocator and protection flags
55689 * use __vmalloc() instead.
55692 void *vmalloc(unsigned long size)
55694 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
55695 @@ -1634,6 +1698,7 @@ EXPORT_SYMBOL(vmalloc);
55696 * For tight control over page level allocator and protection flags
55697 * use __vmalloc() instead.
55700 void *vzalloc(unsigned long size)
55702 return __vmalloc_node_flags(size, -1,
55703 @@ -1648,6 +1713,7 @@ EXPORT_SYMBOL(vzalloc);
55704 * The resulting memory area is zeroed so it can be mapped to userspace
55705 * without leaking data.
55707 +#undef vmalloc_user
55708 void *vmalloc_user(unsigned long size)
55710 struct vm_struct *area;
55711 @@ -1675,6 +1741,7 @@ EXPORT_SYMBOL(vmalloc_user);
55712 * For tight control over page level allocator and protection flags
55713 * use __vmalloc() instead.
55715 +#undef vmalloc_node
55716 void *vmalloc_node(unsigned long size, int node)
55718 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
55719 @@ -1694,6 +1761,7 @@ EXPORT_SYMBOL(vmalloc_node);
55720 * For tight control over page level allocator and protection flags
55721 * use __vmalloc_node() instead.
55723 +#undef vzalloc_node
55724 void *vzalloc_node(unsigned long size, int node)
55726 return __vmalloc_node_flags(size, node,
55727 @@ -1716,10 +1784,10 @@ EXPORT_SYMBOL(vzalloc_node);
55728 * For tight control over page level allocator and protection flags
55729 * use __vmalloc() instead.
55732 +#undef vmalloc_exec
55733 void *vmalloc_exec(unsigned long size)
55735 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
55736 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
55737 -1, __builtin_return_address(0));
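Review bot: The `__GFP_ZERO` added to the `__vmalloc_node()` call changes what `vmalloc_exec()` returns, but the kernel-doc lines visible above the function do not say the pages are now zero-filled. A sentence such as `The returned memory is zeroed, so no stale page contents end up in an executable mapping.` would record the guarantee for callers and for anyone later tempted to drop the flag. The `#undef vmalloc_exec` added above the definition also has no comment naming the macro it cancels. Both the comment block and the function body extend beyond this hunk.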
55740 @@ -1738,6 +1806,7 @@ void *vmalloc_exec(unsigned long size)
55741 * Allocate enough 32bit PA addressable pages to cover @size from the
55742 * page level allocator and map them into contiguous kernel virtual space.
55745 void *vmalloc_32(unsigned long size)
55747 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
55748 @@ -1752,6 +1821,7 @@ EXPORT_SYMBOL(vmalloc_32);
55749 * The resulting memory area is 32bit addressable and zeroed so it can be
55750 * mapped to userspace without leaking data.
55752 +#undef vmalloc_32_user
55753 void *vmalloc_32_user(unsigned long size)
55755 struct vm_struct *area;
55756 @@ -2016,6 +2086,8 @@ int remap_vmalloc_range(struct vm_area_s
55757 unsigned long uaddr = vma->vm_start;
55758 unsigned long usize = vma->vm_end - vma->vm_start;
55760 + BUG_ON(vma->vm_mirror);
55762 if ((PAGE_SIZE-1) & (unsigned long)addr)
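Review bot: `BUG_ON(vma->vm_mirror)` halts the kernel on a condition that `remap_vmalloc_range()` could report through its `int` return value instead. The hunk does not show whether a mirrored vma can reach this function from a driver's mmap handler; if it can, failing the call is the safer response: `if (vma->vm_mirror) return -EINVAL;`. If the condition is impossible by construction, a one-line comment saying why would justify the assertion. The function body continues outside the hunk.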
55765 diff -urNp linux-2.6.37/mm/vmstat.c linux-2.6.37/mm/vmstat.c
55766 --- linux-2.6.37/mm/vmstat.c 2011-01-04 19:50:19.000000000 -0500
55767 +++ linux-2.6.37/mm/vmstat.c 2011-01-17 02:41:02.000000000 -0500
55768 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
55770 * vm_stat contains the global counters
55772 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55773 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55774 EXPORT_SYMBOL(vm_stat);
55777 @@ -330,7 +330,7 @@ void refresh_cpu_vm_stats(int cpu)
55778 v = p->vm_stat_diff[i];
55779 p->vm_stat_diff[i] = 0;
55780 local_irq_restore(flags);
55781 - atomic_long_add(v, &zone->vm_stat[i]);
55782 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
55783 global_diff[i] += v;
55785 /* 3 seconds idle till flush */
55786 @@ -368,7 +368,7 @@ void refresh_cpu_vm_stats(int cpu)
55788 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
55789 if (global_diff[i])
55790 - atomic_long_add(global_diff[i], &vm_stat[i]);
55791 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
55795 @@ -1066,10 +1066,20 @@ static int __init setup_vmstat(void)
55796 start_cpu_timer(cpu);
55798 #ifdef CONFIG_PROC_FS
55799 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
55800 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
55801 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
55802 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
55804 + mode_t gr_mode = S_IRUGO;
55805 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55806 + gr_mode = S_IRUSR;
55808 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
55809 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
55810 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55811 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
55813 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
55815 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
55820 diff -urNp linux-2.6.37/net/8021q/vlan.c linux-2.6.37/net/8021q/vlan.c
55821 --- linux-2.6.37/net/8021q/vlan.c 2011-01-04 19:50:19.000000000 -0500
55822 +++ linux-2.6.37/net/8021q/vlan.c 2011-01-17 02:41:02.000000000 -0500
55823 @@ -588,8 +588,7 @@ static int vlan_ioctl_handler(struct net
55825 if (!capable(CAP_NET_ADMIN))
55827 - if ((args.u.name_type >= 0) &&
55828 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
55829 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
55830 struct vlan_net *vn;
55832 vn = net_generic(net, vlan_net_id);
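Review bot: Dropping the `args.u.name_type >= 0` test is only safe if `name_type` has an unsigned type, and its declaration is not visible in this hunk. With a signed field, a negative value supplied through the ioctl argument would pass `args.u.name_type < VLAN_NAME_TYPE_HIGHEST` and be accepted. It is worth confirming the field type and recording it next to the test, e.g. `/* name_type is unsigned; only the upper bound needs checking */`. The handler's body continues outside the hunk.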
55833 diff -urNp linux-2.6.37/net/atm/atm_misc.c linux-2.6.37/net/atm/atm_misc.c
55834 --- linux-2.6.37/net/atm/atm_misc.c 2011-01-04 19:50:19.000000000 -0500
55835 +++ linux-2.6.37/net/atm/atm_misc.c 2011-01-17 02:41:02.000000000 -0500
55836 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
55837 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
55839 atm_return(vcc, truesize);
55840 - atomic_inc(&vcc->stats->rx_drop);
55841 + atomic_inc_unchecked(&vcc->stats->rx_drop);
55844 EXPORT_SYMBOL(atm_charge);
55845 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
55848 atm_return(vcc, guess);
55849 - atomic_inc(&vcc->stats->rx_drop);
55850 + atomic_inc_unchecked(&vcc->stats->rx_drop);
55853 EXPORT_SYMBOL(atm_alloc_charge);
55854 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
55856 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
55858 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
55859 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
55861 #undef __HANDLE_ITEM
55863 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
55865 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
55867 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
55868 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
55870 #undef __HANDLE_ITEM
55872 diff -urNp linux-2.6.37/net/atm/proc.c linux-2.6.37/net/atm/proc.c
55873 --- linux-2.6.37/net/atm/proc.c 2011-01-04 19:50:19.000000000 -0500
55874 +++ linux-2.6.37/net/atm/proc.c 2011-01-17 02:41:02.000000000 -0500
55875 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
55876 const struct k_atm_aal_stats *stats)
55878 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
55879 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
55880 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
55881 - atomic_read(&stats->rx_drop));
55882 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
55883 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
55884 + atomic_read_unchecked(&stats->rx_drop));
55887 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
55888 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
55890 struct sock *sk = sk_atm(vcc);
55892 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55893 + seq_printf(seq, "%p ", NULL);
55895 seq_printf(seq, "%p ", vcc);
55899 seq_printf(seq, "Unassigned ");
55901 diff -urNp linux-2.6.37/net/atm/resources.c linux-2.6.37/net/atm/resources.c
55902 --- linux-2.6.37/net/atm/resources.c 2011-01-04 19:50:19.000000000 -0500
55903 +++ linux-2.6.37/net/atm/resources.c 2011-01-17 02:41:02.000000000 -0500
55904 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
55905 static void copy_aal_stats(struct k_atm_aal_stats *from,
55906 struct atm_aal_stats *to)
55908 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
55909 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
55911 #undef __HANDLE_ITEM
55913 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
55914 static void subtract_aal_stats(struct k_atm_aal_stats *from,
55915 struct atm_aal_stats *to)
55917 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
55918 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
55920 #undef __HANDLE_ITEM
55922 diff -urNp linux-2.6.37/net/ax25/af_ax25.c linux-2.6.37/net/ax25/af_ax25.c
55923 --- linux-2.6.37/net/ax25/af_ax25.c 2011-01-04 19:50:19.000000000 -0500
55924 +++ linux-2.6.37/net/ax25/af_ax25.c 2011-01-17 02:41:02.000000000 -0500
55925 @@ -1392,7 +1392,7 @@ static int ax25_getname(struct socket *s
55929 - memset(fsa, 0, sizeof(fsa));
55930 + memset(fsa, 0, sizeof(*fsa));
55932 ax25 = ax25_sk(sk);
55934 diff -urNp linux-2.6.37/net/bridge/br_multicast.c linux-2.6.37/net/bridge/br_multicast.c
55935 --- linux-2.6.37/net/bridge/br_multicast.c 2011-01-04 19:50:19.000000000 -0500
55936 +++ linux-2.6.37/net/bridge/br_multicast.c 2011-01-17 02:41:02.000000000 -0500
55937 @@ -1461,7 +1461,7 @@ static int br_multicast_ipv6_rcv(struct
55938 nexthdr = ip6h->nexthdr;
55939 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
55941 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
55942 + if (nexthdr != IPPROTO_ICMPV6)
55945 /* Okay, we found ICMPv6 header */
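Review bot: Removing `offset < 0` leaves the result of `ipv6_skip_exthdr()` unchecked, and that function returns a negative value when it cannot walk the extension headers. If the test was dropped because `offset` is declared unsigned here (the declaration is outside the hunk), the comparison was dead code but the error case is still real. Declaring `offset` as `int` and keeping `if (offset < 0 || nexthdr != IPPROTO_ICMPV6)` handles a malformed packet explicitly instead of relying on `nexthdr` failing to match. The function continues beyond this hunk.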
55946 diff -urNp linux-2.6.37/net/bridge/br_stp_if.c linux-2.6.37/net/bridge/br_stp_if.c
55947 --- linux-2.6.37/net/bridge/br_stp_if.c 2011-01-04 19:50:19.000000000 -0500
55948 +++ linux-2.6.37/net/bridge/br_stp_if.c 2011-01-17 02:41:02.000000000 -0500
55949 @@ -145,7 +145,7 @@ static void br_stp_stop(struct net_bridg
55950 char *envp[] = { NULL };
55952 if (br->stp_enabled == BR_USER_STP) {
55953 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
55954 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
55955 br_info(br, "userspace STP stopped, return code %d\n", r);
55957 /* To start timers on any ports left in blocking */
55958 diff -urNp linux-2.6.37/net/bridge/netfilter/ebtables.c linux-2.6.37/net/bridge/netfilter/ebtables.c
55959 --- linux-2.6.37/net/bridge/netfilter/ebtables.c 2011-01-04 19:50:19.000000000 -0500
55960 +++ linux-2.6.37/net/bridge/netfilter/ebtables.c 2011-01-17 02:41:02.000000000 -0500
55961 @@ -1511,7 +1511,7 @@ static int do_ebt_get_ctl(struct sock *s
55962 tmp.valid_hooks = t->table->valid_hooks;
55964 mutex_unlock(&ebt_mutex);
55965 - if (copy_to_user(user, &tmp, *len) != 0){
55966 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
55967 BUGPRINT("c2u Didn't work\n");
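Review bot: The new `*len > sizeof(tmp)` bound shares a branch with the `copy_to_user()` failure, so an oversized length is logged as `c2u Didn't work` and presumably returned with the copy-failure error code. Checking the length first in its own statement, `if (*len > sizeof(tmp)) return -EINVAL;`, makes the over-read guard visible and gives userspace a distinguishable error. The same folded form appears in both `sock_getsockopt()` hunks, the two decnet sysctl handlers and `tcpprobe_read()`. In those the bound also depends on the `sizeof` operand being an array and not a pointer, which the hunks do not show; the `sizeof(fsa)` to `sizeof(*fsa)` fix in `ax25_getname()` is an instance of that trap. The rest of this function is outside the hunk.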
55970 diff -urNp linux-2.6.37/net/core/dev.c linux-2.6.37/net/core/dev.c
55971 --- linux-2.6.37/net/core/dev.c 2011-01-04 19:50:19.000000000 -0500
55972 +++ linux-2.6.37/net/core/dev.c 2011-01-17 02:41:02.000000000 -0500
55973 @@ -2654,7 +2654,7 @@ int netif_rx_ni(struct sk_buff *skb)
55975 EXPORT_SYMBOL(netif_rx_ni);
55977 -static void net_tx_action(struct softirq_action *h)
55978 +static void net_tx_action(void)
55980 struct softnet_data *sd = &__get_cpu_var(softnet_data);
55982 @@ -3570,7 +3570,7 @@ void netif_napi_del(struct napi_struct *
55984 EXPORT_SYMBOL(netif_napi_del);
55986 -static void net_rx_action(struct softirq_action *h)
55987 +static void net_rx_action(void)
55989 struct softnet_data *sd = &__get_cpu_var(softnet_data);
55990 unsigned long time_limit = jiffies + 2;
55991 diff -urNp linux-2.6.37/net/core/sock.c linux-2.6.37/net/core/sock.c
55992 --- linux-2.6.37/net/core/sock.c 2011-01-04 19:50:19.000000000 -0500
55993 +++ linux-2.6.37/net/core/sock.c 2011-01-17 02:41:02.000000000 -0500
55994 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
55998 - if (copy_to_user(optval, address, len))
55999 + if (len > sizeof(address) || copy_to_user(optval, address, len))
56003 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
56007 - if (copy_to_user(optval, &v, len))
56008 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
56011 if (put_user(len, optlen))
56012 diff -urNp linux-2.6.37/net/dccp/ccids/ccid3.c linux-2.6.37/net/dccp/ccids/ccid3.c
56013 --- linux-2.6.37/net/dccp/ccids/ccid3.c 2011-01-04 19:50:19.000000000 -0500
56014 +++ linux-2.6.37/net/dccp/ccids/ccid3.c 2011-01-17 02:41:02.000000000 -0500
56016 static int ccid3_debug;
56017 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
56019 -#define ccid3_pr_debug(format, a...)
56020 +#define ccid3_pr_debug(format, a...) do {} while (0)
56024 diff -urNp linux-2.6.37/net/dccp/dccp.h linux-2.6.37/net/dccp/dccp.h
56025 --- linux-2.6.37/net/dccp/dccp.h 2011-01-04 19:50:19.000000000 -0500
56026 +++ linux-2.6.37/net/dccp/dccp.h 2011-01-17 02:41:02.000000000 -0500
56027 @@ -44,9 +44,9 @@ extern int dccp_debug;
56028 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
56029 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
56031 -#define dccp_pr_debug(format, a...)
56032 -#define dccp_pr_debug_cat(format, a...)
56033 -#define dccp_debug(format, a...)
56034 +#define dccp_pr_debug(format, a...) do {} while (0)
56035 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
56036 +#define dccp_debug(format, a...) do {} while (0)
56039 extern struct inet_hashinfo dccp_hashinfo;
56040 diff -urNp linux-2.6.37/net/decnet/sysctl_net_decnet.c linux-2.6.37/net/decnet/sysctl_net_decnet.c
56041 --- linux-2.6.37/net/decnet/sysctl_net_decnet.c 2011-01-04 19:50:19.000000000 -0500
56042 +++ linux-2.6.37/net/decnet/sysctl_net_decnet.c 2011-01-17 02:41:02.000000000 -0500
56043 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
56045 if (len > *lenp) len = *lenp;
56047 - if (copy_to_user(buffer, addr, len))
56048 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
56052 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
56054 if (len > *lenp) len = *lenp;
56056 - if (copy_to_user(buffer, devname, len))
56057 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
56061 diff -urNp linux-2.6.37/net/econet/Kconfig linux-2.6.37/net/econet/Kconfig
56062 --- linux-2.6.37/net/econet/Kconfig 2011-01-04 19:50:19.000000000 -0500
56063 +++ linux-2.6.37/net/econet/Kconfig 2011-01-17 02:41:02.000000000 -0500
56067 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
56068 - depends on EXPERIMENTAL && INET
56069 + depends on EXPERIMENTAL && INET && BROKEN
56071 Econet is a fairly old and slow networking protocol mainly used by
56072 Acorn computers to access file and print servers. It uses native
56073 diff -urNp linux-2.6.37/net/ipv4/inet_diag.c linux-2.6.37/net/ipv4/inet_diag.c
56074 --- linux-2.6.37/net/ipv4/inet_diag.c 2011-01-04 19:50:19.000000000 -0500
56075 +++ linux-2.6.37/net/ipv4/inet_diag.c 2011-01-17 02:41:02.000000000 -0500
56076 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
56077 r->idiag_retrans = 0;
56079 r->id.idiag_if = sk->sk_bound_dev_if;
56081 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56082 + r->id.idiag_cookie[0] = 0;
56083 + r->id.idiag_cookie[1] = 0;
56085 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
56086 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
56089 r->id.idiag_sport = inet->inet_sport;
56090 r->id.idiag_dport = inet->inet_dport;
56091 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
56092 r->idiag_family = tw->tw_family;
56093 r->idiag_retrans = 0;
56094 r->id.idiag_if = tw->tw_bound_dev_if;
56096 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56097 + r->id.idiag_cookie[0] = 0;
56098 + r->id.idiag_cookie[1] = 0;
56100 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
56101 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
56104 r->id.idiag_sport = tw->tw_sport;
56105 r->id.idiag_dport = tw->tw_dport;
56106 r->id.idiag_src[0] = tw->tw_rcv_saddr;
56107 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
56111 +#ifndef CONFIG_GRKERNSEC_HIDESYM
56113 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
56114 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
56115 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
56116 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
56121 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
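Review bot: With `CONFIG_GRKERNSEC_HIDESYM` set, the `#ifndef` added here compiles out the cookie comparison, so a request carrying a cookie is no longer matched against the socket it names. That follows from the other hunks in this file reporting `idiag_cookie[]` as zero so the socket's kernel address is not disclosed, but nothing at this site says so. A comment such as `/* HIDESYM: cookies are reported as 0, so they cannot be validated here */` would make the trade-off explicit. The three identical `#ifdef` blocks that fill the cookie could also share one small helper. The function continues outside the hunk.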
56122 @@ -582,8 +597,14 @@ static int inet_diag_fill_req(struct sk_
56123 r->idiag_retrans = req->retrans;
56125 r->id.idiag_if = sk->sk_bound_dev_if;
56127 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56128 + r->id.idiag_cookie[0] = 0;
56129 + r->id.idiag_cookie[1] = 0;
56131 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
56132 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
56135 tmo = req->expires - jiffies;
56137 diff -urNp linux-2.6.37/net/ipv4/inet_hashtables.c linux-2.6.37/net/ipv4/inet_hashtables.c
56138 --- linux-2.6.37/net/ipv4/inet_hashtables.c 2011-01-04 19:50:19.000000000 -0500
56139 +++ linux-2.6.37/net/ipv4/inet_hashtables.c 2011-01-17 02:41:02.000000000 -0500
56140 @@ -18,11 +18,14 @@
56141 #include <linux/sched.h>
56142 #include <linux/slab.h>
56143 #include <linux/wait.h>
56144 +#include <linux/security.h>
56146 #include <net/inet_connection_sock.h>
56147 #include <net/inet_hashtables.h>
56148 #include <net/route.h>
56149 #include <net/ip.h>
56151 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
56154 * Allocate and initialize a new local port bind bucket.
56155 * The bindhash mutex for snum's hash chain must be held here.
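Review bot: `gr_update_task_in_ip_table()` is declared with a bare `extern` inside this .c file, so nothing forces the prototype to stay in step with the definition. The same applies to `grsec_enable_blackhole` in tcp_ipv4.c, tcp_minisocks.c, udp.c and tcp_ipv6.c, to `grsec_lastack_retries` in tcp_timer.c, and to the two `gr_search_udp_*` prototypes in udp.c. Moving these declarations into one shared header that the defining file also includes lets the compiler catch a mismatch. This hunk already adds `#include <linux/security.h>`, which may be the intended home.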
56156 @@ -529,6 +532,8 @@ ok:
56157 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
56158 spin_unlock(&head->lock);
56160 + gr_update_task_in_ip_table(current, inet_sk(sk));
56163 inet_twsk_deschedule(tw, death_row);
56165 diff -urNp linux-2.6.37/net/ipv4/inetpeer.c linux-2.6.37/net/ipv4/inetpeer.c
56166 --- linux-2.6.37/net/ipv4/inetpeer.c 2011-01-04 19:50:19.000000000 -0500
56167 +++ linux-2.6.37/net/ipv4/inetpeer.c 2011-01-17 02:41:02.000000000 -0500
56168 @@ -469,8 +469,8 @@ struct inet_peer *inet_getpeer(__be32 da
56170 p->v4daddr = daddr;
56171 atomic_set(&p->refcnt, 1);
56172 - atomic_set(&p->rid, 0);
56173 - atomic_set(&p->ip_id_count, secure_ip_id(daddr));
56174 + atomic_set_unchecked(&p->rid, 0);
56175 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr));
56176 p->tcp_ts_stamp = 0;
56177 INIT_LIST_HEAD(&p->unused);
56179 diff -urNp linux-2.6.37/net/ipv4/ip_fragment.c linux-2.6.37/net/ipv4/ip_fragment.c
56180 --- linux-2.6.37/net/ipv4/ip_fragment.c 2011-01-04 19:50:19.000000000 -0500
56181 +++ linux-2.6.37/net/ipv4/ip_fragment.c 2011-01-17 02:41:02.000000000 -0500
56182 @@ -279,7 +279,7 @@ static inline int ip_frag_too_far(struct
56186 - end = atomic_inc_return(&peer->rid);
56187 + end = atomic_inc_return_unchecked(&peer->rid);
56190 rc = qp->q.fragments && (end - start) > max;
56191 diff -urNp linux-2.6.37/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.37/net/ipv4/netfilter/nf_nat_snmp_basic.c
56192 --- linux-2.6.37/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-01-04 19:50:19.000000000 -0500
56193 +++ linux-2.6.37/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-01-17 02:41:02.000000000 -0500
56194 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
56198 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
56199 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
56200 if (*octets == NULL) {
56201 if (net_ratelimit())
56202 pr_notice("OOM in bsalg (%d)\n", __LINE__);
56203 diff -urNp linux-2.6.37/net/ipv4/route.c linux-2.6.37/net/ipv4/route.c
56204 --- linux-2.6.37/net/ipv4/route.c 2011-01-04 19:50:19.000000000 -0500
56205 +++ linux-2.6.37/net/ipv4/route.c 2011-01-17 02:41:02.000000000 -0500
56206 @@ -2876,7 +2876,7 @@ static int rt_fill_info(struct net *net,
56207 expires = rt->dst.expires ? rt->dst.expires - jiffies : 0;
56209 inet_peer_refcheck(rt->peer);
56210 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
56211 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
56212 if (rt->peer->tcp_ts_stamp) {
56213 ts = rt->peer->tcp_ts;
56214 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
56215 diff -urNp linux-2.6.37/net/ipv4/tcp_ipv4.c linux-2.6.37/net/ipv4/tcp_ipv4.c
56216 --- linux-2.6.37/net/ipv4/tcp_ipv4.c 2011-01-04 19:50:19.000000000 -0500
56217 +++ linux-2.6.37/net/ipv4/tcp_ipv4.c 2011-01-17 02:41:02.000000000 -0500
56218 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
56219 int sysctl_tcp_low_latency __read_mostly;
56220 EXPORT_SYMBOL(sysctl_tcp_low_latency);
56222 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56223 +extern int grsec_enable_blackhole;
56226 #ifdef CONFIG_TCP_MD5SIG
56227 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
56228 @@ -1599,6 +1602,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
56232 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56233 + if (!grsec_enable_blackhole)
56235 tcp_v4_send_reset(rsk, skb);
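Review bot: The `if (!grsec_enable_blackhole)` added under `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` has no body of its own; it governs the existing `tcp_v4_send_reset(rsk, skb);` line, which presumably sits after the `#endif` (not shown in this listing). A statement later inserted between the two would silently change which call is suppressed, and the reset line's indentation hides that it is conditional in one configuration. Providing `#define grsec_enable_blackhole 0` in a header for the disabled configuration would allow a plain `if (!grsec_enable_blackhole)` around the call with no `#ifdef` at each site. The same construct is used in the `no_tcp_socket` hunk of this file and in tcp_minisocks.c, udp.c and tcp_ipv6.c.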
56238 @@ -1661,12 +1667,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
56239 TCP_SKB_CB(skb)->sacked = 0;
56241 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
56244 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56247 goto no_tcp_socket;
56251 - if (sk->sk_state == TCP_TIME_WAIT)
56252 + if (sk->sk_state == TCP_TIME_WAIT) {
56253 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56259 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
56260 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
56261 @@ -1716,6 +1729,10 @@ no_tcp_socket:
56263 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
56265 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56266 + if (!grsec_enable_blackhole || (ret == 1 &&
56267 + (skb->dev->flags & IFF_LOOPBACK)))
56269 tcp_v4_send_reset(NULL, skb);
56272 @@ -2404,7 +2421,11 @@ static void get_openreq4(struct sock *sk
56273 0, /* non standard timer */
56274 0, /* open_requests have no inode */
56275 atomic_read(&sk->sk_refcnt),
56276 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56284 @@ -2454,7 +2475,12 @@ static void get_tcp4_sock(struct sock *s
56286 icsk->icsk_probes_out,
56288 - atomic_read(&sk->sk_refcnt), sk,
56289 + atomic_read(&sk->sk_refcnt),
56290 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56295 jiffies_to_clock_t(icsk->icsk_rto),
56296 jiffies_to_clock_t(icsk->icsk_ack.ato),
56297 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
56298 @@ -2482,7 +2508,13 @@ static void get_timewait4_sock(struct in
56299 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
56300 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
56301 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
56302 - atomic_read(&tw->tw_refcnt), tw, len);
56303 + atomic_read(&tw->tw_refcnt),
56304 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56313 diff -urNp linux-2.6.37/net/ipv4/tcp_minisocks.c linux-2.6.37/net/ipv4/tcp_minisocks.c
56314 --- linux-2.6.37/net/ipv4/tcp_minisocks.c 2011-01-04 19:50:19.000000000 -0500
56315 +++ linux-2.6.37/net/ipv4/tcp_minisocks.c 2011-01-17 02:41:02.000000000 -0500
56317 #include <net/inet_common.h>
56318 #include <net/xfrm.h>
56320 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56321 +extern int grsec_enable_blackhole;
56324 int sysctl_tcp_syncookies __read_mostly = 1;
56325 EXPORT_SYMBOL(sysctl_tcp_syncookies);
56327 @@ -700,6 +704,10 @@ listen_overflow:
56330 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
56332 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56333 + if (!grsec_enable_blackhole)
56335 if (!(flg & TCP_FLAG_RST))
56336 req->rsk_ops->send_reset(sk, skb);
56338 diff -urNp linux-2.6.37/net/ipv4/tcp_probe.c linux-2.6.37/net/ipv4/tcp_probe.c
56339 --- linux-2.6.37/net/ipv4/tcp_probe.c 2011-01-04 19:50:19.000000000 -0500
56340 +++ linux-2.6.37/net/ipv4/tcp_probe.c 2011-01-17 02:41:02.000000000 -0500
56341 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
56342 if (cnt + width >= len)
56345 - if (copy_to_user(buf + cnt, tbuf, width))
56346 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
56350 diff -urNp linux-2.6.37/net/ipv4/tcp_timer.c linux-2.6.37/net/ipv4/tcp_timer.c
56351 --- linux-2.6.37/net/ipv4/tcp_timer.c 2011-01-04 19:50:19.000000000 -0500
56352 +++ linux-2.6.37/net/ipv4/tcp_timer.c 2011-01-17 02:41:02.000000000 -0500
56354 #include <linux/gfp.h>
56355 #include <net/tcp.h>
56357 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56358 +extern int grsec_lastack_retries;
56361 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
56362 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
56363 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
56364 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
56368 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56369 + if ((sk->sk_state == TCP_LAST_ACK) &&
56370 + (grsec_lastack_retries > 0) &&
56371 + (grsec_lastack_retries < retry_until))
56372 + retry_until = grsec_lastack_retries;
56375 if (retransmits_timed_out(sk, retry_until,
56376 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
56377 /* Has it gone just too far? */
56378 diff -urNp linux-2.6.37/net/ipv4/udp.c linux-2.6.37/net/ipv4/udp.c
56379 --- linux-2.6.37/net/ipv4/udp.c 2011-01-04 19:50:19.000000000 -0500
56380 +++ linux-2.6.37/net/ipv4/udp.c 2011-01-17 02:41:02.000000000 -0500
56382 #include <linux/types.h>
56383 #include <linux/fcntl.h>
56384 #include <linux/module.h>
56385 +#include <linux/security.h>
56386 #include <linux/socket.h>
56387 #include <linux/sockios.h>
56388 #include <linux/igmp.h>
56389 @@ -107,6 +108,10 @@
56390 #include <net/xfrm.h>
56391 #include "udp_impl.h"
56393 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56394 +extern int grsec_enable_blackhole;
56397 struct udp_table udp_table __read_mostly;
56398 EXPORT_SYMBOL(udp_table);
56400 @@ -564,6 +569,9 @@ found:
56404 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
56405 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
56408 * This routine is called by the ICMP module when it gets some
56409 * sort of error condition. If err < 0 then the socket should
56410 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
56411 dport = usin->sin_port;
56415 + err = gr_search_udp_sendmsg(sk, usin);
56419 if (sk->sk_state != TCP_ESTABLISHED)
56420 return -EDESTADDRREQ;
56422 + err = gr_search_udp_sendmsg(sk, NULL);
56426 daddr = inet->inet_daddr;
56427 dport = inet->inet_dport;
56428 /* Open fast path for connected socket.
56429 @@ -1141,6 +1158,10 @@ try_again:
56433 + err = gr_search_udp_recvmsg(sk, skb);
56437 ulen = skb->len - sizeof(struct udphdr);
56440 @@ -1625,6 +1646,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
56443 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
56444 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56445 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
56447 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
56450 @@ -2052,7 +2076,12 @@ static void udp4_format_sock(struct sock
56451 sk_wmem_alloc_get(sp),
56452 sk_rmem_alloc_get(sp),
56453 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
56454 - atomic_read(&sp->sk_refcnt), sp,
56455 + atomic_read(&sp->sk_refcnt),
56456 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56461 atomic_read(&sp->sk_drops), len);
56464 diff -urNp linux-2.6.37/net/ipv6/exthdrs.c linux-2.6.37/net/ipv6/exthdrs.c
56465 --- linux-2.6.37/net/ipv6/exthdrs.c 2011-01-04 19:50:19.000000000 -0500
56466 +++ linux-2.6.37/net/ipv6/exthdrs.c 2011-01-17 02:41:02.000000000 -0500
56467 @@ -634,7 +634,7 @@ static struct tlvtype_proc tlvprochopopt
56468 .type = IPV6_TLV_JUMBO,
56469 .func = ipv6_hop_jumbo,
56475 int ipv6_parse_hopopts(struct sk_buff *skb)
56476 diff -urNp linux-2.6.37/net/ipv6/raw.c linux-2.6.37/net/ipv6/raw.c
56477 --- linux-2.6.37/net/ipv6/raw.c 2011-01-04 19:50:19.000000000 -0500
56478 +++ linux-2.6.37/net/ipv6/raw.c 2011-01-17 02:41:02.000000000 -0500
56479 @@ -601,7 +601,7 @@ out:
56483 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
56484 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
56485 struct flowi *fl, struct dst_entry **dstp,
56486 unsigned int flags)
56488 @@ -1243,7 +1243,13 @@ static void raw6_sock_seq_show(struct se
56492 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
56493 + atomic_read(&sp->sk_refcnt),
56494 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56499 + atomic_read(&sp->sk_drops));
56502 static int raw6_seq_show(struct seq_file *seq, void *v)
56503 diff -urNp linux-2.6.37/net/ipv6/tcp_ipv6.c linux-2.6.37/net/ipv6/tcp_ipv6.c
56504 --- linux-2.6.37/net/ipv6/tcp_ipv6.c 2011-01-04 19:50:19.000000000 -0500
56505 +++ linux-2.6.37/net/ipv6/tcp_ipv6.c 2011-01-17 02:41:02.000000000 -0500
56506 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
56510 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56511 +extern int grsec_enable_blackhole;
56514 static void tcp_v6_hash(struct sock *sk)
56516 if (sk->sk_state != TCP_CLOSE) {
56517 @@ -1631,6 +1635,9 @@ static int tcp_v6_do_rcv(struct sock *sk
56521 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56522 + if (!grsec_enable_blackhole)
56524 tcp_v6_send_reset(sk, skb);
56527 @@ -1710,12 +1717,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
56528 TCP_SKB_CB(skb)->sacked = 0;
56530 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
56533 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56536 goto no_tcp_socket;
56540 - if (sk->sk_state == TCP_TIME_WAIT)
56541 + if (sk->sk_state == TCP_TIME_WAIT) {
56542 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56548 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
56549 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
56550 @@ -1763,6 +1778,10 @@ no_tcp_socket:
56552 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
56554 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56555 + if (!grsec_enable_blackhole || (ret == 1 &&
56556 + (skb->dev->flags & IFF_LOOPBACK)))
56558 tcp_v6_send_reset(NULL, skb);
56561 @@ -1991,7 +2010,13 @@ static void get_openreq6(struct seq_file
56563 0, /* non standard timer */
56564 0, /* open_requests have no inode */
56567 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56575 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
56576 @@ -2041,7 +2066,12 @@ static void get_tcp6_sock(struct seq_fil
56578 icsk->icsk_probes_out,
56580 - atomic_read(&sp->sk_refcnt), sp,
56581 + atomic_read(&sp->sk_refcnt),
56582 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56587 jiffies_to_clock_t(icsk->icsk_rto),
56588 jiffies_to_clock_t(icsk->icsk_ack.ato),
56589 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
56590 @@ -2076,7 +2106,13 @@ static void get_timewait6_sock(struct se
56591 dest->s6_addr32[2], dest->s6_addr32[3], destp,
56592 tw->tw_substate, 0, 0,
56593 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
56594 - atomic_read(&tw->tw_refcnt), tw);
56595 + atomic_read(&tw->tw_refcnt),
56596 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56604 static int tcp6_seq_show(struct seq_file *seq, void *v)
56605 diff -urNp linux-2.6.37/net/ipv6/udp.c linux-2.6.37/net/ipv6/udp.c
56606 --- linux-2.6.37/net/ipv6/udp.c 2011-01-04 19:50:19.000000000 -0500
56607 +++ linux-2.6.37/net/ipv6/udp.c 2011-01-17 02:41:02.000000000 -0500
56609 #include <linux/seq_file.h>
56610 #include "udp_impl.h"
56612 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56613 +extern int grsec_enable_blackhole;
56616 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
56618 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
56619 @@ -773,6 +777,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
56620 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
56621 proto == IPPROTO_UDPLITE);
56623 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56624 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
56626 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
56629 @@ -1407,7 +1414,12 @@ static void udp6_sock_seq_show(struct se
56633 - atomic_read(&sp->sk_refcnt), sp,
56634 + atomic_read(&sp->sk_refcnt),
56635 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56640 atomic_read(&sp->sk_drops));
56643 diff -urNp linux-2.6.37/net/irda/ircomm/ircomm_tty.c linux-2.6.37/net/irda/ircomm/ircomm_tty.c
56644 --- linux-2.6.37/net/irda/ircomm/ircomm_tty.c 2011-01-04 19:50:19.000000000 -0500
56645 +++ linux-2.6.37/net/irda/ircomm/ircomm_tty.c 2011-01-24 18:04:18.000000000 -0500
56646 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
56647 add_wait_queue(&self->open_wait, &wait);
56649 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
56650 - __FILE__,__LINE__, tty->driver->name, self->open_count );
56651 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
56653 /* As far as I can see, we protect open_count - Jean II */
56654 spin_lock_irqsave(&self->spinlock, flags);
56655 if (!tty_hung_up_p(filp)) {
56657 - self->open_count--;
56658 + local_dec(&self->open_count);
56660 spin_unlock_irqrestore(&self->spinlock, flags);
56661 - self->blocked_open++;
56662 + local_inc(&self->blocked_open);
56665 if (tty->termios->c_cflag & CBAUD) {
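Review bot: The format strings still use `%d` while the argument is now `local_read(&self->open_count)`, which evaluates to a `long` in the generic `local_t` implementation, so format and argument no longer match on 64-bit builds. This applies to every `IRDA_DEBUG` and `IRDA_ERROR` call converted in this file and to the `seq_printf(m, "Open count: %d\n", ...)` line in `ircomm_tty_line_info()`. Either switch the conversions to `%ld` or cast at the call site, e.g. `(int)local_read(&self->open_count)`. `ircomm_tty_block_til_ready()` continues outside the hunk.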
56666 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
56669 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
56670 - __FILE__,__LINE__, tty->driver->name, self->open_count );
56671 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
56675 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
56677 /* ++ is not atomic, so this should be protected - Jean II */
56678 spin_lock_irqsave(&self->spinlock, flags);
56679 - self->open_count++;
56680 + local_inc(&self->open_count);
56681 spin_unlock_irqrestore(&self->spinlock, flags);
56683 - self->blocked_open--;
56684 + local_dec(&self->blocked_open);
56686 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
56687 - __FILE__,__LINE__, tty->driver->name, self->open_count);
56688 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
56691 self->flags |= ASYNC_NORMAL_ACTIVE;
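Review bot: `local_dec(&self->blocked_open)` runs after `spin_unlock_irqrestore()`, so it relies on `local_t` alone for safety, and `local_t` operations are only atomic with respect to the CPU they execute on. Two tasks blocking in open on different CPUs can still race on `blocked_open`, exactly as with the plain `--` this replaces; the matching `local_inc(&self->blocked_open)` in the first hunk of this file is placed the same way. If the counter can be updated concurrently, either move both updates inside the `self->spinlock` section that already covers `open_count` or use `atomic_t`. Whether the tty layer already serialises these callers is not visible from the hunk.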
56692 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
56694 /* ++ is not atomic, so this should be protected - Jean II */
56695 spin_lock_irqsave(&self->spinlock, flags);
56696 - self->open_count++;
56697 + local_inc(&self->open_count);
56699 tty->driver_data = self;
56701 spin_unlock_irqrestore(&self->spinlock, flags);
56703 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
56704 - self->line, self->open_count);
56705 + self->line, local_read(&self->open_count));
56707 /* Not really used by us, but lets do it anyway */
56708 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
56709 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
56713 - if ((tty->count == 1) && (self->open_count != 1)) {
56714 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
56716 * Uh, oh. tty->count is 1, which means that the tty
56717 * structure will be freed. state->count should always
56718 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
56720 IRDA_DEBUG(0, "%s(), bad serial port count; "
56721 "tty->count is 1, state->count is %d\n", __func__ ,
56722 - self->open_count);
56723 - self->open_count = 1;
56724 + local_read(&self->open_count));
56725 + local_set(&self->open_count, 1);
56728 - if (--self->open_count < 0) {
56729 + if (local_dec_return(&self->open_count) < 0) {
56730 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
56731 - __func__, self->line, self->open_count);
56732 - self->open_count = 0;
56733 + __func__, self->line, local_read(&self->open_count));
56734 + local_set(&self->open_count, 0);
56736 - if (self->open_count) {
56737 + if (local_read(&self->open_count)) {
56738 spin_unlock_irqrestore(&self->spinlock, flags);
56740 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
56741 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
56745 - if (self->blocked_open) {
56746 + if (local_read(&self->blocked_open)) {
56747 if (self->close_delay)
56748 schedule_timeout_interruptible(self->close_delay);
56749 wake_up_interruptible(&self->open_wait);
56750 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
56751 spin_lock_irqsave(&self->spinlock, flags);
56752 self->flags &= ~ASYNC_NORMAL_ACTIVE;
56754 - self->open_count = 0;
56755 + local_set(&self->open_count, 0);
56756 spin_unlock_irqrestore(&self->spinlock, flags);
56758 wake_up_interruptible(&self->open_wait);
56759 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
56762 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
56763 - seq_printf(m, "Open count: %d\n", self->open_count);
56764 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
56765 seq_printf(m, "Max data size: %d\n", self->max_data_size);
56766 seq_printf(m, "Max header size: %d\n", self->max_header_size);
56768 diff -urNp linux-2.6.37/net/key/af_key.c linux-2.6.37/net/key/af_key.c
56769 --- linux-2.6.37/net/key/af_key.c 2011-01-04 19:50:19.000000000 -0500
56770 +++ linux-2.6.37/net/key/af_key.c 2011-01-17 02:41:02.000000000 -0500
56771 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
56772 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
56774 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
56775 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56780 atomic_read(&s->sk_refcnt),
56781 sk_rmem_alloc_get(s),
56782 sk_wmem_alloc_get(s),
56783 diff -urNp linux-2.6.37/net/mac80211/ieee80211_i.h linux-2.6.37/net/mac80211/ieee80211_i.h
56784 --- linux-2.6.37/net/mac80211/ieee80211_i.h 2011-01-04 19:50:19.000000000 -0500
56785 +++ linux-2.6.37/net/mac80211/ieee80211_i.h 2011-01-24 18:04:18.000000000 -0500
56787 #include <net/ieee80211_radiotap.h>
56788 #include <net/cfg80211.h>
56789 #include <net/mac80211.h>
56790 +#include <asm/local.h>
56792 #include "sta_info.h"
56794 @@ -704,7 +705,7 @@ struct ieee80211_local {
56795 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
56796 spinlock_t queue_stop_reason_lock;
56799 + local_t open_count;
56800 int monitors, cooked_mntrs;
56801 /* number of interfaces with corresponding FIF_ flags */
56802 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
56803 diff -urNp linux-2.6.37/net/mac80211/iface.c linux-2.6.37/net/mac80211/iface.c
56804 --- linux-2.6.37/net/mac80211/iface.c 2011-01-04 19:50:19.000000000 -0500
56805 +++ linux-2.6.37/net/mac80211/iface.c 2011-01-24 18:04:18.000000000 -0500
56806 @@ -216,7 +216,7 @@ static int ieee80211_do_open(struct net_
56810 - if (local->open_count == 0) {
56811 + if (local_read(&local->open_count) == 0) {
56812 res = drv_start(local);
56815 @@ -238,7 +238,7 @@ static int ieee80211_do_open(struct net_
56816 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
56818 if (!is_valid_ether_addr(dev->dev_addr)) {
56819 - if (!local->open_count)
56820 + if (!local_read(&local->open_count))
56822 return -EADDRNOTAVAIL;
56824 @@ -335,7 +335,7 @@ static int ieee80211_do_open(struct net_
56825 mutex_unlock(&local->mtx);
56828 - local->open_count++;
56829 + local_inc(&local->open_count);
56831 if (hw_reconf_flags) {
56832 ieee80211_hw_config(local, hw_reconf_flags);
56833 @@ -355,7 +355,7 @@ static int ieee80211_do_open(struct net_
56835 drv_remove_interface(local, &sdata->vif);
56837 - if (!local->open_count)
56838 + if (!local_read(&local->open_count))
56842 @@ -481,7 +481,7 @@ static void ieee80211_do_stop(struct iee
56846 - local->open_count--;
56847 + local_dec(&local->open_count);
56849 switch (sdata->vif.type) {
56850 case NL80211_IFTYPE_AP_VLAN:
56851 @@ -552,7 +552,7 @@ static void ieee80211_do_stop(struct iee
56853 ieee80211_recalc_ps(local, -1);
56855 - if (local->open_count == 0) {
56856 + if (local_read(&local->open_count) == 0) {
56857 if (local->ops->napi_poll)
56858 napi_disable(&local->napi);
56859 ieee80211_clear_tx_pending(local);
56860 diff -urNp linux-2.6.37/net/mac80211/main.c linux-2.6.37/net/mac80211/main.c
56861 --- linux-2.6.37/net/mac80211/main.c 2011-01-04 19:50:19.000000000 -0500
56862 +++ linux-2.6.37/net/mac80211/main.c 2011-01-24 18:04:18.000000000 -0500
56863 @@ -159,7 +159,7 @@ int ieee80211_hw_config(struct ieee80211
56864 local->hw.conf.power_level = power;
56867 - if (changed && local->open_count) {
56868 + if (changed && local_read(&local->open_count)) {
56869 ret = drv_config(local, changed);
56872 diff -urNp linux-2.6.37/net/mac80211/pm.c linux-2.6.37/net/mac80211/pm.c
56873 --- linux-2.6.37/net/mac80211/pm.c 2011-01-04 19:50:19.000000000 -0500
56874 +++ linux-2.6.37/net/mac80211/pm.c 2011-01-24 18:04:18.000000000 -0500
56875 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
56878 /* stop hardware - this must stop RX */
56879 - if (local->open_count)
56880 + if (local_read(&local->open_count))
56881 ieee80211_stop_device(local);
56883 local->suspended = true;
56884 diff -urNp linux-2.6.37/net/mac80211/rate.c linux-2.6.37/net/mac80211/rate.c
56885 --- linux-2.6.37/net/mac80211/rate.c 2011-01-04 19:50:19.000000000 -0500
56886 +++ linux-2.6.37/net/mac80211/rate.c 2011-01-24 18:04:18.000000000 -0500
56887 @@ -361,7 +361,7 @@ int ieee80211_init_rate_ctrl_alg(struct
56891 - if (local->open_count)
56892 + if (local_read(&local->open_count))
56895 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
56896 diff -urNp linux-2.6.37/net/mac80211/rc80211_pid_debugfs.c linux-2.6.37/net/mac80211/rc80211_pid_debugfs.c
56897 --- linux-2.6.37/net/mac80211/rc80211_pid_debugfs.c 2011-01-04 19:50:19.000000000 -0500
56898 +++ linux-2.6.37/net/mac80211/rc80211_pid_debugfs.c 2011-01-17 02:41:02.000000000 -0500
56899 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
56901 spin_unlock_irqrestore(&events->lock, status);
56903 - if (copy_to_user(buf, pb, p))
56904 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
56908 diff -urNp linux-2.6.37/net/mac80211/tx.c linux-2.6.37/net/mac80211/tx.c
56909 --- linux-2.6.37/net/mac80211/tx.c 2011-01-04 19:50:19.000000000 -0500
56910 +++ linux-2.6.37/net/mac80211/tx.c 2011-01-17 02:41:02.000000000 -0500
56911 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
56912 return cpu_to_le16(dur);
56915 -static int inline is_ieee80211_device(struct ieee80211_local *local,
56916 +static inline int is_ieee80211_device(struct ieee80211_local *local,
56917 struct net_device *dev)
56919 return local == wdev_priv(dev->ieee80211_ptr);
56920 diff -urNp linux-2.6.37/net/mac80211/util.c linux-2.6.37/net/mac80211/util.c
56921 --- linux-2.6.37/net/mac80211/util.c 2011-01-04 19:50:19.000000000 -0500
56922 +++ linux-2.6.37/net/mac80211/util.c 2011-01-24 18:04:18.000000000 -0500
56923 @@ -1111,7 +1111,7 @@ int ieee80211_reconfig(struct ieee80211_
56924 local->resuming = true;
56926 /* restart hardware */
56927 - if (local->open_count) {
56928 + if (local_read(&local->open_count)) {
56930 * Upon resume hardware can sometimes be goofy due to
56931 * various platform / driver / bus issues, so restarting
56932 diff -urNp linux-2.6.37/net/netfilter/Kconfig linux-2.6.37/net/netfilter/Kconfig
56933 --- linux-2.6.37/net/netfilter/Kconfig 2011-01-04 19:50:19.000000000 -0500
56934 +++ linux-2.6.37/net/netfilter/Kconfig 2011-01-17 02:41:02.000000000 -0500
56935 @@ -709,6 +709,16 @@ config NETFILTER_XT_MATCH_ESP
56937 To compile it as a module, choose M here. If unsure, say N.
56939 +config NETFILTER_XT_MATCH_GRADM
56940 + tristate '"gradm" match support'
56941 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
56942 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
56944 + The gradm match allows to match on grsecurity RBAC being enabled.
56945 + It is useful when iptables rules are applied early on bootup to
56946 + prevent connections to the machine (except from a trusted host)
56947 + while the RBAC system is disabled.
56949 config NETFILTER_XT_MATCH_HASHLIMIT
56950 tristate '"hashlimit" match support'
56951 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
56952 diff -urNp linux-2.6.37/net/netfilter/Makefile linux-2.6.37/net/netfilter/Makefile
56953 --- linux-2.6.37/net/netfilter/Makefile 2011-01-04 19:50:19.000000000 -0500
56954 +++ linux-2.6.37/net/netfilter/Makefile 2011-01-17 02:41:02.000000000 -0500
56955 @@ -74,6 +74,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) +=
56956 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
56957 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
56958 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
56959 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
56960 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
56961 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
56962 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
56963 diff -urNp linux-2.6.37/net/netfilter/nf_conntrack_netlink.c linux-2.6.37/net/netfilter/nf_conntrack_netlink.c
56964 --- linux-2.6.37/net/netfilter/nf_conntrack_netlink.c 2011-01-04 19:50:19.000000000 -0500
56965 +++ linux-2.6.37/net/netfilter/nf_conntrack_netlink.c 2011-01-17 02:41:02.000000000 -0500
56966 @@ -761,7 +761,7 @@ static const struct nla_policy tuple_nla
56968 ctnetlink_parse_tuple(const struct nlattr * const cda[],
56969 struct nf_conntrack_tuple *tuple,
56970 - enum ctattr_tuple type, u_int8_t l3num)
56971 + enum ctattr_type type, u_int8_t l3num)
56973 struct nlattr *tb[CTA_TUPLE_MAX+1];
56975 diff -urNp linux-2.6.37/net/netfilter/xt_gradm.c linux-2.6.37/net/netfilter/xt_gradm.c
56976 --- linux-2.6.37/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
56977 +++ linux-2.6.37/net/netfilter/xt_gradm.c 2011-01-17 02:41:02.000000000 -0500
56980 + * gradm match for netfilter
56981 + * Copyright © Zbigniew Krzystolik, 2010
56983 + * This program is free software; you can redistribute it and/or modify
56984 + * it under the terms of the GNU General Public License; either version
56985 + * 2 or 3 as published by the Free Software Foundation.
56987 +#include <linux/module.h>
56988 +#include <linux/moduleparam.h>
56989 +#include <linux/skbuff.h>
56990 +#include <linux/netfilter/x_tables.h>
56991 +#include <linux/grsecurity.h>
56992 +#include <linux/netfilter/xt_gradm.h>
56995 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
56997 + const struct xt_gradm_mtinfo *info = par->matchinfo;
56998 + bool retval = false;
56999 + if (gr_acl_is_enabled())
57001 + return retval ^ info->invflags;
57004 +static struct xt_match gradm_mt_reg __read_mostly = {
57007 + .family = NFPROTO_UNSPEC,
57008 + .match = gradm_mt,
57009 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
57010 + .me = THIS_MODULE,
57013 +static int __init gradm_mt_init(void)
57015 + return xt_register_match(&gradm_mt_reg);
57018 +static void __exit gradm_mt_exit(void)
57020 + xt_unregister_match(&gradm_mt_reg);
57023 +module_init(gradm_mt_init);
57024 +module_exit(gradm_mt_exit);
57025 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
57026 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
57027 +MODULE_LICENSE("GPL");
57028 +MODULE_ALIAS("ipt_gradm");
57029 +MODULE_ALIAS("ip6t_gradm");
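Review bot: `return retval ^ info->invflags;` treats `invflags` as a 0/1 value, but nothing visible in this file validates it; the `xt_match` initializer shown sets `.family`, `.match`, `.matchsize` and `.me`, and no `.checkentry` is visible. If `invflags` arrives with any bit other than bit 0 set, the XOR is non-zero in both RBAC states and the match is always true, so a rule meant to apply only while RBAC is disabled would apply all the time. Normalising the operand, `return retval ^ !!info->invflags;`, or rejecting other values in a `.checkentry` callback keeps the rule's meaning independent of what userspace wrote into the match data. The layout of `struct xt_gradm_mtinfo` is in a header outside this hunk, so the field's width is assumed.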
57030 diff -urNp linux-2.6.37/net/netlink/af_netlink.c linux-2.6.37/net/netlink/af_netlink.c
57031 --- linux-2.6.37/net/netlink/af_netlink.c 2011-01-04 19:50:19.000000000 -0500
57032 +++ linux-2.6.37/net/netlink/af_netlink.c 2011-01-17 02:41:02.000000000 -0500
57033 @@ -1991,13 +1991,21 @@ static int netlink_seq_show(struct seq_f
57034 struct netlink_sock *nlk = nlk_sk(s);
57036 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
57037 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57044 nlk->groups ? (u32)nlk->groups[0] : 0,
57045 sk_rmem_alloc_get(s),
57046 sk_wmem_alloc_get(s),
57047 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57052 atomic_read(&s->sk_refcnt),
57053 atomic_read(&s->sk_drops),
57055 diff -urNp linux-2.6.37/net/netrom/af_netrom.c linux-2.6.37/net/netrom/af_netrom.c
57056 --- linux-2.6.37/net/netrom/af_netrom.c 2011-01-04 19:50:19.000000000 -0500
57057 +++ linux-2.6.37/net/netrom/af_netrom.c 2011-01-17 02:41:02.000000000 -0500
57058 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
57059 struct sock *sk = sock->sk;
57060 struct nr_sock *nr = nr_sk(sk);
57062 + memset(sax, 0, sizeof(*sax));
57065 if (sk->sk_state != TCP_ESTABLISHED) {
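Review bot: The new `memset(sax, 0, sizeof(*sax));` carries no comment saying why the whole structure is cleared, and the reason is a security one. The function reports a length of either `sizeof(struct full_sockaddr_ax25)` or `sizeof(struct sockaddr_ax25)` while assigning only some fields, and the buffer is presumably copied to userspace by the caller. A one-line comment such as `/* zero padding and unused fields so no stale kernel memory reaches userspace */` would stop a later cleanup from going back to per-field initialisation. The copy-out itself is outside this hunk.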
57066 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
57067 *uaddr_len = sizeof(struct full_sockaddr_ax25);
57069 sax->fsa_ax25.sax25_family = AF_NETROM;
57070 - sax->fsa_ax25.sax25_ndigis = 0;
57071 sax->fsa_ax25.sax25_call = nr->source_addr;
57072 *uaddr_len = sizeof(struct sockaddr_ax25);
57074 diff -urNp linux-2.6.37/net/packet/af_packet.c linux-2.6.37/net/packet/af_packet.c
57075 --- linux-2.6.37/net/packet/af_packet.c 2011-01-04 19:50:19.000000000 -0500
57076 +++ linux-2.6.37/net/packet/af_packet.c 2011-01-17 02:41:02.000000000 -0500
57077 @@ -2123,7 +2123,7 @@ static int packet_getsockopt(struct sock
57078 case PACKET_HDRLEN:
57079 if (len > sizeof(int))
57081 - if (copy_from_user(&val, optval, len))
57082 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
57086 @@ -2161,7 +2161,7 @@ static int packet_getsockopt(struct sock
57088 if (put_user(len, optlen))
57090 - if (copy_to_user(optval, data, len))
57091 + if (len > sizeof(st) || copy_to_user(optval, data, len))
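Review bot: The added bound compares `len` with `sizeof(st)`, but the copy source is `data`, which is assigned outside this hunk. If `data` can point at anything smaller than `st` on some option paths, for example the `val` used in the `PACKET_HDRLEN` case of the previous hunk, the check permits a copy larger than the object being read. Recording the size of the selected object next to each `data = ...` assignment and testing `len` against that would make the bound exact. In the previous hunk the new `len > sizeof(val)` test appears to follow a clamp of `len` to `sizeof(int)`, so it is probably redundant there; the clamp's body is not visible.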
57095 @@ -2640,7 +2640,11 @@ static int packet_seq_show(struct seq_fi
57098 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
57099 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57104 atomic_read(&s->sk_refcnt),
57107 diff -urNp linux-2.6.37/net/phonet/af_phonet.c linux-2.6.37/net/phonet/af_phonet.c
57108 --- linux-2.6.37/net/phonet/af_phonet.c 2011-01-04 19:50:19.000000000 -0500
57109 +++ linux-2.6.37/net/phonet/af_phonet.c 2011-01-17 02:41:02.000000000 -0500
57110 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
57112 struct phonet_protocol *pp;
57114 - if (protocol >= PHONET_NPROTO)
57115 + if (protocol < 0 || protocol >= PHONET_NPROTO)
57119 @@ -463,7 +463,7 @@ int __init_or_module phonet_proto_regist
57123 - if (protocol >= PHONET_NPROTO)
57124 + if (protocol < 0 || protocol >= PHONET_NPROTO)
57127 err = proto_register(pp->prot, 1);
57128 diff -urNp linux-2.6.37/net/phonet/socket.c linux-2.6.37/net/phonet/socket.c
57129 --- linux-2.6.37/net/phonet/socket.c 2011-01-04 19:50:19.000000000 -0500
57130 +++ linux-2.6.37/net/phonet/socket.c 2011-01-17 02:41:02.000000000 -0500
57131 @@ -637,7 +637,12 @@ static int pn_sock_seq_show(struct seq_f
57133 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
57134 sock_i_uid(sk), sock_i_ino(sk),
57135 - atomic_read(&sk->sk_refcnt), sk,
57136 + atomic_read(&sk->sk_refcnt),
57137 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57142 atomic_read(&sk->sk_drops), &len);
57144 seq_printf(seq, "%*s\n", 127 - len, "");
57145 diff -urNp linux-2.6.37/net/sctp/proc.c linux-2.6.37/net/sctp/proc.c
57146 --- linux-2.6.37/net/sctp/proc.c 2011-01-04 19:50:19.000000000 -0500
57147 +++ linux-2.6.37/net/sctp/proc.c 2011-01-17 02:41:02.000000000 -0500
57148 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
57149 sctp_for_each_hentry(epb, node, &head->chain) {
57152 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
57153 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
57154 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57159 sctp_sk(sk)->type, sk->sk_state, hash,
57160 epb->bind_addr.port,
57161 sock_i_uid(sk), sock_i_ino(sk));
57162 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
57164 "%8p %8p %-3d %-3d %-2d %-4d "
57165 "%4d %8d %8d %7d %5lu %-5d %5d ",
57166 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
57167 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57172 + sctp_sk(sk)->type, sk->sk_state,
57173 assoc->state, hash,
57175 assoc->sndbuf_used,
57176 diff -urNp linux-2.6.37/net/sctp/socket.c linux-2.6.37/net/sctp/socket.c
57177 --- linux-2.6.37/net/sctp/socket.c 2011-01-04 19:50:19.000000000 -0500
57178 +++ linux-2.6.37/net/sctp/socket.c 2011-01-17 02:41:02.000000000 -0500
57179 @@ -1496,7 +1496,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
57180 struct sctp_sndrcvinfo *sinfo;
57181 struct sctp_initmsg *sinit;
57182 sctp_assoc_t associd = 0;
57183 - sctp_cmsgs_t cmsgs = { NULL };
57184 + sctp_cmsgs_t cmsgs = { NULL, NULL };
57186 sctp_scope_t scope;
57188 @@ -4435,7 +4435,7 @@ static int sctp_getsockopt_peer_addrs(st
57189 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
57190 if (space_left < addrlen)
57192 - if (copy_to_user(to, &temp, addrlen))
57193 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
57197 diff -urNp linux-2.6.37/net/socket.c linux-2.6.37/net/socket.c
57198 --- linux-2.6.37/net/socket.c 2011-01-04 19:50:19.000000000 -0500
57199 +++ linux-2.6.37/net/socket.c 2011-01-17 02:41:02.000000000 -0500
57201 #include <linux/nsproxy.h>
57202 #include <linux/magic.h>
57203 #include <linux/slab.h>
57204 +#include <linux/in.h>
57206 #include <asm/uaccess.h>
57207 #include <asm/unistd.h>
57208 @@ -105,6 +106,8 @@
57209 #include <linux/sockios.h>
57210 #include <linux/atalk.h>
57212 +#include <linux/grsock.h>
57214 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
57215 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
57216 unsigned long nr_segs, loff_t pos);
57217 @@ -311,7 +314,7 @@ static struct dentry *sockfs_mount(struc
57218 return mount_pseudo(fs_type, "socket:", &sockfs_ops, SOCKFS_MAGIC);
57221 -static struct vfsmount *sock_mnt __read_mostly;
57222 +struct vfsmount *sock_mnt __read_mostly;
57224 static struct file_system_type sock_fs_type = {
57226 @@ -1173,6 +1176,8 @@ int __sock_create(struct net *net, int f
57227 return -EAFNOSUPPORT;
57228 if (type < 0 || type >= SOCK_MAX)
57230 + if (protocol < 0)
57235 @@ -1305,6 +1310,16 @@ SYSCALL_DEFINE3(socket, int, family, int
57236 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
57237 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
57239 + if(!gr_search_socket(family, type, protocol)) {
57240 + retval = -EACCES;
57244 + if (gr_handle_sock_all(family, type, protocol)) {
57245 + retval = -EACCES;
57249 retval = sock_create(family, type, protocol, &sock);
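Review bot: The two policy calls added here use opposite return conventions: `if(!gr_search_socket(family, type, protocol))` denies on zero, while `if (gr_handle_sock_all(family, type, protocol))` denies on non-zero, and both set `retval = -EACCES`. Mixed polarity in adjacent access-control checks is easy to get wrong when another hook is added by copy and paste. A short comment on each call stating what a non-zero return means, or a single wrapper that returns 0 or a negative errno, would make the deny paths auditable at a glance. The first call also lacks the space after `if` that the surrounding code uses. The callee definitions are outside this hunk.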
57252 @@ -1417,6 +1432,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
57254 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
57256 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
57260 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
57264 err = security_socket_bind(sock,
57265 (struct sockaddr *)&address,
57267 @@ -1425,6 +1448,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
57268 (struct sockaddr *)
57269 &address, addrlen);
57272 fput_light(sock->file, fput_needed);
57275 @@ -1448,10 +1472,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
57276 if ((unsigned)backlog > somaxconn)
57277 backlog = somaxconn;
57279 + if (gr_handle_sock_server_other(sock->sk)) {
57284 + err = gr_search_listen(sock);
57288 err = security_socket_listen(sock, backlog);
57290 err = sock->ops->listen(sock, backlog);
57293 fput_light(sock->file, fput_needed);
57296 @@ -1495,6 +1529,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
57297 newsock->type = sock->type;
57298 newsock->ops = sock->ops;
57300 + if (gr_handle_sock_server_other(sock->sk)) {
57302 + sock_release(newsock);
57306 + err = gr_search_accept(sock);
57308 + sock_release(newsock);
57313 * We don't need try_module_get here, as the listening socket (sock)
57314 * has the protocol module (sock->ops->owner) held.
57315 @@ -1533,6 +1579,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
57316 fd_install(newfd, newfile);
57319 + gr_attach_curr_ip(newsock->sk);
57322 fput_light(sock->file, fput_needed);
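Review bot: `gr_attach_curr_ip(newsock->sk)` is placed after `fd_install(newfd, newfile)`, at which point the descriptor is live in the file table and the file reference held by this path has been handed over. Another thread sharing the table can close `newfd` before the added line runs, so `newsock` may already have been released when it is dereferenced. Moving the call ahead of `fd_install()` keeps it inside the window where the new socket is still private to this syscall: `gr_attach_curr_ip(newsock->sk);` followed by `fd_install(newfd, newfile);`. The rest of accept4 is outside the hunk, so this assumes no additional reference is taken elsewhere.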
57324 @@ -1565,6 +1613,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
57327 struct socket *sock;
57328 + struct sockaddr *sck;
57329 struct sockaddr_storage address;
57330 int err, fput_needed;
57332 @@ -1575,6 +1624,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
57336 + sck = (struct sockaddr *)&address;
57338 + if (gr_handle_sock_client(sck)) {
57343 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
57348 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
57350 diff -urNp linux-2.6.37/net/sunrpc/sched.c linux-2.6.37/net/sunrpc/sched.c
57351 --- linux-2.6.37/net/sunrpc/sched.c 2011-01-04 19:50:19.000000000 -0500
57352 +++ linux-2.6.37/net/sunrpc/sched.c 2011-01-17 02:41:02.000000000 -0500
57353 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
57355 static void rpc_task_set_debuginfo(struct rpc_task *task)
57357 - static atomic_t rpc_pid;
57358 + static atomic_unchecked_t rpc_pid;
57360 - task->tk_pid = atomic_inc_return(&rpc_pid);
57361 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
57364 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
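Review bot: The switch to `atomic_unchecked_t` and `atomic_inc_return_unchecked()` is not explained at the declaration, and by their naming the unchecked variants opt out of the checking applied to ordinary `atomic_t` counters. A reader auditing for reference counts that were exempted by mistake has to work out that `rpc_pid` only generates the identifier stored in `task->tk_pid`. A comment on the declaration such as `/* id generator for debug output, may wrap; not a reference count */` records that the exemption is deliberate.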
57365 diff -urNp linux-2.6.37/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.37/net/sunrpc/xprtrdma/svc_rdma.c
57366 --- linux-2.6.37/net/sunrpc/xprtrdma/svc_rdma.c 2011-01-04 19:50:19.000000000 -0500
57367 +++ linux-2.6.37/net/sunrpc/xprtrdma/svc_rdma.c 2011-01-17 02:41:02.000000000 -0500
57368 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
57372 - if (len && copy_to_user(buffer, str_buf, len))
57373 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
57377 diff -urNp linux-2.6.37/net/sysctl_net.c linux-2.6.37/net/sysctl_net.c
57378 --- linux-2.6.37/net/sysctl_net.c 2011-01-04 19:50:19.000000000 -0500
57379 +++ linux-2.6.37/net/sysctl_net.c 2011-01-17 02:41:02.000000000 -0500
57380 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
57381 struct ctl_table *table)
57383 /* Allow network administrator to have same access as root. */
57384 - if (capable(CAP_NET_ADMIN)) {
57385 + if (capable_nolog(CAP_NET_ADMIN)) {
57386 int mode = (table->mode >> 6) & 7;
57387 return (mode << 6) | (mode << 3) | mode;
57389 diff -urNp linux-2.6.37/net/tipc/socket.c linux-2.6.37/net/tipc/socket.c
57390 --- linux-2.6.37/net/tipc/socket.c 2011-01-04 19:50:19.000000000 -0500
57391 +++ linux-2.6.37/net/tipc/socket.c 2011-01-17 02:41:02.000000000 -0500
57392 @@ -1475,8 +1475,9 @@ static int connect(struct socket *sock,
57397 - ; /* leave "res" unchanged */
57399 + /* leave "res" unchanged */
57401 sock->state = SS_DISCONNECTING;
57404 diff -urNp linux-2.6.37/net/unix/af_unix.c linux-2.6.37/net/unix/af_unix.c
57405 --- linux-2.6.37/net/unix/af_unix.c 2011-01-04 19:50:19.000000000 -0500
57406 +++ linux-2.6.37/net/unix/af_unix.c 2011-01-17 02:41:02.000000000 -0500
57407 @@ -764,6 +764,12 @@ static struct sock *unix_find_other(stru
57408 err = -ECONNREFUSED;
57409 if (!S_ISSOCK(inode->i_mode))
57412 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
57417 u = unix_find_socket_byinode(inode);
57420 @@ -784,6 +790,13 @@ static struct sock *unix_find_other(stru
57422 struct dentry *dentry;
57423 dentry = unix_sk(u)->dentry;
57425 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
57432 touch_atime(unix_sk(u)->mnt, dentry);
57434 @@ -869,11 +882,18 @@ static int unix_bind(struct socket *sock
57435 err = security_path_mknod(&nd.path, dentry, mode, 0);
57437 goto out_mknod_drop_write;
57438 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
57440 + goto out_mknod_drop_write;
57442 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
57443 out_mknod_drop_write:
57444 mnt_drop_write(nd.path.mnt);
57446 goto out_mknod_dput;
57448 + gr_handle_create(dentry, nd.path.mnt);
57450 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
57451 dput(nd.path.dentry);
57452 nd.path.dentry = dentry;
57453 @@ -891,6 +911,11 @@ out_mknod_drop_write:
57457 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57458 + put_pid(sk->sk_peer_pid);
57459 + sk->sk_peer_pid = get_pid(task_tgid(current));
57462 list = &unix_socket_table[addr->hash];
57464 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
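Review bot: In the `CONFIG_GRKERNSEC_CHROOT_UNIX` block the old `sk->sk_peer_pid` reference is released with `put_pid()` before the field is overwritten, so for a short window the field names a pid this socket no longer holds a reference on. The second hunk of this file reads `u->sk_peer_pid` from another socket in `unix_find_other()`, and neither hunk shows a lock protecting the field, so a concurrent lookup could hand a stale pointer to `gr_handle_chroot_unix()`. Storing the new reference first closes most of that window: `struct pid *old = sk->sk_peer_pid; sk->sk_peer_pid = get_pid(task_tgid(current)); put_pid(old);`. Whether the lock held at this point in `unix_bind()` also serialises the reader is not visible here and should be confirmed.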
57465 @@ -2226,7 +2251,11 @@ static int unix_seq_show(struct seq_file
57466 unix_state_lock(s);
57468 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
57469 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57474 atomic_read(&s->sk_refcnt),
57476 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
57477 diff -urNp linux-2.6.37/net/wireless/reg.c linux-2.6.37/net/wireless/reg.c
57478 --- linux-2.6.37/net/wireless/reg.c 2011-01-04 19:50:19.000000000 -0500
57479 +++ linux-2.6.37/net/wireless/reg.c 2011-01-17 02:41:02.000000000 -0500
57481 printk(KERN_DEBUG format , ## args); \
57484 -#define REG_DBG_PRINT(args...)
57485 +#define REG_DBG_PRINT(args...) do {} while (0)
57488 /* Receipt of information from last regulatory request */
57489 diff -urNp linux-2.6.37/net/wireless/wext-core.c linux-2.6.37/net/wireless/wext-core.c
57490 --- linux-2.6.37/net/wireless/wext-core.c 2011-01-04 19:50:19.000000000 -0500
57491 +++ linux-2.6.37/net/wireless/wext-core.c 2011-01-17 02:41:02.000000000 -0500
57492 @@ -744,8 +744,7 @@ static int ioctl_standard_iw_point(struc
57495 /* Support for very large requests */
57496 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
57497 - (user_length > descr->max_tokens)) {
57498 + if (user_length > descr->max_tokens) {
57499 /* Allow userspace to GET more than max so
57500 * we can support any size GET requests.
57501 * There is still a limit : -ENOMEM.
57502 @@ -782,22 +781,6 @@ static int ioctl_standard_iw_point(struc
57506 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
57508 - * If this is a GET, but not NOMAX, it means that the extra
57509 - * data is not bounded by userspace, but by max_tokens. Thus
57510 - * set the length to max_tokens. This matches the extra data
57512 - * The driver should fill it with the number of tokens it
57513 - * provided, and it may check iwp->length rather than having
57514 - * knowledge of max_tokens. If the driver doesn't change the
57515 - * iwp->length, this ioctl just copies back max_token tokens
57516 - * filled with zeroes. Hopefully the driver isn't claiming
57517 - * them to be valid data.
57519 - iwp->length = descr->max_tokens;
57522 err = handler(dev, info, (union iwreq_data *) iwp, extra);
57524 iwp->length += essid_compat;
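Review bot: With the `IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)` block removed, nothing in this hunk bounds `iwp->length` for a GET before `handler()` runs, and the deleted comment was the only text explaining how the copy-back size is decided. Combined with the first hunk, where the `IW_DESCR_FLAG_NOMAX` test is dropped from the "very large requests" condition, the amount returned to userspace now appears to follow the caller-supplied length unless the driver rewrites it. The allocation of `extra` lies outside both hunks, so it cannot be confirmed from here that it is zero-filled; if it is not, a handler that leaves `iwp->length` untouched would copy uninitialised kernel memory back. I would state the invariant above the handler call, e.g. `/* extra is zero-filled and sized from user_length for GET, so the copy-back stays inside the allocation */`, and verify the allocation matches it.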
57525 diff -urNp linux-2.6.37/net/x25/x25_facilities.c linux-2.6.37/net/x25/x25_facilities.c
57526 --- linux-2.6.37/net/x25/x25_facilities.c 2011-01-04 19:50:19.000000000 -0500
57527 +++ linux-2.6.37/net/x25/x25_facilities.c 2011-01-17 02:41:02.000000000 -0500
57528 @@ -157,7 +157,8 @@ int x25_parse_facilities(struct sk_buff
57531 printk(KERN_DEBUG "X.25: unknown facility %02X,"
57532 - "length %d\n", p[0], p[1]);
57533 + "length %d, values %02X, %02X\n",
57534 + p[0], p[1], p[2], p[3]);
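Review bot: The widened debug message reads `p[2]` and `p[3]`, but the hunk shows no check that at least four bytes of facilities data remain, so a short or malformed facility field received from the peer could make this `printk` read past the end of the buffer. The enclosing switch is outside the hunk; unless it already guarantees the length, guard the longer form, e.g. `if (remaining >= 4)` with `remaining` standing for whatever length counter the parse loop keeps, and fall back to the original two-argument message otherwise. The format string also has no space after the first comma, so the line prints as `XX,length N`.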
57538 diff -urNp linux-2.6.37/net/xfrm/xfrm_policy.c linux-2.6.37/net/xfrm/xfrm_policy.c
57539 --- linux-2.6.37/net/xfrm/xfrm_policy.c 2011-01-04 19:50:19.000000000 -0500
57540 +++ linux-2.6.37/net/xfrm/xfrm_policy.c 2011-01-17 02:41:02.000000000 -0500
57541 @@ -1504,7 +1504,7 @@ free_dst:
57547 xfrm_dst_alloc_copy(void **target, void *src, int size)
57550 @@ -1516,7 +1516,7 @@ xfrm_dst_alloc_copy(void **target, void
57556 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
57558 #ifdef CONFIG_XFRM_SUB_POLICY
57559 @@ -1528,7 +1528,7 @@ xfrm_dst_update_parent(struct dst_entry
57565 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
57567 #ifdef CONFIG_XFRM_SUB_POLICY
57568 diff -urNp linux-2.6.37/scripts/basic/fixdep.c linux-2.6.37/scripts/basic/fixdep.c
57569 --- linux-2.6.37/scripts/basic/fixdep.c 2011-01-04 19:50:19.000000000 -0500
57570 +++ linux-2.6.37/scripts/basic/fixdep.c 2011-01-17 02:41:02.000000000 -0500
57571 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
57573 static void parse_config_file(char *map, size_t len)
57575 - int *end = (int *) (map + len);
57576 + unsigned int *end = (unsigned int *) (map + len);
57577 /* start at +1, so that p can never be < map */
57578 - int *m = (int *) map + 1;
57579 + unsigned int *m = (unsigned int *) map + 1;
57582 for (; m < end; m++) {
57583 @@ -371,7 +371,7 @@ static void print_deps(void)
57584 static void traps(void)
57586 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
57587 - int *p = (int *)test;
57588 + unsigned int *p = (unsigned int *)test;
57590 if (*p != INT_CONF) {
57591 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
57592 diff -urNp linux-2.6.37/scripts/kallsyms.c linux-2.6.37/scripts/kallsyms.c
57593 --- linux-2.6.37/scripts/kallsyms.c 2011-01-04 19:50:19.000000000 -0500
57594 +++ linux-2.6.37/scripts/kallsyms.c 2011-01-17 02:41:02.000000000 -0500
57595 @@ -43,10 +43,10 @@ struct text_range {
57597 static unsigned long long _text;
57598 static struct text_range text_ranges[] = {
57599 - { "_stext", "_etext" },
57600 - { "_sinittext", "_einittext" },
57601 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
57602 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
57603 + { "_stext", "_etext", 0, 0 },
57604 + { "_sinittext", "_einittext", 0, 0 },
57605 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
57606 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
57608 #define text_range_text (&text_ranges[0])
57609 #define text_range_inittext (&text_ranges[1])
57610 diff -urNp linux-2.6.37/scripts/mod/file2alias.c linux-2.6.37/scripts/mod/file2alias.c
57611 --- linux-2.6.37/scripts/mod/file2alias.c 2011-01-04 19:50:19.000000000 -0500
57612 +++ linux-2.6.37/scripts/mod/file2alias.c 2011-01-17 02:41:02.000000000 -0500
57613 @@ -72,7 +72,7 @@ static void device_id_check(const char *
57614 unsigned long size, unsigned long id_size,
57620 if (size % id_size || size < id_size) {
57621 if (cross_build != 0)
57622 @@ -102,7 +102,7 @@ static void device_id_check(const char *
57623 /* USB is special because the bcdDevice can be matched against a numeric range */
57624 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
57625 static void do_usb_entry(struct usb_device_id *id,
57626 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
57627 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
57628 unsigned char range_lo, unsigned char range_hi,
57629 unsigned char max, struct module *mod)
57631 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
57632 for (i = 0; i < count; i++) {
57633 const char *id = (char *)devs[i].id;
57634 char acpi_id[sizeof(devs[0].id)];
57638 buf_printf(&mod->dev_table_buf,
57639 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
57640 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
57642 for (j = 0; j < PNP_MAX_DEVICES; j++) {
57643 const char *id = (char *)card->devs[j].id;
57645 + unsigned int i2, j2;
57649 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
57650 /* add an individual alias for every device entry */
57652 char acpi_id[sizeof(card->devs[0].id)];
57656 buf_printf(&mod->dev_table_buf,
57657 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
57658 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
57659 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
57663 + unsigned int i, j;
57665 sprintf(alias, "dmi*");
57667 diff -urNp linux-2.6.37/scripts/mod/modpost.c linux-2.6.37/scripts/mod/modpost.c
57668 --- linux-2.6.37/scripts/mod/modpost.c 2011-01-04 19:50:19.000000000 -0500
57669 +++ linux-2.6.37/scripts/mod/modpost.c 2011-01-17 02:41:02.000000000 -0500
57670 @@ -895,6 +895,7 @@ enum mismatch {
57671 ANY_INIT_TO_ANY_EXIT,
57672 ANY_EXIT_TO_ANY_INIT,
57673 EXPORT_TO_INIT_EXIT,
57677 struct sectioncheck {
57678 @@ -1003,6 +1004,12 @@ const struct sectioncheck sectioncheck[]
57679 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
57680 .mismatch = EXPORT_TO_INIT_EXIT,
57681 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
57683 +/* Do not reference code from writable data */
57685 + .fromsec = { DATA_SECTIONS, NULL },
57686 + .tosec = { TEXT_SECTIONS, NULL },
57687 + .mismatch = DATA_TO_TEXT
57691 @@ -1125,10 +1132,10 @@ static Elf_Sym *find_elf_symbol(struct e
57693 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
57695 - if (sym->st_value == addr)
57697 /* Find a symbol nearby - addr are maybe negative */
57698 d = sym->st_value - addr;
57702 d = addr - sym->st_value;
57703 if (d < distance) {
57704 @@ -1400,6 +1407,14 @@ static void report_sec_mismatch(const ch
57705 tosym, prl_to, prl_to, tosym);
57708 + case DATA_TO_TEXT:
57711 + "The variable %s references\n"
57712 + "the %s %s%s%s\n",
57713 + fromsym, to, sec2annotation(tosec), tosym, to_p);
57717 fprintf(stderr, "\n");
57719 @@ -1723,7 +1738,7 @@ void __attribute__((format(printf, 2, 3)
57723 -void buf_write(struct buffer *buf, const char *s, int len)
57724 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
57726 if (buf->size - buf->pos < len) {
57727 buf->size += len + SZ;
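Review bot: `len` becomes `unsigned int` here, and `pos`/`size` do the same in the modpost.h hunk, where `size_t` is the natural type for a buffer length. With 32-bit unsigned arithmetic, `buf->size += len + SZ` wraps silently for a large enough `len`, which would leave the buffer smaller than the data about to be appended. I would declare it as `void buf_write(struct buffer *buf, const char *s, size_t len)`, make the two struct fields `size_t`, and keep the `(off_t)b->pos` cast in `write_if_changed()`. The body of `buf_write()` continues outside the hunk, so the copy itself is not visible.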
57728 @@ -1935,7 +1950,7 @@ static void write_if_changed(struct buff
57729 if (fstat(fileno(file), &st) < 0)
57732 - if (st.st_size != b->pos)
57733 + if (st.st_size != (off_t)b->pos)
57736 tmp = NOFAIL(malloc(b->pos));
57737 diff -urNp linux-2.6.37/scripts/mod/modpost.h linux-2.6.37/scripts/mod/modpost.h
57738 --- linux-2.6.37/scripts/mod/modpost.h 2011-01-04 19:50:19.000000000 -0500
57739 +++ linux-2.6.37/scripts/mod/modpost.h 2011-01-17 02:41:02.000000000 -0500
57740 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
57746 + unsigned int pos;
57747 + unsigned int size;
57750 void __attribute__((format(printf, 2, 3)))
57751 buf_printf(struct buffer *buf, const char *fmt, ...);
57754 -buf_write(struct buffer *buf, const char *s, int len);
57755 +buf_write(struct buffer *buf, const char *s, unsigned int len);
57758 struct module *next;
57759 diff -urNp linux-2.6.37/scripts/mod/sumversion.c linux-2.6.37/scripts/mod/sumversion.c
57760 --- linux-2.6.37/scripts/mod/sumversion.c 2011-01-04 19:50:19.000000000 -0500
57761 +++ linux-2.6.37/scripts/mod/sumversion.c 2011-01-17 02:41:02.000000000 -0500
57762 @@ -455,7 +455,7 @@ static void write_version(const char *fi
57766 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
57767 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
57768 warn("writing sum in %s failed: %s\n",
57769 filename, strerror(errno));
57771 diff -urNp linux-2.6.37/scripts/pnmtologo.c linux-2.6.37/scripts/pnmtologo.c
57772 --- linux-2.6.37/scripts/pnmtologo.c 2011-01-04 19:50:19.000000000 -0500
57773 +++ linux-2.6.37/scripts/pnmtologo.c 2011-01-17 02:41:02.000000000 -0500
57774 @@ -237,14 +237,14 @@ static void write_header(void)
57775 fprintf(out, " * Linux logo %s\n", logoname);
57776 fputs(" */\n\n", out);
57777 fputs("#include <linux/linux_logo.h>\n\n", out);
57778 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
57779 + fprintf(out, "static unsigned char %s_data[] = {\n",
57783 static void write_footer(void)
57785 fputs("\n};\n\n", out);
57786 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
57787 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
57788 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
57789 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
57790 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
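Review bot: Dropping `__initdata` and `__initconst` from the generated declarations means the logo pixel data and the logo struct (and the CLUT array in the `write_logo_clut224()` hunk) stay resident for the lifetime of the kernel instead of being freed after init, and nothing in the patch says why. The arrays are still emitted as plain `static unsigned char`, i.e. writable data. If the aim is hardening, emitting `static const unsigned char %s_data[] = {` would place them in read-only data, provided the `linux_logo` fields accept const pointers, which is not visible here. A short comment in `write_header()` such as `/* no __initdata: logo must stay valid after init */` would stop someone from restoring the annotations later; the actual reason should be filled in by the author.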
57791 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
57792 fputs("\n};\n\n", out);
57794 /* write logo clut */
57795 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
57796 + fprintf(out, "static unsigned char %s_clut[] = {\n",
57799 for (i = 0; i < logo_clutsize; i++) {
57800 diff -urNp linux-2.6.37/security/apparmor/lsm.c linux-2.6.37/security/apparmor/lsm.c
57801 --- linux-2.6.37/security/apparmor/lsm.c 2011-01-04 19:50:19.000000000 -0500
57802 +++ linux-2.6.37/security/apparmor/lsm.c 2011-01-17 02:41:02.000000000 -0500
57803 @@ -619,7 +619,7 @@ static int apparmor_task_setrlimit(struc
57807 -static struct security_operations apparmor_ops = {
57808 +static struct security_operations apparmor_ops __read_only = {
57809 .name = "apparmor",
57811 .ptrace_access_check = apparmor_ptrace_access_check,
57812 diff -urNp linux-2.6.37/security/commoncap.c linux-2.6.37/security/commoncap.c
57813 --- linux-2.6.37/security/commoncap.c 2011-01-04 19:50:19.000000000 -0500
57814 +++ linux-2.6.37/security/commoncap.c 2011-01-17 02:41:02.000000000 -0500
57816 #include <linux/prctl.h>
57817 #include <linux/securebits.h>
57818 // #include <linux/vs_context.h>
57819 +#include <net/sock.h>
57822 * If a non-root user executes a setuid-root binary in
57823 @@ -50,9 +51,11 @@ static void warn_setuid_and_fcaps_mixed(
57827 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
57829 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
57831 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
57832 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
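Review bot: `gr_cap_rtnetlink()` is declared with a bare `extern` inside commoncap.c, so the compiler never checks this prototype against the definition. If the two drift apart, the capability set stored in `NETLINK_CB(skb).eff_cap` is computed through a mismatched call without any warning. Move the declaration into a header that both this file and the defining file include, and drop the local `extern`. Since the sender's capabilities no longer come from `current_cap()`, a one-line comment above the assignment would help, for example `/* capabilities for this netlink sender are supplied by gr_cap_rtnetlink() */`.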
57836 @@ -534,6 +537,9 @@ int cap_bprm_secureexec(struct linux_bin
57838 const struct cred *cred = current_cred();
57840 + if (gr_acl_enable_at_secure())
57843 if (cred->uid != 0) {
57844 if (bprm->cap_effective)
57846 diff -urNp linux-2.6.37/security/integrity/ima/ima_api.c linux-2.6.37/security/integrity/ima/ima_api.c
57847 --- linux-2.6.37/security/integrity/ima/ima_api.c 2011-01-04 19:50:19.000000000 -0500
57848 +++ linux-2.6.37/security/integrity/ima/ima_api.c 2011-01-17 02:41:02.000000000 -0500
57849 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
57852 /* can overflow, only indicator */
57853 - atomic_long_inc(&ima_htable.violations);
57854 + atomic_long_inc_unchecked(&ima_htable.violations);
57856 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
57858 diff -urNp linux-2.6.37/security/integrity/ima/ima_fs.c linux-2.6.37/security/integrity/ima/ima_fs.c
57859 --- linux-2.6.37/security/integrity/ima/ima_fs.c 2011-01-04 19:50:19.000000000 -0500
57860 +++ linux-2.6.37/security/integrity/ima/ima_fs.c 2011-01-17 02:41:02.000000000 -0500
57861 @@ -28,12 +28,12 @@
57862 static int valid_policy = 1;
57863 #define TMPBUFLEN 12
57864 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
57865 - loff_t *ppos, atomic_long_t *val)
57866 + loff_t *ppos, atomic_long_unchecked_t *val)
57868 char tmpbuf[TMPBUFLEN];
57871 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
57872 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
57873 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
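Review bot: `tmpbuf` is `TMPBUFLEN` (12) bytes, but `"%li\n"` of a 64-bit `long` can need 21 characters plus the terminator, so `scnprintf()` silently truncates large or negative values and drops the trailing newline. This matters more now that the counters are `atomic_long_unchecked_t` and, per the "can overflow, only indicator" comment in ima_api.c, are expected to wrap. Raising the constant, e.g. `#define TMPBUFLEN 22`, keeps the value read by userspace intact.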
57876 diff -urNp linux-2.6.37/security/integrity/ima/ima.h linux-2.6.37/security/integrity/ima/ima.h
57877 --- linux-2.6.37/security/integrity/ima/ima.h 2011-01-04 19:50:19.000000000 -0500
57878 +++ linux-2.6.37/security/integrity/ima/ima.h 2011-01-17 02:41:02.000000000 -0500
57879 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
57880 extern spinlock_t ima_queue_lock;
57882 struct ima_h_table {
57883 - atomic_long_t len; /* number of stored measurements in the list */
57884 - atomic_long_t violations;
57885 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
57886 + atomic_long_unchecked_t violations;
57887 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
57889 extern struct ima_h_table ima_htable;
57890 diff -urNp linux-2.6.37/security/integrity/ima/ima_queue.c linux-2.6.37/security/integrity/ima/ima_queue.c
57891 --- linux-2.6.37/security/integrity/ima/ima_queue.c 2011-01-04 19:50:19.000000000 -0500
57892 +++ linux-2.6.37/security/integrity/ima/ima_queue.c 2011-01-17 02:41:02.000000000 -0500
57893 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
57894 INIT_LIST_HEAD(&qe->later);
57895 list_add_tail_rcu(&qe->later, &ima_measurements);
57897 - atomic_long_inc(&ima_htable.len);
57898 + atomic_long_inc_unchecked(&ima_htable.len);
57899 key = ima_hash_key(entry->digest);
57900 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
57902 diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig
57903 --- linux-2.6.37/security/Kconfig 2011-01-04 19:50:19.000000000 -0500
57904 +++ linux-2.6.37/security/Kconfig 2011-01-17 02:41:02.000000000 -0500
57907 menu "Security options"
57909 +source grsecurity/Kconfig
57913 + config ARCH_TRACK_EXEC_LIMIT
57916 + config PAX_PER_CPU_PGD
57919 + config TASK_SIZE_MAX_SHIFT
57921 + depends on X86_64
57922 + default 47 if !PAX_PER_CPU_PGD
57923 + default 42 if PAX_PER_CPU_PGD
57925 + config PAX_ENABLE_PAE
57927 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
57930 + bool "Enable various PaX features"
57931 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
57933 + This allows you to enable various PaX features. PaX adds
57934 + intrusion prevention mechanisms to the kernel that reduce
57935 + the risks posed by exploitable memory corruption bugs.
57937 +menu "PaX Control"
57940 +config PAX_SOFTMODE
57941 + bool 'Support soft mode'
57942 + select PAX_PT_PAX_FLAGS
57944 + Enabling this option will allow you to run PaX in soft mode, that
57945 + is, PaX features will not be enforced by default, only on executables
57946 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
57947 + is the only way to mark executables for soft mode use.
57949 + Soft mode can be activated by using the "pax_softmode=1" kernel command
57950 + line option on boot. Furthermore you can control various PaX features
57951 + at runtime via the entries in /proc/sys/kernel/pax.
57954 + bool 'Use legacy ELF header marking'
57956 + Enabling this option will allow you to control PaX features on
57957 + a per executable basis via the 'chpax' utility available at
57958 + http://pax.grsecurity.net/. The control flags will be read from
57959 + an otherwise reserved part of the ELF header. This marking has
57960 + numerous drawbacks (no support for soft-mode, toolchain does not
57961 + know about the non-standard use of the ELF header) therefore it
57962 + has been deprecated in favour of PT_PAX_FLAGS support.
57964 + If you have applications not marked by the PT_PAX_FLAGS ELF
57965 + program header then you MUST enable this option otherwise they
57966 + will not get any protection.
57968 + Note that if you enable PT_PAX_FLAGS marking support as well,
57969 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
57971 +config PAX_PT_PAX_FLAGS
57972 + bool 'Use ELF program header marking'
57974 + Enabling this option will allow you to control PaX features on
57975 + a per executable basis via the 'paxctl' utility available at
57976 + http://pax.grsecurity.net/. The control flags will be read from
57977 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
57978 + has the benefits of supporting both soft mode and being fully
57979 + integrated into the toolchain (the binutils patch is available
57980 + from http://pax.grsecurity.net).
57982 + If you have applications not marked by the PT_PAX_FLAGS ELF
57983 + program header then you MUST enable the EI_PAX marking support
57984 + otherwise they will not get any protection.
57986 + Note that if you enable the legacy EI_PAX marking support as well,
57987 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
57990 + prompt 'MAC system integration'
57991 + default PAX_HAVE_ACL_FLAGS
57993 + Mandatory Access Control systems have the option of controlling
57994 + PaX flags on a per executable basis, choose the method supported
57995 + by your particular system.
57997 + - "none": if your MAC system does not interact with PaX,
57998 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
57999 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
58001 + NOTE: this option is for developers/integrators only.
58003 + config PAX_NO_ACL_FLAGS
58006 + config PAX_HAVE_ACL_FLAGS
58009 + config PAX_HOOK_ACL_FLAGS
58015 +menu "Non-executable pages"
58019 + bool "Enforce non-executable pages"
58020 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
58022 + By design some architectures do not allow for protecting memory
58023 + pages against execution or even if they do, Linux does not make
58024 + use of this feature. In practice this means that if a page is
58025 + readable (such as the stack or heap) it is also executable.
58027 + There is a well known exploit technique that makes use of this
58028 + fact and a common programming mistake where an attacker can
58029 + introduce code of his choice somewhere in the attacked program's
58030 + memory (typically the stack or the heap) and then execute it.
58032 + If the attacked program was running with different (typically
58033 + higher) privileges than that of the attacker, then he can elevate
58034 + his own privilege level (e.g. get a root shell, write to files for
58035 + which he does not have write access to, etc).
58037 + Enabling this option will let you choose from various features
58038 + that prevent the injection and execution of 'foreign' code in
58041 + This will also break programs that rely on the old behaviour and
58042 + expect that dynamically allocated memory via the malloc() family
58043 + of functions is executable (which it is not). Notable examples
58044 + are the XFree86 4.x server, the java runtime and wine.
58046 +config PAX_PAGEEXEC
58047 + bool "Paging based non-executable pages"
58048 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
58049 + select S390_SWITCH_AMODE if S390
58050 + select S390_EXEC_PROTECT if S390
58051 + select ARCH_TRACK_EXEC_LIMIT if X86_32
58053 + This implementation is based on the paging feature of the CPU.
58054 + On i386 without hardware non-executable bit support there is a
58055 + variable but usually low performance impact, however on Intel's
58056 + P4 core based CPUs it is very high so you should not enable this
58057 + for kernels meant to be used on such CPUs.
58059 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
58060 + with hardware non-executable bit support there is no performance
58061 + impact, on ppc the impact is negligible.
58063 + Note that several architectures require various emulations due to
58064 + badly designed userland ABIs, this will cause a performance impact
58065 + but will disappear as soon as userland is fixed. For example, ppc
58066 + userland MUST have been built with secure-plt by a recent toolchain.
58068 +config PAX_SEGMEXEC
58069 + bool "Segmentation based non-executable pages"
58070 + depends on PAX_NOEXEC && X86_32
58072 + This implementation is based on the segmentation feature of the
58073 + CPU and has a very small performance impact, however applications
58074 + will be limited to a 1.5 GB address space instead of the normal
58077 +config PAX_EMUTRAMP
58078 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
58079 + default y if PARISC
58081 + There are some programs and libraries that for one reason or
58082 + another attempt to execute special small code snippets from
58083 + non-executable memory pages. Most notable examples are the
58084 + signal handler return code generated by the kernel itself and
58085 + the GCC trampolines.
58087 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
58088 + such programs will no longer work under your kernel.
58090 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
58091 + utilities to enable trampoline emulation for the affected programs
58092 + yet still have the protection provided by the non-executable pages.
58094 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
58095 + your system will not even boot.
58097 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
58098 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
58099 + for the affected files.
58101 + NOTE: enabling this feature *may* open up a loophole in the
58102 + protection provided by non-executable pages that an attacker
58103 + could abuse. Therefore the best solution is to not have any
58104 + files on your system that would require this option. This can
58105 + be achieved by not using libc5 (which relies on the kernel
58106 + signal handler return code) and not using or rewriting programs
58107 + that make use of the nested function implementation of GCC.
58108 + Skilled users can just fix GCC itself so that it implements
58109 + nested function calls in a way that does not interfere with PaX.
58111 +config PAX_EMUSIGRT
58112 + bool "Automatically emulate sigreturn trampolines"
58113 + depends on PAX_EMUTRAMP && PARISC
58116 + Enabling this option will have the kernel automatically detect
58117 + and emulate signal return trampolines executing on the stack
58118 + that would otherwise lead to task termination.
58120 + This solution is intended as a temporary one for users with
58121 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
58122 + Modula-3 runtime, etc) or executables linked to such, basically
58123 + everything that does not specify its own SA_RESTORER function in
58124 + normal executable memory like glibc 2.1+ does.
58126 + On parisc you MUST enable this option, otherwise your system will
58129 + NOTE: this feature cannot be disabled on a per executable basis
58130 + and since it *does* open up a loophole in the protection provided
58131 + by non-executable pages, the best solution is to not have any
58132 + files on your system that would require this option.
58134 +config PAX_MPROTECT
58135 + bool "Restrict mprotect()"
58136 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
58138 + Enabling this option will prevent programs from
58139 + - changing the executable status of memory pages that were
58140 + not originally created as executable,
58141 + - making read-only executable pages writable again,
58142 + - creating executable pages from anonymous memory,
58143 + - making read-only-after-relocations (RELRO) data pages writable again.
58145 + You should say Y here to complete the protection provided by
58146 + the enforcement of non-executable pages.
58148 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
58149 + this feature on a per file basis.
58151 +config PAX_ELFRELOCS
58152 + bool "Allow ELF text relocations (read help)"
58153 + depends on PAX_MPROTECT
58156 + Non-executable pages and mprotect() restrictions are effective
58157 + in preventing the introduction of new executable code into an
58158 + attacked task's address space. There remain only two venues
58159 + for this kind of attack: if the attacker can execute already
58160 + existing code in the attacked task then he can either have it
58161 + create and mmap() a file containing his code or have it mmap()
58162 + an already existing ELF library that does not have position
58163 + independent code in it and use mprotect() on it to make it
58164 + writable and copy his code there. While protecting against
58165 + the former approach is beyond PaX, the latter can be prevented
58166 + by having only PIC ELF libraries on one's system (which do not
58167 + need to relocate their code). If you are sure this is your case,
58168 + as is the case with all modern Linux distributions, then leave
58169 + this option disabled. You should say 'n' here.
58171 +config PAX_ETEXECRELOCS
58172 + bool "Allow ELF ET_EXEC text relocations"
58173 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
58174 + select PAX_ELFRELOCS
58177 + On some architectures there are incorrectly created applications
58178 + that require text relocations and would not work without enabling
58179 + this option. If you are an alpha, ia64 or parisc user, you should
58180 + enable this option and disable it once you have made sure that
58181 + none of your applications need it.
58184 + bool "Automatically emulate ELF PLT"
58185 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
58188 + Enabling this option will have the kernel automatically detect
58189 + and emulate the Procedure Linkage Table entries in ELF files.
58190 + On some architectures such entries are in writable memory, and
58191 + become non-executable leading to task termination. Therefore
58192 + it is mandatory that you enable this option on alpha, parisc,
58193 + sparc and sparc64, otherwise your system would not even boot.
58195 + NOTE: this feature *does* open up a loophole in the protection
58196 + provided by the non-executable pages, therefore the proper
58197 + solution is to modify the toolchain to produce a PLT that does
58198 + not need to be writable.
58200 +config PAX_DLRESOLVE
58201 + bool 'Emulate old glibc resolver stub'
58202 + depends on PAX_EMUPLT && SPARC
58205 + This option is needed if userland has an old glibc (before 2.4)
58206 + that puts a 'save' instruction into the runtime generated resolver
58207 + stub that needs special emulation.
58209 +config PAX_KERNEXEC
58210 + bool "Enforce non-executable kernel pages"
58211 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
58212 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
58214 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
58215 + that is, enabling this option will make it harder to inject
58216 + and execute 'foreign' code in kernel memory itself.
58218 +config PAX_KERNEXEC_MODULE_TEXT
58219 + int "Minimum amount of memory reserved for module code"
58221 + depends on PAX_KERNEXEC && X86_32 && MODULES
58223 + Due to implementation details the kernel must reserve a fixed
58224 + amount of memory for module code at compile time that cannot be
58225 + changed at runtime. Here you can specify the minimum amount
58226 + in MB that will be reserved. Due to the same implementation
58227 + details this size will always be rounded up to the next 2/4 MB
58228 + boundary (depends on PAE) so the actually available memory for
58229 + module code will usually be more than this minimum.
58231 + The default 4 MB should be enough for most users but if you have
58232 + an excessive number of modules (e.g., most distribution configs
58233 + compile many drivers as modules) or use huge modules such as
58234 + nvidia's kernel driver, you will need to adjust this amount.
58235 + A good rule of thumb is to look at your currently loaded kernel
58236 + modules and add up their sizes.
58240 +menu "Address Space Layout Randomization"
58244 + bool "Address Space Layout Randomization"
58245 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
58247 + Many if not most exploit techniques rely on the knowledge of
58248 + certain addresses in the attacked program. The following options
58249 + will allow the kernel to apply a certain amount of randomization
58250 + to specific parts of the program thereby forcing an attacker to
58251 + guess them in most cases. Any failed guess will most likely crash
58252 + the attacked program which allows the kernel to detect such attempts
58253 + and react on them. PaX itself provides no reaction mechanisms,
58254 + instead it is strongly encouraged that you make use of Nergal's
58255 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
58256 + (http://www.grsecurity.net/) built-in crash detection features or
58257 + develop one yourself.
58259 + By saying Y here you can choose to randomize the following areas:
58260 + - top of the task's kernel stack
58261 + - top of the task's userland stack
58262 + - base address for mmap() requests that do not specify one
58263 + (this includes all libraries)
58264 + - base address of the main executable
58266 + It is strongly recommended to say Y here as address space layout
58267 + randomization has negligible impact on performance yet it provides
58268 + a very effective protection.
58270 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
58271 + this feature on a per file basis.
58273 +config PAX_RANDKSTACK
58274 + bool "Randomize kernel stack base"
58275 + depends on PAX_ASLR && X86_TSC && X86_32
58277 + By saying Y here the kernel will randomize every task's kernel
58278 + stack on every system call. This will not only force an attacker
58279 + to guess it but also prevent him from making use of possible
58280 + leaked information about it.
58282 + Since the kernel stack is a rather scarce resource, randomization
58283 + may cause unexpected stack overflows, therefore you should very
58284 + carefully test your system. Note that once enabled in the kernel
58285 + configuration, this feature cannot be disabled on a per file basis.
58287 +config PAX_RANDUSTACK
58288 + bool "Randomize user stack base"
58289 + depends on PAX_ASLR
58291 + By saying Y here the kernel will randomize every task's userland
58292 + stack. The randomization is done in two steps where the second
58293 + one may apply a big amount of shift to the top of the stack and
58294 + cause problems for programs that want to use lots of memory (more
58295 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
58296 + For this reason the second step can be controlled by 'chpax' or
58297 + 'paxctl' on a per file basis.
58299 +config PAX_RANDMMAP
58300 + bool "Randomize mmap() base"
58301 + depends on PAX_ASLR
58303 + By saying Y here the kernel will use a randomized base address for
58304 + mmap() requests that do not specify one themselves. As a result
58305 + all dynamically loaded libraries will appear at random addresses
58306 + and therefore be harder to exploit by a technique where an attacker
58307 + attempts to execute library code for his purposes (e.g. spawn a
58308 + shell from an exploited program that is running at an elevated
58309 + privilege level).
58311 + Furthermore, if a program is relinked as a dynamic ELF file, its
58312 + base address will be randomized as well, completing the full
58313 + randomization of the address space layout. Attacking such programs
58314 + becomes a guess game. You can find an example of doing this at
58315 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
58316 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
58318 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
58319 + feature on a per file basis.
58323 +menu "Miscellaneous hardening features"
58325 +config PAX_MEMORY_SANITIZE
58326 + bool "Sanitize all freed memory"
58328 + By saying Y here the kernel will erase memory pages as soon as they
58329 + are freed. This in turn reduces the lifetime of data stored in the
58330 + pages, making it less likely that sensitive information such as
58331 + passwords, cryptographic secrets, etc stay in memory for too long.
58333 + This is especially useful for programs whose runtime is short, long
58334 + lived processes and the kernel itself benefit from this as long as
58335 + they operate on whole memory pages and ensure timely freeing of pages
58336 + that may hold sensitive information.
58338 + The tradeoff is performance impact, on a single CPU system kernel
58339 + compilation sees a 3% slowdown, other systems and workloads may vary
58340 + and you are advised to test this feature on your expected workload
58341 + before deploying it.
58343 + Note that this feature does not protect data stored in live pages,
58344 + e.g., process memory swapped to disk may stay there for a long time.
58346 +config PAX_MEMORY_UDEREF
58347 + bool "Prevent invalid userland pointer dereference"
58348 + depends on X86 && !UML_X86 && !XEN
58349 + select PAX_PER_CPU_PGD if X86_64
58351 + By saying Y here the kernel will be prevented from dereferencing
58352 + userland pointers in contexts where the kernel expects only kernel
58353 + pointers. This is both a useful runtime debugging feature and a
58354 + security measure that prevents exploiting a class of kernel bugs.
58356 + The tradeoff is that some virtualization solutions may experience
58357 + a huge slowdown and therefore you should not enable this feature
58358 + for kernels meant to run in such environments. Whether a given VM
58359 + solution is affected or not is best determined by simply trying it
58360 + out, the performance impact will be obvious right on boot as this
58361 + mechanism engages from very early on. A good rule of thumb is that
58362 + VMs running on CPUs without hardware virtualization support (i.e.,
58363 + the majority of IA-32 CPUs) will likely experience the slowdown.
58365 +config PAX_REFCOUNT
58366 + bool "Prevent various kernel object reference counter overflows"
58367 + depends on GRKERNSEC && (X86 || SPARC64)
58369 + By saying Y here the kernel will detect and prevent overflowing
58370 + various (but not all) kinds of object reference counters. Such
58371 + overflows can normally occur due to bugs only and are often, if
58372 + not always, exploitable.
58374 + The tradeoff is that data structures protected by an overflowed
58375 + refcount will never be freed and therefore will leak memory. Note
58376 + that this leak also happens even without this protection but in
58377 + that case the overflow can eventually trigger the freeing of the
58378 + data structure while it is still being used elsewhere, resulting
58379 + in the exploitable situation that this feature prevents.
58381 + Since this has a negligible performance impact, you should enable
58384 +config PAX_USERCOPY
58385 + bool "Bounds check heap object copies between kernel and userland"
58386 + depends on X86 || PPC || SPARC
58387 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
58389 + By saying Y here the kernel will enforce the size of heap objects
58390 + when they are copied in either direction between the kernel and
58391 + userland, even if only a part of the heap object is copied.
58393 + Specifically, this checking prevents information leaking from the
58394 + kernel heap during kernel to userland copies (if the kernel heap
58395 + object is otherwise fully initialized) and prevents kernel heap
58396 + overflows during userland to kernel copies.
58398 + Note that the current implementation provides the strictest checks
58399 + for the SLUB allocator.
58401 + If frame pointers are enabled on x86, this option will also restrict
58402 + copies into and out of the kernel stack to local variables within a
58405 + Since this has a negligible performance impact, you should enable
58413 bool "Enable access key retention support"
58415 @@ -136,7 +639,7 @@ config INTEL_TXT
58416 config LSM_MMAP_MIN_ADDR
58417 int "Low address space for LSM to protect from user allocation"
58418 depends on SECURITY && SECURITY_SELINUX
58422 This is the portion of low virtual memory which should be protected
58423 from userspace allocation. Keeping a user from writing to low pages
58424 diff -urNp linux-2.6.37/security/min_addr.c linux-2.6.37/security/min_addr.c
58425 --- linux-2.6.37/security/min_addr.c 2011-01-04 19:50:19.000000000 -0500
58426 +++ linux-2.6.37/security/min_addr.c 2011-01-17 02:41:02.000000000 -0500
58427 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
58429 static void update_mmap_min_addr(void)
58432 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
58433 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
58434 mmap_min_addr = dac_mmap_min_addr;
58435 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
58437 mmap_min_addr = dac_mmap_min_addr;
58443 diff -urNp linux-2.6.37/security/security.c linux-2.6.37/security/security.c
58444 --- linux-2.6.37/security/security.c 2011-01-04 19:50:19.000000000 -0500
58445 +++ linux-2.6.37/security/security.c 2011-01-17 02:41:02.000000000 -0500
58446 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
58447 /* things that live in capability.c */
58448 extern void __init security_fixup_ops(struct security_operations *ops);
58450 -static struct security_operations *security_ops;
58451 -static struct security_operations default_security_ops = {
58452 +static struct security_operations *security_ops __read_only;
58453 +static struct security_operations default_security_ops __read_only = {
58457 @@ -67,7 +67,9 @@ int __init security_init(void)
58459 void reset_security_ops(void)
58461 + pax_open_kernel();
58462 security_ops = &default_security_ops;
58463 + pax_close_kernel();
58466 /* Save user chosen LSM */
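Review bot: The pax_open_kernel()/pax_close_kernel() pair added to reset_security_ops() has no comment saying why a plain pointer assignment needs it. The reason is in the previous hunk, which marks security_ops `__read_only`, and a maintainer who later adds another writer will not see that from this function. I would add `/* security_ops is __read_only: writes must sit inside pax_open_kernel()/pax_close_kernel() */` above the pair. Any other assignment to security_ops outside these hunks needs the same bracket unless it runs before read-only data is sealed, which cannot be confirmed from the visible lines.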
58467 diff -urNp linux-2.6.37/security/selinux/hooks.c linux-2.6.37/security/selinux/hooks.c
58468 --- linux-2.6.37/security/selinux/hooks.c 2011-01-04 19:50:19.000000000 -0500
58469 +++ linux-2.6.37/security/selinux/hooks.c 2011-01-17 02:41:02.000000000 -0500
58471 #define NUM_SEL_MNT_OPTS 5
58473 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
58474 -extern struct security_operations *security_ops;
58476 /* SECMARK reference count */
58477 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
58478 @@ -5388,7 +5387,7 @@ static int selinux_key_getsecurity(struc
58482 -static struct security_operations selinux_ops = {
58483 +static struct security_operations selinux_ops __read_only = {
58486 .ptrace_access_check = selinux_ptrace_access_check,
58487 diff -urNp linux-2.6.37/security/smack/smack_lsm.c linux-2.6.37/security/smack/smack_lsm.c
58488 --- linux-2.6.37/security/smack/smack_lsm.c 2011-01-04 19:50:19.000000000 -0500
58489 +++ linux-2.6.37/security/smack/smack_lsm.c 2011-01-17 02:41:02.000000000 -0500
58490 @@ -3052,7 +3052,7 @@ static int smack_inode_getsecctx(struct
58494 -struct security_operations smack_ops = {
58495 +struct security_operations smack_ops __read_only = {
58498 .ptrace_access_check = smack_ptrace_access_check,
58499 diff -urNp linux-2.6.37/security/tomoyo/tomoyo.c linux-2.6.37/security/tomoyo/tomoyo.c
58500 --- linux-2.6.37/security/tomoyo/tomoyo.c 2011-01-04 19:50:19.000000000 -0500
58501 +++ linux-2.6.37/security/tomoyo/tomoyo.c 2011-01-17 02:41:02.000000000 -0500
58502 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
58503 * tomoyo_security_ops is a "struct security_operations" which is used for
58504 * registering TOMOYO.
58506 -static struct security_operations tomoyo_security_ops = {
58507 +static struct security_operations tomoyo_security_ops __read_only = {
58509 .cred_alloc_blank = tomoyo_cred_alloc_blank,
58510 .cred_prepare = tomoyo_cred_prepare,
58511 diff -urNp linux-2.6.37/sound/aoa/codecs/onyx.c linux-2.6.37/sound/aoa/codecs/onyx.c
58512 --- linux-2.6.37/sound/aoa/codecs/onyx.c 2011-01-04 19:50:19.000000000 -0500
58513 +++ linux-2.6.37/sound/aoa/codecs/onyx.c 2011-01-24 18:04:18.000000000 -0500
58514 @@ -54,7 +54,7 @@ struct onyx {
58519 + local_t open_count;
58520 struct codec_info *codec_info;
58522 /* mutex serializes concurrent access to the device
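Review bot: The retyped `local_t open_count` field carries no comment on what still protects it. local_t operations are atomic only with respect to the CPU they run on, so the onyx->mutex taken in onyx_open() and onyx_close() (the two hunks below) remains what serialises the counter across CPUs. I would add `/* modified only under onyx->mutex; local_t is not SMP-atomic */` on the field so a later change does not drop the lock on the assumption that the type is enough. struct onyx continues outside the hunk.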
58523 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
58524 struct onyx *onyx = cii->codec_data;
58526 mutex_lock(&onyx->mutex);
58527 - onyx->open_count++;
58528 + local_inc(&onyx->open_count);
58529 mutex_unlock(&onyx->mutex);
58532 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
58533 struct onyx *onyx = cii->codec_data;
58535 mutex_lock(&onyx->mutex);
58536 - onyx->open_count--;
58537 - if (!onyx->open_count)
58538 + if (local_dec_and_test(&onyx->open_count))
58539 onyx->spdif_locked = onyx->analog_locked = 0;
58540 mutex_unlock(&onyx->mutex);
58542 diff -urNp linux-2.6.37/sound/aoa/codecs/onyx.h linux-2.6.37/sound/aoa/codecs/onyx.h
58543 --- linux-2.6.37/sound/aoa/codecs/onyx.h 2011-01-04 19:50:19.000000000 -0500
58544 +++ linux-2.6.37/sound/aoa/codecs/onyx.h 2011-01-25 20:24:56.000000000 -0500
58546 #include <linux/i2c.h>
58547 #include <asm/pmac_low_i2c.h>
58548 #include <asm/prom.h>
58549 +#include <asm/local.h>
58551 /* PCM3052 register definitions */
58553 diff -urNp linux-2.6.37/sound/core/oss/pcm_oss.c linux-2.6.37/sound/core/oss/pcm_oss.c
58554 --- linux-2.6.37/sound/core/oss/pcm_oss.c 2011-01-04 19:50:19.000000000 -0500
58555 +++ linux-2.6.37/sound/core/oss/pcm_oss.c 2011-01-17 02:41:02.000000000 -0500
58556 @@ -2969,8 +2969,8 @@ static void snd_pcm_oss_proc_done(struct
58559 #else /* !CONFIG_SND_VERBOSE_PROCFS */
58560 -#define snd_pcm_oss_proc_init(pcm)
58561 -#define snd_pcm_oss_proc_done(pcm)
58562 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
58563 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
58564 #endif /* CONFIG_SND_VERBOSE_PROCFS */
58567 diff -urNp linux-2.6.37/sound/core/seq/seq_lock.h linux-2.6.37/sound/core/seq/seq_lock.h
58568 --- linux-2.6.37/sound/core/seq/seq_lock.h 2011-01-04 19:50:19.000000000 -0500
58569 +++ linux-2.6.37/sound/core/seq/seq_lock.h 2011-01-17 02:41:02.000000000 -0500
58570 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
58571 #else /* SMP || CONFIG_SND_DEBUG */
58573 typedef spinlock_t snd_use_lock_t; /* dummy */
58574 -#define snd_use_lock_init(lockp) /**/
58575 -#define snd_use_lock_use(lockp) /**/
58576 -#define snd_use_lock_free(lockp) /**/
58577 -#define snd_use_lock_sync(lockp) /**/
58578 +#define snd_use_lock_init(lockp) do {} while (0)
58579 +#define snd_use_lock_use(lockp) do {} while (0)
58580 +#define snd_use_lock_free(lockp) do {} while (0)
58581 +#define snd_use_lock_sync(lockp) do {} while (0)
58583 #endif /* SMP || CONFIG_SND_DEBUG */
58585 diff -urNp linux-2.6.37/sound/drivers/mts64.c linux-2.6.37/sound/drivers/mts64.c
58586 --- linux-2.6.37/sound/drivers/mts64.c 2011-01-04 19:50:19.000000000 -0500
58587 +++ linux-2.6.37/sound/drivers/mts64.c 2011-01-25 22:35:55.000000000 -0500
58589 #include <sound/initval.h>
58590 #include <sound/rawmidi.h>
58591 #include <sound/control.h>
58592 +#include <asm/local.h>
58594 #define CARD_NAME "Miditerminal 4140"
58595 #define DRIVER_NAME "MTS64"
58596 @@ -66,7 +67,7 @@ struct mts64 {
58597 struct pardevice *pardev;
58598 int pardev_claimed;
58601 + local_t open_count;
58602 int current_midi_output_port;
58603 int current_midi_input_port;
58604 u8 mode[MTS64_NUM_INPUT_PORTS];
58605 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
58607 struct mts64 *mts = substream->rmidi->private_data;
58609 - if (mts->open_count == 0) {
58610 + if (local_read(&mts->open_count) == 0) {
58611 /* We don't need a spinlock here, because this is just called
58612 if the device has not been opened before.
58613 So there aren't any IRQs from the device */
58614 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
58618 - ++(mts->open_count);
58619 + local_inc(&mts->open_count);
58623 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
58624 struct mts64 *mts = substream->rmidi->private_data;
58625 unsigned long flags;
58627 - --(mts->open_count);
58628 - if (mts->open_count == 0) {
58629 + if (local_dec_return(&mts->open_count) == 0) {
58630 /* We need the spinlock_irqsave here because we can still
58631 have IRQs at this point */
58632 spin_lock_irqsave(&mts->lock, flags);
58633 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
58637 - } else if (mts->open_count < 0)
58638 - mts->open_count = 0;
58639 + } else if (local_read(&mts->open_count) < 0)
58640 + local_set(&mts->open_count, 0);
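Review bot: In snd_mts64_rawmidi_close() the counter is decremented with local_dec_return() in the previous hunk and then read again with local_read() here before local_set() clamps it, so the test and the reset can act on a value that changed in between. Keeping the result of the decrement, `long cnt = local_dec_return(&mts->open_count);`, and testing `cnt == 0` and `cnt < 0` makes both branches act on the same value. Neither the decrement nor the `local_read(&mts->open_count) == 0` test in snd_mts64_rawmidi_open() runs under mts->lock in the visible lines, and local_t is atomic only on the local CPU. The code therefore relies on the caller serialising open and close, which is not visible here and deserves a comment. The function body starts and ends outside these hunks.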
58644 diff -urNp linux-2.6.37/sound/drivers/portman2x4.c linux-2.6.37/sound/drivers/portman2x4.c
58645 --- linux-2.6.37/sound/drivers/portman2x4.c 2011-01-04 19:50:19.000000000 -0500
58646 +++ linux-2.6.37/sound/drivers/portman2x4.c 2011-01-25 20:24:56.000000000 -0500
58648 #include <sound/initval.h>
58649 #include <sound/rawmidi.h>
58650 #include <sound/control.h>
58651 +#include <asm/local.h>
58653 #define CARD_NAME "Portman 2x4"
58654 #define DRIVER_NAME "portman"
58655 @@ -84,7 +85,7 @@ struct portman {
58656 struct pardevice *pardev;
58657 int pardev_claimed;
58660 + local_t open_count;
58661 int mode[PORTMAN_NUM_INPUT_PORTS];
58662 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
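Review bot: The `open_count` field of struct portman is retyped to `local_t`, but no hunk in this file section converts a user of it, unlike the onyx.c and mts64.c sections. If nothing in the driver reads or writes the field, removing it would be simpler than retyping it and adding the `<asm/local.h>` include. If something does use it, that code still applies plain integer operations and will no longer compile. Which of the two applies cannot be told from the visible lines.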
58664 diff -urNp linux-2.6.37/sound/oss/sb_audio.c linux-2.6.37/sound/oss/sb_audio.c
58665 --- linux-2.6.37/sound/oss/sb_audio.c 2011-01-04 19:50:19.000000000 -0500
58666 +++ linux-2.6.37/sound/oss/sb_audio.c 2011-01-17 02:41:02.000000000 -0500
58667 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
58668 buf16 = (signed short *)(localbuf + localoffs);
58671 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
58672 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
58673 if (copy_from_user(lbuf8,
58674 userbuf+useroffs + p,
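Review bot: The `(unsigned)c` cast fixes only the comparison: a negative `c` now selects LBUFCOPYSIZE instead of reaching copy_from_user() as the length, but nothing in the hunk rejects the negative count itself, so the loop still proceeds on a bogus remaining length. If `c` can be negative here (its declaration and the loop condition are outside the hunk), an early exit for `c <= 0` before the loop would state the intent more directly than the cast. At minimum the line needs a comment such as `/* unsigned compare: a negative c must not bypass the LBUFCOPYSIZE clamp */`, because the cast otherwise looks like a warning fix. The copy_from_user() call and the rest of sb16_copy_from_user() continue outside the hunk.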
58676 diff -urNp linux-2.6.37/sound/oss/swarm_cs4297a.c linux-2.6.37/sound/oss/swarm_cs4297a.c
58677 --- linux-2.6.37/sound/oss/swarm_cs4297a.c 2011-01-04 19:50:19.000000000 -0500
58678 +++ linux-2.6.37/sound/oss/swarm_cs4297a.c 2011-01-17 02:41:02.000000000 -0500
58679 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
58681 struct cs4297a_state *s;
58685 #ifndef CONFIG_BCM_CS4297A_CSWARM
58687 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
58689 char *sb1250_duart_present;
58696 val = SOUND_MASK_LINE;
58697 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
58698 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
58699 val = initvol[i].vol;
58700 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
58703 // cs4297a_write_ac97(s, 0x18, 0x0808);
58705 // cs4297a_write_ac97(s, 0x5e, 0x180);
58706 cs4297a_write_ac97(s, 0x02, 0x0808);
58707 cs4297a_write_ac97(s, 0x18, 0x0808);
58711 list_add(&s->list, &cs4297a_devs);
58713 diff -urNp linux-2.6.37/sound/pci/ac97/ac97_codec.c linux-2.6.37/sound/pci/ac97/ac97_codec.c
58714 --- linux-2.6.37/sound/pci/ac97/ac97_codec.c 2011-01-04 19:50:19.000000000 -0500
58715 +++ linux-2.6.37/sound/pci/ac97/ac97_codec.c 2011-01-17 02:41:02.000000000 -0500
58716 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
58719 /* build_ops to do nothing */
58720 -static struct snd_ac97_build_ops null_build_ops;
58721 +static const struct snd_ac97_build_ops null_build_ops;
58723 #ifdef CONFIG_SND_AC97_POWER_SAVE
58724 static void do_update_power(struct work_struct *work)
58725 diff -urNp linux-2.6.37/sound/pci/ac97/ac97_patch.c linux-2.6.37/sound/pci/ac97/ac97_patch.c
58726 --- linux-2.6.37/sound/pci/ac97/ac97_patch.c 2011-01-04 19:50:19.000000000 -0500
58727 +++ linux-2.6.37/sound/pci/ac97/ac97_patch.c 2011-01-17 02:41:02.000000000 -0500
58728 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
58732 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
58733 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
58734 .build_spdif = patch_yamaha_ymf743_build_spdif,
58735 .build_3d = patch_yamaha_ymf7x3_3d,
58737 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
58741 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
58742 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
58743 .build_3d = patch_yamaha_ymf7x3_3d,
58744 .build_post_spdif = patch_yamaha_ymf753_post_spdif
58746 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
58750 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
58751 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
58752 .build_specific = patch_wolfson_wm9703_specific,
58755 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
58759 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
58760 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
58761 .build_specific = patch_wolfson_wm9704_specific,
58764 @@ -677,7 +677,7 @@ static int patch_wolfson_wm9711_specific
58768 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
58769 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
58770 .build_specific = patch_wolfson_wm9711_specific,
58773 @@ -871,7 +871,7 @@ static void patch_wolfson_wm9713_resume
58777 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
58778 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
58779 .build_specific = patch_wolfson_wm9713_specific,
58780 .build_3d = patch_wolfson_wm9713_3d,
58782 @@ -976,7 +976,7 @@ static int patch_sigmatel_stac97xx_speci
58786 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
58787 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
58788 .build_3d = patch_sigmatel_stac9700_3d,
58789 .build_specific = patch_sigmatel_stac97xx_specific
58791 @@ -1023,7 +1023,7 @@ static int patch_sigmatel_stac9708_speci
58792 return patch_sigmatel_stac97xx_specific(ac97);
58795 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
58796 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
58797 .build_3d = patch_sigmatel_stac9708_3d,
58798 .build_specific = patch_sigmatel_stac9708_specific
58800 @@ -1252,7 +1252,7 @@ static int patch_sigmatel_stac9758_speci
58804 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
58805 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
58806 .build_3d = patch_sigmatel_stac9700_3d,
58807 .build_specific = patch_sigmatel_stac9758_specific
58809 @@ -1327,7 +1327,7 @@ static int patch_cirrus_build_spdif(stru
58813 -static struct snd_ac97_build_ops patch_cirrus_ops = {
58814 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
58815 .build_spdif = patch_cirrus_build_spdif
58818 @@ -1384,7 +1384,7 @@ static int patch_conexant_build_spdif(st
58822 -static struct snd_ac97_build_ops patch_conexant_ops = {
58823 +static const struct snd_ac97_build_ops patch_conexant_ops = {
58824 .build_spdif = patch_conexant_build_spdif
58827 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
58828 { AC97_VIDEO, 0x9f1f },
58829 { AC97_AUX, 0x9f1f },
58830 { AC97_PCM, 0x9f1f },
58831 - { } /* terminator */
58832 + { 0, 0 } /* terminator */
58835 static int patch_ad1819(struct snd_ac97 * ac97)
58836 @@ -1560,7 +1560,7 @@ static void patch_ad1881_chained(struct
58840 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
58841 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
58843 .resume = ad18xx_resume
58845 @@ -1647,7 +1647,7 @@ static int patch_ad1885_specific(struct
58849 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
58850 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
58851 .build_specific = &patch_ad1885_specific,
58853 .resume = ad18xx_resume
58854 @@ -1674,7 +1674,7 @@ static int patch_ad1886_specific(struct
58858 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
58859 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
58860 .build_specific = &patch_ad1886_specific,
58862 .resume = ad18xx_resume
58863 @@ -1881,7 +1881,7 @@ static int patch_ad1981a_specific(struct
58864 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
58867 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
58868 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
58869 .build_post_spdif = patch_ad198x_post_spdif,
58870 .build_specific = patch_ad1981a_specific,
58872 @@ -1936,7 +1936,7 @@ static int patch_ad1981b_specific(struct
58873 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
58876 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
58877 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
58878 .build_post_spdif = patch_ad198x_post_spdif,
58879 .build_specific = patch_ad1981b_specific,
58881 @@ -2075,7 +2075,7 @@ static int patch_ad1888_specific(struct
58882 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
58885 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
58886 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
58887 .build_post_spdif = patch_ad198x_post_spdif,
58888 .build_specific = patch_ad1888_specific,
58890 @@ -2124,7 +2124,7 @@ static int patch_ad1980_specific(struct
58891 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
58894 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
58895 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
58896 .build_post_spdif = patch_ad198x_post_spdif,
58897 .build_specific = patch_ad1980_specific,
58899 @@ -2239,7 +2239,7 @@ static int patch_ad1985_specific(struct
58900 ARRAY_SIZE(snd_ac97_ad1985_controls));
58903 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
58904 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
58905 .build_post_spdif = patch_ad198x_post_spdif,
58906 .build_specific = patch_ad1985_specific,
58908 @@ -2531,7 +2531,7 @@ static int patch_ad1986_specific(struct
58909 ARRAY_SIZE(snd_ac97_ad1985_controls));
58912 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
58913 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
58914 .build_post_spdif = patch_ad198x_post_spdif,
58915 .build_specific = patch_ad1986_specific,
58917 @@ -2636,7 +2636,7 @@ static int patch_alc650_specific(struct
58921 -static struct snd_ac97_build_ops patch_alc650_ops = {
58922 +static const struct snd_ac97_build_ops patch_alc650_ops = {
58923 .build_specific = patch_alc650_specific,
58924 .update_jacks = alc650_update_jacks
58926 @@ -2788,7 +2788,7 @@ static int patch_alc655_specific(struct
58930 -static struct snd_ac97_build_ops patch_alc655_ops = {
58931 +static const struct snd_ac97_build_ops patch_alc655_ops = {
58932 .build_specific = patch_alc655_specific,
58933 .update_jacks = alc655_update_jacks
58935 @@ -2900,7 +2900,7 @@ static int patch_alc850_specific(struct
58939 -static struct snd_ac97_build_ops patch_alc850_ops = {
58940 +static const struct snd_ac97_build_ops patch_alc850_ops = {
58941 .build_specific = patch_alc850_specific,
58942 .update_jacks = alc850_update_jacks
58944 @@ -2962,7 +2962,7 @@ static int patch_cm9738_specific(struct
58945 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
58948 -static struct snd_ac97_build_ops patch_cm9738_ops = {
58949 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
58950 .build_specific = patch_cm9738_specific,
58951 .update_jacks = cm9738_update_jacks
58953 @@ -3053,7 +3053,7 @@ static int patch_cm9739_post_spdif(struc
58954 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
58957 -static struct snd_ac97_build_ops patch_cm9739_ops = {
58958 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
58959 .build_specific = patch_cm9739_specific,
58960 .build_post_spdif = patch_cm9739_post_spdif,
58961 .update_jacks = cm9739_update_jacks
58962 @@ -3227,7 +3227,7 @@ static int patch_cm9761_specific(struct
58963 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
58966 -static struct snd_ac97_build_ops patch_cm9761_ops = {
58967 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
58968 .build_specific = patch_cm9761_specific,
58969 .build_post_spdif = patch_cm9761_post_spdif,
58970 .update_jacks = cm9761_update_jacks
58971 @@ -3323,7 +3323,7 @@ static int patch_cm9780_specific(struct
58972 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
58975 -static struct snd_ac97_build_ops patch_cm9780_ops = {
58976 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
58977 .build_specific = patch_cm9780_specific,
58978 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
58980 @@ -3443,7 +3443,7 @@ static int patch_vt1616_specific(struct
58984 -static struct snd_ac97_build_ops patch_vt1616_ops = {
58985 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
58986 .build_specific = patch_vt1616_specific
58989 @@ -3797,7 +3797,7 @@ static int patch_it2646_specific(struct
58993 -static struct snd_ac97_build_ops patch_it2646_ops = {
58994 +static const struct snd_ac97_build_ops patch_it2646_ops = {
58995 .build_specific = patch_it2646_specific,
58996 .update_jacks = it2646_update_jacks
58998 @@ -3831,7 +3831,7 @@ static int patch_si3036_specific(struct
59002 -static struct snd_ac97_build_ops patch_si3036_ops = {
59003 +static const struct snd_ac97_build_ops patch_si3036_ops = {
59004 .build_specific = patch_si3036_specific,
59007 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
59008 { AC97_AUX, 0x1f1f },
59009 { AC97_PCM, 0x1f1f },
59010 { AC97_REC_GAIN, 0x0f0f },
59011 - { } /* terminator */
59012 + { 0, 0 } /* terminator */
59015 static int patch_lm4550(struct snd_ac97 *ac97)
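Review bot: The table this hunk touches is still declared `static struct snd_ac97_res_table lm4550_…` (name truncated in the hunk header), while the other resolution table in this file, at the `@@ -1486` hunk, is `static const` and every build_ops structure around it is being constified. Only the terminator is changed here, so the table stays in writable data. If the field it is assigned to already takes a `const struct snd_ac97_res_table *`, which the const table at `@@ -1486` suggests but the visible lines do not show, adding `const` to this declaration would be consistent with the rest of the section. The table definition starts outside the hunk.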
59016 @@ -3898,7 +3898,7 @@ static int patch_ucb1400_specific(struct
59020 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
59021 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
59022 .build_specific = patch_ucb1400_specific,
59025 diff -urNp linux-2.6.37/sound/pci/ens1370.c linux-2.6.37/sound/pci/ens1370.c
59026 --- linux-2.6.37/sound/pci/ens1370.c 2011-01-04 19:50:19.000000000 -0500
59027 +++ linux-2.6.37/sound/pci/ens1370.c 2011-01-17 02:41:02.000000000 -0500
59028 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
59029 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
59030 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
59033 + { 0, 0, 0, 0, 0, 0, 0 }
59036 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
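Review bot: The positional terminator `{ 0, 0, 0, 0, 0, 0, 0 }` ties the table to the current number of fields in the entry type; the same applies to the terminators added in intel8x0.c (`{ 0, 0, 0, 0, 0, 0, 0 }` and `{ 0, 0, 0, 0, NULL, 0 }`) and intel8x0m.c. If the aim is to silence a missing-field-initializer warning, which the commit does not state, the warning returns as soon as the struct gains a member. A designated form such as `{ .vendor = 0 }` expresses "all zero" without depending on field count or order. The table's opening lines are outside the hunk.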
59037 diff -urNp linux-2.6.37/sound/pci/hda/patch_hdmi.c linux-2.6.37/sound/pci/hda/patch_hdmi.c
59038 --- linux-2.6.37/sound/pci/hda/patch_hdmi.c 2011-01-04 19:50:19.000000000 -0500
59039 +++ linux-2.6.37/sound/pci/hda/patch_hdmi.c 2011-01-17 02:41:02.000000000 -0500
59040 @@ -726,10 +726,10 @@ static void hdmi_non_intrinsic_event(str
59055 diff -urNp linux-2.6.37/sound/pci/intel8x0.c linux-2.6.37/sound/pci/intel8x0.c
59056 --- linux-2.6.37/sound/pci/intel8x0.c 2011-01-04 19:50:19.000000000 -0500
59057 +++ linux-2.6.37/sound/pci/intel8x0.c 2011-01-17 02:41:02.000000000 -0500
59058 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
59059 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
59060 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
59061 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
59063 + { 0, 0, 0, 0, 0, 0, 0 }
59066 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
59067 @@ -2141,7 +2141,7 @@ static struct ac97_quirk ac97_quirks[] _
59068 .type = AC97_TUNE_HP_ONLY
59071 - { } /* terminator */
59072 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
59075 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
59076 diff -urNp linux-2.6.37/sound/pci/intel8x0m.c linux-2.6.37/sound/pci/intel8x0m.c
59077 --- linux-2.6.37/sound/pci/intel8x0m.c 2011-01-04 19:50:19.000000000 -0500
59078 +++ linux-2.6.37/sound/pci/intel8x0m.c 2011-01-17 02:41:02.000000000 -0500
59079 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
59080 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
59081 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
59084 + { 0, 0, 0, 0, 0, 0, 0 }
59087 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
59088 @@ -1264,7 +1264,7 @@ static struct shortname_table {
59089 { 0x5455, "ALi M5455" },
59090 { 0x746d, "AMD AMD8111" },
59096 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
59097 diff -urNp linux-2.6.37/usr/gen_init_cpio.c linux-2.6.37/usr/gen_init_cpio.c
59098 --- linux-2.6.37/usr/gen_init_cpio.c 2011-01-04 19:50:19.000000000 -0500
59099 +++ linux-2.6.37/usr/gen_init_cpio.c 2011-01-17 02:41:02.000000000 -0500
59100 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
59109 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
59110 *env_var = *expanded = '\0';
59111 strncat(env_var, start + 2, end - start - 2);
59112 strncat(expanded, new_location, start - new_location);
59113 - strncat(expanded, getenv(env_var), PATH_MAX);
59114 - strncat(expanded, end + 1, PATH_MAX);
59115 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
59116 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
59117 strncpy(new_location, expanded, PATH_MAX);
59118 + new_location[PATH_MAX] = 0;
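Review bot: `getenv(env_var)` is still passed straight to strncat(), so a `${VAR}` reference to an unset variable hands strncat() a NULL source, and the new length bound does not cover that. I would fetch the value first, `const char *val = getenv(env_var);`, and append only `if (val)`, or fail with a message naming the variable. The `PATH_MAX - strlen(expanded)` bound and the added `new_location[PATH_MAX] = 0;` are correct only if `expanded` and `new_location` are at least PATH_MAX + 1 bytes, because strncat() writes a terminating NUL after the appended characters. Those declarations are outside the hunk and should be checked. cpio_replace_env() begins and ends outside the hunk.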
59122 diff -urNp linux-2.6.37/virt/kvm/kvm_main.c linux-2.6.37/virt/kvm/kvm_main.c
59123 --- linux-2.6.37/virt/kvm/kvm_main.c 2011-01-04 19:50:19.000000000 -0500
59124 +++ linux-2.6.37/virt/kvm/kvm_main.c 2011-01-17 02:41:02.000000000 -0500
59125 @@ -1344,6 +1344,7 @@ static int kvm_vcpu_release(struct inode
59129 +/* cannot be const */
59130 static struct file_operations kvm_vcpu_fops = {
59131 .release = kvm_vcpu_release,
59132 .unlocked_ioctl = kvm_vcpu_ioctl,
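Review bot: The new `/* cannot be const */` comment above kvm_vcpu_fops, repeated above kvm_vm_fops and kvm_chardev_ops in the next two hunks, does not say why, which is the part a reader needs. Presumably a member such as `.owner` is assigned at run time in code outside these hunks; if so, the comment should name it, for example `/* cannot be const: .owner is assigned at runtime */`. These three structures hold function pointers and stay in writable memory while the rest of the patch moves similar tables to read-only data, so the reason for the exception should be recorded where it can be rechecked. Each structure definition continues outside its hunk.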
59133 @@ -1812,6 +1813,7 @@ static int kvm_vm_mmap(struct file *file
59137 +/* cannot be const */
59138 static struct file_operations kvm_vm_fops = {
59139 .release = kvm_vm_release,
59140 .unlocked_ioctl = kvm_vm_ioctl,
59141 @@ -1910,6 +1912,7 @@ out:
59145 +/* cannot be const */
59146 static struct file_operations kvm_chardev_ops = {
59147 .unlocked_ioctl = kvm_dev_ioctl,
59148 .compat_ioctl = kvm_dev_ioctl,
59149 @@ -1920,6 +1923,9 @@ static struct miscdevice kvm_dev = {
59158 static void hardware_enable(void *junk)
59159 @@ -2259,7 +2265,7 @@ static void kvm_sched_out(struct preempt
59160 kvm_arch_vcpu_put(vcpu);
59163 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59164 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59165 struct module *module)