- update grsec to 2.2.2-3.1.1-201111170037.patch
1 diff -urNp linux-3.1.1/arch/alpha/include/asm/elf.h linux-3.1.1/arch/alpha/include/asm/elf.h
2 --- linux-3.1.1/arch/alpha/include/asm/elf.h    2011-11-11 15:19:27.000000000 -0500
3 +++ linux-3.1.1/arch/alpha/include/asm/elf.h    2011-11-16 18:39:07.000000000 -0500
4 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
5  
6  #define ELF_ET_DYN_BASE                (TASK_UNMAPPED_BASE + 0x1000000)
7  
8 +#ifdef CONFIG_PAX_ASLR
9 +#define PAX_ELF_ET_DYN_BASE    (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
10 +
11 +#define PAX_DELTA_MMAP_LEN     (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
12 +#define PAX_DELTA_STACK_LEN    (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
13 +#endif
14 +
15  /* $0 is set by ld.so to a pointer to a function which might be 
16     registered using atexit.  This provides a mean for the dynamic
17     linker to call DT_FINI functions for shared libraries that have
18 diff -urNp linux-3.1.1/arch/alpha/include/asm/pgtable.h linux-3.1.1/arch/alpha/include/asm/pgtable.h
19 --- linux-3.1.1/arch/alpha/include/asm/pgtable.h        2011-11-11 15:19:27.000000000 -0500
20 +++ linux-3.1.1/arch/alpha/include/asm/pgtable.h        2011-11-16 18:39:07.000000000 -0500
21 @@ -101,6 +101,17 @@ struct vm_area_struct;
22  #define PAGE_SHARED    __pgprot(_PAGE_VALID | __ACCESS_BITS)
23  #define PAGE_COPY      __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24  #define PAGE_READONLY  __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
25 +
26 +#ifdef CONFIG_PAX_PAGEEXEC
27 +# define PAGE_SHARED_NOEXEC    __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28 +# define PAGE_COPY_NOEXEC      __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29 +# define PAGE_READONLY_NOEXEC  __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
30 +#else
31 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
32 +# define PAGE_COPY_NOEXEC      PAGE_COPY
33 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
34 +#endif
35 +
36  #define PAGE_KERNEL    __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
37  
38  #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39 diff -urNp linux-3.1.1/arch/alpha/kernel/module.c linux-3.1.1/arch/alpha/kernel/module.c
40 --- linux-3.1.1/arch/alpha/kernel/module.c      2011-11-11 15:19:27.000000000 -0500
41 +++ linux-3.1.1/arch/alpha/kernel/module.c      2011-11-16 18:39:07.000000000 -0500
42 @@ -160,7 +160,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs, 
43  
44         /* The small sections were sorted to the end of the segment.
45            The following should definitely cover them.  */
46 -       gp = (u64)me->module_core + me->core_size - 0x8000;
47 +       gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48         got = sechdrs[me->arch.gotsecindex].sh_addr;
49  
50         for (i = 0; i < n; i++) {
51 diff -urNp linux-3.1.1/arch/alpha/kernel/osf_sys.c linux-3.1.1/arch/alpha/kernel/osf_sys.c
52 --- linux-3.1.1/arch/alpha/kernel/osf_sys.c     2011-11-11 15:19:27.000000000 -0500
53 +++ linux-3.1.1/arch/alpha/kernel/osf_sys.c     2011-11-16 18:39:07.000000000 -0500
54 @@ -1147,7 +1147,7 @@ arch_get_unmapped_area_1(unsigned long a
55                 /* At this point:  (!vma || addr < vma->vm_end). */
56                 if (limit - len < addr)
57                         return -ENOMEM;
58 -               if (!vma || addr + len <= vma->vm_start)
59 +               if (check_heap_stack_gap(vma, addr, len))
60                         return addr;
61                 addr = vma->vm_end;
62                 vma = vma->vm_next;
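Review bot: The rewritten `if (check_heap_stack_gap(vma, addr, len))` line drops the explicit `!vma ||` guard the removed line had, yet the line after it still dereferences `vma->vm_end`; that is only safe if check_heap_stack_gap() returns true for a NULL vma, which its definition (not in this hunk) must guarantee. The same substitution on a possibly-NULL result of find_vma() appears in arch/arm/mm/mmap.c and arch/frv/mm/elf-fdpic.c further down in this patch. A one-line comment at this first call site would make the contract explicit: `/* check_heap_stack_gap(NULL, ...) must be true: the code below dereferences vma */`. arch_get_unmapped_area_1 starts and ends outside the hunk.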
63 @@ -1183,6 +1183,10 @@ arch_get_unmapped_area(struct file *filp
64            merely specific addresses, but regions of memory -- perhaps
65            this feature should be incorporated into all ports?  */
66  
67 +#ifdef CONFIG_PAX_RANDMMAP
68 +       if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
69 +#endif
70 +
71         if (addr) {
72                 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
73                 if (addr != (unsigned long) -ENOMEM)
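Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block leaves a brace-less `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the `if (addr) {` statement on the other side of an `#endif` and a blank line, so anyone inserting a statement between them silently changes what is conditional. The same construct is used in arch/arm/mm/mmap.c later in this patch. I would at least drop the blank line between `#endif` and `if (addr)` and add a comment: `/* with RANDMMAP the caller-supplied hint is ignored; fall through to the search below */`. arch_get_unmapped_area starts and ends outside the hunk.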
74 @@ -1190,8 +1194,8 @@ arch_get_unmapped_area(struct file *filp
75         }
76  
77         /* Next, try allocating at TASK_UNMAPPED_BASE.  */
78 -       addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
79 -                                        len, limit);
80 +       addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
81 +
82         if (addr != (unsigned long) -ENOMEM)
83                 return addr;
84  
85 diff -urNp linux-3.1.1/arch/alpha/mm/fault.c linux-3.1.1/arch/alpha/mm/fault.c
86 --- linux-3.1.1/arch/alpha/mm/fault.c   2011-11-11 15:19:27.000000000 -0500
87 +++ linux-3.1.1/arch/alpha/mm/fault.c   2011-11-16 18:39:07.000000000 -0500
88 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
89         __reload_thread(pcb);
90  }
91  
92 +#ifdef CONFIG_PAX_PAGEEXEC
93 +/*
94 + * PaX: decide what to do with offenders (regs->pc = fault address)
95 + *
96 + * returns 1 when task should be killed
97 + *         2 when patched PLT trampoline was detected
98 + *         3 when unpatched PLT trampoline was detected
99 + */
100 +static int pax_handle_fetch_fault(struct pt_regs *regs)
101 +{
102 +
103 +#ifdef CONFIG_PAX_EMUPLT
104 +       int err;
105 +
106 +       do { /* PaX: patched PLT emulation #1 */
107 +               unsigned int ldah, ldq, jmp;
108 +
109 +               err = get_user(ldah, (unsigned int *)regs->pc);
110 +               err |= get_user(ldq, (unsigned int *)(regs->pc+4));
111 +               err |= get_user(jmp, (unsigned int *)(regs->pc+8));
112 +
113 +               if (err)
114 +                       break;
115 +
116 +               if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
117 +                   (ldq & 0xFFFF0000U) == 0xA77B0000U &&
118 +                   jmp == 0x6BFB0000U)
119 +               {
120 +                       unsigned long r27, addr;
121 +                       unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
122 +                       unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
123 +
124 +                       addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
125 +                       err = get_user(r27, (unsigned long *)addr);
126 +                       if (err)
127 +                               break;
128 +
129 +                       regs->r27 = r27;
130 +                       regs->pc = r27;
131 +                       return 2;
132 +               }
133 +       } while (0);
134 +
135 +       do { /* PaX: patched PLT emulation #2 */
136 +               unsigned int ldah, lda, br;
137 +
138 +               err = get_user(ldah, (unsigned int *)regs->pc);
139 +               err |= get_user(lda, (unsigned int *)(regs->pc+4));
140 +               err |= get_user(br, (unsigned int *)(regs->pc+8));
141 +
142 +               if (err)
143 +                       break;
144 +
145 +               if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
146 +                   (lda & 0xFFFF0000U) == 0xA77B0000U &&
147 +                   (br & 0xFFE00000U) == 0xC3E00000U)
148 +               {
149 +                       unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
150 +                       unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
151 +                       unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
152 +
153 +                       regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
154 +                       regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
155 +                       return 2;
156 +               }
157 +       } while (0);
158 +
159 +       do { /* PaX: unpatched PLT emulation */
160 +               unsigned int br;
161 +
162 +               err = get_user(br, (unsigned int *)regs->pc);
163 +
164 +               if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
165 +                       unsigned int br2, ldq, nop, jmp;
166 +                       unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
167 +
168 +                       addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
169 +                       err = get_user(br2, (unsigned int *)addr);
170 +                       err |= get_user(ldq, (unsigned int *)(addr+4));
171 +                       err |= get_user(nop, (unsigned int *)(addr+8));
172 +                       err |= get_user(jmp, (unsigned int *)(addr+12));
173 +                       err |= get_user(resolver, (unsigned long *)(addr+16));
174 +
175 +                       if (err)
176 +                               break;
177 +
178 +                       if (br2 == 0xC3600000U &&
179 +                           ldq == 0xA77B000CU &&
180 +                           nop == 0x47FF041FU &&
181 +                           jmp == 0x6B7B0000U)
182 +                       {
183 +                               regs->r28 = regs->pc+4;
184 +                               regs->r27 = addr+16;
185 +                               regs->pc = resolver;
186 +                               return 3;
187 +                       }
188 +               }
189 +       } while (0);
190 +#endif
191 +
192 +       return 1;
193 +}
194 +
195 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
196 +{
197 +       unsigned long i;
198 +
199 +       printk(KERN_ERR "PAX: bytes at PC: ");
200 +       for (i = 0; i < 5; i++) {
201 +               unsigned int c;
202 +               if (get_user(c, (unsigned int *)pc+i))
203 +                       printk(KERN_CONT "???????? ");
204 +               else
205 +                       printk(KERN_CONT "%08x ", c);
206 +       }
207 +       printk("\n");
208 +}
209 +#endif
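Review bot: The get_user() calls in pax_handle_fetch_fault() and pax_report_insns() cast the user address to a plain `(unsigned int *)` / `(unsigned long *)` with no `__user` annotation, so sparse will flag every access; the ARM pax_report_insns() added later in this patch uses `(__force unsigned char __user *)`, and the alpha code should match, e.g. `err = get_user(ldah, (unsigned int __user *)regs->pc);`. pax_handle_fetch_fault() has a header comment but pax_report_insns() does not; I would add above it `/* Dump the five 32-bit words at the faulting user PC for the PaX report; unreadable words print as "????????". */`. Note that each emulation block breaks out on the first failed get_user(), so a partially readable stub is not emulated and falls through to the `return 1` kill path.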
210  
211  /*
212   * This routine handles page faults.  It determines the address,
213 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
214   good_area:
215         si_code = SEGV_ACCERR;
216         if (cause < 0) {
217 -               if (!(vma->vm_flags & VM_EXEC))
218 +               if (!(vma->vm_flags & VM_EXEC)) {
219 +
220 +#ifdef CONFIG_PAX_PAGEEXEC
221 +                       if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
222 +                               goto bad_area;
223 +
224 +                       up_read(&mm->mmap_sem);
225 +                       switch (pax_handle_fetch_fault(regs)) {
226 +
227 +#ifdef CONFIG_PAX_EMUPLT
228 +                       case 2:
229 +                       case 3:
230 +                               return;
231 +#endif
232 +
233 +                       }
234 +                       pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
235 +                       do_group_exit(SIGKILL);
236 +#else
237                         goto bad_area;
238 +#endif
239 +
240 +               }
241         } else if (!cause) {
242                 /* Allow reads even for write-only mappings */
243                 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
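Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `default:` arm, so the documented return value 1 ("task should be killed") reaches pax_report_fault()/do_group_exit() only by falling out of the switch, and with CONFIG_PAX_EMUPLT disabled the switch body is empty; a `default: break; /* 1: no PLT pattern matched, kill below */` would make that intent explicit and keep the every-switch-has-a-default convention. The read lock is released with up_read() before the emulator runs, which deserves a why-comment: presumably because the get_user() calls in pax_handle_fetch_fault() can fault and must not hold mmap_sem, but confirm. do_page_fault starts and ends outside the hunk.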
244 diff -urNp linux-3.1.1/arch/arm/include/asm/elf.h linux-3.1.1/arch/arm/include/asm/elf.h
245 --- linux-3.1.1/arch/arm/include/asm/elf.h      2011-11-11 15:19:27.000000000 -0500
246 +++ linux-3.1.1/arch/arm/include/asm/elf.h      2011-11-16 18:39:07.000000000 -0500
247 @@ -116,7 +116,14 @@ int dump_task_regs(struct task_struct *t
248     the loader.  We need to make sure that it is out of the way of the program
249     that it will "exec", and that there is sufficient room for the brk.  */
250  
251 -#define ELF_ET_DYN_BASE        (2 * TASK_SIZE / 3)
252 +#define ELF_ET_DYN_BASE                (TASK_SIZE / 3 * 2)
253 +
254 +#ifdef CONFIG_PAX_ASLR
255 +#define PAX_ELF_ET_DYN_BASE    0x00008000UL
256 +
257 +#define PAX_DELTA_MMAP_LEN     ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
258 +#define PAX_DELTA_STACK_LEN    ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
259 +#endif
260  
261  /* When the program starts, a1 contains a pointer to a function to be 
262     registered with atexit, as per the SVR4 ABI.  A value of 0 means we 
263 @@ -126,10 +133,6 @@ int dump_task_regs(struct task_struct *t
264  extern void elf_set_personality(const struct elf32_hdr *);
265  #define SET_PERSONALITY(ex)    elf_set_personality(&(ex))
266  
267 -struct mm_struct;
268 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
269 -#define arch_randomize_brk arch_randomize_brk
270 -
271  extern int vectors_user_mapping(void);
272  #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
273  #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
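Review bot: Removing the `arch_randomize_brk` declaration here (and its definition in arch/arm/kernel/process.c further down) drops the vanilla brk randomisation for ARM unconditionally, not only when CONFIG_PAX_ASLR is selected; unless PaX reinstates brk randomisation in generic code that is not in this hunk, an ARM kernel built with this patch but without PAX_ASLR ends up with a fixed brk base. If that is intended, a comment next to the new PAX_ASLR block saying where the replacement lives would save the next reader the search. Only part of the header is visible here.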
274 diff -urNp linux-3.1.1/arch/arm/include/asm/kmap_types.h linux-3.1.1/arch/arm/include/asm/kmap_types.h
275 --- linux-3.1.1/arch/arm/include/asm/kmap_types.h       2011-11-11 15:19:27.000000000 -0500
276 +++ linux-3.1.1/arch/arm/include/asm/kmap_types.h       2011-11-16 18:39:07.000000000 -0500
277 @@ -21,6 +21,7 @@ enum km_type {
278         KM_L1_CACHE,
279         KM_L2_CACHE,
280         KM_KDB,
281 +       KM_CLEARPAGE,
282         KM_TYPE_NR
283  };
284  
285 diff -urNp linux-3.1.1/arch/arm/include/asm/uaccess.h linux-3.1.1/arch/arm/include/asm/uaccess.h
286 --- linux-3.1.1/arch/arm/include/asm/uaccess.h  2011-11-11 15:19:27.000000000 -0500
287 +++ linux-3.1.1/arch/arm/include/asm/uaccess.h  2011-11-16 18:39:07.000000000 -0500
288 @@ -22,6 +22,8 @@
289  #define VERIFY_READ 0
290  #define VERIFY_WRITE 1
291  
292 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
293 +
294  /*
295   * The exception table consists of pairs of addresses: the first is the
296   * address of an instruction that is allowed to fault, and the second is
297 @@ -387,8 +389,23 @@ do {                                                                       \
298  
299  
300  #ifdef CONFIG_MMU
301 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
302 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
303 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
304 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
305 +
306 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
307 +{
308 +       if (!__builtin_constant_p(n))
309 +               check_object_size(to, n, false);
310 +       return ___copy_from_user(to, from, n);
311 +}
312 +
313 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
314 +{
315 +       if (!__builtin_constant_p(n))
316 +               check_object_size(from, n, true);
317 +       return ___copy_to_user(to, from, n);
318 +}
319 +
320  extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
321  extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
322  extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
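Review bot: The new static inline `__copy_from_user`/`__copy_to_user` wrappers call check_object_size() only when `n` is not a compile-time constant, and nothing says why, so a reader will assume constant sizes go unchecked. I would add above the first wrapper: `/* constant n: the object bound is visible to the compiler; only runtime sizes go through check_object_size() — confirm against its definition */`. The `check_object_size` prototype added earlier in this file takes a `bool`, which relies on the bool type already being in scope at that point of the header; that include is not visible in this hunk.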
323 @@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
324  
325  static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
326  {
327 +       if ((long)n < 0)
328 +               return n;
329 +
330         if (access_ok(VERIFY_READ, from, n))
331                 n = __copy_from_user(to, from, n);
332         else /* security hole - plug it */
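Review bot: The early `if ((long)n < 0) return n;` in copy_from_user() (and the identical one in copy_to_user() in the next hunk) is undocumented; it rejects a length with the top bit set, which cannot be a valid size, before access_ok() and the `/* security hole - plug it */` else branch (whose body is outside the hunk, presumably the zero-fill of `to`) ever see it. A one-line comment would help: `/* a length that is negative as long is corrupt; refuse it before access_ok() and the fallback path see it */`. copy_from_user continues past the hunk.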
333 @@ -412,6 +432,9 @@ static inline unsigned long __must_check
334  
335  static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
336  {
337 +       if ((long)n < 0)
338 +               return n;
339 +
340         if (access_ok(VERIFY_WRITE, to, n))
341                 n = __copy_to_user(to, from, n);
342         return n;
343 diff -urNp linux-3.1.1/arch/arm/kernel/armksyms.c linux-3.1.1/arch/arm/kernel/armksyms.c
344 --- linux-3.1.1/arch/arm/kernel/armksyms.c      2011-11-11 15:19:27.000000000 -0500
345 +++ linux-3.1.1/arch/arm/kernel/armksyms.c      2011-11-16 18:39:07.000000000 -0500
346 @@ -98,8 +98,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
347  #ifdef CONFIG_MMU
348  EXPORT_SYMBOL(copy_page);
349  
350 -EXPORT_SYMBOL(__copy_from_user);
351 -EXPORT_SYMBOL(__copy_to_user);
352 +EXPORT_SYMBOL(___copy_from_user);
353 +EXPORT_SYMBOL(___copy_to_user);
354  EXPORT_SYMBOL(__clear_user);
355  
356  EXPORT_SYMBOL(__get_user_1);
357 diff -urNp linux-3.1.1/arch/arm/kernel/process.c linux-3.1.1/arch/arm/kernel/process.c
358 --- linux-3.1.1/arch/arm/kernel/process.c       2011-11-11 15:19:27.000000000 -0500
359 +++ linux-3.1.1/arch/arm/kernel/process.c       2011-11-16 18:39:07.000000000 -0500
360 @@ -28,7 +28,6 @@
361  #include <linux/tick.h>
362  #include <linux/utsname.h>
363  #include <linux/uaccess.h>
364 -#include <linux/random.h>
365  #include <linux/hw_breakpoint.h>
366  #include <linux/cpuidle.h>
367  
368 @@ -481,12 +480,6 @@ unsigned long get_wchan(struct task_stru
369         return 0;
370  }
371  
372 -unsigned long arch_randomize_brk(struct mm_struct *mm)
373 -{
374 -       unsigned long range_end = mm->brk + 0x02000000;
375 -       return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
376 -}
377 -
378  #ifdef CONFIG_MMU
379  /*
380   * The vectors page is always readable from user space for the
381 diff -urNp linux-3.1.1/arch/arm/kernel/traps.c linux-3.1.1/arch/arm/kernel/traps.c
382 --- linux-3.1.1/arch/arm/kernel/traps.c 2011-11-11 15:19:27.000000000 -0500
383 +++ linux-3.1.1/arch/arm/kernel/traps.c 2011-11-16 18:40:08.000000000 -0500
384 @@ -257,6 +257,8 @@ static int __die(const char *str, int er
385  
386  static DEFINE_SPINLOCK(die_lock);
387  
388 +extern void gr_handle_kernel_exploit(void);
389 +
390  /*
391   * This function is protected against re-entrancy.
392   */
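Review bot: `extern void gr_handle_kernel_exploit(void);` is declared inside a .c file; checkpatch flags externs in .c files because each translation unit carries its own prototype that is never checked against the definition. Move the declaration to the grsecurity header that the other callers include (not visible here) and `#include` that header in traps.c. The die() body that calls it is in the next hunk and starts outside it.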
393 @@ -284,6 +286,9 @@ void die(const char *str, struct pt_regs
394                 panic("Fatal exception in interrupt");
395         if (panic_on_oops)
396                 panic("Fatal exception");
397 +
398 +       gr_handle_kernel_exploit();
399 +
400         if (ret != NOTIFY_STOP)
401                 do_exit(SIGSEGV);
402  }
403 diff -urNp linux-3.1.1/arch/arm/lib/copy_from_user.S linux-3.1.1/arch/arm/lib/copy_from_user.S
404 --- linux-3.1.1/arch/arm/lib/copy_from_user.S   2011-11-11 15:19:27.000000000 -0500
405 +++ linux-3.1.1/arch/arm/lib/copy_from_user.S   2011-11-16 18:39:07.000000000 -0500
406 @@ -16,7 +16,7 @@
407  /*
408   * Prototype:
409   *
410 - *     size_t __copy_from_user(void *to, const void *from, size_t n)
411 + *     size_t ___copy_from_user(void *to, const void *from, size_t n)
412   *
413   * Purpose:
414   *
415 @@ -84,11 +84,11 @@
416  
417         .text
418  
419 -ENTRY(__copy_from_user)
420 +ENTRY(___copy_from_user)
421  
422  #include "copy_template.S"
423  
424 -ENDPROC(__copy_from_user)
425 +ENDPROC(___copy_from_user)
426  
427         .pushsection .fixup,"ax"
428         .align 0
429 diff -urNp linux-3.1.1/arch/arm/lib/copy_to_user.S linux-3.1.1/arch/arm/lib/copy_to_user.S
430 --- linux-3.1.1/arch/arm/lib/copy_to_user.S     2011-11-11 15:19:27.000000000 -0500
431 +++ linux-3.1.1/arch/arm/lib/copy_to_user.S     2011-11-16 18:39:07.000000000 -0500
432 @@ -16,7 +16,7 @@
433  /*
434   * Prototype:
435   *
436 - *     size_t __copy_to_user(void *to, const void *from, size_t n)
437 + *     size_t ___copy_to_user(void *to, const void *from, size_t n)
438   *
439   * Purpose:
440   *
441 @@ -88,11 +88,11 @@
442         .text
443  
444  ENTRY(__copy_to_user_std)
445 -WEAK(__copy_to_user)
446 +WEAK(___copy_to_user)
447  
448  #include "copy_template.S"
449  
450 -ENDPROC(__copy_to_user)
451 +ENDPROC(___copy_to_user)
452  ENDPROC(__copy_to_user_std)
453  
454         .pushsection .fixup,"ax"
455 diff -urNp linux-3.1.1/arch/arm/lib/uaccess.S linux-3.1.1/arch/arm/lib/uaccess.S
456 --- linux-3.1.1/arch/arm/lib/uaccess.S  2011-11-11 15:19:27.000000000 -0500
457 +++ linux-3.1.1/arch/arm/lib/uaccess.S  2011-11-16 18:39:07.000000000 -0500
458 @@ -20,7 +20,7 @@
459  
460  #define PAGE_SHIFT 12
461  
462 -/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
463 +/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
464   * Purpose  : copy a block to user memory from kernel memory
465   * Params   : to   - user memory
466   *          : from - kernel memory
467 @@ -40,7 +40,7 @@ USER(         T(strgtb) r3, [r0], #1)                 @ May f
468                 sub     r2, r2, ip
469                 b       .Lc2u_dest_aligned
470  
471 -ENTRY(__copy_to_user)
472 +ENTRY(___copy_to_user)
473                 stmfd   sp!, {r2, r4 - r7, lr}
474                 cmp     r2, #4
475                 blt     .Lc2u_not_enough
476 @@ -278,14 +278,14 @@ USER(             T(strgeb) r3, [r0], #1)                 @ May f
477                 ldrgtb  r3, [r1], #0
478  USER(          T(strgtb) r3, [r0], #1)                 @ May fault
479                 b       .Lc2u_finished
480 -ENDPROC(__copy_to_user)
481 +ENDPROC(___copy_to_user)
482  
483                 .pushsection .fixup,"ax"
484                 .align  0
485  9001:          ldmfd   sp!, {r0, r4 - r7, pc}
486                 .popsection
487  
488 -/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
489 +/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
490   * Purpose  : copy a block from user memory to kernel memory
491   * Params   : to   - kernel memory
492   *          : from - user memory
493 @@ -304,7 +304,7 @@ USER(               T(ldrgtb) r3, [r1], #1)                 @ May f
494                 sub     r2, r2, ip
495                 b       .Lcfu_dest_aligned
496  
497 -ENTRY(__copy_from_user)
498 +ENTRY(___copy_from_user)
499                 stmfd   sp!, {r0, r2, r4 - r7, lr}
500                 cmp     r2, #4
501                 blt     .Lcfu_not_enough
502 @@ -544,7 +544,7 @@ USER(               T(ldrgeb) r3, [r1], #1)                 @ May f
503  USER(          T(ldrgtb) r3, [r1], #1)                 @ May fault
504                 strgtb  r3, [r0], #1
505                 b       .Lcfu_finished
506 -ENDPROC(__copy_from_user)
507 +ENDPROC(___copy_from_user)
508  
509                 .pushsection .fixup,"ax"
510                 .align  0
511 diff -urNp linux-3.1.1/arch/arm/lib/uaccess_with_memcpy.c linux-3.1.1/arch/arm/lib/uaccess_with_memcpy.c
512 --- linux-3.1.1/arch/arm/lib/uaccess_with_memcpy.c      2011-11-11 15:19:27.000000000 -0500
513 +++ linux-3.1.1/arch/arm/lib/uaccess_with_memcpy.c      2011-11-16 18:39:07.000000000 -0500
514 @@ -103,7 +103,7 @@ out:
515  }
516  
517  unsigned long
518 -__copy_to_user(void __user *to, const void *from, unsigned long n)
519 +___copy_to_user(void __user *to, const void *from, unsigned long n)
520  {
521         /*
522          * This test is stubbed out of the main function above to keep
523 diff -urNp linux-3.1.1/arch/arm/mach-ux500/mbox-db5500.c linux-3.1.1/arch/arm/mach-ux500/mbox-db5500.c
524 --- linux-3.1.1/arch/arm/mach-ux500/mbox-db5500.c       2011-11-11 15:19:27.000000000 -0500
525 +++ linux-3.1.1/arch/arm/mach-ux500/mbox-db5500.c       2011-11-16 18:40:08.000000000 -0500
526 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
527         return sprintf(buf, "0x%X\n", mbox_value);
528  }
529  
530 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
531 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
532  
533  static int mbox_show(struct seq_file *s, void *data)
534  {
535 diff -urNp linux-3.1.1/arch/arm/mm/fault.c linux-3.1.1/arch/arm/mm/fault.c
536 --- linux-3.1.1/arch/arm/mm/fault.c     2011-11-11 15:19:27.000000000 -0500
537 +++ linux-3.1.1/arch/arm/mm/fault.c     2011-11-16 18:39:07.000000000 -0500
538 @@ -182,6 +182,13 @@ __do_user_fault(struct task_struct *tsk,
539         }
540  #endif
541  
542 +#ifdef CONFIG_PAX_PAGEEXEC
543 +       if (fsr & FSR_LNX_PF) {
544 +               pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
545 +               do_group_exit(SIGKILL);
546 +       }
547 +#endif
548 +
549         tsk->thread.address = addr;
550         tsk->thread.error_code = fsr;
551         tsk->thread.trap_no = 14;
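Review bot: The new `if (fsr & FSR_LNX_PF)` block in __do_user_fault() kills the task with SIGKILL without consulting `mm->pax_flags & MF_PAX_PAGEEXEC`, whereas the equivalent hooks in arch/alpha/mm/fault.c and arch/avr32/mm/fault.c in this patch test that per-mm flag first. If FSR_LNX_PF can only be set for an mm that has PAGEEXEC active, a comment saying so would stop this reading as a missing check: `/* FSR_LNX_PF is only raised for PAGEEXEC-enabled mms; see where it is set */`; otherwise the flag test should be added. __do_user_fault starts before the hunk.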
552 @@ -383,6 +390,33 @@ do_page_fault(unsigned long addr, unsign
553  }
554  #endif                                 /* CONFIG_MMU */
555  
556 +#ifdef CONFIG_PAX_PAGEEXEC
557 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
558 +{
559 +       long i;
560 +
561 +       printk(KERN_ERR "PAX: bytes at PC: ");
562 +       for (i = 0; i < 20; i++) {
563 +               unsigned char c;
564 +               if (get_user(c, (__force unsigned char __user *)pc+i))
565 +                       printk(KERN_CONT "?? ");
566 +               else
567 +                       printk(KERN_CONT "%02x ", c);
568 +       }
569 +       printk("\n");
570 +
571 +       printk(KERN_ERR "PAX: bytes at SP-4: ");
572 +       for (i = -1; i < 20; i++) {
573 +               unsigned long c;
574 +               if (get_user(c, (__force unsigned long __user *)sp+i))
575 +                       printk(KERN_CONT "???????? ");
576 +               else
577 +                       printk(KERN_CONT "%08lx ", c);
578 +       }
579 +       printk("\n");
580 +}
581 +#endif
582 +
583  /*
584   * First Level Translation Fault Handler
585   *
586 diff -urNp linux-3.1.1/arch/arm/mm/mmap.c linux-3.1.1/arch/arm/mm/mmap.c
587 --- linux-3.1.1/arch/arm/mm/mmap.c      2011-11-11 15:19:27.000000000 -0500
588 +++ linux-3.1.1/arch/arm/mm/mmap.c      2011-11-16 18:39:07.000000000 -0500
589 @@ -65,6 +65,10 @@ arch_get_unmapped_area(struct file *filp
590         if (len > TASK_SIZE)
591                 return -ENOMEM;
592  
593 +#ifdef CONFIG_PAX_RANDMMAP
594 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
595 +#endif
596 +
597         if (addr) {
598                 if (do_align)
599                         addr = COLOUR_ALIGN(addr, pgoff);
600 @@ -72,15 +76,14 @@ arch_get_unmapped_area(struct file *filp
601                         addr = PAGE_ALIGN(addr);
602  
603                 vma = find_vma(mm, addr);
604 -               if (TASK_SIZE - len >= addr &&
605 -                   (!vma || addr + len <= vma->vm_start))
606 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
607                         return addr;
608         }
609         if (len > mm->cached_hole_size) {
610 -               start_addr = addr = mm->free_area_cache;
611 +               start_addr = addr = mm->free_area_cache;
612         } else {
613 -               start_addr = addr = TASK_UNMAPPED_BASE;
614 -               mm->cached_hole_size = 0;
615 +               start_addr = addr = mm->mmap_base;
616 +               mm->cached_hole_size = 0;
617         }
618         /* 8 bits of randomness in 20 address space bits */
619         if ((current->flags & PF_RANDOMIZE) &&
620 @@ -100,14 +103,14 @@ full_search:
621                          * Start a new search - just in case we missed
622                          * some holes.
623                          */
624 -                       if (start_addr != TASK_UNMAPPED_BASE) {
625 -                               start_addr = addr = TASK_UNMAPPED_BASE;
626 +                       if (start_addr != mm->mmap_base) {
627 +                               start_addr = addr = mm->mmap_base;
628                                 mm->cached_hole_size = 0;
629                                 goto full_search;
630                         }
631                         return -ENOMEM;
632                 }
633 -               if (!vma || addr + len <= vma->vm_start) {
634 +               if (check_heap_stack_gap(vma, addr, len)) {
635                         /*
636                          * Remember the place where we stopped the search:
637                          */
638 diff -urNp linux-3.1.1/arch/avr32/include/asm/elf.h linux-3.1.1/arch/avr32/include/asm/elf.h
639 --- linux-3.1.1/arch/avr32/include/asm/elf.h    2011-11-11 15:19:27.000000000 -0500
640 +++ linux-3.1.1/arch/avr32/include/asm/elf.h    2011-11-16 18:39:07.000000000 -0500
641 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
642     the loader.  We need to make sure that it is out of the way of the program
643     that it will "exec", and that there is sufficient room for the brk.  */
644  
645 -#define ELF_ET_DYN_BASE         (2 * TASK_SIZE / 3)
646 +#define ELF_ET_DYN_BASE                (TASK_SIZE / 3 * 2)
647  
648 +#ifdef CONFIG_PAX_ASLR
649 +#define PAX_ELF_ET_DYN_BASE    0x00001000UL
650 +
651 +#define PAX_DELTA_MMAP_LEN     15
652 +#define PAX_DELTA_STACK_LEN    15
653 +#endif
654  
655  /* This yields a mask that user programs can use to figure out what
656     instruction set this CPU supports.  This could be done in user space,
657 diff -urNp linux-3.1.1/arch/avr32/include/asm/kmap_types.h linux-3.1.1/arch/avr32/include/asm/kmap_types.h
658 --- linux-3.1.1/arch/avr32/include/asm/kmap_types.h     2011-11-11 15:19:27.000000000 -0500
659 +++ linux-3.1.1/arch/avr32/include/asm/kmap_types.h     2011-11-16 18:39:07.000000000 -0500
660 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
661  D(11)  KM_IRQ1,
662  D(12)  KM_SOFTIRQ0,
663  D(13)  KM_SOFTIRQ1,
664 -D(14)  KM_TYPE_NR
665 +D(14)  KM_CLEARPAGE,
666 +D(15)  KM_TYPE_NR
667  };
668  
669  #undef D
670 diff -urNp linux-3.1.1/arch/avr32/mm/fault.c linux-3.1.1/arch/avr32/mm/fault.c
671 --- linux-3.1.1/arch/avr32/mm/fault.c   2011-11-11 15:19:27.000000000 -0500
672 +++ linux-3.1.1/arch/avr32/mm/fault.c   2011-11-16 18:39:07.000000000 -0500
673 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
674  
675  int exception_trace = 1;
676  
677 +#ifdef CONFIG_PAX_PAGEEXEC
678 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
679 +{
680 +       unsigned long i;
681 +
682 +       printk(KERN_ERR "PAX: bytes at PC: ");
683 +       for (i = 0; i < 20; i++) {
684 +               unsigned char c;
685 +               if (get_user(c, (unsigned char *)pc+i))
686 +                       printk(KERN_CONT "???????? ");
687 +               else
688 +                       printk(KERN_CONT "%02x ", c);
689 +       }
690 +       printk("\n");
691 +}
692 +#endif
693 +
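Review bot: In the avr32 pax_report_insns() the unreadable-byte placeholder `"???????? "` is eight characters wide while a readable byte prints as `"%02x "`, so the dump columns misalign; the ARM version later in this patch uses `"?? "` for the same byte-wise loop and this one should too: `printk(KERN_CONT "?? ");`. The `(unsigned char *)pc+i` cast also lacks the `__user` annotation the ARM variant carries (`(__force unsigned char __user *)`), which sparse will report.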
694  /*
695   * This routine handles page faults. It determines the address and the
696   * problem, and then passes it off to one of the appropriate routines.
697 @@ -156,6 +173,16 @@ bad_area:
698         up_read(&mm->mmap_sem);
699  
700         if (user_mode(regs)) {
701 +
702 +#ifdef CONFIG_PAX_PAGEEXEC
703 +               if (mm->pax_flags & MF_PAX_PAGEEXEC) {
704 +                       if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
705 +                               pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
706 +                               do_group_exit(SIGKILL);
707 +                       }
708 +               }
709 +#endif
710 +
711                 if (exception_trace && printk_ratelimit())
712                         printk("%s%s[%d]: segfault at %08lx pc %08lx "
713                                "sp %08lx ecr %lu\n",
714 diff -urNp linux-3.1.1/arch/frv/include/asm/kmap_types.h linux-3.1.1/arch/frv/include/asm/kmap_types.h
715 --- linux-3.1.1/arch/frv/include/asm/kmap_types.h       2011-11-11 15:19:27.000000000 -0500
716 +++ linux-3.1.1/arch/frv/include/asm/kmap_types.h       2011-11-16 18:39:07.000000000 -0500
717 @@ -23,6 +23,7 @@ enum km_type {
718         KM_IRQ1,
719         KM_SOFTIRQ0,
720         KM_SOFTIRQ1,
721 +       KM_CLEARPAGE,
722         KM_TYPE_NR
723  };
724  
725 diff -urNp linux-3.1.1/arch/frv/mm/elf-fdpic.c linux-3.1.1/arch/frv/mm/elf-fdpic.c
726 --- linux-3.1.1/arch/frv/mm/elf-fdpic.c 2011-11-11 15:19:27.000000000 -0500
727 +++ linux-3.1.1/arch/frv/mm/elf-fdpic.c 2011-11-16 18:39:07.000000000 -0500
728 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
729         if (addr) {
730                 addr = PAGE_ALIGN(addr);
731                 vma = find_vma(current->mm, addr);
732 -               if (TASK_SIZE - len >= addr &&
733 -                   (!vma || addr + len <= vma->vm_start))
734 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
735                         goto success;
736         }
737  
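Review bot: The explicit `!vma ||` guard on the removed line is gone, so `if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))` is only correct if check_heap_stack_gap() treats a NULL vma (what find_vma() returns when nothing is mapped above addr) as a free gap; its definition is not in this part of the patch, so that should be confirmed. The two loop hunks below run inside `for (; vma; ...)` and cannot see a NULL vma, but the same reliance recurs in arch/ia64/kernel/sys_ia64.c and arch/ia64/mm/hugetlbpage.c, where the loop's own comment states `(!vmm || addr < vmm->vm_end)` and the following statement dereferences the pointer. A short comment at the first call site, `/* check_heap_stack_gap() must accept vma == NULL as "no mapping above addr" */`, would make the dependency explicit. arch_get_unmapped_area continues outside the hunk.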
738 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
739                         for (; vma; vma = vma->vm_next) {
740                                 if (addr > limit)
741                                         break;
742 -                               if (addr + len <= vma->vm_start)
743 +                               if (check_heap_stack_gap(vma, addr, len))
744                                         goto success;
745                                 addr = vma->vm_end;
746                         }
747 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
748                 for (; vma; vma = vma->vm_next) {
749                         if (addr > limit)
750                                 break;
751 -                       if (addr + len <= vma->vm_start)
752 +                       if (check_heap_stack_gap(vma, addr, len))
753                                 goto success;
754                         addr = vma->vm_end;
755                 }
756 diff -urNp linux-3.1.1/arch/ia64/include/asm/elf.h linux-3.1.1/arch/ia64/include/asm/elf.h
757 --- linux-3.1.1/arch/ia64/include/asm/elf.h     2011-11-11 15:19:27.000000000 -0500
758 +++ linux-3.1.1/arch/ia64/include/asm/elf.h     2011-11-16 18:39:07.000000000 -0500
759 @@ -42,6 +42,13 @@
760   */
761  #define ELF_ET_DYN_BASE                (TASK_UNMAPPED_BASE + 0x800000000UL)
762  
763 +#ifdef CONFIG_PAX_ASLR
764 +#define PAX_ELF_ET_DYN_BASE    (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
765 +
766 +#define PAX_DELTA_MMAP_LEN     (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
767 +#define PAX_DELTA_STACK_LEN    (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
768 +#endif
769 +
770  #define PT_IA_64_UNWIND                0x70000001
771  
772  /* IA-64 relocations: */
773 diff -urNp linux-3.1.1/arch/ia64/include/asm/pgtable.h linux-3.1.1/arch/ia64/include/asm/pgtable.h
774 --- linux-3.1.1/arch/ia64/include/asm/pgtable.h 2011-11-11 15:19:27.000000000 -0500
775 +++ linux-3.1.1/arch/ia64/include/asm/pgtable.h 2011-11-16 18:39:07.000000000 -0500
776 @@ -12,7 +12,7 @@
777   *     David Mosberger-Tang <davidm@hpl.hp.com>
778   */
779  
780 -
781 +#include <linux/const.h>
782  #include <asm/mman.h>
783  #include <asm/page.h>
784  #include <asm/processor.h>
785 @@ -143,6 +143,17 @@
786  #define PAGE_READONLY  __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
787  #define PAGE_COPY      __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
788  #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
789 +
790 +#ifdef CONFIG_PAX_PAGEEXEC
791 +# define PAGE_SHARED_NOEXEC    __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
792 +# define PAGE_READONLY_NOEXEC  __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
793 +# define PAGE_COPY_NOEXEC      __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
794 +#else
795 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
796 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
797 +# define PAGE_COPY_NOEXEC      PAGE_COPY
798 +#endif
799 +
800  #define PAGE_GATE      __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
801  #define PAGE_KERNEL    __pgprot(__DIRTY_BITS  | _PAGE_PL_0 | _PAGE_AR_RWX)
802  #define PAGE_KERNELRX  __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
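Review bot: Under CONFIG_PAX_PAGEEXEC, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` are defined with exactly the same bits as the existing PAGE_READONLY and PAGE_COPY a few lines above (`__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`), so only PAGE_SHARED_NOEXEC differs from its base, and a reader will wonder whether that is intentional. If it is — the `_PAGE_AR_R` vs `_PAGE_AR_RX` naming suggests the plain read right already excludes execution — say so next to the block: `/* _PAGE_AR_R already denies execute; only the shared (RW) mapping needs a distinct NOEXEC form */`. The `#include <linux/const.h>` added in the first hunk has no user in the visible hunks; presumably a later hunk of this file needs it, which is worth a word in the commit message.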
803 diff -urNp linux-3.1.1/arch/ia64/include/asm/spinlock.h linux-3.1.1/arch/ia64/include/asm/spinlock.h
804 --- linux-3.1.1/arch/ia64/include/asm/spinlock.h        2011-11-11 15:19:27.000000000 -0500
805 +++ linux-3.1.1/arch/ia64/include/asm/spinlock.h        2011-11-16 18:39:07.000000000 -0500
806 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
807         unsigned short  *p = (unsigned short *)&lock->lock + 1, tmp;
808  
809         asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
810 -       ACCESS_ONCE(*p) = (tmp + 2) & ~1;
811 +       ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
812  }
813  
814  static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
815 diff -urNp linux-3.1.1/arch/ia64/include/asm/uaccess.h linux-3.1.1/arch/ia64/include/asm/uaccess.h
816 --- linux-3.1.1/arch/ia64/include/asm/uaccess.h 2011-11-11 15:19:27.000000000 -0500
817 +++ linux-3.1.1/arch/ia64/include/asm/uaccess.h 2011-11-16 18:39:07.000000000 -0500
818 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
819         const void *__cu_from = (from);                                                 \
820         long __cu_len = (n);                                                            \
821                                                                                         \
822 -       if (__access_ok(__cu_to, __cu_len, get_fs()))                                   \
823 +       if (__cu_len > 0  && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs()))                   \
824                 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len);   \
825         __cu_len;                                                                       \
826  })
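Review bot: The new guard `__cu_len > 0  && __cu_len <= INT_MAX && ...` carries a double space, as does `INT_MAX  &&` in the second hunk; normalize both to single spaces. More importantly the bound is undocumented: nothing in the macro tells the reader why counts above INT_MAX are refused — presumably because `__copy_user()` takes an int-sized length, but that is outside the hunk. Add a one-line comment above each test, `/* __copy_user() takes an int-sized count; refuse zero, negative and > INT_MAX lengths up front -- TODO confirm */`, and confirm INT_MAX (linux/kernel.h) is visible in this header. When the guard fails the macro still yields the untouched `__cu_len`, which matches the existing failed-__access_ok path.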
827 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
828         long __cu_len = (n);                                                            \
829                                                                                         \
830         __chk_user_ptr(__cu_from);                                                      \
831 -       if (__access_ok(__cu_from, __cu_len, get_fs()))                                 \
832 +       if (__cu_len > 0 && __cu_len <= INT_MAX  && __access_ok(__cu_from, __cu_len, get_fs()))                 \
833                 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len);   \
834         __cu_len;                                                                       \
835  })
836 diff -urNp linux-3.1.1/arch/ia64/kernel/module.c linux-3.1.1/arch/ia64/kernel/module.c
837 --- linux-3.1.1/arch/ia64/kernel/module.c       2011-11-11 15:19:27.000000000 -0500
838 +++ linux-3.1.1/arch/ia64/kernel/module.c       2011-11-16 18:39:07.000000000 -0500
839 @@ -307,8 +307,7 @@ plt_target (struct plt_entry *plt)
840  void
841  module_free (struct module *mod, void *module_region)
842  {
843 -       if (mod && mod->arch.init_unw_table &&
844 -           module_region == mod->module_init) {
845 +       if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
846                 unw_remove_unwind_table(mod->arch.init_unw_table);
847                 mod->arch.init_unw_table = NULL;
848         }
849 @@ -494,15 +493,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
850  }
851  
852  static inline int
853 +in_init_rx (const struct module *mod, uint64_t addr)
854 +{
855 +       return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
856 +}
857 +
858 +static inline int
859 +in_init_rw (const struct module *mod, uint64_t addr)
860 +{
861 +       return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
862 +}
863 +
864 +static inline int
865  in_init (const struct module *mod, uint64_t addr)
866  {
867 -       return addr - (uint64_t) mod->module_init < mod->init_size;
868 +       return in_init_rx(mod, addr) || in_init_rw(mod, addr);
869 +}
870 +
871 +static inline int
872 +in_core_rx (const struct module *mod, uint64_t addr)
873 +{
874 +       return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
875 +}
876 +
877 +static inline int
878 +in_core_rw (const struct module *mod, uint64_t addr)
879 +{
880 +       return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
881  }
882  
883  static inline int
884  in_core (const struct module *mod, uint64_t addr)
885  {
886 -       return addr - (uint64_t) mod->module_core < mod->core_size;
887 +       return in_core_rx(mod, addr) || in_core_rw(mod, addr);
888  }
889  
890  static inline int
891 @@ -685,7 +708,14 @@ do_reloc (struct module *mod, uint8_t r_
892                 break;
893  
894               case RV_BDREL:
895 -               val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
896 +               if (in_init_rx(mod, val))
897 +                       val -= (uint64_t) mod->module_init_rx;
898 +               else if (in_init_rw(mod, val))
899 +                       val -= (uint64_t) mod->module_init_rw;
900 +               else if (in_core_rx(mod, val))
901 +                       val -= (uint64_t) mod->module_core_rx;
902 +               else if (in_core_rw(mod, val))
903 +                       val -= (uint64_t) mod->module_core_rw;
904                 break;
905  
906               case RV_LTV:
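Review bot: The RV_BDREL case has lost its fallback: the removed line subtracted `module_core` whenever the address was not in init, whereas the new `if`/`else if` chain leaves `val` unmodified when it falls in none of the four rx/rw regions, producing a silently wrong relocation instead of a diagnosable one. Add a final `else` that reports the out-of-range target through the function's existing error path (the rest of do_reloc is outside the hunk), e.g. `else printk(KERN_ERR "%s: RV_BDREL target 0x%lx outside module\n", mod->name, val);` followed by whatever failure return the surrounding code uses.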
907 @@ -820,15 +850,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
908                  *     addresses have been selected...
909                  */
910                 uint64_t gp;
911 -               if (mod->core_size > MAX_LTOFF)
912 +               if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
913                         /*
914                          * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
915                          * at the end of the module.
916                          */
917 -                       gp = mod->core_size - MAX_LTOFF / 2;
918 +                       gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
919                 else
920 -                       gp = mod->core_size / 2;
921 -               gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
922 +                       gp = (mod->core_size_rx + mod->core_size_rw) / 2;
923 +               gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
924                 mod->arch.gp = gp;
925                 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
926         }
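Review bot: `gp` is computed as an offset within `core_size_rx + core_size_rw` and then added to `module_core_rx`; that is only meaningful if the rw region immediately follows the rx region, which the separate `module_core_rx`/`module_core_rw` pointers used elsewhere in this file do not guarantee. If the two regions are separate allocations, gp can land outside the module's data and every gp-relative access misses; if the allocator does lay them out back to back, state it here: `/* core_rx and core_rw are allocated contiguously, so an offset into the combined size is valid from module_core_rx */`. The retained comment about SHF_ARCH_SMALL being allocated at the end of the module also needs rechecking against the split layout. apply_relocate_add continues outside the hunk.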
927 diff -urNp linux-3.1.1/arch/ia64/kernel/sys_ia64.c linux-3.1.1/arch/ia64/kernel/sys_ia64.c
928 --- linux-3.1.1/arch/ia64/kernel/sys_ia64.c     2011-11-11 15:19:27.000000000 -0500
929 +++ linux-3.1.1/arch/ia64/kernel/sys_ia64.c     2011-11-16 18:39:07.000000000 -0500
930 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
931         if (REGION_NUMBER(addr) == RGN_HPAGE)
932                 addr = 0;
933  #endif
934 +
935 +#ifdef CONFIG_PAX_RANDMMAP
936 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
937 +               addr = mm->free_area_cache;
938 +       else
939 +#endif
940 +
941         if (!addr)
942                 addr = mm->free_area_cache;
943  
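Review bot: The `else` at the end of the `#ifdef CONFIG_PAX_RANDMMAP` block binds to the `if (!addr)` that follows `#endif`, so the control flow depends on a statement spliced across a preprocessor boundary; it works, but an innocent line inserted between them would change the logic silently and formatters will mangle it. Prefer an explicit form such as `if ((mm->pax_flags & MF_PAX_RANDMMAP) || !addr)` with only the flag test under `#ifdef`, or brace the combined statement. The same construct appears in the first hunk of arch/mips/mm/mmap.c, where the guarded `if` governs the following `if (addr) {` block.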
944 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
945         for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
946                 /* At this point:  (!vma || addr < vma->vm_end). */
947                 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
948 -                       if (start_addr != TASK_UNMAPPED_BASE) {
949 +                       if (start_addr != mm->mmap_base) {
950                                 /* Start a new search --- just in case we missed some holes.  */
951 -                               addr = TASK_UNMAPPED_BASE;
952 +                               addr = mm->mmap_base;
953                                 goto full_search;
954                         }
955                         return -ENOMEM;
956                 }
957 -               if (!vma || addr + len <= vma->vm_start) {
958 +               if (check_heap_stack_gap(vma, addr, len)) {
959                         /* Remember the address where we stopped this search:  */
960                         mm->free_area_cache = addr + len;
961                         return addr;
962 diff -urNp linux-3.1.1/arch/ia64/kernel/vmlinux.lds.S linux-3.1.1/arch/ia64/kernel/vmlinux.lds.S
963 --- linux-3.1.1/arch/ia64/kernel/vmlinux.lds.S  2011-11-11 15:19:27.000000000 -0500
964 +++ linux-3.1.1/arch/ia64/kernel/vmlinux.lds.S  2011-11-16 18:39:07.000000000 -0500
965 @@ -199,7 +199,7 @@ SECTIONS {
966         /* Per-cpu data: */
967         . = ALIGN(PERCPU_PAGE_SIZE);
968         PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
969 -       __phys_per_cpu_start = __per_cpu_load;
970 +       __phys_per_cpu_start = per_cpu_load;
971         /*
972          * ensure percpu data fits
973          * into percpu page size
974 diff -urNp linux-3.1.1/arch/ia64/mm/fault.c linux-3.1.1/arch/ia64/mm/fault.c
975 --- linux-3.1.1/arch/ia64/mm/fault.c    2011-11-11 15:19:27.000000000 -0500
976 +++ linux-3.1.1/arch/ia64/mm/fault.c    2011-11-16 18:39:07.000000000 -0500
977 @@ -73,6 +73,23 @@ mapped_kernel_page_is_present (unsigned 
978         return pte_present(pte);
979  }
980  
981 +#ifdef CONFIG_PAX_PAGEEXEC
982 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
983 +{
984 +       unsigned long i;
985 +
986 +       printk(KERN_ERR "PAX: bytes at PC: ");
987 +       for (i = 0; i < 8; i++) {
988 +               unsigned int c;
989 +               if (get_user(c, (unsigned int *)pc+i))
990 +                       printk(KERN_CONT "???????? ");
991 +               else
992 +                       printk(KERN_CONT "%08x ", c);
993 +       }
994 +       printk("\n");
995 +}
996 +#endif
997 +
998  void __kprobes
999  ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1000  {
1001 @@ -146,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
1002         mask = (  (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1003                 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1004  
1005 -       if ((vma->vm_flags & mask) != mask)
1006 +       if ((vma->vm_flags & mask) != mask) {
1007 +
1008 +#ifdef CONFIG_PAX_PAGEEXEC
1009 +               if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1010 +                       if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1011 +                               goto bad_area;
1012 +
1013 +                       up_read(&mm->mmap_sem);
1014 +                       pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1015 +                       do_group_exit(SIGKILL);
1016 +               }
1017 +#endif
1018 +
1019                 goto bad_area;
1020  
1021 +       }
1022 +
1023         /*
1024          * If for any reason at all we couldn't handle the fault, make
1025          * sure we exit gracefully rather than endlessly redo the
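Review bot: The newly braced `if ((vma->vm_flags & mask) != mask) {` block opens with a blank line and separates `goto bad_area;` from its closing `}` with another blank line; drop both so the block reads as a normal kernel-style block. Releasing mmap_sem with `up_read(&mm->mmap_sem)` before `do_group_exit(SIGKILL)` in the exec-fault branch is correct, since the caller never regains control after the exit. ia64_do_page_fault continues outside the hunk.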
1026 diff -urNp linux-3.1.1/arch/ia64/mm/hugetlbpage.c linux-3.1.1/arch/ia64/mm/hugetlbpage.c
1027 --- linux-3.1.1/arch/ia64/mm/hugetlbpage.c      2011-11-11 15:19:27.000000000 -0500
1028 +++ linux-3.1.1/arch/ia64/mm/hugetlbpage.c      2011-11-16 18:39:07.000000000 -0500
1029 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1030                 /* At this point:  (!vmm || addr < vmm->vm_end). */
1031                 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1032                         return -ENOMEM;
1033 -               if (!vmm || (addr + len) <= vmm->vm_start)
1034 +               if (check_heap_stack_gap(vmm, addr, len))
1035                         return addr;
1036                 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1037         }
1038 diff -urNp linux-3.1.1/arch/ia64/mm/init.c linux-3.1.1/arch/ia64/mm/init.c
1039 --- linux-3.1.1/arch/ia64/mm/init.c     2011-11-11 15:19:27.000000000 -0500
1040 +++ linux-3.1.1/arch/ia64/mm/init.c     2011-11-16 18:39:07.000000000 -0500
1041 @@ -120,6 +120,19 @@ ia64_init_addr_space (void)
1042                 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1043                 vma->vm_end = vma->vm_start + PAGE_SIZE;
1044                 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1045 +
1046 +#ifdef CONFIG_PAX_PAGEEXEC
1047 +               if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1048 +                       vma->vm_flags &= ~VM_EXEC;
1049 +
1050 +#ifdef CONFIG_PAX_MPROTECT
1051 +                       if (current->mm->pax_flags & MF_PAX_MPROTECT)
1052 +                               vma->vm_flags &= ~VM_MAYEXEC;
1053 +#endif
1054 +
1055 +               }
1056 +#endif
1057 +
1058                 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1059                 down_write(&current->mm->mmap_sem);
1060                 if (insert_vm_struct(current->mm, vma)) {
1061 diff -urNp linux-3.1.1/arch/m32r/lib/usercopy.c linux-3.1.1/arch/m32r/lib/usercopy.c
1062 --- linux-3.1.1/arch/m32r/lib/usercopy.c        2011-11-11 15:19:27.000000000 -0500
1063 +++ linux-3.1.1/arch/m32r/lib/usercopy.c        2011-11-16 18:39:07.000000000 -0500
1064 @@ -14,6 +14,9 @@
1065  unsigned long
1066  __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1067  {
1068 +       if ((long)n < 0)
1069 +               return n;
1070 +
1071         prefetch(from);
1072         if (access_ok(VERIFY_WRITE, to, n))
1073                 __copy_user(to,from,n);
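Review bot: The early return `if ((long)n < 0) return n;` carries no comment, and on its own it reads as dead code because n is unsigned. Add `/* a length with the top bit set is an underflowed size computation in the caller; refuse it instead of handing a huge range to access_ok() */` above it, here and in the __generic_copy_from_user hunk below. Returning n itself keeps the usual copy_*_user contract of "bytes not copied", assuming that is what these two functions report.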
1074 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to, 
1075  unsigned long
1076  __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1077  {
1078 +       if ((long)n < 0)
1079 +               return n;
1080 +
1081         prefetchw(to);
1082         if (access_ok(VERIFY_READ, from, n))
1083                 __copy_user_zeroing(to,from,n);
1084 diff -urNp linux-3.1.1/arch/mips/include/asm/elf.h linux-3.1.1/arch/mips/include/asm/elf.h
1085 --- linux-3.1.1/arch/mips/include/asm/elf.h     2011-11-11 15:19:27.000000000 -0500
1086 +++ linux-3.1.1/arch/mips/include/asm/elf.h     2011-11-16 18:39:07.000000000 -0500
1087 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
1088  #define ELF_ET_DYN_BASE         (TASK_SIZE / 3 * 2)
1089  #endif
1090  
1091 +#ifdef CONFIG_PAX_ASLR
1092 +#define PAX_ELF_ET_DYN_BASE    (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1093 +
1094 +#define PAX_DELTA_MMAP_LEN     (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1095 +#define PAX_DELTA_STACK_LEN    (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1096 +#endif
1097 +
1098  #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1099  struct linux_binprm;
1100  extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1101                                        int uses_interp);
1102  
1103 -struct mm_struct;
1104 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1105 -#define arch_randomize_brk arch_randomize_brk
1106 -
1107  #endif /* _ASM_ELF_H */
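Review bot: `PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)` selects the same value in both arms, so the conditional is either redundant or one arm is a placeholder that was never filled in; the identical definition is repeated in arch/mips/kernel/binfmt_elfn32.c and binfmt_elfo32.c. Either collapse it to `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` or add a comment stating why the 64-bit base is deliberately kept at the 32-bit value. The removal of the arch_randomize_brk declaration here pairs with the deletion of its definition in arch/mips/mm/mmap.c, so that part is consistent within the patch.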
1108 diff -urNp linux-3.1.1/arch/mips/include/asm/page.h linux-3.1.1/arch/mips/include/asm/page.h
1109 --- linux-3.1.1/arch/mips/include/asm/page.h    2011-11-11 15:19:27.000000000 -0500
1110 +++ linux-3.1.1/arch/mips/include/asm/page.h    2011-11-16 18:39:07.000000000 -0500
1111 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1112    #ifdef CONFIG_CPU_MIPS32
1113      typedef struct { unsigned long pte_low, pte_high; } pte_t;
1114      #define pte_val(x)    ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1115 -    #define __pte(x)      ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1116 +    #define __pte(x)      ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1117    #else
1118       typedef struct { unsigned long long pte; } pte_t;
1119       #define pte_val(x)        ((x).pte)
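Review bot: Dropping the `(unsigned long long)` cast in `__pte(x)` turns `(x) >> 32` into a shift by the full width of the operand whenever a caller passes a 32-bit `unsigned long`, which is undefined behaviour rather than zero; the old form widened first. Unless every caller is known to pass a 64-bit value, keep a widening cast, `{(x), ((unsigned long long)(x)) >> 32}`, or document the precondition with `/* x must be a 64-bit value: pte_high takes its upper word */`.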
1120 diff -urNp linux-3.1.1/arch/mips/include/asm/system.h linux-3.1.1/arch/mips/include/asm/system.h
1121 --- linux-3.1.1/arch/mips/include/asm/system.h  2011-11-11 15:19:27.000000000 -0500
1122 +++ linux-3.1.1/arch/mips/include/asm/system.h  2011-11-16 18:39:07.000000000 -0500
1123 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1124   */
1125  #define __ARCH_WANT_UNLOCKED_CTXSW
1126  
1127 -extern unsigned long arch_align_stack(unsigned long sp);
1128 +#define arch_align_stack(x) ((x) & ~0xfUL)
1129  
1130  #endif /* _ASM_SYSTEM_H */
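Review bot: Replacing the `arch_align_stack()` function with `#define arch_align_stack(x) ((x) & ~0xfUL)` changes behaviour in two ways the hunk does not document: the removed implementation (deleted in the arch/mips/kernel/process.c hunk of this patch) honoured `ADDR_NO_RANDOMIZE`/`randomize_va_space` and aligned with `ALMASK`, whose comment gave 8-byte alignment for the 32-bit ABI, whereas the macro always aligns to 16 and never randomizes. Presumably stack randomization now comes from the PaX side, but that belongs next to the macro: `/* stack randomization is done by PaX (PAX_DELTA_STACK_LEN); 16-byte alignment satisfies both ABIs */`. A `static inline unsigned long arch_align_stack(unsigned long sp)` would also keep the argument type-checked.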
1131 diff -urNp linux-3.1.1/arch/mips/kernel/binfmt_elfn32.c linux-3.1.1/arch/mips/kernel/binfmt_elfn32.c
1132 --- linux-3.1.1/arch/mips/kernel/binfmt_elfn32.c        2011-11-11 15:19:27.000000000 -0500
1133 +++ linux-3.1.1/arch/mips/kernel/binfmt_elfn32.c        2011-11-16 18:39:07.000000000 -0500
1134 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1135  #undef ELF_ET_DYN_BASE
1136  #define ELF_ET_DYN_BASE         (TASK32_SIZE / 3 * 2)
1137  
1138 +#ifdef CONFIG_PAX_ASLR
1139 +#define PAX_ELF_ET_DYN_BASE    (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1140 +
1141 +#define PAX_DELTA_MMAP_LEN     (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1142 +#define PAX_DELTA_STACK_LEN    (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1143 +#endif
1144 +
1145  #include <asm/processor.h>
1146  #include <linux/module.h>
1147  #include <linux/elfcore.h>
1148 diff -urNp linux-3.1.1/arch/mips/kernel/binfmt_elfo32.c linux-3.1.1/arch/mips/kernel/binfmt_elfo32.c
1149 --- linux-3.1.1/arch/mips/kernel/binfmt_elfo32.c        2011-11-11 15:19:27.000000000 -0500
1150 +++ linux-3.1.1/arch/mips/kernel/binfmt_elfo32.c        2011-11-16 18:39:07.000000000 -0500
1151 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1152  #undef ELF_ET_DYN_BASE
1153  #define ELF_ET_DYN_BASE         (TASK32_SIZE / 3 * 2)
1154  
1155 +#ifdef CONFIG_PAX_ASLR
1156 +#define PAX_ELF_ET_DYN_BASE    (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1157 +
1158 +#define PAX_DELTA_MMAP_LEN     (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1159 +#define PAX_DELTA_STACK_LEN    (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1160 +#endif
1161 +
1162  #include <asm/processor.h>
1163  
1164  /*
1165 diff -urNp linux-3.1.1/arch/mips/kernel/process.c linux-3.1.1/arch/mips/kernel/process.c
1166 --- linux-3.1.1/arch/mips/kernel/process.c      2011-11-11 15:19:27.000000000 -0500
1167 +++ linux-3.1.1/arch/mips/kernel/process.c      2011-11-16 18:39:07.000000000 -0500
1168 @@ -481,15 +481,3 @@ unsigned long get_wchan(struct task_stru
1169  out:
1170         return pc;
1171  }
1172 -
1173 -/*
1174 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1175 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1176 - */
1177 -unsigned long arch_align_stack(unsigned long sp)
1178 -{
1179 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1180 -               sp -= get_random_int() & ~PAGE_MASK;
1181 -
1182 -       return sp & ALMASK;
1183 -}
1184 diff -urNp linux-3.1.1/arch/mips/mm/fault.c linux-3.1.1/arch/mips/mm/fault.c
1185 --- linux-3.1.1/arch/mips/mm/fault.c    2011-11-11 15:19:27.000000000 -0500
1186 +++ linux-3.1.1/arch/mips/mm/fault.c    2011-11-16 18:39:07.000000000 -0500
1187 @@ -28,6 +28,23 @@
1188  #include <asm/highmem.h>               /* For VMALLOC_END */
1189  #include <linux/kdebug.h>
1190  
1191 +#ifdef CONFIG_PAX_PAGEEXEC
1192 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
1193 +{
1194 +       unsigned long i;
1195 +
1196 +       printk(KERN_ERR "PAX: bytes at PC: ");
1197 +       for (i = 0; i < 5; i++) {
1198 +               unsigned int c;
1199 +               if (get_user(c, (unsigned int *)pc+i))
1200 +                       printk(KERN_CONT "???????? ");
1201 +               else
1202 +                       printk(KERN_CONT "%08x ", c);
1203 +       }
1204 +       printk("\n");
1205 +}
1206 +#endif
1207 +
1208  /*
1209   * This routine handles page faults.  It determines the address,
1210   * and the problem, and then passes it off to one of the appropriate
1211 diff -urNp linux-3.1.1/arch/mips/mm/mmap.c linux-3.1.1/arch/mips/mm/mmap.c
1212 --- linux-3.1.1/arch/mips/mm/mmap.c     2011-11-11 15:19:27.000000000 -0500
1213 +++ linux-3.1.1/arch/mips/mm/mmap.c     2011-11-16 18:39:07.000000000 -0500
1214 @@ -95,6 +95,11 @@ static unsigned long arch_get_unmapped_a
1215                 do_color_align = 1;
1216  
1217         /* requesting a specific address */
1218 +
1219 +#ifdef CONFIG_PAX_RANDMMAP
1220 +       if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1221 +#endif
1222 +
1223         if (addr) {
1224                 if (do_color_align)
1225                         addr = COLOUR_ALIGN(addr, pgoff);
1226 @@ -102,8 +107,7 @@ static unsigned long arch_get_unmapped_a
1227                         addr = PAGE_ALIGN(addr);
1228  
1229                 vma = find_vma(mm, addr);
1230 -               if (TASK_SIZE - len >= addr &&
1231 -                   (!vma || addr + len <= vma->vm_start))
1232 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vmm, addr, len))
1233                         return addr;
1234         }
1235  
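Review bot: `check_heap_stack_gap(vmm, addr, len)` refers to a variable `vmm` that does not exist in this function — the mapping just looked up is `vma` (`vma = find_vma(mm, addr);` two lines above, and `addr = vma->vm_end;` in the next hunk), so this will not compile; the same name is used in the three following hunks of this file at each replaced condition. Change every one to `check_heap_stack_gap(vma, ...)`. arch_get_unmapped_area continues outside these hunks.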
1236 @@ -118,7 +122,7 @@ static unsigned long arch_get_unmapped_a
1237                         /* At this point:  (!vma || addr < vma->vm_end). */
1238                         if (TASK_SIZE - len < addr)
1239                                 return -ENOMEM;
1240 -                       if (!vma || addr + len <= vma->vm_start)
1241 +                       if (check_heap_stack_gap(vmm, addr, len))
1242                                 return addr;
1243                         addr = vma->vm_end;
1244                         if (do_color_align)
1245 @@ -145,7 +149,7 @@ static unsigned long arch_get_unmapped_a
1246                 /* make sure it can fit in the remaining address space */
1247                 if (likely(addr > len)) {
1248                         vma = find_vma(mm, addr - len);
1249 -                       if (!vma || addr <= vma->vm_start) {
1250 +                       if (check_heap_stack_gap(vmm, addr - len, len))
1251                                 /* cache the address as a hint for next time */
1252                                 return mm->free_area_cache = addr - len;
1253                         }
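Review bot: The rewritten line `if (check_heap_stack_gap(vmm, addr - len, len))` dropped the opening brace that the removed `if (!vma || addr <= vma->vm_start) {` had, while the closing `}` two lines below is kept, so the block is now unbalanced in addition to the `vmm` name. Restore it as `if (check_heap_stack_gap(vma, addr - len, len)) {`.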
1254 @@ -165,7 +169,7 @@ static unsigned long arch_get_unmapped_a
1255                          * return with success:
1256                          */
1257                         vma = find_vma(mm, addr);
1258 -                       if (likely(!vma || addr + len <= vma->vm_start)) {
1259 +                       if (check_heap_stack_gap(vmm, addr, len)) {
1260                                 /* cache the address as a hint for next time */
1261                                 return mm->free_area_cache = addr;
1262                         }
1263 @@ -242,30 +246,3 @@ void arch_pick_mmap_layout(struct mm_str
1264                 mm->unmap_area = arch_unmap_area_topdown;
1265         }
1266  }
1267 -
1268 -static inline unsigned long brk_rnd(void)
1269 -{
1270 -       unsigned long rnd = get_random_int();
1271 -
1272 -       rnd = rnd << PAGE_SHIFT;
1273 -       /* 8MB for 32bit, 256MB for 64bit */
1274 -       if (TASK_IS_32BIT_ADDR)
1275 -               rnd = rnd & 0x7ffffful;
1276 -       else
1277 -               rnd = rnd & 0xffffffful;
1278 -
1279 -       return rnd;
1280 -}
1281 -
1282 -unsigned long arch_randomize_brk(struct mm_struct *mm)
1283 -{
1284 -       unsigned long base = mm->brk;
1285 -       unsigned long ret;
1286 -
1287 -       ret = PAGE_ALIGN(base + brk_rnd());
1288 -
1289 -       if (ret < mm->brk)
1290 -               return mm->brk;
1291 -
1292 -       return ret;
1293 -}
1294 diff -urNp linux-3.1.1/arch/parisc/include/asm/elf.h linux-3.1.1/arch/parisc/include/asm/elf.h
1295 --- linux-3.1.1/arch/parisc/include/asm/elf.h   2011-11-11 15:19:27.000000000 -0500
1296 +++ linux-3.1.1/arch/parisc/include/asm/elf.h   2011-11-16 18:39:07.000000000 -0500
1297 @@ -342,6 +342,13 @@ struct pt_regs;    /* forward declaration..
1298  
1299  #define ELF_ET_DYN_BASE         (TASK_UNMAPPED_BASE + 0x01000000)
1300  
1301 +#ifdef CONFIG_PAX_ASLR
1302 +#define PAX_ELF_ET_DYN_BASE    0x10000UL
1303 +
1304 +#define PAX_DELTA_MMAP_LEN     16
1305 +#define PAX_DELTA_STACK_LEN    16
1306 +#endif
1307 +
1308  /* This yields a mask that user programs can use to figure out what
1309     instruction set this CPU supports.  This could be done in user space,
1310     but it's not easy, and we've already done it here.  */
1311 diff -urNp linux-3.1.1/arch/parisc/include/asm/pgtable.h linux-3.1.1/arch/parisc/include/asm/pgtable.h
1312 --- linux-3.1.1/arch/parisc/include/asm/pgtable.h       2011-11-11 15:19:27.000000000 -0500
1313 +++ linux-3.1.1/arch/parisc/include/asm/pgtable.h       2011-11-16 18:39:07.000000000 -0500
1314 @@ -210,6 +210,17 @@ struct vm_area_struct;
1315  #define PAGE_EXECREAD   __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1316  #define PAGE_COPY       PAGE_EXECREAD
1317  #define PAGE_RWX        __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1318 +
1319 +#ifdef CONFIG_PAX_PAGEEXEC
1320 +# define PAGE_SHARED_NOEXEC    __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1321 +# define PAGE_COPY_NOEXEC      __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1322 +# define PAGE_READONLY_NOEXEC  __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1323 +#else
1324 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
1325 +# define PAGE_COPY_NOEXEC      PAGE_COPY
1326 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
1327 +#endif
1328 +
1329  #define PAGE_KERNEL    __pgprot(_PAGE_KERNEL)
1330  #define PAGE_KERNEL_EXEC       __pgprot(_PAGE_KERNEL_EXEC)
1331  #define PAGE_KERNEL_RWX        __pgprot(_PAGE_KERNEL_RWX)
1332 diff -urNp linux-3.1.1/arch/parisc/kernel/module.c linux-3.1.1/arch/parisc/kernel/module.c
1333 --- linux-3.1.1/arch/parisc/kernel/module.c     2011-11-11 15:19:27.000000000 -0500
1334 +++ linux-3.1.1/arch/parisc/kernel/module.c     2011-11-16 18:39:07.000000000 -0500
1335 @@ -98,16 +98,38 @@
1336  
1337  /* three functions to determine where in the module core
1338   * or init pieces the location is */
1339 +static inline int in_init_rx(struct module *me, void *loc)
1340 +{
1341 +       return (loc >= me->module_init_rx &&
1342 +               loc < (me->module_init_rx + me->init_size_rx));
1343 +}
1344 +
1345 +static inline int in_init_rw(struct module *me, void *loc)
1346 +{
1347 +       return (loc >= me->module_init_rw &&
1348 +               loc < (me->module_init_rw + me->init_size_rw));
1349 +}
1350 +
1351  static inline int in_init(struct module *me, void *loc)
1352  {
1353 -       return (loc >= me->module_init &&
1354 -               loc <= (me->module_init + me->init_size));
1355 +       return in_init_rx(me, loc) || in_init_rw(me, loc);
1356 +}
1357 +
1358 +static inline int in_core_rx(struct module *me, void *loc)
1359 +{
1360 +       return (loc >= me->module_core_rx &&
1361 +               loc < (me->module_core_rx + me->core_size_rx));
1362 +}
1363 +
1364 +static inline int in_core_rw(struct module *me, void *loc)
1365 +{
1366 +       return (loc >= me->module_core_rw &&
1367 +               loc < (me->module_core_rw + me->core_size_rw));
1368  }
1369  
1370  static inline int in_core(struct module *me, void *loc)
1371  {
1372 -       return (loc >= me->module_core &&
1373 -               loc <= (me->module_core + me->core_size));
1374 +       return in_core_rx(me, loc) || in_core_rw(me, loc);
1375  }
1376  
1377  static inline int in_local(struct module *me, void *loc)
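Review bot: The retained comment at the top of the hunk, `/* three functions to determine where in the module core * or init pieces the location is */`, is now inaccurate: the hunk adds four helpers, making seven. Update it, e.g. `/* helpers to determine where in the module core/init, rx or rw, pieces the location is */`. Note also that the new helpers test `loc < base + size` where the replaced in_init/in_core used `<=`; that tightens the range to a proper half-open interval (one-past-the-end no longer counts as inside), which is correct but is a behaviour change hidden in the rx/rw split and deserves a word in the commit message or a comment.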
1378 @@ -373,13 +395,13 @@ int module_frob_arch_sections(CONST Elf_
1379         }
1380  
1381         /* align things a bit */
1382 -       me->core_size = ALIGN(me->core_size, 16);
1383 -       me->arch.got_offset = me->core_size;
1384 -       me->core_size += gots * sizeof(struct got_entry);
1385 -
1386 -       me->core_size = ALIGN(me->core_size, 16);
1387 -       me->arch.fdesc_offset = me->core_size;
1388 -       me->core_size += fdescs * sizeof(Elf_Fdesc);
1389 +       me->core_size_rw = ALIGN(me->core_size_rw, 16);
1390 +       me->arch.got_offset = me->core_size_rw;
1391 +       me->core_size_rw += gots * sizeof(struct got_entry);
1392 +
1393 +       me->core_size_rw = ALIGN(me->core_size_rw, 16);
1394 +       me->arch.fdesc_offset = me->core_size_rw;
1395 +       me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1396  
1397         me->arch.got_max = gots;
1398         me->arch.fdesc_max = fdescs;
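Review bot: The GOT and fdesc tables are now carved out of `core_size_rw` rather than the old unified `core_size`, and the `/* align things a bit */` comment says nothing about why they must land in the RW half; the later hunks show both tables being written at load time (`got[i].addr`, `fdesc->addr = value`), so placing them in the RX mapping would fault. A one-line reason above the first `ALIGN`, e.g. `/* GOT and fdescs are written during relocation, so they live in the RW core, not the RX one */`, would record that constraint for whoever next touches the layout. module_frob_arch_sections starts and ends outside the hunk.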
1399 @@ -397,7 +419,7 @@ static Elf64_Word get_got(struct module 
1400  
1401         BUG_ON(value == 0);
1402  
1403 -       got = me->module_core + me->arch.got_offset;
1404 +       got = me->module_core_rw + me->arch.got_offset;
1405         for (i = 0; got[i].addr; i++)
1406                 if (got[i].addr == value)
1407                         goto out;
1408 @@ -415,7 +437,7 @@ static Elf64_Word get_got(struct module 
1409  #ifdef CONFIG_64BIT
1410  static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1411  {
1412 -       Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1413 +       Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1414  
1415         if (!value) {
1416                 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1417 @@ -433,7 +455,7 @@ static Elf_Addr get_fdesc(struct module 
1418  
1419         /* Create new one */
1420         fdesc->addr = value;
1421 -       fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1422 +       fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1423         return (Elf_Addr)fdesc;
1424  }
1425  #endif /* CONFIG_64BIT */
1426 @@ -845,7 +867,7 @@ register_unwind_table(struct module *me,
1427  
1428         table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1429         end = table + sechdrs[me->arch.unwind_section].sh_size;
1430 -       gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1431 +       gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1432  
1433         DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1434                me->arch.unwind_section, table, end, gp);
1435 diff -urNp linux-3.1.1/arch/parisc/kernel/sys_parisc.c linux-3.1.1/arch/parisc/kernel/sys_parisc.c
1436 --- linux-3.1.1/arch/parisc/kernel/sys_parisc.c 2011-11-11 15:19:27.000000000 -0500
1437 +++ linux-3.1.1/arch/parisc/kernel/sys_parisc.c 2011-11-16 18:39:07.000000000 -0500
1438 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1439                 /* At this point:  (!vma || addr < vma->vm_end). */
1440                 if (TASK_SIZE - len < addr)
1441                         return -ENOMEM;
1442 -               if (!vma || addr + len <= vma->vm_start)
1443 +               if (check_heap_stack_gap(vma, addr, len))
1444                         return addr;
1445                 addr = vma->vm_end;
1446         }
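Review bot: The replaced condition handled a NULL vma itself (`!vma || addr + len <= vma->vm_start`), so the new `check_heap_stack_gap(vma, addr, len)` must also return true for a NULL vma, otherwise the fall-through `addr = vma->vm_end;` on the next line dereferences NULL; the helper is not visible here, so this should be confirmed against its definition. The same substitution appears in the get_shared_area hunk just below, where the fall-through is `addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;`. A short comment at the first call site, e.g. `/* check_heap_stack_gap() accepts a NULL vma (nothing mapped above addr) */`, would make that contract explicit. Both enclosing functions start outside their hunks.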
1447 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1448                 /* At this point:  (!vma || addr < vma->vm_end). */
1449                 if (TASK_SIZE - len < addr)
1450                         return -ENOMEM;
1451 -               if (!vma || addr + len <= vma->vm_start)
1452 +               if (check_heap_stack_gap(vma, addr, len))
1453                         return addr;
1454                 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1455                 if (addr < vma->vm_end) /* handle wraparound */
1456 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1457         if (flags & MAP_FIXED)
1458                 return addr;
1459         if (!addr)
1460 -               addr = TASK_UNMAPPED_BASE;
1461 +               addr = current->mm->mmap_base;
1462  
1463         if (filp) {
1464                 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
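Review bot: The new default `addr = current->mm->mmap_base;` is only a safe replacement for `TASK_UNMAPPED_BASE` if `mmap_base` is initialised for every parisc mm before the first mapping request, which this hunk cannot show; a zero `mmap_base` would start the search at address 0. It is worth confirming that the parisc `arch_pick_mmap_layout` (or the generic one this patch relies on) sets it, and a comment such as `/* mmap_base is set at exec time by arch_pick_mmap_layout() */` would record the dependency. arch_get_unmapped_area continues outside the hunk.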
1465 diff -urNp linux-3.1.1/arch/parisc/kernel/traps.c linux-3.1.1/arch/parisc/kernel/traps.c
1466 --- linux-3.1.1/arch/parisc/kernel/traps.c      2011-11-11 15:19:27.000000000 -0500
1467 +++ linux-3.1.1/arch/parisc/kernel/traps.c      2011-11-16 18:39:07.000000000 -0500
1468 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1469  
1470                         down_read(&current->mm->mmap_sem);
1471                         vma = find_vma(current->mm,regs->iaoq[0]);
1472 -                       if (vma && (regs->iaoq[0] >= vma->vm_start)
1473 -                               && (vma->vm_flags & VM_EXEC)) {
1474 -
1475 +                       if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1476                                 fault_address = regs->iaoq[0];
1477                                 fault_space = regs->iasq[0];
1478  
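Review bot: Dropping the `vma->vm_flags & VM_EXEC` test widens which instruction-fetch interruptions are treated as a page fault at `regs->iaoq[0]`, and nothing in the hunk records why that is wanted. If the intent is to let the page-fault handler's protection check (and the PAGEEXEC path added to it elsewhere in this patch) see fetches from non-executable mappings, a comment on the new `if` line saying so, e.g. `/* no VM_EXEC test here: do_page_fault() decides what a fetch from a non-exec vma means */`, would stop a future reader from "restoring" the check; this is an inference, since the handler is not visible here. handle_interruption continues on both sides of the hunk.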
1479 diff -urNp linux-3.1.1/arch/parisc/mm/fault.c linux-3.1.1/arch/parisc/mm/fault.c
1480 --- linux-3.1.1/arch/parisc/mm/fault.c  2011-11-11 15:19:27.000000000 -0500
1481 +++ linux-3.1.1/arch/parisc/mm/fault.c  2011-11-16 18:39:07.000000000 -0500
1482 @@ -15,6 +15,7 @@
1483  #include <linux/sched.h>
1484  #include <linux/interrupt.h>
1485  #include <linux/module.h>
1486 +#include <linux/unistd.h>
1487  
1488  #include <asm/uaccess.h>
1489  #include <asm/traps.h>
1490 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1491  static unsigned long
1492  parisc_acctyp(unsigned long code, unsigned int inst)
1493  {
1494 -       if (code == 6 || code == 16)
1495 +       if (code == 6 || code == 7 || code == 16)
1496             return VM_EXEC;
1497  
1498         switch (inst & 0xf0000000) {
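Review bot: `code == 6 || code == 7 || code == 16` extends a list of bare interruption numbers with a third value and no comment saying what each one is. If 7 is the instruction memory protection trap (as classifying it as `VM_EXEC` suggests), a comment above the `if`, such as `/* 6: ITLB miss, 7: instruction memory protection, 16: non-access ITLB miss */`, would save the next reader a trip to the architecture manual; the exact names should be checked rather than copied from this note. parisc_acctyp continues past the hunk.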
1499 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1500                         }
1501  #endif
1502  
1503 +#ifdef CONFIG_PAX_PAGEEXEC
1504 +/*
1505 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1506 + *
1507 + * returns 1 when task should be killed
1508 + *         2 when rt_sigreturn trampoline was detected
1509 + *         3 when unpatched PLT trampoline was detected
1510 + */
1511 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1512 +{
1513 +
1514 +#ifdef CONFIG_PAX_EMUPLT
1515 +       int err;
1516 +
1517 +       do { /* PaX: unpatched PLT emulation */
1518 +               unsigned int bl, depwi;
1519 +
1520 +               err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1521 +               err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1522 +
1523 +               if (err)
1524 +                       break;
1525 +
1526 +               if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1527 +                       unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1528 +
1529 +                       err = get_user(ldw, (unsigned int *)addr);
1530 +                       err |= get_user(bv, (unsigned int *)(addr+4));
1531 +                       err |= get_user(ldw2, (unsigned int *)(addr+8));
1532 +
1533 +                       if (err)
1534 +                               break;
1535 +
1536 +                       if (ldw == 0x0E801096U &&
1537 +                           bv == 0xEAC0C000U &&
1538 +                           ldw2 == 0x0E881095U)
1539 +                       {
1540 +                               unsigned int resolver, map;
1541 +
1542 +                               err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1543 +                               err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1544 +                               if (err)
1545 +                                       break;
1546 +
1547 +                               regs->gr[20] = instruction_pointer(regs)+8;
1548 +                               regs->gr[21] = map;
1549 +                               regs->gr[22] = resolver;
1550 +                               regs->iaoq[0] = resolver | 3UL;
1551 +                               regs->iaoq[1] = regs->iaoq[0] + 4;
1552 +                               return 3;
1553 +                       }
1554 +               }
1555 +       } while (0);
1556 +#endif
1557 +
1558 +#ifdef CONFIG_PAX_EMUTRAMP
1559 +
1560 +#ifndef CONFIG_PAX_EMUSIGRT
1561 +       if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1562 +               return 1;
1563 +#endif
1564 +
1565 +       do { /* PaX: rt_sigreturn emulation */
1566 +               unsigned int ldi1, ldi2, bel, nop;
1567 +
1568 +               err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1569 +               err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1570 +               err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1571 +               err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1572 +
1573 +               if (err)
1574 +                       break;
1575 +
1576 +               if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1577 +                   ldi2 == 0x3414015AU &&
1578 +                   bel == 0xE4008200U &&
1579 +                   nop == 0x08000240U)
1580 +               {
1581 +                       regs->gr[25] = (ldi1 & 2) >> 1;
1582 +                       regs->gr[20] = __NR_rt_sigreturn;
1583 +                       regs->gr[31] = regs->iaoq[1] + 16;
1584 +                       regs->sr[0] = regs->iasq[1];
1585 +                       regs->iaoq[0] = 0x100UL;
1586 +                       regs->iaoq[1] = regs->iaoq[0] + 4;
1587 +                       regs->iasq[0] = regs->sr[2];
1588 +                       regs->iasq[1] = regs->sr[2];
1589 +                       return 2;
1590 +               }
1591 +       } while (0);
1592 +#endif
1593 +
1594 +       return 1;
1595 +}
1596 +
1597 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
1598 +{
1599 +       unsigned long i;
1600 +
1601 +       printk(KERN_ERR "PAX: bytes at PC: ");
1602 +       for (i = 0; i < 5; i++) {
1603 +               unsigned int c;
1604 +               if (get_user(c, (unsigned int *)pc+i))
1605 +                       printk(KERN_CONT "???????? ");
1606 +               else
1607 +                       printk(KERN_CONT "%08x ", c);
1608 +       }
1609 +       printk("\n");
1610 +}
1611 +#endif
1612 +
1613  int fixup_exception(struct pt_regs *regs)
1614  {
1615         const struct exception_table_entry *fix;
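Review bot: `int err;` is declared only inside `#ifdef CONFIG_PAX_EMUPLT` at the top of pax_handle_fetch_fault, but it is also assigned and tested inside the `#ifdef CONFIG_PAX_EMUTRAMP` block below, so a configuration with EMUTRAMP enabled and EMUPLT disabled will not compile unless Kconfig forbids that combination, which this hunk cannot show. Hoisting the declaration under `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` / `int err;` / `#endif` removes the dependency. Separately, in the EMUPLT branch `addr` is an `unsigned int` holding `instruction_pointer(regs)-12` and is cast back to a pointer for `get_user`, which truncates on a 64-bit kernel for any fault address above 4 GiB; `unsigned long addr` would match the other address arithmetic in the function.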
1616 @@ -192,8 +303,33 @@ good_area:
1617  
1618         acc_type = parisc_acctyp(code,regs->iir);
1619  
1620 -       if ((vma->vm_flags & acc_type) != acc_type)
1621 +       if ((vma->vm_flags & acc_type) != acc_type) {
1622 +
1623 +#ifdef CONFIG_PAX_PAGEEXEC
1624 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1625 +                   (address & ~3UL) == instruction_pointer(regs))
1626 +               {
1627 +                       up_read(&mm->mmap_sem);
1628 +                       switch (pax_handle_fetch_fault(regs)) {
1629 +
1630 +#ifdef CONFIG_PAX_EMUPLT
1631 +                       case 3:
1632 +                               return;
1633 +#endif
1634 +
1635 +#ifdef CONFIG_PAX_EMUTRAMP
1636 +                       case 2:
1637 +                               return;
1638 +#endif
1639 +
1640 +                       }
1641 +                       pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1642 +                       do_group_exit(SIGKILL);
1643 +               }
1644 +#endif
1645 +
1646                 goto bad_area;
1647 +       }
1648  
1649         /*
1650          * If for any reason at all we couldn't handle the fault, make
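Review bot: The `switch (pax_handle_fetch_fault(regs))` has cases only for the two emulation results and no `default:`, so the kill path (return value 1, per the helper's header comment) is reached by falling out of the switch, which reads as an accident rather than a decision. Adding `default: break; /* 1: kill the task below */` makes it explicit, and a comment on the `up_read(&mm->mmap_sem)` line that the lock is dropped here because both the `return`s and `do_group_exit()` leave without touching it again would help the reader. The enclosing do_page_fault starts and ends outside the hunk.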
1651 diff -urNp linux-3.1.1/arch/powerpc/include/asm/elf.h linux-3.1.1/arch/powerpc/include/asm/elf.h
1652 --- linux-3.1.1/arch/powerpc/include/asm/elf.h  2011-11-11 15:19:27.000000000 -0500
1653 +++ linux-3.1.1/arch/powerpc/include/asm/elf.h  2011-11-16 18:39:07.000000000 -0500
1654 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
1655     the loader.  We need to make sure that it is out of the way of the program
1656     that it will "exec", and that there is sufficient room for the brk.  */
1657  
1658 -extern unsigned long randomize_et_dyn(unsigned long base);
1659 -#define ELF_ET_DYN_BASE                (randomize_et_dyn(0x20000000))
1660 +#define ELF_ET_DYN_BASE                (0x20000000)
1661 +
1662 +#ifdef CONFIG_PAX_ASLR
1663 +#define PAX_ELF_ET_DYN_BASE    (0x10000000UL)
1664 +
1665 +#ifdef __powerpc64__
1666 +#define PAX_DELTA_MMAP_LEN     (is_32bit_task() ? 16 : 28)
1667 +#define PAX_DELTA_STACK_LEN    (is_32bit_task() ? 16 : 28)
1668 +#else
1669 +#define PAX_DELTA_MMAP_LEN     15
1670 +#define PAX_DELTA_STACK_LEN    15
1671 +#endif
1672 +#endif
1673  
1674  /*
1675   * Our registers are always unsigned longs, whether we're a 32 bit
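Review bot: With `ELF_ET_DYN_BASE` now the constant `0x20000000` and `randomize_et_dyn()` gone, a kernel built with this patch but without CONFIG_PAX_ASLR loads PIE executables at a fixed base, because the replacement `PAX_ELF_ET_DYN_BASE`/`PAX_DELTA_*_LEN` definitions are only visible under that option; the same applies to the removal of `arch_randomize_brk` in the next hunk and to the system.h hunk, whose macro `arch_align_stack(x) ((x) & ~0xfUL)` no longer randomises the initial stack pointer. If dropping the upstream randomisation for non-PaX configurations is intended, a comment on the `#define ELF_ET_DYN_BASE` line should say so, e.g. `/* PaX: upstream randomize_et_dyn() is replaced by PAX_DELTA_* under CONFIG_PAX_ASLR */`; otherwise the old definitions should be kept under `#ifndef CONFIG_PAX_ASLR`.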
1676 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
1677         (0x7ff >> (PAGE_SHIFT - 12)) : \
1678         (0x3ffff >> (PAGE_SHIFT - 12)))
1679  
1680 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1681 -#define arch_randomize_brk arch_randomize_brk
1682 -
1683  #endif /* __KERNEL__ */
1684  
1685  /*
1686 diff -urNp linux-3.1.1/arch/powerpc/include/asm/kmap_types.h linux-3.1.1/arch/powerpc/include/asm/kmap_types.h
1687 --- linux-3.1.1/arch/powerpc/include/asm/kmap_types.h   2011-11-11 15:19:27.000000000 -0500
1688 +++ linux-3.1.1/arch/powerpc/include/asm/kmap_types.h   2011-11-16 18:39:07.000000000 -0500
1689 @@ -27,6 +27,7 @@ enum km_type {
1690         KM_PPC_SYNC_PAGE,
1691         KM_PPC_SYNC_ICACHE,
1692         KM_KDB,
1693 +       KM_CLEARPAGE,
1694         KM_TYPE_NR
1695  };
1696  
1697 diff -urNp linux-3.1.1/arch/powerpc/include/asm/mman.h linux-3.1.1/arch/powerpc/include/asm/mman.h
1698 --- linux-3.1.1/arch/powerpc/include/asm/mman.h 2011-11-11 15:19:27.000000000 -0500
1699 +++ linux-3.1.1/arch/powerpc/include/asm/mman.h 2011-11-16 18:39:07.000000000 -0500
1700 @@ -44,7 +44,7 @@ static inline unsigned long arch_calc_vm
1701  }
1702  #define arch_calc_vm_prot_bits(prot) arch_calc_vm_prot_bits(prot)
1703  
1704 -static inline pgprot_t arch_vm_get_page_prot(unsigned long vm_flags)
1705 +static inline pgprot_t arch_vm_get_page_prot(vm_flags_t vm_flags)
1706  {
1707         return (vm_flags & VM_SAO) ? __pgprot(_PAGE_SAO) : __pgprot(0);
1708  }
1709 diff -urNp linux-3.1.1/arch/powerpc/include/asm/page_64.h linux-3.1.1/arch/powerpc/include/asm/page_64.h
1710 --- linux-3.1.1/arch/powerpc/include/asm/page_64.h      2011-11-11 15:19:27.000000000 -0500
1711 +++ linux-3.1.1/arch/powerpc/include/asm/page_64.h      2011-11-16 18:39:07.000000000 -0500
1712 @@ -155,15 +155,18 @@ do {                                              \
1713   * stack by default, so in the absence of a PT_GNU_STACK program header
1714   * we turn execute permission off.
1715   */
1716 -#define VM_STACK_DEFAULT_FLAGS32       (VM_READ | VM_WRITE | VM_EXEC | \
1717 -                                        VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1718 +#define VM_STACK_DEFAULT_FLAGS32 \
1719 +       (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1720 +        VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1721  
1722  #define VM_STACK_DEFAULT_FLAGS64       (VM_READ | VM_WRITE | \
1723                                          VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1724  
1725 +#ifndef CONFIG_PAX_PAGEEXEC
1726  #define VM_STACK_DEFAULT_FLAGS \
1727         (is_32bit_task() ? \
1728          VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
1729 +#endif
1730  
1731  #include <asm-generic/getorder.h>
1732  
1733 diff -urNp linux-3.1.1/arch/powerpc/include/asm/page.h linux-3.1.1/arch/powerpc/include/asm/page.h
1734 --- linux-3.1.1/arch/powerpc/include/asm/page.h 2011-11-11 15:19:27.000000000 -0500
1735 +++ linux-3.1.1/arch/powerpc/include/asm/page.h 2011-11-16 18:39:07.000000000 -0500
1736 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
1737   * and needs to be executable.  This means the whole heap ends
1738   * up being executable.
1739   */
1740 -#define VM_DATA_DEFAULT_FLAGS32        (VM_READ | VM_WRITE | VM_EXEC | \
1741 -                                VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1742 +#define VM_DATA_DEFAULT_FLAGS32 \
1743 +       (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1744 +        VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1745  
1746  #define VM_DATA_DEFAULT_FLAGS64        (VM_READ | VM_WRITE | \
1747                                  VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1748 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
1749  #define is_kernel_addr(x)      ((x) >= PAGE_OFFSET)
1750  #endif
1751  
1752 +#define ktla_ktva(addr)                (addr)
1753 +#define ktva_ktla(addr)                (addr)
1754 +
1755  #ifndef __ASSEMBLY__
1756  
1757  #undef STRICT_MM_TYPECHECKS
1758 diff -urNp linux-3.1.1/arch/powerpc/include/asm/pgtable.h linux-3.1.1/arch/powerpc/include/asm/pgtable.h
1759 --- linux-3.1.1/arch/powerpc/include/asm/pgtable.h      2011-11-11 15:19:27.000000000 -0500
1760 +++ linux-3.1.1/arch/powerpc/include/asm/pgtable.h      2011-11-16 18:39:07.000000000 -0500
1761 @@ -2,6 +2,7 @@
1762  #define _ASM_POWERPC_PGTABLE_H
1763  #ifdef __KERNEL__
1764  
1765 +#include <linux/const.h>
1766  #ifndef __ASSEMBLY__
1767  #include <asm/processor.h>             /* For TASK_SIZE */
1768  #include <asm/mmu.h>
1769 diff -urNp linux-3.1.1/arch/powerpc/include/asm/pte-hash32.h linux-3.1.1/arch/powerpc/include/asm/pte-hash32.h
1770 --- linux-3.1.1/arch/powerpc/include/asm/pte-hash32.h   2011-11-11 15:19:27.000000000 -0500
1771 +++ linux-3.1.1/arch/powerpc/include/asm/pte-hash32.h   2011-11-16 18:39:07.000000000 -0500
1772 @@ -21,6 +21,7 @@
1773  #define _PAGE_FILE     0x004   /* when !present: nonlinear file mapping */
1774  #define _PAGE_USER     0x004   /* usermode access allowed */
1775  #define _PAGE_GUARDED  0x008   /* G: prohibit speculative access */
1776 +#define _PAGE_EXEC     _PAGE_GUARDED
1777  #define _PAGE_COHERENT 0x010   /* M: enforce memory coherence (SMP systems) */
1778  #define _PAGE_NO_CACHE 0x020   /* I: cache inhibit */
1779  #define _PAGE_WRITETHRU        0x040   /* W: cache write-through */
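Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` makes two differently named flags refer to the same hardware bit with no comment, so any code that sets `_PAGE_GUARDED` for I/O mappings now also satisfies a test for `_PAGE_EXEC`, and vice versa. A comment should state the overloading and its reason — whether the G bit is being used directly or with inverted meaning to deny instruction fetch is not visible here, so the exact wording has to come from the PAGEEXEC design, but something like `/* PaX: hash32 has no per-page execute bit; the G bit stands in for it (see DSISR_GUARDED) */` is the shape it needs, and it should be confirmed against the fault-handler side of this patch.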
1780 diff -urNp linux-3.1.1/arch/powerpc/include/asm/reg.h linux-3.1.1/arch/powerpc/include/asm/reg.h
1781 --- linux-3.1.1/arch/powerpc/include/asm/reg.h  2011-11-11 15:19:27.000000000 -0500
1782 +++ linux-3.1.1/arch/powerpc/include/asm/reg.h  2011-11-16 18:39:07.000000000 -0500
1783 @@ -212,6 +212,7 @@
1784  #define SPRN_DBCR      0x136   /* e300 Data Breakpoint Control Reg */
1785  #define SPRN_DSISR     0x012   /* Data Storage Interrupt Status Register */
1786  #define   DSISR_NOHPTE         0x40000000      /* no translation found */
1787 +#define   DSISR_GUARDED                0x10000000      /* fetch from guarded storage */
1788  #define   DSISR_PROTFAULT      0x08000000      /* protection fault */
1789  #define   DSISR_ISSTORE                0x02000000      /* access was a store */
1790  #define   DSISR_DABRMATCH      0x00400000      /* hit data breakpoint */
1791 diff -urNp linux-3.1.1/arch/powerpc/include/asm/system.h linux-3.1.1/arch/powerpc/include/asm/system.h
1792 --- linux-3.1.1/arch/powerpc/include/asm/system.h       2011-11-11 15:19:27.000000000 -0500
1793 +++ linux-3.1.1/arch/powerpc/include/asm/system.h       2011-11-16 18:39:07.000000000 -0500
1794 @@ -530,7 +530,7 @@ __cmpxchg_local(volatile void *ptr, unsi
1795  #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
1796  #endif
1797  
1798 -extern unsigned long arch_align_stack(unsigned long sp);
1799 +#define arch_align_stack(x) ((x) & ~0xfUL)
1800  
1801  /* Used in very early kernel initialization. */
1802  extern unsigned long reloc_offset(void);
1803 diff -urNp linux-3.1.1/arch/powerpc/include/asm/uaccess.h linux-3.1.1/arch/powerpc/include/asm/uaccess.h
1804 --- linux-3.1.1/arch/powerpc/include/asm/uaccess.h      2011-11-11 15:19:27.000000000 -0500
1805 +++ linux-3.1.1/arch/powerpc/include/asm/uaccess.h      2011-11-16 18:39:07.000000000 -0500
1806 @@ -13,6 +13,8 @@
1807  #define VERIFY_READ    0
1808  #define VERIFY_WRITE   1
1809  
1810 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
1811 +
1812  /*
1813   * The fs value determines whether argument validity checking should be
1814   * performed or not.  If get_fs() == USER_DS, checking is performed, with
1815 @@ -327,52 +329,6 @@ do {                                                               \
1816  extern unsigned long __copy_tofrom_user(void __user *to,
1817                 const void __user *from, unsigned long size);
1818  
1819 -#ifndef __powerpc64__
1820 -
1821 -static inline unsigned long copy_from_user(void *to,
1822 -               const void __user *from, unsigned long n)
1823 -{
1824 -       unsigned long over;
1825 -
1826 -       if (access_ok(VERIFY_READ, from, n))
1827 -               return __copy_tofrom_user((__force void __user *)to, from, n);
1828 -       if ((unsigned long)from < TASK_SIZE) {
1829 -               over = (unsigned long)from + n - TASK_SIZE;
1830 -               return __copy_tofrom_user((__force void __user *)to, from,
1831 -                               n - over) + over;
1832 -       }
1833 -       return n;
1834 -}
1835 -
1836 -static inline unsigned long copy_to_user(void __user *to,
1837 -               const void *from, unsigned long n)
1838 -{
1839 -       unsigned long over;
1840 -
1841 -       if (access_ok(VERIFY_WRITE, to, n))
1842 -               return __copy_tofrom_user(to, (__force void __user *)from, n);
1843 -       if ((unsigned long)to < TASK_SIZE) {
1844 -               over = (unsigned long)to + n - TASK_SIZE;
1845 -               return __copy_tofrom_user(to, (__force void __user *)from,
1846 -                               n - over) + over;
1847 -       }
1848 -       return n;
1849 -}
1850 -
1851 -#else /* __powerpc64__ */
1852 -
1853 -#define __copy_in_user(to, from, size) \
1854 -       __copy_tofrom_user((to), (from), (size))
1855 -
1856 -extern unsigned long copy_from_user(void *to, const void __user *from,
1857 -                                   unsigned long n);
1858 -extern unsigned long copy_to_user(void __user *to, const void *from,
1859 -                                 unsigned long n);
1860 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
1861 -                                 unsigned long n);
1862 -
1863 -#endif /* __powerpc64__ */
1864 -
1865  static inline unsigned long __copy_from_user_inatomic(void *to,
1866                 const void __user *from, unsigned long n)
1867  {
1868 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
1869                 if (ret == 0)
1870                         return 0;
1871         }
1872 +
1873 +       if (!__builtin_constant_p(n))
1874 +               check_object_size(to, n, false);
1875 +
1876         return __copy_tofrom_user((__force void __user *)to, from, n);
1877  }
1878  
1879 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
1880                 if (ret == 0)
1881                         return 0;
1882         }
1883 +
1884 +       if (!__builtin_constant_p(n))
1885 +               check_object_size(from, n, true);
1886 +
1887         return __copy_tofrom_user(to, (__force const void __user *)from, n);
1888  }
1889  
1890 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
1891         return __copy_to_user_inatomic(to, from, size);
1892  }
1893  
1894 +#ifndef __powerpc64__
1895 +
1896 +static inline unsigned long __must_check copy_from_user(void *to,
1897 +               const void __user *from, unsigned long n)
1898 +{
1899 +       unsigned long over;
1900 +
1901 +       if ((long)n < 0)
1902 +               return n;
1903 +
1904 +       if (access_ok(VERIFY_READ, from, n)) {
1905 +               if (!__builtin_constant_p(n))
1906 +                       check_object_size(to, n, false);
1907 +               return __copy_tofrom_user((__force void __user *)to, from, n);
1908 +       }
1909 +       if ((unsigned long)from < TASK_SIZE) {
1910 +               over = (unsigned long)from + n - TASK_SIZE;
1911 +               if (!__builtin_constant_p(n - over))
1912 +                       check_object_size(to, n - over, false);
1913 +               return __copy_tofrom_user((__force void __user *)to, from,
1914 +                               n - over) + over;
1915 +       }
1916 +       return n;
1917 +}
1918 +
1919 +static inline unsigned long __must_check copy_to_user(void __user *to,
1920 +               const void *from, unsigned long n)
1921 +{
1922 +       unsigned long over;
1923 +
1924 +       if ((long)n < 0)
1925 +               return n;
1926 +
1927 +       if (access_ok(VERIFY_WRITE, to, n)) {
1928 +               if (!__builtin_constant_p(n))
1929 +                       check_object_size(from, n, true);
1930 +               return __copy_tofrom_user(to, (__force void __user *)from, n);
1931 +       }
1932 +       if ((unsigned long)to < TASK_SIZE) {
1933 +               over = (unsigned long)to + n - TASK_SIZE;
1934 +               if (!__builtin_constant_p(n))
1935 +                       check_object_size(from, n - over, true);
1936 +               return __copy_tofrom_user(to, (__force void __user *)from,
1937 +                               n - over) + over;
1938 +       }
1939 +       return n;
1940 +}
1941 +
1942 +#else /* __powerpc64__ */
1943 +
1944 +#define __copy_in_user(to, from, size) \
1945 +       __copy_tofrom_user((to), (from), (size))
1946 +
1947 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
1948 +{
1949 +       if ((long)n < 0 || n > INT_MAX)
1950 +               return n;
1951 +
1952 +       if (!__builtin_constant_p(n))
1953 +               check_object_size(to, n, false);
1954 +
1955 +       if (likely(access_ok(VERIFY_READ, from, n)))
1956 +               n = __copy_from_user(to, from, n);
1957 +       else
1958 +               memset(to, 0, n);
1959 +       return n;
1960 +}
1961 +
1962 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
1963 +{
1964 +       if ((long)n < 0 || n > INT_MAX)
1965 +               return n;
1966 +
1967 +       if (likely(access_ok(VERIFY_WRITE, to, n))) {
1968 +               if (!__builtin_constant_p(n))
1969 +                       check_object_size(from, n, true);
1970 +               n = __copy_to_user(to, from, n);
1971 +       }
1972 +       return n;
1973 +}
1974 +
1975 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
1976 +                                 unsigned long n);
1977 +
1978 +#endif /* __powerpc64__ */
1979 +
1980  extern unsigned long __clear_user(void __user *addr, unsigned long size);
1981  
1982  static inline unsigned long clear_user(void __user *addr, unsigned long size)
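Review bot: The two 32-bit partial-copy paths are not consistent: copy_from_user guards with `if (!__builtin_constant_p(n - over))` while copy_to_user guards with `if (!__builtin_constant_p(n))` before checking `n - over` bytes, and since `over` depends on the runtime address the `n - over` form is never a constant anyway, so one form should be used in both. Only the 64-bit copy_from_user zeroes the destination when `access_ok` fails (`memset(to, 0, n)`), whereas the 32-bit one returns `n` with `to` untouched and its partial path leaves the last `over` bytes uninitialised; if callers on both word sizes rely on the destination being fully written, the 32-bit variant should zero the unwritten tail too, otherwise the difference deserves a comment. The 64-bit copy_from_user also calls `check_object_size()` before `access_ok()` while copy_to_user does it only inside the success branch; picking one order would make the pair easier to audit.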
1983 diff -urNp linux-3.1.1/arch/powerpc/kernel/exceptions-64e.S linux-3.1.1/arch/powerpc/kernel/exceptions-64e.S
1984 --- linux-3.1.1/arch/powerpc/kernel/exceptions-64e.S    2011-11-11 15:19:27.000000000 -0500
1985 +++ linux-3.1.1/arch/powerpc/kernel/exceptions-64e.S    2011-11-16 18:39:07.000000000 -0500
1986 @@ -587,6 +587,7 @@ storage_fault_common:
1987         std     r14,_DAR(r1)
1988         std     r15,_DSISR(r1)
1989         addi    r3,r1,STACK_FRAME_OVERHEAD
1990 +       bl      .save_nvgprs
1991         mr      r4,r14
1992         mr      r5,r15
1993         ld      r14,PACA_EXGEN+EX_R14(r13)
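Review bot: `bl .save_nvgprs` is moved in front of the `.do_page_fault` call, so the non-volatile registers are now saved on every storage fault rather than only on the error path, and the hunk does not say why. The reason is presumably that the fault handler (or the PaX reporting it now calls) needs a complete pt_regs; an assembly comment on the moved line, e.g. `# save nvgprs before the call: the fault handler may read them`, would preserve that. The same reorder is made in the exceptions-64s.S handle_page_fault hunk below, and storage_fault_common continues outside this hunk.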
1994 @@ -596,8 +597,7 @@ storage_fault_common:
1995         cmpdi   r3,0
1996         bne-    1f
1997         b       .ret_from_except_lite
1998 -1:     bl      .save_nvgprs
1999 -       mr      r5,r3
2000 +1:     mr      r5,r3
2001         addi    r3,r1,STACK_FRAME_OVERHEAD
2002         ld      r4,_DAR(r1)
2003         bl      .bad_page_fault
2004 diff -urNp linux-3.1.1/arch/powerpc/kernel/exceptions-64s.S linux-3.1.1/arch/powerpc/kernel/exceptions-64s.S
2005 --- linux-3.1.1/arch/powerpc/kernel/exceptions-64s.S    2011-11-11 15:19:27.000000000 -0500
2006 +++ linux-3.1.1/arch/powerpc/kernel/exceptions-64s.S    2011-11-16 18:39:07.000000000 -0500
2007 @@ -1014,10 +1014,10 @@ handle_page_fault:
2008  11:    ld      r4,_DAR(r1)
2009         ld      r5,_DSISR(r1)
2010         addi    r3,r1,STACK_FRAME_OVERHEAD
2011 +       bl      .save_nvgprs
2012         bl      .do_page_fault
2013         cmpdi   r3,0
2014         beq+    13f
2015 -       bl      .save_nvgprs
2016         mr      r5,r3
2017         addi    r3,r1,STACK_FRAME_OVERHEAD
2018         lwz     r4,_DAR(r1)
2019 diff -urNp linux-3.1.1/arch/powerpc/kernel/module_32.c linux-3.1.1/arch/powerpc/kernel/module_32.c
2020 --- linux-3.1.1/arch/powerpc/kernel/module_32.c 2011-11-11 15:19:27.000000000 -0500
2021 +++ linux-3.1.1/arch/powerpc/kernel/module_32.c 2011-11-16 18:39:07.000000000 -0500
2022 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2023                         me->arch.core_plt_section = i;
2024         }
2025         if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2026 -               printk("Module doesn't contain .plt or .init.plt sections.\n");
2027 +               printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2028                 return -ENOEXEC;
2029         }
2030  
2031 @@ -192,11 +192,16 @@ static uint32_t do_plt_call(void *locati
2032  
2033         DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2034         /* Init, or core PLT? */
2035 -       if (location >= mod->module_core
2036 -           && location < mod->module_core + mod->core_size)
2037 +       if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2038 +           (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2039                 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2040 -       else
2041 +       else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2042 +                (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2043                 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2044 +       else {
2045 +               printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2046 +               return ~0UL;
2047 +       }
2048  
2049         /* Find this entry, or if that fails, the next avail. entry */
2050         while (entry->jump[0]) {
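Review bot: The new error branch returns `~0UL` from a function the hunk header shows as `static uint32_t do_plt_call`, so the value is silently truncated to 0xffffffff and the caller must recognise that sentinel; the caller is outside the hunk, so it should be checked that it does, otherwise the bogus value ends up written into the relocation. A named constant or an explicit `return (uint32_t)~0U; /* sentinel: location is in neither the core nor the init section */` would make the contract visible. The new `printk` uses `KERN_ERR` while the one changed in this file's first hunk has no level; aligning them would be tidier. do_plt_call continues past the hunk.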
2051 diff -urNp linux-3.1.1/arch/powerpc/kernel/process.c linux-3.1.1/arch/powerpc/kernel/process.c
2052 --- linux-3.1.1/arch/powerpc/kernel/process.c   2011-11-11 15:19:27.000000000 -0500
2053 +++ linux-3.1.1/arch/powerpc/kernel/process.c   2011-11-16 18:40:08.000000000 -0500
2054 @@ -682,8 +682,8 @@ void show_regs(struct pt_regs * regs)
2055          * Lookup NIP late so we have the best change of getting the
2056          * above info out without failing
2057          */
2058 -       printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2059 -       printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2060 +       printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2061 +       printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2062  #endif
2063         show_stack(current, (unsigned long *) regs->gpr[1]);
2064         if (!user_mode(regs))
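Review bot: `%pS` is replaced by `%pA` in show_regs, and in the two show_stack hunks below, but `%pA` is not a pointer format the stock vsprintf of this kernel version knows, so these lines depend on the printf extension being added elsewhere in this patch (presumably in lib/vsprintf.c); if that part is missing or built out, the pointers are printed without symbolisation. A comment at the first use, e.g. `/* %pA: PaX symbolic-pointer format, see the vsprintf change in this patch */`, would tie the two together. show_regs continues outside the hunk.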
2065 @@ -1187,10 +1187,10 @@ void show_stack(struct task_struct *tsk,
2066                 newsp = stack[0];
2067                 ip = stack[STACK_FRAME_LR_SAVE];
2068                 if (!firstframe || ip != lr) {
2069 -                       printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2070 +                       printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2071  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2072                         if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2073 -                               printk(" (%pS)",
2074 +                               printk(" (%pA)",
2075                                        (void *)current->ret_stack[curr_frame].ret);
2076                                 curr_frame--;
2077                         }
2078 @@ -1210,7 +1210,7 @@ void show_stack(struct task_struct *tsk,
2079                         struct pt_regs *regs = (struct pt_regs *)
2080                                 (sp + STACK_FRAME_OVERHEAD);
2081                         lr = regs->link;
2082 -                       printk("--- Exception: %lx at %pS\n    LR = %pS\n",
2083 +                       printk("--- Exception: %lx at %pA\n    LR = %pA\n",
2084                                regs->trap, (void *)regs->nip, (void *)lr);
2085                         firstframe = 1;
2086                 }
2087 @@ -1285,58 +1285,3 @@ void thread_info_cache_init(void)
2088  }
2089  
2090  #endif /* THREAD_SHIFT < PAGE_SHIFT */
2091 -
2092 -unsigned long arch_align_stack(unsigned long sp)
2093 -{
2094 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2095 -               sp -= get_random_int() & ~PAGE_MASK;
2096 -       return sp & ~0xf;
2097 -}
2098 -
2099 -static inline unsigned long brk_rnd(void)
2100 -{
2101 -        unsigned long rnd = 0;
2102 -
2103 -       /* 8MB for 32bit, 1GB for 64bit */
2104 -       if (is_32bit_task())
2105 -               rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2106 -       else
2107 -               rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2108 -
2109 -       return rnd << PAGE_SHIFT;
2110 -}
2111 -
2112 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2113 -{
2114 -       unsigned long base = mm->brk;
2115 -       unsigned long ret;
2116 -
2117 -#ifdef CONFIG_PPC_STD_MMU_64
2118 -       /*
2119 -        * If we are using 1TB segments and we are allowed to randomise
2120 -        * the heap, we can put it above 1TB so it is backed by a 1TB
2121 -        * segment. Otherwise the heap will be in the bottom 1TB
2122 -        * which always uses 256MB segments and this may result in a
2123 -        * performance penalty.
2124 -        */
2125 -       if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2126 -               base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2127 -#endif
2128 -
2129 -       ret = PAGE_ALIGN(base + brk_rnd());
2130 -
2131 -       if (ret < mm->brk)
2132 -               return mm->brk;
2133 -
2134 -       return ret;
2135 -}
2136 -
2137 -unsigned long randomize_et_dyn(unsigned long base)
2138 -{
2139 -       unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2140 -
2141 -       if (ret < base)
2142 -               return base;
2143 -
2144 -       return ret;
2145 -}
2146 diff -urNp linux-3.1.1/arch/powerpc/kernel/signal_32.c linux-3.1.1/arch/powerpc/kernel/signal_32.c
2147 --- linux-3.1.1/arch/powerpc/kernel/signal_32.c 2011-11-11 15:19:27.000000000 -0500
2148 +++ linux-3.1.1/arch/powerpc/kernel/signal_32.c 2011-11-16 18:39:07.000000000 -0500
2149 @@ -859,7 +859,7 @@ int handle_rt_signal32(unsigned long sig
2150         /* Save user registers on the stack */
2151         frame = &rt_sf->uc.uc_mcontext;
2152         addr = frame;
2153 -       if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2154 +       if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2155                 if (save_user_regs(regs, frame, 0, 1))
2156                         goto badframe;
2157                 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
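Review bot: The "no vDSO" sentinel for `context.vdso_base` changes from 0 to ~0UL here, in the signal_64.c hunk below and where vdso.c initialises it, but any remaining test of the field for zero (the non-rt `handle_signal32` path in this same file, if it still has the mainline form) would now treat the ~0UL sentinel as a usable base and derive a trampoline address from it. Every reader of the field needs the same `!= ~0UL` comparison, and a one-line comment at the vdso.c assignment, `/* ~0UL means no vDSO is mapped; never test this field for zero */`, would make the new convention visible. handle_rt_signal32 begins and ends outside the hunk.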
2158 diff -urNp linux-3.1.1/arch/powerpc/kernel/signal_64.c linux-3.1.1/arch/powerpc/kernel/signal_64.c
2159 --- linux-3.1.1/arch/powerpc/kernel/signal_64.c 2011-11-11 15:19:27.000000000 -0500
2160 +++ linux-3.1.1/arch/powerpc/kernel/signal_64.c 2011-11-16 18:39:07.000000000 -0500
2161 @@ -430,7 +430,7 @@ int handle_rt_signal64(int signr, struct
2162         current->thread.fpscr.val = 0;
2163  
2164         /* Set up to return from userspace. */
2165 -       if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2166 +       if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2167                 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2168         } else {
2169                 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2170 diff -urNp linux-3.1.1/arch/powerpc/kernel/traps.c linux-3.1.1/arch/powerpc/kernel/traps.c
2171 --- linux-3.1.1/arch/powerpc/kernel/traps.c     2011-11-11 15:19:27.000000000 -0500
2172 +++ linux-3.1.1/arch/powerpc/kernel/traps.c     2011-11-16 18:40:08.000000000 -0500
2173 @@ -98,6 +98,8 @@ static void pmac_backlight_unblank(void)
2174  static inline void pmac_backlight_unblank(void) { }
2175  #endif
2176  
2177 +extern void gr_handle_kernel_exploit(void);
2178 +
2179  int die(const char *str, struct pt_regs *regs, long err)
2180  {
2181         static struct {
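Review bot: `extern void gr_handle_kernel_exploit(void);` is declared in the .c file rather than in a shared header, so this prototype and the definition elsewhere in the patch are never checked against each other by the compiler. Move the declaration into the header the rest of the grsecurity code includes (`<PLACEHOLDER: grsecurity header>`) or an existing asm/ header; if it must stay local, a comment naming where the function is defined would at least help the next reader.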
2182 @@ -171,6 +173,8 @@ int die(const char *str, struct pt_regs 
2183         if (panic_on_oops)
2184                 panic("Fatal exception");
2185  
2186 +       gr_handle_kernel_exploit();
2187 +
2188         oops_exit();
2189         do_exit(err);
2190  
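Review bot: The `gr_handle_kernel_exploit()` call is placed after the `panic_on_oops` check, so on kernels that panic on oops the hook never runs; whatever the handler does is not visible in this hunk, so it is unclear whether skipping it on panic configurations is intended. If it is, a comment such as `/* not reached when panic_on_oops: the machine is going down regardless */` would record that; if not, the call belongs before the panic. die()'s body continues outside the hunk.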
2191 diff -urNp linux-3.1.1/arch/powerpc/kernel/vdso.c linux-3.1.1/arch/powerpc/kernel/vdso.c
2192 --- linux-3.1.1/arch/powerpc/kernel/vdso.c      2011-11-11 15:19:27.000000000 -0500
2193 +++ linux-3.1.1/arch/powerpc/kernel/vdso.c      2011-11-16 18:39:07.000000000 -0500
2194 @@ -36,6 +36,7 @@
2195  #include <asm/firmware.h>
2196  #include <asm/vdso.h>
2197  #include <asm/vdso_datapage.h>
2198 +#include <asm/mman.h>
2199  
2200  #include "setup.h"
2201  
2202 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2203         vdso_base = VDSO32_MBASE;
2204  #endif
2205  
2206 -       current->mm->context.vdso_base = 0;
2207 +       current->mm->context.vdso_base = ~0UL;
2208  
2209         /* vDSO has a problem and was disabled, just don't "enable" it for the
2210          * process
2211 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2212         vdso_base = get_unmapped_area(NULL, vdso_base,
2213                                       (vdso_pages << PAGE_SHIFT) +
2214                                       ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2215 -                                     0, 0);
2216 +                                     0, MAP_PRIVATE | MAP_EXECUTABLE);
2217         if (IS_ERR_VALUE(vdso_base)) {
2218                 rc = vdso_base;
2219                 goto fail_mmapsem;
2220 diff -urNp linux-3.1.1/arch/powerpc/lib/usercopy_64.c linux-3.1.1/arch/powerpc/lib/usercopy_64.c
2221 --- linux-3.1.1/arch/powerpc/lib/usercopy_64.c  2011-11-11 15:19:27.000000000 -0500
2222 +++ linux-3.1.1/arch/powerpc/lib/usercopy_64.c  2011-11-16 18:39:07.000000000 -0500
2223 @@ -9,22 +9,6 @@
2224  #include <linux/module.h>
2225  #include <asm/uaccess.h>
2226  
2227 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2228 -{
2229 -       if (likely(access_ok(VERIFY_READ, from, n)))
2230 -               n = __copy_from_user(to, from, n);
2231 -       else
2232 -               memset(to, 0, n);
2233 -       return n;
2234 -}
2235 -
2236 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2237 -{
2238 -       if (likely(access_ok(VERIFY_WRITE, to, n)))
2239 -               n = __copy_to_user(to, from, n);
2240 -       return n;
2241 -}
2242 -
2243  unsigned long copy_in_user(void __user *to, const void __user *from,
2244                            unsigned long n)
2245  {
2246 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2247         return n;
2248  }
2249  
2250 -EXPORT_SYMBOL(copy_from_user);
2251 -EXPORT_SYMBOL(copy_to_user);
2252  EXPORT_SYMBOL(copy_in_user);
2253  
2254 diff -urNp linux-3.1.1/arch/powerpc/mm/fault.c linux-3.1.1/arch/powerpc/mm/fault.c
2255 --- linux-3.1.1/arch/powerpc/mm/fault.c 2011-11-11 15:19:27.000000000 -0500
2256 +++ linux-3.1.1/arch/powerpc/mm/fault.c 2011-11-16 18:39:07.000000000 -0500
2257 @@ -32,6 +32,10 @@
2258  #include <linux/perf_event.h>
2259  #include <linux/magic.h>
2260  #include <linux/ratelimit.h>
2261 +#include <linux/slab.h>
2262 +#include <linux/pagemap.h>
2263 +#include <linux/compiler.h>
2264 +#include <linux/unistd.h>
2265  
2266  #include <asm/firmware.h>
2267  #include <asm/page.h>
2268 @@ -43,6 +47,7 @@
2269  #include <asm/tlbflush.h>
2270  #include <asm/siginfo.h>
2271  #include <mm/mmu_decl.h>
2272 +#include <asm/ptrace.h>
2273  
2274  #ifdef CONFIG_KPROBES
2275  static inline int notify_page_fault(struct pt_regs *regs)
2276 @@ -66,6 +71,33 @@ static inline int notify_page_fault(stru
2277  }
2278  #endif
2279  
2280 +#ifdef CONFIG_PAX_PAGEEXEC
2281 +/*
2282 + * PaX: decide what to do with offenders (regs->nip = fault address)
2283 + *
2284 + * returns 1 when task should be killed
2285 + */
2286 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2287 +{
2288 +       return 1;
2289 +}
2290 +
2291 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
2292 +{
2293 +       unsigned long i;
2294 +
2295 +       printk(KERN_ERR "PAX: bytes at PC: ");
2296 +       for (i = 0; i < 5; i++) {
2297 +               unsigned int c;
2298 +               if (get_user(c, (unsigned int __user *)pc+i))
2299 +                       printk(KERN_CONT "???????? ");
2300 +               else
2301 +                       printk(KERN_CONT "%08x ", c);
2302 +       }
2303 +       printk("\n");
2304 +}
2305 +#endif
2306 +
2307  /*
2308   * Check whether the instruction at regs->nip is a store using
2309   * an update addressing form which will update r1.
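Review bot: `pax_report_insns` takes `sp` but never reads it, and neither it nor `pax_handle_fetch_fault` carries a comment saying the signatures are dictated by callers outside this file, so the unused parameter reads like an oversight. A comment above the definition, `/* sp is unused on powerpc; the signature is shared with the other arch implementations */`, would settle it — that is my reading of why it is there and should be confirmed. The stub `pax_handle_fetch_fault` returning a constant 1 matches its header comment, so no change is needed there.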
2310 @@ -136,7 +168,7 @@ int __kprobes do_page_fault(struct pt_re
2311          * indicate errors in DSISR but can validly be set in SRR1.
2312          */
2313         if (trap == 0x400)
2314 -               error_code &= 0x48200000;
2315 +               error_code &= 0x58200000;
2316         else
2317                 is_write = error_code & DSISR_ISSTORE;
2318  #else
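Review bot: The new mask `0x58200000` adds the 0x10000000 bit to the instruction-fault filter as a bare magic number, while the `good_area` hunk below replaces that same bit with the named `DSISR_GUARDED`. Spelling it as `error_code &= 0x48200000 | DSISR_GUARDED;` with a comment that the guarded-storage bit is now relevant to exec faults keeps the two sites in agreement and makes the intent greppable. do_page_fault begins and ends outside the hunk.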
2319 @@ -259,7 +291,7 @@ good_area:
2320           * "undefined".  Of those that can be set, this is the only
2321           * one which seems bad.
2322           */
2323 -       if (error_code & 0x10000000)
2324 +       if (error_code & DSISR_GUARDED)
2325                  /* Guarded storage error. */
2326                 goto bad_area;
2327  #endif /* CONFIG_8xx */
2328 @@ -274,7 +306,7 @@ good_area:
2329                  * processors use the same I/D cache coherency mechanism
2330                  * as embedded.
2331                  */
2332 -               if (error_code & DSISR_PROTFAULT)
2333 +               if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2334                         goto bad_area;
2335  #endif /* CONFIG_PPC_STD_MMU */
2336  
2337 @@ -343,6 +375,23 @@ bad_area:
2338  bad_area_nosemaphore:
2339         /* User mode accesses cause a SIGSEGV */
2340         if (user_mode(regs)) {
2341 +
2342 +#ifdef CONFIG_PAX_PAGEEXEC
2343 +               if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2344 +#ifdef CONFIG_PPC_STD_MMU
2345 +                       if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2346 +#else
2347 +                       if (is_exec && regs->nip == address) {
2348 +#endif
2349 +                               switch (pax_handle_fetch_fault(regs)) {
2350 +                               }
2351 +
2352 +                               pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2353 +                               do_group_exit(SIGKILL);
2354 +                       }
2355 +               }
2356 +#endif
2357 +
2358                 _exception(SIGSEGV, regs, code, address);
2359                 return 0;
2360         }
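Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has no cases, so the return value that the helper's comment says decides whether the task is killed is discarded and `do_group_exit(SIGKILL)` runs unconditionally. If the empty switch is a placeholder mirroring emulation cases on other architectures, a comment inside the braces, `/* no fetch-fault emulation on powerpc: always fatal */`, would say so; otherwise `if (pax_handle_fetch_fault(regs))` around the kill would express the documented contract. The two `#ifdef CONFIG_PPC_STD_MMU` branches share one closing brace, which is correct but easy to misread.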
2361 diff -urNp linux-3.1.1/arch/powerpc/mm/mmap_64.c linux-3.1.1/arch/powerpc/mm/mmap_64.c
2362 --- linux-3.1.1/arch/powerpc/mm/mmap_64.c       2011-11-11 15:19:27.000000000 -0500
2363 +++ linux-3.1.1/arch/powerpc/mm/mmap_64.c       2011-11-16 18:39:07.000000000 -0500
2364 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2365          */
2366         if (mmap_is_legacy()) {
2367                 mm->mmap_base = TASK_UNMAPPED_BASE;
2368 +
2369 +#ifdef CONFIG_PAX_RANDMMAP
2370 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2371 +                       mm->mmap_base += mm->delta_mmap;
2372 +#endif
2373 +
2374                 mm->get_unmapped_area = arch_get_unmapped_area;
2375                 mm->unmap_area = arch_unmap_area;
2376         } else {
2377                 mm->mmap_base = mmap_base();
2378 +
2379 +#ifdef CONFIG_PAX_RANDMMAP
2380 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2381 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2382 +#endif
2383 +
2384                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2385                 mm->unmap_area = arch_unmap_area_topdown;
2386         }
2387 diff -urNp linux-3.1.1/arch/powerpc/mm/slice.c linux-3.1.1/arch/powerpc/mm/slice.c
2388 --- linux-3.1.1/arch/powerpc/mm/slice.c 2011-11-11 15:19:27.000000000 -0500
2389 +++ linux-3.1.1/arch/powerpc/mm/slice.c 2011-11-16 18:39:07.000000000 -0500
2390 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2391         if ((mm->task_size - len) < addr)
2392                 return 0;
2393         vma = find_vma(mm, addr);
2394 -       return (!vma || (addr + len) <= vma->vm_start);
2395 +       return check_heap_stack_gap(vma, addr, len);
2396  }
2397  
2398  static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2399 @@ -256,7 +256,7 @@ full_search:
2400                                 addr = _ALIGN_UP(addr + 1,  1ul << SLICE_HIGH_SHIFT);
2401                         continue;
2402                 }
2403 -               if (!vma || addr + len <= vma->vm_start) {
2404 +               if (check_heap_stack_gap(vma, addr, len)) {
2405                         /*
2406                          * Remember the place where we stopped the search:
2407                          */
2408 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
2409                 }
2410         }
2411  
2412 -       addr = mm->mmap_base;
2413 -       while (addr > len) {
2414 +       if (mm->mmap_base < len)
2415 +               addr = -ENOMEM;
2416 +       else
2417 +               addr = mm->mmap_base - len;
2418 +
2419 +       while (!IS_ERR_VALUE(addr)) {
2420                 /* Go down by chunk size */
2421 -               addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
2422 +               addr = _ALIGN_DOWN(addr, 1ul << pshift);
2423  
2424                 /* Check for hit with different page size */
2425                 mask = slice_range_to_mask(addr, len);
2426 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
2427                  * return with success:
2428                  */
2429                 vma = find_vma(mm, addr);
2430 -               if (!vma || (addr + len) <= vma->vm_start) {
2431 +               if (check_heap_stack_gap(vma, addr, len)) {
2432                         /* remember the address as a hint for next time */
2433                         if (use_cache)
2434                                 mm->free_area_cache = addr;
2435 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
2436                         mm->cached_hole_size = vma->vm_start - addr;
2437  
2438                 /* try just below the current vma->vm_start */
2439 -               addr = vma->vm_start;
2440 +               addr = skip_heap_stack_gap(vma, len);
2441         }
2442  
2443         /*
2444 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
2445         if (fixed && addr > (mm->task_size - len))
2446                 return -EINVAL;
2447  
2448 +#ifdef CONFIG_PAX_RANDMMAP
2449 +       if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2450 +               addr = 0;
2451 +#endif
2452 +
2453         /* If hint, make sure it matches our alignment restrictions */
2454         if (!fixed && addr) {
2455                 addr = _ALIGN_UP(addr, 1ul << pshift);
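Review bot: Resetting `addr = 0` when `MF_PAX_RANDMMAP` is set silently discards the caller's hint for every non-fixed mapping, and nothing in the hunk says why. A comment on the reset, `/* drop the hint so a caller cannot pin the placement when randomisation is on */`, is my reading of the intent and should be confirmed by the author. slice_get_unmapped_area continues past the hunk.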
2456 diff -urNp linux-3.1.1/arch/s390/include/asm/elf.h linux-3.1.1/arch/s390/include/asm/elf.h
2457 --- linux-3.1.1/arch/s390/include/asm/elf.h     2011-11-11 15:19:27.000000000 -0500
2458 +++ linux-3.1.1/arch/s390/include/asm/elf.h     2011-11-16 18:39:07.000000000 -0500
2459 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
2460     the loader.  We need to make sure that it is out of the way of the program
2461     that it will "exec", and that there is sufficient room for the brk.  */
2462  
2463 -extern unsigned long randomize_et_dyn(unsigned long base);
2464 -#define ELF_ET_DYN_BASE                (randomize_et_dyn(STACK_TOP / 3 * 2))
2465 +#define ELF_ET_DYN_BASE                (STACK_TOP / 3 * 2)
2466 +
2467 +#ifdef CONFIG_PAX_ASLR
2468 +#define PAX_ELF_ET_DYN_BASE    (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2469 +
2470 +#define PAX_DELTA_MMAP_LEN     (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2471 +#define PAX_DELTA_STACK_LEN    (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2472 +#endif
2473  
2474  /* This yields a mask that user programs can use to figure out what
2475     instruction set this CPU supports. */
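Review bot: With `randomize_et_dyn` and `arch_randomize_brk` removed, `ELF_ET_DYN_BASE` becomes a fixed address and the brk is no longer randomised unless CONFIG_PAX_ASLR is enabled and PaX randomisation applies to the task; the same holds for `arch_align_stack` in the system.h hunk below, which becomes a plain mask with no random pad, and for the powerpc process.c deletion earlier in the patch. A kernel built from this patch with CONFIG_PAX_ASLR unset therefore has less address-space randomisation than unpatched 3.1, which the Kconfig help or a comment beside the `#ifdef CONFIG_PAX_ASLR` block should state. Minor style point: `? 15 : 26 )` carries a stray space before the closing parenthesis on two lines.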
2476 @@ -211,7 +217,4 @@ struct linux_binprm;
2477  #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
2478  int arch_setup_additional_pages(struct linux_binprm *, int);
2479  
2480 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2481 -#define arch_randomize_brk arch_randomize_brk
2482 -
2483  #endif
2484 diff -urNp linux-3.1.1/arch/s390/include/asm/system.h linux-3.1.1/arch/s390/include/asm/system.h
2485 --- linux-3.1.1/arch/s390/include/asm/system.h  2011-11-11 15:19:27.000000000 -0500
2486 +++ linux-3.1.1/arch/s390/include/asm/system.h  2011-11-16 18:39:07.000000000 -0500
2487 @@ -256,7 +256,7 @@ extern void (*_machine_restart)(char *co
2488  extern void (*_machine_halt)(void);
2489  extern void (*_machine_power_off)(void);
2490  
2491 -extern unsigned long arch_align_stack(unsigned long sp);
2492 +#define arch_align_stack(x) ((x) & ~0xfUL)
2493  
2494  static inline int tprot(unsigned long addr)
2495  {
2496 diff -urNp linux-3.1.1/arch/s390/include/asm/uaccess.h linux-3.1.1/arch/s390/include/asm/uaccess.h
2497 --- linux-3.1.1/arch/s390/include/asm/uaccess.h 2011-11-11 15:19:27.000000000 -0500
2498 +++ linux-3.1.1/arch/s390/include/asm/uaccess.h 2011-11-16 18:39:07.000000000 -0500
2499 @@ -235,6 +235,10 @@ static inline unsigned long __must_check
2500  copy_to_user(void __user *to, const void *from, unsigned long n)
2501  {
2502         might_fault();
2503 +
2504 +       if ((long)n < 0)
2505 +               return n;
2506 +
2507         if (access_ok(VERIFY_WRITE, to, n))
2508                 n = __copy_to_user(to, from, n);
2509         return n;
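Review bot: The `(long)n < 0` guard is added here and in the two hunks below (`__copy_from_user`, `copy_from_user`) without a comment, so the reason for bailing on a length with the sign bit set is left to the reader. A comment at each site such as `/* a length with the top bit set is an underflowed size: copy nothing and report it all uncopied */`, plus a note that the early return leaves `to` untouched (as the existing overflow path already does), would document the new contract. copy_to_user's body starts above the hunk.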
2510 @@ -260,6 +264,9 @@ copy_to_user(void __user *to, const void
2511  static inline unsigned long __must_check
2512  __copy_from_user(void *to, const void __user *from, unsigned long n)
2513  {
2514 +       if ((long)n < 0)
2515 +               return n;
2516 +
2517         if (__builtin_constant_p(n) && (n <= 256))
2518                 return uaccess.copy_from_user_small(n, from, to);
2519         else
2520 @@ -294,6 +301,10 @@ copy_from_user(void *to, const void __us
2521         unsigned int sz = __compiletime_object_size(to);
2522  
2523         might_fault();
2524 +
2525 +       if ((long)n < 0)
2526 +               return n;
2527 +
2528         if (unlikely(sz != -1 && sz < n)) {
2529                 copy_from_user_overflow();
2530                 return n;
2531 diff -urNp linux-3.1.1/arch/s390/kernel/module.c linux-3.1.1/arch/s390/kernel/module.c
2532 --- linux-3.1.1/arch/s390/kernel/module.c       2011-11-11 15:19:27.000000000 -0500
2533 +++ linux-3.1.1/arch/s390/kernel/module.c       2011-11-16 18:39:07.000000000 -0500
2534 @@ -161,11 +161,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2535  
2536         /* Increase core size by size of got & plt and set start
2537            offsets for got and plt. */
2538 -       me->core_size = ALIGN(me->core_size, 4);
2539 -       me->arch.got_offset = me->core_size;
2540 -       me->core_size += me->arch.got_size;
2541 -       me->arch.plt_offset = me->core_size;
2542 -       me->core_size += me->arch.plt_size;
2543 +       me->core_size_rw = ALIGN(me->core_size_rw, 4);
2544 +       me->arch.got_offset = me->core_size_rw;
2545 +       me->core_size_rw += me->arch.got_size;
2546 +       me->arch.plt_offset = me->core_size_rx;
2547 +       me->core_size_rx += me->arch.plt_size;
2548         return 0;
2549  }
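Review bot: The original aligned `core_size` to 4 once before carving out both the GOT and the PLT; the new code aligns only `core_size_rw`, so `plt_offset` is taken from `core_size_rx` with no alignment, and the PLT stubs written as `unsigned int` through `ip[0] = ...` in a later hunk may land at a non-4-aligned offset unless the layout code elsewhere guarantees `core_size_rx` is already aligned. Adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;` restores the invariant. The comment above, "Increase core size by size of got & plt", is now stale since the GOT goes to the RW region and the PLT to the RX region. module_frob_arch_sections begins outside the hunk.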
2550  
2551 @@ -242,7 +242,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2552                 if (info->got_initialized == 0) {
2553                         Elf_Addr *gotent;
2554  
2555 -                       gotent = me->module_core + me->arch.got_offset +
2556 +                       gotent = me->module_core_rw + me->arch.got_offset +
2557                                 info->got_offset;
2558                         *gotent = val;
2559                         info->got_initialized = 1;
2560 @@ -266,7 +266,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2561                 else if (r_type == R_390_GOTENT ||
2562                          r_type == R_390_GOTPLTENT)
2563                         *(unsigned int *) loc =
2564 -                               (val + (Elf_Addr) me->module_core - loc) >> 1;
2565 +                               (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2566                 else if (r_type == R_390_GOT64 ||
2567                          r_type == R_390_GOTPLT64)
2568                         *(unsigned long *) loc = val;
2569 @@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2570         case R_390_PLTOFF64:    /* 16 bit offset from GOT to PLT. */
2571                 if (info->plt_initialized == 0) {
2572                         unsigned int *ip;
2573 -                       ip = me->module_core + me->arch.plt_offset +
2574 +                       ip = me->module_core_rx + me->arch.plt_offset +
2575                                 info->plt_offset;
2576  #ifndef CONFIG_64BIT
2577                         ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
2578 @@ -305,7 +305,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2579                                val - loc + 0xffffUL < 0x1ffffeUL) ||
2580                               (r_type == R_390_PLT32DBL &&
2581                                val - loc + 0xffffffffULL < 0x1fffffffeULL)))
2582 -                               val = (Elf_Addr) me->module_core +
2583 +                               val = (Elf_Addr) me->module_core_rx +
2584                                         me->arch.plt_offset +
2585                                         info->plt_offset;
2586                         val += rela->r_addend - loc;
2587 @@ -327,7 +327,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2588         case R_390_GOTOFF32:    /* 32 bit offset to GOT.  */
2589         case R_390_GOTOFF64:    /* 64 bit offset to GOT. */
2590                 val = val + rela->r_addend -
2591 -                       ((Elf_Addr) me->module_core + me->arch.got_offset);
2592 +                       ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
2593                 if (r_type == R_390_GOTOFF16)
2594                         *(unsigned short *) loc = val;
2595                 else if (r_type == R_390_GOTOFF32)
2596 @@ -337,7 +337,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2597                 break;
2598         case R_390_GOTPC:       /* 32 bit PC relative offset to GOT. */
2599         case R_390_GOTPCDBL:    /* 32 bit PC rel. off. to GOT shifted by 1. */
2600 -               val = (Elf_Addr) me->module_core + me->arch.got_offset +
2601 +               val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
2602                         rela->r_addend - loc;
2603                 if (r_type == R_390_GOTPC)
2604                         *(unsigned int *) loc = val;
2605 diff -urNp linux-3.1.1/arch/s390/kernel/process.c linux-3.1.1/arch/s390/kernel/process.c
2606 --- linux-3.1.1/arch/s390/kernel/process.c      2011-11-11 15:19:27.000000000 -0500
2607 +++ linux-3.1.1/arch/s390/kernel/process.c      2011-11-16 18:39:07.000000000 -0500
2608 @@ -319,39 +319,3 @@ unsigned long get_wchan(struct task_stru
2609         }
2610         return 0;
2611  }
2612 -
2613 -unsigned long arch_align_stack(unsigned long sp)
2614 -{
2615 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2616 -               sp -= get_random_int() & ~PAGE_MASK;
2617 -       return sp & ~0xf;
2618 -}
2619 -
2620 -static inline unsigned long brk_rnd(void)
2621 -{
2622 -       /* 8MB for 32bit, 1GB for 64bit */
2623 -       if (is_32bit_task())
2624 -               return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
2625 -       else
2626 -               return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
2627 -}
2628 -
2629 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2630 -{
2631 -       unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
2632 -
2633 -       if (ret < mm->brk)
2634 -               return mm->brk;
2635 -       return ret;
2636 -}
2637 -
2638 -unsigned long randomize_et_dyn(unsigned long base)
2639 -{
2640 -       unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2641 -
2642 -       if (!(current->flags & PF_RANDOMIZE))
2643 -               return base;
2644 -       if (ret < base)
2645 -               return base;
2646 -       return ret;
2647 -}
2648 diff -urNp linux-3.1.1/arch/s390/kernel/setup.c linux-3.1.1/arch/s390/kernel/setup.c
2649 --- linux-3.1.1/arch/s390/kernel/setup.c        2011-11-11 15:19:27.000000000 -0500
2650 +++ linux-3.1.1/arch/s390/kernel/setup.c        2011-11-16 18:39:07.000000000 -0500
2651 @@ -271,7 +271,7 @@ static int __init early_parse_mem(char *
2652  }
2653  early_param("mem", early_parse_mem);
2654  
2655 -unsigned int user_mode = HOME_SPACE_MODE;
2656 +unsigned int user_mode = SECONDARY_SPACE_MODE;
2657  EXPORT_SYMBOL_GPL(user_mode);
2658  
2659  static int set_amode_and_uaccess(unsigned long user_amode,
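Review bot: Changing the default `user_mode` from `HOME_SPACE_MODE` to `SECONDARY_SPACE_MODE` alters the address-space layout every s390 kernel built from this patch boots with, and the one-line change carries no explanation. A comment on the definition recording the rationale (my reading is that keeping the user address space separate from the kernel's makes stray kernel dereferences of user pointers fault instead of succeeding, which the author should confirm), and a note that the `user_mode=` early parameter still overrides it if that parameter is retained, would help administrators and reviewers understand the behaviour change.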
2660 diff -urNp linux-3.1.1/arch/s390/mm/mmap.c linux-3.1.1/arch/s390/mm/mmap.c
2661 --- linux-3.1.1/arch/s390/mm/mmap.c     2011-11-11 15:19:27.000000000 -0500
2662 +++ linux-3.1.1/arch/s390/mm/mmap.c     2011-11-16 18:39:07.000000000 -0500
2663 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
2664          */
2665         if (mmap_is_legacy()) {
2666                 mm->mmap_base = TASK_UNMAPPED_BASE;
2667 +
2668 +#ifdef CONFIG_PAX_RANDMMAP
2669 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2670 +                       mm->mmap_base += mm->delta_mmap;
2671 +#endif
2672 +
2673                 mm->get_unmapped_area = arch_get_unmapped_area;
2674                 mm->unmap_area = arch_unmap_area;
2675         } else {
2676                 mm->mmap_base = mmap_base();
2677 +
2678 +#ifdef CONFIG_PAX_RANDMMAP
2679 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2680 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2681 +#endif
2682 +
2683                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2684                 mm->unmap_area = arch_unmap_area_topdown;
2685         }
2686 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
2687          */
2688         if (mmap_is_legacy()) {
2689                 mm->mmap_base = TASK_UNMAPPED_BASE;
2690 +
2691 +#ifdef CONFIG_PAX_RANDMMAP
2692 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2693 +                       mm->mmap_base += mm->delta_mmap;
2694 +#endif
2695 +
2696                 mm->get_unmapped_area = s390_get_unmapped_area;
2697                 mm->unmap_area = arch_unmap_area;
2698         } else {
2699                 mm->mmap_base = mmap_base();
2700 +
2701 +#ifdef CONFIG_PAX_RANDMMAP
2702 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2703 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2704 +#endif
2705 +
2706                 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
2707                 mm->unmap_area = arch_unmap_area_topdown;
2708         }
2709 diff -urNp linux-3.1.1/arch/score/include/asm/system.h linux-3.1.1/arch/score/include/asm/system.h
2710 --- linux-3.1.1/arch/score/include/asm/system.h 2011-11-11 15:19:27.000000000 -0500
2711 +++ linux-3.1.1/arch/score/include/asm/system.h 2011-11-16 18:39:07.000000000 -0500
2712 @@ -17,7 +17,7 @@ do {                                                          \
2713  #define finish_arch_switch(prev)       do {} while (0)
2714  
2715  typedef void (*vi_handler_t)(void);
2716 -extern unsigned long arch_align_stack(unsigned long sp);
2717 +#define arch_align_stack(x) (x)
2718  
2719  #define mb()           barrier()
2720  #define rmb()          barrier()
2721 diff -urNp linux-3.1.1/arch/score/kernel/process.c linux-3.1.1/arch/score/kernel/process.c
2722 --- linux-3.1.1/arch/score/kernel/process.c     2011-11-11 15:19:27.000000000 -0500
2723 +++ linux-3.1.1/arch/score/kernel/process.c     2011-11-16 18:39:07.000000000 -0500
2724 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
2725  
2726         return task_pt_regs(task)->cp0_epc;
2727  }
2728 -
2729 -unsigned long arch_align_stack(unsigned long sp)
2730 -{
2731 -       return sp;
2732 -}
2733 diff -urNp linux-3.1.1/arch/sh/mm/mmap.c linux-3.1.1/arch/sh/mm/mmap.c
2734 --- linux-3.1.1/arch/sh/mm/mmap.c       2011-11-11 15:19:27.000000000 -0500
2735 +++ linux-3.1.1/arch/sh/mm/mmap.c       2011-11-16 18:39:07.000000000 -0500
2736 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
2737                         addr = PAGE_ALIGN(addr);
2738  
2739                 vma = find_vma(mm, addr);
2740 -               if (TASK_SIZE - len >= addr &&
2741 -                   (!vma || addr + len <= vma->vm_start))
2742 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
2743                         return addr;
2744         }
2745  
2746 @@ -106,7 +105,7 @@ full_search:
2747                         }
2748                         return -ENOMEM;
2749                 }
2750 -               if (likely(!vma || addr + len <= vma->vm_start)) {
2751 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
2752                         /*
2753                          * Remember the place where we stopped the search:
2754                          */
2755 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
2756                         addr = PAGE_ALIGN(addr);
2757  
2758                 vma = find_vma(mm, addr);
2759 -               if (TASK_SIZE - len >= addr &&
2760 -                   (!vma || addr + len <= vma->vm_start))
2761 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
2762                         return addr;
2763         }
2764  
2765 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
2766         /* make sure it can fit in the remaining address space */
2767         if (likely(addr > len)) {
2768                 vma = find_vma(mm, addr-len);
2769 -               if (!vma || addr <= vma->vm_start) {
2770 +               if (check_heap_stack_gap(vma, addr - len, len)) {
2771                         /* remember the address as a hint for next time */
2772                         return (mm->free_area_cache = addr-len);
2773                 }
2774 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
2775         if (unlikely(mm->mmap_base < len))
2776                 goto bottomup;
2777  
2778 -       addr = mm->mmap_base-len;
2779 -       if (do_colour_align)
2780 -               addr = COLOUR_ALIGN_DOWN(addr, pgoff);
2781 +       addr = mm->mmap_base - len;
2782  
2783         do {
2784 +               if (do_colour_align)
2785 +                       addr = COLOUR_ALIGN_DOWN(addr, pgoff);
2786                 /*
2787                  * Lookup failure means no vma is above this address,
2788                  * else if new region fits below vma->vm_start,
2789                  * return with success:
2790                  */
2791                 vma = find_vma(mm, addr);
2792 -               if (likely(!vma || addr+len <= vma->vm_start)) {
2793 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
2794                         /* remember the address as a hint for next time */
2795                         return (mm->free_area_cache = addr);
2796                 }
2797 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
2798                         mm->cached_hole_size = vma->vm_start - addr;
2799  
2800                 /* try just below the current vma->vm_start */
2801 -               addr = vma->vm_start-len;
2802 -               if (do_colour_align)
2803 -                       addr = COLOUR_ALIGN_DOWN(addr, pgoff);
2804 -       } while (likely(len < vma->vm_start));
2805 +               addr = skip_heap_stack_gap(vma, len);
2806 +       } while (!IS_ERR_VALUE(addr));
2807  
2808  bottomup:
2809         /*
2810 diff -urNp linux-3.1.1/arch/sparc/include/asm/atomic_64.h linux-3.1.1/arch/sparc/include/asm/atomic_64.h
2811 --- linux-3.1.1/arch/sparc/include/asm/atomic_64.h      2011-11-11 15:19:27.000000000 -0500
2812 +++ linux-3.1.1/arch/sparc/include/asm/atomic_64.h      2011-11-16 18:39:07.000000000 -0500
2813 @@ -14,18 +14,40 @@
2814  #define ATOMIC64_INIT(i)       { (i) }
2815  
2816  #define atomic_read(v)         (*(volatile int *)&(v)->counter)
2817 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
2818 +{
2819 +       return v->counter;
2820 +}
2821  #define atomic64_read(v)       (*(volatile long *)&(v)->counter)
2822 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
2823 +{
2824 +       return v->counter;
2825 +}
2826  
2827  #define atomic_set(v, i)       (((v)->counter) = i)
2828 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
2829 +{
2830 +       v->counter = i;
2831 +}
2832  #define atomic64_set(v, i)     (((v)->counter) = i)
2833 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
2834 +{
2835 +       v->counter = i;
2836 +}
2837  
2838  extern void atomic_add(int, atomic_t *);
2839 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
2840  extern void atomic64_add(long, atomic64_t *);
2841 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
2842  extern void atomic_sub(int, atomic_t *);
2843 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
2844  extern void atomic64_sub(long, atomic64_t *);
2845 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
2846  
2847  extern int atomic_add_ret(int, atomic_t *);
2848 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
2849  extern long atomic64_add_ret(long, atomic64_t *);
2850 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
2851  extern int atomic_sub_ret(int, atomic_t *);
2852  extern long atomic64_sub_ret(long, atomic64_t *);
2853  
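Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` read `v->counter` through a plain, non-volatile access, whereas the `atomic_read`/`atomic64_read` macros right above them force a `volatile` load; a wait-until-changed loop polling an unchecked counter could therefore have its load hoisted out of the loop by the compiler. Returning `(*(volatile int *)&v->counter)` (and the `long` equivalent in the 64-bit variant) keeps the unchecked readers semantically identical to the checked ones, differing only in the absence of the overflow trap. `atomic_set_unchecked()` already matches `atomic_set`, which is a plain assignment, so it needs no change.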
2854 @@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomi
2855  #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
2856  
2857  #define atomic_inc_return(v) atomic_add_ret(1, v)
2858 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
2859 +{
2860 +       return atomic_add_ret_unchecked(1, v);
2861 +}
2862  #define atomic64_inc_return(v) atomic64_add_ret(1, v)
2863 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
2864 +{
2865 +       return atomic64_add_ret_unchecked(1, v);
2866 +}
2867  
2868  #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
2869  #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
2870  
2871  #define atomic_add_return(i, v) atomic_add_ret(i, v)
2872 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
2873 +{
2874 +       return atomic_add_ret_unchecked(i, v);
2875 +}
2876  #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
2877 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
2878 +{
2879 +       return atomic64_add_ret_unchecked(i, v);
2880 +}
2881  
2882  /*
2883   * atomic_inc_and_test - increment and test
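Review bot: `atomic_sub_ret()` and `atomic64_sub_ret()`, declared just above, get no `_unchecked` prototype, so `atomic_sub_return_unchecked()` and `atomic_dec_return_unchecked()` cannot be built alongside the `atomic_add_return_unchecked()`/`atomic_inc_return_unchecked()` wrappers added here. If the `_unchecked` family is meant to be a drop-in for every checked operation, `extern int atomic_sub_ret_unchecked(int, atomic_unchecked_t *);` and its 64-bit twin belong next to the add prototypes, with matching inline wrappers; otherwise a one-line comment stating that only the add/inc side has unchecked variants would save the next reader from hunting for them.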
2884 @@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomi
2885   * other cases.
2886   */
2887  #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
2888 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
2889 +{
2890 +       return atomic_inc_return_unchecked(v) == 0;
2891 +}
2892  #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
2893  
2894  #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
2895 @@ -59,25 +101,60 @@ extern long atomic64_sub_ret(long, atomi
2896  #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
2897  
2898  #define atomic_inc(v) atomic_add(1, v)
2899 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
2900 +{
2901 +       atomic_add_unchecked(1, v);
2902 +}
2903  #define atomic64_inc(v) atomic64_add(1, v)
2904 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
2905 +{
2906 +       atomic64_add_unchecked(1, v);
2907 +}
2908  
2909  #define atomic_dec(v) atomic_sub(1, v)
2910 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
2911 +{
2912 +       atomic_sub_unchecked(1, v);
2913 +}
2914  #define atomic64_dec(v) atomic64_sub(1, v)
2915 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
2916 +{
2917 +       atomic64_sub_unchecked(1, v);
2918 +}
2919  
2920  #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
2921  #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
2922  
2923  #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
2924 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
2925 +{
2926 +       return cmpxchg(&v->counter, old, new);
2927 +}
2928  #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
2929 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
2930 +{
2931 +       return xchg(&v->counter, new);
2932 +}
2933  
2934  static inline int __atomic_add_unless(atomic_t *v, int a, int u)
2935  {
2936 -       int c, old;
2937 +       int c, old, new;
2938         c = atomic_read(v);
2939         for (;;) {
2940 -               if (unlikely(c == (u)))
2941 +               if (unlikely(c == u))
2942                         break;
2943 -               old = atomic_cmpxchg((v), c, c + (a));
2944 +
2945 +               asm volatile("addcc %2, %0, %0\n"
2946 +
2947 +#ifdef CONFIG_PAX_REFCOUNT
2948 +                            "tvs %%icc, 6\n"
2949 +#endif
2950 +
2951 +                            : "=r" (new)
2952 +                            : "0" (c), "ir" (a)
2953 +                            : "cc");
2954 +
2955 +               old = atomic_cmpxchg(v, c, new);
2956                 if (likely(old == c))
2957                         break;
2958                 c = old;
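Review bot: The `addcc`/`tvs` sequence in `__atomic_add_unless()` carries no comment explaining that `tvs %icc, 6` raises software trap 6 whenever the add sets the overflow flag, and the handler for that trap is not in this chunk; a line such as `/* PAX_REFCOUNT: take sw trap 6 if c + a overflows a signed int */` above the asm would make the retry loop readable without SPARC trap-mnemonic knowledge. The `"ir" (a)` constraint lets GCC place any integer constant into the immediate slot, but SPARC's immediate field is a signed 13-bit `simm13`; unless every caller is known to pass small constants, `"rI" (a)` is the safer spelling because it forces out-of-range constants into a register. The `"cc"` clobber is correctly declared for `addcc`.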
2959 @@ -89,20 +166,35 @@ static inline int __atomic_add_unless(at
2960  #define atomic64_cmpxchg(v, o, n) \
2961         ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
2962  #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
2963 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
2964 +{
2965 +       return xchg(&v->counter, new);
2966 +}
2967  
2968  static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
2969  {
2970 -       long c, old;
2971 +       long c, old, new;
2972         c = atomic64_read(v);
2973         for (;;) {
2974 -               if (unlikely(c == (u)))
2975 +               if (unlikely(c == u))
2976                         break;
2977 -               old = atomic64_cmpxchg((v), c, c + (a));
2978 +
2979 +               asm volatile("addcc %2, %0, %0\n"
2980 +
2981 +#ifdef CONFIG_PAX_REFCOUNT
2982 +                            "tvs %%xcc, 6\n"
2983 +#endif
2984 +
2985 +                            : "=r" (new)
2986 +                            : "0" (c), "ir" (a)
2987 +                            : "cc");
2988 +
2989 +               old = atomic64_cmpxchg(v, c, new);
2990                 if (likely(old == c))
2991                         break;
2992                 c = old;
2993         }
2994 -       return c != (u);
2995 +       return c != u;
2996  }
2997  
2998  #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
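Review bot: `atomic64_xchg_unchecked()` is added here but its `atomic64_cmpxchg_unchecked()` counterpart is missing, even though the 32-bit hunk above defines both `atomic_cmpxchg_unchecked()` and `atomic_xchg_unchecked()`. For symmetry add `static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new) { return cmpxchg(&v->counter, old, new); }` next to the xchg variant; because the inline returns `long`, the `__typeof__((v)->counter)` cast that the `atomic64_cmpxchg` macro needs is not required. The same `"ir"` versus `"rI"` immediate-range question raised for the 32-bit `addcc` applies to this `addcc`/`tvs %xcc` sequence as well.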
2999 diff -urNp linux-3.1.1/arch/sparc/include/asm/cache.h linux-3.1.1/arch/sparc/include/asm/cache.h
3000 --- linux-3.1.1/arch/sparc/include/asm/cache.h  2011-11-11 15:19:27.000000000 -0500
3001 +++ linux-3.1.1/arch/sparc/include/asm/cache.h  2011-11-16 18:39:07.000000000 -0500
3002 @@ -10,7 +10,7 @@
3003  #define ARCH_SLAB_MINALIGN     __alignof__(unsigned long long)
3004  
3005  #define L1_CACHE_SHIFT 5
3006 -#define L1_CACHE_BYTES 32
3007 +#define L1_CACHE_BYTES 32UL
3008  
3009  #ifdef CONFIG_SPARC32
3010  #define SMP_CACHE_BYTES_SHIFT 5
3011 diff -urNp linux-3.1.1/arch/sparc/include/asm/elf_32.h linux-3.1.1/arch/sparc/include/asm/elf_32.h
3012 --- linux-3.1.1/arch/sparc/include/asm/elf_32.h 2011-11-11 15:19:27.000000000 -0500
3013 +++ linux-3.1.1/arch/sparc/include/asm/elf_32.h 2011-11-16 18:39:07.000000000 -0500
3014 @@ -114,6 +114,13 @@ typedef struct {
3015  
3016  #define ELF_ET_DYN_BASE         (TASK_UNMAPPED_BASE)
3017  
3018 +#ifdef CONFIG_PAX_ASLR
3019 +#define PAX_ELF_ET_DYN_BASE    0x10000UL
3020 +
3021 +#define PAX_DELTA_MMAP_LEN     16
3022 +#define PAX_DELTA_STACK_LEN    16
3023 +#endif
3024 +
3025  /* This yields a mask that user programs can use to figure out what
3026     instruction set this cpu supports.  This can NOT be done in userspace
3027     on Sparc.  */
3028 diff -urNp linux-3.1.1/arch/sparc/include/asm/elf_64.h linux-3.1.1/arch/sparc/include/asm/elf_64.h
3029 --- linux-3.1.1/arch/sparc/include/asm/elf_64.h 2011-11-11 15:19:27.000000000 -0500
3030 +++ linux-3.1.1/arch/sparc/include/asm/elf_64.h 2011-11-16 18:39:07.000000000 -0500
3031 @@ -180,6 +180,13 @@ typedef struct {
3032  #define ELF_ET_DYN_BASE                0x0000010000000000UL
3033  #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3034  
3035 +#ifdef CONFIG_PAX_ASLR
3036 +#define PAX_ELF_ET_DYN_BASE    (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3037 +
3038 +#define PAX_DELTA_MMAP_LEN     (test_thread_flag(TIF_32BIT) ? 14 : 28)
3039 +#define PAX_DELTA_STACK_LEN    (test_thread_flag(TIF_32BIT) ? 15 : 29)
3040 +#endif
3041 +
3042  extern unsigned long sparc64_elf_hwcap;
3043  #define ELF_HWCAP      sparc64_elf_hwcap
3044  
3045 diff -urNp linux-3.1.1/arch/sparc/include/asm/pgtable_32.h linux-3.1.1/arch/sparc/include/asm/pgtable_32.h
3046 --- linux-3.1.1/arch/sparc/include/asm/pgtable_32.h     2011-11-11 15:19:27.000000000 -0500
3047 +++ linux-3.1.1/arch/sparc/include/asm/pgtable_32.h     2011-11-16 18:39:07.000000000 -0500
3048 @@ -45,6 +45,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3049  BTFIXUPDEF_INT(page_none)
3050  BTFIXUPDEF_INT(page_copy)
3051  BTFIXUPDEF_INT(page_readonly)
3052 +
3053 +#ifdef CONFIG_PAX_PAGEEXEC
3054 +BTFIXUPDEF_INT(page_shared_noexec)
3055 +BTFIXUPDEF_INT(page_copy_noexec)
3056 +BTFIXUPDEF_INT(page_readonly_noexec)
3057 +#endif
3058 +
3059  BTFIXUPDEF_INT(page_kernel)
3060  
3061  #define PMD_SHIFT              SUN4C_PMD_SHIFT
3062 @@ -66,6 +73,16 @@ extern pgprot_t PAGE_SHARED;
3063  #define PAGE_COPY      __pgprot(BTFIXUP_INT(page_copy))
3064  #define PAGE_READONLY  __pgprot(BTFIXUP_INT(page_readonly))
3065  
3066 +#ifdef CONFIG_PAX_PAGEEXEC
3067 +extern pgprot_t PAGE_SHARED_NOEXEC;
3068 +# define PAGE_COPY_NOEXEC      __pgprot(BTFIXUP_INT(page_copy_noexec))
3069 +# define PAGE_READONLY_NOEXEC  __pgprot(BTFIXUP_INT(page_readonly_noexec))
3070 +#else
3071 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
3072 +# define PAGE_COPY_NOEXEC      PAGE_COPY
3073 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
3074 +#endif
3075 +
3076  extern unsigned long page_kernel;
3077  
3078  #ifdef MODULE
3079 diff -urNp linux-3.1.1/arch/sparc/include/asm/pgtsrmmu.h linux-3.1.1/arch/sparc/include/asm/pgtsrmmu.h
3080 --- linux-3.1.1/arch/sparc/include/asm/pgtsrmmu.h       2011-11-11 15:19:27.000000000 -0500
3081 +++ linux-3.1.1/arch/sparc/include/asm/pgtsrmmu.h       2011-11-16 18:39:07.000000000 -0500
3082 @@ -115,6 +115,13 @@
3083                                     SRMMU_EXEC | SRMMU_REF)
3084  #define SRMMU_PAGE_RDONLY  __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3085                                     SRMMU_EXEC | SRMMU_REF)
3086 +
3087 +#ifdef CONFIG_PAX_PAGEEXEC
3088 +#define SRMMU_PAGE_SHARED_NOEXEC       __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3089 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3090 +#define SRMMU_PAGE_RDONLY_NOEXEC       __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3091 +#endif
3092 +
3093  #define SRMMU_PAGE_KERNEL  __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3094                                     SRMMU_DIRTY | SRMMU_REF)
3095  
3096 diff -urNp linux-3.1.1/arch/sparc/include/asm/spinlock_64.h linux-3.1.1/arch/sparc/include/asm/spinlock_64.h
3097 --- linux-3.1.1/arch/sparc/include/asm/spinlock_64.h    2011-11-11 15:19:27.000000000 -0500
3098 +++ linux-3.1.1/arch/sparc/include/asm/spinlock_64.h    2011-11-16 18:39:07.000000000 -0500
3099 @@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(
3100  
3101  /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
3102  
3103 -static void inline arch_read_lock(arch_rwlock_t *lock)
3104 +static inline void arch_read_lock(arch_rwlock_t *lock)
3105  {
3106         unsigned long tmp1, tmp2;
3107  
3108         __asm__ __volatile__ (
3109  "1:    ldsw            [%2], %0\n"
3110  "      brlz,pn         %0, 2f\n"
3111 -"4:     add            %0, 1, %1\n"
3112 +"4:     addcc          %0, 1, %1\n"
3113 +
3114 +#ifdef CONFIG_PAX_REFCOUNT
3115 +"      tvs             %%icc, 6\n"
3116 +#endif
3117 +
3118  "      cas             [%2], %0, %1\n"
3119  "      cmp             %0, %1\n"
3120  "      bne,pn          %%icc, 1b\n"
3121 @@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r
3122  "      .previous"
3123         : "=&r" (tmp1), "=&r" (tmp2)
3124         : "r" (lock)
3125 -       : "memory");
3126 +       : "memory", "cc");
3127  }
3128  
3129 -static int inline arch_read_trylock(arch_rwlock_t *lock)
3130 +static inline int arch_read_trylock(arch_rwlock_t *lock)
3131  {
3132         int tmp1, tmp2;
3133  
3134 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3135  "1:    ldsw            [%2], %0\n"
3136  "      brlz,a,pn       %0, 2f\n"
3137  "       mov            0, %0\n"
3138 -"      add             %0, 1, %1\n"
3139 +"      addcc           %0, 1, %1\n"
3140 +
3141 +#ifdef CONFIG_PAX_REFCOUNT
3142 +"      tvs             %%icc, 6\n"
3143 +#endif
3144 +
3145  "      cas             [%2], %0, %1\n"
3146  "      cmp             %0, %1\n"
3147  "      bne,pn          %%icc, 1b\n"
3148 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch
3149         return tmp1;
3150  }
3151  
3152 -static void inline arch_read_unlock(arch_rwlock_t *lock)
3153 +static inline void arch_read_unlock(arch_rwlock_t *lock)
3154  {
3155         unsigned long tmp1, tmp2;
3156  
3157         __asm__ __volatile__(
3158  "1:    lduw    [%2], %0\n"
3159 -"      sub     %0, 1, %1\n"
3160 +"      subcc   %0, 1, %1\n"
3161 +
3162 +#ifdef CONFIG_PAX_REFCOUNT
3163 +"      tvs     %%icc, 6\n"
3164 +#endif
3165 +
3166  "      cas     [%2], %0, %1\n"
3167  "      cmp     %0, %1\n"
3168  "      bne,pn  %%xcc, 1b\n"
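Review bot: `arch_read_unlock()` now executes `subcc`, which writes the integer condition codes, yet the asm's clobber list shown in the following context line stays `"memory"` only, while the matching change to `arch_read_lock()` above also added `"cc"`. The original asm already altered the flags via `cmp`, so whether GCC's SPARC back end really requires the explicit clobber is not something this hunk settles, but the three read-lock helpers should at least agree; change the unlock clobber to `: "memory", "cc");`. `arch_read_trylock()`'s clobber list falls outside the visible hunk and should be checked the same way.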
3169 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch
3170         : "memory");
3171  }
3172  
3173 -static void inline arch_write_lock(arch_rwlock_t *lock)
3174 +static inline void arch_write_lock(arch_rwlock_t *lock)
3175  {
3176         unsigned long mask, tmp1, tmp2;
3177  
3178 @@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_
3179         : "memory");
3180  }
3181  
3182 -static void inline arch_write_unlock(arch_rwlock_t *lock)
3183 +static inline void arch_write_unlock(arch_rwlock_t *lock)
3184  {
3185         __asm__ __volatile__(
3186  "      stw             %%g0, [%0]"
3187 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc
3188         : "memory");
3189  }
3190  
3191 -static int inline arch_write_trylock(arch_rwlock_t *lock)
3192 +static inline int arch_write_trylock(arch_rwlock_t *lock)
3193  {
3194         unsigned long mask, tmp1, tmp2, result;
3195  
3196 diff -urNp linux-3.1.1/arch/sparc/include/asm/thread_info_32.h linux-3.1.1/arch/sparc/include/asm/thread_info_32.h
3197 --- linux-3.1.1/arch/sparc/include/asm/thread_info_32.h 2011-11-11 15:19:27.000000000 -0500
3198 +++ linux-3.1.1/arch/sparc/include/asm/thread_info_32.h 2011-11-16 18:39:07.000000000 -0500
3199 @@ -50,6 +50,8 @@ struct thread_info {
3200         unsigned long           w_saved;
3201  
3202         struct restart_block    restart_block;
3203 +
3204 +       unsigned long           lowest_stack;
3205  };
3206  
3207  /*
3208 diff -urNp linux-3.1.1/arch/sparc/include/asm/thread_info_64.h linux-3.1.1/arch/sparc/include/asm/thread_info_64.h
3209 --- linux-3.1.1/arch/sparc/include/asm/thread_info_64.h 2011-11-11 15:19:27.000000000 -0500
3210 +++ linux-3.1.1/arch/sparc/include/asm/thread_info_64.h 2011-11-16 18:39:07.000000000 -0500
3211 @@ -63,6 +63,8 @@ struct thread_info {
3212         struct pt_regs          *kern_una_regs;
3213         unsigned int            kern_una_insn;
3214  
3215 +       unsigned long           lowest_stack;
3216 +
3217         unsigned long           fpregs[0] __attribute__ ((aligned(64)));
3218  };
3219  
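Review bot: `lowest_stack` is inserted immediately before `fpregs[0]`, which is `aligned(64)`, so the offset of `fpregs` inside `struct thread_info` can move: the new 8-byte field either lands in alignment padding after the 4-byte `kern_una_insn` or pushes `fpregs` to the next 64-byte boundary. This header is known to carry hand-maintained `TI_*` byte offsets consumed by assembly; they are not in this hunk, so confirm that `TI_FPREGS` (and anything derived from it) is updated or covered by a build-time assertion. A comment naming the field's owner would also help, since nothing here says who writes it: `/* lowest kernel stack address seen so far (owner presumably the PaX stack-sanitising code — verify) */`.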
3220 diff -urNp linux-3.1.1/arch/sparc/include/asm/uaccess_32.h linux-3.1.1/arch/sparc/include/asm/uaccess_32.h
3221 --- linux-3.1.1/arch/sparc/include/asm/uaccess_32.h     2011-11-11 15:19:27.000000000 -0500
3222 +++ linux-3.1.1/arch/sparc/include/asm/uaccess_32.h     2011-11-16 18:39:07.000000000 -0500
3223 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3224  
3225  static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3226  {
3227 -       if (n && __access_ok((unsigned long) to, n))
3228 +       if ((long)n < 0)
3229 +               return n;
3230 +
3231 +       if (n && __access_ok((unsigned long) to, n)) {
3232 +               if (!__builtin_constant_p(n))
3233 +                       check_object_size(from, n, true);
3234                 return __copy_user(to, (__force void __user *) from, n);
3235 -       else
3236 +       } else
3237                 return n;
3238  }
3239  
3240  static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3241  {
3242 +       if ((long)n < 0)
3243 +               return n;
3244 +
3245 +       if (!__builtin_constant_p(n))
3246 +               check_object_size(from, n, true);
3247 +
3248         return __copy_user(to, (__force void __user *) from, n);
3249  }
3250  
3251  static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3252  {
3253 -       if (n && __access_ok((unsigned long) from, n))
3254 +       if ((long)n < 0)
3255 +               return n;
3256 +
3257 +       if (n && __access_ok((unsigned long) from, n)) {
3258 +               if (!__builtin_constant_p(n))
3259 +                       check_object_size(to, n, false);
3260                 return __copy_user((__force void __user *) to, from, n);
3261 -       else
3262 +       } else
3263                 return n;
3264  }
3265  
3266  static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3267  {
3268 +       if ((long)n < 0)
3269 +               return n;
3270 +
3271         return __copy_user((__force void __user *) to, from, n);
3272  }
3273  
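Review bot: `__copy_from_user()` gets only the negative-length guard, while its sibling `__copy_to_user()` in the same hunk also calls `check_object_size(from, n, true)` for non-constant `n`; `copy_from_user()` above does call `check_object_size(to, n, false)`, so the double-underscore from-user path is the one place where a variable-length copy into a kernel object escapes the object-size check. Unless the omission is deliberate (and then it deserves a comment), add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` ahead of the `__copy_user()` call, mirroring `__copy_to_user()`. The `(long)n < 0` early return correctly reports every byte as uncopied.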
3274 diff -urNp linux-3.1.1/arch/sparc/include/asm/uaccess_64.h linux-3.1.1/arch/sparc/include/asm/uaccess_64.h
3275 --- linux-3.1.1/arch/sparc/include/asm/uaccess_64.h     2011-11-11 15:19:27.000000000 -0500
3276 +++ linux-3.1.1/arch/sparc/include/asm/uaccess_64.h     2011-11-16 18:39:07.000000000 -0500
3277 @@ -10,6 +10,7 @@
3278  #include <linux/compiler.h>
3279  #include <linux/string.h>
3280  #include <linux/thread_info.h>
3281 +#include <linux/kernel.h>
3282  #include <asm/asi.h>
3283  #include <asm/system.h>
3284  #include <asm/spitfire.h>
3285 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
3286  static inline unsigned long __must_check
3287  copy_from_user(void *to, const void __user *from, unsigned long size)
3288  {
3289 -       unsigned long ret = ___copy_from_user(to, from, size);
3290 +       unsigned long ret;
3291  
3292 +       if ((long)size < 0 || size > INT_MAX)
3293 +               return size;
3294 +
3295 +       if (!__builtin_constant_p(size))
3296 +               check_object_size(to, size, false);
3297 +
3298 +       ret = ___copy_from_user(to, from, size);
3299         if (unlikely(ret))
3300                 ret = copy_from_user_fixup(to, from, size);
3301  
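Review bot: In `copy_from_user()` the two-part guard `(long)size < 0 || size > INT_MAX` is redundant on sparc64, where `unsigned long` is 64 bits: any value whose signed interpretation is negative already exceeds `INT_MAX`, so `if (size > INT_MAX) return size;` expresses the same check in one comparison. If the first clause is kept for symmetry with the 32-bit header, where the two tests differ, a short comment saying so would stop readers from looking for a case it catches on its own. The early return correctly bypasses `copy_from_user_fixup()`, since nothing was copied.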
3302 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
3303  static inline unsigned long __must_check
3304  copy_to_user(void __user *to, const void *from, unsigned long size)
3305  {
3306 -       unsigned long ret = ___copy_to_user(to, from, size);
3307 +       unsigned long ret;
3308 +
3309 +       if ((long)size < 0 || size > INT_MAX)
3310 +               return size;
3311 +
3312 +       if (!__builtin_constant_p(size))
3313 +               check_object_size(from, size, true);
3314  
3315 +       ret = ___copy_to_user(to, from, size);
3316         if (unlikely(ret))
3317                 ret = copy_to_user_fixup(to, from, size);
3318         return ret;
3319 diff -urNp linux-3.1.1/arch/sparc/include/asm/uaccess.h linux-3.1.1/arch/sparc/include/asm/uaccess.h
3320 --- linux-3.1.1/arch/sparc/include/asm/uaccess.h        2011-11-11 15:19:27.000000000 -0500
3321 +++ linux-3.1.1/arch/sparc/include/asm/uaccess.h        2011-11-16 18:39:07.000000000 -0500
3322 @@ -1,5 +1,13 @@
3323  #ifndef ___ASM_SPARC_UACCESS_H
3324  #define ___ASM_SPARC_UACCESS_H
3325 +
3326 +#ifdef __KERNEL__
3327 +#ifndef __ASSEMBLY__
3328 +#include <linux/types.h>
3329 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3330 +#endif
3331 +#endif
3332 +
3333  #if defined(__sparc__) && defined(__arch64__)
3334  #include <asm/uaccess_64.h>
3335  #else
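Review bot: The `check_object_size()` prototype is introduced without any comment on the meaning of its `to` flag, and the call sites in this patch use it asymmetrically (`check_object_size(from, n, true)` in the to-user copies, `check_object_size(to, n, false)` in the from-user copies), leaving the reader to reverse-engineer the convention. A declaration comment such as `/* Object-size check for user copies (defined elsewhere): to=true means ptr is the kernel source of a copy_to_user(), false means it is the kernel destination of a copy_from_user(). */` would pin it down; what the function does when the check fails is not visible here and should be documented at its definition.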
3336 diff -urNp linux-3.1.1/arch/sparc/kernel/Makefile linux-3.1.1/arch/sparc/kernel/Makefile
3337 --- linux-3.1.1/arch/sparc/kernel/Makefile      2011-11-11 15:19:27.000000000 -0500
3338 +++ linux-3.1.1/arch/sparc/kernel/Makefile      2011-11-16 18:39:07.000000000 -0500
3339 @@ -3,7 +3,7 @@
3340  #
3341  
3342  asflags-y := -ansi
3343 -ccflags-y := -Werror
3344 +#ccflags-y := -Werror
3345  
3346  extra-y     := head_$(BITS).o
3347  extra-y     += init_task.o
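Review bot: Commenting out `ccflags-y := -Werror` disables warnings-as-errors for all of `arch/sparc/kernel`, not only for whatever diagnostics the patch newly triggers, so every future warning in this directory will now pass the build silently. Prefer fixing the offending warnings, or if one is genuinely unavoidable, suppress just that diagnostic with a `ccflags-y += -Wno-<warning>` line accompanied by a comment explaining why. Leaving the dead `#ccflags-y := -Werror` line in place also reads as a leftover debugging change rather than a decision.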
3348 diff -urNp linux-3.1.1/arch/sparc/kernel/process_32.c linux-3.1.1/arch/sparc/kernel/process_32.c
3349 --- linux-3.1.1/arch/sparc/kernel/process_32.c  2011-11-11 15:19:27.000000000 -0500
3350 +++ linux-3.1.1/arch/sparc/kernel/process_32.c  2011-11-16 18:40:08.000000000 -0500
3351 @@ -204,7 +204,7 @@ void __show_backtrace(unsigned long fp)
3352                        rw->ins[4], rw->ins[5],
3353                        rw->ins[6],
3354                        rw->ins[7]);
3355 -               printk("%pS\n", (void *) rw->ins[7]);
3356 +               printk("%pA\n", (void *) rw->ins[7]);
3357                 rw = (struct reg_window32 *) rw->ins[6];
3358         }
3359         spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
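Review bot: `%pA` is not a printk pointer extension in upstream 3.1 `lib/vsprintf.c`; the `%pS` to `%pA` conversion here, and in the `show_regs`/`show_stack`/`process_64.c` hunks that follow, depends on a `pointer()` extension defined elsewhere in this patch that is not visible in this chunk. If that extension were missing or mismatched, vsprintf would fall back to printing the raw pointer value, which is presumably the very thing the change away from `%pS` is meant to avoid. A one-line comment at the first use, or in the vsprintf hunk, stating what `%pA` prints and how it differs from `%pS` would document the intent for anyone reading these backtrace paths.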
3360 @@ -271,14 +271,14 @@ void show_regs(struct pt_regs *r)
3361  
3362          printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx    %s\n",
3363                r->psr, r->pc, r->npc, r->y, print_tainted());
3364 -       printk("PC: <%pS>\n", (void *) r->pc);
3365 +       printk("PC: <%pA>\n", (void *) r->pc);
3366         printk("%%G: %08lx %08lx  %08lx %08lx  %08lx %08lx  %08lx %08lx\n",
3367                r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
3368                r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
3369         printk("%%O: %08lx %08lx  %08lx %08lx  %08lx %08lx  %08lx %08lx\n",
3370                r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
3371                r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
3372 -       printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
3373 +       printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
3374  
3375         printk("%%L: %08lx %08lx  %08lx %08lx  %08lx %08lx  %08lx %08lx\n",
3376                rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
3377 @@ -313,7 +313,7 @@ void show_stack(struct task_struct *tsk,
3378                 rw = (struct reg_window32 *) fp;
3379                 pc = rw->ins[7];
3380                 printk("[%08lx : ", pc);
3381 -               printk("%pS ] ", (void *) pc);
3382 +               printk("%pA ] ", (void *) pc);
3383                 fp = rw->ins[6];
3384         } while (++count < 16);
3385         printk("\n");
3386 diff -urNp linux-3.1.1/arch/sparc/kernel/process_64.c linux-3.1.1/arch/sparc/kernel/process_64.c
3387 --- linux-3.1.1/arch/sparc/kernel/process_64.c  2011-11-11 15:19:27.000000000 -0500
3388 +++ linux-3.1.1/arch/sparc/kernel/process_64.c  2011-11-16 18:40:08.000000000 -0500
3389 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
3390         printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
3391                rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
3392         if (regs->tstate & TSTATE_PRIV)
3393 -               printk("I7: <%pS>\n", (void *) rwk->ins[7]);
3394 +               printk("I7: <%pA>\n", (void *) rwk->ins[7]);
3395  }
3396  
3397  void show_regs(struct pt_regs *regs)
3398  {
3399         printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x    %s\n", regs->tstate,
3400                regs->tpc, regs->tnpc, regs->y, print_tainted());
3401 -       printk("TPC: <%pS>\n", (void *) regs->tpc);
3402 +       printk("TPC: <%pA>\n", (void *) regs->tpc);
3403         printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
3404                regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
3405                regs->u_regs[3]);
3406 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
3407         printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
3408                regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
3409                regs->u_regs[15]);
3410 -       printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
3411 +       printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
3412         show_regwindow(regs);
3413         show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
3414  }
3415 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
3416                        ((tp && tp->task) ? tp->task->pid : -1));
3417  
3418                 if (gp->tstate & TSTATE_PRIV) {
3419 -                       printk("             TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
3420 +                       printk("             TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
3421                                (void *) gp->tpc,
3422                                (void *) gp->o7,
3423                                (void *) gp->i7,
3424 diff -urNp linux-3.1.1/arch/sparc/kernel/sys_sparc_32.c linux-3.1.1/arch/sparc/kernel/sys_sparc_32.c
3425 --- linux-3.1.1/arch/sparc/kernel/sys_sparc_32.c        2011-11-11 15:19:27.000000000 -0500
3426 +++ linux-3.1.1/arch/sparc/kernel/sys_sparc_32.c        2011-11-16 18:39:07.000000000 -0500
3427 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
3428         if (ARCH_SUN4C && len > 0x20000000)
3429                 return -ENOMEM;
3430         if (!addr)
3431 -               addr = TASK_UNMAPPED_BASE;
3432 +               addr = current->mm->mmap_base;
3433  
3434         if (flags & MAP_SHARED)
3435                 addr = COLOUR_ALIGN(addr);
3436 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
3437                 }
3438                 if (TASK_SIZE - PAGE_SIZE - len < addr)
3439                         return -ENOMEM;
3440 -               if (!vmm || addr + len <= vmm->vm_start)
3441 +               if (check_heap_stack_gap(vmm, addr, len))
3442                         return addr;
3443                 addr = vmm->vm_end;
3444                 if (flags & MAP_SHARED)
3445 diff -urNp linux-3.1.1/arch/sparc/kernel/sys_sparc_64.c linux-3.1.1/arch/sparc/kernel/sys_sparc_64.c
3446 --- linux-3.1.1/arch/sparc/kernel/sys_sparc_64.c        2011-11-11 15:19:27.000000000 -0500
3447 +++ linux-3.1.1/arch/sparc/kernel/sys_sparc_64.c        2011-11-16 18:39:07.000000000 -0500
3448 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
3449                 /* We do not accept a shared mapping if it would violate
3450                  * cache aliasing constraints.
3451                  */
3452 -               if ((flags & MAP_SHARED) &&
3453 +               if ((filp || (flags & MAP_SHARED)) &&
3454                     ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3455                         return -EINVAL;
3456                 return addr;
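Review bot: Widening the `MAP_FIXED` colour check from `flags & MAP_SHARED` to `filp || (flags & MAP_SHARED)` is a user-visible behaviour change: a private, file-backed `MAP_FIXED` request whose address and `pgoff` are not congruent modulo `SHMLBA` used to succeed and now fails with `-EINVAL`. It is consistent with the non-fixed path, which already colour-aligns every file-backed mapping (`if (filp || (flags & MAP_SHARED)) do_color_align = 1;`), but it should be confirmed against real callers that do fixed private file mappings (dynamic loaders, JITs) before it ships. The comment two lines above still says "We do not accept a shared mapping"; update it to `/* We do not accept a file-backed or shared mapping if it would violate cache aliasing constraints. */`.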
3457 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
3458         if (filp || (flags & MAP_SHARED))
3459                 do_color_align = 1;
3460  
3461 +#ifdef CONFIG_PAX_RANDMMAP
3462 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
3463 +#endif
3464 +
3465         if (addr) {
3466                 if (do_color_align)
3467                         addr = COLOUR_ALIGN(addr, pgoff);
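Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block leaves a bare `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` whose controlled statement is the `if (addr) {` that follows after a blank line; with the option enabled this is a dangling `if`, and inserting any statement between the two later silently changes what it governs. Folding the condition into the existing test removes that hazard, and a comment that the caller's hint address is deliberately ignored when mmap randomisation is on would explain the intent to readers unfamiliar with PaX. The enclosing `arch_get_unmapped_area()` body continues outside this hunk.
```c
	/* With RANDMMAP enabled the caller's hint is ignored on purpose. */
	if (addr
#ifdef CONFIG_PAX_RANDMMAP
	    && !(mm->pax_flags & MF_PAX_RANDMMAP)
#endif
	   ) {
		/* … unchanged: colour/page alignment of the hint and the gap check … */
```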
3468 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
3469                         addr = PAGE_ALIGN(addr);
3470  
3471                 vma = find_vma(mm, addr);
3472 -               if (task_size - len >= addr &&
3473 -                   (!vma || addr + len <= vma->vm_start))
3474 +               if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
3475                         return addr;
3476         }
3477  
3478         if (len > mm->cached_hole_size) {
3479 -               start_addr = addr = mm->free_area_cache;
3480 +               start_addr = addr = mm->free_area_cache;
3481         } else {
3482 -               start_addr = addr = TASK_UNMAPPED_BASE;
3483 +               start_addr = addr = mm->mmap_base;
3484                 mm->cached_hole_size = 0;
3485         }
3486  
3487 @@ -174,14 +177,14 @@ full_search:
3488                         vma = find_vma(mm, VA_EXCLUDE_END);
3489                 }
3490                 if (unlikely(task_size < addr)) {
3491 -                       if (start_addr != TASK_UNMAPPED_BASE) {
3492 -                               start_addr = addr = TASK_UNMAPPED_BASE;
3493 +                       if (start_addr != mm->mmap_base) {
3494 +                               start_addr = addr = mm->mmap_base;
3495                                 mm->cached_hole_size = 0;
3496                                 goto full_search;
3497                         }
3498                         return -ENOMEM;
3499                 }
3500 -               if (likely(!vma || addr + len <= vma->vm_start)) {
3501 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
3502                         /*
3503                          * Remember the place where we stopped the search:
3504                          */
3505 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
3506                 /* We do not accept a shared mapping if it would violate
3507                  * cache aliasing constraints.
3508                  */
3509 -               if ((flags & MAP_SHARED) &&
3510 +               if ((filp || (flags & MAP_SHARED)) &&
3511                     ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3512                         return -EINVAL;
3513                 return addr;
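Review bot: The same widening of the `MAP_FIXED` colour check to every file-backed mapping is applied here in `arch_get_unmapped_area_topdown()`, so the stale "shared mapping" wording in the comment directly above is wrong for this path too; reword it to `/* Reject a file-backed or shared MAP_FIXED mapping that would violate cache aliasing constraints. */`. Whatever compatibility verdict is reached for the bottom-up variant must hold here as well, since `-EINVAL` is returned before any fallback is attempted.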
3514 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
3515                         addr = PAGE_ALIGN(addr);
3516  
3517                 vma = find_vma(mm, addr);
3518 -               if (task_size - len >= addr &&
3519 -                   (!vma || addr + len <= vma->vm_start))
3520 +               if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
3521                         return addr;
3522         }
3523  
3524 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
3525         /* make sure it can fit in the remaining address space */
3526         if (likely(addr > len)) {
3527                 vma = find_vma(mm, addr-len);
3528 -               if (!vma || addr <= vma->vm_start) {
3529 +               if (check_heap_stack_gap(vma, addr - len, len)) {
3530                         /* remember the address as a hint for next time */
3531                         return (mm->free_area_cache = addr-len);
3532                 }
3533 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
3534         if (unlikely(mm->mmap_base < len))
3535                 goto bottomup;
3536  
3537 -       addr = mm->mmap_base-len;
3538 -       if (do_color_align)
3539 -               addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3540 +       addr = mm->mmap_base - len;
3541  
3542         do {
3543 +               if (do_color_align)
3544 +                       addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3545                 /*
3546                  * Lookup failure means no vma is above this address,
3547                  * else if new region fits below vma->vm_start,
3548                  * return with success:
3549                  */
3550                 vma = find_vma(mm, addr);
3551 -               if (likely(!vma || addr+len <= vma->vm_start)) {
3552 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
3553                         /* remember the address as a hint for next time */
3554                         return (mm->free_area_cache = addr);
3555                 }
3556 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
3557                         mm->cached_hole_size = vma->vm_start - addr;
3558  
3559                 /* try just below the current vma->vm_start */
3560 -               addr = vma->vm_start-len;
3561 -               if (do_color_align)
3562 -                       addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3563 -       } while (likely(len < vma->vm_start));
3564 +               addr = skip_heap_stack_gap(vma, len);
3565 +       } while (!IS_ERR_VALUE(addr));
3566  
3567  bottomup:
3568         /*
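Review bot: Loop termination now rests entirely on `skip_heap_stack_gap()` returning an error-encoded address, since the `len < vma->vm_start` guard was removed and the helper is not in this hunk; the contract should be stated at the call site, e.g. `/* skip_heap_stack_gap() yields an error value once nothing fits below vma; then fall through to bottomup */`. `mm->cached_hole_size` on the first context line is still computed from `addr` before the skip, which is presumably equivalent to the old flow now that colour alignment happens at the top of the loop in the previous hunk, but it is worth a glance. The enclosing function starts and ends outside this hunk.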
3569 @@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
3570             gap == RLIM_INFINITY ||
3571             sysctl_legacy_va_layout) {
3572                 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
3573 +
3574 +#ifdef CONFIG_PAX_RANDMMAP
3575 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
3576 +                       mm->mmap_base += mm->delta_mmap;
3577 +#endif
3578 +
3579                 mm->get_unmapped_area = arch_get_unmapped_area;
3580                 mm->unmap_area = arch_unmap_area;
3581         } else {
3582 @@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
3583                         gap = (task_size / 6 * 5);
3584  
3585                 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
3586 +
3587 +#ifdef CONFIG_PAX_RANDMMAP
3588 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
3589 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3590 +#endif
3591 +
3592                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3593                 mm->unmap_area = arch_unmap_area_topdown;
3594         }
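Review bot: The new `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` runs after `PAGE_ALIGN()`, so the base stays page-aligned only if both deltas are page multiples, which this hunk cannot show; the same ordering question applies to the `+= mm->delta_mmap` in the legacy branch of the previous hunk. There is also no lower-bound check, so if the sum exceeded the gap the top-down base would fall into the bottom-up region; presumably the deltas are bounded where they are generated, and a comment here should say so, e.g. `/* delta_mmap/delta_stack are page multiples bounded at their point of generation (TODO: reference) */`. arch_pick_mmap_layout starts outside the hunk.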
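--- a/arch/sparc/kernel/traps_32.c
+++ b/arch/sparc/kernel/traps_32.c
@@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
 
+extern void gr_handle_kernel_exploit(void);
+
 void die_if_kernel(char *str, struct pt_regs *regs)
 {
        static int die_counter;
@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
                      count++ < 30                              &&
                       (((unsigned long) rw) >= PAGE_OFFSET)    &&
                      !(((unsigned long) rw) & 0x7)) {
-                       printk("Caller[%08lx]: %pS\n", rw->ins[7],
+                       printk("Caller[%08lx]: %pA\n", rw->ins[7],
                               (void *) rw->ins[7]);
                        rw = (struct reg_window32 *)rw->ins[6];
                }
        }
        printk("Instruction DUMP:");
        instruction_dump ((unsigned long *) regs->pc);
-       if(regs->psr & PSR_PS)
+       if(regs->psr & PSR_PS) {
+               gr_handle_kernel_exploit();
                do_exit(SIGKILL);
+       }
        do_exit(SIGSEGV);
 }
 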
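Review bot: `extern void gr_handle_kernel_exploit(void);` is an ad-hoc prototype placed in the .c file rather than taken from a header, and the identical line is repeated in traps_64.c in a later hunk; one declaration in a shared grsecurity header keeps the two from drifting. The new call in `die_if_kernel()` also needs a why-comment, e.g. `/* oops in kernel mode: give grsecurity its exploit-response hook before killing the task */` (the hook's effect is inferred from its name only). The `%pS` → `%pA` switch presumably depends on a vsprintf extension added elsewhere in this patch, so the two parts should be applied together.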
3627 diff -urNp linux-3.1.1/arch/sparc/kernel/traps_64.c linux-3.1.1/arch/sparc/kernel/traps_64.c
3628 --- linux-3.1.1/arch/sparc/kernel/traps_64.c    2011-11-11 15:19:27.000000000 -0500
3629 +++ linux-3.1.1/arch/sparc/kernel/traps_64.c    2011-11-16 18:40:08.000000000 -0500
3630 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
3631                        i + 1,
3632                        p->trapstack[i].tstate, p->trapstack[i].tpc,
3633                        p->trapstack[i].tnpc, p->trapstack[i].tt);
3634 -               printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
3635 +               printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
3636         }
3637  }
3638  
3639 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
3640  
3641         lvl -= 0x100;
3642         if (regs->tstate & TSTATE_PRIV) {
3643 +
3644 +#ifdef CONFIG_PAX_REFCOUNT
3645 +               if (lvl == 6)
3646 +                       pax_report_refcount_overflow(regs);
3647 +#endif
3648 +
3649                 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
3650                 die_if_kernel(buffer, regs);
3651         }
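Review bot: The `6` in `if (lvl == 6)` is a bare magic number that has to stay in step with the `tvs %icc, 6` / `tvs %xcc, 6` operands in the atomic_64.S hunks below and with the identical test in the next hunk (bad_trap_tl1); a single named constant in a header both the C and .S files include, e.g. `#define PAX_REFCOUNT_TRAP 6` (constructed name), would make the coupling explicit. At minimum add `/* software trap 6 is raised by the overflow-checking atomic ops in atomic_64.S */` at this site. bad_trap_tl1 calls pax_report_refcount_overflow() without the TSTATE_PRIV test used here; if TL>0 implies a privileged trap that is fine, but a comment saying so would help.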
3652 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
3653  void bad_trap_tl1(struct pt_regs *regs, long lvl)
3654  {
3655         char buffer[32];
3656 -       
3657 +
3658         if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
3659                        0, lvl, SIGTRAP) == NOTIFY_STOP)
3660                 return;
3661  
3662 +#ifdef CONFIG_PAX_REFCOUNT
3663 +       if (lvl == 6)
3664 +               pax_report_refcount_overflow(regs);
3665 +#endif
3666 +
3667         dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
3668  
3669         sprintf (buffer, "Bad trap %lx at tl>0", lvl);
3670 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
3671                regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
3672         printk("%s" "ERROR(%d): ",
3673                (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
3674 -       printk("TPC<%pS>\n", (void *) regs->tpc);
3675 +       printk("TPC<%pA>\n", (void *) regs->tpc);
3676         printk("%s" "ERROR(%d): M_SYND(%lx),  E_SYND(%lx)%s%s\n",
3677                (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
3678                (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
3679 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
3680                        smp_processor_id(),
3681                        (type & 0x1) ? 'I' : 'D',
3682                        regs->tpc);
3683 -               printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
3684 +               printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
3685                 panic("Irrecoverable Cheetah+ parity error.");
3686         }
3687  
3688 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
3689                smp_processor_id(),
3690                (type & 0x1) ? 'I' : 'D',
3691                regs->tpc);
3692 -       printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
3693 +       printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
3694  }
3695  
3696  struct sun4v_error_entry {
3697 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
3698  
3699         printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
3700                regs->tpc, tl);
3701 -       printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
3702 +       printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
3703         printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
3704 -       printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
3705 +       printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
3706                (void *) regs->u_regs[UREG_I7]);
3707         printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
3708                "pte[%lx] error[%lx]\n",
3709 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
3710  
3711         printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
3712                regs->tpc, tl);
3713 -       printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
3714 +       printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
3715         printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
3716 -       printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
3717 +       printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
3718                (void *) regs->u_regs[UREG_I7]);
3719         printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
3720                "pte[%lx] error[%lx]\n",
3721 @@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
3722                         fp = (unsigned long)sf->fp + STACK_BIAS;
3723                 }
3724  
3725 -               printk(" [%016lx] %pS\n", pc, (void *) pc);
3726 +               printk(" [%016lx] %pA\n", pc, (void *) pc);
3727  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
3728                 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
3729                         int index = tsk->curr_ret_stack;
3730                         if (tsk->ret_stack && index >= graph) {
3731                                 pc = tsk->ret_stack[index - graph].ret;
3732 -                               printk(" [%016lx] %pS\n", pc, (void *) pc);
3733 +                               printk(" [%016lx] %pA\n", pc, (void *) pc);
3734                                 graph++;
3735                         }
3736                 }
3737 @@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_
3738         return (struct reg_window *) (fp + STACK_BIAS);
3739  }
3740  
3741 +extern void gr_handle_kernel_exploit(void);
3742 +
3743  void die_if_kernel(char *str, struct pt_regs *regs)
3744  {
3745         static int die_counter;
3746 @@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_
3747                 while (rw &&
3748                        count++ < 30 &&
3749                        kstack_valid(tp, (unsigned long) rw)) {
3750 -                       printk("Caller[%016lx]: %pS\n", rw->ins[7],
3751 +                       printk("Caller[%016lx]: %pA\n", rw->ins[7],
3752                                (void *) rw->ins[7]);
3753  
3754                         rw = kernel_stack_up(rw);
3755 @@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_
3756                 }
3757                 user_instruction_dump ((unsigned int __user *) regs->tpc);
3758         }
3759 -       if (regs->tstate & TSTATE_PRIV)
3760 +       if (regs->tstate & TSTATE_PRIV) {
3761 +               gr_handle_kernel_exploit();
3762                 do_exit(SIGKILL);
3763 +       }
3764         do_exit(SIGSEGV);
3765  }
3766  EXPORT_SYMBOL(die_if_kernel);
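--- a/arch/sparc/kernel/unaligned_64.c
+++ b/arch/sparc/kernel/unaligned_64.c
@@ -279,7 +279,7 @@ static void log_unaligned(struct pt_regs
        static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
 
        if (__ratelimit(&ratelimit)) {
-               printk("Kernel unaligned access at TPC[%lx] %pS\n",
+               printk("Kernel unaligned access at TPC[%lx] %pA\n",
                       regs->tpc, (void *) regs->tpc);
        }
 }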
3779 diff -urNp linux-3.1.1/arch/sparc/lib/atomic_64.S linux-3.1.1/arch/sparc/lib/atomic_64.S
3780 --- linux-3.1.1/arch/sparc/lib/atomic_64.S      2011-11-11 15:19:27.000000000 -0500
3781 +++ linux-3.1.1/arch/sparc/lib/atomic_64.S      2011-11-16 18:39:07.000000000 -0500
3782 @@ -18,7 +18,12 @@
3783  atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
3784         BACKOFF_SETUP(%o2)
3785  1:     lduw    [%o1], %g1
3786 -       add     %g1, %o0, %g7
3787 +       addcc   %g1, %o0, %g7
3788 +
3789 +#ifdef CONFIG_PAX_REFCOUNT
3790 +       tvs     %icc, 6
3791 +#endif
3792 +
3793         cas     [%o1], %g1, %g7
3794         cmp     %g1, %g7
3795         bne,pn  %icc, BACKOFF_LABEL(2f, 1b)
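Review bot: The `tvs %icc, 6` fires on the provisional sum produced by `addcc` before the `cas` decides whether that value is ever stored, and nothing in the file says so; add `/* trap on signed overflow of the new value (PaX refcount check); reaches bad_trap() as sw trap 6 */` here, and the same comment applies to every `subcc`/`addcc` + `tvs` site in the following hunks of this file. `addcc` also writes the condition codes the original `add` left untouched; that is harmless because `cmp` re-sets them before `bne`, but it is worth one clause in the comment since this is hand-written asm.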
3796 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
3797  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3798         .size   atomic_add, .-atomic_add
3799  
3800 +       .globl  atomic_add_unchecked
3801 +       .type   atomic_add_unchecked,#function
3802 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3803 +       BACKOFF_SETUP(%o2)
3804 +1:     lduw    [%o1], %g1
3805 +       add     %g1, %o0, %g7
3806 +       cas     [%o1], %g1, %g7
3807 +       cmp     %g1, %g7
3808 +       bne,pn  %icc, 2f
3809 +        nop
3810 +       retl
3811 +        nop
3812 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3813 +       .size   atomic_add_unchecked, .-atomic_add_unchecked
3814 +
3815         .globl  atomic_sub
3816         .type   atomic_sub,#function
3817  atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3818         BACKOFF_SETUP(%o2)
3819  1:     lduw    [%o1], %g1
3820 -       sub     %g1, %o0, %g7
3821 +       subcc   %g1, %o0, %g7
3822 +
3823 +#ifdef CONFIG_PAX_REFCOUNT
3824 +       tvs     %icc, 6
3825 +#endif
3826 +
3827         cas     [%o1], %g1, %g7
3828         cmp     %g1, %g7
3829         bne,pn  %icc, BACKOFF_LABEL(2f, 1b)
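Review bot: `atomic_add_unchecked` branches with a hard-coded `bne,pn %icc, 2f` plus `nop`, whereas the checked `atomic_add` it mirrors uses `bne,pn %icc, BACKOFF_LABEL(2f, 1b)`; if `BACKOFF_LABEL`/`BACKOFF_SPIN` are configuration-dependent (their use in the checked routines suggests so), the unchecked copies lose that selection, and on a configuration where `BACKOFF_SPIN` expands to nothing execution after `2:` would run off the end of the routine. Use `bne,pn %icc, BACKOFF_LABEL(2f, 1b)` here and in the other `_unchecked` routines added by the later hunks of this file (atomic_sub_unchecked, atomic_add_ret_unchecked, atomic64_add_unchecked, atomic64_sub_unchecked, atomic64_add_ret_unchecked).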
3830 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
3831  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3832         .size   atomic_sub, .-atomic_sub
3833  
3834 +       .globl  atomic_sub_unchecked
3835 +       .type   atomic_sub_unchecked,#function
3836 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
3837 +       BACKOFF_SETUP(%o2)
3838 +1:     lduw    [%o1], %g1
3839 +       sub     %g1, %o0, %g7
3840 +       cas     [%o1], %g1, %g7
3841 +       cmp     %g1, %g7
3842 +       bne,pn  %icc, 2f
3843 +        nop
3844 +       retl
3845 +        nop
3846 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3847 +       .size   atomic_sub_unchecked, .-atomic_sub_unchecked
3848 +
3849         .globl  atomic_add_ret
3850         .type   atomic_add_ret,#function
3851  atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3852         BACKOFF_SETUP(%o2)
3853  1:     lduw    [%o1], %g1
3854 -       add     %g1, %o0, %g7
3855 +       addcc   %g1, %o0, %g7
3856 +
3857 +#ifdef CONFIG_PAX_REFCOUNT
3858 +       tvs     %icc, 6
3859 +#endif
3860 +
3861         cas     [%o1], %g1, %g7
3862         cmp     %g1, %g7
3863         bne,pn  %icc, BACKOFF_LABEL(2f, 1b)
3864 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1 
3865  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3866         .size   atomic_add_ret, .-atomic_add_ret
3867  
3868 +       .globl  atomic_add_ret_unchecked
3869 +       .type   atomic_add_ret_unchecked,#function
3870 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3871 +       BACKOFF_SETUP(%o2)
3872 +1:     lduw    [%o1], %g1
3873 +       addcc   %g1, %o0, %g7
3874 +       cas     [%o1], %g1, %g7
3875 +       cmp     %g1, %g7
3876 +       bne,pn  %icc, 2f
3877 +        add    %g7, %o0, %g7
3878 +       sra     %g7, 0, %o0
3879 +       retl
3880 +        nop
3881 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3882 +       .size   atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
3883 +
3884         .globl  atomic_sub_ret
3885         .type   atomic_sub_ret,#function
3886  atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3887         BACKOFF_SETUP(%o2)
3888  1:     lduw    [%o1], %g1
3889 -       sub     %g1, %o0, %g7
3890 +       subcc   %g1, %o0, %g7
3891 +
3892 +#ifdef CONFIG_PAX_REFCOUNT
3893 +       tvs     %icc, 6
3894 +#endif
3895 +
3896         cas     [%o1], %g1, %g7
3897         cmp     %g1, %g7
3898         bne,pn  %icc, BACKOFF_LABEL(2f, 1b)
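Review bot: `atomic_add_ret_unchecked` uses `addcc` although nothing in the unchecked path consumes the condition codes (there is no `tvs`), while `atomic_add_unchecked` earlier in the file uses plain `add`; change it to `add %g1, %o0, %g7` so the `cc` suffix stays a reliable marker of an overflow-checked site, and likewise in `atomic64_add_ret_unchecked` in the last hunk of this file. Separately, `atomic_sub_ret` (and `atomic64_sub_ret`) gets no `_unchecked` twin while the add_ret routines do; if that is deliberate, a one-line comment next to `.size atomic_sub_ret` would save the next reader a search.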
3899 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1 
3900  atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
3901         BACKOFF_SETUP(%o2)
3902  1:     ldx     [%o1], %g1
3903 -       add     %g1, %o0, %g7
3904 +       addcc   %g1, %o0, %g7
3905 +
3906 +#ifdef CONFIG_PAX_REFCOUNT
3907 +       tvs     %xcc, 6
3908 +#endif
3909 +
3910         casx    [%o1], %g1, %g7
3911         cmp     %g1, %g7
3912         bne,pn  %xcc, BACKOFF_LABEL(2f, 1b)
3913 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 = 
3914  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3915         .size   atomic64_add, .-atomic64_add
3916  
3917 +       .globl  atomic64_add_unchecked
3918 +       .type   atomic64_add_unchecked,#function
3919 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3920 +       BACKOFF_SETUP(%o2)
3921 +1:     ldx     [%o1], %g1
3922 +       addcc   %g1, %o0, %g7
3923 +       casx    [%o1], %g1, %g7
3924 +       cmp     %g1, %g7
3925 +       bne,pn  %xcc, 2f
3926 +        nop
3927 +       retl
3928 +        nop
3929 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3930 +       .size   atomic64_add_unchecked, .-atomic64_add_unchecked
3931 +
3932         .globl  atomic64_sub
3933         .type   atomic64_sub,#function
3934  atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3935         BACKOFF_SETUP(%o2)
3936  1:     ldx     [%o1], %g1
3937 -       sub     %g1, %o0, %g7
3938 +       subcc   %g1, %o0, %g7
3939 +
3940 +#ifdef CONFIG_PAX_REFCOUNT
3941 +       tvs     %xcc, 6
3942 +#endif
3943 +
3944         casx    [%o1], %g1, %g7
3945         cmp     %g1, %g7
3946         bne,pn  %xcc, BACKOFF_LABEL(2f, 1b)
3947 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 = 
3948  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3949         .size   atomic64_sub, .-atomic64_sub
3950  
3951 +       .globl  atomic64_sub_unchecked
3952 +       .type   atomic64_sub_unchecked,#function
3953 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
3954 +       BACKOFF_SETUP(%o2)
3955 +1:     ldx     [%o1], %g1
3956 +       subcc   %g1, %o0, %g7
3957 +       casx    [%o1], %g1, %g7
3958 +       cmp     %g1, %g7
3959 +       bne,pn  %xcc, 2f
3960 +        nop
3961 +       retl
3962 +        nop
3963 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3964 +       .size   atomic64_sub_unchecked, .-atomic64_sub_unchecked
3965 +
3966         .globl  atomic64_add_ret
3967         .type   atomic64_add_ret,#function
3968  atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3969         BACKOFF_SETUP(%o2)
3970  1:     ldx     [%o1], %g1
3971 -       add     %g1, %o0, %g7
3972 +       addcc   %g1, %o0, %g7
3973 +
3974 +#ifdef CONFIG_PAX_REFCOUNT
3975 +       tvs     %xcc, 6
3976 +#endif
3977 +
3978         casx    [%o1], %g1, %g7
3979         cmp     %g1, %g7
3980         bne,pn  %xcc, BACKOFF_LABEL(2f, 1b)
3981 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
3982  2:     BACKOFF_SPIN(%o2, %o3, 1b)
3983         .size   atomic64_add_ret, .-atomic64_add_ret
3984  
3985 +       .globl  atomic64_add_ret_unchecked
3986 +       .type   atomic64_add_ret_unchecked,#function
3987 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3988 +       BACKOFF_SETUP(%o2)
3989 +1:     ldx     [%o1], %g1
3990 +       addcc   %g1, %o0, %g7
3991 +       casx    [%o1], %g1, %g7
3992 +       cmp     %g1, %g7
3993 +       bne,pn  %xcc, 2f
3994 +        add    %g7, %o0, %g7
3995 +       mov     %g7, %o0
3996 +       retl
3997 +        nop
3998 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
3999 +       .size   atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4000 +
4001         .globl  atomic64_sub_ret
4002         .type   atomic64_sub_ret,#function
4003  atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4004         BACKOFF_SETUP(%o2)
4005  1:     ldx     [%o1], %g1
4006 -       sub     %g1, %o0, %g7
4007 +       subcc   %g1, %o0, %g7
4008 +
4009 +#ifdef CONFIG_PAX_REFCOUNT
4010 +       tvs     %xcc, 6
4011 +#endif
4012 +
4013         casx    [%o1], %g1, %g7
4014         cmp     %g1, %g7
4015         bne,pn  %xcc, BACKOFF_LABEL(2f, 1b)
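--- a/arch/sparc/lib/ksyms.c
+++ b/arch/sparc/lib/ksyms.c
@@ -142,12 +142,18 @@ EXPORT_SYMBOL(__downgrade_write);
 
 /* Atomic counter implementation. */
 EXPORT_SYMBOL(atomic_add);
+EXPORT_SYMBOL(atomic_add_unchecked);
 EXPORT_SYMBOL(atomic_add_ret);
+EXPORT_SYMBOL(atomic_add_ret_unchecked);
 EXPORT_SYMBOL(atomic_sub);
+EXPORT_SYMBOL(atomic_sub_unchecked);
 EXPORT_SYMBOL(atomic_sub_ret);
 EXPORT_SYMBOL(atomic64_add);
+EXPORT_SYMBOL(atomic64_add_unchecked);
 EXPORT_SYMBOL(atomic64_add_ret);
+EXPORT_SYMBOL(atomic64_add_ret_unchecked);
 EXPORT_SYMBOL(atomic64_sub);
+EXPORT_SYMBOL(atomic64_sub_unchecked);
 EXPORT_SYMBOL(atomic64_sub_ret);
 
 /* Atomic bit operations. */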
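--- a/arch/sparc/lib/Makefile
+++ b/arch/sparc/lib/Makefile
@@ -2,7 +2,7 @@
 #
 
 asflags-y := -ansi -DST_DIV0=0x02
-ccflags-y := -Werror
+#ccflags-y := -Werror
 
 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
 lib-$(CONFIG_SPARC32) += memcpy.o memset.o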
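Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for every object in arch/sparc/lib, and nothing in this hunk records which warning the new code introduced. Prefer fixing that warning, or confining the relaxation to the one object with kbuild's per-file `CFLAGS_<object>.o` variable; failing that, annotate the disabled line, `# -Werror disabled: <reason> (TODO re-enable)`, so the change does not become silently permanent.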
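--- a/arch/sparc/Makefile
+++ b/arch/sparc/Makefile
@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE)    += arch/sparc
 # Export what is needed by arch/sparc/boot/Makefile
 export VMLINUX_INIT VMLINUX_MAIN
 VMLINUX_INIT := $(head-y) $(init-y)
-VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
+VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
 VMLINUX_MAIN += $(drivers-y) $(net-y)
 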
4062 diff -urNp linux-3.1.1/arch/sparc/mm/fault_32.c linux-3.1.1/arch/sparc/mm/fault_32.c
4063 --- linux-3.1.1/arch/sparc/mm/fault_32.c        2011-11-11 15:19:27.000000000 -0500
4064 +++ linux-3.1.1/arch/sparc/mm/fault_32.c        2011-11-16 18:39:07.000000000 -0500
4065 @@ -22,6 +22,9 @@
4066  #include <linux/interrupt.h>
4067  #include <linux/module.h>
4068  #include <linux/kdebug.h>
4069 +#include <linux/slab.h>
4070 +#include <linux/pagemap.h>
4071 +#include <linux/compiler.h>
4072  
4073  #include <asm/system.h>
4074  #include <asm/page.h>
4075 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4076         return safe_compute_effective_address(regs, insn);
4077  }
4078  
4079 +#ifdef CONFIG_PAX_PAGEEXEC
4080 +#ifdef CONFIG_PAX_DLRESOLVE
4081 +static void pax_emuplt_close(struct vm_area_struct *vma)
4082 +{
4083 +       vma->vm_mm->call_dl_resolve = 0UL;
4084 +}
4085 +
4086 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4087 +{
4088 +       unsigned int *kaddr;
4089 +
4090 +       vmf->page = alloc_page(GFP_HIGHUSER);
4091 +       if (!vmf->page)
4092 +               return VM_FAULT_OOM;
4093 +
4094 +       kaddr = kmap(vmf->page);
4095 +       memset(kaddr, 0, PAGE_SIZE);
4096 +       kaddr[0] = 0x9DE3BFA8U; /* save */
4097 +       flush_dcache_page(vmf->page);
4098 +       kunmap(vmf->page);
4099 +       return VM_FAULT_MAJOR;
4100 +}
4101 +
4102 +static const struct vm_operations_struct pax_vm_ops = {
4103 +       .close = pax_emuplt_close,
4104 +       .fault = pax_emuplt_fault
4105 +};
4106 +
4107 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4108 +{
4109 +       int ret;
4110 +
4111 +       INIT_LIST_HEAD(&vma->anon_vma_chain);
4112 +       vma->vm_mm = current->mm;
4113 +       vma->vm_start = addr;
4114 +       vma->vm_end = addr + PAGE_SIZE;
4115 +       vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4116 +       vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4117 +       vma->vm_ops = &pax_vm_ops;
4118 +
4119 +       ret = insert_vm_struct(current->mm, vma);
4120 +       if (ret)
4121 +               return ret;
4122 +
4123 +       ++current->mm->total_vm;
4124 +       return 0;
4125 +}
4126 +#endif
4127 +
4128 +/*
4129 + * PaX: decide what to do with offenders (regs->pc = fault address)
4130 + *
4131 + * returns 1 when task should be killed
4132 + *         2 when patched PLT trampoline was detected
4133 + *         3 when unpatched PLT trampoline was detected
4134 + */
4135 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4136 +{
4137 +
4138 +#ifdef CONFIG_PAX_EMUPLT
4139 +       int err;
4140 +
4141 +       do { /* PaX: patched PLT emulation #1 */
4142 +               unsigned int sethi1, sethi2, jmpl;
4143 +
4144 +               err = get_user(sethi1, (unsigned int *)regs->pc);
4145 +               err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4146 +               err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4147 +
4148 +               if (err)
4149 +                       break;
4150 +
4151 +               if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4152 +                   (sethi2 & 0xFFC00000U) == 0x03000000U &&
4153 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U)
4154 +               {
4155 +                       unsigned int addr;
4156 +
4157 +                       regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4158 +                       addr = regs->u_regs[UREG_G1];
4159 +                       addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4160 +                       regs->pc = addr;
4161 +                       regs->npc = addr+4;
4162 +                       return 2;
4163 +               }
4164 +       } while (0);
4165 +
4166 +       { /* PaX: patched PLT emulation #2 */
4167 +               unsigned int ba;
4168 +
4169 +               err = get_user(ba, (unsigned int *)regs->pc);
4170 +
4171 +               if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4172 +                       unsigned int addr;
4173 +
4174 +                       addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4175 +                       regs->pc = addr;
4176 +                       regs->npc = addr+4;
4177 +                       return 2;
4178 +               }
4179 +       }
4180 +
4181 +       do { /* PaX: patched PLT emulation #3 */
4182 +               unsigned int sethi, jmpl, nop;
4183 +
4184 +               err = get_user(sethi, (unsigned int *)regs->pc);
4185 +               err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4186 +               err |= get_user(nop, (unsigned int *)(regs->pc+8));
4187 +
4188 +               if (err)
4189 +                       break;
4190 +
4191 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4192 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4193 +                   nop == 0x01000000U)
4194 +               {
4195 +                       unsigned int addr;
4196 +
4197 +                       addr = (sethi & 0x003FFFFFU) << 10;
4198 +                       regs->u_regs[UREG_G1] = addr;
4199 +                       addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4200 +                       regs->pc = addr;
4201 +                       regs->npc = addr+4;
4202 +                       return 2;
4203 +               }
4204 +       } while (0);
4205 +
4206 +       do { /* PaX: unpatched PLT emulation step 1 */
4207 +               unsigned int sethi, ba, nop;
4208 +
4209 +               err = get_user(sethi, (unsigned int *)regs->pc);
4210 +               err |= get_user(ba, (unsigned int *)(regs->pc+4));
4211 +               err |= get_user(nop, (unsigned int *)(regs->pc+8));
4212 +
4213 +               if (err)
4214 +                       break;
4215 +
4216 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4217 +                   ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4218 +                   nop == 0x01000000U)
4219 +               {
4220 +                       unsigned int addr, save, call;
4221 +
4222 +                       if ((ba & 0xFFC00000U) == 0x30800000U)
4223 +                               addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4224 +                       else
4225 +                               addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4226 +
4227 +                       err = get_user(save, (unsigned int *)addr);
4228 +                       err |= get_user(call, (unsigned int *)(addr+4));
4229 +                       err |= get_user(nop, (unsigned int *)(addr+8));
4230 +                       if (err)
4231 +                               break;
4232 +
4233 +#ifdef CONFIG_PAX_DLRESOLVE
4234 +                       if (save == 0x9DE3BFA8U &&
4235 +                           (call & 0xC0000000U) == 0x40000000U &&
4236 +                           nop == 0x01000000U)
4237 +                       {
4238 +                               struct vm_area_struct *vma;
4239 +                               unsigned long call_dl_resolve;
4240 +
4241 +                               down_read(&current->mm->mmap_sem);
4242 +                               call_dl_resolve = current->mm->call_dl_resolve;
4243 +                               up_read(&current->mm->mmap_sem);
4244 +                               if (likely(call_dl_resolve))
4245 +                                       goto emulate;
4246 +
4247 +                               vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4248 +
4249 +                               down_write(&current->mm->mmap_sem);
4250 +                               if (current->mm->call_dl_resolve) {
4251 +                                       call_dl_resolve = current->mm->call_dl_resolve;
4252 +                                       up_write(&current->mm->mmap_sem);
4253 +                                       if (vma)
4254 +                                               kmem_cache_free(vm_area_cachep, vma);
4255 +                                       goto emulate;
4256 +                               }
4257 +
4258 +                               call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4259 +                               if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4260 +                                       up_write(&current->mm->mmap_sem);
4261 +                                       if (vma)
4262 +                                               kmem_cache_free(vm_area_cachep, vma);
4263 +                                       return 1;
4264 +                               }
4265 +
4266 +                               if (pax_insert_vma(vma, call_dl_resolve)) {
4267 +                                       up_write(&current->mm->mmap_sem);
4268 +                                       kmem_cache_free(vm_area_cachep, vma);
4269 +                                       return 1;
4270 +                               }
4271 +
4272 +                               current->mm->call_dl_resolve = call_dl_resolve;
4273 +                               up_write(&current->mm->mmap_sem);
4274 +
4275 +emulate:
4276 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4277 +                               regs->pc = call_dl_resolve;
4278 +                               regs->npc = addr+4;
4279 +                               return 3;
4280 +                       }
4281 +#endif
4282 +
4283 +                       /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4284 +                       if ((save & 0xFFC00000U) == 0x05000000U &&
4285 +                           (call & 0xFFFFE000U) == 0x85C0A000U &&
4286 +                           nop == 0x01000000U)
4287 +                       {
4288 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4289 +                               regs->u_regs[UREG_G2] = addr + 4;
4290 +                               addr = (save & 0x003FFFFFU) << 10;
4291 +                               addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4292 +                               regs->pc = addr;
4293 +                               regs->npc = addr+4;
4294 +                               return 3;
4295 +                       }
4296 +               }
4297 +       } while (0);
4298 +
4299 +       do { /* PaX: unpatched PLT emulation step 2 */
4300 +               unsigned int save, call, nop;
4301 +
4302 +               err = get_user(save, (unsigned int *)(regs->pc-4));
4303 +               err |= get_user(call, (unsigned int *)regs->pc);
4304 +               err |= get_user(nop, (unsigned int *)(regs->pc+4));
4305 +               if (err)
4306 +                       break;
4307 +
4308 +               if (save == 0x9DE3BFA8U &&
4309 +                   (call & 0xC0000000U) == 0x40000000U &&
4310 +                   nop == 0x01000000U)
4311 +               {
4312 +                       unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4313 +
4314 +                       regs->u_regs[UREG_RETPC] = regs->pc;
4315 +                       regs->pc = dl_resolve;
4316 +                       regs->npc = dl_resolve+4;
4317 +                       return 3;
4318 +               }
4319 +       } while (0);
4320 +#endif
4321 +
4322 +       return 1;
4323 +}
4324 +
4325 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
4326 +{
4327 +       unsigned long i;
4328 +
4329 +       printk(KERN_ERR "PAX: bytes at PC: ");
4330 +       for (i = 0; i < 8; i++) {
4331 +               unsigned int c;
4332 +               if (get_user(c, (unsigned int *)pc+i))
4333 +                       printk(KERN_CONT "???????? ");
4334 +               else
4335 +                       printk(KERN_CONT "%08x ", c);
4336 +       }
4337 +       printk("\n");
4338 +}
4339 +#endif
4340 +
4341  static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
4342                                       int text_fault)
4343  {
4344 @@ -281,6 +546,24 @@ good_area:
4345                 if(!(vma->vm_flags & VM_WRITE))
4346                         goto bad_area;
4347         } else {
4348 +
4349 +#ifdef CONFIG_PAX_PAGEEXEC
4350 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4351 +                       up_read(&mm->mmap_sem);
4352 +                       switch (pax_handle_fetch_fault(regs)) {
4353 +
4354 +#ifdef CONFIG_PAX_EMUPLT
4355 +                       case 2:
4356 +                       case 3:
4357 +                               return;
4358 +#endif
4359 +
4360 +                       }
4361 +                       pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4362 +                       do_group_exit(SIGKILL);
4363 +               }
4364 +#endif
4365 +
4366                 /* Allow reads even for write-only mappings */
4367                 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4368                         goto bad_area;
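Review bot: The `switch (pax_handle_fetch_fault(regs))` in the new block has no `default` arm and, with CONFIG_PAX_EMUPLT unset, an empty body, so the fact that return code 1 (the "kill" result per the helper's header comment in fault_64.c) is meant to drop into `pax_report_fault()` and `do_group_exit(SIGKILL)` is only implicit at the point where it is acted on. A `default: break; /* 1: no emulable PLT pattern, report and kill */` arm would state the contract where the caller consumes it and also gives the EMUPLT-less build a non-empty switch body. The same shape is used in the do_sparc64_fault hunk of arch/sparc/mm/fault_64.c (@@ -340,6 +794,29 @@). The enclosing fault handler begins outside this hunk.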
4369 diff -urNp linux-3.1.1/arch/sparc/mm/fault_64.c linux-3.1.1/arch/sparc/mm/fault_64.c
4370 --- linux-3.1.1/arch/sparc/mm/fault_64.c        2011-11-11 15:19:27.000000000 -0500
4371 +++ linux-3.1.1/arch/sparc/mm/fault_64.c        2011-11-16 18:40:08.000000000 -0500
4372 @@ -21,6 +21,9 @@
4373  #include <linux/kprobes.h>
4374  #include <linux/kdebug.h>
4375  #include <linux/percpu.h>
4376 +#include <linux/slab.h>
4377 +#include <linux/pagemap.h>
4378 +#include <linux/compiler.h>
4379  
4380  #include <asm/page.h>
4381  #include <asm/pgtable.h>
4382 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
4383         printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
4384                regs->tpc);
4385         printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
4386 -       printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
4387 +       printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
4388         printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
4389         dump_stack();
4390         unhandled_fault(regs->tpc, current, regs);
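Review bot: The rewritten `%pA` line is the only printk in this block without a log level, so it goes out at the default level while the lines around it are KERN_CRIT; since the line is being touched anyway, `printk(KERN_CRIT "OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);` keeps the whole oops report at one severity. `%pA` is not a specifier this file defines, so the hunk presumably depends on a vsprintf change elsewhere in the patch; a short comment naming that dependency would help whoever rebases this file on its own.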
4391 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
4392         show_regs(regs);
4393  }
4394  
4395 +#ifdef CONFIG_PAX_PAGEEXEC
4396 +#ifdef CONFIG_PAX_DLRESOLVE
4397 +static void pax_emuplt_close(struct vm_area_struct *vma)
4398 +{
4399 +       vma->vm_mm->call_dl_resolve = 0UL;
4400 +}
4401 +
4402 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4403 +{
4404 +       unsigned int *kaddr;
4405 +
4406 +       vmf->page = alloc_page(GFP_HIGHUSER);
4407 +       if (!vmf->page)
4408 +               return VM_FAULT_OOM;
4409 +
4410 +       kaddr = kmap(vmf->page);
4411 +       memset(kaddr, 0, PAGE_SIZE);
4412 +       kaddr[0] = 0x9DE3BFA8U; /* save */
4413 +       flush_dcache_page(vmf->page);
4414 +       kunmap(vmf->page);
4415 +       return VM_FAULT_MAJOR;
4416 +}
4417 +
4418 +static const struct vm_operations_struct pax_vm_ops = {
4419 +       .close = pax_emuplt_close,
4420 +       .fault = pax_emuplt_fault
4421 +};
4422 +
4423 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4424 +{
4425 +       int ret;
4426 +
4427 +       INIT_LIST_HEAD(&vma->anon_vma_chain);
4428 +       vma->vm_mm = current->mm;
4429 +       vma->vm_start = addr;
4430 +       vma->vm_end = addr + PAGE_SIZE;
4431 +       vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4432 +       vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4433 +       vma->vm_ops = &pax_vm_ops;
4434 +
4435 +       ret = insert_vm_struct(current->mm, vma);
4436 +       if (ret)
4437 +               return ret;
4438 +
4439 +       ++current->mm->total_vm;
4440 +       return 0;
4441 +}
4442 +#endif
4443 +
4444 +/*
4445 + * PaX: decide what to do with offenders (regs->tpc = fault address)
4446 + *
4447 + * returns 1 when task should be killed
4448 + *         2 when patched PLT trampoline was detected
4449 + *         3 when unpatched PLT trampoline was detected
4450 + */
4451 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4452 +{
4453 +
4454 +#ifdef CONFIG_PAX_EMUPLT
4455 +       int err;
4456 +
4457 +       do { /* PaX: patched PLT emulation #1 */
4458 +               unsigned int sethi1, sethi2, jmpl;
4459 +
4460 +               err = get_user(sethi1, (unsigned int *)regs->tpc);
4461 +               err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4462 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4463 +
4464 +               if (err)
4465 +                       break;
4466 +
4467 +               if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4468 +                   (sethi2 & 0xFFC00000U) == 0x03000000U &&
4469 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U)
4470 +               {
4471 +                       unsigned long addr;
4472 +
4473 +                       regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4474 +                       addr = regs->u_regs[UREG_G1];
4475 +                       addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4476 +
4477 +                       if (test_thread_flag(TIF_32BIT))
4478 +                               addr &= 0xFFFFFFFFUL;
4479 +
4480 +                       regs->tpc = addr;
4481 +                       regs->tnpc = addr+4;
4482 +                       return 2;
4483 +               }
4484 +       } while (0);
4485 +
4486 +       { /* PaX: patched PLT emulation #2 */
4487 +               unsigned int ba;
4488 +
4489 +               err = get_user(ba, (unsigned int *)regs->tpc);
4490 +
4491 +               if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4492 +                       unsigned long addr;
4493 +
4494 +                       addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4495 +
4496 +                       if (test_thread_flag(TIF_32BIT))
4497 +                               addr &= 0xFFFFFFFFUL;
4498 +
4499 +                       regs->tpc = addr;
4500 +                       regs->tnpc = addr+4;
4501 +                       return 2;
4502 +               }
4503 +       }
4504 +
4505 +       do { /* PaX: patched PLT emulation #3 */
4506 +               unsigned int sethi, jmpl, nop;
4507 +
4508 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4509 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4510 +               err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4511 +
4512 +               if (err)
4513 +                       break;
4514 +
4515 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4516 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4517 +                   nop == 0x01000000U)
4518 +               {
4519 +                       unsigned long addr;
4520 +
4521 +                       addr = (sethi & 0x003FFFFFU) << 10;
4522 +                       regs->u_regs[UREG_G1] = addr;
4523 +                       addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4524 +
4525 +                       if (test_thread_flag(TIF_32BIT))
4526 +                               addr &= 0xFFFFFFFFUL;
4527 +
4528 +                       regs->tpc = addr;
4529 +                       regs->tnpc = addr+4;
4530 +                       return 2;
4531 +               }
4532 +       } while (0);
4533 +
4534 +       do { /* PaX: patched PLT emulation #4 */
4535 +               unsigned int sethi, mov1, call, mov2;
4536 +
4537 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4538 +               err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4539 +               err |= get_user(call, (unsigned int *)(regs->tpc+8));
4540 +               err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4541 +
4542 +               if (err)
4543 +                       break;
4544 +
4545 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4546 +                   mov1 == 0x8210000FU &&
4547 +                   (call & 0xC0000000U) == 0x40000000U &&
4548 +                   mov2 == 0x9E100001U)
4549 +               {
4550 +                       unsigned long addr;
4551 +
4552 +                       regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4553 +                       addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4554 +
4555 +                       if (test_thread_flag(TIF_32BIT))
4556 +                               addr &= 0xFFFFFFFFUL;
4557 +
4558 +                       regs->tpc = addr;
4559 +                       regs->tnpc = addr+4;
4560 +                       return 2;
4561 +               }
4562 +       } while (0);
4563 +
4564 +       do { /* PaX: patched PLT emulation #5 */
4565 +               unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
4566 +
4567 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4568 +               err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4569 +               err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4570 +               err |= get_user(or1, (unsigned int *)(regs->tpc+12));
4571 +               err |= get_user(or2, (unsigned int *)(regs->tpc+16));
4572 +               err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
4573 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
4574 +               err |= get_user(nop, (unsigned int *)(regs->tpc+28));
4575 +
4576 +               if (err)
4577 +                       break;
4578 +
4579 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4580 +                   (sethi1 & 0xFFC00000U) == 0x03000000U &&
4581 +                   (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4582 +                   (or1 & 0xFFFFE000U) == 0x82106000U &&
4583 +                   (or2 & 0xFFFFE000U) == 0x8A116000U &&
4584 +                   sllx == 0x83287020U &&
4585 +                   jmpl == 0x81C04005U &&
4586 +                   nop == 0x01000000U)
4587 +               {
4588 +                       unsigned long addr;
4589 +
4590 +                       regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4591 +                       regs->u_regs[UREG_G1] <<= 32;
4592 +                       regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4593 +                       addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4594 +                       regs->tpc = addr;
4595 +                       regs->tnpc = addr+4;
4596 +                       return 2;
4597 +               }
4598 +       } while (0);
4599 +
4600 +       do { /* PaX: patched PLT emulation #6 */
4601 +               unsigned int sethi, sethi1, sethi2, sllx, or,  jmpl, nop;
4602 +
4603 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4604 +               err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4605 +               err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4606 +               err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
4607 +               err |= get_user(or, (unsigned int *)(regs->tpc+16));
4608 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
4609 +               err |= get_user(nop, (unsigned int *)(regs->tpc+24));
4610 +
4611 +               if (err)
4612 +                       break;
4613 +
4614 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4615 +                   (sethi1 & 0xFFC00000U) == 0x03000000U &&
4616 +                   (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4617 +                   sllx == 0x83287020U &&
4618 +                   (or & 0xFFFFE000U) == 0x8A116000U &&
4619 +                   jmpl == 0x81C04005U &&
4620 +                   nop == 0x01000000U)
4621 +               {
4622 +                       unsigned long addr;
4623 +
4624 +                       regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
4625 +                       regs->u_regs[UREG_G1] <<= 32;
4626 +                       regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
4627 +                       addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4628 +                       regs->tpc = addr;
4629 +                       regs->tnpc = addr+4;
4630 +                       return 2;
4631 +               }
4632 +       } while (0);
4633 +
4634 +       do { /* PaX: unpatched PLT emulation step 1 */
4635 +               unsigned int sethi, ba, nop;
4636 +
4637 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4638 +               err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4639 +               err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4640 +
4641 +               if (err)
4642 +                       break;
4643 +
4644 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4645 +                   ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4646 +                   nop == 0x01000000U)
4647 +               {
4648 +                       unsigned long addr;
4649 +                       unsigned int save, call;
4650 +                       unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
4651 +
4652 +                       if ((ba & 0xFFC00000U) == 0x30800000U)
4653 +                               addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4654 +                       else
4655 +                               addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4656 +
4657 +                       if (test_thread_flag(TIF_32BIT))
4658 +                               addr &= 0xFFFFFFFFUL;
4659 +
4660 +                       err = get_user(save, (unsigned int *)addr);
4661 +                       err |= get_user(call, (unsigned int *)(addr+4));
4662 +                       err |= get_user(nop, (unsigned int *)(addr+8));
4663 +                       if (err)
4664 +                               break;
4665 +
4666 +#ifdef CONFIG_PAX_DLRESOLVE
4667 +                       if (save == 0x9DE3BFA8U &&
4668 +                           (call & 0xC0000000U) == 0x40000000U &&
4669 +                           nop == 0x01000000U)
4670 +                       {
4671 +                               struct vm_area_struct *vma;
4672 +                               unsigned long call_dl_resolve;
4673 +
4674 +                               down_read(&current->mm->mmap_sem);
4675 +                               call_dl_resolve = current->mm->call_dl_resolve;
4676 +                               up_read(&current->mm->mmap_sem);
4677 +                               if (likely(call_dl_resolve))
4678 +                                       goto emulate;
4679 +
4680 +                               vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4681 +
4682 +                               down_write(&current->mm->mmap_sem);
4683 +                               if (current->mm->call_dl_resolve) {
4684 +                                       call_dl_resolve = current->mm->call_dl_resolve;
4685 +                                       up_write(&current->mm->mmap_sem);
4686 +                                       if (vma)
4687 +                                               kmem_cache_free(vm_area_cachep, vma);
4688 +                                       goto emulate;
4689 +                               }
4690 +
4691 +                               call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4692 +                               if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4693 +                                       up_write(&current->mm->mmap_sem);
4694 +                                       if (vma)
4695 +                                               kmem_cache_free(vm_area_cachep, vma);
4696 +                                       return 1;
4697 +                               }
4698 +
4699 +                               if (pax_insert_vma(vma, call_dl_resolve)) {
4700 +                                       up_write(&current->mm->mmap_sem);
4701 +                                       kmem_cache_free(vm_area_cachep, vma);
4702 +                                       return 1;
4703 +                               }
4704 +
4705 +                               current->mm->call_dl_resolve = call_dl_resolve;
4706 +                               up_write(&current->mm->mmap_sem);
4707 +
4708 +emulate:
4709 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4710 +                               regs->tpc = call_dl_resolve;
4711 +                               regs->tnpc = addr+4;
4712 +                               return 3;
4713 +                       }
4714 +#endif
4715 +
4716 +                       /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4717 +                       if ((save & 0xFFC00000U) == 0x05000000U &&
4718 +                           (call & 0xFFFFE000U) == 0x85C0A000U &&
4719 +                           nop == 0x01000000U)
4720 +                       {
4721 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4722 +                               regs->u_regs[UREG_G2] = addr + 4;
4723 +                               addr = (save & 0x003FFFFFU) << 10;
4724 +                               addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4725 +
4726 +                               if (test_thread_flag(TIF_32BIT))
4727 +                                       addr &= 0xFFFFFFFFUL;
4728 +
4729 +                               regs->tpc = addr;
4730 +                               regs->tnpc = addr+4;
4731 +                               return 3;
4732 +                       }
4733 +
4734 +                       /* PaX: 64-bit PLT stub */
4735 +                       err = get_user(sethi1, (unsigned int *)addr);
4736 +                       err |= get_user(sethi2, (unsigned int *)(addr+4));
4737 +                       err |= get_user(or1, (unsigned int *)(addr+8));
4738 +                       err |= get_user(or2, (unsigned int *)(addr+12));
4739 +                       err |= get_user(sllx, (unsigned int *)(addr+16));
4740 +                       err |= get_user(add, (unsigned int *)(addr+20));
4741 +                       err |= get_user(jmpl, (unsigned int *)(addr+24));
4742 +                       err |= get_user(nop, (unsigned int *)(addr+28));
4743 +                       if (err)
4744 +                               break;
4745 +
4746 +                       if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
4747 +                           (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4748 +                           (or1 & 0xFFFFE000U) == 0x88112000U &&
4749 +                           (or2 & 0xFFFFE000U) == 0x8A116000U &&
4750 +                           sllx == 0x89293020U &&
4751 +                           add == 0x8A010005U &&
4752 +                           jmpl == 0x89C14000U &&
4753 +                           nop == 0x01000000U)
4754 +                       {
4755 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4756 +                               regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4757 +                               regs->u_regs[UREG_G4] <<= 32;
4758 +                               regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4759 +                               regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
4760 +                               regs->u_regs[UREG_G4] = addr + 24;
4761 +                               addr = regs->u_regs[UREG_G5];
4762 +                               regs->tpc = addr;
4763 +                               regs->tnpc = addr+4;
4764 +                               return 3;
4765 +                       }
4766 +               }
4767 +       } while (0);
4768 +
4769 +#ifdef CONFIG_PAX_DLRESOLVE
4770 +       do { /* PaX: unpatched PLT emulation step 2 */
4771 +               unsigned int save, call, nop;
4772 +
4773 +               err = get_user(save, (unsigned int *)(regs->tpc-4));
4774 +               err |= get_user(call, (unsigned int *)regs->tpc);
4775 +               err |= get_user(nop, (unsigned int *)(regs->tpc+4));
4776 +               if (err)
4777 +                       break;
4778 +
4779 +               if (save == 0x9DE3BFA8U &&
4780 +                   (call & 0xC0000000U) == 0x40000000U &&
4781 +                   nop == 0x01000000U)
4782 +               {
4783 +                       unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4784 +
4785 +                       if (test_thread_flag(TIF_32BIT))
4786 +                               dl_resolve &= 0xFFFFFFFFUL;
4787 +
4788 +                       regs->u_regs[UREG_RETPC] = regs->tpc;
4789 +                       regs->tpc = dl_resolve;
4790 +                       regs->tnpc = dl_resolve+4;
4791 +                       return 3;
4792 +               }
4793 +       } while (0);
4794 +#endif
4795 +
4796 +       do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
4797 +               unsigned int sethi, ba, nop;
4798 +
4799 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4800 +               err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4801 +               err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4802 +
4803 +               if (err)
4804 +                       break;
4805 +
4806 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4807 +                   (ba & 0xFFF00000U) == 0x30600000U &&
4808 +                   nop == 0x01000000U)
4809 +               {
4810 +                       unsigned long addr;
4811 +
4812 +                       addr = (sethi & 0x003FFFFFU) << 10;
4813 +                       regs->u_regs[UREG_G1] = addr;
4814 +                       addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4815 +
4816 +                       if (test_thread_flag(TIF_32BIT))
4817 +                               addr &= 0xFFFFFFFFUL;
4818 +
4819 +                       regs->tpc = addr;
4820 +                       regs->tnpc = addr+4;
4821 +                       return 2;
4822 +               }
4823 +       } while (0);
4824 +
4825 +#endif
4826 +
4827 +       return 1;
4828 +}
4829 +
4830 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
4831 +{
4832 +       unsigned long i;
4833 +
4834 +       printk(KERN_ERR "PAX: bytes at PC: ");
4835 +       for (i = 0; i < 8; i++) {
4836 +               unsigned int c;
4837 +               if (get_user(c, (unsigned int *)pc+i))
4838 +                       printk(KERN_CONT "???????? ");
4839 +               else
4840 +                       printk(KERN_CONT "%08x ", c);
4841 +       }
4842 +       printk("\n");
4843 +}
4844 +#endif
4845 +
4846  asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
4847  {
4848         struct mm_struct *mm = current->mm;
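Review bot: `pax_report_insns()` closes its run of `KERN_CONT` fragments with a bare `printk("\n")` and never reads its `sp` parameter; `printk(KERN_CONT "\n");` keeps the final newline in the same style as the fragments it terminates (and avoids a separate record on printk implementations that split on missing KERN_CONT), and a comment such as `/* sp unused here: only the instruction words at pc are dumped */` documents the ignored argument (the fault_32.c copy of this function earlier in the patch has the same two points). In the CONFIG_PAX_DLRESOLVE branch of "unpatched PLT emulation step 1", the `get_unmapped_area()` failure check `call_dl_resolve & ~PAGE_MASK` follows the mm/mmap.c idiom but reads as an alignment test; `/* a -errno from get_unmapped_area() is never page-aligned */` next to it would save the next reader a lookup. The `{ /* PaX: patched PLT emulation #2 */` case is a plain block while every sibling pattern is a `do { … } while (0)`; giving it the same shape keeps the `break`-on-error structure uniform across the function.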
4849 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
4850         if (!vma)
4851                 goto bad_area;
4852  
4853 +#ifdef CONFIG_PAX_PAGEEXEC
4854 +       /* PaX: detect ITLB misses on non-exec pages */
4855 +       if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
4856 +           !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
4857 +       {
4858 +               if (address != regs->tpc)
4859 +                       goto good_area;
4860 +
4861 +               up_read(&mm->mmap_sem);
4862 +               switch (pax_handle_fetch_fault(regs)) {
4863 +
4864 +#ifdef CONFIG_PAX_EMUPLT
4865 +               case 2:
4866 +               case 3:
4867 +                       return;
4868 +#endif
4869 +
4870 +               }
4871 +               pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
4872 +               do_group_exit(SIGKILL);
4873 +       }
4874 +#endif
4875 +
4876         /* Pure DTLB misses do not tell us whether the fault causing
4877          * load/store/atomic was a write or not, it only says that there
4878          * was no match.  So in such a case we (carefully) read the
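Review bot: `pax_report_fault()` is handed `regs->u_regs[UREG_FP] + STACK_BIAS` as the stack pointer, yet the emulation paths earlier in this file mask addresses with `addr &= 0xFFFFFFFFUL` whenever `test_thread_flag(TIF_32BIT)`, and for those tasks the frame pointer is, as far as I can tell, not biased, so the diagnostic stack dump for a 32-bit process would be taken from the wrong address. Computing the argument once, `unsigned long sp = test_thread_flag(TIF_32BIT) ? (regs->u_regs[UREG_FP] & 0xFFFFFFFFUL) : regs->u_regs[UREG_FP] + STACK_BIAS;`, and passing `(void *)sp` keeps the report consistent with the emulation code; this only affects what gets reported, not the kill decision. The `switch` without a `default` arm is the pattern already noted on the fault_32.c good_area hunk. do_sparc64_fault begins outside this hunk.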
4879 diff -urNp linux-3.1.1/arch/sparc/mm/hugetlbpage.c linux-3.1.1/arch/sparc/mm/hugetlbpage.c
4880 --- linux-3.1.1/arch/sparc/mm/hugetlbpage.c     2011-11-11 15:19:27.000000000 -0500
4881 +++ linux-3.1.1/arch/sparc/mm/hugetlbpage.c     2011-11-16 18:39:07.000000000 -0500
4882 @@ -68,7 +68,7 @@ full_search:
4883                         }
4884                         return -ENOMEM;
4885                 }
4886 -               if (likely(!vma || addr + len <= vma->vm_start)) {
4887 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
4888                         /*
4889                          * Remember the place where we stopped the search:
4890                          */
4891 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
4892         /* make sure it can fit in the remaining address space */
4893         if (likely(addr > len)) {
4894                 vma = find_vma(mm, addr-len);
4895 -               if (!vma || addr <= vma->vm_start) {
4896 +               if (check_heap_stack_gap(vma, addr - len, len)) {
4897                         /* remember the address as a hint for next time */
4898                         return (mm->free_area_cache = addr-len);
4899                 }
4900 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
4901         if (unlikely(mm->mmap_base < len))
4902                 goto bottomup;
4903  
4904 -       addr = (mm->mmap_base-len) & HPAGE_MASK;
4905 +       addr = mm->mmap_base - len;
4906  
4907         do {
4908 +               addr &= HPAGE_MASK;
4909                 /*
4910                  * Lookup failure means no vma is above this address,
4911                  * else if new region fits below vma->vm_start,
4912                  * return with success:
4913                  */
4914                 vma = find_vma(mm, addr);
4915 -               if (likely(!vma || addr+len <= vma->vm_start)) {
4916 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
4917                         /* remember the address as a hint for next time */
4918                         return (mm->free_area_cache = addr);
4919                 }
4920 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
4921                         mm->cached_hole_size = vma->vm_start - addr;
4922  
4923                 /* try just below the current vma->vm_start */
4924 -               addr = (vma->vm_start-len) & HPAGE_MASK;
4925 -       } while (likely(len < vma->vm_start));
4926 +               addr = skip_heap_stack_gap(vma, len);
4927 +       } while (!IS_ERR_VALUE(addr));
4928  
4929  bottomup:
4930         /*
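Review bot: The loop's exit condition moves from `len < vma->vm_start` to `!IS_ERR_VALUE(addr)`, so termination now rests on `skip_heap_stack_gap()` returning an error value when nothing fits below `vma`, and the `addr &= HPAGE_MASK;` hoisted into the loop head in the previous hunk (@@ -116,16 +116,17 @@) re-aligns that return value before the next `find_vma()`; neither contract is visible in this file. A comment at the `while`, e.g. `/* skip_heap_stack_gap() yields an -errno when no gap-respecting slot remains below vma */`, would record what the loop depends on, and the alignment line deserves a note that rounding down can only enlarge the gap already checked, which is presumably why it is safe to apply after the gap test rather than before.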
4931 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
4932         if (addr) {
4933                 addr = ALIGN(addr, HPAGE_SIZE);
4934                 vma = find_vma(mm, addr);
4935 -               if (task_size - len >= addr &&
4936 -                   (!vma || addr + len <= vma->vm_start))
4937 +               if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4938                         return addr;
4939         }
4940         if (mm->get_unmapped_area == arch_get_unmapped_area)
4941 diff -urNp linux-3.1.1/arch/sparc/mm/init_32.c linux-3.1.1/arch/sparc/mm/init_32.c
4942 --- linux-3.1.1/arch/sparc/mm/init_32.c 2011-11-11 15:19:27.000000000 -0500
4943 +++ linux-3.1.1/arch/sparc/mm/init_32.c 2011-11-16 18:39:07.000000000 -0500
4944 @@ -316,6 +316,9 @@ extern void device_scan(void);
4945  pgprot_t PAGE_SHARED __read_mostly;
4946  EXPORT_SYMBOL(PAGE_SHARED);
4947  
4948 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
4949 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
4950 +
4951  void __init paging_init(void)
4952  {
4953         switch(sparc_cpu_model) {
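Review bot: `pgprot_t PAGE_SHARED_NOEXEC` is defined and exported here with no CONFIG_PAX_PAGEEXEC guard, while its only initialisation visible in this patch, in the arch/sparc/mm/srmmu.c hunk, sits inside `#ifdef CONFIG_PAX_PAGEEXEC`; with PAGEEXEC disabled the exported symbol is therefore a zero pgprot that nothing ever sets. If the header declares it unconditionally (not visible here) that may be deliberate to keep the export stable across configs, but either mirroring the guard around the definition or a one-line comment such as `/* assigned in ld_mmu_srmmu() only under CONFIG_PAX_PAGEEXEC; stays zero otherwise */` would make the intent explicit.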
4954 @@ -344,17 +347,17 @@ void __init paging_init(void)
4955  
4956         /* Initialize the protection map with non-constant, MMU dependent values. */
4957         protection_map[0] = PAGE_NONE;
4958 -       protection_map[1] = PAGE_READONLY;
4959 -       protection_map[2] = PAGE_COPY;
4960 -       protection_map[3] = PAGE_COPY;
4961 +       protection_map[1] = PAGE_READONLY_NOEXEC;
4962 +       protection_map[2] = PAGE_COPY_NOEXEC;
4963 +       protection_map[3] = PAGE_COPY_NOEXEC;
4964         protection_map[4] = PAGE_READONLY;
4965         protection_map[5] = PAGE_READONLY;
4966         protection_map[6] = PAGE_COPY;
4967         protection_map[7] = PAGE_COPY;
4968         protection_map[8] = PAGE_NONE;
4969 -       protection_map[9] = PAGE_READONLY;
4970 -       protection_map[10] = PAGE_SHARED;
4971 -       protection_map[11] = PAGE_SHARED;
4972 +       protection_map[9] = PAGE_READONLY_NOEXEC;
4973 +       protection_map[10] = PAGE_SHARED_NOEXEC;
4974 +       protection_map[11] = PAGE_SHARED_NOEXEC;
4975         protection_map[12] = PAGE_READONLY;
4976         protection_map[13] = PAGE_READONLY;
4977         protection_map[14] = PAGE_SHARED;
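Review bot: protection_map slots 1-3 and 9-11 now name the `*_NOEXEC` pgprots unconditionally, but within this patch those values are only established in `ld_mmu_srmmu()` (srmmu.c hunk), and the `switch(sparc_cpu_model)` context at the top of `paging_init()` shows other MMU models are set up elsewhere. Whether their `ld_mmu_*` paths also provide `page_copy_noexec`/`page_readonly_noexec` is outside this chunk and worth confirming, since an unresolved fixup for these slots would leave the non-exec protections with whatever the unresolved value happens to be. A comment above the table, e.g. `/* *_NOEXEC entries are BTFIXUPs resolved per MMU model in ld_mmu_*() */`, would record the dependency for the next reader.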
4978 diff -urNp linux-3.1.1/arch/sparc/mm/Makefile linux-3.1.1/arch/sparc/mm/Makefile
4979 --- linux-3.1.1/arch/sparc/mm/Makefile  2011-11-11 15:19:27.000000000 -0500
4980 +++ linux-3.1.1/arch/sparc/mm/Makefile  2011-11-16 18:39:07.000000000 -0500
4981 @@ -2,7 +2,7 @@
4982  #
4983  
4984  asflags-y := -ansi
4985 -ccflags-y := -Werror
4986 +#ccflags-y := -Werror
4987  
4988  obj-$(CONFIG_SPARC64)   += ultra.o tlb.o tsb.o gup.o
4989  obj-y                   += fault_$(BITS).o
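Review bot: Commenting out `ccflags-y := -Werror` switches off warnings-as-errors for every object in arch/sparc/mm rather than for whatever construct the PaX changes trip over, and leaves dead text in the Makefile. If a specific warning is the reason, record it in a comment next to the line (`# -Werror dropped: <warning> from <file> — TODO fix and restore`) or keep `-Werror` and fix the warning, so unrelated regressions in this directory are still caught. If the line is simply no longer wanted, delete it instead of commenting it out.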
4990 diff -urNp linux-3.1.1/arch/sparc/mm/srmmu.c linux-3.1.1/arch/sparc/mm/srmmu.c
4991 --- linux-3.1.1/arch/sparc/mm/srmmu.c   2011-11-11 15:19:27.000000000 -0500
4992 +++ linux-3.1.1/arch/sparc/mm/srmmu.c   2011-11-16 18:39:07.000000000 -0500
4993 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
4994         PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
4995         BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
4996         BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
4997 +
4998 +#ifdef CONFIG_PAX_PAGEEXEC
4999 +       PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5000 +       BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5001 +       BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5002 +#endif
5003 +
5004         BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5005         page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5006  
5007 diff -urNp linux-3.1.1/arch/um/include/asm/kmap_types.h linux-3.1.1/arch/um/include/asm/kmap_types.h
5008 --- linux-3.1.1/arch/um/include/asm/kmap_types.h        2011-11-11 15:19:27.000000000 -0500
5009 +++ linux-3.1.1/arch/um/include/asm/kmap_types.h        2011-11-16 18:39:07.000000000 -0500
5010 @@ -23,6 +23,7 @@ enum km_type {
5011         KM_IRQ1,
5012         KM_SOFTIRQ0,
5013         KM_SOFTIRQ1,
5014 +       KM_CLEARPAGE,
5015         KM_TYPE_NR
5016  };
5017  
5018 diff -urNp linux-3.1.1/arch/um/include/asm/page.h linux-3.1.1/arch/um/include/asm/page.h
5019 --- linux-3.1.1/arch/um/include/asm/page.h      2011-11-11 15:19:27.000000000 -0500
5020 +++ linux-3.1.1/arch/um/include/asm/page.h      2011-11-16 18:39:07.000000000 -0500
5021 @@ -14,6 +14,9 @@
5022  #define PAGE_SIZE      (_AC(1, UL) << PAGE_SHIFT)
5023  #define PAGE_MASK      (~(PAGE_SIZE-1))
5024  
5025 +#define ktla_ktva(addr)                        (addr)
5026 +#define ktva_ktla(addr)                        (addr)
5027 +
5028  #ifndef __ASSEMBLY__
5029  
5030  struct page;
5031 diff -urNp linux-3.1.1/arch/um/kernel/process.c linux-3.1.1/arch/um/kernel/process.c
5032 --- linux-3.1.1/arch/um/kernel/process.c        2011-11-11 15:19:27.000000000 -0500
5033 +++ linux-3.1.1/arch/um/kernel/process.c        2011-11-16 18:39:07.000000000 -0500
5034 @@ -404,22 +404,6 @@ int singlestepping(void * t)
5035         return 2;
5036  }
5037  
5038 -/*
5039 - * Only x86 and x86_64 have an arch_align_stack().
5040 - * All other arches have "#define arch_align_stack(x) (x)"
5041 - * in their asm/system.h
5042 - * As this is included in UML from asm-um/system-generic.h,
5043 - * we can use it to behave as the subarch does.
5044 - */
5045 -#ifndef arch_align_stack
5046 -unsigned long arch_align_stack(unsigned long sp)
5047 -{
5048 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5049 -               sp -= get_random_int() % 8192;
5050 -       return sp & ~0xf;
5051 -}
5052 -#endif
5053 -
5054  unsigned long get_wchan(struct task_struct *p)
5055  {
5056         unsigned long stack_page, sp, ip;
5057 diff -urNp linux-3.1.1/arch/um/Makefile linux-3.1.1/arch/um/Makefile
5058 --- linux-3.1.1/arch/um/Makefile        2011-11-11 15:19:27.000000000 -0500
5059 +++ linux-3.1.1/arch/um/Makefile        2011-11-16 18:39:07.000000000 -0500
5060 @@ -49,6 +49,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINE
5061         $(patsubst -I%,,$(KBUILD_CFLAGS)))) $(ARCH_INCLUDE) $(MODE_INCLUDE) \
5062         $(filter -I%,$(CFLAGS)) -D_FILE_OFFSET_BITS=64
5063  
5064 +ifdef CONSTIFY_PLUGIN
5065 +USER_CFLAGS    += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5066 +endif
5067 +
5068  include $(srctree)/$(ARCH_DIR)/Makefile-$(SUBARCH)
5069  
5070  #This will adjust *FLAGS accordingly to the platform.
5071 diff -urNp linux-3.1.1/arch/um/sys-i386/shared/sysdep/system.h linux-3.1.1/arch/um/sys-i386/shared/sysdep/system.h
5072 --- linux-3.1.1/arch/um/sys-i386/shared/sysdep/system.h 2011-11-11 15:19:27.000000000 -0500
5073 +++ linux-3.1.1/arch/um/sys-i386/shared/sysdep/system.h 2011-11-16 18:39:07.000000000 -0500
5074 @@ -17,7 +17,7 @@
5075  # define AT_VECTOR_SIZE_ARCH 1
5076  #endif
5077  
5078 -extern unsigned long arch_align_stack(unsigned long sp);
5079 +#define arch_align_stack(x) ((x) & ~0xfUL)
5080  
5081  void default_idle(void);
5082  
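Review bot: Replacing the `extern` declaration with `#define arch_align_stack(x) ((x) & ~0xfUL)` removes the per-exec stack-top jitter that the deleted fallback in arch/um/kernel/process.c applied (`get_random_int() % 8192` unless `ADDR_NO_RANDOMIZE` was set), and the same replacement appears in arch/um/sys-x86_64/shared/sysdep/system.h. If this is intentional because PaX's own userland stack randomization now covers UML, a comment on the macro saying so would stop a reader from taking it for a lost mitigation, e.g. `/* no jitter here: user stack randomization is provided by <PaX option> */` with the real option name filled in. If nothing else covers it, this is a reduction in stack-address entropy for UML processes and should be called out in the description.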
5083 diff -urNp linux-3.1.1/arch/um/sys-i386/syscalls.c linux-3.1.1/arch/um/sys-i386/syscalls.c
5084 --- linux-3.1.1/arch/um/sys-i386/syscalls.c     2011-11-11 15:19:27.000000000 -0500
5085 +++ linux-3.1.1/arch/um/sys-i386/syscalls.c     2011-11-16 18:39:07.000000000 -0500
5086 @@ -11,6 +11,21 @@
5087  #include "asm/uaccess.h"
5088  #include "asm/unistd.h"
5089  
5090 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5091 +{
5092 +       unsigned long pax_task_size = TASK_SIZE;
5093 +
5094 +#ifdef CONFIG_PAX_SEGMEXEC
5095 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5096 +               pax_task_size = SEGMEXEC_TASK_SIZE;
5097 +#endif
5098 +
5099 +       if (len > pax_task_size || addr > pax_task_size - len)
5100 +               return -EINVAL;
5101 +
5102 +       return 0;
5103 +}
5104 +
5105  /*
5106   * The prototype on i386 is:
5107   *
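Review bot: `i386_mmap_check` has no comment stating its contract, and its `flags` parameter is unused, which `-Wunused-parameter` builds will report. Add a header comment such as `/* Reject a mapping that would not fit below the task size (SEGMEXEC halves it); len is tested first so pax_task_size - len cannot wrap. */`, and either mark the parameter `__maybe_unused` or note why it is kept (presumably to match the arch hook signature it is called through — confirm against the caller).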
5108 diff -urNp linux-3.1.1/arch/um/sys-x86_64/shared/sysdep/system.h linux-3.1.1/arch/um/sys-x86_64/shared/sysdep/system.h
5109 --- linux-3.1.1/arch/um/sys-x86_64/shared/sysdep/system.h       2011-11-11 15:19:27.000000000 -0500
5110 +++ linux-3.1.1/arch/um/sys-x86_64/shared/sysdep/system.h       2011-11-16 18:39:07.000000000 -0500
5111 @@ -17,7 +17,7 @@
5112  # define AT_VECTOR_SIZE_ARCH 1
5113  #endif
5114  
5115 -extern unsigned long arch_align_stack(unsigned long sp);
5116 +#define arch_align_stack(x) ((x) & ~0xfUL)
5117  
5118  void default_idle(void);
5119  
5120 diff -urNp linux-3.1.1/arch/x86/boot/bitops.h linux-3.1.1/arch/x86/boot/bitops.h
5121 --- linux-3.1.1/arch/x86/boot/bitops.h  2011-11-11 15:19:27.000000000 -0500
5122 +++ linux-3.1.1/arch/x86/boot/bitops.h  2011-11-16 18:39:07.000000000 -0500
5123 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int 
5124         u8 v;
5125         const u32 *p = (const u32 *)addr;
5126  
5127 -       asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5128 +       asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5129         return v;
5130  }
5131  
5132 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int 
5133  
5134  static inline void set_bit(int nr, void *addr)
5135  {
5136 -       asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5137 +       asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5138  }
5139  
5140  #endif /* BOOT_BITOPS_H */
5141 diff -urNp linux-3.1.1/arch/x86/boot/boot.h linux-3.1.1/arch/x86/boot/boot.h
5142 --- linux-3.1.1/arch/x86/boot/boot.h    2011-11-11 15:19:27.000000000 -0500
5143 +++ linux-3.1.1/arch/x86/boot/boot.h    2011-11-16 18:39:07.000000000 -0500
5144 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5145  static inline u16 ds(void)
5146  {
5147         u16 seg;
5148 -       asm("movw %%ds,%0" : "=rm" (seg));
5149 +       asm volatile("movw %%ds,%0" : "=rm" (seg));
5150         return seg;
5151  }
5152  
5153 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t 
5154  static inline int memcmp(const void *s1, const void *s2, size_t len)
5155  {
5156         u8 diff;
5157 -       asm("repe; cmpsb; setnz %0"
5158 +       asm volatile("repe; cmpsb; setnz %0"
5159             : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5160         return diff;
5161  }
5162 diff -urNp linux-3.1.1/arch/x86/boot/compressed/head_32.S linux-3.1.1/arch/x86/boot/compressed/head_32.S
5163 --- linux-3.1.1/arch/x86/boot/compressed/head_32.S      2011-11-11 15:19:27.000000000 -0500
5164 +++ linux-3.1.1/arch/x86/boot/compressed/head_32.S      2011-11-16 18:39:07.000000000 -0500
5165 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5166         notl    %eax
5167         andl    %eax, %ebx
5168  #else
5169 -       movl    $LOAD_PHYSICAL_ADDR, %ebx
5170 +       movl    $____LOAD_PHYSICAL_ADDR, %ebx
5171  #endif
5172  
5173         /* Target address to relocate to for decompression */
5174 @@ -162,7 +162,7 @@ relocated:
5175   * and where it was actually loaded.
5176   */
5177         movl    %ebp, %ebx
5178 -       subl    $LOAD_PHYSICAL_ADDR, %ebx
5179 +       subl    $____LOAD_PHYSICAL_ADDR, %ebx
5180         jz      2f      /* Nothing to be done if loaded at compiled addr. */
5181  /*
5182   * Process relocations.
5183 @@ -170,8 +170,7 @@ relocated:
5184  
5185  1:     subl    $4, %edi
5186         movl    (%edi), %ecx
5187 -       testl   %ecx, %ecx
5188 -       jz      2f
5189 +       jecxz   2f
5190         addl    %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5191         jmp     1b
5192  2:
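Review bot: `jecxz 2f` replaces `testl %ecx, %ecx; jz 2f`, but unlike `jz` the `jecxz` instruction only has an 8-bit displacement form, so assembly will fail if label `2:` ever ends up more than 127 bytes away. That is fine for this short relocation loop today; a one-line comment such as `# jecxz has rel8 only; keep 2: within range` would save the next editor a surprise. The same `____LOAD_PHYSICAL_ADDR` rename is applied in head_64.S, misc.c and header.S; a comment at the macro's definition explaining the extra underscores (not visible in this hunk) would help readers of all of them.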
5193 diff -urNp linux-3.1.1/arch/x86/boot/compressed/head_64.S linux-3.1.1/arch/x86/boot/compressed/head_64.S
5194 --- linux-3.1.1/arch/x86/boot/compressed/head_64.S      2011-11-11 15:19:27.000000000 -0500
5195 +++ linux-3.1.1/arch/x86/boot/compressed/head_64.S      2011-11-16 18:39:07.000000000 -0500
5196 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5197         notl    %eax
5198         andl    %eax, %ebx
5199  #else
5200 -       movl    $LOAD_PHYSICAL_ADDR, %ebx
5201 +       movl    $____LOAD_PHYSICAL_ADDR, %ebx
5202  #endif
5203  
5204         /* Target address to relocate to for decompression */
5205 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5206         notq    %rax
5207         andq    %rax, %rbp
5208  #else
5209 -       movq    $LOAD_PHYSICAL_ADDR, %rbp
5210 +       movq    $____LOAD_PHYSICAL_ADDR, %rbp
5211  #endif
5212  
5213         /* Target address to relocate to for decompression */
5214 diff -urNp linux-3.1.1/arch/x86/boot/compressed/Makefile linux-3.1.1/arch/x86/boot/compressed/Makefile
5215 --- linux-3.1.1/arch/x86/boot/compressed/Makefile       2011-11-11 15:19:27.000000000 -0500
5216 +++ linux-3.1.1/arch/x86/boot/compressed/Makefile       2011-11-16 18:39:07.000000000 -0500
5217 @@ -14,6 +14,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=smal
5218  KBUILD_CFLAGS += $(cflags-y)
5219  KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
5220  KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
5221 +ifdef CONSTIFY_PLUGIN
5222 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5223 +endif
5224  
5225  KBUILD_AFLAGS  := $(KBUILD_CFLAGS) -D__ASSEMBLY__
5226  GCOV_PROFILE := n
5227 diff -urNp linux-3.1.1/arch/x86/boot/compressed/misc.c linux-3.1.1/arch/x86/boot/compressed/misc.c
5228 --- linux-3.1.1/arch/x86/boot/compressed/misc.c 2011-11-11 15:19:27.000000000 -0500
5229 +++ linux-3.1.1/arch/x86/boot/compressed/misc.c 2011-11-16 18:39:07.000000000 -0500
5230 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
5231                 case PT_LOAD:
5232  #ifdef CONFIG_RELOCATABLE
5233                         dest = output;
5234 -                       dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5235 +                       dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5236  #else
5237                         dest = (void *)(phdr->p_paddr);
5238  #endif
5239 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
5240                 error("Destination address too large");
5241  #endif
5242  #ifndef CONFIG_RELOCATABLE
5243 -       if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5244 +       if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5245                 error("Wrong destination address");
5246  #endif
5247  
5248 diff -urNp linux-3.1.1/arch/x86/boot/compressed/relocs.c linux-3.1.1/arch/x86/boot/compressed/relocs.c
5249 --- linux-3.1.1/arch/x86/boot/compressed/relocs.c       2011-11-11 15:19:27.000000000 -0500
5250 +++ linux-3.1.1/arch/x86/boot/compressed/relocs.c       2011-11-16 18:39:07.000000000 -0500
5251 @@ -13,8 +13,11 @@
5252  
5253  static void die(char *fmt, ...);
5254  
5255 +#include "../../../../include/generated/autoconf.h"
5256 +
5257  #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5258  static Elf32_Ehdr ehdr;
5259 +static Elf32_Phdr *phdr;
5260  static unsigned long reloc_count, reloc_idx;
5261  static unsigned long *relocs;
5262  
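Review bot: The added `#include "../../../../include/generated/autoconf.h"` reaches the generated header by a path relative to the source file, but `include/generated/` is produced in the object tree, so this presumably breaks separate-output (`make O=`) builds of this host tool unless the host compiler flags already point there; `#include <generated/autoconf.h>` together with an objtree include path in the tool's host CFLAGS would be the robust form. Also, the new file-scope `static Elf32_Phdr *phdr;` reads like a pointer to a single header although it holds the whole table; `phdrs`, or a comment `/* program header table, filled by read_phdrs() */`, would make that clear.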
5263 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5264         }
5265  }
5266  
5267 +static void read_phdrs(FILE *fp)
5268 +{
5269 +       unsigned int i;
5270 +
5271 +       phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5272 +       if (!phdr) {
5273 +               die("Unable to allocate %d program headers\n",
5274 +                   ehdr.e_phnum);
5275 +       }
5276 +       if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5277 +               die("Seek to %d failed: %s\n",
5278 +                       ehdr.e_phoff, strerror(errno));
5279 +       }
5280 +       if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5281 +               die("Cannot read ELF program headers: %s\n",
5282 +                       strerror(errno));
5283 +       }
5284 +       for(i = 0; i < ehdr.e_phnum; i++) {
5285 +               phdr[i].p_type      = elf32_to_cpu(phdr[i].p_type);
5286 +               phdr[i].p_offset    = elf32_to_cpu(phdr[i].p_offset);
5287 +               phdr[i].p_vaddr     = elf32_to_cpu(phdr[i].p_vaddr);
5288 +               phdr[i].p_paddr     = elf32_to_cpu(phdr[i].p_paddr);
5289 +               phdr[i].p_filesz    = elf32_to_cpu(phdr[i].p_filesz);
5290 +               phdr[i].p_memsz     = elf32_to_cpu(phdr[i].p_memsz);
5291 +               phdr[i].p_flags     = elf32_to_cpu(phdr[i].p_flags);
5292 +               phdr[i].p_align     = elf32_to_cpu(phdr[i].p_align);
5293 +       }
5294 +
5295 +}
5296 +
5297  static void read_shdrs(FILE *fp)
5298  {
5299 -       int i;
5300 +       unsigned int i;
5301         Elf32_Shdr shdr;
5302  
5303         secs = calloc(ehdr.e_shnum, sizeof(struct section));
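Review bot: In `read_phdrs` the `fread` failure path prints `strerror(errno)`, but a short read at end of file sets no errno, so a truncated input reports a stale or "Success" message; test `ferror(fp)` before quoting errno (the surrounding reader functions have the same pattern, so this is inherited style rather than a new defect). Minor style: `for(i = 0; ...)` lacks the space used by every other `for (` in the file, and there is a stray blank line before the closing brace. The `%d` in `die("Seek to %d failed ...")` is paired with `ehdr.e_phoff`, an unsigned 32-bit field; `%u` is the matching specifier.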
5304 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5305  
5306  static void read_strtabs(FILE *fp)
5307  {
5308 -       int i;
5309 +       unsigned int i;
5310         for (i = 0; i < ehdr.e_shnum; i++) {
5311                 struct section *sec = &secs[i];
5312                 if (sec->shdr.sh_type != SHT_STRTAB) {
5313 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5314  
5315  static void read_symtabs(FILE *fp)
5316  {
5317 -       int i,j;
5318 +       unsigned int i,j;
5319         for (i = 0; i < ehdr.e_shnum; i++) {
5320                 struct section *sec = &secs[i];
5321                 if (sec->shdr.sh_type != SHT_SYMTAB) {
5322 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5323  
5324  static void read_relocs(FILE *fp)
5325  {
5326 -       int i,j;
5327 +       unsigned int i,j;
5328 +       uint32_t base;
5329 +
5330         for (i = 0; i < ehdr.e_shnum; i++) {
5331                 struct section *sec = &secs[i];
5332                 if (sec->shdr.sh_type != SHT_REL) {
5333 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5334                         die("Cannot read symbol table: %s\n",
5335                                 strerror(errno));
5336                 }
5337 +               base = 0;
5338 +               for (j = 0; j < ehdr.e_phnum; j++) {
5339 +                       if (phdr[j].p_type != PT_LOAD )
5340 +                               continue;
5341 +                       if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5342 +                               continue;
5343 +                       base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5344 +                       break;
5345 +               }
5346                 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5347                         Elf32_Rel *rel = &sec->reltab[j];
5348 -                       rel->r_offset = elf32_to_cpu(rel->r_offset);
5349 +                       rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5350                         rel->r_info   = elf32_to_cpu(rel->r_info);
5351                 }
5352         }
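Review bot: The new `base` computation in `read_relocs` has no comment, and `CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr` cannot be reconstructed from the code alone. From the loop it appears to locate the PT_LOAD segment containing the section the relocations apply to and shift every `r_offset` by that segment's physical-minus-virtual delta plus the page offset, leaving `base = 0` for sections outside any PT_LOAD — confirm and record that above the loop, since downstream consumers of the emitted relocation table depend on it. `secs[sec->shdr.sh_info]` is indexed without a bound check against `e_shnum`; the existing code does the same elsewhere, so this is inherited, but worth a note given the input is an ELF file.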
5353 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5354  
5355  static void print_absolute_symbols(void)
5356  {
5357 -       int i;
5358 +       unsigned int i;
5359         printf("Absolute symbols\n");
5360         printf(" Num:    Value Size  Type       Bind        Visibility  Name\n");
5361         for (i = 0; i < ehdr.e_shnum; i++) {
5362                 struct section *sec = &secs[i];
5363                 char *sym_strtab;
5364                 Elf32_Sym *sh_symtab;
5365 -               int j;
5366 +               unsigned int j;
5367  
5368                 if (sec->shdr.sh_type != SHT_SYMTAB) {
5369                         continue;
5370 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5371  
5372  static void print_absolute_relocs(void)
5373  {
5374 -       int i, printed = 0;
5375 +       unsigned int i, printed = 0;
5376  
5377         for (i = 0; i < ehdr.e_shnum; i++) {
5378                 struct section *sec = &secs[i];
5379                 struct section *sec_applies, *sec_symtab;
5380                 char *sym_strtab;
5381                 Elf32_Sym *sh_symtab;
5382 -               int j;
5383 +               unsigned int j;
5384                 if (sec->shdr.sh_type != SHT_REL) {
5385                         continue;
5386                 }
5387 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5388  
5389  static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5390  {
5391 -       int i;
5392 +       unsigned int i;
5393         /* Walk through the relocations */
5394         for (i = 0; i < ehdr.e_shnum; i++) {
5395                 char *sym_strtab;
5396                 Elf32_Sym *sh_symtab;
5397                 struct section *sec_applies, *sec_symtab;
5398 -               int j;
5399 +               unsigned int j;
5400                 struct section *sec = &secs[i];
5401  
5402                 if (sec->shdr.sh_type != SHT_REL) {
5403 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5404                             !is_rel_reloc(sym_name(sym_strtab, sym))) {
5405                                 continue;
5406                         }
5407 +                       /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5408 +                       if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5409 +                               continue;
5410 +
5411 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5412 +                       /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5413 +                       if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5414 +                               continue;
5415 +                       if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5416 +                               continue;
5417 +                       if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5418 +                               continue;
5419 +                       if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
5420 +                               continue;
5421 +#endif
5422 +
5423                         switch (r_type) {
5424                         case R_386_NONE:
5425                         case R_386_PC32:
5426 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5427  
5428  static void emit_relocs(int as_text)
5429  {
5430 -       int i;
5431 +       unsigned int i;
5432         /* Count how many relocations I have and allocate space for them. */
5433         reloc_count = 0;
5434         walk_relocs(count_reloc);
5435 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
5436                         fname, strerror(errno));
5437         }
5438         read_ehdr(fp);
5439 +       read_phdrs(fp);
5440         read_shdrs(fp);
5441         read_strtabs(fp);
5442         read_symtabs(fp);
5443 diff -urNp linux-3.1.1/arch/x86/boot/cpucheck.c linux-3.1.1/arch/x86/boot/cpucheck.c
5444 --- linux-3.1.1/arch/x86/boot/cpucheck.c        2011-11-11 15:19:27.000000000 -0500
5445 +++ linux-3.1.1/arch/x86/boot/cpucheck.c        2011-11-16 18:39:07.000000000 -0500
5446 @@ -74,7 +74,7 @@ static int has_fpu(void)
5447         u16 fcw = -1, fsw = -1;
5448         u32 cr0;
5449  
5450 -       asm("movl %%cr0,%0" : "=r" (cr0));
5451 +       asm volatile("movl %%cr0,%0" : "=r" (cr0));
5452         if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5453                 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5454                 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5455 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5456  {
5457         u32 f0, f1;
5458  
5459 -       asm("pushfl ; "
5460 +       asm volatile("pushfl ; "
5461             "pushfl ; "
5462             "popl %0 ; "
5463             "movl %0,%1 ; "
5464 @@ -115,7 +115,7 @@ static void get_flags(void)
5465                 set_bit(X86_FEATURE_FPU, cpu.flags);
5466  
5467         if (has_eflag(X86_EFLAGS_ID)) {
5468 -               asm("cpuid"
5469 +               asm volatile("cpuid"
5470                     : "=a" (max_intel_level),
5471                       "=b" (cpu_vendor[0]),
5472                       "=d" (cpu_vendor[1]),
5473 @@ -124,7 +124,7 @@ static void get_flags(void)
5474  
5475                 if (max_intel_level >= 0x00000001 &&
5476                     max_intel_level <= 0x0000ffff) {
5477 -                       asm("cpuid"
5478 +                       asm volatile("cpuid"
5479                             : "=a" (tfms),
5480                               "=c" (cpu.flags[4]),
5481                               "=d" (cpu.flags[0])
5482 @@ -136,7 +136,7 @@ static void get_flags(void)
5483                                 cpu.model += ((tfms >> 16) & 0xf) << 4;
5484                 }
5485  
5486 -               asm("cpuid"
5487 +               asm volatile("cpuid"
5488                     : "=a" (max_amd_level)
5489                     : "a" (0x80000000)
5490                     : "ebx", "ecx", "edx");
5491 @@ -144,7 +144,7 @@ static void get_flags(void)
5492                 if (max_amd_level >= 0x80000001 &&
5493                     max_amd_level <= 0x8000ffff) {
5494                         u32 eax = 0x80000001;
5495 -                       asm("cpuid"
5496 +                       asm volatile("cpuid"
5497                             : "+a" (eax),
5498                               "=c" (cpu.flags[6]),
5499                               "=d" (cpu.flags[1])
5500 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5501                 u32 ecx = MSR_K7_HWCR;
5502                 u32 eax, edx;
5503  
5504 -               asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5505 +               asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5506                 eax &= ~(1 << 15);
5507 -               asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5508 +               asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5509  
5510                 get_flags();    /* Make sure it really did something */
5511                 err = check_flags();
5512 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5513                 u32 ecx = MSR_VIA_FCR;
5514                 u32 eax, edx;
5515  
5516 -               asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5517 +               asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5518                 eax |= (1<<1)|(1<<7);
5519 -               asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5520 +               asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5521  
5522                 set_bit(X86_FEATURE_CX8, cpu.flags);
5523                 err = check_flags();
5524 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5525                 u32 eax, edx;
5526                 u32 level = 1;
5527  
5528 -               asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5529 -               asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5530 -               asm("cpuid"
5531 +               asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5532 +               asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5533 +               asm volatile("cpuid"
5534                     : "+a" (level), "=d" (cpu.flags[0])
5535                     : : "ecx", "ebx");
5536 -               asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5537 +               asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5538  
5539                 err = check_flags();
5540         }
5541 diff -urNp linux-3.1.1/arch/x86/boot/header.S linux-3.1.1/arch/x86/boot/header.S
5542 --- linux-3.1.1/arch/x86/boot/header.S  2011-11-11 15:19:27.000000000 -0500
5543 +++ linux-3.1.1/arch/x86/boot/header.S  2011-11-16 18:39:07.000000000 -0500
5544 @@ -224,7 +224,7 @@ setup_data:         .quad 0                 # 64-bit physical
5545                                                 # single linked list of
5546                                                 # struct setup_data
5547  
5548 -pref_address:          .quad LOAD_PHYSICAL_ADDR        # preferred load addr
5549 +pref_address:          .quad ____LOAD_PHYSICAL_ADDR    # preferred load addr
5550  
5551  #define ZO_INIT_SIZE   (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5552  #define VO_INIT_SIZE   (VO__end - VO__text)
5553 diff -urNp linux-3.1.1/arch/x86/boot/Makefile linux-3.1.1/arch/x86/boot/Makefile
5554 --- linux-3.1.1/arch/x86/boot/Makefile  2011-11-11 15:19:27.000000000 -0500
5555 +++ linux-3.1.1/arch/x86/boot/Makefile  2011-11-16 18:39:07.000000000 -0500
5556 @@ -63,6 +63,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os 
5557                    $(call cc-option, -fno-stack-protector) \
5558                    $(call cc-option, -mpreferred-stack-boundary=2)
5559  KBUILD_CFLAGS  += $(call cc-option, -m32)
5560 +ifdef CONSTIFY_PLUGIN
5561 +KBUILD_CFLAGS  += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5562 +endif
5563  KBUILD_AFLAGS  := $(KBUILD_CFLAGS) -D__ASSEMBLY__
5564  GCOV_PROFILE := n
5565  
5566 diff -urNp linux-3.1.1/arch/x86/boot/memory.c linux-3.1.1/arch/x86/boot/memory.c
5567 --- linux-3.1.1/arch/x86/boot/memory.c  2011-11-11 15:19:27.000000000 -0500
5568 +++ linux-3.1.1/arch/x86/boot/memory.c  2011-11-16 18:39:07.000000000 -0500
5569 @@ -19,7 +19,7 @@
5570  
5571  static int detect_memory_e820(void)
5572  {
5573 -       int count = 0;
5574 +       unsigned int count = 0;
5575         struct biosregs ireg, oreg;
5576         struct e820entry *desc = boot_params.e820_map;
5577         static struct e820entry buf; /* static so it is zeroed */
5578 diff -urNp linux-3.1.1/arch/x86/boot/video.c linux-3.1.1/arch/x86/boot/video.c
5579 --- linux-3.1.1/arch/x86/boot/video.c   2011-11-11 15:19:27.000000000 -0500
5580 +++ linux-3.1.1/arch/x86/boot/video.c   2011-11-16 18:39:07.000000000 -0500
5581 @@ -96,7 +96,7 @@ static void store_mode_params(void)
5582  static unsigned int get_entry(void)
5583  {
5584         char entry_buf[4];
5585 -       int i, len = 0;
5586 +       unsigned int i, len = 0;
5587         int key;
5588         unsigned int v;
5589  
5590 diff -urNp linux-3.1.1/arch/x86/boot/video-vesa.c linux-3.1.1/arch/x86/boot/video-vesa.c
5591 --- linux-3.1.1/arch/x86/boot/video-vesa.c      2011-11-11 15:19:27.000000000 -0500
5592 +++ linux-3.1.1/arch/x86/boot/video-vesa.c      2011-11-16 18:39:07.000000000 -0500
5593 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
5594  
5595         boot_params.screen_info.vesapm_seg = oreg.es;
5596         boot_params.screen_info.vesapm_off = oreg.di;
5597 +       boot_params.screen_info.vesapm_size = oreg.cx;
5598  }
5599  
5600  /*
5601 diff -urNp linux-3.1.1/arch/x86/crypto/aes-x86_64-asm_64.S linux-3.1.1/arch/x86/crypto/aes-x86_64-asm_64.S
5602 --- linux-3.1.1/arch/x86/crypto/aes-x86_64-asm_64.S     2011-11-11 15:19:27.000000000 -0500
5603 +++ linux-3.1.1/arch/x86/crypto/aes-x86_64-asm_64.S     2011-11-16 18:39:07.000000000 -0500
5604 @@ -8,6 +8,8 @@
5605   * including this sentence is retained in full.
5606   */
5607  
5608 +#include <asm/alternative-asm.h>
5609 +
5610  .extern crypto_ft_tab
5611  .extern crypto_it_tab
5612  .extern crypto_fl_tab
5613 @@ -71,6 +73,8 @@ FUNC: movq    r1,r2;                  \
5614         je      B192;                   \
5615         leaq    32(r9),r9;
5616  
5617 +#define ret    pax_force_retaddr; ret
5618 +
5619  #define epilogue(r1,r2,r3,r4,r5,r6,r7,r8,r9) \
5620         movq    r1,r2;                  \
5621         movq    r3,r4;                  \
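Review bot: `#define ret pax_force_retaddr; ret` redefines an instruction mnemonic for the remainder of the file, which is easy to miss when reading the epilogue macros that follow, and it differs from salsa20-x86_64-asm_64.S and twofish-x86_64-asm_64.S in this same patch, where `pax_force_retaddr` is written out explicitly before each `ret`. Prefer the explicit form here too for consistency, or at minimum put a comment on the `#define` stating that every `ret` in this file is rewritten and why.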
5622 diff -urNp linux-3.1.1/arch/x86/crypto/salsa20-x86_64-asm_64.S linux-3.1.1/arch/x86/crypto/salsa20-x86_64-asm_64.S
5623 --- linux-3.1.1/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-11-11 15:19:27.000000000 -0500
5624 +++ linux-3.1.1/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-11-16 18:39:07.000000000 -0500
5625 @@ -1,3 +1,5 @@
5626 +#include <asm/alternative-asm.h>
5627 +
5628  # enter ECRYPT_encrypt_bytes
5629  .text
5630  .p2align 5
5631 @@ -790,6 +792,7 @@ ECRYPT_encrypt_bytes:
5632         add     %r11,%rsp
5633         mov     %rdi,%rax
5634         mov     %rsi,%rdx
5635 +       pax_force_retaddr
5636         ret
5637  #   bytesatleast65:
5638  ._bytesatleast65:
5639 @@ -891,6 +894,7 @@ ECRYPT_keysetup:
5640         add     %r11,%rsp
5641         mov     %rdi,%rax
5642         mov     %rsi,%rdx
5643 +       pax_force_retaddr
5644         ret
5645  # enter ECRYPT_ivsetup
5646  .text
5647 @@ -917,4 +921,5 @@ ECRYPT_ivsetup:
5648         add     %r11,%rsp
5649         mov     %rdi,%rax
5650         mov     %rsi,%rdx
5651 +       pax_force_retaddr
5652         ret
5653 diff -urNp linux-3.1.1/arch/x86/crypto/twofish-x86_64-asm_64.S linux-3.1.1/arch/x86/crypto/twofish-x86_64-asm_64.S
5654 --- linux-3.1.1/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-11-11 15:19:27.000000000 -0500
5655 +++ linux-3.1.1/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-11-16 18:39:07.000000000 -0500
5656 @@ -21,6 +21,7 @@
5657  .text
5658  
5659  #include <asm/asm-offsets.h>
5660 +#include <asm/alternative-asm.h>
5661  
5662  #define a_offset       0
5663  #define b_offset       4
5664 @@ -269,6 +270,7 @@ twofish_enc_blk:
5665  
5666         popq    R1
5667         movq    $1,%rax
5668 +       pax_force_retaddr
5669         ret
5670  
5671  twofish_dec_blk:
5672 @@ -321,4 +323,5 @@ twofish_dec_blk:
5673  
5674         popq    R1
5675         movq    $1,%rax
5676 +       pax_force_retaddr
5677         ret
5678 diff -urNp linux-3.1.1/arch/x86/ia32/ia32_aout.c linux-3.1.1/arch/x86/ia32/ia32_aout.c
5679 --- linux-3.1.1/arch/x86/ia32/ia32_aout.c       2011-11-11 15:19:27.000000000 -0500
5680 +++ linux-3.1.1/arch/x86/ia32/ia32_aout.c       2011-11-16 18:40:08.000000000 -0500
5681 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
5682         unsigned long dump_start, dump_size;
5683         struct user32 dump;
5684  
5685 +       memset(&dump, 0, sizeof(dump));
5686 +
5687         fs = get_fs();
5688         set_fs(KERNEL_DS);
5689         has_dumped = 1;
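Review bot: The added `memset(&dump, 0, sizeof(dump));` carries no comment, so its purpose is not obvious next to the `set_fs(KERNEL_DS)` that follows. Presumably it is there because `struct user32` is written to the core file and any fields or padding the code below does not fill would otherwise carry stale kernel stack contents into a user-readable file; if so, say it: `/* zero the whole struct: unfilled fields and padding end up in the core file */`.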
5690 diff -urNp linux-3.1.1/arch/x86/ia32/ia32entry.S linux-3.1.1/arch/x86/ia32/ia32entry.S
5691 --- linux-3.1.1/arch/x86/ia32/ia32entry.S       2011-11-11 15:19:27.000000000 -0500
5692 +++ linux-3.1.1/arch/x86/ia32/ia32entry.S       2011-11-16 18:40:08.000000000 -0500
5693 @@ -13,7 +13,9 @@
5694  #include <asm/thread_info.h>   
5695  #include <asm/segment.h>
5696  #include <asm/irqflags.h>
5697 +#include <asm/pgtable.h>
5698  #include <linux/linkage.h>
5699 +#include <asm/alternative-asm.h>
5700  
5701  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
5702  #include <linux/elf-em.h>
5703 @@ -95,6 +97,29 @@ ENTRY(native_irq_enable_sysexit)
5704  ENDPROC(native_irq_enable_sysexit)
5705  #endif
5706  
5707 +       .macro pax_enter_kernel_user
5708 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5709 +       call pax_enter_kernel_user
5710 +#endif
5711 +       .endm
5712 +
5713 +       .macro pax_exit_kernel_user
5714 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5715 +       call pax_exit_kernel_user
5716 +#endif
5717 +#ifdef CONFIG_PAX_RANDKSTACK
5718 +       pushq %rax
5719 +       call pax_randomize_kstack
5720 +       popq %rax
5721 +#endif
5722 +       .endm
5723 +
5724 +       .macro pax_erase_kstack
5725 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
5726 +       call pax_erase_kstack
5727 +#endif
5728 +       .endm
5729 +
5730  /*
5731   * 32bit SYSENTER instruction entry.
5732   *
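Review bot: The three macros call out to `pax_enter_kernel_user`, `pax_exit_kernel_user`, `pax_randomize_kstack` and `pax_erase_kstack` while the surrounding entry code keeps live values in caller-saved registers, yet nothing states the register-preservation contract the callees must honour. Only `%rax` is explicitly saved, around `pax_randomize_kstack`; at the `pax_exit_kernel_user` call sites later in this file `%r10` still holds the thread_info pointer and is used immediately afterwards, so a callee following the SysV ABI (which may clobber `%r10`) would corrupt that path. The callees are not in this chunk, so I assume they are hand-written assembly that preserves everything; a comment on each macro would make that explicit: `/* callees must preserve all registers; only %rax is saved here, around pax_randomize_kstack */`. The `.macro` names shadow the symbols they call, which works because macro expansion only happens in mnemonic position, but a one-line note saying so would spare the next reader a double-take.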
5733 @@ -121,7 +146,7 @@ ENTRY(ia32_sysenter_target)
5734         CFI_REGISTER    rsp,rbp
5735         SWAPGS_UNSAFE_STACK
5736         movq    PER_CPU_VAR(kernel_stack), %rsp
5737 -       addq    $(KERNEL_STACK_OFFSET),%rsp
5738 +       pax_enter_kernel_user
5739         /*
5740          * No need to follow this irqs on/off section: the syscall
5741          * disabled irqs, here we enable it straight after entry:
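Review bot: The `addq $(KERNEL_STACK_OFFSET),%rsp` is dropped unconditionally, but its replacement `pax_enter_kernel_user` expands to nothing without CONFIG_PAX_MEMORY_UDEREF, so after this hunk the sysenter path starts with `%rsp` exactly at `PER_CPU_VAR(kernel_stack)` in every configuration. That is only correct if `kernel_stack` now holds the top of the stack rather than `KERNEL_STACK_OFFSET` below it; the `SAVE_ARGS 8*6` change in the cstar hunk further down is consistent with that reading, but the redefinition of `kernel_stack`/`KERNEL_STACK_OFFSET` itself is not in this chunk, so I cannot confirm it. A comment at this spot would save the next reader the same search: `/* kernel_stack now points at the stack top; no KERNEL_STACK_OFFSET adjustment */`.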
5742 @@ -134,7 +159,8 @@ ENTRY(ia32_sysenter_target)
5743         CFI_REL_OFFSET rsp,0
5744         pushfq_cfi
5745         /*CFI_REL_OFFSET rflags,0*/
5746 -       movl    8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
5747 +       GET_THREAD_INFO(%r10)
5748 +       movl    TI_sysenter_return(%r10), %r10d
5749         CFI_REGISTER rip,r10
5750         pushq_cfi $__USER32_CS
5751         /*CFI_REL_OFFSET cs,0*/
5752 @@ -146,6 +172,12 @@ ENTRY(ia32_sysenter_target)
5753         SAVE_ARGS 0,1,0
5754         /* no need to do an access_ok check here because rbp has been
5755            32bit zero extended */ 
5756 +
5757 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5758 +       mov $PAX_USER_SHADOW_BASE,%r10
5759 +       add %r10,%rbp
5760 +#endif
5761 +
5762  1:     movl    (%rbp),%ebp
5763         .section __ex_table,"a"
5764         .quad 1b,ia32_badarg
5765 @@ -168,6 +200,8 @@ sysenter_dispatch:
5766         testl   $_TIF_ALLWORK_MASK,TI_flags(%r10)
5767         jnz     sysexit_audit
5768  sysexit_from_sys_call:
5769 +       pax_exit_kernel_user
5770 +       pax_erase_kstack
5771         andl    $~TS_COMPAT,TI_status(%r10)
5772         /* clear IF, that popfq doesn't enable interrupts early */
5773         andl  $~0x200,EFLAGS-R11(%rsp) 
5774 @@ -194,6 +228,9 @@ sysexit_from_sys_call:
5775         movl %eax,%esi                  /* 2nd arg: syscall number */
5776         movl $AUDIT_ARCH_I386,%edi      /* 1st arg: audit arch */
5777         call audit_syscall_entry
5778 +
5779 +       pax_erase_kstack
5780 +
5781         movl RAX-ARGOFFSET(%rsp),%eax   /* reload syscall number */
5782         cmpq $(IA32_NR_syscalls-1),%rax
5783         ja ia32_badsys
5784 @@ -246,6 +283,9 @@ sysenter_tracesys:
5785         movq    $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
5786         movq    %rsp,%rdi        /* &pt_regs -> arg1 */
5787         call    syscall_trace_enter
5788 +
5789 +       pax_erase_kstack
5790 +
5791         LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
5792         RESTORE_REST
5793         cmpq    $(IA32_NR_syscalls-1),%rax
5794 @@ -277,19 +317,24 @@ ENDPROC(ia32_sysenter_target)
5795  ENTRY(ia32_cstar_target)
5796         CFI_STARTPROC32 simple
5797         CFI_SIGNAL_FRAME
5798 -       CFI_DEF_CFA     rsp,KERNEL_STACK_OFFSET
5799 +       CFI_DEF_CFA     rsp,0
5800         CFI_REGISTER    rip,rcx
5801         /*CFI_REGISTER  rflags,r11*/
5802         SWAPGS_UNSAFE_STACK
5803         movl    %esp,%r8d
5804         CFI_REGISTER    rsp,r8
5805         movq    PER_CPU_VAR(kernel_stack),%rsp
5806 +
5807 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5808 +       pax_enter_kernel_user
5809 +#endif
5810 +
5811         /*
5812          * No need to follow this irqs on/off section: the syscall
5813          * disabled irqs and here we enable it straight after entry:
5814          */
5815         ENABLE_INTERRUPTS(CLBR_NONE)
5816 -       SAVE_ARGS 8,0,0
5817 +       SAVE_ARGS 8*6,0,0
5818         movl    %eax,%eax       /* zero extension */
5819         movq    %rax,ORIG_RAX-ARGOFFSET(%rsp)
5820         movq    %rcx,RIP-ARGOFFSET(%rsp)
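Review bot: The `#ifdef CONFIG_PAX_MEMORY_UDEREF` around `pax_enter_kernel_user` is redundant and inconsistent with the other two entry points in this file. The macro already expands to nothing unless CONFIG_PAX_MEMORY_UDEREF is set, and `ia32_sysenter_target` and `ia32_syscall` invoke it bare; wrapping it a second time here means any future non-UDEREF addition to the macro (as `pax_exit_kernel_user` already has with RANDKSTACK) would silently skip the cstar path. I would drop the `#ifdef`/`#endif` pair and leave just `pax_enter_kernel_user`. The `CFI_DEF_CFA rsp,0` and `SAVE_ARGS 8*6,0,0` changes look consistent with the stack top no longer being offset, assuming that redefinition lives elsewhere in the patch.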
5821 @@ -305,6 +350,12 @@ ENTRY(ia32_cstar_target)
5822         /* no need to do an access_ok check here because r8 has been
5823            32bit zero extended */ 
5824         /* hardware stack frame is complete now */      
5825 +
5826 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5827 +       mov $PAX_USER_SHADOW_BASE,%r10
5828 +       add %r10,%r8
5829 +#endif
5830 +
5831  1:     movl    (%r8),%r9d
5832         .section __ex_table,"a"
5833         .quad 1b,ia32_badarg
5834 @@ -327,6 +378,8 @@ cstar_dispatch:
5835         testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
5836         jnz sysretl_audit
5837  sysretl_from_sys_call:
5838 +       pax_exit_kernel_user
5839 +       pax_erase_kstack
5840         andl $~TS_COMPAT,TI_status(%r10)
5841         RESTORE_ARGS 0,-ARG_SKIP,0,0,0
5842         movl RIP-ARGOFFSET(%rsp),%ecx
5843 @@ -364,6 +417,9 @@ cstar_tracesys:
5844         movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
5845         movq %rsp,%rdi        /* &pt_regs -> arg1 */
5846         call syscall_trace_enter
5847 +
5848 +       pax_erase_kstack
5849 +
5850         LOAD_ARGS32 ARGOFFSET, 1  /* reload args from stack in case ptrace changed it */
5851         RESTORE_REST
5852         xchgl %ebp,%r9d
5853 @@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
5854         CFI_REL_OFFSET  rip,RIP-RIP
5855         PARAVIRT_ADJUST_EXCEPTION_FRAME
5856         SWAPGS
5857 +       pax_enter_kernel_user
5858         /*
5859          * No need to follow this irqs on/off section: the syscall
5860          * disabled irqs and here we enable it straight after entry:
5861 @@ -441,6 +498,9 @@ ia32_tracesys:                       
5862         movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
5863         movq %rsp,%rdi        /* &pt_regs -> arg1 */
5864         call syscall_trace_enter
5865 +
5866 +       pax_erase_kstack
5867 +
5868         LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
5869         RESTORE_REST
5870         cmpq $(IA32_NR_syscalls-1),%rax
5871 @@ -455,6 +515,7 @@ ia32_badsys:
5872  
5873  quiet_ni_syscall:
5874         movq $-ENOSYS,%rax
5875 +       pax_force_retaddr
5876         ret
5877         CFI_ENDPROC
5878         
5879 diff -urNp linux-3.1.1/arch/x86/ia32/ia32_signal.c linux-3.1.1/arch/x86/ia32/ia32_signal.c
5880 --- linux-3.1.1/arch/x86/ia32/ia32_signal.c     2011-11-11 15:19:27.000000000 -0500
5881 +++ linux-3.1.1/arch/x86/ia32/ia32_signal.c     2011-11-16 18:39:07.000000000 -0500
5882 @@ -169,7 +169,7 @@ asmlinkage long sys32_sigaltstack(const 
5883         }
5884         seg = get_fs();
5885         set_fs(KERNEL_DS);
5886 -       ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss, regs->sp);
5887 +       ret = do_sigaltstack(uss_ptr ? (const stack_t __force_user *)&uss : NULL, (stack_t __force_user *)&uoss, regs->sp);
5888         set_fs(seg);
5889         if (ret >= 0 && uoss_ptr)  {
5890                 if (!access_ok(VERIFY_WRITE, uoss_ptr, sizeof(stack_ia32_t)))
5891 @@ -370,7 +370,7 @@ static int ia32_setup_sigcontext(struct 
5892   */
5893  static void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
5894                                  size_t frame_size,
5895 -                                void **fpstate)
5896 +                                void __user **fpstate)
5897  {
5898         unsigned long sp;
5899  
5900 @@ -391,7 +391,7 @@ static void __user *get_sigframe(struct 
5901  
5902         if (used_math()) {
5903                 sp = sp - sig_xstate_ia32_size;
5904 -               *fpstate = (struct _fpstate_ia32 *) sp;
5905 +               *fpstate = (struct _fpstate_ia32 __user *) sp;
5906                 if (save_i387_xstate_ia32(*fpstate) < 0)
5907                         return (void __user *) -1L;
5908         }
5909 @@ -399,7 +399,7 @@ static void __user *get_sigframe(struct 
5910         sp -= frame_size;
5911         /* Align the stack pointer according to the i386 ABI,
5912          * i.e. so that on function entry ((sp + 4) & 15) == 0. */
5913 -       sp = ((sp + 4) & -16ul) - 4;
5914 +       sp = ((sp - 12) & -16ul) - 4;
5915         return (void __user *) sp;
5916  }
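Review bot: The new alignment expression places the frame 16 bytes lower than the old one for every input, and no comment says why. For any `sp`, `((sp - 12) & -16ul) - 4` equals `((sp + 4) & -16ul) - 4` minus 16: both satisfy the `((sp + 4) & 15) == 0` invariant the comment describes, but the old form left the frame 0–15 bytes below `sp` while the new one leaves it 16–31 bytes below. If the extra gap is intentional (for instance to guarantee the frame never starts exactly at `sp`, just below the fpstate area carved out above), that belongs in the comment, e.g. `/* ABI alignment, always leaving at least 16 bytes of slack below sp */`; if it is not, the old expression already met the stated invariant and the change deserves a justification.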
5917  
5918 @@ -457,7 +457,7 @@ int ia32_setup_frame(int sig, struct k_s
5919                  * These are actually not used anymore, but left because some
5920                  * gdb versions depend on them as a marker.
5921                  */
5922 -               put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
5923 +               put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
5924         } put_user_catch(err);
5925  
5926         if (err)
5927 @@ -499,7 +499,7 @@ int ia32_setup_rt_frame(int sig, struct 
5928                 0xb8,
5929                 __NR_ia32_rt_sigreturn,
5930                 0x80cd,
5931 -               0,
5932 +               0
5933         };
5934  
5935         frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
5936 @@ -529,16 +529,18 @@ int ia32_setup_rt_frame(int sig, struct 
5937  
5938                 if (ka->sa.sa_flags & SA_RESTORER)
5939                         restorer = ka->sa.sa_restorer;
5940 +               else if (current->mm->context.vdso)
5941 +                       /* Return stub is in 32bit vsyscall page */
5942 +                       restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
5943                 else
5944 -                       restorer = VDSO32_SYMBOL(current->mm->context.vdso,
5945 -                                                rt_sigreturn);
5946 +                       restorer = &frame->retcode;
5947                 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
5948  
5949                 /*
5950                  * Not actually used anymore, but left because some gdb
5951                  * versions need it.
5952                  */
5953 -               put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
5954 +               put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
5955         } put_user_catch(err);
5956  
5957         if (err)
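Review bot: The comment kept at the bottom of the hunk, `Not actually used anymore, but left because some gdb versions need it`, is now wrong for this function: the new `else restorer = &frame->retcode;` branch makes `frame->retcode` the real return trampoline whenever the process has no vdso mapped. I would rewrite it as `/* Still the restorer when no vdso is mapped (see above); otherwise kept only as a marker for old gdb versions. */`. It is also worth noting at the fallback that it executes code from the signal frame on the user stack, so it only works for tasks whose stack is executable; a short note such as `/* runs from the stack: needs an executable stack, hence the vdso stub is preferred */` would make the trade-off visible.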
5958 diff -urNp linux-3.1.1/arch/x86/ia32/sys_ia32.c linux-3.1.1/arch/x86/ia32/sys_ia32.c
5959 --- linux-3.1.1/arch/x86/ia32/sys_ia32.c        2011-11-11 15:19:27.000000000 -0500
5960 +++ linux-3.1.1/arch/x86/ia32/sys_ia32.c        2011-11-16 18:39:07.000000000 -0500
5961 @@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsign
5962   */
5963  static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
5964  {
5965 -       typeof(ubuf->st_uid) uid = 0;
5966 -       typeof(ubuf->st_gid) gid = 0;
5967 +       typeof(((struct stat64 *)0)->st_uid) uid = 0;
5968 +       typeof(((struct stat64 *)0)->st_gid) gid = 0;
5969         SET_UID(uid, stat->uid);
5970         SET_GID(gid, stat->gid);
5971         if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
5972 @@ -308,8 +308,8 @@ asmlinkage long sys32_rt_sigprocmask(int
5973         }
5974         set_fs(KERNEL_DS);
5975         ret = sys_rt_sigprocmask(how,
5976 -                                set ? (sigset_t __user *)&s : NULL,
5977 -                                oset ? (sigset_t __user *)&s : NULL,
5978 +                                set ? (sigset_t __force_user *)&s : NULL,
5979 +                                oset ? (sigset_t __force_user *)&s : NULL,
5980                                  sigsetsize);
5981         set_fs(old_fs);
5982         if (ret)
5983 @@ -332,7 +332,7 @@ asmlinkage long sys32_alarm(unsigned int
5984         return alarm_setitimer(seconds);
5985  }
5986  
5987 -asmlinkage long sys32_waitpid(compat_pid_t pid, unsigned int *stat_addr,
5988 +asmlinkage long sys32_waitpid(compat_pid_t pid, unsigned int __user *stat_addr,
5989                               int options)
5990  {
5991         return compat_sys_wait4(pid, stat_addr, options, NULL);
5992 @@ -353,7 +353,7 @@ asmlinkage long sys32_sched_rr_get_inter
5993         mm_segment_t old_fs = get_fs();
5994  
5995         set_fs(KERNEL_DS);
5996 -       ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
5997 +       ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
5998         set_fs(old_fs);
5999         if (put_compat_timespec(&t, interval))
6000                 return -EFAULT;
6001 @@ -369,7 +369,7 @@ asmlinkage long sys32_rt_sigpending(comp
6002         mm_segment_t old_fs = get_fs();
6003  
6004         set_fs(KERNEL_DS);
6005 -       ret = sys_rt_sigpending((sigset_t __user *)&s, sigsetsize);
6006 +       ret = sys_rt_sigpending((sigset_t __force_user *)&s, sigsetsize);
6007         set_fs(old_fs);
6008         if (!ret) {
6009                 switch (_NSIG_WORDS) {
6010 @@ -394,7 +394,7 @@ asmlinkage long sys32_rt_sigqueueinfo(in
6011         if (copy_siginfo_from_user32(&info, uinfo))
6012                 return -EFAULT;
6013         set_fs(KERNEL_DS);
6014 -       ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __user *)&info);
6015 +       ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __force_user *)&info);
6016         set_fs(old_fs);
6017         return ret;
6018  }
6019 @@ -439,7 +439,7 @@ asmlinkage long sys32_sendfile(int out_f
6020                 return -EFAULT;
6021  
6022         set_fs(KERNEL_DS);
6023 -       ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL,
6024 +       ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL,
6025                            count);
6026         set_fs(old_fs);
6027  
6028 diff -urNp linux-3.1.1/arch/x86/include/asm/alternative-asm.h linux-3.1.1/arch/x86/include/asm/alternative-asm.h
6029 --- linux-3.1.1/arch/x86/include/asm/alternative-asm.h  2011-11-11 15:19:27.000000000 -0500
6030 +++ linux-3.1.1/arch/x86/include/asm/alternative-asm.h  2011-11-16 18:39:07.000000000 -0500
6031 @@ -15,6 +15,20 @@
6032         .endm
6033  #endif
6034  
6035 +#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
6036 +       .macro pax_force_retaddr rip=0
6037 +       btsq $63,\rip(%rsp)
6038 +       .endm
6039 +       .macro pax_force_fptr ptr
6040 +       btsq $63,\ptr
6041 +       .endm
6042 +#else
6043 +       .macro pax_force_retaddr rip=0
6044 +       .endm
6045 +       .macro pax_force_fptr ptr
6046 +       .endm
6047 +#endif
6048 +
6049  .macro altinstruction_entry orig alt feature orig_len alt_len
6050         .long \orig - .
6051         .long \alt - .
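Review bot: `pax_force_retaddr` and `pax_force_fptr` carry no comment explaining what setting bit 63 achieves, and the trick is not self-evident from `btsq $63,\rip(%rsp)`. Assuming kernel text lives in the upper canonical half (bit 63 already set), the `bts` is a no-op for a legitimate return address, while a return slot overwritten to point into the lower half becomes a non-canonical address, so the following `ret` raises #GP instead of transferring control there; `pax_force_fptr` does the same for an indirect-call target. I would put that above the `#ifdef`: `/* KERNEXEC: force the address into the kernel half. Legitimate kernel addresses already have bit 63 set; a user-space address becomes non-canonical and faults on ret/call. */`. Note also that `\rip` is a byte offset from `%rsp`, not a register, so a parameter name like `off` would read better.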
6052 diff -urNp linux-3.1.1/arch/x86/include/asm/alternative.h linux-3.1.1/arch/x86/include/asm/alternative.h
6053 --- linux-3.1.1/arch/x86/include/asm/alternative.h      2011-11-11 15:19:27.000000000 -0500
6054 +++ linux-3.1.1/arch/x86/include/asm/alternative.h      2011-11-16 18:39:07.000000000 -0500
6055 @@ -89,7 +89,7 @@ static inline int alternatives_text_rese
6056        ".section .discard,\"aw\",@progbits\n"                           \
6057        "         .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */   \
6058        ".previous\n"                                                    \
6059 -      ".section .altinstr_replacement, \"ax\"\n"                       \
6060 +      ".section .altinstr_replacement, \"a\"\n"                        \
6061        "663:\n\t" newinstr "\n664:\n"           /* replacement     */   \
6062        ".previous"
6063  
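Review bot: Dropping the `x` flag from `.altinstr_replacement` changes the section attributes only for C translation units that use this macro; any `.S` file or other header that opens `.altinstr_replacement` with `"ax"` will now disagree, and the toolchain will either warn about changed section flags or merge the sections with the union of their flags, which would quietly undo the intent. Since the replacement bytes are only ever copied into place by the alternatives patcher and never executed from this section, `"a"` is the right choice, but the rationale is not stated. I would add `/* never executed in place, only copied: keep it out of executable mappings (KERNEXEC) */` next to the line and check that the asm-side users of the section (not in this chunk) use the same flags.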
6064 diff -urNp linux-3.1.1/arch/x86/include/asm/apic.h linux-3.1.1/arch/x86/include/asm/apic.h
6065 --- linux-3.1.1/arch/x86/include/asm/apic.h     2011-11-11 15:19:27.000000000 -0500
6066 +++ linux-3.1.1/arch/x86/include/asm/apic.h     2011-11-16 18:39:07.000000000 -0500
6067 @@ -45,7 +45,7 @@ static inline void generic_apic_probe(vo
6068  
6069  #ifdef CONFIG_X86_LOCAL_APIC
6070  
6071 -extern unsigned int apic_verbosity;
6072 +extern int apic_verbosity;
6073  extern int local_apic_timer_c2_ok;
6074  
6075  extern int disable_apic;
6076 diff -urNp linux-3.1.1/arch/x86/include/asm/apm.h linux-3.1.1/arch/x86/include/asm/apm.h
6077 --- linux-3.1.1/arch/x86/include/asm/apm.h      2011-11-11 15:19:27.000000000 -0500
6078 +++ linux-3.1.1/arch/x86/include/asm/apm.h      2011-11-16 18:39:07.000000000 -0500
6079 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6080         __asm__ __volatile__(APM_DO_ZERO_SEGS
6081                 "pushl %%edi\n\t"
6082                 "pushl %%ebp\n\t"
6083 -               "lcall *%%cs:apm_bios_entry\n\t"
6084 +               "lcall *%%ss:apm_bios_entry\n\t"
6085                 "setc %%al\n\t"
6086                 "popl %%ebp\n\t"
6087                 "popl %%edi\n\t"
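Review bot: The switch from `%%cs:` to `%%ss:` on the `lcall *apm_bios_entry` operand has no comment, and it is easy to misread as changing the call target. The override only affects the fetch of the far pointer `apm_bios_entry` from memory, not where the `lcall` goes; the change presumably exists because under KERNEXEC the kernel code segment no longer maps data at the same linear addresses as the data/stack segments, so a cs-relative data read would hit the wrong memory. A comment would stop the next reader from reverting it as a typo: `/* read the far pointer through %ss, not %cs: under KERNEXEC the code segment base differs from the data segments */`. The same change is made in apm_bios_call_simple_asm below and should carry the same note.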
6088 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6089         __asm__ __volatile__(APM_DO_ZERO_SEGS
6090                 "pushl %%edi\n\t"
6091                 "pushl %%ebp\n\t"
6092 -               "lcall *%%cs:apm_bios_entry\n\t"
6093 +               "lcall *%%ss:apm_bios_entry\n\t"
6094                 "setc %%bl\n\t"
6095                 "popl %%ebp\n\t"
6096                 "popl %%edi\n\t"
6097 diff -urNp linux-3.1.1/arch/x86/include/asm/atomic64_32.h linux-3.1.1/arch/x86/include/asm/atomic64_32.h
6098 --- linux-3.1.1/arch/x86/include/asm/atomic64_32.h      2011-11-11 15:19:27.000000000 -0500
6099 +++ linux-3.1.1/arch/x86/include/asm/atomic64_32.h      2011-11-16 18:39:07.000000000 -0500
6100 @@ -12,6 +12,14 @@ typedef struct {
6101         u64 __aligned(8) counter;
6102  } atomic64_t;
6103  
6104 +#ifdef CONFIG_PAX_REFCOUNT
6105 +typedef struct {
6106 +       u64 __aligned(8) counter;
6107 +} atomic64_unchecked_t;
6108 +#else
6109 +typedef atomic64_t atomic64_unchecked_t;
6110 +#endif
6111 +
6112  #define ATOMIC64_INIT(val)     { (val) }
6113  
6114  #ifdef CONFIG_X86_CMPXCHG64
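Review bot: `atomic64_unchecked_t` is introduced without any explanation of what "unchecked" means or when a caller should pick it over `atomic64_t`. From the rest of the patch it is the variant exempt from the PAX_REFCOUNT overflow detection (and collapses to a plain `atomic64_t` when that option is off), but a reader of this header alone cannot see that. I would add above the `#ifdef`: `/* Same layout as atomic64_t but never overflow-checked under CONFIG_PAX_REFCOUNT; use only for counters that may legitimately wrap (statistics, sequence numbers), never for reference counts. */`.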
6115 @@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg
6116  }
6117  
6118  /**
6119 + * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
6120 + * @p: pointer to type atomic64_unchecked_t
6121 + * @o: expected value
6122 + * @n: new value
6123 + *
6124 + * Atomically sets @v to @n if it was equal to @o and returns
6125 + * the old value.
6126 + */
6127 +
6128 +static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
6129 +{
6130 +       return cmpxchg64(&v->counter, o, n);
6131 +}
6132 +
6133 +/**
6134   * atomic64_xchg - xchg atomic64 variable
6135   * @v: pointer to type atomic64_t
6136   * @n: value to assign
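Review bot: The kernel-doc for `atomic64_cmpxchg_unchecked` documents a parameter `@p` that does not exist — the function's first parameter is `v`, and the body text then says "sets @v", so the names disagree inside the same comment. Change the line to ` * @v: pointer to type atomic64_unchecked_t`. The function itself is fine: it applies the same `cmpxchg64` on `&v->counter` that the checked variant uses, which is what the name promises.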
6137 @@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64
6138  }
6139  
6140  /**
6141 + * atomic64_set_unchecked - set atomic64 variable
6142 + * @v: pointer to type atomic64_unchecked_t
6143 + * @n: value to assign
6144 + *
6145 + * Atomically sets the value of @v to @n.
6146 + */
6147 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
6148 +{
6149 +       unsigned high = (unsigned)(i >> 32);
6150 +       unsigned low = (unsigned)i;
6151 +       asm volatile(ATOMIC64_ALTERNATIVE(set)
6152 +                    : "+b" (low), "+c" (high)
6153 +                    : "S" (v)
6154 +                    : "eax", "edx", "memory"
6155 +                    );
6156 +}
6157 +
6158 +/**
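Review bot: The kernel-doc for `atomic64_set_unchecked` names the value parameter `@n` while the function declares it `long long i`, so the documentation does not match the signature; write ` * @i: value to assign` and `Atomically sets the value of @v to @i.`. The body appears to reuse the same out-of-line helper as the checked setter via `ATOMIC64_ALTERNATIVE(set)`, which is reasonable since a plain store has no overflow to detect, but a one-line comment saying it intentionally shares the helper would stop someone "fixing" it to a `set_unchecked` variant that does not exist.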
6159   * atomic64_read - read atomic64 variable
6160   * @v: pointer to type atomic64_t
6161   *
6162 @@ -93,6 +134,22 @@ static inline long long atomic64_read(at
6163   }
6164  
6165  /**
6166 + * atomic64_read_unchecked - read atomic64 variable
6167 + * @v: pointer to type atomic64_unchecked_t
6168 + *
6169 + * Atomically reads the value of @v and returns it.
6170 + */
6171 +static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
6172 +{
6173 +       long long r;
6174 +       asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked)
6175 +                    : "=A" (r), "+c" (v)
6176 +                    : : "memory"
6177 +                    );
6178 +       return r;
6179 + }
6180 +
6181 +/**
6182   * atomic64_add_return - add and return
6183   * @i: integer value to add
6184   * @v: pointer to type atomic64_t
6185 @@ -108,6 +165,22 @@ static inline long long atomic64_add_ret
6186         return i;
6187  }
6188  
6189 +/**
6190 + * atomic64_add_return_unchecked - add and return
6191 + * @i: integer value to add
6192 + * @v: pointer to type atomic64_unchecked_t
6193 + *
6194 + * Atomically adds @i to @v and returns @i + *@v
6195 + */
6196 +static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
6197 +{
6198 +       asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked)
6199 +                    : "+A" (i), "+c" (v)
6200 +                    : : "memory"
6201 +                    );
6202 +       return i;
6203 +}
6204 +
6205  /*
6206   * Other variants with different arithmetic operators:
6207   */
6208 @@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret
6209         return a;
6210  }
6211  
6212 +static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6213 +{
6214 +       long long a;
6215 +       asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked)
6216 +                    : "=A" (a)
6217 +                    : "S" (v)
6218 +                    : "memory", "ecx"
6219 +                    );
6220 +       return a;
6221 +}
6222 +
6223  static inline long long atomic64_dec_return(atomic64_t *v)
6224  {
6225         long long a;
6226 @@ -159,6 +243,22 @@ static inline long long atomic64_add(lon
6227  }
6228  
6229  /**
6230 + * atomic64_add_unchecked - add integer to atomic64 variable
6231 + * @i: integer value to add
6232 + * @v: pointer to type atomic64_unchecked_t
6233 + *
6234 + * Atomically adds @i to @v.
6235 + */
6236 +static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
6237 +{
6238 +       asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)
6239 +                    : "+A" (i), "+c" (v)
6240 +                    : : "memory"
6241 +                    );
6242 +       return i;
6243 +}
6244 +
6245 +/**
6246   * atomic64_sub - subtract the atomic64 variable
6247   * @i: integer value to subtract
6248   * @v: pointer to type atomic64_t
6249 diff -urNp linux-3.1.1/arch/x86/include/asm/atomic64_64.h linux-3.1.1/arch/x86/include/asm/atomic64_64.h
6250 --- linux-3.1.1/arch/x86/include/asm/atomic64_64.h      2011-11-11 15:19:27.000000000 -0500
6251 +++ linux-3.1.1/arch/x86/include/asm/atomic64_64.h      2011-11-16 18:39:07.000000000 -0500
6252 @@ -18,7 +18,19 @@
6253   */
6254  static inline long atomic64_read(const atomic64_t *v)
6255  {
6256 -       return (*(volatile long *)&(v)->counter);
6257 +       return (*(volatile const long *)&(v)->counter);
6258 +}
6259 +
6260 +/**
6261 + * atomic64_read_unchecked - read atomic64 variable
6262 + * @v: pointer of type atomic64_unchecked_t
6263 + *
6264 + * Atomically reads the value of @v.
6265 + * Doesn't imply a read memory barrier.
6266 + */
6267 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6268 +{
6269 +       return (*(volatile const long *)&(v)->counter);
6270  }
6271  
6272  /**
6273 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6274  }
6275  
6276  /**
6277 + * atomic64_set_unchecked - set atomic64 variable
6278 + * @v: pointer to type atomic64_unchecked_t
6279 + * @i: required value
6280 + *
6281 + * Atomically sets the value of @v to @i.
6282 + */
6283 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6284 +{
6285 +       v->counter = i;
6286 +}
6287 +
6288 +/**
6289   * atomic64_add - add integer to atomic64 variable
6290   * @i: integer value to add
6291   * @v: pointer to type atomic64_t
6292 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6293   */
6294  static inline void atomic64_add(long i, atomic64_t *v)
6295  {
6296 +       asm volatile(LOCK_PREFIX "addq %1,%0\n"
6297 +
6298 +#ifdef CONFIG_PAX_REFCOUNT
6299 +                    "jno 0f\n"
6300 +                    LOCK_PREFIX "subq %1,%0\n"
6301 +                    "int $4\n0:\n"
6302 +                    _ASM_EXTABLE(0b, 0b)
6303 +#endif
6304 +
6305 +                    : "=m" (v->counter)
6306 +                    : "er" (i), "m" (v->counter));
6307 +}
6308 +
6309 +/**
6310 + * atomic64_add_unchecked - add integer to atomic64 variable
6311 + * @i: integer value to add
6312 + * @v: pointer to type atomic64_unchecked_t
6313 + *
6314 + * Atomically adds @i to @v.
6315 + */
6316 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6317 +{
6318         asm volatile(LOCK_PREFIX "addq %1,%0"
6319                      : "=m" (v->counter)
6320                      : "er" (i), "m" (v->counter));
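Review bot: The PAX_REFCOUNT overflow path relies on two non-obvious mechanisms that the hunk leaves undocumented. First, the undo is a second `lock subq` rather than part of the original operation, so between the two locked instructions other CPUs can observe the wrapped counter; second, `int $4` raises #OF with a return address of label `0`, and `_ASM_EXTABLE(0b, 0b)` registers exactly that address, presumably so the trap handler (not in this chunk) can recognise the site as a refcount check and resume there after dealing with the offender. A comment on the `#ifdef` block would capture this: `/* On signed overflow: undo the add (a transient wrapped value is visible to other CPUs), then trap with #OF; the extable entry marks this as a refcount-check site. */`. The same pattern is repeated for sub, inc, dec and the *_and_test helpers below, so one comment here with a reference from the others would suffice.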
6321 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i, 
6322   */
6323  static inline void atomic64_sub(long i, atomic64_t *v)
6324  {
6325 -       asm volatile(LOCK_PREFIX "subq %1,%0"
6326 +       asm volatile(LOCK_PREFIX "subq %1,%0\n"
6327 +
6328 +#ifdef CONFIG_PAX_REFCOUNT
6329 +                    "jno 0f\n"
6330 +                    LOCK_PREFIX "addq %1,%0\n"
6331 +                    "int $4\n0:\n"
6332 +                    _ASM_EXTABLE(0b, 0b)
6333 +#endif
6334 +
6335 +                    : "=m" (v->counter)
6336 +                    : "er" (i), "m" (v->counter));
6337 +}
6338 +
6339 +/**
6340 + * atomic64_sub_unchecked - subtract the atomic64 variable
6341 + * @i: integer value to subtract
6342 + * @v: pointer to type atomic64_unchecked_t
6343 + *
6344 + * Atomically subtracts @i from @v.
6345 + */
6346 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6347 +{
6348 +       asm volatile(LOCK_PREFIX "subq %1,%0\n"
6349                      : "=m" (v->counter)
6350                      : "er" (i), "m" (v->counter));
6351  }
6352 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6353  {
6354         unsigned char c;
6355  
6356 -       asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6357 +       asm volatile(LOCK_PREFIX "subq %2,%0\n"
6358 +
6359 +#ifdef CONFIG_PAX_REFCOUNT
6360 +                    "jno 0f\n"
6361 +                    LOCK_PREFIX "addq %2,%0\n"
6362 +                    "int $4\n0:\n"
6363 +                    _ASM_EXTABLE(0b, 0b)
6364 +#endif
6365 +
6366 +                    "sete %1\n"
6367                      : "=m" (v->counter), "=qm" (c)
6368                      : "er" (i), "m" (v->counter) : "memory");
6369         return c;
6370 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6371   */
6372  static inline void atomic64_inc(atomic64_t *v)
6373  {
6374 +       asm volatile(LOCK_PREFIX "incq %0\n"
6375 +
6376 +#ifdef CONFIG_PAX_REFCOUNT
6377 +                    "jno 0f\n"
6378 +                    LOCK_PREFIX "decq %0\n"
6379 +                    "int $4\n0:\n"
6380 +                    _ASM_EXTABLE(0b, 0b)
6381 +#endif
6382 +
6383 +                    : "=m" (v->counter)
6384 +                    : "m" (v->counter));
6385 +}
6386 +
6387 +/**
6388 + * atomic64_inc_unchecked - increment atomic64 variable
6389 + * @v: pointer to type atomic64_unchecked_t
6390 + *
6391 + * Atomically increments @v by 1.
6392 + */
6393 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6394 +{
6395         asm volatile(LOCK_PREFIX "incq %0"
6396                      : "=m" (v->counter)
6397                      : "m" (v->counter));
6398 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6399   */
6400  static inline void atomic64_dec(atomic64_t *v)
6401  {
6402 -       asm volatile(LOCK_PREFIX "decq %0"
6403 +       asm volatile(LOCK_PREFIX "decq %0\n"
6404 +
6405 +#ifdef CONFIG_PAX_REFCOUNT
6406 +                    "jno 0f\n"
6407 +                    LOCK_PREFIX "incq %0\n"
6408 +                    "int $4\n0:\n"
6409 +                    _ASM_EXTABLE(0b, 0b)
6410 +#endif
6411 +
6412 +                    : "=m" (v->counter)
6413 +                    : "m" (v->counter));
6414 +}
6415 +
6416 +/**
6417 + * atomic64_dec_unchecked - decrement atomic64 variable
6418 + * @v: pointer to type atomic64_t
6419 + *
6420 + * Atomically decrements @v by 1.
6421 + */
6422 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6423 +{
6424 +       asm volatile(LOCK_PREFIX "decq %0\n"
6425                      : "=m" (v->counter)
6426                      : "m" (v->counter));
6427  }
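Review bot: The kernel-doc for `atomic64_dec_unchecked` says `@v: pointer to type atomic64_t`, but the parameter is `atomic64_unchecked_t *v`; every other `*_unchecked` helper in this file gets the type right, so this one reads like a copy-paste leftover. Change it to ` * @v: pointer to type atomic64_unchecked_t`. The trailing `"\n"` added to the unchecked `decq` (and to the unchecked `subq` earlier) is harmless but differs from the unchecked `incq`/`addq` variants, which keep the original string; pick one form.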
6428 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6429  {
6430         unsigned char c;
6431  
6432 -       asm volatile(LOCK_PREFIX "decq %0; sete %1"
6433 +       asm volatile(LOCK_PREFIX "decq %0\n"
6434 +
6435 +#ifdef CONFIG_PAX_REFCOUNT
6436 +                    "jno 0f\n"
6437 +                    LOCK_PREFIX "incq %0\n"
6438 +                    "int $4\n0:\n"
6439 +                    _ASM_EXTABLE(0b, 0b)
6440 +#endif
6441 +
6442 +                    "sete %1\n"
6443                      : "=m" (v->counter), "=qm" (c)
6444                      : "m" (v->counter) : "memory");
6445         return c != 0;
6446 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6447  {
6448         unsigned char c;
6449  
6450 -       asm volatile(LOCK_PREFIX "incq %0; sete %1"
6451 +       asm volatile(LOCK_PREFIX "incq %0\n"
6452 +
6453 +#ifdef CONFIG_PAX_REFCOUNT
6454 +                    "jno 0f\n"
6455 +                    LOCK_PREFIX "decq %0\n"
6456 +                    "int $4\n0:\n"
6457 +                    _ASM_EXTABLE(0b, 0b)
6458 +#endif
6459 +
6460 +                    "sete %1\n"
6461                      : "=m" (v->counter), "=qm" (c)
6462                      : "m" (v->counter) : "memory");
6463         return c != 0;
6464 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6465  {
6466         unsigned char c;
6467  
6468 -       asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6469 +       asm volatile(LOCK_PREFIX "addq %2,%0\n"
6470 +
6471 +#ifdef CONFIG_PAX_REFCOUNT
6472 +                    "jno 0f\n"
6473 +                    LOCK_PREFIX "subq %2,%0\n"
6474 +                    "int $4\n0:\n"
6475 +                    _ASM_EXTABLE(0b, 0b)
6476 +#endif
6477 +
6478 +                    "sets %1\n"
6479                      : "=m" (v->counter), "=qm" (c)
6480                      : "er" (i), "m" (v->counter) : "memory");
6481         return c;
6482 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6483  static inline long atomic64_add_return(long i, atomic64_t *v)
6484  {
6485         long __i = i;
6486 -       asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6487 +       asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6488 +
6489 +#ifdef CONFIG_PAX_REFCOUNT
6490 +                    "jno 0f\n"
6491 +                    "movq %0, %1\n"
6492 +                    "int $4\n0:\n"
6493 +                    _ASM_EXTABLE(0b, 0b)
6494 +#endif
6495 +
6496 +                    : "+r" (i), "+m" (v->counter)
6497 +                    : : "memory");
6498 +       return i + __i;
6499 +}
6500 +
6501 +/**
6502 + * atomic64_add_return_unchecked - add and return
6503 + * @i: integer value to add
6504 + * @v: pointer to type atomic64_unchecked_t
6505 + *
6506 + * Atomically adds @i to @v and returns @i + @v
6507 + */
6508 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6509 +{
6510 +       long __i = i;
6511 +       asm volatile(LOCK_PREFIX "xaddq %0, %1"
6512                      : "+r" (i), "+m" (v->counter)
6513                      : : "memory");
6514         return i + __i;
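Review bot: The overflow undo in `atomic64_add_return` is a plain `movq %0, %1`, unlike the `lock`-prefixed undo used in `atomic64_add`/`atomic64_sub` above, and the difference is not explained. After `xaddq`, `%0` holds the pre-add value, so the store puts the old value back, but it is a plain store rather than a locked read-modify-write: a concurrent update landing between the `xaddq` and the `movq` is overwritten, whereas the `lock subq` form in the other helpers preserves it. If that is acceptable because the `int $4` that follows ends the offending context anyway, say so: `/* restore the pre-add value; a concurrent update in this window is lost, but the #OF below terminates this context */`. Note also that `return i + __i` still hands back the wrapped sum should the trap handler resume here.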
6515 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6516  }
6517  
6518  #define atomic64_inc_return(v)  (atomic64_add_return(1, (v)))
6519 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6520 +{
6521 +       return atomic64_add_return_unchecked(1, v);
6522 +}
6523  #define atomic64_dec_return(v)  (atomic64_sub_return(1, (v)))
6524  
6525  static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6526 @@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom
6527         return cmpxchg(&v->counter, old, new);
6528  }
6529  
6530 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
6531 +{
6532 +       return cmpxchg(&v->counter, old, new);
6533 +}
6534 +
6535  static inline long atomic64_xchg(atomic64_t *v, long new)
6536  {
6537         return xchg(&v->counter, new);
6538 @@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6
6539   */
6540  static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6541  {
6542 -       long c, old;
6543 +       long c, old, new;
6544         c = atomic64_read(v);
6545         for (;;) {
6546 -               if (unlikely(c == (u)))
6547 +               if (unlikely(c == u))
6548                         break;
6549 -               old = atomic64_cmpxchg((v), c, c + (a));
6550 +
6551 +               asm volatile("add %2,%0\n"
6552 +
6553 +#ifdef CONFIG_PAX_REFCOUNT
6554 +                            "jno 0f\n"
6555 +                            "sub %2,%0\n"
6556 +                            "int $4\n0:\n"
6557 +                            _ASM_EXTABLE(0b, 0b)
6558 +#endif
6559 +
6560 +                            : "=r" (new)
6561 +                            : "0" (c), "ir" (a));
6562 +
6563 +               old = atomic64_cmpxchg(v, c, new);
6564                 if (likely(old == c))
6565                         break;
6566                 c = old;
6567         }
6568 -       return c != (u);
6569 +       return c != u;
6570  }
6571  
6572  #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
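Review bot: On the CONFIG_PAX_REFCOUNT rollback path the asm restores `new` to `c` (`sub %2,%0` runs when `jno 0f` is not taken), so the following `atomic64_cmpxchg(v, c, new)` succeeds without changing the counter and the function still returns `c != u`, i.e. a refused overflow is reported to the caller as a successful add. If that is intended, with the trap handler (not visible here) expected to deal with the offending task, it deserves a comment such as `/* on overflow new == c: the cmpxchg below is a no-op; the int $4 handler owns the caller */`; otherwise the rollback path should leave the loop and return 0. Without CONFIG_PAX_REFCOUNT the asm is just `new = c + a`, which reads better as C with only the overflow check inside the `#ifdef`. The same two points apply to __atomic_add_unless and to the loop in atomic_inc_not_zero_hint in atomic.h.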
6573 diff -urNp linux-3.1.1/arch/x86/include/asm/atomic.h linux-3.1.1/arch/x86/include/asm/atomic.h
6574 --- linux-3.1.1/arch/x86/include/asm/atomic.h   2011-11-11 15:19:27.000000000 -0500
6575 +++ linux-3.1.1/arch/x86/include/asm/atomic.h   2011-11-16 18:39:07.000000000 -0500
6576 @@ -22,7 +22,18 @@
6577   */
6578  static inline int atomic_read(const atomic_t *v)
6579  {
6580 -       return (*(volatile int *)&(v)->counter);
6581 +       return (*(volatile const int *)&(v)->counter);
6582 +}
6583 +
6584 +/**
6585 + * atomic_read_unchecked - read atomic variable
6586 + * @v: pointer of type atomic_unchecked_t
6587 + *
6588 + * Atomically reads the value of @v.
6589 + */
6590 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6591 +{
6592 +       return (*(volatile const int *)&(v)->counter);
6593  }
6594  
6595  /**
6596 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6597  }
6598  
6599  /**
6600 + * atomic_set_unchecked - set atomic variable
6601 + * @v: pointer of type atomic_unchecked_t
6602 + * @i: required value
6603 + *
6604 + * Atomically sets the value of @v to @i.
6605 + */
6606 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6607 +{
6608 +       v->counter = i;
6609 +}
6610 +
6611 +/**
6612   * atomic_add - add integer to atomic variable
6613   * @i: integer value to add
6614   * @v: pointer of type atomic_t
6615 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6616   */
6617  static inline void atomic_add(int i, atomic_t *v)
6618  {
6619 -       asm volatile(LOCK_PREFIX "addl %1,%0"
6620 +       asm volatile(LOCK_PREFIX "addl %1,%0\n"
6621 +
6622 +#ifdef CONFIG_PAX_REFCOUNT
6623 +                    "jno 0f\n"
6624 +                    LOCK_PREFIX "subl %1,%0\n"
6625 +                    "int $4\n0:\n"
6626 +                    _ASM_EXTABLE(0b, 0b)
6627 +#endif
6628 +
6629 +                    : "+m" (v->counter)
6630 +                    : "ir" (i));
6631 +}
6632 +
6633 +/**
6634 + * atomic_add_unchecked - add integer to atomic variable
6635 + * @i: integer value to add
6636 + * @v: pointer of type atomic_unchecked_t
6637 + *
6638 + * Atomically adds @i to @v.
6639 + */
6640 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6641 +{
6642 +       asm volatile(LOCK_PREFIX "addl %1,%0\n"
6643                      : "+m" (v->counter)
6644                      : "ir" (i));
6645  }
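Review bot: The four-line overflow rollback (`jno 0f`, the locked inverse instruction, `int $4`, `_ASM_EXTABLE(0b, 0b)`) is pasted verbatim into atomic_add here and again into atomic_sub, atomic_sub_and_test, atomic_inc, atomic_dec, atomic_dec_and_test, atomic_inc_and_test and atomic_add_negative; a single helper macro taking the undo instruction (something like `PAX_REFCOUNT_UNDO("subl %1,%0")`, name constructed) would keep the eight copies from drifting. The rollback is a second locked RMW, so the overflowed value is briefly visible to other CPUs between the two instructions; a comment on that macro should say this window is accepted because the `int $4` that follows is presumably fatal for the offending task (the handler is outside this hunk). In the `*_and_test`/`*_negative` variants the `sete`/`sets` after the label reports flags produced by the undo instruction if the trap returns with the saved flags, which also belongs in that comment.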
6646 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6647   */
6648  static inline void atomic_sub(int i, atomic_t *v)
6649  {
6650 -       asm volatile(LOCK_PREFIX "subl %1,%0"
6651 +       asm volatile(LOCK_PREFIX "subl %1,%0\n"
6652 +
6653 +#ifdef CONFIG_PAX_REFCOUNT
6654 +                    "jno 0f\n"
6655 +                    LOCK_PREFIX "addl %1,%0\n"
6656 +                    "int $4\n0:\n"
6657 +                    _ASM_EXTABLE(0b, 0b)
6658 +#endif
6659 +
6660 +                    : "+m" (v->counter)
6661 +                    : "ir" (i));
6662 +}
6663 +
6664 +/**
6665 + * atomic_sub_unchecked - subtract integer from atomic variable
6666 + * @i: integer value to subtract
6667 + * @v: pointer of type atomic_unchecked_t
6668 + *
6669 + * Atomically subtracts @i from @v.
6670 + */
6671 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6672 +{
6673 +       asm volatile(LOCK_PREFIX "subl %1,%0\n"
6674                      : "+m" (v->counter)
6675                      : "ir" (i));
6676  }
6677 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6678  {
6679         unsigned char c;
6680  
6681 -       asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6682 +       asm volatile(LOCK_PREFIX "subl %2,%0\n"
6683 +
6684 +#ifdef CONFIG_PAX_REFCOUNT
6685 +                    "jno 0f\n"
6686 +                    LOCK_PREFIX "addl %2,%0\n"
6687 +                    "int $4\n0:\n"
6688 +                    _ASM_EXTABLE(0b, 0b)
6689 +#endif
6690 +
6691 +                    "sete %1\n"
6692                      : "+m" (v->counter), "=qm" (c)
6693                      : "ir" (i) : "memory");
6694         return c;
6695 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6696   */
6697  static inline void atomic_inc(atomic_t *v)
6698  {
6699 -       asm volatile(LOCK_PREFIX "incl %0"
6700 +       asm volatile(LOCK_PREFIX "incl %0\n"
6701 +
6702 +#ifdef CONFIG_PAX_REFCOUNT
6703 +                    "jno 0f\n"
6704 +                    LOCK_PREFIX "decl %0\n"
6705 +                    "int $4\n0:\n"
6706 +                    _ASM_EXTABLE(0b, 0b)
6707 +#endif
6708 +
6709 +                    : "+m" (v->counter));
6710 +}
6711 +
6712 +/**
6713 + * atomic_inc_unchecked - increment atomic variable
6714 + * @v: pointer of type atomic_unchecked_t
6715 + *
6716 + * Atomically increments @v by 1.
6717 + */
6718 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6719 +{
6720 +       asm volatile(LOCK_PREFIX "incl %0\n"
6721                      : "+m" (v->counter));
6722  }
6723  
6724 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6725   */
6726  static inline void atomic_dec(atomic_t *v)
6727  {
6728 -       asm volatile(LOCK_PREFIX "decl %0"
6729 +       asm volatile(LOCK_PREFIX "decl %0\n"
6730 +
6731 +#ifdef CONFIG_PAX_REFCOUNT
6732 +                    "jno 0f\n"
6733 +                    LOCK_PREFIX "incl %0\n"
6734 +                    "int $4\n0:\n"
6735 +                    _ASM_EXTABLE(0b, 0b)
6736 +#endif
6737 +
6738 +                    : "+m" (v->counter));
6739 +}
6740 +
6741 +/**
6742 + * atomic_dec_unchecked - decrement atomic variable
6743 + * @v: pointer of type atomic_unchecked_t
6744 + *
6745 + * Atomically decrements @v by 1.
6746 + */
6747 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6748 +{
6749 +       asm volatile(LOCK_PREFIX "decl %0\n"
6750                      : "+m" (v->counter));
6751  }
6752  
6753 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6754  {
6755         unsigned char c;
6756  
6757 -       asm volatile(LOCK_PREFIX "decl %0; sete %1"
6758 +       asm volatile(LOCK_PREFIX "decl %0\n"
6759 +
6760 +#ifdef CONFIG_PAX_REFCOUNT
6761 +                    "jno 0f\n"
6762 +                    LOCK_PREFIX "incl %0\n"
6763 +                    "int $4\n0:\n"
6764 +                    _ASM_EXTABLE(0b, 0b)
6765 +#endif
6766 +
6767 +                    "sete %1\n"
6768                      : "+m" (v->counter), "=qm" (c)
6769                      : : "memory");
6770         return c != 0;
6771 @@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at
6772  {
6773         unsigned char c;
6774  
6775 -       asm volatile(LOCK_PREFIX "incl %0; sete %1"
6776 +       asm volatile(LOCK_PREFIX "incl %0\n"
6777 +
6778 +#ifdef CONFIG_PAX_REFCOUNT
6779 +                    "jno 0f\n"
6780 +                    LOCK_PREFIX "decl %0\n"
6781 +                    "int $4\n0:\n"
6782 +                    _ASM_EXTABLE(0b, 0b)
6783 +#endif
6784 +
6785 +                    "sete %1\n"
6786 +                    : "+m" (v->counter), "=qm" (c)
6787 +                    : : "memory");
6788 +       return c != 0;
6789 +}
6790 +
6791 +/**
6792 + * atomic_inc_and_test_unchecked - increment and test
6793 + * @v: pointer of type atomic_unchecked_t
6794 + *
6795 + * Atomically increments @v by 1
6796 + * and returns true if the result is zero, or false for all
6797 + * other cases.
6798 + */
6799 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
6800 +{
6801 +       unsigned char c;
6802 +
6803 +       asm volatile(LOCK_PREFIX "incl %0\n"
6804 +                    "sete %1\n"
6805                      : "+m" (v->counter), "=qm" (c)
6806                      : : "memory");
6807         return c != 0;
6808 @@ -157,7 +310,16 @@ static inline int atomic_add_negative(in
6809  {
6810         unsigned char c;
6811  
6812 -       asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6813 +       asm volatile(LOCK_PREFIX "addl %2,%0\n"
6814 +
6815 +#ifdef CONFIG_PAX_REFCOUNT
6816 +                    "jno 0f\n"
6817 +                    LOCK_PREFIX "subl %2,%0\n"
6818 +                    "int $4\n0:\n"
6819 +                    _ASM_EXTABLE(0b, 0b)
6820 +#endif
6821 +
6822 +                    "sets %1\n"
6823                      : "+m" (v->counter), "=qm" (c)
6824                      : "ir" (i) : "memory");
6825         return c;
6826 @@ -180,6 +342,46 @@ static inline int atomic_add_return(int 
6827  #endif
6828         /* Modern 486+ processor */
6829         __i = i;
6830 +       asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6831 +
6832 +#ifdef CONFIG_PAX_REFCOUNT
6833 +                    "jno 0f\n"
6834 +                    "movl %0, %1\n"
6835 +                    "int $4\n0:\n"
6836 +                    _ASM_EXTABLE(0b, 0b)
6837 +#endif
6838 +
6839 +                    : "+r" (i), "+m" (v->counter)
6840 +                    : : "memory");
6841 +       return i + __i;
6842 +
6843 +#ifdef CONFIG_M386
6844 +no_xadd: /* Legacy 386 processor */
6845 +       local_irq_save(flags);
6846 +       __i = atomic_read(v);
6847 +       atomic_set(v, i + __i);
6848 +       local_irq_restore(flags);
6849 +       return i + __i;
6850 +#endif
6851 +}
6852 +
6853 +/**
6854 + * atomic_add_return_unchecked - add integer and return
6855 + * @v: pointer of type atomic_unchecked_t
6856 + * @i: integer value to add
6857 + *
6858 + * Atomically adds @i to @v and returns @i + @v
6859 + */
6860 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6861 +{
6862 +       int __i;
6863 +#ifdef CONFIG_M386
6864 +       unsigned long flags;
6865 +       if (unlikely(boot_cpu_data.x86 <= 3))
6866 +               goto no_xadd;
6867 +#endif
6868 +       /* Modern 486+ processor */
6869 +       __i = i;
6870         asm volatile(LOCK_PREFIX "xaddl %0, %1"
6871                      : "+r" (i), "+m" (v->counter)
6872                      : : "memory");
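Review bot: The CONFIG_M386 `no_xadd` fallback kept for the checked atomic_add_return (`__i = atomic_read(v); atomic_set(v, i + __i);`) carries no overflow check at all, so on a 386 build the CONFIG_PAX_REFCOUNT protection silently does not apply to this function. Either add the same overflow test on that path or mark the gap, `/* legacy 386 path: no refcount overflow check */`, so the exception is deliberate and visible. The identical fallback is duplicated into atomic_add_return_unchecked, where being unchecked is the point. atomic_add_return's opening lines, including its `goto no_xadd`, are outside this hunk.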
6873 @@ -208,6 +410,10 @@ static inline int atomic_sub_return(int 
6874  }
6875  
6876  #define atomic_inc_return(v)  (atomic_add_return(1, v))
6877 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6878 +{
6879 +       return atomic_add_return_unchecked(1, v);
6880 +}
6881  #define atomic_dec_return(v)  (atomic_sub_return(1, v))
6882  
6883  static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6884 @@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_
6885         return cmpxchg(&v->counter, old, new);
6886  }
6887  
6888 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
6889 +{
6890 +       return cmpxchg(&v->counter, old, new);
6891 +}
6892 +
6893  static inline int atomic_xchg(atomic_t *v, int new)
6894  {
6895         return xchg(&v->counter, new);
6896  }
6897  
6898 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
6899 +{
6900 +       return xchg(&v->counter, new);
6901 +}
6902 +
6903  /**
6904   * __atomic_add_unless - add unless the number is already a given value
6905   * @v: pointer of type atomic_t
6906 @@ -231,12 +447,25 @@ static inline int atomic_xchg(atomic_t *
6907   */
6908  static inline int __atomic_add_unless(atomic_t *v, int a, int u)
6909  {
6910 -       int c, old;
6911 +       int c, old, new;
6912         c = atomic_read(v);
6913         for (;;) {
6914 -               if (unlikely(c == (u)))
6915 +               if (unlikely(c == u))
6916                         break;
6917 -               old = atomic_cmpxchg((v), c, c + (a));
6918 +
6919 +               asm volatile("addl %2,%0\n"
6920 +
6921 +#ifdef CONFIG_PAX_REFCOUNT
6922 +                            "jno 0f\n"
6923 +                            "subl %2,%0\n"
6924 +                            "int $4\n0:\n"
6925 +                            _ASM_EXTABLE(0b, 0b)
6926 +#endif
6927 +
6928 +                            : "=r" (new)
6929 +                            : "0" (c), "ir" (a));
6930 +
6931 +               old = atomic_cmpxchg(v, c, new);
6932                 if (likely(old == c))
6933                         break;
6934                 c = old;
6935 @@ -244,6 +473,48 @@ static inline int __atomic_add_unless(at
6936         return c;
6937  }
6938  
6939 +/**
6940 + * atomic_inc_not_zero_hint - increment if not null
6941 + * @v: pointer of type atomic_t
6942 + * @hint: probable value of the atomic before the increment
6943 + *
6944 + * This version of atomic_inc_not_zero() gives a hint of probable
6945 + * value of the atomic. This helps processor to not read the memory
6946 + * before doing the atomic read/modify/write cycle, lowering
6947 + * number of bus transactions on some arches.
6948 + *
6949 + * Returns: 0 if increment was not done, 1 otherwise.
6950 + */
6951 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
6952 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
6953 +{
6954 +       int val, c = hint, new;
6955 +
6956 +       /* sanity test, should be removed by compiler if hint is a constant */
6957 +       if (!hint)
6958 +               return __atomic_add_unless(v, 1, 0);
6959 +
6960 +       do {
6961 +               asm volatile("incl %0\n"
6962 +
6963 +#ifdef CONFIG_PAX_REFCOUNT
6964 +                            "jno 0f\n"
6965 +                            "decl %0\n"
6966 +                            "int $4\n0:\n"
6967 +                            _ASM_EXTABLE(0b, 0b)
6968 +#endif
6969 +
6970 +                            : "=r" (new)
6971 +                            : "0" (c));
6972 +
6973 +               val = atomic_cmpxchg(v, c, new);
6974 +               if (val == c)
6975 +                       return 1;
6976 +               c = val;
6977 +       } while (c);
6978 +
6979 +       return 0;
6980 +}
6981  
6982  /*
6983   * atomic_dec_if_positive - decrement by 1 if old value positive
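Review bot: The kernel-doc promises `Returns: 0 if increment was not done, 1 otherwise`, but the `!hint` shortcut returns whatever __atomic_add_unless returns, which per its `return c;` just above is the pre-increment value, not 1. Either reword the doc to say the result is boolean-true rather than exactly 1, or write the shortcut as `return __atomic_add_unless(v, 1, 0) != 0;`. As in the add_unless loops, the CONFIG_PAX_REFCOUNT rollback leaves `new == c`, so the cmpxchg succeeds and the function reports 1 without having incremented; that case should be mentioned in the same comment.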
6984 diff -urNp linux-3.1.1/arch/x86/include/asm/bitops.h linux-3.1.1/arch/x86/include/asm/bitops.h
6985 --- linux-3.1.1/arch/x86/include/asm/bitops.h   2011-11-11 15:19:27.000000000 -0500
6986 +++ linux-3.1.1/arch/x86/include/asm/bitops.h   2011-11-16 18:39:07.000000000 -0500
6987 @@ -38,7 +38,7 @@
6988   * a mask operation on a byte.
6989   */
6990  #define IS_IMMEDIATE(nr)               (__builtin_constant_p(nr))
6991 -#define CONST_MASK_ADDR(nr, addr)      BITOP_ADDR((void *)(addr) + ((nr)>>3))
6992 +#define CONST_MASK_ADDR(nr, addr)      BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
6993  #define CONST_MASK(nr)                 (1 << ((nr) & 7))
6994  
6995  /**
6996 diff -urNp linux-3.1.1/arch/x86/include/asm/boot.h linux-3.1.1/arch/x86/include/asm/boot.h
6997 --- linux-3.1.1/arch/x86/include/asm/boot.h     2011-11-11 15:19:27.000000000 -0500
6998 +++ linux-3.1.1/arch/x86/include/asm/boot.h     2011-11-16 18:39:07.000000000 -0500
6999 @@ -11,10 +11,15 @@
7000  #include <asm/pgtable_types.h>
7001  
7002  /* Physical address where kernel should be loaded. */
7003 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7004 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7005                                 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7006                                 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7007  
7008 +#ifndef __ASSEMBLY__
7009 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
7010 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7011 +#endif
7012 +
7013  /* Minimum kernel alignment, as a power of two */
7014  #ifdef CONFIG_X86_64
7015  #define MIN_KERNEL_ALIGN_LG2   PMD_SHIFT
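Review bot: After this change `LOAD_PHYSICAL_ADDR` no longer exists for assembly sources (the new definition sits under `#ifndef __ASSEMBLY__`), and C code now takes the address of an extern array `__LOAD_PHYSICAL_ADDR` that must be provided elsewhere, presumably by the linker script, which is not in this hunk. A comment above the `#ifndef` should say who defines that symbol and that assembly must use `____LOAD_PHYSICAL_ADDR`, e.g. `/* C reads the link-time symbol (assumption: defined in the linker script so it can be fixed up at link time - confirm); assembly keeps the compile-time constant ____LOAD_PHYSICAL_ADDR */`. Any `.S` file that still uses `LOAD_PHYSICAL_ADDR` will fail to assemble, so those users need the rename in the same patch.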
7016 diff -urNp linux-3.1.1/arch/x86/include/asm/cacheflush.h linux-3.1.1/arch/x86/include/asm/cacheflush.h
7017 --- linux-3.1.1/arch/x86/include/asm/cacheflush.h       2011-11-11 15:19:27.000000000 -0500
7018 +++ linux-3.1.1/arch/x86/include/asm/cacheflush.h       2011-11-16 18:39:07.000000000 -0500
7019 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
7020         unsigned long pg_flags = pg->flags & _PGMT_MASK;
7021  
7022         if (pg_flags == _PGMT_DEFAULT)
7023 -               return -1;
7024 +               return ~0UL;
7025         else if (pg_flags == _PGMT_WC)
7026                 return _PAGE_CACHE_WC;
7027         else if (pg_flags == _PGMT_UC_MINUS)
7028 diff -urNp linux-3.1.1/arch/x86/include/asm/cache.h linux-3.1.1/arch/x86/include/asm/cache.h
7029 --- linux-3.1.1/arch/x86/include/asm/cache.h    2011-11-11 15:19:27.000000000 -0500
7030 +++ linux-3.1.1/arch/x86/include/asm/cache.h    2011-11-16 18:39:07.000000000 -0500
7031 @@ -5,12 +5,13 @@
7032  
7033  /* L1 cache line size */
7034  #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
7035 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7036 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7037  
7038  #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7039 +#define __read_only __attribute__((__section__(".data..read_only")))
7040  
7041  #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7042 -#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7043 +#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
7044  
7045  #ifdef CONFIG_X86_VSMP
7046  #ifdef CONFIG_SMP
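Review bot: The new `__read_only` attribute places data in `.data..read_only` but nothing here says when, or by what, that section is made read-only, which is exactly what a user of the annotation needs to know before marking a variable with it; a one-line comment such as `/* .data..read_only is write-protected after init (assumption: see the linker script and the kernexec setup - confirm) */` would cover it. `_AC(1,UL)` requires `<linux/const.h>`; the include is not visible in this hunk, so make sure it is already pulled in by this header.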
7047 diff -urNp linux-3.1.1/arch/x86/include/asm/checksum_32.h linux-3.1.1/arch/x86/include/asm/checksum_32.h
7048 --- linux-3.1.1/arch/x86/include/asm/checksum_32.h      2011-11-11 15:19:27.000000000 -0500
7049 +++ linux-3.1.1/arch/x86/include/asm/checksum_32.h      2011-11-16 18:39:07.000000000 -0500
7050 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7051                                             int len, __wsum sum,
7052                                             int *src_err_ptr, int *dst_err_ptr);
7053  
7054 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7055 +                                                 int len, __wsum sum,
7056 +                                                 int *src_err_ptr, int *dst_err_ptr);
7057 +
7058 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7059 +                                                 int len, __wsum sum,
7060 +                                                 int *src_err_ptr, int *dst_err_ptr);
7061 +
7062  /*
7063   *     Note: when you get a NULL pointer exception here this means someone
7064   *     passed in an incorrect kernel address to one of these functions.
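Review bot: The new `_to_user`/`_from_user` prototypes take plain `void *` for the user-side pointer, so both call sites (the csum_partial_copy_from_user and csum_and_copy_to_user hunks below) still need `(__force void *)` casts that disable sparse's address-space checking on precisely the pointer these variants exist to handle. Declaring them as `const void __user *src` in the `_from_user` variant and `void __user *dst` in the `_to_user` one would let the casts go away and keep the user/kernel split checkable. The assembly definitions of the two functions are not in this hunk.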
7065 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7066                                                  int *err_ptr)
7067  {
7068         might_sleep();
7069 -       return csum_partial_copy_generic((__force void *)src, dst,
7070 +       return csum_partial_copy_generic_from_user((__force void *)src, dst,
7071                                          len, sum, err_ptr, NULL);
7072  }
7073  
7074 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7075  {
7076         might_sleep();
7077         if (access_ok(VERIFY_WRITE, dst, len))
7078 -               return csum_partial_copy_generic(src, (__force void *)dst,
7079 +               return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7080                                                  len, sum, NULL, err_ptr);
7081  
7082         if (len)
7083 diff -urNp linux-3.1.1/arch/x86/include/asm/cpufeature.h linux-3.1.1/arch/x86/include/asm/cpufeature.h
7084 --- linux-3.1.1/arch/x86/include/asm/cpufeature.h       2011-11-11 15:19:27.000000000 -0500
7085 +++ linux-3.1.1/arch/x86/include/asm/cpufeature.h       2011-11-16 18:39:07.000000000 -0500
7086 @@ -358,7 +358,7 @@ static __always_inline __pure bool __sta
7087                              ".section .discard,\"aw\",@progbits\n"
7088                              " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7089                              ".previous\n"
7090 -                            ".section .altinstr_replacement,\"ax\"\n"
7091 +                            ".section .altinstr_replacement,\"a\"\n"
7092                              "3: movb $1,%0\n"
7093                              "4:\n"
7094                              ".previous\n"
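Review bot: Dropping the `x` flag from `.altinstr_replacement` here is only safe if every other inline-asm definition of that section in the same translation unit (the alternatives macros in alternative.h and friends, not in this hunk) is changed to `"a"` as well, since the assembler warns about changed section attributes when one section is declared with different flags. A comment on the line would also help the next reader: `/* replacement bytes are copied into place by the alternatives patcher and never executed here, so the section need not be executable */`.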
7095 diff -urNp linux-3.1.1/arch/x86/include/asm/desc_defs.h linux-3.1.1/arch/x86/include/asm/desc_defs.h
7096 --- linux-3.1.1/arch/x86/include/asm/desc_defs.h        2011-11-11 15:19:27.000000000 -0500
7097 +++ linux-3.1.1/arch/x86/include/asm/desc_defs.h        2011-11-16 18:39:07.000000000 -0500
7098 @@ -31,6 +31,12 @@ struct desc_struct {
7099                         unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
7100                         unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
7101                 };
7102 +               struct {
7103 +                       u16 offset_low;
7104 +                       u16 seg;
7105 +                       unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
7106 +                       unsigned offset_high: 16;
7107 +               } gate;
7108         };
7109  } __attribute__((packed));
7110  
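Review bot: The new `gate` member of the union has no comment on what it models; its two 16-bit offset halves make it the 8-byte 32-bit gate layout, which is worth stating so nobody reads it as the 16-byte 64-bit gate: `/* 32-bit interrupt/trap/task gate: 32-bit offset split across offset_low/offset_high */`. A note that `reserved` must be written as 0 (pack_gate in desc.h does so) would also keep future writers of this view consistent. The enclosing `struct desc_struct` starts outside this hunk.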
7111 diff -urNp linux-3.1.1/arch/x86/include/asm/desc.h linux-3.1.1/arch/x86/include/asm/desc.h
7112 --- linux-3.1.1/arch/x86/include/asm/desc.h     2011-11-11 15:19:27.000000000 -0500
7113 +++ linux-3.1.1/arch/x86/include/asm/desc.h     2011-11-16 18:39:07.000000000 -0500
7114 @@ -4,6 +4,7 @@
7115  #include <asm/desc_defs.h>
7116  #include <asm/ldt.h>
7117  #include <asm/mmu.h>
7118 +#include <asm/pgtable.h>
7119  
7120  #include <linux/smp.h>
7121  
7122 @@ -16,6 +17,7 @@ static inline void fill_ldt(struct desc_
7123  
7124         desc->type              = (info->read_exec_only ^ 1) << 1;
7125         desc->type             |= info->contents << 2;
7126 +       desc->type             |= info->seg_not_present ^ 1;
7127  
7128         desc->s                 = 1;
7129         desc->dpl               = 0x3;
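Review bot: `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field, the Accessed bit for code/data segments, whenever the segment is present, with no comment saying why. Presumably it is pre-set so the CPU never has to write the Accessed bit into a descriptor table that the rest of this patch makes read-only (see the pax_open_kernel() wrappers around the table writes further down); if so, say it: `/* pre-set Accessed: the LDT is write-protected, so the CPU must never need to set it */`. fill_ldt begins outside this hunk.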
7130 @@ -34,17 +36,12 @@ static inline void fill_ldt(struct desc_
7131  }
7132  
7133  extern struct desc_ptr idt_descr;
7134 -extern gate_desc idt_table[];
7135 -
7136 -struct gdt_page {
7137 -       struct desc_struct gdt[GDT_ENTRIES];
7138 -} __attribute__((aligned(PAGE_SIZE)));
7139 -
7140 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7141 +extern gate_desc idt_table[256];
7142  
7143 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7144  static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7145  {
7146 -       return per_cpu(gdt_page, cpu).gdt;
7147 +       return cpu_gdt_table[cpu];
7148  }
7149  
7150  #ifdef CONFIG_X86_64
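Review bot: `extern gate_desc idt_table[256];` hard-codes the IDT size where `IDT_ENTRIES` already exists for it, so `extern gate_desc idt_table[IDT_ENTRIES];` keeps the two in step. `cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]` reserves one page per possible CPU regardless of how many are present, replacing the per-cpu allocation that is removed here; that trade deserves a comment (presumably so the tables can live in a section that is write-protected - confirm). Every other user of `gdt_page`/`DECLARE_PER_CPU_PAGE_ALIGNED` must be updated in the same patch; none is in this hunk.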
7151 @@ -69,8 +66,14 @@ static inline void pack_gate(gate_desc *
7152                              unsigned long base, unsigned dpl, unsigned flags,
7153                              unsigned short seg)
7154  {
7155 -       gate->a = (seg << 16) | (base & 0xffff);
7156 -       gate->b = (base & 0xffff0000) | (((0x80 | type | (dpl << 5)) & 0xff) << 8);
7157 +       gate->gate.offset_low   = base;
7158 +       gate->gate.seg          = seg;
7159 +       gate->gate.reserved     = 0;
7160 +       gate->gate.type         = type;
7161 +       gate->gate.s            = 0;
7162 +       gate->gate.dpl          = dpl;
7163 +       gate->gate.p            = 1;
7164 +       gate->gate.offset_high  = base >> 16;
7165  }
7166  
7167  #endif
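Review bot: `gate->gate.offset_low = base;` and `gate->gate.offset_high = base >> 16;` rely on implicit truncation of an `unsigned long` into 16-bit fields; explicit masking documents the intent and keeps -Wconversion quiet: `gate->gate.offset_low = base & 0xffff;` / `gate->gate.offset_high = (base >> 16) & 0xffff;`. The `flags` parameter stays unused in this apparently 32-bit version of pack_gate, as it was before. pack_gate's signature starts outside this hunk.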
7168 @@ -115,12 +118,16 @@ static inline void paravirt_free_ldt(str
7169  
7170  static inline void native_write_idt_entry(gate_desc *idt, int entry, const gate_desc *gate)
7171  {
7172 +       pax_open_kernel();
7173         memcpy(&idt[entry], gate, sizeof(*gate));
7174 +       pax_close_kernel();
7175  }
7176  
7177  static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc)
7178  {
7179 +       pax_open_kernel();
7180         memcpy(&ldt[entry], desc, 8);
7181 +       pax_close_kernel();
7182  }
7183  
7184  static inline void
7185 @@ -134,7 +141,9 @@ native_write_gdt_entry(struct desc_struc
7186         default:        size = sizeof(*gdt);            break;
7187         }
7188  
7189 +       pax_open_kernel();
7190         memcpy(&gdt[entry], desc, size);
7191 +       pax_close_kernel();
7192  }
7193  
7194  static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7195 @@ -207,7 +216,9 @@ static inline void native_set_ldt(const 
7196  
7197  static inline void native_load_tr_desc(void)
7198  {
7199 +       pax_open_kernel();
7200         asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7201 +       pax_close_kernel();
7202  }
7203  
7204  static inline void native_load_gdt(const struct desc_ptr *dtr)
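Review bot: Every pax_open_kernel()/pax_close_kernel() pair added in this file (native_write_idt_entry, native_write_ldt_entry, native_write_gdt_entry, native_load_tr_desc, native_load_tls) is uncommented, and the one around `ltr` is the least obvious: `ltr` itself writes to the GDT, setting the Busy bit in the TSS descriptor, so the table must be writable for that one instruction. A comment here, `/* ltr sets the TSS descriptor's Busy bit, so the GDT must be writable */`, plus a one-line note on the first wrapper explaining that the descriptor tables are write-protected outside these pairs (assumption: confirm against pax_open_kernel's definition, which is not in this chunk), would make the pattern self-explaining. Whether preemption or interrupts are allowed between open and close is decided inside those helpers and should be stated in that note too.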
7205 @@ -244,8 +255,10 @@ static inline void native_load_tls(struc
7206         struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7207         unsigned int i;
7208  
7209 +       pax_open_kernel();
7210         for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7211                 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7212 +       pax_close_kernel();
7213  }
7214  
7215  #define _LDT_empty(info)                               \
7216 @@ -307,7 +320,7 @@ static inline void set_desc_limit(struct
7217         desc->limit = (limit >> 16) & 0xf;
7218  }
7219  
7220 -static inline void _set_gate(int gate, unsigned type, void *addr,
7221 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7222                              unsigned dpl, unsigned ist, unsigned seg)
7223  {
7224         gate_desc s;
7225 @@ -326,7 +339,7 @@ static inline void _set_gate(int gate, u
7226   * Pentium F0 0F bugfix can have resulted in the mapped
7227   * IDT being write-protected.
7228   */
7229 -static inline void set_intr_gate(unsigned int n, void *addr)
7230 +static inline void set_intr_gate(unsigned int n, const void *addr)
7231  {
7232         BUG_ON((unsigned)n > 0xFF);
7233         _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7234 @@ -356,19 +369,19 @@ static inline void alloc_intr_gate(unsig
7235  /*
7236   * This routine sets up an interrupt gate at directory privilege level 3.
7237   */
7238 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7239 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7240  {
7241         BUG_ON((unsigned)n > 0xFF);
7242         _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7243  }
7244  
7245 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7246 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7247  {
7248         BUG_ON((unsigned)n > 0xFF);
7249         _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7250  }
7251  
7252 -static inline void set_trap_gate(unsigned int n, void *addr)
7253 +static inline void set_trap_gate(unsigned int n, const void *addr)
7254  {
7255         BUG_ON((unsigned)n > 0xFF);
7256         _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7257 @@ -377,19 +390,31 @@ static inline void set_trap_gate(unsigne
7258  static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7259  {
7260         BUG_ON((unsigned)n > 0xFF);
7261 -       _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7262 +       _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7263  }
7264  
7265 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7266 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7267  {
7268         BUG_ON((unsigned)n > 0xFF);
7269         _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7270  }
7271  
7272 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7273 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7274  {
7275         BUG_ON((unsigned)n > 0xFF);
7276         _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7277  }
7278  
7279 +#ifdef CONFIG_X86_32
7280 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7281 +{
7282 +       struct desc_struct d;
7283 +
7284 +       if (likely(limit))
7285 +               limit = (limit - 1UL) >> PAGE_SHIFT;
7286 +       pack_descriptor(&d, base, limit, 0xFB, 0xC);
7287 +       write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7288 +}
7289 +#endif
7290 +
7291  #endif /* _ASM_X86_DESC_H */
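Review bot: `pack_descriptor(&d, base, limit, 0xFB, 0xC)` encodes the descriptor in two magic numbers; spell them out, `/* 0xFB: present, DPL 3, code, readable, accessed; 0xC: 4K granularity, 32-bit */`, or use named constants if the kernel already has them for these values. `limit` is converted from a byte length to a page-granular limit only when non-zero, and the function's purpose (reprogramming the per-cpu default user code segment, presumably for SEGMEXEC) is undocumented; a kernel-doc block stating what `base`/`limit` mean, that `limit` is in bytes, and who calls it would make the helper reviewable.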
7292 diff -urNp linux-3.1.1/arch/x86/include/asm/e820.h linux-3.1.1/arch/x86/include/asm/e820.h
7293 --- linux-3.1.1/arch/x86/include/asm/e820.h     2011-11-11 15:19:27.000000000 -0500
7294 +++ linux-3.1.1/arch/x86/include/asm/e820.h     2011-11-16 18:39:07.000000000 -0500
7295 @@ -69,7 +69,7 @@ struct e820map {
7296  #define ISA_START_ADDRESS      0xa0000
7297  #define ISA_END_ADDRESS                0x100000
7298  
7299 -#define BIOS_BEGIN             0x000a0000
7300 +#define BIOS_BEGIN             0x000c0000
7301  #define BIOS_END               0x00100000
7302  
7303  #define BIOS_ROM_BASE          0xffe00000
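Review bot: Changing `BIOS_BEGIN` from 0xa0000 to 0xc0000 silently drops the 0xa0000-0xbffff VGA/legacy range from whatever its callers use it for, while `ISA_START_ADDRESS` a few lines above still says 0xa0000, so the two constants now disagree on where the legacy region starts and nothing records why. Add a comment stating the intent, e.g. `/* BIOS_BEGIN covers only the option-ROM/BIOS area; 0xa0000-0xbffff is handled via ISA_START_ADDRESS */` (assumption: confirm against the users of BIOS_BEGIN, none of which are in this hunk).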
7304 diff -urNp linux-3.1.1/arch/x86/include/asm/elf.h linux-3.1.1/arch/x86/include/asm/elf.h
7305 --- linux-3.1.1/arch/x86/include/asm/elf.h      2011-11-11 15:19:27.000000000 -0500
7306 +++ linux-3.1.1/arch/x86/include/asm/elf.h      2011-11-16 18:39:07.000000000 -0500
7307 @@ -237,7 +237,25 @@ extern int force_personality32;
7308     the loader.  We need to make sure that it is out of the way of the program
7309     that it will "exec", and that there is sufficient room for the brk.  */
7310  
7311 +#ifdef CONFIG_PAX_SEGMEXEC
7312 +#define ELF_ET_DYN_BASE                ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7313 +#else
7314  #define ELF_ET_DYN_BASE                (TASK_SIZE / 3 * 2)
7315 +#endif
7316 +
7317 +#ifdef CONFIG_PAX_ASLR
7318 +#ifdef CONFIG_X86_32
7319 +#define PAX_ELF_ET_DYN_BASE    0x10000000UL
7320 +
7321 +#define PAX_DELTA_MMAP_LEN     (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7322 +#define PAX_DELTA_STACK_LEN    (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7323 +#else
7324 +#define PAX_ELF_ET_DYN_BASE    0x400000UL
7325 +
7326 +#define PAX_DELTA_MMAP_LEN     ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7327 +#define PAX_DELTA_STACK_LEN    ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7328 +#endif
7329 +#endif
7330  
7331  /* This yields a mask that user programs can use to figure out what
7332     instruction set this CPU supports.  This could be done in user space,
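Review bot: The new `PAX_DELTA_MMAP_LEN`/`PAX_DELTA_STACK_LEN` values (15/16, or `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3`) and `PAX_ELF_ET_DYN_BASE` come with no comment on their unit or derivation, and the Alpha version of the same macros earlier in this patch uses different constants, so a reader cannot check one against the other. A header comment such as `/* number of randomised page-number bits for the mmap/stack bases (assumption: confirm against the consumer in mm/) */` and a line on why the 64-bit case subtracts 3 would make the values reviewable. The SEGMEXEC form of `ELF_ET_DYN_BASE` now reads `current->mm->pax_flags`, so it is no longer usable where `current->mm` may be NULL; worth a note if any such user exists.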
7333 @@ -290,9 +308,7 @@ do {                                                                        \
7334  
7335  #define ARCH_DLINFO                                                    \
7336  do {                                                                   \
7337 -       if (vdso_enabled)                                               \
7338 -               NEW_AUX_ENT(AT_SYSINFO_EHDR,                            \
7339 -                           (unsigned long)current->mm->context.vdso);  \
7340 +       NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);        \
7341  } while (0)
7342  
7343  #define AT_SYSINFO             32
7344 @@ -303,7 +319,7 @@ do {                                                                        \
7345  
7346  #endif /* !CONFIG_X86_32 */
7347  
7348 -#define VDSO_CURRENT_BASE      ((unsigned long)current->mm->context.vdso)
7349 +#define VDSO_CURRENT_BASE      (current->mm->context.vdso)
7350  
7351  #define VDSO_ENTRY                                                     \
7352         ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7353 @@ -317,7 +333,4 @@ extern int arch_setup_additional_pages(s
7354  extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7355  #define compat_arch_setup_additional_pages     syscall32_setup_pages
7356  
7357 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7358 -#define arch_randomize_brk arch_randomize_brk
7359 -
7360  #endif /* _ASM_X86_ELF_H */
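Review bot: The removal of the arch_randomize_brk declaration and its `#define arch_randomize_brk arch_randomize_brk` is unconditional, so a build without CONFIG_PAX_ASLR no longer offers the generic ELF loader an arch brk randomizer at all; if the intent is that PaX now owns brk randomization, the removal should be guarded by `#ifndef CONFIG_PAX_ASLR`, or the commit message should state that non-PaX configurations lose it. In the ARCH_DLINFO hunk above, dropping `if (vdso_enabled)` means AT_SYSINFO_EHDR is emitted even when the vdso is disabled; if context.vdso is still 0 in that case, userspace now receives an auxv entry with a null address instead of no entry, which is a behaviour change the hunk does not explain.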
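--- a/arch/x86/include/asm/emergency-restart.h
+++ b/arch/x86/include/asm/emergency-restart.h
@@ -15,6 +15,6 @@ enum reboot_type {
 
 extern enum reboot_type reboot_type;
 
-extern void machine_emergency_restart(void);
+extern void machine_emergency_restart(void) __noreturn;
 
 #endif /* _ASM_X86_EMERGENCY_RESTART_H */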
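--- a/arch/x86/include/asm/futex.h
+++ b/arch/x86/include/asm/futex.h
@@ -12,16 +12,18 @@
 #include <asm/system.h>
 
 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg)    \
+       typecheck(u32 __user *, uaddr);                         \
        asm volatile("1:\t" insn "\n"                           \
                     "2:\t.section .fixup,\"ax\"\n"             \
                     "3:\tmov\t%3, %1\n"                        \
                     "\tjmp\t2b\n"                              \
                     "\t.previous\n"                            \
                     _ASM_EXTABLE(1b, 3b)                       \
-                    : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
+                    : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr))\
                     : "i" (-EFAULT), "0" (oparg), "1" (0))
 
 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg)    \
+       typecheck(u32 __user *, uaddr);                         \
        asm volatile("1:\tmovl  %2, %0\n"                       \
                     "\tmovl\t%0, %3\n"                         \
                     "\t" insn "\n"                             \
@@ -34,7 +36,7 @@
                     _ASM_EXTABLE(1b, 4b)                       \
                     _ASM_EXTABLE(2b, 4b)                       \
                     : "=&a" (oldval), "=&r" (ret),             \
-                      "+m" (*uaddr), "=&r" (tem)               \
+                      "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem)  \
                     : "r" (oparg), "i" (-EFAULT), "1" (0))
 
 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
@@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
 
        switch (op) {
        case FUTEX_OP_SET:
-               __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
+               __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
                break;
        case FUTEX_OP_ADD:
-               __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
+               __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
                                   uaddr, oparg);
                break;
        case FUTEX_OP_OR:
@@ -123,13 +125,13 @@ static inline int futex_atomic_cmpxchg_i
        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
                return -EFAULT;
 
-       asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
+       asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
                     "2:\t.section .fixup, \"ax\"\n"
                     "3:\tmov     %3, %0\n"
                     "\tjmp     2b\n"
                     "\t.previous\n"
                     _ASM_EXTABLE(1b, 3b)
-                    : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
+                    : "+r" (ret), "=a" (oldval), "+m" (*(u32 __user *)____m(uaddr))
                     : "i" (-EFAULT), "r" (newval), "1" (oldval)
                     : "memory"
        );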
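Review bot: `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements (the added `typecheck(u32 __user *, uaddr);` followed by the `asm volatile`), so a call site that uses either macro as the body of an unbraced `if` or `else` would run only the typecheck under the condition and the asm unconditionally. The visible callers in futex_atomic_op_inuser sit inside `switch` cases and are safe, but wrapping each expansion in `do { ... } while (0)` would make the macros hygienic for future callers. The replacement of `*uaddr` by `*(u32 __user *)____m(uaddr)` in the memory operand is not explained anywhere in the three hunks; a one-line comment on the first occurrence stating what `____m()` does to the pointer would help readers who do not know the PaX helper. futex_atomic_op_inuser and futex_atomic_cmpxchg_inatomic both extend beyond the hunks shown.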
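--- a/arch/x86/include/asm/hw_irq.h
+++ b/arch/x86/include/asm/hw_irq.h
@@ -136,8 +136,8 @@ extern void setup_ioapic_dest(void);
 extern void enable_IO_APIC(void);
 
 /* Statistics */
-extern atomic_t irq_err_count;
-extern atomic_t irq_mis_count;
+extern atomic_unchecked_t irq_err_count;
+extern atomic_unchecked_t irq_mis_count;
 
 /* EISA */
 extern void eisa_set_level_irq(unsigned int irq);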
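--- a/arch/x86/include/asm/i387.h
+++ b/arch/x86/include/asm/i387.h
@@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
 {
        int err;
 
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+       if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
+               fx = (struct i387_fxsave_struct __user *)((void *)fx + PAX_USER_SHADOW_BASE);
+#endif
+
        /* See comment in fxsave() below. */
 #ifdef CONFIG_AS_FXSAVEQ
        asm volatile("1:  fxrstorq %[fx]\n\t"
@@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
 {
        int err;
 
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+       if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
+               fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
+#endif
+
        /*
         * Clear the bytes not touched by the fxsave and reserved
         * for the SW usage.
@@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
 #endif /* CONFIG_X86_64 */
 
 /* We need a safe address that is cheap to find and that is already
-   in L1 during context switch. The best choices are unfortunately
-   different for UP and SMP */
-#ifdef CONFIG_SMP
-#define safe_address (__per_cpu_offset[0])
-#else
-#define safe_address (kstat_cpu(0).cpustat.user)
-#endif
+   in L1 during context switch. */
+#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
 
 /*
  * These must be called with preempt disabled
@@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
        struct thread_info *me = current_thread_info();
        preempt_disable();
        if (me->status & TS_USEDFPU)
-               __save_init_fpu(me->task);
+               __save_init_fpu(current);
        else
                clts();
 }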
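Review bot: The pointer rebasing added to fxrstor_checking in the first hunk casts through `(void *)fx`, while the otherwise identical block added to fxsave_user in the second hunk casts through `(void __user *)fx`; the first form drops the `__user` address space in the intermediate step and will trip sparse's address-space check, so both should read `fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);`. Neither block carries a comment; one line at the first occurrence — `/* UDEREF: a user pointer below PAX_USER_SHADOW_BASE is offset into the shadow range before the fx* instruction dereferences it */` — would spare the reader from inferring it from the arithmetic. Both enclosing functions continue outside their hunks.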
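--- a/arch/x86/include/asm/io.h
+++ b/arch/x86/include/asm/io.h
@@ -194,6 +194,17 @@ extern void set_iounmap_nonlazy(void);
 
 #include <linux/vmalloc.h>
 
+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
+{
+       return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
+}
+
+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
+{
+       return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
+}
+
 /*
  * Convert a virtual cached pointer to an uncached pointer
  */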
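Review bot: valid_phys_addr_range computes `addr + count + PAGE_SIZE - 1` with no overflow check, so an addr near the top of the unsigned long range combined with a large count wraps to a small value and passes the `<` comparison that is meant to reject it; since ARCH_HAS_VALID_PHYS_ADDR_RANGE makes this the range check presumably consulted for physical-memory accesses, the wrap should be rejected up front: `if (addr > ULONG_MAX - (PAGE_SIZE - 1) || count > ULONG_MAX - (PAGE_SIZE - 1) - addr) return 0;`. valid_mmap_phys_addr_range has the same additive shape with `pfn + (count >> PAGE_SHIFT)` and rounds a non-page-multiple count down rather than up, the opposite of the first function; if callers always pass page-aligned counts that is fine, but a comment saying so would mark the asymmetry as deliberate.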
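--- a/arch/x86/include/asm/irqflags.h
+++ b/arch/x86/include/asm/irqflags.h
@@ -141,6 +141,11 @@ static inline notrace unsigned long arch
        sti;                                    \
        sysexit
 
+#define GET_CR0_INTO_RDI               mov %cr0, %rdi
+#define SET_RDI_INTO_CR0               mov %rdi, %cr0
+#define GET_CR3_INTO_RDI               mov %cr3, %rdi
+#define SET_RDI_INTO_CR3               mov %rdi, %cr3
+
 #else
 #define INTERRUPT_RETURN               iret
 #define ENABLE_INTERRUPTS_SYSEXIT      sti; sysexit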
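--- a/arch/x86/include/asm/kprobes.h
+++ b/arch/x86/include/asm/kprobes.h
@@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
 #define RELATIVEJUMP_SIZE 5
 #define RELATIVECALL_OPCODE 0xe8
 #define RELATIVE_ADDR_SIZE 4
-#define MAX_STACK_SIZE 64
-#define MIN_STACK_SIZE(ADDR)                                          \
-       (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
-                             THREAD_SIZE - (unsigned long)(ADDR)))    \
-        ? (MAX_STACK_SIZE)                                            \
-        : (((unsigned long)current_thread_info()) +                   \
-           THREAD_SIZE - (unsigned long)(ADDR)))
+#define MAX_STACK_SIZE 64UL
+#define MIN_STACK_SIZE(ADDR)   min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
 
 #define flush_insn_slot(p)     do { } while (0)
 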
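--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -456,7 +456,7 @@ struct kvm_arch {
        unsigned int n_requested_mmu_pages;
        unsigned int n_max_mmu_pages;
        unsigned int indirect_shadow_pages;
-       atomic_t invlpg_counter;
+       atomic_unchecked_t invlpg_counter;
        struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
        /*
         * Hash table of struct kvm_mmu_page.
@@ -636,7 +636,7 @@ struct kvm_x86_ops {
                               enum x86_intercept_stage stage);
 
        const struct trace_print_flags *exit_reasons_str;
-};
+} __do_const;
 
 struct kvm_arch_async_pf {
        u32 token;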
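--- a/arch/x86/include/asm/local.h
+++ b/arch/x86/include/asm/local.h
@@ -18,26 +18,58 @@ typedef struct {
 
 static inline void local_inc(local_t *l)
 {
-       asm volatile(_ASM_INC "%0"
+       asm volatile(_ASM_INC "%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+                    "jno 0f\n"
+                    _ASM_DEC "%0\n"
+                    "int $4\n0:\n"
+                    _ASM_EXTABLE(0b, 0b)
+#endif
+
                     : "+m" (l->a.counter));
 }
 
 static inline void local_dec(local_t *l)
 {
-       asm volatile(_ASM_DEC "%0"
+       asm volatile(_ASM_DEC "%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+                    "jno 0f\n"
+                    _ASM_INC "%0\n"
+                    "int $4\n0:\n"
+                    _ASM_EXTABLE(0b, 0b)
+#endif
+
                     : "+m" (l->a.counter));
 }
 
 static inline void local_add(long i, local_t *l)
 {
-       asm volatile(_ASM_ADD "%1,%0"
+       asm volatile(_ASM_ADD "%1,%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+                    "jno 0f\n"
+                    _ASM_SUB "%1,%0\n"
+                    "int $4\n0:\n"
+                    _ASM_EXTABLE(0b, 0b)
+#endif
+
                     : "+m" (l->a.counter)
                     : "ir" (i));
 }
 
 static inline void local_sub(long i, local_t *l)
 {
-       asm volatile(_ASM_SUB "%1,%0"
+       asm volatile(_ASM_SUB "%1,%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+                    "jno 0f\n"
+                    _ASM_ADD "%1,%0\n"
+                    "int $4\n0:\n"
+                    _ASM_EXTABLE(0b, 0b)
+#endif
+
                     : "+m" (l->a.counter)
                     : "ir" (i));
 }
@@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
 {
        unsigned char c;
 
-       asm volatile(_ASM_SUB "%2,%0; sete %1"
+       asm volatile(_ASM_SUB "%2,%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+                    "jno 0f\n"
+                    _ASM_ADD "%2,%0\n"
+                    "int $4\n0:\n"
+                    _ASM_EXTABLE(0b, 0b)
+#endif
+
+                    "sete %1\n"
                     : "+m" (l->a.counter), "=qm" (c)
                     : "ir" (i) : "memory");
        return c;
@@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
 {
        unsigned char c;
 
-       asm volatile(_ASM_DEC "%0; sete %1"
+       asm volatile(_ASM_DEC "%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+                    "jno 0f\n"
+                    _ASM_INC "%0\n"
+                    "int $4\n0:\n"
+                    _ASM_EXTABLE(0b, 0b)
+#endif
+
+                    "sete %1\n"
                     : "+m" (l->a.counter), "=qm" (c)
                     : : "memory");
        return c != 0;
@@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
 {
        unsigned char c;
 
-       asm volatile(_ASM_INC "%0; sete %1"
+       asm volatile(_ASM_INC "%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+                    "jno 0f\n"
+                    _ASM_DEC "%0\n"
+                    "int $4\n0:\n"
+                    _ASM_EXTABLE(0b, 0b)
+#endif
+
+                    "sete %1\n"
                     : "+m" (l->a.counter), "=qm" (c)
                     : : "memory");
        return c != 0;
@@ -110,7 +169,16 @@ static inline int local_add_negative(lon
 {
        unsigned char c;
 
-       asm volatile(_ASM_ADD "%2,%0; sets %1"
+       asm volatile(_ASM_ADD "%2,%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+                    "jno 0f\n"
+                    _ASM_SUB "%2,%0\n"
+                    "int $4\n0:\n"
+                    _ASM_EXTABLE(0b, 0b)
+#endif
+
+                    "sets %1\n"
                     : "+m" (l->a.counter), "=qm" (c)
                     : "ir" (i) : "memory");
        return c;
@@ -133,7 +201,15 @@ static inline long local_add_return(long
 #endif
        /* Modern 486+ processor */
        __i = i;
-       asm volatile(_ASM_XADD "%0, %1;"
+       asm volatile(_ASM_XADD "%0, %1\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+                    "jno 0f\n"
+                    _ASM_MOV "%0,%1\n"
+                    "int $4\n0:\n"
+                    _ASM_EXTABLE(0b, 0b)
+#endif
+
                     : "+r" (i), "+m" (l->a.counter)
                     : : "memory");
        return i + __i;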
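Review bot: The `jno 0f` / undo / `int $4` / `_ASM_EXTABLE(0b, 0b)` sequence added to local_inc, local_dec, local_add and local_sub in the first hunk, and again in the five hunks that follow, carries no comment explaining what it does, and the same four lines are copied nine times with only the undo instruction varying. A comment at the first occurrence — `/* PAX_REFCOUNT: if the arithmetic overflowed, undo it and raise the overflow trap (int $4); the extable entry at label 0 marks the trap site for the handler */` — would let readers stop reverse-engineering the pattern, with the handler side hedged since it is not visible here. Pulling the sequence into a helper macro parameterised on the undo instruction would keep the nine copies from drifting; local_add_return already deviates by restoring via `_ASM_MOV "%0,%1"` rather than an inverse arithmetic op, which deserves its own one-line comment. local_add_return's body starts before the hunk.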
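--- a/arch/x86/include/asm/mman.h
+++ b/arch/x86/include/asm/mman.h
@@ -5,4 +5,14 @@
 
 #include <asm-generic/mman.h>
 
+#ifdef __KERNEL__
+#ifndef __ASSEMBLY__
+#ifdef CONFIG_X86_32
+#define arch_mmap_check        i386_mmap_check
+int i386_mmap_check(unsigned long addr, unsigned long len,
+               unsigned long flags);
+#endif
+#endif
+#endif
+
 #endif /* _ASM_X86_MMAN_H */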
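--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *m
 
 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
 {
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+       unsigned int i;
+       pgd_t *pgd;
+
+       pax_open_kernel();
+       pgd = get_cpu_pgd(smp_processor_id());
+       for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
+               set_pgd_batched(pgd+i, native_make_pgd(0));
+       pax_close_kernel();
+#endif
+
 #ifdef CONFIG_SMP
        if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
                percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
@@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_s
                             struct task_struct *tsk)
 {
        unsigned cpu = smp_processor_id();
+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
+       int tlbstate = TLBSTATE_OK;
+#endif
 
        if (likely(prev != next)) {
 #ifdef CONFIG_SMP
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
+               tlbstate = percpu_read(cpu_tlbstate.state);
+#endif
                percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
                percpu_write(cpu_tlbstate.active_mm, next);
 #endif
                cpumask_set_cpu(cpu, mm_cpumask(next));
 
                /* Re-load page tables */
+#ifdef CONFIG_PAX_PER_CPU_PGD
+               pax_open_kernel();
+               __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
+               __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
+               pax_close_kernel();
+               load_cr3(get_cpu_pgd(cpu));
+#else
                load_cr3(next->pgd);
+#endif
 
                /* stop flush ipis for the previous mm */
                cpumask_clear_cpu(cpu, mm_cpumask(prev));
@@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_s
                 */
                if (unlikely(prev->context.ldt != next->context.ldt))
                        load_LDT_nolock(&next->context);
-       }
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
+               if (!(__supported_pte_mask & _PAGE_NX)) {
+                       smp_mb__before_clear_bit();
+                       cpu_clear(cpu, prev->context.cpu_user_cs_mask);
+                       smp_mb__after_clear_bit();
+                       cpu_set(cpu, next->context.cpu_user_cs_mask);
+               }
+#endif
+
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
+               if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
+                            prev->context.user_cs_limit != next->context.user_cs_limit))
+                       set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
 #ifdef CONFIG_SMP
+               else if (unlikely(tlbstate != TLBSTATE_OK))
+                       set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
+#endif
+#endif
+
+       }
        else {
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+               pax_open_kernel();
+               __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
+               __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
+               pax_close_kernel();
+               load_cr3(get_cpu_pgd(cpu));
+#endif
+
+#ifdef CONFIG_SMP
                percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
                BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
 
@@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_s
                         * tlb flush IPI delivery. We must reload CR3
                         * to make sure to use no freed page tables.
                         */
+
+#ifndef CONFIG_PAX_PER_CPU_PGD
                        load_cr3(next->pgd);
+#endif
+
                        load_LDT_nolock(&next->context);
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
+                       if (!(__supported_pte_mask & _PAGE_NX))
+                               cpu_set(cpu, next->context.cpu_user_cs_mask);
+#endif
+
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
+#ifdef CONFIG_PAX_PAGEEXEC
+                       if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
+#endif
+                               set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
+#endif
+
                }
-       }
 #endif
+       }
 }
 
 #define activate_mm(prev, next)                        \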
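Review bot: The CONFIG_PAX_PER_CPU_PGD sequence (pax_open_kernel, __clone_user_pgds, __shadow_user_pgds, pax_close_kernel, load_cr3(get_cpu_pgd(cpu))) is written out verbatim in the `prev != next` branch of the second hunk and again in the `else` branch of the third; a small static inline helper would keep the two copies in step and would be the natural place to document the clone/shadow layout of the per-cpu pgd. In the `else` branch that sequence now runs on every switch_mm with prev == next, so a cr3 write happens there unconditionally where the original only reloaded under the lazy-TLB condition; if that cost is intended, a comment saying why the per-cpu pgd must be refreshed even when the mm is unchanged would help. The enter_lazy_tlb hunk above likewise zeroes pgd entries USER_PGD_PTRS..2*USER_PGD_PTRS with no comment stating what that range holds or why lazy-TLB mode must clear it. switch_mm's signature starts before the second hunk.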
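--- a/arch/x86/include/asm/mmu.h
+++ b/arch/x86/include/asm/mmu.h
@@ -9,7 +9,7 @@
  * we put the segment information here.
  */
 typedef struct {
-       void *ldt;
+       struct desc_struct *ldt;
        int size;
 
 #ifdef CONFIG_X86_64
@@ -18,7 +18,19 @@ typedef struct {
 #endif
 
        struct mutex lock;
-       void *vdso;
+       unsigned long vdso;
+
+#ifdef CONFIG_X86_32
+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
+       unsigned long user_cs_base;
+       unsigned long user_cs_limit;
+
+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
+       cpumask_t cpu_user_cs_mask;
+#endif
+
+#endif
+#endif
 } mm_context_t;
 
 #ifdef CONFIG_SMP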
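--- a/arch/x86/include/asm/module.h
+++ b/arch/x86/include/asm/module.h
@@ -5,6 +5,7 @@
 
 #ifdef CONFIG_X86_64
 /* X86_64 does not define MODULE_PROC_FAMILY */
+#define MODULE_PROC_FAMILY ""
 #elif defined CONFIG_M386
 #define MODULE_PROC_FAMILY "386 "
 #elif defined CONFIG_M486
@@ -59,8 +60,18 @@
 #error unknown processor family
 #endif
 
-#ifdef CONFIG_X86_32
-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
+#ifdef CONFIG_PAX_KERNEXEC
+#define MODULE_PAX_KERNEXEC "KERNEXEC "
+#else
+#define MODULE_PAX_KERNEXEC ""
 #endif
 
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+#define MODULE_PAX_UDEREF "UDEREF "
+#else
+#define MODULE_PAX_UDEREF ""
+#endif
+
+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
+
 #endif /* _ASM_X86_MODULE_H */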
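--- a/arch/x86/include/asm/page_64_types.h
+++ b/arch/x86/include/asm/page_64_types.h
@@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
 
 /* duplicated to the one in bootmem.h */
 extern unsigned long max_pfn;
-extern unsigned long phys_base;
+extern const unsigned long phys_base;
 
 extern unsigned long __phys_addr(unsigned long);
 #define __phys_reloc_hide(x)   (x)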
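--- a/arch/x86/include/asm/paravirt.h
+++ b/arch/x86/include/asm/paravirt.h
@@ -667,6 +667,18 @@ static inline void set_pgd(pgd_t *pgdp, 
                            val);
 }
 
+static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
+{
+       pgdval_t val = native_pgd_val(pgd);
+
+       if (sizeof(pgdval_t) > sizeof(long))
+               PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
+                           val, (u64)val >> 32);
+       else
+               PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
+                           val);
+}
+
 static inline void pgd_clear(pgd_t *pgdp)
 {
        set_pgd(pgdp, __pgd(0));
@@ -748,6 +760,21 @@ static inline void __set_fixmap(unsigned
        pv_mmu_ops.set_fixmap(idx, phys, flags);
 }
 
+#ifdef CONFIG_PAX_KERNEXEC
+static inline unsigned long pax_open_kernel(void)
+{
+       return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
+}
+
+static inline unsigned long pax_close_kernel(void)
+{
+       return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
+}
+#else
+static inline unsigned long pax_open_kernel(void) { return 0; }
+static inline unsigned long pax_close_kernel(void) { return 0; }
+#endif
+
 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
 
 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
@@ -964,7 +991,7 @@ extern void default_banner(void);
 
 #define PARA_PATCH(struct, off)        ((PARAVIRT_PATCH_##struct + (off)) / 4)
 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
-#define PARA_INDIRECT(addr)    *%cs:addr
+#define PARA_INDIRECT(addr)    *%ss:addr
 #endif
 
 #define INTERRUPT_RETURN                                               \
@@ -1041,6 +1068,21 @@ extern void default_banner(void);
        PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit),    \
                  CLBR_NONE,                                            \
                  jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
+
+#define GET_CR0_INTO_RDI                               \
+       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
+       mov %rax,%rdi
+
+#define SET_RDI_INTO_CR0                               \
+       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
+
+#define GET_CR3_INTO_RDI                               \
+       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
+       mov %rax,%rdi
+
+#define SET_RDI_INTO_CR3                               \
+       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
+
 #endif /* CONFIG_X86_32 */
 
 #endif /* __ASSEMBLY__ */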
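Review bot: The paravirt GET_CR0_INTO_RDI and GET_CR3_INTO_RDI macros in the last hunk expand to a `call` followed by `mov %rax,%rdi`, so unlike the native `mov %cr0, %rdi` forms added to irqflags.h they clobber %rax, and the paravirt callee may clobber more; an assembly caller that keeps a live value in %rax across the macro would be broken silently. The clobber set belongs in a comment above the block, e.g. `/* paravirt variants: clobber %rax (callee return value) in addition to %rdi; no PARA_SITE clobber annotation, so treat caller-saved registers as unsafe across the call */`, with the second half hedged since the callee's register use is not visible here. The `%cs` to `%ss` change of PARA_INDIRECT in the hunk above is also unexplained; one line stating why the override segment changes would help the next reader.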
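--- a/arch/x86/include/asm/paravirt_types.h
+++ b/arch/x86/include/asm/paravirt_types.h
@@ -84,20 +84,20 @@ struct pv_init_ops {
         */
        unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
                          unsigned long addr, unsigned len);
-};
+} __no_const;
 
 
 struct pv_lazy_ops {
        /* Set deferred update mode, used for batching operations. */
        void (*enter)(void);
        void (*leave)(void);
-};
+} __no_const;
 
 struct pv_time_ops {
        unsigned long long (*sched_clock)(void);
        unsigned long long (*steal_clock)(int cpu);
        unsigned long (*get_tsc_khz)(void);
-};
+} __no_const;
 
 struct pv_cpu_ops {
        /* hooks for various privileged instructions */
@@ -193,7 +193,7 @@ struct pv_cpu_ops {
 
        void (*start_context_switch)(struct task_struct *prev);
        void (*end_context_switch)(struct task_struct *next);
-};
+} __no_const;
 
 struct pv_irq_ops {
        /*
@@ -224,7 +224,7 @@ struct pv_apic_ops {
                                 unsigned long start_eip,
                                 unsigned long start_esp);
 #endif
-};
+} __no_const;
 
 struct pv_mmu_ops {
        unsigned long (*read_cr2)(void);
@@ -313,6 +313,7 @@ struct pv_mmu_ops {
        struct paravirt_callee_save make_pud;
 
        void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
+       void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
 #endif /* PAGETABLE_LEVELS == 4 */
 #endif /* PAGETABLE_LEVELS >= 3 */
 
@@ -324,6 +325,12 @@ struct pv_mmu_ops {
           an mfn.  We can tell which is which from the index. */
        void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
                           phys_addr_t phys, pgprot_t flags);
+
+#ifdef CONFIG_PAX_KERNEXEC
+       unsigned long (*pax_open_kernel)(void);
+       unsigned long (*pax_close_kernel)(void);
+#endif
+
 };
 
 struct arch_spinlock;
@@ -334,7 +341,7 @@ struct pv_lock_ops {
        void (*spin_lock_flags)(struct arch_spinlock *lock, unsigned long flags);
        int (*spin_trylock)(struct arch_spinlock *lock);
        void (*spin_unlock)(struct arch_spinlock *lock);
-};
+} __no_const;
 
 /* This contains all the paravirt structures: we get a convenient
  * number for each function using the offset which we use to indicate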
8098 diff -urNp linux-3.1.1/arch/x86/include/asm/pgalloc.h linux-3.1.1/arch/x86/include/asm/pgalloc.h
8099 --- linux-3.1.1/arch/x86/include/asm/pgalloc.h  2011-11-11 15:19:27.000000000 -0500
8100 +++ linux-3.1.1/arch/x86/include/asm/pgalloc.h  2011-11-16 18:39:07.000000000 -0500
8101 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8102                                        pmd_t *pmd, pte_t *pte)
8103  {
8104         paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8105 +       set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8106 +}
8107 +
8108 +static inline void pmd_populate_user(struct mm_struct *mm,
8109 +                                      pmd_t *pmd, pte_t *pte)
8110 +{
8111 +       paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8112         set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8113  }
8114  
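Review bot: pmd_populate_user duplicates pmd_populate_kernel except for the table flags, and neither function says why kernel PMDs now lose _PAGE_USER (before this change pmd_populate_kernel used _PAGE_TABLE for everything). A comment above the pair, e.g. `/* kernel page tables are linked with _KERNPG_TABLE (no _PAGE_USER) so upper-level entries never grant user access to kernel-only tables; user tables keep _PAGE_TABLE */`, documents the intent. Any caller outside this header that still uses pmd_populate_kernel for a user address space would now produce a table user space cannot reach, which is worth checking. pmd_populate_kernel's signature starts above the hunk.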
8115 diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable-2level.h linux-3.1.1/arch/x86/include/asm/pgtable-2level.h
8116 --- linux-3.1.1/arch/x86/include/asm/pgtable-2level.h   2011-11-11 15:19:27.000000000 -0500
8117 +++ linux-3.1.1/arch/x86/include/asm/pgtable-2level.h   2011-11-16 18:39:07.000000000 -0500
8118 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t 
8119  
8120  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8121  {
8122 +       pax_open_kernel();
8123         *pmdp = pmd;
8124 +       pax_close_kernel();
8125  }
8126  
8127  static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
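Review bot: Wrapping the store in pax_open_kernel()/pax_close_kernel() turns every native_set_pmd call into a preempt-disabled CR0 round-trip under CONFIG_PAX_KERNEXEC (two write_cr0 per store, per native_pax_open_kernel in pgtable.h), and because native_pax_open_kernel BUG_ONs when WP is already clear, none of these helpers may be called from inside an already-open region; that contract is not written anywhere in the hunk. The same pattern is added to pgtable-3level.h native_set_pmd/native_set_pud, pgtable_64.h native_set_pmd/native_set_pgd, pgtable_32.h kpte_clear_flush and pgtable.h clone_pgd_range. One comment at this first site, `/* KERNEXEC: page-table memory is written only between pax_open_kernel() and pax_close_kernel(); the pair does not nest */`, would cover the family. Whether an interrupt or NMI taken inside the window runs with WP clear is decided by entry code outside this chunk.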
8128 diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable_32.h linux-3.1.1/arch/x86/include/asm/pgtable_32.h
8129 --- linux-3.1.1/arch/x86/include/asm/pgtable_32.h       2011-11-11 15:19:27.000000000 -0500
8130 +++ linux-3.1.1/arch/x86/include/asm/pgtable_32.h       2011-11-16 18:39:07.000000000 -0500
8131 @@ -25,9 +25,6 @@
8132  struct mm_struct;
8133  struct vm_area_struct;
8134  
8135 -extern pgd_t swapper_pg_dir[1024];
8136 -extern pgd_t initial_page_table[1024];
8137 -
8138  static inline void pgtable_cache_init(void) { }
8139  static inline void check_pgt_cache(void) { }
8140  void paging_init(void);
8141 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8142  # include <asm/pgtable-2level.h>
8143  #endif
8144  
8145 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8146 +extern pgd_t initial_page_table[PTRS_PER_PGD];
8147 +#ifdef CONFIG_X86_PAE
8148 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8149 +#endif
8150 +
8151  #if defined(CONFIG_HIGHPTE)
8152  #define pte_offset_map(dir, address)                                   \
8153         ((pte_t *)kmap_atomic(pmd_page(*(dir))) +               \
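Review bot: The swapper_pg_dir/initial_page_table externs move from above to below the pgtable-2level/3level include and switch from a literal 1024 to PTRS_PER_PGD, but nothing says why the move is needed; presumably the new position guarantees the PTRS_PER_* macros are visible, and a comment `/* declared after the level headers so PTRS_PER_PGD/PTRS_PER_PMD are defined */` keeps someone from hoisting them back. The new swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD] extern under CONFIG_X86_PAE needs a matching definition elsewhere in the patch, which this chunk does not show.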
8154 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8155  /* Clear a kernel PTE and flush it from the TLB */
8156  #define kpte_clear_flush(ptep, vaddr)          \
8157  do {                                           \
8158 +       pax_open_kernel();                      \
8159         pte_clear(&init_mm, (vaddr), (ptep));   \
8160 +       pax_close_kernel();                     \
8161         __flush_tlb_one((vaddr));               \
8162  } while (0)
8163  
8164 @@ -74,6 +79,9 @@ do {                                          \
8165  
8166  #endif /* !__ASSEMBLY__ */
8167  
8168 +#define HAVE_ARCH_UNMAPPED_AREA
8169 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8170 +
8171  /*
8172   * kern_addr_valid() is (1) for FLATMEM and (0) for
8173   * SPARSEMEM and DISCONTIGMEM
8174 diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable_32_types.h linux-3.1.1/arch/x86/include/asm/pgtable_32_types.h
8175 --- linux-3.1.1/arch/x86/include/asm/pgtable_32_types.h 2011-11-11 15:19:27.000000000 -0500
8176 +++ linux-3.1.1/arch/x86/include/asm/pgtable_32_types.h 2011-11-16 18:39:07.000000000 -0500
8177 @@ -8,7 +8,7 @@
8178   */
8179  #ifdef CONFIG_X86_PAE
8180  # include <asm/pgtable-3level_types.h>
8181 -# define PMD_SIZE      (1UL << PMD_SHIFT)
8182 +# define PMD_SIZE      (_AC(1, UL) << PMD_SHIFT)
8183  # define PMD_MASK      (~(PMD_SIZE - 1))
8184  #else
8185  # include <asm/pgtable-2level_types.h>
8186 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set 
8187  # define VMALLOC_END   (FIXADDR_START - 2 * PAGE_SIZE)
8188  #endif
8189  
8190 +#ifdef CONFIG_PAX_KERNEXEC
8191 +#ifndef __ASSEMBLY__
8192 +extern unsigned char MODULES_EXEC_VADDR[];
8193 +extern unsigned char MODULES_EXEC_END[];
8194 +#endif
8195 +#include <asm/boot.h>
8196 +#define ktla_ktva(addr)                (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8197 +#define ktva_ktla(addr)                (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8198 +#else
8199 +#define ktla_ktva(addr)                (addr)
8200 +#define ktva_ktla(addr)                (addr)
8201 +#endif
8202 +
8203  #define MODULES_VADDR  VMALLOC_START
8204  #define MODULES_END    VMALLOC_END
8205  #define MODULES_LEN    (MODULES_VADDR - MODULES_END)
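Review bot: ktla_ktva/ktva_ktla in the CONFIG_PAX_KERNEXEC branch expand their argument unparenthesized (`(addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)`), so an argument containing a lower-precedence operator, e.g. a conditional expression, is misgrouped; write `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The identity fallbacks below and the pgtable_64_types.h versions already use `(addr)`. A one-line comment on what the two macros translate between (the names suggest kernel text linear address vs. kernel text virtual address) would also help, since MODULES_EXEC_VADDR/MODULES_EXEC_END are declared here without explanation.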
8206 diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable-3level.h linux-3.1.1/arch/x86/include/asm/pgtable-3level.h
8207 --- linux-3.1.1/arch/x86/include/asm/pgtable-3level.h   2011-11-11 15:19:27.000000000 -0500
8208 +++ linux-3.1.1/arch/x86/include/asm/pgtable-3level.h   2011-11-16 18:39:07.000000000 -0500
8209 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8210  
8211  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8212  {
8213 +       pax_open_kernel();
8214         set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8215 +       pax_close_kernel();
8216  }
8217  
8218  static inline void native_set_pud(pud_t *pudp, pud_t pud)
8219  {
8220 +       pax_open_kernel();
8221         set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8222 +       pax_close_kernel();
8223  }
8224  
8225  /*
8226 diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable_64.h linux-3.1.1/arch/x86/include/asm/pgtable_64.h
8227 --- linux-3.1.1/arch/x86/include/asm/pgtable_64.h       2011-11-11 15:19:27.000000000 -0500
8228 +++ linux-3.1.1/arch/x86/include/asm/pgtable_64.h       2011-11-16 18:39:07.000000000 -0500
8229 @@ -16,10 +16,13 @@
8230  
8231  extern pud_t level3_kernel_pgt[512];
8232  extern pud_t level3_ident_pgt[512];
8233 +extern pud_t level3_vmalloc_pgt[512];
8234 +extern pud_t level3_vmemmap_pgt[512];
8235 +extern pud_t level2_vmemmap_pgt[512];
8236  extern pmd_t level2_kernel_pgt[512];
8237  extern pmd_t level2_fixmap_pgt[512];
8238 -extern pmd_t level2_ident_pgt[512];
8239 -extern pgd_t init_level4_pgt[];
8240 +extern pmd_t level2_ident_pgt[512*2];
8241 +extern pgd_t init_level4_pgt[512];
8242  
8243  #define swapper_pg_dir init_level4_pgt
8244  
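Review bot: The new bounds `level2_ident_pgt[512*2]` and `init_level4_pgt[512]` (previously `[512]` and `[]`) must mirror definitions that are not in this chunk, presumably in head_64.S, and a mismatch would not be caught by the compiler. A comment naming where the `512*2` comes from, e.g. `/* sizes mirror the definitions in head_64.S; keep in sync */`, would make the coupling visible. The three added vmalloc/vmemmap externs likewise need definitions elsewhere in the patch.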
8245 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
8246  
8247  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8248  {
8249 +       pax_open_kernel();
8250         *pmdp = pmd;
8251 +       pax_close_kernel();
8252  }
8253  
8254  static inline void native_pmd_clear(pmd_t *pmd)
8255 @@ -107,6 +112,13 @@ static inline void native_pud_clear(pud_
8256  
8257  static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8258  {
8259 +       pax_open_kernel();
8260 +       *pgdp = pgd;
8261 +       pax_close_kernel();
8262 +}
8263 +
8264 +static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
8265 +{
8266         *pgdp = pgd;
8267  }
8268  
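Review bot: native_set_pgd_batched performs the same store as native_set_pgd but without the pax_open_kernel()/pax_close_kernel() pair, and nothing states the resulting caller obligation. Presumably it exists so a loop of PGD updates can run under a single CR0.WP toggle; a comment `/* like native_set_pgd, but the caller must already be between pax_open_kernel() and pax_close_kernel() */` makes the precondition explicit. The matching set_pgd_batched hook added to pv_mmu_ops in paravirt_types.h could carry the same note.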
8269 diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable_64_types.h linux-3.1.1/arch/x86/include/asm/pgtable_64_types.h
8270 --- linux-3.1.1/arch/x86/include/asm/pgtable_64_types.h 2011-11-11 15:19:27.000000000 -0500
8271 +++ linux-3.1.1/arch/x86/include/asm/pgtable_64_types.h 2011-11-16 18:39:07.000000000 -0500
8272 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8273  #define MODULES_VADDR    _AC(0xffffffffa0000000, UL)
8274  #define MODULES_END      _AC(0xffffffffff000000, UL)
8275  #define MODULES_LEN   (MODULES_END - MODULES_VADDR)
8276 +#define MODULES_EXEC_VADDR MODULES_VADDR
8277 +#define MODULES_EXEC_END MODULES_END
8278 +
8279 +#define ktla_ktva(addr)                (addr)
8280 +#define ktva_ktla(addr)                (addr)
8281  
8282  #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8283 diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable.h linux-3.1.1/arch/x86/include/asm/pgtable.h
8284 --- linux-3.1.1/arch/x86/include/asm/pgtable.h  2011-11-11 15:19:27.000000000 -0500
8285 +++ linux-3.1.1/arch/x86/include/asm/pgtable.h  2011-11-16 18:39:07.000000000 -0500
8286 @@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm
8287  
8288  #ifndef __PAGETABLE_PUD_FOLDED
8289  #define set_pgd(pgdp, pgd)             native_set_pgd(pgdp, pgd)
8290 +#define set_pgd_batched(pgdp, pgd)     native_set_pgd_batched(pgdp, pgd)
8291  #define pgd_clear(pgd)                 native_pgd_clear(pgd)
8292  #endif
8293  
8294 @@ -81,12 +82,51 @@ extern struct mm_struct *pgd_page_get_mm
8295  
8296  #define arch_end_context_switch(prev)  do {} while(0)
8297  
8298 +#define pax_open_kernel()      native_pax_open_kernel()
8299 +#define pax_close_kernel()     native_pax_close_kernel()
8300  #endif /* CONFIG_PARAVIRT */
8301  
8302 +#define  __HAVE_ARCH_PAX_OPEN_KERNEL
8303 +#define  __HAVE_ARCH_PAX_CLOSE_KERNEL
8304 +
8305 +#ifdef CONFIG_PAX_KERNEXEC
8306 +static inline unsigned long native_pax_open_kernel(void)
8307 +{
8308 +       unsigned long cr0;
8309 +
8310 +       preempt_disable();
8311 +       barrier();
8312 +       cr0 = read_cr0() ^ X86_CR0_WP;
8313 +       BUG_ON(unlikely(cr0 & X86_CR0_WP));
8314 +       write_cr0(cr0);
8315 +       return cr0 ^ X86_CR0_WP;
8316 +}
8317 +
8318 +static inline unsigned long native_pax_close_kernel(void)
8319 +{
8320 +       unsigned long cr0;
8321 +
8322 +       cr0 = read_cr0() ^ X86_CR0_WP;
8323 +       BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8324 +       write_cr0(cr0);
8325 +       barrier();
8326 +       preempt_enable_no_resched();
8327 +       return cr0 ^ X86_CR0_WP;
8328 +}
8329 +#else
8330 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8331 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8332 +#endif
8333 +
8334  /*
8335   * The following only work if pte_present() is true.
8336   * Undefined behaviour if not..
8337   */
8338 +static inline int pte_user(pte_t pte)
8339 +{
8340 +       return pte_val(pte) & _PAGE_USER;
8341 +}
8342 +
8343  static inline int pte_dirty(pte_t pte)
8344  {
8345         return pte_flags(pte) & _PAGE_DIRTY;
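Review bot: pte_user reads the bit with `pte_val(pte) & _PAGE_USER` while the adjacent pte_dirty and the rest of this family use pte_flags(); `return pte_flags(pte) & _PAGE_USER;` keeps the helpers uniform. native_pax_open_kernel/native_pax_close_kernel also lack a contract comment: open disables preemption and BUG_ONs if WP is already clear, close BUG_ONs if WP is already set, so the pair is strictly non-nesting, and both return the CR0 value read before their write_cr0 although no caller in this chunk uses it. A short comment above the `#ifdef CONFIG_PAX_KERNEXEC` stating the pairing, the non-nesting rule and the return value would do. How an interrupt or NMI taken while WP is clear is handled is decided by entry code outside this chunk.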
8346 @@ -196,9 +236,29 @@ static inline pte_t pte_wrprotect(pte_t 
8347         return pte_clear_flags(pte, _PAGE_RW);
8348  }
8349  
8350 +static inline pte_t pte_mkread(pte_t pte)
8351 +{
8352 +       return __pte(pte_val(pte) | _PAGE_USER);
8353 +}
8354 +
8355  static inline pte_t pte_mkexec(pte_t pte)
8356  {
8357 -       return pte_clear_flags(pte, _PAGE_NX);
8358 +#ifdef CONFIG_X86_PAE
8359 +       if (__supported_pte_mask & _PAGE_NX)
8360 +               return pte_clear_flags(pte, _PAGE_NX);
8361 +       else
8362 +#endif
8363 +               return pte_set_flags(pte, _PAGE_USER);
8364 +}
8365 +
8366 +static inline pte_t pte_exprotect(pte_t pte)
8367 +{
8368 +#ifdef CONFIG_X86_PAE
8369 +       if (__supported_pte_mask & _PAGE_NX)
8370 +               return pte_set_flags(pte, _PAGE_NX);
8371 +       else
8372 +#endif
8373 +               return pte_clear_flags(pte, _PAGE_USER);
8374  }
8375  
8376  static inline pte_t pte_mkdirty(pte_t pte)
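Review bot: pte_mkread builds its result with `__pte(pte_val(pte) | _PAGE_USER)` while the neighbouring helpers, including the new pte_exprotect, use pte_set_flags/pte_clear_flags; `return pte_set_flags(pte, _PAGE_USER);` matches them. pte_mkexec/pte_exprotect now fall back to toggling _PAGE_USER when NX is unavailable, which is not self-explanatory; a comment such as `/* without hardware NX (non-PAE, or NX absent from __supported_pte_mask) exec permission is presumably enforced through the user bit instead; see _PAGE_NX in pgtable_types.h */` would explain the branch.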
8377 @@ -390,6 +450,15 @@ pte_t *populate_extra_pte(unsigned long 
8378  #endif
8379  
8380  #ifndef __ASSEMBLY__
8381 +
8382 +#ifdef CONFIG_PAX_PER_CPU_PGD
8383 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8384 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8385 +{
8386 +       return cpu_pgd[cpu];
8387 +}
8388 +#endif
8389 +
8390  #include <linux/mm_types.h>
8391  
8392  static inline int pte_none(pte_t pte)
8393 @@ -560,7 +629,7 @@ static inline pud_t *pud_offset(pgd_t *p
8394  
8395  static inline int pgd_bad(pgd_t pgd)
8396  {
8397 -       return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8398 +       return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8399  }
8400  
8401  static inline int pgd_none(pgd_t pgd)
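Review bot: pgd_bad now tolerates _PAGE_NX in a PGD entry in addition to _PAGE_USER, but the line does not say which code starts setting NX on top-level entries (presumably the per-CPU/user PGD handling added elsewhere in this patch). A comment `/* _PAGE_NX may be set on user PGD entries by the PaX PGD handling; mask it as well */` records that, so the mask is not "fixed" back later.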
8402 @@ -583,7 +652,12 @@ static inline int pgd_none(pgd_t pgd)
8403   * pgd_offset() returns a (pgd_t *)
8404   * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8405   */
8406 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8407 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8408 +
8409 +#ifdef CONFIG_PAX_PER_CPU_PGD
8410 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8411 +#endif
8412 +
8413  /*
8414   * a shortcut which implies the use of the kernel's pgd, instead
8415   * of a process's
8416 @@ -594,6 +668,20 @@ static inline int pgd_none(pgd_t pgd)
8417  #define KERNEL_PGD_BOUNDARY    pgd_index(PAGE_OFFSET)
8418  #define KERNEL_PGD_PTRS                (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8419  
8420 +#ifdef CONFIG_X86_32
8421 +#define USER_PGD_PTRS          KERNEL_PGD_BOUNDARY
8422 +#else
8423 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8424 +#define USER_PGD_PTRS          (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8425 +
8426 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8427 +#define PAX_USER_SHADOW_BASE   (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8428 +#else
8429 +#define PAX_USER_SHADOW_BASE   (_AC(0,UL))
8430 +#endif
8431 +
8432 +#endif
8433 +
8434  #ifndef __ASSEMBLY__
8435  
8436  extern int direct_gbpages;
8437 @@ -758,11 +846,23 @@ static inline void pmdp_set_wrprotect(st
8438   * dst and src can be on the same page, but the range must not overlap,
8439   * and must not cross a page boundary.
8440   */
8441 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8442 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8443  {
8444 -       memcpy(dst, src, count * sizeof(pgd_t));
8445 +       pax_open_kernel();
8446 +       while (count--)
8447 +               *dst++ = *src++;
8448 +       pax_close_kernel();
8449  }
8450  
8451 +#ifdef CONFIG_PAX_PER_CPU_PGD
8452 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8453 +#endif
8454 +
8455 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8456 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8457 +#else
8458 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8459 +#endif
8460  
8461  #include <asm-generic/pgtable.h>
8462  #endif /* __ASSEMBLY__ */
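Review bot: The new copy loop `while (count--)` with an `int count` does not stop for a negative count; the old memcpy had the same hazard, but now that the loop is hand-written, `while (count-- > 0)` costs nothing. The loop replaces memcpy presumably so the copy is done as pgd_t stores inside the WP-open window without an out-of-line call; a comment saying so would stop someone restoring memcpy. The __clone_user_pgds extern has no inline stub for !CONFIG_PAX_PER_CPU_PGD, unlike __shadow_user_pgds, so every caller must sit under the same ifdef.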
8463 diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable_types.h linux-3.1.1/arch/x86/include/asm/pgtable_types.h
8464 --- linux-3.1.1/arch/x86/include/asm/pgtable_types.h    2011-11-11 15:19:27.000000000 -0500
8465 +++ linux-3.1.1/arch/x86/include/asm/pgtable_types.h    2011-11-16 18:39:07.000000000 -0500
8466 @@ -16,13 +16,12 @@
8467  #define _PAGE_BIT_PSE          7       /* 4 MB (or 2MB) page */
8468  #define _PAGE_BIT_PAT          7       /* on 4KB pages */
8469  #define _PAGE_BIT_GLOBAL       8       /* Global TLB entry PPro+ */
8470 -#define _PAGE_BIT_UNUSED1      9       /* available for programmer */
8471 +#define _PAGE_BIT_SPECIAL      9       /* special mappings, no associated struct page */
8472  #define _PAGE_BIT_IOMAP                10      /* flag used to indicate IO mapping */
8473  #define _PAGE_BIT_HIDDEN       11      /* hidden by kmemcheck */
8474  #define _PAGE_BIT_PAT_LARGE    12      /* On 2MB or 1GB pages */
8475 -#define _PAGE_BIT_SPECIAL      _PAGE_BIT_UNUSED1
8476 -#define _PAGE_BIT_CPA_TEST     _PAGE_BIT_UNUSED1
8477 -#define _PAGE_BIT_SPLITTING    _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
8478 +#define _PAGE_BIT_CPA_TEST     _PAGE_BIT_SPECIAL
8479 +#define _PAGE_BIT_SPLITTING    _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
8480  #define _PAGE_BIT_NX           63       /* No execute: only valid after cpuid check */
8481  
8482  /* If _PAGE_BIT_PRESENT is clear, we use these: */
8483 @@ -40,7 +39,6 @@
8484  #define _PAGE_DIRTY    (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8485  #define _PAGE_PSE      (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8486  #define _PAGE_GLOBAL   (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8487 -#define _PAGE_UNUSED1  (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8488  #define _PAGE_IOMAP    (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8489  #define _PAGE_PAT      (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8490  #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8491 @@ -57,8 +55,10 @@
8492  
8493  #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8494  #define _PAGE_NX       (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8495 -#else
8496 +#elif defined(CONFIG_KMEMCHECK)
8497  #define _PAGE_NX       (_AT(pteval_t, 0))
8498 +#else
8499 +#define _PAGE_NX       (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8500  #endif
8501  
8502  #define _PAGE_FILE     (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
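Review bot: _PAGE_NX on 32-bit non-PAE is now `1 << _PAGE_BIT_HIDDEN`, a software bit that the table above documents as "hidden by kmemcheck", and the `#elif defined(CONFIG_KMEMCHECK)` arm exists only to avoid that collision; none of this is stated at the definition. A comment `/* no hardware NX without PAE: keep NX as a software-only PTE bit (bit 11, free unless kmemcheck owns it) so the flag survives in the entry */` would document the reuse. Whether anything else tests _PAGE_HIDDEN on !PAE is not visible here.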
8503 @@ -96,6 +96,9 @@
8504  #define PAGE_READONLY_EXEC     __pgprot(_PAGE_PRESENT | _PAGE_USER |   \
8505                                          _PAGE_ACCESSED)
8506  
8507 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8508 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8509 +
8510  #define __PAGE_KERNEL_EXEC                                             \
8511         (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8512  #define __PAGE_KERNEL          (__PAGE_KERNEL_EXEC | _PAGE_NX)
8513 @@ -106,7 +109,7 @@
8514  #define __PAGE_KERNEL_WC               (__PAGE_KERNEL | _PAGE_CACHE_WC)
8515  #define __PAGE_KERNEL_NOCACHE          (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8516  #define __PAGE_KERNEL_UC_MINUS         (__PAGE_KERNEL | _PAGE_PCD)
8517 -#define __PAGE_KERNEL_VSYSCALL         (__PAGE_KERNEL_RX | _PAGE_USER)
8518 +#define __PAGE_KERNEL_VSYSCALL         (__PAGE_KERNEL_RO | _PAGE_USER)
8519  #define __PAGE_KERNEL_VVAR             (__PAGE_KERNEL_RO | _PAGE_USER)
8520  #define __PAGE_KERNEL_VVAR_NOCACHE     (__PAGE_KERNEL_VVAR | _PAGE_PCD | _PAGE_PWT)
8521  #define __PAGE_KERNEL_LARGE            (__PAGE_KERNEL | _PAGE_PSE)
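Review bot: __PAGE_KERNEL_VSYSCALL drops execute permission (RX to RO) on the fixed-address vsyscall page, which only works if the kernel's vsyscall emulation path handles the resulting faults; that dependency is not recorded in the hunk. A comment `/* vsyscall page is mapped non-executable: calls into it go through the emulation path instead of executing in place */` would record the assumption, and the hardening rationale (no executable code at a fixed address) deserves a phrase in the commit message.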
8522 @@ -168,8 +171,8 @@
8523   * bits are combined, this will alow user to access the high address mapped
8524   * VDSO in the presence of CONFIG_COMPAT_VDSO
8525   */
8526 -#define PTE_IDENT_ATTR  0x003          /* PRESENT+RW */
8527 -#define PDE_IDENT_ATTR  0x067          /* PRESENT+RW+USER+DIRTY+ACCESSED */
8528 +#define PTE_IDENT_ATTR  0x063          /* PRESENT+RW+DIRTY+ACCESSED */
8529 +#define PDE_IDENT_ATTR  0x063          /* PRESENT+RW+DIRTY+ACCESSED */
8530  #define PGD_IDENT_ATTR  0x001          /* PRESENT (no other attributes) */
8531  #endif
8532  
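Review bot: The context comment just above these lines explains that the USER bit is set on the identity-map PDE so user space can reach the high-mapped VDSO under CONFIG_COMPAT_VDSO, yet PDE_IDENT_ATTR changes from 0x067 to 0x063, dropping exactly that bit; the comment is now stale, and COMPAT_VDSO behaviour with the new value is not addressed in the hunk. Either update the comment to state that the identity PDEs are kernel-only and say how COMPAT_VDSO is handled, or keep the USER bit. The trailing comments are otherwise accurate (0x063 = PRESENT+RW+DIRTY+ACCESSED).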
8533 @@ -207,7 +210,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8534  {
8535         return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8536  }
8537 +#endif
8538  
8539 +#if PAGETABLE_LEVELS == 3
8540 +#include <asm-generic/pgtable-nopud.h>
8541 +#endif
8542 +
8543 +#if PAGETABLE_LEVELS == 2
8544 +#include <asm-generic/pgtable-nopmd.h>
8545 +#endif
8546 +
8547 +#ifndef __ASSEMBLY__
8548  #if PAGETABLE_LEVELS > 3
8549  typedef struct { pudval_t pud; } pud_t;
8550  
8551 @@ -221,8 +234,6 @@ static inline pudval_t native_pud_val(pu
8552         return pud.pud;
8553  }
8554  #else
8555 -#include <asm-generic/pgtable-nopud.h>
8556 -
8557  static inline pudval_t native_pud_val(pud_t pud)
8558  {
8559         return native_pgd_val(pud.pgd);
8560 @@ -242,8 +253,6 @@ static inline pmdval_t native_pmd_val(pm
8561         return pmd.pmd;
8562  }
8563  #else
8564 -#include <asm-generic/pgtable-nopmd.h>
8565 -
8566  static inline pmdval_t native_pmd_val(pmd_t pmd)
8567  {
8568         return native_pgd_val(pmd.pud.pgd);
8569 @@ -283,7 +292,6 @@ typedef struct page *pgtable_t;
8570  
8571  extern pteval_t __supported_pte_mask;
8572  extern void set_nx(void);
8573 -extern int nx_enabled;
8574  
8575  #define pgprot_writecombine    pgprot_writecombine
8576  extern pgprot_t pgprot_writecombine(pgprot_t prot);
8577 diff -urNp linux-3.1.1/arch/x86/include/asm/processor.h linux-3.1.1/arch/x86/include/asm/processor.h
8578 --- linux-3.1.1/arch/x86/include/asm/processor.h        2011-11-11 15:19:27.000000000 -0500
8579 +++ linux-3.1.1/arch/x86/include/asm/processor.h        2011-11-16 18:39:07.000000000 -0500
8580 @@ -266,7 +266,7 @@ struct tss_struct {
8581  
8582  } ____cacheline_aligned;
8583  
8584 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8585 +extern struct tss_struct init_tss[NR_CPUS];
8586  
8587  /*
8588   * Save the original ist values for checking stack pointers during debugging
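Review bot: init_tss changes from a DECLARE_PER_CPU_SHARED_ALIGNED per-CPU variable to a plain `struct tss_struct init_tss[NR_CPUS]` array, which loses the cache-line alignment the per-CPU macro provided and sizes storage by NR_CPUS rather than by CPUs present. Whether the definition restores alignment, and why per-CPU storage is abandoned, is not visible in this chunk; a comment on the declaration stating both would help the next reader.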
8589 @@ -858,11 +858,18 @@ static inline void spin_lock_prefetch(co
8590   */
8591  #define TASK_SIZE              PAGE_OFFSET
8592  #define TASK_SIZE_MAX          TASK_SIZE
8593 +
8594 +#ifdef CONFIG_PAX_SEGMEXEC
8595 +#define SEGMEXEC_TASK_SIZE     (TASK_SIZE / 2)
8596 +#define STACK_TOP              ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8597 +#else
8598  #define STACK_TOP              TASK_SIZE
8599 -#define STACK_TOP_MAX          STACK_TOP
8600 +#endif
8601 +
8602 +#define STACK_TOP_MAX          TASK_SIZE
8603  
8604  #define INIT_THREAD  {                                                   \
8605 -       .sp0                    = sizeof(init_stack) + (long)&init_stack, \
8606 +       .sp0                    = sizeof(init_stack) + (long)&init_stack - 8, \
8607         .vm86_info              = NULL,                                   \
8608         .sysenter_cs            = __KERNEL_CS,                            \
8609         .io_bitmap_ptr          = NULL,                                   \
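Review bot: The `- 8` on `.sp0` in INIT_THREAD and INIT_TSS, and the `- 16` in the 64-bit INIT_THREAD/INIT_TSS later in this file, are bare magic numbers; the only hint is the pre-existing comment further down ("The below -8 is to reserve 8 bytes on top of the ring0 stack"). A named constant or a comment on each line, e.g. `/* leave 8 bytes above the ring0 stack top; see the task_pt_regs comment */`, ties the values together. The STACK_TOP definition under CONFIG_PAX_SEGMEXEC also dereferences current->mm and has no spacing around `?`/`:`, unlike the surrounding macros.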
8610 @@ -876,7 +883,7 @@ static inline void spin_lock_prefetch(co
8611   */
8612  #define INIT_TSS  {                                                      \
8613         .x86_tss = {                                                      \
8614 -               .sp0            = sizeof(init_stack) + (long)&init_stack, \
8615 +               .sp0            = sizeof(init_stack) + (long)&init_stack - 8, \
8616                 .ss0            = __KERNEL_DS,                            \
8617                 .ss1            = __KERNEL_CS,                            \
8618                 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET,               \
8619 @@ -887,11 +894,7 @@ static inline void spin_lock_prefetch(co
8620  extern unsigned long thread_saved_pc(struct task_struct *tsk);
8621  
8622  #define THREAD_SIZE_LONGS      (THREAD_SIZE/sizeof(unsigned long))
8623 -#define KSTK_TOP(info)                                                 \
8624 -({                                                                     \
8625 -       unsigned long *__ptr = (unsigned long *)(info);                 \
8626 -       (unsigned long)(&__ptr[THREAD_SIZE_LONGS]);                     \
8627 -})
8628 +#define KSTK_TOP(info)         ((container_of(info, struct task_struct, tinfo))->thread.sp0)
8629  
8630  /*
8631   * The below -8 is to reserve 8 bytes on top of the ring0 stack.
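Review bot: KSTK_TOP(info) now evaluates `container_of(info, struct task_struct, tinfo)->thread.sp0`, which requires info to be the thread_info embedded in the task_struct; the old form accepted any stack pointer, and task_pt_regs in the next hunk used to pass task_stack_page(task). task_pt_regs is updated here, but any other caller still passing a raw stack page would compile and silently compute a wrong address, since container_of only type-checks the member. A comment `/* info must be &task->tinfo; a bare stack page is no longer accepted */` documents the new contract.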
8632 @@ -906,7 +909,7 @@ extern unsigned long thread_saved_pc(str
8633  #define task_pt_regs(task)                                             \
8634  ({                                                                     \
8635         struct pt_regs *__regs__;                                       \
8636 -       __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8637 +       __regs__ = (struct pt_regs *)((task)->thread.sp0);              \
8638         __regs__ - 1;                                                   \
8639  })
8640  
8641 @@ -916,13 +919,13 @@ extern unsigned long thread_saved_pc(str
8642  /*
8643   * User space process size. 47bits minus one guard page.
8644   */
8645 -#define TASK_SIZE_MAX  ((1UL << 47) - PAGE_SIZE)
8646 +#define TASK_SIZE_MAX  ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8647  
8648  /* This decides where the kernel will search for a free chunk of vm
8649   * space during mmap's.
8650   */
8651  #define IA32_PAGE_OFFSET       ((current->personality & ADDR_LIMIT_3GB) ? \
8652 -                                       0xc0000000 : 0xFFFFe000)
8653 +                                       0xc0000000 : 0xFFFFf000)
8654  
8655  #define TASK_SIZE              (test_thread_flag(TIF_IA32) ? \
8656                                         IA32_PAGE_OFFSET : TASK_SIZE_MAX)
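Review bot: The comment "User space process size. 47bits minus one guard page." is now inaccurate, since TASK_SIZE_MAX is derived from TASK_SIZE_MAX_SHIFT (CONFIG_TASK_SIZE_MAX_SHIFT per pgtable.h in this patch); change it to `/* User space process size: TASK_SIZE_MAX_SHIFT bits minus one guard page. */`. The IA32_PAGE_OFFSET change from 0xFFFFe000 to 0xFFFFf000 shrinks the gap below 4 GiB for 32-bit tasks from two pages to one with no explanation in the hunk; a comment on the reason would help.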
8657 @@ -933,11 +936,11 @@ extern unsigned long thread_saved_pc(str
8658  #define STACK_TOP_MAX          TASK_SIZE_MAX
8659  
8660  #define INIT_THREAD  { \
8661 -       .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
8662 +       .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
8663  }
8664  
8665  #define INIT_TSS  { \
8666 -       .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
8667 +       .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
8668  }
8669  
8670  /*
8671 @@ -959,6 +962,10 @@ extern void start_thread(struct pt_regs 
8672   */
8673  #define TASK_UNMAPPED_BASE     (PAGE_ALIGN(TASK_SIZE / 3))
8674  
8675 +#ifdef CONFIG_PAX_SEGMEXEC
8676 +#define SEGMEXEC_TASK_UNMAPPED_BASE    (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8677 +#endif
8678 +
8679  #define KSTK_EIP(task)         (task_pt_regs(task)->ip)
8680  
8681  /* Get/set a process' ability to use the timestamp counter instruction */
8682 diff -urNp linux-3.1.1/arch/x86/include/asm/ptrace.h linux-3.1.1/arch/x86/include/asm/ptrace.h
8683 --- linux-3.1.1/arch/x86/include/asm/ptrace.h   2011-11-11 15:19:27.000000000 -0500
8684 +++ linux-3.1.1/arch/x86/include/asm/ptrace.h   2011-11-16 18:39:07.000000000 -0500
8685 @@ -156,28 +156,29 @@ static inline unsigned long regs_return_
8686  }
8687  
8688  /*
8689 - * user_mode_vm(regs) determines whether a register set came from user mode.
8690 + * user_mode(regs) determines whether a register set came from user mode.
8691   * This is true if V8086 mode was enabled OR if the register set was from
8692   * protected mode with RPL-3 CS value.  This tricky test checks that with
8693   * one comparison.  Many places in the kernel can bypass this full check
8694 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8695 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8696 + * be used.
8697   */
8698 -static inline int user_mode(struct pt_regs *regs)
8699 +static inline int user_mode_novm(struct pt_regs *regs)
8700  {
8701  #ifdef CONFIG_X86_32
8702         return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8703  #else
8704 -       return !!(regs->cs & 3);
8705 +       return !!(regs->cs & SEGMENT_RPL_MASK);
8706  #endif
8707  }
8708  
8709 -static inline int user_mode_vm(struct pt_regs *regs)
8710 +static inline int user_mode(struct pt_regs *regs)
8711  {
8712  #ifdef CONFIG_X86_32
8713         return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8714                 USER_RPL;
8715  #else
8716 -       return user_mode(regs);
8717 +       return user_mode_novm(regs);
8718  #endif
8719  }
8720  
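Review bot: This hunk swaps the meaning of an existing API name: user_mode() now performs the full V8086-aware check that user_mode_vm() used to, and the cheap protected-mode-only check becomes user_mode_novm(). Existing callers of user_mode() get a stricter test, which is the safe direction, and leftover callers of user_mode_vm() fail to compile, but anyone backporting fixes from mainline needs the mapping. The updated comment explains the two functions yet not the rename; a line `/* note: user_mode_vm() was renamed user_mode(); the old cheap user_mode() is now user_mode_novm() */` would avoid confusion.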
8721 @@ -193,15 +194,16 @@ static inline int v8086_mode(struct pt_r
8722  #ifdef CONFIG_X86_64
8723  static inline bool user_64bit_mode(struct pt_regs *regs)
8724  {
8725 +       unsigned long cs = regs->cs & 0xffff;
8726  #ifndef CONFIG_PARAVIRT
8727         /*
8728          * On non-paravirt systems, this is the only long mode CPL 3
8729          * selector.  We do not allow long mode selectors in the LDT.
8730          */
8731 -       return regs->cs == __USER_CS;
8732 +       return cs == __USER_CS;
8733  #else
8734         /* Headers are too twisted for this to go in paravirt.h. */
8735 -       return regs->cs == __USER_CS || regs->cs == pv_info.extra_user_64bit_cs;
8736 +       return cs == __USER_CS || cs == pv_info.extra_user_64bit_cs;
8737  #endif
8738  }
8739  #endif
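Review bot: Masking `regs->cs & 0xffff` before comparing with __USER_CS is unexplained; presumably the upper bits of the saved cs slot can carry other data in this tree. A comment `/* only the low 16 bits hold the selector; the rest of the slot may be non-zero */` or a named mask would document that, and the paravirt comparison against pv_info.extra_user_64bit_cs now relies on it as well.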
8740 diff -urNp linux-3.1.1/arch/x86/include/asm/reboot.h linux-3.1.1/arch/x86/include/asm/reboot.h
8741 --- linux-3.1.1/arch/x86/include/asm/reboot.h   2011-11-11 15:19:27.000000000 -0500
8742 +++ linux-3.1.1/arch/x86/include/asm/reboot.h   2011-11-16 18:39:07.000000000 -0500
8743 @@ -6,19 +6,19 @@
8744  struct pt_regs;
8745  
8746  struct machine_ops {
8747 -       void (*restart)(char *cmd);
8748 -       void (*halt)(void);
8749 -       void (*power_off)(void);
8750 +       void (* __noreturn restart)(char *cmd);
8751 +       void (* __noreturn halt)(void);
8752 +       void (* __noreturn power_off)(void);
8753         void (*shutdown)(void);
8754         void (*crash_shutdown)(struct pt_regs *);
8755 -       void (*emergency_restart)(void);
8756 -};
8757 +       void (* __noreturn emergency_restart)(void);
8758 +} __no_const;
8759  
8760  extern struct machine_ops machine_ops;
8761  
8762  void native_machine_crash_shutdown(struct pt_regs *regs);
8763  void native_machine_shutdown(void);
8764 -void machine_real_restart(unsigned int type);
8765 +void machine_real_restart(unsigned int type) __noreturn;
8766  /* These must match dispatch_table in reboot_32.S */
8767  #define MRR_BIOS       0
8768  #define MRR_APM                1
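Review bot: Marking the restart/halt/power_off/emergency_restart members `__noreturn` means every implementation ever assigned to machine_ops must genuinely never return; if one does, execution continues into whatever follows the call site, which the compiler may have dropped. The native implementations that back these members are not declared in this hunk, so the attribute cannot be verified here; a comment on the struct, `/* these callbacks must never return; implementations must loop or halt */`, records the obligation for future assignments.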
8769 diff -urNp linux-3.1.1/arch/x86/include/asm/rwsem.h linux-3.1.1/arch/x86/include/asm/rwsem.h
8770 --- linux-3.1.1/arch/x86/include/asm/rwsem.h    2011-11-11 15:19:27.000000000 -0500
8771 +++ linux-3.1.1/arch/x86/include/asm/rwsem.h    2011-11-16 18:39:07.000000000 -0500
8772 @@ -64,6 +64,14 @@ static inline void __down_read(struct rw
8773  {
8774         asm volatile("# beginning down_read\n\t"
8775                      LOCK_PREFIX _ASM_INC "(%1)\n\t"
8776 +
8777 +#ifdef CONFIG_PAX_REFCOUNT
8778 +                    "jno 0f\n"
8779 +                    LOCK_PREFIX _ASM_DEC "(%1)\n"
8780 +                    "int $4\n0:\n"
8781 +                    _ASM_EXTABLE(0b, 0b)
8782 +#endif
8783 +
8784                      /* adds 0x00000001 */
8785                      "  jns        1f\n"
8786                      "  call call_rwsem_down_read_failed\n"
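Review bot: The CONFIG_PAX_REFCOUNT overflow check is pasted into __down_read, __down_read_trylock, __down_write_nested, __up_read, __up_write, __downgrade_write and rwsem_atomic_add as the same four-instruction sequence (`jno 0f` / undo / `int $4` / `0:` plus `_ASM_EXTABLE(0b, 0b)`) with only the undo instruction varying; a helper macro taking the undo instruction would reduce the seven copies to one definition. The inserted strings also drop the `"  "` prefix and `\n\t` convention of the surrounding lines, and in __down_read the pre-existing comment `/* adds 0x00000001 */` is now separated from the inc it describes. In __down_write_nested, __up_read and __up_write the undo is a plain `mov` of the old value rather than the locked reverse operation used in __down_read, so a concurrent update between the xadd and the mov is lost; whether the `int $4` path resumes at `0:` (the extable entry suggests it can) is decided by the trap handler outside this chunk, and if it does, a comment on why the non-atomic undo is acceptable would help.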
8787 @@ -85,6 +93,14 @@ static inline int __down_read_trylock(st
8788                      "1:\n\t"
8789                      "  mov          %1,%2\n\t"
8790                      "  add          %3,%2\n\t"
8791 +
8792 +#ifdef CONFIG_PAX_REFCOUNT
8793 +                    "jno 0f\n"
8794 +                    "sub %3,%2\n"
8795 +                    "int $4\n0:\n"
8796 +                    _ASM_EXTABLE(0b, 0b)
8797 +#endif
8798 +
8799                      "  jle          2f\n\t"
8800                      LOCK_PREFIX "  cmpxchg  %2,%0\n\t"
8801                      "  jnz          1b\n\t"
8802 @@ -104,6 +120,14 @@ static inline void __down_write_nested(s
8803         long tmp;
8804         asm volatile("# beginning down_write\n\t"
8805                      LOCK_PREFIX "  xadd      %1,(%2)\n\t"
8806 +
8807 +#ifdef CONFIG_PAX_REFCOUNT
8808 +                    "jno 0f\n"
8809 +                    "mov %1,(%2)\n"
8810 +                    "int $4\n0:\n"
8811 +                    _ASM_EXTABLE(0b, 0b)
8812 +#endif
8813 +
8814                      /* adds 0xffff0001, returns the old value */
8815                      "  test      %1,%1\n\t"
8816                      /* was the count 0 before? */
8817 @@ -141,6 +165,14 @@ static inline void __up_read(struct rw_s
8818         long tmp;
8819         asm volatile("# beginning __up_read\n\t"
8820                      LOCK_PREFIX "  xadd      %1,(%2)\n\t"
8821 +
8822 +#ifdef CONFIG_PAX_REFCOUNT
8823 +                    "jno 0f\n"
8824 +                    "mov %1,(%2)\n"
8825 +                    "int $4\n0:\n"
8826 +                    _ASM_EXTABLE(0b, 0b)
8827 +#endif
8828 +
8829                      /* subtracts 1, returns the old value */
8830                      "  jns        1f\n\t"
8831                      "  call call_rwsem_wake\n" /* expects old value in %edx */
8832 @@ -159,6 +191,14 @@ static inline void __up_write(struct rw_
8833         long tmp;
8834         asm volatile("# beginning __up_write\n\t"
8835                      LOCK_PREFIX "  xadd      %1,(%2)\n\t"
8836 +
8837 +#ifdef CONFIG_PAX_REFCOUNT
8838 +                    "jno 0f\n"
8839 +                    "mov %1,(%2)\n"
8840 +                    "int $4\n0:\n"
8841 +                    _ASM_EXTABLE(0b, 0b)
8842 +#endif
8843 +
8844                      /* subtracts 0xffff0001, returns the old value */
8845                      "  jns        1f\n\t"
8846                      "  call call_rwsem_wake\n" /* expects old value in %edx */
8847 @@ -176,6 +216,14 @@ static inline void __downgrade_write(str
8848  {
8849         asm volatile("# beginning __downgrade_write\n\t"
8850                      LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
8851 +
8852 +#ifdef CONFIG_PAX_REFCOUNT
8853 +                    "jno 0f\n"
8854 +                    LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
8855 +                    "int $4\n0:\n"
8856 +                    _ASM_EXTABLE(0b, 0b)
8857 +#endif
8858 +
8859                      /*
8860                       * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
8861                       *     0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
8862 @@ -194,7 +242,15 @@ static inline void __downgrade_write(str
8863   */
8864  static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
8865  {
8866 -       asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
8867 +       asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
8868 +
8869 +#ifdef CONFIG_PAX_REFCOUNT
8870 +                    "jno 0f\n"
8871 +                    LOCK_PREFIX _ASM_SUB "%1,%0\n"
8872 +                    "int $4\n0:\n"
8873 +                    _ASM_EXTABLE(0b, 0b)
8874 +#endif
8875 +
8876                      : "+m" (sem->count)
8877                      : "er" (delta));
8878  }
8879 @@ -206,7 +262,15 @@ static inline long rwsem_atomic_update(l
8880  {
8881         long tmp = delta;
8882  
8883 -       asm volatile(LOCK_PREFIX "xadd %0,%1"
8884 +       asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8885 +
8886 +#ifdef CONFIG_PAX_REFCOUNT
8887 +                    "jno 0f\n"
8888 +                    "mov %0,%1\n"
8889 +                    "int $4\n0:\n"
8890 +                    _ASM_EXTABLE(0b, 0b)
8891 +#endif
8892 +
8893                      : "+r" (tmp), "+m" (sem->count)
8894                      : : "memory");
8895  
8896 diff -urNp linux-3.1.1/arch/x86/include/asm/segment.h linux-3.1.1/arch/x86/include/asm/segment.h
8897 --- linux-3.1.1/arch/x86/include/asm/segment.h  2011-11-11 15:19:27.000000000 -0500
8898 +++ linux-3.1.1/arch/x86/include/asm/segment.h  2011-11-16 18:39:07.000000000 -0500
8899 @@ -64,10 +64,15 @@
8900   *  26 - ESPFIX small SS
8901   *  27 - per-cpu                       [ offset to per-cpu data area ]
8902   *  28 - stack_canary-20               [ for stack protector ]
8903 - *  29 - unused
8904 - *  30 - unused
8905 + *  29 - PCI BIOS CS
8906 + *  30 - PCI BIOS DS
8907   *  31 - TSS for double fault handler
8908   */
8909 +#define GDT_ENTRY_KERNEXEC_EFI_CS      (1)
8910 +#define GDT_ENTRY_KERNEXEC_EFI_DS      (2)
8911 +#define __KERNEXEC_EFI_CS      (GDT_ENTRY_KERNEXEC_EFI_CS*8)
8912 +#define __KERNEXEC_EFI_DS      (GDT_ENTRY_KERNEXEC_EFI_DS*8)
8913 +
8914  #define GDT_ENTRY_TLS_MIN      6
8915  #define GDT_ENTRY_TLS_MAX      (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
8916  
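Review bot: GDT_ENTRY_KERNEXEC_EFI_CS and GDT_ENTRY_KERNEXEC_EFI_DS take slots 1 and 2, but the slot-by-slot layout comment this hunk edits (its upper part is above the hunk) is only updated for 29 and 30; if slots 1 and 2 are still listed as reserved there they should be renamed in step, e.g. ` *   1 - KERNEXEC EFI CS` and ` *   2 - KERNEXEC EFI DS`. The same applies to GDT_ENTRY_KERNEXEC_KERNEL_CS taking slot 4 in the next hunk and slot 7 in the 64-bit table later in this file, where the literal values carry no hint of which formerly unused entry they occupy.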
8917 @@ -79,6 +84,8 @@
8918  
8919  #define GDT_ENTRY_KERNEL_CS            (GDT_ENTRY_KERNEL_BASE+0)
8920  
8921 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS   (4)
8922 +
8923  #define GDT_ENTRY_KERNEL_DS            (GDT_ENTRY_KERNEL_BASE+1)
8924  
8925  #define GDT_ENTRY_TSS                  (GDT_ENTRY_KERNEL_BASE+4)
8926 @@ -104,6 +111,12 @@
8927  #define __KERNEL_STACK_CANARY          0
8928  #endif
8929  
8930 +#define GDT_ENTRY_PCIBIOS_CS           (GDT_ENTRY_KERNEL_BASE+17)
8931 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8932 +
8933 +#define GDT_ENTRY_PCIBIOS_DS           (GDT_ENTRY_KERNEL_BASE+18)
8934 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8935 +
8936  #define GDT_ENTRY_DOUBLEFAULT_TSS      31
8937  
8938  /*
8939 @@ -141,7 +154,7 @@
8940   */
8941  
8942  /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8943 -#define SEGMENT_IS_PNP_CODE(x)   (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8944 +#define SEGMENT_IS_PNP_CODE(x)   (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8945  
8946  
8947  #else
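Review bot: The retained comment `/* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */` is stale after this change: the new macro masks the RPL/TI bits with `0xFFFCU` and compares against each selector explicitly, so consecutiveness is no longer required by this macro. Suggest `/* Matches PNP_CS32 or PNP_CS16 with RPL/TI bits ignored */`. The old `& 0xf4` test ignored bit 3 and every bit above 7, so it accepted selectors beyond the two PNP entries; the explicit comparison is tighter, which is worth a word in the commit description as well.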
8948 @@ -165,6 +178,8 @@
8949  #define __USER32_CS   (GDT_ENTRY_DEFAULT_USER32_CS*8+3)
8950  #define __USER32_DS    __USER_DS
8951  
8952 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
8953 +
8954  #define GDT_ENTRY_TSS 8        /* needs two entries */
8955  #define GDT_ENTRY_LDT 10 /* needs two entries */
8956  #define GDT_ENTRY_TLS_MIN 12
8957 @@ -185,6 +200,7 @@
8958  #endif
8959  
8960  #define __KERNEL_CS    (GDT_ENTRY_KERNEL_CS*8)
8961 +#define __KERNEXEC_KERNEL_CS   (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
8962  #define __KERNEL_DS    (GDT_ENTRY_KERNEL_DS*8)
8963  #define __USER_DS      (GDT_ENTRY_DEFAULT_USER_DS*8+3)
8964  #define __USER_CS      (GDT_ENTRY_DEFAULT_USER_CS*8+3)
8965 diff -urNp linux-3.1.1/arch/x86/include/asm/smp.h linux-3.1.1/arch/x86/include/asm/smp.h
8966 --- linux-3.1.1/arch/x86/include/asm/smp.h      2011-11-11 15:19:27.000000000 -0500
8967 +++ linux-3.1.1/arch/x86/include/asm/smp.h      2011-11-16 18:39:07.000000000 -0500
8968 @@ -36,7 +36,7 @@ DECLARE_PER_CPU(cpumask_var_t, cpu_core_
8969  /* cpus sharing the last level cache: */
8970  DECLARE_PER_CPU(cpumask_var_t, cpu_llc_shared_map);
8971  DECLARE_PER_CPU(u16, cpu_llc_id);
8972 -DECLARE_PER_CPU(int, cpu_number);
8973 +DECLARE_PER_CPU(unsigned int, cpu_number);
8974  
8975  static inline struct cpumask *cpu_sibling_mask(int cpu)
8976  {
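Review bot: Changing the declared type of `cpu_number` to `unsigned int` has to be mirrored by its DEFINE_PER_CPU and by every reader that compares it signed or prints it with `%d`; none of those sites is in this hunk, and a mismatched definition would compile silently per translation unit. Worth confirming across the patch that the definition and the users were converted together.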
8977 @@ -77,7 +77,7 @@ struct smp_ops {
8978  
8979         void (*send_call_func_ipi)(const struct cpumask *mask);
8980         void (*send_call_func_single_ipi)(int cpu);
8981 -};
8982 +} __no_const;
8983  
8984  /* Globals due to paravirt */
8985  extern void set_cpu_sibling_map(int cpu);
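Review bot: `__no_const` is a non-upstream annotation whose definition is outside this hunk, and nothing says why `struct smp_ops` has to stay writable while other ops tables are being constified; from the `/* Globals due to paravirt */` comment below I infer it is assigned at runtime by paravirt setup, but that should be confirmed and written down, e.g. `/* written at runtime by paravirt setup; cannot be constified */`.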
8986 @@ -192,14 +192,8 @@ extern unsigned disabled_cpus __cpuinitd
8987  extern int safe_smp_processor_id(void);
8988  
8989  #elif defined(CONFIG_X86_64_SMP)
8990 -#define raw_smp_processor_id() (percpu_read(cpu_number))
8991 -
8992 -#define stack_smp_processor_id()                                       \
8993 -({                                                             \
8994 -       struct thread_info *ti;                                         \
8995 -       __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK));      \
8996 -       ti->cpu;                                                        \
8997 -})
8998 +#define raw_smp_processor_id()         (percpu_read(cpu_number))
8999 +#define stack_smp_processor_id()       raw_smp_processor_id()
9000  #define safe_smp_processor_id()                smp_processor_id()
9001  
9002  #endif
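Review bot: `stack_smp_processor_id()` becomes an alias for `raw_smp_processor_id()`, which reads the per-cpu `cpu_number` through the per-cpu base, whereas the removed version deliberately derived the CPU from the stack so it worked before that base was loaded. The thread_info.h hunks later in this chunk move thread_info out of the stack, which explains why the old form had to go, but any caller that used `stack_smp_processor_id()` precisely during early per-cpu setup now depends on the per-cpu base being valid there; those call sites are outside this file and should be checked. A comment like `/* thread_info no longer lives on the stack; requires the per-cpu base to be set up */` would record the new constraint.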
9003 diff -urNp linux-3.1.1/arch/x86/include/asm/spinlock.h linux-3.1.1/arch/x86/include/asm/spinlock.h
9004 --- linux-3.1.1/arch/x86/include/asm/spinlock.h 2011-11-11 15:19:27.000000000 -0500
9005 +++ linux-3.1.1/arch/x86/include/asm/spinlock.h 2011-11-16 18:39:07.000000000 -0500
9006 @@ -248,6 +248,14 @@ static inline int arch_write_can_lock(ar
9007  static inline void arch_read_lock(arch_rwlock_t *rw)
9008  {
9009         asm volatile(LOCK_PREFIX READ_LOCK_SIZE(dec) " (%0)\n\t"
9010 +
9011 +#ifdef CONFIG_PAX_REFCOUNT
9012 +                    "jno 0f\n"
9013 +                    LOCK_PREFIX READ_LOCK_SIZE(inc) " (%0)\n"
9014 +                    "int $4\n0:\n"
9015 +                    _ASM_EXTABLE(0b, 0b)
9016 +#endif
9017 +
9018                      "jns 1f\n"
9019                      "call __read_lock_failed\n\t"
9020                      "1:\n"
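Review bot: If execution ever resumes at `0:` through the `_ASM_EXTABLE(0b, 0b)` fixup, the following `"jns 1f\n"` tests the flags left by the undoing `LOCK_PREFIX READ_LOCK_SIZE(inc)`, not by the original `dec`; the arch_write_lock hunk below has the same property with `"jz 1f\n"` after the undoing add. Whether that matters depends on what the overflow trap handler does on return, which is outside this file, so the intent should be stated, e.g. `/* on resume the flags reflect the undo, not the original op */`. Both enclosing functions end outside their hunks.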
9021 @@ -257,6 +265,14 @@ static inline void arch_read_lock(arch_r
9022  static inline void arch_write_lock(arch_rwlock_t *rw)
9023  {
9024         asm volatile(LOCK_PREFIX WRITE_LOCK_SUB(%1) "(%0)\n\t"
9025 +
9026 +#ifdef CONFIG_PAX_REFCOUNT
9027 +                    "jno 0f\n"
9028 +                    LOCK_PREFIX WRITE_LOCK_ADD(%1) "(%0)\n"
9029 +                    "int $4\n0:\n"
9030 +                    _ASM_EXTABLE(0b, 0b)
9031 +#endif
9032 +
9033                      "jz 1f\n"
9034                      "call __write_lock_failed\n\t"
9035                      "1:\n"
9036 @@ -286,13 +302,29 @@ static inline int arch_write_trylock(arc
9037  
9038  static inline void arch_read_unlock(arch_rwlock_t *rw)
9039  {
9040 -       asm volatile(LOCK_PREFIX READ_LOCK_SIZE(inc) " %0"
9041 +       asm volatile(LOCK_PREFIX READ_LOCK_SIZE(inc) " %0\n"
9042 +
9043 +#ifdef CONFIG_PAX_REFCOUNT
9044 +                    "jno 0f\n"
9045 +                    LOCK_PREFIX READ_LOCK_SIZE(dec) " %0\n"
9046 +                    "int $4\n0:\n"
9047 +                    _ASM_EXTABLE(0b, 0b)
9048 +#endif
9049 +
9050                      :"+m" (rw->lock) : : "memory");
9051  }
9052  
9053  static inline void arch_write_unlock(arch_rwlock_t *rw)
9054  {
9055 -       asm volatile(LOCK_PREFIX WRITE_LOCK_ADD(%1) "%0"
9056 +       asm volatile(LOCK_PREFIX WRITE_LOCK_ADD(%1) "%0\n"
9057 +
9058 +#ifdef CONFIG_PAX_REFCOUNT
9059 +                    "jno 0f\n"
9060 +                    LOCK_PREFIX WRITE_LOCK_SUB(%1) "%0\n"
9061 +                    "int $4\n0:\n"
9062 +                    _ASM_EXTABLE(0b, 0b)
9063 +#endif
9064 +
9065                      : "+m" (rw->write) : "i" (RW_LOCK_BIAS) : "memory");
9066  }
9067  
9068 diff -urNp linux-3.1.1/arch/x86/include/asm/stackprotector.h linux-3.1.1/arch/x86/include/asm/stackprotector.h
9069 --- linux-3.1.1/arch/x86/include/asm/stackprotector.h   2011-11-11 15:19:27.000000000 -0500
9070 +++ linux-3.1.1/arch/x86/include/asm/stackprotector.h   2011-11-16 18:39:07.000000000 -0500
9071 @@ -48,7 +48,7 @@
9072   * head_32 for boot CPU and setup_per_cpu_areas() for others.
9073   */
9074  #define GDT_STACK_CANARY_INIT                                          \
9075 -       [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
9076 +       [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
9077  
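Review bot: The limit of the stack-canary GDT entry changes from 0x18 to 0x17 with no explanation; since x86 segment limits are inclusive this presumably shrinks the segment to exactly the 24-byte canary area instead of 25 bytes. Suggest `/* limit is inclusive: 0x17 covers exactly the 24-byte canary area */` on the changed line, and confirm the intended size against the canary struct definition, which is outside this hunk.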
9078  /*
9079   * Initialize the stackprotector canary value.
9080 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9081  
9082  static inline void load_stack_canary_segment(void)
9083  {
9084 -#ifdef CONFIG_X86_32
9085 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9086         asm volatile ("mov %0, %%gs" : : "r" (0));
9087  #endif
9088  }
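Review bot: `load_stack_canary_segment()` now skips the `%gs` reload when CONFIG_PAX_MEMORY_UDEREF is set, but the reason is not stated; presumably UDEREF uses `%gs` for its own purpose on 32-bit and zeroing it here would clobber that. A comment such as `/* UDEREF owns %gs on 32-bit; do not reset it here */` would make the exception self-explanatory, and it is worth confirming that the canary segment is still loaded somewhere under UDEREF.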
9089 diff -urNp linux-3.1.1/arch/x86/include/asm/stacktrace.h linux-3.1.1/arch/x86/include/asm/stacktrace.h
9090 --- linux-3.1.1/arch/x86/include/asm/stacktrace.h       2011-11-11 15:19:27.000000000 -0500
9091 +++ linux-3.1.1/arch/x86/include/asm/stacktrace.h       2011-11-16 18:39:07.000000000 -0500
9092 @@ -11,28 +11,20 @@
9093  
9094  extern int kstack_depth_to_print;
9095  
9096 -struct thread_info;
9097 +struct task_struct;
9098  struct stacktrace_ops;
9099  
9100 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
9101 -                                     unsigned long *stack,
9102 -                                     unsigned long bp,
9103 -                                     const struct stacktrace_ops *ops,
9104 -                                     void *data,
9105 -                                     unsigned long *end,
9106 -                                     int *graph);
9107 -
9108 -extern unsigned long
9109 -print_context_stack(struct thread_info *tinfo,
9110 -                   unsigned long *stack, unsigned long bp,
9111 -                   const struct stacktrace_ops *ops, void *data,
9112 -                   unsigned long *end, int *graph);
9113 -
9114 -extern unsigned long
9115 -print_context_stack_bp(struct thread_info *tinfo,
9116 -                      unsigned long *stack, unsigned long bp,
9117 -                      const struct stacktrace_ops *ops, void *data,
9118 -                      unsigned long *end, int *graph);
9119 +typedef unsigned long walk_stack_t(struct task_struct *task,
9120 +                                  void *stack_start,
9121 +                                  unsigned long *stack,
9122 +                                  unsigned long bp,
9123 +                                  const struct stacktrace_ops *ops,
9124 +                                  void *data,
9125 +                                  unsigned long *end,
9126 +                                  int *graph);
9127 +
9128 +extern walk_stack_t print_context_stack;
9129 +extern walk_stack_t print_context_stack_bp;
9130  
9131  /* Generic stack tracer with callbacks */
9132  
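Review bot: `walk_stack_t` changes from a pointer type to a function type, which is why the struct member in the next hunk becomes `walk_stack_t *walk_stack;`; any out-of-tree code that declared variables of the old pointer type will stop compiling, which is fine but deserves a comment on the typedef. The new `void *stack_start` parameter and the switch from `struct thread_info *` to `struct task_struct *` are also undocumented; a short comment above the typedef, e.g. `/* stack walker: task owns the stack being walked, stack_start is its base */`, would help, with the exact meaning of stack_start confirmed against the implementation, which is outside this file.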
9133 @@ -40,7 +32,7 @@ struct stacktrace_ops {
9134         void (*address)(void *data, unsigned long address, int reliable);
9135         /* On negative return stop dumping */
9136         int (*stack)(void *data, char *name);
9137 -       walk_stack_t    walk_stack;
9138 +       walk_stack_t    *walk_stack;
9139  };
9140  
9141  void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
9142 diff -urNp linux-3.1.1/arch/x86/include/asm/sys_ia32.h linux-3.1.1/arch/x86/include/asm/sys_ia32.h
9143 --- linux-3.1.1/arch/x86/include/asm/sys_ia32.h 2011-11-11 15:19:27.000000000 -0500
9144 +++ linux-3.1.1/arch/x86/include/asm/sys_ia32.h 2011-11-16 18:39:07.000000000 -0500
9145 @@ -40,7 +40,7 @@ asmlinkage long sys32_rt_sigprocmask(int
9146                                      compat_sigset_t __user *, unsigned int);
9147  asmlinkage long sys32_alarm(unsigned int);
9148  
9149 -asmlinkage long sys32_waitpid(compat_pid_t, unsigned int *, int);
9150 +asmlinkage long sys32_waitpid(compat_pid_t, unsigned int __user *, int);
9151  asmlinkage long sys32_sysfs(int, u32, u32);
9152  
9153  asmlinkage long sys32_sched_rr_get_interval(compat_pid_t,
9154 diff -urNp linux-3.1.1/arch/x86/include/asm/system.h linux-3.1.1/arch/x86/include/asm/system.h
9155 --- linux-3.1.1/arch/x86/include/asm/system.h   2011-11-11 15:19:27.000000000 -0500
9156 +++ linux-3.1.1/arch/x86/include/asm/system.h   2011-11-16 18:39:07.000000000 -0500
9157 @@ -129,7 +129,7 @@ do {                                                                        \
9158              "call __switch_to\n\t"                                       \
9159              "movq "__percpu_arg([current_task])",%%rsi\n\t"              \
9160              __switch_canary                                              \
9161 -            "movq %P[thread_info](%%rsi),%%r8\n\t"                       \
9162 +            "movq "__percpu_arg([thread_info])",%%r8\n\t"                \
9163              "movq %%rax,%%rdi\n\t"                                       \
9164              "testl  %[_tif_fork],%P[ti_flags](%%r8)\n\t"                 \
9165              "jnz   ret_from_fork\n\t"                                    \
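Review bot: The incoming task's thread_info is now loaded from the per-cpu `current_tinfo` (`[thread_info] "m" (current_tinfo)` in the next hunk) after `call __switch_to` returns, so correctness depends on __switch_to having stored the new task's pointer into current_tinfo before returning; that store is outside this file. A comment on the movq, e.g. `/* __switch_to has already updated current_tinfo for the new task */`, would make the ordering requirement explicit. The enclosing switch_to macro starts and ends outside the hunk.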
9166 @@ -140,7 +140,7 @@ do {                                                                        \
9167                [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
9168                [ti_flags] "i" (offsetof(struct thread_info, flags)),      \
9169                [_tif_fork] "i" (_TIF_FORK),                               \
9170 -              [thread_info] "i" (offsetof(struct task_struct, stack)),   \
9171 +              [thread_info] "m" (current_tinfo),                         \
9172                [current_task] "m" (current_task)                          \
9173                __switch_canary_iparam                                     \
9174              : "memory", "cc" __EXTRA_CLOBBER)
9175 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
9176  {
9177         unsigned long __limit;
9178         asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9179 -       return __limit + 1;
9180 +       return __limit;
9181  }
9182  
9183  static inline void native_clts(void)
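Review bot: `get_limit()` now returns the raw `lsll` result, i.e. the inclusive segment limit, where it previously returned the byte count (`__limit + 1`); every caller is affected and none is in this hunk. Presumably the callers were adjusted elsewhere in the patch, but the contract should be stated on the function, e.g. `/* returns the inclusive limit (last valid offset), not the segment size */`.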
9184 @@ -397,12 +397,12 @@ void enable_hlt(void);
9185  
9186  void cpu_idle_wait(void);
9187  
9188 -extern unsigned long arch_align_stack(unsigned long sp);
9189 +#define arch_align_stack(x) ((x) & ~0xfUL)
9190  extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9191  
9192  void default_idle(void);
9193  
9194 -void stop_this_cpu(void *dummy);
9195 +void stop_this_cpu(void *dummy) __noreturn;
9196  
9197  /*
9198   * Force strict CPU ordering.
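Review bot: Replacing the out-of-line `arch_align_stack()` with a pure 16-byte mask drops whatever the function did beyond alignment (upstream randomizes the stack top there); presumably PaX applies its own stack randomization elsewhere, but a reader of this header cannot tell, so a comment like `/* alignment only: stack randomization is handled by PaX ASLR */` should accompany the macro. Marking `stop_this_cpu()` `__noreturn` is fine provided its definition really never returns; the compiler will trust the attribute and may drop code following calls to it.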
9199 diff -urNp linux-3.1.1/arch/x86/include/asm/thread_info.h linux-3.1.1/arch/x86/include/asm/thread_info.h
9200 --- linux-3.1.1/arch/x86/include/asm/thread_info.h      2011-11-11 15:19:27.000000000 -0500
9201 +++ linux-3.1.1/arch/x86/include/asm/thread_info.h      2011-11-16 18:39:07.000000000 -0500
9202 @@ -10,6 +10,7 @@
9203  #include <linux/compiler.h>
9204  #include <asm/page.h>
9205  #include <asm/types.h>
9206 +#include <asm/percpu.h>
9207  
9208  /*
9209   * low level task data that entry.S needs immediate access to
9210 @@ -24,7 +25,6 @@ struct exec_domain;
9211  #include <linux/atomic.h>
9212  
9213  struct thread_info {
9214 -       struct task_struct      *task;          /* main task structure */
9215         struct exec_domain      *exec_domain;   /* execution domain */
9216         __u32                   flags;          /* low level flags */
9217         __u32                   status;         /* thread synchronous flags */
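Review bot: Dropping `thread_info.task` means every `ti->task` reader (the `current` implementation on some configs, debugging code, out-of-tree modules) must be converted, and none of that is visible here. With `task_thread_info(task)` becoming `&(task)->tinfo` in the last hunk of this file the back-pointer is replaced by containment, so a comment at the top of the struct such as `/* embedded in task_struct as ->tinfo; no back-pointer to the task needed */` would explain the missing field.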
9218 @@ -34,18 +34,12 @@ struct thread_info {
9219         mm_segment_t            addr_limit;
9220         struct restart_block    restart_block;
9221         void __user             *sysenter_return;
9222 -#ifdef CONFIG_X86_32
9223 -       unsigned long           previous_esp;   /* ESP of the previous stack in
9224 -                                                  case of nested (IRQ) stacks
9225 -                                               */
9226 -       __u8                    supervisor_stack[0];
9227 -#endif
9228 +       unsigned long           lowest_stack;
9229         int                     uaccess_err;
9230  };
9231  
9232 -#define INIT_THREAD_INFO(tsk)                  \
9233 +#define INIT_THREAD_INFO                       \
9234  {                                              \
9235 -       .task           = &tsk,                 \
9236         .exec_domain    = &default_exec_domain, \
9237         .flags          = 0,                    \
9238         .cpu            = 0,                    \
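Review bot: `INIT_THREAD_INFO` no longer takes the `tsk` argument, so the generic `INIT_THREAD_INFO(tsk)` user in include/linux/init_task.h and any other caller must change in step; none of that is in this hunk. The new `lowest_stack` field is also the only member without a comment; given `pax_track_stack()` appears in the uaccess_32.h hunks below, something like `/* lowest stack address seen so far, maintained by pax_track_stack() */` seems right but should be confirmed against the definition.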
9239 @@ -56,7 +50,7 @@ struct thread_info {
9240         },                                      \
9241  }
9242  
9243 -#define init_thread_info       (init_thread_union.thread_info)
9244 +#define init_thread_info       (init_thread_union.stack)
9245  #define init_stack             (init_thread_union.stack)
9246  
9247  #else /* !__ASSEMBLY__ */
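Review bot: `init_thread_info` and `init_stack` now expand to the same object, `init_thread_union.stack`; unless init_thread_union is redefined elsewhere in the patch so that `.stack` is no longer the raw stack array, the first macro yields an `unsigned long[]` where a `struct thread_info` is expected. A comment stating what init_thread_union looks like after this patch, or pointing init_thread_info at the init task's embedded `tinfo` (cf. `task_thread_info(task) (&(task)->tinfo)` in the last hunk of this file), would remove the ambiguity.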
9248 @@ -170,6 +164,23 @@ struct thread_info {
9249         ret;                                                            \
9250  })
9251  
9252 +#ifdef __ASSEMBLY__
9253 +/* how to get the thread information struct from ASM */
9254 +#define GET_THREAD_INFO(reg)    \
9255 +       mov PER_CPU_VAR(current_tinfo), reg
9256 +
9257 +/* use this one if reg already contains %esp */
9258 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
9259 +#else
9260 +/* how to get the thread information struct from C */
9261 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
9262 +
9263 +static __always_inline struct thread_info *current_thread_info(void)
9264 +{
9265 +       return percpu_read_stable(current_tinfo);
9266 +}
9267 +#endif
9268 +
9269  #ifdef CONFIG_X86_32
9270  
9271  #define STACK_WARN     (THREAD_SIZE/8)
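Review bot: The retained comment `/* use this one if reg already contains %esp */` above `GET_THREAD_INFO_WITH_ESP(reg)` is now misleading: the macro is an alias of GET_THREAD_INFO and ignores whatever reg contains, since the thread_info comes from `PER_CPU_VAR(current_tinfo)`. Suggest `/* kept for callers of the old interface; reg's contents are ignored */`. Whether this `#ifdef __ASSEMBLY__` block sits inside or outside the surrounding `#ifndef __ASSEMBLY__` region cannot be told from the hunk, so that placement is worth a second look.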
9272 @@ -180,35 +191,13 @@ struct thread_info {
9273   */
9274  #ifndef __ASSEMBLY__
9275  
9276 -
9277  /* how to get the current stack pointer from C */
9278  register unsigned long current_stack_pointer asm("esp") __used;
9279  
9280 -/* how to get the thread information struct from C */
9281 -static inline struct thread_info *current_thread_info(void)
9282 -{
9283 -       return (struct thread_info *)
9284 -               (current_stack_pointer & ~(THREAD_SIZE - 1));
9285 -}
9286 -
9287 -#else /* !__ASSEMBLY__ */
9288 -
9289 -/* how to get the thread information struct from ASM */
9290 -#define GET_THREAD_INFO(reg)    \
9291 -       movl $-THREAD_SIZE, reg; \
9292 -       andl %esp, reg
9293 -
9294 -/* use this one if reg already contains %esp */
9295 -#define GET_THREAD_INFO_WITH_ESP(reg) \
9296 -       andl $-THREAD_SIZE, reg
9297 -
9298  #endif
9299  
9300  #else /* X86_32 */
9301  
9302 -#include <asm/percpu.h>
9303 -#define KERNEL_STACK_OFFSET (5*8)
9304 -
9305  /*
9306   * macros/functions for gaining access to the thread information structure
9307   * preempt_count needs to be 1 initially, until the scheduler is functional.
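Review bot: Removing `KERNEL_STACK_OFFSET` from the header affects every assembly and C user of that constant (the 64-bit entry code and the per-cpu `kernel_stack` setup upstream), none of which is in this hunk; the `DECLARE_PER_CPU(unsigned long, kernel_stack);` declaration itself survives in the next hunk although its only consumer in this file, the old current_thread_info(), is gone. A comment next to the remaining declaration naming who still uses kernel_stack would avoid it reading as a leftover.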
9308 @@ -216,21 +205,8 @@ static inline struct thread_info *curren
9309  #ifndef __ASSEMBLY__
9310  DECLARE_PER_CPU(unsigned long, kernel_stack);
9311  
9312 -static inline struct thread_info *current_thread_info(void)
9313 -{
9314 -       struct thread_info *ti;
9315 -       ti = (void *)(percpu_read_stable(kernel_stack) +
9316 -                     KERNEL_STACK_OFFSET - THREAD_SIZE);
9317 -       return ti;
9318 -}
9319 -
9320 -#else /* !__ASSEMBLY__ */
9321 -
9322 -/* how to get the thread information struct from ASM */
9323 -#define GET_THREAD_INFO(reg) \
9324 -       movq PER_CPU_VAR(kernel_stack),reg ; \
9325 -       subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
9326 -
9327 +/* how to get the current stack pointer from C */
9328 +register unsigned long current_stack_pointer asm("rsp") __used;
9329  #endif
9330  
9331  #endif /* !X86_32 */
9332 @@ -266,5 +242,16 @@ extern void arch_task_cache_init(void);
9333  extern void free_thread_info(struct thread_info *ti);
9334  extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
9335  #define arch_task_cache_init arch_task_cache_init
9336 +
9337 +#define __HAVE_THREAD_FUNCTIONS
9338 +#define task_thread_info(task) (&(task)->tinfo)
9339 +#define task_stack_page(task)  ((task)->stack)
9340 +#define setup_thread_stack(p, org) do {} while (0)
9341 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
9342 +
9343 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
9344 +extern struct task_struct *alloc_task_struct_node(int node);
9345 +extern void free_task_struct(struct task_struct *);
9346 +
9347  #endif
9348  #endif /* _ASM_X86_THREAD_INFO_H */
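Review bot: `end_of_stack(p)` now points one word into the stack page (`(unsigned long *)task_stack_page(p) + 1`) instead of just past the thread_info, and `setup_thread_stack()` becomes a no-op; both change what the generic stack-end magic and overflow checks observe, and the copy of the parent's thread_info that upstream setup_thread_stack performed must now happen in `arch_dup_task_struct()`, which is outside the hunk. Why word 0 of the stack page is skipped is not stated either. Suggest comments on both macros, e.g. `/* thread_info lives in task_struct; only the stack itself is on the stack page */` and `/* tinfo is copied by arch_dup_task_struct() */`, confirming the latter against the implementation.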
9349 diff -urNp linux-3.1.1/arch/x86/include/asm/uaccess_32.h linux-3.1.1/arch/x86/include/asm/uaccess_32.h
9350 --- linux-3.1.1/arch/x86/include/asm/uaccess_32.h       2011-11-11 15:19:27.000000000 -0500
9351 +++ linux-3.1.1/arch/x86/include/asm/uaccess_32.h       2011-11-16 18:40:08.000000000 -0500
9352 @@ -43,6 +43,11 @@ unsigned long __must_check __copy_from_u
9353  static __always_inline unsigned long __must_check
9354  __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9355  {
9356 +       pax_track_stack();
9357 +
9358 +       if ((long)n < 0)
9359 +               return n;
9360 +
9361         if (__builtin_constant_p(n)) {
9362                 unsigned long ret;
9363  
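Review bot: `pax_track_stack()` is added to `__copy_to_user_inatomic()` here and to `__copy_from_user()` in a later hunk, but not to `__copy_from_user_inatomic()` or the nocache variants, so the set of copy paths that update the stack tracking is uneven; if that is deliberate, a comment on the omitted paths would help. The `(long)n < 0` guard returns `n` itself as the uncopied count, which keeps the return contract but surprises readers unfamiliar with the PaX convention; a comment such as `/* length has the sign bit set: treat as nothing copied */` would explain the early return, and the same guard recurs in every uaccess_32.h hunk below. The enclosing function ends outside the hunk.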
9364 @@ -61,6 +66,8 @@ __copy_to_user_inatomic(void __user *to,
9365                         return ret;
9366                 }
9367         }
9368 +       if (!__builtin_constant_p(n))
9369 +               check_object_size(from, n, true);
9370         return __copy_to_user_ll(to, from, n);
9371  }
9372  
9373 @@ -82,12 +89,16 @@ static __always_inline unsigned long __m
9374  __copy_to_user(void __user *to, const void *from, unsigned long n)
9375  {
9376         might_fault();
9377 +
9378         return __copy_to_user_inatomic(to, from, n);
9379  }
9380  
9381  static __always_inline unsigned long
9382  __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9383  {
9384 +       if ((long)n < 0)
9385 +               return n;
9386 +
9387         /* Avoid zeroing the tail if the copy fails..
9388          * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9389          * but as the zeroing behaviour is only significant when n is not
9390 @@ -137,6 +148,12 @@ static __always_inline unsigned long
9391  __copy_from_user(void *to, const void __user *from, unsigned long n)
9392  {
9393         might_fault();
9394 +
9395 +       pax_track_stack();
9396 +
9397 +       if ((long)n < 0)
9398 +               return n;
9399 +
9400         if (__builtin_constant_p(n)) {
9401                 unsigned long ret;
9402  
9403 @@ -152,6 +169,8 @@ __copy_from_user(void *to, const void __
9404                         return ret;
9405                 }
9406         }
9407 +       if (!__builtin_constant_p(n))
9408 +               check_object_size(to, n, false);
9409         return __copy_from_user_ll(to, from, n);
9410  }
9411  
9412 @@ -159,6 +178,10 @@ static __always_inline unsigned long __c
9413                                 const void __user *from, unsigned long n)
9414  {
9415         might_fault();
9416 +
9417 +       if ((long)n < 0)
9418 +               return n;
9419 +
9420         if (__builtin_constant_p(n)) {
9421                 unsigned long ret;
9422  
9423 @@ -181,15 +204,19 @@ static __always_inline unsigned long
9424  __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9425                                   unsigned long n)
9426  {
9427 -       return __copy_from_user_ll_nocache_nozero(to, from, n);
9428 -}
9429 +       if ((long)n < 0)
9430 +               return n;
9431  
9432 -unsigned long __must_check copy_to_user(void __user *to,
9433 -                                       const void *from, unsigned long n);
9434 -unsigned long __must_check _copy_from_user(void *to,
9435 -                                         const void __user *from,
9436 -                                         unsigned long n);
9437 +       return __copy_from_user_ll_nocache_nozero(to, from, n);
9438 +}
9439  
9440 +extern void copy_to_user_overflow(void)
9441 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9442 +       __compiletime_error("copy_to_user() buffer size is not provably correct")
9443 +#else
9444 +       __compiletime_warning("copy_to_user() buffer size is not provably correct")
9445 +#endif
9446 +;
9447  
9448  extern void copy_from_user_overflow(void)
9449  #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
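Review bot: `copy_to_user_overflow()` is declared with `__compiletime_warning` in the non-strict configuration, so the call survives in the binary whenever the compiler cannot prove the size and an out-of-line definition must exist, as it does for `copy_from_user_overflow()`; that definition is outside this hunk and should be confirmed. A comment on the declaration, e.g. `/* out-of-line definition lives with copy_from_user_overflow() */`, would make the dependency visible.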
9450 @@ -199,17 +226,61 @@ extern void copy_from_user_overflow(void
9451  #endif
9452  ;
9453  
9454 -static inline unsigned long __must_check copy_from_user(void *to,
9455 -                                         const void __user *from,
9456 -                                         unsigned long n)
9457 +/**
9458 + * copy_to_user: - Copy a block of data into user space.
9459 + * @to:   Destination address, in user space.
9460 + * @from: Source address, in kernel space.
9461 + * @n:    Number of bytes to copy.
9462 + *
9463 + * Context: User context only.  This function may sleep.
9464 + *
9465 + * Copy data from kernel space to user space.
9466 + *
9467 + * Returns number of bytes that could not be copied.
9468 + * On success, this will be zero.
9469 + */
9470 +static inline unsigned long __must_check
9471 +copy_to_user(void __user *to, const void *from, unsigned long n)
9472 +{
9473 +       int sz = __compiletime_object_size(from);
9474 +
9475 +       if (unlikely(sz != -1 && sz < n))
9476 +               copy_to_user_overflow();
9477 +       else if (access_ok(VERIFY_WRITE, to, n))
9478 +               n = __copy_to_user(to, from, n);
9479 +       return n;
9480 +}
9481 +
9482 +/**
9483 + * copy_from_user: - Copy a block of data from user space.
9484 + * @to:   Destination address, in kernel space.
9485 + * @from: Source address, in user space.
9486 + * @n:    Number of bytes to copy.
9487 + *
9488 + * Context: User context only.  This function may sleep.
9489 + *
9490 + * Copy data from user space to kernel space.
9491 + *
9492 + * Returns number of bytes that could not be copied.
9493 + * On success, this will be zero.
9494 + *
9495 + * If some data could not be copied, this function will pad the copied
9496 + * data to the requested size using zero bytes.
9497 + */
9498 +static inline unsigned long __must_check
9499 +copy_from_user(void *to, const void __user *from, unsigned long n)
9500  {
9501         int sz = __compiletime_object_size(to);
9502  
9503 -       if (likely(sz == -1 || sz >= n))
9504 -               n = _copy_from_user(to, from, n);
9505 -       else
9506 +       if (unlikely(sz != -1 && sz < n))
9507                 copy_from_user_overflow();
9508 -
9509 +       else if (access_ok(VERIFY_READ, from, n))
9510 +               n = __copy_from_user(to, from, n);
9511 +       else if ((long)n > 0) {
9512 +               if (!__builtin_constant_p(n))
9513 +                       check_object_size(to, n, false);
9514 +               memset(to, 0, n);
9515 +       }
9516         return n;
9517  }
9518  
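Review bot: The new kerneldoc promises that `copy_from_user()` pads the destination with zero bytes when data could not be copied, but the overflow branch (`copy_from_user_overflow()`) returns `n` without touching `to`, while only the `access_ok()` failure branch does `memset(to, 0, n)`; a caller that trusts the doc and reads the buffer sees uninitialized kernel memory in the first case. Either zero there as well or qualify the doc, e.g. ` * (the buffer is left untouched when the compile-time size check fails)`. The `(long)n > 0` guard on the memset is what prevents a huge memset for a wrapped length and deserves a one-line comment too.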
9519 diff -urNp linux-3.1.1/arch/x86/include/asm/uaccess_64.h linux-3.1.1/arch/x86/include/asm/uaccess_64.h
9520 --- linux-3.1.1/arch/x86/include/asm/uaccess_64.h       2011-11-11 15:19:27.000000000 -0500
9521 +++ linux-3.1.1/arch/x86/include/asm/uaccess_64.h       2011-11-16 18:40:08.000000000 -0500
9522 @@ -10,6 +10,9 @@
9523  #include <asm/alternative.h>
9524  #include <asm/cpufeature.h>
9525  #include <asm/page.h>
9526 +#include <asm/pgtable.h>
9527 +
9528 +#define set_fs(x)      (current_thread_info()->addr_limit = (x))
9529  
9530  /*
9531   * Copy To/From Userspace
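Review bot: `set_fs()` is defined here in uaccess_64.h although, as far as I recall, the same macro lives in asm/uaccess.h which includes this header; if the generic definition is not removed elsewhere in the patch this is a redefinition, and if it is removed the 32-bit side needs its own copy. A comment naming the reason for the move, e.g. `/* needs current_thread_info(), which is now per-cpu rather than stack-derived */`, would help; the added `asm/pgtable.h` include presumably serves the PAX_USER_SHADOW_BASE use further down, which is also worth a word.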
9532 @@ -36,26 +39,26 @@ copy_user_generic(void *to, const void *
9533         return ret;
9534  }
9535  
9536 -__must_check unsigned long
9537 -_copy_to_user(void __user *to, const void *from, unsigned len);
9538 -__must_check unsigned long
9539 -_copy_from_user(void *to, const void __user *from, unsigned len);
9540 +static __always_inline __must_check unsigned long
9541 +__copy_to_user(void __user *to, const void *from, unsigned len);
9542 +static __always_inline __must_check unsigned long
9543 +__copy_from_user(void *to, const void __user *from, unsigned len);
9544  __must_check unsigned long
9545  copy_in_user(void __user *to, const void __user *from, unsigned len);
9546  
9547  static inline unsigned long __must_check copy_from_user(void *to,
9548                                           const void __user *from,
9549 -                                         unsigned long n)
9550 +                                         unsigned n)
9551  {
9552 -       int sz = __compiletime_object_size(to);
9553 -
9554         might_fault();
9555 -       if (likely(sz == -1 || sz >= n))
9556 -               n = _copy_from_user(to, from, n);
9557 -#ifdef CONFIG_DEBUG_VM
9558 -       else
9559 -               WARN(1, "Buffer overflow detected!\n");
9560 -#endif
9561 +
9562 +       if (access_ok(VERIFY_READ, from, n))
9563 +               n = __copy_from_user(to, from, n);
9564 +       else if ((int)n > 0) {
9565 +               if (!__builtin_constant_p(n))
9566 +                       check_object_size(to, n, false);
9567 +               memset(to, 0, n);
9568 +       }
9569         return n;
9570  }
9571  
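Review bot: The `n` parameter of `copy_from_user()` narrows from `unsigned long` to `unsigned`, so a 64-bit length passed by a caller is truncated to 32 bits before `access_ok()` and the `(int)n > 0` test see it — a length of 2^32 + 16 arrives as 16 and passes. The inner copy routines already took `unsigned`, so truncation existed downstream, but the outer checks used to operate on the full value; keeping `unsigned long n` here and rejecting wrapped values with the `(long)n` convention used in uaccess_32.h would be safer, and the `(int)n` versus `(long)n` inconsistency between the two headers is worth aligning regardless. The removed `__compiletime_object_size` check reappears in `__copy_from_user()` in the next hunk, so that part is a move rather than a loss.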
9572 @@ -64,110 +67,198 @@ int copy_to_user(void __user *dst, const
9573  {
9574         might_fault();
9575  
9576 -       return _copy_to_user(dst, src, size);
9577 +       if (access_ok(VERIFY_WRITE, dst, size))
9578 +               size = __copy_to_user(dst, src, size);
9579 +       return size;
9580  }
9581  
9582  static __always_inline __must_check
9583 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9584 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9585  {
9586 -       int ret = 0;
9587 +       int sz = __compiletime_object_size(dst);
9588 +       unsigned ret = 0;
9589  
9590         might_fault();
9591 -       if (!__builtin_constant_p(size))
9592 -               return copy_user_generic(dst, (__force void *)src, size);
9593 +
9594 +       pax_track_stack();
9595 +
9596 +       if ((int)size < 0)
9597 +               return size;
9598 +
9599 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9600 +       if (!__access_ok(VERIFY_READ, src, size))
9601 +               return size;
9602 +#endif
9603 +
9604 +       if (unlikely(sz != -1 && sz < size)) {
9605 +#ifdef CONFIG_DEBUG_VM
9606 +               WARN(1, "Buffer overflow detected!\n");
9607 +#endif
9608 +               return size;
9609 +       }
9610 +
9611 +       if (!__builtin_constant_p(size)) {
9612 +               check_object_size(dst, size, false);
9613 +
9614 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9615 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9616 +                       src += PAX_USER_SHADOW_BASE;
9617 +#endif
9618 +
9619 +               return copy_user_generic(dst, (__force_kernel const void *)src, size);
9620 +       }
9621         switch (size) {
9622 -       case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9623 +       case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
9624                               ret, "b", "b", "=q", 1);
9625                 return ret;
9626 -       case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
9627 +       case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
9628                               ret, "w", "w", "=r", 2);
9629                 return ret;
9630 -       case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
9631 +       case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
9632                               ret, "l", "k", "=r", 4);
9633                 return ret;
9634 -       case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
9635 +       case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9636                               ret, "q", "", "=r", 8);
9637                 return ret;
9638         case 10:
9639 -               __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9640 +               __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9641                                ret, "q", "", "=r", 10);
9642                 if (unlikely(ret))
9643                         return ret;
9644                 __get_user_asm(*(u16 *)(8 + (char *)dst),
9645 -                              (u16 __user *)(8 + (char __user *)src),
9646 +                              (const u16 __user *)(8 + (const char __user *)src),
9647                                ret, "w", "w", "=r", 2);
9648                 return ret;
9649         case 16:
9650 -               __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9651 +               __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9652                                ret, "q", "", "=r", 16);
9653                 if (unlikely(ret))
9654                         return ret;
9655                 __get_user_asm(*(u64 *)(8 + (char *)dst),
9656 -                              (u64 __user *)(8 + (char __user *)src),
9657 +                              (const u64 __user *)(8 + (const char __user *)src),
9658                                ret, "q", "", "=r", 8);
9659                 return ret;
9660         default:
9661 -               return copy_user_generic(dst, (__force void *)src, size);
9662 +
9663 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9664 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9665 +                       src += PAX_USER_SHADOW_BASE;
9666 +#endif
9667 +
9668 +               return copy_user_generic(dst, (__force_kernel const void *)src, size);
9669         }
9670  }
9671  
9672  static __always_inline __must_check
9673 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9674 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9675  {
9676 -       int ret = 0;
9677 +       int sz = __compiletime_object_size(src);
9678 +       unsigned ret = 0;
9679  
9680         might_fault();
9681 -       if (!__builtin_constant_p(size))
9682 -               return copy_user_generic((__force void *)dst, src, size);
9683 +
9684 +       pax_track_stack();
9685 +
9686 +       if ((int)size < 0)
9687 +               return size;
9688 +
9689 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9690 +       if (!__access_ok(VERIFY_WRITE, dst, size))
9691 +               return size;
9692 +#endif
9693 +
9694 +       if (unlikely(sz != -1 && sz < size)) {
9695 +#ifdef CONFIG_DEBUG_VM
9696 +               WARN(1, "Buffer overflow detected!\n");
9697 +#endif
9698 +               return size;
9699 +       }
9700 +
9701 +       if (!__builtin_constant_p(size)) {
9702 +               check_object_size(src, size, true);
9703 +
9704 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9705 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9706 +                       dst += PAX_USER_SHADOW_BASE;
9707 +#endif
9708 +
9709 +               return copy_user_generic((__force_kernel void *)dst, src, size);
9710 +       }
9711         switch (size) {
9712 -       case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9713 +       case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
9714                               ret, "b", "b", "iq", 1);
9715                 return ret;
9716 -       case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
9717 +       case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
9718                               ret, "w", "w", "ir", 2);
9719                 return ret;
9720 -       case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
9721 +       case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
9722                               ret, "l", "k", "ir", 4);
9723                 return ret;
9724 -       case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
9725 +       case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9726                               ret, "q", "", "er", 8);
9727                 return ret;
9728         case 10:
9729 -               __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9730 +               __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9731                                ret, "q", "", "er", 10);
9732                 if (unlikely(ret))
9733                         return ret;
9734                 asm("":::"memory");
9735 -               __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
9736 +               __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
9737                                ret, "w", "w", "ir", 2);
9738                 return ret;
9739         case 16:
9740 -               __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9741 +               __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9742                                ret, "q", "", "er", 16);
9743                 if (unlikely(ret))
9744                         return ret;
9745                 asm("":::"memory");
9746 -               __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
9747 +               __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
9748                                ret, "q", "", "er", 8);
9749                 return ret;
9750         default:
9751 -               return copy_user_generic((__force void *)dst, src, size);
9752 +
9753 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9754 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9755 +                       dst += PAX_USER_SHADOW_BASE;
9756 +#endif
9757 +
9758 +               return copy_user_generic((__force_kernel void *)dst, src, size);
9759         }
9760  }
9761  
9762  static __always_inline __must_check
9763 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9764 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9765  {
9766 -       int ret = 0;
9767 +       unsigned ret = 0;
9768  
9769         might_fault();
9770 -       if (!__builtin_constant_p(size))
9771 -               return copy_user_generic((__force void *)dst,
9772 -                                        (__force void *)src, size);
9773 +
9774 +       if ((int)size < 0)
9775 +               return size;
9776 +
9777 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9778 +       if (!__access_ok(VERIFY_READ, src, size))
9779 +               return size;
9780 +       if (!__access_ok(VERIFY_WRITE, dst, size))
9781 +               return size;
9782 +#endif
9783 +
9784 +       if (!__builtin_constant_p(size)) {
9785 +
9786 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9787 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9788 +                       src += PAX_USER_SHADOW_BASE;
9789 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9790 +                       dst += PAX_USER_SHADOW_BASE;
9791 +#endif
9792 +
9793 +               return copy_user_generic((__force_kernel void *)dst,
9794 +                                        (__force_kernel const void *)src, size);
9795 +       }
9796         switch (size) {
9797         case 1: {
9798                 u8 tmp;
9799 -               __get_user_asm(tmp, (u8 __user *)src,
9800 +               __get_user_asm(tmp, (const u8 __user *)src,
9801                                ret, "b", "b", "=q", 1);
9802                 if (likely(!ret))
9803                         __put_user_asm(tmp, (u8 __user *)dst,
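Review bot: The object-size mismatch branch of `__copy_from_user` (`if (unlikely(sz != -1 && sz < size))`) returns `size` silently unless CONFIG_DEBUG_VM is set, so a caller that passes a length larger than its destination buffer — the exact bug this check exists to catch — is never reported on a production kernel; `__copy_to_user` later in this hunk has the same shape. Since the event is security-relevant and the check is already paid for, consider reporting it unconditionally but rate-limited, `WARN_ONCE(1, "Buffer overflow detected!\n");`, in place of the `#ifdef CONFIG_DEBUG_VM` block. The comparison `sz < size` mixes an `int` with an `unsigned`; it is only safe because `sz` is non-negative whenever it is not -1, which deserves a one-line comment. The `if ((unsigned long)p < PAX_USER_SHADOW_BASE) p += PAX_USER_SHADOW_BASE;` rebase is open-coded six times in this hunk and again in the `__copy_in_user` default case and the `_inatomic` helpers in the following hunks; a single helper would keep the copies from drifting. `copy_to_user`'s signature appears only in the hunk header, and `__copy_in_user` continues past the end of this hunk.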
9804 @@ -176,7 +267,7 @@ int __copy_in_user(void __user *dst, con
9805         }
9806         case 2: {
9807                 u16 tmp;
9808 -               __get_user_asm(tmp, (u16 __user *)src,
9809 +               __get_user_asm(tmp, (const u16 __user *)src,
9810                                ret, "w", "w", "=r", 2);
9811                 if (likely(!ret))
9812                         __put_user_asm(tmp, (u16 __user *)dst,
9813 @@ -186,7 +277,7 @@ int __copy_in_user(void __user *dst, con
9814  
9815         case 4: {
9816                 u32 tmp;
9817 -               __get_user_asm(tmp, (u32 __user *)src,
9818 +               __get_user_asm(tmp, (const u32 __user *)src,
9819                                ret, "l", "k", "=r", 4);
9820                 if (likely(!ret))
9821                         __put_user_asm(tmp, (u32 __user *)dst,
9822 @@ -195,7 +286,7 @@ int __copy_in_user(void __user *dst, con
9823         }
9824         case 8: {
9825                 u64 tmp;
9826 -               __get_user_asm(tmp, (u64 __user *)src,
9827 +               __get_user_asm(tmp, (const u64 __user *)src,
9828                                ret, "q", "", "=r", 8);
9829                 if (likely(!ret))
9830                         __put_user_asm(tmp, (u64 __user *)dst,
9831 @@ -203,8 +294,16 @@ int __copy_in_user(void __user *dst, con
9832                 return ret;
9833         }
9834         default:
9835 -               return copy_user_generic((__force void *)dst,
9836 -                                        (__force void *)src, size);
9837 +
9838 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9839 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9840 +                       src += PAX_USER_SHADOW_BASE;
9841 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9842 +                       dst += PAX_USER_SHADOW_BASE;
9843 +#endif
9844 +
9845 +               return copy_user_generic((__force_kernel void *)dst,
9846 +                                        (__force_kernel const void *)src, size);
9847         }
9848  }
9849  
9850 @@ -221,33 +320,72 @@ __must_check unsigned long __clear_user(
9851  static __must_check __always_inline int
9852  __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9853  {
9854 -       return copy_user_generic(dst, (__force const void *)src, size);
9855 +       pax_track_stack();
9856 +
9857 +       if ((int)size < 0)
9858 +               return size;
9859 +
9860 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9861 +       if (!__access_ok(VERIFY_READ, src, size))
9862 +               return size;
9863 +
9864 +       if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9865 +               src += PAX_USER_SHADOW_BASE;
9866 +#endif
9867 +
9868 +       return copy_user_generic(dst, (__force_kernel const void *)src, size);
9869  }
9870  
9871 -static __must_check __always_inline int
9872 +static __must_check __always_inline unsigned long
9873  __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9874  {
9875 -       return copy_user_generic((__force void *)dst, src, size);
9876 +       if ((int)size < 0)
9877 +               return size;
9878 +
9879 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9880 +       if (!__access_ok(VERIFY_WRITE, dst, size))
9881 +               return size;
9882 +
9883 +       if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9884 +               dst += PAX_USER_SHADOW_BASE;
9885 +#endif
9886 +
9887 +       return copy_user_generic((__force_kernel void *)dst, src, size);
9888  }
9889  
9890 -extern long __copy_user_nocache(void *dst, const void __user *src,
9891 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9892                                 unsigned size, int zerorest);
9893  
9894 -static inline int
9895 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9896 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9897  {
9898         might_sleep();
9899 +
9900 +       if ((int)size < 0)
9901 +               return size;
9902 +
9903 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9904 +       if (!__access_ok(VERIFY_READ, src, size))
9905 +               return size;
9906 +#endif
9907 +
9908         return __copy_user_nocache(dst, src, size, 1);
9909  }
9910  
9911 -static inline int
9912 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9913 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9914                                   unsigned size)
9915  {
9916 +       if ((int)size < 0)
9917 +               return size;
9918 +
9919 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9920 +       if (!__access_ok(VERIFY_READ, src, size))
9921 +               return size;
9922 +#endif
9923 +
9924         return __copy_user_nocache(dst, src, size, 0);
9925  }
9926  
9927 -unsigned long
9928 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9929 +extern unsigned long
9930 +copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest);
9931  
9932  #endif /* _ASM_X86_UACCESS_64_H */
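Review bot: `__copy_from_user_inatomic` keeps its `int` return type at the top of this hunk while its sibling `__copy_to_user_inatomic` and both `nocache` variants are changed to `unsigned long`; with the new `if ((int)size < 0) return size;` guard, a rejected length is returned through an `int` and reaches the caller as a negative value, unlike every other copy helper in this file. Changing the declaration to `static __must_check __always_inline unsigned long` keeps the family consistent. `__copy_from_user_nocache` and `__copy_from_user_inatomic_nocache` pass `src` to `__copy_user_nocache` without the `PAX_USER_SHADOW_BASE` rebase applied in the other helpers; if that is handled inside `__copy_user_nocache`, a one-line comment saying so would stop the next reader from assuming it was missed. `__copy_from_user_inatomic` also calls `pax_track_stack()` where `__copy_to_user_inatomic` does not, which looks unintentional.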
9933 diff -urNp linux-3.1.1/arch/x86/include/asm/uaccess.h linux-3.1.1/arch/x86/include/asm/uaccess.h
9934 --- linux-3.1.1/arch/x86/include/asm/uaccess.h  2011-11-11 15:19:27.000000000 -0500
9935 +++ linux-3.1.1/arch/x86/include/asm/uaccess.h  2011-11-16 18:39:07.000000000 -0500
9936 @@ -7,12 +7,15 @@
9937  #include <linux/compiler.h>
9938  #include <linux/thread_info.h>
9939  #include <linux/string.h>
9940 +#include <linux/sched.h>
9941  #include <asm/asm.h>
9942  #include <asm/page.h>
9943  
9944  #define VERIFY_READ 0
9945  #define VERIFY_WRITE 1
9946  
9947 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9948 +
9949  /*
9950   * The fs value determines whether argument validity checking should be
9951   * performed or not.  If get_fs() == USER_DS, checking is performed, with
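Review bot: The new `check_object_size` declaration leaves its `bool to` parameter undocumented; from the callers in uaccess_64.h it is `false` for copies from user space and `true` for copies to user space, which is not guessable from the name. A comment on the declaration, `/* to: true when the kernel object is the copy source (copy to user), false when it is the destination */`, would fix that.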
9952 @@ -28,7 +31,12 @@
9953  
9954  #define get_ds()       (KERNEL_DS)
9955  #define get_fs()       (current_thread_info()->addr_limit)
9956 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9957 +void __set_fs(mm_segment_t x);
9958 +void set_fs(mm_segment_t x);
9959 +#else
9960  #define set_fs(x)      (current_thread_info()->addr_limit = (x))
9961 +#endif
9962  
9963  #define segment_eq(a, b)       ((a).seg == (b).seg)
9964  
9965 @@ -76,7 +84,33 @@
9966   * checks that the pointer is in the user space range - after calling
9967   * this function, memory access functions may still return -EFAULT.
9968   */
9969 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9970 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9971 +#define access_ok(type, addr, size)                                    \
9972 +({                                                                     \
9973 +       long __size = size;                                             \
9974 +       unsigned long __addr = (unsigned long)addr;                     \
9975 +       unsigned long __addr_ao = __addr & PAGE_MASK;                   \
9976 +       unsigned long __end_ao = __addr + __size - 1;                   \
9977 +       bool __ret_ao = __range_not_ok(__addr, __size) == 0;            \
9978 +       if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9979 +               while(__addr_ao <= __end_ao) {                          \
9980 +                       char __c_ao;                                    \
9981 +                       __addr_ao += PAGE_SIZE;                         \
9982 +                       if (__size > PAGE_SIZE)                         \
9983 +                               cond_resched();                         \
9984 +                       if (__get_user(__c_ao, (char __user *)__addr))  \
9985 +                               break;                                  \
9986 +                       if (type != VERIFY_WRITE) {                     \
9987 +                               __addr = __addr_ao;                     \
9988 +                               continue;                               \
9989 +                       }                                               \
9990 +                       if (__put_user(__c_ao, (char __user *)__addr))  \
9991 +                               break;                                  \
9992 +                       __addr = __addr_ao;                             \
9993 +               }                                                       \
9994 +       }                                                               \
9995 +       __ret_ao;                                                       \
9996 +})
9997  
9998  /*
9999   * The exception table consists of pairs of addresses: the first is the
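Review bot: In the VERIFY_WRITE path of the new `access_ok`, the byte read by `__get_user(__c_ao, ...)` is written back with `__put_user(__c_ao, ...)`; the pair is not atomic, so another thread of the same process that stores to that byte in between can have its store overwritten by the stale value. Unless something outside this hunk rules out concurrent writers, this deserves an explicit comment and, if the intent is only to pre-fault the page for writing, an atomic read-modify-write that leaves the byte unchanged would avoid the lost-store window. The probe loop also never clears `__ret_ao` when a probe faults (it only breaks), so the macro still returns the pure range-check result; that is presumably intended, but `/* best-effort prefault of each page; faults here are left for the real copy to report */` above the loop would make it clear. The comment above the macro (`checks that the pointer is in the user space range`) no longer describes everything the macro does; it should mention the page probe and that `__access_ok` is now the range-only form.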
10000 @@ -182,12 +216,20 @@ extern int __get_user_bad(void);
10001         asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
10002                      : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
10003  
10004 -
10005 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10006 +#define __copyuser_seg "gs;"
10007 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
10008 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
10009 +#else
10010 +#define __copyuser_seg
10011 +#define __COPYUSER_SET_ES
10012 +#define __COPYUSER_RESTORE_ES
10013 +#endif
10014  
10015  #ifdef CONFIG_X86_32
10016  #define __put_user_asm_u64(x, addr, err, errret)                       \
10017 -       asm volatile("1:        movl %%eax,0(%2)\n"                     \
10018 -                    "2:        movl %%edx,4(%2)\n"                     \
10019 +       asm volatile("1:        "__copyuser_seg"movl %%eax,0(%2)\n"     \
10020 +                    "2:        "__copyuser_seg"movl %%edx,4(%2)\n"     \
10021                      "3:\n"                                             \
10022                      ".section .fixup,\"ax\"\n"                         \
10023                      "4:        movl %3,%0\n"                           \
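Review bot: The three new macros `__copyuser_seg`, `__COPYUSER_SET_ES` and `__COPYUSER_RESTORE_ES` carry no comment, and their names do not say when the 32-bit UDEREF variant is selected or what the empty fallback means. A short block above the `#if`, `/* CONFIG_X86_32 + CONFIG_PAX_MEMORY_UDEREF: user accesses in the uaccess asm carry a %gs segment override; __COPYUSER_SET_ES loads %es from %gs and __COPYUSER_RESTORE_ES reloads it from %ss. Otherwise all three expand to nothing. */`, would explain the prefix strings that appear in the `mov` templates below.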
10024 @@ -199,8 +241,8 @@ extern int __get_user_bad(void);
10025                      : "A" (x), "r" (addr), "i" (errret), "0" (err))
10026  
10027  #define __put_user_asm_ex_u64(x, addr)                                 \
10028 -       asm volatile("1:        movl %%eax,0(%1)\n"                     \
10029 -                    "2:        movl %%edx,4(%1)\n"                     \
10030 +       asm volatile("1:        "__copyuser_seg"movl %%eax,0(%1)\n"     \
10031 +                    "2:        "__copyuser_seg"movl %%edx,4(%1)\n"     \
10032                      "3:\n"                                             \
10033                      _ASM_EXTABLE(1b, 2b - 1b)                          \
10034                      _ASM_EXTABLE(2b, 3b - 2b)                          \
10035 @@ -252,7 +294,7 @@ extern void __put_user_8(void);
10036         __typeof__(*(ptr)) __pu_val;                            \
10037         __chk_user_ptr(ptr);                                    \
10038         might_fault();                                          \
10039 -       __pu_val = x;                                           \
10040 +       __pu_val = (x);                                         \
10041         switch (sizeof(*(ptr))) {                               \
10042         case 1:                                                 \
10043                 __put_user_x(1, __pu_val, ptr, __ret_pu);       \
10044 @@ -373,7 +415,7 @@ do {                                                                        \
10045  } while (0)
10046  
10047  #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret)      \
10048 -       asm volatile("1:        mov"itype" %2,%"rtype"1\n"              \
10049 +       asm volatile("1:        "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
10050                      "2:\n"                                             \
10051                      ".section .fixup,\"ax\"\n"                         \
10052                      "3:        mov %3,%0\n"                            \
10053 @@ -381,7 +423,7 @@ do {                                                                        \
10054                      "  jmp 2b\n"                                       \
10055                      ".previous\n"                                      \
10056                      _ASM_EXTABLE(1b, 3b)                               \
10057 -                    : "=r" (err), ltype(x)                             \
10058 +                    : "=r" (err), ltype (x)                            \
10059                      : "m" (__m(addr)), "i" (errret), "0" (err))
10060  
10061  #define __get_user_size_ex(x, ptr, size)                               \
10062 @@ -406,7 +448,7 @@ do {                                                                        \
10063  } while (0)
10064  
10065  #define __get_user_asm_ex(x, addr, itype, rtype, ltype)                        \
10066 -       asm volatile("1:        mov"itype" %1,%"rtype"0\n"              \
10067 +       asm volatile("1:        "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
10068                      "2:\n"                                             \
10069                      _ASM_EXTABLE(1b, 2b - 1b)                          \
10070                      : ltype(x) : "m" (__m(addr)))
10071 @@ -423,13 +465,24 @@ do {                                                                      \
10072         int __gu_err;                                                   \
10073         unsigned long __gu_val;                                         \
10074         __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT);    \
10075 -       (x) = (__force __typeof__(*(ptr)))__gu_val;                     \
10076 +       (x) = (__typeof__(*(ptr)))__gu_val;                             \
10077         __gu_err;                                                       \
10078  })
10079  
10080  /* FIXME: this hack is definitely wrong -AK */
10081  struct __large_struct { unsigned long buf[100]; };
10082 -#define __m(x) (*(struct __large_struct __user *)(x))
10083 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10084 +#define ____m(x)                                       \
10085 +({                                                     \
10086 +       unsigned long ____x = (unsigned long)(x);       \
10087 +       if (____x < PAX_USER_SHADOW_BASE)               \
10088 +               ____x += PAX_USER_SHADOW_BASE;          \
10089 +       (void __user *)____x;                           \
10090 +})
10091 +#else
10092 +#define ____m(x) (x)
10093 +#endif
10094 +#define __m(x) (*(struct __large_struct __user *)____m(x))
10095  
10096  /*
10097   * Tell gcc we read from memory instead of writing: this is because
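Review bot: `____m()` has no comment explaining that on x86-64 with CONFIG_PAX_MEMORY_UDEREF it rebases a user pointer below `PAX_USER_SHADOW_BASE` by that offset before it is used as the `"m"` operand of the `__get_user_asm`/`__put_user_asm` templates, nor that the comparison makes the rebase idempotent (a pointer already at or above the base is left alone). Something like `/* UDEREF (x86-64): user addresses are accessed via the range starting at PAX_USER_SHADOW_BASE; rebase once, leave already-rebased pointers alone */` above the `#if` would do. The same hunk drops `__force` from the `(x) = (__typeof__(*(ptr)))__gu_val;` assignment; if that is meant to change sparse's address-space checking it is worth a word in the description, since the `get_user_ex` hunk later in this file does the same.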
10098 @@ -437,7 +490,7 @@ struct __large_struct { unsigned long bu
10099   * aliasing issues.
10100   */
10101  #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret)      \
10102 -       asm volatile("1:        mov"itype" %"rtype"1,%2\n"              \
10103 +       asm volatile("1:        "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
10104                      "2:\n"                                             \
10105                      ".section .fixup,\"ax\"\n"                         \
10106                      "3:        mov %3,%0\n"                            \
10107 @@ -445,10 +498,10 @@ struct __large_struct { unsigned long bu
10108                      ".previous\n"                                      \
10109                      _ASM_EXTABLE(1b, 3b)                               \
10110                      : "=r"(err)                                        \
10111 -                    : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
10112 +                    : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
10113  
10114  #define __put_user_asm_ex(x, addr, itype, rtype, ltype)                        \
10115 -       asm volatile("1:        mov"itype" %"rtype"0,%1\n"              \
10116 +       asm volatile("1:        "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
10117                      "2:\n"                                             \
10118                      _ASM_EXTABLE(1b, 2b - 1b)                          \
10119                      : : ltype(x), "m" (__m(addr)))
10120 @@ -487,8 +540,12 @@ struct __large_struct { unsigned long bu
10121   * On error, the variable @x is set to zero.
10122   */
10123  
10124 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10125 +#define __get_user(x, ptr)     get_user((x), (ptr))
10126 +#else
10127  #define __get_user(x, ptr)                                             \
10128         __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
10129 +#endif
10130  
10131  /**
10132   * __put_user: - Write a simple value into user space, with less checking.
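Review bot: Under `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF` the `__get_user` macro is now an alias for `get_user`, but the kernel-doc block above it (its tail `On error, the variable @x is set to zero.` is visible as context) still documents the "less checking" variant, so readers of the header see a contract that does not match the macro on that configuration; the `__put_user` hunk that follows, whose doc line `with less checking` is visible, has the same mismatch. A one-line note inside the `#if` branch, `/* UDEREF on x86-64: the checked variant is used in place of the unchecked one */`, would keep the documentation honest.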
10133 @@ -510,8 +567,12 @@ struct __large_struct { unsigned long bu
10134   * Returns zero on success, or -EFAULT on error.
10135   */
10136  
10137 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10138 +#define __put_user(x, ptr)     put_user((x), (ptr))
10139 +#else
10140  #define __put_user(x, ptr)                                             \
10141         __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
10142 +#endif
10143  
10144  #define __get_user_unaligned __get_user
10145  #define __put_user_unaligned __put_user
10146 @@ -529,7 +590,7 @@ struct __large_struct { unsigned long bu
10147  #define get_user_ex(x, ptr)    do {                                    \
10148         unsigned long __gue_val;                                        \
10149         __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr))));       \
10150 -       (x) = (__force __typeof__(*(ptr)))__gue_val;                    \
10151 +       (x) = (__typeof__(*(ptr)))__gue_val;                            \
10152  } while (0)
10153  
10154  #ifdef CONFIG_X86_WP_WORKS_OK
10155 diff -urNp linux-3.1.1/arch/x86/include/asm/vdso.h linux-3.1.1/arch/x86/include/asm/vdso.h
10156 --- linux-3.1.1/arch/x86/include/asm/vdso.h     2011-11-11 15:19:27.000000000 -0500
10157 +++ linux-3.1.1/arch/x86/include/asm/vdso.h     2011-11-16 18:39:07.000000000 -0500
10158 @@ -11,7 +11,7 @@ extern const char VDSO32_PRELINK[];
10159  #define VDSO32_SYMBOL(base, name)                                      \
10160  ({                                                                     \
10161         extern const char VDSO32_##name[];                              \
10162 -       (void *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
10163 +       (void __user *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
10164  })
10165  #endif
10166  
10167 diff -urNp linux-3.1.1/arch/x86/include/asm/x86_init.h linux-3.1.1/arch/x86/include/asm/x86_init.h
10168 --- linux-3.1.1/arch/x86/include/asm/x86_init.h 2011-11-11 15:19:27.000000000 -0500
10169 +++ linux-3.1.1/arch/x86/include/asm/x86_init.h 2011-11-16 18:39:07.000000000 -0500
10170 @@ -28,7 +28,7 @@ struct x86_init_mpparse {
10171         void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name);
10172         void (*find_smp_config)(void);
10173         void (*get_smp_config)(unsigned int early);
10174 -};
10175 +} __no_const;
10176  
10177  /**
10178   * struct x86_init_resources - platform specific resource related ops
10179 @@ -42,7 +42,7 @@ struct x86_init_resources {
10180         void (*probe_roms)(void);
10181         void (*reserve_resources)(void);
10182         char *(*memory_setup)(void);
10183 -};
10184 +} __no_const;
10185  
10186  /**
10187   * struct x86_init_irqs - platform specific interrupt setup
10188 @@ -55,7 +55,7 @@ struct x86_init_irqs {
10189         void (*pre_vector_init)(void);
10190         void (*intr_init)(void);
10191         void (*trap_init)(void);
10192 -};
10193 +} __no_const;
10194  
10195  /**
10196   * struct x86_init_oem - oem platform specific customizing functions
10197 @@ -65,7 +65,7 @@ struct x86_init_irqs {
10198  struct x86_init_oem {
10199         void (*arch_setup)(void);
10200         void (*banner)(void);
10201 -};
10202 +} __no_const;
10203  
10204  /**
10205   * struct x86_init_mapping - platform specific initial kernel pagetable setup
10206 @@ -76,7 +76,7 @@ struct x86_init_oem {
10207   */
10208  struct x86_init_mapping {
10209         void (*pagetable_reserve)(u64 start, u64 end);
10210 -};
10211 +} __no_const;
10212  
10213  /**
10214   * struct x86_init_paging - platform specific paging functions
10215 @@ -86,7 +86,7 @@ struct x86_init_mapping {
10216  struct x86_init_paging {
10217         void (*pagetable_setup_start)(pgd_t *base);
10218         void (*pagetable_setup_done)(pgd_t *base);
10219 -};
10220 +} __no_const;
10221  
10222  /**
10223   * struct x86_init_timers - platform specific timer setup
10224 @@ -101,7 +101,7 @@ struct x86_init_timers {
10225         void (*tsc_pre_init)(void);
10226         void (*timer_init)(void);
10227         void (*wallclock_init)(void);
10228 -};
10229 +} __no_const;
10230  
10231  /**
10232   * struct x86_init_iommu - platform specific iommu setup
10233 @@ -109,7 +109,7 @@ struct x86_init_timers {
10234   */
10235  struct x86_init_iommu {
10236         int (*iommu_init)(void);
10237 -};
10238 +} __no_const;
10239  
10240  /**
10241   * struct x86_init_pci - platform specific pci init functions
10242 @@ -123,7 +123,7 @@ struct x86_init_pci {
10243         int (*init)(void);
10244         void (*init_irq)(void);
10245         void (*fixup_irqs)(void);
10246 -};
10247 +} __no_const;
10248  
10249  /**
10250   * struct x86_init_ops - functions for platform specific setup
10251 @@ -139,7 +139,7 @@ struct x86_init_ops {
10252         struct x86_init_timers          timers;
10253         struct x86_init_iommu           iommu;
10254         struct x86_init_pci             pci;
10255 -};
10256 +} __no_const;
10257  
10258  /**
10259   * struct x86_cpuinit_ops - platform specific cpu hotplug setups
10260 @@ -147,7 +147,7 @@ struct x86_init_ops {
10261   */
10262  struct x86_cpuinit_ops {
10263         void (*setup_percpu_clockev)(void);
10264 -};
10265 +} __no_const;
10266  
10267  /**
10268   * struct x86_platform_ops - platform specific runtime functions
10269 @@ -166,7 +166,7 @@ struct x86_platform_ops {
10270         bool (*is_untracked_pat_range)(u64 start, u64 end);
10271         void (*nmi_init)(void);
10272         int (*i8042_detect)(void);
10273 -};
10274 +} __no_const;
10275  
10276  struct pci_dev;
10277  
10278 @@ -174,7 +174,7 @@ struct x86_msi_ops {
10279         int (*setup_msi_irqs)(struct pci_dev *dev, int nvec, int type);
10280         void (*teardown_msi_irq)(unsigned int irq);
10281         void (*teardown_msi_irqs)(struct pci_dev *dev);
10282 -};
10283 +} __no_const;
10284  
10285  extern struct x86_init_ops x86_init;
10286  extern struct x86_cpuinit_ops x86_cpuinit;
10287 diff -urNp linux-3.1.1/arch/x86/include/asm/xsave.h linux-3.1.1/arch/x86/include/asm/xsave.h
10288 --- linux-3.1.1/arch/x86/include/asm/xsave.h    2011-11-11 15:19:27.000000000 -0500
10289 +++ linux-3.1.1/arch/x86/include/asm/xsave.h    2011-11-16 18:39:07.000000000 -0500
10290 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10291  {
10292         int err;
10293  
10294 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10295 +       if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10296 +               buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10297 +#endif
10298 +
10299         /*
10300          * Clear the xsave header first, so that reserved fields are
10301          * initialized to zero.
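Review bot: The shadow-base relocation added to `xsave_user` is repeated, with a different pointer type, in the `xrestore_user` hunk below (`buf` as `void __user *` here, `xstate` as a plain kernel pointer there), and neither site says why a pointer below `PAX_USER_SHADOW_BASE` must be shifted before the xsave/xrstor instruction touches it. A shared `static inline` helper, or at least a comment at the first site along the lines of `/* UDEREF: user buffers are reached through the shadow mapping at PAX_USER_SHADOW_BASE */` (wording to match the actual mapping design), would keep the two copies in step. `xsave_user`'s signature is on the hunk header and its body continues past the hunk.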
10302 @@ -96,10 +101,15 @@ static inline int xsave_user(struct xsav
10303  static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
10304  {
10305         int err;
10306 -       struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
10307 +       struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
10308         u32 lmask = mask;
10309         u32 hmask = mask >> 32;
10310  
10311 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10312 +       if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10313 +               xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10314 +#endif
10315 +
10316         __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10317                              "2:\n"
10318                              ".section .fixup,\"ax\"\n"
10319 diff -urNp linux-3.1.1/arch/x86/Kconfig linux-3.1.1/arch/x86/Kconfig
10320 --- linux-3.1.1/arch/x86/Kconfig        2011-11-11 15:19:27.000000000 -0500
10321 +++ linux-3.1.1/arch/x86/Kconfig        2011-11-16 18:40:08.000000000 -0500
10322 @@ -236,7 +236,7 @@ config X86_HT
10323  
10324  config X86_32_LAZY_GS
10325         def_bool y
10326 -       depends on X86_32 && !CC_STACKPROTECTOR
10327 +       depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10328  
10329  config ARCH_HWEIGHT_CFLAGS
10330         string
10331 @@ -1019,7 +1019,7 @@ choice
10332  
10333  config NOHIGHMEM
10334         bool "off"
10335 -       depends on !X86_NUMAQ
10336 +       depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10337         ---help---
10338           Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10339           However, the address space of 32-bit x86 processors is only 4
10340 @@ -1056,7 +1056,7 @@ config NOHIGHMEM
10341  
10342  config HIGHMEM4G
10343         bool "4GB"
10344 -       depends on !X86_NUMAQ
10345 +       depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10346         ---help---
10347           Select this if you have a 32-bit processor and between 1 and 4
10348           gigabytes of physical RAM.
10349 @@ -1110,7 +1110,7 @@ config PAGE_OFFSET
10350         hex
10351         default 0xB0000000 if VMSPLIT_3G_OPT
10352         default 0x80000000 if VMSPLIT_2G
10353 -       default 0x78000000 if VMSPLIT_2G_OPT
10354 +       default 0x70000000 if VMSPLIT_2G_OPT
10355         default 0x40000000 if VMSPLIT_1G
10356         default 0xC0000000
10357         depends on X86_32
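Review bot: The `VMSPLIT_2G_OPT` default for `PAGE_OFFSET` moves from 0x78000000 to 0x70000000 with nothing in the hunk explaining the new split, and on X86_32 this value directly bounds the user address space. If the change serves one of the PaX options (the hunk does not say which), a Kconfig comment next to the default, e.g. `# PaX: 0x70000000 rather than 0x78000000 because <reason>`, should record it, and the `VMSPLIT_2G_OPT` prompt text (outside this hunk) should be checked so it still describes the split accurately.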
10358 @@ -1484,6 +1484,7 @@ config SECCOMP
10359  
10360  config CC_STACKPROTECTOR
10361         bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
10362 +       depends on X86_64 || !PAX_MEMORY_UDEREF
10363         ---help---
10364           This option turns on the -fstack-protector GCC feature. This
10365           feature puts, at the beginning of functions, a canary value on
10366 @@ -1541,6 +1542,7 @@ config KEXEC_JUMP
10367  config PHYSICAL_START
10368         hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
10369         default "0x1000000"
10370 +       range 0x400000 0x40000000
10371         ---help---
10372           This gives the physical address where the kernel is loaded.
10373  
10374 @@ -1604,6 +1606,7 @@ config X86_NEED_RELOCS
10375  config PHYSICAL_ALIGN
10376         hex "Alignment value to which kernel should be aligned" if X86_32
10377         default "0x1000000"
10378 +       range 0x400000 0x1000000 if PAX_KERNEXEC
10379         range 0x2000 0x1000000
10380         ---help---
10381           This value puts the alignment restrictions on physical address
10382 @@ -1635,9 +1638,10 @@ config HOTPLUG_CPU
10383           Say N if you want to disable CPU hotplug.
10384  
10385  config COMPAT_VDSO
10386 -       def_bool y
10387 +       def_bool n
10388         prompt "Compat VDSO support"
10389         depends on X86_32 || IA32_EMULATION
10390 +       depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10391         ---help---
10392           Map the 32-bit VDSO to the predictable old-style address too.
10393  
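Review bot: `COMPAT_VDSO` is flipped to `def_bool n` and gated on `!PAX_NOEXEC && !PAX_MEMORY_UDEREF`, but its help text still only says it maps the VDSO to the predictable old-style address, so a user who finds the option missing gets no hint why. One added sentence in the help, `This option is unavailable when PAX_NOEXEC or PAX_MEMORY_UDEREF is enabled.`, would make the dependency self-explaining. As a style point, `def_bool n` followed by `prompt` is equivalent to a plain `bool "Compat VDSO support"`.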
10394 diff -urNp linux-3.1.1/arch/x86/Kconfig.cpu linux-3.1.1/arch/x86/Kconfig.cpu
10395 --- linux-3.1.1/arch/x86/Kconfig.cpu    2011-11-11 15:19:27.000000000 -0500
10396 +++ linux-3.1.1/arch/x86/Kconfig.cpu    2011-11-16 18:39:07.000000000 -0500
10397 @@ -341,7 +341,7 @@ config X86_PPRO_FENCE
10398  
10399  config X86_F00F_BUG
10400         def_bool y
10401 -       depends on M586MMX || M586TSC || M586 || M486 || M386
10402 +       depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10403  
10404  config X86_INVD_BUG
10405         def_bool y
10406 @@ -365,7 +365,7 @@ config X86_POPAD_OK
10407  
10408  config X86_ALIGNMENT_16
10409         def_bool y
10410 -       depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10411 +       depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10412  
10413  config X86_INTEL_USERCOPY
10414         def_bool y
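Review bot: The rewritten `X86_ALIGNMENT_16` dependency replaces `MELAN` with `X86_ELAN`, while the removed line — and therefore this tree — uses `MELAN` as the Elan CPU symbol; if `X86_ELAN` is not defined anywhere in the patched tree, Kconfig silently treats it as `n` and the 16-byte alignment is lost for that CPU rather than reported as an error. Unless the patch introduces `X86_ELAN` elsewhere, the intended line is probably `depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1`. The broadening to MK8/MK7/MCORE2/Pentium II–4/M686 also deserves a one-line comment, since it changes the alignment default for the most common configurations.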
10415 @@ -411,7 +411,7 @@ config X86_CMPXCHG64
10416  # generates cmov.
10417  config X86_CMOV
10418         def_bool y
10419 -       depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10420 +       depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10421  
10422  config X86_MINIMUM_CPU_FAMILY
10423         int
10424 diff -urNp linux-3.1.1/arch/x86/Kconfig.debug linux-3.1.1/arch/x86/Kconfig.debug
10425 --- linux-3.1.1/arch/x86/Kconfig.debug  2011-11-11 15:19:27.000000000 -0500
10426 +++ linux-3.1.1/arch/x86/Kconfig.debug  2011-11-16 18:39:07.000000000 -0500
10427 @@ -81,7 +81,7 @@ config X86_PTDUMP
10428  config DEBUG_RODATA
10429         bool "Write protect kernel read-only data structures"
10430         default y
10431 -       depends on DEBUG_KERNEL
10432 +       depends on DEBUG_KERNEL && BROKEN
10433         ---help---
10434           Mark the kernel read-only data as write-protected in the pagetables,
10435           in order to catch accidental (and incorrect) writes to such const
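Review bot: Gating `DEBUG_RODATA` on `BROKEN` (and `DEBUG_SET_MODULE_RONX` in the next hunk) removes the option even for configurations that enable none of the PaX features, and leaves the help text describing a working option. If the conflict is specifically with PAX_KERNEXEC's own handling of text and rodata (an inference from the rest of this patch, not from the hunk), `depends on DEBUG_KERNEL && !PAX_KERNEXEC` keeps the upstream protection available to non-PaX builds and documents the reason in the dependency itself; otherwise a `# broken with PaX because <reason>` comment should accompany the `BROKEN` dependency.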
10436 @@ -99,7 +99,7 @@ config DEBUG_RODATA_TEST
10437  
10438  config DEBUG_SET_MODULE_RONX
10439         bool "Set loadable kernel module data as NX and text as RO"
10440 -       depends on MODULES
10441 +       depends on MODULES && BROKEN
10442         ---help---
10443           This option helps catch unintended modifications to loadable
10444           kernel module's text and read-only data. It also prevents execution
10445 diff -urNp linux-3.1.1/arch/x86/kernel/acpi/realmode/Makefile linux-3.1.1/arch/x86/kernel/acpi/realmode/Makefile
10446 --- linux-3.1.1/arch/x86/kernel/acpi/realmode/Makefile  2011-11-11 15:19:27.000000000 -0500
10447 +++ linux-3.1.1/arch/x86/kernel/acpi/realmode/Makefile  2011-11-16 18:39:07.000000000 -0500
10448 @@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os 
10449                    $(call cc-option, -fno-stack-protector) \
10450                    $(call cc-option, -mpreferred-stack-boundary=2)
10451  KBUILD_CFLAGS  += $(call cc-option, -m32)
10452 +ifdef CONSTIFY_PLUGIN
10453 +KBUILD_CFLAGS  += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
10454 +endif
10455  KBUILD_AFLAGS  := $(KBUILD_CFLAGS) -D__ASSEMBLY__
10456  GCOV_PROFILE := n
10457  
10458 diff -urNp linux-3.1.1/arch/x86/kernel/acpi/realmode/wakeup.S linux-3.1.1/arch/x86/kernel/acpi/realmode/wakeup.S
10459 --- linux-3.1.1/arch/x86/kernel/acpi/realmode/wakeup.S  2011-11-11 15:19:27.000000000 -0500
10460 +++ linux-3.1.1/arch/x86/kernel/acpi/realmode/wakeup.S  2011-11-16 18:40:08.000000000 -0500
10461 @@ -108,6 +108,9 @@ wakeup_code:
10462         /* Do any other stuff... */
10463  
10464  #ifndef CONFIG_64BIT
10465 +       /* Recheck NX bit overrides (64bit path does this in trampoline */
10466 +       call    verify_cpu
10467 +
10468         /* This could also be done in C code... */
10469         movl    pmode_cr3, %eax
10470         movl    %eax, %cr3
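Review bot: The new comment `/* Recheck NX bit overrides (64bit path does this in trampoline */` is missing its closing parenthesis; it should read `/* Recheck NX bit overrides (64bit path does this in trampoline) */`. The `call verify_cpu` also relies on `verify_cpu.S` being pulled into this 32-bit branch by the `# include "../../verify_cpu.S"` added in the next hunk, so a short remark at the call site that the routine is included further down would save the reader a search.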
10471 @@ -131,6 +134,7 @@ wakeup_code:
10472         movl    pmode_cr0, %eax
10473         movl    %eax, %cr0
10474         jmp     pmode_return
10475 +# include "../../verify_cpu.S"
10476  #else
10477         pushw   $0
10478         pushw   trampoline_segment
10479 diff -urNp linux-3.1.1/arch/x86/kernel/acpi/sleep.c linux-3.1.1/arch/x86/kernel/acpi/sleep.c
10480 --- linux-3.1.1/arch/x86/kernel/acpi/sleep.c    2011-11-11 15:19:27.000000000 -0500
10481 +++ linux-3.1.1/arch/x86/kernel/acpi/sleep.c    2011-11-16 18:39:07.000000000 -0500
10482 @@ -94,8 +94,12 @@ int acpi_suspend_lowlevel(void)
10483         header->trampoline_segment = trampoline_address() >> 4;
10484  #ifdef CONFIG_SMP
10485         stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
10486 +
10487 +       pax_open_kernel();
10488         early_gdt_descr.address =
10489                         (unsigned long)get_cpu_gdt_table(smp_processor_id());
10490 +       pax_close_kernel();
10491 +
10492         initial_gs = per_cpu_offset(smp_processor_id());
10493  #endif
10494         initial_code = (unsigned long)wakeup_long64;
10495 diff -urNp linux-3.1.1/arch/x86/kernel/acpi/wakeup_32.S linux-3.1.1/arch/x86/kernel/acpi/wakeup_32.S
10496 --- linux-3.1.1/arch/x86/kernel/acpi/wakeup_32.S        2011-11-11 15:19:27.000000000 -0500
10497 +++ linux-3.1.1/arch/x86/kernel/acpi/wakeup_32.S        2011-11-16 18:39:07.000000000 -0500
10498 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10499         # and restore the stack ... but you need gdt for this to work
10500         movl    saved_context_esp, %esp
10501  
10502 -       movl    %cs:saved_magic, %eax
10503 -       cmpl    $0x12345678, %eax
10504 +       cmpl    $0x12345678, saved_magic
10505         jne     bogus_magic
10506  
10507         # jump to place where we left off
10508 -       movl    saved_eip, %eax
10509 -       jmp     *%eax
10510 +       jmp     *(saved_eip)
10511  
10512  bogus_magic:
10513         jmp     bogus_magic
10514 diff -urNp linux-3.1.1/arch/x86/kernel/alternative.c linux-3.1.1/arch/x86/kernel/alternative.c
10515 --- linux-3.1.1/arch/x86/kernel/alternative.c   2011-11-11 15:19:27.000000000 -0500
10516 +++ linux-3.1.1/arch/x86/kernel/alternative.c   2011-11-16 18:39:07.000000000 -0500
10517 @@ -276,6 +276,13 @@ void __init_or_module apply_alternatives
10518          */
10519         for (a = start; a < end; a++) {
10520                 instr = (u8 *)&a->instr_offset + a->instr_offset;
10521 +
10522 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
10523 +               instr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10524 +               if (instr < (u8 *)_text || (u8 *)_einittext <= instr)
10525 +                       instr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10526 +#endif
10527 +
10528                 replacement = (u8 *)&a->repl_offset + a->repl_offset;
10529                 BUG_ON(a->replacementlen > a->instrlen);
10530                 BUG_ON(a->instrlen > sizeof(insnbuf));
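Review bot: The KERNEXEC pointer rebasing — add the `____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR` delta, then undo it when the result falls outside `[_text, _einittext)` — is open-coded here and again, line for line, in the `alternatives_smp_lock` and `alternatives_smp_unlock` hunks below. Three copies of a range check are three places for the bounds to drift; a single static helper with the `#if` inside it keeps each call site to one line and gives the logic a name and a comment. `apply_alternatives` starts before this hunk and continues after it.
```c
#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
/*
 * Rebase a text pointer by the KERNEXEC load-address delta; keep the
 * original pointer when the rebased one is outside [_text, _einittext).
 */
static inline u8 *kernexec_rebase(u8 *p)
{
	u8 *q = p + (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR);

	return (q < (u8 *)_text || (u8 *)_einittext <= q) ? p : q;
}
#else
static inline u8 *kernexec_rebase(u8 *p) { return p; }
#endif

/* … unchanged: apply_alternatives() up to the loop … */
		instr = kernexec_rebase((u8 *)&a->instr_offset + a->instr_offset);
		replacement = (u8 *)&a->repl_offset + a->repl_offset;
```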
10531 @@ -307,10 +314,16 @@ static void alternatives_smp_lock(const 
10532         for (poff = start; poff < end; poff++) {
10533                 u8 *ptr = (u8 *)poff + *poff;
10534  
10535 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
10536 +               ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10537 +               if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
10538 +                       ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10539 +#endif
10540 +
10541                 if (!*poff || ptr < text || ptr >= text_end)
10542                         continue;
10543                 /* turn DS segment override prefix into lock prefix */
10544 -               if (*ptr == 0x3e)
10545 +               if (*ktla_ktva(ptr) == 0x3e)
10546                         text_poke(ptr, ((unsigned char []){0xf0}), 1);
10547         };
10548         mutex_unlock(&text_mutex);
10549 @@ -328,10 +341,16 @@ static void alternatives_smp_unlock(cons
10550         for (poff = start; poff < end; poff++) {
10551                 u8 *ptr = (u8 *)poff + *poff;
10552  
10553 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
10554 +               ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10555 +               if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
10556 +                       ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10557 +#endif
10558 +
10559                 if (!*poff || ptr < text || ptr >= text_end)
10560                         continue;
10561                 /* turn lock prefix into DS segment override prefix */
10562 -               if (*ptr == 0xf0)
10563 +               if (*ktla_ktva(ptr) == 0xf0)
10564                         text_poke(ptr, ((unsigned char []){0x3E}), 1);
10565         };
10566         mutex_unlock(&text_mutex);
10567 @@ -500,7 +519,7 @@ void __init_or_module apply_paravirt(str
10568  
10569                 BUG_ON(p->len > MAX_PATCH_LEN);
10570                 /* prep the buffer with the original instructions */
10571 -               memcpy(insnbuf, p->instr, p->len);
10572 +               memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10573                 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10574                                          (unsigned long)p->instr, p->len);
10575  
10576 @@ -568,7 +587,7 @@ void __init alternative_instructions(voi
10577         if (smp_alt_once)
10578                 free_init_pages("SMP alternatives",
10579                                 (unsigned long)__smp_locks,
10580 -                               (unsigned long)__smp_locks_end);
10581 +                               PAGE_ALIGN((unsigned long)__smp_locks_end));
10582  
10583         restart_nmi();
10584  }
10585 @@ -585,13 +604,17 @@ void __init alternative_instructions(voi
10586   * instructions. And on the local CPU you need to be protected again NMI or MCE
10587   * handlers seeing an inconsistent instruction while you patch.
10588   */
10589 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
10590 +void *__kprobes text_poke_early(void *addr, const void *opcode,
10591                                               size_t len)
10592  {
10593         unsigned long flags;
10594         local_irq_save(flags);
10595 -       memcpy(addr, opcode, len);
10596 +
10597 +       pax_open_kernel();
10598 +       memcpy(ktla_ktva(addr), opcode, len);
10599         sync_core();
10600 +       pax_close_kernel();
10601 +
10602         local_irq_restore(flags);
10603         /* Could also do a CLFLUSH here to speed up CPU recovery; but
10604            that causes hangs on some VIA CPUs. */
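Review bot: `text_poke_early` changes from `__init_or_module` to `__kprobes` because the rewritten `text_poke` (next hunk) now calls it at runtime, but the header comment just above the hunk still describes the early-boot contract and nothing records that this is now the single write path for all text patching. Add to that header a sentence such as `Also the backend of text_poke() after boot; the memcpy() is bracketed by pax_open_kernel()/pax_close_kernel().` so the changed linkage is explained where the function is declared. The function body continues past the hunk.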
10605 @@ -613,36 +636,22 @@ void *__init_or_module text_poke_early(v
10606   */
10607  void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10608  {
10609 -       unsigned long flags;
10610 -       char *vaddr;
10611 +       unsigned char *vaddr = ktla_ktva(addr);
10612         struct page *pages[2];
10613 -       int i;
10614 +       size_t i;
10615  
10616         if (!core_kernel_text((unsigned long)addr)) {
10617 -               pages[0] = vmalloc_to_page(addr);
10618 -               pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10619 +               pages[0] = vmalloc_to_page(vaddr);
10620 +               pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10621         } else {
10622 -               pages[0] = virt_to_page(addr);
10623 +               pages[0] = virt_to_page(vaddr);
10624                 WARN_ON(!PageReserved(pages[0]));
10625 -               pages[1] = virt_to_page(addr + PAGE_SIZE);
10626 +               pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10627         }
10628         BUG_ON(!pages[0]);
10629 -       local_irq_save(flags);
10630 -       set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10631 -       if (pages[1])
10632 -               set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10633 -       vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10634 -       memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10635 -       clear_fixmap(FIX_TEXT_POKE0);
10636 -       if (pages[1])
10637 -               clear_fixmap(FIX_TEXT_POKE1);
10638 -       local_flush_tlb();
10639 -       sync_core();
10640 -       /* Could also do a CLFLUSH here to speed up CPU recovery; but
10641 -          that causes hangs on some VIA CPUs. */
10642 +       text_poke_early(addr, opcode, len);
10643         for (i = 0; i < len; i++)
10644 -               BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10645 -       local_irq_restore(flags);
10646 +               BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
10647         return addr;
10648  }
10649  
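Review bot: `pages[1]` is still looked up on both branches of the `core_kernel_text()` test but is no longer read anywhere once the `set_fixmap`/`clear_fixmap` sequence is gone, so the second `vmalloc_to_page`/`virt_to_page` call is dead work; drop it or shrink `pages` to a single entry while keeping the `BUG_ON(!pages[0])` and `WARN_ON(!PageReserved(pages[0]))` sanity checks. The rewrite also changes the protection model: the old code wrote through a temporary fixmap alias so the text mapping itself never had to be writable, whereas the new path writes through `ktla_ktva(addr)` inside `text_poke_early`'s `pax_open_kernel()` window, so correctness now depends on that window (and, without PAX_KERNEXEC, on the text mapping being writable — presumably why this patch marks DEBUG_RODATA BROKEN). A one-line comment above the `text_poke_early(addr, opcode, len);` call stating this would spare the next reader the archaeology.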
10650 diff -urNp linux-3.1.1/arch/x86/kernel/apic/apic.c linux-3.1.1/arch/x86/kernel/apic/apic.c
10651 --- linux-3.1.1/arch/x86/kernel/apic/apic.c     2011-11-11 15:19:27.000000000 -0500
10652 +++ linux-3.1.1/arch/x86/kernel/apic/apic.c     2011-11-16 18:40:08.000000000 -0500
10653 @@ -174,7 +174,7 @@ int first_system_vector = 0xfe;
10654  /*
10655   * Debug level, exported for io_apic.c
10656   */
10657 -unsigned int apic_verbosity;
10658 +int apic_verbosity;
10659  
10660  int pic_mode;
10661  
10662 @@ -1835,7 +1835,7 @@ void smp_error_interrupt(struct pt_regs 
10663         apic_write(APIC_ESR, 0);
10664         v1 = apic_read(APIC_ESR);
10665         ack_APIC_irq();
10666 -       atomic_inc(&irq_err_count);
10667 +       atomic_inc_unchecked(&irq_err_count);
10668  
10669         apic_printk(APIC_DEBUG, KERN_DEBUG "APIC error on CPU%d: %02x(%02x)",
10670                     smp_processor_id(), v0 , v1);
10671 @@ -2209,6 +2209,8 @@ static int __cpuinit apic_cluster_num(vo
10672         u16 *bios_cpu_apicid;
10673         DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
10674  
10675 +       pax_track_stack();
10676 +
10677         bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
10678         bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
10679  
10680 diff -urNp linux-3.1.1/arch/x86/kernel/apic/io_apic.c linux-3.1.1/arch/x86/kernel/apic/io_apic.c
10681 --- linux-3.1.1/arch/x86/kernel/apic/io_apic.c  2011-11-11 15:19:27.000000000 -0500
10682 +++ linux-3.1.1/arch/x86/kernel/apic/io_apic.c  2011-11-16 18:39:07.000000000 -0500
10683 @@ -1028,7 +1028,7 @@ int IO_APIC_get_PCI_irq_vector(int bus, 
10684  }
10685  EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10686  
10687 -void lock_vector_lock(void)
10688 +void lock_vector_lock(void) __acquires(vector_lock)
10689  {
10690         /* Used to the online set of cpus does not change
10691          * during assign_irq_vector.
10692 @@ -1036,7 +1036,7 @@ void lock_vector_lock(void)
10693         raw_spin_lock(&vector_lock);
10694  }
10695  
10696 -void unlock_vector_lock(void)
10697 +void unlock_vector_lock(void) __releases(vector_lock)
10698  {
10699         raw_spin_unlock(&vector_lock);
10700  }
10701 @@ -2405,7 +2405,7 @@ static void ack_apic_edge(struct irq_dat
10702         ack_APIC_irq();
10703  }
10704  
10705 -atomic_t irq_mis_count;
10706 +atomic_unchecked_t irq_mis_count;
10707  
10708  /*
10709   * IO-APIC versions below 0x20 don't support EOI register.
10710 @@ -2513,7 +2513,7 @@ static void ack_apic_level(struct irq_da
10711          * at the cpu.
10712          */
10713         if (!(v & (1 << (i & 0x1f)))) {
10714 -               atomic_inc(&irq_mis_count);
10715 +               atomic_inc_unchecked(&irq_mis_count);
10716  
10717                 eoi_ioapic_irq(irq, cfg);
10718         }
10719 diff -urNp linux-3.1.1/arch/x86/kernel/apm_32.c linux-3.1.1/arch/x86/kernel/apm_32.c
10720 --- linux-3.1.1/arch/x86/kernel/apm_32.c        2011-11-11 15:19:27.000000000 -0500
10721 +++ linux-3.1.1/arch/x86/kernel/apm_32.c        2011-11-16 18:39:07.000000000 -0500
10722 @@ -413,7 +413,7 @@ static DEFINE_MUTEX(apm_mutex);
10723   * This is for buggy BIOS's that refer to (real mode) segment 0x40
10724   * even though they are called in protected mode.
10725   */
10726 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10727 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10728                         (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10729  
10730  static const char driver_version[] = "1.16ac"; /* no spaces */
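Review bot: The `bad_bios_desc` type byte changes from 0x4092 to 0x4093 — the descriptor's accessed bit is now pre-set — alongside the new `const` qualifier, and nothing explains the change. Since the descriptor is copied into the GDT inside `pax_open_kernel()`/`pax_close_kernel()` windows in the following hunks, the likely reason is that the GDT is read-only under KERNEXEC and the CPU would otherwise have to write the accessed bit on first load (an inference — please confirm); a comment such as `/* accessed bit pre-set: the GDT copy is read-only under KERNEXEC */` on the definition would document it.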
10731 @@ -591,7 +591,10 @@ static long __apm_bios_call(void *_call)
10732         BUG_ON(cpu != 0);
10733         gdt = get_cpu_gdt_table(cpu);
10734         save_desc_40 = gdt[0x40 / 8];
10735 +
10736 +       pax_open_kernel();
10737         gdt[0x40 / 8] = bad_bios_desc;
10738 +       pax_close_kernel();
10739  
10740         apm_irq_save(flags);
10741         APM_DO_SAVE_SEGS;
10742 @@ -600,7 +603,11 @@ static long __apm_bios_call(void *_call)
10743                           &call->esi);
10744         APM_DO_RESTORE_SEGS;
10745         apm_irq_restore(flags);
10746 +
10747 +       pax_open_kernel();
10748         gdt[0x40 / 8] = save_desc_40;
10749 +       pax_close_kernel();
10750 +
10751         put_cpu();
10752  
10753         return call->eax & 0xff;
10754 @@ -667,7 +674,10 @@ static long __apm_bios_call_simple(void 
10755         BUG_ON(cpu != 0);
10756         gdt = get_cpu_gdt_table(cpu);
10757         save_desc_40 = gdt[0x40 / 8];
10758 +
10759 +       pax_open_kernel();
10760         gdt[0x40 / 8] = bad_bios_desc;
10761 +       pax_close_kernel();
10762  
10763         apm_irq_save(flags);
10764         APM_DO_SAVE_SEGS;
10765 @@ -675,7 +685,11 @@ static long __apm_bios_call_simple(void 
10766                                          &call->eax);
10767         APM_DO_RESTORE_SEGS;
10768         apm_irq_restore(flags);
10769 +
10770 +       pax_open_kernel();
10771         gdt[0x40 / 8] = save_desc_40;
10772 +       pax_close_kernel();
10773 +
10774         put_cpu();
10775         return error;
10776  }
10777 @@ -2349,12 +2363,15 @@ static int __init apm_init(void)
10778          * code to that CPU.
10779          */
10780         gdt = get_cpu_gdt_table(0);
10781 +
10782 +       pax_open_kernel();
10783         set_desc_base(&gdt[APM_CS >> 3],
10784                  (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10785         set_desc_base(&gdt[APM_CS_16 >> 3],
10786                  (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10787         set_desc_base(&gdt[APM_DS >> 3],
10788                  (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10789 +       pax_close_kernel();
10790  
10791         proc_create("apm", 0, NULL, &apm_file_ops);
10792  
10793 diff -urNp linux-3.1.1/arch/x86/kernel/asm-offsets_64.c linux-3.1.1/arch/x86/kernel/asm-offsets_64.c
10794 --- linux-3.1.1/arch/x86/kernel/asm-offsets_64.c        2011-11-11 15:19:27.000000000 -0500
10795 +++ linux-3.1.1/arch/x86/kernel/asm-offsets_64.c        2011-11-16 18:39:07.000000000 -0500
10796 @@ -69,6 +69,7 @@ int main(void)
10797         BLANK();
10798  #undef ENTRY
10799  
10800 +       DEFINE(TSS_size, sizeof(struct tss_struct));
10801         OFFSET(TSS_ist, tss_struct, x86_tss.ist);
10802         BLANK();
10803  
10804 diff -urNp linux-3.1.1/arch/x86/kernel/asm-offsets.c linux-3.1.1/arch/x86/kernel/asm-offsets.c
10805 --- linux-3.1.1/arch/x86/kernel/asm-offsets.c   2011-11-11 15:19:27.000000000 -0500
10806 +++ linux-3.1.1/arch/x86/kernel/asm-offsets.c   2011-11-16 18:39:07.000000000 -0500
10807 @@ -33,6 +33,8 @@ void common(void) {
10808         OFFSET(TI_status, thread_info, status);
10809         OFFSET(TI_addr_limit, thread_info, addr_limit);
10810         OFFSET(TI_preempt_count, thread_info, preempt_count);
10811 +       OFFSET(TI_lowest_stack, thread_info, lowest_stack);
10812 +       DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
10813  
10814         BLANK();
10815         OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
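Review bot: `TI_task_thread_sp0` is defined as the difference of two `offsetof()` expressions with no comment, so a reader of the assembly that consumes it has to reconstruct that `thread_info` is embedded in `task_struct` as `tinfo` and that the constant is `thread.sp0` relative to the thread_info pointer (an inference from the expression, not stated anywhere). A one-line comment, e.g. `/* offset of task->thread.sp0 relative to the embedded thread_info (task->tinfo) */`, would make the constant self-describing.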
10816 @@ -53,8 +55,26 @@ void common(void) {
10817         OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10818         OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10819         OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10820 +
10821 +#ifdef CONFIG_PAX_KERNEXEC
10822 +       OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10823 +#endif
10824 +
10825 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10826 +       OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10827 +       OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10828 +#ifdef CONFIG_X86_64
10829 +       OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
10830 +#endif
10831  #endif
10832  
10833 +#endif
10834 +
10835 +       BLANK();
10836 +       DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
10837 +       DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
10838 +       DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
10839 +
10840  #ifdef CONFIG_XEN
10841         BLANK();
10842         OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
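Review bot: The preprocessor nesting in this hunk is hard to follow: the pre-existing ` #endif` now closes the new `#ifdef CONFIG_PAX_MEMORY_UDEREF`, and the added `+#endif` two lines later closes an outer conditional whose `#ifdef` is not visible in the hunk. Tagging the closers, `#endif /* CONFIG_PAX_MEMORY_UDEREF */` and `#endif /* <outer conditional> */`, makes the structure checkable by eye. `common()` starts before this hunk and continues after it.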
10843 diff -urNp linux-3.1.1/arch/x86/kernel/cpu/amd.c linux-3.1.1/arch/x86/kernel/cpu/amd.c
10844 --- linux-3.1.1/arch/x86/kernel/cpu/amd.c       2011-11-11 15:19:27.000000000 -0500
10845 +++ linux-3.1.1/arch/x86/kernel/cpu/amd.c       2011-11-16 18:39:07.000000000 -0500
10846 @@ -647,7 +647,7 @@ static unsigned int __cpuinit amd_size_c
10847                                                         unsigned int size)
10848  {
10849         /* AMD errata T13 (order #21922) */
10850 -       if ((c->x86 == 6)) {
10851 +       if (c->x86 == 6) {
10852                 /* Duron Rev A0 */
10853                 if (c->x86_model == 3 && c->x86_mask == 0)
10854                         size = 64;
10855 diff -urNp linux-3.1.1/arch/x86/kernel/cpu/common.c linux-3.1.1/arch/x86/kernel/cpu/common.c
10856 --- linux-3.1.1/arch/x86/kernel/cpu/common.c    2011-11-11 15:19:27.000000000 -0500
10857 +++ linux-3.1.1/arch/x86/kernel/cpu/common.c    2011-11-16 18:39:07.000000000 -0500
10858 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10859  
10860  static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10861  
10862 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10863 -#ifdef CONFIG_X86_64
10864 -       /*
10865 -        * We need valid kernel segments for data and code in long mode too
10866 -        * IRET will check the segment types  kkeil 2000/10/28
10867 -        * Also sysret mandates a special GDT layout
10868 -        *
10869 -        * TLS descriptors are currently at a different place compared to i386.
10870 -        * Hopefully nobody expects them at a fixed place (Wine?)
10871 -        */
10872 -       [GDT_ENTRY_KERNEL32_CS]         = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10873 -       [GDT_ENTRY_KERNEL_CS]           = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10874 -       [GDT_ENTRY_KERNEL_DS]           = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10875 -       [GDT_ENTRY_DEFAULT_USER32_CS]   = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10876 -       [GDT_ENTRY_DEFAULT_USER_DS]     = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10877 -       [GDT_ENTRY_DEFAULT_USER_CS]     = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10878 -#else
10879 -       [GDT_ENTRY_KERNEL_CS]           = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10880 -       [GDT_ENTRY_KERNEL_DS]           = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10881 -       [GDT_ENTRY_DEFAULT_USER_CS]     = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10882 -       [GDT_ENTRY_DEFAULT_USER_DS]     = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10883 -       /*
10884 -        * Segments used for calling PnP BIOS have byte granularity.
10885 -        * They code segments and data segments have fixed 64k limits,
10886 -        * the transfer segment sizes are set at run time.
10887 -        */
10888 -       /* 32-bit code */
10889 -       [GDT_ENTRY_PNPBIOS_CS32]        = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10890 -       /* 16-bit code */
10891 -       [GDT_ENTRY_PNPBIOS_CS16]        = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10892 -       /* 16-bit data */
10893 -       [GDT_ENTRY_PNPBIOS_DS]          = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10894 -       /* 16-bit data */
10895 -       [GDT_ENTRY_PNPBIOS_TS1]         = GDT_ENTRY_INIT(0x0092, 0, 0),
10896 -       /* 16-bit data */
10897 -       [GDT_ENTRY_PNPBIOS_TS2]         = GDT_ENTRY_INIT(0x0092, 0, 0),
10898 -       /*
10899 -        * The APM segments have byte granularity and their bases
10900 -        * are set at run time.  All have 64k limits.
10901 -        */
10902 -       /* 32-bit code */
10903 -       [GDT_ENTRY_APMBIOS_BASE]        = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10904 -       /* 16-bit code */
10905 -       [GDT_ENTRY_APMBIOS_BASE+1]      = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10906 -       /* data */
10907 -       [GDT_ENTRY_APMBIOS_BASE+2]      = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10908 -
10909 -       [GDT_ENTRY_ESPFIX_SS]           = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10910 -       [GDT_ENTRY_PERCPU]              = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10911 -       GDT_STACK_CANARY_INIT
10912 -#endif
10913 -} };
10914 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10915 -
10916  static int __init x86_xsave_setup(char *s)
10917  {
10918         setup_clear_cpu_cap(X86_FEATURE_XSAVE);
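Review bot: The `gdt_page` per-CPU definition and its `EXPORT_PER_CPU_SYMBOL_GPL(gdt_page)` are removed here with no replacement visible in the hunk, so whatever now backs `get_cpu_gdt_table()` (presumably a fixed, read-only GDT elsewhere in the patch, given the `pax_open_kernel()` windows around GDT writes in the apm_32.c and sleep.c hunks) must also be exported for module code that previously relied on this symbol. A short comment at the removal site naming the new home, e.g. `/* the per-CPU GDT is now defined in <new location> */`, would help. Please also confirm the new definition keeps the same `GDT_ENTRY_*` layout, since `switch_to_new_gdt()` below still loads it with `GDT_SIZE - 1`.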
10919 @@ -371,7 +317,7 @@ void switch_to_new_gdt(int cpu)
10920  {
10921         struct desc_ptr gdt_descr;
10922  
10923 -       gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10924 +       gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10925         gdt_descr.size = GDT_SIZE - 1;
10926         load_gdt(&gdt_descr);
10927         /* Reload the per-cpu base */
10928 @@ -840,6 +786,10 @@ static void __cpuinit identify_cpu(struc
10929         /* Filter out anything that depends on CPUID levels we don't have */
10930         filter_cpuid_features(c, true);
10931  
10932 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10933 +       setup_clear_cpu_cap(X86_FEATURE_SEP);
10934 +#endif
10935 +
10936         /* If the model name is still unset, do table lookup. */
10937         if (!c->x86_model_id[0]) {
10938                 const char *p;
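Review bot: `setup_clear_cpu_cap(X86_FEATURE_SEP)` under SEGMEXEC/KERNEXEC/UDEREF-on-32-bit silently clears the sysenter feature flag for every CPU, and the hunk gives no reason; this presumably steers the 32-bit vDSO away from the sysenter entry path, which is the sort of change that resurfaces later as a performance question. A comment on the `#if`, e.g. `/* PaX: sysenter entry is not supported with these options; force the int $0x80 path */` (wording to be confirmed against the actual reason), would document it. `identify_cpu` starts before this hunk and continues after it.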
10939 @@ -1019,6 +969,9 @@ static __init int setup_disablecpuid(cha
10940  }
10941  __setup("clearcpuid=", setup_disablecpuid);
10942  
10943 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
10944 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
10945 +
10946  #ifdef CONFIG_X86_64
10947  struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
10948  
10949 @@ -1034,7 +987,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
10950  EXPORT_PER_CPU_SYMBOL(current_task);
10951  
10952  DEFINE_PER_CPU(unsigned long, kernel_stack) =
10953 -       (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
10954 +       (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
10955  EXPORT_PER_CPU_SYMBOL(kernel_stack);
10956  
10957  DEFINE_PER_CPU(char *, irq_stack_ptr) =
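Review bot: `KERNEL_STACK_OFFSET` is replaced by the bare literal `16` in the `kernel_stack` initializer, which is a magic number with no comment; if the macro is removed or redefined elsewhere in the patch, this 16 has to stay in step with whatever the entry code assumes. Either keep a named constant or annotate the line, e.g. `(unsigned long)&init_thread_union - 16 + THREAD_SIZE; /* 16 = <meaning of the reserved bytes>; keep in sync with the entry code */`, with the meaning checked before the comment is written.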
10958 @@ -1099,7 +1052,7 @@ struct pt_regs * __cpuinit idle_regs(str
10959  {
10960         memset(regs, 0, sizeof(struct pt_regs));
10961         regs->fs = __KERNEL_PERCPU;
10962 -       regs->gs = __KERNEL_STACK_CANARY;
10963 +       savesegment(gs, regs->gs);
10964  
10965         return regs;
10966  }
10967 @@ -1154,7 +1107,7 @@ void __cpuinit cpu_init(void)
10968         int i;
10969  
10970         cpu = stack_smp_processor_id();
10971 -       t = &per_cpu(init_tss, cpu);
10972 +       t = init_tss + cpu;
10973         oist = &per_cpu(orig_ist, cpu);
10974  
10975  #ifdef CONFIG_NUMA
10976 @@ -1180,7 +1133,7 @@ void __cpuinit cpu_init(void)
10977         switch_to_new_gdt(cpu);
10978         loadsegment(fs, 0);
10979  
10980 -       load_idt((const struct desc_ptr *)&idt_descr);
10981 +       load_idt(&idt_descr);
10982  
10983         memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10984         syscall_init();
10985 @@ -1189,7 +1142,6 @@ void __cpuinit cpu_init(void)
10986         wrmsrl(MSR_KERNEL_GS_BASE, 0);
10987         barrier();
10988  
10989 -       x86_configure_nx();
10990         if (cpu != 0)
10991                 enable_x2apic();
10992  
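Review bot: Dropping `x86_configure_nx()` from cpu_init leaves no visible place in this hunk where NX configuration is established for secondary CPUs; the removal is only safe if the __supported_pte_mask setup is done once at boot (setup_arch calls it in the unpatched tree) and is not per-CPU state that each cpu_init had to refresh. A one-line comment at the removal site, or a sentence in the description, stating where NX setup now lives would stop a later reader from re-adding the call. cpu_init starts and ends outside the hunk.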
10993 @@ -1243,7 +1195,7 @@ void __cpuinit cpu_init(void)
10994  {
10995         int cpu = smp_processor_id();
10996         struct task_struct *curr = current;
10997 -       struct tss_struct *t = &per_cpu(init_tss, cpu);
10998 +       struct tss_struct *t = init_tss + cpu;
10999         struct thread_struct *thread = &curr->thread;
11000  
11001         if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
11002 diff -urNp linux-3.1.1/arch/x86/kernel/cpu/intel.c linux-3.1.1/arch/x86/kernel/cpu/intel.c
11003 --- linux-3.1.1/arch/x86/kernel/cpu/intel.c     2011-11-11 15:19:27.000000000 -0500
11004 +++ linux-3.1.1/arch/x86/kernel/cpu/intel.c     2011-11-16 18:39:07.000000000 -0500
11005 @@ -172,7 +172,7 @@ static void __cpuinit trap_init_f00f_bug
11006          * Update the IDT descriptor and reload the IDT so that
11007          * it uses the read-only mapped virtual address.
11008          */
11009 -       idt_descr.address = fix_to_virt(FIX_F00F_IDT);
11010 +       idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
11011         load_idt(&idt_descr);
11012  }
11013  #endif
11014 diff -urNp linux-3.1.1/arch/x86/kernel/cpu/Makefile linux-3.1.1/arch/x86/kernel/cpu/Makefile
11015 --- linux-3.1.1/arch/x86/kernel/cpu/Makefile    2011-11-11 15:19:27.000000000 -0500
11016 +++ linux-3.1.1/arch/x86/kernel/cpu/Makefile    2011-11-16 18:39:07.000000000 -0500
11017 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
11018  CFLAGS_REMOVE_perf_event.o = -pg
11019  endif
11020  
11021 -# Make sure load_percpu_segment has no stackprotector
11022 -nostackp := $(call cc-option, -fno-stack-protector)
11023 -CFLAGS_common.o                := $(nostackp)
11024 -
11025  obj-y                  := intel_cacheinfo.o scattered.o topology.o
11026  obj-y                  += proc.o capflags.o powerflags.o common.o
11027  obj-y                  += vmware.o hypervisor.o sched.o mshyperv.o
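Review bot: Removing `CFLAGS_common.o := $(nostackp)` compiles common.o with the stack protector, and the comment being deleted explains why that was avoided: load_percpu_segment switches the segment through which the canary is read, so a protected prologue and epilogue in that function compare canaries fetched from two different segments. The change is safe only if load_percpu_segment has been moved out of common.c or its canary access removed elsewhere in this patch, which this chunk does not show; the SET_KERNEL_GS macro in this patch still loads __KERNEL_STACK_CANARY under CONFIG_CC_STACKPROTECTOR, so the hazard still exists in principle. If the function was moved, say so in the description; otherwise keep the per-file flag.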
11028 diff -urNp linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce.c linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce.c
11029 --- linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce.c        2011-11-11 15:19:27.000000000 -0500
11030 +++ linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce.c        2011-11-16 18:39:07.000000000 -0500
11031 @@ -42,6 +42,7 @@
11032  #include <asm/processor.h>
11033  #include <asm/mce.h>
11034  #include <asm/msr.h>
11035 +#include <asm/local.h>
11036  
11037  #include "mce-internal.h"
11038  
11039 @@ -205,7 +206,7 @@ static void print_mce(struct mce *m)
11040                         !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
11041                                 m->cs, m->ip);
11042  
11043 -               if (m->cs == __KERNEL_CS)
11044 +               if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
11045                         print_symbol("{%s}", m->ip);
11046                 pr_cont("\n");
11047         }
11048 @@ -233,10 +234,10 @@ static void print_mce(struct mce *m)
11049  
11050  #define PANIC_TIMEOUT 5 /* 5 seconds */
11051  
11052 -static atomic_t mce_paniced;
11053 +static atomic_unchecked_t mce_paniced;
11054  
11055  static int fake_panic;
11056 -static atomic_t mce_fake_paniced;
11057 +static atomic_unchecked_t mce_fake_paniced;
11058  
11059  /* Panic in progress. Enable interrupts and wait for final IPI */
11060  static void wait_for_panic(void)
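Review bot: The switch of mce_paniced and mce_fake_paniced to atomic_unchecked_t exempts them from the overflow detection this patch applies to atomic_t, and nothing records why these two qualify while mce_executing, mce_callin and global_nwo in the mce_reset hunk stay checked. Add `/* counters of panic entrants, not reference counts: exempt from overflow checking */` at the definitions so the exemption is deliberate and visible. The same conversion is applied at the use sites in the mce_panic, mce_timed_out and mce_reset hunks below, so one comment here covers them all.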
11061 @@ -260,7 +261,7 @@ static void mce_panic(char *msg, struct 
11062                 /*
11063                  * Make sure only one CPU runs in machine check panic
11064                  */
11065 -               if (atomic_inc_return(&mce_paniced) > 1)
11066 +               if (atomic_inc_return_unchecked(&mce_paniced) > 1)
11067                         wait_for_panic();
11068                 barrier();
11069  
11070 @@ -268,7 +269,7 @@ static void mce_panic(char *msg, struct 
11071                 console_verbose();
11072         } else {
11073                 /* Don't log too much for fake panic */
11074 -               if (atomic_inc_return(&mce_fake_paniced) > 1)
11075 +               if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
11076                         return;
11077         }
11078         /* First print corrected ones that are still unlogged */
11079 @@ -610,7 +611,7 @@ static int mce_timed_out(u64 *t)
11080          * might have been modified by someone else.
11081          */
11082         rmb();
11083 -       if (atomic_read(&mce_paniced))
11084 +       if (atomic_read_unchecked(&mce_paniced))
11085                 wait_for_panic();
11086         if (!monarch_timeout)
11087                 goto out;
11088 @@ -1429,7 +1430,7 @@ void __cpuinit mcheck_cpu_init(struct cp
11089   */
11090  
11091  static DEFINE_SPINLOCK(mce_chrdev_state_lock);
11092 -static int mce_chrdev_open_count;      /* #times opened */
11093 +static local_t mce_chrdev_open_count;  /* #times opened */
11094  static int mce_chrdev_open_exclu;      /* already open exclusive? */
11095  
11096  static int mce_chrdev_open(struct inode *inode, struct file *file)
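Review bot: `local_t` is meant for per-CPU data updated from its own CPU, but mce_chrdev_open_count is one global shared by every opener; what actually makes the count safe is mce_chrdev_state_lock, which is held around each local_read/local_inc/local_dec in the mce_chrdev_open and mce_chrdev_release hunks that follow. Either say so — `/* global, not per-CPU: serialised by mce_chrdev_state_lock; local_t only keeps the count out of overflow checking */` — or use the atomic_unchecked_t type already chosen for mce_paniced in this file, so both exemptions read the same way.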
11097 @@ -1437,7 +1438,7 @@ static int mce_chrdev_open(struct inode 
11098         spin_lock(&mce_chrdev_state_lock);
11099  
11100         if (mce_chrdev_open_exclu ||
11101 -           (mce_chrdev_open_count && (file->f_flags & O_EXCL))) {
11102 +           (local_read(&mce_chrdev_open_count) && (file->f_flags & O_EXCL))) {
11103                 spin_unlock(&mce_chrdev_state_lock);
11104  
11105                 return -EBUSY;
11106 @@ -1445,7 +1446,7 @@ static int mce_chrdev_open(struct inode 
11107  
11108         if (file->f_flags & O_EXCL)
11109                 mce_chrdev_open_exclu = 1;
11110 -       mce_chrdev_open_count++;
11111 +       local_inc(&mce_chrdev_open_count);
11112  
11113         spin_unlock(&mce_chrdev_state_lock);
11114  
11115 @@ -1456,7 +1457,7 @@ static int mce_chrdev_release(struct ino
11116  {
11117         spin_lock(&mce_chrdev_state_lock);
11118  
11119 -       mce_chrdev_open_count--;
11120 +       local_dec(&mce_chrdev_open_count);
11121         mce_chrdev_open_exclu = 0;
11122  
11123         spin_unlock(&mce_chrdev_state_lock);
11124 @@ -2147,7 +2148,7 @@ struct dentry *mce_get_debugfs_dir(void)
11125  static void mce_reset(void)
11126  {
11127         cpu_missing = 0;
11128 -       atomic_set(&mce_fake_paniced, 0);
11129 +       atomic_set_unchecked(&mce_fake_paniced, 0);
11130         atomic_set(&mce_executing, 0);
11131         atomic_set(&mce_callin, 0);
11132         atomic_set(&global_nwo, 0);
11133 diff -urNp linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce-inject.c
11134 --- linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-11-11 15:19:27.000000000 -0500
11135 +++ linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-11-16 18:39:07.000000000 -0500
11136 @@ -215,7 +215,9 @@ static int inject_init(void)
11137         if (!alloc_cpumask_var(&mce_inject_cpumask, GFP_KERNEL))
11138                 return -ENOMEM;
11139         printk(KERN_INFO "Machine check injector initialized\n");
11140 -       mce_chrdev_ops.write = mce_write;
11141 +       pax_open_kernel();
11142 +       *(void **)&mce_chrdev_ops.write = mce_write;
11143 +       pax_close_kernel();
11144         register_die_notifier(&mce_raise_nb);
11145         return 0;
11146  }
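Review bot: `*(void **)&mce_chrdev_ops.write = mce_write` writes through a pointer that strips the qualifiers of mce_chrdev_ops; if that object has been made const elsewhere in this patch (the pax_open_kernel() bracket suggests it now lives in write-protected memory), the store is formally undefined and the compiler may assume the field never changes. This is the project's established idiom for patching read-only ops tables, so if it stays, the cast deserves a comment — `/* mce_chrdev_ops is read-only after boot; install the write hook through the KERNEXEC window */` — and the window should remain as narrow as it is here, with nothing else between open and close. inject_init starts outside the hunk.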
11147 diff -urNp linux-3.1.1/arch/x86/kernel/cpu/mtrr/main.c linux-3.1.1/arch/x86/kernel/cpu/mtrr/main.c
11148 --- linux-3.1.1/arch/x86/kernel/cpu/mtrr/main.c 2011-11-11 15:19:27.000000000 -0500
11149 +++ linux-3.1.1/arch/x86/kernel/cpu/mtrr/main.c 2011-11-16 18:39:07.000000000 -0500
11150 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
11151  u64 size_or_mask, size_and_mask;
11152  static bool mtrr_aps_delayed_init;
11153  
11154 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
11155 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
11156  
11157  const struct mtrr_ops *mtrr_if;
11158  
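Review bot: Marking `mtrr_ops[X86_VENDOR_NUM]` `__read_only` means every store into it must go through pax_open_kernel()/pax_close_kernel(), and the code that fills the table (the vendor init paths) is not in this hunk; any assignment that was not converted will fault the first time that vendor's MTRR init runs after the section is write-protected. Please confirm each store to mtrr_ops[] in this file has the bracket, and add `/* filled once at init under pax_open_kernel(); read-only afterwards */` at the definition. The companion `__do_const` on struct mtrr_ops in the next hunk carries the same implication for any code that mutates an mtrr_ops instance after initialisation.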
11159 diff -urNp linux-3.1.1/arch/x86/kernel/cpu/mtrr/mtrr.h linux-3.1.1/arch/x86/kernel/cpu/mtrr/mtrr.h
11160 --- linux-3.1.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-11-11 15:19:27.000000000 -0500
11161 +++ linux-3.1.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-11-16 18:39:07.000000000 -0500
11162 @@ -25,7 +25,7 @@ struct mtrr_ops {
11163         int     (*validate_add_page)(unsigned long base, unsigned long size,
11164                                      unsigned int type);
11165         int     (*have_wrcomb)(void);
11166 -};
11167 +} __do_const;
11168  
11169  extern int generic_get_free_region(unsigned long base, unsigned long size,
11170                                    int replace_reg);
11171 diff -urNp linux-3.1.1/arch/x86/kernel/cpu/perf_event.c linux-3.1.1/arch/x86/kernel/cpu/perf_event.c
11172 --- linux-3.1.1/arch/x86/kernel/cpu/perf_event.c        2011-11-11 15:19:27.000000000 -0500
11173 +++ linux-3.1.1/arch/x86/kernel/cpu/perf_event.c        2011-11-16 18:40:08.000000000 -0500
11174 @@ -795,6 +795,8 @@ static int x86_schedule_events(struct cp
11175         int i, j, w, wmax, num = 0;
11176         struct hw_perf_event *hwc;
11177  
11178 +       pax_track_stack();
11179 +
11180         bitmap_zero(used_mask, X86_PMC_IDX_MAX);
11181  
11182         for (i = 0; i < n; i++) {
11183 @@ -1919,7 +1921,7 @@ perf_callchain_user(struct perf_callchai
11184                         break;
11185  
11186                 perf_callchain_store(entry, frame.return_address);
11187 -               fp = frame.next_frame;
11188 +               fp = (const void __force_user *)frame.next_frame;
11189         }
11190  }
11191  
11192 diff -urNp linux-3.1.1/arch/x86/kernel/crash.c linux-3.1.1/arch/x86/kernel/crash.c
11193 --- linux-3.1.1/arch/x86/kernel/crash.c 2011-11-11 15:19:27.000000000 -0500
11194 +++ linux-3.1.1/arch/x86/kernel/crash.c 2011-11-16 18:39:07.000000000 -0500
11195 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu, 
11196         regs = args->regs;
11197  
11198  #ifdef CONFIG_X86_32
11199 -       if (!user_mode_vm(regs)) {
11200 +       if (!user_mode(regs)) {
11201                 crash_fixup_ss_esp(&fixed_regs, regs);
11202                 regs = &fixed_regs;
11203         }
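Review bot: On 32-bit, `user_mode_vm(regs)` also treats a VM86 frame as user mode, whereas `user_mode(regs)` in the unpatched tree looks only at the CS RPL; unless this patch redefines user_mode() to cover vm86 (not visible here), kdump_nmi_callback would now run crash_fixup_ss_esp on a vm86 frame. The same substitution is made in show_registers, __die and die in the dumpstack hunks below, so the assumption has to hold for all of them; a comment at this first site, `/* user_mode() also covers vm86 frames after this patch */`, or a pointer to the header that changes it, would settle the question. kdump_nmi_callback starts and ends outside the hunk.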
11204 diff -urNp linux-3.1.1/arch/x86/kernel/doublefault_32.c linux-3.1.1/arch/x86/kernel/doublefault_32.c
11205 --- linux-3.1.1/arch/x86/kernel/doublefault_32.c        2011-11-11 15:19:27.000000000 -0500
11206 +++ linux-3.1.1/arch/x86/kernel/doublefault_32.c        2011-11-16 18:39:07.000000000 -0500
11207 @@ -11,7 +11,7 @@
11208  
11209  #define DOUBLEFAULT_STACKSIZE (1024)
11210  static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
11211 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
11212 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
11213  
11214  #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
11215  
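Review bot: The `-2` added to `STACK_START` reserves two words at the top of doublefault_stack without saying what occupies them, and nothing else in this file section refers to the reservation. Put the reason on the macro, e.g. `/* leave two words above the initial %esp for <what the entry path stores there> */` — presumably slots the new __SAVE_ALL path expects to find, but that should be confirmed rather than guessed by the next reader.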
11216 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
11217         unsigned long gdt, tss;
11218  
11219         store_gdt(&gdt_desc);
11220 -       gdt = gdt_desc.address;
11221 +       gdt = (unsigned long)gdt_desc.address;
11222  
11223         printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
11224  
11225 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
11226                 /* 0x2 bit is always set */
11227                 .flags          = X86_EFLAGS_SF | 0x2,
11228                 .sp             = STACK_START,
11229 -               .es             = __USER_DS,
11230 +               .es             = __KERNEL_DS,
11231                 .cs             = __KERNEL_CS,
11232                 .ss             = __KERNEL_DS,
11233 -               .ds             = __USER_DS,
11234 +               .ds             = __KERNEL_DS,
11235                 .fs             = __KERNEL_PERCPU,
11236  
11237                 .__cr3          = __pa_nodebug(swapper_pg_dir),
11238 diff -urNp linux-3.1.1/arch/x86/kernel/dumpstack_32.c linux-3.1.1/arch/x86/kernel/dumpstack_32.c
11239 --- linux-3.1.1/arch/x86/kernel/dumpstack_32.c  2011-11-11 15:19:27.000000000 -0500
11240 +++ linux-3.1.1/arch/x86/kernel/dumpstack_32.c  2011-11-16 18:39:07.000000000 -0500
11241 @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task
11242                 bp = stack_frame(task, regs);
11243  
11244         for (;;) {
11245 -               struct thread_info *context;
11246 +               void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11247  
11248 -               context = (struct thread_info *)
11249 -                       ((unsigned long)stack & (~(THREAD_SIZE - 1)));
11250 -               bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
11251 +               bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11252  
11253 -               stack = (unsigned long *)context->previous_esp;
11254 -               if (!stack)
11255 +               if (stack_start == task_stack_page(task))
11256                         break;
11257 +               stack = *(unsigned long **)stack_start;
11258                 if (ops->stack(data, "IRQ") < 0)
11259                         break;
11260                 touch_nmi_watchdog();
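Review bot: The old loop stopped when `context->previous_esp` was zero, but the new one stops only when `stack_start == task_stack_page(task)`, and `stack = *(unsigned long **)stack_start` is then used unconditionally on the next iteration; an IRQ stack whose bottom word was never linked (zero or stale) yields a bogus stack_start, and valid_stack_ptr accepts any pointer inside that page because stack_start is derived from stack itself. Keep a guard after the load — `if (!stack) break;` — and ideally `if (!virt_addr_valid(stack)) break;` so a corrupt link cannot turn an oops dump into a second fault. dump_trace starts and ends outside the hunk.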
11261 @@ -96,21 +94,22 @@ void show_registers(struct pt_regs *regs
11262          * When in-kernel, we also print out the stack and code at the
11263          * time of the fault..
11264          */
11265 -       if (!user_mode_vm(regs)) {
11266 +       if (!user_mode(regs)) {
11267                 unsigned int code_prologue = code_bytes * 43 / 64;
11268                 unsigned int code_len = code_bytes;
11269                 unsigned char c;
11270                 u8 *ip;
11271 +               unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
11272  
11273                 printk(KERN_EMERG "Stack:\n");
11274                 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
11275  
11276                 printk(KERN_EMERG "Code: ");
11277  
11278 -               ip = (u8 *)regs->ip - code_prologue;
11279 +               ip = (u8 *)regs->ip - code_prologue + cs_base;
11280                 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
11281                         /* try starting at IP */
11282 -                       ip = (u8 *)regs->ip;
11283 +                       ip = (u8 *)regs->ip + cs_base;
11284                         code_len = code_len - code_prologue + 1;
11285                 }
11286                 for (i = 0; i < code_len; i++, ip++) {
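Review bot: `get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]` indexes the GDT with a selector that is checked neither for the TI bit nor for an index beyond the table, so a corrupted or LDT-relative %cs in an oops frame reads some other descriptor (or past the end of the GDT) before the dump even starts. A guard such as `if (regs->cs & 4) cs_base = 0;`, or bounding the index against GDT_ENTRIES, keeps the diagnostic path from compounding the original fault. Note also that `ip < (u8 *)PAGE_OFFSET` is now evaluated on the base-adjusted pointer, which is the intent under KERNEXEC but worth a one-line comment. show_registers starts and ends outside the hunk.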
11287 @@ -119,7 +118,7 @@ void show_registers(struct pt_regs *regs
11288                                 printk(" Bad EIP value.");
11289                                 break;
11290                         }
11291 -                       if (ip == (u8 *)regs->ip)
11292 +                       if (ip == (u8 *)regs->ip + cs_base)
11293                                 printk("<%02x> ", c);
11294                         else
11295                                 printk("%02x ", c);
11296 @@ -132,6 +131,7 @@ int is_valid_bugaddr(unsigned long ip)
11297  {
11298         unsigned short ud2;
11299  
11300 +       ip = ktla_ktva(ip);
11301         if (ip < PAGE_OFFSET)
11302                 return 0;
11303         if (probe_kernel_address((unsigned short *)ip, ud2))
11304 @@ -139,3 +139,15 @@ int is_valid_bugaddr(unsigned long ip)
11305  
11306         return ud2 == 0x0b0f;
11307  }
11308 +
11309 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11310 +void pax_check_alloca(unsigned long size)
11311 +{
11312 +       unsigned long sp = (unsigned long)&sp, stack_left;
11313 +
11314 +       /* all kernel stacks are of the same size */
11315 +       stack_left = sp & (THREAD_SIZE - 1);
11316 +       BUG_ON(stack_left < 256 || size >= stack_left - 256);
11317 +}
11318 +EXPORT_SYMBOL(pax_check_alloca);
11319 +#endif
11320 diff -urNp linux-3.1.1/arch/x86/kernel/dumpstack_64.c linux-3.1.1/arch/x86/kernel/dumpstack_64.c
11321 --- linux-3.1.1/arch/x86/kernel/dumpstack_64.c  2011-11-11 15:19:27.000000000 -0500
11322 +++ linux-3.1.1/arch/x86/kernel/dumpstack_64.c  2011-11-16 18:39:07.000000000 -0500
11323 @@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task
11324         unsigned long *irq_stack_end =
11325                 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
11326         unsigned used = 0;
11327 -       struct thread_info *tinfo;
11328         int graph = 0;
11329         unsigned long dummy;
11330 +       void *stack_start;
11331  
11332         if (!task)
11333                 task = current;
11334 @@ -142,10 +142,10 @@ void dump_trace(struct task_struct *task
11335          * current stack address. If the stacks consist of nested
11336          * exceptions
11337          */
11338 -       tinfo = task_thread_info(task);
11339         for (;;) {
11340                 char *id;
11341                 unsigned long *estack_end;
11342 +
11343                 estack_end = in_exception_stack(cpu, (unsigned long)stack,
11344                                                 &used, &id);
11345  
11346 @@ -153,7 +153,7 @@ void dump_trace(struct task_struct *task
11347                         if (ops->stack(data, id) < 0)
11348                                 break;
11349  
11350 -                       bp = ops->walk_stack(tinfo, stack, bp, ops,
11351 +                       bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
11352                                              data, estack_end, &graph);
11353                         ops->stack(data, "<EOE>");
11354                         /*
11355 @@ -172,7 +172,7 @@ void dump_trace(struct task_struct *task
11356                         if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
11357                                 if (ops->stack(data, "IRQ") < 0)
11358                                         break;
11359 -                               bp = ops->walk_stack(tinfo, stack, bp,
11360 +                               bp = ops->walk_stack(task, irq_stack, stack, bp,
11361                                         ops, data, irq_stack_end, &graph);
11362                                 /*
11363                                  * We link to the next stack (which would be
11364 @@ -191,7 +191,8 @@ void dump_trace(struct task_struct *task
11365         /*
11366          * This handles the process stack:
11367          */
11368 -       bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
11369 +       stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11370 +       bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11371         put_cpu();
11372  }
11373  EXPORT_SYMBOL(dump_trace);
11374 @@ -305,3 +306,50 @@ int is_valid_bugaddr(unsigned long ip)
11375  
11376         return ud2 == 0x0b0f;
11377  }
11378 +
11379 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11380 +void pax_check_alloca(unsigned long size)
11381 +{
11382 +       unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
11383 +       unsigned cpu, used;
11384 +       char *id;
11385 +
11386 +       /* check the process stack first */
11387 +       stack_start = (unsigned long)task_stack_page(current);
11388 +       stack_end = stack_start + THREAD_SIZE;
11389 +       if (likely(stack_start <= sp && sp < stack_end)) {
11390 +               unsigned long stack_left = sp & (THREAD_SIZE - 1);
11391 +               BUG_ON(stack_left < 256 || size >= stack_left - 256);
11392 +               return;
11393 +       }
11394 +
11395 +       cpu = get_cpu();
11396 +
11397 +       /* check the irq stacks */
11398 +       stack_end = (unsigned long)per_cpu(irq_stack_ptr, cpu);
11399 +       stack_start = stack_end - IRQ_STACK_SIZE;
11400 +       if (stack_start <= sp && sp < stack_end) {
11401 +               unsigned long stack_left = sp & (IRQ_STACK_SIZE - 1);
11402 +               put_cpu();
11403 +               BUG_ON(stack_left < 256 || size >= stack_left - 256);
11404 +               return;
11405 +       }
11406 +
11407 +       /* check the exception stacks */
11408 +       used = 0;
11409 +       stack_end = (unsigned long)in_exception_stack(cpu, sp, &used, &id);
11410 +       stack_start = stack_end - EXCEPTION_STKSZ;
11411 +       if (stack_end && stack_start <= sp && sp < stack_end) {
11412 +               unsigned long stack_left = sp & (EXCEPTION_STKSZ - 1);
11413 +               put_cpu();
11414 +               BUG_ON(stack_left < 256 || size >= stack_left - 256);
11415 +               return;
11416 +       }
11417 +
11418 +       put_cpu();
11419 +
11420 +       /* unknown stack */
11421 +       BUG();
11422 +}
11423 +EXPORT_SYMBOL(pax_check_alloca);
11424 +#endif
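Review bot: The headroom check `BUG_ON(stack_left < 256 || size >= stack_left - 256)` is written out three times here and once more in the 32-bit version above, each with the bare literal 256; one named constant and one helper would make the policy visible and keep the four copies from diverging, e.g. `#define ALLOCA_HEADROOM 256` (constructed name) and `static inline void check_alloca_room(unsigned long left, unsigned long size) { BUG_ON(left < ALLOCA_HEADROOM || size >= left - ALLOCA_HEADROOM); }` in a shared header. Naming the constant also documents what 256 is — the slack kept below the alloca for the callee's own frame — which the function header should state. Calling put_cpu() before BUG_ON() in the irq and exception branches is correct but looks inconsistent with the bare BUG() at the end, so a short comment there would help.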
11425 diff -urNp linux-3.1.1/arch/x86/kernel/dumpstack.c linux-3.1.1/arch/x86/kernel/dumpstack.c
11426 --- linux-3.1.1/arch/x86/kernel/dumpstack.c     2011-11-11 15:19:27.000000000 -0500
11427 +++ linux-3.1.1/arch/x86/kernel/dumpstack.c     2011-11-16 18:40:08.000000000 -0500
11428 @@ -2,6 +2,9 @@
11429   *  Copyright (C) 1991, 1992  Linus Torvalds
11430   *  Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11431   */
11432 +#ifdef CONFIG_GRKERNSEC_HIDESYM
11433 +#define __INCLUDED_BY_HIDESYM 1
11434 +#endif
11435  #include <linux/kallsyms.h>
11436  #include <linux/kprobes.h>
11437  #include <linux/uaccess.h>
11438 @@ -35,9 +38,8 @@ void printk_address(unsigned long addres
11439  static void
11440  print_ftrace_graph_addr(unsigned long addr, void *data,
11441                         const struct stacktrace_ops *ops,
11442 -                       struct thread_info *tinfo, int *graph)
11443 +                       struct task_struct *task, int *graph)
11444  {
11445 -       struct task_struct *task = tinfo->task;
11446         unsigned long ret_addr;
11447         int index = task->curr_ret_stack;
11448  
11449 @@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
11450  static inline void
11451  print_ftrace_graph_addr(unsigned long addr, void *data,
11452                         const struct stacktrace_ops *ops,
11453 -                       struct thread_info *tinfo, int *graph)
11454 +                       struct task_struct *task, int *graph)
11455  { }
11456  #endif
11457  
11458 @@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
11459   * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
11460   */
11461  
11462 -static inline int valid_stack_ptr(struct thread_info *tinfo,
11463 -                       void *p, unsigned int size, void *end)
11464 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
11465  {
11466 -       void *t = tinfo;
11467         if (end) {
11468                 if (p < end && p >= (end-THREAD_SIZE))
11469                         return 1;
11470 @@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
11471  }
11472  
11473  unsigned long
11474 -print_context_stack(struct thread_info *tinfo,
11475 +print_context_stack(struct task_struct *task, void *stack_start,
11476                 unsigned long *stack, unsigned long bp,
11477                 const struct stacktrace_ops *ops, void *data,
11478                 unsigned long *end, int *graph)
11479  {
11480         struct stack_frame *frame = (struct stack_frame *)bp;
11481  
11482 -       while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
11483 +       while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
11484                 unsigned long addr;
11485  
11486                 addr = *stack;
11487 @@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
11488                         } else {
11489                                 ops->address(data, addr, 0);
11490                         }
11491 -                       print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11492 +                       print_ftrace_graph_addr(addr, data, ops, task, graph);
11493                 }
11494                 stack++;
11495         }
11496 @@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
11497  EXPORT_SYMBOL_GPL(print_context_stack);
11498  
11499  unsigned long
11500 -print_context_stack_bp(struct thread_info *tinfo,
11501 +print_context_stack_bp(struct task_struct *task, void *stack_start,
11502                        unsigned long *stack, unsigned long bp,
11503                        const struct stacktrace_ops *ops, void *data,
11504                        unsigned long *end, int *graph)
11505 @@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
11506         struct stack_frame *frame = (struct stack_frame *)bp;
11507         unsigned long *ret_addr = &frame->return_address;
11508  
11509 -       while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
11510 +       while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
11511                 unsigned long addr = *ret_addr;
11512  
11513                 if (!__kernel_text_address(addr))
11514 @@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
11515                 ops->address(data, addr, 1);
11516                 frame = frame->next_frame;
11517                 ret_addr = &frame->return_address;
11518 -               print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11519 +               print_ftrace_graph_addr(addr, data, ops, task, graph);
11520         }
11521  
11522         return (unsigned long)frame;
11523 @@ -186,7 +186,7 @@ void dump_stack(void)
11524  
11525         bp = stack_frame(current, NULL);
11526         printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11527 -               current->pid, current->comm, current->xid, print_tainted(),
11528 +               task_pid_nr(current), current->comm, current->xid, print_tainted(),
11529                 init_utsname()->release,
11530                 (int)strcspn(init_utsname()->version, " "),
11531                 init_utsname()->version);
11532 @@ -222,6 +222,8 @@ unsigned __kprobes long oops_begin(void)
11533  }
11534  EXPORT_SYMBOL_GPL(oops_begin);
11535  
11536 +extern void gr_handle_kernel_exploit(void);
11537 +
11538  void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
11539  {
11540         if (regs && kexec_should_crash(current))
11541 @@ -243,7 +245,10 @@ void __kprobes oops_end(unsigned long fl
11542                 panic("Fatal exception in interrupt");
11543         if (panic_on_oops)
11544                 panic("Fatal exception");
11545 -       do_exit(signr);
11546 +
11547 +       gr_handle_kernel_exploit();
11548 +
11549 +       do_group_exit(signr);
11550  }
11551  
11552  int __kprobes __die(const char *str, struct pt_regs *regs, long err)
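Review bot: The `extern void gr_handle_kernel_exploit(void);` prototype is placed in the .c file instead of a shared header, so declaration and definition can silently disagree; it belongs in the header that declares the other gr_* hooks. The switch from `do_exit(signr)` to `do_group_exit(signr)` is an observable change — the whole thread group dies on an oops, not just the faulting thread — and is presumably intentional hardening against a process surviving a half-completed kernel path, so record that: `/* kill the whole thread group: a task that oopsed in one thread must not keep running in the others */`. oops_end starts outside the hunk.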
11553 @@ -269,7 +274,7 @@ int __kprobes __die(const char *str, str
11554  
11555         show_registers(regs);
11556  #ifdef CONFIG_X86_32
11557 -       if (user_mode_vm(regs)) {
11558 +       if (user_mode(regs)) {
11559                 sp = regs->sp;
11560                 ss = regs->ss & 0xffff;
11561         } else {
11562 @@ -297,7 +302,7 @@ void die(const char *str, struct pt_regs
11563         unsigned long flags = oops_begin();
11564         int sig = SIGSEGV;
11565  
11566 -       if (!user_mode_vm(regs))
11567 +       if (!user_mode(regs))
11568                 report_bug(regs->ip, regs);
11569  
11570         if (__die(str, regs, err))
11571 diff -urNp linux-3.1.1/arch/x86/kernel/early_printk.c linux-3.1.1/arch/x86/kernel/early_printk.c
11572 --- linux-3.1.1/arch/x86/kernel/early_printk.c  2011-11-11 15:19:27.000000000 -0500
11573 +++ linux-3.1.1/arch/x86/kernel/early_printk.c  2011-11-16 18:40:08.000000000 -0500
11574 @@ -7,6 +7,7 @@
11575  #include <linux/pci_regs.h>
11576  #include <linux/pci_ids.h>
11577  #include <linux/errno.h>
11578 +#include <linux/sched.h>
11579  #include <asm/io.h>
11580  #include <asm/processor.h>
11581  #include <asm/fcntl.h>
11582 @@ -179,6 +180,8 @@ asmlinkage void early_printk(const char 
11583         int n;
11584         va_list ap;
11585  
11586 +       pax_track_stack();
11587 +
11588         va_start(ap, fmt);
11589         n = vscnprintf(buf, sizeof(buf), fmt, ap);
11590         early_console->write(early_console, buf, n);
11591 diff -urNp linux-3.1.1/arch/x86/kernel/entry_32.S linux-3.1.1/arch/x86/kernel/entry_32.S
11592 --- linux-3.1.1/arch/x86/kernel/entry_32.S      2011-11-11 15:19:27.000000000 -0500
11593 +++ linux-3.1.1/arch/x86/kernel/entry_32.S      2011-11-16 18:40:08.000000000 -0500
11594 @@ -186,13 +186,146 @@
11595         /*CFI_REL_OFFSET gs, PT_GS*/
11596  .endm
11597  .macro SET_KERNEL_GS reg
11598 +
11599 +#ifdef CONFIG_CC_STACKPROTECTOR
11600         movl $(__KERNEL_STACK_CANARY), \reg
11601 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
11602 +       movl $(__USER_DS), \reg
11603 +#else
11604 +       xorl \reg, \reg
11605 +#endif
11606 +
11607         movl \reg, %gs
11608  .endm
11609  
11610  #endif /* CONFIG_X86_32_LAZY_GS */
11611  
11612 -.macro SAVE_ALL
11613 +.macro pax_enter_kernel
11614 +#ifdef CONFIG_PAX_KERNEXEC
11615 +       call pax_enter_kernel
11616 +#endif
11617 +.endm
11618 +
11619 +.macro pax_exit_kernel
11620 +#ifdef CONFIG_PAX_KERNEXEC
11621 +       call pax_exit_kernel
11622 +#endif
11623 +.endm
11624 +
11625 +#ifdef CONFIG_PAX_KERNEXEC
11626 +ENTRY(pax_enter_kernel)
11627 +#ifdef CONFIG_PARAVIRT
11628 +       pushl %eax
11629 +       pushl %ecx
11630 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11631 +       mov %eax, %esi
11632 +#else
11633 +       mov %cr0, %esi
11634 +#endif
11635 +       bts $16, %esi
11636 +       jnc 1f
11637 +       mov %cs, %esi
11638 +       cmp $__KERNEL_CS, %esi
11639 +       jz 3f
11640 +       ljmp $__KERNEL_CS, $3f
11641 +1:     ljmp $__KERNEXEC_KERNEL_CS, $2f
11642 +2:
11643 +#ifdef CONFIG_PARAVIRT
11644 +       mov %esi, %eax
11645 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11646 +#else
11647 +       mov %esi, %cr0
11648 +#endif
11649 +3:
11650 +#ifdef CONFIG_PARAVIRT
11651 +       popl %ecx
11652 +       popl %eax
11653 +#endif
11654 +       ret
11655 +ENDPROC(pax_enter_kernel)
11656 +
11657 +ENTRY(pax_exit_kernel)
11658 +#ifdef CONFIG_PARAVIRT
11659 +       pushl %eax
11660 +       pushl %ecx
11661 +#endif
11662 +       mov %cs, %esi
11663 +       cmp $__KERNEXEC_KERNEL_CS, %esi
11664 +       jnz 2f
11665 +#ifdef CONFIG_PARAVIRT
11666 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11667 +       mov %eax, %esi
11668 +#else
11669 +       mov %cr0, %esi
11670 +#endif
11671 +       btr $16, %esi
11672 +       ljmp $__KERNEL_CS, $1f
11673 +1:
11674 +#ifdef CONFIG_PARAVIRT
11675 +       mov %esi, %eax
11676 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11677 +#else
11678 +       mov %esi, %cr0
11679 +#endif
11680 +2:
11681 +#ifdef CONFIG_PARAVIRT
11682 +       popl %ecx
11683 +       popl %eax
11684 +#endif
11685 +       ret
11686 +ENDPROC(pax_exit_kernel)
11687 +#endif
11688 +
11689 +.macro pax_erase_kstack
11690 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11691 +       call pax_erase_kstack
11692 +#endif
11693 +.endm
11694 +
11695 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11696 +/*
11697 + * ebp: thread_info
11698 + * ecx, edx: can be clobbered
11699 + */
11700 +ENTRY(pax_erase_kstack)
11701 +       pushl %edi
11702 +       pushl %eax
11703 +
11704 +       mov TI_lowest_stack(%ebp), %edi
11705 +       mov $-0xBEEF, %eax
11706 +       std
11707 +
11708 +1:     mov %edi, %ecx
11709 +       and $THREAD_SIZE_asm - 1, %ecx
11710 +       shr $2, %ecx
11711 +       repne scasl
11712 +       jecxz 2f
11713 +
11714 +       cmp $2*16, %ecx
11715 +       jc 2f
11716 +
11717 +       mov $2*16, %ecx
11718 +       repe scasl
11719 +       jecxz 2f
11720 +       jne 1b
11721 +
11722 +2:     cld
11723 +       mov %esp, %ecx
11724 +       sub %edi, %ecx
11725 +       shr $2, %ecx
11726 +       rep stosl
11727 +
11728 +       mov TI_task_thread_sp0(%ebp), %edi
11729 +       sub $128, %edi
11730 +       mov %edi, TI_lowest_stack(%ebp)
11731 +
11732 +       popl %eax
11733 +       popl %edi
11734 +       ret
11735 +ENDPROC(pax_erase_kstack)
11736 +#endif
11737 +
11738 +.macro __SAVE_ALL _DS
11739         cld
11740         PUSH_GS
11741         pushl_cfi %fs
11742 @@ -215,7 +348,7 @@
11743         CFI_REL_OFFSET ecx, 0
11744         pushl_cfi %ebx
11745         CFI_REL_OFFSET ebx, 0
11746 -       movl $(__USER_DS), %edx
11747 +       movl $\_DS, %edx
11748         movl %edx, %ds
11749         movl %edx, %es
11750         movl $(__KERNEL_PERCPU), %edx
11751 @@ -223,6 +356,15 @@
11752         SET_KERNEL_GS %edx
11753  .endm
11754  
11755 +.macro SAVE_ALL
11756 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11757 +       __SAVE_ALL __KERNEL_DS
11758 +       pax_enter_kernel
11759 +#else
11760 +       __SAVE_ALL __USER_DS
11761 +#endif
11762 +.endm
11763 +
11764  .macro RESTORE_INT_REGS
11765         popl_cfi %ebx
11766         CFI_RESTORE ebx
11767 @@ -308,7 +450,7 @@ ENTRY(ret_from_fork)
11768         popfl_cfi
11769         jmp syscall_exit
11770         CFI_ENDPROC
11771 -END(ret_from_fork)
11772 +ENDPROC(ret_from_fork)
11773  
11774  /*
11775   * Interrupt exit functions should be protected against kprobes
11776 @@ -333,7 +475,15 @@ check_userspace:
11777         movb PT_CS(%esp), %al
11778         andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11779         cmpl $USER_RPL, %eax
11780 +
11781 +#ifdef CONFIG_PAX_KERNEXEC
11782 +       jae resume_userspace
11783 +
11784 +       PAX_EXIT_KERNEL
11785 +       jmp resume_kernel
11786 +#else
11787         jb resume_kernel                # not returning to v8086 or userspace
11788 +#endif
11789  
11790  ENTRY(resume_userspace)
11791         LOCKDEP_SYS_EXIT
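Review bot: `PAX_EXIT_KERNEL` in the new CONFIG_PAX_KERNEXEC branch is the only upper-case spelling of this helper on the page; the other call sites in this file (`pax_enter_kernel` inside SAVE_ALL, `pax_exit_kernel` after the do_nmi calls) and the 64-bit file's `.macro pax_exit_kernel` are lower case. If the 32-bit macro is defined in lower case (its definition is above the start of this view), this invocation relies on the assembler's handling of macro-name case, which a reader should not have to know; I would write `pax_exit_kernel` here. The `# not returning to v8086 or userspace` comment now survives only on the #else path, so the new branch reads bare; `jae resume_userspace  # returning to v8086 or userspace` and `jmp resume_kernel  # kernel return: undo pax_enter_kernel first` would keep both paths self-explanatory.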
11792 @@ -345,8 +495,8 @@ ENTRY(resume_userspace)
11793         andl $_TIF_WORK_MASK, %ecx      # is there any work to be done on
11794                                         # int/exception return?
11795         jne work_pending
11796 -       jmp restore_all
11797 -END(ret_from_exception)
11798 +       jmp restore_all_pax
11799 +ENDPROC(ret_from_exception)
11800  
11801  #ifdef CONFIG_PREEMPT
11802  ENTRY(resume_kernel)
11803 @@ -361,7 +511,7 @@ need_resched:
11804         jz restore_all
11805         call preempt_schedule_irq
11806         jmp need_resched
11807 -END(resume_kernel)
11808 +ENDPROC(resume_kernel)
11809  #endif
11810         CFI_ENDPROC
11811  /*
11812 @@ -395,23 +545,34 @@ sysenter_past_esp:
11813         /*CFI_REL_OFFSET cs, 0*/
11814         /*
11815          * Push current_thread_info()->sysenter_return to the stack.
11816 -        * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11817 -        * pushed above; +8 corresponds to copy_thread's esp0 setting.
11818          */
11819 -       pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
11820 +       pushl_cfi $0
11821         CFI_REL_OFFSET eip, 0
11822  
11823         pushl_cfi %eax
11824         SAVE_ALL
11825 +       GET_THREAD_INFO(%ebp)
11826 +       movl TI_sysenter_return(%ebp),%ebp
11827 +       movl %ebp,PT_EIP(%esp)
11828         ENABLE_INTERRUPTS(CLBR_NONE)
11829  
11830  /*
11831   * Load the potential sixth argument from user stack.
11832   * Careful about security.
11833   */
11834 +       movl PT_OLDESP(%esp),%ebp
11835 +
11836 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11837 +       mov PT_OLDSS(%esp),%ds
11838 +1:     movl %ds:(%ebp),%ebp
11839 +       push %ss
11840 +       pop %ds
11841 +#else
11842         cmpl $__PAGE_OFFSET-3,%ebp
11843         jae syscall_fault
11844  1:     movl (%ebp),%ebp
11845 +#endif
11846 +
11847         movl %ebp,PT_EBP(%esp)
11848  .section __ex_table,"a"
11849         .align 4
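Review bot: The comment `Push current_thread_info()->sysenter_return to the stack.` now sits above `pushl_cfi $0`; the value is actually stored into PT_EIP three lines after SAVE_ALL, so the comment should read `Reserve the eip slot; sysenter_return is written to PT_EIP after SAVE_ALL, once %ebp is free to hold thread_info`. The CONFIG_PAX_MEMORY_UDEREF branch also drops the `cmpl $__PAGE_OFFSET-3,%ebp / jae syscall_fault` range check before the sixth-argument load; presumably the user %ds loaded from PT_OLDSS is meant to fault on kernel addresses instead, and that assumption should be stated on the `mov PT_OLDSS(%esp),%ds` line, since the __ex_table entry for label 1 becomes the only protection on that path. Label `1:` is defined in both branches of the #ifdef, which is fine but worth a word so nobody "fixes" the apparent duplicate.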
11850 @@ -434,12 +595,24 @@ sysenter_do_call:
11851         testl $_TIF_ALLWORK_MASK, %ecx
11852         jne sysexit_audit
11853  sysenter_exit:
11854 +
11855 +#ifdef CONFIG_PAX_RANDKSTACK
11856 +       pushl_cfi %eax
11857 +       movl %esp, %eax
11858 +       call pax_randomize_kstack
11859 +       popl_cfi %eax
11860 +#endif
11861 +
11862 +       pax_erase_kstack
11863 +
11864  /* if something modifies registers it must also disable sysexit */
11865         movl PT_EIP(%esp), %edx
11866         movl PT_OLDESP(%esp), %ecx
11867         xorl %ebp,%ebp
11868         TRACE_IRQS_ON
11869  1:     mov  PT_FS(%esp), %fs
11870 +2:     mov  PT_DS(%esp), %ds
11871 +3:     mov  PT_ES(%esp), %es
11872         PTGS_TO_GS
11873         ENABLE_INTERRUPTS_SYSEXIT
11874  
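Review bot: The pt_regs pointer handed to pax_randomize_kstack at sysenter_exit is taken after `pushl_cfi %eax`, so %eax points 4 bytes below the frame, whereas restore_all_pax (hunk `@@ -519,6 +701,15 @@`) passes the frame itself. If the callee reads any field of its argument the two call sites disagree; `lea 4(%esp), %eax` in place of `movl %esp, %eax` keeps the push and passes the real frame. The push/pop around the call is needed here because the sysexit path below reloads %edx and %ecx from the frame but never %eax, which deserves a comment such as `# %eax carries the syscall return value; it is not reloaded from PT_EAX before sysexit`.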
11875 @@ -456,6 +629,9 @@ sysenter_audit:
11876         movl %eax,%edx                  /* 2nd arg: syscall number */
11877         movl $AUDIT_ARCH_I386,%eax      /* 1st arg: audit arch */
11878         call audit_syscall_entry
11879 +
11880 +       pax_erase_kstack
11881 +
11882         pushl_cfi %ebx
11883         movl PT_EAX(%esp),%eax          /* reload syscall number */
11884         jmp sysenter_do_call
11885 @@ -482,11 +658,17 @@ sysexit_audit:
11886  
11887         CFI_ENDPROC
11888  .pushsection .fixup,"ax"
11889 -2:     movl $0,PT_FS(%esp)
11890 +4:     movl $0,PT_FS(%esp)
11891 +       jmp 1b
11892 +5:     movl $0,PT_DS(%esp)
11893 +       jmp 1b
11894 +6:     movl $0,PT_ES(%esp)
11895         jmp 1b
11896  .section __ex_table,"a"
11897         .align 4
11898 -       .long 1b,2b
11899 +       .long 1b,4b
11900 +       .long 2b,5b
11901 +       .long 3b,6b
11902  .popsection
11903         PTGS_TO_GS_EX
11904  ENDPROC(ia32_sysenter_target)
11905 @@ -519,6 +701,15 @@ syscall_exit:
11906         testl $_TIF_ALLWORK_MASK, %ecx  # current->work
11907         jne syscall_exit_work
11908  
11909 +restore_all_pax:
11910 +
11911 +#ifdef CONFIG_PAX_RANDKSTACK
11912 +       movl %esp, %eax
11913 +       call pax_randomize_kstack
11914 +#endif
11915 +
11916 +       pax_erase_kstack
11917 +
11918  restore_all:
11919         TRACE_IRQS_IRET
11920  restore_all_notrace:
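Review bot: restore_all_pax has an undocumented register contract: pax_erase_kstack expects %ebp to hold thread_info (its header comment says so) and the RANDKSTACK call clobbers %eax without saving it, which is only safe because the return path presumably reloads the registers from the frame. A comment at the label, `restore_all_pax:  # %ebp == thread_info (pax_erase_kstack needs it); %eax clobbered, reloaded by RESTORE_REGS`, would make the precondition explicit for the three entries into this label (syscall_exit fallthrough, resume_userspace, work_resched).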
11921 @@ -578,14 +769,34 @@ ldt_ss:
11922   * compensating for the offset by changing to the ESPFIX segment with
11923   * a base address that matches for the difference.
11924   */
11925 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11926 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11927         mov %esp, %edx                  /* load kernel esp */
11928         mov PT_OLDESP(%esp), %eax       /* load userspace esp */
11929         mov %dx, %ax                    /* eax: new kernel esp */
11930         sub %eax, %edx                  /* offset (low word is 0) */
11931 +#ifdef CONFIG_SMP
11932 +       movl PER_CPU_VAR(cpu_number), %ebx
11933 +       shll $PAGE_SHIFT_asm, %ebx
11934 +       addl $cpu_gdt_table, %ebx
11935 +#else
11936 +       movl $cpu_gdt_table, %ebx
11937 +#endif
11938         shr $16, %edx
11939 -       mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11940 -       mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11941 +
11942 +#ifdef CONFIG_PAX_KERNEXEC
11943 +       mov %cr0, %esi
11944 +       btr $16, %esi
11945 +       mov %esi, %cr0
11946 +#endif
11947 +
11948 +       mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11949 +       mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11950 +
11951 +#ifdef CONFIG_PAX_KERNEXEC
11952 +       bts $16, %esi
11953 +       mov %esi, %cr0
11954 +#endif
11955 +
11956         pushl_cfi $__ESPFIX_SS
11957         pushl_cfi %eax                  /* new kernel esp */
11958         /* Disable interrupts, but do not irqtrace this section: we
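Review bot: The seven-line block that computes the per-cpu GDT address into %ebx is duplicated verbatim in FIXUP_ESPFIX_STACK (hunk `@@ -762,8 +1004,15 @@`), and the redefined `GDT_ESPFIX_SS` macro now silently depends on %ebx having been loaded by that block. A small macro would remove the duplication and give the dependency a name; the `shll $PAGE_SHIFT_asm` step also encodes a one-GDT-page-per-cpu layout of cpu_gdt_table that is defined elsewhere in the patch and should be mentioned in a comment on the #define. The CONFIG_PAX_KERNEXEC cr0 toggling around the two GDT byte writes is uncommented; `/* the GDT is read-only under KERNEXEC: open a write window for the two byte stores */` would help.

```asm
/* load the address of this cpu's GDT page into \reg */
.macro GET_CPU_GDT_TABLE reg
#ifdef CONFIG_SMP
	movl PER_CPU_VAR(cpu_number), \reg
	shll $PAGE_SHIFT_asm, \reg
	addl $cpu_gdt_table, \reg
#else
	movl $cpu_gdt_table, \reg
#endif
.endm
/* … unchanged: ldt_ss up to "sub %eax, %edx" … */
	GET_CPU_GDT_TABLE %ebx
	shr $16, %edx
/* … unchanged: KERNEXEC cr0 window and GDT byte stores … */
```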
11959 @@ -614,34 +825,28 @@ work_resched:
11960         movl TI_flags(%ebp), %ecx
11961         andl $_TIF_WORK_MASK, %ecx      # is there any work to be done other
11962                                         # than syscall tracing?
11963 -       jz restore_all
11964 +       jz restore_all_pax
11965         testb $_TIF_NEED_RESCHED, %cl
11966         jnz work_resched
11967  
11968  work_notifysig:                                # deal with pending signals and
11969                                         # notify-resume requests
11970 +       movl %esp, %eax
11971  #ifdef CONFIG_VM86
11972         testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11973 -       movl %esp, %eax
11974 -       jne work_notifysig_v86          # returning to kernel-space or
11975 +       jz 1f                           # returning to kernel-space or
11976                                         # vm86-space
11977 -       xorl %edx, %edx
11978 -       call do_notify_resume
11979 -       jmp resume_userspace_sig
11980  
11981 -       ALIGN
11982 -work_notifysig_v86:
11983         pushl_cfi %ecx                  # save ti_flags for do_notify_resume
11984         call save_v86_state             # %eax contains pt_regs pointer
11985         popl_cfi %ecx
11986         movl %eax, %esp
11987 -#else
11988 -       movl %esp, %eax
11989 +1:
11990  #endif
11991         xorl %edx, %edx
11992         call do_notify_resume
11993         jmp resume_userspace_sig
11994 -END(work_pending)
11995 +ENDPROC(work_pending)
11996  
11997         # perform syscall exit tracing
11998         ALIGN
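Review bot: The comment `# returning to kernel-space or vm86-space` was written for the old `jne work_notifysig_v86`, which branched when the VM flag was set; it now annotates `jz 1f`, whose branch is taken when the VM flag is clear, so the comment states the opposite of what the jump does. `jz 1f  # VM flag clear: no v86 state to save` would restore the meaning, and the merged fall-through into the shared `do_notify_resume` call is then easy to follow.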
11999 @@ -649,11 +854,14 @@ syscall_trace_entry:
12000         movl $-ENOSYS,PT_EAX(%esp)
12001         movl %esp, %eax
12002         call syscall_trace_enter
12003 +
12004 +       pax_erase_kstack
12005 +
12006         /* What it returned is what we'll actually use.  */
12007         cmpl $(nr_syscalls), %eax
12008         jnae syscall_call
12009         jmp syscall_exit
12010 -END(syscall_trace_entry)
12011 +ENDPROC(syscall_trace_entry)
12012  
12013         # perform syscall exit tracing
12014         ALIGN
12015 @@ -666,20 +874,24 @@ syscall_exit_work:
12016         movl %esp, %eax
12017         call syscall_trace_leave
12018         jmp resume_userspace
12019 -END(syscall_exit_work)
12020 +ENDPROC(syscall_exit_work)
12021         CFI_ENDPROC
12022  
12023         RING0_INT_FRAME                 # can't unwind into user space anyway
12024  syscall_fault:
12025 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12026 +       push %ss
12027 +       pop %ds
12028 +#endif
12029         GET_THREAD_INFO(%ebp)
12030         movl $-EFAULT,PT_EAX(%esp)
12031         jmp resume_userspace
12032 -END(syscall_fault)
12033 +ENDPROC(syscall_fault)
12034  
12035  syscall_badsys:
12036         movl $-ENOSYS,PT_EAX(%esp)
12037         jmp resume_userspace
12038 -END(syscall_badsys)
12039 +ENDPROC(syscall_badsys)
12040         CFI_ENDPROC
12041  /*
12042   * End of kprobes section
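Review bot: The CONFIG_PAX_MEMORY_UDEREF `push %ss / pop %ds` at syscall_fault is uncommented, and nothing at this label says why %ds could be wrong. It appears to undo the `mov PT_OLDSS(%esp),%ds` that the UDEREF sixth-argument load at sysenter_past_esp performs just before the access that can land here through the __ex_table entry; a comment such as `# UDEREF: the sysenter sixth-arg load faulted with the user %ds still loaded; restore the kernel selector` would tie the two sites together. If other paths reach syscall_fault with the kernel %ds already loaded, the reload is harmless and the comment can say so.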
12043 @@ -753,6 +965,36 @@ ptregs_clone:
12044         CFI_ENDPROC
12045  ENDPROC(ptregs_clone)
12046  
12047 +       ALIGN;
12048 +ENTRY(kernel_execve)
12049 +       CFI_STARTPROC
12050 +       pushl_cfi %ebp
12051 +       sub $PT_OLDSS+4,%esp
12052 +       pushl_cfi %edi
12053 +       pushl_cfi %ecx
12054 +       pushl_cfi %eax
12055 +       lea 3*4(%esp),%edi
12056 +       mov $PT_OLDSS/4+1,%ecx
12057 +       xorl %eax,%eax
12058 +       rep stosl
12059 +       popl_cfi %eax
12060 +       popl_cfi %ecx
12061 +       popl_cfi %edi
12062 +       movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
12063 +       pushl_cfi %esp
12064 +       call sys_execve
12065 +       add $4,%esp
12066 +       CFI_ADJUST_CFA_OFFSET -4
12067 +       GET_THREAD_INFO(%ebp)
12068 +       test %eax,%eax
12069 +       jz syscall_exit
12070 +       add $PT_OLDSS+4,%esp
12071 +       CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
12072 +       popl_cfi %ebp
12073 +       ret
12074 +       CFI_ENDPROC
12075 +ENDPROC(kernel_execve)
12076 +
12077  .macro FIXUP_ESPFIX_STACK
12078  /*
12079   * Switch back for ESPFIX stack to the normal zerobased stack
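Review bot: The CFI annotations in the new kernel_execve are asymmetric: `sub $PT_OLDSS+4,%esp` is not followed by `CFI_ADJUST_CFA_OFFSET PT_OLDSS+4`, while the matching `add $PT_OLDSS+4,%esp` does carry `CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4`, so the CFA is wrong across the sys_execve call and off by that amount after the adjust. The register contract is also undocumented: %eax, %ecx and %edi are pushed around the `rep stosl` but %edx is not, presumably because the three arguments arrive in %eax/%ecx/%edx under the i386 regparm convention and only %edx survives the fill untouched; a header comment stating `/* kernel_execve(filename, argv, envp): args stay in %eax/%ecx/%edx for sys_execve; a zeroed pt_regs frame is built on the stack and passed as its stack argument */` would make that explicit. A one-line note on `jz syscall_exit` that the frame is by then filled in by sys_execve for the return to user mode would complete the picture.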
12080 @@ -762,8 +1004,15 @@ ENDPROC(ptregs_clone)
12081   * normal stack and adjusts ESP with the matching offset.
12082   */
12083         /* fixup the stack */
12084 -       mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
12085 -       mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
12086 +#ifdef CONFIG_SMP
12087 +       movl PER_CPU_VAR(cpu_number), %ebx
12088 +       shll $PAGE_SHIFT_asm, %ebx
12089 +       addl $cpu_gdt_table, %ebx
12090 +#else
12091 +       movl $cpu_gdt_table, %ebx
12092 +#endif
12093 +       mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
12094 +       mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
12095         shl $16, %eax
12096         addl %esp, %eax                 /* the adjusted stack pointer */
12097         pushl_cfi $__KERNEL_DS
12098 @@ -816,7 +1065,7 @@ vector=vector+1
12099    .endr
12100  2:     jmp common_interrupt
12101  .endr
12102 -END(irq_entries_start)
12103 +ENDPROC(irq_entries_start)
12104  
12105  .previous
12106  END(interrupt)
12107 @@ -864,7 +1113,7 @@ ENTRY(coprocessor_error)
12108         pushl_cfi $do_coprocessor_error
12109         jmp error_code
12110         CFI_ENDPROC
12111 -END(coprocessor_error)
12112 +ENDPROC(coprocessor_error)
12113  
12114  ENTRY(simd_coprocessor_error)
12115         RING0_INT_FRAME
12116 @@ -885,7 +1134,7 @@ ENTRY(simd_coprocessor_error)
12117  #endif
12118         jmp error_code
12119         CFI_ENDPROC
12120 -END(simd_coprocessor_error)
12121 +ENDPROC(simd_coprocessor_error)
12122  
12123  ENTRY(device_not_available)
12124         RING0_INT_FRAME
12125 @@ -893,7 +1142,7 @@ ENTRY(device_not_available)
12126         pushl_cfi $do_device_not_available
12127         jmp error_code
12128         CFI_ENDPROC
12129 -END(device_not_available)
12130 +ENDPROC(device_not_available)
12131  
12132  #ifdef CONFIG_PARAVIRT
12133  ENTRY(native_iret)
12134 @@ -902,12 +1151,12 @@ ENTRY(native_iret)
12135         .align 4
12136         .long native_iret, iret_exc
12137  .previous
12138 -END(native_iret)
12139 +ENDPROC(native_iret)
12140  
12141  ENTRY(native_irq_enable_sysexit)
12142         sti
12143         sysexit
12144 -END(native_irq_enable_sysexit)
12145 +ENDPROC(native_irq_enable_sysexit)
12146  #endif
12147  
12148  ENTRY(overflow)
12149 @@ -916,7 +1165,7 @@ ENTRY(overflow)
12150         pushl_cfi $do_overflow
12151         jmp error_code
12152         CFI_ENDPROC
12153 -END(overflow)
12154 +ENDPROC(overflow)
12155  
12156  ENTRY(bounds)
12157         RING0_INT_FRAME
12158 @@ -924,7 +1173,7 @@ ENTRY(bounds)
12159         pushl_cfi $do_bounds
12160         jmp error_code
12161         CFI_ENDPROC
12162 -END(bounds)
12163 +ENDPROC(bounds)
12164  
12165  ENTRY(invalid_op)
12166         RING0_INT_FRAME
12167 @@ -932,7 +1181,7 @@ ENTRY(invalid_op)
12168         pushl_cfi $do_invalid_op
12169         jmp error_code
12170         CFI_ENDPROC
12171 -END(invalid_op)
12172 +ENDPROC(invalid_op)
12173  
12174  ENTRY(coprocessor_segment_overrun)
12175         RING0_INT_FRAME
12176 @@ -940,35 +1189,35 @@ ENTRY(coprocessor_segment_overrun)
12177         pushl_cfi $do_coprocessor_segment_overrun
12178         jmp error_code
12179         CFI_ENDPROC
12180 -END(coprocessor_segment_overrun)
12181 +ENDPROC(coprocessor_segment_overrun)
12182  
12183  ENTRY(invalid_TSS)
12184         RING0_EC_FRAME
12185         pushl_cfi $do_invalid_TSS
12186         jmp error_code
12187         CFI_ENDPROC
12188 -END(invalid_TSS)
12189 +ENDPROC(invalid_TSS)
12190  
12191  ENTRY(segment_not_present)
12192         RING0_EC_FRAME
12193         pushl_cfi $do_segment_not_present
12194         jmp error_code
12195         CFI_ENDPROC
12196 -END(segment_not_present)
12197 +ENDPROC(segment_not_present)
12198  
12199  ENTRY(stack_segment)
12200         RING0_EC_FRAME
12201         pushl_cfi $do_stack_segment
12202         jmp error_code
12203         CFI_ENDPROC
12204 -END(stack_segment)
12205 +ENDPROC(stack_segment)
12206  
12207  ENTRY(alignment_check)
12208         RING0_EC_FRAME
12209         pushl_cfi $do_alignment_check
12210         jmp error_code
12211         CFI_ENDPROC
12212 -END(alignment_check)
12213 +ENDPROC(alignment_check)
12214  
12215  ENTRY(divide_error)
12216         RING0_INT_FRAME
12217 @@ -976,7 +1225,7 @@ ENTRY(divide_error)
12218         pushl_cfi $do_divide_error
12219         jmp error_code
12220         CFI_ENDPROC
12221 -END(divide_error)
12222 +ENDPROC(divide_error)
12223  
12224  #ifdef CONFIG_X86_MCE
12225  ENTRY(machine_check)
12226 @@ -985,7 +1234,7 @@ ENTRY(machine_check)
12227         pushl_cfi machine_check_vector
12228         jmp error_code
12229         CFI_ENDPROC
12230 -END(machine_check)
12231 +ENDPROC(machine_check)
12232  #endif
12233  
12234  ENTRY(spurious_interrupt_bug)
12235 @@ -994,7 +1243,7 @@ ENTRY(spurious_interrupt_bug)
12236         pushl_cfi $do_spurious_interrupt_bug
12237         jmp error_code
12238         CFI_ENDPROC
12239 -END(spurious_interrupt_bug)
12240 +ENDPROC(spurious_interrupt_bug)
12241  /*
12242   * End of kprobes section
12243   */
12244 @@ -1109,7 +1358,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector
12245  
12246  ENTRY(mcount)
12247         ret
12248 -END(mcount)
12249 +ENDPROC(mcount)
12250  
12251  ENTRY(ftrace_caller)
12252         cmpl $0, function_trace_stop
12253 @@ -1138,7 +1387,7 @@ ftrace_graph_call:
12254  .globl ftrace_stub
12255  ftrace_stub:
12256         ret
12257 -END(ftrace_caller)
12258 +ENDPROC(ftrace_caller)
12259  
12260  #else /* ! CONFIG_DYNAMIC_FTRACE */
12261  
12262 @@ -1174,7 +1423,7 @@ trace:
12263         popl %ecx
12264         popl %eax
12265         jmp ftrace_stub
12266 -END(mcount)
12267 +ENDPROC(mcount)
12268  #endif /* CONFIG_DYNAMIC_FTRACE */
12269  #endif /* CONFIG_FUNCTION_TRACER */
12270  
12271 @@ -1195,7 +1444,7 @@ ENTRY(ftrace_graph_caller)
12272         popl %ecx
12273         popl %eax
12274         ret
12275 -END(ftrace_graph_caller)
12276 +ENDPROC(ftrace_graph_caller)
12277  
12278  .globl return_to_handler
12279  return_to_handler:
12280 @@ -1209,7 +1458,6 @@ return_to_handler:
12281         jmp *%ecx
12282  #endif
12283  
12284 -.section .rodata,"a"
12285  #include "syscall_table_32.S"
12286  
12287  syscall_table_size=(.-sys_call_table)
12288 @@ -1255,15 +1503,18 @@ error_code:
12289         movl $-1, PT_ORIG_EAX(%esp)     # no syscall to restart
12290         REG_TO_PTGS %ecx
12291         SET_KERNEL_GS %ecx
12292 -       movl $(__USER_DS), %ecx
12293 +       movl $(__KERNEL_DS), %ecx
12294         movl %ecx, %ds
12295         movl %ecx, %es
12296 +
12297 +       pax_enter_kernel
12298 +
12299         TRACE_IRQS_OFF
12300         movl %esp,%eax                  # pt_regs pointer
12301         call *%edi
12302         jmp ret_from_exception
12303         CFI_ENDPROC
12304 -END(page_fault)
12305 +ENDPROC(page_fault)
12306  
12307  /*
12308   * Debug traps and NMI can happen at the one SYSENTER instruction
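Review bot: error_code now loads `__KERNEL_DS` unconditionally, while the new SAVE_ALL macro (hunk `@@ -223,6 +356,15 @@`) keeps `__USER_DS` unless one of CONFIG_PAX_KERNEXEC, PAGEEXEC, SEGMEXEC or MEMORY_UDEREF is set. Either the same `#if` belongs here, or a comment should say why the exception path can always use the kernel selector; as written the two entry paths disagree for a non-PaX configuration. The `pax_enter_kernel` call is presumably a no-op without KERNEXEC, as the 64-bit macro in this patch is, but the 32-bit macro definition is above this view and the 32-bit helper uses %esi as scratch, so a note that the frame has already been saved at this point would help the next reader.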
12309 @@ -1305,7 +1556,7 @@ debug_stack_correct:
12310         call do_debug
12311         jmp ret_from_exception
12312         CFI_ENDPROC
12313 -END(debug)
12314 +ENDPROC(debug)
12315  
12316  /*
12317   * NMI is doubly nasty. It can happen _while_ we're handling
12318 @@ -1342,6 +1593,9 @@ nmi_stack_correct:
12319         xorl %edx,%edx          # zero error code
12320         movl %esp,%eax          # pt_regs pointer
12321         call do_nmi
12322 +
12323 +       pax_exit_kernel
12324 +
12325         jmp restore_all_notrace
12326         CFI_ENDPROC
12327  
12328 @@ -1378,12 +1632,15 @@ nmi_espfix_stack:
12329         FIXUP_ESPFIX_STACK              # %eax == %esp
12330         xorl %edx,%edx                  # zero error code
12331         call do_nmi
12332 +
12333 +       pax_exit_kernel
12334 +
12335         RESTORE_REGS
12336         lss 12+4(%esp), %esp            # back to espfix stack
12337         CFI_ADJUST_CFA_OFFSET -24
12338         jmp irq_return
12339         CFI_ENDPROC
12340 -END(nmi)
12341 +ENDPROC(nmi)
12342  
12343  ENTRY(int3)
12344         RING0_INT_FRAME
12345 @@ -1395,14 +1652,14 @@ ENTRY(int3)
12346         call do_int3
12347         jmp ret_from_exception
12348         CFI_ENDPROC
12349 -END(int3)
12350 +ENDPROC(int3)
12351  
12352  ENTRY(general_protection)
12353         RING0_EC_FRAME
12354         pushl_cfi $do_general_protection
12355         jmp error_code
12356         CFI_ENDPROC
12357 -END(general_protection)
12358 +ENDPROC(general_protection)
12359  
12360  #ifdef CONFIG_KVM_GUEST
12361  ENTRY(async_page_fault)
12362 @@ -1410,7 +1667,7 @@ ENTRY(async_page_fault)
12363         pushl_cfi $do_async_page_fault
12364         jmp error_code
12365         CFI_ENDPROC
12366 -END(async_page_fault)
12367 +ENDPROC(async_page_fault)
12368  #endif
12369  
12370  /*
12371 diff -urNp linux-3.1.1/arch/x86/kernel/entry_64.S linux-3.1.1/arch/x86/kernel/entry_64.S
12372 --- linux-3.1.1/arch/x86/kernel/entry_64.S      2011-11-11 15:19:27.000000000 -0500
12373 +++ linux-3.1.1/arch/x86/kernel/entry_64.S      2011-11-16 18:40:08.000000000 -0500
12374 @@ -55,6 +55,8 @@
12375  #include <asm/paravirt.h>
12376  #include <asm/ftrace.h>
12377  #include <asm/percpu.h>
12378 +#include <asm/pgtable.h>
12379 +#include <asm/alternative-asm.h>
12380  
12381  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
12382  #include <linux/elf-em.h>
12383 @@ -68,8 +70,9 @@
12384  #ifdef CONFIG_FUNCTION_TRACER
12385  #ifdef CONFIG_DYNAMIC_FTRACE
12386  ENTRY(mcount)
12387 +       pax_force_retaddr
12388         retq
12389 -END(mcount)
12390 +ENDPROC(mcount)
12391  
12392  ENTRY(ftrace_caller)
12393         cmpl $0, function_trace_stop
12394 @@ -92,8 +95,9 @@ GLOBAL(ftrace_graph_call)
12395  #endif
12396  
12397  GLOBAL(ftrace_stub)
12398 +       pax_force_retaddr
12399         retq
12400 -END(ftrace_caller)
12401 +ENDPROC(ftrace_caller)
12402  
12403  #else /* ! CONFIG_DYNAMIC_FTRACE */
12404  ENTRY(mcount)
12405 @@ -112,6 +116,7 @@ ENTRY(mcount)
12406  #endif
12407  
12408  GLOBAL(ftrace_stub)
12409 +       pax_force_retaddr
12410         retq
12411  
12412  trace:
12413 @@ -121,12 +126,13 @@ trace:
12414         movq 8(%rbp), %rsi
12415         subq $MCOUNT_INSN_SIZE, %rdi
12416  
12417 +       pax_force_fptr ftrace_trace_function
12418         call   *ftrace_trace_function
12419  
12420         MCOUNT_RESTORE_FRAME
12421  
12422         jmp ftrace_stub
12423 -END(mcount)
12424 +ENDPROC(mcount)
12425  #endif /* CONFIG_DYNAMIC_FTRACE */
12426  #endif /* CONFIG_FUNCTION_TRACER */
12427  
12428 @@ -146,8 +152,9 @@ ENTRY(ftrace_graph_caller)
12429  
12430         MCOUNT_RESTORE_FRAME
12431  
12432 +       pax_force_retaddr
12433         retq
12434 -END(ftrace_graph_caller)
12435 +ENDPROC(ftrace_graph_caller)
12436  
12437  GLOBAL(return_to_handler)
12438         subq  $24, %rsp
12439 @@ -163,6 +170,7 @@ GLOBAL(return_to_handler)
12440         movq 8(%rsp), %rdx
12441         movq (%rsp), %rax
12442         addq $24, %rsp
12443 +       pax_force_fptr %rdi
12444         jmp *%rdi
12445  #endif
12446  
12447 @@ -178,6 +186,269 @@ ENTRY(native_usergs_sysret64)
12448  ENDPROC(native_usergs_sysret64)
12449  #endif /* CONFIG_PARAVIRT */
12450  
12451 +       .macro ljmpq sel, off
12452 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
12453 +       .byte 0x48; ljmp *1234f(%rip)
12454 +       .pushsection .rodata
12455 +       .align 16
12456 +       1234: .quad \off; .word \sel
12457 +       .popsection
12458 +#else
12459 +       pushq $\sel
12460 +       pushq $\off
12461 +       lretq
12462 +#endif
12463 +       .endm
12464 +
12465 +       .macro pax_enter_kernel
12466 +#ifdef CONFIG_PAX_KERNEXEC
12467 +       call pax_enter_kernel
12468 +#endif
12469 +       .endm
12470 +
12471 +       .macro pax_exit_kernel
12472 +#ifdef CONFIG_PAX_KERNEXEC
12473 +       call pax_exit_kernel
12474 +#endif
12475 +       .endm
12476 +
12477 +#ifdef CONFIG_PAX_KERNEXEC
12478 +ENTRY(pax_enter_kernel)
12479 +       pushq %rdi
12480 +
12481 +#ifdef CONFIG_PARAVIRT
12482 +       PV_SAVE_REGS(CLBR_RDI)
12483 +#endif
12484 +
12485 +       GET_CR0_INTO_RDI
12486 +       bts $16,%rdi
12487 +       jnc 1f
12488 +       mov %cs,%edi
12489 +       cmp $__KERNEL_CS,%edi
12490 +       jz 3f
12491 +       ljmpq __KERNEL_CS,3f
12492 +1:     ljmpq __KERNEXEC_KERNEL_CS,2f
12493 +2:     SET_RDI_INTO_CR0
12494 +3:
12495 +
12496 +#ifdef CONFIG_PARAVIRT
12497 +       PV_RESTORE_REGS(CLBR_RDI)
12498 +#endif
12499 +
12500 +       popq %rdi
12501 +       pax_force_retaddr
12502 +       retq
12503 +ENDPROC(pax_enter_kernel)
12504 +
12505 +ENTRY(pax_exit_kernel)
12506 +       pushq %rdi
12507 +
12508 +#ifdef CONFIG_PARAVIRT
12509 +       PV_SAVE_REGS(CLBR_RDI)
12510 +#endif
12511 +
12512 +       mov %cs,%rdi
12513 +       cmp $__KERNEXEC_KERNEL_CS,%edi
12514 +       jnz 2f
12515 +       GET_CR0_INTO_RDI
12516 +       btr $16,%rdi
12517 +       ljmpq __KERNEL_CS,1f
12518 +1:     SET_RDI_INTO_CR0
12519 +2:
12520 +
12521 +#ifdef CONFIG_PARAVIRT
12522 +       PV_RESTORE_REGS(CLBR_RDI);
12523 +#endif
12524 +
12525 +       popq %rdi
12526 +       pax_force_retaddr
12527 +       retq
12528 +ENDPROC(pax_exit_kernel)
12529 +#endif
12530 +
12531 +       .macro pax_enter_kernel_user
12532 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12533 +       call pax_enter_kernel_user
12534 +#endif
12535 +       .endm
12536 +
12537 +       .macro pax_exit_kernel_user
12538 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12539 +       call pax_exit_kernel_user
12540 +#endif
12541 +#ifdef CONFIG_PAX_RANDKSTACK
12542 +       push %rax
12543 +       call pax_randomize_kstack
12544 +       pop %rax
12545 +#endif
12546 +       .endm
12547 +
12548 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12549 +ENTRY(pax_enter_kernel_user)
12550 +       pushq %rdi
12551 +       pushq %rbx
12552 +
12553 +#ifdef CONFIG_PARAVIRT
12554 +       PV_SAVE_REGS(CLBR_RDI)
12555 +#endif
12556 +
12557 +       GET_CR3_INTO_RDI
12558 +       mov %rdi,%rbx
12559 +       add $__START_KERNEL_map,%rbx
12560 +       sub phys_base(%rip),%rbx
12561 +
12562 +#ifdef CONFIG_PARAVIRT
12563 +       pushq %rdi
12564 +       cmpl $0, pv_info+PARAVIRT_enabled
12565 +       jz 1f
12566 +       i = 0
12567 +       .rept USER_PGD_PTRS
12568 +       mov i*8(%rbx),%rsi
12569 +       mov $0,%sil
12570 +       lea i*8(%rbx),%rdi
12571 +       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
12572 +       i = i + 1
12573 +       .endr
12574 +       jmp 2f
12575 +1:
12576 +#endif
12577 +
12578 +       i = 0
12579 +       .rept USER_PGD_PTRS
12580 +       movb $0,i*8(%rbx)
12581 +       i = i + 1
12582 +       .endr
12583 +
12584 +#ifdef CONFIG_PARAVIRT
12585 +2:     popq %rdi
12586 +#endif
12587 +       SET_RDI_INTO_CR3
12588 +
12589 +#ifdef CONFIG_PAX_KERNEXEC
12590 +       GET_CR0_INTO_RDI
12591 +       bts $16,%rdi
12592 +       SET_RDI_INTO_CR0
12593 +#endif
12594 +
12595 +#ifdef CONFIG_PARAVIRT
12596 +       PV_RESTORE_REGS(CLBR_RDI)
12597 +#endif
12598 +
12599 +       popq %rbx
12600 +       popq %rdi
12601 +       pax_force_retaddr
12602 +       retq
12603 +ENDPROC(pax_enter_kernel_user)
12604 +
12605 +ENTRY(pax_exit_kernel_user)
12606 +       push %rdi
12607 +
12608 +#ifdef CONFIG_PARAVIRT
12609 +       pushq %rbx
12610 +       PV_SAVE_REGS(CLBR_RDI)
12611 +#endif
12612 +
12613 +#ifdef CONFIG_PAX_KERNEXEC
12614 +       GET_CR0_INTO_RDI
12615 +       btr $16,%rdi
12616 +       SET_RDI_INTO_CR0
12617 +#endif
12618 +
12619 +       GET_CR3_INTO_RDI
12620 +       add $__START_KERNEL_map,%rdi
12621 +       sub phys_base(%rip),%rdi
12622 +
12623 +#ifdef CONFIG_PARAVIRT
12624 +       cmpl $0, pv_info+PARAVIRT_enabled
12625 +       jz 1f
12626 +       mov %rdi,%rbx
12627 +       i = 0
12628 +       .rept USER_PGD_PTRS
12629 +       mov i*8(%rbx),%rsi
12630 +       mov $0x67,%sil
12631 +       lea i*8(%rbx),%rdi
12632 +       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
12633 +       i = i + 1
12634 +       .endr
12635 +       jmp 2f
12636 +1:
12637 +#endif
12638 +
12639 +       i = 0
12640 +       .rept USER_PGD_PTRS
12641 +       movb $0x67,i*8(%rdi)
12642 +       i = i + 1
12643 +       .endr
12644 +
12645 +#ifdef CONFIG_PARAVIRT
12646 +2:     PV_RESTORE_REGS(CLBR_RDI)
12647 +       popq %rbx
12648 +#endif
12649 +
12650 +       popq %rdi
12651 +       pax_force_retaddr
12652 +       retq
12653 +ENDPROC(pax_exit_kernel_user)
12654 +#endif
12655 +
12656 +       .macro pax_erase_kstack
12657 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12658 +       call pax_erase_kstack
12659 +#endif
12660 +       .endm
12661 +
12662 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12663 +/*
12664 + * r10: thread_info
12665 + * rcx, rdx: can be clobbered
12666 + */
12667 +ENTRY(pax_erase_kstack)
12668 +       pushq %rdi
12669 +       pushq %rax
12670 +       pushq %r10
12671 +
12672 +       GET_THREAD_INFO(%r10)
12673 +       mov TI_lowest_stack(%r10), %rdi
12674 +       mov $-0xBEEF, %rax
12675 +       std
12676 +
12677 +1:     mov %edi, %ecx
12678 +       and $THREAD_SIZE_asm - 1, %ecx
12679 +       shr $3, %ecx
12680 +       repne scasq
12681 +       jecxz 2f
12682 +
12683 +       cmp $2*8, %ecx
12684 +       jc 2f
12685 +
12686 +       mov $2*8, %ecx
12687 +       repe scasq
12688 +       jecxz 2f
12689 +       jne 1b
12690 +
12691 +2:     cld
12692 +       mov %esp, %ecx
12693 +       sub %edi, %ecx
12694 +
12695 +       cmp $THREAD_SIZE_asm, %rcx
12696 +       jb 3f
12697 +       ud2
12698 +3:
12699 +
12700 +       shr $3, %ecx
12701 +       rep stosq
12702 +
12703 +       mov TI_task_thread_sp0(%r10), %rdi
12704 +       sub $256, %rdi
12705 +       mov %rdi, TI_lowest_stack(%r10)
12706 +
12707 +       popq %r10
12708 +       popq %rax
12709 +       popq %rdi
12710 +       pax_force_retaddr
12711 +       ret
12712 +ENDPROC(pax_erase_kstack)
12713 +#endif
12714  
12715  .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
12716  #ifdef CONFIG_TRACE_IRQFLAGS
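Review bot: The 64-bit pax_erase_kstack guards the `rep stosq` length with `cmp $THREAD_SIZE_asm, %rcx / jb 3f / ud2`, but the 32-bit pax_erase_kstack earlier in this patch (its start is above this view) goes from `sub %edi, %ecx` straight to `shr $2, %ecx; rep stosl` with no such bound; the same three-instruction guard before its `shr $2, %ecx` would make the two implementations agree. The header comment `r10: thread_info` looks copied from the 32-bit `ebp: thread_info` version and is stale here, since the function pushes %r10 and does `GET_THREAD_INFO(%r10)` itself; `/* rcx, rdx: can be clobbered; r10 is saved and loaded internally */` describes what the code does. In pax_enter_kernel the selector is read with `mov %cs,%edi` while pax_exit_kernel uses `mov %cs,%rdi`, and both compare `%edi`, so one spelling should be picked. The `pax_exit_kernel_user` macro calls pax_randomize_kstack with whatever %rdi happens to hold, whereas the 32-bit callers pass the pt_regs pointer in %eax; if the 64-bit callee ignores its argument, a comment saying so would stop this from reading like a missing argument setup.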
12717 @@ -319,7 +590,7 @@ ENDPROC(native_usergs_sysret64)
12718         movq %rsp, %rsi
12719  
12720         leaq -RBP(%rsp),%rdi    /* arg1 for handler */
12721 -       testl $3, CS(%rdi)
12722 +       testb $3, CS(%rdi)
12723         je 1f
12724         SWAPGS
12725         /*
12726 @@ -350,9 +621,10 @@ ENTRY(save_rest)
12727         movq_cfi r15, R15+16
12728         movq %r11, 8(%rsp)      /* return address */
12729         FIXUP_TOP_OF_STACK %r11, 16
12730 +       pax_force_retaddr
12731         ret
12732         CFI_ENDPROC
12733 -END(save_rest)
12734 +ENDPROC(save_rest)
12735  
12736  /* save complete stack frame */
12737         .pushsection .kprobes.text, "ax"
12738 @@ -381,9 +653,10 @@ ENTRY(save_paranoid)
12739         js 1f   /* negative -> in kernel */
12740         SWAPGS
12741         xorl %ebx,%ebx
12742 -1:     ret
12743 +1:     pax_force_retaddr
12744 +       ret
12745         CFI_ENDPROC
12746 -END(save_paranoid)
12747 +ENDPROC(save_paranoid)
12748         .popsection
12749  
12750  /*
12751 @@ -405,7 +678,7 @@ ENTRY(ret_from_fork)
12752  
12753         RESTORE_REST
12754  
12755 -       testl $3, CS-ARGOFFSET(%rsp)            # from kernel_thread?
12756 +       testb $3, CS-ARGOFFSET(%rsp)            # from kernel_thread?
12757         je   int_ret_from_sys_call
12758  
12759         testl $_TIF_IA32, TI_flags(%rcx)        # 32-bit compat task needs IRET
12760 @@ -415,7 +688,7 @@ ENTRY(ret_from_fork)
12761         jmp ret_from_sys_call                   # go to the SYSRET fastpath
12762  
12763         CFI_ENDPROC
12764 -END(ret_from_fork)
12765 +ENDPROC(ret_from_fork)
12766  
12767  /*
12768   * System call entry. Up to 6 arguments in registers are supported.
12769 @@ -451,7 +724,7 @@ END(ret_from_fork)
12770  ENTRY(system_call)
12771         CFI_STARTPROC   simple
12772         CFI_SIGNAL_FRAME
12773 -       CFI_DEF_CFA     rsp,KERNEL_STACK_OFFSET
12774 +       CFI_DEF_CFA     rsp,0
12775         CFI_REGISTER    rip,rcx
12776         /*CFI_REGISTER  rflags,r11*/
12777         SWAPGS_UNSAFE_STACK
12778 @@ -464,12 +737,13 @@ ENTRY(system_call_after_swapgs)
12779  
12780         movq    %rsp,PER_CPU_VAR(old_rsp)
12781         movq    PER_CPU_VAR(kernel_stack),%rsp
12782 +       pax_enter_kernel_user
12783         /*
12784          * No need to follow this irqs off/on section - it's straight
12785          * and short:
12786          */
12787         ENABLE_INTERRUPTS(CLBR_NONE)
12788 -       SAVE_ARGS 8,0
12789 +       SAVE_ARGS 8*6,0
12790         movq  %rax,ORIG_RAX-ARGOFFSET(%rsp)
12791         movq  %rcx,RIP-ARGOFFSET(%rsp)
12792         CFI_REL_OFFSET rip,RIP-ARGOFFSET
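Review bot: `SAVE_ARGS 8*6,0` changes the amount of stack the fast path skips below `kernel_stack` from 8 to 48 bytes and gives no hint why; it is only coherent together with the `CFI_DEF_CFA rsp,0` change in the preceding hunk and with whatever now initializes `kernel_stack`, which is not in this view. A one-line comment at the SAVE_ARGS line would stop the next reader from treating the two as independent, e.g. `/* kernel_stack is now the top of the stack (see CFI_DEF_CFA above); skip the 6*8 bytes the partial frame needs here, keep both in sync */` — the re-basing of `kernel_stack` is inferred from the CFA change, so confirm it against the setup code before committing that wording. `pax_enter_kernel_user` is correctly placed while interrupts are still off.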
12793 @@ -498,6 +772,8 @@ sysret_check:
12794         andl %edi,%edx
12795         jnz  sysret_careful
12796         CFI_REMEMBER_STATE
12797 +       pax_exit_kernel_user
12798 +       pax_erase_kstack
12799         /*
12800          * sysretq will re-enable interrupts:
12801          */
12802 @@ -556,6 +832,9 @@ auditsys:
12803         movq %rax,%rsi                  /* 2nd arg: syscall number */
12804         movl $AUDIT_ARCH_X86_64,%edi    /* 1st arg: audit arch */
12805         call audit_syscall_entry
12806 +
12807 +       pax_erase_kstack
12808 +
12809         LOAD_ARGS 0             /* reload call-clobbered registers */
12810         jmp system_call_fastpath
12811  
12812 @@ -586,6 +865,9 @@ tracesys:
12813         FIXUP_TOP_OF_STACK %rdi
12814         movq %rsp,%rdi
12815         call syscall_trace_enter
12816 +
12817 +       pax_erase_kstack
12818 +
12819         /*
12820          * Reload arg registers from stack in case ptrace changed them.
12821          * We don't reload %rax because syscall_trace_enter() returned
12822 @@ -607,7 +889,7 @@ tracesys:
12823  GLOBAL(int_ret_from_sys_call)
12824         DISABLE_INTERRUPTS(CLBR_NONE)
12825         TRACE_IRQS_OFF
12826 -       testl $3,CS-ARGOFFSET(%rsp)
12827 +       testb $3,CS-ARGOFFSET(%rsp)
12828         je retint_restore_args
12829         movl $_TIF_ALLWORK_MASK,%edi
12830         /* edi: mask to check */
12831 @@ -664,7 +946,7 @@ int_restore_rest:
12832         TRACE_IRQS_OFF
12833         jmp int_with_check
12834         CFI_ENDPROC
12835 -END(system_call)
12836 +ENDPROC(system_call)
12837  
12838  /*
12839   * Certain special system calls that need to save a complete full stack frame.
12840 @@ -680,7 +962,7 @@ ENTRY(\label)
12841         call \func
12842         jmp ptregscall_common
12843         CFI_ENDPROC
12844 -END(\label)
12845 +ENDPROC(\label)
12846         .endm
12847  
12848         PTREGSCALL stub_clone, sys_clone, %r8
12849 @@ -698,9 +980,10 @@ ENTRY(ptregscall_common)
12850         movq_cfi_restore R12+8, r12
12851         movq_cfi_restore RBP+8, rbp
12852         movq_cfi_restore RBX+8, rbx
12853 +       pax_force_retaddr
12854         ret $REST_SKIP          /* pop extended registers */
12855         CFI_ENDPROC
12856 -END(ptregscall_common)
12857 +ENDPROC(ptregscall_common)
12858  
12859  ENTRY(stub_execve)
12860         CFI_STARTPROC
12861 @@ -715,7 +998,7 @@ ENTRY(stub_execve)
12862         RESTORE_REST
12863         jmp int_ret_from_sys_call
12864         CFI_ENDPROC
12865 -END(stub_execve)
12866 +ENDPROC(stub_execve)
12867  
12868  /*
12869   * sigreturn is special because it needs to restore all registers on return.
12870 @@ -733,7 +1016,7 @@ ENTRY(stub_rt_sigreturn)
12871         RESTORE_REST
12872         jmp int_ret_from_sys_call
12873         CFI_ENDPROC
12874 -END(stub_rt_sigreturn)
12875 +ENDPROC(stub_rt_sigreturn)
12876  
12877  /*
12878   * Build the entry stubs and pointer table with some assembler magic.
12879 @@ -768,7 +1051,7 @@ vector=vector+1
12880  2:     jmp common_interrupt
12881  .endr
12882         CFI_ENDPROC
12883 -END(irq_entries_start)
12884 +ENDPROC(irq_entries_start)
12885  
12886  .previous
12887  END(interrupt)
12888 @@ -789,6 +1072,16 @@ END(interrupt)
12889         CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
12890         SAVE_ARGS_IRQ
12891         PARTIAL_FRAME 0
12892 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12893 +       testb $3, CS(%rdi)
12894 +       jnz 1f
12895 +       pax_enter_kernel
12896 +       jmp 2f
12897 +1:     pax_enter_kernel_user
12898 +2:
12899 +#else
12900 +       pax_enter_kernel
12901 +#endif
12902         call \func
12903         .endm
12904  
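Review bot: The `CONFIG_PAX_MEMORY_UDEREF` block that picks `pax_enter_kernel` or `pax_enter_kernel_user` from the saved CS is repeated verbatim in this hunk and in the zeroentry, paranoidzeroentry, paranoidzeroentry_ist, errorentry, paranoiderrorentry and nmi hunks below, differing only in the CS operand (`CS(%rdi)` here, `CS(%rsp)` everywhere else). Seven hand-copied versions of a ten-line conditional are an invitation to drift; a single helper macro taking that operand would make each site one line and keep the `#else` arm identical. The `interrupt` macro whose body this is begins outside the hunk.
```asm
/* Sketch: one helper for the seven copies; \cs is the saved-CS slot of the frame. */
.macro pax_enter_kernel_from_cs cs
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb $3, \cs
	jnz 1f
	pax_enter_kernel
	jmp 2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
.endm
/* … unchanged: interrupt macro prologue … */
	pax_enter_kernel_from_cs CS(%rdi)
	call \func
```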
12905 @@ -820,7 +1113,7 @@ ret_from_intr:
12906  
12907  exit_intr:
12908         GET_THREAD_INFO(%rcx)
12909 -       testl $3,CS-ARGOFFSET(%rsp)
12910 +       testb $3,CS-ARGOFFSET(%rsp)
12911         je retint_kernel
12912  
12913         /* Interrupt came from user space */
12914 @@ -842,12 +1135,16 @@ retint_swapgs:           /* return to user-space 
12915          * The iretq could re-enable interrupts:
12916          */
12917         DISABLE_INTERRUPTS(CLBR_ANY)
12918 +       pax_exit_kernel_user
12919 +       pax_erase_kstack
12920         TRACE_IRQS_IRETQ
12921         SWAPGS
12922         jmp restore_args
12923  
12924  retint_restore_args:   /* return to kernel space */
12925         DISABLE_INTERRUPTS(CLBR_ANY)
12926 +       pax_exit_kernel
12927 +       pax_force_retaddr RIP-ARGOFFSET
12928         /*
12929          * The iretq could re-enable interrupts:
12930          */
12931 @@ -936,7 +1233,7 @@ ENTRY(retint_kernel)
12932  #endif
12933  
12934         CFI_ENDPROC
12935 -END(common_interrupt)
12936 +ENDPROC(common_interrupt)
12937  /*
12938   * End of kprobes section
12939   */
12940 @@ -952,7 +1249,7 @@ ENTRY(\sym)
12941         interrupt \do_sym
12942         jmp ret_from_intr
12943         CFI_ENDPROC
12944 -END(\sym)
12945 +ENDPROC(\sym)
12946  .endm
12947  
12948  #ifdef CONFIG_SMP
12949 @@ -1017,12 +1314,22 @@ ENTRY(\sym)
12950         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12951         call error_entry
12952         DEFAULT_FRAME 0
12953 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12954 +       testb $3, CS(%rsp)
12955 +       jnz 1f
12956 +       pax_enter_kernel
12957 +       jmp 2f
12958 +1:     pax_enter_kernel_user
12959 +2:
12960 +#else
12961 +       pax_enter_kernel
12962 +#endif
12963         movq %rsp,%rdi          /* pt_regs pointer */
12964         xorl %esi,%esi          /* no error code */
12965         call \do_sym
12966         jmp error_exit          /* %ebx: no swapgs flag */
12967         CFI_ENDPROC
12968 -END(\sym)
12969 +ENDPROC(\sym)
12970  .endm
12971  
12972  .macro paranoidzeroentry sym do_sym
12973 @@ -1034,15 +1341,25 @@ ENTRY(\sym)
12974         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12975         call save_paranoid
12976         TRACE_IRQS_OFF
12977 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12978 +       testb $3, CS(%rsp)
12979 +       jnz 1f
12980 +       pax_enter_kernel
12981 +       jmp 2f
12982 +1:     pax_enter_kernel_user
12983 +2:
12984 +#else
12985 +       pax_enter_kernel
12986 +#endif
12987         movq %rsp,%rdi          /* pt_regs pointer */
12988         xorl %esi,%esi          /* no error code */
12989         call \do_sym
12990         jmp paranoid_exit       /* %ebx: no swapgs flag */
12991         CFI_ENDPROC
12992 -END(\sym)
12993 +ENDPROC(\sym)
12994  .endm
12995  
12996 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
12997 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
12998  .macro paranoidzeroentry_ist sym do_sym ist
12999  ENTRY(\sym)
13000         INTR_FRAME
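Review bot: The new `INIT_TSS_IST(x)` expands to `(TSS_ist + ((x) - 1) * 8)(%r12)` and so silently requires `%r12` to hold this CPU's `init_tss`, but nothing at the `#define` says so; the only code that loads `%r12` is the `lea init_tss...` sequence in the paranoidzeroentry_ist hunk that follows. Add `/* base register %r12 must already point at this CPU's init_tss (loaded in paranoidzeroentry_ist) */` above the definition. `%r12` being callee-saved is what lets the `subq`/`addq` pair straddle `call \do_sym`, and `save_paranoid`/`RESTORE_ALL` presumably preserve the interrupted context's value around the whole entry — worth stating in the same comment once confirmed.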
13001 @@ -1052,14 +1369,30 @@ ENTRY(\sym)
13002         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
13003         call save_paranoid
13004         TRACE_IRQS_OFF
13005 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13006 +       testb $3, CS(%rsp)
13007 +       jnz 1f
13008 +       pax_enter_kernel
13009 +       jmp 2f
13010 +1:     pax_enter_kernel_user
13011 +2:
13012 +#else
13013 +       pax_enter_kernel
13014 +#endif
13015         movq %rsp,%rdi          /* pt_regs pointer */
13016         xorl %esi,%esi          /* no error code */
13017 +#ifdef CONFIG_SMP
13018 +       imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
13019 +       lea init_tss(%r12), %r12
13020 +#else
13021 +       lea init_tss(%rip), %r12
13022 +#endif
13023         subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
13024         call \do_sym
13025         addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
13026         jmp paranoid_exit       /* %ebx: no swapgs flag */
13027         CFI_ENDPROC
13028 -END(\sym)
13029 +ENDPROC(\sym)
13030  .endm
13031  
13032  .macro errorentry sym do_sym
13033 @@ -1070,13 +1403,23 @@ ENTRY(\sym)
13034         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
13035         call error_entry
13036         DEFAULT_FRAME 0
13037 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13038 +       testb $3, CS(%rsp)
13039 +       jnz 1f
13040 +       pax_enter_kernel
13041 +       jmp 2f
13042 +1:     pax_enter_kernel_user
13043 +2:
13044 +#else
13045 +       pax_enter_kernel
13046 +#endif
13047         movq %rsp,%rdi                  /* pt_regs pointer */
13048         movq ORIG_RAX(%rsp),%rsi        /* get error code */
13049         movq $-1,ORIG_RAX(%rsp)         /* no syscall to restart */
13050         call \do_sym
13051         jmp error_exit                  /* %ebx: no swapgs flag */
13052         CFI_ENDPROC
13053 -END(\sym)
13054 +ENDPROC(\sym)
13055  .endm
13056  
13057         /* error code is on the stack already */
13058 @@ -1089,13 +1432,23 @@ ENTRY(\sym)
13059         call save_paranoid
13060         DEFAULT_FRAME 0
13061         TRACE_IRQS_OFF
13062 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13063 +       testb $3, CS(%rsp)
13064 +       jnz 1f
13065 +       pax_enter_kernel
13066 +       jmp 2f
13067 +1:     pax_enter_kernel_user
13068 +2:
13069 +#else
13070 +       pax_enter_kernel
13071 +#endif
13072         movq %rsp,%rdi                  /* pt_regs pointer */
13073         movq ORIG_RAX(%rsp),%rsi        /* get error code */
13074         movq $-1,ORIG_RAX(%rsp)         /* no syscall to restart */
13075         call \do_sym
13076         jmp paranoid_exit               /* %ebx: no swapgs flag */
13077         CFI_ENDPROC
13078 -END(\sym)
13079 +ENDPROC(\sym)
13080  .endm
13081  
13082  zeroentry divide_error do_divide_error
13083 @@ -1125,9 +1478,10 @@ gs_change:
13084  2:     mfence          /* workaround */
13085         SWAPGS
13086         popfq_cfi
13087 +       pax_force_retaddr
13088         ret
13089         CFI_ENDPROC
13090 -END(native_load_gs_index)
13091 +ENDPROC(native_load_gs_index)
13092  
13093         .section __ex_table,"a"
13094         .align 8
13095 @@ -1149,13 +1503,14 @@ ENTRY(kernel_thread_helper)
13096          * Here we are in the child and the registers are set as they were
13097          * at kernel_thread() invocation in the parent.
13098          */
13099 +       pax_force_fptr %rsi
13100         call *%rsi
13101         # exit
13102         mov %eax, %edi
13103         call do_exit
13104         ud2                     # padding for call trace
13105         CFI_ENDPROC
13106 -END(kernel_thread_helper)
13107 +ENDPROC(kernel_thread_helper)
13108  
13109  /*
13110   * execve(). This function needs to use IRET, not SYSRET, to set up all state properly.
13111 @@ -1184,9 +1539,10 @@ ENTRY(kernel_execve)
13112         je int_ret_from_sys_call
13113         RESTORE_ARGS
13114         UNFAKE_STACK_FRAME
13115 +       pax_force_retaddr
13116         ret
13117         CFI_ENDPROC
13118 -END(kernel_execve)
13119 +ENDPROC(kernel_execve)
13120  
13121  /* Call softirq on interrupt stack. Interrupts are off. */
13122  ENTRY(call_softirq)
13123 @@ -1204,9 +1560,10 @@ ENTRY(call_softirq)
13124         CFI_DEF_CFA_REGISTER    rsp
13125         CFI_ADJUST_CFA_OFFSET   -8
13126         decl PER_CPU_VAR(irq_count)
13127 +       pax_force_retaddr
13128         ret
13129         CFI_ENDPROC
13130 -END(call_softirq)
13131 +ENDPROC(call_softirq)
13132  
13133  #ifdef CONFIG_XEN
13134  zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
13135 @@ -1244,7 +1601,7 @@ ENTRY(xen_do_hypervisor_callback)   # do
13136         decl PER_CPU_VAR(irq_count)
13137         jmp  error_exit
13138         CFI_ENDPROC
13139 -END(xen_do_hypervisor_callback)
13140 +ENDPROC(xen_do_hypervisor_callback)
13141  
13142  /*
13143   * Hypervisor uses this for application faults while it executes.
13144 @@ -1303,7 +1660,7 @@ ENTRY(xen_failsafe_callback)
13145         SAVE_ALL
13146         jmp error_exit
13147         CFI_ENDPROC
13148 -END(xen_failsafe_callback)
13149 +ENDPROC(xen_failsafe_callback)
13150  
13151  apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
13152         xen_hvm_callback_vector xen_evtchn_do_upcall
13153 @@ -1352,16 +1709,31 @@ ENTRY(paranoid_exit)
13154         TRACE_IRQS_OFF
13155         testl %ebx,%ebx                         /* swapgs needed? */
13156         jnz paranoid_restore
13157 -       testl $3,CS(%rsp)
13158 +       testb $3,CS(%rsp)
13159         jnz   paranoid_userspace
13160 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13161 +       pax_exit_kernel
13162 +       TRACE_IRQS_IRETQ 0
13163 +       SWAPGS_UNSAFE_STACK
13164 +       RESTORE_ALL 8
13165 +       pax_force_retaddr
13166 +       jmp irq_return
13167 +#endif
13168  paranoid_swapgs:
13169 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13170 +       pax_exit_kernel_user
13171 +#else
13172 +       pax_exit_kernel
13173 +#endif
13174         TRACE_IRQS_IRETQ 0
13175         SWAPGS_UNSAFE_STACK
13176         RESTORE_ALL 8
13177         jmp irq_return
13178  paranoid_restore:
13179 +       pax_exit_kernel
13180         TRACE_IRQS_IRETQ 0
13181         RESTORE_ALL 8
13182 +       pax_force_retaddr
13183         jmp irq_return
13184  paranoid_userspace:
13185         GET_THREAD_INFO(%rcx)
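Review bot: Without `CONFIG_PAX_MEMORY_UDEREF`, a kernel-mode return that still needs swapgs (`%ebx` zero and CS ring 0 after the two tests above) goes through `paranoid_swapgs`, which, unlike `paranoid_restore` and the UDEREF-only kernel path added above it, performs no `pax_force_retaddr` before `jmp irq_return`. If that is deliberate because such returns can only land in entry code, a comment on `paranoid_swapgs` saying so would save the next reader the analysis; if not, the fixup is missing there. The `TRACE_IRQS_IRETQ 0` / `SWAPGS_UNSAFE_STACK` / `RESTORE_ALL 8` / `jmp irq_return` sequence now appears twice here and a close variant twice more in the nmi exit hunk below, so a small macro would also reduce the chance of the copies diverging.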
13186 @@ -1390,7 +1762,7 @@ paranoid_schedule:
13187         TRACE_IRQS_OFF
13188         jmp paranoid_userspace
13189         CFI_ENDPROC
13190 -END(paranoid_exit)
13191 +ENDPROC(paranoid_exit)
13192  
13193  /*
13194   * Exception entry point. This expects an error code/orig_rax on the stack.
13195 @@ -1417,12 +1789,13 @@ ENTRY(error_entry)
13196         movq_cfi r14, R14+8
13197         movq_cfi r15, R15+8
13198         xorl %ebx,%ebx
13199 -       testl $3,CS+8(%rsp)
13200 +       testb $3,CS+8(%rsp)
13201         je error_kernelspace
13202  error_swapgs:
13203         SWAPGS
13204  error_sti:
13205         TRACE_IRQS_OFF
13206 +       pax_force_retaddr
13207         ret
13208  
13209  /*
13210 @@ -1449,7 +1822,7 @@ bstep_iret:
13211         movq %rcx,RIP+8(%rsp)
13212         jmp error_swapgs
13213         CFI_ENDPROC
13214 -END(error_entry)
13215 +ENDPROC(error_entry)
13216  
13217  
13218  /* ebx:        no swapgs flag (1: don't need swapgs, 0: need it) */
13219 @@ -1469,7 +1842,7 @@ ENTRY(error_exit)
13220         jnz retint_careful
13221         jmp retint_swapgs
13222         CFI_ENDPROC
13223 -END(error_exit)
13224 +ENDPROC(error_exit)
13225  
13226  
13227         /* runs on exception stack */
13228 @@ -1481,6 +1854,16 @@ ENTRY(nmi)
13229         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
13230         call save_paranoid
13231         DEFAULT_FRAME 0
13232 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13233 +       testb $3, CS(%rsp)
13234 +       jnz 1f
13235 +       pax_enter_kernel
13236 +       jmp 2f
13237 +1:     pax_enter_kernel_user
13238 +2:
13239 +#else
13240 +       pax_enter_kernel
13241 +#endif
13242         /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
13243         movq %rsp,%rdi
13244         movq $-1,%rsi
13245 @@ -1491,12 +1874,28 @@ ENTRY(nmi)
13246         DISABLE_INTERRUPTS(CLBR_NONE)
13247         testl %ebx,%ebx                         /* swapgs needed? */
13248         jnz nmi_restore
13249 -       testl $3,CS(%rsp)
13250 +       testb $3,CS(%rsp)
13251         jnz nmi_userspace
13252 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13253 +       pax_exit_kernel
13254 +       SWAPGS_UNSAFE_STACK
13255 +       RESTORE_ALL 8
13256 +       pax_force_retaddr
13257 +       jmp irq_return
13258 +#endif
13259  nmi_swapgs:
13260 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13261 +       pax_exit_kernel_user
13262 +#else
13263 +       pax_exit_kernel
13264 +#endif
13265         SWAPGS_UNSAFE_STACK
13266 +       RESTORE_ALL 8
13267 +       jmp irq_return
13268  nmi_restore:
13269 +       pax_exit_kernel
13270         RESTORE_ALL 8
13271 +       pax_force_retaddr
13272         jmp irq_return
13273  nmi_userspace:
13274         GET_THREAD_INFO(%rcx)
13275 @@ -1525,14 +1924,14 @@ nmi_schedule:
13276         jmp paranoid_exit
13277         CFI_ENDPROC
13278  #endif
13279 -END(nmi)
13280 +ENDPROC(nmi)
13281  
13282  ENTRY(ignore_sysret)
13283         CFI_STARTPROC
13284         mov $-ENOSYS,%eax
13285         sysret
13286         CFI_ENDPROC
13287 -END(ignore_sysret)
13288 +ENDPROC(ignore_sysret)
13289  
13290  /*
13291   * End of kprobes section
13292 diff -urNp linux-3.1.1/arch/x86/kernel/ftrace.c linux-3.1.1/arch/x86/kernel/ftrace.c
13293 --- linux-3.1.1/arch/x86/kernel/ftrace.c        2011-11-11 15:19:27.000000000 -0500
13294 +++ linux-3.1.1/arch/x86/kernel/ftrace.c        2011-11-16 18:39:07.000000000 -0500
13295 @@ -126,7 +126,7 @@ static void *mod_code_ip;           /* holds the 
13296  static const void *mod_code_newcode;   /* holds the text to write to the IP */
13297  
13298  static unsigned nmi_wait_count;
13299 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
13300 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
13301  
13302  int ftrace_arch_read_dyn_info(char *buf, int size)
13303  {
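Review bot: `nmi_update_count` is switched to `atomic_unchecked_t` (with matching `atomic_read_unchecked` / `atomic_inc_unchecked` in the two hunks that follow) with nothing recording why this counter is exempt from whatever overflow checking the checked variant provides. Future `_unchecked` conversions get reviewed against such justifications, so put it on the declaration: `/* statistics only: a wrap-around here is harmless, so exempt from refcount overflow detection */`, assuming that is indeed the reason. Its only visible consumer is the `snprintf` in `ftrace_arch_read_dyn_info`, which does suggest it is purely informational.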
13304 @@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf,
13305  
13306         r = snprintf(buf, size, "%u %u",
13307                      nmi_wait_count,
13308 -                    atomic_read(&nmi_update_count));
13309 +                    atomic_read_unchecked(&nmi_update_count));
13310         return r;
13311  }
13312  
13313 @@ -177,8 +177,10 @@ void ftrace_nmi_enter(void)
13314  
13315         if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
13316                 smp_rmb();
13317 +               pax_open_kernel();
13318                 ftrace_mod_code();
13319 -               atomic_inc(&nmi_update_count);
13320 +               pax_close_kernel();
13321 +               atomic_inc_unchecked(&nmi_update_count);
13322         }
13323         /* Must have previous changes seen before executions */
13324         smp_mb();
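Review bot: `pax_open_kernel()` / `pax_close_kernel()` now bracket `ftrace_mod_code()` inside an NMI handler, and this hunk cannot show whether those helpers tolerate being entered while the interrupted context on the same CPU is itself between an open and a close — if the close unconditionally re-protects, the interrupted write would fault afterwards. If the helpers save and restore the previous state this is fine; a comment at the call site such as `/* NMI context: pax_open/close_kernel must be nesting-safe here */` would make the assumption explicit and reviewable. The window is correctly limited to the single `ftrace_mod_code()` call.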
13325 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
13326  {
13327         unsigned char replaced[MCOUNT_INSN_SIZE];
13328  
13329 +       ip = ktla_ktva(ip);
13330 +
13331         /*
13332          * Note: Due to modules and __init, code can
13333          *  disappear and change, we need to protect against faulting
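Review bot: `ip = ktla_ktva(ip);` rewrites the parameter without a comment, and the same address translation is applied in `ftrace_update_ftrace_func` (the `memcpy` source becomes `ktla_ktva((unsigned long)ftrace_call)`) and `ftrace_mod_jmp` in the next two hunks, so the convention is that callers pass the untranslated text address and each entry point translates once. Write that down where it is first done, e.g. `/* callers pass the linear text address; read/write through its alias (presumably the KERNEXEC mapping) */`, because a caller that already translates would otherwise be double-mapped and nothing here would catch it. The body of `ftrace_modify_code` continues outside the hunk.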
13334 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
13335         unsigned char old[MCOUNT_INSN_SIZE], *new;
13336         int ret;
13337  
13338 -       memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
13339 +       memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
13340         new = ftrace_call_replace(ip, (unsigned long)func);
13341         ret = ftrace_modify_code(ip, old, new);
13342  
13343 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long 
13344  {
13345         unsigned char code[MCOUNT_INSN_SIZE];
13346  
13347 +       ip = ktla_ktva(ip);
13348 +
13349         if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
13350                 return -EFAULT;
13351  
13352 diff -urNp linux-3.1.1/arch/x86/kernel/head32.c linux-3.1.1/arch/x86/kernel/head32.c
13353 --- linux-3.1.1/arch/x86/kernel/head32.c        2011-11-11 15:19:27.000000000 -0500
13354 +++ linux-3.1.1/arch/x86/kernel/head32.c        2011-11-16 18:39:07.000000000 -0500
13355 @@ -19,6 +19,7 @@
13356  #include <asm/io_apic.h>
13357  #include <asm/bios_ebda.h>
13358  #include <asm/tlbflush.h>
13359 +#include <asm/boot.h>
13360  
13361  static void __init i386_default_early_setup(void)
13362  {
13363 @@ -33,7 +34,7 @@ void __init i386_start_kernel(void)
13364  {
13365         memblock_init();
13366  
13367 -       memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13368 +       memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13369  
13370  #ifdef CONFIG_BLK_DEV_INITRD
13371         /* Reserve INITRD */
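Review bot: Reserving from `LOAD_PHYSICAL_ADDR` instead of `__pa_symbol(&_text)` is only correct if the image now has loaded bytes at or above the load address that `_text` no longer covers, and the reason is not stated — presumably the relocated `stext`/`_stext` and the KERNEXEC int3 page introduced in the head_32.S hunks below. A comment such as `/* _text no longer marks the lowest loaded byte with this layout; reserve from the load address instead */` would tie the two changes together. The new `#include <asm/boot.h>` in the previous hunk is, from context, what supplies `LOAD_PHYSICAL_ADDR`.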
13372 diff -urNp linux-3.1.1/arch/x86/kernel/head_32.S linux-3.1.1/arch/x86/kernel/head_32.S
13373 --- linux-3.1.1/arch/x86/kernel/head_32.S       2011-11-11 15:19:27.000000000 -0500
13374 +++ linux-3.1.1/arch/x86/kernel/head_32.S       2011-11-16 18:39:07.000000000 -0500
13375 @@ -25,6 +25,12 @@
13376  /* Physical address */
13377  #define pa(X) ((X) - __PAGE_OFFSET)
13378  
13379 +#ifdef CONFIG_PAX_KERNEXEC
13380 +#define ta(X) (X)
13381 +#else
13382 +#define ta(X) ((X) - __PAGE_OFFSET)
13383 +#endif
13384 +
13385  /*
13386   * References to members of the new_cpu_data structure.
13387   */
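Review bot: `ta(X)` is introduced next to `pa(X)` with no comment, so a reader cannot tell what address space it yields or why it is the identity under `CONFIG_PAX_KERNEXEC`; its only use in this view is the `subarch_entries` jump table further down. Add a short explanation above the `#ifdef`, e.g. `/* ta(): value to store in an early jump table; with KERNEXEC the boot code segment base already absorbs the __PAGE_OFFSET adjustment */` — the second clause is an inference from the `__BOOT_CS` base setup in the startup_32 hunk and should be confirmed before it is written down.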
13388 @@ -54,11 +60,7 @@
13389   * and small than max_low_pfn, otherwise will waste some page table entries
13390   */
13391  
13392 -#if PTRS_PER_PMD > 1
13393 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
13394 -#else
13395 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
13396 -#endif
13397 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
13398  
13399  /* Number of possible pages in the lowmem region */
13400  LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
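Review bot: The `+ PTRS_PER_PGD` term is dropped from the PAE `PAGE_TABLE_SIZE`, so the brk reservation no longer includes space for the PMD pages; that appears to be safe only because `initial_pg_pmd` is now emitted from its own `.initial_pg_pmd` section in the BSS hunk further down rather than carved from this reservation. Nothing near the macro says so — add `/* PMDs live in .initial_pg_pmd now, so only PTE pages are counted here */` so the two places stay in step. It is also worth checking that `PTRS_PER_PTE` equals the old divisor on both configurations (`PTRS_PER_PMD` under PAE, `PTRS_PER_PGD` otherwise), which is what keeps the non-PAE result unchanged.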
13401 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
13402  RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13403  
13404  /*
13405 + * Real beginning of normal "text" segment
13406 + */
13407 +ENTRY(stext)
13408 +ENTRY(_stext)
13409 +
13410 +/*
13411   * 32-bit kernel entrypoint; only used by the boot CPU.  On entry,
13412   * %esi points to the real-mode code as a 32-bit pointer.
13413   * CS and DS must be 4 GB flat segments, but we don't depend on
13414 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13415   * can.
13416   */
13417  __HEAD
13418 +
13419 +#ifdef CONFIG_PAX_KERNEXEC
13420 +       jmp startup_32
13421 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
13422 +.fill PAGE_SIZE-5,1,0xcc
13423 +#endif
13424 +
13425  ENTRY(startup_32)
13426         movl pa(stack_start),%ecx
13427         
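Review bot: `.fill PAGE_SIZE-5,1,0xcc` hard-codes the 5-byte `jmp rel32` encoding of the preceding `jmp startup_32`; the target is a full page away so gas will choose that form, but the dependency is invisible. Either note it — `/* 5 == size of the rel32 jmp above; keep in sync */` — or, if `__HEAD` is known to be page-aligned, replace the fill with `.balign PAGE_SIZE, 0xcc` after the jump so the padding no longer depends on the instruction length.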
13428 @@ -105,6 +120,57 @@ ENTRY(startup_32)
13429  2:
13430         leal -__PAGE_OFFSET(%ecx),%esp
13431  
13432 +#ifdef CONFIG_SMP
13433 +       movl $pa(cpu_gdt_table),%edi
13434 +       movl $__per_cpu_load,%eax
13435 +       movw %ax,__KERNEL_PERCPU + 2(%edi)
13436 +       rorl $16,%eax
13437 +       movb %al,__KERNEL_PERCPU + 4(%edi)
13438 +       movb %ah,__KERNEL_PERCPU + 7(%edi)
13439 +       movl $__per_cpu_end - 1,%eax
13440 +       subl $__per_cpu_start,%eax
13441 +       movw %ax,__KERNEL_PERCPU + 0(%edi)
13442 +#endif
13443 +
13444 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13445 +       movl $NR_CPUS,%ecx
13446 +       movl $pa(cpu_gdt_table),%edi
13447 +1:
13448 +       movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
13449 +       movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
13450 +       movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
13451 +       addl $PAGE_SIZE_asm,%edi
13452 +       loop 1b
13453 +#endif
13454 +
13455 +#ifdef CONFIG_PAX_KERNEXEC
13456 +       movl $pa(boot_gdt),%edi
13457 +       movl $__LOAD_PHYSICAL_ADDR,%eax
13458 +       movw %ax,__BOOT_CS + 2(%edi)
13459 +       rorl $16,%eax
13460 +       movb %al,__BOOT_CS + 4(%edi)
13461 +       movb %ah,__BOOT_CS + 7(%edi)
13462 +       rorl $16,%eax
13463 +
13464 +       ljmp $(__BOOT_CS),$1f
13465 +1:
13466 +
13467 +       movl $NR_CPUS,%ecx
13468 +       movl $pa(cpu_gdt_table),%edi
13469 +       addl $__PAGE_OFFSET,%eax
13470 +1:
13471 +       movw %ax,__KERNEL_CS + 2(%edi)
13472 +       movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
13473 +       rorl $16,%eax
13474 +       movb %al,__KERNEL_CS + 4(%edi)
13475 +       movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
13476 +       movb %ah,__KERNEL_CS + 7(%edi)
13477 +       movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
13478 +       rorl $16,%eax
13479 +       addl $PAGE_SIZE_asm,%edi
13480 +       loop 1b
13481 +#endif
13482 +
13483  /*
13484   * Clear BSS first so that there are no surprises...
13485   */
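Review bot: The `CONFIG_SMP` block writes only the low 16 bits of the `__KERNEL_PERCPU` limit (`movw %ax,__KERNEL_PERCPU + 0(%edi)`) and never touches the high limit nibble in byte 6, so the result is right only if the static descriptor's granularity and high limit bits already fit a per-cpu area of this size; a larger area would be silently truncated. A comment stating the assumed bound, or an assembly-time check on `__per_cpu_end - __per_cpu_start`, would make that visible. The three UDEREF descriptor words also repeat `(((__PAGE_OFFSET-1) & 0xf0000000) >> 12)` with bare access bytes (`0x97`, `0xfb`, `0xf3`); a named macro for the limit part plus a comment that the kernel DS reads as expand-down (type 0x97) above `__PAGE_OFFSET` while the user segments are expand-up below it would make the intent reviewable. `__KERNEL_PERCPU`, `__KERNEL_CS` and `__KERNEXEC_KERNEL_CS` are defined outside this hunk.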
13486 @@ -195,8 +261,11 @@ ENTRY(startup_32)
13487         movl %eax, pa(max_pfn_mapped)
13488  
13489         /* Do early initialization of the fixmap area */
13490 -       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
13491 -       movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
13492 +#ifdef CONFIG_COMPAT_VDSO
13493 +       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
13494 +#else
13495 +       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
13496 +#endif
13497  #else  /* Not PAE */
13498  
13499  page_pde_offset = (__PAGE_OFFSET >> 20);
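Review bot: Adding `_PAGE_USER` to the fixmap PDE only under `CONFIG_COMPAT_VDSO` (here and in the non-PAE hunk that follows) leaves the fixmap supervisor-only at the directory level in every other configuration — a deliberate narrowing of what user mode can reach that the `#ifdef` does not explain. Add `/* only the legacy fixed-address vDSO needs user access to the fixmap region; keep it supervisor-only otherwise */` at this first copy, and since the two copies must stay identical, name the non-PAE site in it.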
13500 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13501         movl %eax, pa(max_pfn_mapped)
13502  
13503         /* Do early initialization of the fixmap area */
13504 -       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
13505 -       movl %eax,pa(initial_page_table+0xffc)
13506 +#ifdef CONFIG_COMPAT_VDSO
13507 +       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
13508 +#else
13509 +       movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
13510 +#endif
13511  #endif
13512  
13513  #ifdef CONFIG_PARAVIRT
13514 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13515         cmpl $num_subarch_entries, %eax
13516         jae bad_subarch
13517  
13518 -       movl pa(subarch_entries)(,%eax,4), %eax
13519 -       subl $__PAGE_OFFSET, %eax
13520 -       jmp *%eax
13521 +       jmp *pa(subarch_entries)(,%eax,4)
13522  
13523  bad_subarch:
13524  WEAK(lguest_entry)
13525 @@ -255,10 +325,10 @@ WEAK(xen_entry)
13526         __INITDATA
13527  
13528  subarch_entries:
13529 -       .long default_entry             /* normal x86/PC */
13530 -       .long lguest_entry              /* lguest hypervisor */
13531 -       .long xen_entry                 /* Xen hypervisor */
13532 -       .long default_entry             /* Moorestown MID */
13533 +       .long ta(default_entry)         /* normal x86/PC */
13534 +       .long ta(lguest_entry)          /* lguest hypervisor */
13535 +       .long ta(xen_entry)             /* Xen hypervisor */
13536 +       .long ta(default_entry)         /* Moorestown MID */
13537  num_subarch_entries = (. - subarch_entries) / 4
13538  .previous
13539  #else
13540 @@ -312,6 +382,7 @@ default_entry:
13541         orl %edx,%eax
13542         movl %eax,%cr4
13543  
13544 +#ifdef CONFIG_X86_PAE
13545         testb $X86_CR4_PAE, %al         # check if PAE is enabled
13546         jz 6f
13547  
13548 @@ -340,6 +411,9 @@ default_entry:
13549         /* Make changes effective */
13550         wrmsr
13551  
13552 +       btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
13553 +#endif
13554 +
13555  6:
13556  
13557  /*
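Review bot: `btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)` pre-sets NX in the supported mask right after the `wrmsr` that, from context, enables NX in EFER, and it sits on the NX-capable path only, but nothing explains why this is done from assembly at all. If the reason is that the early page tables need to be marked NX before C code re-derives the mask (in `x86_configure_nx()`, if I recall the name correctly), say so in a one-line comment at the `btsl`. The `#endif` here closes the `#ifdef CONFIG_X86_PAE` opened in the preceding hunk, so the two hunks only make sense together.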
13558 @@ -443,7 +517,7 @@ is386:      movl $2,%ecx            # set MP
13559  1:     movl $(__KERNEL_DS),%eax        # reload all the segment registers
13560         movl %eax,%ss                   # after changing gdt.
13561  
13562 -       movl $(__USER_DS),%eax          # DS/ES contains default USER segment
13563 +#      movl $(__KERNEL_DS),%eax        # DS/ES contains default KERNEL segment
13564         movl %eax,%ds
13565         movl %eax,%es
13566  
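Review bot: `#      movl $(__KERNEL_DS),%eax` leaves a commented-out instruction where the `__USER_DS` load used to be, so the following `movl %eax,%ds` / `movl %eax,%es` now rely on `%eax` still holding `__KERNEL_DS` from the `1:` reload a few lines above — correct, but an invisible dependency. Replace the dead line with a comment that states it, `# DS/ES default to __KERNEL_DS: %eax still holds it from the reload above`, rather than leaving code-shaped text that a later edit might uncomment or move.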
13567 @@ -457,15 +531,22 @@ is386:    movl $2,%ecx            # set MP
13568          */
13569         cmpb $0,ready
13570         jne 1f
13571 -       movl $gdt_page,%eax
13572 +       movl $cpu_gdt_table,%eax
13573         movl $stack_canary,%ecx
13574 +#ifdef CONFIG_SMP
13575 +       addl $__per_cpu_load,%ecx
13576 +#endif
13577         movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
13578         shrl $16, %ecx
13579         movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
13580         movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
13581  1:
13582 -#endif
13583         movl $(__KERNEL_STACK_CANARY),%eax
13584 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13585 +       movl $(__USER_DS),%eax
13586 +#else
13587 +       xorl %eax,%eax
13588 +#endif
13589         movl %eax,%gs
13590  
13591         xorl %eax,%eax                  # Clear LDT
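Review bot: The new `#elif defined(CONFIG_PAX_MEMORY_UDEREF)` / `#else` arms decide what `%gs` holds at boot, and the `#ifdef` they extend (from the `__KERNEL_STACK_CANARY` and `GDT_ENTRY_STACK_CANARY` context, the stack-protector block) is opened outside this hunk; the ordering means a stack-protector kernel keeps the canary selector in `%gs` even with UDEREF enabled, while a UDEREF kernel without it loads `__USER_DS`. That precedence, and what UDEREF relies on when both are configured, deserve a comment at the `#elif`, since neither is derivable from this file alone.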
13592 @@ -558,22 +639,22 @@ early_page_fault:
13593         jmp early_fault
13594  
13595  early_fault:
13596 -       cld
13597  #ifdef CONFIG_PRINTK
13598 +       cmpl $1,%ss:early_recursion_flag
13599 +       je hlt_loop
13600 +       incl %ss:early_recursion_flag
13601 +       cld
13602         pusha
13603         movl $(__KERNEL_DS),%eax
13604         movl %eax,%ds
13605         movl %eax,%es
13606 -       cmpl $2,early_recursion_flag
13607 -       je hlt_loop
13608 -       incl early_recursion_flag
13609         movl %cr2,%eax
13610         pushl %eax
13611         pushl %edx              /* trapno */
13612         pushl $fault_msg
13613         call printk
13614 +;      call dump_stack
13615  #endif
13616 -       call dump_stack
13617  hlt_loop:
13618         hlt
13619         jmp hlt_loop
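Review bot: `;      call dump_stack` does not disable the call: on x86 targets gas treats `;` as a statement separator, not a comment character, so `call dump_stack` is still assembled — now inside `#ifdef CONFIG_PRINTK` instead of unconditionally. If the intent is to drop it (the deletion of the unconditional `call dump_stack` suggests so), delete the line or use `#`; if the call is meant to stay, the stray `;` is merely misleading and should go. Separately, the recursion threshold in `early_fault` changes from `cmpl $2` to `cmpl $1` while `ignore_int` in the next hunk keeps `$2`, so a comment saying why the two paths now differ would help. Checking the flag before `pusha` and through `%ss:` is a sound tightening of the path, assuming `%ds` cannot be trusted at that point.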
13620 @@ -581,8 +662,11 @@ hlt_loop:
13621  /* This is the default interrupt "handler" :-) */
13622         ALIGN
13623  ignore_int:
13624 -       cld
13625  #ifdef CONFIG_PRINTK
13626 +       cmpl $2,%ss:early_recursion_flag
13627 +       je hlt_loop
13628 +       incl %ss:early_recursion_flag
13629 +       cld
13630         pushl %eax
13631         pushl %ecx
13632         pushl %edx
13633 @@ -591,9 +675,6 @@ ignore_int:
13634         movl $(__KERNEL_DS),%eax
13635         movl %eax,%ds
13636         movl %eax,%es
13637 -       cmpl $2,early_recursion_flag
13638 -       je hlt_loop
13639 -       incl early_recursion_flag
13640         pushl 16(%esp)
13641         pushl 24(%esp)
13642         pushl 32(%esp)
13643 @@ -622,29 +703,43 @@ ENTRY(initial_code)
13644  /*
13645   * BSS section
13646   */
13647 -__PAGE_ALIGNED_BSS
13648 -       .align PAGE_SIZE
13649  #ifdef CONFIG_X86_PAE
13650 +.section .initial_pg_pmd,"a",@progbits
13651  initial_pg_pmd:
13652         .fill 1024*KPMDS,4,0
13653  #else
13654 +.section .initial_page_table,"a",@progbits
13655  ENTRY(initial_page_table)
13656         .fill 1024,4,0
13657  #endif
13658 +.section .initial_pg_fixmap,"a",@progbits
13659  initial_pg_fixmap:
13660         .fill 1024,4,0
13661 +.section .empty_zero_page,"a",@progbits
13662  ENTRY(empty_zero_page)
13663         .fill 4096,1,0
13664 +.section .swapper_pg_dir,"a",@progbits
13665  ENTRY(swapper_pg_dir)
13666 +#ifdef CONFIG_X86_PAE
13667 +       .fill 4,8,0
13668 +#else
13669         .fill 1024,4,0
13670 +#endif
13671 +
13672 +/*
13673 + * The IDT has to be page-aligned to simplify the Pentium
13674 + * F0 0F bug workaround.. We have a special link segment
13675 + * for this.
13676 + */
13677 +.section .idt,"a",@progbits
13678 +ENTRY(idt_table)
13679 +       .fill 256,8,0
13680  
13681  /*
13682   * This starts the data section.
13683   */
13684  #ifdef CONFIG_X86_PAE
13685 -__PAGE_ALIGNED_DATA
13686 -       /* Page-aligned for the benefit of paravirt? */
13687 -       .align PAGE_SIZE
13688 +.section .initial_page_table,"a",@progbits
13689  ENTRY(initial_page_table)
13690         .long   pa(initial_pg_pmd+PGD_IDENT_ATTR),0     /* low identity map */
13691  # if KPMDS == 3
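Review bot: The page tables, `empty_zero_page`, `swapper_pg_dir` and `idt_table` move out of `__PAGE_ALIGNED_BSS` / `__PAGE_ALIGNED_DATA` into dedicated `"a",@progbits` sections and the explicit `.align PAGE_SIZE` directives are dropped, so page alignment (including the PAE `swapper_pg_dir`, now a 32-byte `.fill 4,8,0` object) depends entirely on the linker script placing each section on a page boundary — a script change not in this view. A comment at the first `.section`, e.g. `/* alignment comes from the linker script: each of these sections must be placed on a page boundary */`, would keep that from breaking silently. These are also progbits rather than nobits now, so the zero pages occupy image space; if that is intended, say so.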
13692 @@ -663,18 +758,27 @@ ENTRY(initial_page_table)
13693  #  error "Kernel PMDs should be 1, 2 or 3"
13694  # endif
13695         .align PAGE_SIZE                /* needs to be page-sized too */
13696 +
13697 +#ifdef CONFIG_PAX_PER_CPU_PGD
13698 +ENTRY(cpu_pgd)
13699 +       .rept NR_CPUS
13700 +       .fill   4,8,0
13701 +       .endr
13702 +#endif
13703 +
13704  #endif
13705  
13706  .data
13707  .balign 4
13708  ENTRY(stack_start)
13709 -       .long init_thread_union+THREAD_SIZE
13710 +       .long init_thread_union+THREAD_SIZE-8
13711 +
13712 +ready: .byte 0
13713  
13714 +.section .rodata,"a",@progbits
13715  early_recursion_flag:
13716         .long 0
13717  
13718 -ready: .byte 0
13719 -
13720  int_msg:
13721         .asciz "Unknown interrupt or fault at: %p %p %p\n"
13722  
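Review bot: `early_recursion_flag` now lives in `.rodata` (the `.section .rodata,"a",@progbits` is placed directly above it) but is still incremented by `early_fault` and `ignore_int` in the earlier hunks, so it only works while that section is still writable — any use of those handlers after read-only protection is applied would fault on the `incl`. Either keep the flag next to `ready` in `.data`, or add `/* written only by the early-boot fault handlers, before .rodata is made read-only */` so the constraint is explicit. The `init_thread_union+THREAD_SIZE-8` change to `stack_start` also goes unexplained; a one-line reason would help.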
13723 @@ -707,7 +811,7 @@ fault_msg:
13724         .word 0                         # 32 bit align gdt_desc.address
13725  boot_gdt_descr:
13726         .word __BOOT_DS+7
13727 -       .long boot_gdt - __PAGE_OFFSET
13728 +       .long pa(boot_gdt)
13729  
13730         .word 0                         # 32-bit align idt_desc.address
13731  idt_descr:
13732 @@ -718,7 +822,7 @@ idt_descr:
13733         .word 0                         # 32 bit align gdt_desc.address
13734  ENTRY(early_gdt_descr)
13735         .word GDT_ENTRIES*8-1
13736 -       .long gdt_page                  /* Overwritten for secondary CPUs */
13737 +       .long cpu_gdt_table             /* Overwritten for secondary CPUs */
13738  
13739  /*
13740   * The boot_gdt must mirror the equivalent in setup.S and is
13741 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
13742         .align L1_CACHE_BYTES
13743  ENTRY(boot_gdt)
13744         .fill GDT_ENTRY_BOOT_CS,8,0
13745 -       .quad 0x00cf9a000000ffff        /* kernel 4GB code at 0x00000000 */
13746 -       .quad 0x00cf92000000ffff        /* kernel 4GB data at 0x00000000 */
13747 +       .quad 0x00cf9b000000ffff        /* kernel 4GB code at 0x00000000 */
13748 +       .quad 0x00cf93000000ffff        /* kernel 4GB data at 0x00000000 */
13749 +
13750 +       .align PAGE_SIZE_asm
13751 +ENTRY(cpu_gdt_table)
13752 +       .rept NR_CPUS
13753 +       .quad 0x0000000000000000        /* NULL descriptor */
13754 +       .quad 0x0000000000000000        /* 0x0b reserved */
13755 +       .quad 0x0000000000000000        /* 0x13 reserved */
13756 +       .quad 0x0000000000000000        /* 0x1b reserved */
13757 +
13758 +#ifdef CONFIG_PAX_KERNEXEC
13759 +       .quad 0x00cf9b000000ffff        /* 0x20 alternate kernel 4GB code at 0x00000000 */
13760 +#else
13761 +       .quad 0x0000000000000000        /* 0x20 unused */
13762 +#endif
13763 +
13764 +       .quad 0x0000000000000000        /* 0x28 unused */
13765 +       .quad 0x0000000000000000        /* 0x33 TLS entry 1 */
13766 +       .quad 0x0000000000000000        /* 0x3b TLS entry 2 */
13767 +       .quad 0x0000000000000000        /* 0x43 TLS entry 3 */
13768 +       .quad 0x0000000000000000        /* 0x4b reserved */
13769 +       .quad 0x0000000000000000        /* 0x53 reserved */
13770 +       .quad 0x0000000000000000        /* 0x5b reserved */
13771 +
13772 +       .quad 0x00cf9b000000ffff        /* 0x60 kernel 4GB code at 0x00000000 */
13773 +       .quad 0x00cf93000000ffff        /* 0x68 kernel 4GB data at 0x00000000 */
13774 +       .quad 0x00cffb000000ffff        /* 0x73 user 4GB code at 0x00000000 */
13775 +       .quad 0x00cff3000000ffff        /* 0x7b user 4GB data at 0x00000000 */
13776 +
13777 +       .quad 0x0000000000000000        /* 0x80 TSS descriptor */
13778 +       .quad 0x0000000000000000        /* 0x88 LDT descriptor */
13779 +
13780 +       /*
13781 +        * Segments used for calling PnP BIOS have byte granularity.
13782 +        * The code segments and data segments have fixed 64k limits,
13783 +        * the transfer segment sizes are set at run time.
13784 +        */
13785 +       .quad 0x00409b000000ffff        /* 0x90 32-bit code */
13786 +       .quad 0x00009b000000ffff        /* 0x98 16-bit code */
13787 +       .quad 0x000093000000ffff        /* 0xa0 16-bit data */
13788 +       .quad 0x0000930000000000        /* 0xa8 16-bit data */
13789 +       .quad 0x0000930000000000        /* 0xb0 16-bit data */
13790 +
13791 +       /*
13792 +        * The APM segments have byte granularity and their bases
13793 +        * are set at run time.  All have 64k limits.
13794 +        */
13795 +       .quad 0x00409b000000ffff        /* 0xb8 APM CS    code */
13796 +       .quad 0x00009b000000ffff        /* 0xc0 APM CS 16 code (16 bit) */
13797 +       .quad 0x004093000000ffff        /* 0xc8 APM DS    data */
13798 +
13799 +       .quad 0x00c0930000000000        /* 0xd0 - ESPFIX SS */
13800 +       .quad 0x0040930000000000        /* 0xd8 - PERCPU */
13801 +       .quad 0x0040910000000017        /* 0xe0 - STACK_CANARY */
13802 +       .quad 0x0000000000000000        /* 0xe8 - PCIBIOS_CS */
13803 +       .quad 0x0000000000000000        /* 0xf0 - PCIBIOS_DS */
13804 +       .quad 0x0000000000000000        /* 0xf8 - GDT entry 31: double-fault TSS */
13805 +
13806 +       /* Be sure this is zeroed to avoid false validations in Xen */
13807 +       .fill PAGE_SIZE_asm - GDT_SIZE,1,0
13808 +       .endr
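Review bot: The kernel and user descriptors in both `boot_gdt` and the new `cpu_gdt_table` now carry the accessed bit (type byte 0x9b/0x93 instead of upstream's 0x9a/0x92) and nothing in the hunk says why. Presumably this is so the CPU never has to write a descriptor on a segment load, which matters once the GDT page is read-only, but a reader diffing against upstream will see it as a stray change; a one-line comment above `ENTRY(boot_gdt)` such as `/* accessed bit pre-set: the CPU must never write these descriptors (GDT will be read-only) */` would make it explicit. The `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` pad also silently depends on the entry list above matching `GDT_ENTRIES`; the 64-bit table later in this commit carries `/* asm/segment.h:GDT_ENTRIES must match this */`, and the same line belongs here.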
13809 diff -urNp linux-3.1.1/arch/x86/kernel/head_64.S linux-3.1.1/arch/x86/kernel/head_64.S
13810 --- linux-3.1.1/arch/x86/kernel/head_64.S       2011-11-11 15:19:27.000000000 -0500
13811 +++ linux-3.1.1/arch/x86/kernel/head_64.S       2011-11-16 18:39:07.000000000 -0500
13812 @@ -19,6 +19,7 @@
13813  #include <asm/cache.h>
13814  #include <asm/processor-flags.h>
13815  #include <asm/percpu.h>
13816 +#include <asm/cpufeature.h>
13817  
13818  #ifdef CONFIG_PARAVIRT
13819  #include <asm/asm-offsets.h>
13820 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
13821  L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
13822  L4_START_KERNEL = pgd_index(__START_KERNEL_map)
13823  L3_START_KERNEL = pud_index(__START_KERNEL_map)
13824 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
13825 +L3_VMALLOC_START = pud_index(VMALLOC_START)
13826 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
13827 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
13828  
13829         .text
13830         __HEAD
13831 @@ -85,35 +90,22 @@ startup_64:
13832          */
13833         addq    %rbp, init_level4_pgt + 0(%rip)
13834         addq    %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
13835 +       addq    %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
13836 +       addq    %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
13837         addq    %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
13838  
13839         addq    %rbp, level3_ident_pgt + 0(%rip)
13840 +#ifndef CONFIG_XEN
13841 +       addq    %rbp, level3_ident_pgt + 8(%rip)
13842 +#endif
13843  
13844 -       addq    %rbp, level3_kernel_pgt + (510*8)(%rip)
13845 -       addq    %rbp, level3_kernel_pgt + (511*8)(%rip)
13846 +       addq    %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
13847  
13848 -       addq    %rbp, level2_fixmap_pgt + (506*8)(%rip)
13849 +       addq    %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
13850 +       addq    %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
13851  
13852 -       /* Add an Identity mapping if I am above 1G */
13853 -       leaq    _text(%rip), %rdi
13854 -       andq    $PMD_PAGE_MASK, %rdi
13855 -
13856 -       movq    %rdi, %rax
13857 -       shrq    $PUD_SHIFT, %rax
13858 -       andq    $(PTRS_PER_PUD - 1), %rax
13859 -       jz      ident_complete
13860 -
13861 -       leaq    (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
13862 -       leaq    level3_ident_pgt(%rip), %rbx
13863 -       movq    %rdx, 0(%rbx, %rax, 8)
13864 -
13865 -       movq    %rdi, %rax
13866 -       shrq    $PMD_SHIFT, %rax
13867 -       andq    $(PTRS_PER_PMD - 1), %rax
13868 -       leaq    __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
13869 -       leaq    level2_spare_pgt(%rip), %rbx
13870 -       movq    %rdx, 0(%rbx, %rax, 8)
13871 -ident_complete:
13872 +       addq    %rbp, level2_fixmap_pgt + (506*8)(%rip)
13873 +       addq    %rbp, level2_fixmap_pgt + (507*8)(%rip)
13874  
13875         /*
13876          * Fixup the kernel text+data virtual addresses. Note that
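Review bot: Removing the `ident_complete` block drops the only code that built an identity mapping for a kernel loaded above the statically covered range; the replacement relies on `level2_ident_pgt` being pre-filled for the first 2G (the `2*PTRS_PER_PMD` change further down, linked via the second `level3_ident_pgt` slot), so a kernel relocated to 2G or higher by a bootloader or kexec would run here with no identity mapping for its own text. If that is an accepted limitation it should be stated where the old comment stood, e.g. `/* identity map is static (first 2G via level2_ident_pgt); load addresses >= 2G are not supported */`, and ideally checked early rather than discovered as a silent early fault. The `#ifndef CONFIG_XEN` guard on the second slot mirrors the table definition below and is fine, but the same comment should mention why Xen keeps only 1G.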
13877 @@ -160,8 +152,8 @@ ENTRY(secondary_startup_64)
13878          * after the boot processor executes this code.
13879          */
13880  
13881 -       /* Enable PAE mode and PGE */
13882 -       movl    $(X86_CR4_PAE | X86_CR4_PGE), %eax
13883 +       /* Enable PAE mode and PSE/PGE */
13884 +       movl    $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
13885         movq    %rax, %cr4
13886  
13887         /* Setup early boot stage 4 level pagetables. */
13888 @@ -183,9 +175,14 @@ ENTRY(secondary_startup_64)
13889         movl    $MSR_EFER, %ecx
13890         rdmsr
13891         btsl    $_EFER_SCE, %eax        /* Enable System Call */
13892 -       btl     $20,%edi                /* No Execute supported? */
13893 +       btl     $(X86_FEATURE_NX & 31),%edi     /* No Execute supported? */
13894         jnc     1f
13895         btsl    $_EFER_NX, %eax
13896 +       leaq    init_level4_pgt(%rip), %rdi
13897 +       btsq    $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
13898 +       btsq    $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
13899 +       btsq    $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
13900 +       btsq    $_PAGE_BIT_NX, __supported_pte_mask(%rip)
13901  1:     wrmsr                           /* Make changes effective */
13902  
13903         /* Setup cr0 */
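Review bot: The four `btsq` instructions after the NX feature test execute on every CPU that passes through `secondary_startup_64`, not only the boot CPU, so each AP rewrites shared `init_level4_pgt` entries and `__supported_pte_mask` while the BSP may already be using them. `bts` is idempotent so the outcome is the same, but it also silently re-sets `_PAGE_NX` in `__supported_pte_mask` if C code cleared it earlier (whether a `noexec`-style override still exists in this tree is not visible here). A comment stating that the writes are intentionally repeated per CPU and idempotent, or moving them under a BSP-only path, would make the intent clear. Replacing the bare `20` with `X86_FEATURE_NX & 31` is a welcome cleanup.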
13904 @@ -269,7 +266,7 @@ ENTRY(secondary_startup_64)
13905  bad_address:
13906         jmp bad_address
13907  
13908 -       .section ".init.text","ax"
13909 +       __INIT
13910  #ifdef CONFIG_EARLY_PRINTK
13911         .globl early_idt_handlers
13912  early_idt_handlers:
13913 @@ -314,18 +311,23 @@ ENTRY(early_idt_handler)
13914  #endif /* EARLY_PRINTK */
13915  1:     hlt
13916         jmp 1b
13917 +       .previous
13918  
13919  #ifdef CONFIG_EARLY_PRINTK
13920 +       __INITDATA
13921  early_recursion_flag:
13922         .long 0
13923 +       .previous
13924  
13925 +       .section .rodata,"a",@progbits
13926  early_idt_msg:
13927         .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
13928  early_idt_ripmsg:
13929         .asciz "RIP %s\n"
13930 -#endif /* CONFIG_EARLY_PRINTK */
13931         .previous
13932 +#endif /* CONFIG_EARLY_PRINTK */
13933  
13934 +       .section .rodata,"a",@progbits
13935  #define NEXT_PAGE(name) \
13936         .balign PAGE_SIZE; \
13937  ENTRY(name)
13938 @@ -338,7 +340,6 @@ ENTRY(name)
13939         i = i + 1 ;                                     \
13940         .endr
13941  
13942 -       .data
13943         /*
13944          * This default setting generates an ident mapping at address 0x100000
13945          * and a mapping for the kernel that precisely maps virtual address
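Review bot: With `.data` removed and `.section .rodata,"a",@progbits` placed before the `NEXT_PAGE` macro, every page table emitted below (`init_level4_pgt` through `level2_kernel_pgt`) now lives in `.rodata`; the `addq %rbp` fixups in `startup_64` write these tables, and presumably later C code patches them too, so correctness depends on `.rodata` being writable until that point or on those writers opening the kernel explicitly, none of which is visible in this hunk. A short comment at the section switch, e.g. `/* initial page tables: read-only after rodata is sealed; earlier writers run before that or open the kernel explicitly */`, would document the assumption. Moving `#endif /* CONFIG_EARLY_PRINTK */` below the final `.previous` also repairs the unbalanced `.previous` of the `!CONFIG_EARLY_PRINTK` build, which deserves a mention in the changelog.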
13946 @@ -349,13 +350,36 @@ NEXT_PAGE(init_level4_pgt)
13947         .quad   level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13948         .org    init_level4_pgt + L4_PAGE_OFFSET*8, 0
13949         .quad   level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13950 +       .org    init_level4_pgt + L4_VMALLOC_START*8, 0
13951 +       .quad   level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
13952 +       .org    init_level4_pgt + L4_VMEMMAP_START*8, 0
13953 +       .quad   level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13954         .org    init_level4_pgt + L4_START_KERNEL*8, 0
13955         /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
13956         .quad   level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
13957  
13958 +#ifdef CONFIG_PAX_PER_CPU_PGD
13959 +NEXT_PAGE(cpu_pgd)
13960 +       .rept NR_CPUS
13961 +       .fill   512,8,0
13962 +       .endr
13963 +#endif
13964 +
13965  NEXT_PAGE(level3_ident_pgt)
13966         .quad   level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13967 +#ifdef CONFIG_XEN
13968         .fill   511,8,0
13969 +#else
13970 +       .quad   level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
13971 +       .fill   510,8,0
13972 +#endif
13973 +
13974 +NEXT_PAGE(level3_vmalloc_pgt)
13975 +       .fill   512,8,0
13976 +
13977 +NEXT_PAGE(level3_vmemmap_pgt)
13978 +       .fill   L3_VMEMMAP_START,8,0
13979 +       .quad   level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13980  
13981  NEXT_PAGE(level3_kernel_pgt)
13982         .fill   L3_START_KERNEL,8,0
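Review bot: Under `CONFIG_XEN`, `level3_ident_pgt` keeps the upstream single slot plus 511 zero entries, yet `level2_ident_pgt` in the following hunk is emitted at `2*PTRS_PER_PMD` entries for every configuration, so the second identity page is allocated but never linked on Xen. If that is deliberate (Xen handling the extra mapping itself, or the page being needed for layout), a comment on the `#ifdef CONFIG_XEN` saying so would help; otherwise the `PMDS` count should be made conditional as well. `level3_vmemmap_pgt` emits only `L3_VMEMMAP_START+1` entries and relies on the next `NEXT_PAGE`'s `.balign PAGE_SIZE` to zero the remainder, which matches the existing `level3_kernel_pgt` idiom but is worth a comment like `/* remaining entries zero-filled by the page alignment of the next table */`.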
13983 @@ -363,20 +387,23 @@ NEXT_PAGE(level3_kernel_pgt)
13984         .quad   level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
13985         .quad   level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13986  
13987 +NEXT_PAGE(level2_vmemmap_pgt)
13988 +       .fill   512,8,0
13989 +
13990  NEXT_PAGE(level2_fixmap_pgt)
13991 -       .fill   506,8,0
13992 -       .quad   level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13993 -       /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
13994 -       .fill   5,8,0
13995 +       .fill   507,8,0
13996 +       .quad   level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
13997 +       /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
13998 +       .fill   4,8,0
13999  
14000 -NEXT_PAGE(level1_fixmap_pgt)
14001 +NEXT_PAGE(level1_vsyscall_pgt)
14002         .fill   512,8,0
14003  
14004 -NEXT_PAGE(level2_ident_pgt)
14005 -       /* Since I easily can, map the first 1G.
14006 +       /* Since I easily can, map the first 2G.
14007          * Don't set NX because code runs from these pages.
14008          */
14009 -       PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
14010 +NEXT_PAGE(level2_ident_pgt)
14011 +       PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
14012  
14013  NEXT_PAGE(level2_kernel_pgt)
14014         /*
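Review bot: The vsyscall slot index `507` is a literal here (`.fill 507,8,0`) and again in the `startup_64` fixup hunk above (`level2_fixmap_pgt + (507*8)`), while the same commit introduces symbolic `L4_*`/`L3_*` indices via `pgd_index()`/`pud_index()`. If `pmd_index()` expands in assembly like the others, `L2_VSYSCALL_START = pmd_index(VSYSCALL_START)` next to those definitions and `.fill L2_VSYSCALL_START,8,0` here would remove both magic numbers and document why the slot moved from 506 (the old fixmap page) to 507 (presumably the PMD holding VSYSCALL_START). The updated comment `6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries` is consistent with the new trailing `.fill 4,8,0`.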
14015 @@ -389,33 +416,55 @@ NEXT_PAGE(level2_kernel_pgt)
14016          *  If you want to increase this then increase MODULES_VADDR
14017          *  too.)
14018          */
14019 -       PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
14020 -               KERNEL_IMAGE_SIZE/PMD_SIZE)
14021 -
14022 -NEXT_PAGE(level2_spare_pgt)
14023 -       .fill   512, 8, 0
14024 +       PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
14025  
14026  #undef PMDS
14027  #undef NEXT_PAGE
14028  
14029 -       .data
14030 +       .align PAGE_SIZE
14031 +ENTRY(cpu_gdt_table)
14032 +       .rept NR_CPUS
14033 +       .quad   0x0000000000000000      /* NULL descriptor */
14034 +       .quad   0x00cf9b000000ffff      /* __KERNEL32_CS */
14035 +       .quad   0x00af9b000000ffff      /* __KERNEL_CS */
14036 +       .quad   0x00cf93000000ffff      /* __KERNEL_DS */
14037 +       .quad   0x00cffb000000ffff      /* __USER32_CS */
14038 +       .quad   0x00cff3000000ffff      /* __USER_DS, __USER32_DS  */
14039 +       .quad   0x00affb000000ffff      /* __USER_CS */
14040 +
14041 +#ifdef CONFIG_PAX_KERNEXEC
14042 +       .quad   0x00af9b000000ffff      /* __KERNEXEC_KERNEL_CS */
14043 +#else
14044 +       .quad   0x0                     /* unused */
14045 +#endif
14046 +
14047 +       .quad   0,0                     /* TSS */
14048 +       .quad   0,0                     /* LDT */
14049 +       .quad   0,0,0                   /* three TLS descriptors */
14050 +       .quad   0x0000f40000000000      /* node/CPU stored in limit */
14051 +       /* asm/segment.h:GDT_ENTRIES must match this */
14052 +
14053 +       /* zero the remaining page */
14054 +       .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
14055 +       .endr
14056 +
14057         .align 16
14058         .globl early_gdt_descr
14059  early_gdt_descr:
14060         .word   GDT_ENTRIES*8-1
14061  early_gdt_descr_base:
14062 -       .quad   INIT_PER_CPU_VAR(gdt_page)
14063 +       .quad   cpu_gdt_table
14064  
14065  ENTRY(phys_base)
14066         /* This must match the first entry in level2_kernel_pgt */
14067         .quad   0x0000000000000000
14068  
14069  #include "../../x86/xen/xen-head.S"
14070 -       
14071 -       .section .bss, "aw", @nobits
14072 +
14073 +       .section .rodata,"a",@progbits
14074         .align L1_CACHE_BYTES
14075  ENTRY(idt_table)
14076 -       .skip IDT_ENTRIES * 16
14077 +       .fill 512,8,0
14078  
14079         __PAGE_ALIGNED_BSS
14080         .align PAGE_SIZE
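Review bot: `early_gdt_descr` and `early_gdt_descr_base` now sit in `.rodata` (the `.data` directive that preceded them is removed and the section set before `NEXT_PAGE` is `.rodata`), but upstream's SMP bring-up rewrites `early_gdt_descr_base` from C for each secondary CPU; that writer is not in this hunk, so it must either run while `.rodata` is still writable or open the kernel explicitly, and a comment at `early_gdt_descr_base:` should say which. `ENTRY(idt_table)` replaces `.skip IDT_ENTRIES * 16` with `.fill 512,8,0`, which is the same 4096 bytes only while `IDT_ENTRIES` is 256; `.fill IDT_ENTRIES*2,8,0` keeps the size tied to the constant (`.fill` caps its size argument at 8, hence doubling the count). The `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` pad would silently break the per-CPU page stride if the list above drifted from `GDT_ENTRIES`; a local label after `.rept NR_CPUS` and `.org 1b + PAGE_SIZE, 0` in place of the fill, the same `.org` idiom `init_level4_pgt` already uses, would fail loudly instead.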
14081 diff -urNp linux-3.1.1/arch/x86/kernel/i386_ksyms_32.c linux-3.1.1/arch/x86/kernel/i386_ksyms_32.c
14082 --- linux-3.1.1/arch/x86/kernel/i386_ksyms_32.c 2011-11-11 15:19:27.000000000 -0500
14083 +++ linux-3.1.1/arch/x86/kernel/i386_ksyms_32.c 2011-11-16 18:39:07.000000000 -0500
14084 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
14085  EXPORT_SYMBOL(cmpxchg8b_emu);
14086  #endif
14087  
14088 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
14089 +
14090  /* Networking helper routines. */
14091  EXPORT_SYMBOL(csum_partial_copy_generic);
14092 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
14093 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
14094  
14095  EXPORT_SYMBOL(__get_user_1);
14096  EXPORT_SYMBOL(__get_user_2);
14097 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
14098  
14099  EXPORT_SYMBOL(csum_partial);
14100  EXPORT_SYMBOL(empty_zero_page);
14101 +
14102 +#ifdef CONFIG_PAX_KERNEXEC
14103 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
14104 +#endif
14105 diff -urNp linux-3.1.1/arch/x86/kernel/i8259.c linux-3.1.1/arch/x86/kernel/i8259.c
14106 --- linux-3.1.1/arch/x86/kernel/i8259.c 2011-11-11 15:19:27.000000000 -0500
14107 +++ linux-3.1.1/arch/x86/kernel/i8259.c 2011-11-16 18:39:07.000000000 -0500
14108 @@ -210,7 +210,7 @@ spurious_8259A_irq:
14109                                "spurious 8259A interrupt: IRQ%d.\n", irq);
14110                         spurious_irq_mask |= irqmask;
14111                 }
14112 -               atomic_inc(&irq_err_count);
14113 +               atomic_inc_unchecked(&irq_err_count);
14114                 /*
14115                  * Theoretically we do not have to handle this IRQ,
14116                  * but in Linux this does not cause problems and is
14117 diff -urNp linux-3.1.1/arch/x86/kernel/init_task.c linux-3.1.1/arch/x86/kernel/init_task.c
14118 --- linux-3.1.1/arch/x86/kernel/init_task.c     2011-11-11 15:19:27.000000000 -0500
14119 +++ linux-3.1.1/arch/x86/kernel/init_task.c     2011-11-16 18:39:07.000000000 -0500
14120 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
14121   * way process stacks are handled. This is done by having a special
14122   * "init_task" linker map entry..
14123   */
14124 -union thread_union init_thread_union __init_task_data =
14125 -       { INIT_THREAD_INFO(init_task) };
14126 +union thread_union init_thread_union __init_task_data;
14127  
14128  /*
14129   * Initial task structure.
14130 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
14131   * section. Since TSS's are completely CPU-local, we want them
14132   * on exact cacheline boundaries, to eliminate cacheline ping-pong.
14133   */
14134 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
14135 -
14136 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
14137 +EXPORT_SYMBOL(init_tss);
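Review bot: Replacing the per-cpu `init_tss` with a static `struct tss_struct init_tss[NR_CPUS]` reserves `NR_CPUS` copies at link time regardless of how many CPUs exist; `struct tss_struct` carries the I/O permission bitmap (roughly 8K), so a distro-style `NR_CPUS` in the hundreds costs that many kilobytes of unswappable image on a machine with a handful of cores. If the fixed array is required (the TSS descriptors now live in static GDT pages in head_*.S, so a link-time address is presumably the motivation), that trade-off should be stated in the comment above. `____cacheline_internodealigned_in_smp` on the array aligns only its first element; elements beyond it are aligned only to whatever `sizeof(struct tss_struct)` happens to be, worth confirming against the "exact cacheline boundaries" comment kept above. The new `EXPORT_SYMBOL(init_tss)` is a non-GPL export where the removed lines had none; `EXPORT_SYMBOL_GPL` would match `cpu_gdt_table` in the i386_ksyms_32.c hunk of this commit.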
14138 diff -urNp linux-3.1.1/arch/x86/kernel/ioport.c linux-3.1.1/arch/x86/kernel/ioport.c
14139 --- linux-3.1.1/arch/x86/kernel/ioport.c        2011-11-11 15:19:27.000000000 -0500
14140 +++ linux-3.1.1/arch/x86/kernel/ioport.c        2011-11-16 18:40:08.000000000 -0500
14141 @@ -6,6 +6,7 @@
14142  #include <linux/sched.h>
14143  #include <linux/kernel.h>
14144  #include <linux/capability.h>
14145 +#include <linux/security.h>
14146  #include <linux/errno.h>
14147  #include <linux/types.h>
14148  #include <linux/ioport.h>
14149 @@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long
14150  
14151         if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
14152                 return -EINVAL;
14153 +#ifdef CONFIG_GRKERNSEC_IO
14154 +       if (turn_on && grsec_disable_privio) {
14155 +               gr_handle_ioperm();
14156 +               return -EPERM;
14157 +       }
14158 +#endif
14159         if (turn_on && !capable(CAP_SYS_RAWIO))
14160                 return -EPERM;
14161  
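Review bot: The new `grsec_disable_privio` check in `sys_ioperm` runs before `capable(CAP_SYS_RAWIO)`, so `gr_handle_ioperm()` fires for every unprivileged caller as well as for root, and an unprivileged process can drive that path in a loop; whether it is rate-limited is not visible here. Testing the capability first (`if (turn_on && !capable(CAP_SYS_RAWIO)) return -EPERM;` ahead of the `#ifdef` block, the return value being `-EPERM` either way) would reserve the audit event for attempts that would otherwise have succeeded, unless logging unprivileged attempts is the intent, in which case a comment should say so. Gating only on `turn_on` is correct, since clearing bitmap bits never grants access. The same ordering question applies to the `sys_iopl` hunk below.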
14162 @@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long
14163          * because the ->io_bitmap_max value must match the bitmap
14164          * contents:
14165          */
14166 -       tss = &per_cpu(init_tss, get_cpu());
14167 +       tss = init_tss + get_cpu();
14168  
14169         if (turn_on)
14170                 bitmap_clear(t->io_bitmap_ptr, from, num);
14171 @@ -102,6 +109,12 @@ long sys_iopl(unsigned int level, struct
14172                 return -EINVAL;
14173         /* Trying to gain more privileges? */
14174         if (level > old) {
14175 +#ifdef CONFIG_GRKERNSEC_IO
14176 +               if (grsec_disable_privio) {
14177 +                       gr_handle_iopl();
14178 +                       return -EPERM;
14179 +               }
14180 +#endif
14181                 if (!capable(CAP_SYS_RAWIO))
14182                         return -EPERM;
14183         }
14184 diff -urNp linux-3.1.1/arch/x86/kernel/irq_32.c linux-3.1.1/arch/x86/kernel/irq_32.c
14185 --- linux-3.1.1/arch/x86/kernel/irq_32.c        2011-11-11 15:19:27.000000000 -0500
14186 +++ linux-3.1.1/arch/x86/kernel/irq_32.c        2011-11-16 18:39:07.000000000 -0500
14187 @@ -36,7 +36,7 @@ static int check_stack_overflow(void)
14188         __asm__ __volatile__("andl %%esp,%0" :
14189                              "=r" (sp) : "0" (THREAD_SIZE - 1));
14190  
14191 -       return sp < (sizeof(struct thread_info) + STACK_WARN);
14192 +       return sp < STACK_WARN;
14193  }
14194  
14195  static void print_stack_overflow(void)
14196 @@ -54,8 +54,8 @@ static inline void print_stack_overflow(
14197   * per-CPU IRQ handling contexts (thread information and stack)
14198   */
14199  union irq_ctx {
14200 -       struct thread_info      tinfo;
14201 -       u32                     stack[THREAD_SIZE/sizeof(u32)];
14202 +       unsigned long           previous_esp;
14203 +       u32                     stack[THREAD_SIZE/sizeof(u32)];
14204  } __attribute__((aligned(THREAD_SIZE)));
14205  
14206  static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
14207 @@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
14208  static inline int
14209  execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
14210  {
14211 -       union irq_ctx *curctx, *irqctx;
14212 +       union irq_ctx *irqctx;
14213         u32 *isp, arg1, arg2;
14214  
14215 -       curctx = (union irq_ctx *) current_thread_info();
14216         irqctx = __this_cpu_read(hardirq_ctx);
14217  
14218         /*
14219 @@ -87,21 +86,16 @@ execute_on_irq_stack(int overflow, struc
14220          * handler) we can't do that and just have to keep using the
14221          * current stack (which is the irq stack already after all)
14222          */
14223 -       if (unlikely(curctx == irqctx))
14224 +       if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
14225                 return 0;
14226  
14227         /* build the stack frame on the IRQ stack */
14228 -       isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14229 -       irqctx->tinfo.task = curctx->tinfo.task;
14230 -       irqctx->tinfo.previous_esp = current_stack_pointer;
14231 +       isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14232 +       irqctx->previous_esp = current_stack_pointer;
14233  
14234 -       /*
14235 -        * Copy the softirq bits in preempt_count so that the
14236 -        * softirq checks work in the hardirq context.
14237 -        */
14238 -       irqctx->tinfo.preempt_count =
14239 -               (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
14240 -               (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
14241 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14242 +       __set_fs(MAKE_MM_SEG(0));
14243 +#endif
14244  
14245         if (unlikely(overflow))
14246                 call_on_stack(print_stack_overflow, isp);
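Review bot: The replacement nesting test `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` is correct only by way of two implicit rules: arithmetic on `void *` is a GNU extension, and the signed `ptrdiff_t` result is converted to unsigned for the comparison (assuming `THREAD_SIZE` is an `unsigned long` expression) so a stack below `irqctx` yields a huge value rather than a negative one. Writing it as `if (unlikely((unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))` makes the wrap-around the visible intent. Separately, the `__set_fs(MAKE_MM_SEG(0))` is under `CONFIG_PAX_MEMORY_UDEREF`, while the removed `irq_ctx_init` code in the hunk below set `addr_limit = MAKE_MM_SEG(0)` for the IRQ context unconditionally; without UDEREF the interrupted task's limit now stays in force for the handler, which, if intended, is worth a comment. `execute_on_irq_stack` continues past the end of the hunk.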
14247 @@ -113,6 +107,11 @@ execute_on_irq_stack(int overflow, struc
14248                      :  "0" (irq),   "1" (desc),  "2" (isp),
14249                         "D" (desc->handle_irq)
14250                      : "memory", "cc", "ecx");
14251 +
14252 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14253 +       __set_fs(current_thread_info()->addr_limit);
14254 +#endif
14255 +
14256         return 1;
14257  }
14258  
14259 @@ -121,29 +120,11 @@ execute_on_irq_stack(int overflow, struc
14260   */
14261  void __cpuinit irq_ctx_init(int cpu)
14262  {
14263 -       union irq_ctx *irqctx;
14264 -
14265         if (per_cpu(hardirq_ctx, cpu))
14266                 return;
14267  
14268 -       irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
14269 -                                              THREAD_FLAGS,
14270 -                                              THREAD_ORDER));
14271 -       memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
14272 -       irqctx->tinfo.cpu               = cpu;
14273 -       irqctx->tinfo.preempt_count     = HARDIRQ_OFFSET;
14274 -       irqctx->tinfo.addr_limit        = MAKE_MM_SEG(0);
14275 -
14276 -       per_cpu(hardirq_ctx, cpu) = irqctx;
14277 -
14278 -       irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
14279 -                                              THREAD_FLAGS,
14280 -                                              THREAD_ORDER));
14281 -       memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
14282 -       irqctx->tinfo.cpu               = cpu;
14283 -       irqctx->tinfo.addr_limit        = MAKE_MM_SEG(0);
14284 -
14285 -       per_cpu(softirq_ctx, cpu) = irqctx;
14286 +       per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
14287 +       per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
14288  
14289         printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
14290                cpu, per_cpu(hardirq_ctx, cpu),  per_cpu(softirq_ctx, cpu));
14291 @@ -152,7 +133,6 @@ void __cpuinit irq_ctx_init(int cpu)
14292  asmlinkage void do_softirq(void)
14293  {
14294         unsigned long flags;
14295 -       struct thread_info *curctx;
14296         union irq_ctx *irqctx;
14297         u32 *isp;
14298  
14299 @@ -162,15 +142,22 @@ asmlinkage void do_softirq(void)
14300         local_irq_save(flags);
14301  
14302         if (local_softirq_pending()) {
14303 -               curctx = current_thread_info();
14304                 irqctx = __this_cpu_read(softirq_ctx);
14305 -               irqctx->tinfo.task = curctx->task;
14306 -               irqctx->tinfo.previous_esp = current_stack_pointer;
14307 +               irqctx->previous_esp = current_stack_pointer;
14308  
14309                 /* build the stack frame on the softirq stack */
14310 -               isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14311 +               isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14312 +
14313 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14314 +               __set_fs(MAKE_MM_SEG(0));
14315 +#endif
14316  
14317                 call_on_stack(__do_softirq, isp);
14318 +
14319 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14320 +               __set_fs(current_thread_info()->addr_limit);
14321 +#endif
14322 +
14323                 /*
14324                  * Shouldn't happen, we returned above if in_interrupt():
14325                  */
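Review bot: `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);` repeats the literal 8 already used in `execute_on_irq_stack` above and in head_32.S's `init_thread_union+THREAD_SIZE-8`, with nothing saying what the reserved top-of-stack bytes are for. A single named constant defined next to `THREAD_SIZE`, e.g. `#define STACK_TOP_RESERVED 8 /* bytes kept free at the top of every kernel stack */`, used in all three places would keep the layouts from drifting apart and give the reservation a documented purpose. The `__set_fs` pair around `call_on_stack(__do_softirq, isp)` mirrors the hardirq path, which is good for consistency.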
14326 diff -urNp linux-3.1.1/arch/x86/kernel/irq.c linux-3.1.1/arch/x86/kernel/irq.c
14327 --- linux-3.1.1/arch/x86/kernel/irq.c   2011-11-11 15:19:27.000000000 -0500
14328 +++ linux-3.1.1/arch/x86/kernel/irq.c   2011-11-16 18:39:07.000000000 -0500
14329 @@ -17,7 +17,7 @@
14330  #include <asm/mce.h>
14331  #include <asm/hw_irq.h>
14332  
14333 -atomic_t irq_err_count;
14334 +atomic_unchecked_t irq_err_count;
14335  
14336  /* Function pointer for generic interrupt vector handling */
14337  void (*x86_platform_ipi_callback)(void) = NULL;
14338 @@ -116,9 +116,9 @@ int arch_show_interrupts(struct seq_file
14339                 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
14340         seq_printf(p, "  Machine check polls\n");
14341  #endif
14342 -       seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
14343 +       seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
14344  #if defined(CONFIG_X86_IO_APIC)
14345 -       seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
14346 +       seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
14347  #endif
14348         return 0;
14349  }
14350 @@ -158,10 +158,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
14351  
14352  u64 arch_irq_stat(void)
14353  {
14354 -       u64 sum = atomic_read(&irq_err_count);
14355 +       u64 sum = atomic_read_unchecked(&irq_err_count);
14356  
14357  #ifdef CONFIG_X86_IO_APIC
14358 -       sum += atomic_read(&irq_mis_count);
14359 +       sum += atomic_read_unchecked(&irq_mis_count);
14360  #endif
14361         return sum;
14362  }
14363 diff -urNp linux-3.1.1/arch/x86/kernel/kgdb.c linux-3.1.1/arch/x86/kernel/kgdb.c
14364 --- linux-3.1.1/arch/x86/kernel/kgdb.c  2011-11-11 15:19:27.000000000 -0500
14365 +++ linux-3.1.1/arch/x86/kernel/kgdb.c  2011-11-16 18:39:07.000000000 -0500
14366 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem, 
14367  #ifdef CONFIG_X86_32
14368         switch (regno) {
14369         case GDB_SS:
14370 -               if (!user_mode_vm(regs))
14371 +               if (!user_mode(regs))
14372                         *(unsigned long *)mem = __KERNEL_DS;
14373                 break;
14374         case GDB_SP:
14375 -               if (!user_mode_vm(regs))
14376 +               if (!user_mode(regs))
14377                         *(unsigned long *)mem = kernel_stack_pointer(regs);
14378                 break;
14379         case GDB_GS:
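Review bot: `user_mode_vm(regs)` is replaced by `user_mode(regs)` in the `GDB_SS` and `GDB_SP` cases; upstream's `user_mode_vm()` also treats a VM86 frame (`X86_VM_MASK` set in `regs->flags`, where `cs` need not carry RPL 3) as user mode, so unless this patch redefines `user_mode()` in ptrace.h to include that check (not visible here), kgdb would report `__KERNEL_DS` and the kernel stack pointer for a VM86 task. If the helper was changed elsewhere, a note in the commit message would save the next reviewer the search; if not, keep `user_mode_vm()` here.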
14380 @@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec
14381         case 'k':
14382                 /* clear the trace bit */
14383                 linux_regs->flags &= ~X86_EFLAGS_TF;
14384 -               atomic_set(&kgdb_cpu_doing_single_step, -1);
14385 +               atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
14386  
14387                 /* set the trace bit if we're stepping */
14388                 if (remcomInBuffer[0] == 's') {
14389                         linux_regs->flags |= X86_EFLAGS_TF;
14390 -                       atomic_set(&kgdb_cpu_doing_single_step,
14391 +                       atomic_set_unchecked(&kgdb_cpu_doing_single_step,
14392                                    raw_smp_processor_id());
14393                 }
14394  
14395 @@ -534,7 +534,7 @@ static int __kgdb_notify(struct die_args
14396                 return NOTIFY_DONE;
14397  
14398         case DIE_DEBUG:
14399 -               if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
14400 +               if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
14401                         if (user_mode(regs))
14402                                 return single_step_cont(regs, args);
14403                         break;
14404 diff -urNp linux-3.1.1/arch/x86/kernel/kprobes.c linux-3.1.1/arch/x86/kernel/kprobes.c
14405 --- linux-3.1.1/arch/x86/kernel/kprobes.c       2011-11-11 15:19:27.000000000 -0500
14406 +++ linux-3.1.1/arch/x86/kernel/kprobes.c       2011-11-16 18:39:07.000000000 -0500
14407 @@ -117,8 +117,11 @@ static void __kprobes __synthesize_relat
14408         } __attribute__((packed)) *insn;
14409  
14410         insn = (struct __arch_relative_insn *)from;
14411 +
14412 +       pax_open_kernel();
14413         insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
14414         insn->op = op;
14415 +       pax_close_kernel();
14416  }
14417  
14418  /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
14419 @@ -155,7 +158,7 @@ static int __kprobes can_boost(kprobe_op
14420         kprobe_opcode_t opcode;
14421         kprobe_opcode_t *orig_opcodes = opcodes;
14422  
14423 -       if (search_exception_tables((unsigned long)opcodes))
14424 +       if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
14425                 return 0;       /* Page fault may occur on this address. */
14426  
14427  retry:
14428 @@ -316,7 +319,9 @@ static int __kprobes __copy_instruction(
14429                 }
14430         }
14431         insn_get_length(&insn);
14432 +       pax_open_kernel();
14433         memcpy(dest, insn.kaddr, insn.length);
14434 +       pax_close_kernel();
14435  
14436  #ifdef CONFIG_X86_64
14437         if (insn_rip_relative(&insn)) {
14438 @@ -340,7 +345,9 @@ static int __kprobes __copy_instruction(
14439                           (u8 *) dest;
14440                 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check.  */
14441                 disp = (u8 *) dest + insn_offset_displacement(&insn);
14442 +               pax_open_kernel();
14443                 *(s32 *) disp = (s32) newdisp;
14444 +               pax_close_kernel();
14445         }
14446  #endif
14447         return insn.length;
14448 @@ -354,12 +361,12 @@ static void __kprobes arch_copy_kprobe(s
14449          */
14450         __copy_instruction(p->ainsn.insn, p->addr, 0);
14451  
14452 -       if (can_boost(p->addr))
14453 +       if (can_boost(ktla_ktva(p->addr)))
14454                 p->ainsn.boostable = 0;
14455         else
14456                 p->ainsn.boostable = -1;
14457  
14458 -       p->opcode = *p->addr;
14459 +       p->opcode = *(ktla_ktva(p->addr));
14460  }
14461  
14462  int __kprobes arch_prepare_kprobe(struct kprobe *p)
14463 @@ -476,7 +483,7 @@ static void __kprobes setup_singlestep(s
14464                  * nor set current_kprobe, because it doesn't use single
14465                  * stepping.
14466                  */
14467 -               regs->ip = (unsigned long)p->ainsn.insn;
14468 +               regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14469                 preempt_enable_no_resched();
14470                 return;
14471         }
14472 @@ -495,7 +502,7 @@ static void __kprobes setup_singlestep(s
14473         if (p->opcode == BREAKPOINT_INSTRUCTION)
14474                 regs->ip = (unsigned long)p->addr;
14475         else
14476 -               regs->ip = (unsigned long)p->ainsn.insn;
14477 +               regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14478  }
14479  
14480  /*
14481 @@ -574,7 +581,7 @@ static int __kprobes kprobe_handler(stru
14482                                 setup_singlestep(p, regs, kcb, 0);
14483                         return 1;
14484                 }
14485 -       } else if (*addr != BREAKPOINT_INSTRUCTION) {
14486 +       } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
14487                 /*
14488                  * The breakpoint instruction was removed right
14489                  * after we hit it.  Another cpu has removed
14490 @@ -682,6 +689,9 @@ static void __used __kprobes kretprobe_t
14491                         "       movq %rax, 152(%rsp)\n"
14492                         RESTORE_REGS_STRING
14493                         "       popfq\n"
14494 +#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
14495 +                       "       btsq $63,(%rsp)\n"
14496 +#endif
14497  #else
14498                         "       pushf\n"
14499                         SAVE_REGS_STRING
14500 @@ -819,7 +829,7 @@ static void __kprobes resume_execution(s
14501                 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
14502  {
14503         unsigned long *tos = stack_addr(regs);
14504 -       unsigned long copy_ip = (unsigned long)p->ainsn.insn;
14505 +       unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
14506         unsigned long orig_ip = (unsigned long)p->addr;
14507         kprobe_opcode_t *insn = p->ainsn.insn;
14508  
14509 @@ -1001,7 +1011,7 @@ int __kprobes kprobe_exceptions_notify(s
14510         struct die_args *args = data;
14511         int ret = NOTIFY_DONE;
14512  
14513 -       if (args->regs && user_mode_vm(args->regs))
14514 +       if (args->regs && user_mode(args->regs))
14515                 return ret;
14516  
14517         switch (val) {
14518 @@ -1383,7 +1393,7 @@ int __kprobes arch_prepare_optimized_kpr
14519          * Verify if the address gap is in 2GB range, because this uses
14520          * a relative jump.
14521          */
14522 -       rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
14523 +       rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
14524         if (abs(rel) > 0x7fffffff)
14525                 return -ERANGE;
14526  
14527 @@ -1404,11 +1414,11 @@ int __kprobes arch_prepare_optimized_kpr
14528         synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
14529  
14530         /* Set probe function call */
14531 -       synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
14532 +       synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
14533  
14534         /* Set returning jmp instruction at the tail of out-of-line buffer */
14535         synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
14536 -                          (u8 *)op->kp.addr + op->optinsn.size);
14537 +                          (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
14538  
14539         flush_icache_range((unsigned long) buf,
14540                            (unsigned long) buf + TMPL_END_IDX +
14541 @@ -1430,7 +1440,7 @@ static void __kprobes setup_optimize_kpr
14542                         ((long)op->kp.addr + RELATIVEJUMP_SIZE));
14543  
14544         /* Backup instructions which will be replaced by jump address */
14545 -       memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
14546 +       memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
14547                RELATIVE_ADDR_SIZE);
14548  
14549         insn_buf[0] = RELATIVEJUMP_OPCODE;
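Review bot: The `btsq $63,(%rsp)` added to the kretprobe_trampoline inline asm under CONFIG_PAX_KERNEXEC_PLUGIN has no comment explaining why bit 63 of the value at the top of the stack is set right after `popfq`. Presumably that value is the original return address the trampoline is about to `ret` to and the plugin stores kernel addresses with the top bit cleared, so this restores the canonical form; that should be said inline, e.g. `/* KERNEXEC plugin: restore bit 63 of the return address before returning to it */` (wording to be confirmed against the plugin). The trampoline function begins and ends outside this hunk.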
14550 diff -urNp linux-3.1.1/arch/x86/kernel/kvm.c linux-3.1.1/arch/x86/kernel/kvm.c
14551 --- linux-3.1.1/arch/x86/kernel/kvm.c   2011-11-11 15:19:27.000000000 -0500
14552 +++ linux-3.1.1/arch/x86/kernel/kvm.c   2011-11-16 18:39:07.000000000 -0500
14553 @@ -437,6 +437,7 @@ static void __init paravirt_ops_setup(vo
14554                 pv_mmu_ops.set_pud = kvm_set_pud;
14555  #if PAGETABLE_LEVELS == 4
14556                 pv_mmu_ops.set_pgd = kvm_set_pgd;
14557 +               pv_mmu_ops.set_pgd_batched = kvm_set_pgd;
14558  #endif
14559  #endif
14560                 pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
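Review bot: `pv_mmu_ops.set_pgd_batched = kvm_set_pgd;` is a plain store into `pv_mmu_ops`, which the paravirt.c hunks of this same patch mark `__read_only` (as paravirt-spinlocks.c does for `pv_lock_ops`). That is only safe if `__read_only` data remains writable for the whole of early boot (paravirt_ops_setup is `__init`) or if writers are expected to go through `pax_open_kernel()`; whichever is intended, a comment at the `__read_only` definitions stating the contract, e.g. `/* __read_only: assign only during early init or under pax_open_kernel() */`, would keep later backends from adding post-init writes. Other paravirt backends that assign into these structs at runtime are not visible here and would need the same review.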
14561 diff -urNp linux-3.1.1/arch/x86/kernel/ldt.c linux-3.1.1/arch/x86/kernel/ldt.c
14562 --- linux-3.1.1/arch/x86/kernel/ldt.c   2011-11-11 15:19:27.000000000 -0500
14563 +++ linux-3.1.1/arch/x86/kernel/ldt.c   2011-11-16 18:39:07.000000000 -0500
14564 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
14565         if (reload) {
14566  #ifdef CONFIG_SMP
14567                 preempt_disable();
14568 -               load_LDT(pc);
14569 +               load_LDT_nolock(pc);
14570                 if (!cpumask_equal(mm_cpumask(current->mm),
14571                                    cpumask_of(smp_processor_id())))
14572                         smp_call_function(flush_ldt, current->mm, 1);
14573                 preempt_enable();
14574  #else
14575 -               load_LDT(pc);
14576 +               load_LDT_nolock(pc);
14577  #endif
14578         }
14579         if (oldsize) {
14580 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t 
14581                 return err;
14582  
14583         for (i = 0; i < old->size; i++)
14584 -               write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
14585 +               write_ldt_entry(new->ldt, i, old->ldt + i);
14586         return 0;
14587  }
14588  
14589 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct 
14590                 retval = copy_ldt(&mm->context, &old_mm->context);
14591                 mutex_unlock(&old_mm->context.lock);
14592         }
14593 +
14594 +       if (tsk == current) {
14595 +               mm->context.vdso = 0;
14596 +
14597 +#ifdef CONFIG_X86_32
14598 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14599 +               mm->context.user_cs_base = 0UL;
14600 +               mm->context.user_cs_limit = ~0UL;
14601 +
14602 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
14603 +               cpus_clear(mm->context.cpu_user_cs_mask);
14604 +#endif
14605 +
14606 +#endif
14607 +#endif
14608 +
14609 +       }
14610 +
14611         return retval;
14612  }
14613  
14614 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
14615                 }
14616         }
14617  
14618 +#ifdef CONFIG_PAX_SEGMEXEC
14619 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
14620 +               error = -EINVAL;
14621 +               goto out_unlock;
14622 +       }
14623 +#endif
14624 +
14625         fill_ldt(&ldt, &ldt_info);
14626         if (oldmode)
14627                 ldt.avl = 0;
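Review bot: `write_ldt_entry(new->ldt, i, old->ldt + i)` in copy_ldt drops the `* LDT_ENTRY_SIZE` scaling, which is correct only if `mm_context_t.ldt` is now a typed `struct desc_struct *` rather than mainline's `void *`; that type change is not in this hunk, so it should be confirmed against the mmu.h part of the patch (with `void *` the loop would copy byte-shifted, overlapping garbage). The new SEGMEXEC check in write_ldt rejects `MODIFY_LDT_CONTENTS_CODE` descriptors with -EINVAL before `fill_ldt`, which is the right place, but deserves a one-line why-comment, e.g. `/* SEGMEXEC: user-supplied code descriptors would undermine the segment-based exec split */` (wording to be confirmed). copy_ldt and write_ldt both extend outside their hunks.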
14628 diff -urNp linux-3.1.1/arch/x86/kernel/machine_kexec_32.c linux-3.1.1/arch/x86/kernel/machine_kexec_32.c
14629 --- linux-3.1.1/arch/x86/kernel/machine_kexec_32.c      2011-11-11 15:19:27.000000000 -0500
14630 +++ linux-3.1.1/arch/x86/kernel/machine_kexec_32.c      2011-11-16 18:39:07.000000000 -0500
14631 @@ -27,7 +27,7 @@
14632  #include <asm/cacheflush.h>
14633  #include <asm/debugreg.h>
14634  
14635 -static void set_idt(void *newidt, __u16 limit)
14636 +static void set_idt(struct desc_struct *newidt, __u16 limit)
14637  {
14638         struct desc_ptr curidt;
14639  
14640 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16 
14641  }
14642  
14643  
14644 -static void set_gdt(void *newgdt, __u16 limit)
14645 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
14646  {
14647         struct desc_ptr curgdt;
14648  
14649 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
14650         }
14651  
14652         control_page = page_address(image->control_code_page);
14653 -       memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
14654 +       memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
14655  
14656         relocate_kernel_ptr = control_page;
14657         page_list[PA_CONTROL_PAGE] = __pa(control_page);
14658 diff -urNp linux-3.1.1/arch/x86/kernel/microcode_intel.c linux-3.1.1/arch/x86/kernel/microcode_intel.c
14659 --- linux-3.1.1/arch/x86/kernel/microcode_intel.c       2011-11-11 15:19:27.000000000 -0500
14660 +++ linux-3.1.1/arch/x86/kernel/microcode_intel.c       2011-11-16 18:39:07.000000000 -0500
14661 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
14662  
14663  static int get_ucode_user(void *to, const void *from, size_t n)
14664  {
14665 -       return copy_from_user(to, from, n);
14666 +       return copy_from_user(to, (const void __force_user *)from, n);
14667  }
14668  
14669  static enum ucode_state
14670  request_microcode_user(int cpu, const void __user *buf, size_t size)
14671  {
14672 -       return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
14673 +       return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
14674  }
14675  
14676  static void microcode_fini_cpu(int cpu)
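Review bot: The `__force_user`/`__force_kernel` casts in get_ucode_user and request_microcode_user annotate, but do not remove, the address-space pun by which a `__user` buffer is passed through generic_load_microcode's kernel-pointer callback argument and recovered inside the callback. A comment on get_ucode_user should state that `from` is always the user buffer handed in by request_microcode_user, e.g. `/* 'from' is the __user buffer smuggled through generic_load_microcode's void * callback argument */`, so nobody reuses this callback with a genuine kernel pointer (exactly the user/kernel pointer confusion UDEREF-style checks are meant to catch). Whether generic_load_microcode ever dereferences the pointer itself is not visible here.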
14677 diff -urNp linux-3.1.1/arch/x86/kernel/module.c linux-3.1.1/arch/x86/kernel/module.c
14678 --- linux-3.1.1/arch/x86/kernel/module.c        2011-11-11 15:19:27.000000000 -0500
14679 +++ linux-3.1.1/arch/x86/kernel/module.c        2011-11-16 18:39:07.000000000 -0500
14680 @@ -36,15 +36,60 @@
14681  #define DEBUGP(fmt...)
14682  #endif
14683  
14684 -void *module_alloc(unsigned long size)
14685 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
14686  {
14687         if (PAGE_ALIGN(size) > MODULES_LEN)
14688                 return NULL;
14689         return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
14690 -                               GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
14691 +                               GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
14692                                 -1, __builtin_return_address(0));
14693  }
14694  
14695 +void *module_alloc(unsigned long size)
14696 +{
14697 +
14698 +#ifdef CONFIG_PAX_KERNEXEC
14699 +       return __module_alloc(size, PAGE_KERNEL);
14700 +#else
14701 +       return __module_alloc(size, PAGE_KERNEL_EXEC);
14702 +#endif
14703 +
14704 +}
14705 +
14706 +#ifdef CONFIG_PAX_KERNEXEC
14707 +#ifdef CONFIG_X86_32
14708 +void *module_alloc_exec(unsigned long size)
14709 +{
14710 +       struct vm_struct *area;
14711 +
14712 +       if (size == 0)
14713 +               return NULL;
14714 +
14715 +       area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
14716 +       return area ? area->addr : NULL;
14717 +}
14718 +EXPORT_SYMBOL(module_alloc_exec);
14719 +
14720 +void module_free_exec(struct module *mod, void *module_region)
14721 +{
14722 +       vunmap(module_region);
14723 +}
14724 +EXPORT_SYMBOL(module_free_exec);
14725 +#else
14726 +void module_free_exec(struct module *mod, void *module_region)
14727 +{
14728 +       module_free(mod, module_region);
14729 +}
14730 +EXPORT_SYMBOL(module_free_exec);
14731 +
14732 +void *module_alloc_exec(unsigned long size)
14733 +{
14734 +       return __module_alloc(size, PAGE_KERNEL_RX);
14735 +}
14736 +EXPORT_SYMBOL(module_alloc_exec);
14737 +#endif
14738 +#endif
14739 +
14740  #ifdef CONFIG_X86_32
14741  int apply_relocate(Elf32_Shdr *sechdrs,
14742                    const char *strtab,
14743 @@ -55,14 +100,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
14744         unsigned int i;
14745         Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
14746         Elf32_Sym *sym;
14747 -       uint32_t *location;
14748 +       uint32_t *plocation, location;
14749  
14750         DEBUGP("Applying relocate section %u to %u\n", relsec,
14751                sechdrs[relsec].sh_info);
14752         for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
14753                 /* This is where to make the change */
14754 -               location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
14755 -                       + rel[i].r_offset;
14756 +               plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
14757 +               location = (uint32_t)plocation;
14758 +               if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
14759 +                       plocation = ktla_ktva((void *)plocation);
14760                 /* This is the symbol it is referring to.  Note that all
14761                    undefined symbols have been resolved.  */
14762                 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
14763 @@ -71,11 +118,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
14764                 switch (ELF32_R_TYPE(rel[i].r_info)) {
14765                 case R_386_32:
14766                         /* We add the value into the location given */
14767 -                       *location += sym->st_value;
14768 +                       pax_open_kernel();
14769 +                       *plocation += sym->st_value;
14770 +                       pax_close_kernel();
14771                         break;
14772                 case R_386_PC32:
14773                         /* Add the value, subtract its postition */
14774 -                       *location += sym->st_value - (uint32_t)location;
14775 +                       pax_open_kernel();
14776 +                       *plocation += sym->st_value - location;
14777 +                       pax_close_kernel();
14778                         break;
14779                 default:
14780                         printk(KERN_ERR "module %s: Unknown relocation: %u\n",
14781 @@ -120,21 +171,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
14782                 case R_X86_64_NONE:
14783                         break;
14784                 case R_X86_64_64:
14785 +                       pax_open_kernel();
14786                         *(u64 *)loc = val;
14787 +                       pax_close_kernel();
14788                         break;
14789                 case R_X86_64_32:
14790 +                       pax_open_kernel();
14791                         *(u32 *)loc = val;
14792 +                       pax_close_kernel();
14793                         if (val != *(u32 *)loc)
14794                                 goto overflow;
14795                         break;
14796                 case R_X86_64_32S:
14797 +                       pax_open_kernel();
14798                         *(s32 *)loc = val;
14799 +                       pax_close_kernel();
14800                         if ((s64)val != *(s32 *)loc)
14801                                 goto overflow;
14802                         break;
14803                 case R_X86_64_PC32:
14804                         val -= (u64)loc;
14805 +                       pax_open_kernel();
14806                         *(u32 *)loc = val;
14807 +                       pax_close_kernel();
14808 +
14809  #if 0
14810                         if ((s64)val != *(s32 *)loc)
14811                                 goto overflow;
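Review bot: In apply_relocate (x86-32) the R_386_PC32 case now subtracts `location`, which is captured from `plocation` before `plocation` is redirected through `ktla_ktva()` for `SHF_EXECINSTR` sections, so the displacement is computed against the original address while the store goes through the alias; that ordering is load-bearing and deserves a comment at the capture, e.g. `/* keep the pre-ktla_ktva address: PC-relative fixups are relative to the address the code runs at, not to the writable alias */` (the execution-address part to be confirmed against the macro). The combined declaration `uint32_t *plocation, location;` puts a pointer and an integer on one line and is easy to misread; split it into two declarations. In module_alloc the blank lines inside the `#ifdef` body are noise. apply_relocate and apply_relocate_add both extend outside their hunks.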
14812 diff -urNp linux-3.1.1/arch/x86/kernel/paravirt.c linux-3.1.1/arch/x86/kernel/paravirt.c
14813 --- linux-3.1.1/arch/x86/kernel/paravirt.c      2011-11-11 15:19:27.000000000 -0500
14814 +++ linux-3.1.1/arch/x86/kernel/paravirt.c      2011-11-16 18:40:08.000000000 -0500
14815 @@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
14816  {
14817         return x;
14818  }
14819 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
14820 +PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
14821 +#endif
14822  
14823  void __init default_banner(void)
14824  {
14825 @@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu
14826   * corresponding structure. */
14827  static void *get_call_destination(u8 type)
14828  {
14829 -       struct paravirt_patch_template tmpl = {
14830 +       const struct paravirt_patch_template tmpl = {
14831                 .pv_init_ops = pv_init_ops,
14832                 .pv_time_ops = pv_time_ops,
14833                 .pv_cpu_ops = pv_cpu_ops,
14834 @@ -133,6 +136,9 @@ static void *get_call_destination(u8 typ
14835                 .pv_lock_ops = pv_lock_ops,
14836  #endif
14837         };
14838 +
14839 +       pax_track_stack();
14840 +
14841         return *((void **)&tmpl + type);
14842  }
14843  
14844 @@ -145,15 +151,19 @@ unsigned paravirt_patch_default(u8 type,
14845         if (opfunc == NULL)
14846                 /* If there's no function, patch it with a ud2a (BUG) */
14847                 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
14848 -       else if (opfunc == _paravirt_nop)
14849 +       else if (opfunc == (void *)_paravirt_nop)
14850                 /* If the operation is a nop, then nop the callsite */
14851                 ret = paravirt_patch_nop();
14852  
14853         /* identity functions just return their single argument */
14854 -       else if (opfunc == _paravirt_ident_32)
14855 +       else if (opfunc == (void *)_paravirt_ident_32)
14856                 ret = paravirt_patch_ident_32(insnbuf, len);
14857 -       else if (opfunc == _paravirt_ident_64)
14858 +       else if (opfunc == (void *)_paravirt_ident_64)
14859                 ret = paravirt_patch_ident_64(insnbuf, len);
14860 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
14861 +       else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
14862 +               ret = paravirt_patch_ident_64(insnbuf, len);
14863 +#endif
14864  
14865         else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
14866                  type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
14867 @@ -178,7 +188,7 @@ unsigned paravirt_patch_insns(void *insn
14868         if (insn_len > len || start == NULL)
14869                 insn_len = len;
14870         else
14871 -               memcpy(insnbuf, start, insn_len);
14872 +               memcpy(insnbuf, ktla_ktva(start), insn_len);
14873  
14874         return insn_len;
14875  }
14876 @@ -302,7 +312,7 @@ void arch_flush_lazy_mmu_mode(void)
14877         preempt_enable();
14878  }
14879  
14880 -struct pv_info pv_info = {
14881 +struct pv_info pv_info __read_only = {
14882         .name = "bare hardware",
14883         .paravirt_enabled = 0,
14884         .kernel_rpl = 0,
14885 @@ -313,16 +323,16 @@ struct pv_info pv_info = {
14886  #endif
14887  };
14888  
14889 -struct pv_init_ops pv_init_ops = {
14890 +struct pv_init_ops pv_init_ops __read_only = {
14891         .patch = native_patch,
14892  };
14893  
14894 -struct pv_time_ops pv_time_ops = {
14895 +struct pv_time_ops pv_time_ops __read_only = {
14896         .sched_clock = native_sched_clock,
14897         .steal_clock = native_steal_clock,
14898  };
14899  
14900 -struct pv_irq_ops pv_irq_ops = {
14901 +struct pv_irq_ops pv_irq_ops __read_only = {
14902         .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
14903         .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
14904         .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
14905 @@ -334,7 +344,7 @@ struct pv_irq_ops pv_irq_ops = {
14906  #endif
14907  };
14908  
14909 -struct pv_cpu_ops pv_cpu_ops = {
14910 +struct pv_cpu_ops pv_cpu_ops __read_only = {
14911         .cpuid = native_cpuid,
14912         .get_debugreg = native_get_debugreg,
14913         .set_debugreg = native_set_debugreg,
14914 @@ -395,21 +405,26 @@ struct pv_cpu_ops pv_cpu_ops = {
14915         .end_context_switch = paravirt_nop,
14916  };
14917  
14918 -struct pv_apic_ops pv_apic_ops = {
14919 +struct pv_apic_ops pv_apic_ops __read_only = {
14920  #ifdef CONFIG_X86_LOCAL_APIC
14921         .startup_ipi_hook = paravirt_nop,
14922  #endif
14923  };
14924  
14925 -#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
14926 +#ifdef CONFIG_X86_32
14927 +#ifdef CONFIG_X86_PAE
14928 +/* 64-bit pagetable entries */
14929 +#define PTE_IDENT      PV_CALLEE_SAVE(_paravirt_ident_64)
14930 +#else
14931  /* 32-bit pagetable entries */
14932  #define PTE_IDENT      __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
14933 +#endif
14934  #else
14935  /* 64-bit pagetable entries */
14936  #define PTE_IDENT      __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
14937  #endif
14938  
14939 -struct pv_mmu_ops pv_mmu_ops = {
14940 +struct pv_mmu_ops pv_mmu_ops __read_only = {
14941  
14942         .read_cr2 = native_read_cr2,
14943         .write_cr2 = native_write_cr2,
14944 @@ -459,6 +474,7 @@ struct pv_mmu_ops pv_mmu_ops = {
14945         .make_pud = PTE_IDENT,
14946  
14947         .set_pgd = native_set_pgd,
14948 +       .set_pgd_batched = native_set_pgd_batched,
14949  #endif
14950  #endif /* PAGETABLE_LEVELS >= 3 */
14951  
14952 @@ -478,6 +494,12 @@ struct pv_mmu_ops pv_mmu_ops = {
14953         },
14954  
14955         .set_fixmap = native_set_fixmap,
14956 +
14957 +#ifdef CONFIG_PAX_KERNEXEC
14958 +       .pax_open_kernel = native_pax_open_kernel,
14959 +       .pax_close_kernel = native_pax_close_kernel,
14960 +#endif
14961 +
14962  };
14963  
14964  EXPORT_SYMBOL_GPL(pv_time_ops);
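Review bot: The new PAE branch of `PTE_IDENT` repeats the `/* 64-bit pagetable entries */` comment of the 64-bit branch but deliberately selects `PV_CALLEE_SAVE(_paravirt_ident_64)` instead of `__PV_IS_CALLEE_SAVE(_paravirt_ident_64)`, and the comment should say why, e.g. `/* 32-bit PAE: use the real callee-save thunk generated by PV_CALLEE_SAVE_REGS_THUNK above */` (the calling-convention reason to be confirmed). The `PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64)` added earlier in this file and the extra `__raw_callee_save__paravirt_ident_64` branch in paravirt_patch_default are the other two pieces of this change and should be cross-referenced from that comment so the three stay in sync.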
14965 diff -urNp linux-3.1.1/arch/x86/kernel/paravirt-spinlocks.c linux-3.1.1/arch/x86/kernel/paravirt-spinlocks.c
14966 --- linux-3.1.1/arch/x86/kernel/paravirt-spinlocks.c    2011-11-11 15:19:27.000000000 -0500
14967 +++ linux-3.1.1/arch/x86/kernel/paravirt-spinlocks.c    2011-11-16 18:39:07.000000000 -0500
14968 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t 
14969         arch_spin_lock(lock);
14970  }
14971  
14972 -struct pv_lock_ops pv_lock_ops = {
14973 +struct pv_lock_ops pv_lock_ops __read_only = {
14974  #ifdef CONFIG_SMP
14975         .spin_is_locked = __ticket_spin_is_locked,
14976         .spin_is_contended = __ticket_spin_is_contended,
14977 diff -urNp linux-3.1.1/arch/x86/kernel/pci-iommu_table.c linux-3.1.1/arch/x86/kernel/pci-iommu_table.c
14978 --- linux-3.1.1/arch/x86/kernel/pci-iommu_table.c       2011-11-11 15:19:27.000000000 -0500
14979 +++ linux-3.1.1/arch/x86/kernel/pci-iommu_table.c       2011-11-16 18:40:08.000000000 -0500
14980 @@ -2,7 +2,7 @@
14981  #include <asm/iommu_table.h>
14982  #include <linux/string.h>
14983  #include <linux/kallsyms.h>
14984 -
14985 +#include <linux/sched.h>
14986  
14987  #define DEBUG 1
14988  
14989 @@ -51,6 +51,8 @@ void __init check_iommu_entries(struct i
14990  {
14991         struct iommu_table_entry *p, *q, *x;
14992  
14993 +       pax_track_stack();
14994 +
14995         /* Simple cyclic dependency checker. */
14996         for (p = start; p < finish; p++) {
14997                 q = find_dependents_of(start, finish, p);
14998 diff -urNp linux-3.1.1/arch/x86/kernel/process_32.c linux-3.1.1/arch/x86/kernel/process_32.c
14999 --- linux-3.1.1/arch/x86/kernel/process_32.c    2011-11-11 15:19:27.000000000 -0500
15000 +++ linux-3.1.1/arch/x86/kernel/process_32.c    2011-11-16 18:39:07.000000000 -0500
15001 @@ -66,6 +66,7 @@ asmlinkage void ret_from_fork(void) __as
15002  unsigned long thread_saved_pc(struct task_struct *tsk)
15003  {
15004         return ((unsigned long *)tsk->thread.sp)[3];
15005 +//XXX  return tsk->thread.eip;
15006  }
15007  
15008  #ifndef CONFIG_SMP
15009 @@ -128,15 +129,14 @@ void __show_regs(struct pt_regs *regs, i
15010         unsigned long sp;
15011         unsigned short ss, gs;
15012  
15013 -       if (user_mode_vm(regs)) {
15014 +       if (user_mode(regs)) {
15015                 sp = regs->sp;
15016                 ss = regs->ss & 0xffff;
15017 -               gs = get_user_gs(regs);
15018         } else {
15019                 sp = kernel_stack_pointer(regs);
15020                 savesegment(ss, ss);
15021 -               savesegment(gs, gs);
15022         }
15023 +       gs = get_user_gs(regs);
15024  
15025         show_regs_common();
15026  
15027 @@ -198,13 +198,14 @@ int copy_thread(unsigned long clone_flag
15028         struct task_struct *tsk;
15029         int err;
15030  
15031 -       childregs = task_pt_regs(p);
15032 +       childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
15033         *childregs = *regs;
15034         childregs->ax = 0;
15035         childregs->sp = sp;
15036  
15037         p->thread.sp = (unsigned long) childregs;
15038         p->thread.sp0 = (unsigned long) (childregs+1);
15039 +       p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
15040  
15041         p->thread.ip = (unsigned long) ret_from_fork;
15042  
15043 @@ -294,7 +295,7 @@ __switch_to(struct task_struct *prev_p, 
15044         struct thread_struct *prev = &prev_p->thread,
15045                                  *next = &next_p->thread;
15046         int cpu = smp_processor_id();
15047 -       struct tss_struct *tss = &per_cpu(init_tss, cpu);
15048 +       struct tss_struct *tss = init_tss + cpu;
15049         bool preload_fpu;
15050  
15051         /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
15052 @@ -329,6 +330,10 @@ __switch_to(struct task_struct *prev_p, 
15053          */
15054         lazy_save_gs(prev->gs);
15055  
15056 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15057 +       __set_fs(task_thread_info(next_p)->addr_limit);
15058 +#endif
15059 +
15060         /*
15061          * Load the per-thread Thread-Local Storage descriptor.
15062          */
15063 @@ -364,6 +369,9 @@ __switch_to(struct task_struct *prev_p, 
15064          */
15065         arch_end_context_switch(next_p);
15066  
15067 +       percpu_write(current_task, next_p);
15068 +       percpu_write(current_tinfo, &next_p->tinfo);
15069 +
15070         if (preload_fpu)
15071                 __math_state_restore();
15072  
15073 @@ -373,8 +381,6 @@ __switch_to(struct task_struct *prev_p, 
15074         if (prev->gs | next->gs)
15075                 lazy_load_gs(next->gs);
15076  
15077 -       percpu_write(current_task, next_p);
15078 -
15079         return prev_p;
15080  }
15081  
15082 @@ -404,4 +410,3 @@ unsigned long get_wchan(struct task_stru
15083         } while (count++ < 16);
15084         return 0;
15085  }
15086 -
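Review bot: `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;` in copy_thread introduces a bare `8` (process_64.c's copy_thread and get_wchan use `16` and `16 - sizeof(u64)` for the same reservation) with no comment saying what the slot above pt_regs is for; both files should use one named constant, e.g. `#define PT_REGS_STACK_PAD 8` (name constructed) next to the pt_regs layout, so get_wchan's bound check cannot drift from copy_thread. The added `//XXX  return tsk->thread.eip;` in thread_saved_pc is commented-out code and should be dropped or turned into a TODO explaining what is wrong with the `sp[3]` lookup. `gs = get_user_gs(regs);` is now also used for kernel-mode `regs` in __show_regs, where `savesegment(gs, gs)` was used before; if that is intended, a comment saying why the saved register is preferred would help. __show_regs and copy_thread extend outside their hunks.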
15087 diff -urNp linux-3.1.1/arch/x86/kernel/process_64.c linux-3.1.1/arch/x86/kernel/process_64.c
15088 --- linux-3.1.1/arch/x86/kernel/process_64.c    2011-11-11 15:19:27.000000000 -0500
15089 +++ linux-3.1.1/arch/x86/kernel/process_64.c    2011-11-16 18:39:07.000000000 -0500
15090 @@ -88,7 +88,7 @@ static void __exit_idle(void)
15091  void exit_idle(void)
15092  {
15093         /* idle loop has pid 0 */
15094 -       if (current->pid)
15095 +       if (task_pid_nr(current))
15096                 return;
15097         __exit_idle();
15098  }
15099 @@ -262,8 +262,7 @@ int copy_thread(unsigned long clone_flag
15100         struct pt_regs *childregs;
15101         struct task_struct *me = current;
15102  
15103 -       childregs = ((struct pt_regs *)
15104 -                       (THREAD_SIZE + task_stack_page(p))) - 1;
15105 +       childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
15106         *childregs = *regs;
15107  
15108         childregs->ax = 0;
15109 @@ -275,6 +274,7 @@ int copy_thread(unsigned long clone_flag
15110         p->thread.sp = (unsigned long) childregs;
15111         p->thread.sp0 = (unsigned long) (childregs+1);
15112         p->thread.usersp = me->thread.usersp;
15113 +       p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
15114  
15115         set_tsk_thread_flag(p, TIF_FORK);
15116  
15117 @@ -377,7 +377,7 @@ __switch_to(struct task_struct *prev_p, 
15118         struct thread_struct *prev = &prev_p->thread;
15119         struct thread_struct *next = &next_p->thread;
15120         int cpu = smp_processor_id();
15121 -       struct tss_struct *tss = &per_cpu(init_tss, cpu);
15122 +       struct tss_struct *tss = init_tss + cpu;
15123         unsigned fsindex, gsindex;
15124         bool preload_fpu;
15125  
15126 @@ -473,10 +473,9 @@ __switch_to(struct task_struct *prev_p, 
15127         prev->usersp = percpu_read(old_rsp);
15128         percpu_write(old_rsp, next->usersp);
15129         percpu_write(current_task, next_p);
15130 +       percpu_write(current_tinfo, &next_p->tinfo);
15131  
15132 -       percpu_write(kernel_stack,
15133 -                 (unsigned long)task_stack_page(next_p) +
15134 -                 THREAD_SIZE - KERNEL_STACK_OFFSET);
15135 +       percpu_write(kernel_stack, next->sp0);
15136  
15137         /*
15138          * Now maybe reload the debug registers and handle I/O bitmaps
15139 @@ -538,12 +537,11 @@ unsigned long get_wchan(struct task_stru
15140         if (!p || p == current || p->state == TASK_RUNNING)
15141                 return 0;
15142         stack = (unsigned long)task_stack_page(p);
15143 -       if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
15144 +       if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
15145                 return 0;
15146         fp = *(u64 *)(p->thread.sp);
15147         do {
15148 -               if (fp < (unsigned long)stack ||
15149 -                   fp >= (unsigned long)stack+THREAD_SIZE)
15150 +               if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
15151                         return 0;
15152                 ip = *(u64 *)(fp+8);
15153                 if (!in_sched_functions(ip))
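Review bot: `percpu_write(kernel_stack, next->sp0);` in __switch_to replaces the previous `task_stack_page + THREAD_SIZE - KERNEL_STACK_OFFSET` computation, so the value entry code finds in `kernel_stack` now depends on how copy_thread set `sp0` (`childregs + 1`, i.e. top of stack minus 16 in the hunk above). That is only consistent if every consumer of `kernel_stack`/`KERNEL_STACK_OFFSET` in the entry code was changed to the same layout in parts of the patch not visible here; a comment at this line naming that dependency, e.g. `/* kernel_stack must equal sp0: the syscall entry path derives its stack from it */` (wording to be confirmed), would make it checkable. get_wchan's new upper bound `stack + THREAD_SIZE - 16 - sizeof(u64)` encodes the same layout a third time and should share a named constant with copy_thread. __switch_to and get_wchan extend outside their hunks.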
15154 diff -urNp linux-3.1.1/arch/x86/kernel/process.c linux-3.1.1/arch/x86/kernel/process.c
15155 --- linux-3.1.1/arch/x86/kernel/process.c       2011-11-11 15:19:27.000000000 -0500
15156 +++ linux-3.1.1/arch/x86/kernel/process.c       2011-11-16 18:39:07.000000000 -0500
15157 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
15158  
15159  void free_thread_info(struct thread_info *ti)
15160  {
15161 -       free_thread_xstate(ti->task);
15162         free_pages((unsigned long)ti, get_order(THREAD_SIZE));
15163  }
15164  
15165 +static struct kmem_cache *task_struct_cachep;
15166 +
15167  void arch_task_cache_init(void)
15168  {
15169 -        task_xstate_cachep =
15170 -               kmem_cache_create("task_xstate", xstate_size,
15171 +       /* create a slab on which task_structs can be allocated */
15172 +       task_struct_cachep =
15173 +               kmem_cache_create("task_struct", sizeof(struct task_struct),
15174 +                       ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
15175 +
15176 +       task_xstate_cachep =
15177 +               kmem_cache_create("task_xstate", xstate_size,
15178                                   __alignof__(union thread_xstate),
15179 -                                 SLAB_PANIC | SLAB_NOTRACK, NULL);
15180 +                                 SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
15181 +}
15182 +
15183 +struct task_struct *alloc_task_struct_node(int node)
15184 +{
15185 +       return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
15186 +}
15187 +
15188 +void free_task_struct(struct task_struct *task)
15189 +{
15190 +       free_thread_xstate(task);
15191 +       kmem_cache_free(task_struct_cachep, task);
15192  }
15193  
15194  /*
15195 @@ -70,7 +87,7 @@ void exit_thread(void)
15196         unsigned long *bp = t->io_bitmap_ptr;
15197  
15198         if (bp) {
15199 -               struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
15200 +               struct tss_struct *tss = init_tss + get_cpu();
15201  
15202                 t->io_bitmap_ptr = NULL;
15203                 clear_thread_flag(TIF_IO_BITMAP);
15204 @@ -106,7 +123,7 @@ void show_regs_common(void)
15205  
15206         printk(KERN_CONT "\n");
15207         printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
15208 -               current->pid, current->xid, current->comm, print_tainted(),
15209 +               task_pid_nr(current), current->xid, current->comm, print_tainted(),
15210                 init_utsname()->release,
15211                 (int)strcspn(init_utsname()->version, " "),
15212                 init_utsname()->version);
15213 @@ -120,6 +137,9 @@ void flush_thread(void)
15214  {
15215         struct task_struct *tsk = current;
15216  
15217 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
15218 +       loadsegment(gs, 0);
15219 +#endif
15220         flush_ptrace_hw_breakpoint(tsk);
15221         memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
15222         /*
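Review bot: The new `loadsegment(gs, 0)` sits under a three-way preprocessor condition with no comment tying the three options together, so whoever next touches CONFIG_CC_STACKPROTECTOR or CONFIG_PAX_MEMORY_UDEREF cannot tell whether this guard must follow. Presumably the intent is that on 32-bit the kernel clears the exec'ing task's stale %gs only when the kernel itself does not depend on %gs (stack-protector canary or UDEREF segment), but that reasoning belongs next to the code: `/* 32-bit: clear the stale user %gs; skipped when the kernel owns %gs (stack-protector or UDEREF) */`. flush_thread's body continues outside the hunk.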
15223 @@ -282,10 +302,10 @@ int kernel_thread(int (*fn)(void *), voi
15224         regs.di = (unsigned long) arg;
15225  
15226  #ifdef CONFIG_X86_32
15227 -       regs.ds = __USER_DS;
15228 -       regs.es = __USER_DS;
15229 +       regs.ds = __KERNEL_DS;
15230 +       regs.es = __KERNEL_DS;
15231         regs.fs = __KERNEL_PERCPU;
15232 -       regs.gs = __KERNEL_STACK_CANARY;
15233 +       savesegment(gs, regs.gs);
15234  #else
15235         regs.ss = __KERNEL_DS;
15236  #endif
15237 @@ -403,7 +423,7 @@ void default_idle(void)
15238  EXPORT_SYMBOL(default_idle);
15239  #endif
15240  
15241 -void stop_this_cpu(void *dummy)
15242 +__noreturn void stop_this_cpu(void *dummy)
15243  {
15244         local_irq_disable();
15245         /*
15246 @@ -645,16 +665,37 @@ static int __init idle_setup(char *str)
15247  }
15248  early_param("idle", idle_setup);
15249  
15250 -unsigned long arch_align_stack(unsigned long sp)
15251 +#ifdef CONFIG_PAX_RANDKSTACK
15252 +void pax_randomize_kstack(struct pt_regs *regs)
15253  {
15254 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
15255 -               sp -= get_random_int() % 8192;
15256 -       return sp & ~0xf;
15257 -}
15258 +       struct thread_struct *thread = &current->thread;
15259 +       unsigned long time;
15260  
15261 -unsigned long arch_randomize_brk(struct mm_struct *mm)
15262 -{
15263 -       unsigned long range_end = mm->brk + 0x02000000;
15264 -       return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
15265 -}
15266 +       if (!randomize_va_space)
15267 +               return;
15268 +
15269 +       if (v8086_mode(regs))
15270 +               return;
15271  
15272 +       rdtscl(time);
15273 +
15274 +       /* P4 seems to return a 0 LSB, ignore it */
15275 +#ifdef CONFIG_MPENTIUM4
15276 +       time &= 0x3EUL;
15277 +       time <<= 2;
15278 +#elif defined(CONFIG_X86_64)
15279 +       time &= 0xFUL;
15280 +       time <<= 4;
15281 +#else
15282 +       time &= 0x1FUL;
15283 +       time <<= 3;
15284 +#endif
15285 +
15286 +       thread->sp0 ^= time;
15287 +       load_sp0(init_tss + smp_processor_id(), thread);
15288 +
15289 +#ifdef CONFIG_X86_64
15290 +       percpu_write(kernel_stack, thread->sp0);
15291 +#endif
15292 +}
15293 +#endif
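Review bot: pax_randomize_kstack derives its randomness from the low TSC bits via `rdtscl(time)` and masks them down to four or five bits, yet nothing documents that this is a deliberate trade of entropy for speed on the entry path, or why the result is XORed into `thread->sp0` rather than subtracted; the deleted arch_align_stack used get_random_int(), and a reader will ask why that was not kept. A header comment is warranted, e.g. stating that the function perturbs the kernel stack top by a small, alignment-preserving amount on each entry so the stack layout is not predictable, and that the three mask/shift variants keep the architecture's stack alignment (16 on x86_64, 8 on 32-bit) — that alignment reading is mine from the shifts and should be confirmed. The hunk also removes arch_align_stack() and arch_randomize_brk() from this file; the ELF loader still needs both, so the commit presumably re-homes them elsewhere in this patch, which the description should say explicitly.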
15294 diff -urNp linux-3.1.1/arch/x86/kernel/ptrace.c linux-3.1.1/arch/x86/kernel/ptrace.c
15295 --- linux-3.1.1/arch/x86/kernel/ptrace.c        2011-11-11 15:19:27.000000000 -0500
15296 +++ linux-3.1.1/arch/x86/kernel/ptrace.c        2011-11-16 18:39:07.000000000 -0500
15297 @@ -822,7 +822,7 @@ long arch_ptrace(struct task_struct *chi
15298                  unsigned long addr, unsigned long data)
15299  {
15300         int ret;
15301 -       unsigned long __user *datap = (unsigned long __user *)data;
15302 +       unsigned long __user *datap = (__force unsigned long __user *)data;
15303  
15304         switch (request) {
15305         /* read the word at location addr in the USER area. */
15306 @@ -907,14 +907,14 @@ long arch_ptrace(struct task_struct *chi
15307                 if ((int) addr < 0)
15308                         return -EIO;
15309                 ret = do_get_thread_area(child, addr,
15310 -                                       (struct user_desc __user *)data);
15311 +                                       (__force struct user_desc __user *) data);
15312                 break;
15313  
15314         case PTRACE_SET_THREAD_AREA:
15315                 if ((int) addr < 0)
15316                         return -EIO;
15317                 ret = do_set_thread_area(child, addr,
15318 -                                       (struct user_desc __user *)data, 0);
15319 +                                       (__force struct user_desc __user *) data, 0);
15320                 break;
15321  #endif
15322  
15323 @@ -1331,7 +1331,7 @@ static void fill_sigtrap_info(struct tas
15324         memset(info, 0, sizeof(*info));
15325         info->si_signo = SIGTRAP;
15326         info->si_code = si_code;
15327 -       info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
15328 +       info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
15329  }
15330  
15331  void user_single_step_siginfo(struct task_struct *tsk,
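Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` changes which frames count as user mode unless `user_mode` has been redefined elsewhere in this patch to cover vm86 frames; the signal.c hunk further down switches do_signal to `user_mode_novm`, which suggests exactly such a renaming, but nothing in this file says so. A one-line note in the commit description that `user_mode` now includes vm86 and `user_mode_novm` is the strict variant would let a reviewer check every converted call site against one rule. fill_sigtrap_info's opening is above the hunk.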
15332 diff -urNp linux-3.1.1/arch/x86/kernel/pvclock.c linux-3.1.1/arch/x86/kernel/pvclock.c
15333 --- linux-3.1.1/arch/x86/kernel/pvclock.c       2011-11-11 15:19:27.000000000 -0500
15334 +++ linux-3.1.1/arch/x86/kernel/pvclock.c       2011-11-16 18:39:07.000000000 -0500
15335 @@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc
15336         return pv_tsc_khz;
15337  }
15338  
15339 -static atomic64_t last_value = ATOMIC64_INIT(0);
15340 +static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
15341  
15342  void pvclock_resume(void)
15343  {
15344 -       atomic64_set(&last_value, 0);
15345 +       atomic64_set_unchecked(&last_value, 0);
15346  }
15347  
15348  cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
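Review bot: Switching `last_value` to `atomic64_unchecked_t` (with the matching `*_unchecked` accessors here and in the `pvclock_clocksource_read` hunk below) opts this variable out of the overflow-checked atomics, but the declaration carries no justification, so the next audit of unchecked usage has to rediscover why. The value is a clock reading that is only compared and advanced, never counted up and down, so it is not a reference count and overflow detection has no meaning for it — presumably that is the reason; a comment at the declaration would record it: `/* clock value, not a refcount: overflow checking is not wanted here */`. pvclock_clocksource_read begins in this hunk and continues outside it.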
15349 @@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct 
15350          * updating at the same time, and one of them could be slightly behind,
15351          * making the assumption that last_value always go forward fail to hold.
15352          */
15353 -       last = atomic64_read(&last_value);
15354 +       last = atomic64_read_unchecked(&last_value);
15355         do {
15356                 if (ret < last)
15357                         return last;
15358 -               last = atomic64_cmpxchg(&last_value, last, ret);
15359 +               last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
15360         } while (unlikely(last != ret));
15361  
15362         return ret;
15363 diff -urNp linux-3.1.1/arch/x86/kernel/reboot.c linux-3.1.1/arch/x86/kernel/reboot.c
15364 --- linux-3.1.1/arch/x86/kernel/reboot.c        2011-11-11 15:19:27.000000000 -0500
15365 +++ linux-3.1.1/arch/x86/kernel/reboot.c        2011-11-16 18:39:07.000000000 -0500
15366 @@ -35,7 +35,7 @@ void (*pm_power_off)(void);
15367  EXPORT_SYMBOL(pm_power_off);
15368  
15369  static const struct desc_ptr no_idt = {};
15370 -static int reboot_mode;
15371 +static unsigned short reboot_mode;
15372  enum reboot_type reboot_type = BOOT_ACPI;
15373  int reboot_force;
15374  
15375 @@ -315,13 +315,17 @@ core_initcall(reboot_init);
15376  extern const unsigned char machine_real_restart_asm[];
15377  extern const u64 machine_real_restart_gdt[3];
15378  
15379 -void machine_real_restart(unsigned int type)
15380 +__noreturn void machine_real_restart(unsigned int type)
15381  {
15382         void *restart_va;
15383         unsigned long restart_pa;
15384 -       void (*restart_lowmem)(unsigned int);
15385 +       void (* __noreturn restart_lowmem)(unsigned int);
15386         u64 *lowmem_gdt;
15387  
15388 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
15389 +       struct desc_struct *gdt;
15390 +#endif
15391 +
15392         local_irq_disable();
15393  
15394         /* Write zero to CMOS register number 0x0f, which the BIOS POST
15395 @@ -347,14 +351,14 @@ void machine_real_restart(unsigned int t
15396            boot)".  This seems like a fairly standard thing that gets set by
15397            REBOOT.COM programs, and the previous reset routine did this
15398            too. */
15399 -       *((unsigned short *)0x472) = reboot_mode;
15400 +       *(unsigned short *)(__va(0x472)) = reboot_mode;
15401  
15402         /* Patch the GDT in the low memory trampoline */
15403         lowmem_gdt = TRAMPOLINE_SYM(machine_real_restart_gdt);
15404  
15405         restart_va = TRAMPOLINE_SYM(machine_real_restart_asm);
15406         restart_pa = virt_to_phys(restart_va);
15407 -       restart_lowmem = (void (*)(unsigned int))restart_pa;
15408 +       restart_lowmem = (void *)restart_pa;
15409  
15410         /* GDT[0]: GDT self-pointer */
15411         lowmem_gdt[0] =
15412 @@ -365,7 +369,33 @@ void machine_real_restart(unsigned int t
15413                 GDT_ENTRY(0x009b, restart_pa, 0xffff);
15414  
15415         /* Jump to the identity-mapped low memory code */
15416 +
15417 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
15418 +       gdt = get_cpu_gdt_table(smp_processor_id());
15419 +       pax_open_kernel();
15420 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15421 +       gdt[GDT_ENTRY_KERNEL_DS].type = 3;
15422 +       gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
15423 +       asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
15424 +#endif
15425 +#ifdef CONFIG_PAX_KERNEXEC
15426 +       gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
15427 +       gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
15428 +       gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
15429 +       gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
15430 +       gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
15431 +       gdt[GDT_ENTRY_KERNEL_CS].g = 1;
15432 +#endif
15433 +       pax_close_kernel();
15434 +#endif
15435 +
15436 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15437 +       asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "rm" (restart_lowmem), "a" (type));
15438 +       unreachable();
15439 +#else
15440         restart_lowmem(type);
15441 +#endif
15442 +
15443  }
15444  #ifdef CONFIG_APM_MODULE
15445  EXPORT_SYMBOL(machine_real_restart);
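Review bot: The existing comment `/* Jump to the identity-mapped low memory code */` now sits some twenty lines above the jump it describes, separated by the new GDT patching, and the patching itself is uncommented. I would move that comment down to the `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` block and add one above the patching stating what it undoes — as far as the written fields show, the UDEREF branch restores a flat writable kernel data segment (type 3, limit 0xf) and reloads %ds/%es/%ss, and the KERNEXEC branch resets the kernel code segment to base 0 with a 4 GiB limit so the far `lret` into the physical trampoline address resolves; both readings are inferred from the descriptor fields and should be confirmed by the author. The `asm volatile` also passes the argument via `"a" (type)`, relying on the regparm convention rather than any documented interface of machine_real_restart_asm, which deserves a word. The blank line left before the closing `}` is noise; machine_real_restart's opening is in an earlier hunk.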
15446 @@ -523,7 +553,7 @@ void __attribute__((weak)) mach_reboot_f
15447   * try to force a triple fault and then cycle between hitting the keyboard
15448   * controller and doing that
15449   */
15450 -static void native_machine_emergency_restart(void)
15451 +__noreturn static void native_machine_emergency_restart(void)
15452  {
15453         int i;
15454         int attempt = 0;
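Review bot: The new declaration reads `__noreturn static void native_machine_emergency_restart(void)`, whereas the following hunks write `static __noreturn void __machine_emergency_restart`, `static __noreturn void native_machine_restart` and `static __noreturn void native_machine_halt`, and `native_machine_power_off` then flips back to `__noreturn static`. GCC accepts the attribute before the storage class, but it is the unusual order in this file and in the kernel generally; normalising both outliers to `static __noreturn void` lets one grep find every noreturn function here. The function body continues outside the hunk.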
15455 @@ -647,13 +677,13 @@ void native_machine_shutdown(void)
15456  #endif
15457  }
15458  
15459 -static void __machine_emergency_restart(int emergency)
15460 +static __noreturn void __machine_emergency_restart(int emergency)
15461  {
15462         reboot_emergency = emergency;
15463         machine_ops.emergency_restart();
15464  }
15465  
15466 -static void native_machine_restart(char *__unused)
15467 +static __noreturn void native_machine_restart(char *__unused)
15468  {
15469         printk("machine restart\n");
15470  
15471 @@ -662,7 +692,7 @@ static void native_machine_restart(char 
15472         __machine_emergency_restart(0);
15473  }
15474  
15475 -static void native_machine_halt(void)
15476 +static __noreturn void native_machine_halt(void)
15477  {
15478         /* stop other cpus and apics */
15479         machine_shutdown();
15480 @@ -673,7 +703,7 @@ static void native_machine_halt(void)
15481         stop_this_cpu(NULL);
15482  }
15483  
15484 -static void native_machine_power_off(void)
15485 +__noreturn static void native_machine_power_off(void)
15486  {
15487         if (pm_power_off) {
15488                 if (!reboot_force)
15489 @@ -682,6 +712,7 @@ static void native_machine_power_off(voi
15490         }
15491         /* a fallback in case there is no PM info available */
15492         tboot_shutdown(TB_SHUTDOWN_HALT);
15493 +       unreachable();
15494  }
15495  
15496  struct machine_ops machine_ops = {
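Review bot: `unreachable()` after `tboot_shutdown(TB_SHUTDOWN_HALT)` asserts that the call never returns, but nothing in this function guarantees it: when `pm_power_off` is NULL the fallback is all that is left, and if tboot_shutdown can return when tboot is not active — as it appears to upstream — execution runs off the end of a `__noreturn` function, which is undefined behaviour the compiler may compile into arbitrary fall-through. The `native_machine_halt` hunk above already ends with `stop_this_cpu(NULL)`, which this patch marks `__noreturn`; using the same terminator here, `stop_this_cpu(NULL);` in place of `unreachable();`, makes the no-return contract true rather than assumed. The function's opening is in the previous hunk.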
15497 diff -urNp linux-3.1.1/arch/x86/kernel/setup.c linux-3.1.1/arch/x86/kernel/setup.c
15498 --- linux-3.1.1/arch/x86/kernel/setup.c 2011-11-11 15:19:27.000000000 -0500
15499 +++ linux-3.1.1/arch/x86/kernel/setup.c 2011-11-16 18:39:07.000000000 -0500
15500 @@ -447,7 +447,7 @@ static void __init parse_setup_data(void
15501  
15502                 switch (data->type) {
15503                 case SETUP_E820_EXT:
15504 -                       parse_e820_ext(data);
15505 +                       parse_e820_ext((struct setup_data __force_kernel *)data);
15506                         break;
15507                 case SETUP_DTB:
15508                         add_dtb(pa_data);
15509 @@ -650,7 +650,7 @@ static void __init trim_bios_range(void)
15510          * area (640->1Mb) as ram even though it is not.
15511          * take them out.
15512          */
15513 -       e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
15514 +       e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
15515         sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
15516  }
15517  
15518 @@ -773,14 +773,14 @@ void __init setup_arch(char **cmdline_p)
15519  
15520         if (!boot_params.hdr.root_flags)
15521                 root_mountflags &= ~MS_RDONLY;
15522 -       init_mm.start_code = (unsigned long) _text;
15523 -       init_mm.end_code = (unsigned long) _etext;
15524 +       init_mm.start_code = ktla_ktva((unsigned long) _text);
15525 +       init_mm.end_code = ktla_ktva((unsigned long) _etext);
15526         init_mm.end_data = (unsigned long) _edata;
15527         init_mm.brk = _brk_end;
15528  
15529 -       code_resource.start = virt_to_phys(_text);
15530 -       code_resource.end = virt_to_phys(_etext)-1;
15531 -       data_resource.start = virt_to_phys(_etext);
15532 +       code_resource.start = virt_to_phys(ktla_ktva(_text));
15533 +       code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
15534 +       data_resource.start = virt_to_phys(_sdata);
15535         data_resource.end = virt_to_phys(_edata)-1;
15536         bss_resource.start = virt_to_phys(&__bss_start);
15537         bss_resource.end = virt_to_phys(&__bss_stop)-1;
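Review bot: `data_resource.start` moves from `virt_to_phys(_etext)` to `virt_to_phys(_sdata)` while `code_resource.end` stays at `_etext - 1`, so whatever lies between `_etext` and `_sdata` (presumably read-only data under the KERNEXEC layout) is no longer claimed by either resource, and `init_mm.end_code` is now `ktla_ktva(_etext)` while `init_mm.end_data` keeps the untranslated `_edata`. If the asymmetry is intended — code is relocated under KERNEXEC, data is not — a short comment on the `ktla_ktva` lines would spare the next reader the derivation; if the gap is not intended, a separate resource for that range would be needed. setup_arch continues outside the hunk on both sides.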
15538 diff -urNp linux-3.1.1/arch/x86/kernel/setup_percpu.c linux-3.1.1/arch/x86/kernel/setup_percpu.c
15539 --- linux-3.1.1/arch/x86/kernel/setup_percpu.c  2011-11-11 15:19:27.000000000 -0500
15540 +++ linux-3.1.1/arch/x86/kernel/setup_percpu.c  2011-11-16 18:39:07.000000000 -0500
15541 @@ -21,19 +21,17 @@
15542  #include <asm/cpu.h>
15543  #include <asm/stackprotector.h>
15544  
15545 -DEFINE_PER_CPU(int, cpu_number);
15546 +#ifdef CONFIG_SMP
15547 +DEFINE_PER_CPU(unsigned int, cpu_number);
15548  EXPORT_PER_CPU_SYMBOL(cpu_number);
15549 +#endif
15550  
15551 -#ifdef CONFIG_X86_64
15552  #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
15553 -#else
15554 -#define BOOT_PERCPU_OFFSET 0
15555 -#endif
15556  
15557  DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
15558  EXPORT_PER_CPU_SYMBOL(this_cpu_off);
15559  
15560 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
15561 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
15562         [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
15563  };
15564  EXPORT_SYMBOL(__per_cpu_offset);
15565 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
15566  {
15567  #ifdef CONFIG_X86_32
15568         struct desc_struct gdt;
15569 +       unsigned long base = per_cpu_offset(cpu);
15570  
15571 -       pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
15572 -                       0x2 | DESCTYPE_S, 0x8);
15573 -       gdt.s = 1;
15574 +       pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
15575 +                       0x83 | DESCTYPE_S, 0xC);
15576         write_gdt_entry(get_cpu_gdt_table(cpu),
15577                         GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
15578  #endif
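Review bot: The rewritten `pack_descriptor()` call changes three things at once — the limit shrinks from 4 GiB to `(VMALLOC_END - base - 1) >> PAGE_SHIFT`, the type gains the accessed bit (`0x83` against `0x2`), and the D/B flag is now set (`0xC` against `0x8`) — and none of them is explained. I read this as bounding the per-cpu segment so an out-of-range %fs-relative access faults instead of wrapping into other memory, and pre-setting the accessed bit so the CPU never has to write the descriptor on load (which matters once the GDT is read-only); both are inferences the author should confirm in a comment above the call. The dropped `gdt.s = 1` was already implied by the DESCTYPE_S in the type argument, so that part is behaviour-preserving and worth one word. setup_percpu_segment's signature is above the hunk.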
15579 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
15580         /* alrighty, percpu areas up and running */
15581         delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
15582         for_each_possible_cpu(cpu) {
15583 +#ifdef CONFIG_CC_STACKPROTECTOR
15584 +#ifdef CONFIG_X86_32
15585 +               unsigned long canary = per_cpu(stack_canary.canary, cpu);
15586 +#endif
15587 +#endif
15588                 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
15589                 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
15590                 per_cpu(cpu_number, cpu) = cpu;
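Review bot: The saved `canary` is read for every possible CPU but, in the hunk below, written back only when `!cpu`, and both sides are wrapped in doubly nested `#ifdef CONFIG_CC_STACKPROTECTOR` / `#ifdef CONFIG_X86_32`. A single `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)` on both sides is easier to pair up, and the exchange needs a comment because its reason is not visible here — presumably the boot CPU's canary already lives in the .init.data per-cpu copy and must survive the `per_cpu_offset(cpu)` switch that follows, while the other CPUs receive fresh canaries later. Reading the value only when `!cpu` would also make the two sides symmetric. setup_per_cpu_areas begins above the hunk.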
15591 @@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void)
15592                  */
15593                 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
15594  #endif
15595 +#ifdef CONFIG_CC_STACKPROTECTOR
15596 +#ifdef CONFIG_X86_32
15597 +               if (!cpu)
15598 +                       per_cpu(stack_canary.canary, cpu) = canary;
15599 +#endif
15600 +#endif
15601                 /*
15602                  * Up to this point, the boot CPU has been using .init.data
15603                  * area.  Reload any changed state for the boot CPU.
15604 diff -urNp linux-3.1.1/arch/x86/kernel/signal.c linux-3.1.1/arch/x86/kernel/signal.c
15605 --- linux-3.1.1/arch/x86/kernel/signal.c        2011-11-11 15:19:27.000000000 -0500
15606 +++ linux-3.1.1/arch/x86/kernel/signal.c        2011-11-16 19:39:49.000000000 -0500
15607 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
15608          * Align the stack pointer according to the i386 ABI,
15609          * i.e. so that on function entry ((sp + 4) & 15) == 0.
15610          */
15611 -       sp = ((sp + 4) & -16ul) - 4;
15612 +       sp = ((sp - 12) & -16ul) - 4;
15613  #else /* !CONFIG_X86_32 */
15614         sp = round_down(sp, 16) - 8;
15615  #endif
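Review bot: The new expression `((sp - 12) & -16ul) - 4` still yields a value congruent to 12 mod 16, so the invariant the comment states, `((sp + 4) & 15) == 0` on handler entry, is preserved — but it is also always exactly 16 bytes below what the old `((sp + 4) & -16ul) - 4` produced, and the comment above it was not updated to say why the frame is pushed a further 16 bytes down. Whatever the motivation (a guard gap below the interrupted frame, or a layout assumption in the PaX frame setup), it should be stated beside the expression; otherwise the next maintainer sees a gratuitous deviation from upstream and reverts it. align_sigframe's opening brace is above the hunk.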
15616 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
15617          * Return an always-bogus address instead so we will die with SIGSEGV.
15618          */
15619         if (onsigstack && !likely(on_sig_stack(sp)))
15620 -               return (void __user *)-1L;
15621 +               return (__force void __user *)-1L;
15622  
15623         /* save i387 state */
15624         if (used_math() && save_i387_xstate(*fpstate) < 0)
15625 -               return (void __user *)-1L;
15626 +               return (__force void __user *)-1L;
15627  
15628         return (void __user *)sp;
15629  }
15630 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
15631         }
15632  
15633         if (current->mm->context.vdso)
15634 -               restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
15635 +               restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
15636         else
15637 -               restorer = &frame->retcode;
15638 +               restorer = (void __user *)&frame->retcode;
15639         if (ka->sa.sa_flags & SA_RESTORER)
15640                 restorer = ka->sa.sa_restorer;
15641  
15642 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
15643          * reasons and because gdb uses it as a signature to notice
15644          * signal handler stack frames.
15645          */
15646 -       err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
15647 +       err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
15648  
15649         if (err)
15650                 return -EFAULT;
15651 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
15652                 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
15653  
15654                 /* Set up to return from userspace.  */
15655 -               restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
15656 +               if (current->mm->context.vdso)
15657 +                       restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
15658 +               else
15659 +                       restorer = (void __user *)&frame->retcode;
15660                 if (ka->sa.sa_flags & SA_RESTORER)
15661                         restorer = ka->sa.sa_restorer;
15662                 put_user_ex(restorer, &frame->pretcode);
15663 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
15664                  * reasons and because gdb uses it as a signature to notice
15665                  * signal handler stack frames.
15666                  */
15667 -               put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
15668 +               put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
15669         } put_user_catch(err);
15670  
15671         if (err)
15672 @@ -762,6 +765,8 @@ static void do_signal(struct pt_regs *re
15673         siginfo_t info;
15674         int signr;
15675  
15676 +       pax_track_stack();
15677 +
15678         /*
15679          * We want the common case to go fast, which is why we may in certain
15680          * cases get here from kernel mode. Just return without doing anything
15681 @@ -769,7 +774,7 @@ static void do_signal(struct pt_regs *re
15682          * X86_32: vm86 regs switched out by assembly code before reaching
15683          * here, so testing against kernel CS suffices.
15684          */
15685 -       if (!user_mode(regs))
15686 +       if (!user_mode_novm(regs))
15687                 return;
15688  
15689         signr = get_signal_to_deliver(&info, &ka, regs, NULL);
15690 diff -urNp linux-3.1.1/arch/x86/kernel/smpboot.c linux-3.1.1/arch/x86/kernel/smpboot.c
15691 --- linux-3.1.1/arch/x86/kernel/smpboot.c       2011-11-11 15:19:27.000000000 -0500
15692 +++ linux-3.1.1/arch/x86/kernel/smpboot.c       2011-11-16 18:39:07.000000000 -0500
15693 @@ -709,17 +709,20 @@ static int __cpuinit do_boot_cpu(int api
15694         set_idle_for_cpu(cpu, c_idle.idle);
15695  do_rest:
15696         per_cpu(current_task, cpu) = c_idle.idle;
15697 +       per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
15698  #ifdef CONFIG_X86_32
15699         /* Stack for startup_32 can be just as for start_secondary onwards */
15700         irq_ctx_init(cpu);
15701  #else
15702         clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
15703         initial_gs = per_cpu_offset(cpu);
15704 -       per_cpu(kernel_stack, cpu) =
15705 -               (unsigned long)task_stack_page(c_idle.idle) -
15706 -               KERNEL_STACK_OFFSET + THREAD_SIZE;
15707 +       per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
15708  #endif
15709 +
15710 +       pax_open_kernel();
15711         early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
15712 +       pax_close_kernel();
15713 +
15714         initial_code = (unsigned long)start_secondary;
15715         stack_start  = c_idle.idle->thread.sp;
15716  
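Review bot: The new `per_cpu(kernel_stack, cpu)` line replaces the named `KERNEL_STACK_OFFSET` with a bare `16`, the same literal that appears as `THREAD_SIZE-16-sizeof(u64)` in the stack-walk hunk earlier in this patch; if KERNEL_STACK_OFFSET is being redefined to 16 the macro should stay in use here, and if it is being removed the value wants a name (a `KSTACK_TOP_GAP`-style constant — placeholder, use the project's spelling) so the two sites cannot drift apart. The `pax_open_kernel()`/`pax_close_kernel()` pair around `early_gdt_descr.address` would also benefit from a why-comment, e.g. `/* early_gdt_descr is in read-only data under KERNEXEC */` if that is indeed the reason — it is inferred here. do_boot_cpu continues outside the hunk.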
15717 @@ -861,6 +864,12 @@ int __cpuinit native_cpu_up(unsigned int
15718  
15719         per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
15720  
15721 +#ifdef CONFIG_PAX_PER_CPU_PGD
15722 +       clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
15723 +                       swapper_pg_dir + KERNEL_PGD_BOUNDARY,
15724 +                       KERNEL_PGD_PTRS);
15725 +#endif
15726 +
15727         err = do_boot_cpu(apicid, cpu);
15728         if (err) {
15729                 pr_debug("do_boot_cpu failed %d\n", err);
15730 diff -urNp linux-3.1.1/arch/x86/kernel/step.c linux-3.1.1/arch/x86/kernel/step.c
15731 --- linux-3.1.1/arch/x86/kernel/step.c  2011-11-11 15:19:27.000000000 -0500
15732 +++ linux-3.1.1/arch/x86/kernel/step.c  2011-11-16 18:39:07.000000000 -0500
15733 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
15734                 struct desc_struct *desc;
15735                 unsigned long base;
15736  
15737 -               seg &= ~7UL;
15738 +               seg >>= 3;
15739  
15740                 mutex_lock(&child->mm->context.lock);
15741 -               if (unlikely((seg >> 3) >= child->mm->context.size))
15742 +               if (unlikely(seg >= child->mm->context.size))
15743                         addr = -1L; /* bogus selector, access would fault */
15744                 else {
15745                         desc = child->mm->context.ldt + seg;
15746 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
15747                         addr += base;
15748                 }
15749                 mutex_unlock(&child->mm->context.lock);
15750 -       }
15751 +       } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
15752 +               addr = ktla_ktva(addr);
15753  
15754         return addr;
15755  }
15756 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
15757         unsigned char opcode[15];
15758         unsigned long addr = convert_ip_to_linear(child, regs);
15759  
15760 +       if (addr == -EINVAL)
15761 +               return 0;
15762 +
15763         copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
15764         for (i = 0; i < copied; i++) {
15765                 switch (opcode[i]) {
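Review bot: The new early exit tests `addr == -EINVAL`, but the only failure value convert_ip_to_linear visibly produces is `-1L` (`addr = -1L; /* bogus selector, access would fault */` in the hunk above), so a bogus LDT selector still goes through the `access_process_vm()` round trip with an address the caller already knows is invalid. Either the function also returns -EINVAL on a path outside this view — in which case a comment naming that path would help — or the check should read `if (addr == -1L || addr == -EINVAL) return 0;`. is_setting_trap_flag's opening is above the hunk.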
15766 diff -urNp linux-3.1.1/arch/x86/kernel/syscall_table_32.S linux-3.1.1/arch/x86/kernel/syscall_table_32.S
15767 --- linux-3.1.1/arch/x86/kernel/syscall_table_32.S      2011-11-11 15:19:27.000000000 -0500
15768 +++ linux-3.1.1/arch/x86/kernel/syscall_table_32.S      2011-11-16 18:39:07.000000000 -0500
15769 @@ -1,3 +1,4 @@
15770 +.section .rodata,"a",@progbits
15771  ENTRY(sys_call_table)
15772         .long sys_restart_syscall       /* 0 - old "setup()" system call, used for restarting */
15773         .long sys_exit
15774 diff -urNp linux-3.1.1/arch/x86/kernel/sys_i386_32.c linux-3.1.1/arch/x86/kernel/sys_i386_32.c
15775 --- linux-3.1.1/arch/x86/kernel/sys_i386_32.c   2011-11-11 15:19:27.000000000 -0500
15776 +++ linux-3.1.1/arch/x86/kernel/sys_i386_32.c   2011-11-16 18:39:07.000000000 -0500
15777 @@ -24,17 +24,224 @@
15778  
15779  #include <asm/syscalls.h>
15780  
15781 -/*
15782 - * Do a system call from kernel instead of calling sys_execve so we
15783 - * end up with proper pt_regs.
15784 - */
15785 -int kernel_execve(const char *filename,
15786 -                 const char *const argv[],
15787 -                 const char *const envp[])
15788 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
15789  {
15790 -       long __res;
15791 -       asm volatile ("int $0x80"
15792 -       : "=a" (__res)
15793 -       : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
15794 -       return __res;
15795 +       unsigned long pax_task_size = TASK_SIZE;
15796 +
15797 +#ifdef CONFIG_PAX_SEGMEXEC
15798 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
15799 +               pax_task_size = SEGMEXEC_TASK_SIZE;
15800 +#endif
15801 +
15802 +       if (len > pax_task_size || addr > pax_task_size - len)
15803 +               return -EINVAL;
15804 +
15805 +       return 0;
15806 +}
15807 +
15808 +unsigned long
15809 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
15810 +               unsigned long len, unsigned long pgoff, unsigned long flags)
15811 +{
15812 +       struct mm_struct *mm = current->mm;
15813 +       struct vm_area_struct *vma;
15814 +       unsigned long start_addr, pax_task_size = TASK_SIZE;
15815 +
15816 +#ifdef CONFIG_PAX_SEGMEXEC
15817 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
15818 +               pax_task_size = SEGMEXEC_TASK_SIZE;
15819 +#endif
15820 +
15821 +       pax_task_size -= PAGE_SIZE;
15822 +
15823 +       if (len > pax_task_size)
15824 +               return -ENOMEM;
15825 +
15826 +       if (flags & MAP_FIXED)
15827 +               return addr;
15828 +
15829 +#ifdef CONFIG_PAX_RANDMMAP
15830 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15831 +#endif
15832 +
15833 +       if (addr) {
15834 +               addr = PAGE_ALIGN(addr);
15835 +               if (pax_task_size - len >= addr) {
15836 +                       vma = find_vma(mm, addr);
15837 +                       if (check_heap_stack_gap(vma, addr, len))
15838 +                               return addr;
15839 +               }
15840 +       }
15841 +       if (len > mm->cached_hole_size) {
15842 +               start_addr = addr = mm->free_area_cache;
15843 +       } else {
15844 +               start_addr = addr = mm->mmap_base;
15845 +               mm->cached_hole_size = 0;
15846 +       }
15847 +
15848 +#ifdef CONFIG_PAX_PAGEEXEC
15849 +       if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
15850 +               start_addr = 0x00110000UL;
15851 +
15852 +#ifdef CONFIG_PAX_RANDMMAP
15853 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
15854 +                       start_addr += mm->delta_mmap & 0x03FFF000UL;
15855 +#endif
15856 +
15857 +               if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
15858 +                       start_addr = addr = mm->mmap_base;
15859 +               else
15860 +                       addr = start_addr;
15861 +       }
15862 +#endif
15863 +
15864 +full_search:
15865 +       for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
15866 +               /* At this point:  (!vma || addr < vma->vm_end). */
15867 +               if (pax_task_size - len < addr) {
15868 +                       /*
15869 +                        * Start a new search - just in case we missed
15870 +                        * some holes.
15871 +                        */
15872 +                       if (start_addr != mm->mmap_base) {
15873 +                               start_addr = addr = mm->mmap_base;
15874 +                               mm->cached_hole_size = 0;
15875 +                               goto full_search;
15876 +                       }
15877 +                       return -ENOMEM;
15878 +               }
15879 +               if (check_heap_stack_gap(vma, addr, len))
15880 +                       break;
15881 +               if (addr + mm->cached_hole_size < vma->vm_start)
15882 +                       mm->cached_hole_size = vma->vm_start - addr;
15883 +               addr = vma->vm_end;
15884 +               if (mm->start_brk <= addr && addr < mm->mmap_base) {
15885 +                       start_addr = addr = mm->mmap_base;
15886 +                       mm->cached_hole_size = 0;
15887 +                       goto full_search;
15888 +               }
15889 +       }
15890 +
15891 +       /*
15892 +        * Remember the place where we stopped the search:
15893 +        */
15894 +       mm->free_area_cache = addr + len;
15895 +       return addr;
15896 +}
15897 +
15898 +unsigned long
15899 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
15900 +                         const unsigned long len, const unsigned long pgoff,
15901 +                         const unsigned long flags)
15902 +{
15903 +       struct vm_area_struct *vma;
15904 +       struct mm_struct *mm = current->mm;
15905 +       unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
15906 +
15907 +#ifdef CONFIG_PAX_SEGMEXEC
15908 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
15909 +               pax_task_size = SEGMEXEC_TASK_SIZE;
15910 +#endif
15911 +
15912 +       pax_task_size -= PAGE_SIZE;
15913 +
15914 +       /* requested length too big for entire address space */
15915 +       if (len > pax_task_size)
15916 +               return -ENOMEM;
15917 +
15918 +       if (flags & MAP_FIXED)
15919 +               return addr;
15920 +
15921 +#ifdef CONFIG_PAX_PAGEEXEC
15922 +       if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
15923 +               goto bottomup;
15924 +#endif
15925 +
15926 +#ifdef CONFIG_PAX_RANDMMAP
15927 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15928 +#endif
15929 +
15930 +       /* requesting a specific address */
15931 +       if (addr) {
15932 +               addr = PAGE_ALIGN(addr);
15933 +               if (pax_task_size - len >= addr) {
15934 +                       vma = find_vma(mm, addr);
15935 +                       if (check_heap_stack_gap(vma, addr, len))
15936 +                               return addr;
15937 +               }
15938 +       }
15939 +
15940 +       /* check if free_area_cache is useful for us */
15941 +       if (len <= mm->cached_hole_size) {
15942 +               mm->cached_hole_size = 0;
15943 +               mm->free_area_cache = mm->mmap_base;
15944 +       }
15945 +
15946 +       /* either no address requested or can't fit in requested address hole */
15947 +       addr = mm->free_area_cache;
15948 +
15949 +       /* make sure it can fit in the remaining address space */
15950 +       if (addr > len) {
15951 +               vma = find_vma(mm, addr-len);
15952 +               if (check_heap_stack_gap(vma, addr - len, len))
15953 +                       /* remember the address as a hint for next time */
15954 +                       return (mm->free_area_cache = addr-len);
15955 +       }
15956 +
15957 +       if (mm->mmap_base < len)
15958 +               goto bottomup;
15959 +
15960 +       addr = mm->mmap_base-len;
15961 +
15962 +       do {
15963 +               /*
15964 +                * Lookup failure means no vma is above this address,
15965 +                * else if new region fits below vma->vm_start,
15966 +                * return with success:
15967 +                */
15968 +               vma = find_vma(mm, addr);
15969 +               if (check_heap_stack_gap(vma, addr, len))
15970 +                       /* remember the address as a hint for next time */
15971 +                       return (mm->free_area_cache = addr);
15972 +
15973 +               /* remember the largest hole we saw so far */
15974 +               if (addr + mm->cached_hole_size < vma->vm_start)
15975 +                       mm->cached_hole_size = vma->vm_start - addr;
15976 +
15977 +               /* try just below the current vma->vm_start */
15978 +               addr = skip_heap_stack_gap(vma, len);
15979 +       } while (!IS_ERR_VALUE(addr));
15980 +
15981 +bottomup:
15982 +       /*
15983 +        * A failed mmap() very likely causes application failure,
15984 +        * so fall back to the bottom-up function here. This scenario
15985 +        * can happen with large stack limits and large mmap()
15986 +        * allocations.
15987 +        */
15988 +
15989 +#ifdef CONFIG_PAX_SEGMEXEC
15990 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
15991 +               mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
15992 +       else
15993 +#endif
15994 +
15995 +       mm->mmap_base = TASK_UNMAPPED_BASE;
15996 +
15997 +#ifdef CONFIG_PAX_RANDMMAP
15998 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
15999 +               mm->mmap_base += mm->delta_mmap;
16000 +#endif
16001 +
16002 +       mm->free_area_cache = mm->mmap_base;
16003 +       mm->cached_hole_size = ~0UL;
16004 +       addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
16005 +       /*
16006 +        * Restore the topdown base:
16007 +        */
16008 +       mm->mmap_base = base;
16009 +       mm->free_area_cache = base;
16010 +       mm->cached_hole_size = ~0UL;
16011 +
16012 +       return addr;
16013  }
16014 diff -urNp linux-3.1.1/arch/x86/kernel/sys_x86_64.c linux-3.1.1/arch/x86/kernel/sys_x86_64.c
16015 --- linux-3.1.1/arch/x86/kernel/sys_x86_64.c    2011-11-11 15:19:27.000000000 -0500
16016 +++ linux-3.1.1/arch/x86/kernel/sys_x86_64.c    2011-11-16 18:39:07.000000000 -0500
16017 @@ -32,8 +32,8 @@ out:
16018         return error;
16019  }
16020  
16021 -static void find_start_end(unsigned long flags, unsigned long *begin,
16022 -                          unsigned long *end)
16023 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
16024 +                          unsigned long *begin, unsigned long *end)
16025  {
16026         if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
16027                 unsigned long new_begin;
16028 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
16029                                 *begin = new_begin;
16030                 }
16031         } else {
16032 -               *begin = TASK_UNMAPPED_BASE;
16033 +               *begin = mm->mmap_base;
16034                 *end = TASK_SIZE;
16035         }
16036  }
16037 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
16038         if (flags & MAP_FIXED)
16039                 return addr;
16040  
16041 -       find_start_end(flags, &begin, &end);
16042 +       find_start_end(mm, flags, &begin, &end);
16043  
16044         if (len > end)
16045                 return -ENOMEM;
16046  
16047 +#ifdef CONFIG_PAX_RANDMMAP
16048 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16049 +#endif
16050 +
16051         if (addr) {
16052                 addr = PAGE_ALIGN(addr);
16053                 vma = find_vma(mm, addr);
16054 -               if (end - len >= addr &&
16055 -                   (!vma || addr + len <= vma->vm_start))
16056 +               if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
16057                         return addr;
16058         }
16059         if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
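Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block at L16050–L16052 leaves a bare `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the `if (addr) {` statement at L16054, separated from it by a blank line, and nothing marks that the second `if` is the body of the first. Any statement inserted between the two later silently becomes the guarded body and the hint handling becomes unconditional again. Consider dropping the blank line and adding `/* with RANDMMAP active the caller's address hint is ignored: the following if() is the body of the #ifdef'd condition */` above L16050, or wrapping the hint block in braces so the structure survives edits. The same shape recurs at L16085–L16090 (hunk ending at L16103) and, as a dangling `else` across `#endif`, at L16411–L16417 in traps.c.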
16060 @@ -106,7 +109,7 @@ full_search:
16061                         }
16062                         return -ENOMEM;
16063                 }
16064 -               if (!vma || addr + len <= vma->vm_start) {
16065 +               if (check_heap_stack_gap(vma, addr, len)) {
16066                         /*
16067                          * Remember the place where we stopped the search:
16068                          */
16069 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
16070  {
16071         struct vm_area_struct *vma;
16072         struct mm_struct *mm = current->mm;
16073 -       unsigned long addr = addr0;
16074 +       unsigned long base = mm->mmap_base, addr = addr0;
16075  
16076         /* requested length too big for entire address space */
16077         if (len > TASK_SIZE)
16078 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
16079         if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
16080                 goto bottomup;
16081  
16082 +#ifdef CONFIG_PAX_RANDMMAP
16083 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16084 +#endif
16085 +
16086         /* requesting a specific address */
16087         if (addr) {
16088                 addr = PAGE_ALIGN(addr);
16089 -               vma = find_vma(mm, addr);
16090 -               if (TASK_SIZE - len >= addr &&
16091 -                               (!vma || addr + len <= vma->vm_start))
16092 -                       return addr;
16093 +               if (TASK_SIZE - len >= addr) {
16094 +                       vma = find_vma(mm, addr);
16095 +                       if (check_heap_stack_gap(vma, addr, len))
16096 +                               return addr;
16097 +               }
16098         }
16099  
16100         /* check if free_area_cache is useful for us */
16101 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
16102         /* make sure it can fit in the remaining address space */
16103         if (addr > len) {
16104                 vma = find_vma(mm, addr-len);
16105 -               if (!vma || addr <= vma->vm_start)
16106 +               if (check_heap_stack_gap(vma, addr - len, len))
16107                         /* remember the address as a hint for next time */
16108                         return mm->free_area_cache = addr-len;
16109         }
16110 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
16111                  * return with success:
16112                  */
16113                 vma = find_vma(mm, addr);
16114 -               if (!vma || addr+len <= vma->vm_start)
16115 +               if (check_heap_stack_gap(vma, addr, len))
16116                         /* remember the address as a hint for next time */
16117                         return mm->free_area_cache = addr;
16118  
16119 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
16120                         mm->cached_hole_size = vma->vm_start - addr;
16121  
16122                 /* try just below the current vma->vm_start */
16123 -               addr = vma->vm_start-len;
16124 -       } while (len < vma->vm_start);
16125 +               addr = skip_heap_stack_gap(vma, len);
16126 +       } while (!IS_ERR_VALUE(addr));
16127  
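Review bot: The loop condition at L16129 now depends on `skip_heap_stack_gap()` returning an error-encoded value to end the search, replacing the explicit `len < vma->vm_start` test, but the call site says nothing about that contract. A one-line comment at L16128, such as `/* skip_heap_stack_gap() yields an IS_ERR_VALUE() result when nothing fits below vma */`, would make the termination condition readable without opening the helper. When the loop exits, `addr` holds that error value and control falls into `bottomup:` (L16131), which reassigns it at L16147 before returning, so the value is not leaked; the comment could state that too.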
16128  bottomup:
16129         /*
16130 @@ -198,13 +206,21 @@ bottomup:
16131          * can happen with large stack limits and large mmap()
16132          * allocations.
16133          */
16134 +       mm->mmap_base = TASK_UNMAPPED_BASE;
16135 +
16136 +#ifdef CONFIG_PAX_RANDMMAP
16137 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
16138 +               mm->mmap_base += mm->delta_mmap;
16139 +#endif
16140 +
16141 +       mm->free_area_cache = mm->mmap_base;
16142         mm->cached_hole_size = ~0UL;
16143 -       mm->free_area_cache = TASK_UNMAPPED_BASE;
16144         addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
16145         /*
16146          * Restore the topdown base:
16147          */
16148 -       mm->free_area_cache = mm->mmap_base;
16149 +       mm->mmap_base = base;
16150 +       mm->free_area_cache = base;
16151         mm->cached_hole_size = ~0UL;
16152  
16153         return addr;
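Review bot: The temporary rewrite of `mm->mmap_base` at L16137–L16141 is load-bearing but undocumented: the bottom-up `arch_get_unmapped_area()` called at L16147 now starts its search from `mm->mmap_base` because `find_start_end()` was changed to read it (L16036), so this block steers that search to `TASK_UNMAPPED_BASE` plus the RANDMMAP delta, and L16152 restores the real base afterwards. A comment above L16137 such as `/* find_start_end() searches from mm->mmap_base; point it at the bottom-up base for the fallback, restored below */` would spare the next reader the cross-hunk hunt. The intermediate value is visible to anything reading `mm->mmap_base` while the call is in flight; presumably the caller holds `mmap_sem` for writing, which the comment should say explicitly.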
16154 diff -urNp linux-3.1.1/arch/x86/kernel/tboot.c linux-3.1.1/arch/x86/kernel/tboot.c
16155 --- linux-3.1.1/arch/x86/kernel/tboot.c 2011-11-11 15:19:27.000000000 -0500
16156 +++ linux-3.1.1/arch/x86/kernel/tboot.c 2011-11-16 18:39:07.000000000 -0500
16157 @@ -218,7 +218,7 @@ static int tboot_setup_sleep(void)
16158  
16159  void tboot_shutdown(u32 shutdown_type)
16160  {
16161 -       void (*shutdown)(void);
16162 +       void (* __noreturn shutdown)(void);
16163  
16164         if (!tboot_enabled())
16165                 return;
16166 @@ -240,7 +240,7 @@ void tboot_shutdown(u32 shutdown_type)
16167  
16168         switch_to_tboot_pt();
16169  
16170 -       shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
16171 +       shutdown = (void *)tboot->shutdown_entry;
16172         shutdown();
16173  
16174         /* should not reach here */
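Review bot: `shutdown = (void *)tboot->shutdown_entry;` at L16174 reaches the function pointer through an object pointer, a conversion ISO C leaves conditionally supported (GCC defines it, so the kernel build is fine), whereas the replaced form cast the integer straight to the function-pointer type. If `shutdown_entry` is an integer field, as the old `(unsigned long)` cast implies, a `typedef` for the `__noreturn` function-pointer type and a cast from `(unsigned long)` to that type keeps both the attribute added at L16165 and strict-C cleanliness. Minor style point; behaviour on GCC is unchanged.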
16175 @@ -297,7 +297,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
16176         tboot_shutdown(acpi_shutdown_map[sleep_state]);
16177  }
16178  
16179 -static atomic_t ap_wfs_count;
16180 +static atomic_unchecked_t ap_wfs_count;
16181  
16182  static int tboot_wait_for_aps(int num_aps)
16183  {
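Review bot: The switch to `atomic_unchecked_t` at L16183 opts `ap_wfs_count` out of PAX_REFCOUNT overflow detection without saying why, so anyone auditing refcount exemptions has to infer it from the usage. A comment above L16183 such as `/* plain count of APs waiting for SIPI, not a reference count: exempt from REFCOUNT overflow checking */` records the intent; the companion call changes at L16192, L16195 and L16204 then need no further explanation.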
16184 @@ -321,9 +321,9 @@ static int __cpuinit tboot_cpu_callback(
16185  {
16186         switch (action) {
16187         case CPU_DYING:
16188 -               atomic_inc(&ap_wfs_count);
16189 +               atomic_inc_unchecked(&ap_wfs_count);
16190                 if (num_online_cpus() == 1)
16191 -                       if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
16192 +                       if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
16193                                 return NOTIFY_BAD;
16194                 break;
16195         }
16196 @@ -342,7 +342,7 @@ static __init int tboot_late_init(void)
16197  
16198         tboot_create_trampoline();
16199  
16200 -       atomic_set(&ap_wfs_count, 0);
16201 +       atomic_set_unchecked(&ap_wfs_count, 0);
16202         register_hotcpu_notifier(&tboot_cpu_notifier);
16203         return 0;
16204  }
16205 diff -urNp linux-3.1.1/arch/x86/kernel/time.c linux-3.1.1/arch/x86/kernel/time.c
16206 --- linux-3.1.1/arch/x86/kernel/time.c  2011-11-11 15:19:27.000000000 -0500
16207 +++ linux-3.1.1/arch/x86/kernel/time.c  2011-11-16 18:39:07.000000000 -0500
16208 @@ -30,9 +30,9 @@ unsigned long profile_pc(struct pt_regs 
16209  {
16210         unsigned long pc = instruction_pointer(regs);
16211  
16212 -       if (!user_mode_vm(regs) && in_lock_functions(pc)) {
16213 +       if (!user_mode(regs) && in_lock_functions(pc)) {
16214  #ifdef CONFIG_FRAME_POINTER
16215 -               return *(unsigned long *)(regs->bp + sizeof(long));
16216 +               return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
16217  #else
16218                 unsigned long *sp =
16219                         (unsigned long *)kernel_stack_pointer(regs);
16220 @@ -41,11 +41,17 @@ unsigned long profile_pc(struct pt_regs 
16221                  * or above a saved flags. Eflags has bits 22-31 zero,
16222                  * kernel addresses don't.
16223                  */
16224 +
16225 +#ifdef CONFIG_PAX_KERNEXEC
16226 +               return ktla_ktva(sp[0]);
16227 +#else
16228                 if (sp[0] >> 22)
16229                         return sp[0];
16230                 if (sp[1] >> 22)
16231                         return sp[1];
16232  #endif
16233 +
16234 +#endif
16235         }
16236         return pc;
16237  }
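Review bot: Under `CONFIG_PAX_KERNEXEC` the new branch at L16228–L16230 returns `ktla_ktva(sp[0])` unconditionally, dropping the `sp[0] >> 22` / `sp[1] >> 22` discrimination that the preserved comment at L16224–L16226 still describes, so that comment is now true only for the `#else` path. Presumably the heuristic cannot be applied because the pre-translation KERNEXEC text addresses lack the high bits the test relies on; if that is the reason, say so at L16228 with something like `/* KERNEXEC: the bits-22..31 test cannot separate a return address from saved flags here; take sp[0] and translate it */`, and if the reason differs, document that instead. Without it the `#ifdef` reads as if the heuristic were dropped by accident.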
16238 diff -urNp linux-3.1.1/arch/x86/kernel/tls.c linux-3.1.1/arch/x86/kernel/tls.c
16239 --- linux-3.1.1/arch/x86/kernel/tls.c   2011-11-11 15:19:27.000000000 -0500
16240 +++ linux-3.1.1/arch/x86/kernel/tls.c   2011-11-16 18:39:07.000000000 -0500
16241 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
16242         if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
16243                 return -EINVAL;
16244  
16245 +#ifdef CONFIG_PAX_SEGMEXEC
16246 +       if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
16247 +               return -EINVAL;
16248 +#endif
16249 +
16250         set_tls_desc(p, idx, &info, 1);
16251  
16252         return 0;
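Review bot: The `CONFIG_PAX_SEGMEXEC` check at L16248–L16251 rejects TLS descriptors carrying `MODIFY_LDT_CONTENTS_CODE` for SEGMEXEC tasks but gives no rationale; presumably SEGMEXEC depends on user code living only in its dedicated code segment, and if so one line, `/* SEGMEXEC: user-installed code descriptors would undermine the code/data segment split */`, should say it. The check also dereferences `p->mm` unconditionally: safe for the current task in a syscall, but if `do_set_thread_area()` can be reached for a task whose `mm` is NULL this faults before `set_tls_desc()` — confirm against the callers or guard with `p->mm &&`. The enclosing function begins before this hunk.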
16253 diff -urNp linux-3.1.1/arch/x86/kernel/trampoline_32.S linux-3.1.1/arch/x86/kernel/trampoline_32.S
16254 --- linux-3.1.1/arch/x86/kernel/trampoline_32.S 2011-11-11 15:19:27.000000000 -0500
16255 +++ linux-3.1.1/arch/x86/kernel/trampoline_32.S 2011-11-16 18:39:07.000000000 -0500
16256 @@ -32,6 +32,12 @@
16257  #include <asm/segment.h>
16258  #include <asm/page_types.h>
16259  
16260 +#ifdef CONFIG_PAX_KERNEXEC
16261 +#define ta(X) (X)
16262 +#else
16263 +#define ta(X) ((X) - __PAGE_OFFSET)
16264 +#endif
16265 +
16266  #ifdef CONFIG_SMP
16267  
16268         .section ".x86_trampoline","a"
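Review bot: The `ta()` macro at L16263–L16267 is undocumented, and its two expansions only make sense with the KERNEXEC link layout in mind (this patch links `.text` at `. - __KERNEL_TEXT_OFFSET` in vmlinux.lds.S). A short comment above L16263, e.g. `/* ta(X): address of X as the real-mode trampoline must see it; with KERNEXEC the text is linked so that no __PAGE_OFFSET subtraction is needed */`, would save the reader a trip to the linker script. The identity form is what the `ljmpl` at L16277 relies on.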
16269 @@ -62,7 +68,7 @@ r_base = .
16270         inc     %ax             # protected mode (PE) bit
16271         lmsw    %ax             # into protected mode
16272         # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
16273 -       ljmpl   $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
16274 +       ljmpl   $__BOOT_CS, $ta(startup_32_smp)
16275  
16276         # These need to be in the same 64K segment as the above;
16277         # hence we don't use the boot_gdt_descr defined in head.S
16278 diff -urNp linux-3.1.1/arch/x86/kernel/trampoline_64.S linux-3.1.1/arch/x86/kernel/trampoline_64.S
16279 --- linux-3.1.1/arch/x86/kernel/trampoline_64.S 2011-11-11 15:19:27.000000000 -0500
16280 +++ linux-3.1.1/arch/x86/kernel/trampoline_64.S 2011-11-16 18:39:07.000000000 -0500
16281 @@ -90,7 +90,7 @@ startup_32:
16282         movl    $__KERNEL_DS, %eax      # Initialize the %ds segment register
16283         movl    %eax, %ds
16284  
16285 -       movl    $X86_CR4_PAE, %eax
16286 +       movl    $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
16287         movl    %eax, %cr4              # Enable PAE mode
16288  
16289                                         # Setup trampoline 4 level pagetables
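Review bot: The trailing comment `# Enable PAE mode` at L16290 is stale now that L16289 loads `X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE`; change it to `# Enable PSE, PAE and PGE`. A second line noting why the trampoline wants global pages and large pages this early (presumably to match the page-table flags the kernel itself uses) would help, since the original deliberately set only PAE.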
16290 @@ -138,7 +138,7 @@ tidt:
16291         # so the kernel can live anywhere
16292         .balign 4
16293  tgdt:
16294 -       .short  tgdt_end - tgdt         # gdt limit
16295 +       .short  tgdt_end - tgdt - 1     # gdt limit
16296         .long   tgdt - r_base
16297         .short 0
16298         .quad   0x00cf9b000000ffff      # __KERNEL32_CS
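Review bot: `tgdt_end - tgdt - 1` at L16298 is the correct encoding — a descriptor-table limit holds the table size minus one — but the comment `# gdt limit` does not explain the `- 1`, and the old value looked plausible enough to have survived until now. Make the comment `# gdt limit = size - 1` so the fix is not later "corrected" back.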
16299 diff -urNp linux-3.1.1/arch/x86/kernel/traps.c linux-3.1.1/arch/x86/kernel/traps.c
16300 --- linux-3.1.1/arch/x86/kernel/traps.c 2011-11-11 15:19:27.000000000 -0500
16301 +++ linux-3.1.1/arch/x86/kernel/traps.c 2011-11-16 18:39:07.000000000 -0500
16302 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
16303  
16304  /* Do we ignore FPU interrupts ? */
16305  char ignore_fpu_irq;
16306 -
16307 -/*
16308 - * The IDT has to be page-aligned to simplify the Pentium
16309 - * F0 0F bug workaround.
16310 - */
16311 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
16312  #endif
16313  
16314  DECLARE_BITMAP(used_vectors, NR_VECTORS);
16315 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
16316  }
16317  
16318  static void __kprobes
16319 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
16320 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
16321         long error_code, siginfo_t *info)
16322  {
16323         struct task_struct *tsk = current;
16324  
16325  #ifdef CONFIG_X86_32
16326 -       if (regs->flags & X86_VM_MASK) {
16327 +       if (v8086_mode(regs)) {
16328                 /*
16329                  * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
16330                  * On nmi (interrupt 2), do_trap should not be called.
16331 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
16332         }
16333  #endif
16334  
16335 -       if (!user_mode(regs))
16336 +       if (!user_mode_novm(regs))
16337                 goto kernel_trap;
16338  
16339  #ifdef CONFIG_X86_32
16340 @@ -157,7 +151,7 @@ trap_signal:
16341             printk_ratelimit()) {
16342                 printk(KERN_INFO
16343                        "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
16344 -                      tsk->comm, tsk->pid, str,
16345 +                      tsk->comm, task_pid_nr(tsk), str,
16346                        regs->ip, regs->sp, error_code);
16347                 print_vma_addr(" in ", regs->ip);
16348                 printk("\n");
16349 @@ -174,8 +168,20 @@ kernel_trap:
16350         if (!fixup_exception(regs)) {
16351                 tsk->thread.error_code = error_code;
16352                 tsk->thread.trap_no = trapnr;
16353 +
16354 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16355 +               if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
16356 +                       str = "PAX: suspicious stack segment fault";
16357 +#endif
16358 +
16359                 die(str, regs, error_code);
16360         }
16361 +
16362 +#ifdef CONFIG_PAX_REFCOUNT
16363 +       if (trapnr == 4)
16364 +               pax_report_refcount_overflow(regs);
16365 +#endif
16366 +
16367         return;
16368  
16369  #ifdef CONFIG_X86_32
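Review bot: The new code at L16358 and L16366 compares `trapnr` against bare `12` and `4`, and L16358 masks `regs->cs & 0xFFFF` twice; the same literals recur at L16412 and L16427–L16430 in later hunks. Named constants for the stack-segment and overflow vectors and a single helper for the 16-bit selector extraction would make the KERNEXEC/REFCOUNT intent visible and keep the four sites in step. The `pax_report_refcount_overflow()` call at L16367 is reached only when `fixup_exception()` succeeded, since the other branch ends in `die()` (which presumably does not return); a comment to that effect at L16365 would help. `do_trap` begins before this hunk.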
16370 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
16371         conditional_sti(regs);
16372  
16373  #ifdef CONFIG_X86_32
16374 -       if (regs->flags & X86_VM_MASK)
16375 +       if (v8086_mode(regs))
16376                 goto gp_in_vm86;
16377  #endif
16378  
16379         tsk = current;
16380 -       if (!user_mode(regs))
16381 +       if (!user_mode_novm(regs))
16382                 goto gp_in_kernel;
16383  
16384 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16385 +       if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
16386 +               struct mm_struct *mm = tsk->mm;
16387 +               unsigned long limit;
16388 +
16389 +               down_write(&mm->mmap_sem);
16390 +               limit = mm->context.user_cs_limit;
16391 +               if (limit < TASK_SIZE) {
16392 +                       track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
16393 +                       up_write(&mm->mmap_sem);
16394 +                       return;
16395 +               }
16396 +               up_write(&mm->mmap_sem);
16397 +       }
16398 +#endif
16399 +
16400         tsk->thread.error_code = error_code;
16401         tsk->thread.trap_no = 13;
16402  
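Review bot: The `CONFIG_PAX_PAGEEXEC` block at L16387–L16401 returns from a user-mode #GP after calling `track_exec_limit()` when `user_cs_limit < TASK_SIZE`, without a comment on what is being emulated; `!(__supported_pte_mask & _PAGE_NX)` at L16388 shows it is the no-hardware-NX path, so if the design is to enforce non-exec via the user CS limit and retry the faulting instruction after raising it, a header comment saying exactly that belongs above L16387. The lock handling is correct but `up_write()` appears on both paths (L16396, L16399); a single unlock point would be cleaner, and the reason for `down_write` rather than `down_read` (presumably `track_exec_limit()` modifies the limit) belongs in the same comment. `do_general_protection` starts before this hunk.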
16403 @@ -304,6 +326,13 @@ gp_in_kernel:
16404         if (notify_die(DIE_GPF, "general protection fault", regs,
16405                                 error_code, 13, SIGSEGV) == NOTIFY_STOP)
16406                 return;
16407 +
16408 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16409 +       if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
16410 +               die("PAX: suspicious general protection fault", regs, error_code);
16411 +       else
16412 +#endif
16413 +
16414         die("general protection fault", regs, error_code);
16415  }
16416  
16417 @@ -433,6 +462,17 @@ static notrace __kprobes void default_do
16418  dotraplinkage notrace __kprobes void
16419  do_nmi(struct pt_regs *regs, long error_code)
16420  {
16421 +
16422 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16423 +       if (!user_mode(regs)) {
16424 +               unsigned long cs = regs->cs & 0xFFFF;
16425 +               unsigned long ip = ktva_ktla(regs->ip);
16426 +
16427 +               if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
16428 +                       regs->ip = ip;
16429 +       }
16430 +#endif
16431 +
16432         nmi_enter();
16433  
16434         inc_irq_stat(__nmi_count);
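Review bot: The boundary test `ip <= (unsigned long)_etext` at L16430 is inclusive, yet `_etext` marks the first byte past the text (this patch defines it at the end of `.text.end`, L16659), so `<` is probably the intended comparison; worth confirming rather than leaving a one-byte anomaly in the NMI path. The block also has no comment; if the purpose is to rewrite an IP taken in the KERNEXEC code segment to its linear address so the rest of the NMI path sees a normal kernel address, say so above L16425, e.g. `/* KERNEXEC: translate a code-segment-relative ip back to the linear kernel address */`. `do_nmi` continues beyond the hunk.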
16435 @@ -569,7 +609,7 @@ dotraplinkage void __kprobes do_debug(st
16436         /* It's safe to allow irq's after DR6 has been saved */
16437         preempt_conditional_sti(regs);
16438  
16439 -       if (regs->flags & X86_VM_MASK) {
16440 +       if (v8086_mode(regs)) {
16441                 handle_vm86_trap((struct kernel_vm86_regs *) regs,
16442                                 error_code, 1);
16443                 preempt_conditional_cli(regs);
16444 @@ -583,7 +623,7 @@ dotraplinkage void __kprobes do_debug(st
16445          * We already checked v86 mode above, so we can check for kernel mode
16446          * by just checking the CPL of CS.
16447          */
16448 -       if ((dr6 & DR_STEP) && !user_mode(regs)) {
16449 +       if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
16450                 tsk->thread.debugreg6 &= ~DR_STEP;
16451                 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
16452                 regs->flags &= ~X86_EFLAGS_TF;
16453 @@ -612,7 +652,7 @@ void math_error(struct pt_regs *regs, in
16454                 return;
16455         conditional_sti(regs);
16456  
16457 -       if (!user_mode_vm(regs))
16458 +       if (!user_mode(regs))
16459         {
16460                 if (!fixup_exception(regs)) {
16461                         task->thread.error_code = error_code;
16462 @@ -723,7 +763,7 @@ asmlinkage void __attribute__((weak)) sm
16463  void __math_state_restore(void)
16464  {
16465         struct thread_info *thread = current_thread_info();
16466 -       struct task_struct *tsk = thread->task;
16467 +       struct task_struct *tsk = current;
16468  
16469         /*
16470          * Paranoid restore. send a SIGSEGV if we fail to restore the state.
16471 @@ -750,8 +790,7 @@ void __math_state_restore(void)
16472   */
16473  asmlinkage void math_state_restore(void)
16474  {
16475 -       struct thread_info *thread = current_thread_info();
16476 -       struct task_struct *tsk = thread->task;
16477 +       struct task_struct *tsk = current;
16478  
16479         if (!tsk_used_math(tsk)) {
16480                 local_irq_enable();
16481 diff -urNp linux-3.1.1/arch/x86/kernel/verify_cpu.S linux-3.1.1/arch/x86/kernel/verify_cpu.S
16482 --- linux-3.1.1/arch/x86/kernel/verify_cpu.S    2011-11-11 15:19:27.000000000 -0500
16483 +++ linux-3.1.1/arch/x86/kernel/verify_cpu.S    2011-11-16 18:40:08.000000000 -0500
16484 @@ -20,6 +20,7 @@
16485   *     arch/x86/boot/compressed/head_64.S: Boot cpu verification
16486   *     arch/x86/kernel/trampoline_64.S: secondary processor verification
16487   *     arch/x86/kernel/head_32.S: processor startup
16488 + *     arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
16489   *
16490   *     verify_cpu, returns the status of longmode and SSE in register %eax.
16491   *             0: Success    1: Failure
16492 diff -urNp linux-3.1.1/arch/x86/kernel/vm86_32.c linux-3.1.1/arch/x86/kernel/vm86_32.c
16493 --- linux-3.1.1/arch/x86/kernel/vm86_32.c       2011-11-11 15:19:27.000000000 -0500
16494 +++ linux-3.1.1/arch/x86/kernel/vm86_32.c       2011-11-16 18:40:08.000000000 -0500
16495 @@ -41,6 +41,7 @@
16496  #include <linux/ptrace.h>
16497  #include <linux/audit.h>
16498  #include <linux/stddef.h>
16499 +#include <linux/grsecurity.h>
16500  
16501  #include <asm/uaccess.h>
16502  #include <asm/io.h>
16503 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
16504                 do_exit(SIGSEGV);
16505         }
16506  
16507 -       tss = &per_cpu(init_tss, get_cpu());
16508 +       tss = init_tss + get_cpu();
16509         current->thread.sp0 = current->thread.saved_sp0;
16510         current->thread.sysenter_cs = __KERNEL_CS;
16511         load_sp0(tss, &current->thread);
16512 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
16513         struct task_struct *tsk;
16514         int tmp, ret = -EPERM;
16515  
16516 +#ifdef CONFIG_GRKERNSEC_VM86
16517 +       if (!capable(CAP_SYS_RAWIO)) {
16518 +               gr_handle_vm86();
16519 +               goto out;
16520 +       }
16521 +#endif
16522 +
16523         tsk = current;
16524         if (tsk->thread.saved_sp0)
16525                 goto out;
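Review bot: The `CONFIG_GRKERNSEC_VM86` gate at L16519–L16524 is repeated almost verbatim at L16533–L16539 in the next hunk, differing only because `ret` is already `-EPERM` here (L16517) and must be set explicitly there. A small static helper that performs the `capable(CAP_SYS_RAWIO)` test and the `gr_handle_vm86()` call and returns a boolean would keep the two syscalls in step and leave `ret = -EPERM` as the only per-site line. Placing the check before any `tsk->thread` access is the right order and worth preserving. `sys_vm86old` continues outside the hunk.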
16526 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
16527         int tmp, ret;
16528         struct vm86plus_struct __user *v86;
16529  
16530 +#ifdef CONFIG_GRKERNSEC_VM86
16531 +       if (!capable(CAP_SYS_RAWIO)) {
16532 +               gr_handle_vm86();
16533 +               ret = -EPERM;
16534 +               goto out;
16535 +       }
16536 +#endif
16537 +
16538         tsk = current;
16539         switch (cmd) {
16540         case VM86_REQUEST_IRQ:
16541 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
16542         tsk->thread.saved_fs = info->regs32->fs;
16543         tsk->thread.saved_gs = get_user_gs(info->regs32);
16544  
16545 -       tss = &per_cpu(init_tss, get_cpu());
16546 +       tss = init_tss + get_cpu();
16547         tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
16548         if (cpu_has_sep)
16549                 tsk->thread.sysenter_cs = 0;
16550 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
16551                 goto cannot_handle;
16552         if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
16553                 goto cannot_handle;
16554 -       intr_ptr = (unsigned long __user *) (i << 2);
16555 +       intr_ptr = (__force unsigned long __user *) (i << 2);
16556         if (get_user(segoffs, intr_ptr))
16557                 goto cannot_handle;
16558         if ((segoffs >> 16) == BIOSSEG)
16559 diff -urNp linux-3.1.1/arch/x86/kernel/vmlinux.lds.S linux-3.1.1/arch/x86/kernel/vmlinux.lds.S
16560 --- linux-3.1.1/arch/x86/kernel/vmlinux.lds.S   2011-11-11 15:19:27.000000000 -0500
16561 +++ linux-3.1.1/arch/x86/kernel/vmlinux.lds.S   2011-11-16 18:39:07.000000000 -0500
16562 @@ -26,6 +26,13 @@
16563  #include <asm/page_types.h>
16564  #include <asm/cache.h>
16565  #include <asm/boot.h>
16566 +#include <asm/segment.h>
16567 +
16568 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16569 +#define __KERNEL_TEXT_OFFSET   (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
16570 +#else
16571 +#define __KERNEL_TEXT_OFFSET   0
16572 +#endif
16573  
16574  #undef i386     /* in case the preprocessor is a 32bit one */
16575  
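Review bot: `__KERNEL_TEXT_OFFSET` at L16571–L16575 is introduced without a comment, yet it is the pivot for the whole KERNEXEC link layout below (`.text (. - __KERNEL_TEXT_OFFSET)` at L16619, `. += __KERNEL_TEXT_OFFSET` at L16640, `_etext = . - __KERNEL_TEXT_OFFSET` at L16659). If the intent is that 32-bit KERNEXEC links `.text` that far below its load address so its VMAs are relative to the kernel code segment, a comment above L16571 such as `/* KERNEXEC/32-bit: .text is linked __KERNEL_TEXT_OFFSET below its load address; 0 on all other configurations */` would anchor those uses. Adjust the wording if the segment explanation is not exact.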
16576 @@ -69,30 +76,43 @@ jiffies_64 = jiffies;
16577  
16578  PHDRS {
16579         text PT_LOAD FLAGS(5);          /* R_E */
16580 +#ifdef CONFIG_X86_32
16581 +       module PT_LOAD FLAGS(5);        /* R_E */
16582 +#endif
16583 +#ifdef CONFIG_XEN
16584 +       rodata PT_LOAD FLAGS(5);        /* R_E */
16585 +#else
16586 +       rodata PT_LOAD FLAGS(4);        /* R__ */
16587 +#endif
16588         data PT_LOAD FLAGS(6);          /* RW_ */
16589 -#ifdef CONFIG_X86_64
16590 +       init.begin PT_LOAD FLAGS(6);    /* RW_ */
16591  #ifdef CONFIG_SMP
16592         percpu PT_LOAD FLAGS(6);        /* RW_ */
16593  #endif
16594 +       text.init PT_LOAD FLAGS(5);     /* R_E */
16595 +       text.exit PT_LOAD FLAGS(5);     /* R_E */
16596         init PT_LOAD FLAGS(7);          /* RWE */
16597 -#endif
16598         note PT_NOTE FLAGS(0);          /* ___ */
16599  }
16600  
16601  SECTIONS
16602  {
16603  #ifdef CONFIG_X86_32
16604 -        . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
16605 -        phys_startup_32 = startup_32 - LOAD_OFFSET;
16606 +       . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
16607  #else
16608 -        . = __START_KERNEL;
16609 -        phys_startup_64 = startup_64 - LOAD_OFFSET;
16610 +       . = __START_KERNEL;
16611  #endif
16612  
16613         /* Text and read-only data */
16614 -       .text :  AT(ADDR(.text) - LOAD_OFFSET) {
16615 -               _text = .;
16616 +       .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
16617                 /* bootstrapping code */
16618 +#ifdef CONFIG_X86_32
16619 +               phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16620 +#else
16621 +               phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16622 +#endif
16623 +               __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16624 +               _text = .;
16625                 HEAD_TEXT
16626  #ifdef CONFIG_X86_32
16627                 . = ALIGN(PAGE_SIZE);
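Review bot: The Xen variant at L16586–L16590 makes the `rodata` program header `FLAGS(5)` (R_E), so read-only data becomes executable under `CONFIG_XEN`, while every other configuration gets `FLAGS(4)`; no comment says why Xen needs this, and it quietly widens the executable mapping that the rest of the hunk works to tighten. Add the reason above L16586, e.g. `/* XEN: <constraint that requires rodata to be mapped executable> */` with the concrete constraint filled in, so the exception can be revisited when it no longer applies. The new `init.begin` (L16593), `text.init` and `text.exit` (L16597–L16598) headers would also benefit from one line on why init text is split out of the RWE `init` segment.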
16628 @@ -108,13 +128,47 @@ SECTIONS
16629                 IRQENTRY_TEXT
16630                 *(.fixup)
16631                 *(.gnu.warning)
16632 -               /* End of text section */
16633 -               _etext = .;
16634         } :text = 0x9090
16635  
16636 -       NOTES :text :note
16637 +       . += __KERNEL_TEXT_OFFSET;
16638 +
16639 +#ifdef CONFIG_X86_32
16640 +       . = ALIGN(PAGE_SIZE);
16641 +       .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
16642 +
16643 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
16644 +               MODULES_EXEC_VADDR = .;
16645 +               BYTE(0)
16646 +               . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
16647 +               . = ALIGN(HPAGE_SIZE);
16648 +               MODULES_EXEC_END = . - 1;
16649 +#endif
16650 +
16651 +       } :module
16652 +#endif
16653 +
16654 +       .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
16655 +               /* End of text section */
16656 +               _etext = . - __KERNEL_TEXT_OFFSET;
16657 +       }
16658 +
16659 +#ifdef CONFIG_X86_32
16660 +       . = ALIGN(PAGE_SIZE);
16661 +       .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
16662 +               *(.idt)
16663 +               . = ALIGN(PAGE_SIZE);
16664 +               *(.empty_zero_page)
16665 +               *(.initial_pg_fixmap)
16666 +               *(.initial_pg_pmd)
16667 +               *(.initial_page_table)
16668 +               *(.swapper_pg_dir)
16669 +       } :rodata
16670 +#endif
16671 +
16672 +       . = ALIGN(PAGE_SIZE);
16673 +       NOTES :rodata :note
16674  
16675 -       EXCEPTION_TABLE(16) :text = 0x9090
16676 +       EXCEPTION_TABLE(16) :rodata
16677  
16678  #if defined(CONFIG_DEBUG_RODATA)
16679         /* .text should occupy whole number of pages */
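Review bot: The new `.rodata.page_aligned` output section at L16664–L16672 gathers `.idt`, `.empty_zero_page` and the initial page tables (`.initial_pg_*`, `.initial_page_table`, `.swapper_pg_dir`) under the read-only `:rodata` header without saying how those objects are still written during boot (the early page tables presumably are); a comment such as `/* KERNEXEC: IDT and early page tables are placed in read-only memory; boot-time updates must go through the kernel's write-enable path */`, adjusted to the actual mechanism, would pre-empt the obvious question. The reserved module window at L16646–L16652 also deserves a line, e.g. `/* reserve CONFIG_PAX_KERNEXEC_MODULE_TEXT MiB of executable address space for module text, HPAGE-aligned */`, since the `BYTE(0)` plus `. +=` idiom is not self-explanatory.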
16680 @@ -126,16 +180,20 @@ SECTIONS
16681  
16682         /* Data */
16683         .data : AT(ADDR(.data) - LOAD_OFFSET) {
16684 +
16685 +#ifdef CONFIG_PAX_KERNEXEC
16686 +               . = ALIGN(HPAGE_SIZE);
16687 +#else
16688 +               . = ALIGN(PAGE_SIZE);
16689 +#endif
16690 +
16691                 /* Start of data section */
16692                 _sdata = .;
16693  
16694                 /* init_task */
16695                 INIT_TASK_DATA(THREAD_SIZE)
16696  
16697 -#ifdef CONFIG_X86_32
16698 -               /* 32 bit has nosave before _edata */
16699                 NOSAVE_DATA
16700 -#endif
16701  
16702                 PAGE_ALIGNED_DATA(PAGE_SIZE)
16703  
16704 @@ -176,12 +234,19 @@ SECTIONS
16705  #endif /* CONFIG_X86_64 */
16706  
16707         /* Init code and data - will be freed after init */
16708 -       . = ALIGN(PAGE_SIZE);
16709         .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
16710 +               BYTE(0)
16711 +
16712 +#ifdef CONFIG_PAX_KERNEXEC
16713 +               . = ALIGN(HPAGE_SIZE);
16714 +#else
16715 +               . = ALIGN(PAGE_SIZE);
16716 +#endif
16717 +
16718                 __init_begin = .; /* paired with __init_end */
16719 -       }
16720 +       } :init.begin
16721  
16722 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
16723 +#ifdef CONFIG_SMP
16724         /*
16725          * percpu offsets are zero-based on SMP.  PERCPU_VADDR() changes the
16726          * output PHDR, so the next output section - .init.text - should
16727 @@ -190,12 +255,27 @@ SECTIONS
16728         PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
16729  #endif
16730  
16731 -       INIT_TEXT_SECTION(PAGE_SIZE)
16732 -#ifdef CONFIG_X86_64
16733 -       :init
16734 -#endif
16735 +       . = ALIGN(PAGE_SIZE);
16736 +       init_begin = .;
16737 +       .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
16738 +               VMLINUX_SYMBOL(_sinittext) = .;
16739 +               INIT_TEXT
16740 +               VMLINUX_SYMBOL(_einittext) = .;
16741 +               . = ALIGN(PAGE_SIZE);
16742 +       } :text.init
16743  
16744 -       INIT_DATA_SECTION(16)
16745 +       /*
16746 +        * .exit.text is discard at runtime, not link time, to deal with
16747 +        *  references from .altinstructions and .eh_frame
16748 +        */
16749 +       .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
16750 +               EXIT_TEXT
16751 +               . = ALIGN(16);
16752 +       } :text.exit
16753 +       . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
16754 +
16755 +       . = ALIGN(PAGE_SIZE);
16756 +       INIT_DATA_SECTION(16) :init
16757  
16758         /*
16759          * Code and data for a variety of lowlevel trampolines, to be
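Review bot: The `.init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET)` line and the later `. = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);` reset carry no comment on why the VMA is shifted down by `__KERNEL_TEXT_OFFSET` while the LMA stays at `init_begin`, which the `_etext = . - __KERNEL_TEXT_OFFSET` definition in the preceding hunk and the size `ASSERT` in the last hunk of this file both depend on. Anyone reordering these sections will silently break that arithmetic, so a note above the `.init.text` line is warranted, e.g. `/* KERNEXEC: init/exit code is linked at VMA - __KERNEL_TEXT_OFFSET but loaded at init_begin; restore . afterwards so following sections get the unshifted address */`. The `.exit.text` comment moved here also keeps the original typo `is discard` (should read `is discarded`).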
16760 @@ -269,19 +349,12 @@ SECTIONS
16761         }
16762  
16763         . = ALIGN(8);
16764 -       /*
16765 -        * .exit.text is discard at runtime, not link time, to deal with
16766 -        *  references from .altinstructions and .eh_frame
16767 -        */
16768 -       .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
16769 -               EXIT_TEXT
16770 -       }
16771  
16772         .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
16773                 EXIT_DATA
16774         }
16775  
16776 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
16777 +#ifndef CONFIG_SMP
16778         PERCPU_SECTION(INTERNODE_CACHE_BYTES)
16779  #endif
16780  
16781 @@ -300,16 +373,10 @@ SECTIONS
16782         .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
16783                 __smp_locks = .;
16784                 *(.smp_locks)
16785 -               . = ALIGN(PAGE_SIZE);
16786                 __smp_locks_end = .;
16787 +               . = ALIGN(PAGE_SIZE);
16788         }
16789  
16790 -#ifdef CONFIG_X86_64
16791 -       .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
16792 -               NOSAVE_DATA
16793 -       }
16794 -#endif
16795 -
16796         /* BSS */
16797         . = ALIGN(PAGE_SIZE);
16798         .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
16799 @@ -325,6 +392,7 @@ SECTIONS
16800                 __brk_base = .;
16801                 . += 64 * 1024;         /* 64k alignment slop space */
16802                 *(.brk_reservation)     /* areas brk users have reserved */
16803 +               . = ALIGN(HPAGE_SIZE);
16804                 __brk_limit = .;
16805         }
16806  
16807 @@ -351,13 +419,12 @@ SECTIONS
16808   * for the boot processor.
16809   */
16810  #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
16811 -INIT_PER_CPU(gdt_page);
16812  INIT_PER_CPU(irq_stack_union);
16813  
16814  /*
16815   * Build-time check on the image size:
16816   */
16817 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
16818 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
16819            "kernel image bigger than KERNEL_IMAGE_SIZE");
16820  
16821  #ifdef CONFIG_SMP
16822 diff -urNp linux-3.1.1/arch/x86/kernel/vsyscall_64.c linux-3.1.1/arch/x86/kernel/vsyscall_64.c
16823 --- linux-3.1.1/arch/x86/kernel/vsyscall_64.c   2011-11-11 15:19:27.000000000 -0500
16824 +++ linux-3.1.1/arch/x86/kernel/vsyscall_64.c   2011-11-16 18:39:07.000000000 -0500
16825 @@ -56,15 +56,13 @@ DEFINE_VVAR(struct vsyscall_gtod_data, v
16826         .lock = __SEQLOCK_UNLOCKED(__vsyscall_gtod_data.lock),
16827  };
16828  
16829 -static enum { EMULATE, NATIVE, NONE } vsyscall_mode = NATIVE;
16830 +static enum { EMULATE, NONE } vsyscall_mode = EMULATE;
16831  
16832  static int __init vsyscall_setup(char *str)
16833  {
16834         if (str) {
16835                 if (!strcmp("emulate", str))
16836                         vsyscall_mode = EMULATE;
16837 -               else if (!strcmp("native", str))
16838 -                       vsyscall_mode = NATIVE;
16839                 else if (!strcmp("none", str))
16840                         vsyscall_mode = NONE;
16841                 else
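Review bot: Dropping `NATIVE` means a `vsyscall=native` boot parameter now falls through to the `else` branch below this hunk instead of being accepted, and the kernel-parameters documentation listing `native` is not touched by this patch. A comment on the enum would mark this as deliberate rather than an omission, e.g. `/* NATIVE is intentionally unsupported: map_vsyscall() maps the page with PAGE_KERNEL_VVAR, so every vsyscall traps and is emulated. */`. The body of `vsyscall_setup` continues outside the hunk.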
16842 @@ -177,7 +175,7 @@ bool emulate_vsyscall(struct pt_regs *re
16843  
16844         tsk = current;
16845         if (seccomp_mode(&tsk->seccomp))
16846 -               do_exit(SIGKILL);
16847 +               do_group_exit(SIGKILL);
16848  
16849         switch (vsyscall_nr) {
16850         case 0:
16851 @@ -219,8 +217,7 @@ bool emulate_vsyscall(struct pt_regs *re
16852         return true;
16853  
16854  sigsegv:
16855 -       force_sig(SIGSEGV, current);
16856 -       return true;
16857 +       do_group_exit(SIGKILL);
16858  }
16859  
16860  /*
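Review bot: Replacing `force_sig(SIGSEGV, current); return true;` with `do_group_exit(SIGKILL);` leaves `emulate_vsyscall`, a `bool` function, with no return on the `sigsegv` path; this compiles only because `do_group_exit` is annotated as not returning, and that dependency deserves a comment such as `/* do_group_exit() never returns; no return value needed here */`. The behavioural change should be documented too: a malformed vsyscall now kills the whole thread group instead of delivering a catchable SIGSEGV, which removes an attacker's ability to retry inside the same process but also turns a handled fault in a legitimate program into process death. The same substitution is made on the seccomp path in the previous hunk. The function begins outside this hunk.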
16861 @@ -273,10 +270,7 @@ void __init map_vsyscall(void)
16862         extern char __vvar_page;
16863         unsigned long physaddr_vvar_page = __pa_symbol(&__vvar_page);
16864  
16865 -       __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall,
16866 -                    vsyscall_mode == NATIVE
16867 -                    ? PAGE_KERNEL_VSYSCALL
16868 -                    : PAGE_KERNEL_VVAR);
16869 +       __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall, PAGE_KERNEL_VVAR);
16870         BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_FIRST_PAGE) !=
16871                      (unsigned long)VSYSCALL_START);
16872  
16873 diff -urNp linux-3.1.1/arch/x86/kernel/x8664_ksyms_64.c linux-3.1.1/arch/x86/kernel/x8664_ksyms_64.c
16874 --- linux-3.1.1/arch/x86/kernel/x8664_ksyms_64.c        2011-11-11 15:19:27.000000000 -0500
16875 +++ linux-3.1.1/arch/x86/kernel/x8664_ksyms_64.c        2011-11-16 18:39:07.000000000 -0500
16876 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
16877  EXPORT_SYMBOL(copy_user_generic_string);
16878  EXPORT_SYMBOL(copy_user_generic_unrolled);
16879  EXPORT_SYMBOL(__copy_user_nocache);
16880 -EXPORT_SYMBOL(_copy_from_user);
16881 -EXPORT_SYMBOL(_copy_to_user);
16882  
16883  EXPORT_SYMBOL(copy_page);
16884  EXPORT_SYMBOL(clear_page);
16885 diff -urNp linux-3.1.1/arch/x86/kernel/xsave.c linux-3.1.1/arch/x86/kernel/xsave.c
16886 --- linux-3.1.1/arch/x86/kernel/xsave.c 2011-11-11 15:19:27.000000000 -0500
16887 +++ linux-3.1.1/arch/x86/kernel/xsave.c 2011-11-16 18:39:07.000000000 -0500
16888 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
16889             fx_sw_user->xstate_size > fx_sw_user->extended_size)
16890                 return -EINVAL;
16891  
16892 -       err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
16893 +       err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
16894                                             fx_sw_user->extended_size -
16895                                             FP_XSTATE_MAGIC2_SIZE));
16896         if (err)
16897 @@ -267,7 +267,7 @@ fx_only:
16898          * the other extended state.
16899          */
16900         xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
16901 -       return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
16902 +       return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
16903  }
16904  
16905  /*
16906 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
16907         if (use_xsave())
16908                 err = restore_user_xstate(buf);
16909         else
16910 -               err = fxrstor_checking((__force struct i387_fxsave_struct *)
16911 +               err = fxrstor_checking((struct i387_fxsave_struct __force_kernel *)
16912                                        buf);
16913         if (unlikely(err)) {
16914                 /*
16915 diff -urNp linux-3.1.1/arch/x86/kvm/emulate.c linux-3.1.1/arch/x86/kvm/emulate.c
16916 --- linux-3.1.1/arch/x86/kvm/emulate.c  2011-11-11 15:19:27.000000000 -0500
16917 +++ linux-3.1.1/arch/x86/kvm/emulate.c  2011-11-16 18:39:07.000000000 -0500
16918 @@ -96,7 +96,7 @@
16919  #define Src2ImmByte (2<<29)
16920  #define Src2One     (3<<29)
16921  #define Src2Imm     (4<<29)
16922 -#define Src2Mask    (7<<29)
16923 +#define Src2Mask    (7U<<29)
16924  
16925  #define X2(x...) x, x
16926  #define X3(x...) X2(x), x
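Review bot: Making `Src2Mask` unsigned removes the signed-overflow UB in `7<<29`, but `Src2Imm (4<<29)` two lines above has the same defect (`4<<29` is 2^31, not representable in `int`) and is left unchanged; it should become `#define Src2Imm     (4U<<29)`. Giving the remaining `Src2*` values the same `U` suffix would keep the group consistent and avoid the next bit added to this field reintroducing the problem.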
16927 @@ -207,6 +207,7 @@ struct gprefix {
16928  
16929  #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
16930         do {                                                            \
16931 +               unsigned long _tmp;                                     \
16932                 __asm__ __volatile__ (                                  \
16933                         _PRE_EFLAGS("0", "4", "2")                      \
16934                         _op _suffix " %"_x"3,%1; "                      \
16935 @@ -220,8 +221,6 @@ struct gprefix {
16936  /* Raw emulation: instruction has two explicit operands. */
16937  #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
16938         do {                                                            \
16939 -               unsigned long _tmp;                                     \
16940 -                                                                       \
16941                 switch ((_dst).bytes) {                                 \
16942                 case 2:                                                 \
16943                         ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
16944 @@ -237,7 +236,6 @@ struct gprefix {
16945  
16946  #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
16947         do {                                                                 \
16948 -               unsigned long _tmp;                                          \
16949                 switch ((_dst).bytes) {                                      \
16950                 case 1:                                                      \
16951                         ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
16952 diff -urNp linux-3.1.1/arch/x86/kvm/lapic.c linux-3.1.1/arch/x86/kvm/lapic.c
16953 --- linux-3.1.1/arch/x86/kvm/lapic.c    2011-11-11 15:19:27.000000000 -0500
16954 +++ linux-3.1.1/arch/x86/kvm/lapic.c    2011-11-16 18:39:07.000000000 -0500
16955 @@ -53,7 +53,7 @@
16956  #define APIC_BUS_CYCLE_NS 1
16957  
16958  /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
16959 -#define apic_debug(fmt, arg...)
16960 +#define apic_debug(fmt, arg...) do {} while (0)
16961  
16962  #define APIC_LVT_NUM                   6
16963  /* 14 is the version for Xeon and Pentium 8.4.8*/
16964 diff -urNp linux-3.1.1/arch/x86/kvm/mmu.c linux-3.1.1/arch/x86/kvm/mmu.c
16965 --- linux-3.1.1/arch/x86/kvm/mmu.c      2011-11-11 15:19:27.000000000 -0500
16966 +++ linux-3.1.1/arch/x86/kvm/mmu.c      2011-11-16 18:39:07.000000000 -0500
16967 @@ -3552,7 +3552,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
16968  
16969         pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
16970  
16971 -       invlpg_counter = atomic_read(&vcpu->kvm->arch.invlpg_counter);
16972 +       invlpg_counter = atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter);
16973  
16974         /*
16975          * Assume that the pte write on a page table of the same type
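Review bot: Switching `invlpg_counter` to `atomic_read_unchecked` here, in the next hunk, and to `atomic_inc_unchecked` in the paging_tmpl.h `invlpg` hunk opts this counter out of PAX_REFCOUNT overflow detection, which is appropriate for a generation counter that is expected to wrap, but only builds if its declaration in `struct kvm_arch` is changed to `atomic_unchecked_t` in the same patch — that header change is not visible here and should be confirmed. A one-line comment at the declaration, e.g. `/* generation counter, wrapping is fine: exempt from refcount overflow checks */`, would keep a future cleanup from reverting it to the checked variant.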
16976 @@ -3584,7 +3584,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
16977         }
16978  
16979         spin_lock(&vcpu->kvm->mmu_lock);
16980 -       if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
16981 +       if (atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
16982                 gentry = 0;
16983         kvm_mmu_free_some_pages(vcpu);
16984         ++vcpu->kvm->stat.mmu_pte_write;
16985 diff -urNp linux-3.1.1/arch/x86/kvm/paging_tmpl.h linux-3.1.1/arch/x86/kvm/paging_tmpl.h
16986 --- linux-3.1.1/arch/x86/kvm/paging_tmpl.h      2011-11-11 15:19:27.000000000 -0500
16987 +++ linux-3.1.1/arch/x86/kvm/paging_tmpl.h      2011-11-16 19:40:44.000000000 -0500
16988 @@ -197,7 +197,7 @@ retry_walk:
16989                 if (unlikely(kvm_is_error_hva(host_addr)))
16990                         goto error;
16991  
16992 -               ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
16993 +               ptep_user = (pt_element_t __force_user *)((void *)host_addr + offset);
16994                 if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte))))
16995                         goto error;
16996  
16997 @@ -575,6 +575,8 @@ static int FNAME(page_fault)(struct kvm_
16998         unsigned long mmu_seq;
16999         bool map_writable;
17000  
17001 +       pax_track_stack();
17002 +
17003         pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
17004  
17005         if (unlikely(error_code & PFERR_RSVD_MASK))
17006 @@ -701,7 +703,7 @@ static void FNAME(invlpg)(struct kvm_vcp
17007         if (need_flush)
17008                 kvm_flush_remote_tlbs(vcpu->kvm);
17009  
17010 -       atomic_inc(&vcpu->kvm->arch.invlpg_counter);
17011 +       atomic_inc_unchecked(&vcpu->kvm->arch.invlpg_counter);
17012  
17013         spin_unlock(&vcpu->kvm->mmu_lock);
17014  
17015 diff -urNp linux-3.1.1/arch/x86/kvm/svm.c linux-3.1.1/arch/x86/kvm/svm.c
17016 --- linux-3.1.1/arch/x86/kvm/svm.c      2011-11-11 15:19:27.000000000 -0500
17017 +++ linux-3.1.1/arch/x86/kvm/svm.c      2011-11-16 18:39:07.000000000 -0500
17018 @@ -3381,7 +3381,11 @@ static void reload_tss(struct kvm_vcpu *
17019         int cpu = raw_smp_processor_id();
17020  
17021         struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
17022 +
17023 +       pax_open_kernel();
17024         sd->tss_desc->type = 9; /* available 32/64-bit TSS */
17025 +       pax_close_kernel();
17026 +
17027         load_TR_desc();
17028  }
17029  
17030 @@ -3759,6 +3763,10 @@ static void svm_vcpu_run(struct kvm_vcpu
17031  #endif
17032  #endif
17033  
17034 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
17035 +       __set_fs(current_thread_info()->addr_limit);
17036 +#endif
17037 +
17038         reload_tss(vcpu);
17039  
17040         local_irq_disable();
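Review bot: The `__set_fs(current_thread_info()->addr_limit)` block under `CONFIG_X86_32 && CONFIG_PAX_MEMORY_UDEREF` is duplicated verbatim in `vmx_vcpu_run` later in this patch, and neither site says why the user address limit must be re-established after a VM exit; presumably the hardware reloads the segment registers from the VMCB/VMCS on exit, but that should be confirmed and written down. A small static inline helper in a shared header, or at minimum a comment such as `/* UDEREF: VM exit reloaded the segment registers; restore the per-task user segment limit before any user access */`, would keep both call sites in sync. `svm_vcpu_run` starts and ends outside this hunk.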
17041 diff -urNp linux-3.1.1/arch/x86/kvm/vmx.c linux-3.1.1/arch/x86/kvm/vmx.c
17042 --- linux-3.1.1/arch/x86/kvm/vmx.c      2011-11-11 15:19:27.000000000 -0500
17043 +++ linux-3.1.1/arch/x86/kvm/vmx.c      2011-11-16 18:39:07.000000000 -0500
17044 @@ -1251,7 +1251,11 @@ static void reload_tss(void)
17045         struct desc_struct *descs;
17046  
17047         descs = (void *)gdt->address;
17048 +
17049 +       pax_open_kernel();
17050         descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
17051 +       pax_close_kernel();
17052 +
17053         load_TR_desc();
17054  }
17055  
17056 @@ -2520,8 +2524,11 @@ static __init int hardware_setup(void)
17057         if (!cpu_has_vmx_flexpriority())
17058                 flexpriority_enabled = 0;
17059  
17060 -       if (!cpu_has_vmx_tpr_shadow())
17061 -               kvm_x86_ops->update_cr8_intercept = NULL;
17062 +       if (!cpu_has_vmx_tpr_shadow()) {
17063 +               pax_open_kernel();
17064 +               *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
17065 +               pax_close_kernel();
17066 +       }
17067  
17068         if (enable_ept && !cpu_has_vmx_ept_2m_page())
17069                 kvm_disable_largepages();
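Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a `void **` cast that hides the member's real type and exists only to defeat a `const` qualifier, presumably because `kvm_x86_ops` is made read-only elsewhere in this patch (the `kvm_arch_init(const void *opaque)` hunk in x86.c still casts it back to a mutable `struct kvm_x86_ops *`). A comment at the assignment should state that the ops table is write-protected and that the `pax_open_kernel()`/`pax_close_kernel()` pair brackets the one sanctioned write, e.g. `/* kvm_x86_ops is read-only after init; lift KERNEXEC protection only for this one-time fixup */`. The open/close window is already as small as it can be, which is the right shape for such writes.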
17070 @@ -3535,7 +3542,7 @@ static void vmx_set_constant_host_state(
17071         vmcs_writel(HOST_IDTR_BASE, dt.address);   /* 22.2.4 */
17072  
17073         asm("mov $.Lkvm_vmx_return, %0" : "=r"(tmpl));
17074 -       vmcs_writel(HOST_RIP, tmpl); /* 22.2.5 */
17075 +       vmcs_writel(HOST_RIP, ktla_ktva(tmpl)); /* 22.2.5 */
17076  
17077         rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
17078         vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
17079 @@ -6021,6 +6028,12 @@ static void __noclone vmx_vcpu_run(struc
17080                 "jmp .Lkvm_vmx_return \n\t"
17081                 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
17082                 ".Lkvm_vmx_return: "
17083 +
17084 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17085 +               "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
17086 +               ".Lkvm_vmx_return2: "
17087 +#endif
17088 +
17089                 /* Save guest registers, load host registers, keep flags */
17090                 "mov %0, %c[wordsize](%%"R"sp) \n\t"
17091                 "pop %0 \n\t"
17092 @@ -6069,6 +6082,11 @@ static void __noclone vmx_vcpu_run(struc
17093  #endif
17094                 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
17095                 [wordsize]"i"(sizeof(ulong))
17096 +
17097 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17098 +               ,[cs]"i"(__KERNEL_CS)
17099 +#endif
17100 +
17101               : "cc", "memory"
17102                 , R"ax", R"bx", R"di", R"si"
17103  #ifdef CONFIG_X86_64
17104 @@ -6097,7 +6115,16 @@ static void __noclone vmx_vcpu_run(struc
17105                 }
17106         }
17107  
17108 -       asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
17109 +       asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
17110 +
17111 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17112 +       loadsegment(fs, __KERNEL_PERCPU);
17113 +#endif
17114 +
17115 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
17116 +       __set_fs(current_thread_info()->addr_limit);
17117 +#endif
17118 +
17119         vmx->loaded_vmcs->launched = 1;
17120  
17121         vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
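Review bot: The selector reload now also writes `%ss` and switches from `__USER_DS` to `__KERNEL_DS`, with no comment on why the host stack segment needs refreshing after a VM exit or why the user selector was no longer acceptable; presumably this is so the UDEREF/KERNEXEC kernel segment limits are in effect for every data access after the exit, but that should be confirmed and stated next to the `asm`. A comment such as `/* reload DS/ES/SS with the kernel selector so segment-based hardening applies after the VM exit */` would explain both the selector change and the added `%ss` write. The `loadsegment(fs, __KERNEL_PERCPU)` and `__set_fs` blocks that follow are the same pattern as in `svm_vcpu_run` and should share the explanation. `vmx_vcpu_run` starts and ends outside this hunk.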
17122 diff -urNp linux-3.1.1/arch/x86/kvm/x86.c linux-3.1.1/arch/x86/kvm/x86.c
17123 --- linux-3.1.1/arch/x86/kvm/x86.c      2011-11-11 15:19:27.000000000 -0500
17124 +++ linux-3.1.1/arch/x86/kvm/x86.c      2011-11-16 18:39:07.000000000 -0500
17125 @@ -1334,8 +1334,8 @@ static int xen_hvm_config(struct kvm_vcp
17126  {
17127         struct kvm *kvm = vcpu->kvm;
17128         int lm = is_long_mode(vcpu);
17129 -       u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64
17130 -               : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
17131 +       u8 __user *blob_addr = lm ? (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_64
17132 +               : (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
17133         u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
17134                 : kvm->arch.xen_hvm_config.blob_size_32;
17135         u32 page_num = data & ~PAGE_MASK;
17136 @@ -2137,6 +2137,8 @@ long kvm_arch_dev_ioctl(struct file *fil
17137                 if (n < msr_list.nmsrs)
17138                         goto out;
17139                 r = -EFAULT;
17140 +               if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
17141 +                       goto out;
17142                 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
17143                                  num_msrs_to_save * sizeof(u32)))
17144                         goto out;
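Review bot: The new bound `num_msrs_to_save > ARRAY_SIZE(msrs_to_save)` guards a kernel-internal count, so reporting it to userspace as `-EFAULT` (the `r` set two lines above) mislabels an internal invariant violation as a bad user pointer. Prefer making it loud and distinguishable: `r = -E2BIG;` followed by `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save))) goto out;`, or keep `-EFAULT` and add a comment that the check is a defensive cap on the `copy_to_user` length. `kvm_arch_dev_ioctl` starts and ends outside the hunk.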
17145 @@ -2312,15 +2314,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
17146                                      struct kvm_cpuid2 *cpuid,
17147                                      struct kvm_cpuid_entry2 __user *entries)
17148  {
17149 -       int r;
17150 +       int r, i;
17151  
17152         r = -E2BIG;
17153         if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
17154                 goto out;
17155         r = -EFAULT;
17156 -       if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
17157 -                          cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
17158 +       if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
17159                 goto out;
17160 +       for (i = 0; i < cpuid->nent; ++i) {
17161 +               struct kvm_cpuid_entry2 cpuid_entry;
17162 +               if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
17163 +                       goto out;
17164 +               vcpu->arch.cpuid_entries[i] = cpuid_entry;
17165 +       }
17166         vcpu->arch.cpuid_nent = cpuid->nent;
17167         kvm_apic_set_version(vcpu);
17168         kvm_x86_ops->cpuid_update(vcpu);
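Review bot: The one-shot `copy_from_user` into `vcpu->arch.cpuid_entries` is replaced by `access_ok` plus a per-entry `__copy_from_user` loop with no comment saying why; presumably the aim is that each user copy lands in a single bounded stack object so the PAX_USERCOPY size check accepts it, which should be confirmed and written down, e.g. `/* copy entry by entry so each user copy targets one bounded stack object (PAX_USERCOPY) */`. The failure semantics are unchanged from the original partial copy: on a fault mid-loop, entries `[0, i)` are already overwritten while `cpuid_nent` keeps its old value, so the caller sees a partially updated table either way, and that is worth a sentence in the same comment. The mirrored restructuring in `kvm_vcpu_ioctl_get_cpuid2` in the next hunk needs the same comment.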
17169 @@ -2335,15 +2342,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
17170                                      struct kvm_cpuid2 *cpuid,
17171                                      struct kvm_cpuid_entry2 __user *entries)
17172  {
17173 -       int r;
17174 +       int r, i;
17175  
17176         r = -E2BIG;
17177         if (cpuid->nent < vcpu->arch.cpuid_nent)
17178                 goto out;
17179         r = -EFAULT;
17180 -       if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
17181 -                        vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
17182 +       if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
17183                 goto out;
17184 +       for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
17185 +               struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
17186 +               if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
17187 +                       goto out;
17188 +       }
17189         return 0;
17190  
17191  out:
17192 @@ -2718,7 +2729,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
17193  static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
17194                                     struct kvm_interrupt *irq)
17195  {
17196 -       if (irq->irq < 0 || irq->irq >= 256)
17197 +       if (irq->irq >= 256)
17198                 return -EINVAL;
17199         if (irqchip_in_kernel(vcpu->kvm))
17200                 return -ENXIO;
17201 @@ -5089,7 +5100,7 @@ static void kvm_set_mmio_spte_mask(void)
17202         kvm_mmu_set_mmio_spte_mask(mask);
17203  }
17204  
17205 -int kvm_arch_init(void *opaque)
17206 +int kvm_arch_init(const void *opaque)
17207  {
17208         int r;
17209         struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
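Review bot: The signature now promises `const void *opaque`, but the unchanged line below casts it straight to a mutable `struct kvm_x86_ops *`, so the qualifier is discarded at first use and gives callers a guarantee the body does not honour. Either carry the const through (`const struct kvm_x86_ops *ops = opaque;`) if the body only reads it, or add a comment at the cast explaining that const is dropped deliberately because the table is written later under `pax_open_kernel()`. The body of `kvm_arch_init` continues outside the hunk, and the matching prototype in the kvm headers must be changed to agree (not visible here).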
17210 diff -urNp linux-3.1.1/arch/x86/lguest/boot.c linux-3.1.1/arch/x86/lguest/boot.c
17211 --- linux-3.1.1/arch/x86/lguest/boot.c  2011-11-11 15:19:27.000000000 -0500
17212 +++ linux-3.1.1/arch/x86/lguest/boot.c  2011-11-16 18:39:07.000000000 -0500
17213 @@ -1184,9 +1184,10 @@ static __init int early_put_chars(u32 vt
17214   * Rebooting also tells the Host we're finished, but the RESTART flag tells the
17215   * Launcher to reboot us.
17216   */
17217 -static void lguest_restart(char *reason)
17218 +static __noreturn void lguest_restart(char *reason)
17219  {
17220         hcall(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART, 0, 0);
17221 +       BUG();
17222  }
17223  
17224  /*G:050
17225 diff -urNp linux-3.1.1/arch/x86/lib/atomic64_32.c linux-3.1.1/arch/x86/lib/atomic64_32.c
17226 --- linux-3.1.1/arch/x86/lib/atomic64_32.c      2011-11-11 15:19:27.000000000 -0500
17227 +++ linux-3.1.1/arch/x86/lib/atomic64_32.c      2011-11-16 18:39:07.000000000 -0500
17228 @@ -8,18 +8,30 @@
17229  
17230  long long atomic64_read_cx8(long long, const atomic64_t *v);
17231  EXPORT_SYMBOL(atomic64_read_cx8);
17232 +long long atomic64_read_unchecked_cx8(long long, const atomic64_unchecked_t *v);
17233 +EXPORT_SYMBOL(atomic64_read_unchecked_cx8);
17234  long long atomic64_set_cx8(long long, const atomic64_t *v);
17235  EXPORT_SYMBOL(atomic64_set_cx8);
17236 +long long atomic64_set_unchecked_cx8(long long, const atomic64_unchecked_t *v);
17237 +EXPORT_SYMBOL(atomic64_set_unchecked_cx8);
17238  long long atomic64_xchg_cx8(long long, unsigned high);
17239  EXPORT_SYMBOL(atomic64_xchg_cx8);
17240  long long atomic64_add_return_cx8(long long a, atomic64_t *v);
17241  EXPORT_SYMBOL(atomic64_add_return_cx8);
17242 +long long atomic64_add_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17243 +EXPORT_SYMBOL(atomic64_add_return_unchecked_cx8);
17244  long long atomic64_sub_return_cx8(long long a, atomic64_t *v);
17245  EXPORT_SYMBOL(atomic64_sub_return_cx8);
17246 +long long atomic64_sub_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17247 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_cx8);
17248  long long atomic64_inc_return_cx8(long long a, atomic64_t *v);
17249  EXPORT_SYMBOL(atomic64_inc_return_cx8);
17250 +long long atomic64_inc_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17251 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_cx8);
17252  long long atomic64_dec_return_cx8(long long a, atomic64_t *v);
17253  EXPORT_SYMBOL(atomic64_dec_return_cx8);
17254 +long long atomic64_dec_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17255 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_cx8);
17256  long long atomic64_dec_if_positive_cx8(atomic64_t *v);
17257  EXPORT_SYMBOL(atomic64_dec_if_positive_cx8);
17258  int atomic64_inc_not_zero_cx8(atomic64_t *v);
17259 @@ -30,26 +42,46 @@ EXPORT_SYMBOL(atomic64_add_unless_cx8);
17260  #ifndef CONFIG_X86_CMPXCHG64
17261  long long atomic64_read_386(long long, const atomic64_t *v);
17262  EXPORT_SYMBOL(atomic64_read_386);
17263 +long long atomic64_read_unchecked_386(long long, const atomic64_unchecked_t *v);
17264 +EXPORT_SYMBOL(atomic64_read_unchecked_386);
17265  long long atomic64_set_386(long long, const atomic64_t *v);
17266  EXPORT_SYMBOL(atomic64_set_386);
17267 +long long atomic64_set_unchecked_386(long long, const atomic64_unchecked_t *v);
17268 +EXPORT_SYMBOL(atomic64_set_unchecked_386);
17269  long long atomic64_xchg_386(long long, unsigned high);
17270  EXPORT_SYMBOL(atomic64_xchg_386);
17271  long long atomic64_add_return_386(long long a, atomic64_t *v);
17272  EXPORT_SYMBOL(atomic64_add_return_386);
17273 +long long atomic64_add_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17274 +EXPORT_SYMBOL(atomic64_add_return_unchecked_386);
17275  long long atomic64_sub_return_386(long long a, atomic64_t *v);
17276  EXPORT_SYMBOL(atomic64_sub_return_386);
17277 +long long atomic64_sub_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17278 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_386);
17279  long long atomic64_inc_return_386(long long a, atomic64_t *v);
17280  EXPORT_SYMBOL(atomic64_inc_return_386);
17281 +long long atomic64_inc_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17282 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_386);
17283  long long atomic64_dec_return_386(long long a, atomic64_t *v);
17284  EXPORT_SYMBOL(atomic64_dec_return_386);
17285 +long long atomic64_dec_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17286 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_386);
17287  long long atomic64_add_386(long long a, atomic64_t *v);
17288  EXPORT_SYMBOL(atomic64_add_386);
17289 +long long atomic64_add_unchecked_386(long long a, atomic64_unchecked_t *v);
17290 +EXPORT_SYMBOL(atomic64_add_unchecked_386);
17291  long long atomic64_sub_386(long long a, atomic64_t *v);
17292  EXPORT_SYMBOL(atomic64_sub_386);
17293 +long long atomic64_sub_unchecked_386(long long a, atomic64_unchecked_t *v);
17294 +EXPORT_SYMBOL(atomic64_sub_unchecked_386);
17295  long long atomic64_inc_386(long long a, atomic64_t *v);
17296  EXPORT_SYMBOL(atomic64_inc_386);
17297 +long long atomic64_inc_unchecked_386(long long a, atomic64_unchecked_t *v);
17298 +EXPORT_SYMBOL(atomic64_inc_unchecked_386);
17299  long long atomic64_dec_386(long long a, atomic64_t *v);
17300  EXPORT_SYMBOL(atomic64_dec_386);
17301 +long long atomic64_dec_unchecked_386(long long a, atomic64_unchecked_t *v);
17302 +EXPORT_SYMBOL(atomic64_dec_unchecked_386);
17303  long long atomic64_dec_if_positive_386(atomic64_t *v);
17304  EXPORT_SYMBOL(atomic64_dec_if_positive_386);
17305  int atomic64_inc_not_zero_386(atomic64_t *v);
17306 diff -urNp linux-3.1.1/arch/x86/lib/atomic64_386_32.S linux-3.1.1/arch/x86/lib/atomic64_386_32.S
17307 --- linux-3.1.1/arch/x86/lib/atomic64_386_32.S  2011-11-11 15:19:27.000000000 -0500
17308 +++ linux-3.1.1/arch/x86/lib/atomic64_386_32.S  2011-11-16 18:39:07.000000000 -0500
17309 @@ -48,6 +48,10 @@ BEGIN(read)
17310         movl  (v), %eax
17311         movl 4(v), %edx
17312  RET_ENDP
17313 +BEGIN(read_unchecked)
17314 +       movl  (v), %eax
17315 +       movl 4(v), %edx
17316 +RET_ENDP
17317  #undef v
17318  
17319  #define v %esi
17320 @@ -55,6 +59,10 @@ BEGIN(set)
17321         movl %ebx,  (v)
17322         movl %ecx, 4(v)
17323  RET_ENDP
17324 +BEGIN(set_unchecked)
17325 +       movl %ebx,  (v)
17326 +       movl %ecx, 4(v)
17327 +RET_ENDP
17328  #undef v
17329  
17330  #define v  %esi
17331 @@ -70,6 +78,20 @@ RET_ENDP
17332  BEGIN(add)
17333         addl %eax,  (v)
17334         adcl %edx, 4(v)
17335 +
17336 +#ifdef CONFIG_PAX_REFCOUNT
17337 +       jno 0f
17338 +       subl %eax,  (v)
17339 +       sbbl %edx, 4(v)
17340 +       int $4
17341 +0:
17342 +       _ASM_EXTABLE(0b, 0b)
17343 +#endif
17344 +
17345 +RET_ENDP
17346 +BEGIN(add_unchecked)
17347 +       addl %eax,  (v)
17348 +       adcl %edx, 4(v)
17349  RET_ENDP
17350  #undef v
17351  
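Review bot: The PAX_REFCOUNT path under `BEGIN(add)` rolls the addition back with a non-atomic `subl`/`sbbl` pair before raising `int $4`; that is only safe because this file is the no-cmpxchg8b fallback and, presumably, because the `BEGIN`/`RET_ENDP` macros disable interrupts around the body — neither fact is visible in the hunk, so a comment at this first block is warranted, e.g. `# overflow: undo the add, then raise #OF; safe only because irqs are off and this path is UP-only`. The same rollback pattern recurs in the `sub`, `inc`, and `dec` hunks below, while the `*_return` hunks use `into` with an exception-table branch to `2:` that skips the store rather than undoing it; one line explaining why the two shapes differ (flags are clobbered by the rollback, so `int $4` must be unconditional) would help the next reader.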
17352 @@ -77,6 +99,24 @@ RET_ENDP
17353  BEGIN(add_return)
17354         addl  (v), %eax
17355         adcl 4(v), %edx
17356 +
17357 +#ifdef CONFIG_PAX_REFCOUNT
17358 +       into
17359 +1234:
17360 +       _ASM_EXTABLE(1234b, 2f)
17361 +#endif
17362 +
17363 +       movl %eax,  (v)
17364 +       movl %edx, 4(v)
17365 +
17366 +#ifdef CONFIG_PAX_REFCOUNT
17367 +2:
17368 +#endif
17369 +
17370 +RET_ENDP
17371 +BEGIN(add_return_unchecked)
17372 +       addl  (v), %eax
17373 +       adcl 4(v), %edx
17374         movl %eax,  (v)
17375         movl %edx, 4(v)
17376  RET_ENDP
17377 @@ -86,6 +126,20 @@ RET_ENDP
17378  BEGIN(sub)
17379         subl %eax,  (v)
17380         sbbl %edx, 4(v)
17381 +
17382 +#ifdef CONFIG_PAX_REFCOUNT
17383 +       jno 0f
17384 +       addl %eax,  (v)
17385 +       adcl %edx, 4(v)
17386 +       int $4
17387 +0:
17388 +       _ASM_EXTABLE(0b, 0b)
17389 +#endif
17390 +
17391 +RET_ENDP
17392 +BEGIN(sub_unchecked)
17393 +       subl %eax,  (v)
17394 +       sbbl %edx, 4(v)
17395  RET_ENDP
17396  #undef v
17397  
17398 @@ -96,6 +150,27 @@ BEGIN(sub_return)
17399         sbbl $0, %edx
17400         addl  (v), %eax
17401         adcl 4(v), %edx
17402 +
17403 +#ifdef CONFIG_PAX_REFCOUNT
17404 +       into
17405 +1234:
17406 +       _ASM_EXTABLE(1234b, 2f)
17407 +#endif
17408 +
17409 +       movl %eax,  (v)
17410 +       movl %edx, 4(v)
17411 +
17412 +#ifdef CONFIG_PAX_REFCOUNT
17413 +2:
17414 +#endif
17415 +
17416 +RET_ENDP
17417 +BEGIN(sub_return_unchecked)
17418 +       negl %edx
17419 +       negl %eax
17420 +       sbbl $0, %edx
17421 +       addl  (v), %eax
17422 +       adcl 4(v), %edx
17423         movl %eax,  (v)
17424         movl %edx, 4(v)
17425  RET_ENDP
17426 @@ -105,6 +180,20 @@ RET_ENDP
17427  BEGIN(inc)
17428         addl $1,  (v)
17429         adcl $0, 4(v)
17430 +
17431 +#ifdef CONFIG_PAX_REFCOUNT
17432 +       jno 0f
17433 +       subl $1,  (v)
17434 +       sbbl $0, 4(v)
17435 +       int $4
17436 +0:
17437 +       _ASM_EXTABLE(0b, 0b)
17438 +#endif
17439 +
17440 +RET_ENDP
17441 +BEGIN(inc_unchecked)
17442 +       addl $1,  (v)
17443 +       adcl $0, 4(v)
17444  RET_ENDP
17445  #undef v
17446  
17447 @@ -114,6 +203,26 @@ BEGIN(inc_return)
17448         movl 4(v), %edx
17449         addl $1, %eax
17450         adcl $0, %edx
17451 +
17452 +#ifdef CONFIG_PAX_REFCOUNT
17453 +       into
17454 +1234:
17455 +       _ASM_EXTABLE(1234b, 2f)
17456 +#endif
17457 +
17458 +       movl %eax,  (v)
17459 +       movl %edx, 4(v)
17460 +
17461 +#ifdef CONFIG_PAX_REFCOUNT
17462 +2:
17463 +#endif
17464 +
17465 +RET_ENDP
17466 +BEGIN(inc_return_unchecked)
17467 +       movl  (v), %eax
17468 +       movl 4(v), %edx
17469 +       addl $1, %eax
17470 +       adcl $0, %edx
17471         movl %eax,  (v)
17472         movl %edx, 4(v)
17473  RET_ENDP
17474 @@ -123,6 +232,20 @@ RET_ENDP
17475  BEGIN(dec)
17476         subl $1,  (v)
17477         sbbl $0, 4(v)
17478 +
17479 +#ifdef CONFIG_PAX_REFCOUNT
17480 +       jno 0f
17481 +       addl $1,  (v)
17482 +       adcl $0, 4(v)
17483 +       int $4
17484 +0:
17485 +       _ASM_EXTABLE(0b, 0b)
17486 +#endif
17487 +
17488 +RET_ENDP
17489 +BEGIN(dec_unchecked)
17490 +       subl $1,  (v)
17491 +       sbbl $0, 4(v)
17492  RET_ENDP
17493  #undef v
17494  
17495 @@ -132,6 +255,26 @@ BEGIN(dec_return)
17496         movl 4(v), %edx
17497         subl $1, %eax
17498         sbbl $0, %edx
17499 +
17500 +#ifdef CONFIG_PAX_REFCOUNT
17501 +       into
17502 +1234:
17503 +       _ASM_EXTABLE(1234b, 2f)
17504 +#endif
17505 +
17506 +       movl %eax,  (v)
17507 +       movl %edx, 4(v)
17508 +
17509 +#ifdef CONFIG_PAX_REFCOUNT
17510 +2:
17511 +#endif
17512 +
17513 +RET_ENDP
17514 +BEGIN(dec_return_unchecked)
17515 +       movl  (v), %eax
17516 +       movl 4(v), %edx
17517 +       subl $1, %eax
17518 +       sbbl $0, %edx
17519         movl %eax,  (v)
17520         movl %edx, 4(v)
17521  RET_ENDP
17522 @@ -143,6 +286,13 @@ BEGIN(add_unless)
17523         adcl %edx, %edi
17524         addl  (v), %eax
17525         adcl 4(v), %edx
17526 +
17527 +#ifdef CONFIG_PAX_REFCOUNT
17528 +       into
17529 +1234:
17530 +       _ASM_EXTABLE(1234b, 2f)
17531 +#endif
17532 +
17533         cmpl %eax, %esi
17534         je 3f
17535  1:
17536 @@ -168,6 +318,13 @@ BEGIN(inc_not_zero)
17537  1:
17538         addl $1, %eax
17539         adcl $0, %edx
17540 +
17541 +#ifdef CONFIG_PAX_REFCOUNT
17542 +       into
17543 +1234:
17544 +       _ASM_EXTABLE(1234b, 2f)
17545 +#endif
17546 +
17547         movl %eax,  (v)
17548         movl %edx, 4(v)
17549         movl $1, %eax
17550 @@ -186,6 +343,13 @@ BEGIN(dec_if_positive)
17551         movl 4(v), %edx
17552         subl $1, %eax
17553         sbbl $0, %edx
17554 +
17555 +#ifdef CONFIG_PAX_REFCOUNT
17556 +       into
17557 +1234:
17558 +       _ASM_EXTABLE(1234b, 1f)
17559 +#endif
17560 +
17561         js 1f
17562         movl %eax,  (v)
17563         movl %edx, 4(v)
17564 diff -urNp linux-3.1.1/arch/x86/lib/atomic64_cx8_32.S linux-3.1.1/arch/x86/lib/atomic64_cx8_32.S
17565 --- linux-3.1.1/arch/x86/lib/atomic64_cx8_32.S  2011-11-11 15:19:27.000000000 -0500
17566 +++ linux-3.1.1/arch/x86/lib/atomic64_cx8_32.S  2011-11-16 18:39:07.000000000 -0500
17567 @@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8)
17568         CFI_STARTPROC
17569  
17570         read64 %ecx
17571 +       pax_force_retaddr
17572         ret
17573         CFI_ENDPROC
17574  ENDPROC(atomic64_read_cx8)
17575  
17576 +ENTRY(atomic64_read_unchecked_cx8)
17577 +       CFI_STARTPROC
17578 +
17579 +       read64 %ecx
17580 +       pax_force_retaddr
17581 +       ret
17582 +       CFI_ENDPROC
17583 +ENDPROC(atomic64_read_unchecked_cx8)
17584 +
17585  ENTRY(atomic64_set_cx8)
17586         CFI_STARTPROC
17587  
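Review bot: `atomic64_read_unchecked_cx8` is a byte-for-byte copy of `atomic64_read_cx8` above it, and `atomic64_set_unchecked_cx8` in the next hunk duplicates `atomic64_set_cx8` the same way; neither read nor set performs arithmetic, so there is no overflow check for the unchecked variant to omit. A comment such as `/* identical to atomic64_read_cx8: a read cannot overflow; separate symbol only to complete the _unchecked API */` would stop a later reader from hunting for the missing check. If a distinct symbol is all that is needed, a symbol alias would avoid the duplicated bodies, though that depends on how ENTRY/ENDPROC are consumed elsewhere.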
17588 @@ -48,10 +58,25 @@ ENTRY(atomic64_set_cx8)
17589         cmpxchg8b (%esi)
17590         jne 1b
17591  
17592 +       pax_force_retaddr
17593         ret
17594         CFI_ENDPROC
17595  ENDPROC(atomic64_set_cx8)
17596  
17597 +ENTRY(atomic64_set_unchecked_cx8)
17598 +       CFI_STARTPROC
17599 +
17600 +1:
17601 +/* we don't need LOCK_PREFIX since aligned 64-bit writes
17602 + * are atomic on 586 and newer */
17603 +       cmpxchg8b (%esi)
17604 +       jne 1b
17605 +
17606 +       pax_force_retaddr
17607 +       ret
17608 +       CFI_ENDPROC
17609 +ENDPROC(atomic64_set_unchecked_cx8)
17610 +
17611  ENTRY(atomic64_xchg_cx8)
17612         CFI_STARTPROC
17613  
17614 @@ -62,12 +87,13 @@ ENTRY(atomic64_xchg_cx8)
17615         cmpxchg8b (%esi)
17616         jne 1b
17617  
17618 +       pax_force_retaddr
17619         ret
17620         CFI_ENDPROC
17621  ENDPROC(atomic64_xchg_cx8)
17622  
17623 -.macro addsub_return func ins insc
17624 -ENTRY(atomic64_\func\()_return_cx8)
17625 +.macro addsub_return func ins insc unchecked=""
17626 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
17627         CFI_STARTPROC
17628         SAVE ebp
17629         SAVE ebx
17630 @@ -84,27 +110,44 @@ ENTRY(atomic64_\func\()_return_cx8)
17631         movl %edx, %ecx
17632         \ins\()l %esi, %ebx
17633         \insc\()l %edi, %ecx
17634 +
17635 +.ifb \unchecked
17636 +#ifdef CONFIG_PAX_REFCOUNT
17637 +       into
17638 +2:
17639 +       _ASM_EXTABLE(2b, 3f)
17640 +#endif
17641 +.endif
17642 +
17643         LOCK_PREFIX
17644         cmpxchg8b (%ebp)
17645         jne 1b
17646 -
17647 -10:
17648         movl %ebx, %eax
17649         movl %ecx, %edx
17650 +
17651 +.ifb \unchecked
17652 +#ifdef CONFIG_PAX_REFCOUNT
17653 +3:
17654 +#endif
17655 +.endif
17656 +
17657         RESTORE edi
17658         RESTORE esi
17659         RESTORE ebx
17660         RESTORE ebp
17661 +       pax_force_retaddr
17662         ret
17663         CFI_ENDPROC
17664 -ENDPROC(atomic64_\func\()_return_cx8)
17665 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
17666  .endm
17667  
17668  addsub_return add add adc
17669  addsub_return sub sub sbb
17670 +addsub_return add add adc _unchecked
17671 +addsub_return sub sub sbb _unchecked
17672  
17673 -.macro incdec_return func ins insc
17674 -ENTRY(atomic64_\func\()_return_cx8)
17675 +.macro incdec_return func ins insc unchecked
17676 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
17677         CFI_STARTPROC
17678         SAVE ebx
17679  
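Review bot: `incdec_return` declares its new parameter as `unchecked` while `addsub_return` declares `unchecked=""`; GAS substitutes the empty string for an omitted argument either way, so both `.ifb \unchecked` tests behave the same, but the two macros should use one form, e.g. `.macro incdec_return func ins insc unchecked=""`. The first `.ifb \unchecked` block also merits a comment, e.g. `/* checked variant only: trap on signed overflow; fixup at 3: skips the cmpxchg so memory is left untouched */`, because the `3:` label sits after the `movl %ebx, %eax` / `movl %ecx, %edx` pair and the trapped value is therefore still returned in %eax:%edx, which is not obvious from the macro text. The same `into`/`_ASM_EXTABLE` shape appears uncommented in the dec_if_positive, add_unless and inc_not_zero hunks further down this file.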
17680 @@ -114,21 +157,39 @@ ENTRY(atomic64_\func\()_return_cx8)
17681         movl %edx, %ecx
17682         \ins\()l $1, %ebx
17683         \insc\()l $0, %ecx
17684 +
17685 +.ifb \unchecked
17686 +#ifdef CONFIG_PAX_REFCOUNT
17687 +       into
17688 +2:
17689 +       _ASM_EXTABLE(2b, 3f)
17690 +#endif
17691 +.endif
17692 +
17693         LOCK_PREFIX
17694         cmpxchg8b (%esi)
17695         jne 1b
17696  
17697 -10:
17698         movl %ebx, %eax
17699         movl %ecx, %edx
17700 +
17701 +.ifb \unchecked
17702 +#ifdef CONFIG_PAX_REFCOUNT
17703 +3:
17704 +#endif
17705 +.endif
17706 +
17707         RESTORE ebx
17708 +       pax_force_retaddr
17709         ret
17710         CFI_ENDPROC
17711 -ENDPROC(atomic64_\func\()_return_cx8)
17712 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
17713  .endm
17714  
17715  incdec_return inc add adc
17716  incdec_return dec sub sbb
17717 +incdec_return inc add adc _unchecked
17718 +incdec_return dec sub sbb _unchecked
17719  
17720  ENTRY(atomic64_dec_if_positive_cx8)
17721         CFI_STARTPROC
17722 @@ -140,6 +201,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
17723         movl %edx, %ecx
17724         subl $1, %ebx
17725         sbb $0, %ecx
17726 +
17727 +#ifdef CONFIG_PAX_REFCOUNT
17728 +       into
17729 +1234:
17730 +       _ASM_EXTABLE(1234b, 2f)
17731 +#endif
17732 +
17733         js 2f
17734         LOCK_PREFIX
17735         cmpxchg8b (%esi)
17736 @@ -149,6 +217,7 @@ ENTRY(atomic64_dec_if_positive_cx8)
17737         movl %ebx, %eax
17738         movl %ecx, %edx
17739         RESTORE ebx
17740 +       pax_force_retaddr
17741         ret
17742         CFI_ENDPROC
17743  ENDPROC(atomic64_dec_if_positive_cx8)
17744 @@ -174,6 +243,13 @@ ENTRY(atomic64_add_unless_cx8)
17745         movl %edx, %ecx
17746         addl %esi, %ebx
17747         adcl %edi, %ecx
17748 +
17749 +#ifdef CONFIG_PAX_REFCOUNT
17750 +       into
17751 +1234:
17752 +       _ASM_EXTABLE(1234b, 3f)
17753 +#endif
17754 +
17755         LOCK_PREFIX
17756         cmpxchg8b (%ebp)
17757         jne 1b
17758 @@ -184,6 +260,7 @@ ENTRY(atomic64_add_unless_cx8)
17759         CFI_ADJUST_CFA_OFFSET -8
17760         RESTORE ebx
17761         RESTORE ebp
17762 +       pax_force_retaddr
17763         ret
17764  4:
17765         cmpl %edx, 4(%esp)
17766 @@ -206,6 +283,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
17767         movl %edx, %ecx
17768         addl $1, %ebx
17769         adcl $0, %ecx
17770 +
17771 +#ifdef CONFIG_PAX_REFCOUNT
17772 +       into
17773 +1234:
17774 +       _ASM_EXTABLE(1234b, 3f)
17775 +#endif
17776 +
17777         LOCK_PREFIX
17778         cmpxchg8b (%esi)
17779         jne 1b
17780 @@ -213,6 +297,7 @@ ENTRY(atomic64_inc_not_zero_cx8)
17781         movl $1, %eax
17782  3:
17783         RESTORE ebx
17784 +       pax_force_retaddr
17785         ret
17786  4:
17787         testl %edx, %edx
17788 diff -urNp linux-3.1.1/arch/x86/lib/checksum_32.S linux-3.1.1/arch/x86/lib/checksum_32.S
17789 --- linux-3.1.1/arch/x86/lib/checksum_32.S      2011-11-11 15:19:27.000000000 -0500
17790 +++ linux-3.1.1/arch/x86/lib/checksum_32.S      2011-11-16 18:39:07.000000000 -0500
17791 @@ -28,7 +28,8 @@
17792  #include <linux/linkage.h>
17793  #include <asm/dwarf2.h>
17794  #include <asm/errno.h>
17795 -                               
17796 +#include <asm/segment.h>
17797 +
17798  /*
17799   * computes a partial checksum, e.g. for TCP/UDP fragments
17800   */
17801 @@ -296,9 +297,24 @@ unsigned int csum_partial_copy_generic (
17802  
17803  #define ARGBASE 16             
17804  #define FP             12
17805 -               
17806 -ENTRY(csum_partial_copy_generic)
17807 +
17808 +ENTRY(csum_partial_copy_generic_to_user)
17809         CFI_STARTPROC
17810 +
17811 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17812 +       pushl_cfi %gs
17813 +       popl_cfi %es
17814 +       jmp csum_partial_copy_generic
17815 +#endif
17816 +
17817 +ENTRY(csum_partial_copy_generic_from_user)
17818 +
17819 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17820 +       pushl_cfi %gs
17821 +       popl_cfi %ds
17822 +#endif
17823 +
17824 +ENTRY(csum_partial_copy_generic)
17825         subl  $4,%esp   
17826         CFI_ADJUST_CFA_OFFSET 4
17827         pushl_cfi %edi
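Review bot: Only `csum_partial_copy_generic_to_user` receives `CFI_STARTPROC` here and the matching `ENDPROC` (renamed in the `@@ -424` hunk), so `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` become plain labels inside that region with no `.type`/`.size` of their own; tools that rely on symbol sizes (kallsyms sizing, disassembler boundaries, unwinders) will likely attribute the whole body to `_to_user`. If that is intended, a comment above the first ENTRY saying the three entries share one body and one CFI region would make it explicit; otherwise the inner entries need their own size directives. Under `CONFIG_PAX_MEMORY_UDEREF` the `_to_user` entry only loads %es and jumps while `_from_user` loads %ds and falls through, and a one-line comment on each (`/* dst is user memory: stores go through %es=%gs */`, `/* src is user memory: loads go through %ds=%gs */`) would spell out the segment convention the `%es:`/`%ss:` overrides in the later hunks depend on. The PentiumII/PPro variant in the `@@ -424` hunk repeats this structure and would take the same comments.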
17828 @@ -320,7 +336,7 @@ ENTRY(csum_partial_copy_generic)
17829         jmp 4f
17830  SRC(1: movw (%esi), %bx        )
17831         addl $2, %esi
17832 -DST(   movw %bx, (%edi)        )
17833 +DST(   movw %bx, %es:(%edi)    )
17834         addl $2, %edi
17835         addw %bx, %ax   
17836         adcl $0, %eax
17837 @@ -332,30 +348,30 @@ DST(      movw %bx, (%edi)        )
17838  SRC(1: movl (%esi), %ebx       )
17839  SRC(   movl 4(%esi), %edx      )
17840         adcl %ebx, %eax
17841 -DST(   movl %ebx, (%edi)       )
17842 +DST(   movl %ebx, %es:(%edi)   )
17843         adcl %edx, %eax
17844 -DST(   movl %edx, 4(%edi)      )
17845 +DST(   movl %edx, %es:4(%edi)  )
17846  
17847  SRC(   movl 8(%esi), %ebx      )
17848  SRC(   movl 12(%esi), %edx     )
17849         adcl %ebx, %eax
17850 -DST(   movl %ebx, 8(%edi)      )
17851 +DST(   movl %ebx, %es:8(%edi)  )
17852         adcl %edx, %eax
17853 -DST(   movl %edx, 12(%edi)     )
17854 +DST(   movl %edx, %es:12(%edi) )
17855  
17856  SRC(   movl 16(%esi), %ebx     )
17857  SRC(   movl 20(%esi), %edx     )
17858         adcl %ebx, %eax
17859 -DST(   movl %ebx, 16(%edi)     )
17860 +DST(   movl %ebx, %es:16(%edi) )
17861         adcl %edx, %eax
17862 -DST(   movl %edx, 20(%edi)     )
17863 +DST(   movl %edx, %es:20(%edi) )
17864  
17865  SRC(   movl 24(%esi), %ebx     )
17866  SRC(   movl 28(%esi), %edx     )
17867         adcl %ebx, %eax
17868 -DST(   movl %ebx, 24(%edi)     )
17869 +DST(   movl %ebx, %es:24(%edi) )
17870         adcl %edx, %eax
17871 -DST(   movl %edx, 28(%edi)     )
17872 +DST(   movl %edx, %es:28(%edi) )
17873  
17874         lea 32(%esi), %esi
17875         lea 32(%edi), %edi
17876 @@ -369,7 +385,7 @@ DST(        movl %edx, 28(%edi)     )
17877         shrl $2, %edx                   # This clears CF
17878  SRC(3: movl (%esi), %ebx       )
17879         adcl %ebx, %eax
17880 -DST(   movl %ebx, (%edi)       )
17881 +DST(   movl %ebx, %es:(%edi)   )
17882         lea 4(%esi), %esi
17883         lea 4(%edi), %edi
17884         dec %edx
17885 @@ -381,12 +397,12 @@ DST(      movl %ebx, (%edi)       )
17886         jb 5f
17887  SRC(   movw (%esi), %cx        )
17888         leal 2(%esi), %esi
17889 -DST(   movw %cx, (%edi)        )
17890 +DST(   movw %cx, %es:(%edi)    )
17891         leal 2(%edi), %edi
17892         je 6f
17893         shll $16,%ecx
17894  SRC(5: movb (%esi), %cl        )
17895 -DST(   movb %cl, (%edi)        )
17896 +DST(   movb %cl, %es:(%edi)    )
17897  6:     addl %ecx, %eax
17898         adcl $0, %eax
17899  7:
17900 @@ -397,7 +413,7 @@ DST(        movb %cl, (%edi)        )
17901  
17902  6001:
17903         movl ARGBASE+20(%esp), %ebx     # src_err_ptr
17904 -       movl $-EFAULT, (%ebx)
17905 +       movl $-EFAULT, %ss:(%ebx)
17906  
17907         # zero the complete destination - computing the rest
17908         # is too much work 
17909 @@ -410,11 +426,15 @@ DST(      movb %cl, (%edi)        )
17910  
17911  6002:
17912         movl ARGBASE+24(%esp), %ebx     # dst_err_ptr
17913 -       movl $-EFAULT,(%ebx)
17914 +       movl $-EFAULT,%ss:(%ebx)
17915         jmp 5000b
17916  
17917  .previous
17918  
17919 +       pushl_cfi %ss
17920 +       popl_cfi %ds
17921 +       pushl_cfi %ss
17922 +       popl_cfi %es
17923         popl_cfi %ebx
17924         CFI_RESTORE ebx
17925         popl_cfi %esi
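Review bot: The `%ss`→`%ds`/`%es` restore inserted before `popl_cfi %ebx` is unconditional, whereas the equivalent restore in the PentiumII/PPro variant (`@@ -505` hunk) is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`; in a non-UDEREF build the segments were never switched, so this version performs four redundant segment loads on every call. Either wrap these four lines in the same `#ifdef` or drop it in the PPro variant so the two paths keep the same shape. A comment, `/* restore flat kernel %ds/%es after the possible %gs switch in the *_user entries */`, would also tell the reader why %ss is the source.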
17926 @@ -424,26 +444,43 @@ DST(      movb %cl, (%edi)        )
17927         popl_cfi %ecx                   # equivalent to addl $4,%esp
17928         ret     
17929         CFI_ENDPROC
17930 -ENDPROC(csum_partial_copy_generic)
17931 +ENDPROC(csum_partial_copy_generic_to_user)
17932  
17933  #else
17934  
17935  /* Version for PentiumII/PPro */
17936  
17937  #define ROUND1(x) \
17938 +       nop; nop; nop;                          \
17939         SRC(movl x(%esi), %ebx  )       ;       \
17940         addl %ebx, %eax                 ;       \
17941 -       DST(movl %ebx, x(%edi)  )       ; 
17942 +       DST(movl %ebx, %es:x(%edi))     ;
17943  
17944  #define ROUND(x) \
17945 +       nop; nop; nop;                          \
17946         SRC(movl x(%esi), %ebx  )       ;       \
17947         adcl %ebx, %eax                 ;       \
17948 -       DST(movl %ebx, x(%edi)  )       ;
17949 +       DST(movl %ebx, %es:x(%edi))     ;
17950  
17951  #define ARGBASE 12
17952 -               
17953 -ENTRY(csum_partial_copy_generic)
17954 +
17955 +ENTRY(csum_partial_copy_generic_to_user)
17956         CFI_STARTPROC
17957 +
17958 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17959 +       pushl_cfi %gs
17960 +       popl_cfi %es
17961 +       jmp csum_partial_copy_generic
17962 +#endif
17963 +
17964 +ENTRY(csum_partial_copy_generic_from_user)
17965 +
17966 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17967 +       pushl_cfi %gs
17968 +       popl_cfi %ds
17969 +#endif
17970 +
17971 +ENTRY(csum_partial_copy_generic)
17972         pushl_cfi %ebx
17973         CFI_REL_OFFSET ebx, 0
17974         pushl_cfi %edi
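Review bot: The three `nop`s added to `ROUND1`/`ROUND` and the `lea 3f(%ebx,%ebx,2), %ebx` change in the `@@ -464` hunk are coupled: the computed jump into the unrolled body only lands on instruction boundaries if every `ROUND(x)` expansion has a fixed size that the `lea` scale factor matches, and the nops appear to pad each round (now one byte longer because of the `%es:` prefix) back to a size the scaled index can address. Nothing in either hunk records that invariant. A comment on the macro, e.g. `/* keep each ROUND exactly <N> bytes: the computed jmp via lea 3f(...) in csum_partial_copy_generic indexes this sequence */` with N filled in from the actual encoding, would stop the next edit from silently breaking the jump table.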
17975 @@ -464,7 +501,7 @@ ENTRY(csum_partial_copy_generic)
17976         subl %ebx, %edi  
17977         lea  -1(%esi),%edx
17978         andl $-32,%edx
17979 -       lea 3f(%ebx,%ebx), %ebx
17980 +       lea 3f(%ebx,%ebx,2), %ebx
17981         testl %esi, %esi 
17982         jmp *%ebx
17983  1:     addl $64,%esi
17984 @@ -485,19 +522,19 @@ ENTRY(csum_partial_copy_generic)
17985         jb 5f
17986  SRC(   movw (%esi), %dx         )
17987         leal 2(%esi), %esi
17988 -DST(   movw %dx, (%edi)         )
17989 +DST(   movw %dx, %es:(%edi)     )
17990         leal 2(%edi), %edi
17991         je 6f
17992         shll $16,%edx
17993  5:
17994  SRC(   movb (%esi), %dl         )
17995 -DST(   movb %dl, (%edi)         )
17996 +DST(   movb %dl, %es:(%edi)     )
17997  6:     addl %edx, %eax
17998         adcl $0, %eax
17999  7:
18000  .section .fixup, "ax"
18001  6001:  movl    ARGBASE+20(%esp), %ebx  # src_err_ptr   
18002 -       movl $-EFAULT, (%ebx)
18003 +       movl $-EFAULT, %ss:(%ebx)
18004         # zero the complete destination (computing the rest is too much work)
18005         movl ARGBASE+8(%esp),%edi       # dst
18006         movl ARGBASE+12(%esp),%ecx      # len
18007 @@ -505,10 +542,17 @@ DST(      movb %dl, (%edi)         )
18008         rep; stosb
18009         jmp 7b
18010  6002:  movl ARGBASE+24(%esp), %ebx     # dst_err_ptr
18011 -       movl $-EFAULT, (%ebx)
18012 +       movl $-EFAULT, %ss:(%ebx)
18013         jmp  7b                 
18014  .previous                              
18015  
18016 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18017 +       pushl_cfi %ss
18018 +       popl_cfi %ds
18019 +       pushl_cfi %ss
18020 +       popl_cfi %es
18021 +#endif
18022 +
18023         popl_cfi %esi
18024         CFI_RESTORE esi
18025         popl_cfi %edi
18026 @@ -517,7 +561,7 @@ DST(        movb %dl, (%edi)         )
18027         CFI_RESTORE ebx
18028         ret
18029         CFI_ENDPROC
18030 -ENDPROC(csum_partial_copy_generic)
18031 +ENDPROC(csum_partial_copy_generic_to_user)
18032                                 
18033  #undef ROUND
18034  #undef ROUND1          
18035 diff -urNp linux-3.1.1/arch/x86/lib/clear_page_64.S linux-3.1.1/arch/x86/lib/clear_page_64.S
18036 --- linux-3.1.1/arch/x86/lib/clear_page_64.S    2011-11-11 15:19:27.000000000 -0500
18037 +++ linux-3.1.1/arch/x86/lib/clear_page_64.S    2011-11-16 18:39:07.000000000 -0500
18038 @@ -11,6 +11,7 @@ ENTRY(clear_page_c)
18039         movl $4096/8,%ecx
18040         xorl %eax,%eax
18041         rep stosq
18042 +       pax_force_retaddr
18043         ret
18044         CFI_ENDPROC
18045  ENDPROC(clear_page_c)
18046 @@ -20,6 +21,7 @@ ENTRY(clear_page_c_e)
18047         movl $4096,%ecx
18048         xorl %eax,%eax
18049         rep stosb
18050 +       pax_force_retaddr
18051         ret
18052         CFI_ENDPROC
18053  ENDPROC(clear_page_c_e)
18054 @@ -43,6 +45,7 @@ ENTRY(clear_page)
18055         leaq    64(%rdi),%rdi
18056         jnz     .Lloop
18057         nop
18058 +       pax_force_retaddr
18059         ret
18060         CFI_ENDPROC
18061  .Lclear_page_end:
18062 @@ -58,7 +61,7 @@ ENDPROC(clear_page)
18063  
18064  #include <asm/cpufeature.h>
18065  
18066 -       .section .altinstr_replacement,"ax"
18067 +       .section .altinstr_replacement,"a"
18068  1:     .byte 0xeb                                      /* jmp <disp8> */
18069         .byte (clear_page_c - clear_page) - (2f - 1b)   /* offset */
18070  2:     .byte 0xeb                                      /* jmp <disp8> */
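Review bot: The `.altinstr_replacement` flag change from `"ax"` to `"a"` is uncommented here and is repeated in copy_page_64.S (`@@ -105`) and copy_user_64.S (`@@ -29`); presumably the reasoning is that replacement bytes are only ever copied into the live text by the alternatives patcher and never executed from this section, so it needs no executable flag — confirm against the patcher. A short comment at this first occurrence, e.g. `/* replacement bytes are copied into place, never executed here: no "x" flag */`, would record that and head off a later "fix" that restores the flag.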
18071 diff -urNp linux-3.1.1/arch/x86/lib/cmpxchg16b_emu.S linux-3.1.1/arch/x86/lib/cmpxchg16b_emu.S
18072 --- linux-3.1.1/arch/x86/lib/cmpxchg16b_emu.S   2011-11-11 15:19:27.000000000 -0500
18073 +++ linux-3.1.1/arch/x86/lib/cmpxchg16b_emu.S   2011-11-16 18:39:07.000000000 -0500
18074 @@ -53,11 +53,13 @@ this_cpu_cmpxchg16b_emu:
18075  
18076         popf
18077         mov $1, %al
18078 +       pax_force_retaddr
18079         ret
18080  
18081   not_same:
18082         popf
18083         xor %al,%al
18084 +       pax_force_retaddr
18085         ret
18086  
18087  CFI_ENDPROC
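Review bot: `pax_force_retaddr` is used here, but the visible hunks for cmpxchg16b_emu.S add no `#include`, whereas copy_user_nocache_64.S, csum-copy_64.S and iomap_copy_64.S in this same patch each add `#include <asm/alternative-asm.h>` before their first use of it. If the macro is defined in that header and is not pulled in transitively by what this file already includes, the file will not assemble; if it is pulled in transitively, a direct include would still be clearer and would match the other files. Either way the dependency should be explicit rather than inherited.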
18088 diff -urNp linux-3.1.1/arch/x86/lib/copy_page_64.S linux-3.1.1/arch/x86/lib/copy_page_64.S
18089 --- linux-3.1.1/arch/x86/lib/copy_page_64.S     2011-11-11 15:19:27.000000000 -0500
18090 +++ linux-3.1.1/arch/x86/lib/copy_page_64.S     2011-11-16 18:39:07.000000000 -0500
18091 @@ -9,6 +9,7 @@ copy_page_c:
18092         CFI_STARTPROC
18093         movl $4096/8,%ecx
18094         rep movsq
18095 +       pax_force_retaddr
18096         ret
18097         CFI_ENDPROC
18098  ENDPROC(copy_page_c)
18099 @@ -95,6 +96,7 @@ ENTRY(copy_page)
18100         CFI_RESTORE r13
18101         addq    $3*8,%rsp
18102         CFI_ADJUST_CFA_OFFSET -3*8
18103 +       pax_force_retaddr
18104         ret
18105  .Lcopy_page_end:
18106         CFI_ENDPROC
18107 @@ -105,7 +107,7 @@ ENDPROC(copy_page)
18108  
18109  #include <asm/cpufeature.h>
18110  
18111 -       .section .altinstr_replacement,"ax"
18112 +       .section .altinstr_replacement,"a"
18113  1:     .byte 0xeb                                      /* jmp <disp8> */
18114         .byte (copy_page_c - copy_page) - (2f - 1b)     /* offset */
18115  2:
18116 diff -urNp linux-3.1.1/arch/x86/lib/copy_user_64.S linux-3.1.1/arch/x86/lib/copy_user_64.S
18117 --- linux-3.1.1/arch/x86/lib/copy_user_64.S     2011-11-11 15:19:27.000000000 -0500
18118 +++ linux-3.1.1/arch/x86/lib/copy_user_64.S     2011-11-16 18:39:07.000000000 -0500
18119 @@ -16,6 +16,7 @@
18120  #include <asm/thread_info.h>
18121  #include <asm/cpufeature.h>
18122  #include <asm/alternative-asm.h>
18123 +#include <asm/pgtable.h>
18124  
18125  /*
18126   * By placing feature2 after feature1 in altinstructions section, we logically
18127 @@ -29,7 +30,7 @@
18128         .byte 0xe9      /* 32bit jump */
18129         .long \orig-1f  /* by default jump to orig */
18130  1:
18131 -       .section .altinstr_replacement,"ax"
18132 +       .section .altinstr_replacement,"a"
18133  2:     .byte 0xe9                      /* near jump with 32bit immediate */
18134         .long \alt1-1b /* offset */   /* or alternatively to alt1 */
18135  3:     .byte 0xe9                      /* near jump with 32bit immediate */
18136 @@ -71,47 +72,20 @@
18137  #endif
18138         .endm
18139  
18140 -/* Standard copy_to_user with segment limit checking */
18141 -ENTRY(_copy_to_user)
18142 -       CFI_STARTPROC
18143 -       GET_THREAD_INFO(%rax)
18144 -       movq %rdi,%rcx
18145 -       addq %rdx,%rcx
18146 -       jc bad_to_user
18147 -       cmpq TI_addr_limit(%rax),%rcx
18148 -       ja bad_to_user
18149 -       ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \
18150 -               copy_user_generic_unrolled,copy_user_generic_string,    \
18151 -               copy_user_enhanced_fast_string
18152 -       CFI_ENDPROC
18153 -ENDPROC(_copy_to_user)
18154 -
18155 -/* Standard copy_from_user with segment limit checking */
18156 -ENTRY(_copy_from_user)
18157 -       CFI_STARTPROC
18158 -       GET_THREAD_INFO(%rax)
18159 -       movq %rsi,%rcx
18160 -       addq %rdx,%rcx
18161 -       jc bad_from_user
18162 -       cmpq TI_addr_limit(%rax),%rcx
18163 -       ja bad_from_user
18164 -       ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \
18165 -               copy_user_generic_unrolled,copy_user_generic_string,    \
18166 -               copy_user_enhanced_fast_string
18167 -       CFI_ENDPROC
18168 -ENDPROC(_copy_from_user)
18169 -
18170         .section .fixup,"ax"
18171         /* must zero dest */
18172  ENTRY(bad_from_user)
18173  bad_from_user:
18174         CFI_STARTPROC
18175 +       testl %edx,%edx
18176 +       js bad_to_user
18177         movl %edx,%ecx
18178         xorl %eax,%eax
18179         rep
18180         stosb
18181  bad_to_user:
18182         movl %edx,%eax
18183 +       pax_force_retaddr
18184         ret
18185         CFI_ENDPROC
18186  ENDPROC(bad_from_user)
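Review bot: The new `testl %edx,%edx` / `js bad_to_user` guard in `bad_from_user` is undocumented: it makes a negative length skip the `rep stosb` destination-zeroing and go straight to returning the length, where previously the same value would have been reinterpreted as a huge unsigned count for `stosb`. A comment such as `/* negative len: nothing sane to zero, just return it */` above the test would explain the early exit. The guard only inspects the low 32 bits of the length; the original `movl %edx,%ecx` already truncated the same way, so this is pre-existing, but it is worth confirming that no caller reaches this label with a length of 2^31 or more.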
18187 @@ -179,6 +153,7 @@ ENTRY(copy_user_generic_unrolled)
18188         decl %ecx
18189         jnz 21b
18190  23:    xor %eax,%eax
18191 +       pax_force_retaddr
18192         ret
18193  
18194         .section .fixup,"ax"
18195 @@ -251,6 +226,7 @@ ENTRY(copy_user_generic_string)
18196  3:     rep
18197         movsb
18198  4:     xorl %eax,%eax
18199 +       pax_force_retaddr
18200         ret
18201  
18202         .section .fixup,"ax"
18203 @@ -287,6 +263,7 @@ ENTRY(copy_user_enhanced_fast_string)
18204  1:     rep
18205         movsb
18206  2:     xorl %eax,%eax
18207 +       pax_force_retaddr
18208         ret
18209  
18210         .section .fixup,"ax"
18211 diff -urNp linux-3.1.1/arch/x86/lib/copy_user_nocache_64.S linux-3.1.1/arch/x86/lib/copy_user_nocache_64.S
18212 --- linux-3.1.1/arch/x86/lib/copy_user_nocache_64.S     2011-11-11 15:19:27.000000000 -0500
18213 +++ linux-3.1.1/arch/x86/lib/copy_user_nocache_64.S     2011-11-16 18:39:07.000000000 -0500
18214 @@ -8,12 +8,14 @@
18215  
18216  #include <linux/linkage.h>
18217  #include <asm/dwarf2.h>
18218 +#include <asm/alternative-asm.h>
18219  
18220  #define FIX_ALIGNMENT 1
18221  
18222  #include <asm/current.h>
18223  #include <asm/asm-offsets.h>
18224  #include <asm/thread_info.h>
18225 +#include <asm/pgtable.h>
18226  
18227         .macro ALIGN_DESTINATION
18228  #ifdef FIX_ALIGNMENT
18229 @@ -50,6 +52,15 @@
18230   */
18231  ENTRY(__copy_user_nocache)
18232         CFI_STARTPROC
18233 +
18234 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18235 +       mov $PAX_USER_SHADOW_BASE,%rcx
18236 +       cmp %rcx,%rsi
18237 +       jae 1f
18238 +       add %rcx,%rsi
18239 +1:
18240 +#endif
18241 +
18242         cmpl $8,%edx
18243         jb 20f          /* less then 8 bytes, go to byte copy loop */
18244         ALIGN_DESTINATION
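Review bot: The five-instruction `PAX_USER_SHADOW_BASE` adjustment of %rsi carries no comment and is repeated verbatim in getuser.S (`__get_user_1/2/4/8`) and in C form in csum-wrappers_64.c; a shared macro, if the patch does not already provide one elsewhere, would keep the translation in one place. Something like `/* UDEREF: user pointers below PAX_USER_SHADOW_BASE are accessed through the shadow mapping */` would explain why the source pointer is rewritten before the copy — the precise meaning of the base should be confirmed against its definition in the pgtable.h included above. Note that %rcx is clobbered here before the original body's first use of it, which is fine only as long as that body never expects %rcx to hold an incoming value; the rest of `__copy_user_nocache` lies outside the hunk.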
18245 @@ -98,6 +109,7 @@ ENTRY(__copy_user_nocache)
18246         jnz 21b
18247  23:    xorl %eax,%eax
18248         sfence
18249 +       pax_force_retaddr
18250         ret
18251  
18252         .section .fixup,"ax"
18253 diff -urNp linux-3.1.1/arch/x86/lib/csum-copy_64.S linux-3.1.1/arch/x86/lib/csum-copy_64.S
18254 --- linux-3.1.1/arch/x86/lib/csum-copy_64.S     2011-11-11 15:19:27.000000000 -0500
18255 +++ linux-3.1.1/arch/x86/lib/csum-copy_64.S     2011-11-16 18:39:07.000000000 -0500
18256 @@ -8,6 +8,7 @@
18257  #include <linux/linkage.h>
18258  #include <asm/dwarf2.h>
18259  #include <asm/errno.h>
18260 +#include <asm/alternative-asm.h>
18261  
18262  /*
18263   * Checksum copy with exception handling.
18264 @@ -228,6 +229,7 @@ ENTRY(csum_partial_copy_generic)
18265         CFI_RESTORE rbp
18266         addq $7*8, %rsp
18267         CFI_ADJUST_CFA_OFFSET -7*8
18268 +       pax_force_retaddr
18269         ret
18270         CFI_RESTORE_STATE
18271  
18272 diff -urNp linux-3.1.1/arch/x86/lib/csum-wrappers_64.c linux-3.1.1/arch/x86/lib/csum-wrappers_64.c
18273 --- linux-3.1.1/arch/x86/lib/csum-wrappers_64.c 2011-11-11 15:19:27.000000000 -0500
18274 +++ linux-3.1.1/arch/x86/lib/csum-wrappers_64.c 2011-11-16 18:39:07.000000000 -0500
18275 @@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void _
18276                         len -= 2;
18277                 }
18278         }
18279 -       isum = csum_partial_copy_generic((__force const void *)src,
18280 +
18281 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18282 +       if ((unsigned long)src < PAX_USER_SHADOW_BASE)
18283 +               src += PAX_USER_SHADOW_BASE;
18284 +#endif
18285 +
18286 +       isum = csum_partial_copy_generic((const void __force_kernel *)src,
18287                                 dst, len, isum, errp, NULL);
18288         if (unlikely(*errp))
18289                 goto out_err;
18290 @@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *sr
18291         }
18292  
18293         *errp = 0;
18294 -       return csum_partial_copy_generic(src, (void __force *)dst,
18295 +
18296 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18297 +       if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
18298 +               dst += PAX_USER_SHADOW_BASE;
18299 +#endif
18300 +
18301 +       return csum_partial_copy_generic(src, (void __force_kernel *)dst,
18302                                          len, isum, NULL, errp);
18303  }
18304  EXPORT_SYMBOL(csum_partial_copy_to_user);
18305 diff -urNp linux-3.1.1/arch/x86/lib/getuser.S linux-3.1.1/arch/x86/lib/getuser.S
18306 --- linux-3.1.1/arch/x86/lib/getuser.S  2011-11-11 15:19:27.000000000 -0500
18307 +++ linux-3.1.1/arch/x86/lib/getuser.S  2011-11-16 18:39:07.000000000 -0500
18308 @@ -33,15 +33,38 @@
18309  #include <asm/asm-offsets.h>
18310  #include <asm/thread_info.h>
18311  #include <asm/asm.h>
18312 +#include <asm/segment.h>
18313 +#include <asm/pgtable.h>
18314 +#include <asm/alternative-asm.h>
18315 +
18316 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18317 +#define __copyuser_seg gs;
18318 +#else
18319 +#define __copyuser_seg
18320 +#endif
18321  
18322         .text
18323  ENTRY(__get_user_1)
18324         CFI_STARTPROC
18325 +
18326 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18327         GET_THREAD_INFO(%_ASM_DX)
18328         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18329         jae bad_get_user
18330 -1:     movzb (%_ASM_AX),%edx
18331 +
18332 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18333 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18334 +       cmp %_ASM_DX,%_ASM_AX
18335 +       jae 1234f
18336 +       add %_ASM_DX,%_ASM_AX
18337 +1234:
18338 +#endif
18339 +
18340 +#endif
18341 +
18342 +1:     __copyuser_seg movzb (%_ASM_AX),%edx
18343         xor %eax,%eax
18344 +       pax_force_retaddr
18345         ret
18346         CFI_ENDPROC
18347  ENDPROC(__get_user_1)
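Review bot: Under 32-bit `CONFIG_PAX_MEMORY_UDEREF` the `TI_addr_limit` compare and `jae bad_get_user` are compiled out, and in `__get_user_2`/`__get_user_4` (next two hunks) so is the `jc bad_get_user` that catches address wrap-around from the preceding `add`; the access then relies entirely on the `%gs` segment limit to fault for any out-of-range or wrapped address. That assumption is not written down; a comment above the `#if`, e.g. `/* 32-bit UDEREF: the %gs limit bounds user space, so no explicit addr_limit or carry check */`, would record it, and it is worth confirming that a wrapped address does fault under the limit before the carry check is dropped. `__copyuser_seg` being defined as `gs;` also deserves a comment, since it relies on the assembler treating a bare segment register followed by `;` as a prefix on the next instruction, an idiom many readers will not recognise.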
18348 @@ -49,12 +72,26 @@ ENDPROC(__get_user_1)
18349  ENTRY(__get_user_2)
18350         CFI_STARTPROC
18351         add $1,%_ASM_AX
18352 +
18353 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18354         jc bad_get_user
18355         GET_THREAD_INFO(%_ASM_DX)
18356         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18357         jae bad_get_user
18358 -2:     movzwl -1(%_ASM_AX),%edx
18359 +
18360 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18361 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18362 +       cmp %_ASM_DX,%_ASM_AX
18363 +       jae 1234f
18364 +       add %_ASM_DX,%_ASM_AX
18365 +1234:
18366 +#endif
18367 +
18368 +#endif
18369 +
18370 +2:     __copyuser_seg movzwl -1(%_ASM_AX),%edx
18371         xor %eax,%eax
18372 +       pax_force_retaddr
18373         ret
18374         CFI_ENDPROC
18375  ENDPROC(__get_user_2)
18376 @@ -62,12 +99,26 @@ ENDPROC(__get_user_2)
18377  ENTRY(__get_user_4)
18378         CFI_STARTPROC
18379         add $3,%_ASM_AX
18380 +
18381 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18382         jc bad_get_user
18383         GET_THREAD_INFO(%_ASM_DX)
18384         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18385         jae bad_get_user
18386 -3:     mov -3(%_ASM_AX),%edx
18387 +
18388 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18389 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18390 +       cmp %_ASM_DX,%_ASM_AX
18391 +       jae 1234f
18392 +       add %_ASM_DX,%_ASM_AX
18393 +1234:
18394 +#endif
18395 +
18396 +#endif
18397 +
18398 +3:     __copyuser_seg mov -3(%_ASM_AX),%edx
18399         xor %eax,%eax
18400 +       pax_force_retaddr
18401         ret
18402         CFI_ENDPROC
18403  ENDPROC(__get_user_4)
18404 @@ -80,8 +131,18 @@ ENTRY(__get_user_8)
18405         GET_THREAD_INFO(%_ASM_DX)
18406         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18407         jae     bad_get_user
18408 +
18409 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18410 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18411 +       cmp %_ASM_DX,%_ASM_AX
18412 +       jae 1234f
18413 +       add %_ASM_DX,%_ASM_AX
18414 +1234:
18415 +#endif
18416 +
18417  4:     movq -7(%_ASM_AX),%_ASM_DX
18418         xor %eax,%eax
18419 +       pax_force_retaddr
18420         ret
18421         CFI_ENDPROC
18422  ENDPROC(__get_user_8)
18423 @@ -91,6 +152,7 @@ bad_get_user:
18424         CFI_STARTPROC
18425         xor %edx,%edx
18426         mov $(-EFAULT),%_ASM_AX
18427 +       pax_force_retaddr
18428         ret
18429         CFI_ENDPROC
18430  END(bad_get_user)
18431 diff -urNp linux-3.1.1/arch/x86/lib/insn.c linux-3.1.1/arch/x86/lib/insn.c
18432 --- linux-3.1.1/arch/x86/lib/insn.c     2011-11-11 15:19:27.000000000 -0500
18433 +++ linux-3.1.1/arch/x86/lib/insn.c     2011-11-16 18:39:07.000000000 -0500
18434 @@ -21,6 +21,11 @@
18435  #include <linux/string.h>
18436  #include <asm/inat.h>
18437  #include <asm/insn.h>
18438 +#ifdef __KERNEL__
18439 +#include <asm/pgtable_types.h>
18440 +#else
18441 +#define ktla_ktva(addr) addr
18442 +#endif
18443  
18444  #define get_next(t, insn)      \
18445         ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
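Review bot: The non-kernel fallback `#define ktla_ktva(addr) addr` leaves the macro argument unparenthesized; `#define ktla_ktva(addr) (addr)` keeps it safe if it is ever applied to an expression rather than a plain identifier and matches the parenthesized style of the `get_next` macro below. The `#ifdef __KERNEL__` split shows this file is evidently also built outside the kernel, and the kernel branch presumably obtains the real `ktla_ktva` from `<asm/pgtable_types.h>`; a one-line comment on the `#ifdef`, e.g. `/* ktla_ktva() is only meaningful in-kernel; identity when built for user-space tools */`, would explain why the include is conditional.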
18446 @@ -40,8 +45,8 @@
18447  void insn_init(struct insn *insn, const void *kaddr, int x86_64)
18448  {
18449         memset(insn, 0, sizeof(*insn));
18450 -       insn->kaddr = kaddr;
18451 -       insn->next_byte = kaddr;
18452 +       insn->kaddr = ktla_ktva(kaddr);
18453 +       insn->next_byte = ktla_ktva(kaddr);
18454         insn->x86_64 = x86_64 ? 1 : 0;
18455         insn->opnd_bytes = 4;
18456         if (x86_64)
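Review bot: `insn_init` now stores `ktla_ktva(kaddr)` in both `insn->kaddr` and `insn->next_byte`, so `insn->kaddr` no longer equals the caller's argument whenever the translation is not an identity, and nothing on these lines records that. A comment on the first assignment, e.g. `/* decode through ktla_ktva(kaddr); insn->kaddr may therefore differ from the pointer passed in */`, states the new contract. If any caller compares `insn->kaddr` back against its original pointer (the call sites are outside this view), that comparison needs the same translation, which is worth checking.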
18457 diff -urNp linux-3.1.1/arch/x86/lib/iomap_copy_64.S linux-3.1.1/arch/x86/lib/iomap_copy_64.S
18458 --- linux-3.1.1/arch/x86/lib/iomap_copy_64.S    2011-11-11 15:19:27.000000000 -0500
18459 +++ linux-3.1.1/arch/x86/lib/iomap_copy_64.S    2011-11-16 18:39:07.000000000 -0500
18460 @@ -17,6 +17,7 @@
18461  
18462  #include <linux/linkage.h>
18463  #include <asm/dwarf2.h>
18464 +#include <asm/alternative-asm.h>
18465  
18466  /*
18467   * override generic version in lib/iomap_copy.c
18468 @@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
18469         CFI_STARTPROC
18470         movl %edx,%ecx
18471         rep movsd
18472 +       pax_force_retaddr
18473         ret
18474         CFI_ENDPROC
18475  ENDPROC(__iowrite32_copy)
18476 diff -urNp linux-3.1.1/arch/x86/lib/memcpy_64.S linux-3.1.1/arch/x86/lib/memcpy_64.S
18477 --- linux-3.1.1/arch/x86/lib/memcpy_64.S        2011-11-11 15:19:27.000000000 -0500
18478 +++ linux-3.1.1/arch/x86/lib/memcpy_64.S        2011-11-16 18:39:07.000000000 -0500
18479 @@ -34,6 +34,7 @@
18480         rep movsq
18481         movl %edx, %ecx
18482         rep movsb
18483 +       pax_force_retaddr
18484         ret
18485  .Lmemcpy_e:
18486         .previous
18487 @@ -51,6 +52,7 @@
18488  
18489         movl %edx, %ecx
18490         rep movsb
18491 +       pax_force_retaddr
18492         ret
18493  .Lmemcpy_e_e:
18494         .previous
18495 @@ -141,6 +143,7 @@ ENTRY(memcpy)
18496         movq %r9,       1*8(%rdi)
18497         movq %r10,      -2*8(%rdi, %rdx)
18498         movq %r11,      -1*8(%rdi, %rdx)
18499 +       pax_force_retaddr
18500         retq
18501         .p2align 4
18502  .Lless_16bytes:
18503 @@ -153,6 +156,7 @@ ENTRY(memcpy)
18504         movq -1*8(%rsi, %rdx),  %r9
18505         movq %r8,       0*8(%rdi)
18506         movq %r9,       -1*8(%rdi, %rdx)
18507 +       pax_force_retaddr
18508         retq
18509         .p2align 4
18510  .Lless_8bytes:
18511 @@ -166,6 +170,7 @@ ENTRY(memcpy)
18512         movl -4(%rsi, %rdx), %r8d
18513         movl %ecx, (%rdi)
18514         movl %r8d, -4(%rdi, %rdx)
18515 +       pax_force_retaddr
18516         retq
18517         .p2align 4
18518  .Lless_3bytes:
18519 @@ -183,6 +188,7 @@ ENTRY(memcpy)
18520         jnz .Lloop_1
18521  
18522  .Lend:
18523 +       pax_force_retaddr
18524         retq
18525         CFI_ENDPROC
18526  ENDPROC(memcpy)
18527 diff -urNp linux-3.1.1/arch/x86/lib/memmove_64.S linux-3.1.1/arch/x86/lib/memmove_64.S
18528 --- linux-3.1.1/arch/x86/lib/memmove_64.S       2011-11-11 15:19:27.000000000 -0500
18529 +++ linux-3.1.1/arch/x86/lib/memmove_64.S       2011-11-16 18:39:07.000000000 -0500
18530 @@ -202,6 +202,7 @@ ENTRY(memmove)
18531         movb (%rsi), %r11b
18532         movb %r11b, (%rdi)
18533  13:
18534 +       pax_force_retaddr
18535         retq
18536         CFI_ENDPROC
18537  
18538 @@ -210,6 +211,7 @@ ENTRY(memmove)
18539         /* Forward moving data. */
18540         movq %rdx, %rcx
18541         rep movsb
18542 +       pax_force_retaddr
18543         retq
18544  .Lmemmove_end_forward_efs:
18545         .previous
18546 diff -urNp linux-3.1.1/arch/x86/lib/memset_64.S linux-3.1.1/arch/x86/lib/memset_64.S
18547 --- linux-3.1.1/arch/x86/lib/memset_64.S        2011-11-11 15:19:27.000000000 -0500
18548 +++ linux-3.1.1/arch/x86/lib/memset_64.S        2011-11-16 18:39:07.000000000 -0500
18549 @@ -31,6 +31,7 @@
18550         movl %r8d,%ecx
18551         rep stosb
18552         movq %r9,%rax
18553 +       pax_force_retaddr
18554         ret
18555  .Lmemset_e:
18556         .previous
18557 @@ -53,6 +54,7 @@
18558         movl %edx,%ecx
18559         rep stosb
18560         movq %r9,%rax
18561 +       pax_force_retaddr
18562         ret
18563  .Lmemset_e_e:
18564         .previous
18565 @@ -121,6 +123,7 @@ ENTRY(__memset)
18566  
18567  .Lende:
18568         movq    %r10,%rax
18569 +       pax_force_retaddr
18570         ret
18571  
18572         CFI_RESTORE_STATE
18573 diff -urNp linux-3.1.1/arch/x86/lib/mmx_32.c linux-3.1.1/arch/x86/lib/mmx_32.c
18574 --- linux-3.1.1/arch/x86/lib/mmx_32.c   2011-11-11 15:19:27.000000000 -0500
18575 +++ linux-3.1.1/arch/x86/lib/mmx_32.c   2011-11-16 18:39:07.000000000 -0500
18576 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
18577  {
18578         void *p;
18579         int i;
18580 +       unsigned long cr0;
18581  
18582         if (unlikely(in_interrupt()))
18583                 return __memcpy(to, from, len);
18584 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
18585         kernel_fpu_begin();
18586  
18587         __asm__ __volatile__ (
18588 -               "1: prefetch (%0)\n"            /* This set is 28 bytes */
18589 -               "   prefetch 64(%0)\n"
18590 -               "   prefetch 128(%0)\n"
18591 -               "   prefetch 192(%0)\n"
18592 -               "   prefetch 256(%0)\n"
18593 +               "1: prefetch (%1)\n"            /* This set is 28 bytes */
18594 +               "   prefetch 64(%1)\n"
18595 +               "   prefetch 128(%1)\n"
18596 +               "   prefetch 192(%1)\n"
18597 +               "   prefetch 256(%1)\n"
18598                 "2:  \n"
18599                 ".section .fixup, \"ax\"\n"
18600 -               "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18601 +               "3:  \n"
18602 +
18603 +#ifdef CONFIG_PAX_KERNEXEC
18604 +               "   movl %%cr0, %0\n"
18605 +               "   movl %0, %%eax\n"
18606 +               "   andl $0xFFFEFFFF, %%eax\n"
18607 +               "   movl %%eax, %%cr0\n"
18608 +#endif
18609 +
18610 +               "   movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18611 +
18612 +#ifdef CONFIG_PAX_KERNEXEC
18613 +               "   movl %0, %%cr0\n"
18614 +#endif
18615 +
18616                 "   jmp 2b\n"
18617                 ".previous\n"
18618                         _ASM_EXTABLE(1b, 3b)
18619 -                       : : "r" (from));
18620 +                       : "=&r" (cr0) : "r" (from) : "ax");
18621  
18622         for ( ; i > 5; i--) {
18623                 __asm__ __volatile__ (
18624 -               "1:  prefetch 320(%0)\n"
18625 -               "2:  movq (%0), %%mm0\n"
18626 -               "  movq 8(%0), %%mm1\n"
18627 -               "  movq 16(%0), %%mm2\n"
18628 -               "  movq 24(%0), %%mm3\n"
18629 -               "  movq %%mm0, (%1)\n"
18630 -               "  movq %%mm1, 8(%1)\n"
18631 -               "  movq %%mm2, 16(%1)\n"
18632 -               "  movq %%mm3, 24(%1)\n"
18633 -               "  movq 32(%0), %%mm0\n"
18634 -               "  movq 40(%0), %%mm1\n"
18635 -               "  movq 48(%0), %%mm2\n"
18636 -               "  movq 56(%0), %%mm3\n"
18637 -               "  movq %%mm0, 32(%1)\n"
18638 -               "  movq %%mm1, 40(%1)\n"
18639 -               "  movq %%mm2, 48(%1)\n"
18640 -               "  movq %%mm3, 56(%1)\n"
18641 +               "1:  prefetch 320(%1)\n"
18642 +               "2:  movq (%1), %%mm0\n"
18643 +               "  movq 8(%1), %%mm1\n"
18644 +               "  movq 16(%1), %%mm2\n"
18645 +               "  movq 24(%1), %%mm3\n"
18646 +               "  movq %%mm0, (%2)\n"
18647 +               "  movq %%mm1, 8(%2)\n"
18648 +               "  movq %%mm2, 16(%2)\n"
18649 +               "  movq %%mm3, 24(%2)\n"
18650 +               "  movq 32(%1), %%mm0\n"
18651 +               "  movq 40(%1), %%mm1\n"
18652 +               "  movq 48(%1), %%mm2\n"
18653 +               "  movq 56(%1), %%mm3\n"
18654 +               "  movq %%mm0, 32(%2)\n"
18655 +               "  movq %%mm1, 40(%2)\n"
18656 +               "  movq %%mm2, 48(%2)\n"
18657 +               "  movq %%mm3, 56(%2)\n"
18658                 ".section .fixup, \"ax\"\n"
18659 -               "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18660 +               "3:\n"
18661 +
18662 +#ifdef CONFIG_PAX_KERNEXEC
18663 +               "   movl %%cr0, %0\n"
18664 +               "   movl %0, %%eax\n"
18665 +               "   andl $0xFFFEFFFF, %%eax\n"
18666 +               "   movl %%eax, %%cr0\n"
18667 +#endif
18668 +
18669 +               "   movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18670 +
18671 +#ifdef CONFIG_PAX_KERNEXEC
18672 +               "   movl %0, %%cr0\n"
18673 +#endif
18674 +
18675                 "   jmp 2b\n"
18676                 ".previous\n"
18677                         _ASM_EXTABLE(1b, 3b)
18678 -                       : : "r" (from), "r" (to) : "memory");
18679 +                       : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18680  
18681                 from += 64;
18682                 to += 64;
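Review bot: The `.fixup` code now clears and restores `%cr0` around the self-patching `movw $0x1AEB, 1b` using the bare mask `$0xFFFEFFFF`, with nothing saying that this drops CR0.WP (bit 16) so that the write into the prefetch site in kernel text is permitted; put that on the block, e.g. `/* KERNEXEC: kernel text is read-only, clear CR0.WP while the prefetch at 1b is turned into a jmp, then restore it */`. The identical open/patch/close sequence is pasted six times across this hunk and the two `fast_copy_page` hunks below (@@ -166 and @@ -280); a single string macro taking the patch instruction as its argument would keep the copies from drifting. Nothing in the sequence masks interrupts, so any handler that runs inside the window executes with write protection off; preemption is presumably already disabled via `kernel_fpu_begin()` on the entry path, but whether that window is acceptable should be confirmed against how the rest of the KERNEXEC code opens the kernel. `_mmx_memcpy` begins before this hunk and continues after it.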
18683 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
18684  static void fast_copy_page(void *to, void *from)
18685  {
18686         int i;
18687 +       unsigned long cr0;
18688  
18689         kernel_fpu_begin();
18690  
18691 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
18692          * but that is for later. -AV
18693          */
18694         __asm__ __volatile__(
18695 -               "1: prefetch (%0)\n"
18696 -               "   prefetch 64(%0)\n"
18697 -               "   prefetch 128(%0)\n"
18698 -               "   prefetch 192(%0)\n"
18699 -               "   prefetch 256(%0)\n"
18700 +               "1: prefetch (%1)\n"
18701 +               "   prefetch 64(%1)\n"
18702 +               "   prefetch 128(%1)\n"
18703 +               "   prefetch 192(%1)\n"
18704 +               "   prefetch 256(%1)\n"
18705                 "2:  \n"
18706                 ".section .fixup, \"ax\"\n"
18707 -               "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18708 +               "3:  \n"
18709 +
18710 +#ifdef CONFIG_PAX_KERNEXEC
18711 +               "   movl %%cr0, %0\n"
18712 +               "   movl %0, %%eax\n"
18713 +               "   andl $0xFFFEFFFF, %%eax\n"
18714 +               "   movl %%eax, %%cr0\n"
18715 +#endif
18716 +
18717 +               "   movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18718 +
18719 +#ifdef CONFIG_PAX_KERNEXEC
18720 +               "   movl %0, %%cr0\n"
18721 +#endif
18722 +
18723                 "   jmp 2b\n"
18724                 ".previous\n"
18725 -                       _ASM_EXTABLE(1b, 3b) : : "r" (from));
18726 +                       _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
18727  
18728         for (i = 0; i < (4096-320)/64; i++) {
18729                 __asm__ __volatile__ (
18730 -               "1: prefetch 320(%0)\n"
18731 -               "2: movq (%0), %%mm0\n"
18732 -               "   movntq %%mm0, (%1)\n"
18733 -               "   movq 8(%0), %%mm1\n"
18734 -               "   movntq %%mm1, 8(%1)\n"
18735 -               "   movq 16(%0), %%mm2\n"
18736 -               "   movntq %%mm2, 16(%1)\n"
18737 -               "   movq 24(%0), %%mm3\n"
18738 -               "   movntq %%mm3, 24(%1)\n"
18739 -               "   movq 32(%0), %%mm4\n"
18740 -               "   movntq %%mm4, 32(%1)\n"
18741 -               "   movq 40(%0), %%mm5\n"
18742 -               "   movntq %%mm5, 40(%1)\n"
18743 -               "   movq 48(%0), %%mm6\n"
18744 -               "   movntq %%mm6, 48(%1)\n"
18745 -               "   movq 56(%0), %%mm7\n"
18746 -               "   movntq %%mm7, 56(%1)\n"
18747 +               "1: prefetch 320(%1)\n"
18748 +               "2: movq (%1), %%mm0\n"
18749 +               "   movntq %%mm0, (%2)\n"
18750 +               "   movq 8(%1), %%mm1\n"
18751 +               "   movntq %%mm1, 8(%2)\n"
18752 +               "   movq 16(%1), %%mm2\n"
18753 +               "   movntq %%mm2, 16(%2)\n"
18754 +               "   movq 24(%1), %%mm3\n"
18755 +               "   movntq %%mm3, 24(%2)\n"
18756 +               "   movq 32(%1), %%mm4\n"
18757 +               "   movntq %%mm4, 32(%2)\n"
18758 +               "   movq 40(%1), %%mm5\n"
18759 +               "   movntq %%mm5, 40(%2)\n"
18760 +               "   movq 48(%1), %%mm6\n"
18761 +               "   movntq %%mm6, 48(%2)\n"
18762 +               "   movq 56(%1), %%mm7\n"
18763 +               "   movntq %%mm7, 56(%2)\n"
18764                 ".section .fixup, \"ax\"\n"
18765 -               "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18766 +               "3:\n"
18767 +
18768 +#ifdef CONFIG_PAX_KERNEXEC
18769 +               "   movl %%cr0, %0\n"
18770 +               "   movl %0, %%eax\n"
18771 +               "   andl $0xFFFEFFFF, %%eax\n"
18772 +               "   movl %%eax, %%cr0\n"
18773 +#endif
18774 +
18775 +               "   movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18776 +
18777 +#ifdef CONFIG_PAX_KERNEXEC
18778 +               "   movl %0, %%cr0\n"
18779 +#endif
18780 +
18781                 "   jmp 2b\n"
18782                 ".previous\n"
18783 -               _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
18784 +               _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18785  
18786                 from += 64;
18787                 to += 64;
18788 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
18789  static void fast_copy_page(void *to, void *from)
18790  {
18791         int i;
18792 +       unsigned long cr0;
18793  
18794         kernel_fpu_begin();
18795  
18796         __asm__ __volatile__ (
18797 -               "1: prefetch (%0)\n"
18798 -               "   prefetch 64(%0)\n"
18799 -               "   prefetch 128(%0)\n"
18800 -               "   prefetch 192(%0)\n"
18801 -               "   prefetch 256(%0)\n"
18802 +               "1: prefetch (%1)\n"
18803 +               "   prefetch 64(%1)\n"
18804 +               "   prefetch 128(%1)\n"
18805 +               "   prefetch 192(%1)\n"
18806 +               "   prefetch 256(%1)\n"
18807                 "2:  \n"
18808                 ".section .fixup, \"ax\"\n"
18809 -               "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18810 +               "3:  \n"
18811 +
18812 +#ifdef CONFIG_PAX_KERNEXEC
18813 +               "   movl %%cr0, %0\n"
18814 +               "   movl %0, %%eax\n"
18815 +               "   andl $0xFFFEFFFF, %%eax\n"
18816 +               "   movl %%eax, %%cr0\n"
18817 +#endif
18818 +
18819 +               "   movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18820 +
18821 +#ifdef CONFIG_PAX_KERNEXEC
18822 +               "   movl %0, %%cr0\n"
18823 +#endif
18824 +
18825                 "   jmp 2b\n"
18826                 ".previous\n"
18827 -                       _ASM_EXTABLE(1b, 3b) : : "r" (from));
18828 +                       _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
18829  
18830         for (i = 0; i < 4096/64; i++) {
18831                 __asm__ __volatile__ (
18832 -               "1: prefetch 320(%0)\n"
18833 -               "2: movq (%0), %%mm0\n"
18834 -               "   movq 8(%0), %%mm1\n"
18835 -               "   movq 16(%0), %%mm2\n"
18836 -               "   movq 24(%0), %%mm3\n"
18837 -               "   movq %%mm0, (%1)\n"
18838 -               "   movq %%mm1, 8(%1)\n"
18839 -               "   movq %%mm2, 16(%1)\n"
18840 -               "   movq %%mm3, 24(%1)\n"
18841 -               "   movq 32(%0), %%mm0\n"
18842 -               "   movq 40(%0), %%mm1\n"
18843 -               "   movq 48(%0), %%mm2\n"
18844 -               "   movq 56(%0), %%mm3\n"
18845 -               "   movq %%mm0, 32(%1)\n"
18846 -               "   movq %%mm1, 40(%1)\n"
18847 -               "   movq %%mm2, 48(%1)\n"
18848 -               "   movq %%mm3, 56(%1)\n"
18849 +               "1: prefetch 320(%1)\n"
18850 +               "2: movq (%1), %%mm0\n"
18851 +               "   movq 8(%1), %%mm1\n"
18852 +               "   movq 16(%1), %%mm2\n"
18853 +               "   movq 24(%1), %%mm3\n"
18854 +               "   movq %%mm0, (%2)\n"
18855 +               "   movq %%mm1, 8(%2)\n"
18856 +               "   movq %%mm2, 16(%2)\n"
18857 +               "   movq %%mm3, 24(%2)\n"
18858 +               "   movq 32(%1), %%mm0\n"
18859 +               "   movq 40(%1), %%mm1\n"
18860 +               "   movq 48(%1), %%mm2\n"
18861 +               "   movq 56(%1), %%mm3\n"
18862 +               "   movq %%mm0, 32(%2)\n"
18863 +               "   movq %%mm1, 40(%2)\n"
18864 +               "   movq %%mm2, 48(%2)\n"
18865 +               "   movq %%mm3, 56(%2)\n"
18866                 ".section .fixup, \"ax\"\n"
18867 -               "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18868 +               "3:\n"
18869 +
18870 +#ifdef CONFIG_PAX_KERNEXEC
18871 +               "   movl %%cr0, %0\n"
18872 +               "   movl %0, %%eax\n"
18873 +               "   andl $0xFFFEFFFF, %%eax\n"
18874 +               "   movl %%eax, %%cr0\n"
18875 +#endif
18876 +
18877 +               "   movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18878 +
18879 +#ifdef CONFIG_PAX_KERNEXEC
18880 +               "   movl %0, %%cr0\n"
18881 +#endif
18882 +
18883                 "   jmp 2b\n"
18884                 ".previous\n"
18885                         _ASM_EXTABLE(1b, 3b)
18886 -                       : : "r" (from), "r" (to) : "memory");
18887 +                       : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18888  
18889                 from += 64;
18890                 to += 64;
18891 diff -urNp linux-3.1.1/arch/x86/lib/msr-reg.S linux-3.1.1/arch/x86/lib/msr-reg.S
18892 --- linux-3.1.1/arch/x86/lib/msr-reg.S  2011-11-11 15:19:27.000000000 -0500
18893 +++ linux-3.1.1/arch/x86/lib/msr-reg.S  2011-11-16 18:39:07.000000000 -0500
18894 @@ -3,6 +3,7 @@
18895  #include <asm/dwarf2.h>
18896  #include <asm/asm.h>
18897  #include <asm/msr.h>
18898 +#include <asm/alternative-asm.h>
18899  
18900  #ifdef CONFIG_X86_64
18901  /*
18902 @@ -37,6 +38,7 @@ ENTRY(native_\op\()_safe_regs)
18903         movl    %edi, 28(%r10)
18904         popq_cfi %rbp
18905         popq_cfi %rbx
18906 +       pax_force_retaddr
18907         ret
18908  3:
18909         CFI_RESTORE_STATE
18910 diff -urNp linux-3.1.1/arch/x86/lib/putuser.S linux-3.1.1/arch/x86/lib/putuser.S
18911 --- linux-3.1.1/arch/x86/lib/putuser.S  2011-11-11 15:19:27.000000000 -0500
18912 +++ linux-3.1.1/arch/x86/lib/putuser.S  2011-11-16 18:39:07.000000000 -0500
18913 @@ -15,7 +15,9 @@
18914  #include <asm/thread_info.h>
18915  #include <asm/errno.h>
18916  #include <asm/asm.h>
18917 -
18918 +#include <asm/segment.h>
18919 +#include <asm/pgtable.h>
18920 +#include <asm/alternative-asm.h>
18921  
18922  /*
18923   * __put_user_X
18924 @@ -29,52 +31,119 @@
18925   * as they get called from within inline assembly.
18926   */
18927  
18928 -#define ENTER  CFI_STARTPROC ; \
18929 -               GET_THREAD_INFO(%_ASM_BX)
18930 -#define EXIT   ret ; \
18931 +#define ENTER  CFI_STARTPROC
18932 +#define EXIT   pax_force_retaddr; ret ; \
18933                 CFI_ENDPROC
18934  
18935 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18936 +#define _DEST %_ASM_CX,%_ASM_BX
18937 +#else
18938 +#define _DEST %_ASM_CX
18939 +#endif
18940 +
18941 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18942 +#define __copyuser_seg gs;
18943 +#else
18944 +#define __copyuser_seg
18945 +#endif
18946 +
18947  .text
18948  ENTRY(__put_user_1)
18949         ENTER
18950 +
18951 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18952 +       GET_THREAD_INFO(%_ASM_BX)
18953         cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
18954         jae bad_put_user
18955 -1:     movb %al,(%_ASM_CX)
18956 +
18957 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18958 +       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18959 +       cmp %_ASM_BX,%_ASM_CX
18960 +       jb 1234f
18961 +       xor %ebx,%ebx
18962 +1234:
18963 +#endif
18964 +
18965 +#endif
18966 +
18967 +1:     __copyuser_seg movb %al,(_DEST)
18968         xor %eax,%eax
18969         EXIT
18970  ENDPROC(__put_user_1)
18971  
18972  ENTRY(__put_user_2)
18973         ENTER
18974 +
18975 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18976 +       GET_THREAD_INFO(%_ASM_BX)
18977         mov TI_addr_limit(%_ASM_BX),%_ASM_BX
18978         sub $1,%_ASM_BX
18979         cmp %_ASM_BX,%_ASM_CX
18980         jae bad_put_user
18981 -2:     movw %ax,(%_ASM_CX)
18982 +
18983 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18984 +       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18985 +       cmp %_ASM_BX,%_ASM_CX
18986 +       jb 1234f
18987 +       xor %ebx,%ebx
18988 +1234:
18989 +#endif
18990 +
18991 +#endif
18992 +
18993 +2:     __copyuser_seg movw %ax,(_DEST)
18994         xor %eax,%eax
18995         EXIT
18996  ENDPROC(__put_user_2)
18997  
18998  ENTRY(__put_user_4)
18999         ENTER
19000 +
19001 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19002 +       GET_THREAD_INFO(%_ASM_BX)
19003         mov TI_addr_limit(%_ASM_BX),%_ASM_BX
19004         sub $3,%_ASM_BX
19005         cmp %_ASM_BX,%_ASM_CX
19006         jae bad_put_user
19007 -3:     movl %eax,(%_ASM_CX)
19008 +
19009 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19010 +       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19011 +       cmp %_ASM_BX,%_ASM_CX
19012 +       jb 1234f
19013 +       xor %ebx,%ebx
19014 +1234:
19015 +#endif
19016 +
19017 +#endif
19018 +
19019 +3:     __copyuser_seg movl %eax,(_DEST)
19020         xor %eax,%eax
19021         EXIT
19022  ENDPROC(__put_user_4)
19023  
19024  ENTRY(__put_user_8)
19025         ENTER
19026 +
19027 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19028 +       GET_THREAD_INFO(%_ASM_BX)
19029         mov TI_addr_limit(%_ASM_BX),%_ASM_BX
19030         sub $7,%_ASM_BX
19031         cmp %_ASM_BX,%_ASM_CX
19032         jae bad_put_user
19033 -4:     mov %_ASM_AX,(%_ASM_CX)
19034 +
19035 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19036 +       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19037 +       cmp %_ASM_BX,%_ASM_CX
19038 +       jb 1234f
19039 +       xor %ebx,%ebx
19040 +1234:
19041 +#endif
19042 +
19043 +#endif
19044 +
19045 +4:     __copyuser_seg mov %_ASM_AX,(_DEST)
19046  #ifdef CONFIG_X86_32
19047 -5:     movl %edx,4(%_ASM_CX)
19048 +5:     __copyuser_seg movl %edx,4(_DEST)
19049  #endif
19050         xor %eax,%eax
19051         EXIT
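Review bot: The value of `%_ASM_BX` at `1234:` is what makes `_DEST` work on 64-bit UDEREF — it still holds `PAX_USER_SHADOW_BASE` when `%_ASM_CX` is below the base (`jb 1234f`) and is zeroed otherwise (`xor %ebx,%ebx`, which on x86-64 also clears the upper half of `%rbx`), so `(_DEST)` resolves to either the rebased or the original pointer — yet neither the `_DEST` define nor any of the four copies says so. A comment next to `#define _DEST`, e.g. `/* 64-bit UDEREF: %_ASM_BX is the shadow-base offset, or 0 if the pointer already lies above it */`, saves the next reader from reverse-engineering the branch. The guard/rebase sequence is duplicated in every `__put_user_N`; a `.macro` would keep the four copies in step with the `__get_user_N` variants in getuser.S. Under 32-bit UDEREF the `GET_THREAD_INFO`/`TI_addr_limit` comparison is compiled out for all four entries and only the `__copyuser_seg` (`gs`) prefix bounds the store, which deserves its own one-line comment above the first `#if`.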
19052 diff -urNp linux-3.1.1/arch/x86/lib/rwlock.S linux-3.1.1/arch/x86/lib/rwlock.S
19053 --- linux-3.1.1/arch/x86/lib/rwlock.S   2011-11-11 15:19:27.000000000 -0500
19054 +++ linux-3.1.1/arch/x86/lib/rwlock.S   2011-11-16 18:39:07.000000000 -0500
19055 @@ -23,6 +23,7 @@ ENTRY(__write_lock_failed)
19056         WRITE_LOCK_SUB($RW_LOCK_BIAS) (%__lock_ptr)
19057         jnz     0b
19058         ENDFRAME
19059 +       pax_force_retaddr
19060         ret
19061         CFI_ENDPROC
19062  END(__write_lock_failed)
19063 @@ -39,6 +40,7 @@ ENTRY(__read_lock_failed)
19064         READ_LOCK_SIZE(dec) (%__lock_ptr)
19065         js      0b
19066         ENDFRAME
19067 +       pax_force_retaddr
19068         ret
19069         CFI_ENDPROC
19070  END(__read_lock_failed)
19071 diff -urNp linux-3.1.1/arch/x86/lib/rwsem.S linux-3.1.1/arch/x86/lib/rwsem.S
19072 --- linux-3.1.1/arch/x86/lib/rwsem.S    2011-11-11 15:19:27.000000000 -0500
19073 +++ linux-3.1.1/arch/x86/lib/rwsem.S    2011-11-16 18:39:07.000000000 -0500
19074 @@ -94,6 +94,7 @@ ENTRY(call_rwsem_down_read_failed)
19075         __ASM_SIZE(pop,_cfi) %__ASM_REG(dx)
19076         CFI_RESTORE __ASM_REG(dx)
19077         restore_common_regs
19078 +       pax_force_retaddr
19079         ret
19080         CFI_ENDPROC
19081  ENDPROC(call_rwsem_down_read_failed)
19082 @@ -104,6 +105,7 @@ ENTRY(call_rwsem_down_write_failed)
19083         movq %rax,%rdi
19084         call rwsem_down_write_failed
19085         restore_common_regs
19086 +       pax_force_retaddr
19087         ret
19088         CFI_ENDPROC
19089  ENDPROC(call_rwsem_down_write_failed)
19090 @@ -117,7 +119,8 @@ ENTRY(call_rwsem_wake)
19091         movq %rax,%rdi
19092         call rwsem_wake
19093         restore_common_regs
19094 -1:     ret
19095 +1:     pax_force_retaddr
19096 +       ret
19097         CFI_ENDPROC
19098  ENDPROC(call_rwsem_wake)
19099  
19100 @@ -131,6 +134,7 @@ ENTRY(call_rwsem_downgrade_wake)
19101         __ASM_SIZE(pop,_cfi) %__ASM_REG(dx)
19102         CFI_RESTORE __ASM_REG(dx)
19103         restore_common_regs
19104 +       pax_force_retaddr
19105         ret
19106         CFI_ENDPROC
19107  ENDPROC(call_rwsem_downgrade_wake)
19108 diff -urNp linux-3.1.1/arch/x86/lib/thunk_64.S linux-3.1.1/arch/x86/lib/thunk_64.S
19109 --- linux-3.1.1/arch/x86/lib/thunk_64.S 2011-11-11 15:19:27.000000000 -0500
19110 +++ linux-3.1.1/arch/x86/lib/thunk_64.S 2011-11-16 18:39:07.000000000 -0500
19111 @@ -8,6 +8,7 @@
19112  #include <linux/linkage.h>
19113  #include <asm/dwarf2.h>
19114  #include <asm/calling.h>
19115 +#include <asm/alternative-asm.h>
19116  
19117         /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
19118         .macro THUNK name, func, put_ret_addr_in_rdi=0
19119 @@ -41,5 +42,6 @@
19120         SAVE_ARGS
19121  restore:
19122         RESTORE_ARGS
19123 +       pax_force_retaddr
19124         ret
19125         CFI_ENDPROC
19126 diff -urNp linux-3.1.1/arch/x86/lib/usercopy_32.c linux-3.1.1/arch/x86/lib/usercopy_32.c
19127 --- linux-3.1.1/arch/x86/lib/usercopy_32.c      2011-11-11 15:19:27.000000000 -0500
19128 +++ linux-3.1.1/arch/x86/lib/usercopy_32.c      2011-11-16 18:39:07.000000000 -0500
19129 @@ -43,7 +43,7 @@ do {                                                                     \
19130         __asm__ __volatile__(                                              \
19131                 "       testl %1,%1\n"                                     \
19132                 "       jz 2f\n"                                           \
19133 -               "0:     lodsb\n"                                           \
19134 +               "0:     "__copyuser_seg"lodsb\n"                           \
19135                 "       stosb\n"                                           \
19136                 "       testb %%al,%%al\n"                                 \
19137                 "       jz 1f\n"                                           \
19138 @@ -128,10 +128,12 @@ do {                                                                      \
19139         int __d0;                                                       \
19140         might_fault();                                                  \
19141         __asm__ __volatile__(                                           \
19142 +               __COPYUSER_SET_ES                                       \
19143                 "0:     rep; stosl\n"                                   \
19144                 "       movl %2,%0\n"                                   \
19145                 "1:     rep; stosb\n"                                   \
19146                 "2:\n"                                                  \
19147 +               __COPYUSER_RESTORE_ES                                   \
19148                 ".section .fixup,\"ax\"\n"                              \
19149                 "3:     lea 0(%2,%0,4),%0\n"                            \
19150                 "       jmp 2b\n"                                       \
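Review bot: The placement of `__COPYUSER_RESTORE_ES` after label `2:` is load-bearing — the fixup at `3:` ends with `jmp 2b`, so the fault path also passes through the restore — but nothing marks it, and a later cleanup that moves the label or the macro would leave `%es` unrestored on the error return. A short comment on the restore line, e.g. `/* keep after 2: so the .fixup path restores %es as well */`, pins the invariant; the two `strnlen_user` hunks below rely on the same ordering, with label `1:` preceding the restore. If `__COPYUSER_SET_ES` expands to instructions that need a scratch register, the asm's constraint and clobber lists, which lie outside the hunk, have to cover it; worth confirming against the macro's definition.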
19151 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s, 
19152         might_fault();
19153  
19154         __asm__ __volatile__(
19155 +               __COPYUSER_SET_ES
19156                 "       testl %0, %0\n"
19157                 "       jz 3f\n"
19158                 "       andl %0,%%ecx\n"
19159 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s, 
19160                 "       subl %%ecx,%0\n"
19161                 "       addl %0,%%eax\n"
19162                 "1:\n"
19163 +               __COPYUSER_RESTORE_ES
19164                 ".section .fixup,\"ax\"\n"
19165                 "2:     xorl %%eax,%%eax\n"
19166                 "       jmp 1b\n"
19167 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
19168  
19169  #ifdef CONFIG_X86_INTEL_USERCOPY
19170  static unsigned long
19171 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
19172 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
19173  {
19174         int d0, d1;
19175         __asm__ __volatile__(
19176 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
19177                        "       .align 2,0x90\n"
19178                        "3:     movl 0(%4), %%eax\n"
19179                        "4:     movl 4(%4), %%edx\n"
19180 -                      "5:     movl %%eax, 0(%3)\n"
19181 -                      "6:     movl %%edx, 4(%3)\n"
19182 +                      "5:     "__copyuser_seg" movl %%eax, 0(%3)\n"
19183 +                      "6:     "__copyuser_seg" movl %%edx, 4(%3)\n"
19184                        "7:     movl 8(%4), %%eax\n"
19185                        "8:     movl 12(%4),%%edx\n"
19186 -                      "9:     movl %%eax, 8(%3)\n"
19187 -                      "10:    movl %%edx, 12(%3)\n"
19188 +                      "9:     "__copyuser_seg" movl %%eax, 8(%3)\n"
19189 +                      "10:    "__copyuser_seg" movl %%edx, 12(%3)\n"
19190                        "11:    movl 16(%4), %%eax\n"
19191                        "12:    movl 20(%4), %%edx\n"
19192 -                      "13:    movl %%eax, 16(%3)\n"
19193 -                      "14:    movl %%edx, 20(%3)\n"
19194 +                      "13:    "__copyuser_seg" movl %%eax, 16(%3)\n"
19195 +                      "14:    "__copyuser_seg" movl %%edx, 20(%3)\n"
19196                        "15:    movl 24(%4), %%eax\n"
19197                        "16:    movl 28(%4), %%edx\n"
19198 -                      "17:    movl %%eax, 24(%3)\n"
19199 -                      "18:    movl %%edx, 28(%3)\n"
19200 +                      "17:    "__copyuser_seg" movl %%eax, 24(%3)\n"
19201 +                      "18:    "__copyuser_seg" movl %%edx, 28(%3)\n"
19202                        "19:    movl 32(%4), %%eax\n"
19203                        "20:    movl 36(%4), %%edx\n"
19204 -                      "21:    movl %%eax, 32(%3)\n"
19205 -                      "22:    movl %%edx, 36(%3)\n"
19206 +                      "21:    "__copyuser_seg" movl %%eax, 32(%3)\n"
19207 +                      "22:    "__copyuser_seg" movl %%edx, 36(%3)\n"
19208                        "23:    movl 40(%4), %%eax\n"
19209                        "24:    movl 44(%4), %%edx\n"
19210 -                      "25:    movl %%eax, 40(%3)\n"
19211 -                      "26:    movl %%edx, 44(%3)\n"
19212 +                      "25:    "__copyuser_seg" movl %%eax, 40(%3)\n"
19213 +                      "26:    "__copyuser_seg" movl %%edx, 44(%3)\n"
19214                        "27:    movl 48(%4), %%eax\n"
19215                        "28:    movl 52(%4), %%edx\n"
19216 -                      "29:    movl %%eax, 48(%3)\n"
19217 -                      "30:    movl %%edx, 52(%3)\n"
19218 +                      "29:    "__copyuser_seg" movl %%eax, 48(%3)\n"
19219 +                      "30:    "__copyuser_seg" movl %%edx, 52(%3)\n"
19220                        "31:    movl 56(%4), %%eax\n"
19221                        "32:    movl 60(%4), %%edx\n"
19222 -                      "33:    movl %%eax, 56(%3)\n"
19223 -                      "34:    movl %%edx, 60(%3)\n"
19224 +                      "33:    "__copyuser_seg" movl %%eax, 56(%3)\n"
19225 +                      "34:    "__copyuser_seg" movl %%edx, 60(%3)\n"
19226                        "       addl $-64, %0\n"
19227                        "       addl $64, %4\n"
19228                        "       addl $64, %3\n"
19229 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
19230                        "       shrl  $2, %0\n"
19231                        "       andl  $3, %%eax\n"
19232                        "       cld\n"
19233 +                      __COPYUSER_SET_ES
19234                        "99:    rep; movsl\n"
19235                        "36:    movl %%eax, %0\n"
19236                        "37:    rep; movsb\n"
19237                        "100:\n"
19238 +                      __COPYUSER_RESTORE_ES
19239 +                      ".section .fixup,\"ax\"\n"
19240 +                      "101:   lea 0(%%eax,%0,4),%0\n"
19241 +                      "       jmp 100b\n"
19242 +                      ".previous\n"
19243 +                      ".section __ex_table,\"a\"\n"
19244 +                      "       .align 4\n"
19245 +                      "       .long 1b,100b\n"
19246 +                      "       .long 2b,100b\n"
19247 +                      "       .long 3b,100b\n"
19248 +                      "       .long 4b,100b\n"
19249 +                      "       .long 5b,100b\n"
19250 +                      "       .long 6b,100b\n"
19251 +                      "       .long 7b,100b\n"
19252 +                      "       .long 8b,100b\n"
19253 +                      "       .long 9b,100b\n"
19254 +                      "       .long 10b,100b\n"
19255 +                      "       .long 11b,100b\n"
19256 +                      "       .long 12b,100b\n"
19257 +                      "       .long 13b,100b\n"
19258 +                      "       .long 14b,100b\n"
19259 +                      "       .long 15b,100b\n"
19260 +                      "       .long 16b,100b\n"
19261 +                      "       .long 17b,100b\n"
19262 +                      "       .long 18b,100b\n"
19263 +                      "       .long 19b,100b\n"
19264 +                      "       .long 20b,100b\n"
19265 +                      "       .long 21b,100b\n"
19266 +                      "       .long 22b,100b\n"
19267 +                      "       .long 23b,100b\n"
19268 +                      "       .long 24b,100b\n"
19269 +                      "       .long 25b,100b\n"
19270 +                      "       .long 26b,100b\n"
19271 +                      "       .long 27b,100b\n"
19272 +                      "       .long 28b,100b\n"
19273 +                      "       .long 29b,100b\n"
19274 +                      "       .long 30b,100b\n"
19275 +                      "       .long 31b,100b\n"
19276 +                      "       .long 32b,100b\n"
19277 +                      "       .long 33b,100b\n"
19278 +                      "       .long 34b,100b\n"
19279 +                      "       .long 35b,100b\n"
19280 +                      "       .long 36b,100b\n"
19281 +                      "       .long 37b,100b\n"
19282 +                      "       .long 99b,101b\n"
19283 +                      ".previous"
19284 +                      : "=&c"(size), "=&D" (d0), "=&S" (d1)
19285 +                      :  "1"(to), "2"(from), "0"(size)
19286 +                      : "eax", "edx", "memory");
19287 +       return size;
19288 +}
19289 +
19290 +static unsigned long
19291 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
19292 +{
19293 +       int d0, d1;
19294 +       __asm__ __volatile__(
19295 +                      "       .align 2,0x90\n"
19296 +                      "1:     "__copyuser_seg" movl 32(%4), %%eax\n"
19297 +                      "       cmpl $67, %0\n"
19298 +                      "       jbe 3f\n"
19299 +                      "2:     "__copyuser_seg" movl 64(%4), %%eax\n"
19300 +                      "       .align 2,0x90\n"
19301 +                      "3:     "__copyuser_seg" movl 0(%4), %%eax\n"
19302 +                      "4:     "__copyuser_seg" movl 4(%4), %%edx\n"
19303 +                      "5:     movl %%eax, 0(%3)\n"
19304 +                      "6:     movl %%edx, 4(%3)\n"
19305 +                      "7:     "__copyuser_seg" movl 8(%4), %%eax\n"
19306 +                      "8:     "__copyuser_seg" movl 12(%4),%%edx\n"
19307 +                      "9:     movl %%eax, 8(%3)\n"
19308 +                      "10:    movl %%edx, 12(%3)\n"
19309 +                      "11:    "__copyuser_seg" movl 16(%4), %%eax\n"
19310 +                      "12:    "__copyuser_seg" movl 20(%4), %%edx\n"
19311 +                      "13:    movl %%eax, 16(%3)\n"
19312 +                      "14:    movl %%edx, 20(%3)\n"
19313 +                      "15:    "__copyuser_seg" movl 24(%4), %%eax\n"
19314 +                      "16:    "__copyuser_seg" movl 28(%4), %%edx\n"
19315 +                      "17:    movl %%eax, 24(%3)\n"
19316 +                      "18:    movl %%edx, 28(%3)\n"
19317 +                      "19:    "__copyuser_seg" movl 32(%4), %%eax\n"
19318 +                      "20:    "__copyuser_seg" movl 36(%4), %%edx\n"
19319 +                      "21:    movl %%eax, 32(%3)\n"
19320 +                      "22:    movl %%edx, 36(%3)\n"
19321 +                      "23:    "__copyuser_seg" movl 40(%4), %%eax\n"
19322 +                      "24:    "__copyuser_seg" movl 44(%4), %%edx\n"
19323 +                      "25:    movl %%eax, 40(%3)\n"
19324 +                      "26:    movl %%edx, 44(%3)\n"
19325 +                      "27:    "__copyuser_seg" movl 48(%4), %%eax\n"
19326 +                      "28:    "__copyuser_seg" movl 52(%4), %%edx\n"
19327 +                      "29:    movl %%eax, 48(%3)\n"
19328 +                      "30:    movl %%edx, 52(%3)\n"
19329 +                      "31:    "__copyuser_seg" movl 56(%4), %%eax\n"
19330 +                      "32:    "__copyuser_seg" movl 60(%4), %%edx\n"
19331 +                      "33:    movl %%eax, 56(%3)\n"
19332 +                      "34:    movl %%edx, 60(%3)\n"
19333 +                      "       addl $-64, %0\n"
19334 +                      "       addl $64, %4\n"
19335 +                      "       addl $64, %3\n"
19336 +                      "       cmpl $63, %0\n"
19337 +                      "       ja  1b\n"
19338 +                      "35:    movl  %0, %%eax\n"
19339 +                      "       shrl  $2, %0\n"
19340 +                      "       andl  $3, %%eax\n"
19341 +                      "       cld\n"
19342 +                      "99:    rep; "__copyuser_seg" movsl\n"
19343 +                      "36:    movl %%eax, %0\n"
19344 +                      "37:    rep; "__copyuser_seg" movsb\n"
19345 +                      "100:\n"
19346                        ".section .fixup,\"ax\"\n"
19347                        "101:   lea 0(%%eax,%0,4),%0\n"
19348                        "       jmp 100b\n"
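Review bot: The new `__generic_copy_from_user_intel` has no comment explaining how it differs from the to-user sibling directly above it, and the difference is the whole point of the split: with the user side as the source, the segment override goes on the `movl ... (%4)` loads and on the `rep; movsl`/`movsb` string moves, whereas the to-user variant has to bracket its string moves with `__COPYUSER_SET_ES`/`__COPYUSER_RESTORE_ES` because a segment prefix cannot redirect the string destination. A header comment such as `/* Non-zeroing from-user copy: the user source is reached through __copyuser_seg, stores to the kernel destination carry no override; returns the count left in size on a fault */` would save the next reader that comparison, and the same return-value note is missing on the to-user function. No zero-fill is visible in the fixup that follows, which presumably is deliberate given the `_nozero` callers later in the file, but it deserves stating. Both function bodies extend beyond this hunk (the to-user prologue precedes it, the from-user exception table follows it).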
19349 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
19350         int d0, d1;
19351         __asm__ __volatile__(
19352                        "        .align 2,0x90\n"
19353 -                      "0:      movl 32(%4), %%eax\n"
19354 +                      "0:      "__copyuser_seg" movl 32(%4), %%eax\n"
19355                        "        cmpl $67, %0\n"
19356                        "        jbe 2f\n"
19357 -                      "1:      movl 64(%4), %%eax\n"
19358 +                      "1:      "__copyuser_seg" movl 64(%4), %%eax\n"
19359                        "        .align 2,0x90\n"
19360 -                      "2:      movl 0(%4), %%eax\n"
19361 -                      "21:     movl 4(%4), %%edx\n"
19362 +                      "2:      "__copyuser_seg" movl 0(%4), %%eax\n"
19363 +                      "21:     "__copyuser_seg" movl 4(%4), %%edx\n"
19364                        "        movl %%eax, 0(%3)\n"
19365                        "        movl %%edx, 4(%3)\n"
19366 -                      "3:      movl 8(%4), %%eax\n"
19367 -                      "31:     movl 12(%4),%%edx\n"
19368 +                      "3:      "__copyuser_seg" movl 8(%4), %%eax\n"
19369 +                      "31:     "__copyuser_seg" movl 12(%4),%%edx\n"
19370                        "        movl %%eax, 8(%3)\n"
19371                        "        movl %%edx, 12(%3)\n"
19372 -                      "4:      movl 16(%4), %%eax\n"
19373 -                      "41:     movl 20(%4), %%edx\n"
19374 +                      "4:      "__copyuser_seg" movl 16(%4), %%eax\n"
19375 +                      "41:     "__copyuser_seg" movl 20(%4), %%edx\n"
19376                        "        movl %%eax, 16(%3)\n"
19377                        "        movl %%edx, 20(%3)\n"
19378 -                      "10:     movl 24(%4), %%eax\n"
19379 -                      "51:     movl 28(%4), %%edx\n"
19380 +                      "10:     "__copyuser_seg" movl 24(%4), %%eax\n"
19381 +                      "51:     "__copyuser_seg" movl 28(%4), %%edx\n"
19382                        "        movl %%eax, 24(%3)\n"
19383                        "        movl %%edx, 28(%3)\n"
19384 -                      "11:     movl 32(%4), %%eax\n"
19385 -                      "61:     movl 36(%4), %%edx\n"
19386 +                      "11:     "__copyuser_seg" movl 32(%4), %%eax\n"
19387 +                      "61:     "__copyuser_seg" movl 36(%4), %%edx\n"
19388                        "        movl %%eax, 32(%3)\n"
19389                        "        movl %%edx, 36(%3)\n"
19390 -                      "12:     movl 40(%4), %%eax\n"
19391 -                      "71:     movl 44(%4), %%edx\n"
19392 +                      "12:     "__copyuser_seg" movl 40(%4), %%eax\n"
19393 +                      "71:     "__copyuser_seg" movl 44(%4), %%edx\n"
19394                        "        movl %%eax, 40(%3)\n"
19395                        "        movl %%edx, 44(%3)\n"
19396 -                      "13:     movl 48(%4), %%eax\n"
19397 -                      "81:     movl 52(%4), %%edx\n"
19398 +                      "13:     "__copyuser_seg" movl 48(%4), %%eax\n"
19399 +                      "81:     "__copyuser_seg" movl 52(%4), %%edx\n"
19400                        "        movl %%eax, 48(%3)\n"
19401                        "        movl %%edx, 52(%3)\n"
19402 -                      "14:     movl 56(%4), %%eax\n"
19403 -                      "91:     movl 60(%4), %%edx\n"
19404 +                      "14:     "__copyuser_seg" movl 56(%4), %%eax\n"
19405 +                      "91:     "__copyuser_seg" movl 60(%4), %%edx\n"
19406                        "        movl %%eax, 56(%3)\n"
19407                        "        movl %%edx, 60(%3)\n"
19408                        "        addl $-64, %0\n"
19409 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
19410                        "        shrl  $2, %0\n"
19411                        "        andl $3, %%eax\n"
19412                        "        cld\n"
19413 -                      "6:      rep; movsl\n"
19414 +                      "6:      rep; "__copyuser_seg" movsl\n"
19415                        "        movl %%eax,%0\n"
19416 -                      "7:      rep; movsb\n"
19417 +                      "7:      rep; "__copyuser_seg" movsb\n"
19418                        "8:\n"
19419                        ".section .fixup,\"ax\"\n"
19420                        "9:      lea 0(%%eax,%0,4),%0\n"
19421 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
19422  
19423         __asm__ __volatile__(
19424                "        .align 2,0x90\n"
19425 -              "0:      movl 32(%4), %%eax\n"
19426 +              "0:      "__copyuser_seg" movl 32(%4), %%eax\n"
19427                "        cmpl $67, %0\n"
19428                "        jbe 2f\n"
19429 -              "1:      movl 64(%4), %%eax\n"
19430 +              "1:      "__copyuser_seg" movl 64(%4), %%eax\n"
19431                "        .align 2,0x90\n"
19432 -              "2:      movl 0(%4), %%eax\n"
19433 -              "21:     movl 4(%4), %%edx\n"
19434 +              "2:      "__copyuser_seg" movl 0(%4), %%eax\n"
19435 +              "21:     "__copyuser_seg" movl 4(%4), %%edx\n"
19436                "        movnti %%eax, 0(%3)\n"
19437                "        movnti %%edx, 4(%3)\n"
19438 -              "3:      movl 8(%4), %%eax\n"
19439 -              "31:     movl 12(%4),%%edx\n"
19440 +              "3:      "__copyuser_seg" movl 8(%4), %%eax\n"
19441 +              "31:     "__copyuser_seg" movl 12(%4),%%edx\n"
19442                "        movnti %%eax, 8(%3)\n"
19443                "        movnti %%edx, 12(%3)\n"
19444 -              "4:      movl 16(%4), %%eax\n"
19445 -              "41:     movl 20(%4), %%edx\n"
19446 +              "4:      "__copyuser_seg" movl 16(%4), %%eax\n"
19447 +              "41:     "__copyuser_seg" movl 20(%4), %%edx\n"
19448                "        movnti %%eax, 16(%3)\n"
19449                "        movnti %%edx, 20(%3)\n"
19450 -              "10:     movl 24(%4), %%eax\n"
19451 -              "51:     movl 28(%4), %%edx\n"
19452 +              "10:     "__copyuser_seg" movl 24(%4), %%eax\n"
19453 +              "51:     "__copyuser_seg" movl 28(%4), %%edx\n"
19454                "        movnti %%eax, 24(%3)\n"
19455                "        movnti %%edx, 28(%3)\n"
19456 -              "11:     movl 32(%4), %%eax\n"
19457 -              "61:     movl 36(%4), %%edx\n"
19458 +              "11:     "__copyuser_seg" movl 32(%4), %%eax\n"
19459 +              "61:     "__copyuser_seg" movl 36(%4), %%edx\n"
19460                "        movnti %%eax, 32(%3)\n"
19461                "        movnti %%edx, 36(%3)\n"
19462 -              "12:     movl 40(%4), %%eax\n"
19463 -              "71:     movl 44(%4), %%edx\n"
19464 +              "12:     "__copyuser_seg" movl 40(%4), %%eax\n"
19465 +              "71:     "__copyuser_seg" movl 44(%4), %%edx\n"
19466                "        movnti %%eax, 40(%3)\n"
19467                "        movnti %%edx, 44(%3)\n"
19468 -              "13:     movl 48(%4), %%eax\n"
19469 -              "81:     movl 52(%4), %%edx\n"
19470 +              "13:     "__copyuser_seg" movl 48(%4), %%eax\n"
19471 +              "81:     "__copyuser_seg" movl 52(%4), %%edx\n"
19472                "        movnti %%eax, 48(%3)\n"
19473                "        movnti %%edx, 52(%3)\n"
19474 -              "14:     movl 56(%4), %%eax\n"
19475 -              "91:     movl 60(%4), %%edx\n"
19476 +              "14:     "__copyuser_seg" movl 56(%4), %%eax\n"
19477 +              "91:     "__copyuser_seg" movl 60(%4), %%edx\n"
19478                "        movnti %%eax, 56(%3)\n"
19479                "        movnti %%edx, 60(%3)\n"
19480                "        addl $-64, %0\n"
19481 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
19482                "        shrl  $2, %0\n"
19483                "        andl $3, %%eax\n"
19484                "        cld\n"
19485 -              "6:      rep; movsl\n"
19486 +              "6:      rep; "__copyuser_seg" movsl\n"
19487                "        movl %%eax,%0\n"
19488 -              "7:      rep; movsb\n"
19489 +              "7:      rep; "__copyuser_seg" movsb\n"
19490                "8:\n"
19491                ".section .fixup,\"ax\"\n"
19492                "9:      lea 0(%%eax,%0,4),%0\n"
19493 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
19494  
19495         __asm__ __volatile__(
19496                "        .align 2,0x90\n"
19497 -              "0:      movl 32(%4), %%eax\n"
19498 +              "0:      "__copyuser_seg" movl 32(%4), %%eax\n"
19499                "        cmpl $67, %0\n"
19500                "        jbe 2f\n"
19501 -              "1:      movl 64(%4), %%eax\n"
19502 +              "1:      "__copyuser_seg" movl 64(%4), %%eax\n"
19503                "        .align 2,0x90\n"
19504 -              "2:      movl 0(%4), %%eax\n"
19505 -              "21:     movl 4(%4), %%edx\n"
19506 +              "2:      "__copyuser_seg" movl 0(%4), %%eax\n"
19507 +              "21:     "__copyuser_seg" movl 4(%4), %%edx\n"
19508                "        movnti %%eax, 0(%3)\n"
19509                "        movnti %%edx, 4(%3)\n"
19510 -              "3:      movl 8(%4), %%eax\n"
19511 -              "31:     movl 12(%4),%%edx\n"
19512 +              "3:      "__copyuser_seg" movl 8(%4), %%eax\n"
19513 +              "31:     "__copyuser_seg" movl 12(%4),%%edx\n"
19514                "        movnti %%eax, 8(%3)\n"
19515                "        movnti %%edx, 12(%3)\n"
19516 -              "4:      movl 16(%4), %%eax\n"
19517 -              "41:     movl 20(%4), %%edx\n"
19518 +              "4:      "__copyuser_seg" movl 16(%4), %%eax\n"
19519 +              "41:     "__copyuser_seg" movl 20(%4), %%edx\n"
19520                "        movnti %%eax, 16(%3)\n"
19521                "        movnti %%edx, 20(%3)\n"
19522 -              "10:     movl 24(%4), %%eax\n"
19523 -              "51:     movl 28(%4), %%edx\n"
19524 +              "10:     "__copyuser_seg" movl 24(%4), %%eax\n"
19525 +              "51:     "__copyuser_seg" movl 28(%4), %%edx\n"
19526                "        movnti %%eax, 24(%3)\n"
19527                "        movnti %%edx, 28(%3)\n"
19528 -              "11:     movl 32(%4), %%eax\n"
19529 -              "61:     movl 36(%4), %%edx\n"
19530 +              "11:     "__copyuser_seg" movl 32(%4), %%eax\n"
19531 +              "61:     "__copyuser_seg" movl 36(%4), %%edx\n"
19532                "        movnti %%eax, 32(%3)\n"
19533                "        movnti %%edx, 36(%3)\n"
19534 -              "12:     movl 40(%4), %%eax\n"
19535 -              "71:     movl 44(%4), %%edx\n"
19536 +              "12:     "__copyuser_seg" movl 40(%4), %%eax\n"
19537 +              "71:     "__copyuser_seg" movl 44(%4), %%edx\n"
19538                "        movnti %%eax, 40(%3)\n"
19539                "        movnti %%edx, 44(%3)\n"
19540 -              "13:     movl 48(%4), %%eax\n"
19541 -              "81:     movl 52(%4), %%edx\n"
19542 +              "13:     "__copyuser_seg" movl 48(%4), %%eax\n"
19543 +              "81:     "__copyuser_seg" movl 52(%4), %%edx\n"
19544                "        movnti %%eax, 48(%3)\n"
19545                "        movnti %%edx, 52(%3)\n"
19546 -              "14:     movl 56(%4), %%eax\n"
19547 -              "91:     movl 60(%4), %%edx\n"
19548 +              "14:     "__copyuser_seg" movl 56(%4), %%eax\n"
19549 +              "91:     "__copyuser_seg" movl 60(%4), %%edx\n"
19550                "        movnti %%eax, 56(%3)\n"
19551                "        movnti %%edx, 60(%3)\n"
19552                "        addl $-64, %0\n"
19553 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
19554                "        shrl  $2, %0\n"
19555                "        andl $3, %%eax\n"
19556                "        cld\n"
19557 -              "6:      rep; movsl\n"
19558 +              "6:      rep; "__copyuser_seg" movsl\n"
19559                "        movl %%eax,%0\n"
19560 -              "7:      rep; movsb\n"
19561 +              "7:      rep; "__copyuser_seg" movsb\n"
19562                "8:\n"
19563                ".section .fixup,\"ax\"\n"
19564                "9:      lea 0(%%eax,%0,4),%0\n"
19565 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
19566   */
19567  unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
19568                                         unsigned long size);
19569 -unsigned long __copy_user_intel(void __user *to, const void *from,
19570 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
19571 +                                       unsigned long size);
19572 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
19573                                         unsigned long size);
19574  unsigned long __copy_user_zeroing_intel_nocache(void *to,
19575                                 const void __user *from, unsigned long size);
19576  #endif /* CONFIG_X86_INTEL_USERCOPY */
19577  
19578  /* Generic arbitrary sized copy.  */
19579 -#define __copy_user(to, from, size)                                    \
19580 +#define __copy_user(to, from, size, prefix, set, restore)              \
19581  do {                                                                   \
19582         int __d0, __d1, __d2;                                           \
19583         __asm__ __volatile__(                                           \
19584 +               set                                                     \
19585                 "       cmp  $7,%0\n"                                   \
19586                 "       jbe  1f\n"                                      \
19587                 "       movl %1,%0\n"                                   \
19588                 "       negl %0\n"                                      \
19589                 "       andl $7,%0\n"                                   \
19590                 "       subl %0,%3\n"                                   \
19591 -               "4:     rep; movsb\n"                                   \
19592 +               "4:     rep; "prefix"movsb\n"                           \
19593                 "       movl %3,%0\n"                                   \
19594                 "       shrl $2,%0\n"                                   \
19595                 "       andl $3,%3\n"                                   \
19596                 "       .align 2,0x90\n"                                \
19597 -               "0:     rep; movsl\n"                                   \
19598 +               "0:     rep; "prefix"movsl\n"                           \
19599                 "       movl %3,%0\n"                                   \
19600 -               "1:     rep; movsb\n"                                   \
19601 +               "1:     rep; "prefix"movsb\n"                           \
19602                 "2:\n"                                                  \
19603 +               restore                                                 \
19604                 ".section .fixup,\"ax\"\n"                              \
19605                 "5:     addl %3,%0\n"                                   \
19606                 "       jmp 2b\n"                                       \
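Review bot: The three new `__copy_user` parameters `prefix`, `set` and `restore` are undocumented, and their roles can only be recovered from the call sites later in the file (`""`, `__COPYUSER_SET_ES`, `__COPYUSER_RESTORE_ES` on the to-user path; `__copyuser_seg`, `""`, `""` on the from-user paths). A comment above the `#define`, e.g. `/* prefix: segment override spliced before the rep movs (affects the source side only); set/restore: asm fragments emitted before and after the copy to point ES at a user-space destination */`, would make that contract explicit. Note also that the prefix is spliced as `"prefix"movsb` with no separator, while the open-coded functions write `"__copyuser_seg" movsl` with a space; unless `__copyuser_seg` ends in its own separator the two spellings are not equivalent, so one form should be used throughout, including the sibling macro in the next hunk. The macro body continues past the end of this hunk.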
19607 @@ -682,14 +799,14 @@ do {                                                                      \
19608                 "       negl %0\n"                                      \
19609                 "       andl $7,%0\n"                                   \
19610                 "       subl %0,%3\n"                                   \
19611 -               "4:     rep; movsb\n"                                   \
19612 +               "4:     rep; "__copyuser_seg"movsb\n"                   \
19613                 "       movl %3,%0\n"                                   \
19614                 "       shrl $2,%0\n"                                   \
19615                 "       andl $3,%3\n"                                   \
19616                 "       .align 2,0x90\n"                                \
19617 -               "0:     rep; movsl\n"                                   \
19618 +               "0:     rep; "__copyuser_seg"movsl\n"                   \
19619                 "       movl %3,%0\n"                                   \
19620 -               "1:     rep; movsb\n"                                   \
19621 +               "1:     rep; "__copyuser_seg"movsb\n"                   \
19622                 "2:\n"                                                  \
19623                 ".section .fixup,\"ax\"\n"                              \
19624                 "5:     addl %3,%0\n"                                   \
19625 @@ -775,9 +892,9 @@ survive:
19626         }
19627  #endif
19628         if (movsl_is_ok(to, from, n))
19629 -               __copy_user(to, from, n);
19630 +               __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
19631         else
19632 -               n = __copy_user_intel(to, from, n);
19633 +               n = __generic_copy_to_user_intel(to, from, n);
19634         return n;
19635  }
19636  EXPORT_SYMBOL(__copy_to_user_ll);
19637 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
19638                                          unsigned long n)
19639  {
19640         if (movsl_is_ok(to, from, n))
19641 -               __copy_user(to, from, n);
19642 +               __copy_user(to, from, n, __copyuser_seg, "", "");
19643         else
19644 -               n = __copy_user_intel((void __user *)to,
19645 -                                     (const void *)from, n);
19646 +               n = __generic_copy_from_user_intel(to, from, n);
19647         return n;
19648  }
19649  EXPORT_SYMBOL(__copy_from_user_ll_nozero);
19650 @@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocach
19651         if (n > 64 && cpu_has_xmm2)
19652                 n = __copy_user_intel_nocache(to, from, n);
19653         else
19654 -               __copy_user(to, from, n);
19655 +               __copy_user(to, from, n, __copyuser_seg, "", "");
19656  #else
19657 -       __copy_user(to, from, n);
19658 +       __copy_user(to, from, n, __copyuser_seg, "", "");
19659  #endif
19660         return n;
19661  }
19662  EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
19663  
19664 -/**
19665 - * copy_to_user: - Copy a block of data into user space.
19666 - * @to:   Destination address, in user space.
19667 - * @from: Source address, in kernel space.
19668 - * @n:    Number of bytes to copy.
19669 - *
19670 - * Context: User context only.  This function may sleep.
19671 - *
19672 - * Copy data from kernel space to user space.
19673 - *
19674 - * Returns number of bytes that could not be copied.
19675 - * On success, this will be zero.
19676 - */
19677 -unsigned long
19678 -copy_to_user(void __user *to, const void *from, unsigned long n)
19679 +void copy_from_user_overflow(void)
19680  {
19681 -       if (access_ok(VERIFY_WRITE, to, n))
19682 -               n = __copy_to_user(to, from, n);
19683 -       return n;
19684 +       WARN(1, "Buffer overflow detected!\n");
19685  }
19686 -EXPORT_SYMBOL(copy_to_user);
19687 +EXPORT_SYMBOL(copy_from_user_overflow);
19688  
19689 -/**
19690 - * copy_from_user: - Copy a block of data from user space.
19691 - * @to:   Destination address, in kernel space.
19692 - * @from: Source address, in user space.
19693 - * @n:    Number of bytes to copy.
19694 - *
19695 - * Context: User context only.  This function may sleep.
19696 - *
19697 - * Copy data from user space to kernel space.
19698 - *
19699 - * Returns number of bytes that could not be copied.
19700 - * On success, this will be zero.
19701 - *
19702 - * If some data could not be copied, this function will pad the copied
19703 - * data to the requested size using zero bytes.
19704 - */
19705 -unsigned long
19706 -_copy_from_user(void *to, const void __user *from, unsigned long n)
19707 +void copy_to_user_overflow(void)
19708  {
19709 -       if (access_ok(VERIFY_READ, from, n))
19710 -               n = __copy_from_user(to, from, n);
19711 -       else
19712 -               memset(to, 0, n);
19713 -       return n;
19714 +       WARN(1, "Buffer overflow detected!\n");
19715  }
19716 -EXPORT_SYMBOL(_copy_from_user);
19717 +EXPORT_SYMBOL(copy_to_user_overflow);
19718  
19719 -void copy_from_user_overflow(void)
19720 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19721 +void __set_fs(mm_segment_t x)
19722  {
19723 -       WARN(1, "Buffer overflow detected!\n");
19724 +       switch (x.seg) {
19725 +       case 0:
19726 +               loadsegment(gs, 0);
19727 +               break;
19728 +       case TASK_SIZE_MAX:
19729 +               loadsegment(gs, __USER_DS);
19730 +               break;
19731 +       case -1UL:
19732 +               loadsegment(gs, __KERNEL_DS);
19733 +               break;
19734 +       default:
19735 +               BUG();
19736 +       }
19737 +       return;
19738  }
19739 -EXPORT_SYMBOL(copy_from_user_overflow);
19740 +EXPORT_SYMBOL(__set_fs);
19741 +
19742 +void set_fs(mm_segment_t x)
19743 +{
19744 +       current_thread_info()->addr_limit = x;
19745 +       __set_fs(x);
19746 +}
19747 +EXPORT_SYMBOL(set_fs);
19748 +#endif
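Review bot: `__set_fs` switches on `x.seg` with the bare values `0`, `TASK_SIZE_MAX` and `-1UL`, and the `case 0` arm has no named counterpart anywhere in the hunk; a short comment per arm stating which addr_limit state each value denotes (e.g. `/* -1UL: KERNEL_DS, whole address space */`, `/* TASK_SIZE_MAX: USER_DS */`, and whatever 0 stands for) would let a reviewer verify the mapping to the `loadsegment(gs, ...)` selectors, and the trailing `return;` in a void function can simply be dropped. Separately, this hunk deletes `copy_to_user` and `_copy_from_user` together with their kernel-doc and their `access_ok` / `memset(to, 0, n)` failure handling; the replacement definitions are not in this diff, so it is worth confirming that wherever they now live the zero-fill on a failed read and the documentation moved with them.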
19749 diff -urNp linux-3.1.1/arch/x86/lib/usercopy_64.c linux-3.1.1/arch/x86/lib/usercopy_64.c
19750 --- linux-3.1.1/arch/x86/lib/usercopy_64.c      2011-11-11 15:19:27.000000000 -0500
19751 +++ linux-3.1.1/arch/x86/lib/usercopy_64.c      2011-11-16 18:39:07.000000000 -0500
19752 @@ -42,6 +42,12 @@ long
19753  __strncpy_from_user(char *dst, const char __user *src, long count)
19754  {
19755         long res;
19756 +
19757 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19758 +       if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19759 +               src += PAX_USER_SHADOW_BASE;
19760 +#endif
19761 +
19762         __do_strncpy_from_user(dst, src, count, res);
19763         return res;
19764  }
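Review bot: The relocation `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is open-coded here and repeated verbatim for `addr` in `__clear_user` and for `to`/`from` in `copy_in_user` in the following two hunks; a small `static inline` helper (or macro) under the same `#ifdef` would keep the copies from drifting. A one-line comment on what the relocation does would also help, since the page gives no definition of `PAX_USER_SHADOW_BASE`; presumably pointers below it are user addresses being redirected into the shadow mapping, and that is worth stating because `__strncpy_from_user` and `__clear_user` perform no `access_ok` of their own and rely on the caller having validated the unrelocated pointer. In `copy_in_user` the relocation is placed after the `access_ok` checks on the original pointers, which is the right order.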
19765 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
19766  {
19767         long __d0;
19768         might_fault();
19769 +
19770 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19771 +       if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
19772 +               addr += PAX_USER_SHADOW_BASE;
19773 +#endif
19774 +
19775         /* no memory constraint because it doesn't change any memory gcc knows
19776            about */
19777         asm volatile(
19778 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
19779  
19780  unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
19781  {
19782 -       if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) { 
19783 -               return copy_user_generic((__force void *)to, (__force void *)from, len);
19784 -       } 
19785 -       return len;             
19786 +       if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
19787 +
19788 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19789 +               if ((unsigned long)to < PAX_USER_SHADOW_BASE)
19790 +                       to += PAX_USER_SHADOW_BASE;
19791 +               if ((unsigned long)from < PAX_USER_SHADOW_BASE)
19792 +                       from += PAX_USER_SHADOW_BASE;
19793 +#endif
19794 +
19795 +               return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
19796 +       }
19797 +       return len;
19798  }
19799  EXPORT_SYMBOL(copy_in_user);
19800  
19801 @@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
19802   * it is not necessary to optimize tail handling.
19803   */
19804  unsigned long
19805 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
19806 +copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest)
19807  {
19808         char c;
19809         unsigned zero_len;
19810 diff -urNp linux-3.1.1/arch/x86/Makefile linux-3.1.1/arch/x86/Makefile
19811 --- linux-3.1.1/arch/x86/Makefile       2011-11-11 15:19:27.000000000 -0500
19812 +++ linux-3.1.1/arch/x86/Makefile       2011-11-16 18:40:08.000000000 -0500
19813 @@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y)
19814  else
19815          BITS := 64
19816          UTS_MACHINE := x86_64
19817 +        biarch := $(call cc-option,-m64)
19818          CHECKFLAGS += -D__x86_64__ -m64
19819  
19820          KBUILD_AFLAGS += -m64
19821 @@ -195,3 +196,12 @@ define archhelp
19822    echo  '                  FDARGS="..."  arguments for the booted kernel'
19823    echo  '                  FDINITRD=file initrd for the booted kernel'
19824  endef
19825 +
19826 +define OLD_LD
19827 +
19828 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
19829 +*** Please upgrade your binutils to 2.18 or newer
19830 +endef
19831 +
19832 +archprepare:
19833 +       $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
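Review bot: The `archprepare` gate tests `$(LDFLAGS_BUILD_ID)` while the `OLD_LD` message tells the user to upgrade binutils to 2.18 or newer, and nothing in the hunk states the connection between the two. A comment above `define OLD_LD`, e.g. `# ld support for --build-id (LDFLAGS_BUILD_ID) is used as the proxy for binutils >= 2.18`, would explain why an unrelated-looking variable aborts the build. It is also worth confirming that `LDFLAGS_BUILD_ID` is assigned before this rule is evaluated, as the rule is appended at the very end of the Makefile.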
19834 diff -urNp linux-3.1.1/arch/x86/mm/extable.c linux-3.1.1/arch/x86/mm/extable.c
19835 --- linux-3.1.1/arch/x86/mm/extable.c   2011-11-11 15:19:27.000000000 -0500
19836 +++ linux-3.1.1/arch/x86/mm/extable.c   2011-11-16 18:39:07.000000000 -0500
19837 @@ -8,7 +8,7 @@ int fixup_exception(struct pt_regs *regs
19838         const struct exception_table_entry *fixup;
19839  
19840  #ifdef CONFIG_PNPBIOS
19841 -       if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
19842 +       if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
19843                 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
19844                 extern u32 pnp_bios_is_utter_crap;
19845                 pnp_bios_is_utter_crap = 1;
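Review bot: The added `!v8086_mode(regs)` guard deserves a one-line why-comment: SEGMENT_IS_PNP_CODE() inspects selector bits of regs->cs, and in vm86 mode cs holds a real-mode segment value rather than a selector, so without the guard the test is meaningless for vm86 frames. Suggest `/* in vm86 mode cs is a real-mode segment, not a selector: never PnP BIOS code */` above the `if`. fixup_exception()'s body continues outside the hunk.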
19846 diff -urNp linux-3.1.1/arch/x86/mm/fault.c linux-3.1.1/arch/x86/mm/fault.c
19847 --- linux-3.1.1/arch/x86/mm/fault.c     2011-11-11 15:19:27.000000000 -0500
19848 +++ linux-3.1.1/arch/x86/mm/fault.c     2011-11-16 20:43:50.000000000 -0500
19849 @@ -13,11 +13,18 @@
19850  #include <linux/perf_event.h>          /* perf_sw_event                */
19851  #include <linux/hugetlb.h>             /* hstate_index_to_shift        */
19852  #include <linux/prefetch.h>            /* prefetchw                    */
19853 +#include <linux/unistd.h>
19854 +#include <linux/compiler.h>
19855  
19856  #include <asm/traps.h>                 /* dotraplinkage, ...           */
19857  #include <asm/pgalloc.h>               /* pgd_*(), ...                 */
19858  #include <asm/kmemcheck.h>             /* kmemcheck_*(), ...           */
19859  #include <asm/vsyscall.h>
19860 +#include <asm/tlbflush.h>
19861 +
19862 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19863 +#include <asm/stacktrace.h>
19864 +#endif
19865  
19866  /*
19867   * Page fault error code bits:
19868 @@ -55,7 +62,7 @@ static inline int __kprobes notify_page_
19869         int ret = 0;
19870  
19871         /* kprobe_running() needs smp_processor_id() */
19872 -       if (kprobes_built_in() && !user_mode_vm(regs)) {
19873 +       if (kprobes_built_in() && !user_mode(regs)) {
19874                 preempt_disable();
19875                 if (kprobe_running() && kprobe_fault_handler(regs, 14))
19876                         ret = 1;
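Review bot: Replacing user_mode_vm() with user_mode() in notify_page_fault() (and again on the `if (user_mode(regs))` line of do_page_fault in a later hunk of this file) only preserves behavior for 32-bit vm86 faults if this patch also redefines user_mode() to account for VM_MASK, which is not visible here; with the mainline definition, which looks at the cs RPL alone, a vm86 frame can be misclassified as kernel mode and the kprobes handler would then be consulted for a user fault. Confirm the ptrace.h side of the patch, and if it does widen user_mode(), a short comment at this first use, `/* user_mode() covers vm86 frames as well in this tree */`, would spare the next reader the same check.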
19877 @@ -116,7 +123,10 @@ check_prefetch_opcode(struct pt_regs *re
19878                 return !instr_lo || (instr_lo>>1) == 1;
19879         case 0x00:
19880                 /* Prefetch instruction is 0x0F0D or 0x0F18 */
19881 -               if (probe_kernel_address(instr, opcode))
19882 +               if (user_mode(regs)) {
19883 +                       if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
19884 +                               return 0;
19885 +               } else if (probe_kernel_address(instr, opcode))
19886                         return 0;
19887  
19888                 *prefetch = (instr_lo == 0xF) &&
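Review bot: The new user-mode branch reads the opcode with `__copy_from_user_inatomic()`, which performs no access_ok() range check, while `instr` is derived from regs->ip, a value user space controls; a user-mode fault whose instruction pointer lies outside the user range would thus have a byte read from a kernel address and the fault classified by its value (the mainline probe_kernel_address() path had the same weakness, but the new code is the place to close it). The same pattern is repeated in the is_prefetch() loop in the next hunk. Use a range-checked read for the user case, `if (get_user(opcode, (unsigned char __user *)instr)) return 0;` here and the `break;` form in is_prefetch(), or add an explicit `access_ok(VERIFY_READ, instr, 1)` before the copy. check_prefetch_opcode()'s enclosing switch continues outside the hunk.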
19889 @@ -150,7 +160,10 @@ is_prefetch(struct pt_regs *regs, unsign
19890         while (instr < max_instr) {
19891                 unsigned char opcode;
19892  
19893 -               if (probe_kernel_address(instr, opcode))
19894 +               if (user_mode(regs)) {
19895 +                       if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
19896 +                               break;
19897 +               } else if (probe_kernel_address(instr, opcode))
19898                         break;
19899  
19900                 instr++;
19901 @@ -181,6 +194,34 @@ force_sig_info_fault(int si_signo, int s
19902         force_sig_info(si_signo, &info, tsk);
19903  }
19904  
19905 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19906 +static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address);
19907 +#endif
19908 +
19909 +#ifdef CONFIG_PAX_EMUTRAMP
19910 +static int pax_handle_fetch_fault(struct pt_regs *regs);
19911 +#endif
19912 +
19913 +#ifdef CONFIG_PAX_PAGEEXEC
19914 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
19915 +{
19916 +       pgd_t *pgd;
19917 +       pud_t *pud;
19918 +       pmd_t *pmd;
19919 +
19920 +       pgd = pgd_offset(mm, address);
19921 +       if (!pgd_present(*pgd))
19922 +               return NULL;
19923 +       pud = pud_offset(pgd, address);
19924 +       if (!pud_present(*pud))
19925 +               return NULL;
19926 +       pmd = pmd_offset(pud, address);
19927 +       if (!pmd_present(*pmd))
19928 +               return NULL;
19929 +       return pmd;
19930 +}
19931 +#endif
19932 +
19933  DEFINE_SPINLOCK(pgd_lock);
19934  LIST_HEAD(pgd_list);
19935  
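Review bot: pax_get_pmd() has no header comment and its contract is only implicit in the body: it returns the pmd entry covering `address` in `mm` only when the pgd, pud and pmd levels are all present, and NULL otherwise. It does not distinguish a present huge pmd from a pointer to a pte table, so a caller that hands the result to pte_offset_map_lock() has to rule that out itself, which is worth stating. Suggest `/* PaX: walk mm's page tables to the pmd covering address; NULL if any level is absent. Does not check for a huge pmd. */` above the definition.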
19936 @@ -231,10 +272,22 @@ void vmalloc_sync_all(void)
19937         for (address = VMALLOC_START & PMD_MASK;
19938              address >= TASK_SIZE && address < FIXADDR_TOP;
19939              address += PMD_SIZE) {
19940 +
19941 +#ifdef CONFIG_PAX_PER_CPU_PGD
19942 +               unsigned long cpu;
19943 +#else
19944                 struct page *page;
19945 +#endif
19946  
19947                 spin_lock(&pgd_lock);
19948 +
19949 +#ifdef CONFIG_PAX_PER_CPU_PGD
19950 +               for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19951 +                       pgd_t *pgd = get_cpu_pgd(cpu);
19952 +                       pmd_t *ret;
19953 +#else
19954                 list_for_each_entry(page, &pgd_list, lru) {
19955 +                       pgd_t *pgd = page_address(page);
19956                         spinlock_t *pgt_lock;
19957                         pmd_t *ret;
19958  
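Review bot: The CONFIG_PAX_PER_CPU_PGD loop runs `cpu` from 0 to NR_CPUS, syncing the pgd of every slot whether or not that CPU can exist; `for_each_possible_cpu(cpu)` (with `int cpu`) is the idiomatic form and bounds the work to CPUs that can run. Walking all NR_CPUS slots is harmless only if get_cpu_pgd() indexes a static NR_CPUS-sized array rather than a per-cpu area, which this hunk does not show; if it is a per-cpu area, the full-NR_CPUS walk is the actual defect. vmalloc_sync_all() continues into the next hunk.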
19959 @@ -242,8 +295,13 @@ void vmalloc_sync_all(void)
19960                         pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
19961  
19962                         spin_lock(pgt_lock);
19963 -                       ret = vmalloc_sync_one(page_address(page), address);
19964 +#endif
19965 +
19966 +                       ret = vmalloc_sync_one(pgd, address);
19967 +
19968 +#ifndef CONFIG_PAX_PER_CPU_PGD
19969                         spin_unlock(pgt_lock);
19970 +#endif
19971  
19972                         if (!ret)
19973                                 break;
19974 @@ -277,6 +335,11 @@ static noinline __kprobes int vmalloc_fa
19975          * an interrupt in the middle of a task switch..
19976          */
19977         pgd_paddr = read_cr3();
19978 +
19979 +#ifdef CONFIG_PAX_PER_CPU_PGD
19980 +       BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
19981 +#endif
19982 +
19983         pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
19984         if (!pmd_k)
19985                 return -1;
19986 @@ -372,7 +435,14 @@ static noinline __kprobes int vmalloc_fa
19987          * happen within a race in page table update. In the later
19988          * case just flush:
19989          */
19990 +
19991 +#ifdef CONFIG_PAX_PER_CPU_PGD
19992 +       BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
19993 +       pgd = pgd_offset_cpu(smp_processor_id(), address);
19994 +#else
19995         pgd = pgd_offset(current->active_mm, address);
19996 +#endif
19997 +
19998         pgd_ref = pgd_offset_k(address);
19999         if (pgd_none(*pgd_ref))
20000                 return -1;
20001 @@ -534,7 +604,7 @@ static int is_errata93(struct pt_regs *r
20002  static int is_errata100(struct pt_regs *regs, unsigned long address)
20003  {
20004  #ifdef CONFIG_X86_64
20005 -       if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
20006 +       if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
20007                 return 1;
20008  #endif
20009         return 0;
20010 @@ -561,7 +631,7 @@ static int is_f00f_bug(struct pt_regs *r
20011  }
20012  
20013  static const char nx_warning[] = KERN_CRIT
20014 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
20015 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
20016  
20017  static void
20018  show_fault_oops(struct pt_regs *regs, unsigned long error_code,
20019 @@ -570,14 +640,25 @@ show_fault_oops(struct pt_regs *regs, un
20020         if (!oops_may_print())
20021                 return;
20022  
20023 -       if (error_code & PF_INSTR) {
20024 +       if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
20025                 unsigned int level;
20026  
20027                 pte_t *pte = lookup_address(address, &level);
20028  
20029                 if (pte && pte_present(*pte) && !pte_exec(*pte))
20030 -                       printk(nx_warning, current_uid());
20031 +                       printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
20032 +       }
20033 +
20034 +#ifdef CONFIG_PAX_KERNEXEC
20035 +       if (init_mm.start_code <= address && address < init_mm.end_code) {
20036 +               if (current->signal->curr_ip)
20037 +                       printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
20038 +                                        &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
20039 +               else
20040 +                       printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
20041 +                                        current->comm, task_pid_nr(current), current_uid(), current_euid());
20042         }
20043 +#endif
20044  
20045         printk(KERN_ALERT "BUG: unable to handle kernel ");
20046         if (address < PAGE_SIZE)
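Review bot: The KERNEXEC report in show_fault_oops() prints "attempted to modify kernel code" for any fault whose address falls in init_mm's text range without testing `error_code & PF_WRITE`, so a non-write fault in that range, should one occur, would be logged with the wrong verb; qualifying the condition as `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code)` keeps the log line accurate. The two printk() calls differ only in the `%pI4` prefix; a single format with the source address logged on its own line would remove the duplicated argument list. show_fault_oops() continues outside the hunk.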
20047 @@ -733,6 +814,21 @@ __bad_area_nosemaphore(struct pt_regs *r
20048                 }
20049  #endif
20050  
20051 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20052 +               if (pax_is_fetch_fault(regs, error_code, address)) {
20053 +
20054 +#ifdef CONFIG_PAX_EMUTRAMP
20055 +                       switch (pax_handle_fetch_fault(regs)) {
20056 +                       case 2:
20057 +                               return;
20058 +                       }
20059 +#endif
20060 +
20061 +                       pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
20062 +                       do_group_exit(SIGKILL);
20063 +               }
20064 +#endif
20065 +
20066                 if (unlikely(show_unhandled_signals))
20067                         show_signal_msg(regs, error_code, address, tsk);
20068  
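Review bot: The `switch (pax_handle_fetch_fault(regs))` with a single `case 2: return;` and no default reads as a placeholder; `if (pax_handle_fetch_fault(regs) == 2) return; /* gcc trampoline emulated, resume the task */` states the intent directly, and the same shape recurs in pax_handle_pageexec_fault() later in this file. The meaning of 1 and 2 is documented on pax_handle_fetch_fault() itself, so a named constant for the "emulated" result would keep the call sites readable without that lookup. __bad_area_nosemaphore() starts and ends outside this hunk.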
20069 @@ -829,7 +925,7 @@ do_sigbus(struct pt_regs *regs, unsigned
20070         if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
20071                 printk(KERN_ERR
20072         "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
20073 -                       tsk->comm, tsk->pid, address);
20074 +                       tsk->comm, task_pid_nr(tsk), address);
20075                 code = BUS_MCEERR_AR;
20076         }
20077  #endif
20078 @@ -884,6 +980,99 @@ static int spurious_fault_check(unsigned
20079         return 1;
20080  }
20081  
20082 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
20083 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
20084 +{
20085 +       pte_t *pte;
20086 +       pmd_t *pmd;
20087 +       spinlock_t *ptl;
20088 +       unsigned char pte_mask;
20089 +
20090 +       if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
20091 +           !(mm->pax_flags & MF_PAX_PAGEEXEC))
20092 +               return 0;
20093 +
20094 +       /* PaX: it's our fault, let's handle it if we can */
20095 +
20096 +       /* PaX: take a look at read faults before acquiring any locks */
20097 +       if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
20098 +               /* instruction fetch attempt from a protected page in user mode */
20099 +               up_read(&mm->mmap_sem);
20100 +
20101 +#ifdef CONFIG_PAX_EMUTRAMP
20102 +               switch (pax_handle_fetch_fault(regs)) {
20103 +               case 2:
20104 +                       return 1;
20105 +               }
20106 +#endif
20107 +
20108 +               pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
20109 +               do_group_exit(SIGKILL);
20110 +       }
20111 +
20112 +       pmd = pax_get_pmd(mm, address);
20113 +       if (unlikely(!pmd))
20114 +               return 0;
20115 +
20116 +       pte = pte_offset_map_lock(mm, pmd, address, &ptl);
20117 +       if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
20118 +               pte_unmap_unlock(pte, ptl);
20119 +               return 0;
20120 +       }
20121 +
20122 +       if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
20123 +               /* write attempt to a protected page in user mode */
20124 +               pte_unmap_unlock(pte, ptl);
20125 +               return 0;
20126 +       }
20127 +
20128 +#ifdef CONFIG_SMP
20129 +       if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
20130 +#else
20131 +       if (likely(address > get_limit(regs->cs)))
20132 +#endif
20133 +       {
20134 +               set_pte(pte, pte_mkread(*pte));
20135 +               __flush_tlb_one(address);
20136 +               pte_unmap_unlock(pte, ptl);
20137 +               up_read(&mm->mmap_sem);
20138 +               return 1;
20139 +       }
20140 +
20141 +       pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
20142 +
20143 +       /*
20144 +        * PaX: fill DTLB with user rights and retry
20145 +        */
20146 +       __asm__ __volatile__ (
20147 +               "orb %2,(%1)\n"
20148 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
20149 +/*
20150 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
20151 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
20152 + * page fault when examined during a TLB load attempt. this is true not only
20153 + * for PTEs holding a non-present entry but also present entries that will
20154 + * raise a page fault (such as those set up by PaX, or the copy-on-write
20155 + * mechanism). in effect it means that we do *not* need to flush the TLBs
20156 + * for our target pages since their PTEs are simply not in the TLBs at all.
20157 +
20158 + * the best thing in omitting it is that we gain around 15-20% speed in the
20159 + * fast path of the page fault handler and can get rid of tracing since we
20160 + * can no longer flush unintended entries.
20161 + */
20162 +               "invlpg (%0)\n"
20163 +#endif
20164 +               __copyuser_seg"testb $0,(%0)\n"
20165 +               "xorb %3,(%1)\n"
20166 +               :
20167 +               : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
20168 +               : "memory", "cc");
20169 +       pte_unmap_unlock(pte, ptl);
20170 +       up_read(&mm->mmap_sem);
20171 +       return 1;
20172 +}
20173 +#endif
20174 +
20175  /*
20176   * Handle a spurious fault caused by a stale TLB entry.
20177   *
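Review bot: pax_handle_pageexec_fault() lacks a header comment, and its lock contract is easy to get wrong: every `return 1` path has already called `up_read(&mm->mmap_sem)` (the fetch-fault path, the set_pte() path and the inline-asm path), whereas every `return 0` path leaves mmap_sem held for the caller to continue with find_vma(). Suggest a comment above the function stating that it is called with mm->mmap_sem held for read, returns 1 when the fault was a PaX PAGEEXEC fault that has been handled (or the task was killed) and mmap_sem has been released, and returns 0 when the fault is not PaX's and mmap_sem is still held. Note also that pax_get_pmd() does not rule out a huge pmd before the pte_offset_map_lock() call; if hugetlb mappings can reach this path on this configuration, a `pmd_large()` check would be needed — verify.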
20178 @@ -956,6 +1145,9 @@ int show_unhandled_signals = 1;
20179  static inline int
20180  access_error(unsigned long error_code, struct vm_area_struct *vma)
20181  {
20182 +       if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
20183 +               return 1;
20184 +
20185         if (error_code & PF_WRITE) {
20186                 /* write, present and write, not present: */
20187                 if (unlikely(!(vma->vm_flags & VM_WRITE)))
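Review bot: The new instruction-fetch check at the top of access_error() has no comment explaining why it precedes the write/read checks: with NX enforced, a PF_INSTR fault on a VMA without VM_EXEC can never be satisfied by faulting the page in as a read, so it has to be reported as an access error up front. Suggest `/* instruction fetch from a non-executable mapping: never valid when NX is enforced */` above the `if`. access_error() continues outside the hunk.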
20188 @@ -989,19 +1181,33 @@ do_page_fault(struct pt_regs *regs, unsi
20189  {
20190         struct vm_area_struct *vma;
20191         struct task_struct *tsk;
20192 -       unsigned long address;
20193         struct mm_struct *mm;
20194         int fault;
20195         int write = error_code & PF_WRITE;
20196         unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE |
20197                                         (write ? FAULT_FLAG_WRITE : 0);
20198  
20199 +       /* Get the faulting address: */
20200 +       unsigned long address = read_cr2();
20201 +
20202 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20203 +       if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
20204 +               if (!search_exception_tables(regs->ip)) {
20205 +                       bad_area_nosemaphore(regs, error_code, address);
20206 +                       return;
20207 +               }
20208 +               if (address < PAX_USER_SHADOW_BASE) {
20209 +                       printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
20210 +                       printk(KERN_ERR "PAX: faulting IP: %pS\n", (void *)regs->ip);
20211 +                       show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
20212 +               } else
20213 +                       address -= PAX_USER_SHADOW_BASE;
20214 +       }
20215 +#endif
20216 +
20217         tsk = current;
20218         mm = tsk->mm;
20219  
20220 -       /* Get the faulting address: */
20221 -       address = read_cr2();
20222 -
20223         /*
20224          * Detect and handle instructions that would cause a page fault for
20225          * both a tracked kernel page and a userspace page.
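Review bot: The "please report this" branch in do_page_fault() prints two lines and a full show_trace_log_lvl() dump and then falls through into the normal handler with the unadjusted address; it is reachable from any kernel-mode fault below PAX_USER_SHADOW_BASE that has an exception-table entry, so the output should at least be rate-limited (`printk_ratelimited(KERN_ERR ...)`) and the branch should say in a comment why continuing with the raw address is the right thing. Moving `address = read_cr2()` into the declarations is fine, since nothing that can fault or preempt precedes it, but a comment that it must stay first would protect that ordering. do_page_fault() continues outside the hunk.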
20226 @@ -1061,7 +1267,7 @@ do_page_fault(struct pt_regs *regs, unsi
20227          * User-mode registers count as a user access even for any
20228          * potential system fault or CPU buglet:
20229          */
20230 -       if (user_mode_vm(regs)) {
20231 +       if (user_mode(regs)) {
20232                 local_irq_enable();
20233                 error_code |= PF_USER;
20234         } else {
20235 @@ -1116,6 +1322,11 @@ retry:
20236                 might_sleep();
20237         }
20238  
20239 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
20240 +       if (pax_handle_pageexec_fault(regs, mm, address, error_code))
20241 +               return;
20242 +#endif
20243 +
20244         vma = find_vma(mm, address);
20245         if (unlikely(!vma)) {
20246                 bad_area(regs, error_code, address);
20247 @@ -1127,18 +1338,24 @@ retry:
20248                 bad_area(regs, error_code, address);
20249                 return;
20250         }
20251 -       if (error_code & PF_USER) {
20252 -               /*
20253 -                * Accessing the stack below %sp is always a bug.
20254 -                * The large cushion allows instructions like enter
20255 -                * and pusha to work. ("enter $65535, $31" pushes
20256 -                * 32 pointers and then decrements %sp by 65535.)
20257 -                */
20258 -               if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
20259 -                       bad_area(regs, error_code, address);
20260 -                       return;
20261 -               }
20262 +       /*
20263 +        * Accessing the stack below %sp is always a bug.
20264 +        * The large cushion allows instructions like enter
20265 +        * and pusha to work. ("enter $65535, $31" pushes
20266 +        * 32 pointers and then decrements %sp by 65535.)
20267 +        */
20268 +       if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
20269 +               bad_area(regs, error_code, address);
20270 +               return;
20271         }
20272 +
20273 +#ifdef CONFIG_PAX_SEGMEXEC
20274 +       if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
20275 +               bad_area(regs, error_code, address);
20276 +               return;
20277 +       }
20278 +#endif
20279 +
20280         if (unlikely(expand_stack(vma, address))) {
20281                 bad_area(regs, error_code, address);
20282                 return;
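Review bot: Dropping the `error_code & PF_USER` condition and comparing against `task_pt_regs(tsk)->sp` extends the below-%sp rejection to kernel-mode faults made on the task's behalf (copy_*_user into the user stack, for instance), which is a semantic change the retained comment does not mention. Add to that comment `* This also covers kernel accesses done on the task's behalf, hence task_pt_regs() rather than regs.` so the choice of frame is explained. For that to be well-defined the task needs a user-mode frame; kernel threads have no mm and presumably never reach this point, but that assumption is worth a word too. The SEGMEXEC check below it appears to rely on unsigned wraparound in `vma->vm_end - SEGMEXEC_TASK_SIZE - 1` to test that the address and the vma end lie in the same half; a short comment saying so would help. do_page_fault() continues outside the hunk.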
20283 @@ -1193,3 +1410,240 @@ good_area:
20284  
20285         up_read(&mm->mmap_sem);
20286  }
20287 +
20288 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20289 +static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
20290 +{
20291 +       struct mm_struct *mm = current->mm;
20292 +       unsigned long ip = regs->ip;
20293 +
20294 +       if (v8086_mode(regs))
20295 +               ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
20296 +
20297 +#ifdef CONFIG_PAX_PAGEEXEC
20298 +       if (mm->pax_flags & MF_PAX_PAGEEXEC) {
20299 +               if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR))
20300 +                       return true;
20301 +               if (!(error_code & (PF_PROT | PF_WRITE)) && ip == address)
20302 +                       return true;
20303 +               return false;
20304 +       }
20305 +#endif
20306 +
20307 +#ifdef CONFIG_PAX_SEGMEXEC
20308 +       if (mm->pax_flags & MF_PAX_SEGMEXEC) {
20309 +               if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address))
20310 +                       return true;
20311 +               return false;
20312 +       }
20313 +#endif
20314 +
20315 +       return false;
20316 +}
20317 +#endif
20318 +
20319 +#ifdef CONFIG_PAX_EMUTRAMP
20320 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
20321 +{
20322 +       int err;
20323 +
20324 +       do { /* PaX: gcc trampoline emulation #1 */
20325 +               unsigned char mov1, mov2;
20326 +               unsigned short jmp;
20327 +               unsigned int addr1, addr2;
20328 +
20329 +#ifdef CONFIG_X86_64
20330 +               if ((regs->ip + 11) >> 32)
20331 +                       break;
20332 +#endif
20333 +
20334 +               err = get_user(mov1, (unsigned char __user *)regs->ip);
20335 +               err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
20336 +               err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
20337 +               err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
20338 +               err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
20339 +
20340 +               if (err)
20341 +                       break;
20342 +
20343 +               if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
20344 +                       regs->cx = addr1;
20345 +                       regs->ax = addr2;
20346 +                       regs->ip = addr2;
20347 +                       return 2;
20348 +               }
20349 +       } while (0);
20350 +
20351 +       do { /* PaX: gcc trampoline emulation #2 */
20352 +               unsigned char mov, jmp;
20353 +               unsigned int addr1, addr2;
20354 +
20355 +#ifdef CONFIG_X86_64
20356 +               if ((regs->ip + 9) >> 32)
20357 +                       break;
20358 +#endif
20359 +
20360 +               err = get_user(mov, (unsigned char __user *)regs->ip);
20361 +               err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
20362 +               err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
20363 +               err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
20364 +
20365 +               if (err)
20366 +                       break;
20367 +
20368 +               if (mov == 0xB9 && jmp == 0xE9) {
20369 +                       regs->cx = addr1;
20370 +                       regs->ip = (unsigned int)(regs->ip + addr2 + 10);
20371 +                       return 2;
20372 +               }
20373 +       } while (0);
20374 +
20375 +       return 1; /* PaX in action */
20376 +}
20377 +
20378 +#ifdef CONFIG_X86_64
20379 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
20380 +{
20381 +       int err;
20382 +
20383 +       do { /* PaX: gcc trampoline emulation #1 */
20384 +               unsigned short mov1, mov2, jmp1;
20385 +               unsigned char jmp2;
20386 +               unsigned int addr1;
20387 +               unsigned long addr2;
20388 +
20389 +               err = get_user(mov1, (unsigned short __user *)regs->ip);
20390 +               err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
20391 +               err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
20392 +               err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
20393 +               err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
20394 +               err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
20395 +
20396 +               if (err)
20397 +                       break;
20398 +
20399 +               if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
20400 +                       regs->r11 = addr1;
20401 +                       regs->r10 = addr2;
20402 +                       regs->ip = addr1;
20403 +                       return 2;
20404 +               }
20405 +       } while (0);
20406 +
20407 +       do { /* PaX: gcc trampoline emulation #2 */
20408 +               unsigned short mov1, mov2, jmp1;
20409 +               unsigned char jmp2;
20410 +               unsigned long addr1, addr2;
20411 +
20412 +               err = get_user(mov1, (unsigned short __user *)regs->ip);
20413 +               err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
20414 +               err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
20415 +               err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
20416 +               err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
20417 +               err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
20418 +
20419 +               if (err)
20420 +                       break;
20421 +
20422 +               if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
20423 +                       regs->r11 = addr1;
20424 +                       regs->r10 = addr2;
20425 +                       regs->ip = addr1;
20426 +                       return 2;
20427 +               }
20428 +       } while (0);
20429 +
20430 +       return 1; /* PaX in action */
20431 +}
20432 +#endif
20433 +
20434 +/*
20435 + * PaX: decide what to do with offenders (regs->ip = fault address)
20436 + *
20437 + * returns 1 when task should be killed
20438 + *         2 when gcc trampoline was detected
20439 + */
20440 +static int pax_handle_fetch_fault(struct pt_regs *regs)
20441 +{
20442 +       if (v8086_mode(regs))
20443 +               return 1;
20444 +
20445 +       if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
20446 +               return 1;
20447 +
20448 +#ifdef CONFIG_X86_32
20449 +       return pax_handle_fetch_fault_32(regs);
20450 +#else
20451 +       if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
20452 +               return pax_handle_fetch_fault_32(regs);
20453 +       else
20454 +               return pax_handle_fetch_fault_64(regs);
20455 +#endif
20456 +}
20457 +#endif
20458 +
20459 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20460 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
20461 +{
20462 +       long i;
20463 +
20464 +       printk(KERN_ERR "PAX: bytes at PC: ");
20465 +       for (i = 0; i < 20; i++) {
20466 +               unsigned char c;
20467 +               if (get_user(c, (unsigned char __force_user *)pc+i))
20468 +                       printk(KERN_CONT "?? ");
20469 +               else
20470 +                       printk(KERN_CONT "%02x ", c);
20471 +       }
20472 +       printk("\n");
20473 +
20474 +       printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
20475 +       for (i = -1; i < 80 / (long)sizeof(long); i++) {
20476 +               unsigned long c;
20477 +               if (get_user(c, (unsigned long __force_user *)sp+i)) {
20478 +#ifdef CONFIG_X86_32
20479 +                       printk(KERN_CONT "???????? ");
20480 +#else
20481 +                       if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)))
20482 +                               printk(KERN_CONT "???????? ???????? ");
20483 +                       else
20484 +                               printk(KERN_CONT "???????????????? ");
20485 +#endif
20486 +               } else {
20487 +#ifdef CONFIG_X86_64
20488 +                       if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))) {
20489 +                               printk(KERN_CONT "%08x ", (unsigned int)c);
20490 +                               printk(KERN_CONT "%08x ", (unsigned int)(c >> 32));
20491 +                       } else
20492 +#endif
20493 +                               printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
20494 +               }
20495 +       }
20496 +       printk("\n");
20497 +}
20498 +#endif
20499 +
20500 +/**
20501 + * probe_kernel_write(): safely attempt to write to a location
20502 + * @dst: address to write to
20503 + * @src: pointer to the data that shall be written
20504 + * @size: size of the data chunk
20505 + *
20506 + * Safely write to address @dst from the buffer at @src.  If a kernel fault
20507 + * happens, handle that and return -EFAULT.
20508 + */
20509 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
20510 +{
20511 +       long ret;
20512 +       mm_segment_t old_fs = get_fs();
20513 +
20514 +       set_fs(KERNEL_DS);
20515 +       pagefault_disable();
20516 +       pax_open_kernel();
20517 +       ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
20518 +       pax_close_kernel();
20519 +       pagefault_enable();
20520 +       set_fs(old_fs);
20521 +
20522 +       return ret ? -EFAULT : 0;
20523 +}
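Review bot: The test `regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)` for "32-bit code segment" is written out three times in this hunk (pax_handle_fetch_fault() and twice in pax_report_insns()) and once more in is_errata100() earlier in the file; one helper, `static inline bool pax_is_32bit_cs(const struct pt_regs *regs) { return regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT); }`, would keep them from drifting. pax_is_fetch_fault() also has no header comment: it decides, from error_code and the vm86-linearised ip, whether a user fault was an instruction fetch blocked by PAGEEXEC or SEGMEXEC, and it dereferences current->mm without a NULL check, which is fine only because its caller presumably reaches it for PF_USER faults alone — worth stating above the function. In pax_report_insns() the two `printk("\n")` calls carry no KERN_CONT while every other continuation line does; `printk(KERN_CONT "\n")` keeps them consistent.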
20524 diff -urNp linux-3.1.1/arch/x86/mm/gup.c linux-3.1.1/arch/x86/mm/gup.c
20525 --- linux-3.1.1/arch/x86/mm/gup.c       2011-11-11 15:19:27.000000000 -0500
20526 +++ linux-3.1.1/arch/x86/mm/gup.c       2011-11-16 18:39:07.000000000 -0500
20527 @@ -253,7 +253,7 @@ int __get_user_pages_fast(unsigned long 
20528         addr = start;
20529         len = (unsigned long) nr_pages << PAGE_SHIFT;
20530         end = start + len;
20531 -       if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
20532 +       if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
20533                                         (void __user *)start, len)))
20534                 return 0;
20535  
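Review bot: Switching to `__access_ok()` in __get_user_pages_fast() drops whatever the patched access_ok() adds on top of the raw range check, and nothing at the call site says why the unchecked variant is wanted for the fast gup path; a comment such as `/* __access_ok(): plain range check only; see the patched access_ok() in the uaccess header for what is skipped */` would document the intent. The patched access_ok() definition is not visible here, so whether skipping it is safe for every caller of __get_user_pages_fast() is unverified. __get_user_pages_fast() continues outside the hunk.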
20536 diff -urNp linux-3.1.1/arch/x86/mm/highmem_32.c linux-3.1.1/arch/x86/mm/highmem_32.c
20537 --- linux-3.1.1/arch/x86/mm/highmem_32.c        2011-11-11 15:19:27.000000000 -0500
20538 +++ linux-3.1.1/arch/x86/mm/highmem_32.c        2011-11-16 18:39:07.000000000 -0500
20539 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
20540         idx = type + KM_TYPE_NR*smp_processor_id();
20541         vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
20542         BUG_ON(!pte_none(*(kmap_pte-idx)));
20543 +
20544 +       pax_open_kernel();
20545         set_pte(kmap_pte-idx, mk_pte(page, prot));
20546 +       pax_close_kernel();
20547  
20548         return (void *)vaddr;
20549  }
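Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around set_pte() has no comment saying what protection it lifts; elsewhere in this patch the same pair brackets a write to kernel memory (probe_kernel_write() in fault.c), which suggests the kmap pte page is otherwise write-protected, but that is an inference rather than something this hunk shows. A one-line comment, `/* PaX: kmap_pte lives in write-protected kernel page tables; open the window for the update */` (adjusted to whatever is actually true), would make the pairing self-explanatory. kmap_atomic_prot() starts outside the hunk.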
20550 diff -urNp linux-3.1.1/arch/x86/mm/hugetlbpage.c linux-3.1.1/arch/x86/mm/hugetlbpage.c
20551 --- linux-3.1.1/arch/x86/mm/hugetlbpage.c       2011-11-11 15:19:27.000000000 -0500
20552 +++ linux-3.1.1/arch/x86/mm/hugetlbpage.c       2011-11-16 18:39:07.000000000 -0500
20553 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
20554         struct hstate *h = hstate_file(file);
20555         struct mm_struct *mm = current->mm;
20556         struct vm_area_struct *vma;
20557 -       unsigned long start_addr;
20558 +       unsigned long start_addr, pax_task_size = TASK_SIZE;
20559 +
20560 +#ifdef CONFIG_PAX_SEGMEXEC
20561 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
20562 +               pax_task_size = SEGMEXEC_TASK_SIZE;
20563 +#endif
20564 +
20565 +       pax_task_size -= PAGE_SIZE;
20566  
20567         if (len > mm->cached_hole_size) {
20568 -               start_addr = mm->free_area_cache;
20569 +               start_addr = mm->free_area_cache;
20570         } else {
20571 -               start_addr = TASK_UNMAPPED_BASE;
20572 -               mm->cached_hole_size = 0;
20573 +               start_addr = mm->mmap_base;
20574 +               mm->cached_hole_size = 0;
20575         }
20576  
20577  full_search:
20578 @@ -280,26 +287,27 @@ full_search:
20579  
20580         for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
20581                 /* At this point:  (!vma || addr < vma->vm_end). */
20582 -               if (TASK_SIZE - len < addr) {
20583 +               if (pax_task_size - len < addr) {
20584                         /*
20585                          * Start a new search - just in case we missed
20586                          * some holes.
20587                          */
20588 -                       if (start_addr != TASK_UNMAPPED_BASE) {
20589 -                               start_addr = TASK_UNMAPPED_BASE;
20590 +                       if (start_addr != mm->mmap_base) {
20591 +                               start_addr = mm->mmap_base;
20592                                 mm->cached_hole_size = 0;
20593                                 goto full_search;
20594                         }
20595                         return -ENOMEM;
20596                 }
20597 -               if (!vma || addr + len <= vma->vm_start) {
20598 -                       mm->free_area_cache = addr + len;
20599 -                       return addr;
20600 -               }
20601 +               if (check_heap_stack_gap(vma, addr, len))
20602 +                       break;
20603                 if (addr + mm->cached_hole_size < vma->vm_start)
20604                         mm->cached_hole_size = vma->vm_start - addr;
20605                 addr = ALIGN(vma->vm_end, huge_page_size(h));
20606         }
20607 +
20608 +       mm->free_area_cache = addr + len;
20609 +       return addr;
20610  }
20611  
20612  static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
20613 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
20614  {
20615         struct hstate *h = hstate_file(file);
20616         struct mm_struct *mm = current->mm;
20617 -       struct vm_area_struct *vma, *prev_vma;
20618 -       unsigned long base = mm->mmap_base, addr = addr0;
20619 +       struct vm_area_struct *vma;
20620 +       unsigned long base = mm->mmap_base, addr;
20621         unsigned long largest_hole = mm->cached_hole_size;
20622 -       int first_time = 1;
20623  
20624         /* don't allow allocations above current base */
20625         if (mm->free_area_cache > base)
20626 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
20627                 largest_hole = 0;
20628                 mm->free_area_cache  = base;
20629         }
20630 -try_again:
20631 +
20632         /* make sure it can fit in the remaining address space */
20633         if (mm->free_area_cache < len)
20634                 goto fail;
20635  
20636         /* either no address requested or can't fit in requested address hole */
20637 -       addr = (mm->free_area_cache - len) & huge_page_mask(h);
20638 +       addr = (mm->free_area_cache - len);
20639         do {
20640 +               addr &= huge_page_mask(h);
20641 +               vma = find_vma(mm, addr);
20642                 /*
20643                  * Lookup failure means no vma is above this address,
20644                  * i.e. return with success:
20645 -                */
20646 -               if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
20647 -                       return addr;
20648 -
20649 -               /*
20650                  * new region fits between prev_vma->vm_end and
20651                  * vma->vm_start, use it:
20652                  */
20653 -               if (addr + len <= vma->vm_start &&
20654 -                           (!prev_vma || (addr >= prev_vma->vm_end))) {
20655 +               if (check_heap_stack_gap(vma, addr, len)) {
20656                         /* remember the address as a hint for next time */
20657 -                       mm->cached_hole_size = largest_hole;
20658 -                       return (mm->free_area_cache = addr);
20659 -               } else {
20660 -                       /* pull free_area_cache down to the first hole */
20661 -                       if (mm->free_area_cache == vma->vm_end) {
20662 -                               mm->free_area_cache = vma->vm_start;
20663 -                               mm->cached_hole_size = largest_hole;
20664 -                       }
20665 +                       mm->cached_hole_size = largest_hole;
20666 +                       return (mm->free_area_cache = addr);
20667 +               }
20668 +               /* pull free_area_cache down to the first hole */
20669 +               if (mm->free_area_cache == vma->vm_end) {
20670 +                       mm->free_area_cache = vma->vm_start;
20671 +                       mm->cached_hole_size = largest_hole;
20672                 }
20673  
20674                 /* remember the largest hole we saw so far */
20675                 if (addr + largest_hole < vma->vm_start)
20676 -                       largest_hole = vma->vm_start - addr;
20677 +                       largest_hole = vma->vm_start - addr;
20678  
20679                 /* try just below the current vma->vm_start */
20680 -               addr = (vma->vm_start - len) & huge_page_mask(h);
20681 -       } while (len <= vma->vm_start);
20682 +               addr = skip_heap_stack_gap(vma, len);
20683 +       } while (!IS_ERR_VALUE(addr));
20684  
20685  fail:
20686         /*
20687 -        * if hint left us with no space for the requested
20688 -        * mapping then try again:
20689 -        */
20690 -       if (first_time) {
20691 -               mm->free_area_cache = base;
20692 -               largest_hole = 0;
20693 -               first_time = 0;
20694 -               goto try_again;
20695 -       }
20696 -       /*
20697          * A failed mmap() very likely causes application failure,
20698          * so fall back to the bottom-up function here. This scenario
20699          * can happen with large stack limits and large mmap()
20700          * allocations.
20701          */
20702 -       mm->free_area_cache = TASK_UNMAPPED_BASE;
20703 +
20704 +#ifdef CONFIG_PAX_SEGMEXEC
20705 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
20706 +               mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
20707 +       else
20708 +#endif
20709 +
20710 +       mm->mmap_base = TASK_UNMAPPED_BASE;
20711 +
20712 +#ifdef CONFIG_PAX_RANDMMAP
20713 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
20714 +               mm->mmap_base += mm->delta_mmap;
20715 +#endif
20716 +
20717 +       mm->free_area_cache = mm->mmap_base;
20718         mm->cached_hole_size = ~0UL;
20719         addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
20720                         len, pgoff, flags);
20721 @@ -386,6 +392,7 @@ fail:
20722         /*
20723          * Restore the topdown base:
20724          */
20725 +       mm->mmap_base = base;
20726         mm->free_area_cache = base;
20727         mm->cached_hole_size = ~0UL;
20728  
20729 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
20730         struct hstate *h = hstate_file(file);
20731         struct mm_struct *mm = current->mm;
20732         struct vm_area_struct *vma;
20733 +       unsigned long pax_task_size = TASK_SIZE;
20734  
20735         if (len & ~huge_page_mask(h))
20736                 return -EINVAL;
20737 -       if (len > TASK_SIZE)
20738 +
20739 +#ifdef CONFIG_PAX_SEGMEXEC
20740 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
20741 +               pax_task_size = SEGMEXEC_TASK_SIZE;
20742 +#endif
20743 +
20744 +       pax_task_size -= PAGE_SIZE;
20745 +
20746 +       if (len > pax_task_size)
20747                 return -ENOMEM;
20748  
20749         if (flags & MAP_FIXED) {
20750 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
20751         if (addr) {
20752                 addr = ALIGN(addr, huge_page_size(h));
20753                 vma = find_vma(mm, addr);
20754 -               if (TASK_SIZE - len >= addr &&
20755 -                   (!vma || addr + len <= vma->vm_start))
20756 +               if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
20757                         return addr;
20758         }
20759         if (mm->get_unmapped_area == arch_get_unmapped_area)
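Review bot: In the `fail:` hunk of `hugetlb_get_unmapped_area_topdown` the `first_time`/`try_again` retry is removed, so a search that starts from a stale `mm->free_area_cache` below `base` and fails now drops straight into the bottom-up fallback instead of first retrying from `base`. Unless `check_heap_stack_gap()`/`skip_heap_stack_gap()` make that retry redundant (their definitions are not in these hunks), holes between `free_area_cache` and `base` are never revisited and the mapping lands bottom-up, a path that also temporarily rewrites `mm->mmap_base` before the `@@ -386` hunk restores it. If the removal is intentional, a comment at the `fail:` label saying why the retry is no longer needed would help; otherwise restore the retry before the fallback. The function's declaration is in the `@@ -308` hunk and its final `return` is outside the visible hunks.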
20760 diff -urNp linux-3.1.1/arch/x86/mm/init_32.c linux-3.1.1/arch/x86/mm/init_32.c
20761 --- linux-3.1.1/arch/x86/mm/init_32.c   2011-11-11 15:19:27.000000000 -0500
20762 +++ linux-3.1.1/arch/x86/mm/init_32.c   2011-11-16 18:39:07.000000000 -0500
20763 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
20764  }
20765  
20766  /*
20767 - * Creates a middle page table and puts a pointer to it in the
20768 - * given global directory entry. This only returns the gd entry
20769 - * in non-PAE compilation mode, since the middle layer is folded.
20770 - */
20771 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
20772 -{
20773 -       pud_t *pud;
20774 -       pmd_t *pmd_table;
20775 -
20776 -#ifdef CONFIG_X86_PAE
20777 -       if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
20778 -               if (after_bootmem)
20779 -                       pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
20780 -               else
20781 -                       pmd_table = (pmd_t *)alloc_low_page();
20782 -               paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
20783 -               set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
20784 -               pud = pud_offset(pgd, 0);
20785 -               BUG_ON(pmd_table != pmd_offset(pud, 0));
20786 -
20787 -               return pmd_table;
20788 -       }
20789 -#endif
20790 -       pud = pud_offset(pgd, 0);
20791 -       pmd_table = pmd_offset(pud, 0);
20792 -
20793 -       return pmd_table;
20794 -}
20795 -
20796 -/*
20797   * Create a page table and place a pointer to it in a middle page
20798   * directory entry:
20799   */
20800 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
20801                         page_table = (pte_t *)alloc_low_page();
20802  
20803                 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
20804 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20805 +               set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
20806 +#else
20807                 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
20808 +#endif
20809                 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
20810         }
20811  
20812         return pte_offset_kernel(pmd, 0);
20813  }
20814  
20815 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
20816 +{
20817 +       pud_t *pud;
20818 +       pmd_t *pmd_table;
20819 +
20820 +       pud = pud_offset(pgd, 0);
20821 +       pmd_table = pmd_offset(pud, 0);
20822 +
20823 +       return pmd_table;
20824 +}
20825 +
20826  pmd_t * __init populate_extra_pmd(unsigned long vaddr)
20827  {
20828         int pgd_idx = pgd_index(vaddr);
20829 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
20830         int pgd_idx, pmd_idx;
20831         unsigned long vaddr;
20832         pgd_t *pgd;
20833 +       pud_t *pud;
20834         pmd_t *pmd;
20835         pte_t *pte = NULL;
20836  
20837 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
20838         pgd = pgd_base + pgd_idx;
20839  
20840         for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
20841 -               pmd = one_md_table_init(pgd);
20842 -               pmd = pmd + pmd_index(vaddr);
20843 +               pud = pud_offset(pgd, vaddr);
20844 +               pmd = pmd_offset(pud, vaddr);
20845 +
20846 +#ifdef CONFIG_X86_PAE
20847 +               paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20848 +#endif
20849 +
20850                 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
20851                                                         pmd++, pmd_idx++) {
20852                         pte = page_table_kmap_check(one_page_table_init(pmd),
20853 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
20854         }
20855  }
20856  
20857 -static inline int is_kernel_text(unsigned long addr)
20858 +static inline int is_kernel_text(unsigned long start, unsigned long end)
20859  {
20860 -       if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
20861 -               return 1;
20862 -       return 0;
20863 +       if ((start > ktla_ktva((unsigned long)_etext) ||
20864 +            end <= ktla_ktva((unsigned long)_stext)) &&
20865 +           (start > ktla_ktva((unsigned long)_einittext) ||
20866 +            end <= ktla_ktva((unsigned long)_sinittext)) &&
20867 +
20868 +#ifdef CONFIG_ACPI_SLEEP
20869 +           (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
20870 +#endif
20871 +
20872 +           (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
20873 +               return 0;
20874 +       return 1;
20875  }
20876  
20877  /*
20878 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
20879         unsigned long last_map_addr = end;
20880         unsigned long start_pfn, end_pfn;
20881         pgd_t *pgd_base = swapper_pg_dir;
20882 -       int pgd_idx, pmd_idx, pte_ofs;
20883 +       unsigned int pgd_idx, pmd_idx, pte_ofs;
20884         unsigned long pfn;
20885         pgd_t *pgd;
20886 +       pud_t *pud;
20887         pmd_t *pmd;
20888         pte_t *pte;
20889         unsigned pages_2m, pages_4k;
20890 @@ -281,8 +282,13 @@ repeat:
20891         pfn = start_pfn;
20892         pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20893         pgd = pgd_base + pgd_idx;
20894 -       for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
20895 -               pmd = one_md_table_init(pgd);
20896 +       for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
20897 +               pud = pud_offset(pgd, 0);
20898 +               pmd = pmd_offset(pud, 0);
20899 +
20900 +#ifdef CONFIG_X86_PAE
20901 +               paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20902 +#endif
20903  
20904                 if (pfn >= end_pfn)
20905                         continue;
20906 @@ -294,14 +300,13 @@ repeat:
20907  #endif
20908                 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
20909                      pmd++, pmd_idx++) {
20910 -                       unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
20911 +                       unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
20912  
20913                         /*
20914                          * Map with big pages if possible, otherwise
20915                          * create normal page tables:
20916                          */
20917                         if (use_pse) {
20918 -                               unsigned int addr2;
20919                                 pgprot_t prot = PAGE_KERNEL_LARGE;
20920                                 /*
20921                                  * first pass will use the same initial
20922 @@ -311,11 +316,7 @@ repeat:
20923                                         __pgprot(PTE_IDENT_ATTR |
20924                                                  _PAGE_PSE);
20925  
20926 -                               addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
20927 -                                       PAGE_OFFSET + PAGE_SIZE-1;
20928 -
20929 -                               if (is_kernel_text(addr) ||
20930 -                                   is_kernel_text(addr2))
20931 +                               if (is_kernel_text(address, address + PMD_SIZE))
20932                                         prot = PAGE_KERNEL_LARGE_EXEC;
20933  
20934                                 pages_2m++;
20935 @@ -332,7 +333,7 @@ repeat:
20936                         pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20937                         pte += pte_ofs;
20938                         for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
20939 -                            pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
20940 +                            pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
20941                                 pgprot_t prot = PAGE_KERNEL;
20942                                 /*
20943                                  * first pass will use the same initial
20944 @@ -340,7 +341,7 @@ repeat:
20945                                  */
20946                                 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
20947  
20948 -                               if (is_kernel_text(addr))
20949 +                               if (is_kernel_text(address, address + PAGE_SIZE))
20950                                         prot = PAGE_KERNEL_EXEC;
20951  
20952                                 pages_4k++;
20953 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
20954  
20955                 pud = pud_offset(pgd, va);
20956                 pmd = pmd_offset(pud, va);
20957 -               if (!pmd_present(*pmd))
20958 +               if (!pmd_present(*pmd) || pmd_huge(*pmd))
20959                         break;
20960  
20961                 pte = pte_offset_kernel(pmd, va);
20962 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
20963  
20964  static void __init pagetable_init(void)
20965  {
20966 -       pgd_t *pgd_base = swapper_pg_dir;
20967 -
20968 -       permanent_kmaps_init(pgd_base);
20969 +       permanent_kmaps_init(swapper_pg_dir);
20970  }
20971  
20972 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
20973 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
20974  EXPORT_SYMBOL_GPL(__supported_pte_mask);
20975  
20976  /* user-defined highmem size */
20977 @@ -757,6 +756,12 @@ void __init mem_init(void)
20978  
20979         pci_iommu_alloc();
20980  
20981 +#ifdef CONFIG_PAX_PER_CPU_PGD
20982 +       clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
20983 +                       swapper_pg_dir + KERNEL_PGD_BOUNDARY,
20984 +                       KERNEL_PGD_PTRS);
20985 +#endif
20986 +
20987  #ifdef CONFIG_FLATMEM
20988         BUG_ON(!mem_map);
20989  #endif
20990 @@ -774,7 +779,7 @@ void __init mem_init(void)
20991         set_highmem_pages_init();
20992  
20993         codesize =  (unsigned long) &_etext - (unsigned long) &_text;
20994 -       datasize =  (unsigned long) &_edata - (unsigned long) &_etext;
20995 +       datasize =  (unsigned long) &_edata - (unsigned long) &_sdata;
20996         initsize =  (unsigned long) &__init_end - (unsigned long) &__init_begin;
20997  
20998         printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
20999 @@ -815,10 +820,10 @@ void __init mem_init(void)
21000                 ((unsigned long)&__init_end -
21001                  (unsigned long)&__init_begin) >> 10,
21002  
21003 -               (unsigned long)&_etext, (unsigned long)&_edata,
21004 -               ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
21005 +               (unsigned long)&_sdata, (unsigned long)&_edata,
21006 +               ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
21007  
21008 -               (unsigned long)&_text, (unsigned long)&_etext,
21009 +               ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
21010                 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
21011  
21012         /*
21013 @@ -896,6 +901,7 @@ void set_kernel_text_rw(void)
21014         if (!kernel_set_to_readonly)
21015                 return;
21016  
21017 +       start = ktla_ktva(start);
21018         pr_debug("Set kernel text: %lx - %lx for read write\n",
21019                  start, start+size);
21020  
21021 @@ -910,6 +916,7 @@ void set_kernel_text_ro(void)
21022         if (!kernel_set_to_readonly)
21023                 return;
21024  
21025 +       start = ktla_ktva(start);
21026         pr_debug("Set kernel text: %lx - %lx for read only\n",
21027                  start, start+size);
21028  
21029 @@ -938,6 +945,7 @@ void mark_rodata_ro(void)
21030         unsigned long start = PFN_ALIGN(_text);
21031         unsigned long size = PFN_ALIGN(_etext) - start;
21032  
21033 +       start = ktla_ktva(start);
21034         set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
21035         printk(KERN_INFO "Write protecting the kernel text: %luk\n",
21036                 size >> 10);
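Review bot: In the `is_kernel_text(start, end)` hunk the non-overlap tests use `start > ktla_ktva((unsigned long)_etext)` and `start > ktla_ktva((unsigned long)_einittext)` (and `start > (unsigned long)__va(acpi_wakeup_address) + 0x4000`), but those bounds are exclusive ends of their ranges, so a page or PMD that begins exactly at `_etext` is reported as text and mapped `PAGE_KERNEL_EXEC`/`PAGE_KERNEL_LARGE_EXEC` by `kernel_physical_mapping_init`; `>=` is the right comparison for those three, while the `__va(0xfffff)` bound is inclusive and is correct as written. The first line would become `if ((start >= ktla_ktva((unsigned long)_etext) ||` with the same change on the `_einittext` and ACPI lines. The effect is one needlessly executable page past each page-aligned boundary, which works against the W^X intent of the change. Separately, the re-added `one_md_table_init()` no longer allocates a pmd table under PAE and only walks `pud_offset`/`pmd_offset`; a comment stating that it relies on the pmd tables of `swapper_pg_dir` being preallocated elsewhere in the patch would make that precondition explicit for `populate_extra_pmd()` and other callers.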
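diff -urNp linux-3.1.1/arch/x86/mm/init_64.c linux-3.1.1/arch/x86/mm/init_64.c
--- linux-3.1.1/arch/x86/mm/init_64.c   2011-11-11 15:19:27.000000000 -0500
+++ linux-3.1.1/arch/x86/mm/init_64.c   2011-11-16 18:39:07.000000000 -0500
@@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpa
  * around without checking the pgd every time.
  */
 
-pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
 EXPORT_SYMBOL_GPL(__supported_pte_mask);
 
 int force_personality32;
@@ -108,12 +108,22 @@ void sync_global_pgds(unsigned long star
 
        for (address = start; address <= end; address += PGDIR_SIZE) {
                const pgd_t *pgd_ref = pgd_offset_k(address);
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+               unsigned long cpu;
+#else
                struct page *page;
+#endif
 
                if (pgd_none(*pgd_ref))
                        continue;
 
                spin_lock(&pgd_lock);
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+               for (cpu = 0; cpu < NR_CPUS; ++cpu) {
+                       pgd_t *pgd = pgd_offset_cpu(cpu, address);
+#else
                list_for_each_entry(page, &pgd_list, lru) {
                        pgd_t *pgd;
                        spinlock_t *pgt_lock;
@@ -122,6 +132,7 @@ void sync_global_pgds(unsigned long star
                        /* the pgt_lock only for Xen */
                        pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
                        spin_lock(pgt_lock);
+#endif
 
                        if (pgd_none(*pgd))
                                set_pgd(pgd, *pgd_ref);
@@ -129,7 +140,10 @@ void sync_global_pgds(unsigned long star
                                BUG_ON(pgd_page_vaddr(*pgd)
                                       != pgd_page_vaddr(*pgd_ref));
 
+#ifndef CONFIG_PAX_PER_CPU_PGD
                        spin_unlock(pgt_lock);
+#endif
+
                }
                spin_unlock(&pgd_lock);
        }
@@ -203,7 +217,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, 
        pmd = fill_pmd(pud, vaddr);
        pte = fill_pte(pmd, vaddr);
 
+       pax_open_kernel();
        set_pte(pte, new_pte);
+       pax_close_kernel();
 
        /*
         * It's enough to flush this one mapping.
@@ -262,14 +278,12 @@ static void __init __init_extra_mapping(
                pgd = pgd_offset_k((unsigned long)__va(phys));
                if (pgd_none(*pgd)) {
                        pud = (pud_t *) spp_getpage();
-                       set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
-                                               _PAGE_USER));
+                       set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
                }
                pud = pud_offset(pgd, (unsigned long)__va(phys));
                if (pud_none(*pud)) {
                        pmd = (pmd_t *) spp_getpage();
-                       set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
-                                               _PAGE_USER));
+                       set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
                }
                pmd = pmd_offset(pud, phys);
                BUG_ON(!pmd_none(*pmd));
@@ -330,7 +344,7 @@ static __ref void *alloc_low_page(unsign
        if (pfn >= pgt_buf_top)
                panic("alloc_low_page: ran out of memory");
 
-       adr = early_memremap(pfn * PAGE_SIZE, PAGE_SIZE);
+       adr = (void __force_kernel *)early_memremap(pfn * PAGE_SIZE, PAGE_SIZE);
        clear_page(adr);
        *phys  = pfn * PAGE_SIZE;
        return adr;
@@ -346,7 +360,7 @@ static __ref void *map_low_page(void *vi
 
        phys = __pa(virt);
        left = phys & (PAGE_SIZE - 1);
-       adr = early_memremap(phys & PAGE_MASK, PAGE_SIZE);
+       adr = (void __force_kernel *)early_memremap(phys & PAGE_MASK, PAGE_SIZE);
        adr = (void *)(((unsigned long)adr) | left);
 
        return adr;
@@ -693,6 +707,12 @@ void __init mem_init(void)
 
        pci_iommu_alloc();
 
+#ifdef CONFIG_PAX_PER_CPU_PGD
+       clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
+                       swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+                       KERNEL_PGD_PTRS);
+#endif
+
        /* clear_bss() already clear the empty_zero_page */
 
        reservedpages = 0;
@@ -853,8 +873,8 @@ int kern_addr_valid(unsigned long addr)
 static struct vm_area_struct gate_vma = {
        .vm_start       = VSYSCALL_START,
        .vm_end         = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
-       .vm_page_prot   = PAGE_READONLY_EXEC,
-       .vm_flags       = VM_READ | VM_EXEC
+       .vm_page_prot   = PAGE_READONLY,
+       .vm_flags       = VM_READ
 };
 
 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
@@ -888,7 +908,7 @@ int in_gate_area_no_mm(unsigned long add
 
 const char *arch_vma_name(struct vm_area_struct *vma)
 {
-       if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
+       if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
                return "[vdso]";
        if (vma == &gate_vma)
                return "[vsyscall]";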
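Review bot: In the `sync_global_pgds` hunk the `CONFIG_PAX_PER_CPU_PGD` branch iterates `for (cpu = 0; cpu < NR_CPUS; ++cpu)`, which walks every compile-time CPU slot rather than the possible CPUs; `for_each_possible_cpu(cpu)` with `cpu` declared `int` would match the kernel's usual idiom and avoid touching pgds of CPUs that can never exist, assuming the per-CPU pgd storage is indexed by CPU number as `pgd_offset_cpu()` suggests. The same branch also drops the `pgt_lock` taken in the `pgd_list` path; the surviving comment says that lock is only for Xen, so a short comment noting that per-CPU pgds are not Xen-shared would justify the omission. The hunk starts inside `sync_global_pgds`, whose opening lines are not visible here. In the `gate_vma` hunk the vsyscall page is now described as non-executable (`PAGE_READONLY`, `VM_READ`); a comment tying this to the vsyscall emulation mode it presumably relies on would help, since under `vsyscall=native` the real mapping would still be executable and the VMA flags would no longer describe it.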
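diff -urNp linux-3.1.1/arch/x86/mm/init.c linux-3.1.1/arch/x86/mm/init.c
--- linux-3.1.1/arch/x86/mm/init.c      2011-11-11 15:19:27.000000000 -0500
+++ linux-3.1.1/arch/x86/mm/init.c      2011-11-16 18:40:08.000000000 -0500
@@ -31,7 +31,7 @@ int direct_gbpages
 static void __init find_early_table_space(unsigned long end, int use_pse,
                                          int use_gbpages)
 {
-       unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
+       unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
        phys_addr_t base;
 
        puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
@@ -312,12 +312,34 @@ unsigned long __init_refok init_memory_m
  */
 int devmem_is_allowed(unsigned long pagenr)
 {
-       if (pagenr <= 256)
+#ifdef CONFIG_GRKERNSEC_KMEM
+       /* allow BDA */
+       if (!pagenr)
+               return 1;
+       /* allow EBDA */
+       if ((0x9f000 >> PAGE_SHIFT) == pagenr)
+               return 1;
+#else
+       if (!pagenr)
+               return 1;
+#ifdef CONFIG_VM86
+       if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
+               return 1;
+#endif
+#endif
+
+       if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
                return 1;
+#ifdef CONFIG_GRKERNSEC_KMEM
+       /* throw out everything else below 1MB */
+       if (pagenr <= 256)
+               return 0;
+#endif
        if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
                return 0;
        if (!page_is_ram(pagenr))
                return 1;
+
        return 0;
 }
 
@@ -372,6 +394,86 @@ void free_init_pages(char *what, unsigne
 
 void free_initmem(void)
 {
+
+#ifdef CONFIG_PAX_KERNEXEC
+#ifdef CONFIG_X86_32
+       /* PaX: limit KERNEL_CS to actual size */
+       unsigned long addr, limit;
+       struct desc_struct d;
+       int cpu;
+
+       limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
+       limit = (limit - 1UL) >> PAGE_SHIFT;
+
+       memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
+       for (cpu = 0; cpu < NR_CPUS; cpu++) {
+               pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
+               write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
+       }
+
+       /* PaX: make KERNEL_CS read-only */
+       addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
+       if (!paravirt_enabled())
+               set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
+/*
+               for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
+                       pgd = pgd_offset_k(addr);
+                       pud = pud_offset(pgd, addr);
+                       pmd = pmd_offset(pud, addr);
+                       set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
+               }
+*/
+#ifdef CONFIG_X86_PAE
+       set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
+/*
+       for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
+               pgd = pgd_offset_k(addr);
+               pud = pud_offset(pgd, addr);
+               pmd = pmd_offset(pud, addr);
+               set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
+       }
+*/
+#endif
+
+#ifdef CONFIG_MODULES
+       set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
+#endif
+
+#else
+       pgd_t *pgd;
+       pud_t *pud;
+       pmd_t *pmd;
+       unsigned long addr, end;
+
+       /* PaX: make kernel code/rodata read-only, rest non-executable */
+       for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
+               pgd = pgd_offset_k(addr);
+               pud = pud_offset(pgd, addr);
+               pmd = pmd_offset(pud, addr);
+               if (!pmd_present(*pmd))
+                       continue;
+               if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
+                       set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
+               else
+                       set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
+       }
+
+       addr = (unsigned long)__va(__pa(__START_KERNEL_map));
+       end = addr + KERNEL_IMAGE_SIZE;
+       for (; addr < end; addr += PMD_SIZE) {
+               pgd = pgd_offset_k(addr);
+               pud = pud_offset(pgd, addr);
+               pmd = pmd_offset(pud, addr);
+               if (!pmd_present(*pmd))
+                       continue;
+               if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
+                       set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
+       }
+#endif
+
+       flush_tlb_all();
+#endif
+
        free_init_pages("unused kernel memory",
                        (unsigned long)(&__init_begin),
                        (unsigned long)(&__init_end));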
21304 diff -urNp linux-3.1.1/arch/x86/mm/iomap_32.c linux-3.1.1/arch/x86/mm/iomap_32.c
21305 --- linux-3.1.1/arch/x86/mm/iomap_32.c  2011-11-11 15:19:27.000000000 -0500
21306 +++ linux-3.1.1/arch/x86/mm/iomap_32.c  2011-11-16 18:39:07.000000000 -0500
21307 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
21308         type = kmap_atomic_idx_push();
21309         idx = type + KM_TYPE_NR * smp_processor_id();
21310         vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21311 +
21312 +       pax_open_kernel();
21313         set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
21314 +       pax_close_kernel();
21315 +
21316         arch_flush_lazy_mmu_mode();
21317  
21318         return (void *)vaddr;
21319 diff -urNp linux-3.1.1/arch/x86/mm/ioremap.c linux-3.1.1/arch/x86/mm/ioremap.c
21320 --- linux-3.1.1/arch/x86/mm/ioremap.c   2011-11-11 15:19:27.000000000 -0500
21321 +++ linux-3.1.1/arch/x86/mm/ioremap.c   2011-11-16 18:39:07.000000000 -0500
21322 @@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(re
21323         for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
21324                 int is_ram = page_is_ram(pfn);
21325  
21326 -               if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
21327 +               if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
21328                         return NULL;
21329                 WARN_ON_ONCE(is_ram);
21330         }
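Review bot: The new condition introduces the bare constant `0x100` without saying what it means; with 4 KiB pages it is the pfn boundary of the first 1 MiB of physical memory, and a named constant or a comment such as `/* reserved RAM may only be ioremap'ed below pfn 0x100 (first 1 MiB, presumably the legacy BIOS/ISA area) */` would make the intent reviewable. The change is also a behavioural tightening: for any pfn at or above 0x100 a page that is RAM now makes the mapping fail regardless of `PageReserved()`, so callers that relied on mapping reserved RAM above 1 MiB will start receiving NULL, and that deserves a sentence in the change description. `__ioremap_caller` begins and ends outside the hunk.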
21331 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
21332  early_param("early_ioremap_debug", early_ioremap_debug_setup);
21333  
21334  static __initdata int after_paging_init;
21335 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
21336 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
21337  
21338  static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
21339  {
21340 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
21341                 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
21342  
21343         pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
21344 -       memset(bm_pte, 0, sizeof(bm_pte));
21345 -       pmd_populate_kernel(&init_mm, pmd, bm_pte);
21346 +       pmd_populate_user(&init_mm, pmd, bm_pte);
21347  
21348         /*
21349          * The boot-ioremap range spans multiple pmds, for which
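Review bot: The removed `memset(bm_pte, 0, sizeof(bm_pte))` is not replaced by anything, so the table is relied upon to be zero from static initialisation; that holds for a table populated once from an `__init` function, but the assumption deserves a line, e.g. `/* bm_pte is zeroed by static init and, being __read_only (see its definition), is not memset here */`. The switch from `pmd_populate_kernel` to `pmd_populate_user` is likewise uncommented — if the two variants differ in the permission bits stored in the pmd (not visible in this hunk), the choice is security-relevant and should be justified next to the call. This depends on the `__read_only __aligned(PAGE_SIZE)` change to `bm_pte` in the preceding hunk, and `early_ioremap_init` starts outside the hunk.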
21350 diff -urNp linux-3.1.1/arch/x86/mm/kmemcheck/kmemcheck.c linux-3.1.1/arch/x86/mm/kmemcheck/kmemcheck.c
21351 --- linux-3.1.1/arch/x86/mm/kmemcheck/kmemcheck.c       2011-11-11 15:19:27.000000000 -0500
21352 +++ linux-3.1.1/arch/x86/mm/kmemcheck/kmemcheck.c       2011-11-16 18:39:07.000000000 -0500
21353 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
21354          * memory (e.g. tracked pages)? For now, we need this to avoid
21355          * invoking kmemcheck for PnP BIOS calls.
21356          */
21357 -       if (regs->flags & X86_VM_MASK)
21358 +       if (v8086_mode(regs))
21359                 return false;
21360 -       if (regs->cs != __KERNEL_CS)
21361 +       if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
21362                 return false;
21363  
21364         pte = kmemcheck_pte_lookup(address);
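Review bot: `__KERNEXEC_KERNEL_CS` is compared unconditionally rather than under `#ifdef CONFIG_PAX_KERNEXEC`, so the symbol must be defined in every configuration; if the header gives it the same value as `__KERNEL_CS` when KERNEXEC is off this is harmless, but that is not visible here. A short comment, `/* KERNEXEC runs kernel code under a second code selector; accept it too */`, would explain why a second selector is trusted at a check that decides whether kmemcheck handles the fault. `kmemcheck_fault` begins and ends outside the hunk.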
21365 diff -urNp linux-3.1.1/arch/x86/mm/mmap.c linux-3.1.1/arch/x86/mm/mmap.c
21366 --- linux-3.1.1/arch/x86/mm/mmap.c      2011-11-11 15:19:27.000000000 -0500
21367 +++ linux-3.1.1/arch/x86/mm/mmap.c      2011-11-16 18:39:07.000000000 -0500
21368 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
21369   * Leave an at least ~128 MB hole with possible stack randomization.
21370   */
21371  #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
21372 -#define MAX_GAP (TASK_SIZE/6*5)
21373 +#define MAX_GAP (pax_task_size/6*5)
21374  
21375  /*
21376   * True on X86_32 or when emulating IA32 on X86_64
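Review bot: `MAX_GAP` now expands to a reference to `pax_task_size`, a local variable that exists only inside `mmap_base()` (declared in the next hunk), so the macro silently breaks at any other expansion site and the dependency is invisible at the definition. Making the parameter explicit avoids that: `#define MAX_GAP(task_size) ((task_size)/6*5)` here, and `else if (gap > MAX_GAP(pax_task_size))` / `gap = MAX_GAP(pax_task_size);` at the two uses in `mmap_base()`.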
21377 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
21378         return rnd << PAGE_SHIFT;
21379  }
21380  
21381 -static unsigned long mmap_base(void)
21382 +static unsigned long mmap_base(struct mm_struct *mm)
21383  {
21384         unsigned long gap = rlimit(RLIMIT_STACK);
21385 +       unsigned long pax_task_size = TASK_SIZE;
21386 +
21387 +#ifdef CONFIG_PAX_SEGMEXEC
21388 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
21389 +               pax_task_size = SEGMEXEC_TASK_SIZE;
21390 +#endif
21391  
21392         if (gap < MIN_GAP)
21393                 gap = MIN_GAP;
21394         else if (gap > MAX_GAP)
21395                 gap = MAX_GAP;
21396  
21397 -       return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
21398 +       return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
21399  }
21400  
21401  /*
21402   * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
21403   * does, but not when emulating X86_32
21404   */
21405 -static unsigned long mmap_legacy_base(void)
21406 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
21407  {
21408 -       if (mmap_is_ia32())
21409 +       if (mmap_is_ia32()) {
21410 +
21411 +#ifdef CONFIG_PAX_SEGMEXEC
21412 +               if (mm->pax_flags & MF_PAX_SEGMEXEC)
21413 +                       return SEGMEXEC_TASK_UNMAPPED_BASE;
21414 +               else
21415 +#endif
21416 +
21417                 return TASK_UNMAPPED_BASE;
21418 -       else
21419 +       } else
21420                 return TASK_UNMAPPED_BASE + mmap_rnd();
21421  }
21422  
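Review bot: In `mmap_legacy_base()` the `else` is the last token before `#endif` and the unconditional `return TASK_UNMAPPED_BASE;`, so the statement that follows the `else` changes with the configuration and a reader has to preprocess mentally to see that both builds return the same thing. Dropping the `else` keeps the logic identical and reads straight through: `if (mm->pax_flags & MF_PAX_SEGMEXEC) return SEGMEXEC_TASK_UNMAPPED_BASE;` inside the `#ifdef`, followed unconditionally by `return TASK_UNMAPPED_BASE;`. The same `else`-before-`#endif` shape appears in `x86_configure_nx` later in this patch (setup_nx.c).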
21423 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
21424  void arch_pick_mmap_layout(struct mm_struct *mm)
21425  {
21426         if (mmap_is_legacy()) {
21427 -               mm->mmap_base = mmap_legacy_base();
21428 +               mm->mmap_base = mmap_legacy_base(mm);
21429 +
21430 +#ifdef CONFIG_PAX_RANDMMAP
21431 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
21432 +                       mm->mmap_base += mm->delta_mmap;
21433 +#endif
21434 +
21435                 mm->get_unmapped_area = arch_get_unmapped_area;
21436                 mm->unmap_area = arch_unmap_area;
21437         } else {
21438 -               mm->mmap_base = mmap_base();
21439 +               mm->mmap_base = mmap_base(mm);
21440 +
21441 +#ifdef CONFIG_PAX_RANDMMAP
21442 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
21443 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
21444 +#endif
21445 +
21446                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
21447                 mm->unmap_area = arch_unmap_area_topdown;
21448         }
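Review bot: The two `CONFIG_PAX_RANDMMAP` adjustments in `arch_pick_mmap_layout` are asymmetric — the legacy layout adds `mm->delta_mmap` while the top-down layout subtracts `mm->delta_mmap + mm->delta_stack` — and nothing in the hunk says why the stack delta participates only in the top-down case. A comment at the subtraction explaining that relationship would let a reader check the arithmetic; the reason is not derivable from this hunk. The ranges of `delta_mmap`/`delta_stack` relative to the gap computed in `mmap_base()` are also not visible here, so whether the subtraction can push the top-down base below the legacy base is worth confirming.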
21449 diff -urNp linux-3.1.1/arch/x86/mm/mmio-mod.c linux-3.1.1/arch/x86/mm/mmio-mod.c
21450 --- linux-3.1.1/arch/x86/mm/mmio-mod.c  2011-11-11 15:19:27.000000000 -0500
21451 +++ linux-3.1.1/arch/x86/mm/mmio-mod.c  2011-11-16 18:39:07.000000000 -0500
21452 @@ -195,7 +195,7 @@ static void pre(struct kmmio_probe *p, s
21453                 break;
21454         default:
21455                 {
21456 -                       unsigned char *ip = (unsigned char *)instptr;
21457 +                       unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
21458                         my_trace->opcode = MMIO_UNKNOWN_OP;
21459                         my_trace->width = 0;
21460                         my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
21461 @@ -235,7 +235,7 @@ static void post(struct kmmio_probe *p, 
21462  static void ioremap_trace_core(resource_size_t offset, unsigned long size,
21463                                                         void __iomem *addr)
21464  {
21465 -       static atomic_t next_id;
21466 +       static atomic_unchecked_t next_id;
21467         struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
21468         /* These are page-unaligned. */
21469         struct mmiotrace_map map = {
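Review bot: `next_id` becomes `atomic_unchecked_t` and is bumped with `atomic_inc_return_unchecked` in the following hunk, with no comment on why this counter may be exempted from whatever checking the plain `atomic_t` carries under this patch. If, as the name suggests, the unchecked variant is the opt-out from overflow detection, the justification — the value is only a trace map id and wrap-around is harmless — belongs next to the declaration, e.g. `/* trace id only; wrap-around is harmless, so overflow checking is not needed */`, so that future readers do not copy the pattern onto a real reference count. `ioremap_trace_core` continues past the hunk.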
21470 @@ -259,7 +259,7 @@ static void ioremap_trace_core(resource_
21471                         .private = trace
21472                 },
21473                 .phys = offset,
21474 -               .id = atomic_inc_return(&next_id)
21475 +               .id = atomic_inc_return_unchecked(&next_id)
21476         };
21477         map.map_id = trace->id;
21478  
21479 diff -urNp linux-3.1.1/arch/x86/mm/pageattr.c linux-3.1.1/arch/x86/mm/pageattr.c
21480 --- linux-3.1.1/arch/x86/mm/pageattr.c  2011-11-11 15:19:27.000000000 -0500
21481 +++ linux-3.1.1/arch/x86/mm/pageattr.c  2011-11-16 18:39:07.000000000 -0500
21482 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
21483          */
21484  #ifdef CONFIG_PCI_BIOS
21485         if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
21486 -               pgprot_val(forbidden) |= _PAGE_NX;
21487 +               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21488  #endif
21489  
21490         /*
21491 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
21492          * Does not cover __inittext since that is gone later on. On
21493          * 64bit we do not enforce !NX on the low mapping
21494          */
21495 -       if (within(address, (unsigned long)_text, (unsigned long)_etext))
21496 -               pgprot_val(forbidden) |= _PAGE_NX;
21497 +       if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
21498 +               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21499  
21500 +#ifdef CONFIG_DEBUG_RODATA
21501         /*
21502          * The .rodata section needs to be read-only. Using the pfn
21503          * catches all aliases.
21504 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
21505         if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
21506                    __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
21507                 pgprot_val(forbidden) |= _PAGE_RW;
21508 +#endif
21509  
21510  #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
21511         /*
21512 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
21513         }
21514  #endif
21515  
21516 +#ifdef CONFIG_PAX_KERNEXEC
21517 +       if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
21518 +               pgprot_val(forbidden) |= _PAGE_RW;
21519 +               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21520 +       }
21521 +#endif
21522 +
21523         prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
21524  
21525         return prot;
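Review bot: The new KERNEXEC check passes `pfn` to `within()` together with `__pa((unsigned long)&_text)` and `__pa((unsigned long)&_sdata)`, which are byte addresses, whereas the rodata check earlier in the same function shifts its `__pa()` bounds by `PAGE_SHIFT` before comparing them with `pfn`. Unless `within()` is meant to take mixed units here, the comparison matches page numbers against byte offsets and so applies the RW/NX forbidding to the wrong pages — likely to none on ordinary machines — which would leave kernel text without the protection this block is presumably meant to enforce through `set_memory_*` aliases. The fix is to mirror the rodata check: `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. `static_protections` begins outside the hunk.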
21526 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
21527  static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
21528  {
21529         /* change init_mm */
21530 +       pax_open_kernel();
21531         set_pte_atomic(kpte, pte);
21532 +
21533  #ifdef CONFIG_X86_32
21534         if (!SHARED_KERNEL_PMD) {
21535 +
21536 +#ifdef CONFIG_PAX_PER_CPU_PGD
21537 +               unsigned long cpu;
21538 +#else
21539                 struct page *page;
21540 +#endif
21541  
21542 +#ifdef CONFIG_PAX_PER_CPU_PGD
21543 +               for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21544 +                       pgd_t *pgd = get_cpu_pgd(cpu);
21545 +#else
21546                 list_for_each_entry(page, &pgd_list, lru) {
21547 -                       pgd_t *pgd;
21548 +                       pgd_t *pgd = (pgd_t *)page_address(page);
21549 +#endif
21550 +
21551                         pud_t *pud;
21552                         pmd_t *pmd;
21553  
21554 -                       pgd = (pgd_t *)page_address(page) + pgd_index(address);
21555 +                       pgd += pgd_index(address);
21556                         pud = pud_offset(pgd, address);
21557                         pmd = pmd_offset(pud, address);
21558                         set_pte_atomic((pte_t *)pmd, pte);
21559                 }
21560         }
21561  #endif
21562 +       pax_close_kernel();
21563  }
21564  
21565  static int
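Review bot: The `CONFIG_PAX_PER_CPU_PGD` branch of `__set_pmd_pte` loops `for (cpu = 0; cpu < NR_CPUS; ++cpu)`, touching a pgd for every CPU index the kernel was built for rather than only the possible CPUs, and the hunk does not show whether `get_cpu_pgd(cpu)` returns a valid, populated table for indices that are never brought up. If all `NR_CPUS` pgds are statically allocated and pre-populated the loop is merely wasteful; otherwise it writes through unpopulated entries, so either `for_each_possible_cpu(cpu)` or a comment stating that every index up to `NR_CPUS` has a pgd is needed. Splitting the declaration and the loop header into two separate `#ifdef` pairs also makes the function harder to read than one `#ifdef`/`#else` block that holds both the declaration and the loop opener for each variant.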
21566 diff -urNp linux-3.1.1/arch/x86/mm/pageattr-test.c linux-3.1.1/arch/x86/mm/pageattr-test.c
21567 --- linux-3.1.1/arch/x86/mm/pageattr-test.c     2011-11-11 15:19:27.000000000 -0500
21568 +++ linux-3.1.1/arch/x86/mm/pageattr-test.c     2011-11-16 18:39:07.000000000 -0500
21569 @@ -36,7 +36,7 @@ enum {
21570  
21571  static int pte_testbit(pte_t pte)
21572  {
21573 -       return pte_flags(pte) & _PAGE_UNUSED1;
21574 +       return pte_flags(pte) & _PAGE_CPA_TEST;
21575  }
21576  
21577  struct split_state {
21578 diff -urNp linux-3.1.1/arch/x86/mm/pat.c linux-3.1.1/arch/x86/mm/pat.c
21579 --- linux-3.1.1/arch/x86/mm/pat.c       2011-11-11 15:19:27.000000000 -0500
21580 +++ linux-3.1.1/arch/x86/mm/pat.c       2011-11-16 18:39:07.000000000 -0500
21581 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
21582  
21583         if (!entry) {
21584                 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
21585 -                       current->comm, current->pid, start, end);
21586 +                       current->comm, task_pid_nr(current), start, end);
21587                 return -EINVAL;
21588         }
21589  
21590 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
21591         while (cursor < to) {
21592                 if (!devmem_is_allowed(pfn)) {
21593                         printk(KERN_INFO
21594 -               "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
21595 -                               current->comm, from, to);
21596 +               "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
21597 +                               current->comm, from, to, cursor);
21598                         return 0;
21599                 }
21600                 cursor += PAGE_SIZE;
21601 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
21602                 printk(KERN_INFO
21603                         "%s:%d ioremap_change_attr failed %s "
21604                         "for %Lx-%Lx\n",
21605 -                       current->comm, current->pid,
21606 +                       current->comm, task_pid_nr(current),
21607                         cattr_name(flags),
21608                         base, (unsigned long long)(base + size));
21609                 return -EINVAL;
21610 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr, 
21611                 if (want_flags != flags) {
21612                         printk(KERN_WARNING
21613                         "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
21614 -                               current->comm, current->pid,
21615 +                               current->comm, task_pid_nr(current),
21616                                 cattr_name(want_flags),
21617                                 (unsigned long long)paddr,
21618                                 (unsigned long long)(paddr + size),
21619 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr, 
21620                         free_memtype(paddr, paddr + size);
21621                         printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
21622                                 " for %Lx-%Lx, got %s\n",
21623 -                               current->comm, current->pid,
21624 +                               current->comm, task_pid_nr(current),
21625                                 cattr_name(want_flags),
21626                                 (unsigned long long)paddr,
21627                                 (unsigned long long)(paddr + size),
21628 diff -urNp linux-3.1.1/arch/x86/mm/pf_in.c linux-3.1.1/arch/x86/mm/pf_in.c
21629 --- linux-3.1.1/arch/x86/mm/pf_in.c     2011-11-11 15:19:27.000000000 -0500
21630 +++ linux-3.1.1/arch/x86/mm/pf_in.c     2011-11-16 18:39:07.000000000 -0500
21631 @@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
21632         int i;
21633         enum reason_type rv = OTHERS;
21634  
21635 -       p = (unsigned char *)ins_addr;
21636 +       p = (unsigned char *)ktla_ktva(ins_addr);
21637         p += skip_prefix(p, &prf);
21638         p += get_opcode(p, &opcode);
21639  
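Review bot: The same `p = (unsigned char *)ktla_ktva(ins_addr);` edit is made in five functions (here and in the four hunks that follow in this file), each followed by the identical `skip_prefix`/`get_opcode` prologue, so the address translation is now a five-way repeated invariant. A small static helper that performs the translation and the two prologue calls, or at minimum a comment on the first site saying that `ins_addr` must be converted before the opcode bytes are read, would keep the sites from diverging. The enclosing functions begin outside each hunk.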
21640 @@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
21641         struct prefix_bits prf;
21642         int i;
21643  
21644 -       p = (unsigned char *)ins_addr;
21645 +       p = (unsigned char *)ktla_ktva(ins_addr);
21646         p += skip_prefix(p, &prf);
21647         p += get_opcode(p, &opcode);
21648  
21649 @@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned 
21650         struct prefix_bits prf;
21651         int i;
21652  
21653 -       p = (unsigned char *)ins_addr;
21654 +       p = (unsigned char *)ktla_ktva(ins_addr);
21655         p += skip_prefix(p, &prf);
21656         p += get_opcode(p, &opcode);
21657  
21658 @@ -415,7 +415,7 @@ unsigned long get_ins_reg_val(unsigned l
21659         struct prefix_bits prf;
21660         int i;
21661  
21662 -       p = (unsigned char *)ins_addr;
21663 +       p = (unsigned char *)ktla_ktva(ins_addr);
21664         p += skip_prefix(p, &prf);
21665         p += get_opcode(p, &opcode);
21666         for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
21667 @@ -470,7 +470,7 @@ unsigned long get_ins_imm_val(unsigned l
21668         struct prefix_bits prf;
21669         int i;
21670  
21671 -       p = (unsigned char *)ins_addr;
21672 +       p = (unsigned char *)ktla_ktva(ins_addr);
21673         p += skip_prefix(p, &prf);
21674         p += get_opcode(p, &opcode);
21675         for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
21676 diff -urNp linux-3.1.1/arch/x86/mm/pgtable_32.c linux-3.1.1/arch/x86/mm/pgtable_32.c
21677 --- linux-3.1.1/arch/x86/mm/pgtable_32.c        2011-11-11 15:19:27.000000000 -0500
21678 +++ linux-3.1.1/arch/x86/mm/pgtable_32.c        2011-11-16 18:39:07.000000000 -0500
21679 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr, 
21680                 return;
21681         }
21682         pte = pte_offset_kernel(pmd, vaddr);
21683 +
21684 +       pax_open_kernel();
21685         if (pte_val(pteval))
21686                 set_pte_at(&init_mm, vaddr, pte, pteval);
21687         else
21688                 pte_clear(&init_mm, vaddr, pte);
21689 +       pax_close_kernel();
21690  
21691         /*
21692          * It's enough to flush this one mapping.
21693 diff -urNp linux-3.1.1/arch/x86/mm/pgtable.c linux-3.1.1/arch/x86/mm/pgtable.c
21694 --- linux-3.1.1/arch/x86/mm/pgtable.c   2011-11-11 15:19:27.000000000 -0500
21695 +++ linux-3.1.1/arch/x86/mm/pgtable.c   2011-11-16 18:39:07.000000000 -0500
21696 @@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *p
21697         list_del(&page->lru);
21698  }
21699  
21700 -#define UNSHARED_PTRS_PER_PGD                          \
21701 -       (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21702 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21703 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
21704  
21705 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
21706 +{
21707 +       while (count--)
21708 +               *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
21709 +}
21710 +#endif
21711 +
21712 +#ifdef CONFIG_PAX_PER_CPU_PGD
21713 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
21714 +{
21715 +       while (count--)
21716 +
21717 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21718 +               *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
21719 +#else
21720 +               *dst++ = *src++;
21721 +#endif
21722  
21723 +}
21724 +#endif
21725 +
21726 +#ifdef CONFIG_X86_64
21727 +#define pxd_t                          pud_t
21728 +#define pyd_t                          pgd_t
21729 +#define paravirt_release_pxd(pfn)      paravirt_release_pud(pfn)
21730 +#define pxd_free(mm, pud)              pud_free((mm), (pud))
21731 +#define pyd_populate(mm, pgd, pud)     pgd_populate((mm), (pgd), (pud))
21732 +#define pyd_offset(mm ,address)                pgd_offset((mm), (address))
21733 +#define PYD_SIZE                       PGDIR_SIZE
21734 +#else
21735 +#define pxd_t                          pmd_t
21736 +#define pyd_t                          pud_t
21737 +#define paravirt_release_pxd(pfn)      paravirt_release_pmd(pfn)
21738 +#define pxd_free(mm, pud)              pmd_free((mm), (pud))
21739 +#define pyd_populate(mm, pgd, pud)     pud_populate((mm), (pgd), (pud))
21740 +#define pyd_offset(mm ,address)                pud_offset((mm), (address))
21741 +#define PYD_SIZE                       PUD_SIZE
21742 +#endif
21743 +
21744 +#ifdef CONFIG_PAX_PER_CPU_PGD
21745 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
21746 +static inline void pgd_dtor(pgd_t *pgd) {}
21747 +#else
21748  static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
21749  {
21750         BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
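Review bot: Both new loops, `while (count--)` in `__shadow_user_pgds` and in `__clone_user_pgds`, run an unbraced single statement, and in `__clone_user_pgds` that statement is chosen by an `#if` block separated from the `while` by a blank line — a stray edit that leaves one side of the `#if` without a statement would silently turn the loop into an empty one that still compiles. Bracing the bodies, `while (count--) { ... }`, and pulling the `#if` inside the braces removes that hazard. `count` is an `int` used as a loop count, so a negative value would never reach zero cleanly; a `size_t`/`unsigned` parameter or a comment on the callers' contract would be appropriate, though the callers are not visible here. The `pyd_offset(mm ,address)` macros also carry a misplaced space before the comma.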
21751 @@ -128,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
21752         pgd_list_del(pgd);
21753         spin_unlock(&pgd_lock);
21754  }
21755 +#endif
21756  
21757  /*
21758   * List of all pgd's needed for non-PAE so it can invalidate entries
21759 @@ -140,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
21760   * -- wli
21761   */
21762  
21763 -#ifdef CONFIG_X86_PAE
21764 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
21765  /*
21766   * In PAE mode, we need to do a cr3 reload (=tlb flush) when
21767   * updating the top-level pagetable entries to guarantee the
21768 @@ -152,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
21769   * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
21770   * and initialize the kernel pmds here.
21771   */
21772 -#define PREALLOCATED_PMDS      UNSHARED_PTRS_PER_PGD
21773 +#define PREALLOCATED_PXDS      (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21774  
21775  void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
21776  {
21777 @@ -170,36 +213,38 @@ void pud_populate(struct mm_struct *mm, 
21778          */
21779         flush_tlb_mm(mm);
21780  }
21781 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
21782 +#define PREALLOCATED_PXDS      USER_PGD_PTRS
21783  #else  /* !CONFIG_X86_PAE */
21784  
21785  /* No need to prepopulate any pagetable entries in non-PAE modes. */
21786 -#define PREALLOCATED_PMDS      0
21787 +#define PREALLOCATED_PXDS      0
21788  
21789  #endif /* CONFIG_X86_PAE */
21790  
21791 -static void free_pmds(pmd_t *pmds[])
21792 +static void free_pxds(pxd_t *pxds[])
21793  {
21794         int i;
21795  
21796 -       for(i = 0; i < PREALLOCATED_PMDS; i++)
21797 -               if (pmds[i])
21798 -                       free_page((unsigned long)pmds[i]);
21799 +       for(i = 0; i < PREALLOCATED_PXDS; i++)
21800 +               if (pxds[i])
21801 +                       free_page((unsigned long)pxds[i]);
21802  }
21803  
21804 -static int preallocate_pmds(pmd_t *pmds[])
21805 +static int preallocate_pxds(pxd_t *pxds[])
21806  {
21807         int i;
21808         bool failed = false;
21809  
21810 -       for(i = 0; i < PREALLOCATED_PMDS; i++) {
21811 -               pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
21812 -               if (pmd == NULL)
21813 +       for(i = 0; i < PREALLOCATED_PXDS; i++) {
21814 +               pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
21815 +               if (pxd == NULL)
21816                         failed = true;
21817 -               pmds[i] = pmd;
21818 +               pxds[i] = pxd;
21819         }
21820  
21821         if (failed) {
21822 -               free_pmds(pmds);
21823 +               free_pxds(pxds);
21824                 return -ENOMEM;
21825         }
21826  
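Review bot: With the new `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` arm, the trailing comments `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` no longer describe the conditional, and the prose `/* No need to prepopulate any pagetable entries in non-PAE modes. */` is now also reached on x86_64 without per-cpu PGDs. Updating them to `#else /* neither (X86_32 && PAE) nor (X86_64 && PAX_PER_CPU_PGD) */` and `#endif /* PREALLOCATED_PXDS */`, and rewording the comment to cover the 64-bit case, keeps the three arms reviewable. The first arm's condition was also narrowed to `#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)` in the hunk above, which the comments should reflect.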
21827 @@ -212,51 +257,55 @@ static int preallocate_pmds(pmd_t *pmds[
21828   * preallocate which never got a corresponding vma will need to be
21829   * freed manually.
21830   */
21831 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
21832 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
21833  {
21834         int i;
21835  
21836 -       for(i = 0; i < PREALLOCATED_PMDS; i++) {
21837 +       for(i = 0; i < PREALLOCATED_PXDS; i++) {
21838                 pgd_t pgd = pgdp[i];
21839  
21840                 if (pgd_val(pgd) != 0) {
21841 -                       pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
21842 +                       pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
21843  
21844 -                       pgdp[i] = native_make_pgd(0);
21845 +                       set_pgd(pgdp + i, native_make_pgd(0));
21846  
21847 -                       paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
21848 -                       pmd_free(mm, pmd);
21849 +                       paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
21850 +                       pxd_free(mm, pxd);
21851                 }
21852         }
21853  }
21854  
21855 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
21856 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
21857  {
21858 -       pud_t *pud;
21859 +       pyd_t *pyd;
21860         unsigned long addr;
21861         int i;
21862  
21863 -       if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
21864 +       if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
21865                 return;
21866  
21867 -       pud = pud_offset(pgd, 0);
21868 +#ifdef CONFIG_X86_64
21869 +       pyd = pyd_offset(mm, 0L);
21870 +#else
21871 +       pyd = pyd_offset(pgd, 0L);
21872 +#endif
21873  
21874 -       for (addr = i = 0; i < PREALLOCATED_PMDS;
21875 -            i++, pud++, addr += PUD_SIZE) {
21876 -               pmd_t *pmd = pmds[i];
21877 +       for (addr = i = 0; i < PREALLOCATED_PXDS;
21878 +            i++, pyd++, addr += PYD_SIZE) {
21879 +               pxd_t *pxd = pxds[i];
21880  
21881                 if (i >= KERNEL_PGD_BOUNDARY)
21882 -                       memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21883 -                              sizeof(pmd_t) * PTRS_PER_PMD);
21884 +                       memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21885 +                              sizeof(pxd_t) * PTRS_PER_PMD);
21886  
21887 -               pud_populate(mm, pud, pmd);
21888 +               pyd_populate(mm, pyd, pxd);
21889         }
21890  }
21891  
21892  pgd_t *pgd_alloc(struct mm_struct *mm)
21893  {
21894         pgd_t *pgd;
21895 -       pmd_t *pmds[PREALLOCATED_PMDS];
21896 +       pxd_t *pxds[PREALLOCATED_PXDS];
21897  
21898         pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
21899  
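Review bot: In `pgd_prepopulate_pxd` the copy is now sized `sizeof(pxd_t) * PTRS_PER_PMD`, but on x86_64 `pxd_t` is `pud_t` (per the macro block in the first hunk of this file), so the element count should be `PTRS_PER_PUD` to match the type; the two are numerically equal on x86_64, which is why this compiles and works, but the mismatch will mislead the next reader. The call site also needs its own `#ifdef CONFIG_X86_64` only because the `pyd_offset` macro takes a `pgd_t *` on 32-bit and an `mm_struct *` on 64-bit while naming the parameter `mm` in both — a comment on the macro, or a macro that takes both `mm` and `pgd` and picks the right one, would remove the `#ifdef` from the function body.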
21900 @@ -265,11 +314,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21901  
21902         mm->pgd = pgd;
21903  
21904 -       if (preallocate_pmds(pmds) != 0)
21905 +       if (preallocate_pxds(pxds) != 0)
21906                 goto out_free_pgd;
21907  
21908         if (paravirt_pgd_alloc(mm) != 0)
21909 -               goto out_free_pmds;
21910 +               goto out_free_pxds;
21911  
21912         /*
21913          * Make sure that pre-populating the pmds is atomic with
21914 @@ -279,14 +328,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21915         spin_lock(&pgd_lock);
21916  
21917         pgd_ctor(mm, pgd);
21918 -       pgd_prepopulate_pmd(mm, pgd, pmds);
21919 +       pgd_prepopulate_pxd(mm, pgd, pxds);
21920  
21921         spin_unlock(&pgd_lock);
21922  
21923         return pgd;
21924  
21925 -out_free_pmds:
21926 -       free_pmds(pmds);
21927 +out_free_pxds:
21928 +       free_pxds(pxds);
21929  out_free_pgd:
21930         free_page((unsigned long)pgd);
21931  out:
21932 @@ -295,7 +344,7 @@ out:
21933  
21934  void pgd_free(struct mm_struct *mm, pgd_t *pgd)
21935  {
21936 -       pgd_mop_up_pmds(mm, pgd);
21937 +       pgd_mop_up_pxds(mm, pgd);
21938         pgd_dtor(pgd);
21939         paravirt_pgd_free(mm, pgd);
21940         free_page((unsigned long)pgd);
21941 diff -urNp linux-3.1.1/arch/x86/mm/setup_nx.c linux-3.1.1/arch/x86/mm/setup_nx.c
21942 --- linux-3.1.1/arch/x86/mm/setup_nx.c  2011-11-11 15:19:27.000000000 -0500
21943 +++ linux-3.1.1/arch/x86/mm/setup_nx.c  2011-11-16 18:39:07.000000000 -0500
21944 @@ -5,8 +5,10 @@
21945  #include <asm/pgtable.h>
21946  #include <asm/proto.h>
21947  
21948 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21949  static int disable_nx __cpuinitdata;
21950  
21951 +#ifndef CONFIG_PAX_PAGEEXEC
21952  /*
21953   * noexec = on|off
21954   *
21955 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
21956         return 0;
21957  }
21958  early_param("noexec", noexec_setup);
21959 +#endif
21960 +
21961 +#endif
21962  
21963  void __cpuinit x86_configure_nx(void)
21964  {
21965 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21966         if (cpu_has_nx && !disable_nx)
21967                 __supported_pte_mask |= _PAGE_NX;
21968         else
21969 +#endif
21970                 __supported_pte_mask &= ~_PAGE_NX;
21971  }
21972  
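Review bot: Under `CONFIG_PAX_PAGEEXEC` the `noexec=` early parameter is compiled out, so a boot command line carrying `noexec=off` is silently ignored and `disable_nx` stays at its static zero; operators who previously relied on that switch get no message saying it no longer applies. A minimal stub that still registers the parameter and logs once, or at least a comment at the `#ifndef CONFIG_PAX_PAGEEXEC` in the first hunk of this file such as `/* PAGEEXEC presumably depends on NX; the noexec= parameter is intentionally unavailable in this configuration */`, would document the decision. `disable_nx` is still referenced in `x86_configure_nx` only under the matching `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`, which keeps the build consistent.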
21973 diff -urNp linux-3.1.1/arch/x86/mm/tlb.c linux-3.1.1/arch/x86/mm/tlb.c
21974 --- linux-3.1.1/arch/x86/mm/tlb.c       2011-11-11 15:19:27.000000000 -0500
21975 +++ linux-3.1.1/arch/x86/mm/tlb.c       2011-11-16 18:39:07.000000000 -0500
21976 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
21977                 BUG();
21978         cpumask_clear_cpu(cpu,
21979                           mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
21980 +
21981 +#ifndef CONFIG_PAX_PER_CPU_PGD
21982         load_cr3(swapper_pg_dir);
21983 +#endif
21984 +
21985  }
21986  EXPORT_SYMBOL_GPL(leave_mm);
21987  
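Review bot: The `#ifndef CONFIG_PAX_PER_CPU_PGD` around `load_cr3(swapper_pg_dir)` removes the switch to the kernel page tables when a CPU leaves an mm, with no comment on why that is safe under per-cpu PGDs; a stale user page table left loaded is exactly the kind of state a lazy-TLB bug hides in, so the reasoning belongs in the code. A comment such as `/* per-cpu PGD: this CPU already runs on its own pgd, which does not reference the departing mm's user tables — TODO confirm */` (wording to be validated by the author, as the mechanism is not visible here) would suffice. `leave_mm` starts outside the hunk.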
21988 diff -urNp linux-3.1.1/arch/x86/net/bpf_jit_comp.c linux-3.1.1/arch/x86/net/bpf_jit_comp.c
21989 --- linux-3.1.1/arch/x86/net/bpf_jit_comp.c     2011-11-11 15:19:27.000000000 -0500
21990 +++ linux-3.1.1/arch/x86/net/bpf_jit_comp.c     2011-11-16 18:39:07.000000000 -0500
21991 @@ -589,7 +589,9 @@ cond_branch:                        f_offset = addrs[i + filt
21992                                         module_free(NULL, image);
21993                                         return;
21994                                 }
21995 +                               pax_open_kernel();
21996                                 memcpy(image + proglen, temp, ilen);
21997 +                               pax_close_kernel();
21998                         }
21999                         proglen += ilen;
22000                         addrs[i] = proglen;
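Review bot: The `pax_open_kernel()`/`pax_close_kernel()` window covers only the `memcpy` into `image`, and the following hunk switches the allocation to `module_alloc_exec`; if that allocator hands back memory that is not writable outside such a window, every other store into `image` in this function — which extends well beyond both hunks — has to be bracketed the same way, and a comment at the allocation site, e.g. `/* image is executable but not writable; bracket every write with pax_open_kernel()/pax_close_kernel() */`, would keep later edits honest. Keeping the window as narrow as a single `memcpy` is the right shape for a W^X toggle.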
22001 @@ -609,7 +611,7 @@ cond_branch:                        f_offset = addrs[i + filt
22002                         break;
22003                 }
22004                 if (proglen == oldproglen) {
22005 -                       image = module_alloc(max_t(unsigned int,
22006 +                       image = module_alloc_exec(max_t(unsigned int,
22007                                                    proglen,
22008                                                    sizeof(struct work_struct)));
22009                         if (!image)
22010 diff -urNp linux-3.1.1/arch/x86/net/bpf_jit.S linux-3.1.1/arch/x86/net/bpf_jit.S
22011 --- linux-3.1.1/arch/x86/net/bpf_jit.S  2011-11-11 15:19:27.000000000 -0500
22012 +++ linux-3.1.1/arch/x86/net/bpf_jit.S  2011-11-16 18:39:07.000000000 -0500
22013 @@ -9,6 +9,7 @@
22014   */
22015  #include <linux/linkage.h>
22016  #include <asm/dwarf2.h>
22017 +#include <asm/alternative-asm.h>
22018  
22019  /*
22020   * Calling convention :
22021 @@ -35,6 +36,7 @@ sk_load_word:
22022         jle     bpf_slow_path_word
22023         mov     (SKBDATA,%rsi),%eax
22024         bswap   %eax                    /* ntohl() */
22025 +       pax_force_retaddr
22026         ret
22027  
22028  
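Review bot: `pax_force_retaddr` is inserted by hand before each `ret` in this file (here and in the following hunks), which is easy to get out of sync the next time a `ret` is added; a file-local `RET` macro that expands to `pax_force_retaddr` followed by `ret`, or a comment next to the new `#include <asm/alternative-asm.h>` stating that every `ret` in this file must be preceded by the macro, would make the invariant visible. Whether every `ret` in the file is covered cannot be verified from the hunks alone.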
22029 @@ -53,6 +55,7 @@ sk_load_half:
22030         jle     bpf_slow_path_half
22031         movzwl  (SKBDATA,%rsi),%eax
22032         rol     $8,%ax                  # ntohs()
22033 +       pax_force_retaddr
22034         ret
22035  
22036  sk_load_byte_ind:
22037 @@ -66,6 +69,7 @@ sk_load_byte:
22038         cmp     %esi,%r9d   /* if (offset >= hlen) goto bpf_slow_path_byte */
22039         jle     bpf_slow_path_byte
22040         movzbl  (SKBDATA,%rsi),%eax
22041 +       pax_force_retaddr
22042         ret
22043  
22044  /**
22045 @@ -82,6 +86,7 @@ ENTRY(sk_load_byte_msh)
22046         movzbl  (SKBDATA,%rsi),%ebx
22047         and     $15,%bl
22048         shl     $2,%bl
22049 +       pax_force_retaddr
22050         ret
22051         CFI_ENDPROC
22052  ENDPROC(sk_load_byte_msh)
22053 @@ -91,6 +96,7 @@ bpf_error:
22054         xor             %eax,%eax
22055         mov             -8(%rbp),%rbx
22056         leaveq
22057 +       pax_force_retaddr
22058         ret
22059  
22060  /* rsi contains offset and can be scratched */
22061 @@ -113,6 +119,7 @@ bpf_slow_path_word:
22062         js      bpf_error
22063         mov     -12(%rbp),%eax
22064         bswap   %eax
22065 +       pax_force_retaddr
22066         ret
22067  
22068  bpf_slow_path_half:
22069 @@ -121,12 +128,14 @@ bpf_slow_path_half:
22070         mov     -12(%rbp),%ax
22071         rol     $8,%ax
22072         movzwl  %ax,%eax
22073 +       pax_force_retaddr
22074         ret
22075  
22076  bpf_slow_path_byte:
22077         bpf_slow_path_common(1)
22078         js      bpf_error
22079         movzbl  -12(%rbp),%eax
22080 +       pax_force_retaddr
22081         ret
22082  
22083  bpf_slow_path_byte_msh:
22084 @@ -137,4 +146,5 @@ bpf_slow_path_byte_msh:
22085         and     $15,%al
22086         shl     $2,%al
22087         xchg    %eax,%ebx
22088 +       pax_force_retaddr
22089         ret
22090 diff -urNp linux-3.1.1/arch/x86/oprofile/backtrace.c linux-3.1.1/arch/x86/oprofile/backtrace.c
22091 --- linux-3.1.1/arch/x86/oprofile/backtrace.c   2011-11-11 15:19:27.000000000 -0500
22092 +++ linux-3.1.1/arch/x86/oprofile/backtrace.c   2011-11-16 18:39:07.000000000 -0500
22093 @@ -46,11 +46,11 @@ dump_user_backtrace_32(struct stack_fram
22094         struct stack_frame_ia32 *fp;
22095         unsigned long bytes;
22096  
22097 -       bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
22098 +       bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
22099         if (bytes != sizeof(bufhead))
22100                 return NULL;
22101  
22102 -       fp = (struct stack_frame_ia32 *) compat_ptr(bufhead[0].next_frame);
22103 +       fp = (struct stack_frame_ia32 __force_kernel *) compat_ptr(bufhead[0].next_frame);
22104  
22105         oprofile_add_trace(bufhead[0].return_address);
22106  
22107 @@ -92,7 +92,7 @@ static struct stack_frame *dump_user_bac
22108         struct stack_frame bufhead[2];
22109         unsigned long bytes;
22110  
22111 -       bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
22112 +       bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
22113         if (bytes != sizeof(bufhead))
22114                 return NULL;
22115  
22116 @@ -111,7 +111,7 @@ x86_backtrace(struct pt_regs * const reg
22117  {
22118         struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
22119  
22120 -       if (!user_mode_vm(regs)) {
22121 +       if (!user_mode(regs)) {
22122                 unsigned long stack = kernel_stack_pointer(regs);
22123                 if (depth)
22124                         dump_trace(NULL, regs, (unsigned long *)stack, 0,
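Review bot: `user_mode(regs)` is not a drop-in for `user_mode_vm(regs)` on 32-bit: the latter also treats VM86 mode as user mode, so unless the patch redefines `user_mode()` elsewhere (not visible here), a sample taken in a vm86 task is now classified as kernel context and `dump_trace()` walks `frame_pointer(regs)` as a kernel stack. If the patch does unify the two, a comment at the call site, e.g. `/* user_mode() also covers vm86 under this patch */`, would stop the next reader from reverting the change. x86_backtrace continues past the hunk.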
22125 diff -urNp linux-3.1.1/arch/x86/pci/mrst.c linux-3.1.1/arch/x86/pci/mrst.c
22126 --- linux-3.1.1/arch/x86/pci/mrst.c     2011-11-11 15:19:27.000000000 -0500
22127 +++ linux-3.1.1/arch/x86/pci/mrst.c     2011-11-16 18:39:07.000000000 -0500
22128 @@ -234,7 +234,9 @@ int __init pci_mrst_init(void)
22129         printk(KERN_INFO "Moorestown platform detected, using MRST PCI ops\n");
22130         pci_mmcfg_late_init();
22131         pcibios_enable_irq = mrst_pci_irq_enable;
22132 -       pci_root_ops = pci_mrst_ops;
22133 +       pax_open_kernel();
22134 +       memcpy((void *)&pci_root_ops, &pci_mrst_ops, sizeof(pci_mrst_ops));
22135 +       pax_close_kernel();
22136         /* Continue with standard init */
22137         return 1;
22138  }
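Review bot: The `memcpy` sizes the copy by the source, `sizeof(pci_mrst_ops)`, while casting away whatever qualifier made the direct assignment impossible; sizing by the object being written, `memcpy((void *)&pci_root_ops, &pci_mrst_ops, sizeof(pci_root_ops));`, keeps the write bounded by the destination even if the two declarations ever diverge. The `pcibios_enable_irq = mrst_pci_irq_enable;` store two lines above stays outside the `pax_open_kernel()` window, which is only correct if that pointer is not also made read-only by the patch. pci_mrst_init begins outside the hunk.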
22139 diff -urNp linux-3.1.1/arch/x86/pci/pcbios.c linux-3.1.1/arch/x86/pci/pcbios.c
22140 --- linux-3.1.1/arch/x86/pci/pcbios.c   2011-11-11 15:19:27.000000000 -0500
22141 +++ linux-3.1.1/arch/x86/pci/pcbios.c   2011-11-16 18:39:07.000000000 -0500
22142 @@ -79,50 +79,93 @@ union bios32 {
22143  static struct {
22144         unsigned long address;
22145         unsigned short segment;
22146 -} bios32_indirect = { 0, __KERNEL_CS };
22147 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
22148  
22149  /*
22150   * Returns the entry point for the given service, NULL on error
22151   */
22152  
22153 -static unsigned long bios32_service(unsigned long service)
22154 +static unsigned long __devinit bios32_service(unsigned long service)
22155  {
22156         unsigned char return_code;      /* %al */
22157         unsigned long address;          /* %ebx */
22158         unsigned long length;           /* %ecx */
22159         unsigned long entry;            /* %edx */
22160         unsigned long flags;
22161 +       struct desc_struct d, *gdt;
22162  
22163         local_irq_save(flags);
22164 -       __asm__("lcall *(%%edi); cld"
22165 +
22166 +       gdt = get_cpu_gdt_table(smp_processor_id());
22167 +
22168 +       pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
22169 +       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
22170 +       pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
22171 +       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
22172 +
22173 +       __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
22174                 : "=a" (return_code),
22175                   "=b" (address),
22176                   "=c" (length),
22177                   "=d" (entry)
22178                 : "0" (service),
22179                   "1" (0),
22180 -                 "D" (&bios32_indirect));
22181 +                 "D" (&bios32_indirect),
22182 +                 "r"(__PCIBIOS_DS)
22183 +               : "memory");
22184 +
22185 +       pax_open_kernel();
22186 +       gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
22187 +       gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
22188 +       gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
22189 +       gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
22190 +       pax_close_kernel();
22191 +
22192         local_irq_restore(flags);
22193  
22194         switch (return_code) {
22195 -               case 0:
22196 -                       return address + entry;
22197 -               case 0x80:      /* Not present */
22198 -                       printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
22199 -                       return 0;
22200 -               default: /* Shouldn't happen */
22201 -                       printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
22202 -                               service, return_code);
22203 +       case 0: {
22204 +               int cpu;
22205 +               unsigned char flags;
22206 +
22207 +               printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
22208 +               if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
22209 +                       printk(KERN_WARNING "bios32_service: not valid\n");
22210                         return 0;
22211 +               }
22212 +               address = address + PAGE_OFFSET;
22213 +               length += 16UL; /* some BIOSs underreport this... */
22214 +               flags = 4;
22215 +               if (length >= 64*1024*1024) {
22216 +                       length >>= PAGE_SHIFT;
22217 +                       flags |= 8;
22218 +               }
22219 +
22220 +               for (cpu = 0; cpu < NR_CPUS; cpu++) {
22221 +                       gdt = get_cpu_gdt_table(cpu);
22222 +                       pack_descriptor(&d, address, length, 0x9b, flags);
22223 +                       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
22224 +                       pack_descriptor(&d, address, length, 0x93, flags);
22225 +                       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
22226 +               }
22227 +               return entry;
22228 +       }
22229 +       case 0x80:      /* Not present */
22230 +               printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
22231 +               return 0;
22232 +       default: /* Shouldn't happen */
22233 +               printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
22234 +                       service, return_code);
22235 +               return 0;
22236         }
22237  }
22238  
22239  static struct {
22240         unsigned long address;
22241         unsigned short segment;
22242 -} pci_indirect = { 0, __KERNEL_CS };
22243 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
22244  
22245 -static int pci_bios_present;
22246 +static int pci_bios_present __read_only;
22247  
22248  static int __devinit check_pcibios(void)
22249  {
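Review bot: In the `case 0:` block of `bios32_service`, `for (cpu = 0; cpu < NR_CPUS; cpu++)` writes the PCIBIOS descriptors into the GDT of every CPU number up to the compile-time maximum rather than every CPU that can exist; `for_each_possible_cpu(cpu)` is the idiom, and whether `get_cpu_gdt_table()` yields a usable area for a non-possible CPU is not something this hunk establishes. The granularity branch `if (length >= 64*1024*1024)` is dead given the check just above it (`length > 0x100000 - address` rejects anything over 1 MiB and only 16 is added afterwards), so either drop it or comment why it is kept. The inner `unsigned char flags;` shadows the `unsigned long flags` used by `local_irq_save()` in the same function; `-Wshadow` will flag it and a name such as `gflags` avoids the confusion. The descriptor clearing after the `lcall` uses direct `.a`/`.b` stores inside `pax_open_kernel()` while the setup uses `write_gdt_entry()`; using the same accessor for both would be consistent.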
22250 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
22251         unsigned long flags, pcibios_entry;
22252  
22253         if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
22254 -               pci_indirect.address = pcibios_entry + PAGE_OFFSET;
22255 +               pci_indirect.address = pcibios_entry;
22256  
22257                 local_irq_save(flags);
22258 -               __asm__(
22259 -                       "lcall *(%%edi); cld\n\t"
22260 +               __asm__("movw %w6, %%ds\n\t"
22261 +                       "lcall *%%ss:(%%edi); cld\n\t"
22262 +                       "push %%ss\n\t"
22263 +                       "pop %%ds\n\t"
22264                         "jc 1f\n\t"
22265                         "xor %%ah, %%ah\n"
22266                         "1:"
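Review bot: The prologue/epilogue `movw %wN, %%ds` / `lcall *%%ss:(reg); cld` / `push %%ss` / `pop %%ds` is hand-copied into nine asm statements (here and in the pci_bios_read, pci_bios_write, pcibios_get_irq_routing_table and pcibios_set_irq_routing hunks below) with a positional operand number (`%w6`, `%w5`, `%w8`) that has to be recounted whenever a constraint is added. Named operands (`%[ds]` with `[ds] "r" (__PCIBIOS_DS)`), or a string macro holding the sequence, would keep the index from silently going stale. Restoring `%ds` from `%ss` also assumes the kernel stack selector is the flat data selector `%ds` held on entry; a one-line comment at this first use would record that assumption. check_pcibios continues past the hunk.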
22267 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
22268                           "=b" (ebx),
22269                           "=c" (ecx)
22270                         : "1" (PCIBIOS_PCI_BIOS_PRESENT),
22271 -                         "D" (&pci_indirect)
22272 +                         "D" (&pci_indirect),
22273 +                         "r" (__PCIBIOS_DS)
22274                         : "memory");
22275                 local_irq_restore(flags);
22276  
22277 @@ -189,7 +235,10 @@ static int pci_bios_read(unsigned int se
22278  
22279         switch (len) {
22280         case 1:
22281 -               __asm__("lcall *(%%esi); cld\n\t"
22282 +               __asm__("movw %w6, %%ds\n\t"
22283 +                       "lcall *%%ss:(%%esi); cld\n\t"
22284 +                       "push %%ss\n\t"
22285 +                       "pop %%ds\n\t"
22286                         "jc 1f\n\t"
22287                         "xor %%ah, %%ah\n"
22288                         "1:"
22289 @@ -198,7 +247,8 @@ static int pci_bios_read(unsigned int se
22290                         : "1" (PCIBIOS_READ_CONFIG_BYTE),
22291                           "b" (bx),
22292                           "D" ((long)reg),
22293 -                         "S" (&pci_indirect));
22294 +                         "S" (&pci_indirect),
22295 +                         "r" (__PCIBIOS_DS));
22296                 /*
22297                  * Zero-extend the result beyond 8 bits, do not trust the
22298                  * BIOS having done it:
22299 @@ -206,7 +256,10 @@ static int pci_bios_read(unsigned int se
22300                 *value &= 0xff;
22301                 break;
22302         case 2:
22303 -               __asm__("lcall *(%%esi); cld\n\t"
22304 +               __asm__("movw %w6, %%ds\n\t"
22305 +                       "lcall *%%ss:(%%esi); cld\n\t"
22306 +                       "push %%ss\n\t"
22307 +                       "pop %%ds\n\t"
22308                         "jc 1f\n\t"
22309                         "xor %%ah, %%ah\n"
22310                         "1:"
22311 @@ -215,7 +268,8 @@ static int pci_bios_read(unsigned int se
22312                         : "1" (PCIBIOS_READ_CONFIG_WORD),
22313                           "b" (bx),
22314                           "D" ((long)reg),
22315 -                         "S" (&pci_indirect));
22316 +                         "S" (&pci_indirect),
22317 +                         "r" (__PCIBIOS_DS));
22318                 /*
22319                  * Zero-extend the result beyond 16 bits, do not trust the
22320                  * BIOS having done it:
22321 @@ -223,7 +277,10 @@ static int pci_bios_read(unsigned int se
22322                 *value &= 0xffff;
22323                 break;
22324         case 4:
22325 -               __asm__("lcall *(%%esi); cld\n\t"
22326 +               __asm__("movw %w6, %%ds\n\t"
22327 +                       "lcall *%%ss:(%%esi); cld\n\t"
22328 +                       "push %%ss\n\t"
22329 +                       "pop %%ds\n\t"
22330                         "jc 1f\n\t"
22331                         "xor %%ah, %%ah\n"
22332                         "1:"
22333 @@ -232,7 +289,8 @@ static int pci_bios_read(unsigned int se
22334                         : "1" (PCIBIOS_READ_CONFIG_DWORD),
22335                           "b" (bx),
22336                           "D" ((long)reg),
22337 -                         "S" (&pci_indirect));
22338 +                         "S" (&pci_indirect),
22339 +                         "r" (__PCIBIOS_DS));
22340                 break;
22341         }
22342  
22343 @@ -256,7 +314,10 @@ static int pci_bios_write(unsigned int s
22344  
22345         switch (len) {
22346         case 1:
22347 -               __asm__("lcall *(%%esi); cld\n\t"
22348 +               __asm__("movw %w6, %%ds\n\t"
22349 +                       "lcall *%%ss:(%%esi); cld\n\t"
22350 +                       "push %%ss\n\t"
22351 +                       "pop %%ds\n\t"
22352                         "jc 1f\n\t"
22353                         "xor %%ah, %%ah\n"
22354                         "1:"
22355 @@ -265,10 +326,14 @@ static int pci_bios_write(unsigned int s
22356                           "c" (value),
22357                           "b" (bx),
22358                           "D" ((long)reg),
22359 -                         "S" (&pci_indirect));
22360 +                         "S" (&pci_indirect),
22361 +                         "r" (__PCIBIOS_DS));
22362                 break;
22363         case 2:
22364 -               __asm__("lcall *(%%esi); cld\n\t"
22365 +               __asm__("movw %w6, %%ds\n\t"
22366 +                       "lcall *%%ss:(%%esi); cld\n\t"
22367 +                       "push %%ss\n\t"
22368 +                       "pop %%ds\n\t"
22369                         "jc 1f\n\t"
22370                         "xor %%ah, %%ah\n"
22371                         "1:"
22372 @@ -277,10 +342,14 @@ static int pci_bios_write(unsigned int s
22373                           "c" (value),
22374                           "b" (bx),
22375                           "D" ((long)reg),
22376 -                         "S" (&pci_indirect));
22377 +                         "S" (&pci_indirect),
22378 +                         "r" (__PCIBIOS_DS));
22379                 break;
22380         case 4:
22381 -               __asm__("lcall *(%%esi); cld\n\t"
22382 +               __asm__("movw %w6, %%ds\n\t"
22383 +                       "lcall *%%ss:(%%esi); cld\n\t"
22384 +                       "push %%ss\n\t"
22385 +                       "pop %%ds\n\t"
22386                         "jc 1f\n\t"
22387                         "xor %%ah, %%ah\n"
22388                         "1:"
22389 @@ -289,7 +358,8 @@ static int pci_bios_write(unsigned int s
22390                           "c" (value),
22391                           "b" (bx),
22392                           "D" ((long)reg),
22393 -                         "S" (&pci_indirect));
22394 +                         "S" (&pci_indirect),
22395 +                         "r" (__PCIBIOS_DS));
22396                 break;
22397         }
22398  
22399 @@ -394,10 +464,13 @@ struct irq_routing_table * pcibios_get_i
22400  
22401         DBG("PCI: Fetching IRQ routing table... ");
22402         __asm__("push %%es\n\t"
22403 +               "movw %w8, %%ds\n\t"
22404                 "push %%ds\n\t"
22405                 "pop  %%es\n\t"
22406 -               "lcall *(%%esi); cld\n\t"
22407 +               "lcall *%%ss:(%%esi); cld\n\t"
22408                 "pop %%es\n\t"
22409 +               "push %%ss\n\t"
22410 +               "pop %%ds\n"
22411                 "jc 1f\n\t"
22412                 "xor %%ah, %%ah\n"
22413                 "1:"
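Review bot: After `movw %w8, %%ds` the existing `push %%ds; pop %%es` now loads `__PCIBIOS_DS` into `%es` as well, yet the buffer the BIOS fills is still passed as `"D" ((long) &opt)` (next hunk), a flat kernel virtual address; with the non-zero base and the byte-granular limit installed in `bios32_service`, that offset no longer denotes `opt` and appears to exceed the limit, so the call would fault or write elsewhere unless the descriptor covers the whole address space. If this path is expected to work under CONFIG_PCI_BIOS, either make `%edi` relative to the segment base or keep the kernel data selector in `%es`; if the path is considered dead, a comment saying so would help. pcibios_get_irq_routing_table begins outside the hunk.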
22414 @@ -408,7 +481,8 @@ struct irq_routing_table * pcibios_get_i
22415                   "1" (0),
22416                   "D" ((long) &opt),
22417                   "S" (&pci_indirect),
22418 -                 "m" (opt)
22419 +                 "m" (opt),
22420 +                 "r" (__PCIBIOS_DS)
22421                 : "memory");
22422         DBG("OK  ret=%d, size=%d, map=%x\n", ret, opt.size, map);
22423         if (ret & 0xff00)
22424 @@ -432,7 +506,10 @@ int pcibios_set_irq_routing(struct pci_d
22425  {
22426         int ret;
22427  
22428 -       __asm__("lcall *(%%esi); cld\n\t"
22429 +       __asm__("movw %w5, %%ds\n\t"
22430 +               "lcall *%%ss:(%%esi); cld\n\t"
22431 +               "push %%ss\n\t"
22432 +               "pop %%ds\n"
22433                 "jc 1f\n\t"
22434                 "xor %%ah, %%ah\n"
22435                 "1:"
22436 @@ -440,7 +517,8 @@ int pcibios_set_irq_routing(struct pci_d
22437                 : "0" (PCIBIOS_SET_PCI_HW_INT),
22438                   "b" ((dev->bus->number << 8) | dev->devfn),
22439                   "c" ((irq << 8) | (pin + 10)),
22440 -                 "S" (&pci_indirect));
22441 +                 "S" (&pci_indirect),
22442 +                 "r" (__PCIBIOS_DS));
22443         return !(ret & 0xff00);
22444  }
22445  EXPORT_SYMBOL(pcibios_set_irq_routing);
22446 diff -urNp linux-3.1.1/arch/x86/platform/efi/efi_32.c linux-3.1.1/arch/x86/platform/efi/efi_32.c
22447 --- linux-3.1.1/arch/x86/platform/efi/efi_32.c  2011-11-11 15:19:27.000000000 -0500
22448 +++ linux-3.1.1/arch/x86/platform/efi/efi_32.c  2011-11-16 18:39:07.000000000 -0500
22449 @@ -38,70 +38,56 @@
22450   */
22451  
22452  static unsigned long efi_rt_eflags;
22453 -static pgd_t efi_bak_pg_dir_pointer[2];
22454 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
22455  
22456 -void efi_call_phys_prelog(void)
22457 +void __init efi_call_phys_prelog(void)
22458  {
22459 -       unsigned long cr4;
22460 -       unsigned long temp;
22461         struct desc_ptr gdt_descr;
22462  
22463 -       local_irq_save(efi_rt_eflags);
22464 +#ifdef CONFIG_PAX_KERNEXEC
22465 +       struct desc_struct d;
22466 +#endif
22467  
22468 -       /*
22469 -        * If I don't have PAE, I should just duplicate two entries in page
22470 -        * directory. If I have PAE, I just need to duplicate one entry in
22471 -        * page directory.
22472 -        */
22473 -       cr4 = read_cr4_safe();
22474 +       local_irq_save(efi_rt_eflags);
22475  
22476 -       if (cr4 & X86_CR4_PAE) {
22477 -               efi_bak_pg_dir_pointer[0].pgd =
22478 -                   swapper_pg_dir[pgd_index(0)].pgd;
22479 -               swapper_pg_dir[0].pgd =
22480 -                   swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
22481 -       } else {
22482 -               efi_bak_pg_dir_pointer[0].pgd =
22483 -                   swapper_pg_dir[pgd_index(0)].pgd;
22484 -               efi_bak_pg_dir_pointer[1].pgd =
22485 -                   swapper_pg_dir[pgd_index(0x400000)].pgd;
22486 -               swapper_pg_dir[pgd_index(0)].pgd =
22487 -                   swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
22488 -               temp = PAGE_OFFSET + 0x400000;
22489 -               swapper_pg_dir[pgd_index(0x400000)].pgd =
22490 -                   swapper_pg_dir[pgd_index(temp)].pgd;
22491 -       }
22492 +       clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
22493 +       clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22494 +                       min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
22495  
22496         /*
22497          * After the lock is released, the original page table is restored.
22498          */
22499         __flush_tlb_all();
22500  
22501 +#ifdef CONFIG_PAX_KERNEXEC
22502 +       pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
22503 +       write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
22504 +       pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
22505 +       write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
22506 +#endif
22507 +
22508         gdt_descr.address = __pa(get_cpu_gdt_table(0));
22509         gdt_descr.size = GDT_SIZE - 1;
22510         load_gdt(&gdt_descr);
22511  }
22512  
22513 -void efi_call_phys_epilog(void)
22514 +void __init efi_call_phys_epilog(void)
22515  {
22516 -       unsigned long cr4;
22517         struct desc_ptr gdt_descr;
22518  
22519 +#ifdef CONFIG_PAX_KERNEXEC
22520 +       struct desc_struct d;
22521 +
22522 +       memset(&d, 0, sizeof d);
22523 +       write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
22524 +       write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
22525 +#endif
22526 +
22527         gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
22528         gdt_descr.size = GDT_SIZE - 1;
22529         load_gdt(&gdt_descr);
22530  
22531 -       cr4 = read_cr4_safe();
22532 -
22533 -       if (cr4 & X86_CR4_PAE) {
22534 -               swapper_pg_dir[pgd_index(0)].pgd =
22535 -                   efi_bak_pg_dir_pointer[0].pgd;
22536 -       } else {
22537 -               swapper_pg_dir[pgd_index(0)].pgd =
22538 -                   efi_bak_pg_dir_pointer[0].pgd;
22539 -               swapper_pg_dir[pgd_index(0x400000)].pgd =
22540 -                   efi_bak_pg_dir_pointer[1].pgd;
22541 -       }
22542 +       clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
22543  
22544         /*
22545          * After the lock is released, the original page table is restored.
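Review bot: Both functions are now `__init` and their backup `efi_bak_pg_dir_pointer` is `__initdata`, so any caller that reaches `efi_call_phys_prelog()` after init memory is freed (a physical-mode runtime-service call) would execute freed code and overwrite reused memory; the hunk does not show the callers, so this rests on every `efi_call_phys` user being init-only and deserves a comment on the declaration. The comment `After the lock is released, the original page table is restored.` above `__flush_tlb_all()` in the prolog describes the epilog and is kept as-is; in the prolog it should read something like `/* flush so the cloned low-address pgd entries take effect */`. The KERNEXEC descriptor writes go only to CPU 0's GDT, which matches the `load_gdt()` of `get_cpu_gdt_table(0)` below it; a comment stating that physical EFI calls happen on the boot CPU only would tie the two together.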
22546 diff -urNp linux-3.1.1/arch/x86/platform/efi/efi_stub_32.S linux-3.1.1/arch/x86/platform/efi/efi_stub_32.S
22547 --- linux-3.1.1/arch/x86/platform/efi/efi_stub_32.S     2011-11-11 15:19:27.000000000 -0500
22548 +++ linux-3.1.1/arch/x86/platform/efi/efi_stub_32.S     2011-11-16 18:39:07.000000000 -0500
22549 @@ -6,7 +6,9 @@
22550   */
22551  
22552  #include <linux/linkage.h>
22553 +#include <linux/init.h>
22554  #include <asm/page_types.h>
22555 +#include <asm/segment.h>
22556  
22557  /*
22558   * efi_call_phys(void *, ...) is a function with variable parameters.
22559 @@ -20,7 +22,7 @@
22560   * service functions will comply with gcc calling convention, too.
22561   */
22562  
22563 -.text
22564 +__INIT
22565  ENTRY(efi_call_phys)
22566         /*
22567          * 0. The function can only be called in Linux kernel. So CS has been
22568 @@ -36,9 +38,11 @@ ENTRY(efi_call_phys)
22569          * The mapping of lower virtual memory has been created in prelog and
22570          * epilog.
22571          */
22572 -       movl    $1f, %edx
22573 -       subl    $__PAGE_OFFSET, %edx
22574 -       jmp     *%edx
22575 +       movl    $(__KERNEXEC_EFI_DS), %edx
22576 +       mov     %edx, %ds
22577 +       mov     %edx, %es
22578 +       mov     %edx, %ss
22579 +       ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET
22580  1:
22581  
22582         /*
22583 @@ -47,14 +51,8 @@ ENTRY(efi_call_phys)
22584          * parameter 2, ..., param n. To make things easy, we save the return
22585          * address of efi_call_phys in a global variable.
22586          */
22587 -       popl    %edx
22588 -       movl    %edx, saved_return_addr
22589 -       /* get the function pointer into ECX*/
22590 -       popl    %ecx
22591 -       movl    %ecx, efi_rt_function_ptr
22592 -       movl    $2f, %edx
22593 -       subl    $__PAGE_OFFSET, %edx
22594 -       pushl   %edx
22595 +       popl    (saved_return_addr)
22596 +       popl    (efi_rt_function_ptr)
22597  
22598         /*
22599          * 3. Clear PG bit in %CR0.
22600 @@ -73,9 +71,8 @@ ENTRY(efi_call_phys)
22601         /*
22602          * 5. Call the physical function.
22603          */
22604 -       jmp     *%ecx
22605 +       call    *(efi_rt_function_ptr-__PAGE_OFFSET)
22606  
22607 -2:
22608         /*
22609          * 6. After EFI runtime service returns, control will return to
22610          * following instruction. We'd better readjust stack pointer first.
22611 @@ -88,35 +85,32 @@ ENTRY(efi_call_phys)
22612         movl    %cr0, %edx
22613         orl     $0x80000000, %edx
22614         movl    %edx, %cr0
22615 -       jmp     1f
22616 -1:
22617 +
22618         /*
22619          * 8. Now restore the virtual mode from flat mode by
22620          * adding EIP with PAGE_OFFSET.
22621          */
22622 -       movl    $1f, %edx
22623 -       jmp     *%edx
22624 +       ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET
22625  1:
22626 +       movl    $(__KERNEL_DS), %edx
22627 +       mov     %edx, %ds
22628 +       mov     %edx, %es
22629 +       mov     %edx, %ss
22630  
22631         /*
22632          * 9. Balance the stack. And because EAX contain the return value,
22633          * we'd better not clobber it.
22634          */
22635 -       leal    efi_rt_function_ptr, %edx
22636 -       movl    (%edx), %ecx
22637 -       pushl   %ecx
22638 +       pushl   (efi_rt_function_ptr)
22639  
22640         /*
22641 -        * 10. Push the saved return address onto the stack and return.
22642 +        * 10. Return to the saved return address.
22643          */
22644 -       leal    saved_return_addr, %edx
22645 -       movl    (%edx), %ecx
22646 -       pushl   %ecx
22647 -       ret
22648 +       jmpl    *(saved_return_addr)
22649  ENDPROC(efi_call_phys)
22650  .previous
22651  
22652 -.data
22653 +__INITDATA
22654  saved_return_addr:
22655         .long 0
22656  efi_rt_function_ptr:
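Review bot: The return jump `ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET` only lands on the label if `__KERNEL_CS` has a base of `-__PAGE_OFFSET` (the KERNEXEC code-segment layout), and the entry jump `ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET` in the earlier hunk likewise needs a flat `__KERNEXEC_EFI_CS`; neither hunk is conditional on CONFIG_PAX_KERNEXEC, whereas the descriptors for those selectors are only installed under that option in efi_32.c. Confirm that asm/segment.h maps the two selectors and `__KERNEL_CS` consistently in the non-KERNEXEC build, or guard the segment-reload sequences with `#ifdef CONFIG_PAX_KERNEXEC` and keep the old `movl $1f, %edx; jmp *%edx` form as the alternative. A short comment above each `ljmp` stating which segment base it assumes would make the address arithmetic reviewable. efi_call_phys begins outside this hunk.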
22657 diff -urNp linux-3.1.1/arch/x86/platform/efi/efi_stub_64.S linux-3.1.1/arch/x86/platform/efi/efi_stub_64.S
22658 --- linux-3.1.1/arch/x86/platform/efi/efi_stub_64.S     2011-11-11 15:19:27.000000000 -0500
22659 +++ linux-3.1.1/arch/x86/platform/efi/efi_stub_64.S     2011-11-16 18:39:07.000000000 -0500
22660 @@ -7,6 +7,7 @@
22661   */
22662  
22663  #include <linux/linkage.h>
22664 +#include <asm/alternative-asm.h>
22665  
22666  #define SAVE_XMM                       \
22667         mov %rsp, %rax;                 \
22668 @@ -40,6 +41,7 @@ ENTRY(efi_call0)
22669         call *%rdi
22670         addq $32, %rsp
22671         RESTORE_XMM
22672 +       pax_force_retaddr
22673         ret
22674  ENDPROC(efi_call0)
22675  
22676 @@ -50,6 +52,7 @@ ENTRY(efi_call1)
22677         call *%rdi
22678         addq $32, %rsp
22679         RESTORE_XMM
22680 +       pax_force_retaddr
22681         ret
22682  ENDPROC(efi_call1)
22683  
22684 @@ -60,6 +63,7 @@ ENTRY(efi_call2)
22685         call *%rdi
22686         addq $32, %rsp
22687         RESTORE_XMM
22688 +       pax_force_retaddr
22689         ret
22690  ENDPROC(efi_call2)
22691  
22692 @@ -71,6 +75,7 @@ ENTRY(efi_call3)
22693         call *%rdi
22694         addq $32, %rsp
22695         RESTORE_XMM
22696 +       pax_force_retaddr
22697         ret
22698  ENDPROC(efi_call3)
22699  
22700 @@ -83,6 +88,7 @@ ENTRY(efi_call4)
22701         call *%rdi
22702         addq $32, %rsp
22703         RESTORE_XMM
22704 +       pax_force_retaddr
22705         ret
22706  ENDPROC(efi_call4)
22707  
22708 @@ -96,6 +102,7 @@ ENTRY(efi_call5)
22709         call *%rdi
22710         addq $48, %rsp
22711         RESTORE_XMM
22712 +       pax_force_retaddr
22713         ret
22714  ENDPROC(efi_call5)
22715  
22716 @@ -112,5 +119,6 @@ ENTRY(efi_call6)
22717         call *%rdi
22718         addq $48, %rsp
22719         RESTORE_XMM
22720 +       pax_force_retaddr
22721         ret
22722  ENDPROC(efi_call6)
22723 diff -urNp linux-3.1.1/arch/x86/platform/mrst/mrst.c linux-3.1.1/arch/x86/platform/mrst/mrst.c
22724 --- linux-3.1.1/arch/x86/platform/mrst/mrst.c   2011-11-11 15:19:27.000000000 -0500
22725 +++ linux-3.1.1/arch/x86/platform/mrst/mrst.c   2011-11-16 18:39:07.000000000 -0500
22726 @@ -239,14 +239,16 @@ static int mrst_i8042_detect(void)
22727  }
22728  
22729  /* Reboot and power off are handled by the SCU on a MID device */
22730 -static void mrst_power_off(void)
22731 +static __noreturn void mrst_power_off(void)
22732  {
22733         intel_scu_ipc_simple_command(0xf1, 1);
22734 +       BUG();
22735  }
22736  
22737 -static void mrst_reboot(void)
22738 +static __noreturn void mrst_reboot(void)
22739  {
22740         intel_scu_ipc_simple_command(0xf1, 0);
22741 +       BUG();
22742  }
22743  
22744  /*
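Review bot: `BUG()` after the SCU IPC command reports a kernel bug on a machine that is merely waiting for the firmware to cut power or reset; if `intel_scu_ipc_simple_command()` returns before the SCU acts (the hunk gives no ordering guarantee), the oops, and a `panic_on_oops` reboot, would race the intended shutdown. The conventional way to honour `__noreturn` here is to spin, e.g. `for (;;) cpu_relax();` (or `halt()`), optionally after a short delay, in both `mrst_power_off()` and `mrst_reboot()`. The return value of the IPC call is still ignored at both sites.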
22745 diff -urNp linux-3.1.1/arch/x86/platform/uv/tlb_uv.c linux-3.1.1/arch/x86/platform/uv/tlb_uv.c
22746 --- linux-3.1.1/arch/x86/platform/uv/tlb_uv.c   2011-11-11 15:19:27.000000000 -0500
22747 +++ linux-3.1.1/arch/x86/platform/uv/tlb_uv.c   2011-11-16 19:39:11.000000000 -0500
22748 @@ -377,6 +377,8 @@ static void reset_with_ipi(struct pnmask
22749         struct bau_control *smaster = bcp->socket_master;
22750         struct reset_args reset_args;
22751  
22752 +       pax_track_stack();
22753 +
22754         reset_args.sender = sender;
22755         cpus_clear(*mask);
22756         /* find a single cpu for each uvhub in this distribution mask */
22757 diff -urNp linux-3.1.1/arch/x86/power/cpu.c linux-3.1.1/arch/x86/power/cpu.c
22758 --- linux-3.1.1/arch/x86/power/cpu.c    2011-11-11 15:19:27.000000000 -0500
22759 +++ linux-3.1.1/arch/x86/power/cpu.c    2011-11-16 18:39:07.000000000 -0500
22760 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
22761  static void fix_processor_context(void)
22762  {
22763         int cpu = smp_processor_id();
22764 -       struct tss_struct *t = &per_cpu(init_tss, cpu);
22765 +       struct tss_struct *t = init_tss + cpu;
22766  
22767         set_tss_desc(cpu, t);   /*
22768                                  * This just modifies memory; should not be
22769 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
22770                                  */
22771  
22772  #ifdef CONFIG_X86_64
22773 +       pax_open_kernel();
22774         get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
22775 +       pax_close_kernel();
22776  
22777         syscall_init();                         /* This sets MSR_*STAR and related */
22778  #endif
22779 diff -urNp linux-3.1.1/arch/x86/vdso/Makefile linux-3.1.1/arch/x86/vdso/Makefile
22780 --- linux-3.1.1/arch/x86/vdso/Makefile  2011-11-11 15:19:27.000000000 -0500
22781 +++ linux-3.1.1/arch/x86/vdso/Makefile  2011-11-16 18:39:07.000000000 -0500
22782 @@ -137,7 +137,7 @@ quiet_cmd_vdso = VDSO    $@
22783                        -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
22784                  sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
22785  
22786 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
22787 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
22788  GCOV_PROFILE := n
22789  
22790  #
22791 diff -urNp linux-3.1.1/arch/x86/vdso/vdso32-setup.c linux-3.1.1/arch/x86/vdso/vdso32-setup.c
22792 --- linux-3.1.1/arch/x86/vdso/vdso32-setup.c    2011-11-11 15:19:27.000000000 -0500
22793 +++ linux-3.1.1/arch/x86/vdso/vdso32-setup.c    2011-11-16 18:39:07.000000000 -0500
22794 @@ -25,6 +25,7 @@
22795  #include <asm/tlbflush.h>
22796  #include <asm/vdso.h>
22797  #include <asm/proto.h>
22798 +#include <asm/mman.h>
22799  
22800  enum {
22801         VDSO_DISABLED = 0,
22802 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
22803  void enable_sep_cpu(void)
22804  {
22805         int cpu = get_cpu();
22806 -       struct tss_struct *tss = &per_cpu(init_tss, cpu);
22807 +       struct tss_struct *tss = init_tss + cpu;
22808  
22809         if (!boot_cpu_has(X86_FEATURE_SEP)) {
22810                 put_cpu();
22811 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
22812         gate_vma.vm_start = FIXADDR_USER_START;
22813         gate_vma.vm_end = FIXADDR_USER_END;
22814         gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
22815 -       gate_vma.vm_page_prot = __P101;
22816 +       gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
22817         /*
22818          * Make sure the vDSO gets into every core dump.
22819          * Dumping its contents makes post-mortem fully interpretable later
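Review bot: The new `vm_get_page_prot(gate_vma.vm_flags)` assignment has no comment explaining why the fixed `__P101` protection was dropped, and the reason is not visible in this hunk. I would add `/* derive the protection from vm_flags so it stays consistent with the VM_EXEC bit set just above */`. The result is only equivalent to the old constant if `vm_get_page_prot()` maps VM_READ|VM_EXEC to the same bits, which I cannot confirm from here. gate_vma_init's body continues outside the hunk.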
22820 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
22821         if (compat)
22822                 addr = VDSO_HIGH_BASE;
22823         else {
22824 -               addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
22825 +               addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
22826                 if (IS_ERR_VALUE(addr)) {
22827                         ret = addr;
22828                         goto up_fail;
22829                 }
22830         }
22831  
22832 -       current->mm->context.vdso = (void *)addr;
22833 +       current->mm->context.vdso = addr;
22834  
22835         if (compat_uses_vma || !compat) {
22836                 /*
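Review bot: `current->mm->context.vdso = addr;` now stores an `unsigned long` where the old code stored a `void *`, so this line only compiles if `mm_context_t.vdso` was changed to an integer type elsewhere in the patch; the same dependency applies to the `= 0` and the comparisons in the later vdso32-setup.c hunks and in vma.c. The `MAP_EXECUTABLE` argument to `get_unmapped_area()` also deserves a one-line comment, e.g. `/* MAP_EXECUTABLE: ask the PaX-aware get_unmapped_area for an executable placement */` — I am inferring that purpose from the flag name and the added asm/mman.h include, so confirm it against the get_unmapped_area changes. arch_setup_additional_pages continues outside the hunk.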
22837 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
22838         }
22839  
22840         current_thread_info()->sysenter_return =
22841 -               VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22842 +               (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22843  
22844    up_fail:
22845         if (ret)
22846 -               current->mm->context.vdso = NULL;
22847 +               current->mm->context.vdso = 0;
22848  
22849         up_write(&mm->mmap_sem);
22850  
22851 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
22852  
22853  const char *arch_vma_name(struct vm_area_struct *vma)
22854  {
22855 -       if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22856 +       if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22857                 return "[vdso]";
22858 +
22859 +#ifdef CONFIG_PAX_SEGMEXEC
22860 +       if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
22861 +               return "[vdso]";
22862 +#endif
22863 +
22864         return NULL;
22865  }
22866  
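Review bot: The `CONFIG_PAX_SEGMEXEC` branch relies on a `vm_mirror` member of `struct vm_area_struct` that vanilla 3.1 does not have, so a reader of this file needs a comment on the second test: `/* under SEGMEXEC the vdso also has a mirror vma; report that one as [vdso] too */`. I am inferring the mirror semantics from the field name, so align the wording with where vm_mirror is defined in the patch. Both tests repeat `vma->vm_mm &&`; an early `if (!vma->vm_mm) return NULL;` would keep the function flat and make the mirror test a single condition.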
22867 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
22868          * Check to see if the corresponding task was created in compat vdso
22869          * mode.
22870          */
22871 -       if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
22872 +       if (mm && mm->context.vdso == VDSO_HIGH_BASE)
22873                 return &gate_vma;
22874         return NULL;
22875  }
22876 diff -urNp linux-3.1.1/arch/x86/vdso/vma.c linux-3.1.1/arch/x86/vdso/vma.c
22877 --- linux-3.1.1/arch/x86/vdso/vma.c     2011-11-11 15:19:27.000000000 -0500
22878 +++ linux-3.1.1/arch/x86/vdso/vma.c     2011-11-16 18:39:07.000000000 -0500
22879 @@ -16,8 +16,6 @@
22880  #include <asm/vdso.h>
22881  #include <asm/page.h>
22882  
22883 -unsigned int __read_mostly vdso_enabled = 1;
22884 -
22885  extern char vdso_start[], vdso_end[];
22886  extern unsigned short vdso_sync_cpuid;
22887  
22888 @@ -97,13 +95,15 @@ static unsigned long vdso_addr(unsigned 
22889  int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
22890  {
22891         struct mm_struct *mm = current->mm;
22892 -       unsigned long addr;
22893 +       unsigned long addr = 0;
22894         int ret;
22895  
22896 -       if (!vdso_enabled)
22897 -               return 0;
22898 -
22899         down_write(&mm->mmap_sem);
22900 +
22901 +#ifdef CONFIG_PAX_RANDMMAP
22902 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
22903 +#endif
22904 +
22905         addr = vdso_addr(mm->start_stack, vdso_size);
22906         addr = get_unmapped_area(NULL, addr, vdso_size, 0, 0);
22907         if (IS_ERR_VALUE(addr)) {
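Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block wraps an `if` whose controlled statement is the `addr = vdso_addr(...)` line two lines further down, separated by `#endif` and a blank line; a later edit inserting a statement there would silently change what the `if` guards. Bracing the controlled statement on both sides of the conditional, `{ addr = vdso_addr(mm->start_stack, vdso_size); }` directly after `#endif`, or moving the test into a tiny helper, removes that hazard. The intent also deserves a comment, `/* with RANDMMAP leave addr = 0 so get_unmapped_area picks a randomized spot */`, though I am inferring it from the new `addr = 0` initialiser. The function's body continues in the next hunk.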
22908 @@ -111,26 +111,18 @@ int arch_setup_additional_pages(struct l
22909                 goto up_fail;
22910         }
22911  
22912 -       current->mm->context.vdso = (void *)addr;
22913 +       mm->context.vdso = addr;
22914  
22915         ret = install_special_mapping(mm, addr, vdso_size,
22916                                       VM_READ|VM_EXEC|
22917                                       VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC|
22918                                       VM_ALWAYSDUMP,
22919                                       vdso_pages);
22920 -       if (ret) {
22921 -               current->mm->context.vdso = NULL;
22922 -               goto up_fail;
22923 -       }
22924 +
22925 +       if (ret)
22926 +               mm->context.vdso = 0;
22927  
22928  up_fail:
22929         up_write(&mm->mmap_sem);
22930         return ret;
22931  }
22932 -
22933 -static __init int vdso_setup(char *s)
22934 -{
22935 -       vdso_enabled = simple_strtoul(s, NULL, 0);
22936 -       return 0;
22937 -}
22938 -__setup("vdso=", vdso_setup);
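Review bot: Removing `vdso_setup()` and `__setup("vdso=", vdso_setup)` here, together with the `vdso_enabled` check dropped in the previous hunk, silently changes user-visible behaviour: `vdso=0` no longer disables the 64-bit vDSO and `vdso_enabled` is no longer defined in this file. The kernel-parameters.txt hunk visible in this chunk only adds the `pax_*` entries, so the `vdso=` entry, if it is still documented, should be updated in the same change, and any other users of `vdso_enabled` need checking — I cannot see those from here. `if (ret) mm->context.vdso = 0;` without the former `goto up_fail` is fine since the label immediately follows.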
22939 diff -urNp linux-3.1.1/arch/x86/xen/enlighten.c linux-3.1.1/arch/x86/xen/enlighten.c
22940 --- linux-3.1.1/arch/x86/xen/enlighten.c        2011-11-11 15:19:27.000000000 -0500
22941 +++ linux-3.1.1/arch/x86/xen/enlighten.c        2011-11-16 18:39:07.000000000 -0500
22942 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
22943  
22944  struct shared_info xen_dummy_shared_info;
22945  
22946 -void *xen_initial_gdt;
22947 -
22948  RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
22949  __read_mostly int xen_have_vector_callback;
22950  EXPORT_SYMBOL_GPL(xen_have_vector_callback);
22951 @@ -1028,7 +1026,7 @@ static const struct pv_apic_ops xen_apic
22952  #endif
22953  };
22954  
22955 -static void xen_reboot(int reason)
22956 +static __noreturn void xen_reboot(int reason)
22957  {
22958         struct sched_shutdown r = { .reason = reason };
22959  
22960 @@ -1036,17 +1034,17 @@ static void xen_reboot(int reason)
22961                 BUG();
22962  }
22963  
22964 -static void xen_restart(char *msg)
22965 +static __noreturn void xen_restart(char *msg)
22966  {
22967         xen_reboot(SHUTDOWN_reboot);
22968  }
22969  
22970 -static void xen_emergency_restart(void)
22971 +static __noreturn void xen_emergency_restart(void)
22972  {
22973         xen_reboot(SHUTDOWN_reboot);
22974  }
22975  
22976 -static void xen_machine_halt(void)
22977 +static __noreturn void xen_machine_halt(void)
22978  {
22979         xen_reboot(SHUTDOWN_poweroff);
22980  }
22981 @@ -1152,7 +1150,17 @@ asmlinkage void __init xen_start_kernel(
22982         __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
22983  
22984         /* Work out if we support NX */
22985 -       x86_configure_nx();
22986 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
22987 +       if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
22988 +           (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
22989 +               unsigned l, h;
22990 +
22991 +               __supported_pte_mask |= _PAGE_NX;
22992 +               rdmsr(MSR_EFER, l, h);
22993 +               l |= EFER_NX;
22994 +               wrmsr(MSR_EFER, l, h);
22995 +       }
22996 +#endif
22997  
22998         xen_setup_features();
22999  
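Review bot: The open-coded NX probe that replaces `x86_configure_nx()` says nothing about why the generic helper is bypassed under Xen, and the CPUID/MSR sequence is dense enough to need a comment; I would add `/* probe extended CPUID for NX and set EFER.NX directly instead of x86_configure_nx(): <reason> */` with the reason filled in, since I can only infer it. Within it, `(cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000` checks that the extended leaves exist and `1U << (X86_FEATURE_NX & 31)` picks the NX bit out of leaf 0x80000001 EDX; both deserve a word. `unsigned l, h;` would conventionally be `u32 l, h;` for the rdmsr/wrmsr pair. xen_start_kernel continues outside the hunk.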
23000 @@ -1183,13 +1191,6 @@ asmlinkage void __init xen_start_kernel(
23001  
23002         machine_ops = xen_machine_ops;
23003  
23004 -       /*
23005 -        * The only reliable way to retain the initial address of the
23006 -        * percpu gdt_page is to remember it here, so we can go and
23007 -        * mark it RW later, when the initial percpu area is freed.
23008 -        */
23009 -       xen_initial_gdt = &per_cpu(gdt_page, 0);
23010 -
23011         xen_smp_init();
23012  
23013  #ifdef CONFIG_ACPI_NUMA
23014 diff -urNp linux-3.1.1/arch/x86/xen/mmu.c linux-3.1.1/arch/x86/xen/mmu.c
23015 --- linux-3.1.1/arch/x86/xen/mmu.c      2011-11-11 15:19:27.000000000 -0500
23016 +++ linux-3.1.1/arch/x86/xen/mmu.c      2011-11-16 18:39:07.000000000 -0500
23017 @@ -1768,6 +1768,8 @@ pgd_t * __init xen_setup_kernel_pagetabl
23018         convert_pfn_mfn(init_level4_pgt);
23019         convert_pfn_mfn(level3_ident_pgt);
23020         convert_pfn_mfn(level3_kernel_pgt);
23021 +       convert_pfn_mfn(level3_vmalloc_pgt);
23022 +       convert_pfn_mfn(level3_vmemmap_pgt);
23023  
23024         l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
23025         l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
23026 @@ -1786,7 +1788,10 @@ pgd_t * __init xen_setup_kernel_pagetabl
23027         set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
23028         set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
23029         set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
23030 +       set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
23031 +       set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
23032         set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
23033 +       set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
23034         set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
23035         set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
23036  
23037 @@ -2000,6 +2005,7 @@ static void __init xen_post_allocator_in
23038         pv_mmu_ops.set_pud = xen_set_pud;
23039  #if PAGETABLE_LEVELS == 4
23040         pv_mmu_ops.set_pgd = xen_set_pgd;
23041 +       pv_mmu_ops.set_pgd_batched = xen_set_pgd;
23042  #endif
23043  
23044         /* This will work as long as patching hasn't happened yet
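Review bot: `pv_mmu_ops.set_pgd_batched = xen_set_pgd;` assigns the unbatched handler to a pv op that vanilla 3.1 does not have, and the next hunk does the same with `xen_set_pgd_hyper`; a one-line comment such as `/* no separate batched path on Xen; the regular setter is used for set_pgd_batched as well */` would tell the reader this is deliberate. Whether xen_set_pgd already batches internally is not visible here, so word the comment to match where set_pgd_batched is introduced. xen_post_allocator_init continues outside the hunk.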
23045 @@ -2081,6 +2087,7 @@ static const struct pv_mmu_ops xen_mmu_o
23046         .pud_val = PV_CALLEE_SAVE(xen_pud_val),
23047         .make_pud = PV_CALLEE_SAVE(xen_make_pud),
23048         .set_pgd = xen_set_pgd_hyper,
23049 +       .set_pgd_batched = xen_set_pgd_hyper,
23050  
23051         .alloc_pud = xen_alloc_pmd_init,
23052         .release_pud = xen_release_pmd_init,
23053 diff -urNp linux-3.1.1/arch/x86/xen/smp.c linux-3.1.1/arch/x86/xen/smp.c
23054 --- linux-3.1.1/arch/x86/xen/smp.c      2011-11-11 15:19:27.000000000 -0500
23055 +++ linux-3.1.1/arch/x86/xen/smp.c      2011-11-16 18:39:07.000000000 -0500
23056 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
23057  {
23058         BUG_ON(smp_processor_id() != 0);
23059         native_smp_prepare_boot_cpu();
23060 -
23061 -       /* We've switched to the "real" per-cpu gdt, so make sure the
23062 -          old memory can be recycled */
23063 -       make_lowmem_page_readwrite(xen_initial_gdt);
23064 -
23065         xen_filter_cpu_maps();
23066         xen_setup_vcpu_info_placement();
23067  }
23068 @@ -275,12 +270,12 @@ cpu_initialize_context(unsigned int cpu,
23069         gdt = get_cpu_gdt_table(cpu);
23070  
23071         ctxt->flags = VGCF_IN_KERNEL;
23072 -       ctxt->user_regs.ds = __USER_DS;
23073 -       ctxt->user_regs.es = __USER_DS;
23074 +       ctxt->user_regs.ds = __KERNEL_DS;
23075 +       ctxt->user_regs.es = __KERNEL_DS;
23076         ctxt->user_regs.ss = __KERNEL_DS;
23077  #ifdef CONFIG_X86_32
23078         ctxt->user_regs.fs = __KERNEL_PERCPU;
23079 -       ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
23080 +       savesegment(gs, ctxt->user_regs.gs);
23081  #else
23082         ctxt->gs_base_kernel = per_cpu_offset(cpu);
23083  #endif
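Review bot: Switching the secondary vCPU's initial `ds`/`es` from `__USER_DS` to `__KERNEL_DS` and taking `gs` from the running CPU via `savesegment()` has no explanation in the code, and it is exactly the kind of change a later reader will try to revert. A comment like `/* kernel-mode ds/es must be __KERNEL_DS: under UDEREF __USER_DS is an expand-down segment that cannot address kernel memory on X86-32 */` is consistent with the pax_nouderef description this patch adds to kernel-parameters.txt, but confirm the wording. For `gs`, state what is inherited, e.g. `/* take the boot cpu's current gs selector rather than a fixed __KERNEL_STACK_CANARY */`, hedged because the reason the fixed selector is no longer suitable is not visible here. cpu_initialize_context starts and ends outside this hunk.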
23084 @@ -331,13 +326,12 @@ static int __cpuinit xen_cpu_up(unsigned
23085         int rc;
23086  
23087         per_cpu(current_task, cpu) = idle;
23088 +       per_cpu(current_tinfo, cpu) = &idle->tinfo;
23089  #ifdef CONFIG_X86_32
23090         irq_ctx_init(cpu);
23091  #else
23092         clear_tsk_thread_flag(idle, TIF_FORK);
23093 -       per_cpu(kernel_stack, cpu) =
23094 -               (unsigned long)task_stack_page(idle) -
23095 -               KERNEL_STACK_OFFSET + THREAD_SIZE;
23096 +       per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
23097  #endif
23098         xen_setup_runstate_info(cpu);
23099         xen_setup_timer(cpu);
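Review bot: `per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;` replaces the named `KERNEL_STACK_OFFSET` with a bare `16`, which loses the constant's meaning; if the patch redefines the offset elsewhere the same macro should be used here, and if the literal is intentional it needs a comment such as `/* 16: keep in sync with the kernel_stack offset used by the x86 entry code */`. The added `per_cpu(current_tinfo, cpu) = &idle->tinfo;` line likewise depends on a `tinfo` member of task_struct introduced elsewhere in the patch. xen_cpu_up continues outside the hunk.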
23100 diff -urNp linux-3.1.1/arch/x86/xen/xen-asm_32.S linux-3.1.1/arch/x86/xen/xen-asm_32.S
23101 --- linux-3.1.1/arch/x86/xen/xen-asm_32.S       2011-11-11 15:19:27.000000000 -0500
23102 +++ linux-3.1.1/arch/x86/xen/xen-asm_32.S       2011-11-16 18:39:07.000000000 -0500
23103 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
23104         ESP_OFFSET=4    # bytes pushed onto stack
23105  
23106         /*
23107 -        * Store vcpu_info pointer for easy access.  Do it this way to
23108 -        * avoid having to reload %fs
23109 +        * Store vcpu_info pointer for easy access.
23110          */
23111  #ifdef CONFIG_SMP
23112 -       GET_THREAD_INFO(%eax)
23113 -       movl TI_cpu(%eax), %eax
23114 -       movl __per_cpu_offset(,%eax,4), %eax
23115 -       mov xen_vcpu(%eax), %eax
23116 +       push %fs
23117 +       mov $(__KERNEL_PERCPU), %eax
23118 +       mov %eax, %fs
23119 +       mov PER_CPU_VAR(xen_vcpu), %eax
23120 +       pop %fs
23121  #else
23122         movl xen_vcpu, %eax
23123  #endif
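Review bot: The rewritten SMP path loads `%fs` with `__KERNEL_PERCPU` to read `PER_CPU_VAR(xen_vcpu)`, which is precisely what the deleted comment said the old code was avoiding, yet the new comment gives no reason for the change; I would restore that context, e.g. `/* thread_info is no longer reachable via GET_THREAD_INFO here, so fetch the vcpu pointer through the percpu segment */`, adjusted to the real cause since I am inferring it from the removed GET_THREAD_INFO/TI_cpu sequence. Note that `push %fs` / `pop %fs` moves `%esp` between the two instructions; nothing in between is stack-relative, but the `ESP_OFFSET` bookkeeping at the top of the hunk must not be assumed valid inside that window. xen_iret continues outside the hunk.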
23124 diff -urNp linux-3.1.1/arch/x86/xen/xen-head.S linux-3.1.1/arch/x86/xen/xen-head.S
23125 --- linux-3.1.1/arch/x86/xen/xen-head.S 2011-11-11 15:19:27.000000000 -0500
23126 +++ linux-3.1.1/arch/x86/xen/xen-head.S 2011-11-16 18:39:07.000000000 -0500
23127 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
23128  #ifdef CONFIG_X86_32
23129         mov %esi,xen_start_info
23130         mov $init_thread_union+THREAD_SIZE,%esp
23131 +#ifdef CONFIG_SMP
23132 +       movl $cpu_gdt_table,%edi
23133 +       movl $__per_cpu_load,%eax
23134 +       movw %ax,__KERNEL_PERCPU + 2(%edi)
23135 +       rorl $16,%eax
23136 +       movb %al,__KERNEL_PERCPU + 4(%edi)
23137 +       movb %ah,__KERNEL_PERCPU + 7(%edi)
23138 +       movl $__per_cpu_end - 1,%eax
23139 +       subl $__per_cpu_start,%eax
23140 +       movw %ax,__KERNEL_PERCPU + 0(%edi)
23141 +#endif
23142  #else
23143         mov %rsi,xen_start_info
23144         mov $init_thread_union+THREAD_SIZE,%rsp
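Review bot: The hand-built `__KERNEL_PERCPU` descriptor writes only bits 15:0 of the limit (`movw %ax,__KERNEL_PERCPU + 0(%edi)`) and the 32-bit base split across +2, +4 and +7, leaving byte +6 (limit 19:16 and the G/D flags) as the static cpu_gdt_table entry defines it; that is correct only if the per-cpu area is under 64 KiB with byte granularity, or the static entry already carries the right upper limit and granularity, which I cannot see from here. The offsets also deserve a comment mapping them to descriptor fields: `# descriptor layout: +0 limit[15:0], +2 base[15:0], +4 base[23:16], +7 base[31:24]`. If the area can exceed 64 KiB, the upper limit nibble at +6 needs updating as well. startup_xen continues outside the hunk.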
23145 diff -urNp linux-3.1.1/arch/x86/xen/xen-ops.h linux-3.1.1/arch/x86/xen/xen-ops.h
23146 --- linux-3.1.1/arch/x86/xen/xen-ops.h  2011-11-11 15:19:27.000000000 -0500
23147 +++ linux-3.1.1/arch/x86/xen/xen-ops.h  2011-11-16 18:39:07.000000000 -0500
23148 @@ -10,8 +10,6 @@
23149  extern const char xen_hypervisor_callback[];
23150  extern const char xen_failsafe_callback[];
23151  
23152 -extern void *xen_initial_gdt;
23153 -
23154  struct trap_info;
23155  void xen_copy_trap_info(struct trap_info *traps);
23156  
23157 diff -urNp linux-3.1.1/block/blk-iopoll.c linux-3.1.1/block/blk-iopoll.c
23158 --- linux-3.1.1/block/blk-iopoll.c      2011-11-11 15:19:27.000000000 -0500
23159 +++ linux-3.1.1/block/blk-iopoll.c      2011-11-16 18:39:07.000000000 -0500
23160 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
23161  }
23162  EXPORT_SYMBOL(blk_iopoll_complete);
23163  
23164 -static void blk_iopoll_softirq(struct softirq_action *h)
23165 +static void blk_iopoll_softirq(void)
23166  {
23167         struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
23168         int rearm = 0, budget = blk_iopoll_budget;
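Review bot: `blk_iopoll_softirq(void)` drops the `struct softirq_action *` parameter, so it only compiles if `open_softirq()`'s handler type was changed to `void (*)(void)` elsewhere in the patch; the same applies to `blk_done_softirq` in the blk-softirq.c hunk. Removing an unused parameter is fine on its own, but both sites must track the core prototype change exactly or the open_softirq() call will warn or fail. Both function bodies continue outside their hunks.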
23169 diff -urNp linux-3.1.1/block/blk-map.c linux-3.1.1/block/blk-map.c
23170 --- linux-3.1.1/block/blk-map.c 2011-11-11 15:19:27.000000000 -0500
23171 +++ linux-3.1.1/block/blk-map.c 2011-11-16 18:39:07.000000000 -0500
23172 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
23173         if (!len || !kbuf)
23174                 return -EINVAL;
23175  
23176 -       do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
23177 +       do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
23178         if (do_copy)
23179                 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
23180         else
23181 diff -urNp linux-3.1.1/block/blk-softirq.c linux-3.1.1/block/blk-softirq.c
23182 --- linux-3.1.1/block/blk-softirq.c     2011-11-11 15:19:27.000000000 -0500
23183 +++ linux-3.1.1/block/blk-softirq.c     2011-11-16 18:39:07.000000000 -0500
23184 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head, 
23185   * Softirq action handler - move entries to local list and loop over them
23186   * while passing them to the queue registered handler.
23187   */
23188 -static void blk_done_softirq(struct softirq_action *h)
23189 +static void blk_done_softirq(void)
23190  {
23191         struct list_head *cpu_list, local_list;
23192  
23193 diff -urNp linux-3.1.1/block/bsg.c linux-3.1.1/block/bsg.c
23194 --- linux-3.1.1/block/bsg.c     2011-11-11 15:19:27.000000000 -0500
23195 +++ linux-3.1.1/block/bsg.c     2011-11-16 18:39:07.000000000 -0500
23196 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
23197                                 struct sg_io_v4 *hdr, struct bsg_device *bd,
23198                                 fmode_t has_write_perm)
23199  {
23200 +       unsigned char tmpcmd[sizeof(rq->__cmd)];
23201 +       unsigned char *cmdptr;
23202 +
23203         if (hdr->request_len > BLK_MAX_CDB) {
23204                 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
23205                 if (!rq->cmd)
23206                         return -ENOMEM;
23207 -       }
23208 +               cmdptr = rq->cmd;
23209 +       } else
23210 +               cmdptr = tmpcmd;
23211  
23212 -       if (copy_from_user(rq->cmd, (void __user *)(unsigned long)hdr->request,
23213 +       if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
23214                            hdr->request_len))
23215                 return -EFAULT;
23216  
23217 +       if (cmdptr != rq->cmd)
23218 +               memcpy(rq->cmd, cmdptr, hdr->request_len);
23219 +
23220         if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
23221                 if (blk_verify_command(rq->cmd, has_write_perm))
23222                         return -EPERM;
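Review bot: The new `tmpcmd`/`cmdptr` detour copies the user CDB onto the stack and then `memcpy`s it into `rq->cmd` when `cmdptr != rq->cmd`, but nothing in the hunk says why the direct `copy_from_user(rq->cmd, ...)` was not acceptable; I would add `/* copy via the stack: rq->__cmd is embedded in the request object and is not a valid direct user-copy target under USERCOPY */`, hedged because I am inferring the reason from the PaX context. The `else` branch assumes `rq->cmd` points at `rq->__cmd` (so that `hdr->request_len <= BLK_MAX_CDB` fits both buffers); the two scsi_ioctl.c hunks make that explicit with `if (rq->cmd != rq->__cmd)`, and this site should use the same test for consistency. Kernel style also wants braces on the `else` when the `if` body is braced.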
23223 diff -urNp linux-3.1.1/block/compat_ioctl.c linux-3.1.1/block/compat_ioctl.c
23224 --- linux-3.1.1/block/compat_ioctl.c    2011-11-11 15:19:27.000000000 -0500
23225 +++ linux-3.1.1/block/compat_ioctl.c    2011-11-16 18:39:07.000000000 -0500
23226 @@ -340,7 +340,7 @@ static int compat_fd_ioctl(struct block_
23227                 err |= __get_user(f->spec1, &uf->spec1);
23228                 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
23229                 err |= __get_user(name, &uf->name);
23230 -               f->name = compat_ptr(name);
23231 +               f->name = (void __force_kernel *)compat_ptr(name);
23232                 if (err) {
23233                         err = -EFAULT;
23234                         goto out;
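Review bot: `f->name = (void __force_kernel *)compat_ptr(name);` silences the address-space warning but leaves a user pointer in a field typed as kernel memory, which is easy to misuse later; a comment at the assignment is warranted: `/* user pointer kept in a kernel-typed field; consumers must reach it through the user accessors */`. Whether the consumers of f->name actually do so is not visible from this hunk. compat_fd_ioctl continues outside the hunk.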
23235 diff -urNp linux-3.1.1/block/scsi_ioctl.c linux-3.1.1/block/scsi_ioctl.c
23236 --- linux-3.1.1/block/scsi_ioctl.c      2011-11-11 15:19:27.000000000 -0500
23237 +++ linux-3.1.1/block/scsi_ioctl.c      2011-11-16 18:39:07.000000000 -0500
23238 @@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
23239  static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
23240                              struct sg_io_hdr *hdr, fmode_t mode)
23241  {
23242 -       if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
23243 +       unsigned char tmpcmd[sizeof(rq->__cmd)];
23244 +       unsigned char *cmdptr;
23245 +
23246 +       if (rq->cmd != rq->__cmd)
23247 +               cmdptr = rq->cmd;
23248 +       else
23249 +               cmdptr = tmpcmd;
23250 +
23251 +       if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
23252                 return -EFAULT;
23253 +
23254 +       if (cmdptr != rq->cmd)
23255 +               memcpy(rq->cmd, cmdptr, hdr->cmd_len);
23256 +
23257         if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
23258                 return -EPERM;
23259  
23260 @@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
23261         int err;
23262         unsigned int in_len, out_len, bytes, opcode, cmdlen;
23263         char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
23264 +       unsigned char tmpcmd[sizeof(rq->__cmd)];
23265 +       unsigned char *cmdptr;
23266  
23267         if (!sic)
23268                 return -EINVAL;
23269 @@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
23270          */
23271         err = -EFAULT;
23272         rq->cmd_len = cmdlen;
23273 -       if (copy_from_user(rq->cmd, sic->data, cmdlen))
23274 +
23275 +       if (rq->cmd != rq->__cmd)
23276 +               cmdptr = rq->cmd;
23277 +       else
23278 +               cmdptr = tmpcmd;
23279 +
23280 +       if (copy_from_user(cmdptr, sic->data, cmdlen))
23281                 goto error;
23282  
23283 +       if (rq->cmd != cmdptr)
23284 +               memcpy(rq->cmd, cmdptr, cmdlen);
23285 +
23286         if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
23287                 goto error;
23288  
23289 diff -urNp linux-3.1.1/crypto/cryptd.c linux-3.1.1/crypto/cryptd.c
23290 --- linux-3.1.1/crypto/cryptd.c 2011-11-11 15:19:27.000000000 -0500
23291 +++ linux-3.1.1/crypto/cryptd.c 2011-11-16 18:39:07.000000000 -0500
23292 @@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx {
23293  
23294  struct cryptd_blkcipher_request_ctx {
23295         crypto_completion_t complete;
23296 -};
23297 +} __no_const;
23298  
23299  struct cryptd_hash_ctx {
23300         struct crypto_shash *child;
23301 @@ -80,7 +80,7 @@ struct cryptd_aead_ctx {
23302  
23303  struct cryptd_aead_request_ctx {
23304         crypto_completion_t complete;
23305 -};
23306 +} __no_const;
23307  
23308  static void cryptd_queue_worker(struct work_struct *work);
23309  
23310 diff -urNp linux-3.1.1/crypto/serpent.c linux-3.1.1/crypto/serpent.c
23311 --- linux-3.1.1/crypto/serpent.c        2011-11-11 15:19:27.000000000 -0500
23312 +++ linux-3.1.1/crypto/serpent.c        2011-11-16 18:40:10.000000000 -0500
23313 @@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
23314         u32 r0,r1,r2,r3,r4;
23315         int i;
23316  
23317 +       pax_track_stack();
23318 +
23319         /* Copy key, add padding */
23320  
23321         for (i = 0; i < keylen; ++i)
23322 diff -urNp linux-3.1.1/Documentation/dontdiff linux-3.1.1/Documentation/dontdiff
23323 --- linux-3.1.1/Documentation/dontdiff  2011-11-11 15:19:27.000000000 -0500
23324 +++ linux-3.1.1/Documentation/dontdiff  2011-11-16 18:39:07.000000000 -0500
23325 @@ -5,6 +5,7 @@
23326  *.cis
23327  *.cpio
23328  *.csp
23329 +*.dbg
23330  *.dsp
23331  *.dvi
23332  *.elf
23333 @@ -48,9 +49,11 @@
23334  *.tab.h
23335  *.tex
23336  *.ver
23337 +*.vim
23338  *.xml
23339  *.xz
23340  *_MODULES
23341 +*_reg_safe.h
23342  *_vga16.c
23343  *~
23344  \#*#
23345 @@ -70,6 +73,7 @@ Kerntypes
23346  Module.markers
23347  Module.symvers
23348  PENDING
23349 +PERF*
23350  SCCS
23351  System.map*
23352  TAGS
23353 @@ -93,19 +97,24 @@ bounds.h
23354  bsetup
23355  btfixupprep
23356  build
23357 +builtin-policy.h
23358  bvmlinux
23359  bzImage*
23360  capability_names.h
23361  capflags.c
23362  classlist.h*
23363 +clut_vga16.c
23364 +common-cmds.h
23365  comp*.log
23366  compile.h*
23367  conf
23368  config
23369  config-*
23370  config_data.h*
23371 +config.c
23372  config.mak
23373  config.mak.autogen
23374 +config.tmp
23375  conmakehash
23376  consolemap_deftbl.c*
23377  cpustr.h
23378 @@ -119,6 +128,7 @@ dslm
23379  elf2ecoff
23380  elfconfig.h*
23381  evergreen_reg_safe.h
23382 +exception_policy.conf
23383  fixdep
23384  flask.h
23385  fore200e_mkfirm
23386 @@ -126,12 +136,14 @@ fore200e_pca_fw.c*
23387  gconf
23388  gconf.glade.h
23389  gen-devlist
23390 +gen-kdb_cmds.c
23391  gen_crc32table
23392  gen_init_cpio
23393  generated
23394  genheaders
23395  genksyms
23396  *_gray256.c
23397 +hash
23398  hpet_example
23399  hugepage-mmap
23400  hugepage-shm
23401 @@ -146,7 +158,7 @@ int32.c
23402  int4.c
23403  int8.c
23404  kallsyms
23405 -kconfig
23406 +kern_constants.h
23407  keywords.c
23408  ksym.c*
23409  ksym.h*
23410 @@ -154,7 +166,6 @@ kxgettext
23411  lkc_defs.h
23412  lex.c
23413  lex.*.c
23414 -linux
23415  logo_*.c
23416  logo_*_clut224.c
23417  logo_*_mono.c
23418 @@ -166,7 +177,6 @@ machtypes.h
23419  map
23420  map_hugetlb
23421  maui_boot.h
23422 -media
23423  mconf
23424  miboot*
23425  mk_elfconfig
23426 @@ -174,6 +184,7 @@ mkboot
23427  mkbugboot
23428  mkcpustr
23429  mkdep
23430 +mkpiggy
23431  mkprep
23432  mkregtable
23433  mktables
23434 @@ -209,6 +220,7 @@ r300_reg_safe.h
23435  r420_reg_safe.h
23436  r600_reg_safe.h
23437  recordmcount
23438 +regdb.c
23439  relocs
23440  rlim_names.h
23441  rn50_reg_safe.h
23442 @@ -219,6 +231,7 @@ setup
23443  setup.bin
23444  setup.elf
23445  sImage
23446 +slabinfo
23447  sm_tbl*
23448  split-include
23449  syscalltab.h
23450 @@ -229,6 +242,7 @@ tftpboot.img
23451  timeconst.h
23452  times.h*
23453  trix_boot.h
23454 +user_constants.h
23455  utsrelease.h*
23456  vdso-syms.lds
23457  vdso.lds
23458 @@ -246,7 +260,9 @@ vmlinux
23459  vmlinux-*
23460  vmlinux.aout
23461  vmlinux.bin.all
23462 +vmlinux.bin.bz2
23463  vmlinux.lds
23464 +vmlinux.relocs
23465  vmlinuz
23466  voffset.h
23467  vsyscall.lds
23468 @@ -254,9 +270,11 @@ vsyscall_32.lds
23469  wanxlfw.inc
23470  uImage
23471  unifdef
23472 +utsrelease.h
23473  wakeup.bin
23474  wakeup.elf
23475  wakeup.lds
23476  zImage*
23477  zconf.hash.c
23478 +zconf.lex.c
23479  zoffset.h
23480 diff -urNp linux-3.1.1/Documentation/kernel-parameters.txt linux-3.1.1/Documentation/kernel-parameters.txt
23481 --- linux-3.1.1/Documentation/kernel-parameters.txt     2011-11-11 15:19:27.000000000 -0500
23482 +++ linux-3.1.1/Documentation/kernel-parameters.txt     2011-11-16 18:39:07.000000000 -0500
23483 @@ -1898,6 +1898,13 @@ bytes respectively. Such letter suffixes
23484                         the specified number of seconds.  This is to be used if
23485                         your oopses keep scrolling off the screen.
23486  
23487 +       pax_nouderef    [X86] disables UDEREF.  Most likely needed under certain
23488 +                       virtualization environments that don't cope well with the
23489 +                       expand down segment used by UDEREF on X86-32 or the frequent
23490 +                       page table updates on X86-64.
23491 +
23492 +       pax_softmode=   0/1 to disable/enable PaX softmode on boot already.
23493 +
23494         pcbit=          [HW,ISDN]
23495  
23496         pcd.            [PARIDE]
23497 diff -urNp linux-3.1.1/drivers/acpi/apei/cper.c linux-3.1.1/drivers/acpi/apei/cper.c
23498 --- linux-3.1.1/drivers/acpi/apei/cper.c        2011-11-11 15:19:27.000000000 -0500
23499 +++ linux-3.1.1/drivers/acpi/apei/cper.c        2011-11-16 18:39:07.000000000 -0500
23500 @@ -38,12 +38,12 @@
23501   */
23502  u64 cper_next_record_id(void)
23503  {
23504 -       static atomic64_t seq;
23505 +       static atomic64_unchecked_t seq;
23506  
23507 -       if (!atomic64_read(&seq))
23508 -               atomic64_set(&seq, ((u64)get_seconds()) << 32);
23509 +       if (!atomic64_read_unchecked(&seq))
23510 +               atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
23511  
23512 -       return atomic64_inc_return(&seq);
23513 +       return atomic64_inc_return_unchecked(&seq);
23514  }
23515  EXPORT_SYMBOL_GPL(cper_next_record_id);
23516  
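Review bot: Switching `seq` to `atomic64_unchecked_t` opts this counter out of the PaX REFCOUNT overflow check, and that choice should be recorded at the declaration: `/* record id, not a reference count: wrap-around is harmless, so the unchecked atomic is used */`. Without the comment the next person auditing unchecked atomics has to rediscover why this one is exempt. cper_next_record_id is shown in full in the hunk.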
23517 diff -urNp linux-3.1.1/drivers/acpi/ec_sys.c linux-3.1.1/drivers/acpi/ec_sys.c
23518 --- linux-3.1.1/drivers/acpi/ec_sys.c   2011-11-11 15:19:27.000000000 -0500
23519 +++ linux-3.1.1/drivers/acpi/ec_sys.c   2011-11-16 18:39:07.000000000 -0500
23520 @@ -11,6 +11,7 @@
23521  #include <linux/kernel.h>
23522  #include <linux/acpi.h>
23523  #include <linux/debugfs.h>
23524 +#include <asm/uaccess.h>
23525  #include "internal.h"
23526  
23527  MODULE_AUTHOR("Thomas Renninger <trenn@suse.de>");
23528 @@ -39,7 +40,7 @@ static ssize_t acpi_ec_read_io(struct fi
23529          * struct acpi_ec *ec = ((struct seq_file *)f->private_data)->private;
23530          */
23531         unsigned int size = EC_SPACE_SIZE;
23532 -       u8 *data = (u8 *) buf;
23533 +       u8 data;
23534         loff_t init_off = *off;
23535         int err = 0;
23536  
23537 @@ -52,9 +53,11 @@ static ssize_t acpi_ec_read_io(struct fi
23538                 size = count;
23539  
23540         while (size) {
23541 -               err = ec_read(*off, &data[*off - init_off]);
23542 +               err = ec_read(*off, &data);
23543                 if (err)
23544                         return err;
23545 +               if (put_user(data, &buf[*off - init_off]))
23546 +                       return -EFAULT;
23547                 *off += 1;
23548                 size--;
23549         }
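Review bot: The switch to a per-byte `put_user()` fixes a real bug — the old code wrote to the `__user` buffer through a plain `u8 *`, a direct dereference of user memory — but the hunk does not record that, so a comment in the loop is worth adding: `/* buf is a user pointer: go through put_user rather than writing to it directly */`; the write side in the next hunk (`get_user(byte_write, &buf[*off - init_off])`) should carry the matching comment. On `-EFAULT` the function returns without reporting the bytes already transferred although `*off` has been advanced for them; that mirrors the existing `ec_read` error path, but returning the partial count when `*off != init_off` would be the usual convention. Both functions start outside their hunks.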
23550 @@ -70,7 +73,6 @@ static ssize_t acpi_ec_write_io(struct f
23551  
23552         unsigned int size = count;
23553         loff_t init_off = *off;
23554 -       u8 *data = (u8 *) buf;
23555         int err = 0;
23556  
23557         if (*off >= EC_SPACE_SIZE)
23558 @@ -81,7 +83,9 @@ static ssize_t acpi_ec_write_io(struct f
23559         }
23560  
23561         while (size) {
23562 -               u8 byte_write = data[*off - init_off];
23563 +               u8 byte_write;
23564 +               if (get_user(byte_write, &buf[*off - init_off]))
23565 +                       return -EFAULT;
23566                 err = ec_write(*off, byte_write);
23567                 if (err)
23568                         return err;
23569 diff -urNp linux-3.1.1/drivers/acpi/proc.c linux-3.1.1/drivers/acpi/proc.c
23570 --- linux-3.1.1/drivers/acpi/proc.c     2011-11-11 15:19:27.000000000 -0500
23571 +++ linux-3.1.1/drivers/acpi/proc.c     2011-11-16 18:39:07.000000000 -0500
23572 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
23573                                 size_t count, loff_t * ppos)
23574  {
23575         struct list_head *node, *next;
23576 -       char strbuf[5];
23577 -       char str[5] = "";
23578 -       unsigned int len = count;
23579 -
23580 -       if (len > 4)
23581 -               len = 4;
23582 -       if (len < 0)
23583 -               return -EFAULT;
23584 +       char strbuf[5] = {0};
23585  
23586 -       if (copy_from_user(strbuf, buffer, len))
23587 +       if (count > 4)
23588 +               count = 4;
23589 +       if (copy_from_user(strbuf, buffer, count))
23590                 return -EFAULT;
23591 -       strbuf[len] = '\0';
23592 -       sscanf(strbuf, "%s", str);
23593 +       strbuf[count] = '\0';
23594  
23595         mutex_lock(&acpi_device_lock);
23596         list_for_each_safe(node, next, &acpi_wakeup_device_list) {
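Review bot: Dropping `sscanf(strbuf, "%s", str)` changes how the input is matched: the old code took the first whitespace-delimited token, so a write of `LID\n` compared "LID", whereas the new code compares the raw bytes including the newline, so by strncmp semantics it no longer matches a 3-character bus_id; four-character IDs are unaffected. If that is intentional it deserves a comment, e.g. `/* compare the raw write (at most 4 bytes): no token parsing, trailing newline included */`, otherwise strip a trailing `'\n'` before the `strncmp()`. `strbuf[count] = '\0';` is redundant with the `= {0}` initialiser but harmless. acpi_system_write_wakeup_device continues in the next hunk.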
23597 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
23598                 if (!dev->wakeup.flags.valid)
23599                         continue;
23600  
23601 -               if (!strncmp(dev->pnp.bus_id, str, 4)) {
23602 +               if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
23603                         if (device_can_wakeup(&dev->dev)) {
23604                                 bool enable = !device_may_wakeup(&dev->dev);
23605                                 device_set_wakeup_enable(&dev->dev, enable);
23606 diff -urNp linux-3.1.1/drivers/acpi/processor_driver.c linux-3.1.1/drivers/acpi/processor_driver.c
23607 --- linux-3.1.1/drivers/acpi/processor_driver.c 2011-11-11 15:19:27.000000000 -0500
23608 +++ linux-3.1.1/drivers/acpi/processor_driver.c 2011-11-16 18:39:07.000000000 -0500
23609 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
23610                 return 0;
23611  #endif
23612  
23613 -       BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
23614 +       BUG_ON(pr->id >= nr_cpu_ids);
23615  
23616         /*
23617          * Buggy BIOS check
23618 diff -urNp linux-3.1.1/drivers/ata/libata-core.c linux-3.1.1/drivers/ata/libata-core.c
23619 --- linux-3.1.1/drivers/ata/libata-core.c       2011-11-11 15:19:27.000000000 -0500
23620 +++ linux-3.1.1/drivers/ata/libata-core.c       2011-11-16 18:39:07.000000000 -0500
23621 @@ -4733,7 +4733,7 @@ void ata_qc_free(struct ata_queued_cmd *
23622         struct ata_port *ap;
23623         unsigned int tag;
23624  
23625 -       WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23626 +       BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23627         ap = qc->ap;
23628  
23629         qc->flags = 0;
23630 @@ -4749,7 +4749,7 @@ void __ata_qc_complete(struct ata_queued
23631         struct ata_port *ap;
23632         struct ata_link *link;
23633  
23634 -       WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23635 +       BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23636         WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
23637         ap = qc->ap;
23638         link = qc->dev->link;
23639 @@ -5754,6 +5754,7 @@ static void ata_finalize_port_ops(struct
23640                 return;
23641  
23642         spin_lock(&lock);
23643 +       pax_open_kernel();
23644  
23645         for (cur = ops->inherits; cur; cur = cur->inherits) {
23646                 void **inherit = (void **)cur;
23647 @@ -5767,8 +5768,9 @@ static void ata_finalize_port_ops(struct
23648                 if (IS_ERR(*pp))
23649                         *pp = NULL;
23650  
23651 -       ops->inherits = NULL;
23652 +       *(struct ata_port_operations **)&ops->inherits = NULL;
23653  
23654 +       pax_close_kernel();
23655         spin_unlock(&lock);
23656  }
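Review bot: The write `*(struct ata_port_operations **)&ops->inherits = NULL;` casts a qualifier away (presumably `ops` is const in this tree) and is only safe because `pax_open_kernel()` in the previous hunk made the page writable, yet nothing in the code says so; a comment such as `/* ops is read-only under KERNEXEC; writable only between pax_open_kernel() and pax_close_kernel() */` would tell the next reader why the cast is there. The body between the two hunks is not visible, so it is worth confirming that no exit exists between `pax_open_kernel()` and `pax_close_kernel()`, since such a path would leave the kernel writable as well as the lock held. The same cast-through-const pattern appears in the pata_arasan_cf.c hunk below, where `ap->ops` likely points at a shared static ops table, so clearing `set_piomode` affects every port using it; that behaviour predates this patch but also deserves a comment.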
23657  
23658 diff -urNp linux-3.1.1/drivers/ata/libata-eh.c linux-3.1.1/drivers/ata/libata-eh.c
23659 --- linux-3.1.1/drivers/ata/libata-eh.c 2011-11-11 15:19:27.000000000 -0500
23660 +++ linux-3.1.1/drivers/ata/libata-eh.c 2011-11-16 18:40:10.000000000 -0500
23661 @@ -2515,6 +2515,8 @@ void ata_eh_report(struct ata_port *ap)
23662  {
23663         struct ata_link *link;
23664  
23665 +       pax_track_stack();
23666 +
23667         ata_for_each_link(link, ap, HOST_FIRST)
23668                 ata_eh_link_report(link);
23669  }
23670 diff -urNp linux-3.1.1/drivers/ata/pata_arasan_cf.c linux-3.1.1/drivers/ata/pata_arasan_cf.c
23671 --- linux-3.1.1/drivers/ata/pata_arasan_cf.c    2011-11-11 15:19:27.000000000 -0500
23672 +++ linux-3.1.1/drivers/ata/pata_arasan_cf.c    2011-11-16 18:39:07.000000000 -0500
23673 @@ -862,7 +862,9 @@ static int __devinit arasan_cf_probe(str
23674         /* Handle platform specific quirks */
23675         if (pdata->quirk) {
23676                 if (pdata->quirk & CF_BROKEN_PIO) {
23677 -                       ap->ops->set_piomode = NULL;
23678 +                       pax_open_kernel();
23679 +                       *(void **)&ap->ops->set_piomode = NULL;
23680 +                       pax_close_kernel();
23681                         ap->pio_mask = 0;
23682                 }
23683                 if (pdata->quirk & CF_BROKEN_MWDMA)
23684 diff -urNp linux-3.1.1/drivers/atm/adummy.c linux-3.1.1/drivers/atm/adummy.c
23685 --- linux-3.1.1/drivers/atm/adummy.c    2011-11-11 15:19:27.000000000 -0500
23686 +++ linux-3.1.1/drivers/atm/adummy.c    2011-11-16 18:39:07.000000000 -0500
23687 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct 
23688                 vcc->pop(vcc, skb);
23689         else
23690                 dev_kfree_skb_any(skb);
23691 -       atomic_inc(&vcc->stats->tx);
23692 +       atomic_inc_unchecked(&vcc->stats->tx);
23693  
23694         return 0;
23695  }
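Review bot: Switching the ATM VC statistics counters to `atomic_inc_unchecked()` exempts them from the PAX_REFCOUNT overflow check, which is appropriate because they are wrapping event counters rather than reference counts, but nothing near the call sites explains this, and a reader may take the `_unchecked` variant for a mistake. It also means these counters can silently wrap, so anything consuming `vcc->stats` should treat them as modular 32-bit values. The conversion presumably pairs with a change of the stats struct fields to `atomic_unchecked_t` in the header part of this patch, which is outside this chunk. A one-line comment at the first conversion, `/* statistics, not refcounts: wrapping is harmless, so skip the REFCOUNT check */`, would document the intent. The same mechanical change appears in the ambassador, atmtcp, eni, firestream, fore200e, he, horizon, idt77252, iphase and lanai hunks below.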
23696 diff -urNp linux-3.1.1/drivers/atm/ambassador.c linux-3.1.1/drivers/atm/ambassador.c
23697 --- linux-3.1.1/drivers/atm/ambassador.c        2011-11-11 15:19:27.000000000 -0500
23698 +++ linux-3.1.1/drivers/atm/ambassador.c        2011-11-16 18:39:07.000000000 -0500
23699 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, 
23700    PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
23701    
23702    // VC layer stats
23703 -  atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23704 +  atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23705    
23706    // free the descriptor
23707    kfree (tx_descr);
23708 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev, 
23709           dump_skb ("<<<", vc, skb);
23710           
23711           // VC layer stats
23712 -         atomic_inc(&atm_vcc->stats->rx);
23713 +         atomic_inc_unchecked(&atm_vcc->stats->rx);
23714           __net_timestamp(skb);
23715           // end of our responsibility
23716           atm_vcc->push (atm_vcc, skb);
23717 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev, 
23718        } else {
23719         PRINTK (KERN_INFO, "dropped over-size frame");
23720         // should we count this?
23721 -       atomic_inc(&atm_vcc->stats->rx_drop);
23722 +       atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23723        }
23724        
23725      } else {
23726 @@ -1338,7 +1338,7 @@ static int amb_send (struct atm_vcc * at
23727    }
23728    
23729    if (check_area (skb->data, skb->len)) {
23730 -    atomic_inc(&atm_vcc->stats->tx_err);
23731 +    atomic_inc_unchecked(&atm_vcc->stats->tx_err);
23732      return -ENOMEM; // ?
23733    }
23734    
23735 diff -urNp linux-3.1.1/drivers/atm/atmtcp.c linux-3.1.1/drivers/atm/atmtcp.c
23736 --- linux-3.1.1/drivers/atm/atmtcp.c    2011-11-11 15:19:27.000000000 -0500
23737 +++ linux-3.1.1/drivers/atm/atmtcp.c    2011-11-16 18:39:07.000000000 -0500
23738 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc 
23739                 if (vcc->pop) vcc->pop(vcc,skb);
23740                 else dev_kfree_skb(skb);
23741                 if (dev_data) return 0;
23742 -               atomic_inc(&vcc->stats->tx_err);
23743 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23744                 return -ENOLINK;
23745         }
23746         size = skb->len+sizeof(struct atmtcp_hdr);
23747 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc 
23748         if (!new_skb) {
23749                 if (vcc->pop) vcc->pop(vcc,skb);
23750                 else dev_kfree_skb(skb);
23751 -               atomic_inc(&vcc->stats->tx_err);
23752 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23753                 return -ENOBUFS;
23754         }
23755         hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
23756 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc 
23757         if (vcc->pop) vcc->pop(vcc,skb);
23758         else dev_kfree_skb(skb);
23759         out_vcc->push(out_vcc,new_skb);
23760 -       atomic_inc(&vcc->stats->tx);
23761 -       atomic_inc(&out_vcc->stats->rx);
23762 +       atomic_inc_unchecked(&vcc->stats->tx);
23763 +       atomic_inc_unchecked(&out_vcc->stats->rx);
23764         return 0;
23765  }
23766  
23767 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc 
23768         out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
23769         read_unlock(&vcc_sklist_lock);
23770         if (!out_vcc) {
23771 -               atomic_inc(&vcc->stats->tx_err);
23772 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23773                 goto done;
23774         }
23775         skb_pull(skb,sizeof(struct atmtcp_hdr));
23776 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc 
23777         __net_timestamp(new_skb);
23778         skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
23779         out_vcc->push(out_vcc,new_skb);
23780 -       atomic_inc(&vcc->stats->tx);
23781 -       atomic_inc(&out_vcc->stats->rx);
23782 +       atomic_inc_unchecked(&vcc->stats->tx);
23783 +       atomic_inc_unchecked(&out_vcc->stats->rx);
23784  done:
23785         if (vcc->pop) vcc->pop(vcc,skb);
23786         else dev_kfree_skb(skb);
23787 diff -urNp linux-3.1.1/drivers/atm/eni.c linux-3.1.1/drivers/atm/eni.c
23788 --- linux-3.1.1/drivers/atm/eni.c       2011-11-11 15:19:27.000000000 -0500
23789 +++ linux-3.1.1/drivers/atm/eni.c       2011-11-16 18:39:07.000000000 -0500
23790 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
23791                 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
23792                     vcc->dev->number);
23793                 length = 0;
23794 -               atomic_inc(&vcc->stats->rx_err);
23795 +               atomic_inc_unchecked(&vcc->stats->rx_err);
23796         }
23797         else {
23798                 length = ATM_CELL_SIZE-1; /* no HEC */
23799 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23800                             size);
23801                 }
23802                 eff = length = 0;
23803 -               atomic_inc(&vcc->stats->rx_err);
23804 +               atomic_inc_unchecked(&vcc->stats->rx_err);
23805         }
23806         else {
23807                 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
23808 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23809                             "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
23810                             vcc->dev->number,vcc->vci,length,size << 2,descr);
23811                         length = eff = 0;
23812 -                       atomic_inc(&vcc->stats->rx_err);
23813 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
23814                 }
23815         }
23816         skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
23817 @@ -771,7 +771,7 @@ rx_dequeued++;
23818                         vcc->push(vcc,skb);
23819                         pushed++;
23820                 }
23821 -               atomic_inc(&vcc->stats->rx);
23822 +               atomic_inc_unchecked(&vcc->stats->rx);
23823         }
23824         wake_up(&eni_dev->rx_wait);
23825  }
23826 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
23827                     PCI_DMA_TODEVICE);
23828                 if (vcc->pop) vcc->pop(vcc,skb);
23829                 else dev_kfree_skb_irq(skb);
23830 -               atomic_inc(&vcc->stats->tx);
23831 +               atomic_inc_unchecked(&vcc->stats->tx);
23832                 wake_up(&eni_dev->tx_wait);
23833  dma_complete++;
23834         }
23835 @@ -1568,7 +1568,7 @@ tx_complete++;
23836  /*--------------------------------- entries ---------------------------------*/
23837  
23838  
23839 -static const char *media_name[] __devinitdata = {
23840 +static const char *media_name[] __devinitconst = {
23841      "MMF", "SMF", "MMF", "03?", /*  0- 3 */
23842      "UTP", "05?", "06?", "07?", /*  4- 7 */
23843      "TAXI","09?", "10?", "11?", /*  8-11 */
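Review bot: `media_name` is an array of pointers to const char, but the array object itself is not const, so moving it to `__devinitconst` places a writable object in a read-only section; GCC may reject this with a section type conflict once another const object shares that section, and at minimum the declaration and placement disagree. Making the array itself const matches the section: `static const char * const media_name[] __devinitconst = {`. The initializer continues outside the hunk.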
23844 diff -urNp linux-3.1.1/drivers/atm/firestream.c linux-3.1.1/drivers/atm/firestream.c
23845 --- linux-3.1.1/drivers/atm/firestream.c        2011-11-11 15:19:27.000000000 -0500
23846 +++ linux-3.1.1/drivers/atm/firestream.c        2011-11-16 18:39:07.000000000 -0500
23847 @@ -750,7 +750,7 @@ static void process_txdone_queue (struct
23848                                 }
23849                         }
23850  
23851 -                       atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23852 +                       atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23853  
23854                         fs_dprintk (FS_DEBUG_TXMEM, "i");
23855                         fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
23856 @@ -817,7 +817,7 @@ static void process_incoming (struct fs_
23857  #endif
23858                                 skb_put (skb, qe->p1 & 0xffff); 
23859                                 ATM_SKB(skb)->vcc = atm_vcc;
23860 -                               atomic_inc(&atm_vcc->stats->rx);
23861 +                               atomic_inc_unchecked(&atm_vcc->stats->rx);
23862                                 __net_timestamp(skb);
23863                                 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
23864                                 atm_vcc->push (atm_vcc, skb);
23865 @@ -838,12 +838,12 @@ static void process_incoming (struct fs_
23866                                 kfree (pe);
23867                         }
23868                         if (atm_vcc)
23869 -                               atomic_inc(&atm_vcc->stats->rx_drop);
23870 +                               atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23871                         break;
23872                 case 0x1f: /*  Reassembly abort: no buffers. */
23873                         /* Silently increment error counter. */
23874                         if (atm_vcc)
23875 -                               atomic_inc(&atm_vcc->stats->rx_drop);
23876 +                               atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23877                         break;
23878                 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
23879                         printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n", 
23880 diff -urNp linux-3.1.1/drivers/atm/fore200e.c linux-3.1.1/drivers/atm/fore200e.c
23881 --- linux-3.1.1/drivers/atm/fore200e.c  2011-11-11 15:19:27.000000000 -0500
23882 +++ linux-3.1.1/drivers/atm/fore200e.c  2011-11-16 18:39:07.000000000 -0500
23883 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
23884  #endif
23885                 /* check error condition */
23886                 if (*entry->status & STATUS_ERROR)
23887 -                   atomic_inc(&vcc->stats->tx_err);
23888 +                   atomic_inc_unchecked(&vcc->stats->tx_err);
23889                 else
23890 -                   atomic_inc(&vcc->stats->tx);
23891 +                   atomic_inc_unchecked(&vcc->stats->tx);
23892             }
23893         }
23894  
23895 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
23896      if (skb == NULL) {
23897         DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
23898  
23899 -       atomic_inc(&vcc->stats->rx_drop);
23900 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
23901         return -ENOMEM;
23902      } 
23903  
23904 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
23905  
23906         dev_kfree_skb_any(skb);
23907  
23908 -       atomic_inc(&vcc->stats->rx_drop);
23909 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
23910         return -ENOMEM;
23911      }
23912  
23913      ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23914  
23915      vcc->push(vcc, skb);
23916 -    atomic_inc(&vcc->stats->rx);
23917 +    atomic_inc_unchecked(&vcc->stats->rx);
23918  
23919      ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23920  
23921 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
23922                 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
23923                         fore200e->atm_dev->number,
23924                         entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
23925 -               atomic_inc(&vcc->stats->rx_err);
23926 +               atomic_inc_unchecked(&vcc->stats->rx_err);
23927             }
23928         }
23929  
23930 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
23931                 goto retry_here;
23932             }
23933  
23934 -           atomic_inc(&vcc->stats->tx_err);
23935 +           atomic_inc_unchecked(&vcc->stats->tx_err);
23936  
23937             fore200e->tx_sat++;
23938             DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
23939 diff -urNp linux-3.1.1/drivers/atm/he.c linux-3.1.1/drivers/atm/he.c
23940 --- linux-3.1.1/drivers/atm/he.c        2011-11-11 15:19:27.000000000 -0500
23941 +++ linux-3.1.1/drivers/atm/he.c        2011-11-16 18:39:07.000000000 -0500
23942 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23943  
23944                 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
23945                         hprintk("HBUF_ERR!  (cid 0x%x)\n", cid);
23946 -                               atomic_inc(&vcc->stats->rx_drop);
23947 +                               atomic_inc_unchecked(&vcc->stats->rx_drop);
23948                         goto return_host_buffers;
23949                 }
23950  
23951 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23952                                 RBRQ_LEN_ERR(he_dev->rbrq_head)
23953                                                         ? "LEN_ERR" : "",
23954                                                         vcc->vpi, vcc->vci);
23955 -                       atomic_inc(&vcc->stats->rx_err);
23956 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
23957                         goto return_host_buffers;
23958                 }
23959  
23960 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23961                 vcc->push(vcc, skb);
23962                 spin_lock(&he_dev->global_lock);
23963  
23964 -               atomic_inc(&vcc->stats->rx);
23965 +               atomic_inc_unchecked(&vcc->stats->rx);
23966  
23967  return_host_buffers:
23968                 ++pdus_assembled;
23969 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
23970                                         tpd->vcc->pop(tpd->vcc, tpd->skb);
23971                                 else
23972                                         dev_kfree_skb_any(tpd->skb);
23973 -                               atomic_inc(&tpd->vcc->stats->tx_err);
23974 +                               atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
23975                         }
23976                         pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
23977                         return;
23978 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23979                         vcc->pop(vcc, skb);
23980                 else
23981                         dev_kfree_skb_any(skb);
23982 -               atomic_inc(&vcc->stats->tx_err);
23983 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23984                 return -EINVAL;
23985         }
23986  
23987 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23988                         vcc->pop(vcc, skb);
23989                 else
23990                         dev_kfree_skb_any(skb);
23991 -               atomic_inc(&vcc->stats->tx_err);
23992 +               atomic_inc_unchecked(&vcc->stats->tx_err);
23993                 return -EINVAL;
23994         }
23995  #endif
23996 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23997                         vcc->pop(vcc, skb);
23998                 else
23999                         dev_kfree_skb_any(skb);
24000 -               atomic_inc(&vcc->stats->tx_err);
24001 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24002                 spin_unlock_irqrestore(&he_dev->global_lock, flags);
24003                 return -ENOMEM;
24004         }
24005 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
24006                                         vcc->pop(vcc, skb);
24007                                 else
24008                                         dev_kfree_skb_any(skb);
24009 -                               atomic_inc(&vcc->stats->tx_err);
24010 +                               atomic_inc_unchecked(&vcc->stats->tx_err);
24011                                 spin_unlock_irqrestore(&he_dev->global_lock, flags);
24012                                 return -ENOMEM;
24013                         }
24014 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
24015         __enqueue_tpd(he_dev, tpd, cid);
24016         spin_unlock_irqrestore(&he_dev->global_lock, flags);
24017  
24018 -       atomic_inc(&vcc->stats->tx);
24019 +       atomic_inc_unchecked(&vcc->stats->tx);
24020  
24021         return 0;
24022  }
24023 diff -urNp linux-3.1.1/drivers/atm/horizon.c linux-3.1.1/drivers/atm/horizon.c
24024 --- linux-3.1.1/drivers/atm/horizon.c   2011-11-11 15:19:27.000000000 -0500
24025 +++ linux-3.1.1/drivers/atm/horizon.c   2011-11-16 18:39:07.000000000 -0500
24026 @@ -1035,7 +1035,7 @@ static void rx_schedule (hrz_dev * dev, 
24027         {
24028           struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
24029           // VC layer stats
24030 -         atomic_inc(&vcc->stats->rx);
24031 +         atomic_inc_unchecked(&vcc->stats->rx);
24032           __net_timestamp(skb);
24033           // end of our responsibility
24034           vcc->push (vcc, skb);
24035 @@ -1187,7 +1187,7 @@ static void tx_schedule (hrz_dev * const
24036         dev->tx_iovec = NULL;
24037         
24038         // VC layer stats
24039 -       atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
24040 +       atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
24041         
24042         // free the skb
24043         hrz_kfree_skb (skb);
24044 diff -urNp linux-3.1.1/drivers/atm/idt77252.c linux-3.1.1/drivers/atm/idt77252.c
24045 --- linux-3.1.1/drivers/atm/idt77252.c  2011-11-11 15:19:27.000000000 -0500
24046 +++ linux-3.1.1/drivers/atm/idt77252.c  2011-11-16 18:39:07.000000000 -0500
24047 @@ -812,7 +812,7 @@ drain_scq(struct idt77252_dev *card, str
24048                 else
24049                         dev_kfree_skb(skb);
24050  
24051 -               atomic_inc(&vcc->stats->tx);
24052 +               atomic_inc_unchecked(&vcc->stats->tx);
24053         }
24054  
24055         atomic_dec(&scq->used);
24056 @@ -1075,13 +1075,13 @@ dequeue_rx(struct idt77252_dev *card, st
24057                         if ((sb = dev_alloc_skb(64)) == NULL) {
24058                                 printk("%s: Can't allocate buffers for aal0.\n",
24059                                        card->name);
24060 -                               atomic_add(i, &vcc->stats->rx_drop);
24061 +                               atomic_add_unchecked(i, &vcc->stats->rx_drop);
24062                                 break;
24063                         }
24064                         if (!atm_charge(vcc, sb->truesize)) {
24065                                 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
24066                                          card->name);
24067 -                               atomic_add(i - 1, &vcc->stats->rx_drop);
24068 +                               atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
24069                                 dev_kfree_skb(sb);
24070                                 break;
24071                         }
24072 @@ -1098,7 +1098,7 @@ dequeue_rx(struct idt77252_dev *card, st
24073                         ATM_SKB(sb)->vcc = vcc;
24074                         __net_timestamp(sb);
24075                         vcc->push(vcc, sb);
24076 -                       atomic_inc(&vcc->stats->rx);
24077 +                       atomic_inc_unchecked(&vcc->stats->rx);
24078  
24079                         cell += ATM_CELL_PAYLOAD;
24080                 }
24081 @@ -1135,13 +1135,13 @@ dequeue_rx(struct idt77252_dev *card, st
24082                                  "(CDC: %08x)\n",
24083                                  card->name, len, rpp->len, readl(SAR_REG_CDC));
24084                         recycle_rx_pool_skb(card, rpp);
24085 -                       atomic_inc(&vcc->stats->rx_err);
24086 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24087                         return;
24088                 }
24089                 if (stat & SAR_RSQE_CRC) {
24090                         RXPRINTK("%s: AAL5 CRC error.\n", card->name);
24091                         recycle_rx_pool_skb(card, rpp);
24092 -                       atomic_inc(&vcc->stats->rx_err);
24093 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24094                         return;
24095                 }
24096                 if (skb_queue_len(&rpp->queue) > 1) {
24097 @@ -1152,7 +1152,7 @@ dequeue_rx(struct idt77252_dev *card, st
24098                                 RXPRINTK("%s: Can't alloc RX skb.\n",
24099                                          card->name);
24100                                 recycle_rx_pool_skb(card, rpp);
24101 -                               atomic_inc(&vcc->stats->rx_err);
24102 +                               atomic_inc_unchecked(&vcc->stats->rx_err);
24103                                 return;
24104                         }
24105                         if (!atm_charge(vcc, skb->truesize)) {
24106 @@ -1171,7 +1171,7 @@ dequeue_rx(struct idt77252_dev *card, st
24107                         __net_timestamp(skb);
24108  
24109                         vcc->push(vcc, skb);
24110 -                       atomic_inc(&vcc->stats->rx);
24111 +                       atomic_inc_unchecked(&vcc->stats->rx);
24112  
24113                         return;
24114                 }
24115 @@ -1193,7 +1193,7 @@ dequeue_rx(struct idt77252_dev *card, st
24116                 __net_timestamp(skb);
24117  
24118                 vcc->push(vcc, skb);
24119 -               atomic_inc(&vcc->stats->rx);
24120 +               atomic_inc_unchecked(&vcc->stats->rx);
24121  
24122                 if (skb->truesize > SAR_FB_SIZE_3)
24123                         add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
24124 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
24125                 if (vcc->qos.aal != ATM_AAL0) {
24126                         RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
24127                                 card->name, vpi, vci);
24128 -                       atomic_inc(&vcc->stats->rx_drop);
24129 +                       atomic_inc_unchecked(&vcc->stats->rx_drop);
24130                         goto drop;
24131                 }
24132         
24133                 if ((sb = dev_alloc_skb(64)) == NULL) {
24134                         printk("%s: Can't allocate buffers for AAL0.\n",
24135                                card->name);
24136 -                       atomic_inc(&vcc->stats->rx_err);
24137 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24138                         goto drop;
24139                 }
24140  
24141 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
24142                 ATM_SKB(sb)->vcc = vcc;
24143                 __net_timestamp(sb);
24144                 vcc->push(vcc, sb);
24145 -               atomic_inc(&vcc->stats->rx);
24146 +               atomic_inc_unchecked(&vcc->stats->rx);
24147  
24148  drop:
24149                 skb_pull(queue, 64);
24150 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24151  
24152         if (vc == NULL) {
24153                 printk("%s: NULL connection in send().\n", card->name);
24154 -               atomic_inc(&vcc->stats->tx_err);
24155 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24156                 dev_kfree_skb(skb);
24157                 return -EINVAL;
24158         }
24159         if (!test_bit(VCF_TX, &vc->flags)) {
24160                 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
24161 -               atomic_inc(&vcc->stats->tx_err);
24162 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24163                 dev_kfree_skb(skb);
24164                 return -EINVAL;
24165         }
24166 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24167                 break;
24168         default:
24169                 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
24170 -               atomic_inc(&vcc->stats->tx_err);
24171 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24172                 dev_kfree_skb(skb);
24173                 return -EINVAL;
24174         }
24175  
24176         if (skb_shinfo(skb)->nr_frags != 0) {
24177                 printk("%s: No scatter-gather yet.\n", card->name);
24178 -               atomic_inc(&vcc->stats->tx_err);
24179 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24180                 dev_kfree_skb(skb);
24181                 return -EINVAL;
24182         }
24183 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24184  
24185         err = queue_skb(card, vc, skb, oam);
24186         if (err) {
24187 -               atomic_inc(&vcc->stats->tx_err);
24188 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24189                 dev_kfree_skb(skb);
24190                 return err;
24191         }
24192 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
24193         skb = dev_alloc_skb(64);
24194         if (!skb) {
24195                 printk("%s: Out of memory in send_oam().\n", card->name);
24196 -               atomic_inc(&vcc->stats->tx_err);
24197 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24198                 return -ENOMEM;
24199         }
24200         atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
24201 diff -urNp linux-3.1.1/drivers/atm/iphase.c linux-3.1.1/drivers/atm/iphase.c
24202 --- linux-3.1.1/drivers/atm/iphase.c    2011-11-11 15:19:27.000000000 -0500
24203 +++ linux-3.1.1/drivers/atm/iphase.c    2011-11-16 18:39:07.000000000 -0500
24204 @@ -1121,7 +1121,7 @@ static int rx_pkt(struct atm_dev *dev)  
24205         status = (u_short) (buf_desc_ptr->desc_mode);  
24206         if (status & (RX_CER | RX_PTE | RX_OFL))  
24207         {  
24208 -                atomic_inc(&vcc->stats->rx_err);
24209 +                atomic_inc_unchecked(&vcc->stats->rx_err);
24210                 IF_ERR(printk("IA: bad packet, dropping it");)  
24211                  if (status & RX_CER) { 
24212                      IF_ERR(printk(" cause: packet CRC error\n");)
24213 @@ -1144,7 +1144,7 @@ static int rx_pkt(struct atm_dev *dev)  
24214         len = dma_addr - buf_addr;  
24215          if (len > iadev->rx_buf_sz) {
24216             printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
24217 -           atomic_inc(&vcc->stats->rx_err);
24218 +           atomic_inc_unchecked(&vcc->stats->rx_err);
24219            goto out_free_desc;
24220          }
24221                   
24222 @@ -1294,7 +1294,7 @@ static void rx_dle_intr(struct atm_dev *
24223            ia_vcc = INPH_IA_VCC(vcc);
24224            if (ia_vcc == NULL)
24225            {
24226 -             atomic_inc(&vcc->stats->rx_err);
24227 +             atomic_inc_unchecked(&vcc->stats->rx_err);
24228               dev_kfree_skb_any(skb);
24229               atm_return(vcc, atm_guess_pdu2truesize(len));
24230               goto INCR_DLE;
24231 @@ -1306,7 +1306,7 @@ static void rx_dle_intr(struct atm_dev *
24232            if ((length > iadev->rx_buf_sz) || (length > 
24233                                (skb->len - sizeof(struct cpcs_trailer))))
24234            {
24235 -             atomic_inc(&vcc->stats->rx_err);
24236 +             atomic_inc_unchecked(&vcc->stats->rx_err);
24237               IF_ERR(printk("rx_dle_intr: Bad  AAL5 trailer %d (skb len %d)", 
24238                                                              length, skb->len);)
24239               dev_kfree_skb_any(skb);
24240 @@ -1322,7 +1322,7 @@ static void rx_dle_intr(struct atm_dev *
24241  
24242           IF_RX(printk("rx_dle_intr: skb push");)  
24243           vcc->push(vcc,skb);  
24244 -         atomic_inc(&vcc->stats->rx);
24245 +         atomic_inc_unchecked(&vcc->stats->rx);
24246            iadev->rx_pkt_cnt++;
24247        }  
24248  INCR_DLE:
24249 @@ -2802,15 +2802,15 @@ static int ia_ioctl(struct atm_dev *dev,
24250           {
24251               struct k_sonet_stats *stats;
24252               stats = &PRIV(_ia_dev[board])->sonet_stats;
24253 -             printk("section_bip: %d\n", atomic_read(&stats->section_bip));
24254 -             printk("line_bip   : %d\n", atomic_read(&stats->line_bip));
24255 -             printk("path_bip   : %d\n", atomic_read(&stats->path_bip));
24256 -             printk("line_febe  : %d\n", atomic_read(&stats->line_febe));
24257 -             printk("path_febe  : %d\n", atomic_read(&stats->path_febe));
24258 -             printk("corr_hcs   : %d\n", atomic_read(&stats->corr_hcs));
24259 -             printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
24260 -             printk("tx_cells   : %d\n", atomic_read(&stats->tx_cells));
24261 -             printk("rx_cells   : %d\n", atomic_read(&stats->rx_cells));
24262 +             printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
24263 +             printk("line_bip   : %d\n", atomic_read_unchecked(&stats->line_bip));
24264 +             printk("path_bip   : %d\n", atomic_read_unchecked(&stats->path_bip));
24265 +             printk("line_febe  : %d\n", atomic_read_unchecked(&stats->line_febe));
24266 +             printk("path_febe  : %d\n", atomic_read_unchecked(&stats->path_febe));
24267 +             printk("corr_hcs   : %d\n", atomic_read_unchecked(&stats->corr_hcs));
24268 +             printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
24269 +             printk("tx_cells   : %d\n", atomic_read_unchecked(&stats->tx_cells));
24270 +             printk("rx_cells   : %d\n", atomic_read_unchecked(&stats->rx_cells));
24271           }
24272              ia_cmds.status = 0;
24273              break;
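Review bot: The nine rewritten printk() lines in ia_ioctl give no reason why these SONET counters are now read with atomic_read_unchecked() instead of atomic_read(), and the same silent conversion repeats for every vcc->stats update in the remaining iphase, lanai, nicstar, solos-pci and zatm hunks below. The type change that makes these calls necessary is not in any of these hunks, so a one-line comment at the first conversion site in each driver would spare the next reader a search through the headers, e.g. `/* vcc->stats are plain event counters: wrap-around is harmless, so they are deliberately kept out of atomic overflow checking */` — confirm the wording against the header that redefines the stats fields. While these lines are being rewritten anyway, they are printk() calls without a KERN_ level; `printk(KERN_INFO "section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));` (and likewise for the other eight) would keep the ioctl's diagnostic output at a defined log level.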
24274 @@ -2915,7 +2915,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
24275         if ((desc == 0) || (desc > iadev->num_tx_desc))  
24276         {  
24277                 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);) 
24278 -                atomic_inc(&vcc->stats->tx);
24279 +                atomic_inc_unchecked(&vcc->stats->tx);
24280                 if (vcc->pop)   
24281                     vcc->pop(vcc, skb);   
24282                 else  
24283 @@ -3020,14 +3020,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
24284          ATM_DESC(skb) = vcc->vci;
24285          skb_queue_tail(&iadev->tx_dma_q, skb);
24286  
24287 -        atomic_inc(&vcc->stats->tx);
24288 +        atomic_inc_unchecked(&vcc->stats->tx);
24289          iadev->tx_pkt_cnt++;
24290         /* Increment transaction counter */  
24291         writel(2, iadev->dma+IPHASE5575_TX_COUNTER);  
24292          
24293  #if 0        
24294          /* add flow control logic */ 
24295 -        if (atomic_read(&vcc->stats->tx) % 20 == 0) {
24296 +        if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
24297            if (iavcc->vc_desc_cnt > 10) {
24298               vcc->tx_quota =  vcc->tx_quota * 3 / 4;
24299              printk("Tx1:  vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
24300 diff -urNp linux-3.1.1/drivers/atm/lanai.c linux-3.1.1/drivers/atm/lanai.c
24301 --- linux-3.1.1/drivers/atm/lanai.c     2011-11-11 15:19:27.000000000 -0500
24302 +++ linux-3.1.1/drivers/atm/lanai.c     2011-11-16 18:39:07.000000000 -0500
24303 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
24304         vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
24305         lanai_endtx(lanai, lvcc);
24306         lanai_free_skb(lvcc->tx.atmvcc, skb);
24307 -       atomic_inc(&lvcc->tx.atmvcc->stats->tx);
24308 +       atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
24309  }
24310  
24311  /* Try to fill the buffer - don't call unless there is backlog */
24312 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
24313         ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
24314         __net_timestamp(skb);
24315         lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
24316 -       atomic_inc(&lvcc->rx.atmvcc->stats->rx);
24317 +       atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
24318      out:
24319         lvcc->rx.buf.ptr = end;
24320         cardvcc_write(lvcc, endptr, vcc_rxreadptr);
24321 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
24322                 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
24323                     "vcc %d\n", lanai->number, (unsigned int) s, vci);
24324                 lanai->stats.service_rxnotaal5++;
24325 -               atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24326 +               atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24327                 return 0;
24328         }
24329         if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
24330 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
24331                 int bytes;
24332                 read_unlock(&vcc_sklist_lock);
24333                 DPRINTK("got trashed rx pdu on vci %d\n", vci);
24334 -               atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24335 +               atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24336                 lvcc->stats.x.aal5.service_trash++;
24337                 bytes = (SERVICE_GET_END(s) * 16) -
24338                     (((unsigned long) lvcc->rx.buf.ptr) -
24339 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
24340         }
24341         if (s & SERVICE_STREAM) {
24342                 read_unlock(&vcc_sklist_lock);
24343 -               atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24344 +               atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24345                 lvcc->stats.x.aal5.service_stream++;
24346                 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
24347                     "PDU on VCI %d!\n", lanai->number, vci);
24348 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
24349                 return 0;
24350         }
24351         DPRINTK("got rx crc error on vci %d\n", vci);
24352 -       atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24353 +       atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24354         lvcc->stats.x.aal5.service_rxcrc++;
24355         lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
24356         cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
24357 diff -urNp linux-3.1.1/drivers/atm/nicstar.c linux-3.1.1/drivers/atm/nicstar.c
24358 --- linux-3.1.1/drivers/atm/nicstar.c   2011-11-11 15:19:27.000000000 -0500
24359 +++ linux-3.1.1/drivers/atm/nicstar.c   2011-11-16 18:39:07.000000000 -0500
24360 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc, 
24361         if ((vc = (vc_map *) vcc->dev_data) == NULL) {
24362                 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
24363                        card->index);
24364 -               atomic_inc(&vcc->stats->tx_err);
24365 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24366                 dev_kfree_skb_any(skb);
24367                 return -EINVAL;
24368         }
24369 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc, 
24370         if (!vc->tx) {
24371                 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
24372                        card->index);
24373 -               atomic_inc(&vcc->stats->tx_err);
24374 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24375                 dev_kfree_skb_any(skb);
24376                 return -EINVAL;
24377         }
24378 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc, 
24379         if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
24380                 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
24381                        card->index);
24382 -               atomic_inc(&vcc->stats->tx_err);
24383 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24384                 dev_kfree_skb_any(skb);
24385                 return -EINVAL;
24386         }
24387  
24388         if (skb_shinfo(skb)->nr_frags != 0) {
24389                 printk("nicstar%d: No scatter-gather yet.\n", card->index);
24390 -               atomic_inc(&vcc->stats->tx_err);
24391 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24392                 dev_kfree_skb_any(skb);
24393                 return -EINVAL;
24394         }
24395 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc, 
24396         }
24397  
24398         if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
24399 -               atomic_inc(&vcc->stats->tx_err);
24400 +               atomic_inc_unchecked(&vcc->stats->tx_err);
24401                 dev_kfree_skb_any(skb);
24402                 return -EIO;
24403         }
24404 -       atomic_inc(&vcc->stats->tx);
24405 +       atomic_inc_unchecked(&vcc->stats->tx);
24406  
24407         return 0;
24408  }
24409 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
24410                                 printk
24411                                     ("nicstar%d: Can't allocate buffers for aal0.\n",
24412                                      card->index);
24413 -                               atomic_add(i, &vcc->stats->rx_drop);
24414 +                               atomic_add_unchecked(i, &vcc->stats->rx_drop);
24415                                 break;
24416                         }
24417                         if (!atm_charge(vcc, sb->truesize)) {
24418                                 RXPRINTK
24419                                     ("nicstar%d: atm_charge() dropped aal0 packets.\n",
24420                                      card->index);
24421 -                               atomic_add(i - 1, &vcc->stats->rx_drop);        /* already increased by 1 */
24422 +                               atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);      /* already increased by 1 */
24423                                 dev_kfree_skb_any(sb);
24424                                 break;
24425                         }
24426 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
24427                         ATM_SKB(sb)->vcc = vcc;
24428                         __net_timestamp(sb);
24429                         vcc->push(vcc, sb);
24430 -                       atomic_inc(&vcc->stats->rx);
24431 +                       atomic_inc_unchecked(&vcc->stats->rx);
24432                         cell += ATM_CELL_PAYLOAD;
24433                 }
24434  
24435 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
24436                         if (iovb == NULL) {
24437                                 printk("nicstar%d: Out of iovec buffers.\n",
24438                                        card->index);
24439 -                               atomic_inc(&vcc->stats->rx_drop);
24440 +                               atomic_inc_unchecked(&vcc->stats->rx_drop);
24441                                 recycle_rx_buf(card, skb);
24442                                 return;
24443                         }
24444 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
24445                    small or large buffer itself. */
24446         } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
24447                 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
24448 -               atomic_inc(&vcc->stats->rx_err);
24449 +               atomic_inc_unchecked(&vcc->stats->rx_err);
24450                 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24451                                       NS_MAX_IOVECS);
24452                 NS_PRV_IOVCNT(iovb) = 0;
24453 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
24454                             ("nicstar%d: Expected a small buffer, and this is not one.\n",
24455                              card->index);
24456                         which_list(card, skb);
24457 -                       atomic_inc(&vcc->stats->rx_err);
24458 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24459                         recycle_rx_buf(card, skb);
24460                         vc->rx_iov = NULL;
24461                         recycle_iov_buf(card, iovb);
24462 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
24463                             ("nicstar%d: Expected a large buffer, and this is not one.\n",
24464                              card->index);
24465                         which_list(card, skb);
24466 -                       atomic_inc(&vcc->stats->rx_err);
24467 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24468                         recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24469                                               NS_PRV_IOVCNT(iovb));
24470                         vc->rx_iov = NULL;
24471 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
24472                                 printk(" - PDU size mismatch.\n");
24473                         else
24474                                 printk(".\n");
24475 -                       atomic_inc(&vcc->stats->rx_err);
24476 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
24477                         recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24478                                               NS_PRV_IOVCNT(iovb));
24479                         vc->rx_iov = NULL;
24480 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
24481                         /* skb points to a small buffer */
24482                         if (!atm_charge(vcc, skb->truesize)) {
24483                                 push_rxbufs(card, skb);
24484 -                               atomic_inc(&vcc->stats->rx_drop);
24485 +                               atomic_inc_unchecked(&vcc->stats->rx_drop);
24486                         } else {
24487                                 skb_put(skb, len);
24488                                 dequeue_sm_buf(card, skb);
24489 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
24490                                 ATM_SKB(skb)->vcc = vcc;
24491                                 __net_timestamp(skb);
24492                                 vcc->push(vcc, skb);
24493 -                               atomic_inc(&vcc->stats->rx);
24494 +                               atomic_inc_unchecked(&vcc->stats->rx);
24495                         }
24496                 } else if (NS_PRV_IOVCNT(iovb) == 2) {  /* One small plus one large buffer */
24497                         struct sk_buff *sb;
24498 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
24499                         if (len <= NS_SMBUFSIZE) {
24500                                 if (!atm_charge(vcc, sb->truesize)) {
24501                                         push_rxbufs(card, sb);
24502 -                                       atomic_inc(&vcc->stats->rx_drop);
24503 +                                       atomic_inc_unchecked(&vcc->stats->rx_drop);
24504                                 } else {
24505                                         skb_put(sb, len);
24506                                         dequeue_sm_buf(card, sb);
24507 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
24508                                         ATM_SKB(sb)->vcc = vcc;
24509                                         __net_timestamp(sb);
24510                                         vcc->push(vcc, sb);
24511 -                                       atomic_inc(&vcc->stats->rx);
24512 +                                       atomic_inc_unchecked(&vcc->stats->rx);
24513                                 }
24514  
24515                                 push_rxbufs(card, skb);
24516 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
24517  
24518                                 if (!atm_charge(vcc, skb->truesize)) {
24519                                         push_rxbufs(card, skb);
24520 -                                       atomic_inc(&vcc->stats->rx_drop);
24521 +                                       atomic_inc_unchecked(&vcc->stats->rx_drop);
24522                                 } else {
24523                                         dequeue_lg_buf(card, skb);
24524  #ifdef NS_USE_DESTRUCTORS
24525 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
24526                                         ATM_SKB(skb)->vcc = vcc;
24527                                         __net_timestamp(skb);
24528                                         vcc->push(vcc, skb);
24529 -                                       atomic_inc(&vcc->stats->rx);
24530 +                                       atomic_inc_unchecked(&vcc->stats->rx);
24531                                 }
24532  
24533                                 push_rxbufs(card, sb);
24534 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
24535                                         printk
24536                                             ("nicstar%d: Out of huge buffers.\n",
24537                                              card->index);
24538 -                                       atomic_inc(&vcc->stats->rx_drop);
24539 +                                       atomic_inc_unchecked(&vcc->stats->rx_drop);
24540                                         recycle_iovec_rx_bufs(card,
24541                                                               (struct iovec *)
24542                                                               iovb->data,
24543 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
24544                                         card->hbpool.count++;
24545                                 } else
24546                                         dev_kfree_skb_any(hb);
24547 -                               atomic_inc(&vcc->stats->rx_drop);
24548 +                               atomic_inc_unchecked(&vcc->stats->rx_drop);
24549                         } else {
24550                                 /* Copy the small buffer to the huge buffer */
24551                                 sb = (struct sk_buff *)iov->iov_base;
24552 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
24553  #endif /* NS_USE_DESTRUCTORS */
24554                                 __net_timestamp(hb);
24555                                 vcc->push(vcc, hb);
24556 -                               atomic_inc(&vcc->stats->rx);
24557 +                               atomic_inc_unchecked(&vcc->stats->rx);
24558                         }
24559                 }
24560  
24561 diff -urNp linux-3.1.1/drivers/atm/solos-pci.c linux-3.1.1/drivers/atm/solos-pci.c
24562 --- linux-3.1.1/drivers/atm/solos-pci.c 2011-11-11 15:19:27.000000000 -0500
24563 +++ linux-3.1.1/drivers/atm/solos-pci.c 2011-11-16 18:40:10.000000000 -0500
24564 @@ -714,7 +714,7 @@ void solos_bh(unsigned long card_arg)
24565                                 }
24566                                 atm_charge(vcc, skb->truesize);
24567                                 vcc->push(vcc, skb);
24568 -                               atomic_inc(&vcc->stats->rx);
24569 +                               atomic_inc_unchecked(&vcc->stats->rx);
24570                                 break;
24571  
24572                         case PKT_STATUS:
24573 @@ -899,6 +899,8 @@ static int print_buffer(struct sk_buff *
24574         char msg[500];
24575         char item[10];
24576  
24577 +       pax_track_stack();
24578 +
24579         len = buf->len;
24580         for (i = 0; i < len; i++){
24581                 if(i % 8 == 0)
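Review bot: The added pax_track_stack() call in print_buffer has no comment tying it to the large locals declared just above it (msg[500], item[10]), so a later cleanup could easily drop it as an unrelated no-op. A one-liner such as `/* large stack frame (msg[500]): let the stack tracker account for it */` documents the intent; this is hedged, since pax_track_stack's definition and contract are not in this hunk. The rest of print_buffer, including the code that fills msg, lies outside the hunk.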
24582 @@ -1008,7 +1010,7 @@ static uint32_t fpga_tx(struct solos_car
24583                         vcc = SKB_CB(oldskb)->vcc;
24584  
24585                         if (vcc) {
24586 -                               atomic_inc(&vcc->stats->tx);
24587 +                               atomic_inc_unchecked(&vcc->stats->tx);
24588                                 solos_pop(vcc, oldskb);
24589                         } else
24590                                 dev_kfree_skb_irq(oldskb);
24591 diff -urNp linux-3.1.1/drivers/atm/suni.c linux-3.1.1/drivers/atm/suni.c
24592 --- linux-3.1.1/drivers/atm/suni.c      2011-11-11 15:19:27.000000000 -0500
24593 +++ linux-3.1.1/drivers/atm/suni.c      2011-11-16 18:39:07.000000000 -0500
24594 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
24595  
24596  
24597  #define ADD_LIMITED(s,v) \
24598 -    atomic_add((v),&stats->s); \
24599 -    if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
24600 +    atomic_add_unchecked((v),&stats->s); \
24601 +    if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
24602  
24603  
24604  static void suni_hz(unsigned long from_timer)
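Review bot: The rewritten ADD_LIMITED macro on the two `+` lines still expands to two bare statements, so an unbraced `if (cond) ADD_LIMITED(...); else ...` at a call site would bind the macro's own `if` to the caller's `else`; since the body is being touched anyway, wrapping it as `#define ADD_LIMITED(s,v) do { \` ... `} while (0)` costs nothing. The uPD98402.c ADD_LIMITED hunk has the same shape with a brace block instead of do/while, which still breaks the `if/else` case because of the `;` that follows the closing `}`. The clamp is also not atomic: the add and the subsequent read are separate operations, so a concurrent adder can push the value past the check between them — probably tolerable for a statistics counter, but worth a comment. A comment should also state why the unchecked variants are required here: the clamp relies on observing a negative value after signed wrap-around, which an overflow-checked atomic_add would presumably report before this branch ever runs.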
24605 diff -urNp linux-3.1.1/drivers/atm/uPD98402.c linux-3.1.1/drivers/atm/uPD98402.c
24606 --- linux-3.1.1/drivers/atm/uPD98402.c  2011-11-11 15:19:27.000000000 -0500
24607 +++ linux-3.1.1/drivers/atm/uPD98402.c  2011-11-16 18:39:07.000000000 -0500
24608 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
24609         struct sonet_stats tmp;
24610         int error = 0;
24611  
24612 -       atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
24613 +       atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
24614         sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
24615         if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
24616         if (zero && !error) {
24617 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
24618  
24619  
24620  #define ADD_LIMITED(s,v) \
24621 -    { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
24622 -    if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
24623 -       atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24624 +    { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
24625 +    if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
24626 +       atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24627  
24628  
24629  static void stat_event(struct atm_dev *dev)
24630 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev 
24631                 if (reason & uPD98402_INT_PFM) stat_event(dev);
24632                 if (reason & uPD98402_INT_PCO) {
24633                         (void) GET(PCOCR); /* clear interrupt cause */
24634 -                       atomic_add(GET(HECCT),
24635 +                       atomic_add_unchecked(GET(HECCT),
24636                             &PRIV(dev)->sonet_stats.uncorr_hcs);
24637                 }
24638                 if ((reason & uPD98402_INT_RFO) && 
24639 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
24640         PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
24641           uPD98402_INT_LOS),PIMR); /* enable them */
24642         (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
24643 -       atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24644 -       atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
24645 -       atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
24646 +       atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24647 +       atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
24648 +       atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
24649         return 0;
24650  }
24651  
24652 diff -urNp linux-3.1.1/drivers/atm/zatm.c linux-3.1.1/drivers/atm/zatm.c
24653 --- linux-3.1.1/drivers/atm/zatm.c      2011-11-11 15:19:27.000000000 -0500
24654 +++ linux-3.1.1/drivers/atm/zatm.c      2011-11-16 18:39:07.000000000 -0500
24655 @@ -460,7 +460,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24656                 }
24657                 if (!size) {
24658                         dev_kfree_skb_irq(skb);
24659 -                       if (vcc) atomic_inc(&vcc->stats->rx_err);
24660 +                       if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
24661                         continue;
24662                 }
24663                 if (!atm_charge(vcc,skb->truesize)) {
24664 @@ -470,7 +470,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24665                 skb->len = size;
24666                 ATM_SKB(skb)->vcc = vcc;
24667                 vcc->push(vcc,skb);
24668 -               atomic_inc(&vcc->stats->rx);
24669 +               atomic_inc_unchecked(&vcc->stats->rx);
24670         }
24671         zout(pos & 0xffff,MTA(mbx));
24672  #if 0 /* probably a stupid idea */
24673 @@ -734,7 +734,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
24674                         skb_queue_head(&zatm_vcc->backlog,skb);
24675                         break;
24676                 }
24677 -       atomic_inc(&vcc->stats->tx);
24678 +       atomic_inc_unchecked(&vcc->stats->tx);
24679         wake_up(&zatm_vcc->tx_wait);
24680  }
24681  
24682 diff -urNp linux-3.1.1/drivers/base/devtmpfs.c linux-3.1.1/drivers/base/devtmpfs.c
24683 --- linux-3.1.1/drivers/base/devtmpfs.c 2011-11-11 15:19:27.000000000 -0500
24684 +++ linux-3.1.1/drivers/base/devtmpfs.c 2011-11-16 18:39:07.000000000 -0500
24685 @@ -368,7 +368,7 @@ int devtmpfs_mount(const char *mntdir)
24686         if (!thread)
24687                 return 0;
24688  
24689 -       err = sys_mount("devtmpfs", (char *)mntdir, "devtmpfs", MS_SILENT, NULL);
24690 +       err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)mntdir, (char __force_user *)"devtmpfs", MS_SILENT, NULL);
24691         if (err)
24692                 printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
24693         else
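Review bot: The rewritten sys_mount() call casts three kernel-space pointers with `(char __force_user *)` and nothing explains why a kernel-internal caller has to present them as user pointers, so the casts are likely to be "cleaned up" by the next maintainer. A short comment would preserve the intent, e.g. `/* sys_mount() takes __user pointers; these are kernel strings, so the address-space annotation is forced for the annotation-aware checks */` — hedged, since the definition of __force_user is not in this hunk and should be confirmed. The new line is also considerably longer than the original; splitting the three arguments across lines would keep it within the kernel's usual width.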
24694 diff -urNp linux-3.1.1/drivers/base/power/wakeup.c linux-3.1.1/drivers/base/power/wakeup.c
24695 --- linux-3.1.1/drivers/base/power/wakeup.c     2011-11-11 15:19:27.000000000 -0500
24696 +++ linux-3.1.1/drivers/base/power/wakeup.c     2011-11-16 18:39:07.000000000 -0500
24697 @@ -29,14 +29,14 @@ bool events_check_enabled;
24698   * They need to be modified together atomically, so it's better to use one
24699   * atomic variable to hold them both.
24700   */
24701 -static atomic_t combined_event_count = ATOMIC_INIT(0);
24702 +static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
24703  
24704  #define IN_PROGRESS_BITS       (sizeof(int) * 4)
24705  #define MAX_IN_PROGRESS                ((1 << IN_PROGRESS_BITS) - 1)
24706  
24707  static void split_counters(unsigned int *cnt, unsigned int *inpr)
24708  {
24709 -       unsigned int comb = atomic_read(&combined_event_count);
24710 +       unsigned int comb = atomic_read_unchecked(&combined_event_count);
24711  
24712         *cnt = (comb >> IN_PROGRESS_BITS);
24713         *inpr = comb & MAX_IN_PROGRESS;
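Review bot: The switch of combined_event_count to atomic_unchecked_t on the first `+` line has no comment explaining why this counter in particular is exempt from overflow checking; the existing comment above it only explains why the two counts share one variable. Since the registered-event count occupies the upper IN_PROGRESS_BITS and only grows, the packed value is expected to wrap eventually, so a line such as `/* unchecked: the packed counter is a running count, not a reference count, and is expected to wrap once the upper half fills */` would document the intent — confirm that the readers really tolerate wrap. The initializer is still ATOMIC_INIT(0), which is only correct if atomic_unchecked_t shares atomic_t's layout; worth confirming in the header that introduces the type. split_counters' conversion is consistent with the type change, and the two later hunks in this file simply follow it.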
24714 @@ -350,7 +350,7 @@ static void wakeup_source_activate(struc
24715         ws->last_time = ktime_get();
24716  
24717         /* Increment the counter of events in progress. */
24718 -       atomic_inc(&combined_event_count);
24719 +       atomic_inc_unchecked(&combined_event_count);
24720  }
24721  
24722  /**
24723 @@ -440,7 +440,7 @@ static void wakeup_source_deactivate(str
24724          * Increment the counter of registered wakeup events and decrement the
24725          * couter of wakeup events in progress simultaneously.
24726          */
24727 -       atomic_add(MAX_IN_PROGRESS, &combined_event_count);
24728 +       atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count);
24729  }
24730  
24731  /**
24732 diff -urNp linux-3.1.1/drivers/block/cciss.c linux-3.1.1/drivers/block/cciss.c
24733 --- linux-3.1.1/drivers/block/cciss.c   2011-11-11 15:19:27.000000000 -0500
24734 +++ linux-3.1.1/drivers/block/cciss.c   2011-11-16 18:40:10.000000000 -0500
24735 @@ -1179,6 +1179,8 @@ static int cciss_ioctl32_passthru(struct
24736         int err;
24737         u32 cp;
24738  
24739 +       memset(&arg64, 0, sizeof(arg64));
24740 +
24741         err = 0;
24742         err |=
24743             copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
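Review bot: The added memset(&arg64, 0, sizeof(arg64)) in cciss_ioctl32_passthru has no comment saying what it protects against, and a bare memset right before a series of copy_from_user() calls reads as redundant to anyone who does not know the history. If the reason is that arg64 is filled field-by-field and its padding or unfilled fields can later reach user space or the controller, say so: `/* zero arg64 first: it is filled field-by-field below, so padding and any field not copied would otherwise hold uninitialized stack bytes */` — confirm against the remainder of the function, which is outside this hunk.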
24744 @@ -2986,7 +2988,7 @@ static void start_io(ctlr_info_t *h)
24745         while (!list_empty(&h->reqQ)) {
24746                 c = list_entry(h->reqQ.next, CommandList_struct, list);
24747                 /* can't do anything if fifo is full */
24748 -               if ((h->access.fifo_full(h))) {
24749 +               if ((h->access->fifo_full(h))) {
24750                         dev_warn(&h->pdev->dev, "fifo full\n");
24751                         break;
24752                 }
24753 @@ -2996,7 +2998,7 @@ static void start_io(ctlr_info_t *h)
24754                 h->Qdepth--;
24755  
24756                 /* Tell the controller execute command */
24757 -               h->access.submit_command(h, c);
24758 +               h->access->submit_command(h, c);
24759  
24760                 /* Put job onto the completed Q */
24761                 addQ(&h->cmpQ, c);
24762 @@ -3422,17 +3424,17 @@ startio:
24763  
24764  static inline unsigned long get_next_completion(ctlr_info_t *h)
24765  {
24766 -       return h->access.command_completed(h);
24767 +       return h->access->command_completed(h);
24768  }
24769  
24770  static inline int interrupt_pending(ctlr_info_t *h)
24771  {
24772 -       return h->access.intr_pending(h);
24773 +       return h->access->intr_pending(h);
24774  }
24775  
24776  static inline long interrupt_not_for_us(ctlr_info_t *h)
24777  {
24778 -       return ((h->access.intr_pending(h) == 0) ||
24779 +       return ((h->access->intr_pending(h) == 0) ||
24780                 (h->interrupts_enabled == 0));
24781  }
24782  
24783 @@ -3465,7 +3467,7 @@ static inline u32 next_command(ctlr_info
24784         u32 a;
24785  
24786         if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
24787 -               return h->access.command_completed(h);
24788 +               return h->access->command_completed(h);
24789  
24790         if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
24791                 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
24792 @@ -4020,7 +4022,7 @@ static void __devinit cciss_put_controll
24793                 trans_support & CFGTBL_Trans_use_short_tags);
24794  
24795         /* Change the access methods to the performant access methods */
24796 -       h->access = SA5_performant_access;
24797 +       h->access = &SA5_performant_access;
24798         h->transMethod = CFGTBL_Trans_Performant;
24799  
24800         return;
24801 @@ -4292,7 +4294,7 @@ static int __devinit cciss_pci_init(ctlr
24802         if (prod_index < 0)
24803                 return -ENODEV;
24804         h->product_name = products[prod_index].product_name;
24805 -       h->access = *(products[prod_index].access);
24806 +       h->access = products[prod_index].access;
24807  
24808         if (cciss_board_disabled(h)) {
24809                 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
24810 @@ -5009,7 +5011,7 @@ reinit_after_soft_reset:
24811         }
24812  
24813         /* make sure the board interrupts are off */
24814 -       h->access.set_intr_mask(h, CCISS_INTR_OFF);
24815 +       h->access->set_intr_mask(h, CCISS_INTR_OFF);
24816         rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
24817         if (rc)
24818                 goto clean2;
24819 @@ -5061,7 +5063,7 @@ reinit_after_soft_reset:
24820                  * fake ones to scoop up any residual completions.
24821                  */
24822                 spin_lock_irqsave(&h->lock, flags);
24823 -               h->access.set_intr_mask(h, CCISS_INTR_OFF);
24824 +               h->access->set_intr_mask(h, CCISS_INTR_OFF);
24825                 spin_unlock_irqrestore(&h->lock, flags);
24826                 free_irq(h->intr[PERF_MODE_INT], h);
24827                 rc = cciss_request_irq(h, cciss_msix_discard_completions,
24828 @@ -5081,9 +5083,9 @@ reinit_after_soft_reset:
24829                 dev_info(&h->pdev->dev, "Board READY.\n");
24830                 dev_info(&h->pdev->dev,
24831                         "Waiting for stale completions to drain.\n");
24832 -               h->access.set_intr_mask(h, CCISS_INTR_ON);
24833 +               h->access->set_intr_mask(h, CCISS_INTR_ON);
24834                 msleep(10000);
24835 -               h->access.set_intr_mask(h, CCISS_INTR_OFF);
24836 +               h->access->set_intr_mask(h, CCISS_INTR_OFF);
24837  
24838                 rc = controller_reset_failed(h->cfgtable);
24839                 if (rc)
24840 @@ -5106,7 +5108,7 @@ reinit_after_soft_reset:
24841         cciss_scsi_setup(h);
24842  
24843         /* Turn the interrupts on so we can service requests */
24844 -       h->access.set_intr_mask(h, CCISS_INTR_ON);
24845 +       h->access->set_intr_mask(h, CCISS_INTR_ON);
24846  
24847         /* Get the firmware version */
24848         inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
24849 @@ -5178,7 +5180,7 @@ static void cciss_shutdown(struct pci_de
24850         kfree(flush_buf);
24851         if (return_code != IO_OK)
24852                 dev_warn(&h->pdev->dev, "Error flushing cache\n");
24853 -       h->access.set_intr_mask(h, CCISS_INTR_OFF);
24854 +       h->access->set_intr_mask(h, CCISS_INTR_OFF);
24855         free_irq(h->intr[PERF_MODE_INT], h);
24856  }
24857  
24858 diff -urNp linux-3.1.1/drivers/block/cciss.h linux-3.1.1/drivers/block/cciss.h
24859 --- linux-3.1.1/drivers/block/cciss.h   2011-11-11 15:19:27.000000000 -0500
24860 +++ linux-3.1.1/drivers/block/cciss.h   2011-11-16 18:39:07.000000000 -0500
24861 @@ -100,7 +100,7 @@ struct ctlr_info
24862         /* information about each logical volume */
24863         drive_info_struct *drv[CISS_MAX_LUN];
24864  
24865 -       struct access_method access;
24866 +       struct access_method *access;
24867  
24868         /* queue and queue Info */ 
24869         struct list_head reqQ;
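Review bot: The new `struct access_method *access;` member is not const-qualified, although the point of replacing the embedded copy with a pointer appears to be to reference a shared, read-only method table (the cciss.c hunks now assign `&SA5_performant_access` and `products[prod_index].access` directly). If those tables are, or can be made, `const`, then `const struct access_method *access;` in ctlr_info makes the function-pointer table unwritable through the controller struct, which is the property this change seems to be after; without it, a write through one controller's h->access would rewrite the method pointers for every controller sharing the table. That sharing is itself a semantic change from the per-controller copy: any site that ever modified h->access.* in place (none is visible in these hunks) would now affect all controllers. The cpqarray.c hunks make the same pointer conversion, and its header is not in this chunk, so the same const question applies there.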
24870 diff -urNp linux-3.1.1/drivers/block/cpqarray.c linux-3.1.1/drivers/block/cpqarray.c
24871 --- linux-3.1.1/drivers/block/cpqarray.c        2011-11-11 15:19:27.000000000 -0500
24872 +++ linux-3.1.1/drivers/block/cpqarray.c        2011-11-16 18:40:10.000000000 -0500
24873 @@ -404,7 +404,7 @@ static int __devinit cpqarray_register_c
24874         if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
24875                 goto Enomem4;
24876         }
24877 -       hba[i]->access.set_intr_mask(hba[i], 0);
24878 +       hba[i]->access->set_intr_mask(hba[i], 0);
24879         if (request_irq(hba[i]->intr, do_ida_intr,
24880                 IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
24881         {
24882 @@ -459,7 +459,7 @@ static int __devinit cpqarray_register_c
24883         add_timer(&hba[i]->timer);
24884  
24885         /* Enable IRQ now that spinlock and rate limit timer are set up */
24886 -       hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
24887 +       hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
24888  
24889         for(j=0; j<NWD; j++) {
24890                 struct gendisk *disk = ida_gendisk[i][j];
24891 @@ -694,7 +694,7 @@ DBGINFO(
24892         for(i=0; i<NR_PRODUCTS; i++) {
24893                 if (board_id == products[i].board_id) {
24894                         c->product_name = products[i].product_name;
24895 -                       c->access = *(products[i].access);
24896 +                       c->access = products[i].access;
24897                         break;
24898                 }
24899         }
24900 @@ -792,7 +792,7 @@ static int __devinit cpqarray_eisa_detec
24901                 hba[ctlr]->intr = intr;
24902                 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
24903                 hba[ctlr]->product_name = products[j].product_name;
24904 -               hba[ctlr]->access = *(products[j].access);
24905 +               hba[ctlr]->access = products[j].access;
24906                 hba[ctlr]->ctlr = ctlr;
24907                 hba[ctlr]->board_id = board_id;
24908                 hba[ctlr]->pci_dev = NULL; /* not PCI */
24909 @@ -911,6 +911,8 @@ static void do_ida_request(struct reques
24910         struct scatterlist tmp_sg[SG_MAX];
24911         int i, dir, seg;
24912  
24913 +       pax_track_stack();
24914 +
24915  queue_next:
24916         creq = blk_peek_request(q);
24917         if (!creq)
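Review bot: The `pax_track_stack();` call is added without a comment saying why this function in particular needs it; the `struct scatterlist tmp_sg[SG_MAX]` local two lines above is presumably the reason (a large stack frame), but a reader of the driver cannot tell. A one-line comment such as `/* large tmp_sg[] on stack: record the depth for stack tracking */` would make the placement self-explanatory. The same unexplained insertion appears in DAC960.c `@@ -1980`, nbd.c `@@ -157` and `@@ -572`, and ipmi_msghandler.c `@@ -4220`, where the large `smi_msg`/`recv_msg` locals are visible. do_ida_request continues beyond this hunk.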
24918 @@ -980,7 +982,7 @@ static void start_io(ctlr_info_t *h)
24919  
24920         while((c = h->reqQ) != NULL) {
24921                 /* Can't do anything if we're busy */
24922 -               if (h->access.fifo_full(h) == 0)
24923 +               if (h->access->fifo_full(h) == 0)
24924                         return;
24925  
24926                 /* Get the first entry from the request Q */
24927 @@ -988,7 +990,7 @@ static void start_io(ctlr_info_t *h)
24928                 h->Qdepth--;
24929         
24930                 /* Tell the controller to do our bidding */
24931 -               h->access.submit_command(h, c);
24932 +               h->access->submit_command(h, c);
24933  
24934                 /* Get onto the completion Q */
24935                 addQ(&h->cmpQ, c);
24936 @@ -1050,7 +1052,7 @@ static irqreturn_t do_ida_intr(int irq, 
24937         unsigned long flags;
24938         __u32 a,a1;
24939  
24940 -       istat = h->access.intr_pending(h);
24941 +       istat = h->access->intr_pending(h);
24942         /* Is this interrupt for us? */
24943         if (istat == 0)
24944                 return IRQ_NONE;
24945 @@ -1061,7 +1063,7 @@ static irqreturn_t do_ida_intr(int irq, 
24946          */
24947         spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
24948         if (istat & FIFO_NOT_EMPTY) {
24949 -               while((a = h->access.command_completed(h))) {
24950 +               while((a = h->access->command_completed(h))) {
24951                         a1 = a; a &= ~3;
24952                         if ((c = h->cmpQ) == NULL)
24953                         {  
24954 @@ -1449,11 +1451,11 @@ static int sendcmd(
24955         /*
24956          * Disable interrupt
24957          */
24958 -       info_p->access.set_intr_mask(info_p, 0);
24959 +       info_p->access->set_intr_mask(info_p, 0);
24960         /* Make sure there is room in the command FIFO */
24961         /* Actually it should be completely empty at this time. */
24962         for (i = 200000; i > 0; i--) {
24963 -               temp = info_p->access.fifo_full(info_p);
24964 +               temp = info_p->access->fifo_full(info_p);
24965                 if (temp != 0) {
24966                         break;
24967                 }
24968 @@ -1466,7 +1468,7 @@ DBG(
24969         /*
24970          * Send the cmd
24971          */
24972 -       info_p->access.submit_command(info_p, c);
24973 +       info_p->access->submit_command(info_p, c);
24974         complete = pollcomplete(ctlr);
24975         
24976         pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr, 
24977 @@ -1549,9 +1551,9 @@ static int revalidate_allvol(ctlr_info_t
24978          * we check the new geometry.  Then turn interrupts back on when
24979          * we're done.
24980          */
24981 -       host->access.set_intr_mask(host, 0);
24982 +       host->access->set_intr_mask(host, 0);
24983         getgeometry(ctlr);
24984 -       host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
24985 +       host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
24986  
24987         for(i=0; i<NWD; i++) {
24988                 struct gendisk *disk = ida_gendisk[ctlr][i];
24989 @@ -1591,7 +1593,7 @@ static int pollcomplete(int ctlr)
24990         /* Wait (up to 2 seconds) for a command to complete */
24991  
24992         for (i = 200000; i > 0; i--) {
24993 -               done = hba[ctlr]->access.command_completed(hba[ctlr]);
24994 +               done = hba[ctlr]->access->command_completed(hba[ctlr]);
24995                 if (done == 0) {
24996                         udelay(10);     /* a short fixed delay */
24997                 } else
24998 diff -urNp linux-3.1.1/drivers/block/cpqarray.h linux-3.1.1/drivers/block/cpqarray.h
24999 --- linux-3.1.1/drivers/block/cpqarray.h        2011-11-11 15:19:27.000000000 -0500
25000 +++ linux-3.1.1/drivers/block/cpqarray.h        2011-11-16 18:39:07.000000000 -0500
25001 @@ -99,7 +99,7 @@ struct ctlr_info {
25002         drv_info_t      drv[NWD];
25003         struct proc_dir_entry *proc;
25004  
25005 -       struct access_method access;
25006 +       struct access_method *access;
25007  
25008         cmdlist_t *reqQ;
25009         cmdlist_t *cmpQ;
25010 diff -urNp linux-3.1.1/drivers/block/DAC960.c linux-3.1.1/drivers/block/DAC960.c
25011 --- linux-3.1.1/drivers/block/DAC960.c  2011-11-11 15:19:27.000000000 -0500
25012 +++ linux-3.1.1/drivers/block/DAC960.c  2011-11-16 18:40:10.000000000 -0500
25013 @@ -1980,6 +1980,8 @@ static bool DAC960_V1_ReadDeviceConfigur
25014    unsigned long flags;
25015    int Channel, TargetID;
25016  
25017 +  pax_track_stack();
25018 +
25019    if (!init_dma_loaf(Controller->PCIDevice, &local_dma, 
25020                 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
25021                         sizeof(DAC960_SCSI_Inquiry_T) +
25022 diff -urNp linux-3.1.1/drivers/block/drbd/drbd_int.h linux-3.1.1/drivers/block/drbd/drbd_int.h
25023 --- linux-3.1.1/drivers/block/drbd/drbd_int.h   2011-11-11 15:19:27.000000000 -0500
25024 +++ linux-3.1.1/drivers/block/drbd/drbd_int.h   2011-11-16 18:39:07.000000000 -0500
25025 @@ -737,7 +737,7 @@ struct drbd_request;
25026  struct drbd_epoch {
25027         struct list_head list;
25028         unsigned int barrier_nr;
25029 -       atomic_t epoch_size; /* increased on every request added. */
25030 +       atomic_unchecked_t epoch_size; /* increased on every request added. */
25031         atomic_t active;     /* increased on every req. added, and dec on every finished. */
25032         unsigned long flags;
25033  };
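Review bot: Changing `epoch_size` to `atomic_unchecked_t` presumably opts this counter out of the overflow checking the patch applies to plain `atomic_t`, but the hunk records no justification and leaves the original comment unchanged. For `packet_seq` (`@@ -1109`) and `drbd_nl_seq` (drbd_nl.c `@@ -2359`) the argument is clear, they are wire sequence numbers that are expected to wrap, whereas `epoch_size` is a count that is explicitly reset to zero in several places (drbd_receiver.c `@@ -1020`, `@@ -1210`, `@@ -3885`), so it is worth stating why unchecked arithmetic is acceptable for it. Suggest extending the field comment, e.g. `/* increased on every request added; may wrap, so not overflow-checked */`. The ipmi `stats[]` arrays (ipmi_msghandler.c `@@ -415`, ipmi_si_intf.c `@@ -277`) follow the same pattern and would benefit from the same one-line note.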
25034 @@ -1109,7 +1109,7 @@ struct drbd_conf {
25035         void *int_dig_in;
25036         void *int_dig_vv;
25037         wait_queue_head_t seq_wait;
25038 -       atomic_t packet_seq;
25039 +       atomic_unchecked_t packet_seq;
25040         unsigned int peer_seq;
25041         spinlock_t peer_seq_lock;
25042         unsigned int minor;
25043 @@ -1618,30 +1618,30 @@ static inline int drbd_setsockopt(struct
25044  
25045  static inline void drbd_tcp_cork(struct socket *sock)
25046  {
25047 -       int __user val = 1;
25048 +       int val = 1;
25049         (void) drbd_setsockopt(sock, SOL_TCP, TCP_CORK,
25050 -                       (char __user *)&val, sizeof(val));
25051 +                       (char __force_user *)&val, sizeof(val));
25052  }
25053  
25054  static inline void drbd_tcp_uncork(struct socket *sock)
25055  {
25056 -       int __user val = 0;
25057 +       int val = 0;
25058         (void) drbd_setsockopt(sock, SOL_TCP, TCP_CORK,
25059 -                       (char __user *)&val, sizeof(val));
25060 +                       (char __force_user *)&val, sizeof(val));
25061  }
25062  
25063  static inline void drbd_tcp_nodelay(struct socket *sock)
25064  {
25065 -       int __user val = 1;
25066 +       int val = 1;
25067         (void) drbd_setsockopt(sock, SOL_TCP, TCP_NODELAY,
25068 -                       (char __user *)&val, sizeof(val));
25069 +                       (char __force_user *)&val, sizeof(val));
25070  }
25071  
25072  static inline void drbd_tcp_quickack(struct socket *sock)
25073  {
25074 -       int __user val = 2;
25075 +       int val = 2;
25076         (void) drbd_setsockopt(sock, SOL_TCP, TCP_QUICKACK,
25077 -                       (char __user *)&val, sizeof(val));
25078 +                       (char __force_user *)&val, sizeof(val));
25079  }
25080  
25081  void drbd_bump_write_ordering(struct drbd_conf *mdev, enum write_ordering_e wo);
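Review bot: The `(char __force_user *)&val` casts in all four helpers hand a kernel-stack address to a function that expects a user pointer, and nothing in the hunk shows what makes that safe. The hunk header names `drbd_setsockopt` as the enclosing context, so its body (not visible here) presumably switches the address limit before calling the socket layer; that dependency should be stated next to the casts, e.g. `/* val lives on the kernel stack; drbd_setsockopt() must run with KERNEL_DS */`. The corrected declaration `int val = 1;` is an improvement over the previous `int __user val`, which mislabelled a kernel object. The equivalent cast in loop.c `@@ -283` sits directly inside its `set_fs(get_ds())`/`set_fs(old_fs)` bracket, which is the relationship a comment here should make explicit.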
25082 diff -urNp linux-3.1.1/drivers/block/drbd/drbd_main.c linux-3.1.1/drivers/block/drbd/drbd_main.c
25083 --- linux-3.1.1/drivers/block/drbd/drbd_main.c  2011-11-11 15:19:27.000000000 -0500
25084 +++ linux-3.1.1/drivers/block/drbd/drbd_main.c  2011-11-16 18:39:07.000000000 -0500
25085 @@ -2397,7 +2397,7 @@ static int _drbd_send_ack(struct drbd_co
25086         p.sector   = sector;
25087         p.block_id = block_id;
25088         p.blksize  = blksize;
25089 -       p.seq_num  = cpu_to_be32(atomic_add_return(1, &mdev->packet_seq));
25090 +       p.seq_num  = cpu_to_be32(atomic_add_return_unchecked(1, &mdev->packet_seq));
25091  
25092         if (!mdev->meta.socket || mdev->state.conn < C_CONNECTED)
25093                 return false;
25094 @@ -2696,7 +2696,7 @@ int drbd_send_dblock(struct drbd_conf *m
25095         p.sector   = cpu_to_be64(req->sector);
25096         p.block_id = (unsigned long)req;
25097         p.seq_num  = cpu_to_be32(req->seq_num =
25098 -                                atomic_add_return(1, &mdev->packet_seq));
25099 +                                atomic_add_return_unchecked(1, &mdev->packet_seq));
25100  
25101         dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
25102  
25103 @@ -2981,7 +2981,7 @@ void drbd_init_set_defaults(struct drbd_
25104         atomic_set(&mdev->unacked_cnt, 0);
25105         atomic_set(&mdev->local_cnt, 0);
25106         atomic_set(&mdev->net_cnt, 0);
25107 -       atomic_set(&mdev->packet_seq, 0);
25108 +       atomic_set_unchecked(&mdev->packet_seq, 0);
25109         atomic_set(&mdev->pp_in_use, 0);
25110         atomic_set(&mdev->pp_in_use_by_net, 0);
25111         atomic_set(&mdev->rs_sect_in, 0);
25112 @@ -3063,8 +3063,8 @@ void drbd_mdev_cleanup(struct drbd_conf 
25113                                 mdev->receiver.t_state);
25114  
25115         /* no need to lock it, I'm the only thread alive */
25116 -       if (atomic_read(&mdev->current_epoch->epoch_size) !=  0)
25117 -               dev_err(DEV, "epoch_size:%d\n", atomic_read(&mdev->current_epoch->epoch_size));
25118 +       if (atomic_read_unchecked(&mdev->current_epoch->epoch_size) !=  0)
25119 +               dev_err(DEV, "epoch_size:%d\n", atomic_read_unchecked(&mdev->current_epoch->epoch_size));
25120         mdev->al_writ_cnt  =
25121         mdev->bm_writ_cnt  =
25122         mdev->read_cnt     =
25123 diff -urNp linux-3.1.1/drivers/block/drbd/drbd_nl.c linux-3.1.1/drivers/block/drbd/drbd_nl.c
25124 --- linux-3.1.1/drivers/block/drbd/drbd_nl.c    2011-11-11 15:19:27.000000000 -0500
25125 +++ linux-3.1.1/drivers/block/drbd/drbd_nl.c    2011-11-16 18:39:07.000000000 -0500
25126 @@ -2359,7 +2359,7 @@ static void drbd_connector_callback(stru
25127         module_put(THIS_MODULE);
25128  }
25129  
25130 -static atomic_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
25131 +static atomic_unchecked_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
25132  
25133  static unsigned short *
25134  __tl_add_blob(unsigned short *tl, enum drbd_tags tag, const void *data,
25135 @@ -2430,7 +2430,7 @@ void drbd_bcast_state(struct drbd_conf *
25136         cn_reply->id.idx = CN_IDX_DRBD;
25137         cn_reply->id.val = CN_VAL_DRBD;
25138  
25139 -       cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25140 +       cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25141         cn_reply->ack = 0; /* not used here. */
25142         cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25143                 (int)((char *)tl - (char *)reply->tag_list);
25144 @@ -2462,7 +2462,7 @@ void drbd_bcast_ev_helper(struct drbd_co
25145         cn_reply->id.idx = CN_IDX_DRBD;
25146         cn_reply->id.val = CN_VAL_DRBD;
25147  
25148 -       cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25149 +       cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25150         cn_reply->ack = 0; /* not used here. */
25151         cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25152                 (int)((char *)tl - (char *)reply->tag_list);
25153 @@ -2540,7 +2540,7 @@ void drbd_bcast_ee(struct drbd_conf *mde
25154         cn_reply->id.idx = CN_IDX_DRBD;
25155         cn_reply->id.val = CN_VAL_DRBD;
25156  
25157 -       cn_reply->seq = atomic_add_return(1,&drbd_nl_seq);
25158 +       cn_reply->seq = atomic_add_return_unchecked(1,&drbd_nl_seq);
25159         cn_reply->ack = 0; // not used here.
25160         cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25161                 (int)((char*)tl - (char*)reply->tag_list);
25162 @@ -2579,7 +2579,7 @@ void drbd_bcast_sync_progress(struct drb
25163         cn_reply->id.idx = CN_IDX_DRBD;
25164         cn_reply->id.val = CN_VAL_DRBD;
25165  
25166 -       cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25167 +       cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25168         cn_reply->ack = 0; /* not used here. */
25169         cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25170                 (int)((char *)tl - (char *)reply->tag_list);
25171 diff -urNp linux-3.1.1/drivers/block/drbd/drbd_receiver.c linux-3.1.1/drivers/block/drbd/drbd_receiver.c
25172 --- linux-3.1.1/drivers/block/drbd/drbd_receiver.c      2011-11-11 15:19:27.000000000 -0500
25173 +++ linux-3.1.1/drivers/block/drbd/drbd_receiver.c      2011-11-16 18:39:07.000000000 -0500
25174 @@ -894,7 +894,7 @@ retry:
25175         sock->sk->sk_sndtimeo = mdev->net_conf->timeout*HZ/10;
25176         sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
25177  
25178 -       atomic_set(&mdev->packet_seq, 0);
25179 +       atomic_set_unchecked(&mdev->packet_seq, 0);
25180         mdev->peer_seq = 0;
25181  
25182         drbd_thread_start(&mdev->asender);
25183 @@ -985,7 +985,7 @@ static enum finish_epoch drbd_may_finish
25184         do {
25185                 next_epoch = NULL;
25186  
25187 -               epoch_size = atomic_read(&epoch->epoch_size);
25188 +               epoch_size = atomic_read_unchecked(&epoch->epoch_size);
25189  
25190                 switch (ev & ~EV_CLEANUP) {
25191                 case EV_PUT:
25192 @@ -1020,7 +1020,7 @@ static enum finish_epoch drbd_may_finish
25193                                         rv = FE_DESTROYED;
25194                         } else {
25195                                 epoch->flags = 0;
25196 -                               atomic_set(&epoch->epoch_size, 0);
25197 +                               atomic_set_unchecked(&epoch->epoch_size, 0);
25198                                 /* atomic_set(&epoch->active, 0); is already zero */
25199                                 if (rv == FE_STILL_LIVE)
25200                                         rv = FE_RECYCLED;
25201 @@ -1191,14 +1191,14 @@ static int receive_Barrier(struct drbd_c
25202                 drbd_wait_ee_list_empty(mdev, &mdev->active_ee);
25203                 drbd_flush(mdev);
25204  
25205 -               if (atomic_read(&mdev->current_epoch->epoch_size)) {
25206 +               if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
25207                         epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
25208                         if (epoch)
25209                                 break;
25210                 }
25211  
25212                 epoch = mdev->current_epoch;
25213 -               wait_event(mdev->ee_wait, atomic_read(&epoch->epoch_size) == 0);
25214 +               wait_event(mdev->ee_wait, atomic_read_unchecked(&epoch->epoch_size) == 0);
25215  
25216                 D_ASSERT(atomic_read(&epoch->active) == 0);
25217                 D_ASSERT(epoch->flags == 0);
25218 @@ -1210,11 +1210,11 @@ static int receive_Barrier(struct drbd_c
25219         }
25220  
25221         epoch->flags = 0;
25222 -       atomic_set(&epoch->epoch_size, 0);
25223 +       atomic_set_unchecked(&epoch->epoch_size, 0);
25224         atomic_set(&epoch->active, 0);
25225  
25226         spin_lock(&mdev->epoch_lock);
25227 -       if (atomic_read(&mdev->current_epoch->epoch_size)) {
25228 +       if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
25229                 list_add(&epoch->list, &mdev->current_epoch->list);
25230                 mdev->current_epoch = epoch;
25231                 mdev->epochs++;
25232 @@ -1663,7 +1663,7 @@ static int receive_Data(struct drbd_conf
25233                 spin_unlock(&mdev->peer_seq_lock);
25234  
25235                 drbd_send_ack_dp(mdev, P_NEG_ACK, p, data_size);
25236 -               atomic_inc(&mdev->current_epoch->epoch_size);
25237 +               atomic_inc_unchecked(&mdev->current_epoch->epoch_size);
25238                 return drbd_drain_block(mdev, data_size);
25239         }
25240  
25241 @@ -1689,7 +1689,7 @@ static int receive_Data(struct drbd_conf
25242  
25243         spin_lock(&mdev->epoch_lock);
25244         e->epoch = mdev->current_epoch;
25245 -       atomic_inc(&e->epoch->epoch_size);
25246 +       atomic_inc_unchecked(&e->epoch->epoch_size);
25247         atomic_inc(&e->epoch->active);
25248         spin_unlock(&mdev->epoch_lock);
25249  
25250 @@ -3885,7 +3885,7 @@ static void drbd_disconnect(struct drbd_
25251         D_ASSERT(list_empty(&mdev->done_ee));
25252  
25253         /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
25254 -       atomic_set(&mdev->current_epoch->epoch_size, 0);
25255 +       atomic_set_unchecked(&mdev->current_epoch->epoch_size, 0);
25256         D_ASSERT(list_empty(&mdev->current_epoch->list));
25257  }
25258  
25259 diff -urNp linux-3.1.1/drivers/block/loop.c linux-3.1.1/drivers/block/loop.c
25260 --- linux-3.1.1/drivers/block/loop.c    2011-11-11 15:19:27.000000000 -0500
25261 +++ linux-3.1.1/drivers/block/loop.c    2011-11-16 18:39:07.000000000 -0500
25262 @@ -283,7 +283,7 @@ static int __do_lo_send_write(struct fil
25263         mm_segment_t old_fs = get_fs();
25264  
25265         set_fs(get_ds());
25266 -       bw = file->f_op->write(file, buf, len, &pos);
25267 +       bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
25268         set_fs(old_fs);
25269         if (likely(bw == len))
25270                 return 0;
25271 diff -urNp linux-3.1.1/drivers/block/nbd.c linux-3.1.1/drivers/block/nbd.c
25272 --- linux-3.1.1/drivers/block/nbd.c     2011-11-11 15:19:27.000000000 -0500
25273 +++ linux-3.1.1/drivers/block/nbd.c     2011-11-16 18:40:10.000000000 -0500
25274 @@ -157,6 +157,8 @@ static int sock_xmit(struct nbd_device *
25275         struct kvec iov;
25276         sigset_t blocked, oldset;
25277  
25278 +       pax_track_stack();
25279 +
25280         if (unlikely(!sock)) {
25281                 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
25282                        lo->disk->disk_name, (send ? "send" : "recv"));
25283 @@ -572,6 +574,8 @@ static void do_nbd_request(struct reques
25284  static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
25285                        unsigned int cmd, unsigned long arg)
25286  {
25287 +       pax_track_stack();
25288 +
25289         switch (cmd) {
25290         case NBD_DISCONNECT: {
25291                 struct request sreq;
25292 diff -urNp linux-3.1.1/drivers/char/agp/frontend.c linux-3.1.1/drivers/char/agp/frontend.c
25293 --- linux-3.1.1/drivers/char/agp/frontend.c     2011-11-11 15:19:27.000000000 -0500
25294 +++ linux-3.1.1/drivers/char/agp/frontend.c     2011-11-16 18:39:07.000000000 -0500
25295 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
25296         if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
25297                 return -EFAULT;
25298  
25299 -       if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
25300 +       if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
25301                 return -EFAULT;
25302  
25303         client = agp_find_client_by_pid(reserve.pid);
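Review bot: The bound on `reserve.seg_count` now uses `sizeof(struct agp_segment_priv)`, and the allocation this check is meant to protect is not in the hunk, so nothing ties the two together and they can drift apart again. A comment naming the consumer would prevent that, e.g. `/* must match the per-segment allocation below, which uses agp_segment_priv */`. The pre-existing `-EFAULT` for an out-of-range count is unusual for a bad argument (`-EINVAL` would be conventional), but that is not introduced by this change. agpioc_reserve_wrap continues beyond this hunk.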
25304 diff -urNp linux-3.1.1/drivers/char/briq_panel.c linux-3.1.1/drivers/char/briq_panel.c
25305 --- linux-3.1.1/drivers/char/briq_panel.c       2011-11-11 15:19:27.000000000 -0500
25306 +++ linux-3.1.1/drivers/char/briq_panel.c       2011-11-16 18:40:10.000000000 -0500
25307 @@ -9,6 +9,7 @@
25308  #include <linux/types.h>
25309  #include <linux/errno.h>
25310  #include <linux/tty.h>
25311 +#include <linux/mutex.h>
25312  #include <linux/timer.h>
25313  #include <linux/kernel.h>
25314  #include <linux/wait.h>
25315 @@ -34,6 +35,7 @@ static int            vfd_is_open;
25316  static unsigned char   vfd[40];
25317  static int             vfd_cursor;
25318  static unsigned char   ledpb, led;
25319 +static DEFINE_MUTEX(vfd_mutex);
25320  
25321  static void update_vfd(void)
25322  {
25323 @@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
25324         if (!vfd_is_open)
25325                 return -EBUSY;
25326  
25327 +       mutex_lock(&vfd_mutex);
25328         for (;;) {
25329                 char c;
25330                 if (!indx)
25331                         break;
25332 -               if (get_user(c, buf))
25333 +               if (get_user(c, buf)) {
25334 +                       mutex_unlock(&vfd_mutex);
25335                         return -EFAULT;
25336 +               }
25337                 if (esc) {
25338                         set_led(c);
25339                         esc = 0;
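Review bot: The unlock on the `get_user` failure path is correct, but the loop body between this hunk and the `@@ -175` hunk is not visible, and any other early `return` in that stretch would now leave `vfd_mutex` held. A single exit would make that impossible to get wrong: `ret = -EFAULT; goto out;` here, with `out: mutex_unlock(&vfd_mutex); return ret;` replacing the unlock before `return len;` in the `@@ -175` hunk. The `vfd_is_open` test is still evaluated before the mutex is taken; if open/release also serialise on `vfd_mutex` (not shown) this is harmless, otherwise the check could be moved under the lock. briq_panel_write starts before this hunk.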
25340 @@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
25341                 buf++;
25342         }
25343         update_vfd();
25344 +       mutex_unlock(&vfd_mutex);
25345  
25346         return len;
25347  }
25348 diff -urNp linux-3.1.1/drivers/char/genrtc.c linux-3.1.1/drivers/char/genrtc.c
25349 --- linux-3.1.1/drivers/char/genrtc.c   2011-11-11 15:19:27.000000000 -0500
25350 +++ linux-3.1.1/drivers/char/genrtc.c   2011-11-16 18:40:10.000000000 -0500
25351 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
25352         switch (cmd) {
25353  
25354         case RTC_PLL_GET:
25355 +           memset(&pll, 0, sizeof(pll));
25356             if (get_rtc_pll(&pll))
25357                     return -EINVAL;
25358             else
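Review bot: The added `memset(&pll, 0, sizeof(pll));` has no comment saying why it is needed, and the reason is not obvious from the `RTC_PLL_GET` branch alone. The hunk does not show what `get_rtc_pll()` fills in or where `pll` goes afterwards, but the placement suggests it is copied to user space and could otherwise carry uninitialised stack bytes in fields or padding the helper leaves untouched. Suggest `/* zero padding and any fields get_rtc_pll() leaves unset: pll is copied to userspace */`. gen_rtc_ioctl starts and ends outside this hunk.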
25359 diff -urNp linux-3.1.1/drivers/char/hpet.c linux-3.1.1/drivers/char/hpet.c
25360 --- linux-3.1.1/drivers/char/hpet.c     2011-11-11 15:19:27.000000000 -0500
25361 +++ linux-3.1.1/drivers/char/hpet.c     2011-11-16 18:39:07.000000000 -0500
25362 @@ -572,7 +572,7 @@ static inline unsigned long hpet_time_di
25363  }
25364  
25365  static int
25366 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
25367 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
25368                   struct hpet_info *info)
25369  {
25370         struct hpet_timer __iomem *timer;
25371 diff -urNp linux-3.1.1/drivers/char/ipmi/ipmi_msghandler.c linux-3.1.1/drivers/char/ipmi/ipmi_msghandler.c
25372 --- linux-3.1.1/drivers/char/ipmi/ipmi_msghandler.c     2011-11-11 15:19:27.000000000 -0500
25373 +++ linux-3.1.1/drivers/char/ipmi/ipmi_msghandler.c     2011-11-16 18:40:10.000000000 -0500
25374 @@ -415,7 +415,7 @@ struct ipmi_smi {
25375         struct proc_dir_entry *proc_dir;
25376         char                  proc_dir_name[10];
25377  
25378 -       atomic_t stats[IPMI_NUM_STATS];
25379 +       atomic_unchecked_t stats[IPMI_NUM_STATS];
25380  
25381         /*
25382          * run_to_completion duplicate of smb_info, smi_info
25383 @@ -448,9 +448,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
25384  
25385  
25386  #define ipmi_inc_stat(intf, stat) \
25387 -       atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
25388 +       atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
25389  #define ipmi_get_stat(intf, stat) \
25390 -       ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
25391 +       ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
25392  
25393  static int is_lan_addr(struct ipmi_addr *addr)
25394  {
25395 @@ -2868,7 +2868,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
25396         INIT_LIST_HEAD(&intf->cmd_rcvrs);
25397         init_waitqueue_head(&intf->waitq);
25398         for (i = 0; i < IPMI_NUM_STATS; i++)
25399 -               atomic_set(&intf->stats[i], 0);
25400 +               atomic_set_unchecked(&intf->stats[i], 0);
25401  
25402         intf->proc_dir = NULL;
25403  
25404 @@ -4220,6 +4220,8 @@ static void send_panic_events(char *str)
25405         struct ipmi_smi_msg               smi_msg;
25406         struct ipmi_recv_msg              recv_msg;
25407  
25408 +       pax_track_stack();
25409 +
25410         si = (struct ipmi_system_interface_addr *) &addr;
25411         si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
25412         si->channel = IPMI_BMC_CHANNEL;
25413 diff -urNp linux-3.1.1/drivers/char/ipmi/ipmi_si_intf.c linux-3.1.1/drivers/char/ipmi/ipmi_si_intf.c
25414 --- linux-3.1.1/drivers/char/ipmi/ipmi_si_intf.c        2011-11-11 15:19:27.000000000 -0500
25415 +++ linux-3.1.1/drivers/char/ipmi/ipmi_si_intf.c        2011-11-16 18:39:07.000000000 -0500
25416 @@ -277,7 +277,7 @@ struct smi_info {
25417         unsigned char slave_addr;
25418  
25419         /* Counters and things for the proc filesystem. */
25420 -       atomic_t stats[SI_NUM_STATS];
25421 +       atomic_unchecked_t stats[SI_NUM_STATS];
25422  
25423         struct task_struct *thread;
25424  
25425 @@ -286,9 +286,9 @@ struct smi_info {
25426  };
25427  
25428  #define smi_inc_stat(smi, stat) \
25429 -       atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
25430 +       atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
25431  #define smi_get_stat(smi, stat) \
25432 -       ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
25433 +       ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
25434  
25435  #define SI_MAX_PARMS 4
25436  
25437 @@ -3230,7 +3230,7 @@ static int try_smi_init(struct smi_info 
25438         atomic_set(&new_smi->req_events, 0);
25439         new_smi->run_to_completion = 0;
25440         for (i = 0; i < SI_NUM_STATS; i++)
25441 -               atomic_set(&new_smi->stats[i], 0);
25442 +               atomic_set_unchecked(&new_smi->stats[i], 0);
25443  
25444         new_smi->interrupt_disabled = 1;
25445         atomic_set(&new_smi->stop_operation, 0);
25446 diff -urNp linux-3.1.1/drivers/char/Kconfig linux-3.1.1/drivers/char/Kconfig
25447 --- linux-3.1.1/drivers/char/Kconfig    2011-11-11 15:19:27.000000000 -0500
25448 +++ linux-3.1.1/drivers/char/Kconfig    2011-11-16 18:40:10.000000000 -0500
25449 @@ -8,7 +8,8 @@ source "drivers/tty/Kconfig"
25450  
25451  config DEVKMEM
25452         bool "/dev/kmem virtual device support"
25453 -       default y
25454 +       default n
25455 +       depends on !GRKERNSEC_KMEM
25456         help
25457           Say Y here if you want to support the /dev/kmem device. The
25458           /dev/kmem device is rarely used, but can be used for certain
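Review bot: The help text still opens with "Say Y here if you want to support the /dev/kmem device" while the option now defaults to `n` and is unavailable when `GRKERNSEC_KMEM` is set, so a user who cannot find it gets no hint why. A sentence in the help block such as "This option is not available when GRKERNSEC_KMEM is enabled, which removes /dev/kmem access entirely." would close that gap. The `DEVPORT` hunk `@@ -596` adds the same dependency without any help text at all, which is acceptable for a hidden bool but worth a comment line above the `depends on`.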
25459 @@ -596,6 +597,7 @@ config DEVPORT
25460         bool
25461         depends on !M68K
25462         depends on ISA || PCI
25463 +       depends on !GRKERNSEC_KMEM
25464         default y
25465  
25466  source "drivers/s390/char/Kconfig"
25467 diff -urNp linux-3.1.1/drivers/char/mbcs.c linux-3.1.1/drivers/char/mbcs.c
25468 --- linux-3.1.1/drivers/char/mbcs.c     2011-11-11 15:19:27.000000000 -0500
25469 +++ linux-3.1.1/drivers/char/mbcs.c     2011-11-16 18:39:07.000000000 -0500
25470 @@ -800,7 +800,7 @@ static int mbcs_remove(struct cx_dev *de
25471         return 0;
25472  }
25473  
25474 -static const struct cx_device_id __devinitdata mbcs_id_table[] = {
25475 +static const struct cx_device_id __devinitconst mbcs_id_table[] = {
25476         {
25477          .part_num = MBCS_PART_NUM,
25478          .mfg_num = MBCS_MFG_NUM,
25479 diff -urNp linux-3.1.1/drivers/char/mem.c linux-3.1.1/drivers/char/mem.c
25480 --- linux-3.1.1/drivers/char/mem.c      2011-11-11 15:19:27.000000000 -0500
25481 +++ linux-3.1.1/drivers/char/mem.c      2011-11-16 18:40:10.000000000 -0500
25482 @@ -18,6 +18,7 @@
25483  #include <linux/raw.h>
25484  #include <linux/tty.h>
25485  #include <linux/capability.h>
25486 +#include <linux/security.h>
25487  #include <linux/ptrace.h>
25488  #include <linux/device.h>
25489  #include <linux/highmem.h>
25490 @@ -34,6 +35,10 @@
25491  # include <linux/efi.h>
25492  #endif
25493  
25494 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
25495 +extern struct file_operations grsec_fops;
25496 +#endif
25497 +
25498  static inline unsigned long size_inside_page(unsigned long start,
25499                                              unsigned long size)
25500  {
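Review bot: The `extern struct file_operations grsec_fops;` declaration is placed in a `.c` file, which the kernel's own style tooling flags; it belongs in a shared header so that this declaration and the definition cannot disagree. That matters here because `file_operations` tables are normally defined `const`, and if the definition elsewhere is const while this declaration is not, the mismatch goes unnoticed by the compiler and invites a write through a pointer that should be read-only. Moving the declaration (with the matching `const`, if the definition has it) into the header that already carries the `CONFIG_GRKERNSEC` interface, and including it here, fixes both points.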
25501 @@ -65,9 +70,13 @@ static inline int range_is_allowed(unsig
25502  
25503         while (cursor < to) {
25504                 if (!devmem_is_allowed(pfn)) {
25505 +#ifdef CONFIG_GRKERNSEC_KMEM
25506 +                       gr_handle_mem_readwrite(from, to);
25507 +#else
25508                         printk(KERN_INFO
25509                 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
25510                                 current->comm, from, to);
25511 +#endif
25512                         return 0;
25513                 }
25514                 cursor += PAGE_SIZE;
25515 @@ -75,6 +84,11 @@ static inline int range_is_allowed(unsig
25516         }
25517         return 1;
25518  }
25519 +#elif defined(CONFIG_GRKERNSEC_KMEM)
25520 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
25521 +{
25522 +       return 0;
25523 +}
25524  #else
25525  static inline int range_is_allowed(unsigned long pfn, unsigned long size)
25526  {
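Review bot: The new `#elif defined(CONFIG_GRKERNSEC_KMEM)` variant of `range_is_allowed()` refuses every request silently, whereas the deny path in the first variant (hunk `@@ -65`) reports the attempt via `gr_handle_mem_readwrite(from, to)` or a `printk`. From a defender's point of view the two configurations now differ in observability: with this branch active, a process probing /dev/mem leaves no trace. If the logging hook is usable here, calling it before `return 0;` would keep the behaviour consistent; if it deliberately is not, a comment such as `/* all /dev/mem access denied; no per-range logging in this configuration */` would at least record the choice. The parameters `pfn` and `size` are intentionally unused and could carry `(void)pfn; (void)size;` or an `__always_unused`-style annotation to keep warnings quiet.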
25527 @@ -117,6 +131,7 @@ static ssize_t read_mem(struct file *fil
25528  
25529         while (count > 0) {
25530                 unsigned long remaining;
25531 +               char *temp;
25532  
25533                 sz = size_inside_page(p, count);
25534  
25535 @@ -132,7 +147,23 @@ static ssize_t read_mem(struct file *fil
25536                 if (!ptr)
25537                         return -EFAULT;
25538  
25539 -               remaining = copy_to_user(buf, ptr, sz);
25540 +#ifdef CONFIG_PAX_USERCOPY
25541 +               temp = kmalloc(sz, GFP_KERNEL);
25542 +               if (!temp) {
25543 +                       unxlate_dev_mem_ptr(p, ptr);
25544 +                       return -ENOMEM;
25545 +               }
25546 +               memcpy(temp, ptr, sz);
25547 +#else
25548 +               temp = ptr;
25549 +#endif
25550 +
25551 +               remaining = copy_to_user(buf, temp, sz);
25552 +
25553 +#ifdef CONFIG_PAX_USERCOPY
25554 +               kfree(temp);
25555 +#endif
25556 +
25557                 unxlate_dev_mem_ptr(p, ptr);
25558                 if (remaining)
25559                         return -EFAULT;
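Review bot: The PAX_USERCOPY bounce buffer in read_mem() is allocated and freed once per page of the request, and carries no comment explaining why copy_to_user() cannot be fed `ptr` directly; the same pattern repeats in the read_kmem hunk further down (`@@ -428,7 +460,22 @@`). A comment along the lines of `/* PAX_USERCOPY only accepts slab or stack objects as copy_to_user() sources, so bounce the page through a kmalloc buffer */` would record the intent — confirm that is the reason before adding it. Allocating one PAGE_SIZE buffer before the `while (count > 0)` loop and freeing it at every exit would remove the per-iteration kmalloc/kfree, though read_mem() has several return paths and its start is outside this hunk, so that is a larger change than it looks.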
25560 @@ -395,9 +426,8 @@ static ssize_t read_kmem(struct file *fi
25561                          size_t count, loff_t *ppos)
25562  {
25563         unsigned long p = *ppos;
25564 -       ssize_t low_count, read, sz;
25565 +       ssize_t low_count, read, sz, err = 0;
25566         char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
25567 -       int err = 0;
25568  
25569         read = 0;
25570         if (p < (unsigned long) high_memory) {
25571 @@ -419,6 +449,8 @@ static ssize_t read_kmem(struct file *fi
25572                 }
25573  #endif
25574                 while (low_count > 0) {
25575 +                       char *temp;
25576 +
25577                         sz = size_inside_page(p, low_count);
25578  
25579                         /*
25580 @@ -428,7 +460,22 @@ static ssize_t read_kmem(struct file *fi
25581                          */
25582                         kbuf = xlate_dev_kmem_ptr((char *)p);
25583  
25584 -                       if (copy_to_user(buf, kbuf, sz))
25585 +#ifdef CONFIG_PAX_USERCOPY
25586 +                       temp = kmalloc(sz, GFP_KERNEL);
25587 +                       if (!temp)
25588 +                               return -ENOMEM;
25589 +                       memcpy(temp, kbuf, sz);
25590 +#else
25591 +                       temp = kbuf;
25592 +#endif
25593 +
25594 +                       err = copy_to_user(buf, temp, sz);
25595 +
25596 +#ifdef CONFIG_PAX_USERCOPY
25597 +                       kfree(temp);
25598 +#endif
25599 +
25600 +                       if (err)
25601                                 return -EFAULT;
25602                         buf += sz;
25603                         p += sz;
25604 @@ -866,6 +913,9 @@ static const struct memdev {
25605  #ifdef CONFIG_CRASH_DUMP
25606         [12] = { "oldmem", 0, &oldmem_fops, NULL },
25607  #endif
25608 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
25609 +       [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
25610 +#endif
25611  };
25612  
25613  static int memory_open(struct inode *inode, struct file *filp)
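Review bot: The new `[13]` entry gives the grsec device mode `S_IRUSR | S_IWUGO`, i.e. world-writable, and nothing in this hunk shows what gates writes — presumably the write handler behind grsec_fops authenticates the caller, but that lives outside this section. A comment on the entry naming the check that makes a world-writable node acceptable would save the next reader from reaching for chmod. Minor style: `"grsec",S_IRUSR` is missing the space after the comma that the neighbouring entries use.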
25614 diff -urNp linux-3.1.1/drivers/char/nvram.c linux-3.1.1/drivers/char/nvram.c
25615 --- linux-3.1.1/drivers/char/nvram.c    2011-11-11 15:19:27.000000000 -0500
25616 +++ linux-3.1.1/drivers/char/nvram.c    2011-11-16 18:39:07.000000000 -0500
25617 @@ -248,7 +248,7 @@ static ssize_t nvram_read(struct file *f
25618  
25619         spin_unlock_irq(&rtc_lock);
25620  
25621 -       if (copy_to_user(buf, contents, tmp - contents))
25622 +       if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
25623                 return -EFAULT;
25624  
25625         *ppos = i;
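Review bot: `tmp - contents > sizeof(contents)` compares a signed `ptrdiff_t` with a `size_t`; the difference is promoted to unsigned, so a negative value takes the -EFAULT path (the safe direction), but `-Wsign-compare` will flag it and the intent is not obvious. Writing it as `(size_t)(tmp - contents) > sizeof(contents)` makes the unsigned comparison deliberate. The same signed/unsigned shape appears in the random.c extract_entropy_user hunk below (`i > sizeof(tmp)` with an `int` i).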
25626 diff -urNp linux-3.1.1/drivers/char/random.c linux-3.1.1/drivers/char/random.c
25627 --- linux-3.1.1/drivers/char/random.c   2011-11-11 15:19:27.000000000 -0500
25628 +++ linux-3.1.1/drivers/char/random.c   2011-11-16 18:40:10.000000000 -0500
25629 @@ -261,8 +261,13 @@
25630  /*
25631   * Configuration information
25632   */
25633 +#ifdef CONFIG_GRKERNSEC_RANDNET
25634 +#define INPUT_POOL_WORDS 512
25635 +#define OUTPUT_POOL_WORDS 128
25636 +#else
25637  #define INPUT_POOL_WORDS 128
25638  #define OUTPUT_POOL_WORDS 32
25639 +#endif
25640  #define SEC_XFER_SIZE 512
25641  #define EXTRACT_SIZE 10
25642  
25643 @@ -300,10 +305,17 @@ static struct poolinfo {
25644         int poolwords;
25645         int tap1, tap2, tap3, tap4, tap5;
25646  } poolinfo_table[] = {
25647 +#ifdef CONFIG_GRKERNSEC_RANDNET
25648 +       /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
25649 +       { 512,  411,    308,    208,    104,    1 },
25650 +       /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
25651 +       { 128,  103,    76,     51,     25,     1 },
25652 +#else
25653         /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
25654         { 128,  103,    76,     51,     25,     1 },
25655         /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
25656         { 32,   26,     20,     14,     7,      1 },
25657 +#endif
25658  #if 0
25659         /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1  -- 115 */
25660         { 2048, 1638,   1231,   819,    411,    1 },
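Review bot: The RANDNET rows of poolinfo_table must stay in lock-step with the INPUT_POOL_WORDS/OUTPUT_POOL_WORDS values changed in the previous hunk (`@@ -261,8 +261,13 @@`), since the pool buffers are presumably sized by those macros while the mixing taps come from this table, yet nothing in the diff ties the two together. A comment next to the new rows, such as `/* must match INPUT_POOL_WORDS / OUTPUT_POOL_WORDS under CONFIG_GRKERNSEC_RANDNET */`, or a build-time size check, would make the coupling explicit.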
25661 @@ -909,7 +921,7 @@ static ssize_t extract_entropy_user(stru
25662  
25663                 extract_buf(r, tmp);
25664                 i = min_t(int, nbytes, EXTRACT_SIZE);
25665 -               if (copy_to_user(buf, tmp, i)) {
25666 +               if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
25667                         ret = -EFAULT;
25668                         break;
25669                 }
25670 @@ -1214,7 +1226,7 @@ EXPORT_SYMBOL(generate_random_uuid);
25671  #include <linux/sysctl.h>
25672  
25673  static int min_read_thresh = 8, min_write_thresh;
25674 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
25675 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
25676  static int max_write_thresh = INPUT_POOL_WORDS * 32;
25677  static char sysctl_bootid[16];
25678  
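Review bot: Changing the `max_read_thresh` bound from `INPUT_POOL_WORDS * 32` to `OUTPUT_POOL_WORDS * 32` silently lowers the ceiling of the sysctl that uses it as its upper limit (from 4096 to 1024 bits in the non-RANDNET configuration), so a previously accepted value can now be rejected, and the patch gives no reason. If the point is that the read threshold is compared against the output pools, a comment `/* the read threshold applies to the output pools, so bound it by their size */` should accompany the change.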
25679 diff -urNp linux-3.1.1/drivers/char/sonypi.c linux-3.1.1/drivers/char/sonypi.c
25680 --- linux-3.1.1/drivers/char/sonypi.c   2011-11-11 15:19:27.000000000 -0500
25681 +++ linux-3.1.1/drivers/char/sonypi.c   2011-11-16 18:39:07.000000000 -0500
25682 @@ -55,6 +55,7 @@
25683  #include <asm/uaccess.h>
25684  #include <asm/io.h>
25685  #include <asm/system.h>
25686 +#include <asm/local.h>
25687  
25688  #include <linux/sonypi.h>
25689  
25690 @@ -491,7 +492,7 @@ static struct sonypi_device {
25691         spinlock_t fifo_lock;
25692         wait_queue_head_t fifo_proc_list;
25693         struct fasync_struct *fifo_async;
25694 -       int open_count;
25695 +       local_t open_count;
25696         int model;
25697         struct input_dev *input_jog_dev;
25698         struct input_dev *input_key_dev;
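Review bot: Switching `open_count` to `local_t` adds no safety here, because every access in the two hunks below (sonypi_misc_release, sonypi_misc_open) is already serialised by `sonypi_device.lock`, and `local_t` is the per-CPU atomic type, so a reader will wonder which CPU-local semantics are intended. If the goal is overflow-protected counter semantics under the PaX refcount instrumentation, say so next to the field: `local_t open_count; /* local_t for PAX_REFCOUNT overflow detection; guarded by lock */`. Otherwise `atomic_t` is the conventional type for a cross-CPU open count.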
25699 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
25700  static int sonypi_misc_release(struct inode *inode, struct file *file)
25701  {
25702         mutex_lock(&sonypi_device.lock);
25703 -       sonypi_device.open_count--;
25704 +       local_dec(&sonypi_device.open_count);
25705         mutex_unlock(&sonypi_device.lock);
25706         return 0;
25707  }
25708 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
25709  {
25710         mutex_lock(&sonypi_device.lock);
25711         /* Flush input queue on first open */
25712 -       if (!sonypi_device.open_count)
25713 +       if (!local_read(&sonypi_device.open_count))
25714                 kfifo_reset(&sonypi_device.fifo);
25715 -       sonypi_device.open_count++;
25716 +       local_inc(&sonypi_device.open_count);
25717         mutex_unlock(&sonypi_device.lock);
25718  
25719         return 0;
25720 diff -urNp linux-3.1.1/drivers/char/tpm/tpm_bios.c linux-3.1.1/drivers/char/tpm/tpm_bios.c
25721 --- linux-3.1.1/drivers/char/tpm/tpm_bios.c     2011-11-11 15:19:27.000000000 -0500
25722 +++ linux-3.1.1/drivers/char/tpm/tpm_bios.c     2011-11-16 18:39:07.000000000 -0500
25723 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
25724         event = addr;
25725  
25726         if ((event->event_type == 0 && event->event_size == 0) ||
25727 -           ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
25728 +           (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
25729                 return NULL;
25730  
25731         return addr;
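Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` is only safe if `limit - addr` is already known to exceed `sizeof(struct tcpa_event)`; otherwise the subtraction wraps to a large unsigned value and an oversized event passes the check it was meant to fail. The check a few lines above the hunk appears to establish exactly that, but it is outside the hunk, so a comment such as `/* addr + sizeof(*event) < limit was checked above, so this cannot underflow */` should be added to pin the dependency. The same rewrite appears in the tpm_bios_measurements_next hunk right after this one.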
25732 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
25733                 return NULL;
25734  
25735         if ((event->event_type == 0 && event->event_size == 0) ||
25736 -           ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
25737 +           (event->event_size >= limit - v - sizeof(struct tcpa_event)))
25738                 return NULL;
25739  
25740         (*pos)++;
25741 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
25742         int i;
25743  
25744         for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
25745 -               seq_putc(m, data[i]);
25746 +               if (!seq_putc(m, data[i]))
25747 +                       return -EFAULT;
25748  
25749         return 0;
25750  }
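Review bot: `if (!seq_putc(m, data[i])) return -EFAULT;` looks inverted for this kernel's seq_putc(), which in the 3.x tree returns 0 when the byte was stored and -1 when the seq_file buffer is full; as written the loop bails out with -EFAULT on the first successfully written byte. Even with the sense corrected, returning an error on buffer exhaustion defeats seq_file's normal handling of an overflowed buffer (retrying with a larger one), so the conventional shape is `if (seq_putc(m, data[i]) < 0) break;` followed by the existing `return 0;`, or simply keeping the unchecked call, since seq_putc() stops storing bytes once the buffer is full. Please verify the return convention against the seq_putc() in this tree before merging.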
25751 @@ -410,8 +411,13 @@ static int read_log(struct tpm_bios_log 
25752         log->bios_event_log_end = log->bios_event_log + len;
25753  
25754         virt = acpi_os_map_memory(start, len);
25755 +       if (!virt) {
25756 +               kfree(log->bios_event_log);
25757 +               log->bios_event_log = NULL;
25758 +               return -EFAULT;
25759 +       }
25760  
25761 -       memcpy(log->bios_event_log, virt, len);
25762 +       memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);
25763  
25764         acpi_os_unmap_memory(virt, len);
25765         return 0;
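Review bot: The new `acpi_os_map_memory()` failure path frees `log->bios_event_log` but leaves `log->bios_event_log_end`, set at the top of the hunk to `log->bios_event_log + len`, pointing past the freed buffer; add `log->bios_event_log_end = NULL;` beside the existing reset so a caller that inspects the log struct cannot dereference it. `-EFAULT` is also an odd code for a failed ACPI mapping, which is neither a user-address fault nor necessarily permanent; `-ENOMEM` or `-EIO` would describe it better.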
25766 diff -urNp linux-3.1.1/drivers/char/tpm/tpm.c linux-3.1.1/drivers/char/tpm/tpm.c
25767 --- linux-3.1.1/drivers/char/tpm/tpm.c  2011-11-11 15:19:27.000000000 -0500
25768 +++ linux-3.1.1/drivers/char/tpm/tpm.c  2011-11-16 18:40:10.000000000 -0500
25769 @@ -414,7 +414,7 @@ static ssize_t tpm_transmit(struct tpm_c
25770                     chip->vendor.req_complete_val)
25771                         goto out_recv;
25772  
25773 -               if ((status == chip->vendor.req_canceled)) {
25774 +               if (status == chip->vendor.req_canceled) {
25775                         dev_err(chip->dev, "Operation Canceled\n");
25776                         rc = -ECANCELED;
25777                         goto out;
25778 @@ -862,6 +862,8 @@ ssize_t tpm_show_pubek(struct device *de
25779  
25780         struct tpm_chip *chip = dev_get_drvdata(dev);
25781  
25782 +       pax_track_stack();
25783 +
25784         tpm_cmd.header.in = tpm_readpubek_header;
25785         err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
25786                         "attempting to read the PUBEK");
25787 diff -urNp linux-3.1.1/drivers/char/virtio_console.c linux-3.1.1/drivers/char/virtio_console.c
25788 --- linux-3.1.1/drivers/char/virtio_console.c   2011-11-11 15:19:27.000000000 -0500
25789 +++ linux-3.1.1/drivers/char/virtio_console.c   2011-11-16 18:39:07.000000000 -0500
25790 @@ -555,7 +555,7 @@ static ssize_t fill_readbuf(struct port 
25791         if (to_user) {
25792                 ssize_t ret;
25793  
25794 -               ret = copy_to_user(out_buf, buf->buf + buf->offset, out_count);
25795 +               ret = copy_to_user((char __force_user *)out_buf, buf->buf + buf->offset, out_count);
25796                 if (ret)
25797                         return -EFAULT;
25798         } else {
25799 @@ -654,7 +654,7 @@ static ssize_t port_fops_read(struct fil
25800         if (!port_has_data(port) && !port->host_connected)
25801                 return 0;
25802  
25803 -       return fill_readbuf(port, ubuf, count, true);
25804 +       return fill_readbuf(port, (char __force_kernel *)ubuf, count, true);
25805  }
25806  
25807  static ssize_t port_fops_write(struct file *filp, const char __user *ubuf,
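Review bot: The `(char __force_kernel *)ubuf` cast at the call site erases the `__user` annotation only so that fill_readbuf() can put it back with `(char __force_user *)` in the hunk above (`@@ -555,7 +555,7 @@`); the paired force casts switch sparse off precisely on the path that crosses the user/kernel boundary. Since fill_readbuf() already takes a `bool to_user`, giving it a `char __user *` parameter alongside the kernel pointer (or a small union) would keep the address-space check without the casts. fill_readbuf() itself starts outside the earlier hunk, so its full signature is not visible here.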
25808 diff -urNp linux-3.1.1/drivers/crypto/hifn_795x.c linux-3.1.1/drivers/crypto/hifn_795x.c
25809 --- linux-3.1.1/drivers/crypto/hifn_795x.c      2011-11-11 15:19:27.000000000 -0500
25810 +++ linux-3.1.1/drivers/crypto/hifn_795x.c      2011-11-16 18:40:10.000000000 -0500
25811 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device 
25812                 0xCA, 0x34, 0x2B, 0x2E};
25813         struct scatterlist sg;
25814  
25815 +       pax_track_stack();
25816 +
25817         memset(src, 0, sizeof(src));
25818         memset(ctx.key, 0, sizeof(ctx.key));
25819  
25820 diff -urNp linux-3.1.1/drivers/crypto/padlock-aes.c linux-3.1.1/drivers/crypto/padlock-aes.c
25821 --- linux-3.1.1/drivers/crypto/padlock-aes.c    2011-11-11 15:19:27.000000000 -0500
25822 +++ linux-3.1.1/drivers/crypto/padlock-aes.c    2011-11-16 18:40:10.000000000 -0500
25823 @@ -109,6 +109,8 @@ static int aes_set_key(struct crypto_tfm
25824         struct crypto_aes_ctx gen_aes;
25825         int cpu;
25826  
25827 +       pax_track_stack();
25828 +
25829         if (key_len % 8) {
25830                 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
25831                 return -EINVAL;
25832 diff -urNp linux-3.1.1/drivers/edac/amd64_edac.c linux-3.1.1/drivers/edac/amd64_edac.c
25833 --- linux-3.1.1/drivers/edac/amd64_edac.c       2011-11-11 15:19:27.000000000 -0500
25834 +++ linux-3.1.1/drivers/edac/amd64_edac.c       2011-11-16 18:39:07.000000000 -0500
25835 @@ -2670,7 +2670,7 @@ static void __devexit amd64_remove_one_i
25836   * PCI core identifies what devices are on a system during boot, and then
25837   * inquiry this table to see if this driver is for a given device found.
25838   */
25839 -static const struct pci_device_id amd64_pci_table[] __devinitdata = {
25840 +static const struct pci_device_id amd64_pci_table[] __devinitconst = {
25841         {
25842                 .vendor         = PCI_VENDOR_ID_AMD,
25843                 .device         = PCI_DEVICE_ID_AMD_K8_NB_MEMCTL,
25844 diff -urNp linux-3.1.1/drivers/edac/amd76x_edac.c linux-3.1.1/drivers/edac/amd76x_edac.c
25845 --- linux-3.1.1/drivers/edac/amd76x_edac.c      2011-11-11 15:19:27.000000000 -0500
25846 +++ linux-3.1.1/drivers/edac/amd76x_edac.c      2011-11-16 18:39:07.000000000 -0500
25847 @@ -321,7 +321,7 @@ static void __devexit amd76x_remove_one(
25848         edac_mc_free(mci);
25849  }
25850  
25851 -static const struct pci_device_id amd76x_pci_tbl[] __devinitdata = {
25852 +static const struct pci_device_id amd76x_pci_tbl[] __devinitconst = {
25853         {
25854          PCI_VEND_DEV(AMD, FE_GATE_700C), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25855          AMD762},
25856 diff -urNp linux-3.1.1/drivers/edac/e752x_edac.c linux-3.1.1/drivers/edac/e752x_edac.c
25857 --- linux-3.1.1/drivers/edac/e752x_edac.c       2011-11-11 15:19:27.000000000 -0500
25858 +++ linux-3.1.1/drivers/edac/e752x_edac.c       2011-11-16 18:39:07.000000000 -0500
25859 @@ -1380,7 +1380,7 @@ static void __devexit e752x_remove_one(s
25860         edac_mc_free(mci);
25861  }
25862  
25863 -static const struct pci_device_id e752x_pci_tbl[] __devinitdata = {
25864 +static const struct pci_device_id e752x_pci_tbl[] __devinitconst = {
25865         {
25866          PCI_VEND_DEV(INTEL, 7520_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25867          E7520},
25868 diff -urNp linux-3.1.1/drivers/edac/e7xxx_edac.c linux-3.1.1/drivers/edac/e7xxx_edac.c
25869 --- linux-3.1.1/drivers/edac/e7xxx_edac.c       2011-11-11 15:19:27.000000000 -0500
25870 +++ linux-3.1.1/drivers/edac/e7xxx_edac.c       2011-11-16 18:39:07.000000000 -0500
25871 @@ -525,7 +525,7 @@ static void __devexit e7xxx_remove_one(s
25872         edac_mc_free(mci);
25873  }
25874  
25875 -static const struct pci_device_id e7xxx_pci_tbl[] __devinitdata = {
25876 +static const struct pci_device_id e7xxx_pci_tbl[] __devinitconst = {
25877         {
25878          PCI_VEND_DEV(INTEL, 7205_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25879          E7205},
25880 diff -urNp linux-3.1.1/drivers/edac/edac_pci_sysfs.c linux-3.1.1/drivers/edac/edac_pci_sysfs.c
25881 --- linux-3.1.1/drivers/edac/edac_pci_sysfs.c   2011-11-11 15:19:27.000000000 -0500
25882 +++ linux-3.1.1/drivers/edac/edac_pci_sysfs.c   2011-11-16 18:39:07.000000000 -0500
25883 @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1;               /* log 
25884  static int edac_pci_log_npe = 1;       /* log PCI non-parity error errors */
25885  static int edac_pci_poll_msec = 1000;  /* one second workq period */
25886  
25887 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
25888 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
25889 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
25890 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
25891  
25892  static struct kobject *edac_pci_top_main_kobj;
25893  static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
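Review bot: Changing `pci_parity_count` and `pci_nonparity_count` to `atomic_unchecked_t` opts these counters out of overflow checking without a word on why that is acceptable, and the same substitution is applied at every `atomic_inc`/`atomic_read` site in the hunks that follow. A comment on the declarations, e.g. `/* statistics only, wrap is harmless: exempt from refcount overflow detection */`, would tell the next reader what distinguishes them from `edac_pci_sysfs_refcount`, which stays a checked `atomic_t` on the line below.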
25894 @@ -582,7 +582,7 @@ static void edac_pci_dev_parity_test(str
25895                         edac_printk(KERN_CRIT, EDAC_PCI,
25896                                 "Signaled System Error on %s\n",
25897                                 pci_name(dev));
25898 -                       atomic_inc(&pci_nonparity_count);
25899 +                       atomic_inc_unchecked(&pci_nonparity_count);
25900                 }
25901  
25902                 if (status & (PCI_STATUS_PARITY)) {
25903 @@ -590,7 +590,7 @@ static void edac_pci_dev_parity_test(str
25904                                 "Master Data Parity Error on %s\n",
25905                                 pci_name(dev));
25906  
25907 -                       atomic_inc(&pci_parity_count);
25908 +                       atomic_inc_unchecked(&pci_parity_count);
25909                 }
25910  
25911                 if (status & (PCI_STATUS_DETECTED_PARITY)) {
25912 @@ -598,7 +598,7 @@ static void edac_pci_dev_parity_test(str
25913                                 "Detected Parity Error on %s\n",
25914                                 pci_name(dev));
25915  
25916 -                       atomic_inc(&pci_parity_count);
25917 +                       atomic_inc_unchecked(&pci_parity_count);
25918                 }
25919         }
25920  
25921 @@ -619,7 +619,7 @@ static void edac_pci_dev_parity_test(str
25922                                 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
25923                                         "Signaled System Error on %s\n",
25924                                         pci_name(dev));
25925 -                               atomic_inc(&pci_nonparity_count);
25926 +                               atomic_inc_unchecked(&pci_nonparity_count);
25927                         }
25928  
25929                         if (status & (PCI_STATUS_PARITY)) {
25930 @@ -627,7 +627,7 @@ static void edac_pci_dev_parity_test(str
25931                                         "Master Data Parity Error on "
25932                                         "%s\n", pci_name(dev));
25933  
25934 -                               atomic_inc(&pci_parity_count);
25935 +                               atomic_inc_unchecked(&pci_parity_count);
25936                         }
25937  
25938                         if (status & (PCI_STATUS_DETECTED_PARITY)) {
25939 @@ -635,7 +635,7 @@ static void edac_pci_dev_parity_test(str
25940                                         "Detected Parity Error on %s\n",
25941                                         pci_name(dev));
25942  
25943 -                               atomic_inc(&pci_parity_count);
25944 +                               atomic_inc_unchecked(&pci_parity_count);
25945                         }
25946                 }
25947         }
25948 @@ -677,7 +677,7 @@ void edac_pci_do_parity_check(void)
25949         if (!check_pci_errors)
25950                 return;
25951  
25952 -       before_count = atomic_read(&pci_parity_count);
25953 +       before_count = atomic_read_unchecked(&pci_parity_count);
25954  
25955         /* scan all PCI devices looking for a Parity Error on devices and
25956          * bridges.
25957 @@ -689,7 +689,7 @@ void edac_pci_do_parity_check(void)
25958         /* Only if operator has selected panic on PCI Error */
25959         if (edac_pci_get_panic_on_pe()) {
25960                 /* If the count is different 'after' from 'before' */
25961 -               if (before_count != atomic_read(&pci_parity_count))
25962 +               if (before_count != atomic_read_unchecked(&pci_parity_count))
25963                         panic("EDAC: PCI Parity Error");
25964         }
25965  }
25966 diff -urNp linux-3.1.1/drivers/edac/i3000_edac.c linux-3.1.1/drivers/edac/i3000_edac.c
25967 --- linux-3.1.1/drivers/edac/i3000_edac.c       2011-11-11 15:19:27.000000000 -0500
25968 +++ linux-3.1.1/drivers/edac/i3000_edac.c       2011-11-16 18:39:07.000000000 -0500
25969 @@ -470,7 +470,7 @@ static void __devexit i3000_remove_one(s
25970         edac_mc_free(mci);
25971  }
25972  
25973 -static const struct pci_device_id i3000_pci_tbl[] __devinitdata = {
25974 +static const struct pci_device_id i3000_pci_tbl[] __devinitconst = {
25975         {
25976          PCI_VEND_DEV(INTEL, 3000_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25977          I3000},
25978 diff -urNp linux-3.1.1/drivers/edac/i3200_edac.c linux-3.1.1/drivers/edac/i3200_edac.c
25979 --- linux-3.1.1/drivers/edac/i3200_edac.c       2011-11-11 15:19:27.000000000 -0500
25980 +++ linux-3.1.1/drivers/edac/i3200_edac.c       2011-11-16 18:39:07.000000000 -0500
25981 @@ -456,7 +456,7 @@ static void __devexit i3200_remove_one(s
25982         edac_mc_free(mci);
25983  }
25984  
25985 -static const struct pci_device_id i3200_pci_tbl[] __devinitdata = {
25986 +static const struct pci_device_id i3200_pci_tbl[] __devinitconst = {
25987         {
25988                 PCI_VEND_DEV(INTEL, 3200_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25989                 I3200},
25990 diff -urNp linux-3.1.1/drivers/edac/i5000_edac.c linux-3.1.1/drivers/edac/i5000_edac.c
25991 --- linux-3.1.1/drivers/edac/i5000_edac.c       2011-11-11 15:19:27.000000000 -0500
25992 +++ linux-3.1.1/drivers/edac/i5000_edac.c       2011-11-16 18:39:07.000000000 -0500
25993 @@ -1516,7 +1516,7 @@ static void __devexit i5000_remove_one(s
25994   *
25995   *     The "E500P" device is the first device supported.
25996   */
25997 -static const struct pci_device_id i5000_pci_tbl[] __devinitdata = {
25998 +static const struct pci_device_id i5000_pci_tbl[] __devinitconst = {
25999         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_I5000_DEV16),
26000          .driver_data = I5000P},
26001  
26002 diff -urNp linux-3.1.1/drivers/edac/i5100_edac.c linux-3.1.1/drivers/edac/i5100_edac.c
26003 --- linux-3.1.1/drivers/edac/i5100_edac.c       2011-11-11 15:19:27.000000000 -0500
26004 +++ linux-3.1.1/drivers/edac/i5100_edac.c       2011-11-16 18:39:07.000000000 -0500
26005 @@ -1051,7 +1051,7 @@ static void __devexit i5100_remove_one(s
26006         edac_mc_free(mci);
26007  }
26008  
26009 -static const struct pci_device_id i5100_pci_tbl[] __devinitdata = {
26010 +static const struct pci_device_id i5100_pci_tbl[] __devinitconst = {
26011         /* Device 16, Function 0, Channel 0 Memory Map, Error Flag/Mask, ... */
26012         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5100_16) },
26013         { 0, }
26014 diff -urNp linux-3.1.1/drivers/edac/i5400_edac.c linux-3.1.1/drivers/edac/i5400_edac.c
26015 --- linux-3.1.1/drivers/edac/i5400_edac.c       2011-11-11 15:19:27.000000000 -0500
26016 +++ linux-3.1.1/drivers/edac/i5400_edac.c       2011-11-16 18:39:07.000000000 -0500
26017 @@ -1383,7 +1383,7 @@ static void __devexit i5400_remove_one(s
26018   *
26019   *     The "E500P" device is the first device supported.
26020   */
26021 -static const struct pci_device_id i5400_pci_tbl[] __devinitdata = {
26022 +static const struct pci_device_id i5400_pci_tbl[] __devinitconst = {
26023         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5400_ERR)},
26024         {0,}                    /* 0 terminated list. */
26025  };
26026 diff -urNp linux-3.1.1/drivers/edac/i7300_edac.c linux-3.1.1/drivers/edac/i7300_edac.c
26027 --- linux-3.1.1/drivers/edac/i7300_edac.c       2011-11-11 15:19:27.000000000 -0500
26028 +++ linux-3.1.1/drivers/edac/i7300_edac.c       2011-11-16 18:39:07.000000000 -0500
26029 @@ -1191,7 +1191,7 @@ static void __devexit i7300_remove_one(s
26030   *
26031   * Has only 8086:360c PCI ID
26032   */
26033 -static const struct pci_device_id i7300_pci_tbl[] __devinitdata = {
26034 +static const struct pci_device_id i7300_pci_tbl[] __devinitconst = {
26035         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_I7300_MCH_ERR)},
26036         {0,}                    /* 0 terminated list. */
26037  };
26038 diff -urNp linux-3.1.1/drivers/edac/i7core_edac.c linux-3.1.1/drivers/edac/i7core_edac.c
26039 --- linux-3.1.1/drivers/edac/i7core_edac.c      2011-11-11 15:19:27.000000000 -0500
26040 +++ linux-3.1.1/drivers/edac/i7core_edac.c      2011-11-16 18:39:07.000000000 -0500
26041 @@ -359,7 +359,7 @@ static const struct pci_id_table pci_dev
26042  /*
26043   *     pci_device_id   table for which devices we are looking for
26044   */
26045 -static const struct pci_device_id i7core_pci_tbl[] __devinitdata = {
26046 +static const struct pci_device_id i7core_pci_tbl[] __devinitconst = {
26047         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_X58_HUB_MGMT)},
26048         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_LYNNFIELD_QPI_LINK0)},
26049         {0,}                    /* 0 terminated list. */
26050 diff -urNp linux-3.1.1/drivers/edac/i82443bxgx_edac.c linux-3.1.1/drivers/edac/i82443bxgx_edac.c
26051 --- linux-3.1.1/drivers/edac/i82443bxgx_edac.c  2011-11-11 15:19:27.000000000 -0500
26052 +++ linux-3.1.1/drivers/edac/i82443bxgx_edac.c  2011-11-16 18:39:07.000000000 -0500
26053 @@ -380,7 +380,7 @@ static void __devexit i82443bxgx_edacmc_
26054  
26055  EXPORT_SYMBOL_GPL(i82443bxgx_edacmc_remove_one);
26056  
26057 -static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitdata = {
26058 +static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitconst = {
26059         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_0)},
26060         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_2)},
26061         {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0)},
26062 diff -urNp linux-3.1.1/drivers/edac/i82860_edac.c linux-3.1.1/drivers/edac/i82860_edac.c
26063 --- linux-3.1.1/drivers/edac/i82860_edac.c      2011-11-11 15:19:27.000000000 -0500
26064 +++ linux-3.1.1/drivers/edac/i82860_edac.c      2011-11-16 18:39:07.000000000 -0500
26065 @@ -270,7 +270,7 @@ static void __devexit i82860_remove_one(
26066         edac_mc_free(mci);
26067  }
26068  
26069 -static const struct pci_device_id i82860_pci_tbl[] __devinitdata = {
26070 +static const struct pci_device_id i82860_pci_tbl[] __devinitconst = {
26071         {
26072          PCI_VEND_DEV(INTEL, 82860_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26073          I82860},
26074 diff -urNp linux-3.1.1/drivers/edac/i82875p_edac.c linux-3.1.1/drivers/edac/i82875p_edac.c
26075 --- linux-3.1.1/drivers/edac/i82875p_edac.c     2011-11-11 15:19:27.000000000 -0500
26076 +++ linux-3.1.1/drivers/edac/i82875p_edac.c     2011-11-16 18:39:07.000000000 -0500
26077 @@ -511,7 +511,7 @@ static void __devexit i82875p_remove_one
26078         edac_mc_free(mci);
26079  }
26080  
26081 -static const struct pci_device_id i82875p_pci_tbl[] __devinitdata = {
26082 +static const struct pci_device_id i82875p_pci_tbl[] __devinitconst = {
26083         {
26084          PCI_VEND_DEV(INTEL, 82875_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26085          I82875P},
26086 diff -urNp linux-3.1.1/drivers/edac/i82975x_edac.c linux-3.1.1/drivers/edac/i82975x_edac.c
26087 --- linux-3.1.1/drivers/edac/i82975x_edac.c     2011-11-11 15:19:27.000000000 -0500
26088 +++ linux-3.1.1/drivers/edac/i82975x_edac.c     2011-11-16 18:39:07.000000000 -0500
26089 @@ -604,7 +604,7 @@ static void __devexit i82975x_remove_one
26090         edac_mc_free(mci);
26091  }
26092  
26093 -static const struct pci_device_id i82975x_pci_tbl[] __devinitdata = {
26094 +static const struct pci_device_id i82975x_pci_tbl[] __devinitconst = {
26095         {
26096                 PCI_VEND_DEV(INTEL, 82975_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26097                 I82975X
26098 diff -urNp linux-3.1.1/drivers/edac/mce_amd.h linux-3.1.1/drivers/edac/mce_amd.h
26099 --- linux-3.1.1/drivers/edac/mce_amd.h  2011-11-11 15:19:27.000000000 -0500
26100 +++ linux-3.1.1/drivers/edac/mce_amd.h  2011-11-16 18:39:07.000000000 -0500
26101 @@ -83,7 +83,7 @@ struct amd_decoder_ops {
26102         bool (*dc_mce)(u16, u8);
26103         bool (*ic_mce)(u16, u8);
26104         bool (*nb_mce)(u16, u8);
26105 -};
26106 +} __no_const;
26107  
26108  void amd_report_gart_errors(bool);
26109  void amd_register_ecc_decoder(void (*f)(int, struct mce *, u32));
26110 diff -urNp linux-3.1.1/drivers/edac/r82600_edac.c linux-3.1.1/drivers/edac/r82600_edac.c
26111 --- linux-3.1.1/drivers/edac/r82600_edac.c      2011-11-11 15:19:27.000000000 -0500
26112 +++ linux-3.1.1/drivers/edac/r82600_edac.c      2011-11-16 18:39:07.000000000 -0500
26113 @@ -373,7 +373,7 @@ static void __devexit r82600_remove_one(
26114         edac_mc_free(mci);
26115  }
26116  
26117 -static const struct pci_device_id r82600_pci_tbl[] __devinitdata = {
26118 +static const struct pci_device_id r82600_pci_tbl[] __devinitconst = {
26119         {
26120          PCI_DEVICE(PCI_VENDOR_ID_RADISYS, R82600_BRIDGE_ID)
26121          },
26122 diff -urNp linux-3.1.1/drivers/edac/x38_edac.c linux-3.1.1/drivers/edac/x38_edac.c
26123 --- linux-3.1.1/drivers/edac/x38_edac.c 2011-11-11 15:19:27.000000000 -0500
26124 +++ linux-3.1.1/drivers/edac/x38_edac.c 2011-11-16 18:39:07.000000000 -0500
26125 @@ -440,7 +440,7 @@ static void __devexit x38_remove_one(str
26126         edac_mc_free(mci);
26127  }
26128  
26129 -static const struct pci_device_id x38_pci_tbl[] __devinitdata = {
26130 +static const struct pci_device_id x38_pci_tbl[] __devinitconst = {
26131         {
26132          PCI_VEND_DEV(INTEL, X38_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26133          X38},
26134 diff -urNp linux-3.1.1/drivers/firewire/core-card.c linux-3.1.1/drivers/firewire/core-card.c
26135 --- linux-3.1.1/drivers/firewire/core-card.c    2011-11-11 15:19:27.000000000 -0500
26136 +++ linux-3.1.1/drivers/firewire/core-card.c    2011-11-16 18:39:07.000000000 -0500
26137 @@ -657,7 +657,7 @@ void fw_card_release(struct kref *kref)
26138  
26139  void fw_core_remove_card(struct fw_card *card)
26140  {
26141 -       struct fw_card_driver dummy_driver = dummy_driver_template;
26142 +       fw_card_driver_no_const dummy_driver = dummy_driver_template;
26143  
26144         card->driver->update_phy_reg(card, 4,
26145                                      PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
26146 diff -urNp linux-3.1.1/drivers/firewire/core-cdev.c linux-3.1.1/drivers/firewire/core-cdev.c
26147 --- linux-3.1.1/drivers/firewire/core-cdev.c    2011-11-11 15:19:27.000000000 -0500
26148 +++ linux-3.1.1/drivers/firewire/core-cdev.c    2011-11-16 18:39:07.000000000 -0500
26149 @@ -1331,8 +1331,7 @@ static int init_iso_resource(struct clie
26150         int ret;
26151  
26152         if ((request->channels == 0 && request->bandwidth == 0) ||
26153 -           request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
26154 -           request->bandwidth < 0)
26155 +           request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
26156                 return -EINVAL;
26157  
26158         r  = kmalloc(sizeof(*r), GFP_KERNEL);
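Review bot: Dropping `request->bandwidth < 0` is only a no-op if `request->bandwidth` is unsigned, which the hunk does not show; if it is, the removed test was dead code, and if it is not, the lower bound is gone. A short comment on the remaining condition, such as `/* bandwidth is unsigned; only the upper bound needs checking */`, would settle it for the next reader. init_iso_resource() begins outside the hunk.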
26159 diff -urNp linux-3.1.1/drivers/firewire/core.h linux-3.1.1/drivers/firewire/core.h
26160 --- linux-3.1.1/drivers/firewire/core.h 2011-11-11 15:19:27.000000000 -0500
26161 +++ linux-3.1.1/drivers/firewire/core.h 2011-11-16 18:39:07.000000000 -0500
26162 @@ -101,6 +101,7 @@ struct fw_card_driver {
26163  
26164         int (*stop_iso)(struct fw_iso_context *ctx);
26165  };
26166 +typedef struct fw_card_driver __no_const fw_card_driver_no_const;
26167  
26168  void fw_card_initialize(struct fw_card *card,
26169                 const struct fw_card_driver *driver, struct device *device);
26170 diff -urNp linux-3.1.1/drivers/firewire/core-transaction.c linux-3.1.1/drivers/firewire/core-transaction.c
26171 --- linux-3.1.1/drivers/firewire/core-transaction.c     2011-11-11 15:19:27.000000000 -0500
26172 +++ linux-3.1.1/drivers/firewire/core-transaction.c     2011-11-16 18:40:10.000000000 -0500
26173 @@ -37,6 +37,7 @@
26174  #include <linux/timer.h>
26175  #include <linux/types.h>
26176  #include <linux/workqueue.h>
26177 +#include <linux/sched.h>
26178  
26179  #include <asm/byteorder.h>
26180  
26181 @@ -422,6 +423,8 @@ int fw_run_transaction(struct fw_card *c
26182         struct transaction_callback_data d;
26183         struct fw_transaction t;
26184  
26185 +       pax_track_stack();
26186 +
26187         init_timer_on_stack(&t.split_timeout_timer);
26188         init_completion(&d.done);
26189         d.payload = payload;
26190 diff -urNp linux-3.1.1/drivers/firmware/dmi_scan.c linux-3.1.1/drivers/firmware/dmi_scan.c
26191 --- linux-3.1.1/drivers/firmware/dmi_scan.c     2011-11-11 15:19:27.000000000 -0500
26192 +++ linux-3.1.1/drivers/firmware/dmi_scan.c     2011-11-16 18:39:07.000000000 -0500
26193 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
26194                 }
26195         }
26196         else {
26197 -               /*
26198 -                * no iounmap() for that ioremap(); it would be a no-op, but
26199 -                * it's so early in setup that sucker gets confused into doing
26200 -                * what it shouldn't if we actually call it.
26201 -                */
26202                 p = dmi_ioremap(0xF0000, 0x10000);
26203                 if (p == NULL)
26204                         goto error;
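Review bot: The five removed lines are a comment only; the `dmi_ioremap(0xF0000, 0x10000)` call they explained is still there and the hunk adds no matching `dmi_iounmap()`, so the reason this mapping is deliberately never unmapped is lost. Unless the rest of the commit adds the unmap outside this hunk, the explanation should stay, e.g. `/* no iounmap() for this ioremap(): it would be a no-op this early in setup and confuses the mapping code if called */`. dmi_scan_machine starts before the hunk and continues after it.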
26205 @@ -725,7 +720,7 @@ int dmi_walk(void (*decode)(const struct
26206         if (buf == NULL)
26207                 return -1;
26208  
26209 -       dmi_table(buf, dmi_len, dmi_num, decode, private_data);
26210 +       dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
26211  
26212         iounmap(buf);
26213         return 0;
26214 diff -urNp linux-3.1.1/drivers/gpio/gpio-vr41xx.c linux-3.1.1/drivers/gpio/gpio-vr41xx.c
26215 --- linux-3.1.1/drivers/gpio/gpio-vr41xx.c      2011-11-11 15:19:27.000000000 -0500
26216 +++ linux-3.1.1/drivers/gpio/gpio-vr41xx.c      2011-11-16 18:39:07.000000000 -0500
26217 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
26218         printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
26219                maskl, pendl, maskh, pendh);
26220  
26221 -       atomic_inc(&irq_err_count);
26222 +       atomic_inc_unchecked(&irq_err_count);
26223  
26224         return -EINVAL;
26225  }
26226 diff -urNp linux-3.1.1/drivers/gpu/drm/drm_crtc.c linux-3.1.1/drivers/gpu/drm/drm_crtc.c
26227 --- linux-3.1.1/drivers/gpu/drm/drm_crtc.c      2011-11-11 15:19:27.000000000 -0500
26228 +++ linux-3.1.1/drivers/gpu/drm/drm_crtc.c      2011-11-16 18:39:07.000000000 -0500
26229 @@ -1374,7 +1374,7 @@ int drm_mode_getconnector(struct drm_dev
26230          */
26231         if ((out_resp->count_modes >= mode_count) && mode_count) {
26232                 copied = 0;
26233 -               mode_ptr = (struct drm_mode_modeinfo *)(unsigned long)out_resp->modes_ptr;
26234 +               mode_ptr = (struct drm_mode_modeinfo __user *)(unsigned long)out_resp->modes_ptr;
26235                 list_for_each_entry(mode, &connector->modes, head) {
26236                         drm_crtc_convert_to_umode(&u_mode, mode);
26237                         if (copy_to_user(mode_ptr + copied,
26238 @@ -1389,8 +1389,8 @@ int drm_mode_getconnector(struct drm_dev
26239  
26240         if ((out_resp->count_props >= props_count) && props_count) {
26241                 copied = 0;
26242 -               prop_ptr = (uint32_t *)(unsigned long)(out_resp->props_ptr);
26243 -               prop_values = (uint64_t *)(unsigned long)(out_resp->prop_values_ptr);
26244 +               prop_ptr = (uint32_t __user *)(unsigned long)(out_resp->props_ptr);
26245 +               prop_values = (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr);
26246                 for (i = 0; i < DRM_CONNECTOR_MAX_PROPERTY; i++) {
26247                         if (connector->property_ids[i] != 0) {
26248                                 if (put_user(connector->property_ids[i],
26249 @@ -1412,7 +1412,7 @@ int drm_mode_getconnector(struct drm_dev
26250  
26251         if ((out_resp->count_encoders >= encoders_count) && encoders_count) {
26252                 copied = 0;
26253 -               encoder_ptr = (uint32_t *)(unsigned long)(out_resp->encoders_ptr);
26254 +               encoder_ptr = (uint32_t __user *)(unsigned long)(out_resp->encoders_ptr);
26255                 for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++) {
26256                         if (connector->encoder_ids[i] != 0) {
26257                                 if (put_user(connector->encoder_ids[i],
26258 @@ -1571,7 +1571,7 @@ int drm_mode_setcrtc(struct drm_device *
26259                 }
26260  
26261                 for (i = 0; i < crtc_req->count_connectors; i++) {
26262 -                       set_connectors_ptr = (uint32_t *)(unsigned long)crtc_req->set_connectors_ptr;
26263 +                       set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
26264                         if (get_user(out_id, &set_connectors_ptr[i])) {
26265                                 ret = -EFAULT;
26266                                 goto out;
26267 @@ -1852,7 +1852,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_de
26268         fb = obj_to_fb(obj);
26269  
26270         num_clips = r->num_clips;
26271 -       clips_ptr = (struct drm_clip_rect *)(unsigned long)r->clips_ptr;
26272 +       clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
26273  
26274         if (!num_clips != !clips_ptr) {
26275                 ret = -EINVAL;
26276 @@ -2272,7 +2272,7 @@ int drm_mode_getproperty_ioctl(struct dr
26277         out_resp->flags = property->flags;
26278  
26279         if ((out_resp->count_values >= value_count) && value_count) {
26280 -               values_ptr = (uint64_t *)(unsigned long)out_resp->values_ptr;
26281 +               values_ptr = (uint64_t __user *)(unsigned long)out_resp->values_ptr;
26282                 for (i = 0; i < value_count; i++) {
26283                         if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
26284                                 ret = -EFAULT;
26285 @@ -2285,7 +2285,7 @@ int drm_mode_getproperty_ioctl(struct dr
26286         if (property->flags & DRM_MODE_PROP_ENUM) {
26287                 if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
26288                         copied = 0;
26289 -                       enum_ptr = (struct drm_mode_property_enum *)(unsigned long)out_resp->enum_blob_ptr;
26290 +                       enum_ptr = (struct drm_mode_property_enum __user *)(unsigned long)out_resp->enum_blob_ptr;
26291                         list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
26292  
26293                                 if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
26294 @@ -2308,7 +2308,7 @@ int drm_mode_getproperty_ioctl(struct dr
26295                 if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
26296                         copied = 0;
26297                         blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
26298 -                       blob_length_ptr = (uint32_t *)(unsigned long)out_resp->values_ptr;
26299 +                       blob_length_ptr = (uint32_t __user *)(unsigned long)out_resp->values_ptr;
26300  
26301                         list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
26302                                 if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
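Review bot: In the `@@ -2308` hunk `blob_length_ptr` gains the `__user` annotation, but the context line just above it, `blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;`, is left untagged although it is handed to `put_user()` two lines later; it should read `blob_id_ptr = (uint32_t __user *)(unsigned long)out_resp->enum_blob_ptr;` for consistency with the other hunks in this file. `__user` is a sparse address-space marker and does not change generated code; the copy_to_user/put_user calls remain the actual boundary checks, so the annotation's value is catching a future raw dereference at static-analysis time. drm_mode_getproperty_ioctl starts before this hunk and continues after it.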
26303 @@ -2369,7 +2369,7 @@ int drm_mode_getblob_ioctl(struct drm_de
26304         struct drm_mode_get_blob *out_resp = data;
26305         struct drm_property_blob *blob;
26306         int ret = 0;
26307 -       void *blob_ptr;
26308 +       void __user *blob_ptr;
26309  
26310         if (!drm_core_check_feature(dev, DRIVER_MODESET))
26311                 return -EINVAL;
26312 @@ -2383,7 +2383,7 @@ int drm_mode_getblob_ioctl(struct drm_de
26313         blob = obj_to_blob(obj);
26314  
26315         if (out_resp->length == blob->length) {
26316 -               blob_ptr = (void *)(unsigned long)out_resp->data;
26317 +               blob_ptr = (void __user *)(unsigned long)out_resp->data;
26318                 if (copy_to_user(blob_ptr, blob->data, blob->length)){
26319                         ret = -EFAULT;
26320                         goto done;
26321 diff -urNp linux-3.1.1/drivers/gpu/drm/drm_crtc_helper.c linux-3.1.1/drivers/gpu/drm/drm_crtc_helper.c
26322 --- linux-3.1.1/drivers/gpu/drm/drm_crtc_helper.c       2011-11-11 15:19:27.000000000 -0500
26323 +++ linux-3.1.1/drivers/gpu/drm/drm_crtc_helper.c       2011-11-16 18:40:10.000000000 -0500
26324 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
26325         struct drm_crtc *tmp;
26326         int crtc_mask = 1;
26327  
26328 -       WARN(!crtc, "checking null crtc?\n");
26329 +       BUG_ON(!crtc);
26330  
26331         dev = crtc->dev;
26332  
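Review bot: Replacing `WARN(!crtc, ...)` with `BUG_ON(!crtc)` turns a NULL `crtc` from a warning followed by an unavoidable oops on `crtc->dev` into an explicit kernel BUG; either way the caller never gets a return value. Since `drm_encoder_crtc_ok` returns a bool, a recoverable form such as `if (WARN_ON(!crtc)) return false;` keeps the diagnostic and lets the modeset path fail instead of killing the task, unless the intent here is specifically to make the invariant violation fatal. The function continues outside the hunk.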
26333 @@ -343,6 +343,8 @@ bool drm_crtc_helper_set_mode(struct drm
26334         struct drm_encoder *encoder;
26335         bool ret = true;
26336  
26337 +       pax_track_stack();
26338 +
26339         crtc->enabled = drm_helper_crtc_in_use(crtc);
26340         if (!crtc->enabled)
26341                 return true;
26342 diff -urNp linux-3.1.1/drivers/gpu/drm/drm_drv.c linux-3.1.1/drivers/gpu/drm/drm_drv.c
26343 --- linux-3.1.1/drivers/gpu/drm/drm_drv.c       2011-11-11 15:19:27.000000000 -0500
26344 +++ linux-3.1.1/drivers/gpu/drm/drm_drv.c       2011-11-16 18:39:07.000000000 -0500
26345 @@ -307,7 +307,7 @@ module_exit(drm_core_exit);
26346  /**
26347   * Copy and IOCTL return string to user space
26348   */
26349 -static int drm_copy_field(char *buf, size_t *buf_len, const char *value)
26350 +static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
26351  {
26352         int len;
26353  
26354 @@ -386,7 +386,7 @@ long drm_ioctl(struct file *filp,
26355  
26356         dev = file_priv->minor->dev;
26357         atomic_inc(&dev->ioctl_count);
26358 -       atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
26359 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
26360         ++file_priv->ioctl_count;
26361  
26362         DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
26363 diff -urNp linux-3.1.1/drivers/gpu/drm/drm_fops.c linux-3.1.1/drivers/gpu/drm/drm_fops.c
26364 --- linux-3.1.1/drivers/gpu/drm/drm_fops.c      2011-11-11 15:19:27.000000000 -0500
26365 +++ linux-3.1.1/drivers/gpu/drm/drm_fops.c      2011-11-16 18:39:07.000000000 -0500
26366 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
26367         }
26368  
26369         for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
26370 -               atomic_set(&dev->counts[i], 0);
26371 +               atomic_set_unchecked(&dev->counts[i], 0);
26372  
26373         dev->sigdata.lock = NULL;
26374  
26375 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
26376  
26377         retcode = drm_open_helper(inode, filp, dev);
26378         if (!retcode) {
26379 -               atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
26380 -               if (!dev->open_count++)
26381 +               atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
26382 +               if (local_inc_return(&dev->open_count) == 1)
26383                         retcode = drm_setup(dev);
26384         }
26385         if (!retcode) {
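Review bot: `dev->open_count` is turned into a `local_t` here (`local_inc_return`), in the `@@ -565` hunk of drm_release (`local_dec_and_test`), in the two DRM_DEBUG hunks and in i915_switcheroo_can_switch in i915_dma.c (`local_read`), but `local_t` is documented as atomic only with respect to the same CPU and is intended for per-CPU data, whereas `open_count` is a single field shared by every opener of the device. The counter is therefore only correct if every access is already serialized by a lock: drm_release holds `drm_global_mutex`, i915_switcheroo_can_switch holds `dev->count_lock`, and drm_open's locking is outside this hunk. If an external lock does cover all sites, a comment on the field naming that lock would make it explicit; if not, `atomic_t` with `atomic_inc_return`/`atomic_dec_and_test` is the type that gives the cross-CPU guarantee this code appears to rely on. drm_open starts before this hunk and continues after it.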
26386 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
26387  
26388         mutex_lock(&drm_global_mutex);
26389  
26390 -       DRM_DEBUG("open_count = %d\n", dev->open_count);
26391 +       DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
26392  
26393         if (dev->driver->preclose)
26394                 dev->driver->preclose(dev, file_priv);
26395 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
26396         DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
26397                   task_pid_nr(current),
26398                   (long)old_encode_dev(file_priv->minor->device),
26399 -                 dev->open_count);
26400 +                 local_read(&dev->open_count));
26401  
26402         /* if the master has gone away we can't do anything with the lock */
26403         if (file_priv->minor->master)
26404 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
26405          * End inline drm_release
26406          */
26407  
26408 -       atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
26409 -       if (!--dev->open_count) {
26410 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
26411 +       if (local_dec_and_test(&dev->open_count)) {
26412                 if (atomic_read(&dev->ioctl_count)) {
26413                         DRM_ERROR("Device busy: %d\n",
26414                                   atomic_read(&dev->ioctl_count));
26415 diff -urNp linux-3.1.1/drivers/gpu/drm/drm_global.c linux-3.1.1/drivers/gpu/drm/drm_global.c
26416 --- linux-3.1.1/drivers/gpu/drm/drm_global.c    2011-11-11 15:19:27.000000000 -0500
26417 +++ linux-3.1.1/drivers/gpu/drm/drm_global.c    2011-11-16 18:39:07.000000000 -0500
26418 @@ -36,7 +36,7 @@
26419  struct drm_global_item {
26420         struct mutex mutex;
26421         void *object;
26422 -       int refcount;
26423 +       atomic_t refcount;
26424  };
26425  
26426  static struct drm_global_item glob[DRM_GLOBAL_NUM];
26427 @@ -49,7 +49,7 @@ void drm_global_init(void)
26428                 struct drm_global_item *item = &glob[i];
26429                 mutex_init(&item->mutex);
26430                 item->object = NULL;
26431 -               item->refcount = 0;
26432 +               atomic_set(&item->refcount, 0);
26433         }
26434  }
26435  
26436 @@ -59,7 +59,7 @@ void drm_global_release(void)
26437         for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
26438                 struct drm_global_item *item = &glob[i];
26439                 BUG_ON(item->object != NULL);
26440 -               BUG_ON(item->refcount != 0);
26441 +               BUG_ON(atomic_read(&item->refcount) != 0);
26442         }
26443  }
26444  
26445 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
26446         void *object;
26447  
26448         mutex_lock(&item->mutex);
26449 -       if (item->refcount == 0) {
26450 +       if (atomic_read(&item->refcount) == 0) {
26451                 item->object = kzalloc(ref->size, GFP_KERNEL);
26452                 if (unlikely(item->object == NULL)) {
26453                         ret = -ENOMEM;
26454 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
26455                         goto out_err;
26456  
26457         }
26458 -       ++item->refcount;
26459 +       atomic_inc(&item->refcount);
26460         ref->object = item->object;
26461         object = item->object;
26462         mutex_unlock(&item->mutex);
26463 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
26464         struct drm_global_item *item = &glob[ref->global_type];
26465  
26466         mutex_lock(&item->mutex);
26467 -       BUG_ON(item->refcount == 0);
26468 +       BUG_ON(atomic_read(&item->refcount) == 0);
26469         BUG_ON(ref->object != item->object);
26470 -       if (--item->refcount == 0) {
26471 +       if (atomic_dec_and_test(&item->refcount)) {
26472                 ref->release(ref);
26473                 item->object = NULL;
26474         }
26475 diff -urNp linux-3.1.1/drivers/gpu/drm/drm_info.c linux-3.1.1/drivers/gpu/drm/drm_info.c
26476 --- linux-3.1.1/drivers/gpu/drm/drm_info.c      2011-11-11 15:19:27.000000000 -0500
26477 +++ linux-3.1.1/drivers/gpu/drm/drm_info.c      2011-11-16 18:40:10.000000000 -0500
26478 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
26479         struct drm_local_map *map;
26480         struct drm_map_list *r_list;
26481  
26482 -       /* Hardcoded from _DRM_FRAME_BUFFER,
26483 -          _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
26484 -          _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
26485 -       const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
26486 +       static const char * const types[] = {
26487 +               [_DRM_FRAME_BUFFER] = "FB",
26488 +               [_DRM_REGISTERS] = "REG",
26489 +               [_DRM_SHM] = "SHM",
26490 +               [_DRM_AGP] = "AGP",
26491 +               [_DRM_SCATTER_GATHER] = "SG",
26492 +               [_DRM_CONSISTENT] = "PCI",
26493 +               [_DRM_GEM] = "GEM" };
26494         const char *type;
26495         int i;
26496  
26497 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
26498                 map = r_list->map;
26499                 if (!map)
26500                         continue;
26501 -               if (map->type < 0 || map->type > 5)
26502 +               if (map->type >= ARRAY_SIZE(types))
26503                         type = "??";
26504                 else
26505                         type = types[map->type];
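Review bot: The new bounds check `map->type >= ARRAY_SIZE(types)` covers the upper end, but `types[]` is now built with designated initializers, so any index that falls inside the array without a matching `[_DRM_*]` entry yields a NULL that is passed on as `type` to the print below the hunk (not visible here). The enum values used today are contiguous, so no slot is empty, but one extra test keeps the `"??"` fallback robust against a future gap: `if (map->type >= ARRAY_SIZE(types) || !types[map->type])`. The comparison of `map->type` with a `size_t` promotes a negative enum value to a large unsigned, so the dropped `< 0` test is still covered. drm_vm_info starts before this hunk and continues after it.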
26506 @@ -290,7 +294,11 @@ int drm_vma_info(struct seq_file *m, voi
26507                            vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
26508                            vma->vm_flags & VM_LOCKED ? 'l' : '-',
26509                            vma->vm_flags & VM_IO ? 'i' : '-',
26510 +#ifdef CONFIG_GRKERNSEC_HIDESYM
26511 +                          0);
26512 +#else
26513                            vma->vm_pgoff);
26514 +#endif
26515  
26516  #if defined(__i386__)
26517                 pgprot = pgprot_val(vma->vm_page_prot);
26518 diff -urNp linux-3.1.1/drivers/gpu/drm/drm_ioc32.c linux-3.1.1/drivers/gpu/drm/drm_ioc32.c
26519 --- linux-3.1.1/drivers/gpu/drm/drm_ioc32.c     2011-11-11 15:19:27.000000000 -0500
26520 +++ linux-3.1.1/drivers/gpu/drm/drm_ioc32.c     2011-11-16 18:39:07.000000000 -0500
26521 @@ -455,7 +455,7 @@ static int compat_drm_infobufs(struct fi
26522         request = compat_alloc_user_space(nbytes);
26523         if (!access_ok(VERIFY_WRITE, request, nbytes))
26524                 return -EFAULT;
26525 -       list = (struct drm_buf_desc *) (request + 1);
26526 +       list = (struct drm_buf_desc __user *) (request + 1);
26527  
26528         if (__put_user(count, &request->count)
26529             || __put_user(list, &request->list))
26530 @@ -516,7 +516,7 @@ static int compat_drm_mapbufs(struct fil
26531         request = compat_alloc_user_space(nbytes);
26532         if (!access_ok(VERIFY_WRITE, request, nbytes))
26533                 return -EFAULT;
26534 -       list = (struct drm_buf_pub *) (request + 1);
26535 +       list = (struct drm_buf_pub __user *) (request + 1);
26536  
26537         if (__put_user(count, &request->count)
26538             || __put_user(list, &request->list))
26539 diff -urNp linux-3.1.1/drivers/gpu/drm/drm_ioctl.c linux-3.1.1/drivers/gpu/drm/drm_ioctl.c
26540 --- linux-3.1.1/drivers/gpu/drm/drm_ioctl.c     2011-11-11 15:19:27.000000000 -0500
26541 +++ linux-3.1.1/drivers/gpu/drm/drm_ioctl.c     2011-11-16 18:39:07.000000000 -0500
26542 @@ -256,7 +256,7 @@ int drm_getstats(struct drm_device *dev,
26543                         stats->data[i].value =
26544                             (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
26545                 else
26546 -                       stats->data[i].value = atomic_read(&dev->counts[i]);
26547 +                       stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
26548                 stats->data[i].type = dev->types[i];
26549         }
26550  
26551 diff -urNp linux-3.1.1/drivers/gpu/drm/drm_lock.c linux-3.1.1/drivers/gpu/drm/drm_lock.c
26552 --- linux-3.1.1/drivers/gpu/drm/drm_lock.c      2011-11-11 15:19:27.000000000 -0500
26553 +++ linux-3.1.1/drivers/gpu/drm/drm_lock.c      2011-11-16 18:39:07.000000000 -0500
26554 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
26555                 if (drm_lock_take(&master->lock, lock->context)) {
26556                         master->lock.file_priv = file_priv;
26557                         master->lock.lock_time = jiffies;
26558 -                       atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
26559 +                       atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
26560                         break;  /* Got lock */
26561                 }
26562  
26563 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
26564                 return -EINVAL;
26565         }
26566  
26567 -       atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
26568 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
26569  
26570         if (drm_lock_free(&master->lock, lock->context)) {
26571                 /* FIXME: Should really bail out here. */
26572 diff -urNp linux-3.1.1/drivers/gpu/drm/i810/i810_dma.c linux-3.1.1/drivers/gpu/drm/i810/i810_dma.c
26573 --- linux-3.1.1/drivers/gpu/drm/i810/i810_dma.c 2011-11-11 15:19:27.000000000 -0500
26574 +++ linux-3.1.1/drivers/gpu/drm/i810/i810_dma.c 2011-11-16 18:39:07.000000000 -0500
26575 @@ -950,8 +950,8 @@ static int i810_dma_vertex(struct drm_de
26576                                  dma->buflist[vertex->idx],
26577                                  vertex->discard, vertex->used);
26578  
26579 -       atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
26580 -       atomic_inc(&dev->counts[_DRM_STAT_DMA]);
26581 +       atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
26582 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
26583         sarea_priv->last_enqueue = dev_priv->counter - 1;
26584         sarea_priv->last_dispatch = (int)hw_status[5];
26585  
26586 @@ -1111,8 +1111,8 @@ static int i810_dma_mc(struct drm_device
26587         i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
26588                              mc->last_render);
26589  
26590 -       atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
26591 -       atomic_inc(&dev->counts[_DRM_STAT_DMA]);
26592 +       atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
26593 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
26594         sarea_priv->last_enqueue = dev_priv->counter - 1;
26595         sarea_priv->last_dispatch = (int)hw_status[5];
26596  
26597 diff -urNp linux-3.1.1/drivers/gpu/drm/i810/i810_drv.h linux-3.1.1/drivers/gpu/drm/i810/i810_drv.h
26598 --- linux-3.1.1/drivers/gpu/drm/i810/i810_drv.h 2011-11-11 15:19:27.000000000 -0500
26599 +++ linux-3.1.1/drivers/gpu/drm/i810/i810_drv.h 2011-11-16 18:39:07.000000000 -0500
26600 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
26601         int page_flipping;
26602  
26603         wait_queue_head_t irq_queue;
26604 -       atomic_t irq_received;
26605 -       atomic_t irq_emitted;
26606 +       atomic_unchecked_t irq_received;
26607 +       atomic_unchecked_t irq_emitted;
26608  
26609         int front_offset;
26610  } drm_i810_private_t;
26611 diff -urNp linux-3.1.1/drivers/gpu/drm/i915/i915_debugfs.c linux-3.1.1/drivers/gpu/drm/i915/i915_debugfs.c
26612 --- linux-3.1.1/drivers/gpu/drm/i915/i915_debugfs.c     2011-11-11 15:19:27.000000000 -0500
26613 +++ linux-3.1.1/drivers/gpu/drm/i915/i915_debugfs.c     2011-11-16 18:39:07.000000000 -0500
26614 @@ -497,7 +497,7 @@ static int i915_interrupt_info(struct se
26615                            I915_READ(GTIMR));
26616         }
26617         seq_printf(m, "Interrupts received: %d\n",
26618 -                  atomic_read(&dev_priv->irq_received));
26619 +                  atomic_read_unchecked(&dev_priv->irq_received));
26620         for (i = 0; i < I915_NUM_RINGS; i++) {
26621                 if (IS_GEN6(dev) || IS_GEN7(dev)) {
26622                         seq_printf(m, "Graphics Interrupt mask (%s):    %08x\n",
26623 @@ -1185,7 +1185,7 @@ static int i915_opregion(struct seq_file
26624                 return ret;
26625  
26626         if (opregion->header)
26627 -               seq_write(m, opregion->header, OPREGION_SIZE);
26628 +               seq_write(m, (const void __force_kernel *)opregion->header, OPREGION_SIZE);
26629  
26630         mutex_unlock(&dev->struct_mutex);
26631  
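Review bot: The `(const void __force_kernel *)` cast on `opregion->header` only tells sparse to accept the pointer in the kernel address space; it does not change what `seq_write()` does with it. If `opregion->header` is an `__iomem` mapping (the need for a forced cast suggests so, but the declaration is not in this hunk), the copy underneath `seq_write()` still reads I/O memory with a plain memcpy rather than `memcpy_fromio()`, which is presumably what the sparse warning was pointing at; silencing it deserves either a comment such as `/* __force_kernel: opregion is ioremapped but memcpy-readable on this platform */` or a `memcpy_fromio()` into a bounce buffer before `seq_write()`. i915_opregion starts before the hunk and continues after it.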
26632 diff -urNp linux-3.1.1/drivers/gpu/drm/i915/i915_dma.c linux-3.1.1/drivers/gpu/drm/i915/i915_dma.c
26633 --- linux-3.1.1/drivers/gpu/drm/i915/i915_dma.c 2011-11-11 15:19:27.000000000 -0500
26634 +++ linux-3.1.1/drivers/gpu/drm/i915/i915_dma.c 2011-11-16 18:39:07.000000000 -0500
26635 @@ -1171,7 +1171,7 @@ static bool i915_switcheroo_can_switch(s
26636         bool can_switch;
26637  
26638         spin_lock(&dev->count_lock);
26639 -       can_switch = (dev->open_count == 0);
26640 +       can_switch = (local_read(&dev->open_count) == 0);
26641         spin_unlock(&dev->count_lock);
26642         return can_switch;
26643  }
26644 diff -urNp linux-3.1.1/drivers/gpu/drm/i915/i915_drv.h linux-3.1.1/drivers/gpu/drm/i915/i915_drv.h
26645 --- linux-3.1.1/drivers/gpu/drm/i915/i915_drv.h 2011-11-11 15:19:27.000000000 -0500
26646 +++ linux-3.1.1/drivers/gpu/drm/i915/i915_drv.h 2011-11-16 18:39:07.000000000 -0500
26647 @@ -222,7 +222,7 @@ struct drm_i915_display_funcs {
26648         /* render clock increase/decrease */
26649         /* display clock increase/decrease */
26650         /* pll clock increase/decrease */
26651 -};
26652 +} __no_const;
26653  
26654  struct intel_device_info {
26655         u8 gen;
26656 @@ -305,7 +305,7 @@ typedef struct drm_i915_private {
26657         int current_page;
26658         int page_flipping;
26659  
26660 -       atomic_t irq_received;
26661 +       atomic_unchecked_t irq_received;
26662  
26663         /* protects the irq masks */
26664         spinlock_t irq_lock;
26665 @@ -882,7 +882,7 @@ struct drm_i915_gem_object {
26666          * will be page flipped away on the next vblank.  When it
26667          * reaches 0, dev_priv->pending_flip_queue will be woken up.
26668          */
26669 -       atomic_t pending_flip;
26670 +       atomic_unchecked_t pending_flip;
26671  };
26672  
26673  #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
26674 @@ -1262,7 +1262,7 @@ extern int intel_setup_gmbus(struct drm_
26675  extern void intel_teardown_gmbus(struct drm_device *dev);
26676  extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
26677  extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
26678 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
26679 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
26680  {
26681         return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
26682  }
26683 diff -urNp linux-3.1.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-3.1.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c
26684 --- linux-3.1.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c      2011-11-11 15:19:27.000000000 -0500
26685 +++ linux-3.1.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c      2011-11-16 18:39:07.000000000 -0500
26686 @@ -188,7 +188,7 @@ i915_gem_object_set_to_gpu_domain(struct
26687                 i915_gem_clflush_object(obj);
26688  
26689         if (obj->base.pending_write_domain)
26690 -               cd->flips |= atomic_read(&obj->pending_flip);
26691 +               cd->flips |= atomic_read_unchecked(&obj->pending_flip);
26692  
26693         /* The actual obj->write_domain will be updated with
26694          * pending_write_domain after we emit the accumulated flush for all
26695 diff -urNp linux-3.1.1/drivers/gpu/drm/i915/i915_irq.c linux-3.1.1/drivers/gpu/drm/i915/i915_irq.c
26696 --- linux-3.1.1/drivers/gpu/drm/i915/i915_irq.c 2011-11-11 15:19:27.000000000 -0500
26697 +++ linux-3.1.1/drivers/gpu/drm/i915/i915_irq.c 2011-11-16 18:39:07.000000000 -0500
26698 @@ -475,7 +475,7 @@ static irqreturn_t ivybridge_irq_handler
26699         u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir;
26700         struct drm_i915_master_private *master_priv;
26701  
26702 -       atomic_inc(&dev_priv->irq_received);
26703 +       atomic_inc_unchecked(&dev_priv->irq_received);
26704  
26705         /* disable master interrupt before clearing iir  */
26706         de_ier = I915_READ(DEIER);
26707 @@ -565,7 +565,7 @@ static irqreturn_t ironlake_irq_handler(
26708         struct drm_i915_master_private *master_priv;
26709         u32 bsd_usr_interrupt = GT_BSD_USER_INTERRUPT;
26710  
26711 -       atomic_inc(&dev_priv->irq_received);
26712 +       atomic_inc_unchecked(&dev_priv->irq_received);
26713  
26714         if (IS_GEN6(dev))
26715                 bsd_usr_interrupt = GT_GEN6_BSD_USER_INTERRUPT;
26716 @@ -1228,7 +1228,7 @@ static irqreturn_t i915_driver_irq_handl
26717         int ret = IRQ_NONE, pipe;
26718         bool blc_event = false;
26719  
26720 -       atomic_inc(&dev_priv->irq_received);
26721 +       atomic_inc_unchecked(&dev_priv->irq_received);
26722  
26723         iir = I915_READ(IIR);
26724  
26725 @@ -1740,7 +1740,7 @@ static void ironlake_irq_preinstall(stru
26726  {
26727         drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
26728  
26729 -       atomic_set(&dev_priv->irq_received, 0);
26730 +       atomic_set_unchecked(&dev_priv->irq_received, 0);
26731  
26732         INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
26733         INIT_WORK(&dev_priv->error_work, i915_error_work_func);
26734 @@ -1904,7 +1904,7 @@ static void i915_driver_irq_preinstall(s
26735         drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
26736         int pipe;
26737  
26738 -       atomic_set(&dev_priv->irq_received, 0);
26739 +       atomic_set_unchecked(&dev_priv->irq_received, 0);
26740  
26741         INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
26742         INIT_WORK(&dev_priv->error_work, i915_error_work_func);
26743 diff -urNp linux-3.1.1/drivers/gpu/drm/i915/intel_display.c linux-3.1.1/drivers/gpu/drm/i915/intel_display.c
26744 --- linux-3.1.1/drivers/gpu/drm/i915/intel_display.c    2011-11-11 15:19:27.000000000 -0500
26745 +++ linux-3.1.1/drivers/gpu/drm/i915/intel_display.c    2011-11-16 18:39:07.000000000 -0500
26746 @@ -2205,7 +2205,7 @@ intel_pipe_set_base(struct drm_crtc *crt
26747  
26748                 wait_event(dev_priv->pending_flip_queue,
26749                            atomic_read(&dev_priv->mm.wedged) ||
26750 -                          atomic_read(&obj->pending_flip) == 0);
26751 +                          atomic_read_unchecked(&obj->pending_flip) == 0);
26752  
26753                 /* Big Hammer, we also need to ensure that any pending
26754                  * MI_WAIT_FOR_EVENT inside a user batch buffer on the
26755 @@ -2824,7 +2824,7 @@ static void intel_crtc_wait_for_pending_
26756         obj = to_intel_framebuffer(crtc->fb)->obj;
26757         dev_priv = crtc->dev->dev_private;
26758         wait_event(dev_priv->pending_flip_queue,
26759 -                  atomic_read(&obj->pending_flip) == 0);
26760 +                  atomic_read_unchecked(&obj->pending_flip) == 0);
26761  }
26762  
26763  static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
26764 @@ -6644,7 +6644,7 @@ static void do_intel_finish_page_flip(st
26765  
26766         atomic_clear_mask(1 << intel_crtc->plane,
26767                           &obj->pending_flip.counter);
26768 -       if (atomic_read(&obj->pending_flip) == 0)
26769 +       if (atomic_read_unchecked(&obj->pending_flip) == 0)
26770                 wake_up(&dev_priv->pending_flip_queue);
26771  
26772         schedule_work(&work->work);
26773 @@ -6933,7 +6933,7 @@ static int intel_crtc_page_flip(struct d
26774         /* Block clients from rendering to the new back buffer until
26775          * the flip occurs and the object is no longer visible.
26776          */
26777 -       atomic_add(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26778 +       atomic_add_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26779  
26780         ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
26781         if (ret)
26782 @@ -6947,7 +6947,7 @@ static int intel_crtc_page_flip(struct d
26783         return 0;
26784  
26785  cleanup_pending:
26786 -       atomic_sub(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26787 +       atomic_sub_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26788  cleanup_objs:
26789         drm_gem_object_unreference(&work->old_fb_obj->base);
26790         drm_gem_object_unreference(&obj->base);
26791 diff -urNp linux-3.1.1/drivers/gpu/drm/mga/mga_drv.h linux-3.1.1/drivers/gpu/drm/mga/mga_drv.h
26792 --- linux-3.1.1/drivers/gpu/drm/mga/mga_drv.h   2011-11-11 15:19:27.000000000 -0500
26793 +++ linux-3.1.1/drivers/gpu/drm/mga/mga_drv.h   2011-11-16 18:39:07.000000000 -0500
26794 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
26795         u32 clear_cmd;
26796         u32 maccess;
26797  
26798 -       atomic_t vbl_received;          /**< Number of vblanks received. */
26799 +       atomic_unchecked_t vbl_received;          /**< Number of vblanks received. */
26800         wait_queue_head_t fence_queue;
26801 -       atomic_t last_fence_retired;
26802 +       atomic_unchecked_t last_fence_retired;
26803         u32 next_fence_to_post;
26804  
26805         unsigned int fb_cpp;
26806 diff -urNp linux-3.1.1/drivers/gpu/drm/mga/mga_irq.c linux-3.1.1/drivers/gpu/drm/mga/mga_irq.c
26807 --- linux-3.1.1/drivers/gpu/drm/mga/mga_irq.c   2011-11-11 15:19:27.000000000 -0500
26808 +++ linux-3.1.1/drivers/gpu/drm/mga/mga_irq.c   2011-11-16 18:39:07.000000000 -0500
26809 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
26810         if (crtc != 0)
26811                 return 0;
26812  
26813 -       return atomic_read(&dev_priv->vbl_received);
26814 +       return atomic_read_unchecked(&dev_priv->vbl_received);
26815  }
26816  
26817  
26818 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
26819         /* VBLANK interrupt */
26820         if (status & MGA_VLINEPEN) {
26821                 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
26822 -               atomic_inc(&dev_priv->vbl_received);
26823 +               atomic_inc_unchecked(&dev_priv->vbl_received);
26824                 drm_handle_vblank(dev, 0);
26825                 handled = 1;
26826         }
26827 @@ -79,7 +79,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
26828                 if ((prim_start & ~0x03) != (prim_end & ~0x03))
26829                         MGA_WRITE(MGA_PRIMEND, prim_end);
26830  
26831 -               atomic_inc(&dev_priv->last_fence_retired);
26832 +               atomic_inc_unchecked(&dev_priv->last_fence_retired);
26833                 DRM_WAKEUP(&dev_priv->fence_queue);
26834                 handled = 1;
26835         }
26836 @@ -130,7 +130,7 @@ int mga_driver_fence_wait(struct drm_dev
26837          * using fences.
26838          */
26839         DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
26840 -                   (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
26841 +                   (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
26842                       - *sequence) <= (1 << 23)));
26843  
26844         *sequence = cur_fence;
26845 diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_bios.c linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_bios.c
26846 --- linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_bios.c  2011-11-11 15:19:27.000000000 -0500
26847 +++ linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_bios.c  2011-11-16 18:39:07.000000000 -0500
26848 @@ -201,7 +201,7 @@ struct methods {
26849         const char desc[8];
26850         void (*loadbios)(struct drm_device *, uint8_t *);
26851         const bool rw;
26852 -};
26853 +} __do_const;
26854  
26855  static struct methods shadow_methods[] = {
26856         { "PRAMIN", load_vbios_pramin, true },
26857 @@ -5489,7 +5489,7 @@ parse_bit_displayport_tbl_entry(struct d
26858  struct bit_table {
26859         const char id;
26860         int (* const parse_fn)(struct drm_device *, struct nvbios *, struct bit_entry *);
26861 -};
26862 +} __no_const;
26863  
26864  #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry })
26865  
26866 diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_drv.h linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_drv.h
26867 --- linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_drv.h   2011-11-11 15:19:27.000000000 -0500
26868 +++ linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_drv.h   2011-11-16 18:39:07.000000000 -0500
26869 @@ -238,7 +238,7 @@ struct nouveau_channel {
26870                 struct list_head pending;
26871                 uint32_t sequence;
26872                 uint32_t sequence_ack;
26873 -               atomic_t last_sequence_irq;
26874 +               atomic_unchecked_t last_sequence_irq;
26875                 struct nouveau_vma vma;
26876         } fence;
26877  
26878 @@ -319,7 +319,7 @@ struct nouveau_exec_engine {
26879                            u32 handle, u16 class);
26880         void (*set_tile_region)(struct drm_device *dev, int i);
26881         void (*tlb_flush)(struct drm_device *, int engine);
26882 -};
26883 +} __no_const;
26884  
26885  struct nouveau_instmem_engine {
26886         void    *priv;
26887 @@ -341,13 +341,13 @@ struct nouveau_instmem_engine {
26888  struct nouveau_mc_engine {
26889         int  (*init)(struct drm_device *dev);
26890         void (*takedown)(struct drm_device *dev);
26891 -};
26892 +} __no_const;
26893  
26894  struct nouveau_timer_engine {
26895         int      (*init)(struct drm_device *dev);
26896         void     (*takedown)(struct drm_device *dev);
26897         uint64_t (*read)(struct drm_device *dev);
26898 -};
26899 +} __no_const;
26900  
26901  struct nouveau_fb_engine {
26902         int num_tiles;
26903 @@ -513,7 +513,7 @@ struct nouveau_vram_engine {
26904         void (*put)(struct drm_device *, struct nouveau_mem **);
26905  
26906         bool (*flags_valid)(struct drm_device *, u32 tile_flags);
26907 -};
26908 +} __no_const;
26909  
26910  struct nouveau_engine {
26911         struct nouveau_instmem_engine instmem;
26912 @@ -660,7 +660,7 @@ struct drm_nouveau_private {
26913                 struct drm_global_reference mem_global_ref;
26914                 struct ttm_bo_global_ref bo_global_ref;
26915                 struct ttm_bo_device bdev;
26916 -               atomic_t validate_sequence;
26917 +               atomic_unchecked_t validate_sequence;
26918         } ttm;
26919  
26920         struct {
26921 diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_fence.c linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_fence.c
26922 --- linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-11-11 15:19:27.000000000 -0500
26923 +++ linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-11-16 18:39:07.000000000 -0500
26924 @@ -85,7 +85,7 @@ nouveau_fence_update(struct nouveau_chan
26925                 if (USE_REFCNT(dev))
26926                         sequence = nvchan_rd32(chan, 0x48);
26927                 else
26928 -                       sequence = atomic_read(&chan->fence.last_sequence_irq);
26929 +                       sequence = atomic_read_unchecked(&chan->fence.last_sequence_irq);
26930  
26931                 if (chan->fence.sequence_ack == sequence)
26932                         goto out;
26933 @@ -541,7 +541,7 @@ nouveau_fence_channel_init(struct nouvea
26934  
26935         INIT_LIST_HEAD(&chan->fence.pending);
26936         spin_lock_init(&chan->fence.lock);
26937 -       atomic_set(&chan->fence.last_sequence_irq, 0);
26938 +       atomic_set_unchecked(&chan->fence.last_sequence_irq, 0);
26939         return 0;
26940  }
26941  
26942 diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_gem.c linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_gem.c
26943 --- linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_gem.c   2011-11-11 15:19:27.000000000 -0500
26944 +++ linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_gem.c   2011-11-16 18:39:07.000000000 -0500
26945 @@ -314,7 +314,7 @@ validate_init(struct nouveau_channel *ch
26946         int trycnt = 0;
26947         int ret, i;
26948  
26949 -       sequence = atomic_add_return(1, &dev_priv->ttm.validate_sequence);
26950 +       sequence = atomic_add_return_unchecked(1, &dev_priv->ttm.validate_sequence);
26951  retry:
26952         if (++trycnt > 100000) {
26953                 NV_ERROR(dev, "%s failed and gave up.\n", __func__);
26954 diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_state.c linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_state.c
26955 --- linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_state.c 2011-11-11 15:19:27.000000000 -0500
26956 +++ linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_state.c 2011-11-16 18:39:07.000000000 -0500
26957 @@ -496,7 +496,7 @@ static bool nouveau_switcheroo_can_switc
26958         bool can_switch;
26959  
26960         spin_lock(&dev->count_lock);
26961 -       can_switch = (dev->open_count == 0);
26962 +       can_switch = (local_read(&dev->open_count) == 0);
26963         spin_unlock(&dev->count_lock);
26964         return can_switch;
26965  }
26966 diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nv04_graph.c linux-3.1.1/drivers/gpu/drm/nouveau/nv04_graph.c
26967 --- linux-3.1.1/drivers/gpu/drm/nouveau/nv04_graph.c    2011-11-11 15:19:27.000000000 -0500
26968 +++ linux-3.1.1/drivers/gpu/drm/nouveau/nv04_graph.c    2011-11-16 18:39:07.000000000 -0500
26969 @@ -554,7 +554,7 @@ static int
26970  nv04_graph_mthd_set_ref(struct nouveau_channel *chan,
26971                         u32 class, u32 mthd, u32 data)
26972  {
26973 -       atomic_set(&chan->fence.last_sequence_irq, data);
26974 +       atomic_set_unchecked(&chan->fence.last_sequence_irq, data);
26975         return 0;
26976  }
26977  
26978 diff -urNp linux-3.1.1/drivers/gpu/drm/r128/r128_cce.c linux-3.1.1/drivers/gpu/drm/r128/r128_cce.c
26979 --- linux-3.1.1/drivers/gpu/drm/r128/r128_cce.c 2011-11-11 15:19:27.000000000 -0500
26980 +++ linux-3.1.1/drivers/gpu/drm/r128/r128_cce.c 2011-11-16 18:39:07.000000000 -0500
26981 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
26982  
26983         /* GH: Simple idle check.
26984          */
26985 -       atomic_set(&dev_priv->idle_count, 0);
26986 +       atomic_set_unchecked(&dev_priv->idle_count, 0);
26987  
26988         /* We don't support anything other than bus-mastering ring mode,
26989          * but the ring can be in either AGP or PCI space for the ring
26990 diff -urNp linux-3.1.1/drivers/gpu/drm/r128/r128_drv.h linux-3.1.1/drivers/gpu/drm/r128/r128_drv.h
26991 --- linux-3.1.1/drivers/gpu/drm/r128/r128_drv.h 2011-11-11 15:19:27.000000000 -0500
26992 +++ linux-3.1.1/drivers/gpu/drm/r128/r128_drv.h 2011-11-16 18:39:07.000000000 -0500
26993 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
26994         int is_pci;
26995         unsigned long cce_buffers_offset;
26996  
26997 -       atomic_t idle_count;
26998 +       atomic_unchecked_t idle_count;
26999  
27000         int page_flipping;
27001         int current_page;
27002         u32 crtc_offset;
27003         u32 crtc_offset_cntl;
27004  
27005 -       atomic_t vbl_received;
27006 +       atomic_unchecked_t vbl_received;
27007  
27008         u32 color_fmt;
27009         unsigned int front_offset;
27010 diff -urNp linux-3.1.1/drivers/gpu/drm/r128/r128_irq.c linux-3.1.1/drivers/gpu/drm/r128/r128_irq.c
27011 --- linux-3.1.1/drivers/gpu/drm/r128/r128_irq.c 2011-11-11 15:19:27.000000000 -0500
27012 +++ linux-3.1.1/drivers/gpu/drm/r128/r128_irq.c 2011-11-16 18:39:07.000000000 -0500
27013 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
27014         if (crtc != 0)
27015                 return 0;
27016  
27017 -       return atomic_read(&dev_priv->vbl_received);
27018 +       return atomic_read_unchecked(&dev_priv->vbl_received);
27019  }
27020  
27021  irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
27022 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
27023         /* VBLANK interrupt */
27024         if (status & R128_CRTC_VBLANK_INT) {
27025                 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
27026 -               atomic_inc(&dev_priv->vbl_received);
27027 +               atomic_inc_unchecked(&dev_priv->vbl_received);
27028                 drm_handle_vblank(dev, 0);
27029                 return IRQ_HANDLED;
27030         }
27031 diff -urNp linux-3.1.1/drivers/gpu/drm/r128/r128_state.c linux-3.1.1/drivers/gpu/drm/r128/r128_state.c
27032 --- linux-3.1.1/drivers/gpu/drm/r128/r128_state.c       2011-11-11 15:19:27.000000000 -0500
27033 +++ linux-3.1.1/drivers/gpu/drm/r128/r128_state.c       2011-11-16 18:39:07.000000000 -0500
27034 @@ -321,10 +321,10 @@ static void r128_clear_box(drm_r128_priv
27035  
27036  static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
27037  {
27038 -       if (atomic_read(&dev_priv->idle_count) == 0)
27039 +       if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
27040                 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
27041         else
27042 -               atomic_set(&dev_priv->idle_count, 0);
27043 +               atomic_set_unchecked(&dev_priv->idle_count, 0);
27044  }
27045  
27046  #endif
27047 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/atom.c linux-3.1.1/drivers/gpu/drm/radeon/atom.c
27048 --- linux-3.1.1/drivers/gpu/drm/radeon/atom.c   2011-11-11 15:19:27.000000000 -0500
27049 +++ linux-3.1.1/drivers/gpu/drm/radeon/atom.c   2011-11-16 19:09:42.000000000 -0500
27050 @@ -1254,6 +1254,8 @@ struct atom_context *atom_parse(struct c
27051         char name[512];
27052         int i;
27053  
27054 +       pax_track_stack();
27055 +
27056         if (!ctx)
27057                 return NULL;
27058  
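Review bot: The inserted `pax_track_stack()` call carries no explanation; its placement directly after the `char name[512]` declaration suggests it is there because of that large stack buffer, but a reader of atom_parse() cannot tell that from the code. A one-line comment such as `pax_track_stack();	/* large frame (name[512]): account for the stack usage */` would carry the intent, assuming that is what the helper is for in this patch. The same applies to the identical insertions in the radeon_atombios.c and radeon_display.c hunks below. atom_parse() starts before and continues past this hunk.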
27059 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/mkregtable.c linux-3.1.1/drivers/gpu/drm/radeon/mkregtable.c
27060 --- linux-3.1.1/drivers/gpu/drm/radeon/mkregtable.c     2011-11-11 15:19:27.000000000 -0500
27061 +++ linux-3.1.1/drivers/gpu/drm/radeon/mkregtable.c     2011-11-16 18:39:07.000000000 -0500
27062 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t, 
27063         regex_t mask_rex;
27064         regmatch_t match[4];
27065         char buf[1024];
27066 -       size_t end;
27067 +       long end;
27068         int len;
27069         int done = 0;
27070         int r;
27071         unsigned o;
27072         struct offset *offset;
27073         char last_reg_s[10];
27074 -       int last_reg;
27075 +       unsigned long last_reg;
27076  
27077         if (regcomp
27078             (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
27079 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_atombios.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_atombios.c
27080 --- linux-3.1.1/drivers/gpu/drm/radeon/radeon_atombios.c        2011-11-11 15:19:27.000000000 -0500
27081 +++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_atombios.c        2011-11-16 18:40:10.000000000 -0500
27082 @@ -545,6 +545,8 @@ bool radeon_get_atom_connector_info_from
27083         struct radeon_gpio_rec gpio;
27084         struct radeon_hpd hpd;
27085  
27086 +       pax_track_stack();
27087 +
27088         if (!atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset))
27089                 return false;
27090  
27091 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_device.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_device.c
27092 --- linux-3.1.1/drivers/gpu/drm/radeon/radeon_device.c  2011-11-11 15:19:27.000000000 -0500
27093 +++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_device.c  2011-11-16 18:39:07.000000000 -0500
27094 @@ -684,7 +684,7 @@ static bool radeon_switcheroo_can_switch
27095         bool can_switch;
27096  
27097         spin_lock(&dev->count_lock);
27098 -       can_switch = (dev->open_count == 0);
27099 +       can_switch = (local_read(&dev->open_count) == 0);
27100         spin_unlock(&dev->count_lock);
27101         return can_switch;
27102  }
27103 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_display.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_display.c
27104 --- linux-3.1.1/drivers/gpu/drm/radeon/radeon_display.c 2011-11-11 15:19:27.000000000 -0500
27105 +++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_display.c 2011-11-16 18:40:10.000000000 -0500
27106 @@ -925,6 +925,8 @@ void radeon_compute_pll_legacy(struct ra
27107         uint32_t post_div;
27108         u32 pll_out_min, pll_out_max;
27109  
27110 +       pax_track_stack();
27111 +
27112         DRM_DEBUG_KMS("PLL freq %llu %u %u\n", freq, pll->min_ref_div, pll->max_ref_div);
27113         freq = freq * 1000;
27114  
27115 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_drv.h linux-3.1.1/drivers/gpu/drm/radeon/radeon_drv.h
27116 --- linux-3.1.1/drivers/gpu/drm/radeon/radeon_drv.h     2011-11-11 15:19:27.000000000 -0500
27117 +++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_drv.h     2011-11-16 18:39:07.000000000 -0500
27118 @@ -255,7 +255,7 @@ typedef struct drm_radeon_private {
27119  
27120         /* SW interrupt */
27121         wait_queue_head_t swi_queue;
27122 -       atomic_t swi_emitted;
27123 +       atomic_unchecked_t swi_emitted;
27124         int vblank_crtc;
27125         uint32_t irq_enable_reg;
27126         uint32_t r500_disp_irq_reg;
27127 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_fence.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_fence.c
27128 --- linux-3.1.1/drivers/gpu/drm/radeon/radeon_fence.c   2011-11-11 15:19:27.000000000 -0500
27129 +++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_fence.c   2011-11-16 18:39:07.000000000 -0500
27130 @@ -78,7 +78,7 @@ int radeon_fence_emit(struct radeon_devi
27131                 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
27132                 return 0;
27133         }
27134 -       fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
27135 +       fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
27136         if (!rdev->cp.ready)
27137                 /* FIXME: cp is not running assume everythings is done right
27138                  * away
27139 @@ -373,7 +373,7 @@ int radeon_fence_driver_init(struct rade
27140                 return r;
27141         }
27142         radeon_fence_write(rdev, 0);
27143 -       atomic_set(&rdev->fence_drv.seq, 0);
27144 +       atomic_set_unchecked(&rdev->fence_drv.seq, 0);
27145         INIT_LIST_HEAD(&rdev->fence_drv.created);
27146         INIT_LIST_HEAD(&rdev->fence_drv.emited);
27147         INIT_LIST_HEAD(&rdev->fence_drv.signaled);
27148 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon.h linux-3.1.1/drivers/gpu/drm/radeon/radeon.h
27149 --- linux-3.1.1/drivers/gpu/drm/radeon/radeon.h 2011-11-11 15:19:27.000000000 -0500
27150 +++ linux-3.1.1/drivers/gpu/drm/radeon/radeon.h 2011-11-16 18:39:07.000000000 -0500
27151 @@ -192,7 +192,7 @@ extern int sumo_get_temp(struct radeon_d
27152   */
27153  struct radeon_fence_driver {
27154         uint32_t                        scratch_reg;
27155 -       atomic_t                        seq;
27156 +       atomic_unchecked_t              seq;
27157         uint32_t                        last_seq;
27158         unsigned long                   last_jiffies;
27159         unsigned long                   last_timeout;
27160 @@ -962,7 +962,7 @@ struct radeon_asic {
27161         void (*pre_page_flip)(struct radeon_device *rdev, int crtc);
27162         u32 (*page_flip)(struct radeon_device *rdev, int crtc, u64 crtc_base);
27163         void (*post_page_flip)(struct radeon_device *rdev, int crtc);
27164 -};
27165 +} __no_const;
27166  
27167  /*
27168   * Asic structures
27169 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_ioc32.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_ioc32.c
27170 --- linux-3.1.1/drivers/gpu/drm/radeon/radeon_ioc32.c   2011-11-11 15:19:27.000000000 -0500
27171 +++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_ioc32.c   2011-11-16 18:39:07.000000000 -0500
27172 @@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
27173         request = compat_alloc_user_space(sizeof(*request));
27174         if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
27175             || __put_user(req32.param, &request->param)
27176 -           || __put_user((void __user *)(unsigned long)req32.value,
27177 +           || __put_user((unsigned long)req32.value,
27178                           &request->value))
27179                 return -EFAULT;
27180  
27181 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_irq.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_irq.c
27182 --- linux-3.1.1/drivers/gpu/drm/radeon/radeon_irq.c     2011-11-11 15:19:27.000000000 -0500
27183 +++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_irq.c     2011-11-16 18:39:07.000000000 -0500
27184 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
27185         unsigned int ret;
27186         RING_LOCALS;
27187  
27188 -       atomic_inc(&dev_priv->swi_emitted);
27189 -       ret = atomic_read(&dev_priv->swi_emitted);
27190 +       atomic_inc_unchecked(&dev_priv->swi_emitted);
27191 +       ret = atomic_read_unchecked(&dev_priv->swi_emitted);
27192  
27193         BEGIN_RING(4);
27194         OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
27195 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
27196         drm_radeon_private_t *dev_priv =
27197             (drm_radeon_private_t *) dev->dev_private;
27198  
27199 -       atomic_set(&dev_priv->swi_emitted, 0);
27200 +       atomic_set_unchecked(&dev_priv->swi_emitted, 0);
27201         DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
27202  
27203         dev->max_vblank_count = 0x001fffff;
27204 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_state.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_state.c
27205 --- linux-3.1.1/drivers/gpu/drm/radeon/radeon_state.c   2011-11-11 15:19:27.000000000 -0500
27206 +++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_state.c   2011-11-16 18:39:07.000000000 -0500
27207 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
27208         if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
27209                 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
27210  
27211 -       if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
27212 +       if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
27213                                sarea_priv->nbox * sizeof(depth_boxes[0])))
27214                 return -EFAULT;
27215  
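Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test re-reads a field the two preceding lines have just clamped, which only makes sense if `sarea_priv` lives in memory that is also mapped writable to userspace (the SAREA); in that case the third read in `sarea_priv->nbox * sizeof(depth_boxes[0])` on the next line is still a separate, unchecked read, so the window is narrowed rather than closed. Snapshotting once covers all three uses: `int nbox = sarea_priv->nbox;`, `if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;`, then `nbox * sizeof(depth_boxes[0])` in the copy. If the field is signed, a negative value also passes the `>` test and becomes a very large `size_t` length, so a `nbox < 0` rejection belongs in the same guard. Whether the dispatch callee re-reads `sarea_priv->nbox` afterwards is outside this hunk; radeon_cp_clear() begins before and ends after it.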
27216 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
27217  {
27218         drm_radeon_private_t *dev_priv = dev->dev_private;
27219         drm_radeon_getparam_t *param = data;
27220 -       int value;
27221 +       int value = 0;
27222  
27223         DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
27224  
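Review bot: The new `int value = 0;` is presumably there so that a switch arm which forgets to assign `value` cannot leave an uninitialised stack word to be copied out to userspace later in the function, but the hunk does not say so and the initialiser reads as noise. A trailing comment, `int value = 0;	/* never hand an uninitialised word to the user copy below */`, records the reason. radeon_cp_getparam() continues past this hunk.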
27225 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_ttm.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_ttm.c
27226 --- linux-3.1.1/drivers/gpu/drm/radeon/radeon_ttm.c     2011-11-11 15:19:27.000000000 -0500
27227 +++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_ttm.c     2011-11-16 18:39:07.000000000 -0500
27228 @@ -672,8 +672,10 @@ int radeon_mmap(struct file *filp, struc
27229         }
27230         if (unlikely(ttm_vm_ops == NULL)) {
27231                 ttm_vm_ops = vma->vm_ops;
27232 -               radeon_ttm_vm_ops = *ttm_vm_ops;
27233 -               radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
27234 +               pax_open_kernel();
27235 +               memcpy((void *)&radeon_ttm_vm_ops, ttm_vm_ops, sizeof(radeon_ttm_vm_ops));
27236 +               *(void **)&radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
27237 +               pax_close_kernel();
27238         }
27239         vma->vm_ops = &radeon_ttm_vm_ops;
27240         return 0;
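Review bot: The rewritten initialisation casts through `(void *)&radeon_ttm_vm_ops` and `*(void **)&radeon_ttm_vm_ops.fault` to get around whatever qualifier the object now carries, and relies on the `pax_open_kernel()`/`pax_close_kernel()` pair for the stores to land, but nothing in the hunk says why the two plain assignments had to go. A comment on the `pax_open_kernel();` line, `/* radeon_ttm_vm_ops is read-only after init; the copy below is only writable inside this window */` (assuming that is how the object is declared elsewhere in this patch), would keep a later cleanup from reverting it to direct assignment. radeon_mmap() starts before and ends after this hunk.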
27241 diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/rs690.c linux-3.1.1/drivers/gpu/drm/radeon/rs690.c
27242 --- linux-3.1.1/drivers/gpu/drm/radeon/rs690.c  2011-11-11 15:19:27.000000000 -0500
27243 +++ linux-3.1.1/drivers/gpu/drm/radeon/rs690.c  2011-11-16 18:39:07.000000000 -0500
27244 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
27245                 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
27246                         rdev->pm.sideport_bandwidth.full)
27247                         rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
27248 -               read_delay_latency.full = dfixed_const(370 * 800 * 1000);
27249 +               read_delay_latency.full = dfixed_const(800 * 1000);
27250                 read_delay_latency.full = dfixed_div(read_delay_latency,
27251                         rdev->pm.igp_sideport_mclk);
27252 +               a.full = dfixed_const(370);
27253 +               read_delay_latency.full = dfixed_mul(read_delay_latency, a);
27254         } else {
27255                 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
27256                         rdev->pm.k8_bandwidth.full)
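Review bot: Splitting `370 * 800 * 1000` into a `dfixed_const(800 * 1000)` divide followed by a `dfixed_mul` by 370 looks like overflow avoidance — 296,000,000 would presumably not survive a 32-bit shift-by-12 fixed-point encoding — but the reason is not stated, and the reordering also moves where rounding happens, since the divide now runs on the smaller operand before the scale. A comment above the first changed line, `/* 370*800*1000 overflows dfixed_const(); divide first, then scale by 370 */`, would record both facts. Please confirm `a` is a fixed-point local already declared in rs690_crtc_bandwidth_compute(); the function starts before and ends after this hunk.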
27257 diff -urNp linux-3.1.1/drivers/gpu/drm/ttm/ttm_page_alloc.c linux-3.1.1/drivers/gpu/drm/ttm/ttm_page_alloc.c
27258 --- linux-3.1.1/drivers/gpu/drm/ttm/ttm_page_alloc.c    2011-11-11 15:19:27.000000000 -0500
27259 +++ linux-3.1.1/drivers/gpu/drm/ttm/ttm_page_alloc.c    2011-11-16 18:39:07.000000000 -0500
27260 @@ -398,9 +398,9 @@ static int ttm_pool_get_num_unused_pages
27261  static int ttm_pool_mm_shrink(struct shrinker *shrink,
27262                               struct shrink_control *sc)
27263  {
27264 -       static atomic_t start_pool = ATOMIC_INIT(0);
27265 +       static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
27266         unsigned i;
27267 -       unsigned pool_offset = atomic_add_return(1, &start_pool);
27268 +       unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
27269         struct ttm_page_pool *pool;
27270         int shrink_pages = sc->nr_to_scan;
27271  
27272 diff -urNp linux-3.1.1/drivers/gpu/drm/via/via_drv.h linux-3.1.1/drivers/gpu/drm/via/via_drv.h
27273 --- linux-3.1.1/drivers/gpu/drm/via/via_drv.h   2011-11-11 15:19:27.000000000 -0500
27274 +++ linux-3.1.1/drivers/gpu/drm/via/via_drv.h   2011-11-16 18:39:07.000000000 -0500
27275 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
27276  typedef uint32_t maskarray_t[5];
27277  
27278  typedef struct drm_via_irq {
27279 -       atomic_t irq_received;
27280 +       atomic_unchecked_t irq_received;
27281         uint32_t pending_mask;
27282         uint32_t enable_mask;
27283         wait_queue_head_t irq_queue;
27284 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
27285         struct timeval last_vblank;
27286         int last_vblank_valid;
27287         unsigned usec_per_vblank;
27288 -       atomic_t vbl_received;
27289 +       atomic_unchecked_t vbl_received;
27290         drm_via_state_t hc_state;
27291         char pci_buf[VIA_PCI_BUF_SIZE];
27292         const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
27293 diff -urNp linux-3.1.1/drivers/gpu/drm/via/via_irq.c linux-3.1.1/drivers/gpu/drm/via/via_irq.c
27294 --- linux-3.1.1/drivers/gpu/drm/via/via_irq.c   2011-11-11 15:19:27.000000000 -0500
27295 +++ linux-3.1.1/drivers/gpu/drm/via/via_irq.c   2011-11-16 18:39:07.000000000 -0500
27296 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
27297         if (crtc != 0)
27298                 return 0;
27299  
27300 -       return atomic_read(&dev_priv->vbl_received);
27301 +       return atomic_read_unchecked(&dev_priv->vbl_received);
27302  }
27303  
27304  irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
27305 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
27306  
27307         status = VIA_READ(VIA_REG_INTERRUPT);
27308         if (status & VIA_IRQ_VBLANK_PENDING) {
27309 -               atomic_inc(&dev_priv->vbl_received);
27310 -               if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
27311 +               atomic_inc_unchecked(&dev_priv->vbl_received);
27312 +               if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
27313                         do_gettimeofday(&cur_vblank);
27314                         if (dev_priv->last_vblank_valid) {
27315                                 dev_priv->usec_per_vblank =
27316 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
27317                         dev_priv->last_vblank = cur_vblank;
27318                         dev_priv->last_vblank_valid = 1;
27319                 }
27320 -               if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
27321 +               if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
27322                         DRM_DEBUG("US per vblank is: %u\n",
27323                                   dev_priv->usec_per_vblank);
27324                 }
27325 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
27326  
27327         for (i = 0; i < dev_priv->num_irqs; ++i) {
27328                 if (status & cur_irq->pending_mask) {
27329 -                       atomic_inc(&cur_irq->irq_received);
27330 +                       atomic_inc_unchecked(&cur_irq->irq_received);
27331                         DRM_WAKEUP(&cur_irq->irq_queue);
27332                         handled = 1;
27333                         if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
27334 @@ -243,11 +243,11 @@ via_driver_irq_wait(struct drm_device *d
27335                 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
27336                             ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
27337                              masks[irq][4]));
27338 -               cur_irq_sequence = atomic_read(&cur_irq->irq_received);
27339 +               cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
27340         } else {
27341                 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
27342                             (((cur_irq_sequence =
27343 -                              atomic_read(&cur_irq->irq_received)) -
27344 +                              atomic_read_unchecked(&cur_irq->irq_received)) -
27345                               *sequence) <= (1 << 23)));
27346         }
27347         *sequence = cur_irq_sequence;
27348 @@ -285,7 +285,7 @@ void via_driver_irq_preinstall(struct dr
27349                 }
27350  
27351                 for (i = 0; i < dev_priv->num_irqs; ++i) {
27352 -                       atomic_set(&cur_irq->irq_received, 0);
27353 +                       atomic_set_unchecked(&cur_irq->irq_received, 0);
27354                         cur_irq->enable_mask = dev_priv->irq_masks[i][0];
27355                         cur_irq->pending_mask = dev_priv->irq_masks[i][1];
27356                         DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
27357 @@ -367,7 +367,7 @@ int via_wait_irq(struct drm_device *dev,
27358         switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
27359         case VIA_IRQ_RELATIVE:
27360                 irqwait->request.sequence +=
27361 -                       atomic_read(&cur_irq->irq_received);
27362 +                       atomic_read_unchecked(&cur_irq->irq_received);
27363                 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
27364         case VIA_IRQ_ABSOLUTE:
27365                 break;
27366 diff -urNp linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
27367 --- linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h     2011-11-11 15:19:27.000000000 -0500
27368 +++ linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h     2011-11-16 18:39:07.000000000 -0500
27369 @@ -240,7 +240,7 @@ struct vmw_private {
27370          * Fencing and IRQs.
27371          */
27372  
27373 -       atomic_t fence_seq;
27374 +       atomic_unchecked_t fence_seq;
27375         wait_queue_head_t fence_queue;
27376         wait_queue_head_t fifo_queue;
27377         atomic_t fence_queue_waiters;
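--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -610,7 +610,7 @@ int vmw_execbuf_ioctl(struct drm_device 
        struct drm_vmw_fence_rep fence_rep;
        struct drm_vmw_fence_rep __user *user_fence_rep;
        int ret;
-       void *user_cmd;
+       void __user *user_cmd;
        void *cmd;
        uint32_t sequence;
        struct vmw_sw_context *sw_context = &dev_priv->ctx;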
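--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
@@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev
        while (!vmw_lag_lt(queue, us)) {
                spin_lock(&queue->lock);
                if (list_empty(&queue->head))
-                       sequence = atomic_read(&dev_priv->fence_seq);
+                       sequence = atomic_read_unchecked(&dev_priv->fence_seq);
                else {
                        fence = list_first_entry(&queue->head,
                                                 struct vmw_fence, head);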
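--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
@@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
                 (unsigned int) min,
                 (unsigned int) fifo->capabilities);
 
-       atomic_set(&dev_priv->fence_seq, dev_priv->last_read_sequence);
+       atomic_set_unchecked(&dev_priv->fence_seq, dev_priv->last_read_sequence);
        iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
        vmw_fence_queue_init(&fifo->fence_queue);
        return vmw_fifo_send_fence(dev_priv, &dummy);
@@ -356,7 +356,7 @@ void *vmw_fifo_reserve(struct vmw_privat
                                if (reserveable)
                                        iowrite32(bytes, fifo_mem +
                                                  SVGA_FIFO_RESERVED);
-                               return fifo_mem + (next_cmd >> 2);
+                               return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2);
                        } else {
                                need_bounce = true;
                        }
@@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
 
        fm = vmw_fifo_reserve(dev_priv, bytes);
        if (unlikely(fm == NULL)) {
-               *sequence = atomic_read(&dev_priv->fence_seq);
+               *sequence = atomic_read_unchecked(&dev_priv->fence_seq);
                ret = -ENOMEM;
                (void)vmw_fallback_wait(dev_priv, false, true, *sequence,
                                        false, 3*HZ);
@@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_priva
        }
 
        do {
-               *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
+               *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
        } while (*sequence == 0);
 
        if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {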
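Review bot: The `__force_kernel` cast in the `@@ -356` hunk silences the address-space check on `fifo_mem` instead of recording why plain kernel stores through the returned pointer are acceptable; the reason belongs in a comment beside the cast, e.g. `/* fifo_mem is addressed as ordinary memory here; plain stores through the returned pointer are intended — confirm against where fifo_mem is mapped */`. The cast is applied before `+ (next_cmd >> 2)`, so the arithmetic is now in `__le32` units regardless of how `fifo_mem` is declared; that is equivalent to the removed line only if `fifo_mem` already had a 4-byte element type, and its declaration is outside the hunk. vmw_fifo_reserve and vmw_fifo_send_fence both start and end outside their hunks.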
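--- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
@@ -100,7 +100,7 @@ bool vmw_fence_signaled(struct vmw_priva
         * emitted. Then the fence is stale and signaled.
         */
 
-       ret = ((atomic_read(&dev_priv->fence_seq) - sequence)
+       ret = ((atomic_read_unchecked(&dev_priv->fence_seq) - sequence)
               > VMW_FENCE_WRAP);
 
        return ret;
@@ -131,7 +131,7 @@ int vmw_fallback_wait(struct vmw_private
 
        if (fifo_idle)
                down_read(&fifo_state->rwsem);
-       signal_seq = atomic_read(&dev_priv->fence_seq);
+       signal_seq = atomic_read_unchecked(&dev_priv->fence_seq);
        ret = 0;
 
        for (;;) {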
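--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1951,7 +1951,7 @@ static bool hid_ignore(struct hid_device
 
 int hid_add_device(struct hid_device *hdev)
 {
-       static atomic_t id = ATOMIC_INIT(0);
+       static atomic_unchecked_t id = ATOMIC_INIT(0);
        int ret;
 
        if (WARN_ON(hdev->status & HID_STAT_ADDED))
@@ -1966,7 +1966,7 @@ int hid_add_device(struct hid_device *hd
        /* XXX hack, any other cleaner solution after the driver core
         * is converted to allow more than 20 bytes as the device name? */
        dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
-                    hdev->vendor, hdev->product, atomic_inc_return(&id));
+                    hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
 
        hid_debug_register(hdev, dev_name(&hdev->dev));
        ret = device_add(&hdev->dev);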
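--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -624,7 +624,7 @@ static long hiddev_ioctl(struct file *fi
                break;
 
        case HIDIOCAPPLICATION:
-               if (arg < 0 || arg >= hid->maxapplication)
+               if (arg >= hid->maxapplication)
                        break;
 
                for (i = 0; i < hid->maxcollection; i++)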
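Review bot: Dropping the `arg < 0` test is a pure cleanup only if `arg` is unsigned (the `unsigned long` of the usual ioctl prototype), in which case the old test was dead code; the hunk does not show the parameter, so the removal should carry a comment saying so, e.g. `/* arg is unsigned; only the upper bound can be violated */` above the `if`. The remaining bound check also assumes `hid->maxapplication` is an unsigned field, which is inferred rather than visible here. hiddev_ioctl starts and ends outside the hunk.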
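--- a/drivers/hwmon/acpi_power_meter.c
+++ b/drivers/hwmon/acpi_power_meter.c
@@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
                return res;
 
        temp /= 1000;
-       if (temp < 0)
-               return -EINVAL;
 
        mutex_lock(&resource->lock);
        resource->trip[attr->index - 7] = temp;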
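Review bot: Removing the `if (temp < 0) return -EINVAL;` guard in set_trip is a no-op only if `temp` is an unsigned type, which the hunk does not show; if `temp` is signed, a negative value written through sysfs now reaches `resource->trip[attr->index - 7] = temp` and whatever consumes it, where the guard previously rejected it. If the type is indeed unsigned, a comment such as `/* temp is unsigned (see the parse above), so no lower-bound check is needed */` would record that; if it is not, the guard should stay. set_trip starts and ends outside the hunk.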
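--- a/drivers/hwmon/sht15.c
+++ b/drivers/hwmon/sht15.c
@@ -166,7 +166,7 @@ struct sht15_data {
        int                             supply_uV;
        bool                            supply_uV_valid;
        struct work_struct              update_supply_work;
-       atomic_t                        interrupt_handled;
+       atomic_unchecked_t              interrupt_handled;
 };
 
 /**
@@ -509,13 +509,13 @@ static int sht15_measurement(struct sht1
                return ret;
 
        gpio_direction_input(data->pdata->gpio_data);
-       atomic_set(&data->interrupt_handled, 0);
+       atomic_set_unchecked(&data->interrupt_handled, 0);
 
        enable_irq(gpio_to_irq(data->pdata->gpio_data));
        if (gpio_get_value(data->pdata->gpio_data) == 0) {
                disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
                /* Only relevant if the interrupt hasn't occurred. */
-               if (!atomic_read(&data->interrupt_handled))
+               if (!atomic_read_unchecked(&data->interrupt_handled))
                        schedule_work(&data->read_work);
        }
        ret = wait_event_timeout(data->wait_queue,
@@ -782,7 +782,7 @@ static irqreturn_t sht15_interrupt_fired
 
        /* First disable the interrupt */
        disable_irq_nosync(irq);
-       atomic_inc(&data->interrupt_handled);
+       atomic_inc_unchecked(&data->interrupt_handled);
        /* Then schedule a reading work struct */
        if (data->state != SHT15_READING_NOTHING)
                schedule_work(&data->read_work);
@@ -804,11 +804,11 @@ static void sht15_bh_read_data(struct wo
                 * If not, then start the interrupt again - care here as could
                 * have gone low in meantime so verify it hasn't!
                 */
-               atomic_set(&data->interrupt_handled, 0);
+               atomic_set_unchecked(&data->interrupt_handled, 0);
                enable_irq(gpio_to_irq(data->pdata->gpio_data));
                /* If still not occurred or another handler has been scheduled */
                if (gpio_get_value(data->pdata->gpio_data)
-                   || atomic_read(&data->interrupt_handled))
+                   || atomic_read_unchecked(&data->interrupt_handled))
                        return;
        }
 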
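--- a/drivers/i2c/busses/i2c-amd756-s4882.c
+++ b/drivers/i2c/busses/i2c-amd756-s4882.c
@@ -43,7 +43,7 @@
 extern struct i2c_adapter amd756_smbus;
 
 static struct i2c_adapter *s4882_adapter;
-static struct i2c_algorithm *s4882_algo;
+static i2c_algorithm_no_const *s4882_algo;
 
 /* Wrapper access functions for multiplexed SMBus */
 static DEFINE_MUTEX(amd756_lock);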
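--- a/drivers/i2c/busses/i2c-nforce2-s4985.c
+++ b/drivers/i2c/busses/i2c-nforce2-s4985.c
@@ -41,7 +41,7 @@
 extern struct i2c_adapter *nforce2_smbus;
 
 static struct i2c_adapter *s4985_adapter;
-static struct i2c_algorithm *s4985_algo;
+static i2c_algorithm_no_const *s4985_algo;
 
 /* Wrapper access functions for multiplexed SMBus */
 static DEFINE_MUTEX(nforce2_lock);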
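--- a/drivers/i2c/i2c-mux.c
+++ b/drivers/i2c/i2c-mux.c
@@ -28,7 +28,7 @@
 /* multiplexer per channel data */
 struct i2c_mux_priv {
        struct i2c_adapter adap;
-       struct i2c_algorithm algo;
+       i2c_algorithm_no_const algo;
 
        struct i2c_adapter *parent;
        void *mux_dev;  /* the mux chip/device */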
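--- a/drivers/ide/aec62xx.c
+++ b/drivers/ide/aec62xx.c
@@ -181,7 +181,7 @@ static const struct ide_port_ops atp86x_
        .cable_detect           = atp86x_cable_detect,
 };
 
-static const struct ide_port_info aec62xx_chipsets[] __devinitdata = {
+static const struct ide_port_info aec62xx_chipsets[] __devinitconst = {
        {       /* 0: AEC6210 */
                .name           = DRV_NAME,
                .init_chipset   = init_chipset_aec62xx,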
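--- a/drivers/ide/alim15x3.c
+++ b/drivers/ide/alim15x3.c
@@ -512,7 +512,7 @@ static const struct ide_dma_ops ali_dma_
        .dma_sff_read_status    = ide_dma_sff_read_status,
 };
 
-static const struct ide_port_info ali15x3_chipset __devinitdata = {
+static const struct ide_port_info ali15x3_chipset __devinitconst = {
        .name           = DRV_NAME,
        .init_chipset   = init_chipset_ali15x3,
        .init_hwif      = init_hwif_ali15x3,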
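--- a/drivers/ide/amd74xx.c
+++ b/drivers/ide/amd74xx.c
@@ -223,7 +223,7 @@ static const struct ide_port_ops amd_por
                .udma_mask      = udma,                                 \
        }
 
-static const struct ide_port_info amd74xx_chipsets[] __devinitdata = {
+static const struct ide_port_info amd74xx_chipsets[] __devinitconst = {
        /* 0: AMD7401 */        DECLARE_AMD_DEV(0x00, ATA_UDMA2),
        /* 1: AMD7409 */        DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA4),
        /* 2: AMD7411/7441 */   DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA5),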
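--- a/drivers/ide/atiixp.c
+++ b/drivers/ide/atiixp.c
@@ -139,7 +139,7 @@ static const struct ide_port_ops atiixp_
        .cable_detect           = atiixp_cable_detect,
 };
 
-static const struct ide_port_info atiixp_pci_info[] __devinitdata = {
+static const struct ide_port_info atiixp_pci_info[] __devinitconst = {
        {       /* 0: IXP200/300/400/700 */
                .name           = DRV_NAME,
                .enablebits     = {{0x48,0x01,0x00}, {0x48,0x08,0x00}},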
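--- a/drivers/ide/cmd64x.c
+++ b/drivers/ide/cmd64x.c
@@ -327,7 +327,7 @@ static const struct ide_dma_ops cmd646_r
        .dma_sff_read_status    = ide_dma_sff_read_status,
 };
 
-static const struct ide_port_info cmd64x_chipsets[] __devinitdata = {
+static const struct ide_port_info cmd64x_chipsets[] __devinitconst = {
        {       /* 0: CMD643 */
                .name           = DRV_NAME,
                .init_chipset   = init_chipset_cmd64x,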
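--- a/drivers/ide/cs5520.c
+++ b/drivers/ide/cs5520.c
@@ -94,7 +94,7 @@ static const struct ide_port_ops cs5520_
        .set_dma_mode           = cs5520_set_dma_mode,
 };
 
-static const struct ide_port_info cyrix_chipset __devinitdata = {
+static const struct ide_port_info cyrix_chipset __devinitconst = {
        .name           = DRV_NAME,
        .enablebits     = { { 0x60, 0x01, 0x01 }, { 0x60, 0x02, 0x02 } },
        .port_ops       = &cs5520_port_ops,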
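--- a/drivers/ide/cs5530.c
+++ b/drivers/ide/cs5530.c
@@ -245,7 +245,7 @@ static const struct ide_port_ops cs5530_
        .udma_filter            = cs5530_udma_filter,
 };
 
-static const struct ide_port_info cs5530_chipset __devinitdata = {
+static const struct ide_port_info cs5530_chipset __devinitconst = {
        .name           = DRV_NAME,
        .init_chipset   = init_chipset_cs5530,
        .init_hwif      = init_hwif_cs5530,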
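--- a/drivers/ide/cs5535.c
+++ b/drivers/ide/cs5535.c
@@ -170,7 +170,7 @@ static const struct ide_port_ops cs5535_
        .cable_detect           = cs5535_cable_detect,
 };
 
-static const struct ide_port_info cs5535_chipset __devinitdata = {
+static const struct ide_port_info cs5535_chipset __devinitconst = {
        .name           = DRV_NAME,
        .port_ops       = &cs5535_port_ops,
        .host_flags     = IDE_HFLAG_SINGLE | IDE_HFLAG_POST_SET_MODE,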
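--- a/drivers/ide/cy82c693.c
+++ b/drivers/ide/cy82c693.c
@@ -163,7 +163,7 @@ static const struct ide_port_ops cy82c69
        .set_dma_mode           = cy82c693_set_dma_mode,
 };
 
-static const struct ide_port_info cy82c693_chipset __devinitdata = {
+static const struct ide_port_info cy82c693_chipset __devinitconst = {
        .name           = DRV_NAME,
        .init_iops      = init_iops_cy82c693,
        .port_ops       = &cy82c693_port_ops,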
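--- a/drivers/ide/hpt366.c
+++ b/drivers/ide/hpt366.c
@@ -443,7 +443,7 @@ static struct hpt_timings hpt37x_timings
        }
 };
 
-static const struct hpt_info hpt36x __devinitdata = {
+static const struct hpt_info hpt36x __devinitconst = {
        .chip_name      = "HPT36x",
        .chip_type      = HPT36x,
        .udma_mask      = HPT366_ALLOW_ATA66_3 ? (HPT366_ALLOW_ATA66_4 ? ATA_UDMA4 : ATA_UDMA3) : ATA_UDMA2,
@@ -451,7 +451,7 @@ static const struct hpt_info hpt36x __de
        .timings        = &hpt36x_timings
 };
 
-static const struct hpt_info hpt370 __devinitdata = {
+static const struct hpt_info hpt370 __devinitconst = {
        .chip_name      = "HPT370",
        .chip_type      = HPT370,
        .udma_mask      = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
@@ -459,7 +459,7 @@ static const struct hpt_info hpt370 __de
        .timings        = &hpt37x_timings
 };
 
-static const struct hpt_info hpt370a __devinitdata = {
+static const struct hpt_info hpt370a __devinitconst = {
        .chip_name      = "HPT370A",
        .chip_type      = HPT370A,
        .udma_mask      = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
@@ -467,7 +467,7 @@ static const struct hpt_info hpt370a __d
        .timings        = &hpt37x_timings
 };
 
-static const struct hpt_info hpt374 __devinitdata = {
+static const struct hpt_info hpt374 __devinitconst = {
        .chip_name      = "HPT374",
        .chip_type      = HPT374,
        .udma_mask      = ATA_UDMA5,
@@ -475,7 +475,7 @@ static const struct hpt_info hpt374 __de
        .timings        = &hpt37x_timings
 };
 
-static const struct hpt_info hpt372 __devinitdata = {
+static const struct hpt_info hpt372 __devinitconst = {
        .chip_name      = "HPT372",
        .chip_type      = HPT372,
        .udma_mask      = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
@@ -483,7 +483,7 @@ static const struct hpt_info hpt372 __de
        .timings        = &hpt37x_timings
 };
 
-static const struct hpt_info hpt372a __devinitdata = {
+static const struct hpt_info hpt372a __devinitconst = {
        .chip_name      = "HPT372A",
        .chip_type      = HPT372A,
        .udma_mask      = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
@@ -491,7 +491,7 @@ static const struct hpt_info hpt372a __d
        .timings        = &hpt37x_timings
 };
 
-static const struct hpt_info hpt302 __devinitdata = {
+static const struct hpt_info hpt302 __devinitconst = {
        .chip_name      = "HPT302",
        .chip_type      = HPT302,
        .udma_mask      = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
@@ -499,7 +499,7 @@ static const struct hpt_info hpt302 __de
        .timings        = &hpt37x_timings
 };
 
-static const struct hpt_info hpt371 __devinitdata = {
+static const struct hpt_info hpt371 __devinitconst = {
        .chip_name      = "HPT371",
        .chip_type      = HPT371,
        .udma_mask      = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
@@ -507,7 +507,7 @@ static const struct hpt_info hpt371 __de
        .timings        = &hpt37x_timings
 };
 
-static const struct hpt_info hpt372n __devinitdata = {
+static const struct hpt_info hpt372n __devinitconst = {
        .chip_name      = "HPT372N",
        .chip_type      = HPT372N,
        .udma_mask      = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
@@ -515,7 +515,7 @@ static const struct hpt_info hpt372n __d
        .timings        = &hpt37x_timings
 };
 
-static const struct hpt_info hpt302n __devinitdata = {
+static const struct hpt_info hpt302n __devinitconst = {
        .chip_name      = "HPT302N",
        .chip_type      = HPT302N,
        .udma_mask      = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
@@ -523,7 +523,7 @@ static const struct hpt_info hpt302n __d
        .timings        = &hpt37x_timings
 };
 
-static const struct hpt_info hpt371n __devinitdata = {
+static const struct hpt_info hpt371n __devinitconst = {
        .chip_name      = "HPT371N",
        .chip_type      = HPT371N,
        .udma_mask      = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
@@ -1361,7 +1361,7 @@ static const struct ide_dma_ops hpt36x_d
        .dma_sff_read_status    = ide_dma_sff_read_status,
 };
 
-static const struct ide_port_info hpt366_chipsets[] __devinitdata = {
+static const struct ide_port_info hpt366_chipsets[] __devinitconst = {
        {       /* 0: HPT36x */
                .name           = DRV_NAME,
                .init_chipset   = init_chipset_hpt366,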
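--- a/drivers/ide/ide-cd.c
+++ b/drivers/ide/ide-cd.c
@@ -769,7 +769,7 @@ static void cdrom_do_block_pc(ide_drive_
                alignment = queue_dma_alignment(q) | q->dma_pad_mask;
                if ((unsigned long)buf & alignment
                    || blk_rq_bytes(rq) & q->dma_pad_mask
-                   || object_is_on_stack(buf))
+                   || object_starts_on_stack(buf))
                        drive->dma = 0;
        }
 }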
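--- a/drivers/ide/ide-floppy.c
+++ b/drivers/ide/ide-floppy.c
@@ -379,6 +379,8 @@ static int ide_floppy_get_capacity(ide_d
        u8 pc_buf[256], header_len, desc_cnt;
        int i, rc = 1, blocks, length;
 
+       pax_track_stack();
+
        ide_debug_log(IDE_DBG_FUNC, "enter");
 
        drive->bios_cyl = 0;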
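Review bot: The inserted `pax_track_stack();` in ide_floppy_get_capacity is unexplained at the call site; it sits directly under `u8 pc_buf[256]`, so a comment tying it to that buffer, e.g. `/* pc_buf[256] makes this frame large; register it with PaX stack tracking */`, would tell a later reader why the call is here and when it could be dropped. That the 256-byte buffer is the trigger is inferred from the hunk only; the helper's definition and its size threshold are elsewhere in the patch. ide_floppy_get_capacity continues outside the hunk.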
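--- a/drivers/ide/ide-pci-generic.c
+++ b/drivers/ide/ide-pci-generic.c
@@ -53,7 +53,7 @@ static const struct ide_port_ops netcell
                .udma_mask      = ATA_UDMA6, \
        }
 
-static const struct ide_port_info generic_chipsets[] __devinitdata = {
+static const struct ide_port_info generic_chipsets[] __devinitconst = {
        /*  0: Unknown */
        DECLARE_GENERIC_PCI_DEV(0),
 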
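--- a/drivers/ide/it8172.c
+++ b/drivers/ide/it8172.c
@@ -115,7 +115,7 @@ static const struct ide_port_ops it8172_
        .set_dma_mode   = it8172_set_dma_mode,
 };
 
-static const struct ide_port_info it8172_port_info __devinitdata = {
+static const struct ide_port_info it8172_port_info __devinitconst = {
        .name           = DRV_NAME,
        .port_ops       = &it8172_port_ops,
        .enablebits     = { {0x41, 0x80, 0x80}, {0x00, 0x00, 0x00} },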
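--- a/drivers/ide/it8213.c
+++ b/drivers/ide/it8213.c
@@ -156,7 +156,7 @@ static const struct ide_port_ops it8213_
        .cable_detect           = it8213_cable_detect,
 };
 
-static const struct ide_port_info it8213_chipset __devinitdata = {
+static const struct ide_port_info it8213_chipset __devinitconst = {
        .name           = DRV_NAME,
        .enablebits     = { {0x41, 0x80, 0x80} },
        .port_ops       = &it8213_port_ops,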
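--- a/drivers/ide/it821x.c
+++ b/drivers/ide/it821x.c
@@ -630,7 +630,7 @@ static const struct ide_port_ops it821x_
        .cable_detect           = it821x_cable_detect,
 };
 
-static const struct ide_port_info it821x_chipset __devinitdata = {
+static const struct ide_port_info it821x_chipset __devinitconst = {
        .name           = DRV_NAME,
        .init_chipset   = init_chipset_it821x,
        .init_hwif      = init_hwif_it821x,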
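--- a/drivers/ide/jmicron.c
+++ b/drivers/ide/jmicron.c
@@ -102,7 +102,7 @@ static const struct ide_port_ops jmicron
        .cable_detect           = jmicron_cable_detect,
 };
 
-static const struct ide_port_info jmicron_chipset __devinitdata = {
+static const struct ide_port_info jmicron_chipset __devinitconst = {
        .name           = DRV_NAME,
        .enablebits     = { { 0x40, 0x01, 0x01 }, { 0x40, 0x10, 0x10 } },
        .port_ops       = &jmicron_port_ops,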
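--- a/drivers/ide/ns87415.c
+++ b/drivers/ide/ns87415.c
@@ -293,7 +293,7 @@ static const struct ide_dma_ops ns87415_
        .dma_sff_read_status    = superio_dma_sff_read_status,
 };
 
-static const struct ide_port_info ns87415_chipset __devinitdata = {
+static const struct ide_port_info ns87415_chipset __devinitconst = {
        .name           = DRV_NAME,
        .init_hwif      = init_hwif_ns87415,
        .tp_ops         = &ns87415_tp_ops,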
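--- a/drivers/ide/opti621.c
+++ b/drivers/ide/opti621.c
@@ -131,7 +131,7 @@ static const struct ide_port_ops opti621
        .set_pio_mode           = opti621_set_pio_mode,
 };
 
-static const struct ide_port_info opti621_chipset __devinitdata = {
+static const struct ide_port_info opti621_chipset __devinitconst = {
        .name           = DRV_NAME,
        .enablebits     = { {0x45, 0x80, 0x00}, {0x40, 0x08, 0x00} },
        .port_ops       = &opti621_port_ops,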
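--- a/drivers/ide/pdc202xx_new.c
+++ b/drivers/ide/pdc202xx_new.c
@@ -465,7 +465,7 @@ static const struct ide_port_ops pdcnew_
                .udma_mask      = udma, \
        }
 
-static const struct ide_port_info pdcnew_chipsets[] __devinitdata = {
+static const struct ide_port_info pdcnew_chipsets[] __devinitconst = {
        /* 0: PDC202{68,70} */          DECLARE_PDCNEW_DEV(ATA_UDMA5),
        /* 1: PDC202{69,71,75,76,77} */ DECLARE_PDCNEW_DEV(ATA_UDMA6),
 };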
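--- a/drivers/ide/pdc202xx_old.c
+++ b/drivers/ide/pdc202xx_old.c
@@ -270,7 +270,7 @@ static const struct ide_dma_ops pdc2026x
                .max_sectors    = sectors, \
        }
 
-static const struct ide_port_info pdc202xx_chipsets[] __devinitdata = {
+static const struct ide_port_info pdc202xx_chipsets[] __devinitconst = {
        {       /* 0: PDC20246 */
                .name           = DRV_NAME,
                .init_chipset   = init_chipset_pdc202xx,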
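--- a/drivers/ide/piix.c
+++ b/drivers/ide/piix.c
@@ -344,7 +344,7 @@ static const struct ide_port_ops ich_por
                .udma_mask      = udma, \
        }
 
-static const struct ide_port_info piix_pci_info[] __devinitdata = {
+static const struct ide_port_info piix_pci_info[] __devinitconst = {
        /* 0: MPIIX */
        {       /*
                 * MPIIX actually has only a single IDE channel mapped to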
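--- a/drivers/ide/rz1000.c
+++ b/drivers/ide/rz1000.c
@@ -38,7 +38,7 @@ static int __devinit rz1000_disable_read
        }
 }
 
-static const struct ide_port_info rz1000_chipset __devinitdata = {
+static const struct ide_port_info rz1000_chipset __devinitconst = {
        .name           = DRV_NAME,
        .host_flags     = IDE_HFLAG_NO_DMA,
 };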
27969 diff -urNp linux-3.1.1/drivers/ide/sc1200.c linux-3.1.1/drivers/ide/sc1200.c
27970 --- linux-3.1.1/drivers/ide/sc1200.c    2011-11-11 15:19:27.000000000 -0500
27971 +++ linux-3.1.1/drivers/ide/sc1200.c    2011-11-16 18:39:07.000000000 -0500
27972 @@ -291,7 +291,7 @@ static const struct ide_dma_ops sc1200_d
27973         .dma_sff_read_status    = ide_dma_sff_read_status,
27974  };
27975  
27976 -static const struct ide_port_info sc1200_chipset __devinitdata = {
27977 +static const struct ide_port_info sc1200_chipset __devinitconst = {
27978         .name           = DRV_NAME,
27979         .port_ops       = &sc1200_port_ops,
27980         .dma_ops        = &sc1200_dma_ops,
27981 diff -urNp linux-3.1.1/drivers/ide/scc_pata.c linux-3.1.1/drivers/ide/scc_pata.c
27982 --- linux-3.1.1/drivers/ide/scc_pata.c  2011-11-11 15:19:27.000000000 -0500
27983 +++ linux-3.1.1/drivers/ide/scc_pata.c  2011-11-16 18:39:07.000000000 -0500
27984 @@ -811,7 +811,7 @@ static const struct ide_dma_ops scc_dma_
27985         .dma_sff_read_status    = scc_dma_sff_read_status,
27986  };
27987  
27988 -static const struct ide_port_info scc_chipset __devinitdata = {
27989 +static const struct ide_port_info scc_chipset __devinitconst = {
27990         .name           = "sccIDE",
27991         .init_iops      = init_iops_scc,
27992         .init_dma       = scc_init_dma,
27993 diff -urNp linux-3.1.1/drivers/ide/serverworks.c linux-3.1.1/drivers/ide/serverworks.c
27994 --- linux-3.1.1/drivers/ide/serverworks.c       2011-11-11 15:19:27.000000000 -0500
27995 +++ linux-3.1.1/drivers/ide/serverworks.c       2011-11-16 18:39:07.000000000 -0500
27996 @@ -337,7 +337,7 @@ static const struct ide_port_ops svwks_p
27997         .cable_detect           = svwks_cable_detect,
27998  };
27999  
28000 -static const struct ide_port_info serverworks_chipsets[] __devinitdata = {
28001 +static const struct ide_port_info serverworks_chipsets[] __devinitconst = {
28002         {       /* 0: OSB4 */
28003                 .name           = DRV_NAME,
28004                 .init_chipset   = init_chipset_svwks,
28005 diff -urNp linux-3.1.1/drivers/ide/setup-pci.c linux-3.1.1/drivers/ide/setup-pci.c
28006 --- linux-3.1.1/drivers/ide/setup-pci.c 2011-11-11 15:19:27.000000000 -0500
28007 +++ linux-3.1.1/drivers/ide/setup-pci.c 2011-11-16 18:40:10.000000000 -0500
28008 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
28009         int ret, i, n_ports = dev2 ? 4 : 2;
28010         struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
28011  
28012 +       pax_track_stack();
28013 +
28014         for (i = 0; i < n_ports / 2; i++) {
28015                 ret = ide_setup_pci_controller(pdev[i], d, !i);
28016                 if (ret < 0)
28017 diff -urNp linux-3.1.1/drivers/ide/siimage.c linux-3.1.1/drivers/ide/siimage.c
28018 --- linux-3.1.1/drivers/ide/siimage.c   2011-11-11 15:19:27.000000000 -0500
28019 +++ linux-3.1.1/drivers/ide/siimage.c   2011-11-16 18:39:07.000000000 -0500
28020 @@ -719,7 +719,7 @@ static const struct ide_dma_ops sil_dma_
28021                 .udma_mask      = ATA_UDMA6,            \
28022         }
28023  
28024 -static const struct ide_port_info siimage_chipsets[] __devinitdata = {
28025 +static const struct ide_port_info siimage_chipsets[] __devinitconst = {
28026         /* 0: SiI680 */  DECLARE_SII_DEV(&sil_pata_port_ops),
28027         /* 1: SiI3112 */ DECLARE_SII_DEV(&sil_sata_port_ops)
28028  };
28029 diff -urNp linux-3.1.1/drivers/ide/sis5513.c linux-3.1.1/drivers/ide/sis5513.c
28030 --- linux-3.1.1/drivers/ide/sis5513.c   2011-11-11 15:19:27.000000000 -0500
28031 +++ linux-3.1.1/drivers/ide/sis5513.c   2011-11-16 18:39:07.000000000 -0500
28032 @@ -563,7 +563,7 @@ static const struct ide_port_ops sis_ata
28033         .cable_detect           = sis_cable_detect,
28034  };
28035  
28036 -static const struct ide_port_info sis5513_chipset __devinitdata = {
28037 +static const struct ide_port_info sis5513_chipset __devinitconst = {
28038         .name           = DRV_NAME,
28039         .init_chipset   = init_chipset_sis5513,
28040         .enablebits     = { {0x4a, 0x02, 0x02}, {0x4a, 0x04, 0x04} },
28041 diff -urNp linux-3.1.1/drivers/ide/sl82c105.c linux-3.1.1/drivers/ide/sl82c105.c
28042 --- linux-3.1.1/drivers/ide/sl82c105.c  2011-11-11 15:19:27.000000000 -0500
28043 +++ linux-3.1.1/drivers/ide/sl82c105.c  2011-11-16 18:39:07.000000000 -0500
28044 @@ -299,7 +299,7 @@ static const struct ide_dma_ops sl82c105
28045         .dma_sff_read_status    = ide_dma_sff_read_status,
28046  };
28047  
28048 -static const struct ide_port_info sl82c105_chipset __devinitdata = {
28049 +static const struct ide_port_info sl82c105_chipset __devinitconst = {
28050         .name           = DRV_NAME,
28051         .init_chipset   = init_chipset_sl82c105,
28052         .enablebits     = {{0x40,0x01,0x01}, {0x40,0x10,0x10}},
28053 diff -urNp linux-3.1.1/drivers/ide/slc90e66.c linux-3.1.1/drivers/ide/slc90e66.c
28054 --- linux-3.1.1/drivers/ide/slc90e66.c  2011-11-11 15:19:27.000000000 -0500
28055 +++ linux-3.1.1/drivers/ide/slc90e66.c  2011-11-16 18:39:07.000000000 -0500
28056 @@ -132,7 +132,7 @@ static const struct ide_port_ops slc90e6
28057         .cable_detect           = slc90e66_cable_detect,
28058  };
28059  
28060 -static const struct ide_port_info slc90e66_chipset __devinitdata = {
28061 +static const struct ide_port_info slc90e66_chipset __devinitconst = {
28062         .name           = DRV_NAME,
28063         .enablebits     = { {0x41, 0x80, 0x80}, {0x43, 0x80, 0x80} },
28064         .port_ops       = &slc90e66_port_ops,
28065 diff -urNp linux-3.1.1/drivers/ide/tc86c001.c linux-3.1.1/drivers/ide/tc86c001.c
28066 --- linux-3.1.1/drivers/ide/tc86c001.c  2011-11-11 15:19:27.000000000 -0500
28067 +++ linux-3.1.1/drivers/ide/tc86c001.c  2011-11-16 18:39:07.000000000 -0500
28068 @@ -191,7 +191,7 @@ static const struct ide_dma_ops tc86c001
28069         .dma_sff_read_status    = ide_dma_sff_read_status,
28070  };
28071  
28072 -static const struct ide_port_info tc86c001_chipset __devinitdata = {
28073 +static const struct ide_port_info tc86c001_chipset __devinitconst = {
28074         .name           = DRV_NAME,
28075         .init_hwif      = init_hwif_tc86c001,
28076         .port_ops       = &tc86c001_port_ops,
28077 diff -urNp linux-3.1.1/drivers/ide/triflex.c linux-3.1.1/drivers/ide/triflex.c
28078 --- linux-3.1.1/drivers/ide/triflex.c   2011-11-11 15:19:27.000000000 -0500
28079 +++ linux-3.1.1/drivers/ide/triflex.c   2011-11-16 18:39:07.000000000 -0500
28080 @@ -92,7 +92,7 @@ static const struct ide_port_ops triflex
28081         .set_dma_mode           = triflex_set_mode,
28082  };
28083  
28084 -static const struct ide_port_info triflex_device __devinitdata = {
28085 +static const struct ide_port_info triflex_device __devinitconst = {
28086         .name           = DRV_NAME,
28087         .enablebits     = {{0x80, 0x01, 0x01}, {0x80, 0x02, 0x02}},
28088         .port_ops       = &triflex_port_ops,
28089 diff -urNp linux-3.1.1/drivers/ide/trm290.c linux-3.1.1/drivers/ide/trm290.c
28090 --- linux-3.1.1/drivers/ide/trm290.c    2011-11-11 15:19:27.000000000 -0500
28091 +++ linux-3.1.1/drivers/ide/trm290.c    2011-11-16 18:39:07.000000000 -0500
28092 @@ -324,7 +324,7 @@ static struct ide_dma_ops trm290_dma_ops
28093         .dma_check              = trm290_dma_check,
28094  };
28095  
28096 -static const struct ide_port_info trm290_chipset __devinitdata = {
28097 +static const struct ide_port_info trm290_chipset __devinitconst = {
28098         .name           = DRV_NAME,
28099         .init_hwif      = init_hwif_trm290,
28100         .tp_ops         = &trm290_tp_ops,
28101 diff -urNp linux-3.1.1/drivers/ide/via82cxxx.c linux-3.1.1/drivers/ide/via82cxxx.c
28102 --- linux-3.1.1/drivers/ide/via82cxxx.c 2011-11-11 15:19:27.000000000 -0500
28103 +++ linux-3.1.1/drivers/ide/via82cxxx.c 2011-11-16 18:39:07.000000000 -0500
28104 @@ -403,7 +403,7 @@ static const struct ide_port_ops via_por
28105         .cable_detect           = via82cxxx_cable_detect,
28106  };
28107  
28108 -static const struct ide_port_info via82cxxx_chipset __devinitdata = {
28109 +static const struct ide_port_info via82cxxx_chipset __devinitconst = {
28110         .name           = DRV_NAME,
28111         .init_chipset   = init_chipset_via82cxxx,
28112         .enablebits     = { { 0x40, 0x02, 0x02 }, { 0x40, 0x01, 0x01 } },
28113 diff -urNp linux-3.1.1/drivers/infiniband/core/cm.c linux-3.1.1/drivers/infiniband/core/cm.c
28114 --- linux-3.1.1/drivers/infiniband/core/cm.c    2011-11-11 15:19:27.000000000 -0500
28115 +++ linux-3.1.1/drivers/infiniband/core/cm.c    2011-11-16 18:39:07.000000000 -0500
28116 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
28117  
28118  struct cm_counter_group {
28119         struct kobject obj;
28120 -       atomic_long_t counter[CM_ATTR_COUNT];
28121 +       atomic_long_unchecked_t counter[CM_ATTR_COUNT];
28122  };
28123  
28124  struct cm_counter_attribute {
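Review bot: The switch of `counter[CM_ATTR_COUNT]` to `atomic_long_unchecked_t` records nowhere why these counters may legitimately opt out of overflow detection; the justification is only visible from the later hunks in this file, where they are incremented in the cm_*_handler paths and read once in cm_show_counter for sysfs, never driving object lifetime. A comment on the member, `/* statistics only, never a refcount: wrap-around is harmless */`, would let a later auditor separate these from real reference counts when reviewing the `_unchecked` call sites. The same reasoning covers the `atomic_long_add_unchecked` calls in cm_send_handler, which would benefit from the member comment rather than per-site repetition.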
28125 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
28126         struct ib_mad_send_buf *msg = NULL;
28127         int ret;
28128  
28129 -       atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28130 +       atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28131                         counter[CM_REQ_COUNTER]);
28132  
28133         /* Quick state check to discard duplicate REQs. */
28134 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
28135         if (!cm_id_priv)
28136                 return;
28137  
28138 -       atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28139 +       atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28140                         counter[CM_REP_COUNTER]);
28141         ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
28142         if (ret)
28143 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
28144         if (cm_id_priv->id.state != IB_CM_REP_SENT &&
28145             cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
28146                 spin_unlock_irq(&cm_id_priv->lock);
28147 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28148 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28149                                 counter[CM_RTU_COUNTER]);
28150                 goto out;
28151         }
28152 @@ -2115,7 +2115,7 @@ static int cm_dreq_handler(struct cm_wor
28153         cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
28154                                    dreq_msg->local_comm_id);
28155         if (!cm_id_priv) {
28156 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28157 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28158                                 counter[CM_DREQ_COUNTER]);
28159                 cm_issue_drep(work->port, work->mad_recv_wc);
28160                 return -EINVAL;
28161 @@ -2140,7 +2140,7 @@ static int cm_dreq_handler(struct cm_wor
28162         case IB_CM_MRA_REP_RCVD:
28163                 break;
28164         case IB_CM_TIMEWAIT:
28165 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28166 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28167                                 counter[CM_DREQ_COUNTER]);
28168                 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
28169                         goto unlock;
28170 @@ -2154,7 +2154,7 @@ static int cm_dreq_handler(struct cm_wor
28171                         cm_free_msg(msg);
28172                 goto deref;
28173         case IB_CM_DREQ_RCVD:
28174 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28175 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28176                                 counter[CM_DREQ_COUNTER]);
28177                 goto unlock;
28178         default:
28179 @@ -2521,7 +2521,7 @@ static int cm_mra_handler(struct cm_work
28180                     ib_modify_mad(cm_id_priv->av.port->mad_agent,
28181                                   cm_id_priv->msg, timeout)) {
28182                         if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
28183 -                               atomic_long_inc(&work->port->
28184 +                               atomic_long_inc_unchecked(&work->port->
28185                                                 counter_group[CM_RECV_DUPLICATES].
28186                                                 counter[CM_MRA_COUNTER]);
28187                         goto out;
28188 @@ -2530,7 +2530,7 @@ static int cm_mra_handler(struct cm_work
28189                 break;
28190         case IB_CM_MRA_REQ_RCVD:
28191         case IB_CM_MRA_REP_RCVD:
28192 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28193 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28194                                 counter[CM_MRA_COUNTER]);
28195                 /* fall through */
28196         default:
28197 @@ -2692,7 +2692,7 @@ static int cm_lap_handler(struct cm_work
28198         case IB_CM_LAP_IDLE:
28199                 break;
28200         case IB_CM_MRA_LAP_SENT:
28201 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28202 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28203                                 counter[CM_LAP_COUNTER]);
28204                 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
28205                         goto unlock;
28206 @@ -2708,7 +2708,7 @@ static int cm_lap_handler(struct cm_work
28207                         cm_free_msg(msg);
28208                 goto deref;
28209         case IB_CM_LAP_RCVD:
28210 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28211 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28212                                 counter[CM_LAP_COUNTER]);
28213                 goto unlock;
28214         default:
28215 @@ -2992,7 +2992,7 @@ static int cm_sidr_req_handler(struct cm
28216         cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
28217         if (cur_cm_id_priv) {
28218                 spin_unlock_irq(&cm.lock);
28219 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28220 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28221                                 counter[CM_SIDR_REQ_COUNTER]);
28222                 goto out; /* Duplicate message. */
28223         }
28224 @@ -3204,10 +3204,10 @@ static void cm_send_handler(struct ib_ma
28225         if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
28226                 msg->retries = 1;
28227  
28228 -       atomic_long_add(1 + msg->retries,
28229 +       atomic_long_add_unchecked(1 + msg->retries,
28230                         &port->counter_group[CM_XMIT].counter[attr_index]);
28231         if (msg->retries)
28232 -               atomic_long_add(msg->retries,
28233 +               atomic_long_add_unchecked(msg->retries,
28234                                 &port->counter_group[CM_XMIT_RETRIES].
28235                                 counter[attr_index]);
28236  
28237 @@ -3417,7 +3417,7 @@ static void cm_recv_handler(struct ib_ma
28238         }
28239  
28240         attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
28241 -       atomic_long_inc(&port->counter_group[CM_RECV].
28242 +       atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
28243                         counter[attr_id - CM_ATTR_ID_OFFSET]);
28244  
28245         work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
28246 @@ -3615,7 +3615,7 @@ static ssize_t cm_show_counter(struct ko
28247         cm_attr = container_of(attr, struct cm_counter_attribute, attr);
28248  
28249         return sprintf(buf, "%ld\n",
28250 -                      atomic_long_read(&group->counter[cm_attr->index]));
28251 +                      atomic_long_read_unchecked(&group->counter[cm_attr->index]));
28252  }
28253  
28254  static const struct sysfs_ops cm_counter_ops = {
28255 diff -urNp linux-3.1.1/drivers/infiniband/core/fmr_pool.c linux-3.1.1/drivers/infiniband/core/fmr_pool.c
28256 --- linux-3.1.1/drivers/infiniband/core/fmr_pool.c      2011-11-11 15:19:27.000000000 -0500
28257 +++ linux-3.1.1/drivers/infiniband/core/fmr_pool.c      2011-11-16 18:39:07.000000000 -0500
28258 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
28259  
28260         struct task_struct       *thread;
28261  
28262 -       atomic_t                  req_ser;
28263 -       atomic_t                  flush_ser;
28264 +       atomic_unchecked_t        req_ser;
28265 +       atomic_unchecked_t        flush_ser;
28266  
28267         wait_queue_head_t         force_wait;
28268  };
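Review bot: `req_ser` and `flush_ser` become `atomic_unchecked_t` without a comment, although this is arguably the one place in these hunks where the unchecked type matters for behaviour rather than being merely tolerated: ib_fmr_cleanup_thread and ib_flush_fmr_pool compare them by signed difference (`atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0`), so the serials are meant to keep counting through wrap. A comment such as `/* increasing serials compared by signed difference; wrap is intended */` on the two fields would make that dependency explicit. The `static atomic_unchecked_t key` in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c is in the same category (only the low 8 bits are consumed via `& 0xff`) and would benefit from the same kind of comment.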
28269 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
28270         struct ib_fmr_pool *pool = pool_ptr;
28271  
28272         do {
28273 -               if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
28274 +               if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
28275                         ib_fmr_batch_release(pool);
28276  
28277 -                       atomic_inc(&pool->flush_ser);
28278 +                       atomic_inc_unchecked(&pool->flush_ser);
28279                         wake_up_interruptible(&pool->force_wait);
28280  
28281                         if (pool->flush_function)
28282 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
28283                 }
28284  
28285                 set_current_state(TASK_INTERRUPTIBLE);
28286 -               if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
28287 +               if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
28288                     !kthread_should_stop())
28289                         schedule();
28290                 __set_current_state(TASK_RUNNING);
28291 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
28292         pool->dirty_watermark = params->dirty_watermark;
28293         pool->dirty_len       = 0;
28294         spin_lock_init(&pool->pool_lock);
28295 -       atomic_set(&pool->req_ser,   0);
28296 -       atomic_set(&pool->flush_ser, 0);
28297 +       atomic_set_unchecked(&pool->req_ser,   0);
28298 +       atomic_set_unchecked(&pool->flush_ser, 0);
28299         init_waitqueue_head(&pool->force_wait);
28300  
28301         pool->thread = kthread_run(ib_fmr_cleanup_thread,
28302 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
28303         }
28304         spin_unlock_irq(&pool->pool_lock);
28305  
28306 -       serial = atomic_inc_return(&pool->req_ser);
28307 +       serial = atomic_inc_return_unchecked(&pool->req_ser);
28308         wake_up_process(pool->thread);
28309  
28310         if (wait_event_interruptible(pool->force_wait,
28311 -                                    atomic_read(&pool->flush_ser) - serial >= 0))
28312 +                                    atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
28313                 return -EINTR;
28314  
28315         return 0;
28316 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
28317                 } else {
28318                         list_add_tail(&fmr->list, &pool->dirty_list);
28319                         if (++pool->dirty_len >= pool->dirty_watermark) {
28320 -                               atomic_inc(&pool->req_ser);
28321 +                               atomic_inc_unchecked(&pool->req_ser);
28322                                 wake_up_process(pool->thread);
28323                         }
28324                 }
28325 diff -urNp linux-3.1.1/drivers/infiniband/hw/cxgb4/mem.c linux-3.1.1/drivers/infiniband/hw/cxgb4/mem.c
28326 --- linux-3.1.1/drivers/infiniband/hw/cxgb4/mem.c       2011-11-11 15:19:27.000000000 -0500
28327 +++ linux-3.1.1/drivers/infiniband/hw/cxgb4/mem.c       2011-11-16 18:39:07.000000000 -0500
28328 @@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_r
28329         int err;
28330         struct fw_ri_tpte tpt;
28331         u32 stag_idx;
28332 -       static atomic_t key;
28333 +       static atomic_unchecked_t key;
28334  
28335         if (c4iw_fatal_error(rdev))
28336                 return -EIO;
28337 @@ -135,7 +135,7 @@ static int write_tpt_entry(struct c4iw_r
28338                                              &rdev->resource.tpt_fifo_lock);
28339                 if (!stag_idx)
28340                         return -ENOMEM;
28341 -               *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
28342 +               *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
28343         }
28344         PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
28345              __func__, stag_state, type, pdid, stag_idx);
28346 diff -urNp linux-3.1.1/drivers/infiniband/hw/ipath/ipath_fs.c linux-3.1.1/drivers/infiniband/hw/ipath/ipath_fs.c
28347 --- linux-3.1.1/drivers/infiniband/hw/ipath/ipath_fs.c  2011-11-11 15:19:27.000000000 -0500
28348 +++ linux-3.1.1/drivers/infiniband/hw/ipath/ipath_fs.c  2011-11-16 18:40:10.000000000 -0500
28349 @@ -113,6 +113,8 @@ static ssize_t atomic_counters_read(stru
28350         struct infinipath_counters counters;
28351         struct ipath_devdata *dd;
28352  
28353 +       pax_track_stack();
28354 +
28355         dd = file->f_path.dentry->d_inode->i_private;
28356         dd->ipath_f_read_counters(dd, &counters);
28357  
28358 diff -urNp linux-3.1.1/drivers/infiniband/hw/ipath/ipath_rc.c linux-3.1.1/drivers/infiniband/hw/ipath/ipath_rc.c
28359 --- linux-3.1.1/drivers/infiniband/hw/ipath/ipath_rc.c  2011-11-11 15:19:27.000000000 -0500
28360 +++ linux-3.1.1/drivers/infiniband/hw/ipath/ipath_rc.c  2011-11-16 18:39:07.000000000 -0500
28361 @@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *de
28362                 struct ib_atomic_eth *ateth;
28363                 struct ipath_ack_entry *e;
28364                 u64 vaddr;
28365 -               atomic64_t *maddr;
28366 +               atomic64_unchecked_t *maddr;
28367                 u64 sdata;
28368                 u32 rkey;
28369                 u8 next;
28370 @@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *de
28371                                             IB_ACCESS_REMOTE_ATOMIC)))
28372                         goto nack_acc_unlck;
28373                 /* Perform atomic OP and save result. */
28374 -               maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
28375 +               maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
28376                 sdata = be64_to_cpu(ateth->swap_data);
28377                 e = &qp->s_ack_queue[qp->r_head_ack_queue];
28378                 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
28379 -                       (u64) atomic64_add_return(sdata, maddr) - sdata :
28380 +                       (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
28381                         (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
28382                                       be64_to_cpu(ateth->compare_data),
28383                                       sdata);
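Review bot: The cast `maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;` is the only place in these hunks where the atomic target is not a kernel-owned counter but memory described by a peer's SGE (access was just checked against `IB_ACCESS_REMOTE_ATOMIC`), and nothing in the hunk says so. The unchecked variant is the right choice because the fetch-add result is the peer's data and is expected to wrap as a plain 64-bit add, but a comment, `/* target is user/RDMA memory, not a kernel counter: no overflow checking */`, would record that decision next to the cast. The identical pattern in ipath_ruc_loopback in drivers/infiniband/hw/ipath/ipath_ruc.c needs the same note. ipath_rc_rcv's body extends beyond the hunk.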
28384 diff -urNp linux-3.1.1/drivers/infiniband/hw/ipath/ipath_ruc.c linux-3.1.1/drivers/infiniband/hw/ipath/ipath_ruc.c
28385 --- linux-3.1.1/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-11-11 15:19:27.000000000 -0500
28386 +++ linux-3.1.1/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-11-16 18:39:07.000000000 -0500
28387 @@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ip
28388         unsigned long flags;
28389         struct ib_wc wc;
28390         u64 sdata;
28391 -       atomic64_t *maddr;
28392 +       atomic64_unchecked_t *maddr;
28393         enum ib_wc_status send_status;
28394  
28395         /*
28396 @@ -382,11 +382,11 @@ again:
28397                                             IB_ACCESS_REMOTE_ATOMIC)))
28398                         goto acc_err;
28399                 /* Perform atomic OP and save result. */
28400 -               maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
28401 +               maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
28402                 sdata = wqe->wr.wr.atomic.compare_add;
28403                 *(u64 *) sqp->s_sge.sge.vaddr =
28404                         (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
28405 -                       (u64) atomic64_add_return(sdata, maddr) - sdata :
28406 +                       (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
28407                         (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
28408                                       sdata, wqe->wr.wr.atomic.swap);
28409                 goto send_comp;
28410 diff -urNp linux-3.1.1/drivers/infiniband/hw/nes/nes.c linux-3.1.1/drivers/infiniband/hw/nes/nes.c
28411 --- linux-3.1.1/drivers/infiniband/hw/nes/nes.c 2011-11-11 15:19:27.000000000 -0500
28412 +++ linux-3.1.1/drivers/infiniband/hw/nes/nes.c 2011-11-16 18:39:07.000000000 -0500
28413 @@ -103,7 +103,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
28414  LIST_HEAD(nes_adapter_list);
28415  static LIST_HEAD(nes_dev_list);
28416  
28417 -atomic_t qps_destroyed;
28418 +atomic_unchecked_t qps_destroyed;
28419  
28420  static unsigned int ee_flsh_adapter;
28421  static unsigned int sysfs_nonidx_addr;
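Review bot: `qps_destroyed` is a non-static global, so changing its type to `atomic_unchecked_t` here is only half of the change: any `extern atomic_t qps_destroyed;` declaration in the driver's header and any `atomic_read(&qps_destroyed)` elsewhere in the driver must move in lock-step or the build fails on the type mismatch, and those sites are not in this chunk, so I cannot confirm they are covered. The same concern applies to the block of exported counters (`cm_listens_created`, `cm_connects`, ...) in drivers/infiniband/hw/nes/nes_cm.c, which are likewise declared without `static`. A short comment above the declaration, `/* driver-wide statistic, read elsewhere; never a refcount */`, would also document why the unchecked variant is acceptable for it.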
28422 @@ -275,7 +275,7 @@ static void nes_cqp_rem_ref_callback(str
28423         struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
28424         struct nes_adapter *nesadapter = nesdev->nesadapter;
28425  
28426 -       atomic_inc(&qps_destroyed);
28427 +       atomic_inc_unchecked(&qps_destroyed);
28428  
28429         /* Free the control structures */
28430  
28431 diff -urNp linux-3.1.1/drivers/infiniband/hw/nes/nes_cm.c linux-3.1.1/drivers/infiniband/hw/nes/nes_cm.c
28432 --- linux-3.1.1/drivers/infiniband/hw/nes/nes_cm.c      2011-11-11 15:19:27.000000000 -0500
28433 +++ linux-3.1.1/drivers/infiniband/hw/nes/nes_cm.c      2011-11-16 18:39:07.000000000 -0500
28434 @@ -68,14 +68,14 @@ u32 cm_packets_dropped;
28435  u32 cm_packets_retrans;
28436  u32 cm_packets_created;
28437  u32 cm_packets_received;
28438 -atomic_t cm_listens_created;
28439 -atomic_t cm_listens_destroyed;
28440 +atomic_unchecked_t cm_listens_created;
28441 +atomic_unchecked_t cm_listens_destroyed;
28442  u32 cm_backlog_drops;
28443 -atomic_t cm_loopbacks;
28444 -atomic_t cm_nodes_created;
28445 -atomic_t cm_nodes_destroyed;
28446 -atomic_t cm_accel_dropped_pkts;
28447 -atomic_t cm_resets_recvd;
28448 +atomic_unchecked_t cm_loopbacks;
28449 +atomic_unchecked_t cm_nodes_created;
28450 +atomic_unchecked_t cm_nodes_destroyed;
28451 +atomic_unchecked_t cm_accel_dropped_pkts;
28452 +atomic_unchecked_t cm_resets_recvd;
28453  
28454  static inline int mini_cm_accelerated(struct nes_cm_core *,
28455         struct nes_cm_node *);
28456 @@ -151,13 +151,13 @@ static struct nes_cm_ops nes_cm_api = {
28457  
28458  static struct nes_cm_core *g_cm_core;
28459  
28460 -atomic_t cm_connects;
28461 -atomic_t cm_accepts;
28462 -atomic_t cm_disconnects;
28463 -atomic_t cm_closes;
28464 -atomic_t cm_connecteds;
28465 -atomic_t cm_connect_reqs;
28466 -atomic_t cm_rejects;
28467 +atomic_unchecked_t cm_connects;
28468 +atomic_unchecked_t cm_accepts;
28469 +atomic_unchecked_t cm_disconnects;
28470 +atomic_unchecked_t cm_closes;
28471 +atomic_unchecked_t cm_connecteds;
28472 +atomic_unchecked_t cm_connect_reqs;
28473 +atomic_unchecked_t cm_rejects;
28474  
28475  
28476  /**
28477 @@ -1045,7 +1045,7 @@ static int mini_cm_dec_refcnt_listen(str
28478                 kfree(listener);
28479                 listener = NULL;
28480                 ret = 0;
28481 -               atomic_inc(&cm_listens_destroyed);
28482 +               atomic_inc_unchecked(&cm_listens_destroyed);
28483         } else {
28484                 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
28485         }
28486 @@ -1240,7 +1240,7 @@ static struct nes_cm_node *make_cm_node(
28487                   cm_node->rem_mac);
28488  
28489         add_hte_node(cm_core, cm_node);
28490 -       atomic_inc(&cm_nodes_created);
28491 +       atomic_inc_unchecked(&cm_nodes_created);
28492  
28493         return cm_node;
28494  }
28495 @@ -1298,7 +1298,7 @@ static int rem_ref_cm_node(struct nes_cm
28496         }
28497  
28498         atomic_dec(&cm_core->node_cnt);
28499 -       atomic_inc(&cm_nodes_destroyed);
28500 +       atomic_inc_unchecked(&cm_nodes_destroyed);
28501         nesqp = cm_node->nesqp;
28502         if (nesqp) {
28503                 nesqp->cm_node = NULL;
28504 @@ -1365,7 +1365,7 @@ static int process_options(struct nes_cm
28505  
28506  static void drop_packet(struct sk_buff *skb)
28507  {
28508 -       atomic_inc(&cm_accel_dropped_pkts);
28509 +       atomic_inc_unchecked(&cm_accel_dropped_pkts);
28510         dev_kfree_skb_any(skb);
28511  }
28512  
28513 @@ -1428,7 +1428,7 @@ static void handle_rst_pkt(struct nes_cm
28514  {
28515  
28516         int     reset = 0;      /* whether to send reset in case of err.. */
28517 -       atomic_inc(&cm_resets_recvd);
28518 +       atomic_inc_unchecked(&cm_resets_recvd);
28519         nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
28520                         " refcnt=%d\n", cm_node, cm_node->state,
28521                         atomic_read(&cm_node->ref_count));
28522 @@ -2057,7 +2057,7 @@ static struct nes_cm_node *mini_cm_conne
28523                                 rem_ref_cm_node(cm_node->cm_core, cm_node);
28524                                 return NULL;
28525                         }
28526 -                       atomic_inc(&cm_loopbacks);
28527 +                       atomic_inc_unchecked(&cm_loopbacks);
28528                         loopbackremotenode->loopbackpartner = cm_node;
28529                         loopbackremotenode->tcp_cntxt.rcv_wscale =
28530                                 NES_CM_DEFAULT_RCV_WND_SCALE;
28531 @@ -2332,7 +2332,7 @@ static int mini_cm_recv_pkt(struct nes_c
28532                         add_ref_cm_node(cm_node);
28533                 } else if (cm_node->state == NES_CM_STATE_TSA) {
28534                         rem_ref_cm_node(cm_core, cm_node);
28535 -                       atomic_inc(&cm_accel_dropped_pkts);
28536 +                       atomic_inc_unchecked(&cm_accel_dropped_pkts);
28537                         dev_kfree_skb_any(skb);
28538                         break;
28539                 }
28540 @@ -2638,7 +2638,7 @@ static int nes_cm_disconn_true(struct ne
28541  
28542         if ((cm_id) && (cm_id->event_handler)) {
28543                 if (issue_disconn) {
28544 -                       atomic_inc(&cm_disconnects);
28545 +                       atomic_inc_unchecked(&cm_disconnects);
28546                         cm_event.event = IW_CM_EVENT_DISCONNECT;
28547                         cm_event.status = disconn_status;
28548                         cm_event.local_addr = cm_id->local_addr;
28549 @@ -2660,7 +2660,7 @@ static int nes_cm_disconn_true(struct ne
28550                 }
28551  
28552                 if (issue_close) {
28553 -                       atomic_inc(&cm_closes);
28554 +                       atomic_inc_unchecked(&cm_closes);
28555                         nes_disconnect(nesqp, 1);
28556  
28557                         cm_id->provider_data = nesqp;
28558 @@ -2791,7 +2791,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
28559  
28560         nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
28561                 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
28562 -       atomic_inc(&cm_accepts);
28563 +       atomic_inc_unchecked(&cm_accepts);
28564  
28565         nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
28566                         netdev_refcnt_read(nesvnic->netdev));
28567 @@ -3001,7 +3001,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
28568  
28569         struct nes_cm_core *cm_core;
28570  
28571 -       atomic_inc(&cm_rejects);
28572 +       atomic_inc_unchecked(&cm_rejects);
28573         cm_node = (struct nes_cm_node *) cm_id->provider_data;
28574         loopback = cm_node->loopbackpartner;
28575         cm_core = cm_node->cm_core;
28576 @@ -3067,7 +3067,7 @@ int nes_connect(struct iw_cm_id *cm_id, 
28577                 ntohl(cm_id->local_addr.sin_addr.s_addr),
28578                 ntohs(cm_id->local_addr.sin_port));
28579  
28580 -       atomic_inc(&cm_connects);
28581 +       atomic_inc_unchecked(&cm_connects);
28582         nesqp->active_conn = 1;
28583  
28584         /* cache the cm_id in the qp */
28585 @@ -3173,7 +3173,7 @@ int nes_create_listen(struct iw_cm_id *c
28586                         g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
28587                         return err;
28588                 }
28589 -               atomic_inc(&cm_listens_created);
28590 +               atomic_inc_unchecked(&cm_listens_created);
28591         }
28592  
28593         cm_id->add_ref(cm_id);
28594 @@ -3278,7 +3278,7 @@ static void cm_event_connected(struct ne
28595         if (nesqp->destroyed) {
28596                 return;
28597         }
28598 -       atomic_inc(&cm_connecteds);
28599 +       atomic_inc_unchecked(&cm_connecteds);
28600         nes_debug(NES_DBG_CM, "QP%u attempting to connect to  0x%08X:0x%04X on"
28601                         " local port 0x%04X. jiffies = %lu.\n",
28602                         nesqp->hwqp.qp_id,
28603 @@ -3493,7 +3493,7 @@ static void cm_event_reset(struct nes_cm
28604  
28605         cm_id->add_ref(cm_id);
28606         ret = cm_id->event_handler(cm_id, &cm_event);
28607 -       atomic_inc(&cm_closes);
28608 +       atomic_inc_unchecked(&cm_closes);
28609         cm_event.event = IW_CM_EVENT_CLOSE;
28610         cm_event.status = 0;
28611         cm_event.provider_data = cm_id->provider_data;
28612 @@ -3529,7 +3529,7 @@ static void cm_event_mpa_req(struct nes_
28613                 return;
28614         cm_id = cm_node->cm_id;
28615  
28616 -       atomic_inc(&cm_connect_reqs);
28617 +       atomic_inc_unchecked(&cm_connect_reqs);
28618         nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
28619                         cm_node, cm_id, jiffies);
28620  
28621 @@ -3567,7 +3567,7 @@ static void cm_event_mpa_reject(struct n
28622                 return;
28623         cm_id = cm_node->cm_id;
28624  
28625 -       atomic_inc(&cm_connect_reqs);
28626 +       atomic_inc_unchecked(&cm_connect_reqs);
28627         nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
28628                         cm_node, cm_id, jiffies);
28629  
28630 diff -urNp linux-3.1.1/drivers/infiniband/hw/nes/nes.h linux-3.1.1/drivers/infiniband/hw/nes/nes.h
28631 --- linux-3.1.1/drivers/infiniband/hw/nes/nes.h 2011-11-11 15:19:27.000000000 -0500
28632 +++ linux-3.1.1/drivers/infiniband/hw/nes/nes.h 2011-11-16 18:39:07.000000000 -0500
28633 @@ -175,17 +175,17 @@ extern unsigned int nes_debug_level;
28634  extern unsigned int wqm_quanta;
28635  extern struct list_head nes_adapter_list;
28636  
28637 -extern atomic_t cm_connects;
28638 -extern atomic_t cm_accepts;
28639 -extern atomic_t cm_disconnects;
28640 -extern atomic_t cm_closes;
28641 -extern atomic_t cm_connecteds;
28642 -extern atomic_t cm_connect_reqs;
28643 -extern atomic_t cm_rejects;
28644 -extern atomic_t mod_qp_timouts;
28645 -extern atomic_t qps_created;
28646 -extern atomic_t qps_destroyed;
28647 -extern atomic_t sw_qps_destroyed;
28648 +extern atomic_unchecked_t cm_connects;
28649 +extern atomic_unchecked_t cm_accepts;
28650 +extern atomic_unchecked_t cm_disconnects;
28651 +extern atomic_unchecked_t cm_closes;
28652 +extern atomic_unchecked_t cm_connecteds;
28653 +extern atomic_unchecked_t cm_connect_reqs;
28654 +extern atomic_unchecked_t cm_rejects;
28655 +extern atomic_unchecked_t mod_qp_timouts;
28656 +extern atomic_unchecked_t qps_created;
28657 +extern atomic_unchecked_t qps_destroyed;
28658 +extern atomic_unchecked_t sw_qps_destroyed;
28659  extern u32 mh_detected;
28660  extern u32 mh_pauses_sent;
28661  extern u32 cm_packets_sent;
28662 @@ -194,14 +194,14 @@ extern u32 cm_packets_created;
28663  extern u32 cm_packets_received;
28664  extern u32 cm_packets_dropped;
28665  extern u32 cm_packets_retrans;
28666 -extern atomic_t cm_listens_created;
28667 -extern atomic_t cm_listens_destroyed;
28668 +extern atomic_unchecked_t cm_listens_created;
28669 +extern atomic_unchecked_t cm_listens_destroyed;
28670  extern u32 cm_backlog_drops;
28671 -extern atomic_t cm_loopbacks;
28672 -extern atomic_t cm_nodes_created;
28673 -extern atomic_t cm_nodes_destroyed;
28674 -extern atomic_t cm_accel_dropped_pkts;
28675 -extern atomic_t cm_resets_recvd;
28676 +extern atomic_unchecked_t cm_loopbacks;
28677 +extern atomic_unchecked_t cm_nodes_created;
28678 +extern atomic_unchecked_t cm_nodes_destroyed;
28679 +extern atomic_unchecked_t cm_accel_dropped_pkts;
28680 +extern atomic_unchecked_t cm_resets_recvd;
28681  
28682  extern u32 int_mod_timer_init;
28683  extern u32 int_mod_cq_depth_256;
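Review bot: Every statistics counter in this header becomes atomic_unchecked_t with no comment on why it is exempt from overflow detection, so a reader without the PaX background cannot tell an intentional opt-out from an oversight. The nes_nic.c hunk in this same patch shows these values are only read back into the ethtool statistics array, which means wraparound is harmless and is exactly the property the unchecked variant is meant to encode. A one-line comment above the block, `/* statistics only: wraparound is harmless, so these bypass atomic_t overflow checking */`, would make the exemption auditable and also explains the matching conversions in nes_cm.c, nes_nic.c and nes_verbs.c.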
28684 diff -urNp linux-3.1.1/drivers/infiniband/hw/nes/nes_nic.c linux-3.1.1/drivers/infiniband/hw/nes/nes_nic.c
28685 --- linux-3.1.1/drivers/infiniband/hw/nes/nes_nic.c     2011-11-11 15:19:27.000000000 -0500
28686 +++ linux-3.1.1/drivers/infiniband/hw/nes/nes_nic.c     2011-11-16 18:39:07.000000000 -0500
28687 @@ -1274,31 +1274,31 @@ static void nes_netdev_get_ethtool_stats
28688         target_stat_values[++index] = mh_detected;
28689         target_stat_values[++index] = mh_pauses_sent;
28690         target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
28691 -       target_stat_values[++index] = atomic_read(&cm_connects);
28692 -       target_stat_values[++index] = atomic_read(&cm_accepts);
28693 -       target_stat_values[++index] = atomic_read(&cm_disconnects);
28694 -       target_stat_values[++index] = atomic_read(&cm_connecteds);
28695 -       target_stat_values[++index] = atomic_read(&cm_connect_reqs);
28696 -       target_stat_values[++index] = atomic_read(&cm_rejects);
28697 -       target_stat_values[++index] = atomic_read(&mod_qp_timouts);
28698 -       target_stat_values[++index] = atomic_read(&qps_created);
28699 -       target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
28700 -       target_stat_values[++index] = atomic_read(&qps_destroyed);
28701 -       target_stat_values[++index] = atomic_read(&cm_closes);
28702 +       target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
28703 +       target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
28704 +       target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
28705 +       target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
28706 +       target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
28707 +       target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
28708 +       target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
28709 +       target_stat_values[++index] = atomic_read_unchecked(&qps_created);
28710 +       target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
28711 +       target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
28712 +       target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
28713         target_stat_values[++index] = cm_packets_sent;
28714         target_stat_values[++index] = cm_packets_bounced;
28715         target_stat_values[++index] = cm_packets_created;
28716         target_stat_values[++index] = cm_packets_received;
28717         target_stat_values[++index] = cm_packets_dropped;
28718         target_stat_values[++index] = cm_packets_retrans;
28719 -       target_stat_values[++index] = atomic_read(&cm_listens_created);
28720 -       target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
28721 +       target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
28722 +       target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
28723         target_stat_values[++index] = cm_backlog_drops;
28724 -       target_stat_values[++index] = atomic_read(&cm_loopbacks);
28725 -       target_stat_values[++index] = atomic_read(&cm_nodes_created);
28726 -       target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
28727 -       target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
28728 -       target_stat_values[++index] = atomic_read(&cm_resets_recvd);
28729 +       target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
28730 +       target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
28731 +       target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
28732 +       target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
28733 +       target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
28734         target_stat_values[++index] = nesadapter->free_4kpbl;
28735         target_stat_values[++index] = nesadapter->free_256pbl;
28736         target_stat_values[++index] = int_mod_timer_init;
28737 diff -urNp linux-3.1.1/drivers/infiniband/hw/nes/nes_verbs.c linux-3.1.1/drivers/infiniband/hw/nes/nes_verbs.c
28738 --- linux-3.1.1/drivers/infiniband/hw/nes/nes_verbs.c   2011-11-11 15:19:27.000000000 -0500
28739 +++ linux-3.1.1/drivers/infiniband/hw/nes/nes_verbs.c   2011-11-16 18:39:07.000000000 -0500
28740 @@ -46,9 +46,9 @@
28741  
28742  #include <rdma/ib_umem.h>
28743  
28744 -atomic_t mod_qp_timouts;
28745 -atomic_t qps_created;
28746 -atomic_t sw_qps_destroyed;
28747 +atomic_unchecked_t mod_qp_timouts;
28748 +atomic_unchecked_t qps_created;
28749 +atomic_unchecked_t sw_qps_destroyed;
28750  
28751  static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
28752  
28753 @@ -1131,7 +1131,7 @@ static struct ib_qp *nes_create_qp(struc
28754         if (init_attr->create_flags)
28755                 return ERR_PTR(-EINVAL);
28756  
28757 -       atomic_inc(&qps_created);
28758 +       atomic_inc_unchecked(&qps_created);
28759         switch (init_attr->qp_type) {
28760                 case IB_QPT_RC:
28761                         if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
28762 @@ -1460,7 +1460,7 @@ static int nes_destroy_qp(struct ib_qp *
28763         struct iw_cm_event cm_event;
28764         int ret;
28765  
28766 -       atomic_inc(&sw_qps_destroyed);
28767 +       atomic_inc_unchecked(&sw_qps_destroyed);
28768         nesqp->destroyed = 1;
28769  
28770         /* Blow away the connection if it exists. */
28771 diff -urNp linux-3.1.1/drivers/infiniband/hw/qib/qib.h linux-3.1.1/drivers/infiniband/hw/qib/qib.h
28772 --- linux-3.1.1/drivers/infiniband/hw/qib/qib.h 2011-11-11 15:19:27.000000000 -0500
28773 +++ linux-3.1.1/drivers/infiniband/hw/qib/qib.h 2011-11-16 18:39:07.000000000 -0500
28774 @@ -51,6 +51,7 @@
28775  #include <linux/completion.h>
28776  #include <linux/kref.h>
28777  #include <linux/sched.h>
28778 +#include <linux/slab.h>
28779  
28780  #include "qib_common.h"
28781  #include "qib_verbs.h"
28782 diff -urNp linux-3.1.1/drivers/input/gameport/gameport.c linux-3.1.1/drivers/input/gameport/gameport.c
28783 --- linux-3.1.1/drivers/input/gameport/gameport.c       2011-11-11 15:19:27.000000000 -0500
28784 +++ linux-3.1.1/drivers/input/gameport/gameport.c       2011-11-16 18:39:07.000000000 -0500
28785 @@ -488,14 +488,14 @@ EXPORT_SYMBOL(gameport_set_phys);
28786   */
28787  static void gameport_init_port(struct gameport *gameport)
28788  {
28789 -       static atomic_t gameport_no = ATOMIC_INIT(0);
28790 +       static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
28791  
28792         __module_get(THIS_MODULE);
28793  
28794         mutex_init(&gameport->drv_mutex);
28795         device_initialize(&gameport->dev);
28796         dev_set_name(&gameport->dev, "gameport%lu",
28797 -                       (unsigned long)atomic_inc_return(&gameport_no) - 1);
28798 +                       (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
28799         gameport->dev.bus = &gameport_bus;
28800         gameport->dev.release = gameport_release_port;
28801         if (gameport->parent)
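Review bot: gameport_no is a device-numbering sequence rather than a statistic: its value feeds dev_set_name() directly, so a wrapped counter would hand out a duplicate name rather than just skew a number. At one increment per registered port that is not a practical concern, but the justification differs from the pure statistics counters converted elsewhere in this patch and deserves its own comment, `/* numbering sequence only; overflow would at worst repeat a name */`. input.c (input_no) and serio.c (serio_no) below make the same change and could carry the same note.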
28802 diff -urNp linux-3.1.1/drivers/input/input.c linux-3.1.1/drivers/input/input.c
28803 --- linux-3.1.1/drivers/input/input.c   2011-11-11 15:19:27.000000000 -0500
28804 +++ linux-3.1.1/drivers/input/input.c   2011-11-16 18:39:07.000000000 -0500
28805 @@ -1814,7 +1814,7 @@ static void input_cleanse_bitmasks(struc
28806   */
28807  int input_register_device(struct input_dev *dev)
28808  {
28809 -       static atomic_t input_no = ATOMIC_INIT(0);
28810 +       static atomic_unchecked_t input_no = ATOMIC_INIT(0);
28811         struct input_handler *handler;
28812         const char *path;
28813         int error;
28814 @@ -1851,7 +1851,7 @@ int input_register_device(struct input_d
28815                 dev->setkeycode = input_default_setkeycode;
28816  
28817         dev_set_name(&dev->dev, "input%ld",
28818 -                    (unsigned long) atomic_inc_return(&input_no) - 1);
28819 +                    (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
28820  
28821         error = device_add(&dev->dev);
28822         if (error)
28823 diff -urNp linux-3.1.1/drivers/input/joystick/sidewinder.c linux-3.1.1/drivers/input/joystick/sidewinder.c
28824 --- linux-3.1.1/drivers/input/joystick/sidewinder.c     2011-11-11 15:19:27.000000000 -0500
28825 +++ linux-3.1.1/drivers/input/joystick/sidewinder.c     2011-11-16 18:40:10.000000000 -0500
28826 @@ -30,6 +30,7 @@
28827  #include <linux/kernel.h>
28828  #include <linux/module.h>
28829  #include <linux/slab.h>
28830 +#include <linux/sched.h>
28831  #include <linux/init.h>
28832  #include <linux/input.h>
28833  #include <linux/gameport.h>
28834 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
28835         unsigned char buf[SW_LENGTH];
28836         int i;
28837  
28838 +       pax_track_stack();
28839 +
28840         i = sw_read_packet(sw->gameport, buf, sw->length, 0);
28841  
28842         if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) {             /* Broken packet, try to fix */
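Review bot: sidewinder.c adds `#include <linux/sched.h>` alongside the new pax_track_stack() call, but the eicon files further down (capidtmf.c, capifunc.c, diddfunc.c, divasfunc.c, idifunc.c, message.c, mntfunc.c) insert the same call with no new include, so either the include here is redundant or those files depend on it arriving transitively; the eight insertions should be made consistent one way or the other. None of the call sites says why the hook is there; presumably it registers frames with large on-stack buffers (here `buf[SW_LENGTH]`, in the eicon files `DIDD_Table[MAX_DESCRIPTORS]`) for stack-depth tracking, and a comment such as `/* large on-stack buffer above: register this frame for stack-depth tracking */` at each site would spare the next reader a trip to the PaX documentation. The message.c add_b1 hunk also leaves two consecutive blank lines after the inserted call. sw_read's body continues outside the hunk.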
28843 diff -urNp linux-3.1.1/drivers/input/joystick/xpad.c linux-3.1.1/drivers/input/joystick/xpad.c
28844 --- linux-3.1.1/drivers/input/joystick/xpad.c   2011-11-11 15:19:27.000000000 -0500
28845 +++ linux-3.1.1/drivers/input/joystick/xpad.c   2011-11-16 18:39:07.000000000 -0500
28846 @@ -710,7 +710,7 @@ static void xpad_led_set(struct led_clas
28847  
28848  static int xpad_led_probe(struct usb_xpad *xpad)
28849  {
28850 -       static atomic_t led_seq = ATOMIC_INIT(0);
28851 +       static atomic_unchecked_t led_seq       = ATOMIC_INIT(0);
28852         long led_no;
28853         struct xpad_led *led;
28854         struct led_classdev *led_cdev;
28855 @@ -723,7 +723,7 @@ static int xpad_led_probe(struct usb_xpa
28856         if (!led)
28857                 return -ENOMEM;
28858  
28859 -       led_no = (long)atomic_inc_return(&led_seq) - 1;
28860 +       led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
28861  
28862         snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
28863         led->xpad = xpad;
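Review bot: The rewritten declaration at the top of xpad_led_probe has a run of whitespace between `led_seq` and `=` that the original line did not, and nothing on the following lines is aligned to it. `static atomic_unchecked_t led_seq = ATOMIC_INIT(0);` matches the neighbouring declarations and the equivalent lines in gameport.c, input.c and serio.c.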
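--- a/drivers/input/mousedev.c
+++ b/drivers/input/mousedev.c
@@ -763,7 +763,7 @@ static ssize_t mousedev_read(struct file
 
 	spin_unlock_irq(&client->packet_lock);
 
-	if (copy_to_user(buffer, data, count))
+	if (count > sizeof(data) || copy_to_user(buffer, data, count))
 		return -EFAULT;
 
 	return count;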
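Review bot: The new length guard returns -EFAULT for an oversized count, which userspace reads as a bad pointer; -EINVAL is the conventional errno for a bad length, so `if (count > sizeof(data)) return -EINVAL;` on its own line before the copy would report the right thing and keep the buffer-size check separate from the user-pointer check. If count is already clamped to the bytes available earlier in mousedev_read (the function body starts outside the hunk), the guard is defense in depth and a comment saying so would stop the next reader from hunting for a missing clamp.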
28876 diff -urNp linux-3.1.1/drivers/input/serio/serio.c linux-3.1.1/drivers/input/serio/serio.c
28877 --- linux-3.1.1/drivers/input/serio/serio.c     2011-11-11 15:19:27.000000000 -0500
28878 +++ linux-3.1.1/drivers/input/serio/serio.c     2011-11-16 18:39:07.000000000 -0500
28879 @@ -497,7 +497,7 @@ static void serio_release_port(struct de
28880   */
28881  static void serio_init_port(struct serio *serio)
28882  {
28883 -       static atomic_t serio_no = ATOMIC_INIT(0);
28884 +       static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
28885  
28886         __module_get(THIS_MODULE);
28887  
28888 @@ -508,7 +508,7 @@ static void serio_init_port(struct serio
28889         mutex_init(&serio->drv_mutex);
28890         device_initialize(&serio->dev);
28891         dev_set_name(&serio->dev, "serio%ld",
28892 -                       (long)atomic_inc_return(&serio_no) - 1);
28893 +                       (long)atomic_inc_return_unchecked(&serio_no) - 1);
28894         serio->dev.bus = &serio_bus;
28895         serio->dev.release = serio_release_port;
28896         serio->dev.groups = serio_device_attr_groups;
28897 diff -urNp linux-3.1.1/drivers/isdn/capi/capi.c linux-3.1.1/drivers/isdn/capi/capi.c
28898 --- linux-3.1.1/drivers/isdn/capi/capi.c        2011-11-11 15:19:27.000000000 -0500
28899 +++ linux-3.1.1/drivers/isdn/capi/capi.c        2011-11-16 18:39:07.000000000 -0500
28900 @@ -83,8 +83,8 @@ struct capiminor {
28901  
28902         struct capi20_appl      *ap;
28903         u32                     ncci;
28904 -       atomic_t                datahandle;
28905 -       atomic_t                msgid;
28906 +       atomic_unchecked_t      datahandle;
28907 +       atomic_unchecked_t      msgid;
28908  
28909         struct tty_port port;
28910         int                ttyinstop;
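Review bot: datahandle and msgid become atomic_unchecked_t without a note on why overflow detection is waived for them. Both are sequence numbers that the hunks below truncate to 16 bits on the wire through capimsg_setu16(), so wrapping is part of the protocol rather than a defect; a comment on the fields, `/* wire sequence numbers, truncated to u16: wraparound is intentional */`, would keep a future audit from reinstating checked atomics here.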
28911 @@ -397,7 +397,7 @@ gen_data_b3_resp_for(struct capiminor *m
28912                 capimsg_setu16(s, 2, mp->ap->applid);
28913                 capimsg_setu8 (s, 4, CAPI_DATA_B3);
28914                 capimsg_setu8 (s, 5, CAPI_RESP);
28915 -               capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
28916 +               capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
28917                 capimsg_setu32(s, 8, mp->ncci);
28918                 capimsg_setu16(s, 12, datahandle);
28919         }
28920 @@ -518,14 +518,14 @@ static void handle_minor_send(struct cap
28921                 mp->outbytes -= len;
28922                 spin_unlock_bh(&mp->outlock);
28923  
28924 -               datahandle = atomic_inc_return(&mp->datahandle);
28925 +               datahandle = atomic_inc_return_unchecked(&mp->datahandle);
28926                 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
28927                 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
28928                 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
28929                 capimsg_setu16(skb->data, 2, mp->ap->applid);
28930                 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
28931                 capimsg_setu8 (skb->data, 5, CAPI_REQ);
28932 -               capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
28933 +               capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
28934                 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
28935                 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
28936                 capimsg_setu16(skb->data, 16, len);     /* Data length */
28937 diff -urNp linux-3.1.1/drivers/isdn/gigaset/common.c linux-3.1.1/drivers/isdn/gigaset/common.c
28938 --- linux-3.1.1/drivers/isdn/gigaset/common.c   2011-11-11 15:19:27.000000000 -0500
28939 +++ linux-3.1.1/drivers/isdn/gigaset/common.c   2011-11-16 18:39:07.000000000 -0500
28940 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct 
28941         cs->commands_pending = 0;
28942         cs->cur_at_seq = 0;
28943         cs->gotfwver = -1;
28944 -       cs->open_count = 0;
28945 +       local_set(&cs->open_count, 0);
28946         cs->dev = NULL;
28947         cs->tty = NULL;
28948         cs->tty_dev = NULL;
28949 diff -urNp linux-3.1.1/drivers/isdn/gigaset/gigaset.h linux-3.1.1/drivers/isdn/gigaset/gigaset.h
28950 --- linux-3.1.1/drivers/isdn/gigaset/gigaset.h  2011-11-11 15:19:27.000000000 -0500
28951 +++ linux-3.1.1/drivers/isdn/gigaset/gigaset.h  2011-11-16 18:39:07.000000000 -0500
28952 @@ -35,6 +35,7 @@
28953  #include <linux/tty_driver.h>
28954  #include <linux/list.h>
28955  #include <linux/atomic.h>
28956 +#include <asm/local.h>
28957  
28958  #define GIG_VERSION {0, 5, 0, 0}
28959  #define GIG_COMPAT  {0, 4, 0, 0}
28960 @@ -433,7 +434,7 @@ struct cardstate {
28961         spinlock_t cmdlock;
28962         unsigned curlen, cmdbytes;
28963  
28964 -       unsigned open_count;
28965 +       local_t open_count;
28966         struct tty_struct *tty;
28967         struct tasklet_struct if_wake_tasklet;
28968         unsigned control_state;
28969 diff -urNp linux-3.1.1/drivers/isdn/gigaset/interface.c linux-3.1.1/drivers/isdn/gigaset/interface.c
28970 --- linux-3.1.1/drivers/isdn/gigaset/interface.c        2011-11-11 15:19:27.000000000 -0500
28971 +++ linux-3.1.1/drivers/isdn/gigaset/interface.c        2011-11-16 18:39:07.000000000 -0500
28972 @@ -162,9 +162,7 @@ static int if_open(struct tty_struct *tt
28973         }
28974         tty->driver_data = cs;
28975  
28976 -       ++cs->open_count;
28977 -
28978 -       if (cs->open_count == 1) {
28979 +       if (local_inc_return(&cs->open_count) == 1) {
28980                 spin_lock_irqsave(&cs->lock, flags);
28981                 cs->tty = tty;
28982                 spin_unlock_irqrestore(&cs->lock, flags);
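Review bot: local_t is the per-CPU counter type (asm/local.h, newly included in gigaset.h by this patch), and its operations are not guaranteed to be atomic across CPUs on every architecture; cs->open_count is a per-device field that if_open and if_close update from whichever CPU the opening or closing process happens to run on. The conversion is therefore only sound if those paths are already serialized, presumably by the tty layer, in which case the original plain `++cs->open_count` was equally safe and the change buys nothing; if they can race, atomic_t with `atomic_inc_return()` / `atomic_dec_return()` is the type that actually provides the guarantee. The remaining hunks in this file and the local_set() in common.c follow from the same choice, so the rationale should be recorded once, for example above the field in gigaset.h. if_open's body begins outside the hunk.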
28983 @@ -192,10 +190,10 @@ static void if_close(struct tty_struct *
28984  
28985         if (!cs->connected)
28986                 gig_dbg(DEBUG_IF, "not connected");     /* nothing to do */
28987 -       else if (!cs->open_count)
28988 +       else if (!local_read(&cs->open_count))
28989                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28990         else {
28991 -               if (!--cs->open_count) {
28992 +               if (!local_dec_return(&cs->open_count)) {
28993                         spin_lock_irqsave(&cs->lock, flags);
28994                         cs->tty = NULL;
28995                         spin_unlock_irqrestore(&cs->lock, flags);
28996 @@ -230,7 +228,7 @@ static int if_ioctl(struct tty_struct *t
28997         if (!cs->connected) {
28998                 gig_dbg(DEBUG_IF, "not connected");
28999                 retval = -ENODEV;
29000 -       } else if (!cs->open_count)
29001 +       } else if (!local_read(&cs->open_count))
29002                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29003         else {
29004                 retval = 0;
29005 @@ -360,7 +358,7 @@ static int if_write(struct tty_struct *t
29006                 retval = -ENODEV;
29007                 goto done;
29008         }
29009 -       if (!cs->open_count) {
29010 +       if (!local_read(&cs->open_count)) {
29011                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29012                 retval = -ENODEV;
29013                 goto done;
29014 @@ -413,7 +411,7 @@ static int if_write_room(struct tty_stru
29015         if (!cs->connected) {
29016                 gig_dbg(DEBUG_IF, "not connected");
29017                 retval = -ENODEV;
29018 -       } else if (!cs->open_count)
29019 +       } else if (!local_read(&cs->open_count))
29020                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29021         else if (cs->mstate != MS_LOCKED) {
29022                 dev_warn(cs->dev, "can't write to unlocked device\n");
29023 @@ -443,7 +441,7 @@ static int if_chars_in_buffer(struct tty
29024  
29025         if (!cs->connected)
29026                 gig_dbg(DEBUG_IF, "not connected");
29027 -       else if (!cs->open_count)
29028 +       else if (!local_read(&cs->open_count))
29029                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29030         else if (cs->mstate != MS_LOCKED)
29031                 dev_warn(cs->dev, "can't write to unlocked device\n");
29032 @@ -471,7 +469,7 @@ static void if_throttle(struct tty_struc
29033  
29034         if (!cs->connected)
29035                 gig_dbg(DEBUG_IF, "not connected");     /* nothing to do */
29036 -       else if (!cs->open_count)
29037 +       else if (!local_read(&cs->open_count))
29038                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29039         else
29040                 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
29041 @@ -495,7 +493,7 @@ static void if_unthrottle(struct tty_str
29042  
29043         if (!cs->connected)
29044                 gig_dbg(DEBUG_IF, "not connected");     /* nothing to do */
29045 -       else if (!cs->open_count)
29046 +       else if (!local_read(&cs->open_count))
29047                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29048         else
29049                 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
29050 @@ -526,7 +524,7 @@ static void if_set_termios(struct tty_st
29051                 goto out;
29052         }
29053  
29054 -       if (!cs->open_count) {
29055 +       if (!local_read(&cs->open_count)) {
29056                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29057                 goto out;
29058         }
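--- a/drivers/isdn/hardware/avm/b1.c
+++ b/drivers/isdn/hardware/avm/b1.c
@@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
 	}
 	if (left) {
 		if (t4file->user) {
-			if (copy_from_user(buf, dp, left))
+			if (left > sizeof buf || copy_from_user(buf, dp, left))
 				return -EFAULT;
 		} else {
 			memcpy(buf, dp, left);
@@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
 	}
 	if (left) {
 		if (config->user) {
-			if (copy_from_user(buf, dp, left))
+			if (left > sizeof buf || copy_from_user(buf, dp, left))
 				return -EFAULT;
 		} else {
 			memcpy(buf, dp, left);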
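Review bot: The added `left > sizeof buf` check only covers the copy_from_user() branch; the `else { memcpy(buf, dp, left); }` branch three lines below copies the same `left` bytes into the same `buf` without it, so the bound holds for user-supplied images but not for in-kernel ones. Hoisting the check above the `if (t4file->user)` test, `if (left > sizeof buf) return -EINVAL;`, protects both paths with one line and reports a bad length rather than a bad pointer; the same applies to the b1_load_config hunk below. Both functions start outside their hunks, so whether `left` is already bounded by the way it is derived from the remaining length cannot be confirmed from here.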
29080 diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/capidtmf.c linux-3.1.1/drivers/isdn/hardware/eicon/capidtmf.c
29081 --- linux-3.1.1/drivers/isdn/hardware/eicon/capidtmf.c  2011-11-11 15:19:27.000000000 -0500
29082 +++ linux-3.1.1/drivers/isdn/hardware/eicon/capidtmf.c  2011-11-16 18:40:10.000000000 -0500
29083 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
29084    byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
29085      short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
29086  
29087 +  pax_track_stack();
29088  
29089    if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
29090    {
29091 diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/capifunc.c linux-3.1.1/drivers/isdn/hardware/eicon/capifunc.c
29092 --- linux-3.1.1/drivers/isdn/hardware/eicon/capifunc.c  2011-11-11 15:19:27.000000000 -0500
29093 +++ linux-3.1.1/drivers/isdn/hardware/eicon/capifunc.c  2011-11-16 18:40:10.000000000 -0500
29094 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
29095         IDI_SYNC_REQ req;
29096         DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29097  
29098 +       pax_track_stack();
29099 +
29100         DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29101  
29102         for (x = 0; x < MAX_DESCRIPTORS; x++) {
29103 diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/diddfunc.c linux-3.1.1/drivers/isdn/hardware/eicon/diddfunc.c
29104 --- linux-3.1.1/drivers/isdn/hardware/eicon/diddfunc.c  2011-11-11 15:19:27.000000000 -0500
29105 +++ linux-3.1.1/drivers/isdn/hardware/eicon/diddfunc.c  2011-11-16 18:40:10.000000000 -0500
29106 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
29107         IDI_SYNC_REQ req;
29108         DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29109  
29110 +       pax_track_stack();
29111 +
29112         DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29113  
29114         for (x = 0; x < MAX_DESCRIPTORS; x++) {
29115 diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/divasfunc.c linux-3.1.1/drivers/isdn/hardware/eicon/divasfunc.c
29116 --- linux-3.1.1/drivers/isdn/hardware/eicon/divasfunc.c 2011-11-11 15:19:27.000000000 -0500
29117 +++ linux-3.1.1/drivers/isdn/hardware/eicon/divasfunc.c 2011-11-16 18:40:10.000000000 -0500
29118 @@ -160,6 +160,8 @@ static int DIVA_INIT_FUNCTION connect_di
29119         IDI_SYNC_REQ req;
29120         DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29121  
29122 +       pax_track_stack();
29123 +
29124         DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29125  
29126         for (x = 0; x < MAX_DESCRIPTORS; x++) {
29127 diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/divasync.h linux-3.1.1/drivers/isdn/hardware/eicon/divasync.h
29128 --- linux-3.1.1/drivers/isdn/hardware/eicon/divasync.h  2011-11-11 15:19:27.000000000 -0500
29129 +++ linux-3.1.1/drivers/isdn/hardware/eicon/divasync.h  2011-11-16 18:39:07.000000000 -0500
29130 @@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter {
29131  } diva_didd_add_adapter_t;
29132  typedef struct _diva_didd_remove_adapter {
29133   IDI_CALL p_request;
29134 -} diva_didd_remove_adapter_t;
29135 +} __no_const diva_didd_remove_adapter_t;
29136  typedef struct _diva_didd_read_adapter_array {
29137   void   * buffer;
29138   dword length;
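Review bot: `__no_const` on diva_didd_remove_adapter_t is not explained; the struct holds a single function pointer (`IDI_CALL p_request`), which is presumably what a constification pass would otherwise make read-only, so the annotation records that this instance is assigned at run time. A comment stating that, `/* filled in at run time; must not be constified */`, makes the exemption auditable, and the same applies to diva_os_idi_adapter_interface_t in xdi_adapter.h below.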
29139 diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/idifunc.c linux-3.1.1/drivers/isdn/hardware/eicon/idifunc.c
29140 --- linux-3.1.1/drivers/isdn/hardware/eicon/idifunc.c   2011-11-11 15:19:27.000000000 -0500
29141 +++ linux-3.1.1/drivers/isdn/hardware/eicon/idifunc.c   2011-11-16 18:40:10.000000000 -0500
29142 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
29143         IDI_SYNC_REQ req;
29144         DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29145  
29146 +       pax_track_stack();
29147 +
29148         DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29149  
29150         for (x = 0; x < MAX_DESCRIPTORS; x++) {
29151 diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/message.c linux-3.1.1/drivers/isdn/hardware/eicon/message.c
29152 --- linux-3.1.1/drivers/isdn/hardware/eicon/message.c   2011-11-11 15:19:27.000000000 -0500
29153 +++ linux-3.1.1/drivers/isdn/hardware/eicon/message.c   2011-11-16 18:40:10.000000000 -0500
29154 @@ -4886,6 +4886,8 @@ static void sig_ind(PLCI *plci)
29155    dword d;
29156    word w;
29157  
29158 +  pax_track_stack();
29159 +
29160    a = plci->adapter;
29161    Id = ((word)plci->Id<<8)|a->Id;
29162    PUT_WORD(&SS_Ind[4],0x0000);
29163 @@ -7480,6 +7482,8 @@ static word add_b1(PLCI *plci, API_PARSE
29164    word j, n, w;
29165    dword d;
29166  
29167 +  pax_track_stack();
29168 +
29169  
29170    for(i=0;i<8;i++) bp_parms[i].length = 0;
29171    for(i=0;i<2;i++) global_config[i].length = 0;
29172 @@ -7954,6 +7958,8 @@ static word add_b23(PLCI *plci, API_PARS
29173    const byte llc3[] = {4,3,2,2,6,6,0};
29174    const byte header[] = {0,2,3,3,0,0,0};
29175  
29176 +  pax_track_stack();
29177 +
29178    for(i=0;i<8;i++) bp_parms[i].length = 0;
29179    for(i=0;i<6;i++) b2_config_parms[i].length = 0;
29180    for(i=0;i<5;i++) b3_config_parms[i].length = 0;
29181 @@ -14741,6 +14747,8 @@ static void group_optimization(DIVA_CAPI
29182    word appl_number_group_type[MAX_APPL];
29183    PLCI   *auxplci;
29184  
29185 +  pax_track_stack();
29186 +
29187    set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
29188  
29189    if(!a->group_optimization_enabled)
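--- a/drivers/isdn/hardware/eicon/mntfunc.c
+++ b/drivers/isdn/hardware/eicon/mntfunc.c
@@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
        IDI_SYNC_REQ req;
        DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
 
+       pax_track_stack();
+
        DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
 
        for (x = 0; x < MAX_DESCRIPTORS; x++) {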
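--- a/drivers/isdn/hardware/eicon/xdi_adapter.h
+++ b/drivers/isdn/hardware/eicon/xdi_adapter.h
@@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t {
 typedef struct _diva_os_idi_adapter_interface {
        diva_init_card_proc_t cleanup_adapter_proc;
        diva_cmd_card_proc_t cmd_proc;
-} diva_os_idi_adapter_interface_t;
+} __no_const diva_os_idi_adapter_interface_t;
 
 typedef struct _diva_os_xdi_adapter {
        struct list_head link;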
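Review bot: `__no_const` on diva_os_idi_adapter_interface_t carries no explanation, and the visible members are all callback-typed (`diva_init_card_proc_t`, `diva_cmd_card_proc_t`), which is exactly the shape that would otherwise be made read-only, so a later cleanup could easily strip the annotation. A one-line comment at the typedef pins the reason: `/* filled in at runtime by the adapter code, so it must stay writable (exempt from constify) */` — that it is written at runtime is my inference from the annotation, please confirm against the writers. The typedef is complete within the hunk.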
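--- a/drivers/isdn/i4l/isdn_common.c
+++ b/drivers/isdn/i4l/isdn_common.c
@@ -1286,6 +1286,8 @@ isdn_ioctl(struct file *file, uint cmd, 
        } iocpar;
        void __user *argp = (void __user *)arg;
 
+       pax_track_stack();
+
 #define name  iocpar.name
 #define bname iocpar.bname
 #define iocts iocpar.iocts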
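--- a/drivers/isdn/icn/icn.c
+++ b/drivers/isdn/icn/icn.c
@@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
                if (count > len)
                        count = len;
                if (user) {
-                       if (copy_from_user(msg, buf, count))
+                       if (count > sizeof msg || copy_from_user(msg, buf, count))
                                return -EFAULT;
                } else
                        memcpy(msg, buf, count);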
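Review bot: The new length guard only protects the `user` path; the `else` branch two lines below still does `memcpy(msg, buf, count)` with no bound against `sizeof msg`, so an in-kernel caller passing an oversized `len` hits the same overrun the user path now rejects. Hoisting the check above the branch, `if (count > sizeof msg) return -EINVAL;`, covers both paths and uses the error code that fits a length violation rather than -EFAULT. `len` is declared `int` in the signature; if `count` is too, a negative value converts to a huge `size_t` in `count > sizeof msg` and is rejected, which is the desired outcome but worth a comment so nobody "fixes" the signed/unsigned comparison warning by casting. icn_writecmd starts and ends outside the hunk.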
29238 diff -urNp linux-3.1.1/drivers/lguest/core.c linux-3.1.1/drivers/lguest/core.c
29239 --- linux-3.1.1/drivers/lguest/core.c   2011-11-11 15:19:27.000000000 -0500
29240 +++ linux-3.1.1/drivers/lguest/core.c   2011-11-16 18:39:07.000000000 -0500
29241 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
29242          * it's worked so far.  The end address needs +1 because __get_vm_area
29243          * allocates an extra guard page, so we need space for that.
29244          */
29245 +
29246 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29247 +       switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
29248 +                                    VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
29249 +                                    + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
29250 +#else
29251         switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
29252                                      VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
29253                                      + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
29254 +#endif
29255 +
29256         if (!switcher_vma) {
29257                 err = -ENOMEM;
29258                 printk("lguest: could not map switcher pages high\n");
29259 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
29260          * Now the Switcher is mapped at the right address, we can't fail!
29261          * Copy in the compiled-in Switcher code (from x86/switcher_32.S).
29262          */
29263 -       memcpy(switcher_vma->addr, start_switcher_text,
29264 +       memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
29265                end_switcher_text - start_switcher_text);
29266  
29267         printk(KERN_INFO "lguest: mapped switcher at %p\n",
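Review bot: The `#if`/`#else` added to map_switcher duplicates the entire `__get_vm_area` call just to add one flag, so the two copies will drift apart on the next edit to the arguments. Computing the flags once and keeping a single call makes the KERNEXEC-only difference visible at a glance. The `ktla_ktva` applied to the memcpy source in the second hunk would also benefit from a short comment on why the source address needs translating; I have not asserted one because the translation's direction is not evident from this page. map_switcher starts and ends outside the hunks.
```c
        unsigned long vm_flags = VM_ALLOC;

#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
        /* the only KERNEXEC-specific difference: the extra VM_KERNEXEC flag */
        vm_flags |= VM_KERNEXEC;
#endif
        switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
                                     vm_flags, SWITCHER_ADDR, SWITCHER_ADDR
                                     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
        /* … unchanged: NULL check and error path … */
```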
29268 diff -urNp linux-3.1.1/drivers/lguest/x86/core.c linux-3.1.1/drivers/lguest/x86/core.c
29269 --- linux-3.1.1/drivers/lguest/x86/core.c       2011-11-11 15:19:27.000000000 -0500
29270 +++ linux-3.1.1/drivers/lguest/x86/core.c       2011-11-16 18:39:07.000000000 -0500
29271 @@ -59,7 +59,7 @@ static struct {
29272  /* Offset from where switcher.S was compiled to where we've copied it */
29273  static unsigned long switcher_offset(void)
29274  {
29275 -       return SWITCHER_ADDR - (unsigned long)start_switcher_text;
29276 +       return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
29277  }
29278  
29279  /* This cpu's struct lguest_pages. */
29280 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
29281          * These copies are pretty cheap, so we do them unconditionally: */
29282         /* Save the current Host top-level page directory.
29283          */
29284 +
29285 +#ifdef CONFIG_PAX_PER_CPU_PGD
29286 +       pages->state.host_cr3 = read_cr3();
29287 +#else
29288         pages->state.host_cr3 = __pa(current->mm->pgd);
29289 +#endif
29290 +
29291         /*
29292          * Set up the Guest's page tables to see this CPU's pages (and no
29293          * other CPU's pages).
29294 @@ -472,7 +478,7 @@ void __init lguest_arch_host_init(void)
29295          * compiled-in switcher code and the high-mapped copy we just made.
29296          */
29297         for (i = 0; i < IDT_ENTRIES; i++)
29298 -               default_idt_entries[i] += switcher_offset();
29299 +               default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
29300  
29301         /*
29302          * Set up the Switcher's per-cpu areas.
29303 @@ -555,7 +561,7 @@ void __init lguest_arch_host_init(void)
29304          * it will be undisturbed when we switch.  To change %cs and jump we
29305          * need this structure to feed to Intel's "lcall" instruction.
29306          */
29307 -       lguest_entry.offset = (long)switch_to_guest + switcher_offset();
29308 +       lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
29309         lguest_entry.segment = LGUEST_CS;
29310  
29311         /*
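Review bot: The CONFIG_PAX_PER_CPU_PGD branch in copy_in_guest_info swaps `__pa(current->mm->pgd)` for `read_cr3()` without saying why, while the comment just above still reads "Save the current Host top-level page directory" as if both expressions named the same value. A short comment would make the divergence deliberate: `/* with per-CPU PGDs the PGD in use is not current->mm->pgd; save what CR3 actually holds */` — that is my reading of the option name, please confirm. The four `ktla_ktva` sites in this file (switcher_offset, the IDT loop, lguest_entry.offset) likewise deserve one explanatory comment at switcher_offset, e.g. `/* start_switcher_text is a link-time address; translate it before subtracting */`, again to be confirmed against ktla_ktva's definition. copy_in_guest_info and lguest_arch_host_init both extend beyond their hunks.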
29312 diff -urNp linux-3.1.1/drivers/lguest/x86/switcher_32.S linux-3.1.1/drivers/lguest/x86/switcher_32.S
29313 --- linux-3.1.1/drivers/lguest/x86/switcher_32.S        2011-11-11 15:19:27.000000000 -0500
29314 +++ linux-3.1.1/drivers/lguest/x86/switcher_32.S        2011-11-16 18:39:07.000000000 -0500
29315 @@ -87,6 +87,7 @@
29316  #include <asm/page.h>
29317  #include <asm/segment.h>
29318  #include <asm/lguest.h>
29319 +#include <asm/processor-flags.h>
29320  
29321  // We mark the start of the code to copy
29322  // It's placed in .text tho it's never run here
29323 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
29324         // Changes type when we load it: damn Intel!
29325         // For after we switch over our page tables
29326         // That entry will be read-only: we'd crash.
29327 +
29328 +#ifdef CONFIG_PAX_KERNEXEC
29329 +       mov     %cr0, %edx
29330 +       xor     $X86_CR0_WP, %edx
29331 +       mov     %edx, %cr0
29332 +#endif
29333 +
29334         movl    $(GDT_ENTRY_TSS*8), %edx
29335         ltr     %dx
29336  
29337 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
29338         // Let's clear it again for our return.
29339         // The GDT descriptor of the Host
29340         // Points to the table after two "size" bytes
29341 -       movl    (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
29342 +       movl    (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
29343         // Clear "used" from type field (byte 5, bit 2)
29344 -       andb    $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
29345 +       andb    $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
29346 +
29347 +#ifdef CONFIG_PAX_KERNEXEC
29348 +       mov     %cr0, %eax
29349 +       xor     $X86_CR0_WP, %eax
29350 +       mov     %eax, %cr0
29351 +#endif
29352  
29353         // Once our page table's switched, the Guest is live!
29354         // The Host fades as we run this final step.
29355 @@ -295,13 +309,12 @@ deliver_to_host:
29356         // I consulted gcc, and it gave
29357         // These instructions, which I gladly credit:
29358         leal    (%edx,%ebx,8), %eax
29359 -       movzwl  (%eax),%edx
29360 -       movl    4(%eax), %eax
29361 -       xorw    %ax, %ax
29362 -       orl     %eax, %edx
29363 +       movl    4(%eax), %edx
29364 +       movw    (%eax), %dx
29365         // Now the address of the handler's in %edx
29366         // We call it now: its "iret" drops us home.
29367 -       jmp     *%edx
29368 +       ljmp    $__KERNEL_CS, $1f
29369 +1:     jmp     *%edx
29370  
29371  // Every interrupt can come to us here
29372  // But we must truly tell each apart.
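Review bot: In the second switch_to_guest hunk the host GDT base is now loaded into `%eax` instead of `%edx`, which overwrites the lguest_pages pointer that the very same instruction indexes off (`(LGUEST_PAGES_host_gdt_desc+2)(%eax)`); `%edx` is free at that point (its last value was only the TSS selector for `ltr`), so the register change looks unnecessary, and if anything after the hunk — for instance the page-table switch the following comment announces — still dereferences `%eax`, it will now read through the GDT base. Keeping `%edx` for both the GDT base and the CR0 scratch, as the first hunk already does with `%edx`, avoids the question entirely. The CR0 sequences toggle WP with `xor` rather than clearing and then setting it, so they silently assume WP is set on entry and that the two blocks always execute as a pair; a comment would make that explicit: `// KERNEXEC: the Host GDT is presumably read-only; toggle CR0.WP around the busy-bit clear (assumes WP=1 on entry)`. In deliver_to_host, the new `ljmp $__KERNEL_CS, $1f` also needs a line saying why %cs must be reloaded before the indirect jump. switch_to_guest continues past the hunk, so the %eax question cannot be settled from this page.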
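--- a/drivers/macintosh/macio_asic.c
+++ b/drivers/macintosh/macio_asic.c
@@ -748,7 +748,7 @@ static void __devexit macio_pci_remove(s
  * MacIO is matched against any Apple ID, it's probe() function
  * will then decide wether it applies or not
  */
-static const struct pci_device_id __devinitdata pci_ids [] = { {
+static const struct pci_device_id __devinitconst pci_ids [] = { {
        .vendor         = PCI_VENDOR_ID_APPLE,
        .device         = PCI_ANY_ID,
        .subvendor      = PCI_ANY_ID,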
29385 diff -urNp linux-3.1.1/drivers/md/dm.c linux-3.1.1/drivers/md/dm.c
29386 --- linux-3.1.1/drivers/md/dm.c 2011-11-11 15:19:27.000000000 -0500
29387 +++ linux-3.1.1/drivers/md/dm.c 2011-11-16 18:39:07.000000000 -0500
29388 @@ -165,9 +165,9 @@ struct mapped_device {
29389         /*
29390          * Event handling.
29391          */
29392 -       atomic_t event_nr;
29393 +       atomic_unchecked_t event_nr;
29394         wait_queue_head_t eventq;
29395 -       atomic_t uevent_seq;
29396 +       atomic_unchecked_t uevent_seq;
29397         struct list_head uevent_list;
29398         spinlock_t uevent_lock; /* Protect access to uevent_list */
29399  
29400 @@ -1843,8 +1843,8 @@ static struct mapped_device *alloc_dev(i
29401         rwlock_init(&md->map_lock);
29402         atomic_set(&md->holders, 1);
29403         atomic_set(&md->open_count, 0);
29404 -       atomic_set(&md->event_nr, 0);
29405 -       atomic_set(&md->uevent_seq, 0);
29406 +       atomic_set_unchecked(&md->event_nr, 0);
29407 +       atomic_set_unchecked(&md->uevent_seq, 0);
29408         INIT_LIST_HEAD(&md->uevent_list);
29409         spin_lock_init(&md->uevent_lock);
29410  
29411 @@ -1978,7 +1978,7 @@ static void event_callback(void *context
29412  
29413         dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
29414  
29415 -       atomic_inc(&md->event_nr);
29416 +       atomic_inc_unchecked(&md->event_nr);
29417         wake_up(&md->eventq);
29418  }
29419  
29420 @@ -2614,18 +2614,18 @@ int dm_kobject_uevent(struct mapped_devi
29421  
29422  uint32_t dm_next_uevent_seq(struct mapped_device *md)
29423  {
29424 -       return atomic_add_return(1, &md->uevent_seq);
29425 +       return atomic_add_return_unchecked(1, &md->uevent_seq);
29426  }
29427  
29428  uint32_t dm_get_event_nr(struct mapped_device *md)
29429  {
29430 -       return atomic_read(&md->event_nr);
29431 +       return atomic_read_unchecked(&md->event_nr);
29432  }
29433  
29434  int dm_wait_event(struct mapped_device *md, int event_nr)
29435  {
29436         return wait_event_interruptible(md->eventq,
29437 -                       (event_nr != atomic_read(&md->event_nr)));
29438 +                       (event_nr != atomic_read_unchecked(&md->event_nr)));
29439  }
29440  
29441  void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
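Review bot: The switch of event_nr and uevent_seq to atomic_unchecked_t in struct mapped_device is not explained at the field, and the same holds for every other counter this patch converts (error_count in dm-raid1.c and dm-stripe.c, md_event_count, read_errors, corrected_errors and sync_io in md.c/md.h, and their users in raid1.c, raid10.c and raid5.c). These are event or error counters that are expected to wrap — dm_wait_event only tests `event_nr != atomic_read_unchecked(&md->event_nr)` — not reference counts, so exempting them from overflow detection is the right call, but the distinction will not survive the next refactor unless it is written down where the type is declared: `atomic_unchecked_t event_nr; /* wrapping event counter, not a refcount: exempt from refcount overflow checks */`. Each converted field should carry the same one-line note. The struct and the functions touched here all extend beyond their hunks.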
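--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1578,7 +1578,7 @@ static int validate_params(uint cmd, str
            cmd == DM_LIST_VERSIONS_CMD)
                return 0;
 
-       if ((cmd == DM_DEV_CREATE_CMD)) {
+       if (cmd == DM_DEV_CREATE_CMD) {
                if (!*param->name) {
                        DMWARN("name not supplied when creating device");
                        return -EINVAL;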
29454 diff -urNp linux-3.1.1/drivers/md/dm-raid1.c linux-3.1.1/drivers/md/dm-raid1.c
29455 --- linux-3.1.1/drivers/md/dm-raid1.c   2011-11-11 15:19:27.000000000 -0500
29456 +++ linux-3.1.1/drivers/md/dm-raid1.c   2011-11-16 18:39:07.000000000 -0500
29457 @@ -40,7 +40,7 @@ enum dm_raid1_error {
29458  
29459  struct mirror {
29460         struct mirror_set *ms;
29461 -       atomic_t error_count;
29462 +       atomic_unchecked_t error_count;
29463         unsigned long error_type;
29464         struct dm_dev *dev;
29465         sector_t offset;
29466 @@ -185,7 +185,7 @@ static struct mirror *get_valid_mirror(s
29467         struct mirror *m;
29468  
29469         for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
29470 -               if (!atomic_read(&m->error_count))
29471 +               if (!atomic_read_unchecked(&m->error_count))
29472                         return m;
29473  
29474         return NULL;
29475 @@ -217,7 +217,7 @@ static void fail_mirror(struct mirror *m
29476          * simple way to tell if a device has encountered
29477          * errors.
29478          */
29479 -       atomic_inc(&m->error_count);
29480 +       atomic_inc_unchecked(&m->error_count);
29481  
29482         if (test_and_set_bit(error_type, &m->error_type))
29483                 return;
29484 @@ -408,7 +408,7 @@ static struct mirror *choose_mirror(stru
29485         struct mirror *m = get_default_mirror(ms);
29486  
29487         do {
29488 -               if (likely(!atomic_read(&m->error_count)))
29489 +               if (likely(!atomic_read_unchecked(&m->error_count)))
29490                         return m;
29491  
29492                 if (m-- == ms->mirror)
29493 @@ -422,7 +422,7 @@ static int default_ok(struct mirror *m)
29494  {
29495         struct mirror *default_mirror = get_default_mirror(m->ms);
29496  
29497 -       return !atomic_read(&default_mirror->error_count);
29498 +       return !atomic_read_unchecked(&default_mirror->error_count);
29499  }
29500  
29501  static int mirror_available(struct mirror_set *ms, struct bio *bio)
29502 @@ -559,7 +559,7 @@ static void do_reads(struct mirror_set *
29503                  */
29504                 if (likely(region_in_sync(ms, region, 1)))
29505                         m = choose_mirror(ms, bio->bi_sector);
29506 -               else if (m && atomic_read(&m->error_count))
29507 +               else if (m && atomic_read_unchecked(&m->error_count))
29508                         m = NULL;
29509  
29510                 if (likely(m))
29511 @@ -937,7 +937,7 @@ static int get_mirror(struct mirror_set 
29512         }
29513  
29514         ms->mirror[mirror].ms = ms;
29515 -       atomic_set(&(ms->mirror[mirror].error_count), 0);
29516 +       atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
29517         ms->mirror[mirror].error_type = 0;
29518         ms->mirror[mirror].offset = offset;
29519  
29520 @@ -1347,7 +1347,7 @@ static void mirror_resume(struct dm_targ
29521   */
29522  static char device_status_char(struct mirror *m)
29523  {
29524 -       if (!atomic_read(&(m->error_count)))
29525 +       if (!atomic_read_unchecked(&(m->error_count)))
29526                 return 'A';
29527  
29528         return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
29529 diff -urNp linux-3.1.1/drivers/md/dm-stripe.c linux-3.1.1/drivers/md/dm-stripe.c
29530 --- linux-3.1.1/drivers/md/dm-stripe.c  2011-11-11 15:19:27.000000000 -0500
29531 +++ linux-3.1.1/drivers/md/dm-stripe.c  2011-11-16 18:39:07.000000000 -0500
29532 @@ -20,7 +20,7 @@ struct stripe {
29533         struct dm_dev *dev;
29534         sector_t physical_start;
29535  
29536 -       atomic_t error_count;
29537 +       atomic_unchecked_t error_count;
29538  };
29539  
29540  struct stripe_c {
29541 @@ -192,7 +192,7 @@ static int stripe_ctr(struct dm_target *
29542                         kfree(sc);
29543                         return r;
29544                 }
29545 -               atomic_set(&(sc->stripe[i].error_count), 0);
29546 +               atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
29547         }
29548  
29549         ti->private = sc;
29550 @@ -314,7 +314,7 @@ static int stripe_status(struct dm_targe
29551                 DMEMIT("%d ", sc->stripes);
29552                 for (i = 0; i < sc->stripes; i++)  {
29553                         DMEMIT("%s ", sc->stripe[i].dev->name);
29554 -                       buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
29555 +                       buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
29556                                 'D' : 'A';
29557                 }
29558                 buffer[i] = '\0';
29559 @@ -361,8 +361,8 @@ static int stripe_end_io(struct dm_targe
29560          */
29561         for (i = 0; i < sc->stripes; i++)
29562                 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
29563 -                       atomic_inc(&(sc->stripe[i].error_count));
29564 -                       if (atomic_read(&(sc->stripe[i].error_count)) <
29565 +                       atomic_inc_unchecked(&(sc->stripe[i].error_count));
29566 +                       if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
29567                             DM_IO_ERROR_THRESHOLD)
29568                                 schedule_work(&sc->trigger_event);
29569                 }
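--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -389,7 +389,7 @@ static int device_area_is_invalid(struct
        if (!dev_size)
                return 0;
 
-       if ((start >= dev_size) || (start + len > dev_size)) {
+       if ((start >= dev_size) || (len > dev_size - start)) {
                DMWARN("%s: %s too small for target: "
                       "start=%llu, len=%llu, dev_size=%llu",
                       dm_device_name(ti->table->md), bdevname(bdev, b),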
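Review bot: The rewritten condition in device_area_is_invalid correctly avoids the wrap in `start + len`, but the reason is invisible at the line, and a reader can easily "simplify" `len > dev_size - start` back to the additive form. A comment pins it: `/* start < dev_size here, so dev_size - start cannot underflow; compared this way so a huge len cannot wrap start + len past dev_size */`. The function starts and ends outside the hunk.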
29582 diff -urNp linux-3.1.1/drivers/md/md.c linux-3.1.1/drivers/md/md.c
29583 --- linux-3.1.1/drivers/md/md.c 2011-11-11 15:19:27.000000000 -0500
29584 +++ linux-3.1.1/drivers/md/md.c 2011-11-16 18:39:07.000000000 -0500
29585 @@ -280,10 +280,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
29586   *  start build, activate spare
29587   */
29588  static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
29589 -static atomic_t md_event_count;
29590 +static atomic_unchecked_t md_event_count;
29591  void md_new_event(mddev_t *mddev)
29592  {
29593 -       atomic_inc(&md_event_count);
29594 +       atomic_inc_unchecked(&md_event_count);
29595         wake_up(&md_event_waiters);
29596  }
29597  EXPORT_SYMBOL_GPL(md_new_event);
29598 @@ -293,7 +293,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
29599   */
29600  static void md_new_event_inintr(mddev_t *mddev)
29601  {
29602 -       atomic_inc(&md_event_count);
29603 +       atomic_inc_unchecked(&md_event_count);
29604         wake_up(&md_event_waiters);
29605  }
29606  
29607 @@ -1531,7 +1531,7 @@ static int super_1_load(mdk_rdev_t *rdev
29608  
29609         rdev->preferred_minor = 0xffff;
29610         rdev->data_offset = le64_to_cpu(sb->data_offset);
29611 -       atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
29612 +       atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
29613  
29614         rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
29615         bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
29616 @@ -1748,7 +1748,7 @@ static void super_1_sync(mddev_t *mddev,
29617         else
29618                 sb->resync_offset = cpu_to_le64(0);
29619  
29620 -       sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
29621 +       sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
29622  
29623         sb->raid_disks = cpu_to_le32(mddev->raid_disks);
29624         sb->size = cpu_to_le64(mddev->dev_sectors);
29625 @@ -2643,7 +2643,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
29626  static ssize_t
29627  errors_show(mdk_rdev_t *rdev, char *page)
29628  {
29629 -       return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
29630 +       return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
29631  }
29632  
29633  static ssize_t
29634 @@ -2652,7 +2652,7 @@ errors_store(mdk_rdev_t *rdev, const cha
29635         char *e;
29636         unsigned long n = simple_strtoul(buf, &e, 10);
29637         if (*buf && (*e == 0 || *e == '\n')) {
29638 -               atomic_set(&rdev->corrected_errors, n);
29639 +               atomic_set_unchecked(&rdev->corrected_errors, n);
29640                 return len;
29641         }
29642         return -EINVAL;
29643 @@ -3042,8 +3042,8 @@ int md_rdev_init(mdk_rdev_t *rdev)
29644         rdev->sb_loaded = 0;
29645         rdev->bb_page = NULL;
29646         atomic_set(&rdev->nr_pending, 0);
29647 -       atomic_set(&rdev->read_errors, 0);
29648 -       atomic_set(&rdev->corrected_errors, 0);
29649 +       atomic_set_unchecked(&rdev->read_errors, 0);
29650 +       atomic_set_unchecked(&rdev->corrected_errors, 0);
29651  
29652         INIT_LIST_HEAD(&rdev->same_set);
29653         init_waitqueue_head(&rdev->blocked_wait);
29654 @@ -6667,7 +6667,7 @@ static int md_seq_show(struct seq_file *
29655  
29656                 spin_unlock(&pers_lock);
29657                 seq_printf(seq, "\n");
29658 -               seq->poll_event = atomic_read(&md_event_count);
29659 +               seq->poll_event = atomic_read_unchecked(&md_event_count);
29660                 return 0;
29661         }
29662         if (v == (void*)2) {
29663 @@ -6756,7 +6756,7 @@ static int md_seq_show(struct seq_file *
29664                                 chunk_kb ? "KB" : "B");
29665                         if (bitmap->file) {
29666                                 seq_printf(seq, ", file: ");
29667 -                               seq_path(seq, &bitmap->file->f_path, " \t\n");
29668 +                               seq_path(seq, &bitmap->file->f_path, " \t\n\\");
29669                         }
29670  
29671                         seq_printf(seq, "\n");
29672 @@ -6787,7 +6787,7 @@ static int md_seq_open(struct inode *ino
29673                 return error;
29674  
29675         seq = file->private_data;
29676 -       seq->poll_event = atomic_read(&md_event_count);
29677 +       seq->poll_event = atomic_read_unchecked(&md_event_count);
29678         return error;
29679  }
29680  
29681 @@ -6801,7 +6801,7 @@ static unsigned int mdstat_poll(struct f
29682         /* always allow read */
29683         mask = POLLIN | POLLRDNORM;
29684  
29685 -       if (seq->poll_event != atomic_read(&md_event_count))
29686 +       if (seq->poll_event != atomic_read_unchecked(&md_event_count))
29687                 mask |= POLLERR | POLLPRI;
29688         return mask;
29689  }
29690 @@ -6845,7 +6845,7 @@ static int is_mddev_idle(mddev_t *mddev,
29691                 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
29692                 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
29693                               (int)part_stat_read(&disk->part0, sectors[1]) -
29694 -                             atomic_read(&disk->sync_io);
29695 +                             atomic_read_unchecked(&disk->sync_io);
29696                 /* sync IO will cause sync_io to increase before the disk_stats
29697                  * as sync_io is counted when a request starts, and
29698                  * disk_stats is counted when it completes.
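Review bot: The md_seq_show hunk at @@ -6756 changes the seq_path escape set from `" \t\n"` to `" \t\n\\"`, a format change in the emitted bitmap path that is unrelated to the atomic_unchecked_t conversions surrounding it (the output is presumably /proc/mdstat, given mdstat_poll below); it deserves its own mention or a comment, e.g. `/* escape '\\' as well so an escaped path cannot be confused with a literal backslash */`. In errors_store, `atomic_set_unchecked(&rdev->corrected_errors, n)` stores an `unsigned long` from simple_strtoul into what errors_show prints with `%d`, so large inputs are silently truncated; this predates the patch but the line is now touched, and a range check `if (n > INT_MAX) return -EINVAL;` before the store would fit naturally. md_seq_show and errors_store both extend beyond their hunks.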
29699 diff -urNp linux-3.1.1/drivers/md/md.h linux-3.1.1/drivers/md/md.h
29700 --- linux-3.1.1/drivers/md/md.h 2011-11-11 15:19:27.000000000 -0500
29701 +++ linux-3.1.1/drivers/md/md.h 2011-11-16 18:39:07.000000000 -0500
29702 @@ -124,13 +124,13 @@ struct mdk_rdev_s
29703                                          * only maintained for arrays that
29704                                          * support hot removal
29705                                          */
29706 -       atomic_t        read_errors;    /* number of consecutive read errors that
29707 +       atomic_unchecked_t      read_errors;    /* number of consecutive read errors that
29708                                          * we have tried to ignore.
29709                                          */
29710         struct timespec last_read_error;        /* monotonic time since our
29711                                                  * last read error
29712                                                  */
29713 -       atomic_t        corrected_errors; /* number of corrected read errors,
29714 +       atomic_unchecked_t      corrected_errors; /* number of corrected read errors,
29715                                            * for reporting to userspace and storing
29716                                            * in superblock.
29717                                            */
29718 @@ -415,7 +415,7 @@ static inline void rdev_dec_pending(mdk_
29719  
29720  static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
29721  {
29722 -        atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
29723 +       atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
29724  }
29725  
29726  struct mdk_personality
29727 diff -urNp linux-3.1.1/drivers/md/raid10.c linux-3.1.1/drivers/md/raid10.c
29728 --- linux-3.1.1/drivers/md/raid10.c     2011-11-11 15:19:27.000000000 -0500
29729 +++ linux-3.1.1/drivers/md/raid10.c     2011-11-16 18:39:07.000000000 -0500
29730 @@ -1423,7 +1423,7 @@ static void end_sync_read(struct bio *bi
29731                 /* The write handler will notice the lack of
29732                  * R10BIO_Uptodate and record any errors etc
29733                  */
29734 -               atomic_add(r10_bio->sectors,
29735 +               atomic_add_unchecked(r10_bio->sectors,
29736                            &conf->mirrors[d].rdev->corrected_errors);
29737  
29738         /* for reconstruct, we always reschedule after a read.
29739 @@ -1723,7 +1723,7 @@ static void check_decay_read_errors(mdde
29740  {
29741         struct timespec cur_time_mon;
29742         unsigned long hours_since_last;
29743 -       unsigned int read_errors = atomic_read(&rdev->read_errors);
29744 +       unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
29745  
29746         ktime_get_ts(&cur_time_mon);
29747  
29748 @@ -1745,9 +1745,9 @@ static void check_decay_read_errors(mdde
29749          * overflowing the shift of read_errors by hours_since_last.
29750          */
29751         if (hours_since_last >= 8 * sizeof(read_errors))
29752 -               atomic_set(&rdev->read_errors, 0);
29753 +               atomic_set_unchecked(&rdev->read_errors, 0);
29754         else
29755 -               atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
29756 +               atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
29757  }
29758  
29759  static int r10_sync_page_io(mdk_rdev_t *rdev, sector_t sector,
29760 @@ -1797,8 +1797,8 @@ static void fix_read_error(conf_t *conf,
29761                 return;
29762  
29763         check_decay_read_errors(mddev, rdev);
29764 -       atomic_inc(&rdev->read_errors);
29765 -       if (atomic_read(&rdev->read_errors) > max_read_errors) {
29766 +       atomic_inc_unchecked(&rdev->read_errors);
29767 +       if (atomic_read_unchecked(&rdev->read_errors) > max_read_errors) {
29768                 char b[BDEVNAME_SIZE];
29769                 bdevname(rdev->bdev, b);
29770  
29771 @@ -1806,7 +1806,7 @@ static void fix_read_error(conf_t *conf,
29772                        "md/raid10:%s: %s: Raid device exceeded "
29773                        "read_error threshold [cur %d:max %d]\n",
29774                        mdname(mddev), b,
29775 -                      atomic_read(&rdev->read_errors), max_read_errors);
29776 +                      atomic_read_unchecked(&rdev->read_errors), max_read_errors);
29777                 printk(KERN_NOTICE
29778                        "md/raid10:%s: %s: Failing raid device\n",
29779                        mdname(mddev), b);
29780 @@ -1951,7 +1951,7 @@ static void fix_read_error(conf_t *conf,
29781                                        (unsigned long long)(
29782                                                sect + rdev->data_offset),
29783                                        bdevname(rdev->bdev, b));
29784 -                               atomic_add(s, &rdev->corrected_errors);
29785 +                               atomic_add_unchecked(s, &rdev->corrected_errors);
29786                         }
29787  
29788                         rdev_dec_pending(rdev, mddev);
29789 diff -urNp linux-3.1.1/drivers/md/raid1.c linux-3.1.1/drivers/md/raid1.c
29790 --- linux-3.1.1/drivers/md/raid1.c      2011-11-11 15:19:27.000000000 -0500
29791 +++ linux-3.1.1/drivers/md/raid1.c      2011-11-16 18:39:07.000000000 -0500
29792 @@ -1541,7 +1541,7 @@ static int fix_sync_read_error(r1bio_t *
29793                         if (r1_sync_page_io(rdev, sect, s,
29794                                             bio->bi_io_vec[idx].bv_page,
29795                                             READ) != 0)
29796 -                               atomic_add(s, &rdev->corrected_errors);
29797 +                               atomic_add_unchecked(s, &rdev->corrected_errors);
29798                 }
29799                 sectors -= s;
29800                 sect += s;
29801 @@ -1754,7 +1754,7 @@ static void fix_read_error(conf_t *conf,
29802                             test_bit(In_sync, &rdev->flags)) {
29803                                 if (r1_sync_page_io(rdev, sect, s,
29804                                                     conf->tmppage, READ)) {
29805 -                                       atomic_add(s, &rdev->corrected_errors);
29806 +                                       atomic_add_unchecked(s, &rdev->corrected_errors);
29807                                         printk(KERN_INFO
29808                                                "md/raid1:%s: read error corrected "
29809                                                "(%d sectors at %llu on %s)\n",
29810 diff -urNp linux-3.1.1/drivers/md/raid5.c linux-3.1.1/drivers/md/raid5.c
29811 --- linux-3.1.1/drivers/md/raid5.c      2011-11-11 15:19:27.000000000 -0500
29812 +++ linux-3.1.1/drivers/md/raid5.c      2011-11-16 18:40:10.000000000 -0500
29813 @@ -1616,19 +1616,19 @@ static void raid5_end_read_request(struc
29814                                 (unsigned long long)(sh->sector
29815                                                      + rdev->data_offset),
29816                                 bdevname(rdev->bdev, b));
29817 -                       atomic_add(STRIPE_SECTORS, &rdev->corrected_errors);
29818 +                       atomic_add_unchecked(STRIPE_SECTORS, &rdev->corrected_errors);
29819                         clear_bit(R5_ReadError, &sh->dev[i].flags);
29820                         clear_bit(R5_ReWrite, &sh->dev[i].flags);
29821                 }
29822 -               if (atomic_read(&conf->disks[i].rdev->read_errors))
29823 -                       atomic_set(&conf->disks[i].rdev->read_errors, 0);
29824 +               if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
29825 +                       atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
29826         } else {
29827                 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
29828                 int retry = 0;
29829                 rdev = conf->disks[i].rdev;
29830  
29831                 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
29832 -               atomic_inc(&rdev->read_errors);
29833 +               atomic_inc_unchecked(&rdev->read_errors);
29834                 if (conf->mddev->degraded >= conf->max_degraded)
29835                         printk_ratelimited(
29836                                 KERN_WARNING
29837 @@ -1648,7 +1648,7 @@ static void raid5_end_read_request(struc
29838                                 (unsigned long long)(sh->sector
29839                                                      + rdev->data_offset),
29840                                 bdn);
29841 -               else if (atomic_read(&rdev->read_errors)
29842 +               else if (atomic_read_unchecked(&rdev->read_errors)
29843                          > conf->max_nr_stripes)
29844                         printk(KERN_WARNING
29845                                "md/raid:%s: Too many read errors, failing device %s.\n",
29846 @@ -1978,6 +1978,7 @@ static sector_t compute_blocknr(struct s
29847         sector_t r_sector;
29848         struct stripe_head sh2;
29849  
29850 +       pax_track_stack();
29851  
29852         chunk_offset = sector_div(new_sector, sectors_per_chunk);
29853         stripe = new_sector;
29854 diff -urNp linux-3.1.1/drivers/media/common/saa7146_hlp.c linux-3.1.1/drivers/media/common/saa7146_hlp.c
29855 --- linux-3.1.1/drivers/media/common/saa7146_hlp.c      2011-11-11 15:19:27.000000000 -0500
29856 +++ linux-3.1.1/drivers/media/common/saa7146_hlp.c      2011-11-16 18:40:10.000000000 -0500
29857 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
29858  
29859         int x[32], y[32], w[32], h[32];
29860  
29861 +       pax_track_stack();
29862 +
29863         /* clear out memory */
29864         memset(&line_list[0],  0x00, sizeof(u32)*32);
29865         memset(&pixel_list[0], 0x00, sizeof(u32)*32);
29866 diff -urNp linux-3.1.1/drivers/media/dvb/ddbridge/ddbridge-core.c linux-3.1.1/drivers/media/dvb/ddbridge/ddbridge-core.c
29867 --- linux-3.1.1/drivers/media/dvb/ddbridge/ddbridge-core.c      2011-11-11 15:19:27.000000000 -0500
29868 +++ linux-3.1.1/drivers/media/dvb/ddbridge/ddbridge-core.c      2011-11-16 18:39:07.000000000 -0500
29869 @@ -1675,7 +1675,7 @@ static struct ddb_info ddb_v6 = {
29870         .subvendor   = _subvend, .subdevice = _subdev, \
29871         .driver_data = (unsigned long)&_driverdata }
29872  
29873 -static const struct pci_device_id ddb_id_tbl[] __devinitdata = {
29874 +static const struct pci_device_id ddb_id_tbl[] __devinitconst = {
29875         DDB_ID(DDVID, 0x0002, DDVID, 0x0001, ddb_octopus),
29876         DDB_ID(DDVID, 0x0003, DDVID, 0x0001, ddb_octopus),
29877         DDB_ID(DDVID, 0x0003, DDVID, 0x0002, ddb_octopus_le),
29878 diff -urNp linux-3.1.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-3.1.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
29879 --- linux-3.1.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c     2011-11-11 15:19:27.000000000 -0500
29880 +++ linux-3.1.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c     2011-11-16 18:40:10.000000000 -0500
29881 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
29882         u8 buf[HOST_LINK_BUF_SIZE];
29883         int i;
29884  
29885 +       pax_track_stack();
29886 +
29887         dprintk("%s\n", __func__);
29888  
29889         /* check if we have space for a link buf in the rx_buffer */
29890 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
29891         unsigned long timeout;
29892         int written;
29893  
29894 +       pax_track_stack();
29895 +
29896         dprintk("%s\n", __func__);
29897  
29898         /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
29899 diff -urNp linux-3.1.1/drivers/media/dvb/dvb-core/dvb_demux.h linux-3.1.1/drivers/media/dvb/dvb-core/dvb_demux.h
29900 --- linux-3.1.1/drivers/media/dvb/dvb-core/dvb_demux.h  2011-11-11 15:19:27.000000000 -0500
29901 +++ linux-3.1.1/drivers/media/dvb/dvb-core/dvb_demux.h  2011-11-16 18:40:10.000000000 -0500
29902 @@ -68,12 +68,12 @@ struct dvb_demux_feed {
29903         union {
29904                 struct dmx_ts_feed ts;
29905                 struct dmx_section_feed sec;
29906 -       } feed;
29907 +       } __no_const feed;
29908  
29909         union {
29910                 dmx_ts_cb ts;
29911                 dmx_section_cb sec;
29912 -       } cb;
29913 +       } __no_const cb;
29914  
29915         struct dvb_demux *demux;
29916         void *priv;
29917 diff -urNp linux-3.1.1/drivers/media/dvb/dvb-core/dvbdev.c linux-3.1.1/drivers/media/dvb/dvb-core/dvbdev.c
29918 --- linux-3.1.1/drivers/media/dvb/dvb-core/dvbdev.c     2011-11-11 15:19:27.000000000 -0500
29919 +++ linux-3.1.1/drivers/media/dvb/dvb-core/dvbdev.c     2011-11-16 18:39:07.000000000 -0500
29920 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
29921                         const struct dvb_device *template, void *priv, int type)
29922  {
29923         struct dvb_device *dvbdev;
29924 -       struct file_operations *dvbdevfops;
29925 +       file_operations_no_const *dvbdevfops;
29926         struct device *clsdev;
29927         int minor;
29928         int id;
29929 diff -urNp linux-3.1.1/drivers/media/dvb/dvb-usb/cxusb.c linux-3.1.1/drivers/media/dvb/dvb-usb/cxusb.c
29930 --- linux-3.1.1/drivers/media/dvb/dvb-usb/cxusb.c       2011-11-11 15:19:27.000000000 -0500
29931 +++ linux-3.1.1/drivers/media/dvb/dvb-usb/cxusb.c       2011-11-16 18:39:07.000000000 -0500
29932 @@ -1059,7 +1059,7 @@ static struct dib0070_config dib7070p_di
29933  struct dib0700_adapter_state {
29934         int (*set_param_save) (struct dvb_frontend *,
29935                                struct dvb_frontend_parameters *);
29936 -};
29937 +} __no_const;
29938  
29939  static int dib7070_set_param_override(struct dvb_frontend *fe,
29940                                       struct dvb_frontend_parameters *fep)
29941 diff -urNp linux-3.1.1/drivers/media/dvb/dvb-usb/dib0700_core.c linux-3.1.1/drivers/media/dvb/dvb-usb/dib0700_core.c
29942 --- linux-3.1.1/drivers/media/dvb/dvb-usb/dib0700_core.c        2011-11-11 15:19:27.000000000 -0500
29943 +++ linux-3.1.1/drivers/media/dvb/dvb-usb/dib0700_core.c        2011-11-16 18:40:10.000000000 -0500
29944 @@ -478,6 +478,8 @@ int dib0700_download_firmware(struct usb
29945         if (!buf)
29946                 return -ENOMEM;
29947  
29948 +       pax_track_stack();
29949 +
29950         while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
29951                 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",
29952                                 hx.addr, hx.len, hx.chk);
29953 diff -urNp linux-3.1.1/drivers/media/dvb/dvb-usb/dibusb.h linux-3.1.1/drivers/media/dvb/dvb-usb/dibusb.h
29954 --- linux-3.1.1/drivers/media/dvb/dvb-usb/dibusb.h      2011-11-11 15:19:27.000000000 -0500
29955 +++ linux-3.1.1/drivers/media/dvb/dvb-usb/dibusb.h      2011-11-16 18:40:10.000000000 -0500
29956 @@ -97,7 +97,7 @@
29957  #define DIBUSB_IOCTL_CMD_DISABLE_STREAM        0x02
29958  
29959  struct dibusb_state {
29960 -       struct dib_fe_xfer_ops ops;
29961 +       dib_fe_xfer_ops_no_const ops;
29962         int mt2060_present;
29963         u8 tuner_addr;
29964  };
29965 diff -urNp linux-3.1.1/drivers/media/dvb/dvb-usb/dw2102.c linux-3.1.1/drivers/media/dvb/dvb-usb/dw2102.c
29966 --- linux-3.1.1/drivers/media/dvb/dvb-usb/dw2102.c      2011-11-11 15:19:27.000000000 -0500
29967 +++ linux-3.1.1/drivers/media/dvb/dvb-usb/dw2102.c      2011-11-16 18:39:07.000000000 -0500
29968 @@ -95,7 +95,7 @@ struct su3000_state {
29969  
29970  struct s6x0_state {
29971         int (*old_set_voltage)(struct dvb_frontend *f, fe_sec_voltage_t v);
29972 -};
29973 +} __no_const;
29974  
29975  /* debug */
29976  static int dvb_usb_dw2102_debug;
29977 diff -urNp linux-3.1.1/drivers/media/dvb/dvb-usb/lmedm04.c linux-3.1.1/drivers/media/dvb/dvb-usb/lmedm04.c
29978 --- linux-3.1.1/drivers/media/dvb/dvb-usb/lmedm04.c     2011-11-11 15:19:27.000000000 -0500
29979 +++ linux-3.1.1/drivers/media/dvb/dvb-usb/lmedm04.c     2011-11-16 18:40:10.000000000 -0500
29980 @@ -742,6 +742,7 @@ static int lme2510_download_firmware(str
29981         usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
29982                         0x06, 0x80, 0x0200, 0x00, data, 0x0109, 1000);
29983  
29984 +       pax_track_stack();
29985  
29986         data[0] = 0x8a;
29987         len_in = 1;
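Review bot: In lme2510_download_firmware the added `pax_track_stack();` sits after the first `usb_control_msg()` call rather than at the top of the function body, unlike the insertion in lme_coldreset in the next hunk and the other `pax_track_stack()` sites in this patch. If the call is meant to cover the function's own frame (the local buffers are declared above this hunk), running it only after a call that already used that frame is at best inconsistent; moving it to directly after the declarations would match the rest of the patch. The function's start is outside the hunk.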
29988 @@ -764,6 +765,8 @@ static void lme_coldreset(struct usb_dev
29989         int ret = 0, len_in;
29990         u8 data[512] = {0};
29991  
29992 +       pax_track_stack();
29993 +
29994         data[0] = 0x0a;
29995         len_in = 1;
29996         info("FRM Firmware Cold Reset");
29997 diff -urNp linux-3.1.1/drivers/media/dvb/frontends/dib3000.h linux-3.1.1/drivers/media/dvb/frontends/dib3000.h
29998 --- linux-3.1.1/drivers/media/dvb/frontends/dib3000.h   2011-11-11 15:19:27.000000000 -0500
29999 +++ linux-3.1.1/drivers/media/dvb/frontends/dib3000.h   2011-11-16 18:40:10.000000000 -0500
30000 @@ -40,10 +40,11 @@ struct dib_fe_xfer_ops
30001         int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
30002         int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
30003  };
30004 +typedef struct dib_fe_xfer_ops __no_const dib_fe_xfer_ops_no_const;
30005  
30006  #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
30007  extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
30008 -                                            struct i2c_adapter* i2c, struct dib_fe_xfer_ops *xfer_ops);
30009 +                                            struct i2c_adapter* i2c, dib_fe_xfer_ops_no_const *xfer_ops);
30010  #else
30011  static inline struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
30012                                              struct i2c_adapter* i2c, struct dib_fe_xfer_ops *xfer_ops)
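Review bot: The `#else` stub at the end of the hunk still takes `struct dib_fe_xfer_ops *xfer_ops` while the real prototype above it now takes `dib_fe_xfer_ops_no_const *xfer_ops`, so the two configurations of dib3000mb_attach disagree on the parameter type. Callers that now hold a `dib_fe_xfer_ops_no_const` (dibusb_state.ops in the dibusb.h hunk) should compile identically against either branch; changing the stub to `struct i2c_adapter* i2c, dib_fe_xfer_ops_no_const *xfer_ops)` keeps both signatures the same whatever `__no_const` expands to. The stub's body continues past the hunk.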
30013 diff -urNp linux-3.1.1/drivers/media/dvb/frontends/dib3000mb.c linux-3.1.1/drivers/media/dvb/frontends/dib3000mb.c
30014 --- linux-3.1.1/drivers/media/dvb/frontends/dib3000mb.c 2011-11-11 15:19:27.000000000 -0500
30015 +++ linux-3.1.1/drivers/media/dvb/frontends/dib3000mb.c 2011-11-16 18:40:10.000000000 -0500
30016 @@ -756,7 +756,7 @@ static int dib3000mb_tuner_pass_ctrl(str
30017  static struct dvb_frontend_ops dib3000mb_ops;
30018  
30019  struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
30020 -                                     struct i2c_adapter* i2c, struct dib_fe_xfer_ops *xfer_ops)
30021 +                                     struct i2c_adapter* i2c, dib_fe_xfer_ops_no_const *xfer_ops)
30022  {
30023         struct dib3000_state* state = NULL;
30024  
30025 diff -urNp linux-3.1.1/drivers/media/dvb/frontends/mb86a16.c linux-3.1.1/drivers/media/dvb/frontends/mb86a16.c
30026 --- linux-3.1.1/drivers/media/dvb/frontends/mb86a16.c   2011-11-11 15:19:27.000000000 -0500
30027 +++ linux-3.1.1/drivers/media/dvb/frontends/mb86a16.c   2011-11-16 18:40:10.000000000 -0500
30028 @@ -1060,6 +1060,8 @@ static int mb86a16_set_fe(struct mb86a16
30029         int ret = -1;
30030         int sync;
30031  
30032 +       pax_track_stack();
30033 +
30034         dprintk(verbose, MB86A16_INFO, 1, "freq=%d Mhz, symbrt=%d Ksps", state->frequency, state->srate);
30035  
30036         fcp = 3000;
30037 diff -urNp linux-3.1.1/drivers/media/dvb/frontends/or51211.c linux-3.1.1/drivers/media/dvb/frontends/or51211.c
30038 --- linux-3.1.1/drivers/media/dvb/frontends/or51211.c   2011-11-11 15:19:27.000000000 -0500
30039 +++ linux-3.1.1/drivers/media/dvb/frontends/or51211.c   2011-11-16 18:40:10.000000000 -0500
30040 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
30041         u8 tudata[585];
30042         int i;
30043  
30044 +       pax_track_stack();
30045 +
30046         dprintk("Firmware is %zd bytes\n",fw->size);
30047  
30048         /* Get eprom data */
30049 diff -urNp linux-3.1.1/drivers/media/dvb/ngene/ngene-cards.c linux-3.1.1/drivers/media/dvb/ngene/ngene-cards.c
30050 --- linux-3.1.1/drivers/media/dvb/ngene/ngene-cards.c   2011-11-11 15:19:27.000000000 -0500
30051 +++ linux-3.1.1/drivers/media/dvb/ngene/ngene-cards.c   2011-11-16 18:39:07.000000000 -0500
30052 @@ -477,7 +477,7 @@ static struct ngene_info ngene_info_m780
30053  
30054  /****************************************************************************/
30055  
30056 -static const struct pci_device_id ngene_id_tbl[] __devinitdata = {
30057 +static const struct pci_device_id ngene_id_tbl[] __devinitconst = {
30058         NGENE_ID(0x18c3, 0xabc3, ngene_info_cineS2),
30059         NGENE_ID(0x18c3, 0xabc4, ngene_info_cineS2),
30060         NGENE_ID(0x18c3, 0xdb01, ngene_info_satixS2),
30061 diff -urNp linux-3.1.1/drivers/media/radio/radio-cadet.c linux-3.1.1/drivers/media/radio/radio-cadet.c
30062 --- linux-3.1.1/drivers/media/radio/radio-cadet.c       2011-11-11 15:19:27.000000000 -0500
30063 +++ linux-3.1.1/drivers/media/radio/radio-cadet.c       2011-11-16 18:39:07.000000000 -0500
30064 @@ -326,6 +326,8 @@ static ssize_t cadet_read(struct file *f
30065         unsigned char readbuf[RDS_BUFFER];
30066         int i = 0;
30067  
30068 +       if (count > RDS_BUFFER)
30069 +               return -EFAULT;
30070         mutex_lock(&dev->lock);
30071         if (dev->rdsstat == 0) {
30072                 dev->rdsstat = 1;
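Review bot: The new guard turns any read(2) with `count > RDS_BUFFER` into a hard failure, and with `-EFAULT`, which denotes an unreadable user address rather than an oversized request. The check presumably exists to bound the copy into the on-stack `readbuf[RDS_BUFFER]` by the buffer size instead of by the caller's length; clamping achieves that while keeping ordinary short-read semantics for callers that pass a large buffer: `if (count > RDS_BUFFER) count = RDS_BUFFER;`. If rejection is preferred, `-EINVAL` is the conventional code. How `count` drives the copy loop is outside the hunk, so confirm the clamp is sufficient there.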
30073 diff -urNp linux-3.1.1/drivers/media/video/au0828/au0828.h linux-3.1.1/drivers/media/video/au0828/au0828.h
30074 --- linux-3.1.1/drivers/media/video/au0828/au0828.h     2011-11-11 15:19:27.000000000 -0500
30075 +++ linux-3.1.1/drivers/media/video/au0828/au0828.h     2011-11-16 18:39:07.000000000 -0500
30076 @@ -191,7 +191,7 @@ struct au0828_dev {
30077  
30078         /* I2C */
30079         struct i2c_adapter              i2c_adap;
30080 -       struct i2c_algorithm            i2c_algo;
30081 +       i2c_algorithm_no_const          i2c_algo;
30082         struct i2c_client               i2c_client;
30083         u32                             i2c_rc;
30084  
30085 diff -urNp linux-3.1.1/drivers/media/video/cx18/cx18-driver.c linux-3.1.1/drivers/media/video/cx18/cx18-driver.c
30086 --- linux-3.1.1/drivers/media/video/cx18/cx18-driver.c  2011-11-11 15:19:27.000000000 -0500
30087 +++ linux-3.1.1/drivers/media/video/cx18/cx18-driver.c  2011-11-16 18:40:10.000000000 -0500
30088 @@ -327,6 +327,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
30089         struct i2c_client c;
30090         u8 eedata[256];
30091  
30092 +       pax_track_stack();
30093 +
30094         memset(&c, 0, sizeof(c));
30095         strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
30096         c.adapter = &cx->i2c_adap[0];
30097 diff -urNp linux-3.1.1/drivers/media/video/cx23885/cx23885-input.c linux-3.1.1/drivers/media/video/cx23885/cx23885-input.c
30098 --- linux-3.1.1/drivers/media/video/cx23885/cx23885-input.c     2011-11-11 15:19:27.000000000 -0500
30099 +++ linux-3.1.1/drivers/media/video/cx23885/cx23885-input.c     2011-11-16 18:40:10.000000000 -0500
30100 @@ -53,6 +53,8 @@ static void cx23885_input_process_measur
30101         bool handle = false;
30102         struct ir_raw_event ir_core_event[64];
30103  
30104 +       pax_track_stack();
30105 +
30106         do {
30107                 num = 0;
30108                 v4l2_subdev_call(dev->sd_ir, ir, rx_read, (u8 *) ir_core_event,
30109 diff -urNp linux-3.1.1/drivers/media/video/cx88/cx88-alsa.c linux-3.1.1/drivers/media/video/cx88/cx88-alsa.c
30110 --- linux-3.1.1/drivers/media/video/cx88/cx88-alsa.c    2011-11-11 15:19:27.000000000 -0500
30111 +++ linux-3.1.1/drivers/media/video/cx88/cx88-alsa.c    2011-11-16 18:39:07.000000000 -0500
30112 @@ -766,7 +766,7 @@ static struct snd_kcontrol_new snd_cx88_
30113   * Only boards with eeprom and byte 1 at eeprom=1 have it
30114   */
30115  
30116 -static const struct pci_device_id const cx88_audio_pci_tbl[] __devinitdata = {
30117 +static const struct pci_device_id const cx88_audio_pci_tbl[] __devinitconst = {
30118         {0x14f1,0x8801,PCI_ANY_ID,PCI_ANY_ID,0,0,0},
30119         {0x14f1,0x8811,PCI_ANY_ID,PCI_ANY_ID,0,0,0},
30120         {0, }
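Review bot: The rewritten declaration keeps the pre-existing doubled qualifier in `static const struct pci_device_id const cx88_audio_pci_tbl[]`; the second `const` is redundant with the first. Since the line is being touched anyway, `static const struct pci_device_id cx88_audio_pci_tbl[] __devinitconst = {` is the cleaner form and matches the ddbridge and ngene tables changed in this patch.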
30121 diff -urNp linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
30122 --- linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c    2011-11-11 15:19:27.000000000 -0500
30123 +++ linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c    2011-11-16 18:40:10.000000000 -0500
30124 @@ -120,6 +120,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw 
30125         u8 *eeprom;
30126         struct tveeprom tvdata;
30127  
30128 +       pax_track_stack();
30129 +
30130         memset(&tvdata,0,sizeof(tvdata));
30131  
30132         eeprom = pvr2_eeprom_fetch(hdw);
30133 diff -urNp linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h
30134 --- linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h      2011-11-11 15:19:27.000000000 -0500
30135 +++ linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h      2011-11-16 18:39:07.000000000 -0500
30136 @@ -196,7 +196,7 @@ struct pvr2_hdw {
30137  
30138         /* I2C stuff */
30139         struct i2c_adapter i2c_adap;
30140 -       struct i2c_algorithm i2c_algo;
30141 +       i2c_algorithm_no_const i2c_algo;
30142         pvr2_i2c_func i2c_func[PVR2_I2C_FUNC_CNT];
30143         int i2c_cx25840_hack_state;
30144         int i2c_linked;
30145 diff -urNp linux-3.1.1/drivers/media/video/saa7134/saa6752hs.c linux-3.1.1/drivers/media/video/saa7134/saa6752hs.c
30146 --- linux-3.1.1/drivers/media/video/saa7134/saa6752hs.c 2011-11-11 15:19:27.000000000 -0500
30147 +++ linux-3.1.1/drivers/media/video/saa7134/saa6752hs.c 2011-11-16 18:40:10.000000000 -0500
30148 @@ -682,6 +682,8 @@ static int saa6752hs_init(struct v4l2_su
30149         unsigned char localPAT[256];
30150         unsigned char localPMT[256];
30151  
30152 +       pax_track_stack();
30153 +
30154         /* Set video format - must be done first as it resets other settings */
30155         set_reg8(client, 0x41, h->video_format);
30156  
30157 diff -urNp linux-3.1.1/drivers/media/video/saa7164/saa7164-cmd.c linux-3.1.1/drivers/media/video/saa7164/saa7164-cmd.c
30158 --- linux-3.1.1/drivers/media/video/saa7164/saa7164-cmd.c       2011-11-11 15:19:27.000000000 -0500
30159 +++ linux-3.1.1/drivers/media/video/saa7164/saa7164-cmd.c       2011-11-16 18:40:10.000000000 -0500
30160 @@ -88,6 +88,8 @@ int saa7164_irq_dequeue(struct saa7164_d
30161         u8 tmp[512];
30162         dprintk(DBGLVL_CMD, "%s()\n", __func__);
30163  
30164 +       pax_track_stack();
30165 +
30166         /* While any outstand message on the bus exists... */
30167         do {
30168  
30169 @@ -141,6 +143,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
30170         u8 tmp[512];
30171         dprintk(DBGLVL_CMD, "%s()\n", __func__);
30172  
30173 +       pax_track_stack();
30174 +
30175         while (loop) {
30176  
30177                 struct tmComResInfo tRsp = { 0, 0, 0, 0, 0, 0 };
30178 diff -urNp linux-3.1.1/drivers/media/video/timblogiw.c linux-3.1.1/drivers/media/video/timblogiw.c
30179 --- linux-3.1.1/drivers/media/video/timblogiw.c 2011-11-11 15:19:27.000000000 -0500
30180 +++ linux-3.1.1/drivers/media/video/timblogiw.c 2011-11-16 18:40:10.000000000 -0500
30181 @@ -744,7 +744,7 @@ static int timblogiw_mmap(struct file *f
30182  
30183  /* Platform device functions */
30184  
30185 -static __devinitconst struct v4l2_ioctl_ops timblogiw_ioctl_ops = {
30186 +static __devinitconst v4l2_ioctl_ops_no_const timblogiw_ioctl_ops = {
30187         .vidioc_querycap                = timblogiw_querycap,
30188         .vidioc_enum_fmt_vid_cap        = timblogiw_enum_fmt,
30189         .vidioc_g_fmt_vid_cap           = timblogiw_g_fmt,
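Review bot: The object keeps its `__devinitconst` placement while its type becomes `v4l2_ioctl_ops_no_const`, which opts it out of being const. If the driver modifies `timblogiw_ioctl_ops` at runtime (presumably the reason for the opt-out; the writes are not in this hunk), a writable object in a read-only init section is contradictory and `static __devinitdata v4l2_ioctl_ops_no_const timblogiw_ioctl_ops = {` would state the intent; if it is never written, the plain `struct v4l2_ioctl_ops` type should stay. Worth confirming against the uses elsewhere in the file.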
30190 diff -urNp linux-3.1.1/drivers/media/video/usbvision/usbvision-core.c linux-3.1.1/drivers/media/video/usbvision/usbvision-core.c
30191 --- linux-3.1.1/drivers/media/video/usbvision/usbvision-core.c  2011-11-11 15:19:27.000000000 -0500
30192 +++ linux-3.1.1/drivers/media/video/usbvision/usbvision-core.c  2011-11-16 18:40:10.000000000 -0500
30193 @@ -707,6 +707,8 @@ static enum parse_state usbvision_parse_
30194         unsigned char rv, gv, bv;
30195         static unsigned char *Y, *U, *V;
30196  
30197 +       pax_track_stack();
30198 +
30199         frame = usbvision->cur_frame;
30200         image_size = frame->frmwidth * frame->frmheight;
30201         if ((frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
30202 diff -urNp linux-3.1.1/drivers/media/video/videobuf-dma-sg.c linux-3.1.1/drivers/media/video/videobuf-dma-sg.c
30203 --- linux-3.1.1/drivers/media/video/videobuf-dma-sg.c   2011-11-11 15:19:27.000000000 -0500
30204 +++ linux-3.1.1/drivers/media/video/videobuf-dma-sg.c   2011-11-16 18:40:10.000000000 -0500
30205 @@ -607,6 +607,8 @@ void *videobuf_sg_alloc(size_t size)
30206  {
30207         struct videobuf_queue q;
30208  
30209 +       pax_track_stack();
30210 +
30211         /* Required to make generic handler to call __videobuf_alloc */
30212         q.int_ops = &sg_ops;
30213  
30214 diff -urNp linux-3.1.1/drivers/message/fusion/mptbase.c linux-3.1.1/drivers/message/fusion/mptbase.c
30215 --- linux-3.1.1/drivers/message/fusion/mptbase.c        2011-11-11 15:19:27.000000000 -0500
30216 +++ linux-3.1.1/drivers/message/fusion/mptbase.c        2011-11-16 18:40:10.000000000 -0500
30217 @@ -6681,8 +6681,13 @@ static int mpt_iocinfo_proc_show(struct 
30218         seq_printf(m, "  MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
30219         seq_printf(m, "  MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
30220  
30221 +#ifdef CONFIG_GRKERNSEC_HIDESYM
30222 +       seq_printf(m, "  RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
30223 +#else
30224         seq_printf(m, "  RequestFrames @ 0x%p (Dma @ 0x%p)\n",
30225                                         (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
30226 +#endif
30227 +
30228         /*
30229          *  Rounding UP to nearest 4-kB boundary here...
30230          */
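Review bot: The `CONFIG_GRKERNSEC_HIDESYM` branch prints `NULL` through `0x%p`, which vsprintf renders as `(null)`, giving `0x(null)` rather than a hidden-looking address, and the duplicated format string lets the two branches drift. The kernel already has the `%pK` specifier for this case (pointer shown or zeroed according to `kptr_restrict`), so a single `seq_printf(m, "  RequestFrames @ 0x%pK (Dma @ 0x%pK)\n", ...)` could replace the `#ifdef` pair if HIDESYM's policy is meant to coincide with kptr_restrict. If HIDESYM must hide unconditionally, printing a fixed placeholder string instead of `NULL` keeps the output shape stable for anything parsing this proc file.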
30231 diff -urNp linux-3.1.1/drivers/message/fusion/mptsas.c linux-3.1.1/drivers/message/fusion/mptsas.c
30232 --- linux-3.1.1/drivers/message/fusion/mptsas.c 2011-11-11 15:19:27.000000000 -0500
30233 +++ linux-3.1.1/drivers/message/fusion/mptsas.c 2011-11-16 18:39:07.000000000 -0500
30234 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
30235                 return 0;
30236  }
30237  
30238 +static inline void
30239 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
30240 +{
30241 +       if (phy_info->port_details) {
30242 +               phy_info->port_details->rphy = rphy;
30243 +               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
30244 +                   ioc->name, rphy));
30245 +       }
30246 +
30247 +       if (rphy) {
30248 +               dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
30249 +                   &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
30250 +               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
30251 +                   ioc->name, rphy, rphy->dev.release));
30252 +       }
30253 +}
30254 +
30255  /* no mutex */
30256  static void
30257  mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
30258 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
30259                 return NULL;
30260  }
30261  
30262 -static inline void
30263 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
30264 -{
30265 -       if (phy_info->port_details) {
30266 -               phy_info->port_details->rphy = rphy;
30267 -               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
30268 -                   ioc->name, rphy));
30269 -       }
30270 -
30271 -       if (rphy) {
30272 -               dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
30273 -                   &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
30274 -               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
30275 -                   ioc->name, rphy, rphy->dev.release));
30276 -       }
30277 -}
30278 -
30279  static inline struct sas_port *
30280  mptsas_get_port(struct mptsas_phyinfo *phy_info)
30281  {
30282 diff -urNp linux-3.1.1/drivers/message/fusion/mptscsih.c linux-3.1.1/drivers/message/fusion/mptscsih.c
30283 --- linux-3.1.1/drivers/message/fusion/mptscsih.c       2011-11-11 15:19:27.000000000 -0500
30284 +++ linux-3.1.1/drivers/message/fusion/mptscsih.c       2011-11-16 18:39:07.000000000 -0500
30285 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
30286  
30287         h = shost_priv(SChost);
30288  
30289 -       if (h) {
30290 -               if (h->info_kbuf == NULL)
30291 -                       if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
30292 -                               return h->info_kbuf;
30293 -               h->info_kbuf[0] = '\0';
30294 +       if (!h)
30295 +               return NULL;
30296  
30297 -               mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
30298 -               h->info_kbuf[size-1] = '\0';
30299 -       }
30300 +       if (h->info_kbuf == NULL)
30301 +               if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
30302 +                       return h->info_kbuf;
30303 +       h->info_kbuf[0] = '\0';
30304 +
30305 +       mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
30306 +       h->info_kbuf[size-1] = '\0';
30307  
30308         return h->info_kbuf;
30309  }
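Review bot: The assign-in-condition `if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL) return h->info_kbuf;` is carried over verbatim into the flattened body; it returns NULL by reading back the field it just stored, nested under a brace-less `if`. Since the hunk already rewrites these lines, a plain allocate-then-check reads better and is what the early-return restructuring was after. The `size` variable's declaration and initial value are outside the hunk.
```c
	if (!h)
		return NULL;

	if (h->info_kbuf == NULL) {
		h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL);
		if (h->info_kbuf == NULL)
			return NULL;
	}
	h->info_kbuf[0] = '\0';
	/* … unchanged: mpt_print_ioc_summary call and termination … */
```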
30310 diff -urNp linux-3.1.1/drivers/message/i2o/i2o_config.c linux-3.1.1/drivers/message/i2o/i2o_config.c
30311 --- linux-3.1.1/drivers/message/i2o/i2o_config.c        2011-11-11 15:19:27.000000000 -0500
30312 +++ linux-3.1.1/drivers/message/i2o/i2o_config.c        2011-11-16 18:40:10.000000000 -0500
30313 @@ -781,6 +781,8 @@ static int i2o_cfg_passthru(unsigned lon
30314         struct i2o_message *msg;
30315         unsigned int iop;
30316  
30317 +       pax_track_stack();
30318 +
30319         if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
30320                 return -EFAULT;
30321  
30322 diff -urNp linux-3.1.1/drivers/message/i2o/i2o_proc.c linux-3.1.1/drivers/message/i2o/i2o_proc.c
30323 --- linux-3.1.1/drivers/message/i2o/i2o_proc.c  2011-11-11 15:19:27.000000000 -0500
30324 +++ linux-3.1.1/drivers/message/i2o/i2o_proc.c  2011-11-16 18:39:07.000000000 -0500
30325 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
30326         "Array Controller Device"
30327  };
30328  
30329 -static char *chtostr(u8 * chars, int n)
30330 -{
30331 -       char tmp[256];
30332 -       tmp[0] = 0;
30333 -       return strncat(tmp, (char *)chars, n);
30334 -}
30335 -
30336  static int i2o_report_query_status(struct seq_file *seq, int block_status,
30337                                    char *group)
30338  {
30339 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
30340  
30341                 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
30342                 seq_printf(seq, "%-#8x", ddm_table.module_id);
30343 -               seq_printf(seq, "%-29s",
30344 -                          chtostr(ddm_table.module_name_version, 28));
30345 +               seq_printf(seq, "%-.28s", ddm_table.module_name_version);
30346                 seq_printf(seq, "%9d  ", ddm_table.data_size);
30347                 seq_printf(seq, "%8d", ddm_table.code_size);
30348  
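Review bot: Replacing `"%-29s"` with `"%-.28s"` drops the minimum field width, so the module name is no longer padded to 29 columns and the following `"%9d  "` column shifts left for names shorter than 28 characters, whereas the old chtostr()-based output always padded. Width and precision can be combined, `seq_printf(seq, "%-.28s", ddm_table.module_name_version);` becoming `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`, which keeps the table aligned and still never reads past the field. The same applies to `%-.28s` and `%-.8s` in the i2o_seq_show_drivers_stored hunk below (`%-29.28s` and `%-9.8s`).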
30349 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
30350  
30351                 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
30352                 seq_printf(seq, "%-#8x", dst->module_id);
30353 -               seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
30354 -               seq_printf(seq, "%-9s", chtostr(dst->date, 8));
30355 +               seq_printf(seq, "%-.28s", dst->module_name_version);
30356 +               seq_printf(seq, "%-.8s", dst->date);
30357                 seq_printf(seq, "%8d ", dst->module_size);
30358                 seq_printf(seq, "%8d ", dst->mpb_size);
30359                 seq_printf(seq, "0x%04x", dst->module_flags);
30360 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
30361         seq_printf(seq, "Device Class  : %s\n", i2o_get_class_name(work16[0]));
30362         seq_printf(seq, "Owner TID     : %0#5x\n", work16[2]);
30363         seq_printf(seq, "Parent TID    : %0#5x\n", work16[3]);
30364 -       seq_printf(seq, "Vendor info   : %s\n",
30365 -                  chtostr((u8 *) (work32 + 2), 16));
30366 -       seq_printf(seq, "Product info  : %s\n",
30367 -                  chtostr((u8 *) (work32 + 6), 16));
30368 -       seq_printf(seq, "Description   : %s\n",
30369 -                  chtostr((u8 *) (work32 + 10), 16));
30370 -       seq_printf(seq, "Product rev.  : %s\n",
30371 -                  chtostr((u8 *) (work32 + 14), 8));
30372 +       seq_printf(seq, "Vendor info   : %.16s\n", (u8 *) (work32 + 2));
30373 +       seq_printf(seq, "Product info  : %.16s\n", (u8 *) (work32 + 6));
30374 +       seq_printf(seq, "Description   : %.16s\n", (u8 *) (work32 + 10));
30375 +       seq_printf(seq, "Product rev.  : %.8s\n", (u8 *) (work32 + 14));
30376  
30377         seq_printf(seq, "Serial number : ");
30378         print_serial_number(seq, (u8 *) (work32 + 16),
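Review bot: The `(u8 *)` casts are kept on arguments that are now passed straight to `%.16s`/`%.8s`, i.e. an `unsigned char *` where the format expects `char *`. Compilers with signedness-aware format checking may warn, and the cast no longer describes how the value is used; `(const char *)(work32 + 2)` and the three siblings say what is meant.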
30379 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
30380         }
30381  
30382         seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
30383 -       seq_printf(seq, "Module name         : %s\n",
30384 -                  chtostr(result.module_name, 24));
30385 -       seq_printf(seq, "Module revision     : %s\n",
30386 -                  chtostr(result.module_rev, 8));
30387 +       seq_printf(seq, "Module name         : %.24s\n", result.module_name);
30388 +       seq_printf(seq, "Module revision     : %.8s\n", result.module_rev);
30389  
30390         seq_printf(seq, "Serial number       : ");
30391         print_serial_number(seq, result.serial_number, sizeof(result) - 36);
30392 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
30393                 return 0;
30394         }
30395  
30396 -       seq_printf(seq, "Device name     : %s\n",
30397 -                  chtostr(result.device_name, 64));
30398 -       seq_printf(seq, "Service name    : %s\n",
30399 -                  chtostr(result.service_name, 64));
30400 -       seq_printf(seq, "Physical name   : %s\n",
30401 -                  chtostr(result.physical_location, 64));
30402 -       seq_printf(seq, "Instance number : %s\n",
30403 -                  chtostr(result.instance_number, 4));
30404 +       seq_printf(seq, "Device name     : %.64s\n", result.device_name);
30405 +       seq_printf(seq, "Service name    : %.64s\n", result.service_name);
30406 +       seq_printf(seq, "Physical name   : %.64s\n", result.physical_location);
30407 +       seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
30408  
30409         return 0;
30410  }
30411 diff -urNp linux-3.1.1/drivers/message/i2o/iop.c linux-3.1.1/drivers/message/i2o/iop.c
30412 --- linux-3.1.1/drivers/message/i2o/iop.c       2011-11-11 15:19:27.000000000 -0500
30413 +++ linux-3.1.1/drivers/message/i2o/iop.c       2011-11-16 18:39:07.000000000 -0500
30414 @@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
30415  
30416         spin_lock_irqsave(&c->context_list_lock, flags);
30417  
30418 -       if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
30419 -               atomic_inc(&c->context_list_counter);
30420 +       if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
30421 +               atomic_inc_unchecked(&c->context_list_counter);
30422  
30423 -       entry->context = atomic_read(&c->context_list_counter);
30424 +       entry->context = atomic_read_unchecked(&c->context_list_counter);
30425  
30426         list_add(&entry->list, &c->context_list);
30427  
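Review bot: Switching context_list_counter to the _unchecked atomics exempts it from refcount-overflow detection, and nothing at the site records why that is safe, so the exemption reads like an accident to the next reviewer. A one-line comment would settle it: `/* cookie generator, not a refcount: wrap is expected, 0 is skipped by the re-increment above, and context_list_lock serialises callers */`. The re-increment on the inc_and_test result is what keeps 0 out of the cookie space, and the spin lock taken two lines up is the real serialisation. i2o_cntxt_list_add begins and ends outside the hunk.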
30428 @@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(voi
30429  
30430  #if BITS_PER_LONG == 64
30431         spin_lock_init(&c->context_list_lock);
30432 -       atomic_set(&c->context_list_counter, 0);
30433 +       atomic_set_unchecked(&c->context_list_counter, 0);
30434         INIT_LIST_HEAD(&c->context_list);
30435  #endif
30436  
30437 diff -urNp linux-3.1.1/drivers/mfd/ab3100-core.c linux-3.1.1/drivers/mfd/ab3100-core.c
30438 --- linux-3.1.1/drivers/mfd/ab3100-core.c       2011-11-11 15:19:27.000000000 -0500
30439 +++ linux-3.1.1/drivers/mfd/ab3100-core.c       2011-11-16 18:39:07.000000000 -0500
30440 @@ -809,7 +809,7 @@ struct ab_family_id {
30441         char    *name;
30442  };
30443  
30444 -static const struct ab_family_id ids[] __devinitdata = {
30445 +static const struct ab_family_id ids[] __devinitconst = {
30446         /* AB3100 */
30447         {
30448                 .id = 0xc0,
30449 diff -urNp linux-3.1.1/drivers/mfd/abx500-core.c linux-3.1.1/drivers/mfd/abx500-core.c
30450 --- linux-3.1.1/drivers/mfd/abx500-core.c       2011-11-11 15:19:27.000000000 -0500
30451 +++ linux-3.1.1/drivers/mfd/abx500-core.c       2011-11-16 18:39:07.000000000 -0500
30452 @@ -14,7 +14,7 @@ static LIST_HEAD(abx500_list);
30453  
30454  struct abx500_device_entry {
30455         struct list_head list;
30456 -       struct abx500_ops ops;
30457 +       abx500_ops_no_const ops;
30458         struct device *dev;
30459  };
30460  
30461 diff -urNp linux-3.1.1/drivers/mfd/janz-cmodio.c linux-3.1.1/drivers/mfd/janz-cmodio.c
30462 --- linux-3.1.1/drivers/mfd/janz-cmodio.c       2011-11-11 15:19:27.000000000 -0500
30463 +++ linux-3.1.1/drivers/mfd/janz-cmodio.c       2011-11-16 18:39:07.000000000 -0500
30464 @@ -13,6 +13,7 @@
30465  
30466  #include <linux/kernel.h>
30467  #include <linux/module.h>
30468 +#include <linux/slab.h>
30469  #include <linux/init.h>
30470  #include <linux/pci.h>
30471  #include <linux/interrupt.h>
30472 diff -urNp linux-3.1.1/drivers/mfd/wm8350-i2c.c linux-3.1.1/drivers/mfd/wm8350-i2c.c
30473 --- linux-3.1.1/drivers/mfd/wm8350-i2c.c        2011-11-11 15:19:27.000000000 -0500
30474 +++ linux-3.1.1/drivers/mfd/wm8350-i2c.c        2011-11-16 18:40:10.000000000 -0500
30475 @@ -44,6 +44,8 @@ static int wm8350_i2c_write_device(struc
30476         u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
30477         int ret;
30478  
30479 +       pax_track_stack();
30480 +
30481         if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
30482                 return -EINVAL;
30483  
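Review bot: The length guard right after the new pax_track_stack() call repeats the array-size expression `(WM8350_MAX_REGISTER << 1) + 1` instead of using `sizeof(msg)`, so the two can drift apart. More importantly it only rejects `bytes > sizeof(msg)`; if the body (outside the hunk) stores the register byte in msg[0] and copies `bytes` bytes after it, `bytes == sizeof(msg)` overruns the buffer by one. Assuming that layout, the guard should be `if (bytes > sizeof(msg) - 1) return -EINVAL;` — please confirm against the copy below. wm8350_i2c_write_device starts and ends outside the hunk.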
30484 diff -urNp linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.c linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.c
30485 --- linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.c      2011-11-11 15:19:27.000000000 -0500
30486 +++ linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.c      2011-11-16 18:39:07.000000000 -0500
30487 @@ -437,7 +437,7 @@ static irqreturn_t lis302dl_interrupt(in
30488          * the lid is closed. This leads to interrupts as soon as a little move
30489          * is done.
30490          */
30491 -       atomic_inc(&lis3_dev.count);
30492 +       atomic_inc_unchecked(&lis3_dev.count);
30493  
30494         wake_up_interruptible(&lis3_dev.misc_wait);
30495         kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
30496 @@ -520,7 +520,7 @@ static int lis3lv02d_misc_open(struct in
30497         if (lis3_dev.pm_dev)
30498                 pm_runtime_get_sync(lis3_dev.pm_dev);
30499  
30500 -       atomic_set(&lis3_dev.count, 0);
30501 +       atomic_set_unchecked(&lis3_dev.count, 0);
30502         return 0;
30503  }
30504  
30505 @@ -547,7 +547,7 @@ static ssize_t lis3lv02d_misc_read(struc
30506         add_wait_queue(&lis3_dev.misc_wait, &wait);
30507         while (true) {
30508                 set_current_state(TASK_INTERRUPTIBLE);
30509 -               data = atomic_xchg(&lis3_dev.count, 0);
30510 +               data = atomic_xchg_unchecked(&lis3_dev.count, 0);
30511                 if (data)
30512                         break;
30513  
30514 @@ -585,7 +585,7 @@ out:
30515  static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
30516  {
30517         poll_wait(file, &lis3_dev.misc_wait, wait);
30518 -       if (atomic_read(&lis3_dev.count))
30519 +       if (atomic_read_unchecked(&lis3_dev.count))
30520                 return POLLIN | POLLRDNORM;
30521         return 0;
30522  }
30523 diff -urNp linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.h linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.h
30524 --- linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.h      2011-11-11 15:19:27.000000000 -0500
30525 +++ linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.h      2011-11-16 18:39:07.000000000 -0500
30526 @@ -265,7 +265,7 @@ struct lis3lv02d {
30527         struct input_polled_dev *idev;     /* input device */
30528         struct platform_device  *pdev;     /* platform device */
30529         struct regulator_bulk_data regulators[2];
30530 -       atomic_t                count;     /* interrupt count after last read */
30531 +       atomic_unchecked_t      count;     /* interrupt count after last read */
30532         union axis_conversion   ac;        /* hw -> logical axis */
30533         int                     mapped_btns[3];
30534  
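Review bot: The field comment on count still reads as a plain counter and does not say why it was deliberately moved to atomic_unchecked_t, so a reader cannot tell an intentional exemption from overflow detection apart from an oversight. Extend it to `atomic_unchecked_t count; /* interrupt count after last read; event counter, not a refcount, so wrap is harmless (unchecked) */`. The read path in lis3lv02d.c swaps the value back to zero on every read, which the comment could also mention. struct lis3lv02d continues outside the hunk.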
30535 diff -urNp linux-3.1.1/drivers/misc/sgi-gru/gruhandles.c linux-3.1.1/drivers/misc/sgi-gru/gruhandles.c
30536 --- linux-3.1.1/drivers/misc/sgi-gru/gruhandles.c       2011-11-11 15:19:27.000000000 -0500
30537 +++ linux-3.1.1/drivers/misc/sgi-gru/gruhandles.c       2011-11-16 18:39:07.000000000 -0500
30538 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
30539         unsigned long nsec;
30540  
30541         nsec = CLKS2NSEC(clks);
30542 -       atomic_long_inc(&mcs_op_statistics[op].count);
30543 -       atomic_long_add(nsec, &mcs_op_statistics[op].total);
30544 +       atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
30545 +       atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
30546         if (mcs_op_statistics[op].max < nsec)
30547                 mcs_op_statistics[op].max = nsec;
30548  }
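Review bot: count and total are now bumped with the unchecked atomics while max is still updated with a plain compare-and-store, and nothing in update_mcs_stats says that either choice is intentional. If this function can run concurrently (not visible here), racing callers can lose an update to max; since these are statistics, a comment making the tolerance explicit would be enough: `/* stats only: counter wrap and a lost update to max are tolerated, hence the unchecked atomics */`. update_mcs_stats begins outside the hunk.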
30549 diff -urNp linux-3.1.1/drivers/misc/sgi-gru/gruprocfs.c linux-3.1.1/drivers/misc/sgi-gru/gruprocfs.c
30550 --- linux-3.1.1/drivers/misc/sgi-gru/gruprocfs.c        2011-11-11 15:19:27.000000000 -0500
30551 +++ linux-3.1.1/drivers/misc/sgi-gru/gruprocfs.c        2011-11-16 18:39:07.000000000 -0500
30552 @@ -32,9 +32,9 @@
30553  
30554  #define printstat(s, f)                printstat_val(s, &gru_stats.f, #f)
30555  
30556 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
30557 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
30558  {
30559 -       unsigned long val = atomic_long_read(v);
30560 +       unsigned long val = atomic_long_read_unchecked(v);
30561  
30562         seq_printf(s, "%16lu %s\n", val, id);
30563  }
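Review bot: printstat_val still takes `char *id` although the only visible caller, the printstat macro, passes the string literal `#f` and the function only forwards it to seq_printf. Since the signature is being changed anyway, make it `static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, const char *id)` so string literals are not passed through a writable pointer. No behaviour changes.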
30564 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
30565  
30566         seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
30567         for (op = 0; op < mcsop_last; op++) {
30568 -               count = atomic_long_read(&mcs_op_statistics[op].count);
30569 -               total = atomic_long_read(&mcs_op_statistics[op].total);
30570 +               count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
30571 +               total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
30572                 max = mcs_op_statistics[op].max;
30573                 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
30574                            count ? total / count : 0, max);
30575 diff -urNp linux-3.1.1/drivers/misc/sgi-gru/grutables.h linux-3.1.1/drivers/misc/sgi-gru/grutables.h
30576 --- linux-3.1.1/drivers/misc/sgi-gru/grutables.h        2011-11-11 15:19:27.000000000 -0500
30577 +++ linux-3.1.1/drivers/misc/sgi-gru/grutables.h        2011-11-16 18:39:07.000000000 -0500
30578 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
30579   * GRU statistics.
30580   */
30581  struct gru_stats_s {
30582 -       atomic_long_t vdata_alloc;
30583 -       atomic_long_t vdata_free;
30584 -       atomic_long_t gts_alloc;
30585 -       atomic_long_t gts_free;
30586 -       atomic_long_t gms_alloc;
30587 -       atomic_long_t gms_free;
30588 -       atomic_long_t gts_double_allocate;
30589 -       atomic_long_t assign_context;
30590 -       atomic_long_t assign_context_failed;
30591 -       atomic_long_t free_context;
30592 -       atomic_long_t load_user_context;
30593 -       atomic_long_t load_kernel_context;
30594 -       atomic_long_t lock_kernel_context;
30595 -       atomic_long_t unlock_kernel_context;
30596 -       atomic_long_t steal_user_context;
30597 -       atomic_long_t steal_kernel_context;
30598 -       atomic_long_t steal_context_failed;
30599 -       atomic_long_t nopfn;
30600 -       atomic_long_t asid_new;
30601 -       atomic_long_t asid_next;
30602 -       atomic_long_t asid_wrap;
30603 -       atomic_long_t asid_reuse;
30604 -       atomic_long_t intr;
30605 -       atomic_long_t intr_cbr;
30606 -       atomic_long_t intr_tfh;
30607 -       atomic_long_t intr_spurious;
30608 -       atomic_long_t intr_mm_lock_failed;
30609 -       atomic_long_t call_os;
30610 -       atomic_long_t call_os_wait_queue;
30611 -       atomic_long_t user_flush_tlb;
30612 -       atomic_long_t user_unload_context;
30613 -       atomic_long_t user_exception;
30614 -       atomic_long_t set_context_option;
30615 -       atomic_long_t check_context_retarget_intr;
30616 -       atomic_long_t check_context_unload;
30617 -       atomic_long_t tlb_dropin;
30618 -       atomic_long_t tlb_preload_page;
30619 -       atomic_long_t tlb_dropin_fail_no_asid;
30620 -       atomic_long_t tlb_dropin_fail_upm;
30621 -       atomic_long_t tlb_dropin_fail_invalid;
30622 -       atomic_long_t tlb_dropin_fail_range_active;
30623 -       atomic_long_t tlb_dropin_fail_idle;
30624 -       atomic_long_t tlb_dropin_fail_fmm;
30625 -       atomic_long_t tlb_dropin_fail_no_exception;
30626 -       atomic_long_t tfh_stale_on_fault;
30627 -       atomic_long_t mmu_invalidate_range;
30628 -       atomic_long_t mmu_invalidate_page;
30629 -       atomic_long_t flush_tlb;
30630 -       atomic_long_t flush_tlb_gru;
30631 -       atomic_long_t flush_tlb_gru_tgh;
30632 -       atomic_long_t flush_tlb_gru_zero_asid;
30633 -
30634 -       atomic_long_t copy_gpa;
30635 -       atomic_long_t read_gpa;
30636 -
30637 -       atomic_long_t mesq_receive;
30638 -       atomic_long_t mesq_receive_none;
30639 -       atomic_long_t mesq_send;
30640 -       atomic_long_t mesq_send_failed;
30641 -       atomic_long_t mesq_noop;
30642 -       atomic_long_t mesq_send_unexpected_error;
30643 -       atomic_long_t mesq_send_lb_overflow;
30644 -       atomic_long_t mesq_send_qlimit_reached;
30645 -       atomic_long_t mesq_send_amo_nacked;
30646 -       atomic_long_t mesq_send_put_nacked;
30647 -       atomic_long_t mesq_page_overflow;
30648 -       atomic_long_t mesq_qf_locked;
30649 -       atomic_long_t mesq_qf_noop_not_full;
30650 -       atomic_long_t mesq_qf_switch_head_failed;
30651 -       atomic_long_t mesq_qf_unexpected_error;
30652 -       atomic_long_t mesq_noop_unexpected_error;
30653 -       atomic_long_t mesq_noop_lb_overflow;
30654 -       atomic_long_t mesq_noop_qlimit_reached;
30655 -       atomic_long_t mesq_noop_amo_nacked;
30656 -       atomic_long_t mesq_noop_put_nacked;
30657 -       atomic_long_t mesq_noop_page_overflow;
30658 +       atomic_long_unchecked_t vdata_alloc;
30659 +       atomic_long_unchecked_t vdata_free;
30660 +       atomic_long_unchecked_t gts_alloc;
30661 +       atomic_long_unchecked_t gts_free;
30662 +       atomic_long_unchecked_t gms_alloc;
30663 +       atomic_long_unchecked_t gms_free;
30664 +       atomic_long_unchecked_t gts_double_allocate;
30665 +       atomic_long_unchecked_t assign_context;
30666 +       atomic_long_unchecked_t assign_context_failed;
30667 +       atomic_long_unchecked_t free_context;
30668 +       atomic_long_unchecked_t load_user_context;
30669 +       atomic_long_unchecked_t load_kernel_context;
30670 +       atomic_long_unchecked_t lock_kernel_context;
30671 +       atomic_long_unchecked_t unlock_kernel_context;
30672 +       atomic_long_unchecked_t steal_user_context;
30673 +       atomic_long_unchecked_t steal_kernel_context;
30674 +       atomic_long_unchecked_t steal_context_failed;
30675 +       atomic_long_unchecked_t nopfn;
30676 +       atomic_long_unchecked_t asid_new;
30677 +       atomic_long_unchecked_t asid_next;
30678 +       atomic_long_unchecked_t asid_wrap;
30679 +       atomic_long_unchecked_t asid_reuse;
30680 +       atomic_long_unchecked_t intr;
30681 +       atomic_long_unchecked_t intr_cbr;
30682 +       atomic_long_unchecked_t intr_tfh;
30683 +       atomic_long_unchecked_t intr_spurious;
30684 +       atomic_long_unchecked_t intr_mm_lock_failed;
30685 +       atomic_long_unchecked_t call_os;
30686 +       atomic_long_unchecked_t call_os_wait_queue;
30687 +       atomic_long_unchecked_t user_flush_tlb;
30688 +       atomic_long_unchecked_t user_unload_context;
30689 +       atomic_long_unchecked_t user_exception;
30690 +       atomic_long_unchecked_t set_context_option;
30691 +       atomic_long_unchecked_t check_context_retarget_intr;
30692 +       atomic_long_unchecked_t check_context_unload;
30693 +       atomic_long_unchecked_t tlb_dropin;
30694 +       atomic_long_unchecked_t tlb_preload_page;
30695 +       atomic_long_unchecked_t tlb_dropin_fail_no_asid;
30696 +       atomic_long_unchecked_t tlb_dropin_fail_upm;
30697 +       atomic_long_unchecked_t tlb_dropin_fail_invalid;
30698 +       atomic_long_unchecked_t tlb_dropin_fail_range_active;
30699 +       atomic_long_unchecked_t tlb_dropin_fail_idle;
30700 +       atomic_long_unchecked_t tlb_dropin_fail_fmm;
30701 +       atomic_long_unchecked_t tlb_dropin_fail_no_exception;
30702 +       atomic_long_unchecked_t tfh_stale_on_fault;
30703 +       atomic_long_unchecked_t mmu_invalidate_range;
30704 +       atomic_long_unchecked_t mmu_invalidate_page;
30705 +       atomic_long_unchecked_t flush_tlb;
30706 +       atomic_long_unchecked_t flush_tlb_gru;
30707 +       atomic_long_unchecked_t flush_tlb_gru_tgh;
30708 +       atomic_long_unchecked_t flush_tlb_gru_zero_asid;
30709 +
30710 +       atomic_long_unchecked_t copy_gpa;
30711 +       atomic_long_unchecked_t read_gpa;
30712 +
30713 +       atomic_long_unchecked_t mesq_receive;
30714 +       atomic_long_unchecked_t mesq_receive_none;
30715 +       atomic_long_unchecked_t mesq_send;
30716 +       atomic_long_unchecked_t mesq_send_failed;
30717 +       atomic_long_unchecked_t mesq_noop;
30718 +       atomic_long_unchecked_t mesq_send_unexpected_error;
30719 +       atomic_long_unchecked_t mesq_send_lb_overflow;
30720 +       atomic_long_unchecked_t mesq_send_qlimit_reached;
30721 +       atomic_long_unchecked_t mesq_send_amo_nacked;
30722 +       atomic_long_unchecked_t mesq_send_put_nacked;
30723 +       atomic_long_unchecked_t mesq_page_overflow;
30724 +       atomic_long_unchecked_t mesq_qf_locked;
30725 +       atomic_long_unchecked_t mesq_qf_noop_not_full;
30726 +       atomic_long_unchecked_t mesq_qf_switch_head_failed;
30727 +       atomic_long_unchecked_t mesq_qf_unexpected_error;
30728 +       atomic_long_unchecked_t mesq_noop_unexpected_error;
30729 +       atomic_long_unchecked_t mesq_noop_lb_overflow;
30730 +       atomic_long_unchecked_t mesq_noop_qlimit_reached;
30731 +       atomic_long_unchecked_t mesq_noop_amo_nacked;
30732 +       atomic_long_unchecked_t mesq_noop_put_nacked;
30733 +       atomic_long_unchecked_t mesq_noop_page_overflow;
30734  
30735  };
30736  
30737 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
30738         tghop_invalidate, mcsop_last};
30739  
30740  struct mcs_op_statistic {
30741 -       atomic_long_t   count;
30742 -       atomic_long_t   total;
30743 +       atomic_long_unchecked_t count;
30744 +       atomic_long_unchecked_t total;
30745         unsigned long   max;
30746  };
30747  
30748 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
30749  
30750  #define STAT(id)       do {                                            \
30751                                 if (gru_options & OPT_STATS)            \
30752 -                                       atomic_long_inc(&gru_stats.id); \
30753 +                                       atomic_long_inc_unchecked(&gru_stats.id);       \
30754                         } while (0)
30755  
30756  #ifdef CONFIG_SGI_GRU_DEBUG
30757 diff -urNp linux-3.1.1/drivers/misc/sgi-xp/xpc.h linux-3.1.1/drivers/misc/sgi-xp/xpc.h
30758 --- linux-3.1.1/drivers/misc/sgi-xp/xpc.h       2011-11-11 15:19:27.000000000 -0500
30759 +++ linux-3.1.1/drivers/misc/sgi-xp/xpc.h       2011-11-16 18:39:07.000000000 -0500
30760 @@ -835,6 +835,7 @@ struct xpc_arch_operations {
30761         void (*received_payload) (struct xpc_channel *, void *);
30762         void (*notify_senders_of_disconnect) (struct xpc_channel *);
30763  };
30764 +typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const;
30765  
30766  /* struct xpc_partition act_state values (for XPC HB) */
30767  
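Review bot: The new xpc_arch_operations_no_const typedef exempts a global function-pointer table from constification without recording why, and a writable ops table in .data is exactly the kind of object an attacker with a kernel write primitive targets. A comment at the typedef would make the trade-off explicit: `/* filled in at init time per architecture, so it cannot live in .rodata; keep __no_const */` — assuming that is indeed why it is written at runtime, which the hunk does not show. A stronger fix, if feasible, is to keep two `static const` tables and select one through a single pointer at init.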
30768 @@ -876,7 +877,7 @@ extern struct xpc_registration xpc_regis
30769  /* found in xpc_main.c */
30770  extern struct device *xpc_part;
30771  extern struct device *xpc_chan;
30772 -extern struct xpc_arch_operations xpc_arch_ops;
30773 +extern xpc_arch_operations_no_const xpc_arch_ops;
30774  extern int xpc_disengage_timelimit;
30775  extern int xpc_disengage_timedout;
30776  extern int xpc_activate_IRQ_rcvd;
30777 diff -urNp linux-3.1.1/drivers/misc/sgi-xp/xpc_main.c linux-3.1.1/drivers/misc/sgi-xp/xpc_main.c
30778 --- linux-3.1.1/drivers/misc/sgi-xp/xpc_main.c  2011-11-11 15:19:27.000000000 -0500
30779 +++ linux-3.1.1/drivers/misc/sgi-xp/xpc_main.c  2011-11-16 18:39:07.000000000 -0500
30780 @@ -162,7 +162,7 @@ static struct notifier_block xpc_die_not
30781         .notifier_call = xpc_system_die,
30782  };
30783  
30784 -struct xpc_arch_operations xpc_arch_ops;
30785 +xpc_arch_operations_no_const xpc_arch_ops;
30786  
30787  /*
30788   * Timer function to enforce the timelimit on the partition disengage.
30789 diff -urNp linux-3.1.1/drivers/misc/sgi-xp/xp.h linux-3.1.1/drivers/misc/sgi-xp/xp.h
30790 --- linux-3.1.1/drivers/misc/sgi-xp/xp.h        2011-11-11 15:19:27.000000000 -0500
30791 +++ linux-3.1.1/drivers/misc/sgi-xp/xp.h        2011-11-16 18:39:07.000000000 -0500
30792 @@ -289,7 +289,7 @@ struct xpc_interface {
30793                                         xpc_notify_func, void *);
30794         void (*received) (short, int, void *);
30795         enum xp_retval (*partid_to_nasids) (short, void *);
30796 -};
30797 +} __no_const;
30798  
30799  extern struct xpc_interface xpc_interface;
30800  
30801 diff -urNp linux-3.1.1/drivers/mmc/host/sdhci-pci.c linux-3.1.1/drivers/mmc/host/sdhci-pci.c
30802 --- linux-3.1.1/drivers/mmc/host/sdhci-pci.c    2011-11-11 15:19:27.000000000 -0500
30803 +++ linux-3.1.1/drivers/mmc/host/sdhci-pci.c    2011-11-16 18:39:07.000000000 -0500
30804 @@ -542,7 +542,7 @@ static const struct sdhci_pci_fixes sdhc
30805         .probe          = via_probe,
30806  };
30807  
30808 -static const struct pci_device_id pci_ids[] __devinitdata = {
30809 +static const struct pci_device_id pci_ids[] __devinitconst = {
30810         {
30811                 .vendor         = PCI_VENDOR_ID_RICOH,
30812                 .device         = PCI_DEVICE_ID_RICOH_R5C822,
30813 diff -urNp linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0001.c linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0001.c
30814 --- linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0001.c     2011-11-11 15:19:27.000000000 -0500
30815 +++ linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0001.c     2011-11-16 18:40:10.000000000 -0500
30816 @@ -757,6 +757,8 @@ static int chip_ready (struct map_info *
30817         struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
30818         unsigned long timeo = jiffies + HZ;
30819  
30820 +       pax_track_stack();
30821 +
30822         /* Prevent setting state FL_SYNCING for chip in suspended state. */
30823         if (mode == FL_SYNCING && chip->oldstate != FL_READY)
30824                 goto sleep;
30825 @@ -1653,6 +1655,8 @@ static int __xipram do_write_buffer(stru
30826         unsigned long initial_adr;
30827         int initial_len = len;
30828  
30829 +       pax_track_stack();
30830 +
30831         wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
30832         adr += chip->start;
30833         initial_adr = adr;
30834 @@ -1871,6 +1875,8 @@ static int __xipram do_erase_oneblock(st
30835         int retries = 3;
30836         int ret;
30837  
30838 +       pax_track_stack();
30839 +
30840         adr += chip->start;
30841  
30842   retry:
30843 diff -urNp linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0020.c linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0020.c
30844 --- linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0020.c     2011-11-11 15:19:27.000000000 -0500
30845 +++ linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0020.c     2011-11-16 18:40:10.000000000 -0500
30846 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
30847         unsigned long cmd_addr;
30848         struct cfi_private *cfi = map->fldrv_priv;
30849  
30850 +       pax_track_stack();
30851 +
30852         adr += chip->start;
30853  
30854         /* Ensure cmd read/writes are aligned. */
30855 @@ -429,6 +431,8 @@ static inline int do_write_buffer(struct
30856         DECLARE_WAITQUEUE(wait, current);
30857         int wbufsize, z;
30858  
30859 +       pax_track_stack();
30860 +
30861          /* M58LW064A requires bus alignment for buffer wriets -- saw */
30862          if (adr & (map_bankwidth(map)-1))
30863              return -EINVAL;
30864 @@ -743,6 +747,8 @@ static inline int do_erase_oneblock(stru
30865         DECLARE_WAITQUEUE(wait, current);
30866         int ret = 0;
30867  
30868 +       pax_track_stack();
30869 +
30870         adr += chip->start;
30871  
30872         /* Let's determine this according to the interleave only once */
30873 @@ -1048,6 +1054,8 @@ static inline int do_lock_oneblock(struc
30874         unsigned long timeo = jiffies + HZ;
30875         DECLARE_WAITQUEUE(wait, current);
30876  
30877 +       pax_track_stack();
30878 +
30879         adr += chip->start;
30880  
30881         /* Let's determine this according to the interleave only once */
30882 @@ -1197,6 +1205,8 @@ static inline int do_unlock_oneblock(str
30883         unsigned long timeo = jiffies + HZ;
30884         DECLARE_WAITQUEUE(wait, current);
30885  
30886 +       pax_track_stack();
30887 +
30888         adr += chip->start;
30889  
30890         /* Let's determine this according to the interleave only once */
30891 diff -urNp linux-3.1.1/drivers/mtd/devices/doc2000.c linux-3.1.1/drivers/mtd/devices/doc2000.c
30892 --- linux-3.1.1/drivers/mtd/devices/doc2000.c   2011-11-11 15:19:27.000000000 -0500
30893 +++ linux-3.1.1/drivers/mtd/devices/doc2000.c   2011-11-16 18:39:07.000000000 -0500
30894 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
30895  
30896                 /* The ECC will not be calculated correctly if less than 512 is written */
30897  /* DBB-
30898 -               if (len != 0x200 && eccbuf)
30899 +               if (len != 0x200)
30900                         printk(KERN_WARNING
30901                                "ECC needs a full sector write (adr: %lx size %lx)\n",
30902                                (long) to, (long) len);
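Review bot: The edited line sits inside the `/* DBB-` comment opened on the line above it, so changing `if (len != 0x200 && eccbuf)` to `if (len != 0x200)` alters commented-out code and has no effect on the compiled driver. Either drop this hunk or delete the dead block outright rather than maintaining it. The closing `*/` is outside the hunk, so confirm the block is still commented out in the patched tree. doc_write starts and ends outside the hunk.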
30903 diff -urNp linux-3.1.1/drivers/mtd/devices/doc2001.c linux-3.1.1/drivers/mtd/devices/doc2001.c
30904 --- linux-3.1.1/drivers/mtd/devices/doc2001.c   2011-11-11 15:19:27.000000000 -0500
30905 +++ linux-3.1.1/drivers/mtd/devices/doc2001.c   2011-11-16 18:39:07.000000000 -0500
30906 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
30907         struct Nand *mychip = &this->chips[from >> (this->chipshift)];
30908  
30909         /* Don't allow read past end of device */
30910 -       if (from >= this->totlen)
30911 +       if (from >= this->totlen || !len)
30912                 return -EINVAL;
30913  
30914         /* Don't allow a single read to cross a 512-byte block boundary */
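Review bot: The added `|| !len` turns a zero-length read into -EINVAL, whereas MTD callers generally treat an empty read as a successful no-op, so this may surface as a spurious error rather than the bounds fix it looks like. If the intent is to protect the block-boundary clamp and loop further down (outside the hunk) from len == 0, prefer an early success after the end-of-device check: `if (!len) { if (retlen) *retlen = 0; return 0; }`, assuming retlen is the usual out-parameter. A comment naming which computation the check guards would also help. doc_read starts and ends outside the hunk.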
30915 diff -urNp linux-3.1.1/drivers/mtd/ftl.c linux-3.1.1/drivers/mtd/ftl.c
30916 --- linux-3.1.1/drivers/mtd/ftl.c       2011-11-11 15:19:27.000000000 -0500
30917 +++ linux-3.1.1/drivers/mtd/ftl.c       2011-11-16 18:40:10.000000000 -0500
30918 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
30919      loff_t offset;
30920      uint16_t srcunitswap = cpu_to_le16(srcunit);
30921  
30922 +    pax_track_stack();
30923 +
30924      eun = &part->EUNInfo[srcunit];
30925      xfer = &part->XferInfo[xferunit];
30926      DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
30927 diff -urNp linux-3.1.1/drivers/mtd/inftlcore.c linux-3.1.1/drivers/mtd/inftlcore.c
30928 --- linux-3.1.1/drivers/mtd/inftlcore.c 2011-11-11 15:19:27.000000000 -0500
30929 +++ linux-3.1.1/drivers/mtd/inftlcore.c 2011-11-16 18:40:10.000000000 -0500
30930 @@ -259,6 +259,8 @@ static u16 INFTL_foldchain(struct INFTLr
30931         struct inftl_oob oob;
30932         size_t retlen;
30933  
30934 +       pax_track_stack();
30935 +
30936         DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
30937                 "pending=%d)\n", inftl, thisVUC, pendingblock);
30938  
30939 diff -urNp linux-3.1.1/drivers/mtd/inftlmount.c linux-3.1.1/drivers/mtd/inftlmount.c
30940 --- linux-3.1.1/drivers/mtd/inftlmount.c        2011-11-11 15:19:27.000000000 -0500
30941 +++ linux-3.1.1/drivers/mtd/inftlmount.c        2011-11-16 18:40:10.000000000 -0500
30942 @@ -53,6 +53,8 @@ static int find_boot_record(struct INFTL
30943         struct INFTLPartition *ip;
30944         size_t retlen;
30945  
30946 +       pax_track_stack();
30947 +
30948         DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
30949  
30950          /*
30951 diff -urNp linux-3.1.1/drivers/mtd/lpddr/qinfo_probe.c linux-3.1.1/drivers/mtd/lpddr/qinfo_probe.c
30952 --- linux-3.1.1/drivers/mtd/lpddr/qinfo_probe.c 2011-11-11 15:19:27.000000000 -0500
30953 +++ linux-3.1.1/drivers/mtd/lpddr/qinfo_probe.c 2011-11-16 18:40:10.000000000 -0500
30954 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
30955  {
30956         map_word pfow_val[4];
30957  
30958 +       pax_track_stack();
30959 +
30960         /* Check identification string */
30961         pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
30962         pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
30963 diff -urNp linux-3.1.1/drivers/mtd/mtdchar.c linux-3.1.1/drivers/mtd/mtdchar.c
30964 --- linux-3.1.1/drivers/mtd/mtdchar.c   2011-11-11 15:19:27.000000000 -0500
30965 +++ linux-3.1.1/drivers/mtd/mtdchar.c   2011-11-16 18:40:10.000000000 -0500
30966 @@ -554,6 +554,8 @@ static int mtd_ioctl(struct file *file, 
30967         u_long size;
30968         struct mtd_info_user info;
30969  
30970 +       pax_track_stack();
30971 +
30972         DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
30973  
30974         size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
30975 diff -urNp linux-3.1.1/drivers/mtd/nand/denali.c linux-3.1.1/drivers/mtd/nand/denali.c
30976 --- linux-3.1.1/drivers/mtd/nand/denali.c       2011-11-11 15:19:27.000000000 -0500
30977 +++ linux-3.1.1/drivers/mtd/nand/denali.c       2011-11-16 18:39:07.000000000 -0500
30978 @@ -26,6 +26,7 @@
30979  #include <linux/pci.h>
30980  #include <linux/mtd/mtd.h>
30981  #include <linux/module.h>
30982 +#include <linux/slab.h>
30983  
30984  #include "denali.h"
30985  
30986 diff -urNp linux-3.1.1/drivers/mtd/nftlcore.c linux-3.1.1/drivers/mtd/nftlcore.c
30987 --- linux-3.1.1/drivers/mtd/nftlcore.c  2011-11-11 15:19:27.000000000 -0500
30988 +++ linux-3.1.1/drivers/mtd/nftlcore.c  2011-11-16 18:40:10.000000000 -0500
30989 @@ -264,6 +264,8 @@ static u16 NFTL_foldchain (struct NFTLre
30990         int inplace = 1;
30991         size_t retlen;
30992  
30993 +       pax_track_stack();
30994 +
30995         memset(BlockMap, 0xff, sizeof(BlockMap));
30996         memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
30997  
30998 diff -urNp linux-3.1.1/drivers/mtd/nftlmount.c linux-3.1.1/drivers/mtd/nftlmount.c
30999 --- linux-3.1.1/drivers/mtd/nftlmount.c 2011-11-11 15:19:27.000000000 -0500
31000 +++ linux-3.1.1/drivers/mtd/nftlmount.c 2011-11-16 18:40:10.000000000 -0500
31001 @@ -24,6 +24,7 @@
31002  #include <asm/errno.h>
31003  #include <linux/delay.h>
31004  #include <linux/slab.h>
31005 +#include <linux/sched.h>
31006  #include <linux/mtd/mtd.h>
31007  #include <linux/mtd/nand.h>
31008  #include <linux/mtd/nftl.h>
31009 @@ -45,6 +46,8 @@ static int find_boot_record(struct NFTLr
31010         struct mtd_info *mtd = nftl->mbd.mtd;
31011         unsigned int i;
31012  
31013 +       pax_track_stack();
31014 +
31015          /* Assume logical EraseSize == physical erasesize for starting the scan.
31016            We'll sort it out later if we find a MediaHeader which says otherwise */
31017         /* Actually, we won't.  The new DiskOnChip driver has already scanned
31018 diff -urNp linux-3.1.1/drivers/mtd/ubi/build.c linux-3.1.1/drivers/mtd/ubi/build.c
31019 --- linux-3.1.1/drivers/mtd/ubi/build.c 2011-11-11 15:19:27.000000000 -0500
31020 +++ linux-3.1.1/drivers/mtd/ubi/build.c 2011-11-16 18:39:07.000000000 -0500
31021 @@ -1311,7 +1311,7 @@ module_exit(ubi_exit);
31022  static int __init bytes_str_to_int(const char *str)
31023  {
31024         char *endp;
31025 -       unsigned long result;
31026 +       unsigned long result, scale = 1;
31027  
31028         result = simple_strtoul(str, &endp, 0);
31029         if (str == endp || result >= INT_MAX) {
31030 @@ -1322,11 +1322,11 @@ static int __init bytes_str_to_int(const
31031  
31032         switch (*endp) {
31033         case 'G':
31034 -               result *= 1024;
31035 +               scale *= 1024;
31036         case 'M':
31037 -               result *= 1024;
31038 +               scale *= 1024;
31039         case 'K':
31040 -               result *= 1024;
31041 +               scale *= 1024;
31042                 if (endp[1] == 'i' && endp[2] == 'B')
31043                         endp += 2;
31044         case '\0':
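Review bot: The G/M/K cases now compound scale by deliberate fallthrough, which is what the later overflow check depends on, but none of the three cases is marked as intentional. Add `/* fallthrough */` after each `scale *= 1024;` and after the KiB suffix handling before `case '\0':` so -Wimplicit-fallthrough and readers can tell this from a missing break. Forming the product only once at the end is fine as long as the overflow check stays adjacent to that final multiplication. bytes_str_to_int begins and ends outside the hunk.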
31045 @@ -1337,7 +1337,13 @@ static int __init bytes_str_to_int(const
31046                 return -EINVAL;
31047         }
31048  
31049 -       return result;
31050 +       if ((intoverflow_t)result*scale >= INT_MAX) {
31051 +               printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
31052 +                      str);
31053 +               return -EINVAL;
31054 +       }
31055 +
31056 +       return result*scale;
31057  }
31058  
31059  /**
31060 diff -urNp linux-3.1.1/drivers/net/atlx/atl2.c linux-3.1.1/drivers/net/atlx/atl2.c
31061 --- linux-3.1.1/drivers/net/atlx/atl2.c 2011-11-11 15:19:27.000000000 -0500
31062 +++ linux-3.1.1/drivers/net/atlx/atl2.c 2011-11-16 18:39:07.000000000 -0500
31063 @@ -2857,7 +2857,7 @@ static void atl2_force_ps(struct atl2_hw
31064   */
31065  
31066  #define ATL2_PARAM(X, desc) \
31067 -    static const int __devinitdata X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
31068 +    static const int __devinitconst X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
31069      MODULE_PARM(X, "1-" __MODULE_STRING(ATL2_MAX_NIC) "i"); \
31070      MODULE_PARM_DESC(X, desc);
31071  #else
31072 diff -urNp linux-3.1.1/drivers/net/bna/bfa_ioc_ct.c linux-3.1.1/drivers/net/bna/bfa_ioc_ct.c
31073 --- linux-3.1.1/drivers/net/bna/bfa_ioc_ct.c    2011-11-11 15:19:27.000000000 -0500
31074 +++ linux-3.1.1/drivers/net/bna/bfa_ioc_ct.c    2011-11-16 18:39:07.000000000 -0500
31075 @@ -48,7 +48,21 @@ static void bfa_ioc_ct_sync_ack(struct b
31076  static bool bfa_ioc_ct_sync_complete(struct bfa_ioc *ioc);
31077  static enum bfa_status bfa_ioc_ct_pll_init(void __iomem *rb, bool fcmode);
31078  
31079 -static struct bfa_ioc_hwif nw_hwif_ct;
31080 +static struct bfa_ioc_hwif nw_hwif_ct = {
31081 +       .ioc_pll_init = bfa_ioc_ct_pll_init,
31082 +       .ioc_firmware_lock = bfa_ioc_ct_firmware_lock,
31083 +       .ioc_firmware_unlock = bfa_ioc_ct_firmware_unlock,
31084 +       .ioc_reg_init = bfa_ioc_ct_reg_init,
31085 +       .ioc_map_port = bfa_ioc_ct_map_port,
31086 +       .ioc_isr_mode_set = bfa_ioc_ct_isr_mode_set,
31087 +       .ioc_notify_fail = bfa_ioc_ct_notify_fail,
31088 +       .ioc_ownership_reset = bfa_ioc_ct_ownership_reset,
31089 +       .ioc_sync_start = bfa_ioc_ct_sync_start,
31090 +       .ioc_sync_join = bfa_ioc_ct_sync_join,
31091 +       .ioc_sync_leave = bfa_ioc_ct_sync_leave,
31092 +       .ioc_sync_ack = bfa_ioc_ct_sync_ack,
31093 +       .ioc_sync_complete = bfa_ioc_ct_sync_complete
31094 +};
31095  
31096  /**
31097   * Called from bfa_ioc_attach() to map asic specific calls.
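Review bot: `nw_hwif_ct` is now fully populated by its designated initializer but stays a writable `static struct bfa_ioc_hwif`, so this function-pointer table remains mutable at run time even though elsewhere in this series similar tables are being protected with `__no_const`/const. If `ioc->ioc_hwif` (assigned in the following `@@ -56,20 +70,6 @@` hunk) is, or can be made, a pointer to const, declaring `static const struct bfa_ioc_hwif nw_hwif_ct = {` would let the compiler reject any later write to the table; if it must stay writable, a one-line comment saying why would be worth adding. The surrounding declarations and `bfa_nw_ioc_set_ct_hwif` continue outside this hunk, so other writers to `nw_hwif_ct` cannot be ruled out from here.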
31098 @@ -56,20 +70,6 @@ static struct bfa_ioc_hwif nw_hwif_ct;
31099  void
31100  bfa_nw_ioc_set_ct_hwif(struct bfa_ioc *ioc)
31101  {
31102 -       nw_hwif_ct.ioc_pll_init = bfa_ioc_ct_pll_init;
31103 -       nw_hwif_ct.ioc_firmware_lock = bfa_ioc_ct_firmware_lock;
31104 -       nw_hwif_ct.ioc_firmware_unlock = bfa_ioc_ct_firmware_unlock;
31105 -       nw_hwif_ct.ioc_reg_init = bfa_ioc_ct_reg_init;
31106 -       nw_hwif_ct.ioc_map_port = bfa_ioc_ct_map_port;
31107 -       nw_hwif_ct.ioc_isr_mode_set = bfa_ioc_ct_isr_mode_set;
31108 -       nw_hwif_ct.ioc_notify_fail = bfa_ioc_ct_notify_fail;
31109 -       nw_hwif_ct.ioc_ownership_reset = bfa_ioc_ct_ownership_reset;
31110 -       nw_hwif_ct.ioc_sync_start = bfa_ioc_ct_sync_start;
31111 -       nw_hwif_ct.ioc_sync_join = bfa_ioc_ct_sync_join;
31112 -       nw_hwif_ct.ioc_sync_leave = bfa_ioc_ct_sync_leave;
31113 -       nw_hwif_ct.ioc_sync_ack = bfa_ioc_ct_sync_ack;
31114 -       nw_hwif_ct.ioc_sync_complete = bfa_ioc_ct_sync_complete;
31115 -
31116         ioc->ioc_hwif = &nw_hwif_ct;
31117  }
31118  
31119 diff -urNp linux-3.1.1/drivers/net/bna/bnad.c linux-3.1.1/drivers/net/bna/bnad.c
31120 --- linux-3.1.1/drivers/net/bna/bnad.c  2011-11-11 15:19:27.000000000 -0500
31121 +++ linux-3.1.1/drivers/net/bna/bnad.c  2011-11-16 18:39:07.000000000 -0500
31122 @@ -1673,7 +1673,14 @@ bnad_setup_tx(struct bnad *bnad, uint tx
31123         struct bna_intr_info *intr_info =
31124                         &res_info[BNA_TX_RES_INTR_T_TXCMPL].res_u.intr_info;
31125         struct bna_tx_config *tx_config = &bnad->tx_config[tx_id];
31126 -       struct bna_tx_event_cbfn tx_cbfn;
31127 +       static struct bna_tx_event_cbfn tx_cbfn = {
31128 +               /* Initialize the tx event handlers */
31129 +               .tcb_setup_cbfn = bnad_cb_tcb_setup,
31130 +               .tcb_destroy_cbfn = bnad_cb_tcb_destroy,
31131 +               .tx_stall_cbfn = bnad_cb_tx_stall,
31132 +               .tx_resume_cbfn = bnad_cb_tx_resume,
31133 +               .tx_cleanup_cbfn = bnad_cb_tx_cleanup
31134 +       };
31135         struct bna_tx *tx;
31136         unsigned long flags;
31137  
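Review bot: Making `tx_cbfn` a function-local `static` (and `rx_cbfn` likewise in the `@@ -1819,21 +1819,21 @@` hunk) turns a per-call stack object into one shared by every Tx/Rx object and every caller of `bnad_setup_tx`/`bnad_setup_rx`. That is behaviour-preserving only if the code that receives `&tx_cbfn` (not visible in this hunk) never writes through the pointer; declaring the tables `static const struct bna_tx_event_cbfn tx_cbfn = {` would have the compiler enforce that, provided the consumer accepts a pointer to const. The `/* Initialize the tx event handlers */` comment carried into the initializer no longer describes an action; `/* Tx event handlers, shared read-only table */` fits the new form. The enclosing function starts before and ends after this hunk.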
31138 @@ -1682,13 +1689,6 @@ bnad_setup_tx(struct bnad *bnad, uint tx
31139         tx_config->txq_depth = bnad->txq_depth;
31140         tx_config->tx_type = BNA_TX_T_REGULAR;
31141  
31142 -       /* Initialize the tx event handlers */
31143 -       tx_cbfn.tcb_setup_cbfn = bnad_cb_tcb_setup;
31144 -       tx_cbfn.tcb_destroy_cbfn = bnad_cb_tcb_destroy;
31145 -       tx_cbfn.tx_stall_cbfn = bnad_cb_tx_stall;
31146 -       tx_cbfn.tx_resume_cbfn = bnad_cb_tx_resume;
31147 -       tx_cbfn.tx_cleanup_cbfn = bnad_cb_tx_cleanup;
31148 -
31149         /* Get BNA's resource requirement for one tx object */
31150         spin_lock_irqsave(&bnad->bna_lock, flags);
31151         bna_tx_res_req(bnad->num_txq_per_tx,
31152 @@ -1819,21 +1819,21 @@ bnad_setup_rx(struct bnad *bnad, uint rx
31153         struct bna_intr_info *intr_info =
31154                         &res_info[BNA_RX_RES_T_INTR].res_u.intr_info;
31155         struct bna_rx_config *rx_config = &bnad->rx_config[rx_id];
31156 -       struct bna_rx_event_cbfn rx_cbfn;
31157 +       static struct bna_rx_event_cbfn rx_cbfn = {
31158 +               /* Initialize the Rx event handlers */
31159 +               .rcb_setup_cbfn = bnad_cb_rcb_setup,
31160 +               .rcb_destroy_cbfn = bnad_cb_rcb_destroy,
31161 +               .ccb_setup_cbfn = bnad_cb_ccb_setup,
31162 +               .ccb_destroy_cbfn = bnad_cb_ccb_destroy,
31163 +               .rx_cleanup_cbfn = bnad_cb_rx_cleanup,
31164 +               .rx_post_cbfn = bnad_cb_rx_post
31165 +       };
31166         struct bna_rx *rx;
31167         unsigned long flags;
31168  
31169         /* Initialize the Rx object configuration */
31170         bnad_init_rx_config(bnad, rx_config);
31171  
31172 -       /* Initialize the Rx event handlers */
31173 -       rx_cbfn.rcb_setup_cbfn = bnad_cb_rcb_setup;
31174 -       rx_cbfn.rcb_destroy_cbfn = bnad_cb_rcb_destroy;
31175 -       rx_cbfn.ccb_setup_cbfn = bnad_cb_ccb_setup;
31176 -       rx_cbfn.ccb_destroy_cbfn = bnad_cb_ccb_destroy;
31177 -       rx_cbfn.rx_cleanup_cbfn = bnad_cb_rx_cleanup;
31178 -       rx_cbfn.rx_post_cbfn = bnad_cb_rx_post;
31179 -
31180         /* Get BNA's resource requirement for one Rx object */
31181         spin_lock_irqsave(&bnad->bna_lock, flags);
31182         bna_rx_res_req(rx_config, res_info);
31183 diff -urNp linux-3.1.1/drivers/net/bnx2.c linux-3.1.1/drivers/net/bnx2.c
31184 --- linux-3.1.1/drivers/net/bnx2.c      2011-11-11 15:19:27.000000000 -0500
31185 +++ linux-3.1.1/drivers/net/bnx2.c      2011-11-16 18:40:11.000000000 -0500
31186 @@ -5877,6 +5877,8 @@ bnx2_test_nvram(struct bnx2 *bp)
31187         int rc = 0;
31188         u32 magic, csum;
31189  
31190 +       pax_track_stack();
31191 +
31192         if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
31193                 goto test_nvram_done;
31194  
31195 diff -urNp linux-3.1.1/drivers/net/bnx2x/bnx2x_ethtool.c linux-3.1.1/drivers/net/bnx2x/bnx2x_ethtool.c
31196 --- linux-3.1.1/drivers/net/bnx2x/bnx2x_ethtool.c       2011-11-11 15:19:27.000000000 -0500
31197 +++ linux-3.1.1/drivers/net/bnx2x/bnx2x_ethtool.c       2011-11-16 18:40:11.000000000 -0500
31198 @@ -1943,6 +1943,8 @@ static int bnx2x_test_nvram(struct bnx2x
31199         int i, rc;
31200         u32 magic, crc;
31201  
31202 +       pax_track_stack();
31203 +
31204         if (BP_NOMCP(bp))
31205                 return 0;
31206  
31207 diff -urNp linux-3.1.1/drivers/net/bnx2x/bnx2x_sp.h linux-3.1.1/drivers/net/bnx2x/bnx2x_sp.h
31208 --- linux-3.1.1/drivers/net/bnx2x/bnx2x_sp.h    2011-11-11 15:19:27.000000000 -0500
31209 +++ linux-3.1.1/drivers/net/bnx2x/bnx2x_sp.h    2011-11-16 18:39:07.000000000 -0500
31210 @@ -449,7 +449,7 @@ struct bnx2x_rx_mode_obj {
31211  
31212         int (*wait_comp)(struct bnx2x *bp,
31213                          struct bnx2x_rx_mode_ramrod_params *p);
31214 -};
31215 +} __no_const;
31216  
31217  /********************** Set multicast group ***********************************/
31218  
31219 diff -urNp linux-3.1.1/drivers/net/cxgb3/l2t.h linux-3.1.1/drivers/net/cxgb3/l2t.h
31220 --- linux-3.1.1/drivers/net/cxgb3/l2t.h 2011-11-11 15:19:27.000000000 -0500
31221 +++ linux-3.1.1/drivers/net/cxgb3/l2t.h 2011-11-16 18:39:07.000000000 -0500
31222 @@ -87,7 +87,7 @@ typedef void (*arp_failure_handler_func)
31223   */
31224  struct l2t_skb_cb {
31225         arp_failure_handler_func arp_failure_handler;
31226 -};
31227 +} __no_const;
31228  
31229  #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
31230  
31231 diff -urNp linux-3.1.1/drivers/net/cxgb4/cxgb4_main.c linux-3.1.1/drivers/net/cxgb4/cxgb4_main.c
31232 --- linux-3.1.1/drivers/net/cxgb4/cxgb4_main.c  2011-11-11 15:19:27.000000000 -0500
31233 +++ linux-3.1.1/drivers/net/cxgb4/cxgb4_main.c  2011-11-16 18:40:22.000000000 -0500
31234 @@ -3396,6 +3396,8 @@ static int __devinit enable_msix(struct 
31235         unsigned int nchan = adap->params.nports;
31236         struct msix_entry entries[MAX_INGQ + 1];
31237  
31238 +       pax_track_stack();
31239 +
31240         for (i = 0; i < ARRAY_SIZE(entries); ++i)
31241                 entries[i].entry = i;
31242  
31243 diff -urNp linux-3.1.1/drivers/net/cxgb4/t4_hw.c linux-3.1.1/drivers/net/cxgb4/t4_hw.c
31244 --- linux-3.1.1/drivers/net/cxgb4/t4_hw.c       2011-11-11 15:19:27.000000000 -0500
31245 +++ linux-3.1.1/drivers/net/cxgb4/t4_hw.c       2011-11-16 18:40:22.000000000 -0500
31246 @@ -362,6 +362,8 @@ static int get_vpd_params(struct adapter
31247         u8 vpd[VPD_LEN], csum;
31248         unsigned int vpdr_len, kw_offset, id_len;
31249  
31250 +       pax_track_stack();
31251 +
31252         ret = pci_read_vpd(adapter->pdev, VPD_BASE, sizeof(vpd), vpd);
31253         if (ret < 0)
31254                 return ret;
31255 diff -urNp linux-3.1.1/drivers/net/e1000e/82571.c linux-3.1.1/drivers/net/e1000e/82571.c
31256 --- linux-3.1.1/drivers/net/e1000e/82571.c      2011-11-11 15:19:27.000000000 -0500
31257 +++ linux-3.1.1/drivers/net/e1000e/82571.c      2011-11-16 18:39:07.000000000 -0500
31258 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
31259  {
31260         struct e1000_hw *hw = &adapter->hw;
31261         struct e1000_mac_info *mac = &hw->mac;
31262 -       struct e1000_mac_operations *func = &mac->ops;
31263 +       e1000_mac_operations_no_const *func = &mac->ops;
31264         u32 swsm = 0;
31265         u32 swsm2 = 0;
31266         bool force_clear_smbi = false;
31267 diff -urNp linux-3.1.1/drivers/net/e1000e/es2lan.c linux-3.1.1/drivers/net/e1000e/es2lan.c
31268 --- linux-3.1.1/drivers/net/e1000e/es2lan.c     2011-11-11 15:19:27.000000000 -0500
31269 +++ linux-3.1.1/drivers/net/e1000e/es2lan.c     2011-11-16 18:39:07.000000000 -0500
31270 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
31271  {
31272         struct e1000_hw *hw = &adapter->hw;
31273         struct e1000_mac_info *mac = &hw->mac;
31274 -       struct e1000_mac_operations *func = &mac->ops;
31275 +       e1000_mac_operations_no_const *func = &mac->ops;
31276  
31277         /* Set media type */
31278         switch (adapter->pdev->device) {
31279 diff -urNp linux-3.1.1/drivers/net/e1000e/hw.h linux-3.1.1/drivers/net/e1000e/hw.h
31280 --- linux-3.1.1/drivers/net/e1000e/hw.h 2011-11-11 15:19:27.000000000 -0500
31281 +++ linux-3.1.1/drivers/net/e1000e/hw.h 2011-11-16 18:39:07.000000000 -0500
31282 @@ -778,6 +778,7 @@ struct e1000_mac_operations {
31283         void (*write_vfta)(struct e1000_hw *, u32, u32);
31284         s32  (*read_mac_addr)(struct e1000_hw *);
31285  };
31286 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31287  
31288  /*
31289   * When to use various PHY register access functions:
31290 @@ -818,6 +819,7 @@ struct e1000_phy_operations {
31291         void (*power_up)(struct e1000_hw *);
31292         void (*power_down)(struct e1000_hw *);
31293  };
31294 +typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
31295  
31296  /* Function pointers for the NVM. */
31297  struct e1000_nvm_operations {
31298 @@ -829,9 +831,10 @@ struct e1000_nvm_operations {
31299         s32  (*validate)(struct e1000_hw *);
31300         s32  (*write)(struct e1000_hw *, u16, u16, u16 *);
31301  };
31302 +typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
31303  
31304  struct e1000_mac_info {
31305 -       struct e1000_mac_operations ops;
31306 +       e1000_mac_operations_no_const ops;
31307         u8 addr[ETH_ALEN];
31308         u8 perm_addr[ETH_ALEN];
31309  
31310 @@ -872,7 +875,7 @@ struct e1000_mac_info {
31311  };
31312  
31313  struct e1000_phy_info {
31314 -       struct e1000_phy_operations ops;
31315 +       e1000_phy_operations_no_const ops;
31316  
31317         enum e1000_phy_type type;
31318  
31319 @@ -906,7 +909,7 @@ struct e1000_phy_info {
31320  };
31321  
31322  struct e1000_nvm_info {
31323 -       struct e1000_nvm_operations ops;
31324 +       e1000_nvm_operations_no_const ops;
31325  
31326         enum e1000_nvm_type type;
31327         enum e1000_nvm_override override;
31328 diff -urNp linux-3.1.1/drivers/net/fealnx.c linux-3.1.1/drivers/net/fealnx.c
31329 --- linux-3.1.1/drivers/net/fealnx.c    2011-11-11 15:19:27.000000000 -0500
31330 +++ linux-3.1.1/drivers/net/fealnx.c    2011-11-16 18:39:07.000000000 -0500
31331 @@ -150,7 +150,7 @@ struct chip_info {
31332         int flags;
31333  };
31334  
31335 -static const struct chip_info skel_netdrv_tbl[] __devinitdata = {
31336 +static const struct chip_info skel_netdrv_tbl[] __devinitconst = {
31337         { "100/10M Ethernet PCI Adapter",       HAS_MII_XCVR },
31338         { "100/10M Ethernet PCI Adapter",       HAS_CHIP_XCVR },
31339         { "1000/100/10M Ethernet PCI Adapter",  HAS_MII_XCVR },
31340 diff -urNp linux-3.1.1/drivers/net/hamradio/6pack.c linux-3.1.1/drivers/net/hamradio/6pack.c
31341 --- linux-3.1.1/drivers/net/hamradio/6pack.c    2011-11-11 15:19:27.000000000 -0500
31342 +++ linux-3.1.1/drivers/net/hamradio/6pack.c    2011-11-16 18:40:22.000000000 -0500
31343 @@ -463,6 +463,8 @@ static void sixpack_receive_buf(struct t
31344         unsigned char buf[512];
31345         int count1;
31346  
31347 +       pax_track_stack();
31348 +
31349         if (!count)
31350                 return;
31351  
31352 diff -urNp linux-3.1.1/drivers/net/igb/e1000_hw.h linux-3.1.1/drivers/net/igb/e1000_hw.h
31353 --- linux-3.1.1/drivers/net/igb/e1000_hw.h      2011-11-11 15:19:27.000000000 -0500
31354 +++ linux-3.1.1/drivers/net/igb/e1000_hw.h      2011-11-16 18:39:07.000000000 -0500
31355 @@ -314,6 +314,7 @@ struct e1000_mac_operations {
31356         s32  (*read_mac_addr)(struct e1000_hw *);
31357         s32  (*get_speed_and_duplex)(struct e1000_hw *, u16 *, u16 *);
31358  };
31359 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31360  
31361  struct e1000_phy_operations {
31362         s32  (*acquire)(struct e1000_hw *);
31363 @@ -330,6 +331,7 @@ struct e1000_phy_operations {
31364         s32  (*set_d3_lplu_state)(struct e1000_hw *, bool);
31365         s32  (*write_reg)(struct e1000_hw *, u32, u16);
31366  };
31367 +typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
31368  
31369  struct e1000_nvm_operations {
31370         s32  (*acquire)(struct e1000_hw *);
31371 @@ -339,6 +341,7 @@ struct e1000_nvm_operations {
31372         s32  (*update)(struct e1000_hw *);
31373         s32  (*validate)(struct e1000_hw *);
31374  };
31375 +typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
31376  
31377  struct e1000_info {
31378         s32 (*get_invariants)(struct e1000_hw *);
31379 @@ -350,7 +353,7 @@ struct e1000_info {
31380  extern const struct e1000_info e1000_82575_info;
31381  
31382  struct e1000_mac_info {
31383 -       struct e1000_mac_operations ops;
31384 +       e1000_mac_operations_no_const ops;
31385  
31386         u8 addr[6];
31387         u8 perm_addr[6];
31388 @@ -388,7 +391,7 @@ struct e1000_mac_info {
31389  };
31390  
31391  struct e1000_phy_info {
31392 -       struct e1000_phy_operations ops;
31393 +       e1000_phy_operations_no_const ops;
31394  
31395         enum e1000_phy_type type;
31396  
31397 @@ -423,7 +426,7 @@ struct e1000_phy_info {
31398  };
31399  
31400  struct e1000_nvm_info {
31401 -       struct e1000_nvm_operations ops;
31402 +       e1000_nvm_operations_no_const ops;
31403         enum e1000_nvm_type type;
31404         enum e1000_nvm_override override;
31405  
31406 @@ -468,6 +471,7 @@ struct e1000_mbx_operations {
31407         s32 (*check_for_ack)(struct e1000_hw *, u16);
31408         s32 (*check_for_rst)(struct e1000_hw *, u16);
31409  };
31410 +typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
31411  
31412  struct e1000_mbx_stats {
31413         u32 msgs_tx;
31414 @@ -479,7 +483,7 @@ struct e1000_mbx_stats {
31415  };
31416  
31417  struct e1000_mbx_info {
31418 -       struct e1000_mbx_operations ops;
31419 +       e1000_mbx_operations_no_const ops;
31420         struct e1000_mbx_stats stats;
31421         u32 timeout;
31422         u32 usec_delay;
31423 diff -urNp linux-3.1.1/drivers/net/igbvf/vf.h linux-3.1.1/drivers/net/igbvf/vf.h
31424 --- linux-3.1.1/drivers/net/igbvf/vf.h  2011-11-11 15:19:27.000000000 -0500
31425 +++ linux-3.1.1/drivers/net/igbvf/vf.h  2011-11-16 18:39:07.000000000 -0500
31426 @@ -189,9 +189,10 @@ struct e1000_mac_operations {
31427         s32  (*read_mac_addr)(struct e1000_hw *);
31428         s32  (*set_vfta)(struct e1000_hw *, u16, bool);
31429  };
31430 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31431  
31432  struct e1000_mac_info {
31433 -       struct e1000_mac_operations ops;
31434 +       e1000_mac_operations_no_const ops;
31435         u8 addr[6];
31436         u8 perm_addr[6];
31437  
31438 @@ -213,6 +214,7 @@ struct e1000_mbx_operations {
31439         s32 (*check_for_ack)(struct e1000_hw *);
31440         s32 (*check_for_rst)(struct e1000_hw *);
31441  };
31442 +typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
31443  
31444  struct e1000_mbx_stats {
31445         u32 msgs_tx;
31446 @@ -224,7 +226,7 @@ struct e1000_mbx_stats {
31447  };
31448  
31449  struct e1000_mbx_info {
31450 -       struct e1000_mbx_operations ops;
31451 +       e1000_mbx_operations_no_const ops;
31452         struct e1000_mbx_stats stats;
31453         u32 timeout;
31454         u32 usec_delay;
31455 diff -urNp linux-3.1.1/drivers/net/ixgb/ixgb_main.c linux-3.1.1/drivers/net/ixgb/ixgb_main.c
31456 --- linux-3.1.1/drivers/net/ixgb/ixgb_main.c    2011-11-11 15:19:27.000000000 -0500
31457 +++ linux-3.1.1/drivers/net/ixgb/ixgb_main.c    2011-11-16 18:40:22.000000000 -0500
31458 @@ -1070,6 +1070,8 @@ ixgb_set_multi(struct net_device *netdev
31459         u32 rctl;
31460         int i;
31461  
31462 +       pax_track_stack();
31463 +
31464         /* Check for Promiscuous and All Multicast modes */
31465  
31466         rctl = IXGB_READ_REG(hw, RCTL);
31467 diff -urNp linux-3.1.1/drivers/net/ixgb/ixgb_param.c linux-3.1.1/drivers/net/ixgb/ixgb_param.c
31468 --- linux-3.1.1/drivers/net/ixgb/ixgb_param.c   2011-11-11 15:19:27.000000000 -0500
31469 +++ linux-3.1.1/drivers/net/ixgb/ixgb_param.c   2011-11-16 18:40:22.000000000 -0500
31470 @@ -261,6 +261,9 @@ void __devinit
31471  ixgb_check_options(struct ixgb_adapter *adapter)
31472  {
31473         int bd = adapter->bd_number;
31474 +
31475 +       pax_track_stack();
31476 +
31477         if (bd >= IXGB_MAX_NIC) {
31478                 pr_notice("Warning: no configuration for board #%i\n", bd);
31479                 pr_notice("Using defaults for all values\n");
31480 diff -urNp linux-3.1.1/drivers/net/ixgbe/ixgbe_type.h linux-3.1.1/drivers/net/ixgbe/ixgbe_type.h
31481 --- linux-3.1.1/drivers/net/ixgbe/ixgbe_type.h  2011-11-11 15:19:27.000000000 -0500
31482 +++ linux-3.1.1/drivers/net/ixgbe/ixgbe_type.h  2011-11-16 18:39:07.000000000 -0500
31483 @@ -2642,6 +2642,7 @@ struct ixgbe_eeprom_operations {
31484         s32 (*update_checksum)(struct ixgbe_hw *);
31485         u16 (*calc_checksum)(struct ixgbe_hw *);
31486  };
31487 +typedef struct ixgbe_eeprom_operations __no_const ixgbe_eeprom_operations_no_const;
31488  
31489  struct ixgbe_mac_operations {
31490         s32 (*init_hw)(struct ixgbe_hw *);
31491 @@ -2703,6 +2704,7 @@ struct ixgbe_mac_operations {
31492         /* Manageability interface */
31493         s32 (*set_fw_drv_ver)(struct ixgbe_hw *, u8, u8, u8, u8);
31494  };
31495 +typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
31496  
31497  struct ixgbe_phy_operations {
31498         s32 (*identify)(struct ixgbe_hw *);
31499 @@ -2722,9 +2724,10 @@ struct ixgbe_phy_operations {
31500         s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
31501         s32 (*check_overtemp)(struct ixgbe_hw *);
31502  };
31503 +typedef struct ixgbe_phy_operations __no_const ixgbe_phy_operations_no_const;
31504  
31505  struct ixgbe_eeprom_info {
31506 -       struct ixgbe_eeprom_operations  ops;
31507 +       ixgbe_eeprom_operations_no_const ops;
31508         enum ixgbe_eeprom_type          type;
31509         u32                             semaphore_delay;
31510         u16                             word_size;
31511 @@ -2734,7 +2737,7 @@ struct ixgbe_eeprom_info {
31512  
31513  #define IXGBE_FLAGS_DOUBLE_RESET_REQUIRED      0x01
31514  struct ixgbe_mac_info {
31515 -       struct ixgbe_mac_operations     ops;
31516 +       ixgbe_mac_operations_no_const   ops;
31517         enum ixgbe_mac_type             type;
31518         u8                              addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
31519         u8                              perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
31520 @@ -2762,7 +2765,7 @@ struct ixgbe_mac_info {
31521  };
31522  
31523  struct ixgbe_phy_info {
31524 -       struct ixgbe_phy_operations     ops;
31525 +       ixgbe_phy_operations_no_const   ops;
31526         struct mdio_if_info             mdio;
31527         enum ixgbe_phy_type             type;
31528         u32                             id;
31529 @@ -2790,6 +2793,7 @@ struct ixgbe_mbx_operations {
31530         s32 (*check_for_ack)(struct ixgbe_hw *, u16);
31531         s32 (*check_for_rst)(struct ixgbe_hw *, u16);
31532  };
31533 +typedef struct ixgbe_mbx_operations __no_const ixgbe_mbx_operations_no_const;
31534  
31535  struct ixgbe_mbx_stats {
31536         u32 msgs_tx;
31537 @@ -2801,7 +2805,7 @@ struct ixgbe_mbx_stats {
31538  };
31539  
31540  struct ixgbe_mbx_info {
31541 -       struct ixgbe_mbx_operations ops;
31542 +       ixgbe_mbx_operations_no_const ops;
31543         struct ixgbe_mbx_stats stats;
31544         u32 timeout;
31545         u32 usec_delay;
31546 diff -urNp linux-3.1.1/drivers/net/ixgbevf/vf.h linux-3.1.1/drivers/net/ixgbevf/vf.h
31547 --- linux-3.1.1/drivers/net/ixgbevf/vf.h        2011-11-11 15:19:27.000000000 -0500
31548 +++ linux-3.1.1/drivers/net/ixgbevf/vf.h        2011-11-16 18:39:07.000000000 -0500
31549 @@ -70,6 +70,7 @@ struct ixgbe_mac_operations {
31550         s32 (*clear_vfta)(struct ixgbe_hw *);
31551         s32 (*set_vfta)(struct ixgbe_hw *, u32, u32, bool);
31552  };
31553 +typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
31554  
31555  enum ixgbe_mac_type {
31556         ixgbe_mac_unknown = 0,
31557 @@ -79,7 +80,7 @@ enum ixgbe_mac_type {
31558  };
31559  
31560  struct ixgbe_mac_info {
31561 -       struct ixgbe_mac_operations ops;
31562 +       ixgbe_mac_operations_no_const ops;
31563         u8 addr[6];
31564         u8 perm_addr[6];
31565  
31566 @@ -103,6 +104,7 @@ struct ixgbe_mbx_operations {
31567         s32 (*check_for_ack)(struct ixgbe_hw *);
31568         s32 (*check_for_rst)(struct ixgbe_hw *);
31569  };
31570 +typedef struct ixgbe_mbx_operations __no_const ixgbe_mbx_operations_no_const;
31571  
31572  struct ixgbe_mbx_stats {
31573         u32 msgs_tx;
31574 @@ -114,7 +116,7 @@ struct ixgbe_mbx_stats {
31575  };
31576  
31577  struct ixgbe_mbx_info {
31578 -       struct ixgbe_mbx_operations ops;
31579 +       ixgbe_mbx_operations_no_const ops;
31580         struct ixgbe_mbx_stats stats;
31581         u32 timeout;
31582         u32 udelay;
31583 diff -urNp linux-3.1.1/drivers/net/ksz884x.c linux-3.1.1/drivers/net/ksz884x.c
31584 --- linux-3.1.1/drivers/net/ksz884x.c   2011-11-11 15:19:27.000000000 -0500
31585 +++ linux-3.1.1/drivers/net/ksz884x.c   2011-11-16 18:40:22.000000000 -0500
31586 @@ -6533,6 +6533,8 @@ static void netdev_get_ethtool_stats(str
31587         int rc;
31588         u64 counter[TOTAL_PORT_COUNTER_NUM];
31589  
31590 +       pax_track_stack();
31591 +
31592         mutex_lock(&hw_priv->lock);
31593         n = SWITCH_PORT_NUM;
31594         for (i = 0, p = port->first_port; i < port->mib_port_cnt; i++, p++) {
31595 diff -urNp linux-3.1.1/drivers/net/mlx4/main.c linux-3.1.1/drivers/net/mlx4/main.c
31596 --- linux-3.1.1/drivers/net/mlx4/main.c 2011-11-11 15:19:27.000000000 -0500
31597 +++ linux-3.1.1/drivers/net/mlx4/main.c 2011-11-16 18:40:22.000000000 -0500
31598 @@ -40,6 +40,7 @@
31599  #include <linux/dma-mapping.h>
31600  #include <linux/slab.h>
31601  #include <linux/io-mapping.h>
31602 +#include <linux/sched.h>
31603  
31604  #include <linux/mlx4/device.h>
31605  #include <linux/mlx4/doorbell.h>
31606 @@ -762,6 +763,8 @@ static int mlx4_init_hca(struct mlx4_dev
31607         u64 icm_size;
31608         int err;
31609  
31610 +       pax_track_stack();
31611 +
31612         err = mlx4_QUERY_FW(dev);
31613         if (err) {
31614                 if (err == -EACCES)
31615 diff -urNp linux-3.1.1/drivers/net/niu.c linux-3.1.1/drivers/net/niu.c
31616 --- linux-3.1.1/drivers/net/niu.c       2011-11-11 15:19:27.000000000 -0500
31617 +++ linux-3.1.1/drivers/net/niu.c       2011-11-16 18:40:22.000000000 -0500
31618 @@ -9061,6 +9061,8 @@ static void __devinit niu_try_msix(struc
31619         int i, num_irqs, err;
31620         u8 first_ldg;
31621  
31622 +       pax_track_stack();
31623 +
31624         first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
31625         for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
31626                 ldg_num_map[i] = first_ldg + i;
31627 diff -urNp linux-3.1.1/drivers/net/pcnet32.c linux-3.1.1/drivers/net/pcnet32.c
31628 --- linux-3.1.1/drivers/net/pcnet32.c   2011-11-11 15:19:27.000000000 -0500
31629 +++ linux-3.1.1/drivers/net/pcnet32.c   2011-11-16 18:39:07.000000000 -0500
31630 @@ -270,7 +270,7 @@ struct pcnet32_private {
31631         struct sk_buff          **rx_skbuff;
31632         dma_addr_t              *tx_dma_addr;
31633         dma_addr_t              *rx_dma_addr;
31634 -       struct pcnet32_access   a;
31635 +       struct pcnet32_access   *a;
31636         spinlock_t              lock;           /* Guard lock */
31637         unsigned int            cur_rx, cur_tx; /* The next free ring entry */
31638         unsigned int            rx_ring_size;   /* current rx ring size */
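Review bot: Changing `struct pcnet32_access a;` to `struct pcnet32_access *a;` means `lp->a` now aliases an access table instead of holding its own copy, so the pointed-to object must outlive the device and every site that previously copied into `lp->a` (the probe path is not in view) must become a pointer assignment. The later hunks in this file convert the readers to `lp->a->`, but the writer side is not visible here; it is worth confirming the target is a file-scope table and, since it is no longer copied, whether it can be const with the member becoming `const struct pcnet32_access *a;`. A comment on the member, `/* register access ops; points at a file-scope table, not owned */`, would record the new ownership. `struct pcnet32_private` begins before this hunk.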
31639 @@ -460,9 +460,9 @@ static void pcnet32_netif_start(struct n
31640         u16 val;
31641  
31642         netif_wake_queue(dev);
31643 -       val = lp->a.read_csr(ioaddr, CSR3);
31644 +       val = lp->a->read_csr(ioaddr, CSR3);
31645         val &= 0x00ff;
31646 -       lp->a.write_csr(ioaddr, CSR3, val);
31647 +       lp->a->write_csr(ioaddr, CSR3, val);
31648         napi_enable(&lp->napi);
31649  }
31650  
31651 @@ -730,7 +730,7 @@ static u32 pcnet32_get_link(struct net_d
31652                 r = mii_link_ok(&lp->mii_if);
31653         } else if (lp->chip_version >= PCNET32_79C970A) {
31654                 ulong ioaddr = dev->base_addr;  /* card base I/O address */
31655 -               r = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
31656 +               r = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
31657         } else {        /* can not detect link on really old chips */
31658                 r = 1;
31659         }
31660 @@ -792,7 +792,7 @@ static int pcnet32_set_ringparam(struct 
31661                 pcnet32_netif_stop(dev);
31662  
31663         spin_lock_irqsave(&lp->lock, flags);
31664 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);       /* stop the chip */
31665 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);      /* stop the chip */
31666  
31667         size = min(ering->tx_pending, (unsigned int)TX_MAX_RING_SIZE);
31668  
31669 @@ -868,7 +868,7 @@ static void pcnet32_ethtool_test(struct 
31670  static int pcnet32_loopback_test(struct net_device *dev, uint64_t * data1)
31671  {
31672         struct pcnet32_private *lp = netdev_priv(dev);
31673 -       struct pcnet32_access *a = &lp->a;      /* access to registers */
31674 +       struct pcnet32_access *a = lp->a;       /* access to registers */
31675         ulong ioaddr = dev->base_addr;  /* card base I/O address */
31676         struct sk_buff *skb;    /* sk buff */
31677         int x, i;               /* counters */
31678 @@ -888,21 +888,21 @@ static int pcnet32_loopback_test(struct 
31679                 pcnet32_netif_stop(dev);
31680  
31681         spin_lock_irqsave(&lp->lock, flags);
31682 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);       /* stop the chip */
31683 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);      /* stop the chip */
31684  
31685         numbuffs = min(numbuffs, (int)min(lp->rx_ring_size, lp->tx_ring_size));
31686  
31687         /* Reset the PCNET32 */
31688 -       lp->a.reset(ioaddr);
31689 -       lp->a.write_csr(ioaddr, CSR4, 0x0915);  /* auto tx pad */
31690 +       lp->a->reset(ioaddr);
31691 +       lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31692  
31693         /* switch pcnet32 to 32bit mode */
31694 -       lp->a.write_bcr(ioaddr, 20, 2);
31695 +       lp->a->write_bcr(ioaddr, 20, 2);
31696  
31697         /* purge & init rings but don't actually restart */
31698         pcnet32_restart(dev, 0x0000);
31699  
31700 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);       /* Set STOP bit */
31701 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);      /* Set STOP bit */
31702  
31703         /* Initialize Transmit buffers. */
31704         size = data_len + 15;
31705 @@ -947,10 +947,10 @@ static int pcnet32_loopback_test(struct 
31706  
31707         /* set int loopback in CSR15 */
31708         x = a->read_csr(ioaddr, CSR15) & 0xfffc;
31709 -       lp->a.write_csr(ioaddr, CSR15, x | 0x0044);
31710 +       lp->a->write_csr(ioaddr, CSR15, x | 0x0044);
31711  
31712         teststatus = cpu_to_le16(0x8000);
31713 -       lp->a.write_csr(ioaddr, CSR0, CSR0_START);      /* Set STRT bit */
31714 +       lp->a->write_csr(ioaddr, CSR0, CSR0_START);     /* Set STRT bit */
31715  
31716         /* Check status of descriptors */
31717         for (x = 0; x < numbuffs; x++) {
31718 @@ -969,7 +969,7 @@ static int pcnet32_loopback_test(struct 
31719                 }
31720         }
31721  
31722 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);       /* Set STOP bit */
31723 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);      /* Set STOP bit */
31724         wmb();
31725         if (netif_msg_hw(lp) && netif_msg_pktdata(lp)) {
31726                 netdev_printk(KERN_DEBUG, dev, "RX loopback packets:\n");
31727 @@ -1015,7 +1015,7 @@ clean_up:
31728                 pcnet32_restart(dev, CSR0_NORMAL);
31729         } else {
31730                 pcnet32_purge_rx_ring(dev);
31731 -               lp->a.write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
31732 +               lp->a->write_bcr(ioaddr, 20, 4);        /* return to 16bit mode */
31733         }
31734         spin_unlock_irqrestore(&lp->lock, flags);
31735  
31736 @@ -1026,7 +1026,7 @@ static int pcnet32_set_phys_id(struct ne
31737                                enum ethtool_phys_id_state state)
31738  {
31739         struct pcnet32_private *lp = netdev_priv(dev);
31740 -       struct pcnet32_access *a = &lp->a;
31741 +       struct pcnet32_access *a = lp->a;
31742         ulong ioaddr = dev->base_addr;
31743         unsigned long flags;
31744         int i;
31745 @@ -1067,7 +1067,7 @@ static int pcnet32_suspend(struct net_de
31746  {
31747         int csr5;
31748         struct pcnet32_private *lp = netdev_priv(dev);
31749 -       struct pcnet32_access *a = &lp->a;
31750 +       struct pcnet32_access *a = lp->a;
31751         ulong ioaddr = dev->base_addr;
31752         int ticks;
31753  
31754 @@ -1324,8 +1324,8 @@ static int pcnet32_poll(struct napi_stru
31755         spin_lock_irqsave(&lp->lock, flags);
31756         if (pcnet32_tx(dev)) {
31757                 /* reset the chip to clear the error condition, then restart */
31758 -               lp->a.reset(ioaddr);
31759 -               lp->a.write_csr(ioaddr, CSR4, 0x0915);  /* auto tx pad */
31760 +               lp->a->reset(ioaddr);
31761 +               lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31762                 pcnet32_restart(dev, CSR0_START);
31763                 netif_wake_queue(dev);
31764         }
31765 @@ -1337,12 +1337,12 @@ static int pcnet32_poll(struct napi_stru
31766                 __napi_complete(napi);
31767  
31768                 /* clear interrupt masks */
31769 -               val = lp->a.read_csr(ioaddr, CSR3);
31770 +               val = lp->a->read_csr(ioaddr, CSR3);
31771                 val &= 0x00ff;
31772 -               lp->a.write_csr(ioaddr, CSR3, val);
31773 +               lp->a->write_csr(ioaddr, CSR3, val);
31774  
31775                 /* Set interrupt enable. */
31776 -               lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN);
31777 +               lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
31778  
31779                 spin_unlock_irqrestore(&lp->lock, flags);
31780         }
31781 @@ -1365,7 +1365,7 @@ static void pcnet32_get_regs(struct net_
31782         int i, csr0;
31783         u16 *buff = ptr;
31784         struct pcnet32_private *lp = netdev_priv(dev);
31785 -       struct pcnet32_access *a = &lp->a;
31786 +       struct pcnet32_access *a = lp->a;
31787         ulong ioaddr = dev->base_addr;
31788         unsigned long flags;
31789  
31790 @@ -1401,9 +1401,9 @@ static void pcnet32_get_regs(struct net_
31791                 for (j = 0; j < PCNET32_MAX_PHYS; j++) {
31792                         if (lp->phymask & (1 << j)) {
31793                                 for (i = 0; i < PCNET32_REGS_PER_PHY; i++) {
31794 -                                       lp->a.write_bcr(ioaddr, 33,
31795 +                                       lp->a->write_bcr(ioaddr, 33,
31796                                                         (j << 5) | i);
31797 -                                       *buff++ = lp->a.read_bcr(ioaddr, 34);
31798 +                                       *buff++ = lp->a->read_bcr(ioaddr, 34);
31799                                 }
31800                         }
31801                 }
31802 @@ -1785,7 +1785,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31803             ((cards_found >= MAX_UNITS) || full_duplex[cards_found]))
31804                 lp->options |= PCNET32_PORT_FD;
31805  
31806 -       lp->a = *a;
31807 +       lp->a = a;
31808  
31809         /* prior to register_netdev, dev->name is not yet correct */
31810         if (pcnet32_alloc_ring(dev, pci_name(lp->pci_dev))) {
31811 @@ -1844,7 +1844,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31812         if (lp->mii) {
31813                 /* lp->phycount and lp->phymask are set to 0 by memset above */
31814  
31815 -               lp->mii_if.phy_id = ((lp->a.read_bcr(ioaddr, 33)) >> 5) & 0x1f;
31816 +               lp->mii_if.phy_id = ((lp->a->read_bcr(ioaddr, 33)) >> 5) & 0x1f;
31817                 /* scan for PHYs */
31818                 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
31819                         unsigned short id1, id2;
31820 @@ -1864,7 +1864,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31821                                 pr_info("Found PHY %04x:%04x at address %d\n",
31822                                         id1, id2, i);
31823                 }
31824 -               lp->a.write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
31825 +               lp->a->write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
31826                 if (lp->phycount > 1)
31827                         lp->options |= PCNET32_PORT_MII;
31828         }
31829 @@ -2020,10 +2020,10 @@ static int pcnet32_open(struct net_devic
31830         }
31831  
31832         /* Reset the PCNET32 */
31833 -       lp->a.reset(ioaddr);
31834 +       lp->a->reset(ioaddr);
31835  
31836         /* switch pcnet32 to 32bit mode */
31837 -       lp->a.write_bcr(ioaddr, 20, 2);
31838 +       lp->a->write_bcr(ioaddr, 20, 2);
31839  
31840         netif_printk(lp, ifup, KERN_DEBUG, dev,
31841                      "%s() irq %d tx/rx rings %#x/%#x init %#x\n",
31842 @@ -2032,14 +2032,14 @@ static int pcnet32_open(struct net_devic
31843                      (u32) (lp->init_dma_addr));
31844  
31845         /* set/reset autoselect bit */
31846 -       val = lp->a.read_bcr(ioaddr, 2) & ~2;
31847 +       val = lp->a->read_bcr(ioaddr, 2) & ~2;
31848         if (lp->options & PCNET32_PORT_ASEL)
31849                 val |= 2;
31850 -       lp->a.write_bcr(ioaddr, 2, val);
31851 +       lp->a->write_bcr(ioaddr, 2, val);
31852  
31853         /* handle full duplex setting */
31854         if (lp->mii_if.full_duplex) {
31855 -               val = lp->a.read_bcr(ioaddr, 9) & ~3;
31856 +               val = lp->a->read_bcr(ioaddr, 9) & ~3;
31857                 if (lp->options & PCNET32_PORT_FD) {
31858                         val |= 1;
31859                         if (lp->options == (PCNET32_PORT_FD | PCNET32_PORT_AUI))
31860 @@ -2049,14 +2049,14 @@ static int pcnet32_open(struct net_devic
31861                         if (lp->chip_version == 0x2627)
31862                                 val |= 3;
31863                 }
31864 -               lp->a.write_bcr(ioaddr, 9, val);
31865 +               lp->a->write_bcr(ioaddr, 9, val);
31866         }
31867  
31868         /* set/reset GPSI bit in test register */
31869 -       val = lp->a.read_csr(ioaddr, 124) & ~0x10;
31870 +       val = lp->a->read_csr(ioaddr, 124) & ~0x10;
31871         if ((lp->options & PCNET32_PORT_PORTSEL) == PCNET32_PORT_GPSI)
31872                 val |= 0x10;
31873 -       lp->a.write_csr(ioaddr, 124, val);
31874 +       lp->a->write_csr(ioaddr, 124, val);
31875  
31876         /* Allied Telesyn AT 2700/2701 FX are 100Mbit only and do not negotiate */
31877         if (pdev && pdev->subsystem_vendor == PCI_VENDOR_ID_AT &&
31878 @@ -2075,24 +2075,24 @@ static int pcnet32_open(struct net_devic
31879                  * duplex, and/or enable auto negotiation, and clear DANAS
31880                  */
31881                 if (lp->mii && !(lp->options & PCNET32_PORT_ASEL)) {
31882 -                       lp->a.write_bcr(ioaddr, 32,
31883 -                                       lp->a.read_bcr(ioaddr, 32) | 0x0080);
31884 +                       lp->a->write_bcr(ioaddr, 32,
31885 +                                       lp->a->read_bcr(ioaddr, 32) | 0x0080);
31886                         /* disable Auto Negotiation, set 10Mpbs, HD */
31887 -                       val = lp->a.read_bcr(ioaddr, 32) & ~0xb8;
31888 +                       val = lp->a->read_bcr(ioaddr, 32) & ~0xb8;
31889                         if (lp->options & PCNET32_PORT_FD)
31890                                 val |= 0x10;
31891                         if (lp->options & PCNET32_PORT_100)
31892                                 val |= 0x08;
31893 -                       lp->a.write_bcr(ioaddr, 32, val);
31894 +                       lp->a->write_bcr(ioaddr, 32, val);
31895                 } else {
31896                         if (lp->options & PCNET32_PORT_ASEL) {
31897 -                               lp->a.write_bcr(ioaddr, 32,
31898 -                                               lp->a.read_bcr(ioaddr,
31899 +                               lp->a->write_bcr(ioaddr, 32,
31900 +                                               lp->a->read_bcr(ioaddr,
31901                                                                32) | 0x0080);
31902                                 /* enable auto negotiate, setup, disable fd */
31903 -                               val = lp->a.read_bcr(ioaddr, 32) & ~0x98;
31904 +                               val = lp->a->read_bcr(ioaddr, 32) & ~0x98;
31905                                 val |= 0x20;
31906 -                               lp->a.write_bcr(ioaddr, 32, val);
31907 +                               lp->a->write_bcr(ioaddr, 32, val);
31908                         }
31909                 }
31910         } else {
31911 @@ -2105,10 +2105,10 @@ static int pcnet32_open(struct net_devic
31912                  * There is really no good other way to handle multiple PHYs
31913                  * other than turning off all automatics
31914                  */
31915 -               val = lp->a.read_bcr(ioaddr, 2);
31916 -               lp->a.write_bcr(ioaddr, 2, val & ~2);
31917 -               val = lp->a.read_bcr(ioaddr, 32);
31918 -               lp->a.write_bcr(ioaddr, 32, val & ~(1 << 7));   /* stop MII manager */
31919 +               val = lp->a->read_bcr(ioaddr, 2);
31920 +               lp->a->write_bcr(ioaddr, 2, val & ~2);
31921 +               val = lp->a->read_bcr(ioaddr, 32);
31922 +               lp->a->write_bcr(ioaddr, 32, val & ~(1 << 7));  /* stop MII manager */
31923  
31924                 if (!(lp->options & PCNET32_PORT_ASEL)) {
31925                         /* setup ecmd */
31926 @@ -2118,7 +2118,7 @@ static int pcnet32_open(struct net_devic
31927                         ethtool_cmd_speed_set(&ecmd,
31928                                               (lp->options & PCNET32_PORT_100) ?
31929                                               SPEED_100 : SPEED_10);
31930 -                       bcr9 = lp->a.read_bcr(ioaddr, 9);
31931 +                       bcr9 = lp->a->read_bcr(ioaddr, 9);
31932  
31933                         if (lp->options & PCNET32_PORT_FD) {
31934                                 ecmd.duplex = DUPLEX_FULL;
31935 @@ -2127,7 +2127,7 @@ static int pcnet32_open(struct net_devic
31936                                 ecmd.duplex = DUPLEX_HALF;
31937                                 bcr9 |= ~(1 << 0);
31938                         }
31939 -                       lp->a.write_bcr(ioaddr, 9, bcr9);
31940 +                       lp->a->write_bcr(ioaddr, 9, bcr9);
31941                 }
31942  
31943                 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
31944 @@ -2158,9 +2158,9 @@ static int pcnet32_open(struct net_devic
31945  
31946  #ifdef DO_DXSUFLO
31947         if (lp->dxsuflo) {      /* Disable transmit stop on underflow */
31948 -               val = lp->a.read_csr(ioaddr, CSR3);
31949 +               val = lp->a->read_csr(ioaddr, CSR3);
31950                 val |= 0x40;
31951 -               lp->a.write_csr(ioaddr, CSR3, val);
31952 +               lp->a->write_csr(ioaddr, CSR3, val);
31953         }
31954  #endif
31955  
31956 @@ -2176,11 +2176,11 @@ static int pcnet32_open(struct net_devic
31957         napi_enable(&lp->napi);
31958  
31959         /* Re-initialize the PCNET32, and start it when done. */
31960 -       lp->a.write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
31961 -       lp->a.write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
31962 +       lp->a->write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
31963 +       lp->a->write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
31964  
31965 -       lp->a.write_csr(ioaddr, CSR4, 0x0915);  /* auto tx pad */
31966 -       lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
31967 +       lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31968 +       lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
31969  
31970         netif_start_queue(dev);
31971  
31972 @@ -2192,19 +2192,19 @@ static int pcnet32_open(struct net_devic
31973  
31974         i = 0;
31975         while (i++ < 100)
31976 -               if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
31977 +               if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
31978                         break;
31979         /*
31980          * We used to clear the InitDone bit, 0x0100, here but Mark Stockton
31981          * reports that doing so triggers a bug in the '974.
31982          */
31983 -       lp->a.write_csr(ioaddr, CSR0, CSR0_NORMAL);
31984 +       lp->a->write_csr(ioaddr, CSR0, CSR0_NORMAL);
31985  
31986         netif_printk(lp, ifup, KERN_DEBUG, dev,
31987                      "pcnet32 open after %d ticks, init block %#x csr0 %4.4x\n",
31988                      i,
31989                      (u32) (lp->init_dma_addr),
31990 -                    lp->a.read_csr(ioaddr, CSR0));
31991 +                    lp->a->read_csr(ioaddr, CSR0));
31992  
31993         spin_unlock_irqrestore(&lp->lock, flags);
31994  
31995 @@ -2218,7 +2218,7 @@ err_free_ring:
31996          * Switch back to 16bit mode to avoid problems with dumb
31997          * DOS packet driver after a warm reboot
31998          */
31999 -       lp->a.write_bcr(ioaddr, 20, 4);
32000 +       lp->a->write_bcr(ioaddr, 20, 4);
32001  
32002  err_free_irq:
32003         spin_unlock_irqrestore(&lp->lock, flags);
32004 @@ -2323,7 +2323,7 @@ static void pcnet32_restart(struct net_d
32005  
32006         /* wait for stop */
32007         for (i = 0; i < 100; i++)
32008 -               if (lp->a.read_csr(ioaddr, CSR0) & CSR0_STOP)
32009 +               if (lp->a->read_csr(ioaddr, CSR0) & CSR0_STOP)
32010                         break;
32011  
32012         if (i >= 100)
32013 @@ -2335,13 +2335,13 @@ static void pcnet32_restart(struct net_d
32014                 return;
32015  
32016         /* ReInit Ring */
32017 -       lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
32018 +       lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
32019         i = 0;
32020         while (i++ < 1000)
32021 -               if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
32022 +               if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
32023                         break;
32024  
32025 -       lp->a.write_csr(ioaddr, CSR0, csr0_bits);
32026 +       lp->a->write_csr(ioaddr, CSR0, csr0_bits);
32027  }
32028  
32029  static void pcnet32_tx_timeout(struct net_device *dev)
32030 @@ -2353,8 +2353,8 @@ static void pcnet32_tx_timeout(struct ne
32031         /* Transmitter timeout, serious problems. */
32032         if (pcnet32_debug & NETIF_MSG_DRV)
32033                 pr_err("%s: transmit timed out, status %4.4x, resetting\n",
32034 -                      dev->name, lp->a.read_csr(ioaddr, CSR0));
32035 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
32036 +                      dev->name, lp->a->read_csr(ioaddr, CSR0));
32037 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
32038         dev->stats.tx_errors++;
32039         if (netif_msg_tx_err(lp)) {
32040                 int i;
32041 @@ -2397,7 +2397,7 @@ static netdev_tx_t pcnet32_start_xmit(st
32042  
32043         netif_printk(lp, tx_queued, KERN_DEBUG, dev,
32044                      "%s() called, csr0 %4.4x\n",
32045 -                    __func__, lp->a.read_csr(ioaddr, CSR0));
32046 +                    __func__, lp->a->read_csr(ioaddr, CSR0));
32047  
32048         /* Default status -- will not enable Successful-TxDone
32049          * interrupt when that option is available to us.
32050 @@ -2427,7 +2427,7 @@ static netdev_tx_t pcnet32_start_xmit(st
32051         dev->stats.tx_bytes += skb->len;
32052  
32053         /* Trigger an immediate send poll. */
32054 -       lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
32055 +       lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
32056  
32057         if (lp->tx_ring[(entry + 1) & lp->tx_mod_mask].base != 0) {
32058                 lp->tx_full = 1;
32059 @@ -2452,16 +2452,16 @@ pcnet32_interrupt(int irq, void *dev_id)
32060  
32061         spin_lock(&lp->lock);
32062  
32063 -       csr0 = lp->a.read_csr(ioaddr, CSR0);
32064 +       csr0 = lp->a->read_csr(ioaddr, CSR0);
32065         while ((csr0 & 0x8f00) && --boguscnt >= 0) {
32066                 if (csr0 == 0xffff)
32067                         break;  /* PCMCIA remove happened */
32068                 /* Acknowledge all of the current interrupt sources ASAP. */
32069 -               lp->a.write_csr(ioaddr, CSR0, csr0 & ~0x004f);
32070 +               lp->a->write_csr(ioaddr, CSR0, csr0 & ~0x004f);
32071  
32072                 netif_printk(lp, intr, KERN_DEBUG, dev,
32073                              "interrupt  csr0=%#2.2x new csr=%#2.2x\n",
32074 -                            csr0, lp->a.read_csr(ioaddr, CSR0));
32075 +                            csr0, lp->a->read_csr(ioaddr, CSR0));
32076  
32077                 /* Log misc errors. */
32078                 if (csr0 & 0x4000)
32079 @@ -2488,19 +2488,19 @@ pcnet32_interrupt(int irq, void *dev_id)
32080                 if (napi_schedule_prep(&lp->napi)) {
32081                         u16 val;
32082                         /* set interrupt masks */
32083 -                       val = lp->a.read_csr(ioaddr, CSR3);
32084 +                       val = lp->a->read_csr(ioaddr, CSR3);
32085                         val |= 0x5f00;
32086 -                       lp->a.write_csr(ioaddr, CSR3, val);
32087 +                       lp->a->write_csr(ioaddr, CSR3, val);
32088  
32089                         __napi_schedule(&lp->napi);
32090                         break;
32091                 }
32092 -               csr0 = lp->a.read_csr(ioaddr, CSR0);
32093 +               csr0 = lp->a->read_csr(ioaddr, CSR0);
32094         }
32095  
32096         netif_printk(lp, intr, KERN_DEBUG, dev,
32097                      "exiting interrupt, csr0=%#4.4x\n",
32098 -                    lp->a.read_csr(ioaddr, CSR0));
32099 +                    lp->a->read_csr(ioaddr, CSR0));
32100  
32101         spin_unlock(&lp->lock);
32102  
32103 @@ -2520,20 +2520,20 @@ static int pcnet32_close(struct net_devi
32104  
32105         spin_lock_irqsave(&lp->lock, flags);
32106  
32107 -       dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
32108 +       dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
32109  
32110         netif_printk(lp, ifdown, KERN_DEBUG, dev,
32111                      "Shutting down ethercard, status was %2.2x\n",
32112 -                    lp->a.read_csr(ioaddr, CSR0));
32113 +                    lp->a->read_csr(ioaddr, CSR0));
32114  
32115         /* We stop the PCNET32 here -- it occasionally polls memory if we don't. */
32116 -       lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
32117 +       lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
32118  
32119         /*
32120          * Switch back to 16bit mode to avoid problems with dumb
32121          * DOS packet driver after a warm reboot
32122          */
32123 -       lp->a.write_bcr(ioaddr, 20, 4);
32124 +       lp->a->write_bcr(ioaddr, 20, 4);
32125  
32126         spin_unlock_irqrestore(&lp->lock, flags);
32127  
32128 @@ -2556,7 +2556,7 @@ static struct net_device_stats *pcnet32_
32129         unsigned long flags;
32130  
32131         spin_lock_irqsave(&lp->lock, flags);
32132 -       dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
32133 +       dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
32134         spin_unlock_irqrestore(&lp->lock, flags);
32135  
32136         return &dev->stats;
32137 @@ -2577,10 +2577,10 @@ static void pcnet32_load_multicast(struc
32138         if (dev->flags & IFF_ALLMULTI) {
32139                 ib->filter[0] = cpu_to_le32(~0U);
32140                 ib->filter[1] = cpu_to_le32(~0U);
32141 -               lp->a.write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
32142 -               lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
32143 -               lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
32144 -               lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
32145 +               lp->a->write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
32146 +               lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
32147 +               lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
32148 +               lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
32149                 return;
32150         }
32151         /* clear the multicast filter */
32152 @@ -2594,7 +2594,7 @@ static void pcnet32_load_multicast(struc
32153                 mcast_table[crc >> 4] |= cpu_to_le16(1 << (crc & 0xf));
32154         }
32155         for (i = 0; i < 4; i++)
32156 -               lp->a.write_csr(ioaddr, PCNET32_MC_FILTER + i,
32157 +               lp->a->write_csr(ioaddr, PCNET32_MC_FILTER + i,
32158                                 le16_to_cpu(mcast_table[i]));
32159  }
32160  
32161 @@ -2609,28 +2609,28 @@ static void pcnet32_set_multicast_list(s
32162  
32163         spin_lock_irqsave(&lp->lock, flags);
32164         suspended = pcnet32_suspend(dev, &flags, 0);
32165 -       csr15 = lp->a.read_csr(ioaddr, CSR15);
32166 +       csr15 = lp->a->read_csr(ioaddr, CSR15);
32167         if (dev->flags & IFF_PROMISC) {
32168                 /* Log any net taps. */
32169                 netif_info(lp, hw, dev, "Promiscuous mode enabled\n");
32170                 lp->init_block->mode =
32171                     cpu_to_le16(0x8000 | (lp->options & PCNET32_PORT_PORTSEL) <<
32172                                 7);
32173 -               lp->a.write_csr(ioaddr, CSR15, csr15 | 0x8000);
32174 +               lp->a->write_csr(ioaddr, CSR15, csr15 | 0x8000);
32175         } else {
32176                 lp->init_block->mode =
32177                     cpu_to_le16((lp->options & PCNET32_PORT_PORTSEL) << 7);
32178 -               lp->a.write_csr(ioaddr, CSR15, csr15 & 0x7fff);
32179 +               lp->a->write_csr(ioaddr, CSR15, csr15 & 0x7fff);
32180                 pcnet32_load_multicast(dev);
32181         }
32182  
32183         if (suspended) {
32184                 int csr5;
32185                 /* clear SUSPEND (SPND) - CSR5 bit 0 */
32186 -               csr5 = lp->a.read_csr(ioaddr, CSR5);
32187 -               lp->a.write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
32188 +               csr5 = lp->a->read_csr(ioaddr, CSR5);
32189 +               lp->a->write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
32190         } else {
32191 -               lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
32192 +               lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
32193                 pcnet32_restart(dev, CSR0_NORMAL);
32194                 netif_wake_queue(dev);
32195         }
32196 @@ -2648,8 +2648,8 @@ static int mdio_read(struct net_device *
32197         if (!lp->mii)
32198                 return 0;
32199  
32200 -       lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32201 -       val_out = lp->a.read_bcr(ioaddr, 34);
32202 +       lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32203 +       val_out = lp->a->read_bcr(ioaddr, 34);
32204  
32205         return val_out;
32206  }
32207 @@ -2663,8 +2663,8 @@ static void mdio_write(struct net_device
32208         if (!lp->mii)
32209                 return;
32210  
32211 -       lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32212 -       lp->a.write_bcr(ioaddr, 34, val);
32213 +       lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32214 +       lp->a->write_bcr(ioaddr, 34, val);
32215  }
32216  
32217  static int pcnet32_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
32218 @@ -2741,7 +2741,7 @@ static void pcnet32_check_media(struct n
32219                 curr_link = mii_link_ok(&lp->mii_if);
32220         } else {
32221                 ulong ioaddr = dev->base_addr;  /* card base I/O address */
32222 -               curr_link = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
32223 +               curr_link = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
32224         }
32225         if (!curr_link) {
32226                 if (prev_link || verbose) {
32227 @@ -2764,13 +2764,13 @@ static void pcnet32_check_media(struct n
32228                                             (ecmd.duplex == DUPLEX_FULL)
32229                                             ? "full" : "half");
32230                         }
32231 -                       bcr9 = lp->a.read_bcr(dev->base_addr, 9);
32232 +                       bcr9 = lp->a->read_bcr(dev->base_addr, 9);
32233                         if ((bcr9 & (1 << 0)) != lp->mii_if.full_duplex) {
32234                                 if (lp->mii_if.full_duplex)
32235                                         bcr9 |= (1 << 0);
32236                                 else
32237                                         bcr9 &= ~(1 << 0);
32238 -                               lp->a.write_bcr(dev->base_addr, 9, bcr9);
32239 +                               lp->a->write_bcr(dev->base_addr, 9, bcr9);
32240                         }
32241                 } else {
32242                         netif_info(lp, link, dev, "link up\n");
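--- a/linux-3.1.1/drivers/net/ppp_generic.c
+++ b/linux-3.1.1/drivers/net/ppp_generic.c
@@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, st
        void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
        struct ppp_stats stats;
        struct ppp_comp_stats cstats;
-       char *vers;
 
        switch (cmd) {
        case SIOCGPPPSTATS:
@@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, st
                break;
 
        case SIOCGPPPVER:
-               vers = PPP_VERSION;
-               if (copy_to_user(addr, vers, strlen(vers) + 1))
+               if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
                        break;
                err = 0;
                break;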
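Review bot: The new `copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION))` is only equivalent to the old `strlen(vers) + 1` while PPP_VERSION remains a string-literal macro; should it ever become a `const char *` or be built from another expression, `sizeof` silently yields the pointer size rather than the string length and the user copy is truncated. A one-line comment would pin that invariant for the next reader, e.g. `/* PPP_VERSION is a string literal: sizeof() includes the terminating NUL */`. ppp_net_ioctl's body starts and ends outside the hunk.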
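--- a/linux-3.1.1/drivers/net/r8169.c
+++ b/linux-3.1.1/drivers/net/r8169.c
@@ -663,12 +663,12 @@ struct rtl8169_private {
        struct mdio_ops {
                void (*write)(void __iomem *, int, int);
                int (*read)(void __iomem *, int);
-       } mdio_ops;
+       } __no_const mdio_ops;
 
        struct pll_power_ops {
                void (*down)(struct rtl8169_private *);
                void (*up)(struct rtl8169_private *);
-       } pll_power_ops;
+       } __no_const pll_power_ops;
 
        int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
        int (*get_settings)(struct net_device *, struct ethtool_cmd *);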
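Review bot: The `__no_const` annotation on `mdio_ops` and `pll_power_ops` arrives without a comment saying why these two embedded ops structs are excluded while the bare function pointers `set_speed`/`get_settings` directly below are not touched. Presumably the nested structs are assigned as a whole at runtime for the specific chip variant and therefore cannot be made read-only, but that reasoning is not visible here; a comment such as `/* assigned per chip variant at runtime; must stay writable (__no_const) */` would record it. The enclosing `struct rtl8169_private` definition starts and ends outside the hunk.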
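--- a/linux-3.1.1/drivers/net/sis190.c
+++ b/linux-3.1.1/drivers/net/sis190.c
@@ -1624,7 +1624,7 @@ static int __devinit sis190_get_mac_addr
 static int __devinit sis190_get_mac_addr_from_apc(struct pci_dev *pdev,
                                                   struct net_device *dev)
 {
-       static const u16 __devinitdata ids[] = { 0x0965, 0x0966, 0x0968 };
+       static const u16 __devinitconst ids[] = { 0x0965, 0x0966, 0x0968 };
        struct sis190_private *tp = netdev_priv(dev);
        struct pci_dev *isa_bridge;
        u8 reg, tmp8;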
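--- a/linux-3.1.1/drivers/net/sundance.c
+++ b/linux-3.1.1/drivers/net/sundance.c
@@ -218,7 +218,7 @@ enum {
 struct pci_id_info {
         const char *name;
 };
-static const struct pci_id_info pci_id_tbl[] __devinitdata = {
+static const struct pci_id_info pci_id_tbl[] __devinitconst = {
        {"D-Link DFE-550TX FAST Ethernet Adapter"},
        {"D-Link DFE-550FX 100Mbps Fiber-optics Adapter"},
        {"D-Link DFE-580TX 4 port Server Adapter"},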
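--- a/linux-3.1.1/drivers/net/tg3.h
+++ b/linux-3.1.1/drivers/net/tg3.h
@@ -134,6 +134,7 @@
 #define  CHIPREV_ID_5750_A0             0x4000
 #define  CHIPREV_ID_5750_A1             0x4001
 #define  CHIPREV_ID_5750_A3             0x4003
+#define  CHIPREV_ID_5750_C1             0x4201
 #define  CHIPREV_ID_5750_C2             0x4202
 #define  CHIPREV_ID_5752_A0_HW          0x5000
 #define  CHIPREV_ID_5752_A0             0x6000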
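--- a/linux-3.1.1/drivers/net/tokenring/abyss.c
+++ b/linux-3.1.1/drivers/net/tokenring/abyss.c
@@ -451,10 +451,12 @@ static struct pci_driver abyss_driver = 
 
 static int __init abyss_init (void)
 {
-       abyss_netdev_ops = tms380tr_netdev_ops;
+       pax_open_kernel();
+       memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
 
-       abyss_netdev_ops.ndo_open = abyss_open;
-       abyss_netdev_ops.ndo_stop = abyss_close;
+       *(void **)&abyss_netdev_ops.ndo_open = abyss_open;
+       *(void **)&abyss_netdev_ops.ndo_stop = abyss_close;
+       pax_close_kernel();
 
        return pci_register_driver(&abyss_driver);
 }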
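Review bot: The `(void *)` cast on the memcpy destination and the `*(void **)&` stores indicate that `abyss_netdev_ops` is now const-qualified (its declaration is outside the hunk), yet nothing in the function records that these writes are only valid inside the `pax_open_kernel()`/`pax_close_kernel()` window; a comment such as `/* abyss_netdev_ops is read-only after init; write it only between pax_open_kernel()/pax_close_kernel() */` would make the contract explicit. Writing a function pointer through `void **` also relies on the kernel being built with `-fno-strict-aliasing`, which is worth a word in the same comment. As a point of style, `sizeof(tms380tr_netdev_ops)` sizes the copy by the source object; `sizeof(abyss_netdev_ops)` (the destination) is the safer idiom should the two ever be declared with different types. The identical pattern appears in madgemc_init, proteon_init and sk_isa_init in the following hunks and the same remarks apply there.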
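--- a/linux-3.1.1/drivers/net/tokenring/madgemc.c
+++ b/linux-3.1.1/drivers/net/tokenring/madgemc.c
@@ -744,9 +744,11 @@ static struct mca_driver madgemc_driver 
 
 static int __init madgemc_init (void)
 {
-       madgemc_netdev_ops = tms380tr_netdev_ops;
-       madgemc_netdev_ops.ndo_open = madgemc_open;
-       madgemc_netdev_ops.ndo_stop = madgemc_close;
+       pax_open_kernel();
+       memcpy((void *)&madgemc_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
+       *(void **)&madgemc_netdev_ops.ndo_open = madgemc_open;
+       *(void **)&madgemc_netdev_ops.ndo_stop = madgemc_close;
+       pax_close_kernel();
 
        return mca_register_driver (&madgemc_driver);
 }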
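--- a/linux-3.1.1/drivers/net/tokenring/proteon.c
+++ b/linux-3.1.1/drivers/net/tokenring/proteon.c
@@ -353,9 +353,11 @@ static int __init proteon_init(void)
        struct platform_device *pdev;
        int i, num = 0, err = 0;
 
-       proteon_netdev_ops = tms380tr_netdev_ops;
-       proteon_netdev_ops.ndo_open = proteon_open;
-       proteon_netdev_ops.ndo_stop = tms380tr_close;
+       pax_open_kernel();
+       memcpy((void *)&proteon_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
+       *(void **)&proteon_netdev_ops.ndo_open = proteon_open;
+       *(void **)&proteon_netdev_ops.ndo_stop = tms380tr_close;
+       pax_close_kernel();
 
        err = platform_driver_register(&proteon_driver);
        if (err)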
32372 diff -urNp linux-3.1.1/drivers/net/tokenring/skisa.c linux-3.1.1/drivers/net/tokenring/skisa.c
32373 --- linux-3.1.1/drivers/net/tokenring/skisa.c   2011-11-11 15:19:27.000000000 -0500
32374 +++ linux-3.1.1/drivers/net/tokenring/skisa.c   2011-11-16 18:39:07.000000000 -0500
32375 @@ -363,9 +363,11 @@ static int __init sk_isa_init(void)
32376         struct platform_device *pdev;
32377         int i, num = 0, err = 0;
32378  
32379 -       sk_isa_netdev_ops = tms380tr_netdev_ops;
32380 -       sk_isa_netdev_ops.ndo_open = sk_isa_open;
32381 -       sk_isa_netdev_ops.ndo_stop = tms380tr_close;
32382 +       pax_open_kernel();
32383 +       memcpy((void *)&sk_isa_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32384 +       *(void **)&sk_isa_netdev_ops.ndo_open = sk_isa_open;
32385 +       *(void **)&sk_isa_netdev_ops.ndo_stop = tms380tr_close;
32386 +       pax_close_kernel();
32387  
32388         err = platform_driver_register(&sk_isa_driver);
32389         if (err)
32390 diff -urNp linux-3.1.1/drivers/net/tulip/de2104x.c linux-3.1.1/drivers/net/tulip/de2104x.c
32391 --- linux-3.1.1/drivers/net/tulip/de2104x.c     2011-11-11 15:19:27.000000000 -0500
32392 +++ linux-3.1.1/drivers/net/tulip/de2104x.c     2011-11-16 18:40:22.000000000 -0500
32393 @@ -1795,6 +1795,8 @@ static void __devinit de21041_get_srom_i
32394         struct de_srom_info_leaf *il;
32395         void *bufp;
32396  
32397 +       pax_track_stack();
32398 +
32399         /* download entire eeprom */
32400         for (i = 0; i < DE_EEPROM_WORDS; i++)
32401                 ((__le16 *)ee_data)[i] =
32402 diff -urNp linux-3.1.1/drivers/net/tulip/de4x5.c linux-3.1.1/drivers/net/tulip/de4x5.c
32403 --- linux-3.1.1/drivers/net/tulip/de4x5.c       2011-11-11 15:19:27.000000000 -0500
32404 +++ linux-3.1.1/drivers/net/tulip/de4x5.c       2011-11-16 18:39:07.000000000 -0500
32405 @@ -5397,7 +5397,7 @@ de4x5_ioctl(struct net_device *dev, stru
32406         for (i=0; i<ETH_ALEN; i++) {
32407             tmp.addr[i] = dev->dev_addr[i];
32408         }
32409 -       if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
32410 +       if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
32411         break;
32412  
32413      case DE4X5_SET_HWADDR:           /* Set the hardware address */
32414 @@ -5437,7 +5437,7 @@ de4x5_ioctl(struct net_device *dev, stru
32415         spin_lock_irqsave(&lp->lock, flags);
32416         memcpy(&statbuf, &lp->pktStats, ioc->len);
32417         spin_unlock_irqrestore(&lp->lock, flags);
32418 -       if (copy_to_user(ioc->data, &statbuf, ioc->len))
32419 +       if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
32420                 return -EFAULT;
32421         break;
32422      }
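Review bot: The added `ioc->len > sizeof statbuf` guard sits after the `memcpy(&statbuf, &lp->pktStats, ioc->len);` two lines above it, so the kernel-side copy into the on-stack statbuf is still performed with a length that has not yet been checked; only the copy_to_user is protected. Unless ioc->len is assigned from sizeof statbuf earlier in this case (the start of the case and the rest of de4x5_ioctl lie outside the hunk), the bound should be validated before the spin_lock_irqsave, e.g. `if (ioc->len > sizeof statbuf) return -EFAULT;` ahead of the lock, after which the check on the copy_to_user line is redundant. The DE4X5_GET_HWADDR hunk above does not have this ordering problem, since its only copy driven by ioc->len is the guarded copy_to_user.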
32423 diff -urNp linux-3.1.1/drivers/net/tulip/eeprom.c linux-3.1.1/drivers/net/tulip/eeprom.c
32424 --- linux-3.1.1/drivers/net/tulip/eeprom.c      2011-11-11 15:19:27.000000000 -0500
32425 +++ linux-3.1.1/drivers/net/tulip/eeprom.c      2011-11-16 18:39:07.000000000 -0500
32426 @@ -81,7 +81,7 @@ static struct eeprom_fixup eeprom_fixups
32427    {NULL}};
32428  
32429  
32430 -static const char *block_name[] __devinitdata = {
32431 +static const char *block_name[] __devinitconst = {
32432         "21140 non-MII",
32433         "21140 MII PHY",
32434         "21142 Serial PHY",
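Review bot: `__devinitconst` places block_name in a read-only init section, but `static const char *block_name[]` declares an array of writable pointers to const char, so the object's type and its section disagree; the matching declaration is `static const char * const block_name[] __devinitconst = {`. Some GCC versions reject the current form with a section type conflict once another object lands in the same section, and the fully-const form is also what upstream uses with this annotation. The winbond-840 hunk below does not need the same fix, since pci_id_tbl is already declared `const struct pci_id_info`.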
32435 diff -urNp linux-3.1.1/drivers/net/tulip/winbond-840.c linux-3.1.1/drivers/net/tulip/winbond-840.c
32436 --- linux-3.1.1/drivers/net/tulip/winbond-840.c 2011-11-11 15:19:27.000000000 -0500
32437 +++ linux-3.1.1/drivers/net/tulip/winbond-840.c 2011-11-16 18:39:07.000000000 -0500
32438 @@ -236,7 +236,7 @@ struct pci_id_info {
32439          int drv_flags;         /* Driver use, intended as capability flags. */
32440  };
32441  
32442 -static const struct pci_id_info pci_id_tbl[] __devinitdata = {
32443 +static const struct pci_id_info pci_id_tbl[] __devinitconst = {
32444         {                               /* Sometime a Level-One switch card. */
32445           "Winbond W89c840",    CanHaveMII | HasBrokenTx | FDXOnNoMII},
32446         { "Winbond W89c840",    CanHaveMII | HasBrokenTx},
32447 diff -urNp linux-3.1.1/drivers/net/usb/hso.c linux-3.1.1/drivers/net/usb/hso.c
32448 --- linux-3.1.1/drivers/net/usb/hso.c   2011-11-11 15:19:27.000000000 -0500
32449 +++ linux-3.1.1/drivers/net/usb/hso.c   2011-11-16 18:39:07.000000000 -0500
32450 @@ -71,7 +71,7 @@
32451  #include <asm/byteorder.h>
32452  #include <linux/serial_core.h>
32453  #include <linux/serial.h>
32454 -
32455 +#include <asm/local.h>
32456  
32457  #define MOD_AUTHOR                     "Option Wireless"
32458  #define MOD_DESCRIPTION                        "USB High Speed Option driver"
32459 @@ -257,7 +257,7 @@ struct hso_serial {
32460  
32461         /* from usb_serial_port */
32462         struct tty_struct *tty;
32463 -       int open_count;
32464 +       local_t open_count;
32465         spinlock_t serial_lock;
32466  
32467         int (*write_data) (struct hso_serial *serial);
32468 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
32469         struct urb *urb;
32470  
32471         urb = serial->rx_urb[0];
32472 -       if (serial->open_count > 0) {
32473 +       if (local_read(&serial->open_count) > 0) {
32474                 count = put_rxbuf_data(urb, serial);
32475                 if (count == -1)
32476                         return;
32477 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
32478         DUMP1(urb->transfer_buffer, urb->actual_length);
32479  
32480         /* Anyone listening? */
32481 -       if (serial->open_count == 0)
32482 +       if (local_read(&serial->open_count) == 0)
32483                 return;
32484  
32485         if (status == 0) {
32486 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
32487         spin_unlock_irq(&serial->serial_lock);
32488  
32489         /* check for port already opened, if not set the termios */
32490 -       serial->open_count++;
32491 -       if (serial->open_count == 1) {
32492 +       if (local_inc_return(&serial->open_count) == 1) {
32493                 serial->rx_state = RX_IDLE;
32494                 /* Force default termio settings */
32495                 _hso_serial_set_termios(tty, NULL);
32496 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
32497                 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
32498                 if (result) {
32499                         hso_stop_serial_device(serial->parent);
32500 -                       serial->open_count--;
32501 +                       local_dec(&serial->open_count);
32502                         kref_put(&serial->parent->ref, hso_serial_ref_free);
32503                 }
32504         } else {
32505 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
32506  
32507         /* reset the rts and dtr */
32508         /* do the actual close */
32509 -       serial->open_count--;
32510 +       local_dec(&serial->open_count);
32511  
32512 -       if (serial->open_count <= 0) {
32513 -               serial->open_count = 0;
32514 +       if (local_read(&serial->open_count) <= 0) {
32515 +               local_set(&serial->open_count,  0);
32516                 spin_lock_irq(&serial->serial_lock);
32517                 if (serial->tty == tty) {
32518                         serial->tty->driver_data = NULL;
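Review bot: The close path decrements and then re-reads the counter in two separate steps, `local_dec(&serial->open_count);` followed by `local_read(&serial->open_count) <= 0`, while the hso_serial_open hunk above uses the single-step `local_inc_return`; `if (local_dec_return(&serial->open_count) <= 0)` mirrors the open side and removes the window between the decrement and the read. Note that local_t only guarantees atomicity against interrupts on the same CPU, not across CPUs, so if open_count can be touched from several CPUs without serial_lock or the parent mutex held (the locking is outside this hunk), atomic_t is the type that gives the cross-CPU guarantee. Cosmetic: `local_set(&serial->open_count,  0);` has a doubled space before the 0.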
32519 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
32520  
32521         /* the actual setup */
32522         spin_lock_irqsave(&serial->serial_lock, flags);
32523 -       if (serial->open_count)
32524 +       if (local_read(&serial->open_count))
32525                 _hso_serial_set_termios(tty, old);
32526         else
32527                 tty->termios = old;
32528 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
32529                                 D1("Pending read interrupt on port %d\n", i);
32530                                 spin_lock(&serial->serial_lock);
32531                                 if (serial->rx_state == RX_IDLE &&
32532 -                                       serial->open_count > 0) {
32533 +                                       local_read(&serial->open_count) > 0) {
32534                                         /* Setup and send a ctrl req read on
32535                                          * port i */
32536                                         if (!serial->rx_urb_filled[0]) {
32537 @@ -3098,7 +3097,7 @@ static int hso_resume(struct usb_interfa
32538         /* Start all serial ports */
32539         for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
32540                 if (serial_table[i] && (serial_table[i]->interface == iface)) {
32541 -                       if (dev2ser(serial_table[i])->open_count) {
32542 +                       if (local_read(&dev2ser(serial_table[i])->open_count)) {
32543                                 result =
32544                                     hso_start_serial_device(serial_table[i], GFP_NOIO);
32545                                 hso_kick_transmit(dev2ser(serial_table[i]));
32546 diff -urNp linux-3.1.1/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-3.1.1/drivers/net/vmxnet3/vmxnet3_ethtool.c
32547 --- linux-3.1.1/drivers/net/vmxnet3/vmxnet3_ethtool.c   2011-11-11 15:19:27.000000000 -0500
32548 +++ linux-3.1.1/drivers/net/vmxnet3/vmxnet3_ethtool.c   2011-11-16 18:39:07.000000000 -0500
32549 @@ -601,8 +601,7 @@ vmxnet3_set_rss_indir(struct net_device 
32550                  * Return with error code if any of the queue indices
32551                  * is out of range
32552                  */
32553 -               if (p->ring_index[i] < 0 ||
32554 -                   p->ring_index[i] >= adapter->num_rx_queues)
32555 +               if (p->ring_index[i] >= adapter->num_rx_queues)
32556                         return -EINVAL;
32557         }
32558  
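Review bot: Dropping the `< 0` half of the range test is only correct if ring_index is an unsigned type, which the hunk does not show; a short comment on the remaining check, `/* ring_index is unsigned, so only the upper bound needs checking */`, records the reason so the dead comparison is not reintroduced by a later reader who sees only a one-sided range check. vmxnet3_set_rss_indir begins and ends outside the hunk.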
32559 diff -urNp linux-3.1.1/drivers/net/vxge/vxge-config.h linux-3.1.1/drivers/net/vxge/vxge-config.h
32560 --- linux-3.1.1/drivers/net/vxge/vxge-config.h  2011-11-11 15:19:27.000000000 -0500
32561 +++ linux-3.1.1/drivers/net/vxge/vxge-config.h  2011-11-16 18:39:07.000000000 -0500
32562 @@ -514,7 +514,7 @@ struct vxge_hw_uld_cbs {
32563         void (*link_down)(struct __vxge_hw_device *devh);
32564         void (*crit_err)(struct __vxge_hw_device *devh,
32565                         enum vxge_hw_event type, u64 ext_data);
32566 -};
32567 +} __no_const;
32568  
32569  /*
32570   * struct __vxge_hw_blockpool_entry - Block private data structure
32571 diff -urNp linux-3.1.1/drivers/net/vxge/vxge-main.c linux-3.1.1/drivers/net/vxge/vxge-main.c
32572 --- linux-3.1.1/drivers/net/vxge/vxge-main.c    2011-11-11 15:19:27.000000000 -0500
32573 +++ linux-3.1.1/drivers/net/vxge/vxge-main.c    2011-11-16 18:40:22.000000000 -0500
32574 @@ -100,6 +100,8 @@ static inline void VXGE_COMPLETE_VPATH_T
32575         struct sk_buff *completed[NR_SKB_COMPLETED];
32576         int more;
32577  
32578 +       pax_track_stack();
32579 +
32580         do {
32581                 more = 0;
32582                 skb_ptr = completed;
32583 @@ -1915,6 +1917,8 @@ static enum vxge_hw_status vxge_rth_conf
32584         u8 mtable[256] = {0}; /* CPU to vpath mapping  */
32585         int index;
32586  
32587 +       pax_track_stack();
32588 +
32589         /*
32590          * Filling
32591          *      - itable with bucket numbers
32592 diff -urNp linux-3.1.1/drivers/net/vxge/vxge-traffic.h linux-3.1.1/drivers/net/vxge/vxge-traffic.h
32593 --- linux-3.1.1/drivers/net/vxge/vxge-traffic.h 2011-11-11 15:19:27.000000000 -0500
32594 +++ linux-3.1.1/drivers/net/vxge/vxge-traffic.h 2011-11-16 18:39:07.000000000 -0500
32595 @@ -2088,7 +2088,7 @@ struct vxge_hw_mempool_cbs {
32596                         struct vxge_hw_mempool_dma      *dma_object,
32597                         u32                     index,
32598                         u32                     is_last);
32599 -};
32600 +} __no_const;
32601  
32602  #define VXGE_HW_VIRTUAL_PATH_HANDLE(vpath)                             \
32603                 ((struct __vxge_hw_vpath_handle *)(vpath)->vpath_handles.next)
32604 diff -urNp linux-3.1.1/drivers/net/wan/hdlc_x25.c linux-3.1.1/drivers/net/wan/hdlc_x25.c
32605 --- linux-3.1.1/drivers/net/wan/hdlc_x25.c      2011-11-11 15:19:27.000000000 -0500
32606 +++ linux-3.1.1/drivers/net/wan/hdlc_x25.c      2011-11-16 18:39:07.000000000 -0500
32607 @@ -134,16 +134,16 @@ static netdev_tx_t x25_xmit(struct sk_bu
32608  
32609  static int x25_open(struct net_device *dev)
32610  {
32611 -       struct lapb_register_struct cb;
32612 +       static struct lapb_register_struct cb = {
32613 +               .connect_confirmation = x25_connected,
32614 +               .connect_indication = x25_connected,
32615 +               .disconnect_confirmation = x25_disconnected,
32616 +               .disconnect_indication = x25_disconnected,
32617 +               .data_indication = x25_data_indication,
32618 +               .data_transmit = x25_data_transmit
32619 +       };
32620         int result;
32621  
32622 -       cb.connect_confirmation = x25_connected;
32623 -       cb.connect_indication = x25_connected;
32624 -       cb.disconnect_confirmation = x25_disconnected;
32625 -       cb.disconnect_indication = x25_disconnected;
32626 -       cb.data_indication = x25_data_indication;
32627 -       cb.data_transmit = x25_data_transmit;
32628 -
32629         result = lapb_register(dev, &cb);
32630         if (result != LAPB_OK)
32631                 return result;
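Review bot: Turning cb into a `static` object means one writable instance in .data is now shared by every device that calls x25_open, instead of a per-call stack copy; whether that matters depends on whether lapb_register copies the structure or keeps the pointer, which is not visible here. If the intent is a read-only callback table, `static const struct lapb_register_struct cb = {` is the form that achieves it, provided lapb_register accepts a pointer to const. A one-line comment above the initializer, `/* shared across devices; initialised once, never written after */`, would record the assumption either way.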
32632 diff -urNp linux-3.1.1/drivers/net/wimax/i2400m/usb-fw.c linux-3.1.1/drivers/net/wimax/i2400m/usb-fw.c
32633 --- linux-3.1.1/drivers/net/wimax/i2400m/usb-fw.c       2011-11-11 15:19:27.000000000 -0500
32634 +++ linux-3.1.1/drivers/net/wimax/i2400m/usb-fw.c       2011-11-16 18:40:22.000000000 -0500
32635 @@ -287,6 +287,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
32636         int do_autopm = 1;
32637         DECLARE_COMPLETION_ONSTACK(notif_completion);
32638  
32639 +       pax_track_stack();
32640 +
32641         d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
32642                   i2400m, ack, ack_size);
32643         BUG_ON(_ack == i2400m->bm_ack_buf);
32644 diff -urNp linux-3.1.1/drivers/net/wireless/airo.c linux-3.1.1/drivers/net/wireless/airo.c
32645 --- linux-3.1.1/drivers/net/wireless/airo.c     2011-11-11 15:19:27.000000000 -0500
32646 +++ linux-3.1.1/drivers/net/wireless/airo.c     2011-11-16 18:40:22.000000000 -0500
32647 @@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
32648         BSSListElement * loop_net;
32649         BSSListElement * tmp_net;
32650  
32651 +       pax_track_stack();
32652 +
32653         /* Blow away current list of scan results */
32654         list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
32655                 list_move_tail (&loop_net->list, &ai->network_free_list);
32656 @@ -3794,6 +3796,8 @@ static u16 setup_card(struct airo_info *
32657         WepKeyRid wkr;
32658         int rc;
32659  
32660 +       pax_track_stack();
32661 +
32662         memset( &mySsid, 0, sizeof( mySsid ) );
32663         kfree (ai->flash);
32664         ai->flash = NULL;
32665 @@ -4753,6 +4757,8 @@ static int proc_stats_rid_open( struct i
32666         __le32 *vals = stats.vals;
32667         int len;
32668  
32669 +       pax_track_stack();
32670 +
32671         if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
32672                 return -ENOMEM;
32673         data = file->private_data;
32674 @@ -5476,6 +5482,8 @@ static int proc_BSSList_open( struct ino
32675         /* If doLoseSync is not 1, we won't do a Lose Sync */
32676         int doLoseSync = -1;
32677  
32678 +       pax_track_stack();
32679 +
32680         if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
32681                 return -ENOMEM;
32682         data = file->private_data;
32683 @@ -7181,6 +7189,8 @@ static int airo_get_aplist(struct net_de
32684         int i;
32685         int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
32686  
32687 +       pax_track_stack();
32688 +
32689         qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
32690         if (!qual)
32691                 return -ENOMEM;
32692 @@ -7741,6 +7751,8 @@ static void airo_read_wireless_stats(str
32693         CapabilityRid cap_rid;
32694         __le32 *vals = stats_rid.vals;
32695  
32696 +       pax_track_stack();
32697 +
32698         /* Get stats out of the card */
32699         clear_bit(JOB_WSTATS, &local->jobs);
32700         if (local->power.event) {
32701 diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath5k/debug.c linux-3.1.1/drivers/net/wireless/ath/ath5k/debug.c
32702 --- linux-3.1.1/drivers/net/wireless/ath/ath5k/debug.c  2011-11-11 15:19:27.000000000 -0500
32703 +++ linux-3.1.1/drivers/net/wireless/ath/ath5k/debug.c  2011-11-16 19:08:21.000000000 -0500
32704 @@ -203,6 +203,8 @@ static ssize_t read_file_beacon(struct f
32705         unsigned int v;
32706         u64 tsf;
32707  
32708 +       pax_track_stack();
32709 +
32710         v = ath5k_hw_reg_read(ah, AR5K_BEACON);
32711         len += snprintf(buf + len, sizeof(buf) - len,
32712                 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
32713 @@ -321,6 +323,8 @@ static ssize_t read_file_debug(struct fi
32714         unsigned int len = 0;
32715         unsigned int i;
32716  
32717 +       pax_track_stack();
32718 +
32719         len += snprintf(buf + len, sizeof(buf) - len,
32720                 "DEBUG LEVEL: 0x%08x\n\n", ah->debug.level);
32721  
32722 @@ -492,6 +496,8 @@ static ssize_t read_file_misc(struct fil
32723         unsigned int len = 0;
32724         u32 filt = ath5k_hw_get_rx_filter(ah);
32725  
32726 +       pax_track_stack();
32727 +
32728         len += snprintf(buf + len, sizeof(buf) - len, "bssid-mask: %pM\n",
32729                         ah->bssidmask);
32730         len += snprintf(buf + len, sizeof(buf) - len, "filter-flags: 0x%x ",
32731 @@ -548,6 +554,8 @@ static ssize_t read_file_frameerrors(str
32732         unsigned int len = 0;
32733         int i;
32734  
32735 +       pax_track_stack();
32736 +
32737         len += snprintf(buf + len, sizeof(buf) - len,
32738                         "RX\n---------------------\n");
32739         len += snprintf(buf + len, sizeof(buf) - len, "CRC\t%u\t(%u%%)\n",
32740 @@ -665,6 +673,8 @@ static ssize_t read_file_ani(struct file
32741         char buf[700];
32742         unsigned int len = 0;
32743  
32744 +       pax_track_stack();
32745 +
32746         len += snprintf(buf + len, sizeof(buf) - len,
32747                         "HW has PHY error counters:\t%s\n",
32748                         ah->ah_capabilities.cap_has_phyerr_counters ?
32749 @@ -829,6 +839,8 @@ static ssize_t read_file_queue(struct fi
32750         struct ath5k_buf *bf, *bf0;
32751         int i, n;
32752  
32753 +       pax_track_stack();
32754 +
32755         len += snprintf(buf + len, sizeof(buf) - len,
32756                         "available txbuffers: %d\n", ah->txbuf_len);
32757  
32758 diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c
32759 --- linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c   2011-11-11 15:19:27.000000000 -0500
32760 +++ linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c   2011-11-16 18:40:22.000000000 -0500
32761 @@ -758,6 +758,8 @@ static void ar9003_hw_tx_iq_cal_post_pro
32762         int i, im, j;
32763         int nmeasurement;
32764  
32765 +       pax_track_stack();
32766 +
32767         for (i = 0; i < AR9300_MAX_CHAINS; i++) {
32768                 if (ah->txchainmask & (1 << i))
32769                         num_chains++;
32770 diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c
32771 --- linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c   2011-11-11 15:19:27.000000000 -0500
32772 +++ linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c   2011-11-16 18:40:22.000000000 -0500
32773 @@ -406,6 +406,8 @@ static bool create_pa_curve(u32 *data_L,
32774         int theta_low_bin = 0;
32775         int i;
32776  
32777 +       pax_track_stack();
32778 +
32779         /* disregard any bin that contains <= 16 samples */
32780         thresh_accum_cnt = 16;
32781         scale_factor = 5;
32782 diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath9k/debug.c linux-3.1.1/drivers/net/wireless/ath/ath9k/debug.c
32783 --- linux-3.1.1/drivers/net/wireless/ath/ath9k/debug.c  2011-11-11 15:19:27.000000000 -0500
32784 +++ linux-3.1.1/drivers/net/wireless/ath/ath9k/debug.c  2011-11-16 18:40:22.000000000 -0500
32785 @@ -387,6 +387,8 @@ static ssize_t read_file_interrupt(struc
32786         char buf[512];
32787         unsigned int len = 0;
32788  
32789 +       pax_track_stack();
32790 +
32791         if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
32792                 len += snprintf(buf + len, sizeof(buf) - len,
32793                         "%8s: %10u\n", "RXLP", sc->debug.stats.istats.rxlp);
32794 @@ -477,6 +479,8 @@ static ssize_t read_file_wiphy(struct fi
32795         u8 addr[ETH_ALEN];
32796         u32 tmp;
32797  
32798 +       pax_track_stack();
32799 +
32800         len += snprintf(buf + len, sizeof(buf) - len,
32801                         "%s (chan=%d  center-freq: %d MHz  channel-type: %d (%s))\n",
32802                         wiphy_name(sc->hw->wiphy),
32803 diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath9k/htc_drv_debug.c linux-3.1.1/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
32804 --- linux-3.1.1/drivers/net/wireless/ath/ath9k/htc_drv_debug.c  2011-11-11 15:19:27.000000000 -0500
32805 +++ linux-3.1.1/drivers/net/wireless/ath/ath9k/htc_drv_debug.c  2011-11-16 18:40:22.000000000 -0500
32806 @@ -31,6 +31,8 @@ static ssize_t read_file_tgt_int_stats(s
32807         unsigned int len = 0;
32808         int ret = 0;
32809  
32810 +       pax_track_stack();
32811 +
32812         memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32813  
32814         ath9k_htc_ps_wakeup(priv);
32815 @@ -89,6 +91,8 @@ static ssize_t read_file_tgt_tx_stats(st
32816         unsigned int len = 0;
32817         int ret = 0;
32818  
32819 +       pax_track_stack();
32820 +
32821         memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32822  
32823         ath9k_htc_ps_wakeup(priv);
32824 @@ -159,6 +163,8 @@ static ssize_t read_file_tgt_rx_stats(st
32825         unsigned int len = 0;
32826         int ret = 0;
32827  
32828 +       pax_track_stack();
32829 +
32830         memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32831  
32832         ath9k_htc_ps_wakeup(priv);
32833 @@ -203,6 +209,8 @@ static ssize_t read_file_xmit(struct fil
32834         char buf[512];
32835         unsigned int len = 0;
32836  
32837 +       pax_track_stack();
32838 +
32839         len += snprintf(buf + len, sizeof(buf) - len,
32840                         "%20s : %10u\n", "Buffers queued",
32841                         priv->debug.tx_stats.buf_queued);
32842 @@ -376,6 +384,8 @@ static ssize_t read_file_slot(struct fil
32843         char buf[512];
32844         unsigned int len = 0;
32845  
32846 +       pax_track_stack();
32847 +
32848         spin_lock_bh(&priv->tx.tx_lock);
32849  
32850         len += snprintf(buf + len, sizeof(buf) - len, "TX slot bitmap : ");
32851 @@ -411,6 +421,8 @@ static ssize_t read_file_queue(struct fi
32852         char buf[512];
32853         unsigned int len = 0;
32854  
32855 +       pax_track_stack();
32856 +
32857         len += snprintf(buf + len, sizeof(buf) - len, "%20s : %10u\n",
32858                         "Mgmt endpoint", skb_queue_len(&priv->tx.mgmt_ep_queue));
32859  
32860 diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath9k/hw.h linux-3.1.1/drivers/net/wireless/ath/ath9k/hw.h
32861 --- linux-3.1.1/drivers/net/wireless/ath/ath9k/hw.h     2011-11-11 15:19:27.000000000 -0500
32862 +++ linux-3.1.1/drivers/net/wireless/ath/ath9k/hw.h     2011-11-16 18:39:07.000000000 -0500
32863 @@ -588,7 +588,7 @@ struct ath_hw_private_ops {
32864  
32865         /* ANI */
32866         void (*ani_cache_ini_regs)(struct ath_hw *ah);
32867 -};
32868 +} __no_const;
32869  
32870  /**
32871   * struct ath_hw_ops - callbacks used by hardware code and driver code
32872 @@ -639,7 +639,7 @@ struct ath_hw_ops {
32873         void (*antdiv_comb_conf_set)(struct ath_hw *ah,
32874                         struct ath_hw_antcomb_conf *antconf);
32875  
32876 -};
32877 +} __no_const;
32878  
32879  struct ath_nf_limits {
32880         s16 max;
32881 @@ -652,7 +652,7 @@ struct ath_nf_limits {
32882  #define AH_UNPLUGGED    0x2 /* The card has been physically removed. */
32883  
32884  struct ath_hw {
32885 -       struct ath_ops reg_ops;
32886 +       ath_ops_no_const reg_ops;
32887  
32888         struct ieee80211_hw *hw;
32889         struct ath_common common;
32890 diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath.h linux-3.1.1/drivers/net/wireless/ath/ath.h
32891 --- linux-3.1.1/drivers/net/wireless/ath/ath.h  2011-11-11 15:19:27.000000000 -0500
32892 +++ linux-3.1.1/drivers/net/wireless/ath/ath.h  2011-11-16 18:39:07.000000000 -0500
32893 @@ -121,6 +121,7 @@ struct ath_ops {
32894         void (*write_flush) (void *);
32895         u32 (*rmw)(void *, u32 reg_offset, u32 set, u32 clr);
32896  };
32897 +typedef struct ath_ops __no_const ath_ops_no_const;
32898  
32899  struct ath_common;
32900  struct ath_bus_ops;
32901 diff -urNp linux-3.1.1/drivers/net/wireless/ipw2x00/ipw2100.c linux-3.1.1/drivers/net/wireless/ipw2x00/ipw2100.c
32902 --- linux-3.1.1/drivers/net/wireless/ipw2x00/ipw2100.c  2011-11-11 15:19:27.000000000 -0500
32903 +++ linux-3.1.1/drivers/net/wireless/ipw2x00/ipw2100.c  2011-11-16 18:40:22.000000000 -0500
32904 @@ -2102,6 +2102,8 @@ static int ipw2100_set_essid(struct ipw2
32905         int err;
32906         DECLARE_SSID_BUF(ssid);
32907  
32908 +       pax_track_stack();
32909 +
32910         IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
32911  
32912         if (ssid_len)
32913 @@ -5451,6 +5453,8 @@ static int ipw2100_set_key(struct ipw210
32914         struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
32915         int err;
32916  
32917 +       pax_track_stack();
32918 +
32919         IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
32920                      idx, keylen, len);
32921  
32922 diff -urNp linux-3.1.1/drivers/net/wireless/ipw2x00/libipw_rx.c linux-3.1.1/drivers/net/wireless/ipw2x00/libipw_rx.c
32923 --- linux-3.1.1/drivers/net/wireless/ipw2x00/libipw_rx.c        2011-11-11 15:19:27.000000000 -0500
32924 +++ linux-3.1.1/drivers/net/wireless/ipw2x00/libipw_rx.c        2011-11-16 18:40:22.000000000 -0500
32925 @@ -1565,6 +1565,8 @@ static void libipw_process_probe_respons
32926         unsigned long flags;
32927         DECLARE_SSID_BUF(ssid);
32928  
32929 +       pax_track_stack();
32930 +
32931         LIBIPW_DEBUG_SCAN("'%s' (%pM"
32932                      "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
32933                      print_ssid(ssid, info_element->data, info_element->len),
32934 diff -urNp linux-3.1.1/drivers/net/wireless/iwlegacy/iwl3945-base.c linux-3.1.1/drivers/net/wireless/iwlegacy/iwl3945-base.c
32935 --- linux-3.1.1/drivers/net/wireless/iwlegacy/iwl3945-base.c    2011-11-11 15:19:27.000000000 -0500
32936 +++ linux-3.1.1/drivers/net/wireless/iwlegacy/iwl3945-base.c    2011-11-16 18:39:07.000000000 -0500
32937 @@ -3687,7 +3687,9 @@ static int iwl3945_pci_probe(struct pci_
32938          */
32939         if (iwl3945_mod_params.disable_hw_scan) {
32940                 IWL_DEBUG_INFO(priv, "Disabling hw_scan\n");
32941 -               iwl3945_hw_ops.hw_scan = NULL;
32942 +               pax_open_kernel();
32943 +               *(void **)&iwl3945_hw_ops.hw_scan = NULL;
32944 +               pax_close_kernel();
32945         }
32946  
32947         IWL_DEBUG_INFO(priv, "*** LOAD DRIVER ***\n");
32948 diff -urNp linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
32949 --- linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c       2011-11-11 15:19:27.000000000 -0500
32950 +++ linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c       2011-11-16 18:40:22.000000000 -0500
32951 @@ -920,6 +920,8 @@ static void rs_tx_status(void *priv_r, s
32952         struct iwl_station_priv *sta_priv = (void *)sta->drv_priv;
32953         struct iwl_rxon_context *ctx = sta_priv->common.ctx;
32954  
32955 +       pax_track_stack();
32956 +
32957         IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
32958  
32959         /* Treat uninitialized rate scaling data same as non-existing. */
32960 @@ -2931,6 +2933,8 @@ static void rs_fill_link_cmd(struct iwl_
32961                 container_of(lq_sta, struct iwl_station_priv, lq_sta);
32962         struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
32963  
32964 +       pax_track_stack();
32965 +
32966         /* Override starting rate (index 0) if needed for debug purposes */
32967         rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
32968  
32969 diff -urNp linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c
32970 --- linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c      2011-11-11 15:19:27.000000000 -0500
32971 +++ linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c      2011-11-16 18:40:22.000000000 -0500
32972 @@ -561,6 +561,8 @@ static ssize_t iwl_dbgfs_status_read(str
32973         int pos = 0;
32974         const size_t bufsz = sizeof(buf);
32975  
32976 +       pax_track_stack();
32977 +
32978         pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
32979                 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
32980         pos += scnprintf(buf + pos, bufsz - pos, "STATUS_INT_ENABLED:\t %d\n",
32981 @@ -693,6 +695,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
32982         char buf[256 * NUM_IWL_RXON_CTX];
32983         const size_t bufsz = sizeof(buf);
32984  
32985 +       pax_track_stack();
32986 +
32987         for_each_context(priv, ctx) {
32988                 pos += scnprintf(buf + pos, bufsz - pos, "context %d:\n",
32989                                  ctx->ctxid);
32990 diff -urNp linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debug.h linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debug.h
32991 --- linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debug.h        2011-11-11 15:19:27.000000000 -0500
32992 +++ linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debug.h        2011-11-16 18:39:07.000000000 -0500
32993 @@ -68,8 +68,8 @@ do {                                    
32994  } while (0)
32995  
32996  #else
32997 -#define IWL_DEBUG(__priv, level, fmt, args...)
32998 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
32999 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
33000 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
33001  static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
33002                                       const void *p, u32 len)
33003  {}
33004 diff -urNp linux-3.1.1/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-3.1.1/drivers/net/wireless/iwmc3200wifi/debugfs.c
33005 --- linux-3.1.1/drivers/net/wireless/iwmc3200wifi/debugfs.c     2011-11-11 15:19:27.000000000 -0500
33006 +++ linux-3.1.1/drivers/net/wireless/iwmc3200wifi/debugfs.c     2011-11-16 18:40:22.000000000 -0500
33007 @@ -327,6 +327,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
33008         int buf_len = 512;
33009         size_t len = 0;
33010  
33011 +       pax_track_stack();
33012 +
33013         if (*ppos != 0)
33014                 return 0;
33015         if (count < sizeof(buf))
33016 diff -urNp linux-3.1.1/drivers/net/wireless/mac80211_hwsim.c linux-3.1.1/drivers/net/wireless/mac80211_hwsim.c
33017 --- linux-3.1.1/drivers/net/wireless/mac80211_hwsim.c   2011-11-11 15:19:27.000000000 -0500
33018 +++ linux-3.1.1/drivers/net/wireless/mac80211_hwsim.c   2011-11-16 18:39:07.000000000 -0500
33019 @@ -1670,9 +1670,11 @@ static int __init init_mac80211_hwsim(vo
33020                 return -EINVAL;
33021  
33022         if (fake_hw_scan) {
33023 -               mac80211_hwsim_ops.hw_scan = mac80211_hwsim_hw_scan;
33024 -               mac80211_hwsim_ops.sw_scan_start = NULL;
33025 -               mac80211_hwsim_ops.sw_scan_complete = NULL;
33026 +               pax_open_kernel();
33027 +               *(void **)&mac80211_hwsim_ops.hw_scan = mac80211_hwsim_hw_scan;
33028 +               *(void **)&mac80211_hwsim_ops.sw_scan_start = NULL;
33029 +               *(void **)&mac80211_hwsim_ops.sw_scan_complete = NULL;
33030 +               pax_close_kernel();
33031         }
33032  
33033         spin_lock_init(&hwsim_radio_lock);
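Review bot: The three `*(void **)&mac80211_hwsim_ops.X = …` stores inside the `if (fake_hw_scan)` block cast the address of a function-pointer member to `void **`, which relies on function and object pointers sharing a representation and on pax_open_kernel() making the (presumably constified) ops object writable; neither is guaranteed by ISO C, and nothing at the site says why the plain assignments were replaced. A one-line comment at the first store, `/* ops is const under PaX constify; store through void ** while the kernel is writable */`, keeps the idiom from being "cleaned up" back to the original form. The same construct appears in drivers/regulator/max8660.c and drivers/regulator/mc13892-regulator.c below and the comment applies there too.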
33034 diff -urNp linux-3.1.1/drivers/net/wireless/mwifiex/main.h linux-3.1.1/drivers/net/wireless/mwifiex/main.h
33035 --- linux-3.1.1/drivers/net/wireless/mwifiex/main.h     2011-11-11 15:19:27.000000000 -0500
33036 +++ linux-3.1.1/drivers/net/wireless/mwifiex/main.h     2011-11-16 18:39:07.000000000 -0500
33037 @@ -560,7 +560,7 @@ struct mwifiex_if_ops {
33038  
33039         void (*update_mp_end_port) (struct mwifiex_adapter *, u16);
33040         void (*cleanup_mpa_buf) (struct mwifiex_adapter *);
33041 -};
33042 +} __no_const;
33043  
33044  struct mwifiex_adapter {
33045         struct mwifiex_private *priv[MWIFIEX_MAX_BSS_NUM];
33046 diff -urNp linux-3.1.1/drivers/net/wireless/rndis_wlan.c linux-3.1.1/drivers/net/wireless/rndis_wlan.c
33047 --- linux-3.1.1/drivers/net/wireless/rndis_wlan.c       2011-11-11 15:19:27.000000000 -0500
33048 +++ linux-3.1.1/drivers/net/wireless/rndis_wlan.c       2011-11-16 18:39:07.000000000 -0500
33049 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
33050  
33051         netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
33052  
33053 -       if (rts_threshold < 0 || rts_threshold > 2347)
33054 +       if (rts_threshold > 2347)
33055                 rts_threshold = 2347;
33056  
33057         tmp = cpu_to_le32(rts_threshold);
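Review bot: Dropping the `rts_threshold < 0` half of the range check in set_rts_threshold() is only correct if the parameter is unsigned; its declaration is in the signature outside this hunk, so that cannot be confirmed here. If it is unsigned the old test was dead code and the change is right, but a short comment stops the next reader from re-adding it: `/* rts_threshold is unsigned; only the upper bound can be out of range */`. The same applies to the `*irq < 0` and `*dma < 0` removals in drivers/pnp/resource.c further down.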
33058 diff -urNp linux-3.1.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c linux-3.1.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c
33059 --- linux-3.1.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c      2011-11-11 15:19:27.000000000 -0500
33060 +++ linux-3.1.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c      2011-11-16 18:40:22.000000000 -0500
33061 @@ -837,6 +837,8 @@ bool _rtl92c_phy_sw_chnl_step_by_step(st
33062         u8 rfpath;
33063         u8 num_total_rfpath = rtlphy->num_total_rfpath;
33064  
33065 +       pax_track_stack();
33066 +
33067         precommoncmdcnt = 0;
33068         _rtl92c_phy_set_sw_chnl_cmdarray(precommoncmd, precommoncmdcnt++,
33069                                          MAX_PRECMD_CNT,
33070 diff -urNp linux-3.1.1/drivers/net/wireless/wl1251/wl1251.h linux-3.1.1/drivers/net/wireless/wl1251/wl1251.h
33071 --- linux-3.1.1/drivers/net/wireless/wl1251/wl1251.h    2011-11-11 15:19:27.000000000 -0500
33072 +++ linux-3.1.1/drivers/net/wireless/wl1251/wl1251.h    2011-11-16 18:39:07.000000000 -0500
33073 @@ -266,7 +266,7 @@ struct wl1251_if_operations {
33074         void (*reset)(struct wl1251 *wl);
33075         void (*enable_irq)(struct wl1251 *wl);
33076         void (*disable_irq)(struct wl1251 *wl);
33077 -};
33078 +} __no_const;
33079  
33080  struct wl1251 {
33081         struct ieee80211_hw *hw;
33082 diff -urNp linux-3.1.1/drivers/net/wireless/wl12xx/spi.c linux-3.1.1/drivers/net/wireless/wl12xx/spi.c
33083 --- linux-3.1.1/drivers/net/wireless/wl12xx/spi.c       2011-11-11 15:19:27.000000000 -0500
33084 +++ linux-3.1.1/drivers/net/wireless/wl12xx/spi.c       2011-11-16 18:40:22.000000000 -0500
33085 @@ -281,6 +281,8 @@ static void wl1271_spi_raw_write(struct 
33086         u32 chunk_len;
33087         int i;
33088  
33089 +       pax_track_stack();
33090 +
33091         WARN_ON(len > WL1271_AGGR_BUFFER_SIZE);
33092  
33093         spi_message_init(&m);
33094 diff -urNp linux-3.1.1/drivers/oprofile/buffer_sync.c linux-3.1.1/drivers/oprofile/buffer_sync.c
33095 --- linux-3.1.1/drivers/oprofile/buffer_sync.c  2011-11-11 15:19:27.000000000 -0500
33096 +++ linux-3.1.1/drivers/oprofile/buffer_sync.c  2011-11-16 18:39:07.000000000 -0500
33097 @@ -343,7 +343,7 @@ static void add_data(struct op_entry *en
33098                 if (cookie == NO_COOKIE)
33099                         offset = pc;
33100                 if (cookie == INVALID_COOKIE) {
33101 -                       atomic_inc(&oprofile_stats.sample_lost_no_mapping);
33102 +                       atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
33103                         offset = pc;
33104                 }
33105                 if (cookie != last_cookie) {
33106 @@ -387,14 +387,14 @@ add_sample(struct mm_struct *mm, struct 
33107         /* add userspace sample */
33108  
33109         if (!mm) {
33110 -               atomic_inc(&oprofile_stats.sample_lost_no_mm);
33111 +               atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
33112                 return 0;
33113         }
33114  
33115         cookie = lookup_dcookie(mm, s->eip, &offset);
33116  
33117         if (cookie == INVALID_COOKIE) {
33118 -               atomic_inc(&oprofile_stats.sample_lost_no_mapping);
33119 +               atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
33120                 return 0;
33121         }
33122  
33123 @@ -563,7 +563,7 @@ void sync_buffer(int cpu)
33124                 /* ignore backtraces if failed to add a sample */
33125                 if (state == sb_bt_start) {
33126                         state = sb_bt_ignore;
33127 -                       atomic_inc(&oprofile_stats.bt_lost_no_mapping);
33128 +                       atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
33129                 }
33130         }
33131         release_mm(mm);
33132 diff -urNp linux-3.1.1/drivers/oprofile/event_buffer.c linux-3.1.1/drivers/oprofile/event_buffer.c
33133 --- linux-3.1.1/drivers/oprofile/event_buffer.c 2011-11-11 15:19:27.000000000 -0500
33134 +++ linux-3.1.1/drivers/oprofile/event_buffer.c 2011-11-16 18:39:07.000000000 -0500
33135 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
33136         }
33137  
33138         if (buffer_pos == buffer_size) {
33139 -               atomic_inc(&oprofile_stats.event_lost_overflow);
33140 +               atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
33141                 return;
33142         }
33143  
33144 diff -urNp linux-3.1.1/drivers/oprofile/oprof.c linux-3.1.1/drivers/oprofile/oprof.c
33145 --- linux-3.1.1/drivers/oprofile/oprof.c        2011-11-11 15:19:27.000000000 -0500
33146 +++ linux-3.1.1/drivers/oprofile/oprof.c        2011-11-16 18:39:07.000000000 -0500
33147 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
33148         if (oprofile_ops.switch_events())
33149                 return;
33150  
33151 -       atomic_inc(&oprofile_stats.multiplex_counter);
33152 +       atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
33153         start_switch_worker();
33154  }
33155  
33156 diff -urNp linux-3.1.1/drivers/oprofile/oprofilefs.c linux-3.1.1/drivers/oprofile/oprofilefs.c
33157 --- linux-3.1.1/drivers/oprofile/oprofilefs.c   2011-11-11 15:19:27.000000000 -0500
33158 +++ linux-3.1.1/drivers/oprofile/oprofilefs.c   2011-11-16 18:39:07.000000000 -0500
33159 @@ -186,7 +186,7 @@ static const struct file_operations atom
33160  
33161  
33162  int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
33163 -       char const *name, atomic_t *val)
33164 +       char const *name, atomic_unchecked_t *val)
33165  {
33166         return __oprofilefs_create_file(sb, root, name,
33167                                         &atomic_ro_fops, 0444, val);
33168 diff -urNp linux-3.1.1/drivers/oprofile/oprofile_stats.c linux-3.1.1/drivers/oprofile/oprofile_stats.c
33169 --- linux-3.1.1/drivers/oprofile/oprofile_stats.c       2011-11-11 15:19:27.000000000 -0500
33170 +++ linux-3.1.1/drivers/oprofile/oprofile_stats.c       2011-11-16 18:39:07.000000000 -0500
33171 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
33172                 cpu_buf->sample_invalid_eip = 0;
33173         }
33174  
33175 -       atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
33176 -       atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
33177 -       atomic_set(&oprofile_stats.event_lost_overflow, 0);
33178 -       atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
33179 -       atomic_set(&oprofile_stats.multiplex_counter, 0);
33180 +       atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
33181 +       atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
33182 +       atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
33183 +       atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
33184 +       atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
33185  }
33186  
33187  
33188 diff -urNp linux-3.1.1/drivers/oprofile/oprofile_stats.h linux-3.1.1/drivers/oprofile/oprofile_stats.h
33189 --- linux-3.1.1/drivers/oprofile/oprofile_stats.h       2011-11-11 15:19:27.000000000 -0500
33190 +++ linux-3.1.1/drivers/oprofile/oprofile_stats.h       2011-11-16 18:39:07.000000000 -0500
33191 @@ -13,11 +13,11 @@
33192  #include <linux/atomic.h>
33193  
33194  struct oprofile_stat_struct {
33195 -       atomic_t sample_lost_no_mm;
33196 -       atomic_t sample_lost_no_mapping;
33197 -       atomic_t bt_lost_no_mapping;
33198 -       atomic_t event_lost_overflow;
33199 -       atomic_t multiplex_counter;
33200 +       atomic_unchecked_t sample_lost_no_mm;
33201 +       atomic_unchecked_t sample_lost_no_mapping;
33202 +       atomic_unchecked_t bt_lost_no_mapping;
33203 +       atomic_unchecked_t event_lost_overflow;
33204 +       atomic_unchecked_t multiplex_counter;
33205  };
33206  
33207  extern struct oprofile_stat_struct oprofile_stats;
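Review bot: The switch of struct oprofile_stat_struct's members to atomic_unchecked_t is the declaring site for every atomic_inc_unchecked/atomic_set_unchecked change in drivers/oprofile in this patch, yet nothing records why these counters are opted out of reference-count overflow checking. A comment above the struct would carry the rationale: `/* pure statistics: wrapping is harmless, so these are deliberately not overflow-checked */`. Anyone later adding a counter here, or turning one of these into a real reference count, then knows which type to pick.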
33208 diff -urNp linux-3.1.1/drivers/parport/procfs.c linux-3.1.1/drivers/parport/procfs.c
33209 --- linux-3.1.1/drivers/parport/procfs.c        2011-11-11 15:19:27.000000000 -0500
33210 +++ linux-3.1.1/drivers/parport/procfs.c        2011-11-16 18:39:07.000000000 -0500
33211 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
33212  
33213         *ppos += len;
33214  
33215 -       return copy_to_user(result, buffer, len) ? -EFAULT : 0;
33216 +       return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
33217  }
33218  
33219  #ifdef CONFIG_PARPORT_1284
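Review bot: The new `len > sizeof buffer` guard in do_active_device() runs after `*ppos += len;` (the context line just above it), so when the length is rejected the file position has still been advanced by the bogus length. Moving the check ahead of that line, `if (WARN_ON_ONCE(len > sizeof buffer)) return -EFAULT;`, leaves ppos untouched on the error path and makes what is an internal length bug visible instead of silent. This assumes `buffer` is a local array (its declaration is outside the hunk; `sizeof` on a pointer would defeat the check). do_autoprobe() in the next hunk has the same shape.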
33220 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
33221  
33222         *ppos += len;
33223  
33224 -       return copy_to_user (result, buffer, len) ? -EFAULT : 0;
33225 +       return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
33226  }
33227  #endif /* IEEE1284.3 support. */
33228  
33229 diff -urNp linux-3.1.1/drivers/pci/hotplug/cpci_hotplug.h linux-3.1.1/drivers/pci/hotplug/cpci_hotplug.h
33230 --- linux-3.1.1/drivers/pci/hotplug/cpci_hotplug.h      2011-11-11 15:19:27.000000000 -0500
33231 +++ linux-3.1.1/drivers/pci/hotplug/cpci_hotplug.h      2011-11-16 18:39:07.000000000 -0500
33232 @@ -59,7 +59,7 @@ struct cpci_hp_controller_ops {
33233         int (*hardware_test) (struct slot* slot, u32 value);
33234         u8  (*get_power) (struct slot* slot);
33235         int (*set_power) (struct slot* slot, int value);
33236 -};
33237 +} __no_const;
33238  
33239  struct cpci_hp_controller {
33240         unsigned int irq;
33241 diff -urNp linux-3.1.1/drivers/pci/hotplug/cpqphp_nvram.c linux-3.1.1/drivers/pci/hotplug/cpqphp_nvram.c
33242 --- linux-3.1.1/drivers/pci/hotplug/cpqphp_nvram.c      2011-11-11 15:19:27.000000000 -0500
33243 +++ linux-3.1.1/drivers/pci/hotplug/cpqphp_nvram.c      2011-11-16 18:39:07.000000000 -0500
33244 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
33245  
33246  void compaq_nvram_init (void __iomem *rom_start)
33247  {
33248 +
33249 +#ifndef CONFIG_PAX_KERNEXEC
33250         if (rom_start) {
33251                 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
33252         }
33253 +#endif
33254 +
33255         dbg("int15 entry  = %p\n", compaq_int15_entry_point);
33256  
33257         /* initialize our int15 lock */
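Review bot: With CONFIG_PAX_KERNEXEC set, compaq_nvram_init() never assigns compaq_int15_entry_point, but the `dbg("int15 entry  = %p\n", …)` line and whatever later calls through the entry point (outside this hunk) still run with whatever the variable held before, presumably its static initializer. If the callers already treat that value as "no BIOS entry", a comment on the `#ifndef` should say so, e.g. `/* KERNEXEC: the int15 BIOS entry is left unset; callers must cope with a NULL entry point */`; if they do not, a matching guard is needed at the call site. Either way the `dbg()` output is misleading under KERNEXEC and could move inside the `#ifndef`.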
33258 diff -urNp linux-3.1.1/drivers/pci/pcie/aspm.c linux-3.1.1/drivers/pci/pcie/aspm.c
33259 --- linux-3.1.1/drivers/pci/pcie/aspm.c 2011-11-11 15:19:27.000000000 -0500
33260 +++ linux-3.1.1/drivers/pci/pcie/aspm.c 2011-11-16 18:39:07.000000000 -0500
33261 @@ -27,9 +27,9 @@
33262  #define MODULE_PARAM_PREFIX "pcie_aspm."
33263  
33264  /* Note: those are not register definitions */
33265 -#define ASPM_STATE_L0S_UP      (1)     /* Upstream direction L0s state */
33266 -#define ASPM_STATE_L0S_DW      (2)     /* Downstream direction L0s state */
33267 -#define ASPM_STATE_L1          (4)     /* L1 state */
33268 +#define ASPM_STATE_L0S_UP      (1U)    /* Upstream direction L0s state */
33269 +#define ASPM_STATE_L0S_DW      (2U)    /* Downstream direction L0s state */
33270 +#define ASPM_STATE_L1          (4U)    /* L1 state */
33271  #define ASPM_STATE_L0S         (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
33272  #define ASPM_STATE_ALL         (ASPM_STATE_L0S | ASPM_STATE_L1)
33273  
33274 diff -urNp linux-3.1.1/drivers/pci/probe.c linux-3.1.1/drivers/pci/probe.c
33275 --- linux-3.1.1/drivers/pci/probe.c     2011-11-11 15:19:27.000000000 -0500
33276 +++ linux-3.1.1/drivers/pci/probe.c     2011-11-16 18:39:07.000000000 -0500
33277 @@ -136,7 +136,7 @@ int __pci_read_base(struct pci_dev *dev,
33278         u32 l, sz, mask;
33279         u16 orig_cmd;
33280  
33281 -       mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
33282 +       mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
33283  
33284         if (!dev->mmio_always_on) {
33285                 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
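Review bot: The added `(u32)` cast on PCI_ROM_ADDRESS_MASK fixes only one arm of the conditional in __pci_read_base(); the other arm is still `~0`, an int with value -1 that reaches `mask` through an implicit signed-to-unsigned conversion. The value is the same, but `mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0U;` makes both arms unsigned and keeps the expression free of the conversion the cast was added to avoid.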
33286 diff -urNp linux-3.1.1/drivers/pci/proc.c linux-3.1.1/drivers/pci/proc.c
33287 --- linux-3.1.1/drivers/pci/proc.c      2011-11-11 15:19:27.000000000 -0500
33288 +++ linux-3.1.1/drivers/pci/proc.c      2011-11-16 18:40:22.000000000 -0500
33289 @@ -476,7 +476,16 @@ static const struct file_operations proc
33290  static int __init pci_proc_init(void)
33291  {
33292         struct pci_dev *dev = NULL;
33293 +
33294 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33295 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33296 +       proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
33297 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33298 +       proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
33299 +#endif
33300 +#else
33301         proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
33302 +#endif
33303         proc_create("devices", 0, proc_bus_pci_dir,
33304                     &proc_bus_pci_dev_operations);
33305         proc_initialized = 1;
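Review bot: Inside `#ifdef CONFIG_GRKERNSEC_PROC_ADD` the new code assigns proc_bus_pci_dir only under CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP; if Kconfig can enable PROC_ADD without either, proc_bus_pci_dir stays at its initial value and the following `proc_create("devices", 0, proc_bus_pci_dir, …)` silently creates the entry at the /proc root instead of under bus/pci. Unless Kconfig rules that combination out, add an inner `#else` with the unrestricted `proc_mkdir("bus/pci", NULL);` or an `#error`, so the assumption is enforced rather than implied. Like the pre-existing proc_mkdir() path, neither new branch checks the proc_mkdir_mode() return before using it.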
33306 diff -urNp linux-3.1.1/drivers/pci/xen-pcifront.c linux-3.1.1/drivers/pci/xen-pcifront.c
33307 --- linux-3.1.1/drivers/pci/xen-pcifront.c      2011-11-11 15:19:27.000000000 -0500
33308 +++ linux-3.1.1/drivers/pci/xen-pcifront.c      2011-11-16 18:40:22.000000000 -0500
33309 @@ -187,6 +187,8 @@ static int pcifront_bus_read(struct pci_
33310         struct pcifront_sd *sd = bus->sysdata;
33311         struct pcifront_device *pdev = pcifront_get_pdev(sd);
33312  
33313 +       pax_track_stack();
33314 +
33315         if (verbose_request)
33316                 dev_info(&pdev->xdev->dev,
33317                          "read dev=%04x:%02x:%02x.%01x - offset %x size %d\n",
33318 @@ -226,6 +228,8 @@ static int pcifront_bus_write(struct pci
33319         struct pcifront_sd *sd = bus->sysdata;
33320         struct pcifront_device *pdev = pcifront_get_pdev(sd);
33321  
33322 +       pax_track_stack();
33323 +
33324         if (verbose_request)
33325                 dev_info(&pdev->xdev->dev,
33326                          "write dev=%04x:%02x:%02x.%01x - "
33327 @@ -258,6 +262,8 @@ static int pci_frontend_enable_msix(stru
33328         struct pcifront_device *pdev = pcifront_get_pdev(sd);
33329         struct msi_desc *entry;
33330  
33331 +       pax_track_stack();
33332 +
33333         if (nvec > SH_INFO_MAX_VEC) {
33334                 dev_err(&dev->dev, "too much vector for pci frontend: %x."
33335                                    " Increase SH_INFO_MAX_VEC.\n", nvec);
33336 @@ -309,6 +315,8 @@ static void pci_frontend_disable_msix(st
33337         struct pcifront_sd *sd = dev->bus->sysdata;
33338         struct pcifront_device *pdev = pcifront_get_pdev(sd);
33339  
33340 +       pax_track_stack();
33341 +
33342         err = do_pci_op(pdev, &op);
33343  
33344         /* What should do for error ? */
33345 @@ -328,6 +336,8 @@ static int pci_frontend_enable_msi(struc
33346         struct pcifront_sd *sd = dev->bus->sysdata;
33347         struct pcifront_device *pdev = pcifront_get_pdev(sd);
33348  
33349 +       pax_track_stack();
33350 +
33351         err = do_pci_op(pdev, &op);
33352         if (likely(!err)) {
33353                 vector[0] = op.value;
33354 diff -urNp linux-3.1.1/drivers/platform/x86/thinkpad_acpi.c linux-3.1.1/drivers/platform/x86/thinkpad_acpi.c
33355 --- linux-3.1.1/drivers/platform/x86/thinkpad_acpi.c    2011-11-11 15:19:27.000000000 -0500
33356 +++ linux-3.1.1/drivers/platform/x86/thinkpad_acpi.c    2011-11-16 18:39:07.000000000 -0500
33357 @@ -2094,7 +2094,7 @@ static int hotkey_mask_get(void)
33358         return 0;
33359  }
33360  
33361 -void static hotkey_mask_warn_incomplete_mask(void)
33362 +static void hotkey_mask_warn_incomplete_mask(void)
33363  {
33364         /* log only what the user can fix... */
33365         const u32 wantedmask = hotkey_driver_mask &
33366 diff -urNp linux-3.1.1/drivers/pnp/pnpbios/bioscalls.c linux-3.1.1/drivers/pnp/pnpbios/bioscalls.c
33367 --- linux-3.1.1/drivers/pnp/pnpbios/bioscalls.c 2011-11-11 15:19:27.000000000 -0500
33368 +++ linux-3.1.1/drivers/pnp/pnpbios/bioscalls.c 2011-11-16 18:39:07.000000000 -0500
33369 @@ -59,7 +59,7 @@ do { \
33370         set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
33371  } while(0)
33372  
33373 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
33374 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
33375                         (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
33376  
33377  /*
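Review bot: The type nibble of bad_bios_desc changes from 0x4092 to 0x4093, which on x86 presets the descriptor's "accessed" bit, and nothing at the definition explains why. Presumably this is so the CPU never has to write that bit into the GDT, which the later hunks in this file show is write-protected (every GDT store is wrapped in pax_open_kernel()/pax_close_kernel()); if so, a comment on the definition should say it, e.g. `/* accessed bit preset: the CPU must not write to the protected GDT when this selector is loaded */`. A reader comparing against upstream will otherwise take the 2 -> 3 change for a typo.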
33378 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
33379  
33380         cpu = get_cpu();
33381         save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
33382 +
33383 +       pax_open_kernel();
33384         get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
33385 +       pax_close_kernel();
33386  
33387         /* On some boxes IRQ's during PnP BIOS calls are deadly.  */
33388         spin_lock_irqsave(&pnp_bios_lock, flags);
33389 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
33390                              :"memory");
33391         spin_unlock_irqrestore(&pnp_bios_lock, flags);
33392  
33393 +       pax_open_kernel();
33394         get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
33395 +       pax_close_kernel();
33396 +
33397         put_cpu();
33398  
33399         /* If we get here and this is set then the PnP BIOS faulted on us. */
33400 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
33401         return status;
33402  }
33403  
33404 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
33405 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
33406  {
33407         int i;
33408  
33409 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
33410         pnp_bios_callpoint.offset = header->fields.pm16offset;
33411         pnp_bios_callpoint.segment = PNP_CS16;
33412  
33413 +       pax_open_kernel();
33414 +
33415         for_each_possible_cpu(i) {
33416                 struct desc_struct *gdt = get_cpu_gdt_table(i);
33417                 if (!gdt)
33418 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
33419                 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
33420                          (unsigned long)__va(header->fields.pm16dseg));
33421         }
33422 +
33423 +       pax_close_kernel();
33424  }
33425 diff -urNp linux-3.1.1/drivers/pnp/resource.c linux-3.1.1/drivers/pnp/resource.c
33426 --- linux-3.1.1/drivers/pnp/resource.c  2011-11-11 15:19:27.000000000 -0500
33427 +++ linux-3.1.1/drivers/pnp/resource.c  2011-11-16 18:39:07.000000000 -0500
33428 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
33429                 return 1;
33430  
33431         /* check if the resource is valid */
33432 -       if (*irq < 0 || *irq > 15)
33433 +       if (*irq > 15)
33434                 return 0;
33435  
33436         /* check if the resource is reserved */
33437 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
33438                 return 1;
33439  
33440         /* check if the resource is valid */
33441 -       if (*dma < 0 || *dma == 4 || *dma > 7)
33442 +       if (*dma == 4 || *dma > 7)
33443                 return 0;
33444  
33445         /* check if the resource is reserved */
33446 diff -urNp linux-3.1.1/drivers/power/bq27x00_battery.c linux-3.1.1/drivers/power/bq27x00_battery.c
33447 --- linux-3.1.1/drivers/power/bq27x00_battery.c 2011-11-11 15:19:27.000000000 -0500
33448 +++ linux-3.1.1/drivers/power/bq27x00_battery.c 2011-11-16 18:39:07.000000000 -0500
33449 @@ -67,7 +67,7 @@
33450  struct bq27x00_device_info;
33451  struct bq27x00_access_methods {
33452         int (*read)(struct bq27x00_device_info *di, u8 reg, bool single);
33453 -};
33454 +} __no_const;
33455  
33456  enum bq27x00_chip { BQ27000, BQ27500 };
33457  
33458 diff -urNp linux-3.1.1/drivers/regulator/max8660.c linux-3.1.1/drivers/regulator/max8660.c
33459 --- linux-3.1.1/drivers/regulator/max8660.c     2011-11-11 15:19:27.000000000 -0500
33460 +++ linux-3.1.1/drivers/regulator/max8660.c     2011-11-16 18:39:07.000000000 -0500
33461 @@ -383,8 +383,10 @@ static int __devinit max8660_probe(struc
33462                 max8660->shadow_regs[MAX8660_OVER1] = 5;
33463         } else {
33464                 /* Otherwise devices can be toggled via software */
33465 -               max8660_dcdc_ops.enable = max8660_dcdc_enable;
33466 -               max8660_dcdc_ops.disable = max8660_dcdc_disable;
33467 +               pax_open_kernel();
33468 +               *(void **)&max8660_dcdc_ops.enable = max8660_dcdc_enable;
33469 +               *(void **)&max8660_dcdc_ops.disable = max8660_dcdc_disable;
33470 +               pax_close_kernel();
33471         }
33472  
33473         /*
33474 diff -urNp linux-3.1.1/drivers/regulator/mc13892-regulator.c linux-3.1.1/drivers/regulator/mc13892-regulator.c
33475 --- linux-3.1.1/drivers/regulator/mc13892-regulator.c   2011-11-11 15:19:27.000000000 -0500
33476 +++ linux-3.1.1/drivers/regulator/mc13892-regulator.c   2011-11-16 18:39:07.000000000 -0500
33477 @@ -564,10 +564,12 @@ static int __devinit mc13892_regulator_p
33478         }
33479         mc13xxx_unlock(mc13892);
33480  
33481 -       mc13892_regulators[MC13892_VCAM].desc.ops->set_mode
33482 +       pax_open_kernel();
33483 +       *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->set_mode
33484                 = mc13892_vcam_set_mode;
33485 -       mc13892_regulators[MC13892_VCAM].desc.ops->get_mode
33486 +       *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->get_mode
33487                 = mc13892_vcam_get_mode;
33488 +       pax_close_kernel();
33489         for (i = 0; i < pdata->num_regulators; i++) {
33490                 init_data = &pdata->regulators[i];
33491                 priv->regulators[i] = regulator_register(
33492 diff -urNp linux-3.1.1/drivers/rtc/rtc-dev.c linux-3.1.1/drivers/rtc/rtc-dev.c
33493 --- linux-3.1.1/drivers/rtc/rtc-dev.c   2011-11-11 15:19:27.000000000 -0500
33494 +++ linux-3.1.1/drivers/rtc/rtc-dev.c   2011-11-16 18:40:22.000000000 -0500
33495 @@ -14,6 +14,7 @@
33496  #include <linux/module.h>
33497  #include <linux/rtc.h>
33498  #include <linux/sched.h>
33499 +#include <linux/grsecurity.h>
33500  #include "rtc-core.h"
33501  
33502  static dev_t rtc_devt;
33503 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
33504                 if (copy_from_user(&tm, uarg, sizeof(tm)))
33505                         return -EFAULT;
33506  
33507 +               gr_log_timechange();
33508 +
33509                 return rtc_set_time(rtc, &tm);
33510  
33511         case RTC_PIE_ON:
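Review bot: `gr_log_timechange()` is called before `rtc_set_time(rtc, &tm)` in the RTC_SET_TIME case, so the audit entry is emitted even when rtc_set_time() fails (no set_time op, invalid time, driver error) and the clock was never changed. If the intent is to record attempts, a comment should state that; if it is to record actual changes, log on success: `err = rtc_set_time(rtc, &tm); if (!err) gr_log_timechange(); return err;`. Whether a suitable `err` variable already exists in rtc_dev_ioctl() cannot be seen from the hunk.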
33512 diff -urNp linux-3.1.1/drivers/scsi/aacraid/aacraid.h linux-3.1.1/drivers/scsi/aacraid/aacraid.h
33513 --- linux-3.1.1/drivers/scsi/aacraid/aacraid.h  2011-11-11 15:19:27.000000000 -0500
33514 +++ linux-3.1.1/drivers/scsi/aacraid/aacraid.h  2011-11-16 18:39:07.000000000 -0500
33515 @@ -492,7 +492,7 @@ struct adapter_ops
33516         int  (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd);
33517         /* Administrative operations */
33518         int  (*adapter_comm)(struct aac_dev * dev, int comm);
33519 -};
33520 +} __no_const;
33521  
33522  /*
33523   *     Define which interrupt handler needs to be installed
33524 diff -urNp linux-3.1.1/drivers/scsi/aacraid/commctrl.c linux-3.1.1/drivers/scsi/aacraid/commctrl.c
33525 --- linux-3.1.1/drivers/scsi/aacraid/commctrl.c 2011-11-11 15:19:27.000000000 -0500
33526 +++ linux-3.1.1/drivers/scsi/aacraid/commctrl.c 2011-11-16 18:40:22.000000000 -0500
33527 @@ -482,6 +482,7 @@ static int aac_send_raw_srb(struct aac_d
33528         u32 actual_fibsize64, actual_fibsize = 0;
33529         int i;
33530  
33531 +       pax_track_stack();
33532  
33533         if (dev->in_reset) {
33534                 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
33535 diff -urNp linux-3.1.1/drivers/scsi/aacraid/linit.c linux-3.1.1/drivers/scsi/aacraid/linit.c
33536 --- linux-3.1.1/drivers/scsi/aacraid/linit.c    2011-11-11 15:19:27.000000000 -0500
33537 +++ linux-3.1.1/drivers/scsi/aacraid/linit.c    2011-11-16 18:39:07.000000000 -0500
33538 @@ -92,7 +92,7 @@ static DECLARE_PCI_DEVICE_TABLE(aac_pci_
33539  #elif defined(__devinitconst)
33540  static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
33541  #else
33542 -static const struct pci_device_id aac_pci_tbl[] __devinitdata = {
33543 +static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
33544  #endif
33545         { 0x1028, 0x0001, 0x1028, 0x0001, 0, 0, 0 }, /* PERC 2/Si (Iguana/PERC2Si) */
33546         { 0x1028, 0x0002, 0x1028, 0x0002, 0, 0, 1 }, /* PERC 3/Di (Opal/PERC3Di) */
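Review bot: The changed declaration sits in the `#else` arm of `#elif defined(__devinitconst)`, i.e. the branch that is compiled only when `__devinitconst` is not defined, so the new `__devinitconst` token there can never resolve and the line would not compile if that branch were ever taken. In-tree the macro is always defined and the arm is dead; either drop the section annotation there, `static const struct pci_device_id aac_pci_tbl[] = {`, or remove the dead `#else` arm rather than leave it self-contradictory.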
33547 diff -urNp linux-3.1.1/drivers/scsi/aic94xx/aic94xx_init.c linux-3.1.1/drivers/scsi/aic94xx/aic94xx_init.c
33548 --- linux-3.1.1/drivers/scsi/aic94xx/aic94xx_init.c     2011-11-11 15:19:27.000000000 -0500
33549 +++ linux-3.1.1/drivers/scsi/aic94xx/aic94xx_init.c     2011-11-16 18:39:07.000000000 -0500
33550 @@ -1012,7 +1012,7 @@ static struct sas_domain_function_templa
33551         .lldd_control_phy       = asd_control_phy,
33552  };
33553  
33554 -static const struct pci_device_id aic94xx_pci_table[] __devinitdata = {
33555 +static const struct pci_device_id aic94xx_pci_table[] __devinitconst = {
33556         {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x410),0, 0, 1},
33557         {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x412),0, 0, 1},
33558         {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x416),0, 0, 1},
33559 diff -urNp linux-3.1.1/drivers/scsi/bfa/bfad.c linux-3.1.1/drivers/scsi/bfa/bfad.c
33560 --- linux-3.1.1/drivers/scsi/bfa/bfad.c 2011-11-11 15:19:27.000000000 -0500
33561 +++ linux-3.1.1/drivers/scsi/bfa/bfad.c 2011-11-16 19:01:15.000000000 -0500
33562 @@ -1019,6 +1019,8 @@ bfad_start_ops(struct bfad_s *bfad) {
33563         struct bfad_vport_s *vport, *vport_new;
33564         struct bfa_fcs_driver_info_s driver_info;
33565  
33566 +       pax_track_stack();
33567 +
33568         /* Limit min/max. xfer size to [64k-32MB] */
33569         if (max_xfer_size < BFAD_MIN_SECTORS >> 1)
33570                 max_xfer_size = BFAD_MIN_SECTORS >> 1;
33571 diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.c linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.c
33572 --- linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.c    2011-11-11 15:19:27.000000000 -0500
33573 +++ linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.c    2011-11-16 18:39:07.000000000 -0500
33574 @@ -4179,7 +4179,7 @@ bfa_itn_create(struct bfa_s *bfa, struct
33575                 void (*isr)(struct bfa_s *bfa, struct bfi_msg_s *m))
33576  {
33577         struct bfa_fcp_mod_s *fcp = BFA_FCP_MOD(bfa);
33578 -       struct bfa_itn_s *itn;
33579 +       bfa_itn_s_no_const *itn;
33580  
33581         itn =  BFA_ITN_FROM_TAG(fcp, rport->rport_tag);
33582         itn->isr = isr;
33583 diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.h linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.h
33584 --- linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.h    2011-11-11 15:19:27.000000000 -0500
33585 +++ linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.h    2011-11-16 18:39:07.000000000 -0500
33586 @@ -37,6 +37,7 @@ struct bfa_iotag_s {
33587  struct bfa_itn_s {
33588         bfa_isr_func_t isr;
33589  };
33590 +typedef struct bfa_itn_s __no_const bfa_itn_s_no_const;
33591  
33592  void bfa_itn_create(struct bfa_s *bfa, struct bfa_rport_s *rport,
33593                 void (*isr)(struct bfa_s *bfa, struct bfi_msg_s *m));
33594 @@ -149,7 +150,7 @@ struct bfa_fcp_mod_s {
33595         struct list_head        iotag_tio_free_q;       /* free IO resources */
33596         struct list_head        iotag_unused_q; /* unused IO resources*/
33597         struct bfa_iotag_s      *iotag_arr;
33598 -       struct bfa_itn_s        *itn_arr;
33599 +       bfa_itn_s_no_const      *itn_arr;
33600         int                     num_ioim_reqs;
33601         int                     num_fwtio_reqs;
33602         int                     num_itns;
33603 diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa_fcs_lport.c linux-3.1.1/drivers/scsi/bfa/bfa_fcs_lport.c
33604 --- linux-3.1.1/drivers/scsi/bfa/bfa_fcs_lport.c        2011-11-11 15:19:27.000000000 -0500
33605 +++ linux-3.1.1/drivers/scsi/bfa/bfa_fcs_lport.c        2011-11-16 18:40:22.000000000 -0500
33606 @@ -1700,6 +1700,8 @@ bfa_fcs_lport_fdmi_build_rhba_pyld(struc
33607         u16        len, count;
33608         u16     templen;
33609  
33610 +       pax_track_stack();
33611 +
33612         /*
33613          * get hba attributes
33614          */
33615 @@ -1977,6 +1979,8 @@ bfa_fcs_lport_fdmi_build_portattr_block(
33616         u8      count = 0;
33617         u16     templen;
33618  
33619 +       pax_track_stack();
33620 +
33621         /*
33622          * get port attributes
33623          */
33624 diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa_fcs_rport.c linux-3.1.1/drivers/scsi/bfa/bfa_fcs_rport.c
33625 --- linux-3.1.1/drivers/scsi/bfa/bfa_fcs_rport.c        2011-11-11 15:19:27.000000000 -0500
33626 +++ linux-3.1.1/drivers/scsi/bfa/bfa_fcs_rport.c        2011-11-16 18:40:22.000000000 -0500
33627 @@ -1871,6 +1871,8 @@ bfa_fcs_rport_process_rpsc(struct bfa_fc
33628         struct fc_rpsc_speed_info_s speeds;
33629         struct bfa_port_attr_s pport_attr;
33630  
33631 +       pax_track_stack();
33632 +
33633         bfa_trc(port->fcs, rx_fchs->s_id);
33634         bfa_trc(port->fcs, rx_fchs->d_id);
33635  
33636 diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa.h linux-3.1.1/drivers/scsi/bfa/bfa.h
33637 --- linux-3.1.1/drivers/scsi/bfa/bfa.h  2011-11-11 15:19:27.000000000 -0500
33638 +++ linux-3.1.1/drivers/scsi/bfa/bfa.h  2011-11-16 18:39:07.000000000 -0500
33639 @@ -196,7 +196,7 @@ struct bfa_hwif_s {
33640                                        u32 *end);
33641         int     cpe_vec_q0;
33642         int     rme_vec_q0;
33643 -};
33644 +} __no_const;
33645  typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
33646  
33647  struct bfa_faa_cbfn_s {
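Review bot: `} __no_const;` exempts struct bfa_hwif_s from constification without recording why, so a later cleanup could drop it and break the build once the callbacks are assigned; a one-line comment would pin the reason, e.g. `} __no_const; /* callbacks are assigned at runtime, so this ops struct cannot be placed in rodata */`. The runtime assignment is inferred from the annotation rather than shown in this hunk, so the wording should be confirmed against the code that fills the struct. The same comment is missing on bfa_ioc_cbfn_s and bfa_ioc_hwif_s in the bfa_ioc.h hunks and on ips_hw_func_t in the ips.h hunk below.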
33648 diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa_ioc.h linux-3.1.1/drivers/scsi/bfa/bfa_ioc.h
33649 --- linux-3.1.1/drivers/scsi/bfa/bfa_ioc.h      2011-11-11 15:19:27.000000000 -0500
33650 +++ linux-3.1.1/drivers/scsi/bfa/bfa_ioc.h      2011-11-16 18:39:07.000000000 -0500
33651 @@ -258,7 +258,7 @@ struct bfa_ioc_cbfn_s {
33652         bfa_ioc_disable_cbfn_t  disable_cbfn;
33653         bfa_ioc_hbfail_cbfn_t   hbfail_cbfn;
33654         bfa_ioc_reset_cbfn_t    reset_cbfn;
33655 -};
33656 +} __no_const;
33657  
33658  /*
33659   * IOC event notification mechanism.
33660 @@ -346,7 +346,7 @@ struct bfa_ioc_hwif_s {
33661         void            (*ioc_sync_ack)         (struct bfa_ioc_s *ioc);
33662         bfa_boolean_t   (*ioc_sync_complete)    (struct bfa_ioc_s *ioc);
33663         bfa_boolean_t   (*ioc_lpu_read_stat)    (struct bfa_ioc_s *ioc);
33664 -};
33665 +} __no_const;
33666  
33667  /*
33668   * Queue element to wait for room in request queue. FIFO order is
33669 diff -urNp linux-3.1.1/drivers/scsi/BusLogic.c linux-3.1.1/drivers/scsi/BusLogic.c
33670 --- linux-3.1.1/drivers/scsi/BusLogic.c 2011-11-11 15:19:27.000000000 -0500
33671 +++ linux-3.1.1/drivers/scsi/BusLogic.c 2011-11-16 18:40:22.000000000 -0500
33672 @@ -962,6 +962,8 @@ static int __init BusLogic_InitializeFla
33673  static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
33674                                                     *PrototypeHostAdapter)
33675  {
33676 +       pax_track_stack();
33677 +
33678         /*
33679            If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
33680            Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
33681 diff -urNp linux-3.1.1/drivers/scsi/dpt_i2o.c linux-3.1.1/drivers/scsi/dpt_i2o.c
33682 --- linux-3.1.1/drivers/scsi/dpt_i2o.c  2011-11-11 15:19:27.000000000 -0500
33683 +++ linux-3.1.1/drivers/scsi/dpt_i2o.c  2011-11-16 18:40:22.000000000 -0500
33684 @@ -1811,6 +1811,8 @@ static int adpt_i2o_passthru(adpt_hba* p
33685         dma_addr_t addr;
33686         ulong flags = 0;
33687  
33688 +       pax_track_stack();
33689 +
33690         memset(&msg, 0, MAX_MESSAGE_SIZE*4);
33691         // get user msg size in u32s 
33692         if(get_user(size, &user_msg[0])){
33693 @@ -2317,6 +2319,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
33694         s32 rcode;
33695         dma_addr_t addr;
33696  
33697 +       pax_track_stack();
33698 +
33699         memset(msg, 0 , sizeof(msg));
33700         len = scsi_bufflen(cmd);
33701         direction = 0x00000000; 
33702 diff -urNp linux-3.1.1/drivers/scsi/eata.c linux-3.1.1/drivers/scsi/eata.c
33703 --- linux-3.1.1/drivers/scsi/eata.c     2011-11-11 15:19:27.000000000 -0500
33704 +++ linux-3.1.1/drivers/scsi/eata.c     2011-11-16 18:40:22.000000000 -0500
33705 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
33706         struct hostdata *ha;
33707         char name[16];
33708  
33709 +       pax_track_stack();
33710 +
33711         sprintf(name, "%s%d", driver_name, j);
33712  
33713         if (!request_region(port_base, REGION_SIZE, driver_name)) {
33714 diff -urNp linux-3.1.1/drivers/scsi/fcoe/fcoe_ctlr.c linux-3.1.1/drivers/scsi/fcoe/fcoe_ctlr.c
33715 --- linux-3.1.1/drivers/scsi/fcoe/fcoe_ctlr.c   2011-11-11 15:19:27.000000000 -0500
33716 +++ linux-3.1.1/drivers/scsi/fcoe/fcoe_ctlr.c   2011-11-16 18:40:22.000000000 -0500
33717 @@ -2503,6 +2503,8 @@ static int fcoe_ctlr_vn_recv(struct fcoe
33718         } buf;
33719         int rc;
33720  
33721 +       pax_track_stack();
33722 +
33723         fiph = (struct fip_header *)skb->data;
33724         sub = fiph->fip_subcode;
33725  
33726 diff -urNp linux-3.1.1/drivers/scsi/gdth.c linux-3.1.1/drivers/scsi/gdth.c
33727 --- linux-3.1.1/drivers/scsi/gdth.c     2011-11-11 15:19:27.000000000 -0500
33728 +++ linux-3.1.1/drivers/scsi/gdth.c     2011-11-16 18:40:22.000000000 -0500
33729 @@ -4107,6 +4107,8 @@ static int ioc_lockdrv(void __user *arg)
33730      unsigned long flags;
33731      gdth_ha_str *ha;
33732  
33733 +    pax_track_stack();
33734 +
33735      if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
33736          return -EFAULT;
33737      ha = gdth_find_ha(ldrv.ionode);
33738 @@ -4139,6 +4141,8 @@ static int ioc_resetdrv(void __user *arg
33739      gdth_ha_str *ha;
33740      int rval;
33741  
33742 +    pax_track_stack();
33743 +
33744      if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
33745          res.number >= MAX_HDRIVES)
33746          return -EFAULT;
33747 @@ -4174,6 +4178,8 @@ static int ioc_general(void __user *arg,
33748      gdth_ha_str *ha;
33749      int rval;
33750  
33751 +    pax_track_stack();
33752 +
33753      if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
33754          return -EFAULT;
33755      ha = gdth_find_ha(gen.ionode);
33756 @@ -4642,6 +4648,9 @@ static void gdth_flush(gdth_ha_str *ha)
33757      int             i;
33758      gdth_cmd_str    gdtcmd;
33759      char            cmnd[MAX_COMMAND_SIZE];   
33760 +
33761 +    pax_track_stack();
33762 +
33763      memset(cmnd, 0xff, MAX_COMMAND_SIZE);
33764  
33765      TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
33766 diff -urNp linux-3.1.1/drivers/scsi/gdth_proc.c linux-3.1.1/drivers/scsi/gdth_proc.c
33767 --- linux-3.1.1/drivers/scsi/gdth_proc.c        2011-11-11 15:19:27.000000000 -0500
33768 +++ linux-3.1.1/drivers/scsi/gdth_proc.c        2011-11-16 18:40:22.000000000 -0500
33769 @@ -47,6 +47,9 @@ static int gdth_set_asc_info(struct Scsi
33770      u64         paddr;
33771  
33772      char            cmnd[MAX_COMMAND_SIZE];
33773 +
33774 +    pax_track_stack();
33775 +
33776      memset(cmnd, 0xff, 12);
33777      memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
33778  
33779 @@ -175,6 +178,8 @@ static int gdth_get_info(char *buffer,ch
33780      gdth_hget_str *phg;
33781      char cmnd[MAX_COMMAND_SIZE];
33782  
33783 +    pax_track_stack();
33784 +
33785      gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
33786      estr = kmalloc(sizeof(*estr), GFP_KERNEL);
33787      if (!gdtcmd || !estr)
33788 diff -urNp linux-3.1.1/drivers/scsi/hosts.c linux-3.1.1/drivers/scsi/hosts.c
33789 --- linux-3.1.1/drivers/scsi/hosts.c    2011-11-11 15:19:27.000000000 -0500
33790 +++ linux-3.1.1/drivers/scsi/hosts.c    2011-11-16 18:39:07.000000000 -0500
33791 @@ -42,7 +42,7 @@
33792  #include "scsi_logging.h"
33793  
33794  
33795 -static atomic_t scsi_host_next_hn;     /* host_no for next new host */
33796 +static atomic_unchecked_t scsi_host_next_hn;   /* host_no for next new host */
33797  
33798  
33799  static void scsi_host_cls_release(struct device *dev)
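Review bot: Switching scsi_host_next_hn to atomic_unchecked_t opts this counter out of the overflow trap, but nothing states why wraparound is acceptable here; the existing trailing comment could carry that, e.g. `/* host_no for next new host; unchecked: allocator sequence, not a refcount */`. The same reasoning covers the atomic_inc_return_unchecked() call in the scsi_host_alloc hunk that follows, where a wrapped counter would presumably hand out an already used host number — the behavior upstream already has, but worth stating at the point where the trap is disabled.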
33800 @@ -357,7 +357,7 @@ struct Scsi_Host *scsi_host_alloc(struct
33801          * subtract one because we increment first then return, but we need to
33802          * know what the next host number was before increment
33803          */
33804 -       shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
33805 +       shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
33806         shost->dma_channel = 0xff;
33807  
33808         /* These three are default values which can be overridden */
33809 diff -urNp linux-3.1.1/drivers/scsi/hpsa.c linux-3.1.1/drivers/scsi/hpsa.c
33810 --- linux-3.1.1/drivers/scsi/hpsa.c     2011-11-11 15:19:27.000000000 -0500
33811 +++ linux-3.1.1/drivers/scsi/hpsa.c     2011-11-16 18:39:07.000000000 -0500
33812 @@ -498,7 +498,7 @@ static inline u32 next_command(struct ct
33813         u32 a;
33814  
33815         if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
33816 -               return h->access.command_completed(h);
33817 +               return h->access->command_completed(h);
33818  
33819         if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
33820                 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
33821 @@ -2955,7 +2955,7 @@ static void start_io(struct ctlr_info *h
33822         while (!list_empty(&h->reqQ)) {
33823                 c = list_entry(h->reqQ.next, struct CommandList, list);
33824                 /* can't do anything if fifo is full */
33825 -               if ((h->access.fifo_full(h))) {
33826 +               if ((h->access->fifo_full(h))) {
33827                         dev_warn(&h->pdev->dev, "fifo full\n");
33828                         break;
33829                 }
33830 @@ -2965,7 +2965,7 @@ static void start_io(struct ctlr_info *h
33831                 h->Qdepth--;
33832  
33833                 /* Tell the controller execute command */
33834 -               h->access.submit_command(h, c);
33835 +               h->access->submit_command(h, c);
33836  
33837                 /* Put job onto the completed Q */
33838                 addQ(&h->cmpQ, c);
33839 @@ -2974,17 +2974,17 @@ static void start_io(struct ctlr_info *h
33840  
33841  static inline unsigned long get_next_completion(struct ctlr_info *h)
33842  {
33843 -       return h->access.command_completed(h);
33844 +       return h->access->command_completed(h);
33845  }
33846  
33847  static inline bool interrupt_pending(struct ctlr_info *h)
33848  {
33849 -       return h->access.intr_pending(h);
33850 +       return h->access->intr_pending(h);
33851  }
33852  
33853  static inline long interrupt_not_for_us(struct ctlr_info *h)
33854  {
33855 -       return (h->access.intr_pending(h) == 0) ||
33856 +       return (h->access->intr_pending(h) == 0) ||
33857                 (h->interrupts_enabled == 0);
33858  }
33859  
33860 @@ -3881,7 +3881,7 @@ static int __devinit hpsa_pci_init(struc
33861         if (prod_index < 0)
33862                 return -ENODEV;
33863         h->product_name = products[prod_index].product_name;
33864 -       h->access = *(products[prod_index].access);
33865 +       h->access = products[prod_index].access;
33866  
33867         if (hpsa_board_disabled(h->pdev)) {
33868                 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
33869 @@ -4158,7 +4158,7 @@ reinit_after_soft_reset:
33870         }
33871  
33872         /* make sure the board interrupts are off */
33873 -       h->access.set_intr_mask(h, HPSA_INTR_OFF);
33874 +       h->access->set_intr_mask(h, HPSA_INTR_OFF);
33875  
33876         if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx))
33877                 goto clean2;
33878 @@ -4192,7 +4192,7 @@ reinit_after_soft_reset:
33879                  * fake ones to scoop up any residual completions.
33880                  */
33881                 spin_lock_irqsave(&h->lock, flags);
33882 -               h->access.set_intr_mask(h, HPSA_INTR_OFF);
33883 +               h->access->set_intr_mask(h, HPSA_INTR_OFF);
33884                 spin_unlock_irqrestore(&h->lock, flags);
33885                 free_irq(h->intr[h->intr_mode], h);
33886                 rc = hpsa_request_irq(h, hpsa_msix_discard_completions,
33887 @@ -4211,9 +4211,9 @@ reinit_after_soft_reset:
33888                 dev_info(&h->pdev->dev, "Board READY.\n");
33889                 dev_info(&h->pdev->dev,
33890                         "Waiting for stale completions to drain.\n");
33891 -               h->access.set_intr_mask(h, HPSA_INTR_ON);
33892 +               h->access->set_intr_mask(h, HPSA_INTR_ON);
33893                 msleep(10000);
33894 -               h->access.set_intr_mask(h, HPSA_INTR_OFF);
33895 +               h->access->set_intr_mask(h, HPSA_INTR_OFF);
33896  
33897                 rc = controller_reset_failed(h->cfgtable);
33898                 if (rc)
33899 @@ -4234,7 +4234,7 @@ reinit_after_soft_reset:
33900         }
33901  
33902         /* Turn the interrupts on so we can service requests */
33903 -       h->access.set_intr_mask(h, HPSA_INTR_ON);
33904 +       h->access->set_intr_mask(h, HPSA_INTR_ON);
33905  
33906         hpsa_hba_inquiry(h);
33907         hpsa_register_scsi(h);  /* hook ourselves into SCSI subsystem */
33908 @@ -4287,7 +4287,7 @@ static void hpsa_shutdown(struct pci_dev
33909          * To write all data in the battery backed cache to disks
33910          */
33911         hpsa_flush_cache(h);
33912 -       h->access.set_intr_mask(h, HPSA_INTR_OFF);
33913 +       h->access->set_intr_mask(h, HPSA_INTR_OFF);
33914         free_irq(h->intr[h->intr_mode], h);
33915  #ifdef CONFIG_PCI_MSI
33916         if (h->msix_vector)
33917 @@ -4450,7 +4450,7 @@ static __devinit void hpsa_enter_perform
33918                 return;
33919         }
33920         /* Change the access methods to the performant access methods */
33921 -       h->access = SA5_performant_access;
33922 +       h->access = &SA5_performant_access;
33923         h->transMethod = CFGTBL_Trans_Performant;
33924  }
33925  
33926 diff -urNp linux-3.1.1/drivers/scsi/hpsa.h linux-3.1.1/drivers/scsi/hpsa.h
33927 --- linux-3.1.1/drivers/scsi/hpsa.h     2011-11-11 15:19:27.000000000 -0500
33928 +++ linux-3.1.1/drivers/scsi/hpsa.h     2011-11-16 18:39:07.000000000 -0500
33929 @@ -73,7 +73,7 @@ struct ctlr_info {
33930         unsigned int msix_vector;
33931         unsigned int msi_vector;
33932         int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
33933 -       struct access_method access;
33934 +       struct access_method *access;
33935  
33936         /* queue and queue Info */
33937         struct list_head reqQ;
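Review bot: The new member is declared `struct access_method *access;` without const, so the dispatch tables it now aliases (products[prod_index].access in the hpsa_pci_init hunk and &SA5_performant_access in the `@@ -4450` hunk of hpsa.c above) cannot be write-protected through this handle, which is the usual reason for replacing a by-value copy with a pointer; `const struct access_method *access;` would keep the function-pointer table read-only from the controller side. Every use in the hpsa.c hunks only reads through h->access, so the qualifier should compile unchanged, provided the tables themselves are not written elsewhere (not visible here). A short comment on the member, e.g. `/* shared static table, never written through; was a per-controller copy */`, would also warn readers who still expect the old copy semantics.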
33938 diff -urNp linux-3.1.1/drivers/scsi/ips.h linux-3.1.1/drivers/scsi/ips.h
33939 --- linux-3.1.1/drivers/scsi/ips.h      2011-11-11 15:19:27.000000000 -0500
33940 +++ linux-3.1.1/drivers/scsi/ips.h      2011-11-16 18:39:07.000000000 -0500
33941 @@ -1027,7 +1027,7 @@ typedef struct {
33942     int       (*intr)(struct ips_ha *);
33943     void      (*enableint)(struct ips_ha *);
33944     uint32_t (*statupd)(struct ips_ha *);
33945 -} ips_hw_func_t;
33946 +} __no_const ips_hw_func_t;
33947  
33948  typedef struct ips_ha {
33949     uint8_t            ha_id[IPS_MAX_CHANNELS+1];
33950 diff -urNp linux-3.1.1/drivers/scsi/libfc/fc_exch.c linux-3.1.1/drivers/scsi/libfc/fc_exch.c
33951 --- linux-3.1.1/drivers/scsi/libfc/fc_exch.c    2011-11-11 15:19:27.000000000 -0500
33952 +++ linux-3.1.1/drivers/scsi/libfc/fc_exch.c    2011-11-16 18:39:07.000000000 -0500
33953 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
33954          * all together if not used XXX
33955          */
33956         struct {
33957 -               atomic_t no_free_exch;
33958 -               atomic_t no_free_exch_xid;
33959 -               atomic_t xid_not_found;
33960 -               atomic_t xid_busy;
33961 -               atomic_t seq_not_found;
33962 -               atomic_t non_bls_resp;
33963 +               atomic_unchecked_t no_free_exch;
33964 +               atomic_unchecked_t no_free_exch_xid;
33965 +               atomic_unchecked_t xid_not_found;
33966 +               atomic_unchecked_t xid_busy;
33967 +               atomic_unchecked_t seq_not_found;
33968 +               atomic_unchecked_t non_bls_resp;
33969         } stats;
33970  };
33971  
33972 @@ -718,7 +718,7 @@ static struct fc_exch *fc_exch_em_alloc(
33973         /* allocate memory for exchange */
33974         ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
33975         if (!ep) {
33976 -               atomic_inc(&mp->stats.no_free_exch);
33977 +               atomic_inc_unchecked(&mp->stats.no_free_exch);
33978                 goto out;
33979         }
33980         memset(ep, 0, sizeof(*ep));
33981 @@ -779,7 +779,7 @@ out:
33982         return ep;
33983  err:
33984         spin_unlock_bh(&pool->lock);
33985 -       atomic_inc(&mp->stats.no_free_exch_xid);
33986 +       atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
33987         mempool_free(ep, mp->ep_pool);
33988         return NULL;
33989  }
33990 @@ -922,7 +922,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33991                 xid = ntohs(fh->fh_ox_id);      /* we originated exch */
33992                 ep = fc_exch_find(mp, xid);
33993                 if (!ep) {
33994 -                       atomic_inc(&mp->stats.xid_not_found);
33995 +                       atomic_inc_unchecked(&mp->stats.xid_not_found);
33996                         reject = FC_RJT_OX_ID;
33997                         goto out;
33998                 }
33999 @@ -952,7 +952,7 @@ static enum fc_pf_rjt_reason fc_seq_look
34000                 ep = fc_exch_find(mp, xid);
34001                 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
34002                         if (ep) {
34003 -                               atomic_inc(&mp->stats.xid_busy);
34004 +                               atomic_inc_unchecked(&mp->stats.xid_busy);
34005                                 reject = FC_RJT_RX_ID;
34006                                 goto rel;
34007                         }
34008 @@ -963,7 +963,7 @@ static enum fc_pf_rjt_reason fc_seq_look
34009                         }
34010                         xid = ep->xid;  /* get our XID */
34011                 } else if (!ep) {
34012 -                       atomic_inc(&mp->stats.xid_not_found);
34013 +                       atomic_inc_unchecked(&mp->stats.xid_not_found);
34014                         reject = FC_RJT_RX_ID;  /* XID not found */
34015                         goto out;
34016                 }
34017 @@ -980,7 +980,7 @@ static enum fc_pf_rjt_reason fc_seq_look
34018         } else {
34019                 sp = &ep->seq;
34020                 if (sp->id != fh->fh_seq_id) {
34021 -                       atomic_inc(&mp->stats.seq_not_found);
34022 +                       atomic_inc_unchecked(&mp->stats.seq_not_found);
34023                         if (f_ctl & FC_FC_END_SEQ) {
34024                                 /*
34025                                  * Update sequence_id based on incoming last
34026 @@ -1430,22 +1430,22 @@ static void fc_exch_recv_seq_resp(struct
34027  
34028         ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
34029         if (!ep) {
34030 -               atomic_inc(&mp->stats.xid_not_found);
34031 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
34032                 goto out;
34033         }
34034         if (ep->esb_stat & ESB_ST_COMPLETE) {
34035 -               atomic_inc(&mp->stats.xid_not_found);
34036 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
34037                 goto rel;
34038         }
34039         if (ep->rxid == FC_XID_UNKNOWN)
34040                 ep->rxid = ntohs(fh->fh_rx_id);
34041         if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
34042 -               atomic_inc(&mp->stats.xid_not_found);
34043 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
34044                 goto rel;
34045         }
34046         if (ep->did != ntoh24(fh->fh_s_id) &&
34047             ep->did != FC_FID_FLOGI) {
34048 -               atomic_inc(&mp->stats.xid_not_found);
34049 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
34050                 goto rel;
34051         }
34052         sof = fr_sof(fp);
34053 @@ -1454,7 +1454,7 @@ static void fc_exch_recv_seq_resp(struct
34054                 sp->ssb_stat |= SSB_ST_RESP;
34055                 sp->id = fh->fh_seq_id;
34056         } else if (sp->id != fh->fh_seq_id) {
34057 -               atomic_inc(&mp->stats.seq_not_found);
34058 +               atomic_inc_unchecked(&mp->stats.seq_not_found);
34059                 goto rel;
34060         }
34061  
34062 @@ -1518,9 +1518,9 @@ static void fc_exch_recv_resp(struct fc_
34063         sp = fc_seq_lookup_orig(mp, fp);        /* doesn't hold sequence */
34064  
34065         if (!sp)
34066 -               atomic_inc(&mp->stats.xid_not_found);
34067 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
34068         else
34069 -               atomic_inc(&mp->stats.non_bls_resp);
34070 +               atomic_inc_unchecked(&mp->stats.non_bls_resp);
34071  
34072         fc_frame_free(fp);
34073  }
34074 diff -urNp linux-3.1.1/drivers/scsi/libsas/sas_ata.c linux-3.1.1/drivers/scsi/libsas/sas_ata.c
34075 --- linux-3.1.1/drivers/scsi/libsas/sas_ata.c   2011-11-11 15:19:27.000000000 -0500
34076 +++ linux-3.1.1/drivers/scsi/libsas/sas_ata.c   2011-11-16 18:39:07.000000000 -0500
34077 @@ -368,7 +368,7 @@ static struct ata_port_operations sas_sa
34078         .postreset              = ata_std_postreset,
34079         .error_handler          = ata_std_error_handler,
34080         .post_internal_cmd      = sas_ata_post_internal,
34081 -       .qc_defer               = ata_std_qc_defer,
34082 +       .qc_defer               = ata_std_qc_defer,
34083         .qc_prep                = ata_noop_qc_prep,
34084         .qc_issue               = sas_ata_qc_issue,
34085         .qc_fill_rtf            = sas_ata_qc_fill_rtf,
34086 diff -urNp linux-3.1.1/drivers/scsi/lpfc/lpfc_debugfs.c linux-3.1.1/drivers/scsi/lpfc/lpfc_debugfs.c
34087 --- linux-3.1.1/drivers/scsi/lpfc/lpfc_debugfs.c        2011-11-11 15:19:27.000000000 -0500
34088 +++ linux-3.1.1/drivers/scsi/lpfc/lpfc_debugfs.c        2011-11-16 18:40:22.000000000 -0500
34089 @@ -105,7 +105,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_
34090  
34091  #include <linux/debugfs.h>
34092  
34093 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
34094 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
34095  static unsigned long lpfc_debugfs_start_time = 0L;
34096  
34097  /* iDiag */
34098 @@ -146,7 +146,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
34099         lpfc_debugfs_enable = 0;
34100  
34101         len = 0;
34102 -       index = (atomic_read(&vport->disc_trc_cnt) + 1) &
34103 +       index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
34104                 (lpfc_debugfs_max_disc_trc - 1);
34105         for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
34106                 dtp = vport->disc_trc + i;
34107 @@ -212,7 +212,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
34108         lpfc_debugfs_enable = 0;
34109  
34110         len = 0;
34111 -       index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
34112 +       index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
34113                 (lpfc_debugfs_max_slow_ring_trc - 1);
34114         for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
34115                 dtp = phba->slow_ring_trc + i;
34116 @@ -635,14 +635,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport 
34117                 !vport || !vport->disc_trc)
34118                 return;
34119  
34120 -       index = atomic_inc_return(&vport->disc_trc_cnt) &
34121 +       index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
34122                 (lpfc_debugfs_max_disc_trc - 1);
34123         dtp = vport->disc_trc + index;
34124         dtp->fmt = fmt;
34125         dtp->data1 = data1;
34126         dtp->data2 = data2;
34127         dtp->data3 = data3;
34128 -       dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
34129 +       dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
34130         dtp->jif = jiffies;
34131  #endif
34132         return;
34133 @@ -673,14 +673,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
34134                 !phba || !phba->slow_ring_trc)
34135                 return;
34136  
34137 -       index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
34138 +       index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
34139                 (lpfc_debugfs_max_slow_ring_trc - 1);
34140         dtp = phba->slow_ring_trc + index;
34141         dtp->fmt = fmt;
34142         dtp->data1 = data1;
34143         dtp->data2 = data2;
34144         dtp->data3 = data3;
34145 -       dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
34146 +       dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
34147         dtp->jif = jiffies;
34148  #endif
34149         return;
34150 @@ -3828,7 +3828,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
34151                                                  "slow_ring buffer\n");
34152                                 goto debug_failed;
34153                         }
34154 -                       atomic_set(&phba->slow_ring_trc_cnt, 0);
34155 +                       atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
34156                         memset(phba->slow_ring_trc, 0,
34157                                 (sizeof(struct lpfc_debugfs_trc) *
34158                                 lpfc_debugfs_max_slow_ring_trc));
34159 @@ -3874,7 +3874,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
34160                                  "buffer\n");
34161                 goto debug_failed;
34162         }
34163 -       atomic_set(&vport->disc_trc_cnt, 0);
34164 +       atomic_set_unchecked(&vport->disc_trc_cnt, 0);
34165  
34166         snprintf(name, sizeof(name), "discovery_trace");
34167         vport->debug_disc_trc =
34168 diff -urNp linux-3.1.1/drivers/scsi/lpfc/lpfc.h linux-3.1.1/drivers/scsi/lpfc/lpfc.h
34169 --- linux-3.1.1/drivers/scsi/lpfc/lpfc.h        2011-11-11 15:19:27.000000000 -0500
34170 +++ linux-3.1.1/drivers/scsi/lpfc/lpfc.h        2011-11-16 18:39:07.000000000 -0500
34171 @@ -425,7 +425,7 @@ struct lpfc_vport {
34172         struct dentry *debug_nodelist;
34173         struct dentry *vport_debugfs_root;
34174         struct lpfc_debugfs_trc *disc_trc;
34175 -       atomic_t disc_trc_cnt;
34176 +       atomic_unchecked_t disc_trc_cnt;
34177  #endif
34178         uint8_t stat_data_enabled;
34179         uint8_t stat_data_blocked;
34180 @@ -835,8 +835,8 @@ struct lpfc_hba {
34181         struct timer_list fabric_block_timer;
34182         unsigned long bit_flags;
34183  #define        FABRIC_COMANDS_BLOCKED  0
34184 -       atomic_t num_rsrc_err;
34185 -       atomic_t num_cmd_success;
34186 +       atomic_unchecked_t num_rsrc_err;
34187 +       atomic_unchecked_t num_cmd_success;
34188         unsigned long last_rsrc_error_time;
34189         unsigned long last_ramp_down_time;
34190         unsigned long last_ramp_up_time;
34191 @@ -850,7 +850,7 @@ struct lpfc_hba {
34192         struct dentry *debug_dumpDif;    /* BlockGuard BPL*/
34193         struct dentry *debug_slow_ring_trc;
34194         struct lpfc_debugfs_trc *slow_ring_trc;
34195 -       atomic_t slow_ring_trc_cnt;
34196 +       atomic_unchecked_t slow_ring_trc_cnt;
34197         /* iDiag debugfs sub-directory */
34198         struct dentry *idiag_root;
34199         struct dentry *idiag_pci_cfg;
34200 diff -urNp linux-3.1.1/drivers/scsi/lpfc/lpfc_init.c linux-3.1.1/drivers/scsi/lpfc/lpfc_init.c
34201 --- linux-3.1.1/drivers/scsi/lpfc/lpfc_init.c   2011-11-11 15:19:27.000000000 -0500
34202 +++ linux-3.1.1/drivers/scsi/lpfc/lpfc_init.c   2011-11-16 18:39:07.000000000 -0500
34203 @@ -9969,8 +9969,10 @@ lpfc_init(void)
34204         printk(LPFC_COPYRIGHT "\n");
34205  
34206         if (lpfc_enable_npiv) {
34207 -               lpfc_transport_functions.vport_create = lpfc_vport_create;
34208 -               lpfc_transport_functions.vport_delete = lpfc_vport_delete;
34209 +               pax_open_kernel();
34210 +               *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
34211 +               *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
34212 +               pax_close_kernel();
34213         }
34214         lpfc_transport_template =
34215                                 fc_attach_transport(&lpfc_transport_functions);
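Review bot: `*(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;` discards the function-pointer type, so a signature mismatch between lpfc_vport_create and the vport_create member would no longer be diagnosed by the compiler; the cast exists only to write through the constified template, and that should be said next to the pax_open_kernel() call, e.g. `/* template is const (rodata): open a write window and cast the qualifier away */`. The vport_delete line has the same issue. lpfc_init's body continues outside the hunk.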
34216 diff -urNp linux-3.1.1/drivers/scsi/lpfc/lpfc_scsi.c linux-3.1.1/drivers/scsi/lpfc/lpfc_scsi.c
34217 --- linux-3.1.1/drivers/scsi/lpfc/lpfc_scsi.c   2011-11-11 15:19:27.000000000 -0500
34218 +++ linux-3.1.1/drivers/scsi/lpfc/lpfc_scsi.c   2011-11-16 18:39:07.000000000 -0500
34219 @@ -297,7 +297,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
34220         uint32_t evt_posted;
34221  
34222         spin_lock_irqsave(&phba->hbalock, flags);
34223 -       atomic_inc(&phba->num_rsrc_err);
34224 +       atomic_inc_unchecked(&phba->num_rsrc_err);
34225         phba->last_rsrc_error_time = jiffies;
34226  
34227         if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
34228 @@ -338,7 +338,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
34229         unsigned long flags;
34230         struct lpfc_hba *phba = vport->phba;
34231         uint32_t evt_posted;
34232 -       atomic_inc(&phba->num_cmd_success);
34233 +       atomic_inc_unchecked(&phba->num_cmd_success);
34234  
34235         if (vport->cfg_lun_queue_depth <= queue_depth)
34236                 return;
34237 @@ -382,8 +382,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
34238         unsigned long num_rsrc_err, num_cmd_success;
34239         int i;
34240  
34241 -       num_rsrc_err = atomic_read(&phba->num_rsrc_err);
34242 -       num_cmd_success = atomic_read(&phba->num_cmd_success);
34243 +       num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
34244 +       num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
34245  
34246         vports = lpfc_create_vport_work_array(phba);
34247         if (vports != NULL)
34248 @@ -403,8 +403,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
34249                         }
34250                 }
34251         lpfc_destroy_vport_work_array(phba, vports);
34252 -       atomic_set(&phba->num_rsrc_err, 0);
34253 -       atomic_set(&phba->num_cmd_success, 0);
34254 +       atomic_set_unchecked(&phba->num_rsrc_err, 0);
34255 +       atomic_set_unchecked(&phba->num_cmd_success, 0);
34256  }
34257  
34258  /**
34259 @@ -438,8 +438,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
34260                         }
34261                 }
34262         lpfc_destroy_vport_work_array(phba, vports);
34263 -       atomic_set(&phba->num_rsrc_err, 0);
34264 -       atomic_set(&phba->num_cmd_success, 0);
34265 +       atomic_set_unchecked(&phba->num_rsrc_err, 0);
34266 +       atomic_set_unchecked(&phba->num_cmd_success, 0);
34267  }
34268  
34269  /**
34270 diff -urNp linux-3.1.1/drivers/scsi/megaraid/megaraid_mbox.c linux-3.1.1/drivers/scsi/megaraid/megaraid_mbox.c
34271 --- linux-3.1.1/drivers/scsi/megaraid/megaraid_mbox.c   2011-11-11 15:19:27.000000000 -0500
34272 +++ linux-3.1.1/drivers/scsi/megaraid/megaraid_mbox.c   2011-11-16 18:40:22.000000000 -0500
34273 @@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
34274         int             rval;
34275         int             i;
34276  
34277 +       pax_track_stack();
34278 +
34279         // Allocate memory for the base list of scb for management module.
34280         adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
34281  
34282 diff -urNp linux-3.1.1/drivers/scsi/osd/osd_initiator.c linux-3.1.1/drivers/scsi/osd/osd_initiator.c
34283 --- linux-3.1.1/drivers/scsi/osd/osd_initiator.c        2011-11-11 15:19:27.000000000 -0500
34284 +++ linux-3.1.1/drivers/scsi/osd/osd_initiator.c        2011-11-16 18:40:22.000000000 -0500
34285 @@ -97,6 +97,8 @@ static int _osd_get_print_system_info(st
34286         int nelem = ARRAY_SIZE(get_attrs), a = 0;
34287         int ret;
34288  
34289 +       pax_track_stack();
34290 +
34291         or = osd_start_request(od, GFP_KERNEL);
34292         if (!or)
34293                 return -ENOMEM;
34294 diff -urNp linux-3.1.1/drivers/scsi/pmcraid.c linux-3.1.1/drivers/scsi/pmcraid.c
34295 --- linux-3.1.1/drivers/scsi/pmcraid.c  2011-11-11 15:19:27.000000000 -0500
34296 +++ linux-3.1.1/drivers/scsi/pmcraid.c  2011-11-16 18:39:07.000000000 -0500
34297 @@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
34298                 res->scsi_dev = scsi_dev;
34299                 scsi_dev->hostdata = res;
34300                 res->change_detected = 0;
34301 -               atomic_set(&res->read_failures, 0);
34302 -               atomic_set(&res->write_failures, 0);
34303 +               atomic_set_unchecked(&res->read_failures, 0);
34304 +               atomic_set_unchecked(&res->write_failures, 0);
34305                 rc = 0;
34306         }
34307         spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
34308 @@ -2677,9 +2677,9 @@ static int pmcraid_error_handler(struct 
34309  
34310         /* If this was a SCSI read/write command keep count of errors */
34311         if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
34312 -               atomic_inc(&res->read_failures);
34313 +               atomic_inc_unchecked(&res->read_failures);
34314         else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
34315 -               atomic_inc(&res->write_failures);
34316 +               atomic_inc_unchecked(&res->write_failures);
34317  
34318         if (!RES_IS_GSCSI(res->cfg_entry) &&
34319                 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
34320 @@ -3535,7 +3535,7 @@ static int pmcraid_queuecommand_lck(
34321          * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
34322          * hrrq_id assigned here in queuecommand
34323          */
34324 -       ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
34325 +       ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
34326                           pinstance->num_hrrq;
34327         cmd->cmd_done = pmcraid_io_done;
34328  
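Review bot: `atomic_add_return_unchecked()` still returns a signed `int`, so once `last_message_id` passes INT_MAX — the wrap this hunk now explicitly tolerates by opting out of overflow checking — the `%` on the changed line produces a negative remainder and `ioarcb->hrrq_id` is no longer a valid HRRQ index; the identical expression is changed the same way in the `pmcraid_ioctl_passthrough` hunk at `@@ -3860`. Casting before the modulo keeps the intended wrap-around semantics in both places: `ioarcb->hrrq_id = (unsigned int)atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %` with the existing `pinstance->num_hrrq;` continuation. The declared type of `hrrq_id` is not visible here, so whether a negative value is truncated or stored as-is cannot be confirmed from the hunk; the enclosing function starts and ends outside it.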
34329 @@ -3860,7 +3860,7 @@ static long pmcraid_ioctl_passthrough(
34330          * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
34331          * hrrq_id assigned here in queuecommand
34332          */
34333 -       ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
34334 +       ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
34335                           pinstance->num_hrrq;
34336  
34337         if (request_size) {
34338 @@ -4498,7 +4498,7 @@ static void pmcraid_worker_function(stru
34339  
34340         pinstance = container_of(workp, struct pmcraid_instance, worker_q);
34341         /* add resources only after host is added into system */
34342 -       if (!atomic_read(&pinstance->expose_resources))
34343 +       if (!atomic_read_unchecked(&pinstance->expose_resources))
34344                 return;
34345  
34346         fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
34347 @@ -5332,8 +5332,8 @@ static int __devinit pmcraid_init_instan
34348         init_waitqueue_head(&pinstance->reset_wait_q);
34349  
34350         atomic_set(&pinstance->outstanding_cmds, 0);
34351 -       atomic_set(&pinstance->last_message_id, 0);
34352 -       atomic_set(&pinstance->expose_resources, 0);
34353 +       atomic_set_unchecked(&pinstance->last_message_id, 0);
34354 +       atomic_set_unchecked(&pinstance->expose_resources, 0);
34355  
34356         INIT_LIST_HEAD(&pinstance->free_res_q);
34357         INIT_LIST_HEAD(&pinstance->used_res_q);
34358 @@ -6048,7 +6048,7 @@ static int __devinit pmcraid_probe(
34359         /* Schedule worker thread to handle CCN and take care of adding and
34360          * removing devices to OS
34361          */
34362 -       atomic_set(&pinstance->expose_resources, 1);
34363 +       atomic_set_unchecked(&pinstance->expose_resources, 1);
34364         schedule_work(&pinstance->worker_q);
34365         return rc;
34366  
34367 diff -urNp linux-3.1.1/drivers/scsi/pmcraid.h linux-3.1.1/drivers/scsi/pmcraid.h
34368 --- linux-3.1.1/drivers/scsi/pmcraid.h  2011-11-11 15:19:27.000000000 -0500
34369 +++ linux-3.1.1/drivers/scsi/pmcraid.h  2011-11-16 18:39:07.000000000 -0500
34370 @@ -749,7 +749,7 @@ struct pmcraid_instance {
34371         struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
34372  
34373         /* Message id as filled in last fired IOARCB, used to identify HRRQ */
34374 -       atomic_t last_message_id;
34375 +       atomic_unchecked_t last_message_id;
34376  
34377         /* configuration table */
34378         struct pmcraid_config_table *cfg_table;
34379 @@ -778,7 +778,7 @@ struct pmcraid_instance {
34380         atomic_t outstanding_cmds;
34381  
34382         /* should add/delete resources to mid-layer now ?*/
34383 -       atomic_t expose_resources;
34384 +       atomic_unchecked_t expose_resources;
34385  
34386  
34387  
34388 @@ -814,8 +814,8 @@ struct pmcraid_resource_entry {
34389                 struct pmcraid_config_table_entry_ext cfg_entry_ext;
34390         };
34391         struct scsi_device *scsi_dev;   /* Link scsi_device structure */
34392 -       atomic_t read_failures;         /* count of failed READ commands */
34393 -       atomic_t write_failures;        /* count of failed WRITE commands */
34394 +       atomic_unchecked_t read_failures;       /* count of failed READ commands */
34395 +       atomic_unchecked_t write_failures;      /* count of failed WRITE commands */
34396  
34397         /* To indicate add/delete/modify during CCN */
34398         u8 change_detected;
34399 diff -urNp linux-3.1.1/drivers/scsi/qla2xxx/qla_def.h linux-3.1.1/drivers/scsi/qla2xxx/qla_def.h
34400 --- linux-3.1.1/drivers/scsi/qla2xxx/qla_def.h  2011-11-11 15:19:27.000000000 -0500
34401 +++ linux-3.1.1/drivers/scsi/qla2xxx/qla_def.h  2011-11-16 18:39:07.000000000 -0500
34402 @@ -2244,7 +2244,7 @@ struct isp_operations {
34403         int (*get_flash_version) (struct scsi_qla_host *, void *);
34404         int (*start_scsi) (srb_t *);
34405         int (*abort_isp) (struct scsi_qla_host *);
34406 -};
34407 +} __no_const;
34408  
34409  /* MSI-X Support *************************************************************/
34410  
34411 diff -urNp linux-3.1.1/drivers/scsi/qla4xxx/ql4_def.h linux-3.1.1/drivers/scsi/qla4xxx/ql4_def.h
34412 --- linux-3.1.1/drivers/scsi/qla4xxx/ql4_def.h  2011-11-11 15:19:27.000000000 -0500
34413 +++ linux-3.1.1/drivers/scsi/qla4xxx/ql4_def.h  2011-11-16 18:39:07.000000000 -0500
34414 @@ -256,7 +256,7 @@ struct ddb_entry {
34415         atomic_t retry_relogin_timer; /* Min Time between relogins
34416                                        * (4000 only) */
34417         atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
34418 -       atomic_t relogin_retry_count; /* Num of times relogin has been
34419 +       atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
34420                                        * retried */
34421  
34422         uint16_t port;
34423 diff -urNp linux-3.1.1/drivers/scsi/qla4xxx/ql4_init.c linux-3.1.1/drivers/scsi/qla4xxx/ql4_init.c
34424 --- linux-3.1.1/drivers/scsi/qla4xxx/ql4_init.c 2011-11-11 15:19:27.000000000 -0500
34425 +++ linux-3.1.1/drivers/scsi/qla4xxx/ql4_init.c 2011-11-16 18:39:07.000000000 -0500
34426 @@ -680,7 +680,7 @@ static struct ddb_entry * qla4xxx_alloc_
34427         ddb_entry->fw_ddb_index = fw_ddb_index;
34428         atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
34429         atomic_set(&ddb_entry->relogin_timer, 0);
34430 -       atomic_set(&ddb_entry->relogin_retry_count, 0);
34431 +       atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
34432         atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
34433         list_add_tail(&ddb_entry->list, &ha->ddb_list);
34434         ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
34435 @@ -1433,7 +1433,7 @@ int qla4xxx_process_ddb_changed(struct s
34436         if ((ddb_entry->fw_ddb_device_state == DDB_DS_SESSION_ACTIVE) &&
34437            (atomic_read(&ddb_entry->state) != DDB_STATE_ONLINE)) {
34438                 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
34439 -               atomic_set(&ddb_entry->relogin_retry_count, 0);
34440 +               atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
34441                 atomic_set(&ddb_entry->relogin_timer, 0);
34442                 clear_bit(DF_RELOGIN, &ddb_entry->flags);
34443                 iscsi_unblock_session(ddb_entry->sess);
34444 diff -urNp linux-3.1.1/drivers/scsi/qla4xxx/ql4_os.c linux-3.1.1/drivers/scsi/qla4xxx/ql4_os.c
34445 --- linux-3.1.1/drivers/scsi/qla4xxx/ql4_os.c   2011-11-11 15:19:27.000000000 -0500
34446 +++ linux-3.1.1/drivers/scsi/qla4xxx/ql4_os.c   2011-11-16 18:39:07.000000000 -0500
34447 @@ -811,13 +811,13 @@ static void qla4xxx_timer(struct scsi_ql
34448                             ddb_entry->fw_ddb_device_state ==
34449                             DDB_DS_SESSION_FAILED) {
34450                                 /* Reset retry relogin timer */
34451 -                               atomic_inc(&ddb_entry->relogin_retry_count);
34452 +                               atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
34453                                 DEBUG2(printk("scsi%ld: ddb [%d] relogin"
34454                                               " timed out-retrying"
34455                                               " relogin (%d)\n",
34456                                               ha->host_no,
34457                                               ddb_entry->fw_ddb_index,
34458 -                                             atomic_read(&ddb_entry->
34459 +                                             atomic_read_unchecked(&ddb_entry->
34460                                                           relogin_retry_count))
34461                                         );
34462                                 start_dpc++;
34463 diff -urNp linux-3.1.1/drivers/scsi/scsi.c linux-3.1.1/drivers/scsi/scsi.c
34464 --- linux-3.1.1/drivers/scsi/scsi.c     2011-11-11 15:19:27.000000000 -0500
34465 +++ linux-3.1.1/drivers/scsi/scsi.c     2011-11-16 18:39:07.000000000 -0500
34466 @@ -655,7 +655,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
34467         unsigned long timeout;
34468         int rtn = 0;
34469  
34470 -       atomic_inc(&cmd->device->iorequest_cnt);
34471 +       atomic_inc_unchecked(&cmd->device->iorequest_cnt);
34472  
34473         /* check if the device is still usable */
34474         if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
34475 diff -urNp linux-3.1.1/drivers/scsi/scsi_debug.c linux-3.1.1/drivers/scsi/scsi_debug.c
34476 --- linux-3.1.1/drivers/scsi/scsi_debug.c       2011-11-11 15:19:27.000000000 -0500
34477 +++ linux-3.1.1/drivers/scsi/scsi_debug.c       2011-11-16 18:40:22.000000000 -0500
34478 @@ -1493,6 +1493,8 @@ static int resp_mode_select(struct scsi_
34479         unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
34480         unsigned char *cmd = (unsigned char *)scp->cmnd;
34481  
34482 +       pax_track_stack();
34483 +
34484         if ((errsts = check_readiness(scp, 1, devip)))
34485                 return errsts;
34486         memset(arr, 0, sizeof(arr));
34487 @@ -1590,6 +1592,8 @@ static int resp_log_sense(struct scsi_cm
34488         unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
34489         unsigned char *cmd = (unsigned char *)scp->cmnd;
34490  
34491 +       pax_track_stack();
34492 +
34493         if ((errsts = check_readiness(scp, 1, devip)))
34494                 return errsts;
34495         memset(arr, 0, sizeof(arr));
34496 diff -urNp linux-3.1.1/drivers/scsi/scsi_lib.c linux-3.1.1/drivers/scsi/scsi_lib.c
34497 --- linux-3.1.1/drivers/scsi/scsi_lib.c 2011-11-11 15:19:27.000000000 -0500
34498 +++ linux-3.1.1/drivers/scsi/scsi_lib.c 2011-11-16 18:39:07.000000000 -0500
34499 @@ -1413,7 +1413,7 @@ static void scsi_kill_request(struct req
34500         shost = sdev->host;
34501         scsi_init_cmd_errh(cmd);
34502         cmd->result = DID_NO_CONNECT << 16;
34503 -       atomic_inc(&cmd->device->iorequest_cnt);
34504 +       atomic_inc_unchecked(&cmd->device->iorequest_cnt);
34505  
34506         /*
34507          * SCSI request completion path will do scsi_device_unbusy(),
34508 @@ -1439,9 +1439,9 @@ static void scsi_softirq_done(struct req
34509  
34510         INIT_LIST_HEAD(&cmd->eh_entry);
34511  
34512 -       atomic_inc(&cmd->device->iodone_cnt);
34513 +       atomic_inc_unchecked(&cmd->device->iodone_cnt);
34514         if (cmd->result)
34515 -               atomic_inc(&cmd->device->ioerr_cnt);
34516 +               atomic_inc_unchecked(&cmd->device->ioerr_cnt);
34517  
34518         disposition = scsi_decide_disposition(cmd);
34519         if (disposition != SUCCESS &&
34520 diff -urNp linux-3.1.1/drivers/scsi/scsi_sysfs.c linux-3.1.1/drivers/scsi/scsi_sysfs.c
34521 --- linux-3.1.1/drivers/scsi/scsi_sysfs.c       2011-11-11 15:19:27.000000000 -0500
34522 +++ linux-3.1.1/drivers/scsi/scsi_sysfs.c       2011-11-16 18:39:07.000000000 -0500
34523 @@ -622,7 +622,7 @@ show_iostat_##field(struct device *dev, 
34524                     char *buf)                                          \
34525  {                                                                      \
34526         struct scsi_device *sdev = to_scsi_device(dev);                 \
34527 -       unsigned long long count = atomic_read(&sdev->field);           \
34528 +       unsigned long long count = atomic_read_unchecked(&sdev->field); \
34529         return snprintf(buf, 20, "0x%llx\n", count);                    \
34530  }                                                                      \
34531  static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
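Review bot: `atomic_read_unchecked()` returns an `int`, so once one of these counters wraps negative — the case the unchecked opt-out now explicitly allows — the widening to `unsigned long long` on the changed line sign-extends it and sysfs prints something like `0xffffffff80000000` instead of a 32-bit wrapped count. Going through `unsigned int` first keeps the reported value within 32 bits: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field); \`. This sits inside a multi-line macro whose definition begins before the hunk.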
34532 diff -urNp linux-3.1.1/drivers/scsi/scsi_tgt_lib.c linux-3.1.1/drivers/scsi/scsi_tgt_lib.c
34533 --- linux-3.1.1/drivers/scsi/scsi_tgt_lib.c     2011-11-11 15:19:27.000000000 -0500
34534 +++ linux-3.1.1/drivers/scsi/scsi_tgt_lib.c     2011-11-16 18:39:07.000000000 -0500
34535 @@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct sc
34536         int err;
34537  
34538         dprintk("%lx %u\n", uaddr, len);
34539 -       err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
34540 +       err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
34541         if (err) {
34542                 /*
34543                  * TODO: need to fixup sg_tablesize, max_segment_size,
34544 diff -urNp linux-3.1.1/drivers/scsi/scsi_transport_fc.c linux-3.1.1/drivers/scsi/scsi_transport_fc.c
34545 --- linux-3.1.1/drivers/scsi/scsi_transport_fc.c        2011-11-11 15:19:27.000000000 -0500
34546 +++ linux-3.1.1/drivers/scsi/scsi_transport_fc.c        2011-11-16 18:39:07.000000000 -0500
34547 @@ -484,7 +484,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_
34548   * Netlink Infrastructure
34549   */
34550  
34551 -static atomic_t fc_event_seq;
34552 +static atomic_unchecked_t fc_event_seq;
34553  
34554  /**
34555   * fc_get_event_number - Obtain the next sequential FC event number
34556 @@ -497,7 +497,7 @@ static atomic_t fc_event_seq;
34557  u32
34558  fc_get_event_number(void)
34559  {
34560 -       return atomic_add_return(1, &fc_event_seq);
34561 +       return atomic_add_return_unchecked(1, &fc_event_seq);
34562  }
34563  EXPORT_SYMBOL(fc_get_event_number);
34564  
34565 @@ -645,7 +645,7 @@ static __init int fc_transport_init(void
34566  {
34567         int error;
34568  
34569 -       atomic_set(&fc_event_seq, 0);
34570 +       atomic_set_unchecked(&fc_event_seq, 0);
34571  
34572         error = transport_class_register(&fc_host_class);
34573         if (error)
34574 @@ -835,7 +835,7 @@ static int fc_str_to_dev_loss(const char
34575         char *cp;
34576  
34577         *val = simple_strtoul(buf, &cp, 0);
34578 -       if ((*cp && (*cp != '\n')) || (*val < 0))
34579 +       if (*cp && (*cp != '\n'))
34580                 return -EINVAL;
34581         /*
34582          * Check for overflow; dev_loss_tmo is u32
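Review bot: Dropping `(*val < 0)` is only a pure cleanup if `val` points to an unsigned type; the comment two lines below says the value is range-checked against a u32, which suggests it does, but the function signature is outside the hunk and cannot be confirmed here. If it is `unsigned long *`, a short comment on the changed line would keep the dead check from being re-added later, e.g. `/* *val is unsigned; only non-digit trailing input makes it invalid */`. The enclosing function continues past the end of the hunk.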
34583 diff -urNp linux-3.1.1/drivers/scsi/scsi_transport_iscsi.c linux-3.1.1/drivers/scsi/scsi_transport_iscsi.c
34584 --- linux-3.1.1/drivers/scsi/scsi_transport_iscsi.c     2011-11-11 15:19:27.000000000 -0500
34585 +++ linux-3.1.1/drivers/scsi/scsi_transport_iscsi.c     2011-11-16 18:39:07.000000000 -0500
34586 @@ -83,7 +83,7 @@ struct iscsi_internal {
34587         struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
34588  };
34589  
34590 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
34591 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
34592  static struct workqueue_struct *iscsi_eh_timer_workq;
34593  
34594  /*
34595 @@ -761,7 +761,7 @@ int iscsi_add_session(struct iscsi_cls_s
34596         int err;
34597  
34598         ihost = shost->shost_data;
34599 -       session->sid = atomic_add_return(1, &iscsi_session_nr);
34600 +       session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
34601  
34602         if (id == ISCSI_MAX_TARGET) {
34603                 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
34604 @@ -2200,7 +2200,7 @@ static __init int iscsi_transport_init(v
34605         printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
34606                 ISCSI_TRANSPORT_VERSION);
34607  
34608 -       atomic_set(&iscsi_session_nr, 0);
34609 +       atomic_set_unchecked(&iscsi_session_nr, 0);
34610  
34611         err = class_register(&iscsi_transport_class);
34612         if (err)
34613 diff -urNp linux-3.1.1/drivers/scsi/scsi_transport_srp.c linux-3.1.1/drivers/scsi/scsi_transport_srp.c
34614 --- linux-3.1.1/drivers/scsi/scsi_transport_srp.c       2011-11-11 15:19:27.000000000 -0500
34615 +++ linux-3.1.1/drivers/scsi/scsi_transport_srp.c       2011-11-16 18:39:07.000000000 -0500
34616 @@ -33,7 +33,7 @@
34617  #include "scsi_transport_srp_internal.h"
34618  
34619  struct srp_host_attrs {
34620 -       atomic_t next_port_id;
34621 +       atomic_unchecked_t next_port_id;
34622  };
34623  #define to_srp_host_attrs(host)        ((struct srp_host_attrs *)(host)->shost_data)
34624  
34625 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
34626         struct Scsi_Host *shost = dev_to_shost(dev);
34627         struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
34628  
34629 -       atomic_set(&srp_host->next_port_id, 0);
34630 +       atomic_set_unchecked(&srp_host->next_port_id, 0);
34631         return 0;
34632  }
34633  
34634 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
34635         memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
34636         rport->roles = ids->roles;
34637  
34638 -       id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
34639 +       id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
34640         dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
34641  
34642         transport_setup_device(&rport->dev);
34643 diff -urNp linux-3.1.1/drivers/scsi/sg.c linux-3.1.1/drivers/scsi/sg.c
34644 --- linux-3.1.1/drivers/scsi/sg.c       2011-11-11 15:19:27.000000000 -0500
34645 +++ linux-3.1.1/drivers/scsi/sg.c       2011-11-16 18:39:07.000000000 -0500
34646 @@ -1075,7 +1075,7 @@ sg_ioctl(struct file *filp, unsigned int
34647                                        sdp->disk->disk_name,
34648                                        MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
34649                                        NULL,
34650 -                                      (char *)arg);
34651 +                                      (char __user *)arg);
34652         case BLKTRACESTART:
34653                 return blk_trace_startstop(sdp->device->request_queue, 1);
34654         case BLKTRACESTOP:
34655 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
34656         const struct file_operations * fops;
34657  };
34658  
34659 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
34660 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
34661         {"allow_dio", &adio_fops},
34662         {"debug", &debug_fops},
34663         {"def_reserved_size", &dressz_fops},
34664 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
34665  {
34666         int k, mask;
34667         int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
34668 -       struct sg_proc_leaf * leaf;
34669 +       const struct sg_proc_leaf * leaf;
34670  
34671         sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
34672         if (!sg_proc_sgp)
34673 diff -urNp linux-3.1.1/drivers/scsi/sym53c8xx_2/sym_glue.c linux-3.1.1/drivers/scsi/sym53c8xx_2/sym_glue.c
34674 --- linux-3.1.1/drivers/scsi/sym53c8xx_2/sym_glue.c     2011-11-11 15:19:27.000000000 -0500
34675 +++ linux-3.1.1/drivers/scsi/sym53c8xx_2/sym_glue.c     2011-11-16 18:40:22.000000000 -0500
34676 @@ -1756,6 +1756,8 @@ static int __devinit sym2_probe(struct p
34677         int do_iounmap = 0;
34678         int do_disable_device = 1;
34679  
34680 +       pax_track_stack();
34681 +
34682         memset(&sym_dev, 0, sizeof(sym_dev));
34683         memset(&nvram, 0, sizeof(nvram));
34684         sym_dev.pdev = pdev;
34685 diff -urNp linux-3.1.1/drivers/scsi/vmw_pvscsi.c linux-3.1.1/drivers/scsi/vmw_pvscsi.c
34686 --- linux-3.1.1/drivers/scsi/vmw_pvscsi.c       2011-11-11 15:19:27.000000000 -0500
34687 +++ linux-3.1.1/drivers/scsi/vmw_pvscsi.c       2011-11-16 18:40:22.000000000 -0500
34688 @@ -447,6 +447,8 @@ static void pvscsi_setup_all_rings(const
34689         dma_addr_t base;
34690         unsigned i;
34691  
34692 +       pax_track_stack();
34693 +
34694         cmd.ringsStatePPN   = adapter->ringStatePA >> PAGE_SHIFT;
34695         cmd.reqRingNumPages = adapter->req_pages;
34696         cmd.cmpRingNumPages = adapter->cmp_pages;
34697 diff -urNp linux-3.1.1/drivers/spi/spi.c linux-3.1.1/drivers/spi/spi.c
34698 --- linux-3.1.1/drivers/spi/spi.c       2011-11-11 15:19:27.000000000 -0500
34699 +++ linux-3.1.1/drivers/spi/spi.c       2011-11-16 18:39:07.000000000 -0500
34700 @@ -1023,7 +1023,7 @@ int spi_bus_unlock(struct spi_master *ma
34701  EXPORT_SYMBOL_GPL(spi_bus_unlock);
34702  
34703  /* portable code must never pass more than 32 bytes */
34704 -#define        SPI_BUFSIZ      max(32,SMP_CACHE_BYTES)
34705 +#define        SPI_BUFSIZ      max(32UL,SMP_CACHE_BYTES)
34706  
34707  static u8      *buf;
34708  
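Review bot: The kernel's `max()` requires both operands to have the same type, so `max(32UL, SMP_CACHE_BYTES)` only compiles cleanly on architectures where `SMP_CACHE_BYTES` expands to an `unsigned long`; where it is a plain `int` constant the macro's type check fires. `max_t(unsigned long, 32, SMP_CACHE_BYTES)` produces the same `unsigned long` result independent of the per-arch definition, which seems to be what the `32UL` change is after.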
34709 diff -urNp linux-3.1.1/drivers/spi/spi-dw-pci.c linux-3.1.1/drivers/spi/spi-dw-pci.c
34710 --- linux-3.1.1/drivers/spi/spi-dw-pci.c        2011-11-11 15:19:27.000000000 -0500
34711 +++ linux-3.1.1/drivers/spi/spi-dw-pci.c        2011-11-16 18:39:07.000000000 -0500
34712 @@ -148,7 +148,7 @@ static int spi_resume(struct pci_dev *pd
34713  #define spi_resume     NULL
34714  #endif
34715  
34716 -static const struct pci_device_id pci_ids[] __devinitdata = {
34717 +static const struct pci_device_id pci_ids[] __devinitconst = {
34718         /* Intel MID platform SPI controller 0 */
34719         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0800) },
34720         {},
34721 diff -urNp linux-3.1.1/drivers/staging/ath6kl/os/linux/ar6000_drv.c linux-3.1.1/drivers/staging/ath6kl/os/linux/ar6000_drv.c
34722 --- linux-3.1.1/drivers/staging/ath6kl/os/linux/ar6000_drv.c    2011-11-11 15:19:27.000000000 -0500
34723 +++ linux-3.1.1/drivers/staging/ath6kl/os/linux/ar6000_drv.c    2011-11-16 18:39:07.000000000 -0500
34724 @@ -362,7 +362,7 @@ static struct ar_cookie s_ar_cookie_mem[
34725          (((ar)->arTargetType == TARGET_TYPE_AR6003) ? AR6003_HOST_INTEREST_ITEM_ADDRESS(item) : 0))
34726  
34727  
34728 -static struct net_device_ops ar6000_netdev_ops = {
34729 +static net_device_ops_no_const ar6000_netdev_ops = {
34730      .ndo_init               = NULL,
34731      .ndo_open               = ar6000_open,
34732      .ndo_stop               = ar6000_close,
34733 diff -urNp linux-3.1.1/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h linux-3.1.1/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h
34734 --- linux-3.1.1/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h      2011-11-11 15:19:27.000000000 -0500
34735 +++ linux-3.1.1/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h      2011-11-16 18:39:07.000000000 -0500
34736 @@ -30,7 +30,7 @@ typedef bool (*ar6k_pal_recv_pkt_t)(void
34737  typedef struct ar6k_pal_config_s
34738  {
34739         ar6k_pal_recv_pkt_t fpar6k_pal_recv_pkt;
34740 -}ar6k_pal_config_t;
34741 +} __no_const ar6k_pal_config_t;
34742  
34743  void register_pal_cb(ar6k_pal_config_t *palConfig_p);
34744  #endif /* _AR6K_PAL_H_ */
34745 diff -urNp linux-3.1.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-3.1.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
34746 --- linux-3.1.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c  2011-11-11 15:19:27.000000000 -0500
34747 +++ linux-3.1.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c  2011-11-16 18:39:07.000000000 -0500
34748 @@ -451,14 +451,14 @@ static void brcmf_op_if(struct brcmf_if 
34749                         free_netdev(ifp->net);
34750                 }
34751                 /* Allocate etherdev, including space for private structure */
34752 -               ifp->net = alloc_etherdev(sizeof(drvr_priv));
34753 +               ifp->net = alloc_etherdev(sizeof(*drvr_priv));
34754                 if (!ifp->net) {
34755                         BRCMF_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
34756                         ret = -ENOMEM;
34757                 }
34758                 if (ret == 0) {
34759                         strcpy(ifp->net->name, ifp->name);
34760 -                       memcpy(netdev_priv(ifp->net), &drvr_priv, sizeof(drvr_priv));
34761 +                       memcpy(netdev_priv(ifp->net), &drvr_priv, sizeof(*drvr_priv));
34762                         err = brcmf_net_attach(&drvr_priv->pub, ifp->idx);
34763                         if (err != 0) {
34764                                 BRCMF_ERROR(("%s: brcmf_net_attach failed, "
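Review bot: The changed `memcpy()` now reads `sizeof(*drvr_priv)` bytes starting at `&drvr_priv`, the address of the pointer variable itself (the next line dereferences `drvr_priv->pub`, so it is a pointer), which over-reads the stack past that pointer unless the pointee happens to be no larger than a pointer; the same memcpy is changed identically in the `@@ -1295` and `@@ -1352` hunks, and the `alloc_etherdev()` sizes here and at `@@ -1279` follow the same choice. The original `sizeof(drvr_priv)` pairing looks deliberate: it stores a pointer to the private struct in the netdev private area, and readers would then fetch it with a `struct ... **` cast — if that is the convention elsewhere in this file, these hunks should be dropped rather than applied. If the intent is instead to embed a copy of the struct, the copy source must be `drvr_priv`, not `&drvr_priv`, and every reader of `netdev_priv()` has to change with it.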
34765 @@ -1279,7 +1279,7 @@ struct brcmf_pub *brcmf_attach(struct br
34766         BRCMF_TRACE(("%s: Enter\n", __func__));
34767  
34768         /* Allocate etherdev, including space for private structure */
34769 -       net = alloc_etherdev(sizeof(drvr_priv));
34770 +       net = alloc_etherdev(sizeof(*drvr_priv));
34771         if (!net) {
34772                 BRCMF_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
34773                 goto fail;
34774 @@ -1295,7 +1295,7 @@ struct brcmf_pub *brcmf_attach(struct br
34775         /*
34776          * Save the brcmf_info into the priv
34777          */
34778 -       memcpy(netdev_priv(net), &drvr_priv, sizeof(drvr_priv));
34779 +       memcpy(netdev_priv(net), &drvr_priv, sizeof(*drvr_priv));
34780  
34781         /* Set network interface name if it was provided as module parameter */
34782         if (iface_name[0]) {
34783 @@ -1352,7 +1352,7 @@ struct brcmf_pub *brcmf_attach(struct br
34784         /*
34785          * Save the brcmf_info into the priv
34786          */
34787 -       memcpy(netdev_priv(net), &drvr_priv, sizeof(drvr_priv));
34788 +       memcpy(netdev_priv(net), &drvr_priv, sizeof(*drvr_priv));
34789  
34790  #if defined(CONFIG_PM_SLEEP)
34791         atomic_set(&brcmf_mmc_suspend, false);
34792 diff -urNp linux-3.1.1/drivers/staging/brcm80211/brcmfmac/sdio_host.h linux-3.1.1/drivers/staging/brcm80211/brcmfmac/sdio_host.h
34793 --- linux-3.1.1/drivers/staging/brcm80211/brcmfmac/sdio_host.h  2011-11-11 15:19:27.000000000 -0500
34794 +++ linux-3.1.1/drivers/staging/brcm80211/brcmfmac/sdio_host.h  2011-11-16 18:39:07.000000000 -0500
34795 @@ -263,7 +263,7 @@ struct brcmf_sdioh_driver {
34796                          u16 func, uint bustype, u32 regsva, void *param);
34797         /* detach from device */
34798         void (*detach) (void *ch);
34799 -};
34800 +} __no_const;
34801  
34802  struct sdioh_info;
34803  
34804 diff -urNp linux-3.1.1/drivers/staging/brcm80211/brcmsmac/phy/phy_int.h linux-3.1.1/drivers/staging/brcm80211/brcmsmac/phy/phy_int.h
34805 --- linux-3.1.1/drivers/staging/brcm80211/brcmsmac/phy/phy_int.h        2011-11-11 15:19:27.000000000 -0500
34806 +++ linux-3.1.1/drivers/staging/brcm80211/brcmsmac/phy/phy_int.h        2011-11-16 18:39:07.000000000 -0500
34807 @@ -591,7 +591,7 @@ struct phy_func_ptr {
34808         initfn_t carrsuppr;
34809         rxsigpwrfn_t rxsigpwr;
34810         detachfn_t detach;
34811 -};
34812 +} __no_const;
34813  
34814  struct brcms_phy {
34815         struct brcms_phy_pub pubpi_ro;
34816 diff -urNp linux-3.1.1/drivers/staging/et131x/et1310_tx.c linux-3.1.1/drivers/staging/et131x/et1310_tx.c
34817 --- linux-3.1.1/drivers/staging/et131x/et1310_tx.c      2011-11-11 15:19:27.000000000 -0500
34818 +++ linux-3.1.1/drivers/staging/et131x/et1310_tx.c      2011-11-16 18:39:07.000000000 -0500
34819 @@ -635,11 +635,11 @@ inline void et131x_free_send_packet(stru
34820         struct net_device_stats *stats = &etdev->net_stats;
34821  
34822         if (tcb->flags & fMP_DEST_BROAD)
34823 -               atomic_inc(&etdev->stats.brdcstxmt);
34824 +               atomic_inc_unchecked(&etdev->stats.brdcstxmt);
34825         else if (tcb->flags & fMP_DEST_MULTI)
34826 -               atomic_inc(&etdev->stats.multixmt);
34827 +               atomic_inc_unchecked(&etdev->stats.multixmt);
34828         else
34829 -               atomic_inc(&etdev->stats.unixmt);
34830 +               atomic_inc_unchecked(&etdev->stats.unixmt);
34831  
34832         if (tcb->skb) {
34833                 stats->tx_bytes += tcb->skb->len;
34834 diff -urNp linux-3.1.1/drivers/staging/et131x/et131x_adapter.h linux-3.1.1/drivers/staging/et131x/et131x_adapter.h
34835 --- linux-3.1.1/drivers/staging/et131x/et131x_adapter.h 2011-11-11 15:19:27.000000000 -0500
34836 +++ linux-3.1.1/drivers/staging/et131x/et131x_adapter.h 2011-11-16 18:39:07.000000000 -0500
34837 @@ -106,11 +106,11 @@ struct ce_stats {
34838          * operations
34839          */
34840         u32 unircv;     /* # multicast packets received */
34841 -       atomic_t unixmt;        /* # multicast packets for Tx */
34842 +       atomic_unchecked_t unixmt;      /* # multicast packets for Tx */
34843         u32 multircv;   /* # multicast packets received */
34844 -       atomic_t multixmt;      /* # multicast packets for Tx */
34845 +       atomic_unchecked_t multixmt;    /* # multicast packets for Tx */
34846         u32 brdcstrcv;  /* # broadcast packets received */
34847 -       atomic_t brdcstxmt;     /* # broadcast packets for Tx */
34848 +       atomic_unchecked_t brdcstxmt;   /* # broadcast packets for Tx */
34849         u32 norcvbuf;   /* # Rx packets discarded */
34850         u32 noxmtbuf;   /* # Tx packets discarded */
34851  
34852 diff -urNp linux-3.1.1/drivers/staging/hv/channel.c linux-3.1.1/drivers/staging/hv/channel.c
34853 --- linux-3.1.1/drivers/staging/hv/channel.c    2011-11-11 15:19:27.000000000 -0500
34854 +++ linux-3.1.1/drivers/staging/hv/channel.c    2011-11-16 18:39:07.000000000 -0500
34855 @@ -447,8 +447,8 @@ int vmbus_establish_gpadl(struct vmbus_c
34856         int ret = 0;
34857         int t;
34858  
34859 -       next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
34860 -       atomic_inc(&vmbus_connection.next_gpadl_handle);
34861 +       next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle);
34862 +       atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle);
34863  
34864         ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
34865         if (ret)
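Review bot: Handle allocation is still a read followed by a separate increment, so two callers entering `vmbus_establish_gpadl()` concurrently can both read the same `next_gpadl_handle` before either increments it; switching both calls to the unchecked variants does not narrow that window. A single returning operation closes it: `next_gpadl_handle = atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle);`. That hands out the post-increment value, so the first handle issued shifts by one relative to the current code; the counter's initial value is set outside this hunk, and the enclosing function starts and ends outside it.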
34866 diff -urNp linux-3.1.1/drivers/staging/hv/hv.c linux-3.1.1/drivers/staging/hv/hv.c
34867 --- linux-3.1.1/drivers/staging/hv/hv.c 2011-11-11 15:19:27.000000000 -0500
34868 +++ linux-3.1.1/drivers/staging/hv/hv.c 2011-11-16 18:39:07.000000000 -0500
34869 @@ -132,7 +132,7 @@ static u64 do_hypercall(u64 control, voi
34870         u64 output_address = (output) ? virt_to_phys(output) : 0;
34871         u32 output_address_hi = output_address >> 32;
34872         u32 output_address_lo = output_address & 0xFFFFFFFF;
34873 -       volatile void *hypercall_page = hv_context.hypercall_page;
34874 +       volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
34875  
34876         __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
34877                               "=a"(hv_status_lo) : "d" (control_hi),
34878 diff -urNp linux-3.1.1/drivers/staging/hv/hv_mouse.c linux-3.1.1/drivers/staging/hv/hv_mouse.c
34879 --- linux-3.1.1/drivers/staging/hv/hv_mouse.c   2011-11-11 15:19:27.000000000 -0500
34880 +++ linux-3.1.1/drivers/staging/hv/hv_mouse.c   2011-11-16 18:39:07.000000000 -0500
34881 @@ -878,8 +878,10 @@ static void reportdesc_callback(struct h
34882         if (hid_dev) {
34883                 DPRINT_INFO(INPUTVSC_DRV, "hid_device created");
34884  
34885 -               hid_dev->ll_driver->open  = mousevsc_hid_open;
34886 -               hid_dev->ll_driver->close = mousevsc_hid_close;
34887 +               pax_open_kernel();
34888 +               *(void **)&hid_dev->ll_driver->open  = mousevsc_hid_open;
34889 +               *(void **)&hid_dev->ll_driver->close = mousevsc_hid_close;
34890 +               pax_close_kernel();
34891  
34892                 hid_dev->bus = BUS_VIRTUAL;
34893                 hid_dev->vendor = input_device_ctx->device_info.vendor;
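Review bot: The two `*(void **)&hid_dev->ll_driver->...` writes cast away const and reach through a pointer whose ownership is not visible in the hunk; whether hid_dev->ll_driver is a per-device object allocated earlier in reportdesc_callback() or a table shared with other HID devices decides whether these assignments also retarget every other device using that ll_driver. If it is per-device heap memory, the pax_open_kernel()/pax_close_kernel() window is unnecessary but harmless; if it is shared, the unsynchronised write is a latent race that predates this commit. A comment settling the question, e.g. `/* ll_driver is this device's own copy; patch the open/close hooks in place */`, would help the next reader. reportdesc_callback() starts and ends outside the hunk.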
34894 diff -urNp linux-3.1.1/drivers/staging/hv/hyperv_vmbus.h linux-3.1.1/drivers/staging/hv/hyperv_vmbus.h
34895 --- linux-3.1.1/drivers/staging/hv/hyperv_vmbus.h       2011-11-11 15:19:27.000000000 -0500
34896 +++ linux-3.1.1/drivers/staging/hv/hyperv_vmbus.h       2011-11-16 18:39:07.000000000 -0500
34897 @@ -559,7 +559,7 @@ enum vmbus_connect_state {
34898  struct vmbus_connection {
34899         enum vmbus_connect_state conn_state;
34900  
34901 -       atomic_t next_gpadl_handle;
34902 +       atomic_unchecked_t next_gpadl_handle;
34903  
34904         /*
34905          * Represents channel interrupts. Each bit position represents a
34906 diff -urNp linux-3.1.1/drivers/staging/hv/rndis_filter.c linux-3.1.1/drivers/staging/hv/rndis_filter.c
34907 --- linux-3.1.1/drivers/staging/hv/rndis_filter.c       2011-11-11 15:19:27.000000000 -0500
34908 +++ linux-3.1.1/drivers/staging/hv/rndis_filter.c       2011-11-16 18:39:07.000000000 -0500
34909 @@ -43,7 +43,7 @@ struct rndis_device {
34910  
34911         enum rndis_device_state state;
34912         u32 link_stat;
34913 -       atomic_t new_req_id;
34914 +       atomic_unchecked_t new_req_id;
34915  
34916         spinlock_t request_lock;
34917         struct list_head req_list;
34918 @@ -117,7 +117,7 @@ static struct rndis_request *get_rndis_r
34919          * template
34920          */
34921         set = &rndis_msg->msg.set_req;
34922 -       set->req_id = atomic_inc_return(&dev->new_req_id);
34923 +       set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
34924  
34925         /* Add to the request list */
34926         spin_lock_irqsave(&dev->request_lock, flags);
34927 @@ -622,7 +622,7 @@ static void rndis_filter_halt_device(str
34928  
34929         /* Setup the rndis set */
34930         halt = &request->request_msg.msg.halt_req;
34931 -       halt->req_id = atomic_inc_return(&dev->new_req_id);
34932 +       halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
34933  
34934         /* Ignore return since this msg is optional. */
34935         rndis_filter_send_request(dev, request);
34936 diff -urNp linux-3.1.1/drivers/staging/hv/vmbus_drv.c linux-3.1.1/drivers/staging/hv/vmbus_drv.c
34937 --- linux-3.1.1/drivers/staging/hv/vmbus_drv.c  2011-11-11 15:19:27.000000000 -0500
34938 +++ linux-3.1.1/drivers/staging/hv/vmbus_drv.c  2011-11-16 18:39:07.000000000 -0500
34939 @@ -660,11 +660,11 @@ int vmbus_child_device_register(struct h
34940  {
34941         int ret = 0;
34942  
34943 -       static atomic_t device_num = ATOMIC_INIT(0);
34944 +       static atomic_unchecked_t device_num = ATOMIC_INIT(0);
34945  
34946         /* Set the device name. Otherwise, device_register() will fail. */
34947         dev_set_name(&child_device_obj->device, "vmbus_0_%d",
34948 -                    atomic_inc_return(&device_num));
34949 +                    atomic_inc_return_unchecked(&device_num));
34950  
34951         /* The new device belongs to this bus */
34952         child_device_obj->device.bus = &hv_bus; /* device->dev.bus; */
34953 diff -urNp linux-3.1.1/drivers/staging/iio/ring_generic.h linux-3.1.1/drivers/staging/iio/ring_generic.h
34954 --- linux-3.1.1/drivers/staging/iio/ring_generic.h      2011-11-11 15:19:27.000000000 -0500
34955 +++ linux-3.1.1/drivers/staging/iio/ring_generic.h      2011-11-16 18:39:07.000000000 -0500
34956 @@ -62,7 +62,7 @@ struct iio_ring_access_funcs {
34957  
34958         int (*is_enabled)(struct iio_ring_buffer *ring);
34959         int (*enable)(struct iio_ring_buffer *ring);
34960 -};
34961 +} __no_const;
34962  
34963  struct iio_ring_setup_ops {
34964         int                             (*preenable)(struct iio_dev *);
34965 diff -urNp linux-3.1.1/drivers/staging/octeon/ethernet.c linux-3.1.1/drivers/staging/octeon/ethernet.c
34966 --- linux-3.1.1/drivers/staging/octeon/ethernet.c       2011-11-11 15:19:27.000000000 -0500
34967 +++ linux-3.1.1/drivers/staging/octeon/ethernet.c       2011-11-16 18:39:07.000000000 -0500
34968 @@ -258,11 +258,11 @@ static struct net_device_stats *cvm_oct_
34969                  * since the RX tasklet also increments it.
34970                  */
34971  #ifdef CONFIG_64BIT
34972 -               atomic64_add(rx_status.dropped_packets,
34973 -                            (atomic64_t *)&priv->stats.rx_dropped);
34974 +               atomic64_add_unchecked(rx_status.dropped_packets,
34975 +                            (atomic64_unchecked_t *)&priv->stats.rx_dropped);
34976  #else
34977 -               atomic_add(rx_status.dropped_packets,
34978 -                            (atomic_t *)&priv->stats.rx_dropped);
34979 +               atomic_add_unchecked(rx_status.dropped_packets,
34980 +                            (atomic_unchecked_t *)&priv->stats.rx_dropped);
34981  #endif
34982         }
34983  
34984 diff -urNp linux-3.1.1/drivers/staging/octeon/ethernet-rx.c linux-3.1.1/drivers/staging/octeon/ethernet-rx.c
34985 --- linux-3.1.1/drivers/staging/octeon/ethernet-rx.c    2011-11-11 15:19:27.000000000 -0500
34986 +++ linux-3.1.1/drivers/staging/octeon/ethernet-rx.c    2011-11-16 18:39:07.000000000 -0500
34987 @@ -420,11 +420,11 @@ static int cvm_oct_napi_poll(struct napi
34988                                 /* Increment RX stats for virtual ports */
34989                                 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
34990  #ifdef CONFIG_64BIT
34991 -                                       atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
34992 -                                       atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
34993 +                                       atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
34994 +                                       atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
34995  #else
34996 -                                       atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
34997 -                                       atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
34998 +                                       atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
34999 +                                       atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
35000  #endif
35001                                 }
35002                                 netif_receive_skb(skb);
35003 @@ -436,9 +436,9 @@ static int cvm_oct_napi_poll(struct napi
35004                                            dev->name);
35005                                 */
35006  #ifdef CONFIG_64BIT
35007 -                               atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
35008 +                               atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
35009  #else
35010 -                               atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
35011 +                               atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
35012  #endif
35013                                 dev_kfree_skb_irq(skb);
35014                         }
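Review bot: The CONFIG_64BIT branch now reads `atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);`, which does not match the `atomic64_add_unchecked` spelling used in every other hunk of this patch (ethernet.c and the preceding hunk of this file). Unless an `atomic64_unchecked_add` alias exists elsewhere in the patch — none is visible from here — this is a typo that breaks the 64-bit Octeon build, which is the usual configuration for this driver. It should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);`. cvm_oct_napi_poll()'s body extends beyond the hunk.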
35015 diff -urNp linux-3.1.1/drivers/staging/pohmelfs/inode.c linux-3.1.1/drivers/staging/pohmelfs/inode.c
35016 --- linux-3.1.1/drivers/staging/pohmelfs/inode.c        2011-11-11 15:19:27.000000000 -0500
35017 +++ linux-3.1.1/drivers/staging/pohmelfs/inode.c        2011-11-16 18:39:07.000000000 -0500
35018 @@ -1861,7 +1861,7 @@ static int pohmelfs_fill_super(struct su
35019         mutex_init(&psb->mcache_lock);
35020         psb->mcache_root = RB_ROOT;
35021         psb->mcache_timeout = msecs_to_jiffies(5000);
35022 -       atomic_long_set(&psb->mcache_gen, 0);
35023 +       atomic_long_set_unchecked(&psb->mcache_gen, 0);
35024  
35025         psb->trans_max_pages = 100;
35026  
35027 @@ -1876,7 +1876,7 @@ static int pohmelfs_fill_super(struct su
35028         INIT_LIST_HEAD(&psb->crypto_ready_list);
35029         INIT_LIST_HEAD(&psb->crypto_active_list);
35030  
35031 -       atomic_set(&psb->trans_gen, 1);
35032 +       atomic_set_unchecked(&psb->trans_gen, 1);
35033         atomic_long_set(&psb->total_inodes, 0);
35034  
35035         mutex_init(&psb->state_lock);
35036 diff -urNp linux-3.1.1/drivers/staging/pohmelfs/mcache.c linux-3.1.1/drivers/staging/pohmelfs/mcache.c
35037 --- linux-3.1.1/drivers/staging/pohmelfs/mcache.c       2011-11-11 15:19:27.000000000 -0500
35038 +++ linux-3.1.1/drivers/staging/pohmelfs/mcache.c       2011-11-16 18:39:07.000000000 -0500
35039 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
35040         m->data = data;
35041         m->start = start;
35042         m->size = size;
35043 -       m->gen = atomic_long_inc_return(&psb->mcache_gen);
35044 +       m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
35045  
35046         mutex_lock(&psb->mcache_lock);
35047         err = pohmelfs_mcache_insert(psb, m);
35048 diff -urNp linux-3.1.1/drivers/staging/pohmelfs/netfs.h linux-3.1.1/drivers/staging/pohmelfs/netfs.h
35049 --- linux-3.1.1/drivers/staging/pohmelfs/netfs.h        2011-11-11 15:19:27.000000000 -0500
35050 +++ linux-3.1.1/drivers/staging/pohmelfs/netfs.h        2011-11-16 18:39:07.000000000 -0500
35051 @@ -571,14 +571,14 @@ struct pohmelfs_config;
35052  struct pohmelfs_sb {
35053         struct rb_root          mcache_root;
35054         struct mutex            mcache_lock;
35055 -       atomic_long_t           mcache_gen;
35056 +       atomic_long_unchecked_t mcache_gen;
35057         unsigned long           mcache_timeout;
35058  
35059         unsigned int            idx;
35060  
35061         unsigned int            trans_retries;
35062  
35063 -       atomic_t                trans_gen;
35064 +       atomic_unchecked_t      trans_gen;
35065  
35066         unsigned int            crypto_attached_size;
35067         unsigned int            crypto_align_size;
35068 diff -urNp linux-3.1.1/drivers/staging/pohmelfs/trans.c linux-3.1.1/drivers/staging/pohmelfs/trans.c
35069 --- linux-3.1.1/drivers/staging/pohmelfs/trans.c        2011-11-11 15:19:27.000000000 -0500
35070 +++ linux-3.1.1/drivers/staging/pohmelfs/trans.c        2011-11-16 18:39:07.000000000 -0500
35071 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
35072         int err;
35073         struct netfs_cmd *cmd = t->iovec.iov_base;
35074  
35075 -       t->gen = atomic_inc_return(&psb->trans_gen);
35076 +       t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
35077  
35078         cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
35079                 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
35080 diff -urNp linux-3.1.1/drivers/staging/rtl8712/rtl871x_io.h linux-3.1.1/drivers/staging/rtl8712/rtl871x_io.h
35081 --- linux-3.1.1/drivers/staging/rtl8712/rtl871x_io.h    2011-11-11 15:19:27.000000000 -0500
35082 +++ linux-3.1.1/drivers/staging/rtl8712/rtl871x_io.h    2011-11-16 18:39:07.000000000 -0500
35083 @@ -83,7 +83,7 @@ struct        _io_ops {
35084                           u8 *pmem);
35085         u32 (*_write_port)(struct intf_hdl *pintfhdl, u32 addr, u32 cnt,
35086                            u8 *pmem);
35087 -};
35088 +} __no_const;
35089  
35090  struct io_req {
35091         struct list_head list;
35092 diff -urNp linux-3.1.1/drivers/staging/sbe-2t3e3/netdev.c linux-3.1.1/drivers/staging/sbe-2t3e3/netdev.c
35093 --- linux-3.1.1/drivers/staging/sbe-2t3e3/netdev.c      2011-11-11 15:19:27.000000000 -0500
35094 +++ linux-3.1.1/drivers/staging/sbe-2t3e3/netdev.c      2011-11-16 18:39:08.000000000 -0500
35095 @@ -51,7 +51,7 @@ int t3e3_ioctl(struct net_device *dev, s
35096         t3e3_if_config(sc, cmd_2t3e3, (char *)&param, &resp, &rlen);
35097  
35098         if (rlen)
35099 -               if (copy_to_user(data, &resp, rlen))
35100 +               if (rlen > sizeof resp || copy_to_user(data, &resp, rlen))
35101                         return -EFAULT;
35102  
35103         return 0;
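Review bot: The added `rlen > sizeof resp` guard protects only the copy_to_user() that follows it; t3e3_if_config() has already written into resp through `&resp, &rlen` on the line above, so if it can ever produce an rlen larger than the buffer the stack write has happened before this check runs (t3e3_if_config() is not visible from here, so the check may be purely defensive against a kernel-stack leak to user space). Returning -EFAULT for that case also conflates a driver-internal size bug with a bad user pointer; `if (rlen > sizeof resp) return -EINVAL;` ahead of the existing copy_to_user() test would keep the two failures distinguishable. t3e3_ioctl() starts outside the hunk.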
35104 diff -urNp linux-3.1.1/drivers/staging/usbip/usbip_common.h linux-3.1.1/drivers/staging/usbip/usbip_common.h
35105 --- linux-3.1.1/drivers/staging/usbip/usbip_common.h    2011-11-11 15:19:27.000000000 -0500
35106 +++ linux-3.1.1/drivers/staging/usbip/usbip_common.h    2011-11-16 18:39:08.000000000 -0500
35107 @@ -289,7 +289,7 @@ struct usbip_device {
35108                 void (*shutdown)(struct usbip_device *);
35109                 void (*reset)(struct usbip_device *);
35110                 void (*unusable)(struct usbip_device *);
35111 -       } eh_ops;
35112 +       } __no_const eh_ops;
35113  };
35114  
35115  #if 0
35116 diff -urNp linux-3.1.1/drivers/staging/usbip/vhci.h linux-3.1.1/drivers/staging/usbip/vhci.h
35117 --- linux-3.1.1/drivers/staging/usbip/vhci.h    2011-11-11 15:19:27.000000000 -0500
35118 +++ linux-3.1.1/drivers/staging/usbip/vhci.h    2011-11-16 18:39:08.000000000 -0500
35119 @@ -85,7 +85,7 @@ struct vhci_hcd {
35120         unsigned resuming:1;
35121         unsigned long re_timeout;
35122  
35123 -       atomic_t seqnum;
35124 +       atomic_unchecked_t seqnum;
35125  
35126         /*
35127          * NOTE:
35128 diff -urNp linux-3.1.1/drivers/staging/usbip/vhci_hcd.c linux-3.1.1/drivers/staging/usbip/vhci_hcd.c
35129 --- linux-3.1.1/drivers/staging/usbip/vhci_hcd.c        2011-11-11 15:19:27.000000000 -0500
35130 +++ linux-3.1.1/drivers/staging/usbip/vhci_hcd.c        2011-11-16 18:39:08.000000000 -0500
35131 @@ -527,7 +527,7 @@ static void vhci_tx_urb(struct urb *urb)
35132                 return;
35133         }
35134  
35135 -       priv->seqnum = atomic_inc_return(&the_controller->seqnum);
35136 +       priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
35137         if (priv->seqnum == 0xffff)
35138                 dev_info(&urb->dev->dev, "seqnum max\n");
35139  
35140 @@ -779,7 +779,7 @@ static int vhci_urb_dequeue(struct usb_h
35141                         return -ENOMEM;
35142                 }
35143  
35144 -               unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
35145 +               unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
35146                 if (unlink->seqnum == 0xffff)
35147                         pr_info("seqnum max\n");
35148  
35149 @@ -969,7 +969,7 @@ static int vhci_start(struct usb_hcd *hc
35150                 vdev->rhport = rhport;
35151         }
35152  
35153 -       atomic_set(&vhci->seqnum, 0);
35154 +       atomic_set_unchecked(&vhci->seqnum, 0);
35155         spin_lock_init(&vhci->lock);
35156  
35157         hcd->power_budget = 0; /* no limit */
35158 diff -urNp linux-3.1.1/drivers/staging/usbip/vhci_rx.c linux-3.1.1/drivers/staging/usbip/vhci_rx.c
35159 --- linux-3.1.1/drivers/staging/usbip/vhci_rx.c 2011-11-11 15:19:27.000000000 -0500
35160 +++ linux-3.1.1/drivers/staging/usbip/vhci_rx.c 2011-11-16 18:39:08.000000000 -0500
35161 @@ -76,7 +76,7 @@ static void vhci_recv_ret_submit(struct 
35162         if (!urb) {
35163                 pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
35164                 pr_info("max seqnum %d\n",
35165 -                       atomic_read(&the_controller->seqnum));
35166 +                       atomic_read_unchecked(&the_controller->seqnum));
35167                 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
35168                 return;
35169         }
35170 diff -urNp linux-3.1.1/drivers/staging/vt6655/hostap.c linux-3.1.1/drivers/staging/vt6655/hostap.c
35171 --- linux-3.1.1/drivers/staging/vt6655/hostap.c 2011-11-11 15:19:27.000000000 -0500
35172 +++ linux-3.1.1/drivers/staging/vt6655/hostap.c 2011-11-16 18:39:08.000000000 -0500
35173 @@ -79,14 +79,13 @@ static int          msglevel            
35174   *
35175   */
35176  
35177 +static net_device_ops_no_const apdev_netdev_ops;
35178 +
35179  static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked)
35180  {
35181      PSDevice apdev_priv;
35182         struct net_device *dev = pDevice->dev;
35183         int ret;
35184 -       const struct net_device_ops apdev_netdev_ops = {
35185 -               .ndo_start_xmit         = pDevice->tx_80211,
35186 -       };
35187  
35188      DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name);
35189  
35190 @@ -98,6 +97,8 @@ static int hostap_enable_hostapd(PSDevic
35191      *apdev_priv = *pDevice;
35192         memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN);
35193  
35194 +       /* only half broken now */
35195 +       apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;
35196         pDevice->apdev->netdev_ops = &apdev_netdev_ops;
35197  
35198         pDevice->apdev->type = ARPHRD_IEEE80211;
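Review bot: The comment `/* only half broken now */` does not say what is still broken: apdev_netdev_ops is now a single file-scope static, so a second adapter calling hostap_enable_hostapd() overwrites the ndo_start_xmit hook that the first adapter's apdev already points at (the previous code stored the address of a stack-local const struct, which was worse, but the new form is only correct for one device at a time). The assignment is also not under any lock visible in the hunk. Suggested wording: `/* shared by all adapters: a second hostap_enable_hostapd() call retargets every apdev's ndo_start_xmit; correct only while one device is in hostapd mode */`. hostap_enable_hostapd() continues outside the hunk.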
35199 diff -urNp linux-3.1.1/drivers/staging/vt6656/hostap.c linux-3.1.1/drivers/staging/vt6656/hostap.c
35200 --- linux-3.1.1/drivers/staging/vt6656/hostap.c 2011-11-11 15:19:27.000000000 -0500
35201 +++ linux-3.1.1/drivers/staging/vt6656/hostap.c 2011-11-16 18:39:08.000000000 -0500
35202 @@ -80,14 +80,13 @@ static int          msglevel            
35203   *
35204   */
35205  
35206 +static net_device_ops_no_const apdev_netdev_ops;
35207 +
35208  static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked)
35209  {
35210      PSDevice apdev_priv;
35211         struct net_device *dev = pDevice->dev;
35212         int ret;
35213 -       const struct net_device_ops apdev_netdev_ops = {
35214 -               .ndo_start_xmit         = pDevice->tx_80211,
35215 -       };
35216  
35217      DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name);
35218  
35219 @@ -99,6 +98,8 @@ static int hostap_enable_hostapd(PSDevic
35220      *apdev_priv = *pDevice;
35221         memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN);
35222  
35223 +       /* only half broken now */
35224 +       apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;
35225         pDevice->apdev->netdev_ops = &apdev_netdev_ops;
35226  
35227         pDevice->apdev->type = ARPHRD_IEEE80211;
35228 diff -urNp linux-3.1.1/drivers/staging/wlan-ng/hfa384x_usb.c linux-3.1.1/drivers/staging/wlan-ng/hfa384x_usb.c
35229 --- linux-3.1.1/drivers/staging/wlan-ng/hfa384x_usb.c   2011-11-11 15:19:27.000000000 -0500
35230 +++ linux-3.1.1/drivers/staging/wlan-ng/hfa384x_usb.c   2011-11-16 18:39:08.000000000 -0500
35231 @@ -204,7 +204,7 @@ static void unlocked_usbctlx_complete(hf
35232  
35233  struct usbctlx_completor {
35234         int (*complete) (struct usbctlx_completor *);
35235 -};
35236 +} __no_const;
35237  
35238  static int
35239  hfa384x_usbctlx_complete_sync(hfa384x_t *hw,
35240 diff -urNp linux-3.1.1/drivers/staging/zcache/tmem.c linux-3.1.1/drivers/staging/zcache/tmem.c
35241 --- linux-3.1.1/drivers/staging/zcache/tmem.c   2011-11-11 15:19:27.000000000 -0500
35242 +++ linux-3.1.1/drivers/staging/zcache/tmem.c   2011-11-16 18:39:08.000000000 -0500
35243 @@ -39,7 +39,7 @@
35244   * A tmem host implementation must use this function to register callbacks
35245   * for memory allocation.
35246   */
35247 -static struct tmem_hostops tmem_hostops;
35248 +static tmem_hostops_no_const tmem_hostops;
35249  
35250  static void tmem_objnode_tree_init(void);
35251  
35252 @@ -53,7 +53,7 @@ void tmem_register_hostops(struct tmem_h
35253   * A tmem host implementation must use this function to register
35254   * callbacks for a page-accessible memory (PAM) implementation
35255   */
35256 -static struct tmem_pamops tmem_pamops;
35257 +static tmem_pamops_no_const tmem_pamops;
35258  
35259  void tmem_register_pamops(struct tmem_pamops *m)
35260  {
35261 diff -urNp linux-3.1.1/drivers/staging/zcache/tmem.h linux-3.1.1/drivers/staging/zcache/tmem.h
35262 --- linux-3.1.1/drivers/staging/zcache/tmem.h   2011-11-11 15:19:27.000000000 -0500
35263 +++ linux-3.1.1/drivers/staging/zcache/tmem.h   2011-11-16 18:39:08.000000000 -0500
35264 @@ -180,6 +180,7 @@ struct tmem_pamops {
35265         void (*new_obj)(struct tmem_obj *);
35266         int (*replace_in_obj)(void *, struct tmem_obj *);
35267  };
35268 +typedef struct tmem_pamops __no_const tmem_pamops_no_const;
35269  extern void tmem_register_pamops(struct tmem_pamops *m);
35270  
35271  /* memory allocation methods provided by the host implementation */
35272 @@ -189,6 +190,7 @@ struct tmem_hostops {
35273         struct tmem_objnode *(*objnode_alloc)(struct tmem_pool *);
35274         void (*objnode_free)(struct tmem_objnode *, struct tmem_pool *);
35275  };
35276 +typedef struct tmem_hostops __no_const tmem_hostops_no_const;
35277  extern void tmem_register_hostops(struct tmem_hostops *m);
35278  
35279  /* core tmem accessor functions */
35280 diff -urNp linux-3.1.1/drivers/target/iscsi/iscsi_target.c linux-3.1.1/drivers/target/iscsi/iscsi_target.c
35281 --- linux-3.1.1/drivers/target/iscsi/iscsi_target.c     2011-11-11 15:19:27.000000000 -0500
35282 +++ linux-3.1.1/drivers/target/iscsi/iscsi_target.c     2011-11-16 18:39:08.000000000 -0500
35283 @@ -1368,7 +1368,7 @@ static int iscsit_handle_data_out(struct
35284                  * outstanding_r2ts reaches zero, go ahead and send the delayed
35285                  * TASK_ABORTED status.
35286                  */
35287 -               if (atomic_read(&se_cmd->t_transport_aborted) != 0) {
35288 +               if (atomic_read_unchecked(&se_cmd->t_transport_aborted) != 0) {
35289                         if (hdr->flags & ISCSI_FLAG_CMD_FINAL)
35290                                 if (--cmd->outstanding_r2ts < 1) {
35291                                         iscsit_stop_dataout_timer(cmd);
35292 diff -urNp linux-3.1.1/drivers/target/target_core_alua.c linux-3.1.1/drivers/target/target_core_alua.c
35293 --- linux-3.1.1/drivers/target/target_core_alua.c       2011-11-11 15:19:27.000000000 -0500
35294 +++ linux-3.1.1/drivers/target/target_core_alua.c       2011-11-16 18:40:29.000000000 -0500
35295 @@ -723,6 +723,8 @@ static int core_alua_update_tpg_primary_
35296         char path[ALUA_METADATA_PATH_LEN];
35297         int len;
35298  
35299 +       pax_track_stack();
35300 +
35301         memset(path, 0, ALUA_METADATA_PATH_LEN);
35302  
35303         len = snprintf(md_buf, tg_pt_gp->tg_pt_gp_md_buf_len,
35304 @@ -986,6 +988,8 @@ static int core_alua_update_tpg_secondar
35305         char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN];
35306         int len;
35307  
35308 +       pax_track_stack();
35309 +
35310         memset(path, 0, ALUA_METADATA_PATH_LEN);
35311         memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
35312  
35313 diff -urNp linux-3.1.1/drivers/target/target_core_cdb.c linux-3.1.1/drivers/target/target_core_cdb.c
35314 --- linux-3.1.1/drivers/target/target_core_cdb.c        2011-11-11 15:19:27.000000000 -0500
35315 +++ linux-3.1.1/drivers/target/target_core_cdb.c        2011-11-16 18:40:29.000000000 -0500
35316 @@ -933,6 +933,8 @@ target_emulate_modesense(struct se_cmd *
35317         int length = 0;
35318         unsigned char buf[SE_MODE_PAGE_BUF];
35319  
35320 +       pax_track_stack();
35321 +
35322         memset(buf, 0, SE_MODE_PAGE_BUF);
35323  
35324         switch (cdb[2] & 0x3f) {
35325 diff -urNp linux-3.1.1/drivers/target/target_core_configfs.c linux-3.1.1/drivers/target/target_core_configfs.c
35326 --- linux-3.1.1/drivers/target/target_core_configfs.c   2011-11-11 15:19:27.000000000 -0500
35327 +++ linux-3.1.1/drivers/target/target_core_configfs.c   2011-11-16 19:04:37.000000000 -0500
35328 @@ -1267,6 +1267,8 @@ static ssize_t target_core_dev_pr_show_a
35329         ssize_t len = 0;
35330         int reg_count = 0, prf_isid;
35331  
35332 +       pax_track_stack();
35333 +
35334         if (!su_dev->se_dev_ptr)
35335                 return -ENODEV;
35336  
35337 diff -urNp linux-3.1.1/drivers/target/target_core_pr.c linux-3.1.1/drivers/target/target_core_pr.c
35338 --- linux-3.1.1/drivers/target/target_core_pr.c 2011-11-11 15:19:27.000000000 -0500
35339 +++ linux-3.1.1/drivers/target/target_core_pr.c 2011-11-16 18:40:29.000000000 -0500
35340 @@ -918,6 +918,8 @@ static int __core_scsi3_check_aptpl_regi
35341         unsigned char t_port[PR_APTPL_MAX_TPORT_LEN];
35342         u16 tpgt;
35343  
35344 +       pax_track_stack();
35345 +
35346         memset(i_port, 0, PR_APTPL_MAX_IPORT_LEN);
35347         memset(t_port, 0, PR_APTPL_MAX_TPORT_LEN);
35348         /*
35349 @@ -1867,6 +1869,8 @@ static int __core_scsi3_update_aptpl_buf
35350         ssize_t len = 0;
35351         int reg_count = 0;
35352  
35353 +       pax_track_stack();
35354 +
35355         memset(buf, 0, pr_aptpl_buf_len);
35356         /*
35357          * Called to clear metadata once APTPL has been deactivated.
35358 @@ -1989,6 +1993,8 @@ static int __core_scsi3_write_aptpl_to_f
35359         char path[512];
35360         int ret;
35361  
35362 +       pax_track_stack();
35363 +
35364         memset(iov, 0, sizeof(struct iovec));
35365         memset(path, 0, 512);
35366  
35367 diff -urNp linux-3.1.1/drivers/target/target_core_tmr.c linux-3.1.1/drivers/target/target_core_tmr.c
35368 --- linux-3.1.1/drivers/target/target_core_tmr.c        2011-11-11 15:19:27.000000000 -0500
35369 +++ linux-3.1.1/drivers/target/target_core_tmr.c        2011-11-16 18:39:08.000000000 -0500
35370 @@ -255,7 +255,7 @@ static void core_tmr_drain_task_list(
35371                         cmd->se_tfo->get_task_tag(cmd), cmd->pr_res_key,
35372                         cmd->t_task_list_num,
35373                         atomic_read(&cmd->t_task_cdbs_left),
35374 -                       atomic_read(&cmd->t_task_cdbs_sent),
35375 +                       atomic_read_unchecked(&cmd->t_task_cdbs_sent),
35376                         atomic_read(&cmd->t_transport_active),
35377                         atomic_read(&cmd->t_transport_stop),
35378                         atomic_read(&cmd->t_transport_sent));
35379 @@ -291,7 +291,7 @@ static void core_tmr_drain_task_list(
35380                         pr_debug("LUN_RESET: got t_transport_active = 1 for"
35381                                 " task: %p, t_fe_count: %d dev: %p\n", task,
35382                                 fe_count, dev);
35383 -                       atomic_set(&cmd->t_transport_aborted, 1);
35384 +                       atomic_set_unchecked(&cmd->t_transport_aborted, 1);
35385                         spin_unlock_irqrestore(&cmd->t_state_lock, flags);
35386  
35387                         core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
35388 @@ -299,7 +299,7 @@ static void core_tmr_drain_task_list(
35389                 }
35390                 pr_debug("LUN_RESET: Got t_transport_active = 0 for task: %p,"
35391                         " t_fe_count: %d dev: %p\n", task, fe_count, dev);
35392 -               atomic_set(&cmd->t_transport_aborted, 1);
35393 +               atomic_set_unchecked(&cmd->t_transport_aborted, 1);
35394                 spin_unlock_irqrestore(&cmd->t_state_lock, flags);
35395  
35396                 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
35397 diff -urNp linux-3.1.1/drivers/target/target_core_transport.c linux-3.1.1/drivers/target/target_core_transport.c
35398 --- linux-3.1.1/drivers/target/target_core_transport.c  2011-11-11 15:19:27.000000000 -0500
35399 +++ linux-3.1.1/drivers/target/target_core_transport.c  2011-11-16 18:39:08.000000000 -0500
35400 @@ -1445,7 +1445,7 @@ struct se_device *transport_add_device_t
35401  
35402         dev->queue_depth        = dev_limits->queue_depth;
35403         atomic_set(&dev->depth_left, dev->queue_depth);
35404 -       atomic_set(&dev->dev_ordered_id, 0);
35405 +       atomic_set_unchecked(&dev->dev_ordered_id, 0);
35406  
35407         se_dev_set_default_attribs(dev, dev_limits);
35408  
35409 @@ -1633,7 +1633,7 @@ static int transport_check_alloc_task_at
35410          * Used to determine when ORDERED commands should go from
35411          * Dormant to Active status.
35412          */
35413 -       cmd->se_ordered_id = atomic_inc_return(&cmd->se_dev->dev_ordered_id);
35414 +       cmd->se_ordered_id = atomic_inc_return_unchecked(&cmd->se_dev->dev_ordered_id);
35415         smp_mb__after_atomic_inc();
35416         pr_debug("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
35417                         cmd->se_ordered_id, cmd->sam_task_attr,
35418 @@ -1960,7 +1960,7 @@ static void transport_generic_request_fa
35419                 " t_transport_active: %d t_transport_stop: %d"
35420                 " t_transport_sent: %d\n", cmd->t_task_list_num,
35421                 atomic_read(&cmd->t_task_cdbs_left),
35422 -               atomic_read(&cmd->t_task_cdbs_sent),
35423 +               atomic_read_unchecked(&cmd->t_task_cdbs_sent),
35424                 atomic_read(&cmd->t_task_cdbs_ex_left),
35425                 atomic_read(&cmd->t_transport_active),
35426                 atomic_read(&cmd->t_transport_stop),
35427 @@ -2460,9 +2460,9 @@ check_depth:
35428         spin_lock_irqsave(&cmd->t_state_lock, flags);
35429         atomic_set(&task->task_active, 1);
35430         atomic_set(&task->task_sent, 1);
35431 -       atomic_inc(&cmd->t_task_cdbs_sent);
35432 +       atomic_inc_unchecked(&cmd->t_task_cdbs_sent);
35433  
35434 -       if (atomic_read(&cmd->t_task_cdbs_sent) ==
35435 +       if (atomic_read_unchecked(&cmd->t_task_cdbs_sent) ==
35436             cmd->t_task_list_num)
35437                 atomic_set(&cmd->transport_sent, 1);
35438  
35439 @@ -4665,7 +4665,7 @@ static void transport_generic_wait_for_t
35440                 atomic_set(&cmd->transport_lun_stop, 0);
35441         }
35442         if (!atomic_read(&cmd->t_transport_active) ||
35443 -            atomic_read(&cmd->t_transport_aborted))
35444 +            atomic_read_unchecked(&cmd->t_transport_aborted))
35445                 goto remove;
35446  
35447         atomic_set(&cmd->t_transport_stop, 1);
35448 @@ -4900,7 +4900,7 @@ int transport_check_aborted_status(struc
35449  {
35450         int ret = 0;
35451  
35452 -       if (atomic_read(&cmd->t_transport_aborted) != 0) {
35453 +       if (atomic_read_unchecked(&cmd->t_transport_aborted) != 0) {
35454                 if (!send_status ||
35455                      (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
35456                         return 1;
35457 @@ -4937,7 +4937,7 @@ void transport_send_task_abort(struct se
35458          */
35459         if (cmd->data_direction == DMA_TO_DEVICE) {
35460                 if (cmd->se_tfo->write_pending_status(cmd) != 0) {
35461 -                       atomic_inc(&cmd->t_transport_aborted);
35462 +                       atomic_inc_unchecked(&cmd->t_transport_aborted);
35463                         smp_mb__after_atomic_inc();
35464                         cmd->scsi_status = SAM_STAT_TASK_ABORTED;
35465                         transport_new_cmd_failure(cmd);
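Review bot: t_transport_aborted is treated as a boolean everywhere else in this patch — core_tmr_drain_task_list() writes it with `atomic_set_unchecked(&cmd->t_transport_aborted, 1)` and every reader tests `!= 0` — but this hunk bumps it with `atomic_inc_unchecked(&cmd->t_transport_aborted);`; mixing set and increment on one field is presumably why PaX refcount checking had to be disabled on it. Using `atomic_set_unchecked(&cmd->t_transport_aborted, 1);` here as well would make the flag semantics explicit and consistent with the TMR path. transport_send_task_abort() continues outside the hunk.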
35466 @@ -5051,7 +5051,7 @@ static void transport_processing_shutdow
35467                         cmd->se_tfo->get_task_tag(cmd),
35468                         cmd->t_task_list_num,
35469                         atomic_read(&cmd->t_task_cdbs_left),
35470 -                       atomic_read(&cmd->t_task_cdbs_sent),
35471 +                       atomic_read_unchecked(&cmd->t_task_cdbs_sent),
35472                         atomic_read(&cmd->t_transport_active),
35473                         atomic_read(&cmd->t_transport_stop),
35474                         atomic_read(&cmd->t_transport_sent));
35475 diff -urNp linux-3.1.1/drivers/telephony/ixj.c linux-3.1.1/drivers/telephony/ixj.c
35476 --- linux-3.1.1/drivers/telephony/ixj.c 2011-11-11 15:19:27.000000000 -0500
35477 +++ linux-3.1.1/drivers/telephony/ixj.c 2011-11-16 18:40:29.000000000 -0500
35478 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
35479         bool mContinue;
35480         char *pIn, *pOut;
35481  
35482 +       pax_track_stack();
35483 +
35484         if (!SCI_Prepare(j))
35485                 return 0;
35486  
35487 diff -urNp linux-3.1.1/drivers/tty/hvc/hvcs.c linux-3.1.1/drivers/tty/hvc/hvcs.c
35488 --- linux-3.1.1/drivers/tty/hvc/hvcs.c  2011-11-11 15:19:27.000000000 -0500
35489 +++ linux-3.1.1/drivers/tty/hvc/hvcs.c  2011-11-16 18:39:08.000000000 -0500
35490 @@ -83,6 +83,7 @@
35491  #include <asm/hvcserver.h>
35492  #include <asm/uaccess.h>
35493  #include <asm/vio.h>
35494 +#include <asm/local.h>
35495  
35496  /*
35497   * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
35498 @@ -270,7 +271,7 @@ struct hvcs_struct {
35499         unsigned int index;
35500  
35501         struct tty_struct *tty;
35502 -       int open_count;
35503 +       local_t open_count;
35504  
35505         /*
35506          * Used to tell the driver kernel_thread what operations need to take
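Review bot: `local_t` is the kernel's per-CPU counter type, and its operations are only guaranteed atomic against the local CPU, so switching `open_count` to it does not by itself make the field safe across CPUs. Every access to it visible in the hvcs hunks still sits under `hvcsd->lock` (the read in hvcs_write_room is the exception), so correctness continues to rest on that lock, and the field deserves a comment saying so: `local_t open_count;	/* protected by ->lock; local_t is not a cross-CPU atomic */`. The same conversion is made for `open_count` in the ipwireless tty.c struct hunk (accesses there stay under `ipw_tty_mutex`) and for `vma_count` in the uio.c struct hunk, where uio_vma_open/uio_vma_close show no lock at all, so the choice of `local_t` over `atomic_t` should be justified in a comment; presumably it is for PaX's refcount instrumentation, which I cannot confirm from the hunks.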
35507 @@ -422,7 +423,7 @@ static ssize_t hvcs_vterm_state_store(st
35508  
35509         spin_lock_irqsave(&hvcsd->lock, flags);
35510  
35511 -       if (hvcsd->open_count > 0) {
35512 +       if (local_read(&hvcsd->open_count) > 0) {
35513                 spin_unlock_irqrestore(&hvcsd->lock, flags);
35514                 printk(KERN_INFO "HVCS: vterm state unchanged.  "
35515                                 "The hvcs device node is still in use.\n");
35516 @@ -1145,7 +1146,7 @@ static int hvcs_open(struct tty_struct *
35517                 if ((retval = hvcs_partner_connect(hvcsd)))
35518                         goto error_release;
35519  
35520 -       hvcsd->open_count = 1;
35521 +       local_set(&hvcsd->open_count, 1);
35522         hvcsd->tty = tty;
35523         tty->driver_data = hvcsd;
35524  
35525 @@ -1179,7 +1180,7 @@ fast_open:
35526  
35527         spin_lock_irqsave(&hvcsd->lock, flags);
35528         kref_get(&hvcsd->kref);
35529 -       hvcsd->open_count++;
35530 +       local_inc(&hvcsd->open_count);
35531         hvcsd->todo_mask |= HVCS_SCHED_READ;
35532         spin_unlock_irqrestore(&hvcsd->lock, flags);
35533  
35534 @@ -1223,7 +1224,7 @@ static void hvcs_close(struct tty_struct
35535         hvcsd = tty->driver_data;
35536  
35537         spin_lock_irqsave(&hvcsd->lock, flags);
35538 -       if (--hvcsd->open_count == 0) {
35539 +       if (local_dec_and_test(&hvcsd->open_count)) {
35540  
35541                 vio_disable_interrupts(hvcsd->vdev);
35542  
35543 @@ -1249,10 +1250,10 @@ static void hvcs_close(struct tty_struct
35544                 free_irq(irq, hvcsd);
35545                 kref_put(&hvcsd->kref, destroy_hvcs_struct);
35546                 return;
35547 -       } else if (hvcsd->open_count < 0) {
35548 +       } else if (local_read(&hvcsd->open_count) < 0) {
35549                 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
35550                                 " is missmanaged.\n",
35551 -               hvcsd->vdev->unit_address, hvcsd->open_count);
35552 +               hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
35553         }
35554  
35555         spin_unlock_irqrestore(&hvcsd->lock, flags);
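Review bot: The `printk` at the end of this hunk keeps `%d` for `open_count`, but `local_read()` returns `long` (it wraps `atomic_long_read()`), so the argument no longer matches the conversion. Change the format to `"HVCS: vty-server@%X open_count: %ld"` or pass `(int)local_read(&hvcsd->open_count)`. hvcs_close continues outside the hunk.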
35556 @@ -1268,7 +1269,7 @@ static void hvcs_hangup(struct tty_struc
35557  
35558         spin_lock_irqsave(&hvcsd->lock, flags);
35559         /* Preserve this so that we know how many kref refs to put */
35560 -       temp_open_count = hvcsd->open_count;
35561 +       temp_open_count = local_read(&hvcsd->open_count);
35562  
35563         /*
35564          * Don't kref put inside the spinlock because the destruction
35565 @@ -1283,7 +1284,7 @@ static void hvcs_hangup(struct tty_struc
35566         hvcsd->tty->driver_data = NULL;
35567         hvcsd->tty = NULL;
35568  
35569 -       hvcsd->open_count = 0;
35570 +       local_set(&hvcsd->open_count, 0);
35571  
35572         /* This will drop any buffered data on the floor which is OK in a hangup
35573          * scenario. */
35574 @@ -1354,7 +1355,7 @@ static int hvcs_write(struct tty_struct 
35575          * the middle of a write operation?  This is a crummy place to do this
35576          * but we want to keep it all in the spinlock.
35577          */
35578 -       if (hvcsd->open_count <= 0) {
35579 +       if (local_read(&hvcsd->open_count) <= 0) {
35580                 spin_unlock_irqrestore(&hvcsd->lock, flags);
35581                 return -ENODEV;
35582         }
35583 @@ -1428,7 +1429,7 @@ static int hvcs_write_room(struct tty_st
35584  {
35585         struct hvcs_struct *hvcsd = tty->driver_data;
35586  
35587 -       if (!hvcsd || hvcsd->open_count <= 0)
35588 +       if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
35589                 return 0;
35590  
35591         return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
35592 diff -urNp linux-3.1.1/drivers/tty/ipwireless/tty.c linux-3.1.1/drivers/tty/ipwireless/tty.c
35593 --- linux-3.1.1/drivers/tty/ipwireless/tty.c    2011-11-11 15:19:27.000000000 -0500
35594 +++ linux-3.1.1/drivers/tty/ipwireless/tty.c    2011-11-16 18:39:08.000000000 -0500
35595 @@ -29,6 +29,7 @@
35596  #include <linux/tty_driver.h>
35597  #include <linux/tty_flip.h>
35598  #include <linux/uaccess.h>
35599 +#include <asm/local.h>
35600  
35601  #include "tty.h"
35602  #include "network.h"
35603 @@ -51,7 +52,7 @@ struct ipw_tty {
35604         int tty_type;
35605         struct ipw_network *network;
35606         struct tty_struct *linux_tty;
35607 -       int open_count;
35608 +       local_t open_count;
35609         unsigned int control_lines;
35610         struct mutex ipw_tty_mutex;
35611         int tx_bytes_queued;
35612 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
35613                 mutex_unlock(&tty->ipw_tty_mutex);
35614                 return -ENODEV;
35615         }
35616 -       if (tty->open_count == 0)
35617 +       if (local_read(&tty->open_count) == 0)
35618                 tty->tx_bytes_queued = 0;
35619  
35620 -       tty->open_count++;
35621 +       local_inc(&tty->open_count);
35622  
35623         tty->linux_tty = linux_tty;
35624         linux_tty->driver_data = tty;
35625 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
35626  
35627  static void do_ipw_close(struct ipw_tty *tty)
35628  {
35629 -       tty->open_count--;
35630 -
35631 -       if (tty->open_count == 0) {
35632 +       if (local_dec_return(&tty->open_count) == 0) {
35633                 struct tty_struct *linux_tty = tty->linux_tty;
35634  
35635                 if (linux_tty != NULL) {
35636 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
35637                 return;
35638  
35639         mutex_lock(&tty->ipw_tty_mutex);
35640 -       if (tty->open_count == 0) {
35641 +       if (local_read(&tty->open_count) == 0) {
35642                 mutex_unlock(&tty->ipw_tty_mutex);
35643                 return;
35644         }
35645 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
35646                 return;
35647         }
35648  
35649 -       if (!tty->open_count) {
35650 +       if (!local_read(&tty->open_count)) {
35651                 mutex_unlock(&tty->ipw_tty_mutex);
35652                 return;
35653         }
35654 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
35655                 return -ENODEV;
35656  
35657         mutex_lock(&tty->ipw_tty_mutex);
35658 -       if (!tty->open_count) {
35659 +       if (!local_read(&tty->open_count)) {
35660                 mutex_unlock(&tty->ipw_tty_mutex);
35661                 return -EINVAL;
35662         }
35663 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
35664         if (!tty)
35665                 return -ENODEV;
35666  
35667 -       if (!tty->open_count)
35668 +       if (!local_read(&tty->open_count))
35669                 return -EINVAL;
35670  
35671         room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
35672 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
35673         if (!tty)
35674                 return 0;
35675  
35676 -       if (!tty->open_count)
35677 +       if (!local_read(&tty->open_count))
35678                 return 0;
35679  
35680         return tty->tx_bytes_queued;
35681 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
35682         if (!tty)
35683                 return -ENODEV;
35684  
35685 -       if (!tty->open_count)
35686 +       if (!local_read(&tty->open_count))
35687                 return -EINVAL;
35688  
35689         return get_control_lines(tty);
35690 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
35691         if (!tty)
35692                 return -ENODEV;
35693  
35694 -       if (!tty->open_count)
35695 +       if (!local_read(&tty->open_count))
35696                 return -EINVAL;
35697  
35698         return set_control_lines(tty, set, clear);
35699 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
35700         if (!tty)
35701                 return -ENODEV;
35702  
35703 -       if (!tty->open_count)
35704 +       if (!local_read(&tty->open_count))
35705                 return -EINVAL;
35706  
35707         /* FIXME: Exactly how is the tty object locked here .. */
35708 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty 
35709                                    against a parallel ioctl etc */
35710                                 mutex_lock(&ttyj->ipw_tty_mutex);
35711                         }
35712 -                       while (ttyj->open_count)
35713 +                       while (local_read(&ttyj->open_count))
35714                                 do_ipw_close(ttyj);
35715                         ipwireless_disassociate_network_ttys(network,
35716                                                              ttyj->channel_idx);
35717 diff -urNp linux-3.1.1/drivers/tty/n_gsm.c linux-3.1.1/drivers/tty/n_gsm.c
35718 --- linux-3.1.1/drivers/tty/n_gsm.c     2011-11-11 15:19:27.000000000 -0500
35719 +++ linux-3.1.1/drivers/tty/n_gsm.c     2011-11-16 18:39:08.000000000 -0500
35720 @@ -1625,7 +1625,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
35721         kref_init(&dlci->ref);
35722         mutex_init(&dlci->mutex);
35723         dlci->fifo = &dlci->_fifo;
35724 -       if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
35725 +       if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
35726                 kfree(dlci);
35727                 return NULL;
35728         }
35729 diff -urNp linux-3.1.1/drivers/tty/n_tty.c linux-3.1.1/drivers/tty/n_tty.c
35730 --- linux-3.1.1/drivers/tty/n_tty.c     2011-11-11 15:19:27.000000000 -0500
35731 +++ linux-3.1.1/drivers/tty/n_tty.c     2011-11-16 18:39:08.000000000 -0500
35732 @@ -2123,6 +2123,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
35733  {
35734         *ops = tty_ldisc_N_TTY;
35735         ops->owner = NULL;
35736 -       ops->refcount = ops->flags = 0;
35737 +       atomic_set(&ops->refcount, 0);
35738 +       ops->flags = 0;
35739  }
35740  EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
35741 diff -urNp linux-3.1.1/drivers/tty/pty.c linux-3.1.1/drivers/tty/pty.c
35742 --- linux-3.1.1/drivers/tty/pty.c       2011-11-11 15:19:27.000000000 -0500
35743 +++ linux-3.1.1/drivers/tty/pty.c       2011-11-16 18:39:08.000000000 -0500
35744 @@ -773,8 +773,10 @@ static void __init unix98_pty_init(void)
35745         register_sysctl_table(pty_root_table);
35746  
35747         /* Now create the /dev/ptmx special device */
35748 +       pax_open_kernel();
35749         tty_default_fops(&ptmx_fops);
35750 -       ptmx_fops.open = ptmx_open;
35751 +       *(void **)&ptmx_fops.open = ptmx_open;
35752 +       pax_close_kernel();
35753  
35754         cdev_init(&ptmx_cdev, &ptmx_fops);
35755         if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
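Review bot: The `*(void **)&ptmx_fops.open = ptmx_open;` rewrite and the `pax_open_kernel()`/`pax_close_kernel()` pair around it are not explained at the site; a reader sees a cast that strips the qualifier from `ptmx_fops` and a write window with no comment. Propose `/* ptmx_fops is read-only once the kernel is up (PaX constify, presumably); writes must sit inside pax_open_kernel()/pax_close_kernel() */` above `pax_open_kernel();`. The same applies to `tty_default_fops()` in the tty_io.c hunk, where `memcpy((void *)fops, …)` replaces the plain assignment with a cast that discards the qualifier and gives callers no hint that they must open the window first; a kernel-doc line on that function stating the requirement would close the gap.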
35756 diff -urNp linux-3.1.1/drivers/tty/rocket.c linux-3.1.1/drivers/tty/rocket.c
35757 --- linux-3.1.1/drivers/tty/rocket.c    2011-11-11 15:19:27.000000000 -0500
35758 +++ linux-3.1.1/drivers/tty/rocket.c    2011-11-16 18:40:29.000000000 -0500
35759 @@ -1277,6 +1277,8 @@ static int get_ports(struct r_port *info
35760         struct rocket_ports tmp;
35761         int board;
35762  
35763 +       pax_track_stack();
35764 +
35765         if (!retports)
35766                 return -EFAULT;
35767         memset(&tmp, 0, sizeof (tmp));
35768 diff -urNp linux-3.1.1/drivers/tty/serial/kgdboc.c linux-3.1.1/drivers/tty/serial/kgdboc.c
35769 --- linux-3.1.1/drivers/tty/serial/kgdboc.c     2011-11-11 15:19:27.000000000 -0500
35770 +++ linux-3.1.1/drivers/tty/serial/kgdboc.c     2011-11-16 18:39:08.000000000 -0500
35771 @@ -23,8 +23,9 @@
35772  #define MAX_CONFIG_LEN         40
35773  
35774  static struct kgdb_io          kgdboc_io_ops;
35775 +static struct kgdb_io          kgdboc_io_ops_console;
35776  
35777 -/* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
35778 +/* -1 = init not run yet, 0 = unconfigured, 1/2 = configured. */
35779  static int configured          = -1;
35780  
35781  static char config[MAX_CONFIG_LEN];
35782 @@ -147,6 +148,8 @@ static void cleanup_kgdboc(void)
35783         kgdboc_unregister_kbd();
35784         if (configured == 1)
35785                 kgdb_unregister_io_module(&kgdboc_io_ops);
35786 +       else if (configured == 2)
35787 +               kgdb_unregister_io_module(&kgdboc_io_ops_console);
35788  }
35789  
35790  static int configure_kgdboc(void)
35791 @@ -156,13 +159,13 @@ static int configure_kgdboc(void)
35792         int err;
35793         char *cptr = config;
35794         struct console *cons;
35795 +       int is_console = 0;
35796  
35797         err = kgdboc_option_setup(config);
35798         if (err || !strlen(config) || isspace(config[0]))
35799                 goto noconfig;
35800  
35801         err = -ENODEV;
35802 -       kgdboc_io_ops.is_console = 0;
35803         kgdb_tty_driver = NULL;
35804  
35805         kgdboc_use_kms = 0;
35806 @@ -183,7 +186,7 @@ static int configure_kgdboc(void)
35807                 int idx;
35808                 if (cons->device && cons->device(cons, &idx) == p &&
35809                     idx == tty_line) {
35810 -                       kgdboc_io_ops.is_console = 1;
35811 +                       is_console = 1;
35812                         break;
35813                 }
35814                 cons = cons->next;
35815 @@ -193,12 +196,16 @@ static int configure_kgdboc(void)
35816         kgdb_tty_line = tty_line;
35817  
35818  do_register:
35819 -       err = kgdb_register_io_module(&kgdboc_io_ops);
35820 +       if (is_console) {
35821 +               err = kgdb_register_io_module(&kgdboc_io_ops_console);
35822 +               configured = 2;
35823 +       } else {
35824 +               err = kgdb_register_io_module(&kgdboc_io_ops);
35825 +               configured = 1;
35826 +       }
35827         if (err)
35828                 goto noconfig;
35829  
35830 -       configured = 1;
35831 -
35832         return 0;
35833  
35834  noconfig:
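Review bot: `configured` is now assigned 1 or 2 before the result of `kgdb_register_io_module()` is checked, whereas the removed code set it only after the error test; if the `noconfig` path (outside the hunk) does not reset it to 0, a failed registration leaves `configured >= 1`, and `init_kgdboc()` and `param_set_kgdboc_var()` (later hunks) would then treat the module as configured. Move the assignment after the error check and pick the value from the same `is_console` flag, which also documents what 1 and 2 mean. configure_kgdboc continues outside the hunk.
```c
do_register:
	if (is_console)
		err = kgdb_register_io_module(&kgdboc_io_ops_console);
	else
		err = kgdb_register_io_module(&kgdboc_io_ops);
	if (err)
		goto noconfig;

	/* 2 = registered as the console I/O module, 1 = plain tty */
	configured = is_console ? 2 : 1;

	return 0;
```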
35835 @@ -212,7 +219,7 @@ noconfig:
35836  static int __init init_kgdboc(void)
35837  {
35838         /* Already configured? */
35839 -       if (configured == 1)
35840 +       if (configured >= 1)
35841                 return 0;
35842  
35843         return configure_kgdboc();
35844 @@ -261,7 +268,7 @@ static int param_set_kgdboc_var(const ch
35845         if (config[len - 1] == '\n')
35846                 config[len - 1] = '\0';
35847  
35848 -       if (configured == 1)
35849 +       if (configured >= 1)
35850                 cleanup_kgdboc();
35851  
35852         /* Go and configure with the new params. */
35853 @@ -301,6 +308,15 @@ static struct kgdb_io kgdboc_io_ops = {
35854         .post_exception         = kgdboc_post_exp_handler,
35855  };
35856  
35857 +static struct kgdb_io kgdboc_io_ops_console = {
35858 +       .name                   = "kgdboc",
35859 +       .read_char              = kgdboc_get_char,
35860 +       .write_char             = kgdboc_put_char,
35861 +       .pre_exception          = kgdboc_pre_exp_handler,
35862 +       .post_exception         = kgdboc_post_exp_handler,
35863 +       .is_console             = 1
35864 +};
35865 +
35866  #ifdef CONFIG_KGDB_SERIAL_CONSOLE
35867  /* This is only available if kgdboc is a built in for early debugging */
35868  static int __init kgdboc_early_init(char *opt)
35869 diff -urNp linux-3.1.1/drivers/tty/serial/mfd.c linux-3.1.1/drivers/tty/serial/mfd.c
35870 --- linux-3.1.1/drivers/tty/serial/mfd.c        2011-11-11 15:19:27.000000000 -0500
35871 +++ linux-3.1.1/drivers/tty/serial/mfd.c        2011-11-16 18:39:08.000000000 -0500
35872 @@ -1423,7 +1423,7 @@ static void serial_hsu_remove(struct pci
35873  }
35874  
35875  /* First 3 are UART ports, and the 4th is the DMA */
35876 -static const struct pci_device_id pci_ids[] __devinitdata = {
35877 +static const struct pci_device_id pci_ids[] __devinitconst = {
35878         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081B) },
35879         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081C) },
35880         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081D) },
35881 diff -urNp linux-3.1.1/drivers/tty/serial/mrst_max3110.c linux-3.1.1/drivers/tty/serial/mrst_max3110.c
35882 --- linux-3.1.1/drivers/tty/serial/mrst_max3110.c       2011-11-11 15:19:27.000000000 -0500
35883 +++ linux-3.1.1/drivers/tty/serial/mrst_max3110.c       2011-11-16 18:40:29.000000000 -0500
35884 @@ -393,6 +393,8 @@ static void max3110_con_receive(struct u
35885         int loop = 1, num, total = 0;
35886         u8 recv_buf[512], *pbuf;
35887  
35888 +       pax_track_stack();
35889 +
35890         pbuf = recv_buf;
35891         do {
35892                 num = max3110_read_multi(max, pbuf);
35893 diff -urNp linux-3.1.1/drivers/tty/tty_io.c linux-3.1.1/drivers/tty/tty_io.c
35894 --- linux-3.1.1/drivers/tty/tty_io.c    2011-11-11 15:19:27.000000000 -0500
35895 +++ linux-3.1.1/drivers/tty/tty_io.c    2011-11-16 18:39:08.000000000 -0500
35896 @@ -3238,7 +3238,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
35897  
35898  void tty_default_fops(struct file_operations *fops)
35899  {
35900 -       *fops = tty_fops;
35901 +       memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
35902  }
35903  
35904  /*
35905 diff -urNp linux-3.1.1/drivers/tty/tty_ldisc.c linux-3.1.1/drivers/tty/tty_ldisc.c
35906 --- linux-3.1.1/drivers/tty/tty_ldisc.c 2011-11-11 15:19:27.000000000 -0500
35907 +++ linux-3.1.1/drivers/tty/tty_ldisc.c 2011-11-16 18:39:08.000000000 -0500
35908 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
35909         if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
35910                 struct tty_ldisc_ops *ldo = ld->ops;
35911  
35912 -               ldo->refcount--;
35913 +               atomic_dec(&ldo->refcount);
35914                 module_put(ldo->owner);
35915                 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35916  
35917 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct 
35918         spin_lock_irqsave(&tty_ldisc_lock, flags);
35919         tty_ldiscs[disc] = new_ldisc;
35920         new_ldisc->num = disc;
35921 -       new_ldisc->refcount = 0;
35922 +       atomic_set(&new_ldisc->refcount, 0);
35923         spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35924  
35925         return ret;
35926 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
35927                 return -EINVAL;
35928  
35929         spin_lock_irqsave(&tty_ldisc_lock, flags);
35930 -       if (tty_ldiscs[disc]->refcount)
35931 +       if (atomic_read(&tty_ldiscs[disc]->refcount))
35932                 ret = -EBUSY;
35933         else
35934                 tty_ldiscs[disc] = NULL;
35935 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
35936         if (ldops) {
35937                 ret = ERR_PTR(-EAGAIN);
35938                 if (try_module_get(ldops->owner)) {
35939 -                       ldops->refcount++;
35940 +                       atomic_inc(&ldops->refcount);
35941                         ret = ldops;
35942                 }
35943         }
35944 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
35945         unsigned long flags;
35946  
35947         spin_lock_irqsave(&tty_ldisc_lock, flags);
35948 -       ldops->refcount--;
35949 +       atomic_dec(&ldops->refcount);
35950         module_put(ldops->owner);
35951         spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35952  }
35953 diff -urNp linux-3.1.1/drivers/tty/vt/keyboard.c linux-3.1.1/drivers/tty/vt/keyboard.c
35954 --- linux-3.1.1/drivers/tty/vt/keyboard.c       2011-11-11 15:19:27.000000000 -0500
35955 +++ linux-3.1.1/drivers/tty/vt/keyboard.c       2011-11-16 18:40:29.000000000 -0500
35956 @@ -656,6 +656,16 @@ static void k_spec(struct vc_data *vc, u
35957              kbd->kbdmode == VC_OFF) &&
35958              value != KVAL(K_SAK))
35959                 return;         /* SAK is allowed even in raw mode */
35960 +
35961 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
35962 +       {
35963 +               void *func = fn_handler[value];
35964 +               if (func == fn_show_state || func == fn_show_ptregs ||
35965 +                   func == fn_show_mem)
35966 +                       return;
35967 +       }
35968 +#endif
35969 +
35970         fn_handler[value](vc);
35971  }
35972  
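Review bot: The added block stores a function pointer in an object pointer (`void *func = fn_handler[value];`); converting between function and object pointers is not portable C, and the kernel's `typeof` keeps the real type: `typeof(fn_handler[value]) func = fn_handler[value];`. The block also lacks a comment on why these three handlers are suppressed under the GRKERNSEC_PROC options; something like `/* presumably these dump task/register/memory state to the console and would bypass the /proc restrictions — confirm */` would do, hedged because what the handlers print is not visible here. Note the guard runs regardless of who is at the console, which is worth stating in the same comment if intended.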
35973 diff -urNp linux-3.1.1/drivers/tty/vt/vt.c linux-3.1.1/drivers/tty/vt/vt.c
35974 --- linux-3.1.1/drivers/tty/vt/vt.c     2011-11-11 15:19:27.000000000 -0500
35975 +++ linux-3.1.1/drivers/tty/vt/vt.c     2011-11-16 18:39:08.000000000 -0500
35976 @@ -259,7 +259,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
35977  
35978  static void notify_write(struct vc_data *vc, unsigned int unicode)
35979  {
35980 -       struct vt_notifier_param param = { .vc = vc, unicode = unicode };
35981 +       struct vt_notifier_param param = { .vc = vc, .c = unicode };
35982         atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
35983  }
35984  
35985 diff -urNp linux-3.1.1/drivers/tty/vt/vt_ioctl.c linux-3.1.1/drivers/tty/vt/vt_ioctl.c
35986 --- linux-3.1.1/drivers/tty/vt/vt_ioctl.c       2011-11-11 15:19:27.000000000 -0500
35987 +++ linux-3.1.1/drivers/tty/vt/vt_ioctl.c       2011-11-16 18:40:29.000000000 -0500
35988 @@ -207,9 +207,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
35989         if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
35990                 return -EFAULT;
35991  
35992 -       if (!capable(CAP_SYS_TTY_CONFIG))
35993 -               perm = 0;
35994 -
35995         switch (cmd) {
35996         case KDGKBENT:
35997                 key_map = key_maps[s];
35998 @@ -221,6 +218,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
35999                     val = (i ? K_HOLE : K_NOSUCHMAP);
36000                 return put_user(val, &user_kbe->kb_value);
36001         case KDSKBENT:
36002 +               if (!capable(CAP_SYS_TTY_CONFIG))
36003 +                       perm = 0;
36004 +
36005                 if (!perm)
36006                         return -EPERM;
36007                 if (!i && v == K_NOSUCHMAP) {
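Review bot: Moving the `capable(CAP_SYS_TTY_CONFIG)` test under `case KDSKBENT:` changes nothing for the read path, because the `KDGKBENT` branch visible above it never consults `perm`, but the reason for the move is not stated and the next reader may hoist it back. A one-line comment would fix that: `/* only the set path needs the capability; checking it for KDGKBENT would only log spurious capability denials */` — the logging motive is inferred and should be confirmed. The same move is made in do_kdgkb_ioctl (the next two hunks) for KDSKBSENT.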
36008 @@ -322,9 +322,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry 
36009         int i, j, k;
36010         int ret;
36011  
36012 -       if (!capable(CAP_SYS_TTY_CONFIG))
36013 -               perm = 0;
36014 -
36015         kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
36016         if (!kbs) {
36017                 ret = -ENOMEM;
36018 @@ -358,6 +355,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry 
36019                 kfree(kbs);
36020                 return ((p && *p) ? -EOVERFLOW : 0);
36021         case KDSKBSENT:
36022 +               if (!capable(CAP_SYS_TTY_CONFIG))
36023 +                       perm = 0;
36024 +
36025                 if (!perm) {
36026                         ret = -EPERM;
36027                         goto reterr;
36028 diff -urNp linux-3.1.1/drivers/uio/uio.c linux-3.1.1/drivers/uio/uio.c
36029 --- linux-3.1.1/drivers/uio/uio.c       2011-11-11 15:19:27.000000000 -0500
36030 +++ linux-3.1.1/drivers/uio/uio.c       2011-11-16 18:39:08.000000000 -0500
36031 @@ -25,6 +25,7 @@
36032  #include <linux/kobject.h>
36033  #include <linux/cdev.h>
36034  #include <linux/uio_driver.h>
36035 +#include <asm/local.h>
36036  
36037  #define UIO_MAX_DEVICES                (1U << MINORBITS)
36038  
36039 @@ -32,10 +33,10 @@ struct uio_device {
36040         struct module           *owner;
36041         struct device           *dev;
36042         int                     minor;
36043 -       atomic_t                event;
36044 +       atomic_unchecked_t      event;
36045         struct fasync_struct    *async_queue;
36046         wait_queue_head_t       wait;
36047 -       int                     vma_count;
36048 +       local_t                 vma_count;
36049         struct uio_info         *info;
36050         struct kobject          *map_dir;
36051         struct kobject          *portio_dir;
36052 @@ -242,7 +243,7 @@ static ssize_t show_event(struct device 
36053                           struct device_attribute *attr, char *buf)
36054  {
36055         struct uio_device *idev = dev_get_drvdata(dev);
36056 -       return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
36057 +       return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
36058  }
36059  
36060  static struct device_attribute uio_class_attributes[] = {
36061 @@ -408,7 +409,7 @@ void uio_event_notify(struct uio_info *i
36062  {
36063         struct uio_device *idev = info->uio_dev;
36064  
36065 -       atomic_inc(&idev->event);
36066 +       atomic_inc_unchecked(&idev->event);
36067         wake_up_interruptible(&idev->wait);
36068         kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
36069  }
36070 @@ -461,7 +462,7 @@ static int uio_open(struct inode *inode,
36071         }
36072  
36073         listener->dev = idev;
36074 -       listener->event_count = atomic_read(&idev->event);
36075 +       listener->event_count = atomic_read_unchecked(&idev->event);
36076         filep->private_data = listener;
36077  
36078         if (idev->info->open) {
36079 @@ -512,7 +513,7 @@ static unsigned int uio_poll(struct file
36080                 return -EIO;
36081  
36082         poll_wait(filep, &idev->wait, wait);
36083 -       if (listener->event_count != atomic_read(&idev->event))
36084 +       if (listener->event_count != atomic_read_unchecked(&idev->event))
36085                 return POLLIN | POLLRDNORM;
36086         return 0;
36087  }
36088 @@ -537,7 +538,7 @@ static ssize_t uio_read(struct file *fil
36089         do {
36090                 set_current_state(TASK_INTERRUPTIBLE);
36091  
36092 -               event_count = atomic_read(&idev->event);
36093 +               event_count = atomic_read_unchecked(&idev->event);
36094                 if (event_count != listener->event_count) {
36095                         if (copy_to_user(buf, &event_count, count))
36096                                 retval = -EFAULT;
36097 @@ -606,13 +607,13 @@ static int uio_find_mem_index(struct vm_
36098  static void uio_vma_open(struct vm_area_struct *vma)
36099  {
36100         struct uio_device *idev = vma->vm_private_data;
36101 -       idev->vma_count++;
36102 +       local_inc(&idev->vma_count);
36103  }
36104  
36105  static void uio_vma_close(struct vm_area_struct *vma)
36106  {
36107         struct uio_device *idev = vma->vm_private_data;
36108 -       idev->vma_count--;
36109 +       local_dec(&idev->vma_count);
36110  }
36111  
36112  static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
36113 @@ -823,7 +824,7 @@ int __uio_register_device(struct module 
36114         idev->owner = owner;
36115         idev->info = info;
36116         init_waitqueue_head(&idev->wait);
36117 -       atomic_set(&idev->event, 0);
36118 +       atomic_set_unchecked(&idev->event, 0);
36119  
36120         ret = uio_get_minor(idev);
36121         if (ret)
36122 diff -urNp linux-3.1.1/drivers/usb/atm/cxacru.c linux-3.1.1/drivers/usb/atm/cxacru.c
36123 --- linux-3.1.1/drivers/usb/atm/cxacru.c        2011-11-11 15:19:27.000000000 -0500
36124 +++ linux-3.1.1/drivers/usb/atm/cxacru.c        2011-11-16 18:39:08.000000000 -0500
36125 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
36126                 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
36127                 if (ret < 2)
36128                         return -EINVAL;
36129 -               if (index < 0 || index > 0x7f)
36130 +               if (index > 0x7f)
36131                         return -EINVAL;
36132                 pos += tmp;
36133  
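Review bot: Dropping `index < 0` is only safe if `index` is an unsigned type, and its declaration is outside the hunk. `sscanf` with `%x` performs an unsigned conversion, so if `index` is a plain `int`, inputs with the top bit set become negative, now pass `index > 0x7f`, and reach whatever uses `index` as an offset further down the function. Either confirm the declaration is unsigned or write the bound as `if ((unsigned int)index > 0x7f)`, which stays correct for either type.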
36134 diff -urNp linux-3.1.1/drivers/usb/atm/usbatm.c linux-3.1.1/drivers/usb/atm/usbatm.c
36135 --- linux-3.1.1/drivers/usb/atm/usbatm.c        2011-11-11 15:19:27.000000000 -0500
36136 +++ linux-3.1.1/drivers/usb/atm/usbatm.c        2011-11-16 18:39:08.000000000 -0500
36137 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
36138                 if (printk_ratelimit())
36139                         atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
36140                                 __func__, vpi, vci);
36141 -               atomic_inc(&vcc->stats->rx_err);
36142 +               atomic_inc_unchecked(&vcc->stats->rx_err);
36143                 return;
36144         }
36145  
36146 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
36147                 if (length > ATM_MAX_AAL5_PDU) {
36148                         atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
36149                                   __func__, length, vcc);
36150 -                       atomic_inc(&vcc->stats->rx_err);
36151 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
36152                         goto out;
36153                 }
36154  
36155 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
36156                 if (sarb->len < pdu_length) {
36157                         atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
36158                                   __func__, pdu_length, sarb->len, vcc);
36159 -                       atomic_inc(&vcc->stats->rx_err);
36160 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
36161                         goto out;
36162                 }
36163  
36164                 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
36165                         atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
36166                                   __func__, vcc);
36167 -                       atomic_inc(&vcc->stats->rx_err);
36168 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
36169                         goto out;
36170                 }
36171  
36172 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
36173                         if (printk_ratelimit())
36174                                 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
36175                                         __func__, length);
36176 -                       atomic_inc(&vcc->stats->rx_drop);
36177 +                       atomic_inc_unchecked(&vcc->stats->rx_drop);
36178                         goto out;
36179                 }
36180  
36181 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
36182  
36183                 vcc->push(vcc, skb);
36184  
36185 -               atomic_inc(&vcc->stats->rx);
36186 +               atomic_inc_unchecked(&vcc->stats->rx);
36187         out:
36188                 skb_trim(sarb, 0);
36189         }
36190 @@ -615,7 +615,7 @@ static void usbatm_tx_process(unsigned l
36191                         struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
36192  
36193                         usbatm_pop(vcc, skb);
36194 -                       atomic_inc(&vcc->stats->tx);
36195 +                       atomic_inc_unchecked(&vcc->stats->tx);
36196  
36197                         skb = skb_dequeue(&instance->sndqueue);
36198                 }
36199 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
36200         if (!left--)
36201                 return sprintf(page,
36202                                "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
36203 -                              atomic_read(&atm_dev->stats.aal5.tx),
36204 -                              atomic_read(&atm_dev->stats.aal5.tx_err),
36205 -                              atomic_read(&atm_dev->stats.aal5.rx),
36206 -                              atomic_read(&atm_dev->stats.aal5.rx_err),
36207 -                              atomic_read(&atm_dev->stats.aal5.rx_drop));
36208 +                              atomic_read_unchecked(&atm_dev->stats.aal5.tx),
36209 +                              atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
36210 +                              atomic_read_unchecked(&atm_dev->stats.aal5.rx),
36211 +                              atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
36212 +                              atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
36213  
36214         if (!left--) {
36215                 if (instance->disconnected)
36216 diff -urNp linux-3.1.1/drivers/usb/core/devices.c linux-3.1.1/drivers/usb/core/devices.c
36217 --- linux-3.1.1/drivers/usb/core/devices.c      2011-11-11 15:19:27.000000000 -0500
36218 +++ linux-3.1.1/drivers/usb/core/devices.c      2011-11-16 18:39:08.000000000 -0500
36219 @@ -126,7 +126,7 @@ static const char format_endpt[] =
36220   * time it gets called.
36221   */
36222  static struct device_connect_event {
36223 -       atomic_t count;
36224 +       atomic_unchecked_t count;
36225         wait_queue_head_t wait;
36226  } device_event = {
36227         .count = ATOMIC_INIT(1),
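Review bot: `.count = ATOMIC_INIT(1)` on the last line of the hunk still initialises the field that is now `atomic_unchecked_t`; this compiles only because `ATOMIC_INIT()` expands to a plain brace initialiser with no type attached, so the type change is tolerated rather than checked. If this patch provides a dedicated initialiser for the unchecked type, using it here would keep the declaration self-consistent; otherwise a short comment such as `/* ATOMIC_INIT is layout-compatible with atomic_unchecked_t */` would spare the next reader a detour.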
36228 @@ -164,7 +164,7 @@ static const struct class_info clas_info
36229  
36230  void usbfs_conn_disc_event(void)
36231  {
36232 -       atomic_add(2, &device_event.count);
36233 +       atomic_add_unchecked(2, &device_event.count);
36234         wake_up(&device_event.wait);
36235  }
36236  
36237 @@ -648,7 +648,7 @@ static unsigned int usb_device_poll(stru
36238  
36239         poll_wait(file, &device_event.wait, wait);
36240  
36241 -       event_count = atomic_read(&device_event.count);
36242 +       event_count = atomic_read_unchecked(&device_event.count);
36243         if (file->f_version != event_count) {
36244                 file->f_version = event_count;
36245                 return POLLIN | POLLRDNORM;
36246 diff -urNp linux-3.1.1/drivers/usb/core/message.c linux-3.1.1/drivers/usb/core/message.c
36247 --- linux-3.1.1/drivers/usb/core/message.c      2011-11-11 15:19:27.000000000 -0500
36248 +++ linux-3.1.1/drivers/usb/core/message.c      2011-11-16 18:39:08.000000000 -0500
36249 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
36250         buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
36251         if (buf) {
36252                 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
36253 -               if (len > 0) {
36254 -                       smallbuf = kmalloc(++len, GFP_NOIO);
36255 +               if (len++ > 0) {
36256 +                       smallbuf = kmalloc(len, GFP_NOIO);
36257                         if (!smallbuf)
36258                                 return buf;
36259                         memcpy(smallbuf, buf, len);
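Review bot: `if (len++ > 0)` on the new side folds the +1 for the terminating NUL into the condition, which reads like an off-by-one at first glance and also increments `len` on the `len <= 0` path, where the value is then dead. The intent would be clearer with the increment kept out of the condition, e.g. `if (len > 0) {` followed by `len++; /* include the NUL that the memcpy below copies along */` before the `kmalloc(len, GFP_NOIO)`. If the rewrite exists to keep a pre-increment out of an allocation-size argument for a size checker, a comment saying so would stop a later cleanup from reverting it. The body of usb_cache_string continues past the end of the hunk.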
36260 diff -urNp linux-3.1.1/drivers/usb/early/ehci-dbgp.c linux-3.1.1/drivers/usb/early/ehci-dbgp.c
36261 --- linux-3.1.1/drivers/usb/early/ehci-dbgp.c   2011-11-11 15:19:27.000000000 -0500
36262 +++ linux-3.1.1/drivers/usb/early/ehci-dbgp.c   2011-11-16 18:39:08.000000000 -0500
36263 @@ -97,7 +97,8 @@ static inline u32 dbgp_len_update(u32 x,
36264  
36265  #ifdef CONFIG_KGDB
36266  static struct kgdb_io kgdbdbgp_io_ops;
36267 -#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
36268 +static struct kgdb_io kgdbdbgp_io_ops_console;
36269 +#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops || dbg_io_ops == &kgdbdbgp_io_ops_console)
36270  #else
36271  #define dbgp_kgdb_mode (0)
36272  #endif
36273 @@ -1035,6 +1036,13 @@ static struct kgdb_io kgdbdbgp_io_ops = 
36274         .write_char = kgdbdbgp_write_char,
36275  };
36276  
36277 +static struct kgdb_io kgdbdbgp_io_ops_console = {
36278 +       .name = "kgdbdbgp",
36279 +       .read_char = kgdbdbgp_read_char,
36280 +       .write_char = kgdbdbgp_write_char,
36281 +       .is_console = 1
36282 +};
36283 +
36284  static int kgdbdbgp_wait_time;
36285  
36286  static int __init kgdbdbgp_parse_config(char *str)
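Review bot: `kgdbdbgp_io_ops_console` repeats `.name`, `.read_char` and `.write_char` of `kgdbdbgp_io_ops` and differs only in `.is_console = 1`, and nothing in the hunk says why a second table is needed instead of the single runtime assignment to `.is_console` that the @@ -1050 hunk removes; presumably the point is that the ops tables are never written after initialisation so they can live in read-only memory. A comment above the definition, e.g. `/* Same ops as kgdbdbgp_io_ops but flagged as console; two static tables so neither is modified at runtime */`, would record that and warn that any callback added to one table must be added to the other. If the registration API takes a `const struct kgdb_io *` in this patch, both definitions could also carry `const` here.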
36287 @@ -1050,8 +1058,10 @@ static int __init kgdbdbgp_parse_config(
36288                 ptr++;
36289                 kgdbdbgp_wait_time = simple_strtoul(ptr, &ptr, 10);
36290         }
36291 -       kgdb_register_io_module(&kgdbdbgp_io_ops);
36292 -       kgdbdbgp_io_ops.is_console = early_dbgp_console.index != -1;
36293 +       if (early_dbgp_console.index != -1)
36294 +               kgdb_register_io_module(&kgdbdbgp_io_ops_console);
36295 +       else
36296 +               kgdb_register_io_module(&kgdbdbgp_io_ops);
36297  
36298         return 0;
36299  }
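Review bot: Both new branches drop the return value of `kgdb_register_io_module()`, and `kgdbdbgp_parse_config()` then returns 0 unconditionally, so a registration that fails (the kgdb core refuses a second I/O module) is silent and the console/non-console choice made just above leaves no trace. The original code had the same omission, but since the call sites are rewritten here anyway, capturing the result and logging it, e.g. `printk(KERN_WARNING "kgdbdbgp: I/O module registration failed\n");` on a non-zero return, would make the failure visible. The start of the function is outside the hunk.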
36300 diff -urNp linux-3.1.1/drivers/usb/host/xhci-mem.c linux-3.1.1/drivers/usb/host/xhci-mem.c
36301 --- linux-3.1.1/drivers/usb/host/xhci-mem.c     2011-11-11 15:19:27.000000000 -0500
36302 +++ linux-3.1.1/drivers/usb/host/xhci-mem.c     2011-11-16 18:40:29.000000000 -0500
36303 @@ -1690,6 +1690,8 @@ static int xhci_check_trb_in_td_math(str
36304         unsigned int num_tests;
36305         int i, ret;
36306  
36307 +       pax_track_stack();
36308 +
36309         num_tests = ARRAY_SIZE(simple_test_vector);
36310         for (i = 0; i < num_tests; i++) {
36311                 ret = xhci_test_trb_in_td(xhci,
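Review bot: `pax_track_stack()` is dropped into `xhci_check_trb_in_td_math()` without a comment saying what it does or why this function qualifies (presumably the stack-usage tracking for functions with a large frame, here from the test vectors — confirm against the hook's definition), and the same applies to the insertions in `fb_set_var()` and `do_fb_ioctl()` in the drivers/video/fbmem.c hunks at @@ -939 and @@ -1064 below. Since the call has to sit before the first stack-consuming statement, a one-liner such as `/* large stack frame: record stack depth before use (pax_track_stack) */` would stop it being moved or removed as dead code. Each of the three functions starts outside its hunk.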
36312 diff -urNp linux-3.1.1/drivers/usb/wusbcore/wa-hc.h linux-3.1.1/drivers/usb/wusbcore/wa-hc.h
36313 --- linux-3.1.1/drivers/usb/wusbcore/wa-hc.h    2011-11-11 15:19:27.000000000 -0500
36314 +++ linux-3.1.1/drivers/usb/wusbcore/wa-hc.h    2011-11-16 18:39:08.000000000 -0500
36315 @@ -192,7 +192,7 @@ struct wahc {
36316         struct list_head xfer_delayed_list;
36317         spinlock_t xfer_list_lock;
36318         struct work_struct xfer_work;
36319 -       atomic_t xfer_id_count;
36320 +       atomic_unchecked_t xfer_id_count;
36321  };
36322  
36323  
36324 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
36325         INIT_LIST_HEAD(&wa->xfer_delayed_list);
36326         spin_lock_init(&wa->xfer_list_lock);
36327         INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
36328 -       atomic_set(&wa->xfer_id_count, 1);
36329 +       atomic_set_unchecked(&wa->xfer_id_count, 1);
36330  }
36331  
36332  /**
36333 diff -urNp linux-3.1.1/drivers/usb/wusbcore/wa-xfer.c linux-3.1.1/drivers/usb/wusbcore/wa-xfer.c
36334 --- linux-3.1.1/drivers/usb/wusbcore/wa-xfer.c  2011-11-11 15:19:27.000000000 -0500
36335 +++ linux-3.1.1/drivers/usb/wusbcore/wa-xfer.c  2011-11-16 18:39:08.000000000 -0500
36336 @@ -295,7 +295,7 @@ out:
36337   */
36338  static void wa_xfer_id_init(struct wa_xfer *xfer)
36339  {
36340 -       xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
36341 +       xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
36342  }
36343  
36344  /*
36345 diff -urNp linux-3.1.1/drivers/vhost/vhost.c linux-3.1.1/drivers/vhost/vhost.c
36346 --- linux-3.1.1/drivers/vhost/vhost.c   2011-11-11 15:19:27.000000000 -0500
36347 +++ linux-3.1.1/drivers/vhost/vhost.c   2011-11-16 18:39:08.000000000 -0500
36348 @@ -629,7 +629,7 @@ static long vhost_set_memory(struct vhos
36349         return 0;
36350  }
36351  
36352 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
36353 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
36354  {
36355         struct file *eventfp, *filep = NULL,
36356                     *pollstart = NULL, *pollstop = NULL;
36357 diff -urNp linux-3.1.1/drivers/video/aty/aty128fb.c linux-3.1.1/drivers/video/aty/aty128fb.c
36358 --- linux-3.1.1/drivers/video/aty/aty128fb.c    2011-11-11 15:19:27.000000000 -0500
36359 +++ linux-3.1.1/drivers/video/aty/aty128fb.c    2011-11-16 18:39:08.000000000 -0500
36360 @@ -148,7 +148,7 @@ enum {
36361  };
36362  
36363  /* Must match above enum */
36364 -static const char *r128_family[] __devinitdata = {
36365 +static const char *r128_family[] __devinitconst = {
36366         "AGP",
36367         "PCI",
36368         "PRO AGP",
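Review bot: `__devinitconst` moves `r128_family` into a read-only section, but the object itself is not const: `const char *r128_family[]` is an array of writable pointers to const characters, so the compiler still treats the array as mutable while the linker places it in rodata. Declaring it `static const char * const r128_family[] __devinitconst = {` makes the declaration match the section and turns any accidental store into a compile error. The same applies to `i810_pci_list` in the drivers/video/i810/i810_main.c hunk below; the `fb_videomode` and `fb_fix_screeninfo` conversions elsewhere in this chunk are already `const` objects and are fine.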
36369 diff -urNp linux-3.1.1/drivers/video/fbcmap.c linux-3.1.1/drivers/video/fbcmap.c
36370 --- linux-3.1.1/drivers/video/fbcmap.c  2011-11-11 15:19:27.000000000 -0500
36371 +++ linux-3.1.1/drivers/video/fbcmap.c  2011-11-16 18:39:08.000000000 -0500
36372 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
36373                 rc = -ENODEV;
36374                 goto out;
36375         }
36376 -       if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
36377 -                               !info->fbops->fb_setcmap)) {
36378 +       if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
36379                 rc = -EINVAL;
36380                 goto out1;
36381         }
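Review bot: Dropping `cmap->start < 0` is correct only because `start` is an unsigned (`__u32`) field of the user-supplied `struct fb_cmap_user`, which made the test always false; a reader seeing a lower-bound check removed from ioctl input cannot tell that from the hunk. A short comment such as `/* start is __u32, so only an upper bound can be violated */` would keep the removal from looking like a dropped validation. The same holds for `con2fb.framebuffer` in the drivers/video/fbmem.c hunk at @@ -1143 below, where the remaining `>= FB_MAX` test is what protects the `registered_fb[]` index.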
36382 diff -urNp linux-3.1.1/drivers/video/fbmem.c linux-3.1.1/drivers/video/fbmem.c
36383 --- linux-3.1.1/drivers/video/fbmem.c   2011-11-11 15:19:27.000000000 -0500
36384 +++ linux-3.1.1/drivers/video/fbmem.c   2011-11-16 18:40:29.000000000 -0500
36385 @@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_in
36386                         image->dx += image->width + 8;
36387                 }
36388         } else if (rotate == FB_ROTATE_UD) {
36389 -               for (x = 0; x < num && image->dx >= 0; x++) {
36390 +               for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
36391                         info->fbops->fb_imageblit(info, image);
36392                         image->dx -= image->width + 8;
36393                 }
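Review bot: The `(__s32)image->dx >= 0` cast on the new side only makes sense because `dx` is an unsigned field that the `image->dx -= image->width + 8` on the following line is allowed to wrap, and nothing in the hunk says so; the same applies to `dy` in the @@ -440 hunk below. A one-line comment at the loop, e.g. `/* dx is __u32: the cast catches the wrap from the subtraction below */`, would keep the cast from being "cleaned up" back into the always-true unsigned comparison. Converting an out-of-range unsigned value to `__s32` is implementation-defined in C, so this also relies on the kernel's assumption of two's-complement wraparound. fb_do_show_logo starts outside the hunk.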
36394 @@ -440,7 +440,7 @@ static void fb_do_show_logo(struct fb_in
36395                         image->dy += image->height + 8;
36396                 }
36397         } else if (rotate == FB_ROTATE_CCW) {
36398 -               for (x = 0; x < num && image->dy >= 0; x++) {
36399 +               for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
36400                         info->fbops->fb_imageblit(info, image);
36401                         image->dy -= image->height + 8;
36402                 }
36403 @@ -939,6 +939,8 @@ fb_set_var(struct fb_info *info, struct 
36404         int flags = info->flags;
36405         int ret = 0;
36406  
36407 +       pax_track_stack();
36408 +
36409         if (var->activate & FB_ACTIVATE_INV_MODE) {
36410                 struct fb_videomode mode1, mode2;
36411  
36412 @@ -1064,6 +1066,8 @@ static long do_fb_ioctl(struct fb_info *
36413         void __user *argp = (void __user *)arg;
36414         long ret = 0;
36415  
36416 +       pax_track_stack();
36417 +
36418         switch (cmd) {
36419         case FBIOGET_VSCREENINFO:
36420                 if (!lock_fb_info(info))
36421 @@ -1143,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *
36422                         return -EFAULT;
36423                 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
36424                         return -EINVAL;
36425 -               if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
36426 +               if (con2fb.framebuffer >= FB_MAX)
36427                         return -EINVAL;
36428                 if (!registered_fb[con2fb.framebuffer])
36429                         request_module("fb%d", con2fb.framebuffer);
36430 diff -urNp linux-3.1.1/drivers/video/geode/gx1fb_core.c linux-3.1.1/drivers/video/geode/gx1fb_core.c
36431 --- linux-3.1.1/drivers/video/geode/gx1fb_core.c        2011-11-11 15:19:27.000000000 -0500
36432 +++ linux-3.1.1/drivers/video/geode/gx1fb_core.c        2011-11-16 18:39:08.000000000 -0500
36433 @@ -29,7 +29,7 @@ static int  crt_option = 1;
36434  static char panel_option[32] = "";
36435  
36436  /* Modes relevant to the GX1 (taken from modedb.c) */
36437 -static const struct fb_videomode __devinitdata gx1_modedb[] = {
36438 +static const struct fb_videomode __devinitconst gx1_modedb[] = {
36439         /* 640x480-60 VESA */
36440         { NULL, 60, 640, 480, 39682,  48, 16, 33, 10, 96, 2,
36441           0, FB_VMODE_NONINTERLACED, FB_MODE_IS_VESA },
36442 diff -urNp linux-3.1.1/drivers/video/gxt4500.c linux-3.1.1/drivers/video/gxt4500.c
36443 --- linux-3.1.1/drivers/video/gxt4500.c 2011-11-11 15:19:27.000000000 -0500
36444 +++ linux-3.1.1/drivers/video/gxt4500.c 2011-11-16 18:39:08.000000000 -0500
36445 @@ -156,7 +156,7 @@ struct gxt4500_par {
36446  static char *mode_option;
36447  
36448  /* default mode: 1280x1024 @ 60 Hz, 8 bpp */
36449 -static const struct fb_videomode defaultmode __devinitdata = {
36450 +static const struct fb_videomode defaultmode __devinitconst = {
36451         .refresh = 60,
36452         .xres = 1280,
36453         .yres = 1024,
36454 @@ -581,7 +581,7 @@ static int gxt4500_blank(int blank, stru
36455         return 0;
36456  }
36457  
36458 -static const struct fb_fix_screeninfo gxt4500_fix __devinitdata = {
36459 +static const struct fb_fix_screeninfo gxt4500_fix __devinitconst = {
36460         .id = "IBM GXT4500P",
36461         .type = FB_TYPE_PACKED_PIXELS,
36462         .visual = FB_VISUAL_PSEUDOCOLOR,
36463 diff -urNp linux-3.1.1/drivers/video/i810/i810_accel.c linux-3.1.1/drivers/video/i810/i810_accel.c
36464 --- linux-3.1.1/drivers/video/i810/i810_accel.c 2011-11-11 15:19:27.000000000 -0500
36465 +++ linux-3.1.1/drivers/video/i810/i810_accel.c 2011-11-16 18:39:08.000000000 -0500
36466 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct 
36467                 }
36468         }
36469         printk("ringbuffer lockup!!!\n");
36470 +       printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
36471         i810_report_error(mmio); 
36472         par->dev_flags |= LOCKUP;
36473         info->pixmap.scan_align = 1;
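Review bot: The new `printk()` has no `KERN_*` level, so it inherits the default and will not be filtered together with the `"ringbuffer lockup!!!"` line above it; since it diagnoses a hardware lockup, `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` is the fitting level (and the existing line would benefit from the same). The `%u` conversions assume all four values are unsigned 32-bit; `head`, `tail` and `space` are declared outside the hunk, so that could not be verified here. wait_for_space begins before the hunk.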
36474 diff -urNp linux-3.1.1/drivers/video/i810/i810_main.c linux-3.1.1/drivers/video/i810/i810_main.c
36475 --- linux-3.1.1/drivers/video/i810/i810_main.c  2011-11-11 15:19:27.000000000 -0500
36476 +++ linux-3.1.1/drivers/video/i810/i810_main.c  2011-11-16 18:39:08.000000000 -0500
36477 @@ -97,7 +97,7 @@ static int i810fb_blank      (int blank_
36478  static void i810fb_release_resource       (struct fb_info *info, struct i810fb_par *par);
36479  
36480  /* PCI */
36481 -static const char *i810_pci_list[] __devinitdata = {
36482 +static const char *i810_pci_list[] __devinitconst = {
36483         "Intel(R) 810 Framebuffer Device"                                 ,
36484         "Intel(R) 810-DC100 Framebuffer Device"                           ,
36485         "Intel(R) 810E Framebuffer Device"                                ,
36486 diff -urNp linux-3.1.1/drivers/video/jz4740_fb.c linux-3.1.1/drivers/video/jz4740_fb.c
36487 --- linux-3.1.1/drivers/video/jz4740_fb.c       2011-11-11 15:19:27.000000000 -0500
36488 +++ linux-3.1.1/drivers/video/jz4740_fb.c       2011-11-16 18:39:08.000000000 -0500
36489 @@ -136,7 +136,7 @@ struct jzfb {
36490         uint32_t pseudo_palette[16];
36491  };
36492  
36493 -static const struct fb_fix_screeninfo jzfb_fix __devinitdata = {
36494 +static const struct fb_fix_screeninfo jzfb_fix __devinitconst = {
36495         .id             = "JZ4740 FB",
36496         .type           = FB_TYPE_PACKED_PIXELS,
36497         .visual         = FB_VISUAL_TRUECOLOR,
36498 diff -urNp linux-3.1.1/drivers/video/logo/logo_linux_clut224.ppm linux-3.1.1/drivers/video/logo/logo_linux_clut224.ppm
36499 --- linux-3.1.1/drivers/video/logo/logo_linux_clut224.ppm       2011-11-11 15:19:27.000000000 -0500
36500 +++ linux-3.1.1/drivers/video/logo/logo_linux_clut224.ppm       2011-11-16 18:40:29.000000000 -0500
36501 @@ -1,1604 +1,1123 @@
36502  P3
36503 -# Standard 224-color Linux logo
36504  80 80
36505  255
36506 -  0   0   0   0   0   0   0   0   0   0   0   0
36507 -  0   0   0   0   0   0   0   0   0   0   0   0
36508 -  0   0   0   0   0   0   0   0   0   0   0   0
36509 -  0   0   0   0   0   0   0   0   0   0   0   0
36510 -  0   0   0   0   0   0   0   0   0   0   0   0
36511 -  0   0   0   0   0   0   0   0   0   0   0   0
36512 -  0   0   0   0   0   0   0   0   0   0   0   0
36513 -  0   0   0   0   0   0   0   0   0   0   0   0
36514 -  0   0   0   0   0   0   0   0   0   0   0   0
36515 -  6   6   6   6   6   6  10  10  10  10  10  10
36516 - 10  10  10   6   6   6   6   6   6   6   6   6
36517 -  0   0   0   0   0   0   0   0   0   0   0   0
36518 -  0   0   0   0   0   0   0   0   0   0   0   0
36519 -  0   0   0   0   0   0   0   0   0   0   0   0
36520 -  0   0   0   0   0   0   0   0   0   0   0   0
36521 -  0   0   0   0   0   0   0   0   0   0   0   0
36522 -  0   0   0   0   0   0   0   0   0   0   0   0
36523 -  0   0   0   0   0   0   0   0   0   0   0   0
36524 -  0   0   0   0   0   0   0   0   0   0   0   0
36525 -  0   0   0   0   0   0   0   0   0   0   0   0
36526 -  0   0   0   0   0   0   0   0   0   0   0   0
36527 -  0   0   0   0   0   0   0   0   0   0   0   0
36528 -  0   0   0   0   0   0   0   0   0   0   0   0
36529 -  0   0   0   0   0   0   0   0   0   0   0   0
36530 -  0   0   0   0   0   0   0   0   0   0   0   0
36531 -  0   0   0   0   0   0   0   0   0   0   0   0
36532 -  0   0   0   0   0   0   0   0   0   0   0   0
36533 -  0   0   0   0   0   0   0   0   0   0   0   0
36534 -  0   0   0   6   6   6  10  10  10  14  14  14
36535 - 22  22  22  26  26  26  30  30  30  34  34  34
36536 - 30  30  30  30  30  30  26  26  26  18  18  18
36537 - 14  14  14  10  10  10   6   6   6   0   0   0
36538 -  0   0   0   0   0   0   0   0   0   0   0   0
36539 -  0   0   0   0   0   0   0   0   0   0   0   0
36540 -  0   0   0   0   0   0   0   0   0   0   0   0
36541 -  0   0   0   0   0   0   0   0   0   0   0   0
36542 -  0   0   0   0   0   0   0   0   0   0   0   0
36543 -  0   0   0   0   0   0   0   0   0   0   0   0
36544 -  0   0   0   0   0   0   0   0   0   0   0   0
36545 -  0   0   0   0   0   0   0   0   0   0   0   0
36546 -  0   0   0   0   0   0   0   0   0   0   0   0
36547 -  0   0   0   0   0   1   0   0   1   0   0   0
36548 -  0   0   0   0   0   0   0   0   0   0   0   0
36549 -  0   0   0   0   0   0   0   0   0   0   0   0
36550 -  0   0   0   0   0   0   0   0   0   0   0   0
36551 -  0   0   0   0   0   0   0   0   0   0   0   0
36552 -  0   0   0   0   0   0   0   0   0   0   0   0
36553 -  0   0   0   0   0   0   0   0   0   0   0   0
36554 -  6   6   6  14  14  14  26  26  26  42  42  42
36555 - 54  54  54  66  66  66  78  78  78  78  78  78
36556 - 78  78  78  74  74  74  66  66  66  54  54  54
36557 - 42  42  42  26  26  26  18  18  18  10  10  10
36558 -  6   6   6   0   0   0   0   0   0   0   0   0
36559 -  0   0   0   0   0   0   0   0   0   0   0   0
36560 -  0   0   0   0   0   0   0   0   0   0   0   0
36561 -  0   0   0   0   0   0   0   0   0   0   0   0
36562 -  0   0   0   0   0   0   0   0   0   0   0   0
36563 -  0   0   0   0   0   0   0   0   0   0   0   0
36564 -  0   0   0   0   0   0   0   0   0   0   0   0
36565 -  0   0   0   0   0   0   0   0   0   0   0   0
36566 -  0   0   0   0   0   0   0   0   0   0   0   0
36567 -  0   0   1   0   0   0   0   0   0   0   0   0
36568 -  0   0   0   0   0   0   0   0   0   0   0   0
36569 -  0   0   0   0   0   0   0   0   0   0   0   0
36570 -  0   0   0   0   0   0   0   0   0   0   0   0
36571 -  0   0   0   0   0   0   0   0   0   0   0   0
36572 -  0   0   0   0   0   0   0   0   0   0   0   0
36573 -  0   0   0   0   0   0   0   0   0  10  10  10
36574 - 22  22  22  42  42  42  66  66  66  86  86  86
36575 - 66  66  66  38  38  38  38  38  38  22  22  22
36576 - 26  26  26  34  34  34  54  54  54  66  66  66
36577 - 86  86  86  70  70  70  46  46  46  26  26  26
36578 - 14  14  14   6   6   6   0   0   0   0   0   0
36579 -  0   0   0   0   0   0   0   0   0   0   0   0
36580 -  0   0   0   0   0   0   0   0   0   0   0   0
36581 -  0   0   0   0   0   0   0   0   0   0   0   0
36582 -  0   0   0   0   0   0   0   0   0   0   0   0
36583 -  0   0   0   0   0   0   0   0   0   0   0   0
36584 -  0   0   0   0   0   0   0   0   0   0   0   0
36585 -  0   0   0   0   0   0   0   0   0   0   0   0
36586 -  0   0   0   0   0   0   0   0   0   0   0   0
36587 -  0   0   1   0   0   1   0   0   1   0   0   0
36588 -  0   0   0   0   0   0   0   0   0   0   0   0
36589 -  0   0   0   0   0   0   0   0   0   0   0   0
36590 -  0   0   0   0   0   0   0   0   0   0   0   0
36591 -  0   0   0   0   0   0   0   0   0   0   0   0
36592 -  0   0   0   0   0   0   0   0   0   0   0   0
36593 -  0   0   0   0   0   0  10  10  10  26  26  26
36594 - 50  50  50  82  82  82  58  58  58   6   6   6
36595 -  2   2   6   2   2   6   2   2   6   2   2   6
36596 -  2   2   6   2   2   6   2   2   6   2   2   6
36597 -  6   6   6  54  54  54  86  86  86  66  66  66
36598 - 38  38  38  18  18  18   6   6   6   0   0   0
36599 -  0   0   0   0   0   0   0   0   0   0   0   0
36600 -  0   0   0   0   0   0   0   0   0   0   0   0
36601 -  0   0   0   0   0   0   0   0   0   0   0   0
36602 -  0   0   0   0   0   0   0   0   0   0   0   0
36603 -  0   0   0   0   0   0   0   0   0   0   0   0
36604 -  0   0   0   0   0   0   0   0   0   0   0   0
36605 -  0   0   0   0   0   0   0   0   0   0   0   0
36606 -  0   0   0   0   0   0   0   0   0   0   0   0
36607 -  0   0   0   0   0   0   0   0   0   0   0   0
36608 -  0   0   0   0   0   0   0   0   0   0   0   0
36609 -  0   0   0   0   0   0   0   0   0   0   0   0
36610 -  0   0   0   0   0   0   0   0   0   0   0   0
36611 -  0   0   0   0   0   0   0   0   0   0   0   0
36612 -  0   0   0   0   0   0   0   0   0   0   0   0
36613 -  0   0   0   6   6   6  22  22  22  50  50  50
36614 - 78  78  78  34  34  34   2   2   6   2   2   6
36615 -  2   2   6   2   2   6   2   2   6   2   2   6
36616 -  2   2   6   2   2   6   2   2   6   2   2   6
36617 -  2   2   6   2   2   6   6   6   6  70  70  70
36618 - 78  78  78  46  46  46  22  22  22   6   6   6
36619 -  0   0   0   0   0   0   0   0   0   0   0   0
36620 -  0   0   0   0   0   0   0   0   0   0   0   0
36621 -  0   0   0   0   0   0   0   0   0   0   0   0
36622 -  0   0   0   0   0   0   0   0   0   0   0   0
36623 -  0   0   0   0   0   0   0   0   0   0   0   0
36624 -  0   0   0   0   0   0   0   0   0   0   0   0
36625 -  0   0   0   0   0   0   0   0   0   0   0   0
36626 -  0   0   0   0   0   0   0   0   0   0   0   0
36627 -  0   0   1   0   0   1   0   0   1   0   0   0
36628 -  0   0   0   0   0   0   0   0   0   0   0   0
36629 -  0   0   0   0   0   0   0   0   0   0   0   0
36630 -  0   0   0   0   0   0   0   0   0   0   0   0
36631 -  0   0   0   0   0   0   0   0   0   0   0   0
36632 -  0   0   0   0   0   0   0   0   0   0   0   0
36633 -  6   6   6  18  18  18  42  42  42  82  82  82
36634 - 26  26  26   2   2   6   2   2   6   2   2   6
36635 -  2   2   6   2   2   6   2   2   6   2   2   6
36636 -  2   2   6   2   2   6   2   2   6  14  14  14
36637 - 46  46  46  34  34  34   6   6   6   2   2   6
36638 - 42  42  42  78  78  78  42  42  42  18  18  18
36639 -  6   6   6   0   0   0   0   0   0   0   0   0
36640 -  0   0   0   0   0   0   0   0   0   0   0   0
36641 -  0   0   0   0   0   0   0   0   0   0   0   0
36642 -  0   0   0   0   0   0   0   0   0   0   0   0
36643 -  0   0   0   0   0   0   0   0   0   0   0   0
36644 -  0   0   0   0   0   0   0   0   0   0   0   0
36645 -  0   0   0   0   0   0   0   0   0   0   0   0
36646 -  0   0   0   0   0   0   0   0   0   0   0   0
36647 -  0   0   1   0   0   0   0   0   1   0   0   0
36648 -  0   0   0   0   0   0   0   0   0   0   0   0
36649 -  0   0   0   0   0   0   0   0   0   0   0   0
36650 -  0   0   0   0   0   0   0   0   0   0   0   0
36651 -  0   0   0   0   0   0   0   0   0   0   0   0
36652 -  0   0   0   0   0   0   0   0   0   0   0   0
36653 - 10  10  10  30  30  30  66  66  66  58  58  58
36654 -  2   2   6   2   2   6   2   2   6   2   2   6
36655 -  2   2   6   2   2   6   2   2   6   2   2   6
36656 -  2   2   6   2   2   6   2   2   6  26  26  26
36657 - 86  86  86 101 101 101  46  46  46  10  10  10
36658 -  2   2   6  58  58  58  70  70  70  34  34  34
36659 - 10  10  10   0   0   0   0   0   0   0   0   0
36660 -  0   0   0   0   0   0   0   0   0   0   0   0
36661 -  0   0   0   0   0   0   0   0   0   0   0   0
36662 -  0   0   0   0   0   0   0   0   0   0   0   0
36663 -  0   0   0   0   0   0   0   0   0   0   0   0
36664 -  0   0   0   0   0   0   0   0   0   0   0   0
36665 -  0   0   0   0   0   0   0   0   0   0   0   0
36666 -  0   0   0   0   0   0   0   0   0   0   0   0
36667 -  0   0   1   0   0   1   0   0   1   0   0   0
36668 -  0   0   0   0   0   0   0   0   0   0   0   0
36669 -  0   0   0   0   0   0   0   0   0   0   0   0
36670 -  0   0   0   0   0   0   0   0   0   0   0   0
36671 -  0   0   0   0   0   0   0   0   0   0   0   0
36672 -  0   0   0   0   0   0   0   0   0   0   0   0
36673 - 14  14  14  42  42  42  86  86  86  10  10  10
36674 -  2   2   6   2   2   6   2   2   6   2   2   6
36675 -  2   2   6   2   2   6   2   2   6   2   2   6
36676 -  2   2   6   2   2   6   2   2   6  30  30  30
36677 - 94  94  94  94  94  94  58  58  58  26  26  26
36678 -  2   2   6   6   6   6  78  78  78  54  54  54
36679 - 22  22  22   6   6   6   0   0   0   0   0   0
36680 -  0   0   0   0   0   0   0   0   0   0   0   0
36681 -  0   0   0   0   0   0   0   0   0   0   0   0
36682 -  0   0   0   0   0   0   0   0   0   0   0   0
36683 -  0   0   0   0   0   0   0   0   0   0   0   0
36684 -  0   0   0   0   0   0   0   0   0   0   0   0
36685 -  0   0   0   0   0   0   0   0   0   0   0   0
36686 -  0   0   0   0   0   0   0   0   0   0   0   0
36687 -  0   0   0   0   0   0   0   0   0   0   0   0
36688 -  0   0   0   0   0   0   0   0   0   0   0   0
36689 -  0   0   0   0   0   0   0   0   0   0   0   0
36690 -  0   0   0   0   0   0   0   0   0   0   0   0
36691 -  0   0   0   0   0   0   0   0   0   0   0   0
36692 -  0   0   0   0   0   0   0   0   0   6   6   6
36693 - 22  22  22  62  62  62  62  62  62   2   2   6
36694 -  2   2   6   2   2   6   2   2   6   2   2   6
36695 -  2   2   6   2   2   6   2   2   6   2   2   6
36696 -  2   2   6   2   2   6   2   2   6  26  26  26
36697 - 54  54  54  38  38  38  18  18  18  10  10  10
36698 -  2   2   6   2   2   6  34  34  34  82  82  82
36699 - 38  38  38  14  14  14   0   0   0   0   0   0
36700 -  0   0   0   0   0   0   0   0   0   0   0   0
36701 -  0   0   0   0   0   0   0   0   0   0   0   0
36702 -  0   0   0   0   0   0   0   0   0   0   0   0
36703 -  0   0   0   0   0   0   0   0   0   0   0   0
36704 -  0   0   0   0   0   0   0   0   0   0   0   0
36705 -  0   0   0   0   0   0   0   0   0   0   0   0
36706 -  0   0   0   0   0   0   0   0   0   0   0   0
36707 -  0   0   0   0   0   1   0   0   1   0   0   0
36708 -  0   0   0   0   0   0   0   0   0   0   0   0
36709 -  0   0   0   0   0   0   0   0   0   0   0   0
36710 -  0   0   0   0   0   0   0   0   0   0   0   0
36711 -  0   0   0   0   0   0   0   0   0   0   0   0
36712 -  0   0   0   0   0   0   0   0   0   6   6   6
36713 - 30  30  30  78  78  78  30  30  30   2   2   6
36714 -  2   2   6   2   2   6   2   2   6   2   2   6
36715 -  2   2   6   2   2   6   2   2   6   2   2   6
36716 -  2   2   6   2   2   6   2   2   6  10  10  10
36717 - 10  10  10   2   2   6   2   2   6   2   2   6
36718 -  2   2   6   2   2   6   2   2   6  78  78  78
36719 - 50  50  50  18  18  18   6   6   6   0   0   0
36720 -  0   0   0   0   0   0   0   0   0   0   0   0
36721 -  0   0   0   0   0   0   0   0   0   0   0   0
36722 -  0   0   0   0   0   0   0   0   0   0   0   0
36723 -  0   0   0   0   0   0   0   0   0   0   0   0
36724 -  0   0   0   0   0   0   0   0   0   0   0   0
36725 -  0   0   0   0   0   0   0   0   0   0   0   0
36726 -  0   0   0   0   0   0   0   0   0   0   0   0
36727 -  0   0   1   0   0   0   0   0   0   0   0   0
36728 -  0   0   0   0   0   0   0   0   0   0   0   0
36729 -  0   0   0   0   0   0   0   0   0   0   0   0
36730 -  0   0   0   0   0   0   0   0   0   0   0   0
36731 -  0   0   0   0   0   0   0   0   0   0   0   0
36732 -  0   0   0   0   0   0   0   0   0  10  10  10
36733 - 38  38  38  86  86  86  14  14  14   2   2   6
36734 -  2   2   6   2   2   6   2   2   6   2   2   6
36735 -  2   2   6   2   2   6   2   2   6   2   2   6
36736 -  2   2   6   2   2   6   2   2   6   2   2   6
36737 -  2   2   6   2   2   6   2   2   6   2   2   6
36738 -  2   2   6   2   2   6   2   2   6  54  54  54
36739 - 66  66  66  26  26  26   6   6   6   0   0   0
36740 -  0   0   0   0   0   0   0   0   0   0   0   0
36741 -  0   0   0   0   0   0   0   0   0   0   0   0
36742 -  0   0   0   0   0   0   0   0   0   0   0   0
36743 -  0   0   0   0   0   0   0   0   0   0   0   0
36744 -  0   0   0   0   0   0   0   0   0   0   0   0
36745 -  0   0   0   0   0   0   0   0   0   0   0   0
36746 -  0   0   0   0   0   0   0   0   0   0   0   0
36747 -  0   0   0   0   0   1   0   0   1   0   0   0
36748 -  0   0   0   0   0   0   0   0   0   0   0   0
36749 -  0   0   0   0   0   0   0   0   0   0   0   0
36750 -  0   0   0   0   0   0   0   0   0   0   0   0
36751 -  0   0   0   0   0   0   0   0   0   0   0   0
36752 -  0   0   0   0   0   0   0   0   0  14  14  14
36753 - 42  42  42  82  82  82   2   2   6   2   2   6
36754 -  2   2   6   6   6   6  10  10  10   2   2   6
36755 -  2   2   6   2   2   6   2   2   6   2   2   6
36756 -  2   2   6   2   2   6   2   2   6   6   6   6
36757 - 14  14  14  10  10  10   2   2   6   2   2   6
36758 -  2   2   6   2   2   6   2   2   6  18  18  18
36759 - 82  82  82  34  34  34  10  10  10   0   0   0
36760 -  0   0   0   0   0   0   0   0   0   0   0   0
36761 -  0   0   0   0   0   0   0   0   0   0   0   0
36762 -  0   0   0   0   0   0   0   0   0   0   0   0
36763 -  0   0   0   0   0   0   0   0   0   0   0   0
36764 -  0   0   0   0   0   0   0   0   0   0   0   0
36765 -  0   0   0   0   0   0   0   0   0   0   0   0
36766 -  0   0   0   0   0   0   0   0   0   0   0   0
36767 -  0   0   1   0   0   0   0   0   0   0   0   0
36768 -  0   0   0   0   0   0   0   0   0   0   0   0
36769 -  0   0   0   0   0   0   0   0   0   0   0   0
36770 -  0   0   0   0   0   0   0   0   0   0   0   0
36771 -  0   0   0   0   0   0   0   0   0   0   0   0
36772 -  0   0   0   0   0   0   0   0   0  14  14  14
36773 - 46  46  46  86  86  86   2   2   6   2   2   6
36774 -  6   6   6   6   6   6  22  22  22  34  34  34
36775 -  6   6   6   2   2   6   2   2   6   2   2   6
36776 -  2   2   6   2   2   6  18  18  18  34  34  34
36777 - 10  10  10  50  50  50  22  22  22   2   2   6
36778 -  2   2   6   2   2   6   2   2   6  10  10  10
36779 - 86  86  86  42  42  42  14  14  14   0   0   0
36780 -  0   0   0   0   0   0   0   0   0   0   0   0
36781 -  0   0   0   0   0   0   0   0   0   0   0   0
36782 -  0   0   0   0   0   0   0   0   0   0   0   0
36783 -  0   0   0   0   0   0   0   0   0   0   0   0
36784 -  0   0   0   0   0   0   0   0   0   0   0   0
36785 -  0   0   0   0   0   0   0   0   0   0   0   0
36786 -  0   0   0   0   0   0   0   0   0   0   0   0
36787 -  0   0   1   0   0   1   0   0   1   0   0   0
36788 -  0   0   0   0   0   0   0   0   0   0   0   0
36789 -  0   0   0   0   0   0   0   0   0   0   0   0
36790 -  0   0   0   0   0   0   0   0   0   0   0   0
36791 -  0   0   0   0   0   0   0   0   0   0   0   0
36792 -  0   0   0   0   0   0   0   0   0  14  14  14
36793 - 46  46  46  86  86  86   2   2   6   2   2   6
36794 - 38  38  38 116 116 116  94  94  94  22  22  22
36795 - 22  22  22   2   2   6   2   2   6   2   2   6
36796 - 14  14  14  86  86  86 138 138 138 162 162 162
36797 -154 154 154  38  38  38  26  26  26   6   6   6
36798 -  2   2   6   2   2   6   2   2   6   2   2   6
36799 - 86  86  86  46  46  46  14  14  14   0   0   0
36800 -  0   0   0   0   0   0   0   0   0   0   0   0
36801 -  0   0   0   0   0   0   0   0   0   0   0   0
36802 -  0   0   0   0   0   0   0   0   0   0   0   0
36803 -  0   0   0   0   0   0   0   0   0   0   0   0
36804 -  0   0   0   0   0   0   0   0   0   0   0   0
36805 -  0   0   0   0   0   0   0   0   0   0   0   0
36806 -  0   0   0   0   0   0   0   0   0   0   0   0
36807 -  0   0   0   0   0   0   0   0   0   0   0   0
36808 -  0   0   0   0   0   0   0   0   0   0   0   0
36809 -  0   0   0   0   0   0   0   0   0   0   0   0
36810 -  0   0   0   0   0   0   0   0   0   0   0   0
36811 -  0   0   0   0   0   0   0   0   0   0   0   0
36812 -  0   0   0   0   0   0   0   0   0  14  14  14
36813 - 46  46  46  86  86  86   2   2   6  14  14  14
36814 -134 134 134 198 198 198 195 195 195 116 116 116
36815 - 10  10  10   2   2   6   2   2   6   6   6   6
36816 -101  98  89 187 187 187 210 210 210 218 218 218
36817 -214 214 214 134 134 134  14  14  14   6   6   6
36818 -  2   2   6   2   2   6   2   2   6   2   2   6
36819 - 86  86  86  50  50  50  18  18  18   6   6   6
36820 -  0   0   0   0   0   0   0   0   0   0   0   0
36821 -  0   0   0   0   0   0   0   0   0   0   0   0
36822 -  0   0   0   0   0   0   0   0   0   0   0   0
36823 -  0   0   0   0   0   0   0   0   0   0   0   0
36824 -  0   0   0   0   0   0   0   0   0   0   0   0
36825 -  0   0   0   0   0   0   0   0   0   0   0   0
36826 -  0   0   0   0   0   0   0   0   1   0   0   0
36827 -  0   0   1   0   0   1   0   0   1   0   0   0
36828 -  0   0   0   0   0   0   0   0   0   0   0   0
36829 -  0   0   0   0   0   0   0   0   0   0   0   0
36830 -  0   0   0   0   0   0   0   0   0   0   0   0
36831 -  0   0   0   0   0   0   0   0   0   0   0   0
36832 -  0   0   0   0   0   0   0   0   0  14  14  14
36833 - 46  46  46  86  86  86   2   2   6  54  54  54
36834 -218 218 218 195 195 195 226 226 226 246 246 246
36835 - 58  58  58   2   2   6   2   2   6  30  30  30
36836 -210 210 210 253 253 253 174 174 174 123 123 123
36837 -221 221 221 234 234 234  74  74  74   2   2   6
36838 -  2   2   6   2   2   6   2   2   6   2   2   6
36839 - 70  70  70  58  58  58  22  22  22   6   6   6
36840 -  0   0   0   0   0   0   0   0   0   0   0   0
36841 -  0   0   0   0   0   0   0   0   0   0   0   0
36842 -  0   0   0   0   0   0   0   0   0   0   0   0
36843 -  0   0   0   0   0   0   0   0   0   0   0   0
36844 -  0   0   0   0   0   0   0   0   0   0   0   0
36845 -  0   0   0   0   0   0   0   0   0   0   0   0
36846 -  0   0   0   0   0   0   0   0   0   0   0   0
36847 -  0   0   0   0   0   0   0   0   0   0   0   0
36848 -  0   0   0   0   0   0   0   0   0   0   0   0
36849 -  0   0   0   0   0   0   0   0   0   0   0   0
36850 -  0   0   0   0   0   0   0   0   0   0   0   0
36851 -  0   0   0   0   0   0   0   0   0   0   0   0
36852 -  0   0   0   0   0   0   0   0   0  14  14  14
36853 - 46  46  46  82  82  82   2   2   6 106 106 106
36854 -170 170 170  26  26  26  86  86  86 226 226 226
36855 -123 123 123  10  10  10  14  14  14  46  46  46
36856 -231 231 231 190 190 190   6   6   6  70  70  70
36857 - 90  90  90 238 238 238 158 158 158   2   2   6
36858 -  2   2   6   2   2   6   2   2   6   2   2   6
36859 - 70  70  70  58  58  58  22  22  22   6   6   6
36860 -  0   0   0   0   0   0   0   0   0   0   0   0
36861 -  0   0   0   0   0   0   0   0   0   0   0   0
36862 -  0   0   0   0   0   0   0   0   0   0   0   0
36863 -  0   0   0   0   0   0   0   0   0   0   0   0
36864 -  0   0   0   0   0   0   0   0   0   0   0   0
36865 -  0   0   0   0   0   0   0   0   0   0   0   0
36866 -  0   0   0   0   0   0   0   0   1   0   0   0
36867 -  0   0   1   0   0   1   0   0   1   0   0   0
36868 -  0   0   0   0   0   0   0   0   0   0   0   0
36869 -  0   0   0   0   0   0   0   0   0   0   0   0
36870 -  0   0   0   0   0   0   0   0   0   0   0   0
36871 -  0   0   0   0   0   0   0   0   0   0   0   0
36872 -  0   0   0   0   0   0   0   0   0  14  14  14
36873 - 42  42  42  86  86  86   6   6   6 116 116 116
36874 -106 106 106   6   6   6  70  70  70 149 149 149
36875 -128 128 128  18  18  18  38  38  38  54  54  54
36876 -221 221 221 106 106 106   2   2   6  14  14  14
36877 - 46  46  46 190 190 190 198 198 198   2   2   6
36878 -  2   2   6   2   2   6   2   2   6   2   2   6
36879 - 74  74  74  62  62  62  22  22  22   6   6   6
36880 -  0   0   0   0   0   0   0   0   0   0   0   0
36881 -  0   0   0   0   0   0   0   0   0   0   0   0
36882 -  0   0   0   0   0   0   0   0   0   0   0   0
36883 -  0   0   0   0   0   0   0   0   0   0   0   0
36884 -  0   0   0   0   0   0   0   0   0   0   0   0
36885 -  0   0   0   0   0   0   0   0   0   0   0   0
36886 -  0   0   0   0   0   0   0   0   1   0   0   0
36887 -  0   0   1   0   0   0   0   0   1   0   0   0
36888 -  0   0   0   0   0   0   0   0   0   0   0   0
36889 -  0   0   0   0   0   0   0   0   0   0   0   0
36890 -  0   0   0   0   0   0   0   0   0   0   0   0
36891 -  0   0   0   0   0   0   0   0   0   0   0   0
36892 -  0   0   0   0   0   0   0   0   0  14  14  14
36893 - 42  42  42  94  94  94  14  14  14 101 101 101
36894 -128 128 128   2   2   6  18  18  18 116 116 116
36895 -118  98  46 121  92   8 121  92   8  98  78  10
36896 -162 162 162 106 106 106   2   2   6   2   2   6
36897 -  2   2   6 195 195 195 195 195 195   6   6   6
36898 -  2   2   6   2   2   6   2   2   6   2   2   6
36899 - 74  74  74  62  62  62  22  22  22   6   6   6
36900 -  0   0   0   0   0   0   0   0   0   0   0   0
36901 -  0   0   0   0   0   0   0   0   0   0   0   0
36902 -  0   0   0   0   0   0   0   0   0   0   0   0
36903 -  0   0   0   0   0   0   0   0   0   0   0   0
36904 -  0   0   0   0   0   0   0   0   0   0   0   0
36905 -  0   0   0   0   0   0   0   0   0   0   0   0
36906 -  0   0   0   0   0   0   0   0   1   0   0   1
36907 -  0   0   1   0   0   0   0   0   1   0   0   0
36908 -  0   0   0   0   0   0   0   0   0   0   0   0
36909 -  0   0   0   0   0   0   0   0   0   0   0   0
36910 -  0   0   0   0   0   0   0   0   0   0   0   0
36911 -  0   0   0   0   0   0   0   0   0   0   0   0
36912 -  0   0   0   0   0   0   0   0   0  10  10  10
36913 - 38  38  38  90  90  90  14  14  14  58  58  58
36914 -210 210 210  26  26  26  54  38   6 154 114  10
36915 -226 170  11 236 186  11 225 175  15 184 144  12
36916 -215 174  15 175 146  61  37  26   9   2   2   6
36917 - 70  70  70 246 246 246 138 138 138   2   2   6
36918 -  2   2   6   2   2   6   2   2   6   2   2   6
36919 - 70  70  70  66  66  66  26  26  26   6   6   6
36920 -  0   0   0   0   0   0   0   0   0   0   0   0
36921 -  0   0   0   0   0   0   0   0   0   0   0   0
36922 -  0   0   0   0   0   0   0   0   0   0   0   0
36923 -  0   0   0   0   0   0   0   0   0   0   0   0
36924 -  0   0   0   0   0   0   0   0   0   0   0   0
36925 -  0   0   0   0   0   0   0   0   0   0   0   0
36926 -  0   0   0   0   0   0   0   0   0   0   0   0
36927 -  0   0   0   0   0   0   0   0   0   0   0   0
36928 -  0   0   0   0   0   0   0   0   0   0   0   0
36929 -  0   0   0   0   0   0   0   0   0   0   0   0
36930 -  0   0   0   0   0   0   0   0   0   0   0   0
36931 -  0   0   0   0   0   0   0   0   0   0   0   0
36932 -  0   0   0   0   0   0   0   0   0  10  10  10
36933 - 38  38  38  86  86  86  14  14  14  10  10  10
36934 -195 195 195 188 164 115 192 133   9 225 175  15
36935 -239 182  13 234 190  10 232 195  16 232 200  30
36936 -245 207  45 241 208  19 232 195  16 184 144  12
36937 -218 194 134 211 206 186  42  42  42   2   2   6
36938 -  2   2   6   2   2   6   2   2   6   2   2   6
36939 - 50  50  50  74  74  74  30  30  30   6   6   6
36940 -  0   0   0   0   0   0   0   0   0   0   0   0
36941 -  0   0   0   0   0   0   0   0   0   0   0   0
36942 -  0   0   0   0   0   0   0   0   0   0   0   0
36943 -  0   0   0   0   0   0   0   0   0   0   0   0
36944 -  0   0   0   0   0   0   0   0   0   0   0   0
36945 -  0   0   0   0   0   0   0   0   0   0   0   0
36946 -  0   0   0   0   0   0   0   0   0   0   0   0
36947 -  0   0   0   0   0   0   0   0   0   0   0   0
36948 -  0   0   0   0   0   0   0   0   0   0   0   0
36949 -  0   0   0   0   0   0   0   0   0   0   0   0
36950 -  0   0   0   0   0   0   0   0   0   0   0   0
36951 -  0   0   0   0   0   0   0   0   0   0   0   0
36952 -  0   0   0   0   0   0   0   0   0  10  10  10
36953 - 34  34  34  86  86  86  14  14  14   2   2   6
36954 -121  87  25 192 133   9 219 162  10 239 182  13
36955 -236 186  11 232 195  16 241 208  19 244 214  54
36956 -246 218  60 246 218  38 246 215  20 241 208  19
36957 -241 208  19 226 184  13 121  87  25   2   2   6
36958 -  2   2   6   2   2   6   2   2   6   2   2   6
36959 - 50  50  50  82  82  82  34  34  34  10  10  10
36960 -  0   0   0   0   0   0   0   0   0   0   0   0
36961 -  0   0   0   0   0   0   0   0   0   0   0   0
36962 -  0   0   0   0   0   0   0   0   0   0   0   0
36963 -  0   0   0   0   0   0   0   0   0   0   0   0
36964 -  0   0   0   0   0   0   0   0   0   0   0   0
36965 -  0   0   0   0   0   0   0   0   0   0   0   0
36966 -  0   0   0   0   0   0   0   0   0   0   0   0
36967 -  0   0   0   0   0   0   0   0   0   0   0   0
36968 -  0   0   0   0   0   0   0   0   0   0   0   0
36969 -  0   0   0   0   0   0   0   0   0   0   0   0
36970 -  0   0   0   0   0   0   0   0   0   0   0   0
36971 -  0   0   0   0   0   0   0   0   0   0   0   0
36972 -  0   0   0   0   0   0   0   0   0  10  10  10
36973 - 34  34  34  82  82  82  30  30  30  61  42   6
36974 -180 123   7 206 145  10 230 174  11 239 182  13
36975 -234 190  10 238 202  15 241 208  19 246 218  74
36976 -246 218  38 246 215  20 246 215  20 246 215  20
36977 -226 184  13 215 174  15 184 144  12   6   6   6
36978 -  2   2   6   2   2   6   2   2   6   2   2   6
36979 - 26  26  26  94  94  94  42  42  42  14  14  14
36980 -  0   0   0   0   0   0   0   0   0   0   0   0
36981 -  0   0   0   0   0   0   0   0   0   0   0   0
36982 -  0   0   0   0   0   0   0   0   0   0   0   0
36983 -  0   0   0   0   0   0   0   0   0   0   0   0
36984 -  0   0   0   0   0   0   0   0   0   0   0   0
36985 -  0   0   0   0   0   0   0   0   0   0   0   0
36986 -  0   0   0   0   0   0   0   0   0   0   0   0
36987 -  0   0   0   0   0   0   0   0   0   0   0   0
36988 -  0   0   0   0   0   0   0   0   0   0   0   0
36989 -  0   0   0   0   0   0   0   0   0   0   0   0
36990 -  0   0   0   0   0   0   0   0   0   0   0   0
36991 -  0   0   0   0   0   0   0   0   0   0   0   0
36992 -  0   0   0   0   0   0   0   0   0  10  10  10
36993 - 30  30  30  78  78  78  50  50  50 104  69   6
36994 -192 133   9 216 158  10 236 178  12 236 186  11
36995 -232 195  16 241 208  19 244 214  54 245 215  43
36996 -246 215  20 246 215  20 241 208  19 198 155  10
36997 -200 144  11 216 158  10 156 118  10   2   2   6
36998 -  2   2   6   2   2   6   2   2   6   2   2   6
36999 -  6   6   6  90  90  90  54  54  54  18  18  18
37000 -  6   6   6   0   0   0   0   0   0   0   0   0
37001 -  0   0   0   0   0   0   0   0   0   0   0   0
37002 -  0   0   0   0   0   0   0   0   0   0   0   0
37003 -  0   0   0   0   0   0   0   0   0   0   0   0
37004 -  0   0   0   0   0   0   0   0   0   0   0   0
37005 -  0   0   0   0   0   0   0   0   0   0   0   0
37006 -  0   0   0   0   0   0   0   0   0   0   0   0
37007 -  0   0   0   0   0   0   0   0   0   0   0   0
37008 -  0   0   0   0   0   0   0   0   0   0   0   0
37009 -  0   0   0   0   0   0   0   0   0   0   0   0
37010 -  0   0   0   0   0   0   0   0   0   0   0   0
37011 -  0   0   0   0   0   0   0   0   0   0   0   0
37012 -  0   0   0   0   0   0   0   0   0  10  10  10
37013 - 30  30  30  78  78  78  46  46  46  22  22  22
37014 -137  92   6 210 162  10 239 182  13 238 190  10
37015 -238 202  15 241 208  19 246 215  20 246 215  20
37016 -241 208  19 203 166  17 185 133  11 210 150  10
37017 -216 158  10 210 150  10 102  78  10   2   2   6
37018 -  6   6   6  54  54  54  14  14  14   2   2   6
37019 -  2   2   6  62  62  62  74  74  74  30  30  30
37020 - 10  10  10   0   0   0   0   0   0   0   0   0
37021 -  0   0   0   0   0   0   0   0   0   0   0   0
37022 -  0   0   0   0   0   0   0   0   0   0   0   0
37023 -  0   0   0   0   0   0   0   0   0   0   0   0
37024 -  0   0   0   0   0   0   0   0   0   0   0   0
37025 -  0   0   0   0   0   0   0   0   0   0   0   0
37026 -  0   0   0   0   0   0   0   0   0   0   0   0
37027 -  0   0   0   0   0   0   0   0   0   0   0   0
37028 -  0   0   0   0   0   0   0   0   0   0   0   0
37029 -  0   0   0   0   0   0   0   0   0   0   0   0
37030 -  0   0   0   0   0   0   0   0   0   0   0   0
37031 -  0   0   0   0   0   0   0   0   0   0   0   0
37032 -  0   0   0   0   0   0   0   0   0  10  10  10
37033 - 34  34  34  78  78  78  50  50  50   6   6   6
37034 - 94  70  30 139 102  15 190 146  13 226 184  13
37035 -232 200  30 232 195  16 215 174  15 190 146  13
37036 -168 122  10 192 133   9 210 150  10 213 154  11
37037 -202 150  34 182 157 106 101  98  89   2   2   6
37038 -  2   2   6  78  78  78 116 116 116  58  58  58
37039 -  2   2   6  22  22  22  90  90  90  46  46  46
37040 - 18  18  18   6   6   6   0   0   0   0   0   0
37041 -  0   0   0   0   0   0   0   0   0   0   0   0
37042 -  0   0   0   0   0   0   0   0   0   0   0   0
37043 -  0   0   0   0   0   0   0   0   0   0   0   0
37044 -  0   0   0   0   0   0   0   0   0   0   0   0
37045 -  0   0   0   0   0   0   0   0   0   0   0   0
37046 -  0   0   0   0   0   0   0   0   0   0   0   0
37047 -  0   0   0   0   0   0   0   0   0   0   0   0
37048 -  0   0   0   0   0   0   0   0   0   0   0   0
37049 -  0   0   0   0   0   0   0   0   0   0   0   0
37050 -  0   0   0   0   0   0   0   0   0   0   0   0
37051 -  0   0   0   0   0   0   0   0   0   0   0   0
37052 -  0   0   0   0   0   0   0   0   0  10  10  10
37053 - 38  38  38  86  86  86  50  50  50   6   6   6
37054 -128 128 128 174 154 114 156 107  11 168 122  10
37055 -198 155  10 184 144  12 197 138  11 200 144  11
37056 -206 145  10 206 145  10 197 138  11 188 164 115
37057 -195 195 195 198 198 198 174 174 174  14  14  14
37058 -  2   2   6  22  22  22 116 116 116 116 116 116
37059 - 22  22  22   2   2   6  74  74  74  70  70  70
37060 - 30  30  30  10  10  10   0   0   0   0   0   0
37061 -  0   0   0   0   0   0   0   0   0   0   0   0
37062 -  0   0   0   0   0   0   0   0   0   0   0   0
37063 -  0   0   0   0   0   0   0   0   0   0   0   0
37064 -  0   0   0   0   0   0   0   0   0   0   0   0
37065 -  0   0   0   0   0   0   0   0   0   0   0   0
37066 -  0   0   0   0   0   0   0   0   0   0   0   0
37067 -  0   0   0   0   0   0   0   0   0   0   0   0
37068 -  0   0   0   0   0   0   0   0   0   0   0   0
37069 -  0   0   0   0   0   0   0   0   0   0   0   0
37070 -  0   0   0   0   0   0   0   0   0   0   0   0
37071 -  0   0   0   0   0   0   0   0   0   0   0   0
37072 -  0   0   0   0   0   0   6   6   6  18  18  18
37073 - 50  50  50 101 101 101  26  26  26  10  10  10
37074 -138 138 138 190 190 190 174 154 114 156 107  11
37075 -197 138  11 200 144  11 197 138  11 192 133   9
37076 -180 123   7 190 142  34 190 178 144 187 187 187
37077 -202 202 202 221 221 221 214 214 214  66  66  66
37078 -  2   2   6   2   2   6  50  50  50  62  62  62
37079 -  6   6   6   2   2   6  10  10  10  90  90  90
37080 - 50  50  50  18  18  18   6   6   6   0   0   0
37081 -  0   0   0   0   0   0   0   0   0   0   0   0
37082 -  0   0   0   0   0   0   0   0   0   0   0   0
37083 -  0   0   0   0   0   0   0   0   0   0   0   0
37084 -  0   0   0   0   0   0   0   0   0   0   0   0
37085 -  0   0   0   0   0   0   0   0   0   0   0   0
37086 -  0   0   0   0   0   0   0   0   0   0   0   0
37087 -  0   0   0   0   0   0   0   0   0   0   0   0
37088 -  0   0   0   0   0   0   0   0   0   0   0   0
37089 -  0   0   0   0   0   0   0   0   0   0   0   0
37090 -  0   0   0   0   0   0   0   0   0   0   0   0
37091 -  0   0   0   0   0   0   0   0   0   0   0   0
37092 -  0   0   0   0   0   0  10  10  10  34  34  34
37093 - 74  74  74  74  74  74   2   2   6   6   6   6
37094 -144 144 144 198 198 198 190 190 190 178 166 146
37095 -154 121  60 156 107  11 156 107  11 168 124  44
37096 -174 154 114 187 187 187 190 190 190 210 210 210
37097 -246 246 246 253 253 253 253 253 253 182 182 182
37098 -  6   6   6   2   2   6   2   2   6   2   2   6
37099 -  2   2   6   2   2   6   2   2   6  62  62  62
37100 - 74  74  74  34  34  34  14  14  14   0   0   0
37101 -  0   0   0   0   0   0   0   0   0   0   0   0
37102 -  0   0   0   0   0   0   0   0   0   0   0   0
37103 -  0   0   0   0   0   0   0   0   0   0   0   0
37104 -  0   0   0   0   0   0   0   0   0   0   0   0
37105 -  0   0   0   0   0   0   0   0   0   0   0   0
37106 -  0   0   0   0   0   0   0   0   0   0   0   0
37107 -  0   0   0   0   0   0   0   0   0   0   0   0
37108 -  0   0   0   0   0   0   0   0   0   0   0   0
37109 -  0   0   0   0   0   0   0   0   0   0   0   0
37110 -  0   0   0   0   0   0   0   0   0   0   0   0
37111 -  0   0   0   0   0   0   0   0   0   0   0   0
37112 -  0   0   0  10  10  10  22  22  22  54  54  54
37113 - 94  94  94  18  18  18   2   2   6  46  46  46
37114 -234 234 234 221 221 221 190 190 190 190 190 190
37115 -190 190 190 187 187 187 187 187 187 190 190 190
37116 -190 190 190 195 195 195 214 214 214 242 242 242
37117 -253 253 253 253 253 253 253 253 253 253 253 253
37118 - 82  82  82   2   2   6   2   2   6   2   2   6
37119 -  2   2   6   2   2   6   2   2   6  14  14  14
37120 - 86  86  86  54  54  54  22  22  22   6   6   6
37121 -  0   0   0   0   0   0   0   0   0   0   0   0
37122 -  0   0   0   0   0   0   0   0   0   0   0   0
37123 -  0   0   0   0   0   0   0   0   0   0   0   0
37124 -  0   0   0   0   0   0   0   0   0   0   0   0
37125 -  0   0   0   0   0   0   0   0   0   0   0   0
37126 -  0   0   0   0   0   0   0   0   0   0   0   0
37127 -  0   0   0   0   0   0   0   0   0   0   0   0
37128 -  0   0   0   0   0   0   0   0   0   0   0   0
37129 -  0   0   0   0   0   0   0   0   0   0   0   0
37130 -  0   0   0   0   0   0   0   0   0   0   0   0
37131 -  0   0   0   0   0   0   0   0   0   0   0   0
37132 -  6   6   6  18  18  18  46  46  46  90  90  90
37133 - 46  46  46  18  18  18   6   6   6 182 182 182
37134 -253 253 253 246 246 246 206 206 206 190 190 190
37135 -190 190 190 190 190 190 190 190 190 190 190 190
37136 -206 206 206 231 231 231 250 250 250 253 253 253
37137 -253 253 253 253 253 253 253 253 253 253 253 253
37138 -202 202 202  14  14  14   2   2   6   2   2   6
37139 -  2   2   6   2   2   6   2   2   6   2   2   6
37140 - 42  42  42  86  86  86  42  42  42  18  18  18
37141 -  6   6   6   0   0   0   0   0   0   0   0   0
37142 -  0   0   0   0   0   0   0   0   0   0   0   0
37143 -  0   0   0   0   0   0   0   0   0   0   0   0
37144 -  0   0   0   0   0   0   0   0   0   0   0   0
37145 -  0   0   0   0   0   0   0   0   0   0   0   0
37146 -  0   0   0   0   0   0   0   0   0   0   0   0
37147 -  0   0   0   0   0   0   0   0   0   0   0   0
37148 -  0   0   0   0   0   0   0   0   0   0   0   0
37149 -  0   0   0   0   0   0   0   0   0   0   0   0
37150 -  0   0   0   0   0   0   0   0   0   0   0   0
37151 -  0   0   0   0   0   0   0   0   0   6   6   6
37152 - 14  14  14  38  38  38  74  74  74  66  66  66
37153 -  2   2   6   6   6   6  90  90  90 250 250 250
37154 -253 253 253 253 253 253 238 238 238 198 198 198
37155 -190 190 190 190 190 190 195 195 195 221 221 221
37156 -246 246 246 253 253 253 253 253 253 253 253 253
37157 -253 253 253 253 253 253 253 253 253 253 253 253
37158 -253 253 253  82  82  82   2   2   6   2   2   6
37159 -  2   2   6   2   2   6   2   2   6   2   2   6
37160 -  2   2   6  78  78  78  70  70  70  34  34  34
37161 - 14  14  14   6   6   6   0   0   0   0   0   0
37162 -  0   0   0   0   0   0   0   0   0   0   0   0
37163 -  0   0   0   0   0   0   0   0   0   0   0   0
37164 -  0   0   0   0   0   0   0   0   0   0   0   0
37165 -  0   0   0   0   0   0   0   0   0   0   0   0
37166 -  0   0   0   0   0   0   0   0   0   0   0   0
37167 -  0   0   0   0   0   0   0   0   0   0   0   0
37168 -  0   0   0   0   0   0   0   0   0   0   0   0
37169 -  0   0   0   0   0   0   0   0   0   0   0   0
37170 -  0   0   0   0   0   0   0   0   0   0   0   0
37171 -  0   0   0   0   0   0   0   0   0  14  14  14
37172 - 34  34  34  66  66  66  78  78  78   6   6   6
37173 -  2   2   6  18  18  18 218 218 218 253 253 253
37174 -253 253 253 253 253 253 253 253 253 246 246 246
37175 -226 226 226 231 231 231 246 246 246 253 253 253
37176 -253 253 253 253 253 253 253 253 253 253 253 253
37177 -253 253 253 253 253 253 253 253 253 253 253 253
37178 -253 253 253 178 178 178   2   2   6   2   2   6
37179 -  2   2   6   2   2   6   2   2   6   2   2   6
37180 -  2   2   6  18  18  18  90  90  90  62  62  62
37181 - 30  30  30  10  10  10   0   0   0   0   0   0
37182 -  0   0   0   0   0   0   0   0   0   0   0   0
37183 -  0   0   0   0   0   0   0   0   0   0   0   0
37184 -  0   0   0   0   0   0   0   0   0   0   0   0
37185 -  0   0   0   0   0   0   0   0   0   0   0   0
37186 -  0   0   0   0   0   0   0   0   0   0   0   0
37187 -  0   0   0   0   0   0   0   0   0   0   0   0
37188 -  0   0   0   0   0   0   0   0   0   0   0   0
37189 -  0   0   0   0   0   0   0   0   0   0   0   0
37190 -  0   0   0   0   0   0   0   0   0   0   0   0
37191 -  0   0   0   0   0   0  10  10  10  26  26  26
37192 - 58  58  58  90  90  90  18  18  18   2   2   6
37193 -  2   2   6 110 110 110 253 253 253 253 253 253
37194 -253 253 253 253 253 253 253 253 253 253 253 253
37195 -250 250 250 253 253 253 253 253 253 253 253 253
37196 -253 253 253 253 253 253 253 253 253 253 253 253
37197 -253 253 253 253 253 253 253 253 253 253 253 253
37198 -253 253 253 231 231 231  18  18  18   2   2   6
37199 -  2   2   6   2   2   6   2   2   6   2   2   6
37200 -  2   2   6   2   2   6  18  18  18  94  94  94
37201 - 54  54  54  26  26  26  10  10  10   0   0   0
37202 -  0   0   0   0   0   0   0   0   0   0   0   0
37203 -  0   0   0   0   0   0   0   0   0   0   0   0
37204 -  0   0   0   0   0   0   0   0   0   0   0   0
37205 -  0   0   0   0   0   0   0   0   0   0   0   0
37206 -  0   0   0   0   0   0   0   0   0   0   0   0
37207 -  0   0   0   0   0   0   0   0   0   0   0   0
37208 -  0   0   0   0   0   0   0   0   0   0   0   0
37209 -  0   0   0   0   0   0   0   0   0   0   0   0
37210 -  0   0   0   0   0   0   0   0   0   0   0   0
37211 -  0   0   0   6   6   6  22  22  22  50  50  50
37212 - 90  90  90  26  26  26   2   2   6   2   2   6
37213 - 14  14  14 195 195 195 250 250 250 253 253 253
37214 -253 253 253 253 253 253 253 253 253 253 253 253
37215 -253 253 253 253 253 253 253 253 253 253 253 253
37216 -253 253 253 253 253 253 253 253 253 253 253 253
37217 -253 253 253 253 253 253 253 253 253 253 253 253
37218 -250 250 250 242 242 242  54  54  54   2   2   6
37219 -  2   2   6   2   2   6   2   2   6   2   2   6
37220 -  2   2   6   2   2   6   2   2   6  38  38  38
37221 - 86  86  86  50  50  50  22  22  22   6   6   6
37222 -  0   0   0   0   0   0   0   0   0   0   0   0
37223 -  0   0   0   0   0   0   0   0   0   0   0   0
37224 -  0   0   0   0   0   0   0   0   0   0   0   0
37225 -  0   0   0   0   0   0   0   0   0   0   0   0
37226 -  0   0   0   0   0   0   0   0   0   0   0   0
37227 -  0   0   0   0   0   0   0   0   0   0   0   0
37228 -  0   0   0   0   0   0   0   0   0   0   0   0
37229 -  0   0   0   0   0   0   0   0   0   0   0   0
37230 -  0   0   0   0   0   0   0   0   0   0   0   0
37231 -  6   6   6  14  14  14  38  38  38  82  82  82
37232 - 34  34  34   2   2   6   2   2   6   2   2   6
37233 - 42  42  42 195 195 195 246 246 246 253 253 253
37234 -253 253 253 253 253 253 253 253 253 250 250 250
37235 -242 242 242 242 242 242 250 250 250 253 253 253
37236 -253 253 253 253 253 253 253 253 253 253 253 253
37237 -253 253 253 250 250 250 246 246 246 238 238 238
37238 -226 226 226 231 231 231 101 101 101   6   6   6
37239 -  2   2   6   2   2   6   2   2   6   2   2   6
37240 -  2   2   6   2   2   6   2   2   6   2   2   6
37241 - 38  38  38  82  82  82  42  42  42  14  14  14
37242 -  6   6   6   0   0   0   0   0   0   0   0   0
37243 -  0   0   0   0   0   0   0   0   0   0   0   0
37244 -  0   0   0   0   0   0   0   0   0   0   0   0
37245 -  0   0   0   0   0   0   0   0   0   0   0   0
37246 -  0   0   0   0   0   0   0   0   0   0   0   0
37247 -  0   0   0   0   0   0   0   0   0   0   0   0
37248 -  0   0   0   0   0   0   0   0   0   0   0   0
37249 -  0   0   0   0   0   0   0   0   0   0   0   0
37250 -  0   0   0   0   0   0   0   0   0   0   0   0
37251 - 10  10  10  26  26  26  62  62  62  66  66  66
37252 -  2   2   6   2   2   6   2   2   6   6   6   6
37253 - 70  70  70 170 170 170 206 206 206 234 234 234
37254 -246 246 246 250 250 250 250 250 250 238 238 238
37255 -226 226 226 231 231 231 238 238 238 250 250 250
37256 -250 250 250 250 250 250 246 246 246 231 231 231
37257 -214 214 214 206 206 206 202 202 202 202 202 202
37258 -198 198 198 202 202 202 182 182 182  18  18  18
37259 -  2   2   6   2   2   6   2   2   6   2   2   6
37260 -  2   2   6   2   2   6   2   2   6   2   2   6
37261 -  2   2   6  62  62  62  66  66  66  30  30  30
37262 - 10  10  10   0   0   0   0   0   0   0   0   0
37263 -  0   0   0   0   0   0   0   0   0   0   0   0
37264 -  0   0   0   0   0   0   0   0   0   0   0   0
37265 -  0   0   0   0   0   0   0   0   0   0   0   0
37266 -  0   0   0   0   0   0   0   0   0   0   0   0
37267 -  0   0   0   0   0   0   0   0   0   0   0   0
37268 -  0   0   0   0   0   0   0   0   0   0   0   0
37269 -  0   0   0   0   0   0   0   0   0   0   0   0
37270 -  0   0   0   0   0   0   0   0   0   0   0   0
37271 - 14  14  14  42  42  42  82  82  82  18  18  18
37272 -  2   2   6   2   2   6   2   2   6  10  10  10
37273 - 94  94  94 182 182 182 218 218 218 242 242 242
37274 -250 250 250 253 253 253 253 253 253 250 250 250
37275 -234 234 234 253 253 253 253 253 253 253 253 253
37276 -253 253 253 253 253 253 253 253 253 246 246 246
37277 -238 238 238 226 226 226 210 210 210 202 202 202
37278 -195 195 195 195 195 195 210 210 210 158 158 158
37279 -  6   6   6  14  14  14  50  50  50  14  14  14
37280 -  2   2   6   2   2   6   2   2   6   2   2   6
37281 -  2   2   6   6   6   6  86  86  86  46  46  46
37282 - 18  18  18   6   6   6   0   0   0   0   0   0
37283 -  0   0   0   0   0   0   0   0   0   0   0   0
37284 -  0   0   0   0   0   0   0   0   0   0   0   0
37285 -  0   0   0   0   0   0   0   0   0   0   0   0
37286 -  0   0   0   0   0   0   0   0   0   0   0   0
37287 -  0   0   0   0   0   0   0   0   0   0   0   0
37288 -  0   0   0   0   0   0   0   0   0   0   0   0
37289 -  0   0   0   0   0   0   0   0   0   0   0   0
37290 -  0   0   0   0   0   0   0   0   0   6   6   6
37291 - 22  22  22  54  54  54  70  70  70   2   2   6
37292 -  2   2   6  10  10  10   2   2   6  22  22  22
37293 -166 166 166 231 231 231 250 250 250 253 253 253
37294 -253 253 253 253 253 253 253 253 253 250 250 250
37295 -242 242 242 253 253 253 253 253 253 253 253 253
37296 -253 253 253 253 253 253 253 253 253 253 253 253
37297 -253 253 253 253 253 253 253 253 253 246 246 246
37298 -231 231 231 206 206 206 198 198 198 226 226 226
37299 - 94  94  94   2   2   6   6   6   6  38  38  38
37300 - 30  30  30   2   2   6   2   2   6   2   2   6
37301 -  2   2   6   2   2   6  62  62  62  66  66  66
37302 - 26  26  26  10  10  10   0   0   0   0   0   0
37303 -  0   0   0   0   0   0   0   0   0   0   0   0
37304 -  0   0   0   0   0   0   0   0   0   0   0   0
37305 -  0   0   0   0   0   0   0   0   0   0   0   0
37306 -  0   0   0   0   0   0   0   0   0   0   0   0
37307 -  0   0   0   0   0   0   0   0   0   0   0   0
37308 -  0   0   0   0   0   0   0   0   0   0   0   0
37309 -  0   0   0   0   0   0   0   0   0   0   0   0
37310 -  0   0   0   0   0   0   0   0   0  10  10  10
37311 - 30  30  30  74  74  74  50  50  50   2   2   6
37312 - 26  26  26  26  26  26   2   2   6 106 106 106
37313 -238 238 238 253 253 253 253 253 253 253 253 253
37314 -253 253 253 253 253 253 253 253 253 253 253 253
37315 -253 253 253 253 253 253 253 253 253 253 253 253
37316 -253 253 253 253 253 253 253 253 253 253 253 253
37317 -253 253 253 253 253 253 253 253 253 253 253 253
37318 -253 253 253 246 246 246 218 218 218 202 202 202
37319 -210 210 210  14  14  14   2   2   6   2   2   6
37320 - 30  30  30  22  22  22   2   2   6   2   2   6
37321 -  2   2   6   2   2   6  18  18  18  86  86  86
37322 - 42  42  42  14  14  14   0   0   0   0   0   0
37323 -  0   0   0   0   0   0   0   0   0   0   0   0
37324 -  0   0   0   0   0   0   0   0   0   0   0   0
37325 -  0   0   0   0   0   0   0   0   0   0   0   0
37326 -  0   0   0   0   0   0   0   0   0   0   0   0
37327 -  0   0   0   0   0   0   0   0   0   0   0   0
37328 -  0   0   0   0   0   0   0   0   0   0   0   0
37329 -  0   0   0   0   0   0   0   0   0   0   0   0
37330 -  0   0   0   0   0   0   0   0   0  14  14  14
37331 - 42  42  42  90  90  90  22  22  22   2   2   6
37332 - 42  42  42   2   2   6  18  18  18 218 218 218
37333 -253 253 253 253 253 253 253 253 253 253 253 253
37334 -253 253 253 253 253 253 253 253 253 253 253 253
37335 -253 253 253 253 253 253 253 253 253 253 253 253
37336 -253 253 253 253 253 253 253 253 253 253 253 253
37337 -253 253 253 253 253 253 253 253 253 253 253 253
37338 -253 253 253 253 253 253 250 250 250 221 221 221
37339 -218 218 218 101 101 101   2   2   6  14  14  14
37340 - 18  18  18  38  38  38  10  10  10   2   2   6
37341 -  2   2   6   2   2   6   2   2   6  78  78  78
37342 - 58  58  58  22  22  22   6   6   6   0   0   0
37343 -  0   0   0   0   0   0   0   0   0   0   0   0
37344 -  0   0   0   0   0   0   0   0   0   0   0   0
37345 -  0   0   0   0   0   0   0   0   0   0   0   0
37346 -  0   0   0   0   0   0   0   0   0   0   0   0
37347 -  0   0   0   0   0   0   0   0   0   0   0   0
37348 -  0   0   0   0   0   0   0   0   0   0   0   0
37349 -  0   0   0   0   0   0   0   0   0   0   0   0
37350 -  0   0   0   0   0   0   6   6   6  18  18  18
37351 - 54  54  54  82  82  82   2   2   6  26  26  26
37352 - 22  22  22   2   2   6 123 123 123 253 253 253
37353 -253 253 253 253 253 253 253 253 253 253 253 253
37354 -253 253 253 253 253 253 253 253 253 253 253 253
37355 -253 253 253 253 253 253 253 253 253 253 253 253
37356 -253 253 253 253 253 253 253 253 253 253 253 253
37357 -253 253 253 253 253 253 253 253 253 253 253 253
37358 -253 253 253 253 253 253 253 253 253 250 250 250
37359 -238 238 238 198 198 198   6   6   6  38  38  38
37360 - 58  58  58  26  26  26  38  38  38   2   2   6
37361 -  2   2   6   2   2   6   2   2   6  46  46  46
37362 - 78  78  78  30  30  30  10  10  10   0   0   0
37363 -  0   0   0   0   0   0   0   0   0   0   0   0
37364 -  0   0   0   0   0   0   0   0   0   0   0   0
37365 -  0   0   0   0   0   0   0   0   0   0   0   0
37366 -  0   0   0   0   0   0   0   0   0   0   0   0
37367 -  0   0   0   0   0   0   0   0   0   0   0   0
37368 -  0   0   0   0   0   0   0   0   0   0   0   0
37369 -  0   0   0   0   0   0   0   0   0   0   0   0
37370 -  0   0   0   0   0   0  10  10  10  30  30  30
37371 - 74  74  74  58  58  58   2   2   6  42  42  42
37372 -  2   2   6  22  22  22 231 231 231 253 253 253
37373 -253 253 253 253 253 253 253 253 253 253 253 253
37374 -253 253 253 253 253 253 253 253 253 250 250 250
37375 -253 253 253 253 253 253 253 253 253 253 253 253
37376 -253 253 253 253 253 253 253 253 253 253 253 253
37377 -253 253 253 253 253 253 253 253 253 253 253 253
37378 -253 253 253 253 253 253 253 253 253 253 253 253
37379 -253 253 253 246 246 246  46  46  46  38  38  38
37380 - 42  42  42  14  14  14  38  38  38  14  14  14
37381 -  2   2   6   2   2   6   2   2   6   6   6   6
37382 - 86  86  86  46  46  46  14  14  14   0   0   0
37383 -  0   0   0   0   0   0   0   0   0   0   0   0
37384 -  0   0   0   0   0   0   0   0   0   0   0   0
37385 -  0   0   0   0   0   0   0   0   0   0   0   0
37386 -  0   0   0   0   0   0   0   0   0   0   0   0
37387 -  0   0   0   0   0   0   0   0   0   0   0   0
37388 -  0   0   0   0   0   0   0   0   0   0   0   0
37389 -  0   0   0   0   0   0   0   0   0   0   0   0
37390 -  0   0   0   6   6   6  14  14  14  42  42  42
37391 - 90  90  90  18  18  18  18  18  18  26  26  26
37392 -  2   2   6 116 116 116 253 253 253 253 253 253
37393 -253 253 253 253 253 253 253 253 253 253 253 253
37394 -253 253 253 253 253 253 250 250 250 238 238 238
37395 -253 253 253 253 253 253 253 253 253 253 253 253
37396 -253 253 253 253 253 253 253 253 253 253 253 253
37397 -253 253 253 253 253 253 253 253 253 253 253 253
37398 -253 253 253 253 253 253 253 253 253 253 253 253
37399 -253 253 253 253 253 253  94  94  94   6   6   6
37400 -  2   2   6   2   2   6  10  10  10  34  34  34
37401 -  2   2   6   2   2   6   2   2   6   2   2   6
37402 - 74  74  74  58  58  58  22  22  22   6   6   6
37403 -  0   0   0   0   0   0   0   0   0   0   0   0
37404 -  0   0   0   0   0   0   0   0   0   0   0   0
37405 -  0   0   0   0   0   0   0   0   0   0   0   0
37406 -  0   0   0   0   0   0   0   0   0   0   0   0
37407 -  0   0   0   0   0   0   0   0   0   0   0   0
37408 -  0   0   0   0   0   0   0   0   0   0   0   0
37409 -  0   0   0   0   0   0   0   0   0   0   0   0
37410 -  0   0   0  10  10  10  26  26  26  66  66  66
37411 - 82  82  82   2   2   6  38  38  38   6   6   6
37412 - 14  14  14 210 210 210 253 253 253 253 253 253
37413 -253 253 253 253 253 253 253 253 253 253 253 253
37414 -253 253 253 253 253 253 246 246 246 242 242 242
37415 -253 253 253 253 253 253 253 253 253 253 253 253
37416 -253 253 253 253 253 253 253 253 253 253 253 253
37417 -253 253 253 253 253 253 253 253 253 253 253 253
37418 -253 253 253 253 253 253 253 253 253 253 253 253
37419 -253 253 253 253 253 253 144 144 144   2   2   6
37420 -  2   2   6   2   2   6   2   2   6  46  46  46
37421 -  2   2   6   2   2   6   2   2   6   2   2   6
37422 - 42  42  42  74  74  74  30  30  30  10  10  10
37423 -  0   0   0   0   0   0   0   0   0   0   0   0
37424 -  0   0   0   0   0   0   0   0   0   0   0   0
37425 -  0   0   0   0   0   0   0   0   0   0   0   0
37426 -  0   0   0   0   0   0   0   0   0   0   0   0
37427 -  0   0   0   0   0   0   0   0   0   0   0   0
37428 -  0   0   0   0   0   0   0   0   0   0   0   0
37429 -  0   0   0   0   0   0   0   0   0   0   0   0
37430 -  6   6   6  14  14  14  42  42  42  90  90  90
37431 - 26  26  26   6   6   6  42  42  42   2   2   6
37432 - 74  74  74 250 250 250 253 253 253 253 253 253
37433 -253 253 253 253 253 253 253 253 253 253 253 253
37434 -253 253 253 253 253 253 242 242 242 242 242 242
37435 -253 253 253 253 253 253 253 253 253 253 253 253
37436 -253 253 253 253 253 253 253 253 253 253 253 253
37437 -253 253 253 253 253 253 253 253 253 253 253 253
37438 -253 253 253 253 253 253 253 253 253 253 253 253
37439 -253 253 253 253 253 253 182 182 182   2   2   6
37440 -  2   2   6   2   2   6   2   2   6  46  46  46
37441 -  2   2   6   2   2   6   2   2   6   2   2   6
37442 - 10  10  10  86  86  86  38  38  38  10  10  10
37443 -  0   0   0   0   0   0   0   0   0   0   0   0
37444 -  0   0   0   0   0   0   0   0   0   0   0   0
37445 -  0   0   0   0   0   0   0   0   0   0   0   0
37446 -  0   0   0   0   0   0   0   0   0   0   0   0
37447 -  0   0   0   0   0   0   0   0   0   0   0   0
37448 -  0   0   0   0   0   0   0   0   0   0   0   0
37449 -  0   0   0   0   0   0   0   0   0   0   0   0
37450 - 10  10  10  26  26  26  66  66  66  82  82  82
37451 -  2   2   6  22  22  22  18  18  18   2   2   6
37452 -149 149 149 253 253 253 253 253 253 253 253 253
37453 -253 253 253 253 253 253 253 253 253 253 253 253
37454 -253 253 253 253 253 253 234 234 234 242 242 242
37455 -253 253 253 253 253 253 253 253 253 253 253 253
37456 -253 253 253 253 253 253 253 253 253 253 253 253
37457 -253 253 253 253 253 253 253 253 253 253 253 253
37458 -253 253 253 253 253 253 253 253 253 253 253 253
37459 -253 253 253 253 253 253 206 206 206   2   2   6
37460 -  2   2   6   2   2   6   2   2   6  38  38  38
37461 -  2   2   6   2   2   6   2   2   6   2   2   6
37462 -  6   6   6  86  86  86  46  46  46  14  14  14
37463 -  0   0   0   0   0   0   0   0   0   0   0   0
37464 -  0   0   0   0   0   0   0   0   0   0   0   0
37465 -  0   0   0   0   0   0   0   0   0   0   0   0
37466 -  0   0   0   0   0   0   0   0   0   0   0   0
37467 -  0   0   0   0   0   0   0   0   0   0   0   0
37468 -  0   0   0   0   0   0   0   0   0   0   0   0
37469 -  0   0   0   0   0   0   0   0   0   6   6   6
37470 - 18  18  18  46  46  46  86  86  86  18  18  18
37471 -  2   2   6  34  34  34  10  10  10   6   6   6
37472 -210 210 210 253 253 253 253 253 253 253 253 253
37473 -253 253 253 253 253 253 253 253 253 253 253 253
37474 -253 253 253 253 253 253 234 234 234 242 242 242
37475 -253 253 253 253 253 253 253 253 253 253 253 253
37476 -253 253 253 253 253 253 253 253 253 253 253 253
37477 -253 253 253 253 253 253 253 253 253 253 253 253
37478 -253 253 253 253 253 253 253 253 253 253 253 253
37479 -253 253 253 253 253 253 221 221 221   6   6   6
37480 -  2   2   6   2   2   6   6   6   6  30  30  30
37481 -  2   2   6   2   2   6   2   2   6   2   2   6
37482 -  2   2   6  82  82  82  54  54  54  18  18  18
37483 -  6   6   6   0   0   0   0   0   0   0   0   0
37484 -  0   0   0   0   0   0   0   0   0   0   0   0
37485 -  0   0   0   0   0   0   0   0   0   0   0   0
37486 -  0   0   0   0   0   0   0   0   0   0   0   0
37487 -  0   0   0   0   0   0   0   0   0   0   0   0
37488 -  0   0   0   0   0   0   0   0   0   0   0   0
37489 -  0   0   0   0   0   0   0   0   0  10  10  10
37490 - 26  26  26  66  66  66  62  62  62   2   2   6
37491 -  2   2   6  38  38  38  10  10  10  26  26  26
37492 -238 238 238 253 253 253 253 253 253 253 253 253
37493 -253 253 253 253 253 253 253 253 253 253 253 253
37494 -253 253 253 253 253 253 231 231 231 238 238 238
37495 -253 253 253 253 253 253 253 253 253 253 253 253
37496 -253 253 253 253 253 253 253 253 253 253 253 253
37497 -253 253 253 253 253 253 253 253 253 253 253 253
37498 -253 253 253 253 253 253 253 253 253 253 253 253
37499 -253 253 253 253 253 253 231 231 231   6   6   6
37500 -  2   2   6   2   2   6  10  10  10  30  30  30
37501 -  2   2   6   2   2   6   2   2   6   2   2   6
37502 -  2   2   6  66  66  66  58  58  58  22  22  22
37503 -  6   6   6   0   0   0   0   0   0   0   0   0
37504 -  0   0   0   0   0   0   0   0   0   0   0   0
37505 -  0   0   0   0   0   0   0   0   0   0   0   0
37506 -  0   0   0   0   0   0   0   0   0   0   0   0
37507 -  0   0   0   0   0   0   0   0   0   0   0   0
37508 -  0   0   0   0   0   0   0   0   0   0   0   0
37509 -  0   0   0   0   0   0   0   0   0  10  10  10
37510 - 38  38  38  78  78  78   6   6   6   2   2   6
37511 -  2   2   6  46  46  46  14  14  14  42  42  42
37512 -246 246 246 253 253 253 253 253 253 253 253 253
37513 -253 253 253 253 253 253 253 253 253 253 253 253
37514 -253 253 253 253 253 253 231 231 231 242 242 242
37515 -253 253 253 253 253 253 253 253 253 253 253 253
37516 -253 253 253 253 253 253 253 253 253 253 253 253
37517 -253 253 253 253 253 253 253 253 253 253 253 253
37518 -253 253 253 253 253 253 253 253 253 253 253 253
37519 -253 253 253 253 253 253 234 234 234  10  10  10
37520 -  2   2   6   2   2   6  22  22  22  14  14  14
37521 -  2   2   6   2   2   6   2   2   6   2   2   6
37522 -  2   2   6  66  66  66  62  62  62  22  22  22
37523 -  6   6   6   0   0   0   0   0   0   0   0   0
37524 -  0   0   0   0   0   0   0   0   0   0   0   0
37525 -  0   0   0   0   0   0   0   0   0   0   0   0
37526 -  0   0   0   0   0   0   0   0   0   0   0   0
37527 -  0   0   0   0   0   0   0   0   0   0   0   0
37528 -  0   0   0   0   0   0   0   0   0   0   0   0
37529 -  0   0   0   0   0   0   6   6   6  18  18  18
37530 - 50  50  50  74  74  74   2   2   6   2   2   6
37531 - 14  14  14  70  70  70  34  34  34  62  62  62
37532 -250 250 250 253 253 253 253 253 253 253 253 253
37533 -253 253 253 253 253 253 253 253 253 253 253 253
37534 -253 253 253 253 253 253 231 231 231 246 246 246
37535 -253 253 253 253 253 253 253 253 253 253 253 253
37536 -253 253 253 253 253 253 253 253 253 253 253 253
37537 -253 253 253 253 253 253 253 253 253 253 253 253
37538 -253 253 253 253 253 253 253 253 253 253 253 253
37539 -253 253 253 253 253 253 234 234 234  14  14  14
37540 -  2   2   6   2   2   6  30  30  30   2   2   6
37541 -  2   2   6   2   2   6   2   2   6   2   2   6
37542 -  2   2   6  66  66  66  62  62  62  22  22  22
37543 -  6   6   6   0   0   0   0   0   0   0   0   0
37544 -  0   0   0   0   0   0   0   0   0   0   0   0
37545 -  0   0   0   0   0   0   0   0   0   0   0   0
37546 -  0   0   0   0   0   0   0   0   0   0   0   0
37547 -  0   0   0   0   0   0   0   0   0   0   0   0
37548 -  0   0   0   0   0   0   0   0   0   0   0   0
37549 -  0   0   0   0   0   0   6   6   6  18  18  18
37550 - 54  54  54  62  62  62   2   2   6   2   2   6
37551 -  2   2   6  30  30  30  46  46  46  70  70  70
37552 -250 250 250 253 253 253 253 253 253 253 253 253
37553 -253 253 253 253 253 253 253 253 253 253 253 253
37554 -253 253 253 253 253 253 231 231 231 246 246 246
37555 -253 253 253 253 253 253 253 253 253 253 253 253
37556 -253 253 253 253 253 253 253 253 253 253 253 253
37557 -253 253 253 253 253 253 253 253 253 253 253 253
37558 -253 253 253 253 253 253 253 253 253 253 253 253
37559 -253 253 253 253 253 253 226 226 226  10  10  10
37560 -  2   2   6   6   6   6  30  30  30   2   2   6
37561 -  2   2   6   2   2   6   2   2   6   2   2   6
37562 -  2   2   6  66  66  66  58  58  58  22  22  22
37563 -  6   6   6   0   0   0   0   0   0   0   0   0
37564 -  0   0   0   0   0   0   0   0   0   0   0   0
37565 -  0   0   0   0   0   0   0   0   0   0   0   0
37566 -  0   0   0   0   0   0   0   0   0   0   0   0
37567 -  0   0   0   0   0   0   0   0   0   0   0   0
37568 -  0   0   0   0   0   0   0   0   0   0   0   0
37569 -  0   0   0   0   0   0   6   6   6  22  22  22
37570 - 58  58  58  62  62  62   2   2   6   2   2   6
37571 -  2   2   6   2   2   6  30  30  30  78  78  78
37572 -250 250 250 253 253 253 253 253 253 253 253 253
37573 -253 253 253 253 253 253 253 253 253 253 253 253
37574 -253 253 253 253 253 253 231 231 231 246 246 246
37575 -253 253 253 253 253 253 253 253 253 253 253 253
37576 -253 253 253 253 253 253 253 253 253 253 253 253
37577 -253 253 253 253 253 253 253 253 253 253 253 253
37578 -253 253 253 253 253 253 253 253 253 253 253 253
37579 -253 253 253 253 253 253 206 206 206   2   2   6
37580 - 22  22  22  34  34  34  18  14   6  22  22  22
37581 - 26  26  26  18  18  18   6   6   6   2   2   6
37582 -  2   2   6  82  82  82  54  54  54  18  18  18
37583 -  6   6   6   0   0   0   0   0   0   0   0   0
37584 -  0   0   0   0   0   0   0   0   0   0   0   0
37585 -  0   0   0   0   0   0   0   0   0   0   0   0
37586 -  0   0   0   0   0   0   0   0   0   0   0   0
37587 -  0   0   0   0   0   0   0   0   0   0   0   0
37588 -  0   0   0   0   0   0   0   0   0   0   0   0
37589 -  0   0   0   0   0   0   6   6   6  26  26  26
37590 - 62  62  62 106 106 106  74  54  14 185 133  11
37591 -210 162  10 121  92   8   6   6   6  62  62  62
37592 -238 238 238 253 253 253 253 253 253 253 253 253
37593 -253 253 253 253 253 253 253 253 253 253 253 253
37594 -253 253 253 253 253 253 231 231 231 246 246 246
37595 -253 253 253 253 253 253 253 253 253 253 253 253
37596 -253 253 253 253 253 253 253 253 253 253 253 253
37597 -253 253 253 253 253 253 253 253 253 253 253 253
37598 -253 253 253 253 253 253 253 253 253 253 253 253
37599 -253 253 253 253 253 253 158 158 158  18  18  18
37600 - 14  14  14   2   2   6   2   2   6   2   2   6
37601 -  6   6   6  18  18  18  66  66  66  38  38  38
37602 -  6   6   6  94  94  94  50  50  50  18  18  18
37603 -  6   6   6   0   0   0   0   0   0   0   0   0
37604 -  0   0   0   0   0   0   0   0   0   0   0   0
37605 -  0   0   0   0   0   0   0   0   0   0   0   0
37606 -  0   0   0   0   0   0   0   0   0   0   0   0
37607 -  0   0   0   0   0   0   0   0   0   0   0   0
37608 -  0   0   0   0   0   0   0   0   0   6   6   6
37609 - 10  10  10  10  10  10  18  18  18  38  38  38
37610 - 78  78  78 142 134 106 216 158  10 242 186  14
37611 -246 190  14 246 190  14 156 118  10  10  10  10
37612 - 90  90  90 238 238 238 253 253 253 253 253 253
37613 -253 253 253 253 253 253 253 253 253 253 253 253
37614 -253 253 253 253 253 253 231 231 231 250 250 250
37615 -253 253 253 253 253 253 253 253 253 253 253 253
37616 -253 253 253 253 253 253 253 253 253 253 253 253
37617 -253 253 253 253 253 253 253 253 253 253 253 253
37618 -253 253 253 253 253 253 253 253 253 246 230 190
37619 -238 204  91 238 204  91 181 142  44  37  26   9
37620 -  2   2   6   2   2   6   2   2   6   2   2   6
37621 -  2   2   6   2   2   6  38  38  38  46  46  46
37622 - 26  26  26 106 106 106  54  54  54  18  18  18
37623 -  6   6   6   0   0   0   0   0   0   0   0   0
37624 -  0   0   0   0   0   0   0   0   0   0   0   0
37625 -  0   0   0   0   0   0   0   0   0   0   0   0
37626 -  0   0   0   0   0   0   0   0   0   0   0   0
37627 -  0   0   0   0   0   0   0   0   0   0   0   0
37628 -  0   0   0   6   6   6  14  14  14  22  22  22
37629 - 30  30  30  38  38  38  50  50  50  70  70  70
37630 -106 106 106 190 142  34 226 170  11 242 186  14
37631 -246 190  14 246 190  14 246 190  14 154 114  10
37632 -  6   6   6  74  74  74 226 226 226 253 253 253
37633 -253 253 253 253 253 253 253 253 253 253 253 253
37634 -253 253 253 253 253 253 231 231 231 250 250 250
37635 -253 253 253 253 253 253 253 253 253 253 253 253
37636 -253 253 253 253 253 253 253 253 253 253 253 253
37637 -253 253 253 253 253 253 253 253 253 253 253 253
37638 -253 253 253 253 253 253 253 253 253 228 184  62
37639 -241 196  14 241 208  19 232 195  16  38  30  10
37640 -  2   2   6   2   2   6   2   2   6   2   2   6
37641 -  2   2   6   6   6   6  30  30  30  26  26  26
37642 -203 166  17 154 142  90  66  66  66  26  26  26
37643 -  6   6   6   0   0   0   0   0   0   0   0   0
37644 -  0   0   0   0   0   0   0   0   0   0   0   0
37645 -  0   0   0   0   0   0   0   0   0   0   0   0
37646 -  0   0   0   0   0   0   0   0   0   0   0   0
37647 -  0   0   0   0   0   0   0   0   0   0   0   0
37648 -  6   6   6  18  18  18  38  38  38  58  58  58
37649 - 78  78  78  86  86  86 101 101 101 123 123 123
37650 -175 146  61 210 150  10 234 174  13 246 186  14
37651 -246 190  14 246 190  14 246 190  14 238 190  10
37652 -102  78  10   2   2   6  46  46  46 198 198 198
37653 -253 253 253 253 253 253 253 253 253 253 253 253
37654 -253 253 253 253 253 253 234 234 234 242 242 242
37655 -253 253 253 253 253 253 253 253 253 253 253 253
37656 -253 253 253 253 253 253 253 253 253 253 253 253
37657 -253 253 253 253 253 253 253 253 253 253 253 253
37658 -253 253 253 253 253 253 253 253 253 224 178  62
37659 -242 186  14 241 196  14 210 166  10  22  18   6
37660 -  2   2   6   2   2   6   2   2   6   2   2   6
37661 -  2   2   6   2   2   6   6   6   6 121  92   8
37662 -238 202  15 232 195  16  82  82  82  34  34  34
37663 - 10  10  10   0   0   0   0   0   0   0   0   0
37664 -  0   0   0   0   0   0   0   0   0   0   0   0
37665 -  0   0   0   0   0   0   0   0   0   0   0   0
37666 -  0   0   0   0   0   0   0   0   0   0   0   0
37667 -  0   0   0   0   0   0   0   0   0   0   0   0
37668 - 14  14  14  38  38  38  70  70  70 154 122  46
37669 -190 142  34 200 144  11 197 138  11 197 138  11
37670 -213 154  11 226 170  11 242 186  14 246 190  14
37671 -246 190  14 246 190  14 246 190  14 246 190  14
37672 -225 175  15  46  32   6   2   2   6  22  22  22
37673 -158 158 158 250 250 250 253 253 253 253 253 253
37674 -253 253 253 253 253 253 253 253 253 253 253 253
37675 -253 253 253 253 253 253 253 253 253 253 253 253
37676 -253 253 253 253 253 253 253 253 253 253 253 253
37677 -253 253 253 253 253 253 253 253 253 253 253 253
37678 -253 253 253 250 250 250 242 242 242 224 178  62
37679 -239 182  13 236 186  11 213 154  11  46  32   6
37680 -  2   2   6   2   2   6   2   2   6   2   2   6
37681 -  2   2   6   2   2   6  61  42   6 225 175  15
37682 -238 190  10 236 186  11 112 100  78  42  42  42
37683 - 14  14  14   0   0   0   0   0   0   0   0   0
37684 -  0   0   0   0   0   0   0   0   0   0   0   0
37685 -  0   0   0   0   0   0   0   0   0   0   0   0
37686 -  0   0   0   0   0   0   0   0   0   0   0   0
37687 -  0   0   0   0   0   0   0   0   0   6   6   6
37688 - 22  22  22  54  54  54 154 122  46 213 154  11
37689 -226 170  11 230 174  11 226 170  11 226 170  11
37690 -236 178  12 242 186  14 246 190  14 246 190  14
37691 -246 190  14 246 190  14 246 190  14 246 190  14
37692 -241 196  14 184 144  12  10  10  10   2   2   6
37693 -  6   6   6 116 116 116 242 242 242 253 253 253
37694 -253 253 253 253 253 253 253 253 253 253 253 253
37695 -253 253 253 253 253 253 253 253 253 253 253 253
37696 -253 253 253 253 253 253 253 253 253 253 253 253
37697 -253 253 253 253 253 253 253 253 253 253 253 253
37698 -253 253 253 231 231 231 198 198 198 214 170  54
37699 -236 178  12 236 178  12 210 150  10 137  92   6
37700 - 18  14   6   2   2   6   2   2   6   2   2   6
37701 -  6   6   6  70  47   6 200 144  11 236 178  12
37702 -239 182  13 239 182  13 124 112  88  58  58  58
37703 - 22  22  22   6   6   6   0   0   0   0   0   0
37704 -  0   0   0   0   0   0   0   0   0   0   0   0
37705 -  0   0   0   0   0   0   0   0   0   0   0   0
37706 -  0   0   0   0   0   0   0   0   0   0   0   0
37707 -  0   0   0   0   0   0   0   0   0  10  10  10
37708 - 30  30  30  70  70  70 180 133  36 226 170  11
37709 -239 182  13 242 186  14 242 186  14 246 186  14
37710 -246 190  14 246 190  14 246 190  14 246 190  14
37711 -246 190  14 246 190  14 246 190  14 246 190  14
37712 -246 190  14 232 195  16  98  70   6   2   2   6
37713 -  2   2   6   2   2   6  66  66  66 221 221 221
37714 -253 253 253 253 253 253 253 253 253 253 253 253
37715 -253 253 253 253 253 253 253 253 253 253 253 253
37716 -253 253 253 253 253 253 253 253 253 253 253 253
37717 -253 253 253 253 253 253 253 253 253 253 253 253
37718 -253 253 253 206 206 206 198 198 198 214 166  58
37719 -230 174  11 230 174  11 216 158  10 192 133   9
37720 -163 110   8 116  81   8 102  78  10 116  81   8
37721 -167 114   7 197 138  11 226 170  11 239 182  13
37722 -242 186  14 242 186  14 162 146  94  78  78  78
37723 - 34  34  34  14  14  14   6   6   6   0   0   0
37724 -  0   0   0   0   0   0   0   0   0   0   0   0
37725 -  0   0   0   0   0   0   0   0   0   0   0   0
37726 -  0   0   0   0   0   0   0   0   0   0   0   0
37727 -  0   0   0   0   0   0   0   0   0   6   6   6
37728 - 30  30  30  78  78  78 190 142  34 226 170  11
37729 -239 182  13 246 190  14 246 190  14 246 190  14
37730 -246 190  14 246 190  14 246 190  14 246 190  14
37731 -246 190  14 246 190  14 246 190  14 246 190  14
37732 -246 190  14 241 196  14 203 166  17  22  18   6
37733 -  2   2   6   2   2   6   2   2   6  38  38  38
37734 -218 218 218 253 253 253 253 253 253 253 253 253
37735 -253 253 253 253 253 253 253 253 253 253 253 253
37736 -253 253 253 253 253 253 253 253 253 253 253 253
37737 -253 253 253 253 253 253 253 253 253 253 253 253
37738 -250 250 250 206 206 206 198 198 198 202 162  69
37739 -226 170  11 236 178  12 224 166  10 210 150  10
37740 -200 144  11 197 138  11 192 133   9 197 138  11
37741 -210 150  10 226 170  11 242 186  14 246 190  14
37742 -246 190  14 246 186  14 225 175  15 124 112  88
37743 - 62  62  62  30  30  30  14  14  14   6   6   6
37744 -  0   0   0   0   0   0   0   0   0   0   0   0
37745 -  0   0   0   0   0   0   0   0   0   0   0   0
37746 -  0   0   0   0   0   0   0   0   0   0   0   0
37747 -  0   0   0   0   0   0   0   0   0  10  10  10
37748 - 30  30  30  78  78  78 174 135  50 224 166  10
37749 -239 182  13 246 190  14 246 190  14 246 190  14
37750 -246 190  14 246 190  14 246 190  14 246 190  14
37751 -246 190  14 246 190  14 246 190  14 246 190  14
37752 -246 190  14 246 190  14 241 196  14 139 102  15
37753 -  2   2   6   2   2   6   2   2   6   2   2   6
37754 - 78  78  78 250 250 250 253 253 253 253 253 253
37755 -253 253 253 253 253 253 253 253 253 253 253 253
37756 -253 253 253 253 253 253 253 253 253 253 253 253
37757 -253 253 253 253 253 253 253 253 253 253 253 253
37758 -250 250 250 214 214 214 198 198 198 190 150  46
37759 -219 162  10 236 178  12 234 174  13 224 166  10
37760 -216 158  10 213 154  11 213 154  11 216 158  10
37761 -226 170  11 239 182  13 246 190  14 246 190  14
37762 -246 190  14 246 190  14 242 186  14 206 162  42
37763 -101 101 101  58  58  58  30  30  30  14  14  14
37764 -  6   6   6   0   0   0   0   0   0   0   0   0
37765 -  0   0   0   0   0   0   0   0   0   0   0   0
37766 -  0   0   0   0   0   0   0   0   0   0   0   0
37767 -  0   0   0   0   0   0   0   0   0  10  10  10
37768 - 30  30  30  74  74  74 174 135  50 216 158  10
37769 -236 178  12 246 190  14 246 190  14 246 190  14
37770 -246 190  14 246 190  14 246 190  14 246 190  14
37771 -246 190  14 246 190  14 246 190  14 246 190  14
37772 -246 190  14 246 190  14 241 196  14 226 184  13
37773 - 61  42   6   2   2   6   2   2   6   2   2   6
37774 - 22  22  22 238 238 238 253 253 253 253 253 253
37775 -253 253 253 253 253 253 253 253 253 253 253 253
37776 -253 253 253 253 253 253 253 253 253 253 253 253
37777 -253 253 253 253 253 253 253 253 253 253 253 253
37778 -253 253 253 226 226 226 187 187 187 180 133  36
37779 -216 158  10 236 178  12 239 182  13 236 178  12
37780 -230 174  11 226 170  11 226 170  11 230 174  11
37781 -236 178  12 242 186  14 246 190  14 246 190  14
37782 -246 190  14 246 190  14 246 186  14 239 182  13
37783 -206 162  42 106 106 106  66  66  66  34  34  34
37784 - 14  14  14   6   6   6   0   0   0   0   0   0
37785 -  0   0   0   0   0   0   0   0   0   0   0   0
37786 -  0   0   0   0   0   0   0   0   0   0   0   0
37787 -  0   0   0   0   0   0   0   0   0   6   6   6
37788 - 26  26  26  70  70  70 163 133  67 213 154  11
37789 -236 178  12 246 190  14 246 190  14 246 190  14
37790 -246 190  14 246 190  14 246 190  14 246 190  14
37791 -246 190  14 246 190  14 246 190  14 246 190  14
37792 -246 190  14 246 190  14 246 190  14 241 196  14
37793 -190 146  13  18  14   6   2   2   6   2   2   6
37794 - 46  46  46 246 246 246 253 253 253 253 253 253
37795 -253 253 253 253 253 253 253 253 253 253 253 253
37796 -253 253 253 253 253 253 253 253 253 253 253 253
37797 -253 253 253 253 253 253 253 253 253 253 253 253
37798 -253 253 253 221 221 221  86  86  86 156 107  11
37799 -216 158  10 236 178  12 242 186  14 246 186  14
37800 -242 186  14 239 182  13 239 182  13 242 186  14
37801 -242 186  14 246 186  14 246 190  14 246 190  14
37802 -246 190  14 246 190  14 246 190  14 246 190  14
37803 -242 186  14 225 175  15 142 122  72  66  66  66
37804 - 30  30  30  10  10  10   0   0   0   0   0   0
37805 -  0   0   0   0   0   0   0   0   0   0   0   0
37806 -  0   0   0   0   0   0   0   0   0   0   0   0
37807 -  0   0   0   0   0   0   0   0   0   6   6   6
37808 - 26  26  26  70  70  70 163 133  67 210 150  10
37809 -236 178  12 246 190  14 246 190  14 246 190  14
37810 -246 190  14 246 190  14 246 190  14 246 190  14
37811 -246 190  14 246 190  14 246 190  14 246 190  14
37812 -246 190  14 246 190  14 246 190  14 246 190  14
37813 -232 195  16 121  92   8  34  34  34 106 106 106
37814 -221 221 221 253 253 253 253 253 253 253 253 253
37815 -253 253 253 253 253 253 253 253 253 253 253 253
37816 -253 253 253 253 253 253 253 253 253 253 253 253
37817 -253 253 253 253 253 253 253 253 253 253 253 253
37818 -242 242 242  82  82  82  18  14   6 163 110   8
37819 -216 158  10 236 178  12 242 186  14 246 190  14
37820 -246 190  14 246 190  14 246 190  14 246 190  14
37821 -246 190  14 246 190  14 246 190  14 246 190  14
37822 -246 190  14 246 190  14 246 190  14 246 190  14
37823 -246 190  14 246 190  14 242 186  14 163 133  67
37824 - 46  46  46  18  18  18   6   6   6   0   0   0
37825 -  0   0   0   0   0   0   0   0   0   0   0   0
37826 -  0   0   0   0   0   0   0   0   0   0   0   0
37827 -  0   0   0   0   0   0   0   0   0  10  10  10
37828 - 30  30  30  78  78  78 163 133  67 210 150  10
37829 -236 178  12 246 186  14 246 190  14 246 190  14
37830 -246 190  14 246 190  14 246 190  14 246 190  14
37831 -246 190  14 246 190  14 246 190  14 246 190  14
37832 -246 190  14 246 190  14 246 190  14 246 190  14
37833 -241 196  14 215 174  15 190 178 144 253 253 253
37834 -253 253 253 253 253 253 253 253 253 253 253 253
37835 -253 253 253 253 253 253 253 253 253 253 253 253
37836 -253 253 253 253 253 253 253 253 253 253 253 253
37837 -253 253 253 253 253 253 253 253 253 218 218 218
37838 - 58  58  58   2   2   6  22  18   6 167 114   7
37839 -216 158  10 236 178  12 246 186  14 246 190  14
37840 -246 190  14 246 190  14 246 190  14 246 190  14
37841 -246 190  14 246 190  14 246 190  14 246 190  14
37842 -246 190  14 246 190  14 246 190  14 246 190  14
37843 -246 190  14 246 186  14 242 186  14 190 150  46
37844 - 54  54  54  22  22  22   6   6   6   0   0   0
37845 -  0   0   0   0   0   0   0   0   0   0   0   0
37846 -  0   0   0   0   0   0   0   0   0   0   0   0
37847 -  0   0   0   0   0   0   0   0   0  14  14  14
37848 - 38  38  38  86  86  86 180 133  36 213 154  11
37849 -236 178  12 246 186  14 246 190  14 246 190  14
37850 -246 190  14 246 190  14 246 190  14 246 190  14
37851 -246 190  14 246 190  14 246 190  14 246 190  14
37852 -246 190  14 246 190  14 246 190  14 246 190  14
37853 -246 190  14 232 195  16 190 146  13 214 214 214
37854 -253 253 253 253 253 253 253 253 253 253 253 253
37855 -253 253 253 253 253 253 253 253 253 253 253 253
37856 -253 253 253 253 253 253 253 253 253 253 253 253
37857 -253 253 253 250 250 250 170 170 170  26  26  26
37858 -  2   2   6   2   2   6  37  26   9 163 110   8
37859 -219 162  10 239 182  13 246 186  14 246 190  14
37860 -246 190  14 246 190  14 246 190  14 246 190  14
37861 -246 190  14 246 190  14 246 190  14 246 190  14
37862 -246 190  14 246 190  14 246 190  14 246 190  14
37863 -246 186  14 236 178  12 224 166  10 142 122  72
37864 - 46  46  46  18  18  18   6   6   6   0   0   0
37865 -  0   0   0   0   0   0   0   0   0   0   0   0
37866 -  0   0   0   0   0   0   0   0   0   0   0   0
37867 -  0   0   0   0   0   0   6   6   6  18  18  18
37868 - 50  50  50 109 106  95 192 133   9 224 166  10
37869 -242 186  14 246 190  14 246 190  14 246 190  14
37870 -246 190  14 246 190  14 246 190  14 246 190  14
37871 -246 190  14 246 190  14 246 190  14 246 190  14
37872 -246 190  14 246 190  14 246 190  14 246 190  14
37873 -242 186  14 226 184  13 210 162  10 142 110  46
37874 -226 226 226 253 253 253 253 253 253 253 253 253
37875 -253 253 253 253 253 253 253 253 253 253 253 253
37876 -253 253 253 253 253 253 253 253 253 253 253 253
37877 -198 198 198  66  66  66   2   2   6   2   2   6
37878 -  2   2   6   2   2   6  50  34   6 156 107  11
37879 -219 162  10 239 182  13 246 186  14 246 190  14
37880 -246 190  14 246 190  14 246 190  14 246 190  14
37881 -246 190  14 246 190  14 246 190  14 246 190  14
37882 -246 190  14 246 190  14 246 190  14 242 186  14
37883 -234 174  13 213 154  11 154 122  46  66  66  66
37884 - 30  30  30  10  10  10   0   0   0   0   0   0
37885 -  0   0   0   0   0   0   0   0   0   0   0   0
37886 -  0   0   0   0   0   0   0   0   0   0   0   0
37887 -  0   0   0   0   0   0   6   6   6  22  22  22
37888 - 58  58  58 154 121  60 206 145  10 234 174  13
37889 -242 186  14 246 186  14 246 190  14 246 190  14
37890 -246 190  14 246 190  14 246 190  14 246 190  14
37891 -246 190  14 246 190  14 246 190  14 246 190  14
37892 -246 190  14 246 190  14 246 190  14 246 190  14
37893 -246 186  14 236 178  12 210 162  10 163 110   8
37894 - 61  42   6 138 138 138 218 218 218 250 250 250
37895 -253 253 253 253 253 253 253 253 253 250 250 250
37896 -242 242 242 210 210 210 144 144 144  66  66  66
37897 -  6   6   6   2   2   6   2   2   6   2   2   6
37898 -  2   2   6   2   2   6  61  42   6 163 110   8
37899 -216 158  10 236 178  12 246 190  14 246 190  14
37900 -246 190  14 246 190  14 246 190  14 246 190  14
37901 -246 190  14 246 190  14 246 190  14 246 190  14
37902 -246 190  14 239 182  13 230 174  11 216 158  10
37903 -190 142  34 124 112  88  70  70  70  38  38  38
37904 - 18  18  18   6   6   6   0   0   0   0   0   0
37905 -  0   0   0   0   0   0   0   0   0   0   0   0
37906 -  0   0   0   0   0   0   0   0   0   0   0   0
37907 -  0   0   0   0   0   0   6   6   6  22  22  22
37908 - 62  62  62 168 124  44 206 145  10 224 166  10
37909 -236 178  12 239 182  13 242 186  14 242 186  14
37910 -246 186  14 246 190  14 246 190  14 246 190  14
37911 -246 190  14 246 190  14 246 190  14 246 190  14
37912 -246 190  14 246 190  14 246 190  14 246 190  14
37913 -246 190  14 236 178  12 216 158  10 175 118   6
37914 - 80  54   7   2   2   6   6   6   6  30  30  30
37915 - 54  54  54  62  62  62  50  50  50  38  38  38
37916 - 14  14  14   2   2   6   2   2   6   2   2   6
37917 -  2   2   6   2   2   6   2   2   6   2   2   6
37918 -  2   2   6   6   6   6  80  54   7 167 114   7
37919 -213 154  11 236 178  12 246 190  14 246 190  14
37920 -246 190  14 246 190  14 246 190  14 246 190  14
37921 -246 190  14 242 186  14 239 182  13 239 182  13
37922 -230 174  11 210 150  10 174 135  50 124 112  88
37923 - 82  82  82  54  54  54  34  34  34  18  18  18
37924 -  6   6   6   0   0   0   0   0   0   0   0   0
37925 -  0   0   0   0   0   0   0   0   0   0   0   0
37926 -  0   0   0   0   0   0   0   0   0   0   0   0
37927 -  0   0   0   0   0   0   6   6   6  18  18  18
37928 - 50  50  50 158 118  36 192 133   9 200 144  11
37929 -216 158  10 219 162  10 224 166  10 226 170  11
37930 -230 174  11 236 178  12 239 182  13 239 182  13
37931 -242 186  14 246 186  14 246 190  14 246 190  14
37932 -246 190  14 246 190  14 246 190  14 246 190  14
37933 -246 186  14 230 174  11 210 150  10 163 110   8
37934 -104  69   6  10  10  10   2   2   6   2   2   6
37935 -  2   2   6   2   2   6   2   2   6   2   2   6
37936 -  2   2   6   2   2   6   2   2   6   2   2   6
37937 -  2   2   6   2   2   6   2   2   6   2   2   6
37938 -  2   2   6   6   6   6  91  60   6 167 114   7
37939 -206 145  10 230 174  11 242 186  14 246 190  14
37940 -246 190  14 246 190  14 246 186  14 242 186  14
37941 -239 182  13 230 174  11 224 166  10 213 154  11
37942 -180 133  36 124 112  88  86  86  86  58  58  58
37943 - 38  38  38  22  22  22  10  10  10   6   6   6
37944 -  0   0   0   0   0   0   0   0   0   0   0   0
37945 -  0   0   0   0   0   0   0   0   0   0   0   0
37946 -  0   0   0   0   0   0   0   0   0   0   0   0
37947 -  0   0   0   0   0   0   0   0   0  14  14  14
37948 - 34  34  34  70  70  70 138 110  50 158 118  36
37949 -167 114   7 180 123   7 192 133   9 197 138  11
37950 -200 144  11 206 145  10 213 154  11 219 162  10
37951 -224 166  10 230 174  11 239 182  13 242 186  14
37952 -246 186  14 246 186  14 246 186  14 246 186  14
37953 -239 182  13 216 158  10 185 133  11 152  99   6
37954 -104  69   6  18  14   6   2   2   6   2   2   6
37955 -  2   2   6   2   2   6   2   2   6   2   2   6
37956 -  2   2   6   2   2   6   2   2   6   2   2   6
37957 -  2   2   6   2   2   6   2   2   6   2   2   6
37958 -  2   2   6   6   6   6  80  54   7 152  99   6
37959 -192 133   9 219 162  10 236 178  12 239 182  13
37960 -246 186  14 242 186  14 239 182  13 236 178  12
37961 -224 166  10 206 145  10 192 133   9 154 121  60
37962 - 94  94  94  62  62  62  42  42  42  22  22  22
37963 - 14  14  14   6   6   6   0   0   0   0   0   0
37964 -  0   0   0   0   0   0   0   0   0   0   0   0
37965 -  0   0   0   0   0   0   0   0   0   0   0   0
37966 -  0   0   0   0   0   0   0   0   0   0   0   0
37967 -  0   0   0   0   0   0   0   0   0   6   6   6
37968 - 18  18  18  34  34  34  58  58  58  78  78  78
37969 -101  98  89 124 112  88 142 110  46 156 107  11
37970 -163 110   8 167 114   7 175 118   6 180 123   7
37971 -185 133  11 197 138  11 210 150  10 219 162  10
37972 -226 170  11 236 178  12 236 178  12 234 174  13
37973 -219 162  10 197 138  11 163 110   8 130  83   6
37974 - 91  60   6  10  10  10   2   2   6   2   2   6
37975 - 18  18  18  38  38  38  38  38  38  38  38  38
37976 - 38  38  38  38  38  38  38  38  38  38  38  38
37977 - 38  38  38  38  38  38  26  26  26   2   2   6
37978 -  2   2   6   6   6   6  70  47   6 137  92   6
37979 -175 118   6 200 144  11 219 162  10 230 174  11
37980 -234 174  13 230 174  11 219 162  10 210 150  10
37981 -192 133   9 163 110   8 124 112  88  82  82  82
37982 - 50  50  50  30  30  30  14  14  14   6   6   6
37983 -  0   0   0   0   0   0   0   0   0   0   0   0
37984 -  0   0   0   0   0   0   0   0   0   0   0   0
37985 -  0   0   0   0   0   0   0   0   0   0   0   0
37986 -  0   0   0   0   0   0   0   0   0   0   0   0
37987 -  0   0   0   0   0   0   0   0   0   0   0   0
37988 -  6   6   6  14  14  14  22  22  22  34  34  34
37989 - 42  42  42  58  58  58  74  74  74  86  86  86
37990 -101  98  89 122 102  70 130  98  46 121  87  25
37991 -137  92   6 152  99   6 163 110   8 180 123   7
37992 -185 133  11 197 138  11 206 145  10 200 144  11
37993 -180 123   7 156 107  11 130  83   6 104  69   6
37994 - 50  34   6  54  54  54 110 110 110 101  98  89
37995 - 86  86  86  82  82  82  78  78  78  78  78  78
37996 - 78  78  78  78  78  78  78  78  78  78  78  78
37997 - 78  78  78  82  82  82  86  86  86  94  94  94
37998 -106 106 106 101 101 101  86  66  34 124  80   6
37999 -156 107  11 180 123   7 192 133   9 200 144  11
38000 -206 145  10 200 144  11 192 133   9 175 118   6
38001 -139 102  15 109 106  95  70  70  70  42  42  42
38002 - 22  22  22  10  10  10   0   0   0   0   0   0
38003 -  0   0   0   0   0   0   0   0   0   0   0   0
38004 -  0   0   0   0   0   0   0   0   0   0   0   0
38005 -  0   0   0   0   0   0   0   0   0   0   0   0
38006 -  0   0   0   0   0   0   0   0   0   0   0   0
38007 -  0   0   0   0   0   0   0   0   0   0   0   0
38008 -  0   0   0   0   0   0   6   6   6  10  10  10
38009 - 14  14  14  22  22  22  30  30  30  38  38  38
38010 - 50  50  50  62  62  62  74  74  74  90  90  90
38011 -101  98  89 112 100  78 121  87  25 124  80   6
38012 -137  92   6 152  99   6 152  99   6 152  99   6
38013 -138  86   6 124  80   6  98  70   6  86  66  30
38014 -101  98  89  82  82  82  58  58  58  46  46  46
38015 - 38  38  38  34  34  34  34  34  34  34  34  34
38016 - 34  34  34  34  34  34  34  34  34  34  34  34
38017 - 34  34  34  34  34  34  38  38  38  42  42  42
38018 - 54  54  54  82  82  82  94  86  76  91  60   6
38019 -134  86   6 156 107  11 167 114   7 175 118   6
38020 -175 118   6 167 114   7 152  99   6 121  87  25
38021 -101  98  89  62  62  62  34  34  34  18  18  18
38022 -  6   6   6   0   0   0   0   0   0   0   0   0
38023 -  0   0   0   0   0   0   0   0   0   0   0   0
38024 -  0   0   0   0   0   0   0   0   0   0   0   0
38025 -  0   0   0   0   0   0   0   0   0   0   0   0
38026 -  0   0   0   0   0   0   0   0   0   0   0   0
38027 -  0   0   0   0   0   0   0   0   0   0   0   0
38028 -  0   0   0   0   0   0   0   0   0   0   0   0
38029 -  0   0   0   6   6   6   6   6   6  10  10  10
38030 - 18  18  18  22  22  22  30  30  30  42  42  42
38031 - 50  50  50  66  66  66  86  86  86 101  98  89
38032 -106  86  58  98  70   6 104  69   6 104  69   6
38033 -104  69   6  91  60   6  82  62  34  90  90  90
38034 - 62  62  62  38  38  38  22  22  22  14  14  14
38035 - 10  10  10  10  10  10  10  10  10  10  10  10
38036 - 10  10  10  10  10  10   6   6   6  10  10  10
38037 - 10  10  10  10  10  10  10  10  10  14  14  14
38038 - 22  22  22  42  42  42  70  70  70  89  81  66
38039 - 80  54   7 104  69   6 124  80   6 137  92   6
38040 -134  86   6 116  81   8 100  82  52  86  86  86
38041 - 58  58  58  30  30  30  14  14  14   6   6   6
38042 -  0   0   0   0   0   0   0   0   0   0   0   0
38043 -  0   0   0   0   0   0   0   0   0   0   0   0
38044 -  0   0   0   0   0   0   0   0   0   0   0   0
38045 -  0   0   0   0   0   0   0   0   0   0   0   0
38046 -  0   0   0   0   0   0   0   0   0   0   0   0
38047 -  0   0   0   0   0   0   0   0   0   0   0   0
38048 -  0   0   0   0   0   0   0   0   0   0   0   0
38049 -  0   0   0   0   0   0   0   0   0   0   0   0
38050 -  0   0   0   6   6   6  10  10  10  14  14  14
38051 - 18  18  18  26  26  26  38  38  38  54  54  54
38052 - 70  70  70  86  86  86  94  86  76  89  81  66
38053 - 89  81  66  86  86  86  74  74  74  50  50  50
38054 - 30  30  30  14  14  14   6   6   6   0   0   0
38055 -  0   0   0   0   0   0   0   0   0   0   0   0
38056 -  0   0   0   0   0   0   0   0   0   0   0   0
38057 -  0   0   0   0   0   0   0   0   0   0   0   0
38058 -  6   6   6  18  18  18  34  34  34  58  58  58
38059 - 82  82  82  89  81  66  89  81  66  89  81  66
38060 - 94  86  66  94  86  76  74  74  74  50  50  50
38061 - 26  26  26  14  14  14   6   6   6   0   0   0
38062 -  0   0   0   0   0   0   0   0   0   0   0   0
38063 -  0   0   0   0   0   0   0   0   0   0   0   0
38064 -  0   0   0   0   0   0   0   0   0   0   0   0
38065 -  0   0   0   0   0   0   0   0   0   0   0   0
38066 -  0   0   0   0   0   0   0   0   0   0   0   0
38067 -  0   0   0   0   0   0   0   0   0   0   0   0
38068 -  0   0   0   0   0   0   0   0   0   0   0   0
38069 -  0   0   0   0   0   0   0   0   0   0   0   0
38070 -  0   0   0   0   0   0   0   0   0   0   0   0
38071 -  6   6   6   6   6   6  14  14  14  18  18  18
38072 - 30  30  30  38  38  38  46  46  46  54  54  54
38073 - 50  50  50  42  42  42  30  30  30  18  18  18
38074 - 10  10  10   0   0   0   0   0   0   0   0   0
38075 -  0   0   0   0   0   0   0   0   0   0   0   0
38076 -  0   0   0   0   0   0   0   0   0   0   0   0
38077 -  0   0   0   0   0   0   0   0   0   0   0   0
38078 -  0   0   0   6   6   6  14  14  14  26  26  26
38079 - 38  38  38  50  50  50  58  58  58  58  58  58
38080 - 54  54  54  42  42  42  30  30  30  18  18  18
38081 - 10  10  10   0   0   0   0   0   0   0   0   0
38082 -  0   0   0   0   0   0   0   0   0   0   0   0
38083 -  0   0   0   0   0   0   0   0   0   0   0   0
38084 -  0   0   0   0   0   0   0   0   0   0   0   0
38085 -  0   0   0   0   0   0   0   0   0   0   0   0
38086 -  0   0   0   0   0   0   0   0   0   0   0   0
38087 -  0   0   0   0   0   0   0   0   0   0   0   0
38088 -  0   0   0   0   0   0   0   0   0   0   0   0
38089 -  0   0   0   0   0   0   0   0   0   0   0   0
38090 -  0   0   0   0   0   0   0   0   0   0   0   0
38091 -  0   0   0   0   0   0   0   0   0   6   6   6
38092 -  6   6   6  10  10  10  14  14  14  18  18  18
38093 - 18  18  18  14  14  14  10  10  10   6   6   6
38094 -  0   0   0   0   0   0   0   0   0   0   0   0
38095 -  0   0   0   0   0   0   0   0   0   0   0   0
38096 -  0   0   0   0   0   0   0   0   0   0   0   0
38097 -  0   0   0   0   0   0   0   0   0   0   0   0
38098 -  0   0   0   0   0   0   0   0   0   6   6   6
38099 - 14  14  14  18  18  18  22  22  22  22  22  22
38100 - 18  18  18  14  14  14  10  10  10   6   6   6
38101 -  0   0   0   0   0   0   0   0   0   0   0   0
38102 -  0   0   0   0   0   0   0   0   0   0   0   0
38103 -  0   0   0   0   0   0   0   0   0   0   0   0
38104 -  0   0   0   0   0   0   0   0   0   0   0   0
38105 -  0   0   0   0   0   0   0   0   0   0   0   0
38106 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38107 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38108 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38109 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38110 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38111 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38112 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38113 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38114 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38115 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38116 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38117 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38118 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38119 +4 4 4  4 4 4
38120 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38121 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38122 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38123 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38124 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38125 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38126 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38127 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38128 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38129 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38130 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38131 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38132 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38133 +4 4 4  4 4 4
38134 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38135 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38136 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38137 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38138 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38139 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38140 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38141 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38142 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38143 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38144 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38145 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38146 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38147 +4 4 4  4 4 4
38148 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38149 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38150 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38151 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38152 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38153 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38154 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38155 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38156 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38157 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38158 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38159 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38160 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38161 +4 4 4  4 4 4
38162 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38163 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38164 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38165 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38166 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38167 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38168 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38169 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38170 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38171 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38172 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38173 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38174 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38175 +4 4 4  4 4 4
38176 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38177 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38178 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38179 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38180 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38181 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38182 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38183 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38184 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38185 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38186 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38187 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38188 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38189 +4 4 4  4 4 4
38190 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38191 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38192 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38193 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38194 +4 4 4  4 4 4  4 4 4  3 3 3  0 0 0  0 0 0
38195 +0 0 0  0 0 0  0 0 0  0 0 0  3 3 3  4 4 4
38196 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38197 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38198 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38199 +4 4 4  4 4 4  4 4 4  4 4 4  1 1 1  0 0 0
38200 +0 0 0  3 3 3  4 4 4  4 4 4  4 4 4  4 4 4
38201 +4 4 4  4 4 4  4 4 4  2 1 0  2 1 0  3 2 2
38202 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38203 +4 4 4  4 4 4
38204 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38205 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38206 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38207 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38208 +4 4 4  4 4 4  2 2 2  0 0 0  3 4 3  26 28 28
38209 +37 38 37  37 38 37  14 17 19  2 2 2  0 0 0  2 2 2
38210 +5 5 5  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38211 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38212 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38213 +4 4 4  4 4 4  3 3 3  0 0 0  1 1 1  6 6 6
38214 +2 2 2  0 0 0  3 3 3  4 4 4  4 4 4  4 4 4
38215 +4 4 5  3 3 3  1 0 0  0 0 0  1 0 0  0 0 0
38216 +1 1 1  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38217 +4 4 4  4 4 4
38218 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38219 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38220 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38221 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38222 +2 2 2  0 0 0  0 0 0  14 17 19  60 74 84  137 136 137
38223 +153 152 153  137 136 137  125 124 125  60 73 81  6 6 6  3 1 0
38224 +0 0 0  3 3 3  4 4 4  4 4 4  4 4 4  4 4 4
38225 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38226 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38227 +4 4 4  4 4 4  0 0 0  4 4 4  41 54 63  125 124 125
38228 +60 73 81  6 6 6  4 0 0  3 3 3  4 4 4  4 4 4
38229 +4 4 4  0 0 0  6 9 11  41 54 63  41 65 82  22 30 35
38230 +2 2 2  2 1 0  4 4 4  4 4 4  4 4 4  4 4 4
38231 +4 4 4  4 4 4
38232 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38233 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38234 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38235 +4 4 4  4 4 4  5 5 5  5 5 5  2 2 2  0 0 0
38236 +4 0 0  6 6 6  41 54 63  137 136 137  174 174 174  167 166 167
38237 +165 164 165  165 164 165  163 162 163  163 162 163  125 124 125  41 54 63
38238 +1 1 1  0 0 0  0 0 0  3 3 3  5 5 5  4 4 4
38239 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38240 +4 4 4  4 4 4  4 4 4  4 4 4  5 5 5  5 5 5
38241 +3 3 3  2 0 0  4 0 0  60 73 81  156 155 156  167 166 167
38242 +163 162 163  85 115 134  5 7 8  0 0 0  4 4 4  5 5 5
38243 +0 0 0  2 5 5  55 98 126  90 154 193  90 154 193  72 125 159
38244 +37 51 59  2 0 0  1 1 1  4 5 5  4 4 4  4 4 4
38245 +4 4 4  4 4 4
38246 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38247 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38248 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38249 +4 4 4  5 5 5  4 4 4  1 1 1  0 0 0  3 3 3
38250 +37 38 37  125 124 125  163 162 163  174 174 174  158 157 158  158 157 158
38251 +156 155 156  156 155 156  158 157 158  165 164 165  174 174 174  166 165 166
38252 +125 124 125  16 19 21  1 0 0  0 0 0  0 0 0  4 4 4
38253 +5 5 5  5 5 5  4 4 4  4 4 4  4 4 4  4 4 4
38254 +4 4 4  4 4 4  4 4 4  5 5 5  5 5 5  1 1 1
38255 +0 0 0  0 0 0  37 38 37  153 152 153  174 174 174  158 157 158
38256 +174 174 174  163 162 163  37 38 37  4 3 3  4 0 0  1 1 1
38257 +0 0 0  22 40 52  101 161 196  101 161 196  90 154 193  101 161 196
38258 +64 123 161  14 17 19  0 0 0  4 4 4  4 4 4  4 4 4
38259 +4 4 4  4 4 4
38260 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38261 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38262 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  5 5 5
38263 +5 5 5  2 2 2  0 0 0  4 0 0  24 26 27  85 115 134
38264 +156 155 156  174 174 174  167 166 167  156 155 156  154 153 154  157 156 157
38265 +156 155 156  156 155 156  155 154 155  153 152 153  158 157 158  167 166 167
38266 +174 174 174  156 155 156  60 74 84  16 19 21  0 0 0  0 0 0
38267 +1 1 1  5 5 5  5 5 5  4 4 4  4 4 4  4 4 4
38268 +4 4 4  5 5 5  6 6 6  3 3 3  0 0 0  4 0 0
38269 +13 16 17  60 73 81  137 136 137  165 164 165  156 155 156  153 152 153
38270 +174 174 174  177 184 187  60 73 81  3 1 0  0 0 0  1 1 2
38271 +22 30 35  64 123 161  136 185 209  90 154 193  90 154 193  90 154 193
38272 +90 154 193  21 29 34  0 0 0  3 2 2  4 4 5  4 4 4
38273 +4 4 4  4 4 4
38274 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38275 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38276 +4 4 4  4 4 4  4 4 4  4 4 4  5 5 5  3 3 3
38277 +0 0 0  0 0 0  10 13 16  60 74 84  157 156 157  174 174 174
38278 +174 174 174  158 157 158  153 152 153  154 153 154  156 155 156  155 154 155
38279 +156 155 156  155 154 155  154 153 154  157 156 157  154 153 154  153 152 153
38280 +163 162 163  174 174 174  177 184 187  137 136 137  60 73 81  13 16 17
38281 +4 0 0  0 0 0  3 3 3  5 5 5  4 4 4  4 4 4
38282 +5 5 5  4 4 4  1 1 1  0 0 0  3 3 3  41 54 63
38283 +131 129 131  174 174 174  174 174 174  174 174 174  167 166 167  174 174 174
38284 +190 197 201  137 136 137  24 26 27  4 0 0  16 21 25  50 82 103
38285 +90 154 193  136 185 209  90 154 193  101 161 196  101 161 196  101 161 196
38286 +31 91 132  3 6 7  0 0 0  4 4 4  4 4 4  4 4 4
38287 +4 4 4  4 4 4
38288 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38289 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38290 +4 4 4  4 4 4  4 4 4  2 2 2  0 0 0  4 0 0
38291 +4 0 0  43 57 68  137 136 137  177 184 187  174 174 174  163 162 163
38292 +155 154 155  155 154 155  156 155 156  155 154 155  158 157 158  165 164 165
38293 +167 166 167  166 165 166  163 162 163  157 156 157  155 154 155  155 154 155
38294 +153 152 153  156 155 156  167 166 167  174 174 174  174 174 174  131 129 131
38295 +41 54 63  5 5 5  0 0 0  0 0 0  3 3 3  4 4 4
38296 +1 1 1  0 0 0  1 0 0  26 28 28  125 124 125  174 174 174
38297 +177 184 187  174 174 174  174 174 174  156 155 156  131 129 131  137 136 137
38298 +125 124 125  24 26 27  4 0 0  41 65 82  90 154 193  136 185 209
38299 +136 185 209  101 161 196  53 118 160  37 112 160  90 154 193  34 86 122
38300 +7 12 15  0 0 0  4 4 4  4 4 4  4 4 4  4 4 4
38301 +4 4 4  4 4 4
38302 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38303 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38304 +4 4 4  3 3 3  0 0 0  0 0 0  5 5 5  37 38 37
38305 +125 124 125  167 166 167  174 174 174  167 166 167  158 157 158  155 154 155
38306 +156 155 156  156 155 156  156 155 156  163 162 163  167 166 167  155 154 155
38307 +137 136 137  153 152 153  156 155 156  165 164 165  163 162 163  156 155 156
38308 +156 155 156  156 155 156  155 154 155  158 157 158  166 165 166  174 174 174
38309 +167 166 167  125 124 125  37 38 37  1 0 0  0 0 0  0 0 0
38310 +0 0 0  24 26 27  60 74 84  158 157 158  174 174 174  174 174 174
38311 +166 165 166  158 157 158  125 124 125  41 54 63  13 16 17  6 6 6
38312 +6 6 6  37 38 37  80 127 157  136 185 209  101 161 196  101 161 196
38313 +90 154 193  28 67 93  6 10 14  13 20 25  13 20 25  6 10 14
38314 +1 1 2  4 3 3  4 4 4  4 4 4  4 4 4  4 4 4
38315 +4 4 4  4 4 4
38316 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38317 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38318 +1 1 1  1 0 0  4 3 3  37 38 37  60 74 84  153 152 153
38319 +167 166 167  167 166 167  158 157 158  154 153 154  155 154 155  156 155 156
38320 +157 156 157  158 157 158  167 166 167  167 166 167  131 129 131  43 57 68
38321 +26 28 28  37 38 37  60 73 81  131 129 131  165 164 165  166 165 166
38322 +158 157 158  155 154 155  156 155 156  156 155 156  156 155 156  158 157 158
38323 +165 164 165  174 174 174  163 162 163  60 74 84  16 19 21  13 16 17
38324 +60 73 81  131 129 131  174 174 174  174 174 174  167 166 167  165 164 165
38325 +137 136 137  60 73 81  24 26 27  4 0 0  4 0 0  16 19 21
38326 +52 104 138  101 161 196  136 185 209  136 185 209  90 154 193  27 99 146
38327 +13 20 25  4 5 7  2 5 5  4 5 7  1 1 2  0 0 0
38328 +4 4 4  4 4 4  3 3 3  2 2 2  2 2 2  4 4 4
38329 +4 4 4  4 4 4
38330 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38331 +4 4 4  4 4 4  4 4 4  4 4 4  3 3 3  0 0 0
38332 +0 0 0  13 16 17  60 73 81  137 136 137  174 174 174  166 165 166
38333 +158 157 158  156 155 156  157 156 157  156 155 156  155 154 155  158 157 158
38334 +167 166 167  174 174 174  153 152 153  60 73 81  16 19 21  4 0 0
38335 +4 0 0  4 0 0  6 6 6  26 28 28  60 74 84  158 157 158
38336 +174 174 174  166 165 166  157 156 157  155 154 155  156 155 156  156 155 156
38337 +155 154 155  158 157 158  167 166 167  167 166 167  131 129 131  125 124 125
38338 +137 136 137  167 166 167  167 166 167  174 174 174  158 157 158  125 124 125
38339 +16 19 21  4 0 0  4 0 0  10 13 16  49 76 92  107 159 188
38340 +136 185 209  136 185 209  90 154 193  26 108 161  22 40 52  6 10 14
38341 +2 3 3  1 1 2  1 1 2  4 4 5  4 4 5  4 4 5
38342 +4 4 5  2 2 1  0 0 0  0 0 0  0 0 0  2 2 2
38343 +4 4 4  4 4 4
38344 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38345 +4 4 4  5 5 5  3 3 3  0 0 0  1 0 0  4 0 0
38346 +37 51 59  131 129 131  167 166 167  167 166 167  163 162 163  157 156 157
38347 +157 156 157  155 154 155  153 152 153  157 156 157  167 166 167  174 174 174
38348 +153 152 153  125 124 125  37 38 37  4 0 0  4 0 0  4 0 0
38349 +4 3 3  4 3 3  4 0 0  6 6 6  4 0 0  37 38 37
38350 +125 124 125  174 174 174  174 174 174  165 164 165  156 155 156  154 153 154
38351 +156 155 156  156 155 156  155 154 155  163 162 163  158 157 158  163 162 163
38352 +174 174 174  174 174 174  174 174 174  125 124 125  37 38 37  0 0 0
38353 +4 0 0  6 9 11  41 54 63  90 154 193  136 185 209  146 190 211
38354 +136 185 209  37 112 160  22 40 52  6 10 14  3 6 7  1 1 2
38355 +1 1 2  3 3 3  1 1 2  3 3 3  4 4 4  4 4 4
38356 +2 2 2  2 0 0  16 19 21  37 38 37  24 26 27  0 0 0
38357 +0 0 0  4 4 4
38358 +4 4 4  4 4 4  4 4 4  4 4 4  5 5 5  5 5 5
38359 +4 4 4  0 0 0  0 0 0  0 0 0  26 28 28  120 125 127
38360 +158 157 158  174 174 174  165 164 165  157 156 157  155 154 155  156 155 156
38361 +153 152 153  153 152 153  167 166 167  174 174 174  174 174 174  125 124 125
38362 +37 38 37  4 0 0  0 0 0  4 0 0  4 3 3  4 4 4
38363 +4 4 4  4 4 4  5 5 5  4 0 0  4 0 0  4 0 0
38364 +4 3 3  43 57 68  137 136 137  174 174 174  174 174 174  165 164 165
38365 +154 153 154  153 152 153  153 152 153  153 152 153  163 162 163  174 174 174
38366 +174 174 174  153 152 153  60 73 81  6 6 6  4 0 0  4 3 3
38367 +32 43 50  80 127 157  136 185 209  146 190 211  146 190 211  90 154 193
38368 +28 67 93  28 67 93  40 71 93  3 6 7  1 1 2  2 5 5
38369 +50 82 103  79 117 143  26 37 45  0 0 0  3 3 3  1 1 1
38370 +0 0 0  41 54 63  137 136 137  174 174 174  153 152 153  60 73 81
38371 +2 0 0  0 0 0
38372 +4 4 4  4 4 4  4 4 4  4 4 4  6 6 6  2 2 2
38373 +0 0 0  2 0 0  24 26 27  60 74 84  153 152 153  174 174 174
38374 +174 174 174  157 156 157  154 153 154  156 155 156  154 153 154  153 152 153
38375 +165 164 165  174 174 174  177 184 187  137 136 137  43 57 68  6 6 6
38376 +4 0 0  2 0 0  3 3 3  5 5 5  5 5 5  4 4 4
38377 +4 4 4  4 4 4  4 4 4  5 5 5  6 6 6  4 3 3
38378 +4 0 0  4 0 0  24 26 27  60 73 81  153 152 153  174 174 174
38379 +174 174 174  158 157 158  158 157 158  174 174 174  174 174 174  158 157 158
38380 +60 74 84  24 26 27  4 0 0  4 0 0  17 23 27  59 113 148
38381 +136 185 209  191 222 234  146 190 211  136 185 209  31 91 132  7 11 13
38382 +22 40 52  101 161 196  90 154 193  6 9 11  3 4 4  43 95 132
38383 +136 185 209  172 205 220  55 98 126  0 0 0  0 0 0  2 0 0
38384 +26 28 28  153 152 153  177 184 187  167 166 167  177 184 187  165 164 165
38385 +37 38 37  0 0 0
38386 +4 4 4  4 4 4  5 5 5  5 5 5  1 1 1  0 0 0
38387 +13 16 17  60 73 81  137 136 137  174 174 174  174 174 174  165 164 165
38388 +153 152 153  153 152 153  155 154 155  154 153 154  158 157 158  174 174 174
38389 +177 184 187  163 162 163  60 73 81  16 19 21  4 0 0  4 0 0
38390 +4 3 3  4 4 4  5 5 5  5 5 5  4 4 4  5 5 5
38391 +5 5 5  5 5 5  5 5 5  4 4 4  4 4 4  5 5 5
38392 +6 6 6  4 0 0  4 0 0  4 0 0  24 26 27  60 74 84
38393 +166 165 166  174 174 174  177 184 187  165 164 165  125 124 125  24 26 27
38394 +4 0 0  4 0 0  5 5 5  50 82 103  136 185 209  172 205 220
38395 +146 190 211  136 185 209  26 108 161  22 40 52  7 12 15  44 81 103
38396 +71 116 144  28 67 93  37 51 59  41 65 82  100 139 164  101 161 196
38397 +90 154 193  90 154 193  28 67 93  0 0 0  0 0 0  26 28 28
38398 +125 124 125  167 166 167  163 162 163  153 152 153  163 162 163  174 174 174
38399 +85 115 134  4 0 0
38400 +4 4 4  5 5 5  4 4 4  1 0 0  4 0 0  34 47 55
38401 +125 124 125  174 174 174  174 174 174  167 166 167  157 156 157  153 152 153
38402 +155 154 155  155 154 155  158 157 158  166 165 166  167 166 167  154 153 154
38403 +125 124 125  26 28 28  4 0 0  4 0 0  4 0 0  5 5 5
38404 +5 5 5  4 4 4  4 4 4  4 4 4  4 4 4  1 1 1
38405 +0 0 0  0 0 0  1 1 1  4 4 4  4 4 4  4 4 4
38406 +5 5 5  5 5 5  4 3 3  4 0 0  4 0 0  6 6 6
38407 +37 38 37  131 129 131  137 136 137  37 38 37  0 0 0  4 0 0
38408 +4 5 5  43 61 72  90 154 193  172 205 220  146 190 211  136 185 209
38409 +90 154 193  28 67 93  13 20 25  43 61 72  71 116 144  44 81 103
38410 +2 5 5  7 11 13  59 113 148  101 161 196  90 154 193  28 67 93
38411 +13 20 25  6 10 14  0 0 0  13 16 17  60 73 81  137 136 137
38412 +166 165 166  158 157 158  156 155 156  154 153 154  167 166 167  174 174 174
38413 +60 73 81  4 0 0
38414 +4 4 4  4 4 4  0 0 0  3 3 3  60 74 84  174 174 174
38415 +174 174 174  167 166 167  163 162 163  155 154 155  157 156 157  155 154 155
38416 +156 155 156  163 162 163  167 166 167  158 157 158  125 124 125  37 38 37
38417 +4 3 3  4 0 0  4 0 0  6 6 6  6 6 6  5 5 5
38418 +4 4 4  4 4 4  4 4 4  1 1 1  0 0 0  2 3 3
38419 +10 13 16  7 11 13  1 0 0  0 0 0  2 2 1  4 4 4
38420 +4 4 4  4 4 4  4 4 4  5 5 5  4 3 3  4 0 0
38421 +4 0 0  7 11 13  13 16 17  4 0 0  3 3 3  34 47 55
38422 +80 127 157  146 190 211  172 205 220  136 185 209  136 185 209  136 185 209
38423 +28 67 93  22 40 52  55 98 126  55 98 126  21 29 34  7 11 13
38424 +50 82 103  101 161 196  101 161 196  35 83 115  13 20 25  2 2 1
38425 +1 1 2  1 1 2  37 51 59  131 129 131  174 174 174  174 174 174
38426 +167 166 167  163 162 163  163 162 163  167 166 167  174 174 174  125 124 125
38427 +16 19 21  4 0 0
38428 +4 4 4  4 0 0  4 0 0  60 74 84  174 174 174  174 174 174
38429 +158 157 158  155 154 155  155 154 155  156 155 156  155 154 155  158 157 158
38430 +167 166 167  165 164 165  131 129 131  60 73 81  13 16 17  4 0 0
38431 +4 0 0  4 3 3  6 6 6  4 3 3  5 5 5  4 4 4
38432 +4 4 4  3 2 2  0 0 0  0 0 0  7 11 13  45 69 86
38433 +80 127 157  71 116 144  43 61 72  7 11 13  0 0 0  1 1 1
38434 +4 3 3  4 4 4  4 4 4  4 4 4  6 6 6  5 5 5
38435 +3 2 2  4 0 0  1 0 0  21 29 34  59 113 148  136 185 209
38436 +146 190 211  136 185 209  136 185 209  136 185 209  136 185 209  136 185 209
38437 +68 124 159  44 81 103  22 40 52  13 16 17  43 61 72  90 154 193
38438 +136 185 209  59 113 148  21 29 34  3 4 3  1 1 1  0 0 0
38439 +24 26 27  125 124 125  163 162 163  174 174 174  166 165 166  165 164 165
38440 +163 162 163  125 124 125  125 124 125  125 124 125  125 124 125  26 28 28
38441 +4 0 0  4 3 3
38442 +3 3 3  0 0 0  24 26 27  153 152 153  177 184 187  158 157 158
38443 +156 155 156  156 155 156  155 154 155  155 154 155  165 164 165  174 174 174
38444 +155 154 155  60 74 84  26 28 28  4 0 0  4 0 0  3 1 0
38445 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 3 3
38446 +2 0 0  0 0 0  0 0 0  32 43 50  72 125 159  101 161 196
38447 +136 185 209  101 161 196  101 161 196  79 117 143  32 43 50  0 0 0
38448 +0 0 0  2 2 2  4 4 4  4 4 4  3 3 3  1 0 0
38449 +0 0 0  4 5 5  49 76 92  101 161 196  146 190 211  146 190 211
38450 +136 185 209  136 185 209  136 185 209  136 185 209  136 185 209  90 154 193
38451 +28 67 93  13 16 17  37 51 59  80 127 157  136 185 209  90 154 193
38452 +22 40 52  6 9 11  3 4 3  2 2 1  16 19 21  60 73 81
38453 +137 136 137  163 162 163  158 157 158  166 165 166  167 166 167  153 152 153
38454 +60 74 84  37 38 37  6 6 6  13 16 17  4 0 0  1 0 0
38455 +3 2 2  4 4 4
38456 +3 2 2  4 0 0  37 38 37  137 136 137  167 166 167  158 157 158
38457 +157 156 157  154 153 154  157 156 157  167 166 167  174 174 174  125 124 125
38458 +37 38 37  4 0 0  4 0 0  4 0 0  4 3 3  4 4 4
38459 +4 4 4  4 4 4  5 5 5  5 5 5  1 1 1  0 0 0
38460 +0 0 0  16 21 25  55 98 126  90 154 193  136 185 209  101 161 196
38461 +101 161 196  101 161 196  136 185 209  136 185 209  101 161 196  55 98 126
38462 +14 17 19  0 0 0  0 0 0  0 0 0  0 0 0  0 0 0
38463 +22 40 52  90 154 193  146 190 211  146 190 211  136 185 209  136 185 209
38464 +136 185 209  136 185 209  136 185 209  101 161 196  35 83 115  7 11 13
38465 +17 23 27  59 113 148  136 185 209  101 161 196  34 86 122  7 12 15
38466 +2 5 5  3 4 3  6 6 6  60 73 81  131 129 131  163 162 163
38467 +166 165 166  174 174 174  174 174 174  163 162 163  125 124 125  41 54 63
38468 +13 16 17  4 0 0  4 0 0  4 0 0  1 0 0  2 2 2
38469 +4 4 4  4 4 4
38470 +1 1 1  2 1 0  43 57 68  137 136 137  153 152 153  153 152 153
38471 +163 162 163  156 155 156  165 164 165  167 166 167  60 74 84  6 6 6
38472 +4 0 0  4 0 0  5 5 5  4 4 4  4 4 4  4 4 4
38473 +4 5 5  6 6 6  4 3 3  0 0 0  0 0 0  11 15 18
38474 +40 71 93  100 139 164  101 161 196  101 161 196  101 161 196  101 161 196
38475 +101 161 196  101 161 196  101 161 196  101 161 196  136 185 209  136 185 209
38476 +101 161 196  45 69 86  6 6 6  0 0 0  17 23 27  55 98 126
38477 +136 185 209  146 190 211  136 185 209  136 185 209  136 185 209  136 185 209
38478 +136 185 209  136 185 209  90 154 193  22 40 52  7 11 13  50 82 103
38479 +136 185 209  136 185 209  53 118 160  22 40 52  7 11 13  2 5 5
38480 +3 4 3  37 38 37  125 124 125  157 156 157  166 165 166  167 166 167
38481 +174 174 174  174 174 174  137 136 137  60 73 81  4 0 0  4 0 0
38482 +4 0 0  4 0 0  5 5 5  3 3 3  3 3 3  4 4 4
38483 +4 4 4  4 4 4
38484 +4 0 0  4 0 0  41 54 63  137 136 137  125 124 125  131 129 131
38485 +155 154 155  167 166 167  174 174 174  60 74 84  6 6 6  4 0 0
38486 +4 3 3  6 6 6  4 4 4  4 4 4  4 4 4  5 5 5
38487 +4 4 4  1 1 1  0 0 0  3 6 7  41 65 82  72 125 159
38488 +101 161 196  101 161 196  101 161 196  90 154 193  90 154 193  101 161 196
38489 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  136 185 209
38490 +136 185 209  136 185 209  80 127 157  55 98 126  101 161 196  146 190 211
38491 +136 185 209  136 185 209  136 185 209  101 161 196  136 185 209  101 161 196
38492 +136 185 209  101 161 196  35 83 115  22 30 35  101 161 196  172 205 220
38493 +90 154 193  28 67 93  7 11 13  2 5 5  3 4 3  13 16 17
38494 +85 115 134  167 166 167  174 174 174  174 174 174  174 174 174  174 174 174
38495 +167 166 167  60 74 84  13 16 17  4 0 0  4 0 0  4 3 3
38496 +6 6 6  5 5 5  4 4 4  5 5 5  4 4 4  5 5 5
38497 +5 5 5  5 5 5
38498 +1 1 1  4 0 0  41 54 63  137 136 137  137 136 137  125 124 125
38499 +131 129 131  167 166 167  157 156 157  37 38 37  6 6 6  4 0 0
38500 +6 6 6  5 5 5  4 4 4  4 4 4  4 5 5  2 2 1
38501 +0 0 0  0 0 0  26 37 45  58 111 146  101 161 196  101 161 196
38502 +101 161 196  90 154 193  90 154 193  90 154 193  101 161 196  101 161 196
38503 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  101 161 196
38504 +101 161 196  136 185 209  136 185 209  136 185 209  146 190 211  136 185 209
38505 +136 185 209  101 161 196  136 185 209  136 185 209  101 161 196  136 185 209
38506 +101 161 196  136 185 209  136 185 209  136 185 209  136 185 209  16 89 141
38507 +7 11 13  2 5 5  2 5 5  13 16 17  60 73 81  154 154 154
38508 +174 174 174  174 174 174  174 174 174  174 174 174  163 162 163  125 124 125
38509 +24 26 27  4 0 0  4 0 0  4 0 0  5 5 5  5 5 5
38510 +4 4 4  4 4 4  4 4 4  5 5 5  5 5 5  5 5 5
38511 +5 5 5  4 4 4
38512 +4 0 0  6 6 6  37 38 37  137 136 137  137 136 137  131 129 131
38513 +131 129 131  153 152 153  131 129 131  26 28 28  4 0 0  4 3 3
38514 +6 6 6  4 4 4  4 4 4  4 4 4  0 0 0  0 0 0
38515 +13 20 25  51 88 114  90 154 193  101 161 196  101 161 196  90 154 193
38516 +90 154 193  90 154 193  90 154 193  90 154 193  90 154 193  101 161 196
38517 +101 161 196  101 161 196  101 161 196  101 161 196  136 185 209  101 161 196
38518 +101 161 196  136 185 209  101 161 196  136 185 209  136 185 209  101 161 196
38519 +136 185 209  101 161 196  136 185 209  101 161 196  101 161 196  101 161 196
38520 +136 185 209  136 185 209  136 185 209  37 112 160  21 29 34  5 7 8
38521 +2 5 5  13 16 17  43 57 68  131 129 131  174 174 174  174 174 174
38522 +174 174 174  167 166 167  157 156 157  125 124 125  37 38 37  4 0 0
38523 +4 0 0  4 0 0  5 5 5  5 5 5  4 4 4  4 4 4
38524 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38525 +4 4 4  4 4 4
38526 +1 1 1  4 0 0  41 54 63  153 152 153  137 136 137  137 136 137
38527 +137 136 137  153 152 153  125 124 125  24 26 27  4 0 0  3 2 2
38528 +4 4 4  4 4 4  4 3 3  4 0 0  3 6 7  43 61 72
38529 +64 123 161  101 161 196  90 154 193  90 154 193  90 154 193  90 154 193
38530 +90 154 193  90 154 193  90 154 193  90 154 193  101 161 196  90 154 193
38531 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  101 161 196
38532 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  101 161 196
38533 +136 185 209  101 161 196  101 161 196  136 185 209  136 185 209  101 161 196
38534 +101 161 196  90 154 193  28 67 93  13 16 17  7 11 13  3 6 7
38535 +37 51 59  125 124 125  163 162 163  174 174 174  167 166 167  166 165 166
38536 +167 166 167  131 129 131  60 73 81  4 0 0  4 0 0  4 0 0
38537 +3 3 3  5 5 5  6 6 6  4 4 4  4 4 4  4 4 4
38538 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38539 +4 4 4  4 4 4
38540 +4 0 0  4 0 0  41 54 63  137 136 137  153 152 153  137 136 137
38541 +153 152 153  157 156 157  125 124 125  24 26 27  0 0 0  2 2 2
38542 +4 4 4  4 4 4  2 0 0  0 0 0  28 67 93  90 154 193
38543 +90 154 193  90 154 193  90 154 193  90 154 193  64 123 161  90 154 193
38544 +90 154 193  90 154 193  90 154 193  90 154 193  90 154 193  101 161 196
38545 +90 154 193  101 161 196  101 161 196  101 161 196  90 154 193  136 185 209
38546 +101 161 196  101 161 196  136 185 209  101 161 196  136 185 209  101 161 196
38547 +101 161 196  101 161 196  136 185 209  101 161 196  101 161 196  90 154 193
38548 +35 83 115  13 16 17  3 6 7  2 5 5  13 16 17  60 74 84
38549 +154 154 154  166 165 166  165 164 165  158 157 158  163 162 163  157 156 157
38550 +60 74 84  13 16 17  4 0 0  4 0 0  3 2 2  4 4 4
38551 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38552 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38553 +4 4 4  4 4 4
38554 +1 1 1  4 0 0  41 54 63  157 156 157  155 154 155  137 136 137
38555 +153 152 153  158 157 158  137 136 137  26 28 28  2 0 0  2 2 2
38556 +4 4 4  4 4 4  1 0 0  6 10 14  34 86 122  90 154 193
38557 +64 123 161  90 154 193  64 123 161  90 154 193  90 154 193  90 154 193
38558 +64 123 161  90 154 193  90 154 193  90 154 193  90 154 193  90 154 193
38559 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  101 161 196
38560 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  101 161 196
38561 +136 185 209  101 161 196  136 185 209  90 154 193  26 108 161  22 40 52
38562 +13 16 17  5 7 8  2 5 5  2 5 5  37 38 37  165 164 165
38563 +174 174 174  163 162 163  154 154 154  165 164 165  167 166 167  60 73 81
38564 +6 6 6  4 0 0  4 0 0  4 4 4  4 4 4  4 4 4
38565 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38566 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38567 +4 4 4  4 4 4
38568 +4 0 0  6 6 6  41 54 63  156 155 156  158 157 158  153 152 153
38569 +156 155 156  165 164 165  137 136 137  26 28 28  0 0 0  2 2 2
38570 +4 4 5  4 4 4  2 0 0  7 12 15  31 96 139  64 123 161
38571 +90 154 193  64 123 161  90 154 193  90 154 193  64 123 161  90 154 193
38572 +90 154 193  90 154 193  90 154 193  90 154 193  90 154 193  90 154 193
38573 +90 154 193  90 154 193  90 154 193  101 161 196  101 161 196  101 161 196
38574 +101 161 196  101 161 196  101 161 196  101 161 196  101 161 196  136 185 209
38575 +101 161 196  136 185 209  26 108 161  22 40 52  7 11 13  5 7 8
38576 +2 5 5  2 5 5  2 5 5  2 2 1  37 38 37  158 157 158
38577 +174 174 174  154 154 154  156 155 156  167 166 167  165 164 165  37 38 37
38578 +4 0 0  4 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38579 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38580 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38581 +4 4 4  4 4 4
38582 +3 1 0  4 0 0  60 73 81  157 156 157  163 162 163  153 152 153
38583 +158 157 158  167 166 167  137 136 137  26 28 28  2 0 0  2 2 2
38584 +4 5 5  4 4 4  4 0 0  7 12 15  24 86 132  26 108 161
38585 +37 112 160  64 123 161  90 154 193  64 123 161  90 154 193  90 154 193
38586 +90 154 193  90 154 193  90 154 193  90 154 193  90 154 193  90 154 193
38587 +90 154 193  101 161 196  90 154 193  101 161 196  101 161 196  101 161 196
38588 +101 161 196  101 161 196  101 161 196  136 185 209  101 161 196  136 185 209
38589 +90 154 193  35 83 115  13 16 17  13 16 17  7 11 13  3 6 7
38590 +5 7 8  6 6 6  3 4 3  2 2 1  30 32 34  154 154 154
38591 +167 166 167  154 154 154  154 154 154  174 174 174  165 164 165  37 38 37
38592 +6 6 6  4 0 0  6 6 6  4 4 4  4 4 4  4 4 4
38593 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38594 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38595 +4 4 4  4 4 4
38596 +4 0 0  4 0 0  41 54 63  163 162 163  166 165 166  154 154 154
38597 +163 162 163  174 174 174  137 136 137  26 28 28  0 0 0  2 2 2
38598 +4 5 5  4 4 5  1 1 2  6 10 14  28 67 93  18 97 151
38599 +18 97 151  18 97 151  26 108 161  37 112 160  37 112 160  90 154 193
38600 +64 123 161  90 154 193  90 154 193  90 154 193  90 154 193  101 161 196
38601 +90 154 193  101 161 196  101 161 196  90 154 193  101 161 196  101 161 196
38602 +101 161 196  101 161 196  101 161 196  136 185 209  90 154 193  16 89 141
38603 +13 20 25  7 11 13  5 7 8  5 7 8  2 5 5  4 5 5
38604 +3 4 3  4 5 5  3 4 3  0 0 0  37 38 37  158 157 158
38605 +174 174 174  158 157 158  158 157 158  167 166 167  174 174 174  41 54 63
38606 +4 0 0  3 2 2  5 5 5  4 4 4  4 4 4  4 4 4
38607 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38608 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38609 +4 4 4  4 4 4
38610 +1 1 1  4 0 0  60 73 81  165 164 165  174 174 174  158 157 158
38611 +167 166 167  174 174 174  153 152 153  26 28 28  2 0 0  2 2 2
38612 +4 5 5  4 4 4  4 0 0  7 12 15  10 87 144  10 87 144
38613 +18 97 151  18 97 151  18 97 151  26 108 161  26 108 161  26 108 161
38614 +26 108 161  37 112 160  53 118 160  90 154 193  90 154 193  90 154 193
38615 +90 154 193  90 154 193  101 161 196  101 161 196  101 161 196  101 161 196
38616 +101 161 196  136 185 209  90 154 193  26 108 161  22 40 52  13 16 17
38617 +7 11 13  3 6 7  5 7 8  5 7 8  2 5 5  4 5 5
38618 +4 5 5  6 6 6  3 4 3  0 0 0  30 32 34  158 157 158
38619 +174 174 174  156 155 156  155 154 155  165 164 165  154 153 154  37 38 37
38620 +4 0 0  4 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38621 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38622 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38623 +4 4 4  4 4 4
38624 +4 0 0  4 0 0  60 73 81  167 166 167  174 174 174  163 162 163
38625 +174 174 174  174 174 174  153 152 153  26 28 28  0 0 0  3 3 3
38626 +5 5 5  4 4 4  1 1 2  7 12 15  28 67 93  18 97 151
38627 +18 97 151  18 97 151  18 97 151  18 97 151  18 97 151  26 108 161
38628 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38629 +90 154 193  26 108 161  90 154 193  90 154 193  90 154 193  101 161 196
38630 +101 161 196  26 108 161  22 40 52  13 16 17  7 11 13  2 5 5
38631 +2 5 5  6 6 6  2 5 5  4 5 5  4 5 5  4 5 5
38632 +3 4 3  5 5 5  3 4 3  2 0 0  30 32 34  137 136 137
38633 +153 152 153  137 136 137  131 129 131  137 136 137  131 129 131  37 38 37
38634 +4 0 0  4 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38635 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38636 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38637 +4 4 4  4 4 4
38638 +1 1 1  4 0 0  60 73 81  167 166 167  174 174 174  166 165 166
38639 +174 174 174  177 184 187  153 152 153  30 32 34  1 0 0  3 3 3
38640 +5 5 5  4 3 3  4 0 0  7 12 15  10 87 144  10 87 144
38641 +18 97 151  18 97 151  18 97 151  26 108 161  26 108 161  26 108 161
38642 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38643 +26 108 161  26 108 161  26 108 161  90 154 193  90 154 193  26 108 161
38644 +35 83 115  13 16 17  7 11 13  5 7 8  3 6 7  5 7 8
38645 +2 5 5  6 6 6  4 5 5  4 5 5  3 4 3  4 5 5
38646 +3 4 3  6 6 6  3 4 3  0 0 0  26 28 28  125 124 125
38647 +131 129 131  125 124 125  125 124 125  131 129 131  131 129 131  37 38 37
38648 +4 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38649 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38650 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38651 +4 4 4  4 4 4
38652 +3 1 0  4 0 0  60 73 81  174 174 174  177 184 187  167 166 167
38653 +174 174 174  177 184 187  153 152 153  30 32 34  0 0 0  3 3 3
38654 +5 5 5  4 4 4  1 1 2  6 10 14  28 67 93  18 97 151
38655 +18 97 151  18 97 151  18 97 151  18 97 151  18 97 151  26 108 161
38656 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38657 +26 108 161  90 154 193  26 108 161  26 108 161  24 86 132  13 20 25
38658 +7 11 13  13 20 25  22 40 52  5 7 8  3 4 3  3 4 3
38659 +4 5 5  3 4 3  4 5 5  3 4 3  4 5 5  3 4 3
38660 +4 4 4  5 5 5  3 3 3  2 0 0  26 28 28  125 124 125
38661 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38662 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38663 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38664 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38665 +4 4 4  4 4 4
38666 +1 1 1  4 0 0  60 73 81  174 174 174  177 184 187  174 174 174
38667 +174 174 174  190 197 201  157 156 157  30 32 34  1 0 0  3 3 3
38668 +5 5 5  4 3 3  4 0 0  7 12 15  10 87 144  10 87 144
38669 +18 97 151  19 95 150  19 95 150  18 97 151  18 97 151  26 108 161
38670 +18 97 151  26 108 161  26 108 161  26 108 161  26 108 161  90 154 193
38671 +26 108 161  26 108 161  26 108 161  22 40 52  2 5 5  3 4 3
38672 +28 67 93  37 112 160  34 86 122  2 5 5  3 4 3  3 4 3
38673 +3 4 3  3 4 3  3 4 3  2 2 1  3 4 3  4 4 4
38674 +4 5 5  5 5 5  3 3 3  0 0 0  26 28 28  131 129 131
38675 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38676 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38677 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38678 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38679 +4 4 4  4 4 4
38680 +4 0 0  4 0 0  60 73 81  174 174 174  177 184 187  174 174 174
38681 +174 174 174  190 197 201  158 157 158  30 32 34  0 0 0  2 2 2
38682 +5 5 5  4 4 4  1 1 2  6 10 14  28 67 93  18 97 151
38683 +10 87 144  19 95 150  19 95 150  18 97 151  18 97 151  18 97 151
38684 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38685 +18 97 151  22 40 52  2 5 5  2 2 1  22 40 52  26 108 161
38686 +90 154 193  37 112 160  22 40 52  3 4 3  13 20 25  22 30 35
38687 +3 6 7  1 1 1  2 2 2  6 9 11  5 5 5  4 3 3
38688 +4 4 4  5 5 5  3 3 3  2 0 0  26 28 28  131 129 131
38689 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38690 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38691 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38692 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38693 +4 4 4  4 4 4
38694 +1 1 1  4 0 0  60 73 81  177 184 187  193 200 203  174 174 174
38695 +177 184 187  193 200 203  163 162 163  30 32 34  4 0 0  2 2 2
38696 +5 5 5  4 3 3  4 0 0  6 10 14  24 86 132  10 87 144
38697 +10 87 144  10 87 144  19 95 150  19 95 150  19 95 150  18 97 151
38698 +26 108 161  26 108 161  26 108 161  90 154 193  26 108 161  28 67 93
38699 +6 10 14  2 5 5  13 20 25  24 86 132  37 112 160  90 154 193
38700 +10 87 144  7 12 15  2 5 5  28 67 93  37 112 160  28 67 93
38701 +2 2 1  7 12 15  35 83 115  28 67 93  3 6 7  1 0 0
38702 +4 4 4  5 5 5  3 3 3  0 0 0  26 28 28  131 129 131
38703 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38704 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38705 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38706 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38707 +4 4 4  4 4 4
38708 +4 0 0  4 0 0  60 73 81  174 174 174  190 197 201  174 174 174
38709 +177 184 187  193 200 203  163 162 163  30 32 34  0 0 0  2 2 2
38710 +5 5 5  4 4 4  1 1 2  6 10 14  28 67 93  10 87 144
38711 +10 87 144  16 89 141  19 95 150  10 87 144  26 108 161  26 108 161
38712 +26 108 161  26 108 161  26 108 161  28 67 93  6 10 14  1 1 2
38713 +7 12 15  28 67 93  26 108 161  16 89 141  24 86 132  21 29 34
38714 +3 4 3  21 29 34  37 112 160  37 112 160  27 99 146  21 29 34
38715 +21 29 34  26 108 161  90 154 193  35 83 115  1 1 2  2 0 0
38716 +4 4 4  5 5 5  3 3 3  2 0 0  26 28 28  125 124 125
38717 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38718 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38719 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38720 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38721 +4 4 4  4 4 4
38722 +3 1 0  4 0 0  60 73 81  193 200 203  193 200 203  174 174 174
38723 +190 197 201  193 200 203  165 164 165  37 38 37  4 0 0  2 2 2
38724 +5 5 5  4 3 3  4 0 0  6 10 14  24 86 132  10 87 144
38725 +10 87 144  10 87 144  16 89 141  18 97 151  18 97 151  10 87 144
38726 +24 86 132  24 86 132  13 20 25  4 5 7  4 5 7  22 40 52
38727 +18 97 151  37 112 160  26 108 161  7 12 15  1 1 1  0 0 0
38728 +28 67 93  37 112 160  26 108 161  28 67 93  22 40 52  28 67 93
38729 +26 108 161  90 154 193  26 108 161  10 87 144  0 0 0  2 0 0
38730 +4 4 4  5 5 5  3 3 3  0 0 0  26 28 28  131 129 131
38731 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38732 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38733 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38734 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38735 +4 4 4  4 4 4
38736 +4 0 0  6 6 6  60 73 81  174 174 174  193 200 203  174 174 174
38737 +190 197 201  193 200 203  165 164 165  30 32 34  0 0 0  2 2 2
38738 +5 5 5  4 4 4  1 1 2  6 10 14  28 67 93  10 87 144
38739 +10 87 144  10 87 144  10 87 144  18 97 151  28 67 93  6 10 14
38740 +0 0 0  1 1 2  4 5 7  13 20 25  16 89 141  26 108 161
38741 +26 108 161  26 108 161  24 86 132  6 9 11  2 3 3  22 40 52
38742 +37 112 160  16 89 141  22 40 52  28 67 93  26 108 161  26 108 161
38743 +90 154 193  26 108 161  26 108 161  28 67 93  1 1 1  4 0 0
38744 +4 4 4  5 5 5  3 3 3  4 0 0  26 28 28  124 126 130
38745 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38746 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38747 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38748 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38749 +4 4 4  4 4 4
38750 +4 0 0  4 0 0  60 73 81  193 200 203  193 200 203  174 174 174
38751 +193 200 203  193 200 203  167 166 167  37 38 37  4 0 0  2 2 2
38752 +5 5 5  4 4 4  4 0 0  6 10 14  28 67 93  10 87 144
38753 +10 87 144  10 87 144  18 97 151  10 87 144  13 20 25  4 5 7
38754 +1 1 2  1 1 1  22 40 52  26 108 161  26 108 161  26 108 161
38755 +26 108 161  26 108 161  26 108 161  24 86 132  22 40 52  22 40 52
38756 +22 40 52  22 40 52  10 87 144  26 108 161  26 108 161  26 108 161
38757 +26 108 161  26 108 161  90 154 193  10 87 144  0 0 0  4 0 0
38758 +4 4 4  5 5 5  3 3 3  0 0 0  26 28 28  131 129 131
38759 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38760 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38761 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38762 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38763 +4 4 4  4 4 4
38764 +4 0 0  6 6 6  60 73 81  174 174 174  220 221 221  174 174 174
38765 +190 197 201  205 212 215  167 166 167  30 32 34  0 0 0  2 2 2
38766 +5 5 5  4 4 4  1 1 2  6 10 14  28 67 93  10 87 144
38767 +10 87 144  10 87 144  10 87 144  10 87 144  22 40 52  1 1 2
38768 +2 0 0  1 1 2  24 86 132  26 108 161  26 108 161  26 108 161
38769 +26 108 161  19 95 150  16 89 141  10 87 144  22 40 52  22 40 52
38770 +10 87 144  26 108 161  37 112 160  26 108 161  26 108 161  26 108 161
38771 +26 108 161  26 108 161  26 108 161  28 67 93  2 0 0  3 1 0
38772 +4 4 4  5 5 5  3 3 3  2 0 0  26 28 28  131 129 131
38773 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38774 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38775 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38776 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38777 +4 4 4  4 4 4
38778 +4 0 0  4 0 0  60 73 81  220 221 221  190 197 201  174 174 174
38779 +193 200 203  193 200 203  174 174 174  37 38 37  4 0 0  2 2 2
38780 +5 5 5  4 4 4  3 2 2  1 1 2  13 20 25  10 87 144
38781 +10 87 144  10 87 144  10 87 144  10 87 144  10 87 144  13 20 25
38782 +13 20 25  22 40 52  10 87 144  18 97 151  18 97 151  26 108 161
38783 +10 87 144  13 20 25  6 10 14  21 29 34  24 86 132  18 97 151
38784 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38785 +26 108 161  90 154 193  18 97 151  13 20 25  0 0 0  4 3 3
38786 +4 4 4  5 5 5  3 3 3  0 0 0  26 28 28  131 129 131
38787 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38788 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38789 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38790 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38791 +4 4 4  4 4 4
38792 +4 0 0  6 6 6  60 73 81  174 174 174  220 221 221  174 174 174
38793 +190 197 201  220 221 221  167 166 167  30 32 34  1 0 0  2 2 2
38794 +5 5 5  4 4 4  4 4 5  2 5 5  4 5 7  13 20 25
38795 +28 67 93  10 87 144  10 87 144  10 87 144  10 87 144  10 87 144
38796 +10 87 144  10 87 144  18 97 151  10 87 144  18 97 151  18 97 151
38797 +28 67 93  2 3 3  0 0 0  28 67 93  26 108 161  26 108 161
38798 +26 108 161  26 108 161  26 108 161  26 108 161  26 108 161  26 108 161
38799 +26 108 161  10 87 144  13 20 25  1 1 2  3 2 2  4 4 4
38800 +4 4 4  5 5 5  3 3 3  2 0 0  26 28 28  131 129 131
38801 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38802 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38803 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38804 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38805 +4 4 4  4 4 4
38806 +4 0 0  4 0 0  60 73 81  220 221 221  190 197 201  174 174 174
38807 +193 200 203  193 200 203  174 174 174  26 28 28  4 0 0  4 3 3
38808 +5 5 5  4 4 4  4 4 4  4 4 5  1 1 2  2 5 5
38809 +4 5 7  22 40 52  10 87 144  10 87 144  18 97 151  10 87 144
38810 +10 87 144  10 87 144  10 87 144  10 87 144  10 87 144  18 97 151
38811 +10 87 144  28 67 93  22 40 52  10 87 144  26 108 161  18 97 151
38812 +18 97 151  18 97 151  26 108 161  26 108 161  26 108 161  26 108 161
38813 +22 40 52  1 1 2  0 0 0  2 3 3  4 4 4  4 4 4
38814 +4 4 4  5 5 5  4 4 4  0 0 0  26 28 28  131 129 131
38815 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38816 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38817 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38818 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38819 +4 4 4  4 4 4
38820 +4 0 0  6 6 6  60 73 81  174 174 174  220 221 221  174 174 174
38821 +190 197 201  220 221 221  190 197 201  41 54 63  4 0 0  2 2 2
38822 +6 6 6  4 4 4  4 4 4  4 4 5  4 4 5  3 3 3
38823 +1 1 2  1 1 2  6 10 14  22 40 52  10 87 144  18 97 151
38824 +18 97 151  10 87 144  10 87 144  10 87 144  18 97 151  10 87 144
38825 +10 87 144  18 97 151  26 108 161  18 97 151  18 97 151  10 87 144
38826 +26 108 161  26 108 161  26 108 161  10 87 144  28 67 93  6 10 14
38827 +1 1 2  1 1 2  4 3 3  4 4 5  4 4 4  4 4 4
38828 +5 5 5  5 5 5  1 1 1  4 0 0  37 51 59  137 136 137
38829 +137 136 137  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38830 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38831 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38832 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38833 +4 4 4  4 4 4
38834 +4 0 0  4 0 0  60 73 81  220 221 221  193 200 203  174 174 174
38835 +193 200 203  193 200 203  220 221 221  137 136 137  13 16 17  4 0 0
38836 +2 2 2  4 4 4  4 4 4  4 4 4  4 4 4  4 4 5
38837 +4 4 5  4 3 3  1 1 2  4 5 7  13 20 25  28 67 93
38838 +10 87 144  10 87 144  10 87 144  10 87 144  10 87 144  10 87 144
38839 +10 87 144  18 97 151  18 97 151  10 87 144  18 97 151  26 108 161
38840 +26 108 161  18 97 151  28 67 93  6 10 14  0 0 0  0 0 0
38841 +2 3 3  4 5 5  4 4 5  4 4 4  4 4 4  5 5 5
38842 +3 3 3  1 1 1  0 0 0  16 19 21  125 124 125  137 136 137
38843 +131 129 131  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38844 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38845 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38846 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38847 +4 4 4  4 4 4
38848 +4 0 0  6 6 6  60 73 81  174 174 174  220 221 221  174 174 174
38849 +193 200 203  190 197 201  220 221 221  220 221 221  153 152 153  30 32 34
38850 +0 0 0  0 0 0  2 2 2  4 4 4  4 4 4  4 4 4
38851 +4 4 4  4 5 5  4 5 7  1 1 2  1 1 2  4 5 7
38852 +13 20 25  28 67 93  10 87 144  18 97 151  10 87 144  10 87 144
38853 +10 87 144  10 87 144  10 87 144  18 97 151  26 108 161  18 97 151
38854 +28 67 93  7 12 15  0 0 0  0 0 0  2 2 1  4 4 4
38855 +4 5 5  4 5 5  4 4 4  4 4 4  3 3 3  0 0 0
38856 +0 0 0  0 0 0  37 38 37  125 124 125  158 157 158  131 129 131
38857 +125 124 125  125 124 125  125 124 125  137 136 137  131 129 131  37 38 37
38858 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38859 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38860 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38861 +4 4 4  4 4 4
38862 +4 3 3  4 0 0  41 54 63  193 200 203  220 221 221  174 174 174
38863 +193 200 203  193 200 203  193 200 203  220 221 221  244 246 246  193 200 203
38864 +120 125 127  5 5 5  1 0 0  0 0 0  1 1 1  4 4 4
38865 +4 4 4  4 4 4  4 5 5  4 5 5  4 4 5  1 1 2
38866 +4 5 7  4 5 7  22 40 52  10 87 144  10 87 144  10 87 144
38867 +10 87 144  10 87 144  18 97 151  10 87 144  10 87 144  13 20 25
38868 +4 5 7  2 3 3  1 1 2  4 4 4  4 5 5  4 4 4
38869 +4 4 4  4 4 4  4 4 4  1 1 1  0 0 0  1 1 2
38870 +24 26 27  60 74 84  153 152 153  163 162 163  137 136 137  125 124 125
38871 +125 124 125  125 124 125  125 124 125  137 136 137  125 124 125  26 28 28
38872 +0 0 0  3 3 3  5 5 5  4 4 4  4 4 4  4 4 4
38873 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38874 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38875 +4 4 4  4 4 4
38876 +4 0 0  6 6 6  26 28 28  156 155 156  220 221 221  220 221 221
38877 +174 174 174  193 200 203  193 200 203  193 200 203  205 212 215  220 221 221
38878 +220 221 221  167 166 167  60 73 81  7 11 13  0 0 0  0 0 0
38879 +3 3 3  4 4 4  4 4 4  4 4 4  4 4 5  4 4 5
38880 +4 4 5  1 1 2  1 1 2  4 5 7  22 40 52  10 87 144
38881 +10 87 144  10 87 144  10 87 144  22 40 52  4 5 7  1 1 2
38882 +1 1 2  4 4 5  4 4 4  4 4 4  4 4 4  4 4 4
38883 +5 5 5  2 2 2  0 0 0  4 0 0  16 19 21  60 73 81
38884 +137 136 137  167 166 167  158 157 158  137 136 137  131 129 131  131 129 131
38885 +125 124 125  125 124 125  131 129 131  155 154 155  60 74 84  5 7 8
38886 +0 0 0  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38887 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38888 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38889 +4 4 4  4 4 4
38890 +5 5 5  4 0 0  4 0 0  60 73 81  193 200 203  220 221 221
38891 +193 200 203  193 200 203  193 200 203  193 200 203  205 212 215  220 221 221
38892 +220 221 221  220 221 221  220 221 221  137 136 137  43 57 68  6 6 6
38893 +4 0 0  1 1 1  4 4 4  4 4 4  4 4 4  4 4 4
38894 +4 4 5  4 4 5  3 2 2  1 1 2  2 5 5  13 20 25
38895 +22 40 52  22 40 52  13 20 25  2 3 3  1 1 2  3 3 3
38896 +4 5 7  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38897 +1 1 1  0 0 0  2 3 3  41 54 63  131 129 131  166 165 166
38898 +166 165 166  155 154 155  153 152 153  137 136 137  137 136 137  125 124 125
38899 +125 124 125  137 136 137  137 136 137  125 124 125  37 38 37  4 3 3
38900 +4 3 3  5 5 5  4 4 4  4 4 4  4 4 4  4 4 4
38901 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38902 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38903 +4 4 4  4 4 4
38904 +4 3 3  6 6 6  6 6 6  13 16 17  60 73 81  167 166 167
38905 +220 221 221  220 221 221  220 221 221  193 200 203  193 200 203  193 200 203
38906 +205 212 215  220 221 221  220 221 221  244 246 246  205 212 215  125 124 125
38907 +24 26 27  0 0 0  0 0 0  2 2 2  5 5 5  5 5 5
38908 +4 4 4  4 4 4  4 4 4  4 4 5  1 1 2  4 5 7
38909 +4 5 7  4 5 7  1 1 2  3 2 2  4 4 5  4 4 4
38910 +4 4 4  4 4 4  5 5 5  4 4 4  0 0 0  0 0 0
38911 +2 0 0  26 28 28  125 124 125  174 174 174  174 174 174  166 165 166
38912 +156 155 156  153 152 153  137 136 137  137 136 137  131 129 131  137 136 137
38913 +137 136 137  137 136 137  60 74 84  30 32 34  4 0 0  4 0 0
38914 +5 5 5  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38915 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38916 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38917 +4 4 4  4 4 4
38918 +5 5 5  6 6 6  4 0 0  4 0 0  6 6 6  26 28 28
38919 +125 124 125  174 174 174  220 221 221  220 221 221  220 221 221  193 200 203
38920 +205 212 215  220 221 221  205 212 215  220 221 221  220 221 221  244 246 246
38921 +193 200 203  60 74 84  13 16 17  4 0 0  0 0 0  3 3 3
38922 +5 5 5  5 5 5  4 4 4  4 4 4  4 4 5  3 3 3
38923 +1 1 2  3 3 3  4 4 5  4 4 5  4 4 4  4 4 4
38924 +5 5 5  5 5 5  2 2 2  0 0 0  0 0 0  13 16 17
38925 +60 74 84  174 174 174  193 200 203  174 174 174  167 166 167  163 162 163
38926 +153 152 153  153 152 153  137 136 137  137 136 137  153 152 153  137 136 137
38927 +125 124 125  41 54 63  24 26 27  4 0 0  4 0 0  5 5 5
38928 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38929 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38930 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38931 +4 4 4  4 4 4
38932 +4 3 3  6 6 6  6 6 6  6 6 6  6 6 6  6 6 6
38933 +6 6 6  37 38 37  131 129 131  220 221 221  220 221 221  220 221 221
38934 +193 200 203  193 200 203  220 221 221  205 212 215  220 221 221  244 246 246
38935 +244 246 246  244 246 246  174 174 174  41 54 63  0 0 0  0 0 0
38936 +0 0 0  4 4 4  5 5 5  5 5 5  4 4 4  4 4 5
38937 +4 4 5  4 4 5  4 4 4  4 4 4  6 6 6  6 6 6
38938 +3 3 3  0 0 0  2 0 0  13 16 17  60 73 81  156 155 156
38939 +220 221 221  193 200 203  174 174 174  165 164 165  163 162 163  154 153 154
38940 +153 152 153  153 152 153  158 157 158  163 162 163  137 136 137  60 73 81
38941 +13 16 17  4 0 0  4 0 0  4 3 3  4 4 4  4 4 4
38942 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38943 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38944 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38945 +4 4 4  4 4 4
38946 +5 5 5  4 3 3  4 3 3  6 6 6  6 6 6  6 6 6
38947 +6 6 6  6 6 6  6 6 6  37 38 37  167 166 167  244 246 246
38948 +244 246 246  220 221 221  205 212 215  205 212 215  220 221 221  193 200 203
38949 +220 221 221  244 246 246  244 246 246  244 246 246  137 136 137  37 38 37
38950 +3 2 2  0 0 0  1 1 1  5 5 5  5 5 5  4 4 4
38951 +4 4 4  4 4 4  4 4 4  5 5 5  4 4 4  1 1 1
38952 +0 0 0  5 5 5  43 57 68  153 152 153  193 200 203  220 221 221
38953 +177 184 187  174 174 174  167 166 167  166 165 166  158 157 158  157 156 157
38954 +158 157 158  166 165 166  156 155 156  85 115 134  13 16 17  4 0 0
38955 +4 0 0  4 0 0  5 5 5  5 5 5  4 4 4  4 4 4
38956 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38957 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38958 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38959 +4 4 4  4 4 4
38960 +5 5 5  4 3 3  6 6 6  6 6 6  4 0 0  6 6 6
38961 +6 6 6  6 6 6  6 6 6  6 6 6  13 16 17  60 73 81
38962 +177 184 187  220 221 221  220 221 221  220 221 221  205 212 215  220 221 221
38963 +220 221 221  205 212 215  220 221 221  244 246 246  244 246 246  205 212 215
38964 +125 124 125  30 32 34  0 0 0  0 0 0  2 2 2  5 5 5
38965 +4 4 4  4 4 4  4 4 4  1 1 1  0 0 0  1 0 0
38966 +37 38 37  131 129 131  205 212 215  220 221 221  193 200 203  174 174 174
38967 +174 174 174  174 174 174  167 166 167  165 164 165  166 165 166  167 166 167
38968 +158 157 158  125 124 125  37 38 37  4 0 0  4 0 0  4 0 0
38969 +4 3 3  5 5 5  4 4 4  4 4 4  4 4 4  4 4 4
38970 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38971 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38972 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38973 +4 4 4  4 4 4
38974 +4 4 4  5 5 5  4 3 3  4 3 3  6 6 6  6 6 6
38975 +4 0 0  6 6 6  6 6 6  6 6 6  6 6 6  6 6 6
38976 +26 28 28  125 124 125  205 212 215  220 221 221  220 221 221  220 221 221
38977 +205 212 215  220 221 221  205 212 215  220 221 221  220 221 221  244 246 246
38978 +244 246 246  190 197 201  60 74 84  16 19 21  4 0 0  0 0 0
38979 +0 0 0  0 0 0  0 0 0  0 0 0  16 19 21  120 125 127
38980 +177 184 187  220 221 221  205 212 215  177 184 187  174 174 174  177 184 187
38981 +174 174 174  174 174 174  167 166 167  174 174 174  166 165 166  137 136 137
38982 +60 73 81  13 16 17  4 0 0  4 0 0  4 3 3  6 6 6
38983 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38984 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38985 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38986 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38987 +4 4 4  4 4 4
38988 +5 5 5  4 3 3  5 5 5  4 3 3  6 6 6  4 0 0
38989 +6 6 6  6 6 6  4 0 0  6 6 6  4 0 0  6 6 6
38990 +6 6 6  6 6 6  37 38 37  137 136 137  193 200 203  220 221 221
38991 +220 221 221  205 212 215  220 221 221  205 212 215  205 212 215  220 221 221
38992 +220 221 221  220 221 221  244 246 246  166 165 166  43 57 68  2 2 2
38993 +0 0 0  4 0 0  16 19 21  60 73 81  157 156 157  202 210 214
38994 +220 221 221  193 200 203  177 184 187  177 184 187  177 184 187  174 174 174
38995 +174 174 174  174 174 174  174 174 174  157 156 157  60 74 84  24 26 27
38996 +4 0 0  4 0 0  4 0 0  6 6 6  4 4 4  4 4 4
38997 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38998 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
38999 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39000 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39001 +4 4 4  4 4 4
39002 +4 4 4  4 4 4  5 5 5  4 3 3  5 5 5  6 6 6
39003 +6 6 6  4 0 0  6 6 6  6 6 6  6 6 6  4 0 0
39004 +4 0 0  4 0 0  6 6 6  24 26 27  60 73 81  167 166 167
39005 +220 221 221  220 221 221  220 221 221  205 212 215  205 212 215  205 212 215
39006 +205 212 215  220 221 221  220 221 221  220 221 221  205 212 215  137 136 137
39007 +60 74 84  125 124 125  137 136 137  190 197 201  220 221 221  193 200 203
39008 +177 184 187  177 184 187  177 184 187  174 174 174  174 174 174  177 184 187
39009 +190 197 201  174 174 174  125 124 125  37 38 37  6 6 6  4 0 0
39010 +4 0 0  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39011 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39012 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39013 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39014 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39015 +4 4 4  4 4 4
39016 +4 4 4  4 4 4  5 5 5  5 5 5  4 3 3  6 6 6
39017 +4 0 0  6 6 6  6 6 6  6 6 6  4 0 0  6 6 6
39018 +6 6 6  6 6 6  4 0 0  4 0 0  6 6 6  6 6 6
39019 +125 124 125  193 200 203  244 246 246  220 221 221  205 212 215  205 212 215
39020 +205 212 215  193 200 203  205 212 215  205 212 215  220 221 221  220 221 221
39021 +193 200 203  193 200 203  205 212 215  193 200 203  193 200 203  177 184 187
39022 +190 197 201  190 197 201  174 174 174  190 197 201  193 200 203  190 197 201
39023 +153 152 153  60 73 81  4 0 0  4 0 0  4 0 0  3 2 2
39024 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39025 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39026 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39027 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39028 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39029 +4 4 4  4 4 4
39030 +4 4 4  4 4 4  4 4 4  4 4 4  5 5 5  4 3 3
39031 +6 6 6  4 3 3  4 3 3  4 3 3  6 6 6  6 6 6
39032 +4 0 0  6 6 6  6 6 6  6 6 6  4 0 0  4 0 0
39033 +4 0 0  26 28 28  131 129 131  220 221 221  244 246 246  220 221 221
39034 +205 212 215  193 200 203  205 212 215  193 200 203  193 200 203  205 212 215
39035 +220 221 221  193 200 203  193 200 203  193 200 203  190 197 201  174 174 174
39036 +174 174 174  190 197 201  193 200 203  193 200 203  167 166 167  125 124 125
39037 +6 6 6  4 0 0  4 0 0  4 3 3  4 4 4  4 4 4
39038 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39039 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39040 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39041 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39042 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39043 +4 4 4  4 4 4
39044 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  5 5 5
39045 +5 5 5  4 3 3  5 5 5  6 6 6  4 3 3  5 5 5
39046 +6 6 6  6 6 6  4 0 0  6 6 6  6 6 6  6 6 6
39047 +4 0 0  4 0 0  6 6 6  41 54 63  158 157 158  220 221 221
39048 +220 221 221  220 221 221  193 200 203  193 200 203  193 200 203  190 197 201
39049 +190 197 201  190 197 201  190 197 201  190 197 201  174 174 174  193 200 203
39050 +193 200 203  220 221 221  174 174 174  125 124 125  37 38 37  4 0 0
39051 +4 0 0  4 3 3  6 6 6  4 4 4  4 4 4  4 4 4
39052 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39053 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39054 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39055 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39056 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39057 +4 4 4  4 4 4
39058 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39059 +4 4 4  5 5 5  4 3 3  4 3 3  4 3 3  5 5 5
39060 +4 3 3  6 6 6  5 5 5  4 3 3  6 6 6  6 6 6
39061 +6 6 6  6 6 6  4 0 0  4 0 0  13 16 17  60 73 81
39062 +174 174 174  220 221 221  220 221 221  205 212 215  190 197 201  174 174 174
39063 +193 200 203  174 174 174  190 197 201  174 174 174  193 200 203  220 221 221
39064 +193 200 203  131 129 131  37 38 37  6 6 6  4 0 0  4 0 0
39065 +6 6 6  6 6 6  4 3 3  5 5 5  4 4 4  4 4 4
39066 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39067 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39068 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39069 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39070 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39071 +4 4 4  4 4 4
39072 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39073 +4 4 4  4 4 4  4 4 4  5 5 5  5 5 5  5 5 5
39074 +5 5 5  4 3 3  4 3 3  5 5 5  4 3 3  4 3 3
39075 +5 5 5  6 6 6  6 6 6  4 0 0  6 6 6  6 6 6
39076 +6 6 6  125 124 125  174 174 174  220 221 221  220 221 221  193 200 203
39077 +193 200 203  193 200 203  193 200 203  193 200 203  220 221 221  158 157 158
39078 +60 73 81  6 6 6  4 0 0  4 0 0  5 5 5  6 6 6
39079 +5 5 5  5 5 5  4 4 4  4 4 4  4 4 4  4 4 4
39080 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39081 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39082 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39083 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39084 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39085 +4 4 4  4 4 4
39086 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39087 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39088 +4 4 4  5 5 5  5 5 5  4 3 3  5 5 5  4 3 3
39089 +5 5 5  5 5 5  6 6 6  6 6 6  4 0 0  4 0 0
39090 +4 0 0  4 0 0  26 28 28  125 124 125  174 174 174  193 200 203
39091 +193 200 203  174 174 174  193 200 203  167 166 167  125 124 125  6 6 6
39092 +6 6 6  6 6 6  4 0 0  6 6 6  6 6 6  5 5 5
39093 +4 3 3  5 5 5  4 4 4  4 4 4  4 4 4  4 4 4
39094 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39095 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39096 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39097 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39098 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39099 +4 4 4  4 4 4
39100 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39101 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39102 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  5 5 5
39103 +4 3 3  6 6 6  4 0 0  6 6 6  6 6 6  6 6 6
39104 +6 6 6  4 0 0  4 0 0  6 6 6  37 38 37  125 124 125
39105 +153 152 153  131 129 131  125 124 125  37 38 37  6 6 6  6 6 6
39106 +6 6 6  4 0 0  6 6 6  6 6 6  4 3 3  5 5 5
39107 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39108 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39109 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39110 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39111 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39112 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39113 +4 4 4  4 4 4
39114 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39115 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39116 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39117 +4 4 4  5 5 5  5 5 5  4 3 3  5 5 5  4 3 3
39118 +6 6 6  6 6 6  4 0 0  4 0 0  6 6 6  6 6 6
39119 +24 26 27  24 26 27  6 6 6  6 6 6  6 6 6  4 0 0
39120 +6 6 6  6 6 6  4 0 0  6 6 6  5 5 5  4 3 3
39121 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39122 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39123 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39124 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39125 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39126 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39127 +4 4 4  4 4 4
39128 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39129 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39130 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39131 +4 4 4  4 4 4  5 5 5  4 3 3  5 5 5  6 6 6
39132 +4 0 0  6 6 6  6 6 6  6 6 6  6 6 6  6 6 6
39133 +6 6 6  6 6 6  6 6 6  4 0 0  6 6 6  6 6 6
39134 +4 0 0  6 6 6  6 6 6  4 3 3  5 5 5  4 4 4
39135 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39136 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39137 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39138 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39139 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39140 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39141 +4 4 4  4 4 4
39142 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39143 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39144 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39145 +4 4 4  4 4 4  4 4 4  5 5 5  4 3 3  5 5 5
39146 +5 5 5  5 5 5  4 0 0  6 6 6  4 0 0  6 6 6
39147 +6 6 6  6 6 6  6 6 6  4 0 0  6 6 6  4 0 0
39148 +6 6 6  4 3 3  5 5 5  4 3 3  5 5 5  4 4 4
39149 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39150 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39151 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39152 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39153 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39154 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39155 +4 4 4  4 4 4
39156 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39157 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39158 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39159 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  5 5 5
39160 +4 3 3  6 6 6  4 3 3  6 6 6  6 6 6  6 6 6
39161 +4 0 0  6 6 6  4 0 0  6 6 6  6 6 6  6 6 6
39162 +6 6 6  4 3 3  5 5 5  4 4 4  4 4 4  4 4 4
39163 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39164 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39165 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39166 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39167 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39168 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39169 +4 4 4  4 4 4
39170 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39171 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39172 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39173 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39174 +4 4 4  5 5 5  4 3 3  5 5 5  4 0 0  6 6 6
39175 +6 6 6  4 0 0  6 6 6  6 6 6  4 0 0  6 6 6
39176 +4 3 3  5 5 5  5 5 5  4 4 4  4 4 4  4 4 4
39177 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39178 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39179 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39180 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39181 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39182 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39183 +4 4 4  4 4 4
39184 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39185 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39186 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39187 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39188 +4 4 4  5 5 5  4 3 3  5 5 5  6 6 6  4 3 3
39189 +4 3 3  6 6 6  6 6 6  4 3 3  6 6 6  4 3 3
39190 +5 5 5  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39191 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39192 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39193 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39194 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39195 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39196 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39197 +4 4 4  4 4 4
39198 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39199 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39200 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39201 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39202 +4 4 4  4 4 4  4 4 4  5 5 5  4 3 3  6 6 6
39203 +5 5 5  4 3 3  4 3 3  4 3 3  5 5 5  5 5 5
39204 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39205 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39206 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39207 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39208 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39209 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39210 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39211 +4 4 4  4 4 4
39212 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39213 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39214 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39215 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39216 +4 4 4  4 4 4  4 4 4  4 4 4  5 5 5  4 3 3
39217 +5 5 5  4 3 3  5 5 5  5 5 5  4 4 4  4 4 4
39218 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39219 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39220 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39221 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39222 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39223 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39224 +4 4 4  4 4 4  4 4 4  4 4 4  4 4 4  4 4 4
39225 +4 4 4  4 4 4
39226 diff -urNp linux-3.1.1/drivers/video/udlfb.c linux-3.1.1/drivers/video/udlfb.c
39227 --- linux-3.1.1/drivers/video/udlfb.c   2011-11-11 15:19:27.000000000 -0500
39228 +++ linux-3.1.1/drivers/video/udlfb.c   2011-11-16 18:39:08.000000000 -0500
39229 @@ -585,11 +585,11 @@ int dlfb_handle_damage(struct dlfb_data 
39230                 dlfb_urb_completion(urb);
39231  
39232  error:
39233 -       atomic_add(bytes_sent, &dev->bytes_sent);
39234 -       atomic_add(bytes_identical, &dev->bytes_identical);
39235 -       atomic_add(width*height*2, &dev->bytes_rendered);
39236 +       atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
39237 +       atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
39238 +       atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
39239         end_cycles = get_cycles();
39240 -       atomic_add(((unsigned int) ((end_cycles - start_cycles)
39241 +       atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
39242                     >> 10)), /* Kcycles */
39243                    &dev->cpu_kcycles_used);
39244  
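Review bot: The switch to atomic_add_unchecked() on the four statistics counters at the error: label carries no comment saying why the REFCOUNT overflow check is being opted out of, which is exactly what a later reader needs in order to judge whether the same treatment is safe for another counter. A one-line comment above the first call, such as `/* statistics only: these counters may wrap, so bypass the REFCOUNT overflow check */`, would record that. The same point applies to the hunks at -710, -1306, -1314, -1322, -1330 and -1387 in this file, which convert the matching reads and resets. This also presumes the four fields of struct dlfb_data are redeclared as atomic_unchecked_t in the header, which this chunk does not show. dlfb_handle_damage begins outside the hunk.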
39245 @@ -710,11 +710,11 @@ static void dlfb_dpy_deferred_io(struct 
39246                 dlfb_urb_completion(urb);
39247  
39248  error:
39249 -       atomic_add(bytes_sent, &dev->bytes_sent);
39250 -       atomic_add(bytes_identical, &dev->bytes_identical);
39251 -       atomic_add(bytes_rendered, &dev->bytes_rendered);
39252 +       atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
39253 +       atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
39254 +       atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
39255         end_cycles = get_cycles();
39256 -       atomic_add(((unsigned int) ((end_cycles - start_cycles)
39257 +       atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
39258                     >> 10)), /* Kcycles */
39259                    &dev->cpu_kcycles_used);
39260  }
39261 @@ -1306,7 +1306,7 @@ static ssize_t metrics_bytes_rendered_sh
39262         struct fb_info *fb_info = dev_get_drvdata(fbdev);
39263         struct dlfb_data *dev = fb_info->par;
39264         return snprintf(buf, PAGE_SIZE, "%u\n",
39265 -                       atomic_read(&dev->bytes_rendered));
39266 +                       atomic_read_unchecked(&dev->bytes_rendered));
39267  }
39268  
39269  static ssize_t metrics_bytes_identical_show(struct device *fbdev,
39270 @@ -1314,7 +1314,7 @@ static ssize_t metrics_bytes_identical_s
39271         struct fb_info *fb_info = dev_get_drvdata(fbdev);
39272         struct dlfb_data *dev = fb_info->par;
39273         return snprintf(buf, PAGE_SIZE, "%u\n",
39274 -                       atomic_read(&dev->bytes_identical));
39275 +                       atomic_read_unchecked(&dev->bytes_identical));
39276  }
39277  
39278  static ssize_t metrics_bytes_sent_show(struct device *fbdev,
39279 @@ -1322,7 +1322,7 @@ static ssize_t metrics_bytes_sent_show(s
39280         struct fb_info *fb_info = dev_get_drvdata(fbdev);
39281         struct dlfb_data *dev = fb_info->par;
39282         return snprintf(buf, PAGE_SIZE, "%u\n",
39283 -                       atomic_read(&dev->bytes_sent));
39284 +                       atomic_read_unchecked(&dev->bytes_sent));
39285  }
39286  
39287  static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
39288 @@ -1330,7 +1330,7 @@ static ssize_t metrics_cpu_kcycles_used_
39289         struct fb_info *fb_info = dev_get_drvdata(fbdev);
39290         struct dlfb_data *dev = fb_info->par;
39291         return snprintf(buf, PAGE_SIZE, "%u\n",
39292 -                       atomic_read(&dev->cpu_kcycles_used));
39293 +                       atomic_read_unchecked(&dev->cpu_kcycles_used));
39294  }
39295  
39296  static ssize_t edid_show(
39297 @@ -1387,10 +1387,10 @@ static ssize_t metrics_reset_store(struc
39298         struct fb_info *fb_info = dev_get_drvdata(fbdev);
39299         struct dlfb_data *dev = fb_info->par;
39300  
39301 -       atomic_set(&dev->bytes_rendered, 0);
39302 -       atomic_set(&dev->bytes_identical, 0);
39303 -       atomic_set(&dev->bytes_sent, 0);
39304 -       atomic_set(&dev->cpu_kcycles_used, 0);
39305 +       atomic_set_unchecked(&dev->bytes_rendered, 0);
39306 +       atomic_set_unchecked(&dev->bytes_identical, 0);
39307 +       atomic_set_unchecked(&dev->bytes_sent, 0);
39308 +       atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
39309  
39310         return count;
39311  }
39312 diff -urNp linux-3.1.1/drivers/video/uvesafb.c linux-3.1.1/drivers/video/uvesafb.c
39313 --- linux-3.1.1/drivers/video/uvesafb.c 2011-11-11 15:19:27.000000000 -0500
39314 +++ linux-3.1.1/drivers/video/uvesafb.c 2011-11-16 18:39:08.000000000 -0500
39315 @@ -19,6 +19,7 @@
39316  #include <linux/io.h>
39317  #include <linux/mutex.h>
39318  #include <linux/slab.h>
39319 +#include <linux/moduleloader.h>
39320  #include <video/edid.h>
39321  #include <video/uvesafb.h>
39322  #ifdef CONFIG_X86
39323 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
39324                 NULL,
39325         };
39326  
39327 -       return call_usermodehelper(v86d_path, argv, envp, 1);
39328 +       return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
39329  }
39330  
39331  /*
39332 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
39333         if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
39334                 par->pmi_setpal = par->ypan = 0;
39335         } else {
39336 +
39337 +#ifdef CONFIG_PAX_KERNEXEC
39338 +#ifdef CONFIG_MODULES
39339 +               par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
39340 +#endif
39341 +               if (!par->pmi_code) {
39342 +                       par->pmi_setpal = par->ypan = 0;
39343 +                       return 0;
39344 +               }
39345 +#endif
39346 +
39347                 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
39348                                                 + task->t.regs.edi);
39349 +
39350 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39351 +               pax_open_kernel();
39352 +               memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
39353 +               pax_close_kernel();
39354 +
39355 +               par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
39356 +               par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
39357 +#else
39358                 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
39359                 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
39360 +#endif
39361 +
39362                 printk(KERN_INFO "uvesafb: protected mode interface info at "
39363                                  "%04x:%04x\n",
39364                                  (u16)task->t.regs.es, (u16)task->t.regs.edi);
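Review bot: The entry-point offsets par->pmi_base[1] and par->pmi_base[2] are never compared against the length the patch itself copies, (u16)task->t.regs.ecx, so a PMI table whose offsets exceed that length leaves par->pmi_start or par->pmi_pal pointing past the module_alloc_exec() region instead of into it; the pre-existing `es < 0xc000` test on the first line bounds the segment, not the offsets. Both values come back from the v86d helper's BIOS call, so they should be validated once par->pmi_base is known and before the memcpy and the pointer arithmetic, disabling PMI the same way the allocation-failure branch does (pmi_code then stays allocated until the remove path frees it, as it does for the existing branch). The hunk at -317,9 in drivers/video/vesafb.c has the same gap with screen_info.vesapm_size. uvesafb_vbe_getpmi begins and ends outside the hunk.
```c
		par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
						+ task->t.regs.edi);

		/* offsets come from firmware: keep both entry points inside the copied region */
		if (par->pmi_base[1] >= (u16)task->t.regs.ecx ||
		    par->pmi_base[2] >= (u16)task->t.regs.ecx) {
			par->pmi_setpal = par->ypan = 0;
			return 0;
		}
/* … unchanged: KERNEXEC copy and pmi_start/pmi_pal setup … */
```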
39365 @@ -1821,6 +1844,11 @@ out:
39366         if (par->vbe_modes)
39367                 kfree(par->vbe_modes);
39368  
39369 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39370 +       if (par->pmi_code)
39371 +               module_free_exec(NULL, par->pmi_code);
39372 +#endif
39373 +
39374         framebuffer_release(info);
39375         return err;
39376  }
39377 @@ -1847,6 +1875,12 @@ static int uvesafb_remove(struct platfor
39378                                 kfree(par->vbe_state_orig);
39379                         if (par->vbe_state_saved)
39380                                 kfree(par->vbe_state_saved);
39381 +
39382 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39383 +                       if (par->pmi_code)
39384 +                               module_free_exec(NULL, par->pmi_code);
39385 +#endif
39386 +
39387                 }
39388  
39389                 framebuffer_release(info);
39390 diff -urNp linux-3.1.1/drivers/video/vesafb.c linux-3.1.1/drivers/video/vesafb.c
39391 --- linux-3.1.1/drivers/video/vesafb.c  2011-11-11 15:19:27.000000000 -0500
39392 +++ linux-3.1.1/drivers/video/vesafb.c  2011-11-16 18:39:08.000000000 -0500
39393 @@ -9,6 +9,7 @@
39394   */
39395  
39396  #include <linux/module.h>
39397 +#include <linux/moduleloader.h>
39398  #include <linux/kernel.h>
39399  #include <linux/errno.h>
39400  #include <linux/string.h>
39401 @@ -52,8 +53,8 @@ static int   vram_remap __initdata;           /* 
39402  static int   vram_total __initdata;            /* Set total amount of memory */
39403  static int   pmi_setpal __read_mostly = 1;     /* pmi for palette changes ??? */
39404  static int   ypan       __read_mostly;         /* 0..nothing, 1..ypan, 2..ywrap */
39405 -static void  (*pmi_start)(void) __read_mostly;
39406 -static void  (*pmi_pal)  (void) __read_mostly;
39407 +static void  (*pmi_start)(void) __read_only;
39408 +static void  (*pmi_pal)  (void) __read_only;
39409  static int   depth      __read_mostly;
39410  static int   vga_compat __read_mostly;
39411  /* --------------------------------------------------------------------- */
39412 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
39413         unsigned int size_vmode;
39414         unsigned int size_remap;
39415         unsigned int size_total;
39416 +       void *pmi_code = NULL;
39417  
39418         if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
39419                 return -ENODEV;
39420 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
39421                 size_remap = size_total;
39422         vesafb_fix.smem_len = size_remap;
39423  
39424 -#ifndef __i386__
39425 -       screen_info.vesapm_seg = 0;
39426 -#endif
39427 -
39428         if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
39429                 printk(KERN_WARNING
39430                        "vesafb: cannot reserve video memory at 0x%lx\n",
39431 @@ -307,9 +305,21 @@ static int __init vesafb_probe(struct pl
39432         printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
39433                vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
39434  
39435 +#ifdef __i386__
39436 +
39437 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39438 +       pmi_code = module_alloc_exec(screen_info.vesapm_size);
39439 +       if (!pmi_code)
39440 +#elif !defined(CONFIG_PAX_KERNEXEC)
39441 +       if (0)
39442 +#endif
39443 +
39444 +#endif
39445 +       screen_info.vesapm_seg = 0;
39446 +
39447         if (screen_info.vesapm_seg) {
39448 -               printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
39449 -                      screen_info.vesapm_seg,screen_info.vesapm_off);
39450 +               printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
39451 +                      screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
39452         }
39453  
39454         if (screen_info.vesapm_seg < 0xc000)
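Review bot: module_alloc_exec(screen_info.vesapm_size) runs before every check that decides whether the PMI is used at all — the `if (screen_info.vesapm_seg)` test a few lines below, the `< 0xc000` sanity check on the last line, and the `ypan || pmi_setpal` test in the next hunk — and the success path never frees pmi_code, so a configuration that ends up not using PMI keeps an executable allocation for the life of the kernel. Moving the allocation under `if (ypan || pmi_setpal)` next to the memcpy, or freeing pmi_code on the paths that skip PMI, would close that. Separately, an `if (!pmi_code)` or `if (0)` whose body `screen_info.vesapm_seg = 0;` is assembled across four preprocessor branches is hard to read; a comment listing the outcome per configuration (non-i386 and KERNEXEC-without-MODULES: PMI always disabled; KERNEXEC+MODULES: disabled only when the allocation fails; otherwise: no-op) would help the next reader. vesafb_probe begins and ends outside the hunk.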
39455 @@ -317,9 +327,25 @@ static int __init vesafb_probe(struct pl
39456  
39457         if (ypan || pmi_setpal) {
39458                 unsigned short *pmi_base;
39459 +
39460                 pmi_base  = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
39461 -               pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
39462 -               pmi_pal   = (void*)((char*)pmi_base + pmi_base[2]);
39463 +
39464 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39465 +               pax_open_kernel();
39466 +               memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
39467 +#else
39468 +               pmi_code  = pmi_base;
39469 +#endif
39470 +
39471 +               pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
39472 +               pmi_pal   = (void*)((char*)pmi_code + pmi_base[2]);
39473 +
39474 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39475 +               pmi_start = ktva_ktla(pmi_start);
39476 +               pmi_pal = ktva_ktla(pmi_pal);
39477 +               pax_close_kernel();
39478 +#endif
39479 +
39480                 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
39481                 if (pmi_base[3]) {
39482                         printk(KERN_INFO "vesafb: pmi: ports = ");
39483 @@ -488,6 +514,11 @@ static int __init vesafb_probe(struct pl
39484                info->node, info->fix.id);
39485         return 0;
39486  err:
39487 +
39488 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39489 +       module_free_exec(NULL, pmi_code);
39490 +#endif
39491 +
39492         if (info->screen_base)
39493                 iounmap(info->screen_base);
39494         framebuffer_release(info);
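Review bot: `module_free_exec(NULL, pmi_code);` at the err: label is unconditional, whereas the two equivalent sites in drivers/video/uvesafb.c guard the call with `if (par->pmi_code)`; pmi_code is initialised to NULL at the top of this function, so this relies on module_free_exec() accepting a NULL pointer, which the patch does not show here. Writing it as `if (pmi_code) module_free_exec(NULL, pmi_code);` keeps the three sites consistent and removes the dependency. vesafb_probe begins outside the hunk.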
39495 diff -urNp linux-3.1.1/drivers/video/via/via_clock.h linux-3.1.1/drivers/video/via/via_clock.h
39496 --- linux-3.1.1/drivers/video/via/via_clock.h   2011-11-11 15:19:27.000000000 -0500
39497 +++ linux-3.1.1/drivers/video/via/via_clock.h   2011-11-16 18:39:08.000000000 -0500
39498 @@ -56,7 +56,7 @@ struct via_clock {
39499  
39500         void (*set_engine_pll_state)(u8 state);
39501         void (*set_engine_pll)(struct via_pll_config config);
39502 -};
39503 +} __no_const;
39504  
39505  
39506  static inline u32 get_pll_internal_frequency(u32 ref_freq,
39507 diff -urNp linux-3.1.1/drivers/virtio/virtio_balloon.c linux-3.1.1/drivers/virtio/virtio_balloon.c
39508 --- linux-3.1.1/drivers/virtio/virtio_balloon.c 2011-11-11 15:19:27.000000000 -0500
39509 +++ linux-3.1.1/drivers/virtio/virtio_balloon.c 2011-11-16 18:40:29.000000000 -0500
39510 @@ -174,6 +174,8 @@ static void update_balloon_stats(struct 
39511         struct sysinfo i;
39512         int idx = 0;
39513  
39514 +       pax_track_stack();
39515 +
39516         all_vm_events(events);
39517         si_meminfo(&i);
39518  
39519 diff -urNp linux-3.1.1/drivers/xen/xen-pciback/conf_space.h linux-3.1.1/drivers/xen/xen-pciback/conf_space.h
39520 --- linux-3.1.1/drivers/xen/xen-pciback/conf_space.h    2011-11-11 15:19:27.000000000 -0500
39521 +++ linux-3.1.1/drivers/xen/xen-pciback/conf_space.h    2011-11-16 18:39:08.000000000 -0500
39522 @@ -44,15 +44,15 @@ struct config_field {
39523                 struct {
39524                         conf_dword_write write;
39525                         conf_dword_read read;
39526 -               } dw;
39527 +               } __no_const dw;
39528                 struct {
39529                         conf_word_write write;
39530                         conf_word_read read;
39531 -               } w;
39532 +               } __no_const w;
39533                 struct {
39534                         conf_byte_write write;
39535                         conf_byte_read read;
39536 -               } b;
39537 +               } __no_const b;
39538         } u;
39539         struct list_head list;
39540  };
39541 diff -urNp linux-3.1.1/fs/9p/vfs_inode.c linux-3.1.1/fs/9p/vfs_inode.c
39542 --- linux-3.1.1/fs/9p/vfs_inode.c       2011-11-11 15:19:27.000000000 -0500
39543 +++ linux-3.1.1/fs/9p/vfs_inode.c       2011-11-16 18:39:08.000000000 -0500
39544 @@ -1288,7 +1288,7 @@ static void *v9fs_vfs_follow_link(struct
39545  void
39546  v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
39547  {
39548 -       char *s = nd_get_link(nd);
39549 +       const char *s = nd_get_link(nd);
39550  
39551         P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
39552                 IS_ERR(s) ? "<error>" : s);
39553 diff -urNp linux-3.1.1/fs/aio.c linux-3.1.1/fs/aio.c
39554 --- linux-3.1.1/fs/aio.c        2011-11-11 15:19:27.000000000 -0500
39555 +++ linux-3.1.1/fs/aio.c        2011-11-16 18:40:29.000000000 -0500
39556 @@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx 
39557         size += sizeof(struct io_event) * nr_events;
39558         nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
39559  
39560 -       if (nr_pages < 0)
39561 +       if (nr_pages <= 0)
39562                 return -EINVAL;
39563  
39564         nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
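Review bot: The tightened `nr_pages <= 0` test has no comment, and its reason is only visible from the line after it: with nr_pages == 0 the expression `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)` wraps and yields an enormous nr_events. A comment such as `/* nr_pages == 0 would wrap the nr_events computation below */` on the line above the test records that. aio_setup_ring begins and ends outside the hunk.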
39565 @@ -1088,6 +1088,8 @@ static int read_events(struct kioctx *ct
39566         struct aio_timeout      to;
39567         int                     retry = 0;
39568  
39569 +       pax_track_stack();
39570 +
39571         /* needed to zero any padding within an entry (there shouldn't be 
39572          * any, but C is fun!
39573          */
39574 @@ -1381,22 +1383,27 @@ static ssize_t aio_fsync(struct kiocb *i
39575  static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
39576  {
39577         ssize_t ret;
39578 +       struct iovec iovstack;
39579  
39580  #ifdef CONFIG_COMPAT
39581         if (compat)
39582                 ret = compat_rw_copy_check_uvector(type,
39583                                 (struct compat_iovec __user *)kiocb->ki_buf,
39584 -                               kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
39585 +                               kiocb->ki_nbytes, 1, &iovstack,
39586                                 &kiocb->ki_iovec);
39587         else
39588  #endif
39589                 ret = rw_copy_check_uvector(type,
39590                                 (struct iovec __user *)kiocb->ki_buf,
39591 -                               kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
39592 +                               kiocb->ki_nbytes, 1, &iovstack,
39593                                 &kiocb->ki_iovec);
39594         if (ret < 0)
39595                 goto out;
39596  
39597 +       if (kiocb->ki_iovec == &iovstack) {
39598 +               kiocb->ki_inline_vec = iovstack;
39599 +               kiocb->ki_iovec = &kiocb->ki_inline_vec;
39600 +       }
39601         kiocb->ki_nr_segs = kiocb->ki_nbytes;
39602         kiocb->ki_cur_seg = 0;
39603         /* ki_nbytes/left now reflect bytes instead of segs */
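Review bot: The fixup that redirects kiocb->ki_iovec from the stack variable iovstack to kiocb->ki_inline_vec runs only after the `if (ret < 0) goto out;` check, so on a failed copy ki_iovec can still point at iovstack when the function returns; in mainline 3.1 rw_copy_check_uvector() stores its iov pointer through the last argument on its error exit as well, and kiocb teardown kfree()s any ki_iovec that is not &ki_inline_vec, which would then be a kfree() of a stack address — please confirm against those two functions, which are outside this chunk. Moving the `if (kiocb->ki_iovec == &iovstack) { ... }` block above the `if (ret < 0)` test, or adding `kiocb->ki_iovec = &kiocb->ki_inline_vec;` at the out: label, removes the window. The out: label of aio_setup_vectored_rw is outside the hunk.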
39604 diff -urNp linux-3.1.1/fs/attr.c linux-3.1.1/fs/attr.c
39605 --- linux-3.1.1/fs/attr.c       2011-11-11 15:19:27.000000000 -0500
39606 +++ linux-3.1.1/fs/attr.c       2011-11-16 18:40:29.000000000 -0500
39607 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode 
39608                 unsigned long limit;
39609  
39610                 limit = rlimit(RLIMIT_FSIZE);
39611 +               gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
39612                 if (limit != RLIM_INFINITY && offset > limit)
39613                         goto out_sig;
39614                 if (offset > inode->i_sb->s_maxbytes)
39615 diff -urNp linux-3.1.1/fs/autofs4/waitq.c linux-3.1.1/fs/autofs4/waitq.c
39616 --- linux-3.1.1/fs/autofs4/waitq.c      2011-11-11 15:19:27.000000000 -0500
39617 +++ linux-3.1.1/fs/autofs4/waitq.c      2011-11-16 18:39:08.000000000 -0500
39618 @@ -60,7 +60,7 @@ static int autofs4_write(struct file *fi
39619  {
39620         unsigned long sigpipe, flags;
39621         mm_segment_t fs;
39622 -       const char *data = (const char *)addr;
39623 +       const char __user *data = (const char __force_user *)addr;
39624         ssize_t wr = 0;
39625  
39626         /** WARNING: this is not safe for writing more than PIPE_BUF bytes! **/
39627 diff -urNp linux-3.1.1/fs/befs/linuxvfs.c linux-3.1.1/fs/befs/linuxvfs.c
39628 --- linux-3.1.1/fs/befs/linuxvfs.c      2011-11-11 15:19:27.000000000 -0500
39629 +++ linux-3.1.1/fs/befs/linuxvfs.c      2011-11-16 18:39:08.000000000 -0500
39630 @@ -503,7 +503,7 @@ static void befs_put_link(struct dentry 
39631  {
39632         befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
39633         if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
39634 -               char *link = nd_get_link(nd);
39635 +               const char *link = nd_get_link(nd);
39636                 if (!IS_ERR(link))
39637                         kfree(link);
39638         }
39639 diff -urNp linux-3.1.1/fs/binfmt_aout.c linux-3.1.1/fs/binfmt_aout.c
39640 --- linux-3.1.1/fs/binfmt_aout.c        2011-11-11 15:19:27.000000000 -0500
39641 +++ linux-3.1.1/fs/binfmt_aout.c        2011-11-16 18:40:29.000000000 -0500
39642 @@ -16,6 +16,7 @@
39643  #include <linux/string.h>
39644  #include <linux/fs.h>
39645  #include <linux/file.h>
39646 +#include <linux/security.h>
39647  #include <linux/stat.h>
39648  #include <linux/fcntl.h>
39649  #include <linux/ptrace.h>
39650 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
39651  #endif
39652  #       define START_STACK(u)   ((void __user *)u.start_stack)
39653  
39654 +       memset(&dump, 0, sizeof(dump));
39655 +
39656         fs = get_fs();
39657         set_fs(KERNEL_DS);
39658         has_dumped = 1;
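Review bot: The added `memset(&dump, 0, sizeof(dump));` has no comment explaining its purpose; since the user struct is written to the core file later in aout_core_dump (outside this hunk), the zeroing presumably exists so that fields and padding that are never assigned do not carry stale stack contents into the dump. A comment such as `/* clear padding and unassigned fields so stale stack bytes do not reach the core file */` should accompany it. aout_core_dump begins and ends outside the hunk.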
39659 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
39660  
39661  /* If the size of the dump file exceeds the rlimit, then see what would happen
39662     if we wrote the stack, but not the data area.  */
39663 +       gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
39664         if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
39665                 dump.u_dsize = 0;
39666  
39667  /* Make sure we have enough room to write the stack and data areas. */
39668 +       gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
39669         if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
39670                 dump.u_ssize = 0;
39671  
39672 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
39673         rlim = rlimit(RLIMIT_DATA);
39674         if (rlim >= RLIM_INFINITY)
39675                 rlim = ~0;
39676 +
39677 +       gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
39678         if (ex.a_data + ex.a_bss > rlim)
39679                 return -ENOMEM;
39680  
39681 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
39682         install_exec_creds(bprm);
39683         current->flags &= ~PF_FORKNOEXEC;
39684  
39685 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
39686 +       current->mm->pax_flags = 0UL;
39687 +#endif
39688 +
39689 +#ifdef CONFIG_PAX_PAGEEXEC
39690 +       if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
39691 +               current->mm->pax_flags |= MF_PAX_PAGEEXEC;
39692 +
39693 +#ifdef CONFIG_PAX_EMUTRAMP
39694 +               if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
39695 +                       current->mm->pax_flags |= MF_PAX_EMUTRAMP;
39696 +#endif
39697 +
39698 +#ifdef CONFIG_PAX_MPROTECT
39699 +               if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
39700 +                       current->mm->pax_flags |= MF_PAX_MPROTECT;
39701 +#endif
39702 +
39703 +       }
39704 +#endif
39705 +
39706         if (N_MAGIC(ex) == OMAGIC) {
39707                 unsigned long text_addr, map_size;
39708                 loff_t pos;
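Review bot: `current->mm->pax_flags = 0UL;` is reset under CONFIG_PAX_NOEXEC || CONFIG_PAX_ASLR, but the only flags raised afterwards are the PAGEEXEC, EMUTRAMP and MPROTECT ones, so with only CONFIG_PAX_ASLR enabled the block reduces to the reset and no randomisation flag is ever set for a.out images. If that is deliberate, a comment above the reset such as `/* a.out images are never randomised here; only the NOEXEC-family flags apply */` prevents the next reader from treating it as an omission — please confirm the intent. The stray blank line before the closing brace of the PAGEEXEC block could also go. load_aout_binary begins and ends outside the hunk.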
39709 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
39710  
39711                 down_write(&current->mm->mmap_sem);
39712                 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
39713 -                               PROT_READ | PROT_WRITE | PROT_EXEC,
39714 +                               PROT_READ | PROT_WRITE,
39715                                 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
39716                                 fd_offset + ex.a_text);
39717                 up_write(&current->mm->mmap_sem);
39718 diff -urNp linux-3.1.1/fs/binfmt_elf.c linux-3.1.1/fs/binfmt_elf.c
39719 --- linux-3.1.1/fs/binfmt_elf.c 2011-11-11 15:19:27.000000000 -0500
39720 +++ linux-3.1.1/fs/binfmt_elf.c 2011-11-16 18:40:29.000000000 -0500
39721 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
39722  #define elf_core_dump  NULL
39723  #endif
39724  
39725 +#ifdef CONFIG_PAX_MPROTECT
39726 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
39727 +#endif
39728 +
39729  #if ELF_EXEC_PAGESIZE > PAGE_SIZE
39730  #define ELF_MIN_ALIGN  ELF_EXEC_PAGESIZE
39731  #else
39732 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format = 
39733         .load_binary    = load_elf_binary,
39734         .load_shlib     = load_elf_library,
39735         .core_dump      = elf_core_dump,
39736 +
39737 +#ifdef CONFIG_PAX_MPROTECT
39738 +               .handle_mprotect= elf_handle_mprotect,
39739 +#endif
39740 +
39741         .min_coredump   = ELF_EXEC_PAGESIZE,
39742  };
39743  
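Review bot: The new `.handle_mprotect= elf_handle_mprotect,` initializer is indented one level deeper than the sibling designated initializers and lacks the space before `=`; it should read `.handle_mprotect = elf_handle_mprotect,` at the same indent as `.core_dump`. The blank lines isolating the `#ifdef` block inside the initializer list are also unlike the rest of elf_format.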
39744 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format = 
39745  
39746  static int set_brk(unsigned long start, unsigned long end)
39747  {
39748 +       unsigned long e = end;
39749 +
39750         start = ELF_PAGEALIGN(start);
39751         end = ELF_PAGEALIGN(end);
39752         if (end > start) {
39753 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start, 
39754                 if (BAD_ADDR(addr))
39755                         return addr;
39756         }
39757 -       current->mm->start_brk = current->mm->brk = end;
39758 +       current->mm->start_brk = current->mm->brk = e;
39759         return 0;
39760  }
39761  
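Review bot: `e` captures the page-unaligned end before ELF_PAGEALIGN rounds `end` up, and it is `e` rather than the aligned value that becomes mm->start_brk/brk, so the break now begins inside the last bss page instead of on its boundary; neither the name nor a comment says why. Suggest `unsigned long unaligned_end = end;` and a comment on the assignment such as `/* PaX: start brk at the real end of bss rather than the page-aligned end — (reason, e.g. heap-start randomization, to be confirmed) */`. The do_brk call that maps the aligned range is in the unchanged middle of the function.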
39762 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
39763         elf_addr_t __user *u_rand_bytes;
39764         const char *k_platform = ELF_PLATFORM;
39765         const char *k_base_platform = ELF_BASE_PLATFORM;
39766 -       unsigned char k_rand_bytes[16];
39767 +       u32 k_rand_bytes[4];
39768         int items;
39769         elf_addr_t *elf_info;
39770         int ei_index = 0;
39771         const struct cred *cred = current_cred();
39772         struct vm_area_struct *vma;
39773 +       unsigned long saved_auxv[AT_VECTOR_SIZE];
39774 +
39775 +       pax_track_stack();
39776  
39777         /*
39778          * In some cases (e.g. Hyper-Threading), we want to avoid L1
39779 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
39780          * Generate 16 random bytes for userspace PRNG seeding.
39781          */
39782         get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
39783 -       u_rand_bytes = (elf_addr_t __user *)
39784 -                      STACK_ALLOC(p, sizeof(k_rand_bytes));
39785 +       srandom32(k_rand_bytes[0] ^ random32());
39786 +       srandom32(k_rand_bytes[1] ^ random32());
39787 +       srandom32(k_rand_bytes[2] ^ random32());
39788 +       srandom32(k_rand_bytes[3] ^ random32());
39789 +       p = STACK_ROUND(p, sizeof(k_rand_bytes));
39790 +       u_rand_bytes = (elf_addr_t __user *) p;
39791         if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
39792                 return -EFAULT;
39793  
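Review bot: `STACK_ALLOC(p, sizeof(k_rand_bytes))` is replaced by `p = STACK_ROUND(p, sizeof(k_rand_bytes)); u_rand_bytes = (elf_addr_t __user *) p;`, but STACK_ROUND and STACK_ALLOC have direction-specific definitions elsewhere in this file (not in the hunk): on a stack-grows-down arch STACK_ROUND yields the start of the reserved region, whereas on CONFIG_STACK_GROWSUP it appears to yield the address past it, in which case the 16 bytes would be written at `p` into space that is not reserved. Please confirm the GROWSUP case, or keep STACK_ALLOC and align separately. The four `srandom32(k_rand_bytes[i] ^ random32())` calls reseed the system-wide random32 generator on every exec with bytes that the `__copy_to_user` below also hands to the new process; a comment stating the intent (presumably extra stirring, not a secret seed) would help the reader.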
39794 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
39795                 return -EFAULT;
39796         current->mm->env_end = p;
39797  
39798 +       memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
39799 +
39800         /* Put the elf_info on the stack in the right place.  */
39801         sp = (elf_addr_t __user *)envp + 1;
39802 -       if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
39803 +       if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
39804                 return -EFAULT;
39805         return 0;
39806  }
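Review bot: `saved_auxv` is a full AT_VECTOR_SIZE stack copy of `elf_info` made only so that `copy_to_user` reads from the stack instead of from the buffer `elf_info` points at, and the reason is not stated anywhere in the hunk. A one-line comment above the `memcpy`, e.g. `/* PaX: copy the auxv to the stack before handing it to user space — (constraint on copying from mm->saved_auxv, to be confirmed) */`, would make the extra copy reviewable rather than looking redundant. The size `ei_index * sizeof(elf_addr_t)` relies on `ei_index` never exceeding AT_VECTOR_SIZE, which is established outside this hunk.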
39807 @@ -381,10 +401,10 @@ static unsigned long load_elf_interp(str
39808  {
39809         struct elf_phdr *elf_phdata;
39810         struct elf_phdr *eppnt;
39811 -       unsigned long load_addr = 0;
39812 +       unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
39813         int load_addr_set = 0;
39814         unsigned long last_bss = 0, elf_bss = 0;
39815 -       unsigned long error = ~0UL;
39816 +       unsigned long error = -EINVAL;
39817         unsigned long total_size;
39818         int retval, i, size;
39819  
39820 @@ -430,6 +450,11 @@ static unsigned long load_elf_interp(str
39821                 goto out_close;
39822         }
39823  
39824 +#ifdef CONFIG_PAX_SEGMEXEC
39825 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
39826 +               pax_task_size = SEGMEXEC_TASK_SIZE;
39827 +#endif
39828 +
39829         eppnt = elf_phdata;
39830         for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
39831                 if (eppnt->p_type == PT_LOAD) {
39832 @@ -473,8 +498,8 @@ static unsigned long load_elf_interp(str
39833                         k = load_addr + eppnt->p_vaddr;
39834                         if (BAD_ADDR(k) ||
39835                             eppnt->p_filesz > eppnt->p_memsz ||
39836 -                           eppnt->p_memsz > TASK_SIZE ||
39837 -                           TASK_SIZE - eppnt->p_memsz < k) {
39838 +                           eppnt->p_memsz > pax_task_size ||
39839 +                           pax_task_size - eppnt->p_memsz < k) {
39840                                 error = -ENOMEM;
39841                                 goto out_close;
39842                         }
39843 @@ -528,6 +553,193 @@ out:
39844         return error;
39845  }
39846  
39847 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
39848 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
39849 +{
39850 +       unsigned long pax_flags = 0UL;
39851 +
39852 +#ifdef CONFIG_PAX_PAGEEXEC
39853 +       if (elf_phdata->p_flags & PF_PAGEEXEC)
39854 +               pax_flags |= MF_PAX_PAGEEXEC;
39855 +#endif
39856 +
39857 +#ifdef CONFIG_PAX_SEGMEXEC
39858 +       if (elf_phdata->p_flags & PF_SEGMEXEC)
39859 +               pax_flags |= MF_PAX_SEGMEXEC;
39860 +#endif
39861 +
39862 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39863 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39864 +               if ((__supported_pte_mask & _PAGE_NX))
39865 +                       pax_flags &= ~MF_PAX_SEGMEXEC;
39866 +               else
39867 +                       pax_flags &= ~MF_PAX_PAGEEXEC;
39868 +       }
39869 +#endif
39870 +
39871 +#ifdef CONFIG_PAX_EMUTRAMP
39872 +       if (elf_phdata->p_flags & PF_EMUTRAMP)
39873 +               pax_flags |= MF_PAX_EMUTRAMP;
39874 +#endif
39875 +
39876 +#ifdef CONFIG_PAX_MPROTECT
39877 +       if (elf_phdata->p_flags & PF_MPROTECT)
39878 +               pax_flags |= MF_PAX_MPROTECT;
39879 +#endif
39880 +
39881 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
39882 +       if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
39883 +               pax_flags |= MF_PAX_RANDMMAP;
39884 +#endif
39885 +
39886 +       return pax_flags;
39887 +}
39888 +#endif
39889 +
39890 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
39891 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
39892 +{
39893 +       unsigned long pax_flags = 0UL;
39894 +
39895 +#ifdef CONFIG_PAX_PAGEEXEC
39896 +       if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
39897 +               pax_flags |= MF_PAX_PAGEEXEC;
39898 +#endif
39899 +
39900 +#ifdef CONFIG_PAX_SEGMEXEC
39901 +       if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
39902 +               pax_flags |= MF_PAX_SEGMEXEC;
39903 +#endif
39904 +
39905 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39906 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39907 +               if ((__supported_pte_mask & _PAGE_NX))
39908 +                       pax_flags &= ~MF_PAX_SEGMEXEC;
39909 +               else
39910 +                       pax_flags &= ~MF_PAX_PAGEEXEC;
39911 +       }
39912 +#endif
39913 +
39914 +#ifdef CONFIG_PAX_EMUTRAMP
39915 +       if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
39916 +               pax_flags |= MF_PAX_EMUTRAMP;
39917 +#endif
39918 +
39919 +#ifdef CONFIG_PAX_MPROTECT
39920 +       if (!(elf_phdata->p_flags & PF_NOMPROTECT))
39921 +               pax_flags |= MF_PAX_MPROTECT;
39922 +#endif
39923 +
39924 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
39925 +       if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
39926 +               pax_flags |= MF_PAX_RANDMMAP;
39927 +#endif
39928 +
39929 +       return pax_flags;
39930 +}
39931 +#endif
39932 +
39933 +#ifdef CONFIG_PAX_EI_PAX
39934 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
39935 +{
39936 +       unsigned long pax_flags = 0UL;
39937 +
39938 +#ifdef CONFIG_PAX_PAGEEXEC
39939 +       if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
39940 +               pax_flags |= MF_PAX_PAGEEXEC;
39941 +#endif
39942 +
39943 +#ifdef CONFIG_PAX_SEGMEXEC
39944 +       if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
39945 +               pax_flags |= MF_PAX_SEGMEXEC;
39946 +#endif
39947 +
39948 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39949 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39950 +               if ((__supported_pte_mask & _PAGE_NX))
39951 +                       pax_flags &= ~MF_PAX_SEGMEXEC;
39952 +               else
39953 +                       pax_flags &= ~MF_PAX_PAGEEXEC;
39954 +       }
39955 +#endif
39956 +
39957 +#ifdef CONFIG_PAX_EMUTRAMP
39958 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
39959 +               pax_flags |= MF_PAX_EMUTRAMP;
39960 +#endif
39961 +
39962 +#ifdef CONFIG_PAX_MPROTECT
39963 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
39964 +               pax_flags |= MF_PAX_MPROTECT;
39965 +#endif
39966 +
39967 +#ifdef CONFIG_PAX_ASLR
39968 +       if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
39969 +               pax_flags |= MF_PAX_RANDMMAP;
39970 +#endif
39971 +
39972 +       return pax_flags;
39973 +}
39974 +#endif
39975 +
39976 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
39977 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
39978 +{
39979 +       unsigned long pax_flags = 0UL;
39980 +
39981 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
39982 +       unsigned long i;
39983 +       int found_flags = 0;
39984 +#endif
39985 +
39986 +#ifdef CONFIG_PAX_EI_PAX
39987 +       pax_flags = pax_parse_ei_pax(elf_ex);
39988 +#endif
39989 +
39990 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
39991 +       for (i = 0UL; i < elf_ex->e_phnum; i++)
39992 +               if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
39993 +                       if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
39994 +                           ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
39995 +                           ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
39996 +                           ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
39997 +                           ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
39998 +                               return -EINVAL;
39999 +
40000 +#ifdef CONFIG_PAX_SOFTMODE
40001 +                       if (pax_softmode)
40002 +                               pax_flags = pax_parse_softmode(&elf_phdata[i]);
40003 +                       else
40004 +#endif
40005 +
40006 +                               pax_flags = pax_parse_hardmode(&elf_phdata[i]);
40007 +                       found_flags = 1;
40008 +                       break;
40009 +               }
40010 +#endif
40011 +
40012 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
40013 +       if (found_flags == 0) {
40014 +               struct elf_phdr phdr;
40015 +               memset(&phdr, 0, sizeof(phdr));
40016 +               phdr.p_flags = PF_NOEMUTRAMP;
40017 +#ifdef CONFIG_PAX_SOFTMODE
40018 +               if (pax_softmode)
40019 +                       pax_flags = pax_parse_softmode(&phdr);
40020 +               else
40021 +#endif
40022 +                       pax_flags = pax_parse_hardmode(&phdr);
40023 +       }
40024 +#endif
40025 +
40026 +       if (0 > pax_check_flags(&pax_flags))
40027 +               return -EINVAL;
40028 +
40029 +       current->mm->pax_flags = pax_flags;
40030 +       return 0;
40031 +}
40032 +#endif
40033 +
40034  /*
40035   * These are the functions used to load ELF style executables and shared
40036   * libraries.  There is no binary dependent code anywhere else.
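Review bot: The PAGEEXEC/SEGMEXEC conflict resolution block (`if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) { if ((__supported_pte_mask & _PAGE_NX)) ... }`) is repeated verbatim in pax_parse_softmode, pax_parse_hardmode and pax_parse_ei_pax; a single `static void pax_pick_exec_mode(unsigned long *pax_flags)` helper under the same `#if` would keep the three parsers from drifting apart. In pax_parse_elf_flags the `else` inside `#ifdef CONFIG_PAX_SOFTMODE` is completed by the `pax_flags = pax_parse_hardmode(&elf_phdata[i]);` that follows `#endif` and a blank line, and the same else-across-`#endif` pattern appears again in the load_elf_binary hunk below (`} else` / `#endif` / `if (elf_read_implies_exec(...))`); bracing both arms would keep the control flow obvious to editors and tools. The `phdr.p_flags = PF_NOEMUTRAMP` fallback for binaries with no PT_PAX_FLAGS header deserves a comment stating the resulting policy, which from the code is everything except EMUTRAMP enabled in hardmode and nothing enabled in softmode.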
40037 @@ -544,6 +756,11 @@ static unsigned long randomize_stack_top
40038  {
40039         unsigned int random_variable = 0;
40040  
40041 +#ifdef CONFIG_PAX_RANDUSTACK
40042 +       if (randomize_va_space)
40043 +               return stack_top - current->mm->delta_stack;
40044 +#endif
40045 +
40046         if ((current->flags & PF_RANDOMIZE) &&
40047                 !(current->personality & ADDR_NO_RANDOMIZE)) {
40048                 random_variable = get_random_int() & STACK_RND_MASK;
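Review bot: The early `return stack_top - current->mm->delta_stack;` bypasses the PF_RANDOMIZE / ADDR_NO_RANDOMIZE checks below whenever randomize_va_space is set, and the reader of this function cannot see that delta_stack is zeroed at exec and only assigned under MF_PAX_RANDMMAP (that happens in the load_elf_binary hunks of this patch). Suggest a comment on the return, e.g. `/* PaX: delta_stack is 0 unless MF_PAX_RANDMMAP was set for this mm; ADDR_NO_RANDOMIZE is intentionally not consulted here */`, adjusting the last clause if ignoring the personality flag is not intended. The rest of randomize_stack_top is outside the hunk.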
40049 @@ -562,7 +779,7 @@ static int load_elf_binary(struct linux_
40050         unsigned long load_addr = 0, load_bias = 0;
40051         int load_addr_set = 0;
40052         char * elf_interpreter = NULL;
40053 -       unsigned long error;
40054 +       unsigned long error = 0;
40055         struct elf_phdr *elf_ppnt, *elf_phdata;
40056         unsigned long elf_bss, elf_brk;
40057         int retval, i;
40058 @@ -572,11 +789,11 @@ static int load_elf_binary(struct linux_
40059         unsigned long start_code, end_code, start_data, end_data;
40060         unsigned long reloc_func_desc __maybe_unused = 0;
40061         int executable_stack = EXSTACK_DEFAULT;
40062 -       unsigned long def_flags = 0;
40063         struct {
40064                 struct elfhdr elf_ex;
40065                 struct elfhdr interp_elf_ex;
40066         } *loc;
40067 +       unsigned long pax_task_size = TASK_SIZE;
40068  
40069         loc = kmalloc(sizeof(*loc), GFP_KERNEL);
40070         if (!loc) {
40071 @@ -713,11 +930,81 @@ static int load_elf_binary(struct linux_
40072  
40073         /* OK, This is the point of no return */
40074         current->flags &= ~PF_FORKNOEXEC;
40075 -       current->mm->def_flags = def_flags;
40076 +
40077 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
40078 +       current->mm->pax_flags = 0UL;
40079 +#endif
40080 +
40081 +#ifdef CONFIG_PAX_DLRESOLVE
40082 +       current->mm->call_dl_resolve = 0UL;
40083 +#endif
40084 +
40085 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
40086 +       current->mm->call_syscall = 0UL;
40087 +#endif
40088 +
40089 +#ifdef CONFIG_PAX_ASLR
40090 +       current->mm->delta_mmap = 0UL;
40091 +       current->mm->delta_stack = 0UL;
40092 +#endif
40093 +
40094 +       current->mm->def_flags = 0;
40095 +
40096 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
40097 +       if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
40098 +               send_sig(SIGKILL, current, 0);
40099 +               goto out_free_dentry;
40100 +       }
40101 +#endif
40102 +
40103 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
40104 +       pax_set_initial_flags(bprm);
40105 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
40106 +       if (pax_set_initial_flags_func)
40107 +               (pax_set_initial_flags_func)(bprm);
40108 +#endif
40109 +
40110 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
40111 +       if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
40112 +               current->mm->context.user_cs_limit = PAGE_SIZE;
40113 +               current->mm->def_flags |= VM_PAGEEXEC;
40114 +       }
40115 +#endif
40116 +
40117 +#ifdef CONFIG_PAX_SEGMEXEC
40118 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
40119 +               current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
40120 +               current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
40121 +               pax_task_size = SEGMEXEC_TASK_SIZE;
40122 +               current->mm->def_flags |= VM_NOHUGEPAGE;
40123 +       }
40124 +#endif
40125 +
40126 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
40127 +       if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
40128 +               set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
40129 +               put_cpu();
40130 +       }
40131 +#endif
40132  
40133         /* Do this immediately, since STACK_TOP as used in setup_arg_pages
40134            may depend on the personality.  */
40135         SET_PERSONALITY(loc->elf_ex);
40136 +
40137 +#ifdef CONFIG_PAX_ASLR
40138 +       if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
40139 +               current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
40140 +               current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
40141 +       }
40142 +#endif
40143 +
40144 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
40145 +       if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
40146 +               executable_stack = EXSTACK_DISABLE_X;
40147 +               current->personality &= ~READ_IMPLIES_EXEC;
40148 +       } else
40149 +#endif
40150 +
40151         if (elf_read_implies_exec(loc->elf_ex, executable_stack))
40152                 current->personality |= READ_IMPLIES_EXEC;
40153  
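Review bot: pax_set_initial_flags() / pax_set_initial_flags_func run after pax_parse_elf_flags() has already stored the ELF-derived flags in current->mm->pax_flags, so the ACL hook can override the binary's own EI_PAX/PT_PAX_FLAGS markings; that precedence is the security-relevant part of this sequence and is not written down. Suggest a comment above the `#ifdef CONFIG_PAX_HAVE_ACL_FLAGS` line: `/* ACL-supplied flags take precedence over the EI_PAX / PT_PAX_FLAGS markings parsed above */`. Similarly, the segment-limit and delta_mmap/delta_stack assignments depend on pax_flags being final at that point, which the same comment could state. load_elf_binary continues on both sides of this hunk.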
40154 @@ -808,6 +1095,20 @@ static int load_elf_binary(struct linux_
40155  #else
40156                         load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
40157  #endif
40158 +
40159 +#ifdef CONFIG_PAX_RANDMMAP
40160 +                       /* PaX: randomize base address at the default exe base if requested */
40161 +                       if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
40162 +#ifdef CONFIG_SPARC64
40163 +                               load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
40164 +#else
40165 +                               load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
40166 +#endif
40167 +                               load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
40168 +                               elf_flags |= MAP_FIXED;
40169 +                       }
40170 +#endif
40171 +
40172                 }
40173  
40174                 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
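Review bot: `elf_flags |= MAP_FIXED;` makes the randomized first ET_DYN mapping replace whatever is already at `load_bias + vaddr` instead of failing, whereas the unmodified path passes `load_bias` only as a hint for the first segment (the code that sets MAP_FIXED for later segments is outside the hunk); a collision at this point of exec is unlikely but would be silent. Consider keeping the hint and verifying that elf_map returned the requested address, or add a comment stating why MAP_FIXED is safe here. The `&& elf_interpreter` condition also leaves statically linked PIE images unrandomized by this branch, which the existing comment does not mention.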
40175 @@ -840,9 +1141,9 @@ static int load_elf_binary(struct linux_
40176                  * allowed task size. Note that p_filesz must always be
40177                  * <= p_memsz so it is only necessary to check p_memsz.
40178                  */
40179 -               if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
40180 -                   elf_ppnt->p_memsz > TASK_SIZE ||
40181 -                   TASK_SIZE - elf_ppnt->p_memsz < k) {
40182 +               if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
40183 +                   elf_ppnt->p_memsz > pax_task_size ||
40184 +                   pax_task_size - elf_ppnt->p_memsz < k) {
40185                         /* set_brk can never work. Avoid overflows. */
40186                         send_sig(SIGKILL, current, 0);
40187                         retval = -EINVAL;
40188 @@ -870,6 +1171,11 @@ static int load_elf_binary(struct linux_
40189         start_data += load_bias;
40190         end_data += load_bias;
40191  
40192 +#ifdef CONFIG_PAX_RANDMMAP
40193 +       if (current->mm->pax_flags & MF_PAX_RANDMMAP)
40194 +               elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
40195 +#endif
40196 +
40197         /* Calling set_brk effectively mmaps the pages that we need
40198          * for the bss and break sections.  We must do this before
40199          * mapping in the interpreter, to make sure it doesn't wind
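Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` adds a random offset whose magnitude only follows from the arithmetic: `& ~PAGE_MASK` keeps the sub-page bits, so the shifted term is at most 16 pages on top of the fixed one-page gap. A comment such as `/* PaX: leave a random gap of 1..17 pages between bss and the start of the heap */` would make the constants reviewable. If this function's later brk randomization for randomize_va_space > 1 (outside the hunk) is still reached, the two offsets compose, which is worth stating in the same comment.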
40200 @@ -881,9 +1187,11 @@ static int load_elf_binary(struct linux_
40201                 goto out_free_dentry;
40202         }
40203         if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
40204 -               send_sig(SIGSEGV, current, 0);
40205 -               retval = -EFAULT; /* Nobody gets to see this, but.. */
40206 -               goto out_free_dentry;
40207 +               /*
40208 +                * This bss-zeroing can fail if the ELF
40209 +                * file specifies odd protections. So
40210 +                * we don't check the return value
40211 +                */
40212         }
40213  
40214         if (elf_interpreter) {
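Review bot: The `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` now has an empty body, so padzero() is called for its side effect only and `unlikely()` annotates a result that is discarded; a reader will assume a statement was lost. Suggest `if (elf_bss != elf_brk)` / `(void)padzero(elf_bss);` with the explanatory comment kept above it. Note the behavioural change this hunk makes: a failed zeroing previously killed the process with SIGSEGV, now the image runs with the tail of the last file page unzeroed, which the retained comment presents as expected for "odd protections".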
40215 @@ -1098,7 +1406,7 @@ out:
40216   * Decide what to dump of a segment, part, all or none.
40217   */
40218  static unsigned long vma_dump_size(struct vm_area_struct *vma,
40219 -                                  unsigned long mm_flags)
40220 +                                  unsigned long mm_flags, long signr)
40221  {
40222  #define FILTER(type)   (mm_flags & (1UL << MMF_DUMP_##type))
40223  
40224 @@ -1132,7 +1440,7 @@ static unsigned long vma_dump_size(struc
40225         if (vma->vm_file == NULL)
40226                 return 0;
40227  
40228 -       if (FILTER(MAPPED_PRIVATE))
40229 +       if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
40230                 goto whole;
40231  
40232         /*
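Review bot: `signr == SIGKILL` forcing a whole-mapping dump of file-backed private mappings is undocumented, and the reader cannot tell which kills it is meant to capture (the remaining branches of vma_dump_size are outside the hunk). Suggest a comment on the condition, e.g. `/* grsecurity: a SIGKILL-triggered dump captures file-backed private mappings in full — (presumably for the kills issued by the PaX checks in this patch; confirm) */`. The new `signr` parameter should also be described in the function's header comment, which the hunk leaves unchanged.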
40233 @@ -1354,9 +1662,9 @@ static void fill_auxv_note(struct memelf
40234  {
40235         elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
40236         int i = 0;
40237 -       do
40238 +       do {
40239                 i += 2;
40240 -       while (auxv[i - 2] != AT_NULL);
40241 +       } while (auxv[i - 2] != AT_NULL);
40242         fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
40243  }
40244  
40245 @@ -1862,14 +2170,14 @@ static void fill_extnum_info(struct elfh
40246  }
40247  
40248  static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
40249 -                                    unsigned long mm_flags)
40250 +                                    struct coredump_params *cprm)
40251  {
40252         struct vm_area_struct *vma;
40253         size_t size = 0;
40254  
40255         for (vma = first_vma(current, gate_vma); vma != NULL;
40256              vma = next_vma(vma, gate_vma))
40257 -               size += vma_dump_size(vma, mm_flags);
40258 +               size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
40259         return size;
40260  }
40261  
40262 @@ -1963,7 +2271,7 @@ static int elf_core_dump(struct coredump
40263  
40264         dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
40265  
40266 -       offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
40267 +       offset += elf_core_vma_data_size(gate_vma, cprm);
40268         offset += elf_core_extra_data_size();
40269         e_shoff = offset;
40270  
40271 @@ -1977,10 +2285,12 @@ static int elf_core_dump(struct coredump
40272         offset = dataoff;
40273  
40274         size += sizeof(*elf);
40275 +       gr_learn_resource(current, RLIMIT_CORE, size, 1);
40276         if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
40277                 goto end_coredump;
40278  
40279         size += sizeof(*phdr4note);
40280 +       gr_learn_resource(current, RLIMIT_CORE, size, 1);
40281         if (size > cprm->limit
40282             || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
40283                 goto end_coredump;
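Review bot: `gr_learn_resource(current, RLIMIT_CORE, size, 1);` is inserted before each `size > cprm->limit` check here and in the four following hunks of elf_core_dump (plus the per-page variant with `size + PAGE_SIZE`), so the learning hook records the attempted size even when the write is then refused. If that is the intent, a one-line comment at this first call, e.g. `/* learn the size we are about to need, before the limit check rejects it */`, would save the reader from verifying the ordering six times. The `size += ...; gr_learn_resource(...); if (size > cprm->limit ...` triple is also a candidate for a small static helper.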
40284 @@ -1994,7 +2304,7 @@ static int elf_core_dump(struct coredump
40285                 phdr.p_offset = offset;
40286                 phdr.p_vaddr = vma->vm_start;
40287                 phdr.p_paddr = 0;
40288 -               phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
40289 +               phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
40290                 phdr.p_memsz = vma->vm_end - vma->vm_start;
40291                 offset += phdr.p_filesz;
40292                 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
40293 @@ -2005,6 +2315,7 @@ static int elf_core_dump(struct coredump
40294                 phdr.p_align = ELF_EXEC_PAGESIZE;
40295  
40296                 size += sizeof(phdr);
40297 +               gr_learn_resource(current, RLIMIT_CORE, size, 1);
40298                 if (size > cprm->limit
40299                     || !dump_write(cprm->file, &phdr, sizeof(phdr)))
40300                         goto end_coredump;
40301 @@ -2029,7 +2340,7 @@ static int elf_core_dump(struct coredump
40302                 unsigned long addr;
40303                 unsigned long end;
40304  
40305 -               end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
40306 +               end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
40307  
40308                 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
40309                         struct page *page;
40310 @@ -2038,6 +2349,7 @@ static int elf_core_dump(struct coredump
40311                         page = get_dump_page(addr);
40312                         if (page) {
40313                                 void *kaddr = kmap(page);
40314 +                               gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
40315                                 stop = ((size += PAGE_SIZE) > cprm->limit) ||
40316                                         !dump_write(cprm->file, kaddr,
40317                                                     PAGE_SIZE);
40318 @@ -2055,6 +2367,7 @@ static int elf_core_dump(struct coredump
40319  
40320         if (e_phnum == PN_XNUM) {
40321                 size += sizeof(*shdr4extnum);
40322 +               gr_learn_resource(current, RLIMIT_CORE, size, 1);
40323                 if (size > cprm->limit
40324                     || !dump_write(cprm->file, shdr4extnum,
40325                                    sizeof(*shdr4extnum)))
40326 @@ -2075,6 +2388,97 @@ out:
40327  
40328  #endif         /* CONFIG_ELF_CORE */
40329  
40330 +#ifdef CONFIG_PAX_MPROTECT
40331 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
40332 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
40333 + * we'll remove VM_MAYWRITE for good on RELRO segments.
40334 + *
40335 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
40336 + * basis because we want to allow the common case and not the special ones.
40337 + */
40338 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
40339 +{
40340 +       struct elfhdr elf_h;
40341 +       struct elf_phdr elf_p;
40342 +       unsigned long i;
40343 +       unsigned long oldflags;
40344 +       bool is_textrel_rw, is_textrel_rx, is_relro;
40345 +
40346 +       if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
40347 +               return;
40348 +
40349 +       oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
40350 +       newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
40351 +
40352 +#ifdef CONFIG_PAX_ELFRELOCS
40353 +       /* possible TEXTREL */
40354 +       is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
40355 +       is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
40356 +#else
40357 +       is_textrel_rw = false;
40358 +       is_textrel_rx = false;
40359 +#endif
40360 +
40361 +       /* possible RELRO */
40362 +       is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
40363 +
40364 +       if (!is_textrel_rw && !is_textrel_rx && !is_relro)
40365 +               return;
40366 +
40367 +       if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
40368 +           memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
40369 +
40370 +#ifdef CONFIG_PAX_ETEXECRELOCS
40371 +           ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
40372 +#else
40373 +           ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
40374 +#endif
40375 +
40376 +           (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
40377 +           !elf_check_arch(&elf_h) ||
40378 +           elf_h.e_phentsize != sizeof(struct elf_phdr) ||
40379 +           elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
40380 +               return;
40381 +
40382 +       for (i = 0UL; i < elf_h.e_phnum; i++) {
40383 +               if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
40384 +                       return;
40385 +               switch (elf_p.p_type) {
40386 +               case PT_DYNAMIC:
40387 +                       if (!is_textrel_rw && !is_textrel_rx)
40388 +                               continue;
40389 +                       i = 0UL;
40390 +                       while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
40391 +                               elf_dyn dyn;
40392 +
40393 +                               if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
40394 +                                       return;
40395 +                               if (dyn.d_tag == DT_NULL)
40396 +                                       return;
40397 +                               if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
40398 +                                       gr_log_textrel(vma);
40399 +                                       if (is_textrel_rw)
40400 +                                               vma->vm_flags |= VM_MAYWRITE;
40401 +                                       else
40402 +                                               /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
40403 +                                               vma->vm_flags &= ~VM_MAYWRITE;
40404 +                                       return;
40405 +                               }
40406 +                               i++;
40407 +                       }
40408 +                       return;
40409 +
40410 +               case PT_GNU_RELRO:
40411 +                       if (!is_relro)
40412 +                               continue;
40413 +                       if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
40414 +                               vma->vm_flags &= ~VM_MAYWRITE;
40415 +                       return;
40416 +               }
40417 +       }
40418 +}
40419 +#endif
40420 +
40421  static int __init init_elf_binfmt(void)
40422  {
40423         return register_binfmt(&elf_format);
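Review bot: elf_handle_mprotect() modifies `vma->vm_flags` (`|= VM_MAYWRITE` and `&= ~VM_MAYWRITE`), which presumes the caller holds mmap_sem for writing, yet neither the header comment nor the prototype says so; suggest adding `Called with mmap_sem held for writing; may set or clear VM_MAYWRITE on @vma.` to the comment block, confirmed against the caller, which is not on this page. Inside `case PT_DYNAMIC:` the outer program-header index `i` is reset to 0 and reused to walk the dynamic entries; that is only correct because every path out of the case returns, and a separate `unsigned long j` would make that independence visible. The function also performs a `kernel_read` per program header and per dynamic entry under that lock, bounded by `e_phnum` and the `DT_NULL`/`p_filesz` exits, which is worth noting in the same comment.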
40424 diff -urNp linux-3.1.1/fs/binfmt_flat.c linux-3.1.1/fs/binfmt_flat.c
40425 --- linux-3.1.1/fs/binfmt_flat.c        2011-11-11 15:19:27.000000000 -0500
40426 +++ linux-3.1.1/fs/binfmt_flat.c        2011-11-16 18:39:08.000000000 -0500
40427 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
40428                                 realdatastart = (unsigned long) -ENOMEM;
40429                         printk("Unable to allocate RAM for process data, errno %d\n",
40430                                         (int)-realdatastart);
40431 +                       down_write(&current->mm->mmap_sem);
40432                         do_munmap(current->mm, textpos, text_len);
40433 +                       up_write(&current->mm->mmap_sem);
40434                         ret = realdatastart;
40435                         goto err;
40436                 }
40437 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
40438                 }
40439                 if (IS_ERR_VALUE(result)) {
40440                         printk("Unable to read data+bss, errno %d\n", (int)-result);
40441 +                       down_write(&current->mm->mmap_sem);
40442                         do_munmap(current->mm, textpos, text_len);
40443                         do_munmap(current->mm, realdatastart, len);
40444 +                       up_write(&current->mm->mmap_sem);
40445                         ret = result;
40446                         goto err;
40447                 }
40448 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
40449                 }
40450                 if (IS_ERR_VALUE(result)) {
40451                         printk("Unable to read code+data+bss, errno %d\n",(int)-result);
40452 +                       down_write(&current->mm->mmap_sem);
40453                         do_munmap(current->mm, textpos, text_len + data_len + extra +
40454                                 MAX_SHARED_LIBS * sizeof(unsigned long));
40455 +                       up_write(&current->mm->mmap_sem);
40456                         ret = result;
40457                         goto err;
40458                 }
40459 diff -urNp linux-3.1.1/fs/bio.c linux-3.1.1/fs/bio.c
40460 --- linux-3.1.1/fs/bio.c        2011-11-11 15:19:27.000000000 -0500
40461 +++ linux-3.1.1/fs/bio.c        2011-11-16 18:39:08.000000000 -0500
40462 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
40463         const int read = bio_data_dir(bio) == READ;
40464         struct bio_map_data *bmd = bio->bi_private;
40465         int i;
40466 -       char *p = bmd->sgvecs[0].iov_base;
40467 +       char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
40468  
40469         __bio_for_each_segment(bvec, bio, i, 0) {
40470                 char *addr = page_address(bvec->bv_page);
40471 diff -urNp linux-3.1.1/fs/block_dev.c linux-3.1.1/fs/block_dev.c
40472 --- linux-3.1.1/fs/block_dev.c  2011-11-11 15:19:27.000000000 -0500
40473 +++ linux-3.1.1/fs/block_dev.c  2011-11-16 18:39:08.000000000 -0500
40474 @@ -681,7 +681,7 @@ static bool bd_may_claim(struct block_de
40475         else if (bdev->bd_contains == bdev)
40476                 return true;     /* is a whole device which isn't held */
40477  
40478 -       else if (whole->bd_holder == bd_may_claim)
40479 +       else if (whole->bd_holder == (void *)bd_may_claim)
40480                 return true;     /* is a partition of a device that is being partitioned */
40481         else if (whole->bd_holder != NULL)
40482                 return false;    /* is a partition of a held device */
40483 diff -urNp linux-3.1.1/fs/btrfs/ctree.c linux-3.1.1/fs/btrfs/ctree.c
40484 --- linux-3.1.1/fs/btrfs/ctree.c        2011-11-11 15:19:27.000000000 -0500
40485 +++ linux-3.1.1/fs/btrfs/ctree.c        2011-11-16 18:39:08.000000000 -0500
40486 @@ -488,9 +488,12 @@ static noinline int __btrfs_cow_block(st
40487                 free_extent_buffer(buf);
40488                 add_root_to_dirty_list(root);
40489         } else {
40490 -               if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
40491 -                       parent_start = parent->start;
40492 -               else
40493 +               if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
40494 +                       if (parent)
40495 +                               parent_start = parent->start;
40496 +                       else
40497 +                               parent_start = 0;
40498 +               } else
40499                         parent_start = 0;
40500  
40501                 WARN_ON(trans->transid != btrfs_header_generation(parent));
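Review bot: The new NULL guard on parent is contradicted two lines below it: `WARN_ON(trans->transid != btrfs_header_generation(parent));` still reads through parent unconditionally, so a NULL parent now passes the guard only to fault in the WARN_ON. Either parent genuinely cannot be NULL on this branch and the guard is dead, or the WARN_ON needs the same treatment, e.g. `WARN_ON(parent && trans->transid != btrfs_header_generation(parent));`. Since both arms now yield 0 when parent is NULL, the whole block can also collapse to `parent_start = (parent && root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) ? parent->start : 0;`. __btrfs_cow_block() continues outside the hunk, so which case applies is not visible here.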
40502 diff -urNp linux-3.1.1/fs/btrfs/inode.c linux-3.1.1/fs/btrfs/inode.c
40503 --- linux-3.1.1/fs/btrfs/inode.c        2011-11-11 15:19:27.000000000 -0500
40504 +++ linux-3.1.1/fs/btrfs/inode.c        2011-11-16 18:40:29.000000000 -0500
40505 @@ -6922,7 +6922,7 @@ fail:
40506         return -ENOMEM;
40507  }
40508  
40509 -static int btrfs_getattr(struct vfsmount *mnt,
40510 +int btrfs_getattr(struct vfsmount *mnt,
40511                          struct dentry *dentry, struct kstat *stat)
40512  {
40513         struct inode *inode = dentry->d_inode;
40514 @@ -6934,6 +6934,14 @@ static int btrfs_getattr(struct vfsmount
40515         return 0;
40516  }
40517  
40518 +EXPORT_SYMBOL(btrfs_getattr);
40519 +
40520 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
40521 +{
40522 +       return BTRFS_I(inode)->root->anon_super.s_dev;
40523 +}
40524 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
40525 +
40526  /*
40527   * If a file is moved, it will inherit the cow and compression flags of the new
40528   * directory.
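Review bot: get_btrfs_dev_from_inode() is added and exported with no comment and, as far as the hunk shows, no header prototype; btrfs_getattr() likewise loses `static` at @@ -6922 and gains EXPORT_SYMBOL here. Both widen the symbols btrfs offers to the rest of the kernel, and a non-static definition with no declaration in a header will warn under -Wmissing-prototypes, so the declarations belong in a header outside this hunk. A one-line comment on the new function would also help the reader who finds it via the export: `/* Device number of the anonymous superblock of @inode's subvolume root; exported for callers outside fs/btrfs. */`.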
40529 diff -urNp linux-3.1.1/fs/btrfs/ioctl.c linux-3.1.1/fs/btrfs/ioctl.c
40530 --- linux-3.1.1/fs/btrfs/ioctl.c        2011-11-11 15:19:27.000000000 -0500
40531 +++ linux-3.1.1/fs/btrfs/ioctl.c        2011-11-16 18:40:29.000000000 -0500
40532 @@ -2704,9 +2704,12 @@ long btrfs_ioctl_space_info(struct btrfs
40533         for (i = 0; i < num_types; i++) {
40534                 struct btrfs_space_info *tmp;
40535  
40536 +               /* Don't copy in more than we allocated */
40537                 if (!slot_count)
40538                         break;
40539  
40540 +               slot_count--;
40541 +
40542                 info = NULL;
40543                 rcu_read_lock();
40544                 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
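Review bot: Moving slot_count-- from the inner loop to the outer one (this hunk together with the removal at @@ -2728) changes how many entries can be written to dest: slot_count now drops once per type, while the inner loop over the RAID types of that space_info still copies one entry for every non-empty block_groups[c] and no longer has a per-entry bound. If alloc_size is derived from the per-entry count capped by the caller's slot request (the counting and allocation code are outside the hunk), a small request with several raid levels under one type could write past the kmalloc'ed dest. The original per-entry decrement with the inner `if (!slot_count) break;` bounded the copy exactly; if the goal was only to make the outer-loop check meaningful, keeping the inner decrement and break alongside it is the safer form.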
40545 @@ -2728,15 +2731,12 @@ long btrfs_ioctl_space_info(struct btrfs
40546                                 memcpy(dest, &space, sizeof(space));
40547                                 dest++;
40548                                 space_args.total_spaces++;
40549 -                               slot_count--;
40550                         }
40551 -                       if (!slot_count)
40552 -                               break;
40553                 }
40554                 up_read(&info->groups_sem);
40555         }
40556  
40557 -       user_dest = (struct btrfs_ioctl_space_info *)
40558 +       user_dest = (struct btrfs_ioctl_space_info __user *)
40559                 (arg + sizeof(struct btrfs_ioctl_space_args));
40560  
40561         if (copy_to_user(user_dest, dest_orig, alloc_size))
40562 diff -urNp linux-3.1.1/fs/btrfs/relocation.c linux-3.1.1/fs/btrfs/relocation.c
40563 --- linux-3.1.1/fs/btrfs/relocation.c   2011-11-11 15:19:27.000000000 -0500
40564 +++ linux-3.1.1/fs/btrfs/relocation.c   2011-11-16 18:39:08.000000000 -0500
40565 @@ -1242,7 +1242,7 @@ static int __update_reloc_root(struct bt
40566         }
40567         spin_unlock(&rc->reloc_root_tree.lock);
40568  
40569 -       BUG_ON((struct btrfs_root *)node->data != root);
40570 +       BUG_ON(!node || (struct btrfs_root *)node->data != root);
40571  
40572         if (!del) {
40573                 spin_lock(&rc->reloc_root_tree.lock);
40574 diff -urNp linux-3.1.1/fs/cachefiles/bind.c linux-3.1.1/fs/cachefiles/bind.c
40575 --- linux-3.1.1/fs/cachefiles/bind.c    2011-11-11 15:19:27.000000000 -0500
40576 +++ linux-3.1.1/fs/cachefiles/bind.c    2011-11-16 18:39:08.000000000 -0500
40577 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
40578                args);
40579  
40580         /* start by checking things over */
40581 -       ASSERT(cache->fstop_percent >= 0 &&
40582 -              cache->fstop_percent < cache->fcull_percent &&
40583 +       ASSERT(cache->fstop_percent < cache->fcull_percent &&
40584                cache->fcull_percent < cache->frun_percent &&
40585                cache->frun_percent  < 100);
40586  
40587 -       ASSERT(cache->bstop_percent >= 0 &&
40588 -              cache->bstop_percent < cache->bcull_percent &&
40589 +       ASSERT(cache->bstop_percent < cache->bcull_percent &&
40590                cache->bcull_percent < cache->brun_percent &&
40591                cache->brun_percent  < 100);
40592  
40593 diff -urNp linux-3.1.1/fs/cachefiles/daemon.c linux-3.1.1/fs/cachefiles/daemon.c
40594 --- linux-3.1.1/fs/cachefiles/daemon.c  2011-11-11 15:19:27.000000000 -0500
40595 +++ linux-3.1.1/fs/cachefiles/daemon.c  2011-11-16 18:39:08.000000000 -0500
40596 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
40597         if (n > buflen)
40598                 return -EMSGSIZE;
40599  
40600 -       if (copy_to_user(_buffer, buffer, n) != 0)
40601 +       if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
40602                 return -EFAULT;
40603  
40604         return n;
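Review bot: The added `n > sizeof(buffer)` guard reports a kernel-side truncation as -EFAULT, the code that means "bad user pointer". If n is the return of a snprintf() into buffer (its declaration and the formatting are outside the hunk), n exceeding sizeof(buffer) means the status line did not fit, which is the same class of problem as the `n > buflen` check two lines above and deserves its own errno: `if (n > sizeof(buffer)) return -EMSGSIZE;` as a separate statement keeps the copy_to_user() condition unchanged and the error distinguishable.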
40605 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
40606         if (test_bit(CACHEFILES_DEAD, &cache->flags))
40607                 return -EIO;
40608  
40609 -       if (datalen < 0 || datalen > PAGE_SIZE - 1)
40610 +       if (datalen > PAGE_SIZE - 1)
40611                 return -EOPNOTSUPP;
40612  
40613         /* drag the command string into the kernel so we can parse it */
40614 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
40615         if (args[0] != '%' || args[1] != '\0')
40616                 return -EINVAL;
40617  
40618 -       if (fstop < 0 || fstop >= cache->fcull_percent)
40619 +       if (fstop >= cache->fcull_percent)
40620                 return cachefiles_daemon_range_error(cache, args);
40621  
40622         cache->fstop_percent = fstop;
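Review bot: Dropping `fstop < 0` here (and `bstop < 0` at @@ -458, `datalen < 0` at @@ -222) is only a no-op if those variables are unsigned, and all three declarations are outside the hunks; the cachefiles_cache fields they feed are `unsigned` per the internal.h hunk, but fstop and bstop are parsed locals. If they are unsigned the removed comparisons were always false and the change is a pure warning fix; if any is signed, a negative value now reaches `cache->fstop_percent = fstop;` unchecked, and the `>= 0` arms of the ASSERTs in cachefiles_daemon_bind that would have caught it are removed by the same patch. Worth confirming the local types rather than relying on the two changes being consistent.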
40623 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
40624         if (args[0] != '%' || args[1] != '\0')
40625                 return -EINVAL;
40626  
40627 -       if (bstop < 0 || bstop >= cache->bcull_percent)
40628 +       if (bstop >= cache->bcull_percent)
40629                 return cachefiles_daemon_range_error(cache, args);
40630  
40631         cache->bstop_percent = bstop;
40632 diff -urNp linux-3.1.1/fs/cachefiles/internal.h linux-3.1.1/fs/cachefiles/internal.h
40633 --- linux-3.1.1/fs/cachefiles/internal.h        2011-11-11 15:19:27.000000000 -0500
40634 +++ linux-3.1.1/fs/cachefiles/internal.h        2011-11-16 18:39:08.000000000 -0500
40635 @@ -57,7 +57,7 @@ struct cachefiles_cache {
40636         wait_queue_head_t               daemon_pollwq;  /* poll waitqueue for daemon */
40637         struct rb_root                  active_nodes;   /* active nodes (can't be culled) */
40638         rwlock_t                        active_lock;    /* lock for active_nodes */
40639 -       atomic_t                        gravecounter;   /* graveyard uniquifier */
40640 +       atomic_unchecked_t              gravecounter;   /* graveyard uniquifier */
40641         unsigned                        frun_percent;   /* when to stop culling (% files) */
40642         unsigned                        fcull_percent;  /* when to start culling (% files) */
40643         unsigned                        fstop_percent;  /* when to stop allocating (% files) */
40644 @@ -169,19 +169,19 @@ extern int cachefiles_check_in_use(struc
40645   * proc.c
40646   */
40647  #ifdef CONFIG_CACHEFILES_HISTOGRAM
40648 -extern atomic_t cachefiles_lookup_histogram[HZ];
40649 -extern atomic_t cachefiles_mkdir_histogram[HZ];
40650 -extern atomic_t cachefiles_create_histogram[HZ];
40651 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
40652 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
40653 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
40654  
40655  extern int __init cachefiles_proc_init(void);
40656  extern void cachefiles_proc_cleanup(void);
40657  static inline
40658 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
40659 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
40660  {
40661         unsigned long jif = jiffies - start_jif;
40662         if (jif >= HZ)
40663                 jif = HZ - 1;
40664 -       atomic_inc(&histogram[jif]);
40665 +       atomic_inc_unchecked(&histogram[jif]);
40666  }
40667  
40668  #else
40669 diff -urNp linux-3.1.1/fs/cachefiles/namei.c linux-3.1.1/fs/cachefiles/namei.c
40670 --- linux-3.1.1/fs/cachefiles/namei.c   2011-11-11 15:19:27.000000000 -0500
40671 +++ linux-3.1.1/fs/cachefiles/namei.c   2011-11-16 18:39:08.000000000 -0500
40672 @@ -318,7 +318,7 @@ try_again:
40673         /* first step is to make up a grave dentry in the graveyard */
40674         sprintf(nbuffer, "%08x%08x",
40675                 (uint32_t) get_seconds(),
40676 -               (uint32_t) atomic_inc_return(&cache->gravecounter));
40677 +               (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
40678  
40679         /* do the multiway lock magic */
40680         trap = lock_rename(cache->graveyard, dir);
40681 diff -urNp linux-3.1.1/fs/cachefiles/proc.c linux-3.1.1/fs/cachefiles/proc.c
40682 --- linux-3.1.1/fs/cachefiles/proc.c    2011-11-11 15:19:27.000000000 -0500
40683 +++ linux-3.1.1/fs/cachefiles/proc.c    2011-11-16 18:39:08.000000000 -0500
40684 @@ -14,9 +14,9 @@
40685  #include <linux/seq_file.h>
40686  #include "internal.h"
40687  
40688 -atomic_t cachefiles_lookup_histogram[HZ];
40689 -atomic_t cachefiles_mkdir_histogram[HZ];
40690 -atomic_t cachefiles_create_histogram[HZ];
40691 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
40692 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
40693 +atomic_unchecked_t cachefiles_create_histogram[HZ];
40694  
40695  /*
40696   * display the latency histogram
40697 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
40698                 return 0;
40699         default:
40700                 index = (unsigned long) v - 3;
40701 -               x = atomic_read(&cachefiles_lookup_histogram[index]);
40702 -               y = atomic_read(&cachefiles_mkdir_histogram[index]);
40703 -               z = atomic_read(&cachefiles_create_histogram[index]);
40704 +               x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
40705 +               y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
40706 +               z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
40707                 if (x == 0 && y == 0 && z == 0)
40708                         return 0;
40709  
40710 diff -urNp linux-3.1.1/fs/cachefiles/rdwr.c linux-3.1.1/fs/cachefiles/rdwr.c
40711 --- linux-3.1.1/fs/cachefiles/rdwr.c    2011-11-11 15:19:27.000000000 -0500
40712 +++ linux-3.1.1/fs/cachefiles/rdwr.c    2011-11-16 18:39:08.000000000 -0500
40713 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
40714                         old_fs = get_fs();
40715                         set_fs(KERNEL_DS);
40716                         ret = file->f_op->write(
40717 -                               file, (const void __user *) data, len, &pos);
40718 +                               file, (const void __force_user *) data, len, &pos);
40719                         set_fs(old_fs);
40720                         kunmap(page);
40721                         if (ret != len)
40722 diff -urNp linux-3.1.1/fs/ceph/dir.c linux-3.1.1/fs/ceph/dir.c
40723 --- linux-3.1.1/fs/ceph/dir.c   2011-11-11 15:19:27.000000000 -0500
40724 +++ linux-3.1.1/fs/ceph/dir.c   2011-11-16 18:39:08.000000000 -0500
40725 @@ -244,7 +244,7 @@ static int ceph_readdir(struct file *fil
40726         struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
40727         struct ceph_mds_client *mdsc = fsc->mdsc;
40728         unsigned frag = fpos_frag(filp->f_pos);
40729 -       int off = fpos_off(filp->f_pos);
40730 +       unsigned int off = fpos_off(filp->f_pos);
40731         int err;
40732         u32 ftype;
40733         struct ceph_mds_reply_info_parsed *rinfo;
40734 diff -urNp linux-3.1.1/fs/cifs/cifs_debug.c linux-3.1.1/fs/cifs/cifs_debug.c
40735 --- linux-3.1.1/fs/cifs/cifs_debug.c    2011-11-11 15:19:27.000000000 -0500
40736 +++ linux-3.1.1/fs/cifs/cifs_debug.c    2011-11-16 18:39:08.000000000 -0500
40737 @@ -265,8 +265,8 @@ static ssize_t cifs_stats_proc_write(str
40738  
40739         if (c == '1' || c == 'y' || c == 'Y' || c == '0') {
40740  #ifdef CONFIG_CIFS_STATS2
40741 -               atomic_set(&totBufAllocCount, 0);
40742 -               atomic_set(&totSmBufAllocCount, 0);
40743 +               atomic_set_unchecked(&totBufAllocCount, 0);
40744 +               atomic_set_unchecked(&totSmBufAllocCount, 0);
40745  #endif /* CONFIG_CIFS_STATS2 */
40746                 spin_lock(&cifs_tcp_ses_lock);
40747                 list_for_each(tmp1, &cifs_tcp_ses_list) {
40748 @@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
40749                                         tcon = list_entry(tmp3,
40750                                                           struct cifs_tcon,
40751                                                           tcon_list);
40752 -                                       atomic_set(&tcon->num_smbs_sent, 0);
40753 -                                       atomic_set(&tcon->num_writes, 0);
40754 -                                       atomic_set(&tcon->num_reads, 0);
40755 -                                       atomic_set(&tcon->num_oplock_brks, 0);
40756 -                                       atomic_set(&tcon->num_opens, 0);
40757 -                                       atomic_set(&tcon->num_posixopens, 0);
40758 -                                       atomic_set(&tcon->num_posixmkdirs, 0);
40759 -                                       atomic_set(&tcon->num_closes, 0);
40760 -                                       atomic_set(&tcon->num_deletes, 0);
40761 -                                       atomic_set(&tcon->num_mkdirs, 0);
40762 -                                       atomic_set(&tcon->num_rmdirs, 0);
40763 -                                       atomic_set(&tcon->num_renames, 0);
40764 -                                       atomic_set(&tcon->num_t2renames, 0);
40765 -                                       atomic_set(&tcon->num_ffirst, 0);
40766 -                                       atomic_set(&tcon->num_fnext, 0);
40767 -                                       atomic_set(&tcon->num_fclose, 0);
40768 -                                       atomic_set(&tcon->num_hardlinks, 0);
40769 -                                       atomic_set(&tcon->num_symlinks, 0);
40770 -                                       atomic_set(&tcon->num_locks, 0);
40771 +                                       atomic_set_unchecked(&tcon->num_smbs_sent, 0);
40772 +                                       atomic_set_unchecked(&tcon->num_writes, 0);
40773 +                                       atomic_set_unchecked(&tcon->num_reads, 0);
40774 +                                       atomic_set_unchecked(&tcon->num_oplock_brks, 0);
40775 +                                       atomic_set_unchecked(&tcon->num_opens, 0);
40776 +                                       atomic_set_unchecked(&tcon->num_posixopens, 0);
40777 +                                       atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
40778 +                                       atomic_set_unchecked(&tcon->num_closes, 0);
40779 +                                       atomic_set_unchecked(&tcon->num_deletes, 0);
40780 +                                       atomic_set_unchecked(&tcon->num_mkdirs, 0);
40781 +                                       atomic_set_unchecked(&tcon->num_rmdirs, 0);
40782 +                                       atomic_set_unchecked(&tcon->num_renames, 0);
40783 +                                       atomic_set_unchecked(&tcon->num_t2renames, 0);
40784 +                                       atomic_set_unchecked(&tcon->num_ffirst, 0);
40785 +                                       atomic_set_unchecked(&tcon->num_fnext, 0);
40786 +                                       atomic_set_unchecked(&tcon->num_fclose, 0);
40787 +                                       atomic_set_unchecked(&tcon->num_hardlinks, 0);
40788 +                                       atomic_set_unchecked(&tcon->num_symlinks, 0);
40789 +                                       atomic_set_unchecked(&tcon->num_locks, 0);
40790                                 }
40791                         }
40792                 }
40793 @@ -327,8 +327,8 @@ static int cifs_stats_proc_show(struct s
40794                         smBufAllocCount.counter, cifs_min_small);
40795  #ifdef CONFIG_CIFS_STATS2
40796         seq_printf(m, "Total Large %d Small %d Allocations\n",
40797 -                               atomic_read(&totBufAllocCount),
40798 -                               atomic_read(&totSmBufAllocCount));
40799 +                               atomic_read_unchecked(&totBufAllocCount),
40800 +                               atomic_read_unchecked(&totSmBufAllocCount));
40801  #endif /* CONFIG_CIFS_STATS2 */
40802  
40803         seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
40804 @@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
40805                                 if (tcon->need_reconnect)
40806                                         seq_puts(m, "\tDISCONNECTED ");
40807                                 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
40808 -                                       atomic_read(&tcon->num_smbs_sent),
40809 -                                       atomic_read(&tcon->num_oplock_brks));
40810 +                                       atomic_read_unchecked(&tcon->num_smbs_sent),
40811 +                                       atomic_read_unchecked(&tcon->num_oplock_brks));
40812                                 seq_printf(m, "\nReads:  %d Bytes: %lld",
40813 -                                       atomic_read(&tcon->num_reads),
40814 +                                       atomic_read_unchecked(&tcon->num_reads),
40815                                         (long long)(tcon->bytes_read));
40816                                 seq_printf(m, "\nWrites: %d Bytes: %lld",
40817 -                                       atomic_read(&tcon->num_writes),
40818 +                                       atomic_read_unchecked(&tcon->num_writes),
40819                                         (long long)(tcon->bytes_written));
40820                                 seq_printf(m, "\nFlushes: %d",
40821 -                                       atomic_read(&tcon->num_flushes));
40822 +                                       atomic_read_unchecked(&tcon->num_flushes));
40823                                 seq_printf(m, "\nLocks: %d HardLinks: %d "
40824                                               "Symlinks: %d",
40825 -                                       atomic_read(&tcon->num_locks),
40826 -                                       atomic_read(&tcon->num_hardlinks),
40827 -                                       atomic_read(&tcon->num_symlinks));
40828 +                                       atomic_read_unchecked(&tcon->num_locks),
40829 +                                       atomic_read_unchecked(&tcon->num_hardlinks),
40830 +                                       atomic_read_unchecked(&tcon->num_symlinks));
40831                                 seq_printf(m, "\nOpens: %d Closes: %d "
40832                                               "Deletes: %d",
40833 -                                       atomic_read(&tcon->num_opens),
40834 -                                       atomic_read(&tcon->num_closes),
40835 -                                       atomic_read(&tcon->num_deletes));
40836 +                                       atomic_read_unchecked(&tcon->num_opens),
40837 +                                       atomic_read_unchecked(&tcon->num_closes),
40838 +                                       atomic_read_unchecked(&tcon->num_deletes));
40839                                 seq_printf(m, "\nPosix Opens: %d "
40840                                               "Posix Mkdirs: %d",
40841 -                                       atomic_read(&tcon->num_posixopens),
40842 -                                       atomic_read(&tcon->num_posixmkdirs));
40843 +                                       atomic_read_unchecked(&tcon->num_posixopens),
40844 +                                       atomic_read_unchecked(&tcon->num_posixmkdirs));
40845                                 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
40846 -                                       atomic_read(&tcon->num_mkdirs),
40847 -                                       atomic_read(&tcon->num_rmdirs));
40848 +                                       atomic_read_unchecked(&tcon->num_mkdirs),
40849 +                                       atomic_read_unchecked(&tcon->num_rmdirs));
40850                                 seq_printf(m, "\nRenames: %d T2 Renames %d",
40851 -                                       atomic_read(&tcon->num_renames),
40852 -                                       atomic_read(&tcon->num_t2renames));
40853 +                                       atomic_read_unchecked(&tcon->num_renames),
40854 +                                       atomic_read_unchecked(&tcon->num_t2renames));
40855                                 seq_printf(m, "\nFindFirst: %d FNext %d "
40856                                               "FClose %d",
40857 -                                       atomic_read(&tcon->num_ffirst),
40858 -                                       atomic_read(&tcon->num_fnext),
40859 -                                       atomic_read(&tcon->num_fclose));
40860 +                                       atomic_read_unchecked(&tcon->num_ffirst),
40861 +                                       atomic_read_unchecked(&tcon->num_fnext),
40862 +                                       atomic_read_unchecked(&tcon->num_fclose));
40863                         }
40864                 }
40865         }
40866 diff -urNp linux-3.1.1/fs/cifs/cifsfs.c linux-3.1.1/fs/cifs/cifsfs.c
40867 --- linux-3.1.1/fs/cifs/cifsfs.c        2011-11-11 15:19:27.000000000 -0500
40868 +++ linux-3.1.1/fs/cifs/cifsfs.c        2011-11-16 18:39:08.000000000 -0500
40869 @@ -981,7 +981,7 @@ cifs_init_request_bufs(void)
40870         cifs_req_cachep = kmem_cache_create("cifs_request",
40871                                             CIFSMaxBufSize +
40872                                             MAX_CIFS_HDR_SIZE, 0,
40873 -                                           SLAB_HWCACHE_ALIGN, NULL);
40874 +                                           SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
40875         if (cifs_req_cachep == NULL)
40876                 return -ENOMEM;
40877  
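Review bot: SLAB_USERCOPY is added to the cifs_request cache (and to cifs_small_rq at @@ -1008) without a comment on why these two caches need it. The flag whitelists a slab cache for copy_to_user()/copy_from_user() of its objects under PAX_USERCOPY, so each use is a deliberate relaxation of the heap-copy check and should state its justification at the call site; if the reason is that SMB buffers are copied straight to and from userspace, a line such as `/* request buffers are copied directly to/from userspace; whitelist for PAX_USERCOPY */` above the kmem_cache_create() would record it.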
40878 @@ -1008,7 +1008,7 @@ cifs_init_request_bufs(void)
40879         efficient to alloc 1 per page off the slab compared to 17K (5page)
40880         alloc of large cifs buffers even when page debugging is on */
40881         cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
40882 -                       MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
40883 +                       MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
40884                         NULL);
40885         if (cifs_sm_req_cachep == NULL) {
40886                 mempool_destroy(cifs_req_poolp);
40887 @@ -1093,8 +1093,8 @@ init_cifs(void)
40888         atomic_set(&bufAllocCount, 0);
40889         atomic_set(&smBufAllocCount, 0);
40890  #ifdef CONFIG_CIFS_STATS2
40891 -       atomic_set(&totBufAllocCount, 0);
40892 -       atomic_set(&totSmBufAllocCount, 0);
40893 +       atomic_set_unchecked(&totBufAllocCount, 0);
40894 +       atomic_set_unchecked(&totSmBufAllocCount, 0);
40895  #endif /* CONFIG_CIFS_STATS2 */
40896  
40897         atomic_set(&midCount, 0);
40898 diff -urNp linux-3.1.1/fs/cifs/cifsglob.h linux-3.1.1/fs/cifs/cifsglob.h
40899 --- linux-3.1.1/fs/cifs/cifsglob.h      2011-11-11 15:19:27.000000000 -0500
40900 +++ linux-3.1.1/fs/cifs/cifsglob.h      2011-11-16 18:39:08.000000000 -0500
40901 @@ -381,28 +381,28 @@ struct cifs_tcon {
40902         __u16 Flags;            /* optional support bits */
40903         enum statusEnum tidStatus;
40904  #ifdef CONFIG_CIFS_STATS
40905 -       atomic_t num_smbs_sent;
40906 -       atomic_t num_writes;
40907 -       atomic_t num_reads;
40908 -       atomic_t num_flushes;
40909 -       atomic_t num_oplock_brks;
40910 -       atomic_t num_opens;
40911 -       atomic_t num_closes;
40912 -       atomic_t num_deletes;
40913 -       atomic_t num_mkdirs;
40914 -       atomic_t num_posixopens;
40915 -       atomic_t num_posixmkdirs;
40916 -       atomic_t num_rmdirs;
40917 -       atomic_t num_renames;
40918 -       atomic_t num_t2renames;
40919 -       atomic_t num_ffirst;
40920 -       atomic_t num_fnext;
40921 -       atomic_t num_fclose;
40922 -       atomic_t num_hardlinks;
40923 -       atomic_t num_symlinks;
40924 -       atomic_t num_locks;
40925 -       atomic_t num_acl_get;
40926 -       atomic_t num_acl_set;
40927 +       atomic_unchecked_t num_smbs_sent;
40928 +       atomic_unchecked_t num_writes;
40929 +       atomic_unchecked_t num_reads;
40930 +       atomic_unchecked_t num_flushes;
40931 +       atomic_unchecked_t num_oplock_brks;
40932 +       atomic_unchecked_t num_opens;
40933 +       atomic_unchecked_t num_closes;
40934 +       atomic_unchecked_t num_deletes;
40935 +       atomic_unchecked_t num_mkdirs;
40936 +       atomic_unchecked_t num_posixopens;
40937 +       atomic_unchecked_t num_posixmkdirs;
40938 +       atomic_unchecked_t num_rmdirs;
40939 +       atomic_unchecked_t num_renames;
40940 +       atomic_unchecked_t num_t2renames;
40941 +       atomic_unchecked_t num_ffirst;
40942 +       atomic_unchecked_t num_fnext;
40943 +       atomic_unchecked_t num_fclose;
40944 +       atomic_unchecked_t num_hardlinks;
40945 +       atomic_unchecked_t num_symlinks;
40946 +       atomic_unchecked_t num_locks;
40947 +       atomic_unchecked_t num_acl_get;
40948 +       atomic_unchecked_t num_acl_set;
40949  #ifdef CONFIG_CIFS_STATS2
40950         unsigned long long time_writes;
40951         unsigned long long time_reads;
40952 @@ -613,7 +613,7 @@ convert_delimiter(char *path, char delim
40953  }
40954  
40955  #ifdef CONFIG_CIFS_STATS
40956 -#define cifs_stats_inc atomic_inc
40957 +#define cifs_stats_inc atomic_inc_unchecked
40958  
40959  static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
40960                                             unsigned int bytes)
40961 @@ -953,8 +953,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
40962  /* Various Debug counters */
40963  GLOBAL_EXTERN atomic_t bufAllocCount;    /* current number allocated  */
40964  #ifdef CONFIG_CIFS_STATS2
40965 -GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
40966 -GLOBAL_EXTERN atomic_t totSmBufAllocCount;
40967 +GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
40968 +GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
40969  #endif
40970  GLOBAL_EXTERN atomic_t smBufAllocCount;
40971  GLOBAL_EXTERN atomic_t midCount;
40972 diff -urNp linux-3.1.1/fs/cifs/link.c linux-3.1.1/fs/cifs/link.c
40973 --- linux-3.1.1/fs/cifs/link.c  2011-11-11 15:19:27.000000000 -0500
40974 +++ linux-3.1.1/fs/cifs/link.c  2011-11-16 18:39:08.000000000 -0500
40975 @@ -593,7 +593,7 @@ symlink_exit:
40976  
40977  void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
40978  {
40979 -       char *p = nd_get_link(nd);
40980 +       const char *p = nd_get_link(nd);
40981         if (!IS_ERR(p))
40982                 kfree(p);
40983  }
40984 diff -urNp linux-3.1.1/fs/cifs/misc.c linux-3.1.1/fs/cifs/misc.c
40985 --- linux-3.1.1/fs/cifs/misc.c  2011-11-11 15:19:27.000000000 -0500
40986 +++ linux-3.1.1/fs/cifs/misc.c  2011-11-16 18:39:08.000000000 -0500
40987 @@ -156,7 +156,7 @@ cifs_buf_get(void)
40988                 memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
40989                 atomic_inc(&bufAllocCount);
40990  #ifdef CONFIG_CIFS_STATS2
40991 -               atomic_inc(&totBufAllocCount);
40992 +               atomic_inc_unchecked(&totBufAllocCount);
40993  #endif /* CONFIG_CIFS_STATS2 */
40994         }
40995  
40996 @@ -191,7 +191,7 @@ cifs_small_buf_get(void)
40997         /*      memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
40998                 atomic_inc(&smBufAllocCount);
40999  #ifdef CONFIG_CIFS_STATS2
41000 -               atomic_inc(&totSmBufAllocCount);
41001 +               atomic_inc_unchecked(&totSmBufAllocCount);
41002  #endif /* CONFIG_CIFS_STATS2 */
41003  
41004         }
41005 diff -urNp linux-3.1.1/fs/coda/cache.c linux-3.1.1/fs/coda/cache.c
41006 --- linux-3.1.1/fs/coda/cache.c 2011-11-11 15:19:27.000000000 -0500
41007 +++ linux-3.1.1/fs/coda/cache.c 2011-11-16 18:39:08.000000000 -0500
41008 @@ -24,7 +24,7 @@
41009  #include "coda_linux.h"
41010  #include "coda_cache.h"
41011  
41012 -static atomic_t permission_epoch = ATOMIC_INIT(0);
41013 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
41014  
41015  /* replace or extend an acl cache hit */
41016  void coda_cache_enter(struct inode *inode, int mask)
41017 @@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inod
41018         struct coda_inode_info *cii = ITOC(inode);
41019  
41020         spin_lock(&cii->c_lock);
41021 -       cii->c_cached_epoch = atomic_read(&permission_epoch);
41022 +       cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
41023         if (cii->c_uid != current_fsuid()) {
41024                 cii->c_uid = current_fsuid();
41025                  cii->c_cached_perm = mask;
41026 @@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode
41027  {
41028         struct coda_inode_info *cii = ITOC(inode);
41029         spin_lock(&cii->c_lock);
41030 -       cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
41031 +       cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
41032         spin_unlock(&cii->c_lock);
41033  }
41034  
41035  /* remove all acl caches */
41036  void coda_cache_clear_all(struct super_block *sb)
41037  {
41038 -       atomic_inc(&permission_epoch);
41039 +       atomic_inc_unchecked(&permission_epoch);
41040  }
41041  
41042  
41043 @@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode
41044         spin_lock(&cii->c_lock);
41045         hit = (mask & cii->c_cached_perm) == mask &&
41046             cii->c_uid == current_fsuid() &&
41047 -           cii->c_cached_epoch == atomic_read(&permission_epoch);
41048 +           cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
41049         spin_unlock(&cii->c_lock);
41050  
41051         return hit;
41052 diff -urNp linux-3.1.1/fs/compat_binfmt_elf.c linux-3.1.1/fs/compat_binfmt_elf.c
41053 --- linux-3.1.1/fs/compat_binfmt_elf.c  2011-11-11 15:19:27.000000000 -0500
41054 +++ linux-3.1.1/fs/compat_binfmt_elf.c  2011-11-16 18:39:08.000000000 -0500
41055 @@ -30,11 +30,13 @@
41056  #undef elf_phdr
41057  #undef elf_shdr
41058  #undef elf_note
41059 +#undef elf_dyn
41060  #undef elf_addr_t
41061  #define elfhdr         elf32_hdr
41062  #define elf_phdr       elf32_phdr
41063  #define elf_shdr       elf32_shdr
41064  #define elf_note       elf32_note
41065 +#define elf_dyn                Elf32_Dyn
41066  #define elf_addr_t     Elf32_Addr
41067  
41068  /*
41069 diff -urNp linux-3.1.1/fs/compat.c linux-3.1.1/fs/compat.c
41070 --- linux-3.1.1/fs/compat.c     2011-11-11 15:19:27.000000000 -0500
41071 +++ linux-3.1.1/fs/compat.c     2011-11-16 18:40:29.000000000 -0500
41072 @@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(const 
41073  static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
41074  {
41075         compat_ino_t ino = stat->ino;
41076 -       typeof(ubuf->st_uid) uid = 0;
41077 -       typeof(ubuf->st_gid) gid = 0;
41078 +       typeof(((struct compat_stat *)0)->st_uid) uid = 0;
41079 +       typeof(((struct compat_stat *)0)->st_gid) gid = 0;
41080         int err;
41081  
41082         SET_UID(uid, stat->uid);
41083 @@ -508,7 +508,7 @@ compat_sys_io_setup(unsigned nr_reqs, u3
41084  
41085         set_fs(KERNEL_DS);
41086         /* The __user pointer cast is valid because of the set_fs() */
41087 -       ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
41088 +       ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
41089         set_fs(oldfs);
41090         /* truncating is ok because it's a user address */
41091         if (!ret)
41092 @@ -566,7 +566,7 @@ ssize_t compat_rw_copy_check_uvector(int
41093                 goto out;
41094  
41095         ret = -EINVAL;
41096 -       if (nr_segs > UIO_MAXIOV || nr_segs < 0)
41097 +       if (nr_segs > UIO_MAXIOV)
41098                 goto out;
41099         if (nr_segs > fast_segs) {
41100                 ret = -ENOMEM;
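Review bot: Dropping `nr_segs < 0` is only a no-op if `nr_segs` is unsigned, and the parameter declaration is outside this hunk, so confirm it is `unsigned long` as in the native rw_copy_check_uvector before relying on the single upper bound. If it is, the remaining `nr_segs > UIO_MAXIOV` test is the complete check and the allocation sized from `nr_segs` below stays bounded; a one-line comment such as `/* nr_segs is unsigned, so the UIO_MAXIOV bound alone is complete */` keeps the next reader from re-adding the dead compare. The enclosing function starts and ends outside the hunk.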
41101 @@ -848,6 +848,7 @@ struct compat_old_linux_dirent {
41102  
41103  struct compat_readdir_callback {
41104         struct compat_old_linux_dirent __user *dirent;
41105 +       struct file * file;
41106         int result;
41107  };
41108  
41109 @@ -865,6 +866,10 @@ static int compat_fillonedir(void *__buf
41110                 buf->result = -EOVERFLOW;
41111                 return -EOVERFLOW;
41112         }
41113 +
41114 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
41115 +               return 0;
41116 +
41117         buf->result++;
41118         dirent = buf->dirent;
41119         if (!access_ok(VERIFY_WRITE, dirent,
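Review bot: The `gr_acl_handle_filldir()` gate is placed after the EOVERFLOW test, so an entry the ACL intends to hide can still make the call fail with -EOVERFLOW when its inode number does not fit in the compat `d_ino`, which reveals that a hidden entry exists at that position. Moving the three added lines above the `sizeof(d_ino) < sizeof(ino) && d_ino != ino` check makes a hidden entry behave exactly like one that is not there. The body of compat_fillonedir starts outside the hunk.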
41120 @@ -897,6 +902,7 @@ asmlinkage long compat_sys_old_readdir(u
41121  
41122         buf.result = 0;
41123         buf.dirent = dirent;
41124 +       buf.file = file;
41125  
41126         error = vfs_readdir(file, compat_fillonedir, &buf);
41127         if (buf.result)
41128 @@ -917,6 +923,7 @@ struct compat_linux_dirent {
41129  struct compat_getdents_callback {
41130         struct compat_linux_dirent __user *current_dir;
41131         struct compat_linux_dirent __user *previous;
41132 +       struct file * file;
41133         int count;
41134         int error;
41135  };
41136 @@ -938,6 +945,10 @@ static int compat_filldir(void *__buf, c
41137                 buf->error = -EOVERFLOW;
41138                 return -EOVERFLOW;
41139         }
41140 +
41141 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
41142 +               return 0;
41143 +
41144         dirent = buf->previous;
41145         if (dirent) {
41146                 if (__put_user(offset, &dirent->d_off))
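Review bot: As in compat_fillonedir, the ACL gate sits after the EOVERFLOW check, so a hidden entry whose 64-bit inode number does not fit the compat `d_ino` still terminates the getdents call with -EOVERFLOW and thereby discloses its existence. Place the `if (!gr_acl_handle_filldir(...)) return 0;` lines before the `d_ino != ino` test so a denied entry is skipped before any of its attributes can influence the result. compat_filldir's prologue is outside the hunk.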
41147 @@ -985,6 +996,7 @@ asmlinkage long compat_sys_getdents(unsi
41148         buf.previous = NULL;
41149         buf.count = count;
41150         buf.error = 0;
41151 +       buf.file = file;
41152  
41153         error = vfs_readdir(file, compat_filldir, &buf);
41154         if (error >= 0)
41155 @@ -1006,6 +1018,7 @@ out:
41156  struct compat_getdents_callback64 {
41157         struct linux_dirent64 __user *current_dir;
41158         struct linux_dirent64 __user *previous;
41159 +       struct file * file;
41160         int count;
41161         int error;
41162  };
41163 @@ -1022,6 +1035,10 @@ static int compat_filldir64(void * __buf
41164         buf->error = -EINVAL;   /* only used if we fail.. */
41165         if (reclen > buf->count)
41166                 return -EINVAL;
41167 +
41168 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
41169 +               return 0;
41170 +
41171         dirent = buf->previous;
41172  
41173         if (dirent) {
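Review bot: The ACL gate is placed after `reclen > buf->count`, so a hidden entry whose record does not fit the remaining buffer stops the getdents64 iteration with -EINVAL instead of being skipped, which is a small observable difference from a directory that does not contain it, and it is the opposite order from the one used for entries that do fit. Checking `gr_acl_handle_filldir()` first keeps hidden entries invisible regardless of the caller's buffer size, and this is presumably the intent of returning 0 rather than an error. compat_filldir64's prologue, including the reclen computation, is outside the hunk.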
41174 @@ -1073,13 +1090,14 @@ asmlinkage long compat_sys_getdents64(un
41175         buf.previous = NULL;
41176         buf.count = count;
41177         buf.error = 0;
41178 +       buf.file = file;
41179  
41180         error = vfs_readdir(file, compat_filldir64, &buf);
41181         if (error >= 0)
41182                 error = buf.error;
41183         lastdirent = buf.previous;
41184         if (lastdirent) {
41185 -               typeof(lastdirent->d_off) d_off = file->f_pos;
41186 +               typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
41187                 if (__put_user_unaligned(d_off, &lastdirent->d_off))
41188                         error = -EFAULT;
41189                 else
41190 @@ -1446,6 +1464,8 @@ int compat_core_sys_select(int n, compat
41191         struct fdtable *fdt;
41192         long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
41193  
41194 +       pax_track_stack();
41195 +
41196         if (n < 0)
41197                 goto out_nofds;
41198  
41199 diff -urNp linux-3.1.1/fs/compat_ioctl.c linux-3.1.1/fs/compat_ioctl.c
41200 --- linux-3.1.1/fs/compat_ioctl.c       2011-11-11 15:19:27.000000000 -0500
41201 +++ linux-3.1.1/fs/compat_ioctl.c       2011-11-16 18:39:08.000000000 -0500
41202 @@ -210,6 +210,8 @@ static int do_video_set_spu_palette(unsi
41203  
41204         err  = get_user(palp, &up->palette);
41205         err |= get_user(length, &up->length);
41206 +       if (err)
41207 +               return -EFAULT;
41208  
41209         up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
41210         err  = put_user(compat_ptr(palp), &up_native->palette);
41211 @@ -621,7 +623,7 @@ static int serial_struct_ioctl(unsigned 
41212                         return -EFAULT;
41213                  if (__get_user(udata, &ss32->iomem_base))
41214                         return -EFAULT;
41215 -                ss.iomem_base = compat_ptr(udata);
41216 +                ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
41217                  if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
41218                     __get_user(ss.port_high, &ss32->port_high))
41219                         return -EFAULT;
41220 @@ -796,7 +798,7 @@ static int compat_ioctl_preallocate(stru
41221             copy_in_user(&p->l_len,     &p32->l_len,    sizeof(s64)) ||
41222             copy_in_user(&p->l_sysid,   &p32->l_sysid,  sizeof(s32)) ||
41223             copy_in_user(&p->l_pid,     &p32->l_pid,    sizeof(u32)) ||
41224 -           copy_in_user(&p->l_pad,     &p32->l_pad,    4*sizeof(u32)))
41225 +           copy_in_user(p->l_pad,      &p32->l_pad,    4*sizeof(u32)))
41226                 return -EFAULT;
41227  
41228         return ioctl_preallocate(file, p);
41229 @@ -1644,8 +1646,8 @@ asmlinkage long compat_sys_ioctl(unsigne
41230  static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
41231  {
41232         unsigned int a, b;
41233 -       a = *(unsigned int *)p;
41234 -       b = *(unsigned int *)q;
41235 +       a = *(const unsigned int *)p;
41236 +       b = *(const unsigned int *)q;
41237         if (a > b)
41238                 return 1;
41239         if (a < b)
41240 diff -urNp linux-3.1.1/fs/configfs/dir.c linux-3.1.1/fs/configfs/dir.c
41241 --- linux-3.1.1/fs/configfs/dir.c       2011-11-11 15:19:27.000000000 -0500
41242 +++ linux-3.1.1/fs/configfs/dir.c       2011-11-16 18:39:08.000000000 -0500
41243 @@ -1575,7 +1575,8 @@ static int configfs_readdir(struct file 
41244                         }
41245                         for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
41246                                 struct configfs_dirent *next;
41247 -                               const char * name;
41248 +                               const unsigned char * name;
41249 +                               char d_name[sizeof(next->s_dentry->d_iname)];
41250                                 int len;
41251                                 struct inode *inode = NULL;
41252  
41253 @@ -1585,7 +1586,12 @@ static int configfs_readdir(struct file 
41254                                         continue;
41255  
41256                                 name = configfs_get_name(next);
41257 -                               len = strlen(name);
41258 +                               if (next->s_dentry && name == next->s_dentry->d_iname) {
41259 +                                       len =  next->s_dentry->d_name.len;
41260 +                                       memcpy(d_name, name, len);
41261 +                                       name = d_name;
41262 +                               } else
41263 +                                       len = strlen(name);
41264  
41265                                 /*
41266                                  * We'll have a dentry and an inode for
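Review bot: `len` is taken from `next->s_dentry->d_name.len` without `d_lock`, and the `name == next->s_dentry->d_iname` test is a separate unlocked read, so if a concurrent rename can move the name to an external buffer between the two, `len` may exceed `sizeof(d_name)` and `memcpy(d_name, name, len)` overruns the stack buffer. Taking `spin_lock(&next->s_dentry->d_lock)` around the comparison and the copy makes check and copy consistent; at minimum clamp with `len = min_t(int, next->s_dentry->d_name.len, sizeof(d_name));`. Whether configfs already holds something that excludes rename here is not visible in the hunk, and configfs_readdir starts and ends outside it.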
41267 diff -urNp linux-3.1.1/fs/dcache.c linux-3.1.1/fs/dcache.c
41268 --- linux-3.1.1/fs/dcache.c     2011-11-11 15:19:27.000000000 -0500
41269 +++ linux-3.1.1/fs/dcache.c     2011-11-16 18:39:08.000000000 -0500
41270 @@ -2998,7 +2998,7 @@ void __init vfs_caches_init(unsigned lon
41271         mempages -= reserve;
41272  
41273         names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
41274 -                       SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
41275 +                       SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
41276  
41277         dcache_init();
41278         inode_init();
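Review bot: A why-comment is needed at the `SLAB_USERCOPY` flag, because it whitelists every object of this PATH_MAX-sized cache for direct user copies and the call site gives no hint why that is acceptable: `/* getname() buffers are the direct source/destination of user copies; whitelist them for the usercopy checks */`. The flag's definition and the checker that consumes it are outside this view, so the wording should be confirmed against them.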
41279 diff -urNp linux-3.1.1/fs/ecryptfs/inode.c linux-3.1.1/fs/ecryptfs/inode.c
41280 --- linux-3.1.1/fs/ecryptfs/inode.c     2011-11-11 15:19:27.000000000 -0500
41281 +++ linux-3.1.1/fs/ecryptfs/inode.c     2011-11-16 18:39:08.000000000 -0500
41282 @@ -681,7 +681,7 @@ static int ecryptfs_readlink_lower(struc
41283         old_fs = get_fs();
41284         set_fs(get_ds());
41285         rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
41286 -                                                  (char __user *)lower_buf,
41287 +                                                  (char __force_user *)lower_buf,
41288                                                    lower_bufsiz);
41289         set_fs(old_fs);
41290         if (rc < 0)
41291 @@ -727,7 +727,7 @@ static void *ecryptfs_follow_link(struct
41292         }
41293         old_fs = get_fs();
41294         set_fs(get_ds());
41295 -       rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
41296 +       rc = dentry->d_inode->i_op->readlink(dentry, (char __force_user *)buf, len);
41297         set_fs(old_fs);
41298         if (rc < 0) {
41299                 kfree(buf);
41300 @@ -742,7 +742,7 @@ out:
41301  static void
41302  ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
41303  {
41304 -       char *buf = nd_get_link(nd);
41305 +       const char *buf = nd_get_link(nd);
41306         if (!IS_ERR(buf)) {
41307                 /* Free the char* */
41308                 kfree(buf);
41309 diff -urNp linux-3.1.1/fs/ecryptfs/miscdev.c linux-3.1.1/fs/ecryptfs/miscdev.c
41310 --- linux-3.1.1/fs/ecryptfs/miscdev.c   2011-11-11 15:19:27.000000000 -0500
41311 +++ linux-3.1.1/fs/ecryptfs/miscdev.c   2011-11-16 18:39:08.000000000 -0500
41312 @@ -328,7 +328,7 @@ check_list:
41313                 goto out_unlock_msg_ctx;
41314         i = 5;
41315         if (msg_ctx->msg) {
41316 -               if (copy_to_user(&buf[i], packet_length, packet_length_size))
41317 +               if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
41318                         goto out_unlock_msg_ctx;
41319                 i += packet_length_size;
41320                 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
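Review bot: The new bound `packet_length_size > sizeof(packet_length)` is only meaningful if `packet_length` is an array in this scope; if it were a pointer, `sizeof` would be the pointer size and the check would silently be wrong, and the declaration is outside the hunk, so confirm it. Since `packet_length_size` is presumably produced by the kernel's own length encoder, exceeding the buffer would be an internal bug rather than a user error, and `if (WARN_ON_ONCE(packet_length_size > sizeof(packet_length)) || copy_to_user(&buf[i], packet_length, packet_length_size))` makes such a bug visible instead of bailing to `out_unlock_msg_ctx` with whatever `rc` currently holds. The enclosing function continues outside the hunk.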
41321 diff -urNp linux-3.1.1/fs/ecryptfs/read_write.c linux-3.1.1/fs/ecryptfs/read_write.c
41322 --- linux-3.1.1/fs/ecryptfs/read_write.c        2011-11-11 15:19:27.000000000 -0500
41323 +++ linux-3.1.1/fs/ecryptfs/read_write.c        2011-11-16 18:39:08.000000000 -0500
41324 @@ -48,7 +48,7 @@ int ecryptfs_write_lower(struct inode *e
41325                 return -EIO;
41326         fs_save = get_fs();
41327         set_fs(get_ds());
41328 -       rc = vfs_write(lower_file, data, size, &offset);
41329 +       rc = vfs_write(lower_file, (const char __force_user *)data, size, &offset);
41330         set_fs(fs_save);
41331         mark_inode_dirty_sync(ecryptfs_inode);
41332         return rc;
41333 @@ -235,7 +235,7 @@ int ecryptfs_read_lower(char *data, loff
41334                 return -EIO;
41335         fs_save = get_fs();
41336         set_fs(get_ds());
41337 -       rc = vfs_read(lower_file, data, size, &offset);
41338 +       rc = vfs_read(lower_file, (char __force_user *)data, size, &offset);
41339         set_fs(fs_save);
41340         return rc;
41341  }
41342 diff -urNp linux-3.1.1/fs/exec.c linux-3.1.1/fs/exec.c
41343 --- linux-3.1.1/fs/exec.c       2011-11-11 15:19:27.000000000 -0500
41344 +++ linux-3.1.1/fs/exec.c       2011-11-16 23:41:58.000000000 -0500
41345 @@ -55,12 +55,24 @@
41346  #include <linux/pipe_fs_i.h>
41347  #include <linux/oom.h>
41348  #include <linux/compat.h>
41349 +#include <linux/random.h>
41350 +#include <linux/seq_file.h>
41351 +
41352 +#ifdef CONFIG_PAX_REFCOUNT
41353 +#include <linux/kallsyms.h>
41354 +#include <linux/kdebug.h>
41355 +#endif
41356  
41357  #include <asm/uaccess.h>
41358  #include <asm/mmu_context.h>
41359  #include <asm/tlb.h>
41360  #include "internal.h"
41361  
41362 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
41363 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
41364 +EXPORT_SYMBOL(pax_set_initial_flags_func);
41365 +#endif
41366 +
41367  int core_uses_pid;
41368  char core_pattern[CORENAME_MAX_SIZE] = "core";
41369  unsigned int core_pipe_limit;
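Review bot: `pax_set_initial_flags_func` is a writable, exported function pointer that is presumably invoked on the exec path, so any loadable module can redirect it; exporting it with `EXPORT_SYMBOL_GPL` and documenting the single intended writer narrows that. A comment above the declaration such as `/* set once by the RBAC subsystem; the exec path must test for NULL before calling */` records the contract, since the call site is outside this hunk and cannot be checked here.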
41370 @@ -70,7 +82,7 @@ struct core_name {
41371         char *corename;
41372         int used, size;
41373  };
41374 -static atomic_t call_count = ATOMIC_INIT(1);
41375 +static atomic_unchecked_t call_count = ATOMIC_INIT(1);
41376  
41377  /* The maximal length of core_pattern is also specified in sysctl.c */
41378  
41379 @@ -188,18 +200,10 @@ static struct page *get_arg_page(struct 
41380                 int write)
41381  {
41382         struct page *page;
41383 -       int ret;
41384  
41385 -#ifdef CONFIG_STACK_GROWSUP
41386 -       if (write) {
41387 -               ret = expand_downwards(bprm->vma, pos);
41388 -               if (ret < 0)
41389 -                       return NULL;
41390 -       }
41391 -#endif
41392 -       ret = get_user_pages(current, bprm->mm, pos,
41393 -                       1, write, 1, &page, NULL);
41394 -       if (ret <= 0)
41395 +       if (0 > expand_downwards(bprm->vma, pos))
41396 +               return NULL;
41397 +       if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
41398                 return NULL;
41399  
41400         if (write) {
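Review bot: `expand_downwards()` is now called for every access, reads included, whereas the original grew the VMA only for writes and only under CONFIG_STACK_GROWSUP, so a read below `vm_start` that used to fail inside get_user_pages will now grow the stack VMA. That is harmless if every read caller passes an address already inside the VMA, but it is a behaviour change that deserves a comment. Stylistically, `if (expand_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` read more naturally than the reversed `0 >` / `0 >=` forms; get_arg_page continues outside the hunk.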
41401 @@ -274,6 +278,11 @@ static int __bprm_mm_init(struct linux_b
41402         vma->vm_end = STACK_TOP_MAX;
41403         vma->vm_start = vma->vm_end - PAGE_SIZE;
41404         vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
41405 +
41406 +#ifdef CONFIG_PAX_SEGMEXEC
41407 +       vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
41408 +#endif
41409 +
41410         vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
41411         INIT_LIST_HEAD(&vma->anon_vma_chain);
41412  
41413 @@ -288,6 +297,12 @@ static int __bprm_mm_init(struct linux_b
41414         mm->stack_vm = mm->total_vm = 1;
41415         up_write(&mm->mmap_sem);
41416         bprm->p = vma->vm_end - sizeof(void *);
41417 +
41418 +#ifdef CONFIG_PAX_RANDUSTACK
41419 +       if (randomize_va_space)
41420 +               bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
41421 +#endif
41422 +
41423         return 0;
41424  err:
41425         up_write(&mm->mmap_sem);
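Review bot: The XOR only perturbs the offset of `bprm->p` within its page (the mask `& ~15` then `& ~PAGE_MASK` keeps bits 4..PAGE_SHIFT-1), which is roughly 8 bits of entropy on a 4 KiB page and preserves the 16-byte alignment relationship; that is not obvious from the expression and deserves a comment such as `/* randomise the initial stack pointer within its top page, keeping 16-byte alignment */`. It is also gated on the `randomize_va_space` sysctl, so setting that to 0 disables this along with the rest of the layout randomisation.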
41426 @@ -396,19 +411,7 @@ err:
41427         return err;
41428  }
41429  
41430 -struct user_arg_ptr {
41431 -#ifdef CONFIG_COMPAT
41432 -       bool is_compat;
41433 -#endif
41434 -       union {
41435 -               const char __user *const __user *native;
41436 -#ifdef CONFIG_COMPAT
41437 -               compat_uptr_t __user *compat;
41438 -#endif
41439 -       } ptr;
41440 -};
41441 -
41442 -static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
41443 +const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
41444  {
41445         const char __user *native;
41446  
41447 @@ -417,14 +420,14 @@ static const char __user *get_user_arg_p
41448                 compat_uptr_t compat;
41449  
41450                 if (get_user(compat, argv.ptr.compat + nr))
41451 -                       return ERR_PTR(-EFAULT);
41452 +                       return (const char __force_user *)ERR_PTR(-EFAULT);
41453  
41454                 return compat_ptr(compat);
41455         }
41456  #endif
41457  
41458         if (get_user(native, argv.ptr.native + nr))
41459 -               return ERR_PTR(-EFAULT);
41460 +               return (const char __force_user *)ERR_PTR(-EFAULT);
41461  
41462         return native;
41463  }
41464 @@ -443,7 +446,7 @@ static int count(struct user_arg_ptr arg
41465                         if (!p)
41466                                 break;
41467  
41468 -                       if (IS_ERR(p))
41469 +                       if (IS_ERR((const char __force_kernel *)p))
41470                                 return -EFAULT;
41471  
41472                         if (i++ >= max)
41473 @@ -477,7 +480,7 @@ static int copy_strings(int argc, struct
41474  
41475                 ret = -EFAULT;
41476                 str = get_user_arg_ptr(argv, argc);
41477 -               if (IS_ERR(str))
41478 +               if (IS_ERR((const char __force_kernel *)str))
41479                         goto out;
41480  
41481                 len = strnlen_user(str, MAX_ARG_STRLEN);
41482 @@ -559,7 +562,7 @@ int copy_strings_kernel(int argc, const 
41483         int r;
41484         mm_segment_t oldfs = get_fs();
41485         struct user_arg_ptr argv = {
41486 -               .ptr.native = (const char __user *const  __user *)__argv,
41487 +               .ptr.native = (const char __force_user *const  __force_user *)__argv,
41488         };
41489  
41490         set_fs(KERNEL_DS);
41491 @@ -594,7 +597,8 @@ static int shift_arg_pages(struct vm_are
41492         unsigned long new_end = old_end - shift;
41493         struct mmu_gather tlb;
41494  
41495 -       BUG_ON(new_start > new_end);
41496 +       if (new_start >= new_end || new_start < mmap_min_addr)
41497 +               return -ENOMEM;
41498  
41499         /*
41500          * ensure there are no vmas between where we want to go
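Review bot: A short comment above the new guard would explain that -ENOMEM here now stands in for both the old `BUG_ON` and the mmap_min_addr test that setup_arg_pages used to perform, e.g. `/* the shifted stack must keep a non-empty range above mmap_min_addr; callers handle -ENOMEM */`. Note also that `new_start == new_end` is now rejected where the BUG_ON tolerated it; that is fine because the VMA is at least one page, but it is a behaviour change worth stating. shift_arg_pages continues outside the hunk.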
41501 @@ -603,6 +607,10 @@ static int shift_arg_pages(struct vm_are
41502         if (vma != find_vma(mm, new_start))
41503                 return -EFAULT;
41504  
41505 +#ifdef CONFIG_PAX_SEGMEXEC
41506 +       BUG_ON(pax_find_mirror_vma(vma));
41507 +#endif
41508 +
41509         /*
41510          * cover the whole range: [new_start, old_end)
41511          */
41512 @@ -683,10 +691,6 @@ int setup_arg_pages(struct linux_binprm 
41513         stack_top = arch_align_stack(stack_top);
41514         stack_top = PAGE_ALIGN(stack_top);
41515  
41516 -       if (unlikely(stack_top < mmap_min_addr) ||
41517 -           unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
41518 -               return -ENOMEM;
41519 -
41520         stack_shift = vma->vm_end - stack_top;
41521  
41522         bprm->p -= stack_shift;
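Review bot: Removing the `stack_top < mmap_min_addr` test here leaves a zero-shift stack unvalidated, because the replacement check lives in shift_arg_pages and the call to it elsewhere in this file is made only under `if (stack_shift)`. Either keep `if (unlikely(stack_top < mmap_min_addr)) return -ENOMEM;` at this point or make the shift_arg_pages call unconditional so the new guard always runs. setup_arg_pages starts and ends outside the hunk.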
41523 @@ -698,8 +702,28 @@ int setup_arg_pages(struct linux_binprm 
41524         bprm->exec -= stack_shift;
41525  
41526         down_write(&mm->mmap_sem);
41527 +
41528 +       /* Move stack pages down in memory. */
41529 +       if (stack_shift) {
41530 +               ret = shift_arg_pages(vma, stack_shift);
41531 +               if (ret)
41532 +                       goto out_unlock;
41533 +       }
41534 +
41535         vm_flags = VM_STACK_FLAGS;
41536  
41537 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
41538 +       if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
41539 +               vm_flags &= ~VM_EXEC;
41540 +
41541 +#ifdef CONFIG_PAX_MPROTECT
41542 +               if (mm->pax_flags & MF_PAX_MPROTECT)
41543 +                       vm_flags &= ~VM_MAYEXEC;
41544 +#endif
41545 +
41546 +       }
41547 +#endif
41548 +
41549         /*
41550          * Adjust stack execute permissions; explicitly enable for
41551          * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
41552 @@ -718,13 +742,6 @@ int setup_arg_pages(struct linux_binprm 
41553                 goto out_unlock;
41554         BUG_ON(prev != vma);
41555  
41556 -       /* Move stack pages down in memory. */
41557 -       if (stack_shift) {
41558 -               ret = shift_arg_pages(vma, stack_shift);
41559 -               if (ret)
41560 -                       goto out_unlock;
41561 -       }
41562 -
41563         /* mprotect_fixup is overkill to remove the temporary stack flags */
41564         vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
41565  
41566 @@ -805,7 +822,7 @@ int kernel_read(struct file *file, loff_
41567         old_fs = get_fs();
41568         set_fs(get_ds());
41569         /* The cast to a user pointer is valid due to the set_fs() */
41570 -       result = vfs_read(file, (void __user *)addr, count, &pos);
41571 +       result = vfs_read(file, (void __force_user *)addr, count, &pos);
41572         set_fs(old_fs);
41573         return result;
41574  }
41575 @@ -1251,7 +1268,7 @@ int check_unsafe_exec(struct linux_binpr
41576         }
41577         rcu_read_unlock();
41578  
41579 -       if (p->fs->users > n_fs) {
41580 +       if (atomic_read(&p->fs->users) > n_fs) {
41581                 bprm->unsafe |= LSM_UNSAFE_SHARE;
41582         } else {
41583                 res = -EAGAIN;
41584 @@ -1454,6 +1471,11 @@ static int do_execve_common(const char *
41585                                 struct user_arg_ptr envp,
41586                                 struct pt_regs *regs)
41587  {
41588 +#ifdef CONFIG_GRKERNSEC
41589 +       struct file *old_exec_file;
41590 +       struct acl_subject_label *old_acl;
41591 +       struct rlimit old_rlim[RLIM_NLIMITS];
41592 +#endif
41593         struct linux_binprm *bprm;
41594         struct file *file;
41595         struct files_struct *displaced;
41596 @@ -1461,6 +1483,8 @@ static int do_execve_common(const char *
41597         int retval;
41598         const struct cred *cred = current_cred();
41599  
41600 +       gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
41601 +
41602         /*
41603          * We move the actual failure in case of RLIMIT_NPROC excess from
41604          * set*uid() to execve() because too many poorly written programs
41605 @@ -1507,6 +1531,16 @@ static int do_execve_common(const char *
41606         bprm->filename = filename;
41607         bprm->interp = filename;
41608  
41609 +       if (gr_process_user_ban()) {
41610 +               retval = -EPERM;
41611 +               goto out_file;
41612 +       }
41613 +
41614 +       if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
41615 +               retval = -EACCES;
41616 +               goto out_file;
41617 +       }
41618 +
41619         retval = bprm_mm_init(bprm);
41620         if (retval)
41621                 goto out_file;
41622 @@ -1536,9 +1570,40 @@ static int do_execve_common(const char *
41623         if (retval < 0)
41624                 goto out;
41625  
41626 +       if (!gr_tpe_allow(file)) {
41627 +               retval = -EACCES;
41628 +               goto out;
41629 +       }
41630 +
41631 +       if (gr_check_crash_exec(file)) {
41632 +               retval = -EACCES;
41633 +               goto out;
41634 +       }
41635 +
41636 +       gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
41637 +
41638 +       gr_handle_exec_args(bprm, argv);
41639 +
41640 +#ifdef CONFIG_GRKERNSEC
41641 +       old_acl = current->acl;
41642 +       memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
41643 +       old_exec_file = current->exec_file;
41644 +       get_file(file);
41645 +       current->exec_file = file;
41646 +#endif
41647 +
41648 +       retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
41649 +                                       bprm->unsafe & LSM_UNSAFE_SHARE);
41650 +       if (retval < 0)
41651 +               goto out_fail;
41652 +
41653         retval = search_binary_handler(bprm,regs);
41654         if (retval < 0)
41655 -               goto out;
41656 +               goto out_fail;
41657 +#ifdef CONFIG_GRKERNSEC
41658 +       if (old_exec_file)
41659 +               fput(old_exec_file);
41660 +#endif
41661  
41662         /* execve succeeded */
41663         current->fs->in_exec = 0;
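Review bot: `gr_tpe_allow(file)` and `gr_check_crash_exec(file)` are evaluated only after the argument and environment strings have been copied into the new mm, while the equivalent `gr_acl_handle_execve()` denial earlier in the function sits before bprm_mm_init; if these two checks really only need the opened file, moving them up next to it refuses the exec before the expensive copy_strings work and keeps all the file-based denials in one place. The exec_file swap is otherwise balanced across the three exits that are visible (success fputs the old file, out_fail fputs the new one), but a comment saying why `current->exec_file` must point at the new binary before gr_set_proc_label() is called would help a reader. do_execve_common continues outside the hunk.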
41664 @@ -1549,6 +1614,14 @@ static int do_execve_common(const char *
41665                 put_files_struct(displaced);
41666         return retval;
41667  
41668 +out_fail:
41669 +#ifdef CONFIG_GRKERNSEC
41670 +       current->acl = old_acl;
41671 +       memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
41672 +       fput(current->exec_file);
41673 +       current->exec_file = old_exec_file;
41674 +#endif
41675 +
41676  out:
41677         if (bprm->mm) {
41678                 acct_arg_size(bprm, 0);
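Review bot: The restore `memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));` writes the whole rlimit array without the `task_lock(current->group_leader)` that the kernel's rlimit setters use, so other threads of the group reading limits concurrently can observe a torn cur/max pair or a mix of old and new values; the snapshot taken earlier in the function has the same issue. Wrapping both the snapshot and the restore in `task_lock(current->group_leader); ... task_unlock(current->group_leader);` matches the locking used elsewhere for `signal->rlim`. Whether gr_set_proc_label() itself updates rlim under that lock is not visible here.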
41679 @@ -1622,7 +1695,7 @@ static int expand_corename(struct core_n
41680  {
41681         char *old_corename = cn->corename;
41682  
41683 -       cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
41684 +       cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
41685         cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
41686  
41687         if (!cn->corename) {
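Review bot: `call_count` is not a statistics counter: its value is multiplied into `cn->size` and handed to krealloc, so switching it to `atomic_inc_return_unchecked()` removes exactly the overflow detection that matters here, because a wrapped or sign-flipped product yields a tiny or huge allocation and an undersized `corename`. In the visible code it only grows by one per call and is never decremented, so the practical exposure is small, but either keep the checked `atomic_t` or bound the product explicitly: `int n = atomic_inc_return_unchecked(&call_count); if (n <= 0 || n > INT_MAX / CORENAME_MAX_SIZE) return -ENOMEM;`. The rest of expand_corename is outside the hunk.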
41688 @@ -1719,7 +1792,7 @@ static int format_corename(struct core_n
41689         int pid_in_pattern = 0;
41690         int err = 0;
41691  
41692 -       cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
41693 +       cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
41694         cn->corename = kmalloc(cn->size, GFP_KERNEL);
41695         cn->used = 0;
41696  
41697 @@ -1816,6 +1889,219 @@ out:
41698         return ispipe;
41699  }
41700  
41701 +int pax_check_flags(unsigned long *flags)
41702 +{
41703 +       int retval = 0;
41704 +
41705 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
41706 +       if (*flags & MF_PAX_SEGMEXEC)
41707 +       {
41708 +               *flags &= ~MF_PAX_SEGMEXEC;
41709 +               retval = -EINVAL;
41710 +       }
41711 +#endif
41712 +
41713 +       if ((*flags & MF_PAX_PAGEEXEC)
41714 +
41715 +#ifdef CONFIG_PAX_PAGEEXEC
41716 +           &&  (*flags & MF_PAX_SEGMEXEC)
41717 +#endif
41718 +
41719 +          )
41720 +       {
41721 +               *flags &= ~MF_PAX_PAGEEXEC;
41722 +               retval = -EINVAL;
41723 +       }
41724 +
41725 +       if ((*flags & MF_PAX_MPROTECT)
41726 +
41727 +#ifdef CONFIG_PAX_MPROTECT
41728 +           && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
41729 +#endif
41730 +
41731 +          )
41732 +       {
41733 +               *flags &= ~MF_PAX_MPROTECT;
41734 +               retval = -EINVAL;
41735 +       }
41736 +
41737 +       if ((*flags & MF_PAX_EMUTRAMP)
41738 +
41739 +#ifdef CONFIG_PAX_EMUTRAMP
41740 +           && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
41741 +#endif
41742 +
41743 +          )
41744 +       {
41745 +               *flags &= ~MF_PAX_EMUTRAMP;
41746 +               retval = -EINVAL;
41747 +       }
41748 +
41749 +       return retval;
41750 +}
41751 +
41752 +EXPORT_SYMBOL(pax_check_flags);
41753 +
41754 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
41755 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
41756 +{
41757 +       struct task_struct *tsk = current;
41758 +       struct mm_struct *mm = current->mm;
41759 +       char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
41760 +       char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
41761 +       char *path_exec = NULL;
41762 +       char *path_fault = NULL;
41763 +       unsigned long start = 0UL, end = 0UL, offset = 0UL;
41764 +
41765 +       if (buffer_exec && buffer_fault) {
41766 +               struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
41767 +
41768 +               down_read(&mm->mmap_sem);
41769 +               vma = mm->mmap;
41770 +               while (vma && (!vma_exec || !vma_fault)) {
41771 +                       if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
41772 +                               vma_exec = vma;
41773 +                       if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
41774 +                               vma_fault = vma;
41775 +                       vma = vma->vm_next;
41776 +               }
41777 +               if (vma_exec) {
41778 +                       path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
41779 +                       if (IS_ERR(path_exec))
41780 +                               path_exec = "<path too long>";
41781 +                       else {
41782 +                               path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
41783 +                               if (path_exec) {
41784 +                                       *path_exec = 0;
41785 +                                       path_exec = buffer_exec;
41786 +                               } else
41787 +                                       path_exec = "<path too long>";
41788 +                       }
41789 +               }
41790 +               if (vma_fault) {
41791 +                       start = vma_fault->vm_start;
41792 +                       end = vma_fault->vm_end;
41793 +                       offset = vma_fault->vm_pgoff << PAGE_SHIFT;
41794 +                       if (vma_fault->vm_file) {
41795 +                               path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
41796 +                               if (IS_ERR(path_fault))
41797 +                                       path_fault = "<path too long>";
41798 +                               else {
41799 +                                       path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
41800 +                                       if (path_fault) {
41801 +                                               *path_fault = 0;
41802 +                                               path_fault = buffer_fault;
41803 +                                       } else
41804 +                                               path_fault = "<path too long>";
41805 +                               }
41806 +                       } else
41807 +                               path_fault = "<anonymous mapping>";
41808 +               }
41809 +               up_read(&mm->mmap_sem);
41810 +       }
41811 +       if (tsk->signal->curr_ip)
41812 +               printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
41813 +       else
41814 +               printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
41815 +       printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
41816 +                       "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
41817 +                       task_uid(tsk), task_euid(tsk), pc, sp);
41818 +       free_page((unsigned long)buffer_exec);
41819 +       free_page((unsigned long)buffer_fault);
41820 +       pax_report_insns(regs, pc, sp);
41821 +       do_coredump(SIGKILL, SIGKILL, regs);
41822 +}
41823 +#endif
41824 +
41825 +#ifdef CONFIG_PAX_REFCOUNT
41826 +void pax_report_refcount_overflow(struct pt_regs *regs)
41827 +{
41828 +       if (current->signal->curr_ip)
41829 +               printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
41830 +                                &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
41831 +       else
41832 +               printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
41833 +                                current->comm, task_pid_nr(current), current_uid(), current_euid());
41834 +       print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
41835 +       show_regs(regs);
41836 +       force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
41837 +}
41838 +#endif
41839 +
41840 +#ifdef CONFIG_PAX_USERCOPY
41841 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
41842 +int object_is_on_stack(const void *obj, unsigned long len)
41843 +{
41844 +       const void * const stack = task_stack_page(current);
41845 +       const void * const stackend = stack + THREAD_SIZE;
41846 +
41847 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
41848 +       const void *frame = NULL;
41849 +       const void *oldframe;
41850 +#endif
41851 +
41852 +       if (obj + len < obj)
41853 +               return -1;
41854 +
41855 +       if (obj + len <= stack || stackend <= obj)
41856 +               return 0;
41857 +
41858 +       if (obj < stack || stackend < obj + len)
41859 +               return -1;
41860 +
41861 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
41862 +       oldframe = __builtin_frame_address(1);
41863 +       if (oldframe)
41864 +               frame = __builtin_frame_address(2);
41865 +       /*
41866 +         low ----------------------------------------------> high
41867 +         [saved bp][saved ip][args][local vars][saved bp][saved ip]
41868 +                             ^----------------^
41869 +                         allow copies only within here
41870 +       */
41871 +       while (stack <= frame && frame < stackend) {
41872 +               /* if obj + len extends past the last frame, this
41873 +                  check won't pass and the next frame will be 0,
41874 +                  causing us to bail out and correctly report
41875 +                  the copy as invalid
41876 +               */
41877 +               if (obj + len <= frame)
41878 +                       return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
41879 +               oldframe = frame;
41880 +               frame = *(const void * const *)frame;
41881 +       }
41882 +       return -1;
41883 +#else
41884 +       return 1;
41885 +#endif
41886 +}
41887 +
41888 +
41889 +NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
41890 +{
41891 +       if (current->signal->curr_ip)
41892 +               printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
41893 +                       &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
41894 +       else
41895 +               printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
41896 +                       to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
41897 +       dump_stack();
41898 +       gr_handle_kernel_exploit();
41899 +       do_group_exit(SIGKILL);
41900 +}
41901 +#endif
41902 +
41903 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
41904 +void pax_track_stack(void)
41905 +{
41906 +       unsigned long sp = (unsigned long)&sp;
41907 +       if (sp < current_thread_info()->lowest_stack &&
41908 +           sp > (unsigned long)task_stack_page(current))
41909 +               current_thread_info()->lowest_stack = sp;
41910 +}
41911 +EXPORT_SYMBOL(pax_track_stack);
41912 +#endif
41913 +
41914  static int zap_process(struct task_struct *start, int exit_code)
41915  {
41916         struct task_struct *t;
41917 @@ -2027,17 +2313,17 @@ static void wait_for_dump_helpers(struct
41918         pipe = file->f_path.dentry->d_inode->i_pipe;
41919  
41920         pipe_lock(pipe);
41921 -       pipe->readers++;
41922 -       pipe->writers--;
41923 +       atomic_inc(&pipe->readers);
41924 +       atomic_dec(&pipe->writers);
41925  
41926 -       while ((pipe->readers > 1) && (!signal_pending(current))) {
41927 +       while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
41928                 wake_up_interruptible_sync(&pipe->wait);
41929                 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
41930                 pipe_wait(pipe);
41931         }
41932  
41933 -       pipe->readers--;
41934 -       pipe->writers++;
41935 +       atomic_dec(&pipe->readers);
41936 +       atomic_inc(&pipe->writers);
41937         pipe_unlock(pipe);
41938  
41939  }
41940 @@ -2098,7 +2384,7 @@ void do_coredump(long signr, int exit_co
41941         int retval = 0;
41942         int flag = 0;
41943         int ispipe;
41944 -       static atomic_t core_dump_count = ATOMIC_INIT(0);
41945 +       static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
41946         struct coredump_params cprm = {
41947                 .signr = signr,
41948                 .regs = regs,
41949 @@ -2113,6 +2399,9 @@ void do_coredump(long signr, int exit_co
41950  
41951         audit_core_dumps(signr);
41952  
41953 +       if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
41954 +               gr_handle_brute_attach(current, cprm.mm_flags);
41955 +
41956         binfmt = mm->binfmt;
41957         if (!binfmt || !binfmt->core_dump)
41958                 goto fail;
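Review bot: The signal list that gates gr_handle_brute_attach() in do_coredump is undocumented, and SIGKILL in particular is not an obvious crash signal; it is there because pax_report_fault() above ends in `do_coredump(SIGKILL, SIGKILL, regs)`, so PaX-terminated tasks also feed the brute-force detector. A comment on the added `if` would stop a later cleanup from dropping it: `/* crash-like signals feed grsec's re-exec brute-force detection; SIGKILL covers PaX kills (pax_report_fault -> do_coredump(SIGKILL)) */`. cprm.mm_flags is presumably filled in the designated initializer that starts before this hunk; that is worth confirming, since the hook reads it before binfmt is even checked. do_coredump's body continues on both sides of the hunk.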
41959 @@ -2180,7 +2469,7 @@ void do_coredump(long signr, int exit_co
41960                 }
41961                 cprm.limit = RLIM_INFINITY;
41962  
41963 -               dump_count = atomic_inc_return(&core_dump_count);
41964 +               dump_count = atomic_inc_return_unchecked(&core_dump_count);
41965                 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
41966                         printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
41967                                task_tgid_vnr(current), current->comm);
41968 @@ -2207,6 +2496,8 @@ void do_coredump(long signr, int exit_co
41969         } else {
41970                 struct inode *inode;
41971  
41972 +               gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
41973 +
41974                 if (cprm.limit < binfmt->min_coredump)
41975                         goto fail_unlock;
41976  
41977 @@ -2250,7 +2541,7 @@ close_fail:
41978                 filp_close(cprm.file, NULL);
41979  fail_dropcount:
41980         if (ispipe)
41981 -               atomic_dec(&core_dump_count);
41982 +               atomic_dec_unchecked(&core_dump_count);
41983  fail_unlock:
41984         kfree(cn.corename);
41985  fail_corename:
41986 @@ -2269,7 +2560,7 @@ fail:
41987   */
41988  int dump_write(struct file *file, const void *addr, int nr)
41989  {
41990 -       return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, addr, nr, &file->f_pos) == nr;
41991 +       return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, (const char __force_user *)addr, nr, &file->f_pos) == nr;
41992  }
41993  EXPORT_SYMBOL(dump_write);
41994  
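Review bot: The `__force_user` cast on dump_write's buffer deserves a one-line comment, because it deliberately defeats the address-space check that the rest of this patch tightens and a later reader may try to remove it. The data being dumped is kernel memory handed to a `->write()` that is typed for user pointers; presumably the core-dump path runs under KERNEL_DS, which is what makes `access_ok(VERIFY_READ, addr, nr)` accept a kernel address. Suggested: `/* addr is kernel memory; coredump runs under KERNEL_DS, so the __user annotation is forced here on purpose */`.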
41995 diff -urNp linux-3.1.1/fs/ext2/balloc.c linux-3.1.1/fs/ext2/balloc.c
41996 --- linux-3.1.1/fs/ext2/balloc.c        2011-11-11 15:19:27.000000000 -0500
41997 +++ linux-3.1.1/fs/ext2/balloc.c        2011-11-16 18:40:29.000000000 -0500
41998 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
41999  
42000         free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
42001         root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
42002 -       if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
42003 +       if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
42004                 sbi->s_resuid != current_fsuid() &&
42005                 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
42006                 return 0;
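Review bot: Swapping capable() for capable_nolog() in ext2_has_free_blocks changes what the reserved-block check logs, not what it permits, and nothing on the line says why; the same substitution appears in the ext3 and ext4 balloc hunks below. The check is a speculative probe made on every allocation by an unprivileged process, so a logging capable() would flood the audit log with denials; a short comment keeps the next maintainer from reverting it: `/* speculative probe, not a privileged action: capable_nolog() keeps it out of the audit log */`. In the ext4 hunk the conditions are also reordered so that `flags & EXT4_MB_USE_ROOT_BLOCKS` is tested before the capability, which skips the capability lookup entirely in that case; that intent belongs in the same comment.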
42007 diff -urNp linux-3.1.1/fs/ext3/balloc.c linux-3.1.1/fs/ext3/balloc.c
42008 --- linux-3.1.1/fs/ext3/balloc.c        2011-11-11 15:19:27.000000000 -0500
42009 +++ linux-3.1.1/fs/ext3/balloc.c        2011-11-16 18:40:29.000000000 -0500
42010 @@ -1446,7 +1446,7 @@ static int ext3_has_free_blocks(struct e
42011  
42012         free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
42013         root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
42014 -       if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
42015 +       if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
42016                 sbi->s_resuid != current_fsuid() &&
42017                 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
42018                 return 0;
42019 diff -urNp linux-3.1.1/fs/ext4/balloc.c linux-3.1.1/fs/ext4/balloc.c
42020 --- linux-3.1.1/fs/ext4/balloc.c        2011-11-11 15:19:27.000000000 -0500
42021 +++ linux-3.1.1/fs/ext4/balloc.c        2011-11-16 18:40:29.000000000 -0500
42022 @@ -394,8 +394,8 @@ static int ext4_has_free_blocks(struct e
42023         /* Hm, nope.  Are (enough) root reserved blocks available? */
42024         if (sbi->s_resuid == current_fsuid() ||
42025             ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
42026 -           capable(CAP_SYS_RESOURCE) ||
42027 -               (flags & EXT4_MB_USE_ROOT_BLOCKS)) {
42028 +               (flags & EXT4_MB_USE_ROOT_BLOCKS) ||
42029 +               capable_nolog(CAP_SYS_RESOURCE)) {
42030  
42031                 if (free_blocks >= (nblocks + dirty_blocks))
42032                         return 1;
42033 diff -urNp linux-3.1.1/fs/ext4/ext4.h linux-3.1.1/fs/ext4/ext4.h
42034 --- linux-3.1.1/fs/ext4/ext4.h  2011-11-11 15:19:27.000000000 -0500
42035 +++ linux-3.1.1/fs/ext4/ext4.h  2011-11-16 18:39:08.000000000 -0500
42036 @@ -1180,19 +1180,19 @@ struct ext4_sb_info {
42037         unsigned long s_mb_last_start;
42038  
42039         /* stats for buddy allocator */
42040 -       atomic_t s_bal_reqs;    /* number of reqs with len > 1 */
42041 -       atomic_t s_bal_success; /* we found long enough chunks */
42042 -       atomic_t s_bal_allocated;       /* in blocks */
42043 -       atomic_t s_bal_ex_scanned;      /* total extents scanned */
42044 -       atomic_t s_bal_goals;   /* goal hits */
42045 -       atomic_t s_bal_breaks;  /* too long searches */
42046 -       atomic_t s_bal_2orders; /* 2^order hits */
42047 +       atomic_unchecked_t s_bal_reqs;  /* number of reqs with len > 1 */
42048 +       atomic_unchecked_t s_bal_success;       /* we found long enough chunks */
42049 +       atomic_unchecked_t s_bal_allocated;     /* in blocks */
42050 +       atomic_unchecked_t s_bal_ex_scanned;    /* total extents scanned */
42051 +       atomic_unchecked_t s_bal_goals; /* goal hits */
42052 +       atomic_unchecked_t s_bal_breaks;        /* too long searches */
42053 +       atomic_unchecked_t s_bal_2orders;       /* 2^order hits */
42054         spinlock_t s_bal_lock;
42055         unsigned long s_mb_buddies_generated;
42056         unsigned long long s_mb_generation_time;
42057 -       atomic_t s_mb_lost_chunks;
42058 -       atomic_t s_mb_preallocated;
42059 -       atomic_t s_mb_discarded;
42060 +       atomic_unchecked_t s_mb_lost_chunks;
42061 +       atomic_unchecked_t s_mb_preallocated;
42062 +       atomic_unchecked_t s_mb_discarded;
42063         atomic_t s_lock_busy;
42064  
42065         /* locality groups */
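Review bot: s_lock_busy is the only buddy-allocator statistic in this struct left as atomic_t while its neighbours become atomic_unchecked_t, and the hunk does not say whether that is deliberate. Under CONFIG_PAX_REFCOUNT a checked counter that only ever increments can presumably trip the overflow detector (pax_report_refcount_overflow earlier in this patch kills the task), so either convert it with the others or add a comment: `/* kept as atomic_t on purpose: <reason> */`. If it is converted elsewhere in the patch, name that place in the comment.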
42066 diff -urNp linux-3.1.1/fs/ext4/file.c linux-3.1.1/fs/ext4/file.c
42067 --- linux-3.1.1/fs/ext4/file.c  2011-11-11 15:19:27.000000000 -0500
42068 +++ linux-3.1.1/fs/ext4/file.c  2011-11-16 18:40:29.000000000 -0500
42069 @@ -181,8 +181,8 @@ static int ext4_file_open(struct inode *
42070                 path.dentry = mnt->mnt_root;
42071                 cp = d_path(&path, buf, sizeof(buf));
42072                 if (!IS_ERR(cp)) {
42073 -                       memcpy(sbi->s_es->s_last_mounted, cp,
42074 -                              sizeof(sbi->s_es->s_last_mounted));
42075 +                       strlcpy(sbi->s_es->s_last_mounted, cp,
42076 +                               sizeof(sbi->s_es->s_last_mounted));
42077                         ext4_mark_super_dirty(sb);
42078                 }
42079         }
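Review bot: The strlcpy() in ext4_file_open fixes a real over-read — d_path() returns a pointer into the tail of its buffer, so a fixed `sizeof(s_last_mounted)` memcpy from `cp` could read past the end of `buf` and write stack bytes into the on-disk superblock — but it also silently truncates longer paths and leaves whatever previously followed the NUL in s_last_mounted untouched. If the aim includes not persisting stale bytes, a `memset` of the tail (or a comment stating that stale tail bytes are acceptable) would complete the change. Suggested comment on the strlcpy: `/* bounded copy: d_path() hands back a suffix of buf, so copying sizeof(field) bytes from cp over-read the stack */`.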
42080 diff -urNp linux-3.1.1/fs/ext4/ioctl.c linux-3.1.1/fs/ext4/ioctl.c
42081 --- linux-3.1.1/fs/ext4/ioctl.c 2011-11-11 15:19:27.000000000 -0500
42082 +++ linux-3.1.1/fs/ext4/ioctl.c 2011-11-16 18:39:08.000000000 -0500
42083 @@ -348,7 +348,7 @@ mext_out:
42084                 if (!blk_queue_discard(q))
42085                         return -EOPNOTSUPP;
42086  
42087 -               if (copy_from_user(&range, (struct fstrim_range *)arg,
42088 +               if (copy_from_user(&range, (struct fstrim_range __user *)arg,
42089                     sizeof(range)))
42090                         return -EFAULT;
42091  
42092 @@ -358,7 +358,7 @@ mext_out:
42093                 if (ret < 0)
42094                         return ret;
42095  
42096 -               if (copy_to_user((struct fstrim_range *)arg, &range,
42097 +               if (copy_to_user((struct fstrim_range __user *)arg, &range,
42098                     sizeof(range)))
42099                         return -EFAULT;
42100  
42101 diff -urNp linux-3.1.1/fs/ext4/mballoc.c linux-3.1.1/fs/ext4/mballoc.c
42102 --- linux-3.1.1/fs/ext4/mballoc.c       2011-11-11 15:19:27.000000000 -0500
42103 +++ linux-3.1.1/fs/ext4/mballoc.c       2011-11-16 18:40:29.000000000 -0500
42104 @@ -1795,7 +1795,7 @@ void ext4_mb_simple_scan_group(struct ex
42105                 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
42106  
42107                 if (EXT4_SB(sb)->s_mb_stats)
42108 -                       atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
42109 +                       atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
42110  
42111                 break;
42112         }
42113 @@ -2089,7 +2089,7 @@ repeat:
42114                         ac->ac_status = AC_STATUS_CONTINUE;
42115                         ac->ac_flags |= EXT4_MB_HINT_FIRST;
42116                         cr = 3;
42117 -                       atomic_inc(&sbi->s_mb_lost_chunks);
42118 +                       atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
42119                         goto repeat;
42120                 }
42121         }
42122 @@ -2132,6 +2132,8 @@ static int ext4_mb_seq_groups_show(struc
42123                 ext4_grpblk_t counters[16];
42124         } sg;
42125  
42126 +       pax_track_stack();
42127 +
42128         group--;
42129         if (group == 0)
42130                 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
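Review bot: The pax_track_stack() call added to ext4_mb_seq_groups_show has no comment tying it to the reason it is here, namely the large on-stack `sg` aggregate (its `ext4_grpblk_t counters[16]` tail is visible just above), whose frame must be recorded in lowest_stack for STACKLEAK to clear it. Suggested: `/* STACKLEAK: account for the large on-stack 'sg' before it is touched */`. The hunk shows only the top of the function; that the call precedes the first use of `sg` should be confirmed outside it.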
42131 @@ -2573,25 +2575,25 @@ int ext4_mb_release(struct super_block *
42132         if (sbi->s_mb_stats) {
42133                 ext4_msg(sb, KERN_INFO,
42134                        "mballoc: %u blocks %u reqs (%u success)",
42135 -                               atomic_read(&sbi->s_bal_allocated),
42136 -                               atomic_read(&sbi->s_bal_reqs),
42137 -                               atomic_read(&sbi->s_bal_success));
42138 +                               atomic_read_unchecked(&sbi->s_bal_allocated),
42139 +                               atomic_read_unchecked(&sbi->s_bal_reqs),
42140 +                               atomic_read_unchecked(&sbi->s_bal_success));
42141                 ext4_msg(sb, KERN_INFO,
42142                       "mballoc: %u extents scanned, %u goal hits, "
42143                                 "%u 2^N hits, %u breaks, %u lost",
42144 -                               atomic_read(&sbi->s_bal_ex_scanned),
42145 -                               atomic_read(&sbi->s_bal_goals),
42146 -                               atomic_read(&sbi->s_bal_2orders),
42147 -                               atomic_read(&sbi->s_bal_breaks),
42148 -                               atomic_read(&sbi->s_mb_lost_chunks));
42149 +                               atomic_read_unchecked(&sbi->s_bal_ex_scanned),
42150 +                               atomic_read_unchecked(&sbi->s_bal_goals),
42151 +                               atomic_read_unchecked(&sbi->s_bal_2orders),
42152 +                               atomic_read_unchecked(&sbi->s_bal_breaks),
42153 +                               atomic_read_unchecked(&sbi->s_mb_lost_chunks));
42154                 ext4_msg(sb, KERN_INFO,
42155                        "mballoc: %lu generated and it took %Lu",
42156                                 sbi->s_mb_buddies_generated,
42157                                 sbi->s_mb_generation_time);
42158                 ext4_msg(sb, KERN_INFO,
42159                        "mballoc: %u preallocated, %u discarded",
42160 -                               atomic_read(&sbi->s_mb_preallocated),
42161 -                               atomic_read(&sbi->s_mb_discarded));
42162 +                               atomic_read_unchecked(&sbi->s_mb_preallocated),
42163 +                               atomic_read_unchecked(&sbi->s_mb_discarded));
42164         }
42165  
42166         free_percpu(sbi->s_locality_groups);
42167 @@ -3070,16 +3072,16 @@ static void ext4_mb_collect_stats(struct
42168         struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
42169  
42170         if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
42171 -               atomic_inc(&sbi->s_bal_reqs);
42172 -               atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
42173 +               atomic_inc_unchecked(&sbi->s_bal_reqs);
42174 +               atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
42175                 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
42176 -                       atomic_inc(&sbi->s_bal_success);
42177 -               atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
42178 +                       atomic_inc_unchecked(&sbi->s_bal_success);
42179 +               atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
42180                 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
42181                                 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
42182 -                       atomic_inc(&sbi->s_bal_goals);
42183 +                       atomic_inc_unchecked(&sbi->s_bal_goals);
42184                 if (ac->ac_found > sbi->s_mb_max_to_scan)
42185 -                       atomic_inc(&sbi->s_bal_breaks);
42186 +                       atomic_inc_unchecked(&sbi->s_bal_breaks);
42187         }
42188  
42189         if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
42190 @@ -3477,7 +3479,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
42191         trace_ext4_mb_new_inode_pa(ac, pa);
42192  
42193         ext4_mb_use_inode_pa(ac, pa);
42194 -       atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42195 +       atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42196  
42197         ei = EXT4_I(ac->ac_inode);
42198         grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
42199 @@ -3537,7 +3539,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
42200         trace_ext4_mb_new_group_pa(ac, pa);
42201  
42202         ext4_mb_use_group_pa(ac, pa);
42203 -       atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42204 +       atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42205  
42206         grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
42207         lg = ac->ac_lg;
42208 @@ -3625,7 +3627,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
42209                  * from the bitmap and continue.
42210                  */
42211         }
42212 -       atomic_add(free, &sbi->s_mb_discarded);
42213 +       atomic_add_unchecked(free, &sbi->s_mb_discarded);
42214  
42215         return err;
42216  }
42217 @@ -3643,7 +3645,7 @@ ext4_mb_release_group_pa(struct ext4_bud
42218         ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
42219         BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
42220         mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
42221 -       atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
42222 +       atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
42223         trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
42224  
42225         return 0;
42226 diff -urNp linux-3.1.1/fs/fcntl.c linux-3.1.1/fs/fcntl.c
42227 --- linux-3.1.1/fs/fcntl.c      2011-11-11 15:19:27.000000000 -0500
42228 +++ linux-3.1.1/fs/fcntl.c      2011-11-16 23:40:25.000000000 -0500
42229 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
42230         if (err)
42231                 return err;
42232  
42233 +       if (gr_handle_chroot_fowner(pid, type))
42234 +               return -ENOENT;
42235 +       if (gr_check_protected_task_fowner(pid, type))
42236 +               return -EACCES;
42237 +
42238         f_modown(filp, pid, type, force);
42239         return 0;
42240  }
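Review bot: The two grsec hooks added to __f_setown return different errors for what a caller sees as the same denial — `-ENOENT` from gr_handle_chroot_fowner() and `-EACCES` from gr_check_protected_task_fowner() — and nothing explains the split. If the intent is that a chrooted process must not learn that a pid outside its jail exists (hence ENOENT, as for a missing pid) while a protected task is acknowledged but refused, say so: `/* chroot: pretend the outside pid does not exist; protected task: exists but is off-limits */`. Placing the checks after the preceding `err` return (presumably the security hook's result) and before f_modown() means a denial leaves no partial owner state, which is the right order.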
42241 @@ -266,7 +271,7 @@ pid_t f_getown(struct file *filp)
42242  
42243  static int f_setown_ex(struct file *filp, unsigned long arg)
42244  {
42245 -       struct f_owner_ex * __user owner_p = (void * __user)arg;
42246 +       struct f_owner_ex __user *owner_p = (void __user *)arg;
42247         struct f_owner_ex owner;
42248         struct pid *pid;
42249         int type;
42250 @@ -306,7 +311,7 @@ static int f_setown_ex(struct file *filp
42251  
42252  static int f_getown_ex(struct file *filp, unsigned long arg)
42253  {
42254 -       struct f_owner_ex * __user owner_p = (void * __user)arg;
42255 +       struct f_owner_ex __user *owner_p = (void __user *)arg;
42256         struct f_owner_ex owner;
42257         int ret = 0;
42258  
42259 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
42260         switch (cmd) {
42261         case F_DUPFD:
42262         case F_DUPFD_CLOEXEC:
42263 +               gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
42264                 if (arg >= rlimit(RLIMIT_NOFILE))
42265                         break;
42266                 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
42267 diff -urNp linux-3.1.1/fs/fifo.c linux-3.1.1/fs/fifo.c
42268 --- linux-3.1.1/fs/fifo.c       2011-11-11 15:19:27.000000000 -0500
42269 +++ linux-3.1.1/fs/fifo.c       2011-11-16 18:39:08.000000000 -0500
42270 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
42271          */
42272                 filp->f_op = &read_pipefifo_fops;
42273                 pipe->r_counter++;
42274 -               if (pipe->readers++ == 0)
42275 +               if (atomic_inc_return(&pipe->readers) == 1)
42276                         wake_up_partner(inode);
42277  
42278 -               if (!pipe->writers) {
42279 +               if (!atomic_read(&pipe->writers)) {
42280                         if ((filp->f_flags & O_NONBLOCK)) {
42281                                 /* suppress POLLHUP until we have
42282                                  * seen a writer */
42283 @@ -81,15 +81,15 @@ static int fifo_open(struct inode *inode
42284          *  errno=ENXIO when there is no process reading the FIFO.
42285          */
42286                 ret = -ENXIO;
42287 -               if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
42288 +               if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
42289                         goto err;
42290  
42291                 filp->f_op = &write_pipefifo_fops;
42292                 pipe->w_counter++;
42293 -               if (!pipe->writers++)
42294 +               if (atomic_inc_return(&pipe->writers) == 1)
42295                         wake_up_partner(inode);
42296  
42297 -               if (!pipe->readers) {
42298 +               if (!atomic_read(&pipe->readers)) {
42299                         wait_for_partner(inode, &pipe->r_counter);
42300                         if (signal_pending(current))
42301                                 goto err_wr;
42302 @@ -105,11 +105,11 @@ static int fifo_open(struct inode *inode
42303          */
42304                 filp->f_op = &rdwr_pipefifo_fops;
42305  
42306 -               pipe->readers++;
42307 -               pipe->writers++;
42308 +               atomic_inc(&pipe->readers);
42309 +               atomic_inc(&pipe->writers);
42310                 pipe->r_counter++;
42311                 pipe->w_counter++;
42312 -               if (pipe->readers == 1 || pipe->writers == 1)
42313 +               if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
42314                         wake_up_partner(inode);
42315                 break;
42316  
42317 @@ -123,19 +123,19 @@ static int fifo_open(struct inode *inode
42318         return 0;
42319  
42320  err_rd:
42321 -       if (!--pipe->readers)
42322 +       if (atomic_dec_and_test(&pipe->readers))
42323                 wake_up_interruptible(&pipe->wait);
42324         ret = -ERESTARTSYS;
42325         goto err;
42326  
42327  err_wr:
42328 -       if (!--pipe->writers)
42329 +       if (atomic_dec_and_test(&pipe->writers))
42330                 wake_up_interruptible(&pipe->wait);
42331         ret = -ERESTARTSYS;
42332         goto err;
42333  
42334  err:
42335 -       if (!pipe->readers && !pipe->writers)
42336 +       if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
42337                 free_pipe_info(inode);
42338  
42339  err_nocleanup:
42340 diff -urNp linux-3.1.1/fs/file.c linux-3.1.1/fs/file.c
42341 --- linux-3.1.1/fs/file.c       2011-11-11 15:19:27.000000000 -0500
42342 +++ linux-3.1.1/fs/file.c       2011-11-16 18:40:29.000000000 -0500
42343 @@ -15,6 +15,7 @@
42344  #include <linux/slab.h>
42345  #include <linux/vmalloc.h>
42346  #include <linux/file.h>
42347 +#include <linux/security.h>
42348  #include <linux/fdtable.h>
42349  #include <linux/bitops.h>
42350  #include <linux/interrupt.h>
42351 @@ -254,6 +255,7 @@ int expand_files(struct files_struct *fi
42352          * N.B. For clone tasks sharing a files structure, this test
42353          * will limit the total number of files that can be opened.
42354          */
42355 +       gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
42356         if (nr >= rlimit(RLIMIT_NOFILE))
42357                 return -EMFILE;
42358  
42359 diff -urNp linux-3.1.1/fs/filesystems.c linux-3.1.1/fs/filesystems.c
42360 --- linux-3.1.1/fs/filesystems.c        2011-11-11 15:19:27.000000000 -0500
42361 +++ linux-3.1.1/fs/filesystems.c        2011-11-16 18:40:29.000000000 -0500
42362 @@ -274,7 +274,12 @@ struct file_system_type *get_fs_type(con
42363         int len = dot ? dot - name : strlen(name);
42364  
42365         fs = __get_fs_type(name, len);
42366 +       
42367 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
42368 +       if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
42369 +#else
42370         if (!fs && (request_module("%.*s", len, name) == 0))
42371 +#endif
42372                 fs = __get_fs_type(name, len);
42373  
42374         if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
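Review bot: The blank line added after `fs = __get_fs_type(name, len);` carries trailing whitespace, which checkpatch flags; drop it. The MODHARDEN branch also deserves a comment, since `___request_module(true, "grsec_modharden_fs", ...)` differs from plain `request_module()` in ways a reader cannot infer from the call: `/* MODHARDEN: tag this auto-load so policy can decide whether an unprivileged mount may pull in a filesystem module */` (the exact policy is presumably defined in the grsec module-loading code, not here). get_fs_type continues past the hunk.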
42375 diff -urNp linux-3.1.1/fs/fscache/cookie.c linux-3.1.1/fs/fscache/cookie.c
42376 --- linux-3.1.1/fs/fscache/cookie.c     2011-11-11 15:19:27.000000000 -0500
42377 +++ linux-3.1.1/fs/fscache/cookie.c     2011-11-16 18:39:08.000000000 -0500
42378 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
42379                parent ? (char *) parent->def->name : "<no-parent>",
42380                def->name, netfs_data);
42381  
42382 -       fscache_stat(&fscache_n_acquires);
42383 +       fscache_stat_unchecked(&fscache_n_acquires);
42384  
42385         /* if there's no parent cookie, then we don't create one here either */
42386         if (!parent) {
42387 -               fscache_stat(&fscache_n_acquires_null);
42388 +               fscache_stat_unchecked(&fscache_n_acquires_null);
42389                 _leave(" [no parent]");
42390                 return NULL;
42391         }
42392 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
42393         /* allocate and initialise a cookie */
42394         cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
42395         if (!cookie) {
42396 -               fscache_stat(&fscache_n_acquires_oom);
42397 +               fscache_stat_unchecked(&fscache_n_acquires_oom);
42398                 _leave(" [ENOMEM]");
42399                 return NULL;
42400         }
42401 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
42402  
42403         switch (cookie->def->type) {
42404         case FSCACHE_COOKIE_TYPE_INDEX:
42405 -               fscache_stat(&fscache_n_cookie_index);
42406 +               fscache_stat_unchecked(&fscache_n_cookie_index);
42407                 break;
42408         case FSCACHE_COOKIE_TYPE_DATAFILE:
42409 -               fscache_stat(&fscache_n_cookie_data);
42410 +               fscache_stat_unchecked(&fscache_n_cookie_data);
42411                 break;
42412         default:
42413 -               fscache_stat(&fscache_n_cookie_special);
42414 +               fscache_stat_unchecked(&fscache_n_cookie_special);
42415                 break;
42416         }
42417  
42418 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
42419                 if (fscache_acquire_non_index_cookie(cookie) < 0) {
42420                         atomic_dec(&parent->n_children);
42421                         __fscache_cookie_put(cookie);
42422 -                       fscache_stat(&fscache_n_acquires_nobufs);
42423 +                       fscache_stat_unchecked(&fscache_n_acquires_nobufs);
42424                         _leave(" = NULL");
42425                         return NULL;
42426                 }
42427         }
42428  
42429 -       fscache_stat(&fscache_n_acquires_ok);
42430 +       fscache_stat_unchecked(&fscache_n_acquires_ok);
42431         _leave(" = %p", cookie);
42432         return cookie;
42433  }
42434 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
42435         cache = fscache_select_cache_for_object(cookie->parent);
42436         if (!cache) {
42437                 up_read(&fscache_addremove_sem);
42438 -               fscache_stat(&fscache_n_acquires_no_cache);
42439 +               fscache_stat_unchecked(&fscache_n_acquires_no_cache);
42440                 _leave(" = -ENOMEDIUM [no cache]");
42441                 return -ENOMEDIUM;
42442         }
42443 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
42444         object = cache->ops->alloc_object(cache, cookie);
42445         fscache_stat_d(&fscache_n_cop_alloc_object);
42446         if (IS_ERR(object)) {
42447 -               fscache_stat(&fscache_n_object_no_alloc);
42448 +               fscache_stat_unchecked(&fscache_n_object_no_alloc);
42449                 ret = PTR_ERR(object);
42450                 goto error;
42451         }
42452  
42453 -       fscache_stat(&fscache_n_object_alloc);
42454 +       fscache_stat_unchecked(&fscache_n_object_alloc);
42455  
42456         object->debug_id = atomic_inc_return(&fscache_object_debug_id);
42457  
42458 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
42459         struct fscache_object *object;
42460         struct hlist_node *_p;
42461  
42462 -       fscache_stat(&fscache_n_updates);
42463 +       fscache_stat_unchecked(&fscache_n_updates);
42464  
42465         if (!cookie) {
42466 -               fscache_stat(&fscache_n_updates_null);
42467 +               fscache_stat_unchecked(&fscache_n_updates_null);
42468                 _leave(" [no cookie]");
42469                 return;
42470         }
42471 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct 
42472         struct fscache_object *object;
42473         unsigned long event;
42474  
42475 -       fscache_stat(&fscache_n_relinquishes);
42476 +       fscache_stat_unchecked(&fscache_n_relinquishes);
42477         if (retire)
42478 -               fscache_stat(&fscache_n_relinquishes_retire);
42479 +               fscache_stat_unchecked(&fscache_n_relinquishes_retire);
42480  
42481         if (!cookie) {
42482 -               fscache_stat(&fscache_n_relinquishes_null);
42483 +               fscache_stat_unchecked(&fscache_n_relinquishes_null);
42484                 _leave(" [no cookie]");
42485                 return;
42486         }
42487 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct 
42488  
42489         /* wait for the cookie to finish being instantiated (or to fail) */
42490         if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
42491 -               fscache_stat(&fscache_n_relinquishes_waitcrt);
42492 +               fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
42493                 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
42494                             fscache_wait_bit, TASK_UNINTERRUPTIBLE);
42495         }
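--- a/fs/fscache/internal.h
+++ b/fs/fscache/internal.h
@@ -144,94 +144,94 @@ extern void fscache_proc_cleanup(void);
 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
 
-extern atomic_t fscache_n_op_pend;
-extern atomic_t fscache_n_op_run;
-extern atomic_t fscache_n_op_enqueue;
-extern atomic_t fscache_n_op_deferred_release;
-extern atomic_t fscache_n_op_release;
-extern atomic_t fscache_n_op_gc;
-extern atomic_t fscache_n_op_cancelled;
-extern atomic_t fscache_n_op_rejected;
-
-extern atomic_t fscache_n_attr_changed;
-extern atomic_t fscache_n_attr_changed_ok;
-extern atomic_t fscache_n_attr_changed_nobufs;
-extern atomic_t fscache_n_attr_changed_nomem;
-extern atomic_t fscache_n_attr_changed_calls;
-
-extern atomic_t fscache_n_allocs;
-extern atomic_t fscache_n_allocs_ok;
-extern atomic_t fscache_n_allocs_wait;
-extern atomic_t fscache_n_allocs_nobufs;
-extern atomic_t fscache_n_allocs_intr;
-extern atomic_t fscache_n_allocs_object_dead;
-extern atomic_t fscache_n_alloc_ops;
-extern atomic_t fscache_n_alloc_op_waits;
-
-extern atomic_t fscache_n_retrievals;
-extern atomic_t fscache_n_retrievals_ok;
-extern atomic_t fscache_n_retrievals_wait;
-extern atomic_t fscache_n_retrievals_nodata;
-extern atomic_t fscache_n_retrievals_nobufs;
-extern atomic_t fscache_n_retrievals_intr;
-extern atomic_t fscache_n_retrievals_nomem;
-extern atomic_t fscache_n_retrievals_object_dead;
-extern atomic_t fscache_n_retrieval_ops;
-extern atomic_t fscache_n_retrieval_op_waits;
-
-extern atomic_t fscache_n_stores;
-extern atomic_t fscache_n_stores_ok;
-extern atomic_t fscache_n_stores_again;
-extern atomic_t fscache_n_stores_nobufs;
-extern atomic_t fscache_n_stores_oom;
-extern atomic_t fscache_n_store_ops;
-extern atomic_t fscache_n_store_calls;
-extern atomic_t fscache_n_store_pages;
-extern atomic_t fscache_n_store_radix_deletes;
-extern atomic_t fscache_n_store_pages_over_limit;
-
-extern atomic_t fscache_n_store_vmscan_not_storing;
-extern atomic_t fscache_n_store_vmscan_gone;
-extern atomic_t fscache_n_store_vmscan_busy;
-extern atomic_t fscache_n_store_vmscan_cancelled;
-
-extern atomic_t fscache_n_marks;
-extern atomic_t fscache_n_uncaches;
-
-extern atomic_t fscache_n_acquires;
-extern atomic_t fscache_n_acquires_null;
-extern atomic_t fscache_n_acquires_no_cache;
-extern atomic_t fscache_n_acquires_ok;
-extern atomic_t fscache_n_acquires_nobufs;
-extern atomic_t fscache_n_acquires_oom;
-
-extern atomic_t fscache_n_updates;
-extern atomic_t fscache_n_updates_null;
-extern atomic_t fscache_n_updates_run;
-
-extern atomic_t fscache_n_relinquishes;
-extern atomic_t fscache_n_relinquishes_null;
-extern atomic_t fscache_n_relinquishes_waitcrt;
-extern atomic_t fscache_n_relinquishes_retire;
-
-extern atomic_t fscache_n_cookie_index;
-extern atomic_t fscache_n_cookie_data;
-extern atomic_t fscache_n_cookie_special;
-
-extern atomic_t fscache_n_object_alloc;
-extern atomic_t fscache_n_object_no_alloc;
-extern atomic_t fscache_n_object_lookups;
-extern atomic_t fscache_n_object_lookups_negative;
-extern atomic_t fscache_n_object_lookups_positive;
-extern atomic_t fscache_n_object_lookups_timed_out;
-extern atomic_t fscache_n_object_created;
-extern atomic_t fscache_n_object_avail;
-extern atomic_t fscache_n_object_dead;
-
-extern atomic_t fscache_n_checkaux_none;
-extern atomic_t fscache_n_checkaux_okay;
-extern atomic_t fscache_n_checkaux_update;
-extern atomic_t fscache_n_checkaux_obsolete;
+extern atomic_unchecked_t fscache_n_op_pend;
+extern atomic_unchecked_t fscache_n_op_run;
+extern atomic_unchecked_t fscache_n_op_enqueue;
+extern atomic_unchecked_t fscache_n_op_deferred_release;
+extern atomic_unchecked_t fscache_n_op_release;
+extern atomic_unchecked_t fscache_n_op_gc;
+extern atomic_unchecked_t fscache_n_op_cancelled;
+extern atomic_unchecked_t fscache_n_op_rejected;
+
+extern atomic_unchecked_t fscache_n_attr_changed;
+extern atomic_unchecked_t fscache_n_attr_changed_ok;
+extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
+extern atomic_unchecked_t fscache_n_attr_changed_nomem;
+extern atomic_unchecked_t fscache_n_attr_changed_calls;
+
+extern atomic_unchecked_t fscache_n_allocs;
+extern atomic_unchecked_t fscache_n_allocs_ok;
+extern atomic_unchecked_t fscache_n_allocs_wait;
+extern atomic_unchecked_t fscache_n_allocs_nobufs;
+extern atomic_unchecked_t fscache_n_allocs_intr;
+extern atomic_unchecked_t fscache_n_allocs_object_dead;
+extern atomic_unchecked_t fscache_n_alloc_ops;
+extern atomic_unchecked_t fscache_n_alloc_op_waits;
+
+extern atomic_unchecked_t fscache_n_retrievals;
+extern atomic_unchecked_t fscache_n_retrievals_ok;
+extern atomic_unchecked_t fscache_n_retrievals_wait;
+extern atomic_unchecked_t fscache_n_retrievals_nodata;
+extern atomic_unchecked_t fscache_n_retrievals_nobufs;
+extern atomic_unchecked_t fscache_n_retrievals_intr;
+extern atomic_unchecked_t fscache_n_retrievals_nomem;
+extern atomic_unchecked_t fscache_n_retrievals_object_dead;
+extern atomic_unchecked_t fscache_n_retrieval_ops;
+extern atomic_unchecked_t fscache_n_retrieval_op_waits;
+
+extern atomic_unchecked_t fscache_n_stores;
+extern atomic_unchecked_t fscache_n_stores_ok;
+extern atomic_unchecked_t fscache_n_stores_again;
+extern atomic_unchecked_t fscache_n_stores_nobufs;
+extern atomic_unchecked_t fscache_n_stores_oom;
+extern atomic_unchecked_t fscache_n_store_ops;
+extern atomic_unchecked_t fscache_n_store_calls;
+extern atomic_unchecked_t fscache_n_store_pages;
+extern atomic_unchecked_t fscache_n_store_radix_deletes;
+extern atomic_unchecked_t fscache_n_store_pages_over_limit;
+
+extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
+extern atomic_unchecked_t fscache_n_store_vmscan_gone;
+extern atomic_unchecked_t fscache_n_store_vmscan_busy;
+extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
+
+extern atomic_unchecked_t fscache_n_marks;
+extern atomic_unchecked_t fscache_n_uncaches;
+
+extern atomic_unchecked_t fscache_n_acquires;
+extern atomic_unchecked_t fscache_n_acquires_null;
+extern atomic_unchecked_t fscache_n_acquires_no_cache;
+extern atomic_unchecked_t fscache_n_acquires_ok;
+extern atomic_unchecked_t fscache_n_acquires_nobufs;
+extern atomic_unchecked_t fscache_n_acquires_oom;
+
+extern atomic_unchecked_t fscache_n_updates;
+extern atomic_unchecked_t fscache_n_updates_null;
+extern atomic_unchecked_t fscache_n_updates_run;
+
+extern atomic_unchecked_t fscache_n_relinquishes;
+extern atomic_unchecked_t fscache_n_relinquishes_null;
+extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
+extern atomic_unchecked_t fscache_n_relinquishes_retire;
+
+extern atomic_unchecked_t fscache_n_cookie_index;
+extern atomic_unchecked_t fscache_n_cookie_data;
+extern atomic_unchecked_t fscache_n_cookie_special;
+
+extern atomic_unchecked_t fscache_n_object_alloc;
+extern atomic_unchecked_t fscache_n_object_no_alloc;
+extern atomic_unchecked_t fscache_n_object_lookups;
+extern atomic_unchecked_t fscache_n_object_lookups_negative;
+extern atomic_unchecked_t fscache_n_object_lookups_positive;
+extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
+extern atomic_unchecked_t fscache_n_object_created;
+extern atomic_unchecked_t fscache_n_object_avail;
+extern atomic_unchecked_t fscache_n_object_dead;
+
+extern atomic_unchecked_t fscache_n_checkaux_none;
+extern atomic_unchecked_t fscache_n_checkaux_okay;
+extern atomic_unchecked_t fscache_n_checkaux_update;
+extern atomic_unchecked_t fscache_n_checkaux_obsolete;
 
 extern atomic_t fscache_n_cop_alloc_object;
 extern atomic_t fscache_n_cop_lookup_object;
@@ -255,6 +255,11 @@ static inline void fscache_stat(atomic_t
        atomic_inc(stat);
 }
 
+static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
+{
+       atomic_inc_unchecked(stat);
+}
+
 static inline void fscache_stat_d(atomic_t *stat)
 {
        atomic_dec(stat);
@@ -267,6 +272,7 @@ extern const struct file_operations fsca
 
 #define __fscache_stat(stat) (NULL)
 #define fscache_stat(stat) do {} while (0)
+#define fscache_stat_unchecked(stat) do {} while (0)
 #define fscache_stat_d(stat) do {} while (0)
 #endif
 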
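Review bot: The new `fscache_stat_unchecked` inline in the `@@ -255,6 +255,11 @@` hunk carries no comment saying when a counter belongs in the `atomic_unchecked_t` family rather than `atomic_t`, and the `@@ -144,94 +144,94 @@` hunk is the only place the rule can be inferred: every counter converted there is only ever incremented, while the `fscache_n_cop_*` counters left as `atomic_t` are paired with `fscache_stat_d` decrements elsewhere in this patch. Presumably the intent is that monotonic statistics may wrap without consequence and so should not trip the overflow check the unchecked atomics bypass, whereas in-flight counters keep it; that should be written down where the next counter gets added. Suggest above the new inline: `/* Statistics counters are increment-only and may wrap harmlessly, so they use the unchecked atomics; in-flight counters (fscache_n_cop_*) keep atomic_t and its overflow check. */` The definitions of these counters live in the statistics source file, which is not in this chunk and must carry the same type change.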
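--- a/fs/fscache/object.c
+++ b/fs/fscache/object.c
@@ -128,7 +128,7 @@ static void fscache_object_state_machine
                /* update the object metadata on disk */
        case FSCACHE_OBJECT_UPDATING:
                clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
-               fscache_stat(&fscache_n_updates_run);
+               fscache_stat_unchecked(&fscache_n_updates_run);
                fscache_stat(&fscache_n_cop_update_object);
                object->cache->ops->update_object(object);
                fscache_stat_d(&fscache_n_cop_update_object);
@@ -217,7 +217,7 @@ static void fscache_object_state_machine
                spin_lock(&object->lock);
                object->state = FSCACHE_OBJECT_DEAD;
                spin_unlock(&object->lock);
-               fscache_stat(&fscache_n_object_dead);
+               fscache_stat_unchecked(&fscache_n_object_dead);
                goto terminal_transit;
 
                /* handle the parent cache of this object being withdrawn from
@@ -232,7 +232,7 @@ static void fscache_object_state_machine
                spin_lock(&object->lock);
                object->state = FSCACHE_OBJECT_DEAD;
                spin_unlock(&object->lock);
-               fscache_stat(&fscache_n_object_dead);
+               fscache_stat_unchecked(&fscache_n_object_dead);
                goto terminal_transit;
 
                /* complain about the object being woken up once it is
@@ -461,7 +461,7 @@ static void fscache_lookup_object(struct
               parent->cookie->def->name, cookie->def->name,
               object->cache->tag->name);
 
-       fscache_stat(&fscache_n_object_lookups);
+       fscache_stat_unchecked(&fscache_n_object_lookups);
        fscache_stat(&fscache_n_cop_lookup_object);
        ret = object->cache->ops->lookup_object(object);
        fscache_stat_d(&fscache_n_cop_lookup_object);
@@ -472,7 +472,7 @@ static void fscache_lookup_object(struct
        if (ret == -ETIMEDOUT) {
                /* probably stuck behind another object, so move this one to
                 * the back of the queue */
-               fscache_stat(&fscache_n_object_lookups_timed_out);
+               fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
                set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
        }
 
@@ -495,7 +495,7 @@ void fscache_object_lookup_negative(stru
 
        spin_lock(&object->lock);
        if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
-               fscache_stat(&fscache_n_object_lookups_negative);
+               fscache_stat_unchecked(&fscache_n_object_lookups_negative);
 
                /* transit here to allow write requests to begin stacking up
                 * and read requests to begin returning ENODATA */
@@ -541,7 +541,7 @@ void fscache_obtained_object(struct fsca
         * result, in which case there may be data available */
        spin_lock(&object->lock);
        if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
-               fscache_stat(&fscache_n_object_lookups_positive);
+               fscache_stat_unchecked(&fscache_n_object_lookups_positive);
 
                clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
 
@@ -555,7 +555,7 @@ void fscache_obtained_object(struct fsca
                set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
        } else {
                ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
-               fscache_stat(&fscache_n_object_created);
+               fscache_stat_unchecked(&fscache_n_object_created);
 
                object->state = FSCACHE_OBJECT_AVAILABLE;
                spin_unlock(&object->lock);
@@ -602,7 +602,7 @@ static void fscache_object_available(str
        fscache_enqueue_dependents(object);
 
        fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
-       fscache_stat(&fscache_n_object_avail);
+       fscache_stat_unchecked(&fscache_n_object_avail);
 
        _leave("");
 }
@@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
        enum fscache_checkaux result;
 
        if (!object->cookie->def->check_aux) {
-               fscache_stat(&fscache_n_checkaux_none);
+               fscache_stat_unchecked(&fscache_n_checkaux_none);
                return FSCACHE_CHECKAUX_OKAY;
        }
 
@@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
        switch (result) {
                /* entry okay as is */
        case FSCACHE_CHECKAUX_OKAY:
-               fscache_stat(&fscache_n_checkaux_okay);
+               fscache_stat_unchecked(&fscache_n_checkaux_okay);
                break;
 
                /* entry requires update */
        case FSCACHE_CHECKAUX_NEEDS_UPDATE:
-               fscache_stat(&fscache_n_checkaux_update);
+               fscache_stat_unchecked(&fscache_n_checkaux_update);
                break;
 
                /* entry requires deletion */
        case FSCACHE_CHECKAUX_OBSOLETE:
-               fscache_stat(&fscache_n_checkaux_obsolete);
+               fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
                break;
 
        default: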
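--- a/fs/fscache/operation.c
+++ b/fs/fscache/operation.c
@@ -17,7 +17,7 @@
 #include <linux/slab.h>
 #include "internal.h"
 
-atomic_t fscache_op_debug_id;
+atomic_unchecked_t fscache_op_debug_id;
 EXPORT_SYMBOL(fscache_op_debug_id);
 
 /**
@@ -38,7 +38,7 @@ void fscache_enqueue_operation(struct fs
        ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
        ASSERTCMP(atomic_read(&op->usage), >, 0);
 
-       fscache_stat(&fscache_n_op_enqueue);
+       fscache_stat_unchecked(&fscache_n_op_enqueue);
        switch (op->flags & FSCACHE_OP_TYPE) {
        case FSCACHE_OP_ASYNC:
                _debug("queue async");
@@ -69,7 +69,7 @@ static void fscache_run_op(struct fscach
                wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
        if (op->processor)
                fscache_enqueue_operation(op);
-       fscache_stat(&fscache_n_op_run);
+       fscache_stat_unchecked(&fscache_n_op_run);
 }
 
 /*
@@ -98,11 +98,11 @@ int fscache_submit_exclusive_op(struct f
                if (object->n_ops > 1) {
                        atomic_inc(&op->usage);
                        list_add_tail(&op->pend_link, &object->pending_ops);
-                       fscache_stat(&fscache_n_op_pend);
+                       fscache_stat_unchecked(&fscache_n_op_pend);
                } else if (!list_empty(&object->pending_ops)) {
                        atomic_inc(&op->usage);
                        list_add_tail(&op->pend_link, &object->pending_ops);
-                       fscache_stat(&fscache_n_op_pend);
+                       fscache_stat_unchecked(&fscache_n_op_pend);
                        fscache_start_operations(object);
                } else {
                        ASSERTCMP(object->n_in_progress, ==, 0);
@@ -118,7 +118,7 @@ int fscache_submit_exclusive_op(struct f
                object->n_exclusive++;  /* reads and writes must wait */
                atomic_inc(&op->usage);
                list_add_tail(&op->pend_link, &object->pending_ops);
-               fscache_stat(&fscache_n_op_pend);
+               fscache_stat_unchecked(&fscache_n_op_pend);
                ret = 0;
        } else {
                /* not allowed to submit ops in any other state */
@@ -203,11 +203,11 @@ int fscache_submit_op(struct fscache_obj
                if (object->n_exclusive > 0) {
                        atomic_inc(&op->usage);
                        list_add_tail(&op->pend_link, &object->pending_ops);
-                       fscache_stat(&fscache_n_op_pend);
+                       fscache_stat_unchecked(&fscache_n_op_pend);
                } else if (!list_empty(&object->pending_ops)) {
                        atomic_inc(&op->usage);
                        list_add_tail(&op->pend_link, &object->pending_ops);
-                       fscache_stat(&fscache_n_op_pend);
+                       fscache_stat_unchecked(&fscache_n_op_pend);
                        fscache_start_operations(object);
                } else {
                        ASSERTCMP(object->n_exclusive, ==, 0);
@@ -219,12 +219,12 @@ int fscache_submit_op(struct fscache_obj
                object->n_ops++;
                atomic_inc(&op->usage);
                list_add_tail(&op->pend_link, &object->pending_ops);
-               fscache_stat(&fscache_n_op_pend);
+               fscache_stat_unchecked(&fscache_n_op_pend);
                ret = 0;
        } else if (object->state == FSCACHE_OBJECT_DYING ||
                   object->state == FSCACHE_OBJECT_LC_DYING ||
                   object->state == FSCACHE_OBJECT_WITHDRAWING) {
-               fscache_stat(&fscache_n_op_rejected);
+               fscache_stat_unchecked(&fscache_n_op_rejected);
                ret = -ENOBUFS;
        } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
                fscache_report_unexpected_submission(object, op, ostate);
@@ -294,7 +294,7 @@ int fscache_cancel_op(struct fscache_ope
 
        ret = -EBUSY;
        if (!list_empty(&op->pend_link)) {
-               fscache_stat(&fscache_n_op_cancelled);
+               fscache_stat_unchecked(&fscache_n_op_cancelled);
                list_del_init(&op->pend_link);
                object->n_ops--;
                if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
@@ -331,7 +331,7 @@ void fscache_put_operation(struct fscach
        if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
                BUG();
 
-       fscache_stat(&fscache_n_op_release);
+       fscache_stat_unchecked(&fscache_n_op_release);
 
        if (op->release) {
                op->release(op);
@@ -348,7 +348,7 @@ void fscache_put_operation(struct fscach
         * lock, and defer it otherwise */
        if (!spin_trylock(&object->lock)) {
                _debug("defer put");
-               fscache_stat(&fscache_n_op_deferred_release);
+               fscache_stat_unchecked(&fscache_n_op_deferred_release);
 
                cache = object->cache;
                spin_lock(&cache->op_gc_list_lock);
@@ -410,7 +410,7 @@ void fscache_operation_gc(struct work_st
 
                _debug("GC DEFERRED REL OBJ%x OP%x",
                       object->debug_id, op->debug_id);
-               fscache_stat(&fscache_n_op_gc);
+               fscache_stat_unchecked(&fscache_n_op_gc);
 
                ASSERTCMP(atomic_read(&op->usage), ==, 0);
 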
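Review bot: `fscache_op_debug_id` in the `@@ -17,7 +17,7 @@` hunk becomes `atomic_unchecked_t` while staying exported through `EXPORT_SYMBOL`, so every reader outside this file — including the header that declares it and whatever allocates ids from it — has to move to the `_unchecked` accessors in the same patch, and none of that is visible in this section; worth confirming before merge. The conversion is presumably justified because the value is only ever handed out as a debug id and never used for lifetime or bounds decisions, which is exactly the case where a silent wrap is acceptable; that reasoning belongs next to the definition, e.g. `/* debug ids only: increment-only and may wrap, never used for lifetime decisions */`. The remaining hunks in this file are mechanical `fscache_stat` to `fscache_stat_unchecked` substitutions on counters that are incremented and never decremented, consistent with the new header declarations.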
42934 diff -urNp linux-3.1.1/fs/fscache/page.c linux-3.1.1/fs/fscache/page.c
42935 --- linux-3.1.1/fs/fscache/page.c       2011-11-11 15:19:27.000000000 -0500
42936 +++ linux-3.1.1/fs/fscache/page.c       2011-11-16 18:39:08.000000000 -0500
42937 @@ -60,7 +60,7 @@ bool __fscache_maybe_release_page(struct
42938         val = radix_tree_lookup(&cookie->stores, page->index);
42939         if (!val) {
42940                 rcu_read_unlock();
42941 -               fscache_stat(&fscache_n_store_vmscan_not_storing);
42942 +               fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
42943                 __fscache_uncache_page(cookie, page);
42944                 return true;
42945         }
42946 @@ -90,11 +90,11 @@ bool __fscache_maybe_release_page(struct
42947         spin_unlock(&cookie->stores_lock);
42948  
42949         if (xpage) {
42950 -               fscache_stat(&fscache_n_store_vmscan_cancelled);
42951 -               fscache_stat(&fscache_n_store_radix_deletes);
42952 +               fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
42953 +               fscache_stat_unchecked(&fscache_n_store_radix_deletes);
42954                 ASSERTCMP(xpage, ==, page);
42955         } else {
42956 -               fscache_stat(&fscache_n_store_vmscan_gone);
42957 +               fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
42958         }
42959  
42960         wake_up_bit(&cookie->flags, 0);
42961 @@ -107,7 +107,7 @@ page_busy:
42962         /* we might want to wait here, but that could deadlock the allocator as
42963          * the work threads writing to the cache may all end up sleeping
42964          * on memory allocation */
42965 -       fscache_stat(&fscache_n_store_vmscan_busy);
42966 +       fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
42967         return false;
42968  }
42969  EXPORT_SYMBOL(__fscache_maybe_release_page);
42970 @@ -131,7 +131,7 @@ static void fscache_end_page_write(struc
42971                                      FSCACHE_COOKIE_STORING_TAG);
42972                 if (!radix_tree_tag_get(&cookie->stores, page->index,
42973                                         FSCACHE_COOKIE_PENDING_TAG)) {
42974 -                       fscache_stat(&fscache_n_store_radix_deletes);
42975 +                       fscache_stat_unchecked(&fscache_n_store_radix_deletes);
42976                         xpage = radix_tree_delete(&cookie->stores, page->index);
42977                 }
42978                 spin_unlock(&cookie->stores_lock);
42979 @@ -152,7 +152,7 @@ static void fscache_attr_changed_op(stru
42980  
42981         _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
42982  
42983 -       fscache_stat(&fscache_n_attr_changed_calls);
42984 +       fscache_stat_unchecked(&fscache_n_attr_changed_calls);
42985  
42986         if (fscache_object_is_active(object)) {
42987                 fscache_stat(&fscache_n_cop_attr_changed);
42988 @@ -177,11 +177,11 @@ int __fscache_attr_changed(struct fscach
42989  
42990         ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
42991  
42992 -       fscache_stat(&fscache_n_attr_changed);
42993 +       fscache_stat_unchecked(&fscache_n_attr_changed);
42994  
42995         op = kzalloc(sizeof(*op), GFP_KERNEL);
42996         if (!op) {
42997 -               fscache_stat(&fscache_n_attr_changed_nomem);
42998 +               fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
42999                 _leave(" = -ENOMEM");
43000                 return -ENOMEM;
43001         }
43002 @@ -199,7 +199,7 @@ int __fscache_attr_changed(struct fscach
43003         if (fscache_submit_exclusive_op(object, op) < 0)
43004                 goto nobufs;
43005         spin_unlock(&cookie->lock);
43006 -       fscache_stat(&fscache_n_attr_changed_ok);
43007 +       fscache_stat_unchecked(&fscache_n_attr_changed_ok);
43008         fscache_put_operation(op);
43009         _leave(" = 0");
43010         return 0;
43011 @@ -207,7 +207,7 @@ int __fscache_attr_changed(struct fscach
43012  nobufs:
43013         spin_unlock(&cookie->lock);
43014         kfree(op);
43015 -       fscache_stat(&fscache_n_attr_changed_nobufs);
43016 +       fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
43017         _leave(" = %d", -ENOBUFS);
43018         return -ENOBUFS;
43019  }
43020 @@ -243,7 +243,7 @@ static struct fscache_retrieval *fscache
43021         /* allocate a retrieval operation and attempt to submit it */
43022         op = kzalloc(sizeof(*op), GFP_NOIO);
43023         if (!op) {
43024 -               fscache_stat(&fscache_n_retrievals_nomem);
43025 +               fscache_stat_unchecked(&fscache_n_retrievals_nomem);
43026                 return NULL;
43027         }
43028  
43029 @@ -271,13 +271,13 @@ static int fscache_wait_for_deferred_loo
43030                 return 0;
43031         }
43032  
43033 -       fscache_stat(&fscache_n_retrievals_wait);
43034 +       fscache_stat_unchecked(&fscache_n_retrievals_wait);
43035  
43036         jif = jiffies;
43037         if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
43038                         fscache_wait_bit_interruptible,
43039                         TASK_INTERRUPTIBLE) != 0) {
43040 -               fscache_stat(&fscache_n_retrievals_intr);
43041 +               fscache_stat_unchecked(&fscache_n_retrievals_intr);
43042                 _leave(" = -ERESTARTSYS");
43043                 return -ERESTARTSYS;
43044         }
43045 @@ -295,8 +295,8 @@ static int fscache_wait_for_deferred_loo
43046   */
43047  static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
43048                                                  struct fscache_retrieval *op,
43049 -                                                atomic_t *stat_op_waits,
43050 -                                                atomic_t *stat_object_dead)
43051 +                                                atomic_unchecked_t *stat_op_waits,
43052 +                                                atomic_unchecked_t *stat_object_dead)
43053  {
43054         int ret;
43055  
43056 @@ -304,7 +304,7 @@ static int fscache_wait_for_retrieval_ac
43057                 goto check_if_dead;
43058  
43059         _debug(">>> WT");
43060 -       fscache_stat(stat_op_waits);
43061 +       fscache_stat_unchecked(stat_op_waits);
43062         if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
43063                         fscache_wait_bit_interruptible,
43064                         TASK_INTERRUPTIBLE) < 0) {
43065 @@ -321,7 +321,7 @@ static int fscache_wait_for_retrieval_ac
43066  
43067  check_if_dead:
43068         if (unlikely(fscache_object_is_dead(object))) {
43069 -               fscache_stat(stat_object_dead);
43070 +               fscache_stat_unchecked(stat_object_dead);
43071                 return -ENOBUFS;
43072         }
43073         return 0;
43074 @@ -348,7 +348,7 @@ int __fscache_read_or_alloc_page(struct 
43075  
43076         _enter("%p,%p,,,", cookie, page);
43077  
43078 -       fscache_stat(&fscache_n_retrievals);
43079 +       fscache_stat_unchecked(&fscache_n_retrievals);
43080  
43081         if (hlist_empty(&cookie->backing_objects))
43082                 goto nobufs;
43083 @@ -381,7 +381,7 @@ int __fscache_read_or_alloc_page(struct 
43084                 goto nobufs_unlock;
43085         spin_unlock(&cookie->lock);
43086  
43087 -       fscache_stat(&fscache_n_retrieval_ops);
43088 +       fscache_stat_unchecked(&fscache_n_retrieval_ops);
43089  
43090         /* pin the netfs read context in case we need to do the actual netfs
43091          * read because we've encountered a cache read failure */
43092 @@ -411,15 +411,15 @@ int __fscache_read_or_alloc_page(struct 
43093  
43094  error:
43095         if (ret == -ENOMEM)
43096 -               fscache_stat(&fscache_n_retrievals_nomem);
43097 +               fscache_stat_unchecked(&fscache_n_retrievals_nomem);
43098         else if (ret == -ERESTARTSYS)
43099 -               fscache_stat(&fscache_n_retrievals_intr);
43100 +               fscache_stat_unchecked(&fscache_n_retrievals_intr);
43101         else if (ret == -ENODATA)
43102 -               fscache_stat(&fscache_n_retrievals_nodata);
43103 +               fscache_stat_unchecked(&fscache_n_retrievals_nodata);
43104         else if (ret < 0)
43105 -               fscache_stat(&fscache_n_retrievals_nobufs);
43106 +               fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43107         else
43108 -               fscache_stat(&fscache_n_retrievals_ok);
43109 +               fscache_stat_unchecked(&fscache_n_retrievals_ok);
43110  
43111         fscache_put_retrieval(op);
43112         _leave(" = %d", ret);
43113 @@ -429,7 +429,7 @@ nobufs_unlock:
43114         spin_unlock(&cookie->lock);
43115         kfree(op);
43116  nobufs:
43117 -       fscache_stat(&fscache_n_retrievals_nobufs);
43118 +       fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43119         _leave(" = -ENOBUFS");
43120         return -ENOBUFS;
43121  }
43122 @@ -467,7 +467,7 @@ int __fscache_read_or_alloc_pages(struct
43123  
43124         _enter("%p,,%d,,,", cookie, *nr_pages);
43125  
43126 -       fscache_stat(&fscache_n_retrievals);
43127 +       fscache_stat_unchecked(&fscache_n_retrievals);
43128  
43129         if (hlist_empty(&cookie->backing_objects))
43130                 goto nobufs;
43131 @@ -497,7 +497,7 @@ int __fscache_read_or_alloc_pages(struct
43132                 goto nobufs_unlock;
43133         spin_unlock(&cookie->lock);
43134  
43135 -       fscache_stat(&fscache_n_retrieval_ops);
43136 +       fscache_stat_unchecked(&fscache_n_retrieval_ops);
43137  
43138         /* pin the netfs read context in case we need to do the actual netfs
43139          * read because we've encountered a cache read failure */
43140 @@ -527,15 +527,15 @@ int __fscache_read_or_alloc_pages(struct
43141  
43142  error:
43143         if (ret == -ENOMEM)
43144 -               fscache_stat(&fscache_n_retrievals_nomem);
43145 +               fscache_stat_unchecked(&fscache_n_retrievals_nomem);
43146         else if (ret == -ERESTARTSYS)
43147 -               fscache_stat(&fscache_n_retrievals_intr);
43148 +               fscache_stat_unchecked(&fscache_n_retrievals_intr);
43149         else if (ret == -ENODATA)
43150 -               fscache_stat(&fscache_n_retrievals_nodata);
43151 +               fscache_stat_unchecked(&fscache_n_retrievals_nodata);
43152         else if (ret < 0)
43153 -               fscache_stat(&fscache_n_retrievals_nobufs);
43154 +               fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43155         else
43156 -               fscache_stat(&fscache_n_retrievals_ok);
43157 +               fscache_stat_unchecked(&fscache_n_retrievals_ok);
43158  
43159         fscache_put_retrieval(op);
43160         _leave(" = %d", ret);
43161 @@ -545,7 +545,7 @@ nobufs_unlock:
43162         spin_unlock(&cookie->lock);
43163         kfree(op);
43164  nobufs:
43165 -       fscache_stat(&fscache_n_retrievals_nobufs);
43166 +       fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43167         _leave(" = -ENOBUFS");
43168         return -ENOBUFS;
43169  }
43170 @@ -569,7 +569,7 @@ int __fscache_alloc_page(struct fscache_
43171  
43172         _enter("%p,%p,,,", cookie, page);
43173  
43174 -       fscache_stat(&fscache_n_allocs);
43175 +       fscache_stat_unchecked(&fscache_n_allocs);
43176  
43177         if (hlist_empty(&cookie->backing_objects))
43178                 goto nobufs;
43179 @@ -595,7 +595,7 @@ int __fscache_alloc_page(struct fscache_
43180                 goto nobufs_unlock;
43181         spin_unlock(&cookie->lock);
43182  
43183 -       fscache_stat(&fscache_n_alloc_ops);
43184 +       fscache_stat_unchecked(&fscache_n_alloc_ops);
43185  
43186         ret = fscache_wait_for_retrieval_activation(
43187                 object, op,
43188 @@ -611,11 +611,11 @@ int __fscache_alloc_page(struct fscache_
43189  
43190  error:
43191         if (ret == -ERESTARTSYS)
43192 -               fscache_stat(&fscache_n_allocs_intr);
43193 +               fscache_stat_unchecked(&fscache_n_allocs_intr);
43194         else if (ret < 0)
43195 -               fscache_stat(&fscache_n_allocs_nobufs);
43196 +               fscache_stat_unchecked(&fscache_n_allocs_nobufs);
43197         else
43198 -               fscache_stat(&fscache_n_allocs_ok);
43199 +               fscache_stat_unchecked(&fscache_n_allocs_ok);
43200  
43201         fscache_put_retrieval(op);
43202         _leave(" = %d", ret);
43203 @@ -625,7 +625,7 @@ nobufs_unlock:
43204         spin_unlock(&cookie->lock);
43205         kfree(op);
43206  nobufs:
43207 -       fscache_stat(&fscache_n_allocs_nobufs);
43208 +       fscache_stat_unchecked(&fscache_n_allocs_nobufs);
43209         _leave(" = -ENOBUFS");
43210         return -ENOBUFS;
43211  }
43212 @@ -666,7 +666,7 @@ static void fscache_write_op(struct fsca
43213  
43214         spin_lock(&cookie->stores_lock);
43215  
43216 -       fscache_stat(&fscache_n_store_calls);
43217 +       fscache_stat_unchecked(&fscache_n_store_calls);
43218  
43219         /* find a page to store */
43220         page = NULL;
43221 @@ -677,7 +677,7 @@ static void fscache_write_op(struct fsca
43222         page = results[0];
43223         _debug("gang %d [%lx]", n, page->index);
43224         if (page->index > op->store_limit) {
43225 -               fscache_stat(&fscache_n_store_pages_over_limit);
43226 +               fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
43227                 goto superseded;
43228         }
43229  
43230 @@ -689,7 +689,7 @@ static void fscache_write_op(struct fsca
43231         spin_unlock(&cookie->stores_lock);
43232         spin_unlock(&object->lock);
43233  
43234 -       fscache_stat(&fscache_n_store_pages);
43235 +       fscache_stat_unchecked(&fscache_n_store_pages);
43236         fscache_stat(&fscache_n_cop_write_page);
43237         ret = object->cache->ops->write_page(op, page);
43238         fscache_stat_d(&fscache_n_cop_write_page);
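Review bot: Two adjacent counters are now treated differently — `fscache_n_store_pages` moves to `fscache_stat_unchecked` while `fscache_n_cop_write_page` stays on the checked `fscache_stat`/`fscache_stat_d` pair — and nothing in the hunk says why, so the next mechanical sweep is likely to "fix" the apparent inconsistency. The visible reason is that the cop counter is incremented before the cache call and decremented right after it, so it behaves like an in-flight count whose overflow or underflow the checked atomic is meant to catch, whereas a pure event counter may legitimately wrap. I would add `/* cop counters are inc/dec pairs: keep them on checked atomics so PAX_REFCOUNT overflow detection still applies */` above the `fscache_stat(&fscache_n_cop_write_page);` line. fscache_write_op starts before and ends after this hunk.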
43239 @@ -757,7 +757,7 @@ int __fscache_write_page(struct fscache_
43240         ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
43241         ASSERT(PageFsCache(page));
43242  
43243 -       fscache_stat(&fscache_n_stores);
43244 +       fscache_stat_unchecked(&fscache_n_stores);
43245  
43246         op = kzalloc(sizeof(*op), GFP_NOIO);
43247         if (!op)
43248 @@ -808,7 +808,7 @@ int __fscache_write_page(struct fscache_
43249         spin_unlock(&cookie->stores_lock);
43250         spin_unlock(&object->lock);
43251  
43252 -       op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
43253 +       op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
43254         op->store_limit = object->store_limit;
43255  
43256         if (fscache_submit_op(object, &op->op) < 0)
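Review bot: `atomic_inc_return_unchecked(&fscache_op_debug_id)` only compiles if `fscache_op_debug_id` is itself declared as `atomic_unchecked_t`, and that declaration is not in this hunk, so the line depends on a matching edit elsewhere in the patch (presumably fs/fscache/operation.c and internal.h, not visible here). The choice is otherwise sound: a debug identifier only needs to be distinct and may wrap without harm, so it should not trip overflow detection. A one-line comment at the declaration, `/* wraps harmlessly; deliberately not overflow-checked */`, would record that intent for the next reader. __fscache_write_page begins before and continues after this hunk.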
43257 @@ -816,8 +816,8 @@ int __fscache_write_page(struct fscache_
43258  
43259         spin_unlock(&cookie->lock);
43260         radix_tree_preload_end();
43261 -       fscache_stat(&fscache_n_store_ops);
43262 -       fscache_stat(&fscache_n_stores_ok);
43263 +       fscache_stat_unchecked(&fscache_n_store_ops);
43264 +       fscache_stat_unchecked(&fscache_n_stores_ok);
43265  
43266         /* the work queue now carries its own ref on the object */
43267         fscache_put_operation(&op->op);
43268 @@ -825,14 +825,14 @@ int __fscache_write_page(struct fscache_
43269         return 0;
43270  
43271  already_queued:
43272 -       fscache_stat(&fscache_n_stores_again);
43273 +       fscache_stat_unchecked(&fscache_n_stores_again);
43274  already_pending:
43275         spin_unlock(&cookie->stores_lock);
43276         spin_unlock(&object->lock);
43277         spin_unlock(&cookie->lock);
43278         radix_tree_preload_end();
43279         kfree(op);
43280 -       fscache_stat(&fscache_n_stores_ok);
43281 +       fscache_stat_unchecked(&fscache_n_stores_ok);
43282         _leave(" = 0");
43283         return 0;
43284  
43285 @@ -851,14 +851,14 @@ nobufs:
43286         spin_unlock(&cookie->lock);
43287         radix_tree_preload_end();
43288         kfree(op);
43289 -       fscache_stat(&fscache_n_stores_nobufs);
43290 +       fscache_stat_unchecked(&fscache_n_stores_nobufs);
43291         _leave(" = -ENOBUFS");
43292         return -ENOBUFS;
43293  
43294  nomem_free:
43295         kfree(op);
43296  nomem:
43297 -       fscache_stat(&fscache_n_stores_oom);
43298 +       fscache_stat_unchecked(&fscache_n_stores_oom);
43299         _leave(" = -ENOMEM");
43300         return -ENOMEM;
43301  }
43302 @@ -876,7 +876,7 @@ void __fscache_uncache_page(struct fscac
43303         ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
43304         ASSERTCMP(page, !=, NULL);
43305  
43306 -       fscache_stat(&fscache_n_uncaches);
43307 +       fscache_stat_unchecked(&fscache_n_uncaches);
43308  
43309         /* cache withdrawal may beat us to it */
43310         if (!PageFsCache(page))
43311 @@ -929,7 +929,7 @@ void fscache_mark_pages_cached(struct fs
43312         unsigned long loop;
43313  
43314  #ifdef CONFIG_FSCACHE_STATS
43315 -       atomic_add(pagevec->nr, &fscache_n_marks);
43316 +       atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
43317  #endif
43318  
43319         for (loop = 0; loop < pagevec->nr; loop++) {
43320 diff -urNp linux-3.1.1/fs/fscache/stats.c linux-3.1.1/fs/fscache/stats.c
43321 --- linux-3.1.1/fs/fscache/stats.c      2011-11-11 15:19:27.000000000 -0500
43322 +++ linux-3.1.1/fs/fscache/stats.c      2011-11-16 18:39:08.000000000 -0500
43323 @@ -18,95 +18,95 @@
43324  /*
43325   * operation counters
43326   */
43327 -atomic_t fscache_n_op_pend;
43328 -atomic_t fscache_n_op_run;
43329 -atomic_t fscache_n_op_enqueue;
43330 -atomic_t fscache_n_op_requeue;
43331 -atomic_t fscache_n_op_deferred_release;
43332 -atomic_t fscache_n_op_release;
43333 -atomic_t fscache_n_op_gc;
43334 -atomic_t fscache_n_op_cancelled;
43335 -atomic_t fscache_n_op_rejected;
43336 -
43337 -atomic_t fscache_n_attr_changed;
43338 -atomic_t fscache_n_attr_changed_ok;
43339 -atomic_t fscache_n_attr_changed_nobufs;
43340 -atomic_t fscache_n_attr_changed_nomem;
43341 -atomic_t fscache_n_attr_changed_calls;
43342 -
43343 -atomic_t fscache_n_allocs;
43344 -atomic_t fscache_n_allocs_ok;
43345 -atomic_t fscache_n_allocs_wait;
43346 -atomic_t fscache_n_allocs_nobufs;
43347 -atomic_t fscache_n_allocs_intr;
43348 -atomic_t fscache_n_allocs_object_dead;
43349 -atomic_t fscache_n_alloc_ops;
43350 -atomic_t fscache_n_alloc_op_waits;
43351 -
43352 -atomic_t fscache_n_retrievals;
43353 -atomic_t fscache_n_retrievals_ok;
43354 -atomic_t fscache_n_retrievals_wait;
43355 -atomic_t fscache_n_retrievals_nodata;
43356 -atomic_t fscache_n_retrievals_nobufs;
43357 -atomic_t fscache_n_retrievals_intr;
43358 -atomic_t fscache_n_retrievals_nomem;
43359 -atomic_t fscache_n_retrievals_object_dead;
43360 -atomic_t fscache_n_retrieval_ops;
43361 -atomic_t fscache_n_retrieval_op_waits;
43362 -
43363 -atomic_t fscache_n_stores;
43364 -atomic_t fscache_n_stores_ok;
43365 -atomic_t fscache_n_stores_again;
43366 -atomic_t fscache_n_stores_nobufs;
43367 -atomic_t fscache_n_stores_oom;
43368 -atomic_t fscache_n_store_ops;
43369 -atomic_t fscache_n_store_calls;
43370 -atomic_t fscache_n_store_pages;
43371 -atomic_t fscache_n_store_radix_deletes;
43372 -atomic_t fscache_n_store_pages_over_limit;
43373 -
43374 -atomic_t fscache_n_store_vmscan_not_storing;
43375 -atomic_t fscache_n_store_vmscan_gone;
43376 -atomic_t fscache_n_store_vmscan_busy;
43377 -atomic_t fscache_n_store_vmscan_cancelled;
43378 -
43379 -atomic_t fscache_n_marks;
43380 -atomic_t fscache_n_uncaches;
43381 -
43382 -atomic_t fscache_n_acquires;
43383 -atomic_t fscache_n_acquires_null;
43384 -atomic_t fscache_n_acquires_no_cache;
43385 -atomic_t fscache_n_acquires_ok;
43386 -atomic_t fscache_n_acquires_nobufs;
43387 -atomic_t fscache_n_acquires_oom;
43388 -
43389 -atomic_t fscache_n_updates;
43390 -atomic_t fscache_n_updates_null;
43391 -atomic_t fscache_n_updates_run;
43392 -
43393 -atomic_t fscache_n_relinquishes;
43394 -atomic_t fscache_n_relinquishes_null;
43395 -atomic_t fscache_n_relinquishes_waitcrt;
43396 -atomic_t fscache_n_relinquishes_retire;
43397 -
43398 -atomic_t fscache_n_cookie_index;
43399 -atomic_t fscache_n_cookie_data;
43400 -atomic_t fscache_n_cookie_special;
43401 -
43402 -atomic_t fscache_n_object_alloc;
43403 -atomic_t fscache_n_object_no_alloc;
43404 -atomic_t fscache_n_object_lookups;
43405 -atomic_t fscache_n_object_lookups_negative;
43406 -atomic_t fscache_n_object_lookups_positive;
43407 -atomic_t fscache_n_object_lookups_timed_out;
43408 -atomic_t fscache_n_object_created;
43409 -atomic_t fscache_n_object_avail;
43410 -atomic_t fscache_n_object_dead;
43411 -
43412 -atomic_t fscache_n_checkaux_none;
43413 -atomic_t fscache_n_checkaux_okay;
43414 -atomic_t fscache_n_checkaux_update;
43415 -atomic_t fscache_n_checkaux_obsolete;
43416 +atomic_unchecked_t fscache_n_op_pend;
43417 +atomic_unchecked_t fscache_n_op_run;
43418 +atomic_unchecked_t fscache_n_op_enqueue;
43419 +atomic_unchecked_t fscache_n_op_requeue;
43420 +atomic_unchecked_t fscache_n_op_deferred_release;
43421 +atomic_unchecked_t fscache_n_op_release;
43422 +atomic_unchecked_t fscache_n_op_gc;
43423 +atomic_unchecked_t fscache_n_op_cancelled;
43424 +atomic_unchecked_t fscache_n_op_rejected;
43425 +
43426 +atomic_unchecked_t fscache_n_attr_changed;
43427 +atomic_unchecked_t fscache_n_attr_changed_ok;
43428 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
43429 +atomic_unchecked_t fscache_n_attr_changed_nomem;
43430 +atomic_unchecked_t fscache_n_attr_changed_calls;
43431 +
43432 +atomic_unchecked_t fscache_n_allocs;
43433 +atomic_unchecked_t fscache_n_allocs_ok;
43434 +atomic_unchecked_t fscache_n_allocs_wait;
43435 +atomic_unchecked_t fscache_n_allocs_nobufs;
43436 +atomic_unchecked_t fscache_n_allocs_intr;
43437 +atomic_unchecked_t fscache_n_allocs_object_dead;
43438 +atomic_unchecked_t fscache_n_alloc_ops;
43439 +atomic_unchecked_t fscache_n_alloc_op_waits;
43440 +
43441 +atomic_unchecked_t fscache_n_retrievals;
43442 +atomic_unchecked_t fscache_n_retrievals_ok;
43443 +atomic_unchecked_t fscache_n_retrievals_wait;
43444 +atomic_unchecked_t fscache_n_retrievals_nodata;
43445 +atomic_unchecked_t fscache_n_retrievals_nobufs;
43446 +atomic_unchecked_t fscache_n_retrievals_intr;
43447 +atomic_unchecked_t fscache_n_retrievals_nomem;
43448 +atomic_unchecked_t fscache_n_retrievals_object_dead;
43449 +atomic_unchecked_t fscache_n_retrieval_ops;
43450 +atomic_unchecked_t fscache_n_retrieval_op_waits;
43451 +
43452 +atomic_unchecked_t fscache_n_stores;
43453 +atomic_unchecked_t fscache_n_stores_ok;
43454 +atomic_unchecked_t fscache_n_stores_again;
43455 +atomic_unchecked_t fscache_n_stores_nobufs;
43456 +atomic_unchecked_t fscache_n_stores_oom;
43457 +atomic_unchecked_t fscache_n_store_ops;
43458 +atomic_unchecked_t fscache_n_store_calls;
43459 +atomic_unchecked_t fscache_n_store_pages;
43460 +atomic_unchecked_t fscache_n_store_radix_deletes;
43461 +atomic_unchecked_t fscache_n_store_pages_over_limit;
43462 +
43463 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
43464 +atomic_unchecked_t fscache_n_store_vmscan_gone;
43465 +atomic_unchecked_t fscache_n_store_vmscan_busy;
43466 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
43467 +
43468 +atomic_unchecked_t fscache_n_marks;
43469 +atomic_unchecked_t fscache_n_uncaches;
43470 +
43471 +atomic_unchecked_t fscache_n_acquires;
43472 +atomic_unchecked_t fscache_n_acquires_null;
43473 +atomic_unchecked_t fscache_n_acquires_no_cache;
43474 +atomic_unchecked_t fscache_n_acquires_ok;
43475 +atomic_unchecked_t fscache_n_acquires_nobufs;
43476 +atomic_unchecked_t fscache_n_acquires_oom;
43477 +
43478 +atomic_unchecked_t fscache_n_updates;
43479 +atomic_unchecked_t fscache_n_updates_null;
43480 +atomic_unchecked_t fscache_n_updates_run;
43481 +
43482 +atomic_unchecked_t fscache_n_relinquishes;
43483 +atomic_unchecked_t fscache_n_relinquishes_null;
43484 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
43485 +atomic_unchecked_t fscache_n_relinquishes_retire;
43486 +
43487 +atomic_unchecked_t fscache_n_cookie_index;
43488 +atomic_unchecked_t fscache_n_cookie_data;
43489 +atomic_unchecked_t fscache_n_cookie_special;
43490 +
43491 +atomic_unchecked_t fscache_n_object_alloc;
43492 +atomic_unchecked_t fscache_n_object_no_alloc;
43493 +atomic_unchecked_t fscache_n_object_lookups;
43494 +atomic_unchecked_t fscache_n_object_lookups_negative;
43495 +atomic_unchecked_t fscache_n_object_lookups_positive;
43496 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
43497 +atomic_unchecked_t fscache_n_object_created;
43498 +atomic_unchecked_t fscache_n_object_avail;
43499 +atomic_unchecked_t fscache_n_object_dead;
43500 +
43501 +atomic_unchecked_t fscache_n_checkaux_none;
43502 +atomic_unchecked_t fscache_n_checkaux_okay;
43503 +atomic_unchecked_t fscache_n_checkaux_update;
43504 +atomic_unchecked_t fscache_n_checkaux_obsolete;
43505  
43506  atomic_t fscache_n_cop_alloc_object;
43507  atomic_t fscache_n_cop_lookup_object;
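Review bot: The hunk converts every event counter to `atomic_unchecked_t` but leaves the `fscache_n_cop_*` counters immediately below as plain `atomic_t`, with no comment recording that the split is intentional. From the page.c hunks on this page the cop counters are bumped with `fscache_stat` and dropped with `fscache_stat_d` around each cache operation, i.e. they track in-flight work rather than merely counting events, so keeping overflow checking on them is the right call — but a reader of stats.c alone cannot tell. I would add above `atomic_t fscache_n_cop_alloc_object;`: `/* cop counters are inc/dec pairs (fscache_stat/fscache_stat_d); keep them checked so a leaked or double decrement is still caught by PAX_REFCOUNT */`. It is also worth confirming that the matching extern declarations in internal.h were changed in step, since that hunk is not on this page.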
43508 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
43509         seq_puts(m, "FS-Cache statistics\n");
43510  
43511         seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
43512 -                  atomic_read(&fscache_n_cookie_index),
43513 -                  atomic_read(&fscache_n_cookie_data),
43514 -                  atomic_read(&fscache_n_cookie_special));
43515 +                  atomic_read_unchecked(&fscache_n_cookie_index),
43516 +                  atomic_read_unchecked(&fscache_n_cookie_data),
43517 +                  atomic_read_unchecked(&fscache_n_cookie_special));
43518  
43519         seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
43520 -                  atomic_read(&fscache_n_object_alloc),
43521 -                  atomic_read(&fscache_n_object_no_alloc),
43522 -                  atomic_read(&fscache_n_object_avail),
43523 -                  atomic_read(&fscache_n_object_dead));
43524 +                  atomic_read_unchecked(&fscache_n_object_alloc),
43525 +                  atomic_read_unchecked(&fscache_n_object_no_alloc),
43526 +                  atomic_read_unchecked(&fscache_n_object_avail),
43527 +                  atomic_read_unchecked(&fscache_n_object_dead));
43528         seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
43529 -                  atomic_read(&fscache_n_checkaux_none),
43530 -                  atomic_read(&fscache_n_checkaux_okay),
43531 -                  atomic_read(&fscache_n_checkaux_update),
43532 -                  atomic_read(&fscache_n_checkaux_obsolete));
43533 +                  atomic_read_unchecked(&fscache_n_checkaux_none),
43534 +                  atomic_read_unchecked(&fscache_n_checkaux_okay),
43535 +                  atomic_read_unchecked(&fscache_n_checkaux_update),
43536 +                  atomic_read_unchecked(&fscache_n_checkaux_obsolete));
43537  
43538         seq_printf(m, "Pages  : mrk=%u unc=%u\n",
43539 -                  atomic_read(&fscache_n_marks),
43540 -                  atomic_read(&fscache_n_uncaches));
43541 +                  atomic_read_unchecked(&fscache_n_marks),
43542 +                  atomic_read_unchecked(&fscache_n_uncaches));
43543  
43544         seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
43545                    " oom=%u\n",
43546 -                  atomic_read(&fscache_n_acquires),
43547 -                  atomic_read(&fscache_n_acquires_null),
43548 -                  atomic_read(&fscache_n_acquires_no_cache),
43549 -                  atomic_read(&fscache_n_acquires_ok),
43550 -                  atomic_read(&fscache_n_acquires_nobufs),
43551 -                  atomic_read(&fscache_n_acquires_oom));
43552 +                  atomic_read_unchecked(&fscache_n_acquires),
43553 +                  atomic_read_unchecked(&fscache_n_acquires_null),
43554 +                  atomic_read_unchecked(&fscache_n_acquires_no_cache),
43555 +                  atomic_read_unchecked(&fscache_n_acquires_ok),
43556 +                  atomic_read_unchecked(&fscache_n_acquires_nobufs),
43557 +                  atomic_read_unchecked(&fscache_n_acquires_oom));
43558  
43559         seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
43560 -                  atomic_read(&fscache_n_object_lookups),
43561 -                  atomic_read(&fscache_n_object_lookups_negative),
43562 -                  atomic_read(&fscache_n_object_lookups_positive),
43563 -                  atomic_read(&fscache_n_object_created),
43564 -                  atomic_read(&fscache_n_object_lookups_timed_out));
43565 +                  atomic_read_unchecked(&fscache_n_object_lookups),
43566 +                  atomic_read_unchecked(&fscache_n_object_lookups_negative),
43567 +                  atomic_read_unchecked(&fscache_n_object_lookups_positive),
43568 +                  atomic_read_unchecked(&fscache_n_object_created),
43569 +                  atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
43570  
43571         seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
43572 -                  atomic_read(&fscache_n_updates),
43573 -                  atomic_read(&fscache_n_updates_null),
43574 -                  atomic_read(&fscache_n_updates_run));
43575 +                  atomic_read_unchecked(&fscache_n_updates),
43576 +                  atomic_read_unchecked(&fscache_n_updates_null),
43577 +                  atomic_read_unchecked(&fscache_n_updates_run));
43578  
43579         seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
43580 -                  atomic_read(&fscache_n_relinquishes),
43581 -                  atomic_read(&fscache_n_relinquishes_null),
43582 -                  atomic_read(&fscache_n_relinquishes_waitcrt),
43583 -                  atomic_read(&fscache_n_relinquishes_retire));
43584 +                  atomic_read_unchecked(&fscache_n_relinquishes),
43585 +                  atomic_read_unchecked(&fscache_n_relinquishes_null),
43586 +                  atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
43587 +                  atomic_read_unchecked(&fscache_n_relinquishes_retire));
43588  
43589         seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
43590 -                  atomic_read(&fscache_n_attr_changed),
43591 -                  atomic_read(&fscache_n_attr_changed_ok),
43592 -                  atomic_read(&fscache_n_attr_changed_nobufs),
43593 -                  atomic_read(&fscache_n_attr_changed_nomem),
43594 -                  atomic_read(&fscache_n_attr_changed_calls));
43595 +                  atomic_read_unchecked(&fscache_n_attr_changed),
43596 +                  atomic_read_unchecked(&fscache_n_attr_changed_ok),
43597 +                  atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
43598 +                  atomic_read_unchecked(&fscache_n_attr_changed_nomem),
43599 +                  atomic_read_unchecked(&fscache_n_attr_changed_calls));
43600  
43601         seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
43602 -                  atomic_read(&fscache_n_allocs),
43603 -                  atomic_read(&fscache_n_allocs_ok),
43604 -                  atomic_read(&fscache_n_allocs_wait),
43605 -                  atomic_read(&fscache_n_allocs_nobufs),
43606 -                  atomic_read(&fscache_n_allocs_intr));
43607 +                  atomic_read_unchecked(&fscache_n_allocs),
43608 +                  atomic_read_unchecked(&fscache_n_allocs_ok),
43609 +                  atomic_read_unchecked(&fscache_n_allocs_wait),
43610 +                  atomic_read_unchecked(&fscache_n_allocs_nobufs),
43611 +                  atomic_read_unchecked(&fscache_n_allocs_intr));
43612         seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
43613 -                  atomic_read(&fscache_n_alloc_ops),
43614 -                  atomic_read(&fscache_n_alloc_op_waits),
43615 -                  atomic_read(&fscache_n_allocs_object_dead));
43616 +                  atomic_read_unchecked(&fscache_n_alloc_ops),
43617 +                  atomic_read_unchecked(&fscache_n_alloc_op_waits),
43618 +                  atomic_read_unchecked(&fscache_n_allocs_object_dead));
43619  
43620         seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
43621                    " int=%u oom=%u\n",
43622 -                  atomic_read(&fscache_n_retrievals),
43623 -                  atomic_read(&fscache_n_retrievals_ok),
43624 -                  atomic_read(&fscache_n_retrievals_wait),
43625 -                  atomic_read(&fscache_n_retrievals_nodata),
43626 -                  atomic_read(&fscache_n_retrievals_nobufs),
43627 -                  atomic_read(&fscache_n_retrievals_intr),
43628 -                  atomic_read(&fscache_n_retrievals_nomem));
43629 +                  atomic_read_unchecked(&fscache_n_retrievals),
43630 +                  atomic_read_unchecked(&fscache_n_retrievals_ok),
43631 +                  atomic_read_unchecked(&fscache_n_retrievals_wait),
43632 +                  atomic_read_unchecked(&fscache_n_retrievals_nodata),
43633 +                  atomic_read_unchecked(&fscache_n_retrievals_nobufs),
43634 +                  atomic_read_unchecked(&fscache_n_retrievals_intr),
43635 +                  atomic_read_unchecked(&fscache_n_retrievals_nomem));
43636         seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
43637 -                  atomic_read(&fscache_n_retrieval_ops),
43638 -                  atomic_read(&fscache_n_retrieval_op_waits),
43639 -                  atomic_read(&fscache_n_retrievals_object_dead));
43640 +                  atomic_read_unchecked(&fscache_n_retrieval_ops),
43641 +                  atomic_read_unchecked(&fscache_n_retrieval_op_waits),
43642 +                  atomic_read_unchecked(&fscache_n_retrievals_object_dead));
43643  
43644         seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
43645 -                  atomic_read(&fscache_n_stores),
43646 -                  atomic_read(&fscache_n_stores_ok),
43647 -                  atomic_read(&fscache_n_stores_again),
43648 -                  atomic_read(&fscache_n_stores_nobufs),
43649 -                  atomic_read(&fscache_n_stores_oom));
43650 +                  atomic_read_unchecked(&fscache_n_stores),
43651 +                  atomic_read_unchecked(&fscache_n_stores_ok),
43652 +                  atomic_read_unchecked(&fscache_n_stores_again),
43653 +                  atomic_read_unchecked(&fscache_n_stores_nobufs),
43654 +                  atomic_read_unchecked(&fscache_n_stores_oom));
43655         seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
43656 -                  atomic_read(&fscache_n_store_ops),
43657 -                  atomic_read(&fscache_n_store_calls),
43658 -                  atomic_read(&fscache_n_store_pages),
43659 -                  atomic_read(&fscache_n_store_radix_deletes),
43660 -                  atomic_read(&fscache_n_store_pages_over_limit));
43661 +                  atomic_read_unchecked(&fscache_n_store_ops),
43662 +                  atomic_read_unchecked(&fscache_n_store_calls),
43663 +                  atomic_read_unchecked(&fscache_n_store_pages),
43664 +                  atomic_read_unchecked(&fscache_n_store_radix_deletes),
43665 +                  atomic_read_unchecked(&fscache_n_store_pages_over_limit));
43666  
43667         seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
43668 -                  atomic_read(&fscache_n_store_vmscan_not_storing),
43669 -                  atomic_read(&fscache_n_store_vmscan_gone),
43670 -                  atomic_read(&fscache_n_store_vmscan_busy),
43671 -                  atomic_read(&fscache_n_store_vmscan_cancelled));
43672 +                  atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
43673 +                  atomic_read_unchecked(&fscache_n_store_vmscan_gone),
43674 +                  atomic_read_unchecked(&fscache_n_store_vmscan_busy),
43675 +                  atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
43676  
43677         seq_printf(m, "Ops    : pend=%u run=%u enq=%u can=%u rej=%u\n",
43678 -                  atomic_read(&fscache_n_op_pend),
43679 -                  atomic_read(&fscache_n_op_run),
43680 -                  atomic_read(&fscache_n_op_enqueue),
43681 -                  atomic_read(&fscache_n_op_cancelled),
43682 -                  atomic_read(&fscache_n_op_rejected));
43683 +                  atomic_read_unchecked(&fscache_n_op_pend),
43684 +                  atomic_read_unchecked(&fscache_n_op_run),
43685 +                  atomic_read_unchecked(&fscache_n_op_enqueue),
43686 +                  atomic_read_unchecked(&fscache_n_op_cancelled),
43687 +                  atomic_read_unchecked(&fscache_n_op_rejected));
43688         seq_printf(m, "Ops    : dfr=%u rel=%u gc=%u\n",
43689 -                  atomic_read(&fscache_n_op_deferred_release),
43690 -                  atomic_read(&fscache_n_op_release),
43691 -                  atomic_read(&fscache_n_op_gc));
43692 +                  atomic_read_unchecked(&fscache_n_op_deferred_release),
43693 +                  atomic_read_unchecked(&fscache_n_op_release),
43694 +                  atomic_read_unchecked(&fscache_n_op_gc));
43695  
43696         seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
43697                    atomic_read(&fscache_n_cop_alloc_object),
43698 diff -urNp linux-3.1.1/fs/fs_struct.c linux-3.1.1/fs/fs_struct.c
43699 --- linux-3.1.1/fs/fs_struct.c  2011-11-11 15:19:27.000000000 -0500
43700 +++ linux-3.1.1/fs/fs_struct.c  2011-11-16 18:40:29.000000000 -0500
43701 @@ -4,6 +4,7 @@
43702  #include <linux/slab.h>
43703  #include <linux/fs_struct.h>
43704  #include <linux/vserver/global.h>
43705 +#include <linux/grsecurity.h>
43706  #include "internal.h"
43707  
43708  static inline void path_get_longterm(struct path *path)
43709 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
43710         old_root = fs->root;
43711         fs->root = *path;
43712         path_get_longterm(path);
43713 +       gr_set_chroot_entries(current, path);
43714         write_seqcount_end(&fs->seq);
43715         spin_unlock(&fs->lock);
43716         if (old_root.dentry)
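Review bot: The added `gr_set_chroot_entries(current, path)` records the new root against `current`, while the function operates on the caller-supplied `fs`, so it silently assumes every caller passes `current->fs`. The explicit-task form used later in this file (`gr_set_chroot_entries(p, new_root)` in chroot_fs_refs) suggests the helper does not derive the task from `fs` itself. If the assumption holds for all callers it should at least be stated, e.g. `/* callers pass current->fs; record the chroot against the current task */`, or guarded with `WARN_ON_ONCE(fs != current->fs);` so a future caller handing in another task's fs_struct is noticed rather than silently mis-attributed. set_fs_root begins before this hunk.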
43717 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
43718                             && fs->root.mnt == old_root->mnt) {
43719                                 path_get_longterm(new_root);
43720                                 fs->root = *new_root;
43721 +                               gr_set_chroot_entries(p, new_root);
43722                                 count++;
43723                         }
43724                         if (fs->pwd.dentry == old_root->dentry
43725 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
43726                 spin_lock(&fs->lock);
43727                 write_seqcount_begin(&fs->seq);
43728                 tsk->fs = NULL;
43729 -               kill = !--fs->users;
43730 +               gr_clear_chroot_entries(tsk);
43731 +               kill = !atomic_dec_return(&fs->users);
43732                 write_seqcount_end(&fs->seq);
43733                 spin_unlock(&fs->lock);
43734                 task_unlock(tsk);
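Review bot: `fs->users` becomes an `atomic_t`, yet every access visible in this file — this `atomic_dec_return`, the `atomic_set` in copy_fs_struct, the `atomic_dec_return` in unshare_fs_struct, and the `atomic_inc`/`atomic_dec_return` pair in daemonize_fs_struct — still runs under `fs->lock` or `init_fs.lock`, so the conversion is not self-explanatory. Presumably the motivation is either a lockless reader elsewhere or the overflow detection grsecurity applies to `atomic_t`; the field declaration (outside this chunk) should carry a comment saying which, e.g. `/* atomic_t so it is covered by refcount overflow detection; still updated under fs->lock */`, adjusted to the real reason. Without it a later cleanup may drop the now redundant-looking lock around `atomic_inc(&init_fs.users)`. exit_fs starts before this hunk.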
43735 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct 
43736         struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
43737         /* We don't need to lock fs - think why ;-) */
43738         if (fs) {
43739 -               fs->users = 1;
43740 +               atomic_set(&fs->users, 1);
43741                 fs->in_exec = 0;
43742                 spin_lock_init(&fs->lock);
43743                 seqcount_init(&fs->seq);
43744 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct 
43745                 spin_lock(&old->lock);
43746                 fs->root = old->root;
43747                 path_get_longterm(&fs->root);
43748 +               /* instead of calling gr_set_chroot_entries here,
43749 +                  we call it from every caller of this function
43750 +               */
43751                 fs->pwd = old->pwd;
43752                 path_get_longterm(&fs->pwd);
43753                 spin_unlock(&old->lock);
43754 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
43755  
43756         task_lock(current);
43757         spin_lock(&fs->lock);
43758 -       kill = !--fs->users;
43759 +       kill = !atomic_dec_return(&fs->users);
43760         current->fs = new_fs;
43761 +       gr_set_chroot_entries(current, &new_fs->root);
43762         spin_unlock(&fs->lock);
43763         task_unlock(current);
43764  
43765 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
43766  
43767  /* to be mentioned only in INIT_TASK */
43768  struct fs_struct init_fs = {
43769 -       .users          = 1,
43770 +       .users          = ATOMIC_INIT(1),
43771         .lock           = __SPIN_LOCK_UNLOCKED(init_fs.lock),
43772         .seq            = SEQCNT_ZERO,
43773         .umask          = 0022,
43774 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
43775                 task_lock(current);
43776  
43777                 spin_lock(&init_fs.lock);
43778 -               init_fs.users++;
43779 +               atomic_inc(&init_fs.users);
43780                 spin_unlock(&init_fs.lock);
43781  
43782                 spin_lock(&fs->lock);
43783                 current->fs = &init_fs;
43784 -               kill = !--fs->users;
43785 +               gr_set_chroot_entries(current, &current->fs->root);
43786 +               kill = !atomic_dec_return(&fs->users);
43787                 spin_unlock(&fs->lock);
43788  
43789                 task_unlock(current);
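Review bot: `gr_set_chroot_entries(current, &current->fs->root)` reads `init_fs.root` through the pointer assigned on the previous line, after `init_fs.lock` has already been released, whereas the sibling call in the unshare_fs_struct hunk passes the new root directly as `&new_fs->root`. Writing it as `gr_set_chroot_entries(current, &init_fs.root);` names the object being read and matches that call site. Whether reading `init_fs.root` without `init_fs.lock` is safe depends on whether set_fs_root can still run against init_fs at this point, which the hunk does not show; a short comment stating that assumption would help. daemonize_fs_struct starts before this hunk.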
43790 diff -urNp linux-3.1.1/fs/fuse/cuse.c linux-3.1.1/fs/fuse/cuse.c
43791 --- linux-3.1.1/fs/fuse/cuse.c  2011-11-11 15:19:27.000000000 -0500
43792 +++ linux-3.1.1/fs/fuse/cuse.c  2011-11-16 18:39:08.000000000 -0500
43793 @@ -586,10 +586,12 @@ static int __init cuse_init(void)
43794                 INIT_LIST_HEAD(&cuse_conntbl[i]);
43795  
43796         /* inherit and extend fuse_dev_operations */
43797 -       cuse_channel_fops               = fuse_dev_operations;
43798 -       cuse_channel_fops.owner         = THIS_MODULE;
43799 -       cuse_channel_fops.open          = cuse_channel_open;
43800 -       cuse_channel_fops.release       = cuse_channel_release;
43801 +       pax_open_kernel();
43802 +       memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
43803 +       *(void **)&cuse_channel_fops.owner      = THIS_MODULE;
43804 +       *(void **)&cuse_channel_fops.open       = cuse_channel_open;
43805 +       *(void **)&cuse_channel_fops.release    = cuse_channel_release;
43806 +       pax_close_kernel();
43807  
43808         cuse_class = class_create(THIS_MODULE, "cuse");
43809         if (IS_ERR(cuse_class))
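Review bot: The three `*(void **)&cuse_channel_fops.<member> = …` stores cast away the const that `cuse_channel_fops` presumably now carries and write two function pointers through an object-pointer type, and `pax_open_kernel()`/`pax_close_kernel()` are the only hint why; to a reader unfamiliar with the constify plugin this looks like a strict-aliasing and const-violation hazard. A comment above the window, `/* cuse_channel_fops is read-only after init (constify); patch it through the pax_open_kernel() window */`, states the contract and justifies the casts. The window is correctly minimal here — only the memcpy and the three stores sit between open and close, and nothing else should be added inside it. cuse_init starts before this hunk.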
43810 diff -urNp linux-3.1.1/fs/fuse/dev.c linux-3.1.1/fs/fuse/dev.c
43811 --- linux-3.1.1/fs/fuse/dev.c   2011-11-11 15:19:27.000000000 -0500
43812 +++ linux-3.1.1/fs/fuse/dev.c   2011-11-16 18:39:08.000000000 -0500
43813 @@ -1242,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(stru
43814         ret = 0;
43815         pipe_lock(pipe);
43816  
43817 -       if (!pipe->readers) {
43818 +       if (!atomic_read(&pipe->readers)) {
43819                 send_sig(SIGPIPE, current, 0);
43820                 if (!ret)
43821                         ret = -EPIPE;
43822 diff -urNp linux-3.1.1/fs/fuse/dir.c linux-3.1.1/fs/fuse/dir.c
43823 --- linux-3.1.1/fs/fuse/dir.c   2011-11-11 15:19:27.000000000 -0500
43824 +++ linux-3.1.1/fs/fuse/dir.c   2011-11-16 18:39:08.000000000 -0500
43825 @@ -1147,7 +1147,7 @@ static char *read_link(struct dentry *de
43826         return link;
43827  }
43828  
43829 -static void free_link(char *link)
43830 +static void free_link(const char *link)
43831  {
43832         if (!IS_ERR(link))
43833                 free_page((unsigned long) link);
43834 diff -urNp linux-3.1.1/fs/gfs2/inode.c linux-3.1.1/fs/gfs2/inode.c
43835 --- linux-3.1.1/fs/gfs2/inode.c 2011-11-11 15:19:27.000000000 -0500
43836 +++ linux-3.1.1/fs/gfs2/inode.c 2011-11-16 18:39:08.000000000 -0500
43837 @@ -1517,7 +1517,7 @@ out:
43838  
43839  static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43840  {
43841 -       char *s = nd_get_link(nd);
43842 +       const char *s = nd_get_link(nd);
43843         if (!IS_ERR(s))
43844                 kfree(s);
43845  }
43846 diff -urNp linux-3.1.1/fs/hfsplus/catalog.c linux-3.1.1/fs/hfsplus/catalog.c
43847 --- linux-3.1.1/fs/hfsplus/catalog.c    2011-11-11 15:19:27.000000000 -0500
43848 +++ linux-3.1.1/fs/hfsplus/catalog.c    2011-11-16 19:23:09.000000000 -0500
43849 @@ -179,6 +179,8 @@ int hfsplus_find_cat(struct super_block 
43850         int err;
43851         u16 type;
43852  
43853 +       pax_track_stack();
43854 +
43855         hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
43856         err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
43857         if (err)
43858 @@ -210,6 +212,8 @@ int hfsplus_create_cat(u32 cnid, struct 
43859         int entry_size;
43860         int err;
43861  
43862 +       pax_track_stack();
43863 +
43864         dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n",
43865                 str->name, cnid, inode->i_nlink);
43866         err = hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
43867 @@ -353,6 +357,8 @@ int hfsplus_rename_cat(u32 cnid,
43868         int entry_size, type;
43869         int err;
43870  
43871 +       pax_track_stack();
43872 +
43873         dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n",
43874                 cnid, src_dir->i_ino, src_name->name,
43875                 dst_dir->i_ino, dst_name->name);
43876 diff -urNp linux-3.1.1/fs/hfsplus/dir.c linux-3.1.1/fs/hfsplus/dir.c
43877 --- linux-3.1.1/fs/hfsplus/dir.c        2011-11-11 15:19:27.000000000 -0500
43878 +++ linux-3.1.1/fs/hfsplus/dir.c        2011-11-16 18:40:29.000000000 -0500
43879 @@ -131,6 +131,8 @@ static int hfsplus_readdir(struct file *
43880         struct hfsplus_readdir_data *rd;
43881         u16 type;
43882  
43883 +       pax_track_stack();
43884 +
43885         if (filp->f_pos >= inode->i_size)
43886                 return 0;
43887  
43888 diff -urNp linux-3.1.1/fs/hfsplus/inode.c linux-3.1.1/fs/hfsplus/inode.c
43889 --- linux-3.1.1/fs/hfsplus/inode.c      2011-11-11 15:19:27.000000000 -0500
43890 +++ linux-3.1.1/fs/hfsplus/inode.c      2011-11-16 18:40:29.000000000 -0500
43891 @@ -501,6 +501,8 @@ int hfsplus_cat_read_inode(struct inode 
43892         int res = 0;
43893         u16 type;
43894  
43895 +       pax_track_stack();
43896 +
43897         type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
43898  
43899         HFSPLUS_I(inode)->linkid = 0;
43900 @@ -564,6 +566,8 @@ int hfsplus_cat_write_inode(struct inode
43901         struct hfs_find_data fd;
43902         hfsplus_cat_entry entry;
43903  
43904 +       pax_track_stack();
43905 +
43906         if (HFSPLUS_IS_RSRC(inode))
43907                 main_inode = HFSPLUS_I(inode)->rsrc_inode;
43908  
43909 diff -urNp linux-3.1.1/fs/hfsplus/ioctl.c linux-3.1.1/fs/hfsplus/ioctl.c
43910 --- linux-3.1.1/fs/hfsplus/ioctl.c      2011-11-11 15:19:27.000000000 -0500
43911 +++ linux-3.1.1/fs/hfsplus/ioctl.c      2011-11-16 18:40:29.000000000 -0500
43912 @@ -122,6 +122,8 @@ int hfsplus_setxattr(struct dentry *dent
43913         struct hfsplus_cat_file *file;
43914         int res;
43915  
43916 +       pax_track_stack();
43917 +
43918         if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
43919                 return -EOPNOTSUPP;
43920  
43921 @@ -166,6 +168,8 @@ ssize_t hfsplus_getxattr(struct dentry *
43922         struct hfsplus_cat_file *file;
43923         ssize_t res = 0;
43924  
43925 +       pax_track_stack();
43926 +
43927         if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
43928                 return -EOPNOTSUPP;
43929  
43930 diff -urNp linux-3.1.1/fs/hfsplus/super.c linux-3.1.1/fs/hfsplus/super.c
43931 --- linux-3.1.1/fs/hfsplus/super.c      2011-11-11 15:19:27.000000000 -0500
43932 +++ linux-3.1.1/fs/hfsplus/super.c      2011-11-16 19:23:30.000000000 -0500
43933 @@ -347,6 +347,8 @@ static int hfsplus_fill_super(struct sup
43934         u64 last_fs_block, last_fs_page;
43935         int err;
43936  
43937 +       pax_track_stack();
43938 +
43939         err = -EINVAL;
43940         sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
43941         if (!sbi)
43942 diff -urNp linux-3.1.1/fs/hugetlbfs/inode.c linux-3.1.1/fs/hugetlbfs/inode.c
43943 --- linux-3.1.1/fs/hugetlbfs/inode.c    2011-11-11 15:19:27.000000000 -0500
43944 +++ linux-3.1.1/fs/hugetlbfs/inode.c    2011-11-16 18:40:29.000000000 -0500
43945 @@ -915,7 +915,7 @@ static struct file_system_type hugetlbfs
43946         .kill_sb        = kill_litter_super,
43947  };
43948  
43949 -static struct vfsmount *hugetlbfs_vfsmount;
43950 +struct vfsmount *hugetlbfs_vfsmount;
43951  
43952  static int can_do_hugetlb_shm(void)
43953  {
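Review bot: Dropping `static` from `hugetlbfs_vfsmount` makes it a global, but the hunk shows no matching `extern` declaration in a header, so sparse will flag the symbol as undeclared and the new user elsewhere in the patch is type-checked only by convention. The declaration belongs in the header that new user includes, with a comment at the definition naming what reads it, e.g. `/* exported (non-static) for the hugetlb mount check in … */` with the consumer filled in. Widening a mount pointer's visibility is cheap, but the reason should be recorded where the symbol is defined.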
43954 diff -urNp linux-3.1.1/fs/inode.c linux-3.1.1/fs/inode.c
43955 --- linux-3.1.1/fs/inode.c      2011-11-11 15:19:27.000000000 -0500
43956 +++ linux-3.1.1/fs/inode.c      2011-11-16 18:39:08.000000000 -0500
43957 @@ -787,8 +787,8 @@ unsigned int get_next_ino(void)
43958  
43959  #ifdef CONFIG_SMP
43960         if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
43961 -               static atomic_t shared_last_ino;
43962 -               int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
43963 +               static atomic_unchecked_t shared_last_ino;
43964 +               int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
43965  
43966                 res = next - LAST_INO_BATCH;
43967         }
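Review bot: `shared_last_ino` is switched to `atomic_unchecked_t`, which presumably opts this counter out of the overflow detection grsecurity applies to plain `atomic_t`, and nothing in the hunk records why that is acceptable. Since `res = next - LAST_INO_BATCH` only needs a value that keeps advancing modulo 2^32, wraparound is harmless here and the opt-out is sound; a comment on the declaration should say so, e.g. `/* unchecked: wraparound is intended, this generates inode numbers, not refcounts */`. The same applies to `nlm_cookie` in the fs/lockd/clntproc.c hunk and to the fscache statistics counters at the top of this chunk (that hunk starts before it). get_next_ino starts before this hunk.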
43968 diff -urNp linux-3.1.1/fs/jbd/checkpoint.c linux-3.1.1/fs/jbd/checkpoint.c
43969 --- linux-3.1.1/fs/jbd/checkpoint.c     2011-11-11 15:19:27.000000000 -0500
43970 +++ linux-3.1.1/fs/jbd/checkpoint.c     2011-11-16 18:40:29.000000000 -0500
43971 @@ -358,6 +358,8 @@ int log_do_checkpoint(journal_t *journal
43972         tid_t this_tid;
43973         int result;
43974  
43975 +       pax_track_stack();
43976 +
43977         jbd_debug(1, "Start checkpoint\n");
43978  
43979         /*
43980 diff -urNp linux-3.1.1/fs/jffs2/compr_rtime.c linux-3.1.1/fs/jffs2/compr_rtime.c
43981 --- linux-3.1.1/fs/jffs2/compr_rtime.c  2011-11-11 15:19:27.000000000 -0500
43982 +++ linux-3.1.1/fs/jffs2/compr_rtime.c  2011-11-16 18:40:29.000000000 -0500
43983 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
43984         int outpos = 0;
43985         int pos=0;
43986  
43987 +       pax_track_stack();
43988 +
43989         memset(positions,0,sizeof(positions));
43990  
43991         while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
43992 @@ -78,6 +80,8 @@ static int jffs2_rtime_decompress(unsign
43993         int outpos = 0;
43994         int pos=0;
43995  
43996 +       pax_track_stack();
43997 +
43998         memset(positions,0,sizeof(positions));
43999  
44000         while (outpos<destlen) {
44001 diff -urNp linux-3.1.1/fs/jffs2/compr_rubin.c linux-3.1.1/fs/jffs2/compr_rubin.c
44002 --- linux-3.1.1/fs/jffs2/compr_rubin.c  2011-11-11 15:19:27.000000000 -0500
44003 +++ linux-3.1.1/fs/jffs2/compr_rubin.c  2011-11-16 18:40:29.000000000 -0500
44004 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
44005         int ret;
44006         uint32_t mysrclen, mydstlen;
44007  
44008 +       pax_track_stack();
44009 +
44010         mysrclen = *sourcelen;
44011         mydstlen = *dstlen - 8;
44012  
44013 diff -urNp linux-3.1.1/fs/jffs2/erase.c linux-3.1.1/fs/jffs2/erase.c
44014 --- linux-3.1.1/fs/jffs2/erase.c        2011-11-11 15:19:27.000000000 -0500
44015 +++ linux-3.1.1/fs/jffs2/erase.c        2011-11-16 18:39:08.000000000 -0500
44016 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
44017                 struct jffs2_unknown_node marker = {
44018                         .magic =        cpu_to_je16(JFFS2_MAGIC_BITMASK),
44019                         .nodetype =     cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
44020 -                       .totlen =       cpu_to_je32(c->cleanmarker_size)
44021 +                       .totlen =       cpu_to_je32(c->cleanmarker_size),
44022 +                       .hdr_crc =      cpu_to_je32(0)
44023                 };
44024  
44025                 jffs2_prealloc_raw_node_refs(c, jeb, 1);
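Review bot: `.hdr_crc = cpu_to_je32(0)` changes nothing at runtime — a member omitted from a designated initializer is already zero-initialized — so the reason for spelling it out (presumably silencing a missing-field-initializer warning, or signalling that the CRC is filled in later) should be stated, or a future cleanup will remove it again. A short comment such as `/* explicit 0: hdr_crc is set once the node is complete; keeps -Wmissing-field-initializers quiet */`, adjusted to whichever reason actually applies, does that. The same explicit zero is added to the const cleanmarker in the fs/jffs2/wbuf.c hunk, where the field genuinely stays zero. jffs2_mark_erased_block starts before this hunk.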
44026 diff -urNp linux-3.1.1/fs/jffs2/wbuf.c linux-3.1.1/fs/jffs2/wbuf.c
44027 --- linux-3.1.1/fs/jffs2/wbuf.c 2011-11-11 15:19:27.000000000 -0500
44028 +++ linux-3.1.1/fs/jffs2/wbuf.c 2011-11-16 18:39:08.000000000 -0500
44029 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
44030  {
44031         .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
44032         .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
44033 -       .totlen = constant_cpu_to_je32(8)
44034 +       .totlen = constant_cpu_to_je32(8),
44035 +       .hdr_crc = constant_cpu_to_je32(0)
44036  };
44037  
44038  /*
44039 diff -urNp linux-3.1.1/fs/jffs2/xattr.c linux-3.1.1/fs/jffs2/xattr.c
44040 --- linux-3.1.1/fs/jffs2/xattr.c        2011-11-11 15:19:27.000000000 -0500
44041 +++ linux-3.1.1/fs/jffs2/xattr.c        2011-11-16 18:40:29.000000000 -0500
44042 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct 
44043  
44044         BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
44045  
44046 +       pax_track_stack();
44047 +
44048         /* Phase.1 : Merge same xref */
44049         for (i=0; i < XREF_TMPHASH_SIZE; i++)
44050                 xref_tmphash[i] = NULL;
44051 diff -urNp linux-3.1.1/fs/jfs/super.c linux-3.1.1/fs/jfs/super.c
44052 --- linux-3.1.1/fs/jfs/super.c  2011-11-11 15:19:27.000000000 -0500
44053 +++ linux-3.1.1/fs/jfs/super.c  2011-11-16 18:39:08.000000000 -0500
44054 @@ -803,7 +803,7 @@ static int __init init_jfs_fs(void)
44055  
44056         jfs_inode_cachep =
44057             kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
44058 -                           SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
44059 +                           SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
44060                             init_once);
44061         if (jfs_inode_cachep == NULL)
44062                 return -ENOMEM;
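Review bot: `SLAB_USERCOPY` whitelists every object from `jfs_inode_cachep` — the whole `struct jfs_inode_info`, not just the bytes that actually cross the user boundary — for `copy_to_user`/`copy_from_user`, and the hunk gives no reason. Presumably some field of the inode (inline data or a symlink target) is copied to userspace directly from the object; the flag should carry a comment naming that path, `/* SLAB_USERCOPY: [field] is copied to userspace directly from the inode object */` with the field filled in, so the whitelist can be narrowed or dropped when that code changes. A usercopy whitelist without a recorded justification tends to outlive the reason for it. init_jfs_fs starts before this hunk.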
44063 diff -urNp linux-3.1.1/fs/Kconfig.binfmt linux-3.1.1/fs/Kconfig.binfmt
44064 --- linux-3.1.1/fs/Kconfig.binfmt       2011-11-11 15:19:27.000000000 -0500
44065 +++ linux-3.1.1/fs/Kconfig.binfmt       2011-11-16 18:39:08.000000000 -0500
44066 @@ -86,7 +86,7 @@ config HAVE_AOUT
44067  
44068  config BINFMT_AOUT
44069         tristate "Kernel support for a.out and ECOFF binaries"
44070 -       depends on HAVE_AOUT
44071 +       depends on HAVE_AOUT && BROKEN
44072         ---help---
44073           A.out (Assembler.OUTput) is a set of formats for libraries and
44074           executables used in the earliest versions of UNIX.  Linux used
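Review bot: Adding `&& BROKEN` hides BINFMT_AOUT from every normal configuration, but the prompt and help text still present it as a supported option, so a user wondering why it vanished finds nothing in the Kconfig itself. A line at the top of the help text, `This option is disabled (depends on BROKEN) by the hardening patch: [reason].`, with the actual justification filled in, records the intent next to the dependency. The reason is not visible in the hunk, so only the author can supply it.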
44075 diff -urNp linux-3.1.1/fs/libfs.c linux-3.1.1/fs/libfs.c
44076 --- linux-3.1.1/fs/libfs.c      2011-11-11 15:19:27.000000000 -0500
44077 +++ linux-3.1.1/fs/libfs.c      2011-11-16 18:39:08.000000000 -0500
44078 @@ -165,6 +165,9 @@ int dcache_readdir(struct file * filp, v
44079  
44080                         for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
44081                                 struct dentry *next;
44082 +                               char d_name[sizeof(next->d_iname)];
44083 +                               const unsigned char *name;
44084 +
44085                                 next = list_entry(p, struct dentry, d_u.d_child);
44086                                 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
44087                                 if (!simple_positive(next)) {
44088 @@ -174,7 +177,12 @@ int dcache_readdir(struct file * filp, v
44089  
44090                                 spin_unlock(&next->d_lock);
44091                                 spin_unlock(&dentry->d_lock);
44092 -                               if (filldir(dirent, next->d_name.name, 
44093 +                               name = next->d_name.name;
44094 +                               if (name == next->d_iname) {
44095 +                                       memcpy(d_name, name, next->d_name.len);
44096 +                                       name = d_name;
44097 +                               }
44098 +                               if (filldir(dirent, name, 
44099                                             next->d_name.len, filp->f_pos, 
44100                                             next->d_inode->i_ino, 
44101                                             dt_type(next->d_inode)) < 0)
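Review bot: The snapshot of the inline name reads `next->d_name.name` and `next->d_name.len` after `spin_unlock(&next->d_lock)`, and the `memcpy` trusts that the length still fits the `d_iname`-sized stack buffer; that holds only while nothing can rename `next` here, which presumably the directory's `i_mutex` held by the readdir caller guarantees, but the hunk does not say so. Moving the `name`/`memcpy` block above the two unlocks would make the copy self-evidently consistent; at minimum add a comment, e.g. `/* copy the inline name to the stack so filldir's source is not the dentry slab; i_mutex excludes a concurrent rename */`, with the usercopy motivation confirmed against the rest of the patch. Note that `d_name` never receives a terminator, which is fine only because `filldir` is passed the explicit length. dcache_readdir starts before this hunk.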
44102 diff -urNp linux-3.1.1/fs/lockd/clntproc.c linux-3.1.1/fs/lockd/clntproc.c
44103 --- linux-3.1.1/fs/lockd/clntproc.c     2011-11-11 15:19:27.000000000 -0500
44104 +++ linux-3.1.1/fs/lockd/clntproc.c     2011-11-16 18:40:29.000000000 -0500
44105 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
44106  /*
44107   * Cookie counter for NLM requests
44108   */
44109 -static atomic_t        nlm_cookie = ATOMIC_INIT(0x1234);
44110 +static atomic_unchecked_t      nlm_cookie = ATOMIC_INIT(0x1234);
44111  
44112  void nlmclnt_next_cookie(struct nlm_cookie *c)
44113  {
44114 -       u32     cookie = atomic_inc_return(&nlm_cookie);
44115 +       u32     cookie = atomic_inc_return_unchecked(&nlm_cookie);
44116  
44117         memcpy(c->data, &cookie, 4);
44118         c->len=4;
44119 @@ -621,6 +621,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
44120         struct nlm_rqst reqst, *req;
44121         int             status;
44122  
44123 +       pax_track_stack();
44124 +
44125         req = &reqst;
44126         memset(req, 0, sizeof(*req));
44127         locks_init_lock(&req->a_args.lock.fl);
44128 diff -urNp linux-3.1.1/fs/locks.c linux-3.1.1/fs/locks.c
44129 --- linux-3.1.1/fs/locks.c      2011-11-11 15:19:27.000000000 -0500
44130 +++ linux-3.1.1/fs/locks.c      2011-11-16 18:39:08.000000000 -0500
44131 @@ -2022,16 +2022,16 @@ void locks_remove_flock(struct file *fil
44132                 return;
44133  
44134         if (filp->f_op && filp->f_op->flock) {
44135 -               struct file_lock fl = {
44136 +               struct file_lock flock = {
44137                         .fl_pid = current->tgid,
44138                         .fl_file = filp,
44139                         .fl_flags = FL_FLOCK,
44140                         .fl_type = F_UNLCK,
44141                         .fl_end = OFFSET_MAX,
44142                 };
44143 -               filp->f_op->flock(filp, F_SETLKW, &fl);
44144 -               if (fl.fl_ops && fl.fl_ops->fl_release_private)
44145 -                       fl.fl_ops->fl_release_private(&fl);
44146 +               filp->f_op->flock(filp, F_SETLKW, &flock);
44147 +               if (flock.fl_ops && flock.fl_ops->fl_release_private)
44148 +                       flock.fl_ops->fl_release_private(&flock);
44149         }
44150  
44151         lock_flocks();
44152 diff -urNp linux-3.1.1/fs/logfs/super.c linux-3.1.1/fs/logfs/super.c
44153 --- linux-3.1.1/fs/logfs/super.c        2011-11-11 15:19:27.000000000 -0500
44154 +++ linux-3.1.1/fs/logfs/super.c        2011-11-16 18:40:29.000000000 -0500
44155 @@ -266,6 +266,8 @@ static int logfs_recover_sb(struct super
44156         struct logfs_disk_super _ds1, *ds1 = &_ds1;
44157         int err, valid0, valid1;
44158  
44159 +       pax_track_stack();
44160 +
44161         /* read first superblock */
44162         err = wbuf_read(sb, super->s_sb_ofs[0], sizeof(*ds0), ds0);
44163         if (err)
44164 diff -urNp linux-3.1.1/fs/namei.c linux-3.1.1/fs/namei.c
44165 --- linux-3.1.1/fs/namei.c      2011-11-11 15:19:27.000000000 -0500
44166 +++ linux-3.1.1/fs/namei.c      2011-11-17 00:36:54.000000000 -0500
44167 @@ -283,14 +283,22 @@ int generic_permission(struct inode *ino
44168  
44169         if (S_ISDIR(inode->i_mode)) {
44170                 /* DACs are overridable for directories */
44171 -               if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
44172 -                       return 0;
44173                 if (!(mask & MAY_WRITE))
44174                         if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
44175                                 return 0;
44176 +               if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
44177 +                       return 0;
44178                 return -EACCES;
44179         }
44180         /*
44181 +        * Searching includes executable on directories, else just read.
44182 +        */
44183 +       mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
44184 +       if (mask == MAY_READ)
44185 +               if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
44186 +                       return 0;
44187 +
44188 +       /*
44189          * Read/write DACs are always overridable.
44190          * Executable DACs are overridable when there is
44191          * at least one exec bit set.
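Review bot: Both the directory branch and the new file branch now consult `CAP_DAC_READ_SEARCH` before `CAP_DAC_OVERRIDE`, and since each branch returns 0 either way the reorder reads as a no-op unless one knows that a successful `ns_capable()` is observable (it presumably marks the task as having used a privilege and is what capability auditing and learning hooks see). A comment at the head of the block, `/* order matters: try the weaker CAP_DAC_READ_SEARCH first so the stronger CAP_DAC_OVERRIDE is neither recorded nor learned when it is not needed */`, would stop the change from being "simplified" back. The second hunk of this function (the block removed from its old position) is the other half of the same move. generic_permission starts before this hunk.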
44192 @@ -299,14 +307,6 @@ int generic_permission(struct inode *ino
44193                 if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
44194                         return 0;
44195  
44196 -       /*
44197 -        * Searching includes executable on directories, else just read.
44198 -        */
44199 -       mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
44200 -       if (mask == MAY_READ)
44201 -               if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
44202 -                       return 0;
44203 -
44204         return -EACCES;
44205  }
44206  
44207 @@ -653,11 +653,19 @@ follow_link(struct path *link, struct na
44208                 return error;
44209         }
44210  
44211 +       if (gr_handle_follow_link(dentry->d_parent->d_inode,
44212 +                                 dentry->d_inode, dentry, nd->path.mnt)) {
44213 +               error = -EACCES;
44214 +               *p = ERR_PTR(error); /* no ->put_link(), please */
44215 +               path_put(&nd->path);
44216 +               return error;
44217 +       }
44218 +
44219         nd->last_type = LAST_BIND;
44220         *p = dentry->d_inode->i_op->follow_link(dentry, nd);
44221         error = PTR_ERR(*p);
44222         if (!IS_ERR(*p)) {
44223 -               char *s = nd_get_link(nd);
44224 +               const char *s = nd_get_link(nd);
44225                 error = 0;
44226                 if (s)
44227                         error = __vfs_follow_link(nd, s);
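Review bot: `dentry->d_parent->d_inode` is read without `dentry->d_lock` or `rename_lock`, so if a concurrent rename can move `dentry` while this link is being followed, the parent pointer can change under the call; nothing visible in the hunk pins it (follow_link starts before this hunk). Either take a stable reference, `struct dentry *parent = dget_parent(dentry);` … `dput(parent);` around the check, or document what guarantees stability, e.g. `/* d_parent is stable here because … */`. The `*p = ERR_PTR(error)` assignment with its `/* no ->put_link(), please */` comment is right — it keeps the caller from invoking put_link on a link that was never followed.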
44228 @@ -1622,6 +1630,12 @@ static int path_lookupat(int dfd, const 
44229         if (!err)
44230                 err = complete_walk(nd);
44231  
44232 +       if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44233 +               if (!err)
44234 +                       path_put(&nd->path);
44235 +               err = -ENOENT;
44236 +       }
44237 +
44238         if (!err && nd->flags & LOOKUP_DIRECTORY) {
44239                 if (!nd->inode->i_op->lookup) {
44240                         path_put(&nd->path);
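Review bot: `gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)` runs before `err` is examined, so on an error return from the walk or `complete_walk` it inspects a path the failed walk has presumably already dropped; the inner `if (!err) path_put(&nd->path)` shows the author knew the refcount state differs but still called the hook first. Gate the whole check on success: `if (!err && !(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) { path_put(&nd->path); err = -ENOENT; }`. path_lookupat starts before this hunk, so whether `nd->path` is valid on the error path is inferred rather than visible.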
44241 @@ -1649,6 +1663,9 @@ static int do_path_lookup(int dfd, const
44242                 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
44243  
44244         if (likely(!retval)) {
44245 +               if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
44246 +                       return -ENOENT;
44247 +
44248                 if (unlikely(!audit_dummy_context())) {
44249                         if (nd->path.dentry && nd->inode)
44250                                 audit_inode(name, nd->path.dentry);
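Review bot: `return -ENOENT;` on the `gr_chroot_fchdir` denial leaves `nd->path` untouched although `retval == 0` means the lookup succeeded and the path holds dentry and mount references; this looks like a reference leak on every denial, unless `gr_chroot_fchdir` releases them itself, which would be unusual for a check function. Change it to `{ path_put(&nd->path); return -ENOENT; }`. do_path_lookup starts before this hunk, so the surrounding cleanup convention is not visible.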
44251 @@ -2049,7 +2066,27 @@ static int may_open(struct path *path, i
44252         /*
44253          * Ensure there are no outstanding leases on the file.
44254          */
44255 -       return break_lease(inode, flag);
44256 +       error = break_lease(inode, flag);
44257 +
44258 +       if (error)
44259 +               return error;
44260 +
44261 +       if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
44262 +               error = -EPERM;
44263 +               goto exit;
44264 +       }
44265 +
44266 +       if (gr_handle_rawio(inode)) {
44267 +               error = -EPERM;
44268 +               goto exit;
44269 +       }
44270 +
44271 +       if (!gr_acl_handle_open(dentry, path->mnt, acc_mode)) {
44272 +               error = -EACCES;
44273 +               goto exit;
44274 +       }
44275 +exit:
44276 +       return error;
44277  }
44278  
44279  static int handle_truncate(struct file *filp)
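Review bot: `break_lease()` now runs before the three grsecurity checks, so an open the ACL is about to deny still breaks — or blocks on — any lease held on the inode, an observable side effect on the lease holder for an open that never happens, and in the blocking case a delay an unprivileged opener can trigger. Running `gr_handle_rofs_blockwrite`, `gr_handle_rawio` and `gr_acl_handle_open` first and returning `break_lease(inode, flag)` last, as the original did, avoids that; the checks do not depend on the lease result. Separately, the `goto exit` / `exit: return error;` pattern adds nothing over returning the error code directly. may_open starts before this hunk, so the declarations of `error`, `dentry` and `acc_mode` are not visible.
```c
	/* … unchanged: earlier checks in may_open … */

	/* deny before touching leases: a refused open must not break or block on one */
	if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode))
		return -EPERM;
	if (gr_handle_rawio(inode))
		return -EPERM;
	if (!gr_acl_handle_open(dentry, path->mnt, acc_mode))
		return -EACCES;

	/*
	 * Ensure there are no outstanding leases on the file.
	 */
	return break_lease(inode, flag);
}
```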
44280 @@ -2110,6 +2147,10 @@ static struct file *do_last(struct namei
44281                 error = complete_walk(nd);
44282                 if (error)
44283                         return ERR_PTR(error);
44284 +               if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44285 +                       error = -ENOENT;
44286 +                       goto exit;
44287 +               }
44288                 audit_inode(pathname, nd->path.dentry);
44289                 if (open_flag & O_CREAT) {
44290                         error = -EISDIR;
44291 @@ -2120,6 +2161,10 @@ static struct file *do_last(struct namei
44292                 error = complete_walk(nd);
44293                 if (error)
44294                         return ERR_PTR(error);
44295 +               if (!gr_acl_handle_hidden_file(dir, nd->path.mnt)) {
44296 +                       error = -ENOENT;
44297 +                       goto exit;
44298 +               }
44299                 audit_inode(pathname, dir);
44300                 goto ok;
44301         }
44302 @@ -2142,6 +2187,11 @@ static struct file *do_last(struct namei
44303                 if (error)
44304                         return ERR_PTR(-ECHILD);
44305  
44306 +               if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44307 +                       error = -ENOENT;
44308 +                       goto exit;
44309 +               }
44310 +
44311                 error = -ENOTDIR;
44312                 if (nd->flags & LOOKUP_DIRECTORY) {
44313                         if (!nd->inode->i_op->lookup)
44314 @@ -2181,6 +2231,12 @@ static struct file *do_last(struct namei
44315         /* Negative dentry, just create the file */
44316         if (!dentry->d_inode) {
44317                 int mode = op->mode;
44318 +
44319 +               if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, open_flag, acc_mode, mode)) {
44320 +                       error = -EACCES;
44321 +                       goto exit_mutex_unlock;
44322 +               }
44323 +
44324                 if (!IS_POSIXACL(dir->d_inode))
44325                         mode &= ~current_umask();
44326                 /*
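Review bot: `gr_acl_handle_creat(…, mode)` receives `mode` before `mode &= ~current_umask()` is applied two lines later, so the ACL decision is made on the requested mode rather than the mode the file will actually be created with. If that is intended — so a permissive umask cannot be used to sidestep a mode-based rule — a comment should say so, e.g. `/* checked against the requested mode, before umask, on purpose */`; if not, the check belongs after the umask line. do_last starts before this hunk.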
44327 @@ -2204,6 +2260,8 @@ static struct file *do_last(struct namei
44328                 error = vfs_create(dir->d_inode, dentry, mode, nd);
44329                 if (error)
44330                         goto exit_mutex_unlock;
44331 +               else
44332 +                       gr_handle_create(path->dentry, path->mnt);
44333                 mutex_unlock(&dir->d_inode->i_mutex);
44334                 dput(nd->path.dentry);
44335                 nd->path.dentry = dentry;
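Review bot: The `else` after `goto exit_mutex_unlock;` is dead syntax — control never reaches it when the goto is taken — and kernel style drops it: `if (error) goto exit_mutex_unlock; gr_handle_create(path->dentry, path->mnt);`. That also keeps the create hook at the same indentation as the unlock that follows it. do_last continues outside the hunk.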
44336 @@ -2213,6 +2271,19 @@ static struct file *do_last(struct namei
44337         /*
44338          * It already exists.
44339          */
44340 +
44341 +       if (!gr_acl_handle_hidden_file(dentry, nd->path.mnt)) {
44342 +               error = -ENOENT;
44343 +               goto exit_mutex_unlock;
44344 +       }
44345 +
44346 +       /* only check if O_CREAT is specified, all other checks need to go
44347 +          into may_open */
44348 +       if (gr_handle_fifo(path->dentry, path->mnt, dir, open_flag, acc_mode)) {
44349 +               error = -EACCES;
44350 +               goto exit_mutex_unlock;
44351 +       }
44352 +
44353         mutex_unlock(&dir->d_inode->i_mutex);
44354         audit_inode(pathname, path->dentry);
44355  
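Review bot: The comment `only check if O_CREAT is specified, all other checks need to go into may_open` does not match what the code shows: `gr_handle_fifo` is called unconditionally, so the O_CREAT gating presumably lives inside the hook, while the comment reads as if the caller were meant to test `open_flag & O_CREAT`. Rephrase so the contract is stated on the right side, e.g. `/* gr_handle_fifo only acts when O_CREAT is set; other open-time checks belong in may_open() */`, and use the kernel's multi-line comment layout rather than the two-line form. do_last continues outside the hunk.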
44356 @@ -2425,6 +2496,11 @@ struct dentry *kern_path_create(int dfd,
44357         *path = nd.path;
44358         return dentry;
44359  eexist:
44360 +       if (!gr_acl_handle_hidden_file(dentry, nd.path.mnt)) {
44361 +               dput(dentry);
44362 +               dentry = ERR_PTR(-ENOENT);
44363 +               goto fail;
44364 +       }
44365         dput(dentry);
44366         dentry = ERR_PTR(-EEXIST);
44367  fail:
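Review bot: On the `eexist:` path the hidden-file check turns `-EEXIST` into `-ENOENT`, which is what keeps the create syscalls from confirming the existence of a name the caller is not allowed to see — but nothing in the hunk says so, and a later reader may "fix" the error code back. A comment above the check, `/* a hidden existing entry must look absent; returning EEXIST would leak its presence */`, records the intent. kern_path_create starts before this hunk; the `fail:` label is visible, so the `dput(dentry)` before the reassignment matches the existing cleanup.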
44368 @@ -2447,6 +2523,20 @@ struct dentry *user_path_create(int dfd,
44369  }
44370  EXPORT_SYMBOL(user_path_create);
44371  
44372 +static struct dentry *user_path_create_with_name(int dfd, const char __user *pathname, struct path *path, char **to, int is_dir)
44373 +{
44374 +       char *tmp = getname(pathname);
44375 +       struct dentry *res;
44376 +       if (IS_ERR(tmp))
44377 +               return ERR_CAST(tmp);
44378 +       res = kern_path_create(dfd, tmp, path, is_dir);
44379 +       if (IS_ERR(res))
44380 +               putname(tmp);
44381 +       else
44382 +               *to = tmp;
44383 +       return res;
44384 +}
44385 +
44386  int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
44387  {
44388         int error = may_create(dir, dentry);
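Review bot: `user_path_create_with_name` hands ownership of the `getname()` buffer to the caller through `*to` on success and frees it on failure, but that contract is undocumented, and `*to` is left unset on failure; it is also `static` with no caller in this hunk, so the rest of the patch must introduce one. A kernel-doc block above it should state: on success `*to` holds the kernel copy of `pathname` and the caller must `putname(*to)` once it is done with the returned dentry; on error `*to` is untouched and nothing is leaked. The wrapper otherwise mirrors user_path_create, which is the right shape.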
44389 @@ -2514,6 +2604,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
44390         error = mnt_want_write(path.mnt);
44391         if (error)
44392                 goto out_dput;
44393 +
44394 +       if (gr_handle_chroot_mknod(dentry, path.mnt, mode)) {
44395 +               error = -EPERM;
44396 +               goto out_drop_write;
44397 +       }
44398 +
44399 +       if (!gr_acl_handle_mknod(dentry, path.dentry, path.mnt, mode)) {
44400 +               error = -EACCES;
44401 +               goto out_drop_write;
44402 +       }
44403 +
44404         error = security_path_mknod(&path, dentry, mode, dev);
44405         if (error)
44406                 goto out_drop_write;
44407 @@ -2531,6 +2632,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
44408         }
44409  out_drop_write:
44410         mnt_drop_write(path.mnt);
44411 +
44412 +       if (!error)
44413 +               gr_handle_create(dentry, path.mnt);
44414  out_dput:
44415         dput(dentry);
44416         mutex_unlock(&path.dentry->d_inode->i_mutex);
44417 @@ -2580,12 +2684,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
44418         error = mnt_want_write(path.mnt);
44419         if (error)
44420                 goto out_dput;
44421 +
44422 +       if (!gr_acl_handle_mkdir(dentry, path.dentry, path.mnt)) {
44423 +               error = -EACCES;
44424 +               goto out_drop_write;
44425 +       }
44426 +
44427         error = security_path_mkdir(&path, dentry, mode);
44428         if (error)
44429                 goto out_drop_write;
44430         error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
44431  out_drop_write:
44432         mnt_drop_write(path.mnt);
44433 +
44434 +       if (!error)
44435 +               gr_handle_create(dentry, path.mnt);
44436  out_dput:
44437         dput(dentry);
44438         mutex_unlock(&path.dentry->d_inode->i_mutex);
44439 @@ -2665,6 +2778,8 @@ static long do_rmdir(int dfd, const char
44440         char * name;
44441         struct dentry *dentry;
44442         struct nameidata nd;
44443 +       ino_t saved_ino = 0;
44444 +       dev_t saved_dev = 0;
44445  
44446         error = user_path_parent(dfd, pathname, &nd, &name);
44447         if (error)
44448 @@ -2693,6 +2808,15 @@ static long do_rmdir(int dfd, const char
44449                 error = -ENOENT;
44450                 goto exit3;
44451         }
44452 +
44453 +       saved_ino = dentry->d_inode->i_ino;
44454 +       saved_dev = gr_get_dev_from_dentry(dentry);
44455 +
44456 +       if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
44457 +               error = -EACCES;
44458 +               goto exit3;
44459 +       }
44460 +
44461         error = mnt_want_write(nd.path.mnt);
44462         if (error)
44463                 goto exit3;
44464 @@ -2700,6 +2824,8 @@ static long do_rmdir(int dfd, const char
44465         if (error)
44466                 goto exit4;
44467         error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
44468 +       if (!error && (saved_dev || saved_ino))
44469 +               gr_handle_delete(saved_ino, saved_dev);
44470  exit4:
44471         mnt_drop_write(nd.path.mnt);
44472  exit3:
44473 @@ -2762,6 +2888,8 @@ static long do_unlinkat(int dfd, const c
44474         struct dentry *dentry;
44475         struct nameidata nd;
44476         struct inode *inode = NULL;
44477 +       ino_t saved_ino = 0;
44478 +       dev_t saved_dev = 0;
44479  
44480         error = user_path_parent(dfd, pathname, &nd, &name);
44481         if (error)
44482 @@ -2784,6 +2912,16 @@ static long do_unlinkat(int dfd, const c
44483                 if (!inode)
44484                         goto slashes;
44485                 ihold(inode);
44486 +
44487 +               if (inode->i_nlink <= 1) {
44488 +                       saved_ino = inode->i_ino;
44489 +                       saved_dev = gr_get_dev_from_dentry(dentry);
44490 +               }
44491 +               if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
44492 +                       error = -EACCES;
44493 +                       goto exit2;
44494 +               }
44495 +
44496                 error = mnt_want_write(nd.path.mnt);
44497                 if (error)
44498                         goto exit2;
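Review bot: The `inode->i_nlink <= 1` snapshot that decides whether `gr_handle_delete` fires later is taken before `mnt_want_write` and before `vfs_unlink`, under the parent directory's i_mutex only; a concurrent link() or unlink() of the same inode through another directory is not excluded by that lock, so the saved ino/dev may not reflect the link count at the moment of removal. If the hook is only an audit hint, a one-line comment such as `/* best-effort snapshot: a racing link() through another directory may keep the inode alive */` would make that explicit; do_rmdir saves the identifiers unconditionally, which is the simpler rule for directories. The enclosing do_unlinkat body starts and ends outside this hunk.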
44499 @@ -2791,6 +2929,8 @@ static long do_unlinkat(int dfd, const c
44500                 if (error)
44501                         goto exit3;
44502                 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
44503 +               if (!error && (saved_ino || saved_dev))
44504 +                       gr_handle_delete(saved_ino, saved_dev);
44505  exit3:
44506                 mnt_drop_write(nd.path.mnt);
44507         exit2:
44508 @@ -2866,10 +3006,18 @@ SYSCALL_DEFINE3(symlinkat, const char __
44509         error = mnt_want_write(path.mnt);
44510         if (error)
44511                 goto out_dput;
44512 +
44513 +       if (!gr_acl_handle_symlink(dentry, path.dentry, path.mnt, from)) {
44514 +               error = -EACCES;
44515 +               goto out_drop_write;
44516 +       }
44517 +
44518         error = security_path_symlink(&path, dentry, from);
44519         if (error)
44520                 goto out_drop_write;
44521         error = vfs_symlink(path.dentry->d_inode, dentry, from);
44522 +       if (!error)
44523 +               gr_handle_create(dentry, path.mnt);
44524  out_drop_write:
44525         mnt_drop_write(path.mnt);
44526  out_dput:
44527 @@ -2941,6 +3089,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44528  {
44529         struct dentry *new_dentry;
44530         struct path old_path, new_path;
44531 +       char *to;
44532         int how = 0;
44533         int error;
44534  
44535 @@ -2964,7 +3113,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44536         if (error)
44537                 return error;
44538  
44539 -       new_dentry = user_path_create(newdfd, newname, &new_path, 0);
44540 +       new_dentry = user_path_create_with_name(newdfd, newname, &new_path, &to, 0);
44541         error = PTR_ERR(new_dentry);
44542         if (IS_ERR(new_dentry))
44543                 goto out;
44544 @@ -2975,13 +3124,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44545         error = mnt_want_write(new_path.mnt);
44546         if (error)
44547                 goto out_dput;
44548 +
44549 +       if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
44550 +                              old_path.dentry->d_inode,
44551 +                              old_path.dentry->d_inode->i_mode, to)) {
44552 +               error = -EACCES;
44553 +               goto out_drop_write;
44554 +       }
44555 +
44556 +       if (!gr_acl_handle_link(new_dentry, new_path.dentry, new_path.mnt,
44557 +                               old_path.dentry, old_path.mnt, to)) {
44558 +               error = -EACCES;
44559 +               goto out_drop_write;
44560 +       }
44561 +
44562         error = security_path_link(old_path.dentry, &new_path, new_dentry);
44563         if (error)
44564                 goto out_drop_write;
44565         error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry);
44566 +       if (!error)
44567 +               gr_handle_create(new_dentry, new_path.mnt);
44568  out_drop_write:
44569         mnt_drop_write(new_path.mnt);
44570  out_dput:
44571 +       putname(to);
44572         dput(new_dentry);
44573         mutex_unlock(&new_path.dentry->d_inode->i_mutex);
44574         path_put(&new_path);
44575 @@ -3153,6 +3319,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44576         char *to;
44577         int error;
44578  
44579 +       pax_track_stack();
44580 +
44581         error = user_path_parent(olddfd, oldname, &oldnd, &from);
44582         if (error)
44583                 goto exit;
44584 @@ -3209,6 +3377,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44585         if (new_dentry == trap)
44586                 goto exit5;
44587  
44588 +       error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
44589 +                                    old_dentry, old_dir->d_inode, oldnd.path.mnt,
44590 +                                    to);
44591 +       if (error)
44592 +               goto exit5;
44593 +
44594         error = mnt_want_write(oldnd.path.mnt);
44595         if (error)
44596                 goto exit5;
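Review bot: `gr_acl_handle_rename` is the only gr_acl_* hook in this file whose return value is assigned directly to `error`; the mknod, mkdir, rmdir, unlink, symlink and link hunks treat a zero return as a denial and translate it to `-EACCES` themselves. If this hook returns 0 for allow and a negative errno for deny, a short comment on the call, `/* returns 0 or -errno, unlike the boolean gr_acl_handle_* hooks */`, would stop a reader from assuming the boolean convention; if it followed the boolean form, allowed renames would fail and denied ones would proceed, so pinning the contract in a comment is worth the line. The enclosing renameat body starts and ends outside this hunk.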
44597 @@ -3218,6 +3392,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44598                 goto exit6;
44599         error = vfs_rename(old_dir->d_inode, old_dentry,
44600                                    new_dir->d_inode, new_dentry);
44601 +       if (!error)
44602 +               gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
44603 +                                new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
44604  exit6:
44605         mnt_drop_write(oldnd.path.mnt);
44606  exit5:
44607 @@ -3243,6 +3420,8 @@ SYSCALL_DEFINE2(rename, const char __use
44608  
44609  int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
44610  {
44611 +       char tmpbuf[64];
44612 +       const char *newlink;
44613         int len;
44614  
44615         len = PTR_ERR(link);
44616 @@ -3252,7 +3431,14 @@ int vfs_readlink(struct dentry *dentry, 
44617         len = strlen(link);
44618         if (len > (unsigned) buflen)
44619                 len = buflen;
44620 -       if (copy_to_user(buffer, link, len))
44621 +
44622 +       if (len < sizeof(tmpbuf)) {
44623 +               memcpy(tmpbuf, link, len);
44624 +               newlink = tmpbuf;
44625 +       } else
44626 +               newlink = link;
44627 +
44628 +       if (copy_to_user(buffer, newlink, len))
44629                 len = -EFAULT;
44630  out:
44631         return len;
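Review bot: The new staging of short link targets through `tmpbuf` before `copy_to_user` carries no comment explaining why the copy exists; nothing in the hunk says where `link` may point or what is gained by bouncing it through the stack, so the next maintainer is left to guess. A line such as `/* stage short targets on the stack so copy_to_user never reads the caller's link buffer directly -- reason to be confirmed */` would anchor the intent. Separately, `len < sizeof(tmpbuf)` compares a signed `int` with `size_t`; `len` is non-negative at this point after the strlen/clamp above, so the result is right, but `len < (int)sizeof(tmpbuf)` avoids the sign-compare warning. The function's closing brace is outside the hunk.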
44632 diff -urNp linux-3.1.1/fs/namespace.c linux-3.1.1/fs/namespace.c
44633 --- linux-3.1.1/fs/namespace.c  2011-11-11 15:19:27.000000000 -0500
44634 +++ linux-3.1.1/fs/namespace.c  2011-11-16 18:40:29.000000000 -0500
44635 @@ -1329,6 +1329,9 @@ static int do_umount(struct vfsmount *mn
44636                 if (!(sb->s_flags & MS_RDONLY))
44637                         retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
44638                 up_write(&sb->s_umount);
44639 +
44640 +               gr_log_remount(mnt->mnt_devname, retval);
44641 +
44642                 return retval;
44643         }
44644  
44645 @@ -1348,6 +1351,9 @@ static int do_umount(struct vfsmount *mn
44646         br_write_unlock(vfsmount_lock);
44647         up_write(&namespace_sem);
44648         release_mounts(&umount_list);
44649 +
44650 +       gr_log_unmount(mnt->mnt_devname, retval);
44651 +
44652         return retval;
44653  }
44654  
44655 @@ -2339,6 +2345,16 @@ long do_mount(char *dev_name, char *dir_
44656                    MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
44657                    MS_STRICTATIME);
44658  
44659 +       if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
44660 +               retval = -EPERM;
44661 +               goto dput_out;
44662 +       }
44663 +
44664 +       if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
44665 +               retval = -EPERM;
44666 +               goto dput_out;
44667 +       }
44668 +
44669         if (flags & MS_REMOUNT)
44670                 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
44671                                     data_page);
44672 @@ -2353,6 +2369,9 @@ long do_mount(char *dev_name, char *dir_
44673                                       dev_name, data_page);
44674  dput_out:
44675         path_put(&path);
44676 +
44677 +       gr_log_mount(dev_name, dir_name, retval);
44678 +
44679         return retval;
44680  }
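Review bot: `gr_log_mount(dev_name, dir_name, retval)` now runs on every exit from do_mount, including the early `goto dput_out` paths added in the previous hunk, and `dev_name` can plausibly be NULL for filesystems that take no source; nothing visible in the hunk rejects a NULL `dev_name` before the call. The logging hook therefore has to tolerate a NULL first argument, and if it already does, a comment on the call, `/* dev_name may be NULL for source-less mounts */`, would record the assumption where the call is made. The enclosing do_mount body starts outside this hunk.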
44681  
44682 @@ -2576,6 +2595,11 @@ SYSCALL_DEFINE2(pivot_root, const char _
44683         if (error)
44684                 goto out2;
44685  
44686 +       if (gr_handle_chroot_pivot()) {
44687 +               error = -EPERM;
44688 +               goto out2;
44689 +       }
44690 +
44691         get_fs_root(current->fs, &root);
44692         error = lock_mount(&old);
44693         if (error)
44694 diff -urNp linux-3.1.1/fs/ncpfs/dir.c linux-3.1.1/fs/ncpfs/dir.c
44695 --- linux-3.1.1/fs/ncpfs/dir.c  2011-11-11 15:19:27.000000000 -0500
44696 +++ linux-3.1.1/fs/ncpfs/dir.c  2011-11-16 18:40:29.000000000 -0500
44697 @@ -299,6 +299,8 @@ ncp_lookup_validate(struct dentry *dentr
44698         int res, val = 0, len;
44699         __u8 __name[NCP_MAXPATHLEN + 1];
44700  
44701 +       pax_track_stack();
44702 +
44703         if (dentry == dentry->d_sb->s_root)
44704                 return 1;
44705  
44706 @@ -844,6 +846,8 @@ static struct dentry *ncp_lookup(struct 
44707         int error, res, len;
44708         __u8 __name[NCP_MAXPATHLEN + 1];
44709  
44710 +       pax_track_stack();
44711 +
44712         error = -EIO;
44713         if (!ncp_conn_valid(server))
44714                 goto finished;
44715 @@ -931,6 +935,8 @@ int ncp_create_new(struct inode *dir, st
44716         PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
44717                 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
44718  
44719 +       pax_track_stack();
44720 +
44721         ncp_age_dentry(server, dentry);
44722         len = sizeof(__name);
44723         error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
44724 @@ -992,6 +998,8 @@ static int ncp_mkdir(struct inode *dir, 
44725         int error, len;
44726         __u8 __name[NCP_MAXPATHLEN + 1];
44727  
44728 +       pax_track_stack();
44729 +
44730         DPRINTK("ncp_mkdir: making %s/%s\n",
44731                 dentry->d_parent->d_name.name, dentry->d_name.name);
44732  
44733 @@ -1140,6 +1148,8 @@ static int ncp_rename(struct inode *old_
44734         int old_len, new_len;
44735         __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
44736  
44737 +       pax_track_stack();
44738 +
44739         DPRINTK("ncp_rename: %s/%s to %s/%s\n",
44740                 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
44741                 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
44742 diff -urNp linux-3.1.1/fs/ncpfs/inode.c linux-3.1.1/fs/ncpfs/inode.c
44743 --- linux-3.1.1/fs/ncpfs/inode.c        2011-11-11 15:19:27.000000000 -0500
44744 +++ linux-3.1.1/fs/ncpfs/inode.c        2011-11-16 18:40:29.000000000 -0500
44745 @@ -461,6 +461,8 @@ static int ncp_fill_super(struct super_b
44746  #endif
44747         struct ncp_entry_info finfo;
44748  
44749 +       pax_track_stack();
44750 +
44751         memset(&data, 0, sizeof(data));
44752         server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
44753         if (!server)
44754 diff -urNp linux-3.1.1/fs/nfs/blocklayout/blocklayout.c linux-3.1.1/fs/nfs/blocklayout/blocklayout.c
44755 --- linux-3.1.1/fs/nfs/blocklayout/blocklayout.c        2011-11-11 15:19:27.000000000 -0500
44756 +++ linux-3.1.1/fs/nfs/blocklayout/blocklayout.c        2011-11-16 18:39:08.000000000 -0500
44757 @@ -90,7 +90,7 @@ static int is_writable(struct pnfs_block
44758   */
44759  struct parallel_io {
44760         struct kref refcnt;
44761 -       struct rpc_call_ops call_ops;
44762 +       rpc_call_ops_no_const call_ops;
44763         void (*pnfs_callback) (void *data);
44764         void *data;
44765  };
44766 diff -urNp linux-3.1.1/fs/nfs/inode.c linux-3.1.1/fs/nfs/inode.c
44767 --- linux-3.1.1/fs/nfs/inode.c  2011-11-11 15:19:27.000000000 -0500
44768 +++ linux-3.1.1/fs/nfs/inode.c  2011-11-16 18:39:08.000000000 -0500
44769 @@ -150,7 +150,7 @@ static void nfs_zap_caches_locked(struct
44770         nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
44771         nfsi->attrtimeo_timestamp = jiffies;
44772  
44773 -       memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
44774 +       memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
44775         if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
44776                 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
44777         else
44778 @@ -1002,16 +1002,16 @@ static int nfs_size_need_update(const st
44779         return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
44780  }
44781  
44782 -static atomic_long_t nfs_attr_generation_counter;
44783 +static atomic_long_unchecked_t nfs_attr_generation_counter;
44784  
44785  static unsigned long nfs_read_attr_generation_counter(void)
44786  {
44787 -       return atomic_long_read(&nfs_attr_generation_counter);
44788 +       return atomic_long_read_unchecked(&nfs_attr_generation_counter);
44789  }
44790  
44791  unsigned long nfs_inc_attr_generation_counter(void)
44792  {
44793 -       return atomic_long_inc_return(&nfs_attr_generation_counter);
44794 +       return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
44795  }
44796  
44797  void nfs_fattr_init(struct nfs_fattr *fattr)
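Review bot: Switching `nfs_attr_generation_counter` to `atomic_long_unchecked_t` exempts it from the overflow detection that the checked atomics provide, and nothing in the hunk records why that exemption is safe. For a generation counter wraparound is harmless, so a one-line comment on the declaration, `/* generation counter: wraparound is expected, so exempt from overflow checking */`, would distinguish this deliberate opt-out from an accidental one. The same applies to `fsnotify_sync_cookie` in fs/notify/notification.c and to the `ocfs2_alloc_stats` counters in fs/ocfs2/ocfs2.h, which are statistics rather than references.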
44798 diff -urNp linux-3.1.1/fs/nfsd/nfs4state.c linux-3.1.1/fs/nfsd/nfs4state.c
44799 --- linux-3.1.1/fs/nfsd/nfs4state.c     2011-11-11 15:19:27.000000000 -0500
44800 +++ linux-3.1.1/fs/nfsd/nfs4state.c     2011-11-16 18:40:29.000000000 -0500
44801 @@ -3999,6 +3999,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
44802         unsigned int strhashval;
44803         int err;
44804  
44805 +       pax_track_stack();
44806 +
44807         dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
44808                 (long long) lock->lk_offset,
44809                 (long long) lock->lk_length);
44810 diff -urNp linux-3.1.1/fs/nfsd/nfs4xdr.c linux-3.1.1/fs/nfsd/nfs4xdr.c
44811 --- linux-3.1.1/fs/nfsd/nfs4xdr.c       2011-11-11 15:19:27.000000000 -0500
44812 +++ linux-3.1.1/fs/nfsd/nfs4xdr.c       2011-11-16 18:40:29.000000000 -0500
44813 @@ -1875,6 +1875,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
44814                 .dentry = dentry,
44815         };
44816  
44817 +       pax_track_stack();
44818 +
44819         BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
44820         BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
44821         BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
44822 diff -urNp linux-3.1.1/fs/nfsd/vfs.c linux-3.1.1/fs/nfsd/vfs.c
44823 --- linux-3.1.1/fs/nfsd/vfs.c   2011-11-11 15:19:27.000000000 -0500
44824 +++ linux-3.1.1/fs/nfsd/vfs.c   2011-11-16 18:39:08.000000000 -0500
44825 @@ -896,7 +896,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
44826         } else {
44827                 oldfs = get_fs();
44828                 set_fs(KERNEL_DS);
44829 -               host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
44830 +               host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
44831                 set_fs(oldfs);
44832         }
44833  
44834 @@ -1000,7 +1000,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
44835  
44836         /* Write the data. */
44837         oldfs = get_fs(); set_fs(KERNEL_DS);
44838 -       host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
44839 +       host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &offset);
44840         set_fs(oldfs);
44841         if (host_err < 0)
44842                 goto out_nfserr;
44843 @@ -1535,7 +1535,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
44844          */
44845  
44846         oldfs = get_fs(); set_fs(KERNEL_DS);
44847 -       host_err = inode->i_op->readlink(dentry, buf, *lenp);
44848 +       host_err = inode->i_op->readlink(dentry, (char __force_user *)buf, *lenp);
44849         set_fs(oldfs);
44850  
44851         if (host_err < 0)
44852 diff -urNp linux-3.1.1/fs/notify/fanotify/fanotify_user.c linux-3.1.1/fs/notify/fanotify/fanotify_user.c
44853 --- linux-3.1.1/fs/notify/fanotify/fanotify_user.c      2011-11-11 15:19:27.000000000 -0500
44854 +++ linux-3.1.1/fs/notify/fanotify/fanotify_user.c      2011-11-16 18:39:08.000000000 -0500
44855 @@ -276,7 +276,8 @@ static ssize_t copy_event_to_user(struct
44856                 goto out_close_fd;
44857  
44858         ret = -EFAULT;
44859 -       if (copy_to_user(buf, &fanotify_event_metadata,
44860 +       if (fanotify_event_metadata.event_len > sizeof fanotify_event_metadata ||
44861 +           copy_to_user(buf, &fanotify_event_metadata,
44862                          fanotify_event_metadata.event_len))
44863                 goto out_kill_access_response;
44864  
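Review bot: The new bound on `fanotify_event_metadata.event_len` is a sound guard against reading past the stack struct, but it shares the `ret = -EFAULT` set just above it, so a kernel-side length that exceeds the struct would be reported to userspace as a bad address rather than as an internal error. Since `event_len` is filled in by the kernel, the failing case indicates a bug rather than a user fault; testing it separately with `if (WARN_ON_ONCE(fanotify_event_metadata.event_len > sizeof fanotify_event_metadata))` and a distinct errno before the `copy_to_user` would make that visible both in the log and to the caller. The enclosing copy_event_to_user body starts and ends outside this hunk.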
44865 diff -urNp linux-3.1.1/fs/notify/notification.c linux-3.1.1/fs/notify/notification.c
44866 --- linux-3.1.1/fs/notify/notification.c        2011-11-11 15:19:27.000000000 -0500
44867 +++ linux-3.1.1/fs/notify/notification.c        2011-11-16 18:39:08.000000000 -0500
44868 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
44869   * get set to 0 so it will never get 'freed'
44870   */
44871  static struct fsnotify_event *q_overflow_event;
44872 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
44873 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
44874  
44875  /**
44876   * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
44877 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
44878   */
44879  u32 fsnotify_get_cookie(void)
44880  {
44881 -       return atomic_inc_return(&fsnotify_sync_cookie);
44882 +       return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
44883  }
44884  EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
44885  
44886 diff -urNp linux-3.1.1/fs/ntfs/dir.c linux-3.1.1/fs/ntfs/dir.c
44887 --- linux-3.1.1/fs/ntfs/dir.c   2011-11-11 15:19:27.000000000 -0500
44888 +++ linux-3.1.1/fs/ntfs/dir.c   2011-11-16 18:39:08.000000000 -0500
44889 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
44890         ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
44891                         ~(s64)(ndir->itype.index.block_size - 1)));
44892         /* Bounds checks. */
44893 -       if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
44894 +       if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
44895                 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
44896                                 "inode 0x%lx or driver bug.", vdir->i_ino);
44897                 goto err_out;
44898 diff -urNp linux-3.1.1/fs/ntfs/file.c linux-3.1.1/fs/ntfs/file.c
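Review bot: The added `!kaddr` test sits after `ia` has already been computed from `kaddr` two lines earlier, so the NULL case still performs pointer arithmetic on a null pointer before being rejected; that is undefined behavior in C even though the kernel tolerates it in practice. Checking `kaddr` before the `ia = (INDEX_ALLOCATION*)(kaddr + ...)` assignment, and leaving the original bounds test unchanged, keeps the guard ahead of the first use. Where `kaddr` is obtained is outside the hunk, so whether it can actually be NULL is not verifiable here.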
44899 --- linux-3.1.1/fs/ntfs/file.c  2011-11-11 15:19:27.000000000 -0500
44900 +++ linux-3.1.1/fs/ntfs/file.c  2011-11-16 18:39:08.000000000 -0500
44901 @@ -2229,6 +2229,6 @@ const struct inode_operations ntfs_file_
44902  #endif /* NTFS_RW */
44903  };
44904  
44905 -const struct file_operations ntfs_empty_file_ops = {};
44906 +const struct file_operations ntfs_empty_file_ops __read_only;
44907  
44908 -const struct inode_operations ntfs_empty_inode_ops = {};
44909 +const struct inode_operations ntfs_empty_inode_ops __read_only;
44910 diff -urNp linux-3.1.1/fs/ocfs2/localalloc.c linux-3.1.1/fs/ocfs2/localalloc.c
44911 --- linux-3.1.1/fs/ocfs2/localalloc.c   2011-11-11 15:19:27.000000000 -0500
44912 +++ linux-3.1.1/fs/ocfs2/localalloc.c   2011-11-16 18:39:08.000000000 -0500
44913 @@ -1283,7 +1283,7 @@ static int ocfs2_local_alloc_slide_windo
44914                 goto bail;
44915         }
44916  
44917 -       atomic_inc(&osb->alloc_stats.moves);
44918 +       atomic_inc_unchecked(&osb->alloc_stats.moves);
44919  
44920  bail:
44921         if (handle)
44922 diff -urNp linux-3.1.1/fs/ocfs2/namei.c linux-3.1.1/fs/ocfs2/namei.c
44923 --- linux-3.1.1/fs/ocfs2/namei.c        2011-11-11 15:19:27.000000000 -0500
44924 +++ linux-3.1.1/fs/ocfs2/namei.c        2011-11-16 18:40:29.000000000 -0500
44925 @@ -1063,6 +1063,8 @@ static int ocfs2_rename(struct inode *ol
44926         struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
44927         struct ocfs2_dir_lookup_result target_insert = { NULL, };
44928  
44929 +       pax_track_stack();
44930 +
44931         /* At some point it might be nice to break this function up a
44932          * bit. */
44933  
44934 diff -urNp linux-3.1.1/fs/ocfs2/ocfs2.h linux-3.1.1/fs/ocfs2/ocfs2.h
44935 --- linux-3.1.1/fs/ocfs2/ocfs2.h        2011-11-11 15:19:27.000000000 -0500
44936 +++ linux-3.1.1/fs/ocfs2/ocfs2.h        2011-11-16 18:39:08.000000000 -0500
44937 @@ -235,11 +235,11 @@ enum ocfs2_vol_state
44938  
44939  struct ocfs2_alloc_stats
44940  {
44941 -       atomic_t moves;
44942 -       atomic_t local_data;
44943 -       atomic_t bitmap_data;
44944 -       atomic_t bg_allocs;
44945 -       atomic_t bg_extends;
44946 +       atomic_unchecked_t moves;
44947 +       atomic_unchecked_t local_data;
44948 +       atomic_unchecked_t bitmap_data;
44949 +       atomic_unchecked_t bg_allocs;
44950 +       atomic_unchecked_t bg_extends;
44951  };
44952  
44953  enum ocfs2_local_alloc_state
44954 diff -urNp linux-3.1.1/fs/ocfs2/suballoc.c linux-3.1.1/fs/ocfs2/suballoc.c
44955 --- linux-3.1.1/fs/ocfs2/suballoc.c     2011-11-11 15:19:27.000000000 -0500
44956 +++ linux-3.1.1/fs/ocfs2/suballoc.c     2011-11-16 18:39:08.000000000 -0500
44957 @@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(s
44958                                 mlog_errno(status);
44959                         goto bail;
44960                 }
44961 -               atomic_inc(&osb->alloc_stats.bg_extends);
44962 +               atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
44963  
44964                 /* You should never ask for this much metadata */
44965                 BUG_ON(bits_wanted >
44966 @@ -2008,7 +2008,7 @@ int ocfs2_claim_metadata(handle_t *handl
44967                 mlog_errno(status);
44968                 goto bail;
44969         }
44970 -       atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44971 +       atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44972  
44973         *suballoc_loc = res.sr_bg_blkno;
44974         *suballoc_bit_start = res.sr_bit_offset;
44975 @@ -2172,7 +2172,7 @@ int ocfs2_claim_new_inode_at_loc(handle_
44976         trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
44977                                            res->sr_bits);
44978  
44979 -       atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44980 +       atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44981  
44982         BUG_ON(res->sr_bits != 1);
44983  
44984 @@ -2214,7 +2214,7 @@ int ocfs2_claim_new_inode(handle_t *hand
44985                 mlog_errno(status);
44986                 goto bail;
44987         }
44988 -       atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44989 +       atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44990  
44991         BUG_ON(res.sr_bits != 1);
44992  
44993 @@ -2318,7 +2318,7 @@ int __ocfs2_claim_clusters(handle_t *han
44994                                                       cluster_start,
44995                                                       num_clusters);
44996                 if (!status)
44997 -                       atomic_inc(&osb->alloc_stats.local_data);
44998 +                       atomic_inc_unchecked(&osb->alloc_stats.local_data);
44999         } else {
45000                 if (min_clusters > (osb->bitmap_cpg - 1)) {
45001                         /* The only paths asking for contiguousness
45002 @@ -2344,7 +2344,7 @@ int __ocfs2_claim_clusters(handle_t *han
45003                                 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
45004                                                                  res.sr_bg_blkno,
45005                                                                  res.sr_bit_offset);
45006 -                       atomic_inc(&osb->alloc_stats.bitmap_data);
45007 +                       atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
45008                         *num_clusters = res.sr_bits;
45009                 }
45010         }
45011 diff -urNp linux-3.1.1/fs/ocfs2/super.c linux-3.1.1/fs/ocfs2/super.c
45012 --- linux-3.1.1/fs/ocfs2/super.c        2011-11-11 15:19:27.000000000 -0500
45013 +++ linux-3.1.1/fs/ocfs2/super.c        2011-11-16 18:39:08.000000000 -0500
45014 @@ -300,11 +300,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
45015                         "%10s => GlobalAllocs: %d  LocalAllocs: %d  "
45016                         "SubAllocs: %d  LAWinMoves: %d  SAExtends: %d\n",
45017                         "Stats",
45018 -                       atomic_read(&osb->alloc_stats.bitmap_data),
45019 -                       atomic_read(&osb->alloc_stats.local_data),
45020 -                       atomic_read(&osb->alloc_stats.bg_allocs),
45021 -                       atomic_read(&osb->alloc_stats.moves),
45022 -                       atomic_read(&osb->alloc_stats.bg_extends));
45023 +                       atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
45024 +                       atomic_read_unchecked(&osb->alloc_stats.local_data),
45025 +                       atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
45026 +                       atomic_read_unchecked(&osb->alloc_stats.moves),
45027 +                       atomic_read_unchecked(&osb->alloc_stats.bg_extends));
45028  
45029         out += snprintf(buf + out, len - out,
45030                         "%10s => State: %u  Descriptor: %llu  Size: %u bits  "
45031 @@ -2112,11 +2112,11 @@ static int ocfs2_initialize_super(struct
45032         spin_lock_init(&osb->osb_xattr_lock);
45033         ocfs2_init_steal_slots(osb);
45034  
45035 -       atomic_set(&osb->alloc_stats.moves, 0);
45036 -       atomic_set(&osb->alloc_stats.local_data, 0);
45037 -       atomic_set(&osb->alloc_stats.bitmap_data, 0);
45038 -       atomic_set(&osb->alloc_stats.bg_allocs, 0);
45039 -       atomic_set(&osb->alloc_stats.bg_extends, 0);
45040 +       atomic_set_unchecked(&osb->alloc_stats.moves, 0);
45041 +       atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
45042 +       atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
45043 +       atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
45044 +       atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
45045  
45046         /* Copy the blockcheck stats from the superblock probe */
45047         osb->osb_ecc_stats = *stats;
45048 diff -urNp linux-3.1.1/fs/ocfs2/symlink.c linux-3.1.1/fs/ocfs2/symlink.c
45049 --- linux-3.1.1/fs/ocfs2/symlink.c      2011-11-11 15:19:27.000000000 -0500
45050 +++ linux-3.1.1/fs/ocfs2/symlink.c      2011-11-16 18:39:08.000000000 -0500
45051 @@ -142,7 +142,7 @@ bail:
45052  
45053  static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
45054  {
45055 -       char *link = nd_get_link(nd);
45056 +       const char *link = nd_get_link(nd);
45057         if (!IS_ERR(link))
45058                 kfree(link);
45059  }
45060 diff -urNp linux-3.1.1/fs/open.c linux-3.1.1/fs/open.c
45061 --- linux-3.1.1/fs/open.c       2011-11-11 15:19:27.000000000 -0500
45062 +++ linux-3.1.1/fs/open.c       2011-11-16 23:40:57.000000000 -0500
45063 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
45064         error = locks_verify_truncate(inode, NULL, length);
45065         if (!error)
45066                 error = security_path_truncate(&path);
45067 +
45068 +       if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
45069 +               error = -EACCES;
45070 +
45071         if (!error)
45072                 error = do_truncate(path.dentry, length, 0, NULL);
45073  
45074 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
45075         if (__mnt_is_readonly(path.mnt))
45076                 res = -EROFS;
45077  
45078 +       if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
45079 +               res = -EACCES;
45080 +
45081  out_path_release:
45082         path_put(&path);
45083  out:
45084 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
45085         if (error)
45086                 goto dput_and_out;
45087  
45088 +       gr_log_chdir(path.dentry, path.mnt);
45089 +
45090         set_fs_pwd(current->fs, &path);
45091  
45092  dput_and_out:
45093 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
45094                 goto out_putf;
45095  
45096         error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
45097 +
45098 +       if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
45099 +               error = -EPERM;
45100 +
45101 +       if (!error)
45102 +               gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
45103 +
45104         if (!error)
45105                 set_fs_pwd(current->fs, &file->f_path);
45106  out_putf:
45107 @@ -438,7 +454,13 @@ SYSCALL_DEFINE1(chroot, const char __use
45108         if (error)
45109                 goto dput_and_out;
45110  
45111 +       if (gr_handle_chroot_chroot(path.dentry, path.mnt))
45112 +               goto dput_and_out;
45113 +
45114         set_fs_root(current->fs, &path);
45115 +
45116 +       gr_handle_chroot_chdir(&path);
45117 +
45118         error = 0;
45119  dput_and_out:
45120         path_put(&path);
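Review bot: When `gr_handle_chroot_chroot` denies the call, the new `goto dput_and_out` leaves `error` at the value the preceding `if (error)` check established, which is 0, so the syscall returns success to userspace without having changed the root. Unless a silent no-op is the intended behavior, set the code first: `error = -EPERM;` before the `goto`, mirroring the `-EPERM` used for the chroot-related denials in the mknodat and fchdir hunks. The enclosing chroot body starts and ends outside this hunk.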
45121 @@ -456,6 +478,16 @@ static int chmod_common(struct path *pat
45122         if (error)
45123                 return error;
45124         mutex_lock(&inode->i_mutex);
45125 +
45126 +       if (!gr_acl_handle_fchmod(path->dentry, path->mnt, mode)) {
45127 +               error = -EACCES;
45128 +               goto out_unlock;
45129 +       }
45130 +       if (gr_handle_chroot_chmod(path->dentry, path->mnt, mode)) {
45131 +               error = -EACCES;
45132 +               goto out_unlock;
45133 +       }
45134 +
45135         error = security_path_chmod(path->dentry, path->mnt, mode);
45136         if (error)
45137                 goto out_unlock;
45138 @@ -506,6 +538,9 @@ static int chown_common(struct path *pat
45139         int error;
45140         struct iattr newattrs;
45141  
45142 +       if (!gr_acl_handle_chown(path->dentry, path->mnt))
45143 +               return -EACCES;
45144 +
45145         newattrs.ia_valid =  ATTR_CTIME;
45146         if (user != (uid_t) -1) {
45147                 newattrs.ia_valid |= ATTR_UID;
45148 @@ -976,7 +1011,8 @@ long do_sys_open(int dfd, const char __u
45149         if (!IS_ERR(tmp)) {
45150                 fd = get_unused_fd_flags(flags);
45151                 if (fd >= 0) {
45152 -                       struct file *f = do_filp_open(dfd, tmp, &op, lookup);
45153 +                       struct file *f;
45154 +                       f = do_filp_open(dfd, tmp, &op, lookup);
45155                         if (IS_ERR(f)) {
45156                                 put_unused_fd(fd);
45157                                 fd = PTR_ERR(f);
45158 diff -urNp linux-3.1.1/fs/partitions/ldm.c linux-3.1.1/fs/partitions/ldm.c
45159 --- linux-3.1.1/fs/partitions/ldm.c     2011-11-11 15:19:27.000000000 -0500
45160 +++ linux-3.1.1/fs/partitions/ldm.c     2011-11-16 18:40:29.000000000 -0500
45161 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
45162                 ldm_error ("A VBLK claims to have %d parts.", num);
45163                 return false;
45164         }
45165 +
45166         if (rec >= num) {
45167                 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
45168                 return false;
45169 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
45170                         goto found;
45171         }
45172  
45173 -       f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
45174 +       f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
45175         if (!f) {
45176                 ldm_crit ("Out of memory.");
45177                 return false;
45178 diff -urNp linux-3.1.1/fs/pipe.c linux-3.1.1/fs/pipe.c
45179 --- linux-3.1.1/fs/pipe.c       2011-11-11 15:19:27.000000000 -0500
45180 +++ linux-3.1.1/fs/pipe.c       2011-11-16 18:40:29.000000000 -0500
45181 @@ -420,9 +420,9 @@ redo:
45182                 }
45183                 if (bufs)       /* More to do? */
45184                         continue;
45185 -               if (!pipe->writers)
45186 +               if (!atomic_read(&pipe->writers))
45187                         break;
45188 -               if (!pipe->waiting_writers) {
45189 +               if (!atomic_read(&pipe->waiting_writers)) {
45190                         /* syscall merging: Usually we must not sleep
45191                          * if O_NONBLOCK is set, or if we got some data.
45192                          * But if a writer sleeps in kernel space, then
45193 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
45194         mutex_lock(&inode->i_mutex);
45195         pipe = inode->i_pipe;
45196  
45197 -       if (!pipe->readers) {
45198 +       if (!atomic_read(&pipe->readers)) {
45199                 send_sig(SIGPIPE, current, 0);
45200                 ret = -EPIPE;
45201                 goto out;
45202 @@ -530,7 +530,7 @@ redo1:
45203         for (;;) {
45204                 int bufs;
45205  
45206 -               if (!pipe->readers) {
45207 +               if (!atomic_read(&pipe->readers)) {
45208                         send_sig(SIGPIPE, current, 0);
45209                         if (!ret)
45210                                 ret = -EPIPE;
45211 @@ -616,9 +616,9 @@ redo2:
45212                         kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
45213                         do_wakeup = 0;
45214                 }
45215 -               pipe->waiting_writers++;
45216 +               atomic_inc(&pipe->waiting_writers);
45217                 pipe_wait(pipe);
45218 -               pipe->waiting_writers--;
45219 +               atomic_dec(&pipe->waiting_writers);
45220         }
45221  out:
45222         mutex_unlock(&inode->i_mutex);
45223 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table 
45224         mask = 0;
45225         if (filp->f_mode & FMODE_READ) {
45226                 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
45227 -               if (!pipe->writers && filp->f_version != pipe->w_counter)
45228 +               if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
45229                         mask |= POLLHUP;
45230         }
45231  
45232 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table 
45233                  * Most Unices do not set POLLERR for FIFOs but on Linux they
45234                  * behave exactly like pipes for poll().
45235                  */
45236 -               if (!pipe->readers)
45237 +               if (!atomic_read(&pipe->readers))
45238                         mask |= POLLERR;
45239         }
45240  
45241 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
45242  
45243         mutex_lock(&inode->i_mutex);
45244         pipe = inode->i_pipe;
45245 -       pipe->readers -= decr;
45246 -       pipe->writers -= decw;
45247 +       atomic_sub(decr, &pipe->readers);
45248 +       atomic_sub(decw, &pipe->writers);
45249  
45250 -       if (!pipe->readers && !pipe->writers) {
45251 +       if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
45252                 free_pipe_info(inode);
45253         } else {
45254                 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
45255 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
45256  
45257         if (inode->i_pipe) {
45258                 ret = 0;
45259 -               inode->i_pipe->readers++;
45260 +               atomic_inc(&inode->i_pipe->readers);
45261         }
45262  
45263         mutex_unlock(&inode->i_mutex);
45264 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
45265  
45266         if (inode->i_pipe) {
45267                 ret = 0;
45268 -               inode->i_pipe->writers++;
45269 +               atomic_inc(&inode->i_pipe->writers);
45270         }
45271  
45272         mutex_unlock(&inode->i_mutex);
45273 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
45274         if (inode->i_pipe) {
45275                 ret = 0;
45276                 if (filp->f_mode & FMODE_READ)
45277 -                       inode->i_pipe->readers++;
45278 +                       atomic_inc(&inode->i_pipe->readers);
45279                 if (filp->f_mode & FMODE_WRITE)
45280 -                       inode->i_pipe->writers++;
45281 +                       atomic_inc(&inode->i_pipe->writers);
45282         }
45283  
45284         mutex_unlock(&inode->i_mutex);
45285 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
45286         inode->i_pipe = NULL;
45287  }
45288  
45289 -static struct vfsmount *pipe_mnt __read_mostly;
45290 +struct vfsmount *pipe_mnt __read_mostly;
45291  
45292  /*
45293   * pipefs_dname() is called from d_path().
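Review bot: `pipe_mnt` loses its `static` qualifier but no declaration is added with it; whatever now references the symbol (not in view) should pick up `extern struct vfsmount *pipe_mnt;` from a header rather than a local extern, so sparse and -Wmissing-declarations stay quiet and the two sites cannot drift in type. A short comment on the definition naming the external user would also help the next reader, since exporting a filesystem-private mount is otherwise surprising.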
45294 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
45295                 goto fail_iput;
45296         inode->i_pipe = pipe;
45297  
45298 -       pipe->readers = pipe->writers = 1;
45299 +       atomic_set(&pipe->readers, 1);
45300 +       atomic_set(&pipe->writers, 1);
45301         inode->i_fop = &rdwr_pipefifo_fops;
45302  
45303         /*
45304 diff -urNp linux-3.1.1/fs/proc/array.c linux-3.1.1/fs/proc/array.c
45305 --- linux-3.1.1/fs/proc/array.c 2011-11-11 15:19:27.000000000 -0500
45306 +++ linux-3.1.1/fs/proc/array.c 2011-11-16 18:40:29.000000000 -0500
45307 @@ -60,6 +60,7 @@
45308  #include <linux/tty.h>
45309  #include <linux/string.h>
45310  #include <linux/mman.h>
45311 +#include <linux/grsecurity.h>
45312  #include <linux/proc_fs.h>
45313  #include <linux/ioport.h>
45314  #include <linux/uaccess.h>
45315 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
45316         seq_putc(m, '\n');
45317  }
45318  
45319 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45320 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
45321 +{
45322 +       if (p->mm)
45323 +               seq_printf(m, "PaX:\t%c%c%c%c%c\n",
45324 +                          p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
45325 +                          p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
45326 +                          p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
45327 +                          p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
45328 +                          p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
45329 +       else
45330 +               seq_printf(m, "PaX:\t-----\n");
45331 +}
45332 +#endif
45333 +
45334  int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
45335                         struct pid *pid, struct task_struct *task)
45336  {
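Review bot: task_pax() dereferences `p->mm` six separate times without pinning it, so if `p` is exiting concurrently the pointer can go NULL between the `if (p->mm)` test and the `seq_printf()` arguments, and the mm_struct itself can be freed underneath the reader. The rest of proc_pid_status() appears to go through get_task_mm()/mmput() for exactly this reason (outside the hunk); task_pax() should do the same and read `pax_flags` from the pinned mm.
```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (mm) {
		seq_printf(m, "PaX:\t%c%c%c%c%c\n",
			   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
			   /* … unchanged: the remaining four flag characters, reading mm->pax_flags instead of p->mm->pax_flags … */
			   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
		mmput(mm);
	} else {
		seq_printf(m, "PaX:\t-----\n");
	}
}
```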
45337 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m, 
45338         task_cpus_allowed(m, task);
45339         cpuset_task_status_allowed(m, task);
45340         task_context_switch_counts(m, task);
45341 +
45342 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45343 +       task_pax(m, task);
45344 +#endif
45345 +
45346 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
45347 +       task_grsec_rbac(m, task);
45348 +#endif
45349 +
45350         return 0;
45351  }
45352  
45353 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45354 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
45355 +                            (_mm->pax_flags & MF_PAX_RANDMMAP || \
45356 +                             _mm->pax_flags & MF_PAX_SEGMEXEC))
45357 +#endif
45358 +
45359  static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
45360                         struct pid *pid, struct task_struct *task, int whole)
45361  {
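Review bot: `PAX_RAND_FLAGS()` is defined here and again, byte for byte, in fs/proc/base.c (the proc_pid_auxv hunk later in this patch); a policy test that decides which addresses /proc exposes should live once, in a shared header such as fs/proc/internal.h, so the two copies cannot diverge. While moving it, parenthesise the parameter and fold the two flag tests into one mask: `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. A one-line comment stating the intent, `/* true when another task's mm has a randomised layout: its addresses are hidden below */`, would save readers re-deriving it from the uses in do_task_stat().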
45362 @@ -375,9 +406,11 @@ static int do_task_stat(struct seq_file 
45363         cputime_t cutime, cstime, utime, stime;
45364         cputime_t cgtime, gtime;
45365         unsigned long rsslim = 0;
45366 -       char tcomm[sizeof(task->comm)];
45367 +       char tcomm[sizeof(task->comm)] = { 0 };
45368         unsigned long flags;
45369  
45370 +       pax_track_stack();
45371 +
45372         state = *get_task_state(task);
45373         vsize = eip = esp = 0;
45374         permitted = ptrace_may_access(task, PTRACE_MODE_READ);
45375 @@ -449,6 +482,19 @@ static int do_task_stat(struct seq_file 
45376                 gtime = task->gtime;
45377         }
45378  
45379 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45380 +       if (PAX_RAND_FLAGS(mm)) {
45381 +               eip = 0;
45382 +               esp = 0;
45383 +               wchan = 0;
45384 +       }
45385 +#endif
45386 +#ifdef CONFIG_GRKERNSEC_HIDESYM
45387 +       wchan = 0;
45388 +       eip =0;
45389 +       esp =0;
45390 +#endif
45391 +
45392         /* scale priority and nice values from timeslices to -20..20 */
45393         /* to make it look like a "normal" Unix priority/nice value  */
45394         priority = task_prio(task);
45395 @@ -489,9 +535,15 @@ static int do_task_stat(struct seq_file 
45396                 vsize,
45397                 mm ? get_mm_rss(mm) : 0,
45398                 rsslim,
45399 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45400 +               PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
45401 +               PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
45402 +               PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
45403 +#else
45404                 mm ? (permitted ? mm->start_code : 1) : 0,
45405                 mm ? (permitted ? mm->end_code : 1) : 0,
45406                 (permitted && mm) ? mm->start_stack : 0,
45407 +#endif
45408                 esp,
45409                 eip,
45410                 /* The signal information here is obsolete.
45411 @@ -544,3 +596,18 @@ int proc_pid_statm(struct seq_file *m, s
45412  
45413         return 0;
45414  }
45415 +
45416 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45417 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
45418 +{
45419 +       u32 curr_ip = 0;
45420 +       unsigned long flags;
45421 +
45422 +       if (lock_task_sighand(task, &flags)) {
45423 +               curr_ip = task->signal->curr_ip;
45424 +               unlock_task_sighand(task, &flags);
45425 +       }
45426 +
45427 +       return sprintf(buffer, "%pI4\n", &curr_ip);
45428 +}
45429 +#endif
45430 diff -urNp linux-3.1.1/fs/proc/base.c linux-3.1.1/fs/proc/base.c
45431 --- linux-3.1.1/fs/proc/base.c  2011-11-11 15:19:27.000000000 -0500
45432 +++ linux-3.1.1/fs/proc/base.c  2011-11-16 19:25:48.000000000 -0500
45433 @@ -107,6 +107,22 @@ struct pid_entry {
45434         union proc_op op;
45435  };
45436  
45437 +struct getdents_callback {
45438 +       struct linux_dirent __user * current_dir;
45439 +       struct linux_dirent __user * previous;
45440 +       struct file * file;
45441 +       int count;
45442 +       int error;
45443 +};
45444 +
45445 +static int gr_fake_filldir(void * __buf, const char *name, int namlen, 
45446 +                          loff_t offset, u64 ino, unsigned int d_type)
45447 +{
45448 +       struct getdents_callback * buf = (struct getdents_callback *) __buf;
45449 +       buf->error = -EINVAL;
45450 +       return 0;
45451 +}
45452 +
45453  #define NOD(NAME, MODE, IOP, FOP, OP) {                        \
45454         .name = (NAME),                                 \
45455         .len  = sizeof(NAME) - 1,                       \
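Review bot: gr_fake_filldir() casts the opaque `__buf` cookie to a `struct getdents_callback` that this file defines privately; the real cookie belongs to whichever getdents entry point started the walk (fs/readdir.c, not in view), that file's own definition of the struct can drift from this copy, and the getdents64 and compat paths pass differently laid-out callback structs altogether. `buf->error = -EINVAL` is therefore a write at an offset that is only correct for one caller, into that caller's stack frame. Since the purpose is to hide the entry, `return 0;` without touching the cookie does the job; drop the struct and the cast, and if an error must reach userspace let proc_pid_readdir() return it itself.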
45456 @@ -209,6 +225,9 @@ static struct mm_struct *__check_mem_per
45457         if (task == current)
45458                 return mm;
45459  
45460 +       if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
45461 +               return ERR_PTR(-EPERM);
45462 +
45463         /*
45464          * If current is actively ptrace'ing, and would also be
45465          * permitted to freshly attach with ptrace now, permit it.
45466 @@ -282,6 +301,9 @@ static int proc_pid_cmdline(struct task_
45467         if (!mm->arg_end)
45468                 goto out_mm;    /* Shh! No looking before we're done */
45469  
45470 +       if (gr_acl_handle_procpidmem(task))
45471 +               goto out_mm;
45472 +
45473         len = mm->arg_end - mm->arg_start;
45474   
45475         if (len > PAGE_SIZE)
45476 @@ -309,12 +331,28 @@ out:
45477         return res;
45478  }
45479  
45480 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45481 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
45482 +                            (_mm->pax_flags & MF_PAX_RANDMMAP || \
45483 +                             _mm->pax_flags & MF_PAX_SEGMEXEC))
45484 +#endif
45485 +
45486  static int proc_pid_auxv(struct task_struct *task, char *buffer)
45487  {
45488         struct mm_struct *mm = mm_for_maps(task);
45489         int res = PTR_ERR(mm);
45490         if (mm && !IS_ERR(mm)) {
45491                 unsigned int nwords = 0;
45492 +
45493 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45494 +               /* allow if we're currently ptracing this task */
45495 +               if (PAX_RAND_FLAGS(mm) &&
45496 +                   (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
45497 +                       mmput(mm);
45498 +                       return 0;
45499 +               }
45500 +#endif
45501 +
45502                 do {
45503                         nwords += 2;
45504                 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
45505 @@ -328,7 +366,7 @@ static int proc_pid_auxv(struct task_str
45506  }
45507  
45508  
45509 -#ifdef CONFIG_KALLSYMS
45510 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45511  /*
45512   * Provides a wchan file via kallsyms in a proper one-value-per-file format.
45513   * Returns the resolved symbol.  If that fails, simply return the address.
45514 @@ -367,7 +405,7 @@ static void unlock_trace(struct task_str
45515         mutex_unlock(&task->signal->cred_guard_mutex);
45516  }
45517  
45518 -#ifdef CONFIG_STACKTRACE
45519 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45520  
45521  #define MAX_STACK_TRACE_DEPTH  64
45522  
45523 @@ -558,7 +596,7 @@ static int proc_pid_limits(struct task_s
45524         return count;
45525  }
45526  
45527 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45528 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45529  static int proc_pid_syscall(struct task_struct *task, char *buffer)
45530  {
45531         long nr;
45532 @@ -587,7 +625,7 @@ static int proc_pid_syscall(struct task_
45533  /************************************************************************/
45534  
45535  /* permission checks */
45536 -static int proc_fd_access_allowed(struct inode *inode)
45537 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
45538  {
45539         struct task_struct *task;
45540         int allowed = 0;
45541 @@ -597,7 +635,10 @@ static int proc_fd_access_allowed(struct
45542          */
45543         task = get_proc_task(inode);
45544         if (task) {
45545 -               allowed = ptrace_may_access(task, PTRACE_MODE_READ);
45546 +               if (log)
45547 +                       allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
45548 +               else
45549 +                       allowed = ptrace_may_access(task, PTRACE_MODE_READ);
45550                 put_task_struct(task);
45551         }
45552         return allowed;
45553 @@ -978,6 +1019,9 @@ static ssize_t environ_read(struct file 
45554         if (!task)
45555                 goto out_no_task;
45556  
45557 +       if (gr_acl_handle_procpidmem(task))
45558 +               goto out;
45559 +
45560         ret = -ENOMEM;
45561         page = (char *)__get_free_page(GFP_TEMPORARY);
45562         if (!page)
45563 @@ -1613,7 +1657,7 @@ static void *proc_pid_follow_link(struct
45564         path_put(&nd->path);
45565  
45566         /* Are we allowed to snoop on the tasks file descriptors? */
45567 -       if (!proc_fd_access_allowed(inode))
45568 +       if (!proc_fd_access_allowed(inode,0))
45569                 goto out;
45570  
45571         error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
45572 @@ -1652,8 +1696,18 @@ static int proc_pid_readlink(struct dent
45573         struct path path;
45574  
45575         /* Are we allowed to snoop on the tasks file descriptors? */
45576 -       if (!proc_fd_access_allowed(inode))
45577 -               goto out;
45578 +       /* logging this is needed for learning on chromium to work properly,
45579 +          but we don't want to flood the logs from 'ps' which does a readlink
45580 +          on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
45581 +          CAP_SYS_PTRACE as it's not necessary for its basic functionality
45582 +        */
45583 +       if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
45584 +               if (!proc_fd_access_allowed(inode,0))
45585 +                       goto out;
45586 +       } else {
45587 +               if (!proc_fd_access_allowed(inode,1))
45588 +                       goto out;
45589 +       }
45590  
45591         error = PROC_I(inode)->op.proc_get_link(inode, &path);
45592         if (error)
45593 @@ -1718,7 +1772,11 @@ struct inode *proc_pid_make_inode(struct
45594                 rcu_read_lock();
45595                 cred = __task_cred(task);
45596                 inode->i_uid = cred->euid;
45597 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45598 +               inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45599 +#else
45600                 inode->i_gid = cred->egid;
45601 +#endif
45602                 rcu_read_unlock();
45603         }
45604         security_task_to_inode(task, inode);
45605 @@ -1736,6 +1794,9 @@ int pid_getattr(struct vfsmount *mnt, st
45606         struct inode *inode = dentry->d_inode;
45607         struct task_struct *task;
45608         const struct cred *cred;
45609 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45610 +       const struct cred *tmpcred = current_cred();
45611 +#endif
45612  
45613         generic_fillattr(inode, stat);
45614  
45615 @@ -1743,13 +1804,41 @@ int pid_getattr(struct vfsmount *mnt, st
45616         stat->uid = 0;
45617         stat->gid = 0;
45618         task = pid_task(proc_pid(inode), PIDTYPE_PID);
45619 +
45620 +       if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
45621 +               rcu_read_unlock();
45622 +               return -ENOENT;
45623 +       }
45624 +
45625         if (task) {
45626 +               cred = __task_cred(task);
45627 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45628 +               if (!tmpcred->uid || (tmpcred->uid == cred->uid)
45629 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45630 +                   || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
45631 +#endif
45632 +               ) {
45633 +#endif
45634                 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
45635 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45636 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
45637 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45638 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
45639 +#endif
45640                     task_dumpable(task)) {
45641 -                       cred = __task_cred(task);
45642                         stat->uid = cred->euid;
45643 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45644 +                       stat->gid = CONFIG_GRKERNSEC_PROC_GID;
45645 +#else
45646                         stat->gid = cred->egid;
45647 +#endif
45648 +               }
45649 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45650 +               } else {
45651 +                       rcu_read_unlock();
45652 +                       return -ENOENT;
45653                 }
45654 +#endif
45655         }
45656         rcu_read_unlock();
45657         return 0;
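Review bot: The added preprocessor blocks in pid_getattr() open a brace under one `#if` and close it with the `} else {` under another, and the final `#if`/`#endif` pair even encloses a pre-existing context `}`; the braces do balance in every configuration, but a reader has to expand each config by hand to confirm it. Computing the visibility test into a local first, `bool visible = true;` assigned under a single `#if` block, followed by one unconditional `if (!visible) { rcu_read_unlock(); return -ENOENT; }` before the mode test, keeps the brace structure identical in all builds. pid_getattr() begins outside the hunk.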
45658 @@ -1786,11 +1875,20 @@ int pid_revalidate(struct dentry *dentry
45659  
45660         if (task) {
45661                 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
45662 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45663 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
45664 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45665 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
45666 +#endif
45667                     task_dumpable(task)) {
45668                         rcu_read_lock();
45669                         cred = __task_cred(task);
45670                         inode->i_uid = cred->euid;
45671 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45672 +                       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45673 +#else
45674                         inode->i_gid = cred->egid;
45675 +#endif
45676                         rcu_read_unlock();
45677                 } else {
45678                         inode->i_uid = 0;
45679 @@ -1908,7 +2006,8 @@ static int proc_fd_info(struct inode *in
45680         int fd = proc_fd(inode);
45681  
45682         if (task) {
45683 -               files = get_files_struct(task);
45684 +               if (!gr_acl_handle_procpidmem(task))
45685 +                       files = get_files_struct(task);
45686                 put_task_struct(task);
45687         }
45688         if (files) {
45689 @@ -2176,11 +2275,21 @@ static const struct file_operations proc
45690   */
45691  static int proc_fd_permission(struct inode *inode, int mask)
45692  {
45693 +       struct task_struct *task;
45694         int rv = generic_permission(inode, mask);
45695 -       if (rv == 0)
45696 -               return 0;
45697 +
45698         if (task_pid(current) == proc_pid(inode))
45699                 rv = 0;
45700 +
45701 +       task = get_proc_task(inode);
45702 +       if (task == NULL)
45703 +               return rv;
45704 +
45705 +       if (gr_acl_handle_procpidmem(task))
45706 +               rv = -EACCES;
45707 +
45708 +       put_task_struct(task);
45709 +
45710         return rv;
45711  }
45712  
45713 @@ -2290,6 +2399,9 @@ static struct dentry *proc_pident_lookup
45714         if (!task)
45715                 goto out_no_task;
45716  
45717 +       if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45718 +               goto out;
45719 +
45720         /*
45721          * Yes, it does not scale. And it should not. Don't add
45722          * new entries into /proc/<tgid>/ without very good reasons.
45723 @@ -2334,6 +2446,9 @@ static int proc_pident_readdir(struct fi
45724         if (!task)
45725                 goto out_no_task;
45726  
45727 +       if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45728 +               goto out;
45729 +
45730         ret = 0;
45731         i = filp->f_pos;
45732         switch (i) {
45733 @@ -2604,7 +2719,7 @@ static void *proc_self_follow_link(struc
45734  static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
45735                                 void *cookie)
45736  {
45737 -       char *s = nd_get_link(nd);
45738 +       const char *s = nd_get_link(nd);
45739         if (!IS_ERR(s))
45740                 __putname(s);
45741  }
45742 @@ -2663,6 +2778,7 @@ static struct dentry *proc_base_instanti
45743         if (p->fop)
45744                 inode->i_fop = p->fop;
45745         ei->op = p->op;
45746 +
45747         d_add(dentry, inode);
45748         error = NULL;
45749  out:
45750 @@ -2802,7 +2918,7 @@ static const struct pid_entry tgid_base_
45751         REG("autogroup",  S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
45752  #endif
45753         REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
45754 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45755 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45756         INF("syscall",    S_IRUGO, proc_pid_syscall),
45757  #endif
45758         INF("cmdline",    S_IRUGO, proc_pid_cmdline),
45759 @@ -2827,10 +2943,10 @@ static const struct pid_entry tgid_base_
45760  #ifdef CONFIG_SECURITY
45761         DIR("attr",       S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
45762  #endif
45763 -#ifdef CONFIG_KALLSYMS
45764 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45765         INF("wchan",      S_IRUGO, proc_pid_wchan),
45766  #endif
45767 -#ifdef CONFIG_STACKTRACE
45768 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45769         ONE("stack",      S_IRUGO, proc_pid_stack),
45770  #endif
45771  #ifdef CONFIG_SCHEDSTATS
45772 @@ -2864,6 +2980,9 @@ static const struct pid_entry tgid_base_
45773         INF("hardwall",   S_IRUGO, proc_pid_hardwall),
45774  #endif
45775         ONE("nsproxy",  S_IRUGO, proc_pid_nsproxy),
45776 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45777 +       INF("ipaddr",     S_IRUSR, proc_pid_ipaddr),
45778 +#endif
45779  };
45780  
45781  static int proc_tgid_base_readdir(struct file * filp,
45782 @@ -2989,7 +3108,14 @@ static struct dentry *proc_pid_instantia
45783         if (!inode)
45784                 goto out;
45785  
45786 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45787 +       inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
45788 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45789 +       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45790 +       inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
45791 +#else
45792         inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
45793 +#endif
45794         inode->i_op = &proc_tgid_base_inode_operations;
45795         inode->i_fop = &proc_tgid_base_operations;
45796         inode->i_flags|=S_IMMUTABLE;
45797 @@ -3031,7 +3157,14 @@ struct dentry *proc_pid_lookup(struct in
45798         if (!task)
45799                 goto out;
45800  
45801 +       if (!has_group_leader_pid(task))
45802 +               goto out_put_task;
45803 +
45804 +       if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45805 +               goto out_put_task;
45806 +
45807         result = proc_pid_instantiate(dir, dentry, task, NULL);
45808 +out_put_task:
45809         put_task_struct(task);
45810  out:
45811         return result;
45812 @@ -3096,6 +3229,11 @@ int proc_pid_readdir(struct file * filp,
45813  {
45814         unsigned int nr;
45815         struct task_struct *reaper;
45816 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45817 +       const struct cred *tmpcred = current_cred();
45818 +       const struct cred *itercred;
45819 +#endif
45820 +       filldir_t __filldir = filldir;
45821         struct tgid_iter iter;
45822         struct pid_namespace *ns;
45823  
45824 @@ -3119,10 +3257,29 @@ int proc_pid_readdir(struct file * filp,
45825         for (iter = next_tgid(ns, iter);
45826              iter.task;
45827              iter.tgid += 1, iter = next_tgid(ns, iter)) {
45828 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45829 +               rcu_read_lock();
45830 +               itercred = __task_cred(iter.task);
45831 +#endif
45832 +               if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
45833 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45834 +                   || (tmpcred->uid && (itercred->uid != tmpcred->uid)
45835 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45836 +                       && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
45837 +#endif
45838 +                       )
45839 +#endif
45840 +               )
45841 +                       __filldir = &gr_fake_filldir;
45842 +               else
45843 +                       __filldir = filldir;
45844 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45845 +       rcu_read_unlock();
45846 +#endif
45847                 filp->f_pos = iter.tgid + TGID_OFFSET;
45848                 if (!vx_proc_task_visible(iter.task))
45849                         continue;
45850 -               if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
45851 +               if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
45852                         put_task_struct(iter.task);
45853                         goto out;
45854                 }
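Review bot: The `rcu_read_unlock()` added under `CONFIG_GRKERNSEC_PROC_USER`/`_USERGROUP` is indented one level less than the `rcu_read_lock()` it pairs with, so it reads as if it sat outside the `for` loop; it belongs at the same depth as the `#if` block above it. The `__filldir` name with a leading double underscore is in the reserved namespace and is easy to confuse with `filldir`; `filldir_t fn = filldir;` or `visible_filldir` would avoid both problems. The loop body continues outside the hunk.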
45855 @@ -3148,7 +3305,7 @@ static const struct pid_entry tid_base_s
45856         REG("sched",     S_IRUGO|S_IWUSR, proc_pid_sched_operations),
45857  #endif
45858         REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
45859 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45860 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45861         INF("syscall",   S_IRUGO, proc_pid_syscall),
45862  #endif
45863         INF("cmdline",   S_IRUGO, proc_pid_cmdline),
45864 @@ -3172,10 +3329,10 @@ static const struct pid_entry tid_base_s
45865  #ifdef CONFIG_SECURITY
45866         DIR("attr",      S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
45867  #endif
45868 -#ifdef CONFIG_KALLSYMS
45869 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45870         INF("wchan",     S_IRUGO, proc_pid_wchan),
45871  #endif
45872 -#ifdef CONFIG_STACKTRACE
45873 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45874         ONE("stack",      S_IRUGO, proc_pid_stack),
45875  #endif
45876  #ifdef CONFIG_SCHEDSTATS
45877 diff -urNp linux-3.1.1/fs/proc/cmdline.c linux-3.1.1/fs/proc/cmdline.c
45878 --- linux-3.1.1/fs/proc/cmdline.c       2011-11-11 15:19:27.000000000 -0500
45879 +++ linux-3.1.1/fs/proc/cmdline.c       2011-11-16 18:40:29.000000000 -0500
45880 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
45881  
45882  static int __init proc_cmdline_init(void)
45883  {
45884 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
45885 +       proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
45886 +#else
45887         proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
45888 +#endif
45889         return 0;
45890  }
45891  module_init(proc_cmdline_init);
45892 diff -urNp linux-3.1.1/fs/proc/devices.c linux-3.1.1/fs/proc/devices.c
45893 --- linux-3.1.1/fs/proc/devices.c       2011-11-11 15:19:27.000000000 -0500
45894 +++ linux-3.1.1/fs/proc/devices.c       2011-11-16 18:40:29.000000000 -0500
45895 @@ -64,7 +64,11 @@ static const struct file_operations proc
45896  
45897  static int __init proc_devices_init(void)
45898  {
45899 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
45900 +       proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
45901 +#else
45902         proc_create("devices", 0, NULL, &proc_devinfo_operations);
45903 +#endif
45904         return 0;
45905  }
45906  module_init(proc_devices_init);
45907 diff -urNp linux-3.1.1/fs/proc/inode.c linux-3.1.1/fs/proc/inode.c
45908 --- linux-3.1.1/fs/proc/inode.c 2011-11-11 15:19:27.000000000 -0500
45909 +++ linux-3.1.1/fs/proc/inode.c 2011-11-16 18:40:29.000000000 -0500
45910 @@ -18,12 +18,18 @@
45911  #include <linux/module.h>
45912  #include <linux/sysctl.h>
45913  #include <linux/slab.h>
45914 +#include <linux/grsecurity.h>
45915  
45916  #include <asm/system.h>
45917  #include <asm/uaccess.h>
45918  
45919  #include "internal.h"
45920  
45921 +#ifdef CONFIG_PROC_SYSCTL
45922 +extern const struct inode_operations proc_sys_inode_operations;
45923 +extern const struct inode_operations proc_sys_dir_operations;
45924 +#endif
45925 +
45926  static void proc_evict_inode(struct inode *inode)
45927  {
45928         struct proc_dir_entry *de;
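Review bot: The `extern const struct inode_operations proc_sys_inode_operations;` and `proc_sys_dir_operations` declarations are placed in inode.c rather than in a shared header, and the proc_sysctl.c hunk below adds `extern __u32 gr_handle_sysctl(...)` the same way; now that `static` is dropped from the definitions in proc_sysctl.c, a later divergence between such scattered declarations and the definition would not be caught by the compiler. Both files already include "internal.h", so the two inode_operations externs belong there, next to the other `proc_*` externs, and the gr_handle_sysctl prototype belongs in the newly included <linux/grsecurity.h>. proc_evict_inode continues outside this hunk.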
45929 @@ -49,6 +55,13 @@ static void proc_evict_inode(struct inod
45930         ns_ops = PROC_I(inode)->ns_ops;
45931         if (ns_ops && ns_ops->put)
45932                 ns_ops->put(PROC_I(inode)->ns);
45933 +
45934 +#ifdef CONFIG_PROC_SYSCTL
45935 +       if (inode->i_op == &proc_sys_inode_operations ||
45936 +           inode->i_op == &proc_sys_dir_operations)
45937 +               gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
45938 +#endif
45939 +
45940  }
45941  
45942  static struct kmem_cache * proc_inode_cachep;
45943 @@ -440,7 +453,11 @@ struct inode *proc_get_inode(struct supe
45944                 if (de->mode) {
45945                         inode->i_mode = de->mode;
45946                         inode->i_uid = de->uid;
45947 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45948 +                       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45949 +#else
45950                         inode->i_gid = de->gid;
45951 +#endif
45952                 }
45953                 if (de->size)
45954                         inode->i_size = de->size;
45955 diff -urNp linux-3.1.1/fs/proc/internal.h linux-3.1.1/fs/proc/internal.h
45956 --- linux-3.1.1/fs/proc/internal.h      2011-11-11 15:19:27.000000000 -0500
45957 +++ linux-3.1.1/fs/proc/internal.h      2011-11-16 18:40:29.000000000 -0500
45958 @@ -54,7 +54,9 @@ extern int proc_pid_statm(struct seq_fil
45959                                 struct pid *pid, struct task_struct *task);
45960  extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
45961                                 struct pid *pid, struct task_struct *task);
45962 -
45963 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45964 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
45965 +#endif
45966  extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
45967  
45968  extern const struct file_operations proc_maps_operations;
45969 diff -urNp linux-3.1.1/fs/proc/Kconfig linux-3.1.1/fs/proc/Kconfig
45970 --- linux-3.1.1/fs/proc/Kconfig 2011-11-11 15:19:27.000000000 -0500
45971 +++ linux-3.1.1/fs/proc/Kconfig 2011-11-16 18:40:29.000000000 -0500
45972 @@ -30,12 +30,12 @@ config PROC_FS
45973  
45974  config PROC_KCORE
45975         bool "/proc/kcore support" if !ARM
45976 -       depends on PROC_FS && MMU
45977 +       depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
45978  
45979  config PROC_VMCORE
45980         bool "/proc/vmcore support"
45981 -       depends on PROC_FS && CRASH_DUMP
45982 -       default y
45983 +       depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
45984 +       default n
45985          help
45986          Exports the dump image of crashed kernel in ELF format.
45987  
45988 @@ -59,8 +59,8 @@ config PROC_SYSCTL
45989           limited in memory.
45990  
45991  config PROC_PAGE_MONITOR
45992 -       default y
45993 -       depends on PROC_FS && MMU
45994 +       default n
45995 +       depends on PROC_FS && MMU && !GRKERNSEC
45996         bool "Enable /proc page monitoring" if EXPERT
45997         help
45998           Various /proc files exist to monitor process memory utilization:
45999 diff -urNp linux-3.1.1/fs/proc/kcore.c linux-3.1.1/fs/proc/kcore.c
46000 --- linux-3.1.1/fs/proc/kcore.c 2011-11-11 15:19:27.000000000 -0500
46001 +++ linux-3.1.1/fs/proc/kcore.c 2011-11-16 18:40:29.000000000 -0500
46002 @@ -321,6 +321,8 @@ static void elf_kcore_store_hdr(char *bu
46003         off_t offset = 0;
46004         struct kcore_list *m;
46005  
46006 +       pax_track_stack();
46007 +
46008         /* setup ELF header */
46009         elf = (struct elfhdr *) bufp;
46010         bufp += sizeof(struct elfhdr);
46011 @@ -478,9 +480,10 @@ read_kcore(struct file *file, char __use
46012          * the addresses in the elf_phdr on our list.
46013          */
46014         start = kc_offset_to_vaddr(*fpos - elf_buflen);
46015 -       if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
46016 +       tsz = PAGE_SIZE - (start & ~PAGE_MASK);
46017 +       if (tsz > buflen)
46018                 tsz = buflen;
46019 -               
46020 +
46021         while (buflen) {
46022                 struct kcore_list *m;
46023  
46024 @@ -509,20 +512,23 @@ read_kcore(struct file *file, char __use
46025                         kfree(elf_buf);
46026                 } else {
46027                         if (kern_addr_valid(start)) {
46028 -                               unsigned long n;
46029 +                               char *elf_buf;
46030 +                               mm_segment_t oldfs;
46031  
46032 -                               n = copy_to_user(buffer, (char *)start, tsz);
46033 -                               /*
46034 -                                * We cannot distingush between fault on source
46035 -                                * and fault on destination. When this happens
46036 -                                * we clear too and hope it will trigger the
46037 -                                * EFAULT again.
46038 -                                */
46039 -                               if (n) { 
46040 -                                       if (clear_user(buffer + tsz - n,
46041 -                                                               n))
46042 +                               elf_buf = kmalloc(tsz, GFP_KERNEL);
46043 +                               if (!elf_buf)
46044 +                                       return -ENOMEM;
46045 +                               oldfs = get_fs();
46046 +                               set_fs(KERNEL_DS);
46047 +                               if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
46048 +                                       set_fs(oldfs);
46049 +                                       if (copy_to_user(buffer, elf_buf, tsz)) {
46050 +                                               kfree(elf_buf);
46051                                                 return -EFAULT;
46052 +                                       }
46053                                 }
46054 +                               set_fs(oldfs);
46055 +                               kfree(elf_buf);
46056                         } else {
46057                                 if (clear_user(buffer, tsz))
46058                                         return -EFAULT;
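Review bot: When `__copy_from_user` from the kernel address faults, the new `if (!__copy_from_user(...))` block falls through without writing anything to `buffer`, whereas the removed code cleared the user destination and returned -EFAULT if even that failed; the chunk is presumably still accounted as read by the loop, leaving those bytes of the user buffer untouched. Restoring the fallback keeps the read result well-defined, and restoring the address limit once, immediately after the copy, removes the duplicated `set_fs(oldfs)` on the two paths. read_kcore begins and ends outside this hunk.
```c
			if (kern_addr_valid(start)) {
				char *elf_buf;
				mm_segment_t oldfs;
				unsigned long n;

				elf_buf = kmalloc(tsz, GFP_KERNEL);
				if (!elf_buf)
					return -ENOMEM;
				oldfs = get_fs();
				set_fs(KERNEL_DS);
				n = __copy_from_user(elf_buf, (const void __user *)start, tsz);
				set_fs(oldfs);
				/* source fault: clear the destination instead of leaving it unwritten */
				if (n ? clear_user(buffer, tsz) : copy_to_user(buffer, elf_buf, tsz)) {
					kfree(elf_buf);
					return -EFAULT;
				}
				kfree(elf_buf);
			} else {
				/* … unchanged: clear_user path for invalid kernel addresses … */
```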
46059 @@ -542,6 +548,9 @@ read_kcore(struct file *file, char __use
46060  
46061  static int open_kcore(struct inode *inode, struct file *filp)
46062  {
46063 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
46064 +       return -EPERM;
46065 +#endif
46066         if (!capable(CAP_SYS_RAWIO))
46067                 return -EPERM;
46068         if (kcore_need_update)
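Review bot: The `CONFIG_GRKERNSEC_PROC_ADD` half of the new guard is redundant: the fs/proc/Kconfig hunk earlier in this patch makes PROC_KCORE depend on `!GRKERNSEC_PROC_ADD`, so kcore.c is not built in that configuration. With only `CONFIG_GRKERNSEC_HIDESYM` effective, the unconditional `return -EPERM;` turns the rest of open_kcore into dead code in that build, which some compilers flag; wrapping the remainder of the function in `#else ... #endif` keeps the intent explicit. open_kcore continues outside the hunk.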
46069 diff -urNp linux-3.1.1/fs/proc/meminfo.c linux-3.1.1/fs/proc/meminfo.c
46070 --- linux-3.1.1/fs/proc/meminfo.c       2011-11-11 15:19:27.000000000 -0500
46071 +++ linux-3.1.1/fs/proc/meminfo.c       2011-11-16 18:40:29.000000000 -0500
46072 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
46073         unsigned long pages[NR_LRU_LISTS];
46074         int lru;
46075  
46076 +       pax_track_stack();
46077 +
46078  /*
46079   * display in kilobytes.
46080   */
46081 @@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_
46082                 vmi.used >> 10,
46083                 vmi.largest_chunk >> 10
46084  #ifdef CONFIG_MEMORY_FAILURE
46085 -               ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
46086 +               ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
46087  #endif
46088  #ifdef CONFIG_TRANSPARENT_HUGEPAGE
46089                 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
46090 diff -urNp linux-3.1.1/fs/proc/nommu.c linux-3.1.1/fs/proc/nommu.c
46091 --- linux-3.1.1/fs/proc/nommu.c 2011-11-11 15:19:27.000000000 -0500
46092 +++ linux-3.1.1/fs/proc/nommu.c 2011-11-16 18:39:08.000000000 -0500
46093 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
46094                 if (len < 1)
46095                         len = 1;
46096                 seq_printf(m, "%*c", len, ' ');
46097 -               seq_path(m, &file->f_path, "");
46098 +               seq_path(m, &file->f_path, "\n\\");
46099         }
46100  
46101         seq_putc(m, '\n');
46102 diff -urNp linux-3.1.1/fs/proc/proc_net.c linux-3.1.1/fs/proc/proc_net.c
46103 --- linux-3.1.1/fs/proc/proc_net.c      2011-11-11 15:19:27.000000000 -0500
46104 +++ linux-3.1.1/fs/proc/proc_net.c      2011-11-16 18:40:29.000000000 -0500
46105 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
46106         struct task_struct *task;
46107         struct nsproxy *ns;
46108         struct net *net = NULL;
46109 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46110 +       const struct cred *cred = current_cred();
46111 +#endif
46112 +
46113 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46114 +       if (cred->fsuid)
46115 +               return net;
46116 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46117 +       if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
46118 +               return net;
46119 +#endif
46120  
46121         rcu_read_lock();
46122         task = pid_task(proc_pid(dir), PIDTYPE_PID);
46123 diff -urNp linux-3.1.1/fs/proc/proc_sysctl.c linux-3.1.1/fs/proc/proc_sysctl.c
46124 --- linux-3.1.1/fs/proc/proc_sysctl.c   2011-11-11 15:19:27.000000000 -0500
46125 +++ linux-3.1.1/fs/proc/proc_sysctl.c   2011-11-16 18:40:29.000000000 -0500
46126 @@ -8,11 +8,13 @@
46127  #include <linux/namei.h>
46128  #include "internal.h"
46129  
46130 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
46131 +
46132  static const struct dentry_operations proc_sys_dentry_operations;
46133  static const struct file_operations proc_sys_file_operations;
46134 -static const struct inode_operations proc_sys_inode_operations;
46135 +const struct inode_operations proc_sys_inode_operations;
46136  static const struct file_operations proc_sys_dir_file_operations;
46137 -static const struct inode_operations proc_sys_dir_operations;
46138 +const struct inode_operations proc_sys_dir_operations;
46139  
46140  static struct inode *proc_sys_make_inode(struct super_block *sb,
46141                 struct ctl_table_header *head, struct ctl_table *table)
46142 @@ -121,8 +123,14 @@ static struct dentry *proc_sys_lookup(st
46143  
46144         err = NULL;
46145         d_set_d_op(dentry, &proc_sys_dentry_operations);
46146 +
46147 +       gr_handle_proc_create(dentry, inode);
46148 +
46149         d_add(dentry, inode);
46150  
46151 +       if (gr_handle_sysctl(p, MAY_EXEC))
46152 +               err = ERR_PTR(-ENOENT);
46153 +
46154  out:
46155         sysctl_head_finish(head);
46156         return err;
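Review bot: The `gr_handle_sysctl(p, MAY_EXEC)` decision is taken after `d_add(dentry, inode)` has already hashed the dentry with its inode, so the lookup returns `-ENOENT` for an entry that is nonetheless instantiated in the dcache; a later lookup of the same name would presumably be served from the cache without re-entering proc_sys_lookup — confirm whether proc_sys_permission (outside the hunk) covers that path. Evaluating the check before `gr_handle_proc_create`/`d_add`, releasing `inode` (iput) and jumping to `out` with `err = ERR_PTR(-ENOENT)` on denial, keeps hidden entries out of the dcache altogether. proc_sys_lookup begins outside this hunk.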
46157 @@ -202,6 +210,9 @@ static int proc_sys_fill_cache(struct fi
46158                                 return -ENOMEM;
46159                         } else {
46160                                 d_set_d_op(child, &proc_sys_dentry_operations);
46161 +
46162 +                               gr_handle_proc_create(child, inode);
46163 +
46164                                 d_add(child, inode);
46165                         }
46166                 } else {
46167 @@ -230,6 +241,9 @@ static int scan(struct ctl_table_header 
46168                 if (*pos < file->f_pos)
46169                         continue;
46170  
46171 +               if (gr_handle_sysctl(table, 0))
46172 +                       continue;
46173 +
46174                 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
46175                 if (res)
46176                         return res;
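Review bot: `gr_handle_sysctl(table, 0)` passes an op of 0 where the lookup and getattr hunks in this file pass `MAY_EXEC`, and nothing here says what 0 denotes for this hook. Either use the same MAY_ constant as the other call sites or add a one-line comment stating the meaning, e.g. `/* op 0: directory listing, no access mode implied */` if that is what it means. scan() continues outside the hunk.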
46177 @@ -355,6 +369,9 @@ static int proc_sys_getattr(struct vfsmo
46178         if (IS_ERR(head))
46179                 return PTR_ERR(head);
46180  
46181 +       if (table && gr_handle_sysctl(table, MAY_EXEC))
46182 +               return -ENOENT;
46183 +
46184         generic_fillattr(inode, stat);
46185         if (table)
46186                 stat->mode = (stat->mode & S_IFMT) | table->mode;
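Review bot: The new early `return -ENOENT;` bypasses the release of `head`: the `IS_ERR(head)` test at the top of the hunk shows the header was acquired just above, and the remainder of proc_sys_getattr, outside the hunk, is where it is released (sysctl_head_finish, as the proc_sys_lookup hunk's `out:` label does for that function), so every denied stat leaks a header reference. Release it on the deny path: `if (table && gr_handle_sysctl(table, MAY_EXEC)) { sysctl_head_finish(head); return -ENOENT; }`.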
46187 @@ -374,13 +391,13 @@ static const struct file_operations proc
46188         .llseek         = generic_file_llseek,
46189  };
46190  
46191 -static const struct inode_operations proc_sys_inode_operations = {
46192 +const struct inode_operations proc_sys_inode_operations = {
46193         .permission     = proc_sys_permission,
46194         .setattr        = proc_sys_setattr,
46195         .getattr        = proc_sys_getattr,
46196  };
46197  
46198 -static const struct inode_operations proc_sys_dir_operations = {
46199 +const struct inode_operations proc_sys_dir_operations = {
46200         .lookup         = proc_sys_lookup,
46201         .permission     = proc_sys_permission,
46202         .setattr        = proc_sys_setattr,
46203 diff -urNp linux-3.1.1/fs/proc/root.c linux-3.1.1/fs/proc/root.c
46204 --- linux-3.1.1/fs/proc/root.c  2011-11-11 15:19:27.000000000 -0500
46205 +++ linux-3.1.1/fs/proc/root.c  2011-11-16 18:40:29.000000000 -0500
46206 @@ -123,7 +123,15 @@ void __init proc_root_init(void)
46207  #ifdef CONFIG_PROC_DEVICETREE
46208         proc_device_tree_init();
46209  #endif
46210 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
46211 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46212 +       proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
46213 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46214 +       proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
46215 +#endif
46216 +#else
46217         proc_mkdir("bus", NULL);
46218 +#endif
46219         proc_sys_init();
46220  }
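Review bot: Under `CONFIG_GRKERNSEC_PROC_ADD` the `bus` directory is created only when `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is also set; if Kconfig permits PROC_ADD without either, `/proc/bus` is never created and anything later registering beneath it would fail. Either add a fallback `#else` with `proc_mkdir("bus", NULL);` inside the inner conditional, or a comment stating that Kconfig guarantees one of the two is selected.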
46221  
46222 diff -urNp linux-3.1.1/fs/proc/task_mmu.c linux-3.1.1/fs/proc/task_mmu.c
46223 --- linux-3.1.1/fs/proc/task_mmu.c      2011-11-11 15:19:27.000000000 -0500
46224 +++ linux-3.1.1/fs/proc/task_mmu.c      2011-11-16 18:40:29.000000000 -0500
46225 @@ -51,8 +51,13 @@ void task_mem(struct seq_file *m, struct
46226                 "VmExe:\t%8lu kB\n"
46227                 "VmLib:\t%8lu kB\n"
46228                 "VmPTE:\t%8lu kB\n"
46229 -               "VmSwap:\t%8lu kB\n",
46230 -               hiwater_vm << (PAGE_SHIFT-10),
46231 +               "VmSwap:\t%8lu kB\n"
46232 +
46233 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46234 +               "CsBase:\t%8lx\nCsLim:\t%8lx\n"
46235 +#endif
46236 +
46237 +               ,hiwater_vm << (PAGE_SHIFT-10),
46238                 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
46239                 mm->locked_vm << (PAGE_SHIFT-10),
46240                 hiwater_rss << (PAGE_SHIFT-10),
46241 @@ -60,7 +65,13 @@ void task_mem(struct seq_file *m, struct
46242                 data << (PAGE_SHIFT-10),
46243                 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
46244                 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
46245 -               swap << (PAGE_SHIFT-10));
46246 +               swap << (PAGE_SHIFT-10)
46247 +
46248 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46249 +               , mm->context.user_cs_base, mm->context.user_cs_limit
46250 +#endif
46251 +
46252 +       );
46253  }
46254  
46255  unsigned long task_vsize(struct mm_struct *mm)
46256 @@ -207,6 +218,12 @@ static int do_maps_open(struct inode *in
46257         return ret;
46258  }
46259  
46260 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46261 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
46262 +                            (_mm->pax_flags & MF_PAX_RANDMMAP || \
46263 +                             _mm->pax_flags & MF_PAX_SEGMEXEC))
46264 +#endif
46265 +
46266  static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
46267  {
46268         struct mm_struct *mm = vma->vm_mm;
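Review bot: The `PAX_RAND_FLAGS(_mm)` macro relies on `&` binding tighter than `||` without parentheses and evaluates its argument four times, while every caller in this file passes `vma->vm_mm` or `mm`. A single mask test reads more clearly and evaluates once: `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`; a `static inline bool` helper would additionally be type-checked.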
46269 @@ -225,13 +242,13 @@ static void show_map_vma(struct seq_file
46270                 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
46271         }
46272  
46273 -       /* We don't show the stack guard page in /proc/maps */
46274 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46275 +       start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
46276 +       end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
46277 +#else
46278         start = vma->vm_start;
46279 -       if (stack_guard_page_start(vma, start))
46280 -               start += PAGE_SIZE;
46281         end = vma->vm_end;
46282 -       if (stack_guard_page_end(vma, end))
46283 -               end -= PAGE_SIZE;
46284 +#endif
46285  
46286         seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
46287                         start,
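Review bot: The `#else` branch at `start = vma->vm_start;` drops the `stack_guard_page_start`/`stack_guard_page_end` adjustments for every configuration, not only when `CONFIG_GRKERNSEC_PROC_MEMMAP` is set, so /proc/PID/maps output changes even with the option off. If the guard-page handling is removed elsewhere in this patch that is fine, but the deleted comment should be replaced by one saying so; otherwise the adjustments belong in the `#else` branch. show_map_vma continues outside the hunk.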
46288 @@ -240,7 +257,11 @@ static void show_map_vma(struct seq_file
46289                         flags & VM_WRITE ? 'w' : '-',
46290                         flags & VM_EXEC ? 'x' : '-',
46291                         flags & VM_MAYSHARE ? 's' : 'p',
46292 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46293 +                       PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
46294 +#else
46295                         pgoff,
46296 +#endif
46297                         MAJOR(dev), MINOR(dev), ino, &len);
46298  
46299         /*
46300 @@ -249,7 +270,7 @@ static void show_map_vma(struct seq_file
46301          */
46302         if (file) {
46303                 pad_len_spaces(m, len);
46304 -               seq_path(m, &file->f_path, "\n");
46305 +               seq_path(m, &file->f_path, "\n\\");
46306         } else {
46307                 const char *name = arch_vma_name(vma);
46308                 if (!name) {
46309 @@ -257,8 +278,9 @@ static void show_map_vma(struct seq_file
46310                                 if (vma->vm_start <= mm->brk &&
46311                                                 vma->vm_end >= mm->start_brk) {
46312                                         name = "[heap]";
46313 -                               } else if (vma->vm_start <= mm->start_stack &&
46314 -                                          vma->vm_end >= mm->start_stack) {
46315 +                               } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
46316 +                                          (vma->vm_start <= mm->start_stack &&
46317 +                                           vma->vm_end >= mm->start_stack)) {
46318                                         name = "[stack]";
46319                                 }
46320                         } else {
46321 @@ -433,11 +455,16 @@ static int show_smap(struct seq_file *m,
46322         };
46323  
46324         memset(&mss, 0, sizeof mss);
46325 -       mss.vma = vma;
46326 -       /* mmap_sem is held in m_start */
46327 -       if (vma->vm_mm && !is_vm_hugetlb_page(vma))
46328 -               walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
46329 -
46330 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46331 +       if (!PAX_RAND_FLAGS(vma->vm_mm)) {
46332 +#endif
46333 +               mss.vma = vma;
46334 +               /* mmap_sem is held in m_start */
46335 +               if (vma->vm_mm && !is_vm_hugetlb_page(vma))
46336 +                       walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
46337 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46338 +       }
46339 +#endif
46340         show_map_vma(m, vma);
46341  
46342         seq_printf(m,
46343 @@ -455,7 +482,11 @@ static int show_smap(struct seq_file *m,
46344                    "KernelPageSize: %8lu kB\n"
46345                    "MMUPageSize:    %8lu kB\n"
46346                    "Locked:         %8lu kB\n",
46347 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46348 +                  PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
46349 +#else
46350                    (vma->vm_end - vma->vm_start) >> 10,
46351 +#endif
46352                    mss.resident >> 10,
46353                    (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
46354                    mss.shared_clean  >> 10,
46355 @@ -1031,7 +1062,7 @@ static int show_numa_map(struct seq_file
46356  
46357         if (file) {
46358                 seq_printf(m, " file=");
46359 -               seq_path(m, &file->f_path, "\n\t= ");
46360 +               seq_path(m, &file->f_path, "\n\t\\= ");
46361         } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
46362                 seq_printf(m, " heap");
46363         } else if (vma->vm_start <= mm->start_stack &&
46364 diff -urNp linux-3.1.1/fs/proc/task_nommu.c linux-3.1.1/fs/proc/task_nommu.c
46365 --- linux-3.1.1/fs/proc/task_nommu.c    2011-11-11 15:19:27.000000000 -0500
46366 +++ linux-3.1.1/fs/proc/task_nommu.c    2011-11-16 18:39:08.000000000 -0500
46367 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
46368         else
46369                 bytes += kobjsize(mm);
46370         
46371 -       if (current->fs && current->fs->users > 1)
46372 +       if (current->fs && atomic_read(&current->fs->users) > 1)
46373                 sbytes += kobjsize(current->fs);
46374         else
46375                 bytes += kobjsize(current->fs);
46376 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
46377  
46378         if (file) {
46379                 pad_len_spaces(m, len);
46380 -               seq_path(m, &file->f_path, "");
46381 +               seq_path(m, &file->f_path, "\n\\");
46382         } else if (mm) {
46383                 if (vma->vm_start <= mm->start_stack &&
46384                         vma->vm_end >= mm->start_stack) {
46385 diff -urNp linux-3.1.1/fs/quota/netlink.c linux-3.1.1/fs/quota/netlink.c
46386 --- linux-3.1.1/fs/quota/netlink.c      2011-11-11 15:19:27.000000000 -0500
46387 +++ linux-3.1.1/fs/quota/netlink.c      2011-11-16 18:39:08.000000000 -0500
46388 @@ -33,7 +33,7 @@ static struct genl_family quota_genl_fam
46389  void quota_send_warning(short type, unsigned int id, dev_t dev,
46390                         const char warntype)
46391  {
46392 -       static atomic_t seq;
46393 +       static atomic_unchecked_t seq;
46394         struct sk_buff *skb;
46395         void *msg_head;
46396         int ret;
46397 @@ -49,7 +49,7 @@ void quota_send_warning(short type, unsi
46398                   "VFS: Not enough memory to send quota warning.\n");
46399                 return;
46400         }
46401 -       msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
46402 +       msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
46403                         &quota_genl_family, 0, QUOTA_NL_C_WARNING);
46404         if (!msg_head) {
46405                 printk(KERN_ERR
46406 diff -urNp linux-3.1.1/fs/readdir.c linux-3.1.1/fs/readdir.c
46407 --- linux-3.1.1/fs/readdir.c    2011-11-11 15:19:27.000000000 -0500
46408 +++ linux-3.1.1/fs/readdir.c    2011-11-16 18:40:29.000000000 -0500
46409 @@ -17,6 +17,7 @@
46410  #include <linux/security.h>
46411  #include <linux/syscalls.h>
46412  #include <linux/unistd.h>
46413 +#include <linux/namei.h>
46414  
46415  #include <asm/uaccess.h>
46416  
46417 @@ -67,6 +68,7 @@ struct old_linux_dirent {
46418  
46419  struct readdir_callback {
46420         struct old_linux_dirent __user * dirent;
46421 +       struct file * file;
46422         int result;
46423  };
46424  
46425 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
46426                 buf->result = -EOVERFLOW;
46427                 return -EOVERFLOW;
46428         }
46429 +
46430 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46431 +               return 0;
46432 +
46433         buf->result++;
46434         dirent = buf->dirent;
46435         if (!access_ok(VERIFY_WRITE, dirent,
46436 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
46437  
46438         buf.result = 0;
46439         buf.dirent = dirent;
46440 +       buf.file = file;
46441  
46442         error = vfs_readdir(file, fillonedir, &buf);
46443         if (buf.result)
46444 @@ -142,6 +149,7 @@ struct linux_dirent {
46445  struct getdents_callback {
46446         struct linux_dirent __user * current_dir;
46447         struct linux_dirent __user * previous;
46448 +       struct file * file;
46449         int count;
46450         int error;
46451  };
46452 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
46453                 buf->error = -EOVERFLOW;
46454                 return -EOVERFLOW;
46455         }
46456 +
46457 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46458 +               return 0;
46459 +
46460         dirent = buf->previous;
46461         if (dirent) {
46462                 if (__put_user(offset, &dirent->d_off))
46463 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, 
46464         buf.previous = NULL;
46465         buf.count = count;
46466         buf.error = 0;
46467 +       buf.file = file;
46468  
46469         error = vfs_readdir(file, filldir, &buf);
46470         if (error >= 0)
46471 @@ -229,6 +242,7 @@ out:
46472  struct getdents_callback64 {
46473         struct linux_dirent64 __user * current_dir;
46474         struct linux_dirent64 __user * previous;
46475 +       struct file *file;
46476         int count;
46477         int error;
46478  };
46479 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
46480         buf->error = -EINVAL;   /* only used if we fail.. */
46481         if (reclen > buf->count)
46482                 return -EINVAL;
46483 +
46484 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46485 +               return 0;
46486 +
46487         dirent = buf->previous;
46488         if (dirent) {
46489                 if (__put_user(offset, &dirent->d_off))
46490 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
46491  
46492         buf.current_dir = dirent;
46493         buf.previous = NULL;
46494 +       buf.file = file;
46495         buf.count = count;
46496         buf.error = 0;
46497  
46498 @@ -299,7 +318,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
46499                 error = buf.error;
46500         lastdirent = buf.previous;
46501         if (lastdirent) {
46502 -               typeof(lastdirent->d_off) d_off = file->f_pos;
46503 +               typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
46504                 if (__put_user(d_off, &lastdirent->d_off))
46505                         error = -EFAULT;
46506                 else
46507 diff -urNp linux-3.1.1/fs/reiserfs/dir.c linux-3.1.1/fs/reiserfs/dir.c
46508 --- linux-3.1.1/fs/reiserfs/dir.c       2011-11-11 15:19:27.000000000 -0500
46509 +++ linux-3.1.1/fs/reiserfs/dir.c       2011-11-16 18:40:29.000000000 -0500
46510 @@ -75,6 +75,8 @@ int reiserfs_readdir_dentry(struct dentr
46511         struct reiserfs_dir_entry de;
46512         int ret = 0;
46513  
46514 +       pax_track_stack();
46515 +
46516         reiserfs_write_lock(inode->i_sb);
46517  
46518         reiserfs_check_lock_depth(inode->i_sb, "readdir");
46519 diff -urNp linux-3.1.1/fs/reiserfs/do_balan.c linux-3.1.1/fs/reiserfs/do_balan.c
46520 --- linux-3.1.1/fs/reiserfs/do_balan.c  2011-11-11 15:19:27.000000000 -0500
46521 +++ linux-3.1.1/fs/reiserfs/do_balan.c  2011-11-16 18:39:08.000000000 -0500
46522 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
46523                 return;
46524         }
46525  
46526 -       atomic_inc(&(fs_generation(tb->tb_sb)));
46527 +       atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
46528         do_balance_starts(tb);
46529  
46530         /* balance leaf returns 0 except if combining L R and S into
46531 diff -urNp linux-3.1.1/fs/reiserfs/journal.c linux-3.1.1/fs/reiserfs/journal.c
46532 --- linux-3.1.1/fs/reiserfs/journal.c   2011-11-11 15:19:27.000000000 -0500
46533 +++ linux-3.1.1/fs/reiserfs/journal.c   2011-11-16 18:40:29.000000000 -0500
46534 @@ -2289,6 +2289,8 @@ static struct buffer_head *reiserfs_brea
46535         struct buffer_head *bh;
46536         int i, j;
46537  
46538 +       pax_track_stack();
46539 +
46540         bh = __getblk(dev, block, bufsize);
46541         if (buffer_uptodate(bh))
46542                 return (bh);
46543 diff -urNp linux-3.1.1/fs/reiserfs/namei.c linux-3.1.1/fs/reiserfs/namei.c
46544 --- linux-3.1.1/fs/reiserfs/namei.c     2011-11-11 15:19:27.000000000 -0500
46545 +++ linux-3.1.1/fs/reiserfs/namei.c     2011-11-16 18:40:29.000000000 -0500
46546 @@ -1225,6 +1225,8 @@ static int reiserfs_rename(struct inode 
46547         unsigned long savelink = 1;
46548         struct timespec ctime;
46549  
46550 +       pax_track_stack();
46551 +
46552         /* three balancings: (1) old name removal, (2) new name insertion
46553            and (3) maybe "save" link insertion
46554            stat data updates: (1) old directory,
46555 diff -urNp linux-3.1.1/fs/reiserfs/procfs.c linux-3.1.1/fs/reiserfs/procfs.c
46556 --- linux-3.1.1/fs/reiserfs/procfs.c    2011-11-11 15:19:27.000000000 -0500
46557 +++ linux-3.1.1/fs/reiserfs/procfs.c    2011-11-16 18:40:29.000000000 -0500
46558 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
46559                    "SMALL_TAILS " : "NO_TAILS ",
46560                    replay_only(sb) ? "REPLAY_ONLY " : "",
46561                    convert_reiserfs(sb) ? "CONV " : "",
46562 -                  atomic_read(&r->s_generation_counter),
46563 +                  atomic_read_unchecked(&r->s_generation_counter),
46564                    SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
46565                    SF(s_do_balance), SF(s_unneeded_left_neighbor),
46566                    SF(s_good_search_by_key_reada), SF(s_bmaps),
46567 @@ -299,6 +299,8 @@ static int show_journal(struct seq_file 
46568         struct journal_params *jp = &rs->s_v1.s_journal;
46569         char b[BDEVNAME_SIZE];
46570  
46571 +       pax_track_stack();
46572 +
46573         seq_printf(m,           /* on-disk fields */
46574                    "jp_journal_1st_block: \t%i\n"
46575                    "jp_journal_dev: \t%s[%x]\n"
46576 diff -urNp linux-3.1.1/fs/reiserfs/stree.c linux-3.1.1/fs/reiserfs/stree.c
46577 --- linux-3.1.1/fs/reiserfs/stree.c     2011-11-11 15:19:27.000000000 -0500
46578 +++ linux-3.1.1/fs/reiserfs/stree.c     2011-11-16 18:40:29.000000000 -0500
46579 @@ -1196,6 +1196,8 @@ int reiserfs_delete_item(struct reiserfs
46580         int iter = 0;
46581  #endif
46582  
46583 +       pax_track_stack();
46584 +
46585         BUG_ON(!th->t_trans_id);
46586  
46587         init_tb_struct(th, &s_del_balance, sb, path,
46588 @@ -1333,6 +1335,8 @@ void reiserfs_delete_solid_item(struct r
46589         int retval;
46590         int quota_cut_bytes = 0;
46591  
46592 +       pax_track_stack();
46593 +
46594         BUG_ON(!th->t_trans_id);
46595  
46596         le_key2cpu_key(&cpu_key, key);
46597 @@ -1562,6 +1566,8 @@ int reiserfs_cut_from_item(struct reiser
46598         int quota_cut_bytes;
46599         loff_t tail_pos = 0;
46600  
46601 +       pax_track_stack();
46602 +
46603         BUG_ON(!th->t_trans_id);
46604  
46605         init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
46606 @@ -1957,6 +1963,8 @@ int reiserfs_paste_into_item(struct reis
46607         int retval;
46608         int fs_gen;
46609  
46610 +       pax_track_stack();
46611 +
46612         BUG_ON(!th->t_trans_id);
46613  
46614         fs_gen = get_generation(inode->i_sb);
46615 @@ -2045,6 +2053,8 @@ int reiserfs_insert_item(struct reiserfs
46616         int fs_gen = 0;
46617         int quota_bytes = 0;
46618  
46619 +       pax_track_stack();
46620 +
46621         BUG_ON(!th->t_trans_id);
46622  
46623         if (inode) {            /* Do we count quotas for item? */
46624 diff -urNp linux-3.1.1/fs/reiserfs/super.c linux-3.1.1/fs/reiserfs/super.c
46625 --- linux-3.1.1/fs/reiserfs/super.c     2011-11-11 15:19:27.000000000 -0500
46626 +++ linux-3.1.1/fs/reiserfs/super.c     2011-11-16 18:40:29.000000000 -0500
46627 @@ -927,6 +927,8 @@ static int reiserfs_parse_options(struct
46628                 {.option_name = NULL}
46629         };
46630  
46631 +       pax_track_stack();
46632 +
46633         *blocks = 0;
46634         if (!options || !*options)
46635                 /* use default configuration: create tails, journaling on, no
46636 diff -urNp linux-3.1.1/fs/select.c linux-3.1.1/fs/select.c
46637 --- linux-3.1.1/fs/select.c     2011-11-11 15:19:27.000000000 -0500
46638 +++ linux-3.1.1/fs/select.c     2011-11-16 18:40:29.000000000 -0500
46639 @@ -20,6 +20,7 @@
46640  #include <linux/module.h>
46641  #include <linux/slab.h>
46642  #include <linux/poll.h>
46643 +#include <linux/security.h>
46644  #include <linux/personality.h> /* for STICKY_TIMEOUTS */
46645  #include <linux/file.h>
46646  #include <linux/fdtable.h>
46647 @@ -403,6 +404,8 @@ int do_select(int n, fd_set_bits *fds, s
46648         int retval, i, timed_out = 0;
46649         unsigned long slack = 0;
46650  
46651 +       pax_track_stack();
46652 +
46653         rcu_read_lock();
46654         retval = max_select_fd(n, fds);
46655         rcu_read_unlock();
46656 @@ -528,6 +531,8 @@ int core_sys_select(int n, fd_set __user
46657         /* Allocate small arguments on the stack to save memory and be faster */
46658         long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
46659  
46660 +       pax_track_stack();
46661 +
46662         ret = -EINVAL;
46663         if (n < 0)
46664                 goto out_nofds;
46665 @@ -837,6 +842,9 @@ int do_sys_poll(struct pollfd __user *uf
46666         struct poll_list *walk = head;
46667         unsigned long todo = nfds;
46668  
46669 +       pax_track_stack();
46670 +
46671 +       gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
46672         if (nfds > rlimit(RLIMIT_NOFILE))
46673                 return -EINVAL;
46674  
46675 diff -urNp linux-3.1.1/fs/seq_file.c linux-3.1.1/fs/seq_file.c
46676 --- linux-3.1.1/fs/seq_file.c   2011-11-11 15:19:27.000000000 -0500
46677 +++ linux-3.1.1/fs/seq_file.c   2011-11-16 18:39:08.000000000 -0500
46678 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m, 
46679                 return 0;
46680         }
46681         if (!m->buf) {
46682 -               m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
46683 +               m->size = PAGE_SIZE;
46684 +               m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
46685                 if (!m->buf)
46686                         return -ENOMEM;
46687         }
46688 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m, 
46689  Eoverflow:
46690         m->op->stop(m, p);
46691         kfree(m->buf);
46692 -       m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
46693 +       m->size <<= 1;
46694 +       m->buf = kmalloc(m->size, GFP_KERNEL);
46695         return !m->buf ? -ENOMEM : -EAGAIN;
46696  }
46697  
46698 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
46699         m->version = file->f_version;
46700         /* grab buffer if we didn't have one */
46701         if (!m->buf) {
46702 -               m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
46703 +               m->size = PAGE_SIZE;
46704 +               m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
46705                 if (!m->buf)
46706                         goto Enomem;
46707         }
46708 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
46709                         goto Fill;
46710                 m->op->stop(m, p);
46711                 kfree(m->buf);
46712 -               m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
46713 +               m->size <<= 1;
46714 +               m->buf = kmalloc(m->size, GFP_KERNEL);
46715                 if (!m->buf)
46716                         goto Enomem;
46717                 m->count = 0;
46718 @@ -549,7 +553,7 @@ static void single_stop(struct seq_file 
46719  int single_open(struct file *file, int (*show)(struct seq_file *, void *),
46720                 void *data)
46721  {
46722 -       struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
46723 +       seq_operations_no_const *op = kmalloc(sizeof(*op), GFP_KERNEL);
46724         int res = -ENOMEM;
46725  
46726         if (op) {
46727 diff -urNp linux-3.1.1/fs/splice.c linux-3.1.1/fs/splice.c
46728 --- linux-3.1.1/fs/splice.c     2011-11-11 15:19:27.000000000 -0500
46729 +++ linux-3.1.1/fs/splice.c     2011-11-16 18:40:29.000000000 -0500
46730 @@ -194,7 +194,7 @@ ssize_t splice_to_pipe(struct pipe_inode
46731         pipe_lock(pipe);
46732  
46733         for (;;) {
46734 -               if (!pipe->readers) {
46735 +               if (!atomic_read(&pipe->readers)) {
46736                         send_sig(SIGPIPE, current, 0);
46737                         if (!ret)
46738                                 ret = -EPIPE;
46739 @@ -248,9 +248,9 @@ ssize_t splice_to_pipe(struct pipe_inode
46740                         do_wakeup = 0;
46741                 }
46742  
46743 -               pipe->waiting_writers++;
46744 +               atomic_inc(&pipe->waiting_writers);
46745                 pipe_wait(pipe);
46746 -               pipe->waiting_writers--;
46747 +               atomic_dec(&pipe->waiting_writers);
46748         }
46749  
46750         pipe_unlock(pipe);
46751 @@ -320,6 +320,8 @@ __generic_file_splice_read(struct file *
46752                 .spd_release = spd_release_page,
46753         };
46754  
46755 +       pax_track_stack();
46756 +
46757         if (splice_grow_spd(pipe, &spd))
46758                 return -ENOMEM;
46759  
46760 @@ -560,7 +562,7 @@ static ssize_t kernel_readv(struct file 
46761         old_fs = get_fs();
46762         set_fs(get_ds());
46763         /* The cast to a user pointer is valid due to the set_fs() */
46764 -       res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
46765 +       res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
46766         set_fs(old_fs);
46767  
46768         return res;
46769 @@ -575,7 +577,7 @@ static ssize_t kernel_write(struct file 
46770         old_fs = get_fs();
46771         set_fs(get_ds());
46772         /* The cast to a user pointer is valid due to the set_fs() */
46773 -       res = vfs_write(file, (const char __user *)buf, count, &pos);
46774 +       res = vfs_write(file, (const char __force_user *)buf, count, &pos);
46775         set_fs(old_fs);
46776  
46777         return res;
46778 @@ -603,6 +605,8 @@ ssize_t default_file_splice_read(struct 
46779                 .spd_release = spd_release_page,
46780         };
46781  
46782 +       pax_track_stack();
46783 +
46784         if (splice_grow_spd(pipe, &spd))
46785                 return -ENOMEM;
46786  
46787 @@ -626,7 +630,7 @@ ssize_t default_file_splice_read(struct 
46788                         goto err;
46789  
46790                 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
46791 -               vec[i].iov_base = (void __user *) page_address(page);
46792 +               vec[i].iov_base = (void __force_user *) page_address(page);
46793                 vec[i].iov_len = this_len;
46794                 spd.pages[i] = page;
46795                 spd.nr_pages++;
46796 @@ -846,10 +850,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
46797  int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
46798  {
46799         while (!pipe->nrbufs) {
46800 -               if (!pipe->writers)
46801 +               if (!atomic_read(&pipe->writers))
46802                         return 0;
46803  
46804 -               if (!pipe->waiting_writers && sd->num_spliced)
46805 +               if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
46806                         return 0;
46807  
46808                 if (sd->flags & SPLICE_F_NONBLOCK)
46809 @@ -1182,7 +1186,7 @@ ssize_t splice_direct_to_actor(struct fi
46810                  * out of the pipe right after the splice_to_pipe(). So set
46811                  * PIPE_READERS appropriately.
46812                  */
46813 -               pipe->readers = 1;
46814 +               atomic_set(&pipe->readers, 1);
46815  
46816                 current->splice_pipe = pipe;
46817         }
46818 @@ -1619,6 +1623,8 @@ static long vmsplice_to_pipe(struct file
46819         };
46820         long ret;
46821  
46822 +       pax_track_stack();
46823 +
46824         pipe = get_pipe_info(file);
46825         if (!pipe)
46826                 return -EBADF;
46827 @@ -1734,9 +1740,9 @@ static int ipipe_prep(struct pipe_inode_
46828                         ret = -ERESTARTSYS;
46829                         break;
46830                 }
46831 -               if (!pipe->writers)
46832 +               if (!atomic_read(&pipe->writers))
46833                         break;
46834 -               if (!pipe->waiting_writers) {
46835 +               if (!atomic_read(&pipe->waiting_writers)) {
46836                         if (flags & SPLICE_F_NONBLOCK) {
46837                                 ret = -EAGAIN;
46838                                 break;
46839 @@ -1768,7 +1774,7 @@ static int opipe_prep(struct pipe_inode_
46840         pipe_lock(pipe);
46841  
46842         while (pipe->nrbufs >= pipe->buffers) {
46843 -               if (!pipe->readers) {
46844 +               if (!atomic_read(&pipe->readers)) {
46845                         send_sig(SIGPIPE, current, 0);
46846                         ret = -EPIPE;
46847                         break;
46848 @@ -1781,9 +1787,9 @@ static int opipe_prep(struct pipe_inode_
46849                         ret = -ERESTARTSYS;
46850                         break;
46851                 }
46852 -               pipe->waiting_writers++;
46853 +               atomic_inc(&pipe->waiting_writers);
46854                 pipe_wait(pipe);
46855 -               pipe->waiting_writers--;
46856 +               atomic_dec(&pipe->waiting_writers);
46857         }
46858  
46859         pipe_unlock(pipe);
46860 @@ -1819,14 +1825,14 @@ retry:
46861         pipe_double_lock(ipipe, opipe);
46862  
46863         do {
46864 -               if (!opipe->readers) {
46865 +               if (!atomic_read(&opipe->readers)) {
46866                         send_sig(SIGPIPE, current, 0);
46867                         if (!ret)
46868                                 ret = -EPIPE;
46869                         break;
46870                 }
46871  
46872 -               if (!ipipe->nrbufs && !ipipe->writers)
46873 +               if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
46874                         break;
46875  
46876                 /*
46877 @@ -1923,7 +1929,7 @@ static int link_pipe(struct pipe_inode_i
46878         pipe_double_lock(ipipe, opipe);
46879  
46880         do {
46881 -               if (!opipe->readers) {
46882 +               if (!atomic_read(&opipe->readers)) {
46883                         send_sig(SIGPIPE, current, 0);
46884                         if (!ret)
46885                                 ret = -EPIPE;
46886 @@ -1968,7 +1974,7 @@ static int link_pipe(struct pipe_inode_i
46887          * return EAGAIN if we have the potential of some data in the
46888          * future, otherwise just return 0
46889          */
46890 -       if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
46891 +       if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
46892                 ret = -EAGAIN;
46893  
46894         pipe_unlock(ipipe);
46895 diff -urNp linux-3.1.1/fs/sysfs/file.c linux-3.1.1/fs/sysfs/file.c
46896 --- linux-3.1.1/fs/sysfs/file.c 2011-11-11 15:19:27.000000000 -0500
46897 +++ linux-3.1.1/fs/sysfs/file.c 2011-11-16 18:39:08.000000000 -0500
46898 @@ -37,7 +37,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
46899  
46900  struct sysfs_open_dirent {
46901         atomic_t                refcnt;
46902 -       atomic_t                event;
46903 +       atomic_unchecked_t      event;
46904         wait_queue_head_t       poll;
46905         struct list_head        buffers; /* goes through sysfs_buffer.list */
46906  };
46907 @@ -81,7 +81,7 @@ static int fill_read_buffer(struct dentr
46908         if (!sysfs_get_active(attr_sd))
46909                 return -ENODEV;
46910  
46911 -       buffer->event = atomic_read(&attr_sd->s_attr.open->event);
46912 +       buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
46913         count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
46914  
46915         sysfs_put_active(attr_sd);
46916 @@ -287,7 +287,7 @@ static int sysfs_get_open_dirent(struct 
46917                 return -ENOMEM;
46918  
46919         atomic_set(&new_od->refcnt, 0);
46920 -       atomic_set(&new_od->event, 1);
46921 +       atomic_set_unchecked(&new_od->event, 1);
46922         init_waitqueue_head(&new_od->poll);
46923         INIT_LIST_HEAD(&new_od->buffers);
46924         goto retry;
46925 @@ -432,7 +432,7 @@ static unsigned int sysfs_poll(struct fi
46926  
46927         sysfs_put_active(attr_sd);
46928  
46929 -       if (buffer->event != atomic_read(&od->event))
46930 +       if (buffer->event != atomic_read_unchecked(&od->event))
46931                 goto trigger;
46932  
46933         return DEFAULT_POLLMASK;
46934 @@ -451,7 +451,7 @@ void sysfs_notify_dirent(struct sysfs_di
46935  
46936         od = sd->s_attr.open;
46937         if (od) {
46938 -               atomic_inc(&od->event);
46939 +               atomic_inc_unchecked(&od->event);
46940                 wake_up_interruptible(&od->poll);
46941         }
46942  
46943 diff -urNp linux-3.1.1/fs/sysfs/mount.c linux-3.1.1/fs/sysfs/mount.c
46944 --- linux-3.1.1/fs/sysfs/mount.c        2011-11-11 15:19:27.000000000 -0500
46945 +++ linux-3.1.1/fs/sysfs/mount.c        2011-11-16 18:40:29.000000000 -0500
46946 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
46947         .s_name         = "",
46948         .s_count        = ATOMIC_INIT(1),
46949         .s_flags        = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
46950 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
46951 +       .s_mode         = S_IFDIR | S_IRWXU,
46952 +#else
46953         .s_mode         = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
46954 +#endif
46955         .s_ino          = 1,
46956  };
46957  
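Review bot: The `CONFIG_GRKERNSEC_SYSFS_RESTRICT` branch drops the group/other read and search bits from the sysfs root without a word of explanation, so a later reader cannot tell whether the narrower `.s_mode` is deliberate hardening or a typo against the `#else` line. Suggest `/* GRKERNSEC_SYSFS_RESTRICT: only the owner (uid 0) of the sysfs root may list or traverse /sys */` immediately above the `#ifdef`. Presumably the intent is to deny unprivileged users a view of the device and kernel layout exposed under /sys; confirm the wording against the option's Kconfig help text, which is not in this hunk.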
46958 diff -urNp linux-3.1.1/fs/sysfs/symlink.c linux-3.1.1/fs/sysfs/symlink.c
46959 --- linux-3.1.1/fs/sysfs/symlink.c      2011-11-11 15:19:27.000000000 -0500
46960 +++ linux-3.1.1/fs/sysfs/symlink.c      2011-11-16 18:39:08.000000000 -0500
46961 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
46962  
46963  static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
46964  {
46965 -       char *page = nd_get_link(nd);
46966 +       const char *page = nd_get_link(nd);
46967         if (!IS_ERR(page))
46968                 free_page((unsigned long)page);
46969  }
46970 diff -urNp linux-3.1.1/fs/udf/inode.c linux-3.1.1/fs/udf/inode.c
46971 --- linux-3.1.1/fs/udf/inode.c  2011-11-11 15:19:27.000000000 -0500
46972 +++ linux-3.1.1/fs/udf/inode.c  2011-11-16 18:40:29.000000000 -0500
46973 @@ -560,6 +560,8 @@ static struct buffer_head *inode_getblk(
46974         int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
46975         int lastblock = 0;
46976  
46977 +       pax_track_stack();
46978 +
46979         prev_epos.offset = udf_file_entry_alloc_offset(inode);
46980         prev_epos.block = iinfo->i_location;
46981         prev_epos.bh = NULL;
46982 diff -urNp linux-3.1.1/fs/udf/misc.c linux-3.1.1/fs/udf/misc.c
46983 --- linux-3.1.1/fs/udf/misc.c   2011-11-11 15:19:27.000000000 -0500
46984 +++ linux-3.1.1/fs/udf/misc.c   2011-11-16 18:39:08.000000000 -0500
46985 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
46986  
46987  u8 udf_tag_checksum(const struct tag *t)
46988  {
46989 -       u8 *data = (u8 *)t;
46990 +       const u8 *data = (const u8 *)t;
46991         u8 checksum = 0;
46992         int i;
46993         for (i = 0; i < sizeof(struct tag); ++i)
46994 diff -urNp linux-3.1.1/fs/utimes.c linux-3.1.1/fs/utimes.c
46995 --- linux-3.1.1/fs/utimes.c     2011-11-11 15:19:27.000000000 -0500
46996 +++ linux-3.1.1/fs/utimes.c     2011-11-16 18:40:29.000000000 -0500
46997 @@ -1,6 +1,7 @@
46998  #include <linux/compiler.h>
46999  #include <linux/file.h>
47000  #include <linux/fs.h>
47001 +#include <linux/security.h>
47002  #include <linux/linkage.h>
47003  #include <linux/mount.h>
47004  #include <linux/namei.h>
47005 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
47006                                 goto mnt_drop_write_and_out;
47007                 }
47008         }
47009 +
47010 +       if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
47011 +               error = -EACCES;
47012 +               goto mnt_drop_write_and_out;
47013 +       }
47014 +
47015         mutex_lock(&inode->i_mutex);
47016         error = notify_change(path->dentry, &newattrs);
47017         mutex_unlock(&inode->i_mutex);
47018 diff -urNp linux-3.1.1/fs/xattr_acl.c linux-3.1.1/fs/xattr_acl.c
47019 --- linux-3.1.1/fs/xattr_acl.c  2011-11-11 15:19:27.000000000 -0500
47020 +++ linux-3.1.1/fs/xattr_acl.c  2011-11-16 18:39:08.000000000 -0500
47021 @@ -17,8 +17,8 @@
47022  struct posix_acl *
47023  posix_acl_from_xattr(const void *value, size_t size)
47024  {
47025 -       posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
47026 -       posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
47027 +       const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
47028 +       const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
47029         int count;
47030         struct posix_acl *acl;
47031         struct posix_acl_entry *acl_e;
47032 diff -urNp linux-3.1.1/fs/xattr.c linux-3.1.1/fs/xattr.c
47033 --- linux-3.1.1/fs/xattr.c      2011-11-11 15:19:27.000000000 -0500
47034 +++ linux-3.1.1/fs/xattr.c      2011-11-16 18:40:29.000000000 -0500
47035 @@ -254,7 +254,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
47036   * Extended attribute SET operations
47037   */
47038  static long
47039 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
47040 +setxattr(struct path *path, const char __user *name, const void __user *value,
47041          size_t size, int flags)
47042  {
47043         int error;
47044 @@ -278,7 +278,13 @@ setxattr(struct dentry *d, const char __
47045                         return PTR_ERR(kvalue);
47046         }
47047  
47048 -       error = vfs_setxattr(d, kname, kvalue, size, flags);
47049 +       if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
47050 +               error = -EACCES;
47051 +               goto out;
47052 +       }
47053 +
47054 +       error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
47055 +out:
47056         kfree(kvalue);
47057         return error;
47058  }
47059 @@ -295,7 +301,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
47060                 return error;
47061         error = mnt_want_write(path.mnt);
47062         if (!error) {
47063 -               error = setxattr(path.dentry, name, value, size, flags);
47064 +               error = setxattr(&path, name, value, size, flags);
47065                 mnt_drop_write(path.mnt);
47066         }
47067         path_put(&path);
47068 @@ -314,7 +320,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
47069                 return error;
47070         error = mnt_want_write(path.mnt);
47071         if (!error) {
47072 -               error = setxattr(path.dentry, name, value, size, flags);
47073 +               error = setxattr(&path, name, value, size, flags);
47074                 mnt_drop_write(path.mnt);
47075         }
47076         path_put(&path);
47077 @@ -325,17 +331,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
47078                 const void __user *,value, size_t, size, int, flags)
47079  {
47080         struct file *f;
47081 -       struct dentry *dentry;
47082         int error = -EBADF;
47083  
47084         f = fget(fd);
47085         if (!f)
47086                 return error;
47087 -       dentry = f->f_path.dentry;
47088 -       audit_inode(NULL, dentry);
47089 +       audit_inode(NULL, f->f_path.dentry);
47090         error = mnt_want_write_file(f);
47091         if (!error) {
47092 -               error = setxattr(dentry, name, value, size, flags);
47093 +               error = setxattr(&f->f_path, name, value, size, flags);
47094                 mnt_drop_write(f->f_path.mnt);
47095         }
47096         fput(f);
47097 diff -urNp linux-3.1.1/fs/xfs/xfs_bmap.c linux-3.1.1/fs/xfs/xfs_bmap.c
47098 --- linux-3.1.1/fs/xfs/xfs_bmap.c       2011-11-11 15:19:27.000000000 -0500
47099 +++ linux-3.1.1/fs/xfs/xfs_bmap.c       2011-11-16 18:39:08.000000000 -0500
47100 @@ -250,7 +250,7 @@ xfs_bmap_validate_ret(
47101         int                     nmap,
47102         int                     ret_nmap);
47103  #else
47104 -#define        xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
47105 +#define        xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
47106  #endif /* DEBUG */
47107  
47108  STATIC int
47109 diff -urNp linux-3.1.1/fs/xfs/xfs_dir2_sf.c linux-3.1.1/fs/xfs/xfs_dir2_sf.c
47110 --- linux-3.1.1/fs/xfs/xfs_dir2_sf.c    2011-11-11 15:19:27.000000000 -0500
47111 +++ linux-3.1.1/fs/xfs/xfs_dir2_sf.c    2011-11-16 18:39:08.000000000 -0500
47112 @@ -852,7 +852,15 @@ xfs_dir2_sf_getdents(
47113                 }
47114  
47115                 ino = xfs_dir2_sfe_get_ino(sfp, sfep);
47116 -               if (filldir(dirent, (char *)sfep->name, sfep->namelen,
47117 +               if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
47118 +                       char name[sfep->namelen];
47119 +                       memcpy(name, sfep->name, sfep->namelen);
47120 +                       if (filldir(dirent, name, sfep->namelen,
47121 +                           off & 0x7fffffff, ino, DT_UNKNOWN)) {
47122 +                               *offset = off & 0x7fffffff;
47123 +                               return 0;
47124 +                       }
47125 +               } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
47126                             off & 0x7fffffff, ino, DT_UNKNOWN)) {
47127                         *offset = off & 0x7fffffff;
47128                         return 0;
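Review bot: The new branch duplicates the whole `filldir` call and its early-return tail just to swap the name pointer, and it sizes a VLA from `sfep->namelen`, so a zero-length entry would declare a zero-sized array. Selecting the name pointer first and keeping a single `filldir` call removes the duplication, and because the shortform name length is stored in a single byte a fixed 256-byte buffer replaces the VLA; the `char name[256]; char *namep;` declarations belong at the top of `xfs_dir2_sf_getdents`, which starts outside this hunk. Presumably the copy exists so that the user-copy path hands out a stack object rather than a pointer into the inode's inline data — a one-line comment saying so would help, since nothing in the hunk explains why the inline case is special.
```c
		ino = xfs_dir2_sfe_get_ino(sfp, sfep);
		namep = (char *)sfep->name;
		if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
			/* entry lives in the inode's inline data: copy the name out first */
			memcpy(name, sfep->name, sfep->namelen);
			namep = name;
		}
		if (filldir(dirent, namep, sfep->namelen,
			    off & 0x7fffffff, ino, DT_UNKNOWN)) {
			*offset = off & 0x7fffffff;
			return 0;
		}
```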
47129 diff -urNp linux-3.1.1/fs/xfs/xfs_ioctl.c linux-3.1.1/fs/xfs/xfs_ioctl.c
47130 --- linux-3.1.1/fs/xfs/xfs_ioctl.c      2011-11-11 15:19:27.000000000 -0500
47131 +++ linux-3.1.1/fs/xfs/xfs_ioctl.c      2011-11-16 18:39:08.000000000 -0500
47132 @@ -128,7 +128,7 @@ xfs_find_handle(
47133         }
47134  
47135         error = -EFAULT;
47136 -       if (copy_to_user(hreq->ohandle, &handle, hsize) ||
47137 +       if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
47138             copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
47139                 goto out_put;
47140  
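Review bot: The added `hsize > sizeof handle` test is the only bound between a length computed above this hunk and a `copy_to_user` out of the stack-resident `handle`, yet nothing marks it as such, so a later cleanup could drop it as redundant. Suggest `/* hsize is computed above; never expose more than the on-stack handle */` on the line before the `if`. The body of `xfs_find_handle` continues outside the hunk, so whether `hsize` is always derived from fixed sizes cannot be confirmed here; the guard is cheap defence in depth either way.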
47141 diff -urNp linux-3.1.1/fs/xfs/xfs_iops.c linux-3.1.1/fs/xfs/xfs_iops.c
47142 --- linux-3.1.1/fs/xfs/xfs_iops.c       2011-11-11 15:19:27.000000000 -0500
47143 +++ linux-3.1.1/fs/xfs/xfs_iops.c       2011-11-16 18:39:08.000000000 -0500
47144 @@ -446,7 +446,7 @@ xfs_vn_put_link(
47145         struct nameidata *nd,
47146         void            *p)
47147  {
47148 -       char            *s = nd_get_link(nd);
47149 +       const char      *s = nd_get_link(nd);
47150  
47151         if (!IS_ERR(s))
47152                 kfree(s);
47153 diff -urNp linux-3.1.1/grsecurity/gracl_alloc.c linux-3.1.1/grsecurity/gracl_alloc.c
47154 --- linux-3.1.1/grsecurity/gracl_alloc.c        1969-12-31 19:00:00.000000000 -0500
47155 +++ linux-3.1.1/grsecurity/gracl_alloc.c        2011-11-16 18:40:31.000000000 -0500
47156 @@ -0,0 +1,105 @@
47157 +#include <linux/kernel.h>
47158 +#include <linux/mm.h>
47159 +#include <linux/slab.h>
47160 +#include <linux/vmalloc.h>
47161 +#include <linux/gracl.h>
47162 +#include <linux/grsecurity.h>
47163 +
47164 +static unsigned long alloc_stack_next = 1;
47165 +static unsigned long alloc_stack_size = 1;
47166 +static void **alloc_stack;
47167 +
47168 +static __inline__ int
47169 +alloc_pop(void)
47170 +{
47171 +       if (alloc_stack_next == 1)
47172 +               return 0;
47173 +
47174 +       kfree(alloc_stack[alloc_stack_next - 2]);
47175 +
47176 +       alloc_stack_next--;
47177 +
47178 +       return 1;
47179 +}
47180 +
47181 +static __inline__ int
47182 +alloc_push(void *buf)
47183 +{
47184 +       if (alloc_stack_next >= alloc_stack_size)
47185 +               return 1;
47186 +
47187 +       alloc_stack[alloc_stack_next - 1] = buf;
47188 +
47189 +       alloc_stack_next++;
47190 +
47191 +       return 0;
47192 +}
47193 +
47194 +void *
47195 +acl_alloc(unsigned long len)
47196 +{
47197 +       void *ret = NULL;
47198 +
47199 +       if (!len || len > PAGE_SIZE)
47200 +               goto out;
47201 +
47202 +       ret = kmalloc(len, GFP_KERNEL);
47203 +
47204 +       if (ret) {
47205 +               if (alloc_push(ret)) {
47206 +                       kfree(ret);
47207 +                       ret = NULL;
47208 +               }
47209 +       }
47210 +
47211 +out:
47212 +       return ret;
47213 +}
47214 +
47215 +void *
47216 +acl_alloc_num(unsigned long num, unsigned long len)
47217 +{
47218 +       if (!len || (num > (PAGE_SIZE / len)))
47219 +               return NULL;
47220 +
47221 +       return acl_alloc(num * len);
47222 +}
47223 +
47224 +void
47225 +acl_free_all(void)
47226 +{
47227 +       if (gr_acl_is_enabled() || !alloc_stack)
47228 +               return;
47229 +
47230 +       while (alloc_pop()) ;
47231 +
47232 +       if (alloc_stack) {
47233 +               if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
47234 +                       kfree(alloc_stack);
47235 +               else
47236 +                       vfree(alloc_stack);
47237 +       }
47238 +
47239 +       alloc_stack = NULL;
47240 +       alloc_stack_size = 1;
47241 +       alloc_stack_next = 1;
47242 +
47243 +       return;
47244 +}
47245 +
47246 +int
47247 +acl_alloc_stack_init(unsigned long size)
47248 +{
47249 +       if ((size * sizeof (void *)) <= PAGE_SIZE)
47250 +               alloc_stack =
47251 +                   (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
47252 +       else
47253 +               alloc_stack = (void **) vmalloc(size * sizeof (void *));
47254 +
47255 +       alloc_stack_size = size;
47256 +
47257 +       if (!alloc_stack)
47258 +               return 0;
47259 +       else
47260 +               return 1;
47261 +}
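Review bot: `acl_alloc_stack_init` computes `size * sizeof (void *)` three times with no overflow check, so a large `size` wraps to a small allocation while `alloc_stack_size` keeps the unwrapped value, and `alloc_push` will then write past the buffer; the caller is outside this hunk, so whether `size` is bounded upstream cannot be confirmed here. A guard before the first `if` closes it: `if (!size || size > ULONG_MAX / sizeof (void *)) return 0;`. The `(void **)` casts on `kmalloc` and `vmalloc` are unnecessary in C, and the 1-based `alloc_stack_next` convention (`- 1` on push, `- 2` on pop, `== 1` meaning empty) deserves a comment above the statics, such as `/* alloc_stack_next is 1-based: slot N is alloc_stack[N - 1]; 1 means the stack is empty */`. Note also that `acl_free_all` bails out while `gr_acl_is_enabled()` is true, so anything pushed before a successful enable is only released on the next disable; if that is intended, a comment on the early return would save the next reader a detour.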
47262 diff -urNp linux-3.1.1/grsecurity/gracl.c linux-3.1.1/grsecurity/gracl.c
47263 --- linux-3.1.1/grsecurity/gracl.c      1969-12-31 19:00:00.000000000 -0500
47264 +++ linux-3.1.1/grsecurity/gracl.c      2011-11-16 19:31:00.000000000 -0500
47265 @@ -0,0 +1,4156 @@
47266 +#include <linux/kernel.h>
47267 +#include <linux/module.h>
47268 +#include <linux/sched.h>
47269 +#include <linux/mm.h>
47270 +#include <linux/file.h>
47271 +#include <linux/fs.h>
47272 +#include <linux/namei.h>
47273 +#include <linux/mount.h>
47274 +#include <linux/tty.h>
47275 +#include <linux/proc_fs.h>
47276 +#include <linux/lglock.h>
47277 +#include <linux/slab.h>
47278 +#include <linux/vmalloc.h>
47279 +#include <linux/types.h>
47280 +#include <linux/sysctl.h>
47281 +#include <linux/netdevice.h>
47282 +#include <linux/ptrace.h>
47283 +#include <linux/gracl.h>
47284 +#include <linux/gralloc.h>
47285 +#include <linux/grsecurity.h>
47286 +#include <linux/grinternal.h>
47287 +#include <linux/pid_namespace.h>
47288 +#include <linux/fdtable.h>
47289 +#include <linux/percpu.h>
47290 +
47291 +#include <asm/uaccess.h>
47292 +#include <asm/errno.h>
47293 +#include <asm/mman.h>
47294 +
47295 +static struct acl_role_db acl_role_set;
47296 +static struct name_db name_set;
47297 +static struct inodev_db inodev_set;
47298 +
47299 +/* for keeping track of userspace pointers used for subjects, so we
47300 +   can share references in the kernel as well
47301 +*/
47302 +
47303 +static struct path real_root;
47304 +
47305 +static struct acl_subj_map_db subj_map_set;
47306 +
47307 +static struct acl_role_label *default_role;
47308 +
47309 +static struct acl_role_label *role_list;
47310 +
47311 +static u16 acl_sp_role_value;
47312 +
47313 +extern char *gr_shared_page[4];
47314 +static DEFINE_MUTEX(gr_dev_mutex);
47315 +DEFINE_RWLOCK(gr_inode_lock);
47316 +
47317 +struct gr_arg *gr_usermode;
47318 +
47319 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
47320 +
47321 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
47322 +extern void gr_clear_learn_entries(void);
47323 +
47324 +#ifdef CONFIG_GRKERNSEC_RESLOG
47325 +extern void gr_log_resource(const struct task_struct *task,
47326 +                           const int res, const unsigned long wanted, const int gt);
47327 +#endif
47328 +
47329 +unsigned char *gr_system_salt;
47330 +unsigned char *gr_system_sum;
47331 +
47332 +static struct sprole_pw **acl_special_roles = NULL;
47333 +static __u16 num_sprole_pws = 0;
47334 +
47335 +static struct acl_role_label *kernel_role = NULL;
47336 +
47337 +static unsigned int gr_auth_attempts = 0;
47338 +static unsigned long gr_auth_expires = 0UL;
47339 +
47340 +#ifdef CONFIG_NET
47341 +extern struct vfsmount *sock_mnt;
47342 +#endif
47343 +
47344 +extern struct vfsmount *pipe_mnt;
47345 +extern struct vfsmount *shm_mnt;
47346 +#ifdef CONFIG_HUGETLBFS
47347 +extern struct vfsmount *hugetlbfs_vfsmount;
47348 +#endif
47349 +
47350 +static struct acl_object_label *fakefs_obj_rw;
47351 +static struct acl_object_label *fakefs_obj_rwx;
47352 +
47353 +extern int gr_init_uidset(void);
47354 +extern void gr_free_uidset(void);
47355 +extern void gr_remove_uid(uid_t uid);
47356 +extern int gr_find_uid(uid_t uid);
47357 +
47358 +DECLARE_BRLOCK(vfsmount_lock);
47359 +
47360 +__inline__ int
47361 +gr_acl_is_enabled(void)
47362 +{
47363 +       return (gr_status & GR_READY);
47364 +}
47365 +
47366 +#ifdef CONFIG_BTRFS_FS
47367 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
47368 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
47369 +#endif
47370 +
47371 +static inline dev_t __get_dev(const struct dentry *dentry)
47372 +{
47373 +#ifdef CONFIG_BTRFS_FS
47374 +       if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
47375 +               return get_btrfs_dev_from_inode(dentry->d_inode);
47376 +       else
47377 +#endif
47378 +               return dentry->d_inode->i_sb->s_dev;
47379 +}
47380 +
47381 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
47382 +{
47383 +       return __get_dev(dentry);
47384 +}
47385 +
47386 +static char gr_task_roletype_to_char(struct task_struct *task)
47387 +{
47388 +       switch (task->role->roletype &
47389 +               (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
47390 +                GR_ROLE_SPECIAL)) {
47391 +       case GR_ROLE_DEFAULT:
47392 +               return 'D';
47393 +       case GR_ROLE_USER:
47394 +               return 'U';
47395 +       case GR_ROLE_GROUP:
47396 +               return 'G';
47397 +       case GR_ROLE_SPECIAL:
47398 +               return 'S';
47399 +       }
47400 +
47401 +       return 'X';
47402 +}
47403 +
47404 +char gr_roletype_to_char(void)
47405 +{
47406 +       return gr_task_roletype_to_char(current);
47407 +}
47408 +
47409 +__inline__ int
47410 +gr_acl_tpe_check(void)
47411 +{
47412 +       if (unlikely(!(gr_status & GR_READY)))
47413 +               return 0;
47414 +       if (current->role->roletype & GR_ROLE_TPE)
47415 +               return 1;
47416 +       else
47417 +               return 0;
47418 +}
47419 +
47420 +int
47421 +gr_handle_rawio(const struct inode *inode)
47422 +{
47423 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
47424 +       if (inode && S_ISBLK(inode->i_mode) &&
47425 +           grsec_enable_chroot_caps && proc_is_chrooted(current) &&
47426 +           !capable(CAP_SYS_RAWIO))
47427 +               return 1;
47428 +#endif
47429 +       return 0;
47430 +}
47431 +
47432 +static int
47433 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
47434 +{
47435 +       if (likely(lena != lenb))
47436 +               return 0;
47437 +
47438 +       return !memcmp(a, b, lena);
47439 +}
47440 +
47441 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
47442 +{
47443 +       *buflen -= namelen;
47444 +       if (*buflen < 0)
47445 +               return -ENAMETOOLONG;
47446 +       *buffer -= namelen;
47447 +       memcpy(*buffer, str, namelen);
47448 +       return 0;
47449 +}
47450 +
47451 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
47452 +{
47453 +       return prepend(buffer, buflen, name->name, name->len);
47454 +}
47455 +
47456 +static int prepend_path(const struct path *path, struct path *root,
47457 +                       char **buffer, int *buflen)
47458 +{
47459 +       struct dentry *dentry = path->dentry;
47460 +       struct vfsmount *vfsmnt = path->mnt;
47461 +       bool slash = false;
47462 +       int error = 0;
47463 +
47464 +       while (dentry != root->dentry || vfsmnt != root->mnt) {
47465 +               struct dentry * parent;
47466 +
47467 +               if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
47468 +                       /* Global root? */
47469 +                       if (vfsmnt->mnt_parent == vfsmnt) {
47470 +                               goto out;
47471 +                       }
47472 +                       dentry = vfsmnt->mnt_mountpoint;
47473 +                       vfsmnt = vfsmnt->mnt_parent;
47474 +                       continue;
47475 +               }
47476 +               parent = dentry->d_parent;
47477 +               prefetch(parent);
47478 +               spin_lock(&dentry->d_lock);
47479 +               error = prepend_name(buffer, buflen, &dentry->d_name);
47480 +               spin_unlock(&dentry->d_lock);
47481 +               if (!error)
47482 +                       error = prepend(buffer, buflen, "/", 1);
47483 +               if (error)
47484 +                       break;
47485 +
47486 +               slash = true;
47487 +               dentry = parent;
47488 +       }
47489 +
47490 +out:
47491 +       if (!error && !slash)
47492 +               error = prepend(buffer, buflen, "/", 1);
47493 +
47494 +       return error;
47495 +}
47496 +
47497 +/* this must be called with vfsmount_lock and rename_lock held */
47498 +
47499 +static char *__our_d_path(const struct path *path, struct path *root,
47500 +                       char *buf, int buflen)
47501 +{
47502 +       char *res = buf + buflen;
47503 +       int error;
47504 +
47505 +       prepend(&res, &buflen, "\0", 1);
47506 +       error = prepend_path(path, root, &res, &buflen);
47507 +       if (error)
47508 +               return ERR_PTR(error);
47509 +
47510 +       return res;
47511 +}
47512 +
47513 +static char *
47514 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
47515 +{
47516 +       char *retval;
47517 +
47518 +       retval = __our_d_path(path, root, buf, buflen);
47519 +       if (unlikely(IS_ERR(retval)))
47520 +               retval = strcpy(buf, "<path too long>");
47521 +       else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
47522 +               retval[1] = '\0';
47523 +
47524 +       return retval;
47525 +}
47526 +
47527 +static char *
47528 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
47529 +               char *buf, int buflen)
47530 +{
47531 +       struct path path;
47532 +       char *res;
47533 +
47534 +       path.dentry = (struct dentry *)dentry;
47535 +       path.mnt = (struct vfsmount *)vfsmnt;
47536 +
47537 +       /* we can use real_root.dentry, real_root.mnt, because this is only called
47538 +          by the RBAC system */
47539 +       res = gen_full_path(&path, &real_root, buf, buflen);
47540 +
47541 +       return res;
47542 +}
47543 +
47544 +static char *
47545 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
47546 +           char *buf, int buflen)
47547 +{
47548 +       char *res;
47549 +       struct path path;
47550 +       struct path root;
47551 +       struct task_struct *reaper = &init_task;
47552 +
47553 +       path.dentry = (struct dentry *)dentry;
47554 +       path.mnt = (struct vfsmount *)vfsmnt;
47555 +
47556 +       /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
47557 +       get_fs_root(reaper->fs, &root);
47558 +
47559 +       write_seqlock(&rename_lock);
47560 +       br_read_lock(vfsmount_lock);
47561 +       res = gen_full_path(&path, &root, buf, buflen);
47562 +       br_read_unlock(vfsmount_lock);
47563 +       write_sequnlock(&rename_lock);
47564 +
47565 +       path_put(&root);
47566 +       return res;
47567 +}
47568 +
47569 +static char *
47570 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
47571 +{
47572 +       char *ret;
47573 +       write_seqlock(&rename_lock);
47574 +       br_read_lock(vfsmount_lock);
47575 +       ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
47576 +                            PAGE_SIZE);
47577 +       br_read_unlock(vfsmount_lock);
47578 +       write_sequnlock(&rename_lock);
47579 +       return ret;
47580 +}
47581 +
47582 +static char *
47583 +gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
47584 +{
47585 +       char *ret;
47586 +       char *buf;
47587 +       int buflen;
47588 +
47589 +       write_seqlock(&rename_lock);
47590 +       br_read_lock(vfsmount_lock);
47591 +       buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
47592 +       ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
47593 +       buflen = (int)(ret - buf);
47594 +       if (buflen >= 5)
47595 +               prepend(&ret, &buflen, "/proc", 5);
47596 +       else
47597 +               ret = strcpy(buf, "<path too long>");
47598 +       br_read_unlock(vfsmount_lock);
47599 +       write_sequnlock(&rename_lock);
47600 +       return ret;
47601 +}
47602 +
47603 +char *
47604 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
47605 +{
47606 +       return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
47607 +                            PAGE_SIZE);
47608 +}
47609 +
47610 +char *
47611 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
47612 +{
47613 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
47614 +                          PAGE_SIZE);
47615 +}
47616 +
47617 +char *
47618 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
47619 +{
47620 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
47621 +                          PAGE_SIZE);
47622 +}
47623 +
47624 +char *
47625 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
47626 +{
47627 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
47628 +                          PAGE_SIZE);
47629 +}
47630 +
47631 +char *
47632 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
47633 +{
47634 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
47635 +                          PAGE_SIZE);
47636 +}
47637 +
47638 +__inline__ __u32
47639 +to_gr_audit(const __u32 reqmode)
47640 +{
47641 +       /* masks off auditable permission flags, then shifts them to create
47642 +          auditing flags, and adds the special case of append auditing if
47643 +          we're requesting write */
47644 +       return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
47645 +}
47646 +
47647 +struct acl_subject_label *
47648 +lookup_subject_map(const struct acl_subject_label *userp)
47649 +{
47650 +       unsigned int index = shash(userp, subj_map_set.s_size);
47651 +       struct subject_map *match;
47652 +
47653 +       match = subj_map_set.s_hash[index];
47654 +
47655 +       while (match && match->user != userp)
47656 +               match = match->next;
47657 +
47658 +       if (match != NULL)
47659 +               return match->kernel;
47660 +       else
47661 +               return NULL;
47662 +}
47663 +
47664 +static void
47665 +insert_subj_map_entry(struct subject_map *subjmap)
47666 +{
47667 +       unsigned int index = shash(subjmap->user, subj_map_set.s_size);
47668 +       struct subject_map **curr;
47669 +
47670 +       subjmap->prev = NULL;
47671 +
47672 +       curr = &subj_map_set.s_hash[index];
47673 +       if (*curr != NULL)
47674 +               (*curr)->prev = subjmap;
47675 +
47676 +       subjmap->next = *curr;
47677 +       *curr = subjmap;
47678 +
47679 +       return;
47680 +}
47681 +
47682 +static struct acl_role_label *
47683 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
47684 +                     const gid_t gid)
47685 +{
47686 +       unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
47687 +       struct acl_role_label *match;
47688 +       struct role_allowed_ip *ipp;
47689 +       unsigned int x;
47690 +       u32 curr_ip = task->signal->curr_ip;
47691 +
47692 +       task->signal->saved_ip = curr_ip;
47693 +
47694 +       match = acl_role_set.r_hash[index];
47695 +
47696 +       while (match) {
47697 +               if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
47698 +                       for (x = 0; x < match->domain_child_num; x++) {
47699 +                               if (match->domain_children[x] == uid)
47700 +                                       goto found;
47701 +                       }
47702 +               } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
47703 +                       break;
47704 +               match = match->next;
47705 +       }
47706 +found:
47707 +       if (match == NULL) {
47708 +             try_group:
47709 +               index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
47710 +               match = acl_role_set.r_hash[index];
47711 +
47712 +               while (match) {
47713 +                       if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
47714 +                               for (x = 0; x < match->domain_child_num; x++) {
47715 +                                       if (match->domain_children[x] == gid)
47716 +                                               goto found2;
47717 +                               }
47718 +                       } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
47719 +                               break;
47720 +                       match = match->next;
47721 +               }
47722 +found2:
47723 +               if (match == NULL)
47724 +                       match = default_role;
47725 +               if (match->allowed_ips == NULL)
47726 +                       return match;
47727 +               else {
47728 +                       for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
47729 +                               if (likely
47730 +                                   ((ntohl(curr_ip) & ipp->netmask) ==
47731 +                                    (ntohl(ipp->addr) & ipp->netmask)))
47732 +                                       return match;
47733 +                       }
47734 +                       match = default_role;
47735 +               }
47736 +       } else if (match->allowed_ips == NULL) {
47737 +               return match;
47738 +       } else {
47739 +               for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
47740 +                       if (likely
47741 +                           ((ntohl(curr_ip) & ipp->netmask) ==
47742 +                            (ntohl(ipp->addr) & ipp->netmask)))
47743 +                               return match;
47744 +               }
47745 +               goto try_group;
47746 +       }
47747 +
47748 +       return match;
47749 +}
47750 +
47751 +struct acl_subject_label *
47752 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
47753 +                     const struct acl_role_label *role)
47754 +{
47755 +       unsigned int index = fhash(ino, dev, role->subj_hash_size);
47756 +       struct acl_subject_label *match;
47757 +
47758 +       match = role->subj_hash[index];
47759 +
47760 +       while (match && (match->inode != ino || match->device != dev ||
47761 +              (match->mode & GR_DELETED))) {
47762 +               match = match->next;
47763 +       }
47764 +
47765 +       if (match && !(match->mode & GR_DELETED))
47766 +               return match;
47767 +       else
47768 +               return NULL;
47769 +}
47770 +
47771 +struct acl_subject_label *
47772 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
47773 +                         const struct acl_role_label *role)
47774 +{
47775 +       unsigned int index = fhash(ino, dev, role->subj_hash_size);
47776 +       struct acl_subject_label *match;
47777 +
47778 +       match = role->subj_hash[index];
47779 +
47780 +       while (match && (match->inode != ino || match->device != dev ||
47781 +              !(match->mode & GR_DELETED))) {
47782 +               match = match->next;
47783 +       }
47784 +
47785 +       if (match && (match->mode & GR_DELETED))
47786 +               return match;
47787 +       else
47788 +               return NULL;
47789 +}
47790 +
47791 +static struct acl_object_label *
47792 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
47793 +                    const struct acl_subject_label *subj)
47794 +{
47795 +       unsigned int index = fhash(ino, dev, subj->obj_hash_size);
47796 +       struct acl_object_label *match;
47797 +
47798 +       match = subj->obj_hash[index];
47799 +
47800 +       while (match && (match->inode != ino || match->device != dev ||
47801 +              (match->mode & GR_DELETED))) {
47802 +               match = match->next;
47803 +       }
47804 +
47805 +       if (match && !(match->mode & GR_DELETED))
47806 +               return match;
47807 +       else
47808 +               return NULL;
47809 +}
47810 +
47811 +static struct acl_object_label *
47812 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
47813 +                    const struct acl_subject_label *subj)
47814 +{
47815 +       unsigned int index = fhash(ino, dev, subj->obj_hash_size);
47816 +       struct acl_object_label *match;
47817 +
47818 +       match = subj->obj_hash[index];
47819 +
47820 +       while (match && (match->inode != ino || match->device != dev ||
47821 +              !(match->mode & GR_DELETED))) {
47822 +               match = match->next;
47823 +       }
47824 +
47825 +       if (match && (match->mode & GR_DELETED))
47826 +               return match;
47827 +
47828 +       match = subj->obj_hash[index];
47829 +
47830 +       while (match && (match->inode != ino || match->device != dev ||
47831 +              (match->mode & GR_DELETED))) {
47832 +               match = match->next;
47833 +       }
47834 +
47835 +       if (match && !(match->mode & GR_DELETED))
47836 +               return match;
47837 +       else
47838 +               return NULL;
47839 +}
47840 +
47841 +static struct name_entry *
47842 +lookup_name_entry(const char *name)
47843 +{
47844 +       unsigned int len = strlen(name);
47845 +       unsigned int key = full_name_hash(name, len);
47846 +       unsigned int index = key % name_set.n_size;
47847 +       struct name_entry *match;
47848 +
47849 +       match = name_set.n_hash[index];
47850 +
47851 +       while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
47852 +               match = match->next;
47853 +
47854 +       return match;
47855 +}
47856 +
47857 +static struct name_entry *
47858 +lookup_name_entry_create(const char *name)
47859 +{
47860 +       unsigned int len = strlen(name);
47861 +       unsigned int key = full_name_hash(name, len);
47862 +       unsigned int index = key % name_set.n_size;
47863 +       struct name_entry *match;
47864 +
47865 +       match = name_set.n_hash[index];
47866 +
47867 +       while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
47868 +                        !match->deleted))
47869 +               match = match->next;
47870 +
47871 +       if (match && match->deleted)
47872 +               return match;
47873 +
47874 +       match = name_set.n_hash[index];
47875 +
47876 +       while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
47877 +                        match->deleted))
47878 +               match = match->next;
47879 +
47880 +       if (match && !match->deleted)
47881 +               return match;
47882 +       else
47883 +               return NULL;
47884 +}
47885 +
47886 +static struct inodev_entry *
47887 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
47888 +{
47889 +       unsigned int index = fhash(ino, dev, inodev_set.i_size);
47890 +       struct inodev_entry *match;
47891 +
47892 +       match = inodev_set.i_hash[index];
47893 +
47894 +       while (match && (match->nentry->inode != ino || match->nentry->device != dev))
47895 +               match = match->next;
47896 +
47897 +       return match;
47898 +}
47899 +
47900 +static void
47901 +insert_inodev_entry(struct inodev_entry *entry)
47902 +{
47903 +       unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
47904 +                                   inodev_set.i_size);
47905 +       struct inodev_entry **curr;
47906 +
47907 +       entry->prev = NULL;
47908 +
47909 +       curr = &inodev_set.i_hash[index];
47910 +       if (*curr != NULL)
47911 +               (*curr)->prev = entry;
47912 +       
47913 +       entry->next = *curr;
47914 +       *curr = entry;
47915 +
47916 +       return;
47917 +}
47918 +
47919 +static void
47920 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
47921 +{
47922 +       unsigned int index =
47923 +           rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
47924 +       struct acl_role_label **curr;
47925 +       struct acl_role_label *tmp;
47926 +
47927 +       curr = &acl_role_set.r_hash[index];
47928 +
47929 +       /* if role was already inserted due to domains and already has
47930 +          a role in the same bucket as it attached, then we need to
47931 +          combine these two buckets
47932 +       */
47933 +       if (role->next) {
47934 +               tmp = role->next;
47935 +               while (tmp->next)
47936 +                       tmp = tmp->next;
47937 +               tmp->next = *curr;
47938 +       } else
47939 +               role->next = *curr;
47940 +       *curr = role;
47941 +
47942 +       return;
47943 +}
47944 +
47945 +static void
47946 +insert_acl_role_label(struct acl_role_label *role)
47947 +{
47948 +       int i;
47949 +
47950 +       if (role_list == NULL) {
47951 +               role_list = role;
47952 +               role->prev = NULL;
47953 +       } else {
47954 +               role->prev = role_list;
47955 +               role_list = role;
47956 +       }
47957 +       
47958 +       /* used for hash chains */
47959 +       role->next = NULL;
47960 +
47961 +       if (role->roletype & GR_ROLE_DOMAIN) {
47962 +               for (i = 0; i < role->domain_child_num; i++)
47963 +                       __insert_acl_role_label(role, role->domain_children[i]);
47964 +       } else
47965 +               __insert_acl_role_label(role, role->uidgid);
47966 +}
47967 +                                       
47968 +static int
47969 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
47970 +{
47971 +       struct name_entry **curr, *nentry;
47972 +       struct inodev_entry *ientry;
47973 +       unsigned int len = strlen(name);
47974 +       unsigned int key = full_name_hash(name, len);
47975 +       unsigned int index = key % name_set.n_size;
47976 +
47977 +       curr = &name_set.n_hash[index];
47978 +
47979 +       while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
47980 +               curr = &((*curr)->next);
47981 +
47982 +       if (*curr != NULL)
47983 +               return 1;
47984 +
47985 +       nentry = acl_alloc(sizeof (struct name_entry));
47986 +       if (nentry == NULL)
47987 +               return 0;
47988 +       ientry = acl_alloc(sizeof (struct inodev_entry));
47989 +       if (ientry == NULL)
47990 +               return 0;
47991 +       ientry->nentry = nentry;
47992 +
47993 +       nentry->key = key;
47994 +       nentry->name = name;
47995 +       nentry->inode = inode;
47996 +       nentry->device = device;
47997 +       nentry->len = len;
47998 +       nentry->deleted = deleted;
47999 +
48000 +       nentry->prev = NULL;
48001 +       curr = &name_set.n_hash[index];
48002 +       if (*curr != NULL)
48003 +               (*curr)->prev = nentry;
48004 +       nentry->next = *curr;
48005 +       *curr = nentry;
48006 +
48007 +       /* insert us into the table searchable by inode/dev */
48008 +       insert_inodev_entry(ientry);
48009 +
48010 +       return 1;
48011 +}
48012 +
48013 +static void
48014 +insert_acl_obj_label(struct acl_object_label *obj,
48015 +                    struct acl_subject_label *subj)
48016 +{
48017 +       unsigned int index =
48018 +           fhash(obj->inode, obj->device, subj->obj_hash_size);
48019 +       struct acl_object_label **curr;
48020 +
48021 +       
48022 +       obj->prev = NULL;
48023 +
48024 +       curr = &subj->obj_hash[index];
48025 +       if (*curr != NULL)
48026 +               (*curr)->prev = obj;
48027 +
48028 +       obj->next = *curr;
48029 +       *curr = obj;
48030 +
48031 +       return;
48032 +}
48033 +
48034 +static void
48035 +insert_acl_subj_label(struct acl_subject_label *obj,
48036 +                     struct acl_role_label *role)
48037 +{
48038 +       unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
48039 +       struct acl_subject_label **curr;
48040 +
48041 +       obj->prev = NULL;
48042 +
48043 +       curr = &role->subj_hash[index];
48044 +       if (*curr != NULL)
48045 +               (*curr)->prev = obj;
48046 +
48047 +       obj->next = *curr;
48048 +       *curr = obj;
48049 +
48050 +       return;
48051 +}
48052 +
48053 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
48054 +
48055 +static void *
48056 +create_table(__u32 * len, int elementsize)
48057 +{
48058 +       unsigned int table_sizes[] = {
48059 +               7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
48060 +               32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
48061 +               4194301, 8388593, 16777213, 33554393, 67108859
48062 +       };
48063 +       void *newtable = NULL;
48064 +       unsigned int pwr = 0;
48065 +
48066 +       while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
48067 +              table_sizes[pwr] <= *len)
48068 +               pwr++;
48069 +
48070 +       if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
48071 +               return newtable;
48072 +
48073 +       if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
48074 +               newtable =
48075 +                   kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
48076 +       else
48077 +               newtable = vmalloc(table_sizes[pwr] * elementsize);
48078 +
48079 +       *len = table_sizes[pwr];
48080 +
48081 +       return newtable;
48082 +}
48083 +
48084 +static int
48085 +init_variables(const struct gr_arg *arg)
48086 +{
48087 +       struct task_struct *reaper = &init_task;
48088 +       unsigned int stacksize;
48089 +
48090 +       subj_map_set.s_size = arg->role_db.num_subjects;
48091 +       acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
48092 +       name_set.n_size = arg->role_db.num_objects;
48093 +       inodev_set.i_size = arg->role_db.num_objects;
48094 +
48095 +       if (!subj_map_set.s_size || !acl_role_set.r_size ||
48096 +           !name_set.n_size || !inodev_set.i_size)
48097 +               return 1;
48098 +
48099 +       if (!gr_init_uidset())
48100 +               return 1;
48101 +
48102 +       /* set up the stack that holds allocation info */
48103 +
48104 +       stacksize = arg->role_db.num_pointers + 5;
48105 +
48106 +       if (!acl_alloc_stack_init(stacksize))
48107 +               return 1;
48108 +
48109 +       /* grab reference for the real root dentry and vfsmount */
48110 +       get_fs_root(reaper->fs, &real_root);
48111 +       
48112 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
48113 +       printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
48114 +#endif
48115 +
48116 +       fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
48117 +       if (fakefs_obj_rw == NULL)
48118 +               return 1;
48119 +       fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
48120 +
48121 +       fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
48122 +       if (fakefs_obj_rwx == NULL)
48123 +               return 1;
48124 +       fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
48125 +
48126 +       subj_map_set.s_hash =
48127 +           (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
48128 +       acl_role_set.r_hash =
48129 +           (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
48130 +       name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
48131 +       inodev_set.i_hash =
48132 +           (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
48133 +
48134 +       if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
48135 +           !name_set.n_hash || !inodev_set.i_hash)
48136 +               return 1;
48137 +
48138 +       memset(subj_map_set.s_hash, 0,
48139 +              sizeof(struct subject_map *) * subj_map_set.s_size);
48140 +       memset(acl_role_set.r_hash, 0,
48141 +              sizeof (struct acl_role_label *) * acl_role_set.r_size);
48142 +       memset(name_set.n_hash, 0,
48143 +              sizeof (struct name_entry *) * name_set.n_size);
48144 +       memset(inodev_set.i_hash, 0,
48145 +              sizeof (struct inodev_entry *) * inodev_set.i_size);
48146 +
48147 +       return 0;
48148 +}
48149 +
48150 +/* free information not needed after startup
48151 +   currently contains user->kernel pointer mappings for subjects
48152 +*/
48153 +
48154 +static void
48155 +free_init_variables(void)
48156 +{
48157 +       __u32 i;
48158 +
48159 +       if (subj_map_set.s_hash) {
48160 +               for (i = 0; i < subj_map_set.s_size; i++) {
48161 +                       if (subj_map_set.s_hash[i]) {
48162 +                               kfree(subj_map_set.s_hash[i]);
48163 +                               subj_map_set.s_hash[i] = NULL;
48164 +                       }
48165 +               }
48166 +
48167 +               if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
48168 +                   PAGE_SIZE)
48169 +                       kfree(subj_map_set.s_hash);
48170 +               else
48171 +                       vfree(subj_map_set.s_hash);
48172 +       }
48173 +
48174 +       return;
48175 +}
48176 +
48177 +static void
48178 +free_variables(void)
48179 +{
48180 +       struct acl_subject_label *s;
48181 +       struct acl_role_label *r;
48182 +       struct task_struct *task, *task2;
48183 +       unsigned int x;
48184 +
48185 +       gr_clear_learn_entries();
48186 +
48187 +       read_lock(&tasklist_lock);
48188 +       do_each_thread(task2, task) {
48189 +               task->acl_sp_role = 0;
48190 +               task->acl_role_id = 0;
48191 +               task->acl = NULL;
48192 +               task->role = NULL;
48193 +       } while_each_thread(task2, task);
48194 +       read_unlock(&tasklist_lock);
48195 +
48196 +       /* release the reference to the real root dentry and vfsmount */
48197 +       path_put(&real_root);
48198 +
48199 +       /* free all object hash tables */
48200 +
48201 +       FOR_EACH_ROLE_START(r)
48202 +               if (r->subj_hash == NULL)
48203 +                       goto next_role;
48204 +               FOR_EACH_SUBJECT_START(r, s, x)
48205 +                       if (s->obj_hash == NULL)
48206 +                               break;
48207 +                       if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
48208 +                               kfree(s->obj_hash);
48209 +                       else
48210 +                               vfree(s->obj_hash);
48211 +               FOR_EACH_SUBJECT_END(s, x)
48212 +               FOR_EACH_NESTED_SUBJECT_START(r, s)
48213 +                       if (s->obj_hash == NULL)
48214 +                               break;
48215 +                       if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
48216 +                               kfree(s->obj_hash);
48217 +                       else
48218 +                               vfree(s->obj_hash);
48219 +               FOR_EACH_NESTED_SUBJECT_END(s)
48220 +               if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
48221 +                       kfree(r->subj_hash);
48222 +               else
48223 +                       vfree(r->subj_hash);
48224 +               r->subj_hash = NULL;
48225 +next_role:
48226 +       FOR_EACH_ROLE_END(r)
48227 +
48228 +       acl_free_all();
48229 +
48230 +       if (acl_role_set.r_hash) {
48231 +               if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
48232 +                   PAGE_SIZE)
48233 +                       kfree(acl_role_set.r_hash);
48234 +               else
48235 +                       vfree(acl_role_set.r_hash);
48236 +       }
48237 +       if (name_set.n_hash) {
48238 +               if ((name_set.n_size * sizeof (struct name_entry *)) <=
48239 +                   PAGE_SIZE)
48240 +                       kfree(name_set.n_hash);
48241 +               else
48242 +                       vfree(name_set.n_hash);
48243 +       }
48244 +
48245 +       if (inodev_set.i_hash) {
48246 +               if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
48247 +                   PAGE_SIZE)
48248 +                       kfree(inodev_set.i_hash);
48249 +               else
48250 +                       vfree(inodev_set.i_hash);
48251 +       }
48252 +
48253 +       gr_free_uidset();
48254 +
48255 +       memset(&name_set, 0, sizeof (struct name_db));
48256 +       memset(&inodev_set, 0, sizeof (struct inodev_db));
48257 +       memset(&acl_role_set, 0, sizeof (struct acl_role_db));
48258 +       memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
48259 +
48260 +       default_role = NULL;
48261 +       role_list = NULL;
48262 +
48263 +       return;
48264 +}
48265 +
48266 +static __u32
48267 +count_user_objs(struct acl_object_label *userp)
48268 +{
48269 +       struct acl_object_label o_tmp;
48270 +       __u32 num = 0;
48271 +
48272 +       while (userp) {
48273 +               if (copy_from_user(&o_tmp, userp,
48274 +                                  sizeof (struct acl_object_label)))
48275 +                       break;
48276 +
48277 +               userp = o_tmp.prev;
48278 +               num++;
48279 +       }
48280 +
48281 +       return num;
48282 +}
48283 +
48284 +static struct acl_subject_label *
48285 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
48286 +
48287 +static int
48288 +copy_user_glob(struct acl_object_label *obj)
48289 +{
48290 +       struct acl_object_label *g_tmp, **guser;
48291 +       unsigned int len;
48292 +       char *tmp;
48293 +
48294 +       if (obj->globbed == NULL)
48295 +               return 0;
48296 +
48297 +       guser = &obj->globbed;
48298 +       while (*guser) {
48299 +               g_tmp = (struct acl_object_label *)
48300 +                       acl_alloc(sizeof (struct acl_object_label));
48301 +               if (g_tmp == NULL)
48302 +                       return -ENOMEM;
48303 +
48304 +               if (copy_from_user(g_tmp, *guser,
48305 +                                  sizeof (struct acl_object_label)))
48306 +                       return -EFAULT;
48307 +
48308 +               len = strnlen_user(g_tmp->filename, PATH_MAX);
48309 +
48310 +               if (!len || len >= PATH_MAX)
48311 +                       return -EINVAL;
48312 +
48313 +               if ((tmp = (char *) acl_alloc(len)) == NULL)
48314 +                       return -ENOMEM;
48315 +
48316 +               if (copy_from_user(tmp, g_tmp->filename, len))
48317 +                       return -EFAULT;
48318 +               tmp[len-1] = '\0';
48319 +               g_tmp->filename = tmp;
48320 +
48321 +               *guser = g_tmp;
48322 +               guser = &(g_tmp->next);
48323 +       }
48324 +
48325 +       return 0;
48326 +}
48327 +
48328 +static int
48329 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
48330 +              struct acl_role_label *role)
48331 +{
48332 +       struct acl_object_label *o_tmp;
48333 +       unsigned int len;
48334 +       int ret;
48335 +       char *tmp;
48336 +
48337 +       while (userp) {
48338 +               if ((o_tmp = (struct acl_object_label *)
48339 +                    acl_alloc(sizeof (struct acl_object_label))) == NULL)
48340 +                       return -ENOMEM;
48341 +
48342 +               if (copy_from_user(o_tmp, userp,
48343 +                                  sizeof (struct acl_object_label)))
48344 +                       return -EFAULT;
48345 +
48346 +               userp = o_tmp->prev;
48347 +
48348 +               len = strnlen_user(o_tmp->filename, PATH_MAX);
48349 +
48350 +               if (!len || len >= PATH_MAX)
48351 +                       return -EINVAL;
48352 +
48353 +               if ((tmp = (char *) acl_alloc(len)) == NULL)
48354 +                       return -ENOMEM;
48355 +
48356 +               if (copy_from_user(tmp, o_tmp->filename, len))
48357 +                       return -EFAULT;
48358 +               tmp[len-1] = '\0';
48359 +               o_tmp->filename = tmp;
48360 +
48361 +               insert_acl_obj_label(o_tmp, subj);
48362 +               if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
48363 +                                      o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
48364 +                       return -ENOMEM;
48365 +
48366 +               ret = copy_user_glob(o_tmp);
48367 +               if (ret)
48368 +                       return ret;
48369 +
48370 +               if (o_tmp->nested) {
48371 +                       o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
48372 +                       if (IS_ERR(o_tmp->nested))
48373 +                               return PTR_ERR(o_tmp->nested);
48374 +
48375 +                       /* insert into nested subject list */
48376 +                       o_tmp->nested->next = role->hash->first;
48377 +                       role->hash->first = o_tmp->nested;
48378 +               }
48379 +       }
48380 +
48381 +       return 0;
48382 +}
48383 +
48384 +static __u32
48385 +count_user_subjs(struct acl_subject_label *userp)
48386 +{
48387 +       struct acl_subject_label s_tmp;
48388 +       __u32 num = 0;
48389 +
48390 +       while (userp) {
48391 +               if (copy_from_user(&s_tmp, userp,
48392 +                                  sizeof (struct acl_subject_label)))
48393 +                       break;
48394 +
48395 +               userp = s_tmp.prev;
48396 +               /* do not count nested subjects against this count, since
48397 +                  they are not included in the hash table, but are
48398 +                  attached to objects.  We have already counted
48399 +                  the subjects in userspace for the allocation 
48400 +                  stack
48401 +               */
48402 +               if (!(s_tmp.mode & GR_NESTED))
48403 +                       num++;
48404 +       }
48405 +
48406 +       return num;
48407 +}
48408 +
48409 +static int
48410 +copy_user_allowedips(struct acl_role_label *rolep)
48411 +{
48412 +       struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
48413 +
48414 +       ruserip = rolep->allowed_ips;
48415 +
48416 +       while (ruserip) {
48417 +               rlast = rtmp;
48418 +
48419 +               if ((rtmp = (struct role_allowed_ip *)
48420 +                    acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
48421 +                       return -ENOMEM;
48422 +
48423 +               if (copy_from_user(rtmp, ruserip,
48424 +                                  sizeof (struct role_allowed_ip)))
48425 +                       return -EFAULT;
48426 +
48427 +               ruserip = rtmp->prev;
48428 +
48429 +               if (!rlast) {
48430 +                       rtmp->prev = NULL;
48431 +                       rolep->allowed_ips = rtmp;
48432 +               } else {
48433 +                       rlast->next = rtmp;
48434 +                       rtmp->prev = rlast;
48435 +               }
48436 +
48437 +               if (!ruserip)
48438 +                       rtmp->next = NULL;
48439 +       }
48440 +
48441 +       return 0;
48442 +}
48443 +
48444 +static int
48445 +copy_user_transitions(struct acl_role_label *rolep)
48446 +{
48447 +       struct role_transition *rusertp, *rtmp = NULL, *rlast;
48448 +       
48449 +       unsigned int len;
48450 +       char *tmp;
48451 +
48452 +       rusertp = rolep->transitions;
48453 +
48454 +       while (rusertp) {
48455 +               rlast = rtmp;
48456 +
48457 +               if ((rtmp = (struct role_transition *)
48458 +                    acl_alloc(sizeof (struct role_transition))) == NULL)
48459 +                       return -ENOMEM;
48460 +
48461 +               if (copy_from_user(rtmp, rusertp,
48462 +                                  sizeof (struct role_transition)))
48463 +                       return -EFAULT;
48464 +
48465 +               rusertp = rtmp->prev;
48466 +
48467 +               len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
48468 +
48469 +               if (!len || len >= GR_SPROLE_LEN)
48470 +                       return -EINVAL;
48471 +
48472 +               if ((tmp = (char *) acl_alloc(len)) == NULL)
48473 +                       return -ENOMEM;
48474 +
48475 +               if (copy_from_user(tmp, rtmp->rolename, len))
48476 +                       return -EFAULT;
48477 +               tmp[len-1] = '\0';
48478 +               rtmp->rolename = tmp;
48479 +
48480 +               if (!rlast) {
48481 +                       rtmp->prev = NULL;
48482 +                       rolep->transitions = rtmp;
48483 +               } else {
48484 +                       rlast->next = rtmp;
48485 +                       rtmp->prev = rlast;
48486 +               }
48487 +
48488 +               if (!rusertp)
48489 +                       rtmp->next = NULL;
48490 +       }
48491 +
48492 +       return 0;
48493 +}
48494 +
48495 +static struct acl_subject_label *
48496 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
48497 +{
48498 +       struct acl_subject_label *s_tmp = NULL, *s_tmp2;
48499 +       unsigned int len;
48500 +       char *tmp;
48501 +       __u32 num_objs;
48502 +       struct acl_ip_label **i_tmp, *i_utmp2;
48503 +       struct gr_hash_struct ghash;
48504 +       struct subject_map *subjmap;
48505 +       unsigned int i_num;
48506 +       int err;
48507 +
48508 +       s_tmp = lookup_subject_map(userp);
48509 +
48510 +       /* we've already copied this subject into the kernel, just return
48511 +          the reference to it, and don't copy it over again
48512 +       */
48513 +       if (s_tmp)
48514 +               return(s_tmp);
48515 +
48516 +       if ((s_tmp = (struct acl_subject_label *)
48517 +           acl_alloc(sizeof (struct acl_subject_label))) == NULL)
48518 +               return ERR_PTR(-ENOMEM);
48519 +
48520 +       subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
48521 +       if (subjmap == NULL)
48522 +               return ERR_PTR(-ENOMEM);
48523 +
48524 +       subjmap->user = userp;
48525 +       subjmap->kernel = s_tmp;
48526 +       insert_subj_map_entry(subjmap);
48527 +
48528 +       if (copy_from_user(s_tmp, userp,
48529 +                          sizeof (struct acl_subject_label)))
48530 +               return ERR_PTR(-EFAULT);
48531 +
48532 +       len = strnlen_user(s_tmp->filename, PATH_MAX);
48533 +
48534 +       if (!len || len >= PATH_MAX)
48535 +               return ERR_PTR(-EINVAL);
48536 +
48537 +       if ((tmp = (char *) acl_alloc(len)) == NULL)
48538 +               return ERR_PTR(-ENOMEM);
48539 +
48540 +       if (copy_from_user(tmp, s_tmp->filename, len))
48541 +               return ERR_PTR(-EFAULT);
48542 +       tmp[len-1] = '\0';
48543 +       s_tmp->filename = tmp;
48544 +
48545 +       if (!strcmp(s_tmp->filename, "/"))
48546 +               role->root_label = s_tmp;
48547 +
48548 +       if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
48549 +               return ERR_PTR(-EFAULT);
48550 +
48551 +       /* copy user and group transition tables */
48552 +
48553 +       if (s_tmp->user_trans_num) {
48554 +               uid_t *uidlist;
48555 +
48556 +               uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
48557 +               if (uidlist == NULL)
48558 +                       return ERR_PTR(-ENOMEM);
48559 +               if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
48560 +                       return ERR_PTR(-EFAULT);
48561 +
48562 +               s_tmp->user_transitions = uidlist;
48563 +       }
48564 +
48565 +       if (s_tmp->group_trans_num) {
48566 +               gid_t *gidlist;
48567 +
48568 +               gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
48569 +               if (gidlist == NULL)
48570 +                       return ERR_PTR(-ENOMEM);
48571 +               if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
48572 +                       return ERR_PTR(-EFAULT);
48573 +
48574 +               s_tmp->group_transitions = gidlist;
48575 +       }
48576 +
48577 +       /* set up object hash table */
48578 +       num_objs = count_user_objs(ghash.first);
48579 +
48580 +       s_tmp->obj_hash_size = num_objs;
48581 +       s_tmp->obj_hash =
48582 +           (struct acl_object_label **)
48583 +           create_table(&(s_tmp->obj_hash_size), sizeof(void *));
48584 +
48585 +       if (!s_tmp->obj_hash)
48586 +               return ERR_PTR(-ENOMEM);
48587 +
48588 +       memset(s_tmp->obj_hash, 0,
48589 +              s_tmp->obj_hash_size *
48590 +              sizeof (struct acl_object_label *));
48591 +
48592 +       /* add in objects */
48593 +       err = copy_user_objs(ghash.first, s_tmp, role);
48594 +
48595 +       if (err)
48596 +               return ERR_PTR(err);
48597 +
48598 +       /* set pointer for parent subject */
48599 +       if (s_tmp->parent_subject) {
48600 +               s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
48601 +
48602 +               if (IS_ERR(s_tmp2))
48603 +                       return s_tmp2;
48604 +
48605 +               s_tmp->parent_subject = s_tmp2;
48606 +       }
48607 +
48608 +       /* add in ip acls */
48609 +
48610 +       if (!s_tmp->ip_num) {
48611 +               s_tmp->ips = NULL;
48612 +               goto insert;
48613 +       }
48614 +
48615 +       i_tmp =
48616 +           (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
48617 +                                              sizeof (struct acl_ip_label *));
48618 +
48619 +       if (!i_tmp)
48620 +               return ERR_PTR(-ENOMEM);
48621 +
48622 +       for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
48623 +               *(i_tmp + i_num) =
48624 +                   (struct acl_ip_label *)
48625 +                   acl_alloc(sizeof (struct acl_ip_label));
48626 +               if (!*(i_tmp + i_num))
48627 +                       return ERR_PTR(-ENOMEM);
48628 +
48629 +               if (copy_from_user
48630 +                   (&i_utmp2, s_tmp->ips + i_num,
48631 +                    sizeof (struct acl_ip_label *)))
48632 +                       return ERR_PTR(-EFAULT);
48633 +
48634 +               if (copy_from_user
48635 +                   (*(i_tmp + i_num), i_utmp2,
48636 +                    sizeof (struct acl_ip_label)))
48637 +                       return ERR_PTR(-EFAULT);
48638 +               
48639 +               if ((*(i_tmp + i_num))->iface == NULL)
48640 +                       continue;
48641 +
48642 +               len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
48643 +               if (!len || len >= IFNAMSIZ)
48644 +                       return ERR_PTR(-EINVAL);
48645 +               tmp = acl_alloc(len);
48646 +               if (tmp == NULL)
48647 +                       return ERR_PTR(-ENOMEM);
48648 +               if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
48649 +                       return ERR_PTR(-EFAULT);
48650 +               (*(i_tmp + i_num))->iface = tmp;
48651 +       }
48652 +
48653 +       s_tmp->ips = i_tmp;
48654 +
48655 +insert:
48656 +       if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
48657 +                              s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
48658 +               return ERR_PTR(-ENOMEM);
48659 +
48660 +       return s_tmp;
48661 +}
48662 +
48663 +static int
48664 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
48665 +{
48666 +       struct acl_subject_label s_pre;
48667 +       struct acl_subject_label * ret;
48668 +       int err;
48669 +
48670 +       while (userp) {
48671 +               if (copy_from_user(&s_pre, userp,
48672 +                                  sizeof (struct acl_subject_label)))
48673 +                       return -EFAULT;
48674 +               
48675 +               /* do not add nested subjects here, add
48676 +                  while parsing objects
48677 +               */
48678 +
48679 +               if (s_pre.mode & GR_NESTED) {
48680 +                       userp = s_pre.prev;
48681 +                       continue;
48682 +               }
48683 +
48684 +               ret = do_copy_user_subj(userp, role);
48685 +
48686 +               err = PTR_ERR(ret);
48687 +               if (IS_ERR(ret))
48688 +                       return err;
48689 +
48690 +               insert_acl_subj_label(ret, role);
48691 +
48692 +               userp = s_pre.prev;
48693 +       }
48694 +
48695 +       return 0;
48696 +}
48697 +
48698 +static int
48699 +copy_user_acl(struct gr_arg *arg)
48700 +{
48701 +       struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
48702 +       struct sprole_pw *sptmp;
48703 +       struct gr_hash_struct *ghash;
48704 +       uid_t *domainlist;
48705 +       unsigned int r_num;
48706 +       unsigned int len;
48707 +       char *tmp;
48708 +       int err = 0;
48709 +       __u16 i;
48710 +       __u32 num_subjs;
48711 +
48712 +       /* we need a default and kernel role */
48713 +       if (arg->role_db.num_roles < 2)
48714 +               return -EINVAL;
48715 +
48716 +       /* copy special role authentication info from userspace */
48717 +
48718 +       num_sprole_pws = arg->num_sprole_pws;
48719 +       acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
48720 +
48721 +       if (!acl_special_roles) {
48722 +               err = -ENOMEM;
48723 +               goto cleanup;
48724 +       }
48725 +
48726 +       for (i = 0; i < num_sprole_pws; i++) {
48727 +               sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
48728 +               if (!sptmp) {
48729 +                       err = -ENOMEM;
48730 +                       goto cleanup;
48731 +               }
48732 +               if (copy_from_user(sptmp, arg->sprole_pws + i,
48733 +                                  sizeof (struct sprole_pw))) {
48734 +                       err = -EFAULT;
48735 +                       goto cleanup;
48736 +               }
48737 +
48738 +               len =
48739 +                   strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
48740 +
48741 +               if (!len || len >= GR_SPROLE_LEN) {
48742 +                       err = -EINVAL;
48743 +                       goto cleanup;
48744 +               }
48745 +
48746 +               if ((tmp = (char *) acl_alloc(len)) == NULL) {
48747 +                       err = -ENOMEM;
48748 +                       goto cleanup;
48749 +               }
48750 +
48751 +               if (copy_from_user(tmp, sptmp->rolename, len)) {
48752 +                       err = -EFAULT;
48753 +                       goto cleanup;
48754 +               }
48755 +               tmp[len-1] = '\0';
48756 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
48757 +               printk(KERN_ALERT "Copying special role %s\n", tmp);
48758 +#endif
48759 +               sptmp->rolename = tmp;
48760 +               acl_special_roles[i] = sptmp;
48761 +       }
48762 +
48763 +       r_utmp = (struct acl_role_label **) arg->role_db.r_table;
48764 +
48765 +       for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
48766 +               r_tmp = acl_alloc(sizeof (struct acl_role_label));
48767 +
48768 +               if (!r_tmp) {
48769 +                       err = -ENOMEM;
48770 +                       goto cleanup;
48771 +               }
48772 +
48773 +               if (copy_from_user(&r_utmp2, r_utmp + r_num,
48774 +                                  sizeof (struct acl_role_label *))) {
48775 +                       err = -EFAULT;
48776 +                       goto cleanup;
48777 +               }
48778 +
48779 +               if (copy_from_user(r_tmp, r_utmp2,
48780 +                                  sizeof (struct acl_role_label))) {
48781 +                       err = -EFAULT;
48782 +                       goto cleanup;
48783 +               }
48784 +
48785 +               len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
48786 +
48787 +               if (!len || len >= PATH_MAX) {
48788 +                       err = -EINVAL;
48789 +                       goto cleanup;
48790 +               }
48791 +
48792 +               if ((tmp = (char *) acl_alloc(len)) == NULL) {
48793 +                       err = -ENOMEM;
48794 +                       goto cleanup;
48795 +               }
48796 +               if (copy_from_user(tmp, r_tmp->rolename, len)) {
48797 +                       err = -EFAULT;
48798 +                       goto cleanup;
48799 +               }
48800 +               tmp[len-1] = '\0';
48801 +               r_tmp->rolename = tmp;
48802 +
48803 +               if (!strcmp(r_tmp->rolename, "default")
48804 +                   && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
48805 +                       default_role = r_tmp;
48806 +               } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
48807 +                       kernel_role = r_tmp;
48808 +               }
48809 +
48810 +               if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
48811 +                       err = -ENOMEM;
48812 +                       goto cleanup;
48813 +               }
48814 +               if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
48815 +                       err = -EFAULT;
48816 +                       goto cleanup;
48817 +               }
48818 +
48819 +               r_tmp->hash = ghash;
48820 +
48821 +               num_subjs = count_user_subjs(r_tmp->hash->first);
48822 +
48823 +               r_tmp->subj_hash_size = num_subjs;
48824 +               r_tmp->subj_hash =
48825 +                   (struct acl_subject_label **)
48826 +                   create_table(&(r_tmp->subj_hash_size), sizeof(void *));
48827 +
48828 +               if (!r_tmp->subj_hash) {
48829 +                       err = -ENOMEM;
48830 +                       goto cleanup;
48831 +               }
48832 +
48833 +               err = copy_user_allowedips(r_tmp);
48834 +               if (err)
48835 +                       goto cleanup;
48836 +
48837 +               /* copy domain info */
48838 +               if (r_tmp->domain_children != NULL) {
48839 +                       domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
48840 +                       if (domainlist == NULL) {
48841 +                               err = -ENOMEM;
48842 +                               goto cleanup;
48843 +                       }
48844 +                       if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
48845 +                               err = -EFAULT;
48846 +                               goto cleanup;
48847 +                       }
48848 +                       r_tmp->domain_children = domainlist;
48849 +               }
48850 +
48851 +               err = copy_user_transitions(r_tmp);
48852 +               if (err)
48853 +                       goto cleanup;
48854 +
48855 +               memset(r_tmp->subj_hash, 0,
48856 +                      r_tmp->subj_hash_size *
48857 +                      sizeof (struct acl_subject_label *));
48858 +
48859 +               err = copy_user_subjs(r_tmp->hash->first, r_tmp);
48860 +
48861 +               if (err)
48862 +                       goto cleanup;
48863 +
48864 +               /* set nested subject list to null */
48865 +               r_tmp->hash->first = NULL;
48866 +
48867 +               insert_acl_role_label(r_tmp);
48868 +       }
48869 +
48870 +       goto return_err;
48871 +      cleanup:
48872 +       free_variables();
48873 +      return_err:
48874 +       return err;
48875 +
48876 +}
48877 +
48878 +static int
48879 +gracl_init(struct gr_arg *args)
48880 +{
48881 +       int error = 0;
48882 +
48883 +       memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
48884 +       memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
48885 +
48886 +       if (init_variables(args)) {
48887 +               gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
48888 +               error = -ENOMEM;
48889 +               free_variables();
48890 +               goto out;
48891 +       }
48892 +
48893 +       error = copy_user_acl(args);
48894 +       free_init_variables();
48895 +       if (error) {
48896 +               free_variables();
48897 +               goto out;
48898 +       }
48899 +
48900 +       if ((error = gr_set_acls(0))) {
48901 +               free_variables();
48902 +               goto out;
48903 +       }
48904 +
48905 +       pax_open_kernel();
48906 +       gr_status |= GR_READY;
48907 +       pax_close_kernel();
48908 +
48909 +      out:
48910 +       return error;
48911 +}
48912 +
48913 +/* derived from glibc fnmatch() 0: match, 1: no match*/
48914 +
48915 +static int
48916 +glob_match(const char *p, const char *n)
48917 +{
48918 +       char c;
48919 +
48920 +       while ((c = *p++) != '\0') {
48921 +       switch (c) {
48922 +               case '?':
48923 +                       if (*n == '\0')
48924 +                               return 1;
48925 +                       else if (*n == '/')
48926 +                               return 1;
48927 +                       break;
48928 +               case '\\':
48929 +                       if (*n != c)
48930 +                               return 1;
48931 +                       break;
48932 +               case '*':
48933 +                       for (c = *p++; c == '?' || c == '*'; c = *p++) {
48934 +                               if (*n == '/')
48935 +                                       return 1;
48936 +                               else if (c == '?') {
48937 +                                       if (*n == '\0')
48938 +                                               return 1;
48939 +                                       else
48940 +                                               ++n;
48941 +                               }
48942 +                       }
48943 +                       if (c == '\0') {
48944 +                               return 0;
48945 +                       } else {
48946 +                               const char *endp;
48947 +
48948 +                               if ((endp = strchr(n, '/')) == NULL)
48949 +                                       endp = n + strlen(n);
48950 +
48951 +                               if (c == '[') {
48952 +                                       for (--p; n < endp; ++n)
48953 +                                               if (!glob_match(p, n))
48954 +                                                       return 0;
48955 +                               } else if (c == '/') {
48956 +                                       while (*n != '\0' && *n != '/')
48957 +                                               ++n;
48958 +                                       if (*n == '/' && !glob_match(p, n + 1))
48959 +                                               return 0;
48960 +                               } else {
48961 +                                       for (--p; n < endp; ++n)
48962 +                                               if (*n == c && !glob_match(p, n))
48963 +                                                       return 0;
48964 +                               }
48965 +
48966 +                               return 1;
48967 +                       }
48968 +               case '[':
48969 +                       {
48970 +                       int not;
48971 +                       char cold;
48972 +
48973 +                       if (*n == '\0' || *n == '/')
48974 +                               return 1;
48975 +
48976 +                       not = (*p == '!' || *p == '^');
48977 +                       if (not)
48978 +                               ++p;
48979 +
48980 +                       c = *p++;
48981 +                       for (;;) {
48982 +                               unsigned char fn = (unsigned char)*n;
48983 +
48984 +                               if (c == '\0')
48985 +                                       return 1;
48986 +                               else {
48987 +                                       if (c == fn)
48988 +                                               goto matched;
48989 +                                       cold = c;
48990 +                                       c = *p++;
48991 +
48992 +                                       if (c == '-' && *p != ']') {
48993 +                                               unsigned char cend = *p++;
48994 +
48995 +                                               if (cend == '\0')
48996 +                                                       return 1;
48997 +
48998 +                                               if (cold <= fn && fn <= cend)
48999 +                                                       goto matched;
49000 +
49001 +                                               c = *p++;
49002 +                                       }
49003 +                               }
49004 +
49005 +                               if (c == ']')
49006 +                                       break;
49007 +                       }
49008 +                       if (!not)
49009 +                               return 1;
49010 +                       break;
49011 +               matched:
49012 +                       while (c != ']') {
49013 +                               if (c == '\0')
49014 +                                       return 1;
49015 +
49016 +                               c = *p++;
49017 +                       }
49018 +                       if (not)
49019 +                               return 1;
49020 +               }
49021 +               break;
49022 +       default:
49023 +               if (c != *n)
49024 +                       return 1;
49025 +       }
49026 +
49027 +       ++n;
49028 +       }
49029 +
49030 +       if (*n == '\0')
49031 +               return 0;
49032 +
49033 +       if (*n == '/')
49034 +               return 0;
49035 +
49036 +       return 1;
49037 +}
49038 +
49039 +static struct acl_object_label *
49040 +chk_glob_label(struct acl_object_label *globbed,
49041 +       struct dentry *dentry, struct vfsmount *mnt, char **path)
49042 +{
49043 +       struct acl_object_label *tmp;
49044 +
49045 +       if (*path == NULL)
49046 +               *path = gr_to_filename_nolock(dentry, mnt);
49047 +
49048 +       tmp = globbed;
49049 +
49050 +       while (tmp) {
49051 +               if (!glob_match(tmp->filename, *path))
49052 +                       return tmp;
49053 +               tmp = tmp->next;
49054 +       }
49055 +
49056 +       return NULL;
49057 +}
49058 +
49059 +static struct acl_object_label *
49060 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
49061 +           const ino_t curr_ino, const dev_t curr_dev,
49062 +           const struct acl_subject_label *subj, char **path, const int checkglob)
49063 +{
49064 +       struct acl_subject_label *tmpsubj;
49065 +       struct acl_object_label *retval;
49066 +       struct acl_object_label *retval2;
49067 +
49068 +       tmpsubj = (struct acl_subject_label *) subj;
49069 +       read_lock(&gr_inode_lock);
49070 +       do {
49071 +               retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
49072 +               if (retval) {
49073 +                       if (checkglob && retval->globbed) {
49074 +                               retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
49075 +                                               (struct vfsmount *)orig_mnt, path);
49076 +                               if (retval2)
49077 +                                       retval = retval2;
49078 +                       }
49079 +                       break;
49080 +               }
49081 +       } while ((tmpsubj = tmpsubj->parent_subject));
49082 +       read_unlock(&gr_inode_lock);
49083 +
49084 +       return retval;
49085 +}
49086 +
49087 +static __inline__ struct acl_object_label *
49088 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
49089 +           struct dentry *curr_dentry,
49090 +           const struct acl_subject_label *subj, char **path, const int checkglob)
49091 +{
49092 +       int newglob = checkglob;
49093 +       ino_t inode;
49094 +       dev_t device;
49095 +
49096 +       /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
49097 +          as we don't want a / * rule to match instead of the / object
49098 +          don't do this for create lookups that call this function though, since they're looking up
49099 +          on the parent and thus need globbing checks on all paths
49100 +       */
49101 +       if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
49102 +               newglob = GR_NO_GLOB;
49103 +
49104 +       spin_lock(&curr_dentry->d_lock);
49105 +       inode = curr_dentry->d_inode->i_ino;
49106 +       device = __get_dev(curr_dentry);
49107 +       spin_unlock(&curr_dentry->d_lock);
49108 +
49109 +       return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
49110 +}
49111 +
49112 +static struct acl_object_label *
49113 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49114 +             const struct acl_subject_label *subj, char *path, const int checkglob)
49115 +{
49116 +       struct dentry *dentry = (struct dentry *) l_dentry;
49117 +       struct vfsmount *mnt = (struct vfsmount *) l_mnt;
49118 +       struct acl_object_label *retval;
49119 +       struct dentry *parent;
49120 +
49121 +       write_seqlock(&rename_lock);
49122 +       br_read_lock(vfsmount_lock);
49123 +
49124 +       if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
49125 +#ifdef CONFIG_NET
49126 +           mnt == sock_mnt ||
49127 +#endif
49128 +#ifdef CONFIG_HUGETLBFS
49129 +           (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
49130 +#endif
49131 +               /* ignore Eric Biederman */
49132 +           IS_PRIVATE(l_dentry->d_inode))) {
49133 +               retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
49134 +               goto out;
49135 +       }
49136 +
49137 +       for (;;) {
49138 +               if (dentry == real_root.dentry && mnt == real_root.mnt)
49139 +                       break;
49140 +
49141 +               if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
49142 +                       if (mnt->mnt_parent == mnt)
49143 +                               break;
49144 +
49145 +                       retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49146 +                       if (retval != NULL)
49147 +                               goto out;
49148 +
49149 +                       dentry = mnt->mnt_mountpoint;
49150 +                       mnt = mnt->mnt_parent;
49151 +                       continue;
49152 +               }
49153 +
49154 +               parent = dentry->d_parent;
49155 +               retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49156 +               if (retval != NULL)
49157 +                       goto out;
49158 +
49159 +               dentry = parent;
49160 +       }
49161 +
49162 +       retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49163 +
49164 +       /* real_root is pinned so we don't have to hold a reference */
49165 +       if (retval == NULL)
49166 +               retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
49167 +out:
49168 +       br_read_unlock(vfsmount_lock);
49169 +       write_sequnlock(&rename_lock);
49170 +
49171 +       BUG_ON(retval == NULL);
49172 +
49173 +       return retval;
49174 +}
49175 +
49176 +static __inline__ struct acl_object_label *
49177 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49178 +             const struct acl_subject_label *subj)
49179 +{
49180 +       char *path = NULL;
49181 +       return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
49182 +}
49183 +
49184 +static __inline__ struct acl_object_label *
49185 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49186 +             const struct acl_subject_label *subj)
49187 +{
49188 +       char *path = NULL;
49189 +       return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
49190 +}
49191 +
49192 +static __inline__ struct acl_object_label *
49193 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49194 +                    const struct acl_subject_label *subj, char *path)
49195 +{
49196 +       return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
49197 +}
49198 +
49199 +static struct acl_subject_label *
49200 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49201 +              const struct acl_role_label *role)
49202 +{
49203 +       struct dentry *dentry = (struct dentry *) l_dentry;
49204 +       struct vfsmount *mnt = (struct vfsmount *) l_mnt;
49205 +       struct acl_subject_label *retval;
49206 +       struct dentry *parent;
49207 +
49208 +       write_seqlock(&rename_lock);
49209 +       br_read_lock(vfsmount_lock);
49210 +
49211 +       for (;;) {
49212 +               if (dentry == real_root.dentry && mnt == real_root.mnt)
49213 +                       break;
49214 +               if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
49215 +                       if (mnt->mnt_parent == mnt)
49216 +                               break;
49217 +
49218 +                       spin_lock(&dentry->d_lock);
49219 +                       read_lock(&gr_inode_lock);
49220 +                       retval =
49221 +                               lookup_acl_subj_label(dentry->d_inode->i_ino,
49222 +                                               __get_dev(dentry), role);
49223 +                       read_unlock(&gr_inode_lock);
49224 +                       spin_unlock(&dentry->d_lock);
49225 +                       if (retval != NULL)
49226 +                               goto out;
49227 +
49228 +                       dentry = mnt->mnt_mountpoint;
49229 +                       mnt = mnt->mnt_parent;
49230 +                       continue;
49231 +               }
49232 +
49233 +               spin_lock(&dentry->d_lock);
49234 +               read_lock(&gr_inode_lock);
49235 +               retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
49236 +                                         __get_dev(dentry), role);
49237 +               read_unlock(&gr_inode_lock);
49238 +               parent = dentry->d_parent;
49239 +               spin_unlock(&dentry->d_lock);
49240 +
49241 +               if (retval != NULL)
49242 +                       goto out;
49243 +
49244 +               dentry = parent;
49245 +       }
49246 +
49247 +       spin_lock(&dentry->d_lock);
49248 +       read_lock(&gr_inode_lock);
49249 +       retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
49250 +                                 __get_dev(dentry), role);
49251 +       read_unlock(&gr_inode_lock);
49252 +       spin_unlock(&dentry->d_lock);
49253 +
49254 +       if (unlikely(retval == NULL)) {
49255 +               /* real_root is pinned, we don't need to hold a reference */
49256 +               read_lock(&gr_inode_lock);
49257 +               retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
49258 +                                         __get_dev(real_root.dentry), role);
49259 +               read_unlock(&gr_inode_lock);
49260 +       }
49261 +out:
49262 +       br_read_unlock(vfsmount_lock);
49263 +       write_sequnlock(&rename_lock);
49264 +
49265 +       BUG_ON(retval == NULL);
49266 +
49267 +       return retval;
49268 +}
49269 +
49270 +static void
49271 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
49272 +{
49273 +       struct task_struct *task = current;
49274 +       const struct cred *cred = current_cred();
49275 +
49276 +       security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
49277 +                      cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
49278 +                      task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
49279 +                      1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
49280 +
49281 +       return;
49282 +}
49283 +
49284 +static void
49285 +gr_log_learn_sysctl(const char *path, const __u32 mode)
49286 +{
49287 +       struct task_struct *task = current;
49288 +       const struct cred *cred = current_cred();
49289 +
49290 +       security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
49291 +                      cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
49292 +                      task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
49293 +                      1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
49294 +
49295 +       return;
49296 +}
49297 +
49298 +static void
49299 +gr_log_learn_id_change(const char type, const unsigned int real, 
49300 +                      const unsigned int effective, const unsigned int fs)
49301 +{
49302 +       struct task_struct *task = current;
49303 +       const struct cred *cred = current_cred();
49304 +
49305 +       security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
49306 +                      cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
49307 +                      task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
49308 +                      type, real, effective, fs, &task->signal->saved_ip);
49309 +
49310 +       return;
49311 +}
49312 +
49313 +__u32
49314 +gr_search_file(const struct dentry * dentry, const __u32 mode,
49315 +              const struct vfsmount * mnt)
49316 +{
49317 +       __u32 retval = mode;
49318 +       struct acl_subject_label *curracl;
49319 +       struct acl_object_label *currobj;
49320 +
49321 +       if (unlikely(!(gr_status & GR_READY)))
49322 +               return (mode & ~GR_AUDITS);
49323 +
49324 +       curracl = current->acl;
49325 +
49326 +       currobj = chk_obj_label(dentry, mnt, curracl);
49327 +       retval = currobj->mode & mode;
49328 +
49329 +       /* if we're opening a specified transfer file for writing
49330 +          (e.g. /dev/initctl), then transfer our role to init
49331 +       */
49332 +       if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
49333 +                    current->role->roletype & GR_ROLE_PERSIST)) {
49334 +               struct task_struct *task = init_pid_ns.child_reaper;
49335 +
49336 +               if (task->role != current->role) {
49337 +                       task->acl_sp_role = 0;
49338 +                       task->acl_role_id = current->acl_role_id;
49339 +                       task->role = current->role;
49340 +                       rcu_read_lock();
49341 +                       read_lock(&grsec_exec_file_lock);
49342 +                       gr_apply_subject_to_task(task);
49343 +                       read_unlock(&grsec_exec_file_lock);
49344 +                       rcu_read_unlock();
49345 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
49346 +               }
49347 +       }
49348 +
49349 +       if (unlikely
49350 +           ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
49351 +            && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
49352 +               __u32 new_mode = mode;
49353 +
49354 +               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
49355 +
49356 +               retval = new_mode;
49357 +
49358 +               if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
49359 +                       new_mode |= GR_INHERIT;
49360 +
49361 +               if (!(mode & GR_NOLEARN))
49362 +                       gr_log_learn(dentry, mnt, new_mode);
49363 +       }
49364 +
49365 +       return retval;
49366 +}
49367 +
49368 +struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
49369 +                                             const struct dentry *parent,
49370 +                                             const struct vfsmount *mnt)
49371 +{
49372 +       struct name_entry *match;
49373 +       struct acl_object_label *matchpo;
49374 +       struct acl_subject_label *curracl;
49375 +       char *path;
49376 +
49377 +       if (unlikely(!(gr_status & GR_READY)))
49378 +               return NULL;
49379 +
49380 +       preempt_disable();
49381 +       path = gr_to_filename_rbac(new_dentry, mnt);
49382 +       match = lookup_name_entry_create(path);
49383 +
49384 +       curracl = current->acl;
49385 +
49386 +       if (match) {
49387 +               read_lock(&gr_inode_lock);
49388 +               matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
49389 +               read_unlock(&gr_inode_lock);
49390 +
49391 +               if (matchpo) {
49392 +                       preempt_enable();
49393 +                       return matchpo;
49394 +               }
49395 +       }
49396 +
49397 +       // lookup parent
49398 +
49399 +       matchpo = chk_obj_create_label(parent, mnt, curracl, path);
49400 +
49401 +       preempt_enable();
49402 +       return matchpo;
49403 +}
49404 +
49405 +__u32
49406 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
49407 +               const struct vfsmount * mnt, const __u32 mode)
49408 +{
49409 +       struct acl_object_label *matchpo;
49410 +       __u32 retval;
49411 +
49412 +       if (unlikely(!(gr_status & GR_READY)))
49413 +               return (mode & ~GR_AUDITS);
49414 +
49415 +       matchpo = gr_get_create_object(new_dentry, parent, mnt);
49416 +
49417 +       retval = matchpo->mode & mode;
49418 +
49419 +       if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
49420 +           && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
49421 +               __u32 new_mode = mode;
49422 +
49423 +               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
49424 +
49425 +               gr_log_learn(new_dentry, mnt, new_mode);
49426 +               return new_mode;
49427 +       }
49428 +
49429 +       return retval;
49430 +}
49431 +
49432 +__u32
49433 +gr_check_link(const struct dentry * new_dentry,
49434 +             const struct dentry * parent_dentry,
49435 +             const struct vfsmount * parent_mnt,
49436 +             const struct dentry * old_dentry, const struct vfsmount * old_mnt)
49437 +{
49438 +       struct acl_object_label *obj;
49439 +       __u32 oldmode, newmode;
49440 +       __u32 needmode;
49441 +       __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
49442 +                          GR_DELETE | GR_INHERIT;
49443 +
49444 +       if (unlikely(!(gr_status & GR_READY)))
49445 +               return (GR_CREATE | GR_LINK);
49446 +
49447 +       obj = chk_obj_label(old_dentry, old_mnt, current->acl);
49448 +       oldmode = obj->mode;
49449 +
49450 +       obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
49451 +       newmode = obj->mode;
49452 +
49453 +       needmode = newmode & checkmodes;
49454 +
49455 +       // old name for hardlink must have at least the permissions of the new name
49456 +       if ((oldmode & needmode) != needmode)
49457 +               goto bad;
49458 +
49459 +       // if old name had restrictions/auditing, make sure the new name does as well
49460 +       needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
49461 +
49462 +       // don't allow hardlinking of suid/sgid files without permission
49463 +       if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
49464 +               needmode |= GR_SETID;
49465 +
49466 +       if ((newmode & needmode) != needmode)
49467 +               goto bad;
49468 +
49469 +       // enforce minimum permissions
49470 +       if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
49471 +               return newmode;
49472 +bad:
49473 +       needmode = oldmode;
49474 +       if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
49475 +               needmode |= GR_SETID;
49476 +       
49477 +       if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
49478 +               gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
49479 +               return (GR_CREATE | GR_LINK);
49480 +       } else if (newmode & GR_SUPPRESS)
49481 +               return GR_SUPPRESS;
49482 +       else
49483 +               return 0;
49484 +}
49485 +
49486 +int
49487 +gr_check_hidden_task(const struct task_struct *task)
49488 +{
49489 +       if (unlikely(!(gr_status & GR_READY)))
49490 +               return 0;
49491 +
49492 +       if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
49493 +               return 1;
49494 +
49495 +       return 0;
49496 +}
49497 +
49498 +int
49499 +gr_check_protected_task(const struct task_struct *task)
49500 +{
49501 +       if (unlikely(!(gr_status & GR_READY) || !task))
49502 +               return 0;
49503 +
49504 +       if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
49505 +           task->acl != current->acl)
49506 +               return 1;
49507 +
49508 +       return 0;
49509 +}
49510 +
49511 +int
49512 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
49513 +{
49514 +       struct task_struct *p;
49515 +       int ret = 0;
49516 +
49517 +       if (unlikely(!(gr_status & GR_READY) || !pid))
49518 +               return ret;
49519 +
49520 +       read_lock(&tasklist_lock);
49521 +       do_each_pid_task(pid, type, p) {
49522 +               if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
49523 +                   p->acl != current->acl) {
49524 +                       ret = 1;
49525 +                       goto out;
49526 +               }
49527 +       } while_each_pid_task(pid, type, p);
49528 +out:
49529 +       read_unlock(&tasklist_lock);
49530 +
49531 +       return ret;
49532 +}
49533 +
49534 +void
49535 +gr_copy_label(struct task_struct *tsk)
49536 +{
49537 +       tsk->signal->used_accept = 0;
49538 +       tsk->acl_sp_role = 0;
49539 +       tsk->acl_role_id = current->acl_role_id;
49540 +       tsk->acl = current->acl;
49541 +       tsk->role = current->role;
49542 +       tsk->signal->curr_ip = current->signal->curr_ip;
49543 +       tsk->signal->saved_ip = current->signal->saved_ip;
49544 +       if (current->exec_file)
49545 +               get_file(current->exec_file);
49546 +       tsk->exec_file = current->exec_file;
49547 +       tsk->is_writable = current->is_writable;
49548 +       if (unlikely(current->signal->used_accept)) {
49549 +               current->signal->curr_ip = 0;
49550 +               current->signal->saved_ip = 0;
49551 +       }
49552 +
49553 +       return;
49554 +}
49555 +
49556 +static void
49557 +gr_set_proc_res(struct task_struct *task)
49558 +{
49559 +       struct acl_subject_label *proc;
49560 +       unsigned short i;
49561 +
49562 +       proc = task->acl;
49563 +
49564 +       if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
49565 +               return;
49566 +
49567 +       for (i = 0; i < RLIM_NLIMITS; i++) {
49568 +               if (!(proc->resmask & (1 << i)))
49569 +                       continue;
49570 +
49571 +               task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
49572 +               task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
49573 +       }
49574 +
49575 +       return;
49576 +}
49577 +
49578 +extern int __gr_process_user_ban(struct user_struct *user);
49579 +
49580 +int
49581 +gr_check_user_change(int real, int effective, int fs)
49582 +{
49583 +       unsigned int i;
49584 +       __u16 num;
49585 +       uid_t *uidlist;
49586 +       int curuid;
49587 +       int realok = 0;
49588 +       int effectiveok = 0;
49589 +       int fsok = 0;
49590 +
49591 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
49592 +       struct user_struct *user;
49593 +
49594 +       if (real == -1)
49595 +               goto skipit;
49596 +
49597 +       user = find_user(real);
49598 +       if (user == NULL)
49599 +               goto skipit;
49600 +
49601 +       if (__gr_process_user_ban(user)) {
49602 +               /* for find_user */
49603 +               free_uid(user);
49604 +               return 1;
49605 +       }
49606 +
49607 +       /* for find_user */
49608 +       free_uid(user);
49609 +
49610 +skipit:
49611 +#endif
49612 +
49613 +       if (unlikely(!(gr_status & GR_READY)))
49614 +               return 0;
49615 +
49616 +       if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
49617 +               gr_log_learn_id_change('u', real, effective, fs);
49618 +
49619 +       num = current->acl->user_trans_num;
49620 +       uidlist = current->acl->user_transitions;
49621 +
49622 +       if (uidlist == NULL)
49623 +               return 0;
49624 +
49625 +       if (real == -1)
49626 +               realok = 1;
49627 +       if (effective == -1)
49628 +               effectiveok = 1;
49629 +       if (fs == -1)
49630 +               fsok = 1;
49631 +
49632 +       if (current->acl->user_trans_type & GR_ID_ALLOW) {
49633 +               for (i = 0; i < num; i++) {
49634 +                       curuid = (int)uidlist[i];
49635 +                       if (real == curuid)
49636 +                               realok = 1;
49637 +                       if (effective == curuid)
49638 +                               effectiveok = 1;
49639 +                       if (fs == curuid)
49640 +                               fsok = 1;
49641 +               }
49642 +       } else if (current->acl->user_trans_type & GR_ID_DENY) {
49643 +               for (i = 0; i < num; i++) {
49644 +                       curuid = (int)uidlist[i];
49645 +                       if (real == curuid)
49646 +                               break;
49647 +                       if (effective == curuid)
49648 +                               break;
49649 +                       if (fs == curuid)
49650 +                               break;
49651 +               }
49652 +               /* not in deny list */
49653 +               if (i == num) {
49654 +                       realok = 1;
49655 +                       effectiveok = 1;
49656 +                       fsok = 1;
49657 +               }
49658 +       }
49659 +
49660 +       if (realok && effectiveok && fsok)
49661 +               return 0;
49662 +       else {
49663 +               gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
49664 +               return 1;
49665 +       }
49666 +}
49667 +
49668 +int
49669 +gr_check_group_change(int real, int effective, int fs)
49670 +{
49671 +       unsigned int i;
49672 +       __u16 num;
49673 +       gid_t *gidlist;
49674 +       int curgid;
49675 +       int realok = 0;
49676 +       int effectiveok = 0;
49677 +       int fsok = 0;
49678 +
49679 +       if (unlikely(!(gr_status & GR_READY)))
49680 +               return 0;
49681 +
49682 +       if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
49683 +               gr_log_learn_id_change('g', real, effective, fs);
49684 +
49685 +       num = current->acl->group_trans_num;
49686 +       gidlist = current->acl->group_transitions;
49687 +
49688 +       if (gidlist == NULL)
49689 +               return 0;
49690 +
49691 +       if (real == -1)
49692 +               realok = 1;
49693 +       if (effective == -1)
49694 +               effectiveok = 1;
49695 +       if (fs == -1)
49696 +               fsok = 1;
49697 +
49698 +       if (current->acl->group_trans_type & GR_ID_ALLOW) {
49699 +               for (i = 0; i < num; i++) {
49700 +                       curgid = (int)gidlist[i];
49701 +                       if (real == curgid)
49702 +                               realok = 1;
49703 +                       if (effective == curgid)
49704 +                               effectiveok = 1;
49705 +                       if (fs == curgid)
49706 +                               fsok = 1;
49707 +               }
49708 +       } else if (current->acl->group_trans_type & GR_ID_DENY) {
49709 +               for (i = 0; i < num; i++) {
49710 +                       curgid = (int)gidlist[i];
49711 +                       if (real == curgid)
49712 +                               break;
49713 +                       if (effective == curgid)
49714 +                               break;
49715 +                       if (fs == curgid)
49716 +                               break;
49717 +               }
49718 +               /* not in deny list */
49719 +               if (i == num) {
49720 +                       realok = 1;
49721 +                       effectiveok = 1;
49722 +                       fsok = 1;
49723 +               }
49724 +       }
49725 +
49726 +       if (realok && effectiveok && fsok)
49727 +               return 0;
49728 +       else {
49729 +               gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
49730 +               return 1;
49731 +       }
49732 +}
49733 +
49734 +void
49735 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
49736 +{
49737 +       struct acl_role_label *role = task->role;
49738 +       struct acl_subject_label *subj = NULL;
49739 +       struct acl_object_label *obj;
49740 +       struct file *filp;
49741 +
49742 +       if (unlikely(!(gr_status & GR_READY)))
49743 +               return;
49744 +
49745 +       filp = task->exec_file;
49746 +
49747 +       /* kernel process, we'll give them the kernel role */
49748 +       if (unlikely(!filp)) {
49749 +               task->role = kernel_role;
49750 +               task->acl = kernel_role->root_label;
49751 +               return;
49752 +       } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
49753 +               role = lookup_acl_role_label(task, uid, gid);
49754 +
49755 +       /* perform subject lookup in possibly new role
49756 +          we can use this result below in the case where role == task->role
49757 +       */
49758 +       subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
49759 +
49760 +       /* if we changed uid/gid, but result in the same role
49761 +          and are using inheritance, don't lose the inherited subject
49762 +          if current subject is other than what normal lookup
49763 +          would result in, we arrived via inheritance, don't
49764 +          lose subject
49765 +       */
49766 +       if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
49767 +                                  (subj == task->acl)))
49768 +               task->acl = subj;
49769 +
49770 +       task->role = role;
49771 +
49772 +       task->is_writable = 0;
49773 +
49774 +       /* ignore additional mmap checks for processes that are writable 
49775 +          by the default ACL */
49776 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
49777 +       if (unlikely(obj->mode & GR_WRITE))
49778 +               task->is_writable = 1;
49779 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
49780 +       if (unlikely(obj->mode & GR_WRITE))
49781 +               task->is_writable = 1;
49782 +
49783 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
49784 +       printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
49785 +#endif
49786 +
49787 +       gr_set_proc_res(task);
49788 +
49789 +       return;
49790 +}
49791 +
49792 +int
49793 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
49794 +                 const int unsafe_share)
49795 +{
49796 +       struct task_struct *task = current;
49797 +       struct acl_subject_label *newacl;
49798 +       struct acl_object_label *obj;
49799 +       __u32 retmode;
49800 +
49801 +       if (unlikely(!(gr_status & GR_READY)))
49802 +               return 0;
49803 +
49804 +       newacl = chk_subj_label(dentry, mnt, task->role);
49805 +
49806 +       task_lock(task);
49807 +       if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
49808 +            !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
49809 +            !(task->role->roletype & GR_ROLE_GOD) &&
49810 +            !gr_search_file(dentry, GR_PTRACERD, mnt) &&
49811 +            !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
49812 +                task_unlock(task);
49813 +               if (unsafe_share)
49814 +                       gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
49815 +               else
49816 +                       gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
49817 +               return -EACCES;
49818 +       }
49819 +       task_unlock(task);
49820 +
49821 +       obj = chk_obj_label(dentry, mnt, task->acl);
49822 +       retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
49823 +
49824 +       if (!(task->acl->mode & GR_INHERITLEARN) &&
49825 +           ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
49826 +               if (obj->nested)
49827 +                       task->acl = obj->nested;
49828 +               else
49829 +                       task->acl = newacl;
49830 +       } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
49831 +               gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
49832 +
49833 +       task->is_writable = 0;
49834 +
49835 +       /* ignore additional mmap checks for processes that are writable 
49836 +          by the default ACL */
49837 +       obj = chk_obj_label(dentry, mnt, default_role->root_label);
49838 +       if (unlikely(obj->mode & GR_WRITE))
49839 +               task->is_writable = 1;
49840 +       obj = chk_obj_label(dentry, mnt, task->role->root_label);
49841 +       if (unlikely(obj->mode & GR_WRITE))
49842 +               task->is_writable = 1;
49843 +
49844 +       gr_set_proc_res(task);
49845 +
49846 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
49847 +       printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
49848 +#endif
49849 +       return 0;
49850 +}
49851 +
49852 +/* always called with valid inodev ptr */
49853 +static void
49854 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
49855 +{
49856 +       struct acl_object_label *matchpo;
49857 +       struct acl_subject_label *matchps;
49858 +       struct acl_subject_label *subj;
49859 +       struct acl_role_label *role;
49860 +       unsigned int x;
49861 +
49862 +       FOR_EACH_ROLE_START(role)
49863 +               FOR_EACH_SUBJECT_START(role, subj, x)
49864 +                       if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
49865 +                               matchpo->mode |= GR_DELETED;
49866 +               FOR_EACH_SUBJECT_END(subj,x)
49867 +               FOR_EACH_NESTED_SUBJECT_START(role, subj)
49868 +                       if (subj->inode == ino && subj->device == dev)
49869 +                               subj->mode |= GR_DELETED;
49870 +               FOR_EACH_NESTED_SUBJECT_END(subj)
49871 +               if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
49872 +                       matchps->mode |= GR_DELETED;
49873 +       FOR_EACH_ROLE_END(role)
49874 +
49875 +       inodev->nentry->deleted = 1;
49876 +
49877 +       return;
49878 +}
49879 +
49880 +void
49881 +gr_handle_delete(const ino_t ino, const dev_t dev)
49882 +{
49883 +       struct inodev_entry *inodev;
49884 +
49885 +       if (unlikely(!(gr_status & GR_READY)))
49886 +               return;
49887 +
49888 +       write_lock(&gr_inode_lock);
49889 +       inodev = lookup_inodev_entry(ino, dev);
49890 +       if (inodev != NULL)
49891 +               do_handle_delete(inodev, ino, dev);
49892 +       write_unlock(&gr_inode_lock);
49893 +
49894 +       return;
49895 +}
49896 +
49897 +static void
49898 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
49899 +                    const ino_t newinode, const dev_t newdevice,
49900 +                    struct acl_subject_label *subj)
49901 +{
49902 +       unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
49903 +       struct acl_object_label *match;
49904 +
49905 +       match = subj->obj_hash[index];
49906 +
49907 +       while (match && (match->inode != oldinode ||
49908 +              match->device != olddevice ||
49909 +              !(match->mode & GR_DELETED)))
49910 +               match = match->next;
49911 +
49912 +       if (match && (match->inode == oldinode)
49913 +           && (match->device == olddevice)
49914 +           && (match->mode & GR_DELETED)) {
49915 +               if (match->prev == NULL) {
49916 +                       subj->obj_hash[index] = match->next;
49917 +                       if (match->next != NULL)
49918 +                               match->next->prev = NULL;
49919 +               } else {
49920 +                       match->prev->next = match->next;
49921 +                       if (match->next != NULL)
49922 +                               match->next->prev = match->prev;
49923 +               }
49924 +               match->prev = NULL;
49925 +               match->next = NULL;
49926 +               match->inode = newinode;
49927 +               match->device = newdevice;
49928 +               match->mode &= ~GR_DELETED;
49929 +
49930 +               insert_acl_obj_label(match, subj);
49931 +       }
49932 +
49933 +       return;
49934 +}
49935 +
49936 +static void
49937 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
49938 +                     const ino_t newinode, const dev_t newdevice,
49939 +                     struct acl_role_label *role)
49940 +{
49941 +       unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
49942 +       struct acl_subject_label *match;
49943 +
49944 +       match = role->subj_hash[index];
49945 +
49946 +       while (match && (match->inode != oldinode ||
49947 +              match->device != olddevice ||
49948 +              !(match->mode & GR_DELETED)))
49949 +               match = match->next;
49950 +
49951 +       if (match && (match->inode == oldinode)
49952 +           && (match->device == olddevice)
49953 +           && (match->mode & GR_DELETED)) {
49954 +               if (match->prev == NULL) {
49955 +                       role->subj_hash[index] = match->next;
49956 +                       if (match->next != NULL)
49957 +                               match->next->prev = NULL;
49958 +               } else {
49959 +                       match->prev->next = match->next;
49960 +                       if (match->next != NULL)
49961 +                               match->next->prev = match->prev;
49962 +               }
49963 +               match->prev = NULL;
49964 +               match->next = NULL;
49965 +               match->inode = newinode;
49966 +               match->device = newdevice;
49967 +               match->mode &= ~GR_DELETED;
49968 +
49969 +               insert_acl_subj_label(match, role);
49970 +       }
49971 +
49972 +       return;
49973 +}
49974 +
49975 +static void
49976 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
49977 +                   const ino_t newinode, const dev_t newdevice)
49978 +{
49979 +       unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
49980 +       struct inodev_entry *match;
49981 +
49982 +       match = inodev_set.i_hash[index];
49983 +
49984 +       while (match && (match->nentry->inode != oldinode ||
49985 +              match->nentry->device != olddevice || !match->nentry->deleted))
49986 +               match = match->next;
49987 +
49988 +       if (match && (match->nentry->inode == oldinode)
49989 +           && (match->nentry->device == olddevice) &&
49990 +           match->nentry->deleted) {
49991 +               if (match->prev == NULL) {
49992 +                       inodev_set.i_hash[index] = match->next;
49993 +                       if (match->next != NULL)
49994 +                               match->next->prev = NULL;
49995 +               } else {
49996 +                       match->prev->next = match->next;
49997 +                       if (match->next != NULL)
49998 +                               match->next->prev = match->prev;
49999 +               }
50000 +               match->prev = NULL;
50001 +               match->next = NULL;
50002 +               match->nentry->inode = newinode;
50003 +               match->nentry->device = newdevice;
50004 +               match->nentry->deleted = 0;
50005 +
50006 +               insert_inodev_entry(match);
50007 +       }
50008 +
50009 +       return;
50010 +}
50011 +
50012 +static void
50013 +__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev)
50014 +{
50015 +       struct acl_subject_label *subj;
50016 +       struct acl_role_label *role;
50017 +       unsigned int x;
50018 +
50019 +       FOR_EACH_ROLE_START(role)
50020 +               update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
50021 +
50022 +               FOR_EACH_NESTED_SUBJECT_START(role, subj)
50023 +                       if ((subj->inode == ino) && (subj->device == dev)) {
50024 +                               subj->inode = ino;
50025 +                               subj->device = dev;
50026 +                       }
50027 +               FOR_EACH_NESTED_SUBJECT_END(subj)
50028 +               FOR_EACH_SUBJECT_START(role, subj, x)
50029 +                       update_acl_obj_label(matchn->inode, matchn->device,
50030 +                                            ino, dev, subj);
50031 +               FOR_EACH_SUBJECT_END(subj,x)
50032 +       FOR_EACH_ROLE_END(role)
50033 +
50034 +       update_inodev_entry(matchn->inode, matchn->device, ino, dev);
50035 +
50036 +       return;
50037 +}
50038 +
50039 +static void
50040 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
50041 +                const struct vfsmount *mnt)
50042 +{
50043 +       ino_t ino = dentry->d_inode->i_ino;
50044 +       dev_t dev = __get_dev(dentry);
50045 +
50046 +       __do_handle_create(matchn, ino, dev);   
50047 +
50048 +       return;
50049 +}
50050 +
50051 +void
50052 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
50053 +{
50054 +       struct name_entry *matchn;
50055 +
50056 +       if (unlikely(!(gr_status & GR_READY)))
50057 +               return;
50058 +
50059 +       preempt_disable();
50060 +       matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
50061 +
50062 +       if (unlikely((unsigned long)matchn)) {
50063 +               write_lock(&gr_inode_lock);
50064 +               do_handle_create(matchn, dentry, mnt);
50065 +               write_unlock(&gr_inode_lock);
50066 +       }
50067 +       preempt_enable();
50068 +
50069 +       return;
50070 +}
50071 +
50072 +void
50073 +gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
50074 +{
50075 +       struct name_entry *matchn;
50076 +
50077 +       if (unlikely(!(gr_status & GR_READY)))
50078 +               return;
50079 +
50080 +       preempt_disable();
50081 +       matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
50082 +
50083 +       if (unlikely((unsigned long)matchn)) {
50084 +               write_lock(&gr_inode_lock);
50085 +               __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
50086 +               write_unlock(&gr_inode_lock);
50087 +       }
50088 +       preempt_enable();
50089 +
50090 +       return;
50091 +}
50092 +
50093 +void
50094 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
50095 +                struct dentry *old_dentry,
50096 +                struct dentry *new_dentry,
50097 +                struct vfsmount *mnt, const __u8 replace)
50098 +{
50099 +       struct name_entry *matchn;
50100 +       struct inodev_entry *inodev;
50101 +       struct inode *inode = new_dentry->d_inode;
50102 +       ino_t old_ino = old_dentry->d_inode->i_ino;
50103 +       dev_t old_dev = __get_dev(old_dentry);
50104 +
50105 +       /* vfs_rename swaps the name and parent link for old_dentry and
50106 +          new_dentry
50107 +          at this point, old_dentry has the new name, parent link, and inode
50108 +          for the renamed file
50109 +          if a file is being replaced by a rename, new_dentry has the inode
50110 +          and name for the replaced file
50111 +       */
50112 +
50113 +       if (unlikely(!(gr_status & GR_READY)))
50114 +               return;
50115 +
50116 +       preempt_disable();
50117 +       matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
50118 +
50119 +       /* we wouldn't have to check d_inode if it weren't for
50120 +          NFS silly-renaming
50121 +        */
50122 +
50123 +       write_lock(&gr_inode_lock);
50124 +       if (unlikely(replace && inode)) {
50125 +               ino_t new_ino = inode->i_ino;
50126 +               dev_t new_dev = __get_dev(new_dentry);
50127 +
50128 +               inodev = lookup_inodev_entry(new_ino, new_dev);
50129 +               if (inodev != NULL && ((inode->i_nlink <= 1) || S_ISDIR(inode->i_mode)))
50130 +                       do_handle_delete(inodev, new_ino, new_dev);
50131 +       }
50132 +
50133 +       inodev = lookup_inodev_entry(old_ino, old_dev);
50134 +       if (inodev != NULL && ((old_dentry->d_inode->i_nlink <= 1) || S_ISDIR(old_dentry->d_inode->i_mode)))
50135 +               do_handle_delete(inodev, old_ino, old_dev);
50136 +
50137 +       if (unlikely((unsigned long)matchn))
50138 +               do_handle_create(matchn, old_dentry, mnt);
50139 +
50140 +       write_unlock(&gr_inode_lock);
50141 +       preempt_enable();
50142 +
50143 +       return;
50144 +}
50145 +
50146 +static int
50147 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
50148 +                        unsigned char **sum)
50149 +{
50150 +       struct acl_role_label *r;
50151 +       struct role_allowed_ip *ipp;
50152 +       struct role_transition *trans;
50153 +       unsigned int i;
50154 +       int found = 0;
50155 +       u32 curr_ip = current->signal->curr_ip;
50156 +
50157 +       current->signal->saved_ip = curr_ip;
50158 +
50159 +       /* check transition table */
50160 +
50161 +       for (trans = current->role->transitions; trans; trans = trans->next) {
50162 +               if (!strcmp(rolename, trans->rolename)) {
50163 +                       found = 1;
50164 +                       break;
50165 +               }
50166 +       }
50167 +
50168 +       if (!found)
50169 +               return 0;
50170 +
50171 +       /* handle special roles that do not require authentication
50172 +          and check ip */
50173 +
50174 +       FOR_EACH_ROLE_START(r)
50175 +               if (!strcmp(rolename, r->rolename) &&
50176 +                   (r->roletype & GR_ROLE_SPECIAL)) {
50177 +                       found = 0;
50178 +                       if (r->allowed_ips != NULL) {
50179 +                               for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
50180 +                                       if ((ntohl(curr_ip) & ipp->netmask) ==
50181 +                                            (ntohl(ipp->addr) & ipp->netmask))
50182 +                                               found = 1;
50183 +                               }
50184 +                       } else
50185 +                               found = 2;
50186 +                       if (!found)
50187 +                               return 0;
50188 +
50189 +                       if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
50190 +                           ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
50191 +                               *salt = NULL;
50192 +                               *sum = NULL;
50193 +                               return 1;
50194 +                       }
50195 +               }
50196 +       FOR_EACH_ROLE_END(r)
50197 +
50198 +       for (i = 0; i < num_sprole_pws; i++) {
50199 +               if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
50200 +                       *salt = acl_special_roles[i]->salt;
50201 +                       *sum = acl_special_roles[i]->sum;
50202 +                       return 1;
50203 +               }
50204 +       }
50205 +
50206 +       return 0;
50207 +}
50208 +
50209 +static void
50210 +assign_special_role(char *rolename)
50211 +{
50212 +       struct acl_object_label *obj;
50213 +       struct acl_role_label *r;
50214 +       struct acl_role_label *assigned = NULL;
50215 +       struct task_struct *tsk;
50216 +       struct file *filp;
50217 +
50218 +       FOR_EACH_ROLE_START(r)
50219 +               if (!strcmp(rolename, r->rolename) &&
50220 +                   (r->roletype & GR_ROLE_SPECIAL)) {
50221 +                       assigned = r;
50222 +                       break;
50223 +               }
50224 +       FOR_EACH_ROLE_END(r)
50225 +
50226 +       if (!assigned)
50227 +               return;
50228 +
50229 +       read_lock(&tasklist_lock);
50230 +       read_lock(&grsec_exec_file_lock);
50231 +
50232 +       tsk = current->real_parent;
50233 +       if (tsk == NULL)
50234 +               goto out_unlock;
50235 +
50236 +       filp = tsk->exec_file;
50237 +       if (filp == NULL)
50238 +               goto out_unlock;
50239 +
50240 +       tsk->is_writable = 0;
50241 +
50242 +       tsk->acl_sp_role = 1;
50243 +       tsk->acl_role_id = ++acl_sp_role_value;
50244 +       tsk->role = assigned;
50245 +       tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
50246 +
50247 +       /* ignore additional mmap checks for processes that are writable 
50248 +          by the default ACL */
50249 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
50250 +       if (unlikely(obj->mode & GR_WRITE))
50251 +               tsk->is_writable = 1;
50252 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
50253 +       if (unlikely(obj->mode & GR_WRITE))
50254 +               tsk->is_writable = 1;
50255 +
50256 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50257 +       printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
50258 +#endif
50259 +
50260 +out_unlock:
50261 +       read_unlock(&grsec_exec_file_lock);
50262 +       read_unlock(&tasklist_lock);
50263 +       return;
50264 +}
50265 +
50266 +int gr_check_secure_terminal(struct task_struct *task)
50267 +{
50268 +       struct task_struct *p, *p2, *p3;
50269 +       struct files_struct *files;
50270 +       struct fdtable *fdt;
50271 +       struct file *our_file = NULL, *file;
50272 +       int i;
50273 +
50274 +       if (task->signal->tty == NULL)
50275 +               return 1;
50276 +
50277 +       files = get_files_struct(task);
50278 +       if (files != NULL) {
50279 +               rcu_read_lock();
50280 +               fdt = files_fdtable(files);
50281 +               for (i=0; i < fdt->max_fds; i++) {
50282 +                       file = fcheck_files(files, i);
50283 +                       if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
50284 +                               get_file(file);
50285 +                               our_file = file;
50286 +                       }
50287 +               }
50288 +               rcu_read_unlock();
50289 +               put_files_struct(files);
50290 +       }
50291 +
50292 +       if (our_file == NULL)
50293 +               return 1;
50294 +
50295 +       read_lock(&tasklist_lock);
50296 +       do_each_thread(p2, p) {
50297 +               files = get_files_struct(p);
50298 +               if (files == NULL ||
50299 +                   (p->signal && p->signal->tty == task->signal->tty)) {
50300 +                       if (files != NULL)
50301 +                               put_files_struct(files);
50302 +                       continue;
50303 +               }
50304 +               rcu_read_lock();
50305 +               fdt = files_fdtable(files);
50306 +               for (i=0; i < fdt->max_fds; i++) {
50307 +                       file = fcheck_files(files, i);
50308 +                       if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
50309 +                           file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
50310 +                               p3 = task;
50311 +                               while (p3->pid > 0) {
50312 +                                       if (p3 == p)
50313 +                                               break;
50314 +                                       p3 = p3->real_parent;
50315 +                               }
50316 +                               if (p3 == p)
50317 +                                       break;
50318 +                               gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
50319 +                               gr_handle_alertkill(p);
50320 +                               rcu_read_unlock();
50321 +                               put_files_struct(files);
50322 +                               read_unlock(&tasklist_lock);
50323 +                               fput(our_file);
50324 +                               return 0;
50325 +                       }
50326 +               }
50327 +               rcu_read_unlock();
50328 +               put_files_struct(files);
50329 +       } while_each_thread(p2, p);
50330 +       read_unlock(&tasklist_lock);
50331 +
50332 +       fput(our_file);
50333 +       return 1;
50334 +}
50335 +
50336 +ssize_t
50337 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
50338 +{
50339 +       struct gr_arg_wrapper uwrap;
50340 +       unsigned char *sprole_salt = NULL;
50341 +       unsigned char *sprole_sum = NULL;
50342 +       int error = sizeof (struct gr_arg_wrapper);
50343 +       int error2 = 0;
50344 +
50345 +       mutex_lock(&gr_dev_mutex);
50346 +
50347 +       if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
50348 +               error = -EPERM;
50349 +               goto out;
50350 +       }
50351 +
50352 +       if (count != sizeof (struct gr_arg_wrapper)) {
50353 +               gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
50354 +               error = -EINVAL;
50355 +               goto out;
50356 +       }
50357 +
50358 +       
50359 +       if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
50360 +               gr_auth_expires = 0;
50361 +               gr_auth_attempts = 0;
50362 +       }
50363 +
50364 +       if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
50365 +               error = -EFAULT;
50366 +               goto out;
50367 +       }
50368 +
50369 +       if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
50370 +               error = -EINVAL;
50371 +               goto out;
50372 +       }
50373 +
50374 +       if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
50375 +               error = -EFAULT;
50376 +               goto out;
50377 +       }
50378 +
50379 +       if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
50380 +           gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
50381 +           time_after(gr_auth_expires, get_seconds())) {
50382 +               error = -EBUSY;
50383 +               goto out;
50384 +       }
50385 +
50386 +       /* if non-root trying to do anything other than use a special role,
50387 +          do not attempt authentication, do not count towards authentication
50388 +          locking
50389 +        */
50390 +
50391 +       if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
50392 +           gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
50393 +           current_uid()) {
50394 +               error = -EPERM;
50395 +               goto out;
50396 +       }
50397 +
50398 +       /* ensure pw and special role name are null terminated */
50399 +
50400 +       gr_usermode->pw[GR_PW_LEN - 1] = '\0';
50401 +       gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
50402 +
50403 +       /* Okay. 
50404 +        * We have our enough of the argument structure..(we have yet
50405 +        * to copy_from_user the tables themselves) . Copy the tables
50406 +        * only if we need them, i.e. for loading operations. */
50407 +
50408 +       switch (gr_usermode->mode) {
50409 +       case GR_STATUS:
50410 +                       if (gr_status & GR_READY) {
50411 +                               error = 1;
50412 +                               if (!gr_check_secure_terminal(current))
50413 +                                       error = 3;
50414 +                       } else
50415 +                               error = 2;
50416 +                       goto out;
50417 +       case GR_SHUTDOWN:
50418 +               if ((gr_status & GR_READY)
50419 +                   && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50420 +                       pax_open_kernel();
50421 +                       gr_status &= ~GR_READY;
50422 +                       pax_close_kernel();
50423 +
50424 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
50425 +                       free_variables();
50426 +                       memset(gr_usermode, 0, sizeof (struct gr_arg));
50427 +                       memset(gr_system_salt, 0, GR_SALT_LEN);
50428 +                       memset(gr_system_sum, 0, GR_SHA_LEN);
50429 +               } else if (gr_status & GR_READY) {
50430 +                       gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
50431 +                       error = -EPERM;
50432 +               } else {
50433 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
50434 +                       error = -EAGAIN;
50435 +               }
50436 +               break;
50437 +       case GR_ENABLE:
50438 +               if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
50439 +                       gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
50440 +               else {
50441 +                       if (gr_status & GR_READY)
50442 +                               error = -EAGAIN;
50443 +                       else
50444 +                               error = error2;
50445 +                       gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
50446 +               }
50447 +               break;
50448 +       case GR_RELOAD:
50449 +               if (!(gr_status & GR_READY)) {
50450 +                       gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
50451 +                       error = -EAGAIN;
50452 +               } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50453 +                       preempt_disable();
50454 +
50455 +                       pax_open_kernel();
50456 +                       gr_status &= ~GR_READY;
50457 +                       pax_close_kernel();
50458 +
50459 +                       free_variables();
50460 +                       if (!(error2 = gracl_init(gr_usermode))) {
50461 +                               preempt_enable();
50462 +                               gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
50463 +                       } else {
50464 +                               preempt_enable();
50465 +                               error = error2;
50466 +                               gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
50467 +                       }
50468 +               } else {
50469 +                       gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
50470 +                       error = -EPERM;
50471 +               }
50472 +               break;
50473 +       case GR_SEGVMOD:
50474 +               if (unlikely(!(gr_status & GR_READY))) {
50475 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
50476 +                       error = -EAGAIN;
50477 +                       break;
50478 +               }
50479 +
50480 +               if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50481 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
50482 +                       if (gr_usermode->segv_device && gr_usermode->segv_inode) {
50483 +                               struct acl_subject_label *segvacl;
50484 +                               segvacl =
50485 +                                   lookup_acl_subj_label(gr_usermode->segv_inode,
50486 +                                                         gr_usermode->segv_device,
50487 +                                                         current->role);
50488 +                               if (segvacl) {
50489 +                                       segvacl->crashes = 0;
50490 +                                       segvacl->expires = 0;
50491 +                               }
50492 +                       } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
50493 +                               gr_remove_uid(gr_usermode->segv_uid);
50494 +                       }
50495 +               } else {
50496 +                       gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
50497 +                       error = -EPERM;
50498 +               }
50499 +               break;
50500 +       case GR_SPROLE:
50501 +       case GR_SPROLEPAM:
50502 +               if (unlikely(!(gr_status & GR_READY))) {
50503 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
50504 +                       error = -EAGAIN;
50505 +                       break;
50506 +               }
50507 +
50508 +               if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
50509 +                       current->role->expires = 0;
50510 +                       current->role->auth_attempts = 0;
50511 +               }
50512 +
50513 +               if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
50514 +                   time_after(current->role->expires, get_seconds())) {
50515 +                       error = -EBUSY;
50516 +                       goto out;
50517 +               }
50518 +
50519 +               if (lookup_special_role_auth
50520 +                   (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
50521 +                   && ((!sprole_salt && !sprole_sum)
50522 +                       || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
50523 +                       char *p = "";
50524 +                       assign_special_role(gr_usermode->sp_role);
50525 +                       read_lock(&tasklist_lock);
50526 +                       if (current->real_parent)
50527 +                               p = current->real_parent->role->rolename;
50528 +                       read_unlock(&tasklist_lock);
50529 +                       gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
50530 +                                       p, acl_sp_role_value);
50531 +               } else {
50532 +                       gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
50533 +                       error = -EPERM;
50534 +                       if(!(current->role->auth_attempts++))
50535 +                               current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
50536 +
50537 +                       goto out;
50538 +               }
50539 +               break;
50540 +       case GR_UNSPROLE:
50541 +               if (unlikely(!(gr_status & GR_READY))) {
50542 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
50543 +                       error = -EAGAIN;
50544 +                       break;
50545 +               }
50546 +
50547 +               if (current->role->roletype & GR_ROLE_SPECIAL) {
50548 +                       char *p = "";
50549 +                       int i = 0;
50550 +
50551 +                       read_lock(&tasklist_lock);
50552 +                       if (current->real_parent) {
50553 +                               p = current->real_parent->role->rolename;
50554 +                               i = current->real_parent->acl_role_id;
50555 +                       }
50556 +                       read_unlock(&tasklist_lock);
50557 +
50558 +                       gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
50559 +                       gr_set_acls(1);
50560 +               } else {
50561 +                       error = -EPERM;
50562 +                       goto out;
50563 +               }
50564 +               break;
50565 +       default:
50566 +               gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
50567 +               error = -EINVAL;
50568 +               break;
50569 +       }
50570 +
50571 +       if (error != -EPERM)
50572 +               goto out;
50573 +
50574 +       if(!(gr_auth_attempts++))
50575 +               gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
50576 +
50577 +      out:
50578 +       mutex_unlock(&gr_dev_mutex);
50579 +       return error;
50580 +}
50581 +
50582 +/* must be called with
50583 +       rcu_read_lock();
50584 +       read_lock(&tasklist_lock);
50585 +       read_lock(&grsec_exec_file_lock);
50586 +*/
50587 +int gr_apply_subject_to_task(struct task_struct *task)
50588 +{
50589 +       struct acl_object_label *obj;
50590 +       char *tmpname;
50591 +       struct acl_subject_label *tmpsubj;
50592 +       struct file *filp;
50593 +       struct name_entry *nmatch;
50594 +
50595 +       filp = task->exec_file;
50596 +       if (filp == NULL)
50597 +               return 0;
50598 +
50599 +       /* the following is to apply the correct subject 
50600 +          on binaries running when the RBAC system 
50601 +          is enabled, when the binaries have been 
50602 +          replaced or deleted since their execution
50603 +          -----
50604 +          when the RBAC system starts, the inode/dev
50605 +          from exec_file will be one the RBAC system
50606 +          is unaware of.  It only knows the inode/dev
50607 +          of the present file on disk, or the absence
50608 +          of it.
50609 +       */
50610 +       preempt_disable();
50611 +       tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
50612 +                       
50613 +       nmatch = lookup_name_entry(tmpname);
50614 +       preempt_enable();
50615 +       tmpsubj = NULL;
50616 +       if (nmatch) {
50617 +               if (nmatch->deleted)
50618 +                       tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
50619 +               else
50620 +                       tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
50621 +               if (tmpsubj != NULL)
50622 +                       task->acl = tmpsubj;
50623 +       }
50624 +       if (tmpsubj == NULL)
50625 +               task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
50626 +                                          task->role);
50627 +       if (task->acl) {
50628 +               task->is_writable = 0;
50629 +               /* ignore additional mmap checks for processes that are writable 
50630 +                  by the default ACL */
50631 +               obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
50632 +               if (unlikely(obj->mode & GR_WRITE))
50633 +                       task->is_writable = 1;
50634 +               obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
50635 +               if (unlikely(obj->mode & GR_WRITE))
50636 +                       task->is_writable = 1;
50637 +
50638 +               gr_set_proc_res(task);
50639 +
50640 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50641 +               printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
50642 +#endif
50643 +       } else {
50644 +               return 1;
50645 +       }
50646 +
50647 +       return 0;
50648 +}
50649 +
50650 +int
50651 +gr_set_acls(const int type)
50652 +{
50653 +       struct task_struct *task, *task2;
50654 +       struct acl_role_label *role = current->role;
50655 +       __u16 acl_role_id = current->acl_role_id;
50656 +       const struct cred *cred;
50657 +       int ret;
50658 +
50659 +       rcu_read_lock();
50660 +       read_lock(&tasklist_lock);
50661 +       read_lock(&grsec_exec_file_lock);
50662 +       do_each_thread(task2, task) {
50663 +               /* check to see if we're called from the exit handler,
50664 +                  if so, only replace ACLs that have inherited the admin
50665 +                  ACL */
50666 +
50667 +               if (type && (task->role != role ||
50668 +                            task->acl_role_id != acl_role_id))
50669 +                       continue;
50670 +
50671 +               task->acl_role_id = 0;
50672 +               task->acl_sp_role = 0;
50673 +
50674 +               if (task->exec_file) {
50675 +                       cred = __task_cred(task);
50676 +                       task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
50677 +                       ret = gr_apply_subject_to_task(task);
50678 +                       if (ret) {
50679 +                               read_unlock(&grsec_exec_file_lock);
50680 +                               read_unlock(&tasklist_lock);
50681 +                               rcu_read_unlock();
50682 +                               gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
50683 +                               return ret;
50684 +                       }
50685 +               } else {
50686 +                       // it's a kernel process
50687 +                       task->role = kernel_role;
50688 +                       task->acl = kernel_role->root_label;
50689 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
50690 +                       task->acl->mode &= ~GR_PROCFIND;
50691 +#endif
50692 +               }
50693 +       } while_each_thread(task2, task);
50694 +       read_unlock(&grsec_exec_file_lock);
50695 +       read_unlock(&tasklist_lock);
50696 +       rcu_read_unlock();
50697 +
50698 +       return 0;
50699 +}
50700 +
50701 +void
50702 +gr_learn_resource(const struct task_struct *task,
50703 +                 const int res, const unsigned long wanted, const int gt)
50704 +{
50705 +       struct acl_subject_label *acl;
50706 +       const struct cred *cred;
50707 +
50708 +       if (unlikely((gr_status & GR_READY) &&
50709 +                    task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
50710 +               goto skip_reslog;
50711 +
50712 +#ifdef CONFIG_GRKERNSEC_RESLOG
50713 +       gr_log_resource(task, res, wanted, gt);
50714 +#endif
50715 +      skip_reslog:
50716 +
50717 +       if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
50718 +               return;
50719 +
50720 +       acl = task->acl;
50721 +
50722 +       if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
50723 +                  !(acl->resmask & (1 << (unsigned short) res))))
50724 +               return;
50725 +
50726 +       if (wanted >= acl->res[res].rlim_cur) {
50727 +               unsigned long res_add;
50728 +
50729 +               res_add = wanted;
50730 +               switch (res) {
50731 +               case RLIMIT_CPU:
50732 +                       res_add += GR_RLIM_CPU_BUMP;
50733 +                       break;
50734 +               case RLIMIT_FSIZE:
50735 +                       res_add += GR_RLIM_FSIZE_BUMP;
50736 +                       break;
50737 +               case RLIMIT_DATA:
50738 +                       res_add += GR_RLIM_DATA_BUMP;
50739 +                       break;
50740 +               case RLIMIT_STACK:
50741 +                       res_add += GR_RLIM_STACK_BUMP;
50742 +                       break;
50743 +               case RLIMIT_CORE:
50744 +                       res_add += GR_RLIM_CORE_BUMP;
50745 +                       break;
50746 +               case RLIMIT_RSS:
50747 +                       res_add += GR_RLIM_RSS_BUMP;
50748 +                       break;
50749 +               case RLIMIT_NPROC:
50750 +                       res_add += GR_RLIM_NPROC_BUMP;
50751 +                       break;
50752 +               case RLIMIT_NOFILE:
50753 +                       res_add += GR_RLIM_NOFILE_BUMP;
50754 +                       break;
50755 +               case RLIMIT_MEMLOCK:
50756 +                       res_add += GR_RLIM_MEMLOCK_BUMP;
50757 +                       break;
50758 +               case RLIMIT_AS:
50759 +                       res_add += GR_RLIM_AS_BUMP;
50760 +                       break;
50761 +               case RLIMIT_LOCKS:
50762 +                       res_add += GR_RLIM_LOCKS_BUMP;
50763 +                       break;
50764 +               case RLIMIT_SIGPENDING:
50765 +                       res_add += GR_RLIM_SIGPENDING_BUMP;
50766 +                       break;
50767 +               case RLIMIT_MSGQUEUE:
50768 +                       res_add += GR_RLIM_MSGQUEUE_BUMP;
50769 +                       break;
50770 +               case RLIMIT_NICE:
50771 +                       res_add += GR_RLIM_NICE_BUMP;
50772 +                       break;
50773 +               case RLIMIT_RTPRIO:
50774 +                       res_add += GR_RLIM_RTPRIO_BUMP;
50775 +                       break;
50776 +               case RLIMIT_RTTIME:
50777 +                       res_add += GR_RLIM_RTTIME_BUMP;
50778 +                       break;
50779 +               }
50780 +
50781 +               acl->res[res].rlim_cur = res_add;
50782 +
50783 +               if (wanted > acl->res[res].rlim_max)
50784 +                       acl->res[res].rlim_max = res_add;
50785 +
50786 +               /* only log the subject filename, since resource logging is supported for
50787 +                  single-subject learning only */
50788 +               rcu_read_lock();
50789 +               cred = __task_cred(task);
50790 +               security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
50791 +                              task->role->roletype, cred->uid, cred->gid, acl->filename,
50792 +                              acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
50793 +                              "", (unsigned long) res, &task->signal->saved_ip);
50794 +               rcu_read_unlock();
50795 +       }
50796 +
50797 +       return;
50798 +}
50799 +
50800 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
50801 +void
50802 +pax_set_initial_flags(struct linux_binprm *bprm)
50803 +{
50804 +       struct task_struct *task = current;
50805 +        struct acl_subject_label *proc;
50806 +       unsigned long flags;
50807 +
50808 +        if (unlikely(!(gr_status & GR_READY)))
50809 +                return;
50810 +
50811 +       flags = pax_get_flags(task);
50812 +
50813 +        proc = task->acl;
50814 +
50815 +       if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
50816 +               flags &= ~MF_PAX_PAGEEXEC;
50817 +       if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
50818 +               flags &= ~MF_PAX_SEGMEXEC;
50819 +       if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
50820 +               flags &= ~MF_PAX_RANDMMAP;
50821 +       if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
50822 +               flags &= ~MF_PAX_EMUTRAMP;
50823 +       if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
50824 +               flags &= ~MF_PAX_MPROTECT;
50825 +
50826 +       if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
50827 +               flags |= MF_PAX_PAGEEXEC;
50828 +       if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
50829 +               flags |= MF_PAX_SEGMEXEC;
50830 +       if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
50831 +               flags |= MF_PAX_RANDMMAP;
50832 +       if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
50833 +               flags |= MF_PAX_EMUTRAMP;
50834 +       if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
50835 +               flags |= MF_PAX_MPROTECT;
50836 +
50837 +       pax_set_flags(task, flags);
50838 +
50839 +        return;
50840 +}
50841 +#endif
50842 +
50843 +#ifdef CONFIG_SYSCTL
50844 +/* Eric Biederman likes breaking userland ABI and every inode-based security
50845 +   system to save 35kb of memory */
50846 +
50847 +/* we modify the passed in filename, but adjust it back before returning */
50848 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
50849 +{
50850 +       struct name_entry *nmatch;
50851 +       char *p, *lastp = NULL;
50852 +       struct acl_object_label *obj = NULL, *tmp;
50853 +       struct acl_subject_label *tmpsubj;
50854 +       char c = '\0';
50855 +
50856 +       read_lock(&gr_inode_lock);
50857 +
50858 +       p = name + len - 1;
50859 +       do {
50860 +               nmatch = lookup_name_entry(name);
50861 +               if (lastp != NULL)
50862 +                       *lastp = c;
50863 +
50864 +               if (nmatch == NULL)
50865 +                       goto next_component;
50866 +               tmpsubj = current->acl;
50867 +               do {
50868 +                       obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
50869 +                       if (obj != NULL) {
50870 +                               tmp = obj->globbed;
50871 +                               while (tmp) {
50872 +                                       if (!glob_match(tmp->filename, name)) {
50873 +                                               obj = tmp;
50874 +                                               goto found_obj;
50875 +                                       }
50876 +                                       tmp = tmp->next;
50877 +                               }
50878 +                               goto found_obj;
50879 +                       }
50880 +               } while ((tmpsubj = tmpsubj->parent_subject));
50881 +next_component:
50882 +               /* end case */
50883 +               if (p == name)
50884 +                       break;
50885 +
50886 +               while (*p != '/')
50887 +                       p--;
50888 +               if (p == name)
50889 +                       lastp = p + 1;
50890 +               else {
50891 +                       lastp = p;
50892 +                       p--;
50893 +               }
50894 +               c = *lastp;
50895 +               *lastp = '\0';
50896 +       } while (1);
50897 +found_obj:
50898 +       read_unlock(&gr_inode_lock);
50899 +       /* obj returned will always be non-null */
50900 +       return obj;
50901 +}
50902 +
50903 +/* returns 0 when allowing, non-zero on error
50904 +   op of 0 is used for readdir, so we don't log the names of hidden files
50905 +*/
50906 +__u32
50907 +gr_handle_sysctl(const struct ctl_table *table, const int op)
50908 +{
50909 +       struct ctl_table *tmp;
50910 +       const char *proc_sys = "/proc/sys";
50911 +       char *path;
50912 +       struct acl_object_label *obj;
50913 +       unsigned short len = 0, pos = 0, depth = 0, i;
50914 +       __u32 err = 0;
50915 +       __u32 mode = 0;
50916 +
50917 +       if (unlikely(!(gr_status & GR_READY)))
50918 +               return 0;
50919 +
50920 +       /* for now, ignore operations on non-sysctl entries if it's not a
50921 +          readdir*/
50922 +       if (table->child != NULL && op != 0)
50923 +               return 0;
50924 +
50925 +       mode |= GR_FIND;
50926 +       /* it's only a read if it's an entry, read on dirs is for readdir */
50927 +       if (op & MAY_READ)
50928 +               mode |= GR_READ;
50929 +       if (op & MAY_WRITE)
50930 +               mode |= GR_WRITE;
50931 +
50932 +       preempt_disable();
50933 +
50934 +       path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
50935 +
50936 +       /* it's only a read/write if it's an actual entry, not a dir
50937 +          (which are opened for readdir)
50938 +       */
50939 +
50940 +       /* convert the requested sysctl entry into a pathname */
50941 +
50942 +       for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
50943 +               len += strlen(tmp->procname);
50944 +               len++;
50945 +               depth++;
50946 +       }
50947 +
50948 +       if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
50949 +               /* deny */
50950 +               goto out;
50951 +       }
50952 +
50953 +       memset(path, 0, PAGE_SIZE);
50954 +
50955 +       memcpy(path, proc_sys, strlen(proc_sys));
50956 +
50957 +       pos += strlen(proc_sys);
50958 +
50959 +       for (; depth > 0; depth--) {
50960 +               path[pos] = '/';
50961 +               pos++;
50962 +               for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
50963 +                       if (depth == i) {
50964 +                               memcpy(path + pos, tmp->procname,
50965 +                                      strlen(tmp->procname));
50966 +                               pos += strlen(tmp->procname);
50967 +                       }
50968 +                       i++;
50969 +               }
50970 +       }
50971 +
50972 +       obj = gr_lookup_by_name(path, pos);
50973 +       err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
50974 +
50975 +       if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
50976 +                    ((err & mode) != mode))) {
50977 +               __u32 new_mode = mode;
50978 +
50979 +               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
50980 +
50981 +               err = 0;
50982 +               gr_log_learn_sysctl(path, new_mode);
50983 +       } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
50984 +               gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
50985 +               err = -ENOENT;
50986 +       } else if (!(err & GR_FIND)) {
50987 +               err = -ENOENT;
50988 +       } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
50989 +               gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
50990 +                              path, (mode & GR_READ) ? " reading" : "",
50991 +                              (mode & GR_WRITE) ? " writing" : "");
50992 +               err = -EACCES;
50993 +       } else if ((err & mode) != mode) {
50994 +               err = -EACCES;
50995 +       } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
50996 +               gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
50997 +                              path, (mode & GR_READ) ? " reading" : "",
50998 +                              (mode & GR_WRITE) ? " writing" : "");
50999 +               err = 0;
51000 +       } else
51001 +               err = 0;
51002 +
51003 +      out:
51004 +       preempt_enable();
51005 +
51006 +       return err;
51007 +}
51008 +#endif
51009 +
51010 +int
51011 +gr_handle_proc_ptrace(struct task_struct *task)
51012 +{
51013 +       struct file *filp;
51014 +       struct task_struct *tmp = task;
51015 +       struct task_struct *curtemp = current;
51016 +       __u32 retmode;
51017 +
51018 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
51019 +       if (unlikely(!(gr_status & GR_READY)))
51020 +               return 0;
51021 +#endif
51022 +
51023 +       read_lock(&tasklist_lock);
51024 +       read_lock(&grsec_exec_file_lock);
51025 +       filp = task->exec_file;
51026 +
51027 +       while (tmp->pid > 0) {
51028 +               if (tmp == curtemp)
51029 +                       break;
51030 +               tmp = tmp->real_parent;
51031 +       }
51032 +
51033 +       if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
51034 +                               ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
51035 +               read_unlock(&grsec_exec_file_lock);
51036 +               read_unlock(&tasklist_lock);
51037 +               return 1;
51038 +       }
51039 +
51040 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
51041 +       if (!(gr_status & GR_READY)) {
51042 +               read_unlock(&grsec_exec_file_lock);
51043 +               read_unlock(&tasklist_lock);
51044 +               return 0;
51045 +       }
51046 +#endif
51047 +
51048 +       retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
51049 +       read_unlock(&grsec_exec_file_lock);
51050 +       read_unlock(&tasklist_lock);
51051 +
51052 +       if (retmode & GR_NOPTRACE)
51053 +               return 1;
51054 +
51055 +       if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
51056 +           && (current->acl != task->acl || (current->acl != current->role->root_label
51057 +           && current->pid != task->pid)))
51058 +               return 1;
51059 +
51060 +       return 0;
51061 +}
51062 +
51063 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
51064 +{
51065 +       if (unlikely(!(gr_status & GR_READY)))
51066 +               return;
51067 +
51068 +       if (!(current->role->roletype & GR_ROLE_GOD))
51069 +               return;
51070 +
51071 +       seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
51072 +                       p->role->rolename, gr_task_roletype_to_char(p),
51073 +                       p->acl->filename);
51074 +}
51075 +
51076 +int
51077 +gr_handle_ptrace(struct task_struct *task, const long request)
51078 +{
51079 +       struct task_struct *tmp = task;
51080 +       struct task_struct *curtemp = current;
51081 +       __u32 retmode;
51082 +
51083 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
51084 +       if (unlikely(!(gr_status & GR_READY)))
51085 +               return 0;
51086 +#endif
51087 +
51088 +       read_lock(&tasklist_lock);
51089 +       while (tmp->pid > 0) {
51090 +               if (tmp == curtemp)
51091 +                       break;
51092 +               tmp = tmp->real_parent;
51093 +       }
51094 +
51095 +       if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
51096 +                               ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
51097 +               read_unlock(&tasklist_lock);
51098 +               gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51099 +               return 1;
51100 +       }
51101 +       read_unlock(&tasklist_lock);
51102 +
51103 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
51104 +       if (!(gr_status & GR_READY))
51105 +               return 0;
51106 +#endif
51107 +
51108 +       read_lock(&grsec_exec_file_lock);
51109 +       if (unlikely(!task->exec_file)) {
51110 +               read_unlock(&grsec_exec_file_lock);
51111 +               return 0;
51112 +       }
51113 +
51114 +       retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
51115 +       read_unlock(&grsec_exec_file_lock);
51116 +
51117 +       if (retmode & GR_NOPTRACE) {
51118 +               gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51119 +               return 1;
51120 +       }
51121 +               
51122 +       if (retmode & GR_PTRACERD) {
51123 +               switch (request) {
51124 +               case PTRACE_SEIZE:
51125 +               case PTRACE_POKETEXT:
51126 +               case PTRACE_POKEDATA:
51127 +               case PTRACE_POKEUSR:
51128 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
51129 +               case PTRACE_SETREGS:
51130 +               case PTRACE_SETFPREGS:
51131 +#endif
51132 +#ifdef CONFIG_X86
51133 +               case PTRACE_SETFPXREGS:
51134 +#endif
51135 +#ifdef CONFIG_ALTIVEC
51136 +               case PTRACE_SETVRREGS:
51137 +#endif
51138 +                       return 1;
51139 +               default:
51140 +                       return 0;
51141 +               }
51142 +       } else if (!(current->acl->mode & GR_POVERRIDE) &&
51143 +                  !(current->role->roletype & GR_ROLE_GOD) &&
51144 +                  (current->acl != task->acl)) {
51145 +               gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51146 +               return 1;
51147 +       }
51148 +
51149 +       return 0;
51150 +}
51151 +
51152 +static int is_writable_mmap(const struct file *filp)
51153 +{
51154 +       struct task_struct *task = current;
51155 +       struct acl_object_label *obj, *obj2;
51156 +
51157 +       if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
51158 +           !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
51159 +               obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
51160 +               obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
51161 +                                    task->role->root_label);
51162 +               if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
51163 +                       gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
51164 +                       return 1;
51165 +               }
51166 +       }
51167 +       return 0;
51168 +}
51169 +
51170 +int
51171 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
51172 +{
51173 +       __u32 mode;
51174 +
51175 +       if (unlikely(!file || !(prot & PROT_EXEC)))
51176 +               return 1;
51177 +
51178 +       if (is_writable_mmap(file))
51179 +               return 0;
51180 +
51181 +       mode =
51182 +           gr_search_file(file->f_path.dentry,
51183 +                          GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
51184 +                          file->f_path.mnt);
51185 +
51186 +       if (!gr_tpe_allow(file))
51187 +               return 0;
51188 +
51189 +       if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
51190 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51191 +               return 0;
51192 +       } else if (unlikely(!(mode & GR_EXEC))) {
51193 +               return 0;
51194 +       } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
51195 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51196 +               return 1;
51197 +       }
51198 +
51199 +       return 1;
51200 +}
51201 +
51202 +int
51203 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
51204 +{
51205 +       __u32 mode;
51206 +
51207 +       if (unlikely(!file || !(prot & PROT_EXEC)))
51208 +               return 1;
51209 +
51210 +       if (is_writable_mmap(file))
51211 +               return 0;
51212 +
51213 +       mode =
51214 +           gr_search_file(file->f_path.dentry,
51215 +                          GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
51216 +                          file->f_path.mnt);
51217 +
51218 +       if (!gr_tpe_allow(file))
51219 +               return 0;
51220 +
51221 +       if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
51222 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51223 +               return 0;
51224 +       } else if (unlikely(!(mode & GR_EXEC))) {
51225 +               return 0;
51226 +       } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
51227 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51228 +               return 1;
51229 +       }
51230 +
51231 +       return 1;
51232 +}
51233 +
51234 +void
51235 +gr_acl_handle_psacct(struct task_struct *task, const long code)
51236 +{
51237 +       unsigned long runtime;
51238 +       unsigned long cputime;
51239 +       unsigned int wday, cday;
51240 +       __u8 whr, chr;
51241 +       __u8 wmin, cmin;
51242 +       __u8 wsec, csec;
51243 +       struct timespec timeval;
51244 +
51245 +       if (unlikely(!(gr_status & GR_READY) || !task->acl ||
51246 +                    !(task->acl->mode & GR_PROCACCT)))
51247 +               return;
51248 +
51249 +       do_posix_clock_monotonic_gettime(&timeval);
51250 +       runtime = timeval.tv_sec - task->start_time.tv_sec;
51251 +       wday = runtime / (3600 * 24);
51252 +       runtime -= wday * (3600 * 24);
51253 +       whr = runtime / 3600;
51254 +       runtime -= whr * 3600;
51255 +       wmin = runtime / 60;
51256 +       runtime -= wmin * 60;
51257 +       wsec = runtime;
51258 +
51259 +       cputime = (task->utime + task->stime) / HZ;
51260 +       cday = cputime / (3600 * 24);
51261 +       cputime -= cday * (3600 * 24);
51262 +       chr = cputime / 3600;
51263 +       cputime -= chr * 3600;
51264 +       cmin = cputime / 60;
51265 +       cputime -= cmin * 60;
51266 +       csec = cputime;
51267 +
51268 +       gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
51269 +
51270 +       return;
51271 +}
51272 +
51273 +void gr_set_kernel_label(struct task_struct *task)
51274 +{
51275 +       if (gr_status & GR_READY) {
51276 +               task->role = kernel_role;
51277 +               task->acl = kernel_role->root_label;
51278 +       }
51279 +       return;
51280 +}
51281 +
51282 +#ifdef CONFIG_TASKSTATS
51283 +int gr_is_taskstats_denied(int pid)
51284 +{
51285 +       struct task_struct *task;
51286 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51287 +       const struct cred *cred;
51288 +#endif
51289 +       int ret = 0;
51290 +
51291 +       /* restrict taskstats viewing to un-chrooted root users
51292 +          who have the 'view' subject flag if the RBAC system is enabled
51293 +       */
51294 +
51295 +       rcu_read_lock();
51296 +       read_lock(&tasklist_lock);
51297 +       task = find_task_by_vpid(pid);
51298 +       if (task) {
51299 +#ifdef CONFIG_GRKERNSEC_CHROOT
51300 +               if (proc_is_chrooted(task))
51301 +                       ret = -EACCES;
51302 +#endif
51303 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51304 +               cred = __task_cred(task);
51305 +#ifdef CONFIG_GRKERNSEC_PROC_USER
51306 +               if (cred->uid != 0)
51307 +                       ret = -EACCES;
51308 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51309 +               if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
51310 +                       ret = -EACCES;
51311 +#endif
51312 +#endif
51313 +               if (gr_status & GR_READY) {
51314 +                       if (!(task->acl->mode & GR_VIEW))
51315 +                               ret = -EACCES;
51316 +               }
51317 +       } else
51318 +               ret = -ENOENT;
51319 +
51320 +       read_unlock(&tasklist_lock);
51321 +       rcu_read_unlock();
51322 +
51323 +       return ret;
51324 +}
51325 +#endif
51326 +
51327 +/* AUXV entries are filled via a descendant of search_binary_handler
51328 +   after we've already applied the subject for the target
51329 +*/
51330 +int gr_acl_enable_at_secure(void)
51331 +{
51332 +       if (unlikely(!(gr_status & GR_READY)))
51333 +               return 0;
51334 +
51335 +       if (current->acl->mode & GR_ATSECURE)
51336 +               return 1;
51337 +
51338 +       return 0;
51339 +}
51340 +       
51341 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
51342 +{
51343 +       struct task_struct *task = current;
51344 +       struct dentry *dentry = file->f_path.dentry;
51345 +       struct vfsmount *mnt = file->f_path.mnt;
51346 +       struct acl_object_label *obj, *tmp;
51347 +       struct acl_subject_label *subj;
51348 +       unsigned int bufsize;
51349 +       int is_not_root;
51350 +       char *path;
51351 +       dev_t dev = __get_dev(dentry);
51352 +
51353 +       if (unlikely(!(gr_status & GR_READY)))
51354 +               return 1;
51355 +
51356 +       if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
51357 +               return 1;
51358 +
51359 +       /* ignore Eric Biederman */
51360 +       if (IS_PRIVATE(dentry->d_inode))
51361 +               return 1;
51362 +
51363 +       subj = task->acl;
51364 +       do {
51365 +               obj = lookup_acl_obj_label(ino, dev, subj);
51366 +               if (obj != NULL)
51367 +                       return (obj->mode & GR_FIND) ? 1 : 0;
51368 +       } while ((subj = subj->parent_subject));
51369 +       
51370 +       /* this is purely an optimization since we're looking for an object
51371 +          for the directory we're doing a readdir on
51372 +          if it's possible for any globbed object to match the entry we're
51373 +          filling into the directory, then the object we find here will be
51374 +          an anchor point with attached globbed objects
51375 +       */
51376 +       obj = chk_obj_label_noglob(dentry, mnt, task->acl);
51377 +       if (obj->globbed == NULL)
51378 +               return (obj->mode & GR_FIND) ? 1 : 0;
51379 +
51380 +       is_not_root = ((obj->filename[0] == '/') &&
51381 +                  (obj->filename[1] == '\0')) ? 0 : 1;
51382 +       bufsize = PAGE_SIZE - namelen - is_not_root;
51383 +
51384 +       /* check bufsize > PAGE_SIZE || bufsize == 0 */
51385 +       if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
51386 +               return 1;
51387 +
51388 +       preempt_disable();
51389 +       path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
51390 +                          bufsize);
51391 +
51392 +       bufsize = strlen(path);
51393 +
51394 +       /* if base is "/", don't append an additional slash */
51395 +       if (is_not_root)
51396 +               *(path + bufsize) = '/';
51397 +       memcpy(path + bufsize + is_not_root, name, namelen);
51398 +       *(path + bufsize + namelen + is_not_root) = '\0';
51399 +
51400 +       tmp = obj->globbed;
51401 +       while (tmp) {
51402 +               if (!glob_match(tmp->filename, path)) {
51403 +                       preempt_enable();
51404 +                       return (tmp->mode & GR_FIND) ? 1 : 0;
51405 +               }
51406 +               tmp = tmp->next;
51407 +       }
51408 +       preempt_enable();
51409 +       return (obj->mode & GR_FIND) ? 1 : 0;
51410 +}
51411 +
51412 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
51413 +EXPORT_SYMBOL(gr_acl_is_enabled);
51414 +#endif
51415 +EXPORT_SYMBOL(gr_learn_resource);
51416 +EXPORT_SYMBOL(gr_set_kernel_label);
51417 +#ifdef CONFIG_SECURITY
51418 +EXPORT_SYMBOL(gr_check_user_change);
51419 +EXPORT_SYMBOL(gr_check_group_change);
51420 +#endif
51421 +
51422 diff -urNp linux-3.1.1/grsecurity/gracl_cap.c linux-3.1.1/grsecurity/gracl_cap.c
51423 --- linux-3.1.1/grsecurity/gracl_cap.c  1969-12-31 19:00:00.000000000 -0500
51424 +++ linux-3.1.1/grsecurity/gracl_cap.c  2011-11-16 18:40:31.000000000 -0500
51425 @@ -0,0 +1,101 @@
51426 +#include <linux/kernel.h>
51427 +#include <linux/module.h>
51428 +#include <linux/sched.h>
51429 +#include <linux/gracl.h>
51430 +#include <linux/grsecurity.h>
51431 +#include <linux/grinternal.h>
51432 +
51433 +extern const char *captab_log[];
51434 +extern int captab_log_entries;
51435 +
51436 +int
51437 +gr_acl_is_capable(const int cap)
51438 +{
51439 +       struct task_struct *task = current;
51440 +       const struct cred *cred = current_cred();
51441 +       struct acl_subject_label *curracl;
51442 +       kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
51443 +       kernel_cap_t cap_audit = __cap_empty_set;
51444 +
51445 +       if (!gr_acl_is_enabled())
51446 +               return 1;
51447 +
51448 +       curracl = task->acl;
51449 +
51450 +       cap_drop = curracl->cap_lower;
51451 +       cap_mask = curracl->cap_mask;
51452 +       cap_audit = curracl->cap_invert_audit;
51453 +
51454 +       while ((curracl = curracl->parent_subject)) {
51455 +               /* if the cap isn't specified in the current computed mask but is specified in the
51456 +                  current level subject, and is lowered in the current level subject, then add
51457 +                  it to the set of dropped capabilities
51458 +                  otherwise, add the current level subject's mask to the current computed mask
51459 +                */
51460 +               if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
51461 +                       cap_raise(cap_mask, cap);
51462 +                       if (cap_raised(curracl->cap_lower, cap))
51463 +                               cap_raise(cap_drop, cap);
51464 +                       if (cap_raised(curracl->cap_invert_audit, cap))
51465 +                               cap_raise(cap_audit, cap);
51466 +               }
51467 +       }
51468 +
51469 +       if (!cap_raised(cap_drop, cap)) {
51470 +               if (cap_raised(cap_audit, cap))
51471 +                       gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
51472 +               return 1;
51473 +       }
51474 +
51475 +       curracl = task->acl;
51476 +
51477 +       if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
51478 +           && cap_raised(cred->cap_effective, cap)) {
51479 +               security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
51480 +                              task->role->roletype, cred->uid,
51481 +                              cred->gid, task->exec_file ?
51482 +                              gr_to_filename(task->exec_file->f_path.dentry,
51483 +                              task->exec_file->f_path.mnt) : curracl->filename,
51484 +                              curracl->filename, 0UL,
51485 +                              0UL, "", (unsigned long) cap, &task->signal->saved_ip);
51486 +               return 1;
51487 +       }
51488 +
51489 +       if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
51490 +               gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
51491 +       return 0;
51492 +}
51493 +
51494 +int
51495 +gr_acl_is_capable_nolog(const int cap)
51496 +{
51497 +       struct acl_subject_label *curracl;
51498 +       kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
51499 +
51500 +       if (!gr_acl_is_enabled())
51501 +               return 1;
51502 +
51503 +       curracl = current->acl;
51504 +
51505 +       cap_drop = curracl->cap_lower;
51506 +       cap_mask = curracl->cap_mask;
51507 +
51508 +       while ((curracl = curracl->parent_subject)) {
51509 +               /* if the cap isn't specified in the current computed mask but is specified in the
51510 +                  current level subject, and is lowered in the current level subject, then add
51511 +                  it to the set of dropped capabilities
51512 +                  otherwise, add the current level subject's mask to the current computed mask
51513 +                */
51514 +               if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
51515 +                       cap_raise(cap_mask, cap);
51516 +                       if (cap_raised(curracl->cap_lower, cap))
51517 +                               cap_raise(cap_drop, cap);
51518 +               }
51519 +       }
51520 +
51521 +       if (!cap_raised(cap_drop, cap))
51522 +               return 1;
51523 +
51524 +       return 0;
51525 +}
51526 +
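Review bot: In gr_acl_is_capable the permit-and-audit path indexes `captab_log[cap]` (the `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, …)` call) without the `(cap >= 0) && (cap < captab_log_entries)` range check that guards the identical index on the deny path a few lines below; if any caller can pass a cap outside the table, that branch reads past the end of `captab_log`. Unless every caller is known to validate `cap` first (not visible in this hunk), guard both uses the same way: `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < captab_log_entries)`. Separately, the parent-subject walk that merges cap_mask/cap_lower is duplicated verbatim between gr_acl_is_capable and gr_acl_is_capable_nolog; a small static helper that computes the effective drop mask (and optionally the audit mask) would keep the two from drifting apart.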
51527 diff -urNp linux-3.1.1/grsecurity/gracl_fs.c linux-3.1.1/grsecurity/gracl_fs.c
51528 --- linux-3.1.1/grsecurity/gracl_fs.c   1969-12-31 19:00:00.000000000 -0500
51529 +++ linux-3.1.1/grsecurity/gracl_fs.c   2011-11-17 00:25:32.000000000 -0500
51530 @@ -0,0 +1,433 @@
51531 +#include <linux/kernel.h>
51532 +#include <linux/sched.h>
51533 +#include <linux/types.h>
51534 +#include <linux/fs.h>
51535 +#include <linux/file.h>
51536 +#include <linux/stat.h>
51537 +#include <linux/grsecurity.h>
51538 +#include <linux/grinternal.h>
51539 +#include <linux/gracl.h>
51540 +
51541 +__u32
51542 +gr_acl_handle_hidden_file(const struct dentry * dentry,
51543 +                         const struct vfsmount * mnt)
51544 +{
51545 +       __u32 mode;
51546 +
51547 +       if (unlikely(!dentry->d_inode))
51548 +               return GR_FIND;
51549 +
51550 +       mode =
51551 +           gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
51552 +
51553 +       if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
51554 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
51555 +               return mode;
51556 +       } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
51557 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
51558 +               return 0;
51559 +       } else if (unlikely(!(mode & GR_FIND)))
51560 +               return 0;
51561 +
51562 +       return GR_FIND;
51563 +}
51564 +
51565 +__u32
51566 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
51567 +                  int acc_mode)
51568 +{
51569 +       __u32 reqmode = GR_FIND;
51570 +       __u32 mode;
51571 +
51572 +       if (unlikely(!dentry->d_inode))
51573 +               return reqmode;
51574 +
51575 +       if (acc_mode & MAY_APPEND)
51576 +               reqmode |= GR_APPEND;
51577 +       else if (acc_mode & MAY_WRITE)
51578 +               reqmode |= GR_WRITE;
51579 +       if ((acc_mode & MAY_READ) && !S_ISDIR(dentry->d_inode->i_mode))
51580 +               reqmode |= GR_READ;
51581 +
51582 +       mode =
51583 +           gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
51584 +                          mnt);
51585 +
51586 +       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51587 +               gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
51588 +                              reqmode & GR_READ ? " reading" : "",
51589 +                              reqmode & GR_WRITE ? " writing" : reqmode &
51590 +                              GR_APPEND ? " appending" : "");
51591 +               return reqmode;
51592 +       } else
51593 +           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51594 +       {
51595 +               gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
51596 +                              reqmode & GR_READ ? " reading" : "",
51597 +                              reqmode & GR_WRITE ? " writing" : reqmode &
51598 +                              GR_APPEND ? " appending" : "");
51599 +               return 0;
51600 +       } else if (unlikely((mode & reqmode) != reqmode))
51601 +               return 0;
51602 +
51603 +       return reqmode;
51604 +}
51605 +
51606 +__u32
51607 +gr_acl_handle_creat(const struct dentry * dentry,
51608 +                   const struct dentry * p_dentry,
51609 +                   const struct vfsmount * p_mnt, int open_flags, int acc_mode,
51610 +                   const int imode)
51611 +{
51612 +       __u32 reqmode = GR_WRITE | GR_CREATE;
51613 +       __u32 mode;
51614 +
51615 +       if (acc_mode & MAY_APPEND)
51616 +               reqmode |= GR_APPEND;
51617 +       // if a directory was required or the directory already exists, then
51618 +       // don't count this open as a read
51619 +       if ((acc_mode & MAY_READ) &&
51620 +           !((open_flags & O_DIRECTORY) || (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode))))
51621 +               reqmode |= GR_READ;
51622 +       if ((open_flags & O_CREAT) && (imode & (S_ISUID | S_ISGID)))
51623 +               reqmode |= GR_SETID;
51624 +
51625 +       mode =
51626 +           gr_check_create(dentry, p_dentry, p_mnt,
51627 +                           reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
51628 +
51629 +       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51630 +               gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
51631 +                              reqmode & GR_READ ? " reading" : "",
51632 +                              reqmode & GR_WRITE ? " writing" : reqmode &
51633 +                              GR_APPEND ? " appending" : "");
51634 +               return reqmode;
51635 +       } else
51636 +           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51637 +       {
51638 +               gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
51639 +                              reqmode & GR_READ ? " reading" : "",
51640 +                              reqmode & GR_WRITE ? " writing" : reqmode &
51641 +                              GR_APPEND ? " appending" : "");
51642 +               return 0;
51643 +       } else if (unlikely((mode & reqmode) != reqmode))
51644 +               return 0;
51645 +
51646 +       return reqmode;
51647 +}
51648 +
51649 +__u32
51650 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
51651 +                    const int fmode)
51652 +{
51653 +       __u32 mode, reqmode = GR_FIND;
51654 +
51655 +       if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
51656 +               reqmode |= GR_EXEC;
51657 +       if (fmode & S_IWOTH)
51658 +               reqmode |= GR_WRITE;
51659 +       if (fmode & S_IROTH)
51660 +               reqmode |= GR_READ;
51661 +
51662 +       mode =
51663 +           gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
51664 +                          mnt);
51665 +
51666 +       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51667 +               gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
51668 +                              reqmode & GR_READ ? " reading" : "",
51669 +                              reqmode & GR_WRITE ? " writing" : "",
51670 +                              reqmode & GR_EXEC ? " executing" : "");
51671 +               return reqmode;
51672 +       } else
51673 +           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51674 +       {
51675 +               gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
51676 +                              reqmode & GR_READ ? " reading" : "",
51677 +                              reqmode & GR_WRITE ? " writing" : "",
51678 +                              reqmode & GR_EXEC ? " executing" : "");
51679 +               return 0;
51680 +       } else if (unlikely((mode & reqmode) != reqmode))
51681 +               return 0;
51682 +
51683 +       return reqmode;
51684 +}
51685 +
51686 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
51687 +{
51688 +       __u32 mode;
51689 +
51690 +       mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
51691 +
51692 +       if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
51693 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
51694 +               return mode;
51695 +       } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
51696 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
51697 +               return 0;
51698 +       } else if (unlikely((mode & (reqmode)) != (reqmode)))
51699 +               return 0;
51700 +
51701 +       return (reqmode);
51702 +}
51703 +
51704 +__u32
51705 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
51706 +{
51707 +       return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
51708 +}
51709 +
51710 +__u32
51711 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
51712 +{
51713 +       return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
51714 +}
51715 +
51716 +__u32
51717 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
51718 +{
51719 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
51720 +}
51721 +
51722 +__u32
51723 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
51724 +{
51725 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
51726 +}
51727 +
51728 +__u32
51729 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
51730 +                    mode_t mode)
51731 +{
51732 +       if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
51733 +               return 1;
51734 +
51735 +       if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
51736 +               return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
51737 +                                  GR_FCHMOD_ACL_MSG);
51738 +       } else {
51739 +               return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
51740 +       }
51741 +}
51742 +
51743 +__u32
51744 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
51745 +                   mode_t mode)
51746 +{
51747 +       if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
51748 +               return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
51749 +                                  GR_CHMOD_ACL_MSG);
51750 +       } else {
51751 +               return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
51752 +       }
51753 +}
51754 +
51755 +__u32
51756 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
51757 +{
51758 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
51759 +}
51760 +
51761 +__u32
51762 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
51763 +{
51764 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
51765 +}
51766 +
51767 +__u32
51768 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
51769 +{
51770 +       return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
51771 +}
51772 +
51773 +__u32
51774 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
51775 +{
51776 +       return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
51777 +                          GR_UNIXCONNECT_ACL_MSG);
51778 +}
51779 +
51780 +/* hardlinks require at minimum create and link permission,
51781 +   any additional privilege required is based on the
51782 +   privilege of the file being linked to
51783 +*/
51784 +__u32
51785 +gr_acl_handle_link(const struct dentry * new_dentry,
51786 +                  const struct dentry * parent_dentry,
51787 +                  const struct vfsmount * parent_mnt,
51788 +                  const struct dentry * old_dentry,
51789 +                  const struct vfsmount * old_mnt, const char *to)
51790 +{
51791 +       __u32 mode;
51792 +       __u32 needmode = GR_CREATE | GR_LINK;
51793 +       __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
51794 +
51795 +       mode =
51796 +           gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
51797 +                         old_mnt);
51798 +
51799 +       if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
51800 +               gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
51801 +               return mode;
51802 +       } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
51803 +               gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
51804 +               return 0;
51805 +       } else if (unlikely((mode & needmode) != needmode))
51806 +               return 0;
51807 +
51808 +       return 1;
51809 +}
51810 +
51811 +__u32
51812 +gr_acl_handle_symlink(const struct dentry * new_dentry,
51813 +                     const struct dentry * parent_dentry,
51814 +                     const struct vfsmount * parent_mnt, const char *from)
51815 +{
51816 +       __u32 needmode = GR_WRITE | GR_CREATE;
51817 +       __u32 mode;
51818 +
51819 +       mode =
51820 +           gr_check_create(new_dentry, parent_dentry, parent_mnt,
51821 +                           GR_CREATE | GR_AUDIT_CREATE |
51822 +                           GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
51823 +
51824 +       if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
51825 +               gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
51826 +               return mode;
51827 +       } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
51828 +               gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
51829 +               return 0;
51830 +       } else if (unlikely((mode & needmode) != needmode))
51831 +               return 0;
51832 +
51833 +       return (GR_WRITE | GR_CREATE);
51834 +}
51835 +
51836 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
51837 +{
51838 +       __u32 mode;
51839 +
51840 +       mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
51841 +
51842 +       if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
51843 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
51844 +               return mode;
51845 +       } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
51846 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
51847 +               return 0;
51848 +       } else if (unlikely((mode & (reqmode)) != (reqmode)))
51849 +               return 0;
51850 +
51851 +       return (reqmode);
51852 +}
51853 +
51854 +__u32
51855 +gr_acl_handle_mknod(const struct dentry * new_dentry,
51856 +                   const struct dentry * parent_dentry,
51857 +                   const struct vfsmount * parent_mnt,
51858 +                   const int mode)
51859 +{
51860 +       __u32 reqmode = GR_WRITE | GR_CREATE;
51861 +       if (unlikely(mode & (S_ISUID | S_ISGID)))
51862 +               reqmode |= GR_SETID;
51863 +
51864 +       return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
51865 +                                 reqmode, GR_MKNOD_ACL_MSG);
51866 +}
51867 +
51868 +__u32
51869 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
51870 +                   const struct dentry *parent_dentry,
51871 +                   const struct vfsmount *parent_mnt)
51872 +{
51873 +       return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
51874 +                                 GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
51875 +}
51876 +
51877 +#define RENAME_CHECK_SUCCESS(old, new) \
51878 +       (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
51879 +        ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
51880 +
51881 +int
51882 +gr_acl_handle_rename(struct dentry *new_dentry,
51883 +                    struct dentry *parent_dentry,
51884 +                    const struct vfsmount *parent_mnt,
51885 +                    struct dentry *old_dentry,
51886 +                    struct inode *old_parent_inode,
51887 +                    struct vfsmount *old_mnt, const char *newname)
51888 +{
51889 +       __u32 comp1, comp2;
51890 +       int error = 0;
51891 +
51892 +       if (unlikely(!gr_acl_is_enabled()))
51893 +               return 0;
51894 +
51895 +       if (!new_dentry->d_inode) {
51896 +               comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
51897 +                                       GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
51898 +                                       GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
51899 +               comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
51900 +                                      GR_DELETE | GR_AUDIT_DELETE |
51901 +                                      GR_AUDIT_READ | GR_AUDIT_WRITE |
51902 +                                      GR_SUPPRESS, old_mnt);
51903 +       } else {
51904 +               comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
51905 +                                      GR_CREATE | GR_DELETE |
51906 +                                      GR_AUDIT_CREATE | GR_AUDIT_DELETE |
51907 +                                      GR_AUDIT_READ | GR_AUDIT_WRITE |
51908 +                                      GR_SUPPRESS, parent_mnt);
51909 +               comp2 =
51910 +                   gr_search_file(old_dentry,
51911 +                                  GR_READ | GR_WRITE | GR_AUDIT_READ |
51912 +                                  GR_DELETE | GR_AUDIT_DELETE |
51913 +                                  GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
51914 +       }
51915 +
51916 +       if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
51917 +           ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
51918 +               gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
51919 +       else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
51920 +                && !(comp2 & GR_SUPPRESS)) {
51921 +               gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
51922 +               error = -EACCES;
51923 +       } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
51924 +               error = -EACCES;
51925 +
51926 +       return error;
51927 +}
51928 +
51929 +void
51930 +gr_acl_handle_exit(void)
51931 +{
51932 +       u16 id;
51933 +       char *rolename;
51934 +       struct file *exec_file;
51935 +
51936 +       if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
51937 +           !(current->role->roletype & GR_ROLE_PERSIST))) {
51938 +               id = current->acl_role_id;
51939 +               rolename = current->role->rolename;
51940 +               gr_set_acls(1);
51941 +               gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
51942 +       }
51943 +
51944 +       write_lock(&grsec_exec_file_lock);
51945 +       exec_file = current->exec_file;
51946 +       current->exec_file = NULL;
51947 +       write_unlock(&grsec_exec_file_lock);
51948 +
51949 +       if (exec_file)
51950 +               fput(exec_file);
51951 +}
51952 +
51953 +int
51954 +gr_acl_handle_procpidmem(const struct task_struct *task)
51955 +{
51956 +       if (unlikely(!gr_acl_is_enabled()))
51957 +               return 0;
51958 +
51959 +       if (task != current && task->acl->mode & GR_PROTPROCFD)
51960 +               return -EACCES;
51961 +
51962 +       return 0;
51963 +}
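Review bot: gr_acl_handle_access reads `dentry->d_inode->i_mode` on its first statement without the `if (unlikely(!dentry->d_inode))` guard that gr_acl_handle_hidden_file and gr_acl_handle_open apply before touching the inode, so a negative dentry reaching it would dereference NULL. Unless the call site guarantees a positive dentry (not visible here), add the same early return, `if (unlikely(!dentry->d_inode)) return reqmode;`, mirroring gr_acl_handle_open. Also, RENAME_CHECK_SUCCESS uses `old` and `new` unparenthesized inside its expansion; the only call passes plain identifiers today, but `(old)`/`(new)` is the safer form for a macro that lives at file scope. Finally, gr_acl_handle_open, gr_acl_handle_creat and gr_acl_handle_access repeat the same audit/deny/suppress ladder that generic_fs_handler already encapsulates; routing the mode2/mode3 logging through a variant of that helper would reduce four copies of the same branching to one.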
51964 diff -urNp linux-3.1.1/grsecurity/gracl_ip.c linux-3.1.1/grsecurity/gracl_ip.c
51965 --- linux-3.1.1/grsecurity/gracl_ip.c   1969-12-31 19:00:00.000000000 -0500
51966 +++ linux-3.1.1/grsecurity/gracl_ip.c   2011-11-16 18:40:31.000000000 -0500
51967 @@ -0,0 +1,381 @@
51968 +#include <linux/kernel.h>
51969 +#include <asm/uaccess.h>
51970 +#include <asm/errno.h>
51971 +#include <net/sock.h>
51972 +#include <linux/file.h>
51973 +#include <linux/fs.h>
51974 +#include <linux/net.h>
51975 +#include <linux/in.h>
51976 +#include <linux/skbuff.h>
51977 +#include <linux/ip.h>
51978 +#include <linux/udp.h>
51979 +#include <linux/types.h>
51980 +#include <linux/sched.h>
51981 +#include <linux/netdevice.h>
51982 +#include <linux/inetdevice.h>
51983 +#include <linux/gracl.h>
51984 +#include <linux/grsecurity.h>
51985 +#include <linux/grinternal.h>
51986 +
51987 +#define GR_BIND                        0x01
51988 +#define GR_CONNECT             0x02
51989 +#define GR_INVERT              0x04
51990 +#define GR_BINDOVERRIDE                0x08
51991 +#define GR_CONNECTOVERRIDE     0x10
51992 +#define GR_SOCK_FAMILY         0x20
51993 +
51994 +static const char * gr_protocols[IPPROTO_MAX] = {
51995 +       "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
51996 +       "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
51997 +       "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
51998 +       "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
51999 +       "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
52000 +       "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
52001 +       "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
52002 +       "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
52003 +       "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
52004 +       "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak", 
52005 +       "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf", 
52006 +       "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
52007 +       "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
52008 +       "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
52009 +       "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
52010 +       "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
52011 +       "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
52012 +       "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
52013 +       "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
52014 +       "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
52015 +       "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
52016 +       "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
52017 +       "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
52018 +       "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
52019 +       "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
52020 +       "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
52021 +       "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
52022 +       "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
52023 +       "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
52024 +       "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
52025 +       "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
52026 +       "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
52027 +       };
52028 +
52029 +static const char * gr_socktypes[SOCK_MAX] = {
52030 +       "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6", 
52031 +       "unknown:7", "unknown:8", "unknown:9", "packet"
52032 +       };
52033 +
52034 +static const char * gr_sockfamilies[AF_MAX+1] = {
52035 +       "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
52036 +       "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
52037 +       "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
52038 +       "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
52039 +       };
52040 +
52041 +const char *
52042 +gr_proto_to_name(unsigned char proto)
52043 +{
52044 +       return gr_protocols[proto];
52045 +}
52046 +
52047 +const char *
52048 +gr_socktype_to_name(unsigned char type)
52049 +{
52050 +       return gr_socktypes[type];
52051 +}
52052 +
52053 +const char *
52054 +gr_sockfamily_to_name(unsigned char family)
52055 +{
52056 +       return gr_sockfamilies[family];
52057 +}
52058 +
52059 +int
52060 +gr_search_socket(const int domain, const int type, const int protocol)
52061 +{
52062 +       struct acl_subject_label *curr;
52063 +       const struct cred *cred = current_cred();
52064 +
52065 +       if (unlikely(!gr_acl_is_enabled()))
52066 +               goto exit;
52067 +
52068 +       if ((domain < 0) || (type < 0) || (protocol < 0) ||
52069 +           (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
52070 +               goto exit;      // let the kernel handle it
52071 +
52072 +       curr = current->acl;
52073 +
52074 +       if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
52075 +               /* the family is allowed, if this is PF_INET allow it only if
52076 +                  the extra sock type/protocol checks pass */
52077 +               if (domain == PF_INET)
52078 +                       goto inet_check;
52079 +               goto exit;
52080 +       } else {
52081 +               if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52082 +                       __u32 fakeip = 0;
52083 +                       security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52084 +                                      current->role->roletype, cred->uid,
52085 +                                      cred->gid, current->exec_file ?
52086 +                                      gr_to_filename(current->exec_file->f_path.dentry,
52087 +                                      current->exec_file->f_path.mnt) :
52088 +                                      curr->filename, curr->filename,
52089 +                                      &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
52090 +                                      &current->signal->saved_ip);
52091 +                       goto exit;
52092 +               }
52093 +               goto exit_fail;
52094 +       }
52095 +
52096 +inet_check:
52097 +       /* the rest of this checking is for IPv4 only */
52098 +       if (!curr->ips)
52099 +               goto exit;
52100 +
52101 +       if ((curr->ip_type & (1 << type)) &&
52102 +           (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
52103 +               goto exit;
52104 +
52105 +       if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52106 +               /* we don't place acls on raw sockets , and sometimes
52107 +                  dgram/ip sockets are opened for ioctl and not
52108 +                  bind/connect, so we'll fake a bind learn log */
52109 +               if (type == SOCK_RAW || type == SOCK_PACKET) {
52110 +                       __u32 fakeip = 0;
52111 +                       security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52112 +                                      current->role->roletype, cred->uid,
52113 +                                      cred->gid, current->exec_file ?
52114 +                                      gr_to_filename(current->exec_file->f_path.dentry,
52115 +                                      current->exec_file->f_path.mnt) :
52116 +                                      curr->filename, curr->filename,
52117 +                                      &fakeip, 0, type,
52118 +                                      protocol, GR_CONNECT, &current->signal->saved_ip);
52119 +               } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
52120 +                       __u32 fakeip = 0;
52121 +                       security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52122 +                                      current->role->roletype, cred->uid,
52123 +                                      cred->gid, current->exec_file ?
52124 +                                      gr_to_filename(current->exec_file->f_path.dentry,
52125 +                                      current->exec_file->f_path.mnt) :
52126 +                                      curr->filename, curr->filename,
52127 +                                      &fakeip, 0, type,
52128 +                                      protocol, GR_BIND, &current->signal->saved_ip);
52129 +               }
52130 +               /* we'll log when they use connect or bind */
52131 +               goto exit;
52132 +       }
52133 +
52134 +exit_fail:
52135 +       if (domain == PF_INET)
52136 +               gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain), 
52137 +                           gr_socktype_to_name(type), gr_proto_to_name(protocol));
52138 +       else
52139 +               gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain), 
52140 +                           gr_socktype_to_name(type), protocol);
52141 +
52142 +       return 0;
52143 +exit:
52144 +       return 1;
52145 +}
52146 +
52147 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
52148 +{
52149 +       if ((ip->mode & mode) &&
52150 +           (ip_port >= ip->low) &&
52151 +           (ip_port <= ip->high) &&
52152 +           ((ntohl(ip_addr) & our_netmask) ==
52153 +            (ntohl(our_addr) & our_netmask))
52154 +           && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
52155 +           && (ip->type & (1 << type))) {
52156 +               if (ip->mode & GR_INVERT)
52157 +                       return 2; // specifically denied
52158 +               else
52159 +                       return 1; // allowed
52160 +       }
52161 +
52162 +       return 0; // not specifically allowed, may continue parsing
52163 +}
52164 +
52165 +static int
52166 +gr_search_connectbind(const int full_mode, struct sock *sk,
52167 +                     struct sockaddr_in *addr, const int type)
52168 +{
52169 +       char iface[IFNAMSIZ] = {0};
52170 +       struct acl_subject_label *curr;
52171 +       struct acl_ip_label *ip;
52172 +       struct inet_sock *isk;
52173 +       struct net_device *dev;
52174 +       struct in_device *idev;
52175 +       unsigned long i;
52176 +       int ret;
52177 +       int mode = full_mode & (GR_BIND | GR_CONNECT);
52178 +       __u32 ip_addr = 0;
52179 +       __u32 our_addr;
52180 +       __u32 our_netmask;
52181 +       char *p;
52182 +       __u16 ip_port = 0;
52183 +       const struct cred *cred = current_cred();
52184 +
52185 +       if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
52186 +               return 0;
52187 +
52188 +       curr = current->acl;
52189 +       isk = inet_sk(sk);
52190 +
52191 +       /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
52192 +       if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
52193 +               addr->sin_addr.s_addr = curr->inaddr_any_override;
52194 +       if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
52195 +               struct sockaddr_in saddr;
52196 +               int err;
52197 +
52198 +               saddr.sin_family = AF_INET;
52199 +               saddr.sin_addr.s_addr = curr->inaddr_any_override;
52200 +               saddr.sin_port = isk->inet_sport;
52201 +
52202 +               err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
52203 +               if (err)
52204 +                       return err;
52205 +
52206 +               err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
52207 +               if (err)
52208 +                       return err;
52209 +       }
52210 +
52211 +       if (!curr->ips)
52212 +               return 0;
52213 +
52214 +       ip_addr = addr->sin_addr.s_addr;
52215 +       ip_port = ntohs(addr->sin_port);
52216 +
52217 +       if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52218 +               security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52219 +                              current->role->roletype, cred->uid,
52220 +                              cred->gid, current->exec_file ?
52221 +                              gr_to_filename(current->exec_file->f_path.dentry,
52222 +                              current->exec_file->f_path.mnt) :
52223 +                              curr->filename, curr->filename,
52224 +                              &ip_addr, ip_port, type,
52225 +                              sk->sk_protocol, mode, &current->signal->saved_ip);
52226 +               return 0;
52227 +       }
52228 +
52229 +       for (i = 0; i < curr->ip_num; i++) {
52230 +               ip = *(curr->ips + i);
52231 +               if (ip->iface != NULL) {
52232 +                       strncpy(iface, ip->iface, IFNAMSIZ - 1);
52233 +                       p = strchr(iface, ':');
52234 +                       if (p != NULL)
52235 +                               *p = '\0';
52236 +                       dev = dev_get_by_name(sock_net(sk), iface);
52237 +                       if (dev == NULL)
52238 +                               continue;
52239 +                       idev = in_dev_get(dev);
52240 +                       if (idev == NULL) {
52241 +                               dev_put(dev);
52242 +                               continue;
52243 +                       }
52244 +                       rcu_read_lock();
52245 +                       for_ifa(idev) {
52246 +                               if (!strcmp(ip->iface, ifa->ifa_label)) {
52247 +                                       our_addr = ifa->ifa_address;
52248 +                                       our_netmask = 0xffffffff;
52249 +                                       ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
52250 +                                       if (ret == 1) {
52251 +                                               rcu_read_unlock();
52252 +                                               in_dev_put(idev);
52253 +                                               dev_put(dev);
52254 +                                               return 0;
52255 +                                       } else if (ret == 2) {
52256 +                                               rcu_read_unlock();
52257 +                                               in_dev_put(idev);
52258 +                                               dev_put(dev);
52259 +                                               goto denied;
52260 +                                       }
52261 +                               }
52262 +                       } endfor_ifa(idev);
52263 +                       rcu_read_unlock();
52264 +                       in_dev_put(idev);
52265 +                       dev_put(dev);
52266 +               } else {
52267 +                       our_addr = ip->addr;
52268 +                       our_netmask = ip->netmask;
52269 +                       ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
52270 +                       if (ret == 1)
52271 +                               return 0;
52272 +                       else if (ret == 2)
52273 +                               goto denied;
52274 +               }
52275 +       }
52276 +
52277 +denied:
52278 +       if (mode == GR_BIND)
52279 +               gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
52280 +       else if (mode == GR_CONNECT)
52281 +               gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
52282 +
52283 +       return -EACCES;
52284 +}
52285 +
52286 +int
52287 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
52288 +{
52289 +       return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
52290 +}
52291 +
52292 +int
52293 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
52294 +{
52295 +       return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
52296 +}
52297 +
52298 +int gr_search_listen(struct socket *sock)
52299 +{
52300 +       struct sock *sk = sock->sk;
52301 +       struct sockaddr_in addr;
52302 +
52303 +       addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
52304 +       addr.sin_port = inet_sk(sk)->inet_sport;
52305 +
52306 +       return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
52307 +}
52308 +
52309 +int gr_search_accept(struct socket *sock)
52310 +{
52311 +       struct sock *sk = sock->sk;
52312 +       struct sockaddr_in addr;
52313 +
52314 +       addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
52315 +       addr.sin_port = inet_sk(sk)->inet_sport;
52316 +
52317 +       return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
52318 +}
52319 +
52320 +int
52321 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
52322 +{
52323 +       if (addr)
52324 +               return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
52325 +       else {
52326 +               struct sockaddr_in sin;
52327 +               const struct inet_sock *inet = inet_sk(sk);
52328 +
52329 +               sin.sin_addr.s_addr = inet->inet_daddr;
52330 +               sin.sin_port = inet->inet_dport;
52331 +
52332 +               return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
52333 +       }
52334 +}
52335 +
52336 +int
52337 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
52338 +{
52339 +       struct sockaddr_in sin;
52340 +
52341 +       if (unlikely(skb->len < sizeof (struct udphdr)))
52342 +               return 0;       // skip this packet
52343 +
52344 +       sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
52345 +       sin.sin_port = udp_hdr(skb)->source;
52346 +
52347 +       return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
52348 +}
52349 diff -urNp linux-3.1.1/grsecurity/gracl_learn.c linux-3.1.1/grsecurity/gracl_learn.c
52350 --- linux-3.1.1/grsecurity/gracl_learn.c        1969-12-31 19:00:00.000000000 -0500
52351 +++ linux-3.1.1/grsecurity/gracl_learn.c        2011-11-16 18:40:31.000000000 -0500
52352 @@ -0,0 +1,207 @@
52353 +#include <linux/kernel.h>
52354 +#include <linux/mm.h>
52355 +#include <linux/sched.h>
52356 +#include <linux/poll.h>
52357 +#include <linux/string.h>
52358 +#include <linux/file.h>
52359 +#include <linux/types.h>
52360 +#include <linux/vmalloc.h>
52361 +#include <linux/grinternal.h>
52362 +
52363 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
52364 +                                  size_t count, loff_t *ppos);
52365 +extern int gr_acl_is_enabled(void);
52366 +
52367 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
52368 +static int gr_learn_attached;
52369 +
52370 +/* use a 512k buffer */
52371 +#define LEARN_BUFFER_SIZE (512 * 1024)
52372 +
52373 +static DEFINE_SPINLOCK(gr_learn_lock);
52374 +static DEFINE_MUTEX(gr_learn_user_mutex);
52375 +
52376 +/* we need to maintain two buffers, so that the kernel context of grlearn
52377 +   uses a semaphore around the userspace copying, and the other kernel contexts
52378 +   use a spinlock when copying into the buffer, since they cannot sleep
52379 +*/
52380 +static char *learn_buffer;
52381 +static char *learn_buffer_user;
52382 +static int learn_buffer_len;
52383 +static int learn_buffer_user_len;
52384 +
52385 +static ssize_t
52386 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
52387 +{
52388 +       DECLARE_WAITQUEUE(wait, current);
52389 +       ssize_t retval = 0;
52390 +
52391 +       add_wait_queue(&learn_wait, &wait);
52392 +       set_current_state(TASK_INTERRUPTIBLE);
52393 +       do {
52394 +               mutex_lock(&gr_learn_user_mutex);
52395 +               spin_lock(&gr_learn_lock);
52396 +               if (learn_buffer_len)
52397 +                       break;
52398 +               spin_unlock(&gr_learn_lock);
52399 +               mutex_unlock(&gr_learn_user_mutex);
52400 +               if (file->f_flags & O_NONBLOCK) {
52401 +                       retval = -EAGAIN;
52402 +                       goto out;
52403 +               }
52404 +               if (signal_pending(current)) {
52405 +                       retval = -ERESTARTSYS;
52406 +                       goto out;
52407 +               }
52408 +
52409 +               schedule();
52410 +       } while (1);
52411 +
52412 +       memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
52413 +       learn_buffer_user_len = learn_buffer_len;
52414 +       retval = learn_buffer_len;
52415 +       learn_buffer_len = 0;
52416 +
52417 +       spin_unlock(&gr_learn_lock);
52418 +
52419 +       if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
52420 +               retval = -EFAULT;
52421 +
52422 +       mutex_unlock(&gr_learn_user_mutex);
52423 +out:
52424 +       set_current_state(TASK_RUNNING);
52425 +       remove_wait_queue(&learn_wait, &wait);
52426 +       return retval;
52427 +}
52428 +
52429 +static unsigned int
52430 +poll_learn(struct file * file, poll_table * wait)
52431 +{
52432 +       poll_wait(file, &learn_wait, wait);
52433 +
52434 +       if (learn_buffer_len)
52435 +               return (POLLIN | POLLRDNORM);
52436 +
52437 +       return 0;
52438 +}
52439 +
52440 +void
52441 +gr_clear_learn_entries(void)
52442 +{
52443 +       char *tmp;
52444 +
52445 +       mutex_lock(&gr_learn_user_mutex);
52446 +       spin_lock(&gr_learn_lock);
52447 +       tmp = learn_buffer;
52448 +       learn_buffer = NULL;
52449 +       spin_unlock(&gr_learn_lock);
52450 +       if (tmp)
52451 +               vfree(tmp);
52452 +       if (learn_buffer_user != NULL) {
52453 +               vfree(learn_buffer_user);
52454 +               learn_buffer_user = NULL;
52455 +       }
52456 +       learn_buffer_len = 0;
52457 +       mutex_unlock(&gr_learn_user_mutex);
52458 +
52459 +       return;
52460 +}
52461 +
52462 +void
52463 +gr_add_learn_entry(const char *fmt, ...)
52464 +{
52465 +       va_list args;
52466 +       unsigned int len;
52467 +
52468 +       if (!gr_learn_attached)
52469 +               return;
52470 +
52471 +       spin_lock(&gr_learn_lock);
52472 +
52473 +       /* leave a gap at the end so we know when it's "full" but don't have to
52474 +          compute the exact length of the string we're trying to append
52475 +       */
52476 +       if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
52477 +               spin_unlock(&gr_learn_lock);
52478 +               wake_up_interruptible(&learn_wait);
52479 +               return;
52480 +       }
52481 +       if (learn_buffer == NULL) {
52482 +               spin_unlock(&gr_learn_lock);
52483 +               return;
52484 +       }
52485 +
52486 +       va_start(args, fmt);
52487 +       len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
52488 +       va_end(args);
52489 +
52490 +       learn_buffer_len += len + 1;
52491 +
52492 +       spin_unlock(&gr_learn_lock);
52493 +       wake_up_interruptible(&learn_wait);
52494 +
52495 +       return;
52496 +}
52497 +
52498 +static int
52499 +open_learn(struct inode *inode, struct file *file)
52500 +{
52501 +       if (file->f_mode & FMODE_READ && gr_learn_attached)
52502 +               return -EBUSY;
52503 +       if (file->f_mode & FMODE_READ) {
52504 +               int retval = 0;
52505 +               mutex_lock(&gr_learn_user_mutex);
52506 +               if (learn_buffer == NULL)
52507 +                       learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
52508 +               if (learn_buffer_user == NULL)
52509 +                       learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
52510 +               if (learn_buffer == NULL) {
52511 +                       retval = -ENOMEM;
52512 +                       goto out_error;
52513 +               }
52514 +               if (learn_buffer_user == NULL) {
52515 +                       retval = -ENOMEM;
52516 +                       goto out_error;
52517 +               }
52518 +               learn_buffer_len = 0;
52519 +               learn_buffer_user_len = 0;
52520 +               gr_learn_attached = 1;
52521 +out_error:
52522 +               mutex_unlock(&gr_learn_user_mutex);
52523 +               return retval;
52524 +       }
52525 +       return 0;
52526 +}
52527 +
52528 +static int
52529 +close_learn(struct inode *inode, struct file *file)
52530 +{
52531 +       if (file->f_mode & FMODE_READ) {
52532 +               char *tmp = NULL;
52533 +               mutex_lock(&gr_learn_user_mutex);
52534 +               spin_lock(&gr_learn_lock);
52535 +               tmp = learn_buffer;
52536 +               learn_buffer = NULL;
52537 +               spin_unlock(&gr_learn_lock);
52538 +               if (tmp)
52539 +                       vfree(tmp);
52540 +               if (learn_buffer_user != NULL) {
52541 +                       vfree(learn_buffer_user);
52542 +                       learn_buffer_user = NULL;
52543 +               }
52544 +               learn_buffer_len = 0;
52545 +               learn_buffer_user_len = 0;
52546 +               gr_learn_attached = 0;
52547 +               mutex_unlock(&gr_learn_user_mutex);
52548 +       }
52549 +
52550 +       return 0;
52551 +}
52552 +               
52553 +const struct file_operations grsec_fops = {
52554 +       .read           = read_learn,
52555 +       .write          = write_grsec_handler,
52556 +       .open           = open_learn,
52557 +       .release        = close_learn,
52558 +       .poll           = poll_learn,
52559 +};
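Review bot: In gr_add_learn_entry the value vsnprintf returns is the length the entry would have had, not the number of bytes actually stored, so `learn_buffer_len += len + 1;` can push learn_buffer_len past LEARN_BUFFER_SIZE whenever a single entry exceeds the 16 KiB headroom left by the check above it; read_learn then does `memcpy(learn_buffer_user, learn_buffer, learn_buffer_len)` with that oversized length. Whether an entry can reach that size depends on the path lengths fed into the learn messages, which this file does not bound, so the clamp is cheap insurance: after va_end add `if (len >= LEARN_BUFFER_SIZE - learn_buffer_len) len = LEARN_BUFFER_SIZE - learn_buffer_len - 1;` before the `+= len + 1`. Separately, open_learn tests gr_learn_attached before taking gr_learn_user_mutex, so two concurrent readers can both pass the -EBUSY check and both attach; moving `if (gr_learn_attached) { retval = -EBUSY; goto out_error; }` under the mutex closes that window.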
52560 diff -urNp linux-3.1.1/grsecurity/gracl_res.c linux-3.1.1/grsecurity/gracl_res.c
52561 --- linux-3.1.1/grsecurity/gracl_res.c  1969-12-31 19:00:00.000000000 -0500
52562 +++ linux-3.1.1/grsecurity/gracl_res.c  2011-11-16 18:40:31.000000000 -0500
52563 @@ -0,0 +1,68 @@
52564 +#include <linux/kernel.h>
52565 +#include <linux/sched.h>
52566 +#include <linux/gracl.h>
52567 +#include <linux/grinternal.h>
52568 +
52569 +static const char *restab_log[] = {
52570 +       [RLIMIT_CPU] = "RLIMIT_CPU",
52571 +       [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
52572 +       [RLIMIT_DATA] = "RLIMIT_DATA",
52573 +       [RLIMIT_STACK] = "RLIMIT_STACK",
52574 +       [RLIMIT_CORE] = "RLIMIT_CORE",
52575 +       [RLIMIT_RSS] = "RLIMIT_RSS",
52576 +       [RLIMIT_NPROC] = "RLIMIT_NPROC",
52577 +       [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
52578 +       [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
52579 +       [RLIMIT_AS] = "RLIMIT_AS",
52580 +       [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
52581 +       [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
52582 +       [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
52583 +       [RLIMIT_NICE] = "RLIMIT_NICE",
52584 +       [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
52585 +       [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
52586 +       [GR_CRASH_RES] = "RLIMIT_CRASH"
52587 +};
52588 +
52589 +void
52590 +gr_log_resource(const struct task_struct *task,
52591 +               const int res, const unsigned long wanted, const int gt)
52592 +{
52593 +       const struct cred *cred;
52594 +       unsigned long rlim;
52595 +
52596 +       if (!gr_acl_is_enabled() && !grsec_resource_logging)
52597 +               return;
52598 +
52599 +       // not yet supported resource
52600 +       if (unlikely(!restab_log[res]))
52601 +               return;
52602 +
52603 +       if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
52604 +               rlim = task_rlimit_max(task, res);
52605 +       else
52606 +               rlim = task_rlimit(task, res);
52607 +
52608 +       if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
52609 +               return;
52610 +
52611 +       rcu_read_lock();
52612 +       cred = __task_cred(task);
52613 +
52614 +       if (res == RLIMIT_NPROC && 
52615 +           (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) || 
52616 +            cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
52617 +               goto out_rcu_unlock;
52618 +       else if (res == RLIMIT_MEMLOCK &&
52619 +                cap_raised(cred->cap_effective, CAP_IPC_LOCK))
52620 +               goto out_rcu_unlock;
52621 +       else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
52622 +               goto out_rcu_unlock;
52623 +       rcu_read_unlock();
52624 +
52625 +       gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
52626 +
52627 +       return;
52628 +out_rcu_unlock:
52629 +       rcu_read_unlock();
52630 +       return;
52631 +}
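Review bot: gr_log_resource indexes restab_log[res] before checking that res is inside the table; the `!restab_log[res]` test only catches gaps left by the designated initializers, not an index past the last entry (GR_CRASH_RES). If any caller can pass a resource number beyond that, the read is out of bounds, so the guard should be `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res])) return;`. The table itself is never written and would read better as `static const char * const restab_log[]`.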
52632 diff -urNp linux-3.1.1/grsecurity/gracl_segv.c linux-3.1.1/grsecurity/gracl_segv.c
52633 --- linux-3.1.1/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
52634 +++ linux-3.1.1/grsecurity/gracl_segv.c 2011-11-16 18:40:31.000000000 -0500
52635 @@ -0,0 +1,299 @@
52636 +#include <linux/kernel.h>
52637 +#include <linux/mm.h>
52638 +#include <asm/uaccess.h>
52639 +#include <asm/errno.h>
52640 +#include <asm/mman.h>
52641 +#include <net/sock.h>
52642 +#include <linux/file.h>
52643 +#include <linux/fs.h>
52644 +#include <linux/net.h>
52645 +#include <linux/in.h>
52646 +#include <linux/slab.h>
52647 +#include <linux/types.h>
52648 +#include <linux/sched.h>
52649 +#include <linux/timer.h>
52650 +#include <linux/gracl.h>
52651 +#include <linux/grsecurity.h>
52652 +#include <linux/grinternal.h>
52653 +
52654 +static struct crash_uid *uid_set;
52655 +static unsigned short uid_used;
52656 +static DEFINE_SPINLOCK(gr_uid_lock);
52657 +extern rwlock_t gr_inode_lock;
52658 +extern struct acl_subject_label *
52659 +       lookup_acl_subj_label(const ino_t inode, const dev_t dev,
52660 +                             struct acl_role_label *role);
52661 +
52662 +#ifdef CONFIG_BTRFS_FS
52663 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
52664 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
52665 +#endif
52666 +
52667 +static inline dev_t __get_dev(const struct dentry *dentry)
52668 +{
52669 +#ifdef CONFIG_BTRFS_FS
52670 +       if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
52671 +               return get_btrfs_dev_from_inode(dentry->d_inode);
52672 +       else
52673 +#endif
52674 +               return dentry->d_inode->i_sb->s_dev;
52675 +}
52676 +
52677 +int
52678 +gr_init_uidset(void)
52679 +{
52680 +       uid_set =
52681 +           kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
52682 +       uid_used = 0;
52683 +
52684 +       return uid_set ? 1 : 0;
52685 +}
52686 +
52687 +void
52688 +gr_free_uidset(void)
52689 +{
52690 +       if (uid_set)
52691 +               kfree(uid_set);
52692 +
52693 +       return;
52694 +}
52695 +
52696 +int
52697 +gr_find_uid(const uid_t uid)
52698 +{
52699 +       struct crash_uid *tmp = uid_set;
52700 +       uid_t buid;
52701 +       int low = 0, high = uid_used - 1, mid;
52702 +
52703 +       while (high >= low) {
52704 +               mid = (low + high) >> 1;
52705 +               buid = tmp[mid].uid;
52706 +               if (buid == uid)
52707 +                       return mid;
52708 +               if (buid > uid)
52709 +                       high = mid - 1;
52710 +               if (buid < uid)
52711 +                       low = mid + 1;
52712 +       }
52713 +
52714 +       return -1;
52715 +}
52716 +
52717 +static __inline__ void
52718 +gr_insertsort(void)
52719 +{
52720 +       unsigned short i, j;
52721 +       struct crash_uid index;
52722 +
52723 +       for (i = 1; i < uid_used; i++) {
52724 +               index = uid_set[i];
52725 +               j = i;
52726 +               while ((j > 0) && uid_set[j - 1].uid > index.uid) {
52727 +                       uid_set[j] = uid_set[j - 1];
52728 +                       j--;
52729 +               }
52730 +               uid_set[j] = index;
52731 +       }
52732 +
52733 +       return;
52734 +}
52735 +
52736 +static __inline__ void
52737 +gr_insert_uid(const uid_t uid, const unsigned long expires)
52738 +{
52739 +       int loc;
52740 +
52741 +       if (uid_used == GR_UIDTABLE_MAX)
52742 +               return;
52743 +
52744 +       loc = gr_find_uid(uid);
52745 +
52746 +       if (loc >= 0) {
52747 +               uid_set[loc].expires = expires;
52748 +               return;
52749 +       }
52750 +
52751 +       uid_set[uid_used].uid = uid;
52752 +       uid_set[uid_used].expires = expires;
52753 +       uid_used++;
52754 +
52755 +       gr_insertsort();
52756 +
52757 +       return;
52758 +}
52759 +
52760 +void
52761 +gr_remove_uid(const unsigned short loc)
52762 +{
52763 +       unsigned short i;
52764 +
52765 +       for (i = loc + 1; i < uid_used; i++)
52766 +               uid_set[i - 1] = uid_set[i];
52767 +
52768 +       uid_used--;
52769 +
52770 +       return;
52771 +}
52772 +
52773 +int
52774 +gr_check_crash_uid(const uid_t uid)
52775 +{
52776 +       int loc;
52777 +       int ret = 0;
52778 +
52779 +       if (unlikely(!gr_acl_is_enabled()))
52780 +               return 0;
52781 +
52782 +       spin_lock(&gr_uid_lock);
52783 +       loc = gr_find_uid(uid);
52784 +
52785 +       if (loc < 0)
52786 +               goto out_unlock;
52787 +
52788 +       if (time_before_eq(uid_set[loc].expires, get_seconds()))
52789 +               gr_remove_uid(loc);
52790 +       else
52791 +               ret = 1;
52792 +
52793 +out_unlock:
52794 +       spin_unlock(&gr_uid_lock);
52795 +       return ret;
52796 +}
52797 +
52798 +static __inline__ int
52799 +proc_is_setxid(const struct cred *cred)
52800 +{
52801 +       if (cred->uid != cred->euid || cred->uid != cred->suid ||
52802 +           cred->uid != cred->fsuid)
52803 +               return 1;
52804 +       if (cred->gid != cred->egid || cred->gid != cred->sgid ||
52805 +           cred->gid != cred->fsgid)
52806 +               return 1;
52807 +
52808 +       return 0;
52809 +}
52810 +
52811 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
52812 +
52813 +void
52814 +gr_handle_crash(struct task_struct *task, const int sig)
52815 +{
52816 +       struct acl_subject_label *curr;
52817 +       struct task_struct *tsk, *tsk2;
52818 +       const struct cred *cred;
52819 +       const struct cred *cred2;
52820 +
52821 +       if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
52822 +               return;
52823 +
52824 +       if (unlikely(!gr_acl_is_enabled()))
52825 +               return;
52826 +
52827 +       curr = task->acl;
52828 +
52829 +       if (!(curr->resmask & (1 << GR_CRASH_RES)))
52830 +               return;
52831 +
52832 +       if (time_before_eq(curr->expires, get_seconds())) {
52833 +               curr->expires = 0;
52834 +               curr->crashes = 0;
52835 +       }
52836 +
52837 +       curr->crashes++;
52838 +
52839 +       if (!curr->expires)
52840 +               curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
52841 +
52842 +       if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
52843 +           time_after(curr->expires, get_seconds())) {
52844 +               rcu_read_lock();
52845 +               cred = __task_cred(task);
52846 +               if (cred->uid && proc_is_setxid(cred)) {
52847 +                       gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
52848 +                       spin_lock(&gr_uid_lock);
52849 +                       gr_insert_uid(cred->uid, curr->expires);
52850 +                       spin_unlock(&gr_uid_lock);
52851 +                       curr->expires = 0;
52852 +                       curr->crashes = 0;
52853 +                       read_lock(&tasklist_lock);
52854 +                       do_each_thread(tsk2, tsk) {
52855 +                               cred2 = __task_cred(tsk);
52856 +                               if (tsk != task && cred2->uid == cred->uid)
52857 +                                       gr_fake_force_sig(SIGKILL, tsk);
52858 +                       } while_each_thread(tsk2, tsk);
52859 +                       read_unlock(&tasklist_lock);
52860 +               } else {
52861 +                       gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
52862 +                       read_lock(&tasklist_lock);
52863 +                       read_lock(&grsec_exec_file_lock);
52864 +                       do_each_thread(tsk2, tsk) {
52865 +                               if (likely(tsk != task)) {
52866 +                                       // if this thread has the same subject as the one that triggered
52867 +                                       // RES_CRASH and it's the same binary, kill it
52868 +                                       if (tsk->acl == task->acl && tsk->exec_file == task->exec_file)
52869 +                                               gr_fake_force_sig(SIGKILL, tsk);
52870 +                               }
52871 +                       } while_each_thread(tsk2, tsk);
52872 +                       read_unlock(&grsec_exec_file_lock);
52873 +                       read_unlock(&tasklist_lock);
52874 +               }
52875 +               rcu_read_unlock();
52876 +       }
52877 +
52878 +       return;
52879 +}
52880 +
52881 +int
52882 +gr_check_crash_exec(const struct file *filp)
52883 +{
52884 +       struct acl_subject_label *curr;
52885 +
52886 +       if (unlikely(!gr_acl_is_enabled()))
52887 +               return 0;
52888 +
52889 +       read_lock(&gr_inode_lock);
52890 +       curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
52891 +                                    __get_dev(filp->f_path.dentry),
52892 +                                    current->role);
52893 +       read_unlock(&gr_inode_lock);
52894 +
52895 +       if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
52896 +           (!curr->crashes && !curr->expires))
52897 +               return 0;
52898 +
52899 +       if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
52900 +           time_after(curr->expires, get_seconds()))
52901 +               return 1;
52902 +       else if (time_before_eq(curr->expires, get_seconds())) {
52903 +               curr->crashes = 0;
52904 +               curr->expires = 0;
52905 +       }
52906 +
52907 +       return 0;
52908 +}
52909 +
52910 +void
52911 +gr_handle_alertkill(struct task_struct *task)
52912 +{
52913 +       struct acl_subject_label *curracl;
52914 +       __u32 curr_ip;
52915 +       struct task_struct *p, *p2;
52916 +
52917 +       if (unlikely(!gr_acl_is_enabled()))
52918 +               return;
52919 +
52920 +       curracl = task->acl;
52921 +       curr_ip = task->signal->curr_ip;
52922 +
52923 +       if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
52924 +               read_lock(&tasklist_lock);
52925 +               do_each_thread(p2, p) {
52926 +                       if (p->signal->curr_ip == curr_ip)
52927 +                               gr_fake_force_sig(SIGKILL, p);
52928 +               } while_each_thread(p2, p);
52929 +               read_unlock(&tasklist_lock);
52930 +       } else if (curracl->mode & GR_KILLPROC)
52931 +               gr_fake_force_sig(SIGKILL, task);
52932 +
52933 +       return;
52934 +}
52935 diff -urNp linux-3.1.1/grsecurity/gracl_shm.c linux-3.1.1/grsecurity/gracl_shm.c
52936 --- linux-3.1.1/grsecurity/gracl_shm.c  1969-12-31 19:00:00.000000000 -0500
52937 +++ linux-3.1.1/grsecurity/gracl_shm.c  2011-11-16 18:40:31.000000000 -0500
52938 @@ -0,0 +1,40 @@
52939 +#include <linux/kernel.h>
52940 +#include <linux/mm.h>
52941 +#include <linux/sched.h>
52942 +#include <linux/file.h>
52943 +#include <linux/ipc.h>
52944 +#include <linux/gracl.h>
52945 +#include <linux/grsecurity.h>
52946 +#include <linux/grinternal.h>
52947 +
52948 +int
52949 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
52950 +               const time_t shm_createtime, const uid_t cuid, const int shmid)
52951 +{
52952 +       struct task_struct *task;
52953 +
52954 +       if (!gr_acl_is_enabled())
52955 +               return 1;
52956 +
52957 +       rcu_read_lock();
52958 +       read_lock(&tasklist_lock);
52959 +
52960 +       task = find_task_by_vpid(shm_cprid);
52961 +
52962 +       if (unlikely(!task))
52963 +               task = find_task_by_vpid(shm_lapid);
52964 +
52965 +       if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
52966 +                             (task->pid == shm_lapid)) &&
52967 +                    (task->acl->mode & GR_PROTSHM) &&
52968 +                    (task->acl != current->acl))) {
52969 +               read_unlock(&tasklist_lock);
52970 +               rcu_read_unlock();
52971 +               gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
52972 +               return 0;
52973 +       }
52974 +       read_unlock(&tasklist_lock);
52975 +       rcu_read_unlock();
52976 +
52977 +       return 1;
52978 +}
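Review bot: The pid handling in gr_handle_shmat's deny condition looks inconsistent: the task is located by namespace-relative pid via `find_task_by_vpid()`, yet the fallback comparison `task->pid == shm_lapid` uses the task's global pid, so the two only agree in the initial pid namespace. If shm_cprid/shm_lapid are stored as virtual pids by the IPC caller (not visible in this hunk), the comparison should read `task_pid_vnr(task) == shm_lapid`. The condition also dereferences `task->acl` without a NULL guard; if every task is guaranteed a subject label once gr_acl_is_enabled() is true, a comment stating that invariant above the lookup would save the next reader the same question.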
52979 diff -urNp linux-3.1.1/grsecurity/grsec_chdir.c linux-3.1.1/grsecurity/grsec_chdir.c
52980 --- linux-3.1.1/grsecurity/grsec_chdir.c        1969-12-31 19:00:00.000000000 -0500
52981 +++ linux-3.1.1/grsecurity/grsec_chdir.c        2011-11-16 18:40:31.000000000 -0500
52982 @@ -0,0 +1,19 @@
52983 +#include <linux/kernel.h>
52984 +#include <linux/sched.h>
52985 +#include <linux/fs.h>
52986 +#include <linux/file.h>
52987 +#include <linux/grsecurity.h>
52988 +#include <linux/grinternal.h>
52989 +
52990 +void
52991 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
52992 +{
52993 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
52994 +       if ((grsec_enable_chdir && grsec_enable_group &&
52995 +            in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
52996 +                                             !grsec_enable_group)) {
52997 +               gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
52998 +       }
52999 +#endif
53000 +       return;
53001 +}
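Review bot: The enable test in gr_log_chdir repeats `grsec_enable_chdir` on both sides of the `||`, which hides the actual policy; it is logically identical and easier to read as `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, and that form also avoids calling in_group_p() when group-scoped auditing is off. The same shape appears in gr_handle_exec_args later in this patch, so a small shared helper (e.g. `gr_audit_enabled_for(grsec_enable_chdir)`) would keep the audit-gid gating uniform across hooks.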
53002 diff -urNp linux-3.1.1/grsecurity/grsec_chroot.c linux-3.1.1/grsecurity/grsec_chroot.c
53003 --- linux-3.1.1/grsecurity/grsec_chroot.c       1969-12-31 19:00:00.000000000 -0500
53004 +++ linux-3.1.1/grsecurity/grsec_chroot.c       2011-11-16 18:40:31.000000000 -0500
53005 @@ -0,0 +1,351 @@
53006 +#include <linux/kernel.h>
53007 +#include <linux/module.h>
53008 +#include <linux/sched.h>
53009 +#include <linux/file.h>
53010 +#include <linux/fs.h>
53011 +#include <linux/mount.h>
53012 +#include <linux/types.h>
53013 +#include <linux/pid_namespace.h>
53014 +#include <linux/grsecurity.h>
53015 +#include <linux/grinternal.h>
53016 +
53017 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
53018 +{
53019 +#ifdef CONFIG_GRKERNSEC
53020 +       if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
53021 +                            path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
53022 +               task->gr_is_chrooted = 1;
53023 +       else
53024 +               task->gr_is_chrooted = 0;
53025 +
53026 +       task->gr_chroot_dentry = path->dentry;
53027 +#endif
53028 +       return;
53029 +}
53030 +
53031 +void gr_clear_chroot_entries(struct task_struct *task)
53032 +{
53033 +#ifdef CONFIG_GRKERNSEC
53034 +       task->gr_is_chrooted = 0;
53035 +       task->gr_chroot_dentry = NULL;
53036 +#endif
53037 +       return;
53038 +}      
53039 +
53040 +int
53041 +gr_handle_chroot_unix(const pid_t pid)
53042 +{
53043 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
53044 +       struct task_struct *p;
53045 +
53046 +       if (unlikely(!grsec_enable_chroot_unix))
53047 +               return 1;
53048 +
53049 +       if (likely(!proc_is_chrooted(current)))
53050 +               return 1;
53051 +
53052 +       rcu_read_lock();
53053 +       read_lock(&tasklist_lock);
53054 +       p = find_task_by_vpid_unrestricted(pid);
53055 +       if (unlikely(p && !have_same_root(current, p))) {
53056 +               read_unlock(&tasklist_lock);
53057 +               rcu_read_unlock();
53058 +               gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
53059 +               return 0;
53060 +       }
53061 +       read_unlock(&tasklist_lock);
53062 +       rcu_read_unlock();
53063 +#endif
53064 +       return 1;
53065 +}
53066 +
53067 +int
53068 +gr_handle_chroot_nice(void)
53069 +{
53070 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
53071 +       if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
53072 +               gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
53073 +               return -EPERM;
53074 +       }
53075 +#endif
53076 +       return 0;
53077 +}
53078 +
53079 +int
53080 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
53081 +{
53082 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
53083 +       if (grsec_enable_chroot_nice && (niceval < task_nice(p))
53084 +                       && proc_is_chrooted(current)) {
53085 +               gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
53086 +               return -EACCES;
53087 +       }
53088 +#endif
53089 +       return 0;
53090 +}
53091 +
53092 +int
53093 +gr_handle_chroot_rawio(const struct inode *inode)
53094 +{
53095 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53096 +       if (grsec_enable_chroot_caps && proc_is_chrooted(current) && 
53097 +           inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
53098 +               return 1;
53099 +#endif
53100 +       return 0;
53101 +}
53102 +
53103 +int
53104 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
53105 +{
53106 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
53107 +       struct task_struct *p;
53108 +       int ret = 0;
53109 +       if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
53110 +               return ret;
53111 +
53112 +       read_lock(&tasklist_lock);
53113 +       do_each_pid_task(pid, type, p) {
53114 +               if (!have_same_root(current, p)) {
53115 +                       ret = 1;
53116 +                       goto out;
53117 +               }
53118 +       } while_each_pid_task(pid, type, p);
53119 +out:
53120 +       read_unlock(&tasklist_lock);
53121 +       return ret;
53122 +#endif
53123 +       return 0;
53124 +}
53125 +
53126 +int
53127 +gr_pid_is_chrooted(struct task_struct *p)
53128 +{
53129 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
53130 +       if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
53131 +               return 0;
53132 +
53133 +       if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
53134 +           !have_same_root(current, p)) {
53135 +               return 1;
53136 +       }
53137 +#endif
53138 +       return 0;
53139 +}
53140 +
53141 +EXPORT_SYMBOL(gr_pid_is_chrooted);
53142 +
53143 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
53144 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
53145 +{
53146 +       struct path path, currentroot;
53147 +       int ret = 0;
53148 +
53149 +       path.dentry = (struct dentry *)u_dentry;
53150 +       path.mnt = (struct vfsmount *)u_mnt;
53151 +       get_fs_root(current->fs, &currentroot);
53152 +       if (path_is_under(&path, &currentroot))
53153 +               ret = 1;
53154 +       path_put(&currentroot);
53155 +
53156 +       return ret;
53157 +}
53158 +#endif
53159 +
53160 +int
53161 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
53162 +{
53163 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
53164 +       if (!grsec_enable_chroot_fchdir)
53165 +               return 1;
53166 +
53167 +       if (!proc_is_chrooted(current))
53168 +               return 1;
53169 +       else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
53170 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
53171 +               return 0;
53172 +       }
53173 +#endif
53174 +       return 1;
53175 +}
53176 +
53177 +int
53178 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
53179 +               const time_t shm_createtime)
53180 +{
53181 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
53182 +       struct task_struct *p;
53183 +       time_t starttime;
53184 +
53185 +       if (unlikely(!grsec_enable_chroot_shmat))
53186 +               return 1;
53187 +
53188 +       if (likely(!proc_is_chrooted(current)))
53189 +               return 1;
53190 +
53191 +       rcu_read_lock();
53192 +       read_lock(&tasklist_lock);
53193 +
53194 +       if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
53195 +               starttime = p->start_time.tv_sec;
53196 +               if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
53197 +                       if (have_same_root(current, p)) {
53198 +                               goto allow;
53199 +                       } else {
53200 +                               read_unlock(&tasklist_lock);
53201 +                               rcu_read_unlock();
53202 +                               gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
53203 +                               return 0;
53204 +                       }
53205 +               }
53206 +               /* creator exited, pid reuse, fall through to next check */
53207 +       }
53208 +       if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
53209 +               if (unlikely(!have_same_root(current, p))) {
53210 +                       read_unlock(&tasklist_lock);
53211 +                       rcu_read_unlock();
53212 +                       gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
53213 +                       return 0;
53214 +               }
53215 +       }
53216 +
53217 +allow:
53218 +       read_unlock(&tasklist_lock);
53219 +       rcu_read_unlock();
53220 +#endif
53221 +       return 1;
53222 +}
53223 +
53224 +void
53225 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
53226 +{
53227 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
53228 +       if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
53229 +               gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
53230 +#endif
53231 +       return;
53232 +}
53233 +
53234 +int
53235 +gr_handle_chroot_mknod(const struct dentry *dentry,
53236 +                      const struct vfsmount *mnt, const int mode)
53237 +{
53238 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
53239 +       if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) && 
53240 +           proc_is_chrooted(current)) {
53241 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
53242 +               return -EPERM;
53243 +       }
53244 +#endif
53245 +       return 0;
53246 +}
53247 +
53248 +int
53249 +gr_handle_chroot_mount(const struct dentry *dentry,
53250 +                      const struct vfsmount *mnt, const char *dev_name)
53251 +{
53252 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
53253 +       if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
53254 +               gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
53255 +               return -EPERM;
53256 +       }
53257 +#endif
53258 +       return 0;
53259 +}
53260 +
53261 +int
53262 +gr_handle_chroot_pivot(void)
53263 +{
53264 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
53265 +       if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
53266 +               gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
53267 +               return -EPERM;
53268 +       }
53269 +#endif
53270 +       return 0;
53271 +}
53272 +
53273 +int
53274 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
53275 +{
53276 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
53277 +       if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
53278 +           !gr_is_outside_chroot(dentry, mnt)) {
53279 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
53280 +               return -EPERM;
53281 +       }
53282 +#endif
53283 +       return 0;
53284 +}
53285 +
53286 +extern const char *captab_log[];
53287 +extern int captab_log_entries;
53288 +
53289 +int
53290 +gr_chroot_is_capable(const int cap)
53291 +{
53292 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53293 +       if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
53294 +               kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
53295 +               if (cap_raised(chroot_caps, cap)) {
53296 +                       const struct cred *creds = current_cred();
53297 +                       if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) {
53298 +                               gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]);
53299 +                       }
53300 +                       return 0;
53301 +               }
53302 +       }
53303 +#endif
53304 +       return 1;
53305 +}
53306 +
53307 +int
53308 +gr_chroot_is_capable_nolog(const int cap)
53309 +{
53310 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53311 +       if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
53312 +               kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
53313 +               if (cap_raised(chroot_caps, cap)) {
53314 +                       return 0;
53315 +               }
53316 +       }
53317 +#endif
53318 +       return 1;
53319 +}
53320 +
53321 +int
53322 +gr_handle_chroot_sysctl(const int op)
53323 +{
53324 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
53325 +       if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
53326 +           proc_is_chrooted(current))
53327 +               return -EACCES;
53328 +#endif
53329 +       return 0;
53330 +}
53331 +
53332 +void
53333 +gr_handle_chroot_chdir(struct path *path)
53334 +{
53335 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
53336 +       if (grsec_enable_chroot_chdir)
53337 +               set_fs_pwd(current->fs, path);
53338 +#endif
53339 +       return;
53340 +}
53341 +
53342 +int
53343 +gr_handle_chroot_chmod(const struct dentry *dentry,
53344 +                      const struct vfsmount *mnt, const int mode)
53345 +{
53346 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
53347 +       /* allow chmod +s on directories, but not files */
53348 +       if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
53349 +           ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
53350 +           proc_is_chrooted(current)) {
53351 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
53352 +               return -EPERM;
53353 +       }
53354 +#endif
53355 +       return 0;
53356 +}
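Review bot: gr_is_outside_chroot() returns 1 when the path is under the caller's root (it sets ret only when path_is_under(&path, &currentroot) succeeds) and 0 when it is outside — the opposite of what its name says — and both callers, gr_chroot_fchdir and gr_handle_chroot_chroot, compensate with `!gr_is_outside_chroot(...)`, so each deny branch reads as a double negative. Either rename it (gr_is_inside_chroot, callers adjusted) or at minimum add a header comment: `/* returns 1 if (u_dentry, u_mnt) lies under current->fs->root, 0 if it is outside it */`. The function also casts away const on u_dentry/u_mnt only to build a struct path that is never written through; taking non-const parameters (or a `const struct path *`) would drop the casts.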
53357 diff -urNp linux-3.1.1/grsecurity/grsec_disabled.c linux-3.1.1/grsecurity/grsec_disabled.c
53358 --- linux-3.1.1/grsecurity/grsec_disabled.c     1969-12-31 19:00:00.000000000 -0500
53359 +++ linux-3.1.1/grsecurity/grsec_disabled.c     2011-11-17 00:16:25.000000000 -0500
53360 @@ -0,0 +1,439 @@
53361 +#include <linux/kernel.h>
53362 +#include <linux/module.h>
53363 +#include <linux/sched.h>
53364 +#include <linux/file.h>
53365 +#include <linux/fs.h>
53366 +#include <linux/kdev_t.h>
53367 +#include <linux/net.h>
53368 +#include <linux/in.h>
53369 +#include <linux/ip.h>
53370 +#include <linux/skbuff.h>
53371 +#include <linux/sysctl.h>
53372 +
53373 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
53374 +void
53375 +pax_set_initial_flags(struct linux_binprm *bprm)
53376 +{
53377 +       return;
53378 +}
53379 +#endif
53380 +
53381 +#ifdef CONFIG_SYSCTL
53382 +__u32
53383 +gr_handle_sysctl(const struct ctl_table * table, const int op)
53384 +{
53385 +       return 0;
53386 +}
53387 +#endif
53388 +
53389 +#ifdef CONFIG_TASKSTATS
53390 +int gr_is_taskstats_denied(int pid)
53391 +{
53392 +       return 0;
53393 +}
53394 +#endif
53395 +
53396 +int
53397 +gr_acl_is_enabled(void)
53398 +{
53399 +       return 0;
53400 +}
53401 +
53402 +void
53403 +gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode) 
53404 +{
53405 +       return;
53406 +}
53407 +
53408 +int
53409 +gr_handle_rawio(const struct inode *inode)
53410 +{
53411 +       return 0;
53412 +}
53413 +
53414 +void
53415 +gr_acl_handle_psacct(struct task_struct *task, const long code)
53416 +{
53417 +       return;
53418 +}
53419 +
53420 +int
53421 +gr_handle_ptrace(struct task_struct *task, const long request)
53422 +{
53423 +       return 0;
53424 +}
53425 +
53426 +int
53427 +gr_handle_proc_ptrace(struct task_struct *task)
53428 +{
53429 +       return 0;
53430 +}
53431 +
53432 +void
53433 +gr_learn_resource(const struct task_struct *task,
53434 +                 const int res, const unsigned long wanted, const int gt)
53435 +{
53436 +       return;
53437 +}
53438 +
53439 +int
53440 +gr_set_acls(const int type)
53441 +{
53442 +       return 0;
53443 +}
53444 +
53445 +int
53446 +gr_check_hidden_task(const struct task_struct *tsk)
53447 +{
53448 +       return 0;
53449 +}
53450 +
53451 +int
53452 +gr_check_protected_task(const struct task_struct *task)
53453 +{
53454 +       return 0;
53455 +}
53456 +
53457 +int
53458 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
53459 +{
53460 +       return 0;
53461 +}
53462 +
53463 +void
53464 +gr_copy_label(struct task_struct *tsk)
53465 +{
53466 +       return;
53467 +}
53468 +
53469 +void
53470 +gr_set_pax_flags(struct task_struct *task)
53471 +{
53472 +       return;
53473 +}
53474 +
53475 +int
53476 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
53477 +                 const int unsafe_share)
53478 +{
53479 +       return 0;
53480 +}
53481 +
53482 +void
53483 +gr_handle_delete(const ino_t ino, const dev_t dev)
53484 +{
53485 +       return;
53486 +}
53487 +
53488 +void
53489 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
53490 +{
53491 +       return;
53492 +}
53493 +
53494 +void
53495 +gr_handle_crash(struct task_struct *task, const int sig)
53496 +{
53497 +       return;
53498 +}
53499 +
53500 +int
53501 +gr_check_crash_exec(const struct file *filp)
53502 +{
53503 +       return 0;
53504 +}
53505 +
53506 +int
53507 +gr_check_crash_uid(const uid_t uid)
53508 +{
53509 +       return 0;
53510 +}
53511 +
53512 +void
53513 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
53514 +                struct dentry *old_dentry,
53515 +                struct dentry *new_dentry,
53516 +                struct vfsmount *mnt, const __u8 replace)
53517 +{
53518 +       return;
53519 +}
53520 +
53521 +int
53522 +gr_search_socket(const int family, const int type, const int protocol)
53523 +{
53524 +       return 1;
53525 +}
53526 +
53527 +int
53528 +gr_search_connectbind(const int mode, const struct socket *sock,
53529 +                     const struct sockaddr_in *addr)
53530 +{
53531 +       return 0;
53532 +}
53533 +
53534 +void
53535 +gr_handle_alertkill(struct task_struct *task)
53536 +{
53537 +       return;
53538 +}
53539 +
53540 +__u32
53541 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
53542 +{
53543 +       return 1;
53544 +}
53545 +
53546 +__u32
53547 +gr_acl_handle_hidden_file(const struct dentry * dentry,
53548 +                         const struct vfsmount * mnt)
53549 +{
53550 +       return 1;
53551 +}
53552 +
53553 +__u32
53554 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
53555 +                  int acc_mode)
53556 +{
53557 +       return 1;
53558 +}
53559 +
53560 +__u32
53561 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
53562 +{
53563 +       return 1;
53564 +}
53565 +
53566 +__u32
53567 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
53568 +{
53569 +       return 1;
53570 +}
53571 +
53572 +int
53573 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
53574 +                  unsigned int *vm_flags)
53575 +{
53576 +       return 1;
53577 +}
53578 +
53579 +__u32
53580 +gr_acl_handle_truncate(const struct dentry * dentry,
53581 +                      const struct vfsmount * mnt)
53582 +{
53583 +       return 1;
53584 +}
53585 +
53586 +__u32
53587 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
53588 +{
53589 +       return 1;
53590 +}
53591 +
53592 +__u32
53593 +gr_acl_handle_access(const struct dentry * dentry,
53594 +                    const struct vfsmount * mnt, const int fmode)
53595 +{
53596 +       return 1;
53597 +}
53598 +
53599 +__u32
53600 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
53601 +                    mode_t mode)
53602 +{
53603 +       return 1;
53604 +}
53605 +
53606 +__u32
53607 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
53608 +                   mode_t mode)
53609 +{
53610 +       return 1;
53611 +}
53612 +
53613 +__u32
53614 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
53615 +{
53616 +       return 1;
53617 +}
53618 +
53619 +__u32
53620 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
53621 +{
53622 +       return 1;
53623 +}
53624 +
53625 +void
53626 +grsecurity_init(void)
53627 +{
53628 +       return;
53629 +}
53630 +
53631 +__u32
53632 +gr_acl_handle_mknod(const struct dentry * new_dentry,
53633 +                   const struct dentry * parent_dentry,
53634 +                   const struct vfsmount * parent_mnt,
53635 +                   const int mode)
53636 +{
53637 +       return 1;
53638 +}
53639 +
53640 +__u32
53641 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
53642 +                   const struct dentry * parent_dentry,
53643 +                   const struct vfsmount * parent_mnt)
53644 +{
53645 +       return 1;
53646 +}
53647 +
53648 +__u32
53649 +gr_acl_handle_symlink(const struct dentry * new_dentry,
53650 +                     const struct dentry * parent_dentry,
53651 +                     const struct vfsmount * parent_mnt, const char *from)
53652 +{
53653 +       return 1;
53654 +}
53655 +
53656 +__u32
53657 +gr_acl_handle_link(const struct dentry * new_dentry,
53658 +                  const struct dentry * parent_dentry,
53659 +                  const struct vfsmount * parent_mnt,
53660 +                  const struct dentry * old_dentry,
53661 +                  const struct vfsmount * old_mnt, const char *to)
53662 +{
53663 +       return 1;
53664 +}
53665 +
53666 +int
53667 +gr_acl_handle_rename(const struct dentry *new_dentry,
53668 +                    const struct dentry *parent_dentry,
53669 +                    const struct vfsmount *parent_mnt,
53670 +                    const struct dentry *old_dentry,
53671 +                    const struct inode *old_parent_inode,
53672 +                    const struct vfsmount *old_mnt, const char *newname)
53673 +{
53674 +       return 0;
53675 +}
53676 +
53677 +int
53678 +gr_acl_handle_filldir(const struct file *file, const char *name,
53679 +                     const int namelen, const ino_t ino)
53680 +{
53681 +       return 1;
53682 +}
53683 +
53684 +int
53685 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
53686 +               const time_t shm_createtime, const uid_t cuid, const int shmid)
53687 +{
53688 +       return 1;
53689 +}
53690 +
53691 +int
53692 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
53693 +{
53694 +       return 0;
53695 +}
53696 +
53697 +int
53698 +gr_search_accept(const struct socket *sock)
53699 +{
53700 +       return 0;
53701 +}
53702 +
53703 +int
53704 +gr_search_listen(const struct socket *sock)
53705 +{
53706 +       return 0;
53707 +}
53708 +
53709 +int
53710 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
53711 +{
53712 +       return 0;
53713 +}
53714 +
53715 +__u32
53716 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
53717 +{
53718 +       return 1;
53719 +}
53720 +
53721 +__u32
53722 +gr_acl_handle_creat(const struct dentry * dentry,
53723 +                   const struct dentry * p_dentry,
53724 +                   const struct vfsmount * p_mnt, int open_flags, int acc_mode,
53725 +                   const int imode)
53726 +{
53727 +       return 1;
53728 +}
53729 +
53730 +void
53731 +gr_acl_handle_exit(void)
53732 +{
53733 +       return;
53734 +}
53735 +
53736 +int
53737 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
53738 +{
53739 +       return 1;
53740 +}
53741 +
53742 +void
53743 +gr_set_role_label(const uid_t uid, const gid_t gid)
53744 +{
53745 +       return;
53746 +}
53747 +
53748 +int
53749 +gr_acl_handle_procpidmem(const struct task_struct *task)
53750 +{
53751 +       return 0;
53752 +}
53753 +
53754 +int
53755 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
53756 +{
53757 +       return 0;
53758 +}
53759 +
53760 +int
53761 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
53762 +{
53763 +       return 0;
53764 +}
53765 +
53766 +void
53767 +gr_set_kernel_label(struct task_struct *task)
53768 +{
53769 +       return;
53770 +}
53771 +
53772 +int
53773 +gr_check_user_change(int real, int effective, int fs)
53774 +{
53775 +       return 0;
53776 +}
53777 +
53778 +int
53779 +gr_check_group_change(int real, int effective, int fs)
53780 +{
53781 +       return 0;
53782 +}
53783 +
53784 +int gr_acl_enable_at_secure(void)
53785 +{
53786 +       return 0;
53787 +}
53788 +
53789 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
53790 +{
53791 +       return dentry->d_inode->i_sb->s_dev;
53792 +}
53793 +
53794 +EXPORT_SYMBOL(gr_learn_resource);
53795 +EXPORT_SYMBOL(gr_set_kernel_label);
53796 +#ifdef CONFIG_SECURITY
53797 +EXPORT_SYMBOL(gr_check_user_change);
53798 +EXPORT_SYMBOL(gr_check_group_change);
53799 +#endif
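Review bot: The stubs in grsec_disabled.c use two opposite "permit" conventions with nothing marking which is which: the __u32 gr_acl_handle_* hooks, gr_search_socket, gr_handle_shmat and gr_acl_handle_filldir return 1, while gr_search_bind/connect/accept/listen, gr_search_connectbind, gr_search_udp_* and gr_check_*_change return 0. Presumably each value mirrors what the enabled implementation returns on the allow path, but that is only inferable from the callers elsewhere in the patch, and a future stub written with the wrong constant would silently deny or silently permit. A file-header comment along the lines of `/* each stub must return the value its enabled counterpart uses for "permit": 1 for the __u32 allow/deny hooks, 0 for the int error-style hooks */` would pin the contract down. Separately, gr_get_dev_from_dentry dereferences dentry->d_inode unconditionally; if callers can pass a negative dentry this needs a guard, otherwise a one-line precondition comment.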
53800 diff -urNp linux-3.1.1/grsecurity/grsec_exec.c linux-3.1.1/grsecurity/grsec_exec.c
53801 --- linux-3.1.1/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
53802 +++ linux-3.1.1/grsecurity/grsec_exec.c 2011-11-16 18:40:31.000000000 -0500
53803 @@ -0,0 +1,146 @@
53804 +#include <linux/kernel.h>
53805 +#include <linux/sched.h>
53806 +#include <linux/file.h>
53807 +#include <linux/binfmts.h>
53808 +#include <linux/fs.h>
53809 +#include <linux/types.h>
53810 +#include <linux/grdefs.h>
53811 +#include <linux/grsecurity.h>
53812 +#include <linux/grinternal.h>
53813 +#include <linux/capability.h>
53814 +#include <linux/module.h>
53815 +
53816 +#include <asm/uaccess.h>
53817 +
53818 +#ifdef CONFIG_GRKERNSEC_EXECLOG
53819 +static char gr_exec_arg_buf[132];
53820 +static DEFINE_MUTEX(gr_exec_arg_mutex);
53821 +#endif
53822 +
53823 +extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
53824 +
53825 +void
53826 +gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv)
53827 +{
53828 +#ifdef CONFIG_GRKERNSEC_EXECLOG
53829 +       char *grarg = gr_exec_arg_buf;
53830 +       unsigned int i, x, execlen = 0;
53831 +       char c;
53832 +
53833 +       if (!((grsec_enable_execlog && grsec_enable_group &&
53834 +              in_group_p(grsec_audit_gid))
53835 +             || (grsec_enable_execlog && !grsec_enable_group)))
53836 +               return;
53837 +
53838 +       mutex_lock(&gr_exec_arg_mutex);
53839 +       memset(grarg, 0, sizeof(gr_exec_arg_buf));
53840 +
53841 +       for (i = 0; i < bprm->argc && execlen < 128; i++) {
53842 +               const char __user *p;
53843 +               unsigned int len;
53844 +
53845 +               p = get_user_arg_ptr(argv, i);
53846 +               if (IS_ERR(p))
53847 +                       goto log;
53848 +
53849 +               len = strnlen_user(p, 128 - execlen);
53850 +               if (len > 128 - execlen)
53851 +                       len = 128 - execlen;
53852 +               else if (len > 0)
53853 +                       len--;
53854 +               if (copy_from_user(grarg + execlen, p, len))
53855 +                       goto log;
53856 +
53857 +               /* rewrite unprintable characters */
53858 +               for (x = 0; x < len; x++) {
53859 +                       c = *(grarg + execlen + x);
53860 +                       if (c < 32 || c > 126)
53861 +                               *(grarg + execlen + x) = ' ';
53862 +               }
53863 +
53864 +               execlen += len;
53865 +               *(grarg + execlen) = ' ';
53866 +               *(grarg + execlen + 1) = '\0';
53867 +               execlen++;
53868 +       }
53869 +
53870 +      log:
53871 +       gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
53872 +                       bprm->file->f_path.mnt, grarg);
53873 +       mutex_unlock(&gr_exec_arg_mutex);
53874 +#endif
53875 +       return;
53876 +}
53877 +
53878 +#ifdef CONFIG_GRKERNSEC
53879 +extern int gr_acl_is_capable(const int cap);
53880 +extern int gr_acl_is_capable_nolog(const int cap);
53881 +extern int gr_chroot_is_capable(const int cap);
53882 +extern int gr_chroot_is_capable_nolog(const int cap);
53883 +#endif
53884 +
53885 +const char *captab_log[] = {
53886 +       "CAP_CHOWN",
53887 +       "CAP_DAC_OVERRIDE",
53888 +       "CAP_DAC_READ_SEARCH",
53889 +       "CAP_FOWNER",
53890 +       "CAP_FSETID",
53891 +       "CAP_KILL",
53892 +       "CAP_SETGID",
53893 +       "CAP_SETUID",
53894 +       "CAP_SETPCAP",
53895 +       "CAP_LINUX_IMMUTABLE",
53896 +       "CAP_NET_BIND_SERVICE",
53897 +       "CAP_NET_BROADCAST",
53898 +       "CAP_NET_ADMIN",
53899 +       "CAP_NET_RAW",
53900 +       "CAP_IPC_LOCK",
53901 +       "CAP_IPC_OWNER",
53902 +       "CAP_SYS_MODULE",
53903 +       "CAP_SYS_RAWIO",
53904 +       "CAP_SYS_CHROOT",
53905 +       "CAP_SYS_PTRACE",
53906 +       "CAP_SYS_PACCT",
53907 +       "CAP_SYS_ADMIN",
53908 +       "CAP_SYS_BOOT",
53909 +       "CAP_SYS_NICE",
53910 +       "CAP_SYS_RESOURCE",
53911 +       "CAP_SYS_TIME",
53912 +       "CAP_SYS_TTY_CONFIG",
53913 +       "CAP_MKNOD",
53914 +       "CAP_LEASE",
53915 +       "CAP_AUDIT_WRITE",
53916 +       "CAP_AUDIT_CONTROL",
53917 +       "CAP_SETFCAP",
53918 +       "CAP_MAC_OVERRIDE",
53919 +       "CAP_MAC_ADMIN",
53920 +       "CAP_SYSLOG",
53921 +       "CAP_WAKE_ALARM"
53922 +};
53923 +
53924 +int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
53925 +
53926 +int gr_is_capable(const int cap)
53927 +{
53928 +#ifdef CONFIG_GRKERNSEC
53929 +       if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
53930 +               return 1;
53931 +       return 0;
53932 +#else
53933 +       return 1;
53934 +#endif
53935 +}
53936 +
53937 +int gr_is_capable_nolog(const int cap)
53938 +{
53939 +#ifdef CONFIG_GRKERNSEC
53940 +       if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
53941 +               return 1;
53942 +       return 0;
53943 +#else
53944 +       return 1;
53945 +#endif
53946 +}
53947 +
53948 +EXPORT_SYMBOL(gr_is_capable);
53949 +EXPORT_SYMBOL(gr_is_capable_nolog);
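Review bot: captab_log is indexed by raw capability number (gr_chroot_is_capable earlier in this patch guards it only with `cap < captab_log_entries`), so adding a capability to linux/capability.h without extending this table makes the chroot capability log silently skip it. The table currently ends at CAP_WAKE_ALARM, which is CAP_LAST_CAP for this kernel, so `BUILD_BUG_ON(ARRAY_SIZE(captab_log) != CAP_LAST_CAP + 1);` in gr_is_capable() would catch the drift at build time, and the count can be written as `int captab_log_entries = ARRAY_SIZE(captab_log);` since linux/kernel.h is already included. In gr_handle_exec_args, strnlen_user() returning 0 signals a fault, but the code treats it as an empty argument and appends a separator; an `if (!len) goto log;` immediately after the strnlen_user() call would stop the audit line from silently dropping arguments.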
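diff -urNp linux-3.1.1/grsecurity/grsec_fifo.c linux-3.1.1/grsecurity/grsec_fifo.c
--- linux-3.1.1/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-3.1.1/grsecurity/grsec_fifo.c 2011-11-16 18:40:31.000000000 -0500
@@ -0,0 +1,24 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
+              const struct dentry *dir, const int flag, const int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_FIFO
+       const struct cred *cred = current_cred();
+
+       if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
+           !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
+           (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
+           (cred->fsuid != dentry->d_inode->i_uid)) {
+               if (!inode_permission(dentry->d_inode, acc_mode))
+                       gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
+               return -EACCES;
+       }
+#endif
+       return 0;
+}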
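Review bot: gr_handle_fifo dereferences `dentry->d_inode` and `dir->d_inode` with no NULL guard, so it relies on every caller passing positive dentries, and nothing in the hunk states that precondition or the policy being enforced. I would add a header comment above the function saying that it refuses to open a FIFO sitting in a sticky directory when the FIFO is owned neither by the directory owner nor by the caller's fsuid, unless O_EXCL was requested, and that both dentries must carry an inode. The logging deserves its own line: the record is written only when `inode_permission()` would have allowed the open, presumably so the grsec entry appears only when this check, rather than ordinary DAC, is the actual reason for the -EACCES — confirm and document that intent, e.g. `/* log only when DAC would have permitted the open, so the denial is attributable to this check */`.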
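diff -urNp linux-3.1.1/grsecurity/grsec_fork.c linux-3.1.1/grsecurity/grsec_fork.c
--- linux-3.1.1/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-3.1.1/grsecurity/grsec_fork.c 2011-11-16 18:40:31.000000000 -0500
@@ -0,0 +1,23 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+#include <linux/errno.h>
+
+void
+gr_log_forkfail(const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+       if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
+               switch (retval) {
+                       case -EAGAIN:
+                               gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
+                               break;
+                       case -ENOMEM:
+                               gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
+                               break;
+               }
+       }
+#endif
+       return;
+}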
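Review bot: The outer condition `retval == -EAGAIN || retval == -ENOMEM` in gr_log_forkfail duplicates the test the `switch` immediately below performs, and the `switch` itself has no `default`, which is the usual way to express that other values are deliberately ignored. A guard clause on the sysctl toggle followed by the `switch` alone says the same thing in fewer moving parts and is the shape kernel code normally uses; the trailing `return;` in a void function can go at the same time. Behaviour is unchanged: nothing is logged unless `grsec_enable_forkfail` is set and the failure is one of the two listed.
```c
#ifdef CONFIG_GRKERNSEC_FORKFAIL
	if (!grsec_enable_forkfail)
		return;
	switch (retval) {
	case -EAGAIN:
		gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
		break;
	case -ENOMEM:
		gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
		break;
	default:
		break;	/* other fork failures are not reported */
	}
#endif
```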
54005 diff -urNp linux-3.1.1/grsecurity/grsec_init.c linux-3.1.1/grsecurity/grsec_init.c
54006 --- linux-3.1.1/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
54007 +++ linux-3.1.1/grsecurity/grsec_init.c 2011-11-16 18:40:31.000000000 -0500
54008 @@ -0,0 +1,269 @@
54009 +#include <linux/kernel.h>
54010 +#include <linux/sched.h>
54011 +#include <linux/mm.h>
54012 +#include <linux/gracl.h>
54013 +#include <linux/slab.h>
54014 +#include <linux/vmalloc.h>
54015 +#include <linux/percpu.h>
54016 +#include <linux/module.h>
54017 +
54018 +int grsec_enable_brute;
54019 +int grsec_enable_link;
54020 +int grsec_enable_dmesg;
54021 +int grsec_enable_harden_ptrace;
54022 +int grsec_enable_fifo;
54023 +int grsec_enable_execlog;
54024 +int grsec_enable_signal;
54025 +int grsec_enable_forkfail;
54026 +int grsec_enable_audit_ptrace;
54027 +int grsec_enable_time;
54028 +int grsec_enable_audit_textrel;
54029 +int grsec_enable_group;
54030 +int grsec_audit_gid;
54031 +int grsec_enable_chdir;
54032 +int grsec_enable_mount;
54033 +int grsec_enable_rofs;
54034 +int grsec_enable_chroot_findtask;
54035 +int grsec_enable_chroot_mount;
54036 +int grsec_enable_chroot_shmat;
54037 +int grsec_enable_chroot_fchdir;
54038 +int grsec_enable_chroot_double;
54039 +int grsec_enable_chroot_pivot;
54040 +int grsec_enable_chroot_chdir;
54041 +int grsec_enable_chroot_chmod;
54042 +int grsec_enable_chroot_mknod;
54043 +int grsec_enable_chroot_nice;
54044 +int grsec_enable_chroot_execlog;
54045 +int grsec_enable_chroot_caps;
54046 +int grsec_enable_chroot_sysctl;
54047 +int grsec_enable_chroot_unix;
54048 +int grsec_enable_tpe;
54049 +int grsec_tpe_gid;
54050 +int grsec_enable_blackhole;
54051 +#ifdef CONFIG_IPV6_MODULE
54052 +EXPORT_SYMBOL(grsec_enable_blackhole);
54053 +#endif
54054 +int grsec_lastack_retries;
54055 +int grsec_enable_tpe_all;
54056 +int grsec_enable_tpe_invert;
54057 +int grsec_enable_socket_all;
54058 +int grsec_socket_all_gid;
54059 +int grsec_enable_socket_client;
54060 +int grsec_socket_client_gid;
54061 +int grsec_enable_socket_server;
54062 +int grsec_socket_server_gid;
54063 +int grsec_resource_logging;
54064 +int grsec_disable_privio;
54065 +int grsec_enable_log_rwxmaps;
54066 +int grsec_lock;
54067 +
54068 +DEFINE_SPINLOCK(grsec_alert_lock);
54069 +unsigned long grsec_alert_wtime = 0;
54070 +unsigned long grsec_alert_fyet = 0;
54071 +
54072 +DEFINE_SPINLOCK(grsec_audit_lock);
54073 +
54074 +DEFINE_RWLOCK(grsec_exec_file_lock);
54075 +
54076 +char *gr_shared_page[4];
54077 +
54078 +char *gr_alert_log_fmt;
54079 +char *gr_audit_log_fmt;
54080 +char *gr_alert_log_buf;
54081 +char *gr_audit_log_buf;
54082 +
54083 +extern struct gr_arg *gr_usermode;
54084 +extern unsigned char *gr_system_salt;
54085 +extern unsigned char *gr_system_sum;
54086 +
54087 +void __init
54088 +grsecurity_init(void)
54089 +{
54090 +       int j;
54091 +       /* create the per-cpu shared pages */
54092 +
54093 +#ifdef CONFIG_X86
54094 +       memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
54095 +#endif
54096 +
54097 +       for (j = 0; j < 4; j++) {
54098 +               gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
54099 +               if (gr_shared_page[j] == NULL) {
54100 +                       panic("Unable to allocate grsecurity shared page");
54101 +                       return;
54102 +               }
54103 +       }
54104 +
54105 +       /* allocate log buffers */
54106 +       gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
54107 +       if (!gr_alert_log_fmt) {
54108 +               panic("Unable to allocate grsecurity alert log format buffer");
54109 +               return;
54110 +       }
54111 +       gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
54112 +       if (!gr_audit_log_fmt) {
54113 +               panic("Unable to allocate grsecurity audit log format buffer");
54114 +               return;
54115 +       }
54116 +       gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
54117 +       if (!gr_alert_log_buf) {
54118 +               panic("Unable to allocate grsecurity alert log buffer");
54119 +               return;
54120 +       }
54121 +       gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
54122 +       if (!gr_audit_log_buf) {
54123 +               panic("Unable to allocate grsecurity audit log buffer");
54124 +               return;
54125 +       }
54126 +
54127 +       /* allocate memory for authentication structure */
54128 +       gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
54129 +       gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
54130 +       gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
54131 +
54132 +       if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
54133 +               panic("Unable to allocate grsecurity authentication structure");
54134 +               return;
54135 +       }
54136 +
54137 +
54138 +#ifdef CONFIG_GRKERNSEC_IO
54139 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
54140 +       grsec_disable_privio = 1;
54141 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
54142 +       grsec_disable_privio = 1;
54143 +#else
54144 +       grsec_disable_privio = 0;
54145 +#endif
54146 +#endif
54147 +
54148 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
54149 +       /* for backward compatibility, tpe_invert always defaults to on if
54150 +          enabled in the kernel
54151 +       */
54152 +       grsec_enable_tpe_invert = 1;
54153 +#endif
54154 +
54155 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
54156 +#ifndef CONFIG_GRKERNSEC_SYSCTL
54157 +       grsec_lock = 1;
54158 +#endif
54159 +
54160 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
54161 +       grsec_enable_audit_textrel = 1;
54162 +#endif
54163 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54164 +       grsec_enable_log_rwxmaps = 1;
54165 +#endif
54166 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
54167 +       grsec_enable_group = 1;
54168 +       grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
54169 +#endif
54170 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
54171 +       grsec_enable_chdir = 1;
54172 +#endif
54173 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
54174 +       grsec_enable_harden_ptrace = 1;
54175 +#endif
54176 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54177 +       grsec_enable_mount = 1;
54178 +#endif
54179 +#ifdef CONFIG_GRKERNSEC_LINK
54180 +       grsec_enable_link = 1;
54181 +#endif
54182 +#ifdef CONFIG_GRKERNSEC_BRUTE
54183 +       grsec_enable_brute = 1;
54184 +#endif
54185 +#ifdef CONFIG_GRKERNSEC_DMESG
54186 +       grsec_enable_dmesg = 1;
54187 +#endif
54188 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54189 +       grsec_enable_blackhole = 1;
54190 +       grsec_lastack_retries = 4;
54191 +#endif
54192 +#ifdef CONFIG_GRKERNSEC_FIFO
54193 +       grsec_enable_fifo = 1;
54194 +#endif
54195 +#ifdef CONFIG_GRKERNSEC_EXECLOG
54196 +       grsec_enable_execlog = 1;
54197 +#endif
54198 +#ifdef CONFIG_GRKERNSEC_SIGNAL
54199 +       grsec_enable_signal = 1;
54200 +#endif
54201 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
54202 +       grsec_enable_forkfail = 1;
54203 +#endif
54204 +#ifdef CONFIG_GRKERNSEC_TIME
54205 +       grsec_enable_time = 1;
54206 +#endif
54207 +#ifdef CONFIG_GRKERNSEC_RESLOG
54208 +       grsec_resource_logging = 1;
54209 +#endif
54210 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
54211 +       grsec_enable_chroot_findtask = 1;
54212 +#endif
54213 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
54214 +       grsec_enable_chroot_unix = 1;
54215 +#endif
54216 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
54217 +       grsec_enable_chroot_mount = 1;
54218 +#endif
54219 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
54220 +       grsec_enable_chroot_fchdir = 1;
54221 +#endif
54222 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
54223 +       grsec_enable_chroot_shmat = 1;
54224 +#endif
54225 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
54226 +       grsec_enable_audit_ptrace = 1;
54227 +#endif
54228 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
54229 +       grsec_enable_chroot_double = 1;
54230 +#endif
54231 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
54232 +       grsec_enable_chroot_pivot = 1;
54233 +#endif
54234 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
54235 +       grsec_enable_chroot_chdir = 1;
54236 +#endif
54237 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
54238 +       grsec_enable_chroot_chmod = 1;
54239 +#endif
54240 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
54241 +       grsec_enable_chroot_mknod = 1;
54242 +#endif
54243 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
54244 +       grsec_enable_chroot_nice = 1;
54245 +#endif
54246 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
54247 +       grsec_enable_chroot_execlog = 1;
54248 +#endif
54249 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
54250 +       grsec_enable_chroot_caps = 1;
54251 +#endif
54252 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
54253 +       grsec_enable_chroot_sysctl = 1;
54254 +#endif
54255 +#ifdef CONFIG_GRKERNSEC_TPE
54256 +       grsec_enable_tpe = 1;
54257 +       grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
54258 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
54259 +       grsec_enable_tpe_all = 1;
54260 +#endif
54261 +#endif
54262 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
54263 +       grsec_enable_socket_all = 1;
54264 +       grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
54265 +#endif
54266 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
54267 +       grsec_enable_socket_client = 1;
54268 +       grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
54269 +#endif
54270 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
54271 +       grsec_enable_socket_server = 1;
54272 +       grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
54273 +#endif
54274 +#endif
54275 +
54276 +       return;
54277 +}
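Review bot: `memset((char *)(0x41a + PAGE_OFFSET), 0, 36)` under CONFIG_X86 carries two magic numbers and no explanation, and the only nearby comment ("create the per-cpu shared pages") describes the loop below it, not the memset. As far as I can tell 0x41a–0x43d in the BIOS data area is the keyboard ring buffer's head/tail pointers followed by the 32-byte buffer itself, so the intent looks like wiping keystrokes typed at boot (for instance a bootloader or disk-encryption passphrase) before user space can read low memory — please confirm and record it, e.g. `/* zero the BIOS keyboard buffer (BDA 0x41a-0x43d: head/tail pointers plus the 32-byte ring) so boot-time keystrokes cannot be recovered from low memory */`. The loop `for (j = 0; j < 4; j++)` hard-codes the length of `gr_shared_page[4]`; `ARRAY_SIZE(gr_shared_page)` keeps the two from drifting apart. Each `return;` after a `panic()` is unreachable and only adds noise. Finally, `gr_usermode`, `gr_system_salt` and `gr_system_sum` are allocated here but defined elsewhere via `extern`; a one-line comment naming the file that owns them would help the reader, since this hunk does not show it.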
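diff -urNp linux-3.1.1/grsecurity/grsec_link.c linux-3.1.1/grsecurity/grsec_link.c
--- linux-3.1.1/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-3.1.1/grsecurity/grsec_link.c 2011-11-16 18:40:31.000000000 -0500
@@ -0,0 +1,43 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_follow_link(const struct inode *parent,
+                     const struct inode *inode,
+                     const struct dentry *dentry, const struct vfsmount *mnt)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+       const struct cred *cred = current_cred();
+
+       if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
+           (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
+           (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
+               gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
+               return -EACCES;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_handle_hardlink(const struct dentry *dentry,
+                  const struct vfsmount *mnt,
+                  struct inode *inode, const int mode, const char *to)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+       const struct cred *cred = current_cred();
+
+       if (grsec_enable_link && cred->fsuid != inode->i_uid &&
+           (!S_ISREG(mode) || (mode & S_ISUID) ||
+            ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
+            (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
+           !capable(CAP_FOWNER) && cred->uid) {
+               gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
+               return -EPERM;
+       }
+#endif
+       return 0;
+}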
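Review bot: Neither gr_handle_follow_link nor gr_handle_hardlink documents the policy it enforces, and both conditions are dense enough that a reader has to reconstruct it term by term. For the first I would add a header comment saying it refuses to follow a symlink that lives in a sticky, world-writable directory when the link's owner is neither the directory owner nor the caller's fsuid, logging GR_SYMLINK_MSG and returning -EACCES. For the second: it refuses a hardlink to an inode the caller does not own when the target is not a regular file, is setuid, is setgid-and-group-executable, or is not both readable and writable by the caller, unless the caller holds CAP_FOWNER or has real uid 0, logging GR_HARDLINK_MSG and returning -EPERM. Two details deserve a line each because they look deliberate but are not explained: the ownership test uses `cred->fsuid` while the root exemption uses `cred->uid` (the real uid), and `mode` is taken as a parameter rather than read from `inode->i_mode`. Ordering `cred->uid` before `!capable(CAP_FOWNER)` would also spare the capability check, and any audit it triggers, for uid-0 callers that would be exempt anyway.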
54325 diff -urNp linux-3.1.1/grsecurity/grsec_log.c linux-3.1.1/grsecurity/grsec_log.c
54326 --- linux-3.1.1/grsecurity/grsec_log.c  1969-12-31 19:00:00.000000000 -0500
54327 +++ linux-3.1.1/grsecurity/grsec_log.c  2011-11-16 18:40:31.000000000 -0500
54328 @@ -0,0 +1,322 @@
54329 +#include <linux/kernel.h>
54330 +#include <linux/sched.h>
54331 +#include <linux/file.h>
54332 +#include <linux/tty.h>
54333 +#include <linux/fs.h>
54334 +#include <linux/grinternal.h>
54335 +
54336 +#ifdef CONFIG_TREE_PREEMPT_RCU
54337 +#define DISABLE_PREEMPT() preempt_disable()
54338 +#define ENABLE_PREEMPT() preempt_enable()
54339 +#else
54340 +#define DISABLE_PREEMPT()
54341 +#define ENABLE_PREEMPT()
54342 +#endif
54343 +
54344 +#define BEGIN_LOCKS(x) \
54345 +       DISABLE_PREEMPT(); \
54346 +       rcu_read_lock(); \
54347 +       read_lock(&tasklist_lock); \
54348 +       read_lock(&grsec_exec_file_lock); \
54349 +       if (x != GR_DO_AUDIT) \
54350 +               spin_lock(&grsec_alert_lock); \
54351 +       else \
54352 +               spin_lock(&grsec_audit_lock)
54353 +
54354 +#define END_LOCKS(x) \
54355 +       if (x != GR_DO_AUDIT) \
54356 +               spin_unlock(&grsec_alert_lock); \
54357 +       else \
54358 +               spin_unlock(&grsec_audit_lock); \
54359 +       read_unlock(&grsec_exec_file_lock); \
54360 +       read_unlock(&tasklist_lock); \
54361 +       rcu_read_unlock(); \
54362 +       ENABLE_PREEMPT(); \
54363 +       if (x == GR_DONT_AUDIT) \
54364 +               gr_handle_alertkill(current)
54365 +
54366 +enum {
54367 +       FLOODING,
54368 +       NO_FLOODING
54369 +};
54370 +
54371 +extern char *gr_alert_log_fmt;
54372 +extern char *gr_audit_log_fmt;
54373 +extern char *gr_alert_log_buf;
54374 +extern char *gr_audit_log_buf;
54375 +
54376 +static int gr_log_start(int audit)
54377 +{
54378 +       char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
54379 +       char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
54380 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54381 +#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
54382 +       unsigned long curr_secs = get_seconds();
54383 +
54384 +       if (audit == GR_DO_AUDIT)
54385 +               goto set_fmt;
54386 +
54387 +       if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
54388 +               grsec_alert_wtime = curr_secs;
54389 +               grsec_alert_fyet = 0;
54390 +       } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
54391 +                   && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
54392 +               grsec_alert_fyet++;
54393 +       } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
54394 +               grsec_alert_wtime = curr_secs;
54395 +               grsec_alert_fyet++;
54396 +               printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
54397 +               return FLOODING;
54398 +       }
54399 +       else return FLOODING;
54400 +
54401 +set_fmt:
54402 +#endif
54403 +       memset(buf, 0, PAGE_SIZE);
54404 +       if (current->signal->curr_ip && gr_acl_is_enabled()) {
54405 +               sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
54406 +               snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
54407 +       } else if (current->signal->curr_ip) {
54408 +               sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
54409 +               snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
54410 +       } else if (gr_acl_is_enabled()) {
54411 +               sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
54412 +               snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
54413 +       } else {
54414 +               sprintf(fmt, "%s%s", loglevel, "grsec: ");
54415 +               strcpy(buf, fmt);
54416 +       }
54417 +
54418 +       return NO_FLOODING;
54419 +}
54420 +
54421 +static void gr_log_middle(int audit, const char *msg, va_list ap)
54422 +       __attribute__ ((format (printf, 2, 0)));
54423 +
54424 +static void gr_log_middle(int audit, const char *msg, va_list ap)
54425 +{
54426 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54427 +       unsigned int len = strlen(buf);
54428 +
54429 +       vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
54430 +
54431 +       return;
54432 +}
54433 +
54434 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
54435 +       __attribute__ ((format (printf, 2, 3)));
54436 +
54437 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
54438 +{
54439 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54440 +       unsigned int len = strlen(buf);
54441 +       va_list ap;
54442 +
54443 +       va_start(ap, msg);
54444 +       vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
54445 +       va_end(ap);
54446 +
54447 +       return;
54448 +}
54449 +
54450 +static void gr_log_end(int audit, int append_default)
54451 +{
54452 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54453 +
54454 +       if (append_default) {
54455 +               unsigned int len = strlen(buf);
54456 +               snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
54457 +       }
54458 +
54459 +       printk("%s\n", buf);
54460 +
54461 +       return;
54462 +}
54463 +
54464 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
54465 +{
54466 +       int logtype;
54467 +       char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
54468 +       char *str1 = NULL, *str2 = NULL, *str3 = NULL;
54469 +       void *voidptr = NULL;
54470 +       int num1 = 0, num2 = 0;
54471 +       unsigned long ulong1 = 0, ulong2 = 0;
54472 +       struct dentry *dentry = NULL;
54473 +       struct vfsmount *mnt = NULL;
54474 +       struct file *file = NULL;
54475 +       struct task_struct *task = NULL;
54476 +       const struct cred *cred, *pcred;
54477 +       va_list ap;
54478 +
54479 +       BEGIN_LOCKS(audit);
54480 +       logtype = gr_log_start(audit);
54481 +       if (logtype == FLOODING) {
54482 +               END_LOCKS(audit);
54483 +               return;
54484 +       }
54485 +       va_start(ap, argtypes);
54486 +       switch (argtypes) {
54487 +       case GR_TTYSNIFF:
54488 +               task = va_arg(ap, struct task_struct *);
54489 +               gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
54490 +               break;
54491 +       case GR_SYSCTL_HIDDEN:
54492 +               str1 = va_arg(ap, char *);
54493 +               gr_log_middle_varargs(audit, msg, result, str1);
54494 +               break;
54495 +       case GR_RBAC:
54496 +               dentry = va_arg(ap, struct dentry *);
54497 +               mnt = va_arg(ap, struct vfsmount *);
54498 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
54499 +               break;
54500 +       case GR_RBAC_STR:
54501 +               dentry = va_arg(ap, struct dentry *);
54502 +               mnt = va_arg(ap, struct vfsmount *);
54503 +               str1 = va_arg(ap, char *);
54504 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
54505 +               break;
54506 +       case GR_STR_RBAC:
54507 +               str1 = va_arg(ap, char *);
54508 +               dentry = va_arg(ap, struct dentry *);
54509 +               mnt = va_arg(ap, struct vfsmount *);
54510 +               gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
54511 +               break;
54512 +       case GR_RBAC_MODE2:
54513 +               dentry = va_arg(ap, struct dentry *);
54514 +               mnt = va_arg(ap, struct vfsmount *);
54515 +               str1 = va_arg(ap, char *);
54516 +               str2 = va_arg(ap, char *);
54517 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
54518 +               break;
54519 +       case GR_RBAC_MODE3:
54520 +               dentry = va_arg(ap, struct dentry *);
54521 +               mnt = va_arg(ap, struct vfsmount *);
54522 +               str1 = va_arg(ap, char *);
54523 +               str2 = va_arg(ap, char *);
54524 +               str3 = va_arg(ap, char *);
54525 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
54526 +               break;
54527 +       case GR_FILENAME:
54528 +               dentry = va_arg(ap, struct dentry *);
54529 +               mnt = va_arg(ap, struct vfsmount *);
54530 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
54531 +               break;
54532 +       case GR_STR_FILENAME:
54533 +               str1 = va_arg(ap, char *);
54534 +               dentry = va_arg(ap, struct dentry *);
54535 +               mnt = va_arg(ap, struct vfsmount *);
54536 +               gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
54537 +               break;
54538 +       case GR_FILENAME_STR:
54539 +               dentry = va_arg(ap, struct dentry *);
54540 +               mnt = va_arg(ap, struct vfsmount *);
54541 +               str1 = va_arg(ap, char *);
54542 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
54543 +               break;
54544 +       case GR_FILENAME_TWO_INT:
54545 +               dentry = va_arg(ap, struct dentry *);
54546 +               mnt = va_arg(ap, struct vfsmount *);
54547 +               num1 = va_arg(ap, int);
54548 +               num2 = va_arg(ap, int);
54549 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
54550 +               break;
54551 +       case GR_FILENAME_TWO_INT_STR:
54552 +               dentry = va_arg(ap, struct dentry *);
54553 +               mnt = va_arg(ap, struct vfsmount *);
54554 +               num1 = va_arg(ap, int);
54555 +               num2 = va_arg(ap, int);
54556 +               str1 = va_arg(ap, char *);
54557 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
54558 +               break;
54559 +       case GR_TEXTREL:
54560 +               file = va_arg(ap, struct file *);
54561 +               ulong1 = va_arg(ap, unsigned long);
54562 +               ulong2 = va_arg(ap, unsigned long);
54563 +               gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
54564 +               break;
54565 +       case GR_PTRACE:
54566 +               task = va_arg(ap, struct task_struct *);
54567 +               gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
54568 +               break;
54569 +       case GR_RESOURCE:
54570 +               task = va_arg(ap, struct task_struct *);
54571 +               cred = __task_cred(task);
54572 +               pcred = __task_cred(task->real_parent);
54573 +               ulong1 = va_arg(ap, unsigned long);
54574 +               str1 = va_arg(ap, char *);
54575 +               ulong2 = va_arg(ap, unsigned long);
54576 +               gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54577 +               break;
54578 +       case GR_CAP:
54579 +               task = va_arg(ap, struct task_struct *);
54580 +               cred = __task_cred(task);
54581 +               pcred = __task_cred(task->real_parent);
54582 +               str1 = va_arg(ap, char *);
54583 +               gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54584 +               break;
54585 +       case GR_SIG:
54586 +               str1 = va_arg(ap, char *);
54587 +               voidptr = va_arg(ap, void *);
54588 +               gr_log_middle_varargs(audit, msg, str1, voidptr);
54589 +               break;
54590 +       case GR_SIG2:
54591 +               task = va_arg(ap, struct task_struct *);
54592 +               cred = __task_cred(task);
54593 +               pcred = __task_cred(task->real_parent);
54594 +               num1 = va_arg(ap, int);
54595 +               gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54596 +               break;
54597 +       case GR_CRASH1:
54598 +               task = va_arg(ap, struct task_struct *);
54599 +               cred = __task_cred(task);
54600 +               pcred = __task_cred(task->real_parent);
54601 +               ulong1 = va_arg(ap, unsigned long);
54602 +               gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
54603 +               break;
54604 +       case GR_CRASH2:
54605 +               task = va_arg(ap, struct task_struct *);
54606 +               cred = __task_cred(task);
54607 +               pcred = __task_cred(task->real_parent);
54608 +               ulong1 = va_arg(ap, unsigned long);
54609 +               gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
54610 +               break;
54611 +       case GR_RWXMAP:
54612 +               file = va_arg(ap, struct file *);
54613 +               gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
54614 +               break;
54615 +       case GR_PSACCT:
54616 +               {
54617 +                       unsigned int wday, cday;
54618 +                       __u8 whr, chr;
54619 +                       __u8 wmin, cmin;
54620 +                       __u8 wsec, csec;
54621 +                       char cur_tty[64] = { 0 };
54622 +                       char parent_tty[64] = { 0 };
54623 +
54624 +                       task = va_arg(ap, struct task_struct *);
54625 +                       wday = va_arg(ap, unsigned int);
54626 +                       cday = va_arg(ap, unsigned int);
54627 +                       whr = va_arg(ap, int);
54628 +                       chr = va_arg(ap, int);
54629 +                       wmin = va_arg(ap, int);
54630 +                       cmin = va_arg(ap, int);
54631 +                       wsec = va_arg(ap, int);
54632 +                       csec = va_arg(ap, int);
54633 +                       ulong1 = va_arg(ap, unsigned long);
54634 +                       cred = __task_cred(task);
54635 +                       pcred = __task_cred(task->real_parent);
54636 +
54637 +                       gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54638 +               }
54639 +               break;
54640 +       default:
54641 +               gr_log_middle(audit, msg, ap);
54642 +       }
54643 +       va_end(ap);
54644 +       // these don't need DEFAULTSECARGS printed on the end
54645 +       if (argtypes == GR_CRASH1 || argtypes == GR_CRASH2)
54646 +               gr_log_end(audit, 0);
54647 +       else
54648 +               gr_log_end(audit, 1);
54649 +       END_LOCKS(audit);
54650 +}
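Review bot: BEGIN_LOCKS() and END_LOCKS() expand to a bare `if`/`else` chain instead of a `do { ... } while (0)` block, so either macro used as the body of an unbraced `if` would splice its `else` onto the wrong condition; END_LOCKS() is the more exposed of the two because its expansion ends in `if (x == GR_DONT_AUDIT) gr_handle_alertkill(current)`, to which a following `else` in the caller would attach. Both call sites in gr_log_varargs are braced today, so this is latent rather than live, but wrapping each macro body in `do { ... } while (0)` removes the hazard for the next user. Separately, gr_log_start(), gr_log_middle(), gr_log_middle_varargs() and gr_log_end() write the shared `gr_*_log_buf`/`gr_*_log_fmt` buffers and the `grsec_alert_wtime`/`grsec_alert_fyet` counters with no locking of their own, which only works because they run between BEGIN_LOCKS() and END_LOCKS(); each helper should say so, e.g. `/* caller must hold the locks taken by BEGIN_LOCKS(); writes the shared log buffer */`. Finally, `msg` in gr_log_varargs becomes the format string handed to vsnprintf() through gr_log_middle*(), and gr_log_varargs itself cannot carry a format attribute, so its prototype deserves a comment that only the GR_*_MSG constants may be passed, never text assembled at runtime.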
54651 diff -urNp linux-3.1.1/grsecurity/grsec_mem.c linux-3.1.1/grsecurity/grsec_mem.c
54652 --- linux-3.1.1/grsecurity/grsec_mem.c  1969-12-31 19:00:00.000000000 -0500
54653 +++ linux-3.1.1/grsecurity/grsec_mem.c  2011-11-16 18:40:31.000000000 -0500
54654 @@ -0,0 +1,33 @@
54655 +#include <linux/kernel.h>
54656 +#include <linux/sched.h>
54657 +#include <linux/mm.h>
54658 +#include <linux/mman.h>
54659 +#include <linux/grinternal.h>
54660 +
54661 +void
54662 +gr_handle_ioperm(void)
54663 +{
54664 +       gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
54665 +       return;
54666 +}
54667 +
54668 +void
54669 +gr_handle_iopl(void)
54670 +{
54671 +       gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
54672 +       return;
54673 +}
54674 +
54675 +void
54676 +gr_handle_mem_readwrite(u64 from, u64 to)
54677 +{
54678 +       gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
54679 +       return;
54680 +}
54681 +
54682 +void
54683 +gr_handle_vm86(void)
54684 +{
54685 +       gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
54686 +       return;
54687 +}
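Review bot: Each of the four void functions in this file (gr_handle_ioperm through gr_handle_vm86) ends with a bare `return;` immediately before the closing brace, which is redundant and can be dropped; the same trailing `return;` appears in the void functions of grsec_mount.c, grsec_pax.c, grsec_ptrace.c, grsec_sig.c and grsec_sock.c below. Since every function here is a one-line wrapper around a gr_log_* call and the file carries no comments, a one-line header per function naming the event it records would help readers, e.g. `/* record an ioperm() attempt under GR_IOPERM_MSG (never audited) */` above gr_handle_ioperm, with the corresponding message macro named for the other three.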
54688 diff -urNp linux-3.1.1/grsecurity/grsec_mount.c linux-3.1.1/grsecurity/grsec_mount.c
54689 --- linux-3.1.1/grsecurity/grsec_mount.c        1969-12-31 19:00:00.000000000 -0500
54690 +++ linux-3.1.1/grsecurity/grsec_mount.c        2011-11-16 18:40:31.000000000 -0500
54691 @@ -0,0 +1,62 @@
54692 +#include <linux/kernel.h>
54693 +#include <linux/sched.h>
54694 +#include <linux/mount.h>
54695 +#include <linux/grsecurity.h>
54696 +#include <linux/grinternal.h>
54697 +
54698 +void
54699 +gr_log_remount(const char *devname, const int retval)
54700 +{
54701 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54702 +       if (grsec_enable_mount && (retval >= 0))
54703 +               gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
54704 +#endif
54705 +       return;
54706 +}
54707 +
54708 +void
54709 +gr_log_unmount(const char *devname, const int retval)
54710 +{
54711 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54712 +       if (grsec_enable_mount && (retval >= 0))
54713 +               gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
54714 +#endif
54715 +       return;
54716 +}
54717 +
54718 +void
54719 +gr_log_mount(const char *from, const char *to, const int retval)
54720 +{
54721 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54722 +       if (grsec_enable_mount && (retval >= 0))
54723 +               gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
54724 +#endif
54725 +       return;
54726 +}
54727 +
54728 +int
54729 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
54730 +{
54731 +#ifdef CONFIG_GRKERNSEC_ROFS
54732 +       if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
54733 +               gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
54734 +               return -EPERM;
54735 +       } else
54736 +               return 0;
54737 +#endif
54738 +       return 0;
54739 +}
54740 +
54741 +int
54742 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
54743 +{
54744 +#ifdef CONFIG_GRKERNSEC_ROFS
54745 +       if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
54746 +           dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
54747 +               gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
54748 +               return -EPERM;
54749 +       } else
54750 +               return 0;
54751 +#endif
54752 +       return 0;
54753 +}
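Review bot: gr_log_mount guards `from` with the "none" fallback but passes `to` straight through to gr_log_str_str, unlike gr_log_remount and gr_log_unmount which guard their only string argument; if any caller can hand in a NULL `to`, the formatter would receive a null string. Applying the same fallback keeps the three functions consistent: `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to ? to : "none");`. Separately, gr_handle_rofs_mount and gr_handle_rofs_blockwrite both end their `#ifdef CONFIG_GRKERNSEC_ROFS` block with `} else return 0;` followed by another `return 0;` after `#endif`, so the second return is unreachable when the option is enabled; dropping the `else` branch and letting the `if` fall through to the single trailing `return 0;` removes the duplication.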
54754 diff -urNp linux-3.1.1/grsecurity/grsec_pax.c linux-3.1.1/grsecurity/grsec_pax.c
54755 --- linux-3.1.1/grsecurity/grsec_pax.c  1969-12-31 19:00:00.000000000 -0500
54756 +++ linux-3.1.1/grsecurity/grsec_pax.c  2011-11-16 18:40:31.000000000 -0500
54757 @@ -0,0 +1,36 @@
54758 +#include <linux/kernel.h>
54759 +#include <linux/sched.h>
54760 +#include <linux/mm.h>
54761 +#include <linux/file.h>
54762 +#include <linux/grinternal.h>
54763 +#include <linux/grsecurity.h>
54764 +
54765 +void
54766 +gr_log_textrel(struct vm_area_struct * vma)
54767 +{
54768 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
54769 +       if (grsec_enable_audit_textrel)
54770 +               gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
54771 +#endif
54772 +       return;
54773 +}
54774 +
54775 +void
54776 +gr_log_rwxmmap(struct file *file)
54777 +{
54778 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54779 +       if (grsec_enable_log_rwxmaps)
54780 +               gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
54781 +#endif
54782 +       return;
54783 +}
54784 +
54785 +void
54786 +gr_log_rwxmprotect(struct file *file)
54787 +{
54788 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54789 +       if (grsec_enable_log_rwxmaps)
54790 +               gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
54791 +#endif
54792 +       return;
54793 +}
54794 diff -urNp linux-3.1.1/grsecurity/grsec_ptrace.c linux-3.1.1/grsecurity/grsec_ptrace.c
54795 --- linux-3.1.1/grsecurity/grsec_ptrace.c       1969-12-31 19:00:00.000000000 -0500
54796 +++ linux-3.1.1/grsecurity/grsec_ptrace.c       2011-11-16 18:40:31.000000000 -0500
54797 @@ -0,0 +1,14 @@
54798 +#include <linux/kernel.h>
54799 +#include <linux/sched.h>
54800 +#include <linux/grinternal.h>
54801 +#include <linux/grsecurity.h>
54802 +
54803 +void
54804 +gr_audit_ptrace(struct task_struct *task)
54805 +{
54806 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
54807 +       if (grsec_enable_audit_ptrace)
54808 +               gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
54809 +#endif
54810 +       return;
54811 +}
54812 diff -urNp linux-3.1.1/grsecurity/grsec_sig.c linux-3.1.1/grsecurity/grsec_sig.c
54813 --- linux-3.1.1/grsecurity/grsec_sig.c  1969-12-31 19:00:00.000000000 -0500
54814 +++ linux-3.1.1/grsecurity/grsec_sig.c  2011-11-16 18:40:31.000000000 -0500
54815 @@ -0,0 +1,206 @@
54816 +#include <linux/kernel.h>
54817 +#include <linux/sched.h>
54818 +#include <linux/delay.h>
54819 +#include <linux/grsecurity.h>
54820 +#include <linux/grinternal.h>
54821 +#include <linux/hardirq.h>
54822 +
54823 +char *signames[] = {
54824 +       [SIGSEGV] = "Segmentation fault",
54825 +       [SIGILL] = "Illegal instruction",
54826 +       [SIGABRT] = "Abort",
54827 +       [SIGBUS] = "Invalid alignment/Bus error"
54828 +};
54829 +
54830 +void
54831 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
54832 +{
54833 +#ifdef CONFIG_GRKERNSEC_SIGNAL
54834 +       if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
54835 +                                   (sig == SIGABRT) || (sig == SIGBUS))) {
54836 +               if (t->pid == current->pid) {
54837 +                       gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
54838 +               } else {
54839 +                       gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
54840 +               }
54841 +       }
54842 +#endif
54843 +       return;
54844 +}
54845 +
54846 +int
54847 +gr_handle_signal(const struct task_struct *p, const int sig)
54848 +{
54849 +#ifdef CONFIG_GRKERNSEC
54850 +       if (current->pid > 1 && gr_check_protected_task(p)) {
54851 +               gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
54852 +               return -EPERM;
54853 +       } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
54854 +               return -EPERM;
54855 +       }
54856 +#endif
54857 +       return 0;
54858 +}
54859 +
54860 +#ifdef CONFIG_GRKERNSEC
54861 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
54862 +
54863 +int gr_fake_force_sig(int sig, struct task_struct *t)
54864 +{
54865 +       unsigned long int flags;
54866 +       int ret, blocked, ignored;
54867 +       struct k_sigaction *action;
54868 +
54869 +       spin_lock_irqsave(&t->sighand->siglock, flags);
54870 +       action = &t->sighand->action[sig-1];
54871 +       ignored = action->sa.sa_handler == SIG_IGN;
54872 +       blocked = sigismember(&t->blocked, sig);
54873 +       if (blocked || ignored) {
54874 +               action->sa.sa_handler = SIG_DFL;
54875 +               if (blocked) {
54876 +                       sigdelset(&t->blocked, sig);
54877 +                       recalc_sigpending_and_wake(t);
54878 +               }
54879 +       }
54880 +       if (action->sa.sa_handler == SIG_DFL)
54881 +               t->signal->flags &= ~SIGNAL_UNKILLABLE;
54882 +       ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
54883 +
54884 +       spin_unlock_irqrestore(&t->sighand->siglock, flags);
54885 +
54886 +       return ret;
54887 +}
54888 +#endif
54889 +
54890 +#ifdef CONFIG_GRKERNSEC_BRUTE
54891 +#define GR_USER_BAN_TIME (15 * 60)
54892 +
54893 +static int __get_dumpable(unsigned long mm_flags)
54894 +{
54895 +       int ret;
54896 +
54897 +       ret = mm_flags & MMF_DUMPABLE_MASK;
54898 +       return (ret >= 2) ? 2 : ret;
54899 +}
54900 +#endif
54901 +
54902 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
54903 +{
54904 +#ifdef CONFIG_GRKERNSEC_BRUTE
54905 +       uid_t uid = 0;
54906 +
54907 +       if (!grsec_enable_brute)
54908 +               return;
54909 +
54910 +       rcu_read_lock();
54911 +       read_lock(&tasklist_lock);
54912 +       read_lock(&grsec_exec_file_lock);
54913 +       if (p->real_parent && p->real_parent->exec_file == p->exec_file)
54914 +               p->real_parent->brute = 1;
54915 +       else {
54916 +               const struct cred *cred = __task_cred(p), *cred2;
54917 +               struct task_struct *tsk, *tsk2;
54918 +
54919 +               if (!__get_dumpable(mm_flags) && cred->uid) {
54920 +                       struct user_struct *user;
54921 +
54922 +                       uid = cred->uid;
54923 +
54924 +                       /* this is put upon execution past expiration */
54925 +                       user = find_user(uid);
54926 +                       if (user == NULL)
54927 +                               goto unlock;
54928 +                       user->banned = 1;
54929 +                       user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
54930 +                       if (user->ban_expires == ~0UL)
54931 +                               user->ban_expires--;
54932 +
54933 +                       do_each_thread(tsk2, tsk) {
54934 +                               cred2 = __task_cred(tsk);
54935 +                               if (tsk != p && cred2->uid == uid)
54936 +                                       gr_fake_force_sig(SIGKILL, tsk);
54937 +                       } while_each_thread(tsk2, tsk);
54938 +               }
54939 +       }
54940 +unlock:
54941 +       read_unlock(&grsec_exec_file_lock);
54942 +       read_unlock(&tasklist_lock);
54943 +       rcu_read_unlock();
54944 +
54945 +       if (uid)
54946 +               printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
54947 +
54948 +#endif
54949 +       return;
54950 +}
54951 +
54952 +void gr_handle_brute_check(void)
54953 +{
54954 +#ifdef CONFIG_GRKERNSEC_BRUTE
54955 +       if (current->brute)
54956 +               msleep(30 * 1000);
54957 +#endif
54958 +       return;
54959 +}
54960 +
54961 +void gr_handle_kernel_exploit(void)
54962 +{
54963 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
54964 +       const struct cred *cred;
54965 +       struct task_struct *tsk, *tsk2;
54966 +       struct user_struct *user;
54967 +       uid_t uid;
54968 +
54969 +       if (in_irq() || in_serving_softirq() || in_nmi())
54970 +               panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
54971 +
54972 +       uid = current_uid();
54973 +
54974 +       if (uid == 0)
54975 +               panic("grsec: halting the system due to suspicious kernel crash caused by root");
54976 +       else {
54977 +               /* kill all the processes of this user, hold a reference
54978 +                  to their creds struct, and prevent them from creating
54979 +                  another process until system reset
54980 +               */
54981 +               printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
54982 +               /* we intentionally leak this ref */
54983 +               user = get_uid(current->cred->user);
54984 +               if (user) {
54985 +                       user->banned = 1;
54986 +                       user->ban_expires = ~0UL;
54987 +               }
54988 +
54989 +               read_lock(&tasklist_lock);
54990 +               do_each_thread(tsk2, tsk) {
54991 +                       cred = __task_cred(tsk);
54992 +                       if (cred->uid == uid)
54993 +                               gr_fake_force_sig(SIGKILL, tsk);
54994 +               } while_each_thread(tsk2, tsk);
54995 +               read_unlock(&tasklist_lock); 
54996 +       }
54997 +#endif
54998 +}
54999 +
55000 +int __gr_process_user_ban(struct user_struct *user)
55001 +{
55002 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
55003 +       if (unlikely(user->banned)) {
55004 +               if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
55005 +                       user->banned = 0;
55006 +                       user->ban_expires = 0;
55007 +                       free_uid(user);
55008 +               } else
55009 +                       return -EPERM;
55010 +       }
55011 +#endif
55012 +       return 0;
55013 +}
55014 +
55015 +int gr_process_user_ban(void)
55016 +{
55017 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
55018 +       return __gr_process_user_ban(current->cred->user);
55019 +#endif
55020 +       return 0;
55021 +}
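Review bot: In gr_handle_brute_attach the `find_user(uid)` call takes a new reference on every invocation, while `__gr_process_user_ban` releases exactly one with `free_uid` when the ban expires; if the same uid reaches this path again while `user->banned` is already set, the ban is merely extended and the earlier reference looks like it is never dropped (inferred, since find_user's reference semantics are not in the hunk). A guard such as `if (user->banned) free_uid(user);` before refreshing `ban_expires` would keep the count at one per active ban, and the comment `/* this is put upon execution past expiration */` should say where, e.g. `/* reference released by __gr_process_user_ban() once ban_expires passes */`. As a point of style, `char *signames[]` is a mutable, externally visible table that only gr_log_signal reads; `static const char * const signames[]` states that intent. gr_handle_signal also casts away const with `(struct task_struct *)p` to call gr_pid_is_chrooted; widening that prototype to `const struct task_struct *` avoids the cast.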
55022 diff -urNp linux-3.1.1/grsecurity/grsec_sock.c linux-3.1.1/grsecurity/grsec_sock.c
55023 --- linux-3.1.1/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
55024 +++ linux-3.1.1/grsecurity/grsec_sock.c 2011-11-16 18:40:31.000000000 -0500
55025 @@ -0,0 +1,244 @@
55026 +#include <linux/kernel.h>
55027 +#include <linux/module.h>
55028 +#include <linux/sched.h>
55029 +#include <linux/file.h>
55030 +#include <linux/net.h>
55031 +#include <linux/in.h>
55032 +#include <linux/ip.h>
55033 +#include <net/sock.h>
55034 +#include <net/inet_sock.h>
55035 +#include <linux/grsecurity.h>
55036 +#include <linux/grinternal.h>
55037 +#include <linux/gracl.h>
55038 +
55039 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
55040 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
55041 +
55042 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
55043 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
55044 +
55045 +#ifdef CONFIG_UNIX_MODULE
55046 +EXPORT_SYMBOL(gr_acl_handle_unix);
55047 +EXPORT_SYMBOL(gr_acl_handle_mknod);
55048 +EXPORT_SYMBOL(gr_handle_chroot_unix);
55049 +EXPORT_SYMBOL(gr_handle_create);
55050 +#endif
55051 +
55052 +#ifdef CONFIG_GRKERNSEC
55053 +#define gr_conn_table_size 32749
55054 +struct conn_table_entry {
55055 +       struct conn_table_entry *next;
55056 +       struct signal_struct *sig;
55057 +};
55058 +
55059 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
55060 +DEFINE_SPINLOCK(gr_conn_table_lock);
55061 +
55062 +extern const char * gr_socktype_to_name(unsigned char type);
55063 +extern const char * gr_proto_to_name(unsigned char proto);
55064 +extern const char * gr_sockfamily_to_name(unsigned char family);
55065 +
55066 +static __inline__ int 
55067 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
55068 +{
55069 +       return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
55070 +}
55071 +
55072 +static __inline__ int
55073 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr, 
55074 +          __u16 sport, __u16 dport)
55075 +{
55076 +       if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
55077 +                    sig->gr_sport == sport && sig->gr_dport == dport))
55078 +               return 1;
55079 +       else
55080 +               return 0;
55081 +}
55082 +
55083 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
55084 +{
55085 +       struct conn_table_entry **match;
55086 +       unsigned int index;
55087 +
55088 +       index = conn_hash(sig->gr_saddr, sig->gr_daddr, 
55089 +                         sig->gr_sport, sig->gr_dport, 
55090 +                         gr_conn_table_size);
55091 +
55092 +       newent->sig = sig;
55093 +       
55094 +       match = &gr_conn_table[index];
55095 +       newent->next = *match;
55096 +       *match = newent;
55097 +
55098 +       return;
55099 +}
55100 +
55101 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
55102 +{
55103 +       struct conn_table_entry *match, *last = NULL;
55104 +       unsigned int index;
55105 +
55106 +       index = conn_hash(sig->gr_saddr, sig->gr_daddr, 
55107 +                         sig->gr_sport, sig->gr_dport, 
55108 +                         gr_conn_table_size);
55109 +
55110 +       match = gr_conn_table[index];
55111 +       while (match && !conn_match(match->sig, 
55112 +               sig->gr_saddr, sig->gr_daddr, sig->gr_sport, 
55113 +               sig->gr_dport)) {
55114 +               last = match;
55115 +               match = match->next;
55116 +       }
55117 +
55118 +       if (match) {
55119 +               if (last)
55120 +                       last->next = match->next;
55121 +               else
55122 +                       gr_conn_table[index] = NULL;
55123 +               kfree(match);
55124 +       }
55125 +
55126 +       return;
55127 +}
55128 +
55129 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
55130 +                                            __u16 sport, __u16 dport)
55131 +{
55132 +       struct conn_table_entry *match;
55133 +       unsigned int index;
55134 +
55135 +       index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
55136 +
55137 +       match = gr_conn_table[index];
55138 +       while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
55139 +               match = match->next;
55140 +
55141 +       if (match)
55142 +               return match->sig;
55143 +       else
55144 +               return NULL;
55145 +}
55146 +
55147 +#endif
55148 +
55149 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
55150 +{
55151 +#ifdef CONFIG_GRKERNSEC
55152 +       struct signal_struct *sig = task->signal;
55153 +       struct conn_table_entry *newent;
55154 +
55155 +       newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
55156 +       if (newent == NULL)
55157 +               return;
55158 +       /* no bh lock needed since we are called with bh disabled */
55159 +       spin_lock(&gr_conn_table_lock);
55160 +       gr_del_task_from_ip_table_nolock(sig);
55161 +       sig->gr_saddr = inet->inet_rcv_saddr;
55162 +       sig->gr_daddr = inet->inet_daddr;
55163 +       sig->gr_sport = inet->inet_sport;
55164 +       sig->gr_dport = inet->inet_dport;
55165 +       gr_add_to_task_ip_table_nolock(sig, newent);
55166 +       spin_unlock(&gr_conn_table_lock);
55167 +#endif
55168 +       return;
55169 +}
55170 +
55171 +void gr_del_task_from_ip_table(struct task_struct *task)
55172 +{
55173 +#ifdef CONFIG_GRKERNSEC
55174 +       spin_lock_bh(&gr_conn_table_lock);
55175 +       gr_del_task_from_ip_table_nolock(task->signal);
55176 +       spin_unlock_bh(&gr_conn_table_lock);
55177 +#endif
55178 +       return;
55179 +}
55180 +
55181 +void
55182 +gr_attach_curr_ip(const struct sock *sk)
55183 +{
55184 +#ifdef CONFIG_GRKERNSEC
55185 +       struct signal_struct *p, *set;
55186 +       const struct inet_sock *inet = inet_sk(sk);     
55187 +
55188 +       if (unlikely(sk->sk_protocol != IPPROTO_TCP))
55189 +               return;
55190 +
55191 +       set = current->signal;
55192 +
55193 +       spin_lock_bh(&gr_conn_table_lock);
55194 +       p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
55195 +                                   inet->inet_dport, inet->inet_sport);
55196 +       if (unlikely(p != NULL)) {
55197 +               set->curr_ip = p->curr_ip;
55198 +               set->used_accept = 1;
55199 +               gr_del_task_from_ip_table_nolock(p);
55200 +               spin_unlock_bh(&gr_conn_table_lock);
55201 +               return;
55202 +       }
55203 +       spin_unlock_bh(&gr_conn_table_lock);
55204 +
55205 +       set->curr_ip = inet->inet_daddr;
55206 +       set->used_accept = 1;
55207 +#endif
55208 +       return;
55209 +}
55210 +
55211 +int
55212 +gr_handle_sock_all(const int family, const int type, const int protocol)
55213 +{
55214 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
55215 +       if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
55216 +           (family != AF_UNIX)) {
55217 +               if (family == AF_INET)
55218 +                       gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
55219 +               else
55220 +                       gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
55221 +               return -EACCES;
55222 +       }
55223 +#endif
55224 +       return 0;
55225 +}
55226 +
55227 +int
55228 +gr_handle_sock_server(const struct sockaddr *sck)
55229 +{
55230 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55231 +       if (grsec_enable_socket_server &&
55232 +           in_group_p(grsec_socket_server_gid) &&
55233 +           sck && (sck->sa_family != AF_UNIX) &&
55234 +           (sck->sa_family != AF_LOCAL)) {
55235 +               gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
55236 +               return -EACCES;
55237 +       }
55238 +#endif
55239 +       return 0;
55240 +}
55241 +
55242 +int
55243 +gr_handle_sock_server_other(const struct sock *sck)
55244 +{
55245 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55246 +       if (grsec_enable_socket_server &&
55247 +           in_group_p(grsec_socket_server_gid) &&
55248 +           sck && (sck->sk_family != AF_UNIX) &&
55249 +           (sck->sk_family != AF_LOCAL)) {
55250 +               gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
55251 +               return -EACCES;
55252 +       }
55253 +#endif
55254 +       return 0;
55255 +}
55256 +
55257 +int
55258 +gr_handle_sock_client(const struct sockaddr *sck)
55259 +{
55260 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
55261 +       if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
55262 +           sck && (sck->sa_family != AF_UNIX) &&
55263 +           (sck->sa_family != AF_LOCAL)) {
55264 +               gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
55265 +               return -EACCES;
55266 +       }
55267 +#endif
55268 +       return 0;
55269 +}
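Review bot: gr_del_task_from_ip_table_nolock mishandles the case where the matching entry is the head of its bucket: with `last == NULL` it writes `gr_conn_table[index] = NULL`, which unlinks every entry chained behind the match rather than just the match itself, so those entries are leaked and their connections can no longer be found by gr_lookup_task_ip_table and therefore gr_attach_curr_ip. The branch should splice the successor in instead: `gr_conn_table[index] = match->next;`. As a point of style, `gr_conn_table` and `gr_conn_table_lock` are only used inside this file and could be `static`, and `kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC)` in gr_update_task_in_ip_table reads better as `kmalloc(sizeof(*newent), GFP_ATOMIC)`.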
55270 diff -urNp linux-3.1.1/grsecurity/grsec_sysctl.c linux-3.1.1/grsecurity/grsec_sysctl.c
55271 --- linux-3.1.1/grsecurity/grsec_sysctl.c       1969-12-31 19:00:00.000000000 -0500
55272 +++ linux-3.1.1/grsecurity/grsec_sysctl.c       2011-11-16 18:40:31.000000000 -0500
55273 @@ -0,0 +1,433 @@
55274 +#include <linux/kernel.h>
55275 +#include <linux/sched.h>
55276 +#include <linux/sysctl.h>
55277 +#include <linux/grsecurity.h>
55278 +#include <linux/grinternal.h>
55279 +
55280 +int
55281 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
55282 +{
55283 +#ifdef CONFIG_GRKERNSEC_SYSCTL
55284 +       if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
55285 +               gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
55286 +               return -EACCES;
55287 +       }
55288 +#endif
55289 +       return 0;
55290 +}
55291 +
55292 +#ifdef CONFIG_GRKERNSEC_ROFS
55293 +static int __maybe_unused one = 1;
55294 +#endif
55295 +
55296 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
55297 +struct ctl_table grsecurity_table[] = {
55298 +#ifdef CONFIG_GRKERNSEC_SYSCTL
55299 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
55300 +#ifdef CONFIG_GRKERNSEC_IO
55301 +       {
55302 +               .procname       = "disable_priv_io",
55303 +               .data           = &grsec_disable_privio,
55304 +               .maxlen         = sizeof(int),
55305 +               .mode           = 0600,
55306 +               .proc_handler   = &proc_dointvec,
55307 +       },
55308 +#endif
55309 +#endif
55310 +#ifdef CONFIG_GRKERNSEC_LINK
55311 +       {
55312 +               .procname       = "linking_restrictions",
55313 +               .data           = &grsec_enable_link,
55314 +               .maxlen         = sizeof(int),
55315 +               .mode           = 0600,
55316 +               .proc_handler   = &proc_dointvec,
55317 +       },
55318 +#endif
55319 +#ifdef CONFIG_GRKERNSEC_BRUTE
55320 +       {
55321 +               .procname       = "deter_bruteforce",
55322 +               .data           = &grsec_enable_brute,
55323 +               .maxlen         = sizeof(int),
55324 +               .mode           = 0600,
55325 +               .proc_handler   = &proc_dointvec,
55326 +       },
55327 +#endif
55328 +#ifdef CONFIG_GRKERNSEC_FIFO
55329 +       {
55330 +               .procname       = "fifo_restrictions",
55331 +               .data           = &grsec_enable_fifo,
55332 +               .maxlen         = sizeof(int),
55333 +               .mode           = 0600,
55334 +               .proc_handler   = &proc_dointvec,
55335 +       },
55336 +#endif
55337 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55338 +       {
55339 +               .procname       = "ip_blackhole",
55340 +               .data           = &grsec_enable_blackhole,
55341 +               .maxlen         = sizeof(int),
55342 +               .mode           = 0600,
55343 +               .proc_handler   = &proc_dointvec,
55344 +       },
55345 +       {
55346 +               .procname       = "lastack_retries",
55347 +               .data           = &grsec_lastack_retries,
55348 +               .maxlen         = sizeof(int),
55349 +               .mode           = 0600,
55350 +               .proc_handler   = &proc_dointvec,
55351 +       },
55352 +#endif
55353 +#ifdef CONFIG_GRKERNSEC_EXECLOG
55354 +       {
55355 +               .procname       = "exec_logging",
55356 +               .data           = &grsec_enable_execlog,
55357 +               .maxlen         = sizeof(int),
55358 +               .mode           = 0600,
55359 +               .proc_handler   = &proc_dointvec,
55360 +       },
55361 +#endif
55362 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
55363 +       {
55364 +               .procname       = "rwxmap_logging",
55365 +               .data           = &grsec_enable_log_rwxmaps,
55366 +               .maxlen         = sizeof(int),
55367 +               .mode           = 0600,
55368 +               .proc_handler   = &proc_dointvec,
55369 +       },
55370 +#endif
55371 +#ifdef CONFIG_GRKERNSEC_SIGNAL
55372 +       {
55373 +               .procname       = "signal_logging",
55374 +               .data           = &grsec_enable_signal,
55375 +               .maxlen         = sizeof(int),
55376 +               .mode           = 0600,
55377 +               .proc_handler   = &proc_dointvec,
55378 +       },
55379 +#endif
55380 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
55381 +       {
55382 +               .procname       = "forkfail_logging",
55383 +               .data           = &grsec_enable_forkfail,
55384 +               .maxlen         = sizeof(int),
55385 +               .mode           = 0600,
55386 +               .proc_handler   = &proc_dointvec,
55387 +       },
55388 +#endif
55389 +#ifdef CONFIG_GRKERNSEC_TIME
55390 +       {
55391 +               .procname       = "timechange_logging",
55392 +               .data           = &grsec_enable_time,
55393 +               .maxlen         = sizeof(int),
55394 +               .mode           = 0600,
55395 +               .proc_handler   = &proc_dointvec,
55396 +       },
55397 +#endif
55398 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
55399 +       {
55400 +               .procname       = "chroot_deny_shmat",
55401 +               .data           = &grsec_enable_chroot_shmat,
55402 +               .maxlen         = sizeof(int),
55403 +               .mode           = 0600,
55404 +               .proc_handler   = &proc_dointvec,
55405 +       },
55406 +#endif
55407 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
55408 +       {
55409 +               .procname       = "chroot_deny_unix",
55410 +               .data           = &grsec_enable_chroot_unix,
55411 +               .maxlen         = sizeof(int),
55412 +               .mode           = 0600,
55413 +               .proc_handler   = &proc_dointvec,
55414 +       },
55415 +#endif
55416 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
55417 +       {
55418 +               .procname       = "chroot_deny_mount",
55419 +               .data           = &grsec_enable_chroot_mount,
55420 +               .maxlen         = sizeof(int),
55421 +               .mode           = 0600,
55422 +               .proc_handler   = &proc_dointvec,
55423 +       },
55424 +#endif
55425 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
55426 +       {
55427 +               .procname       = "chroot_deny_fchdir",
55428 +               .data           = &grsec_enable_chroot_fchdir,
55429 +               .maxlen         = sizeof(int),
55430 +               .mode           = 0600,
55431 +               .proc_handler   = &proc_dointvec,
55432 +       },
55433 +#endif
55434 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
55435 +       {
55436 +               .procname       = "chroot_deny_chroot",
55437 +               .data           = &grsec_enable_chroot_double,
55438 +               .maxlen         = sizeof(int),
55439 +               .mode           = 0600,
55440 +               .proc_handler   = &proc_dointvec,
55441 +       },
55442 +#endif
55443 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
55444 +       {
55445 +               .procname       = "chroot_deny_pivot",
55446 +               .data           = &grsec_enable_chroot_pivot,
55447 +               .maxlen         = sizeof(int),
55448 +               .mode           = 0600,
55449 +               .proc_handler   = &proc_dointvec,
55450 +       },
55451 +#endif
55452 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
55453 +       {
55454 +               .procname       = "chroot_enforce_chdir",
55455 +               .data           = &grsec_enable_chroot_chdir,
55456 +               .maxlen         = sizeof(int),
55457 +               .mode           = 0600,
55458 +               .proc_handler   = &proc_dointvec,
55459 +       },
55460 +#endif
55461 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
55462 +       {
55463 +               .procname       = "chroot_deny_chmod",
55464 +               .data           = &grsec_enable_chroot_chmod,
55465 +               .maxlen         = sizeof(int),
55466 +               .mode           = 0600,
55467 +               .proc_handler   = &proc_dointvec,
55468 +       },
55469 +#endif
55470 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
55471 +       {
55472 +               .procname       = "chroot_deny_mknod",
55473 +               .data           = &grsec_enable_chroot_mknod,
55474 +               .maxlen         = sizeof(int),
55475 +               .mode           = 0600,
55476 +               .proc_handler   = &proc_dointvec,
55477 +       },
55478 +#endif
55479 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
55480 +       {
55481 +               .procname       = "chroot_restrict_nice",
55482 +               .data           = &grsec_enable_chroot_nice,
55483 +               .maxlen         = sizeof(int),
55484 +               .mode           = 0600,
55485 +               .proc_handler   = &proc_dointvec,
55486 +       },
55487 +#endif
55488 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
55489 +       {
55490 +               .procname       = "chroot_execlog",
55491 +               .data           = &grsec_enable_chroot_execlog,
55492 +               .maxlen         = sizeof(int),
55493 +               .mode           = 0600,
55494 +               .proc_handler   = &proc_dointvec,
55495 +       },
55496 +#endif
55497 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
55498 +       {
55499 +               .procname       = "chroot_caps",
55500 +               .data           = &grsec_enable_chroot_caps,
55501 +               .maxlen         = sizeof(int),
55502 +               .mode           = 0600,
55503 +               .proc_handler   = &proc_dointvec,
55504 +       },
55505 +#endif
55506 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
55507 +       {
55508 +               .procname       = "chroot_deny_sysctl",
55509 +               .data           = &grsec_enable_chroot_sysctl,
55510 +               .maxlen         = sizeof(int),
55511 +               .mode           = 0600,
55512 +               .proc_handler   = &proc_dointvec,
55513 +       },
55514 +#endif
55515 +#ifdef CONFIG_GRKERNSEC_TPE
55516 +       {
55517 +               .procname       = "tpe",
55518 +               .data           = &grsec_enable_tpe,
55519 +               .maxlen         = sizeof(int),
55520 +               .mode           = 0600,
55521 +               .proc_handler   = &proc_dointvec,
55522 +       },
55523 +       {
55524 +               .procname       = "tpe_gid",
55525 +               .data           = &grsec_tpe_gid,
55526 +               .maxlen         = sizeof(int),
55527 +               .mode           = 0600,
55528 +               .proc_handler   = &proc_dointvec,
55529 +       },
55530 +#endif
55531 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
55532 +       {
55533 +               .procname       = "tpe_invert",
55534 +               .data           = &grsec_enable_tpe_invert,
55535 +               .maxlen         = sizeof(int),
55536 +               .mode           = 0600,
55537 +               .proc_handler   = &proc_dointvec,
55538 +       },
55539 +#endif
55540 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
55541 +       {
55542 +               .procname       = "tpe_restrict_all",
55543 +               .data           = &grsec_enable_tpe_all,
55544 +               .maxlen         = sizeof(int),
55545 +               .mode           = 0600,
55546 +               .proc_handler   = &proc_dointvec,
55547 +       },
55548 +#endif
55549 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
55550 +       {
55551 +               .procname       = "socket_all",
55552 +               .data           = &grsec_enable_socket_all,
55553 +               .maxlen         = sizeof(int),
55554 +               .mode           = 0600,
55555 +               .proc_handler   = &proc_dointvec,
55556 +       },
55557 +       {
55558 +               .procname       = "socket_all_gid",
55559 +               .data           = &grsec_socket_all_gid,
55560 +               .maxlen         = sizeof(int),
55561 +               .mode           = 0600,
55562 +               .proc_handler   = &proc_dointvec,
55563 +       },
55564 +#endif
55565 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
55566 +       {
55567 +               .procname       = "socket_client",
55568 +               .data           = &grsec_enable_socket_client,
55569 +               .maxlen         = sizeof(int),
55570 +               .mode           = 0600,
55571 +               .proc_handler   = &proc_dointvec,
55572 +       },
55573 +       {
55574 +               .procname       = "socket_client_gid",
55575 +               .data           = &grsec_socket_client_gid,
55576 +               .maxlen         = sizeof(int),
55577 +               .mode           = 0600,
55578 +               .proc_handler   = &proc_dointvec,
55579 +       },
55580 +#endif
55581 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55582 +       {
55583 +               .procname       = "socket_server",
55584 +               .data           = &grsec_enable_socket_server,
55585 +               .maxlen         = sizeof(int),
55586 +               .mode           = 0600,
55587 +               .proc_handler   = &proc_dointvec,
55588 +       },
55589 +       {
55590 +               .procname       = "socket_server_gid",
55591 +               .data           = &grsec_socket_server_gid,
55592 +               .maxlen         = sizeof(int),
55593 +               .mode           = 0600,
55594 +               .proc_handler   = &proc_dointvec,
55595 +       },
55596 +#endif
55597 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
55598 +       {
55599 +               .procname       = "audit_group",
55600 +               .data           = &grsec_enable_group,
55601 +               .maxlen         = sizeof(int),
55602 +               .mode           = 0600,
55603 +               .proc_handler   = &proc_dointvec,
55604 +       },
55605 +       {
55606 +               .procname       = "audit_gid",
55607 +               .data           = &grsec_audit_gid,
55608 +               .maxlen         = sizeof(int),
55609 +               .mode           = 0600,
55610 +               .proc_handler   = &proc_dointvec,
55611 +       },
55612 +#endif
55613 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
55614 +       {
55615 +               .procname       = "audit_chdir",
55616 +               .data           = &grsec_enable_chdir,
55617 +               .maxlen         = sizeof(int),
55618 +               .mode           = 0600,
55619 +               .proc_handler   = &proc_dointvec,
55620 +       },
55621 +#endif
55622 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
55623 +       {
55624 +               .procname       = "audit_mount",
55625 +               .data           = &grsec_enable_mount,
55626 +               .maxlen         = sizeof(int),
55627 +               .mode           = 0600,
55628 +               .proc_handler   = &proc_dointvec,
55629 +       },
55630 +#endif
55631 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
55632 +       {
55633 +               .procname       = "audit_textrel",
55634 +               .data           = &grsec_enable_audit_textrel,
55635 +               .maxlen         = sizeof(int),
55636 +               .mode           = 0600,
55637 +               .proc_handler   = &proc_dointvec,
55638 +       },
55639 +#endif
55640 +#ifdef CONFIG_GRKERNSEC_DMESG
55641 +       {
55642 +               .procname       = "dmesg",
55643 +               .data           = &grsec_enable_dmesg,
55644 +               .maxlen         = sizeof(int),
55645 +               .mode           = 0600,
55646 +               .proc_handler   = &proc_dointvec,
55647 +       },
55648 +#endif
55649 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
55650 +       {
55651 +               .procname       = "chroot_findtask",
55652 +               .data           = &grsec_enable_chroot_findtask,
55653 +               .maxlen         = sizeof(int),
55654 +               .mode           = 0600,
55655 +               .proc_handler   = &proc_dointvec,
55656 +       },
55657 +#endif
55658 +#ifdef CONFIG_GRKERNSEC_RESLOG
55659 +       {
55660 +               .procname       = "resource_logging",
55661 +               .data           = &grsec_resource_logging,
55662 +               .maxlen         = sizeof(int),
55663 +               .mode           = 0600,
55664 +               .proc_handler   = &proc_dointvec,
55665 +       },
55666 +#endif
55667 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
55668 +       {
55669 +               .procname       = "audit_ptrace",
55670 +               .data           = &grsec_enable_audit_ptrace,
55671 +               .maxlen         = sizeof(int),
55672 +               .mode           = 0600,
55673 +               .proc_handler   = &proc_dointvec,
55674 +       },
55675 +#endif
55676 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55677 +       {
55678 +               .procname       = "harden_ptrace",
55679 +               .data           = &grsec_enable_harden_ptrace,
55680 +               .maxlen         = sizeof(int),
55681 +               .mode           = 0600,
55682 +               .proc_handler   = &proc_dointvec,
55683 +       },
55684 +#endif
55685 +       {
55686 +               .procname       = "grsec_lock",
55687 +               .data           = &grsec_lock,
55688 +               .maxlen         = sizeof(int),
55689 +               .mode           = 0600,
55690 +               .proc_handler   = &proc_dointvec,
55691 +       },
55692 +#endif
55693 +#ifdef CONFIG_GRKERNSEC_ROFS
55694 +       {
55695 +               .procname       = "romount_protect",
55696 +               .data           = &grsec_enable_rofs,
55697 +               .maxlen         = sizeof(int),
55698 +               .mode           = 0600,
55699 +               .proc_handler   = &proc_dointvec_minmax,
55700 +               .extra1         = &one,
55701 +               .extra2         = &one,
55702 +       },
55703 +#endif
55704 +       { }
55705 +};
55706 +#endif
55707 diff -urNp linux-3.1.1/grsecurity/grsec_time.c linux-3.1.1/grsecurity/grsec_time.c
55708 --- linux-3.1.1/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
55709 +++ linux-3.1.1/grsecurity/grsec_time.c 2011-11-16 18:40:31.000000000 -0500
55710 @@ -0,0 +1,16 @@
55711 +#include <linux/kernel.h>
55712 +#include <linux/sched.h>
55713 +#include <linux/grinternal.h>
55714 +#include <linux/module.h>
55715 +
55716 +void
55717 +gr_log_timechange(void)
55718 +{
55719 +#ifdef CONFIG_GRKERNSEC_TIME
55720 +       if (grsec_enable_time)
55721 +               gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
55722 +#endif
55723 +       return;
55724 +}
55725 +
55726 +EXPORT_SYMBOL(gr_log_timechange);
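Review bot: The trailing `return;` on the last statement of `gr_log_timechange` is redundant in a void function and can be dropped. The function also lacks a header comment; since the body becomes an exported empty stub when CONFIG_GRKERNSEC_TIME is off, a reader benefits from `/* Audit hook for clock changes: logs GR_TIME_MSG when grsec_enable_time is set; compiled to a no-op without CONFIG_GRKERNSEC_TIME. */` above the definition.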
55727 diff -urNp linux-3.1.1/grsecurity/grsec_tpe.c linux-3.1.1/grsecurity/grsec_tpe.c
55728 --- linux-3.1.1/grsecurity/grsec_tpe.c  1969-12-31 19:00:00.000000000 -0500
55729 +++ linux-3.1.1/grsecurity/grsec_tpe.c  2011-11-16 18:40:31.000000000 -0500
55730 @@ -0,0 +1,39 @@
55731 +#include <linux/kernel.h>
55732 +#include <linux/sched.h>
55733 +#include <linux/file.h>
55734 +#include <linux/fs.h>
55735 +#include <linux/grinternal.h>
55736 +
55737 +extern int gr_acl_tpe_check(void);
55738 +
55739 +int
55740 +gr_tpe_allow(const struct file *file)
55741 +{
55742 +#ifdef CONFIG_GRKERNSEC
55743 +       struct inode *inode = file->f_path.dentry->d_parent->d_inode;
55744 +       const struct cred *cred = current_cred();
55745 +
55746 +       if (cred->uid && ((grsec_enable_tpe &&
55747 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
55748 +           ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
55749 +            (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
55750 +#else
55751 +           in_group_p(grsec_tpe_gid)
55752 +#endif
55753 +           ) || gr_acl_tpe_check()) &&
55754 +           (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
55755 +                                               (inode->i_mode & S_IWOTH))))) {
55756 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
55757 +               return 0;
55758 +       }
55759 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
55760 +       if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
55761 +           ((inode->i_uid && (inode->i_uid != cred->uid)) ||
55762 +            (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
55763 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
55764 +               return 0;
55765 +       }
55766 +#endif
55767 +#endif
55768 +       return 1;
55769 +}
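Review bot: The ownership condition in the first `if` of `gr_tpe_allow` is written as `inode->i_uid || (!inode->i_uid && (...))`, where the `!inode->i_uid &&` is redundant by short-circuit evaluation; `(inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH)))` expresses the same policy directly, and the same mask form would simplify the CONFIG_GRKERNSEC_TPE_ALL branch. The variable named `inode` is the parent directory's inode (taken via `d_parent`), which is the object the policy checks, so naming it `dir_inode` or adding a comment would avoid misreading it as the executable's own inode. The function has no contract comment; I'd add `/* Trusted Path Execution check: returns 1 if exec of @file is allowed, 0 (after logging GR_EXEC_TPE_MSG) if its parent directory fails the ownership/writability checks. */` above the definition.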
55770 diff -urNp linux-3.1.1/grsecurity/grsum.c linux-3.1.1/grsecurity/grsum.c
55771 --- linux-3.1.1/grsecurity/grsum.c      1969-12-31 19:00:00.000000000 -0500
55772 +++ linux-3.1.1/grsecurity/grsum.c      2011-11-16 18:40:31.000000000 -0500
55773 @@ -0,0 +1,61 @@
55774 +#include <linux/err.h>
55775 +#include <linux/kernel.h>
55776 +#include <linux/sched.h>
55777 +#include <linux/mm.h>
55778 +#include <linux/scatterlist.h>
55779 +#include <linux/crypto.h>
55780 +#include <linux/gracl.h>
55781 +
55782 +
55783 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
55784 +#error "crypto and sha256 must be built into the kernel"
55785 +#endif
55786 +
55787 +int
55788 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
55789 +{
55790 +       char *p;
55791 +       struct crypto_hash *tfm;
55792 +       struct hash_desc desc;
55793 +       struct scatterlist sg;
55794 +       unsigned char temp_sum[GR_SHA_LEN];
55795 +       volatile int retval = 0;
55796 +       volatile int dummy = 0;
55797 +       unsigned int i;
55798 +
55799 +       sg_init_table(&sg, 1);
55800 +
55801 +       tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
55802 +       if (IS_ERR(tfm)) {
55803 +               /* should never happen, since sha256 should be built in */
55804 +               return 1;
55805 +       }
55806 +
55807 +       desc.tfm = tfm;
55808 +       desc.flags = 0;
55809 +
55810 +       crypto_hash_init(&desc);
55811 +
55812 +       p = salt;
55813 +       sg_set_buf(&sg, p, GR_SALT_LEN);
55814 +       crypto_hash_update(&desc, &sg, sg.length);
55815 +
55816 +       p = entry->pw;
55817 +       sg_set_buf(&sg, p, strlen(p));
55818 +       
55819 +       crypto_hash_update(&desc, &sg, sg.length);
55820 +
55821 +       crypto_hash_final(&desc, temp_sum);
55822 +
55823 +       memset(entry->pw, 0, GR_PW_LEN);
55824 +
55825 +       for (i = 0; i < GR_SHA_LEN; i++)
55826 +               if (sum[i] != temp_sum[i])
55827 +                       retval = 1;
55828 +               else
55829 +                       dummy = 1;      // waste a cycle
55830 +
55831 +       crypto_free_hash(tfm);
55832 +
55833 +       return retval;
55834 +}
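Review bot: The comparison loop in `chkpw` is meant to run in constant time (the `dummy = 1; // waste a cycle` arm), but it still branches per byte and nothing guarantees the two arms cost the same, so timing can still correlate with the first mismatching byte; the branch-free form is `unsigned char diff = 0;` / `for (i = 0; i < GR_SHA_LEN; i++) diff |= sum[i] ^ temp_sum[i];` / `retval = diff != 0;`. The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` are not checked, so on a failure `temp_sum` is compared uninitialized; handling a non-zero return like the allocation failure (`return 1`) keeps the fail-closed behaviour explicit. `strlen(p)` on `entry->pw` assumes the password is NUL-terminated within GR_PW_LEN, which the caller must guarantee and is not visible here, so a comment stating that precondition would help; `p` is also declared `char *` while `salt` is `unsigned char *`, which is a sign-mismatch warning worth cleaning up.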
55835 diff -urNp linux-3.1.1/grsecurity/Kconfig linux-3.1.1/grsecurity/Kconfig
55836 --- linux-3.1.1/grsecurity/Kconfig      1969-12-31 19:00:00.000000000 -0500
55837 +++ linux-3.1.1/grsecurity/Kconfig      2011-11-16 18:40:31.000000000 -0500
55838 @@ -0,0 +1,1037 @@
55839 +#
55840 +# grecurity configuration
55841 +#
55842 +
55843 +menu "Grsecurity"
55844 +
55845 +config GRKERNSEC
55846 +       bool "Grsecurity"
55847 +       select CRYPTO
55848 +       select CRYPTO_SHA256
55849 +       help
55850 +         If you say Y here, you will be able to configure many features
55851 +         that will enhance the security of your system.  It is highly
55852 +         recommended that you say Y here and read through the help
55853 +         for each option so that you fully understand the features and
55854 +         can evaluate their usefulness for your machine.
55855 +
55856 +choice
55857 +       prompt "Security Level"
55858 +       depends on GRKERNSEC
55859 +       default GRKERNSEC_CUSTOM
55860 +
55861 +config GRKERNSEC_LOW
55862 +       bool "Low"
55863 +       select GRKERNSEC_LINK
55864 +       select GRKERNSEC_FIFO
55865 +       select GRKERNSEC_RANDNET
55866 +       select GRKERNSEC_DMESG
55867 +       select GRKERNSEC_CHROOT
55868 +       select GRKERNSEC_CHROOT_CHDIR
55869 +
55870 +       help
55871 +         If you choose this option, several of the grsecurity options will
55872 +         be enabled that will give you greater protection against a number
55873 +         of attacks, while assuring that none of your software will have any
55874 +         conflicts with the additional security measures.  If you run a lot
55875 +         of unusual software, or you are having problems with the higher
55876 +         security levels, you should say Y here.  With this option, the
55877 +         following features are enabled:
55878 +
55879 +         - Linking restrictions
55880 +         - FIFO restrictions
55881 +         - Restricted dmesg
55882 +         - Enforced chdir("/") on chroot
55883 +         - Runtime module disabling
55884 +
55885 +config GRKERNSEC_MEDIUM
55886 +       bool "Medium"
55887 +       select PAX
55888 +       select PAX_EI_PAX
55889 +       select PAX_PT_PAX_FLAGS
55890 +       select PAX_HAVE_ACL_FLAGS
55891 +       select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
55892 +       select GRKERNSEC_CHROOT
55893 +       select GRKERNSEC_CHROOT_SYSCTL
55894 +       select GRKERNSEC_LINK
55895 +       select GRKERNSEC_FIFO
55896 +       select GRKERNSEC_DMESG
55897 +       select GRKERNSEC_RANDNET
55898 +       select GRKERNSEC_FORKFAIL
55899 +       select GRKERNSEC_TIME
55900 +       select GRKERNSEC_SIGNAL
55901 +       select GRKERNSEC_CHROOT
55902 +       select GRKERNSEC_CHROOT_UNIX
55903 +       select GRKERNSEC_CHROOT_MOUNT
55904 +       select GRKERNSEC_CHROOT_PIVOT
55905 +       select GRKERNSEC_CHROOT_DOUBLE
55906 +       select GRKERNSEC_CHROOT_CHDIR
55907 +       select GRKERNSEC_CHROOT_MKNOD
55908 +       select GRKERNSEC_PROC
55909 +       select GRKERNSEC_PROC_USERGROUP
55910 +       select PAX_RANDUSTACK
55911 +       select PAX_ASLR
55912 +       select PAX_RANDMMAP
55913 +       select PAX_REFCOUNT if (X86 || SPARC64)
55914 +       select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
55915 +
55916 +       help
55917 +         If you say Y here, several features in addition to those included
55918 +         in the low additional security level will be enabled.  These
55919 +         features provide even more security to your system, though in rare
55920 +         cases they may be incompatible with very old or poorly written
55921 +         software.  If you enable this option, make sure that your auth
55922 +         service (identd) is running as gid 1001.  With this option, 
55923 +         the following features (in addition to those provided in the 
55924 +         low additional security level) will be enabled:
55925 +
55926 +         - Failed fork logging
55927 +         - Time change logging
55928 +         - Signal logging
55929 +         - Deny mounts in chroot
55930 +         - Deny double chrooting
55931 +         - Deny sysctl writes in chroot
55932 +         - Deny mknod in chroot
55933 +         - Deny access to abstract AF_UNIX sockets out of chroot
55934 +         - Deny pivot_root in chroot
55935 +         - Denied reads/writes of /dev/kmem, /dev/mem, and /dev/port
55936 +         - /proc restrictions with special GID set to 10 (usually wheel)
55937 +         - Address Space Layout Randomization (ASLR)
55938 +         - Prevent exploitation of most refcount overflows
55939 +         - Bounds checking of copying between the kernel and userland
55940 +
55941 +config GRKERNSEC_HIGH
55942 +       bool "High"
55943 +       select GRKERNSEC_LINK
55944 +       select GRKERNSEC_FIFO
55945 +       select GRKERNSEC_DMESG
55946 +       select GRKERNSEC_FORKFAIL
55947 +       select GRKERNSEC_TIME
55948 +       select GRKERNSEC_SIGNAL
55949 +       select GRKERNSEC_CHROOT
55950 +       select GRKERNSEC_CHROOT_SHMAT
55951 +       select GRKERNSEC_CHROOT_UNIX
55952 +       select GRKERNSEC_CHROOT_MOUNT
55953 +       select GRKERNSEC_CHROOT_FCHDIR
55954 +       select GRKERNSEC_CHROOT_PIVOT
55955 +       select GRKERNSEC_CHROOT_DOUBLE
55956 +       select GRKERNSEC_CHROOT_CHDIR
55957 +       select GRKERNSEC_CHROOT_MKNOD
55958 +       select GRKERNSEC_CHROOT_CAPS
55959 +       select GRKERNSEC_CHROOT_SYSCTL
55960 +       select GRKERNSEC_CHROOT_FINDTASK
55961 +       select GRKERNSEC_SYSFS_RESTRICT
55962 +       select GRKERNSEC_PROC
55963 +       select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
55964 +       select GRKERNSEC_HIDESYM
55965 +       select GRKERNSEC_BRUTE
55966 +       select GRKERNSEC_PROC_USERGROUP
55967 +       select GRKERNSEC_KMEM
55968 +       select GRKERNSEC_RESLOG
55969 +       select GRKERNSEC_RANDNET
55970 +       select GRKERNSEC_PROC_ADD
55971 +       select GRKERNSEC_CHROOT_CHMOD
55972 +       select GRKERNSEC_CHROOT_NICE
55973 +       select GRKERNSEC_AUDIT_MOUNT
55974 +       select GRKERNSEC_MODHARDEN if (MODULES)
55975 +       select GRKERNSEC_HARDEN_PTRACE
55976 +       select GRKERNSEC_VM86 if (X86_32)
55977 +       select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
55978 +       select PAX
55979 +       select PAX_RANDUSTACK
55980 +       select PAX_ASLR
55981 +       select PAX_RANDMMAP
55982 +       select PAX_NOEXEC
55983 +       select PAX_MPROTECT
55984 +       select PAX_EI_PAX
55985 +       select PAX_PT_PAX_FLAGS
55986 +       select PAX_HAVE_ACL_FLAGS
55987 +       select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
55988 +       select PAX_MEMORY_UDEREF if (X86 && !XEN)
55989 +       select PAX_RANDKSTACK if (X86_TSC && X86)
55990 +       select PAX_SEGMEXEC if (X86_32)
55991 +       select PAX_PAGEEXEC
55992 +       select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
55993 +       select PAX_EMUTRAMP if (PARISC)
55994 +       select PAX_EMUSIGRT if (PARISC)
55995 +       select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
55996 +       select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
55997 +       select PAX_REFCOUNT if (X86 || SPARC64)
55998 +       select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
55999 +       help
56000 +         If you say Y here, many of the features of grsecurity will be
56001 +         enabled, which will protect you against many kinds of attacks
56002 +         against your system.  The heightened security comes at a cost
56003 +         of an increased chance of incompatibilities with rare software
56004 +         on your machine.  Since this security level enables PaX, you should
56005 +         view <http://pax.grsecurity.net> and read about the PaX
56006 +         project.  While you are there, download chpax and run it on
56007 +         binaries that cause problems with PaX.  Also remember that
56008 +         since the /proc restrictions are enabled, you must run your
56009 +         identd as gid 1001.  This security level enables the following 
56010 +         features in addition to those listed in the low and medium 
56011 +         security levels:
56012 +
56013 +         - Additional /proc restrictions
56014 +         - Chmod restrictions in chroot
56015 +         - No signals, ptrace, or viewing of processes outside of chroot
56016 +         - Capability restrictions in chroot
56017 +         - Deny fchdir out of chroot
56018 +         - Priority restrictions in chroot
56019 +         - Segmentation-based implementation of PaX
56020 +         - Mprotect restrictions
56021 +         - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
56022 +         - Kernel stack randomization
56023 +         - Mount/unmount/remount logging
56024 +         - Kernel symbol hiding
56025 +         - Hardening of module auto-loading
56026 +         - Ptrace restrictions
56027 +         - Restricted vm86 mode
56028 +         - Restricted sysfs/debugfs
56029 +         - Active kernel exploit response
56030 +
56031 +config GRKERNSEC_CUSTOM
56032 +       bool "Custom"
56033 +       help
56034 +         If you say Y here, you will be able to configure every grsecurity
56035 +         option, which allows you to enable many more features that aren't
56036 +         covered in the basic security levels.  These additional features
56037 +         include TPE, socket restrictions, and the sysctl system for
56038 +         grsecurity.  It is advised that you read through the help for
56039 +         each option to determine its usefulness in your situation.
56040 +
56041 +endchoice
56042 +
56043 +menu "Address Space Protection"
56044 +depends on GRKERNSEC
56045 +
56046 +config GRKERNSEC_KMEM
56047 +       bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
56048 +       select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
56049 +       help
56050 +         If you say Y here, /dev/kmem and /dev/mem won't be allowed to
56051 +         be written to or read from to modify or leak the contents of the running
56052 +         kernel.  /dev/port will also not be allowed to be opened. If you have module
56053 +         support disabled, enabling this will close up four ways that are
56054 +         currently used  to insert malicious code into the running kernel.
56055 +         Even with all these features enabled, we still highly recommend that
56056 +         you use the RBAC system, as it is still possible for an attacker to
56057 +         modify the running kernel through privileged I/O granted by ioperm/iopl.
56058 +         If you are not using XFree86, you may be able to stop this additional
56059 +         case by enabling the 'Disable privileged I/O' option. Though nothing
56060 +         legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
56061 +         but only to video memory, which is the only writing we allow in this
56062 +         case.  If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
56063 +         not be allowed to mprotect it with PROT_WRITE later.
56064 +         It is highly recommended that you say Y here if you meet all the
56065 +         conditions above.
56066 +
56067 +config GRKERNSEC_VM86
56068 +       bool "Restrict VM86 mode"
56069 +       depends on X86_32
56070 +
56071 +       help
56072 +         If you say Y here, only processes with CAP_SYS_RAWIO will be able to
56073 +         make use of a special execution mode on 32bit x86 processors called
56074 +         Virtual 8086 (VM86) mode.  XFree86 may need vm86 mode for certain
56075 +         video cards and will still work with this option enabled.  The purpose
56076 +         of the option is to prevent exploitation of emulation errors in
56077 +         virtualization of vm86 mode like the one discovered in VMWare in 2009.
56078 +         Nearly all users should be able to enable this option.
56079 +
56080 +config GRKERNSEC_IO
56081 +       bool "Disable privileged I/O"
56082 +       depends on X86
56083 +       select RTC_CLASS
56084 +       select RTC_INTF_DEV
56085 +       select RTC_DRV_CMOS
56086 +
56087 +       help
56088 +         If you say Y here, all ioperm and iopl calls will return an error.
56089 +         Ioperm and iopl can be used to modify the running kernel.
56090 +         Unfortunately, some programs need this access to operate properly,
56091 +         the most notable of which are XFree86 and hwclock.  hwclock can be
56092 +         remedied by having RTC support in the kernel, so real-time 
56093 +         clock support is enabled if this option is enabled, to ensure 
56094 +         that hwclock operates correctly.  XFree86 still will not 
56095 +         operate correctly with this option enabled, so DO NOT CHOOSE Y 
56096 +         IF YOU USE XFree86.  If you use XFree86 and you still want to 
56097 +         protect your kernel against modification, use the RBAC system.
56098 +
56099 +config GRKERNSEC_PROC_MEMMAP
56100 +       bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
56101 +       default y if (PAX_NOEXEC || PAX_ASLR)
56102 +       depends on PAX_NOEXEC || PAX_ASLR
56103 +       help
56104 +         If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
56105 +         give no information about the addresses of its mappings if
56106 +         PaX features that rely on random addresses are enabled on the task.
56107 +         If you use PaX it is greatly recommended that you say Y here as it
56108 +         closes up a hole that makes the full ASLR useless for suid
56109 +         binaries.
56110 +
56111 +config GRKERNSEC_BRUTE
56112 +       bool "Deter exploit bruteforcing"
56113 +       help
56114 +         If you say Y here, attempts to bruteforce exploits against forking
56115 +         daemons such as apache or sshd, as well as against suid/sgid binaries
56116 +         will be deterred.  When a child of a forking daemon is killed by PaX
56117 +         or crashes due to an illegal instruction or other suspicious signal,
56118 +         the parent process will be delayed 30 seconds upon every subsequent
56119 +         fork until the administrator is able to assess the situation and
56120 +         restart the daemon.
56121 +         In the suid/sgid case, the attempt is logged, the user has all their
56122 +         processes terminated, and they are prevented from executing any further
56123 +         processes for 15 minutes.
56124 +         It is recommended that you also enable signal logging in the auditing
56125 +         section so that logs are generated when a process triggers a suspicious
56126 +         signal.
56127 +         If the sysctl option is enabled, a sysctl option with name
56128 +         "deter_bruteforce" is created.
56129 +
56130 +
56131 +config GRKERNSEC_MODHARDEN
56132 +       bool "Harden module auto-loading"
56133 +       depends on MODULES
56134 +       help
56135 +         If you say Y here, module auto-loading in response to use of some
56136 +         feature implemented by an unloaded module will be restricted to
56137 +         root users.  Enabling this option helps defend against attacks 
56138 +         by unprivileged users who abuse the auto-loading behavior to 
56139 +         cause a vulnerable module to load that is then exploited.
56140 +
56141 +         If this option prevents a legitimate use of auto-loading for a 
56142 +         non-root user, the administrator can execute modprobe manually 
56143 +         with the exact name of the module mentioned in the alert log.
56144 +         Alternatively, the administrator can add the module to the list
56145 +         of modules loaded at boot by modifying init scripts.
56146 +
56147 +         Modification of init scripts will most likely be needed on 
56148 +         Ubuntu servers with encrypted home directory support enabled,
56149 +         as the first non-root user logging in will cause the ecb(aes),
56150 +         ecb(aes)-all, cbc(aes), and cbc(aes)-all  modules to be loaded.
56151 +
56152 +config GRKERNSEC_HIDESYM
56153 +       bool "Hide kernel symbols"
56154 +       help
56155 +         If you say Y here, getting information on loaded modules, and
56156 +         displaying all kernel symbols through a syscall will be restricted
56157 +         to users with CAP_SYS_MODULE.  For software compatibility reasons,
56158 +         /proc/kallsyms will be restricted to the root user.  The RBAC
56159 +         system can hide that entry even from root.
56160 +
56161 +         This option also prevents leaking of kernel addresses through
56162 +         several /proc entries.
56163 +
56164 +         Note that this option is only effective provided the following
56165 +         conditions are met:
56166 +         1) The kernel using grsecurity is not precompiled by some distribution
56167 +         2) You have also enabled GRKERNSEC_DMESG
56168 +         3) You are using the RBAC system and hiding other files such as your
56169 +            kernel image and System.map.  Alternatively, enabling this option
56170 +            causes the permissions on /boot, /lib/modules, and the kernel
56171 +            source directory to change at compile time to prevent 
56172 +            reading by non-root users.
56173 +         If the above conditions are met, this option will aid in providing a
56174 +         useful protection against local kernel exploitation of overflows
56175 +         and arbitrary read/write vulnerabilities.
56176 +
56177 +config GRKERNSEC_KERN_LOCKOUT
56178 +       bool "Active kernel exploit response"
56179 +       depends on X86 || ARM || PPC || SPARC
56180 +       help
56181 +         If you say Y here, when a PaX alert is triggered due to suspicious
56182 +         activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
56183 +         or an OOPs occurs due to bad memory accesses, instead of just
56184 +         terminating the offending process (and potentially allowing
56185 +         a subsequent exploit from the same user), we will take one of two
56186 +         actions:
56187 +          If the user was root, we will panic the system
56188 +          If the user was non-root, we will log the attempt, terminate
56189 +          all processes owned by the user, then prevent them from creating
56190 +          any new processes until the system is restarted
56191 +         This deters repeated kernel exploitation/bruteforcing attempts
56192 +         and is useful for later forensics.
56193 +
56194 +endmenu
56195 +menu "Role Based Access Control Options"
56196 +depends on GRKERNSEC
56197 +
56198 +config GRKERNSEC_RBAC_DEBUG
56199 +       bool
56200 +
56201 +config GRKERNSEC_NO_RBAC
56202 +       bool "Disable RBAC system"
56203 +       help
56204 +         If you say Y here, the /dev/grsec device will be removed from the kernel,
56205 +         preventing the RBAC system from being enabled.  You should only say Y
56206 +         here if you have no intention of using the RBAC system, so as to prevent
56207 +         an attacker with root access from misusing the RBAC system to hide files
56208 +         and processes when loadable module support and /dev/[k]mem have been
56209 +         locked down.
56210 +
56211 +config GRKERNSEC_ACL_HIDEKERN
56212 +       bool "Hide kernel processes"
56213 +       help
56214 +         If you say Y here, all kernel threads will be hidden to all
56215 +         processes but those whose subject has the "view hidden processes"
56216 +         flag.
56217 +
56218 +config GRKERNSEC_ACL_MAXTRIES
56219 +       int "Maximum tries before password lockout"
56220 +       default 3
56221 +       help
56222 +         This option enforces the maximum number of times a user can attempt
56223 +         to authorize themselves with the grsecurity RBAC system before being
56224 +         denied the ability to attempt authorization again for a specified time.
56225 +         The lower the number, the harder it will be to brute-force a password.
56226 +
56227 +config GRKERNSEC_ACL_TIMEOUT
56228 +       int "Time to wait after max password tries, in seconds"
56229 +       default 30
56230 +       help
56231 +         This option specifies the time the user must wait after attempting to
56232 +         authorize to the RBAC system with the maximum number of invalid
56233 +         passwords.  The higher the number, the harder it will be to brute-force
56234 +         a password.
56235 +
56236 +endmenu
56237 +menu "Filesystem Protections"
56238 +depends on GRKERNSEC
56239 +
56240 +config GRKERNSEC_PROC
56241 +       bool "Proc restrictions"
56242 +       help
56243 +         If you say Y here, the permissions of the /proc filesystem
56244 +         will be altered to enhance system security and privacy.  You MUST
56245 +         choose either a user only restriction or a user and group restriction.
56246 +         Depending upon the option you choose, you can either restrict users to
56247 +         see only the processes they themselves run, or choose a group that can
56248 +         view all processes and files normally restricted to root if you choose
56249 +         the "restrict to user only" option.  NOTE: If you're running identd as
56250 +         a non-root user, you will have to run it as the group you specify here.
56251 +
56252 +config GRKERNSEC_PROC_USER
56253 +       bool "Restrict /proc to user only"
56254 +       depends on GRKERNSEC_PROC
56255 +       help
56256 +         If you say Y here, non-root users will only be able to view their own
56257 +         processes, and restricts them from viewing network-related information,
56258 +         and viewing kernel symbol and module information.
56259 +
56260 +config GRKERNSEC_PROC_USERGROUP
56261 +       bool "Allow special group"
56262 +       depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
56263 +       help
56264 +         If you say Y here, you will be able to select a group that will be
56265 +          able to view all processes and network-related information.  If you've
56266 +          enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
56267 +          remain hidden.  This option is useful if you want to run identd as
56268 +          a non-root user.
56269 +
56270 +config GRKERNSEC_PROC_GID
56271 +       int "GID for special group"
56272 +       depends on GRKERNSEC_PROC_USERGROUP
56273 +       default 1001
56274 +
56275 +config GRKERNSEC_PROC_ADD
56276 +       bool "Additional restrictions"
56277 +       depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
56278 +       help
56279 +         If you say Y here, additional restrictions will be placed on
56280 +         /proc that keep normal users from viewing device information and 
56281 +         slabinfo information that could be useful for exploits.
56282 +
56283 +config GRKERNSEC_LINK
56284 +       bool "Linking restrictions"
56285 +       help
56286 +         If you say Y here, /tmp race exploits will be prevented, since users
56287 +         will no longer be able to follow symlinks owned by other users in
56288 +         world-writable +t directories (e.g. /tmp), unless the owner of the
56289 +         symlink is the owner of the directory. users will also not be
56290 +         able to hardlink to files they do not own.  If the sysctl option is
56291 +         enabled, a sysctl option with name "linking_restrictions" is created.
56292 +
56293 +config GRKERNSEC_FIFO
56294 +       bool "FIFO restrictions"
56295 +       help
56296 +         If you say Y here, users will not be able to write to FIFOs they don't
56297 +         own in world-writable +t directories (e.g. /tmp), unless the owner of
56298 +         the FIFO is the same owner of the directory it's held in.  If the sysctl
56299 +         option is enabled, a sysctl option with name "fifo_restrictions" is
56300 +         created.
56301 +
56302 +config GRKERNSEC_SYSFS_RESTRICT
56303 +       bool "Sysfs/debugfs restriction"
56304 +       depends on SYSFS
56305 +       help
56306 +         If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
56307 +         any filesystem normally mounted under it (e.g. debugfs) will only
56308 +         be accessible by root.  These filesystems generally provide access
56309 +         to hardware and debug information that isn't appropriate for unprivileged
56310 +         users of the system.  Sysfs and debugfs have also become a large source
56311 +         of new vulnerabilities, ranging from infoleaks to local compromise.
56312 +         There has been very little oversight with an eye toward security involved
56313 +         in adding new exporters of information to these filesystems, so their
56314 +         use is discouraged.
56315 +         This option is equivalent to a chmod 0700 of the mount paths.
56316 +
56317 +config GRKERNSEC_ROFS
56318 +       bool "Runtime read-only mount protection"
56319 +       help
56320 +         If you say Y here, a sysctl option with name "romount_protect" will
56321 +         be created.  By setting this option to 1 at runtime, filesystems
56322 +         will be protected in the following ways:
56323 +         * No new writable mounts will be allowed
56324 +         * Existing read-only mounts won't be able to be remounted read/write
56325 +         * Write operations will be denied on all block devices
56326 +         This option acts independently of grsec_lock: once it is set to 1,
56327 +         it cannot be turned off.  Therefore, please be mindful of the resulting
56328 +         behavior if this option is enabled in an init script on a read-only
56329 +         filesystem.  This feature is mainly intended for secure embedded systems.
56330 +
56331 +config GRKERNSEC_CHROOT
56332 +       bool "Chroot jail restrictions"
56333 +       help
56334 +         If you say Y here, you will be able to choose several options that will
56335 +         make breaking out of a chrooted jail much more difficult.  If you
56336 +         encounter no software incompatibilities with the following options, it
56337 +         is recommended that you enable each one.
56338 +
56339 +config GRKERNSEC_CHROOT_MOUNT
56340 +       bool "Deny mounts"
56341 +       depends on GRKERNSEC_CHROOT
56342 +       help
56343 +         If you say Y here, processes inside a chroot will not be able to
56344 +         mount or remount filesystems.  If the sysctl option is enabled, a
56345 +         sysctl option with name "chroot_deny_mount" is created.
56346 +
56347 +config GRKERNSEC_CHROOT_DOUBLE
56348 +       bool "Deny double-chroots"
56349 +       depends on GRKERNSEC_CHROOT
56350 +       help
56351 +         If you say Y here, processes inside a chroot will not be able to chroot
56352 +         again outside the chroot.  This is a widely used method of breaking
56353 +         out of a chroot jail and should not be allowed.  If the sysctl 
56354 +         option is enabled, a sysctl option with name 
56355 +         "chroot_deny_chroot" is created.
56356 +
56357 +config GRKERNSEC_CHROOT_PIVOT
56358 +       bool "Deny pivot_root in chroot"
56359 +       depends on GRKERNSEC_CHROOT
56360 +       help
56361 +         If you say Y here, processes inside a chroot will not be able to use
56362 +         a function called pivot_root() that was introduced in Linux 2.3.41.  It
56363 +         works similar to chroot in that it changes the root filesystem.  This
56364 +         function could be misused in a chrooted process to attempt to break out
56365 +         of the chroot, and therefore should not be allowed.  If the sysctl
56366 +         option is enabled, a sysctl option with name "chroot_deny_pivot" is
56367 +         created.
56368 +
56369 +config GRKERNSEC_CHROOT_CHDIR
56370 +       bool "Enforce chdir(\"/\") on all chroots"
56371 +       depends on GRKERNSEC_CHROOT
56372 +       help
56373 +         If you say Y here, the current working directory of all newly-chrooted
56374 +         applications will be set to the the root directory of the chroot.
56375 +         The man page on chroot(2) states:
56376 +         Note that this call does not change  the  current  working
56377 +         directory,  so  that `.' can be outside the tree rooted at
56378 +         `/'.  In particular, the  super-user  can  escape  from  a
56379 +         `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
56380 +
56381 +         It is recommended that you say Y here, since it's not known to break
56382 +         any software.  If the sysctl option is enabled, a sysctl option with
56383 +         name "chroot_enforce_chdir" is created.
56384 +
56385 +config GRKERNSEC_CHROOT_CHMOD
56386 +       bool "Deny (f)chmod +s"
56387 +       depends on GRKERNSEC_CHROOT
56388 +       help
56389 +         If you say Y here, processes inside a chroot will not be able to chmod
56390 +         or fchmod files to make them have suid or sgid bits.  This protects
56391 +         against another published method of breaking a chroot.  If the sysctl
56392 +         option is enabled, a sysctl option with name "chroot_deny_chmod" is
56393 +         created.
56394 +
56395 +config GRKERNSEC_CHROOT_FCHDIR
56396 +       bool "Deny fchdir out of chroot"
56397 +       depends on GRKERNSEC_CHROOT
56398 +       help
56399 +         If you say Y here, a well-known method of breaking chroots by fchdir'ing
56400 +         to a file descriptor of the chrooting process that points to a directory
56401 +         outside the filesystem will be stopped.  If the sysctl option
56402 +         is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
56403 +
56404 +config GRKERNSEC_CHROOT_MKNOD
56405 +       bool "Deny mknod"
56406 +       depends on GRKERNSEC_CHROOT
56407 +       help
56408 +         If you say Y here, processes inside a chroot will not be allowed to
56409 +         mknod.  The problem with using mknod inside a chroot is that it
56410 +         would allow an attacker to create a device entry that is the same
56411 +         as one on the physical root of your system, which could range from
56412 +         anything from the console device to a device for your harddrive (which
56413 +         they could then use to wipe the drive or steal data).  It is recommended
56414 +         that you say Y here, unless you run into software incompatibilities.
56415 +         If the sysctl option is enabled, a sysctl option with name
56416 +         "chroot_deny_mknod" is created.
56417 +
56418 +config GRKERNSEC_CHROOT_SHMAT
56419 +       bool "Deny shmat() out of chroot"
56420 +       depends on GRKERNSEC_CHROOT
56421 +       help
56422 +         If you say Y here, processes inside a chroot will not be able to attach
56423 +         to shared memory segments that were created outside of the chroot jail.
56424 +         It is recommended that you say Y here.  If the sysctl option is enabled,
56425 +         a sysctl option with name "chroot_deny_shmat" is created.
56426 +
56427 +config GRKERNSEC_CHROOT_UNIX
56428 +       bool "Deny access to abstract AF_UNIX sockets out of chroot"
56429 +       depends on GRKERNSEC_CHROOT
56430 +       help
56431 +         If you say Y here, processes inside a chroot will not be able to
56432 +         connect to abstract (meaning not belonging to a filesystem) Unix
56433 +         domain sockets that were bound outside of a chroot.  It is recommended
56434 +         that you say Y here.  If the sysctl option is enabled, a sysctl option
56435 +         with name "chroot_deny_unix" is created.
56436 +
56437 +config GRKERNSEC_CHROOT_FINDTASK
56438 +       bool "Protect outside processes"
56439 +       depends on GRKERNSEC_CHROOT
56440 +       help
56441 +         If you say Y here, processes inside a chroot will not be able to
56442 +         kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
56443 +         getsid, or view any process outside of the chroot.  If the sysctl
56444 +         option is enabled, a sysctl option with name "chroot_findtask" is
56445 +         created.
56446 +
56447 +config GRKERNSEC_CHROOT_NICE
56448 +       bool "Restrict priority changes"
56449 +       depends on GRKERNSEC_CHROOT
56450 +       help
56451 +         If you say Y here, processes inside a chroot will not be able to raise
56452 +         the priority of processes in the chroot, or alter the priority of
56453 +         processes outside the chroot.  This provides more security than simply
56454 +         removing CAP_SYS_NICE from the process' capability set.  If the
56455 +         sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
56456 +         is created.
56457 +
56458 +config GRKERNSEC_CHROOT_SYSCTL
56459 +       bool "Deny sysctl writes"
56460 +       depends on GRKERNSEC_CHROOT
56461 +       help
56462 +         If you say Y here, an attacker in a chroot will not be able to
56463 +         write to sysctl entries, either by sysctl(2) or through a /proc
56464 +         interface.  It is strongly recommended that you say Y here. If the
56465 +         sysctl option is enabled, a sysctl option with name
56466 +         "chroot_deny_sysctl" is created.
56467 +
56468 +config GRKERNSEC_CHROOT_CAPS
56469 +       bool "Capability restrictions"
56470 +       depends on GRKERNSEC_CHROOT
56471 +       help
56472 +         If you say Y here, the capabilities on all processes within a
56473 +         chroot jail will be lowered to stop module insertion, raw i/o,
56474 +         system and net admin tasks, rebooting the system, modifying immutable
56475 +         files, modifying IPC owned by another, and changing the system time.
56476 +         This is left an option because it can break some apps.  Disable this
56477 +         if your chrooted apps are having problems performing those kinds of
56478 +         tasks.  If the sysctl option is enabled, a sysctl option with
56479 +         name "chroot_caps" is created.
56480 +
56481 +endmenu
56482 +menu "Kernel Auditing"
56483 +depends on GRKERNSEC
56484 +
56485 +config GRKERNSEC_AUDIT_GROUP
56486 +       bool "Single group for auditing"
56487 +       help
56488 +         If you say Y here, the exec, chdir, and (un)mount logging features
56489 +         will only operate on a group you specify.  This option is recommended
56490 +         if you only want to watch certain users instead of having a large
56491 +         amount of logs from the entire system.  If the sysctl option is enabled,
56492 +         a sysctl option with name "audit_group" is created.
56493 +
56494 +config GRKERNSEC_AUDIT_GID
56495 +       int "GID for auditing"
56496 +       depends on GRKERNSEC_AUDIT_GROUP
56497 +       default 1007
56498 +
56499 +config GRKERNSEC_EXECLOG
56500 +       bool "Exec logging"
56501 +       help
56502 +         If you say Y here, all execve() calls will be logged (since the
56503 +         other exec*() calls are frontends to execve(), all execution
56504 +         will be logged).  Useful for shell-servers that like to keep track
56505 +         of their users.  If the sysctl option is enabled, a sysctl option with
56506 +         name "exec_logging" is created.
56507 +         WARNING: This option when enabled will produce a LOT of logs, especially
56508 +         on an active system.
56509 +
56510 +config GRKERNSEC_RESLOG
56511 +       bool "Resource logging"
56512 +       help
56513 +         If you say Y here, all attempts to overstep resource limits will
56514 +         be logged with the resource name, the requested size, and the current
56515 +         limit.  It is highly recommended that you say Y here.  If the sysctl
56516 +         option is enabled, a sysctl option with name "resource_logging" is
56517 +         created.  If the RBAC system is enabled, the sysctl value is ignored.
56518 +
56519 +config GRKERNSEC_CHROOT_EXECLOG
56520 +       bool "Log execs within chroot"
56521 +       help
56522 +         If you say Y here, all executions inside a chroot jail will be logged
56523 +         to syslog.  This can cause a large amount of logs if certain
56524 +         applications (eg. djb's daemontools) are installed on the system, and
56525 +         is therefore left as an option.  If the sysctl option is enabled, a
56526 +         sysctl option with name "chroot_execlog" is created.
56527 +
56528 +config GRKERNSEC_AUDIT_PTRACE
56529 +       bool "Ptrace logging"
56530 +       help
56531 +         If you say Y here, all attempts to attach to a process via ptrace
56532 +         will be logged.  If the sysctl option is enabled, a sysctl option
56533 +         with name "audit_ptrace" is created.
56534 +
56535 +config GRKERNSEC_AUDIT_CHDIR
56536 +       bool "Chdir logging"
56537 +       help
56538 +         If you say Y here, all chdir() calls will be logged.  If the sysctl
56539 +         option is enabled, a sysctl option with name "audit_chdir" is created.
56540 +
56541 +config GRKERNSEC_AUDIT_MOUNT
56542 +       bool "(Un)Mount logging"
56543 +       help
56544 +         If you say Y here, all mounts and unmounts will be logged.  If the
56545 +         sysctl option is enabled, a sysctl option with name "audit_mount" is
56546 +         created.
56547 +
56548 +config GRKERNSEC_SIGNAL
56549 +       bool "Signal logging"
56550 +       help
56551 +         If you say Y here, certain important signals will be logged, such as
56552 +         SIGSEGV, which will as a result inform you of when a error in a program
56553 +         occurred, which in some cases could mean a possible exploit attempt.
56554 +         If the sysctl option is enabled, a sysctl option with name
56555 +         "signal_logging" is created.
56556 +
56557 +config GRKERNSEC_FORKFAIL
56558 +       bool "Fork failure logging"
56559 +       help
56560 +         If you say Y here, all failed fork() attempts will be logged.
56561 +         This could suggest a fork bomb, or someone attempting to overstep
56562 +         their process limit.  If the sysctl option is enabled, a sysctl option
56563 +         with name "forkfail_logging" is created.
56564 +
56565 +config GRKERNSEC_TIME
56566 +       bool "Time change logging"
56567 +       help
56568 +         If you say Y here, any changes of the system clock will be logged.
56569 +         If the sysctl option is enabled, a sysctl option with name
56570 +         "timechange_logging" is created.
56571 +
56572 +config GRKERNSEC_PROC_IPADDR
56573 +       bool "/proc/<pid>/ipaddr support"
56574 +       help
56575 +         If you say Y here, a new entry will be added to each /proc/<pid>
56576 +         directory that contains the IP address of the person using the task.
56577 +         The IP is carried across local TCP and AF_UNIX stream sockets.
56578 +         This information can be useful for IDS/IPSes to perform remote response
56579 +         to a local attack.  The entry is readable by only the owner of the
56580 +         process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
56581 +         the RBAC system), and thus does not create privacy concerns.
56582 +
56583 +config GRKERNSEC_RWXMAP_LOG
56584 +       bool 'Denied RWX mmap/mprotect logging'
56585 +       depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
56586 +       help
56587 +         If you say Y here, calls to mmap() and mprotect() with explicit
56588 +         usage of PROT_WRITE and PROT_EXEC together will be logged when
56589 +         denied by the PAX_MPROTECT feature.  If the sysctl option is
56590 +         enabled, a sysctl option with name "rwxmap_logging" is created.
56591 +
56592 +config GRKERNSEC_AUDIT_TEXTREL
56593 +       bool 'ELF text relocations logging (READ HELP)'
56594 +       depends on PAX_MPROTECT
56595 +       help
56596 +         If you say Y here, text relocations will be logged with the filename
56597 +         of the offending library or binary.  The purpose of the feature is
56598 +         to help Linux distribution developers get rid of libraries and
56599 +         binaries that need text relocations which hinder the future progress
56600 +         of PaX.  Only Linux distribution developers should say Y here, and
56601 +         never on a production machine, as this option creates an information
56602 +         leak that could aid an attacker in defeating the randomization of
56603 +         a single memory region.  If the sysctl option is enabled, a sysctl
56604 +         option with name "audit_textrel" is created.
56605 +
56606 +endmenu
56607 +
56608 +menu "Executable Protections"
56609 +depends on GRKERNSEC
56610 +
56611 +config GRKERNSEC_DMESG
56612 +       bool "Dmesg(8) restriction"
56613 +       help
56614 +         If you say Y here, non-root users will not be able to use dmesg(8)
56615 +         to view up to the last 4kb of messages in the kernel's log buffer.
56616 +         The kernel's log buffer often contains kernel addresses and other
56617 +         identifying information useful to an attacker in fingerprinting a
56618 +         system for a targeted exploit.
56619 +         If the sysctl option is enabled, a sysctl option with name "dmesg" is
56620 +         created.
56621 +
56622 +config GRKERNSEC_HARDEN_PTRACE
56623 +       bool "Deter ptrace-based process snooping"
56624 +       help
56625 +         If you say Y here, TTY sniffers and other malicious monitoring
56626 +         programs implemented through ptrace will be defeated.  If you
56627 +         have been using the RBAC system, this option has already been
56628 +         enabled for several years for all users, with the ability to make
56629 +         fine-grained exceptions.
56630 +
56631 +         This option only affects the ability of non-root users to ptrace
56632 +         processes that are not a descendent of the ptracing process.
56633 +         This means that strace ./binary and gdb ./binary will still work,
56634 +         but attaching to arbitrary processes will not.  If the sysctl
56635 +         option is enabled, a sysctl option with name "harden_ptrace" is
56636 +         created.
56637 +
56638 +config GRKERNSEC_TPE
56639 +       bool "Trusted Path Execution (TPE)"
56640 +       help
56641 +         If you say Y here, you will be able to choose a gid to add to the
56642 +         supplementary groups of users you want to mark as "untrusted."
56643 +         These users will not be able to execute any files that are not in
56644 +         root-owned directories writable only by root.  If the sysctl option
56645 +         is enabled, a sysctl option with name "tpe" is created.
56646 +
56647 +config GRKERNSEC_TPE_ALL
56648 +       bool "Partially restrict all non-root users"
56649 +       depends on GRKERNSEC_TPE
56650 +       help
56651 +         If you say Y here, all non-root users will be covered under
56652 +         a weaker TPE restriction.  This is separate from, and in addition to,
56653 +         the main TPE options that you have selected elsewhere.  Thus, if a
56654 +         "trusted" GID is chosen, this restriction applies to even that GID.
56655 +         Under this restriction, all non-root users will only be allowed to
56656 +         execute files in directories they own that are not group or
56657 +         world-writable, or in directories owned by root and writable only by
56658 +         root.  If the sysctl option is enabled, a sysctl option with name
56659 +         "tpe_restrict_all" is created.
56660 +
56661 +config GRKERNSEC_TPE_INVERT
56662 +       bool "Invert GID option"
56663 +       depends on GRKERNSEC_TPE
56664 +       help
56665 +         If you say Y here, the group you specify in the TPE configuration will
56666 +         decide what group TPE restrictions will be *disabled* for.  This
56667 +         option is useful if you want TPE restrictions to be applied to most
56668 +         users on the system.  If the sysctl option is enabled, a sysctl option
56669 +         with name "tpe_invert" is created.  Unlike other sysctl options, this
56670 +         entry will default to on for backward-compatibility.
56671 +
56672 +config GRKERNSEC_TPE_GID
56673 +       int "GID for untrusted users"
56674 +       depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
56675 +       default 1005
56676 +       help
56677 +         Setting this GID determines what group TPE restrictions will be
56678 +         *enabled* for.  If the sysctl option is enabled, a sysctl option
56679 +         with name "tpe_gid" is created.
56680 +
56681 +config GRKERNSEC_TPE_GID
56682 +       int "GID for trusted users"
56683 +       depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
56684 +       default 1005
56685 +       help
56686 +         Setting this GID determines what group TPE restrictions will be
56687 +         *disabled* for.  If the sysctl option is enabled, a sysctl option
56688 +         with name "tpe_gid" is created.
56689 +
56690 +endmenu
56691 +menu "Network Protections"
56692 +depends on GRKERNSEC
56693 +
56694 +config GRKERNSEC_RANDNET
56695 +       bool "Larger entropy pools"
56696 +       help
56697 +         If you say Y here, the entropy pools used for many features of Linux
56698 +         and grsecurity will be doubled in size.  Since several grsecurity
56699 +         features use additional randomness, it is recommended that you say Y
56700 +         here.  Saying Y here has a similar effect as modifying
56701 +         /proc/sys/kernel/random/poolsize.
56702 +
56703 +config GRKERNSEC_BLACKHOLE
56704 +       bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
56705 +       depends on NET
56706 +       help
56707 +         If you say Y here, neither TCP resets nor ICMP
56708 +         destination-unreachable packets will be sent in response to packets
56709 +         sent to ports for which no associated listening process exists.
56710 +         This feature supports both IPV4 and IPV6 and exempts the 
56711 +         loopback interface from blackholing.  Enabling this feature 
56712 +         makes a host more resilient to DoS attacks and reduces network
56713 +         visibility against scanners.
56714 +
56715 +         The blackhole feature as-implemented is equivalent to the FreeBSD
56716 +         blackhole feature, as it prevents RST responses to all packets, not
56717 +         just SYNs.  Under most application behavior this causes no
56718 +         problems, but applications (like haproxy) may not close certain
56719 +         connections in a way that cleanly terminates them on the remote
56720 +         end, leaving the remote host in LAST_ACK state.  Because of this
56721 +         side-effect and to prevent intentional LAST_ACK DoSes, this
56722 +         feature also adds automatic mitigation against such attacks.
56723 +         The mitigation drastically reduces the amount of time a socket
56724 +         can spend in LAST_ACK state.  If you're using haproxy and not
56725 +         all servers it connects to have this option enabled, consider
56726 +         disabling this feature on the haproxy host.
56727 +
56728 +         If the sysctl option is enabled, two sysctl options with names
56729 +         "ip_blackhole" and "lastack_retries" will be created.
56730 +         While "ip_blackhole" takes the standard zero/non-zero on/off
56731 +         toggle, "lastack_retries" uses the same kinds of values as
56732 +         "tcp_retries1" and "tcp_retries2".  The default value of 4
56733 +         prevents a socket from lasting more than 45 seconds in LAST_ACK
56734 +         state.
56735 +
56736 +config GRKERNSEC_SOCKET
56737 +       bool "Socket restrictions"
56738 +       depends on NET
56739 +       help
56740 +         If you say Y here, you will be able to choose from several options.
56741 +         If you assign a GID on your system and add it to the supplementary
56742 +         groups of users you want to restrict socket access to, this patch
56743 +         will perform up to three things, based on the option(s) you choose.
56744 +
56745 +config GRKERNSEC_SOCKET_ALL
56746 +       bool "Deny any sockets to group"
56747 +       depends on GRKERNSEC_SOCKET
56748 +       help
56749 +         If you say Y here, you will be able to choose a GID of whose users will
56750 +         be unable to connect to other hosts from your machine or run server
56751 +         applications from your machine.  If the sysctl option is enabled, a
56752 +         sysctl option with name "socket_all" is created.
56753 +
56754 +config GRKERNSEC_SOCKET_ALL_GID
56755 +       int "GID to deny all sockets for"
56756 +       depends on GRKERNSEC_SOCKET_ALL
56757 +       default 1004
56758 +       help
56759 +         Here you can choose the GID to disable socket access for. Remember to
56760 +         add the users you want socket access disabled for to the GID
56761 +         specified here.  If the sysctl option is enabled, a sysctl option
56762 +         with name "socket_all_gid" is created.
56763 +
56764 +config GRKERNSEC_SOCKET_CLIENT
56765 +       bool "Deny client sockets to group"
56766 +       depends on GRKERNSEC_SOCKET
56767 +       help
56768 +         If you say Y here, you will be able to choose a GID of whose users will
56769 +         be unable to connect to other hosts from your machine, but will be
56770 +         able to run servers.  If this option is enabled, all users in the group
56771 +         you specify will have to use passive mode when initiating ftp transfers
56772 +         from the shell on your machine.  If the sysctl option is enabled, a
56773 +         sysctl option with name "socket_client" is created.
56774 +
56775 +config GRKERNSEC_SOCKET_CLIENT_GID
56776 +       int "GID to deny client sockets for"
56777 +       depends on GRKERNSEC_SOCKET_CLIENT
56778 +       default 1003
56779 +       help
56780 +         Here you can choose the GID to disable client socket access for.
56781 +         Remember to add the users you want client socket access disabled for to
56782 +         the GID specified here.  If the sysctl option is enabled, a sysctl
56783 +         option with name "socket_client_gid" is created.
56784 +
56785 +config GRKERNSEC_SOCKET_SERVER
56786 +       bool "Deny server sockets to group"
56787 +       depends on GRKERNSEC_SOCKET
56788 +       help
56789 +         If you say Y here, you will be able to choose a GID of whose users will
56790 +         be unable to run server applications from your machine.  If the sysctl
56791 +         option is enabled, a sysctl option with name "socket_server" is created.
56792 +
56793 +config GRKERNSEC_SOCKET_SERVER_GID
56794 +       int "GID to deny server sockets for"
56795 +       depends on GRKERNSEC_SOCKET_SERVER
56796 +       default 1002
56797 +       help
56798 +         Here you can choose the GID to disable server socket access for.
56799 +         Remember to add the users you want server socket access disabled for to
56800 +         the GID specified here.  If the sysctl option is enabled, a sysctl
56801 +         option with name "socket_server_gid" is created.
56802 +
56803 +endmenu
56804 +menu "Sysctl support"
56805 +depends on GRKERNSEC && SYSCTL
56806 +
56807 +config GRKERNSEC_SYSCTL
56808 +       bool "Sysctl support"
56809 +       help
56810 +         If you say Y here, you will be able to change the options that
56811 +         grsecurity runs with at bootup, without having to recompile your
56812 +         kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
56813 +         to enable (1) or disable (0) various features.  All the sysctl entries
56814 +         are mutable until the "grsec_lock" entry is set to a non-zero value.
56815 +         All features enabled in the kernel configuration are disabled at boot
56816 +         if you do not say Y to the "Turn on features by default" option.
56817 +         All options should be set at startup, and the grsec_lock entry should
56818 +         be set to a non-zero value after all the options are set.
56819 +         *THIS IS EXTREMELY IMPORTANT*
56820 +
56821 +config GRKERNSEC_SYSCTL_DISTRO
56822 +       bool "Extra sysctl support for distro makers (READ HELP)"
56823 +       depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
56824 +       help
56825 +         If you say Y here, additional sysctl options will be created
56826 +         for features that affect processes running as root.  Therefore,
56827 +         it is critical when using this option that the grsec_lock entry be
56828 +         enabled after boot.  Only distros with prebuilt kernel packages
56829 +         with this option enabled that can ensure grsec_lock is enabled
56830 +         after boot should use this option.
56831 +         *Failure to set grsec_lock after boot makes all grsec features
56832 +         this option covers useless*
56833 +
56834 +         Currently this option creates the following sysctl entries:
56835 +         "Disable Privileged I/O": "disable_priv_io"   
56836 +
56837 +config GRKERNSEC_SYSCTL_ON
56838 +       bool "Turn on features by default"
56839 +       depends on GRKERNSEC_SYSCTL
56840 +       help
56841 +         If you say Y here, instead of having all features enabled in the
56842 +         kernel configuration disabled at boot time, the features will be
56843 +         enabled at boot time.  It is recommended you say Y here unless
56844 +         there is some reason you would want all sysctl-tunable features to
56845 +         be disabled by default.  As mentioned elsewhere, it is important
56846 +         to enable the grsec_lock entry once you have finished modifying
56847 +         the sysctl entries.
56848 +
56849 +endmenu
56850 +menu "Logging Options"
56851 +depends on GRKERNSEC
56852 +
56853 +config GRKERNSEC_FLOODTIME
56854 +       int "Seconds in between log messages (minimum)"
56855 +       default 10
56856 +       help
56857 +         This option allows you to enforce the number of seconds between
56858 +         grsecurity log messages.  The default should be suitable for most
56859 +         people, however, if you choose to change it, choose a value small enough
56860 +         to allow informative logs to be produced, but large enough to
56861 +         prevent flooding.
56862 +
56863 +config GRKERNSEC_FLOODBURST
56864 +       int "Number of messages in a burst (maximum)"
56865 +       default 6
56866 +       help
56867 +         This option allows you to choose the maximum number of messages allowed
56868 +         within the flood time interval you chose in a separate option.  The
56869 +         default should be suitable for most people, however if you find that
56870 +         many of your logs are being interpreted as flooding, you may want to
56871 +         raise this value.
56872 +
56873 +endmenu
56874 +
56875 +endmenu
56876 diff -urNp linux-3.1.1/grsecurity/Makefile linux-3.1.1/grsecurity/Makefile
56877 --- linux-3.1.1/grsecurity/Makefile     1969-12-31 19:00:00.000000000 -0500
56878 +++ linux-3.1.1/grsecurity/Makefile     2011-11-16 18:40:31.000000000 -0500
56879 @@ -0,0 +1,36 @@
56880 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
56881 +# during 2001-2009 it has been completely redesigned by Brad Spengler
56882 +# into an RBAC system
56883 +#
56884 +# All code in this directory and various hooks inserted throughout the kernel
56885 +# are copyright Brad Spengler - Open Source Security, Inc., and released 
56886 +# under the GPL v2 or higher
56887 +
56888 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
56889 +       grsec_mount.o grsec_sig.o grsec_sysctl.o \
56890 +       grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
56891 +
56892 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
56893 +       gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
56894 +       gracl_learn.o grsec_log.o
56895 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
56896 +
56897 +ifdef CONFIG_NET
56898 +obj-y += grsec_sock.o
56899 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
56900 +endif
56901 +
56902 +ifndef CONFIG_GRKERNSEC
56903 +obj-y += grsec_disabled.o
56904 +endif
56905 +
56906 +ifdef CONFIG_GRKERNSEC_HIDESYM
56907 +extra-y := grsec_hidesym.o
56908 +$(obj)/grsec_hidesym.o:
56909 +       @-chmod -f 500 /boot
56910 +       @-chmod -f 500 /lib/modules
56911 +       @-chmod -f 500 /lib64/modules
56912 +       @-chmod -f 500 /lib32/modules
56913 +       @-chmod -f 700 .
56914 +       @echo '  grsec: protected kernel image paths'
56915 +endif
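Review bot: The `$(obj)/grsec_hidesym.o` rule changes permissions on the build host (`chmod -f 500 /boot`, the `/lib*/modules` directories, and `chmod -f 700 .` on the source tree) as a side effect of compiling, which is the wrong place for a runtime hardening step: in a packaged build like this one it runs in the packager's environment rather than on the system being protected, and the leading `-` together with `-f` hides every failure. The rule also never produces the `grsec_hidesym.o` it is declared to build through `extra-y`, so make re-runs it on every invocation. I would at least mark this above the target with `# NOTE: host-side permission change, not a build product (CONFIG_GRKERNSEC_HIDESYM)` and consider moving the chmods into an install or post-install step where they act on the target system.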
56916 diff -urNp linux-3.1.1/include/acpi/acpi_bus.h linux-3.1.1/include/acpi/acpi_bus.h
56917 --- linux-3.1.1/include/acpi/acpi_bus.h 2011-11-11 15:19:27.000000000 -0500
56918 +++ linux-3.1.1/include/acpi/acpi_bus.h 2011-11-16 18:39:08.000000000 -0500
56919 @@ -107,7 +107,7 @@ struct acpi_device_ops {
56920         acpi_op_bind bind;
56921         acpi_op_unbind unbind;
56922         acpi_op_notify notify;
56923 -};
56924 +} __no_const;
56925  
56926  #define ACPI_DRIVER_ALL_NOTIFY_EVENTS  0x1     /* system AND device events */
56927  
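Review bot: The `__no_const` annotation on `struct acpi_device_ops` is not explained anywhere in the hunk, and the same applies to the `struct drm_crtc_helper_funcs`/`struct drm_encoder_helper_funcs` and `struct ttm_mem_shrink` hunks and to `__do_const` on `struct block_device_operations` later in this chunk. These look like opt-out/opt-in markers for the PaX constify plugin (function-pointer structures that must not, or must, be made read-only), but a reader of the header cannot tell that, nor which runtime write forces the exemption. A one-line comment at each site, e.g. `} __no_const; /* written at runtime; excluded from constification */`, would let the next maintainer judge whether the exemption is still needed when the struct changes.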
56928 diff -urNp linux-3.1.1/include/asm-generic/atomic-long.h linux-3.1.1/include/asm-generic/atomic-long.h
56929 --- linux-3.1.1/include/asm-generic/atomic-long.h       2011-11-11 15:19:27.000000000 -0500
56930 +++ linux-3.1.1/include/asm-generic/atomic-long.h       2011-11-16 18:39:08.000000000 -0500
56931 @@ -22,6 +22,12 @@
56932  
56933  typedef atomic64_t atomic_long_t;
56934  
56935 +#ifdef CONFIG_PAX_REFCOUNT
56936 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
56937 +#else
56938 +typedef atomic64_t atomic_long_unchecked_t;
56939 +#endif
56940 +
56941  #define ATOMIC_LONG_INIT(i)    ATOMIC64_INIT(i)
56942  
56943  static inline long atomic_long_read(atomic_long_t *l)
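Review bot: `atomic_long_unchecked_t` is introduced without any statement of what "unchecked" means or when it may be used, and the same is true of the accessor hunks that follow (`atomic_long_read_unchecked` through `atomic_long_inc_return_unchecked` in both the 64-bit and 32-bit halves of the header). As far as I can tell from the `CONFIG_PAX_REFCOUNT` conditional, the unchecked type is the variant exempt from reference-count overflow detection, which makes choosing it a security decision rather than a style one. I would add above the typedef: `/* Not overflow-checked under CONFIG_PAX_REFCOUNT: only for counters that are not reference counts (statistics etc.). */`.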
56944 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
56945         return (long)atomic64_read(v);
56946  }
56947  
56948 +#ifdef CONFIG_PAX_REFCOUNT
56949 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
56950 +{
56951 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56952 +
56953 +       return (long)atomic64_read_unchecked(v);
56954 +}
56955 +#endif
56956 +
56957  static inline void atomic_long_set(atomic_long_t *l, long i)
56958  {
56959         atomic64_t *v = (atomic64_t *)l;
56960 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
56961         atomic64_set(v, i);
56962  }
56963  
56964 +#ifdef CONFIG_PAX_REFCOUNT
56965 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
56966 +{
56967 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56968 +
56969 +       atomic64_set_unchecked(v, i);
56970 +}
56971 +#endif
56972 +
56973  static inline void atomic_long_inc(atomic_long_t *l)
56974  {
56975         atomic64_t *v = (atomic64_t *)l;
56976 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
56977         atomic64_inc(v);
56978  }
56979  
56980 +#ifdef CONFIG_PAX_REFCOUNT
56981 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
56982 +{
56983 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56984 +
56985 +       atomic64_inc_unchecked(v);
56986 +}
56987 +#endif
56988 +
56989  static inline void atomic_long_dec(atomic_long_t *l)
56990  {
56991         atomic64_t *v = (atomic64_t *)l;
56992 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
56993         atomic64_dec(v);
56994  }
56995  
56996 +#ifdef CONFIG_PAX_REFCOUNT
56997 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
56998 +{
56999 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57000 +
57001 +       atomic64_dec_unchecked(v);
57002 +}
57003 +#endif
57004 +
57005  static inline void atomic_long_add(long i, atomic_long_t *l)
57006  {
57007         atomic64_t *v = (atomic64_t *)l;
57008 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long 
57009         atomic64_add(i, v);
57010  }
57011  
57012 +#ifdef CONFIG_PAX_REFCOUNT
57013 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
57014 +{
57015 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57016 +
57017 +       atomic64_add_unchecked(i, v);
57018 +}
57019 +#endif
57020 +
57021  static inline void atomic_long_sub(long i, atomic_long_t *l)
57022  {
57023         atomic64_t *v = (atomic64_t *)l;
57024 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long 
57025         atomic64_sub(i, v);
57026  }
57027  
57028 +#ifdef CONFIG_PAX_REFCOUNT
57029 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
57030 +{
57031 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57032 +
57033 +       atomic64_sub_unchecked(i, v);
57034 +}
57035 +#endif
57036 +
57037  static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
57038  {
57039         atomic64_t *v = (atomic64_t *)l;
57040 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
57041         return (long)atomic64_inc_return(v);
57042  }
57043  
57044 +#ifdef CONFIG_PAX_REFCOUNT
57045 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
57046 +{
57047 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57048 +
57049 +       return (long)atomic64_inc_return_unchecked(v);
57050 +}
57051 +#endif
57052 +
57053  static inline long atomic_long_dec_return(atomic_long_t *l)
57054  {
57055         atomic64_t *v = (atomic64_t *)l;
57056 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
57057  
57058  typedef atomic_t atomic_long_t;
57059  
57060 +#ifdef CONFIG_PAX_REFCOUNT
57061 +typedef atomic_unchecked_t atomic_long_unchecked_t;
57062 +#else
57063 +typedef atomic_t atomic_long_unchecked_t;
57064 +#endif
57065 +
57066  #define ATOMIC_LONG_INIT(i)    ATOMIC_INIT(i)
57067  static inline long atomic_long_read(atomic_long_t *l)
57068  {
57069 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
57070         return (long)atomic_read(v);
57071  }
57072  
57073 +#ifdef CONFIG_PAX_REFCOUNT
57074 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
57075 +{
57076 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57077 +
57078 +       return (long)atomic_read_unchecked(v);
57079 +}
57080 +#endif
57081 +
57082  static inline void atomic_long_set(atomic_long_t *l, long i)
57083  {
57084         atomic_t *v = (atomic_t *)l;
57085 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
57086         atomic_set(v, i);
57087  }
57088  
57089 +#ifdef CONFIG_PAX_REFCOUNT
57090 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
57091 +{
57092 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57093 +
57094 +       atomic_set_unchecked(v, i);
57095 +}
57096 +#endif
57097 +
57098  static inline void atomic_long_inc(atomic_long_t *l)
57099  {
57100         atomic_t *v = (atomic_t *)l;
57101 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
57102         atomic_inc(v);
57103  }
57104  
57105 +#ifdef CONFIG_PAX_REFCOUNT
57106 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
57107 +{
57108 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57109 +
57110 +       atomic_inc_unchecked(v);
57111 +}
57112 +#endif
57113 +
57114  static inline void atomic_long_dec(atomic_long_t *l)
57115  {
57116         atomic_t *v = (atomic_t *)l;
57117 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
57118         atomic_dec(v);
57119  }
57120  
57121 +#ifdef CONFIG_PAX_REFCOUNT
57122 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
57123 +{
57124 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57125 +
57126 +       atomic_dec_unchecked(v);
57127 +}
57128 +#endif
57129 +
57130  static inline void atomic_long_add(long i, atomic_long_t *l)
57131  {
57132         atomic_t *v = (atomic_t *)l;
57133 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long 
57134         atomic_add(i, v);
57135  }
57136  
57137 +#ifdef CONFIG_PAX_REFCOUNT
57138 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
57139 +{
57140 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57141 +
57142 +       atomic_add_unchecked(i, v);
57143 +}
57144 +#endif
57145 +
57146  static inline void atomic_long_sub(long i, atomic_long_t *l)
57147  {
57148         atomic_t *v = (atomic_t *)l;
57149 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long 
57150         atomic_sub(i, v);
57151  }
57152  
57153 +#ifdef CONFIG_PAX_REFCOUNT
57154 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
57155 +{
57156 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57157 +
57158 +       atomic_sub_unchecked(i, v);
57159 +}
57160 +#endif
57161 +
57162  static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
57163  {
57164         atomic_t *v = (atomic_t *)l;
57165 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
57166         return (long)atomic_inc_return(v);
57167  }
57168  
57169 +#ifdef CONFIG_PAX_REFCOUNT
57170 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
57171 +{
57172 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57173 +
57174 +       return (long)atomic_inc_return_unchecked(v);
57175 +}
57176 +#endif
57177 +
57178  static inline long atomic_long_dec_return(atomic_long_t *l)
57179  {
57180         atomic_t *v = (atomic_t *)l;
57181 @@ -255,4 +393,49 @@ static inline long atomic_long_add_unles
57182  
57183  #endif  /*  BITS_PER_LONG == 64  */
57184  
57185 +#ifdef CONFIG_PAX_REFCOUNT
57186 +static inline void pax_refcount_needs_these_functions(void)
57187 +{
57188 +       atomic_read_unchecked((atomic_unchecked_t *)NULL);
57189 +       atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
57190 +       atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
57191 +       atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
57192 +       atomic_inc_unchecked((atomic_unchecked_t *)NULL);
57193 +       (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
57194 +       atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
57195 +       atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
57196 +       atomic_dec_unchecked((atomic_unchecked_t *)NULL);
57197 +       atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
57198 +       (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
57199 +
57200 +       atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
57201 +       atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
57202 +       atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
57203 +       atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
57204 +       atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
57205 +       atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
57206 +       atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
57207 +}
57208 +#else
57209 +#define atomic_read_unchecked(v) atomic_read(v)
57210 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
57211 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
57212 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
57213 +#define atomic_inc_unchecked(v) atomic_inc(v)
57214 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
57215 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
57216 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
57217 +#define atomic_dec_unchecked(v) atomic_dec(v)
57218 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
57219 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
57220 +
57221 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
57222 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
57223 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
57224 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
57225 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
57226 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
57227 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
57228 +#endif
57229 +
57230  #endif  /*  _ASM_GENERIC_ATOMIC_LONG_H  */
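Review bot: `pax_refcount_needs_these_functions()` needs a comment saying why a never-called function that passes NULL to every primitive exists; the name suggests it is a compile-time probe that turns a missing arch-level `*_unchecked` implementation into a build error when `CONFIG_PAX_REFCOUNT` is set, but nothing in the hunk says so. The `(void)` cast is applied to `atomic_inc_and_test_unchecked` and `atomic_xchg_unchecked` only, while the other value-returning calls (`atomic_inc_return_unchecked`, `atomic_add_return_unchecked`, `atomic_cmpxchg_unchecked`, `atomic_long_read_unchecked`, `atomic_long_inc_return_unchecked`) discard their result without one; presumably those two are `__must_check`, but applying `(void)` uniformly would survive future annotation changes. I would open the function with `/* never called: fails the build if an architecture lacks any of the *_unchecked primitives CONFIG_PAX_REFCOUNT requires */`.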
57231 diff -urNp linux-3.1.1/include/asm-generic/cache.h linux-3.1.1/include/asm-generic/cache.h
57232 --- linux-3.1.1/include/asm-generic/cache.h     2011-11-11 15:19:27.000000000 -0500
57233 +++ linux-3.1.1/include/asm-generic/cache.h     2011-11-16 18:39:08.000000000 -0500
57234 @@ -6,7 +6,7 @@
57235   * cache lines need to provide their own cache.h.
57236   */
57237  
57238 -#define L1_CACHE_SHIFT         5
57239 -#define L1_CACHE_BYTES         (1 << L1_CACHE_SHIFT)
57240 +#define L1_CACHE_SHIFT         5UL
57241 +#define L1_CACHE_BYTES         (1UL << L1_CACHE_SHIFT)
57242  
57243  #endif /* __ASM_GENERIC_CACHE_H */
57244 diff -urNp linux-3.1.1/include/asm-generic/int-l64.h linux-3.1.1/include/asm-generic/int-l64.h
57245 --- linux-3.1.1/include/asm-generic/int-l64.h   2011-11-11 15:19:27.000000000 -0500
57246 +++ linux-3.1.1/include/asm-generic/int-l64.h   2011-11-16 18:39:08.000000000 -0500
57247 @@ -46,6 +46,8 @@ typedef unsigned int u32;
57248  typedef signed long s64;
57249  typedef unsigned long u64;
57250  
57251 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
57252 +
57253  #define S8_C(x)  x
57254  #define U8_C(x)  x ## U
57255  #define S16_C(x) x
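Review bot: `intoverflow_t` is added with no comment on its role, and its definition differs between this header and int-ll64.h without any cross-reference. Here it is a 128-bit unsigned type via `mode(TI)`, which requires 128-bit integer support on the target; that holds for the 64-bit architectures that use int-l64.h, but the assumption should be written down, e.g. `/* wider than unsigned long so that size arithmetic can be checked for overflow; needs 128-bit integer support */`, so the next port does not copy the typedef blindly. Whether the type is actually used for size-overflow checks is my reading of the name, which the hunk does not confirm.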
57256 diff -urNp linux-3.1.1/include/asm-generic/int-ll64.h linux-3.1.1/include/asm-generic/int-ll64.h
57257 --- linux-3.1.1/include/asm-generic/int-ll64.h  2011-11-11 15:19:27.000000000 -0500
57258 +++ linux-3.1.1/include/asm-generic/int-ll64.h  2011-11-16 18:39:08.000000000 -0500
57259 @@ -51,6 +51,8 @@ typedef unsigned int u32;
57260  typedef signed long long s64;
57261  typedef unsigned long long u64;
57262  
57263 +typedef unsigned long long intoverflow_t;
57264 +
57265  #define S8_C(x)  x
57266  #define U8_C(x)  x ## U
57267  #define S16_C(x) x
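Review bot: On this branch `intoverflow_t` is `unsigned long long`, which is the same width as `unsigned long` on the 64-bit architectures that use int-ll64.h (x86_64 among them, if I remember the header selection correctly), so widening a `size_t` product into it cannot detect overflow there, unlike the `mode(TI)` definition in int-l64.h. If the type is meant for overflow checks on size arithmetic, its width should be selected by `CONFIG_64BIT` (128-bit type when set, `unsigned long long` otherwise) rather than by which integer header an architecture happens to pick. Failing that, a comment should state that 64-bit users of this header get no widening, so callers do not rely on it.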
57268 diff -urNp linux-3.1.1/include/asm-generic/kmap_types.h linux-3.1.1/include/asm-generic/kmap_types.h
57269 --- linux-3.1.1/include/asm-generic/kmap_types.h        2011-11-11 15:19:27.000000000 -0500
57270 +++ linux-3.1.1/include/asm-generic/kmap_types.h        2011-11-16 18:39:08.000000000 -0500
57271 @@ -29,10 +29,11 @@ KMAP_D(16)  KM_IRQ_PTE,
57272  KMAP_D(17)     KM_NMI,
57273  KMAP_D(18)     KM_NMI_PTE,
57274  KMAP_D(19)     KM_KDB,
57275 +KMAP_D(20)     KM_CLEARPAGE,
57276  /*
57277   * Remember to update debug_kmap_atomic() when adding new kmap types!
57278   */
57279 -KMAP_D(20)     KM_TYPE_NR
57280 +KMAP_D(21)     KM_TYPE_NR
57281  };
57282  
57283  #undef KMAP_D
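Review bot: `KM_CLEARPAGE` is inserted immediately above the header's own reminder to update `debug_kmap_atomic()` when adding kmap types, yet that update is not part of this hunk; it may well live elsewhere in the patch, but it is worth confirming, since a stale table there would mis-report the new slot. A short comment on the new entry naming the code that uses it, in the form `KMAP_D(20)     KM_CLEARPAGE,   /* PaX: <user of this slot> */`, would also help, as every other entry's purpose is at least implied by its name.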
57284 diff -urNp linux-3.1.1/include/asm-generic/pgtable.h linux-3.1.1/include/asm-generic/pgtable.h
57285 --- linux-3.1.1/include/asm-generic/pgtable.h   2011-11-11 15:19:27.000000000 -0500
57286 +++ linux-3.1.1/include/asm-generic/pgtable.h   2011-11-16 18:39:08.000000000 -0500
57287 @@ -443,6 +443,14 @@ static inline int pmd_write(pmd_t pmd)
57288  #endif /* __HAVE_ARCH_PMD_WRITE */
57289  #endif
57290  
57291 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
57292 +static inline unsigned long pax_open_kernel(void) { return 0; }
57293 +#endif
57294 +
57295 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
57296 +static inline unsigned long pax_close_kernel(void) { return 0; }
57297 +#endif
57298 +
57299  #endif /* !__ASSEMBLY__ */
57300  
57301  #endif /* _ASM_GENERIC_PGTABLE_H */
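Review bot: The default `pax_open_kernel()`/`pax_close_kernel()` stubs need a comment explaining the contract they stand in for, because a reader sees two functions returning an `unsigned long` that nothing here consumes. From the `__HAVE_ARCH_*` guards these are the no-op fallbacks for architectures that do not implement the open/close pairing around writes to otherwise read-only kernel data, and the return value is presumably arch state the real implementations need; neither fact is visible in the hunk. I would add above the first guard: `/* Default no-ops for architectures without write protection of kernel data; an arch that implements it defines __HAVE_ARCH_PAX_OPEN_KERNEL / __HAVE_ARCH_PAX_CLOSE_KERNEL and supplies its own pair. */`.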
57302 diff -urNp linux-3.1.1/include/asm-generic/pgtable-nopmd.h linux-3.1.1/include/asm-generic/pgtable-nopmd.h
57303 --- linux-3.1.1/include/asm-generic/pgtable-nopmd.h     2011-11-11 15:19:27.000000000 -0500
57304 +++ linux-3.1.1/include/asm-generic/pgtable-nopmd.h     2011-11-16 18:39:08.000000000 -0500
57305 @@ -1,14 +1,19 @@
57306  #ifndef _PGTABLE_NOPMD_H
57307  #define _PGTABLE_NOPMD_H
57308  
57309 -#ifndef __ASSEMBLY__
57310 -
57311  #include <asm-generic/pgtable-nopud.h>
57312  
57313 -struct mm_struct;
57314 -
57315  #define __PAGETABLE_PMD_FOLDED
57316  
57317 +#define PMD_SHIFT      PUD_SHIFT
57318 +#define PTRS_PER_PMD   1
57319 +#define PMD_SIZE       (_AC(1,UL) << PMD_SHIFT)
57320 +#define PMD_MASK       (~(PMD_SIZE-1))
57321 +
57322 +#ifndef __ASSEMBLY__
57323 +
57324 +struct mm_struct;
57325 +
57326  /*
57327   * Having the pmd type consist of a pud gets the size right, and allows
57328   * us to conceptually access the pud entry that this pmd is folded into
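Review bot: The relocated `PMD_SIZE` now uses `_AC(1,UL)` instead of `1UL`, which makes the macro usable from assembly, but `_AC` comes from `linux/const.h` and no include for it is visible in this header or in pgtable-nopud.h, which makes the same change to `PUD_SIZE`. If the macro is expected to arrive through whichever header includes these, that is fragile for a header now explicitly meant to be usable outside `#ifndef __ASSEMBLY__`; adding `#include <linux/const.h>` near the top of both headers makes the dependency explicit. A one-line comment `/* kept outside __ASSEMBLY__ so the constants are usable from .S files */` above the moved block would also explain the reordering.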
57329 @@ -16,11 +21,6 @@ struct mm_struct;
57330   */
57331  typedef struct { pud_t pud; } pmd_t;
57332  
57333 -#define PMD_SHIFT      PUD_SHIFT
57334 -#define PTRS_PER_PMD   1
57335 -#define PMD_SIZE       (1UL << PMD_SHIFT)
57336 -#define PMD_MASK       (~(PMD_SIZE-1))
57337 -
57338  /*
57339   * The "pud_xxx()" functions here are trivial for a folded two-level
57340   * setup: the pmd is never bad, and a pmd always exists (as it's folded
57341 diff -urNp linux-3.1.1/include/asm-generic/pgtable-nopud.h linux-3.1.1/include/asm-generic/pgtable-nopud.h
57342 --- linux-3.1.1/include/asm-generic/pgtable-nopud.h     2011-11-11 15:19:27.000000000 -0500
57343 +++ linux-3.1.1/include/asm-generic/pgtable-nopud.h     2011-11-16 18:39:08.000000000 -0500
57344 @@ -1,10 +1,15 @@
57345  #ifndef _PGTABLE_NOPUD_H
57346  #define _PGTABLE_NOPUD_H
57347  
57348 -#ifndef __ASSEMBLY__
57349 -
57350  #define __PAGETABLE_PUD_FOLDED
57351  
57352 +#define PUD_SHIFT      PGDIR_SHIFT
57353 +#define PTRS_PER_PUD   1
57354 +#define PUD_SIZE       (_AC(1,UL) << PUD_SHIFT)
57355 +#define PUD_MASK       (~(PUD_SIZE-1))
57356 +
57357 +#ifndef __ASSEMBLY__
57358 +
57359  /*
57360   * Having the pud type consist of a pgd gets the size right, and allows
57361   * us to conceptually access the pgd entry that this pud is folded into
57362 @@ -12,11 +17,6 @@
57363   */
57364  typedef struct { pgd_t pgd; } pud_t;
57365  
57366 -#define PUD_SHIFT      PGDIR_SHIFT
57367 -#define PTRS_PER_PUD   1
57368 -#define PUD_SIZE       (1UL << PUD_SHIFT)
57369 -#define PUD_MASK       (~(PUD_SIZE-1))
57370 -
57371  /*
57372   * The "pgd_xxx()" functions here are trivial for a folded two-level
57373   * setup: the pud is never bad, and a pud always exists (as it's folded
57374 diff -urNp linux-3.1.1/include/asm-generic/vmlinux.lds.h linux-3.1.1/include/asm-generic/vmlinux.lds.h
57375 --- linux-3.1.1/include/asm-generic/vmlinux.lds.h       2011-11-11 15:19:27.000000000 -0500
57376 +++ linux-3.1.1/include/asm-generic/vmlinux.lds.h       2011-11-16 18:39:08.000000000 -0500
57377 @@ -217,6 +217,7 @@
57378         .rodata           : AT(ADDR(.rodata) - LOAD_OFFSET) {           \
57379                 VMLINUX_SYMBOL(__start_rodata) = .;                     \
57380                 *(.rodata) *(.rodata.*)                                 \
57381 +               *(.data..read_only)                                     \
57382                 *(__vermagic)           /* Kernel version magic */      \
57383                 . = ALIGN(8);                                           \
57384                 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .;         \
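Review bot: The new `*(.data..read_only)` input section is the only line in this part of the `.rodata` output section without a trailing comment, while the neighbouring `*(__vermagic)` has one. Because objects placed here end up in the read-only mapping, the line deserves `*(.data..read_only) /* PaX: data placed in the read-only segment */` or similar, so that nobody later moves it or assumes it is writable.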
57385 @@ -723,17 +724,18 @@
57386   * section in the linker script will go there too.  @phdr should have
57387   * a leading colon.
57388   *
57389 - * Note that this macros defines __per_cpu_load as an absolute symbol.
57390 + * Note that this macros defines per_cpu_load as an absolute symbol.
57391   * If there is no need to put the percpu section at a predetermined
57392   * address, use PERCPU_SECTION.
57393   */
57394  #define PERCPU_VADDR(cacheline, vaddr, phdr)                           \
57395 -       VMLINUX_SYMBOL(__per_cpu_load) = .;                             \
57396 -       .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load)         \
57397 +       per_cpu_load = .;                                               \
57398 +       .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load)           \
57399                                 - LOAD_OFFSET) {                        \
57400 +               VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load;      \
57401                 PERCPU_INPUT(cacheline)                                 \
57402         } phdr                                                          \
57403 -       . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
57404 +       . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
57405  
57406  /**
57407   * PERCPU_SECTION - define output section for percpu area, simple version
57408 diff -urNp linux-3.1.1/include/drm/drm_crtc_helper.h linux-3.1.1/include/drm/drm_crtc_helper.h
57409 --- linux-3.1.1/include/drm/drm_crtc_helper.h   2011-11-11 15:19:27.000000000 -0500
57410 +++ linux-3.1.1/include/drm/drm_crtc_helper.h   2011-11-16 18:39:08.000000000 -0500
57411 @@ -74,7 +74,7 @@ struct drm_crtc_helper_funcs {
57412  
57413         /* disable crtc when not in use - more explicit than dpms off */
57414         void (*disable)(struct drm_crtc *crtc);
57415 -};
57416 +} __no_const;
57417  
57418  struct drm_encoder_helper_funcs {
57419         void (*dpms)(struct drm_encoder *encoder, int mode);
57420 @@ -95,7 +95,7 @@ struct drm_encoder_helper_funcs {
57421                                             struct drm_connector *connector);
57422         /* disable encoder when not in use - more explicit than dpms off */
57423         void (*disable)(struct drm_encoder *encoder);
57424 -};
57425 +} __no_const;
57426  
57427  struct drm_connector_helper_funcs {
57428         int (*get_modes)(struct drm_connector *connector);
57429 diff -urNp linux-3.1.1/include/drm/drmP.h linux-3.1.1/include/drm/drmP.h
57430 --- linux-3.1.1/include/drm/drmP.h      2011-11-11 15:19:27.000000000 -0500
57431 +++ linux-3.1.1/include/drm/drmP.h      2011-11-16 18:39:08.000000000 -0500
57432 @@ -73,6 +73,7 @@
57433  #include <linux/workqueue.h>
57434  #include <linux/poll.h>
57435  #include <asm/pgalloc.h>
57436 +#include <asm/local.h>
57437  #include "drm.h"
57438  
57439  #include <linux/idr.h>
57440 @@ -1035,7 +1036,7 @@ struct drm_device {
57441  
57442         /** \name Usage Counters */
57443         /*@{ */
57444 -       int open_count;                 /**< Outstanding files open */
57445 +       local_t open_count;             /**< Outstanding files open */
57446         atomic_t ioctl_count;           /**< Outstanding IOCTLs pending */
57447         atomic_t vma_count;             /**< Outstanding vma areas open */
57448         int buf_use;                    /**< Buffers in use -- cannot alloc */
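Review bot: Changing `open_count` from `int` to `local_t` deserves a comment on the locking it relies on, because `local_t` operations (from the `asm/local.h` this patch now includes) are only guaranteed atomic with respect to the CPU owning the variable, not across CPUs, and `struct drm_device` is not per-CPU data. The conversion is therefore only sound if every access is serialised by one lock, presumably `drm_global_mutex`; the callers are outside this hunk, so I cannot confirm that. I would extend the field comment to `local_t open_count; /**< Outstanding files open; serialised by drm_global_mutex */` once the callers have been checked.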
57449 @@ -1046,7 +1047,7 @@ struct drm_device {
57450         /*@{ */
57451         unsigned long counters;
57452         enum drm_stat_type types[15];
57453 -       atomic_t counts[15];
57454 +       atomic_unchecked_t counts[15];
57455         /*@} */
57456  
57457         struct list_head filelist;
57458 diff -urNp linux-3.1.1/include/drm/ttm/ttm_memory.h linux-3.1.1/include/drm/ttm/ttm_memory.h
57459 --- linux-3.1.1/include/drm/ttm/ttm_memory.h    2011-11-11 15:19:27.000000000 -0500
57460 +++ linux-3.1.1/include/drm/ttm/ttm_memory.h    2011-11-16 18:39:08.000000000 -0500
57461 @@ -47,7 +47,7 @@
57462  
57463  struct ttm_mem_shrink {
57464         int (*do_shrink) (struct ttm_mem_shrink *);
57465 -};
57466 +} __no_const;
57467  
57468  /**
57469   * struct ttm_mem_global - Global memory accounting structure.
57470 diff -urNp linux-3.1.1/include/linux/a.out.h linux-3.1.1/include/linux/a.out.h
57471 --- linux-3.1.1/include/linux/a.out.h   2011-11-11 15:19:27.000000000 -0500
57472 +++ linux-3.1.1/include/linux/a.out.h   2011-11-16 18:39:08.000000000 -0500
57473 @@ -39,6 +39,14 @@ enum machine_type {
57474    M_MIPS2 = 152                /* MIPS R6000/R4000 binary */
57475  };
57476  
57477 +/* Constants for the N_FLAGS field */
57478 +#define F_PAX_PAGEEXEC 1       /* Paging based non-executable pages */
57479 +#define F_PAX_EMUTRAMP 2       /* Emulate trampolines */
57480 +#define F_PAX_MPROTECT 4       /* Restrict mprotect() */
57481 +#define F_PAX_RANDMMAP 8       /* Randomize mmap() base */
57482 +/*#define F_PAX_RANDEXEC       16*/    /* Randomize ET_EXEC base */
57483 +#define F_PAX_SEGMEXEC 32      /* Segmentation based non-executable pages */
57484 +
57485  #if !defined (N_MAGIC)
57486  #define N_MAGIC(exec) ((exec).a_info & 0xffff)
57487  #endif
57488 diff -urNp linux-3.1.1/include/linux/atmdev.h linux-3.1.1/include/linux/atmdev.h
57489 --- linux-3.1.1/include/linux/atmdev.h  2011-11-11 15:19:27.000000000 -0500
57490 +++ linux-3.1.1/include/linux/atmdev.h  2011-11-16 18:39:08.000000000 -0500
57491 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
57492  #endif
57493  
57494  struct k_atm_aal_stats {
57495 -#define __HANDLE_ITEM(i) atomic_t i
57496 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
57497         __AAL_STAT_ITEMS
57498  #undef __HANDLE_ITEM
57499  };
57500 diff -urNp linux-3.1.1/include/linux/binfmts.h linux-3.1.1/include/linux/binfmts.h
57501 --- linux-3.1.1/include/linux/binfmts.h 2011-11-11 15:19:27.000000000 -0500
57502 +++ linux-3.1.1/include/linux/binfmts.h 2011-11-16 18:39:08.000000000 -0500
57503 @@ -88,6 +88,7 @@ struct linux_binfmt {
57504         int (*load_binary)(struct linux_binprm *, struct  pt_regs * regs);
57505         int (*load_shlib)(struct file *);
57506         int (*core_dump)(struct coredump_params *cprm);
57507 +       void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
57508         unsigned long min_coredump;     /* minimal dump size */
57509  };
57510  
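Review bot: The new `handle_mprotect` callback in `struct linux_binfmt` is the only member in the hunk without a comment, whereas `min_coredump` next to it documents itself; as a new hook in a widely implemented interface it should say whether it is optional and when it fires. I would write `void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags); /* optional: called when mprotect() changes vma to newflags */`, with "optional" and the timing being my reading, which the callers outside this hunk must confirm.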
57511 diff -urNp linux-3.1.1/include/linux/blkdev.h linux-3.1.1/include/linux/blkdev.h
57512 --- linux-3.1.1/include/linux/blkdev.h  2011-11-11 15:19:27.000000000 -0500
57513 +++ linux-3.1.1/include/linux/blkdev.h  2011-11-16 18:39:08.000000000 -0500
57514 @@ -1321,7 +1321,7 @@ struct block_device_operations {
57515         /* this callback is with swap_lock and sometimes page table lock held */
57516         void (*swap_slot_free_notify) (struct block_device *, unsigned long);
57517         struct module *owner;
57518 -};
57519 +} __do_const;
57520  
57521  extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
57522                                  unsigned long);
57523 diff -urNp linux-3.1.1/include/linux/blktrace_api.h linux-3.1.1/include/linux/blktrace_api.h
57524 --- linux-3.1.1/include/linux/blktrace_api.h    2011-11-11 15:19:27.000000000 -0500
57525 +++ linux-3.1.1/include/linux/blktrace_api.h    2011-11-16 18:39:08.000000000 -0500
57526 @@ -162,7 +162,7 @@ struct blk_trace {
57527         struct dentry *dir;
57528         struct dentry *dropped_file;
57529         struct dentry *msg_file;
57530 -       atomic_t dropped;
57531 +       atomic_unchecked_t dropped;
57532  };
57533  
57534  extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
57535 diff -urNp linux-3.1.1/include/linux/byteorder/little_endian.h linux-3.1.1/include/linux/byteorder/little_endian.h
57536 --- linux-3.1.1/include/linux/byteorder/little_endian.h 2011-11-11 15:19:27.000000000 -0500
57537 +++ linux-3.1.1/include/linux/byteorder/little_endian.h 2011-11-16 18:39:08.000000000 -0500
57538 @@ -42,51 +42,51 @@
57539  
57540  static inline __le64 __cpu_to_le64p(const __u64 *p)
57541  {
57542 -       return (__force __le64)*p;
57543 +       return (__force const __le64)*p;
57544  }
57545  static inline __u64 __le64_to_cpup(const __le64 *p)
57546  {
57547 -       return (__force __u64)*p;
57548 +       return (__force const __u64)*p;
57549  }
57550  static inline __le32 __cpu_to_le32p(const __u32 *p)
57551  {
57552 -       return (__force __le32)*p;
57553 +       return (__force const __le32)*p;
57554  }
57555  static inline __u32 __le32_to_cpup(const __le32 *p)
57556  {
57557 -       return (__force __u32)*p;
57558 +       return (__force const __u32)*p;
57559  }
57560  static inline __le16 __cpu_to_le16p(const __u16 *p)
57561  {
57562 -       return (__force __le16)*p;
57563 +       return (__force const __le16)*p;
57564  }
57565  static inline __u16 __le16_to_cpup(const __le16 *p)
57566  {
57567 -       return (__force __u16)*p;
57568 +       return (__force const __u16)*p;
57569  }
57570  static inline __be64 __cpu_to_be64p(const __u64 *p)
57571  {
57572 -       return (__force __be64)__swab64p(p);
57573 +       return (__force const __be64)__swab64p(p);
57574  }
57575  static inline __u64 __be64_to_cpup(const __be64 *p)
57576  {
57577 -       return __swab64p((__u64 *)p);
57578 +       return __swab64p((const __u64 *)p);
57579  }
57580  static inline __be32 __cpu_to_be32p(const __u32 *p)
57581  {
57582 -       return (__force __be32)__swab32p(p);
57583 +       return (__force const __be32)__swab32p(p);
57584  }
57585  static inline __u32 __be32_to_cpup(const __be32 *p)
57586  {
57587 -       return __swab32p((__u32 *)p);
57588 +       return __swab32p((const __u32 *)p);
57589  }
57590  static inline __be16 __cpu_to_be16p(const __u16 *p)
57591  {
57592 -       return (__force __be16)__swab16p(p);
57593 +       return (__force const __be16)__swab16p(p);
57594  }
57595  static inline __u16 __be16_to_cpup(const __be16 *p)
57596  {
57597 -       return __swab16p((__u16 *)p);
57598 +       return __swab16p((const __u16 *)p);
57599  }
57600  #define __cpu_to_le64s(x) do { (void)(x); } while (0)
57601  #define __le64_to_cpus(x) do { (void)(x); } while (0)
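Review bot: The `const` added to the value casts (`(__force const __le64)*p` and the other five scalar casts, plus the three `(__force const __be64)__swab64p(p)` forms) has no effect in standard C, because a cast yields an unqualified rvalue (C11 6.5.4p5); only the `(const __u64 *)p` pointer casts in `__be64_to_cpup`, `__be32_to_cpup` and `__be16_to_cpup` change anything, by no longer casting away the pointee's const. If the qualifier is there for a checker or compiler plugin rather than for the compiler, a comment at the top of the hunk should say so, e.g. `/* const on the value casts is consumed by the checker/constify plugin; plain C drops it */`; otherwise dropping it keeps the code honest. The pointer change also requires `__swab64p` and friends to accept a `const` pointer; their prototypes are outside this hunk.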
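--- a/include/linux/cache.h
+++ b/include/linux/cache.h
@@ -16,6 +16,10 @@
 #define __read_mostly
 #endif
 
+#ifndef __read_only
+#define __read_only __read_mostly
+#endif
+
 #ifndef ____cacheline_aligned
 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
 #endif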
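Review bot: The fallback `#define __read_only __read_mostly` means that on any architecture that does not define `__read_only` itself, data annotated `__read_only` is merely grouped with read-mostly data and stays writable, so the annotation gives no write protection there. A comment on the fallback would stop readers from assuming a protected section: `/* fallback: no write-protected data section on this arch; identical to __read_mostly */`. Whether any architecture in this patch provides a real `__read_only` is outside this hunk.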
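--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -547,6 +547,9 @@ extern bool capable(int cap);
 extern bool ns_capable(struct user_namespace *ns, int cap);
 extern bool task_ns_capable(struct task_struct *t, int cap);
 extern bool nsown_capable(int cap);
+extern bool task_ns_capable_nolog(struct task_struct *t, int cap);
+extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
+extern bool capable_nolog(int cap);
 
 /* audit system wants to get cap info from files as well */
 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);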
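Review bot: The three new `*_nolog` prototypes are declared without a comment distinguishing them from `capable()`, `ns_capable()` and `task_ns_capable()` directly above, so a caller cannot tell from the header when the non-logging variant is the right one. The suffix suggests a check that skips the capability-denial audit message, presumably for probes whose failure is expected and not policy-relevant; a short block comment above `task_ns_capable_nolog` saying that, and that the return value is otherwise identical to the logging form, would make the API self-describing. The definitions are elsewhere in the patch and not visible here.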
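--- a/include/linux/cleancache.h
+++ b/include/linux/cleancache.h
@@ -31,7 +31,7 @@ struct cleancache_ops {
        void (*flush_page)(int, struct cleancache_filekey, pgoff_t);
        void (*flush_inode)(int, struct cleancache_filekey);
        void (*flush_fs)(int);
-};
+} __no_const;
 
 extern struct cleancache_ops
        cleancache_register_ops(struct cleancache_ops *ops);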
57641 diff -urNp linux-3.1.1/include/linux/compiler-gcc4.h linux-3.1.1/include/linux/compiler-gcc4.h
57642 --- linux-3.1.1/include/linux/compiler-gcc4.h   2011-11-11 15:19:27.000000000 -0500
57643 +++ linux-3.1.1/include/linux/compiler-gcc4.h   2011-11-16 18:39:08.000000000 -0500
57644 @@ -31,6 +31,12 @@
57645  
57646  
57647  #if __GNUC_MINOR__ >= 5
57648 +
57649 +#ifdef CONSTIFY_PLUGIN
57650 +#define __no_const __attribute__((no_const))
57651 +#define __do_const __attribute__((do_const))
57652 +#endif
57653 +
57654  /*
57655   * Mark a position in code as unreachable.  This can be used to
57656   * suppress control flow warnings after asm blocks that transfer
57657 @@ -46,6 +52,11 @@
57658  #define __noclone      __attribute__((__noclone__))
57659  
57660  #endif
57661 +
57662 +#define __alloc_size(...)      __attribute((alloc_size(__VA_ARGS__)))
57663 +#define __bos(ptr, arg)                __builtin_object_size((ptr), (arg))
57664 +#define __bos0(ptr)            __bos((ptr), 0)
57665 +#define __bos1(ptr)            __bos((ptr), 1)
57666  #endif
57667  
57668  #if __GNUC_MINOR__ > 0
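Review bot: `__alloc_size(...)` in the second hunk is spelled with `__attribute(` while every neighbouring macro in this file (`__noclone` above it and the new `__no_const`/`__do_const` in the first hunk) uses `__attribute__(`; GCC accepts both, but the single-underscore form reads as a typo, so `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))` keeps the file consistent. The `#endif` that closes the conditional holding the `__alloc_size`/`__bos*` definitions belongs to an `#if` that starts outside the hunk, so whether `alloc_size` (available from GCC 4.3) and `__builtin_object_size` sit under a sufficient minor-version guard cannot be confirmed from here.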
57669 diff -urNp linux-3.1.1/include/linux/compiler.h linux-3.1.1/include/linux/compiler.h
57670 --- linux-3.1.1/include/linux/compiler.h        2011-11-11 15:19:27.000000000 -0500
57671 +++ linux-3.1.1/include/linux/compiler.h        2011-11-16 18:39:08.000000000 -0500
57672 @@ -5,31 +5,62 @@
57673  
57674  #ifdef __CHECKER__
57675  # define __user                __attribute__((noderef, address_space(1)))
57676 +# define __force_user  __force __user
57677  # define __kernel      __attribute__((address_space(0)))
57678 +# define __force_kernel        __force __kernel
57679  # define __safe                __attribute__((safe))
57680  # define __force       __attribute__((force))
57681  # define __nocast      __attribute__((nocast))
57682  # define __iomem       __attribute__((noderef, address_space(2)))
57683 +# define __force_iomem __force __iomem
57684  # define __acquires(x) __attribute__((context(x,0,1)))
57685  # define __releases(x) __attribute__((context(x,1,0)))
57686  # define __acquire(x)  __context__(x,1)
57687  # define __release(x)  __context__(x,-1)
57688  # define __cond_lock(x,c)      ((c) ? ({ __acquire(x); 1; }) : 0)
57689  # define __percpu      __attribute__((noderef, address_space(3)))
57690 +# define __force_percpu        __force __percpu
57691  #ifdef CONFIG_SPARSE_RCU_POINTER
57692  # define __rcu         __attribute__((noderef, address_space(4)))
57693 +# define __force_rcu   __force __rcu
57694  #else
57695  # define __rcu
57696 +# define __force_rcu
57697  #endif
57698  extern void __chk_user_ptr(const volatile void __user *);
57699  extern void __chk_io_ptr(const volatile void __iomem *);
57700 +#elif defined(CHECKER_PLUGIN)
57701 +//# define __user
57702 +//# define __force_user
57703 +//# define __kernel
57704 +//# define __force_kernel
57705 +# define __safe
57706 +# define __force
57707 +# define __nocast
57708 +# define __iomem
57709 +# define __force_iomem
57710 +# define __chk_user_ptr(x) (void)0
57711 +# define __chk_io_ptr(x) (void)0
57712 +# define __builtin_warning(x, y...) (1)
57713 +# define __acquires(x)
57714 +# define __releases(x)
57715 +# define __acquire(x) (void)0
57716 +# define __release(x) (void)0
57717 +# define __cond_lock(x,c) (c)
57718 +# define __percpu
57719 +# define __force_percpu
57720 +# define __rcu
57721 +# define __force_rcu
57722  #else
57723  # define __user
57724 +# define __force_user
57725  # define __kernel
57726 +# define __force_kernel
57727  # define __safe
57728  # define __force
57729  # define __nocast
57730  # define __iomem
57731 +# define __force_iomem
57732  # define __chk_user_ptr(x) (void)0
57733  # define __chk_io_ptr(x) (void)0
57734  # define __builtin_warning(x, y...) (1)
57735 @@ -39,7 +70,9 @@ extern void __chk_io_ptr(const volatile 
57736  # define __release(x) (void)0
57737  # define __cond_lock(x,c) (c)
57738  # define __percpu
57739 +# define __force_percpu
57740  # define __rcu
57741 +# define __force_rcu
57742  #endif
57743  
57744  #ifdef __KERNEL__
57745 @@ -264,6 +297,14 @@ void ftrace_likely_update(struct ftrace_
57746  # define __attribute_const__   /* unimplemented */
57747  #endif
57748  
57749 +#ifndef __no_const
57750 +# define __no_const
57751 +#endif
57752 +
57753 +#ifndef __do_const
57754 +# define __do_const
57755 +#endif
57756 +
57757  /*
57758   * Tell gcc if a function is cold. The compiler will assume any path
57759   * directly leading to the call is unlikely.
57760 @@ -273,6 +314,22 @@ void ftrace_likely_update(struct ftrace_
57761  #define __cold
57762  #endif
57763  
57764 +#ifndef __alloc_size
57765 +#define __alloc_size(...)
57766 +#endif
57767 +
57768 +#ifndef __bos
57769 +#define __bos(ptr, arg)
57770 +#endif
57771 +
57772 +#ifndef __bos0
57773 +#define __bos0(ptr)
57774 +#endif
57775 +
57776 +#ifndef __bos1
57777 +#define __bos1(ptr)
57778 +#endif
57779 +
57780  /* Simple shorthand for a section definition */
57781  #ifndef __section
57782  # define __section(S) __attribute__ ((__section__(#S)))
57783 @@ -306,6 +363,7 @@ void ftrace_likely_update(struct ftrace_
57784   * use is to mediate communication between process-level code and irq/NMI
57785   * handlers, all running on the same CPU.
57786   */
57787 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
57788 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
57789 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
57790  
57791  #endif /* __LINUX_COMPILER_H */
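Review bot: The `#ifndef __bos` fallbacks in the fourth hunk expand `__bos(ptr, arg)`, `__bos0(ptr)` and `__bos1(ptr)` to nothing, so any use in an expression (the natural use of an object-size query, e.g. a bound comparison) becomes a syntax error on compilers that lack the GCC definition, whereas the empty `__alloc_size(...)` fallback is harmless as a dropped attribute. A fallback that mirrors `__builtin_object_size`'s "unknown" results, `#define __bos0(ptr) ((size_t)-1)` and `#define __bos1(ptr) ((size_t)-1)` (with `__bos(ptr, arg)` yielding `0` for the `arg & 2` minimum modes), keeps callers compiling with the size checks simply disabled; if `size_t` is not in scope in this header, `~0UL` serves the same purpose. Separately, `ACCESS_ONCE` now yields a const-qualified lvalue, so every existing write through it stops compiling and must move to the new `ACCESS_ONCE_RW`; a one-line comment above the two defines explaining that split would help, as the only visible caller adjustment is the one in the cpuset.h section.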
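--- a/include/linux/cpuset.h
+++ b/include/linux/cpuset.h
@@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
         * nodemask.
         */
        smp_mb();
-       --ACCESS_ONCE(current->mems_allowed_change_disable);
+       --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
 }
 
 static inline void set_mems_allowed(nodemask_t nodemask)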
57804 diff -urNp linux-3.1.1/include/linux/crypto.h linux-3.1.1/include/linux/crypto.h
57805 --- linux-3.1.1/include/linux/crypto.h  2011-11-11 15:19:27.000000000 -0500
57806 +++ linux-3.1.1/include/linux/crypto.h  2011-11-16 18:39:08.000000000 -0500
57807 @@ -361,7 +361,7 @@ struct cipher_tfm {
57808                           const u8 *key, unsigned int keylen);
57809         void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
57810         void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
57811 -};
57812 +} __no_const;
57813  
57814  struct hash_tfm {
57815         int (*init)(struct hash_desc *desc);
57816 @@ -382,13 +382,13 @@ struct compress_tfm {
57817         int (*cot_decompress)(struct crypto_tfm *tfm,
57818                               const u8 *src, unsigned int slen,
57819                               u8 *dst, unsigned int *dlen);
57820 -};
57821 +} __no_const;
57822  
57823  struct rng_tfm {
57824         int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
57825                               unsigned int dlen);
57826         int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
57827 -};
57828 +} __no_const;
57829  
57830  #define crt_ablkcipher crt_u.ablkcipher
57831  #define crt_aead       crt_u.aead
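--- a/include/linux/decompress/mm.h
+++ b/include/linux/decompress/mm.h
@@ -77,7 +77,7 @@ static void free(void *where)
  * warnings when not needed (indeed large_malloc / large_free are not
  * needed by inflate */
 
-#define malloc(a) kmalloc(a, GFP_KERNEL)
+#define malloc(a) kmalloc((a), GFP_KERNEL)
 #define free(a) kfree(a)
 
 #define large_malloc(a) vmalloc(a)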
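Review bot: Only `malloc(a)` gains the parenthesised argument; `free(a)` and `large_malloc(a)` in the same hunk keep `kfree(a)` and `vmalloc(a)`, so the macro-hygiene fix covers one of three sibling macros. `#define free(a) kfree((a))` and `#define large_malloc(a) vmalloc((a))` would make them consistent, and `large_free`, which presumably follows just past the hunk, should match. In practice each argument is passed straight through as a call argument, so the parentheses only matter for a comma expression, which is why this is a consistency point rather than a bug.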
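--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -42,7 +42,7 @@ struct dma_map_ops {
        int (*dma_supported)(struct device *dev, u64 mask);
        int (*set_dma_mask)(struct device *dev, u64 mask);
        int is_phys;
-};
+} __do_const;
 
 #define DMA_BIT_MASK(n)        (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
 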
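--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -446,7 +446,7 @@ struct efivar_operations {
        efi_get_variable_t *get_variable;
        efi_get_next_variable_t *get_next_variable;
        efi_set_variable_t *set_variable;
-};
+} __no_const;
 
 struct efivars {
        /*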
57868 diff -urNp linux-3.1.1/include/linux/elf.h linux-3.1.1/include/linux/elf.h
57869 --- linux-3.1.1/include/linux/elf.h     2011-11-11 15:19:27.000000000 -0500
57870 +++ linux-3.1.1/include/linux/elf.h     2011-11-16 18:39:08.000000000 -0500
57871 @@ -49,6 +49,17 @@ typedef __s64        Elf64_Sxword;
57872  #define PT_GNU_EH_FRAME                0x6474e550
57873  
57874  #define PT_GNU_STACK   (PT_LOOS + 0x474e551)
57875 +#define PT_GNU_RELRO   (PT_LOOS + 0x474e552)
57876 +
57877 +#define PT_PAX_FLAGS   (PT_LOOS + 0x5041580)
57878 +
57879 +/* Constants for the e_flags field */
57880 +#define EF_PAX_PAGEEXEC                1       /* Paging based non-executable pages */
57881 +#define EF_PAX_EMUTRAMP                2       /* Emulate trampolines */
57882 +#define EF_PAX_MPROTECT                4       /* Restrict mprotect() */
57883 +#define EF_PAX_RANDMMAP                8       /* Randomize mmap() base */
57884 +/*#define EF_PAX_RANDEXEC              16*/    /* Randomize ET_EXEC base */
57885 +#define EF_PAX_SEGMEXEC                32      /* Segmentation based non-executable pages */
57886  
57887  /*
57888   * Extended Numbering
57889 @@ -106,6 +117,8 @@ typedef __s64       Elf64_Sxword;
57890  #define DT_DEBUG       21
57891  #define DT_TEXTREL     22
57892  #define DT_JMPREL      23
57893 +#define DT_FLAGS       30
57894 +  #define DF_TEXTREL  0x00000004
57895  #define DT_ENCODING    32
57896  #define OLD_DT_LOOS    0x60000000
57897  #define DT_LOOS                0x6000000d
57898 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
57899  #define PF_W           0x2
57900  #define PF_X           0x1
57901  
57902 +#define PF_PAGEEXEC    (1U << 4)       /* Enable  PAGEEXEC */
57903 +#define PF_NOPAGEEXEC  (1U << 5)       /* Disable PAGEEXEC */
57904 +#define PF_SEGMEXEC    (1U << 6)       /* Enable  SEGMEXEC */
57905 +#define PF_NOSEGMEXEC  (1U << 7)       /* Disable SEGMEXEC */
57906 +#define PF_MPROTECT    (1U << 8)       /* Enable  MPROTECT */
57907 +#define PF_NOMPROTECT  (1U << 9)       /* Disable MPROTECT */
57908 +/*#define PF_RANDEXEC  (1U << 10)*/    /* Enable  RANDEXEC */
57909 +/*#define PF_NORANDEXEC        (1U << 11)*/    /* Disable RANDEXEC */
57910 +#define PF_EMUTRAMP    (1U << 12)      /* Enable  EMUTRAMP */
57911 +#define PF_NOEMUTRAMP  (1U << 13)      /* Disable EMUTRAMP */
57912 +#define PF_RANDMMAP    (1U << 14)      /* Enable  RANDMMAP */
57913 +#define PF_NORANDMMAP  (1U << 15)      /* Disable RANDMMAP */
57914 +
57915  typedef struct elf32_phdr{
57916    Elf32_Word   p_type;
57917    Elf32_Off    p_offset;
57918 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
57919  #define        EI_OSABI        7
57920  #define        EI_PAD          8
57921  
57922 +#define        EI_PAX          14
57923 +
57924  #define        ELFMAG0         0x7f            /* EI_MAG */
57925  #define        ELFMAG1         'E'
57926  #define        ELFMAG2         'L'
57927 @@ -422,6 +450,7 @@ extern Elf32_Dyn _DYNAMIC [];
57928  #define elf_note       elf32_note
57929  #define elf_addr_t     Elf32_Off
57930  #define Elf_Half       Elf32_Half
57931 +#define elf_dyn                Elf32_Dyn
57932  
57933  #else
57934  
57935 @@ -432,6 +461,7 @@ extern Elf64_Dyn _DYNAMIC [];
57936  #define elf_note       elf64_note
57937  #define elf_addr_t     Elf64_Off
57938  #define Elf_Half       Elf64_Half
57939 +#define elf_dyn                Elf64_Dyn
57940  
57941  #endif
57942  
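Review bot: In the second hunk `  #define DF_TEXTREL  0x00000004` is indented by two spaces before the `#`, unlike every other directive in the file; it is presumably meant to read as "belongs to DT_FLAGS", which a trailing comment does more clearly: `#define DF_TEXTREL 0x00000004 /* DT_FLAGS bit: object contains text relocations */`. The commented-out `EF_PAX_RANDEXEC` line in the first hunk and the `PF_RANDEXEC`/`PF_NORANDEXEC` lines in the third are left as dead code; replacing them with a comment stating that bit 4 of e_flags and bits 10 and 11 of p_flags are reserved for the retired RANDEXEC feature and must not be reused keeps the intent without commented-out definitions.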
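--- a/include/linux/firewire.h
+++ b/include/linux/firewire.h
@@ -428,7 +428,7 @@ struct fw_iso_context {
        union {
                fw_iso_callback_t sc;
                fw_iso_mc_callback_t mc;
-       } callback;
+       } __no_const callback;
        void *callback_data;
 };
 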
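--- a/include/linux/fscache-cache.h
+++ b/include/linux/fscache-cache.h
@@ -102,7 +102,7 @@ struct fscache_operation {
        fscache_operation_release_t release;
 };
 
-extern atomic_t fscache_op_debug_id;
+extern atomic_unchecked_t fscache_op_debug_id;
 extern void fscache_op_work_func(struct work_struct *work);
 
 extern void fscache_enqueue_operation(struct fscache_operation *);
@@ -122,7 +122,7 @@ static inline void fscache_operation_ini
 {
        INIT_WORK(&op->work, fscache_op_work_func);
        atomic_set(&op->usage, 1);
-       op->debug_id = atomic_inc_return(&fscache_op_debug_id);
+       op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
        op->processor = processor;
        op->release = release;
        INIT_LIST_HEAD(&op->pend_link);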
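--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1588,7 +1588,8 @@ struct file_operations {
        int (*setlease)(struct file *, long, struct file_lock **);
        long (*fallocate)(struct file *file, int mode, loff_t offset,
                          loff_t len);
-};
+} __do_const;
+typedef struct file_operations __no_const file_operations_no_const;
 
 struct inode_operations {
        struct dentry * (*lookup) (struct inode *,struct dentry *, struct nameidata *);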
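Review bot: The new `typedef struct file_operations __no_const file_operations_no_const;` is introduced without a comment, and since `struct file_operations` itself is now `__do_const`, a reader cannot tell from the header when a driver should reach for the typedef instead. A comment such as `/* file_operations tables are made read-only by the constify plugin; use file_operations_no_const only for a table that is legitimately modified at runtime */` documents the split and discourages using the escape hatch by default. Whether the plugin honours `__no_const` on a typedef exactly as on a struct tag cannot be confirmed from this hunk.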
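--- a/include/linux/fsnotify.h
+++ b/include/linux/fsnotify.h
@@ -314,7 +314,7 @@ static inline void fsnotify_change(struc
  */
 static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
 {
-       return kstrdup(name, GFP_KERNEL);
+       return (const unsigned char *)kstrdup((const char *)name, GFP_KERNEL);
 }
 
 /*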
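--- a/include/linux/fs_struct.h
+++ b/include/linux/fs_struct.h
@@ -6,7 +6,7 @@
 #include <linux/seqlock.h>
 
 struct fs_struct {
-       int users;
+       atomic_t users;
        spinlock_t lock;
        seqcount_t seq;
        int umask;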
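Review bot: Changing `users` from `int` to `atomic_t` alters the synchronisation contract of `struct fs_struct` without recording what it now is: the field sits next to `spinlock_t lock`, which in the original presumably guarded it, and every site that did `fs->users++` or `--fs->users` must now use the `atomic_*` helpers (a plain `++` on an `atomic_t` fails to compile, so the compiler will at least catch those). A comment on the field stating whether `lock` still serialises updates or whether the atomic operations alone are the rule, e.g. `atomic_t users; /* updated with atomic_inc/atomic_dec_and_test; lock is not required for this field */` if that is the intent, would preserve the decision. The accessor sites are outside this hunk.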
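--- a/include/linux/ftrace_event.h
+++ b/include/linux/ftrace_event.h
@@ -97,7 +97,7 @@ struct trace_event_functions {
        trace_print_func        raw;
        trace_print_func        hex;
        trace_print_func        binary;
-};
+} __no_const;
 
 struct trace_event {
        struct hlist_node               node;
@@ -252,7 +252,7 @@ extern int trace_define_field(struct ftr
 extern int trace_add_event_call(struct ftrace_event_call *call);
 extern void trace_remove_event_call(struct ftrace_event_call *call);
 
-#define is_signed_type(type)   (((type)(-1)) < 0)
+#define is_signed_type(type)   (((type)(-1)) < (type)1)
 
 int trace_set_clr_event(const char *system, const char *event, int set);
 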
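Review bot: The reworked `is_signed_type(type)` compares `(type)(-1)` against `(type)1` instead of `0`, which keeps both operands in `type`, but the reason is not stated in the second hunk. A one-line comment such as `/* compare within type: avoids the "unsigned expression < 0 is always false" warning for unsigned types */` records it, hedged here because the motivating warning is inferred rather than visible. For `bool` the result is unchanged (`(bool)-1` is 1, and `1 < 1` is false, as `1 < 0` was), so existing users keep their answer.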
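--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -184,7 +184,7 @@ struct gendisk {
        struct kobject *slave_dir;
 
        struct timer_rand_state *random;
-       atomic_t sync_io;               /* RAID */
+       atomic_unchecked_t sync_io;     /* RAID */
        struct disk_events *ev;
 #ifdef  CONFIG_BLK_DEV_INTEGRITY
        struct blk_integrity *integrity;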
58046 diff -urNp linux-3.1.1/include/linux/gracl.h linux-3.1.1/include/linux/gracl.h
58047 --- linux-3.1.1/include/linux/gracl.h   1969-12-31 19:00:00.000000000 -0500
58048 +++ linux-3.1.1/include/linux/gracl.h   2011-11-16 18:40:31.000000000 -0500
58049 @@ -0,0 +1,317 @@
58050 +#ifndef GR_ACL_H
58051 +#define GR_ACL_H
58052 +
58053 +#include <linux/grdefs.h>
58054 +#include <linux/resource.h>
58055 +#include <linux/capability.h>
58056 +#include <linux/dcache.h>
58057 +#include <asm/resource.h>
58058 +
58059 +/* Major status information */
58060 +
58061 +#define GR_VERSION  "grsecurity 2.2.2"
58062 +#define GRSECURITY_VERSION 0x2202
58063 +
58064 +enum {
58065 +       GR_SHUTDOWN = 0,
58066 +       GR_ENABLE = 1,
58067 +       GR_SPROLE = 2,
58068 +       GR_RELOAD = 3,
58069 +       GR_SEGVMOD = 4,
58070 +       GR_STATUS = 5,
58071 +       GR_UNSPROLE = 6,
58072 +       GR_PASSSET = 7,
58073 +       GR_SPROLEPAM = 8,
58074 +};
58075 +
58076 +/* Password setup definitions
58077 + * kernel/grhash.c */
58078 +enum {
58079 +       GR_PW_LEN = 128,
58080 +       GR_SALT_LEN = 16,
58081 +       GR_SHA_LEN = 32,
58082 +};
58083 +
58084 +enum {
58085 +       GR_SPROLE_LEN = 64,
58086 +};
58087 +
58088 +enum {
58089 +       GR_NO_GLOB = 0,
58090 +       GR_REG_GLOB,
58091 +       GR_CREATE_GLOB
58092 +};
58093 +
58094 +#define GR_NLIMITS 32
58095 +
58096 +/* Begin Data Structures */
58097 +
58098 +struct sprole_pw {
58099 +       unsigned char *rolename;
58100 +       unsigned char salt[GR_SALT_LEN];
58101 +       unsigned char sum[GR_SHA_LEN];  /* 256-bit SHA hash of the password */
58102 +};
58103 +
58104 +struct name_entry {
58105 +       __u32 key;
58106 +       ino_t inode;
58107 +       dev_t device;
58108 +       char *name;
58109 +       __u16 len;
58110 +       __u8 deleted;
58111 +       struct name_entry *prev;
58112 +       struct name_entry *next;
58113 +};
58114 +
58115 +struct inodev_entry {
58116 +       struct name_entry *nentry;
58117 +       struct inodev_entry *prev;
58118 +       struct inodev_entry *next;
58119 +};
58120 +
58121 +struct acl_role_db {
58122 +       struct acl_role_label **r_hash;
58123 +       __u32 r_size;
58124 +};
58125 +
58126 +struct inodev_db {
58127 +       struct inodev_entry **i_hash;
58128 +       __u32 i_size;
58129 +};
58130 +
58131 +struct name_db {
58132 +       struct name_entry **n_hash;
58133 +       __u32 n_size;
58134 +};
58135 +
58136 +struct crash_uid {
58137 +       uid_t uid;
58138 +       unsigned long expires;
58139 +};
58140 +
58141 +struct gr_hash_struct {
58142 +       void **table;
58143 +       void **nametable;
58144 +       void *first;
58145 +       __u32 table_size;
58146 +       __u32 used_size;
58147 +       int type;
58148 +};
58149 +
58150 +/* Userspace Grsecurity ACL data structures */
58151 +
58152 +struct acl_subject_label {
58153 +       char *filename;
58154 +       ino_t inode;
58155 +       dev_t device;
58156 +       __u32 mode;
58157 +       kernel_cap_t cap_mask;
58158 +       kernel_cap_t cap_lower;
58159 +       kernel_cap_t cap_invert_audit;
58160 +
58161 +       struct rlimit res[GR_NLIMITS];
58162 +       __u32 resmask;
58163 +
58164 +       __u8 user_trans_type;
58165 +       __u8 group_trans_type;
58166 +       uid_t *user_transitions;
58167 +       gid_t *group_transitions;
58168 +       __u16 user_trans_num;
58169 +       __u16 group_trans_num;
58170 +
58171 +       __u32 sock_families[2];
58172 +       __u32 ip_proto[8];
58173 +       __u32 ip_type;
58174 +       struct acl_ip_label **ips;
58175 +       __u32 ip_num;
58176 +       __u32 inaddr_any_override;
58177 +
58178 +       __u32 crashes;
58179 +       unsigned long expires;
58180 +
58181 +       struct acl_subject_label *parent_subject;
58182 +       struct gr_hash_struct *hash;
58183 +       struct acl_subject_label *prev;
58184 +       struct acl_subject_label *next;
58185 +
58186 +       struct acl_object_label **obj_hash;
58187 +       __u32 obj_hash_size;
58188 +       __u16 pax_flags;
58189 +};
58190 +
58191 +struct role_allowed_ip {
58192 +       __u32 addr;
58193 +       __u32 netmask;
58194 +
58195 +       struct role_allowed_ip *prev;
58196 +       struct role_allowed_ip *next;
58197 +};
58198 +
58199 +struct role_transition {
58200 +       char *rolename;
58201 +
58202 +       struct role_transition *prev;
58203 +       struct role_transition *next;
58204 +};
58205 +
58206 +struct acl_role_label {
58207 +       char *rolename;
58208 +       uid_t uidgid;
58209 +       __u16 roletype;
58210 +
58211 +       __u16 auth_attempts;
58212 +       unsigned long expires;
58213 +
58214 +       struct acl_subject_label *root_label;
58215 +       struct gr_hash_struct *hash;
58216 +
58217 +       struct acl_role_label *prev;
58218 +       struct acl_role_label *next;
58219 +
58220 +       struct role_transition *transitions;
58221 +       struct role_allowed_ip *allowed_ips;
58222 +       uid_t *domain_children;
58223 +       __u16 domain_child_num;
58224 +
58225 +       struct acl_subject_label **subj_hash;
58226 +       __u32 subj_hash_size;
58227 +};
58228 +
58229 +struct user_acl_role_db {
58230 +       struct acl_role_label **r_table;
58231 +       __u32 num_pointers;             /* Number of allocations to track */
58232 +       __u32 num_roles;                /* Number of roles */
58233 +       __u32 num_domain_children;      /* Number of domain children */
58234 +       __u32 num_subjects;             /* Number of subjects */
58235 +       __u32 num_objects;              /* Number of objects */
58236 +};
58237 +
58238 +struct acl_object_label {
58239 +       char *filename;
58240 +       ino_t inode;
58241 +       dev_t device;
58242 +       __u32 mode;
58243 +
58244 +       struct acl_subject_label *nested;
58245 +       struct acl_object_label *globbed;
58246 +
58247 +       /* next two structures not used */
58248 +
58249 +       struct acl_object_label *prev;
58250 +       struct acl_object_label *next;
58251 +};
58252 +
58253 +struct acl_ip_label {
58254 +       char *iface;
58255 +       __u32 addr;
58256 +       __u32 netmask;
58257 +       __u16 low, high;
58258 +       __u8 mode;
58259 +       __u32 type;
58260 +       __u32 proto[8];
58261 +
58262 +       /* next two structures not used */
58263 +
58264 +       struct acl_ip_label *prev;
58265 +       struct acl_ip_label *next;
58266 +};
58267 +
58268 +struct gr_arg {
58269 +       struct user_acl_role_db role_db;
58270 +       unsigned char pw[GR_PW_LEN];
58271 +       unsigned char salt[GR_SALT_LEN];
58272 +       unsigned char sum[GR_SHA_LEN];
58273 +       unsigned char sp_role[GR_SPROLE_LEN];
58274 +       struct sprole_pw *sprole_pws;
58275 +       dev_t segv_device;
58276 +       ino_t segv_inode;
58277 +       uid_t segv_uid;
58278 +       __u16 num_sprole_pws;
58279 +       __u16 mode;
58280 +};
58281 +
58282 +struct gr_arg_wrapper {
58283 +       struct gr_arg *arg;
58284 +       __u32 version;
58285 +       __u32 size;
58286 +};
58287 +
58288 +struct subject_map {
58289 +       struct acl_subject_label *user;
58290 +       struct acl_subject_label *kernel;
58291 +       struct subject_map *prev;
58292 +       struct subject_map *next;
58293 +};
58294 +
58295 +struct acl_subj_map_db {
58296 +       struct subject_map **s_hash;
58297 +       __u32 s_size;
58298 +};
58299 +
58300 +/* End Data Structures Section */
58301 +
58302 +/* Hash functions generated by empirical testing by Brad Spengler
58303 +   Makes good use of the low bits of the inode.  Generally 0-1 times
58304 +   in loop for successful match.  0-3 for unsuccessful match.
58305 +   Shift/add algorithm with modulus of table size and an XOR*/
58306 +
58307 +static __inline__ unsigned int
58308 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
58309 +{
58310 +       return ((((uid + type) << (16 + type)) ^ uid) % sz);
58311 +}
58312 +
58313 + static __inline__ unsigned int
58314 +shash(const struct acl_subject_label *userp, const unsigned int sz)
58315 +{
58316 +       return ((const unsigned long)userp % sz);
58317 +}
58318 +
58319 +static __inline__ unsigned int
58320 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
58321 +{
58322 +       return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
58323 +}
58324 +
58325 +static __inline__ unsigned int
58326 +nhash(const char *name, const __u16 len, const unsigned int sz)
58327 +{
58328 +       return full_name_hash((const unsigned char *)name, len) % sz;
58329 +}
58330 +
58331 +#define FOR_EACH_ROLE_START(role) \
58332 +       role = role_list; \
58333 +       while (role) {
58334 +
58335 +#define FOR_EACH_ROLE_END(role) \
58336 +               role = role->prev; \
58337 +       }
58338 +
58339 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
58340 +       subj = NULL; \
58341 +       iter = 0; \
58342 +       while (iter < role->subj_hash_size) { \
58343 +               if (subj == NULL) \
58344 +                       subj = role->subj_hash[iter]; \
58345 +               if (subj == NULL) { \
58346 +                       iter++; \
58347 +                       continue; \
58348 +               }
58349 +
58350 +#define FOR_EACH_SUBJECT_END(subj,iter) \
58351 +               subj = subj->next; \
58352 +               if (subj == NULL) \
58353 +                       iter++; \
58354 +       }
58355 +
58356 +
58357 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
58358 +       subj = role->hash->first; \
58359 +       while (subj != NULL) {
58360 +
58361 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
58362 +               subj = subj->next; \
58363 +       }
58364 +
58365 +#endif
58366 +
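Review bot: `rhash()` uses `16 + type` as a shift count on an `unsigned int` while `type` is a `__u16`, so any `type` of 16 or more makes the shift equal or exceed the operand width, which is undefined behaviour; the header states no precondition, and the role-type flags in the grdefs.h section below go up to 0x0800. Either state the contract on the function, `/* type must be < 16: it is used as a shift count */`, or bound it in place, `<< (16 + (type & 0xf))`, so a bad caller degrades the hash rather than invoking UB (the `sz` divisors of all four helpers likewise assume a non-zero table size, presumably guaranteed by the table builders in gracl.c, which is not in view). Two smaller points: the line `static __inline__ unsigned int` introducing `shash()` has a stray leading space, and `(const unsigned long)userp` in `shash()` qualifies a scalar cast, which C drops. Finally, `struct gr_arg` carries the role password, salt and hash copied in from userspace; a comment on the struct noting that `pw` must be cleared once the credential has been checked would document the expected handling, since the code that does so lives outside this header.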
58367 diff -urNp linux-3.1.1/include/linux/gralloc.h linux-3.1.1/include/linux/gralloc.h
58368 --- linux-3.1.1/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
58369 +++ linux-3.1.1/include/linux/gralloc.h 2011-11-16 18:40:31.000000000 -0500
58370 @@ -0,0 +1,9 @@
58371 +#ifndef __GRALLOC_H
58372 +#define __GRALLOC_H
58373 +
58374 +void acl_free_all(void);
58375 +int acl_alloc_stack_init(unsigned long size);
58376 +void *acl_alloc(unsigned long len);
58377 +void *acl_alloc_num(unsigned long num, unsigned long len);
58378 +
58379 +#endif
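Review bot: The four prototypes in gralloc.h carry no contract, so a caller cannot tell what acl_alloc() and acl_alloc_num() return on failure, who frees the memory, or whether acl_alloc_num() guards the num*len product against overflow; the implementation is not in this hunk, so these need confirming against it. The names suggest a stack-style allocator that is torn down as a whole by acl_free_all(), which is exactly the kind of ownership rule a header should state. I would add above the prototypes: `/* ACL arena allocator: every acl_alloc*() result is owned by the arena and released only by acl_free_all(); callers must check for a NULL return. */`, adjusted to whatever the implementation actually does.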
58380 diff -urNp linux-3.1.1/include/linux/grdefs.h linux-3.1.1/include/linux/grdefs.h
58381 --- linux-3.1.1/include/linux/grdefs.h  1969-12-31 19:00:00.000000000 -0500
58382 +++ linux-3.1.1/include/linux/grdefs.h  2011-11-16 18:40:31.000000000 -0500
58383 @@ -0,0 +1,140 @@
58384 +#ifndef GRDEFS_H
58385 +#define GRDEFS_H
58386 +
58387 +/* Begin grsecurity status declarations */
58388 +
58389 +enum {
58390 +       GR_READY = 0x01,
58391 +       GR_STATUS_INIT = 0x00   // disabled state
58392 +};
58393 +
58394 +/* Begin  ACL declarations */
58395 +
58396 +/* Role flags */
58397 +
58398 +enum {
58399 +       GR_ROLE_USER = 0x0001,
58400 +       GR_ROLE_GROUP = 0x0002,
58401 +       GR_ROLE_DEFAULT = 0x0004,
58402 +       GR_ROLE_SPECIAL = 0x0008,
58403 +       GR_ROLE_AUTH = 0x0010,
58404 +       GR_ROLE_NOPW = 0x0020,
58405 +       GR_ROLE_GOD = 0x0040,
58406 +       GR_ROLE_LEARN = 0x0080,
58407 +       GR_ROLE_TPE = 0x0100,
58408 +       GR_ROLE_DOMAIN = 0x0200,
58409 +       GR_ROLE_PAM = 0x0400,
58410 +       GR_ROLE_PERSIST = 0x0800
58411 +};
58412 +
58413 +/* ACL Subject and Object mode flags */
58414 +enum {
58415 +       GR_DELETED = 0x80000000
58416 +};
58417 +
58418 +/* ACL Object-only mode flags */
58419 +enum {
58420 +       GR_READ         = 0x00000001,
58421 +       GR_APPEND       = 0x00000002,
58422 +       GR_WRITE        = 0x00000004,
58423 +       GR_EXEC         = 0x00000008,
58424 +       GR_FIND         = 0x00000010,
58425 +       GR_INHERIT      = 0x00000020,
58426 +       GR_SETID        = 0x00000040,
58427 +       GR_CREATE       = 0x00000080,
58428 +       GR_DELETE       = 0x00000100,
58429 +       GR_LINK         = 0x00000200,
58430 +       GR_AUDIT_READ   = 0x00000400,
58431 +       GR_AUDIT_APPEND = 0x00000800,
58432 +       GR_AUDIT_WRITE  = 0x00001000,
58433 +       GR_AUDIT_EXEC   = 0x00002000,
58434 +       GR_AUDIT_FIND   = 0x00004000,
58435 +       GR_AUDIT_INHERIT= 0x00008000,
58436 +       GR_AUDIT_SETID  = 0x00010000,
58437 +       GR_AUDIT_CREATE = 0x00020000,
58438 +       GR_AUDIT_DELETE = 0x00040000,
58439 +       GR_AUDIT_LINK   = 0x00080000,
58440 +       GR_PTRACERD     = 0x00100000,
58441 +       GR_NOPTRACE     = 0x00200000,
58442 +       GR_SUPPRESS     = 0x00400000,
58443 +       GR_NOLEARN      = 0x00800000,
58444 +       GR_INIT_TRANSFER= 0x01000000
58445 +};
58446 +
58447 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
58448 +                  GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
58449 +                  GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
58450 +
58451 +/* ACL subject-only mode flags */
58452 +enum {
58453 +       GR_KILL         = 0x00000001,
58454 +       GR_VIEW         = 0x00000002,
58455 +       GR_PROTECTED    = 0x00000004,
58456 +       GR_LEARN        = 0x00000008,
58457 +       GR_OVERRIDE     = 0x00000010,
58458 +       /* just a placeholder, this mode is only used in userspace */
58459 +       GR_DUMMY        = 0x00000020,
58460 +       GR_PROTSHM      = 0x00000040,
58461 +       GR_KILLPROC     = 0x00000080,
58462 +       GR_KILLIPPROC   = 0x00000100,
58463 +       /* just a placeholder, this mode is only used in userspace */
58464 +       GR_NOTROJAN     = 0x00000200,
58465 +       GR_PROTPROCFD   = 0x00000400,
58466 +       GR_PROCACCT     = 0x00000800,
58467 +       GR_RELAXPTRACE  = 0x00001000,
58468 +       GR_NESTED       = 0x00002000,
58469 +       GR_INHERITLEARN = 0x00004000,
58470 +       GR_PROCFIND     = 0x00008000,
58471 +       GR_POVERRIDE    = 0x00010000,
58472 +       GR_KERNELAUTH   = 0x00020000,
58473 +       GR_ATSECURE     = 0x00040000,
58474 +       GR_SHMEXEC      = 0x00080000
58475 +};
58476 +
58477 +enum {
58478 +       GR_PAX_ENABLE_SEGMEXEC  = 0x0001,
58479 +       GR_PAX_ENABLE_PAGEEXEC  = 0x0002,
58480 +       GR_PAX_ENABLE_MPROTECT  = 0x0004,
58481 +       GR_PAX_ENABLE_RANDMMAP  = 0x0008,
58482 +       GR_PAX_ENABLE_EMUTRAMP  = 0x0010,
58483 +       GR_PAX_DISABLE_SEGMEXEC = 0x0100,
58484 +       GR_PAX_DISABLE_PAGEEXEC = 0x0200,
58485 +       GR_PAX_DISABLE_MPROTECT = 0x0400,
58486 +       GR_PAX_DISABLE_RANDMMAP = 0x0800,
58487 +       GR_PAX_DISABLE_EMUTRAMP = 0x1000,
58488 +};
58489 +
58490 +enum {
58491 +       GR_ID_USER      = 0x01,
58492 +       GR_ID_GROUP     = 0x02,
58493 +};
58494 +
58495 +enum {
58496 +       GR_ID_ALLOW     = 0x01,
58497 +       GR_ID_DENY      = 0x02,
58498 +};
58499 +
58500 +#define GR_CRASH_RES   31
58501 +#define GR_UIDTABLE_MAX 500
58502 +
58503 +/* begin resource learning section */
58504 +enum {
58505 +       GR_RLIM_CPU_BUMP = 60,
58506 +       GR_RLIM_FSIZE_BUMP = 50000,
58507 +       GR_RLIM_DATA_BUMP = 10000,
58508 +       GR_RLIM_STACK_BUMP = 1000,
58509 +       GR_RLIM_CORE_BUMP = 10000,
58510 +       GR_RLIM_RSS_BUMP = 500000,
58511 +       GR_RLIM_NPROC_BUMP = 1,
58512 +       GR_RLIM_NOFILE_BUMP = 5,
58513 +       GR_RLIM_MEMLOCK_BUMP = 50000,
58514 +       GR_RLIM_AS_BUMP = 500000,
58515 +       GR_RLIM_LOCKS_BUMP = 2,
58516 +       GR_RLIM_SIGPENDING_BUMP = 5,
58517 +       GR_RLIM_MSGQUEUE_BUMP = 10000,
58518 +       GR_RLIM_NICE_BUMP = 1,
58519 +       GR_RLIM_RTPRIO_BUMP = 1,
58520 +       GR_RLIM_RTTIME_BUMP = 1000000
58521 +};
58522 +
58523 +#endif
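Review bot: `GR_DELETED = 0x80000000` is outside the range of int, which ISO C requires for an enumerator; GCC accepts it as an extension and silently gives that enum an unsigned underlying type, so the constant behaves differently from every other enumerator in the file. Since it is a bit mask that is combined with the `__u32` mode words elsewhere, a plain macro such as `#define GR_DELETED 0x80000000U` expresses the intent without relying on the extension. Also worth a comment: the object-only and subject-only mode enums deliberately reuse the same values (GR_READ and GR_KILL are both 0x00000001), and because both sets are bare ints the compiler cannot catch a flag tested against the wrong mode word; a one-line note above each enum saying which field it applies to would help readers.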
58524 diff -urNp linux-3.1.1/include/linux/grinternal.h linux-3.1.1/include/linux/grinternal.h
58525 --- linux-3.1.1/include/linux/grinternal.h      1969-12-31 19:00:00.000000000 -0500
58526 +++ linux-3.1.1/include/linux/grinternal.h      2011-11-16 18:40:31.000000000 -0500
58527 @@ -0,0 +1,220 @@
58528 +#ifndef __GRINTERNAL_H
58529 +#define __GRINTERNAL_H
58530 +
58531 +#ifdef CONFIG_GRKERNSEC
58532 +
58533 +#include <linux/fs.h>
58534 +#include <linux/mnt_namespace.h>
58535 +#include <linux/nsproxy.h>
58536 +#include <linux/gracl.h>
58537 +#include <linux/grdefs.h>
58538 +#include <linux/grmsg.h>
58539 +
58540 +void gr_add_learn_entry(const char *fmt, ...)
58541 +       __attribute__ ((format (printf, 1, 2)));
58542 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
58543 +                           const struct vfsmount *mnt);
58544 +__u32 gr_check_create(const struct dentry *new_dentry,
58545 +                            const struct dentry *parent,
58546 +                            const struct vfsmount *mnt, const __u32 mode);
58547 +int gr_check_protected_task(const struct task_struct *task);
58548 +__u32 to_gr_audit(const __u32 reqmode);
58549 +int gr_set_acls(const int type);
58550 +int gr_apply_subject_to_task(struct task_struct *task);
58551 +int gr_acl_is_enabled(void);
58552 +char gr_roletype_to_char(void);
58553 +
58554 +void gr_handle_alertkill(struct task_struct *task);
58555 +char *gr_to_filename(const struct dentry *dentry,
58556 +                           const struct vfsmount *mnt);
58557 +char *gr_to_filename1(const struct dentry *dentry,
58558 +                           const struct vfsmount *mnt);
58559 +char *gr_to_filename2(const struct dentry *dentry,
58560 +                           const struct vfsmount *mnt);
58561 +char *gr_to_filename3(const struct dentry *dentry,
58562 +                           const struct vfsmount *mnt);
58563 +
58564 +extern int grsec_enable_harden_ptrace;
58565 +extern int grsec_enable_link;
58566 +extern int grsec_enable_fifo;
58567 +extern int grsec_enable_execve;
58568 +extern int grsec_enable_shm;
58569 +extern int grsec_enable_execlog;
58570 +extern int grsec_enable_signal;
58571 +extern int grsec_enable_audit_ptrace;
58572 +extern int grsec_enable_forkfail;
58573 +extern int grsec_enable_time;
58574 +extern int grsec_enable_rofs;
58575 +extern int grsec_enable_chroot_shmat;
58576 +extern int grsec_enable_chroot_mount;
58577 +extern int grsec_enable_chroot_double;
58578 +extern int grsec_enable_chroot_pivot;
58579 +extern int grsec_enable_chroot_chdir;
58580 +extern int grsec_enable_chroot_chmod;
58581 +extern int grsec_enable_chroot_mknod;
58582 +extern int grsec_enable_chroot_fchdir;
58583 +extern int grsec_enable_chroot_nice;
58584 +extern int grsec_enable_chroot_execlog;
58585 +extern int grsec_enable_chroot_caps;
58586 +extern int grsec_enable_chroot_sysctl;
58587 +extern int grsec_enable_chroot_unix;
58588 +extern int grsec_enable_tpe;
58589 +extern int grsec_tpe_gid;
58590 +extern int grsec_enable_tpe_all;
58591 +extern int grsec_enable_tpe_invert;
58592 +extern int grsec_enable_socket_all;
58593 +extern int grsec_socket_all_gid;
58594 +extern int grsec_enable_socket_client;
58595 +extern int grsec_socket_client_gid;
58596 +extern int grsec_enable_socket_server;
58597 +extern int grsec_socket_server_gid;
58598 +extern int grsec_audit_gid;
58599 +extern int grsec_enable_group;
58600 +extern int grsec_enable_audit_textrel;
58601 +extern int grsec_enable_log_rwxmaps;
58602 +extern int grsec_enable_mount;
58603 +extern int grsec_enable_chdir;
58604 +extern int grsec_resource_logging;
58605 +extern int grsec_enable_blackhole;
58606 +extern int grsec_lastack_retries;
58607 +extern int grsec_enable_brute;
58608 +extern int grsec_lock;
58609 +
58610 +extern spinlock_t grsec_alert_lock;
58611 +extern unsigned long grsec_alert_wtime;
58612 +extern unsigned long grsec_alert_fyet;
58613 +
58614 +extern spinlock_t grsec_audit_lock;
58615 +
58616 +extern rwlock_t grsec_exec_file_lock;
58617 +
58618 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
58619 +                       gr_to_filename2((tsk)->exec_file->f_path.dentry, \
58620 +                       (tsk)->exec_file->f_vfsmnt) : "/")
58621 +
58622 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
58623 +                       gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
58624 +                       (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
58625 +
58626 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
58627 +                       gr_to_filename((tsk)->exec_file->f_path.dentry, \
58628 +                       (tsk)->exec_file->f_vfsmnt) : "/")
58629 +
58630 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
58631 +                       gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
58632 +                       (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
58633 +
58634 +#define proc_is_chrooted(tsk_a)  ((tsk_a)->gr_is_chrooted)
58635 +
58636 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
58637 +
58638 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
58639 +                      (task)->pid, (cred)->uid, \
58640 +                      (cred)->euid, (cred)->gid, (cred)->egid, \
58641 +                      gr_parent_task_fullpath(task), \
58642 +                      (task)->real_parent->comm, (task)->real_parent->pid, \
58643 +                      (pcred)->uid, (pcred)->euid, \
58644 +                      (pcred)->gid, (pcred)->egid
58645 +
58646 +#define GR_CHROOT_CAPS {{ \
58647 +       CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
58648 +       CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
58649 +       CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
58650 +       CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
58651 +       CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
58652 +       CAP_TO_MASK(CAP_IPC_OWNER) | CAP_TO_MASK(CAP_SETFCAP), \
58653 +       CAP_TO_MASK(CAP_SYSLOG) | CAP_TO_MASK(CAP_MAC_ADMIN) }}
58654 +
58655 +#define security_learn(normal_msg,args...) \
58656 +({ \
58657 +       read_lock(&grsec_exec_file_lock); \
58658 +       gr_add_learn_entry(normal_msg "\n", ## args); \
58659 +       read_unlock(&grsec_exec_file_lock); \
58660 +})
58661 +
58662 +enum {
58663 +       GR_DO_AUDIT,
58664 +       GR_DONT_AUDIT,
58665 +       /* used for non-audit messages that we shouldn't kill the task on */
58666 +       GR_DONT_AUDIT_GOOD
58667 +};
58668 +
58669 +enum {
58670 +       GR_TTYSNIFF,
58671 +       GR_RBAC,
58672 +       GR_RBAC_STR,
58673 +       GR_STR_RBAC,
58674 +       GR_RBAC_MODE2,
58675 +       GR_RBAC_MODE3,
58676 +       GR_FILENAME,
58677 +       GR_SYSCTL_HIDDEN,
58678 +       GR_NOARGS,
58679 +       GR_ONE_INT,
58680 +       GR_ONE_INT_TWO_STR,
58681 +       GR_ONE_STR,
58682 +       GR_STR_INT,
58683 +       GR_TWO_STR_INT,
58684 +       GR_TWO_INT,
58685 +       GR_TWO_U64,
58686 +       GR_THREE_INT,
58687 +       GR_FIVE_INT_TWO_STR,
58688 +       GR_TWO_STR,
58689 +       GR_THREE_STR,
58690 +       GR_FOUR_STR,
58691 +       GR_STR_FILENAME,
58692 +       GR_FILENAME_STR,
58693 +       GR_FILENAME_TWO_INT,
58694 +       GR_FILENAME_TWO_INT_STR,
58695 +       GR_TEXTREL,
58696 +       GR_PTRACE,
58697 +       GR_RESOURCE,
58698 +       GR_CAP,
58699 +       GR_SIG,
58700 +       GR_SIG2,
58701 +       GR_CRASH1,
58702 +       GR_CRASH2,
58703 +       GR_PSACCT,
58704 +       GR_RWXMAP
58705 +};
58706 +
58707 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
58708 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
58709 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
58710 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
58711 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
58712 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
58713 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
58714 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
58715 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
58716 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
58717 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
58718 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
58719 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
58720 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
58721 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
58722 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
58723 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
58724 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
58725 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
58726 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
58727 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
58728 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
58729 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
58730 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
58731 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
58732 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
58733 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
58734 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
58735 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
58736 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
58737 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
58738 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
58739 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
58740 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
58741 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
58742 +
58743 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
58744 +
58745 +#endif
58746 +
58747 +#endif
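Review bot: The gr_task_fullpath family and DEFAULTSECARGS dereference `(tsk)->exec_file` and `(tsk)->real_parent->exec_file` without stating which lock protects those pointers; `security_learn` wraps its call in `read_lock(&grsec_exec_file_lock)`, which suggests exec_file is guarded by that lock, but nothing tells a user of DEFAULTSECARGS that it must be held. I would add above gr_task_fullpath: `/* Callers must hold grsec_exec_file_lock (read) while these macros run: they read tsk->exec_file and tsk->real_parent->exec_file. */`, after confirming the locking rule in the C file. The same comment should note that `tsk` is evaluated several times, so the argument must be side-effect free, and that the gr_to_filename()/1()/2()/3() variants presumably exist so two paths can appear in one log call without sharing a buffer, which is worth saying explicitly next to their prototypes.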
58748 diff -urNp linux-3.1.1/include/linux/grmsg.h linux-3.1.1/include/linux/grmsg.h
58749 --- linux-3.1.1/include/linux/grmsg.h   1969-12-31 19:00:00.000000000 -0500
58750 +++ linux-3.1.1/include/linux/grmsg.h   2011-11-16 18:40:31.000000000 -0500
58751 @@ -0,0 +1,108 @@
58752 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
58753 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
58754 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
58755 +#define GR_STOPMOD_MSG "denied modification of module state by "
58756 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
58757 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
58758 +#define GR_IOPERM_MSG "denied use of ioperm() by "
58759 +#define GR_IOPL_MSG "denied use of iopl() by "
58760 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
58761 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
58762 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
58763 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
58764 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
58765 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
58766 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
58767 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
58768 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
58769 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
58770 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
58771 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
58772 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
58773 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
58774 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
58775 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
58776 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
58777 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
58778 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
58779 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
58780 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
58781 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
58782 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
58783 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
58784 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
58785 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
58786 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
58787 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
58788 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
58789 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
58790 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
58791 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
58792 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
58793 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
58794 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
58795 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
58796 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
58797 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
58798 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
58799 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
58800 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
58801 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
58802 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
58803 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
58804 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
58805 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
58806 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
58807 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
58808 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
58809 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
58810 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
58811 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
58812 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
58813 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
58814 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
58815 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
58816 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
58817 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
58818 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
58819 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
58820 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
58821 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
58822 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
58823 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
58824 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
58825 +#define GR_NICE_CHROOT_MSG "denied priority change by "
58826 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
58827 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
58828 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
58829 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
58830 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
58831 +#define GR_TIME_MSG "time set by "
58832 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
58833 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
58834 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
58835 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
58836 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
58837 +#define GR_BIND_MSG "denied bind() by "
58838 +#define GR_CONNECT_MSG "denied connect() by "
58839 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
58840 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
58841 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
58842 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
58843 +#define GR_CAP_ACL_MSG "use of %s denied for "
58844 +#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
58845 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
58846 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
58847 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
58848 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
58849 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
58850 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
58851 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
58852 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
58853 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
58854 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
58855 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
58856 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
58857 +#define GR_VM86_MSG "denied use of vm86 by "
58858 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
58859 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
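Review bot: grmsg.h has no include guard, unlike the other new headers in this series, and it carries no explanation of the convention that most messages end in `by ` or `for ` because the caller appends the DEFAULTSECMSG/DEFAULTSECARGS subject description after them. A short header comment would prevent someone adding a message without the trailing space or with a mismatched argument count, which the format-string compile check cannot catch once the message goes through gr_log_varargs(). I would add at the top: `/* Log message formats for gr_log_*(); strings ending in "by "/"for " are completed with DEFAULTSECMSG arguments by the logger. Keep specifiers in sync with the GR_* argtype used by the caller. */` together with `#ifndef GRMSG_H` / `#define GRMSG_H` / `#endif`.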
58860 diff -urNp linux-3.1.1/include/linux/grsecurity.h linux-3.1.1/include/linux/grsecurity.h
58861 --- linux-3.1.1/include/linux/grsecurity.h      1969-12-31 19:00:00.000000000 -0500
58862 +++ linux-3.1.1/include/linux/grsecurity.h      2011-11-17 00:16:10.000000000 -0500
58863 @@ -0,0 +1,228 @@
58864 +#ifndef GR_SECURITY_H
58865 +#define GR_SECURITY_H
58866 +#include <linux/fs.h>
58867 +#include <linux/fs_struct.h>
58868 +#include <linux/binfmts.h>
58869 +#include <linux/gracl.h>
58870 +
58871 +/* notify of brain-dead configs */
58872 +#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
58873 +#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
58874 +#endif
58875 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
58876 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
58877 +#endif
58878 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
58879 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
58880 +#endif
58881 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
58882 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
58883 +#endif
58884 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
58885 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
58886 +#endif
58887 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
58888 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
58889 +#endif
58890 +
58891 +#include <linux/compat.h>
58892 +
58893 +struct user_arg_ptr {
58894 +#ifdef CONFIG_COMPAT
58895 +       bool is_compat;
58896 +#endif
58897 +       union {
58898 +               const char __user *const __user *native;
58899 +#ifdef CONFIG_COMPAT
58900 +               compat_uptr_t __user *compat;
58901 +#endif
58902 +       } ptr;
58903 +};
58904 +
58905 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
58906 +void gr_handle_brute_check(void);
58907 +void gr_handle_kernel_exploit(void);
58908 +int gr_process_user_ban(void);
58909 +
58910 +char gr_roletype_to_char(void);
58911 +
58912 +int gr_acl_enable_at_secure(void);
58913 +
58914 +int gr_check_user_change(int real, int effective, int fs);
58915 +int gr_check_group_change(int real, int effective, int fs);
58916 +
58917 +void gr_del_task_from_ip_table(struct task_struct *p);
58918 +
58919 +int gr_pid_is_chrooted(struct task_struct *p);
58920 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
58921 +int gr_handle_chroot_nice(void);
58922 +int gr_handle_chroot_sysctl(const int op);
58923 +int gr_handle_chroot_setpriority(struct task_struct *p,
58924 +                                       const int niceval);
58925 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
58926 +int gr_handle_chroot_chroot(const struct dentry *dentry,
58927 +                                  const struct vfsmount *mnt);
58928 +void gr_handle_chroot_chdir(struct path *path);
58929 +int gr_handle_chroot_chmod(const struct dentry *dentry,
58930 +                                 const struct vfsmount *mnt, const int mode);
58931 +int gr_handle_chroot_mknod(const struct dentry *dentry,
58932 +                                 const struct vfsmount *mnt, const int mode);
58933 +int gr_handle_chroot_mount(const struct dentry *dentry,
58934 +                                 const struct vfsmount *mnt,
58935 +                                 const char *dev_name);
58936 +int gr_handle_chroot_pivot(void);
58937 +int gr_handle_chroot_unix(const pid_t pid);
58938 +
58939 +int gr_handle_rawio(const struct inode *inode);
58940 +
58941 +void gr_handle_ioperm(void);
58942 +void gr_handle_iopl(void);
58943 +
58944 +int gr_tpe_allow(const struct file *file);
58945 +
58946 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
58947 +void gr_clear_chroot_entries(struct task_struct *task);
58948 +
58949 +void gr_log_forkfail(const int retval);
58950 +void gr_log_timechange(void);
58951 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
58952 +void gr_log_chdir(const struct dentry *dentry,
58953 +                        const struct vfsmount *mnt);
58954 +void gr_log_chroot_exec(const struct dentry *dentry,
58955 +                              const struct vfsmount *mnt);
58956 +void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv);
58957 +void gr_log_remount(const char *devname, const int retval);
58958 +void gr_log_unmount(const char *devname, const int retval);
58959 +void gr_log_mount(const char *from, const char *to, const int retval);
58960 +void gr_log_textrel(struct vm_area_struct *vma);
58961 +void gr_log_rwxmmap(struct file *file);
58962 +void gr_log_rwxmprotect(struct file *file);
58963 +
58964 +int gr_handle_follow_link(const struct inode *parent,
58965 +                                const struct inode *inode,
58966 +                                const struct dentry *dentry,
58967 +                                const struct vfsmount *mnt);
58968 +int gr_handle_fifo(const struct dentry *dentry,
58969 +                         const struct vfsmount *mnt,
58970 +                         const struct dentry *dir, const int flag,
58971 +                         const int acc_mode);
58972 +int gr_handle_hardlink(const struct dentry *dentry,
58973 +                             const struct vfsmount *mnt,
58974 +                             struct inode *inode,
58975 +                             const int mode, const char *to);
58976 +
58977 +int gr_is_capable(const int cap);
58978 +int gr_is_capable_nolog(const int cap);
58979 +void gr_learn_resource(const struct task_struct *task, const int limit,
58980 +                             const unsigned long wanted, const int gt);
58981 +void gr_copy_label(struct task_struct *tsk);
58982 +void gr_handle_crash(struct task_struct *task, const int sig);
58983 +int gr_handle_signal(const struct task_struct *p, const int sig);
58984 +int gr_check_crash_uid(const uid_t uid);
58985 +int gr_check_protected_task(const struct task_struct *task);
58986 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
58987 +int gr_acl_handle_mmap(const struct file *file,
58988 +                             const unsigned long prot);
58989 +int gr_acl_handle_mprotect(const struct file *file,
58990 +                                 const unsigned long prot);
58991 +int gr_check_hidden_task(const struct task_struct *tsk);
58992 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
58993 +                                   const struct vfsmount *mnt);
58994 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
58995 +                                const struct vfsmount *mnt);
58996 +__u32 gr_acl_handle_access(const struct dentry *dentry,
58997 +                                 const struct vfsmount *mnt, const int fmode);
58998 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
58999 +                                 const struct vfsmount *mnt, mode_t mode);
59000 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
59001 +                                const struct vfsmount *mnt, mode_t mode);
59002 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
59003 +                                const struct vfsmount *mnt);
59004 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
59005 +                                const struct vfsmount *mnt);
59006 +int gr_handle_ptrace(struct task_struct *task, const long request);
59007 +int gr_handle_proc_ptrace(struct task_struct *task);
59008 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
59009 +                                 const struct vfsmount *mnt);
59010 +int gr_check_crash_exec(const struct file *filp);
59011 +int gr_acl_is_enabled(void);
59012 +void gr_set_kernel_label(struct task_struct *task);
59013 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
59014 +                             const gid_t gid);
59015 +int gr_set_proc_label(const struct dentry *dentry,
59016 +                       const struct vfsmount *mnt,
59017 +                       const int unsafe_share);
59018 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
59019 +                               const struct vfsmount *mnt);
59020 +__u32 gr_acl_handle_open(const struct dentry *dentry,
59021 +                               const struct vfsmount *mnt, int acc_mode);
59022 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
59023 +                                const struct dentry *p_dentry,
59024 +                                const struct vfsmount *p_mnt,
59025 +                                int open_flags, int acc_mode, const int imode);
59026 +void gr_handle_create(const struct dentry *dentry,
59027 +                            const struct vfsmount *mnt);
59028 +void gr_handle_proc_create(const struct dentry *dentry,
59029 +                          const struct inode *inode);
59030 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
59031 +                                const struct dentry *parent_dentry,
59032 +                                const struct vfsmount *parent_mnt,
59033 +                                const int mode);
59034 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
59035 +                                const struct dentry *parent_dentry,
59036 +                                const struct vfsmount *parent_mnt);
59037 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
59038 +                                const struct vfsmount *mnt);
59039 +void gr_handle_delete(const ino_t ino, const dev_t dev);
59040 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
59041 +                                 const struct vfsmount *mnt);
59042 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
59043 +                                  const struct dentry *parent_dentry,
59044 +                                  const struct vfsmount *parent_mnt,
59045 +                                  const char *from);
59046 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
59047 +                               const struct dentry *parent_dentry,
59048 +                               const struct vfsmount *parent_mnt,
59049 +                               const struct dentry *old_dentry,
59050 +                               const struct vfsmount *old_mnt, const char *to);
59051 +int gr_acl_handle_rename(struct dentry *new_dentry,
59052 +                               struct dentry *parent_dentry,
59053 +                               const struct vfsmount *parent_mnt,
59054 +                               struct dentry *old_dentry,
59055 +                               struct inode *old_parent_inode,
59056 +                               struct vfsmount *old_mnt, const char *newname);
59057 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
59058 +                               struct dentry *old_dentry,
59059 +                               struct dentry *new_dentry,
59060 +                               struct vfsmount *mnt, const __u8 replace);
59061 +__u32 gr_check_link(const struct dentry *new_dentry,
59062 +                          const struct dentry *parent_dentry,
59063 +                          const struct vfsmount *parent_mnt,
59064 +                          const struct dentry *old_dentry,
59065 +                          const struct vfsmount *old_mnt);
59066 +int gr_acl_handle_filldir(const struct file *file, const char *name,
59067 +                                const unsigned int namelen, const ino_t ino);
59068 +
59069 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
59070 +                               const struct vfsmount *mnt);
59071 +void gr_acl_handle_exit(void);
59072 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
59073 +int gr_acl_handle_procpidmem(const struct task_struct *task);
59074 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
59075 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
59076 +void gr_audit_ptrace(struct task_struct *task);
59077 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
59078 +
59079 +#ifdef CONFIG_GRKERNSEC
59080 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
59081 +void gr_handle_vm86(void);
59082 +void gr_handle_mem_readwrite(u64 from, u64 to);
59083 +
59084 +extern int grsec_enable_dmesg;
59085 +extern int grsec_disable_privio;
59086 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59087 +extern int grsec_enable_chroot_findtask;
59088 +#endif
59089 +#endif
59090 +
59091 +#endif
59092 diff -urNp linux-3.1.1/include/linux/grsock.h linux-3.1.1/include/linux/grsock.h
59093 --- linux-3.1.1/include/linux/grsock.h  1969-12-31 19:00:00.000000000 -0500
59094 +++ linux-3.1.1/include/linux/grsock.h  2011-11-16 18:40:31.000000000 -0500
59095 @@ -0,0 +1,19 @@
59096 +#ifndef __GRSOCK_H
59097 +#define __GRSOCK_H
59098 +
59099 +extern void gr_attach_curr_ip(const struct sock *sk);
59100 +extern int gr_handle_sock_all(const int family, const int type,
59101 +                             const int protocol);
59102 +extern int gr_handle_sock_server(const struct sockaddr *sck);
59103 +extern int gr_handle_sock_server_other(const struct sock *sck);
59104 +extern int gr_handle_sock_client(const struct sockaddr *sck);
59105 +extern int gr_search_connect(struct socket * sock,
59106 +                            struct sockaddr_in * addr);
59107 +extern int gr_search_bind(struct socket * sock,
59108 +                         struct sockaddr_in * addr);
59109 +extern int gr_search_listen(struct socket * sock);
59110 +extern int gr_search_accept(struct socket * sock);
59111 +extern int gr_search_socket(const int domain, const int type,
59112 +                           const int protocol);
59113 +
59114 +#endif
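Review bot: The prototypes on lines 59102–59115 name `struct sock`, `struct sockaddr`, `struct socket` and `struct sockaddr_in` without any include or forward declaration, so each tag that is not already visible gets prototype scope ("declared inside parameter list will not be visible outside"), and a later real declaration is then a different, incompatible type; adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` right after the guard makes the header self-contained. The `struct sockaddr_in *` parameters of `gr_search_connect` and `gr_search_bind` suggest these hooks are AF_INET-only; if so, a comment stating that the caller must have verified the address family before passing the pointer would prevent a non-IPv4 sockaddr from being read through the IPv4 layout. A one-line description of the return convention (what non-zero means for the `gr_handle_sock_*` and `gr_search_*` families) is also missing and would help every call site.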
59115 diff -urNp linux-3.1.1/include/linux/hid.h linux-3.1.1/include/linux/hid.h
59116 --- linux-3.1.1/include/linux/hid.h     2011-11-11 15:19:27.000000000 -0500
59117 +++ linux-3.1.1/include/linux/hid.h     2011-11-16 18:39:08.000000000 -0500
59118 @@ -676,7 +676,7 @@ struct hid_ll_driver {
59119                         unsigned int code, int value);
59120  
59121         int (*parse)(struct hid_device *hdev);
59122 -};
59123 +} __no_const;
59124  
59125  #define        PM_HINT_FULLON  1<<5
59126  #define PM_HINT_NORMAL 1<<1
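Review bot: The `__no_const` added to `struct hid_ll_driver` on line 59126 carries no explanation of why this function-pointer table must stay writable, and the same applies to the `__no_const` markers in i2c.h, intel-iommu.h, mca.h, memory.h and abx500.h and the `__do_const` markers in kgdb.h and libata.h. From the names these appear to be opt-out/opt-in annotations for a pass that moves ops structures into read-only memory (the definitions are not in this chunk); an opted-out ops table is exactly the writable function-pointer array such a pass exists to remove, so each `__no_const` deserves a one-line justification such as `} __no_const; /* <driver that assigns members at runtime> needs this writable */` with the driver named. A short comment at the first `__do_const` stating what it demands of users (no runtime assignment to members) would help readers who do not know the plugin.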
59127 diff -urNp linux-3.1.1/include/linux/highmem.h linux-3.1.1/include/linux/highmem.h
59128 --- linux-3.1.1/include/linux/highmem.h 2011-11-11 15:19:27.000000000 -0500
59129 +++ linux-3.1.1/include/linux/highmem.h 2011-11-16 18:39:08.000000000 -0500
59130 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
59131         kunmap_atomic(kaddr, KM_USER0);
59132  }
59133  
59134 +static inline void sanitize_highpage(struct page *page)
59135 +{
59136 +       void *kaddr;
59137 +       unsigned long flags;
59138 +
59139 +       local_irq_save(flags);
59140 +       kaddr = kmap_atomic(page, KM_CLEARPAGE);
59141 +       clear_page(kaddr);
59142 +       kunmap_atomic(kaddr, KM_CLEARPAGE);
59143 +       local_irq_restore(flags);
59144 +}
59145 +
59146  static inline void zero_user_segments(struct page *page,
59147         unsigned start1, unsigned end1,
59148         unsigned start2, unsigned end2)
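Review bot: `sanitize_highpage` has no comment saying what distinguishes it from `clear_highpage` immediately above, although the two differ in ways that matter: it disables interrupts around the mapping and uses the `KM_CLEARPAGE` slot instead of `KM_USER0`. Presumably it must be callable from a page-free path that can run in interrupt context or with interrupts enabled, which is why a dedicated kmap slot plus `local_irq_save` is needed; that reasoning should be stated, e.g. `/* Like clear_highpage(), but usable from any context: private kmap slot with IRQs off. Scrubs a page being freed so its contents cannot leak to the next owner. */`, with the scrub purpose confirmed against the caller. Naming the caller in the comment would also make it clear why the cheaper `clear_highpage` is not sufficient.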
59149 diff -urNp linux-3.1.1/include/linux/i2c.h linux-3.1.1/include/linux/i2c.h
59150 --- linux-3.1.1/include/linux/i2c.h     2011-11-11 15:19:27.000000000 -0500
59151 +++ linux-3.1.1/include/linux/i2c.h     2011-11-16 18:39:08.000000000 -0500
59152 @@ -346,6 +346,7 @@ struct i2c_algorithm {
59153         /* To determine what the adapter supports */
59154         u32 (*functionality) (struct i2c_adapter *);
59155  };
59156 +typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
59157  
59158  /*
59159   * i2c_adapter is the structure used to identify a physical i2c bus along
59160 diff -urNp linux-3.1.1/include/linux/i2o.h linux-3.1.1/include/linux/i2o.h
59161 --- linux-3.1.1/include/linux/i2o.h     2011-11-11 15:19:27.000000000 -0500
59162 +++ linux-3.1.1/include/linux/i2o.h     2011-11-16 18:39:08.000000000 -0500
59163 @@ -564,7 +564,7 @@ struct i2o_controller {
59164         struct i2o_device *exec;        /* Executive */
59165  #if BITS_PER_LONG == 64
59166         spinlock_t context_list_lock;   /* lock for context_list */
59167 -       atomic_t context_list_counter;  /* needed for unique contexts */
59168 +       atomic_unchecked_t context_list_counter;        /* needed for unique contexts */
59169         struct list_head context_list;  /* list of context id's
59170                                            and pointers */
59171  #endif
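Review bot: `context_list_counter` is switched to `atomic_unchecked_t` on line 59171 while the comment on the same line still says it is "needed for unique contexts", and a counter whose uniqueness matters is the one place where silently tolerating wrap-around is questionable: if the unchecked type opts the counter out of overflow detection, as the name suggests (its definition is not in this chunk), a wrapped counter hands out duplicate context ids without any report. Either the comment should justify why wrap is harmless here, e.g. `/* unique contexts; wrap tolerated because ids are short-lived */` if that is the case, or the checked type should stay. The same marker is applied to `mce_bad_pages` in mm.h and `vm_stat` in mmzone.h, where wrap of a statistic is clearly tolerable and a `/* stats, wrap tolerated */` note suffices, and to `kgdb_cpu_doing_single_step` in kgdb.h, which holds a CPU id rather than a count and so deserves a word on why the unchecked type was chosen.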
59172 diff -urNp linux-3.1.1/include/linux/init.h linux-3.1.1/include/linux/init.h
59173 --- linux-3.1.1/include/linux/init.h    2011-11-11 15:19:27.000000000 -0500
59174 +++ linux-3.1.1/include/linux/init.h    2011-11-16 18:39:08.000000000 -0500
59175 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
59176  
59177  /* Each module must use one module_init(). */
59178  #define module_init(initfn)                                    \
59179 -       static inline initcall_t __inittest(void)               \
59180 +       static inline __used initcall_t __inittest(void)        \
59181         { return initfn; }                                      \
59182         int init_module(void) __attribute__((alias(#initfn)));
59183  
59184  /* This is only required if you want to be unloadable. */
59185  #define module_exit(exitfn)                                    \
59186 -       static inline exitcall_t __exittest(void)               \
59187 +       static inline __used exitcall_t __exittest(void)        \
59188         { return exitfn; }                                      \
59189         void cleanup_module(void) __attribute__((alias(#exitfn)));
59190  
59191 diff -urNp linux-3.1.1/include/linux/init_task.h linux-3.1.1/include/linux/init_task.h
59192 --- linux-3.1.1/include/linux/init_task.h       2011-11-11 15:19:27.000000000 -0500
59193 +++ linux-3.1.1/include/linux/init_task.h       2011-11-16 18:39:08.000000000 -0500
59194 @@ -126,6 +126,12 @@ extern struct cred init_cred;
59195  # define INIT_PERF_EVENTS(tsk)
59196  #endif
59197  
59198 +#ifdef CONFIG_X86
59199 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
59200 +#else
59201 +#define INIT_TASK_THREAD_INFO
59202 +#endif
59203 +
59204  /*
59205   *  INIT_TASK is used to set up the first task table, touch at
59206   * your own risk!. Base=0, limit=0x1fffff (=2MB)
59207 @@ -164,6 +170,7 @@ extern struct cred init_cred;
59208         RCU_INIT_POINTER(.cred, &init_cred),                            \
59209         .comm           = "swapper",                                    \
59210         .thread         = INIT_THREAD,                                  \
59211 +       INIT_TASK_THREAD_INFO                                           \
59212         .fs             = &init_fs,                                     \
59213         .files          = &init_files,                                  \
59214         .signal         = &init_signals,                                \
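Review bot: `INIT_TASK_THREAD_INFO` initialises a `.tinfo` member under `CONFIG_X86` only, but nothing in this hunk ties that condition to wherever `tinfo` is added to `struct task_struct` (elsewhere in the patch, not visible here); if the two conditions ever diverge, the designated initialiser fails to compile on one side or silently leaves the member zero on the other. A comment at the definition, e.g. `/* must match the #ifdef around task_struct's tinfo member in sched.h */`, keeps the two in step. The trailing comma inside the macro is deliberate because the expansion may be empty; it is worth saying so, since a reader may "fix" it.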
59215 diff -urNp linux-3.1.1/include/linux/intel-iommu.h linux-3.1.1/include/linux/intel-iommu.h
59216 --- linux-3.1.1/include/linux/intel-iommu.h     2011-11-11 15:19:27.000000000 -0500
59217 +++ linux-3.1.1/include/linux/intel-iommu.h     2011-11-16 18:39:08.000000000 -0500
59218 @@ -296,7 +296,7 @@ struct iommu_flush {
59219                               u8 fm, u64 type);
59220         void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr,
59221                             unsigned int size_order, u64 type);
59222 -};
59223 +} __no_const;
59224  
59225  enum {
59226         SR_DMAR_FECTL_REG,
59227 diff -urNp linux-3.1.1/include/linux/interrupt.h linux-3.1.1/include/linux/interrupt.h
59228 --- linux-3.1.1/include/linux/interrupt.h       2011-11-11 15:19:27.000000000 -0500
59229 +++ linux-3.1.1/include/linux/interrupt.h       2011-11-16 18:39:08.000000000 -0500
59230 @@ -425,7 +425,7 @@ enum
59231  /* map softirq index to softirq name. update 'softirq_to_name' in
59232   * kernel/softirq.c when adding a new softirq.
59233   */
59234 -extern char *softirq_to_name[NR_SOFTIRQS];
59235 +extern const char * const softirq_to_name[NR_SOFTIRQS];
59236  
59237  /* softirq mask and active fields moved to irq_cpustat_t in
59238   * asm/hardirq.h to get better cache usage.  KAO
59239 @@ -433,12 +433,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
59240  
59241  struct softirq_action
59242  {
59243 -       void    (*action)(struct softirq_action *);
59244 +       void    (*action)(void);
59245  };
59246  
59247  asmlinkage void do_softirq(void);
59248  asmlinkage void __do_softirq(void);
59249 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
59250 +extern void open_softirq(int nr, void (*action)(void));
59251  extern void softirq_init(void);
59252  static inline void __raise_softirq_irqoff(unsigned int nr)
59253  {
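Review bot: Dropping the `struct softirq_action *` argument from `action` on line 59247 and from `open_softirq` on line 59253 is a kernel-wide API change, so every softirq handler and every `open_softirq` caller must be converted in the same patch; a missed conversion only produces an incompatible-pointer-type warning, not an error, so a handler could end up called with the wrong signature if warnings are ignored. The reason for the change is not stated; it looks like it is done so that handlers no longer receive a pointer into the writable softirq table (consistent with making `softirq_to_name` const on line 59238), which deserves a comment on the struct such as `/* no argument on purpose: handlers must not obtain a pointer into the softirq table */`. The `const char * const` change on line 59238 is only correct if the definition in `kernel/softirq.c` carries the same qualifiers, as the comment above it already reminds.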
59254 diff -urNp linux-3.1.1/include/linux/kallsyms.h linux-3.1.1/include/linux/kallsyms.h
59255 --- linux-3.1.1/include/linux/kallsyms.h        2011-11-11 15:19:27.000000000 -0500
59256 +++ linux-3.1.1/include/linux/kallsyms.h        2011-11-16 18:40:31.000000000 -0500
59257 @@ -15,7 +15,8 @@
59258  
59259  struct module;
59260  
59261 -#ifdef CONFIG_KALLSYMS
59262 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
59263 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
59264  /* Lookup the address for a symbol. Returns 0 if not found. */
59265  unsigned long kallsyms_lookup_name(const char *name);
59266  
59267 @@ -99,6 +100,16 @@ static inline int lookup_symbol_attrs(un
59268  /* Stupid that this does nothing, but I didn't create this mess. */
59269  #define __print_symbol(fmt, addr)
59270  #endif /*CONFIG_KALLSYMS*/
59271 +#else /* when included by kallsyms.c, vsnprintf.c, or
59272 +        arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
59273 +extern void __print_symbol(const char *fmt, unsigned long address);
59274 +extern int sprint_backtrace(char *buffer, unsigned long address);
59275 +extern int sprint_symbol(char *buffer, unsigned long address);
59276 +const char *kallsyms_lookup(unsigned long addr,
59277 +                           unsigned long *symbolsize,
59278 +                           unsigned long *offset,
59279 +                           char **modname, char *namebuf);
59280 +#endif
59281  
59282  /* This macro allows us to keep printk typechecking */
59283  static void __check_printsym_format(const char *fmt, ...)
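Review bot: The `#endif` added on line 59283 closes the new outer `#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)` but has no trailing comment, while the context line `#endif /*CONFIG_KALLSYMS*/` on line 59273 now closes the inner `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` and its comment has become stale. Suggest `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` for the inner one and `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */` for the outer one, since a reader of nested conditions otherwise has to count. The comment on lines 59274–59275 explains the `#else` branch well; a matching sentence near the top of the file stating the overall intent (with HIDESYM enabled, generic code sees the no-KALLSYMS stubs and only the named translation units get the real prototypes) would complete the picture, because the stub half of the inner `#if` lies outside this hunk.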
59284 diff -urNp linux-3.1.1/include/linux/kgdb.h linux-3.1.1/include/linux/kgdb.h
59285 --- linux-3.1.1/include/linux/kgdb.h    2011-11-11 15:19:27.000000000 -0500
59286 +++ linux-3.1.1/include/linux/kgdb.h    2011-11-16 18:39:08.000000000 -0500
59287 @@ -53,7 +53,7 @@ extern int kgdb_connected;
59288  extern int kgdb_io_module_registered;
59289  
59290  extern atomic_t                        kgdb_setting_breakpoint;
59291 -extern atomic_t                        kgdb_cpu_doing_single_step;
59292 +extern atomic_unchecked_t      kgdb_cpu_doing_single_step;
59293  
59294  extern struct task_struct      *kgdb_usethread;
59295  extern struct task_struct      *kgdb_contthread;
59296 @@ -251,7 +251,7 @@ struct kgdb_arch {
59297         void    (*disable_hw_break)(struct pt_regs *regs);
59298         void    (*remove_all_hw_break)(void);
59299         void    (*correct_hw_break)(void);
59300 -};
59301 +} __do_const;
59302  
59303  /**
59304   * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
59305 @@ -276,7 +276,7 @@ struct kgdb_io {
59306         void                    (*pre_exception) (void);
59307         void                    (*post_exception) (void);
59308         int                     is_console;
59309 -};
59310 +} __do_const;
59311  
59312  extern struct kgdb_arch                arch_kgdb_ops;
59313  
59314 diff -urNp linux-3.1.1/include/linux/kmod.h linux-3.1.1/include/linux/kmod.h
59315 --- linux-3.1.1/include/linux/kmod.h    2011-11-11 15:19:27.000000000 -0500
59316 +++ linux-3.1.1/include/linux/kmod.h    2011-11-16 18:40:31.000000000 -0500
59317 @@ -34,6 +34,8 @@ extern char modprobe_path[]; /* for sysc
59318   * usually useless though. */
59319  extern int __request_module(bool wait, const char *name, ...) \
59320         __attribute__((format(printf, 2, 3)));
59321 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
59322 +       __attribute__((format(printf, 3, 4)));
59323  #define request_module(mod...) __request_module(true, mod)
59324  #define request_module_nowait(mod...) __request_module(false, mod)
59325  #define try_then_request_module(x, mod...) \
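Review bot: `___request_module` on line 59324 takes `param_name` as a non-const `char *` while `name` is `const char *`; unless the function writes through it, `const char *param_name` lets callers pass string literals and table entries without a cast and documents the contract. The purpose of the extra parameter is not stated; it presumably identifies which module parameter or request path the load is attributed to for logging or restriction (the implementation is not visible here), and the prototype's comment should say so and state whether `NULL` is accepted. With three variants now differing only in leading underscores, the comment should also note that `request_module()` and `request_module_nowait()` continue to expand to `__request_module`, as lines 59326–59327 show.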
59326 diff -urNp linux-3.1.1/include/linux/kvm_host.h linux-3.1.1/include/linux/kvm_host.h
59327 --- linux-3.1.1/include/linux/kvm_host.h        2011-11-11 15:19:27.000000000 -0500
59328 +++ linux-3.1.1/include/linux/kvm_host.h        2011-11-16 18:39:08.000000000 -0500
59329 @@ -308,7 +308,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
59330  void vcpu_load(struct kvm_vcpu *vcpu);
59331  void vcpu_put(struct kvm_vcpu *vcpu);
59332  
59333 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59334 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59335                   struct module *module);
59336  void kvm_exit(void);
59337  
59338 @@ -454,7 +454,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
59339                                         struct kvm_guest_debug *dbg);
59340  int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
59341  
59342 -int kvm_arch_init(void *opaque);
59343 +int kvm_arch_init(const void *opaque);
59344  void kvm_arch_exit(void);
59345  
59346  int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
59347 diff -urNp linux-3.1.1/include/linux/libata.h linux-3.1.1/include/linux/libata.h
59348 --- linux-3.1.1/include/linux/libata.h  2011-11-11 15:19:27.000000000 -0500
59349 +++ linux-3.1.1/include/linux/libata.h  2011-11-16 18:39:08.000000000 -0500
59350 @@ -909,7 +909,7 @@ struct ata_port_operations {
59351          * fields must be pointers.
59352          */
59353         const struct ata_port_operations        *inherits;
59354 -};
59355 +} __do_const;
59356  
59357  struct ata_port_info {
59358         unsigned long           flags;
59359 diff -urNp linux-3.1.1/include/linux/mca.h linux-3.1.1/include/linux/mca.h
59360 --- linux-3.1.1/include/linux/mca.h     2011-11-11 15:19:27.000000000 -0500
59361 +++ linux-3.1.1/include/linux/mca.h     2011-11-16 18:39:08.000000000 -0500
59362 @@ -80,7 +80,7 @@ struct mca_bus_accessor_functions {
59363                                                   int region);
59364         void *          (*mca_transform_memory)(struct mca_device *,
59365                                                 void *memory);
59366 -};
59367 +} __no_const;
59368  
59369  struct mca_bus {
59370         u64                     default_dma_mask;
59371 diff -urNp linux-3.1.1/include/linux/memory.h linux-3.1.1/include/linux/memory.h
59372 --- linux-3.1.1/include/linux/memory.h  2011-11-11 15:19:27.000000000 -0500
59373 +++ linux-3.1.1/include/linux/memory.h  2011-11-16 18:39:08.000000000 -0500
59374 @@ -144,7 +144,7 @@ struct memory_accessor {
59375                         size_t count);
59376         ssize_t (*write)(struct memory_accessor *, const char *buf,
59377                          off_t offset, size_t count);
59378 -};
59379 +} __no_const;
59380  
59381  /*
59382   * Kernel text modification mutex, used for code patching. Users of this lock
59383 diff -urNp linux-3.1.1/include/linux/mfd/abx500.h linux-3.1.1/include/linux/mfd/abx500.h
59384 --- linux-3.1.1/include/linux/mfd/abx500.h      2011-11-11 15:19:27.000000000 -0500
59385 +++ linux-3.1.1/include/linux/mfd/abx500.h      2011-11-16 18:39:08.000000000 -0500
59386 @@ -234,6 +234,7 @@ struct abx500_ops {
59387         int (*event_registers_startup_state_get) (struct device *, u8 *);
59388         int (*startup_irq_enabled) (struct device *, unsigned int);
59389  };
59390 +typedef struct abx500_ops __no_const abx500_ops_no_const;
59391  
59392  int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops);
59393  void abx500_remove_ops(struct device *dev);
59394 diff -urNp linux-3.1.1/include/linux/mm.h linux-3.1.1/include/linux/mm.h
59395 --- linux-3.1.1/include/linux/mm.h      2011-11-11 15:19:27.000000000 -0500
59396 +++ linux-3.1.1/include/linux/mm.h      2011-11-16 18:39:08.000000000 -0500
59397 @@ -114,7 +114,14 @@ extern unsigned int kobjsize(const void 
59398  
59399  #define VM_CAN_NONLINEAR 0x08000000    /* Has ->fault & does nonlinear pages */
59400  #define VM_MIXEDMAP    0x10000000      /* Can contain "struct page" and pure PFN pages */
59401 +
59402 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
59403 +#define VM_SAO         0x00000000      /* Strong Access Ordering (powerpc) */
59404 +#define VM_PAGEEXEC    0x20000000      /* vma->vm_page_prot needs special handling */
59405 +#else
59406  #define VM_SAO         0x20000000      /* Strong Access Ordering (powerpc) */
59407 +#endif
59408 +
59409  #define VM_PFN_AT_MMAP 0x40000000      /* PFNMAP vma that is fully mapped at mmap time */
59410  #define VM_MERGEABLE   0x80000000      /* KSM may merge identical pages */
59411  
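Review bot: In the `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` branch `VM_SAO` is redefined as `0x00000000` so that bit 0x20000000 can be reused for `VM_PAGEEXEC`, which means every `vm_flags & VM_SAO` test in generic code becomes constant-false and every `|= VM_SAO` becomes a no-op on that configuration; that is harmless only because VM_SAO is powerpc-specific, and the comment on line 59406 should say so instead of repeating the powerpc description, e.g. `/* VM_SAO is powerpc-only; its bit is reused for VM_PAGEEXEC on x86_32, so VM_SAO is a no-op here */`. A compile-time check that the two values never overlap when both are non-zero would make the reuse self-verifying. The `__do_munmap` prototype added on line 59470 further down this section would also benefit from a one-line comment on how it differs from `do_munmap`, presumably in the locking the caller must already hold.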
59412 @@ -1011,34 +1018,6 @@ int set_page_dirty(struct page *page);
59413  int set_page_dirty_lock(struct page *page);
59414  int clear_page_dirty_for_io(struct page *page);
59415  
59416 -/* Is the vma a continuation of the stack vma above it? */
59417 -static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
59418 -{
59419 -       return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
59420 -}
59421 -
59422 -static inline int stack_guard_page_start(struct vm_area_struct *vma,
59423 -                                            unsigned long addr)
59424 -{
59425 -       return (vma->vm_flags & VM_GROWSDOWN) &&
59426 -               (vma->vm_start == addr) &&
59427 -               !vma_growsdown(vma->vm_prev, addr);
59428 -}
59429 -
59430 -/* Is the vma a continuation of the stack vma below it? */
59431 -static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
59432 -{
59433 -       return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
59434 -}
59435 -
59436 -static inline int stack_guard_page_end(struct vm_area_struct *vma,
59437 -                                          unsigned long addr)
59438 -{
59439 -       return (vma->vm_flags & VM_GROWSUP) &&
59440 -               (vma->vm_end == addr) &&
59441 -               !vma_growsup(vma->vm_next, addr);
59442 -}
59443 -
59444  extern unsigned long move_page_tables(struct vm_area_struct *vma,
59445                 unsigned long old_addr, struct vm_area_struct *new_vma,
59446                 unsigned long new_addr, unsigned long len);
59447 @@ -1133,6 +1112,15 @@ static inline void sync_mm_rss(struct ta
59448  }
59449  #endif
59450  
59451 +#ifdef CONFIG_MMU
59452 +pgprot_t vm_get_page_prot(vm_flags_t vm_flags);
59453 +#else
59454 +static inline pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
59455 +{
59456 +       return __pgprot(0);
59457 +}
59458 +#endif
59459 +
59460  int vma_wants_writenotify(struct vm_area_struct *vma);
59461  
59462  extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
59463 @@ -1417,6 +1405,7 @@ out:
59464  }
59465  
59466  extern int do_munmap(struct mm_struct *, unsigned long, size_t);
59467 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
59468  
59469  extern unsigned long do_brk(unsigned long, unsigned long);
59470  
59471 @@ -1474,6 +1463,10 @@ extern struct vm_area_struct * find_vma(
59472  extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
59473                                              struct vm_area_struct **pprev);
59474  
59475 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
59476 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
59477 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
59478 +
59479  /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
59480     NULL if none.  Assume start_addr < end_addr. */
59481  static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
59482 @@ -1490,15 +1483,6 @@ static inline unsigned long vma_pages(st
59483         return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
59484  }
59485  
59486 -#ifdef CONFIG_MMU
59487 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
59488 -#else
59489 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
59490 -{
59491 -       return __pgprot(0);
59492 -}
59493 -#endif
59494 -
59495  struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
59496  int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
59497                         unsigned long pfn, unsigned long size, pgprot_t);
59498 @@ -1612,7 +1596,7 @@ extern int unpoison_memory(unsigned long
59499  extern int sysctl_memory_failure_early_kill;
59500  extern int sysctl_memory_failure_recovery;
59501  extern void shake_page(struct page *p, int access);
59502 -extern atomic_long_t mce_bad_pages;
59503 +extern atomic_long_unchecked_t mce_bad_pages;
59504  extern int soft_offline_page(struct page *page, int flags);
59505  
59506  extern void dump_page(struct page *page);
59507 @@ -1626,5 +1610,11 @@ extern void copy_user_huge_page(struct p
59508                                 unsigned int pages_per_huge_page);
59509  #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
59510  
59511 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
59512 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
59513 +#else
59514 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
59515 +#endif
59516 +
59517  #endif /* __KERNEL__ */
59518  #endif /* _LINUX_MM_H */
59519 diff -urNp linux-3.1.1/include/linux/mm_types.h linux-3.1.1/include/linux/mm_types.h
59520 --- linux-3.1.1/include/linux/mm_types.h        2011-11-11 15:19:27.000000000 -0500
59521 +++ linux-3.1.1/include/linux/mm_types.h        2011-11-16 18:39:08.000000000 -0500
59522 @@ -230,6 +230,8 @@ struct vm_area_struct {
59523  #ifdef CONFIG_NUMA
59524         struct mempolicy *vm_policy;    /* NUMA policy for the VMA */
59525  #endif
59526 +
59527 +       struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
59528  };
59529  
59530  struct core_thread {
59531 @@ -362,6 +364,24 @@ struct mm_struct {
59532  #ifdef CONFIG_CPUMASK_OFFSTACK
59533         struct cpumask cpumask_allocation;
59534  #endif
59535 +
59536 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
59537 +       unsigned long pax_flags;
59538 +#endif
59539 +
59540 +#ifdef CONFIG_PAX_DLRESOLVE
59541 +       unsigned long call_dl_resolve;
59542 +#endif
59543 +
59544 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
59545 +       unsigned long call_syscall;
59546 +#endif
59547 +
59548 +#ifdef CONFIG_PAX_ASLR
59549 +       unsigned long delta_mmap;               /* randomized offset */
59550 +       unsigned long delta_stack;              /* randomized offset */
59551 +#endif
59552 +
59553  };
59554  
59555  static inline void mm_init_cpumask(struct mm_struct *mm)
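Review bot: The new `delta_mmap` and `delta_stack` fields on lines 59552–59553 are the per-process ASLR offsets, and their comment should flag them as sensitive: any path that prints or copies `mm_struct` (procfs, core dumps, debug output) must not expose them, since knowing the offsets undoes the randomisation, e.g. `/* randomized offset; secret, never expose to userspace */`. `pax_flags` on line 59540 has no comment at all; stating who sets it (presumably the ELF loader) and that the four-way `#if` on line 59539 must match every reader site would help maintainers. `vm_mirror` on line 59530 follows the existing comment style and is fine.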
59556 diff -urNp linux-3.1.1/include/linux/mmu_notifier.h linux-3.1.1/include/linux/mmu_notifier.h
59557 --- linux-3.1.1/include/linux/mmu_notifier.h    2011-11-11 15:19:27.000000000 -0500
59558 +++ linux-3.1.1/include/linux/mmu_notifier.h    2011-11-16 18:39:08.000000000 -0500
59559 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
59560   */
59561  #define ptep_clear_flush_notify(__vma, __address, __ptep)              \
59562  ({                                                                     \
59563 -       pte_t __pte;                                                    \
59564 +       pte_t ___pte;                                                   \
59565         struct vm_area_struct *___vma = __vma;                          \
59566         unsigned long ___address = __address;                           \
59567 -       __pte = ptep_clear_flush(___vma, ___address, __ptep);           \
59568 +       ___pte = ptep_clear_flush(___vma, ___address, __ptep);          \
59569         mmu_notifier_invalidate_page(___vma->vm_mm, ___address);        \
59570 -       __pte;                                                          \
59571 +       ___pte;                                                         \
59572  })
59573  
59574  #define pmdp_clear_flush_notify(__vma, __address, __pmdp)              \
59575 diff -urNp linux-3.1.1/include/linux/mmzone.h linux-3.1.1/include/linux/mmzone.h
59576 --- linux-3.1.1/include/linux/mmzone.h  2011-11-11 15:19:27.000000000 -0500
59577 +++ linux-3.1.1/include/linux/mmzone.h  2011-11-16 18:39:08.000000000 -0500
59578 @@ -356,7 +356,7 @@ struct zone {
59579         unsigned long           flags;             /* zone flags, see below */
59580  
59581         /* Zone statistics */
59582 -       atomic_long_t           vm_stat[NR_VM_ZONE_STAT_ITEMS];
59583 +       atomic_long_unchecked_t         vm_stat[NR_VM_ZONE_STAT_ITEMS];
59584  
59585         /*
59586          * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
59587 diff -urNp linux-3.1.1/include/linux/mod_devicetable.h linux-3.1.1/include/linux/mod_devicetable.h
59588 --- linux-3.1.1/include/linux/mod_devicetable.h 2011-11-11 15:19:27.000000000 -0500
59589 +++ linux-3.1.1/include/linux/mod_devicetable.h 2011-11-16 18:39:08.000000000 -0500
59590 @@ -12,7 +12,7 @@
59591  typedef unsigned long kernel_ulong_t;
59592  #endif
59593  
59594 -#define PCI_ANY_ID (~0)
59595 +#define PCI_ANY_ID ((__u16)~0)
59596  
59597  struct pci_device_id {
59598         __u32 vendor, device;           /* Vendor and device ID or PCI_ANY_ID*/
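Review bot: The `(__u16)` cast changes the wildcard that ends up in the `__u32 vendor, device` fields of `struct pci_device_id` from 0xFFFFFFFF to 0x0000FFFF, so anything that still spells the wildcard as `~0` or `-1` — a hard-coded comparison, or a device table compiled against the old header — may stop matching with no compiler diagnostic. The two hunks in this file also encode the same idea differently: `((__u16)~0)` here versus `(~0U)` for `HID_ANY_ID` in the next hunk, which keeps the all-ones pattern. If the goal is only to avoid the signed `-1` sentinel, `(~0U)` is the lower-risk spelling for both; if a 16-bit value is intended, say so on the field, e.g. `/* Vendor and device ID, or PCI_ANY_ID (0xFFFF, not all-ones) */`.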
59599 @@ -131,7 +131,7 @@ struct usb_device_id {
59600  #define USB_DEVICE_ID_MATCH_INT_SUBCLASS       0x0100
59601  #define USB_DEVICE_ID_MATCH_INT_PROTOCOL       0x0200
59602  
59603 -#define HID_ANY_ID                             (~0)
59604 +#define HID_ANY_ID                             (~0U)
59605  
59606  struct hid_device_id {
59607         __u16 bus;
59608 diff -urNp linux-3.1.1/include/linux/module.h linux-3.1.1/include/linux/module.h
59609 --- linux-3.1.1/include/linux/module.h  2011-11-11 15:19:27.000000000 -0500
59610 +++ linux-3.1.1/include/linux/module.h  2011-11-16 18:39:08.000000000 -0500
59611 @@ -16,6 +16,7 @@
59612  #include <linux/kobject.h>
59613  #include <linux/moduleparam.h>
59614  #include <linux/tracepoint.h>
59615 +#include <linux/fs.h>
59616  
59617  #include <linux/percpu.h>
59618  #include <asm/module.h>
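Review bot: Pulling `<linux/fs.h>` into `module.h`, a header almost every translation unit sees, is a heavy include whose only visible consumer is the four `struct file_operations` embedded by value in `struct module` in the hunk at `@@ -395,6 +393,10 @@`. If those were pointers, the forward declaration `struct file_operations;` would suffice and each loaded module would not carry four full operation tables; if the per-module copies are required by other parts of this patch, a comment at the new fields should say why. Either way the added include deserves a one-line justification where it is added.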
59619 @@ -327,19 +328,16 @@ struct module
59620         int (*init)(void);
59621  
59622         /* If this is non-NULL, vfree after init() returns */
59623 -       void *module_init;
59624 +       void *module_init_rx, *module_init_rw;
59625  
59626         /* Here is the actual code + data, vfree'd on unload. */
59627 -       void *module_core;
59628 +       void *module_core_rx, *module_core_rw;
59629  
59630         /* Here are the sizes of the init and core sections */
59631 -       unsigned int init_size, core_size;
59632 +       unsigned int init_size_rw, core_size_rw;
59633  
59634         /* The size of the executable code in each section.  */
59635 -       unsigned int init_text_size, core_text_size;
59636 -
59637 -       /* Size of RO sections of the module (text+rodata) */
59638 -       unsigned int init_ro_size, core_ro_size;
59639 +       unsigned int init_size_rx, core_size_rx;
59640  
59641         /* Arch-specific module values */
59642         struct mod_arch_specific arch;
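Review bot: The comments in this hunk still describe the fields they used to sit above and no longer match the new pairs: "If this is non-NULL, vfree after init() returns" now heads two pointers (`module_init_rx`, `module_init_rw`), "Here are the sizes of the init and core sections" now sits above only the `_rw` sizes, and "The size of the executable code in each section" labels `init_size_rx`/`core_size_rx`, which, given that the separate `init_ro_size`/`core_ro_size` fields were removed, presumably also cover rodata. Each comment should name the region it describes, e.g. `/* RX (text, presumably rodata too) and RW (data/bss) parts of the init section; both vfree'd after init() */`, with matching wording for the core pointers and the size fields. It is also worth confirming in the commit message where rodata is placed now that the RO sizes are gone.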
59643 @@ -395,6 +393,10 @@ struct module
59644  #ifdef CONFIG_EVENT_TRACING
59645         struct ftrace_event_call **trace_events;
59646         unsigned int num_trace_events;
59647 +       struct file_operations trace_id;
59648 +       struct file_operations trace_enable;
59649 +       struct file_operations trace_format;
59650 +       struct file_operations trace_filter;
59651  #endif
59652  #ifdef CONFIG_FTRACE_MCOUNT_RECORD
59653         unsigned int num_ftrace_callsites;
59654 @@ -445,16 +447,46 @@ bool is_module_address(unsigned long add
59655  bool is_module_percpu_address(unsigned long addr);
59656  bool is_module_text_address(unsigned long addr);
59657  
59658 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
59659 +{
59660 +
59661 +#ifdef CONFIG_PAX_KERNEXEC
59662 +       if (ktla_ktva(addr) >= (unsigned long)start &&
59663 +           ktla_ktva(addr) < (unsigned long)start + size)
59664 +               return 1;
59665 +#endif
59666 +
59667 +       return ((void *)addr >= start && (void *)addr < start + size);
59668 +}
59669 +
59670 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
59671 +{
59672 +       return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
59673 +}
59674 +
59675 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
59676 +{
59677 +       return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
59678 +}
59679 +
59680 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
59681 +{
59682 +       return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
59683 +}
59684 +
59685 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
59686 +{
59687 +       return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
59688 +}
59689 +
59690  static inline int within_module_core(unsigned long addr, struct module *mod)
59691  {
59692 -       return (unsigned long)mod->module_core <= addr &&
59693 -              addr < (unsigned long)mod->module_core + mod->core_size;
59694 +       return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
59695  }
59696  
59697  static inline int within_module_init(unsigned long addr, struct module *mod)
59698  {
59699 -       return (unsigned long)mod->module_init <= addr &&
59700 -              addr < (unsigned long)mod->module_init + mod->init_size;
59701 +       return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
59702  }
59703  
59704  /* Search for module by name: must hold module_mutex. */
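Review bot: `within_module_range` mixes pointer and integer arithmetic: `start + size` is arithmetic on `void *` (a GNU extension) and the comparisons cast `addr` to a pointer, while the `CONFIG_PAX_KERNEXEC` branch compares integers; doing everything on `unsigned long` removes the extension, evaluates `ktla_ktva()` once instead of twice, and drops the stray blank line after the opening brace. Note also that with `CONFIG_PAX_KERNEXEC` both the translated address and the raw one are accepted, since the function falls through to the unconverted check after the `#endif`; if only the translated form should match, that fall-through is a defect, otherwise a comment saying both forms are valid would help. `start` is only read and can be `const void *`.

```c
static inline int within_module_range(unsigned long addr, const void *start, unsigned long size)
{
	unsigned long base = (unsigned long)start;

#ifdef CONFIG_PAX_KERNEXEC
	unsigned long kaddr = ktla_ktva(addr);

	/* also accept the ktla_ktva() translation of addr — confirm this is intended */
	if (kaddr >= base && kaddr < base + size)
		return 1;
#endif

	return addr >= base && addr < base + size;
}
```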
59705 diff -urNp linux-3.1.1/include/linux/moduleloader.h linux-3.1.1/include/linux/moduleloader.h
59706 --- linux-3.1.1/include/linux/moduleloader.h    2011-11-11 15:19:27.000000000 -0500
59707 +++ linux-3.1.1/include/linux/moduleloader.h    2011-11-16 18:39:08.000000000 -0500
59708 @@ -25,9 +25,21 @@ unsigned int arch_mod_section_prepend(st
59709     sections.  Returns NULL on failure. */
59710  void *module_alloc(unsigned long size);
59711  
59712 +#ifdef CONFIG_PAX_KERNEXEC
59713 +void *module_alloc_exec(unsigned long size);
59714 +#else
59715 +#define module_alloc_exec(x) module_alloc(x)
59716 +#endif
59717 +
59718  /* Free memory returned from module_alloc. */
59719  void module_free(struct module *mod, void *module_region);
59720  
59721 +#ifdef CONFIG_PAX_KERNEXEC
59722 +void module_free_exec(struct module *mod, void *module_region);
59723 +#else
59724 +#define module_free_exec(x, y) module_free((x), (y))
59725 +#endif
59726 +
59727  /* Apply the given relocation to the (simplified) ELF.  Return -error
59728     or 0. */
59729  int apply_relocate(Elf_Shdr *sechdrs,
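Review bot: The new `module_alloc_exec`/`module_free_exec` declarations inherit no documentation: the comment above `module_alloc` ("Returns NULL on failure") and the one above `module_free` do not say that the `_exec` variants are the allocator for the executable part of a module, nor that without `CONFIG_PAX_KERNEXEC` they collapse to the plain ones. Add a comment on each block, e.g. `/* Allocate memory for module code (RX); same as module_alloc() unless CONFIG_PAX_KERNEXEC separates the two. */` and `/* Free memory returned from module_alloc_exec(). */`. The macro fallbacks work, though a `static inline` wrapper would give callers the same type checking under both configurations.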
59730 diff -urNp linux-3.1.1/include/linux/moduleparam.h linux-3.1.1/include/linux/moduleparam.h
59731 --- linux-3.1.1/include/linux/moduleparam.h     2011-11-11 15:19:27.000000000 -0500
59732 +++ linux-3.1.1/include/linux/moduleparam.h     2011-11-16 18:39:08.000000000 -0500
59733 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
59734   * @len is usually just sizeof(string).
59735   */
59736  #define module_param_string(name, string, len, perm)                   \
59737 -       static const struct kparam_string __param_string_##name         \
59738 +       static const struct kparam_string __param_string_##name __used  \
59739                 = { len, string };                                      \
59740         __module_param_call(MODULE_PARAM_PREFIX, name,                  \
59741                             &param_ops_string,                          \
59742 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
59743   * module_param_named() for why this might be necessary.
59744   */
59745  #define module_param_array_named(name, array, type, nump, perm)                \
59746 -       static const struct kparam_array __param_arr_##name             \
59747 +       static const struct kparam_array __param_arr_##name __used      \
59748         = { .max = ARRAY_SIZE(array), .num = nump,                      \
59749             .ops = &param_ops_##type,                                   \
59750             .elemsize = sizeof(array[0]), .elem = array };              \
59751 diff -urNp linux-3.1.1/include/linux/namei.h linux-3.1.1/include/linux/namei.h
59752 --- linux-3.1.1/include/linux/namei.h   2011-11-11 15:19:27.000000000 -0500
59753 +++ linux-3.1.1/include/linux/namei.h   2011-11-16 18:39:08.000000000 -0500
59754 @@ -24,7 +24,7 @@ struct nameidata {
59755         unsigned        seq;
59756         int             last_type;
59757         unsigned        depth;
59758 -       char *saved_names[MAX_NESTED_LINKS + 1];
59759 +       const char *saved_names[MAX_NESTED_LINKS + 1];
59760  
59761         /* Intent data */
59762         union {
59763 @@ -94,12 +94,12 @@ extern int follow_up(struct path *);
59764  extern struct dentry *lock_rename(struct dentry *, struct dentry *);
59765  extern void unlock_rename(struct dentry *, struct dentry *);
59766  
59767 -static inline void nd_set_link(struct nameidata *nd, char *path)
59768 +static inline void nd_set_link(struct nameidata *nd, const char *path)
59769  {
59770         nd->saved_names[nd->depth] = path;
59771  }
59772  
59773 -static inline char *nd_get_link(struct nameidata *nd)
59774 +static inline const char *nd_get_link(const struct nameidata *nd)
59775  {
59776         return nd->saved_names[nd->depth];
59777  }
59778 diff -urNp linux-3.1.1/include/linux/netdevice.h linux-3.1.1/include/linux/netdevice.h
59779 --- linux-3.1.1/include/linux/netdevice.h       2011-11-11 15:19:27.000000000 -0500
59780 +++ linux-3.1.1/include/linux/netdevice.h       2011-11-16 18:39:08.000000000 -0500
59781 @@ -944,6 +944,7 @@ struct net_device_ops {
59782         int                     (*ndo_set_features)(struct net_device *dev,
59783                                                     u32 features);
59784  };
59785 +typedef struct net_device_ops __no_const net_device_ops_no_const;
59786  
59787  /*
59788   *     The DEVICE structure.
59789 diff -urNp linux-3.1.1/include/linux/netfilter/xt_gradm.h linux-3.1.1/include/linux/netfilter/xt_gradm.h
59790 --- linux-3.1.1/include/linux/netfilter/xt_gradm.h      1969-12-31 19:00:00.000000000 -0500
59791 +++ linux-3.1.1/include/linux/netfilter/xt_gradm.h      2011-11-16 18:40:31.000000000 -0500
59792 @@ -0,0 +1,9 @@
59793 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
59794 +#define _LINUX_NETFILTER_XT_GRADM_H 1
59795 +
59796 +struct xt_gradm_mtinfo {
59797 +       __u16 flags;
59798 +       __u16 invflags;
59799 +};
59800 +
59801 +#endif
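Review bot: The new header uses `__u16` but includes nothing, so it compiles only when the includer has already pulled in `<linux/types.h>`; add `#include <linux/types.h>` after the guard so the header stands on its own. Its placement under `include/linux/netfilter/` next to the other xtables match structures suggests `struct xt_gradm_mtinfo` is copied in from userspace by iptables; if so, a short comment stating that, and where the `flags`/`invflags` bit values are defined (none appear here), would help readers. The guard value `1` is harmless but unusual for this directory's headers.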
59802 diff -urNp linux-3.1.1/include/linux/of_pdt.h linux-3.1.1/include/linux/of_pdt.h
59803 --- linux-3.1.1/include/linux/of_pdt.h  2011-11-11 15:19:27.000000000 -0500
59804 +++ linux-3.1.1/include/linux/of_pdt.h  2011-11-16 18:39:08.000000000 -0500
59805 @@ -32,7 +32,7 @@ struct of_pdt_ops {
59806  
59807         /* return 0 on success; fill in 'len' with number of bytes in path */
59808         int (*pkg2path)(phandle node, char *buf, const int buflen, int *len);
59809 -};
59810 +} __no_const;
59811  
59812  extern void *prom_early_alloc(unsigned long size);
59813  
59814 diff -urNp linux-3.1.1/include/linux/oprofile.h linux-3.1.1/include/linux/oprofile.h
59815 --- linux-3.1.1/include/linux/oprofile.h        2011-11-11 15:19:27.000000000 -0500
59816 +++ linux-3.1.1/include/linux/oprofile.h        2011-11-16 18:39:08.000000000 -0500
59817 @@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super
59818  int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
59819         char const * name, ulong * val);
59820   
59821 -/** Create a file for read-only access to an atomic_t. */
59822 +/** Create a file for read-only access to an atomic_unchecked_t. */
59823  int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
59824 -       char const * name, atomic_t * val);
59825 +       char const * name, atomic_unchecked_t * val);
59826   
59827  /** create a directory */
59828  struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
59829 diff -urNp linux-3.1.1/include/linux/padata.h linux-3.1.1/include/linux/padata.h
59830 --- linux-3.1.1/include/linux/padata.h  2011-11-11 15:19:27.000000000 -0500
59831 +++ linux-3.1.1/include/linux/padata.h  2011-11-16 18:39:08.000000000 -0500
59832 @@ -129,7 +129,7 @@ struct parallel_data {
59833         struct padata_instance          *pinst;
59834         struct padata_parallel_queue    __percpu *pqueue;
59835         struct padata_serial_queue      __percpu *squeue;
59836 -       atomic_t                        seq_nr;
59837 +       atomic_unchecked_t              seq_nr;
59838         atomic_t                        reorder_objects;
59839         atomic_t                        refcnt;
59840         unsigned int                    max_seq_nr;
59841 diff -urNp linux-3.1.1/include/linux/perf_event.h linux-3.1.1/include/linux/perf_event.h
59842 --- linux-3.1.1/include/linux/perf_event.h      2011-11-11 15:19:27.000000000 -0500
59843 +++ linux-3.1.1/include/linux/perf_event.h      2011-11-16 18:39:08.000000000 -0500
59844 @@ -745,8 +745,8 @@ struct perf_event {
59845  
59846         enum perf_event_active_state    state;
59847         unsigned int                    attach_state;
59848 -       local64_t                       count;
59849 -       atomic64_t                      child_count;
59850 +       local64_t                       count; /* PaX: fix it one day */
59851 +       atomic64_unchecked_t            child_count;
59852  
59853         /*
59854          * These are the total time in nanoseconds that the event
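Review bot: `/* PaX: fix it one day */` on `count` tells the reader neither what is wrong nor what "fixing" means; if the reason is that `local64_t` has no `_unchecked` variant while the neighbouring `atomic64_t` fields could be converted, write that down, e.g. `/* PaX: no local64_unchecked_t exists, so this counter keeps the default type; revisit */`. The conversions to `atomic64_unchecked_t` in this hunk and in the one at `@@ -797,8 +797,8 @@` also deserve one comment on the first of them saying these are event counters that are allowed to wrap, which, as the name suggests, is the property the `_unchecked` type is not checked for.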
59855 @@ -797,8 +797,8 @@ struct perf_event {
59856          * These accumulate total time (in nanoseconds) that children
59857          * events have been enabled and running, respectively.
59858          */
59859 -       atomic64_t                      child_total_time_enabled;
59860 -       atomic64_t                      child_total_time_running;
59861 +       atomic64_unchecked_t            child_total_time_enabled;
59862 +       atomic64_unchecked_t            child_total_time_running;
59863  
59864         /*
59865          * Protect attach/detach and child_list:
59866 diff -urNp linux-3.1.1/include/linux/pipe_fs_i.h linux-3.1.1/include/linux/pipe_fs_i.h
59867 --- linux-3.1.1/include/linux/pipe_fs_i.h       2011-11-11 15:19:27.000000000 -0500
59868 +++ linux-3.1.1/include/linux/pipe_fs_i.h       2011-11-16 18:39:08.000000000 -0500
59869 @@ -46,9 +46,9 @@ struct pipe_buffer {
59870  struct pipe_inode_info {
59871         wait_queue_head_t wait;
59872         unsigned int nrbufs, curbuf, buffers;
59873 -       unsigned int readers;
59874 -       unsigned int writers;
59875 -       unsigned int waiting_writers;
59876 +       atomic_t readers;
59877 +       atomic_t writers;
59878 +       atomic_t waiting_writers;
59879         unsigned int r_counter;
59880         unsigned int w_counter;
59881         struct page *tmp_page;
59882 diff -urNp linux-3.1.1/include/linux/pm_runtime.h linux-3.1.1/include/linux/pm_runtime.h
59883 --- linux-3.1.1/include/linux/pm_runtime.h      2011-11-11 15:19:27.000000000 -0500
59884 +++ linux-3.1.1/include/linux/pm_runtime.h      2011-11-16 18:39:08.000000000 -0500
59885 @@ -99,7 +99,7 @@ static inline bool pm_runtime_callbacks_
59886  
59887  static inline void pm_runtime_mark_last_busy(struct device *dev)
59888  {
59889 -       ACCESS_ONCE(dev->power.last_busy) = jiffies;
59890 +       ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
59891  }
59892  
59893  #else /* !CONFIG_PM_RUNTIME */
59894 diff -urNp linux-3.1.1/include/linux/poison.h linux-3.1.1/include/linux/poison.h
59895 --- linux-3.1.1/include/linux/poison.h  2011-11-11 15:19:27.000000000 -0500
59896 +++ linux-3.1.1/include/linux/poison.h  2011-11-16 18:39:08.000000000 -0500
59897 @@ -19,8 +19,8 @@
59898   * under normal circumstances, used to verify that nobody uses
59899   * non-initialized list entries.
59900   */
59901 -#define LIST_POISON1  ((void *) 0x00100100 + POISON_POINTER_DELTA)
59902 -#define LIST_POISON2  ((void *) 0x00200200 + POISON_POINTER_DELTA)
59903 +#define LIST_POISON1  ((void *) (long)0xFFFFFF01)
59904 +#define LIST_POISON2  ((void *) (long)0xFFFFFF02)
59905  
59906  /********** include/linux/timer.h **********/
59907  /*
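Review bot: The new `LIST_POISON1`/`LIST_POISON2` drop `POISON_POINTER_DELTA`, the architecture-provided offset mainline uses to move poison pointers into an unmapped region, and hard-code one value for every architecture, so an arch that sets a non-zero delta is now silently ignored. The reasoning behind `0xFFFFFF01`/`0xFFFFFF02` (sign-extended through `(long)` to the top of the kernel address range on 64-bit, the last page of the address space on 32-bit) belongs in a comment, e.g. `/* PaX: keep poison pointers at the top of kernel space, where no user mapping can make them dereferenceable, instead of relying on POISON_POINTER_DELTA */`. The comment should also state the assumption that those pages are never mapped on the supported architectures, since nothing here checks it.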
59908 diff -urNp linux-3.1.1/include/linux/preempt.h linux-3.1.1/include/linux/preempt.h
59909 --- linux-3.1.1/include/linux/preempt.h 2011-11-11 15:19:27.000000000 -0500
59910 +++ linux-3.1.1/include/linux/preempt.h 2011-11-16 18:39:08.000000000 -0500
59911 @@ -123,7 +123,7 @@ struct preempt_ops {
59912         void (*sched_in)(struct preempt_notifier *notifier, int cpu);
59913         void (*sched_out)(struct preempt_notifier *notifier,
59914                           struct task_struct *next);
59915 -};
59916 +} __no_const;
59917  
59918  /**
59919   * preempt_notifier - key for installing preemption notifiers
59920 diff -urNp linux-3.1.1/include/linux/proc_fs.h linux-3.1.1/include/linux/proc_fs.h
59921 --- linux-3.1.1/include/linux/proc_fs.h 2011-11-11 15:19:27.000000000 -0500
59922 +++ linux-3.1.1/include/linux/proc_fs.h 2011-11-16 18:40:31.000000000 -0500
59923 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
59924         return proc_create_data(name, mode, parent, proc_fops, NULL);
59925  }
59926  
59927 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
59928 +       struct proc_dir_entry *parent, const struct file_operations *proc_fops)
59929 +{
59930 +#ifdef CONFIG_GRKERNSEC_PROC_USER
59931 +       return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
59932 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
59933 +       return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
59934 +#else
59935 +       return proc_create_data(name, mode, parent, proc_fops, NULL);
59936 +#endif
59937 +}
59938 +       
59939 +
59940  static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
59941         mode_t mode, struct proc_dir_entry *base, 
59942         read_proc_t *read_proc, void * data)
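Review bot: The added block ends with a whitespace-only line (`+       `) followed by a second blank line; one blank line is enough and the trailing whitespace will trip checkpatch. `proc_create_grsec` also silently ignores the caller's `mode` under `CONFIG_GRKERNSEC_PROC_USER` and `CONFIG_GRKERNSEC_PROC_USERGROUP`, which is the point of the helper but should be stated, e.g. `/* proc_create() variant whose mode is tightened to S_IRUSR (PROC_USER) or S_IRUSR|S_IRGRP (PROC_USERGROUP); the requested mode is used only when neither is set. */`. For the group variant the entry's gid presumably has to be adjusted elsewhere for `S_IRGRP` to mean anything, which is worth a cross-reference in the same comment.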
59943 @@ -278,7 +291,7 @@ union proc_op {
59944         int (*proc_vs_read)(char *page);
59945         int (*proc_vxi_read)(struct vx_info *vxi, char *page);
59946         int (*proc_nxi_read)(struct nx_info *nxi, char *page);
59947 -};
59948 +} __no_const;
59949  
59950  struct ctl_table_header;
59951  struct ctl_table;
59952 diff -urNp linux-3.1.1/include/linux/ptrace.h linux-3.1.1/include/linux/ptrace.h
59953 --- linux-3.1.1/include/linux/ptrace.h  2011-11-11 15:19:27.000000000 -0500
59954 +++ linux-3.1.1/include/linux/ptrace.h  2011-11-16 18:40:31.000000000 -0500
59955 @@ -129,10 +129,10 @@ extern void __ptrace_unlink(struct task_
59956  extern void exit_ptrace(struct task_struct *tracer);
59957  #define PTRACE_MODE_READ   1
59958  #define PTRACE_MODE_ATTACH 2
59959 -/* Returns 0 on success, -errno on denial. */
59960 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
59961  /* Returns true on success, false on denial. */
59962  extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
59963 +/* Returns true on success, false on denial. */
59964 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
59965  
59966  static inline int ptrace_reparented(struct task_struct *child)
59967  {
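Review bot: The comment added for `ptrace_may_access_log` is a verbatim copy of the one on `ptrace_may_access` and does not say what the `_log` variant does differently; presumably it records a denial, so write that, e.g. `/* As ptrace_may_access(), but also logs a denial; same return convention. */`. Dropping the `__ptrace_may_access` declaration means any caller outside kernel/ptrace.c loses its prototype; if the function is made static elsewhere in this patch that is fine, otherwise the removal should be reverted or the callers updated.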
59968 diff -urNp linux-3.1.1/include/linux/random.h linux-3.1.1/include/linux/random.h
59969 --- linux-3.1.1/include/linux/random.h  2011-11-11 15:19:27.000000000 -0500
59970 +++ linux-3.1.1/include/linux/random.h  2011-11-16 18:39:08.000000000 -0500
59971 @@ -69,12 +69,17 @@ void srandom32(u32 seed);
59972  
59973  u32 prandom32(struct rnd_state *);
59974  
59975 +static inline unsigned long pax_get_random_long(void)
59976 +{
59977 +       return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
59978 +}
59979 +
59980  /*
59981   * Handle minimum values for seeds
59982   */
59983  static inline u32 __seed(u32 x, u32 m)
59984  {
59985 -       return (x < m) ? x + m : x;
59986 +       return (x <= m) ? x + m + 1 : x;
59987  }
59988  
59989  /**
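Review bot: In `pax_get_random_long`, `(unsigned long)random32() << 32` shifts by the full width of `unsigned long` on 32-bit targets; the arm is dead at run time because `sizeof(long) > 4` is constant, but it is still compiled, is undefined behaviour by the language, and GCC warns about it. Select the wide form at preprocessor level instead (rewrite below). Separately, `random32()` is the Tausworthe PRNG rather than the entropy-pool generator and is not designed to resist prediction; if this value feeds address-space layout decisions, as the name suggests, `get_random_int()` is the appropriate source.

```c
static inline unsigned long pax_get_random_long(void)
{
#if BITS_PER_LONG == 64
	return random32() | ((unsigned long)random32() << 32);
#else
	return random32();
#endif
}
```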
59990 diff -urNp linux-3.1.1/include/linux/reboot.h linux-3.1.1/include/linux/reboot.h
59991 --- linux-3.1.1/include/linux/reboot.h  2011-11-11 15:19:27.000000000 -0500
59992 +++ linux-3.1.1/include/linux/reboot.h  2011-11-16 18:39:08.000000000 -0500
59993 @@ -52,9 +52,9 @@ extern int unregister_reboot_notifier(st
59994   * Architecture-specific implementations of sys_reboot commands.
59995   */
59996  
59997 -extern void machine_restart(char *cmd);
59998 -extern void machine_halt(void);
59999 -extern void machine_power_off(void);
60000 +extern void machine_restart(char *cmd) __noreturn;
60001 +extern void machine_halt(void) __noreturn;
60002 +extern void machine_power_off(void) __noreturn;
60003  
60004  extern void machine_shutdown(void);
60005  struct pt_regs;
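Review bot: Adding `__noreturn` to the `machine_*` declarations is a promise about every architecture's definition, not a hint: if any implementation can fall off the end (do-nothing stubs have existed for some arches), every caller compiled against this header continues into undefined behaviour after the call. The definitions should carry the same attribute and end in an explicit infinite loop or `BUG()`, and the commit should say that all architectures were checked; the same applies to the `kernel_*` hunk at `@@ -65,9 +65,9 @@` and to `emergency_restart` at `@@ -81,7 +81,7 @@`.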
60006 @@ -65,9 +65,9 @@ extern void machine_crash_shutdown(struc
60007   */
60008  
60009  extern void kernel_restart_prepare(char *cmd);
60010 -extern void kernel_restart(char *cmd);
60011 -extern void kernel_halt(void);
60012 -extern void kernel_power_off(void);
60013 +extern void kernel_restart(char *cmd) __noreturn;
60014 +extern void kernel_halt(void) __noreturn;
60015 +extern void kernel_power_off(void) __noreturn;
60016  
60017  extern int C_A_D; /* for sysctl */
60018  void ctrl_alt_del(void);
60019 @@ -81,7 +81,7 @@ extern int orderly_poweroff(bool force);
60020   * Emergency restart, callable from an interrupt handler.
60021   */
60022  
60023 -extern void emergency_restart(void);
60024 +extern void emergency_restart(void) __noreturn;
60025  #include <asm/emergency-restart.h>
60026  
60027  #endif
60028 diff -urNp linux-3.1.1/include/linux/reiserfs_fs.h linux-3.1.1/include/linux/reiserfs_fs.h
60029 --- linux-3.1.1/include/linux/reiserfs_fs.h     2011-11-11 15:19:27.000000000 -0500
60030 +++ linux-3.1.1/include/linux/reiserfs_fs.h     2011-11-16 18:39:08.000000000 -0500
60031 @@ -1406,7 +1406,7 @@ static inline loff_t max_reiserfs_offset
60032  #define REISERFS_USER_MEM              1       /* reiserfs user memory mode            */
60033  
60034  #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
60035 -#define get_generation(s) atomic_read (&fs_generation(s))
60036 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
60037  #define FILESYSTEM_CHANGED_TB(tb)  (get_generation((tb)->tb_sb) != (tb)->fs_gen)
60038  #define __fs_changed(gen,s) (gen != get_generation (s))
60039  #define fs_changed(gen,s)              \
60040 diff -urNp linux-3.1.1/include/linux/reiserfs_fs_sb.h linux-3.1.1/include/linux/reiserfs_fs_sb.h
60041 --- linux-3.1.1/include/linux/reiserfs_fs_sb.h  2011-11-11 15:19:27.000000000 -0500
60042 +++ linux-3.1.1/include/linux/reiserfs_fs_sb.h  2011-11-16 18:39:08.000000000 -0500
60043 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
60044         /* Comment? -Hans */
60045         wait_queue_head_t s_wait;
60046         /* To be obsoleted soon by per buffer seals.. -Hans */
60047 -       atomic_t s_generation_counter;  // increased by one every time the
60048 +       atomic_unchecked_t s_generation_counter;        // increased by one every time the
60049         // tree gets re-balanced
60050         unsigned long s_properties;     /* File system properties. Currently holds
60051                                            on-disk FS format */
60052 diff -urNp linux-3.1.1/include/linux/relay.h linux-3.1.1/include/linux/relay.h
60053 --- linux-3.1.1/include/linux/relay.h   2011-11-11 15:19:27.000000000 -0500
60054 +++ linux-3.1.1/include/linux/relay.h   2011-11-16 18:39:08.000000000 -0500
60055 @@ -159,7 +159,7 @@ struct rchan_callbacks
60056          * The callback should return 0 if successful, negative if not.
60057          */
60058         int (*remove_buf_file)(struct dentry *dentry);
60059 -};
60060 +} __no_const;
60061  
60062  /*
60063   * CONFIG_RELAY kernel API, kernel/relay.c
60064 diff -urNp linux-3.1.1/include/linux/rfkill.h linux-3.1.1/include/linux/rfkill.h
60065 --- linux-3.1.1/include/linux/rfkill.h  2011-11-11 15:19:27.000000000 -0500
60066 +++ linux-3.1.1/include/linux/rfkill.h  2011-11-16 18:39:08.000000000 -0500
60067 @@ -147,6 +147,7 @@ struct rfkill_ops {
60068         void    (*query)(struct rfkill *rfkill, void *data);
60069         int     (*set_block)(void *data, bool blocked);
60070  };
60071 +typedef struct rfkill_ops __no_const rfkill_ops_no_const;
60072  
60073  #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
60074  /**
60075 diff -urNp linux-3.1.1/include/linux/rmap.h linux-3.1.1/include/linux/rmap.h
60076 --- linux-3.1.1/include/linux/rmap.h    2011-11-11 15:19:27.000000000 -0500
60077 +++ linux-3.1.1/include/linux/rmap.h    2011-11-16 18:39:08.000000000 -0500
60078 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
60079  void anon_vma_init(void);      /* create anon_vma_cachep */
60080  int  anon_vma_prepare(struct vm_area_struct *);
60081  void unlink_anon_vmas(struct vm_area_struct *);
60082 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
60083 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
60084 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
60085 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
60086  void __anon_vma_link(struct vm_area_struct *);
60087  
60088  static inline void anon_vma_merge(struct vm_area_struct *vma,
60089 diff -urNp linux-3.1.1/include/linux/sched.h linux-3.1.1/include/linux/sched.h
60090 --- linux-3.1.1/include/linux/sched.h   2011-11-11 15:19:27.000000000 -0500
60091 +++ linux-3.1.1/include/linux/sched.h   2011-11-16 18:40:31.000000000 -0500
60092 @@ -100,6 +100,7 @@ struct bio_list;
60093  struct fs_struct;
60094  struct perf_event_context;
60095  struct blk_plug;
60096 +struct linux_binprm;
60097  
60098  /*
60099   * List of flags we want to share for kernel threads,
60100 @@ -380,10 +381,13 @@ struct user_namespace;
60101  #define DEFAULT_MAX_MAP_COUNT  (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
60102  
60103  extern int sysctl_max_map_count;
60104 +extern unsigned long sysctl_heap_stack_gap;
60105  
60106  #include <linux/aio.h>
60107  
60108  #ifdef CONFIG_MMU
60109 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
60110 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
60111  extern void arch_pick_mmap_layout(struct mm_struct *mm);
60112  extern unsigned long
60113  arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
60114 @@ -629,6 +633,17 @@ struct signal_struct {
60115  #ifdef CONFIG_TASKSTATS
60116         struct taskstats *stats;
60117  #endif
60118 +
60119 +#ifdef CONFIG_GRKERNSEC
60120 +       u32 curr_ip;
60121 +       u32 saved_ip;
60122 +       u32 gr_saddr;
60123 +       u32 gr_daddr;
60124 +       u16 gr_sport;
60125 +       u16 gr_dport;
60126 +       u8 used_accept:1;
60127 +#endif
60128 +
60129  #ifdef CONFIG_AUDIT
60130         unsigned audit_tty;
60131         struct tty_audit_buf *tty_audit_buf;
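Review bot: The new `CONFIG_GRKERNSEC` fields in `struct signal_struct` carry no comments, unlike the rest of the structure, so a reader cannot tell what `curr_ip`/`saved_ip` hold (they are 32-bit, so presumably IPv4 only, in an unstated byte order), what the `gr_saddr`/`gr_sport` pairs refer to, or when `used_accept` is set. Add one trailing comment per field in the file's existing style, e.g. `u32 curr_ip; /* IPv4 address the session came from (byte order: confirm) */`, and state the IPv4-only limitation explicitly so it is not mistaken for an oversight.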
60132 @@ -710,6 +725,11 @@ struct user_struct {
60133         struct key *session_keyring;    /* UID's default session keyring */
60134  #endif
60135  
60136 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
60137 +       unsigned int banned;
60138 +       unsigned long ban_expires;
60139 +#endif
60140 +
60141         /* Hash table maintenance information */
60142         struct hlist_node uidhash_node;
60143         uid_t uid;
60144 @@ -1340,8 +1360,8 @@ struct task_struct {
60145         struct list_head thread_group;
60146  
60147         struct completion *vfork_done;          /* for vfork() */
60148 -       int __user *set_child_tid;              /* CLONE_CHILD_SETTID */
60149 -       int __user *clear_child_tid;            /* CLONE_CHILD_CLEARTID */
60150 +       pid_t __user *set_child_tid;            /* CLONE_CHILD_SETTID */
60151 +       pid_t __user *clear_child_tid;          /* CLONE_CHILD_CLEARTID */
60152  
60153         cputime_t utime, stime, utimescaled, stimescaled;
60154         cputime_t gtime;
60155 @@ -1357,13 +1377,6 @@ struct task_struct {
60156         struct task_cputime cputime_expires;
60157         struct list_head cpu_timers[3];
60158  
60159 -/* process credentials */
60160 -       const struct cred __rcu *real_cred; /* objective and real subjective task
60161 -                                        * credentials (COW) */
60162 -       const struct cred __rcu *cred;  /* effective (overridable) subjective task
60163 -                                        * credentials (COW) */
60164 -       struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
60165 -
60166         char comm[TASK_COMM_LEN]; /* executable name excluding path
60167                                      - access with [gs]et_task_comm (which lock
60168                                        it with task_lock())
60169 @@ -1380,8 +1393,16 @@ struct task_struct {
60170  #endif
60171  /* CPU-specific state of this task */
60172         struct thread_struct thread;
60173 +/* thread_info moved to task_struct */
60174 +#ifdef CONFIG_X86
60175 +       struct thread_info tinfo;
60176 +#endif
60177  /* filesystem information */
60178         struct fs_struct *fs;
60179 +
60180 +       const struct cred __rcu *cred;  /* effective (overridable) subjective task
60181 +                                        * credentials (COW) */
60182 +
60183  /* open file information */
60184         struct files_struct *files;
60185  /* namespaces */
60186 @@ -1428,6 +1449,11 @@ struct task_struct {
60187         struct rt_mutex_waiter *pi_blocked_on;
60188  #endif
60189  
60190 +/* process credentials */
60191 +       const struct cred __rcu *real_cred; /* objective and real subjective task
60192 +                                        * credentials (COW) */
60193 +       struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
60194 +
60195  #ifdef CONFIG_DEBUG_MUTEXES
60196         /* mutex deadlock detection */
60197         struct mutex_waiter *blocked_on;
60198 @@ -1537,6 +1563,21 @@ struct task_struct {
60199         unsigned long default_timer_slack_ns;
60200  
60201         struct list_head        *scm_work_list;
60202 +
60203 +#ifdef CONFIG_GRKERNSEC
60204 +       /* grsecurity */
60205 +       struct dentry *gr_chroot_dentry;
60206 +       struct acl_subject_label *acl;
60207 +       struct acl_role_label *role;
60208 +       struct file *exec_file;
60209 +       u16 acl_role_id;
60210 +       /* is this the task that authenticated to the special role */
60211 +       u8 acl_sp_role;
60212 +       u8 is_writable;
60213 +       u8 brute;
60214 +       u8 gr_is_chrooted;
60215 +#endif
60216 +
60217  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
60218         /* Index of current stored address in ret_stack */
60219         int curr_ret_stack;
60220 @@ -1571,6 +1612,57 @@ struct task_struct {
60221  #endif
60222  };
60223  
60224 +#define MF_PAX_PAGEEXEC                0x01000000      /* Paging based non-executable pages */
60225 +#define MF_PAX_EMUTRAMP                0x02000000      /* Emulate trampolines */
60226 +#define MF_PAX_MPROTECT                0x04000000      /* Restrict mprotect() */
60227 +#define MF_PAX_RANDMMAP                0x08000000      /* Randomize mmap() base */
60228 +/*#define MF_PAX_RANDEXEC              0x10000000*/    /* Randomize ET_EXEC base */
60229 +#define MF_PAX_SEGMEXEC                0x20000000      /* Segmentation based non-executable pages */
60230 +
60231 +#ifdef CONFIG_PAX_SOFTMODE
60232 +extern int pax_softmode;
60233 +#endif
60234 +
60235 +extern int pax_check_flags(unsigned long *);
60236 +
60237 +/* if tsk != current then task_lock must be held on it */
60238 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
60239 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
60240 +{
60241 +       if (likely(tsk->mm))
60242 +               return tsk->mm->pax_flags;
60243 +       else
60244 +               return 0UL;
60245 +}
60246 +
60247 +/* if tsk != current then task_lock must be held on it */
60248 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
60249 +{
60250 +       if (likely(tsk->mm)) {
60251 +               tsk->mm->pax_flags = flags;
60252 +               return 0;
60253 +       }
60254 +       return -EINVAL;
60255 +}
60256 +#endif
60257 +
60258 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
60259 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
60260 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
60261 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
60262 +#endif
60263 +
60264 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
60265 +extern void pax_report_insns(struct pt_regs *regs, void *pc, void *sp);
60266 +extern void pax_report_refcount_overflow(struct pt_regs *regs);
60267 +extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
60268 +
60269 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
60270 +extern void pax_track_stack(void);
60271 +#else
60272 +static inline void pax_track_stack(void) {}
60273 +#endif
60274 +
60275  /* Future-safe accessor for struct task_struct's cpus_allowed. */
60276  #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
60277  
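Review bot: `pax_set_flags()` writes its argument straight into `tsk->mm->pax_flags` with no validation, and although `pax_check_flags()` is declared just above it, nothing in the hunk says whether callers are expected to pass flags through it first. If validation is the caller's job, the inline should say so, e.g. `/* stores flags unvalidated; callers run them through pax_check_flags() first (task_lock held if tsk != current) */`. A word on the mm-less case would also help: a kernel thread reads back as 0 from `pax_get_flags()`, which a caller could mistake for "no protections", while the setter reports -EINVAL for the same task.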
60278 @@ -2074,7 +2166,9 @@ void yield(void);
60279  extern struct exec_domain      default_exec_domain;
60280  
60281  union thread_union {
60282 +#ifndef CONFIG_X86
60283         struct thread_info thread_info;
60284 +#endif
60285         unsigned long stack[THREAD_SIZE/sizeof(long)];
60286  };
60287  
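Review bot: The `#ifndef CONFIG_X86` guard drops `thread_info` from `thread_union` on x86 without saying where it lives instead or why, so a reader of sched.h alone cannot tell this from a stray ifdef. Presumably the x86 side of this patch keeps thread_info off the kernel stack, but those arch changes are not in this hunk. A one-line comment on the guard would record the dependency: `/* NOTE(review): x86 keeps thread_info elsewhere under this patch -- see arch/x86; confirm before changing the layout */`.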
60288 @@ -2107,6 +2201,7 @@ extern struct pid_namespace init_pid_ns;
60289   */
60290  
60291  extern struct task_struct *find_task_by_vpid(pid_t nr);
60292 +extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
60293  extern struct task_struct *find_task_by_pid_ns(pid_t nr,
60294                 struct pid_namespace *ns);
60295  
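Review bot: The new `find_task_by_vpid_unrestricted()` declaration says nothing about what restriction it lifts relative to `find_task_by_vpid()`, so a caller has no way to pick the right one, and choosing wrongly is a security decision if the restricted variant applies grsecurity's task-visibility checks (the definition is outside this hunk, so I am inferring that from the name). I would document it on the declaration: `/* NOTE(review): like find_task_by_vpid() but presumably bypasses the grsecurity visibility checks -- for kernel-internal lookups only; confirm against the definition */`.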
60296 @@ -2243,7 +2338,7 @@ extern void __cleanup_sighand(struct sig
60297  extern void exit_itimers(struct signal_struct *);
60298  extern void flush_itimer_signals(void);
60299  
60300 -extern NORET_TYPE void do_group_exit(int);
60301 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
60302  
60303  extern void daemonize(const char *, ...);
60304  extern int allow_signal(int);
60305 @@ -2408,13 +2503,17 @@ static inline unsigned long *end_of_stac
60306  
60307  #endif
60308  
60309 -static inline int object_is_on_stack(void *obj)
60310 +static inline int object_starts_on_stack(void *obj)
60311  {
60312 -       void *stack = task_stack_page(current);
60313 +       const void *stack = task_stack_page(current);
60314  
60315         return (obj >= stack) && (obj < (stack + THREAD_SIZE));
60316  }
60317  
60318 +#ifdef CONFIG_PAX_USERCOPY
60319 +extern int object_is_on_stack(const void *obj, unsigned long len);
60320 +#endif
60321 +
60322  extern void thread_info_cache_init(void);
60323  
60324  #ifdef CONFIG_DEBUG_STACK_USAGE
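Review bot: The rename to `object_starts_on_stack()` is the right call, since the body only tests the first byte of `obj`, but neither that function nor the new length-taking `object_is_on_stack(obj, len)` carries a comment explaining the split, and the one-argument name now means something different from what it did before this patch. A comment on the renamed inline would make the contract explicit: `/* true if obj's first byte lies on current's stack; says nothing about its extent -- use object_is_on_stack(obj, len) for a bounded check */`. Note also that the bounded variant is declared only under CONFIG_PAX_USERCOPY, so any remaining caller of the old one-argument name in a non-USERCOPY build will fail to compile; presumably all callers were updated elsewhere in the patch.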
60325 diff -urNp linux-3.1.1/include/linux/screen_info.h linux-3.1.1/include/linux/screen_info.h
60326 --- linux-3.1.1/include/linux/screen_info.h     2011-11-11 15:19:27.000000000 -0500
60327 +++ linux-3.1.1/include/linux/screen_info.h     2011-11-16 18:39:08.000000000 -0500
60328 @@ -43,7 +43,8 @@ struct screen_info {
60329         __u16 pages;            /* 0x32 */
60330         __u16 vesa_attributes;  /* 0x34 */
60331         __u32 capabilities;     /* 0x36 */
60332 -       __u8  _reserved[6];     /* 0x3a */
60333 +       __u16 vesapm_size;      /* 0x3a */
60334 +       __u8  _reserved[4];     /* 0x3c */
60335  } __attribute__((packed));
60336  
60337  #define VIDEO_TYPE_MDA         0x10    /* Monochrome Text Display      */
60338 diff -urNp linux-3.1.1/include/linux/security.h linux-3.1.1/include/linux/security.h
60339 --- linux-3.1.1/include/linux/security.h        2011-11-11 15:19:27.000000000 -0500
60340 +++ linux-3.1.1/include/linux/security.h        2011-11-16 18:40:31.000000000 -0500
60341 @@ -36,6 +36,7 @@
60342  #include <linux/key.h>
60343  #include <linux/xfrm.h>
60344  #include <linux/slab.h>
60345 +#include <linux/grsecurity.h>
60346  #include <net/flow.h>
60347  
60348  /* Maximum number of letters for an LSM name string */
60349 diff -urNp linux-3.1.1/include/linux/seq_file.h linux-3.1.1/include/linux/seq_file.h
60350 --- linux-3.1.1/include/linux/seq_file.h        2011-11-11 15:19:27.000000000 -0500
60351 +++ linux-3.1.1/include/linux/seq_file.h        2011-11-16 18:39:08.000000000 -0500
60352 @@ -33,6 +33,7 @@ struct seq_operations {
60353         void * (*next) (struct seq_file *m, void *v, loff_t *pos);
60354         int (*show) (struct seq_file *m, void *v);
60355  };
60356 +typedef struct seq_operations __no_const seq_operations_no_const;
60357  
60358  #define SEQ_SKIP 1
60359  
60360 diff -urNp linux-3.1.1/include/linux/shm.h linux-3.1.1/include/linux/shm.h
60361 --- linux-3.1.1/include/linux/shm.h     2011-11-11 15:19:27.000000000 -0500
60362 +++ linux-3.1.1/include/linux/shm.h     2011-11-16 18:59:58.000000000 -0500
60363 @@ -98,6 +98,10 @@ struct shmid_kernel /* private to the ke
60364  
60365         /* The task created the shm object.  NULL if the task is dead. */
60366         struct task_struct      *shm_creator;
60367 +#ifdef CONFIG_GRKERNSEC
60368 +       time_t                  shm_createtime;
60369 +       pid_t                   shm_lapid;
60370 +#endif
60371  };
60372  
60373  /* shm_mode upper byte flags */
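Review bot: The two new fields are the only members of `shmid_kernel` here without a comment, and their names leave open questions: `shm_lapid` is a bare `pid_t`, which is only meaningful relative to a pid namespace, and nothing says which namespace the setter (outside this hunk) records; `shm_createtime` is a `time_t`, which is 32-bit on 32-bit kernels and wraps in 2038. I would document both inline: `time_t shm_createtime; /* creation time in seconds; 32-bit on 32-bit arches */` and `pid_t shm_lapid; /* NOTE(review): presumably the last-attaching pid -- in which pid namespace? confirm against the setter */`.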
60374 diff -urNp linux-3.1.1/include/linux/skbuff.h linux-3.1.1/include/linux/skbuff.h
60375 --- linux-3.1.1/include/linux/skbuff.h  2011-11-11 15:19:27.000000000 -0500
60376 +++ linux-3.1.1/include/linux/skbuff.h  2011-11-16 18:39:08.000000000 -0500
60377 @@ -610,7 +610,7 @@ static inline struct skb_shared_hwtstamp
60378   */
60379  static inline int skb_queue_empty(const struct sk_buff_head *list)
60380  {
60381 -       return list->next == (struct sk_buff *)list;
60382 +       return list->next == (const struct sk_buff *)list;
60383  }
60384  
60385  /**
60386 @@ -623,7 +623,7 @@ static inline int skb_queue_empty(const 
60387  static inline bool skb_queue_is_last(const struct sk_buff_head *list,
60388                                      const struct sk_buff *skb)
60389  {
60390 -       return skb->next == (struct sk_buff *)list;
60391 +       return skb->next == (const struct sk_buff *)list;
60392  }
60393  
60394  /**
60395 @@ -636,7 +636,7 @@ static inline bool skb_queue_is_last(con
60396  static inline bool skb_queue_is_first(const struct sk_buff_head *list,
60397                                       const struct sk_buff *skb)
60398  {
60399 -       return skb->prev == (struct sk_buff *)list;
60400 +       return skb->prev == (const struct sk_buff *)list;
60401  }
60402  
60403  /**
60404 @@ -1458,7 +1458,7 @@ static inline int pskb_network_may_pull(
60405   * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
60406   */
60407  #ifndef NET_SKB_PAD
60408 -#define NET_SKB_PAD    max(32, L1_CACHE_BYTES)
60409 +#define NET_SKB_PAD    max(_AC(32,UL), L1_CACHE_BYTES)
60410  #endif
60411  
60412  extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
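Review bot: `max(_AC(32,UL), L1_CACHE_BYTES)` only passes the kernel's `max()` type check if `L1_CACHE_BYTES` is itself `unsigned long`; upstream defines it as an `int` expression on at least x86, so this line depends on the arch cache.h changes elsewhere in the patch (not visible in this hunk). That dependency is invisible to anyone who later touches either definition. A short comment would pin it down: `/* both operands must be unsigned long: L1_CACHE_BYTES is made _AC(1,UL) << L1_CACHE_SHIFT by this patch */`, adjusted to whatever the arch side actually does.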
60413 diff -urNp linux-3.1.1/include/linux/slab_def.h linux-3.1.1/include/linux/slab_def.h
60414 --- linux-3.1.1/include/linux/slab_def.h        2011-11-11 15:19:27.000000000 -0500
60415 +++ linux-3.1.1/include/linux/slab_def.h        2011-11-16 18:39:08.000000000 -0500
60416 @@ -68,10 +68,10 @@ struct kmem_cache {
60417         unsigned long node_allocs;
60418         unsigned long node_frees;
60419         unsigned long node_overflow;
60420 -       atomic_t allochit;
60421 -       atomic_t allocmiss;
60422 -       atomic_t freehit;
60423 -       atomic_t freemiss;
60424 +       atomic_unchecked_t allochit;
60425 +       atomic_unchecked_t allocmiss;
60426 +       atomic_unchecked_t freehit;
60427 +       atomic_unchecked_t freemiss;
60428  
60429         /*
60430          * If debugging is enabled, then the allocator can add additional
60431 diff -urNp linux-3.1.1/include/linux/slab.h linux-3.1.1/include/linux/slab.h
60432 --- linux-3.1.1/include/linux/slab.h    2011-11-11 15:19:27.000000000 -0500
60433 +++ linux-3.1.1/include/linux/slab.h    2011-11-16 18:39:08.000000000 -0500
60434 @@ -11,12 +11,20 @@
60435  
60436  #include <linux/gfp.h>
60437  #include <linux/types.h>
60438 +#include <linux/err.h>
60439  
60440  /*
60441   * Flags to pass to kmem_cache_create().
60442   * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
60443   */
60444  #define SLAB_DEBUG_FREE                0x00000100UL    /* DEBUG: Perform (expensive) checks on free */
60445 +
60446 +#ifdef CONFIG_PAX_USERCOPY
60447 +#define SLAB_USERCOPY          0x00000200UL    /* PaX: Allow copying objs to/from userland */
60448 +#else
60449 +#define SLAB_USERCOPY          0x00000000UL
60450 +#endif
60451 +
60452  #define SLAB_RED_ZONE          0x00000400UL    /* DEBUG: Red zone objs in a cache */
60453  #define SLAB_POISON            0x00000800UL    /* DEBUG: Poison objects */
60454  #define SLAB_HWCACHE_ALIGN     0x00002000UL    /* Align objs on cache lines */
60455 @@ -87,10 +95,13 @@
60456   * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
60457   * Both make kfree a no-op.
60458   */
60459 -#define ZERO_SIZE_PTR ((void *)16)
60460 +#define ZERO_SIZE_PTR                          \
60461 +({                                             \
60462 +       BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
60463 +       (void *)(-MAX_ERRNO-1L);                \
60464 +})
60465  
60466 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
60467 -                               (unsigned long)ZERO_SIZE_PTR)
60468 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
60469  
60470  /*
60471   * struct kmem_cache related prototypes
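Review bot: The rewritten `ZERO_OR_NULL_PTR()` is now true for NULL, for the new ZERO_SIZE_PTR and for every address above it, which includes the entire ERR_PTR range, so `kfree(ERR_PTR(-E...))` becomes a silent no-op where the old definition let it reach the allocator; nothing in the hunk says whether that is intended or a side effect. The unsigned-wrap trick `(unsigned long)(x) - 1 >= ...` is also non-obvious on first reading. I would put a comment above the macro, e.g. `/* true for NULL, ZERO_SIZE_PTR and anything above it -- i.e. also every ERR_PTR value; kfree() treats all of these as no-ops */`, and drop the last clause if ignoring error pointers is not meant to be relied on.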
60472 @@ -161,6 +172,7 @@ void * __must_check krealloc(const void 
60473  void kfree(const void *);
60474  void kzfree(const void *);
60475  size_t ksize(const void *);
60476 +void check_object_size(const void *ptr, unsigned long n, bool to);
60477  
60478  /*
60479   * Allocator specific definitions. These are mainly used to establish optimized
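Review bot: `check_object_size()` is added to the public slab API without a comment, and the direction encoded by its `bool to` argument cannot be recovered from the declaration (it mirrors `pax_report_usercopy(..., bool to, ...)` elsewhere in the patch, which is equally undocumented). One line would settle it: `/* NOTE(review): PaX usercopy -- verify [ptr, ptr+n) is one object that may be copied to (to=true) or from userland; confirm the direction against the definition */`.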
60480 @@ -353,4 +365,59 @@ static inline void *kzalloc_node(size_t 
60481  
60482  void __init kmem_cache_init_late(void);
60483  
60484 +#define kmalloc(x, y)                                          \
60485 +({                                                             \
60486 +       void *___retval;                                        \
60487 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60488 +       if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))  \
60489 +               ___retval = NULL;                               \
60490 +       else                                                    \
60491 +               ___retval = kmalloc((size_t)___x, (y));         \
60492 +       ___retval;                                              \
60493 +})
60494 +
60495 +#define kmalloc_node(x, y, z)                                  \
60496 +({                                                             \
60497 +       void *___retval;                                        \
60498 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60499 +       if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
60500 +               ___retval = NULL;                               \
60501 +       else                                                    \
60502 +               ___retval = kmalloc_node((size_t)___x, (y), (z));\
60503 +       ___retval;                                              \
60504 +})
60505 +
60506 +#define kzalloc(x, y)                                          \
60507 +({                                                             \
60508 +       void *___retval;                                        \
60509 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60510 +       if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))  \
60511 +               ___retval = NULL;                               \
60512 +       else                                                    \
60513 +               ___retval = kzalloc((size_t)___x, (y));         \
60514 +       ___retval;                                              \
60515 +})
60516 +
60517 +#define __krealloc(x, y, z)                                    \
60518 +({                                                             \
60519 +       void *___retval;                                        \
60520 +       intoverflow_t ___y = (intoverflow_t)y;                  \
60521 +       if (WARN(___y > ULONG_MAX, "__krealloc size overflow\n"))\
60522 +               ___retval = NULL;                               \
60523 +       else                                                    \
60524 +               ___retval = __krealloc((x), (size_t)___y, (z)); \
60525 +       ___retval;                                              \
60526 +})
60527 +
60528 +#define krealloc(x, y, z)                                      \
60529 +({                                                             \
60530 +       void *___retval;                                        \
60531 +       intoverflow_t ___y = (intoverflow_t)y;                  \
60532 +       if (WARN(___y > ULONG_MAX, "krealloc size overflow\n")) \
60533 +               ___retval = NULL;                               \
60534 +       else                                                    \
60535 +               ___retval = krealloc((x), (size_t)___y, (z));   \
60536 +       ___retval;                                              \
60537 +})
60538 +
60539  #endif /* _LINUX_SLAB_H */
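Review bot: In every wrapper the cast `(intoverflow_t)x` is written without parentheses around `x`, which reads like a macro-hygiene slip but appears deliberate: with `kmalloc(n * size, gfp)` the cast binds to `n` alone, so the multiplication is carried out in the wider `intoverflow_t` and the `> ULONG_MAX` test can actually see the overflow, whereas `(intoverflow_t)(n * size)` would be checking a value that already wrapped in `size_t`. The technique is partial, though: it only covers operations that involve the leftmost operand, so `hdr + n * size` still multiplies in `size_t`. Since the next person to "fix" the missing parentheses would silently defeat the check, a comment above the first wrapper is warranted: `/* no parentheses around x on purpose: the cast promotes the leftmost operand so the arithmetic happens in intoverflow_t and the overflow check below sees it */`.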
60540 diff -urNp linux-3.1.1/include/linux/slub_def.h linux-3.1.1/include/linux/slub_def.h
60541 --- linux-3.1.1/include/linux/slub_def.h        2011-11-11 15:19:27.000000000 -0500
60542 +++ linux-3.1.1/include/linux/slub_def.h        2011-11-16 18:39:08.000000000 -0500
60543 @@ -85,7 +85,7 @@ struct kmem_cache {
60544         struct kmem_cache_order_objects max;
60545         struct kmem_cache_order_objects min;
60546         gfp_t allocflags;       /* gfp flags to use on each alloc */
60547 -       int refcount;           /* Refcount for slab cache destroy */
60548 +       atomic_t refcount;      /* Refcount for slab cache destroy */
60549         void (*ctor)(void *);
60550         int inuse;              /* Offset to metadata */
60551         int align;              /* Alignment */
60552 @@ -211,7 +211,7 @@ static __always_inline struct kmem_cache
60553  }
60554  
60555  void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
60556 -void *__kmalloc(size_t size, gfp_t flags);
60557 +void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
60558  
60559  static __always_inline void *
60560  kmalloc_order(size_t size, gfp_t flags, unsigned int order)
60561 diff -urNp linux-3.1.1/include/linux/sonet.h linux-3.1.1/include/linux/sonet.h
60562 --- linux-3.1.1/include/linux/sonet.h   2011-11-11 15:19:27.000000000 -0500
60563 +++ linux-3.1.1/include/linux/sonet.h   2011-11-16 18:39:08.000000000 -0500
60564 @@ -61,7 +61,7 @@ struct sonet_stats {
60565  #include <linux/atomic.h>
60566  
60567  struct k_sonet_stats {
60568 -#define __HANDLE_ITEM(i) atomic_t i
60569 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
60570         __SONET_ITEMS
60571  #undef __HANDLE_ITEM
60572  };
60573 diff -urNp linux-3.1.1/include/linux/sunrpc/clnt.h linux-3.1.1/include/linux/sunrpc/clnt.h
60574 --- linux-3.1.1/include/linux/sunrpc/clnt.h     2011-11-11 15:19:27.000000000 -0500
60575 +++ linux-3.1.1/include/linux/sunrpc/clnt.h     2011-11-16 18:39:08.000000000 -0500
60576 @@ -169,9 +169,9 @@ static inline unsigned short rpc_get_por
60577  {
60578         switch (sap->sa_family) {
60579         case AF_INET:
60580 -               return ntohs(((struct sockaddr_in *)sap)->sin_port);
60581 +               return ntohs(((const struct sockaddr_in *)sap)->sin_port);
60582         case AF_INET6:
60583 -               return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
60584 +               return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
60585         }
60586         return 0;
60587  }
60588 @@ -204,7 +204,7 @@ static inline bool __rpc_cmp_addr4(const
60589  static inline bool __rpc_copy_addr4(struct sockaddr *dst,
60590                                     const struct sockaddr *src)
60591  {
60592 -       const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
60593 +       const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
60594         struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
60595  
60596         dsin->sin_family = ssin->sin_family;
60597 @@ -301,7 +301,7 @@ static inline u32 rpc_get_scope_id(const
60598         if (sa->sa_family != AF_INET6)
60599                 return 0;
60600  
60601 -       return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
60602 +       return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
60603  }
60604  
60605  #endif /* __KERNEL__ */
60606 diff -urNp linux-3.1.1/include/linux/sunrpc/sched.h linux-3.1.1/include/linux/sunrpc/sched.h
60607 --- linux-3.1.1/include/linux/sunrpc/sched.h    2011-11-11 15:19:27.000000000 -0500
60608 +++ linux-3.1.1/include/linux/sunrpc/sched.h    2011-11-16 18:39:08.000000000 -0500
60609 @@ -105,6 +105,7 @@ struct rpc_call_ops {
60610         void (*rpc_call_done)(struct rpc_task *, void *);
60611         void (*rpc_release)(void *);
60612  };
60613 +typedef struct rpc_call_ops __no_const rpc_call_ops_no_const;
60614  
60615  struct rpc_task_setup {
60616         struct rpc_task *task;
60617 diff -urNp linux-3.1.1/include/linux/sunrpc/svc_rdma.h linux-3.1.1/include/linux/sunrpc/svc_rdma.h
60618 --- linux-3.1.1/include/linux/sunrpc/svc_rdma.h 2011-11-11 15:19:27.000000000 -0500
60619 +++ linux-3.1.1/include/linux/sunrpc/svc_rdma.h 2011-11-16 18:39:08.000000000 -0500
60620 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
60621  extern unsigned int svcrdma_max_requests;
60622  extern unsigned int svcrdma_max_req_size;
60623  
60624 -extern atomic_t rdma_stat_recv;
60625 -extern atomic_t rdma_stat_read;
60626 -extern atomic_t rdma_stat_write;
60627 -extern atomic_t rdma_stat_sq_starve;
60628 -extern atomic_t rdma_stat_rq_starve;
60629 -extern atomic_t rdma_stat_rq_poll;
60630 -extern atomic_t rdma_stat_rq_prod;
60631 -extern atomic_t rdma_stat_sq_poll;
60632 -extern atomic_t rdma_stat_sq_prod;
60633 +extern atomic_unchecked_t rdma_stat_recv;
60634 +extern atomic_unchecked_t rdma_stat_read;
60635 +extern atomic_unchecked_t rdma_stat_write;
60636 +extern atomic_unchecked_t rdma_stat_sq_starve;
60637 +extern atomic_unchecked_t rdma_stat_rq_starve;
60638 +extern atomic_unchecked_t rdma_stat_rq_poll;
60639 +extern atomic_unchecked_t rdma_stat_rq_prod;
60640 +extern atomic_unchecked_t rdma_stat_sq_poll;
60641 +extern atomic_unchecked_t rdma_stat_sq_prod;
60642  
60643  #define RPCRDMA_VERSION 1
60644  
60645 diff -urNp linux-3.1.1/include/linux/sysctl.h linux-3.1.1/include/linux/sysctl.h
60646 --- linux-3.1.1/include/linux/sysctl.h  2011-11-11 15:19:27.000000000 -0500
60647 +++ linux-3.1.1/include/linux/sysctl.h  2011-11-16 18:40:31.000000000 -0500
60648 @@ -155,7 +155,11 @@ enum
60649         KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
60650  };
60651  
60652 -
60653 +#ifdef CONFIG_PAX_SOFTMODE
60654 +enum {
60655 +       PAX_SOFTMODE=1          /* PaX: disable/enable soft mode */
60656 +};
60657 +#endif
60658  
60659  /* CTL_VM names: */
60660  enum
60661 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
60662  
60663  extern int proc_dostring(struct ctl_table *, int,
60664                          void __user *, size_t *, loff_t *);
60665 +extern int proc_dostring_modpriv(struct ctl_table *, int,
60666 +                        void __user *, size_t *, loff_t *);
60667  extern int proc_dointvec(struct ctl_table *, int,
60668                          void __user *, size_t *, loff_t *);
60669  extern int proc_dointvec_minmax(struct ctl_table *, int,
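Review bot: `proc_dostring_modpriv()` is added next to `proc_dostring()` with nothing saying what "modpriv" gates, so a sysctl author cannot tell from the header when to use it; the definition is outside this hunk. A comment on the prototype would do: `/* NOTE(review): like proc_dostring(), but presumably writes require module-loading privilege -- confirm against the definition */`.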
60670 diff -urNp linux-3.1.1/include/linux/tty_ldisc.h linux-3.1.1/include/linux/tty_ldisc.h
60671 --- linux-3.1.1/include/linux/tty_ldisc.h       2011-11-11 15:19:27.000000000 -0500
60672 +++ linux-3.1.1/include/linux/tty_ldisc.h       2011-11-16 18:39:08.000000000 -0500
60673 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
60674  
60675         struct  module *owner;
60676         
60677 -       int refcount;
60678 +       atomic_t refcount;
60679  };
60680  
60681  struct tty_ldisc {
60682 diff -urNp linux-3.1.1/include/linux/types.h linux-3.1.1/include/linux/types.h
60683 --- linux-3.1.1/include/linux/types.h   2011-11-11 15:19:27.000000000 -0500
60684 +++ linux-3.1.1/include/linux/types.h   2011-11-16 18:39:08.000000000 -0500
60685 @@ -213,10 +213,26 @@ typedef struct {
60686         int counter;
60687  } atomic_t;
60688  
60689 +#ifdef CONFIG_PAX_REFCOUNT
60690 +typedef struct {
60691 +       int counter;
60692 +} atomic_unchecked_t;
60693 +#else
60694 +typedef atomic_t atomic_unchecked_t;
60695 +#endif
60696 +
60697  #ifdef CONFIG_64BIT
60698  typedef struct {
60699         long counter;
60700  } atomic64_t;
60701 +
60702 +#ifdef CONFIG_PAX_REFCOUNT
60703 +typedef struct {
60704 +       long counter;
60705 +} atomic64_unchecked_t;
60706 +#else
60707 +typedef atomic64_t atomic64_unchecked_t;
60708 +#endif
60709  #endif
60710  
60711  struct list_head {
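Review bot: With CONFIG_PAX_REFCOUNT the new `atomic_unchecked_t`/`atomic64_unchecked_t` are distinct struct types rather than aliases, so the ordinary `atomic_*()` helpers will reject them at compile time and only the `*_unchecked()` variants (used elsewhere in this patch, e.g. `atomic_long_add_unchecked`) accept them; without the option they collapse to plain `atomic_t`. That asymmetry is the whole point, but a reader of types.h sees two identical structs and nothing else. I would comment the typedef: `/* deliberately a distinct type: counters that may legitimately wrap opt out of refcount-overflow checking, and the type mismatch stops them being mixed with checked atomic_t */`.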
60712 diff -urNp linux-3.1.1/include/linux/uaccess.h linux-3.1.1/include/linux/uaccess.h
60713 --- linux-3.1.1/include/linux/uaccess.h 2011-11-11 15:19:27.000000000 -0500
60714 +++ linux-3.1.1/include/linux/uaccess.h 2011-11-16 18:39:08.000000000 -0500
60715 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
60716                 long ret;                               \
60717                 mm_segment_t old_fs = get_fs();         \
60718                                                         \
60719 -               set_fs(KERNEL_DS);                      \
60720                 pagefault_disable();                    \
60721 -               ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval));            \
60722 -               pagefault_enable();                     \
60723 +               set_fs(KERNEL_DS);                      \
60724 +               ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval));              \
60725                 set_fs(old_fs);                         \
60726 +               pagefault_enable();                     \
60727                 ret;                                    \
60728         })
60729  
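Review bot: The reorder moves `set_fs(KERNEL_DS)` to after `pagefault_disable()` and restores the old fs before `pagefault_enable()`, so the window in which the address limit is raised now lies strictly inside the pagefault-disabled region; the hunk gives no hint that this narrowing is the purpose. Since the enclosing macro starts outside this hunk, I would put a one-line comment on the `set_fs(KERNEL_DS)` line: `/* keep the KERNEL_DS window strictly inside the pagefault-disabled region */`.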
60730 diff -urNp linux-3.1.1/include/linux/unaligned/access_ok.h linux-3.1.1/include/linux/unaligned/access_ok.h
60731 --- linux-3.1.1/include/linux/unaligned/access_ok.h     2011-11-11 15:19:27.000000000 -0500
60732 +++ linux-3.1.1/include/linux/unaligned/access_ok.h     2011-11-16 18:39:08.000000000 -0500
60733 @@ -6,32 +6,32 @@
60734  
60735  static inline u16 get_unaligned_le16(const void *p)
60736  {
60737 -       return le16_to_cpup((__le16 *)p);
60738 +       return le16_to_cpup((const __le16 *)p);
60739  }
60740  
60741  static inline u32 get_unaligned_le32(const void *p)
60742  {
60743 -       return le32_to_cpup((__le32 *)p);
60744 +       return le32_to_cpup((const __le32 *)p);
60745  }
60746  
60747  static inline u64 get_unaligned_le64(const void *p)
60748  {
60749 -       return le64_to_cpup((__le64 *)p);
60750 +       return le64_to_cpup((const __le64 *)p);
60751  }
60752  
60753  static inline u16 get_unaligned_be16(const void *p)
60754  {
60755 -       return be16_to_cpup((__be16 *)p);
60756 +       return be16_to_cpup((const __be16 *)p);
60757  }
60758  
60759  static inline u32 get_unaligned_be32(const void *p)
60760  {
60761 -       return be32_to_cpup((__be32 *)p);
60762 +       return be32_to_cpup((const __be32 *)p);
60763  }
60764  
60765  static inline u64 get_unaligned_be64(const void *p)
60766  {
60767 -       return be64_to_cpup((__be64 *)p);
60768 +       return be64_to_cpup((const __be64 *)p);
60769  }
60770  
60771  static inline void put_unaligned_le16(u16 val, void *p)
60772 diff -urNp linux-3.1.1/include/linux/vermagic.h linux-3.1.1/include/linux/vermagic.h
60773 --- linux-3.1.1/include/linux/vermagic.h        2011-11-11 15:19:27.000000000 -0500
60774 +++ linux-3.1.1/include/linux/vermagic.h        2011-11-16 18:54:54.000000000 -0500
60775 @@ -26,9 +26,35 @@
60776  #define MODULE_ARCH_VERMAGIC ""
60777  #endif
60778  
60779 +#ifdef CONFIG_PAX_REFCOUNT
60780 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
60781 +#else
60782 +#define MODULE_PAX_REFCOUNT ""
60783 +#endif
60784 +
60785 +#ifdef CONSTIFY_PLUGIN
60786 +#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
60787 +#else
60788 +#define MODULE_CONSTIFY_PLUGIN ""
60789 +#endif
60790 +
60791 +#ifdef STACKLEAK_PLUGIN
60792 +#define MODULE_STACKLEAK_PLUGIN "STACKLEAK_PLUGIN "
60793 +#else
60794 +#define MODULE_STACKLEAK_PLUGIN ""
60795 +#endif
60796 +
60797 +#ifdef CONFIG_GRKERNSEC
60798 +#define MODULE_GRSEC "GRSEC "
60799 +#else
60800 +#define MODULE_GRSEC ""
60801 +#endif
60802 +
60803  #define VERMAGIC_STRING                                                \
60804         UTS_RELEASE " "                                                 \
60805         MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT                     \
60806         MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS       \
60807 -       MODULE_ARCH_VERMAGIC
60808 +       MODULE_ARCH_VERMAGIC                                            \
60809 +       MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_STACKLEAK_PLUGIN \
60810 +       MODULE_GRSEC
60811  
60812 diff -urNp linux-3.1.1/include/linux/vmalloc.h linux-3.1.1/include/linux/vmalloc.h
60813 --- linux-3.1.1/include/linux/vmalloc.h 2011-11-11 15:19:27.000000000 -0500
60814 +++ linux-3.1.1/include/linux/vmalloc.h 2011-11-16 18:39:08.000000000 -0500
60815 @@ -14,6 +14,11 @@ struct vm_area_struct;               /* vma defining 
60816  #define VM_USERMAP     0x00000008      /* suitable for remap_vmalloc_range */
60817  #define VM_VPAGES      0x00000010      /* buffer for pages was vmalloc'ed */
60818  #define VM_UNLIST      0x00000020      /* vm_struct is not listed in vmlist */
60819 +
60820 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
60821 +#define VM_KERNEXEC    0x00000040      /* allocate from executable kernel memory range */
60822 +#endif
60823 +
60824  /* bits [20..32] reserved for arch specific ioremap internals */
60825  
60826  /*
60827 @@ -156,4 +161,103 @@ pcpu_free_vm_areas(struct vm_struct **vm
60828  # endif
60829  #endif
60830  
60831 +#define vmalloc(x)                                             \
60832 +({                                                             \
60833 +       void *___retval;                                        \
60834 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60835 +       if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n"))  \
60836 +               ___retval = NULL;                               \
60837 +       else                                                    \
60838 +               ___retval = vmalloc((unsigned long)___x);       \
60839 +       ___retval;                                              \
60840 +})
60841 +
60842 +#define vzalloc(x)                                             \
60843 +({                                                             \
60844 +       void *___retval;                                        \
60845 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60846 +       if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n"))  \
60847 +               ___retval = NULL;                               \
60848 +       else                                                    \
60849 +               ___retval = vzalloc((unsigned long)___x);       \
60850 +       ___retval;                                              \
60851 +})
60852 +
60853 +#define __vmalloc(x, y, z)                                     \
60854 +({                                                             \
60855 +       void *___retval;                                        \
60856 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60857 +       if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
60858 +               ___retval = NULL;                               \
60859 +       else                                                    \
60860 +               ___retval = __vmalloc((unsigned long)___x, (y), (z));\
60861 +       ___retval;                                              \
60862 +})
60863 +
60864 +#define vmalloc_user(x)                                                \
60865 +({                                                             \
60866 +       void *___retval;                                        \
60867 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60868 +       if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
60869 +               ___retval = NULL;                               \
60870 +       else                                                    \
60871 +               ___retval = vmalloc_user((unsigned long)___x);  \
60872 +       ___retval;                                              \
60873 +})
60874 +
60875 +#define vmalloc_exec(x)                                                \
60876 +({                                                             \
60877 +       void *___retval;                                        \
60878 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60879 +       if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
60880 +               ___retval = NULL;                               \
60881 +       else                                                    \
60882 +               ___retval = vmalloc_exec((unsigned long)___x);  \
60883 +       ___retval;                                              \
60884 +})
60885 +
60886 +#define vmalloc_node(x, y)                                     \
60887 +({                                                             \
60888 +       void *___retval;                                        \
60889 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60890 +       if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
60891 +               ___retval = NULL;                               \
60892 +       else                                                    \
60893 +               ___retval = vmalloc_node((unsigned long)___x, (y));\
60894 +       ___retval;                                              \
60895 +})
60896 +
60897 +#define vzalloc_node(x, y)                                     \
60898 +({                                                             \
60899 +       void *___retval;                                        \
60900 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60901 +       if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
60902 +               ___retval = NULL;                               \
60903 +       else                                                    \
60904 +               ___retval = vzalloc_node((unsigned long)___x, (y));\
60905 +       ___retval;                                              \
60906 +})
60907 +
60908 +#define vmalloc_32(x)                                          \
60909 +({                                                             \
60910 +       void *___retval;                                        \
60911 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60912 +       if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
60913 +               ___retval = NULL;                               \
60914 +       else                                                    \
60915 +               ___retval = vmalloc_32((unsigned long)___x);    \
60916 +       ___retval;                                              \
60917 +})
60918 +
60919 +#define vmalloc_32_user(x)                                     \
60920 +({                                                             \
60921 +void *___retval;                                       \
60922 +       intoverflow_t ___x = (intoverflow_t)x;                  \
60923 +       if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
60924 +               ___retval = NULL;                               \
60925 +       else                                                    \
60926 +               ___retval = vmalloc_32_user((unsigned long)___x);\
60927 +       ___retval;                                              \
60928 +})
60929 +
60930  #endif /* _LINUX_VMALLOC_H */
60931 diff -urNp linux-3.1.1/include/linux/vmstat.h linux-3.1.1/include/linux/vmstat.h
60932 --- linux-3.1.1/include/linux/vmstat.h  2011-11-11 15:19:27.000000000 -0500
60933 +++ linux-3.1.1/include/linux/vmstat.h  2011-11-16 18:39:08.000000000 -0500
60934 @@ -87,18 +87,18 @@ static inline void vm_events_fold_cpu(in
60935  /*
60936   * Zone based page accounting with per cpu differentials.
60937   */
60938 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
60939 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
60940  
60941  static inline void zone_page_state_add(long x, struct zone *zone,
60942                                  enum zone_stat_item item)
60943  {
60944 -       atomic_long_add(x, &zone->vm_stat[item]);
60945 -       atomic_long_add(x, &vm_stat[item]);
60946 +       atomic_long_add_unchecked(x, &zone->vm_stat[item]);
60947 +       atomic_long_add_unchecked(x, &vm_stat[item]);
60948  }
60949  
60950  static inline unsigned long global_page_state(enum zone_stat_item item)
60951  {
60952 -       long x = atomic_long_read(&vm_stat[item]);
60953 +       long x = atomic_long_read_unchecked(&vm_stat[item]);
60954  #ifdef CONFIG_SMP
60955         if (x < 0)
60956                 x = 0;
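Review bot: The switch to atomic_long_unchecked_t on vm_stat and the matching add/inc/dec/read calls take these counters out of refcount-overflow detection, and nothing in the hunk records why that is acceptable. The `if (x < 0) x = 0` clamp right below shows these are statistics that can legitimately go transiently negative, so a comment on the extern would make the exemption self-explaining, e.g. `/* statistics, not refcounts: per-cpu deltas may wrap or go negative, so overflow checking is deliberately off */`. The same applies to the other atomic_t → atomic_unchecked_t conversions in this chunk (cfctrl.h, flow.h, inetpeer.h, ip_fib.h, ip_vs.h, af_iucv.h, netns/ipv4.h, sock.h, xfrm.h, scsi_device.h, ymfpci.h, target_core_base.h, udlfb.h), where ip_vs.h's conn_flags and target_core_base.h's t_transport_aborted look like flag words rather than counters and deserve their own one-line reason. global_page_state's body continues past the end of the hunk.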
60957 @@ -109,7 +109,7 @@ static inline unsigned long global_page_
60958  static inline unsigned long zone_page_state(struct zone *zone,
60959                                         enum zone_stat_item item)
60960  {
60961 -       long x = atomic_long_read(&zone->vm_stat[item]);
60962 +       long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
60963  #ifdef CONFIG_SMP
60964         if (x < 0)
60965                 x = 0;
60966 @@ -126,7 +126,7 @@ static inline unsigned long zone_page_st
60967  static inline unsigned long zone_page_state_snapshot(struct zone *zone,
60968                                         enum zone_stat_item item)
60969  {
60970 -       long x = atomic_long_read(&zone->vm_stat[item]);
60971 +       long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
60972  
60973  #ifdef CONFIG_SMP
60974         int cpu;
60975 @@ -221,8 +221,8 @@ static inline void __mod_zone_page_state
60976  
60977  static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
60978  {
60979 -       atomic_long_inc(&zone->vm_stat[item]);
60980 -       atomic_long_inc(&vm_stat[item]);
60981 +       atomic_long_inc_unchecked(&zone->vm_stat[item]);
60982 +       atomic_long_inc_unchecked(&vm_stat[item]);
60983  }
60984  
60985  static inline void __inc_zone_page_state(struct page *page,
60986 @@ -233,8 +233,8 @@ static inline void __inc_zone_page_state
60987  
60988  static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
60989  {
60990 -       atomic_long_dec(&zone->vm_stat[item]);
60991 -       atomic_long_dec(&vm_stat[item]);
60992 +       atomic_long_dec_unchecked(&zone->vm_stat[item]);
60993 +       atomic_long_dec_unchecked(&vm_stat[item]);
60994  }
60995  
60996  static inline void __dec_zone_page_state(struct page *page,
60997 diff -urNp linux-3.1.1/include/media/saa7146_vv.h linux-3.1.1/include/media/saa7146_vv.h
60998 --- linux-3.1.1/include/media/saa7146_vv.h      2011-11-11 15:19:27.000000000 -0500
60999 +++ linux-3.1.1/include/media/saa7146_vv.h      2011-11-16 18:39:08.000000000 -0500
61000 @@ -163,7 +163,7 @@ struct saa7146_ext_vv
61001         int (*std_callback)(struct saa7146_dev*, struct saa7146_standard *);
61002  
61003         /* the extension can override this */
61004 -       struct v4l2_ioctl_ops ops;
61005 +       v4l2_ioctl_ops_no_const ops;
61006         /* pointer to the saa7146 core ops */
61007         const struct v4l2_ioctl_ops *core_ops;
61008  
61009 diff -urNp linux-3.1.1/include/media/v4l2-dev.h linux-3.1.1/include/media/v4l2-dev.h
61010 --- linux-3.1.1/include/media/v4l2-dev.h        2011-11-11 15:19:27.000000000 -0500
61011 +++ linux-3.1.1/include/media/v4l2-dev.h        2011-11-16 18:39:08.000000000 -0500
61012 @@ -56,7 +56,7 @@ int v4l2_prio_check(struct v4l2_prio_sta
61013  
61014  
61015  struct v4l2_file_operations {
61016 -       struct module *owner;
61017 +       struct module * const owner;
61018         ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
61019         ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
61020         unsigned int (*poll) (struct file *, struct poll_table_struct *);
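Review bot: `struct module * const owner` makes the member assignable only through an initializer, and the `v4l2_file_operations_no_const` typedef added in the next hunk does not lift that, since a qualifier on a member survives a typedef of the struct; a driver that builds its file operations at runtime and sets `owner` afterwards will therefore no longer compile. That is probably intended, as the owner should be fixed at definition, but it is worth stating, e.g. `struct module * const owner; /* fixed at definition; set via initializer only */`. The users of the `_no_const` typedef are not in this chunk, so I would check none of them assigns `owner` after definition.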
61021 @@ -68,6 +68,7 @@ struct v4l2_file_operations {
61022         int (*open) (struct file *);
61023         int (*release) (struct file *);
61024  };
61025 +typedef struct v4l2_file_operations __no_const v4l2_file_operations_no_const;
61026  
61027  /*
61028   * Newer version of video_device, handled by videodev2.c
61029 diff -urNp linux-3.1.1/include/media/v4l2-ioctl.h linux-3.1.1/include/media/v4l2-ioctl.h
61030 --- linux-3.1.1/include/media/v4l2-ioctl.h      2011-11-11 15:19:27.000000000 -0500
61031 +++ linux-3.1.1/include/media/v4l2-ioctl.h      2011-11-16 18:40:44.000000000 -0500
61032 @@ -272,6 +272,7 @@ struct v4l2_ioctl_ops {
61033         long (*vidioc_default)         (struct file *file, void *fh,
61034                                         bool valid_prio, int cmd, void *arg);
61035  };
61036 +typedef struct v4l2_ioctl_ops __no_const v4l2_ioctl_ops_no_const;
61037  
61038  
61039  /* v4l debugging and diagnostics */
61040 diff -urNp linux-3.1.1/include/net/caif/caif_hsi.h linux-3.1.1/include/net/caif/caif_hsi.h
61041 --- linux-3.1.1/include/net/caif/caif_hsi.h     2011-11-11 15:19:27.000000000 -0500
61042 +++ linux-3.1.1/include/net/caif/caif_hsi.h     2011-11-16 18:39:08.000000000 -0500
61043 @@ -94,7 +94,7 @@ struct cfhsi_drv {
61044         void (*rx_done_cb) (struct cfhsi_drv *drv);
61045         void (*wake_up_cb) (struct cfhsi_drv *drv);
61046         void (*wake_down_cb) (struct cfhsi_drv *drv);
61047 -};
61048 +} __no_const;
61049  
61050  /* Structure implemented by HSI device. */
61051  struct cfhsi_dev {
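Review bot: `__no_const` on struct cfhsi_drv exempts this table of function pointers from being made read-only, and the hunk gives no reason; a writable callback table is exactly what the constification is meant to remove, so each exemption should carry a one-line justification, e.g. `/* filled in at runtime by the HSI device, so it cannot be constified */`. The same unexplained opt-out appears in cfctrl.h (cfctrl_rsp), ircomm_core.h (call_t), iw_cm.h, ak4xxx-adda.h, hwdep.h, info.h, sb16_csp.h, target_core_base.h (t10_reservation_ops) and, through the `_no_const` typedefs, in v4l2-ioctl.h, v4l2-dev.h, libfc.h, pcm.h, saa7146_vv.h, tcp.h and udp.h. Whether each of these is really populated at runtime is not visible here, so I would verify the users before accepting the exemption rather than assume it.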
61052 diff -urNp linux-3.1.1/include/net/caif/cfctrl.h linux-3.1.1/include/net/caif/cfctrl.h
61053 --- linux-3.1.1/include/net/caif/cfctrl.h       2011-11-11 15:19:27.000000000 -0500
61054 +++ linux-3.1.1/include/net/caif/cfctrl.h       2011-11-16 18:39:08.000000000 -0500
61055 @@ -52,7 +52,7 @@ struct cfctrl_rsp {
61056         void (*radioset_rsp)(void);
61057         void (*reject_rsp)(struct cflayer *layer, u8 linkid,
61058                                 struct cflayer *client_layer);
61059 -};
61060 +} __no_const;
61061  
61062  /* Link Setup Parameters for CAIF-Links. */
61063  struct cfctrl_link_param {
61064 @@ -101,8 +101,8 @@ struct cfctrl_request_info {
61065  struct cfctrl {
61066         struct cfsrvl serv;
61067         struct cfctrl_rsp res;
61068 -       atomic_t req_seq_no;
61069 -       atomic_t rsp_seq_no;
61070 +       atomic_unchecked_t req_seq_no;
61071 +       atomic_unchecked_t rsp_seq_no;
61072         struct list_head list;
61073         /* Protects from simultaneous access to first_req list */
61074         spinlock_t info_list_lock;
61075 diff -urNp linux-3.1.1/include/net/flow.h linux-3.1.1/include/net/flow.h
61076 --- linux-3.1.1/include/net/flow.h      2011-11-11 15:19:27.000000000 -0500
61077 +++ linux-3.1.1/include/net/flow.h      2011-11-16 18:39:08.000000000 -0500
61078 @@ -207,6 +207,6 @@ extern struct flow_cache_object *flow_ca
61079                 u8 dir, flow_resolve_t resolver, void *ctx);
61080  
61081  extern void flow_cache_flush(void);
61082 -extern atomic_t flow_cache_genid;
61083 +extern atomic_unchecked_t flow_cache_genid;
61084  
61085  #endif
61086 diff -urNp linux-3.1.1/include/net/inetpeer.h linux-3.1.1/include/net/inetpeer.h
61087 --- linux-3.1.1/include/net/inetpeer.h  2011-11-11 15:19:27.000000000 -0500
61088 +++ linux-3.1.1/include/net/inetpeer.h  2011-11-16 18:39:08.000000000 -0500
61089 @@ -47,8 +47,8 @@ struct inet_peer {
61090          */
61091         union {
61092                 struct {
61093 -                       atomic_t                        rid;            /* Frag reception counter */
61094 -                       atomic_t                        ip_id_count;    /* IP ID for the next packet */
61095 +                       atomic_unchecked_t              rid;            /* Frag reception counter */
61096 +                       atomic_unchecked_t              ip_id_count;    /* IP ID for the next packet */
61097                         __u32                           tcp_ts;
61098                         __u32                           tcp_ts_stamp;
61099                 };
61100 @@ -112,11 +112,11 @@ static inline int inet_getid(struct inet
61101         more++;
61102         inet_peer_refcheck(p);
61103         do {
61104 -               old = atomic_read(&p->ip_id_count);
61105 +               old = atomic_read_unchecked(&p->ip_id_count);
61106                 new = old + more;
61107                 if (!new)
61108                         new = 1;
61109 -       } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
61110 +       } while (atomic_cmpxchg_unchecked(&p->ip_id_count, old, new) != old);
61111         return new;
61112  }
61113  
61114 diff -urNp linux-3.1.1/include/net/ip_fib.h linux-3.1.1/include/net/ip_fib.h
61115 --- linux-3.1.1/include/net/ip_fib.h    2011-11-11 15:19:27.000000000 -0500
61116 +++ linux-3.1.1/include/net/ip_fib.h    2011-11-16 18:39:08.000000000 -0500
61117 @@ -146,7 +146,7 @@ extern __be32 fib_info_update_nh_saddr(s
61118  
61119  #define FIB_RES_SADDR(net, res)                                \
61120         ((FIB_RES_NH(res).nh_saddr_genid ==             \
61121 -         atomic_read(&(net)->ipv4.dev_addr_genid)) ?   \
61122 +         atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
61123          FIB_RES_NH(res).nh_saddr :                     \
61124          fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
61125  #define FIB_RES_GW(res)                        (FIB_RES_NH(res).nh_gw)
61126 diff -urNp linux-3.1.1/include/net/ip_vs.h linux-3.1.1/include/net/ip_vs.h
61127 --- linux-3.1.1/include/net/ip_vs.h     2011-11-11 15:19:27.000000000 -0500
61128 +++ linux-3.1.1/include/net/ip_vs.h     2011-11-16 18:39:08.000000000 -0500
61129 @@ -509,7 +509,7 @@ struct ip_vs_conn {
61130         struct ip_vs_conn       *control;       /* Master control connection */
61131         atomic_t                n_control;      /* Number of controlled ones */
61132         struct ip_vs_dest       *dest;          /* real server */
61133 -       atomic_t                in_pkts;        /* incoming packet counter */
61134 +       atomic_unchecked_t      in_pkts;        /* incoming packet counter */
61135  
61136         /* packet transmitter for different forwarding methods.  If it
61137            mangles the packet, it must return NF_DROP or better NF_STOLEN,
61138 @@ -647,7 +647,7 @@ struct ip_vs_dest {
61139         __be16                  port;           /* port number of the server */
61140         union nf_inet_addr      addr;           /* IP address of the server */
61141         volatile unsigned       flags;          /* dest status flags */
61142 -       atomic_t                conn_flags;     /* flags to copy to conn */
61143 +       atomic_unchecked_t      conn_flags;     /* flags to copy to conn */
61144         atomic_t                weight;         /* server weight */
61145  
61146         atomic_t                refcnt;         /* reference counter */
61147 diff -urNp linux-3.1.1/include/net/irda/ircomm_core.h linux-3.1.1/include/net/irda/ircomm_core.h
61148 --- linux-3.1.1/include/net/irda/ircomm_core.h  2011-11-11 15:19:27.000000000 -0500
61149 +++ linux-3.1.1/include/net/irda/ircomm_core.h  2011-11-16 18:39:08.000000000 -0500
61150 @@ -51,7 +51,7 @@ typedef struct {
61151         int (*connect_response)(struct ircomm_cb *, struct sk_buff *);
61152         int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *, 
61153                                   struct ircomm_info *);        
61154 -} call_t;
61155 +} __no_const call_t;
61156  
61157  struct ircomm_cb {
61158         irda_queue_t queue;
61159 diff -urNp linux-3.1.1/include/net/irda/ircomm_tty.h linux-3.1.1/include/net/irda/ircomm_tty.h
61160 --- linux-3.1.1/include/net/irda/ircomm_tty.h   2011-11-11 15:19:27.000000000 -0500
61161 +++ linux-3.1.1/include/net/irda/ircomm_tty.h   2011-11-16 18:39:08.000000000 -0500
61162 @@ -35,6 +35,7 @@
61163  #include <linux/termios.h>
61164  #include <linux/timer.h>
61165  #include <linux/tty.h>         /* struct tty_struct */
61166 +#include <asm/local.h>
61167  
61168  #include <net/irda/irias_object.h>
61169  #include <net/irda/ircomm_core.h>
61170 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
61171          unsigned short    close_delay;
61172          unsigned short    closing_wait; /* time to wait before closing */
61173  
61174 -       int  open_count;
61175 -       int  blocked_open;      /* # of blocked opens */
61176 +       local_t open_count;
61177 +       local_t blocked_open;   /* # of blocked opens */
61178  
61179         /* Protect concurent access to :
61180          *      o self->open_count
61181 diff -urNp linux-3.1.1/include/net/iucv/af_iucv.h linux-3.1.1/include/net/iucv/af_iucv.h
61182 --- linux-3.1.1/include/net/iucv/af_iucv.h      2011-11-11 15:19:27.000000000 -0500
61183 +++ linux-3.1.1/include/net/iucv/af_iucv.h      2011-11-16 18:39:08.000000000 -0500
61184 @@ -87,7 +87,7 @@ struct iucv_sock {
61185  struct iucv_sock_list {
61186         struct hlist_head head;
61187         rwlock_t          lock;
61188 -       atomic_t          autobind_name;
61189 +       atomic_unchecked_t autobind_name;
61190  };
61191  
61192  unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
61193 diff -urNp linux-3.1.1/include/net/lapb.h linux-3.1.1/include/net/lapb.h
61194 --- linux-3.1.1/include/net/lapb.h      2011-11-11 15:19:27.000000000 -0500
61195 +++ linux-3.1.1/include/net/lapb.h      2011-11-16 18:39:08.000000000 -0500
61196 @@ -95,7 +95,7 @@ struct lapb_cb {
61197         struct sk_buff_head     write_queue;
61198         struct sk_buff_head     ack_queue;
61199         unsigned char           window;
61200 -       struct lapb_register_struct callbacks;
61201 +       struct lapb_register_struct *callbacks;
61202  
61203         /* FRMR control information */
61204         struct lapb_frame       frmr_data;
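Review bot: Changing `callbacks` from an embedded copy to a pointer changes ownership: the lapb_cb now references the caller's lapb_register_struct instead of copying it, so any caller of lapb_register() that passes a stack-local or later-freed structure is left with a dangling callback table. The matching lapb_register() change and its callers are not in this chunk, so I would verify every registrant keeps the structure alive until lapb_unregister() and record that here, e.g. `struct lapb_register_struct *callbacks; /* owned by the registrant; must outlive lapb_unregister() */`. Since the intent is presumably to let drivers keep the table in read-only memory, `const struct lapb_register_struct *callbacks;` would state that directly.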
61205 diff -urNp linux-3.1.1/include/net/neighbour.h linux-3.1.1/include/net/neighbour.h
61206 --- linux-3.1.1/include/net/neighbour.h 2011-11-11 15:19:27.000000000 -0500
61207 +++ linux-3.1.1/include/net/neighbour.h 2011-11-16 18:39:08.000000000 -0500
61208 @@ -122,7 +122,7 @@ struct neigh_ops {
61209         void                    (*error_report)(struct neighbour *, struct sk_buff *);
61210         int                     (*output)(struct neighbour *, struct sk_buff *);
61211         int                     (*connected_output)(struct neighbour *, struct sk_buff *);
61212 -};
61213 +} __do_const;
61214  
61215  struct pneigh_entry {
61216         struct pneigh_entry     *next;
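Review bot: `__do_const` on struct neigh_ops forces every instance to be treated as read-only, which breaks any code that declares a non-const neigh_ops and assigns its members after definition; no such call-site update is visible in this chunk, so I would confirm the users were audited. A short comment on the closing brace would record the contract, e.g. `} __do_const; /* instances are initialized statically and never written after definition */`. The same applies to scsi_transport_fc.h (fc_function_template) and soc.h (snd_soc_platform_driver).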
61217 diff -urNp linux-3.1.1/include/net/netlink.h linux-3.1.1/include/net/netlink.h
61218 --- linux-3.1.1/include/net/netlink.h   2011-11-11 15:19:27.000000000 -0500
61219 +++ linux-3.1.1/include/net/netlink.h   2011-11-16 18:39:08.000000000 -0500
61220 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
61221  static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
61222  {
61223         if (mark)
61224 -               skb_trim(skb, (unsigned char *) mark - skb->data);
61225 +               skb_trim(skb, (const unsigned char *) mark - skb->data);
61226  }
61227  
61228  /**
61229 diff -urNp linux-3.1.1/include/net/netns/ipv4.h linux-3.1.1/include/net/netns/ipv4.h
61230 --- linux-3.1.1/include/net/netns/ipv4.h        2011-11-11 15:19:27.000000000 -0500
61231 +++ linux-3.1.1/include/net/netns/ipv4.h        2011-11-16 18:39:08.000000000 -0500
61232 @@ -56,8 +56,8 @@ struct netns_ipv4 {
61233  
61234         unsigned int sysctl_ping_group_range[2];
61235  
61236 -       atomic_t rt_genid;
61237 -       atomic_t dev_addr_genid;
61238 +       atomic_unchecked_t rt_genid;
61239 +       atomic_unchecked_t dev_addr_genid;
61240  
61241  #ifdef CONFIG_IP_MROUTE
61242  #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
61243 diff -urNp linux-3.1.1/include/net/sctp/sctp.h linux-3.1.1/include/net/sctp/sctp.h
61244 --- linux-3.1.1/include/net/sctp/sctp.h 2011-11-11 15:19:27.000000000 -0500
61245 +++ linux-3.1.1/include/net/sctp/sctp.h 2011-11-16 18:39:08.000000000 -0500
61246 @@ -318,9 +318,9 @@ do {                                                                        \
61247  
61248  #else  /* SCTP_DEBUG */
61249  
61250 -#define SCTP_DEBUG_PRINTK(whatever...)
61251 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
61252 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
61253 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
61254 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
61255 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
61256  #define SCTP_ENABLE_DEBUG
61257  #define SCTP_DISABLE_DEBUG
61258  #define SCTP_ASSERT(expr, str, func)
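Review bot: The `do {} while (0)` bodies remove the dangling-else and empty-statement hazards for the three PRINTK macros, but `SCTP_ASSERT(expr, str, func)` on the last context line is still an empty expansion used as a statement and keeps the same hazard; `#define SCTP_ASSERT(expr, str, func) do {} while (0)` would make the block consistent. If SCTP_ENABLE_DEBUG and SCTP_DISABLE_DEBUG are also used as statements they warrant the same treatment, which this hunk does not show.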
61259 diff -urNp linux-3.1.1/include/net/sock.h linux-3.1.1/include/net/sock.h
61260 --- linux-3.1.1/include/net/sock.h      2011-11-11 15:19:27.000000000 -0500
61261 +++ linux-3.1.1/include/net/sock.h      2011-11-16 18:39:08.000000000 -0500
61262 @@ -278,7 +278,7 @@ struct sock {
61263  #ifdef CONFIG_RPS
61264         __u32                   sk_rxhash;
61265  #endif
61266 -       atomic_t                sk_drops;
61267 +       atomic_unchecked_t      sk_drops;
61268         int                     sk_rcvbuf;
61269  
61270         struct sk_filter __rcu  *sk_filter;
61271 @@ -1391,7 +1391,7 @@ static inline void sk_nocaps_add(struct 
61272  }
61273  
61274  static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb,
61275 -                                          char __user *from, char *to,
61276 +                                          char __user *from, unsigned char *to,
61277                                            int copy, int offset)
61278  {
61279         if (skb->ip_summed == CHECKSUM_NONE) {
61280 diff -urNp linux-3.1.1/include/net/tcp.h linux-3.1.1/include/net/tcp.h
61281 --- linux-3.1.1/include/net/tcp.h       2011-11-11 15:19:27.000000000 -0500
61282 +++ linux-3.1.1/include/net/tcp.h       2011-11-16 18:39:08.000000000 -0500
61283 @@ -1401,8 +1401,8 @@ enum tcp_seq_states {
61284  struct tcp_seq_afinfo {
61285         char                    *name;
61286         sa_family_t             family;
61287 -       struct file_operations  seq_fops;
61288 -       struct seq_operations   seq_ops;
61289 +       file_operations_no_const        seq_fops;
61290 +       seq_operations_no_const seq_ops;
61291  };
61292  
61293  struct tcp_iter_state {
61294 diff -urNp linux-3.1.1/include/net/udp.h linux-3.1.1/include/net/udp.h
61295 --- linux-3.1.1/include/net/udp.h       2011-11-11 15:19:27.000000000 -0500
61296 +++ linux-3.1.1/include/net/udp.h       2011-11-16 18:39:08.000000000 -0500
61297 @@ -234,8 +234,8 @@ struct udp_seq_afinfo {
61298         char                    *name;
61299         sa_family_t             family;
61300         struct udp_table        *udp_table;
61301 -       struct file_operations  seq_fops;
61302 -       struct seq_operations   seq_ops;
61303 +       file_operations_no_const        seq_fops;
61304 +       seq_operations_no_const seq_ops;
61305  };
61306  
61307  struct udp_iter_state {
61308 diff -urNp linux-3.1.1/include/net/xfrm.h linux-3.1.1/include/net/xfrm.h
61309 --- linux-3.1.1/include/net/xfrm.h      2011-11-11 15:19:27.000000000 -0500
61310 +++ linux-3.1.1/include/net/xfrm.h      2011-11-16 18:39:08.000000000 -0500
61311 @@ -505,7 +505,7 @@ struct xfrm_policy {
61312         struct timer_list       timer;
61313  
61314         struct flow_cache_object flo;
61315 -       atomic_t                genid;
61316 +       atomic_unchecked_t      genid;
61317         u32                     priority;
61318         u32                     index;
61319         struct xfrm_mark        mark;
61320 diff -urNp linux-3.1.1/include/rdma/iw_cm.h linux-3.1.1/include/rdma/iw_cm.h
61321 --- linux-3.1.1/include/rdma/iw_cm.h    2011-11-11 15:19:27.000000000 -0500
61322 +++ linux-3.1.1/include/rdma/iw_cm.h    2011-11-16 18:39:08.000000000 -0500
61323 @@ -120,7 +120,7 @@ struct iw_cm_verbs {
61324                                          int backlog);
61325  
61326         int             (*destroy_listen)(struct iw_cm_id *cm_id);
61327 -};
61328 +} __no_const;
61329  
61330  /**
61331   * iw_create_cm_id - Create an IW CM identifier.
61332 diff -urNp linux-3.1.1/include/scsi/libfc.h linux-3.1.1/include/scsi/libfc.h
61333 --- linux-3.1.1/include/scsi/libfc.h    2011-11-11 15:19:27.000000000 -0500
61334 +++ linux-3.1.1/include/scsi/libfc.h    2011-11-16 18:39:08.000000000 -0500
61335 @@ -758,6 +758,7 @@ struct libfc_function_template {
61336          */
61337         void (*disc_stop_final) (struct fc_lport *);
61338  };
61339 +typedef struct libfc_function_template __no_const libfc_function_template_no_const;
61340  
61341  /**
61342   * struct fc_disc - Discovery context
61343 @@ -861,7 +862,7 @@ struct fc_lport {
61344         struct fc_vport                *vport;
61345  
61346         /* Operational Information */
61347 -       struct libfc_function_template tt;
61348 +       libfc_function_template_no_const tt;
61349         u8                             link_up;
61350         u8                             qfull;
61351         enum fc_lport_state            state;
61352 diff -urNp linux-3.1.1/include/scsi/scsi_device.h linux-3.1.1/include/scsi/scsi_device.h
61353 --- linux-3.1.1/include/scsi/scsi_device.h      2011-11-11 15:19:27.000000000 -0500
61354 +++ linux-3.1.1/include/scsi/scsi_device.h      2011-11-16 18:39:08.000000000 -0500
61355 @@ -161,9 +161,9 @@ struct scsi_device {
61356         unsigned int max_device_blocked; /* what device_blocked counts down from  */
61357  #define SCSI_DEFAULT_DEVICE_BLOCKED    3
61358  
61359 -       atomic_t iorequest_cnt;
61360 -       atomic_t iodone_cnt;
61361 -       atomic_t ioerr_cnt;
61362 +       atomic_unchecked_t iorequest_cnt;
61363 +       atomic_unchecked_t iodone_cnt;
61364 +       atomic_unchecked_t ioerr_cnt;
61365  
61366         struct device           sdev_gendev,
61367                                 sdev_dev;
61368 diff -urNp linux-3.1.1/include/scsi/scsi_transport_fc.h linux-3.1.1/include/scsi/scsi_transport_fc.h
61369 --- linux-3.1.1/include/scsi/scsi_transport_fc.h        2011-11-11 15:19:27.000000000 -0500
61370 +++ linux-3.1.1/include/scsi/scsi_transport_fc.h        2011-11-16 18:39:08.000000000 -0500
61371 @@ -711,7 +711,7 @@ struct fc_function_template {
61372         unsigned long   show_host_system_hostname:1;
61373  
61374         unsigned long   disable_target_scan:1;
61375 -};
61376 +} __do_const;
61377  
61378  
61379  /**
61380 diff -urNp linux-3.1.1/include/sound/ak4xxx-adda.h linux-3.1.1/include/sound/ak4xxx-adda.h
61381 --- linux-3.1.1/include/sound/ak4xxx-adda.h     2011-11-11 15:19:27.000000000 -0500
61382 +++ linux-3.1.1/include/sound/ak4xxx-adda.h     2011-11-16 18:39:08.000000000 -0500
61383 @@ -35,7 +35,7 @@ struct snd_ak4xxx_ops {
61384         void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg,
61385                       unsigned char val);
61386         void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
61387 -};
61388 +} __no_const;
61389  
61390  #define AK4XXX_IMAGE_SIZE      (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */
61391  
61392 diff -urNp linux-3.1.1/include/sound/hwdep.h linux-3.1.1/include/sound/hwdep.h
61393 --- linux-3.1.1/include/sound/hwdep.h   2011-11-11 15:19:27.000000000 -0500
61394 +++ linux-3.1.1/include/sound/hwdep.h   2011-11-16 18:39:08.000000000 -0500
61395 @@ -49,7 +49,7 @@ struct snd_hwdep_ops {
61396                           struct snd_hwdep_dsp_status *status);
61397         int (*dsp_load)(struct snd_hwdep *hw,
61398                         struct snd_hwdep_dsp_image *image);
61399 -};
61400 +} __no_const;
61401  
61402  struct snd_hwdep {
61403         struct snd_card *card;
61404 diff -urNp linux-3.1.1/include/sound/info.h linux-3.1.1/include/sound/info.h
61405 --- linux-3.1.1/include/sound/info.h    2011-11-11 15:19:27.000000000 -0500
61406 +++ linux-3.1.1/include/sound/info.h    2011-11-16 18:39:08.000000000 -0500
61407 @@ -44,7 +44,7 @@ struct snd_info_entry_text {
61408                      struct snd_info_buffer *buffer);
61409         void (*write)(struct snd_info_entry *entry,
61410                       struct snd_info_buffer *buffer);
61411 -};
61412 +} __no_const;
61413  
61414  struct snd_info_entry_ops {
61415         int (*open)(struct snd_info_entry *entry,
61416 diff -urNp linux-3.1.1/include/sound/pcm.h linux-3.1.1/include/sound/pcm.h
61417 --- linux-3.1.1/include/sound/pcm.h     2011-11-11 15:19:27.000000000 -0500
61418 +++ linux-3.1.1/include/sound/pcm.h     2011-11-16 18:39:08.000000000 -0500
61419 @@ -81,6 +81,7 @@ struct snd_pcm_ops {
61420         int (*mmap)(struct snd_pcm_substream *substream, struct vm_area_struct *vma);
61421         int (*ack)(struct snd_pcm_substream *substream);
61422  };
61423 +typedef struct snd_pcm_ops __no_const snd_pcm_ops_no_const;
61424  
61425  /*
61426   *
61427 diff -urNp linux-3.1.1/include/sound/sb16_csp.h linux-3.1.1/include/sound/sb16_csp.h
61428 --- linux-3.1.1/include/sound/sb16_csp.h        2011-11-11 15:19:27.000000000 -0500
61429 +++ linux-3.1.1/include/sound/sb16_csp.h        2011-11-16 18:39:08.000000000 -0500
61430 @@ -146,7 +146,7 @@ struct snd_sb_csp_ops {
61431         int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels);
61432         int (*csp_stop) (struct snd_sb_csp * p);
61433         int (*csp_qsound_transfer) (struct snd_sb_csp * p);
61434 -};
61435 +} __no_const;
61436  
61437  /*
61438   * CSP private data
61439 diff -urNp linux-3.1.1/include/sound/soc.h linux-3.1.1/include/sound/soc.h
61440 --- linux-3.1.1/include/sound/soc.h     2011-11-11 15:19:27.000000000 -0500
61441 +++ linux-3.1.1/include/sound/soc.h     2011-11-16 18:39:08.000000000 -0500
61442 @@ -676,7 +676,7 @@ struct snd_soc_platform_driver {
61443         /* platform IO - used for platform DAPM */
61444         unsigned int (*read)(struct snd_soc_platform *, unsigned int);
61445         int (*write)(struct snd_soc_platform *, unsigned int, unsigned int);
61446 -};
61447 +} __do_const;
61448  
61449  struct snd_soc_platform {
61450         const char *name;
61451 diff -urNp linux-3.1.1/include/sound/ymfpci.h linux-3.1.1/include/sound/ymfpci.h
61452 --- linux-3.1.1/include/sound/ymfpci.h  2011-11-11 15:19:27.000000000 -0500
61453 +++ linux-3.1.1/include/sound/ymfpci.h  2011-11-16 18:39:08.000000000 -0500
61454 @@ -358,7 +358,7 @@ struct snd_ymfpci {
61455         spinlock_t reg_lock;
61456         spinlock_t voice_lock;
61457         wait_queue_head_t interrupt_sleep;
61458 -       atomic_t interrupt_sleep_count;
61459 +       atomic_unchecked_t interrupt_sleep_count;
61460         struct snd_info_entry *proc_entry;
61461         const struct firmware *dsp_microcode;
61462         const struct firmware *controller_microcode;
61463 diff -urNp linux-3.1.1/include/target/target_core_base.h linux-3.1.1/include/target/target_core_base.h
61464 --- linux-3.1.1/include/target/target_core_base.h       2011-11-11 15:19:27.000000000 -0500
61465 +++ linux-3.1.1/include/target/target_core_base.h       2011-11-16 18:39:08.000000000 -0500
61466 @@ -356,7 +356,7 @@ struct t10_reservation_ops {
61467         int (*t10_seq_non_holder)(struct se_cmd *, unsigned char *, u32);
61468         int (*t10_pr_register)(struct se_cmd *);
61469         int (*t10_pr_clear)(struct se_cmd *);
61470 -};
61471 +} __no_const;
61472  
61473  struct t10_reservation {
61474         /* Reservation effects all target ports */
61475 @@ -496,8 +496,8 @@ struct se_cmd {
61476         atomic_t                t_task_cdbs_left;
61477         atomic_t                t_task_cdbs_ex_left;
61478         atomic_t                t_task_cdbs_timeout_left;
61479 -       atomic_t                t_task_cdbs_sent;
61480 -       atomic_t                t_transport_aborted;
61481 +       atomic_unchecked_t      t_task_cdbs_sent;
61482 +       atomic_unchecked_t      t_transport_aborted;
61483         atomic_t                t_transport_active;
61484         atomic_t                t_transport_complete;
61485         atomic_t                t_transport_queue_active;
61486 @@ -744,7 +744,7 @@ struct se_device {
61487         atomic_t                active_cmds;
61488         atomic_t                simple_cmds;
61489         atomic_t                depth_left;
61490 -       atomic_t                dev_ordered_id;
61491 +       atomic_unchecked_t      dev_ordered_id;
61492         atomic_t                dev_tur_active;
61493         atomic_t                execute_tasks;
61494         atomic_t                dev_status_thr_count;
61495 diff -urNp linux-3.1.1/include/trace/events/irq.h linux-3.1.1/include/trace/events/irq.h
61496 --- linux-3.1.1/include/trace/events/irq.h      2011-11-11 15:19:27.000000000 -0500
61497 +++ linux-3.1.1/include/trace/events/irq.h      2011-11-16 18:39:08.000000000 -0500
61498 @@ -36,7 +36,7 @@ struct softirq_action;
61499   */
61500  TRACE_EVENT(irq_handler_entry,
61501  
61502 -       TP_PROTO(int irq, struct irqaction *action),
61503 +       TP_PROTO(int irq, const struct irqaction *action),
61504  
61505         TP_ARGS(irq, action),
61506  
61507 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
61508   */
61509  TRACE_EVENT(irq_handler_exit,
61510  
61511 -       TP_PROTO(int irq, struct irqaction *action, int ret),
61512 +       TP_PROTO(int irq, const struct irqaction *action, int ret),
61513  
61514         TP_ARGS(irq, action, ret),
61515  
61516 diff -urNp linux-3.1.1/include/video/udlfb.h linux-3.1.1/include/video/udlfb.h
61517 --- linux-3.1.1/include/video/udlfb.h   2011-11-11 15:19:27.000000000 -0500
61518 +++ linux-3.1.1/include/video/udlfb.h   2011-11-16 18:39:08.000000000 -0500
61519 @@ -51,10 +51,10 @@ struct dlfb_data {
61520         int base8;
61521         u32 pseudo_palette[256];
61522         /* blit-only rendering path metrics, exposed through sysfs */
61523 -       atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
61524 -       atomic_t bytes_identical; /* saved effort with backbuffer comparison */
61525 -       atomic_t bytes_sent; /* to usb, after compression including overhead */
61526 -       atomic_t cpu_kcycles_used; /* transpired during pixel processing */
61527 +       atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
61528 +       atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
61529 +       atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
61530 +       atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
61531  };
61532  
61533  #define NR_USB_REQUEST_I2C_SUB_IO 0x02
61534 diff -urNp linux-3.1.1/include/video/uvesafb.h linux-3.1.1/include/video/uvesafb.h
61535 --- linux-3.1.1/include/video/uvesafb.h 2011-11-11 15:19:27.000000000 -0500
61536 +++ linux-3.1.1/include/video/uvesafb.h 2011-11-16 18:39:08.000000000 -0500
61537 @@ -177,6 +177,7 @@ struct uvesafb_par {
61538         u8 ypan;                        /* 0 - nothing, 1 - ypan, 2 - ywrap */
61539         u8 pmi_setpal;                  /* PMI for palette changes */
61540         u16 *pmi_base;                  /* protected mode interface location */
61541 +       u8 *pmi_code;                   /* protected mode code location */
61542         void *pmi_start;
61543         void *pmi_pal;
61544         u8 *vbe_state_orig;             /*
61545 diff -urNp linux-3.1.1/init/do_mounts.c linux-3.1.1/init/do_mounts.c
61546 --- linux-3.1.1/init/do_mounts.c        2011-11-11 15:19:27.000000000 -0500
61547 +++ linux-3.1.1/init/do_mounts.c        2011-11-16 18:39:08.000000000 -0500
61548 @@ -287,11 +287,11 @@ static void __init get_fs_names(char *pa
61549  
61550  static int __init do_mount_root(char *name, char *fs, int flags, void *data)
61551  {
61552 -       int err = sys_mount(name, "/root", fs, flags, data);
61553 +       int err = sys_mount((char __force_user *)name, (char __force_user *)"/root", (char __force_user *)fs, flags, (void __force_user *)data);
61554         if (err)
61555                 return err;
61556  
61557 -       sys_chdir((const char __user __force *)"/root");
61558 +       sys_chdir((const char __force_user*)"/root");
61559         ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
61560         printk(KERN_INFO
61561                "VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
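Review bot: The replacement cast on the sys_chdir line is spelled `(const char __force_user*)"/root"` with no space before the `*`, unlike every other cast this patch adds (`__force_user *)`); write it as `sys_chdir((const char __force_user *)"/root");` so the file stays uniform and checkpatch-clean. The return value of sys_chdir is still ignored on the new side, as it was before the patch, so a failed chdir silently leaves ROOT_DEV derived from the wrong cwd. do_mount_root's body continues past the hunk.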
61562 @@ -383,18 +383,18 @@ void __init change_floppy(char *fmt, ...
61563         va_start(args, fmt);
61564         vsprintf(buf, fmt, args);
61565         va_end(args);
61566 -       fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
61567 +       fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
61568         if (fd >= 0) {
61569                 sys_ioctl(fd, FDEJECT, 0);
61570                 sys_close(fd);
61571         }
61572         printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
61573 -       fd = sys_open("/dev/console", O_RDWR, 0);
61574 +       fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
61575         if (fd >= 0) {
61576                 sys_ioctl(fd, TCGETS, (long)&termios);
61577                 termios.c_lflag &= ~ICANON;
61578                 sys_ioctl(fd, TCSETSF, (long)&termios);
61579 -               sys_read(fd, &c, 1);
61580 +               sys_read(fd, (char __user *)&c, 1);
61581                 termios.c_lflag |= ICANON;
61582                 sys_ioctl(fd, TCSETSF, (long)&termios);
61583                 sys_close(fd);
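Review bot: The casts added at `sys_open((char __user *)"/dev/root", ...)` and `sys_read(fd, (char __user *)&c, 1)` carry no `__force`, while the `/dev/console` open two lines later uses `(__force const char __user *)` and the rest of this file uses `__force_user`; without `__force`, sparse presumably still reports the address-space change on these kernel pointers, so those two lines do not get the silence the others do. Use one spelling throughout: `fd = sys_open((const char __force_user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (char __force_user *)&c, 1);`. The first of these also drops the `const` that the string literal has. change_floppy's body continues past the hunk.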
61584 @@ -488,6 +488,6 @@ void __init prepare_namespace(void)
61585         mount_root();
61586  out:
61587         devtmpfs_mount("dev");
61588 -       sys_mount(".", "/", NULL, MS_MOVE, NULL);
61589 -       sys_chroot((const char __user __force *)".");
61590 +       sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
61591 +       sys_chroot((const char __force_user *)".");
61592  }
61593 diff -urNp linux-3.1.1/init/do_mounts.h linux-3.1.1/init/do_mounts.h
61594 --- linux-3.1.1/init/do_mounts.h        2011-11-11 15:19:27.000000000 -0500
61595 +++ linux-3.1.1/init/do_mounts.h        2011-11-16 18:39:08.000000000 -0500
61596 @@ -15,15 +15,15 @@ extern int root_mountflags;
61597  
61598  static inline int create_dev(char *name, dev_t dev)
61599  {
61600 -       sys_unlink(name);
61601 -       return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
61602 +       sys_unlink((char __force_user *)name);
61603 +       return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
61604  }
61605  
61606  #if BITS_PER_LONG == 32
61607  static inline u32 bstat(char *name)
61608  {
61609         struct stat64 stat;
61610 -       if (sys_stat64(name, &stat) != 0)
61611 +       if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
61612                 return 0;
61613         if (!S_ISBLK(stat.st_mode))
61614                 return 0;
61615 @@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
61616  static inline u32 bstat(char *name)
61617  {
61618         struct stat stat;
61619 -       if (sys_newstat(name, &stat) != 0)
61620 +       if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
61621                 return 0;
61622         if (!S_ISBLK(stat.st_mode))
61623                 return 0;
61624 diff -urNp linux-3.1.1/init/do_mounts_initrd.c linux-3.1.1/init/do_mounts_initrd.c
61625 --- linux-3.1.1/init/do_mounts_initrd.c 2011-11-11 15:19:27.000000000 -0500
61626 +++ linux-3.1.1/init/do_mounts_initrd.c 2011-11-16 18:39:08.000000000 -0500
61627 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
61628         create_dev("/dev/root.old", Root_RAM0);
61629         /* mount initrd on rootfs' /root */
61630         mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
61631 -       sys_mkdir("/old", 0700);
61632 -       root_fd = sys_open("/", 0, 0);
61633 -       old_fd = sys_open("/old", 0, 0);
61634 +       sys_mkdir((const char __force_user *)"/old", 0700);
61635 +       root_fd = sys_open((const char __force_user *)"/", 0, 0);
61636 +       old_fd = sys_open((const char __force_user *)"/old", 0, 0);
61637         /* move initrd over / and chdir/chroot in initrd root */
61638 -       sys_chdir("/root");
61639 -       sys_mount(".", "/", NULL, MS_MOVE, NULL);
61640 -       sys_chroot(".");
61641 +       sys_chdir((const char __force_user *)"/root");
61642 +       sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
61643 +       sys_chroot((const char __force_user *)".");
61644  
61645         /*
61646          * In case that a resume from disk is carried out by linuxrc or one of
61647 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
61648  
61649         /* move initrd to rootfs' /old */
61650         sys_fchdir(old_fd);
61651 -       sys_mount("/", ".", NULL, MS_MOVE, NULL);
61652 +       sys_mount((char __force_user *)"/", (char __force_user *)".", NULL, MS_MOVE, NULL);
61653         /* switch root and cwd back to / of rootfs */
61654         sys_fchdir(root_fd);
61655 -       sys_chroot(".");
61656 +       sys_chroot((const char __force_user *)".");
61657         sys_close(old_fd);
61658         sys_close(root_fd);
61659  
61660         if (new_decode_dev(real_root_dev) == Root_RAM0) {
61661 -               sys_chdir("/old");
61662 +               sys_chdir((const char __force_user *)"/old");
61663                 return;
61664         }
61665  
61666 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
61667         mount_root();
61668  
61669         printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
61670 -       error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
61671 +       error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
61672         if (!error)
61673                 printk("okay\n");
61674         else {
61675 -               int fd = sys_open("/dev/root.old", O_RDWR, 0);
61676 +               int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
61677                 if (error == -ENOENT)
61678                         printk("/initrd does not exist. Ignored.\n");
61679                 else
61680                         printk("failed\n");
61681                 printk(KERN_NOTICE "Unmounting old root\n");
61682 -               sys_umount("/old", MNT_DETACH);
61683 +               sys_umount((char __force_user *)"/old", MNT_DETACH);
61684                 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
61685                 if (fd < 0) {
61686                         error = fd;
61687 @@ -116,11 +116,11 @@ int __init initrd_load(void)
61688                  * mounted in the normal path.
61689                  */
61690                 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
61691 -                       sys_unlink("/initrd.image");
61692 +                       sys_unlink((const char __force_user *)"/initrd.image");
61693                         handle_initrd();
61694                         return 1;
61695                 }
61696         }
61697 -       sys_unlink("/initrd.image");
61698 +       sys_unlink((const char __force_user *)"/initrd.image");
61699         return 0;
61700  }
61701 diff -urNp linux-3.1.1/init/do_mounts_md.c linux-3.1.1/init/do_mounts_md.c
61702 --- linux-3.1.1/init/do_mounts_md.c     2011-11-11 15:19:27.000000000 -0500
61703 +++ linux-3.1.1/init/do_mounts_md.c     2011-11-16 18:39:08.000000000 -0500
61704 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
61705                         partitioned ? "_d" : "", minor,
61706                         md_setup_args[ent].device_names);
61707  
61708 -               fd = sys_open(name, 0, 0);
61709 +               fd = sys_open((char __force_user *)name, 0, 0);
61710                 if (fd < 0) {
61711                         printk(KERN_ERR "md: open failed - cannot start "
61712                                         "array %s\n", name);
61713 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
61714                          * array without it
61715                          */
61716                         sys_close(fd);
61717 -                       fd = sys_open(name, 0, 0);
61718 +                       fd = sys_open((char __force_user *)name, 0, 0);
61719                         sys_ioctl(fd, BLKRRPART, 0);
61720                 }
61721                 sys_close(fd);
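Review bot: The reopened descriptor from `fd = sys_open((char __force_user *)name, 0, 0);` is passed straight to `sys_ioctl(fd, BLKRRPART, 0)` without a negative-return check, unlike the first open in this function (previous hunk) which tests `fd < 0`. This predates the patch, but since the line is being touched the guard costs one line: `if (fd >= 0) sys_ioctl(fd, BLKRRPART, 0);` — the following `sys_close(fd)` tolerates a negative fd, so it can stay. md_setup_drive starts and ends outside the hunk.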
61722 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
61723  
61724         wait_for_device_probe();
61725  
61726 -       fd = sys_open((const char __user __force *) "/dev/md0", 0, 0);
61727 +       fd = sys_open((const char __force_user *) "/dev/md0", 0, 0);
61728         if (fd >= 0) {
61729                 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
61730                 sys_close(fd);
61731 diff -urNp linux-3.1.1/init/initramfs.c linux-3.1.1/init/initramfs.c
61732 --- linux-3.1.1/init/initramfs.c        2011-11-11 15:19:27.000000000 -0500
61733 +++ linux-3.1.1/init/initramfs.c        2011-11-16 18:39:08.000000000 -0500
61734 @@ -74,7 +74,7 @@ static void __init free_hash(void)
61735         }
61736  }
61737  
61738 -static long __init do_utime(char __user *filename, time_t mtime)
61739 +static long __init do_utime(__force char __user *filename, time_t mtime)
61740  {
61741         struct timespec t[2];
61742  
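Review bot: The `__force` placed on the parameter declaration `do_utime(__force char __user *filename, time_t mtime)` is unusual: `__force` is a sparse cast annotation, and on a declaration it presumably has no effect (confirm with the sparse version in use), while every caller in the following hunks already casts with `(char __force_user *)`. Either keep the prototype as `static long __init do_utime(char __user *filename, time_t mtime)` and rely on the callers' casts, or add a one-line comment explaining what the attribute is meant to suppress here. do_utime's body continues past the hunk.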
61743 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
61744         struct dir_entry *de, *tmp;
61745         list_for_each_entry_safe(de, tmp, &dir_list, list) {
61746                 list_del(&de->list);
61747 -               do_utime(de->name, de->mtime);
61748 +               do_utime((char __force_user *)de->name, de->mtime);
61749                 kfree(de->name);
61750                 kfree(de);
61751         }
61752 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
61753         if (nlink >= 2) {
61754                 char *old = find_link(major, minor, ino, mode, collected);
61755                 if (old)
61756 -                       return (sys_link(old, collected) < 0) ? -1 : 1;
61757 +                       return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
61758         }
61759         return 0;
61760  }
61761 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
61762  {
61763         struct stat st;
61764  
61765 -       if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
61766 +       if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
61767                 if (S_ISDIR(st.st_mode))
61768 -                       sys_rmdir(path);
61769 +                       sys_rmdir((char __force_user *)path);
61770                 else
61771 -                       sys_unlink(path);
61772 +                       sys_unlink((char __force_user *)path);
61773         }
61774  }
61775  
61776 @@ -305,7 +305,7 @@ static int __init do_name(void)
61777                         int openflags = O_WRONLY|O_CREAT;
61778                         if (ml != 1)
61779                                 openflags |= O_TRUNC;
61780 -                       wfd = sys_open(collected, openflags, mode);
61781 +                       wfd = sys_open((char __force_user *)collected, openflags, mode);
61782  
61783                         if (wfd >= 0) {
61784                                 sys_fchown(wfd, uid, gid);
61785 @@ -317,17 +317,17 @@ static int __init do_name(void)
61786                         }
61787                 }
61788         } else if (S_ISDIR(mode)) {
61789 -               sys_mkdir(collected, mode);
61790 -               sys_chown(collected, uid, gid);
61791 -               sys_chmod(collected, mode);
61792 +               sys_mkdir((char __force_user *)collected, mode);
61793 +               sys_chown((char __force_user *)collected, uid, gid);
61794 +               sys_chmod((char __force_user *)collected, mode);
61795                 dir_add(collected, mtime);
61796         } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
61797                    S_ISFIFO(mode) || S_ISSOCK(mode)) {
61798                 if (maybe_link() == 0) {
61799 -                       sys_mknod(collected, mode, rdev);
61800 -                       sys_chown(collected, uid, gid);
61801 -                       sys_chmod(collected, mode);
61802 -                       do_utime(collected, mtime);
61803 +                       sys_mknod((char __force_user *)collected, mode, rdev);
61804 +                       sys_chown((char __force_user *)collected, uid, gid);
61805 +                       sys_chmod((char __force_user *)collected, mode);
61806 +                       do_utime((char __force_user *)collected, mtime);
61807                 }
61808         }
61809         return 0;
61810 @@ -336,15 +336,15 @@ static int __init do_name(void)
61811  static int __init do_copy(void)
61812  {
61813         if (count >= body_len) {
61814 -               sys_write(wfd, victim, body_len);
61815 +               sys_write(wfd, (char __force_user *)victim, body_len);
61816                 sys_close(wfd);
61817 -               do_utime(vcollected, mtime);
61818 +               do_utime((char __force_user *)vcollected, mtime);
61819                 kfree(vcollected);
61820                 eat(body_len);
61821                 state = SkipIt;
61822                 return 0;
61823         } else {
61824 -               sys_write(wfd, victim, count);
61825 +               sys_write(wfd, (char __force_user *)victim, count);
61826                 body_len -= count;
61827                 eat(count);
61828                 return 1;
61829 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
61830  {
61831         collected[N_ALIGN(name_len) + body_len] = '\0';
61832         clean_path(collected, 0);
61833 -       sys_symlink(collected + N_ALIGN(name_len), collected);
61834 -       sys_lchown(collected, uid, gid);
61835 -       do_utime(collected, mtime);
61836 +       sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
61837 +       sys_lchown((char __force_user *)collected, uid, gid);
61838 +       do_utime((char __force_user *)collected, mtime);
61839         state = SkipIt;
61840         next_state = Reset;
61841         return 0;
61842 diff -urNp linux-3.1.1/init/Kconfig linux-3.1.1/init/Kconfig
61843 --- linux-3.1.1/init/Kconfig    2011-11-11 15:19:27.000000000 -0500
61844 +++ linux-3.1.1/init/Kconfig    2011-11-16 18:39:08.000000000 -0500
61845 @@ -1202,7 +1202,7 @@ config SLUB_DEBUG
61846  
61847  config COMPAT_BRK
61848         bool "Disable heap randomization"
61849 -       default y
61850 +       default n
61851         help
61852           Randomizing heap placement makes heap exploits harder, but it
61853           also breaks ancient binaries (including anything libc5 based).
61854 diff -urNp linux-3.1.1/init/main.c linux-3.1.1/init/main.c
61855 --- linux-3.1.1/init/main.c     2011-11-11 15:19:27.000000000 -0500
61856 +++ linux-3.1.1/init/main.c     2011-11-16 18:40:44.000000000 -0500
61857 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) 
61858  extern void tc_init(void);
61859  #endif
61860  
61861 +extern void grsecurity_init(void);
61862 +
61863  /*
61864   * Debug helper: via this flag we know that we are in 'early bootup code'
61865   * where only the boot processor is running with IRQ disabled.  This means
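Review bot: The prototype `extern void grsecurity_init(void);` is declared inline in init/main.c rather than in a header, which checkpatch flags because a later mismatch with the definition is not caught by the compiler. If a grsecurity header is already included by main.c (not visible in this hunk), the declaration belongs next to the other grsecurity prototypes there; otherwise include the header that declares it. The surrounding `#ifdef` run starts before the hunk.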
61866 @@ -149,6 +151,49 @@ static int __init set_reset_devices(char
61867  
61868  __setup("reset_devices", set_reset_devices);
61869  
61870 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
61871 +extern char pax_enter_kernel_user[];
61872 +extern char pax_exit_kernel_user[];
61873 +extern pgdval_t clone_pgd_mask;
61874 +#endif
61875 +
61876 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
61877 +static int __init setup_pax_nouderef(char *str)
61878 +{
61879 +#ifdef CONFIG_X86_32
61880 +       unsigned int cpu;
61881 +       struct desc_struct *gdt;
61882 +
61883 +       for (cpu = 0; cpu < NR_CPUS; cpu++) {
61884 +               gdt = get_cpu_gdt_table(cpu);
61885 +               gdt[GDT_ENTRY_KERNEL_DS].type = 3;
61886 +               gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
61887 +               gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
61888 +               gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
61889 +       }
61890 +       asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
61891 +#else
61892 +       memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
61893 +       memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
61894 +       clone_pgd_mask = ~(pgdval_t)0UL;
61895 +#endif
61896 +
61897 +       return 0;
61898 +}
61899 +early_param("pax_nouderef", setup_pax_nouderef);
61900 +#endif
61901 +
61902 +#ifdef CONFIG_PAX_SOFTMODE
61903 +int pax_softmode;
61904 +
61905 +static int __init setup_pax_softmode(char *str)
61906 +{
61907 +       get_option(&str, &pax_softmode);
61908 +       return 1;
61909 +}
61910 +__setup("pax_softmode=", setup_pax_softmode);
61911 +#endif
61912 +
61913  static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
61914  const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
61915  static const char *panic_later, *panic_param;
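Review bot: `setup_pax_softmode` stores whatever integer `get_option()` parses into `pax_softmode` with no range check, and `setup_pax_nouderef` never looks at its `str` argument, so `pax_softmode=42` and `pax_nouderef=anything` are both accepted silently. If only 0/1 are meaningful for softmode (presumably — the consumers are not visible here), normalise it with `pax_softmode = !!pax_softmode;` after the `get_option` call, or return 0 from the handler for out-of-range values so the option is treated as unhandled. Both are boot-time switches that weaken PaX, so a one-line comment above each stating exactly what it disables would help anyone auditing a boot command line, e.g. `/* pax_nouderef: turn UDEREF into a no-op (32-bit: flat kernel segments; 64-bit: patch the user/kernel entry stubs to plain ret) */`. The two handlers also follow different registration APIs (`early_param` returns 0 on success, `__setup` returns 1), which is correct but worth a comment since they sit side by side.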
61916 @@ -678,6 +723,7 @@ int __init_or_module do_one_initcall(ini
61917  {
61918         int count = preempt_count();
61919         int ret;
61920 +       const char *msg1 = "", *msg2 = "";
61921  
61922         if (initcall_debug)
61923                 ret = do_one_initcall_debug(fn);
61924 @@ -690,15 +736,15 @@ int __init_or_module do_one_initcall(ini
61925                 sprintf(msgbuf, "error code %d ", ret);
61926  
61927         if (preempt_count() != count) {
61928 -               strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
61929 +               msg1 = " preemption imbalance";
61930                 preempt_count() = count;
61931         }
61932         if (irqs_disabled()) {
61933 -               strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
61934 +               msg2 = " disabled interrupts";
61935                 local_irq_enable();
61936         }
61937 -       if (msgbuf[0]) {
61938 -               printk("initcall %pF returned with %s\n", fn, msgbuf);
61939 +       if (msgbuf[0] || *msg1 || *msg2) {
61940 +               printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
61941         }
61942  
61943         return ret;
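Review bot: The rebuilt message prints a double space whenever an error code is present, because the context line `sprintf(msgbuf, "error code %d ", ret);` keeps its trailing space while the new `msg1`/`msg2` strings each begin with one, giving `error code -5  preemption imbalance`. Drop the trailing space from the format, `sprintf(msgbuf, "error code %d", ret);`, so the leading spaces on `msg1`/`msg2` do the separating in every combination. The motivation for replacing `strlcat` into the static `msgbuf` with fixed string pointers is presumably the size-overflow/stack instrumentation elsewhere in this patch; a short comment recording that would stop a later cleanup from reverting it. `msgbuf` is declared outside the hunk.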
61944 @@ -817,7 +863,7 @@ static int __init kernel_init(void * unu
61945         do_basic_setup();
61946  
61947         /* Open the /dev/console on the rootfs, this should never fail */
61948 -       if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
61949 +       if (sys_open((const char __force_user *) "/dev/console", O_RDWR, 0) < 0)
61950                 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
61951  
61952         (void) sys_dup(0);
61953 @@ -830,11 +876,13 @@ static int __init kernel_init(void * unu
61954         if (!ramdisk_execute_command)
61955                 ramdisk_execute_command = "/init";
61956  
61957 -       if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
61958 +       if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
61959                 ramdisk_execute_command = NULL;
61960                 prepare_namespace();
61961         }
61962  
61963 +       grsecurity_init();
61964 +
61965         /*
61966          * Ok, we have completed the initial bootup, and
61967          * we're essentially up and running. Get rid of the
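Review bot: The new `grsecurity_init();` call sits between `prepare_namespace()` and the hand-off to init with no comment on why this point was chosen, so a reader cannot tell whether it depends on the root filesystem being mounted, on the console being open, or only on running before the first userspace exec. Add a one-line comment stating the actual dependency, e.g. `/* must run after the root fs is in place and before any userspace executes */` — the first half is an assumption to confirm against grsecurity_init's implementation, which is not visible here. kernel_init's body continues past the hunk.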
61968 diff -urNp linux-3.1.1/ipc/mqueue.c linux-3.1.1/ipc/mqueue.c
61969 --- linux-3.1.1/ipc/mqueue.c    2011-11-11 15:19:27.000000000 -0500
61970 +++ linux-3.1.1/ipc/mqueue.c    2011-11-16 18:40:44.000000000 -0500
61971 @@ -156,6 +156,7 @@ static struct inode *mqueue_get_inode(st
61972                 mq_bytes = (mq_msg_tblsz +
61973                         (info->attr.mq_maxmsg * info->attr.mq_msgsize));
61974  
61975 +               gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
61976                 spin_lock(&mq_lock);
61977                 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
61978                     u->mq_bytes + mq_bytes > task_rlimit(p, RLIMIT_MSGQUEUE)) {
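Review bot: The new `gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);` reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken, while the rlimit check on the next lines reads the same field under the lock, so the learning hook can observe a value that differs from the one the check acts on when another task is creating or destroying queues concurrently. If learning mode only needs an approximate high-water mark that is fine, but say so: `/* unlocked read: learning only needs an approximate total */`. Otherwise move the call below the `spin_lock`, which is only an option if gr_learn_resource is safe to call with a spinlock held (not visible here). mqueue_get_inode starts and ends outside the hunk.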
61979 diff -urNp linux-3.1.1/ipc/msg.c linux-3.1.1/ipc/msg.c
61980 --- linux-3.1.1/ipc/msg.c       2011-11-11 15:19:27.000000000 -0500
61981 +++ linux-3.1.1/ipc/msg.c       2011-11-16 18:39:08.000000000 -0500
61982 @@ -309,18 +309,19 @@ static inline int msg_security(struct ke
61983         return security_msg_queue_associate(msq, msgflg);
61984  }
61985  
61986 +static struct ipc_ops msg_ops = {
61987 +       .getnew         = newque,
61988 +       .associate      = msg_security,
61989 +       .more_checks    = NULL
61990 +};
61991 +
61992  SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
61993  {
61994         struct ipc_namespace *ns;
61995 -       struct ipc_ops msg_ops;
61996         struct ipc_params msg_params;
61997  
61998         ns = current->nsproxy->ipc_ns;
61999  
62000 -       msg_ops.getnew = newque;
62001 -       msg_ops.associate = msg_security;
62002 -       msg_ops.more_checks = NULL;
62003 -
62004         msg_params.key = key;
62005         msg_params.flg = msgflg;
62006  
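Review bot: Moving `msg_ops` from the stack to a file-scope `static struct ipc_ops` leaves a writable table of three function pointers in .data; given this patch series exists to harden exactly such tables, it should be `static const struct ipc_ops msg_ops = {` unless `ipcget()` still takes a non-const `struct ipc_ops *` (not visible here — if so, constifying that parameter in ipc/util.c is the companion change). The same applies to the identical `sem_ops` and `shm_ops` conversions in the following hunks. The explicit `.more_checks = NULL` is redundant for a static object but harmless and arguably clearer.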
62007 diff -urNp linux-3.1.1/ipc/sem.c linux-3.1.1/ipc/sem.c
62008 --- linux-3.1.1/ipc/sem.c       2011-11-11 15:19:27.000000000 -0500
62009 +++ linux-3.1.1/ipc/sem.c       2011-11-16 18:40:44.000000000 -0500
62010 @@ -318,10 +318,15 @@ static inline int sem_more_checks(struct
62011         return 0;
62012  }
62013  
62014 +static struct ipc_ops sem_ops = {
62015 +       .getnew         = newary,
62016 +       .associate      = sem_security,
62017 +       .more_checks    = sem_more_checks
62018 +};
62019 +
62020  SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
62021  {
62022         struct ipc_namespace *ns;
62023 -       struct ipc_ops sem_ops;
62024         struct ipc_params sem_params;
62025  
62026         ns = current->nsproxy->ipc_ns;
62027 @@ -329,10 +334,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
62028         if (nsems < 0 || nsems > ns->sc_semmsl)
62029                 return -EINVAL;
62030  
62031 -       sem_ops.getnew = newary;
62032 -       sem_ops.associate = sem_security;
62033 -       sem_ops.more_checks = sem_more_checks;
62034 -
62035         sem_params.key = key;
62036         sem_params.flg = semflg;
62037         sem_params.u.nsems = nsems;
62038 @@ -848,6 +849,8 @@ static int semctl_main(struct ipc_namesp
62039         int nsems;
62040         struct list_head tasks;
62041  
62042 +       pax_track_stack();
62043 +
62044         sma = sem_lock_check(ns, semid);
62045         if (IS_ERR(sma))
62046                 return PTR_ERR(sma);
62047 @@ -1295,6 +1298,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid, 
62048         struct ipc_namespace *ns;
62049         struct list_head tasks;
62050  
62051 +       pax_track_stack();
62052 +
62053         ns = current->nsproxy->ipc_ns;
62054  
62055         if (nsops < 1 || semid < 0)
62056 diff -urNp linux-3.1.1/ipc/shm.c linux-3.1.1/ipc/shm.c
62057 --- linux-3.1.1/ipc/shm.c       2011-11-11 15:19:27.000000000 -0500
62058 +++ linux-3.1.1/ipc/shm.c       2011-11-16 18:40:44.000000000 -0500
62059 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
62060  static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
62061  #endif
62062  
62063 +#ifdef CONFIG_GRKERNSEC
62064 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
62065 +                          const time_t shm_createtime, const uid_t cuid,
62066 +                          const int shmid);
62067 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
62068 +                          const time_t shm_createtime);
62069 +#endif
62070 +
62071  void shm_init_ns(struct ipc_namespace *ns)
62072  {
62073         ns->shm_ctlmax = SHMMAX;
62074 @@ -508,6 +516,14 @@ static int newseg(struct ipc_namespace *
62075         shp->shm_lprid = 0;
62076         shp->shm_atim = shp->shm_dtim = 0;
62077         shp->shm_ctim = get_seconds();
62078 +#ifdef CONFIG_GRKERNSEC
62079 +       {
62080 +               struct timespec timeval;
62081 +               do_posix_clock_monotonic_gettime(&timeval);
62082 +
62083 +               shp->shm_createtime = timeval.tv_sec;
62084 +       }
62085 +#endif
62086         shp->shm_segsz = size;
62087         shp->shm_nattch = 0;
62088         shp->shm_file = file;
62089 @@ -559,18 +575,19 @@ static inline int shm_more_checks(struct
62090         return 0;
62091  }
62092  
62093 +static struct ipc_ops shm_ops = {
62094 +       .getnew         = newseg,
62095 +       .associate      = shm_security,
62096 +       .more_checks    = shm_more_checks
62097 +};
62098 +
62099  SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
62100  {
62101         struct ipc_namespace *ns;
62102 -       struct ipc_ops shm_ops;
62103         struct ipc_params shm_params;
62104  
62105         ns = current->nsproxy->ipc_ns;
62106  
62107 -       shm_ops.getnew = newseg;
62108 -       shm_ops.associate = shm_security;
62109 -       shm_ops.more_checks = shm_more_checks;
62110 -
62111         shm_params.key = key;
62112         shm_params.flg = shmflg;
62113         shm_params.u.size = size;
62114 @@ -870,8 +887,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
62115         case SHM_LOCK:
62116         case SHM_UNLOCK:
62117         {
62118 -               struct file *uninitialized_var(shm_file);
62119 -
62120                 lru_add_drain_all();  /* drain pagevecs to lru lists */
62121  
62122                 shp = shm_lock_check(ns, shmid);
62123 @@ -1004,9 +1019,21 @@ long do_shmat(int shmid, char __user *sh
62124         if (err)
62125                 goto out_unlock;
62126  
62127 +#ifdef CONFIG_GRKERNSEC
62128 +       if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
62129 +                            shp->shm_perm.cuid, shmid) ||
62130 +           !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
62131 +               err = -EACCES;
62132 +               goto out_unlock;
62133 +       }
62134 +#endif
62135 +
62136         path = shp->shm_file->f_path;
62137         path_get(&path);
62138         shp->shm_nattch++;
62139 +#ifdef CONFIG_GRKERNSEC
62140 +       shp->shm_lapid = current->pid;
62141 +#endif
62142         size = i_size_read(path.dentry->d_inode);
62143         shm_unlock(shp);
62144  
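Review bot: The new `shp->shm_lapid = current->pid;` records a raw global thread id, whereas the existing `shm_lprid`/`shm_cprid` bookkeeping in this file (outside the hunk) is, as far as I recall for 3.1, set with `task_tgid_vnr(current)` — confirm which form gr_handle_shmat()/gr_chroot_shmat() expect, since comparing a thread id against a namespace-relative tgid would make the check miss or misfire for threaded programs or inside pid namespaces. If a raw tid is intended, a comment saying so would stop the next cleanup from "fixing" it. The `-EACCES` path runs under shm_lock and exits via `out_unlock`, which is correct. do_shmat starts and ends outside the hunk.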
62145 diff -urNp linux-3.1.1/kernel/acct.c linux-3.1.1/kernel/acct.c
62146 --- linux-3.1.1/kernel/acct.c   2011-11-11 15:19:27.000000000 -0500
62147 +++ linux-3.1.1/kernel/acct.c   2011-11-16 18:39:08.000000000 -0500
62148 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
62149          */
62150         flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
62151         current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
62152 -       file->f_op->write(file, (char *)&ac,
62153 +       file->f_op->write(file, (char __force_user *)&ac,
62154                                sizeof(acct_t), &file->f_pos);
62155         current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
62156         set_fs(fs);
62157 diff -urNp linux-3.1.1/kernel/audit.c linux-3.1.1/kernel/audit.c
62158 --- linux-3.1.1/kernel/audit.c  2011-11-11 15:19:27.000000000 -0500
62159 +++ linux-3.1.1/kernel/audit.c  2011-11-16 18:39:08.000000000 -0500
62160 @@ -115,7 +115,7 @@ u32         audit_sig_sid = 0;
62161     3) suppressed due to audit_rate_limit
62162     4) suppressed due to audit_backlog_limit
62163  */
62164 -static atomic_t    audit_lost = ATOMIC_INIT(0);
62165 +static atomic_unchecked_t    audit_lost = ATOMIC_INIT(0);
62166  
62167  /* The netlink socket. */
62168  static struct sock *audit_sock;
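Review bot: Switching `audit_lost` to `atomic_unchecked_t` opts this counter out of the PaX refcount overflow protection without saying why, so anyone auditing the unchecked sites later has to re-derive that it is a wrap-tolerant statistic rather than a reference count. Add `/* statistics counter, wrap is harmless: not a refcount */` at the declaration. The value is exported to userspace via AUDIT_GET (`status_set.lost`, in a later hunk) and the printk here, so a 32-bit wrap shows up to the admin as a reset count — unchanged from before the patch, just worth stating.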
62169 @@ -237,7 +237,7 @@ void audit_log_lost(const char *message)
62170         unsigned long           now;
62171         int                     print;
62172  
62173 -       atomic_inc(&audit_lost);
62174 +       atomic_inc_unchecked(&audit_lost);
62175  
62176         print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
62177  
62178 @@ -256,7 +256,7 @@ void audit_log_lost(const char *message)
62179                         printk(KERN_WARNING
62180                                 "audit: audit_lost=%d audit_rate_limit=%d "
62181                                 "audit_backlog_limit=%d\n",
62182 -                               atomic_read(&audit_lost),
62183 +                               atomic_read_unchecked(&audit_lost),
62184                                 audit_rate_limit,
62185                                 audit_backlog_limit);
62186                 audit_panic(message);
62187 @@ -689,7 +689,7 @@ static int audit_receive_msg(struct sk_b
62188                 status_set.pid           = audit_pid;
62189                 status_set.rate_limit    = audit_rate_limit;
62190                 status_set.backlog_limit = audit_backlog_limit;
62191 -               status_set.lost          = atomic_read(&audit_lost);
62192 +               status_set.lost          = atomic_read_unchecked(&audit_lost);
62193                 status_set.backlog       = skb_queue_len(&audit_skb_queue);
62194                 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
62195                                  &status_set, sizeof(status_set));
62196 diff -urNp linux-3.1.1/kernel/auditsc.c linux-3.1.1/kernel/auditsc.c
62197 --- linux-3.1.1/kernel/auditsc.c        2011-11-11 15:19:27.000000000 -0500
62198 +++ linux-3.1.1/kernel/auditsc.c        2011-11-16 18:39:08.000000000 -0500
62199 @@ -2118,7 +2118,7 @@ int auditsc_get_stamp(struct audit_conte
62200  }
62201  
62202  /* global counter which is incremented every time something logs in */
62203 -static atomic_t session_id = ATOMIC_INIT(0);
62204 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
62205  
62206  /**
62207   * audit_set_loginuid - set a task's audit_context loginuid
62208 @@ -2131,7 +2131,7 @@ static atomic_t session_id = ATOMIC_INIT
62209   */
62210  int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
62211  {
62212 -       unsigned int sessionid = atomic_inc_return(&session_id);
62213 +       unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
62214         struct audit_context *context = task->audit_context;
62215  
62216         if (context && context->in_syscall) {
62217 diff -urNp linux-3.1.1/kernel/capability.c linux-3.1.1/kernel/capability.c
62218 --- linux-3.1.1/kernel/capability.c     2011-11-11 15:19:27.000000000 -0500
62219 +++ linux-3.1.1/kernel/capability.c     2011-11-16 18:40:44.000000000 -0500
62220 @@ -202,6 +202,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
62221                  * before modification is attempted and the application
62222                  * fails.
62223                  */
62224 +               if (tocopy > ARRAY_SIZE(kdata))
62225 +                       return -EFAULT;
62226 +
62227                 if (copy_to_user(dataptr, kdata, tocopy
62228                                  * sizeof(struct __user_cap_data_struct))) {
62229                         return -EFAULT;
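Review bot: The new bound check returns -EFAULT, which tells userspace its pointer was bad, while the condition `tocopy > ARRAY_SIZE(kdata)` can only fail if the kernel-side version-to-count mapping (set earlier in capget, outside this hunk) is wrong. A kernel invariant violation is better reported as `if (WARN_ON(tocopy > ARRAY_SIZE(kdata))) return -EINVAL;` so the cause shows up in the log and callers are not misled into retrying with another buffer. The enclosing capget body starts and ends outside the hunk, so this presumes tocopy is not user-controlled at this point; if it is, the check is still correct but -EINVAL remains the better code.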
62230 @@ -374,7 +377,7 @@ bool ns_capable(struct user_namespace *n
62231                 BUG();
62232         }
62233  
62234 -       if (security_capable(ns, current_cred(), cap) == 0) {
62235 +       if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable(cap)) {
62236                 current->flags |= PF_SUPERPRIV;
62237                 return true;
62238         }
62239 @@ -382,6 +385,27 @@ bool ns_capable(struct user_namespace *n
62240  }
62241  EXPORT_SYMBOL(ns_capable);
62242  
62243 +bool ns_capable_nolog(struct user_namespace *ns, int cap)
62244 +{
62245 +       if (unlikely(!cap_valid(cap))) {
62246 +               printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
62247 +               BUG();
62248 +       }
62249 +
62250 +       if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
62251 +               current->flags |= PF_SUPERPRIV;
62252 +               return true;
62253 +       }
62254 +       return false;
62255 +}
62256 +EXPORT_SYMBOL(ns_capable_nolog);
62257 +
62258 +bool capable_nolog(int cap)
62259 +{
62260 +       return ns_capable_nolog(&init_user_ns, cap);
62261 +}
62262 +EXPORT_SYMBOL(capable_nolog);
62263 +
62264  /**
62265   * task_ns_capable - Determine whether current task has a superior
62266   * capability targeted at a specific task's user namespace.
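Review bot: The BUG path in ns_capable_nolog reuses the message `"capable() called with invalid cap=%u\n"` copied from ns_capable, so a crash report will point at the wrong entry point; change it to `printk(KERN_CRIT "ns_capable_nolog() called with invalid cap=%u\n", cap);`. Both new exported symbols here, and task_ns_capable_nolog in the next hunk (ending at L62279), lack the kernel-doc block that the neighbouring ns_capable/task_ns_capable carry; a comment stating that the only difference from ns_capable is that a denial by the gr_is_capable_nolog hook is not audited would document the contract. The body otherwise duplicates ns_capable line for line except for the hook call, which is worth factoring into one static helper taking the hook result rather than maintaining two copies of the cap_valid/BUG/PF_SUPERPRIV sequence.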
62267 @@ -396,6 +420,12 @@ bool task_ns_capable(struct task_struct 
62268  }
62269  EXPORT_SYMBOL(task_ns_capable);
62270  
62271 +bool task_ns_capable_nolog(struct task_struct *t, int cap)
62272 +{
62273 +       return ns_capable_nolog(task_cred_xxx(t, user)->user_ns, cap);
62274 +}
62275 +EXPORT_SYMBOL(task_ns_capable_nolog);
62276 +
62277  /**
62278   * nsown_capable - Check superior capability to one's own user_ns
62279   * @cap: The capability in question
62280 diff -urNp linux-3.1.1/kernel/cgroup.c linux-3.1.1/kernel/cgroup.c
62281 --- linux-3.1.1/kernel/cgroup.c 2011-11-11 15:19:27.000000000 -0500
62282 +++ linux-3.1.1/kernel/cgroup.c 2011-11-16 18:40:44.000000000 -0500
62283 @@ -595,6 +595,8 @@ static struct css_set *find_css_set(
62284         struct hlist_head *hhead;
62285         struct cg_cgroup_link *link;
62286  
62287 +       pax_track_stack();
62288 +
62289         /* First see if we already have a cgroup group that matches
62290          * the desired set */
62291         read_lock(&css_set_lock);
62292 diff -urNp linux-3.1.1/kernel/compat.c linux-3.1.1/kernel/compat.c
62293 --- linux-3.1.1/kernel/compat.c 2011-11-11 15:19:27.000000000 -0500
62294 +++ linux-3.1.1/kernel/compat.c 2011-11-16 18:40:44.000000000 -0500
62295 @@ -13,6 +13,7 @@
62296  
62297  #include <linux/linkage.h>
62298  #include <linux/compat.h>
62299 +#include <linux/module.h>
62300  #include <linux/errno.h>
62301  #include <linux/time.h>
62302  #include <linux/signal.h>
62303 @@ -167,7 +168,7 @@ static long compat_nanosleep_restart(str
62304         mm_segment_t oldfs;
62305         long ret;
62306  
62307 -       restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
62308 +       restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
62309         oldfs = get_fs();
62310         set_fs(KERNEL_DS);
62311         ret = hrtimer_nanosleep_restart(restart);
62312 @@ -199,7 +200,7 @@ asmlinkage long compat_sys_nanosleep(str
62313         oldfs = get_fs();
62314         set_fs(KERNEL_DS);
62315         ret = hrtimer_nanosleep(&tu,
62316 -                               rmtp ? (struct timespec __user *)&rmt : NULL,
62317 +                               rmtp ? (struct timespec __force_user *)&rmt : NULL,
62318                                 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
62319         set_fs(oldfs);
62320  
62321 @@ -308,7 +309,7 @@ asmlinkage long compat_sys_sigpending(co
62322         mm_segment_t old_fs = get_fs();
62323  
62324         set_fs(KERNEL_DS);
62325 -       ret = sys_sigpending((old_sigset_t __user *) &s);
62326 +       ret = sys_sigpending((old_sigset_t __force_user *) &s);
62327         set_fs(old_fs);
62328         if (ret == 0)
62329                 ret = put_user(s, set);
62330 @@ -331,8 +332,8 @@ asmlinkage long compat_sys_sigprocmask(i
62331         old_fs = get_fs();
62332         set_fs(KERNEL_DS);
62333         ret = sys_sigprocmask(how,
62334 -                             set ? (old_sigset_t __user *) &s : NULL,
62335 -                             oset ? (old_sigset_t __user *) &s : NULL);
62336 +                             set ? (old_sigset_t __force_user *) &s : NULL,
62337 +                             oset ? (old_sigset_t __force_user *) &s : NULL);
62338         set_fs(old_fs);
62339         if (ret == 0)
62340                 if (oset)
62341 @@ -369,7 +370,7 @@ asmlinkage long compat_sys_old_getrlimit
62342         mm_segment_t old_fs = get_fs();
62343  
62344         set_fs(KERNEL_DS);
62345 -       ret = sys_old_getrlimit(resource, &r);
62346 +       ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
62347         set_fs(old_fs);
62348  
62349         if (!ret) {
62350 @@ -441,7 +442,7 @@ asmlinkage long compat_sys_getrusage(int
62351         mm_segment_t old_fs = get_fs();
62352  
62353         set_fs(KERNEL_DS);
62354 -       ret = sys_getrusage(who, (struct rusage __user *) &r);
62355 +       ret = sys_getrusage(who, (struct rusage __force_user *) &r);
62356         set_fs(old_fs);
62357  
62358         if (ret)
62359 @@ -468,8 +469,8 @@ compat_sys_wait4(compat_pid_t pid, compa
62360                 set_fs (KERNEL_DS);
62361                 ret = sys_wait4(pid,
62362                                 (stat_addr ?
62363 -                                (unsigned int __user *) &status : NULL),
62364 -                               options, (struct rusage __user *) &r);
62365 +                                (unsigned int __force_user *) &status : NULL),
62366 +                               options, (struct rusage __force_user *) &r);
62367                 set_fs (old_fs);
62368  
62369                 if (ret > 0) {
62370 @@ -494,8 +495,8 @@ asmlinkage long compat_sys_waitid(int wh
62371         memset(&info, 0, sizeof(info));
62372  
62373         set_fs(KERNEL_DS);
62374 -       ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
62375 -                        uru ? (struct rusage __user *)&ru : NULL);
62376 +       ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
62377 +                        uru ? (struct rusage __force_user *)&ru : NULL);
62378         set_fs(old_fs);
62379  
62380         if ((ret < 0) || (info.si_signo == 0))
62381 @@ -625,8 +626,8 @@ long compat_sys_timer_settime(timer_t ti
62382         oldfs = get_fs();
62383         set_fs(KERNEL_DS);
62384         err = sys_timer_settime(timer_id, flags,
62385 -                               (struct itimerspec __user *) &newts,
62386 -                               (struct itimerspec __user *) &oldts);
62387 +                               (struct itimerspec __force_user *) &newts,
62388 +                               (struct itimerspec __force_user *) &oldts);
62389         set_fs(oldfs);
62390         if (!err && old && put_compat_itimerspec(old, &oldts))
62391                 return -EFAULT;
62392 @@ -643,7 +644,7 @@ long compat_sys_timer_gettime(timer_t ti
62393         oldfs = get_fs();
62394         set_fs(KERNEL_DS);
62395         err = sys_timer_gettime(timer_id,
62396 -                               (struct itimerspec __user *) &ts);
62397 +                               (struct itimerspec __force_user *) &ts);
62398         set_fs(oldfs);
62399         if (!err && put_compat_itimerspec(setting, &ts))
62400                 return -EFAULT;
62401 @@ -662,7 +663,7 @@ long compat_sys_clock_settime(clockid_t 
62402         oldfs = get_fs();
62403         set_fs(KERNEL_DS);
62404         err = sys_clock_settime(which_clock,
62405 -                               (struct timespec __user *) &ts);
62406 +                               (struct timespec __force_user *) &ts);
62407         set_fs(oldfs);
62408         return err;
62409  }
62410 @@ -677,7 +678,7 @@ long compat_sys_clock_gettime(clockid_t 
62411         oldfs = get_fs();
62412         set_fs(KERNEL_DS);
62413         err = sys_clock_gettime(which_clock,
62414 -                               (struct timespec __user *) &ts);
62415 +                               (struct timespec __force_user *) &ts);
62416         set_fs(oldfs);
62417         if (!err && put_compat_timespec(&ts, tp))
62418                 return -EFAULT;
62419 @@ -697,7 +698,7 @@ long compat_sys_clock_adjtime(clockid_t 
62420  
62421         oldfs = get_fs();
62422         set_fs(KERNEL_DS);
62423 -       ret = sys_clock_adjtime(which_clock, (struct timex __user *) &txc);
62424 +       ret = sys_clock_adjtime(which_clock, (struct timex __force_user *) &txc);
62425         set_fs(oldfs);
62426  
62427         err = compat_put_timex(utp, &txc);
62428 @@ -717,7 +718,7 @@ long compat_sys_clock_getres(clockid_t w
62429         oldfs = get_fs();
62430         set_fs(KERNEL_DS);
62431         err = sys_clock_getres(which_clock,
62432 -                              (struct timespec __user *) &ts);
62433 +                              (struct timespec __force_user *) &ts);
62434         set_fs(oldfs);
62435         if (!err && tp && put_compat_timespec(&ts, tp))
62436                 return -EFAULT;
62437 @@ -729,9 +730,9 @@ static long compat_clock_nanosleep_resta
62438         long err;
62439         mm_segment_t oldfs;
62440         struct timespec tu;
62441 -       struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
62442 +       struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
62443  
62444 -       restart->nanosleep.rmtp = (struct timespec __user *) &tu;
62445 +       restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
62446         oldfs = get_fs();
62447         set_fs(KERNEL_DS);
62448         err = clock_nanosleep_restart(restart);
62449 @@ -763,8 +764,8 @@ long compat_sys_clock_nanosleep(clockid_
62450         oldfs = get_fs();
62451         set_fs(KERNEL_DS);
62452         err = sys_clock_nanosleep(which_clock, flags,
62453 -                                 (struct timespec __user *) &in,
62454 -                                 (struct timespec __user *) &out);
62455 +                                 (struct timespec __force_user *) &in,
62456 +                                 (struct timespec __force_user *) &out);
62457         set_fs(oldfs);
62458  
62459         if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
62460 diff -urNp linux-3.1.1/kernel/configs.c linux-3.1.1/kernel/configs.c
62461 --- linux-3.1.1/kernel/configs.c        2011-11-11 15:19:27.000000000 -0500
62462 +++ linux-3.1.1/kernel/configs.c        2011-11-16 18:40:44.000000000 -0500
62463 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
62464         struct proc_dir_entry *entry;
62465  
62466         /* create the current config file */
62467 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
62468 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
62469 +       entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
62470 +                           &ikconfig_file_ops);
62471 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
62472 +       entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
62473 +                           &ikconfig_file_ops);
62474 +#endif
62475 +#else
62476         entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
62477                             &ikconfig_file_ops);
62478 +#endif
62479 +
62480         if (!entry)
62481                 return -ENOMEM;
62482  
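Review bot: With CONFIG_GRKERNSEC_PROC_ADD defined but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP (and CONFIG_GRKERNSEC_HIDESYM off), the inner `#if`/`#elif` selects no branch and `entry` reaches `if (!entry)` uninitialized. The Kconfig may make PROC_ADD imply one of the two sub-options, but the source should not depend on that silently; add `#else` / `#error CONFIG_GRKERNSEC_PROC_ADD requires CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP` before the inner `#endif` so the configuration fails at compile time instead. The surrounding ikconfig_init body begins before the hunk.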
62483 diff -urNp linux-3.1.1/kernel/cred.c linux-3.1.1/kernel/cred.c
62484 --- linux-3.1.1/kernel/cred.c   2011-11-11 15:19:27.000000000 -0500
62485 +++ linux-3.1.1/kernel/cred.c   2011-11-16 18:40:44.000000000 -0500
62486 @@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
62487   */
62488  void __put_cred(struct cred *cred)
62489  {
62490 +       pax_track_stack();
62491 +
62492         kdebug("__put_cred(%p{%d,%d})", cred,
62493                atomic_read(&cred->usage),
62494                read_cred_subscribers(cred));
62495 @@ -182,6 +184,8 @@ void exit_creds(struct task_struct *tsk)
62496  {
62497         struct cred *cred;
62498  
62499 +       pax_track_stack();
62500 +
62501         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
62502                atomic_read(&tsk->cred->usage),
62503                read_cred_subscribers(tsk->cred));
62504 @@ -220,6 +224,8 @@ const struct cred *get_task_cred(struct 
62505  {
62506         const struct cred *cred;
62507  
62508 +       pax_track_stack();
62509 +
62510         rcu_read_lock();
62511  
62512         do {
62513 @@ -239,6 +245,8 @@ struct cred *cred_alloc_blank(void)
62514  {
62515         struct cred *new;
62516  
62517 +       pax_track_stack();
62518 +
62519         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
62520         if (!new)
62521                 return NULL;
62522 @@ -303,6 +311,8 @@ error:
62523  
62524  struct cred *prepare_creds(void)
62525  {
62526 +       pax_track_stack();
62527 +
62528         validate_process_creds();
62529  
62530         return __prepare_creds(current->cred);
62531 @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
62532         struct thread_group_cred *tgcred = NULL;
62533         struct cred *new;
62534  
62535 +       pax_track_stack();
62536 +
62537  #ifdef CONFIG_KEYS
62538         tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
62539         if (!tgcred)
62540 @@ -385,6 +397,8 @@ int copy_creds(struct task_struct *p, un
62541         struct cred *new;
62542         int ret;
62543  
62544 +       pax_track_stack();
62545 +
62546         if (
62547  #ifdef CONFIG_KEYS
62548                 !p->cred->thread_keyring &&
62549 @@ -475,6 +489,8 @@ int commit_creds(struct cred *new)
62550         struct task_struct *task = current;
62551         const struct cred *old = task->real_cred;
62552  
62553 +       pax_track_stack();
62554 +
62555         kdebug("commit_creds(%p{%d,%d})", new,
62556                atomic_read(&new->usage),
62557                read_cred_subscribers(new));
62558 @@ -489,6 +505,8 @@ int commit_creds(struct cred *new)
62559  
62560         get_cred(new); /* we will require a ref for the subj creds too */
62561  
62562 +       gr_set_role_label(task, new->uid, new->gid);
62563 +
62564         /* dumpability changes */
62565         if (old->euid != new->euid ||
62566             old->egid != new->egid ||
62567 @@ -549,6 +567,8 @@ EXPORT_SYMBOL(commit_creds);
62568   */
62569  void abort_creds(struct cred *new)
62570  {
62571 +       pax_track_stack();
62572 +
62573         kdebug("abort_creds(%p{%d,%d})", new,
62574                atomic_read(&new->usage),
62575                read_cred_subscribers(new));
62576 @@ -572,6 +592,8 @@ const struct cred *override_creds(const 
62577  {
62578         const struct cred *old = current->cred;
62579  
62580 +       pax_track_stack();
62581 +
62582         kdebug("override_creds(%p{%d,%d})", new,
62583                atomic_read(&new->usage),
62584                read_cred_subscribers(new));
62585 @@ -601,6 +623,8 @@ void revert_creds(const struct cred *old
62586  {
62587         const struct cred *override = current->cred;
62588  
62589 +       pax_track_stack();
62590 +
62591         kdebug("revert_creds(%p{%d,%d})", old,
62592                atomic_read(&old->usage),
62593                read_cred_subscribers(old));
62594 @@ -647,6 +671,8 @@ struct cred *prepare_kernel_cred(struct 
62595         const struct cred *old;
62596         struct cred *new;
62597  
62598 +       pax_track_stack();
62599 +
62600         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
62601         if (!new)
62602                 return NULL;
62603 @@ -701,6 +727,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
62604   */
62605  int set_security_override(struct cred *new, u32 secid)
62606  {
62607 +       pax_track_stack();
62608 +
62609         return security_kernel_act_as(new, secid);
62610  }
62611  EXPORT_SYMBOL(set_security_override);
62612 @@ -720,6 +748,8 @@ int set_security_override_from_ctx(struc
62613         u32 secid;
62614         int ret;
62615  
62616 +       pax_track_stack();
62617 +
62618         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
62619         if (ret < 0)
62620                 return ret;
62621 diff -urNp linux-3.1.1/kernel/debug/debug_core.c linux-3.1.1/kernel/debug/debug_core.c
62622 --- linux-3.1.1/kernel/debug/debug_core.c       2011-11-11 15:19:27.000000000 -0500
62623 +++ linux-3.1.1/kernel/debug/debug_core.c       2011-11-16 18:39:08.000000000 -0500
62624 @@ -119,7 +119,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_loc
62625   */
62626  static atomic_t                        masters_in_kgdb;
62627  static atomic_t                        slaves_in_kgdb;
62628 -static atomic_t                        kgdb_break_tasklet_var;
62629 +static atomic_unchecked_t      kgdb_break_tasklet_var;
62630  atomic_t                       kgdb_setting_breakpoint;
62631  
62632  struct task_struct             *kgdb_usethread;
62633 @@ -129,7 +129,7 @@ int                         kgdb_single_step;
62634  static pid_t                   kgdb_sstep_pid;
62635  
62636  /* to keep track of the CPU which is doing the single stepping*/
62637 -atomic_t                       kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
62638 +atomic_unchecked_t             kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
62639  
62640  /*
62641   * If you are debugging a problem where roundup (the collection of
62642 @@ -542,7 +542,7 @@ return_normal:
62643          * kernel will only try for the value of sstep_tries before
62644          * giving up and continuing on.
62645          */
62646 -       if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
62647 +       if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
62648             (kgdb_info[cpu].task &&
62649              kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
62650                 atomic_set(&kgdb_active, -1);
62651 @@ -636,8 +636,8 @@ cpu_master_loop:
62652         }
62653  
62654  kgdb_restore:
62655 -       if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
62656 -               int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
62657 +       if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
62658 +               int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
62659                 if (kgdb_info[sstep_cpu].task)
62660                         kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
62661                 else
62662 @@ -834,18 +834,18 @@ static void kgdb_unregister_callbacks(vo
62663  static void kgdb_tasklet_bpt(unsigned long ing)
62664  {
62665         kgdb_breakpoint();
62666 -       atomic_set(&kgdb_break_tasklet_var, 0);
62667 +       atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
62668  }
62669  
62670  static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
62671  
62672  void kgdb_schedule_breakpoint(void)
62673  {
62674 -       if (atomic_read(&kgdb_break_tasklet_var) ||
62675 +       if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
62676                 atomic_read(&kgdb_active) != -1 ||
62677                 atomic_read(&kgdb_setting_breakpoint))
62678                 return;
62679 -       atomic_inc(&kgdb_break_tasklet_var);
62680 +       atomic_inc_unchecked(&kgdb_break_tasklet_var);
62681         tasklet_schedule(&kgdb_tasklet_breakpoint);
62682  }
62683  EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
62684 diff -urNp linux-3.1.1/kernel/debug/kdb/kdb_main.c linux-3.1.1/kernel/debug/kdb/kdb_main.c
62685 --- linux-3.1.1/kernel/debug/kdb/kdb_main.c     2011-11-11 15:19:27.000000000 -0500
62686 +++ linux-3.1.1/kernel/debug/kdb/kdb_main.c     2011-11-16 18:39:08.000000000 -0500
62687 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
62688         list_for_each_entry(mod, kdb_modules, list) {
62689  
62690                 kdb_printf("%-20s%8u  0x%p ", mod->name,
62691 -                          mod->core_size, (void *)mod);
62692 +                          mod->core_size_rx + mod->core_size_rw, (void *)mod);
62693  #ifdef CONFIG_MODULE_UNLOAD
62694                 kdb_printf("%4d ", module_refcount(mod));
62695  #endif
62696 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
62697                         kdb_printf(" (Loading)");
62698                 else
62699                         kdb_printf(" (Live)");
62700 -               kdb_printf(" 0x%p", mod->module_core);
62701 +               kdb_printf(" 0x%p 0x%p", mod->module_core_rx,  mod->module_core_rw);
62702  
62703  #ifdef CONFIG_MODULE_UNLOAD
62704                 {
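Review bot: The new format call has a stray double space in the argument list, `mod->module_core_rx,  mod->module_core_rw`; tidy it to a single space. Printing two addresses where the original printed one also presumably no longer lines up with the column header kdb_lsmod emits before the loop (outside this hunk), so that header should be adjusted to name both the RX and RW base addresses, and the summed `core_size_rx + core_size_rw` on the earlier hunk (ending at L62698) deserves a short comment saying the size column is the total of both regions.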
62705 diff -urNp linux-3.1.1/kernel/events/core.c linux-3.1.1/kernel/events/core.c
62706 --- linux-3.1.1/kernel/events/core.c    2011-11-11 15:19:27.000000000 -0500
62707 +++ linux-3.1.1/kernel/events/core.c    2011-11-16 18:39:08.000000000 -0500
62708 @@ -172,7 +172,7 @@ int perf_proc_update_handler(struct ctl_
62709         return 0;
62710  }
62711  
62712 -static atomic64_t perf_event_id;
62713 +static atomic64_unchecked_t perf_event_id;
62714  
62715  static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
62716                               enum event_type_t event_type);
62717 @@ -2535,7 +2535,7 @@ static void __perf_event_read(void *info
62718  
62719  static inline u64 perf_event_count(struct perf_event *event)
62720  {
62721 -       return local64_read(&event->count) + atomic64_read(&event->child_count);
62722 +       return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
62723  }
62724  
62725  static u64 perf_event_read(struct perf_event *event)
62726 @@ -3060,9 +3060,9 @@ u64 perf_event_read_value(struct perf_ev
62727         mutex_lock(&event->child_mutex);
62728         total += perf_event_read(event);
62729         *enabled += event->total_time_enabled +
62730 -                       atomic64_read(&event->child_total_time_enabled);
62731 +                       atomic64_read_unchecked(&event->child_total_time_enabled);
62732         *running += event->total_time_running +
62733 -                       atomic64_read(&event->child_total_time_running);
62734 +                       atomic64_read_unchecked(&event->child_total_time_running);
62735  
62736         list_for_each_entry(child, &event->child_list, child_list) {
62737                 total += perf_event_read(child);
62738 @@ -3448,10 +3448,10 @@ void perf_event_update_userpage(struct p
62739                 userpg->offset -= local64_read(&event->hw.prev_count);
62740  
62741         userpg->time_enabled = enabled +
62742 -                       atomic64_read(&event->child_total_time_enabled);
62743 +                       atomic64_read_unchecked(&event->child_total_time_enabled);
62744  
62745         userpg->time_running = running +
62746 -                       atomic64_read(&event->child_total_time_running);
62747 +                       atomic64_read_unchecked(&event->child_total_time_running);
62748  
62749         barrier();
62750         ++userpg->lock;
62751 @@ -3822,11 +3822,11 @@ static void perf_output_read_one(struct 
62752         values[n++] = perf_event_count(event);
62753         if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
62754                 values[n++] = enabled +
62755 -                       atomic64_read(&event->child_total_time_enabled);
62756 +                       atomic64_read_unchecked(&event->child_total_time_enabled);
62757         }
62758         if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
62759                 values[n++] = running +
62760 -                       atomic64_read(&event->child_total_time_running);
62761 +                       atomic64_read_unchecked(&event->child_total_time_running);
62762         }
62763         if (read_format & PERF_FORMAT_ID)
62764                 values[n++] = primary_event_id(event);
62765 @@ -4477,12 +4477,12 @@ static void perf_event_mmap_event(struct
62766                  * need to add enough zero bytes after the string to handle
62767                  * the 64bit alignment we do later.
62768                  */
62769 -               buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
62770 +               buf = kzalloc(PATH_MAX, GFP_KERNEL);
62771                 if (!buf) {
62772                         name = strncpy(tmp, "//enomem", sizeof(tmp));
62773                         goto got_name;
62774                 }
62775 -               name = d_path(&file->f_path, buf, PATH_MAX);
62776 +               name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
62777                 if (IS_ERR(name)) {
62778                         name = strncpy(tmp, "//toolong", sizeof(tmp));
62779                         goto got_name;
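Review bot: Shrinking the allocation to PATH_MAX and passing `PATH_MAX - sizeof(u64)` to d_path changes behaviour: a path whose length falls in the last sizeof(u64) bytes of PATH_MAX previously succeeded and now is reported as "//toolong". That trade-off (keeping the buffer at exactly PATH_MAX rather than PATH_MAX + 8) is reasonable, but the comment at the top of the hunk still describes the old scheme of over-allocating for the later 64-bit padding, so it should be rewritten to say the padding room is now carved out of the PATH_MAX buffer by capping what d_path may return, at the cost of those few bytes of maximum path length. The rest of perf_event_mmap_event is outside the hunk, so the exact alignment step the comment refers to cannot be checked here.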
62780 @@ -5833,7 +5833,7 @@ perf_event_alloc(struct perf_event_attr 
62781         event->parent           = parent_event;
62782  
62783         event->ns               = get_pid_ns(current->nsproxy->pid_ns);
62784 -       event->id               = atomic64_inc_return(&perf_event_id);
62785 +       event->id               = atomic64_inc_return_unchecked(&perf_event_id);
62786  
62787         event->state            = PERF_EVENT_STATE_INACTIVE;
62788  
62789 @@ -6355,10 +6355,10 @@ static void sync_child_event(struct perf
62790         /*
62791          * Add back the child's count to the parent's count:
62792          */
62793 -       atomic64_add(child_val, &parent_event->child_count);
62794 -       atomic64_add(child_event->total_time_enabled,
62795 +       atomic64_add_unchecked(child_val, &parent_event->child_count);
62796 +       atomic64_add_unchecked(child_event->total_time_enabled,
62797                      &parent_event->child_total_time_enabled);
62798 -       atomic64_add(child_event->total_time_running,
62799 +       atomic64_add_unchecked(child_event->total_time_running,
62800                      &parent_event->child_total_time_running);
62801  
62802         /*
62803 diff -urNp linux-3.1.1/kernel/exit.c linux-3.1.1/kernel/exit.c
62804 --- linux-3.1.1/kernel/exit.c   2011-11-11 15:19:27.000000000 -0500
62805 +++ linux-3.1.1/kernel/exit.c   2011-11-16 19:33:48.000000000 -0500
62806 @@ -57,6 +57,10 @@
62807  #include <asm/pgtable.h>
62808  #include <asm/mmu_context.h>
62809  
62810 +#ifdef CONFIG_GRKERNSEC
62811 +extern rwlock_t grsec_exec_file_lock;
62812 +#endif
62813 +
62814  static void exit_mm(struct task_struct * tsk);
62815  
62816  static void __unhash_process(struct task_struct *p, bool group_dead)
62817 @@ -168,6 +172,10 @@ void release_task(struct task_struct * p
62818         struct task_struct *leader;
62819         int zap_leader;
62820  repeat:
62821 +#ifdef CONFIG_NET
62822 +       gr_del_task_from_ip_table(p);
62823 +#endif
62824 +
62825         /* don't need to get the RCU readlock here - the process is dead and
62826          * can't be modifying its own credentials. But shut RCU-lockdep up */
62827         rcu_read_lock();
62828 @@ -324,11 +332,22 @@ static void reparent_to_kthreadd(void)
62829  {
62830         write_lock_irq(&tasklist_lock);
62831  
62832 +#ifdef CONFIG_GRKERNSEC
62833 +       write_lock(&grsec_exec_file_lock);
62834 +       if (current->exec_file) {
62835 +               fput(current->exec_file);
62836 +               current->exec_file = NULL;
62837 +       }
62838 +       write_unlock(&grsec_exec_file_lock);
62839 +#endif
62840 +
62841         ptrace_unlink(current);
62842         /* Reparent to init */
62843         current->real_parent = current->parent = kthreadd_task;
62844         list_move_tail(&current->sibling, &current->real_parent->children);
62845  
62846 +       gr_set_kernel_label(current);
62847 +
62848         /* Set the exit signal to SIGCHLD so we signal init on exit */
62849         current->exit_signal = SIGCHLD;
62850  
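Review bot: The fput(current->exec_file) here runs while write_lock_irq(&tasklist_lock) is held (the lock is taken on the first context line of the hunk) and additionally while grsec_exec_file_lock is held; in this kernel series a final fput() releases the file synchronously, and if the release path can block that is a sleep under a spinlock with interrupts off. The same block is repeated verbatim in the daemonize hunk further down (ending at L62880), so both sites would be served by one static helper that detaches the pointer under grsec_exec_file_lock and drops the reference only after both locks are released, called before tasklist_lock is taken. The helper name below is illustrative; the hunk's reparent_to_kthreadd body continues outside the hunk.
```c
#ifdef CONFIG_GRKERNSEC
/* Detach and drop the task's exec_file; the fput() happens with no lock held. */
static void gr_clear_exec_file(struct task_struct *tsk)
{
	struct file *exec_file;

	write_lock(&grsec_exec_file_lock);
	exec_file = tsk->exec_file;
	tsk->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
	if (exec_file)
		fput(exec_file);
}
#else
static inline void gr_clear_exec_file(struct task_struct *tsk) { }
#endif

static void reparent_to_kthreadd(void)
{
	gr_clear_exec_file(current);

	write_lock_irq(&tasklist_lock);

	/* … unchanged: ptrace_unlink, reparent to kthreadd, gr_set_kernel_label … */
```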
62851 @@ -380,7 +399,7 @@ int allow_signal(int sig)
62852          * know it'll be handled, so that they don't get converted to
62853          * SIGKILL or just silently dropped.
62854          */
62855 -       current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
62856 +       current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
62857         recalc_sigpending();
62858         spin_unlock_irq(&current->sighand->siglock);
62859         return 0;
62860 @@ -416,6 +435,17 @@ void daemonize(const char *name, ...)
62861         vsnprintf(current->comm, sizeof(current->comm), name, args);
62862         va_end(args);
62863  
62864 +#ifdef CONFIG_GRKERNSEC
62865 +       write_lock(&grsec_exec_file_lock);
62866 +       if (current->exec_file) {
62867 +               fput(current->exec_file);
62868 +               current->exec_file = NULL;
62869 +       }
62870 +       write_unlock(&grsec_exec_file_lock);
62871 +#endif
62872 +
62873 +       gr_set_kernel_label(current);
62874 +
62875         /*
62876          * If we were started as result of loading a module, close all of the
62877          * user space pages.  We don't need them, and if we didn't close them
62878 @@ -895,6 +925,8 @@ NORET_TYPE void do_exit(long code)
62879         struct task_struct *tsk = current;
62880         int group_dead;
62881  
62882 +       set_fs(USER_DS);
62883 +
62884         profile_task_exit(tsk);
62885  
62886         WARN_ON(blk_needs_flush_plug(tsk));
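Review bot: Moving set_fs(USER_DS) to the top of do_exit leaves the multi-line comment in the next hunk (ending at L62897, explaining that the reset prevents mm_release()->clear_child_tid() from writing to a kernel address) describing a statement that is no longer beneath it. Either move that explanation up with the call, or replace it at the old site with a one-line pointer such as `/* set_fs(USER_DS) is now done at the top of do_exit(); see there for why. */`, and give the new call its own short comment, e.g. `/* Reset the address limit first so nothing on the exit path can touch kernel memory via a user-controlled address. */`. The comment's opening lines and the rest of do_exit lie outside these hunks.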
62887 @@ -911,7 +943,6 @@ NORET_TYPE void do_exit(long code)
62888          * mm_release()->clear_child_tid() from writing to a user-controlled
62889          * kernel address.
62890          */
62891 -       set_fs(USER_DS);
62892  
62893         ptrace_event(PTRACE_EVENT_EXIT, code);
62894  
62895 @@ -973,6 +1004,9 @@ NORET_TYPE void do_exit(long code)
62896         tsk->exit_code = code;
62897         taskstats_exit(tsk, group_dead);
62898  
62899 +       gr_acl_handle_psacct(tsk, code);
62900 +       gr_acl_handle_exit();
62901 +
62902         exit_mm(tsk);
62903  
62904         if (group_dead)
62905 diff -urNp linux-3.1.1/kernel/fork.c linux-3.1.1/kernel/fork.c
62906 --- linux-3.1.1/kernel/fork.c   2011-11-11 15:19:27.000000000 -0500
62907 +++ linux-3.1.1/kernel/fork.c   2011-11-16 19:36:31.000000000 -0500
62908 @@ -285,7 +285,7 @@ static struct task_struct *dup_task_stru
62909         *stackend = STACK_END_MAGIC;    /* for overflow detection */
62910  
62911  #ifdef CONFIG_CC_STACKPROTECTOR
62912 -       tsk->stack_canary = get_random_int();
62913 +       tsk->stack_canary = pax_get_random_long();
62914  #endif
62915  
62916         /*
62917 @@ -309,13 +309,77 @@ out:
62918  }
62919  
62920  #ifdef CONFIG_MMU
62921 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
62922 +{
62923 +       struct vm_area_struct *tmp;
62924 +       unsigned long charge;
62925 +       struct mempolicy *pol;
62926 +       struct file *file;
62927 +
62928 +       charge = 0;
62929 +       if (mpnt->vm_flags & VM_ACCOUNT) {
62930 +               unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
62931 +               if (security_vm_enough_memory(len))
62932 +                       goto fail_nomem;
62933 +               charge = len;
62934 +       }
62935 +       tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
62936 +       if (!tmp)
62937 +               goto fail_nomem;
62938 +       *tmp = *mpnt;
62939 +       tmp->vm_mm = mm;
62940 +       INIT_LIST_HEAD(&tmp->anon_vma_chain);
62941 +       pol = mpol_dup(vma_policy(mpnt));
62942 +       if (IS_ERR(pol))
62943 +               goto fail_nomem_policy;
62944 +       vma_set_policy(tmp, pol);
62945 +       if (anon_vma_fork(tmp, mpnt))
62946 +               goto fail_nomem_anon_vma_fork;
62947 +       tmp->vm_flags &= ~VM_LOCKED;
62948 +       tmp->vm_next = tmp->vm_prev = NULL;
62949 +       tmp->vm_mirror = NULL;
62950 +       file = tmp->vm_file;
62951 +       if (file) {
62952 +               struct inode *inode = file->f_path.dentry->d_inode;
62953 +               struct address_space *mapping = file->f_mapping;
62954 +
62955 +               get_file(file);
62956 +               if (tmp->vm_flags & VM_DENYWRITE)
62957 +                       atomic_dec(&inode->i_writecount);
62958 +               mutex_lock(&mapping->i_mmap_mutex);
62959 +               if (tmp->vm_flags & VM_SHARED)
62960 +                       mapping->i_mmap_writable++;
62961 +               flush_dcache_mmap_lock(mapping);
62962 +               /* insert tmp into the share list, just after mpnt */
62963 +               vma_prio_tree_add(tmp, mpnt);
62964 +               flush_dcache_mmap_unlock(mapping);
62965 +               mutex_unlock(&mapping->i_mmap_mutex);
62966 +       }
62967 +
62968 +       /*
62969 +        * Clear hugetlb-related page reserves for children. This only
62970 +        * affects MAP_PRIVATE mappings. Faults generated by the child
62971 +        * are not guaranteed to succeed, even if read-only
62972 +        */
62973 +       if (is_vm_hugetlb_page(tmp))
62974 +               reset_vma_resv_huge_pages(tmp);
62975 +
62976 +       return tmp;
62977 +
62978 +fail_nomem_anon_vma_fork:
62979 +       mpol_put(pol);
62980 +fail_nomem_policy:
62981 +       kmem_cache_free(vm_area_cachep, tmp);
62982 +fail_nomem:
62983 +       vm_unacct_memory(charge);
62984 +       return NULL;
62985 +}
62986 +
62987  static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
62988  {
62989         struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
62990         struct rb_node **rb_link, *rb_parent;
62991         int retval;
62992 -       unsigned long charge;
62993 -       struct mempolicy *pol;
62994  
62995         down_write(&oldmm->mmap_sem);
62996         flush_cache_dup_mm(oldmm);
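Review bot: dup_vma() collapses every failure to NULL, so the code that mpol_dup() reports through PTR_ERR(pol) — which the removed lines in the @@ -353,55 hunk propagated via `retval = PTR_ERR(pol);` — now always reaches the caller as the fixed `retval = -ENOMEM;`. In this tree mpol_dup() appears to fail only with -ENOMEM, so nothing is lost today, but that is exactly the kind of fact that should be written down: a header comment on dup_vma stating that it returns NULL on any failure (accounting, allocation, policy, anon_vma) and has already undone the memory charge, or alternatively have it return an ERR_PTR and use `if (IS_ERR(tmp)) { retval = PTR_ERR(tmp); goto out; }` in dup_mmap. The new `tmp->vm_mirror = NULL;` line is the one behavioural addition over the moved code and deserves its own short comment tying it to the SEGMEXEC fix-up later in dup_mmap. dup_mmap continues past the end of this hunk.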
62997 @@ -327,8 +391,8 @@ static int dup_mmap(struct mm_struct *mm
62998         mm->locked_vm = 0;
62999         mm->mmap = NULL;
63000         mm->mmap_cache = NULL;
63001 -       mm->free_area_cache = oldmm->mmap_base;
63002 -       mm->cached_hole_size = ~0UL;
63003 +       mm->free_area_cache = oldmm->free_area_cache;
63004 +       mm->cached_hole_size = oldmm->cached_hole_size;
63005         mm->map_count = 0;
63006         cpumask_clear(mm_cpumask(mm));
63007         mm->mm_rb = RB_ROOT;
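Review bot: Inheriting `oldmm->free_area_cache` and `oldmm->cached_hole_size` instead of resetting them to `oldmm->mmap_base` / `~0UL` changes where the child's first unhinted mmap() search begins, and nothing in the hunk says why. Presumably the intent is that child mappings are placed as the parent's would have been (confirm), in which case a comment such as `/* carry the parent's free-area search state so the child's mmap() picks the same holes */` would keep this from being reverted as a stray diff against upstream. dup_mmap continues outside this hunk.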
63008 @@ -344,8 +408,6 @@ static int dup_mmap(struct mm_struct *mm
63009  
63010         prev = NULL;
63011         for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
63012 -               struct file *file;
63013 -
63014                 if (mpnt->vm_flags & VM_DONTCOPY) {
63015                         long pages = vma_pages(mpnt);
63016                         mm->total_vm -= pages;
63017 @@ -353,55 +415,13 @@ static int dup_mmap(struct mm_struct *mm
63018                                                                 -pages);
63019                         continue;
63020                 }
63021 -               charge = 0;
63022 -               if (mpnt->vm_flags & VM_ACCOUNT) {
63023 -                       unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
63024 -                       if (security_vm_enough_memory(len))
63025 -                               goto fail_nomem;
63026 -                       charge = len;
63027 -               }
63028 -               tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
63029 -               if (!tmp)
63030 -                       goto fail_nomem;
63031 -               *tmp = *mpnt;
63032 -               INIT_LIST_HEAD(&tmp->anon_vma_chain);
63033 -               pol = mpol_dup(vma_policy(mpnt));
63034 -               retval = PTR_ERR(pol);
63035 -               if (IS_ERR(pol))
63036 -                       goto fail_nomem_policy;
63037 -               vma_set_policy(tmp, pol);
63038 -               tmp->vm_mm = mm;
63039 -               if (anon_vma_fork(tmp, mpnt))
63040 -                       goto fail_nomem_anon_vma_fork;
63041 -               tmp->vm_flags &= ~VM_LOCKED;
63042 -               tmp->vm_next = tmp->vm_prev = NULL;
63043 -               file = tmp->vm_file;
63044 -               if (file) {
63045 -                       struct inode *inode = file->f_path.dentry->d_inode;
63046 -                       struct address_space *mapping = file->f_mapping;
63047 -
63048 -                       get_file(file);
63049 -                       if (tmp->vm_flags & VM_DENYWRITE)
63050 -                               atomic_dec(&inode->i_writecount);
63051 -                       mutex_lock(&mapping->i_mmap_mutex);
63052 -                       if (tmp->vm_flags & VM_SHARED)
63053 -                               mapping->i_mmap_writable++;
63054 -                       flush_dcache_mmap_lock(mapping);
63055 -                       /* insert tmp into the share list, just after mpnt */
63056 -                       vma_prio_tree_add(tmp, mpnt);
63057 -                       flush_dcache_mmap_unlock(mapping);
63058 -                       mutex_unlock(&mapping->i_mmap_mutex);
63059 +               tmp = dup_vma(mm, mpnt);
63060 +               if (!tmp) {
63061 +                       retval = -ENOMEM;
63062 +                       goto out;
63063                 }
63064  
63065                 /*
63066 -                * Clear hugetlb-related page reserves for children. This only
63067 -                * affects MAP_PRIVATE mappings. Faults generated by the child
63068 -                * are not guaranteed to succeed, even if read-only
63069 -                */
63070 -               if (is_vm_hugetlb_page(tmp))
63071 -                       reset_vma_resv_huge_pages(tmp);
63072 -
63073 -               /*
63074                  * Link in the new vma and copy the page table entries.
63075                  */
63076                 *pprev = tmp;
63077 @@ -422,6 +442,31 @@ static int dup_mmap(struct mm_struct *mm
63078                 if (retval)
63079                         goto out;
63080         }
63081 +
63082 +#ifdef CONFIG_PAX_SEGMEXEC
63083 +       if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
63084 +               struct vm_area_struct *mpnt_m;
63085 +
63086 +               for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
63087 +                       BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
63088 +
63089 +                       if (!mpnt->vm_mirror)
63090 +                               continue;
63091 +
63092 +                       if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
63093 +                               BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
63094 +                               mpnt->vm_mirror = mpnt_m;
63095 +                       } else {
63096 +                               BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
63097 +                               mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
63098 +                               mpnt_m->vm_mirror->vm_mirror = mpnt_m;
63099 +                               mpnt->vm_mirror->vm_mirror = mpnt;
63100 +                       }
63101 +               }
63102 +               BUG_ON(mpnt_m);
63103 +       }
63104 +#endif
63105 +
63106         /* a new mm has just been created */
63107         arch_dup_mmap(oldmm, mm);
63108         retval = 0;
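Review bot: The SEGMEXEC fix-up loop walks oldmm->mmap and mm->mmap in lockstep and BUG_ON()s on any mismatch, but the copy loop earlier in dup_mmap skips VM_DONTCOPY vmas (`continue` in the @@ -344,8 hunk), so a parent that has used MADV_DONTFORK would have fewer vmas in mm than in oldmm and the walk would pair the wrong vmas before tripping `BUG_ON(!mpnt_m ...)`; unless SEGMEXEC tasks can never carry VM_DONTCOPY vmas (not visible here), mpnt_m should advance only for vmas that were actually duplicated, and that invariant needs to be confirmed either way. The positional-pairing assumption also deserves a comment, e.g. `/* mm->mmap was built above in the same order as oldmm->mmap; pair vmas positionally and re-link the mirrors */`. Note that a BUG_ON here oopses with oldmm->mmap_sem write-held, so a WARN_ON_ONCE plus an error return would be the gentler failure mode if the invariant is ever violated. dup_mmap continues outside this hunk.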
63109 @@ -430,14 +475,6 @@ out:
63110         flush_tlb_mm(oldmm);
63111         up_write(&oldmm->mmap_sem);
63112         return retval;
63113 -fail_nomem_anon_vma_fork:
63114 -       mpol_put(pol);
63115 -fail_nomem_policy:
63116 -       kmem_cache_free(vm_area_cachep, tmp);
63117 -fail_nomem:
63118 -       retval = -ENOMEM;
63119 -       vm_unacct_memory(charge);
63120 -       goto out;
63121  }
63122  
63123  static inline int mm_alloc_pgd(struct mm_struct *mm)
63124 @@ -837,12 +874,13 @@ static int copy_fs(unsigned long clone_f
63125                         spin_unlock(&fs->lock);
63126                         return -EAGAIN;
63127                 }
63128 -               fs->users++;
63129 +               atomic_inc(&fs->users);
63130                 spin_unlock(&fs->lock);
63131                 return 0;
63132         }
63133         tsk->fs = copy_fs_struct(fs);
63134         if (!tsk->fs)
63135                 return -ENOMEM;
63136 +       gr_set_chroot_entries(tsk, &tsk->fs->root);
63137         return 0;
63138  }
63139
63140 @@ -1158,6 +1158,9 @@ static struct task_struct *copy_process(
63141         init_nx_info(&p->nx_info, current_nx_info());
63142  
63143         retval = -EAGAIN;
63144 +
63145 +       gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
63146 +
63147         if (!vx_nproc_avail(1))
63148                 goto bad_fork_free;
63149         if (atomic_read(&p->real_cred->user->processes) >=
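Review bot: This hunk's header `@@ -1158,6 +1158,9 @@` carries no line offset while the neighbouring copy_process hunks are shifted by roughly forty lines (`-1264,6 +1305,8`, `-1428,6 +1471,8`), and its context lines (`init_nx_info`, `vx_nproc_avail`) belong to a vserver-patched tree rather than vanilla 3.1.1, so it looks hand-merged and will only apply with fuzz or offset. Regenerating the hunk against the tree it is meant for would keep patch(1) from landing `gr_learn_resource()` somewhere else if the surrounding code moves. copy_process continues outside this hunk.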
63150 @@ -1264,6 +1305,8 @@ static struct task_struct *copy_process(
63151         if (clone_flags & CLONE_THREAD)
63152                 p->tgid = current->tgid;
63153  
63154 +       gr_copy_label(p);
63155 +
63156         p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
63157         /*
63158          * Clear TID on mm_release()?
63159 @@ -1428,6 +1471,8 @@ bad_fork_cleanup_count:
63160  bad_fork_free:
63161         free_task(p);
63162  fork_out:
63163 +       gr_log_forkfail(retval);
63164 +
63165         return ERR_PTR(retval);
63166  }
63167  
63168 @@ -1528,6 +1573,8 @@ long do_fork(unsigned long clone_flags,
63169                 if (clone_flags & CLONE_PARENT_SETTID)
63170                         put_user(nr, parent_tidptr);
63171  
63172 +               gr_handle_brute_check();
63173 +
63174                 if (clone_flags & CLONE_VFORK) {
63175                         p->vfork_done = &vfork;
63176                         init_completion(&vfork);
63177 @@ -1637,7 +1684,7 @@ static int unshare_fs(unsigned long unsh
63178                 return 0;
63179  
63180         /* don't need lock here; in the worst case we'll do useless copy */
63181 -       if (fs->users == 1)
63182 +       if (atomic_read(&fs->users) == 1)
63183                 return 0;
63184  
63185         *new_fsp = copy_fs_struct(fs);
63186 @@ -1726,7 +1773,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, 
63187                         fs = current->fs;
63188                         spin_lock(&fs->lock);
63189                         current->fs = new_fs;
63190 -                       if (--fs->users)
63191 +                       gr_set_chroot_entries(current, &current->fs->root);
63192 +                       if (atomic_dec_return(&fs->users))
63193                                 new_fs = NULL;
63194                         else
63195                                 new_fs = fs;
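Review bot: `gr_set_chroot_entries(current, &current->fs->root);` is called between `spin_lock(&fs->lock)` and the matching unlock, whereas the other new call site in copy_fs (the @@ -837,12 hunk) makes the same call with no lock held; if gr_set_chroot_entries() can sleep, or takes a lock that is elsewhere acquired with fs->lock held, this placement is a problem. Either move the call after the unlock or add a comment at the definition site stating that it is safe in atomic context. The `atomic_dec_return(&fs->users)` here replaces a decrement that was already serialised by fs->lock, so the atomic appears to exist for the lock-free reader in unshare_fs (`atomic_read(&fs->users) == 1`); a comment at the field would make that explicit. The enclosing syscall body continues outside this hunk.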
63196 diff -urNp linux-3.1.1/kernel/futex.c linux-3.1.1/kernel/futex.c
63197 --- linux-3.1.1/kernel/futex.c  2011-11-11 15:19:27.000000000 -0500
63198 +++ linux-3.1.1/kernel/futex.c  2011-11-16 18:40:44.000000000 -0500
63199 @@ -54,6 +54,7 @@
63200  #include <linux/mount.h>
63201  #include <linux/pagemap.h>
63202  #include <linux/syscalls.h>
63203 +#include <linux/ptrace.h>
63204  #include <linux/signal.h>
63205  #include <linux/module.h>
63206  #include <linux/magic.h>
63207 @@ -238,6 +239,11 @@ get_futex_key(u32 __user *uaddr, int fsh
63208         struct page *page, *page_head;
63209         int err, ro = 0;
63210  
63211 +#ifdef CONFIG_PAX_SEGMEXEC
63212 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
63213 +               return -EFAULT;
63214 +#endif
63215 +
63216         /*
63217          * The futex address must be "naturally" aligned.
63218          */
63219 @@ -1863,6 +1869,8 @@ static int futex_wait(u32 __user *uaddr,
63220         struct futex_q q = futex_q_init;
63221         int ret;
63222  
63223 +       pax_track_stack();
63224 +
63225         if (!bitset)
63226                 return -EINVAL;
63227         q.bitset = bitset;
63228 @@ -2259,6 +2267,8 @@ static int futex_wait_requeue_pi(u32 __u
63229         struct futex_q q = futex_q_init;
63230         int res, ret;
63231  
63232 +       pax_track_stack();
63233 +
63234         if (!bitset)
63235                 return -EINVAL;
63236  
63237 @@ -2431,7 +2441,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
63238  {
63239         struct robust_list_head __user *head;
63240         unsigned long ret;
63241 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
63242         const struct cred *cred = current_cred(), *pcred;
63243 +#endif
63244  
63245         if (!futex_cmpxchg_enabled)
63246                 return -ENOSYS;
63247 @@ -2447,6 +2459,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
63248                 if (!p)
63249                         goto err_unlock;
63250                 ret = -EPERM;
63251 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
63252 +               if (!ptrace_may_access(p, PTRACE_MODE_READ))
63253 +                       goto err_unlock;
63254 +#else
63255                 pcred = __task_cred(p);
63256                 /* If victim is in different user_ns, then uids are not
63257                    comparable, so we must have CAP_SYS_PTRACE */
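Review bot: The `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` / `#else` choice between `ptrace_may_access(p, PTRACE_MODE_READ)` and the open-coded uid/CAP_SYS_PTRACE comparison is duplicated verbatim in compat_sys_get_robust_list (the @@ -152,6 hunk in kernel/futex_compat.c), including the `ok:` label that now lives inside the `#else` arm. A small shared helper, say `bool futex_may_read_robust_list(struct task_struct *p)`, would keep the two access checks from drifting apart and would also give the `#ifndef` around the `cred`/`pcred` declarations a single home. The ptrace_may_access() form is the stronger check, since it goes through the ptrace/LSM hooks rather than comparing raw uids — worth a one-line comment so nobody "simplifies" it back. The syscall body continues outside this hunk.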
63258 @@ -2461,6 +2477,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
63259                     !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
63260                         goto err_unlock;
63261  ok:
63262 +#endif
63263                 head = p->robust_list;
63264                 rcu_read_unlock();
63265         }
63266 @@ -2712,6 +2729,7 @@ static int __init futex_init(void)
63267  {
63268         u32 curval;
63269         int i;
63270 +       mm_segment_t oldfs;
63271  
63272         /*
63273          * This will fail and we want it. Some arch implementations do
63274 @@ -2723,8 +2741,11 @@ static int __init futex_init(void)
63275          * implementation, the non-functional ones will return
63276          * -ENOSYS.
63277          */
63278 +       oldfs = get_fs();
63279 +       set_fs(USER_DS);
63280         if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
63281                 futex_cmpxchg_enabled = 1;
63282 +       set_fs(oldfs);
63283  
63284         for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
63285                 plist_head_init(&futex_queues[i].chain);
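Review bot: Wrapping the deliberate NULL-address probe `cmpxchg_futex_value_locked(&curval, NULL, 0, 0)` in `set_fs(USER_DS)` / `set_fs(oldfs)` changes which address space the expected fault is taken in, and nothing in the hunk says why the default segment no longer yields the -EFAULT this detection relies on; presumably the PaX user-access hardening makes a kernel-segment access to address 0 fault differently (confirm). A comment above `oldfs = get_fs();` stating the actual reason, e.g. `/* probe address 0 as a user access so the fault is reported as -EFAULT rather than taken as a kernel fault */`, would stop this from looking like a stray segment switch in an __init function. futex_init continues outside this hunk.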
63286 diff -urNp linux-3.1.1/kernel/futex_compat.c linux-3.1.1/kernel/futex_compat.c
63287 --- linux-3.1.1/kernel/futex_compat.c   2011-11-11 15:19:27.000000000 -0500
63288 +++ linux-3.1.1/kernel/futex_compat.c   2011-11-16 18:40:44.000000000 -0500
63289 @@ -10,6 +10,7 @@
63290  #include <linux/compat.h>
63291  #include <linux/nsproxy.h>
63292  #include <linux/futex.h>
63293 +#include <linux/ptrace.h>
63294  
63295  #include <asm/uaccess.h>
63296  
63297 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
63298  {
63299         struct compat_robust_list_head __user *head;
63300         unsigned long ret;
63301 -       const struct cred *cred = current_cred(), *pcred;
63302 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
63303 +       const struct cred *cred = current_cred();
63304 +       const struct cred *pcred;
63305 +#endif
63306  
63307         if (!futex_cmpxchg_enabled)
63308                 return -ENOSYS;
63309 @@ -152,6 +156,10 @@ compat_sys_get_robust_list(int pid, comp
63310                 if (!p)
63311                         goto err_unlock;
63312                 ret = -EPERM;
63313 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
63314 +               if (!ptrace_may_access(p, PTRACE_MODE_READ))
63315 +                       goto err_unlock;
63316 +#else
63317                 pcred = __task_cred(p);
63318                 /* If victim is in different user_ns, then uids are not
63319                    comparable, so we must have CAP_SYS_PTRACE */
63320 @@ -166,6 +174,7 @@ compat_sys_get_robust_list(int pid, comp
63321                     !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
63322                         goto err_unlock;
63323  ok:
63324 +#endif
63325                 head = p->compat_robust_list;
63326                 rcu_read_unlock();
63327         }
63328 diff -urNp linux-3.1.1/kernel/gcov/base.c linux-3.1.1/kernel/gcov/base.c
63329 --- linux-3.1.1/kernel/gcov/base.c      2011-11-11 15:19:27.000000000 -0500
63330 +++ linux-3.1.1/kernel/gcov/base.c      2011-11-16 18:39:08.000000000 -0500
63331 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
63332  }
63333  
63334  #ifdef CONFIG_MODULES
63335 -static inline int within(void *addr, void *start, unsigned long size)
63336 -{
63337 -       return ((addr >= start) && (addr < start + size));
63338 -}
63339 -
63340  /* Update list and generate events when modules are unloaded. */
63341  static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
63342                                 void *data)
63343 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
63344         prev = NULL;
63345         /* Remove entries located in module from linked list. */
63346         for (info = gcov_info_head; info; info = info->next) {
63347 -               if (within(info, mod->module_core, mod->core_size)) {
63348 +               if (within_module_core_rw((unsigned long)info, mod)) {
63349                         if (prev)
63350                                 prev->next = info->next;
63351                         else
63352 diff -urNp linux-3.1.1/kernel/hrtimer.c linux-3.1.1/kernel/hrtimer.c
63353 --- linux-3.1.1/kernel/hrtimer.c        2011-11-11 15:19:27.000000000 -0500
63354 +++ linux-3.1.1/kernel/hrtimer.c        2011-11-16 18:39:08.000000000 -0500
63355 @@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
63356         local_irq_restore(flags);
63357  }
63358  
63359 -static void run_hrtimer_softirq(struct softirq_action *h)
63360 +static void run_hrtimer_softirq(void)
63361  {
63362         hrtimer_peek_ahead_timers();
63363  }
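Review bot: Dropping the `struct softirq_action *h` parameter from run_hrtimer_softirq() only compiles cleanly if the handler type used by open_softirq() is changed to match elsewhere in the patch (not visible in this hunk); otherwise the registration becomes an incompatible-pointer-type warning. A cross-reference comment at the definition, e.g. `/* softirq handlers take no argument in this tree; see open_softirq() */`, would make the dependency visible when this file is merged with upstream.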
63364 diff -urNp linux-3.1.1/kernel/jump_label.c linux-3.1.1/kernel/jump_label.c
63365 --- linux-3.1.1/kernel/jump_label.c     2011-11-11 15:19:27.000000000 -0500
63366 +++ linux-3.1.1/kernel/jump_label.c     2011-11-16 18:39:08.000000000 -0500
63367 @@ -55,7 +55,9 @@ jump_label_sort_entries(struct jump_entr
63368  
63369         size = (((unsigned long)stop - (unsigned long)start)
63370                                         / sizeof(struct jump_entry));
63371 +       pax_open_kernel();
63372         sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
63373 +       pax_close_kernel();
63374  }
63375  
63376  static void jump_label_update(struct jump_label_key *key, int enable);
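Review bot: Both new `pax_open_kernel()` / `pax_close_kernel()` pairs (here around `sort()` and in the @@ -297,10 hunk around the invalidation loop) are unexplained; the reader has to already know that the jump_entry tables presumably sit in write-protected kernel memory under KERNEXEC. A one-line comment at each site, `/* jump tables are read-only under KERNEXEC; open a write window for the in-place update */`, would make that explicit. Neither site has an early exit between open and close today, which is the property to preserve — a `return` between the two would leave the window open.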
63377 @@ -297,10 +299,12 @@ static void jump_label_invalidate_module
63378         struct jump_entry *iter_stop = iter_start + mod->num_jump_entries;
63379         struct jump_entry *iter;
63380  
63381 +       pax_open_kernel();
63382         for (iter = iter_start; iter < iter_stop; iter++) {
63383                 if (within_module_init(iter->code, mod))
63384                         iter->code = 0;
63385         }
63386 +       pax_close_kernel();
63387  }
63388  
63389  static int
63390 diff -urNp linux-3.1.1/kernel/kallsyms.c linux-3.1.1/kernel/kallsyms.c
63391 --- linux-3.1.1/kernel/kallsyms.c       2011-11-11 15:19:27.000000000 -0500
63392 +++ linux-3.1.1/kernel/kallsyms.c       2011-11-16 18:40:44.000000000 -0500
63393 @@ -11,6 +11,9 @@
63394   *      Changed the compression method from stem compression to "table lookup"
63395   *      compression (see scripts/kallsyms.c for a more complete description)
63396   */
63397 +#ifdef CONFIG_GRKERNSEC_HIDESYM
63398 +#define __INCLUDED_BY_HIDESYM 1
63399 +#endif
63400  #include <linux/kallsyms.h>
63401  #include <linux/module.h>
63402  #include <linux/init.h>
63403 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
63404  
63405  static inline int is_kernel_inittext(unsigned long addr)
63406  {
63407 +       if (system_state != SYSTEM_BOOTING)
63408 +               return 0;
63409 +
63410         if (addr >= (unsigned long)_sinittext
63411             && addr <= (unsigned long)_einittext)
63412                 return 1;
63413         return 0;
63414  }
63415  
63416 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63417 +#ifdef CONFIG_MODULES
63418 +static inline int is_module_text(unsigned long addr)
63419 +{
63420 +       if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
63421 +               return 1;
63422 +
63423 +       addr = ktla_ktva(addr);
63424 +       return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
63425 +}
63426 +#else
63427 +static inline int is_module_text(unsigned long addr)
63428 +{
63429 +       return 0;
63430 +}
63431 +#endif
63432 +#endif
63433 +
63434  static inline int is_kernel_text(unsigned long addr)
63435  {
63436         if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
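Review bot: The new early `return 0;` in is_kernel_inittext() when `system_state != SYSTEM_BOOTING` deserves a comment, e.g. `/* init text is discarded after boot; never resolve addresses into freed memory */`, since the reason is not visible from the code. free_initmem() appears to run shortly before the SYSTEM_RUNNING transition, so there is a brief window in which the range is still reported; if that matters, a flag set by free_initmem() would be the exact condition. In is_module_text(), the inclusive upper bound `addr <= MODULES_EXEC_END` matches the style of the existing range checks in this file but classes the one-past-the-end address as module text — consistent with its neighbours, just worth knowing.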
63437 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
63438  
63439  static inline int is_kernel(unsigned long addr)
63440  {
63441 +
63442 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63443 +       if (is_kernel_text(addr) || is_kernel_inittext(addr))
63444 +               return 1;
63445 +
63446 +       if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
63447 +#else
63448         if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
63449 +#endif
63450 +
63451                 return 1;
63452         return in_gate_area_no_mm(addr);
63453  }
63454  
63455  static int is_ksym_addr(unsigned long addr)
63456  {
63457 +
63458 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63459 +       if (is_module_text(addr))
63460 +               return 0;
63461 +#endif
63462 +
63463         if (all_var)
63464                 return is_kernel(addr);
63465  
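Review bot: In is_kernel(), the `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` block ends in the middle of a statement: each arm supplies a different `if (...)` header while the shared `return 1;` body sits below the `#endif`, separated by a blank line. Making each arm a complete statement (`if (...) return 1;` inside both) and dropping the stray blank lines after the opening braces of is_kernel() and is_ksym_addr() would keep the preprocessor from splitting C syntax and let the KERNEXEC path be read on its own. The `is_module_text()` early return in is_ksym_addr() also wants a comment saying why module text must not be treated as a kernel symbol address on this configuration. is_ksym_addr continues outside this hunk.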
63466 @@ -454,7 +493,6 @@ static unsigned long get_ksymbol_core(st
63467  
63468  static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
63469  {
63470 -       iter->name[0] = '\0';
63471         iter->nameoff = get_symbol_offset(new_pos);
63472         iter->pos = new_pos;
63473  }
63474 @@ -502,6 +540,11 @@ static int s_show(struct seq_file *m, vo
63475  {
63476         struct kallsym_iter *iter = m->private;
63477  
63478 +#ifdef CONFIG_GRKERNSEC_HIDESYM
63479 +       if (current_uid())
63480 +               return 0;
63481 +#endif
63482 +
63483         /* Some debugging symbols have no name.  Ignore them. */
63484         if (!iter->name[0])
63485                 return 0;
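Review bot: The HIDESYM gate in s_show() keys on `current_uid()`, i.e. the real uid, not the effective uid or a capability: a set-uid-root helper run by an unprivileged user therefore reads an empty /proc/kallsyms, while a process whose real uid is 0 but which has dropped its effective uid still sees everything. If that is the intended policy, a comment above the check should say so, e.g. `/* HIDESYM: only real-uid-0 callers may read symbol addresses */`; if not, `capable(CAP_SYSLOG)` (what kptr_restrict uses) or an euid check is the alternative. Returning 0 per entry rather than refusing at open time also makes the file read as empty instead of failing with -EPERM, which is worth stating in the same comment. s_show continues outside this hunk.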
63486 @@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *i
63487         struct kallsym_iter *iter;
63488         int ret;
63489  
63490 -       iter = kmalloc(sizeof(*iter), GFP_KERNEL);
63491 +       iter = kzalloc(sizeof(*iter), GFP_KERNEL);
63492         if (!iter)
63493                 return -ENOMEM;
63494         reset_iter(iter, 0);
63495 diff -urNp linux-3.1.1/kernel/kexec.c linux-3.1.1/kernel/kexec.c
63496 --- linux-3.1.1/kernel/kexec.c  2011-11-11 15:19:27.000000000 -0500
63497 +++ linux-3.1.1/kernel/kexec.c  2011-11-16 18:39:08.000000000 -0500
63498 @@ -1033,7 +1033,8 @@ asmlinkage long compat_sys_kexec_load(un
63499                                 unsigned long flags)
63500  {
63501         struct compat_kexec_segment in;
63502 -       struct kexec_segment out, __user *ksegments;
63503 +       struct kexec_segment out;
63504 +       struct kexec_segment __user *ksegments;
63505         unsigned long i, result;
63506  
63507         /* Don't allow clients that don't understand the native
63508 diff -urNp linux-3.1.1/kernel/kmod.c linux-3.1.1/kernel/kmod.c
63509 --- linux-3.1.1/kernel/kmod.c   2011-11-11 15:19:27.000000000 -0500
63510 +++ linux-3.1.1/kernel/kmod.c   2011-11-16 18:40:44.000000000 -0500
63511 @@ -73,13 +73,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
63512   * If module auto-loading support is disabled then this function
63513   * becomes a no-operation.
63514   */
63515 -int __request_module(bool wait, const char *fmt, ...)
63516 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
63517  {
63518 -       va_list args;
63519         char module_name[MODULE_NAME_LEN];
63520         unsigned int max_modprobes;
63521         int ret;
63522 -       char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
63523 +       char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
63524         static char *envp[] = { "HOME=/",
63525                                 "TERM=linux",
63526                                 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
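Review bot: The new argv `{ modprobe_path, "-q", "--", module_name, module_param, NULL }` relies on a NULL module_param (the default path through __request_module) terminating the vector one slot early; that is valid execve() behaviour but easy to miss if someone later appends another argument after module_param. A comment on the array, `/* module_param may be NULL, in which case argv ends there */`, would prevent that. ____request_module continues past the end of this hunk.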
63527 @@ -88,9 +87,7 @@ int __request_module(bool wait, const ch
63528  #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
63529         static int kmod_loop_msg;
63530  
63531 -       va_start(args, fmt);
63532 -       ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
63533 -       va_end(args);
63534 +       ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
63535         if (ret >= MODULE_NAME_LEN)
63536                 return -ENAMETOOLONG;
63537  
63538 @@ -98,6 +95,20 @@ int __request_module(bool wait, const ch
63539         if (ret)
63540                 return ret;
63541  
63542 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63543 +       if (!current_uid()) {
63544 +               /* hack to workaround consolekit/udisks stupidity */
63545 +               read_lock(&tasklist_lock);
63546 +               if (!strcmp(current->comm, "mount") &&
63547 +                   current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
63548 +                       read_unlock(&tasklist_lock);
63549 +                       printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
63550 +                       return -EPERM;
63551 +               }
63552 +               read_unlock(&tasklist_lock);
63553 +       }
63554 +#endif
63555 +
63556         /* If modprobe needs a service that is in a module, we get a recursive
63557          * loop.  Limit the number of running kmod threads to max_threads/2 or
63558          * MAX_KMOD_CONCURRENT, whichever is the smaller.  A cleaner method
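Review bot: The MODHARDEN workaround identifies the caller purely by `current->comm` and `current->real_parent->comm` strings ("mount" under "udisk…"), which any process can set with prctl(PR_SET_NAME); because the branch only denies and only fires for uid 0, spoofing it buys nothing beyond self-denial, but it also means any legitimate root `mount` whose parent happens to be named udisk-something is refused with a KERN_ALERT. The comment "hack to workaround consolekit/udisks stupidity" should say what the hack is protecting against (presumably unprivileged users reaching fs-module autoload through udisks — confirm) and that the comm match is best-effort. Holding `read_lock(&tasklist_lock)` keeps real_parent stable but not the comm string itself, which is rewritten under task_lock; the bounded strncmp makes a torn read harmless, but that is worth a word in the same comment. ____request_module continues outside this hunk.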
63559 @@ -133,6 +144,47 @@ int __request_module(bool wait, const ch
63560         atomic_dec(&kmod_concurrent);
63561         return ret;
63562  }
63563 +
63564 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
63565 +{
63566 +       va_list args;
63567 +       int ret;
63568 +
63569 +       va_start(args, fmt);
63570 +       ret = ____request_module(wait, module_param, fmt, args);
63571 +       va_end(args);
63572 +
63573 +       return ret;
63574 +}
63575 +
63576 +int __request_module(bool wait, const char *fmt, ...)
63577 +{
63578 +       va_list args;
63579 +       int ret;
63580 +
63581 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63582 +       if (current_uid()) {
63583 +               char module_param[MODULE_NAME_LEN];
63584 +
63585 +               memset(module_param, 0, sizeof(module_param));
63586 +
63587 +               snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
63588 +
63589 +               va_start(args, fmt);
63590 +               ret = ____request_module(wait, module_param, fmt, args);
63591 +               va_end(args);
63592 +
63593 +               return ret;
63594 +       }
63595 +#endif
63596 +
63597 +       va_start(args, fmt);
63598 +       ret = ____request_module(wait, NULL, fmt, args);
63599 +       va_end(args);
63600 +
63601 +       return ret;
63602 +}
63603 +
63604  EXPORT_SYMBOL(__request_module);
63605  #endif /* CONFIG_MODULES */
63606  
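Review bot: In __request_module's MODHARDEN branch, `memset(module_param, 0, sizeof(module_param));` followed by `snprintf(module_param, sizeof(module_param) - 1, ...)` is redundant and slightly off — snprintf always NUL-terminates, so the memset does nothing useful and the `- 1` only shortens the usable buffer by one; `snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());` alone is enough. More importantly, why a `grsec_modharden_normal<uid>_` token is appended to the modprobe command line for non-root callers is documented nowhere in this hunk; a comment on __request_module stating that the token is matched by modprobe configuration to restrict what unprivileged autoload may pull in (confirm against the shipped modprobe policy) would save the next reader a trip to the grsecurity docs. The new ___request_module() wrapper and the non-MODHARDEN path are otherwise plain forwards to ____request_module().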
63607 @@ -222,7 +274,7 @@ static int wait_for_helper(void *data)
63608                  *
63609                  * Thus the __user pointer cast is valid here.
63610                  */
63611 -               sys_wait4(pid, (int __user *)&ret, 0, NULL);
63612 +               sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
63613  
63614                 /*
63615                  * If ret is 0, either ____call_usermodehelper failed and the
63616 diff -urNp linux-3.1.1/kernel/kprobes.c linux-3.1.1/kernel/kprobes.c
63617 --- linux-3.1.1/kernel/kprobes.c        2011-11-11 15:19:27.000000000 -0500
63618 +++ linux-3.1.1/kernel/kprobes.c        2011-11-16 18:39:08.000000000 -0500
63619 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
63620          * kernel image and loaded module images reside. This is required
63621          * so x86_64 can correctly handle the %rip-relative fixups.
63622          */
63623 -       kip->insns = module_alloc(PAGE_SIZE);
63624 +       kip->insns = module_alloc_exec(PAGE_SIZE);
63625         if (!kip->insns) {
63626                 kfree(kip);
63627                 return NULL;
63628 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
63629                  */
63630                 if (!list_is_singular(&kip->list)) {
63631                         list_del(&kip->list);
63632 -                       module_free(NULL, kip->insns);
63633 +                       module_free_exec(NULL, kip->insns);
63634                         kfree(kip);
63635                 }
63636                 return 1;
63637 @@ -1949,7 +1949,7 @@ static int __init init_kprobes(void)
63638  {
63639         int i, err = 0;
63640         unsigned long offset = 0, size = 0;
63641 -       char *modname, namebuf[128];
63642 +       char *modname, namebuf[KSYM_NAME_LEN];
63643         const char *symbol_name;
63644         void *addr;
63645         struct kprobe_blackpoint *kb;
63646 @@ -2075,7 +2075,7 @@ static int __kprobes show_kprobe_addr(st
63647         const char *sym = NULL;
63648         unsigned int i = *(loff_t *) v;
63649         unsigned long offset = 0;
63650 -       char *modname, namebuf[128];
63651 +       char *modname, namebuf[KSYM_NAME_LEN];
63652  
63653         head = &kprobe_table[i];
63654         preempt_disable();
63655 diff -urNp linux-3.1.1/kernel/lockdep.c linux-3.1.1/kernel/lockdep.c
63656 --- linux-3.1.1/kernel/lockdep.c        2011-11-11 15:19:27.000000000 -0500
63657 +++ linux-3.1.1/kernel/lockdep.c        2011-11-16 18:39:08.000000000 -0500
63658 @@ -583,6 +583,10 @@ static int static_obj(void *obj)
63659                       end   = (unsigned long) &_end,
63660                       addr  = (unsigned long) obj;
63661  
63662 +#ifdef CONFIG_PAX_KERNEXEC
63663 +       start = ktla_ktva(start);
63664 +#endif
63665 +
63666         /*
63667          * static variable?
63668          */
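Review bot: In static_obj() only `start` (from `&_stext`, assigned above the hunk) is translated with `ktla_ktva()` under CONFIG_PAX_KERNEXEC, while `end` (`&_end`) is compared untranslated; if the two symbols live in different mappings under KERNEXEC that is intentional, but it reads as an asymmetry, so a comment worded to the real layout — e.g. `/* _stext is a link-time address in the RX mapping and must be translated; _end already is a runtime address */` — would head off a future "fix" that translates both. static_obj() begins before this hunk.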
63669 @@ -718,6 +722,7 @@ register_lock_class(struct lockdep_map *
63670         if (!static_obj(lock->key)) {
63671                 debug_locks_off();
63672                 printk("INFO: trying to register non-static key.\n");
63673 +               printk("lock:%pS key:%pS.\n", lock, lock->key);
63674                 printk("the code is fine but needs lockdep annotation.\n");
63675                 printk("turning off the locking correctness validator.\n");
63676                 dump_stack();
63677 @@ -2948,7 +2953,7 @@ static int __lock_acquire(struct lockdep
63678                 if (!class)
63679                         return 0;
63680         }
63681 -       atomic_inc((atomic_t *)&class->ops);
63682 +       atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
63683         if (very_verbose(class)) {
63684                 printk("\nacquire class [%p] %s", class->key, class->name);
63685                 if (class->name_version > 1)
63686 diff -urNp linux-3.1.1/kernel/lockdep_proc.c linux-3.1.1/kernel/lockdep_proc.c
63687 --- linux-3.1.1/kernel/lockdep_proc.c   2011-11-11 15:19:27.000000000 -0500
63688 +++ linux-3.1.1/kernel/lockdep_proc.c   2011-11-16 18:39:08.000000000 -0500
63689 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
63690  
63691  static void print_name(struct seq_file *m, struct lock_class *class)
63692  {
63693 -       char str[128];
63694 +       char str[KSYM_NAME_LEN];
63695         const char *name = class->name;
63696  
63697         if (!name) {
63698 diff -urNp linux-3.1.1/kernel/module.c linux-3.1.1/kernel/module.c
63699 --- linux-3.1.1/kernel/module.c 2011-11-11 15:19:27.000000000 -0500
63700 +++ linux-3.1.1/kernel/module.c 2011-11-16 18:40:44.000000000 -0500
63701 @@ -58,6 +58,7 @@
63702  #include <linux/jump_label.h>
63703  #include <linux/pfn.h>
63704  #include <linux/bsearch.h>
63705 +#include <linux/grsecurity.h>
63706  
63707  #define CREATE_TRACE_POINTS
63708  #include <trace/events/module.h>
63709 @@ -119,7 +120,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
63710  
63711  /* Bounds of module allocation, for speeding __module_address.
63712   * Protected by module_mutex. */
63713 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
63714 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
63715 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
63716  
63717  int register_module_notifier(struct notifier_block * nb)
63718  {
63719 @@ -284,7 +286,7 @@ bool each_symbol_section(bool (*fn)(cons
63720                 return true;
63721  
63722         list_for_each_entry_rcu(mod, &modules, list) {
63723 -               struct symsearch arr[] = {
63724 +               struct symsearch modarr[] = {
63725                         { mod->syms, mod->syms + mod->num_syms, mod->crcs,
63726                           NOT_GPL_ONLY, false },
63727                         { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
63728 @@ -306,7 +308,7 @@ bool each_symbol_section(bool (*fn)(cons
63729  #endif
63730                 };
63731  
63732 -               if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
63733 +               if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
63734                         return true;
63735         }
63736         return false;
63737 @@ -438,7 +440,7 @@ static inline void __percpu *mod_percpu(
63738  static int percpu_modalloc(struct module *mod,
63739                            unsigned long size, unsigned long align)
63740  {
63741 -       if (align > PAGE_SIZE) {
63742 +       if (align-1 >= PAGE_SIZE) {
63743                 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
63744                        mod->name, align, PAGE_SIZE);
63745                 align = PAGE_SIZE;
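Review bot: The new condition `align-1 >= PAGE_SIZE` relies on unsigned wraparound to also catch `align == 0`, which is not obvious on reading, and the warning that follows then reports `0 > PAGE_SIZE`. Either make the intent explicit with a comment such as `/* align == 0 wraps to ULONG_MAX here and is clamped like an oversized alignment */` or spell the test out as `if (align == 0 || align > PAGE_SIZE)`. The unchanged printk also formats `align`, an unsigned long, with `%li`; that predates this patch but is worth correcting while the line is touched.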
63746 @@ -1183,7 +1185,7 @@ resolve_symbol_wait(struct module *mod,
63747   */
63748  #ifdef CONFIG_SYSFS
63749  
63750 -#ifdef CONFIG_KALLSYMS
63751 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63752  static inline bool sect_empty(const Elf_Shdr *sect)
63753  {
63754         return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
63755 @@ -1649,21 +1651,21 @@ static void set_section_ro_nx(void *base
63756  
63757  static void unset_module_core_ro_nx(struct module *mod)
63758  {
63759 -       set_page_attributes(mod->module_core + mod->core_text_size,
63760 -               mod->module_core + mod->core_size,
63761 +       set_page_attributes(mod->module_core_rw,
63762 +               mod->module_core_rw + mod->core_size_rw,
63763                 set_memory_x);
63764 -       set_page_attributes(mod->module_core,
63765 -               mod->module_core + mod->core_ro_size,
63766 +       set_page_attributes(mod->module_core_rx,
63767 +               mod->module_core_rx + mod->core_size_rx,
63768                 set_memory_rw);
63769  }
63770  
63771  static void unset_module_init_ro_nx(struct module *mod)
63772  {
63773 -       set_page_attributes(mod->module_init + mod->init_text_size,
63774 -               mod->module_init + mod->init_size,
63775 +       set_page_attributes(mod->module_init_rw,
63776 +               mod->module_init_rw + mod->init_size_rw,
63777                 set_memory_x);
63778 -       set_page_attributes(mod->module_init,
63779 -               mod->module_init + mod->init_ro_size,
63780 +       set_page_attributes(mod->module_init_rx,
63781 +               mod->module_init_rx + mod->init_size_rx,
63782                 set_memory_rw);
63783  }
63784  
63785 @@ -1674,14 +1676,14 @@ void set_all_modules_text_rw(void)
63786  
63787         mutex_lock(&module_mutex);
63788         list_for_each_entry_rcu(mod, &modules, list) {
63789 -               if ((mod->module_core) && (mod->core_text_size)) {
63790 -                       set_page_attributes(mod->module_core,
63791 -                                               mod->module_core + mod->core_text_size,
63792 +               if ((mod->module_core_rx) && (mod->core_size_rx)) {
63793 +                       set_page_attributes(mod->module_core_rx,
63794 +                                               mod->module_core_rx + mod->core_size_rx,
63795                                                 set_memory_rw);
63796                 }
63797 -               if ((mod->module_init) && (mod->init_text_size)) {
63798 -                       set_page_attributes(mod->module_init,
63799 -                                               mod->module_init + mod->init_text_size,
63800 +               if ((mod->module_init_rx) && (mod->init_size_rx)) {
63801 +                       set_page_attributes(mod->module_init_rx,
63802 +                                               mod->module_init_rx + mod->init_size_rx,
63803                                                 set_memory_rw);
63804                 }
63805         }
63806 @@ -1695,14 +1697,14 @@ void set_all_modules_text_ro(void)
63807  
63808         mutex_lock(&module_mutex);
63809         list_for_each_entry_rcu(mod, &modules, list) {
63810 -               if ((mod->module_core) && (mod->core_text_size)) {
63811 -                       set_page_attributes(mod->module_core,
63812 -                                               mod->module_core + mod->core_text_size,
63813 +               if ((mod->module_core_rx) && (mod->core_size_rx)) {
63814 +                       set_page_attributes(mod->module_core_rx,
63815 +                                               mod->module_core_rx + mod->core_size_rx,
63816                                                 set_memory_ro);
63817                 }
63818 -               if ((mod->module_init) && (mod->init_text_size)) {
63819 -                       set_page_attributes(mod->module_init,
63820 -                                               mod->module_init + mod->init_text_size,
63821 +               if ((mod->module_init_rx) && (mod->init_size_rx)) {
63822 +                       set_page_attributes(mod->module_init_rx,
63823 +                                               mod->module_init_rx + mod->init_size_rx,
63824                                                 set_memory_ro);
63825                 }
63826         }
63827 @@ -1748,16 +1750,19 @@ static void free_module(struct module *m
63828  
63829         /* This may be NULL, but that's OK */
63830         unset_module_init_ro_nx(mod);
63831 -       module_free(mod, mod->module_init);
63832 +       module_free(mod, mod->module_init_rw);
63833 +       module_free_exec(mod, mod->module_init_rx);
63834         kfree(mod->args);
63835         percpu_modfree(mod);
63836  
63837         /* Free lock-classes: */
63838 -       lockdep_free_key_range(mod->module_core, mod->core_size);
63839 +       lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
63840 +       lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
63841  
63842         /* Finally, free the core (containing the module structure) */
63843         unset_module_core_ro_nx(mod);
63844 -       module_free(mod, mod->module_core);
63845 +       module_free_exec(mod, mod->module_core_rx);
63846 +       module_free(mod, mod->module_core_rw);
63847  
63848  #ifdef CONFIG_MPU
63849         update_protections(current->mm);
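Review bot: `module_free_exec(mod, mod->module_init_rx)` is placed under the comment "This may be NULL, but that's OK", but module_free_exec is not on the page, and mod->module_init_rx is NULL whenever init_size_rx was zero (move_module later in the patch only treats a NULL result as a failure when the size is non-zero). If module_free_exec does not accept NULL the way module_free does, this call and the matching ones in module_deallocate and at the end of init_module need a guard, `if (mod->module_init_rx)`; if it does, a note on its NULL contract next to this comment would settle the question. free_module's body continues outside the hunk.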
63850 @@ -1826,10 +1831,31 @@ static int simplify_symbols(struct modul
63851         unsigned int i;
63852         int ret = 0;
63853         const struct kernel_symbol *ksym;
63854 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63855 +       int is_fs_load = 0;
63856 +       int register_filesystem_found = 0;
63857 +       char *p;
63858 +
63859 +       p = strstr(mod->args, "grsec_modharden_fs");
63860 +       if (p) {
63861 +               char *endptr = p + strlen("grsec_modharden_fs");
63862 +               /* copy \0 as well */
63863 +               memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
63864 +               is_fs_load = 1;
63865 +       }
63866 +#endif
63867  
63868         for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
63869                 const char *name = info->strtab + sym[i].st_name;
63870  
63871 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63872 +               /* it's a real shame this will never get ripped and copied
63873 +                  upstream! ;(
63874 +               */
63875 +               if (is_fs_load && !strcmp(name, "register_filesystem"))
63876 +                       register_filesystem_found = 1;
63877 +#endif
63878 +
63879                 switch (sym[i].st_shndx) {
63880                 case SHN_COMMON:
63881                         /* We compiled with -fno-common.  These are not
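Review bot: The length passed to the MODHARDEN memmove, `strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1`, is simply the tail string plus its terminator, and the cast truncates a pointer difference to unsigned int for no benefit; `memmove(p, endptr, strlen(endptr) + 1);` expresses the same copy without the arithmetic. Since the marker is found by plain substring search in the user-supplied argument string, a comment stating that any occurrence of "grsec_modharden_fs" in mod->args is taken as the mount-path marker and stripped before the args are parsed would help whoever reads the comparison later. simplify_symbols continues outside the hunk.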
63882 @@ -1850,7 +1876,9 @@ static int simplify_symbols(struct modul
63883                         ksym = resolve_symbol_wait(mod, info, name);
63884                         /* Ok if resolved.  */
63885                         if (ksym && !IS_ERR(ksym)) {
63886 +                               pax_open_kernel();
63887                                 sym[i].st_value = ksym->value;
63888 +                               pax_close_kernel();
63889                                 break;
63890                         }
63891  
63892 @@ -1869,11 +1897,20 @@ static int simplify_symbols(struct modul
63893                                 secbase = (unsigned long)mod_percpu(mod);
63894                         else
63895                                 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
63896 +                       pax_open_kernel();
63897                         sym[i].st_value += secbase;
63898 +                       pax_close_kernel();
63899                         break;
63900                 }
63901         }
63902  
63903 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63904 +       if (is_fs_load && !register_filesystem_found) {
63905 +               printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
63906 +               ret = -EPERM;
63907 +       }
63908 +#endif
63909 +
63910         return ret;
63911  }
63912  
63913 @@ -1977,22 +2014,12 @@ static void layout_sections(struct modul
63914                             || s->sh_entsize != ~0UL
63915                             || strstarts(sname, ".init"))
63916                                 continue;
63917 -                       s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
63918 +                       if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
63919 +                               s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
63920 +                       else
63921 +                               s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
63922                         DEBUGP("\t%s\n", name);
63923                 }
63924 -               switch (m) {
63925 -               case 0: /* executable */
63926 -                       mod->core_size = debug_align(mod->core_size);
63927 -                       mod->core_text_size = mod->core_size;
63928 -                       break;
63929 -               case 1: /* RO: text and ro-data */
63930 -                       mod->core_size = debug_align(mod->core_size);
63931 -                       mod->core_ro_size = mod->core_size;
63932 -                       break;
63933 -               case 3: /* whole core */
63934 -                       mod->core_size = debug_align(mod->core_size);
63935 -                       break;
63936 -               }
63937         }
63938  
63939         DEBUGP("Init section allocation order:\n");
63940 @@ -2006,23 +2033,13 @@ static void layout_sections(struct modul
63941                             || s->sh_entsize != ~0UL
63942                             || !strstarts(sname, ".init"))
63943                                 continue;
63944 -                       s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
63945 -                                        | INIT_OFFSET_MASK);
63946 +                       if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
63947 +                               s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
63948 +                       else
63949 +                               s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
63950 +                       s->sh_entsize |= INIT_OFFSET_MASK;
63951                         DEBUGP("\t%s\n", sname);
63952                 }
63953 -               switch (m) {
63954 -               case 0: /* executable */
63955 -                       mod->init_size = debug_align(mod->init_size);
63956 -                       mod->init_text_size = mod->init_size;
63957 -                       break;
63958 -               case 1: /* RO: text and ro-data */
63959 -                       mod->init_size = debug_align(mod->init_size);
63960 -                       mod->init_ro_size = mod->init_size;
63961 -                       break;
63962 -               case 3: /* whole init */
63963 -                       mod->init_size = debug_align(mod->init_size);
63964 -                       break;
63965 -               }
63966         }
63967  }
63968  
63969 @@ -2187,7 +2204,7 @@ static void layout_symtab(struct module 
63970  
63971         /* Put symbol section at end of init part of module. */
63972         symsect->sh_flags |= SHF_ALLOC;
63973 -       symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
63974 +       symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
63975                                          info->index.sym) | INIT_OFFSET_MASK;
63976         DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
63977  
63978 @@ -2204,19 +2221,19 @@ static void layout_symtab(struct module 
63979                 }
63980  
63981         /* Append room for core symbols at end of core part. */
63982 -       info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
63983 -       mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
63984 +       info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
63985 +       mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
63986  
63987         /* Put string table section at end of init part of module. */
63988         strsect->sh_flags |= SHF_ALLOC;
63989 -       strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
63990 +       strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
63991                                          info->index.str) | INIT_OFFSET_MASK;
63992         DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
63993  
63994         /* Append room for core symbols' strings at end of core part. */
63995 -       info->stroffs = mod->core_size;
63996 +       info->stroffs = mod->core_size_rx;
63997         __set_bit(0, info->strmap);
63998 -       mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
63999 +       mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
64000  }
64001  
64002  static void add_kallsyms(struct module *mod, const struct load_info *info)
64003 @@ -2232,11 +2249,13 @@ static void add_kallsyms(struct module *
64004         /* Make sure we get permanent strtab: don't use info->strtab. */
64005         mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
64006  
64007 +       pax_open_kernel();
64008 +
64009         /* Set types up while we still have access to sections. */
64010         for (i = 0; i < mod->num_symtab; i++)
64011                 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
64012  
64013 -       mod->core_symtab = dst = mod->module_core + info->symoffs;
64014 +       mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
64015         src = mod->symtab;
64016         *dst = *src;
64017         for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
64018 @@ -2249,10 +2268,12 @@ static void add_kallsyms(struct module *
64019         }
64020         mod->core_num_syms = ndst;
64021  
64022 -       mod->core_strtab = s = mod->module_core + info->stroffs;
64023 +       mod->core_strtab = s = mod->module_core_rx + info->stroffs;
64024         for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
64025                 if (test_bit(i, info->strmap))
64026                         *++s = mod->strtab[i];
64027 +
64028 +       pax_close_kernel();
64029  }
64030  #else
64031  static inline void layout_symtab(struct module *mod, struct load_info *info)
64032 @@ -2286,17 +2307,33 @@ void * __weak module_alloc(unsigned long
64033         return size == 0 ? NULL : vmalloc_exec(size);
64034  }
64035  
64036 -static void *module_alloc_update_bounds(unsigned long size)
64037 +static void *module_alloc_update_bounds_rw(unsigned long size)
64038  {
64039         void *ret = module_alloc(size);
64040  
64041         if (ret) {
64042                 mutex_lock(&module_mutex);
64043                 /* Update module bounds. */
64044 -               if ((unsigned long)ret < module_addr_min)
64045 -                       module_addr_min = (unsigned long)ret;
64046 -               if ((unsigned long)ret + size > module_addr_max)
64047 -                       module_addr_max = (unsigned long)ret + size;
64048 +               if ((unsigned long)ret < module_addr_min_rw)
64049 +                       module_addr_min_rw = (unsigned long)ret;
64050 +               if ((unsigned long)ret + size > module_addr_max_rw)
64051 +                       module_addr_max_rw = (unsigned long)ret + size;
64052 +               mutex_unlock(&module_mutex);
64053 +       }
64054 +       return ret;
64055 +}
64056 +
64057 +static void *module_alloc_update_bounds_rx(unsigned long size)
64058 +{
64059 +       void *ret = module_alloc_exec(size);
64060 +
64061 +       if (ret) {
64062 +               mutex_lock(&module_mutex);
64063 +               /* Update module bounds. */
64064 +               if ((unsigned long)ret < module_addr_min_rx)
64065 +                       module_addr_min_rx = (unsigned long)ret;
64066 +               if ((unsigned long)ret + size > module_addr_max_rx)
64067 +                       module_addr_max_rx = (unsigned long)ret + size;
64068                 mutex_unlock(&module_mutex);
64069         }
64070         return ret;
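Review bot: module_alloc_update_bounds_rw and module_alloc_update_bounds_rx share the same nine-line body, differing only in the allocator called and the min/max pair updated, so the bounds bookkeeping and the module_mutex locking around it are now maintained in two places. A small static helper that takes the allocation result and the pair of bounds keeps the locking in one spot and turns both functions into one-line wrappers. Both keep their names and signatures, so the callers in move_module are unaffected.

```c
/* Record [ret, ret + size) in the given bounds pair; ret may be NULL. */
static void *module_alloc_update_bounds_common(void *ret, unsigned long size,
					       unsigned long *addr_min,
					       unsigned long *addr_max)
{
	if (ret) {
		mutex_lock(&module_mutex);
		/* Update module bounds. */
		if ((unsigned long)ret < *addr_min)
			*addr_min = (unsigned long)ret;
		if ((unsigned long)ret + size > *addr_max)
			*addr_max = (unsigned long)ret + size;
		mutex_unlock(&module_mutex);
	}
	return ret;
}

static void *module_alloc_update_bounds_rw(unsigned long size)
{
	return module_alloc_update_bounds_common(module_alloc(size), size,
						 &module_addr_min_rw,
						 &module_addr_max_rw);
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	return module_alloc_update_bounds_common(module_alloc_exec(size), size,
						 &module_addr_min_rx,
						 &module_addr_max_rx);
}
```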
64071 @@ -2589,7 +2626,7 @@ static int move_module(struct module *mo
64072         void *ptr;
64073  
64074         /* Do the allocs. */
64075 -       ptr = module_alloc_update_bounds(mod->core_size);
64076 +       ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
64077         /*
64078          * The pointer to this block is stored in the module structure
64079          * which is inside the block. Just mark it as not being a
64080 @@ -2599,23 +2636,50 @@ static int move_module(struct module *mo
64081         if (!ptr)
64082                 return -ENOMEM;
64083  
64084 -       memset(ptr, 0, mod->core_size);
64085 -       mod->module_core = ptr;
64086 +       memset(ptr, 0, mod->core_size_rw);
64087 +       mod->module_core_rw = ptr;
64088  
64089 -       ptr = module_alloc_update_bounds(mod->init_size);
64090 +       ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
64091         /*
64092          * The pointer to this block is stored in the module structure
64093          * which is inside the block. This block doesn't need to be
64094          * scanned as it contains data and code that will be freed
64095          * after the module is initialized.
64096          */
64097 -       kmemleak_ignore(ptr);
64098 -       if (!ptr && mod->init_size) {
64099 -               module_free(mod, mod->module_core);
64100 +       kmemleak_not_leak(ptr);
64101 +       if (!ptr && mod->init_size_rw) {
64102 +               module_free(mod, mod->module_core_rw);
64103                 return -ENOMEM;
64104         }
64105 -       memset(ptr, 0, mod->init_size);
64106 -       mod->module_init = ptr;
64107 +       memset(ptr, 0, mod->init_size_rw);
64108 +       mod->module_init_rw = ptr;
64109 +
64110 +       ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
64111 +       kmemleak_not_leak(ptr);
64112 +       if (!ptr) {
64113 +               module_free(mod, mod->module_init_rw);
64114 +               module_free(mod, mod->module_core_rw);
64115 +               return -ENOMEM;
64116 +       }
64117 +
64118 +       pax_open_kernel();
64119 +       memset(ptr, 0, mod->core_size_rx);
64120 +       pax_close_kernel();
64121 +       mod->module_core_rx = ptr;
64122 +
64123 +       ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
64124 +       kmemleak_not_leak(ptr);
64125 +       if (!ptr && mod->init_size_rx) {
64126 +               module_free_exec(mod, mod->module_core_rx);
64127 +               module_free(mod, mod->module_init_rw);
64128 +               module_free(mod, mod->module_core_rw);
64129 +               return -ENOMEM;
64130 +       }
64131 +
64132 +       pax_open_kernel();
64133 +       memset(ptr, 0, mod->init_size_rx);
64134 +       pax_close_kernel();
64135 +       mod->module_init_rx = ptr;
64136  
64137         /* Transfer each section which specifies SHF_ALLOC */
64138         DEBUGP("final section addresses:\n");
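Review bot: The core_rx allocation is treated as failed on a bare NULL (`if (!ptr)`), unlike the init_rx allocation below it, which only fails when `mod->init_size_rx` is non-zero. Since `struct module` itself now lives in the rw block, core_size_rx can be zero for a module with no non-writable ALLOC section (at least without CONFIG_KALLSYMS, which appends the core symbol table to core_size_rx earlier in the patch), and if module_alloc_exec returns NULL for a zero size the way module_alloc does (`return size == 0 ? NULL : ...` on the page), such a load fails with -ENOMEM; `if (!ptr && mod->core_size_rx) {` would mirror the init_rx check, provided the later users of module_core_rx tolerate a NULL base with a zero size. Separately, the comment above the init_rw allocation still says the block "doesn't need to be scanned", but kmemleak_ignore was replaced by kmemleak_not_leak, and if that call keeps scanning the block as its name suggests the comment is now stale. move_module continues outside the hunk.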
64139 @@ -2626,16 +2690,45 @@ static int move_module(struct module *mo
64140                 if (!(shdr->sh_flags & SHF_ALLOC))
64141                         continue;
64142  
64143 -               if (shdr->sh_entsize & INIT_OFFSET_MASK)
64144 -                       dest = mod->module_init
64145 -                               + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
64146 -               else
64147 -                       dest = mod->module_core + shdr->sh_entsize;
64148 +               if (shdr->sh_entsize & INIT_OFFSET_MASK) {
64149 +                       if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
64150 +                               dest = mod->module_init_rw
64151 +                                       + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
64152 +                       else
64153 +                               dest = mod->module_init_rx
64154 +                                       + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
64155 +               } else {
64156 +                       if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
64157 +                               dest = mod->module_core_rw + shdr->sh_entsize;
64158 +                       else
64159 +                               dest = mod->module_core_rx + shdr->sh_entsize;
64160 +               }
64161 +
64162 +               if (shdr->sh_type != SHT_NOBITS) {
64163 +
64164 +#ifdef CONFIG_PAX_KERNEXEC
64165 +#ifdef CONFIG_X86_64
64166 +                       if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
64167 +                               set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
64168 +#endif
64169 +                       if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
64170 +                               pax_open_kernel();
64171 +                               memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
64172 +                               pax_close_kernel();
64173 +                       } else
64174 +#endif
64175  
64176 -               if (shdr->sh_type != SHT_NOBITS)
64177                         memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
64178 +               }
64179                 /* Update sh_addr to point to copy in image. */
64180 -               shdr->sh_addr = (unsigned long)dest;
64181 +
64182 +#ifdef CONFIG_PAX_KERNEXEC
64183 +               if (shdr->sh_flags & SHF_EXECINSTR)
64184 +                       shdr->sh_addr = ktva_ktla((unsigned long)dest);
64185 +               else
64186 +#endif
64187 +
64188 +                       shdr->sh_addr = (unsigned long)dest;
64189                 DEBUGP("\t0x%lx %s\n",
64190                        shdr->sh_addr, info->secstrings + shdr->sh_name);
64191         }
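Review bot: The `!(shdr->sh_flags & SHF_ALLOC)` half of the two new destination tests can never be true here, because the loop already skips non-ALLOC sections with the `continue` at the top of the hunk, so `if (shdr->sh_flags & SHF_WRITE)` is the whole condition (layout_sections uses the same compound test; whether it is dead there too depends on the section masks, which are not on the page). The CONFIG_X86_64 `set_memory_x` on a section that is both SHF_WRITE and SHF_EXECINSTR deliberately leaves part of the rw block writable and executable — the mapping KERNEXEC otherwise rules out — so a comment on that line naming which sections need this and why is worth adding. The `} else` that closes inside the `#ifdef CONFIG_PAX_KERNEXEC` block and binds to the memcpy after `#endif` is easy to misread; bracing the memcpy or moving the `#endif` inside the braces makes the structure visible. move_module continues outside the hunk.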
64192 @@ -2686,12 +2779,12 @@ static void flush_module_icache(const st
64193          * Do it before processing of module parameters, so the module
64194          * can provide parameter accessor functions of its own.
64195          */
64196 -       if (mod->module_init)
64197 -               flush_icache_range((unsigned long)mod->module_init,
64198 -                                  (unsigned long)mod->module_init
64199 -                                  + mod->init_size);
64200 -       flush_icache_range((unsigned long)mod->module_core,
64201 -                          (unsigned long)mod->module_core + mod->core_size);
64202 +       if (mod->module_init_rx)
64203 +               flush_icache_range((unsigned long)mod->module_init_rx,
64204 +                                  (unsigned long)mod->module_init_rx
64205 +                                  + mod->init_size_rx);
64206 +       flush_icache_range((unsigned long)mod->module_core_rx,
64207 +                          (unsigned long)mod->module_core_rx + mod->core_size_rx);
64208  
64209         set_fs(old_fs);
64210  }
64211 @@ -2771,8 +2864,10 @@ static void module_deallocate(struct mod
64212  {
64213         kfree(info->strmap);
64214         percpu_modfree(mod);
64215 -       module_free(mod, mod->module_init);
64216 -       module_free(mod, mod->module_core);
64217 +       module_free_exec(mod, mod->module_init_rx);
64218 +       module_free_exec(mod, mod->module_core_rx);
64219 +       module_free(mod, mod->module_init_rw);
64220 +       module_free(mod, mod->module_core_rw);
64221  }
64222  
64223  int __weak module_finalize(const Elf_Ehdr *hdr,
64224 @@ -2836,9 +2931,38 @@ static struct module *load_module(void _
64225         if (err)
64226                 goto free_unload;
64227  
64228 +       /* Now copy in args */
64229 +       mod->args = strndup_user(uargs, ~0UL >> 1);
64230 +       if (IS_ERR(mod->args)) {
64231 +               err = PTR_ERR(mod->args);
64232 +               goto free_unload;
64233 +       }
64234 +
64235         /* Set up MODINFO_ATTR fields */
64236         setup_modinfo(mod, &info);
64237  
64238 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
64239 +       {
64240 +               char *p, *p2;
64241 +
64242 +               if (strstr(mod->args, "grsec_modharden_netdev")) {
64243 +                       printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
64244 +                       err = -EPERM;
64245 +                       goto free_modinfo;
64246 +               } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
64247 +                       p += strlen("grsec_modharden_normal");
64248 +                       p2 = strstr(p, "_");
64249 +                       if (p2) {
64250 +                               *p2 = '\0';
64251 +                               printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
64252 +                               *p2 = '_';
64253 +                       }
64254 +                       err = -EPERM;
64255 +                       goto free_modinfo;
64256 +               }
64257 +       }
64258 +#endif
64259 +
64260         /* Fix up syms, so that st_value is a pointer to location. */
64261         err = simplify_symbols(mod, &info);
64262         if (err < 0)
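Review bot: The KERN_ALERT message for the netdev case has no trailing `\n`, unlike the uid message below it, so the next printk fragment is appended to the same log line; the format string should end in `instead.\n`. `p2 = strstr(p, "_");` searches for a single character and reads more naturally as `p2 = strchr(p, '_');`. The uid message also writes into mod->args (`*p2 = '\0'` then `*p2 = '_'`) only to bound the printed string, which `%.*s` with `(int)(p2 - p)` as the precision would do without mutating the buffer. load_module continues outside the hunk.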
64263 @@ -2854,13 +2978,6 @@ static struct module *load_module(void _
64264  
64265         flush_module_icache(mod);
64266  
64267 -       /* Now copy in args */
64268 -       mod->args = strndup_user(uargs, ~0UL >> 1);
64269 -       if (IS_ERR(mod->args)) {
64270 -               err = PTR_ERR(mod->args);
64271 -               goto free_arch_cleanup;
64272 -       }
64273 -
64274         /* Mark state as coming so strong_try_module_get() ignores us. */
64275         mod->state = MODULE_STATE_COMING;
64276  
64277 @@ -2920,11 +3037,10 @@ static struct module *load_module(void _
64278   unlock:
64279         mutex_unlock(&module_mutex);
64280         synchronize_sched();
64281 -       kfree(mod->args);
64282 - free_arch_cleanup:
64283         module_arch_cleanup(mod);
64284   free_modinfo:
64285         free_modinfo(mod);
64286 +       kfree(mod->args);
64287   free_unload:
64288         module_unload_free(mod);
64289   free_module:
64290 @@ -2965,16 +3081,16 @@ SYSCALL_DEFINE3(init_module, void __user
64291                         MODULE_STATE_COMING, mod);
64292  
64293         /* Set RO and NX regions for core */
64294 -       set_section_ro_nx(mod->module_core,
64295 -                               mod->core_text_size,
64296 -                               mod->core_ro_size,
64297 -                               mod->core_size);
64298 +       set_section_ro_nx(mod->module_core_rx,
64299 +                               mod->core_size_rx,
64300 +                               mod->core_size_rx,
64301 +                               mod->core_size_rx);
64302  
64303         /* Set RO and NX regions for init */
64304 -       set_section_ro_nx(mod->module_init,
64305 -                               mod->init_text_size,
64306 -                               mod->init_ro_size,
64307 -                               mod->init_size);
64308 +       set_section_ro_nx(mod->module_init_rx,
64309 +                               mod->init_size_rx,
64310 +                               mod->init_size_rx,
64311 +                               mod->init_size_rx);
64312  
64313         do_mod_ctors(mod);
64314         /* Start the module */
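Review bot: Passing `core_size_rx` as text size, RO size and total size makes set_section_ro_nx's NX range empty for the rx block, so every section layout_sections routed there — read-only data as well as text — ends up readable and executable, where before this patch rodata was RO and NX. If that is an accepted consequence of the rw/rx split (the mapping module_alloc_exec returns is not on the page), a comment at the call site such as `/* the whole rx block is RO+X; rodata shares it with text */` keeps the next reader from assuming rodata is still NX; the same applies to the init call below it. The enclosing SYSCALL_DEFINE3 body continues outside the hunk.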
64315 @@ -3020,11 +3136,12 @@ SYSCALL_DEFINE3(init_module, void __user
64316         mod->strtab = mod->core_strtab;
64317  #endif
64318         unset_module_init_ro_nx(mod);
64319 -       module_free(mod, mod->module_init);
64320 -       mod->module_init = NULL;
64321 -       mod->init_size = 0;
64322 -       mod->init_ro_size = 0;
64323 -       mod->init_text_size = 0;
64324 +       module_free(mod, mod->module_init_rw);
64325 +       module_free_exec(mod, mod->module_init_rx);
64326 +       mod->module_init_rw = NULL;
64327 +       mod->module_init_rx = NULL;
64328 +       mod->init_size_rw = 0;
64329 +       mod->init_size_rx = 0;
64330         mutex_unlock(&module_mutex);
64331  
64332         return 0;
64333 @@ -3055,10 +3172,16 @@ static const char *get_ksymbol(struct mo
64334         unsigned long nextval;
64335  
64336         /* At worse, next value is at end of module */
64337 -       if (within_module_init(addr, mod))
64338 -               nextval = (unsigned long)mod->module_init+mod->init_text_size;
64339 +       if (within_module_init_rx(addr, mod))
64340 +               nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
64341 +       else if (within_module_init_rw(addr, mod))
64342 +               nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
64343 +       else if (within_module_core_rx(addr, mod))
64344 +               nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
64345 +       else if (within_module_core_rw(addr, mod))
64346 +               nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
64347         else
64348 -               nextval = (unsigned long)mod->module_core+mod->core_text_size;
64349 +               return NULL;
64350  
64351         /* Scan for closest preceding symbol, and next symbol. (ELF
64352            starts real symbols at 1). */
64353 @@ -3304,7 +3427,7 @@ static int m_show(struct seq_file *m, vo
64354         char buf[8];
64355  
64356         seq_printf(m, "%s %u",
64357 -                  mod->name, mod->init_size + mod->core_size);
64358 +                  mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
64359         print_unload_info(m, mod);
64360  
64361         /* Informative for users. */
64362 @@ -3313,7 +3436,7 @@ static int m_show(struct seq_file *m, vo
64363                    mod->state == MODULE_STATE_COMING ? "Loading":
64364                    "Live");
64365         /* Used by oprofile and other similar tools. */
64366 -       seq_printf(m, " 0x%pK", mod->module_core);
64367 +       seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
64368  
64369         /* Taints info */
64370         if (mod->taints)
64371 @@ -3349,7 +3472,17 @@ static const struct file_operations proc
64372  
64373  static int __init proc_modules_init(void)
64374  {
64375 +#ifndef CONFIG_GRKERNSEC_HIDESYM
64376 +#ifdef CONFIG_GRKERNSEC_PROC_USER
64377 +       proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
64378 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64379 +       proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
64380 +#else
64381         proc_create("modules", 0, NULL, &proc_modules_operations);
64382 +#endif
64383 +#else
64384 +       proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
64385 +#endif
64386         return 0;
64387  }
64388  module_init(proc_modules_init);
64389 @@ -3408,12 +3541,12 @@ struct module *__module_address(unsigned
64390  {
64391         struct module *mod;
64392  
64393 -       if (addr < module_addr_min || addr > module_addr_max)
64394 +       if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
64395 +           (addr < module_addr_min_rw || addr > module_addr_max_rw))
64396                 return NULL;
64397  
64398         list_for_each_entry_rcu(mod, &modules, list)
64399 -               if (within_module_core(addr, mod)
64400 -                   || within_module_init(addr, mod))
64401 +               if (within_module_init(addr, mod) || within_module_core(addr, mod))
64402                         return mod;
64403         return NULL;
64404  }
64405 @@ -3447,11 +3580,20 @@ bool is_module_text_address(unsigned lon
64406   */
64407  struct module *__module_text_address(unsigned long addr)
64408  {
64409 -       struct module *mod = __module_address(addr);
64410 +       struct module *mod;
64411 +
64412 +#ifdef CONFIG_X86_32
64413 +       addr = ktla_ktva(addr);
64414 +#endif
64415 +
64416 +       if (addr < module_addr_min_rx || addr > module_addr_max_rx)
64417 +               return NULL;
64418 +
64419 +       mod = __module_address(addr);
64420 +
64421         if (mod) {
64422                 /* Make sure it's within the text section. */
64423 -               if (!within(addr, mod->module_init, mod->init_text_size)
64424 -                   && !within(addr, mod->module_core, mod->core_text_size))
64425 +               if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
64426                         mod = NULL;
64427         }
64428         return mod;
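--- a/linux-3.1.1/kernel/mutex.c
+++ b/linux-3.1.1/kernel/mutex.c
@@ -198,7 +198,7 @@ __mutex_lock_common(struct mutex *lock, 
        spin_lock_mutex(&lock->wait_lock, flags);
 
        debug_mutex_lock_common(lock, &waiter);
-       debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
+       debug_mutex_add_waiter(lock, &waiter, task);
 
        /* add waiting tasks to the end of the waitqueue (FIFO): */
        list_add_tail(&waiter.list, &lock->wait_list);
@@ -227,8 +227,7 @@ __mutex_lock_common(struct mutex *lock, 
                 * TASK_UNINTERRUPTIBLE case.)
                 */
                if (unlikely(signal_pending_state(state, task))) {
-                       mutex_remove_waiter(lock, &waiter,
-                                           task_thread_info(task));
+                       mutex_remove_waiter(lock, &waiter, task);
                        mutex_release(&lock->dep_map, 1, ip);
                        spin_unlock_mutex(&lock->wait_lock, flags);
 
@@ -249,7 +248,7 @@ __mutex_lock_common(struct mutex *lock, 
 done:
        lock_acquired(&lock->dep_map, ip);
        /* got the lock - rejoice! */
-       mutex_remove_waiter(lock, &waiter, current_thread_info());
+       mutex_remove_waiter(lock, &waiter, task);
        mutex_set_owner(lock);
 
        /* set it to 0 if there are no waiters left: */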
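--- a/linux-3.1.1/kernel/mutex-debug.c
+++ b/linux-3.1.1/kernel/mutex-debug.c
@@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
 }
 
 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
-                           struct thread_info *ti)
+                           struct task_struct *task)
 {
        SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
 
        /* Mark the current thread as blocked on the lock: */
-       ti->task->blocked_on = waiter;
+       task->blocked_on = waiter;
 }
 
 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
-                        struct thread_info *ti)
+                        struct task_struct *task)
 {
        DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
-       DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
-       DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
-       ti->task->blocked_on = NULL;
+       DEBUG_LOCKS_WARN_ON(waiter->task != task);
+       DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
+       task->blocked_on = NULL;
 
        list_del_init(&waiter->list);
        waiter->task = NULL;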
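--- a/linux-3.1.1/kernel/mutex-debug.h
+++ b/linux-3.1.1/kernel/mutex-debug.h
@@ -20,9 +20,9 @@ extern void debug_mutex_wake_waiter(stru
 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
 extern void debug_mutex_add_waiter(struct mutex *lock,
                                   struct mutex_waiter *waiter,
-                                  struct thread_info *ti);
+                                  struct task_struct *task);
 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
-                               struct thread_info *ti);
+                               struct task_struct *task);
 extern void debug_mutex_unlock(struct mutex *lock);
 extern void debug_mutex_init(struct mutex *lock, const char *name,
                             struct lock_class_key *key);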
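--- a/linux-3.1.1/kernel/padata.c
+++ b/linux-3.1.1/kernel/padata.c
@@ -132,10 +132,10 @@ int padata_do_parallel(struct padata_ins
        padata->pd = pd;
        padata->cb_cpu = cb_cpu;
 
-       if (unlikely(atomic_read(&pd->seq_nr) == pd->max_seq_nr))
-               atomic_set(&pd->seq_nr, -1);
+       if (unlikely(atomic_read_unchecked(&pd->seq_nr) == pd->max_seq_nr))
+               atomic_set_unchecked(&pd->seq_nr, -1);
 
-       padata->seq_nr = atomic_inc_return(&pd->seq_nr);
+       padata->seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
 
        target_cpu = padata_cpu_hash(padata);
        queue = per_cpu_ptr(pd->pqueue, target_cpu);
@@ -444,7 +444,7 @@ static struct parallel_data *padata_allo
        padata_init_pqueues(pd);
        padata_init_squeues(pd);
        setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
-       atomic_set(&pd->seq_nr, -1);
+       atomic_set_unchecked(&pd->seq_nr, -1);
        atomic_set(&pd->reorder_objects, 0);
        atomic_set(&pd->refcnt, 0);
        pd->pinst = pinst;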
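Review bot: The switch to `atomic_*_unchecked` on `pd->seq_nr` in both hunks deliberately opts this counter out of reference-counter overflow checking, but nothing at the site records why; a one-line comment such as `/* seq_nr is a wrapping sequence number, not a refcount: overflow is expected */` above the `max_seq_nr` test would keep a later cleanup from reverting it. The declaration of `seq_nr` as `atomic_unchecked_t` presumably lives in the padata header, which is not part of this section, so the two must be kept in step. `reorder_objects` and `refcnt` correctly stay on the checked type, since those are counts rather than sequence numbers.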
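--- a/linux-3.1.1/kernel/panic.c
+++ b/linux-3.1.1/kernel/panic.c
@@ -371,7 +371,7 @@ static void warn_slowpath_common(const c
        const char *board;
 
        printk(KERN_WARNING "------------[ cut here ]------------\n");
-       printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
+       printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
        board = dmi_get_system_info(DMI_PRODUCT_NAME);
        if (board)
                printk(KERN_WARNING "Hardware name: %s\n", board);
@@ -426,7 +426,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
  */
 void __stack_chk_fail(void)
 {
-       panic("stack-protector: Kernel stack is corrupted in: %p\n",
+       dump_stack();
+       panic("stack-protector: Kernel stack is corrupted in: %pA\n",
                __builtin_return_address(0));
 }
 EXPORT_SYMBOL(__stack_chk_fail);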
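Review bot: `dump_stack()` in `__stack_chk_fail` walks a stack the caller has just detected as corrupted, so the unwinder can itself fault before the `panic()` line is reached; that is acceptable as best-effort diagnostics, but a comment such as `/* best effort: the frame chain may already be damaged */` would make the intent explicit. `%pA` in both hunks is not a stock printk conversion, and its meaning is presumably defined by vsprintf changes elsewhere in this patch; a reader of `panic.c` alone cannot tell what it prints or how it differs from the `%pS` it replaces. `warn_slowpath_common`'s body continues outside the first hunk.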
64554 diff -urNp linux-3.1.1/kernel/pid.c linux-3.1.1/kernel/pid.c
64555 --- linux-3.1.1/kernel/pid.c    2011-11-11 15:19:27.000000000 -0500
64556 +++ linux-3.1.1/kernel/pid.c    2011-11-16 18:40:44.000000000 -0500
64557 @@ -33,6 +33,7 @@
64558  #include <linux/rculist.h>
64559  #include <linux/bootmem.h>
64560  #include <linux/hash.h>
64561 +#include <linux/security.h>
64562  #include <linux/pid_namespace.h>
64563  #include <linux/init_task.h>
64564  #include <linux/syscalls.h>
64565 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
64566  
64567  int pid_max = PID_MAX_DEFAULT;
64568  
64569 -#define RESERVED_PIDS          300
64570 +#define RESERVED_PIDS          500
64571  
64572  int pid_max_min = RESERVED_PIDS + 1;
64573  int pid_max_max = PID_MAX_LIMIT;
64574 @@ -418,8 +419,15 @@ EXPORT_SYMBOL(pid_task);
64575   */
64576  struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
64577  {
64578 +       struct task_struct *task;
64579 +
64580         rcu_lockdep_assert(rcu_read_lock_held());
64581 -       return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
64582 +       task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
64583 +
64584 +       if (gr_pid_is_chrooted(task))
64585 +               return NULL;
64586 +
64587 +       return task;
64588  }
64589  
64590  struct task_struct *find_task_by_vpid(pid_t vnr)
64591 @@ -427,6 +435,12 @@ struct task_struct *find_task_by_vpid(pi
64592         return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
64593  }
64594  
64595 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
64596 +{
64597 +       rcu_lockdep_assert(rcu_read_lock_held());       
64598 +       return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
64599 +}
64600 +
64601  struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
64602  {
64603         struct pid *pid;
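Review bot: `find_task_by_vpid_unrestricted` looks up `vnr` directly through `find_pid_ns`, while the restricted path in `find_task_by_pid_ns` passes the number through `vx_rmap_pid()` first; if that mapping matters for the namespace, the two helpers now disagree on which task a given pid names, so either apply it here too, `return pid_task(find_pid_ns(vx_rmap_pid(vnr), current->nsproxy->pid_ns), PIDTYPE_PID);`, or add a comment saying why the unrestricted variant skips it. `gr_pid_is_chrooted(task)` is reached with `task == NULL` whenever `pid_task` finds nothing, so it must tolerate a NULL argument; presumably it does, but that contract is not visible here and a `/* gr_pid_is_chrooted() accepts NULL */` note would save the next reader the lookup. The new helper has no comment stating that it exists to bypass the chroot filter, and its `rcu_lockdep_assert` line carries trailing whitespace. The `RESERVED_PIDS` change from 300 to 500 also moves `pid_max_min`, which is user-visible as the lower bound of the `pid_max` sysctl.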
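--- a/linux-3.1.1/kernel/posix-cpu-timers.c
+++ b/linux-3.1.1/kernel/posix-cpu-timers.c
@@ -6,6 +6,7 @@
 #include <linux/posix-timers.h>
 #include <linux/errno.h>
 #include <linux/math64.h>
+#include <linux/security.h>
 #include <asm/uaccess.h>
 #include <linux/kernel_stat.h>
 #include <trace/events/timer.h>
@@ -1606,14 +1607,14 @@ struct k_clock clock_posix_cpu = {
 
 static __init int init_posix_cpu_timers(void)
 {
-       struct k_clock process = {
+       static struct k_clock process = {
                .clock_getres   = process_cpu_clock_getres,
                .clock_get      = process_cpu_clock_get,
                .timer_create   = process_cpu_timer_create,
                .nsleep         = process_cpu_nsleep,
                .nsleep_restart = process_cpu_nsleep_restart,
        };
-       struct k_clock thread = {
+       static struct k_clock thread = {
                .clock_getres   = thread_cpu_clock_getres,
                .clock_get      = thread_cpu_clock_get,
                .timer_create   = thread_cpu_timer_create,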
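Review bot: The `static` on `process` and `thread` in `init_posix_cpu_timers` is a lifetime fix rather than a style choice: the posix-timers.c section of this same patch makes `posix_timers_register_clock` retain the pointer instead of copying the struct, so an automatic `struct k_clock` would dangle once this `__init` function returns; a comment such as `/* must outlive this __init function: posix_timers_register_clock() keeps the pointer */` would stop a later reader from "optimising" the `static` away. For the same reason these objects must not be tagged `__initdata`, which the hunk correctly does not do. The `#include <linux/security.h>` added in the first hunk has no visible user in this section; the use presumably sits in a part of the file not shown here, and the rest of `init_posix_cpu_timers` is outside the second hunk.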
64632 diff -urNp linux-3.1.1/kernel/posix-timers.c linux-3.1.1/kernel/posix-timers.c
64633 --- linux-3.1.1/kernel/posix-timers.c   2011-11-11 15:19:27.000000000 -0500
64634 +++ linux-3.1.1/kernel/posix-timers.c   2011-11-16 18:40:44.000000000 -0500
64635 @@ -43,6 +43,7 @@
64636  #include <linux/idr.h>
64637  #include <linux/posix-clock.h>
64638  #include <linux/posix-timers.h>
64639 +#include <linux/grsecurity.h>
64640  #include <linux/syscalls.h>
64641  #include <linux/wait.h>
64642  #include <linux/workqueue.h>
64643 @@ -129,7 +130,7 @@ static DEFINE_SPINLOCK(idr_lock);
64644   *         which we beg off on and pass to do_sys_settimeofday().
64645   */
64646  
64647 -static struct k_clock posix_clocks[MAX_CLOCKS];
64648 +static struct k_clock *posix_clocks[MAX_CLOCKS];
64649  
64650  /*
64651   * These ones are defined below.
64652 @@ -227,7 +228,7 @@ static int posix_get_boottime(const cloc
64653   */
64654  static __init int init_posix_timers(void)
64655  {
64656 -       struct k_clock clock_realtime = {
64657 +       static struct k_clock clock_realtime = {
64658                 .clock_getres   = hrtimer_get_res,
64659                 .clock_get      = posix_clock_realtime_get,
64660                 .clock_set      = posix_clock_realtime_set,
64661 @@ -239,7 +240,7 @@ static __init int init_posix_timers(void
64662                 .timer_get      = common_timer_get,
64663                 .timer_del      = common_timer_del,
64664         };
64665 -       struct k_clock clock_monotonic = {
64666 +       static struct k_clock clock_monotonic = {
64667                 .clock_getres   = hrtimer_get_res,
64668                 .clock_get      = posix_ktime_get_ts,
64669                 .nsleep         = common_nsleep,
64670 @@ -249,19 +250,19 @@ static __init int init_posix_timers(void
64671                 .timer_get      = common_timer_get,
64672                 .timer_del      = common_timer_del,
64673         };
64674 -       struct k_clock clock_monotonic_raw = {
64675 +       static struct k_clock clock_monotonic_raw = {
64676                 .clock_getres   = hrtimer_get_res,
64677                 .clock_get      = posix_get_monotonic_raw,
64678         };
64679 -       struct k_clock clock_realtime_coarse = {
64680 +       static struct k_clock clock_realtime_coarse = {
64681                 .clock_getres   = posix_get_coarse_res,
64682                 .clock_get      = posix_get_realtime_coarse,
64683         };
64684 -       struct k_clock clock_monotonic_coarse = {
64685 +       static struct k_clock clock_monotonic_coarse = {
64686                 .clock_getres   = posix_get_coarse_res,
64687                 .clock_get      = posix_get_monotonic_coarse,
64688         };
64689 -       struct k_clock clock_boottime = {
64690 +       static struct k_clock clock_boottime = {
64691                 .clock_getres   = hrtimer_get_res,
64692                 .clock_get      = posix_get_boottime,
64693                 .nsleep         = common_nsleep,
64694 @@ -272,6 +273,8 @@ static __init int init_posix_timers(void
64695                 .timer_del      = common_timer_del,
64696         };
64697  
64698 +       pax_track_stack();
64699 +
64700         posix_timers_register_clock(CLOCK_REALTIME, &clock_realtime);
64701         posix_timers_register_clock(CLOCK_MONOTONIC, &clock_monotonic);
64702         posix_timers_register_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
64703 @@ -473,7 +476,7 @@ void posix_timers_register_clock(const c
64704                 return;
64705         }
64706  
64707 -       posix_clocks[clock_id] = *new_clock;
64708 +       posix_clocks[clock_id] = new_clock;
64709  }
64710  EXPORT_SYMBOL_GPL(posix_timers_register_clock);
64711  
64712 @@ -519,9 +522,9 @@ static struct k_clock *clockid_to_kclock
64713                 return (id & CLOCKFD_MASK) == CLOCKFD ?
64714                         &clock_posix_dynamic : &clock_posix_cpu;
64715  
64716 -       if (id >= MAX_CLOCKS || !posix_clocks[id].clock_getres)
64717 +       if (id >= MAX_CLOCKS || !posix_clocks[id] || !posix_clocks[id]->clock_getres)
64718                 return NULL;
64719 -       return &posix_clocks[id];
64720 +       return posix_clocks[id];
64721  }
64722  
64723  static int common_timer_create(struct k_itimer *new_timer)
64724 @@ -959,6 +962,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
64725         if (copy_from_user(&new_tp, tp, sizeof (*tp)))
64726                 return -EFAULT;
64727  
64728 +       /* only the CLOCK_REALTIME clock can be set, all other clocks
64729 +          have their clock_set fptr set to a nosettime dummy function
64730 +          CLOCK_REALTIME has a NULL clock_set fptr which causes it to
64731 +          call common_clock_set, which calls do_sys_settimeofday, which
64732 +          we hook
64733 +       */
64734 +
64735         return kc->clock_set(which_clock, &new_tp);
64736  }
64737  
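Review bot: `posix_timers_register_clock` now stores `new_clock` itself instead of copying `*new_clock`, which changes an `EXPORT_SYMBOL_GPL` API's contract from "copied on registration" to "the caller's storage must live forever"; that deserves a kerneldoc line on the function, e.g. `@new_clock: must have static storage duration - the pointer is retained, not copied`, since any caller passing an automatic variable would leave a dangling entry in `posix_clocks`. The added `!posix_clocks[id]` test in `clockid_to_kclock` is the right companion check for an array of pointers that starts out NULL. The comment block added before `return kc->clock_set(which_clock, &new_tp);` in `clock_settime` says `CLOCK_REALTIME` has a NULL `clock_set` pointer, but the `clock_realtime` initializer in this same section sets `.clock_set = posix_clock_realtime_set`, so one of the two is stale and the comment should be corrected or dropped. `pax_track_stack()` in `init_posix_timers` is presumably the PaX stack-clearing hook and does not affect the logic here.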
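--- a/linux-3.1.1/kernel/power/poweroff.c
+++ b/linux-3.1.1/kernel/power/poweroff.c
@@ -37,7 +37,7 @@ static struct sysrq_key_op    sysrq_powerof
        .enable_mask    = SYSRQ_ENABLE_BOOT,
 };
 
-static int pm_sysrq_init(void)
+static int __init pm_sysrq_init(void)
 {
        register_sysrq_key('o', &sysrq_poweroff_op);
        return 0;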
64750 diff -urNp linux-3.1.1/kernel/power/process.c linux-3.1.1/kernel/power/process.c
64751 --- linux-3.1.1/kernel/power/process.c  2011-11-11 15:19:27.000000000 -0500
64752 +++ linux-3.1.1/kernel/power/process.c  2011-11-16 18:39:08.000000000 -0500
64753 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
64754         u64 elapsed_csecs64;
64755         unsigned int elapsed_csecs;
64756         bool wakeup = false;
64757 +       bool timedout = false;
64758  
64759         do_gettimeofday(&start);
64760  
64761 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
64762  
64763         while (true) {
64764                 todo = 0;
64765 +               if (time_after(jiffies, end_time))
64766 +                       timedout = true;
64767                 read_lock(&tasklist_lock);
64768                 do_each_thread(g, p) {
64769                         if (frozen(p) || !freezable(p))
64770 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
64771                          * try_to_stop() after schedule() in ptrace/signal
64772                          * stop sees TIF_FREEZE.
64773                          */
64774 -                       if (!task_is_stopped_or_traced(p) &&
64775 -                           !freezer_should_skip(p))
64776 +                       if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
64777                                 todo++;
64778 +                               if (timedout) {
64779 +                                       printk(KERN_ERR "Task refusing to freeze:\n");
64780 +                                       sched_show_task(p);
64781 +                               }
64782 +                       }
64783                 } while_each_thread(g, p);
64784                 read_unlock(&tasklist_lock);
64785  
64786 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
64787                         todo += wq_busy;
64788                 }
64789  
64790 -               if (!todo || time_after(jiffies, end_time))
64791 +               if (!todo || timedout)
64792                         break;
64793  
64794                 if (pm_wakeup_pending()) {
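Review bot: `timedout` is now sampled at the top of the loop, before the thread scan, whereas the original tested `time_after(jiffies, end_time)` after it, so the pass that first observes the deadline still completes a full scan before breaking; the difference is benign but worth a comment, e.g. `/* sample the deadline first so the final pass can report stragglers */`. The new `printk`/`sched_show_task` pair runs under `read_lock(&tasklist_lock)` once per unfrozen thread, so on a large system the final pass can emit a lot of console output; the failure path after the loop, which is outside this section, may already dump the same tasks, in which case the new output duplicates it. `try_to_freeze_tasks` begins and ends outside the hunks shown.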
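--- a/linux-3.1.1/kernel/printk.c
+++ b/linux-3.1.1/kernel/printk.c
@@ -313,6 +313,11 @@ static int check_syslog_permissions(int 
        if (from_file && type != SYSLOG_ACTION_OPEN)
                return 0;
 
+#ifdef CONFIG_GRKERNSEC_DMESG
+       if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
+               return -EPERM;
+#endif
+
        if (syslog_action_restricted(type)) {
                if (capable(CAP_SYSLOG))
                        return 0;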
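Review bot: The new `CONFIG_GRKERNSEC_DMESG` check sits after the `from_file && type != SYSLOG_ACTION_OPEN` early return, so it is enforced at open time for `/proc/kmsg` and on every call for the `syslog(2)` path, but not on later reads through a descriptor that was already open; that matches how the existing capability checks are placed, and a comment such as `/* like the checks below: enforced on open for /proc/kmsg, per call for syslog(2) */` would make the intended coverage explicit. The check also precedes `syslog_action_restricted(type)`, so it gates every action type, including those the stock code would let through; if that is intended, say so in the same comment. The pairing of `capable(CAP_SYSLOG)` with `capable_nolog(CAP_SYS_ADMIN)` presumably controls which of the two denials is audited, which is worth a word too. `check_syslog_permissions` begins outside the hunk.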
64810 diff -urNp linux-3.1.1/kernel/profile.c linux-3.1.1/kernel/profile.c
64811 --- linux-3.1.1/kernel/profile.c        2011-11-11 15:19:27.000000000 -0500
64812 +++ linux-3.1.1/kernel/profile.c        2011-11-16 18:39:08.000000000 -0500
64813 @@ -39,7 +39,7 @@ struct profile_hit {
64814  /* Oprofile timer tick hook */
64815  static int (*timer_hook)(struct pt_regs *) __read_mostly;
64816  
64817 -static atomic_t *prof_buffer;
64818 +static atomic_unchecked_t *prof_buffer;
64819  static unsigned long prof_len, prof_shift;
64820  
64821  int prof_on __read_mostly;
64822 @@ -281,7 +281,7 @@ static void profile_flip_buffers(void)
64823                                         hits[i].pc = 0;
64824                                 continue;
64825                         }
64826 -                       atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
64827 +                       atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
64828                         hits[i].hits = hits[i].pc = 0;
64829                 }
64830         }
64831 @@ -342,9 +342,9 @@ static void do_profile_hits(int type, vo
64832          * Add the current hit(s) and flush the write-queue out
64833          * to the global buffer:
64834          */
64835 -       atomic_add(nr_hits, &prof_buffer[pc]);
64836 +       atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
64837         for (i = 0; i < NR_PROFILE_HIT; ++i) {
64838 -               atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
64839 +               atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
64840                 hits[i].pc = hits[i].hits = 0;
64841         }
64842  out:
64843 @@ -419,7 +419,7 @@ static void do_profile_hits(int type, vo
64844  {
64845         unsigned long pc;
64846         pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
64847 -       atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
64848 +       atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
64849  }
64850  #endif /* !CONFIG_SMP */
64851  
64852 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
64853                         return -EFAULT;
64854                 buf++; p++; count--; read++;
64855         }
64856 -       pnt = (char *)prof_buffer + p - sizeof(atomic_t);
64857 +       pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
64858         if (copy_to_user(buf, (void *)pnt, count))
64859                 return -EFAULT;
64860         read += count;
64861 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
64862         }
64863  #endif
64864         profile_discard_flip_buffers();
64865 -       memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
64866 +       memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
64867         return count;
64868  }
64869  
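Review bot: `read_profile` copies `prof_buffer` to user space byte-for-byte, so the switch to `atomic_unchecked_t` keeps the `/proc/profile` format only if that type has the same size and layout as `atomic_t`; a `BUILD_BUG_ON(sizeof(atomic_unchecked_t) != sizeof(atomic_t));` near the `prof_buffer` declaration would pin that assumption, since readers of the file parse it as fixed-width counters. The `_unchecked` variants opt these hit counters out of overflow detection, which is reasonable for sampling counters, but none of the hunks say so; a short comment on the declaration, `/* sampling counters, not refcounts: wrap silently */`, would record the choice. `profile_flip_buffers`, `do_profile_hits`, `read_profile` and `write_profile` all start outside their hunks.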
64870 diff -urNp linux-3.1.1/kernel/ptrace.c linux-3.1.1/kernel/ptrace.c
64871 --- linux-3.1.1/kernel/ptrace.c 2011-11-11 15:19:27.000000000 -0500
64872 +++ linux-3.1.1/kernel/ptrace.c 2011-11-16 19:50:22.000000000 -0500
64873 @@ -161,7 +161,8 @@ int ptrace_check_attach(struct task_stru
64874         return ret;
64875  }
64876  
64877 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
64878 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
64879 +                              unsigned int log)
64880  {
64881         const struct cred *cred = current_cred(), *tcred;
64882  
64883 @@ -187,7 +188,8 @@ int __ptrace_may_access(struct task_stru
64884              cred->gid == tcred->sgid &&
64885              cred->gid == tcred->gid))
64886                 goto ok;
64887 -       if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
64888 +       if ((!log && ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE)) ||
64889 +           (log && ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)))
64890                 goto ok;
64891         rcu_read_unlock();
64892         return -EPERM;
64893 @@ -196,7 +198,9 @@ ok:
64894         smp_rmb();
64895         if (task->mm)
64896                 dumpable = get_dumpable(task->mm);
64897 -       if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
64898 +       if (!dumpable &&
64899 +               ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
64900 +                (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
64901                 return -EPERM;
64902  
64903         return security_ptrace_access_check(task, mode);
64904 @@ -206,7 +210,16 @@ bool ptrace_may_access(struct task_struc
64905  {
64906         int err;
64907         task_lock(task);
64908 -       err = __ptrace_may_access(task, mode);
64909 +       err = __ptrace_may_access(task, mode, 0);
64910 +       task_unlock(task);
64911 +       return !err;
64912 +}
64913 +
64914 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
64915 +{
64916 +       int err;
64917 +       task_lock(task);
64918 +       err = __ptrace_may_access(task, mode, 1);
64919         task_unlock(task);
64920         return !err;
64921  }
64922 @@ -251,7 +264,7 @@ static int ptrace_attach(struct task_str
64923                 goto out;
64924  
64925         task_lock(task);
64926 -       retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
64927 +       retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
64928         task_unlock(task);
64929         if (retval)
64930                 goto unlock_creds;
64931 @@ -266,7 +279,7 @@ static int ptrace_attach(struct task_str
64932         task->ptrace = PT_PTRACED;
64933         if (seize)
64934                 task->ptrace |= PT_SEIZED;
64935 -       if (task_ns_capable(task, CAP_SYS_PTRACE))
64936 +       if (task_ns_capable_nolog(task, CAP_SYS_PTRACE))
64937                 task->ptrace |= PT_PTRACE_CAP;
64938  
64939         __ptrace_link(task, current);
64940 @@ -461,6 +474,8 @@ int ptrace_readdata(struct task_struct *
64941  {
64942         int copied = 0;
64943  
64944 +       pax_track_stack();
64945 +
64946         while (len > 0) {
64947                 char buf[128];
64948                 int this_len, retval;
64949 @@ -472,7 +487,7 @@ int ptrace_readdata(struct task_struct *
64950                                 break;
64951                         return -EIO;
64952                 }
64953 -               if (copy_to_user(dst, buf, retval))
64954 +               if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
64955                         return -EFAULT;
64956                 copied += retval;
64957                 src += retval;
64958 @@ -486,6 +501,8 @@ int ptrace_writedata(struct task_struct 
64959  {
64960         int copied = 0;
64961  
64962 +       pax_track_stack();
64963 +
64964         while (len > 0) {
64965                 char buf[128];
64966                 int this_len, retval;
64967 @@ -669,10 +686,12 @@ int ptrace_request(struct task_struct *c
64968         bool seized = child->ptrace & PT_SEIZED;
64969         int ret = -EIO;
64970         siginfo_t siginfo, *si;
64971 -       void __user *datavp = (void __user *) data;
64972 +       void __user *datavp = (__force void __user *) data;
64973         unsigned long __user *datalp = datavp;
64974         unsigned long flags;
64975  
64976 +       pax_track_stack();
64977 +
64978         switch (request) {
64979         case PTRACE_PEEKTEXT:
64980         case PTRACE_PEEKDATA:
64981 @@ -871,14 +890,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
64982                 goto out;
64983         }
64984  
64985 +       if (gr_handle_ptrace(child, request)) {
64986 +               ret = -EPERM;
64987 +               goto out_put_task_struct;
64988 +       }
64989 +
64990         if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
64991                 ret = ptrace_attach(child, request, data);
64992                 /*
64993                  * Some architectures need to do book-keeping after
64994                  * a ptrace attach.
64995                  */
64996 -               if (!ret)
64997 +               if (!ret) {
64998                         arch_ptrace_attach(child);
64999 +                       gr_audit_ptrace(child);
65000 +               }
65001                 goto out_put_task_struct;
65002         }
65003  
65004 @@ -904,7 +930,7 @@ int generic_ptrace_peekdata(struct task_
65005         copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
65006         if (copied != sizeof(tmp))
65007                 return -EIO;
65008 -       return put_user(tmp, (unsigned long __user *)data);
65009 +       return put_user(tmp, (__force unsigned long __user *)data);
65010  }
65011  
65012  int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
65013 @@ -927,6 +953,8 @@ int compat_ptrace_request(struct task_st
65014         siginfo_t siginfo;
65015         int ret;
65016  
65017 +       pax_track_stack();
65018 +
65019         switch (request) {
65020         case PTRACE_PEEKTEXT:
65021         case PTRACE_PEEKDATA:
65022 @@ -1014,14 +1042,21 @@ asmlinkage long compat_sys_ptrace(compat
65023                 goto out;
65024         }
65025  
65026 +       if (gr_handle_ptrace(child, request)) {
65027 +               ret = -EPERM;
65028 +               goto out_put_task_struct;
65029 +       }
65030 +
65031         if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
65032                 ret = ptrace_attach(child, request, data);
65033                 /*
65034                  * Some architectures need to do book-keeping after
65035                  * a ptrace attach.
65036                  */
65037 -               if (!ret)
65038 +               if (!ret) {
65039                         arch_ptrace_attach(child);
65040 +                       gr_audit_ptrace(child);
65041 +               }
65042                 goto out_put_task_struct;
65043         }
65044  
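Review bot: `if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))` in `ptrace_readdata` compares an `int` with a `size_t`, so after promotion the test would also trip on a negative `retval`; because `retval` is bounded by `this_len`, which cannot exceed `sizeof(buf)`, the check can only fire on a broken `access_process_vm`, so either write `(size_t)retval > sizeof(buf)` to keep `-Wsign-compare` quiet or make the defensive intent explicit with `WARN_ON_ONCE(retval > this_len)`. `__ptrace_may_access` becomes `static` and gains a `log` argument; any other translation unit that relied on the old external symbol will fail to link, which this section cannot confirm either way, and since `log` is only ever 0 or 1 it reads better as `bool log`. The `gr_handle_ptrace`/`gr_audit_ptrace` additions are duplicated verbatim between `SYSCALL_DEFINE4(ptrace)` and `compat_sys_ptrace`, mirroring the existing duplication, and the `PTRACE_TRACEME` path handled above these hunks appears not to pass through `gr_handle_ptrace`, which may be intentional but deserves a comment. Every function touched here begins outside its hunk.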
65045 diff -urNp linux-3.1.1/kernel/rcutorture.c linux-3.1.1/kernel/rcutorture.c
65046 --- linux-3.1.1/kernel/rcutorture.c     2011-11-11 15:19:27.000000000 -0500
65047 +++ linux-3.1.1/kernel/rcutorture.c     2011-11-16 18:39:08.000000000 -0500
65048 @@ -138,12 +138,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
65049         { 0 };
65050  static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
65051         { 0 };
65052 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
65053 -static atomic_t n_rcu_torture_alloc;
65054 -static atomic_t n_rcu_torture_alloc_fail;
65055 -static atomic_t n_rcu_torture_free;
65056 -static atomic_t n_rcu_torture_mberror;
65057 -static atomic_t n_rcu_torture_error;
65058 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
65059 +static atomic_unchecked_t n_rcu_torture_alloc;
65060 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
65061 +static atomic_unchecked_t n_rcu_torture_free;
65062 +static atomic_unchecked_t n_rcu_torture_mberror;
65063 +static atomic_unchecked_t n_rcu_torture_error;
65064  static long n_rcu_torture_boost_ktrerror;
65065  static long n_rcu_torture_boost_rterror;
65066  static long n_rcu_torture_boost_failure;
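Review bot: The six counters switched to atomic_unchecked_t are test statistics rather than reference counts, so exempting them from REFCOUNT overflow detection looks right, but nothing at the declarations records that reasoning. A comment such as `/* statistics only, never used for object lifetime: exempt from REFCOUNT overflow checks */` above the block would stop a later cleanup from reverting them to atomic_t. The same applies to the remaining rcutorture.c hunks (alloc/free, cb, deferred_free, writer, timer, reader, printk, cleanup, init), which only follow these declarations.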
65067 @@ -223,11 +223,11 @@ rcu_torture_alloc(void)
65068  
65069         spin_lock_bh(&rcu_torture_lock);
65070         if (list_empty(&rcu_torture_freelist)) {
65071 -               atomic_inc(&n_rcu_torture_alloc_fail);
65072 +               atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
65073                 spin_unlock_bh(&rcu_torture_lock);
65074                 return NULL;
65075         }
65076 -       atomic_inc(&n_rcu_torture_alloc);
65077 +       atomic_inc_unchecked(&n_rcu_torture_alloc);
65078         p = rcu_torture_freelist.next;
65079         list_del_init(p);
65080         spin_unlock_bh(&rcu_torture_lock);
65081 @@ -240,7 +240,7 @@ rcu_torture_alloc(void)
65082  static void
65083  rcu_torture_free(struct rcu_torture *p)
65084  {
65085 -       atomic_inc(&n_rcu_torture_free);
65086 +       atomic_inc_unchecked(&n_rcu_torture_free);
65087         spin_lock_bh(&rcu_torture_lock);
65088         list_add_tail(&p->rtort_free, &rcu_torture_freelist);
65089         spin_unlock_bh(&rcu_torture_lock);
65090 @@ -360,7 +360,7 @@ rcu_torture_cb(struct rcu_head *p)
65091         i = rp->rtort_pipe_count;
65092         if (i > RCU_TORTURE_PIPE_LEN)
65093                 i = RCU_TORTURE_PIPE_LEN;
65094 -       atomic_inc(&rcu_torture_wcount[i]);
65095 +       atomic_inc_unchecked(&rcu_torture_wcount[i]);
65096         if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
65097                 rp->rtort_mbtest = 0;
65098                 rcu_torture_free(rp);
65099 @@ -407,7 +407,7 @@ static void rcu_sync_torture_deferred_fr
65100                 i = rp->rtort_pipe_count;
65101                 if (i > RCU_TORTURE_PIPE_LEN)
65102                         i = RCU_TORTURE_PIPE_LEN;
65103 -               atomic_inc(&rcu_torture_wcount[i]);
65104 +               atomic_inc_unchecked(&rcu_torture_wcount[i]);
65105                 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
65106                         rp->rtort_mbtest = 0;
65107                         list_del(&rp->rtort_free);
65108 @@ -882,7 +882,7 @@ rcu_torture_writer(void *arg)
65109                         i = old_rp->rtort_pipe_count;
65110                         if (i > RCU_TORTURE_PIPE_LEN)
65111                                 i = RCU_TORTURE_PIPE_LEN;
65112 -                       atomic_inc(&rcu_torture_wcount[i]);
65113 +                       atomic_inc_unchecked(&rcu_torture_wcount[i]);
65114                         old_rp->rtort_pipe_count++;
65115                         cur_ops->deferred_free(old_rp);
65116                 }
65117 @@ -950,7 +950,7 @@ static void rcu_torture_timer(unsigned l
65118                 return;
65119         }
65120         if (p->rtort_mbtest == 0)
65121 -               atomic_inc(&n_rcu_torture_mberror);
65122 +               atomic_inc_unchecked(&n_rcu_torture_mberror);
65123         spin_lock(&rand_lock);
65124         cur_ops->read_delay(&rand);
65125         n_rcu_torture_timers++;
65126 @@ -1011,7 +1011,7 @@ rcu_torture_reader(void *arg)
65127                         continue;
65128                 }
65129                 if (p->rtort_mbtest == 0)
65130 -                       atomic_inc(&n_rcu_torture_mberror);
65131 +                       atomic_inc_unchecked(&n_rcu_torture_mberror);
65132                 cur_ops->read_delay(&rand);
65133                 preempt_disable();
65134                 pipe_count = p->rtort_pipe_count;
65135 @@ -1070,16 +1070,16 @@ rcu_torture_printk(char *page)
65136                        rcu_torture_current,
65137                        rcu_torture_current_version,
65138                        list_empty(&rcu_torture_freelist),
65139 -                      atomic_read(&n_rcu_torture_alloc),
65140 -                      atomic_read(&n_rcu_torture_alloc_fail),
65141 -                      atomic_read(&n_rcu_torture_free),
65142 -                      atomic_read(&n_rcu_torture_mberror),
65143 +                      atomic_read_unchecked(&n_rcu_torture_alloc),
65144 +                      atomic_read_unchecked(&n_rcu_torture_alloc_fail),
65145 +                      atomic_read_unchecked(&n_rcu_torture_free),
65146 +                      atomic_read_unchecked(&n_rcu_torture_mberror),
65147                        n_rcu_torture_boost_ktrerror,
65148                        n_rcu_torture_boost_rterror,
65149                        n_rcu_torture_boost_failure,
65150                        n_rcu_torture_boosts,
65151                        n_rcu_torture_timers);
65152 -       if (atomic_read(&n_rcu_torture_mberror) != 0 ||
65153 +       if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
65154             n_rcu_torture_boost_ktrerror != 0 ||
65155             n_rcu_torture_boost_rterror != 0 ||
65156             n_rcu_torture_boost_failure != 0)
65157 @@ -1087,7 +1087,7 @@ rcu_torture_printk(char *page)
65158         cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
65159         if (i > 1) {
65160                 cnt += sprintf(&page[cnt], "!!! ");
65161 -               atomic_inc(&n_rcu_torture_error);
65162 +               atomic_inc_unchecked(&n_rcu_torture_error);
65163                 WARN_ON_ONCE(1);
65164         }
65165         cnt += sprintf(&page[cnt], "Reader Pipe: ");
65166 @@ -1101,7 +1101,7 @@ rcu_torture_printk(char *page)
65167         cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
65168         for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
65169                 cnt += sprintf(&page[cnt], " %d",
65170 -                              atomic_read(&rcu_torture_wcount[i]));
65171 +                              atomic_read_unchecked(&rcu_torture_wcount[i]));
65172         }
65173         cnt += sprintf(&page[cnt], "\n");
65174         if (cur_ops->stats)
65175 @@ -1410,7 +1410,7 @@ rcu_torture_cleanup(void)
65176  
65177         if (cur_ops->cleanup)
65178                 cur_ops->cleanup();
65179 -       if (atomic_read(&n_rcu_torture_error))
65180 +       if (atomic_read_unchecked(&n_rcu_torture_error))
65181                 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
65182         else
65183                 rcu_torture_print_module_parms(cur_ops, "End of test: SUCCESS");
65184 @@ -1474,17 +1474,17 @@ rcu_torture_init(void)
65185  
65186         rcu_torture_current = NULL;
65187         rcu_torture_current_version = 0;
65188 -       atomic_set(&n_rcu_torture_alloc, 0);
65189 -       atomic_set(&n_rcu_torture_alloc_fail, 0);
65190 -       atomic_set(&n_rcu_torture_free, 0);
65191 -       atomic_set(&n_rcu_torture_mberror, 0);
65192 -       atomic_set(&n_rcu_torture_error, 0);
65193 +       atomic_set_unchecked(&n_rcu_torture_alloc, 0);
65194 +       atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
65195 +       atomic_set_unchecked(&n_rcu_torture_free, 0);
65196 +       atomic_set_unchecked(&n_rcu_torture_mberror, 0);
65197 +       atomic_set_unchecked(&n_rcu_torture_error, 0);
65198         n_rcu_torture_boost_ktrerror = 0;
65199         n_rcu_torture_boost_rterror = 0;
65200         n_rcu_torture_boost_failure = 0;
65201         n_rcu_torture_boosts = 0;
65202         for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
65203 -               atomic_set(&rcu_torture_wcount[i], 0);
65204 +               atomic_set_unchecked(&rcu_torture_wcount[i], 0);
65205         for_each_possible_cpu(cpu) {
65206                 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
65207                         per_cpu(rcu_torture_count, cpu)[i] = 0;
65208 diff -urNp linux-3.1.1/kernel/rcutree.c linux-3.1.1/kernel/rcutree.c
65209 --- linux-3.1.1/kernel/rcutree.c        2011-11-11 15:19:27.000000000 -0500
65210 +++ linux-3.1.1/kernel/rcutree.c        2011-11-16 18:39:08.000000000 -0500
65211 @@ -356,9 +356,9 @@ void rcu_enter_nohz(void)
65212         }
65213         /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
65214         smp_mb__before_atomic_inc();  /* See above. */
65215 -       atomic_inc(&rdtp->dynticks);
65216 +       atomic_inc_unchecked(&rdtp->dynticks);
65217         smp_mb__after_atomic_inc();  /* Force ordering with next sojourn. */
65218 -       WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
65219 +       WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
65220         local_irq_restore(flags);
65221  
65222         /* If the interrupt queued a callback, get out of dyntick mode. */
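Review bot: The comment at the top of the hunk still says `CPUs seeing atomic_inc() must see prior RCU read-side crit sects` while the call below it is now atomic_inc_unchecked(), and the same mismatch recurs in the rcu_exit_nohz, rcu_nmi_enter and rcu_nmi_exit hunks. Since the parity-based dynticks counter is designed to wrap, exempting it from overflow detection is the intended behaviour; updating the comments to name the unchecked variant, e.g. `/* CPUs seeing atomic_inc_unchecked() must see prior RCU read-side crit sects */`, keeps them accurate. The smp_mb__before/after_atomic_inc() barriers are unchanged, so the ordering argument presumably still holds for the unchecked variant; worth confirming against its definition, which is outside this hunk.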
65223 @@ -387,10 +387,10 @@ void rcu_exit_nohz(void)
65224                 return;
65225         }
65226         smp_mb__before_atomic_inc();  /* Force ordering w/previous sojourn. */
65227 -       atomic_inc(&rdtp->dynticks);
65228 +       atomic_inc_unchecked(&rdtp->dynticks);
65229         /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
65230         smp_mb__after_atomic_inc();  /* See above. */
65231 -       WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
65232 +       WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
65233         local_irq_restore(flags);
65234  }
65235  
65236 @@ -406,14 +406,14 @@ void rcu_nmi_enter(void)
65237         struct rcu_dynticks *rdtp = &__get_cpu_var(rcu_dynticks);
65238  
65239         if (rdtp->dynticks_nmi_nesting == 0 &&
65240 -           (atomic_read(&rdtp->dynticks) & 0x1))
65241 +           (atomic_read_unchecked(&rdtp->dynticks) & 0x1))
65242                 return;
65243         rdtp->dynticks_nmi_nesting++;
65244         smp_mb__before_atomic_inc();  /* Force delay from prior write. */
65245 -       atomic_inc(&rdtp->dynticks);
65246 +       atomic_inc_unchecked(&rdtp->dynticks);
65247         /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
65248         smp_mb__after_atomic_inc();  /* See above. */
65249 -       WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
65250 +       WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
65251  }
65252  
65253  /**
65254 @@ -432,9 +432,9 @@ void rcu_nmi_exit(void)
65255                 return;
65256         /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
65257         smp_mb__before_atomic_inc();  /* See above. */
65258 -       atomic_inc(&rdtp->dynticks);
65259 +       atomic_inc_unchecked(&rdtp->dynticks);
65260         smp_mb__after_atomic_inc();  /* Force delay to next write. */
65261 -       WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
65262 +       WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
65263  }
65264  
65265  /**
65266 @@ -469,7 +469,7 @@ void rcu_irq_exit(void)
65267   */
65268  static int dyntick_save_progress_counter(struct rcu_data *rdp)
65269  {
65270 -       rdp->dynticks_snap = atomic_add_return(0, &rdp->dynticks->dynticks);
65271 +       rdp->dynticks_snap = atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
65272         return 0;
65273  }
65274  
65275 @@ -484,7 +484,7 @@ static int rcu_implicit_dynticks_qs(stru
65276         unsigned long curr;
65277         unsigned long snap;
65278  
65279 -       curr = (unsigned long)atomic_add_return(0, &rdp->dynticks->dynticks);
65280 +       curr = (unsigned long)atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
65281         snap = (unsigned long)rdp->dynticks_snap;
65282  
65283         /*
65284 @@ -1470,7 +1470,7 @@ __rcu_process_callbacks(struct rcu_state
65285  /*
65286   * Do softirq processing for the current CPU.
65287   */
65288 -static void rcu_process_callbacks(struct softirq_action *unused)
65289 +static void rcu_process_callbacks(void)
65290  {
65291         __rcu_process_callbacks(&rcu_sched_state,
65292                                 &__get_cpu_var(rcu_sched_data));
65293 diff -urNp linux-3.1.1/kernel/rcutree.h linux-3.1.1/kernel/rcutree.h
65294 --- linux-3.1.1/kernel/rcutree.h        2011-11-11 15:19:27.000000000 -0500
65295 +++ linux-3.1.1/kernel/rcutree.h        2011-11-16 18:39:08.000000000 -0500
65296 @@ -86,7 +86,7 @@
65297  struct rcu_dynticks {
65298         int dynticks_nesting;   /* Track irq/process nesting level. */
65299         int dynticks_nmi_nesting; /* Track NMI nesting level. */
65300 -       atomic_t dynticks;      /* Even value for dynticks-idle, else odd. */
65301 +       atomic_unchecked_t dynticks;    /* Even value for dynticks-idle, else odd. */
65302  };
65303  
65304  /* RCU's kthread states for tracing. */
65305 diff -urNp linux-3.1.1/kernel/rcutree_plugin.h linux-3.1.1/kernel/rcutree_plugin.h
65306 --- linux-3.1.1/kernel/rcutree_plugin.h 2011-11-11 15:19:27.000000000 -0500
65307 +++ linux-3.1.1/kernel/rcutree_plugin.h 2011-11-16 18:39:08.000000000 -0500
65308 @@ -822,7 +822,7 @@ void synchronize_rcu_expedited(void)
65309  
65310         /* Clean up and exit. */
65311         smp_mb(); /* ensure expedited GP seen before counter increment. */
65312 -       ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
65313 +       ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
65314  unlock_mb_ret:
65315         mutex_unlock(&sync_rcu_preempt_exp_mutex);
65316  mb_ret:
65317 @@ -1774,8 +1774,8 @@ EXPORT_SYMBOL_GPL(synchronize_sched_expe
65318  
65319  #else /* #ifndef CONFIG_SMP */
65320  
65321 -static atomic_t sync_sched_expedited_started = ATOMIC_INIT(0);
65322 -static atomic_t sync_sched_expedited_done = ATOMIC_INIT(0);
65323 +static atomic_unchecked_t sync_sched_expedited_started = ATOMIC_INIT(0);
65324 +static atomic_unchecked_t sync_sched_expedited_done = ATOMIC_INIT(0);
65325  
65326  static int synchronize_sched_expedited_cpu_stop(void *data)
65327  {
65328 @@ -1830,7 +1830,7 @@ void synchronize_sched_expedited(void)
65329         int firstsnap, s, snap, trycount = 0;
65330  
65331         /* Note that atomic_inc_return() implies full memory barrier. */
65332 -       firstsnap = snap = atomic_inc_return(&sync_sched_expedited_started);
65333 +       firstsnap = snap = atomic_inc_return_unchecked(&sync_sched_expedited_started);
65334         get_online_cpus();
65335  
65336         /*
65337 @@ -1851,7 +1851,7 @@ void synchronize_sched_expedited(void)
65338                 }
65339  
65340                 /* Check to see if someone else did our work for us. */
65341 -               s = atomic_read(&sync_sched_expedited_done);
65342 +               s = atomic_read_unchecked(&sync_sched_expedited_done);
65343                 if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) {
65344                         smp_mb(); /* ensure test happens before caller kfree */
65345                         return;
65346 @@ -1866,7 +1866,7 @@ void synchronize_sched_expedited(void)
65347                  * grace period works for us.
65348                  */
65349                 get_online_cpus();
65350 -               snap = atomic_read(&sync_sched_expedited_started) - 1;
65351 +               snap = atomic_read_unchecked(&sync_sched_expedited_started) - 1;
65352                 smp_mb(); /* ensure read is before try_stop_cpus(). */
65353         }
65354  
65355 @@ -1877,12 +1877,12 @@ void synchronize_sched_expedited(void)
65356          * than we did beat us to the punch.
65357          */
65358         do {
65359 -               s = atomic_read(&sync_sched_expedited_done);
65360 +               s = atomic_read_unchecked(&sync_sched_expedited_done);
65361                 if (UINT_CMP_GE((unsigned)s, (unsigned)snap)) {
65362                         smp_mb(); /* ensure test happens before caller kfree */
65363                         break;
65364                 }
65365 -       } while (atomic_cmpxchg(&sync_sched_expedited_done, s, snap) != s);
65366 +       } while (atomic_cmpxchg_unchecked(&sync_sched_expedited_done, s, snap) != s);
65367  
65368         put_online_cpus();
65369  }
65370 diff -urNp linux-3.1.1/kernel/relay.c linux-3.1.1/kernel/relay.c
65371 --- linux-3.1.1/kernel/relay.c  2011-11-11 15:19:27.000000000 -0500
65372 +++ linux-3.1.1/kernel/relay.c  2011-11-16 18:40:44.000000000 -0500
65373 @@ -1236,6 +1236,8 @@ static ssize_t subbuf_splice_actor(struc
65374         };
65375         ssize_t ret;
65376  
65377 +       pax_track_stack();
65378 +
65379         if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
65380                 return 0;
65381         if (splice_grow_spd(pipe, &spd))
65382 diff -urNp linux-3.1.1/kernel/resource.c linux-3.1.1/kernel/resource.c
65383 --- linux-3.1.1/kernel/resource.c       2011-11-11 15:19:27.000000000 -0500
65384 +++ linux-3.1.1/kernel/resource.c       2011-11-16 18:40:44.000000000 -0500
65385 @@ -141,8 +141,18 @@ static const struct file_operations proc
65386  
65387  static int __init ioresources_init(void)
65388  {
65389 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
65390 +#ifdef CONFIG_GRKERNSEC_PROC_USER
65391 +       proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
65392 +       proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
65393 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
65394 +       proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
65395 +       proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
65396 +#endif
65397 +#else
65398         proc_create("ioports", 0, NULL, &proc_ioports_operations);
65399         proc_create("iomem", 0, NULL, &proc_iomem_operations);
65400 +#endif
65401         return 0;
65402  }
65403  __initcall(ioresources_init);
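Review bot: With CONFIG_GRKERNSEC_PROC_ADD enabled but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP defined, the #ifdef ladder contains no proc_create() call at all, so /proc/ioports and /proc/iomem silently disappear rather than being restricted. If that combination is meant to be impossible, an `#error` in an inner `#else` would document it; if hiding the files is intended, a comment saying so would stop it being read as an omission. The proc_create() return values are ignored on every path, as they were before the change.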
65404 diff -urNp linux-3.1.1/kernel/rtmutex-tester.c linux-3.1.1/kernel/rtmutex-tester.c
65405 --- linux-3.1.1/kernel/rtmutex-tester.c 2011-11-11 15:19:27.000000000 -0500
65406 +++ linux-3.1.1/kernel/rtmutex-tester.c 2011-11-16 18:39:08.000000000 -0500
65407 @@ -20,7 +20,7 @@
65408  #define MAX_RT_TEST_MUTEXES    8
65409  
65410  static spinlock_t rttest_lock;
65411 -static atomic_t rttest_event;
65412 +static atomic_unchecked_t rttest_event;
65413  
65414  struct test_thread_data {
65415         int                     opcode;
65416 @@ -61,7 +61,7 @@ static int handle_op(struct test_thread_
65417  
65418         case RTTEST_LOCKCONT:
65419                 td->mutexes[td->opdata] = 1;
65420 -               td->event = atomic_add_return(1, &rttest_event);
65421 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65422                 return 0;
65423  
65424         case RTTEST_RESET:
65425 @@ -74,7 +74,7 @@ static int handle_op(struct test_thread_
65426                 return 0;
65427  
65428         case RTTEST_RESETEVENT:
65429 -               atomic_set(&rttest_event, 0);
65430 +               atomic_set_unchecked(&rttest_event, 0);
65431                 return 0;
65432  
65433         default:
65434 @@ -91,9 +91,9 @@ static int handle_op(struct test_thread_
65435                         return ret;
65436  
65437                 td->mutexes[id] = 1;
65438 -               td->event = atomic_add_return(1, &rttest_event);
65439 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65440                 rt_mutex_lock(&mutexes[id]);
65441 -               td->event = atomic_add_return(1, &rttest_event);
65442 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65443                 td->mutexes[id] = 4;
65444                 return 0;
65445  
65446 @@ -104,9 +104,9 @@ static int handle_op(struct test_thread_
65447                         return ret;
65448  
65449                 td->mutexes[id] = 1;
65450 -               td->event = atomic_add_return(1, &rttest_event);
65451 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65452                 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
65453 -               td->event = atomic_add_return(1, &rttest_event);
65454 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65455                 td->mutexes[id] = ret ? 0 : 4;
65456                 return ret ? -EINTR : 0;
65457  
65458 @@ -115,9 +115,9 @@ static int handle_op(struct test_thread_
65459                 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
65460                         return ret;
65461  
65462 -               td->event = atomic_add_return(1, &rttest_event);
65463 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65464                 rt_mutex_unlock(&mutexes[id]);
65465 -               td->event = atomic_add_return(1, &rttest_event);
65466 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65467                 td->mutexes[id] = 0;
65468                 return 0;
65469  
65470 @@ -164,7 +164,7 @@ void schedule_rt_mutex_test(struct rt_mu
65471                         break;
65472  
65473                 td->mutexes[dat] = 2;
65474 -               td->event = atomic_add_return(1, &rttest_event);
65475 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65476                 break;
65477  
65478         default:
65479 @@ -184,7 +184,7 @@ void schedule_rt_mutex_test(struct rt_mu
65480                         return;
65481  
65482                 td->mutexes[dat] = 3;
65483 -               td->event = atomic_add_return(1, &rttest_event);
65484 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65485                 break;
65486  
65487         case RTTEST_LOCKNOWAIT:
65488 @@ -196,7 +196,7 @@ void schedule_rt_mutex_test(struct rt_mu
65489                         return;
65490  
65491                 td->mutexes[dat] = 1;
65492 -               td->event = atomic_add_return(1, &rttest_event);
65493 +               td->event = atomic_add_return_unchecked(1, &rttest_event);
65494                 return;
65495  
65496         default:
65497 diff -urNp linux-3.1.1/kernel/sched_autogroup.c linux-3.1.1/kernel/sched_autogroup.c
65498 --- linux-3.1.1/kernel/sched_autogroup.c        2011-11-11 15:19:27.000000000 -0500
65499 +++ linux-3.1.1/kernel/sched_autogroup.c        2011-11-16 18:39:08.000000000 -0500
65500 @@ -7,7 +7,7 @@
65501  
65502  unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
65503  static struct autogroup autogroup_default;
65504 -static atomic_t autogroup_seq_nr;
65505 +static atomic_unchecked_t autogroup_seq_nr;
65506  
65507  static void __init autogroup_init(struct task_struct *init_task)
65508  {
65509 @@ -78,7 +78,7 @@ static inline struct autogroup *autogrou
65510  
65511         kref_init(&ag->kref);
65512         init_rwsem(&ag->lock);
65513 -       ag->id = atomic_inc_return(&autogroup_seq_nr);
65514 +       ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
65515         ag->tg = tg;
65516  #ifdef CONFIG_RT_GROUP_SCHED
65517         /*
65518 diff -urNp linux-3.1.1/kernel/sched.c linux-3.1.1/kernel/sched.c
65519 --- linux-3.1.1/kernel/sched.c  2011-11-11 15:19:27.000000000 -0500
65520 +++ linux-3.1.1/kernel/sched.c  2011-11-16 18:40:44.000000000 -0500
65521 @@ -4264,6 +4264,8 @@ static void __sched __schedule(void)
65522         struct rq *rq;
65523         int cpu;
65524  
65525 +       pax_track_stack();
65526 +
65527  need_resched:
65528         preempt_disable();
65529         cpu = smp_processor_id();
65530 @@ -4950,6 +4952,8 @@ int can_nice(const struct task_struct *p
65531         /* convert nice value [19,-20] to rlimit style value [1,40] */
65532         int nice_rlim = 20 - nice;
65533  
65534 +       gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
65535 +
65536         return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
65537                 capable(CAP_SYS_NICE));
65538  }
65539 @@ -4983,7 +4987,8 @@ SYSCALL_DEFINE1(nice, int, increment)
65540         if (nice > 19)
65541                 nice = 19;
65542  
65543 -       if (increment < 0 && !can_nice(current, nice))
65544 +       if (increment < 0 && (!can_nice(current, nice) ||
65545 +                             gr_handle_chroot_nice()))
65546                 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
65547  
65548         retval = security_task_setnice(current, nice);
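Review bot: The new gr_handle_chroot_nice() denial shares the existing return expression `vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM`, so on a context with VXF_IGNEG_NICE set the chroot restriction is reported as success and the nice change is simply skipped, exactly like a failed can_nice(). If the grsecurity check is meant to be a hard policy denial regardless of the vserver flag, it should get its own branch, e.g. `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;` placed before the existing test. Because of the short-circuit `||`, gr_handle_chroot_nice() is only evaluated when can_nice() succeeds, which is presumably intended but worth a comment.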
65549 @@ -5127,6 +5132,7 @@ recheck:
65550                         unsigned long rlim_rtprio =
65551                                         task_rlimit(p, RLIMIT_RTPRIO);
65552  
65553 +                        gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
65554                         /* can't set/change the rt policy */
65555                         if (policy != p->policy && !rlim_rtprio)
65556                                 return -EPERM;
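Review bot: The added `gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);` line appears to be indented with spaces rather than the tab indentation of the surrounding lines (it sits one column right of the comment below it), which checkpatch would flag; re-indenting with tabs keeps the block consistent. The call is made before the rlim_rtprio comparison, so the learning log records every attempted rt priority including those rejected just below; presumably intended. The enclosing __sched_setscheduler body extends outside the hunk.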
65557 diff -urNp linux-3.1.1/kernel/sched_fair.c linux-3.1.1/kernel/sched_fair.c
65558 --- linux-3.1.1/kernel/sched_fair.c     2011-11-11 15:19:27.000000000 -0500
65559 +++ linux-3.1.1/kernel/sched_fair.c     2011-11-16 18:39:08.000000000 -0500
65560 @@ -4062,7 +4062,7 @@ static void nohz_idle_balance(int this_c
65561   * run_rebalance_domains is triggered when needed from the scheduler tick.
65562   * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
65563   */
65564 -static void run_rebalance_domains(struct softirq_action *h)
65565 +static void run_rebalance_domains(void)
65566  {
65567         int this_cpu = smp_processor_id();
65568         struct rq *this_rq = cpu_rq(this_cpu);
65569 diff -urNp linux-3.1.1/kernel/signal.c linux-3.1.1/kernel/signal.c
65570 --- linux-3.1.1/kernel/signal.c 2011-11-11 15:19:27.000000000 -0500
65571 +++ linux-3.1.1/kernel/signal.c 2011-11-16 19:30:04.000000000 -0500
65572 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
65573  
65574  int print_fatal_signals __read_mostly;
65575  
65576 -static void __user *sig_handler(struct task_struct *t, int sig)
65577 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
65578  {
65579         return t->sighand->action[sig - 1].sa.sa_handler;
65580  }
65581  
65582 -static int sig_handler_ignored(void __user *handler, int sig)
65583 +static int sig_handler_ignored(__sighandler_t handler, int sig)
65584  {
65585         /* Is it explicitly or implicitly ignored? */
65586         return handler == SIG_IGN ||
65587 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
65588  static int sig_task_ignored(struct task_struct *t, int sig,
65589                 int from_ancestor_ns)
65590  {
65591 -       void __user *handler;
65592 +       __sighandler_t handler;
65593  
65594         handler = sig_handler(t, sig);
65595  
65596 @@ -364,6 +364,9 @@ __sigqueue_alloc(int sig, struct task_st
65597         atomic_inc(&user->sigpending);
65598         rcu_read_unlock();
65599  
65600 +       if (!override_rlimit)
65601 +               gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
65602 +
65603         if (override_rlimit ||
65604             atomic_read(&user->sigpending) <=
65605                         task_rlimit(t, RLIMIT_SIGPENDING)) {
65606 @@ -488,7 +491,7 @@ flush_signal_handlers(struct task_struct
65607  
65608  int unhandled_signal(struct task_struct *tsk, int sig)
65609  {
65610 -       void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
65611 +       __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
65612         if (is_global_init(tsk))
65613                 return 1;
65614         if (handler != SIG_IGN && handler != SIG_DFL)
65615 @@ -833,6 +836,13 @@ static int check_kill_permission(int sig
65616         if (t->pid == 1 && current->xid)
65617                 return error;
65618  
65619 +       /* allow glibc communication via tgkill to other threads in our
65620 +          thread group */
65621 +       if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
65622 +                       sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
65623 +                       && gr_handle_signal(t, sig))
65624 +               return -EPERM;
65625 +
65626         error = -ESRCH;
65627         /* FIXME: we shouldn't return ESRCH ever, to avoid
65628                   loops, maybe ENOENT or EACCES? */
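Review bot: The added gate dereferences `info->si_code` and `info->si_pid` after testing only for SEND_SIG_NOINFO, so it is safe only if the other special values (SEND_SIG_PRIV, SEND_SIG_FORCED) were already filtered out by an earlier return in check_kill_permission, which lies outside this hunk; a comment recording that dependency, e.g. `/* info is SEND_SIG_NOINFO or a real siginfo here: the earlier si_fromuser() return filtered the other specials */`, would protect the code if that check ever moves. The tgkill exemption trusts si_pid to identify the sender's thread group; that holds for kernel-built SI_TKILL siginfo, but whether user-supplied siginfo can carry SI_TKILL with a foreign si_pid depends on the filtering in the rt_sigqueueinfo path and should be confirmed. The same condition is repeated in the do_send_specific hunk below, so a small shared helper would keep the two in step. check_kill_permission continues outside the hunk.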
65629 @@ -1165,7 +1175,7 @@ __group_send_sig_info(int sig, struct si
65630         return send_signal(sig, info, p, 1);
65631  }
65632  
65633 -static int
65634 +int
65635  specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
65636  {
65637         return send_signal(sig, info, t, 0);
65638 @@ -1202,6 +1212,7 @@ force_sig_info(int sig, struct siginfo *
65639         unsigned long int flags;
65640         int ret, blocked, ignored;
65641         struct k_sigaction *action;
65642 +       int is_unhandled = 0;
65643  
65644         spin_lock_irqsave(&t->sighand->siglock, flags);
65645         action = &t->sighand->action[sig-1];
65646 @@ -1216,9 +1227,18 @@ force_sig_info(int sig, struct siginfo *
65647         }
65648         if (action->sa.sa_handler == SIG_DFL)
65649                 t->signal->flags &= ~SIGNAL_UNKILLABLE;
65650 +       if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
65651 +               is_unhandled = 1;
65652         ret = specific_send_sig_info(sig, info, t);
65653         spin_unlock_irqrestore(&t->sighand->siglock, flags);
65654  
65655 +       /* only deal with unhandled signals, java etc trigger SIGSEGV during
65656 +          normal operation */
65657 +       if (is_unhandled) {
65658 +               gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
65659 +               gr_handle_crash(t, sig);
65660 +       }
65661 +
65662         return ret;
65663  }
65664  
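Review bot: The `action->sa.sa_handler == SIG_IGN` half of the new is_unhandled test looks unreachable: in the body just above the hunk an ignored handler is reset to SIG_DFL before this point (that code is outside the hunk, so this is inferred), leaving SIG_DFL as the only value that can match. Either drop the SIG_IGN comparison or comment why it is kept. is_unhandled is computed under siglock but gr_log_signal()/gr_handle_crash() run after spin_unlock_irqrestore(), so they are not constrained by the lock; a short note above the block would make that ordering deliberate. The declaration of is_unhandled is in the preceding hunk.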
65665 @@ -1285,8 +1305,11 @@ int group_send_sig_info(int sig, struct 
65666         ret = check_kill_permission(sig, info, p);
65667         rcu_read_unlock();
65668  
65669 -       if (!ret && sig)
65670 +       if (!ret && sig) {
65671                 ret = do_send_sig_info(sig, info, p, true);
65672 +               if (!ret)
65673 +                       gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
65674 +       }
65675  
65676         return ret;
65677  }
65678 @@ -1909,6 +1932,8 @@ static void ptrace_do_notify(int signr, 
65679  {
65680         siginfo_t info;
65681  
65682 +       pax_track_stack();
65683 +
65684         memset(&info, 0, sizeof info);
65685         info.si_signo = signr;
65686         info.si_code = exit_code;
65687 @@ -2748,7 +2773,15 @@ do_send_specific(pid_t tgid, pid_t pid, 
65688         int error = -ESRCH;
65689  
65690         rcu_read_lock();
65691 -       p = find_task_by_vpid(pid);
65692 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
65693 +       /* allow glibc communication via tgkill to other threads in our
65694 +          thread group */
65695 +       if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
65696 +           sig == (SIGRTMIN+1) && tgid == info->si_pid)            
65697 +               p = find_task_by_vpid_unrestricted(pid);
65698 +       else
65699 +#endif
65700 +               p = find_task_by_vpid(pid);
65701         if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
65702                 error = check_kill_permission(sig, info, p);
65703                 /*
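Review bot: The exemption condition `info->si_code == SI_TKILL && sig == (SIGRTMIN+1) && tgid == info->si_pid` and its comment duplicate the ones added in the check_kill_permission hunk above; a small static helper holding the test would keep the two copies from drifting apart. The line ending in `tgid == info->si_pid)` carries trailing whitespace. The `else` left dangling before `#endif` is legal but easy to misread; at minimum a comment such as `/* falls through to the restricted lookup when the tgkill exemption does not apply */` would help. do_send_specific continues outside the hunk.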
65704 diff -urNp linux-3.1.1/kernel/smp.c linux-3.1.1/kernel/smp.c
65705 --- linux-3.1.1/kernel/smp.c    2011-11-11 15:19:27.000000000 -0500
65706 +++ linux-3.1.1/kernel/smp.c    2011-11-16 18:39:08.000000000 -0500
65707 @@ -580,22 +580,22 @@ int smp_call_function(smp_call_func_t fu
65708  }
65709  EXPORT_SYMBOL(smp_call_function);
65710  
65711 -void ipi_call_lock(void)
65712 +void ipi_call_lock(void) __acquires(call_function.lock)
65713  {
65714         raw_spin_lock(&call_function.lock);
65715  }
65716  
65717 -void ipi_call_unlock(void)
65718 +void ipi_call_unlock(void) __releases(call_function.lock)
65719  {
65720         raw_spin_unlock(&call_function.lock);
65721  }
65722  
65723 -void ipi_call_lock_irq(void)
65724 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
65725  {
65726         raw_spin_lock_irq(&call_function.lock);
65727  }
65728  
65729 -void ipi_call_unlock_irq(void)
65730 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
65731  {
65732         raw_spin_unlock_irq(&call_function.lock);
65733  }
65734 diff -urNp linux-3.1.1/kernel/softirq.c linux-3.1.1/kernel/softirq.c
65735 --- linux-3.1.1/kernel/softirq.c        2011-11-11 15:19:27.000000000 -0500
65736 +++ linux-3.1.1/kernel/softirq.c        2011-11-16 18:39:08.000000000 -0500
65737 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
65738  
65739  DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
65740  
65741 -char *softirq_to_name[NR_SOFTIRQS] = {
65742 +const char * const softirq_to_name[NR_SOFTIRQS] = {
65743         "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
65744         "TASKLET", "SCHED", "HRTIMER", "RCU"
65745  };
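Review bot: Changing `softirq_to_name` to `const char * const` only compiles if the extern declaration elsewhere (include/linux/interrupt.h in mainline) is changed the same way, since a mismatch is a conflicting-types error; that header is not in this hunk so I could not confirm it. The same applies to the new `void (*action)(void)` prototype of open_softirq() and to every handler signature changed in this series (tasklet_action, tasklet_hi_action here, run_timer_softirq in kernel/timer.c), which must agree with the `struct softirq_action` member type.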
65746 @@ -235,7 +235,7 @@ restart:
65747                         kstat_incr_softirqs_this_cpu(vec_nr);
65748  
65749                         trace_softirq_entry(vec_nr);
65750 -                       h->action(h);
65751 +                       h->action();
65752                         trace_softirq_exit(vec_nr);
65753                         if (unlikely(prev_count != preempt_count())) {
65754                                 printk(KERN_ERR "huh, entered softirq %u %s %p"
65755 @@ -385,9 +385,11 @@ void raise_softirq(unsigned int nr)
65756         local_irq_restore(flags);
65757  }
65758  
65759 -void open_softirq(int nr, void (*action)(struct softirq_action *))
65760 +void open_softirq(int nr, void (*action)(void))
65761  {
65762 -       softirq_vec[nr].action = action;
65763 +       pax_open_kernel();
65764 +       *(void **)&softirq_vec[nr].action = action;
65765 +       pax_close_kernel();
65766  }
65767  
65768  /*
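Review bot: `*(void **)&softirq_vec[nr].action = action;` writes a function pointer through a `void **` lvalue, which discards the type of the `action` member and is an aliasing violation by the letter of the standard; if the member was presumably made `const` so the table can sit in read-only data and only be filled under pax_open_kernel()/pax_close_kernel(), that intent should be stated, e.g. `/* softirq_vec is read-only after boot; the cast drops const to fill it under pax_open_kernel() */`. Whatever the cast hides, the compiler can no longer catch a handler of the wrong signature being stored here, so the `void (*action)(void)` parameter type is now the only check. The absence of a range check on `nr` predates this change.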
65769 @@ -441,7 +443,7 @@ void __tasklet_hi_schedule_first(struct 
65770  
65771  EXPORT_SYMBOL(__tasklet_hi_schedule_first);
65772  
65773 -static void tasklet_action(struct softirq_action *a)
65774 +static void tasklet_action(void)
65775  {
65776         struct tasklet_struct *list;
65777  
65778 @@ -476,7 +478,7 @@ static void tasklet_action(struct softir
65779         }
65780  }
65781  
65782 -static void tasklet_hi_action(struct softirq_action *a)
65783 +static void tasklet_hi_action(void)
65784  {
65785         struct tasklet_struct *list;
65786  
65787 diff -urNp linux-3.1.1/kernel/sys.c linux-3.1.1/kernel/sys.c
65788 --- linux-3.1.1/kernel/sys.c    2011-11-11 15:19:27.000000000 -0500
65789 +++ linux-3.1.1/kernel/sys.c    2011-11-16 18:40:44.000000000 -0500
65790 @@ -157,6 +157,12 @@ static int set_one_prio(struct task_stru
65791                 error = -EACCES;
65792                 goto out;
65793         }
65794 +
65795 +       if (gr_handle_chroot_setpriority(p, niceval)) {
65796 +               error = -EACCES;
65797 +               goto out;
65798 +       }
65799 +
65800         no_nice = security_task_setnice(p, niceval);
65801         if (no_nice) {
65802                 error = no_nice;
65803 @@ -571,6 +577,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
65804                         goto error;
65805         }
65806  
65807 +       if (gr_check_group_change(new->gid, new->egid, -1))
65808 +               goto error;
65809 +
65810         if (rgid != (gid_t) -1 ||
65811             (egid != (gid_t) -1 && egid != old->gid))
65812                 new->sgid = new->egid;
65813 @@ -600,6 +609,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
65814         old = current_cred();
65815  
65816         retval = -EPERM;
65817 +
65818 +       if (gr_check_group_change(gid, gid, gid))
65819 +               goto error;
65820 +
65821         if (nsown_capable(CAP_SETGID))
65822                 new->gid = new->egid = new->sgid = new->fsgid = gid;
65823         else if (gid == old->gid || gid == old->sgid)
65824 @@ -687,6 +700,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
65825                         goto error;
65826         }
65827  
65828 +       if (gr_check_user_change(new->uid, new->euid, -1))
65829 +               goto error;
65830 +
65831         if (new->uid != old->uid) {
65832                 retval = set_user(new);
65833                 if (retval < 0)
65834 @@ -731,6 +747,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
65835         old = current_cred();
65836  
65837         retval = -EPERM;
65838 +
65839 +       if (gr_check_crash_uid(uid))
65840 +               goto error;
65841 +       if (gr_check_user_change(uid, uid, uid))
65842 +               goto error;
65843 +
65844         if (nsown_capable(CAP_SETUID)) {
65845                 new->suid = new->uid = uid;
65846                 if (uid != old->uid) {
65847 @@ -785,6 +807,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, 
65848                         goto error;
65849         }
65850  
65851 +       if (gr_check_user_change(ruid, euid, -1))
65852 +               goto error;
65853 +
65854         if (ruid != (uid_t) -1) {
65855                 new->uid = ruid;
65856                 if (ruid != old->uid) {
65857 @@ -849,6 +874,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, 
65858                         goto error;
65859         }
65860  
65861 +       if (gr_check_group_change(rgid, egid, -1))
65862 +               goto error;
65863 +
65864         if (rgid != (gid_t) -1)
65865                 new->gid = rgid;
65866         if (egid != (gid_t) -1)
65867 @@ -895,6 +923,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
65868         old = current_cred();
65869         old_fsuid = old->fsuid;
65870  
65871 +       if (gr_check_user_change(-1, -1, uid))
65872 +               goto error;
65873 +
65874         if (uid == old->uid  || uid == old->euid  ||
65875             uid == old->suid || uid == old->fsuid ||
65876             nsown_capable(CAP_SETUID)) {
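Review bot: `gr_check_user_change(-1, -1, uid)` runs before setfsuid()'s own permission test, whereas the matching setfsgid hunk further down runs `gr_check_group_change(-1, -1, gid)` inside the `if` after the caller has already passed the gid/capability test; the end result is the same (both fall through to `abort_creds(new)` and return the old value), but if gr_check_*_change logs a denial, setfsuid will log attempts the kernel would have refused anyway. Moving the call inside the `if (uid == old->uid || ...)` block would make the two syscalls mirror each other. The `error:` label this `goto` targets is introduced by the next hunk, so the two hunks only build together. Returning `old_fsuid` on a grsec denial matches setfsuid()'s contract of never reporting an errno.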
65877 @@ -905,6 +936,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
65878                 }
65879         }
65880  
65881 +error:
65882         abort_creds(new);
65883         return old_fsuid;
65884  
65885 @@ -931,12 +963,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
65886         if (gid == old->gid  || gid == old->egid  ||
65887             gid == old->sgid || gid == old->fsgid ||
65888             nsown_capable(CAP_SETGID)) {
65889 +               if (gr_check_group_change(-1, -1, gid))
65890 +                       goto error;
65891 +
65892                 if (gid != old_fsgid) {
65893                         new->fsgid = gid;
65894                         goto change_okay;
65895                 }
65896         }
65897  
65898 +error:
65899         abort_creds(new);
65900         return old_fsgid;
65901  
65902 @@ -1242,19 +1278,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_
65903                 return -EFAULT;
65904  
65905         down_read(&uts_sem);
65906 -       error = __copy_to_user(&name->sysname, &utsname()->sysname,
65907 +       error = __copy_to_user(name->sysname, &utsname()->sysname,
65908                                __OLD_UTS_LEN);
65909         error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
65910 -       error |= __copy_to_user(&name->nodename, &utsname()->nodename,
65911 +       error |= __copy_to_user(name->nodename, &utsname()->nodename,
65912                                 __OLD_UTS_LEN);
65913         error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
65914 -       error |= __copy_to_user(&name->release, &utsname()->release,
65915 +       error |= __copy_to_user(name->release, &utsname()->release,
65916                                 __OLD_UTS_LEN);
65917         error |= __put_user(0, name->release + __OLD_UTS_LEN);
65918 -       error |= __copy_to_user(&name->version, &utsname()->version,
65919 +       error |= __copy_to_user(name->version, &utsname()->version,
65920                                 __OLD_UTS_LEN);
65921         error |= __put_user(0, name->version + __OLD_UTS_LEN);
65922 -       error |= __copy_to_user(&name->machine, &utsname()->machine,
65923 +       error |= __copy_to_user(name->machine, &utsname()->machine,
65924                                 __OLD_UTS_LEN);
65925         error |= __put_user(0, name->machine + __OLD_UTS_LEN);
65926         up_read(&uts_sem);
65927 @@ -1717,7 +1753,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
65928                         error = get_dumpable(me->mm);
65929                         break;
65930                 case PR_SET_DUMPABLE:
65931 -                       if (arg2 < 0 || arg2 > 1) {
65932 +                       if (arg2 > 1) {
65933                                 error = -EINVAL;
65934                                 break;
65935                         }
65936 diff -urNp linux-3.1.1/kernel/sysctl_binary.c linux-3.1.1/kernel/sysctl_binary.c
65937 --- linux-3.1.1/kernel/sysctl_binary.c  2011-11-11 15:19:27.000000000 -0500
65938 +++ linux-3.1.1/kernel/sysctl_binary.c  2011-11-16 18:39:08.000000000 -0500
65939 @@ -989,7 +989,7 @@ static ssize_t bin_intvec(struct file *f
65940                 int i;
65941  
65942                 set_fs(KERNEL_DS);
65943 -               result = vfs_read(file, buffer, BUFSZ - 1, &pos);
65944 +               result = vfs_read(file, (char __force_user *)buffer, BUFSZ - 1, &pos);
65945                 set_fs(old_fs);
65946                 if (result < 0)
65947                         goto out_kfree;
65948 @@ -1034,7 +1034,7 @@ static ssize_t bin_intvec(struct file *f
65949                 }
65950  
65951                 set_fs(KERNEL_DS);
65952 -               result = vfs_write(file, buffer, str - buffer, &pos);
65953 +               result = vfs_write(file, (const char __force_user *)buffer, str - buffer, &pos);
65954                 set_fs(old_fs);
65955                 if (result < 0)
65956                         goto out_kfree;
65957 @@ -1067,7 +1067,7 @@ static ssize_t bin_ulongvec(struct file 
65958                 int i;
65959  
65960                 set_fs(KERNEL_DS);
65961 -               result = vfs_read(file, buffer, BUFSZ - 1, &pos);
65962 +               result = vfs_read(file, (char __force_user *)buffer, BUFSZ - 1, &pos);
65963                 set_fs(old_fs);
65964                 if (result < 0)
65965                         goto out_kfree;
65966 @@ -1112,7 +1112,7 @@ static ssize_t bin_ulongvec(struct file 
65967                 }
65968  
65969                 set_fs(KERNEL_DS);
65970 -               result = vfs_write(file, buffer, str - buffer, &pos);
65971 +               result = vfs_write(file, (const char __force_user *)buffer, str - buffer, &pos);
65972                 set_fs(old_fs);
65973                 if (result < 0)
65974                         goto out_kfree;
65975 @@ -1138,7 +1138,7 @@ static ssize_t bin_uuid(struct file *fil
65976                 int i;
65977  
65978                 set_fs(KERNEL_DS);
65979 -               result = vfs_read(file, buf, sizeof(buf) - 1, &pos);
65980 +               result = vfs_read(file, (char __force_user *)buf, sizeof(buf) - 1, &pos);
65981                 set_fs(old_fs);
65982                 if (result < 0)
65983                         goto out;
65984 @@ -1185,7 +1185,7 @@ static ssize_t bin_dn_node_address(struc
65985                 __le16 dnaddr;
65986  
65987                 set_fs(KERNEL_DS);
65988 -               result = vfs_read(file, buf, sizeof(buf) - 1, &pos);
65989 +               result = vfs_read(file, (char __force_user *)buf, sizeof(buf) - 1, &pos);
65990                 set_fs(old_fs);
65991                 if (result < 0)
65992                         goto out;
65993 @@ -1233,7 +1233,7 @@ static ssize_t bin_dn_node_address(struc
65994                                 le16_to_cpu(dnaddr) & 0x3ff);
65995  
65996                 set_fs(KERNEL_DS);
65997 -               result = vfs_write(file, buf, len, &pos);
65998 +               result = vfs_write(file, (const char __force_user *)buf, len, &pos);
65999                 set_fs(old_fs);
66000                 if (result < 0)
66001                         goto out;
66002 diff -urNp linux-3.1.1/kernel/sysctl.c linux-3.1.1/kernel/sysctl.c
66003 --- linux-3.1.1/kernel/sysctl.c 2011-11-11 15:19:27.000000000 -0500
66004 +++ linux-3.1.1/kernel/sysctl.c 2011-11-16 18:40:44.000000000 -0500
66005 @@ -85,6 +85,13 @@
66006  
66007  
66008  #if defined(CONFIG_SYSCTL)
66009 +#include <linux/grsecurity.h>
66010 +#include <linux/grinternal.h>
66011 +
66012 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
66013 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
66014 +                               const int op);
66015 +extern int gr_handle_chroot_sysctl(const int op);
66016  
66017  /* External variables not in a header file. */
66018  extern int sysctl_overcommit_memory;
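Review bot: The three `extern` prototypes for gr_handle_sysctl(), gr_handle_sysctl_mod() and gr_handle_chroot_sysctl() are declared in a .c file directly after `<linux/grsecurity.h>` is included; unless that header (not in view) already declares them, they belong there so the definitions and every caller are checked against one prototype. `const ctl_table *table` uses the typedef, while the rest of this file writes `struct ctl_table`. gr_handle_sysctl() is declared as returning `__u32` although the sysctl_perm() hunk below treats its result as an `int` errno.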
66019 @@ -197,6 +204,7 @@ static int sysrq_sysctl_handler(ctl_tabl
66020  }
66021  
66022  #endif
66023 +extern struct ctl_table grsecurity_table[];
66024  
66025  static struct ctl_table root_table[];
66026  static struct ctl_table_root sysctl_table_root;
66027 @@ -226,6 +234,20 @@ extern struct ctl_table epoll_table[];
66028  int sysctl_legacy_va_layout;
66029  #endif
66030  
66031 +#ifdef CONFIG_PAX_SOFTMODE
66032 +static ctl_table pax_table[] = {
66033 +       {
66034 +               .procname       = "softmode",
66035 +               .data           = &pax_softmode,
66036 +               .maxlen         = sizeof(unsigned int),
66037 +               .mode           = 0600,
66038 +               .proc_handler   = &proc_dointvec,
66039 +       },
66040 +
66041 +       { }
66042 +};
66043 +#endif
66044 +
66045  /* The default sysctl tables: */
66046  
66047  static struct ctl_table root_table[] = {
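Review bot: The `softmode` entry uses `proc_dointvec` with no `extra1`/`extra2`, so any int, negative values included, can be written to `pax_softmode`; if the flag is boolean, `proc_dointvec_minmax` with `.extra1 = &zero, .extra2 = &one` (both defined earlier in this file and used by neighbouring entries) would pin it to 0/1. `.proc_handler = &proc_dointvec` takes the address explicitly where the rest of the table writes the bare function name. Mode 0600 on the entry and 0500 on the `pax` directory in the kern_table hunk below are consistent with each other.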
66048 @@ -272,6 +294,22 @@ static int max_extfrag_threshold = 1000;
66049  #endif
66050  
66051  static struct ctl_table kern_table[] = {
66052 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
66053 +       {
66054 +               .procname       = "grsecurity",
66055 +               .mode           = 0500,
66056 +               .child          = grsecurity_table,
66057 +       },
66058 +#endif
66059 +
66060 +#ifdef CONFIG_PAX_SOFTMODE
66061 +       {
66062 +               .procname       = "pax",
66063 +               .mode           = 0500,
66064 +               .child          = pax_table,
66065 +       },
66066 +#endif
66067 +
66068         {
66069                 .procname       = "sched_child_runs_first",
66070                 .data           = &sysctl_sched_child_runs_first,
66071 @@ -546,7 +584,7 @@ static struct ctl_table kern_table[] = {
66072                 .data           = &modprobe_path,
66073                 .maxlen         = KMOD_PATH_LEN,
66074                 .mode           = 0644,
66075 -               .proc_handler   = proc_dostring,
66076 +               .proc_handler   = proc_dostring_modpriv,
66077         },
66078         {
66079                 .procname       = "modules_disabled",
66080 @@ -713,16 +751,20 @@ static struct ctl_table kern_table[] = {
66081                 .extra1         = &zero,
66082                 .extra2         = &one,
66083         },
66084 +#endif
66085         {
66086                 .procname       = "kptr_restrict",
66087                 .data           = &kptr_restrict,
66088                 .maxlen         = sizeof(int),
66089                 .mode           = 0644,
66090                 .proc_handler   = proc_dmesg_restrict,
66091 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66092 +               .extra1         = &two,
66093 +#else
66094                 .extra1         = &zero,
66095 +#endif
66096                 .extra2         = &two,
66097         },
66098 -#endif
66099         {
66100                 .procname       = "ngroups_max",
66101                 .data           = &ngroups_max,
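Review bot: Moving the `#endif` past the `kptr_restrict` entry takes it out of the preprocessor block that previously enclosed it (CONFIG_PRINTK in mainline 3.1, where proc_dmesg_restrict() is also defined under the same guard); if proc_dmesg_restrict() is not made available outside that block by another part of this series, a CONFIG_PRINTK=n build will now fail on this entry. Under CONFIG_GRKERNSEC_HIDESYM, `.extra1 = &two` together with `.extra2 = &two` leaves 2 as the only writable value, which looks intentional but deserves a comment, e.g. `/* HIDESYM: kptr_restrict is pinned to 2 */`.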
66102 @@ -1205,6 +1247,13 @@ static struct ctl_table vm_table[] = {
66103                 .proc_handler   = proc_dointvec_minmax,
66104                 .extra1         = &zero,
66105         },
66106 +       {
66107 +               .procname       = "heap_stack_gap",
66108 +               .data           = &sysctl_heap_stack_gap,
66109 +               .maxlen         = sizeof(sysctl_heap_stack_gap),
66110 +               .mode           = 0644,
66111 +               .proc_handler   = proc_doulongvec_minmax,
66112 +       },
66113  #else
66114         {
66115                 .procname       = "nr_trim_pages",
66116 @@ -1709,6 +1758,17 @@ static int test_perm(int mode, int op)
66117  int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
66118  {
66119         int mode;
66120 +       int error;
66121 +
66122 +       if (table->parent != NULL && table->parent->procname != NULL &&
66123 +          table->procname != NULL &&
66124 +           gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
66125 +               return -EACCES;
66126 +       if (gr_handle_chroot_sysctl(op))
66127 +               return -EACCES;
66128 +       error = gr_handle_sysctl(table, op);
66129 +       if (error)
66130 +               return error;
66131  
66132         if (root->permissions)
66133                 mode = root->permissions(root, current->nsproxy, table);
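Review bot: `error = gr_handle_sysctl(table, op)` stores a value declared as `__u32` (in the extern at the top of this file) into `int error` and returns it as an errno; if the callee returns negative errno values the round trip happens to work, but the declaration should be `int` so the compiler can check the contract. The three grsec checks run before `root->permissions()` and test_perm(), so a grsec denial takes precedence over the table's own mode bits; that ordering looks deliberate and is worth one comment line. The continuation `table->procname != NULL &&` is indented one column differently from its neighbours. sysctl_perm()'s body continues past the hunk.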
66134 @@ -2113,6 +2173,16 @@ int proc_dostring(struct ctl_table *tabl
66135                                buffer, lenp, ppos);
66136  }
66137  
66138 +int proc_dostring_modpriv(struct ctl_table *table, int write,
66139 +                 void __user *buffer, size_t *lenp, loff_t *ppos)
66140 +{
66141 +       if (write && !capable(CAP_SYS_MODULE))
66142 +               return -EPERM;
66143 +
66144 +       return _proc_do_string(table->data, table->maxlen, write,
66145 +                              buffer, lenp, ppos);
66146 +}
66147 +
66148  static size_t proc_skip_spaces(char **buf)
66149  {
66150         size_t ret;
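Review bot: proc_dostring_modpriv() lacks the kernel-doc block that proc_dostring() and the other handlers in this file carry; a comment saying it behaves as proc_dostring() but refuses writes without CAP_SYS_MODULE (it is wired to `modprobe_path` in an earlier hunk) would make the `-EPERM` self-explanatory. Checking `capable(CAP_SYS_MODULE)` against the writing task is the right guard here, since `modprobe_path` names a binary the kernel later executes. sysctl_check.c and the EXPORT_SYMBOL hunk reference this function, so a prototype in include/linux/sysctl.h is needed; that header is not in view.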
66151 @@ -2218,6 +2288,8 @@ static int proc_put_long(void __user **b
66152         len = strlen(tmp);
66153         if (len > *size)
66154                 len = *size;
66155 +       if (len > sizeof(tmp))
66156 +               len = sizeof(tmp);
66157         if (copy_to_user(*buf, tmp, len))
66158                 return -EFAULT;
66159         *size -= len;
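Review bot: The added `if (len > sizeof(tmp)) len = sizeof(tmp);` cannot change `len`: it was set from `strlen(tmp)` two lines up, which is already below `sizeof(tmp)` for a NUL-terminated array, and then clamped to `*size`. If it exists to satisfy a static checker or a hardened copy_to_user() that cannot see the strlen bound, a one-line comment should say so, otherwise it is dead code. `tmp`'s declaration lies above the hunk, so this assumes it is a fixed-size array rather than a pointer.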
66160 @@ -2534,8 +2606,11 @@ static int __do_proc_doulongvec_minmax(v
66161                         *i = val;
66162                 } else {
66163                         val = convdiv * (*i) / convmul;
66164 -                       if (!first)
66165 +                       if (!first) {
66166                                 err = proc_put_char(&buffer, &left, '\t');
66167 +                               if (err)
66168 +                                       break;
66169 +                       }
66170                         err = proc_put_long(&buffer, &left, val, false);
66171                         if (err)
66172                                 break;
66173 @@ -2930,6 +3005,12 @@ int proc_dostring(struct ctl_table *tabl
66174         return -ENOSYS;
66175  }
66176  
66177 +int proc_dostring_modpriv(struct ctl_table *table, int write,
66178 +                 void __user *buffer, size_t *lenp, loff_t *ppos)
66179 +{
66180 +       return -ENOSYS;
66181 +}
66182 +
66183  int proc_dointvec(struct ctl_table *table, int write,
66184                   void __user *buffer, size_t *lenp, loff_t *ppos)
66185  {
66186 @@ -2986,6 +3067,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
66187  EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
66188  EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
66189  EXPORT_SYMBOL(proc_dostring);
66190 +EXPORT_SYMBOL(proc_dostring_modpriv);
66191  EXPORT_SYMBOL(proc_doulongvec_minmax);
66192  EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
66193  EXPORT_SYMBOL(register_sysctl_table);
66194 diff -urNp linux-3.1.1/kernel/sysctl_check.c linux-3.1.1/kernel/sysctl_check.c
66195 --- linux-3.1.1/kernel/sysctl_check.c   2011-11-11 15:19:27.000000000 -0500
66196 +++ linux-3.1.1/kernel/sysctl_check.c   2011-11-16 18:40:44.000000000 -0500
66197 @@ -129,6 +129,7 @@ int sysctl_check_table(struct nsproxy *n
66198                                 set_fail(&fail, table, "Directory with extra2");
66199                 } else {
66200                         if ((table->proc_handler == proc_dostring) ||
66201 +                           (table->proc_handler == proc_dostring_modpriv) ||
66202                             (table->proc_handler == proc_dointvec) ||
66203                             (table->proc_handler == proc_dointvec_minmax) ||
66204                             (table->proc_handler == proc_dointvec_jiffies) ||
66205 diff -urNp linux-3.1.1/kernel/taskstats.c linux-3.1.1/kernel/taskstats.c
66206 --- linux-3.1.1/kernel/taskstats.c      2011-11-11 15:19:27.000000000 -0500
66207 +++ linux-3.1.1/kernel/taskstats.c      2011-11-16 19:35:09.000000000 -0500
66208 @@ -27,9 +27,12 @@
66209  #include <linux/cgroup.h>
66210  #include <linux/fs.h>
66211  #include <linux/file.h>
66212 +#include <linux/grsecurity.h>
66213  #include <net/genetlink.h>
66214  #include <linux/atomic.h>
66215  
66216 +extern int gr_is_taskstats_denied(int pid);
66217 +
66218  /*
66219   * Maximum length of a cpumask that can be specified in
66220   * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
66221 @@ -556,6 +559,9 @@ err:
66222  
66223  static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
66224  {
66225 +       if (gr_is_taskstats_denied(current->pid))
66226 +               return -EACCES;
66227 +
66228         if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
66229                 return cmd_attr_register_cpumask(info);
66230         else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
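Review bot: `gr_is_taskstats_denied(current->pid)` passes the raw global pid field where the kernel convention is `task_pid_nr(current)` or, if the policy is per process rather than per thread, `task_tgid_nr(current)`; which one the callee expects is not visible here and should be confirmed. The extern prototype sits in this .c file right after `<linux/grsecurity.h>` is included and should move into that header if it does not already declare it. Denying before the attribute dispatch is the right spot, since every command handled by taskstats_user_cmd() is then covered.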
66231 diff -urNp linux-3.1.1/kernel/time/alarmtimer.c linux-3.1.1/kernel/time/alarmtimer.c
66232 --- linux-3.1.1/kernel/time/alarmtimer.c        2011-11-11 15:19:27.000000000 -0500
66233 +++ linux-3.1.1/kernel/time/alarmtimer.c        2011-11-16 18:39:08.000000000 -0500
66234 @@ -693,7 +693,7 @@ static int __init alarmtimer_init(void)
66235  {
66236         int error = 0;
66237         int i;
66238 -       struct k_clock alarm_clock = {
66239 +       static struct k_clock alarm_clock = {
66240                 .clock_getres   = alarm_clock_getres,
66241                 .clock_get      = alarm_clock_get,
66242                 .timer_create   = alarm_timer_create,
66243 diff -urNp linux-3.1.1/kernel/time/tick-broadcast.c linux-3.1.1/kernel/time/tick-broadcast.c
66244 --- linux-3.1.1/kernel/time/tick-broadcast.c    2011-11-11 15:19:27.000000000 -0500
66245 +++ linux-3.1.1/kernel/time/tick-broadcast.c    2011-11-16 18:39:08.000000000 -0500
66246 @@ -115,7 +115,7 @@ int tick_device_uses_broadcast(struct cl
66247                  * then clear the broadcast bit.
66248                  */
66249                 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
66250 -                       int cpu = smp_processor_id();
66251 +                       cpu = smp_processor_id();
66252  
66253                         cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
66254                         tick_broadcast_clear_oneshot(cpu);
66255 diff -urNp linux-3.1.1/kernel/time/timekeeping.c linux-3.1.1/kernel/time/timekeeping.c
66256 --- linux-3.1.1/kernel/time/timekeeping.c       2011-11-11 15:19:27.000000000 -0500
66257 +++ linux-3.1.1/kernel/time/timekeeping.c       2011-11-16 18:40:44.000000000 -0500
66258 @@ -14,6 +14,7 @@
66259  #include <linux/init.h>
66260  #include <linux/mm.h>
66261  #include <linux/sched.h>
66262 +#include <linux/grsecurity.h>
66263  #include <linux/syscore_ops.h>
66264  #include <linux/clocksource.h>
66265  #include <linux/jiffies.h>
66266 @@ -361,6 +362,8 @@ int do_settimeofday(const struct timespe
66267         if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
66268                 return -EINVAL;
66269  
66270 +       gr_log_timechange();
66271 +
66272         write_seqlock_irqsave(&xtime_lock, flags);
66273  
66274         timekeeping_forward_now();
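Review bot: `gr_log_timechange()` runs after the argument check but before `write_seqlock_irqsave()`, so a log entry is written for every validated call to do_settimeofday(), including kernel-internal callers such as RTC-to-system-clock sync at boot, not only the settimeofday/clock_settime syscall paths; if only user-initiated changes are meant to be logged, the call belongs in do_sys_settimeofday() (the kernel/time.c hunk already logs there for the tz-only case) or clock_settime(). Placing it outside the seqlock is otherwise right if, as I assume, the log function may sleep. do_settimeofday()'s body continues outside the hunk.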
66275 diff -urNp linux-3.1.1/kernel/time/timer_list.c linux-3.1.1/kernel/time/timer_list.c
66276 --- linux-3.1.1/kernel/time/timer_list.c        2011-11-11 15:19:27.000000000 -0500
66277 +++ linux-3.1.1/kernel/time/timer_list.c        2011-11-16 18:40:44.000000000 -0500
66278 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
66279  
66280  static void print_name_offset(struct seq_file *m, void *sym)
66281  {
66282 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66283 +       SEQ_printf(m, "<%p>", NULL);
66284 +#else
66285         char symname[KSYM_NAME_LEN];
66286  
66287         if (lookup_symbol_name((unsigned long)sym, symname) < 0)
66288                 SEQ_printf(m, "<%pK>", sym);
66289         else
66290                 SEQ_printf(m, "%s", symname);
66291 +#endif
66292  }
66293  
66294  static void
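Review bot: Under CONFIG_GRKERNSEC_HIDESYM, `SEQ_printf(m, "<%p>", NULL)` prints the "(null)" placeholder that vsprintf substitutes for a NULL `%p` argument rather than an address, so the output format changes and the symbol name, the useful part of the line, is dropped even for readers permitted to see it; the existing `%pK` already zeroes the pointer according to kptr_restrict, which the sysctl.c hunk in this series pins to 2 under HIDESYM, so the `#ifdef` may duplicate that. The same pattern is in the print_base hunk below and in print_name_offset() in kernel/time/timer_stats.c, where the fallback uses plain `%p` and could simply become `%pK`. If hiding must be unconditional, a fixed literal such as `"<0>"` avoids the "(null)" rendering.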
66295 @@ -112,7 +116,11 @@ next_one:
66296  static void
66297  print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
66298  {
66299 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66300 +       SEQ_printf(m, "  .base:       %p\n", NULL);
66301 +#else
66302         SEQ_printf(m, "  .base:       %pK\n", base);
66303 +#endif
66304         SEQ_printf(m, "  .index:      %d\n",
66305                         base->index);
66306         SEQ_printf(m, "  .resolution: %Lu nsecs\n",
66307 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
66308  {
66309         struct proc_dir_entry *pe;
66310  
66311 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
66312 +       pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
66313 +#else
66314         pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
66315 +#endif
66316         if (!pe)
66317                 return -ENOMEM;
66318         return 0;
66319 diff -urNp linux-3.1.1/kernel/time/timer_stats.c linux-3.1.1/kernel/time/timer_stats.c
66320 --- linux-3.1.1/kernel/time/timer_stats.c       2011-11-11 15:19:27.000000000 -0500
66321 +++ linux-3.1.1/kernel/time/timer_stats.c       2011-11-16 18:40:44.000000000 -0500
66322 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
66323  static unsigned long nr_entries;
66324  static struct entry entries[MAX_ENTRIES];
66325  
66326 -static atomic_t overflow_count;
66327 +static atomic_unchecked_t overflow_count;
66328  
66329  /*
66330   * The entries are in a hash-table, for fast lookup:
66331 @@ -140,7 +140,7 @@ static void reset_entries(void)
66332         nr_entries = 0;
66333         memset(entries, 0, sizeof(entries));
66334         memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
66335 -       atomic_set(&overflow_count, 0);
66336 +       atomic_set_unchecked(&overflow_count, 0);
66337  }
66338  
66339  static struct entry *alloc_entry(void)
66340 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
66341         if (likely(entry))
66342                 entry->count++;
66343         else
66344 -               atomic_inc(&overflow_count);
66345 +               atomic_inc_unchecked(&overflow_count);
66346  
66347   out_unlock:
66348         raw_spin_unlock_irqrestore(lock, flags);
66349 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
66350  
66351  static void print_name_offset(struct seq_file *m, unsigned long addr)
66352  {
66353 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66354 +       seq_printf(m, "<%p>", NULL);
66355 +#else
66356         char symname[KSYM_NAME_LEN];
66357  
66358         if (lookup_symbol_name(addr, symname) < 0)
66359                 seq_printf(m, "<%p>", (void *)addr);
66360         else
66361                 seq_printf(m, "%s", symname);
66362 +#endif
66363  }
66364  
66365  static int tstats_show(struct seq_file *m, void *v)
66366 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
66367  
66368         seq_puts(m, "Timer Stats Version: v0.2\n");
66369         seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
66370 -       if (atomic_read(&overflow_count))
66371 +       if (atomic_read_unchecked(&overflow_count))
66372                 seq_printf(m, "Overflow: %d entries\n",
66373 -                       atomic_read(&overflow_count));
66374 +                       atomic_read_unchecked(&overflow_count));
66375  
66376         for (i = 0; i < nr_entries; i++) {
66377                 entry = entries + i;
66378 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
66379  {
66380         struct proc_dir_entry *pe;
66381  
66382 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
66383 +       pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
66384 +#else
66385         pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
66386 +#endif
66387         if (!pe)
66388                 return -ENOMEM;
66389         return 0;
66390 diff -urNp linux-3.1.1/kernel/time.c linux-3.1.1/kernel/time.c
66391 --- linux-3.1.1/kernel/time.c   2011-11-11 15:19:27.000000000 -0500
66392 +++ linux-3.1.1/kernel/time.c   2011-11-16 18:40:44.000000000 -0500
66393 @@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct tim
66394                 return error;
66395  
66396         if (tz) {
66397 +               /* we log in do_settimeofday called below, so don't log twice
66398 +               */
66399 +               if (!tv)
66400 +                       gr_log_timechange();
66401 +
66402                 /* SMP safe, global irq locking makes it work. */
66403                 sys_tz = *tz;
66404                 update_vsyscall_tz();
66405 diff -urNp linux-3.1.1/kernel/timer.c linux-3.1.1/kernel/timer.c
66406 --- linux-3.1.1/kernel/timer.c  2011-11-11 15:19:27.000000000 -0500
66407 +++ linux-3.1.1/kernel/timer.c  2011-11-16 18:39:08.000000000 -0500
66408 @@ -1304,7 +1304,7 @@ void update_process_times(int user_tick)
66409  /*
66410   * This function runs timers and the timer-tq in bottom half context.
66411   */
66412 -static void run_timer_softirq(struct softirq_action *h)
66413 +static void run_timer_softirq(void)
66414  {
66415         struct tvec_base *base = __this_cpu_read(tvec_bases);
66416  
66417 diff -urNp linux-3.1.1/kernel/trace/blktrace.c linux-3.1.1/kernel/trace/blktrace.c
66418 --- linux-3.1.1/kernel/trace/blktrace.c 2011-11-11 15:19:27.000000000 -0500
66419 +++ linux-3.1.1/kernel/trace/blktrace.c 2011-11-16 18:39:08.000000000 -0500
66420 @@ -323,7 +323,7 @@ static ssize_t blk_dropped_read(struct f
66421         struct blk_trace *bt = filp->private_data;
66422         char buf[16];
66423  
66424 -       snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
66425 +       snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
66426  
66427         return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
66428  }
66429 @@ -388,7 +388,7 @@ static int blk_subbuf_start_callback(str
66430                 return 1;
66431  
66432         bt = buf->chan->private_data;
66433 -       atomic_inc(&bt->dropped);
66434 +       atomic_inc_unchecked(&bt->dropped);
66435         return 0;
66436  }
66437  
66438 @@ -489,7 +489,7 @@ int do_blk_trace_setup(struct request_qu
66439  
66440         bt->dir = dir;
66441         bt->dev = dev;
66442 -       atomic_set(&bt->dropped, 0);
66443 +       atomic_set_unchecked(&bt->dropped, 0);
66444  
66445         ret = -EIO;
66446         bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
66447 diff -urNp linux-3.1.1/kernel/trace/ftrace.c linux-3.1.1/kernel/trace/ftrace.c
66448 --- linux-3.1.1/kernel/trace/ftrace.c   2011-11-11 15:19:27.000000000 -0500
66449 +++ linux-3.1.1/kernel/trace/ftrace.c   2011-11-16 18:39:08.000000000 -0500
66450 @@ -1585,12 +1585,17 @@ ftrace_code_disable(struct module *mod, 
66451         if (unlikely(ftrace_disabled))
66452                 return 0;
66453  
66454 +       ret = ftrace_arch_code_modify_prepare();
66455 +       FTRACE_WARN_ON(ret);
66456 +       if (ret)
66457 +               return 0;
66458 +
66459         ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
66460 +       FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
66461         if (ret) {
66462                 ftrace_bug(ret, ip);
66463 -               return 0;
66464         }
66465 -       return 1;
66466 +       return ret ? 0 : 1;
66467  }
66468  
66469  /*
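Review bot: ftrace_arch_code_modify_prepare() and ftrace_arch_code_modify_post_process() are now paired inside ftrace_code_disable(), i.e. once per record; on architectures where that pair toggles text write-protection this presumably opens and closes the writable window for every record rather than once around the whole batch, and the reason for choosing the per-record scope is not recorded. The prepare-failure path also returns 0 without the ftrace_bug() diagnostic that the make_nop failure path gets, so a caller cannot distinguish the two beyond the FTRACE_WARN_ON. A comment above the new call such as `/* per-record prepare/post_process: text is writable only across the single nop write */` would capture the intent. ftrace_code_disable() begins outside this hunk.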
66470 @@ -2607,7 +2612,7 @@ static void ftrace_free_entry_rcu(struct
66471  
66472  int
66473  register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
66474 -                             void *data)
66475 +                               void *data)
66476  {
66477         struct ftrace_func_probe *entry;
66478         struct ftrace_page *pg;
66479 diff -urNp linux-3.1.1/kernel/trace/trace.c linux-3.1.1/kernel/trace/trace.c
66480 --- linux-3.1.1/kernel/trace/trace.c    2011-11-11 15:19:27.000000000 -0500
66481 +++ linux-3.1.1/kernel/trace/trace.c    2011-11-16 18:40:44.000000000 -0500
66482 @@ -3451,6 +3451,8 @@ static ssize_t tracing_splice_read_pipe(
66483         size_t rem;
66484         unsigned int i;
66485  
66486 +       pax_track_stack();
66487 +
66488         if (splice_grow_spd(pipe, &spd))
66489                 return -ENOMEM;
66490  
66491 @@ -3926,6 +3928,8 @@ tracing_buffers_splice_read(struct file 
66492         int entries, size, i;
66493         size_t ret;
66494  
66495 +       pax_track_stack();
66496 +
66497         if (splice_grow_spd(pipe, &spd))
66498                 return -ENOMEM;
66499  
66500 @@ -4093,10 +4097,9 @@ static const struct file_operations trac
66501  };
66502  #endif
66503  
66504 -static struct dentry *d_tracer;
66505 -
66506  struct dentry *tracing_init_dentry(void)
66507  {
66508 +       static struct dentry *d_tracer;
66509         static int once;
66510  
66511         if (d_tracer)
66512 @@ -4116,10 +4119,9 @@ struct dentry *tracing_init_dentry(void)
66513         return d_tracer;
66514  }
66515  
66516 -static struct dentry *d_percpu;
66517 -
66518  struct dentry *tracing_dentry_percpu(void)
66519  {
66520 +       static struct dentry *d_percpu;
66521         static int once;
66522         struct dentry *d_tracer;
66523  
66524 diff -urNp linux-3.1.1/kernel/trace/trace_events.c linux-3.1.1/kernel/trace/trace_events.c
66525 --- linux-3.1.1/kernel/trace/trace_events.c     2011-11-11 15:19:27.000000000 -0500
66526 +++ linux-3.1.1/kernel/trace/trace_events.c     2011-11-16 18:39:08.000000000 -0500
66527 @@ -1300,10 +1300,6 @@ static LIST_HEAD(ftrace_module_file_list
66528  struct ftrace_module_file_ops {
66529         struct list_head                list;
66530         struct module                   *mod;
66531 -       struct file_operations          id;
66532 -       struct file_operations          enable;
66533 -       struct file_operations          format;
66534 -       struct file_operations          filter;
66535  };
66536  
66537  static struct ftrace_module_file_ops *
66538 @@ -1324,17 +1320,12 @@ trace_create_file_ops(struct module *mod
66539  
66540         file_ops->mod = mod;
66541  
66542 -       file_ops->id = ftrace_event_id_fops;
66543 -       file_ops->id.owner = mod;
66544 -
66545 -       file_ops->enable = ftrace_enable_fops;
66546 -       file_ops->enable.owner = mod;
66547 -
66548 -       file_ops->filter = ftrace_event_filter_fops;
66549 -       file_ops->filter.owner = mod;
66550 -
66551 -       file_ops->format = ftrace_event_format_fops;
66552 -       file_ops->format.owner = mod;
66553 +       pax_open_kernel();
66554 +       *(void **)&mod->trace_id.owner = mod;
66555 +       *(void **)&mod->trace_enable.owner = mod;
66556 +       *(void **)&mod->trace_filter.owner = mod;
66557 +       *(void **)&mod->trace_format.owner = mod;
66558 +       pax_close_kernel();
66559  
66560         list_add(&file_ops->list, &ftrace_module_file_list);
66561  
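Review bot: The four `*(void **)&mod->trace_*.owner = mod` stores assume mod->trace_id, trace_enable, trace_filter and trace_format already hold copies of the ftrace_event_*_fops templates, but nothing in this hunk populates them — the old code copied the templates right here and that copy is removed, so the initialization presumably moved to wherever struct module gained those fields. A one-line comment above pax_open_kernel(), e.g. `/* mod->trace_* are pre-filled with the ftrace_event_*_fops templates; only .owner is patched here */`, would spare the next reader the search. The cast through `void **` strips const, which is exactly what the pax_open_kernel()/pax_close_kernel() bracket exists for; keeping that bracket tight around the four stores, as done here, is the right shape. trace_create_file_ops() begins outside this hunk.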
66562 @@ -1358,8 +1349,8 @@ static void trace_module_add_events(stru
66563  
66564         for_each_event(call, start, end) {
66565                 __trace_add_event_call(*call, mod,
66566 -                                      &file_ops->id, &file_ops->enable,
66567 -                                      &file_ops->filter, &file_ops->format);
66568 +                                      &mod->trace_id, &mod->trace_enable,
66569 +                                      &mod->trace_filter, &mod->trace_format);
66570         }
66571  }
66572  
66573 diff -urNp linux-3.1.1/kernel/trace/trace_kprobe.c linux-3.1.1/kernel/trace/trace_kprobe.c
66574 --- linux-3.1.1/kernel/trace/trace_kprobe.c     2011-11-11 15:19:27.000000000 -0500
66575 +++ linux-3.1.1/kernel/trace/trace_kprobe.c     2011-11-16 18:39:08.000000000 -0500
66576 @@ -217,7 +217,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66577         long ret;
66578         int maxlen = get_rloc_len(*(u32 *)dest);
66579         u8 *dst = get_rloc_data(dest);
66580 -       u8 *src = addr;
66581 +       const u8 __user *src = (const u8 __force_user *)addr;
66582         mm_segment_t old_fs = get_fs();
66583         if (!maxlen)
66584                 return;
66585 @@ -229,7 +229,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66586         pagefault_disable();
66587         do
66588                 ret = __copy_from_user_inatomic(dst++, src++, 1);
66589 -       while (dst[-1] && ret == 0 && src - (u8 *)addr < maxlen);
66590 +       while (dst[-1] && ret == 0 && src - (const u8 __force_user *)addr < maxlen);
66591         dst[-1] = '\0';
66592         pagefault_enable();
66593         set_fs(old_fs);
66594 @@ -238,7 +238,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66595                 ((u8 *)get_rloc_data(dest))[0] = '\0';
66596                 *(u32 *)dest = make_data_rloc(0, get_rloc_offs(*(u32 *)dest));
66597         } else
66598 -               *(u32 *)dest = make_data_rloc(src - (u8 *)addr,
66599 +               *(u32 *)dest = make_data_rloc(src - (const u8 __force_user *)addr,
66600                                               get_rloc_offs(*(u32 *)dest));
66601  }
66602  /* Return the length of string -- including null terminal byte */
66603 @@ -252,7 +252,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66604         set_fs(KERNEL_DS);
66605         pagefault_disable();
66606         do {
66607 -               ret = __copy_from_user_inatomic(&c, (u8 *)addr + len, 1);
66608 +               ret = __copy_from_user_inatomic(&c, (const u8 __force_user *)addr + len, 1);
66609                 len++;
66610         } while (c && ret == 0 && len < MAX_STRING_SIZE);
66611         pagefault_enable();
66612 diff -urNp linux-3.1.1/kernel/trace/trace_mmiotrace.c linux-3.1.1/kernel/trace/trace_mmiotrace.c
66613 --- linux-3.1.1/kernel/trace/trace_mmiotrace.c  2011-11-11 15:19:27.000000000 -0500
66614 +++ linux-3.1.1/kernel/trace/trace_mmiotrace.c  2011-11-16 18:39:08.000000000 -0500
66615 @@ -24,7 +24,7 @@ struct header_iter {
66616  static struct trace_array *mmio_trace_array;
66617  static bool overrun_detected;
66618  static unsigned long prev_overruns;
66619 -static atomic_t dropped_count;
66620 +static atomic_unchecked_t dropped_count;
66621  
66622  static void mmio_reset_data(struct trace_array *tr)
66623  {
66624 @@ -127,7 +127,7 @@ static void mmio_close(struct trace_iter
66625  
66626  static unsigned long count_overruns(struct trace_iterator *iter)
66627  {
66628 -       unsigned long cnt = atomic_xchg(&dropped_count, 0);
66629 +       unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
66630         unsigned long over = ring_buffer_overruns(iter->tr->buffer);
66631  
66632         if (over > prev_overruns)
66633 @@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct 
66634         event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
66635                                           sizeof(*entry), 0, pc);
66636         if (!event) {
66637 -               atomic_inc(&dropped_count);
66638 +               atomic_inc_unchecked(&dropped_count);
66639                 return;
66640         }
66641         entry   = ring_buffer_event_data(event);
66642 @@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct
66643         event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
66644                                           sizeof(*entry), 0, pc);
66645         if (!event) {
66646 -               atomic_inc(&dropped_count);
66647 +               atomic_inc_unchecked(&dropped_count);
66648                 return;
66649         }
66650         entry   = ring_buffer_event_data(event);
66651 diff -urNp linux-3.1.1/kernel/trace/trace_output.c linux-3.1.1/kernel/trace/trace_output.c
66652 --- linux-3.1.1/kernel/trace/trace_output.c     2011-11-11 15:19:27.000000000 -0500
66653 +++ linux-3.1.1/kernel/trace/trace_output.c     2011-11-16 18:39:08.000000000 -0500
66654 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s, 
66655  
66656         p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
66657         if (!IS_ERR(p)) {
66658 -               p = mangle_path(s->buffer + s->len, p, "\n");
66659 +               p = mangle_path(s->buffer + s->len, p, "\n\\");
66660                 if (p) {
66661                         s->len = p - s->buffer;
66662                         return 1;
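Review bot: Adding the backslash to mangle_path()'s escape set is the right call, but the reason is not recorded; mangle_path() writes escaped characters as backslash-octal sequences, so a literal backslash in a file name would otherwise be indistinguishable from the escape emitted for a newline, and a line-oriented consumer of trace output could be fooled by a crafted name. A comment on the changed line, e.g. `/* escape '\\' too: a literal backslash in a name would mimic mangle_path()'s own escape prefix */`, would capture that. trace_seq_path() begins outside this hunk.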
66663 diff -urNp linux-3.1.1/kernel/trace/trace_stack.c linux-3.1.1/kernel/trace/trace_stack.c
66664 --- linux-3.1.1/kernel/trace/trace_stack.c      2011-11-11 15:19:27.000000000 -0500
66665 +++ linux-3.1.1/kernel/trace/trace_stack.c      2011-11-16 18:39:08.000000000 -0500
66666 @@ -50,7 +50,7 @@ static inline void check_stack(void)
66667                 return;
66668  
66669         /* we do not handle interrupt stacks yet */
66670 -       if (!object_is_on_stack(&this_size))
66671 +       if (!object_starts_on_stack(&this_size))
66672                 return;
66673  
66674         local_irq_save(flags);
66675 diff -urNp linux-3.1.1/kernel/trace/trace_workqueue.c linux-3.1.1/kernel/trace/trace_workqueue.c
66676 --- linux-3.1.1/kernel/trace/trace_workqueue.c  2011-11-11 15:19:27.000000000 -0500
66677 +++ linux-3.1.1/kernel/trace/trace_workqueue.c  2011-11-16 18:39:08.000000000 -0500
66678 @@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
66679         int                         cpu;
66680         pid_t                       pid;
66681  /* Can be inserted from interrupt or user context, need to be atomic */
66682 -       atomic_t                    inserted;
66683 +       atomic_unchecked_t          inserted;
66684  /*
66685   *  Don't need to be atomic, works are serialized in a single workqueue thread
66686   *  on a single CPU.
66687 @@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
66688         spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
66689         list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
66690                 if (node->pid == wq_thread->pid) {
66691 -                       atomic_inc(&node->inserted);
66692 +                       atomic_inc_unchecked(&node->inserted);
66693                         goto found;
66694                 }
66695         }
66696 @@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
66697                 tsk = get_pid_task(pid, PIDTYPE_PID);
66698                 if (tsk) {
66699                         seq_printf(s, "%3d %6d     %6u       %s\n", cws->cpu,
66700 -                                  atomic_read(&cws->inserted), cws->executed,
66701 +                                  atomic_read_unchecked(&cws->inserted), cws->executed,
66702                                    tsk->comm);
66703                         put_task_struct(tsk);
66704                 }
66705 diff -urNp linux-3.1.1/lib/bitmap.c linux-3.1.1/lib/bitmap.c
66706 --- linux-3.1.1/lib/bitmap.c    2011-11-11 15:19:27.000000000 -0500
66707 +++ linux-3.1.1/lib/bitmap.c    2011-11-16 18:39:08.000000000 -0500
66708 @@ -419,7 +419,7 @@ int __bitmap_parse(const char *buf, unsi
66709  {
66710         int c, old_c, totaldigits, ndigits, nchunks, nbits;
66711         u32 chunk;
66712 -       const char __user *ubuf = buf;
66713 +       const char __user *ubuf = (const char __force_user *)buf;
66714  
66715         bitmap_zero(maskp, nmaskbits);
66716  
66717 @@ -504,7 +504,7 @@ int bitmap_parse_user(const char __user 
66718  {
66719         if (!access_ok(VERIFY_READ, ubuf, ulen))
66720                 return -EFAULT;
66721 -       return __bitmap_parse((const char *)ubuf, ulen, 1, maskp, nmaskbits);
66722 +       return __bitmap_parse((const char __force_kernel *)ubuf, ulen, 1, maskp, nmaskbits);
66723  }
66724  EXPORT_SYMBOL(bitmap_parse_user);
66725  
66726 @@ -594,7 +594,7 @@ static int __bitmap_parselist(const char
66727  {
66728         unsigned a, b;
66729         int c, old_c, totaldigits;
66730 -       const char __user *ubuf = buf;
66731 +       const char __user *ubuf = (const char __force_user *)buf;
66732         int exp_digit, in_range;
66733  
66734         totaldigits = c = 0;
66735 @@ -694,7 +694,7 @@ int bitmap_parselist_user(const char __u
66736  {
66737         if (!access_ok(VERIFY_READ, ubuf, ulen))
66738                 return -EFAULT;
66739 -       return __bitmap_parselist((const char *)ubuf,
66740 +       return __bitmap_parselist((const char __force_kernel *)ubuf,
66741                                         ulen, 1, maskp, nmaskbits);
66742  }
66743  EXPORT_SYMBOL(bitmap_parselist_user);
66744 diff -urNp linux-3.1.1/lib/bug.c linux-3.1.1/lib/bug.c
66745 --- linux-3.1.1/lib/bug.c       2011-11-11 15:19:27.000000000 -0500
66746 +++ linux-3.1.1/lib/bug.c       2011-11-16 18:39:08.000000000 -0500
66747 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
66748                 return BUG_TRAP_TYPE_NONE;
66749  
66750         bug = find_bug(bugaddr);
66751 +       if (!bug)
66752 +               return BUG_TRAP_TYPE_NONE;
66753  
66754         file = NULL;
66755         line = 0;
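Review bot: Returning BUG_TRAP_TYPE_NONE when find_bug() yields no entry changes how a BUG-style trap at an address missing from the table is handled: rather than being reported as a BUG at an unknown location, it is now left to the caller as an ordinary trap. That may well be intended, but if the remainder of report_bug(), which lies outside this hunk, still guards `bug` against NULL, that guard is now dead code, and a comment such as `/* no table entry: not one of ours, let the trap handler deal with it */` would make the choice explicit.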
66756 diff -urNp linux-3.1.1/lib/debugobjects.c linux-3.1.1/lib/debugobjects.c
66757 --- linux-3.1.1/lib/debugobjects.c      2011-11-11 15:19:27.000000000 -0500
66758 +++ linux-3.1.1/lib/debugobjects.c      2011-11-16 18:39:08.000000000 -0500
66759 @@ -284,7 +284,7 @@ static void debug_object_is_on_stack(voi
66760         if (limit > 4)
66761                 return;
66762  
66763 -       is_on_stack = object_is_on_stack(addr);
66764 +       is_on_stack = object_starts_on_stack(addr);
66765         if (is_on_stack == onstack)
66766                 return;
66767  
66768 diff -urNp linux-3.1.1/lib/devres.c linux-3.1.1/lib/devres.c
66769 --- linux-3.1.1/lib/devres.c    2011-11-11 15:19:27.000000000 -0500
66770 +++ linux-3.1.1/lib/devres.c    2011-11-16 18:39:08.000000000 -0500
66771 @@ -80,7 +80,7 @@ EXPORT_SYMBOL(devm_ioremap_nocache);
66772  void devm_iounmap(struct device *dev, void __iomem *addr)
66773  {
66774         WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
66775 -                              (void *)addr));
66776 +                              (void __force *)addr));
66777         iounmap(addr);
66778  }
66779  EXPORT_SYMBOL(devm_iounmap);
66780 @@ -141,7 +141,7 @@ void devm_ioport_unmap(struct device *de
66781  {
66782         ioport_unmap(addr);
66783         WARN_ON(devres_destroy(dev, devm_ioport_map_release,
66784 -                              devm_ioport_map_match, (void *)addr));
66785 +                              devm_ioport_map_match, (void __force *)addr));
66786  }
66787  EXPORT_SYMBOL(devm_ioport_unmap);
66788  
66789 diff -urNp linux-3.1.1/lib/dma-debug.c linux-3.1.1/lib/dma-debug.c
66790 --- linux-3.1.1/lib/dma-debug.c 2011-11-11 15:19:27.000000000 -0500
66791 +++ linux-3.1.1/lib/dma-debug.c 2011-11-16 18:39:08.000000000 -0500
66792 @@ -870,7 +870,7 @@ out:
66793  
66794  static void check_for_stack(struct device *dev, void *addr)
66795  {
66796 -       if (object_is_on_stack(addr))
66797 +       if (object_starts_on_stack(addr))
66798                 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
66799                                 "stack [addr=%p]\n", addr);
66800  }
66801 diff -urNp linux-3.1.1/lib/extable.c linux-3.1.1/lib/extable.c
66802 --- linux-3.1.1/lib/extable.c   2011-11-11 15:19:27.000000000 -0500
66803 +++ linux-3.1.1/lib/extable.c   2011-11-16 18:39:08.000000000 -0500
66804 @@ -13,6 +13,7 @@
66805  #include <linux/init.h>
66806  #include <linux/sort.h>
66807  #include <asm/uaccess.h>
66808 +#include <asm/pgtable.h>
66809  
66810  #ifndef ARCH_HAS_SORT_EXTABLE
66811  /*
66812 @@ -36,8 +37,10 @@ static int cmp_ex(const void *a, const v
66813  void sort_extable(struct exception_table_entry *start,
66814                   struct exception_table_entry *finish)
66815  {
66816 +       pax_open_kernel();
66817         sort(start, finish - start, sizeof(struct exception_table_entry),
66818              cmp_ex, NULL);
66819 +       pax_close_kernel();
66820  }
66821  
66822  #ifdef CONFIG_MODULES
66823 diff -urNp linux-3.1.1/lib/inflate.c linux-3.1.1/lib/inflate.c
66824 --- linux-3.1.1/lib/inflate.c   2011-11-11 15:19:27.000000000 -0500
66825 +++ linux-3.1.1/lib/inflate.c   2011-11-16 18:39:08.000000000 -0500
66826 @@ -269,7 +269,7 @@ static void free(void *where)
66827                 malloc_ptr = free_mem_ptr;
66828  }
66829  #else
66830 -#define malloc(a) kmalloc(a, GFP_KERNEL)
66831 +#define malloc(a) kmalloc((a), GFP_KERNEL)
66832  #define free(a) kfree(a)
66833  #endif
66834  
66835 diff -urNp linux-3.1.1/lib/Kconfig.debug linux-3.1.1/lib/Kconfig.debug
66836 --- linux-3.1.1/lib/Kconfig.debug       2011-11-11 15:19:27.000000000 -0500
66837 +++ linux-3.1.1/lib/Kconfig.debug       2011-11-16 18:40:44.000000000 -0500
66838 @@ -1091,6 +1091,7 @@ config LATENCYTOP
66839         depends on DEBUG_KERNEL
66840         depends on STACKTRACE_SUPPORT
66841         depends on PROC_FS
66842 +       depends on !GRKERNSEC_HIDESYM
66843         select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
66844         select KALLSYMS
66845         select KALLSYMS_ALL
66846 diff -urNp linux-3.1.1/lib/kref.c linux-3.1.1/lib/kref.c
66847 --- linux-3.1.1/lib/kref.c      2011-11-11 15:19:27.000000000 -0500
66848 +++ linux-3.1.1/lib/kref.c      2011-11-16 18:39:08.000000000 -0500
66849 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
66850   */
66851  int kref_put(struct kref *kref, void (*release)(struct kref *kref))
66852  {
66853 -       WARN_ON(release == NULL);
66854 +       BUG_ON(release == NULL);
66855         WARN_ON(release == (void (*)(struct kref *))kfree);
66856  
66857         if (atomic_dec_and_test(&kref->refcount)) {
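Review bot: Replacing WARN_ON with BUG_ON makes a NULL release callback fatal on every kref_put(), not only on the final put that would otherwise call through the NULL pointer, so a driver bug now becomes an immediate oops (and a halt when panic_on_oops is set) even while the refcount is still above zero. That is a defensible fail-fast choice, but it deserves a comment above the check such as `/* a NULL release is always a bug; fail at the first put rather than on the last one */`. kref_put() continues outside this hunk.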
66858 diff -urNp linux-3.1.1/lib/radix-tree.c linux-3.1.1/lib/radix-tree.c
66859 --- linux-3.1.1/lib/radix-tree.c        2011-11-11 15:19:27.000000000 -0500
66860 +++ linux-3.1.1/lib/radix-tree.c        2011-11-16 18:39:08.000000000 -0500
66861 @@ -80,7 +80,7 @@ struct radix_tree_preload {
66862         int nr;
66863         struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
66864  };
66865 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
66866 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
66867  
66868  static inline void *ptr_to_indirect(void *ptr)
66869  {
66870 diff -urNp linux-3.1.1/lib/vsprintf.c linux-3.1.1/lib/vsprintf.c
66871 --- linux-3.1.1/lib/vsprintf.c  2011-11-11 15:19:27.000000000 -0500
66872 +++ linux-3.1.1/lib/vsprintf.c  2011-11-16 18:40:44.000000000 -0500
66873 @@ -16,6 +16,9 @@
66874   * - scnprintf and vscnprintf
66875   */
66876  
66877 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66878 +#define __INCLUDED_BY_HIDESYM 1
66879 +#endif
66880  #include <stdarg.h>
66881  #include <linux/module.h>
66882  #include <linux/types.h>
66883 @@ -432,7 +435,7 @@ char *symbol_string(char *buf, char *end
66884         char sym[KSYM_SYMBOL_LEN];
66885         if (ext == 'B')
66886                 sprint_backtrace(sym, value);
66887 -       else if (ext != 'f' && ext != 's')
66888 +       else if (ext != 'f' && ext != 's' && ext != 'a')
66889                 sprint_symbol(sym, value);
66890         else
66891                 kallsyms_lookup(value, NULL, NULL, NULL, sym);
66892 @@ -796,7 +799,11 @@ char *uuid_string(char *buf, char *end, 
66893         return string(buf, end, uuid, spec);
66894  }
66895  
66896 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66897 +int kptr_restrict __read_mostly = 2;
66898 +#else
66899  int kptr_restrict __read_mostly;
66900 +#endif
66901  
66902  /*
66903   * Show a '%p' thing.  A kernel extension is that the '%p' is followed
66904 @@ -810,6 +817,8 @@ int kptr_restrict __read_mostly;
66905   * - 'S' For symbolic direct pointers with offset
66906   * - 's' For symbolic direct pointers without offset
66907   * - 'B' For backtraced symbolic direct pointers with offset
66908 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
66909 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
66910   * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
66911   * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
66912   * - 'M' For a 6-byte MAC address, it prints the address in the
66913 @@ -854,12 +863,12 @@ char *pointer(const char *fmt, char *buf
66914  {
66915         if (!ptr && *fmt != 'K') {
66916                 /*
66917 -                * Print (null) with the same width as a pointer so it makes
66918 +                * Print (nil) with the same width as a pointer so it makes
66919                  * tabular output look nice.
66920                  */
66921                 if (spec.field_width == -1)
66922                         spec.field_width = 2 * sizeof(void *);
66923 -               return string(buf, end, "(null)", spec);
66924 +               return string(buf, end, "(nil)", spec);
66925         }
66926  
66927         switch (*fmt) {
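Review bot: Printing `(nil)` instead of `(null)` for a NULL `%p` argument is a user-visible change to kernel log output; any log parser or test that matches the literal `(null)` stops matching, and the commit does not say why glibc's spelling was preferred. If the change stays, a short comment such as `/* matches glibc's %p output for NULL */` would record the motive, since the surrounding comment only explains the field width.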
66928 @@ -869,6 +878,13 @@ char *pointer(const char *fmt, char *buf
66929                 /* Fallthrough */
66930         case 'S':
66931         case 's':
66932 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66933 +               break;
66934 +#else
66935 +               return symbol_string(buf, end, ptr, spec, *fmt);
66936 +#endif
66937 +       case 'A':
66938 +       case 'a':
66939         case 'B':
66940                 return symbol_string(buf, end, ptr, spec, *fmt);
66941         case 'R':
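Review bot: Under CONFIG_GRKERNSEC_HIDESYM the `case 'S'`/`case 's'` path now does `break` instead of calling symbol_string(), so what `%pS`/`%ps` print is decided by the code after the switch, which is outside this hunk; if that is the generic raw-hex pointer path, the hidden symbol is replaced by the kernel address itself, which is the opposite of what HIDESYM wants, so please confirm that the fall-out path applies the same restriction as `%pK` (this patch sets kptr_restrict to 2). A comment on the `break`, e.g. `/* HIDESYM: never resolve %pS/%ps; fall out to the restricted pointer path */`, would state the intended behaviour. The new 'A'/'a' cases route to symbol_string() unconditionally, which matches the description added to the comment block above, and the `break` correctly keeps 'S'/'s' from falling through into them.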
66942 @@ -1627,11 +1643,11 @@ int bstr_printf(char *buf, size_t size, 
66943         typeof(type) value;                                             \
66944         if (sizeof(type) == 8) {                                        \
66945                 args = PTR_ALIGN(args, sizeof(u32));                    \
66946 -               *(u32 *)&value = *(u32 *)args;                          \
66947 -               *((u32 *)&value + 1) = *(u32 *)(args + 4);              \
66948 +               *(u32 *)&value = *(const u32 *)args;                    \
66949 +               *((u32 *)&value + 1) = *(const u32 *)(args + 4);        \
66950         } else {                                                        \
66951                 args = PTR_ALIGN(args, sizeof(type));                   \
66952 -               value = *(typeof(type) *)args;                          \
66953 +               value = *(const typeof(type) *)args;                    \
66954         }                                                               \
66955         args += sizeof(type);                                           \
66956         value;                                                          \
66957 @@ -1694,7 +1710,7 @@ int bstr_printf(char *buf, size_t size, 
66958                 case FORMAT_TYPE_STR: {
66959                         const char *str_arg = args;
66960                         args += strlen(str_arg) + 1;
66961 -                       str = string(str, end, (char *)str_arg, spec);
66962 +                       str = string(str, end, str_arg, spec);
66963                         break;
66964                 }
66965  
66966 diff -urNp linux-3.1.1/localversion-grsec linux-3.1.1/localversion-grsec
66967 --- linux-3.1.1/localversion-grsec      1969-12-31 19:00:00.000000000 -0500
66968 +++ linux-3.1.1/localversion-grsec      2011-11-16 18:40:44.000000000 -0500
66969 @@ -0,0 +1 @@
66970 +-grsec
66971 diff -urNp linux-3.1.1/Makefile linux-3.1.1/Makefile
66972 --- linux-3.1.1/Makefile        2011-11-11 15:19:27.000000000 -0500
66973 +++ linux-3.1.1/Makefile        2011-11-16 18:45:38.000000000 -0500
66974 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
66975  
66976  HOSTCC       = gcc
66977  HOSTCXX      = g++
66978 -HOSTCFLAGS   = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
66979 -HOSTCXXFLAGS = -O2
66980 +HOSTCFLAGS   = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
66981 +HOSTCFLAGS  += $(call cc-option, -Wno-empty-body)
66982 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
66983  
66984  # Decide whether to build built-in, modular, or both.
66985  # Normally, just do built-in.
66986 @@ -365,10 +366,12 @@ LINUXINCLUDE    := -I$(srctree)/arch/$(h
66987  KBUILD_CPPFLAGS := -D__KERNEL__
66988  
66989  KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
66990 +                  -W -Wno-unused-parameter -Wno-missing-field-initializers \
66991                    -fno-strict-aliasing -fno-common \
66992                    -Werror-implicit-function-declaration \
66993                    -Wno-format-security \
66994                    -fno-delete-null-pointer-checks
66995 +KBUILD_CFLAGS   += $(call cc-option, -Wno-empty-body)
66996  KBUILD_AFLAGS_KERNEL :=
66997  KBUILD_CFLAGS_KERNEL :=
66998  KBUILD_AFLAGS   := -D__ASSEMBLY__
66999 @@ -407,8 +410,8 @@ export RCS_TAR_IGNORE := --exclude SCCS 
67000  # Rules shared between *config targets and build targets
67001  
67002  # Basic helpers built in scripts/
67003 -PHONY += scripts_basic
67004 -scripts_basic:
67005 +PHONY += scripts_basic gcc-plugins
67006 +scripts_basic: gcc-plugins
67007         $(Q)$(MAKE) $(build)=scripts/basic
67008         $(Q)rm -f .tmp_quiet_recordmcount
67009  
67010 @@ -564,6 +567,37 @@ else
67011  KBUILD_CFLAGS  += -O2
67012  endif
67013  
67014 +ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
67015 +CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
67016 +ifdef CONFIG_PAX_MEMORY_STACKLEAK
67017 +STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN
67018 +STACKLEAK_PLUGIN += -fplugin-arg-stackleak_plugin-track-lowest-sp=100
67019 +endif
67020 +ifdef CONFIG_KALLOCSTAT_PLUGIN
67021 +KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
67022 +endif
67023 +ifdef CONFIG_PAX_KERNEXEC_PLUGIN
67024 +KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
67025 +endif
67026 +ifdef CONFIG_CHECKER_PLUGIN
67027 +ifeq ($(call cc-ifversion, -ge, 0406, y), y)
67028 +CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
67029 +endif
67030 +endif
67031 +GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN)
67032 +export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
67033 +gcc-plugins:
67034 +       $(Q)$(MAKE) $(build)=tools/gcc
67035 +else
67036 +gcc-plugins:
67037 +ifeq ($(call cc-ifversion, -ge, 0405, y), y)
67038 +       $(error Your gcc installation does not support plugins.  If the necessary headers for plugin support are missing, they should be installed.  On Debian, apt-get install gcc-<ver>-plugin-dev.))
67039 +else
67040 +       $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
67041 +endif
67042 +       $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure"
67043 +endif
67044 +
67045  include $(srctree)/arch/$(SRCARCH)/Makefile
67046  
67047  ifneq ($(CONFIG_FRAME_WARN),0)
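Review bot: The `$(error ...)` in the no-plugin-support branch of the `gcc-plugins` target ends with `plugin-dev.))`; the first `)` already closes the function call, so the trailing one is a stray character left in the recipe. It is harmless only because `$(error` aborts make as soon as the recipe is expanded, so drop it: `$(error Your gcc installation does not support plugins.  If the necessary headers for plugin support are missing, they should be installed.  On Debian, apt-get install gcc-<ver>-plugin-dev.)`. Note also that the `$(shell ... gcc-plugin.sh ...)` probe runs at parse time on every make invocation regardless of target, which is probably acceptable but worth a comment so nobody expects it to be gated on configuration.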
67048 @@ -708,7 +742,7 @@ export mod_strip_cmd
67049  
67050  
67051  ifeq ($(KBUILD_EXTMOD),)
67052 -core-y         += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
67053 +core-y         += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
67054  
67055  vmlinux-dirs   := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
67056                      $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
67057 @@ -932,6 +966,7 @@ vmlinux.o: $(modpost-init) $(vmlinux-mai
67058  
67059  # The actual objects are generated when descending, 
67060  # make sure no implicit rule kicks in
67061 +$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): KBUILD_CFLAGS += $(GCC_PLUGINS)
67062  $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
67063  
67064  # Handle descending into subdirectories listed in $(vmlinux-dirs)
67065 @@ -941,7 +976,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) 
67066  # Error messages still appears in the original language
67067  
67068  PHONY += $(vmlinux-dirs)
67069 -$(vmlinux-dirs): prepare scripts
67070 +$(vmlinux-dirs): gcc-plugins prepare scripts
67071         $(Q)$(MAKE) $(build)=$@
67072  
67073  # Store (new) KERNELRELASE string in include/config/kernel.release
67074 @@ -986,6 +1021,7 @@ prepare0: archprepare FORCE
67075         $(Q)$(MAKE) $(build)=. missing-syscalls
67076  
67077  # All the preparing..
67078 +prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS))
67079  prepare: prepare0
67080  
67081  # Generate some files
67082 @@ -1087,6 +1123,7 @@ all: modules
67083  #      using awk while concatenating to the final file.
67084  
67085  PHONY += modules
67086 +modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
67087  modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
67088         $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
67089         @$(kecho) '  Building modules, stage 2.';
67090 @@ -1102,7 +1139,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modu
67091  
67092  # Target to prepare building external modules
67093  PHONY += modules_prepare
67094 -modules_prepare: prepare scripts
67095 +modules_prepare: gcc-plugins prepare scripts
67096  
67097  # Target to install modules
67098  PHONY += modules_install
67099 @@ -1198,7 +1235,7 @@ distclean: mrproper
67100         @find $(srctree) $(RCS_FIND_IGNORE) \
67101                 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
67102                 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
67103 -               -o -name '.*.rej' -o -size 0 \
67104 +               -o -name '.*.rej' -o -name '*.so' -o -size 0 \
67105                 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
67106                 -type f -print | xargs rm -f
67107  
67108 @@ -1360,6 +1397,7 @@ PHONY += $(module-dirs) modules
67109  $(module-dirs): crmodverdir $(objtree)/Module.symvers
67110         $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
67111  
67112 +modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
67113  modules: $(module-dirs)
67114         @$(kecho) '  Building modules, stage 2.';
67115         $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
67116 @@ -1486,17 +1524,19 @@ else
67117          target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
67118  endif
67119  
67120 -%.s: %.c prepare scripts FORCE
67121 +%.s: KBUILD_CFLAGS += $(GCC_PLUGINS)
67122 +%.s: %.c gcc-plugins prepare scripts FORCE
67123         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67124  %.i: %.c prepare scripts FORCE
67125         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67126 -%.o: %.c prepare scripts FORCE
67127 +%.o: KBUILD_CFLAGS += $(GCC_PLUGINS)
67128 +%.o: %.c gcc-plugins prepare scripts FORCE
67129         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67130  %.lst: %.c prepare scripts FORCE
67131         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67132 -%.s: %.S prepare scripts FORCE
67133 +%.s: %.S gcc-plugins prepare scripts FORCE
67134         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67135 -%.o: %.S prepare scripts FORCE
67136 +%.o: %.S gcc-plugins prepare scripts FORCE
67137         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67138  %.symtypes: %.c prepare scripts FORCE
67139         $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
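Review bot: `%.lst: %.c` and `%.symtypes: %.c` (and `%.i: %.c`) keep their old prerequisites while the neighbouring `%.s`/`%.o` rules gain `gcc-plugins` and `KBUILD_CFLAGS += $(GCC_PLUGINS)`, so a listing built from a single-file target is compiled without the plugins that `%.o` uses. For `%.i` that is harmless since preprocessing never runs the plugins, but a `%.lst` listing may then not match the object actually linked. If the omission is intentional, a one-line comment such as `# listings are built without $(GCC_PLUGINS)` next to the rule saves the next reader the question; otherwise mirror the `%.o` change there.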
67140 @@ -1506,11 +1546,13 @@ endif
67141         $(cmd_crmodverdir)
67142         $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
67143         $(build)=$(build-dir)
67144 -%/: prepare scripts FORCE
67145 +%/: KBUILD_CFLAGS += $(GCC_PLUGINS)
67146 +%/: gcc-plugins prepare scripts FORCE
67147         $(cmd_crmodverdir)
67148         $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
67149         $(build)=$(build-dir)
67150 -%.ko: prepare scripts FORCE
67151 +%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS)
67152 +%.ko: gcc-plugins prepare scripts FORCE
67153         $(cmd_crmodverdir)
67154         $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1)   \
67155         $(build)=$(build-dir) $(@:.ko=.o)
67156 diff -urNp linux-3.1.1/mm/filemap.c linux-3.1.1/mm/filemap.c
67157 --- linux-3.1.1/mm/filemap.c    2011-11-11 15:19:27.000000000 -0500
67158 +++ linux-3.1.1/mm/filemap.c    2011-11-16 18:40:44.000000000 -0500
67159 @@ -1784,7 +1784,7 @@ int generic_file_mmap(struct file * file
67160         struct address_space *mapping = file->f_mapping;
67161  
67162         if (!mapping->a_ops->readpage)
67163 -               return -ENOEXEC;
67164 +               return -ENODEV;
67165         file_accessed(file);
67166         vma->vm_ops = &generic_file_vm_ops;
67167         vma->vm_flags |= VM_CAN_NONLINEAR;
67168 @@ -2190,6 +2190,7 @@ inline int generic_write_checks(struct f
67169                          *pos = i_size_read(inode);
67170  
67171                 if (limit != RLIM_INFINITY) {
67172 +                       gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
67173                         if (*pos >= limit) {
67174                                 send_sig(SIGXFSZ, current, 0);
67175                                 return -EFBIG;
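Review bot: The added call `gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);` is missing the space after the comma that the surrounding kernel code uses; write it `gr_learn_resource(current, RLIMIT_FSIZE, *pos, 0);`. Placing it inside the `limit != RLIM_INFINITY` branch also means the learning hook never records writes of a process whose RLIMIT_FSIZE is unlimited, which is presumably intended but is worth stating in a short comment above the call. generic_write_checks continues outside the hunk.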
67176 diff -urNp linux-3.1.1/mm/fremap.c linux-3.1.1/mm/fremap.c
67177 --- linux-3.1.1/mm/fremap.c     2011-11-11 15:19:27.000000000 -0500
67178 +++ linux-3.1.1/mm/fremap.c     2011-11-16 18:39:08.000000000 -0500
67179 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
67180   retry:
67181         vma = find_vma(mm, start);
67182  
67183 +#ifdef CONFIG_PAX_SEGMEXEC
67184 +       if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
67185 +               goto out;
67186 +#endif
67187 +
67188         /*
67189          * Make sure the vma is shared, that it supports prefaulting,
67190          * and that the remapped range is valid and fully within
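Review bot: The new SEGMEXEC check in remap_file_pages jumps to `out` without a comment saying why an executable vma is refused, and the error value in effect at `out` (presumably the initial -EINVAL) is outside the hunk. A comment such as `/* PaX: nonlinear ptes are not mirrored into the SEGMEXEC code segment, so refuse them on VM_MAYEXEC vmas */` would record the intent; that reading matches the `BUG_ON(pte_file(entry))` the mirror code asserts elsewhere in this patch, but please confirm it is the actual reason. The check sits after the `retry:` label, so it is re-evaluated on every retry, which looks correct.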
67191 diff -urNp linux-3.1.1/mm/highmem.c linux-3.1.1/mm/highmem.c
67192 --- linux-3.1.1/mm/highmem.c    2011-11-11 15:19:27.000000000 -0500
67193 +++ linux-3.1.1/mm/highmem.c    2011-11-16 18:39:08.000000000 -0500
67194 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
67195                  * So no dangers, even with speculative execution.
67196                  */
67197                 page = pte_page(pkmap_page_table[i]);
67198 +               pax_open_kernel();
67199                 pte_clear(&init_mm, (unsigned long)page_address(page),
67200                           &pkmap_page_table[i]);
67201 -
67202 +               pax_close_kernel();
67203                 set_page_address(page, NULL);
67204                 need_flush = 1;
67205         }
67206 @@ -186,9 +187,11 @@ start:
67207                 }
67208         }
67209         vaddr = PKMAP_ADDR(last_pkmap_nr);
67210 +
67211 +       pax_open_kernel();
67212         set_pte_at(&init_mm, vaddr,
67213                    &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
67214 -
67215 +       pax_close_kernel();
67216         pkmap_count[last_pkmap_nr] = 1;
67217         set_page_address(page, (void *)vaddr);
67218  
67219 diff -urNp linux-3.1.1/mm/huge_memory.c linux-3.1.1/mm/huge_memory.c
67220 --- linux-3.1.1/mm/huge_memory.c        2011-11-11 15:19:27.000000000 -0500
67221 +++ linux-3.1.1/mm/huge_memory.c        2011-11-16 18:39:08.000000000 -0500
67222 @@ -702,7 +702,7 @@ out:
67223          * run pte_offset_map on the pmd, if an huge pmd could
67224          * materialize from under us from a different thread.
67225          */
67226 -       if (unlikely(__pte_alloc(mm, vma, pmd, address)))
67227 +       if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
67228                 return VM_FAULT_OOM;
67229         /* if an huge pmd materialized from under us just retry later */
67230         if (unlikely(pmd_trans_huge(*pmd)))
67231 diff -urNp linux-3.1.1/mm/hugetlb.c linux-3.1.1/mm/hugetlb.c
67232 --- linux-3.1.1/mm/hugetlb.c    2011-11-11 15:19:27.000000000 -0500
67233 +++ linux-3.1.1/mm/hugetlb.c    2011-11-16 18:39:08.000000000 -0500
67234 @@ -2346,6 +2346,27 @@ static int unmap_ref_private(struct mm_s
67235         return 1;
67236  }
67237  
67238 +#ifdef CONFIG_PAX_SEGMEXEC
67239 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
67240 +{
67241 +       struct mm_struct *mm = vma->vm_mm;
67242 +       struct vm_area_struct *vma_m;
67243 +       unsigned long address_m;
67244 +       pte_t *ptep_m;
67245 +
67246 +       vma_m = pax_find_mirror_vma(vma);
67247 +       if (!vma_m)
67248 +               return;
67249 +
67250 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67251 +       address_m = address + SEGMEXEC_TASK_SIZE;
67252 +       ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
67253 +       get_page(page_m);
67254 +       hugepage_add_anon_rmap(page_m, vma_m, address_m);
67255 +       set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
67256 +}
67257 +#endif
67258 +
67259  /*
67260   * Hugetlb_cow() should be called with page lock of the original hugepage held.
67261   */
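Review bot: `ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK)` is passed straight to `set_huge_pte_at` without a NULL check, so the function silently relies on hugetlb_fault having already called `huge_pte_alloc` for the mirror address; `BUG_ON(!ptep_m);` after the lookup would make that invariant explicit and fail loudly if a new caller breaks it. The mask also uses the compile-time `HPAGE_MASK` while the caller side in hugetlb_fault allocates with `huge_page_size(h)`; on i386, the only SEGMEXEC target, there is presumably a single hstate so it is harmless today, but `huge_page_mask(hstate_vma(vma))` would keep the two consistent. The same `HPAGE_MASK`/`HPAGE_SIZE` pair recurs in the hugetlb_fault hunk further down.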
67262 @@ -2447,6 +2468,11 @@ retry_avoidcopy:
67263                                 make_huge_pte(vma, new_page, 1));
67264                 page_remove_rmap(old_page);
67265                 hugepage_add_new_anon_rmap(new_page, vma, address);
67266 +
67267 +#ifdef CONFIG_PAX_SEGMEXEC
67268 +               pax_mirror_huge_pte(vma, address, new_page);
67269 +#endif
67270 +
67271                 /* Make the old page be freed below */
67272                 new_page = old_page;
67273                 mmu_notifier_invalidate_range_end(mm,
67274 @@ -2598,6 +2624,10 @@ retry:
67275                                 && (vma->vm_flags & VM_SHARED)));
67276         set_huge_pte_at(mm, address, ptep, new_pte);
67277  
67278 +#ifdef CONFIG_PAX_SEGMEXEC
67279 +       pax_mirror_huge_pte(vma, address, page);
67280 +#endif
67281 +
67282         if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
67283                 /* Optimization, do the COW without a second fault */
67284                 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
67285 @@ -2627,6 +2657,10 @@ int hugetlb_fault(struct mm_struct *mm, 
67286         static DEFINE_MUTEX(hugetlb_instantiation_mutex);
67287         struct hstate *h = hstate_vma(vma);
67288  
67289 +#ifdef CONFIG_PAX_SEGMEXEC
67290 +       struct vm_area_struct *vma_m;
67291 +#endif
67292 +
67293         ptep = huge_pte_offset(mm, address);
67294         if (ptep) {
67295                 entry = huge_ptep_get(ptep);
67296 @@ -2638,6 +2672,26 @@ int hugetlb_fault(struct mm_struct *mm, 
67297                                VM_FAULT_SET_HINDEX(h - hstates);
67298         }
67299  
67300 +#ifdef CONFIG_PAX_SEGMEXEC
67301 +       vma_m = pax_find_mirror_vma(vma);
67302 +       if (vma_m) {
67303 +               unsigned long address_m;
67304 +
67305 +               if (vma->vm_start > vma_m->vm_start) {
67306 +                       address_m = address;
67307 +                       address -= SEGMEXEC_TASK_SIZE;
67308 +                       vma = vma_m;
67309 +                       h = hstate_vma(vma);
67310 +               } else
67311 +                       address_m = address + SEGMEXEC_TASK_SIZE;
67312 +
67313 +               if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
67314 +                       return VM_FAULT_OOM;
67315 +               address_m &= HPAGE_MASK;
67316 +               unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
67317 +       }
67318 +#endif
67319 +
67320         ptep = huge_pte_alloc(mm, address, huge_page_size(h));
67321         if (!ptep)
67322                 return VM_FAULT_OOM;
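Review bot: The SEGMEXEC block unmaps the mirror's huge page on every fault (`unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL)`) without saying why the mirror is torn down before the lower page is (re)established; presumably so that `pax_mirror_huge_pte` can later install a fresh entry with `set_huge_pte_at` without hitting a stale one, but that should be stated, e.g. `/* PaX: drop the mirror pte; pax_mirror_huge_pte() re-creates it once the lower pte is settled */`. After the `vma->vm_start > vma_m->vm_start` branch swaps `vma`/`address` to the lower mapping, `unmap_hugepage_range` receives that lower `vma` for a range that lies in `vma_m`; if that is relied upon only for the mm/hstate lookup, a word on it would help too. hugetlb_fault's body continues beyond the hunk.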
67323 diff -urNp linux-3.1.1/mm/internal.h linux-3.1.1/mm/internal.h
67324 --- linux-3.1.1/mm/internal.h   2011-11-11 15:19:27.000000000 -0500
67325 +++ linux-3.1.1/mm/internal.h   2011-11-16 18:39:08.000000000 -0500
67326 @@ -95,6 +95,7 @@ extern void putback_lru_page(struct page
67327   * in mm/page_alloc.c
67328   */
67329  extern void __free_pages_bootmem(struct page *page, unsigned int order);
67330 +extern void free_compound_page(struct page *page);
67331  extern void prep_compound_page(struct page *page, unsigned long order);
67332  #ifdef CONFIG_MEMORY_FAILURE
67333  extern bool is_free_buddy_page(struct page *page);
67334 diff -urNp linux-3.1.1/mm/Kconfig linux-3.1.1/mm/Kconfig
67335 --- linux-3.1.1/mm/Kconfig      2011-11-11 15:19:27.000000000 -0500
67336 +++ linux-3.1.1/mm/Kconfig      2011-11-16 18:40:44.000000000 -0500
67337 @@ -240,7 +240,7 @@ config KSM
67338  config DEFAULT_MMAP_MIN_ADDR
67339          int "Low address space to protect from user allocation"
67340         depends on MMU
67341 -        default 4096
67342 +        default 65536
67343          help
67344           This is the portion of low virtual memory which should be protected
67345           from userspace allocation.  Keeping a user from writing to low pages
67346 diff -urNp linux-3.1.1/mm/kmemleak.c linux-3.1.1/mm/kmemleak.c
67347 --- linux-3.1.1/mm/kmemleak.c   2011-11-11 15:19:27.000000000 -0500
67348 +++ linux-3.1.1/mm/kmemleak.c   2011-11-16 18:40:44.000000000 -0500
67349 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
67350  
67351         for (i = 0; i < object->trace_len; i++) {
67352                 void *ptr = (void *)object->trace[i];
67353 -               seq_printf(seq, "    [<%p>] %pS\n", ptr, ptr);
67354 +               seq_printf(seq, "    [<%p>] %pA\n", ptr, ptr);
67355         }
67356  }
67357  
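Review bot: `%pA` is not a printk conversion the stock 3.1 vsprintf knows, so this line only does what it intends if the `%pA` handler this patch adds to lib/vsprintf.c (not visible here) is applied with it. If that handler were absent, vsprintf as far as I recall falls through to printing the raw hex pointer, and the kmemleak backtrace silently loses the symbol names `%pS` produced. A comment at the call site such as `/* %pA: grsec symbol formatter, see lib/vsprintf.c */` ties the two together for readers of this file.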
67358 diff -urNp linux-3.1.1/mm/maccess.c linux-3.1.1/mm/maccess.c
67359 --- linux-3.1.1/mm/maccess.c    2011-11-11 15:19:27.000000000 -0500
67360 +++ linux-3.1.1/mm/maccess.c    2011-11-16 18:39:08.000000000 -0500
67361 @@ -26,7 +26,7 @@ long __probe_kernel_read(void *dst, cons
67362         set_fs(KERNEL_DS);
67363         pagefault_disable();
67364         ret = __copy_from_user_inatomic(dst,
67365 -                       (__force const void __user *)src, size);
67366 +                       (const void __force_user *)src, size);
67367         pagefault_enable();
67368         set_fs(old_fs);
67369  
67370 @@ -53,7 +53,7 @@ long __probe_kernel_write(void *dst, con
67371  
67372         set_fs(KERNEL_DS);
67373         pagefault_disable();
67374 -       ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
67375 +       ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
67376         pagefault_enable();
67377         set_fs(old_fs);
67378  
67379 diff -urNp linux-3.1.1/mm/madvise.c linux-3.1.1/mm/madvise.c
67380 --- linux-3.1.1/mm/madvise.c    2011-11-11 15:19:27.000000000 -0500
67381 +++ linux-3.1.1/mm/madvise.c    2011-11-16 18:39:08.000000000 -0500
67382 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
67383         pgoff_t pgoff;
67384         unsigned long new_flags = vma->vm_flags;
67385  
67386 +#ifdef CONFIG_PAX_SEGMEXEC
67387 +       struct vm_area_struct *vma_m;
67388 +#endif
67389 +
67390         switch (behavior) {
67391         case MADV_NORMAL:
67392                 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
67393 @@ -110,6 +114,13 @@ success:
67394         /*
67395          * vm_flags is protected by the mmap_sem held in write mode.
67396          */
67397 +
67398 +#ifdef CONFIG_PAX_SEGMEXEC
67399 +       vma_m = pax_find_mirror_vma(vma);
67400 +       if (vma_m)
67401 +               vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
67402 +#endif
67403 +
67404         vma->vm_flags = new_flags;
67405  
67406  out:
67407 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
67408                              struct vm_area_struct ** prev,
67409                              unsigned long start, unsigned long end)
67410  {
67411 +
67412 +#ifdef CONFIG_PAX_SEGMEXEC
67413 +       struct vm_area_struct *vma_m;
67414 +#endif
67415 +
67416         *prev = vma;
67417         if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
67418                 return -EINVAL;
67419 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
67420                 zap_page_range(vma, start, end - start, &details);
67421         } else
67422                 zap_page_range(vma, start, end - start, NULL);
67423 +
67424 +#ifdef CONFIG_PAX_SEGMEXEC
67425 +       vma_m = pax_find_mirror_vma(vma);
67426 +       if (vma_m) {
67427 +               if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
67428 +                       struct zap_details details = {
67429 +                               .nonlinear_vma = vma_m,
67430 +                               .last_index = ULONG_MAX,
67431 +                       };
67432 +                       zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
67433 +               } else
67434 +                       zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
67435 +       }
67436 +#endif
67437 +
67438         return 0;
67439  }
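Review bot: Both mirror zaps pass the lower `vma` to `zap_page_range` for a range that lies in `vma_m` (`start + SEGMEXEC_TASK_SIZE`), while the nonlinear `details` in the same block name `vma_m`. If this deliberately relies on the unmap walk advancing along `vm_next` from `vma` until it reaches the mirror, that is subtle enough to deserve a comment, e.g. `/* PaX: the mirror range is reached by walking vm_next from the lower vma */`; otherwise passing `vma_m` directly is the obvious form. The nonlinear test also reads `vma->vm_flags` rather than `vma_m->vm_flags`, which is fine only if the two always carry VM_NONLINEAR together. madvise_dontneed's signature is in the preceding hunk.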
67440  
67441 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long, 
67442         if (end < start)
67443                 goto out;
67444  
67445 +#ifdef CONFIG_PAX_SEGMEXEC
67446 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
67447 +               if (end > SEGMEXEC_TASK_SIZE)
67448 +                       goto out;
67449 +       } else
67450 +#endif
67451 +
67452 +       if (end > TASK_SIZE)
67453 +               goto out;
67454 +
67455         error = 0;
67456         if (end == start)
67457                 goto out;
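Review bot: The `} else` closing the SEGMEXEC branch binds to the `if (end > TASK_SIZE)` two lines later only across an `#endif` and a blank line, so the non-SEGMEXEC build sees a bare `if` and the SEGMEXEC build an unbraced `else` whose body is easily broken by a later edit; the same construct appears in the do_swap_page hunk of mm/memory.c (`if (...)` / `#endif` / `unlock_page(page);`). Computing the limit into a local and testing it once removes the cross-`#endif` control flow; the declaration belongs at the top of the syscall body, which is outside the hunk.
```c
	unsigned long task_size = TASK_SIZE;
	/* … unchanged: start/len/end validation … */
#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif
	if (end > task_size)
		goto out;
```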
67458 diff -urNp linux-3.1.1/mm/memory.c linux-3.1.1/mm/memory.c
67459 --- linux-3.1.1/mm/memory.c     2011-11-11 15:19:27.000000000 -0500
67460 +++ linux-3.1.1/mm/memory.c     2011-11-16 18:39:08.000000000 -0500
67461 @@ -457,8 +457,12 @@ static inline void free_pmd_range(struct
67462                 return;
67463  
67464         pmd = pmd_offset(pud, start);
67465 +
67466 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
67467         pud_clear(pud);
67468         pmd_free_tlb(tlb, pmd, start);
67469 +#endif
67470 +
67471  }
67472  
67473  static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
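Review bot: With CONFIG_X86_32 and CONFIG_PAX_PER_CPU_PGD both set, `pmd = pmd_offset(pud, start);` is still executed but its result is never used, which gcc reports under -Wunused-but-set-variable; move the assignment inside the `#if`, as the free_pud_range hunk already does for `pud` (where the whole body is skipped and `pud` becomes an unused variable instead, so both declarations want the same guard). Both hunks also leave a stray blank line before the closing `}`. Neither hunk says why the pud/pmd pages must not be freed under a per-CPU PGD; a short comment stating the reason, which cannot be checked from this file, would help, e.g. `/* PaX: per-CPU PGDs keep referencing these tables; they are released elsewhere — confirm */`.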
67474 @@ -489,9 +493,12 @@ static inline void free_pud_range(struct
67475         if (end - 1 > ceiling - 1)
67476                 return;
67477  
67478 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
67479         pud = pud_offset(pgd, start);
67480         pgd_clear(pgd);
67481         pud_free_tlb(tlb, pud, start);
67482 +#endif
67483 +
67484  }
67485  
67486  /*
67487 @@ -1566,12 +1573,6 @@ no_page_table:
67488         return page;
67489  }
67490  
67491 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
67492 -{
67493 -       return stack_guard_page_start(vma, addr) ||
67494 -              stack_guard_page_end(vma, addr+PAGE_SIZE);
67495 -}
67496 -
67497  /**
67498   * __get_user_pages() - pin user pages in memory
67499   * @tsk:       task_struct of target task
67500 @@ -1644,10 +1645,10 @@ int __get_user_pages(struct task_struct 
67501                         (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
67502         i = 0;
67503  
67504 -       do {
67505 +       while (nr_pages) {
67506                 struct vm_area_struct *vma;
67507  
67508 -               vma = find_extend_vma(mm, start);
67509 +               vma = find_vma(mm, start);
67510                 if (!vma && in_gate_area(mm, start)) {
67511                         unsigned long pg = start & PAGE_MASK;
67512                         pgd_t *pgd;
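Review bot: Replacing `find_extend_vma` with `find_vma`, together with the `start < vma->vm_start` test in the next hunk, means __get_user_pages no longer grows a VM_GROWSDOWN stack on the caller's behalf and returns -EFAULT for an address below the current stack vma; that is a visible change for callers that relied on the implicit expansion and deserves a comment on the loop, e.g. `/* PaX: never expand the stack from here; addresses below vm_start are -EFAULT */`. The `while (nr_pages)` rewrite also returns 0 for `nr_pages == 0` without looking at any vma, which looks intended but is a new path. The function continues outside the hunk.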
67513 @@ -1695,7 +1696,7 @@ int __get_user_pages(struct task_struct 
67514                         goto next_page;
67515                 }
67516  
67517 -               if (!vma ||
67518 +               if (!vma || start < vma->vm_start ||
67519                     (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
67520                     !(vm_flags & vma->vm_flags))
67521                         return i ? : -EFAULT;
67522 @@ -1722,11 +1723,6 @@ int __get_user_pages(struct task_struct 
67523                                 int ret;
67524                                 unsigned int fault_flags = 0;
67525  
67526 -                               /* For mlock, just skip the stack guard page. */
67527 -                               if (foll_flags & FOLL_MLOCK) {
67528 -                                       if (stack_guard_page(vma, start))
67529 -                                               goto next_page;
67530 -                               }
67531                                 if (foll_flags & FOLL_WRITE)
67532                                         fault_flags |= FAULT_FLAG_WRITE;
67533                                 if (nonblocking)
67534 @@ -1800,7 +1796,7 @@ next_page:
67535                         start += PAGE_SIZE;
67536                         nr_pages--;
67537                 } while (nr_pages && start < vma->vm_end);
67538 -       } while (nr_pages);
67539 +       }
67540         return i;
67541  }
67542  EXPORT_SYMBOL(__get_user_pages);
67543 @@ -2007,6 +2003,10 @@ static int insert_page(struct vm_area_st
67544         page_add_file_rmap(page);
67545         set_pte_at(mm, addr, pte, mk_pte(page, prot));
67546  
67547 +#ifdef CONFIG_PAX_SEGMEXEC
67548 +       pax_mirror_file_pte(vma, addr, page, ptl);
67549 +#endif
67550 +
67551         retval = 0;
67552         pte_unmap_unlock(pte, ptl);
67553         return retval;
67554 @@ -2041,10 +2041,22 @@ out:
67555  int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
67556                         struct page *page)
67557  {
67558 +
67559 +#ifdef CONFIG_PAX_SEGMEXEC
67560 +       struct vm_area_struct *vma_m;
67561 +#endif
67562 +
67563         if (addr < vma->vm_start || addr >= vma->vm_end)
67564                 return -EFAULT;
67565         if (!page_count(page))
67566                 return -EINVAL;
67567 +
67568 +#ifdef CONFIG_PAX_SEGMEXEC
67569 +       vma_m = pax_find_mirror_vma(vma);
67570 +       if (vma_m)
67571 +               vma_m->vm_flags |= VM_INSERTPAGE;
67572 +#endif
67573 +
67574         vma->vm_flags |= VM_INSERTPAGE;
67575         return insert_page(vma, addr, page, vma->vm_page_prot);
67576  }
67577 @@ -2130,6 +2142,7 @@ int vm_insert_mixed(struct vm_area_struc
67578                         unsigned long pfn)
67579  {
67580         BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
67581 +       BUG_ON(vma->vm_mirror);
67582  
67583         if (addr < vma->vm_start || addr >= vma->vm_end)
67584                 return -EFAULT;
67585 @@ -2445,6 +2458,186 @@ static inline void cow_user_page(struct 
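Review bot: `BUG_ON(vma->vm_mirror);` is the only mirror reference in this file not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`; if `vm_mirror` is declared conditionally in vm_area_struct (not visible here) this breaks the build when SEGMEXEC is disabled, so either guard it like the other hunks or confirm the field is unconditional. A short comment would also help readers: `/* PaX: mixed-map vmas are never mirrored */`.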
67586                 copy_user_highpage(dst, src, va, vma);
67587  }
67588  
67589 +#ifdef CONFIG_PAX_SEGMEXEC
67590 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
67591 +{
67592 +       struct mm_struct *mm = vma->vm_mm;
67593 +       spinlock_t *ptl;
67594 +       pte_t *pte, entry;
67595 +
67596 +       pte = pte_offset_map_lock(mm, pmd, address, &ptl);
67597 +       entry = *pte;
67598 +       if (!pte_present(entry)) {
67599 +               if (!pte_none(entry)) {
67600 +                       BUG_ON(pte_file(entry));
67601 +                       free_swap_and_cache(pte_to_swp_entry(entry));
67602 +                       pte_clear_not_present_full(mm, address, pte, 0);
67603 +               }
67604 +       } else {
67605 +               struct page *page;
67606 +
67607 +               flush_cache_page(vma, address, pte_pfn(entry));
67608 +               entry = ptep_clear_flush(vma, address, pte);
67609 +               BUG_ON(pte_dirty(entry));
67610 +               page = vm_normal_page(vma, address, entry);
67611 +               if (page) {
67612 +                       update_hiwater_rss(mm);
67613 +                       if (PageAnon(page))
67614 +                               dec_mm_counter_fast(mm, MM_ANONPAGES);
67615 +                       else
67616 +                               dec_mm_counter_fast(mm, MM_FILEPAGES);
67617 +                       page_remove_rmap(page);
67618 +                       page_cache_release(page);
67619 +               }
67620 +       }
67621 +       pte_unmap_unlock(pte, ptl);
67622 +}
67623 +
67624 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
67625 + *
67626 + * the ptl of the lower mapped page is held on entry and is not released on exit
67627 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
67628 + */
67629 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67630 +{
67631 +       struct mm_struct *mm = vma->vm_mm;
67632 +       unsigned long address_m;
67633 +       spinlock_t *ptl_m;
67634 +       struct vm_area_struct *vma_m;
67635 +       pmd_t *pmd_m;
67636 +       pte_t *pte_m, entry_m;
67637 +
67638 +       BUG_ON(!page_m || !PageAnon(page_m));
67639 +
67640 +       vma_m = pax_find_mirror_vma(vma);
67641 +       if (!vma_m)
67642 +               return;
67643 +
67644 +       BUG_ON(!PageLocked(page_m));
67645 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67646 +       address_m = address + SEGMEXEC_TASK_SIZE;
67647 +       pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67648 +       pte_m = pte_offset_map(pmd_m, address_m);
67649 +       ptl_m = pte_lockptr(mm, pmd_m);
67650 +       if (ptl != ptl_m) {
67651 +               spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67652 +               if (!pte_none(*pte_m))
67653 +                       goto out;
67654 +       }
67655 +
67656 +       entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
67657 +       page_cache_get(page_m);
67658 +       page_add_anon_rmap(page_m, vma_m, address_m);
67659 +       inc_mm_counter_fast(mm, MM_ANONPAGES);
67660 +       set_pte_at(mm, address_m, pte_m, entry_m);
67661 +       update_mmu_cache(vma_m, address_m, entry_m);
67662 +out:
67663 +       if (ptl != ptl_m)
67664 +               spin_unlock(ptl_m);
67665 +       pte_unmap(pte_m);
67666 +       unlock_page(page_m);
67667 +}
67668 +
67669 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67670 +{
67671 +       struct mm_struct *mm = vma->vm_mm;
67672 +       unsigned long address_m;
67673 +       spinlock_t *ptl_m;
67674 +       struct vm_area_struct *vma_m;
67675 +       pmd_t *pmd_m;
67676 +       pte_t *pte_m, entry_m;
67677 +
67678 +       BUG_ON(!page_m || PageAnon(page_m));
67679 +
67680 +       vma_m = pax_find_mirror_vma(vma);
67681 +       if (!vma_m)
67682 +               return;
67683 +
67684 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67685 +       address_m = address + SEGMEXEC_TASK_SIZE;
67686 +       pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67687 +       pte_m = pte_offset_map(pmd_m, address_m);
67688 +       ptl_m = pte_lockptr(mm, pmd_m);
67689 +       if (ptl != ptl_m) {
67690 +               spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67691 +               if (!pte_none(*pte_m))
67692 +                       goto out;
67693 +       }
67694 +
67695 +       entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
67696 +       page_cache_get(page_m);
67697 +       page_add_file_rmap(page_m);
67698 +       inc_mm_counter_fast(mm, MM_FILEPAGES);
67699 +       set_pte_at(mm, address_m, pte_m, entry_m);
67700 +       update_mmu_cache(vma_m, address_m, entry_m);
67701 +out:
67702 +       if (ptl != ptl_m)
67703 +               spin_unlock(ptl_m);
67704 +       pte_unmap(pte_m);
67705 +}
67706 +
67707 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
67708 +{
67709 +       struct mm_struct *mm = vma->vm_mm;
67710 +       unsigned long address_m;
67711 +       spinlock_t *ptl_m;
67712 +       struct vm_area_struct *vma_m;
67713 +       pmd_t *pmd_m;
67714 +       pte_t *pte_m, entry_m;
67715 +
67716 +       vma_m = pax_find_mirror_vma(vma);
67717 +       if (!vma_m)
67718 +               return;
67719 +
67720 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67721 +       address_m = address + SEGMEXEC_TASK_SIZE;
67722 +       pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67723 +       pte_m = pte_offset_map(pmd_m, address_m);
67724 +       ptl_m = pte_lockptr(mm, pmd_m);
67725 +       if (ptl != ptl_m) {
67726 +               spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67727 +               if (!pte_none(*pte_m))
67728 +                       goto out;
67729 +       }
67730 +
67731 +       entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
67732 +       set_pte_at(mm, address_m, pte_m, entry_m);
67733 +out:
67734 +       if (ptl != ptl_m)
67735 +               spin_unlock(ptl_m);
67736 +       pte_unmap(pte_m);
67737 +}
67738 +
67739 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
67740 +{
67741 +       struct page *page_m;
67742 +       pte_t entry;
67743 +
67744 +       if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
67745 +               goto out;
67746 +
67747 +       entry = *pte;
67748 +       page_m  = vm_normal_page(vma, address, entry);
67749 +       if (!page_m)
67750 +               pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
67751 +       else if (PageAnon(page_m)) {
67752 +               if (pax_find_mirror_vma(vma)) {
67753 +                       pte_unmap_unlock(pte, ptl);
67754 +                       lock_page(page_m);
67755 +                       pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
67756 +                       if (pte_same(entry, *pte))
67757 +                               pax_mirror_anon_pte(vma, address, page_m, ptl);
67758 +                       else
67759 +                               unlock_page(page_m);
67760 +               }
67761 +       } else
67762 +               pax_mirror_file_pte(vma, address, page_m, ptl);
67763 +
67764 +out:
67765 +       pte_unmap_unlock(pte, ptl);
67766 +}
67767 +#endif
67768 +
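Review bot: pax_mirror_anon_pte, pax_mirror_file_pte and pax_mirror_pfn_pte repeat the same `pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m)` walk, `pte_offset_map`, `pte_lockptr` and nested-lock/`goto out` sequence verbatim; factoring the walk into one static helper cuts the triplication and gives a single place to document that the mirror's page tables must already exist (none of the three checks `pmd_none`, so they presumably rely on the fault path having allocated them — worth confirming). The comment on pax_mirror_anon_pte documents the ptl contract but not that `page_m` must arrive locked and is unlocked before return (`BUG_ON(!PageLocked(page_m))` and the final `unlock_page(page_m)`); add ` * page_m is locked on entry and unlocked on exit, unlike the ptl`. pax_unmap_mirror_pte is static and has no caller within this hunk; if its users are in later hunks that is fine, otherwise it will warn as unused.
```c
/* PaX: map the pte of the SEGMEXEC mirror of an address; the mirror's pmd is
 * expected to exist. The caller locks it via pte_lockptr(mm, *pmd_m) and
 * pte_unmap()s it. */
static pte_t *pax_mirror_pte_offset(struct mm_struct *mm, unsigned long address_m, pmd_t **pmd_m)
{
	*pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
	return pte_offset_map(*pmd_m, address_m);
}
/* … unchanged: pax_mirror_anon_pte / pax_mirror_file_pte / pax_mirror_pfn_pte,
   each replacing its two-line walk with pte_m = pax_mirror_pte_offset(mm, address_m, &pmd_m); … */
```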
67769  /*
67770   * This routine handles present pages, when users try to write
67771   * to a shared page. It is done by copying the page to a new address
67772 @@ -2656,6 +2849,12 @@ gotten:
67773          */
67774         page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
67775         if (likely(pte_same(*page_table, orig_pte))) {
67776 +
67777 +#ifdef CONFIG_PAX_SEGMEXEC
67778 +               if (pax_find_mirror_vma(vma))
67779 +                       BUG_ON(!trylock_page(new_page));
67780 +#endif
67781 +
67782                 if (old_page) {
67783                         if (!PageAnon(old_page)) {
67784                                 dec_mm_counter_fast(mm, MM_FILEPAGES);
67785 @@ -2707,6 +2906,10 @@ gotten:
67786                         page_remove_rmap(old_page);
67787                 }
67788  
67789 +#ifdef CONFIG_PAX_SEGMEXEC
67790 +               pax_mirror_anon_pte(vma, address, new_page, ptl);
67791 +#endif
67792 +
67793                 /* Free the old page.. */
67794                 new_page = old_page;
67795                 ret |= VM_FAULT_WRITE;
67796 @@ -2986,6 +3189,11 @@ static int do_swap_page(struct mm_struct
67797         swap_free(entry);
67798         if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
67799                 try_to_free_swap(page);
67800 +
67801 +#ifdef CONFIG_PAX_SEGMEXEC
67802 +       if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
67803 +#endif
67804 +
67805         unlock_page(page);
67806         if (swapcache) {
67807                 /*
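Review bot: The `#ifdef`-wrapped `if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))` governs the existing `unlock_page(page);` across an `#endif` and a blank line, and nothing says the page is intentionally left locked so that the `pax_mirror_anon_pte` call added later in this function can consume the lock. Drop the blank line and add `/* PaX: keep the page locked, pax_mirror_anon_pte() below releases it */` above the condition. The write-fault path still unlocks here, which is consistent only if that path never reaches the mirror call; do_swap_page's body is outside the hunk, so please confirm.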
67808 @@ -3009,6 +3217,11 @@ static int do_swap_page(struct mm_struct
67809  
67810         /* No need to invalidate - it was non-present before */
67811         update_mmu_cache(vma, address, page_table);
67812 +
67813 +#ifdef CONFIG_PAX_SEGMEXEC
67814 +       pax_mirror_anon_pte(vma, address, page, ptl);
67815 +#endif
67816 +
67817  unlock:
67818         pte_unmap_unlock(page_table, ptl);
67819  out:
67820 @@ -3028,40 +3241,6 @@ out_release:
67821  }
67822  
67823  /*
67824 - * This is like a special single-page "expand_{down|up}wards()",
67825 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
67826 - * doesn't hit another vma.
67827 - */
67828 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
67829 -{
67830 -       address &= PAGE_MASK;
67831 -       if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
67832 -               struct vm_area_struct *prev = vma->vm_prev;
67833 -
67834 -               /*
67835 -                * Is there a mapping abutting this one below?
67836 -                *
67837 -                * That's only ok if it's the same stack mapping
67838 -                * that has gotten split..
67839 -                */
67840 -               if (prev && prev->vm_end == address)
67841 -                       return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
67842 -
67843 -               expand_downwards(vma, address - PAGE_SIZE);
67844 -       }
67845 -       if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
67846 -               struct vm_area_struct *next = vma->vm_next;
67847 -
67848 -               /* As VM_GROWSDOWN but s/below/above/ */
67849 -               if (next && next->vm_start == address + PAGE_SIZE)
67850 -                       return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
67851 -
67852 -               expand_upwards(vma, address + PAGE_SIZE);
67853 -       }
67854 -       return 0;
67855 -}
67856 -
67857 -/*
67858   * We enter with non-exclusive mmap_sem (to exclude vma changes,
67859   * but allow concurrent faults), and pte mapped but not yet locked.
67860   * We return with mmap_sem still held, but pte unmapped and unlocked.
67861 @@ -3070,27 +3249,23 @@ static int do_anonymous_page(struct mm_s
67862                 unsigned long address, pte_t *page_table, pmd_t *pmd,
67863                 unsigned int flags)
67864  {
67865 -       struct page *page;
67866 +       struct page *page = NULL;
67867         spinlock_t *ptl;
67868         pte_t entry;
67869  
67870 -       pte_unmap(page_table);
67871 -
67872 -       /* Check if we need to add a guard page to the stack */
67873 -       if (check_stack_guard_page(vma, address) < 0)
67874 -               return VM_FAULT_SIGBUS;
67875 -
67876 -       /* Use the zero-page for reads */
67877         if (!(flags & FAULT_FLAG_WRITE)) {
67878                 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
67879                                                 vma->vm_page_prot));
67880 -               page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
67881 +               ptl = pte_lockptr(mm, pmd);
67882 +               spin_lock(ptl);
67883                 if (!pte_none(*page_table))
67884                         goto unlock;
67885                 goto setpte;
67886         }
67887  
67888         /* Allocate our own private page. */
67889 +       pte_unmap(page_table);
67890 +
67891         if (unlikely(anon_vma_prepare(vma)))
67892                 goto oom;
67893         page = alloc_zeroed_user_highpage_movable(vma, address);
67894 @@ -3109,6 +3284,11 @@ static int do_anonymous_page(struct mm_s
67895         if (!pte_none(*page_table))
67896                 goto release;
67897  
67898 +#ifdef CONFIG_PAX_SEGMEXEC
67899 +       if (pax_find_mirror_vma(vma))
67900 +               BUG_ON(!trylock_page(page));
67901 +#endif
67902 +
67903         inc_mm_counter_fast(mm, MM_ANONPAGES);
67904         page_add_new_anon_rmap(page, vma, address);
67905  setpte:
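Review bot: `BUG_ON(!trylock_page(page))` turns a contended page lock into a system-wide panic, so the invariant that makes the lock uncontended here should be stated next to it, e.g. `/* page was just allocated and is not yet mapped anywhere, so nobody else can hold its lock */`. Where the lock is released is not visible in this hunk (presumably inside pax_mirror_anon_pte), and the comment should name the releaser as well. The same pattern appears in __do_fault at `if (anon && pax_find_mirror_vma(vma))`, where the freshness assumption holds only if the anon page is the freshly allocated cow page — worth confirming and documenting there too.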
67906 @@ -3116,6 +3296,12 @@ setpte:
67907  
67908         /* No need to invalidate - it was non-present before */
67909         update_mmu_cache(vma, address, page_table);
67910 +
67911 +#ifdef CONFIG_PAX_SEGMEXEC
67912 +       if (page)
67913 +               pax_mirror_anon_pte(vma, address, page, ptl);
67914 +#endif
67915 +
67916  unlock:
67917         pte_unmap_unlock(page_table, ptl);
67918         return 0;
67919 @@ -3259,6 +3445,12 @@ static int __do_fault(struct mm_struct *
67920          */
67921         /* Only go through if we didn't race with anybody else... */
67922         if (likely(pte_same(*page_table, orig_pte))) {
67923 +
67924 +#ifdef CONFIG_PAX_SEGMEXEC
67925 +               if (anon && pax_find_mirror_vma(vma))
67926 +                       BUG_ON(!trylock_page(page));
67927 +#endif
67928 +
67929                 flush_icache_page(vma, page);
67930                 entry = mk_pte(page, vma->vm_page_prot);
67931                 if (flags & FAULT_FLAG_WRITE)
67932 @@ -3278,6 +3470,14 @@ static int __do_fault(struct mm_struct *
67933  
67934                 /* no need to invalidate: a not-present page won't be cached */
67935                 update_mmu_cache(vma, address, page_table);
67936 +
67937 +#ifdef CONFIG_PAX_SEGMEXEC
67938 +               if (anon)
67939 +                       pax_mirror_anon_pte(vma, address, page, ptl);
67940 +               else
67941 +                       pax_mirror_file_pte(vma, address, page, ptl);
67942 +#endif
67943 +
67944         } else {
67945                 if (cow_page)
67946                         mem_cgroup_uncharge_page(cow_page);
67947 @@ -3431,6 +3631,12 @@ int handle_pte_fault(struct mm_struct *m
67948                 if (flags & FAULT_FLAG_WRITE)
67949                         flush_tlb_fix_spurious_fault(vma, address);
67950         }
67951 +
67952 +#ifdef CONFIG_PAX_SEGMEXEC
67953 +       pax_mirror_pte(vma, address, pte, pmd, ptl);
67954 +       return 0;
67955 +#endif
67956 +
67957  unlock:
67958         pte_unmap_unlock(pte, ptl);
67959         return 0;
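Review bot: Under CONFIG_PAX_SEGMEXEC the unconditional `return 0;` after `pax_mirror_pte(...)` bypasses the `pte_unmap_unlock(pte, ptl)` at `unlock:`, so correctness depends on pax_mirror_pte unmapping `pte` and dropping `ptl` for its caller. That ownership transfer is not written down anywhere in the hunk and the early return reads like a leaked spinlock; I would add `/* pax_mirror_pte() unmaps pte and releases ptl on our behalf */` above it. The `unlock:` label remains reachable only through gotos from the earlier part of handle_pte_fault, which lies outside this hunk.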
67960 @@ -3447,6 +3653,10 @@ int handle_mm_fault(struct mm_struct *mm
67961         pmd_t *pmd;
67962         pte_t *pte;
67963  
67964 +#ifdef CONFIG_PAX_SEGMEXEC
67965 +       struct vm_area_struct *vma_m;
67966 +#endif
67967 +
67968         __set_current_state(TASK_RUNNING);
67969  
67970         count_vm_event(PGFAULT);
67971 @@ -3458,6 +3668,34 @@ int handle_mm_fault(struct mm_struct *mm
67972         if (unlikely(is_vm_hugetlb_page(vma)))
67973                 return hugetlb_fault(mm, vma, address, flags);
67974  
67975 +#ifdef CONFIG_PAX_SEGMEXEC
67976 +       vma_m = pax_find_mirror_vma(vma);
67977 +       if (vma_m) {
67978 +               unsigned long address_m;
67979 +               pgd_t *pgd_m;
67980 +               pud_t *pud_m;
67981 +               pmd_t *pmd_m;
67982 +
67983 +               if (vma->vm_start > vma_m->vm_start) {
67984 +                       address_m = address;
67985 +                       address -= SEGMEXEC_TASK_SIZE;
67986 +                       vma = vma_m;
67987 +               } else
67988 +                       address_m = address + SEGMEXEC_TASK_SIZE;
67989 +
67990 +               pgd_m = pgd_offset(mm, address_m);
67991 +               pud_m = pud_alloc(mm, pgd_m, address_m);
67992 +               if (!pud_m)
67993 +                       return VM_FAULT_OOM;
67994 +               pmd_m = pmd_alloc(mm, pud_m, address_m);
67995 +               if (!pmd_m)
67996 +                       return VM_FAULT_OOM;
67997 +               if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
67998 +                       return VM_FAULT_OOM;
67999 +               pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
68000 +       }
68001 +#endif
68002 +
68003         pgd = pgd_offset(mm, address);
68004         pud = pud_alloc(mm, pgd, address);
68005         if (!pud)
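Review bot: In the `vma->vm_start > vma_m->vm_start` branch `vma` is reassigned to `vma_m` but `vma_m` itself is left unchanged, so both names now refer to the lower vma while `address_m` holds the upper address; in the `else` branch `vma_m` is the upper vma. The subsequent `__pte_alloc(mm, vma_m, pmd_m, address_m)` and `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` therefore receive a vma/address pairing that differs between the two branches. If either callee uses the vma for anything beyond `vm_mm` this is a mismatch and the swap should rotate both, e.g. `struct vm_area_struct *tmp = vma; vma = vma_m; vma_m = tmp;`; if the pairing is intentional, a comment saying so would stop the next reader from "fixing" it. Neither callee is visible here, so this needs confirming against their definitions.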
68006 @@ -3487,7 +3725,7 @@ int handle_mm_fault(struct mm_struct *mm
68007          * run pte_offset_map on the pmd, if an huge pmd could
68008          * materialize from under us from a different thread.
68009          */
68010 -       if (unlikely(pmd_none(*pmd)) && __pte_alloc(mm, vma, pmd, address))
68011 +       if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
68012                 return VM_FAULT_OOM;
68013         /* if an huge pmd materialized from under us just retry later */
68014         if (unlikely(pmd_trans_huge(*pmd)))
68015 @@ -3591,7 +3829,7 @@ static int __init gate_vma_init(void)
68016         gate_vma.vm_start = FIXADDR_USER_START;
68017         gate_vma.vm_end = FIXADDR_USER_END;
68018         gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
68019 -       gate_vma.vm_page_prot = __P101;
68020 +       gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
68021         /*
68022          * Make sure the vDSO gets into every core dump.
68023          * Dumping its contents makes post-mortem fully interpretable later
68024 diff -urNp linux-3.1.1/mm/memory-failure.c linux-3.1.1/mm/memory-failure.c
68025 --- linux-3.1.1/mm/memory-failure.c     2011-11-11 15:19:27.000000000 -0500
68026 +++ linux-3.1.1/mm/memory-failure.c     2011-11-16 18:39:08.000000000 -0500
68027 @@ -60,7 +60,7 @@ int sysctl_memory_failure_early_kill __r
68028  
68029  int sysctl_memory_failure_recovery __read_mostly = 1;
68030  
68031 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
68032 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
68033  
68034  #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
68035  
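Review bot: `mce_bad_pages` is switched to `atomic_long_unchecked_t` without a comment on why it is exempt from the checked-atomic overflow protection the rest of the patch presumably introduces. A one-liner at the declaration, such as `/* bad-page counter, not a reference count: wraparound is harmless, hence unchecked */`, would document the exemption, and the `atomic_long_add_unchecked`/`atomic_long_sub_unchecked` call sites in the following hunks then need no further explanation. Whether the counter can legitimately wrap is my inference from its use; please confirm.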
68036 @@ -201,7 +201,7 @@ static int kill_proc_ao(struct task_stru
68037         si.si_signo = SIGBUS;
68038         si.si_errno = 0;
68039         si.si_code = BUS_MCEERR_AO;
68040 -       si.si_addr = (void *)addr;
68041 +       si.si_addr = (void __user *)addr;
68042  #ifdef __ARCH_SI_TRAPNO
68043         si.si_trapno = trapno;
68044  #endif
68045 @@ -1009,7 +1009,7 @@ int __memory_failure(unsigned long pfn, 
68046         }
68047  
68048         nr_pages = 1 << compound_trans_order(hpage);
68049 -       atomic_long_add(nr_pages, &mce_bad_pages);
68050 +       atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
68051  
68052         /*
68053          * We need/can do nothing about count=0 pages.
68054 @@ -1039,7 +1039,7 @@ int __memory_failure(unsigned long pfn, 
68055                         if (!PageHWPoison(hpage)
68056                             || (hwpoison_filter(p) && TestClearPageHWPoison(p))
68057                             || (p != hpage && TestSetPageHWPoison(hpage))) {
68058 -                               atomic_long_sub(nr_pages, &mce_bad_pages);
68059 +                               atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68060                                 return 0;
68061                         }
68062                         set_page_hwpoison_huge_page(hpage);
68063 @@ -1097,7 +1097,7 @@ int __memory_failure(unsigned long pfn, 
68064         }
68065         if (hwpoison_filter(p)) {
68066                 if (TestClearPageHWPoison(p))
68067 -                       atomic_long_sub(nr_pages, &mce_bad_pages);
68068 +                       atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68069                 unlock_page(hpage);
68070                 put_page(hpage);
68071                 return 0;
68072 @@ -1314,7 +1314,7 @@ int unpoison_memory(unsigned long pfn)
68073                         return 0;
68074                 }
68075                 if (TestClearPageHWPoison(p))
68076 -                       atomic_long_sub(nr_pages, &mce_bad_pages);
68077 +                       atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68078                 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
68079                 return 0;
68080         }
68081 @@ -1328,7 +1328,7 @@ int unpoison_memory(unsigned long pfn)
68082          */
68083         if (TestClearPageHWPoison(page)) {
68084                 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
68085 -               atomic_long_sub(nr_pages, &mce_bad_pages);
68086 +               atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68087                 freeit = 1;
68088                 if (PageHuge(page))
68089                         clear_page_hwpoison_huge_page(page);
68090 @@ -1441,7 +1441,7 @@ static int soft_offline_huge_page(struct
68091         }
68092  done:
68093         if (!PageHWPoison(hpage))
68094 -               atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
68095 +               atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
68096         set_page_hwpoison_huge_page(hpage);
68097         dequeue_hwpoisoned_huge_page(hpage);
68098         /* keep elevated page count for bad page */
68099 @@ -1572,7 +1572,7 @@ int soft_offline_page(struct page *page,
68100                 return ret;
68101  
68102  done:
68103 -       atomic_long_add(1, &mce_bad_pages);
68104 +       atomic_long_add_unchecked(1, &mce_bad_pages);
68105         SetPageHWPoison(page);
68106         /* keep elevated page count for bad page */
68107         return ret;
68108 diff -urNp linux-3.1.1/mm/mempolicy.c linux-3.1.1/mm/mempolicy.c
68109 --- linux-3.1.1/mm/mempolicy.c  2011-11-11 15:19:27.000000000 -0500
68110 +++ linux-3.1.1/mm/mempolicy.c  2011-11-16 18:40:44.000000000 -0500
68111 @@ -639,6 +639,10 @@ static int mbind_range(struct mm_struct 
68112         unsigned long vmstart;
68113         unsigned long vmend;
68114  
68115 +#ifdef CONFIG_PAX_SEGMEXEC
68116 +       struct vm_area_struct *vma_m;
68117 +#endif
68118 +
68119         vma = find_vma_prev(mm, start, &prev);
68120         if (!vma || vma->vm_start > start)
68121                 return -EFAULT;
68122 @@ -669,6 +673,16 @@ static int mbind_range(struct mm_struct 
68123                 err = policy_vma(vma, new_pol);
68124                 if (err)
68125                         goto out;
68126 +
68127 +#ifdef CONFIG_PAX_SEGMEXEC
68128 +               vma_m = pax_find_mirror_vma(vma);
68129 +               if (vma_m) {
68130 +                       err = policy_vma(vma_m, new_pol);
68131 +                       if (err)
68132 +                               goto out;
68133 +               }
68134 +#endif
68135 +
68136         }
68137  
68138   out:
68139 @@ -1102,6 +1116,17 @@ static long do_mbind(unsigned long start
68140  
68141         if (end < start)
68142                 return -EINVAL;
68143 +
68144 +#ifdef CONFIG_PAX_SEGMEXEC
68145 +       if (mm->pax_flags & MF_PAX_SEGMEXEC) {
68146 +               if (end > SEGMEXEC_TASK_SIZE)
68147 +                       return -EINVAL;
68148 +       } else
68149 +#endif
68150 +
68151 +       if (end > TASK_SIZE)
68152 +               return -EINVAL;
68153 +
68154         if (end == start)
68155                 return 0;
68156  
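Review bot: The `} else` placed on the line before `#endif` binds to the `if (end > TASK_SIZE)` that follows the preprocessor block and a blank line, so the control flow depends on the configuration and is easy to misread or break with an unrelated edit. Computing the bound once is clearer: declare `unsigned long limit = TASK_SIZE;`, set `limit = SEGMEXEC_TASK_SIZE;` under the ifdef when `mm->pax_flags & MF_PAX_SEGMEXEC`, and test `if (end > limit) return -EINVAL;`. The MPROTECT block in do_mmap_pgoff in mm/mmap.c uses the same `#else … #endif` followed by a bare `else` and should be restructured the same way. do_mbind's body continues outside this hunk.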
68157 @@ -1320,6 +1345,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
68158         if (!mm)
68159                 goto out;
68160  
68161 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68162 +       if (mm != current->mm &&
68163 +           (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
68164 +               err = -EPERM;
68165 +               goto out;
68166 +       }
68167 +#endif
68168 +
68169         /*
68170          * Check if this process has the right to modify the specified
68171          * process. The right exists if the process has administrative
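Review bot: The predicate `mm != current->mm && (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)` is duplicated verbatim in move_pages in mm/migrate.c; a single static inline helper in a shared header would keep the two checks from drifting apart, and the flag test itself reads better as `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)`. The early `goto out` relies on `out:` releasing the mm reference obtained just above, which is outside the hunk — worth confirming. A short comment on why a randomised or segmexec'd foreign mm must not have its pages migrated would also help; the intent is not stated anywhere in the hunk.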
68172 @@ -1329,8 +1362,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
68173         rcu_read_lock();
68174         tcred = __task_cred(task);
68175         if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
68176 -           cred->uid  != tcred->suid && cred->uid  != tcred->uid &&
68177 -           !capable(CAP_SYS_NICE)) {
68178 +           cred->uid  != tcred->suid && !capable(CAP_SYS_NICE)) {
68179                 rcu_read_unlock();
68180                 err = -EPERM;
68181                 goto out;
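Review bot: Dropping `cred->uid != tcred->uid` tightens who may act on another process: a caller whose real uid matches only the target's real uid is now refused unless it holds CAP_SYS_NICE. The narrowing may be deliberate, but the explanatory comment directly above ("The right exists if the process has administrative …", continuing outside the hunk) still describes the old rule and should be updated to match the new condition. The identical change to move_pages in mm/migrate.c needs the same comment update.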
68182 diff -urNp linux-3.1.1/mm/migrate.c linux-3.1.1/mm/migrate.c
68183 --- linux-3.1.1/mm/migrate.c    2011-11-11 15:19:27.000000000 -0500
68184 +++ linux-3.1.1/mm/migrate.c    2011-11-16 18:40:44.000000000 -0500
68185 @@ -1124,6 +1124,8 @@ static int do_pages_move(struct mm_struc
68186         unsigned long chunk_start;
68187         int err;
68188  
68189 +       pax_track_stack();
68190 +
68191         task_nodes = cpuset_mems_allowed(task);
68192  
68193         err = -ENOMEM;
68194 @@ -1308,6 +1310,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, 
68195         if (!mm)
68196                 return -EINVAL;
68197  
68198 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68199 +       if (mm != current->mm &&
68200 +           (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
68201 +               err = -EPERM;
68202 +               goto out;
68203 +       }
68204 +#endif
68205 +
68206         /*
68207          * Check if this process has the right to modify the specified
68208          * process. The right exists if the process has administrative
68209 @@ -1317,8 +1327,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, 
68210         rcu_read_lock();
68211         tcred = __task_cred(task);
68212         if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
68213 -           cred->uid  != tcred->suid && cred->uid  != tcred->uid &&
68214 -           !capable(CAP_SYS_NICE)) {
68215 +           cred->uid  != tcred->suid && !capable(CAP_SYS_NICE)) {
68216                 rcu_read_unlock();
68217                 err = -EPERM;
68218                 goto out;
68219 diff -urNp linux-3.1.1/mm/mlock.c linux-3.1.1/mm/mlock.c
68220 --- linux-3.1.1/mm/mlock.c      2011-11-11 15:19:27.000000000 -0500
68221 +++ linux-3.1.1/mm/mlock.c      2011-11-16 18:40:44.000000000 -0500
68222 @@ -13,6 +13,7 @@
68223  #include <linux/pagemap.h>
68224  #include <linux/mempolicy.h>
68225  #include <linux/syscalls.h>
68226 +#include <linux/security.h>
68227  #include <linux/sched.h>
68228  #include <linux/module.h>
68229  #include <linux/rmap.h>
68230 @@ -377,6 +378,9 @@ static int do_mlock(unsigned long start,
68231                 return -EINVAL;
68232         if (end == start)
68233                 return 0;
68234 +       if (end > TASK_SIZE)
68235 +               return -EINVAL;
68236 +
68237         vma = find_vma_prev(current->mm, start, &prev);
68238         if (!vma || vma->vm_start > start)
68239                 return -ENOMEM;
68240 @@ -387,6 +391,11 @@ static int do_mlock(unsigned long start,
68241         for (nstart = start ; ; ) {
68242                 vm_flags_t newflags;
68243  
68244 +#ifdef CONFIG_PAX_SEGMEXEC
68245 +               if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
68246 +                       break;
68247 +#endif
68248 +
68249                 /* Here we know that  vma->vm_start <= nstart < vma->vm_end. */
68250  
68251                 newflags = vma->vm_flags | VM_LOCKED;
68252 @@ -492,6 +501,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
68253         lock_limit >>= PAGE_SHIFT;
68254  
68255         /* check against resource limits */
68256 +       gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
68257         if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
68258                 error = do_mlock(start, len, 1);
68259         up_write(&current->mm->mmap_sem);
68260 @@ -515,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long, 
68261  static int do_mlockall(int flags)
68262  {
68263         struct vm_area_struct * vma, * prev = NULL;
68264 -       unsigned int def_flags = 0;
68265  
68266         if (flags & MCL_FUTURE)
68267 -               def_flags = VM_LOCKED;
68268 -       current->mm->def_flags = def_flags;
68269 +               current->mm->def_flags |= VM_LOCKED;
68270 +       else
68271 +               current->mm->def_flags &= ~VM_LOCKED;
68272         if (flags == MCL_FUTURE)
68273                 goto out;
68274  
68275         for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
68276                 vm_flags_t newflags;
68277  
68278 +#ifdef CONFIG_PAX_SEGMEXEC
68279 +               if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
68280 +                       break;
68281 +#endif
68282 +
68283 +               BUG_ON(vma->vm_end > TASK_SIZE);
68284                 newflags = vma->vm_flags | VM_LOCKED;
68285                 if (!(flags & MCL_CURRENT))
68286                         newflags &= ~VM_LOCKED;
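Review bot: `BUG_ON(vma->vm_end > TASK_SIZE)` sits on a path reachable from the mlockall syscall, so if the invariant ever breaks the result is a kernel panic rather than a failed call; `WARN_ON_ONCE` followed by `break` (or an error return) would keep the system up while still surfacing the bug. Replacing `current->mm->def_flags = def_flags` with `|= VM_LOCKED` / `&= ~VM_LOCKED` is a behaviour change — other bits in def_flags are now preserved instead of cleared — and deserves a comment such as `/* touch only VM_LOCKED; other def_flags bits must survive mlockall */`. The `for` loop continues beyond the hunk.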
68287 @@ -557,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
68288         lock_limit >>= PAGE_SHIFT;
68289  
68290         ret = -ENOMEM;
68291 +       gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
68292         if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
68293             capable(CAP_IPC_LOCK))
68294                 ret = do_mlockall(flags);
68295 diff -urNp linux-3.1.1/mm/mmap.c linux-3.1.1/mm/mmap.c
68296 --- linux-3.1.1/mm/mmap.c       2011-11-11 15:19:27.000000000 -0500
68297 +++ linux-3.1.1/mm/mmap.c       2011-11-16 18:40:44.000000000 -0500
68298 @@ -46,6 +46,16 @@
68299  #define arch_rebalance_pgtables(addr, len)             (addr)
68300  #endif
68301  
68302 +static inline void verify_mm_writelocked(struct mm_struct *mm)
68303 +{
68304 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
68305 +       if (unlikely(down_read_trylock(&mm->mmap_sem))) {
68306 +               up_read(&mm->mmap_sem);
68307 +               BUG();
68308 +       }
68309 +#endif
68310 +}
68311 +
68312  static void unmap_region(struct mm_struct *mm,
68313                 struct vm_area_struct *vma, struct vm_area_struct *prev,
68314                 unsigned long start, unsigned long end);
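Review bot: verify_mm_writelocked has no comment, and its check is weaker than the name suggests: `down_read_trylock` only fails while some task holds mmap_sem for write, so the helper BUGs when the lock is free or read-held but cannot tell whether the current task is the writer. Suggested header: `/* BUG unless mmap_sem is currently write-held by some task (ownership is not verified). Compiled to nothing without CONFIG_DEBUG_VM or CONFIG_PAX. */`. Callers should be reviewed with that limitation in mind.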
68315 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
68316   *             x: (no) no      x: (no) yes     x: (no) yes     x: (yes) yes
68317   *
68318   */
68319 -pgprot_t protection_map[16] = {
68320 +pgprot_t protection_map[16] __read_only = {
68321         __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
68322         __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
68323  };
68324  
68325 -pgprot_t vm_get_page_prot(unsigned long vm_flags)
68326 +pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
68327  {
68328 -       return __pgprot(pgprot_val(protection_map[vm_flags &
68329 +       pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
68330                                 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
68331                         pgprot_val(arch_vm_get_page_prot(vm_flags)));
68332 +
68333 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68334 +       if (!(__supported_pte_mask & _PAGE_NX) &&
68335 +           (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
68336 +           (vm_flags & (VM_READ | VM_WRITE)))
68337 +               prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
68338 +#endif
68339 +
68340 +       return prot;
68341  }
68342  EXPORT_SYMBOL(vm_get_page_prot);
68343  
68344  int sysctl_overcommit_memory __read_mostly = OVERCOMMIT_GUESS;  /* heuristic overcommit */
68345  int sysctl_overcommit_ratio __read_mostly = 50;        /* default is 50% */
68346  int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
68347 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
68348  /*
68349   * Make sure vm_committed_as in one cacheline and not cacheline shared with
68350   * other variables. It can be updated by several CPUs frequently.
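Review bot: The x86_32 PAGEEXEC branch in vm_get_page_prot needs a why-comment; from the code it fires only when the CPU offers no NX bit (`!(__supported_pte_mask & _PAGE_NX)`), the mapping carries VM_PAGEEXEC but not VM_EXEC, and it is readable or writable, and it then runs the protection through `pte_exprotect`, e.g. `/* no hardware NX: strip execute from PAGEEXEC-tracked non-exec mappings via pte_exprotect() */`. `sysctl_heap_stack_gap` is the only sysctl in this group without a trailing comment; `/* minimum heap-to-stack gap (presumably in bytes; confirm) */` would match its neighbours. The signature change to `vm_flags_t` must be mirrored in the header prototype, which is not part of this hunk.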
68351 @@ -228,6 +248,7 @@ static struct vm_area_struct *remove_vma
68352         struct vm_area_struct *next = vma->vm_next;
68353  
68354         might_sleep();
68355 +       BUG_ON(vma->vm_mirror);
68356         if (vma->vm_ops && vma->vm_ops->close)
68357                 vma->vm_ops->close(vma);
68358         if (vma->vm_file) {
68359 @@ -272,6 +293,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
68360          * not page aligned -Ram Gupta
68361          */
68362         rlim = rlimit(RLIMIT_DATA);
68363 +       gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
68364         if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
68365                         (mm->end_data - mm->start_data) > rlim)
68366                 goto out;
68367 @@ -689,6 +711,12 @@ static int
68368  can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
68369         struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68370  {
68371 +
68372 +#ifdef CONFIG_PAX_SEGMEXEC
68373 +       if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
68374 +               return 0;
68375 +#endif
68376 +
68377         if (is_mergeable_vma(vma, file, vm_flags) &&
68378             is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
68379                 if (vma->vm_pgoff == vm_pgoff)
68380 @@ -708,6 +736,12 @@ static int
68381  can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
68382         struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68383  {
68384 +
68385 +#ifdef CONFIG_PAX_SEGMEXEC
68386 +       if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
68387 +               return 0;
68388 +#endif
68389 +
68390         if (is_mergeable_vma(vma, file, vm_flags) &&
68391             is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
68392                 pgoff_t vm_pglen;
68393 @@ -750,13 +784,20 @@ can_vma_merge_after(struct vm_area_struc
68394  struct vm_area_struct *vma_merge(struct mm_struct *mm,
68395                         struct vm_area_struct *prev, unsigned long addr,
68396                         unsigned long end, unsigned long vm_flags,
68397 -                       struct anon_vma *anon_vma, struct file *file,
68398 +                       struct anon_vma *anon_vma, struct file *file,
68399                         pgoff_t pgoff, struct mempolicy *policy)
68400  {
68401         pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
68402         struct vm_area_struct *area, *next;
68403         int err;
68404  
68405 +#ifdef CONFIG_PAX_SEGMEXEC
68406 +       unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
68407 +       struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
68408 +
68409 +       BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
68410 +#endif
68411 +
68412         /*
68413          * We later require that vma->vm_flags == vm_flags,
68414          * so this tests vma->vm_flags & VM_SPECIAL, too.
68415 @@ -772,6 +813,15 @@ struct vm_area_struct *vma_merge(struct 
68416         if (next && next->vm_end == end)                /* cases 6, 7, 8 */
68417                 next = next->vm_next;
68418  
68419 +#ifdef CONFIG_PAX_SEGMEXEC
68420 +       if (prev)
68421 +               prev_m = pax_find_mirror_vma(prev);
68422 +       if (area)
68423 +               area_m = pax_find_mirror_vma(area);
68424 +       if (next)
68425 +               next_m = pax_find_mirror_vma(next);
68426 +#endif
68427 +
68428         /*
68429          * Can it merge with the predecessor?
68430          */
68431 @@ -791,9 +841,24 @@ struct vm_area_struct *vma_merge(struct 
68432                                                         /* cases 1, 6 */
68433                         err = vma_adjust(prev, prev->vm_start,
68434                                 next->vm_end, prev->vm_pgoff, NULL);
68435 -               } else                                  /* cases 2, 5, 7 */
68436 +
68437 +#ifdef CONFIG_PAX_SEGMEXEC
68438 +                       if (!err && prev_m)
68439 +                               err = vma_adjust(prev_m, prev_m->vm_start,
68440 +                                       next_m->vm_end, prev_m->vm_pgoff, NULL);
68441 +#endif
68442 +
68443 +               } else {                                /* cases 2, 5, 7 */
68444                         err = vma_adjust(prev, prev->vm_start,
68445                                 end, prev->vm_pgoff, NULL);
68446 +
68447 +#ifdef CONFIG_PAX_SEGMEXEC
68448 +                       if (!err && prev_m)
68449 +                               err = vma_adjust(prev_m, prev_m->vm_start,
68450 +                                               end_m, prev_m->vm_pgoff, NULL);
68451 +#endif
68452 +
68453 +               }
68454                 if (err)
68455                         return NULL;
68456                 khugepaged_enter_vma_merge(prev);
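Review bot: `next_m->vm_end` is dereferenced in the cases 1, 6 mirror branch while only `prev_m` is checked for NULL, and the cases 3, 8 branch in the next hunk does the same with `next_m->vm_end`/`next_m->vm_pgoff` guarded only by `area_m`. This is sound only if two mergeable vmas always either both have a mirror or neither does; that follows from is_mergeable_vma requiring identical flags and mmap_region creating a mirror for every VM_EXEC mapping under SEGMEXEC, but nothing here asserts it. A `BUG_ON(!next_m);` — or at least a comment stating the invariant — beside the first dereference would make the assumption explicit. vma_merge's body extends beyond these hunks.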
68457 @@ -807,12 +872,27 @@ struct vm_area_struct *vma_merge(struct 
68458                         mpol_equal(policy, vma_policy(next)) &&
68459                         can_vma_merge_before(next, vm_flags,
68460                                         anon_vma, file, pgoff+pglen)) {
68461 -               if (prev && addr < prev->vm_end)        /* case 4 */
68462 +               if (prev && addr < prev->vm_end) {      /* case 4 */
68463                         err = vma_adjust(prev, prev->vm_start,
68464                                 addr, prev->vm_pgoff, NULL);
68465 -               else                                    /* cases 3, 8 */
68466 +
68467 +#ifdef CONFIG_PAX_SEGMEXEC
68468 +                       if (!err && prev_m)
68469 +                               err = vma_adjust(prev_m, prev_m->vm_start,
68470 +                                               addr_m, prev_m->vm_pgoff, NULL);
68471 +#endif
68472 +
68473 +               } else {                                /* cases 3, 8 */
68474                         err = vma_adjust(area, addr, next->vm_end,
68475                                 next->vm_pgoff - pglen, NULL);
68476 +
68477 +#ifdef CONFIG_PAX_SEGMEXEC
68478 +                       if (!err && area_m)
68479 +                               err = vma_adjust(area_m, addr_m, next_m->vm_end,
68480 +                                               next_m->vm_pgoff - pglen, NULL);
68481 +#endif
68482 +
68483 +               }
68484                 if (err)
68485                         return NULL;
68486                 khugepaged_enter_vma_merge(area);
68487 @@ -921,14 +1001,11 @@ none:
68488  void vm_stat_account(struct mm_struct *mm, unsigned long flags,
68489                                                 struct file *file, long pages)
68490  {
68491 -       const unsigned long stack_flags
68492 -               = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
68493 -
68494         if (file) {
68495                 mm->shared_vm += pages;
68496                 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
68497                         mm->exec_vm += pages;
68498 -       } else if (flags & stack_flags)
68499 +       } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
68500                 mm->stack_vm += pages;
68501         if (flags & (VM_RESERVED|VM_IO))
68502                 mm->reserved_vm += pages;
68503 @@ -955,7 +1032,7 @@ unsigned long do_mmap_pgoff(struct file 
68504          * (the exception is when the underlying filesystem is noexec
68505          *  mounted, in which case we dont add PROT_EXEC.)
68506          */
68507 -       if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
68508 +       if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
68509                 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
68510                         prot |= PROT_EXEC;
68511  
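Review bot: Extending the READ_IMPLIES_EXEC test to `PROT_WRITE` means write-only mappings now also receive PROT_EXEC under that personality, i.e. more mappings become executable than in the unpatched kernel, and the existing comment above only explains the read case. A comment stating why write alone should imply exec here is needed, and it should mention that with MF_PAX_MPROTECT the later block in the same function rejects or downgrades the resulting W+X request, so the net effect depends on the MPROTECT setting. do_mmap_pgoff's signature is outside this hunk.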
68512 @@ -981,7 +1058,7 @@ unsigned long do_mmap_pgoff(struct file 
68513         /* Obtain the address to map to. we verify (or select) it and ensure
68514          * that it represents a valid section of the address space.
68515          */
68516 -       addr = get_unmapped_area(file, addr, len, pgoff, flags);
68517 +       addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
68518         if (addr & ~PAGE_MASK)
68519                 return addr;
68520  
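Review bot: `MAP_EXECUTABLE` is ORed into the flags handed to get_unmapped_area to signal PROT_EXEC, but the same bit is also a user-suppliable mmap flag, so the callee cannot distinguish a genuine exec mapping from a caller that merely passed MAP_EXECUTABLE on a non-exec one. If the arch get_unmapped_area uses the bit for a layout decision under PaX (not visible here), clearing the user copy first — `flags = (flags & ~MAP_EXECUTABLE) | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0);` — keeps the signal under kernel control; if the bit is only advisory there, a comment saying so is enough.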
68521 @@ -992,6 +1069,36 @@ unsigned long do_mmap_pgoff(struct file 
68522         vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
68523                         mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
68524  
68525 +#ifdef CONFIG_PAX_MPROTECT
68526 +       if (mm->pax_flags & MF_PAX_MPROTECT) {
68527 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
68528 +               if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
68529 +                       gr_log_rwxmmap(file);
68530 +
68531 +#ifdef CONFIG_PAX_EMUPLT
68532 +                       vm_flags &= ~VM_EXEC;
68533 +#else
68534 +                       return -EPERM;
68535 +#endif
68536 +
68537 +               }
68538 +
68539 +               if (!(vm_flags & VM_EXEC))
68540 +                       vm_flags &= ~VM_MAYEXEC;
68541 +#else
68542 +               if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
68543 +                       vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
68544 +#endif
68545 +               else
68546 +                       vm_flags &= ~VM_MAYWRITE;
68547 +       }
68548 +#endif
68549 +
68550 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68551 +       if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
68552 +               vm_flags &= ~VM_PAGEEXEC;
68553 +#endif
68554 +
68555         if (flags & MAP_LOCKED)
68556                 if (!can_do_mlock())
68557                         return -EPERM;
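Review bot: Under CONFIG_PAX_EMUPLT a W+X request is logged via `gr_log_rwxmmap(file)` and then allowed to proceed with VM_EXEC cleared, whereas without EMUPLT the same log line precedes a `-EPERM`; if the log message reads as a denial, the EMUPLT case will be misleading to anyone triaging those events. Either log after the decision with the outcome, or add `/* EMUPLT: logged but downgraded to non-exec rather than refused */` at the `vm_flags &= ~VM_EXEC;` line. The `#else … #endif` followed by a bare `else` at the end of the block is configuration-dependent control flow and would be clearer with the two arms fully braced inside their respective preprocessor branches.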
68558 @@ -1003,6 +1110,7 @@ unsigned long do_mmap_pgoff(struct file 
68559                 locked += mm->locked_vm;
68560                 lock_limit = rlimit(RLIMIT_MEMLOCK);
68561                 lock_limit >>= PAGE_SHIFT;
68562 +               gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
68563                 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
68564                         return -EAGAIN;
68565         }
68566 @@ -1073,6 +1181,9 @@ unsigned long do_mmap_pgoff(struct file 
68567         if (error)
68568                 return error;
68569  
68570 +       if (!gr_acl_handle_mmap(file, prot))
68571 +               return -EACCES;
68572 +
68573         return mmap_region(file, addr, len, flags, vm_flags, pgoff);
68574  }
68575  EXPORT_SYMBOL(do_mmap_pgoff);
68576 @@ -1153,7 +1264,7 @@ int vma_wants_writenotify(struct vm_area
68577         vm_flags_t vm_flags = vma->vm_flags;
68578  
68579         /* If it was private or non-writable, the write bit is already clear */
68580 -       if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
68581 +       if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
68582                 return 0;
68583  
68584         /* The backer wishes to know when pages are first written to? */
68585 @@ -1202,14 +1313,24 @@ unsigned long mmap_region(struct file *f
68586         unsigned long charged = 0;
68587         struct inode *inode =  file ? file->f_path.dentry->d_inode : NULL;
68588  
68589 +#ifdef CONFIG_PAX_SEGMEXEC
68590 +       struct vm_area_struct *vma_m = NULL;
68591 +#endif
68592 +
68593 +       /*
68594 +        * mm->mmap_sem is required to protect against another thread
68595 +        * changing the mappings in case we sleep.
68596 +        */
68597 +       verify_mm_writelocked(mm);
68598 +
68599         /* Clear old maps */
68600         error = -ENOMEM;
68601 -munmap_back:
68602         vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68603         if (vma && vma->vm_start < addr + len) {
68604                 if (do_munmap(mm, addr, len))
68605                         return -ENOMEM;
68606 -               goto munmap_back;
68607 +               vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68608 +               BUG_ON(vma && vma->vm_start < addr + len);
68609         }
68610  
68611         /* Check against address space limit. */
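Review bot: `BUG_ON(vma && vma->vm_start < addr + len)` on the re-lookup after do_munmap turns the case the removed `munmap_back` loop handled by retrying into a kernel crash reachable from an mmap() call; if one retry is guaranteed to suffice, `if (WARN_ON_ONCE(vma && vma->vm_start < addr + len)) return -ENOMEM;` keeps the invariant check without making a violated assumption fatal. The same rewrite appears in do_brk at L69383-L69389. The `verify_mm_writelocked(mm)` call added here depends on a definition that this patch removes from the file at L69325-L69333, so presumably it now lives in a header not shown in this chunk. mmap_region starts outside the hunk.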
68612 @@ -1258,6 +1379,16 @@ munmap_back:
68613                 goto unacct_error;
68614         }
68615  
68616 +#ifdef CONFIG_PAX_SEGMEXEC
68617 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
68618 +               vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
68619 +               if (!vma_m) {
68620 +                       error = -ENOMEM;
68621 +                       goto free_vma;
68622 +               }
68623 +       }
68624 +#endif
68625 +
68626         vma->vm_mm = mm;
68627         vma->vm_start = addr;
68628         vma->vm_end = addr + len;
68629 @@ -1281,6 +1412,19 @@ munmap_back:
68630                 error = file->f_op->mmap(file, vma);
68631                 if (error)
68632                         goto unmap_and_free_vma;
68633 +
68634 +#ifdef CONFIG_PAX_SEGMEXEC
68635 +               if (vma_m && (vm_flags & VM_EXECUTABLE))
68636 +                       added_exe_file_vma(mm);
68637 +#endif
68638 +
68639 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68640 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
68641 +                       vma->vm_flags |= VM_PAGEEXEC;
68642 +                       vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
68643 +               }
68644 +#endif
68645 +
68646                 if (vm_flags & VM_EXECUTABLE)
68647                         added_exe_file_vma(mm);
68648  
68649 @@ -1316,6 +1460,11 @@ munmap_back:
68650         vma_link(mm, vma, prev, rb_link, rb_parent);
68651         file = vma->vm_file;
68652  
68653 +#ifdef CONFIG_PAX_SEGMEXEC
68654 +       if (vma_m)
68655 +               BUG_ON(pax_mirror_vma(vma_m, vma));
68656 +#endif
68657 +
68658         /* Once vma denies write, undo our temporary denial count */
68659         if (correct_wcount)
68660                 atomic_inc(&inode->i_writecount);
68661 @@ -1324,6 +1473,7 @@ out:
68662  
68663         mm->total_vm += len >> PAGE_SHIFT;
68664         vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
68665 +       track_exec_limit(mm, addr, addr + len, vm_flags);
68666         if (vm_flags & VM_LOCKED) {
68667                 if (!mlock_vma_pages_range(vma, addr, addr + len))
68668                         mm->locked_vm += (len >> PAGE_SHIFT);
68669 @@ -1341,6 +1491,12 @@ unmap_and_free_vma:
68670         unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
68671         charged = 0;
68672  free_vma:
68673 +
68674 +#ifdef CONFIG_PAX_SEGMEXEC
68675 +       if (vma_m)
68676 +               kmem_cache_free(vm_area_cachep, vma_m);
68677 +#endif
68678 +
68679         kmem_cache_free(vm_area_cachep, vma);
68680  unacct_error:
68681         if (charged)
68682 @@ -1348,6 +1504,44 @@ unacct_error:
68683         return error;
68684  }
68685  
68686 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
68687 +{
68688 +       if (!vma) {
68689 +#ifdef CONFIG_STACK_GROWSUP
68690 +               if (addr > sysctl_heap_stack_gap)
68691 +                       vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
68692 +               else
68693 +                       vma = find_vma(current->mm, 0);
68694 +               if (vma && (vma->vm_flags & VM_GROWSUP))
68695 +                       return false;
68696 +#endif
68697 +               return true;
68698 +       }
68699 +
68700 +       if (addr + len > vma->vm_start)
68701 +               return false;
68702 +
68703 +       if (vma->vm_flags & VM_GROWSDOWN)
68704 +               return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
68705 +#ifdef CONFIG_STACK_GROWSUP
68706 +       else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
68707 +               return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
68708 +#endif
68709 +
68710 +       return true;
68711 +}
68712 +
68713 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
68714 +{
68715 +       if (vma->vm_start < len)
68716 +               return -ENOMEM;
68717 +       if (!(vma->vm_flags & VM_GROWSDOWN))
68718 +               return vma->vm_start - len;
68719 +       if (sysctl_heap_stack_gap <= vma->vm_start - len)
68720 +               return vma->vm_start - len - sysctl_heap_stack_gap;
68721 +       return -ENOMEM;
68722 +}
68723 +
68724  /* Get an address range which is currently unmapped.
68725   * For shmat() with addr=0.
68726   *
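Review bot: The CONFIG_STACK_GROWSUP branch `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` is inverted relative to the VM_GROWSDOWN branch two lines above: it returns true exactly when the candidate lies inside the gap above a growsup stack, i.e. it admits the placements the gap is meant to refuse. Mirroring the GROWSDOWN form gives `return addr - vma->vm_prev->vm_end >= sysctl_heap_stack_gap;`. Both helpers are non-static and undocumented; a header comment should state that callers must rule out `addr + len` wrapping before calling check_heap_stack_gap (every caller in this file tests `TASK_SIZE - len >= addr` or similar first) and that skip_heap_stack_gap returns -ENOMEM encoded for IS_ERR_VALUE.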
68727 @@ -1374,18 +1568,23 @@ arch_get_unmapped_area(struct file *filp
68728         if (flags & MAP_FIXED)
68729                 return addr;
68730  
68731 +#ifdef CONFIG_PAX_RANDMMAP
68732 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68733 +#endif
68734 +
68735         if (addr) {
68736                 addr = PAGE_ALIGN(addr);
68737 -               vma = find_vma(mm, addr);
68738 -               if (TASK_SIZE - len >= addr &&
68739 -                   (!vma || addr + len <= vma->vm_start))
68740 -                       return addr;
68741 +               if (TASK_SIZE - len >= addr) {
68742 +                       vma = find_vma(mm, addr);
68743 +                       if (check_heap_stack_gap(vma, addr, len))
68744 +                               return addr;
68745 +               }
68746         }
68747         if (len > mm->cached_hole_size) {
68748 -               start_addr = addr = mm->free_area_cache;
68749 +               start_addr = addr = mm->free_area_cache;
68750         } else {
68751 -               start_addr = addr = TASK_UNMAPPED_BASE;
68752 -               mm->cached_hole_size = 0;
68753 +               start_addr = addr = mm->mmap_base;
68754 +               mm->cached_hole_size = 0;
68755         }
68756  
68757  full_search:
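Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` construct leaves a brace-less `if` whose body is the `if (addr) { ... }` block after a blank line, so any statement inserted between them silently changes what the RANDMMAP condition guards. Wrapping the whole hint block in braces, or folding the condition into the inner test via a helper that is true when RANDMMAP is compiled out, makes the scope explicit. The same pattern is in arch_get_unmapped_area_topdown at L68826-L68831 and, as a dangling `else` across `#endif`, in split_vma at L69258-L69266. A comment that with RANDMMAP active the non-MAP_FIXED hint is deliberately ignored would also help, since callers relying on hints get a different address than mainline returns. arch_get_unmapped_area starts outside the hunk.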
68758 @@ -1396,34 +1595,40 @@ full_search:
68759                          * Start a new search - just in case we missed
68760                          * some holes.
68761                          */
68762 -                       if (start_addr != TASK_UNMAPPED_BASE) {
68763 -                               addr = TASK_UNMAPPED_BASE;
68764 -                               start_addr = addr;
68765 +                       if (start_addr != mm->mmap_base) {
68766 +                               start_addr = addr = mm->mmap_base;
68767                                 mm->cached_hole_size = 0;
68768                                 goto full_search;
68769                         }
68770                         return -ENOMEM;
68771                 }
68772 -               if (!vma || addr + len <= vma->vm_start) {
68773 -                       /*
68774 -                        * Remember the place where we stopped the search:
68775 -                        */
68776 -                       mm->free_area_cache = addr + len;
68777 -                       return addr;
68778 -               }
68779 +               if (check_heap_stack_gap(vma, addr, len))
68780 +                       break;
68781                 if (addr + mm->cached_hole_size < vma->vm_start)
68782                         mm->cached_hole_size = vma->vm_start - addr;
68783                 addr = vma->vm_end;
68784         }
68785 +
68786 +       /*
68787 +        * Remember the place where we stopped the search:
68788 +        */
68789 +       mm->free_area_cache = addr + len;
68790 +       return addr;
68791  }
68792  #endif 
68793  
68794  void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
68795  {
68796 +
68797 +#ifdef CONFIG_PAX_SEGMEXEC
68798 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68799 +               return;
68800 +#endif
68801 +
68802         /*
68803          * Is this a new hole at the lowest possible address?
68804          */
68805 -       if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
68806 +       if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
68807                 mm->free_area_cache = addr;
68808                 mm->cached_hole_size = ~0UL;
68809         }
68810 @@ -1441,7 +1646,7 @@ arch_get_unmapped_area_topdown(struct fi
68811  {
68812         struct vm_area_struct *vma;
68813         struct mm_struct *mm = current->mm;
68814 -       unsigned long addr = addr0;
68815 +       unsigned long base = mm->mmap_base, addr = addr0;
68816  
68817         /* requested length too big for entire address space */
68818         if (len > TASK_SIZE)
68819 @@ -1450,13 +1655,18 @@ arch_get_unmapped_area_topdown(struct fi
68820         if (flags & MAP_FIXED)
68821                 return addr;
68822  
68823 +#ifdef CONFIG_PAX_RANDMMAP
68824 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68825 +#endif
68826 +
68827         /* requesting a specific address */
68828         if (addr) {
68829                 addr = PAGE_ALIGN(addr);
68830 -               vma = find_vma(mm, addr);
68831 -               if (TASK_SIZE - len >= addr &&
68832 -                               (!vma || addr + len <= vma->vm_start))
68833 -                       return addr;
68834 +               if (TASK_SIZE - len >= addr) {
68835 +                       vma = find_vma(mm, addr);
68836 +                       if (check_heap_stack_gap(vma, addr, len))
68837 +                               return addr;
68838 +               }
68839         }
68840  
68841         /* check if free_area_cache is useful for us */
68842 @@ -1471,7 +1681,7 @@ arch_get_unmapped_area_topdown(struct fi
68843         /* make sure it can fit in the remaining address space */
68844         if (addr > len) {
68845                 vma = find_vma(mm, addr-len);
68846 -               if (!vma || addr <= vma->vm_start)
68847 +               if (check_heap_stack_gap(vma, addr - len, len))
68848                         /* remember the address as a hint for next time */
68849                         return (mm->free_area_cache = addr-len);
68850         }
68851 @@ -1488,7 +1698,7 @@ arch_get_unmapped_area_topdown(struct fi
68852                  * return with success:
68853                  */
68854                 vma = find_vma(mm, addr);
68855 -               if (!vma || addr+len <= vma->vm_start)
68856 +               if (check_heap_stack_gap(vma, addr, len))
68857                         /* remember the address as a hint for next time */
68858                         return (mm->free_area_cache = addr);
68859  
68860 @@ -1497,8 +1707,8 @@ arch_get_unmapped_area_topdown(struct fi
68861                         mm->cached_hole_size = vma->vm_start - addr;
68862  
68863                 /* try just below the current vma->vm_start */
68864 -               addr = vma->vm_start-len;
68865 -       } while (len < vma->vm_start);
68866 +               addr = skip_heap_stack_gap(vma, len);
68867 +       } while (!IS_ERR_VALUE(addr));
68868  
68869  bottomup:
68870         /*
68871 @@ -1507,13 +1717,21 @@ bottomup:
68872          * can happen with large stack limits and large mmap()
68873          * allocations.
68874          */
68875 +       mm->mmap_base = TASK_UNMAPPED_BASE;
68876 +
68877 +#ifdef CONFIG_PAX_RANDMMAP
68878 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
68879 +               mm->mmap_base += mm->delta_mmap;
68880 +#endif
68881 +
68882 +       mm->free_area_cache = mm->mmap_base;
68883         mm->cached_hole_size = ~0UL;
68884 -       mm->free_area_cache = TASK_UNMAPPED_BASE;
68885         addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
68886         /*
68887          * Restore the topdown base:
68888          */
68889 -       mm->free_area_cache = mm->mmap_base;
68890 +       mm->mmap_base = base;
68891 +       mm->free_area_cache = base;
68892         mm->cached_hole_size = ~0UL;
68893  
68894         return addr;
68895 @@ -1522,6 +1740,12 @@ bottomup:
68896  
68897  void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
68898  {
68899 +
68900 +#ifdef CONFIG_PAX_SEGMEXEC
68901 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68902 +               return;
68903 +#endif
68904 +
68905         /*
68906          * Is this a new hole at the highest possible address?
68907          */
68908 @@ -1529,8 +1753,10 @@ void arch_unmap_area_topdown(struct mm_s
68909                 mm->free_area_cache = addr;
68910  
68911         /* dont allow allocations above current base */
68912 -       if (mm->free_area_cache > mm->mmap_base)
68913 +       if (mm->free_area_cache > mm->mmap_base) {
68914                 mm->free_area_cache = mm->mmap_base;
68915 +               mm->cached_hole_size = ~0UL;
68916 +       }
68917  }
68918  
68919  unsigned long
68920 @@ -1638,6 +1864,28 @@ out:
68921         return prev ? prev->vm_next : vma;
68922  }
68923  
68924 +#ifdef CONFIG_PAX_SEGMEXEC
68925 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
68926 +{
68927 +       struct vm_area_struct *vma_m;
68928 +
68929 +       BUG_ON(!vma || vma->vm_start >= vma->vm_end);
68930 +       if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
68931 +               BUG_ON(vma->vm_mirror);
68932 +               return NULL;
68933 +       }
68934 +       BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
68935 +       vma_m = vma->vm_mirror;
68936 +       BUG_ON(!vma_m || vma_m->vm_mirror != vma);
68937 +       BUG_ON(vma->vm_file != vma_m->vm_file);
68938 +       BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
68939 +       BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
68940 +       BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
68941 +       BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
68942 +       return vma_m;
68943 +}
68944 +#endif
68945 +
68946  /*
68947   * Verify that the stack growth is acceptable and
68948   * update accounting. This is shared with both the
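Review bot: `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root)` dereferences a NULL anon_vma when exactly one of the two vmas has none, so a broken mirror would oops inside the consistency check rather than hit the BUG it was meant to report. `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));` keeps the same intent. The function is non-static and has no header comment; a line stating that it returns NULL for non-SEGMEXEC or non-exec vmas and otherwise asserts the mirror invariants would help the callers at L69073 and L69147.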
68949 @@ -1654,6 +1902,7 @@ static int acct_stack_growth(struct vm_a
68950                 return -ENOMEM;
68951  
68952         /* Stack limit test */
68953 +       gr_learn_resource(current, RLIMIT_STACK, size, 1);
68954         if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
68955                 return -ENOMEM;
68956  
68957 @@ -1664,6 +1913,7 @@ static int acct_stack_growth(struct vm_a
68958                 locked = mm->locked_vm + grow;
68959                 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
68960                 limit >>= PAGE_SHIFT;
68961 +               gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
68962                 if (locked > limit && !capable(CAP_IPC_LOCK))
68963                         return -ENOMEM;
68964         }
68965 @@ -1694,37 +1944,48 @@ static int acct_stack_growth(struct vm_a
68966   * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
68967   * vma is the last one with address > vma->vm_end.  Have to extend vma.
68968   */
68969 +#ifndef CONFIG_IA64
68970 +static
68971 +#endif
68972  int expand_upwards(struct vm_area_struct *vma, unsigned long address)
68973  {
68974         int error;
68975 +       bool locknext;
68976  
68977         if (!(vma->vm_flags & VM_GROWSUP))
68978                 return -EFAULT;
68979  
68980 +       /* Also guard against wrapping around to address 0. */
68981 +       if (address < PAGE_ALIGN(address+1))
68982 +               address = PAGE_ALIGN(address+1);
68983 +       else
68984 +               return -ENOMEM;
68985 +
68986         /*
68987          * We must make sure the anon_vma is allocated
68988          * so that the anon_vma locking is not a noop.
68989          */
68990         if (unlikely(anon_vma_prepare(vma)))
68991                 return -ENOMEM;
68992 +       locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
68993 +       if (locknext && anon_vma_prepare(vma->vm_next))
68994 +               return -ENOMEM;
68995         vma_lock_anon_vma(vma);
68996 +       if (locknext)
68997 +               vma_lock_anon_vma(vma->vm_next);
68998  
68999         /*
69000          * vma->vm_start/vm_end cannot change under us because the caller
69001          * is required to hold the mmap_sem in read mode.  We need the
69002 -        * anon_vma lock to serialize against concurrent expand_stacks.
69003 -        * Also guard against wrapping around to address 0.
69004 +        * anon_vma locks to serialize against concurrent expand_stacks
69005 +        * and expand_upwards.
69006          */
69007 -       if (address < PAGE_ALIGN(address+4))
69008 -               address = PAGE_ALIGN(address+4);
69009 -       else {
69010 -               vma_unlock_anon_vma(vma);
69011 -               return -ENOMEM;
69012 -       }
69013         error = 0;
69014  
69015         /* Somebody else might have raced and expanded it already */
69016 -       if (address > vma->vm_end) {
69017 +       if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
69018 +               error = -ENOMEM;
69019 +       else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
69020                 unsigned long size, grow;
69021  
69022                 size = address - vma->vm_start;
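Review bot: The wrap-around guard was moved ahead of anon_vma_prepare, which is good because it no longer has to unlock on failure, but it also changed from `PAGE_ALIGN(address+4)` to `PAGE_ALIGN(address+1)`; the mainline `+4` made a word-sized access starting in the last bytes of a page also grow the following page, so an access straddling the boundary may now fault again after a successful expand. If the change is intended it deserves a comment, otherwise `+4` should be kept. The new `else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address))` returns `error = 0` without growing when the locked neighbour has already grown over `address`; if the reasoning is that the neighbour now maps the address, a comment should say so, since a caller cannot distinguish this from a successful expansion. expand_upwards continues beyond the hunk.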
69023 @@ -1739,6 +2000,8 @@ int expand_upwards(struct vm_area_struct
69024                         }
69025                 }
69026         }
69027 +       if (locknext)
69028 +               vma_unlock_anon_vma(vma->vm_next);
69029         vma_unlock_anon_vma(vma);
69030         khugepaged_enter_vma_merge(vma);
69031         return error;
69032 @@ -1752,6 +2015,8 @@ int expand_downwards(struct vm_area_stru
69033                                    unsigned long address)
69034  {
69035         int error;
69036 +       bool lockprev = false;
69037 +       struct vm_area_struct *prev;
69038  
69039         /*
69040          * We must make sure the anon_vma is allocated
69041 @@ -1765,6 +2030,15 @@ int expand_downwards(struct vm_area_stru
69042         if (error)
69043                 return error;
69044  
69045 +       prev = vma->vm_prev;
69046 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
69047 +       lockprev = prev && (prev->vm_flags & VM_GROWSUP);
69048 +#endif
69049 +       if (lockprev && anon_vma_prepare(prev))
69050 +               return -ENOMEM;
69051 +       if (lockprev)
69052 +               vma_lock_anon_vma(prev);
69053 +
69054         vma_lock_anon_vma(vma);
69055  
69056         /*
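Review bot: Taking two anon_vma locks here (prev, then vma) is only safe if prev and vma never share an anon_vma root, since vma_lock_anon_vma in mainline 3.1 is a non-recursive mutex on the root and a shared root would self-deadlock; nothing on the page states why a VM_GROWSUP prev and its VM_GROWSDOWN neighbour cannot end up with one anon_vma. The lock order is lower address first, matching expand_upwards which locks vma before vm_next (L68998-L69000), and that rule should be written next to the locks, e.g. `/* lock order: lower vma first, as in expand_upwards; prev and vma never share an anon_vma root */`, so a future change to one side does not invert it. expand_downwards starts before the hunk.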
69057 @@ -1774,9 +2048,17 @@ int expand_downwards(struct vm_area_stru
69058          */
69059  
69060         /* Somebody else might have raced and expanded it already */
69061 -       if (address < vma->vm_start) {
69062 +       if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
69063 +               error = -ENOMEM;
69064 +       else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
69065                 unsigned long size, grow;
69066  
69067 +#ifdef CONFIG_PAX_SEGMEXEC
69068 +               struct vm_area_struct *vma_m;
69069 +
69070 +               vma_m = pax_find_mirror_vma(vma);
69071 +#endif
69072 +
69073                 size = vma->vm_end - address;
69074                 grow = (vma->vm_start - address) >> PAGE_SHIFT;
69075  
69076 @@ -1786,11 +2068,22 @@ int expand_downwards(struct vm_area_stru
69077                         if (!error) {
69078                                 vma->vm_start = address;
69079                                 vma->vm_pgoff -= grow;
69080 +                               track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
69081 +
69082 +#ifdef CONFIG_PAX_SEGMEXEC
69083 +                               if (vma_m) {
69084 +                                       vma_m->vm_start -= grow << PAGE_SHIFT;
69085 +                                       vma_m->vm_pgoff -= grow;
69086 +                               }
69087 +#endif
69088 +
69089                                 perf_event_mmap(vma);
69090                         }
69091                 }
69092         }
69093         vma_unlock_anon_vma(vma);
69094 +       if (lockprev)
69095 +               vma_unlock_anon_vma(prev);
69096         khugepaged_enter_vma_merge(vma);
69097         return error;
69098  }
69099 @@ -1860,6 +2153,13 @@ static void remove_vma_list(struct mm_st
69100         do {
69101                 long nrpages = vma_pages(vma);
69102  
69103 +#ifdef CONFIG_PAX_SEGMEXEC
69104 +               if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
69105 +                       vma = remove_vma(vma);
69106 +                       continue;
69107 +               }
69108 +#endif
69109 +
69110                 mm->total_vm -= nrpages;
69111                 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
69112                 vma = remove_vma(vma);
69113 @@ -1905,6 +2205,16 @@ detach_vmas_to_be_unmapped(struct mm_str
69114         insertion_point = (prev ? &prev->vm_next : &mm->mmap);
69115         vma->vm_prev = NULL;
69116         do {
69117 +
69118 +#ifdef CONFIG_PAX_SEGMEXEC
69119 +               if (vma->vm_mirror) {
69120 +                       BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
69121 +                       vma->vm_mirror->vm_mirror = NULL;
69122 +                       vma->vm_mirror->vm_flags &= ~VM_EXEC;
69123 +                       vma->vm_mirror = NULL;
69124 +               }
69125 +#endif
69126 +
69127                 rb_erase(&vma->vm_rb, &mm->mm_rb);
69128                 mm->map_count--;
69129                 tail_vma = vma;
69130 @@ -1933,14 +2243,33 @@ static int __split_vma(struct mm_struct 
69131         struct vm_area_struct *new;
69132         int err = -ENOMEM;
69133  
69134 +#ifdef CONFIG_PAX_SEGMEXEC
69135 +       struct vm_area_struct *vma_m, *new_m = NULL;
69136 +       unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
69137 +#endif
69138 +
69139         if (is_vm_hugetlb_page(vma) && (addr &
69140                                         ~(huge_page_mask(hstate_vma(vma)))))
69141                 return -EINVAL;
69142  
69143 +#ifdef CONFIG_PAX_SEGMEXEC
69144 +       vma_m = pax_find_mirror_vma(vma);
69145 +#endif
69146 +
69147         new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
69148         if (!new)
69149                 goto out_err;
69150  
69151 +#ifdef CONFIG_PAX_SEGMEXEC
69152 +       if (vma_m) {
69153 +               new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
69154 +               if (!new_m) {
69155 +                       kmem_cache_free(vm_area_cachep, new);
69156 +                       goto out_err;
69157 +               }
69158 +       }
69159 +#endif
69160 +
69161         /* most fields are the same, copy all, and then fixup */
69162         *new = *vma;
69163  
69164 @@ -1953,6 +2282,22 @@ static int __split_vma(struct mm_struct 
69165                 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
69166         }
69167  
69168 +#ifdef CONFIG_PAX_SEGMEXEC
69169 +       if (vma_m) {
69170 +               *new_m = *vma_m;
69171 +               INIT_LIST_HEAD(&new_m->anon_vma_chain);
69172 +               new_m->vm_mirror = new;
69173 +               new->vm_mirror = new_m;
69174 +
69175 +               if (new_below)
69176 +                       new_m->vm_end = addr_m;
69177 +               else {
69178 +                       new_m->vm_start = addr_m;
69179 +                       new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
69180 +               }
69181 +       }
69182 +#endif
69183 +
69184         pol = mpol_dup(vma_policy(vma));
69185         if (IS_ERR(pol)) {
69186                 err = PTR_ERR(pol);
69187 @@ -1978,6 +2323,42 @@ static int __split_vma(struct mm_struct 
69188         else
69189                 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
69190  
69191 +#ifdef CONFIG_PAX_SEGMEXEC
69192 +       if (!err && vma_m) {
69193 +               if (anon_vma_clone(new_m, vma_m))
69194 +                       goto out_free_mpol;
69195 +
69196 +               mpol_get(pol);
69197 +               vma_set_policy(new_m, pol);
69198 +
69199 +               if (new_m->vm_file) {
69200 +                       get_file(new_m->vm_file);
69201 +                       if (vma_m->vm_flags & VM_EXECUTABLE)
69202 +                               added_exe_file_vma(mm);
69203 +               }
69204 +
69205 +               if (new_m->vm_ops && new_m->vm_ops->open)
69206 +                       new_m->vm_ops->open(new_m);
69207 +
69208 +               if (new_below)
69209 +                       err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
69210 +                               ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
69211 +               else
69212 +                       err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
69213 +
69214 +               if (err) {
69215 +                       if (new_m->vm_ops && new_m->vm_ops->close)
69216 +                               new_m->vm_ops->close(new_m);
69217 +                       if (new_m->vm_file) {
69218 +                               if (vma_m->vm_flags & VM_EXECUTABLE)
69219 +                                       removed_exe_file_vma(mm);
69220 +                               fput(new_m->vm_file);
69221 +                       }
69222 +                       mpol_put(pol);
69223 +               }
69224 +       }
69225 +#endif
69226 +
69227         /* Success. */
69228         if (!err)
69229                 return 0;
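Review bot: On the `anon_vma_clone(new_m, vma_m)` failure path the code jumps to out_free_mpol with `err` still 0 from the successful primary vma_adjust at L69192, so __split_vma returns success while the out_free_vma label (L69240-L69250) unlinks and frees `new`, which vma_adjust has presumably already inserted into the mm — a freed live vma reported as a successful split. The same applies when the mirror vma_adjust at L69212-L69215 fails: the cleanup written for a failed primary adjust tears down a `new` that is now linked. At minimum the goto needs `err = -ENOMEM;` in front of it, but the real fix is to perform the mirror's anon_vma_clone, mpol_get, get_file and vm_ops->open before the first vma_adjust, so that the only failure point left after the primary split is the second vma_adjust, which then has to undo the primary split rather than free `new`.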
69230 @@ -1990,10 +2371,18 @@ static int __split_vma(struct mm_struct 
69231                         removed_exe_file_vma(mm);
69232                 fput(new->vm_file);
69233         }
69234 -       unlink_anon_vmas(new);
69235   out_free_mpol:
69236         mpol_put(pol);
69237   out_free_vma:
69238 +
69239 +#ifdef CONFIG_PAX_SEGMEXEC
69240 +       if (new_m) {
69241 +               unlink_anon_vmas(new_m);
69242 +               kmem_cache_free(vm_area_cachep, new_m);
69243 +       }
69244 +#endif
69245 +
69246 +       unlink_anon_vmas(new);
69247         kmem_cache_free(vm_area_cachep, new);
69248   out_err:
69249         return err;
69250 @@ -2006,6 +2395,15 @@ static int __split_vma(struct mm_struct 
69251  int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
69252               unsigned long addr, int new_below)
69253  {
69254 +
69255 +#ifdef CONFIG_PAX_SEGMEXEC
69256 +       if (mm->pax_flags & MF_PAX_SEGMEXEC) {
69257 +               BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
69258 +               if (mm->map_count >= sysctl_max_map_count-1)
69259 +                       return -ENOMEM;
69260 +       } else
69261 +#endif
69262 +
69263         if (mm->map_count >= sysctl_max_map_count)
69264                 return -ENOMEM;
69265  
69266 @@ -2017,11 +2415,30 @@ int split_vma(struct mm_struct *mm, stru
69267   * work.  This now handles partial unmappings.
69268   * Jeremy Fitzhardinge <jeremy@goop.org>
69269   */
69270 +#ifdef CONFIG_PAX_SEGMEXEC
69271  int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69272  {
69273 +       int ret = __do_munmap(mm, start, len);
69274 +       if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
69275 +               return ret;
69276 +
69277 +       return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
69278 +}
69279 +
69280 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69281 +#else
69282 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69283 +#endif
69284 +{
69285         unsigned long end;
69286         struct vm_area_struct *vma, *prev, *last;
69287  
69288 +       /*
69289 +        * mm->mmap_sem is required to protect against another thread
69290 +        * changing the mappings in case we sleep.
69291 +        */
69292 +       verify_mm_writelocked(mm);
69293 +
69294         if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
69295                 return -EINVAL;
69296  
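Review bot: The SEGMEXEC do_munmap wrapper returns the result of the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` after the first call has already unmapped the primary range, so a failure there (for instance the range check at L69297 when the shifted start does not fit) leaves the mapping and its mirror out of step while the caller only sees an error; the callers at L68607 and L69385 turn that into -ENOMEM and abandon the operation. A comment stating what guarantees the mirror call cannot fail once the first succeeded, or an explicit `WARN_ON_ONCE` if it is meant to be impossible, would make the contract checkable. __do_munmap is called at L69276 before its definition at L69283, so it presumably has a prototype in a header not shown here; if it is only used in this file it should be static with a forward declaration above do_munmap.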
69297 @@ -2096,6 +2513,8 @@ int do_munmap(struct mm_struct *mm, unsi
69298         /* Fix up all other VM information */
69299         remove_vma_list(mm, vma);
69300  
69301 +       track_exec_limit(mm, start, end, 0UL);
69302 +
69303         return 0;
69304  }
69305  
69306 @@ -2108,22 +2527,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
69307  
69308         profile_munmap(addr);
69309  
69310 +#ifdef CONFIG_PAX_SEGMEXEC
69311 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
69312 +           (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
69313 +               return -EINVAL;
69314 +#endif
69315 +
69316         down_write(&mm->mmap_sem);
69317         ret = do_munmap(mm, addr, len);
69318         up_write(&mm->mmap_sem);
69319         return ret;
69320  }
69321  
69322 -static inline void verify_mm_writelocked(struct mm_struct *mm)
69323 -{
69324 -#ifdef CONFIG_DEBUG_VM
69325 -       if (unlikely(down_read_trylock(&mm->mmap_sem))) {
69326 -               WARN_ON(1);
69327 -               up_read(&mm->mmap_sem);
69328 -       }
69329 -#endif
69330 -}
69331 -
69332  /*
69333   *  this is really a simplified "do_mmap".  it only handles
69334   *  anonymous maps.  eventually we may be able to do some
69335 @@ -2137,6 +2552,7 @@ unsigned long do_brk(unsigned long addr,
69336         struct rb_node ** rb_link, * rb_parent;
69337         pgoff_t pgoff = addr >> PAGE_SHIFT;
69338         int error;
69339 +       unsigned long charged;
69340  
69341         len = PAGE_ALIGN(len);
69342         if (!len)
69343 @@ -2148,16 +2564,30 @@ unsigned long do_brk(unsigned long addr,
69344  
69345         flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
69346  
69347 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
69348 +       if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
69349 +               flags &= ~VM_EXEC;
69350 +
69351 +#ifdef CONFIG_PAX_MPROTECT
69352 +               if (mm->pax_flags & MF_PAX_MPROTECT)
69353 +                       flags &= ~VM_MAYEXEC;
69354 +#endif
69355 +
69356 +       }
69357 +#endif
69358 +
69359         error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
69360         if (error & ~PAGE_MASK)
69361                 return error;
69362  
69363 +       charged = len >> PAGE_SHIFT;
69364 +
69365         /*
69366          * mlock MCL_FUTURE?
69367          */
69368         if (mm->def_flags & VM_LOCKED) {
69369                 unsigned long locked, lock_limit;
69370 -               locked = len >> PAGE_SHIFT;
69371 +               locked = charged;
69372                 locked += mm->locked_vm;
69373                 lock_limit = rlimit(RLIMIT_MEMLOCK);
69374                 lock_limit >>= PAGE_SHIFT;
69375 @@ -2174,22 +2604,22 @@ unsigned long do_brk(unsigned long addr,
69376         /*
69377          * Clear old maps.  this also does some error checking for us
69378          */
69379 - munmap_back:
69380         vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69381         if (vma && vma->vm_start < addr + len) {
69382                 if (do_munmap(mm, addr, len))
69383                         return -ENOMEM;
69384 -               goto munmap_back;
69385 +               vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69386 +               BUG_ON(vma && vma->vm_start < addr + len);
69387         }
69388  
69389         /* Check against address space limits *after* clearing old maps... */
69390 -       if (!may_expand_vm(mm, len >> PAGE_SHIFT))
69391 +       if (!may_expand_vm(mm, charged))
69392                 return -ENOMEM;
69393  
69394         if (mm->map_count > sysctl_max_map_count)
69395                 return -ENOMEM;
69396  
69397 -       if (security_vm_enough_memory(len >> PAGE_SHIFT))
69398 +       if (security_vm_enough_memory(charged))
69399                 return -ENOMEM;
69400  
69401         /* Can we just expand an old private anonymous mapping? */
69402 @@ -2203,7 +2633,7 @@ unsigned long do_brk(unsigned long addr,
69403          */
69404         vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69405         if (!vma) {
69406 -               vm_unacct_memory(len >> PAGE_SHIFT);
69407 +               vm_unacct_memory(charged);
69408                 return -ENOMEM;
69409         }
69410  
69411 @@ -2217,11 +2647,12 @@ unsigned long do_brk(unsigned long addr,
69412         vma_link(mm, vma, prev, rb_link, rb_parent);
69413  out:
69414         perf_event_mmap(vma);
69415 -       mm->total_vm += len >> PAGE_SHIFT;
69416 +       mm->total_vm += charged;
69417         if (flags & VM_LOCKED) {
69418                 if (!mlock_vma_pages_range(vma, addr, addr + len))
69419 -                       mm->locked_vm += (len >> PAGE_SHIFT);
69420 +                       mm->locked_vm += charged;
69421         }
69422 +       track_exec_limit(mm, addr, addr + len, flags);
69423         return addr;
69424  }
69425  
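Review bot: `track_exec_limit()` is called here unconditionally, but its definition in mm/mprotect.c (hunk +147 on this page) is guarded by `CONFIG_ARCH_TRACK_EXEC_LIMIT`; the build presumably relies on a no-op stub in a header that is not on this page, and the call site should say so. A one-line comment such as `/* no-op unless CONFIG_ARCH_TRACK_EXEC_LIMIT: moves the USER_CS limit when exec rights change */` makes the dependency visible. The same applies to the calls added in mm/mremap.c (hunks +508 and +535) and in the mprotect syscall (hunk +448).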
69426 @@ -2268,8 +2699,10 @@ void exit_mmap(struct mm_struct *mm)
69427          * Walk the list again, actually closing and freeing it,
69428          * with preemption enabled, without holding any MM locks.
69429          */
69430 -       while (vma)
69431 +       while (vma) {
69432 +               vma->vm_mirror = NULL;
69433                 vma = remove_vma(vma);
69434 +       }
69435  
69436         BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
69437  }
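Review bot: The added `vma->vm_mirror = NULL;` carries no comment saying why the link must be cleared before `remove_vma()`; since both a vma and its mirror are on the list being torn down, the reader has to infer that the intent is to stop the second removal from following a pointer into an already-freed counterpart. Suggest `/* both halves of a SEGMEXEC mirror pair are on this list; drop the link so remove_vma() never follows it into freed memory */` — that is my reading of the intent, so confirm it before wording the comment.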
69438 @@ -2283,6 +2716,13 @@ int insert_vm_struct(struct mm_struct * 
69439         struct vm_area_struct * __vma, * prev;
69440         struct rb_node ** rb_link, * rb_parent;
69441  
69442 +#ifdef CONFIG_PAX_SEGMEXEC
69443 +       struct vm_area_struct *vma_m = NULL;
69444 +#endif
69445 +
69446 +       if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
69447 +               return -EPERM;
69448 +
69449         /*
69450          * The vm_pgoff of a purely anonymous vma should be irrelevant
69451          * until its first write fault, when page's anon_vma and index
69452 @@ -2305,7 +2745,22 @@ int insert_vm_struct(struct mm_struct * 
69453         if ((vma->vm_flags & VM_ACCOUNT) &&
69454              security_vm_enough_memory_mm(mm, vma_pages(vma)))
69455                 return -ENOMEM;
69456 +
69457 +#ifdef CONFIG_PAX_SEGMEXEC
69458 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
69459 +               vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69460 +               if (!vma_m)
69461 +                       return -ENOMEM;
69462 +       }
69463 +#endif
69464 +
69465         vma_link(mm, vma, prev, rb_link, rb_parent);
69466 +
69467 +#ifdef CONFIG_PAX_SEGMEXEC
69468 +       if (vma_m)
69469 +               BUG_ON(pax_mirror_vma(vma_m, vma));
69470 +#endif
69471 +
69472         return 0;
69473  }
69474  
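Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` converts the `-ENOMEM` that `pax_mirror_vma()` returns when `anon_vma_clone()` fails (hunk +2830 of this file) into a kernel panic on an allocation failure, which is a denial-of-service hazard rather than an invariant violation. The difficulty is that `vma` is already linked by the time the mirror is attempted; if unlinking is not an option at this point, the ENOMEM case at least deserves a comment stating that the panic is accepted, and the function's callers should be told that `insert_vm_struct()` can now BUG under memory pressure. Note that on that path `vma_m` is never released either, though the BUG() makes that moot.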
69475 @@ -2323,6 +2778,8 @@ struct vm_area_struct *copy_vma(struct v
69476         struct rb_node **rb_link, *rb_parent;
69477         struct mempolicy *pol;
69478  
69479 +       BUG_ON(vma->vm_mirror);
69480 +
69481         /*
69482          * If anonymous vma has not yet been faulted, update new pgoff
69483          * to match new location, to increase its chance of merging.
69484 @@ -2373,6 +2830,39 @@ struct vm_area_struct *copy_vma(struct v
69485         return NULL;
69486  }
69487  
69488 +#ifdef CONFIG_PAX_SEGMEXEC
69489 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
69490 +{
69491 +       struct vm_area_struct *prev_m;
69492 +       struct rb_node **rb_link_m, *rb_parent_m;
69493 +       struct mempolicy *pol_m;
69494 +
69495 +       BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
69496 +       BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
69497 +       BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
69498 +       *vma_m = *vma;
69499 +       INIT_LIST_HEAD(&vma_m->anon_vma_chain);
69500 +       if (anon_vma_clone(vma_m, vma))
69501 +               return -ENOMEM;
69502 +       pol_m = vma_policy(vma_m);
69503 +       mpol_get(pol_m);
69504 +       vma_set_policy(vma_m, pol_m);
69505 +       vma_m->vm_start += SEGMEXEC_TASK_SIZE;
69506 +       vma_m->vm_end += SEGMEXEC_TASK_SIZE;
69507 +       vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
69508 +       vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
69509 +       if (vma_m->vm_file)
69510 +               get_file(vma_m->vm_file);
69511 +       if (vma_m->vm_ops && vma_m->vm_ops->open)
69512 +               vma_m->vm_ops->open(vma_m);
69513 +       find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
69514 +       vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
69515 +       vma_m->vm_mirror = vma;
69516 +       vma->vm_mirror = vma_m;
69517 +       return 0;
69518 +}
69519 +#endif
69520 +
69521  /*
69522   * Return true if the calling process may expand its vm space by the passed
69523   * number of pages
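Review bot: `BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)))` looks like it can fire on a freshly zeroed `vma_m` (both callers on this page allocate it with `kmem_cache_zalloc()`) whenever `vma` carries a non-default policy such as one set through mbind() — `mpol_equal()` of a policy against NULL is false — which would be a user-reachable panic; worth verifying before this ships. The function also has no header comment, and its contract is not obvious from the body: the caller passes a zeroed `vma_m`, on success the mirror is linked into `vma->vm_mm` and both `vm_mirror` pointers are set, on the `-ENOMEM` return the caller still owns and must free `vma_m`, and mmap_sem must be held for writing since it calls `find_vma_prepare()`/`vma_link()`. It deliberately clears `VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED` so the mirror is never writable, never charged and never mlocked — that is what makes the exec-only shadow mapping safe and should be stated. A kernel-doc block above the function carrying those points would do.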
69524 @@ -2383,7 +2873,7 @@ int may_expand_vm(struct mm_struct *mm, 
69525         unsigned long lim;
69526  
69527         lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
69528 -
69529 +       gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
69530         if (cur + npages > lim)
69531                 return 0;
69532         return 1;
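Review bot: `(cur + npages) << PAGE_SHIFT` is computed before the `cur + npages > lim` comparison, so a caller-supplied `npages` large enough wraps the byte count handed to `gr_learn_resource()`, and the learned RLIMIT_AS value is then wrong rather than merely large. If learning is meant to see over-limit requests too, saturate instead of shifting blindly: `unsigned long bytes = (cur + npages) > (ULONG_MAX >> PAGE_SHIFT) ? ULONG_MAX : (cur + npages) << PAGE_SHIFT;` and pass `bytes`. Whether `gr_learn_resource()` clamps internally is not visible on this page.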
69533 @@ -2454,6 +2944,22 @@ int install_special_mapping(struct mm_st
69534         vma->vm_start = addr;
69535         vma->vm_end = addr + len;
69536  
69537 +#ifdef CONFIG_PAX_MPROTECT
69538 +       if (mm->pax_flags & MF_PAX_MPROTECT) {
69539 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
69540 +               if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
69541 +                       return -EPERM;
69542 +               if (!(vm_flags & VM_EXEC))
69543 +                       vm_flags &= ~VM_MAYEXEC;
69544 +#else
69545 +               if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
69546 +                       vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
69547 +#endif
69548 +               else
69549 +                       vm_flags &= ~VM_MAYWRITE;
69550 +       }
69551 +#endif
69552 +
69553         vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
69554         vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
69555  
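Review bot: The `else` at the end of the `CONFIG_PAX_MPROTECT` block binds to a different `if` depending on `CONFIG_PAX_MPROTECT_COMPAT` — to `if (!(vm_flags & VM_EXEC))` in one configuration and to `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)` in the other — because the `#else`/`#endif` cut through the middle of an if/else statement. Each preprocessor branch should contain a complete statement so the control flow can be read without mentally expanding the configuration; duplicating the two-line `else vm_flags &= ~VM_MAYWRITE;` into both branches costs nothing. A related `} else` / `#endif` split is in the mprotect syscall hunk (+362) in mm/mprotect.c.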
69556 diff -urNp linux-3.1.1/mm/mprotect.c linux-3.1.1/mm/mprotect.c
69557 --- linux-3.1.1/mm/mprotect.c   2011-11-11 15:19:27.000000000 -0500
69558 +++ linux-3.1.1/mm/mprotect.c   2011-11-16 18:40:44.000000000 -0500
69559 @@ -23,10 +23,16 @@
69560  #include <linux/mmu_notifier.h>
69561  #include <linux/migrate.h>
69562  #include <linux/perf_event.h>
69563 +
69564 +#ifdef CONFIG_PAX_MPROTECT
69565 +#include <linux/elf.h>
69566 +#endif
69567 +
69568  #include <asm/uaccess.h>
69569  #include <asm/pgtable.h>
69570  #include <asm/cacheflush.h>
69571  #include <asm/tlbflush.h>
69572 +#include <asm/mmu_context.h>
69573  
69574  #ifndef pgprot_modify
69575  static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
69576 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
69577         flush_tlb_range(vma, start, end);
69578  }
69579  
69580 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69581 +/* called while holding the mmap semaphor for writing except stack expansion */
69582 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
69583 +{
69584 +       unsigned long oldlimit, newlimit = 0UL;
69585 +
69586 +       if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
69587 +               return;
69588 +
69589 +       spin_lock(&mm->page_table_lock);
69590 +       oldlimit = mm->context.user_cs_limit;
69591 +       if ((prot & VM_EXEC) && oldlimit < end)
69592 +               /* USER_CS limit moved up */
69593 +               newlimit = end;
69594 +       else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
69595 +               /* USER_CS limit moved down */
69596 +               newlimit = start;
69597 +
69598 +       if (newlimit) {
69599 +               mm->context.user_cs_limit = newlimit;
69600 +
69601 +#ifdef CONFIG_SMP
69602 +               wmb();
69603 +               cpus_clear(mm->context.cpu_user_cs_mask);
69604 +               cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
69605 +#endif
69606 +
69607 +               set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
69608 +       }
69609 +       spin_unlock(&mm->page_table_lock);
69610 +       if (newlimit == end) {
69611 +               struct vm_area_struct *vma = find_vma(mm, oldlimit);
69612 +
69613 +               for (; vma && vma->vm_start < end; vma = vma->vm_next)
69614 +                       if (is_vm_hugetlb_page(vma))
69615 +                               hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
69616 +                       else
69617 +                               change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
69618 +       }
69619 +}
69620 +#endif
69621 +
69622  int
69623  mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
69624         unsigned long start, unsigned long end, unsigned long newflags)
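Review bot: The header comment `/* called while holding the mmap semaphor for writing except stack expansion */` has a typo and understates the locking story: `mm->page_table_lock` covers the `user_cs_limit` update and the `set_user_cs()` call, while the vma walk after `spin_unlock()` (`find_vma()` through `change_protection()`) is safe only because of the mmap_sem the comment alludes to. Suggest `/* Caller holds mmap_sem for writing (except on stack expansion); page_table_lock serialises the user_cs_limit update, the vma walk below relies on mmap_sem alone. */`. Separately, `cpus_clear()`/`cpu_set()` are the older cpumask_t accessors; if `cpu_user_cs_mask` is a `cpumask_t`, `cpumask_clear()`/`cpumask_set_cpu()` are the forms current code uses.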
69625 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
69626         int error;
69627         int dirty_accountable = 0;
69628  
69629 +#ifdef CONFIG_PAX_SEGMEXEC
69630 +       struct vm_area_struct *vma_m = NULL;
69631 +       unsigned long start_m, end_m;
69632 +
69633 +       start_m = start + SEGMEXEC_TASK_SIZE;
69634 +       end_m = end + SEGMEXEC_TASK_SIZE;
69635 +#endif
69636 +
69637         if (newflags == oldflags) {
69638                 *pprev = vma;
69639                 return 0;
69640         }
69641  
69642 +       if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
69643 +               struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
69644 +
69645 +               if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
69646 +                       return -ENOMEM;
69647 +
69648 +               if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
69649 +                       return -ENOMEM;
69650 +       }
69651 +
69652         /*
69653          * If we make a private mapping writable we increase our commit;
69654          * but (without finer accounting) cannot reduce our commit if we
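Review bot: The new heap/stack-gap check has no comment explaining why mprotect() is subject to it: as written it refuses to make a mapping accessible when it lies closer than `sysctl_heap_stack_gap` to an adjacent `VM_GROWSDOWN`/`VM_GROWSUP` vma, which I read as preventing a guard region next to a stack from being turned into something an overflow could land in. A two-line comment above `if (newflags & (VM_READ | VM_WRITE | VM_EXEC))` stating that intent would save the next reader the inference. Whether a mapping created before the sysctl was raised should become un-mprotect-able is a policy choice worth recording there too.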
69655 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
69656                 }
69657         }
69658  
69659 +#ifdef CONFIG_PAX_SEGMEXEC
69660 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
69661 +               if (start != vma->vm_start) {
69662 +                       error = split_vma(mm, vma, start, 1);
69663 +                       if (error)
69664 +                               goto fail;
69665 +                       BUG_ON(!*pprev || (*pprev)->vm_next == vma);
69666 +                       *pprev = (*pprev)->vm_next;
69667 +               }
69668 +
69669 +               if (end != vma->vm_end) {
69670 +                       error = split_vma(mm, vma, end, 0);
69671 +                       if (error)
69672 +                               goto fail;
69673 +               }
69674 +
69675 +               if (pax_find_mirror_vma(vma)) {
69676 +                       error = __do_munmap(mm, start_m, end_m - start_m);
69677 +                       if (error)
69678 +                               goto fail;
69679 +               } else {
69680 +                       vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69681 +                       if (!vma_m) {
69682 +                               error = -ENOMEM;
69683 +                               goto fail;
69684 +                       }
69685 +                       vma->vm_flags = newflags;
69686 +                       error = pax_mirror_vma(vma_m, vma);
69687 +                       if (error) {
69688 +                               vma->vm_flags = oldflags;
69689 +                               goto fail;
69690 +                       }
69691 +               }
69692 +       }
69693 +#endif
69694 +
69695         /*
69696          * First try to merge with previous and/or next vma.
69697          */
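Review bot: When `pax_mirror_vma(vma_m, vma)` fails, the code restores `vma->vm_flags` and jumps to `fail`, but the `vma_m` just obtained from `kmem_cache_zalloc()` is not released anywhere in this hunk, so unless the `fail` label (outside the hunk) frees it, every `-ENOMEM` from `anon_vma_clone()` leaks a `vm_area_struct`. Release it before the jump: `kmem_cache_free(vm_area_cachep, vma_m); vma->vm_flags = oldflags; goto fail;`. The temporary `vma->vm_flags = newflags` before the mirror call also deserves a comment, since `pax_mirror_vma()` copies `*vma` and derives the mirror's flags from it.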
69698 @@ -204,9 +306,21 @@ success:
69699          * vm_flags and vm_page_prot are protected by the mmap_sem
69700          * held in write mode.
69701          */
69702 +
69703 +#ifdef CONFIG_PAX_SEGMEXEC
69704 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
69705 +               pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
69706 +#endif
69707 +
69708         vma->vm_flags = newflags;
69709 +
69710 +#ifdef CONFIG_PAX_MPROTECT
69711 +       if (mm->binfmt && mm->binfmt->handle_mprotect)
69712 +               mm->binfmt->handle_mprotect(vma, newflags);
69713 +#endif
69714 +
69715         vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
69716 -                                         vm_get_page_prot(newflags));
69717 +                                         vm_get_page_prot(vma->vm_flags));
69718  
69719         if (vma_wants_writenotify(vma)) {
69720                 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
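Review bot: The page-protection computation was changed to use `vma->vm_flags` (so that whatever `handle_mprotect()` did to the flags is honoured), but the `vma_wants_writenotify()` branch three lines later still derives the protection from `newflags & ~VM_SHARED`, so the two paths can disagree whenever `handle_mprotect()` altered the flags. For consistency that line should read `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED);`. The `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ` dereference assumes a mirror always exists once `newflags & VM_EXEC` holds under SEGMEXEC; the hunk above establishes that, but a one-line comment here would help, as the NULL case would be a kernel oops.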
69721 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69722         end = start + len;
69723         if (end <= start)
69724                 return -ENOMEM;
69725 +
69726 +#ifdef CONFIG_PAX_SEGMEXEC
69727 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
69728 +               if (end > SEGMEXEC_TASK_SIZE)
69729 +                       return -EINVAL;
69730 +       } else
69731 +#endif
69732 +
69733 +       if (end > TASK_SIZE)
69734 +               return -EINVAL;
69735 +
69736         if (!arch_validate_prot(prot))
69737                 return -EINVAL;
69738  
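Review bot: The `} else` before `#endif`, followed by a blank line and a bare `if (end > TASK_SIZE)`, makes the `else` attach across a preprocessor boundary, and the result reads as two independent statements when the option is off. mm/mremap.c in this same patch (hunks +339 and +448) handles the identical need with a local `pax_task_size` that defaults to `TASK_SIZE` and is lowered under SEGMEXEC; the same shape here — `unsigned long pax_task_size = TASK_SIZE;` adjusted under the ifdef, then one `if (end > pax_task_size) return -EINVAL;` — keeps a single code path and matches the rest of the series.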
69739 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69740         /*
69741          * Does the application expect PROT_READ to imply PROT_EXEC:
69742          */
69743 -       if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
69744 +       if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
69745                 prot |= PROT_EXEC;
69746  
69747         vm_flags = calc_vm_prot_bits(prot);
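Review bot: Extending `READ_IMPLIES_EXEC` to `PROT_WRITE` changes the documented meaning of that personality flag — a write-only mprotect() now also grants execute — and the one-line change carries no rationale, so a later reader will assume a typo. The line deserves a comment naming the reason; the rationale is not visible on this page, so beyond `/* deliberately also covers PROT_WRITE: <reason> */` I cannot propose its wording.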
69748 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69749         if (start > vma->vm_start)
69750                 prev = vma;
69751  
69752 +#ifdef CONFIG_PAX_MPROTECT
69753 +       if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
69754 +               current->mm->binfmt->handle_mprotect(vma, vm_flags);
69755 +#endif
69756 +
69757         for (nstart = start ; ; ) {
69758                 unsigned long newflags;
69759  
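Review bot: `handle_mprotect()` is invoked here once, on the first vma with the requested `vm_flags`, and again inside `mprotect_fixup()` for every vma with the merged `newflags` (hunk +306); the hunk gives no hint which of the two is the one that matters or why both are needed. If the first call exists to let the binfmt act before the `VM_MAY*` check can refuse the request, say so in a comment above it; if not, one of the two looks redundant.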
69760 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69761  
69762                 /* newflags >> 4 shift VM_MAY% in place of VM_% */
69763                 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
69764 +                       if (prot & (PROT_WRITE | PROT_EXEC))
69765 +                               gr_log_rwxmprotect(vma->vm_file);
69766 +
69767 +                       error = -EACCES;
69768 +                       goto out;
69769 +               }
69770 +
69771 +               if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
69772                         error = -EACCES;
69773                         goto out;
69774                 }
69775 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69776                 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
69777                 if (error)
69778                         goto out;
69779 +
69780 +               track_exec_limit(current->mm, nstart, tmp, vm_flags);
69781 +
69782                 nstart = tmp;
69783  
69784                 if (nstart < prev->vm_end)
69785 diff -urNp linux-3.1.1/mm/mremap.c linux-3.1.1/mm/mremap.c
69786 --- linux-3.1.1/mm/mremap.c     2011-11-11 15:19:27.000000000 -0500
69787 +++ linux-3.1.1/mm/mremap.c     2011-11-16 18:39:08.000000000 -0500
69788 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
69789                         continue;
69790                 pte = ptep_clear_flush(vma, old_addr, old_pte);
69791                 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
69792 +
69793 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69794 +               if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
69795 +                       pte = pte_exprotect(pte);
69796 +#endif
69797 +
69798                 set_pte_at(mm, new_addr, new_pte, pte);
69799         }
69800  
69801 @@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
69802         if (is_vm_hugetlb_page(vma))
69803                 goto Einval;
69804  
69805 +#ifdef CONFIG_PAX_SEGMEXEC
69806 +       if (pax_find_mirror_vma(vma))
69807 +               goto Einval;
69808 +#endif
69809 +
69810         /* We can't remap across vm area boundaries */
69811         if (old_len > vma->vm_end - addr)
69812                 goto Efault;
69813 @@ -328,20 +339,25 @@ static unsigned long mremap_to(unsigned 
69814         unsigned long ret = -EINVAL;
69815         unsigned long charged = 0;
69816         unsigned long map_flags;
69817 +       unsigned long pax_task_size = TASK_SIZE;
69818  
69819         if (new_addr & ~PAGE_MASK)
69820                 goto out;
69821  
69822 -       if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
69823 +#ifdef CONFIG_PAX_SEGMEXEC
69824 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
69825 +               pax_task_size = SEGMEXEC_TASK_SIZE;
69826 +#endif
69827 +
69828 +       pax_task_size -= PAGE_SIZE;
69829 +
69830 +       if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
69831                 goto out;
69832  
69833         /* Check if the location we're moving into overlaps the
69834          * old location at all, and fail if it does.
69835          */
69836 -       if ((new_addr <= addr) && (new_addr+new_len) > addr)
69837 -               goto out;
69838 -
69839 -       if ((addr <= new_addr) && (addr+old_len) > new_addr)
69840 +       if (addr + old_len > new_addr && new_addr + new_len > addr)
69841                 goto out;
69842  
69843         ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
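Review bot: The rewritten bound keeps `new_len > TASK_SIZE` while the address check uses `pax_task_size`, whereas `do_mremap()` in hunk +448 bounds both lengths by `pax_task_size`; for a `new_len` between `pax_task_size` and `TASK_SIZE` the first half passes and `pax_task_size - new_len` wraps, so the second half passes too. That case appears to be masked today because `do_mremap()` rejects such lengths before calling `mremap_to()`, but the function should not rely on its caller for this: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)` is the consistent form. The collapsed overlap test `addr + old_len > new_addr && new_addr + new_len > addr` is equivalent to the two it replaces only when `old_len` is non-zero, which the caller appears to guarantee further up.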
69844 @@ -413,6 +429,7 @@ unsigned long do_mremap(unsigned long ad
69845         struct vm_area_struct *vma;
69846         unsigned long ret = -EINVAL;
69847         unsigned long charged = 0;
69848 +       unsigned long pax_task_size = TASK_SIZE;
69849  
69850         if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
69851                 goto out;
69852 @@ -431,6 +448,17 @@ unsigned long do_mremap(unsigned long ad
69853         if (!new_len)
69854                 goto out;
69855  
69856 +#ifdef CONFIG_PAX_SEGMEXEC
69857 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
69858 +               pax_task_size = SEGMEXEC_TASK_SIZE;
69859 +#endif
69860 +
69861 +       pax_task_size -= PAGE_SIZE;
69862 +
69863 +       if (new_len > pax_task_size || addr > pax_task_size-new_len ||
69864 +           old_len > pax_task_size || addr > pax_task_size-old_len)
69865 +               goto out;
69866 +
69867         if (flags & MREMAP_FIXED) {
69868                 if (flags & MREMAP_MAYMOVE)
69869                         ret = mremap_to(addr, old_len, new_addr, new_len);
69870 @@ -480,6 +508,7 @@ unsigned long do_mremap(unsigned long ad
69871                                                    addr + new_len);
69872                         }
69873                         ret = addr;
69874 +                       track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
69875                         goto out;
69876                 }
69877         }
69878 @@ -506,7 +535,13 @@ unsigned long do_mremap(unsigned long ad
69879                 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
69880                 if (ret)
69881                         goto out;
69882 +
69883 +               map_flags = vma->vm_flags;
69884                 ret = move_vma(vma, addr, old_len, new_len, new_addr);
69885 +               if (!(ret & ~PAGE_MASK)) {
69886 +                       track_exec_limit(current->mm, addr, addr + old_len, 0UL);
69887 +                       track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
69888 +               }
69889         }
69890  out:
69891         if (ret & ~PAGE_MASK)
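Review bot: `map_flags = vma->vm_flags` is captured before `move_vma()` and used after it with no comment; the reason — presumably that `move_vma()` may free or merge `vma`, so its flags have to be read first — is the kind of thing that gets "simplified" away later. Suggest `/* vma may not survive move_vma(); snapshot the flags for track_exec_limit() first */` above the assignment. The `track_exec_limit(current->mm, addr, addr + old_len, 0UL)` call is the only place in the series where a range is tracked with `0UL`; a note that this means "exec rights withdrawn from the old range" would help.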
69892 diff -urNp linux-3.1.1/mm/nobootmem.c linux-3.1.1/mm/nobootmem.c
69893 --- linux-3.1.1/mm/nobootmem.c  2011-11-11 15:19:27.000000000 -0500
69894 +++ linux-3.1.1/mm/nobootmem.c  2011-11-16 18:39:08.000000000 -0500
69895 @@ -110,19 +110,30 @@ static void __init __free_pages_memory(u
69896  unsigned long __init free_all_memory_core_early(int nodeid)
69897  {
69898         int i;
69899 -       u64 start, end;
69900 +       u64 start, end, startrange, endrange;
69901         unsigned long count = 0;
69902 -       struct range *range = NULL;
69903 +       struct range *range = NULL, rangerange = { 0, 0 };
69904         int nr_range;
69905  
69906         nr_range = get_free_all_memory_range(&range, nodeid);
69907 +       startrange = __pa(range) >> PAGE_SHIFT;
69908 +       endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
69909  
69910         for (i = 0; i < nr_range; i++) {
69911                 start = range[i].start;
69912                 end = range[i].end;
69913 +               if (start <= endrange && startrange < end) {
69914 +                       BUG_ON(rangerange.start | rangerange.end);
69915 +                       rangerange = range[i];
69916 +                       continue;
69917 +               }
69918                 count += end - start;
69919                 __free_pages_memory(start, end);
69920         }
69921 +       start = rangerange.start;
69922 +       end = rangerange.end;
69923 +       count += end - start;
69924 +       __free_pages_memory(start, end);
69925  
69926         return count;
69927  }
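Review bot: The deferred-free logic has no comment explaining that the range containing the `range[]` array itself must be released last because the loop is still reading from it, and the trailing `__free_pages_memory(start, end)` runs even when no range matched (`rangerange` stays `{0, 0}`), relying on the callee treating an empty range as a no-op. A comment above `startrange = ...` — `/* the range[] array lives inside one of the ranges it describes; free that one after the loop */` — plus an explicit guard, `if (end > start) { count += end - start; __free_pages_memory(start, end); }`, make both facts visible. `BUG_ON(rangerange.start | rangerange.end)` fires if the array straddles two ranges; whether the allocator that produced it can do that is not visible here, but a message-less BUG is a hard stop this early in boot.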
69928 diff -urNp linux-3.1.1/mm/nommu.c linux-3.1.1/mm/nommu.c
69929 --- linux-3.1.1/mm/nommu.c      2011-11-11 15:19:27.000000000 -0500
69930 +++ linux-3.1.1/mm/nommu.c      2011-11-16 18:39:08.000000000 -0500
69931 @@ -62,7 +62,6 @@ int sysctl_overcommit_memory = OVERCOMMI
69932  int sysctl_overcommit_ratio = 50; /* default is 50% */
69933  int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
69934  int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
69935 -int heap_stack_gap = 0;
69936  
69937  atomic_long_t mmap_pages_allocated;
69938  
69939 @@ -825,15 +824,6 @@ struct vm_area_struct *find_vma(struct m
69940  EXPORT_SYMBOL(find_vma);
69941  
69942  /*
69943 - * find a VMA
69944 - * - we don't extend stack VMAs under NOMMU conditions
69945 - */
69946 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
69947 -{
69948 -       return find_vma(mm, addr);
69949 -}
69950 -
69951 -/*
69952   * expand a stack to a given address
69953   * - not supported under NOMMU conditions
69954   */
69955 @@ -1553,6 +1543,7 @@ int split_vma(struct mm_struct *mm, stru
69956  
69957         /* most fields are the same, copy all, and then fixup */
69958         *new = *vma;
69959 +       INIT_LIST_HEAD(&new->anon_vma_chain);
69960         *region = *vma->vm_region;
69961         new->vm_region = region;
69962  
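Review bot: The added `INIT_LIST_HEAD(&new->anon_vma_chain)` fixes the aliasing created by `*new = *vma` (the copied list head still points into `vma`'s chain), but a reader of the nommu code will not see that from the line itself. Suggest `/* the struct copy above duplicated vma's list head; give new its own empty chain */`.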
69963 diff -urNp linux-3.1.1/mm/page_alloc.c linux-3.1.1/mm/page_alloc.c
69964 --- linux-3.1.1/mm/page_alloc.c 2011-11-11 15:19:27.000000000 -0500
69965 +++ linux-3.1.1/mm/page_alloc.c 2011-11-16 18:40:44.000000000 -0500
69966 @@ -340,7 +340,7 @@ out:
69967   * This usage means that zero-order pages may not be compound.
69968   */
69969  
69970 -static void free_compound_page(struct page *page)
69971 +void free_compound_page(struct page *page)
69972  {
69973         __free_pages_ok(page, compound_order(page));
69974  }
69975 @@ -653,6 +653,10 @@ static bool free_pages_prepare(struct pa
69976         int i;
69977         int bad = 0;
69978  
69979 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
69980 +       unsigned long index = 1UL << order;
69981 +#endif
69982 +
69983         trace_mm_page_free_direct(page, order);
69984         kmemcheck_free_shadow(page, order);
69985  
69986 @@ -668,6 +672,12 @@ static bool free_pages_prepare(struct pa
69987                 debug_check_no_obj_freed(page_address(page),
69988                                            PAGE_SIZE << order);
69989         }
69990 +
69991 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
69992 +       for (; index; --index)
69993 +               sanitize_highpage(page + index - 1);
69994 +#endif
69995 +
69996         arch_free_page(page, order);
69997         kernel_map_pages(page, 1 << order, 0);
69998  
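Review bot: Skipping `prep_zero_page()` under `CONFIG_PAX_MEMORY_SANITIZE` (hunk +793) makes `__GFP_ZERO` correctness depend on the loop added here — every page handed out must have passed through `free_pages_prepare()`, and `sanitize_highpage()` must clear to zero rather than to a pattern — and neither the loop nor the `#ifndef` says so. A comment at both sites, e.g. `/* with MEMORY_SANITIZE every freed page is zeroed in free_pages_prepare(), so __GFP_ZERO needs no extra clearing */`, records the coupling; if `sanitize_highpage()` ever writes a non-zero pattern, `__GFP_ZERO` silently breaks. Counting `index` down and sanitising `page + index - 1` also reads less naturally than a plain ascending loop over `1UL << order` pages.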
69999 @@ -783,8 +793,10 @@ static int prep_new_page(struct page *pa
70000         arch_alloc_page(page, order);
70001         kernel_map_pages(page, 1 << order, 1);
70002  
70003 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
70004         if (gfp_flags & __GFP_ZERO)
70005                 prep_zero_page(page, order, gfp_flags);
70006 +#endif
70007  
70008         if (order && (gfp_flags & __GFP_COMP))
70009                 prep_compound_page(page, order);
70010 @@ -2539,6 +2551,8 @@ void show_free_areas(unsigned int filter
70011         int cpu;
70012         struct zone *zone;
70013  
70014 +       pax_track_stack();
70015 +
70016         for_each_populated_zone(zone) {
70017                 if (skip_free_areas_node(filter, zone_to_nid(zone)))
70018                         continue;
70019 @@ -3350,7 +3364,13 @@ static int pageblock_is_reserved(unsigne
70020         unsigned long pfn;
70021  
70022         for (pfn = start_pfn; pfn < end_pfn; pfn++) {
70023 +#ifdef CONFIG_X86_32
70024 +               /* boot failures in VMware 8 on 32bit vanilla since
70025 +                  this change */
70026 +               if (!pfn_valid(pfn) || PageReserved(pfn_to_page(pfn)))
70027 +#else
70028                 if (!pfn_valid_within(pfn) || PageReserved(pfn_to_page(pfn)))
70029 +#endif
70030                         return 1;
70031         }
70032         return 0;
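Review bot: The `CONFIG_X86_32` override is documented only by its symptom (`boot failures in VMware 8 on 32bit vanilla since this change`) and not by what it changes: `pfn_valid_within()` is a real check only with `CONFIG_HOLES_IN_ZONE` and otherwise assumes the pfn is valid, whereas `pfn_valid()` always checks, so the workaround forces a full validity check on 32-bit. Stating that in the comment, and naming the upstream change it refers to, would let the next person decide whether the workaround is still needed. Stylistically, an `#ifdef` splitting an `if` condition inside the loop body is hard to read; a macro selected once above the function (name constructed for illustration) — `#ifdef CONFIG_X86_32 / #define pageblock_pfn_ok(pfn) pfn_valid(pfn) / #else / #define pageblock_pfn_ok(pfn) pfn_valid_within(pfn) / #endif` — keeps the loop single-path.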
70033 diff -urNp linux-3.1.1/mm/percpu.c linux-3.1.1/mm/percpu.c
70034 --- linux-3.1.1/mm/percpu.c     2011-11-11 15:19:27.000000000 -0500
70035 +++ linux-3.1.1/mm/percpu.c     2011-11-16 18:39:08.000000000 -0500
70036 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu 
70037  static unsigned int pcpu_last_unit_cpu __read_mostly;
70038  
70039  /* the address of the first chunk which starts with the kernel static area */
70040 -void *pcpu_base_addr __read_mostly;
70041 +void *pcpu_base_addr __read_only;
70042  EXPORT_SYMBOL_GPL(pcpu_base_addr);
70043  
70044  static const int *pcpu_unit_map __read_mostly;         /* cpu -> unit */
70045 diff -urNp linux-3.1.1/mm/rmap.c linux-3.1.1/mm/rmap.c
70046 --- linux-3.1.1/mm/rmap.c       2011-11-11 15:19:27.000000000 -0500
70047 +++ linux-3.1.1/mm/rmap.c       2011-11-16 18:39:08.000000000 -0500
70048 @@ -152,6 +152,10 @@ int anon_vma_prepare(struct vm_area_stru
70049         struct anon_vma *anon_vma = vma->anon_vma;
70050         struct anon_vma_chain *avc;
70051  
70052 +#ifdef CONFIG_PAX_SEGMEXEC
70053 +       struct anon_vma_chain *avc_m = NULL;
70054 +#endif
70055 +
70056         might_sleep();
70057         if (unlikely(!anon_vma)) {
70058                 struct mm_struct *mm = vma->vm_mm;
70059 @@ -161,6 +165,12 @@ int anon_vma_prepare(struct vm_area_stru
70060                 if (!avc)
70061                         goto out_enomem;
70062  
70063 +#ifdef CONFIG_PAX_SEGMEXEC
70064 +               avc_m = anon_vma_chain_alloc(GFP_KERNEL);
70065 +               if (!avc_m)
70066 +                       goto out_enomem_free_avc;
70067 +#endif
70068 +
70069                 anon_vma = find_mergeable_anon_vma(vma);
70070                 allocated = NULL;
70071                 if (!anon_vma) {
70072 @@ -174,6 +184,21 @@ int anon_vma_prepare(struct vm_area_stru
70073                 /* page_table_lock to protect against threads */
70074                 spin_lock(&mm->page_table_lock);
70075                 if (likely(!vma->anon_vma)) {
70076 +
70077 +#ifdef CONFIG_PAX_SEGMEXEC
70078 +                       struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
70079 +
70080 +                       if (vma_m) {
70081 +                               BUG_ON(vma_m->anon_vma);
70082 +                               vma_m->anon_vma = anon_vma;
70083 +                               avc_m->anon_vma = anon_vma;
70084 +                               avc_m->vma = vma;
70085 +                               list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
70086 +                               list_add(&avc_m->same_anon_vma, &anon_vma->head);
70087 +                               avc_m = NULL;
70088 +                       }
70089 +#endif
70090 +
70091                         vma->anon_vma = anon_vma;
70092                         avc->anon_vma = anon_vma;
70093                         avc->vma = vma;
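Review bot: `avc_m->vma = vma;` links the mirror's chain entry to the original vma rather than to `vma_m`, so as far as this hunk shows an rmap walk over `anon_vma->head` visits `vma` twice and never `vma_m`; if that is deliberate (the mirror's ptes being handled elsewhere), it needs a comment saying so, and if not it is a bug for page_referenced/try_to_unmap on the mirrored range. Separately, the hunk at +165 allocates `avc_m` on every `anon_vma_prepare()` under SEGMEXEC even when `pax_find_mirror_vma(vma)` will return NULL, so every non-exec mapping pays an allocation that is immediately freed at +212; allocating only after the mirror check is cheaper, though the check would then have to move outside the `page_table_lock` section.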
70094 @@ -187,12 +212,24 @@ int anon_vma_prepare(struct vm_area_stru
70095  
70096                 if (unlikely(allocated))
70097                         put_anon_vma(allocated);
70098 +
70099 +#ifdef CONFIG_PAX_SEGMEXEC
70100 +               if (unlikely(avc_m))
70101 +                       anon_vma_chain_free(avc_m);
70102 +#endif
70103 +
70104                 if (unlikely(avc))
70105                         anon_vma_chain_free(avc);
70106         }
70107         return 0;
70108  
70109   out_enomem_free_avc:
70110 +
70111 +#ifdef CONFIG_PAX_SEGMEXEC
70112 +       if (avc_m)
70113 +               anon_vma_chain_free(avc_m);
70114 +#endif
70115 +
70116         anon_vma_chain_free(avc);
70117   out_enomem:
70118         return -ENOMEM;
70119 @@ -243,7 +280,7 @@ static void anon_vma_chain_link(struct v
70120   * Attach the anon_vmas from src to dst.
70121   * Returns 0 on success, -ENOMEM on failure.
70122   */
70123 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
70124 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
70125  {
70126         struct anon_vma_chain *avc, *pavc;
70127         struct anon_vma *root = NULL;
70128 @@ -276,7 +313,7 @@ int anon_vma_clone(struct vm_area_struct
70129   * the corresponding VMA in the parent process is attached to.
70130   * Returns 0 on success, non-zero on failure.
70131   */
70132 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
70133 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
70134  {
70135         struct anon_vma_chain *avc;
70136         struct anon_vma *anon_vma;
70137 diff -urNp linux-3.1.1/mm/shmem.c linux-3.1.1/mm/shmem.c
70138 --- linux-3.1.1/mm/shmem.c      2011-11-11 15:19:27.000000000 -0500
70139 +++ linux-3.1.1/mm/shmem.c      2011-11-16 19:28:28.000000000 -0500
70140 @@ -31,7 +31,7 @@
70141  #include <linux/module.h>
70142  #include <linux/swap.h>
70143  
70144 -static struct vfsmount *shm_mnt;
70145 +struct vfsmount *shm_mnt;
70146  
70147  #ifdef CONFIG_SHMEM
70148  /*
70149 @@ -74,7 +74,7 @@ static struct vfsmount *shm_mnt;
70150  #define BOGO_DIRENT_SIZE 20
70151  
70152  /* Symlink up to this size is kmalloc'ed instead of using a swappable page */
70153 -#define SHORT_SYMLINK_LEN 128
70154 +#define SHORT_SYMLINK_LEN 64
70155  
70156  struct shmem_xattr {
70157         struct list_head list;  /* anchored by shmem_inode_info->xattr_list */
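Review bot: Halving `SHORT_SYMLINK_LEN` from 128 to 64 is a behaviour change with no rationale on the line; any symlink between 65 and 128 bytes now goes through a swappable page instead of kmalloc, and nothing tells the reader why. Add the reason as a comment on the define — if it is tied to the slab sizes the series' usercopy checks accept, say so explicitly.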
70158 @@ -769,6 +769,8 @@ static struct page *shmem_swapin(swp_ent
70159         struct mempolicy mpol, *spol;
70160         struct vm_area_struct pvma;
70161  
70162 +       pax_track_stack();
70163 +
70164         spol = mpol_cond_copy(&mpol,
70165                         mpol_shared_policy_lookup(&info->policy, index));
70166  
70167 @@ -2149,8 +2151,7 @@ int shmem_fill_super(struct super_block 
70168         int err = -ENOMEM;
70169  
70170         /* Round up to L1_CACHE_BYTES to resist false sharing */
70171 -       sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
70172 -                               L1_CACHE_BYTES), GFP_KERNEL);
70173 +       sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
70174         if (!sbinfo)
70175                 return -ENOMEM;
70176  
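Review bot: `max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES)` compares a size_t with an int-typed constant; if this tree's max() still carries the `(void)(&_max1 == &_max2)` typecheck, that is a "comparison of distinct pointer types" warning on every build. `max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES)` keeps the intent of dropping the `(int)` cast without the type mismatch. The rest of shmem_fill_super lies outside the hunk.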
70177 diff -urNp linux-3.1.1/mm/slab.c linux-3.1.1/mm/slab.c
70178 --- linux-3.1.1/mm/slab.c       2011-11-11 15:19:27.000000000 -0500
70179 +++ linux-3.1.1/mm/slab.c       2011-11-16 18:40:44.000000000 -0500
70180 @@ -151,7 +151,7 @@
70181  
70182  /* Legal flag mask for kmem_cache_create(). */
70183  #if DEBUG
70184 -# define CREATE_MASK   (SLAB_RED_ZONE | \
70185 +# define CREATE_MASK   (SLAB_USERCOPY | SLAB_RED_ZONE | \
70186                          SLAB_POISON | SLAB_HWCACHE_ALIGN | \
70187                          SLAB_CACHE_DMA | \
70188                          SLAB_STORE_USER | \
70189 @@ -159,7 +159,7 @@
70190                          SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
70191                          SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
70192  #else
70193 -# define CREATE_MASK   (SLAB_HWCACHE_ALIGN | \
70194 +# define CREATE_MASK   (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
70195                          SLAB_CACHE_DMA | \
70196                          SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
70197                          SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
70198 @@ -288,7 +288,7 @@ struct kmem_list3 {
70199   * Need this for bootstrapping a per node allocator.
70200   */
70201  #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
70202 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
70203 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
70204  #define        CACHE_CACHE 0
70205  #define        SIZE_AC MAX_NUMNODES
70206  #define        SIZE_L3 (2 * MAX_NUMNODES)
70207 @@ -389,10 +389,10 @@ static void kmem_list3_init(struct kmem_
70208                 if ((x)->max_freeable < i)                              \
70209                         (x)->max_freeable = i;                          \
70210         } while (0)
70211 -#define STATS_INC_ALLOCHIT(x)  atomic_inc(&(x)->allochit)
70212 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
70213 -#define STATS_INC_FREEHIT(x)   atomic_inc(&(x)->freehit)
70214 -#define STATS_INC_FREEMISS(x)  atomic_inc(&(x)->freemiss)
70215 +#define STATS_INC_ALLOCHIT(x)  atomic_inc_unchecked(&(x)->allochit)
70216 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
70217 +#define STATS_INC_FREEHIT(x)   atomic_inc_unchecked(&(x)->freehit)
70218 +#define STATS_INC_FREEMISS(x)  atomic_inc_unchecked(&(x)->freemiss)
70219  #else
70220  #define        STATS_INC_ACTIVE(x)     do { } while (0)
70221  #define        STATS_DEC_ACTIVE(x)     do { } while (0)
70222 @@ -538,7 +538,7 @@ static inline void *index_to_obj(struct 
70223   *   reciprocal_divide(offset, cache->reciprocal_buffer_size)
70224   */
70225  static inline unsigned int obj_to_index(const struct kmem_cache *cache,
70226 -                                       const struct slab *slab, void *obj)
70227 +                                       const struct slab *slab, const void *obj)
70228  {
70229         u32 offset = (obj - slab->s_mem);
70230         return reciprocal_divide(offset, cache->reciprocal_buffer_size);
70231 @@ -564,7 +564,7 @@ struct cache_names {
70232  static struct cache_names __initdata cache_names[] = {
70233  #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
70234  #include <linux/kmalloc_sizes.h>
70235 -       {NULL,}
70236 +       {NULL}
70237  #undef CACHE
70238  };
70239  
70240 @@ -1571,7 +1571,7 @@ void __init kmem_cache_init(void)
70241         sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
70242                                         sizes[INDEX_AC].cs_size,
70243                                         ARCH_KMALLOC_MINALIGN,
70244 -                                       ARCH_KMALLOC_FLAGS|SLAB_PANIC,
70245 +                                       ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
70246                                         NULL);
70247  
70248         if (INDEX_AC != INDEX_L3) {
70249 @@ -1579,7 +1579,7 @@ void __init kmem_cache_init(void)
70250                         kmem_cache_create(names[INDEX_L3].name,
70251                                 sizes[INDEX_L3].cs_size,
70252                                 ARCH_KMALLOC_MINALIGN,
70253 -                               ARCH_KMALLOC_FLAGS|SLAB_PANIC,
70254 +                               ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
70255                                 NULL);
70256         }
70257  
70258 @@ -1597,7 +1597,7 @@ void __init kmem_cache_init(void)
70259                         sizes->cs_cachep = kmem_cache_create(names->name,
70260                                         sizes->cs_size,
70261                                         ARCH_KMALLOC_MINALIGN,
70262 -                                       ARCH_KMALLOC_FLAGS|SLAB_PANIC,
70263 +                                       ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
70264                                         NULL);
70265                 }
70266  #ifdef CONFIG_ZONE_DMA
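Review bot: The general kmalloc caches gain SLAB_USERCOPY here, but the `#ifdef CONFIG_ZONE_DMA` branch that creates the matching `size-N(DMA)` caches begins on the hunk's last line and its flags are not visible. If those caches are created without SLAB_USERCOPY, a copy_to_user()/copy_from_user() on a kmalloc(GFP_DMA) buffer is rejected by check_object_size even though it is a plain kmalloc allocation. Worth confirming the DMA path also passes `ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY`, or recording deliberately why it does not.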
70267 @@ -4324,10 +4324,10 @@ static int s_show(struct seq_file *m, vo
70268         }
70269         /* cpu stats */
70270         {
70271 -               unsigned long allochit = atomic_read(&cachep->allochit);
70272 -               unsigned long allocmiss = atomic_read(&cachep->allocmiss);
70273 -               unsigned long freehit = atomic_read(&cachep->freehit);
70274 -               unsigned long freemiss = atomic_read(&cachep->freemiss);
70275 +               unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
70276 +               unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
70277 +               unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
70278 +               unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
70279  
70280                 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
70281                            allochit, allocmiss, freehit, freemiss);
70282 @@ -4584,15 +4584,70 @@ static const struct file_operations proc
70283  
70284  static int __init slab_proc_init(void)
70285  {
70286 -       proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
70287 +       mode_t gr_mode = S_IRUGO;
70288 +
70289 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70290 +       gr_mode = S_IRUSR;
70291 +#endif
70292 +
70293 +       proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
70294  #ifdef CONFIG_DEBUG_SLAB_LEAK
70295 -       proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
70296 +       proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
70297  #endif
70298         return 0;
70299  }
70300  module_init(slab_proc_init);
70301  #endif
70302  
70303 +void check_object_size(const void *ptr, unsigned long n, bool to)
70304 +{
70305 +
70306 +#ifdef CONFIG_PAX_USERCOPY
70307 +       struct page *page;
70308 +       struct kmem_cache *cachep = NULL;
70309 +       struct slab *slabp;
70310 +       unsigned int objnr;
70311 +       unsigned long offset;
70312 +       const char *type;
70313 +
70314 +       if (!n)
70315 +               return;
70316 +
70317 +       type = "<null>";
70318 +       if (ZERO_OR_NULL_PTR(ptr))
70319 +               goto report;
70320 +
70321 +       if (!virt_addr_valid(ptr))
70322 +               return;
70323 +
70324 +       page = virt_to_head_page(ptr);
70325 +
70326 +       type = "<process stack>";
70327 +       if (!PageSlab(page)) {
70328 +               if (object_is_on_stack(ptr, n) == -1)
70329 +                       goto report;
70330 +               return;
70331 +       }
70332 +
70333 +       cachep = page_get_cache(page);
70334 +       type = cachep->name;
70335 +       if (!(cachep->flags & SLAB_USERCOPY))
70336 +               goto report;
70337 +
70338 +       slabp = page_get_slab(page);
70339 +       objnr = obj_to_index(cachep, slabp, ptr);
70340 +       BUG_ON(objnr >= cachep->num);
70341 +       offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
70342 +       if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
70343 +               return;
70344 +
70345 +report:
70346 +       pax_report_usercopy(ptr, n, to, type);
70347 +#endif
70348 +
70349 +}
70350 +EXPORT_SYMBOL(check_object_size);
70351 +
70352  /**
70353   * ksize - get the actual amount of memory allocated for a given object
70354   * @objp: Pointer to the object
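Review bot: check_object_size carries no comment on its contract, and its two silent-return paths are exactly where a reader needs one: a pointer that fails virt_addr_valid() and a page that is neither slab nor stack both return without a report, so vmalloc and page-allocator buffers are not covered by this check at all. I'd add a header comment above the definition stating that it validates a kernel buffer [ptr, ptr+n) about to cross the user/kernel boundary, that it reports only NULL/ZERO_SIZE_PTR, the `== -1` case of object_is_on_stack (whose semantics are outside this hunk), and slab objects whose cache lacks SLAB_USERCOPY or where the range leaves the object, and that everything else passes unverified. The bounds test `offset <= obj_size(cachep)` relies on `offset` being unsigned so that a pointer below the object start wraps and fails; a one-line `/* offset wraps for ptr below the object start */` saves the next reader the derivation. The meaning of `to` is not visible here — presumably the copy direction handed to pax_report_usercopy — and should be named in the comment.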
70355 diff -urNp linux-3.1.1/mm/slob.c linux-3.1.1/mm/slob.c
70356 --- linux-3.1.1/mm/slob.c       2011-11-11 15:19:27.000000000 -0500
70357 +++ linux-3.1.1/mm/slob.c       2011-11-16 18:39:08.000000000 -0500
70358 @@ -29,7 +29,7 @@
70359   * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
70360   * alloc_pages() directly, allocating compound pages so the page order
70361   * does not have to be separately tracked, and also stores the exact
70362 - * allocation size in page->private so that it can be used to accurately
70363 + * allocation size in slob_page->size so that it can be used to accurately
70364   * provide ksize(). These objects are detected in kfree() because slob_page()
70365   * is false for them.
70366   *
70367 @@ -58,6 +58,7 @@
70368   */
70369  
70370  #include <linux/kernel.h>
70371 +#include <linux/sched.h>
70372  #include <linux/slab.h>
70373  #include <linux/mm.h>
70374  #include <linux/swap.h> /* struct reclaim_state */
70375 @@ -102,7 +103,8 @@ struct slob_page {
70376                         unsigned long flags;    /* mandatory */
70377                         atomic_t _count;        /* mandatory */
70378                         slobidx_t units;        /* free units left in page */
70379 -                       unsigned long pad[2];
70380 +                       unsigned long pad[1];
70381 +                       unsigned long size;     /* size when >=PAGE_SIZE */
70382                         slob_t *free;           /* first free slob_t in page */
70383                         struct list_head list;  /* linked list of free pages */
70384                 };
70385 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
70386   */
70387  static inline int is_slob_page(struct slob_page *sp)
70388  {
70389 -       return PageSlab((struct page *)sp);
70390 +       return PageSlab((struct page *)sp) && !sp->size;
70391  }
70392  
70393  static inline void set_slob_page(struct slob_page *sp)
70394 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
70395  
70396  static inline struct slob_page *slob_page(const void *addr)
70397  {
70398 -       return (struct slob_page *)virt_to_page(addr);
70399 +       return (struct slob_page *)virt_to_head_page(addr);
70400  }
70401  
70402  /*
70403 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
70404  /*
70405   * Return the size of a slob block.
70406   */
70407 -static slobidx_t slob_units(slob_t *s)
70408 +static slobidx_t slob_units(const slob_t *s)
70409  {
70410         if (s->units > 0)
70411                 return s->units;
70412 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
70413  /*
70414   * Return the next free slob block pointer after this one.
70415   */
70416 -static slob_t *slob_next(slob_t *s)
70417 +static slob_t *slob_next(const slob_t *s)
70418  {
70419         slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
70420         slobidx_t next;
70421 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
70422  /*
70423   * Returns true if s is the last free block in its page.
70424   */
70425 -static int slob_last(slob_t *s)
70426 +static int slob_last(const slob_t *s)
70427  {
70428         return !((unsigned long)slob_next(s) & ~PAGE_MASK);
70429  }
70430 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
70431         if (!page)
70432                 return NULL;
70433  
70434 +       set_slob_page(page);
70435         return page_address(page);
70436  }
70437  
70438 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
70439                 if (!b)
70440                         return NULL;
70441                 sp = slob_page(b);
70442 -               set_slob_page(sp);
70443  
70444                 spin_lock_irqsave(&slob_lock, flags);
70445                 sp->units = SLOB_UNITS(PAGE_SIZE);
70446                 sp->free = b;
70447 +               sp->size = 0;
70448                 INIT_LIST_HEAD(&sp->list);
70449                 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
70450                 set_slob_page_free(sp, slob_list);
70451 @@ -476,10 +479,9 @@ out:
70452   * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
70453   */
70454  
70455 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
70456 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
70457  {
70458 -       unsigned int *m;
70459 -       int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70460 +       slob_t *m;
70461         void *ret;
70462  
70463         gfp &= gfp_allowed_mask;
70464 @@ -494,7 +496,10 @@ void *__kmalloc_node(size_t size, gfp_t 
70465  
70466                 if (!m)
70467                         return NULL;
70468 -               *m = size;
70469 +               BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
70470 +               BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
70471 +               m[0].units = size;
70472 +               m[1].units = align;
70473                 ret = (void *)m + align;
70474  
70475                 trace_kmalloc_node(_RET_IP_, ret,
70476 @@ -506,16 +511,25 @@ void *__kmalloc_node(size_t size, gfp_t 
70477                         gfp |= __GFP_COMP;
70478                 ret = slob_new_pages(gfp, order, node);
70479                 if (ret) {
70480 -                       struct page *page;
70481 -                       page = virt_to_page(ret);
70482 -                       page->private = size;
70483 +                       struct slob_page *sp;
70484 +                       sp = slob_page(ret);
70485 +                       sp->size = size;
70486                 }
70487  
70488                 trace_kmalloc_node(_RET_IP_, ret,
70489                                    size, PAGE_SIZE << order, gfp, node);
70490         }
70491  
70492 -       kmemleak_alloc(ret, size, 1, gfp);
70493 +       return ret;
70494 +}
70495 +
70496 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
70497 +{
70498 +       int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70499 +       void *ret = __kmalloc_node_align(size, gfp, node, align);
70500 +
70501 +       if (!ZERO_OR_NULL_PTR(ret))
70502 +               kmemleak_alloc(ret, size, 1, gfp);
70503         return ret;
70504  }
70505  EXPORT_SYMBOL(__kmalloc_node);
70506 @@ -533,13 +547,92 @@ void kfree(const void *block)
70507         sp = slob_page(block);
70508         if (is_slob_page(sp)) {
70509                 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70510 -               unsigned int *m = (unsigned int *)(block - align);
70511 -               slob_free(m, *m + align);
70512 -       } else
70513 +               slob_t *m = (slob_t *)(block - align);
70514 +               slob_free(m, m[0].units + align);
70515 +       } else {
70516 +               clear_slob_page(sp);
70517 +               free_slob_page(sp);
70518 +               sp->size = 0;
70519                 put_page(&sp->page);
70520 +       }
70521  }
70522  EXPORT_SYMBOL(kfree);
70523  
70524 +void check_object_size(const void *ptr, unsigned long n, bool to)
70525 +{
70526 +
70527 +#ifdef CONFIG_PAX_USERCOPY
70528 +       struct slob_page *sp;
70529 +       const slob_t *free;
70530 +       const void *base;
70531 +       unsigned long flags;
70532 +       const char *type;
70533 +
70534 +       if (!n)
70535 +               return;
70536 +
70537 +       type = "<null>";
70538 +       if (ZERO_OR_NULL_PTR(ptr))
70539 +               goto report;
70540 +
70541 +       if (!virt_addr_valid(ptr))
70542 +               return;
70543 +
70544 +       type = "<process stack>";
70545 +       sp = slob_page(ptr);
70546 +       if (!PageSlab((struct page*)sp)) {
70547 +               if (object_is_on_stack(ptr, n) == -1)
70548 +                       goto report;
70549 +               return;
70550 +       }
70551 +
70552 +       type = "<slob>";
70553 +       if (sp->size) {
70554 +               base = page_address(&sp->page);
70555 +               if (base <= ptr && n <= sp->size - (ptr - base))
70556 +                       return;
70557 +               goto report;
70558 +       }
70559 +
70560 +       /* some tricky double walking to find the chunk */
70561 +       spin_lock_irqsave(&slob_lock, flags);
70562 +       base = (void *)((unsigned long)ptr & PAGE_MASK);
70563 +       free = sp->free;
70564 +
70565 +       while (!slob_last(free) && (void *)free <= ptr) {
70566 +               base = free + slob_units(free);
70567 +               free = slob_next(free);
70568 +       }
70569 +
70570 +       while (base < (void *)free) {
70571 +               slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
70572 +               int size = SLOB_UNIT * SLOB_UNITS(m + align);
70573 +               int offset;
70574 +
70575 +               if (ptr < base + align)
70576 +                       break;
70577 +
70578 +               offset = ptr - base - align;
70579 +               if (offset >= m) {
70580 +                       base += size;
70581 +                       continue;
70582 +               }
70583 +
70584 +               if (n > m - offset)
70585 +                       break;
70586 +
70587 +               spin_unlock_irqrestore(&slob_lock, flags);
70588 +               return;
70589 +       }
70590 +
70591 +       spin_unlock_irqrestore(&slob_lock, flags);
70592 +report:
70593 +       pax_report_usercopy(ptr, n, to, type);
70594 +#endif
70595 +
70596 +}
70597 +EXPORT_SYMBOL(check_object_size);
70598 +
70599  /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
70600  size_t ksize(const void *block)
70601  {
70602 @@ -552,10 +645,10 @@ size_t ksize(const void *block)
70603         sp = slob_page(block);
70604         if (is_slob_page(sp)) {
70605                 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70606 -               unsigned int *m = (unsigned int *)(block - align);
70607 -               return SLOB_UNITS(*m) * SLOB_UNIT;
70608 +               slob_t *m = (slob_t *)(block - align);
70609 +               return SLOB_UNITS(m[0].units) * SLOB_UNIT;
70610         } else
70611 -               return sp->page.private;
70612 +               return sp->size;
70613  }
70614  EXPORT_SYMBOL(ksize);
70615  
70616 @@ -571,8 +664,13 @@ struct kmem_cache *kmem_cache_create(con
70617  {
70618         struct kmem_cache *c;
70619  
70620 +#ifdef CONFIG_PAX_USERCOPY
70621 +       c = __kmalloc_node_align(sizeof(struct kmem_cache),
70622 +               GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
70623 +#else
70624         c = slob_alloc(sizeof(struct kmem_cache),
70625                 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
70626 +#endif
70627  
70628         if (c) {
70629                 c->name = name;
70630 @@ -614,17 +712,25 @@ void *kmem_cache_alloc_node(struct kmem_
70631  
70632         lockdep_trace_alloc(flags);
70633  
70634 +#ifdef CONFIG_PAX_USERCOPY
70635 +       b = __kmalloc_node_align(c->size, flags, node, c->align);
70636 +#else
70637         if (c->size < PAGE_SIZE) {
70638                 b = slob_alloc(c->size, flags, c->align, node);
70639                 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
70640                                             SLOB_UNITS(c->size) * SLOB_UNIT,
70641                                             flags, node);
70642         } else {
70643 +               struct slob_page *sp;
70644 +
70645                 b = slob_new_pages(flags, get_order(c->size), node);
70646 +               sp = slob_page(b);
70647 +               sp->size = c->size;
70648                 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
70649                                             PAGE_SIZE << get_order(c->size),
70650                                             flags, node);
70651         }
70652 +#endif
70653  
70654         if (c->ctor)
70655                 c->ctor(b);
70656 @@ -636,10 +742,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
70657  
70658  static void __kmem_cache_free(void *b, int size)
70659  {
70660 -       if (size < PAGE_SIZE)
70661 +       struct slob_page *sp = slob_page(b);
70662 +
70663 +       if (is_slob_page(sp))
70664                 slob_free(b, size);
70665 -       else
70666 +       else {
70667 +               clear_slob_page(sp);
70668 +               free_slob_page(sp);
70669 +               sp->size = 0;
70670                 slob_free_pages(b, get_order(size));
70671 +       }
70672  }
70673  
70674  static void kmem_rcu_free(struct rcu_head *head)
70675 @@ -652,17 +764,31 @@ static void kmem_rcu_free(struct rcu_hea
70676  
70677  void kmem_cache_free(struct kmem_cache *c, void *b)
70678  {
70679 +       int size = c->size;
70680 +
70681 +#ifdef CONFIG_PAX_USERCOPY
70682 +       if (size + c->align < PAGE_SIZE) {
70683 +               size += c->align;
70684 +               b -= c->align;
70685 +       }
70686 +#endif
70687 +
70688         kmemleak_free_recursive(b, c->flags);
70689         if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
70690                 struct slob_rcu *slob_rcu;
70691 -               slob_rcu = b + (c->size - sizeof(struct slob_rcu));
70692 -               slob_rcu->size = c->size;
70693 +               slob_rcu = b + (size - sizeof(struct slob_rcu));
70694 +               slob_rcu->size = size;
70695                 call_rcu(&slob_rcu->head, kmem_rcu_free);
70696         } else {
70697 -               __kmem_cache_free(b, c->size);
70698 +               __kmem_cache_free(b, size);
70699         }
70700  
70701 +#ifdef CONFIG_PAX_USERCOPY
70702 +       trace_kfree(_RET_IP_, b);
70703 +#else
70704         trace_kmem_cache_free(_RET_IP_, b);
70705 +#endif
70706 +
70707  }
70708  EXPORT_SYMBOL(kmem_cache_free);
70709  
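Review bot: `kmemleak_free_recursive(b, c->flags)` now receives the header address under CONFIG_PAX_USERCOPY, because the `b -= c->align` adjustment runs before it; if kmem_cache_alloc_node (its kmemleak registration is outside this hunk) still registers the object pointer returned to the caller, kmemleak will not find an object starting at `b - align` and will log an unknown free, later reporting the object as leaked. Moving the call above the `#ifdef CONFIG_PAX_USERCOPY` block keeps both sides of the accounting on the same pointer: `kmemleak_free_recursive(b, c->flags);` as the first statement after `int size = c->size;`. The same shift affects `trace_kfree(_RET_IP_, b)`, which now logs the header rather than the object address.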
70710 diff -urNp linux-3.1.1/mm/slub.c linux-3.1.1/mm/slub.c
70711 --- linux-3.1.1/mm/slub.c       2011-11-11 15:19:27.000000000 -0500
70712 +++ linux-3.1.1/mm/slub.c       2011-11-16 19:27:25.000000000 -0500
70713 @@ -208,7 +208,7 @@ struct track {
70714  
70715  enum track_item { TRACK_ALLOC, TRACK_FREE };
70716  
70717 -#ifdef CONFIG_SYSFS
70718 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70719  static int sysfs_slab_add(struct kmem_cache *);
70720  static int sysfs_slab_alias(struct kmem_cache *, const char *);
70721  static void sysfs_slab_remove(struct kmem_cache *);
70722 @@ -556,7 +556,7 @@ static void print_track(const char *s, s
70723         if (!t->addr)
70724                 return;
70725  
70726 -       printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
70727 +       printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
70728                 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
70729  #ifdef CONFIG_STACKTRACE
70730         {
70731 @@ -2456,6 +2456,8 @@ void kmem_cache_free(struct kmem_cache *
70732  
70733         page = virt_to_head_page(x);
70734  
70735 +       BUG_ON(!PageSlab(page));
70736 +
70737         slab_free(s, page, x, _RET_IP_);
70738  
70739         trace_kmem_cache_free(_RET_IP_, x);
70740 @@ -2489,7 +2491,7 @@ static int slub_min_objects;
70741   * Merge control. If this is set then no merging of slab caches will occur.
70742   * (Could be removed. This was introduced to pacify the merge skeptics.)
70743   */
70744 -static int slub_nomerge;
70745 +static int slub_nomerge = 1;
70746  
70747  /*
70748   * Calculate the order of allocation given an slab object size.
70749 @@ -2912,7 +2914,7 @@ static int kmem_cache_open(struct kmem_c
70750          * list to avoid pounding the page allocator excessively.
70751          */
70752         set_min_partial(s, ilog2(s->size));
70753 -       s->refcount = 1;
70754 +       atomic_set(&s->refcount, 1);
70755  #ifdef CONFIG_NUMA
70756         s->remote_node_defrag_ratio = 1000;
70757  #endif
70758 @@ -3017,8 +3019,7 @@ static inline int kmem_cache_close(struc
70759  void kmem_cache_destroy(struct kmem_cache *s)
70760  {
70761         down_write(&slub_lock);
70762 -       s->refcount--;
70763 -       if (!s->refcount) {
70764 +       if (atomic_dec_and_test(&s->refcount)) {
70765                 list_del(&s->list);
70766                 if (kmem_cache_close(s)) {
70767                         printk(KERN_ERR "SLUB %s: %s called for cache that "
70768 @@ -3228,6 +3229,50 @@ void *__kmalloc_node(size_t size, gfp_t 
70769  EXPORT_SYMBOL(__kmalloc_node);
70770  #endif
70771  
70772 +void check_object_size(const void *ptr, unsigned long n, bool to)
70773 +{
70774 +
70775 +#ifdef CONFIG_PAX_USERCOPY
70776 +       struct page *page;
70777 +       struct kmem_cache *s = NULL;
70778 +       unsigned long offset;
70779 +       const char *type;
70780 +
70781 +       if (!n)
70782 +               return;
70783 +
70784 +       type = "<null>";
70785 +       if (ZERO_OR_NULL_PTR(ptr))
70786 +               goto report;
70787 +
70788 +       if (!virt_addr_valid(ptr))
70789 +               return;
70790 +
70791 +       page = virt_to_head_page(ptr);
70792 +
70793 +       type = "<process stack>";
70794 +       if (!PageSlab(page)) {
70795 +               if (object_is_on_stack(ptr, n) == -1)
70796 +                       goto report;
70797 +               return;
70798 +       }
70799 +
70800 +       s = page->slab;
70801 +       type = s->name;
70802 +       if (!(s->flags & SLAB_USERCOPY))
70803 +               goto report;
70804 +
70805 +       offset = (ptr - page_address(page)) % s->size;
70806 +       if (offset <= s->objsize && n <= s->objsize - offset)
70807 +               return;
70808 +
70809 +report:
70810 +       pax_report_usercopy(ptr, n, to, type);
70811 +#endif
70812 +
70813 +}
70814 +EXPORT_SYMBOL(check_object_size);
70815 +
70816  size_t ksize(const void *object)
70817  {
70818         struct page *page;
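Review bot: The bound checked at `offset <= s->objsize && n <= s->objsize - offset` is the cache object size, not the length the caller passed to kmalloc(), so a copy that overruns a kmalloc(100) buffer but stays inside its kmalloc-128 slot is not reported; that is inherent to the design but worth stating next to the test, e.g. `/* bound is the slot size, not the kmalloc() request: intra-slot overruns are not caught */`. The `% s->size` stride computation also presumes objects are packed from page_address(page) with no leading pad, which I believe holds for this SLUB version without a left red zone but should be noted as an assumption. As in the slab variant, pointers that fail virt_addr_valid() or land on non-slab, non-stack pages return silently, and a contract comment on the function should say so.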
70819 @@ -3502,7 +3547,7 @@ static void __init kmem_cache_bootstrap_
70820         int node;
70821  
70822         list_add(&s->list, &slab_caches);
70823 -       s->refcount = -1;
70824 +       atomic_set(&s->refcount, -1);
70825  
70826         for_each_node_state(node, N_NORMAL_MEMORY) {
70827                 struct kmem_cache_node *n = get_node(s, node);
70828 @@ -3619,17 +3664,17 @@ void __init kmem_cache_init(void)
70829  
70830         /* Caches that are not of the two-to-the-power-of size */
70831         if (KMALLOC_MIN_SIZE <= 32) {
70832 -               kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
70833 +               kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
70834                 caches++;
70835         }
70836  
70837         if (KMALLOC_MIN_SIZE <= 64) {
70838 -               kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
70839 +               kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
70840                 caches++;
70841         }
70842  
70843         for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
70844 -               kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
70845 +               kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
70846                 caches++;
70847         }
70848  
70849 @@ -3697,7 +3742,7 @@ static int slab_unmergeable(struct kmem_
70850         /*
70851          * We may have set a slab to be unmergeable during bootstrap.
70852          */
70853 -       if (s->refcount < 0)
70854 +       if (atomic_read(&s->refcount) < 0)
70855                 return 1;
70856  
70857         return 0;
70858 @@ -3756,7 +3801,7 @@ struct kmem_cache *kmem_cache_create(con
70859         down_write(&slub_lock);
70860         s = find_mergeable(size, align, flags, name, ctor);
70861         if (s) {
70862 -               s->refcount++;
70863 +               atomic_inc(&s->refcount);
70864                 /*
70865                  * Adjust the object sizes so that we clear
70866                  * the complete object on kzalloc.
70867 @@ -3765,7 +3810,7 @@ struct kmem_cache *kmem_cache_create(con
70868                 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
70869  
70870                 if (sysfs_slab_alias(s, name)) {
70871 -                       s->refcount--;
70872 +                       atomic_dec(&s->refcount);
70873                         goto err;
70874                 }
70875                 up_write(&slub_lock);
70876 @@ -3893,7 +3938,7 @@ void *__kmalloc_node_track_caller(size_t
70877  }
70878  #endif
70879  
70880 -#ifdef CONFIG_SYSFS
70881 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70882  static int count_inuse(struct page *page)
70883  {
70884         return page->inuse;
70885 @@ -4280,12 +4325,12 @@ static void resiliency_test(void)
70886         validate_slab_cache(kmalloc_caches[9]);
70887  }
70888  #else
70889 -#ifdef CONFIG_SYSFS
70890 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70891  static void resiliency_test(void) {};
70892  #endif
70893  #endif
70894  
70895 -#ifdef CONFIG_SYSFS
70896 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70897  enum slab_stat_type {
70898         SL_ALL,                 /* All slabs */
70899         SL_PARTIAL,             /* Only partially allocated slabs */
70900 @@ -4495,7 +4540,7 @@ SLAB_ATTR_RO(ctor);
70901  
70902  static ssize_t aliases_show(struct kmem_cache *s, char *buf)
70903  {
70904 -       return sprintf(buf, "%d\n", s->refcount - 1);
70905 +       return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
70906  }
70907  SLAB_ATTR_RO(aliases);
70908  
70909 @@ -5025,6 +5070,7 @@ static char *create_unique_id(struct kme
70910         return name;
70911  }
70912  
70913 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70914  static int sysfs_slab_add(struct kmem_cache *s)
70915  {
70916         int err;
70917 @@ -5087,6 +5133,7 @@ static void sysfs_slab_remove(struct kme
70918         kobject_del(&s->kobj);
70919         kobject_put(&s->kobj);
70920  }
70921 +#endif
70922  
70923  /*
70924   * Need to buffer aliases during bootup until sysfs becomes
70925 @@ -5100,6 +5147,7 @@ struct saved_alias {
70926  
70927  static struct saved_alias *alias_list;
70928  
70929 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70930  static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
70931  {
70932         struct saved_alias *al;
70933 @@ -5122,6 +5170,7 @@ static int sysfs_slab_alias(struct kmem_
70934         alias_list = al;
70935         return 0;
70936  }
70937 +#endif
70938  
70939  static int __init slab_sysfs_init(void)
70940  {
70941 @@ -5257,7 +5306,13 @@ static const struct file_operations proc
70942  
70943  static int __init slab_proc_init(void)
70944  {
70945 -       proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
70946 +       mode_t gr_mode = S_IRUGO;
70947 +
70948 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70949 +       gr_mode = S_IRUSR;
70950 +#endif
70951 +
70952 +       proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
70953         return 0;
70954  }
70955  module_init(slab_proc_init);
70956 diff -urNp linux-3.1.1/mm/swap.c linux-3.1.1/mm/swap.c
70957 --- linux-3.1.1/mm/swap.c       2011-11-11 15:19:27.000000000 -0500
70958 +++ linux-3.1.1/mm/swap.c       2011-11-16 18:39:08.000000000 -0500
70959 @@ -31,6 +31,7 @@
70960  #include <linux/backing-dev.h>
70961  #include <linux/memcontrol.h>
70962  #include <linux/gfp.h>
70963 +#include <linux/hugetlb.h>
70964  
70965  #include "internal.h"
70966  
70967 @@ -71,6 +72,8 @@ static void __put_compound_page(struct p
70968  
70969         __page_cache_release(page);
70970         dtor = get_compound_page_dtor(page);
70971 +       if (!PageHuge(page))
70972 +               BUG_ON(dtor != free_compound_page);
70973         (*dtor)(page);
70974  }
70975  
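Review bot: The new `BUG_ON(dtor != free_compound_page)` has no comment explaining why a destructor other than the known one is treated as fatal, and __put_compound_page's opening lines are outside the hunk. The check turns a corrupted or overwritten destructor pointer into an oops instead of an indirect call through it, which is the hardening intent; say so, e.g. `/* refuse to call through an unexpected compound-page destructor */`. The `PageHuge()` exemption depends on the `<linux/hugetlb.h>` include added in the previous hunk; when CONFIG_HUGETLB_PAGE is off, PageHuge presumably reduces to a constant-false stub, so every compound page is then checked — worth confirming that matches the intent.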
70976 diff -urNp linux-3.1.1/mm/swapfile.c linux-3.1.1/mm/swapfile.c
70977 --- linux-3.1.1/mm/swapfile.c   2011-11-11 15:19:27.000000000 -0500
70978 +++ linux-3.1.1/mm/swapfile.c   2011-11-16 18:39:08.000000000 -0500
70979 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(swapon_mutex);
70980  
70981  static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
70982  /* Activity counter to indicate that a swapon or swapoff has occurred */
70983 -static atomic_t proc_poll_event = ATOMIC_INIT(0);
70984 +static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
70985  
70986  static inline unsigned char swap_count(unsigned char ent)
70987  {
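Review bot: Switching `proc_poll_event` to `atomic_unchecked_t` deliberately exempts this counter from PAX_REFCOUNT overflow detection, but nothing at the declaration says why; the existing comment only calls it an activity counter. Extend it, e.g. `/* Activity counter ...; a pure event counter, so wraparound is harmless and it is intentionally unchecked */`. The four follow-on hunks in this file (swapoff, swaps_poll, swaps_open, swapon) are the matching accessor changes and need no separate note; the same reasoning applies to the stats and sequence counters converted in net/atm, net/batman-adv and net/caif further down.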
70988 @@ -1671,7 +1671,7 @@ SYSCALL_DEFINE1(swapoff, const char __us
70989         }
70990         filp_close(swap_file, NULL);
70991         err = 0;
70992 -       atomic_inc(&proc_poll_event);
70993 +       atomic_inc_unchecked(&proc_poll_event);
70994         wake_up_interruptible(&proc_poll_wait);
70995  
70996  out_dput:
70997 @@ -1687,8 +1687,8 @@ static unsigned swaps_poll(struct file *
70998  
70999         poll_wait(file, &proc_poll_wait, wait);
71000  
71001 -       if (seq->poll_event != atomic_read(&proc_poll_event)) {
71002 -               seq->poll_event = atomic_read(&proc_poll_event);
71003 +       if (seq->poll_event != atomic_read_unchecked(&proc_poll_event)) {
71004 +               seq->poll_event = atomic_read_unchecked(&proc_poll_event);
71005                 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
71006         }
71007  
71008 @@ -1786,7 +1786,7 @@ static int swaps_open(struct inode *inod
71009                 return ret;
71010  
71011         seq = file->private_data;
71012 -       seq->poll_event = atomic_read(&proc_poll_event);
71013 +       seq->poll_event = atomic_read_unchecked(&proc_poll_event);
71014         return 0;
71015  }
71016  
71017 @@ -2124,7 +2124,7 @@ SYSCALL_DEFINE2(swapon, const char __use
71018                 (p->flags & SWP_DISCARDABLE) ? "D" : "");
71019  
71020         mutex_unlock(&swapon_mutex);
71021 -       atomic_inc(&proc_poll_event);
71022 +       atomic_inc_unchecked(&proc_poll_event);
71023         wake_up_interruptible(&proc_poll_wait);
71024  
71025         if (S_ISREG(inode->i_mode))
71026 diff -urNp linux-3.1.1/mm/util.c linux-3.1.1/mm/util.c
71027 --- linux-3.1.1/mm/util.c       2011-11-11 15:19:27.000000000 -0500
71028 +++ linux-3.1.1/mm/util.c       2011-11-16 18:39:08.000000000 -0500
71029 @@ -114,6 +114,7 @@ EXPORT_SYMBOL(memdup_user);
71030   * allocated buffer. Use this if you don't want to free the buffer immediately
71031   * like, for example, with RCU.
71032   */
71033 +#undef __krealloc
71034  void *__krealloc(const void *p, size_t new_size, gfp_t flags)
71035  {
71036         void *ret;
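Review bot: `#undef __krealloc` immediately before the definition (and `#undef krealloc` in the next hunk) implies a header has wrapped these names in macros, but the hunk gives no hint which header or why the real implementation must escape the wrapper. Add a comment at the first `#undef`, e.g. `/* the header wraps this name in a macro; the real definition must not be rewritten by it */`, naming the header, since from here it is not possible to tell which wrapper is being bypassed. The same undocumented pattern is repeated for every vmalloc-family function in mm/vmalloc.c below and deserves one explanatory comment there too.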
71037 @@ -147,6 +148,7 @@ EXPORT_SYMBOL(__krealloc);
71038   * behaves exactly like kmalloc().  If @size is 0 and @p is not a
71039   * %NULL pointer, the object pointed to is freed.
71040   */
71041 +#undef krealloc
71042  void *krealloc(const void *p, size_t new_size, gfp_t flags)
71043  {
71044         void *ret;
71045 @@ -243,6 +245,12 @@ void __vma_link_list(struct mm_struct *m
71046  void arch_pick_mmap_layout(struct mm_struct *mm)
71047  {
71048         mm->mmap_base = TASK_UNMAPPED_BASE;
71049 +
71050 +#ifdef CONFIG_PAX_RANDMMAP
71051 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
71052 +               mm->mmap_base += mm->delta_mmap;
71053 +#endif
71054 +
71055         mm->get_unmapped_area = arch_get_unmapped_area;
71056         mm->unmap_area = arch_unmap_area;
71057  }
71058 diff -urNp linux-3.1.1/mm/vmalloc.c linux-3.1.1/mm/vmalloc.c
71059 --- linux-3.1.1/mm/vmalloc.c    2011-11-11 15:19:27.000000000 -0500
71060 +++ linux-3.1.1/mm/vmalloc.c    2011-11-16 18:40:44.000000000 -0500
71061 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
71062  
71063         pte = pte_offset_kernel(pmd, addr);
71064         do {
71065 -               pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
71066 -               WARN_ON(!pte_none(ptent) && !pte_present(ptent));
71067 +
71068 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
71069 +               if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
71070 +                       BUG_ON(!pte_exec(*pte));
71071 +                       set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
71072 +                       continue;
71073 +               }
71074 +#endif
71075 +
71076 +               {
71077 +                       pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
71078 +                       WARN_ON(!pte_none(ptent) && !pte_present(ptent));
71079 +               }
71080         } while (pte++, addr += PAGE_SIZE, addr != end);
71081  }
71082  
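Review bot: The `continue` in the new KERNEXEC branch is correct only because this is a do/while whose increment (`pte++, addr += PAGE_SIZE`) lives in the loop condition, and the extra `{ }` around `ptent` exists only so the declaration can follow the `#if` block; neither is obvious and both are the kind of thing a later cleanup breaks. Add `/* continue: the do/while condition advances pte and addr */` on the continue, and a short note on why the braces are there. The function's head is outside the hunk, so the types of `addr` and `end` are not visible; the casts on the MODULES_EXEC_* bounds suggest they are unsigned long.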
71083 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
71084                 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
71085  {
71086         pte_t *pte;
71087 +       int ret = -ENOMEM;
71088  
71089         /*
71090          * nr is a running index into the array which helps higher level
71091 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
71092         pte = pte_alloc_kernel(pmd, addr);
71093         if (!pte)
71094                 return -ENOMEM;
71095 +
71096 +       pax_open_kernel();
71097         do {
71098                 struct page *page = pages[*nr];
71099  
71100 -               if (WARN_ON(!pte_none(*pte)))
71101 -                       return -EBUSY;
71102 -               if (WARN_ON(!page))
71103 -                       return -ENOMEM;
71104 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
71105 +               if (pgprot_val(prot) & _PAGE_NX)
71106 +#endif
71107 +
71108 +               if (WARN_ON(!pte_none(*pte))) {
71109 +                       ret = -EBUSY;
71110 +                       goto out;
71111 +               }
71112 +               if (WARN_ON(!page)) {
71113 +                       ret = -ENOMEM;
71114 +                       goto out;
71115 +               }
71116                 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
71117                 (*nr)++;
71118         } while (pte++, addr += PAGE_SIZE, addr != end);
71119 -       return 0;
71120 +       ret = 0;
71121 +out:
71122 +       pax_close_kernel();
71123 +       return ret;
71124  }
71125  
71126  static int vmap_pmd_range(pud_t *pud, unsigned long addr,
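Review bot: The `if (pgprot_val(prot) & _PAGE_NX)` inside the `#if` has no body of its own — after preprocessing, the `if (WARN_ON(!pte_none(*pte))) {...}` that follows the blank line becomes its body, which is a goto-fail-style shape: any statement inserted between them silently changes what is guarded. Wrap the guarded statement in its own `{ ... }` after the `#endif` and explain the exemption above the `#if`, e.g. `/* exec mappings in the module area replace an existing PTE on purpose, so the populated-PTE check applies only to NX mappings */`. The `goto out` paths correctly reach `pax_close_kernel()`; the `int ret = -ENOMEM` initialiser from the preceding hunk is never read, since every path assigns `ret` before `out:`, so `int ret;` would do.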
71127 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
71128          * and fall back on vmalloc() if that fails. Others
71129          * just put it in the vmalloc space.
71130          */
71131 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
71132 +#ifdef CONFIG_MODULES
71133 +#ifdef MODULES_VADDR
71134         unsigned long addr = (unsigned long)x;
71135         if (addr >= MODULES_VADDR && addr < MODULES_END)
71136                 return 1;
71137  #endif
71138 +
71139 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
71140 +       if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
71141 +               return 1;
71142 +#endif
71143 +
71144 +#endif
71145 +
71146         return is_vmalloc_addr(x);
71147  }
71148  
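Review bot: The new KERNEXEC test compares `x` as a `const void *` against cast MODULES_EXEC_* bounds, while the line just above compares the same address as `unsigned long addr`; relational comparison of pointers into distinct objects is undefined in C, and vunmap_pte_range in this same patch already uses the integer form. Use `if ((unsigned long)x >= (unsigned long)MODULES_EXEC_VADDR && (unsigned long)x < (unsigned long)MODULES_EXEC_END)`, or hoist `addr` out of the `#ifdef MODULES_VADDR` block so both tests share it. The nested `#ifdef CONFIG_MODULES` / `#ifdef MODULES_VADDR` also leaves two untagged `#endif`s; label them.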
71149 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void 
71150  
71151         if (!pgd_none(*pgd)) {
71152                 pud_t *pud = pud_offset(pgd, addr);
71153 +#ifdef CONFIG_X86
71154 +               if (!pud_large(*pud))
71155 +#endif
71156                 if (!pud_none(*pud)) {
71157                         pmd_t *pmd = pmd_offset(pud, addr);
71158 +#ifdef CONFIG_X86
71159 +                       if (!pmd_large(*pmd))
71160 +#endif
71161                         if (!pmd_none(*pmd)) {
71162                                 pte_t *ptep, pte;
71163  
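Review bot: The `if (!pud_large(*pud))` and `if (!pmd_large(*pmd))` lines are each followed, across an `#endif`, by the `if` they are meant to govern, so the control structure is only visible after preprocessing and a statement inserted between them would silently become the guarded body. Add the intent as a comment and braces where practical, e.g. `/* a large-page entry is not a table pointer; treat the address as unmapped here */`. Returning NULL for an address covered by a large mapping is a behaviour change for callers (previously the entry would have been misread as a table); if that is the intended contract, the kernel-doc of vmalloc_to_page should say so. The enclosing function starts and ends outside the hunk.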
71164 @@ -1294,6 +1334,16 @@ static struct vm_struct *__get_vm_area_n
71165         struct vm_struct *area;
71166  
71167         BUG_ON(in_interrupt());
71168 +
71169 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
71170 +       if (flags & VM_KERNEXEC) {
71171 +               if (start != VMALLOC_START || end != VMALLOC_END)
71172 +                       return NULL;
71173 +               start = (unsigned long)MODULES_EXEC_VADDR;
71174 +               end = (unsigned long)MODULES_EXEC_END;
71175 +       }
71176 +#endif
71177 +
71178         if (flags & VM_IOREMAP) {
71179                 int bit = fls(size);
71180  
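Review bot: A VM_KERNEXEC request with any range other than the full VMALLOC window is rejected by a silent `return NULL`, which callers will misreport as an out-of-memory condition. Make the misuse visible: `if (WARN_ON_ONCE(start != VMALLOC_START || end != VMALLOC_END)) return NULL;`, and note above it that the flag redirects the allocation into MODULES_EXEC_VADDR..MODULES_EXEC_END. The function's parameters and the rest of its body are outside the hunk.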
71181 @@ -1526,6 +1576,11 @@ void *vmap(struct page **pages, unsigned
71182         if (count > totalram_pages)
71183                 return NULL;
71184  
71185 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
71186 +       if (!(pgprot_val(prot) & _PAGE_NX))
71187 +               flags |= VM_KERNEXEC;
71188 +#endif
71189 +
71190         area = get_vm_area_caller((count << PAGE_SHIFT), flags,
71191                                         __builtin_return_address(0));
71192         if (!area)
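Review bot: `!(pgprot_val(prot) & _PAGE_NX)` is used to mean "executable mapping", here and again in __vmalloc_node_range in the next hunk, but that holds only where _PAGE_NX is a real page-table bit. If a non-PAE 32-bit build defines it as 0 (mainline's pgtable_types.h does for !PAE), the condition is true for every caller and all vmap()/vmalloc() traffic would be steered into the module exec area — confirm the KERNEXEC Kconfig excludes that configuration, or compare against the exec pgprot explicitly. Either way, a comment naming the assumption belongs next to the test, e.g. `/* no NX bit requested: this mapping will be executable, place it in the KERNEXEC module window */`.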
71193 @@ -1627,6 +1682,13 @@ void *__vmalloc_node_range(unsigned long
71194         if (!size || (size >> PAGE_SHIFT) > totalram_pages)
71195                 return NULL;
71196  
71197 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
71198 +       if (!(pgprot_val(prot) & _PAGE_NX))
71199 +               area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST | VM_KERNEXEC,
71200 +                                         VMALLOC_START, VMALLOC_END, node, gfp_mask, caller);
71201 +       else
71202 +#endif
71203 +
71204         area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST,
71205                                   start, end, node, gfp_mask, caller);
71206  
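Review bot: The exec branch drops the caller's `start`/`end` and substitutes VMALLOC_START/VMALLOC_END, so a caller that asked for a restricted range together with an executable prot silently gets a different window; that is forced by the range check added to __get_vm_area_node, but nothing here says so. Also, the `else` immediately before `#endif` only acquires its body (the unconditional `area = __get_vm_area_node(...)`) after preprocessing; a comment such as `/* non-exec, or KERNEXEC not configured: honour the caller's range */` above the second call, or braces around it, would make the shape visible. The function's head is outside the hunk.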
71207 @@ -1672,6 +1734,7 @@ static void *__vmalloc_node(unsigned lon
71208                                 gfp_mask, prot, node, caller);
71209  }
71210  
71211 +#undef __vmalloc
71212  void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
71213  {
71214         return __vmalloc_node(size, 1, gfp_mask, prot, -1,
71215 @@ -1695,6 +1758,7 @@ static inline void *__vmalloc_node_flags
71216   *     For tight control over page level allocator and protection flags
71217   *     use __vmalloc() instead.
71218   */
71219 +#undef vmalloc
71220  void *vmalloc(unsigned long size)
71221  {
71222         return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
71223 @@ -1711,6 +1775,7 @@ EXPORT_SYMBOL(vmalloc);
71224   *     For tight control over page level allocator and protection flags
71225   *     use __vmalloc() instead.
71226   */
71227 +#undef vzalloc
71228  void *vzalloc(unsigned long size)
71229  {
71230         return __vmalloc_node_flags(size, -1,
71231 @@ -1725,6 +1790,7 @@ EXPORT_SYMBOL(vzalloc);
71232   * The resulting memory area is zeroed so it can be mapped to userspace
71233   * without leaking data.
71234   */
71235 +#undef vmalloc_user
71236  void *vmalloc_user(unsigned long size)
71237  {
71238         struct vm_struct *area;
71239 @@ -1752,6 +1818,7 @@ EXPORT_SYMBOL(vmalloc_user);
71240   *     For tight control over page level allocator and protection flags
71241   *     use __vmalloc() instead.
71242   */
71243 +#undef vmalloc_node
71244  void *vmalloc_node(unsigned long size, int node)
71245  {
71246         return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
71247 @@ -1771,6 +1838,7 @@ EXPORT_SYMBOL(vmalloc_node);
71248   * For tight control over page level allocator and protection flags
71249   * use __vmalloc_node() instead.
71250   */
71251 +#undef vzalloc_node
71252  void *vzalloc_node(unsigned long size, int node)
71253  {
71254         return __vmalloc_node_flags(size, node,
71255 @@ -1793,10 +1861,10 @@ EXPORT_SYMBOL(vzalloc_node);
71256   *     For tight control over page level allocator and protection flags
71257   *     use __vmalloc() instead.
71258   */
71259 -
71260 +#undef vmalloc_exec
71261  void *vmalloc_exec(unsigned long size)
71262  {
71263 -       return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
71264 +       return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
71265                               -1, __builtin_return_address(0));
71266  }
71267  
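Review bot: Adding `__GFP_ZERO` to vmalloc_exec() is a meaningful hardening change tucked inside a `#undef` housekeeping hunk, and the kernel-doc above (partly visible, partly outside the hunk) still describes only the allocation. Record the intent in the doc block, e.g. ` *     The pages are zeroed so that no stale data is present in a mapping that will become executable.` The extra clearing cost for every caller is worth the same one-line mention.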
71268 @@ -1815,6 +1883,7 @@ void *vmalloc_exec(unsigned long size)
71269   *     Allocate enough 32bit PA addressable pages to cover @size from the
71270   *     page level allocator and map them into contiguous kernel virtual space.
71271   */
71272 +#undef vmalloc_32
71273  void *vmalloc_32(unsigned long size)
71274  {
71275         return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
71276 @@ -1829,6 +1898,7 @@ EXPORT_SYMBOL(vmalloc_32);
71277   * The resulting memory area is 32bit addressable and zeroed so it can be
71278   * mapped to userspace without leaking data.
71279   */
71280 +#undef vmalloc_32_user
71281  void *vmalloc_32_user(unsigned long size)
71282  {
71283         struct vm_struct *area;
71284 @@ -2091,6 +2161,8 @@ int remap_vmalloc_range(struct vm_area_s
71285         unsigned long uaddr = vma->vm_start;
71286         unsigned long usize = vma->vm_end - vma->vm_start;
71287  
71288 +       BUG_ON(vma->vm_mirror);
71289 +
71290         if ((PAGE_SIZE-1) & (unsigned long)addr)
71291                 return -EINVAL;
71292  
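Review bot: `BUG_ON(vma->vm_mirror)` sits in a path that driver mmap handlers call on behalf of userspace, so if a mirrored VMA can ever reach here through an ordinary mmap() the outcome is a kernel crash triggered from userland rather than a failed call. Unless vm_mirror being set at this point is provably impossible (the field and its setter are outside this excerpt), prefer `if (vma->vm_mirror) return -EINVAL;`, which is the same treatment the alignment check on the next line gets. The surrounding function starts before the hunk.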
71293 diff -urNp linux-3.1.1/mm/vmstat.c linux-3.1.1/mm/vmstat.c
71294 --- linux-3.1.1/mm/vmstat.c     2011-11-11 15:19:27.000000000 -0500
71295 +++ linux-3.1.1/mm/vmstat.c     2011-11-16 18:40:44.000000000 -0500
71296 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
71297   *
71298   * vm_stat contains the global counters
71299   */
71300 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
71301 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
71302  EXPORT_SYMBOL(vm_stat);
71303  
71304  #ifdef CONFIG_SMP
71305 @@ -454,7 +454,7 @@ void refresh_cpu_vm_stats(int cpu)
71306                                 v = p->vm_stat_diff[i];
71307                                 p->vm_stat_diff[i] = 0;
71308                                 local_irq_restore(flags);
71309 -                               atomic_long_add(v, &zone->vm_stat[i]);
71310 +                               atomic_long_add_unchecked(v, &zone->vm_stat[i]);
71311                                 global_diff[i] += v;
71312  #ifdef CONFIG_NUMA
71313                                 /* 3 seconds idle till flush */
71314 @@ -492,7 +492,7 @@ void refresh_cpu_vm_stats(int cpu)
71315  
71316         for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
71317                 if (global_diff[i])
71318 -                       atomic_long_add(global_diff[i], &vm_stat[i]);
71319 +                       atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
71320  }
71321  
71322  #endif
71323 @@ -1207,10 +1207,20 @@ static int __init setup_vmstat(void)
71324                 start_cpu_timer(cpu);
71325  #endif
71326  #ifdef CONFIG_PROC_FS
71327 -       proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
71328 -       proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
71329 -       proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
71330 -       proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
71331 +       {
71332 +               mode_t gr_mode = S_IRUGO;
71333 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71334 +               gr_mode = S_IRUSR;
71335 +#endif
71336 +               proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
71337 +               proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
71338 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
71339 +               proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
71340 +#else
71341 +               proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
71342 +#endif
71343 +               proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
71344 +       }
71345  #endif
71346         return 0;
71347  }
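Review bot: `gr_mode | S_IRGRP` for vmstat is a no-op when gr_mode is still S_IRUGO, so the CONFIG_GRKERNSEC_PROC_USERGROUP branch only has an effect together with CONFIG_GRKERNSEC_PROC_ADD; if USERGROUP depends on PROC_ADD in Kconfig that is fine, but nothing in setup_vmstat says so. A comment such as `/* vmstat stays readable by the proc group under PROC_USERGROUP; the other files are root-only */` would explain why vmstat alone is relaxed, and why slabinfo in slub.c gets no such exception. The `{ }` block exists only to declare `gr_mode` mid-function; one word on that would save the next reader a moment.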
71348 diff -urNp linux-3.1.1/net/8021q/vlan.c linux-3.1.1/net/8021q/vlan.c
71349 --- linux-3.1.1/net/8021q/vlan.c        2011-11-11 15:19:27.000000000 -0500
71350 +++ linux-3.1.1/net/8021q/vlan.c        2011-11-16 18:39:08.000000000 -0500
71351 @@ -588,8 +588,7 @@ static int vlan_ioctl_handler(struct net
71352                 err = -EPERM;
71353                 if (!capable(CAP_NET_ADMIN))
71354                         break;
71355 -               if ((args.u.name_type >= 0) &&
71356 -                   (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
71357 +               if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
71358                         struct vlan_net *vn;
71359  
71360                         vn = net_generic(net, vlan_net_id);
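Review bot: Dropping `args.u.name_type >= 0` is only equivalent if `name_type` is an unsigned type, and its declaration is not in the hunk. If it were a signed int, a negative value supplied through the ioctl would now pass the `< VLAN_NAME_TYPE_HIGHEST` test, and whatever indexes on name_type afterwards would read out of bounds. It is presumably unsigned (the old test would otherwise have been meaningful), but make that explicit in place: `if ((unsigned int)args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {`.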
71361 diff -urNp linux-3.1.1/net/9p/trans_fd.c linux-3.1.1/net/9p/trans_fd.c
71362 --- linux-3.1.1/net/9p/trans_fd.c       2011-11-11 15:19:27.000000000 -0500
71363 +++ linux-3.1.1/net/9p/trans_fd.c       2011-11-16 18:39:08.000000000 -0500
71364 @@ -423,7 +423,7 @@ static int p9_fd_write(struct p9_client 
71365         oldfs = get_fs();
71366         set_fs(get_ds());
71367         /* The cast to a user pointer is valid due to the set_fs() */
71368 -       ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
71369 +       ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
71370         set_fs(oldfs);
71371  
71372         if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
71373 diff -urNp linux-3.1.1/net/9p/trans_virtio.c linux-3.1.1/net/9p/trans_virtio.c
71374 --- linux-3.1.1/net/9p/trans_virtio.c   2011-11-11 15:19:27.000000000 -0500
71375 +++ linux-3.1.1/net/9p/trans_virtio.c   2011-11-16 18:39:08.000000000 -0500
71376 @@ -327,7 +327,7 @@ req_retry_pinned:
71377                 } else {
71378                         char *pbuf;
71379                         if (req->tc->pubuf)
71380 -                               pbuf = (__force char *) req->tc->pubuf;
71381 +                               pbuf = (char __force_kernel *) req->tc->pubuf;
71382                         else
71383                                 pbuf = req->tc->pkbuf;
71384                         outp = pack_sg_list(chan->sg, out, VIRTQUEUE_NUM, pbuf,
71385 @@ -357,7 +357,7 @@ req_retry_pinned:
71386                 } else {
71387                         char *pbuf;
71388                         if (req->tc->pubuf)
71389 -                               pbuf = (__force char *) req->tc->pubuf;
71390 +                               pbuf = (char __force_kernel *) req->tc->pubuf;
71391                         else
71392                                 pbuf = req->tc->pkbuf;
71393  
71394 diff -urNp linux-3.1.1/net/atm/atm_misc.c linux-3.1.1/net/atm/atm_misc.c
71395 --- linux-3.1.1/net/atm/atm_misc.c      2011-11-11 15:19:27.000000000 -0500
71396 +++ linux-3.1.1/net/atm/atm_misc.c      2011-11-16 18:39:08.000000000 -0500
71397 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int 
71398         if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
71399                 return 1;
71400         atm_return(vcc, truesize);
71401 -       atomic_inc(&vcc->stats->rx_drop);
71402 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
71403         return 0;
71404  }
71405  EXPORT_SYMBOL(atm_charge);
71406 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct 
71407                 }
71408         }
71409         atm_return(vcc, guess);
71410 -       atomic_inc(&vcc->stats->rx_drop);
71411 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
71412         return NULL;
71413  }
71414  EXPORT_SYMBOL(atm_alloc_charge);
71415 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
71416  
71417  void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
71418  {
71419 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
71420 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
71421         __SONET_ITEMS
71422  #undef __HANDLE_ITEM
71423  }
71424 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
71425  
71426  void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
71427  {
71428 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
71429 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
71430         __SONET_ITEMS
71431  #undef __HANDLE_ITEM
71432  }
71433 diff -urNp linux-3.1.1/net/atm/lec.h linux-3.1.1/net/atm/lec.h
71434 --- linux-3.1.1/net/atm/lec.h   2011-11-11 15:19:27.000000000 -0500
71435 +++ linux-3.1.1/net/atm/lec.h   2011-11-16 18:39:08.000000000 -0500
71436 @@ -48,7 +48,7 @@ struct lane2_ops {
71437                               const u8 *tlvs, u32 sizeoftlvs);
71438         void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
71439                                      const u8 *tlvs, u32 sizeoftlvs);
71440 -};
71441 +} __no_const;
71442  
71443  /*
71444   * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
71445 diff -urNp linux-3.1.1/net/atm/mpc.h linux-3.1.1/net/atm/mpc.h
71446 --- linux-3.1.1/net/atm/mpc.h   2011-11-11 15:19:27.000000000 -0500
71447 +++ linux-3.1.1/net/atm/mpc.h   2011-11-16 18:39:08.000000000 -0500
71448 @@ -33,7 +33,7 @@ struct mpoa_client {
71449         struct mpc_parameters parameters;  /* parameters for this client    */
71450  
71451         const struct net_device_ops *old_ops;
71452 -       struct net_device_ops new_ops;
71453 +       net_device_ops_no_const new_ops;
71454  };
71455  
71456  
71457 diff -urNp linux-3.1.1/net/atm/mpoa_caches.c linux-3.1.1/net/atm/mpoa_caches.c
71458 --- linux-3.1.1/net/atm/mpoa_caches.c   2011-11-11 15:19:27.000000000 -0500
71459 +++ linux-3.1.1/net/atm/mpoa_caches.c   2011-11-16 18:40:44.000000000 -0500
71460 @@ -255,6 +255,8 @@ static void check_resolving_entries(stru
71461         struct timeval now;
71462         struct k_message msg;
71463  
71464 +       pax_track_stack();
71465 +
71466         do_gettimeofday(&now);
71467  
71468         read_lock_bh(&client->ingress_lock);
71469 diff -urNp linux-3.1.1/net/atm/proc.c linux-3.1.1/net/atm/proc.c
71470 --- linux-3.1.1/net/atm/proc.c  2011-11-11 15:19:27.000000000 -0500
71471 +++ linux-3.1.1/net/atm/proc.c  2011-11-16 18:39:08.000000000 -0500
71472 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
71473    const struct k_atm_aal_stats *stats)
71474  {
71475         seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
71476 -                  atomic_read(&stats->tx), atomic_read(&stats->tx_err),
71477 -                  atomic_read(&stats->rx), atomic_read(&stats->rx_err),
71478 -                  atomic_read(&stats->rx_drop));
71479 +                  atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
71480 +                  atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
71481 +                  atomic_read_unchecked(&stats->rx_drop));
71482  }
71483  
71484  static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
71485 diff -urNp linux-3.1.1/net/atm/resources.c linux-3.1.1/net/atm/resources.c
71486 --- linux-3.1.1/net/atm/resources.c     2011-11-11 15:19:27.000000000 -0500
71487 +++ linux-3.1.1/net/atm/resources.c     2011-11-16 18:39:08.000000000 -0500
71488 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
71489  static void copy_aal_stats(struct k_atm_aal_stats *from,
71490      struct atm_aal_stats *to)
71491  {
71492 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
71493 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
71494         __AAL_STAT_ITEMS
71495  #undef __HANDLE_ITEM
71496  }
71497 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
71498  static void subtract_aal_stats(struct k_atm_aal_stats *from,
71499      struct atm_aal_stats *to)
71500  {
71501 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
71502 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
71503         __AAL_STAT_ITEMS
71504  #undef __HANDLE_ITEM
71505  }
71506 diff -urNp linux-3.1.1/net/batman-adv/hard-interface.c linux-3.1.1/net/batman-adv/hard-interface.c
71507 --- linux-3.1.1/net/batman-adv/hard-interface.c 2011-11-11 15:19:27.000000000 -0500
71508 +++ linux-3.1.1/net/batman-adv/hard-interface.c 2011-11-16 18:39:08.000000000 -0500
71509 @@ -347,8 +347,8 @@ int hardif_enable_interface(struct hard_
71510         hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
71511         dev_add_pack(&hard_iface->batman_adv_ptype);
71512  
71513 -       atomic_set(&hard_iface->seqno, 1);
71514 -       atomic_set(&hard_iface->frag_seqno, 1);
71515 +       atomic_set_unchecked(&hard_iface->seqno, 1);
71516 +       atomic_set_unchecked(&hard_iface->frag_seqno, 1);
71517         bat_info(hard_iface->soft_iface, "Adding interface: %s\n",
71518                  hard_iface->net_dev->name);
71519  
71520 diff -urNp linux-3.1.1/net/batman-adv/routing.c linux-3.1.1/net/batman-adv/routing.c
71521 --- linux-3.1.1/net/batman-adv/routing.c        2011-11-11 15:19:27.000000000 -0500
71522 +++ linux-3.1.1/net/batman-adv/routing.c        2011-11-16 18:39:08.000000000 -0500
71523 @@ -656,7 +656,7 @@ void receive_bat_packet(const struct eth
71524                 return;
71525  
71526         /* could be changed by schedule_own_packet() */
71527 -       if_incoming_seqno = atomic_read(&if_incoming->seqno);
71528 +       if_incoming_seqno = atomic_read_unchecked(&if_incoming->seqno);
71529  
71530         has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
71531  
71532 diff -urNp linux-3.1.1/net/batman-adv/send.c linux-3.1.1/net/batman-adv/send.c
71533 --- linux-3.1.1/net/batman-adv/send.c   2011-11-11 15:19:27.000000000 -0500
71534 +++ linux-3.1.1/net/batman-adv/send.c   2011-11-16 18:39:08.000000000 -0500
71535 @@ -326,7 +326,7 @@ void schedule_own_packet(struct hard_ifa
71536  
71537         /* change sequence number to network order */
71538         batman_packet->seqno =
71539 -               htonl((uint32_t)atomic_read(&hard_iface->seqno));
71540 +               htonl((uint32_t)atomic_read_unchecked(&hard_iface->seqno));
71541  
71542         batman_packet->ttvn = atomic_read(&bat_priv->ttvn);
71543         batman_packet->tt_crc = htons((uint16_t)atomic_read(&bat_priv->tt_crc));
71544 @@ -343,7 +343,7 @@ void schedule_own_packet(struct hard_ifa
71545         else
71546                 batman_packet->gw_flags = NO_FLAGS;
71547  
71548 -       atomic_inc(&hard_iface->seqno);
71549 +       atomic_inc_unchecked(&hard_iface->seqno);
71550  
71551         slide_own_bcast_window(hard_iface);
71552         send_time = own_send_time(bat_priv);
71553 diff -urNp linux-3.1.1/net/batman-adv/soft-interface.c linux-3.1.1/net/batman-adv/soft-interface.c
71554 --- linux-3.1.1/net/batman-adv/soft-interface.c 2011-11-11 15:19:27.000000000 -0500
71555 +++ linux-3.1.1/net/batman-adv/soft-interface.c 2011-11-16 18:39:08.000000000 -0500
71556 @@ -632,7 +632,7 @@ static int interface_tx(struct sk_buff *
71557  
71558                 /* set broadcast sequence number */
71559                 bcast_packet->seqno =
71560 -                       htonl(atomic_inc_return(&bat_priv->bcast_seqno));
71561 +                       htonl(atomic_inc_return_unchecked(&bat_priv->bcast_seqno));
71562  
71563                 add_bcast_packet_to_list(bat_priv, skb, 1);
71564  
71565 @@ -824,7 +824,7 @@ struct net_device *softif_create(const c
71566         atomic_set(&bat_priv->batman_queue_left, BATMAN_QUEUE_LEN);
71567  
71568         atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
71569 -       atomic_set(&bat_priv->bcast_seqno, 1);
71570 +       atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
71571         atomic_set(&bat_priv->ttvn, 0);
71572         atomic_set(&bat_priv->tt_local_changes, 0);
71573         atomic_set(&bat_priv->tt_ogm_append_cnt, 0);
71574 diff -urNp linux-3.1.1/net/batman-adv/types.h linux-3.1.1/net/batman-adv/types.h
71575 --- linux-3.1.1/net/batman-adv/types.h  2011-11-11 15:19:27.000000000 -0500
71576 +++ linux-3.1.1/net/batman-adv/types.h  2011-11-16 18:39:08.000000000 -0500
71577 @@ -38,8 +38,8 @@ struct hard_iface {
71578         int16_t if_num;
71579         char if_status;
71580         struct net_device *net_dev;
71581 -       atomic_t seqno;
71582 -       atomic_t frag_seqno;
71583 +       atomic_unchecked_t seqno;
71584 +       atomic_unchecked_t frag_seqno;
71585         unsigned char *packet_buff;
71586         int packet_len;
71587         struct kobject *hardif_obj;
71588 @@ -153,7 +153,7 @@ struct bat_priv {
71589         atomic_t orig_interval;         /* uint */
71590         atomic_t hop_penalty;           /* uint */
71591         atomic_t log_level;             /* uint */
71592 -       atomic_t bcast_seqno;
71593 +       atomic_unchecked_t bcast_seqno;
71594         atomic_t bcast_queue_left;
71595         atomic_t batman_queue_left;
71596         atomic_t ttvn; /* tranlation table version number */
71597 diff -urNp linux-3.1.1/net/batman-adv/unicast.c linux-3.1.1/net/batman-adv/unicast.c
71598 --- linux-3.1.1/net/batman-adv/unicast.c        2011-11-11 15:19:27.000000000 -0500
71599 +++ linux-3.1.1/net/batman-adv/unicast.c        2011-11-16 18:39:08.000000000 -0500
71600 @@ -264,7 +264,7 @@ int frag_send_skb(struct sk_buff *skb, s
71601         frag1->flags = UNI_FRAG_HEAD | large_tail;
71602         frag2->flags = large_tail;
71603  
71604 -       seqno = atomic_add_return(2, &hard_iface->frag_seqno);
71605 +       seqno = atomic_add_return_unchecked(2, &hard_iface->frag_seqno);
71606         frag1->seqno = htons(seqno - 1);
71607         frag2->seqno = htons(seqno);
71608  
71609 diff -urNp linux-3.1.1/net/bluetooth/hci_conn.c linux-3.1.1/net/bluetooth/hci_conn.c
71610 --- linux-3.1.1/net/bluetooth/hci_conn.c        2011-11-11 15:19:27.000000000 -0500
71611 +++ linux-3.1.1/net/bluetooth/hci_conn.c        2011-11-16 18:39:08.000000000 -0500
71612 @@ -218,7 +218,7 @@ void hci_le_start_enc(struct hci_conn *c
71613         cp.handle = cpu_to_le16(conn->handle);
71614         memcpy(cp.ltk, ltk, sizeof(cp.ltk));
71615         cp.ediv = ediv;
71616 -       memcpy(cp.rand, rand, sizeof(rand));
71617 +       memcpy(cp.rand, rand, sizeof(cp.rand));
71618  
71619         hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
71620  }
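Review bot: The fix is right but the reason is invisible: `rand` (and `ltk` in the next hunk) is an array parameter, so it decays to a pointer and `sizeof(rand)` was the pointer size, copying only 4 or 8 bytes of the value into the LE encryption command and leaving the rest of the field with whatever the earlier initialisation put there. Add `/* rand is a pointer parameter here; size the copy by the destination field */` on the memcpy so the next cleanup does not "simplify" it back. The function's head is outside the hunk, so the parameter declaration itself cannot be checked from here.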
71621 @@ -234,7 +234,7 @@ void hci_le_ltk_reply(struct hci_conn *c
71622         memset(&cp, 0, sizeof(cp));
71623  
71624         cp.handle = cpu_to_le16(conn->handle);
71625 -       memcpy(cp.ltk, ltk, sizeof(ltk));
71626 +       memcpy(cp.ltk, ltk, sizeof(cp.ltk));
71627  
71628         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
71629  }
71630 diff -urNp linux-3.1.1/net/bridge/br_multicast.c linux-3.1.1/net/bridge/br_multicast.c
71631 --- linux-3.1.1/net/bridge/br_multicast.c       2011-11-11 15:19:27.000000000 -0500
71632 +++ linux-3.1.1/net/bridge/br_multicast.c       2011-11-16 18:39:08.000000000 -0500
71633 @@ -1485,7 +1485,7 @@ static int br_multicast_ipv6_rcv(struct 
71634         nexthdr = ip6h->nexthdr;
71635         offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
71636  
71637 -       if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
71638 +       if (nexthdr != IPPROTO_ICMPV6)
71639                 return 0;
71640  
71641         /* Okay, we found ICMPv6 header */
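Review bot: Removing `offset < 0` is a no-op only if `offset` is unsigned (its declaration is outside the hunk), and in that case the negative failure return of ipv6_skip_exthdr was never being caught here in the first place. A defensive form keeps the error visible: `int off = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);` then `if (off < 0 || nexthdr != IPPROTO_ICMPV6) return 0;` and `offset = off;`. Whether a failed skip can leave nexthdr equal to IPPROTO_ICMPV6 depends on ipv6_skip_exthdr's contract, which is not visible from here; if it cannot, say so in a comment instead.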
71642 diff -urNp linux-3.1.1/net/bridge/netfilter/ebtables.c linux-3.1.1/net/bridge/netfilter/ebtables.c
71643 --- linux-3.1.1/net/bridge/netfilter/ebtables.c 2011-11-11 15:19:27.000000000 -0500
71644 +++ linux-3.1.1/net/bridge/netfilter/ebtables.c 2011-11-16 18:40:44.000000000 -0500
71645 @@ -1513,7 +1513,7 @@ static int do_ebt_get_ctl(struct sock *s
71646                         tmp.valid_hooks = t->table->valid_hooks;
71647                 }
71648                 mutex_unlock(&ebt_mutex);
71649 -               if (copy_to_user(user, &tmp, *len) != 0){
71650 +               if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
71651                         BUGPRINT("c2u Didn't work\n");
71652                         ret = -EFAULT;
71653                         break;
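Review bot: The new `*len > sizeof(tmp)` test on the `copy_to_user` line reports an oversized request as `-EFAULT` with the `c2u Didn't work` message, which misdescribes a caller-supplied length as a bad user address. If the bound is needed here (per-command length validation may already exist above the hunk, which I cannot see), treat it as an argument error in its own branch: `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }`. Testing it before `ebt_mutex` is taken would also avoid the table lookup for a request that can only fail.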
71654 @@ -1781,6 +1781,8 @@ static int compat_copy_everything_to_use
71655         int ret;
71656         void __user *pos;
71657  
71658 +       pax_track_stack();
71659 +
71660         memset(&tinfo, 0, sizeof(tinfo));
71661  
71662         if (cmd == EBT_SO_GET_ENTRIES) {
71663 diff -urNp linux-3.1.1/net/caif/caif_socket.c linux-3.1.1/net/caif/caif_socket.c
71664 --- linux-3.1.1/net/caif/caif_socket.c  2011-11-11 15:19:27.000000000 -0500
71665 +++ linux-3.1.1/net/caif/caif_socket.c  2011-11-16 18:39:08.000000000 -0500
71666 @@ -48,19 +48,20 @@ static struct dentry *debugfsdir;
71667  #ifdef CONFIG_DEBUG_FS
71668  struct debug_fs_counter {
71669         atomic_t caif_nr_socks;
71670 -       atomic_t caif_sock_create;
71671 -       atomic_t num_connect_req;
71672 -       atomic_t num_connect_resp;
71673 -       atomic_t num_connect_fail_resp;
71674 -       atomic_t num_disconnect;
71675 -       atomic_t num_remote_shutdown_ind;
71676 -       atomic_t num_tx_flow_off_ind;
71677 -       atomic_t num_tx_flow_on_ind;
71678 -       atomic_t num_rx_flow_off;
71679 -       atomic_t num_rx_flow_on;
71680 +       atomic_unchecked_t caif_sock_create;
71681 +       atomic_unchecked_t num_connect_req;
71682 +       atomic_unchecked_t num_connect_resp;
71683 +       atomic_unchecked_t num_connect_fail_resp;
71684 +       atomic_unchecked_t num_disconnect;
71685 +       atomic_unchecked_t num_remote_shutdown_ind;
71686 +       atomic_unchecked_t num_tx_flow_off_ind;
71687 +       atomic_unchecked_t num_tx_flow_on_ind;
71688 +       atomic_unchecked_t num_rx_flow_off;
71689 +       atomic_unchecked_t num_rx_flow_on;
71690  };
71691  static struct debug_fs_counter cnt;
71692  #define        dbfs_atomic_inc(v) atomic_inc_return(v)
71693 +#define        dbfs_atomic_inc_unchecked(v) atomic_inc_return_unchecked(v)
71694  #define        dbfs_atomic_dec(v) atomic_dec_return(v)
71695  #else
71696  #define        dbfs_atomic_inc(v) 0
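Review bot: `dbfs_atomic_inc_unchecked` is defined only inside the `#ifdef CONFIG_DEBUG_FS` branch; the `#else` branch, which this hunk ends in at `#define dbfs_atomic_inc(v) 0`, gets no matching stub and no other hunk for this file touches it. Unless the macro is defined somewhere I cannot see, the later call sites (`dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off)` and friends) will fail to build with CONFIG_DEBUG_FS=n, where `cnt` does not exist either. Add `#define dbfs_atomic_inc_unchecked(v) 0` beside the existing `dbfs_atomic_inc(v) 0` stub.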
71697 @@ -161,7 +162,7 @@ static int caif_queue_rcv_skb(struct soc
71698                                         atomic_read(&cf_sk->sk.sk_rmem_alloc),
71699                                         sk_rcvbuf_lowwater(cf_sk));
71700                 set_rx_flow_off(cf_sk);
71701 -               dbfs_atomic_inc(&cnt.num_rx_flow_off);
71702 +               dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
71703                 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
71704         }
71705  
71706 @@ -172,7 +173,7 @@ static int caif_queue_rcv_skb(struct soc
71707                 set_rx_flow_off(cf_sk);
71708                 if (net_ratelimit())
71709                         pr_debug("sending flow OFF due to rmem_schedule\n");
71710 -               dbfs_atomic_inc(&cnt.num_rx_flow_off);
71711 +               dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
71712                 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
71713         }
71714         skb->dev = NULL;
71715 @@ -233,14 +234,14 @@ static void caif_ctrl_cb(struct cflayer 
71716         switch (flow) {
71717         case CAIF_CTRLCMD_FLOW_ON_IND:
71718                 /* OK from modem to start sending again */
71719 -               dbfs_atomic_inc(&cnt.num_tx_flow_on_ind);
71720 +               dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_on_ind);
71721                 set_tx_flow_on(cf_sk);
71722                 cf_sk->sk.sk_state_change(&cf_sk->sk);
71723                 break;
71724  
71725         case CAIF_CTRLCMD_FLOW_OFF_IND:
71726                 /* Modem asks us to shut up */
71727 -               dbfs_atomic_inc(&cnt.num_tx_flow_off_ind);
71728 +               dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_off_ind);
71729                 set_tx_flow_off(cf_sk);
71730                 cf_sk->sk.sk_state_change(&cf_sk->sk);
71731                 break;
71732 @@ -249,7 +250,7 @@ static void caif_ctrl_cb(struct cflayer 
71733                 /* We're now connected */
71734                 caif_client_register_refcnt(&cf_sk->layer,
71735                                                 cfsk_hold, cfsk_put);
71736 -               dbfs_atomic_inc(&cnt.num_connect_resp);
71737 +               dbfs_atomic_inc_unchecked(&cnt.num_connect_resp);
71738                 cf_sk->sk.sk_state = CAIF_CONNECTED;
71739                 set_tx_flow_on(cf_sk);
71740                 cf_sk->sk.sk_state_change(&cf_sk->sk);
71741 @@ -263,7 +264,7 @@ static void caif_ctrl_cb(struct cflayer 
71742  
71743         case CAIF_CTRLCMD_INIT_FAIL_RSP:
71744                 /* Connect request failed */
71745 -               dbfs_atomic_inc(&cnt.num_connect_fail_resp);
71746 +               dbfs_atomic_inc_unchecked(&cnt.num_connect_fail_resp);
71747                 cf_sk->sk.sk_err = ECONNREFUSED;
71748                 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
71749                 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
71750 @@ -277,7 +278,7 @@ static void caif_ctrl_cb(struct cflayer 
71751  
71752         case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
71753                 /* Modem has closed this connection, or device is down. */
71754 -               dbfs_atomic_inc(&cnt.num_remote_shutdown_ind);
71755 +               dbfs_atomic_inc_unchecked(&cnt.num_remote_shutdown_ind);
71756                 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
71757                 cf_sk->sk.sk_err = ECONNRESET;
71758                 set_rx_flow_on(cf_sk);
71759 @@ -297,7 +298,7 @@ static void caif_check_flow_release(stru
71760                 return;
71761  
71762         if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
71763 -                       dbfs_atomic_inc(&cnt.num_rx_flow_on);
71764 +                       dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_on);
71765                         set_rx_flow_on(cf_sk);
71766                         caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
71767         }
71768 @@ -854,7 +855,7 @@ static int caif_connect(struct socket *s
71769         /*ifindex = id of the interface.*/
71770         cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
71771  
71772 -       dbfs_atomic_inc(&cnt.num_connect_req);
71773 +       dbfs_atomic_inc_unchecked(&cnt.num_connect_req);
71774         cf_sk->layer.receive = caif_sktrecv_cb;
71775  
71776         err = caif_connect_client(sock_net(sk), &cf_sk->conn_req,
71777 @@ -943,7 +944,7 @@ static int caif_release(struct socket *s
71778         spin_unlock_bh(&sk->sk_receive_queue.lock);
71779         sock->sk = NULL;
71780  
71781 -       dbfs_atomic_inc(&cnt.num_disconnect);
71782 +       dbfs_atomic_inc_unchecked(&cnt.num_disconnect);
71783  
71784         WARN_ON(IS_ERR(cf_sk->debugfs_socket_dir));
71785         if (cf_sk->debugfs_socket_dir != NULL)
71786 @@ -1122,7 +1123,7 @@ static int caif_create(struct net *net, 
71787         cf_sk->conn_req.protocol = protocol;
71788         /* Increase the number of sockets created. */
71789         dbfs_atomic_inc(&cnt.caif_nr_socks);
71790 -       num = dbfs_atomic_inc(&cnt.caif_sock_create);
71791 +       num = dbfs_atomic_inc_unchecked(&cnt.caif_sock_create);
71792  #ifdef CONFIG_DEBUG_FS
71793         if (!IS_ERR(debugfsdir)) {
71794  
71795 diff -urNp linux-3.1.1/net/caif/cfctrl.c linux-3.1.1/net/caif/cfctrl.c
71796 --- linux-3.1.1/net/caif/cfctrl.c       2011-11-11 15:19:27.000000000 -0500
71797 +++ linux-3.1.1/net/caif/cfctrl.c       2011-11-16 18:40:44.000000000 -0500
71798 @@ -9,6 +9,7 @@
71799  #include <linux/stddef.h>
71800  #include <linux/spinlock.h>
71801  #include <linux/slab.h>
71802 +#include <linux/sched.h>
71803  #include <net/caif/caif_layer.h>
71804  #include <net/caif/cfpkt.h>
71805  #include <net/caif/cfctrl.h>
71806 @@ -45,8 +46,8 @@ struct cflayer *cfctrl_create(void)
71807         dev_info.id = 0xff;
71808         memset(this, 0, sizeof(*this));
71809         cfsrvl_init(&this->serv, 0, &dev_info, false);
71810 -       atomic_set(&this->req_seq_no, 1);
71811 -       atomic_set(&this->rsp_seq_no, 1);
71812 +       atomic_set_unchecked(&this->req_seq_no, 1);
71813 +       atomic_set_unchecked(&this->rsp_seq_no, 1);
71814         this->serv.layer.receive = cfctrl_recv;
71815         sprintf(this->serv.layer.name, "ctrl");
71816         this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
71817 @@ -132,8 +133,8 @@ static void cfctrl_insert_req(struct cfc
71818                               struct cfctrl_request_info *req)
71819  {
71820         spin_lock_bh(&ctrl->info_list_lock);
71821 -       atomic_inc(&ctrl->req_seq_no);
71822 -       req->sequence_no = atomic_read(&ctrl->req_seq_no);
71823 +       atomic_inc_unchecked(&ctrl->req_seq_no);
71824 +       req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
71825         list_add_tail(&req->list, &ctrl->list);
71826         spin_unlock_bh(&ctrl->info_list_lock);
71827  }
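Review bot: The increment and the immediately following read of `req_seq_no` under `info_list_lock` can be a single call, `req->sequence_no = atomic_inc_return_unchecked(&ctrl->req_seq_no);`, which is shorter and makes it obvious the stored value is the one just produced; the same helper is already used by caif_socket.c in this patch. Moving this counter to the unchecked type is reasonable for a wrapping sequence number, but a one-line comment stating that wrap-around is intended would stop someone from "fixing" it back to the overflow-checked variant.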
71828 @@ -151,7 +152,7 @@ static struct cfctrl_request_info *cfctr
71829                         if (p != first)
71830                                 pr_warn("Requests are not received in order\n");
71831  
71832 -                       atomic_set(&ctrl->rsp_seq_no,
71833 +                       atomic_set_unchecked(&ctrl->rsp_seq_no,
71834                                          p->sequence_no);
71835                         list_del(&p->list);
71836                         goto out;
71837 @@ -364,6 +365,7 @@ static int cfctrl_recv(struct cflayer *l
71838         struct cfctrl *cfctrl = container_obj(layer);
71839         struct cfctrl_request_info rsp, *req;
71840  
71841 +       pax_track_stack();
71842  
71843         cfpkt_extr_head(pkt, &cmdrsp, 1);
71844         cmd = cmdrsp & CFCTRL_CMD_MASK;
71845 diff -urNp linux-3.1.1/net/compat.c linux-3.1.1/net/compat.c
71846 --- linux-3.1.1/net/compat.c    2011-11-11 15:19:27.000000000 -0500
71847 +++ linux-3.1.1/net/compat.c    2011-11-16 18:39:08.000000000 -0500
71848 @@ -70,9 +70,9 @@ int get_compat_msghdr(struct msghdr *kms
71849             __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
71850             __get_user(kmsg->msg_flags, &umsg->msg_flags))
71851                 return -EFAULT;
71852 -       kmsg->msg_name = compat_ptr(tmp1);
71853 -       kmsg->msg_iov = compat_ptr(tmp2);
71854 -       kmsg->msg_control = compat_ptr(tmp3);
71855 +       kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
71856 +       kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
71857 +       kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
71858         return 0;
71859  }
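Review bot: The three `__force_kernel` casts store what are still userspace addresses into `kmsg->msg_name`, `msg_iov` and `msg_control` under a kernel-space type, so the type system no longer warns if one of them is dereferenced directly; the consumers in `verify_compat_iovec` cast them back to `__force_user` before `move_addr_to_kernel` and `iov_from_user_compat_to_kern`, as a later hunk shows. A comment on the assignments should spell that contract out, e.g. `/* still user pointers: only touch via copy_from_user/verify_compat_iovec */`, since the annotation alone now suggests the opposite.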
71860  
71861 @@ -84,7 +84,7 @@ int verify_compat_iovec(struct msghdr *k
71862  
71863         if (kern_msg->msg_namelen) {
71864                 if (mode == VERIFY_READ) {
71865 -                       int err = move_addr_to_kernel(kern_msg->msg_name,
71866 +                       int err = move_addr_to_kernel((void __force_user *)kern_msg->msg_name,
71867                                                       kern_msg->msg_namelen,
71868                                                       kern_address);
71869                         if (err < 0)
71870 @@ -95,7 +95,7 @@ int verify_compat_iovec(struct msghdr *k
71871                 kern_msg->msg_name = NULL;
71872  
71873         tot_len = iov_from_user_compat_to_kern(kern_iov,
71874 -                                         (struct compat_iovec __user *)kern_msg->msg_iov,
71875 +                                         (struct compat_iovec __force_user *)kern_msg->msg_iov,
71876                                           kern_msg->msg_iovlen);
71877         if (tot_len >= 0)
71878                 kern_msg->msg_iov = kern_iov;
71879 @@ -115,20 +115,20 @@ int verify_compat_iovec(struct msghdr *k
71880  
71881  #define CMSG_COMPAT_FIRSTHDR(msg)                      \
71882         (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ?     \
71883 -        (struct compat_cmsghdr __user *)((msg)->msg_control) :         \
71884 +        (struct compat_cmsghdr __force_user *)((msg)->msg_control) :           \
71885          (struct compat_cmsghdr __user *)NULL)
71886  
71887  #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
71888         ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
71889          (ucmlen) <= (unsigned long) \
71890          ((mhdr)->msg_controllen - \
71891 -         ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
71892 +         ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
71893  
71894  static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
71895                 struct compat_cmsghdr __user *cmsg, int cmsg_len)
71896  {
71897         char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
71898 -       if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
71899 +       if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
71900                         msg->msg_controllen)
71901                 return NULL;
71902         return (struct compat_cmsghdr __user *)ptr;
71903 @@ -220,7 +220,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
71904  {
71905         struct compat_timeval ctv;
71906         struct compat_timespec cts[3];
71907 -       struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
71908 +       struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
71909         struct compat_cmsghdr cmhdr;
71910         int cmlen;
71911  
71912 @@ -272,7 +272,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
71913  
71914  void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
71915  {
71916 -       struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
71917 +       struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
71918         int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
71919         int fdnum = scm->fp->count;
71920         struct file **fp = scm->fp->fp;
71921 @@ -369,7 +369,7 @@ static int do_set_sock_timeout(struct so
71922                 return -EFAULT;
71923         old_fs = get_fs();
71924         set_fs(KERNEL_DS);
71925 -       err = sock_setsockopt(sock, level, optname, (char *)&ktime, sizeof(ktime));
71926 +       err = sock_setsockopt(sock, level, optname, (char __force_user *)&ktime, sizeof(ktime));
71927         set_fs(old_fs);
71928  
71929         return err;
71930 @@ -430,7 +430,7 @@ static int do_get_sock_timeout(struct so
71931         len = sizeof(ktime);
71932         old_fs = get_fs();
71933         set_fs(KERNEL_DS);
71934 -       err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
71935 +       err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
71936         set_fs(old_fs);
71937  
71938         if (!err) {
71939 @@ -565,7 +565,7 @@ int compat_mc_setsockopt(struct sock *so
71940         case MCAST_JOIN_GROUP:
71941         case MCAST_LEAVE_GROUP:
71942         {
71943 -               struct compat_group_req __user *gr32 = (void *)optval;
71944 +               struct compat_group_req __user *gr32 = (void __user *)optval;
71945                 struct group_req __user *kgr =
71946                         compat_alloc_user_space(sizeof(struct group_req));
71947                 u32 interface;
71948 @@ -586,7 +586,7 @@ int compat_mc_setsockopt(struct sock *so
71949         case MCAST_BLOCK_SOURCE:
71950         case MCAST_UNBLOCK_SOURCE:
71951         {
71952 -               struct compat_group_source_req __user *gsr32 = (void *)optval;
71953 +               struct compat_group_source_req __user *gsr32 = (void __user *)optval;
71954                 struct group_source_req __user *kgsr = compat_alloc_user_space(
71955                         sizeof(struct group_source_req));
71956                 u32 interface;
71957 @@ -607,7 +607,7 @@ int compat_mc_setsockopt(struct sock *so
71958         }
71959         case MCAST_MSFILTER:
71960         {
71961 -               struct compat_group_filter __user *gf32 = (void *)optval;
71962 +               struct compat_group_filter __user *gf32 = (void __user *)optval;
71963                 struct group_filter __user *kgf;
71964                 u32 interface, fmode, numsrc;
71965  
71966 @@ -645,7 +645,7 @@ int compat_mc_getsockopt(struct sock *so
71967         char __user *optval, int __user *optlen,
71968         int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
71969  {
71970 -       struct compat_group_filter __user *gf32 = (void *)optval;
71971 +       struct compat_group_filter __user *gf32 = (void __user *)optval;
71972         struct group_filter __user *kgf;
71973         int __user      *koptlen;
71974         u32 interface, fmode, numsrc;
71975 diff -urNp linux-3.1.1/net/core/datagram.c linux-3.1.1/net/core/datagram.c
71976 --- linux-3.1.1/net/core/datagram.c     2011-11-11 15:19:27.000000000 -0500
71977 +++ linux-3.1.1/net/core/datagram.c     2011-11-16 18:39:08.000000000 -0500
71978 @@ -285,7 +285,7 @@ int skb_kill_datagram(struct sock *sk, s
71979         }
71980  
71981         kfree_skb(skb);
71982 -       atomic_inc(&sk->sk_drops);
71983 +       atomic_inc_unchecked(&sk->sk_drops);
71984         sk_mem_reclaim_partial(sk);
71985  
71986         return err;
71987 diff -urNp linux-3.1.1/net/core/dev.c linux-3.1.1/net/core/dev.c
71988 --- linux-3.1.1/net/core/dev.c  2011-11-11 15:19:27.000000000 -0500
71989 +++ linux-3.1.1/net/core/dev.c  2011-11-16 18:40:44.000000000 -0500
71990 @@ -1135,10 +1135,14 @@ void dev_load(struct net *net, const cha
71991         if (no_module && capable(CAP_NET_ADMIN))
71992                 no_module = request_module("netdev-%s", name);
71993         if (no_module && capable(CAP_SYS_MODULE)) {
71994 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
71995 +               ___request_module(true, "grsec_modharden_netdev", "%s", name);
71996 +#else
71997                 if (!request_module("%s", name))
71998                         pr_err("Loading kernel module for a network device "
71999  "with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-%s "
72000  "instead\n", name);
72001 +#endif
72002         }
72003  }
72004  EXPORT_SYMBOL(dev_load);
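Review bot: The `CONFIG_GRKERNSEC_MODHARDEN` branch drops the deprecation `pr_err` that the `#else` branch keeps, so with module hardening on an administrator loading a netdev module via `CAP_SYS_MODULE` gets no hint that the `netdev-%s` alias is the supported path. The return value of `___request_module` is also discarded, while the unhardened branch uses it to gate the message; if it follows the 0-on-success convention of `request_module`, the same gating works here: `if (!___request_module(true, "grsec_modharden_netdev", "%s", name)) pr_err(...)`. The meaning of the literal `true` first argument is not visible in this hunk and is worth a comment.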
72005 @@ -1977,7 +1981,7 @@ static int illegal_highdma(struct net_de
72006  
72007  struct dev_gso_cb {
72008         void (*destructor)(struct sk_buff *skb);
72009 -};
72010 +} __no_const;
72011  
72012  #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
72013  
72014 @@ -2930,7 +2934,7 @@ int netif_rx_ni(struct sk_buff *skb)
72015  }
72016  EXPORT_SYMBOL(netif_rx_ni);
72017  
72018 -static void net_tx_action(struct softirq_action *h)
72019 +static void net_tx_action(void)
72020  {
72021         struct softnet_data *sd = &__get_cpu_var(softnet_data);
72022  
72023 @@ -3779,7 +3783,7 @@ void netif_napi_del(struct napi_struct *
72024  }
72025  EXPORT_SYMBOL(netif_napi_del);
72026  
72027 -static void net_rx_action(struct softirq_action *h)
72028 +static void net_rx_action(void)
72029  {
72030         struct softnet_data *sd = &__get_cpu_var(softnet_data);
72031         unsigned long time_limit = jiffies + 2;
72032 diff -urNp linux-3.1.1/net/core/flow.c linux-3.1.1/net/core/flow.c
72033 --- linux-3.1.1/net/core/flow.c 2011-11-11 15:19:27.000000000 -0500
72034 +++ linux-3.1.1/net/core/flow.c 2011-11-16 18:39:08.000000000 -0500
72035 @@ -61,7 +61,7 @@ struct flow_cache {
72036         struct timer_list               rnd_timer;
72037  };
72038  
72039 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
72040 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
72041  EXPORT_SYMBOL(flow_cache_genid);
72042  static struct flow_cache flow_cache_global;
72043  static struct kmem_cache *flow_cachep __read_mostly;
72044 @@ -86,7 +86,7 @@ static void flow_cache_new_hashrnd(unsig
72045  
72046  static int flow_entry_valid(struct flow_cache_entry *fle)
72047  {
72048 -       if (atomic_read(&flow_cache_genid) != fle->genid)
72049 +       if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
72050                 return 0;
72051         if (fle->object && !fle->object->ops->check(fle->object))
72052                 return 0;
72053 @@ -259,7 +259,7 @@ flow_cache_lookup(struct net *net, const
72054                         hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
72055                         fcp->hash_count++;
72056                 }
72057 -       } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
72058 +       } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
72059                 flo = fle->object;
72060                 if (!flo)
72061                         goto ret_object;
72062 @@ -280,7 +280,7 @@ nocache:
72063         }
72064         flo = resolver(net, key, family, dir, flo, ctx);
72065         if (fle) {
72066 -               fle->genid = atomic_read(&flow_cache_genid);
72067 +               fle->genid = atomic_read_unchecked(&flow_cache_genid);
72068                 if (!IS_ERR(flo))
72069                         fle->object = flo;
72070                 else
72071 diff -urNp linux-3.1.1/net/core/iovec.c linux-3.1.1/net/core/iovec.c
72072 --- linux-3.1.1/net/core/iovec.c        2011-11-11 15:19:27.000000000 -0500
72073 +++ linux-3.1.1/net/core/iovec.c        2011-11-16 18:39:08.000000000 -0500
72074 @@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struc
72075         if (m->msg_namelen) {
72076                 if (mode == VERIFY_READ) {
72077                         void __user *namep;
72078 -                       namep = (void __user __force *) m->msg_name;
72079 +                       namep = (void __force_user *) m->msg_name;
72080                         err = move_addr_to_kernel(namep, m->msg_namelen,
72081                                                   address);
72082                         if (err < 0)
72083 @@ -54,7 +54,7 @@ int verify_iovec(struct msghdr *m, struc
72084         }
72085  
72086         size = m->msg_iovlen * sizeof(struct iovec);
72087 -       if (copy_from_user(iov, (void __user __force *) m->msg_iov, size))
72088 +       if (copy_from_user(iov, (void __force_user *) m->msg_iov, size))
72089                 return -EFAULT;
72090  
72091         m->msg_iov = iov;
72092 diff -urNp linux-3.1.1/net/core/rtnetlink.c linux-3.1.1/net/core/rtnetlink.c
72093 --- linux-3.1.1/net/core/rtnetlink.c    2011-11-11 15:19:27.000000000 -0500
72094 +++ linux-3.1.1/net/core/rtnetlink.c    2011-11-16 18:39:08.000000000 -0500
72095 @@ -57,7 +57,7 @@ struct rtnl_link {
72096         rtnl_doit_func          doit;
72097         rtnl_dumpit_func        dumpit;
72098         rtnl_calcit_func        calcit;
72099 -};
72100 +} __no_const;
72101  
72102  static DEFINE_MUTEX(rtnl_mutex);
72103  static u16 min_ifinfo_dump_size;
72104 diff -urNp linux-3.1.1/net/core/scm.c linux-3.1.1/net/core/scm.c
72105 --- linux-3.1.1/net/core/scm.c  2011-11-11 15:19:27.000000000 -0500
72106 +++ linux-3.1.1/net/core/scm.c  2011-11-16 18:39:08.000000000 -0500
72107 @@ -218,7 +218,7 @@ EXPORT_SYMBOL(__scm_send);
72108  int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
72109  {
72110         struct cmsghdr __user *cm
72111 -               = (__force struct cmsghdr __user *)msg->msg_control;
72112 +               = (struct cmsghdr __force_user *)msg->msg_control;
72113         struct cmsghdr cmhdr;
72114         int cmlen = CMSG_LEN(len);
72115         int err;
72116 @@ -241,7 +241,7 @@ int put_cmsg(struct msghdr * msg, int le
72117         err = -EFAULT;
72118         if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
72119                 goto out;
72120 -       if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
72121 +       if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
72122                 goto out;
72123         cmlen = CMSG_SPACE(len);
72124         if (msg->msg_controllen < cmlen)
72125 @@ -257,7 +257,7 @@ EXPORT_SYMBOL(put_cmsg);
72126  void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
72127  {
72128         struct cmsghdr __user *cm
72129 -               = (__force struct cmsghdr __user*)msg->msg_control;
72130 +               = (struct cmsghdr __force_user *)msg->msg_control;
72131  
72132         int fdmax = 0;
72133         int fdnum = scm->fp->count;
72134 @@ -277,7 +277,7 @@ void scm_detach_fds(struct msghdr *msg, 
72135         if (fdnum < fdmax)
72136                 fdmax = fdnum;
72137  
72138 -       for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
72139 +       for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
72140              i++, cmfptr++)
72141         {
72142                 int new_fd;
72143 diff -urNp linux-3.1.1/net/core/skbuff.c linux-3.1.1/net/core/skbuff.c
72144 --- linux-3.1.1/net/core/skbuff.c       2011-11-11 15:19:27.000000000 -0500
72145 +++ linux-3.1.1/net/core/skbuff.c       2011-11-16 18:40:44.000000000 -0500
72146 @@ -1650,6 +1650,8 @@ int skb_splice_bits(struct sk_buff *skb,
72147         struct sock *sk = skb->sk;
72148         int ret = 0;
72149  
72150 +       pax_track_stack();
72151 +
72152         if (splice_grow_spd(pipe, &spd))
72153                 return -ENOMEM;
72154  
72155 diff -urNp linux-3.1.1/net/core/sock.c linux-3.1.1/net/core/sock.c
72156 --- linux-3.1.1/net/core/sock.c 2011-11-11 15:19:27.000000000 -0500
72157 +++ linux-3.1.1/net/core/sock.c 2011-11-16 18:40:44.000000000 -0500
72158 @@ -293,7 +293,7 @@ int sock_queue_rcv_skb(struct sock *sk, 
72159          */
72160         if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
72161             (unsigned)sk->sk_rcvbuf) {
72162 -               atomic_inc(&sk->sk_drops);
72163 +               atomic_inc_unchecked(&sk->sk_drops);
72164                 trace_sock_rcvqueue_full(sk, skb);
72165                 return -ENOMEM;
72166         }
72167 @@ -303,7 +303,7 @@ int sock_queue_rcv_skb(struct sock *sk, 
72168                 return err;
72169  
72170         if (!sk_rmem_schedule(sk, skb->truesize)) {
72171 -               atomic_inc(&sk->sk_drops);
72172 +               atomic_inc_unchecked(&sk->sk_drops);
72173                 return -ENOBUFS;
72174         }
72175  
72176 @@ -323,7 +323,7 @@ int sock_queue_rcv_skb(struct sock *sk, 
72177         skb_dst_force(skb);
72178  
72179         spin_lock_irqsave(&list->lock, flags);
72180 -       skb->dropcount = atomic_read(&sk->sk_drops);
72181 +       skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
72182         __skb_queue_tail(list, skb);
72183         spin_unlock_irqrestore(&list->lock, flags);
72184  
72185 @@ -343,7 +343,7 @@ int sk_receive_skb(struct sock *sk, stru
72186         skb->dev = NULL;
72187  
72188         if (sk_rcvqueues_full(sk, skb)) {
72189 -               atomic_inc(&sk->sk_drops);
72190 +               atomic_inc_unchecked(&sk->sk_drops);
72191                 goto discard_and_relse;
72192         }
72193         if (nested)
72194 @@ -361,7 +361,7 @@ int sk_receive_skb(struct sock *sk, stru
72195                 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
72196         } else if (sk_add_backlog(sk, skb)) {
72197                 bh_unlock_sock(sk);
72198 -               atomic_inc(&sk->sk_drops);
72199 +               atomic_inc_unchecked(&sk->sk_drops);
72200                 goto discard_and_relse;
72201         }
72202  
72203 @@ -924,7 +924,7 @@ int sock_getsockopt(struct socket *sock,
72204                 if (len > sizeof(peercred))
72205                         len = sizeof(peercred);
72206                 cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
72207 -               if (copy_to_user(optval, &peercred, len))
72208 +               if (len > sizeof(peercred) || copy_to_user(optval, &peercred, len))
72209                         return -EFAULT;
72210                 goto lenout;
72211         }
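Review bot: The added `len > sizeof(peercred)` test on the `copy_to_user` line is unreachable: two lines above, `if (len > sizeof(peercred)) len = sizeof(peercred);` already clamps `len`, so the new condition is always false. If the extra test exists to satisfy a static copy-size checker rather than for runtime effect, say so in a comment such as `/* redundant with the clamp above; kept for the copy-size checker */`; otherwise drop it, since dead guards teach readers to stop trusting the ones that matter.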
72212 @@ -937,7 +937,7 @@ int sock_getsockopt(struct socket *sock,
72213                         return -ENOTCONN;
72214                 if (lv < len)
72215                         return -EINVAL;
72216 -               if (copy_to_user(optval, address, len))
72217 +               if (len > sizeof(address) || copy_to_user(optval, address, len))
72218                         return -EFAULT;
72219                 goto lenout;
72220         }
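Review bot: `len > sizeof(address)` on the `copy_to_user` line is a caller-argument error of the same kind as the `lv < len` test just above it, yet it yields `-EFAULT`, the code reserved for a bad user address. Fold it into the preceding check so both length problems report the same way: `if (lv < len || len > sizeof(address)) return -EINVAL;`. The declaration of `address` is outside the hunk; this assumes it is the fixed-size local buffer that `getname` fills.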
72221 @@ -970,7 +970,7 @@ int sock_getsockopt(struct socket *sock,
72222  
72223         if (len > lv)
72224                 len = lv;
72225 -       if (copy_to_user(optval, &v, len))
72226 +       if (len > sizeof(v) || copy_to_user(optval, &v, len))
72227                 return -EFAULT;
72228  lenout:
72229         if (put_user(len, optlen))
72230 @@ -2029,7 +2029,7 @@ void sock_init_data(struct socket *sock,
72231          */
72232         smp_wmb();
72233         atomic_set(&sk->sk_refcnt, 1);
72234 -       atomic_set(&sk->sk_drops, 0);
72235 +       atomic_set_unchecked(&sk->sk_drops, 0);
72236  }
72237  EXPORT_SYMBOL(sock_init_data);
72238  
72239 diff -urNp linux-3.1.1/net/decnet/sysctl_net_decnet.c linux-3.1.1/net/decnet/sysctl_net_decnet.c
72240 --- linux-3.1.1/net/decnet/sysctl_net_decnet.c  2011-11-11 15:19:27.000000000 -0500
72241 +++ linux-3.1.1/net/decnet/sysctl_net_decnet.c  2011-11-16 18:39:08.000000000 -0500
72242 @@ -174,7 +174,7 @@ static int dn_node_address_handler(ctl_t
72243  
72244         if (len > *lenp) len = *lenp;
72245  
72246 -       if (copy_to_user(buffer, addr, len))
72247 +       if (len > sizeof addr || copy_to_user(buffer, addr, len))
72248                 return -EFAULT;
72249  
72250         *lenp = len;
72251 @@ -237,7 +237,7 @@ static int dn_def_dev_handler(ctl_table 
72252  
72253         if (len > *lenp) len = *lenp;
72254  
72255 -       if (copy_to_user(buffer, devname, len))
72256 +       if (len > sizeof devname || copy_to_user(buffer, devname, len))
72257                 return -EFAULT;
72258  
72259         *lenp = len;
72260 diff -urNp linux-3.1.1/net/econet/Kconfig linux-3.1.1/net/econet/Kconfig
72261 --- linux-3.1.1/net/econet/Kconfig      2011-11-11 15:19:27.000000000 -0500
72262 +++ linux-3.1.1/net/econet/Kconfig      2011-11-16 18:40:44.000000000 -0500
72263 @@ -4,7 +4,7 @@
72264  
72265  config ECONET
72266         tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
72267 -       depends on EXPERIMENTAL && INET
72268 +       depends on EXPERIMENTAL && INET && BROKEN
72269         ---help---
72270           Econet is a fairly old and slow networking protocol mainly used by
72271           Acorn computers to access file and print servers. It uses native
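Review bot: Adding `BROKEN` to the `ECONET` dependency removes the option from every configuration, yet the help text still presents it as a usable protocol, so a reader cannot tell whether this is a temporary build workaround or a deliberate hardening decision. Record the reason in the commit record and add a sentence to the help text, e.g. `This option is marked BROKEN in this tree and cannot be enabled.`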
72272 diff -urNp linux-3.1.1/net/ipv4/fib_frontend.c linux-3.1.1/net/ipv4/fib_frontend.c
72273 --- linux-3.1.1/net/ipv4/fib_frontend.c 2011-11-11 15:19:27.000000000 -0500
72274 +++ linux-3.1.1/net/ipv4/fib_frontend.c 2011-11-16 18:39:08.000000000 -0500
72275 @@ -970,12 +970,12 @@ static int fib_inetaddr_event(struct not
72276  #ifdef CONFIG_IP_ROUTE_MULTIPATH
72277                 fib_sync_up(dev);
72278  #endif
72279 -               atomic_inc(&net->ipv4.dev_addr_genid);
72280 +               atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
72281                 rt_cache_flush(dev_net(dev), -1);
72282                 break;
72283         case NETDEV_DOWN:
72284                 fib_del_ifaddr(ifa, NULL);
72285 -               atomic_inc(&net->ipv4.dev_addr_genid);
72286 +               atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
72287                 if (ifa->ifa_dev->ifa_list == NULL) {
72288                         /* Last address was deleted from this interface.
72289                          * Disable IP.
72290 @@ -1011,7 +1011,7 @@ static int fib_netdev_event(struct notif
72291  #ifdef CONFIG_IP_ROUTE_MULTIPATH
72292                 fib_sync_up(dev);
72293  #endif
72294 -               atomic_inc(&net->ipv4.dev_addr_genid);
72295 +               atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
72296                 rt_cache_flush(dev_net(dev), -1);
72297                 break;
72298         case NETDEV_DOWN:
72299 diff -urNp linux-3.1.1/net/ipv4/fib_semantics.c linux-3.1.1/net/ipv4/fib_semantics.c
72300 --- linux-3.1.1/net/ipv4/fib_semantics.c        2011-11-11 15:19:27.000000000 -0500
72301 +++ linux-3.1.1/net/ipv4/fib_semantics.c        2011-11-16 18:39:08.000000000 -0500
72302 @@ -699,7 +699,7 @@ __be32 fib_info_update_nh_saddr(struct n
72303         nh->nh_saddr = inet_select_addr(nh->nh_dev,
72304                                         nh->nh_gw,
72305                                         nh->nh_parent->fib_scope);
72306 -       nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
72307 +       nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
72308  
72309         return nh->nh_saddr;
72310  }
72311 diff -urNp linux-3.1.1/net/ipv4/inet_diag.c linux-3.1.1/net/ipv4/inet_diag.c
72312 --- linux-3.1.1/net/ipv4/inet_diag.c    2011-11-11 15:19:27.000000000 -0500
72313 +++ linux-3.1.1/net/ipv4/inet_diag.c    2011-11-16 18:40:44.000000000 -0500
72314 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
72315         r->idiag_retrans = 0;
72316  
72317         r->id.idiag_if = sk->sk_bound_dev_if;
72318 +
72319 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72320 +       r->id.idiag_cookie[0] = 0;
72321 +       r->id.idiag_cookie[1] = 0;
72322 +#else
72323         r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
72324         r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
72325 +#endif
72326  
72327         r->id.idiag_sport = inet->inet_sport;
72328         r->id.idiag_dport = inet->inet_dport;
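Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block that fills `idiag_cookie[0..1]` is repeated verbatim here and again in the twsk and req variants later in this file, so the hiding policy lives in three places. A small helper holding the one `#ifdef`, e.g. `static inline void inet_diag_set_cookie(struct inet_diag_msg *r, const void *p)`, would reduce each caller to a single line and make a later change of policy (such as an opaque hashed cookie instead of zero) a one-place edit. inet_csk_diag_fill starts and ends outside the hunk.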
72329 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
72330         r->idiag_family       = tw->tw_family;
72331         r->idiag_retrans      = 0;
72332         r->id.idiag_if        = tw->tw_bound_dev_if;
72333 +
72334 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72335 +       r->id.idiag_cookie[0] = 0;
72336 +       r->id.idiag_cookie[1] = 0;
72337 +#else
72338         r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
72339         r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
72340 +#endif
72341 +
72342         r->id.idiag_sport     = tw->tw_sport;
72343         r->id.idiag_dport     = tw->tw_dport;
72344         r->id.idiag_src[0]    = tw->tw_rcv_saddr;
72345 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
72346         if (sk == NULL)
72347                 goto unlock;
72348  
72349 +#ifndef CONFIG_GRKERNSEC_HIDESYM
72350         err = -ESTALE;
72351         if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
72352              req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
72353             ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
72354              (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
72355                 goto out;
72356 +#endif
72357  
72358         err = -ENOMEM;
72359         rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
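Review bot: With CONFIG_GRKERNSEC_HIDESYM the whole cookie comparison is compiled out, so a request carrying a cookie from an earlier dump now matches whichever socket currently owns the 4-tuple instead of failing with -ESTALE; the hunk trades a kernel-pointer leak for the loss of stale-socket detection that diagnostic tools rely on. An opaque but still verifiable value would keep both properties: derive the cookie from the pointer with a per-boot random key (a keyed hash) when filling the message and compare the same derivation here, rather than the raw address. If ignoring cookies is the intended policy, a comment above the `#ifndef` saying `/* HIDESYM: cookies carry no address, so no stale check is possible */` would at least make the behaviour change visible. inet_diag_get_exact continues outside the hunk.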
72360 @@ -580,8 +595,14 @@ static int inet_diag_fill_req(struct sk_
72361         r->idiag_retrans = req->retrans;
72362  
72363         r->id.idiag_if = sk->sk_bound_dev_if;
72364 +
72365 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72366 +       r->id.idiag_cookie[0] = 0;
72367 +       r->id.idiag_cookie[1] = 0;
72368 +#else
72369         r->id.idiag_cookie[0] = (u32)(unsigned long)req;
72370         r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
72371 +#endif
72372  
72373         tmo = req->expires - jiffies;
72374         if (tmo < 0)
72375 diff -urNp linux-3.1.1/net/ipv4/inet_hashtables.c linux-3.1.1/net/ipv4/inet_hashtables.c
72376 --- linux-3.1.1/net/ipv4/inet_hashtables.c      2011-11-11 15:19:27.000000000 -0500
72377 +++ linux-3.1.1/net/ipv4/inet_hashtables.c      2011-11-16 18:40:44.000000000 -0500
72378 @@ -18,13 +18,16 @@
72379  #include <linux/sched.h>
72380  #include <linux/slab.h>
72381  #include <linux/wait.h>
72382 +#include <linux/security.h>
72383  
72384  #include <net/inet_connection_sock.h>
72385  #include <net/inet_hashtables.h>
72386  #include <net/secure_seq.h>
72387  #include <net/route.h>
72388  #include <net/ip.h>
72389  
72390 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
72391 +
72392  /*
72393   * Allocate and initialize a new local port bind bucket.
72394   * The bindhash mutex for snum's hash chain must be held here.
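Review bot: The prototype for `gr_update_task_in_ip_table` is declared as a bare `extern` in this .c file instead of a shared header, so the compiler cannot check it against the definition or against the other callers; the same pattern recurs in net/ipv4/udp.c for `gr_search_udp_recvmsg`/`gr_search_udp_sendmsg`. Moving these declarations into the grsecurity header that the newly added `#include <linux/security.h>` is presumably meant to pull in (the hunk does not show whether that header provides them) would give one authoritative prototype. The rest of this file is unaffected by the hunk.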
72395 @@ -530,6 +533,8 @@ ok:
72396                         twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
72397                 spin_unlock(&head->lock);
72398  
72399 +               gr_update_task_in_ip_table(current, inet_sk(sk));
72400 +
72401                 if (tw) {
72402                         inet_twsk_deschedule(tw, death_row);
72403                         while (twrefcnt) {
72404 diff -urNp linux-3.1.1/net/ipv4/inetpeer.c linux-3.1.1/net/ipv4/inetpeer.c
72405 --- linux-3.1.1/net/ipv4/inetpeer.c     2011-11-11 15:19:27.000000000 -0500
72406 +++ linux-3.1.1/net/ipv4/inetpeer.c     2011-11-16 19:18:22.000000000 -0500
72407 @@ -400,6 +400,8 @@ struct inet_peer *inet_getpeer(const str
72408         unsigned int sequence;
72409         int invalidated, gccnt = 0;
72410  
72411 +       pax_track_stack();
72412 +
72413         /* Attempt a lockless lookup first.
72414          * Because of a concurrent writer, we might not find an existing entry.
72415          */
72416 @@ -436,8 +438,8 @@ relookup:
72417         if (p) {
72418                 p->daddr = *daddr;
72419                 atomic_set(&p->refcnt, 1);
72420 -               atomic_set(&p->rid, 0);
72421 -               atomic_set(&p->ip_id_count,
72422 +               atomic_set_unchecked(&p->rid, 0);
72423 +               atomic_set_unchecked(&p->ip_id_count,
72424                                 (daddr->family == AF_INET) ?
72425                                         secure_ip_id(daddr->addr.a4) :
72426                                         secure_ipv6_id(daddr->addr.a6));
72427 diff -urNp linux-3.1.1/net/ipv4/ipconfig.c linux-3.1.1/net/ipv4/ipconfig.c
72428 --- linux-3.1.1/net/ipv4/ipconfig.c     2011-11-11 15:19:27.000000000 -0500
72429 +++ linux-3.1.1/net/ipv4/ipconfig.c     2011-11-16 18:39:08.000000000 -0500
72430 @@ -313,7 +313,7 @@ static int __init ic_devinet_ioctl(unsig
72431  
72432         mm_segment_t oldfs = get_fs();
72433         set_fs(get_ds());
72434 -       res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
72435 +       res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
72436         set_fs(oldfs);
72437         return res;
72438  }
72439 @@ -324,7 +324,7 @@ static int __init ic_dev_ioctl(unsigned 
72440  
72441         mm_segment_t oldfs = get_fs();
72442         set_fs(get_ds());
72443 -       res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
72444 +       res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
72445         set_fs(oldfs);
72446         return res;
72447  }
72448 @@ -335,7 +335,7 @@ static int __init ic_route_ioctl(unsigne
72449  
72450         mm_segment_t oldfs = get_fs();
72451         set_fs(get_ds());
72452 -       res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
72453 +       res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
72454         set_fs(oldfs);
72455         return res;
72456  }
72457 diff -urNp linux-3.1.1/net/ipv4/ip_fragment.c linux-3.1.1/net/ipv4/ip_fragment.c
72458 --- linux-3.1.1/net/ipv4/ip_fragment.c  2011-11-11 15:19:27.000000000 -0500
72459 +++ linux-3.1.1/net/ipv4/ip_fragment.c  2011-11-16 18:39:08.000000000 -0500
72460 @@ -316,7 +316,7 @@ static inline int ip_frag_too_far(struct
72461                 return 0;
72462  
72463         start = qp->rid;
72464 -       end = atomic_inc_return(&peer->rid);
72465 +       end = atomic_inc_return_unchecked(&peer->rid);
72466         qp->rid = end;
72467  
72468         rc = qp->q.fragments && (end - start) > max;
72469 diff -urNp linux-3.1.1/net/ipv4/ip_sockglue.c linux-3.1.1/net/ipv4/ip_sockglue.c
72470 --- linux-3.1.1/net/ipv4/ip_sockglue.c  2011-11-11 15:19:27.000000000 -0500
72471 +++ linux-3.1.1/net/ipv4/ip_sockglue.c  2011-11-16 18:40:44.000000000 -0500
72472 @@ -1073,6 +1073,8 @@ static int do_ip_getsockopt(struct sock 
72473         int val;
72474         int len;
72475  
72476 +       pax_track_stack();
72477 +
72478         if (level != SOL_IP)
72479                 return -EOPNOTSUPP;
72480  
72481 @@ -1110,7 +1112,8 @@ static int do_ip_getsockopt(struct sock 
72482                 len = min_t(unsigned int, len, opt->optlen);
72483                 if (put_user(len, optlen))
72484                         return -EFAULT;
72485 -               if (copy_to_user(optval, opt->__data, len))
72486 +               if ((len > (sizeof(optbuf) - sizeof(struct ip_options))) ||
72487 +                   copy_to_user(optval, opt->__data, len))
72488                         return -EFAULT;
72489                 return 0;
72490         }
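Review bot: The new bound on `len` is evaluated after `put_user(len, optlen)` has already stored the length, so if it ever trips userland is told `len` bytes are available although none were copied; the comparison should come first, e.g. `if (WARN_ON_ONCE(len > sizeof(optbuf) - sizeof(struct ip_options))) return -EINVAL;` placed before the put_user. Since `len` was clamped to `opt->optlen` on the line above, the check can only fail if `opt->optlen` exceeds the option area of `optbuf`, which is a kernel-side invariant rather than a user fault, hence -EINVAL rather than -EFAULT. do_ip_getsockopt starts and ends outside the hunk.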
72491 @@ -1238,7 +1241,7 @@ static int do_ip_getsockopt(struct sock 
72492                 if (sk->sk_type != SOCK_STREAM)
72493                         return -ENOPROTOOPT;
72494  
72495 -               msg.msg_control = optval;
72496 +               msg.msg_control = (void __force_kernel *)optval;
72497                 msg.msg_controllen = len;
72498                 msg.msg_flags = flags;
72499  
72500 diff -urNp linux-3.1.1/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-3.1.1/net/ipv4/netfilter/nf_nat_snmp_basic.c
72501 --- linux-3.1.1/net/ipv4/netfilter/nf_nat_snmp_basic.c  2011-11-11 15:19:27.000000000 -0500
72502 +++ linux-3.1.1/net/ipv4/netfilter/nf_nat_snmp_basic.c  2011-11-16 18:39:08.000000000 -0500
72503 @@ -399,7 +399,7 @@ static unsigned char asn1_octets_decode(
72504  
72505         *len = 0;
72506  
72507 -       *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
72508 +       *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
72509         if (*octets == NULL) {
72510                 if (net_ratelimit())
72511                         pr_notice("OOM in bsalg (%d)\n", __LINE__);
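Review bot: Wrapping `eoc - ctx->pointer` in an extra pair of parentheses changes nothing at the C level, so the hunk reads as noise unless its purpose is recorded. If it exists to keep a static checker or the size-overflow plugin from flagging the pointer-difference argument (a guess; nothing in the hunk says so), a comment such as `/* parenthesised for the size-overflow checker */` would stop the next reader from "cleaning it up". If it is not needed, the hunk can be dropped.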
72512 diff -urNp linux-3.1.1/net/ipv4/ping.c linux-3.1.1/net/ipv4/ping.c
72513 --- linux-3.1.1/net/ipv4/ping.c 2011-11-11 15:19:27.000000000 -0500
72514 +++ linux-3.1.1/net/ipv4/ping.c 2011-11-16 18:39:08.000000000 -0500
72515 @@ -837,7 +837,7 @@ static void ping_format_sock(struct sock
72516                 sk_rmem_alloc_get(sp),
72517                 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72518                 atomic_read(&sp->sk_refcnt), sp,
72519 -               atomic_read(&sp->sk_drops), len);
72520 +               atomic_read_unchecked(&sp->sk_drops), len);
72521  }
72522  
72523  static int ping_seq_show(struct seq_file *seq, void *v)
72524 diff -urNp linux-3.1.1/net/ipv4/raw.c linux-3.1.1/net/ipv4/raw.c
72525 --- linux-3.1.1/net/ipv4/raw.c  2011-11-11 15:19:27.000000000 -0500
72526 +++ linux-3.1.1/net/ipv4/raw.c  2011-11-16 18:40:44.000000000 -0500
72527 @@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
72528  int raw_rcv(struct sock *sk, struct sk_buff *skb)
72529  {
72530         if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
72531 -               atomic_inc(&sk->sk_drops);
72532 +               atomic_inc_unchecked(&sk->sk_drops);
72533                 kfree_skb(skb);
72534                 return NET_RX_DROP;
72535         }
72536 @@ -737,16 +737,20 @@ static int raw_init(struct sock *sk)
72537  
72538  static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
72539  {
72540 +       struct icmp_filter filter;
72541 +
72542         if (optlen > sizeof(struct icmp_filter))
72543                 optlen = sizeof(struct icmp_filter);
72544 -       if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
72545 +       if (copy_from_user(&filter, optval, optlen))
72546                 return -EFAULT;
72547 +       raw_sk(sk)->filter = filter;
72548         return 0;
72549  }
72550  
72551  static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
72552  {
72553         int len, ret = -EFAULT;
72554 +       struct icmp_filter filter;
72555  
72556         if (get_user(len, optlen))
72557                 goto out;
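Review bot: The new local `filter` in raw_seticmpfilter is never initialised, so when userland passes an `optlen` smaller than `sizeof(struct icmp_filter)` the bytes beyond `optlen` are uninitialised stack, and the whole-struct assignment `raw_sk(sk)->filter = filter` then writes them into the socket's filter; the original copy_from_user directly into the socket left the untouched tail of the existing filter intact. Seeding the temporary from the current value, `struct icmp_filter filter = raw_sk(sk)->filter;`, keeps the old semantics while still keeping the user copy off the socket object. The same pattern is introduced in rawv6_seticmpfilter in net/ipv6/raw.c, where icmp6_filter is larger and the window is wider.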
72558 @@ -756,8 +760,9 @@ static int raw_geticmpfilter(struct sock
72559         if (len > sizeof(struct icmp_filter))
72560                 len = sizeof(struct icmp_filter);
72561         ret = -EFAULT;
72562 -       if (put_user(len, optlen) ||
72563 -           copy_to_user(optval, &raw_sk(sk)->filter, len))
72564 +       filter = raw_sk(sk)->filter;
72565 +       if (put_user(len, optlen) || len > sizeof filter ||
72566 +           copy_to_user(optval, &filter, len))
72567                 goto out;
72568         ret = 0;
72569  out:   return ret;
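Review bot: The added `len > sizeof filter` test can never be true because the two lines above already clamp `len` to `sizeof(struct icmp_filter)`, and it sits after `put_user(len, optlen)`, so if it were reachable userland would see a length with no data behind it. Either drop it, or if it is there to satisfy a copy_to_user size checker, evaluate it first: `if (len > sizeof filter || put_user(len, optlen) || copy_to_user(optval, &filter, len))`. raw_geticmpfilter's prologue is in the previous hunk.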
72570 @@ -985,7 +990,13 @@ static void raw_sock_seq_show(struct seq
72571                 sk_wmem_alloc_get(sp),
72572                 sk_rmem_alloc_get(sp),
72573                 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72574 -               atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
72575 +               atomic_read(&sp->sk_refcnt),
72576 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72577 +               NULL,
72578 +#else
72579 +               sp,
72580 +#endif
72581 +               atomic_read_unchecked(&sp->sk_drops));
72582  }
72583  
72584  static int raw_seq_show(struct seq_file *seq, void *v)
72585 diff -urNp linux-3.1.1/net/ipv4/route.c linux-3.1.1/net/ipv4/route.c
72586 --- linux-3.1.1/net/ipv4/route.c        2011-11-11 15:19:27.000000000 -0500
72587 +++ linux-3.1.1/net/ipv4/route.c        2011-11-16 18:39:08.000000000 -0500
72588 @@ -308,7 +308,7 @@ static inline unsigned int rt_hash(__be3
72589  
72590  static inline int rt_genid(struct net *net)
72591  {
72592 -       return atomic_read(&net->ipv4.rt_genid);
72593 +       return atomic_read_unchecked(&net->ipv4.rt_genid);
72594  }
72595  
72596  #ifdef CONFIG_PROC_FS
72597 @@ -837,7 +837,7 @@ static void rt_cache_invalidate(struct n
72598         unsigned char shuffle;
72599  
72600         get_random_bytes(&shuffle, sizeof(shuffle));
72601 -       atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
72602 +       atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
72603  }
72604  
72605  /*
72606 @@ -2872,7 +2872,7 @@ static int rt_fill_info(struct net *net,
72607         error = rt->dst.error;
72608         if (peer) {
72609                 inet_peer_refcheck(rt->peer);
72610 -               id = atomic_read(&peer->ip_id_count) & 0xffff;
72611 +               id = atomic_read_unchecked(&peer->ip_id_count) & 0xffff;
72612                 if (peer->tcp_ts_stamp) {
72613                         ts = peer->tcp_ts;
72614                         tsage = get_seconds() - peer->tcp_ts_stamp;
72615 diff -urNp linux-3.1.1/net/ipv4/tcp.c linux-3.1.1/net/ipv4/tcp.c
72616 --- linux-3.1.1/net/ipv4/tcp.c  2011-11-11 15:19:27.000000000 -0500
72617 +++ linux-3.1.1/net/ipv4/tcp.c  2011-11-16 18:40:44.000000000 -0500
72618 @@ -2122,6 +2122,8 @@ static int do_tcp_setsockopt(struct sock
72619         int val;
72620         int err = 0;
72621  
72622 +       pax_track_stack();
72623 +
72624         /* These are data/string values, all the others are ints */
72625         switch (optname) {
72626         case TCP_CONGESTION: {
72627 @@ -2501,6 +2503,8 @@ static int do_tcp_getsockopt(struct sock
72628         struct tcp_sock *tp = tcp_sk(sk);
72629         int val, len;
72630  
72631 +       pax_track_stack();
72632 +
72633         if (get_user(len, optlen))
72634                 return -EFAULT;
72635  
72636 diff -urNp linux-3.1.1/net/ipv4/tcp_ipv4.c linux-3.1.1/net/ipv4/tcp_ipv4.c
72637 --- linux-3.1.1/net/ipv4/tcp_ipv4.c     2011-11-11 15:19:27.000000000 -0500
72638 +++ linux-3.1.1/net/ipv4/tcp_ipv4.c     2011-11-16 18:40:44.000000000 -0500
72639 @@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
72640  int sysctl_tcp_low_latency __read_mostly;
72641  EXPORT_SYMBOL(sysctl_tcp_low_latency);
72642  
72643 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72644 +extern int grsec_enable_blackhole;
72645 +#endif
72646  
72647  #ifdef CONFIG_TCP_MD5SIG
72648  static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
72649 @@ -1622,6 +1625,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
72650         return 0;
72651  
72652  reset:
72653 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72654 +       if (!grsec_enable_blackhole)
72655 +#endif
72656         tcp_v4_send_reset(rsk, skb);
72657  discard:
72658         kfree_skb(skb);
72659 @@ -1684,12 +1690,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
72660         TCP_SKB_CB(skb)->sacked  = 0;
72661  
72662         sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
72663 -       if (!sk)
72664 +       if (!sk) {
72665 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72666 +               ret = 1;
72667 +#endif
72668                 goto no_tcp_socket;
72669 -
72670 +       }
72671  process:
72672 -       if (sk->sk_state == TCP_TIME_WAIT)
72673 +       if (sk->sk_state == TCP_TIME_WAIT) {
72674 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72675 +               ret = 2;
72676 +#endif
72677                 goto do_time_wait;
72678 +       }
72679  
72680         if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
72681                 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
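Review bot: `ret` is reused here as an ad-hoc tag (1 = no socket found, 2 = came from TIME_WAIT) that is consumed at `no_tcp_socket` in a later hunk, while the same variable elsewhere in tcp_v4_rcv holds the return value of the receive path; a reader has to trace every goto to know which meaning is live. A dedicated local, e.g. `bool no_sock = false;` set in the `!sk` branch and tested at the reset site, would remove the magic numbers and would not depend on every path into `no_tcp_socket` having assigned `ret` first (which appears to hold for the paths visible here but is easy to break). tcp_v4_rcv starts and ends outside the hunk.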
72682 @@ -1739,6 +1752,10 @@ no_tcp_socket:
72683  bad_packet:
72684                 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
72685         } else {
72686 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72687 +               if (!grsec_enable_blackhole || (ret == 1 &&
72688 +                   (skb->dev->flags & IFF_LOOPBACK)))
72689 +#endif
72690                 tcp_v4_send_reset(NULL, skb);
72691         }
72692  
72693 @@ -2403,7 +2420,11 @@ static void get_openreq4(struct sock *sk
72694                 0,  /* non standard timer */
72695                 0, /* open_requests have no inode */
72696                 atomic_read(&sk->sk_refcnt),
72697 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72698 +               NULL,
72699 +#else
72700                 req,
72701 +#endif
72702                 len);
72703  }
72704  
72705 @@ -2453,7 +2474,12 @@ static void get_tcp4_sock(struct sock *s
72706                 sock_i_uid(sk),
72707                 icsk->icsk_probes_out,
72708                 sock_i_ino(sk),
72709 -               atomic_read(&sk->sk_refcnt), sk,
72710 +               atomic_read(&sk->sk_refcnt),
72711 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72712 +               NULL,
72713 +#else
72714 +               sk,
72715 +#endif
72716                 jiffies_to_clock_t(icsk->icsk_rto),
72717                 jiffies_to_clock_t(icsk->icsk_ack.ato),
72718                 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
72719 @@ -2481,7 +2507,13 @@ static void get_timewait4_sock(struct in
72720                 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n",
72721                 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
72722                 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
72723 -               atomic_read(&tw->tw_refcnt), tw, len);
72724 +               atomic_read(&tw->tw_refcnt),
72725 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72726 +               NULL,
72727 +#else
72728 +               tw,
72729 +#endif
72730 +               len);
72731  }
72732  
72733  #define TMPSZ 150
72734 diff -urNp linux-3.1.1/net/ipv4/tcp_minisocks.c linux-3.1.1/net/ipv4/tcp_minisocks.c
72735 --- linux-3.1.1/net/ipv4/tcp_minisocks.c        2011-11-11 15:19:27.000000000 -0500
72736 +++ linux-3.1.1/net/ipv4/tcp_minisocks.c        2011-11-16 18:40:44.000000000 -0500
72737 @@ -27,6 +27,10 @@
72738  #include <net/inet_common.h>
72739  #include <net/xfrm.h>
72740  
72741 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72742 +extern int grsec_enable_blackhole;
72743 +#endif
72744 +
72745  int sysctl_tcp_syncookies __read_mostly = 1;
72746  EXPORT_SYMBOL(sysctl_tcp_syncookies);
72747  
72748 @@ -750,6 +754,10 @@ listen_overflow:
72749  
72750  embryonic_reset:
72751         NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
72752 +
72753 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72754 +       if (!grsec_enable_blackhole)
72755 +#endif
72756         if (!(flg & TCP_FLAG_RST))
72757                 req->rsk_ops->send_reset(sk, skb);
72758  
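Review bot: The reset site is now two stacked brace-less `if` statements, one of which exists only under `CONFIG_GRKERNSEC_BLACKHOLE`; that shape is fragile, since a later `else` or an added statement binds differently in the two configurations, and it trips the dangling-else warning on some compilers. Wrapping the inner `if (!(flg & TCP_FLAG_RST)) ... send_reset(...)` in a brace block that is present in both builds, or folding the blackhole test into the one condition, keeps a single statement regardless of configuration. tcp_check_req continues outside the hunk.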
72759 diff -urNp linux-3.1.1/net/ipv4/tcp_output.c linux-3.1.1/net/ipv4/tcp_output.c
72760 --- linux-3.1.1/net/ipv4/tcp_output.c   2011-11-11 15:19:27.000000000 -0500
72761 +++ linux-3.1.1/net/ipv4/tcp_output.c   2011-11-16 18:40:44.000000000 -0500
72762 @@ -2421,6 +2421,8 @@ struct sk_buff *tcp_make_synack(struct s
72763         int mss;
72764         int s_data_desired = 0;
72765  
72766 +       pax_track_stack();
72767 +
72768         if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
72769                 s_data_desired = cvp->s_data_desired;
72770         skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
72771 diff -urNp linux-3.1.1/net/ipv4/tcp_probe.c linux-3.1.1/net/ipv4/tcp_probe.c
72772 --- linux-3.1.1/net/ipv4/tcp_probe.c    2011-11-11 15:19:27.000000000 -0500
72773 +++ linux-3.1.1/net/ipv4/tcp_probe.c    2011-11-16 18:39:08.000000000 -0500
72774 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
72775                 if (cnt + width >= len)
72776                         break;
72777  
72778 -               if (copy_to_user(buf + cnt, tbuf, width))
72779 +               if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
72780                         return -EFAULT;
72781                 cnt += width;
72782         }
72783 diff -urNp linux-3.1.1/net/ipv4/tcp_timer.c linux-3.1.1/net/ipv4/tcp_timer.c
72784 --- linux-3.1.1/net/ipv4/tcp_timer.c    2011-11-11 15:19:27.000000000 -0500
72785 +++ linux-3.1.1/net/ipv4/tcp_timer.c    2011-11-16 18:40:44.000000000 -0500
72786 @@ -22,6 +22,10 @@
72787  #include <linux/gfp.h>
72788  #include <net/tcp.h>
72789  
72790 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72791 +extern int grsec_lastack_retries;
72792 +#endif
72793 +
72794  int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
72795  int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
72796  int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
72797 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
72798                 }
72799         }
72800  
72801 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72802 +       if ((sk->sk_state == TCP_LAST_ACK) &&
72803 +           (grsec_lastack_retries > 0) &&
72804 +           (grsec_lastack_retries < retry_until))
72805 +               retry_until = grsec_lastack_retries;
72806 +#endif
72807 +
72808         if (retransmits_timed_out(sk, retry_until,
72809                                   syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
72810                 /* Has it gone just too far? */
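Review bot: The new LAST_ACK clamp carries no comment saying why that state in particular gets a shorter retransmit budget, and the `grsec_lastack_retries > 0` test silently means "0 disables"; neither is obvious from the code. A why-comment above the block, along the lines of `/* With blackhole on, a vanished peer never answers our FIN with RST, so cap LAST_ACK retries (0 = kernel default). */`, would record the rationale; adjust the wording if the motivation differs, since the hunk itself does not state it. tcp_write_timeout continues outside the hunk.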
72811 diff -urNp linux-3.1.1/net/ipv4/udp.c linux-3.1.1/net/ipv4/udp.c
72812 --- linux-3.1.1/net/ipv4/udp.c  2011-11-11 15:19:27.000000000 -0500
72813 +++ linux-3.1.1/net/ipv4/udp.c  2011-11-16 19:17:54.000000000 -0500
72814 @@ -86,6 +86,7 @@
72815  #include <linux/types.h>
72816  #include <linux/fcntl.h>
72817  #include <linux/module.h>
72818 +#include <linux/security.h>
72819  #include <linux/socket.h>
72820  #include <linux/sockios.h>
72821  #include <linux/igmp.h>
72822 @@ -108,6 +109,10 @@
72823  #include <trace/events/udp.h>
72824  #include "udp_impl.h"
72825  
72826 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72827 +extern int grsec_enable_blackhole;
72828 +#endif
72829 +
72830  struct udp_table udp_table __read_mostly;
72831  EXPORT_SYMBOL(udp_table);
72832  
72833 @@ -565,6 +570,9 @@ found:
72834         return s;
72835  }
72836  
72837 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
72838 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
72839 +
72840  /*
72841   * This routine is called by the ICMP module when it gets some
72842   * sort of error condition.  If err < 0 then the socket should
72843 @@ -856,9 +864,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
72844                 dport = usin->sin_port;
72845                 if (dport == 0)
72846                         return -EINVAL;
72847 +
72848 +               err = gr_search_udp_sendmsg(sk, usin);
72849 +               if (err)
72850 +                       return err;
72851         } else {
72852                 if (sk->sk_state != TCP_ESTABLISHED)
72853                         return -EDESTADDRREQ;
72854 +
72855 +               err = gr_search_udp_sendmsg(sk, NULL);
72856 +               if (err)
72857 +                       return err;
72858 +
72859                 daddr = inet->inet_daddr;
72860                 dport = inet->inet_dport;
72861                 /* Open fast path for connected socket.
72862 @@ -1099,7 +1116,7 @@ static unsigned int first_packet_length(
72863                 udp_lib_checksum_complete(skb)) {
72864                 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
72865                                  IS_UDPLITE(sk));
72866 -               atomic_inc(&sk->sk_drops);
72867 +               atomic_inc_unchecked(&sk->sk_drops);
72868                 __skb_unlink(skb, rcvq);
72869                 __skb_queue_tail(&list_kill, skb);
72870         }
72871 @@ -1185,6 +1202,10 @@ try_again:
72872         if (!skb)
72873                 goto out;
72874  
72875 +       err = gr_search_udp_recvmsg(sk, skb);
72876 +       if (err)
72877 +               goto out_free;
72878 +
72879         ulen = skb->len - sizeof(struct udphdr);
72880         if (len > ulen)
72881                 len = ulen;
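Review bot: When `gr_search_udp_recvmsg` denies the datagram the code jumps to `out_free`, which (outside the hunk) frees the already-dequeued skb, so the packet is consumed and lost rather than left queued, and no UDP MIB counter records the drop; a denied recvmsg is therefore indistinguishable from an ordinary error and invisible to statistics. If consuming the datagram is intended, a comment such as `/* RBAC denied: the datagram is dropped, not just this call */` would make that explicit, and bumping `UDP_MIB_INERRORS` as the csum_copy_err path does would keep the drop countable. udp_recvmsg starts and ends outside the hunk.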
72882 @@ -1485,7 +1506,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
72883  
72884  drop:
72885         UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
72886 -       atomic_inc(&sk->sk_drops);
72887 +       atomic_inc_unchecked(&sk->sk_drops);
72888         kfree_skb(skb);
72889         return -1;
72890  }
72891 @@ -1504,7 +1525,7 @@ static void flush_stack(struct sock **st
72892                         skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
72893  
72894                 if (!skb1) {
72895 -                       atomic_inc(&sk->sk_drops);
72896 +                       atomic_inc_unchecked(&sk->sk_drops);
72897                         UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
72898                                          IS_UDPLITE(sk));
72899                         UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
72900 @@ -1673,6 +1694,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, 
72901                 goto csum_error;
72902  
72903         UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
72904 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72905 +       if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
72906 +#endif
72907         icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
72908  
72909         /*
72910 @@ -2100,8 +2124,13 @@ static void udp4_format_sock(struct sock
72911                 sk_wmem_alloc_get(sp),
72912                 sk_rmem_alloc_get(sp),
72913                 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72914 -               atomic_read(&sp->sk_refcnt), sp,
72915 -               atomic_read(&sp->sk_drops), len);
72916 +               atomic_read(&sp->sk_refcnt),
72917 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72918 +               NULL,
72919 +#else
72920 +               sp,
72921 +#endif
72922 +               atomic_read_unchecked(&sp->sk_drops), len);
72923  }
72924  
72925  int udp4_seq_show(struct seq_file *seq, void *v)
72926 diff -urNp linux-3.1.1/net/ipv6/addrconf.c linux-3.1.1/net/ipv6/addrconf.c
72927 --- linux-3.1.1/net/ipv6/addrconf.c     2011-11-11 15:19:27.000000000 -0500
72928 +++ linux-3.1.1/net/ipv6/addrconf.c     2011-11-16 18:39:08.000000000 -0500
72929 @@ -2083,7 +2083,7 @@ int addrconf_set_dstaddr(struct net *net
72930                 p.iph.ihl = 5;
72931                 p.iph.protocol = IPPROTO_IPV6;
72932                 p.iph.ttl = 64;
72933 -               ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
72934 +               ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
72935  
72936                 if (ops->ndo_do_ioctl) {
72937                         mm_segment_t oldfs = get_fs();
72938 diff -urNp linux-3.1.1/net/ipv6/inet6_connection_sock.c linux-3.1.1/net/ipv6/inet6_connection_sock.c
72939 --- linux-3.1.1/net/ipv6/inet6_connection_sock.c        2011-11-11 15:19:27.000000000 -0500
72940 +++ linux-3.1.1/net/ipv6/inet6_connection_sock.c        2011-11-16 18:39:08.000000000 -0500
72941 @@ -178,7 +178,7 @@ void __inet6_csk_dst_store(struct sock *
72942  #ifdef CONFIG_XFRM
72943         {
72944                 struct rt6_info *rt = (struct rt6_info  *)dst;
72945 -               rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
72946 +               rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
72947         }
72948  #endif
72949  }
72950 @@ -193,7 +193,7 @@ struct dst_entry *__inet6_csk_dst_check(
72951  #ifdef CONFIG_XFRM
72952         if (dst) {
72953                 struct rt6_info *rt = (struct rt6_info *)dst;
72954 -               if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
72955 +               if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
72956                         __sk_dst_reset(sk);
72957                         dst = NULL;
72958                 }
72959 diff -urNp linux-3.1.1/net/ipv6/ipv6_sockglue.c linux-3.1.1/net/ipv6/ipv6_sockglue.c
72960 --- linux-3.1.1/net/ipv6/ipv6_sockglue.c        2011-11-11 15:19:27.000000000 -0500
72961 +++ linux-3.1.1/net/ipv6/ipv6_sockglue.c        2011-11-16 18:40:44.000000000 -0500
72962 @@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
72963         int val, valbool;
72964         int retv = -ENOPROTOOPT;
72965  
72966 +       pax_track_stack();
72967 +
72968         if (optval == NULL)
72969                 val=0;
72970         else {
72971 @@ -919,6 +921,8 @@ static int do_ipv6_getsockopt(struct soc
72972         int len;
72973         int val;
72974  
72975 +       pax_track_stack();
72976 +
72977         if (ip6_mroute_opt(optname))
72978                 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
72979  
72980 @@ -960,7 +964,7 @@ static int do_ipv6_getsockopt(struct soc
72981                 if (sk->sk_type != SOCK_STREAM)
72982                         return -ENOPROTOOPT;
72983  
72984 -               msg.msg_control = optval;
72985 +               msg.msg_control = (void __force_kernel *)optval;
72986                 msg.msg_controllen = len;
72987                 msg.msg_flags = flags;
72988  
72989 diff -urNp linux-3.1.1/net/ipv6/raw.c linux-3.1.1/net/ipv6/raw.c
72990 --- linux-3.1.1/net/ipv6/raw.c  2011-11-11 15:19:27.000000000 -0500
72991 +++ linux-3.1.1/net/ipv6/raw.c  2011-11-16 18:40:44.000000000 -0500
72992 @@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
72993  {
72994         if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
72995             skb_checksum_complete(skb)) {
72996 -               atomic_inc(&sk->sk_drops);
72997 +               atomic_inc_unchecked(&sk->sk_drops);
72998                 kfree_skb(skb);
72999                 return NET_RX_DROP;
73000         }
73001 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
73002         struct raw6_sock *rp = raw6_sk(sk);
73003  
73004         if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
73005 -               atomic_inc(&sk->sk_drops);
73006 +               atomic_inc_unchecked(&sk->sk_drops);
73007                 kfree_skb(skb);
73008                 return NET_RX_DROP;
73009         }
73010 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
73011  
73012         if (inet->hdrincl) {
73013                 if (skb_checksum_complete(skb)) {
73014 -                       atomic_inc(&sk->sk_drops);
73015 +                       atomic_inc_unchecked(&sk->sk_drops);
73016                         kfree_skb(skb);
73017                         return NET_RX_DROP;
73018                 }
73019 @@ -601,7 +601,7 @@ out:
73020         return err;
73021  }
73022  
73023 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
73024 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
73025                         struct flowi6 *fl6, struct dst_entry **dstp,
73026                         unsigned int flags)
73027  {
73028 @@ -742,6 +742,8 @@ static int rawv6_sendmsg(struct kiocb *i
73029         u16 proto;
73030         int err;
73031  
73032 +       pax_track_stack();
73033 +
73034         /* Rough check on arithmetic overflow,
73035            better check is made in ip6_append_data().
73036          */
73037 @@ -909,12 +911,15 @@ do_confirm:
73038  static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
73039                                char __user *optval, int optlen)
73040  {
73041 +       struct icmp6_filter filter;
73042 +
73043         switch (optname) {
73044         case ICMPV6_FILTER:
73045                 if (optlen > sizeof(struct icmp6_filter))
73046                         optlen = sizeof(struct icmp6_filter);
73047 -               if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
73048 +               if (copy_from_user(&filter, optval, optlen))
73049                         return -EFAULT;
73050 +               raw6_sk(sk)->filter = filter;
73051                 return 0;
73052         default:
73053                 return -ENOPROTOOPT;
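Review bot: When optlen is shorter than sizeof(struct icmp6_filter), the bytes of the stack-local `filter` beyond optlen are never written, and the new `raw6_sk(sk)->filter = filter;` copies that uninitialised stack data into the socket, whereas the original partial copy_from_user() left the tail of the existing filter untouched. Since the getsockopt side in the next hunk copies the whole filter back to user space, a short setsockopt now turns into a kernel-stack disclosure (CAP_NET_RAW narrows the audience but does not remove it) and the filter's decision for the unwritten ICMPv6 types becomes nondeterministic. Keep the old semantics by seeding the local from the current filter, `struct icmp6_filter filter = raw6_sk(sk)->filter;`, or memset it to zero and document that a short optlen clears the remainder.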
73054 @@ -927,6 +932,7 @@ static int rawv6_geticmpfilter(struct so
73055                                char __user *optval, int __user *optlen)
73056  {
73057         int len;
73058 +       struct icmp6_filter filter;
73059  
73060         switch (optname) {
73061         case ICMPV6_FILTER:
73062 @@ -938,7 +944,8 @@ static int rawv6_geticmpfilter(struct so
73063                         len = sizeof(struct icmp6_filter);
73064                 if (put_user(len, optlen))
73065                         return -EFAULT;
73066 -               if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
73067 +               filter = raw6_sk(sk)->filter;
73068 +               if (len > sizeof filter || copy_to_user(optval, &filter, len))
73069                         return -EFAULT;
73070                 return 0;
73071         default:
73072 @@ -1245,7 +1252,13 @@ static void raw6_sock_seq_show(struct se
73073                    0, 0L, 0,
73074                    sock_i_uid(sp), 0,
73075                    sock_i_ino(sp),
73076 -                  atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
73077 +                  atomic_read(&sp->sk_refcnt),
73078 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73079 +                  NULL,
73080 +#else
73081 +                  sp,
73082 +#endif
73083 +                  atomic_read_unchecked(&sp->sk_drops));
73084  }
73085  
73086  static int raw6_seq_show(struct seq_file *seq, void *v)
73087 diff -urNp linux-3.1.1/net/ipv6/tcp_ipv6.c linux-3.1.1/net/ipv6/tcp_ipv6.c
73088 --- linux-3.1.1/net/ipv6/tcp_ipv6.c     2011-11-11 15:19:27.000000000 -0500
73089 +++ linux-3.1.1/net/ipv6/tcp_ipv6.c     2011-11-16 18:40:44.000000000 -0500
73090 @@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
73091  }
73092  #endif
73093  
73094 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73095 +extern int grsec_enable_blackhole;
73096 +#endif
73097 +
73098  static void tcp_v6_hash(struct sock *sk)
73099  {
73100         if (sk->sk_state != TCP_CLOSE) {
73101 @@ -1647,6 +1651,9 @@ static int tcp_v6_do_rcv(struct sock *sk
73102         return 0;
73103  
73104  reset:
73105 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73106 +       if (!grsec_enable_blackhole)
73107 +#endif
73108         tcp_v6_send_reset(sk, skb);
73109  discard:
73110         if (opt_skb)
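Review bot: The new `if (!grsec_enable_blackhole)` sits inside the #ifdef while the `tcp_v6_send_reset(sk, skb);` it controls is outside it, so the suppression only works as long as nobody braces that call or inserts a statement between them; spelling out both arms (the guarded call under `#ifdef`, the bare call under `#else`) removes the trap. Unlike the no-socket path later in this file, which exempts IFF_LOOPBACK traffic, this reset is dropped for every interface, so a local peer presumably has to wait for a timeout instead of receiving the RST; if that is intended, a one-line comment saying so would help. Do not simply copy the `skb->dev->flags` test here without checking: I believe tcp_v6_rcv() clears skb->dev before handing the skb to this function (outside the hunk), in which case it would be a NULL dereference. tcp_v6_do_rcv() starts and ends outside this hunk.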
73111 @@ -1726,12 +1733,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
73112         TCP_SKB_CB(skb)->sacked = 0;
73113  
73114         sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
73115 -       if (!sk)
73116 +       if (!sk) {
73117 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73118 +               ret = 1;
73119 +#endif
73120                 goto no_tcp_socket;
73121 +       }
73122  
73123  process:
73124 -       if (sk->sk_state == TCP_TIME_WAIT)
73125 +       if (sk->sk_state == TCP_TIME_WAIT) {
73126 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73127 +               ret = 2;
73128 +#endif
73129                 goto do_time_wait;
73130 +       }
73131  
73132         if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
73133                 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
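Review bot: The new `ret = 1` / `ret = 2` assignments reuse `ret`, which elsewhere in tcp_v6_rcv() is the function's return value (its declaration is outside this hunk), as an encoding of which goto led to no_tcp_socket; the bare constants mean nothing without the later hunk in view, and any future `ret = ...` on a shared path silently changes the blackhole decision. A dedicated local with named values is clearer, e.g. `int blackhole_reason = 0;` and `blackhole_reason = GR_BH_NO_SOCKET;` here, with the reset-site test using the same names. The TIME_WAIT branch also carries `ret = 2` into whatever path do_time_wait takes next (outside this view), so confirm it cannot leak into the value returned to the caller.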
73134 @@ -1779,6 +1794,10 @@ no_tcp_socket:
73135  bad_packet:
73136                 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
73137         } else {
73138 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73139 +               if (!grsec_enable_blackhole || (ret == 1 &&
73140 +                   (skb->dev->flags & IFF_LOOPBACK)))
73141 +#endif
73142                 tcp_v6_send_reset(NULL, skb);
73143         }
73144  
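Review bot: The loopback exemption in the new condition applies only when `ret == 1` (no socket found); if the TIME_WAIT handling can also jump to no_tcp_socket (it sets `ret = 2` in the hunk above, the jump itself is outside this view), that reset is blackholed even on lo. If the asymmetry is deliberate it deserves a comment, otherwise the test reduces to `if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))`. As in the other blackhole sites, the `if` lives inside the #ifdef while the `tcp_v6_send_reset(NULL, skb);` it controls is outside it, so the pairing depends on nobody ever bracing or adding a line before that call; an explicit `#else` arm would make it self-contained.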
73145 @@ -2039,7 +2058,13 @@ static void get_openreq6(struct seq_file
73146                    uid,
73147                    0,  /* non standard timer */
73148                    0, /* open_requests have no inode */
73149 -                  0, req);
73150 +                  0,
73151 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73152 +                  NULL
73153 +#else
73154 +                  req
73155 +#endif
73156 +                  );
73157  }
73158  
73159  static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
73160 @@ -2089,7 +2114,12 @@ static void get_tcp6_sock(struct seq_fil
73161                    sock_i_uid(sp),
73162                    icsk->icsk_probes_out,
73163                    sock_i_ino(sp),
73164 -                  atomic_read(&sp->sk_refcnt), sp,
73165 +                  atomic_read(&sp->sk_refcnt),
73166 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73167 +                  NULL,
73168 +#else
73169 +                  sp,
73170 +#endif
73171                    jiffies_to_clock_t(icsk->icsk_rto),
73172                    jiffies_to_clock_t(icsk->icsk_ack.ato),
73173                    (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
73174 @@ -2124,7 +2154,13 @@ static void get_timewait6_sock(struct se
73175                    dest->s6_addr32[2], dest->s6_addr32[3], destp,
73176                    tw->tw_substate, 0, 0,
73177                    3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
73178 -                  atomic_read(&tw->tw_refcnt), tw);
73179 +                  atomic_read(&tw->tw_refcnt),
73180 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73181 +                  NULL
73182 +#else
73183 +                  tw
73184 +#endif
73185 +                  );
73186  }
73187  
73188  static int tcp6_seq_show(struct seq_file *seq, void *v)
73189 diff -urNp linux-3.1.1/net/ipv6/udp.c linux-3.1.1/net/ipv6/udp.c
73190 --- linux-3.1.1/net/ipv6/udp.c  2011-11-11 15:19:27.000000000 -0500
73191 +++ linux-3.1.1/net/ipv6/udp.c  2011-11-16 18:40:44.000000000 -0500
73192 @@ -50,6 +50,10 @@
73193  #include <linux/seq_file.h>
73194  #include "udp_impl.h"
73195  
73196 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73197 +extern int grsec_enable_blackhole;
73198 +#endif
73199 +
73200  int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
73201  {
73202         const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
73203 @@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
73204  
73205         return 0;
73206  drop:
73207 -       atomic_inc(&sk->sk_drops);
73208 +       atomic_inc_unchecked(&sk->sk_drops);
73209  drop_no_sk_drops_inc:
73210         UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
73211         kfree_skb(skb);
73212 @@ -624,7 +628,7 @@ static void flush_stack(struct sock **st
73213                         continue;
73214                 }
73215  drop:
73216 -               atomic_inc(&sk->sk_drops);
73217 +               atomic_inc_unchecked(&sk->sk_drops);
73218                 UDP6_INC_STATS_BH(sock_net(sk),
73219                                 UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
73220                 UDP6_INC_STATS_BH(sock_net(sk),
73221 @@ -779,6 +783,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, 
73222                 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
73223                                 proto == IPPROTO_UDPLITE);
73224  
73225 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73226 +               if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
73227 +#endif
73228                 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
73229  
73230                 kfree_skb(skb);
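Review bot: The new `if` is inside the #ifdef while the `icmpv6_send(...)` it guards is outside it, so correctness hinges on that call staying a single unbraced statement immediately after `#endif`; write both configurations out (the guarded call under `#ifdef`, the bare call under `#else`) or at least add `/* the icmpv6_send() below is skipped when blackholing is enabled on a non-loopback device */` so the dependency is visible. The IFF_LOOPBACK carve-out is the right call here, since local resolvers and tools rely on port-unreachable on lo; keep it if the condition is ever restructured. __udp6_lib_rcv() starts and ends outside this hunk.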
73231 @@ -795,7 +802,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, 
73232         if (!sock_owned_by_user(sk))
73233                 udpv6_queue_rcv_skb(sk, skb);
73234         else if (sk_add_backlog(sk, skb)) {
73235 -               atomic_inc(&sk->sk_drops);
73236 +               atomic_inc_unchecked(&sk->sk_drops);
73237                 bh_unlock_sock(sk);
73238                 sock_put(sk);
73239                 goto discard;
73240 @@ -1406,8 +1413,13 @@ static void udp6_sock_seq_show(struct se
73241                    0, 0L, 0,
73242                    sock_i_uid(sp), 0,
73243                    sock_i_ino(sp),
73244 -                  atomic_read(&sp->sk_refcnt), sp,
73245 -                  atomic_read(&sp->sk_drops));
73246 +                  atomic_read(&sp->sk_refcnt),
73247 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73248 +                  NULL,
73249 +#else
73250 +                  sp,
73251 +#endif
73252 +                  atomic_read_unchecked(&sp->sk_drops));
73253  }
73254  
73255  int udp6_seq_show(struct seq_file *seq, void *v)
73256 diff -urNp linux-3.1.1/net/irda/ircomm/ircomm_tty.c linux-3.1.1/net/irda/ircomm/ircomm_tty.c
73257 --- linux-3.1.1/net/irda/ircomm/ircomm_tty.c    2011-11-11 15:19:27.000000000 -0500
73258 +++ linux-3.1.1/net/irda/ircomm/ircomm_tty.c    2011-11-16 18:39:08.000000000 -0500
73259 @@ -282,16 +282,16 @@ static int ircomm_tty_block_til_ready(st
73260         add_wait_queue(&self->open_wait, &wait);
73261  
73262         IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
73263 -             __FILE__,__LINE__, tty->driver->name, self->open_count );
73264 +             __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
73265  
73266         /* As far as I can see, we protect open_count - Jean II */
73267         spin_lock_irqsave(&self->spinlock, flags);
73268         if (!tty_hung_up_p(filp)) {
73269                 extra_count = 1;
73270 -               self->open_count--;
73271 +               local_dec(&self->open_count);
73272         }
73273         spin_unlock_irqrestore(&self->spinlock, flags);
73274 -       self->blocked_open++;
73275 +       local_inc(&self->blocked_open);
73276  
73277         while (1) {
73278                 if (tty->termios->c_cflag & CBAUD) {
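Review bot: local_read() (atomic_long_read() underneath) returns a long, so the two IRDA_DEBUG lines in this hunk now pass a long to a `%d` conversion; use `%ld` or an explicit cast, e.g. `"... open_count=%ld\n", ..., local_read(&self->open_count)`, and the same applies to every other `%d` converted in this file. Separately, local_t operations are only atomic against the CPU executing them, not across CPUs, and `local_inc(&self->blocked_open)` runs after `self->spinlock` has been dropped two lines above; the conversion therefore does not make blocked_open SMP-safe, and the lock (or an atomic_t) is still needed if two openers can race. ircomm_tty_block_til_ready() continues outside the hunk.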
73279 @@ -331,7 +331,7 @@ static int ircomm_tty_block_til_ready(st
73280                 }
73281  
73282                 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
73283 -                     __FILE__,__LINE__, tty->driver->name, self->open_count );
73284 +                     __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
73285  
73286                 schedule();
73287         }
73288 @@ -342,13 +342,13 @@ static int ircomm_tty_block_til_ready(st
73289         if (extra_count) {
73290                 /* ++ is not atomic, so this should be protected - Jean II */
73291                 spin_lock_irqsave(&self->spinlock, flags);
73292 -               self->open_count++;
73293 +               local_inc(&self->open_count);
73294                 spin_unlock_irqrestore(&self->spinlock, flags);
73295         }
73296 -       self->blocked_open--;
73297 +       local_dec(&self->blocked_open);
73298  
73299         IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
73300 -             __FILE__,__LINE__, tty->driver->name, self->open_count);
73301 +             __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
73302  
73303         if (!retval)
73304                 self->flags |= ASYNC_NORMAL_ACTIVE;
73305 @@ -417,14 +417,14 @@ static int ircomm_tty_open(struct tty_st
73306         }
73307         /* ++ is not atomic, so this should be protected - Jean II */
73308         spin_lock_irqsave(&self->spinlock, flags);
73309 -       self->open_count++;
73310 +       local_inc(&self->open_count);
73311  
73312         tty->driver_data = self;
73313         self->tty = tty;
73314         spin_unlock_irqrestore(&self->spinlock, flags);
73315  
73316         IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
73317 -                  self->line, self->open_count);
73318 +                  self->line, local_read(&self->open_count));
73319  
73320         /* Not really used by us, but lets do it anyway */
73321         self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
73322 @@ -510,7 +510,7 @@ static void ircomm_tty_close(struct tty_
73323                 return;
73324         }
73325  
73326 -       if ((tty->count == 1) && (self->open_count != 1)) {
73327 +       if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
73328                 /*
73329                  * Uh, oh.  tty->count is 1, which means that the tty
73330                  * structure will be freed.  state->count should always
73331 @@ -520,16 +520,16 @@ static void ircomm_tty_close(struct tty_
73332                  */
73333                 IRDA_DEBUG(0, "%s(), bad serial port count; "
73334                            "tty->count is 1, state->count is %d\n", __func__ ,
73335 -                          self->open_count);
73336 -               self->open_count = 1;
73337 +                          local_read(&self->open_count));
73338 +               local_set(&self->open_count, 1);
73339         }
73340  
73341 -       if (--self->open_count < 0) {
73342 +       if (local_dec_return(&self->open_count) < 0) {
73343                 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
73344 -                          __func__, self->line, self->open_count);
73345 -               self->open_count = 0;
73346 +                          __func__, self->line, local_read(&self->open_count));
73347 +               local_set(&self->open_count, 0);
73348         }
73349 -       if (self->open_count) {
73350 +       if (local_read(&self->open_count)) {
73351                 spin_unlock_irqrestore(&self->spinlock, flags);
73352  
73353                 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
73354 @@ -561,7 +561,7 @@ static void ircomm_tty_close(struct tty_
73355         tty->closing = 0;
73356         self->tty = NULL;
73357  
73358 -       if (self->blocked_open) {
73359 +       if (local_read(&self->blocked_open)) {
73360                 if (self->close_delay)
73361                         schedule_timeout_interruptible(self->close_delay);
73362                 wake_up_interruptible(&self->open_wait);
73363 @@ -1013,7 +1013,7 @@ static void ircomm_tty_hangup(struct tty
73364         spin_lock_irqsave(&self->spinlock, flags);
73365         self->flags &= ~ASYNC_NORMAL_ACTIVE;
73366         self->tty = NULL;
73367 -       self->open_count = 0;
73368 +       local_set(&self->open_count, 0);
73369         spin_unlock_irqrestore(&self->spinlock, flags);
73370  
73371         wake_up_interruptible(&self->open_wait);
73372 @@ -1360,7 +1360,7 @@ static void ircomm_tty_line_info(struct 
73373         seq_putc(m, '\n');
73374  
73375         seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
73376 -       seq_printf(m, "Open count: %d\n", self->open_count);
73377 +       seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
73378         seq_printf(m, "Max data size: %d\n", self->max_data_size);
73379         seq_printf(m, "Max header size: %d\n", self->max_header_size);
73380  
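Review bot: `seq_printf(m, "Open count: %d\n", local_read(&self->open_count))` passes the long returned by local_read() to a `%d` conversion; change it to `seq_printf(m, "Open count: %ld\n", local_read(&self->open_count));` (or cast to int) so the format check stays clean and the output is correct on 64-bit. The other `%d`/local_read() pairs introduced in this file have the same mismatch.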
73381 diff -urNp linux-3.1.1/net/iucv/af_iucv.c linux-3.1.1/net/iucv/af_iucv.c
73382 --- linux-3.1.1/net/iucv/af_iucv.c      2011-11-11 15:19:27.000000000 -0500
73383 +++ linux-3.1.1/net/iucv/af_iucv.c      2011-11-16 18:39:08.000000000 -0500
73384 @@ -648,10 +648,10 @@ static int iucv_sock_autobind(struct soc
73385  
73386         write_lock_bh(&iucv_sk_list.lock);
73387  
73388 -       sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
73389 +       sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
73390         while (__iucv_get_sock_by_name(name)) {
73391                 sprintf(name, "%08x",
73392 -                       atomic_inc_return(&iucv_sk_list.autobind_name));
73393 +                       atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
73394         }
73395  
73396         write_unlock_bh(&iucv_sk_list.lock);
73397 diff -urNp linux-3.1.1/net/key/af_key.c linux-3.1.1/net/key/af_key.c
73398 --- linux-3.1.1/net/key/af_key.c        2011-11-11 15:19:27.000000000 -0500
73399 +++ linux-3.1.1/net/key/af_key.c        2011-11-16 18:40:44.000000000 -0500
73400 @@ -2481,6 +2481,8 @@ static int pfkey_migrate(struct sock *sk
73401         struct xfrm_migrate m[XFRM_MAX_DEPTH];
73402         struct xfrm_kmaddress k;
73403  
73404 +       pax_track_stack();
73405 +
73406         if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
73407                                      ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
73408             !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
73409 @@ -3016,10 +3018,10 @@ static int pfkey_send_policy_notify(stru
73410  static u32 get_acqseq(void)
73411  {
73412         u32 res;
73413 -       static atomic_t acqseq;
73414 +       static atomic_unchecked_t acqseq;
73415  
73416         do {
73417 -               res = atomic_inc_return(&acqseq);
73418 +               res = atomic_inc_return_unchecked(&acqseq);
73419         } while (!res);
73420         return res;
73421  }
73422 diff -urNp linux-3.1.1/net/lapb/lapb_iface.c linux-3.1.1/net/lapb/lapb_iface.c
73423 --- linux-3.1.1/net/lapb/lapb_iface.c   2011-11-11 15:19:27.000000000 -0500
73424 +++ linux-3.1.1/net/lapb/lapb_iface.c   2011-11-16 18:39:08.000000000 -0500
73425 @@ -158,7 +158,7 @@ int lapb_register(struct net_device *dev
73426                 goto out;
73427  
73428         lapb->dev       = dev;
73429 -       lapb->callbacks = *callbacks;
73430 +       lapb->callbacks = callbacks;
73431  
73432         __lapb_insert_cb(lapb);
73433  
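Review bot: `lapb->callbacks = callbacks;` stores the caller's pointer where the old code copied the struct by value, so the `struct lapb_register_struct` handed to lapb_register() must now outlive the registration and must not be modified afterwards; any caller that passes a stack or otherwise temporary object leaves the function pointers dereferenced in the hunks below dangling, a use-after-free that hands an attacker an indirect-call target. This hunk does not show the callers or the header change that turns `callbacks` into a pointer (presumably `const struct lapb_register_struct *`), so both should be checked in the same change. The new contract deserves a comment at this line, e.g. `/* not copied: the caller's table must stay valid until the device is unregistered */`. lapb_register() starts and ends outside this hunk.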
73434 @@ -380,32 +380,32 @@ int lapb_data_received(struct net_device
73435  
73436  void lapb_connect_confirmation(struct lapb_cb *lapb, int reason)
73437  {
73438 -       if (lapb->callbacks.connect_confirmation)
73439 -               lapb->callbacks.connect_confirmation(lapb->dev, reason);
73440 +       if (lapb->callbacks->connect_confirmation)
73441 +               lapb->callbacks->connect_confirmation(lapb->dev, reason);
73442  }
73443  
73444  void lapb_connect_indication(struct lapb_cb *lapb, int reason)
73445  {
73446 -       if (lapb->callbacks.connect_indication)
73447 -               lapb->callbacks.connect_indication(lapb->dev, reason);
73448 +       if (lapb->callbacks->connect_indication)
73449 +               lapb->callbacks->connect_indication(lapb->dev, reason);
73450  }
73451  
73452  void lapb_disconnect_confirmation(struct lapb_cb *lapb, int reason)
73453  {
73454 -       if (lapb->callbacks.disconnect_confirmation)
73455 -               lapb->callbacks.disconnect_confirmation(lapb->dev, reason);
73456 +       if (lapb->callbacks->disconnect_confirmation)
73457 +               lapb->callbacks->disconnect_confirmation(lapb->dev, reason);
73458  }
73459  
73460  void lapb_disconnect_indication(struct lapb_cb *lapb, int reason)
73461  {
73462 -       if (lapb->callbacks.disconnect_indication)
73463 -               lapb->callbacks.disconnect_indication(lapb->dev, reason);
73464 +       if (lapb->callbacks->disconnect_indication)
73465 +               lapb->callbacks->disconnect_indication(lapb->dev, reason);
73466  }
73467  
73468  int lapb_data_indication(struct lapb_cb *lapb, struct sk_buff *skb)
73469  {
73470 -       if (lapb->callbacks.data_indication)
73471 -               return lapb->callbacks.data_indication(lapb->dev, skb);
73472 +       if (lapb->callbacks->data_indication)
73473 +               return lapb->callbacks->data_indication(lapb->dev, skb);
73474  
73475         kfree_skb(skb);
73476         return NET_RX_SUCCESS; /* For now; must be != NET_RX_DROP */
73477 @@ -415,8 +415,8 @@ int lapb_data_transmit(struct lapb_cb *l
73478  {
73479         int used = 0;
73480  
73481 -       if (lapb->callbacks.data_transmit) {
73482 -               lapb->callbacks.data_transmit(lapb->dev, skb);
73483 +       if (lapb->callbacks->data_transmit) {
73484 +               lapb->callbacks->data_transmit(lapb->dev, skb);
73485                 used = 1;
73486         }
73487  
73488 diff -urNp linux-3.1.1/net/mac80211/debugfs_sta.c linux-3.1.1/net/mac80211/debugfs_sta.c
73489 --- linux-3.1.1/net/mac80211/debugfs_sta.c      2011-11-11 15:19:27.000000000 -0500
73490 +++ linux-3.1.1/net/mac80211/debugfs_sta.c      2011-11-16 18:40:44.000000000 -0500
73491 @@ -140,6 +140,8 @@ static ssize_t sta_agg_status_read(struc
73492         struct tid_ampdu_rx *tid_rx;
73493         struct tid_ampdu_tx *tid_tx;
73494  
73495 +       pax_track_stack();
73496 +
73497         rcu_read_lock();
73498  
73499         p += scnprintf(p, sizeof(buf) + buf - p, "next dialog_token: %#02x\n",
73500 @@ -240,6 +242,8 @@ static ssize_t sta_ht_capa_read(struct f
73501         struct sta_info *sta = file->private_data;
73502         struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
73503  
73504 +       pax_track_stack();
73505 +
73506         p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
73507                         htc->ht_supported ? "" : "not ");
73508         if (htc->ht_supported) {
73509 diff -urNp linux-3.1.1/net/mac80211/ieee80211_i.h linux-3.1.1/net/mac80211/ieee80211_i.h
73510 --- linux-3.1.1/net/mac80211/ieee80211_i.h      2011-11-11 15:19:27.000000000 -0500
73511 +++ linux-3.1.1/net/mac80211/ieee80211_i.h      2011-11-16 18:39:08.000000000 -0500
73512 @@ -27,6 +27,7 @@
73513  #include <net/ieee80211_radiotap.h>
73514  #include <net/cfg80211.h>
73515  #include <net/mac80211.h>
73516 +#include <asm/local.h>
73517  #include "key.h"
73518  #include "sta_info.h"
73519  
73520 @@ -754,7 +755,7 @@ struct ieee80211_local {
73521         /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
73522         spinlock_t queue_stop_reason_lock;
73523  
73524 -       int open_count;
73525 +       local_t open_count;
73526         int monitors, cooked_mntrs;
73527         /* number of interfaces with corresponding FIF_ flags */
73528         int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
73529 diff -urNp linux-3.1.1/net/mac80211/iface.c linux-3.1.1/net/mac80211/iface.c
73530 --- linux-3.1.1/net/mac80211/iface.c    2011-11-11 15:19:27.000000000 -0500
73531 +++ linux-3.1.1/net/mac80211/iface.c    2011-11-16 18:39:08.000000000 -0500
73532 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
73533                 break;
73534         }
73535  
73536 -       if (local->open_count == 0) {
73537 +       if (local_read(&local->open_count) == 0) {
73538                 res = drv_start(local);
73539                 if (res)
73540                         goto err_del_bss;
73541 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
73542                 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
73543  
73544                 if (!is_valid_ether_addr(dev->dev_addr)) {
73545 -                       if (!local->open_count)
73546 +                       if (!local_read(&local->open_count))
73547                                 drv_stop(local);
73548                         return -EADDRNOTAVAIL;
73549                 }
73550 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
73551         mutex_unlock(&local->mtx);
73552  
73553         if (coming_up)
73554 -               local->open_count++;
73555 +               local_inc(&local->open_count);
73556  
73557         if (hw_reconf_flags) {
73558                 ieee80211_hw_config(local, hw_reconf_flags);
73559 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
73560   err_del_interface:
73561         drv_remove_interface(local, &sdata->vif);
73562   err_stop:
73563 -       if (!local->open_count)
73564 +       if (!local_read(&local->open_count))
73565                 drv_stop(local);
73566   err_del_bss:
73567         sdata->bss = NULL;
73568 @@ -474,7 +474,7 @@ static void ieee80211_do_stop(struct iee
73569         }
73570  
73571         if (going_down)
73572 -               local->open_count--;
73573 +               local_dec(&local->open_count);
73574  
73575         switch (sdata->vif.type) {
73576         case NL80211_IFTYPE_AP_VLAN:
73577 @@ -533,7 +533,7 @@ static void ieee80211_do_stop(struct iee
73578  
73579         ieee80211_recalc_ps(local, -1);
73580  
73581 -       if (local->open_count == 0) {
73582 +       if (local_read(&local->open_count) == 0) {
73583                 if (local->ops->napi_poll)
73584                         napi_disable(&local->napi);
73585                 ieee80211_clear_tx_pending(local);
73586 diff -urNp linux-3.1.1/net/mac80211/main.c linux-3.1.1/net/mac80211/main.c
73587 --- linux-3.1.1/net/mac80211/main.c     2011-11-11 15:19:27.000000000 -0500
73588 +++ linux-3.1.1/net/mac80211/main.c     2011-11-16 18:39:08.000000000 -0500
73589 @@ -209,7 +209,7 @@ int ieee80211_hw_config(struct ieee80211
73590                 local->hw.conf.power_level = power;
73591         }
73592  
73593 -       if (changed && local->open_count) {
73594 +       if (changed && local_read(&local->open_count)) {
73595                 ret = drv_config(local, changed);
73596                 /*
73597                  * Goal:
73598 diff -urNp linux-3.1.1/net/mac80211/mlme.c linux-3.1.1/net/mac80211/mlme.c
73599 --- linux-3.1.1/net/mac80211/mlme.c     2011-11-11 15:19:27.000000000 -0500
73600 +++ linux-3.1.1/net/mac80211/mlme.c     2011-11-16 18:40:44.000000000 -0500
73601 @@ -1464,6 +1464,8 @@ static bool ieee80211_assoc_success(stru
73602         bool have_higher_than_11mbit = false;
73603         u16 ap_ht_cap_flags;
73604  
73605 +       pax_track_stack();
73606 +
73607         /* AssocResp and ReassocResp have identical structure */
73608  
73609         aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
73610 diff -urNp linux-3.1.1/net/mac80211/pm.c linux-3.1.1/net/mac80211/pm.c
73611 --- linux-3.1.1/net/mac80211/pm.c       2011-11-11 15:19:27.000000000 -0500
73612 +++ linux-3.1.1/net/mac80211/pm.c       2011-11-16 18:39:08.000000000 -0500
73613 @@ -34,7 +34,7 @@ int __ieee80211_suspend(struct ieee80211
73614         struct ieee80211_sub_if_data *sdata;
73615         struct sta_info *sta;
73616  
73617 -       if (!local->open_count)
73618 +       if (!local_read(&local->open_count))
73619                 goto suspend;
73620  
73621         ieee80211_scan_cancel(local);
73622 @@ -72,7 +72,7 @@ int __ieee80211_suspend(struct ieee80211
73623         cancel_work_sync(&local->dynamic_ps_enable_work);
73624         del_timer_sync(&local->dynamic_ps_timer);
73625  
73626 -       local->wowlan = wowlan && local->open_count;
73627 +       local->wowlan = wowlan && local_read(&local->open_count);
73628         if (local->wowlan) {
73629                 int err = drv_suspend(local, wowlan);
73630                 if (err < 0) {
73631 @@ -129,7 +129,7 @@ int __ieee80211_suspend(struct ieee80211
73632         }
73633  
73634         /* stop hardware - this must stop RX */
73635 -       if (local->open_count)
73636 +       if (local_read(&local->open_count))
73637                 ieee80211_stop_device(local);
73638  
73639   suspend:
73640 diff -urNp linux-3.1.1/net/mac80211/rate.c linux-3.1.1/net/mac80211/rate.c
73641 --- linux-3.1.1/net/mac80211/rate.c     2011-11-11 15:19:27.000000000 -0500
73642 +++ linux-3.1.1/net/mac80211/rate.c     2011-11-16 18:39:08.000000000 -0500
73643 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct 
73644  
73645         ASSERT_RTNL();
73646  
73647 -       if (local->open_count)
73648 +       if (local_read(&local->open_count))
73649                 return -EBUSY;
73650  
73651         if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
73652 diff -urNp linux-3.1.1/net/mac80211/rc80211_pid_debugfs.c linux-3.1.1/net/mac80211/rc80211_pid_debugfs.c
73653 --- linux-3.1.1/net/mac80211/rc80211_pid_debugfs.c      2011-11-11 15:19:27.000000000 -0500
73654 +++ linux-3.1.1/net/mac80211/rc80211_pid_debugfs.c      2011-11-16 18:39:08.000000000 -0500
73655 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
73656  
73657         spin_unlock_irqrestore(&events->lock, status);
73658  
73659 -       if (copy_to_user(buf, pb, p))
73660 +       if (p > sizeof(pb) || copy_to_user(buf, pb, p))
73661                 return -EFAULT;
73662  
73663         return p;
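Review bot: The new `p > sizeof(pb)` guard returns -EFAULT for what is an internal formatting overrun, not a bad user address, so a reader of the debugfs file cannot tell the two apart. If the formatting above (outside the hunk) can leave `p` larger than the buffer — snprintf() returns the would-be length rather than the bytes written — clamp instead of failing, `if (p > sizeof(pb)) p = sizeof(pb);` before the copy_to_user(), or switch those calls to scnprintf() so `p` can never exceed the buffer and the guard becomes a WARN_ON_ONCE(). The enclosing read handler starts before this hunk.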
73664 diff -urNp linux-3.1.1/net/mac80211/util.c linux-3.1.1/net/mac80211/util.c
73665 --- linux-3.1.1/net/mac80211/util.c     2011-11-11 15:19:27.000000000 -0500
73666 +++ linux-3.1.1/net/mac80211/util.c     2011-11-16 18:39:08.000000000 -0500
73667 @@ -1166,7 +1166,7 @@ int ieee80211_reconfig(struct ieee80211_
73668         drv_set_coverage_class(local, hw->wiphy->coverage_class);
73669  
73670         /* everything else happens only if HW was up & running */
73671 -       if (!local->open_count)
73672 +       if (!local_read(&local->open_count))
73673                 goto wake_up;
73674  
73675         /*
73676 diff -urNp linux-3.1.1/net/netfilter/ipvs/ip_vs_conn.c linux-3.1.1/net/netfilter/ipvs/ip_vs_conn.c
73677 --- linux-3.1.1/net/netfilter/ipvs/ip_vs_conn.c 2011-11-11 15:19:27.000000000 -0500
73678 +++ linux-3.1.1/net/netfilter/ipvs/ip_vs_conn.c 2011-11-16 18:39:08.000000000 -0500
73679 @@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
73680         /* Increase the refcnt counter of the dest */
73681         atomic_inc(&dest->refcnt);
73682  
73683 -       conn_flags = atomic_read(&dest->conn_flags);
73684 +       conn_flags = atomic_read_unchecked(&dest->conn_flags);
73685         if (cp->protocol != IPPROTO_UDP)
73686                 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
73687         /* Bind with the destination and its corresponding transmitter */
73688 @@ -869,7 +869,7 @@ ip_vs_conn_new(const struct ip_vs_conn_p
73689         atomic_set(&cp->refcnt, 1);
73690  
73691         atomic_set(&cp->n_control, 0);
73692 -       atomic_set(&cp->in_pkts, 0);
73693 +       atomic_set_unchecked(&cp->in_pkts, 0);
73694  
73695         atomic_inc(&ipvs->conn_count);
73696         if (flags & IP_VS_CONN_F_NO_CPORT)
73697 @@ -1149,7 +1149,7 @@ static inline int todrop_entry(struct ip
73698  
73699         /* Don't drop the entry if its number of incoming packets is not
73700            located in [0, 8] */
73701 -       i = atomic_read(&cp->in_pkts);
73702 +       i = atomic_read_unchecked(&cp->in_pkts);
73703         if (i > 8 || i < 0) return 0;
73704  
73705         if (!todrop_rate[i]) return 0;
73706 diff -urNp linux-3.1.1/net/netfilter/ipvs/ip_vs_core.c linux-3.1.1/net/netfilter/ipvs/ip_vs_core.c
73707 --- linux-3.1.1/net/netfilter/ipvs/ip_vs_core.c 2011-11-11 15:19:27.000000000 -0500
73708 +++ linux-3.1.1/net/netfilter/ipvs/ip_vs_core.c 2011-11-16 18:39:08.000000000 -0500
73709 @@ -563,7 +563,7 @@ int ip_vs_leave(struct ip_vs_service *sv
73710                 ret = cp->packet_xmit(skb, cp, pd->pp);
73711                 /* do not touch skb anymore */
73712  
73713 -               atomic_inc(&cp->in_pkts);
73714 +               atomic_inc_unchecked(&cp->in_pkts);
73715                 ip_vs_conn_put(cp);
73716                 return ret;
73717         }
73718 @@ -1612,7 +1612,7 @@ ip_vs_in(unsigned int hooknum, struct sk
73719         if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
73720                 pkts = sysctl_sync_threshold(ipvs);
73721         else
73722 -               pkts = atomic_add_return(1, &cp->in_pkts);
73723 +               pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
73724  
73725         if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
73726             cp->protocol == IPPROTO_SCTP) {
73727 diff -urNp linux-3.1.1/net/netfilter/ipvs/ip_vs_ctl.c linux-3.1.1/net/netfilter/ipvs/ip_vs_ctl.c
73728 --- linux-3.1.1/net/netfilter/ipvs/ip_vs_ctl.c  2011-11-11 15:19:27.000000000 -0500
73729 +++ linux-3.1.1/net/netfilter/ipvs/ip_vs_ctl.c  2011-11-16 19:13:12.000000000 -0500
73730 @@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service
73731                 ip_vs_rs_hash(ipvs, dest);
73732                 write_unlock_bh(&ipvs->rs_lock);
73733         }
73734 -       atomic_set(&dest->conn_flags, conn_flags);
73735 +       atomic_set_unchecked(&dest->conn_flags, conn_flags);
73736  
73737         /* bind the service */
73738         if (!dest->svc) {
73739 @@ -2027,7 +2027,7 @@ static int ip_vs_info_seq_show(struct se
73740                                            "      %-7s %-6d %-10d %-10d\n",
73741                                            &dest->addr.in6,
73742                                            ntohs(dest->port),
73743 -                                          ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
73744 +                                          ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
73745                                            atomic_read(&dest->weight),
73746                                            atomic_read(&dest->activeconns),
73747                                            atomic_read(&dest->inactconns));
73748 @@ -2038,7 +2038,7 @@ static int ip_vs_info_seq_show(struct se
73749                                            "%-7s %-6d %-10d %-10d\n",
73750                                            ntohl(dest->addr.ip),
73751                                            ntohs(dest->port),
73752 -                                          ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
73753 +                                          ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
73754                                            atomic_read(&dest->weight),
73755                                            atomic_read(&dest->activeconns),
73756                                            atomic_read(&dest->inactconns));
73757 @@ -2285,6 +2285,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
73758         struct ip_vs_dest_user_kern udest;
73759         struct netns_ipvs *ipvs = net_ipvs(net);
73760  
73761 +       pax_track_stack();
73762 +
73763         if (!capable(CAP_NET_ADMIN))
73764                 return -EPERM;
73765  
73766 @@ -2508,7 +2510,7 @@ __ip_vs_get_dest_entries(struct net *net
73767  
73768                         entry.addr = dest->addr.ip;
73769                         entry.port = dest->port;
73770 -                       entry.conn_flags = atomic_read(&dest->conn_flags);
73771 +                       entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
73772                         entry.weight = atomic_read(&dest->weight);
73773                         entry.u_threshold = dest->u_threshold;
73774                         entry.l_threshold = dest->l_threshold;
73775 @@ -3041,7 +3043,7 @@ static int ip_vs_genl_fill_dest(struct s
73776         NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
73777  
73778         NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
73779 -                   atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
73780 +                   atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
73781         NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
73782         NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
73783         NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
73784 diff -urNp linux-3.1.1/net/netfilter/ipvs/ip_vs_sync.c linux-3.1.1/net/netfilter/ipvs/ip_vs_sync.c
73785 --- linux-3.1.1/net/netfilter/ipvs/ip_vs_sync.c 2011-11-11 15:19:27.000000000 -0500
73786 +++ linux-3.1.1/net/netfilter/ipvs/ip_vs_sync.c 2011-11-16 18:39:08.000000000 -0500
73787 @@ -649,7 +649,7 @@ control:
73788          * i.e only increment in_pkts for Templates.
73789          */
73790         if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
73791 -               int pkts = atomic_add_return(1, &cp->in_pkts);
73792 +               int pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
73793  
73794                 if (pkts % sysctl_sync_period(ipvs) != 1)
73795                         return;
73796 @@ -795,7 +795,7 @@ static void ip_vs_proc_conn(struct net *
73797  
73798         if (opt)
73799                 memcpy(&cp->in_seq, opt, sizeof(*opt));
73800 -       atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
73801 +       atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
73802         cp->state = state;
73803         cp->old_state = cp->state;
73804         /*
73805 diff -urNp linux-3.1.1/net/netfilter/ipvs/ip_vs_xmit.c linux-3.1.1/net/netfilter/ipvs/ip_vs_xmit.c
73806 --- linux-3.1.1/net/netfilter/ipvs/ip_vs_xmit.c 2011-11-11 15:19:27.000000000 -0500
73807 +++ linux-3.1.1/net/netfilter/ipvs/ip_vs_xmit.c 2011-11-16 18:39:08.000000000 -0500
73808 @@ -1151,7 +1151,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
73809                 else
73810                         rc = NF_ACCEPT;
73811                 /* do not touch skb anymore */
73812 -               atomic_inc(&cp->in_pkts);
73813 +               atomic_inc_unchecked(&cp->in_pkts);
73814                 goto out;
73815         }
73816  
73817 @@ -1272,7 +1272,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, 
73818                 else
73819                         rc = NF_ACCEPT;
73820                 /* do not touch skb anymore */
73821 -               atomic_inc(&cp->in_pkts);
73822 +               atomic_inc_unchecked(&cp->in_pkts);
73823                 goto out;
73824         }
73825  
73826 diff -urNp linux-3.1.1/net/netfilter/Kconfig linux-3.1.1/net/netfilter/Kconfig
73827 --- linux-3.1.1/net/netfilter/Kconfig   2011-11-11 15:19:27.000000000 -0500
73828 +++ linux-3.1.1/net/netfilter/Kconfig   2011-11-16 18:40:44.000000000 -0500
73829 @@ -781,6 +781,16 @@ config NETFILTER_XT_MATCH_ESP
73830  
73831           To compile it as a module, choose M here.  If unsure, say N.
73832  
73833 +config NETFILTER_XT_MATCH_GRADM
73834 +       tristate '"gradm" match support'
73835 +       depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
73836 +       depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
73837 +       ---help---
73838 +         The gradm match allows to match on grsecurity RBAC being enabled.
73839 +         It is useful when iptables rules are applied early on bootup to
73840 +         prevent connections to the machine (except from a trusted host)
73841 +         while the RBAC system is disabled.
73842 +
73843  config NETFILTER_XT_MATCH_HASHLIMIT
73844         tristate '"hashlimit" match support'
73845         depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
73846 diff -urNp linux-3.1.1/net/netfilter/Makefile linux-3.1.1/net/netfilter/Makefile
73847 --- linux-3.1.1/net/netfilter/Makefile  2011-11-11 15:19:27.000000000 -0500
73848 +++ linux-3.1.1/net/netfilter/Makefile  2011-11-16 18:40:44.000000000 -0500
73849 @@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) +=
73850  obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
73851  obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
73852  obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
73853 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
73854  obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
73855  obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
73856  obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
73857 diff -urNp linux-3.1.1/net/netfilter/nfnetlink_log.c linux-3.1.1/net/netfilter/nfnetlink_log.c
73858 --- linux-3.1.1/net/netfilter/nfnetlink_log.c   2011-11-11 15:19:27.000000000 -0500
73859 +++ linux-3.1.1/net/netfilter/nfnetlink_log.c   2011-11-16 18:39:08.000000000 -0500
73860 @@ -70,7 +70,7 @@ struct nfulnl_instance {
73861  };
73862  
73863  static DEFINE_SPINLOCK(instances_lock);
73864 -static atomic_t global_seq;
73865 +static atomic_unchecked_t global_seq;
73866  
73867  #define INSTANCE_BUCKETS       16
73868  static struct hlist_head instance_table[INSTANCE_BUCKETS];
73869 @@ -505,7 +505,7 @@ __build_packet_message(struct nfulnl_ins
73870         /* global sequence number */
73871         if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
73872                 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
73873 -                            htonl(atomic_inc_return(&global_seq)));
73874 +                            htonl(atomic_inc_return_unchecked(&global_seq)));
73875  
73876         if (data_len) {
73877                 struct nlattr *nla;
73878 diff -urNp linux-3.1.1/net/netfilter/xt_gradm.c linux-3.1.1/net/netfilter/xt_gradm.c
73879 --- linux-3.1.1/net/netfilter/xt_gradm.c        1969-12-31 19:00:00.000000000 -0500
73880 +++ linux-3.1.1/net/netfilter/xt_gradm.c        2011-11-16 18:40:44.000000000 -0500
73881 @@ -0,0 +1,51 @@
73882 +/*
73883 + *     gradm match for netfilter
73884 + *     Copyright Â© Zbigniew Krzystolik, 2010
73885 + *
73886 + *     This program is free software; you can redistribute it and/or modify
73887 + *     it under the terms of the GNU General Public License; either version
73888 + *     2 or 3 as published by the Free Software Foundation.
73889 + */
73890 +#include <linux/module.h>
73891 +#include <linux/moduleparam.h>
73892 +#include <linux/skbuff.h>
73893 +#include <linux/netfilter/x_tables.h>
73894 +#include <linux/grsecurity.h>
73895 +#include <linux/netfilter/xt_gradm.h>
73896 +
73897 +static bool
73898 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
73899 +{
73900 +       const struct xt_gradm_mtinfo *info = par->matchinfo;
73901 +       bool retval = false;
73902 +       if (gr_acl_is_enabled())
73903 +               retval = true;
73904 +       return retval ^ info->invflags;
73905 +}
73906 +
73907 +static struct xt_match gradm_mt_reg __read_mostly = {
73908 +               .name       = "gradm",
73909 +               .revision   = 0,
73910 +               .family     = NFPROTO_UNSPEC,
73911 +               .match      = gradm_mt,
73912 +               .matchsize  = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
73913 +               .me         = THIS_MODULE,
73914 +};
73915 +
73916 +static int __init gradm_mt_init(void)
73917 +{       
73918 +               return xt_register_match(&gradm_mt_reg);
73919 +}
73920 +
73921 +static void __exit gradm_mt_exit(void)
73922 +{       
73923 +               xt_unregister_match(&gradm_mt_reg);
73924 +}
73925 +
73926 +module_init(gradm_mt_init);
73927 +module_exit(gradm_mt_exit);
73928 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
73929 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
73930 +MODULE_LICENSE("GPL");
73931 +MODULE_ALIAS("ipt_gradm");
73932 +MODULE_ALIAS("ip6t_gradm");
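Review bot: `gradm_mt` returns `retval ^ info->invflags`, which only acts as an inversion when `invflags` is exactly 0 or 1; for any other value (the field's type and defined bits are in xt_gradm.h, not visible here) both branches are non-zero and the rule matches unconditionally. Normalising the flag with `!!` removes that dependence, and a `.checkentry` callback that rejects unknown bits refuses a malformed rule at insertion time, the way `statistic_mt_check` in xt_statistic.c below validates its own match info. The match never touches the packet, so `<linux/moduleparam.h>` is unused and can be dropped; the struct initialiser and the `{` lines of init/exit also carry odd indentation and trailing whitespace.
```c
static int gradm_mt_check(const struct xt_mtchk_param *par)
{
	const struct xt_gradm_mtinfo *info = par->matchinfo;

	/* only the invert bit is defined (assumes the header defines no others) */
	return (info->invflags & ~1U) ? -EINVAL : 0;
}

static bool
gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
	const struct xt_gradm_mtinfo *info = par->matchinfo;

	/* normalise both operands so the XOR is a real inversion */
	return !!gr_acl_is_enabled() ^ !!info->invflags;
}

static struct xt_match gradm_mt_reg __read_mostly = {
	.name       = "gradm",
	/* … unchanged: revision, family, match, matchsize … */
	.checkentry = gradm_mt_check,
	.me         = THIS_MODULE,
};
```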
73933 diff -urNp linux-3.1.1/net/netfilter/xt_statistic.c linux-3.1.1/net/netfilter/xt_statistic.c
73934 --- linux-3.1.1/net/netfilter/xt_statistic.c    2011-11-11 15:19:27.000000000 -0500
73935 +++ linux-3.1.1/net/netfilter/xt_statistic.c    2011-11-16 18:39:08.000000000 -0500
73936 @@ -18,7 +18,7 @@
73937  #include <linux/netfilter/x_tables.h>
73938  
73939  struct xt_statistic_priv {
73940 -       atomic_t count;
73941 +       atomic_unchecked_t count;
73942  } ____cacheline_aligned_in_smp;
73943  
73944  MODULE_LICENSE("GPL");
73945 @@ -41,9 +41,9 @@ statistic_mt(const struct sk_buff *skb, 
73946                 break;
73947         case XT_STATISTIC_MODE_NTH:
73948                 do {
73949 -                       oval = atomic_read(&info->master->count);
73950 +                       oval = atomic_read_unchecked(&info->master->count);
73951                         nval = (oval == info->u.nth.every) ? 0 : oval + 1;
73952 -               } while (atomic_cmpxchg(&info->master->count, oval, nval) != oval);
73953 +               } while (atomic_cmpxchg_unchecked(&info->master->count, oval, nval) != oval);
73954                 if (nval == 0)
73955                         ret = !ret;
73956                 break;
73957 @@ -63,7 +63,7 @@ static int statistic_mt_check(const stru
73958         info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
73959         if (info->master == NULL)
73960                 return -ENOMEM;
73961 -       atomic_set(&info->master->count, info->u.nth.count);
73962 +       atomic_set_unchecked(&info->master->count, info->u.nth.count);
73963  
73964         return 0;
73965  }
73966 diff -urNp linux-3.1.1/net/netlink/af_netlink.c linux-3.1.1/net/netlink/af_netlink.c
73967 --- linux-3.1.1/net/netlink/af_netlink.c        2011-11-11 15:19:27.000000000 -0500
73968 +++ linux-3.1.1/net/netlink/af_netlink.c        2011-11-16 18:39:08.000000000 -0500
73969 @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock 
73970                         sk->sk_error_report(sk);
73971                 }
73972         }
73973 -       atomic_inc(&sk->sk_drops);
73974 +       atomic_inc_unchecked(&sk->sk_drops);
73975  }
73976  
73977  static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
73978 @@ -2000,7 +2000,7 @@ static int netlink_seq_show(struct seq_f
73979                            sk_wmem_alloc_get(s),
73980                            nlk->cb,
73981                            atomic_read(&s->sk_refcnt),
73982 -                          atomic_read(&s->sk_drops),
73983 +                          atomic_read_unchecked(&s->sk_drops),
73984                            sock_i_ino(s)
73985                         );
73986  
73987 diff -urNp linux-3.1.1/net/netrom/af_netrom.c linux-3.1.1/net/netrom/af_netrom.c
73988 --- linux-3.1.1/net/netrom/af_netrom.c  2011-11-11 15:19:27.000000000 -0500
73989 +++ linux-3.1.1/net/netrom/af_netrom.c  2011-11-16 18:40:44.000000000 -0500
73990 @@ -839,6 +839,7 @@ static int nr_getname(struct socket *soc
73991         struct sock *sk = sock->sk;
73992         struct nr_sock *nr = nr_sk(sk);
73993  
73994 +       memset(sax, 0, sizeof(*sax));
73995         lock_sock(sk);
73996         if (peer != 0) {
73997                 if (sk->sk_state != TCP_ESTABLISHED) {
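Review bot: The added `memset(sax, 0, sizeof(*sax))` carries no comment saying what it is for, and the second hunk deletes the `sax25_ndigis = 0` store that used to hint at it. The buffer is supplied by the caller and, judging by the two different `*uaddr_len` values set below, only partly filled in either branch, so the zeroing is what keeps unwritten bytes (padding and unused digipeater slots) from being copied back to userspace; a comment such as `/* caller's buffer is uninitialised and only partly filled below: zero it all so no stale kernel bytes reach userspace */` above the memset would preserve that intent. nr_getname's signature and the declaration of `sax` are outside the hunk, so the buffer's exact type is not visible here.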
73998 @@ -853,7 +854,6 @@ static int nr_getname(struct socket *soc
73999                 *uaddr_len = sizeof(struct full_sockaddr_ax25);
74000         } else {
74001                 sax->fsa_ax25.sax25_family = AF_NETROM;
74002 -               sax->fsa_ax25.sax25_ndigis = 0;
74003                 sax->fsa_ax25.sax25_call   = nr->source_addr;
74004                 *uaddr_len = sizeof(struct sockaddr_ax25);
74005         }
74006 diff -urNp linux-3.1.1/net/packet/af_packet.c linux-3.1.1/net/packet/af_packet.c
74007 --- linux-3.1.1/net/packet/af_packet.c  2011-11-11 15:19:27.000000000 -0500
74008 +++ linux-3.1.1/net/packet/af_packet.c  2011-11-16 18:39:08.000000000 -0500
74009 @@ -954,7 +954,7 @@ static int packet_rcv(struct sk_buff *sk
74010  
74011         spin_lock(&sk->sk_receive_queue.lock);
74012         po->stats.tp_packets++;
74013 -       skb->dropcount = atomic_read(&sk->sk_drops);
74014 +       skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
74015         __skb_queue_tail(&sk->sk_receive_queue, skb);
74016         spin_unlock(&sk->sk_receive_queue.lock);
74017         sk->sk_data_ready(sk, skb->len);
74018 @@ -963,7 +963,7 @@ static int packet_rcv(struct sk_buff *sk
74019  drop_n_acct:
74020         spin_lock(&sk->sk_receive_queue.lock);
74021         po->stats.tp_drops++;
74022 -       atomic_inc(&sk->sk_drops);
74023 +       atomic_inc_unchecked(&sk->sk_drops);
74024         spin_unlock(&sk->sk_receive_queue.lock);
74025  
74026  drop_n_restore:
74027 @@ -2479,7 +2479,7 @@ static int packet_getsockopt(struct sock
74028         case PACKET_HDRLEN:
74029                 if (len > sizeof(int))
74030                         len = sizeof(int);
74031 -               if (copy_from_user(&val, optval, len))
74032 +               if (len > sizeof(val) || copy_from_user(&val, optval, len))
74033                         return -EFAULT;
74034                 switch (val) {
74035                 case TPACKET_V1:
74036 @@ -2526,7 +2526,7 @@ static int packet_getsockopt(struct sock
74037  
74038         if (put_user(len, optlen))
74039                 return -EFAULT;
74040 -       if (copy_to_user(optval, data, len))
74041 +       if (len > sizeof(st) || copy_to_user(optval, data, len))
74042                 return -EFAULT;
74043         return 0;
74044  }
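Review bot: The new bound `len > sizeof(st)` is measured against one object while `data` may point at another: in the branches that set `data = &val` (outside this hunk), `sizeof(st)` is larger than the int being copied, so the guard cannot catch an over-read there and the function still depends on each case's own clamp. Recording the selected object's size next to each `data = ...` assignment (e.g. a local `lv` set to `sizeof(val)` or `sizeof(st.stats1)` per case) and then `len = min_t(unsigned int, len, lv);` before the copy gives one bound that matches the copy. The `len > sizeof(val)` test added in the previous hunk is already implied by the `len = sizeof(int)` clamp two lines above it, assuming `val` is an int; packet_getsockopt starts outside both hunks.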
74045 diff -urNp linux-3.1.1/net/phonet/af_phonet.c linux-3.1.1/net/phonet/af_phonet.c
74046 --- linux-3.1.1/net/phonet/af_phonet.c  2011-11-11 15:19:27.000000000 -0500
74047 +++ linux-3.1.1/net/phonet/af_phonet.c  2011-11-16 18:40:44.000000000 -0500
74048 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
74049  {
74050         struct phonet_protocol *pp;
74051  
74052 -       if (protocol >= PHONET_NPROTO)
74053 +       if (protocol < 0 || protocol >= PHONET_NPROTO)
74054                 return NULL;
74055  
74056         rcu_read_lock();
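Review bot: Whether `protocol < 0` is a real check depends on the parameter's type, and the signature of phonet_proto_get is outside the hunk (only its `{` is visible). If `protocol` is an unsigned type the new test is always false, gcc warns under -Wtype-limits, and the existing `>= PHONET_NPROTO` comparison already rejects every out-of-range value; if it is signed, the test is the right fix for a negative index into the protocol table. A short comment on the line, `/* protocol comes from userspace: reject negative as well as too-large */`, would make the intent checkable, and the same applies to the identical test added to phonet_proto_register in the second hunk.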
74057 @@ -469,7 +469,7 @@ int __init_or_module phonet_proto_regist
74058  {
74059         int err = 0;
74060  
74061 -       if (protocol >= PHONET_NPROTO)
74062 +       if (protocol < 0 || protocol >= PHONET_NPROTO)
74063                 return -EINVAL;
74064  
74065         err = proto_register(pp->prot, 1);
74066 diff -urNp linux-3.1.1/net/phonet/pep.c linux-3.1.1/net/phonet/pep.c
74067 --- linux-3.1.1/net/phonet/pep.c        2011-11-11 15:19:27.000000000 -0500
74068 +++ linux-3.1.1/net/phonet/pep.c        2011-11-16 18:39:08.000000000 -0500
74069 @@ -387,7 +387,7 @@ static int pipe_do_rcv(struct sock *sk, 
74070  
74071         case PNS_PEP_CTRL_REQ:
74072                 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
74073 -                       atomic_inc(&sk->sk_drops);
74074 +                       atomic_inc_unchecked(&sk->sk_drops);
74075                         break;
74076                 }
74077                 __skb_pull(skb, 4);
74078 @@ -408,7 +408,7 @@ static int pipe_do_rcv(struct sock *sk, 
74079                 }
74080  
74081                 if (pn->rx_credits == 0) {
74082 -                       atomic_inc(&sk->sk_drops);
74083 +                       atomic_inc_unchecked(&sk->sk_drops);
74084                         err = -ENOBUFS;
74085                         break;
74086                 }
74087 @@ -556,7 +556,7 @@ static int pipe_handler_do_rcv(struct so
74088                 }
74089  
74090                 if (pn->rx_credits == 0) {
74091 -                       atomic_inc(&sk->sk_drops);
74092 +                       atomic_inc_unchecked(&sk->sk_drops);
74093                         err = NET_RX_DROP;
74094                         break;
74095                 }
74096 diff -urNp linux-3.1.1/net/phonet/socket.c linux-3.1.1/net/phonet/socket.c
74097 --- linux-3.1.1/net/phonet/socket.c     2011-11-11 15:19:27.000000000 -0500
74098 +++ linux-3.1.1/net/phonet/socket.c     2011-11-16 18:40:44.000000000 -0500
74099 @@ -612,8 +612,13 @@ static int pn_sock_seq_show(struct seq_f
74100                         pn->resource, sk->sk_state,
74101                         sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
74102                         sock_i_uid(sk), sock_i_ino(sk),
74103 -                       atomic_read(&sk->sk_refcnt), sk,
74104 -                       atomic_read(&sk->sk_drops), &len);
74105 +                       atomic_read(&sk->sk_refcnt),
74106 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74107 +                       NULL,
74108 +#else
74109 +                       sk,
74110 +#endif
74111 +                       atomic_read_unchecked(&sk->sk_drops), &len);
74112         }
74113         seq_printf(seq, "%*s\n", 127 - len, "");
74114         return 0;
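Review bot: Printing `NULL` under CONFIG_GRKERNSEC_HIDESYM hides the socket address from /proc by an ifdef at the call site, while the kernel already has the `%pK` conversion, governed by the `kernel.kptr_restrict` sysctl, for exactly this purpose. Changing the conversion in the format string above the hunk (not visible here, presumably `%p`) to `%pK` and passing `sk` unconditionally gives the same protection without conditional compilation and lets the policy be set at runtime. Column alignment is unaffected either way, since the line is padded from the `%n` length afterwards; pn_sock_seq_show starts outside the hunk.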
74115 diff -urNp linux-3.1.1/net/rds/cong.c linux-3.1.1/net/rds/cong.c
74116 --- linux-3.1.1/net/rds/cong.c  2011-11-11 15:19:27.000000000 -0500
74117 +++ linux-3.1.1/net/rds/cong.c  2011-11-16 18:39:08.000000000 -0500
74118 @@ -77,7 +77,7 @@
74119   * finds that the saved generation number is smaller than the global generation
74120   * number, it wakes up the process.
74121   */
74122 -static atomic_t                rds_cong_generation = ATOMIC_INIT(0);
74123 +static atomic_unchecked_t              rds_cong_generation = ATOMIC_INIT(0);
74124  
74125  /*
74126   * Congestion monitoring
74127 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
74128         rdsdebug("waking map %p for %pI4\n",
74129           map, &map->m_addr);
74130         rds_stats_inc(s_cong_update_received);
74131 -       atomic_inc(&rds_cong_generation);
74132 +       atomic_inc_unchecked(&rds_cong_generation);
74133         if (waitqueue_active(&map->m_waitq))
74134                 wake_up(&map->m_waitq);
74135         if (waitqueue_active(&rds_poll_waitq))
74136 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
74137  
74138  int rds_cong_updated_since(unsigned long *recent)
74139  {
74140 -       unsigned long gen = atomic_read(&rds_cong_generation);
74141 +       unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
74142  
74143         if (likely(*recent == gen))
74144                 return 0;
74145 diff -urNp linux-3.1.1/net/rds/ib_cm.c linux-3.1.1/net/rds/ib_cm.c
74146 --- linux-3.1.1/net/rds/ib_cm.c 2011-11-11 15:19:27.000000000 -0500
74147 +++ linux-3.1.1/net/rds/ib_cm.c 2011-11-16 18:39:08.000000000 -0500
74148 @@ -720,7 +720,7 @@ void rds_ib_conn_shutdown(struct rds_con
74149         /* Clear the ACK state */
74150         clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
74151  #ifdef KERNEL_HAS_ATOMIC64
74152 -       atomic64_set(&ic->i_ack_next, 0);
74153 +       atomic64_set_unchecked(&ic->i_ack_next, 0);
74154  #else
74155         ic->i_ack_next = 0;
74156  #endif
74157 diff -urNp linux-3.1.1/net/rds/ib.h linux-3.1.1/net/rds/ib.h
74158 --- linux-3.1.1/net/rds/ib.h    2011-11-11 15:19:27.000000000 -0500
74159 +++ linux-3.1.1/net/rds/ib.h    2011-11-16 18:39:08.000000000 -0500
74160 @@ -128,7 +128,7 @@ struct rds_ib_connection {
74161         /* sending acks */
74162         unsigned long           i_ack_flags;
74163  #ifdef KERNEL_HAS_ATOMIC64
74164 -       atomic64_t              i_ack_next;     /* next ACK to send */
74165 +       atomic64_unchecked_t    i_ack_next;     /* next ACK to send */
74166  #else
74167         spinlock_t              i_ack_lock;     /* protect i_ack_next */
74168         u64                     i_ack_next;     /* next ACK to send */
74169 diff -urNp linux-3.1.1/net/rds/ib_recv.c linux-3.1.1/net/rds/ib_recv.c
74170 --- linux-3.1.1/net/rds/ib_recv.c       2011-11-11 15:19:27.000000000 -0500
74171 +++ linux-3.1.1/net/rds/ib_recv.c       2011-11-16 18:39:08.000000000 -0500
74172 @@ -592,7 +592,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
74173  static void rds_ib_set_ack(struct rds_ib_connection *ic, u64 seq,
74174                                 int ack_required)
74175  {
74176 -       atomic64_set(&ic->i_ack_next, seq);
74177 +       atomic64_set_unchecked(&ic->i_ack_next, seq);
74178         if (ack_required) {
74179                 smp_mb__before_clear_bit();
74180                 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
74181 @@ -604,7 +604,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
74182         clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
74183         smp_mb__after_clear_bit();
74184  
74185 -       return atomic64_read(&ic->i_ack_next);
74186 +       return atomic64_read_unchecked(&ic->i_ack_next);
74187  }
74188  #endif
74189  
74190 diff -urNp linux-3.1.1/net/rds/iw_cm.c linux-3.1.1/net/rds/iw_cm.c
74191 --- linux-3.1.1/net/rds/iw_cm.c 2011-11-11 15:19:27.000000000 -0500
74192 +++ linux-3.1.1/net/rds/iw_cm.c 2011-11-16 18:39:08.000000000 -0500
74193 @@ -663,7 +663,7 @@ void rds_iw_conn_shutdown(struct rds_con
74194         /* Clear the ACK state */
74195         clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
74196  #ifdef KERNEL_HAS_ATOMIC64
74197 -       atomic64_set(&ic->i_ack_next, 0);
74198 +       atomic64_set_unchecked(&ic->i_ack_next, 0);
74199  #else
74200         ic->i_ack_next = 0;
74201  #endif
74202 diff -urNp linux-3.1.1/net/rds/iw.h linux-3.1.1/net/rds/iw.h
74203 --- linux-3.1.1/net/rds/iw.h    2011-11-11 15:19:27.000000000 -0500
74204 +++ linux-3.1.1/net/rds/iw.h    2011-11-16 18:39:08.000000000 -0500
74205 @@ -134,7 +134,7 @@ struct rds_iw_connection {
74206         /* sending acks */
74207         unsigned long           i_ack_flags;
74208  #ifdef KERNEL_HAS_ATOMIC64
74209 -       atomic64_t              i_ack_next;     /* next ACK to send */
74210 +       atomic64_unchecked_t    i_ack_next;     /* next ACK to send */
74211  #else
74212         spinlock_t              i_ack_lock;     /* protect i_ack_next */
74213         u64                     i_ack_next;     /* next ACK to send */
74214 diff -urNp linux-3.1.1/net/rds/iw_rdma.c linux-3.1.1/net/rds/iw_rdma.c
74215 --- linux-3.1.1/net/rds/iw_rdma.c       2011-11-11 15:19:27.000000000 -0500
74216 +++ linux-3.1.1/net/rds/iw_rdma.c       2011-11-16 18:40:44.000000000 -0500
74217 @@ -184,6 +184,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
74218         struct rdma_cm_id *pcm_id;
74219         int rc;
74220  
74221 +       pax_track_stack();
74222 +
74223         src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
74224         dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
74225  
74226 diff -urNp linux-3.1.1/net/rds/iw_recv.c linux-3.1.1/net/rds/iw_recv.c
74227 --- linux-3.1.1/net/rds/iw_recv.c       2011-11-11 15:19:27.000000000 -0500
74228 +++ linux-3.1.1/net/rds/iw_recv.c       2011-11-16 18:39:08.000000000 -0500
74229 @@ -427,7 +427,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
74230  static void rds_iw_set_ack(struct rds_iw_connection *ic, u64 seq,
74231                                 int ack_required)
74232  {
74233 -       atomic64_set(&ic->i_ack_next, seq);
74234 +       atomic64_set_unchecked(&ic->i_ack_next, seq);
74235         if (ack_required) {
74236                 smp_mb__before_clear_bit();
74237                 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
74238 @@ -439,7 +439,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
74239         clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
74240         smp_mb__after_clear_bit();
74241  
74242 -       return atomic64_read(&ic->i_ack_next);
74243 +       return atomic64_read_unchecked(&ic->i_ack_next);
74244  }
74245  #endif
74246  
74247 diff -urNp linux-3.1.1/net/rds/tcp.c linux-3.1.1/net/rds/tcp.c
74248 --- linux-3.1.1/net/rds/tcp.c   2011-11-11 15:19:27.000000000 -0500
74249 +++ linux-3.1.1/net/rds/tcp.c   2011-11-16 18:39:08.000000000 -0500
74250 @@ -58,7 +58,7 @@ void rds_tcp_nonagle(struct socket *sock
74251         int val = 1;
74252  
74253         set_fs(KERNEL_DS);
74254 -       sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __user *)&val,
74255 +       sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __force_user *)&val,
74256                               sizeof(val));
74257         set_fs(oldfs);
74258  }
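Review bot: `__force_user` only quiets sparse about passing a kernel pointer where a user pointer is expected; the underlying `set_fs(KERNEL_DS)` window is left in place, and any fault or early exit between `set_fs` and the restore leaves the task able to pass kernel addresses through user-pointer checks. `kernel_setsockopt(sock, SOL_TCP, TCP_NODELAY, (char *)&val, sizeof(val));` performs the same operation without widening the address limit and removes the annotation entirely. The same substitution applies to the `TCP_CORK` call in rds/tcp_send.c; rds_tcp_nonagle starts outside the hunk.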
74259 diff -urNp linux-3.1.1/net/rds/tcp_send.c linux-3.1.1/net/rds/tcp_send.c
74260 --- linux-3.1.1/net/rds/tcp_send.c      2011-11-11 15:19:27.000000000 -0500
74261 +++ linux-3.1.1/net/rds/tcp_send.c      2011-11-16 18:39:08.000000000 -0500
74262 @@ -43,7 +43,7 @@ static void rds_tcp_cork(struct socket *
74263  
74264         oldfs = get_fs();
74265         set_fs(KERNEL_DS);
74266 -       sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __user *)&val,
74267 +       sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __force_user *)&val,
74268                               sizeof(val));
74269         set_fs(oldfs);
74270  }
74271 diff -urNp linux-3.1.1/net/rxrpc/af_rxrpc.c linux-3.1.1/net/rxrpc/af_rxrpc.c
74272 --- linux-3.1.1/net/rxrpc/af_rxrpc.c    2011-11-11 15:19:27.000000000 -0500
74273 +++ linux-3.1.1/net/rxrpc/af_rxrpc.c    2011-11-16 18:39:08.000000000 -0500
74274 @@ -39,7 +39,7 @@ static const struct proto_ops rxrpc_rpc_
74275  __be32 rxrpc_epoch;
74276  
74277  /* current debugging ID */
74278 -atomic_t rxrpc_debug_id;
74279 +atomic_unchecked_t rxrpc_debug_id;
74280  
74281  /* count of skbs currently in use */
74282  atomic_t rxrpc_n_skbs;
74283 diff -urNp linux-3.1.1/net/rxrpc/ar-ack.c linux-3.1.1/net/rxrpc/ar-ack.c
74284 --- linux-3.1.1/net/rxrpc/ar-ack.c      2011-11-11 15:19:27.000000000 -0500
74285 +++ linux-3.1.1/net/rxrpc/ar-ack.c      2011-11-16 18:40:44.000000000 -0500
74286 @@ -175,7 +175,7 @@ static void rxrpc_resend(struct rxrpc_ca
74287  
74288         _enter("{%d,%d,%d,%d},",
74289                call->acks_hard, call->acks_unacked,
74290 -              atomic_read(&call->sequence),
74291 +              atomic_read_unchecked(&call->sequence),
74292                CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
74293  
74294         stop = 0;
74295 @@ -199,7 +199,7 @@ static void rxrpc_resend(struct rxrpc_ca
74296  
74297                         /* each Tx packet has a new serial number */
74298                         sp->hdr.serial =
74299 -                               htonl(atomic_inc_return(&call->conn->serial));
74300 +                               htonl(atomic_inc_return_unchecked(&call->conn->serial));
74301  
74302                         hdr = (struct rxrpc_header *) txb->head;
74303                         hdr->serial = sp->hdr.serial;
74304 @@ -403,7 +403,7 @@ static void rxrpc_rotate_tx_window(struc
74305   */
74306  static void rxrpc_clear_tx_window(struct rxrpc_call *call)
74307  {
74308 -       rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
74309 +       rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
74310  }
74311  
74312  /*
74313 @@ -629,7 +629,7 @@ process_further:
74314  
74315                 latest = ntohl(sp->hdr.serial);
74316                 hard = ntohl(ack.firstPacket);
74317 -               tx = atomic_read(&call->sequence);
74318 +               tx = atomic_read_unchecked(&call->sequence);
74319  
74320                 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
74321                        latest,
74322 @@ -842,6 +842,8 @@ void rxrpc_process_call(struct work_stru
74323         u32 abort_code = RX_PROTOCOL_ERROR;
74324         u8 *acks = NULL;
74325  
74326 +       pax_track_stack();
74327 +
74328         //printk("\n--------------------\n");
74329         _enter("{%d,%s,%lx} [%lu]",
74330                call->debug_id, rxrpc_call_states[call->state], call->events,
74331 @@ -1161,7 +1163,7 @@ void rxrpc_process_call(struct work_stru
74332         goto maybe_reschedule;
74333  
74334  send_ACK_with_skew:
74335 -       ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
74336 +       ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
74337                             ntohl(ack.serial));
74338  send_ACK:
74339         mtu = call->conn->trans->peer->if_mtu;
74340 @@ -1173,7 +1175,7 @@ send_ACK:
74341         ackinfo.rxMTU   = htonl(5692);
74342         ackinfo.jumbo_max = htonl(4);
74343  
74344 -       hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
74345 +       hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
74346         _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
74347                ntohl(hdr.serial),
74348                ntohs(ack.maxSkew),
74349 @@ -1191,7 +1193,7 @@ send_ACK:
74350  send_message:
74351         _debug("send message");
74352  
74353 -       hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
74354 +       hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
74355         _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
74356  send_message_2:
74357  
74358 diff -urNp linux-3.1.1/net/rxrpc/ar-call.c linux-3.1.1/net/rxrpc/ar-call.c
74359 --- linux-3.1.1/net/rxrpc/ar-call.c     2011-11-11 15:19:27.000000000 -0500
74360 +++ linux-3.1.1/net/rxrpc/ar-call.c     2011-11-16 18:39:08.000000000 -0500
74361 @@ -83,7 +83,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
74362         spin_lock_init(&call->lock);
74363         rwlock_init(&call->state_lock);
74364         atomic_set(&call->usage, 1);
74365 -       call->debug_id = atomic_inc_return(&rxrpc_debug_id);
74366 +       call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
74367         call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
74368  
74369         memset(&call->sock_node, 0xed, sizeof(call->sock_node));
74370 diff -urNp linux-3.1.1/net/rxrpc/ar-connection.c linux-3.1.1/net/rxrpc/ar-connection.c
74371 --- linux-3.1.1/net/rxrpc/ar-connection.c       2011-11-11 15:19:27.000000000 -0500
74372 +++ linux-3.1.1/net/rxrpc/ar-connection.c       2011-11-16 18:39:08.000000000 -0500
74373 @@ -206,7 +206,7 @@ static struct rxrpc_connection *rxrpc_al
74374                 rwlock_init(&conn->lock);
74375                 spin_lock_init(&conn->state_lock);
74376                 atomic_set(&conn->usage, 1);
74377 -               conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
74378 +               conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
74379                 conn->avail_calls = RXRPC_MAXCALLS;
74380                 conn->size_align = 4;
74381                 conn->header_size = sizeof(struct rxrpc_header);
74382 diff -urNp linux-3.1.1/net/rxrpc/ar-connevent.c linux-3.1.1/net/rxrpc/ar-connevent.c
74383 --- linux-3.1.1/net/rxrpc/ar-connevent.c        2011-11-11 15:19:27.000000000 -0500
74384 +++ linux-3.1.1/net/rxrpc/ar-connevent.c        2011-11-16 18:39:08.000000000 -0500
74385 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
74386  
74387         len = iov[0].iov_len + iov[1].iov_len;
74388  
74389 -       hdr.serial = htonl(atomic_inc_return(&conn->serial));
74390 +       hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
74391         _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
74392  
74393         ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
74394 diff -urNp linux-3.1.1/net/rxrpc/ar-input.c linux-3.1.1/net/rxrpc/ar-input.c
74395 --- linux-3.1.1/net/rxrpc/ar-input.c    2011-11-11 15:19:27.000000000 -0500
74396 +++ linux-3.1.1/net/rxrpc/ar-input.c    2011-11-16 18:39:08.000000000 -0500
74397 @@ -340,9 +340,9 @@ void rxrpc_fast_process_packet(struct rx
74398         /* track the latest serial number on this connection for ACK packet
74399          * information */
74400         serial = ntohl(sp->hdr.serial);
74401 -       hi_serial = atomic_read(&call->conn->hi_serial);
74402 +       hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
74403         while (serial > hi_serial)
74404 -               hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
74405 +               hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
74406                                            serial);
74407  
74408         /* request ACK generation for any ACK or DATA packet that requests
74409 diff -urNp linux-3.1.1/net/rxrpc/ar-internal.h linux-3.1.1/net/rxrpc/ar-internal.h
74410 --- linux-3.1.1/net/rxrpc/ar-internal.h 2011-11-11 15:19:27.000000000 -0500
74411 +++ linux-3.1.1/net/rxrpc/ar-internal.h 2011-11-16 18:39:08.000000000 -0500
74412 @@ -272,8 +272,8 @@ struct rxrpc_connection {
74413         int                     error;          /* error code for local abort */
74414         int                     debug_id;       /* debug ID for printks */
74415         unsigned                call_counter;   /* call ID counter */
74416 -       atomic_t                serial;         /* packet serial number counter */
74417 -       atomic_t                hi_serial;      /* highest serial number received */
74418 +       atomic_unchecked_t      serial;         /* packet serial number counter */
74419 +       atomic_unchecked_t      hi_serial;      /* highest serial number received */
74420         u8                      avail_calls;    /* number of calls available */
74421         u8                      size_align;     /* data size alignment (for security) */
74422         u8                      header_size;    /* rxrpc + security header size */
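Review bot: The switch of `serial`, `hi_serial` (and `sequence` and `rxrpc_debug_id` in the two following hunks) to `atomic_unchecked_t` is not explained in the field comments, so a later reader has nothing telling them why these counters are exempt from the overflow checking the rest of the patch relies on. Recording the reason in the existing comment column keeps the intent with the declaration, e.g. `atomic_unchecked_t      serial;         /* packet serial number counter (wraps by design; not a refcount) */` and the equivalent for `hi_serial`, `sequence` and `rxrpc_debug_id`. The struct definitions continue outside these hunks.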
74423 @@ -346,7 +346,7 @@ struct rxrpc_call {
74424         spinlock_t              lock;
74425         rwlock_t                state_lock;     /* lock for state transition */
74426         atomic_t                usage;
74427 -       atomic_t                sequence;       /* Tx data packet sequence counter */
74428 +       atomic_unchecked_t      sequence;       /* Tx data packet sequence counter */
74429         u32                     abort_code;     /* local/remote abort code */
74430         enum {                                  /* current state of call */
74431                 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
74432 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
74433   */
74434  extern atomic_t rxrpc_n_skbs;
74435  extern __be32 rxrpc_epoch;
74436 -extern atomic_t rxrpc_debug_id;
74437 +extern atomic_unchecked_t rxrpc_debug_id;
74438  extern struct workqueue_struct *rxrpc_workqueue;
74439  
74440  /*
74441 diff -urNp linux-3.1.1/net/rxrpc/ar-local.c linux-3.1.1/net/rxrpc/ar-local.c
74442 --- linux-3.1.1/net/rxrpc/ar-local.c    2011-11-11 15:19:27.000000000 -0500
74443 +++ linux-3.1.1/net/rxrpc/ar-local.c    2011-11-16 18:39:08.000000000 -0500
74444 @@ -45,7 +45,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
74445                 spin_lock_init(&local->lock);
74446                 rwlock_init(&local->services_lock);
74447                 atomic_set(&local->usage, 1);
74448 -               local->debug_id = atomic_inc_return(&rxrpc_debug_id);
74449 +               local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
74450                 memcpy(&local->srx, srx, sizeof(*srx));
74451         }
74452  
74453 diff -urNp linux-3.1.1/net/rxrpc/ar-output.c linux-3.1.1/net/rxrpc/ar-output.c
74454 --- linux-3.1.1/net/rxrpc/ar-output.c   2011-11-11 15:19:27.000000000 -0500
74455 +++ linux-3.1.1/net/rxrpc/ar-output.c   2011-11-16 18:39:08.000000000 -0500
74456 @@ -681,9 +681,9 @@ static int rxrpc_send_data(struct kiocb 
74457                         sp->hdr.cid = call->cid;
74458                         sp->hdr.callNumber = call->call_id;
74459                         sp->hdr.seq =
74460 -                               htonl(atomic_inc_return(&call->sequence));
74461 +                               htonl(atomic_inc_return_unchecked(&call->sequence));
74462                         sp->hdr.serial =
74463 -                               htonl(atomic_inc_return(&conn->serial));
74464 +                               htonl(atomic_inc_return_unchecked(&conn->serial));
74465                         sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
74466                         sp->hdr.userStatus = 0;
74467                         sp->hdr.securityIndex = conn->security_ix;
74468 diff -urNp linux-3.1.1/net/rxrpc/ar-peer.c linux-3.1.1/net/rxrpc/ar-peer.c
74469 --- linux-3.1.1/net/rxrpc/ar-peer.c     2011-11-11 15:19:27.000000000 -0500
74470 +++ linux-3.1.1/net/rxrpc/ar-peer.c     2011-11-16 18:39:08.000000000 -0500
74471 @@ -72,7 +72,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
74472                 INIT_LIST_HEAD(&peer->error_targets);
74473                 spin_lock_init(&peer->lock);
74474                 atomic_set(&peer->usage, 1);
74475 -               peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
74476 +               peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
74477                 memcpy(&peer->srx, srx, sizeof(*srx));
74478  
74479                 rxrpc_assess_MTU_size(peer);
74480 diff -urNp linux-3.1.1/net/rxrpc/ar-proc.c linux-3.1.1/net/rxrpc/ar-proc.c
74481 --- linux-3.1.1/net/rxrpc/ar-proc.c     2011-11-11 15:19:27.000000000 -0500
74482 +++ linux-3.1.1/net/rxrpc/ar-proc.c     2011-11-16 18:39:08.000000000 -0500
74483 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
74484                    atomic_read(&conn->usage),
74485                    rxrpc_conn_states[conn->state],
74486                    key_serial(conn->key),
74487 -                  atomic_read(&conn->serial),
74488 -                  atomic_read(&conn->hi_serial));
74489 +                  atomic_read_unchecked(&conn->serial),
74490 +                  atomic_read_unchecked(&conn->hi_serial));
74491  
74492         return 0;
74493  }
74494 diff -urNp linux-3.1.1/net/rxrpc/ar-transport.c linux-3.1.1/net/rxrpc/ar-transport.c
74495 --- linux-3.1.1/net/rxrpc/ar-transport.c        2011-11-11 15:19:27.000000000 -0500
74496 +++ linux-3.1.1/net/rxrpc/ar-transport.c        2011-11-16 18:39:08.000000000 -0500
74497 @@ -47,7 +47,7 @@ static struct rxrpc_transport *rxrpc_all
74498                 spin_lock_init(&trans->client_lock);
74499                 rwlock_init(&trans->conn_lock);
74500                 atomic_set(&trans->usage, 1);
74501 -               trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
74502 +               trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
74503  
74504                 if (peer->srx.transport.family == AF_INET) {
74505                         switch (peer->srx.transport_type) {
74506 diff -urNp linux-3.1.1/net/rxrpc/rxkad.c linux-3.1.1/net/rxrpc/rxkad.c
74507 --- linux-3.1.1/net/rxrpc/rxkad.c       2011-11-11 15:19:27.000000000 -0500
74508 +++ linux-3.1.1/net/rxrpc/rxkad.c       2011-11-16 18:40:44.000000000 -0500
74509 @@ -211,6 +211,8 @@ static int rxkad_secure_packet_encrypt(c
74510         u16 check;
74511         int nsg;
74512  
74513 +       pax_track_stack();
74514 +
74515         sp = rxrpc_skb(skb);
74516  
74517         _enter("");
74518 @@ -338,6 +340,8 @@ static int rxkad_verify_packet_auth(cons
74519         u16 check;
74520         int nsg;
74521  
74522 +       pax_track_stack();
74523 +
74524         _enter("");
74525  
74526         sp = rxrpc_skb(skb);
74527 @@ -610,7 +614,7 @@ static int rxkad_issue_challenge(struct 
74528  
74529         len = iov[0].iov_len + iov[1].iov_len;
74530  
74531 -       hdr.serial = htonl(atomic_inc_return(&conn->serial));
74532 +       hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
74533         _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
74534  
74535         ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
74536 @@ -660,7 +664,7 @@ static int rxkad_send_response(struct rx
74537  
74538         len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
74539  
74540 -       hdr->serial = htonl(atomic_inc_return(&conn->serial));
74541 +       hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
74542         _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
74543  
74544         ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
74545 diff -urNp linux-3.1.1/net/sctp/proc.c linux-3.1.1/net/sctp/proc.c
74546 --- linux-3.1.1/net/sctp/proc.c 2011-11-11 15:19:27.000000000 -0500
74547 +++ linux-3.1.1/net/sctp/proc.c 2011-11-16 18:40:44.000000000 -0500
74548 @@ -318,7 +318,8 @@ static int sctp_assocs_seq_show(struct s
74549                 seq_printf(seq,
74550                            "%8pK %8pK %-3d %-3d %-2d %-4d "
74551                            "%4d %8d %8d %7d %5lu %-5d %5d ",
74552 -                          assoc, sk, sctp_sk(sk)->type, sk->sk_state,
74553 +                          assoc, sk,
74554 +                          sctp_sk(sk)->type, sk->sk_state,
74555                            assoc->state, hash,
74556                            assoc->assoc_id,
74557                            assoc->sndbuf_used,
74558 diff -urNp linux-3.1.1/net/sctp/socket.c linux-3.1.1/net/sctp/socket.c
74559 --- linux-3.1.1/net/sctp/socket.c       2011-11-11 15:19:27.000000000 -0500
74560 +++ linux-3.1.1/net/sctp/socket.c       2011-11-16 18:39:08.000000000 -0500
74561 @@ -4575,7 +4575,7 @@ static int sctp_getsockopt_peer_addrs(st
74562                 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
74563                 if (space_left < addrlen)
74564                         return -ENOMEM;
74565 -               if (copy_to_user(to, &temp, addrlen))
74566 +               if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
74567                         return -EFAULT;
74568                 to += addrlen;
74569                 cnt++;
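Review bot: The new `addrlen > sizeof(temp)` bound guards a kernel-side inconsistency between the address family's `sockaddr_len` and the size of `temp`, yet it reports it as -EFAULT, which callers read as a bad user pointer, so a real mismatch would be silently misattributed. Splitting it out as `if (WARN_ON_ONCE(addrlen > sizeof(temp))) return -EINVAL;` before the unchanged `copy_to_user` line keeps the defensive bound while making a violation visible in the log. The enclosing loop and function start outside the hunk.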
74570 diff -urNp linux-3.1.1/net/socket.c linux-3.1.1/net/socket.c
74571 --- linux-3.1.1/net/socket.c    2011-11-11 15:19:27.000000000 -0500
74572 +++ linux-3.1.1/net/socket.c    2011-11-16 18:40:44.000000000 -0500
74573 @@ -88,6 +88,7 @@
74574  #include <linux/nsproxy.h>
74575  #include <linux/magic.h>
74576  #include <linux/slab.h>
74577 +#include <linux/in.h>
74578  
74579  #include <asm/uaccess.h>
74580  #include <asm/unistd.h>
74581 @@ -105,6 +106,8 @@
74582  #include <linux/sockios.h>
74583  #include <linux/atalk.h>
74584  
74585 +#include <linux/grsock.h>
74586 +
74587  static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
74588  static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
74589                          unsigned long nr_segs, loff_t pos);
74590 @@ -321,7 +324,7 @@ static struct dentry *sockfs_mount(struc
74591                 &sockfs_dentry_operations, SOCKFS_MAGIC);
74592  }
74593  
74594 -static struct vfsmount *sock_mnt __read_mostly;
74595 +struct vfsmount *sock_mnt __read_mostly;
74596  
74597  static struct file_system_type sock_fs_type = {
74598         .name =         "sockfs",
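Review bot: Dropping `static` from `sock_mnt` turns it into a global with no declaration visible in this hunk, so any other translation unit that uses it must repeat the type by hand and sparse will report that the symbol was not declared. A single `extern struct vfsmount *sock_mnt;` in the shared header that the new users include (the `linux/grsock.h` added earlier in this file looks like the natural place) would let the compiler check the definition and every use against one declaration.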
74599 @@ -1187,6 +1190,8 @@ int __sock_create(struct net *net, int f
74600                 return -EAFNOSUPPORT;
74601         if (type < 0 || type >= SOCK_MAX)
74602                 return -EINVAL;
74603 +       if (protocol < 0)
74604 +               return -EINVAL;
74605  
74606         /* Compatibility.
74607  
74608 @@ -1319,6 +1324,16 @@ SYSCALL_DEFINE3(socket, int, family, int
74609         if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
74610                 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
74611  
74612 +       if(!gr_search_socket(family, type, protocol)) {
74613 +               retval = -EACCES;
74614 +               goto out;
74615 +       }
74616 +
74617 +       if (gr_handle_sock_all(family, type, protocol)) {
74618 +               retval = -EACCES;
74619 +               goto out;
74620 +       }
74621 +
74622         retval = sock_create(family, type, protocol, &sock);
74623         if (retval < 0)
74624                 goto out;
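Review bot: `if(!gr_search_socket(family, type, protocol))` is missing the space after `if` that the `if (gr_handle_sock_all(...))` block two lines below and the rest of the file use; `if (!gr_search_socket(family, type, protocol)) {` matches the surrounding style. Both helpers also receive `family`, `type` and `protocol` before `sock_create()` reaches the range checks in `__sock_create()` (including the `protocol < 0` check added earlier in this file), so if they index tables by family or type they must validate those values themselves; the helpers are not visible here, so this is worth a comment above the first check such as `/* family/type/protocol are not yet range-checked here; __sock_create() does that */`.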
74625 @@ -1431,6 +1446,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
74626         if (sock) {
74627                 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
74628                 if (err >= 0) {
74629 +                       if (gr_handle_sock_server((struct sockaddr *)&address)) {
74630 +                               err = -EACCES;
74631 +                               goto error;
74632 +                       }
74633 +                       err = gr_search_bind(sock, (struct sockaddr_in *)&address);
74634 +                       if (err)
74635 +                               goto error;
74636 +
74637                         err = security_socket_bind(sock,
74638                                                    (struct sockaddr *)&address,
74639                                                    addrlen);
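Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` casts the `sockaddr_storage` to an IPv4 address regardless of `address.ss_family`, so the callee must check the family before reading `sin_addr`/`sin_port`, which the hunk cannot confirm; the same cast appears in the connect() hunk later in this file. Both new checks also run before `security_socket_bind()`, so an LSM that audits bind attempts never sees those denied here, which is a reasonable ordering but worth stating: `/* gr checks run before the LSM hook; denials here are not seen by security_socket_bind() */`. The function body continues outside the hunk.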
74640 @@ -1439,6 +1462,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
74641                                                       (struct sockaddr *)
74642                                                       &address, addrlen);
74643                 }
74644 +error:
74645                 fput_light(sock->file, fput_needed);
74646         }
74647         return err;
74648 @@ -1462,10 +1486,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
74649                 if ((unsigned)backlog > somaxconn)
74650                         backlog = somaxconn;
74651  
74652 +               if (gr_handle_sock_server_other(sock->sk)) {
74653 +                       err = -EPERM;
74654 +                       goto error;
74655 +               }
74656 +
74657 +               err = gr_search_listen(sock);
74658 +               if (err)
74659 +                       goto error;
74660 +
74661                 err = security_socket_listen(sock, backlog);
74662                 if (!err)
74663                         err = sock->ops->listen(sock, backlog);
74664  
74665 +error:
74666                 fput_light(sock->file, fput_needed);
74667         }
74668         return err;
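Review bot: The denial from `gr_handle_sock_server_other()` returns -EPERM here (and in the accept4() hunk that follows) while the equivalent policy denials in the socket() and bind() hunks earlier in this file return -EACCES, so user space gets different errors for the same class of refusal depending on the call. Unless the distinction is intentional, `err = -EACCES;` in both places would keep the errno consistent across the hooks. The surrounding function starts outside the hunk.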
74669 @@ -1509,6 +1543,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
74670         newsock->type = sock->type;
74671         newsock->ops = sock->ops;
74672  
74673 +       if (gr_handle_sock_server_other(sock->sk)) {
74674 +               err = -EPERM;
74675 +               sock_release(newsock);
74676 +               goto out_put;
74677 +       }
74678 +
74679 +       err = gr_search_accept(sock);
74680 +       if (err) {
74681 +               sock_release(newsock);
74682 +               goto out_put;
74683 +       }
74684 +
74685         /*
74686          * We don't need try_module_get here, as the listening socket (sock)
74687          * has the protocol module (sock->ops->owner) held.
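Review bot: Both denied paths call `sock_release(newsock)` after `newsock->ops = sock->ops` has been set but, if the comment that follows is accurate, before the `__module_get(newsock->ops->owner)` it describes, so the `module_put()` that `sock_release()` performs on a socket with `ops` set would not be balanced by a get, and `ops->release()` would run on a socket whose `sk` has not been attached yet. Since the two checks only read `sock`, moving them above `newsock->type = sock->type;` (or before the `sock_alloc()` that precedes it) lets a denied accept release a socket with `ops == NULL` and avoids both problems. The `__module_get` line and the allocation are outside the hunk.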
74688 @@ -1547,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
74689         fd_install(newfd, newfile);
74690         err = newfd;
74691  
74692 +       gr_attach_curr_ip(newsock->sk);
74693 +
74694  out_put:
74695         fput_light(sock->file, fput_needed);
74696  out:
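Review bot: `gr_attach_curr_ip(newsock->sk)` is placed after `fd_install(newfd, newfile)`, and once the descriptor is installed it is visible to other threads of the process, so a concurrent close() can release the socket while this line is still dereferencing `newsock->sk`. Moving the call above `fd_install(newfd, newfile);`, while the new socket is still private to this path, removes the window; whether the helper actually dereferences `sk` is not visible here, but the ordering rule applies regardless. The function continues outside the hunk.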
74697 @@ -1579,6 +1627,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
74698                 int, addrlen)
74699  {
74700         struct socket *sock;
74701 +       struct sockaddr *sck;
74702         struct sockaddr_storage address;
74703         int err, fput_needed;
74704  
74705 @@ -1589,6 +1638,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
74706         if (err < 0)
74707                 goto out_put;
74708  
74709 +       sck = (struct sockaddr *)&address;
74710 +
74711 +       if (gr_handle_sock_client(sck)) {
74712 +               err = -EACCES;
74713 +               goto out_put;
74714 +       }
74715 +
74716 +       err = gr_search_connect(sock, (struct sockaddr_in *)sck);
74717 +       if (err)
74718 +               goto out_put;
74719 +
74720         err =
74721             security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
74722         if (err)
74723 @@ -1890,6 +1950,8 @@ static int __sys_sendmsg(struct socket *
74724         unsigned char *ctl_buf = ctl;
74725         int err, ctl_len, iov_size, total_len;
74726  
74727 +       pax_track_stack();
74728 +
74729         err = -EFAULT;
74730         if (MSG_CMSG_COMPAT & flags) {
74731                 if (get_compat_msghdr(msg_sys, msg_compat))
74732 @@ -1950,7 +2012,7 @@ static int __sys_sendmsg(struct socket *
74733                  * checking falls down on this.
74734                  */
74735                 if (copy_from_user(ctl_buf,
74736 -                                  (void __user __force *)msg_sys->msg_control,
74737 +                                  (void __force_user *)msg_sys->msg_control,
74738                                    ctl_len))
74739                         goto out_freectl;
74740                 msg_sys->msg_control = ctl_buf;
74741 @@ -2120,7 +2182,7 @@ static int __sys_recvmsg(struct socket *
74742          *      kernel msghdr to use the kernel address space)
74743          */
74744  
74745 -       uaddr = (__force void __user *)msg_sys->msg_name;
74746 +       uaddr = (void __force_user *)msg_sys->msg_name;
74747         uaddr_len = COMPAT_NAMELEN(msg);
74748         if (MSG_CMSG_COMPAT & flags) {
74749                 err = verify_compat_iovec(msg_sys, iov,
74750 @@ -2748,7 +2810,7 @@ static int ethtool_ioctl(struct net *net
74751         }
74752  
74753         ifr = compat_alloc_user_space(buf_size);
74754 -       rxnfc = (void *)ifr + ALIGN(sizeof(struct ifreq), 8);
74755 +       rxnfc = (void __user *)ifr + ALIGN(sizeof(struct ifreq), 8);
74756  
74757         if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
74758                 return -EFAULT;
74759 @@ -2772,12 +2834,12 @@ static int ethtool_ioctl(struct net *net
74760                         offsetof(struct ethtool_rxnfc, fs.ring_cookie));
74761  
74762                 if (copy_in_user(rxnfc, compat_rxnfc,
74763 -                                (void *)(&rxnfc->fs.m_ext + 1) -
74764 -                                (void *)rxnfc) ||
74765 +                                (void __user *)(&rxnfc->fs.m_ext + 1) -
74766 +                                (void __user *)rxnfc) ||
74767                     copy_in_user(&rxnfc->fs.ring_cookie,
74768                                  &compat_rxnfc->fs.ring_cookie,
74769 -                                (void *)(&rxnfc->fs.location + 1) -
74770 -                                (void *)&rxnfc->fs.ring_cookie) ||
74771 +                                (void __user *)(&rxnfc->fs.location + 1) -
74772 +                                (void __user *)&rxnfc->fs.ring_cookie) ||
74773                     copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
74774                                  sizeof(rxnfc->rule_cnt)))
74775                         return -EFAULT;
74776 @@ -2789,12 +2851,12 @@ static int ethtool_ioctl(struct net *net
74777  
74778         if (convert_out) {
74779                 if (copy_in_user(compat_rxnfc, rxnfc,
74780 -                                (const void *)(&rxnfc->fs.m_ext + 1) -
74781 -                                (const void *)rxnfc) ||
74782 +                                (const void __user *)(&rxnfc->fs.m_ext + 1) -
74783 +                                (const void __user *)rxnfc) ||
74784                     copy_in_user(&compat_rxnfc->fs.ring_cookie,
74785                                  &rxnfc->fs.ring_cookie,
74786 -                                (const void *)(&rxnfc->fs.location + 1) -
74787 -                                (const void *)&rxnfc->fs.ring_cookie) ||
74788 +                                (const void __user *)(&rxnfc->fs.location + 1) -
74789 +                                (const void __user *)&rxnfc->fs.ring_cookie) ||
74790                     copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
74791                                  sizeof(rxnfc->rule_cnt)))
74792                         return -EFAULT;
74793 @@ -2864,7 +2926,7 @@ static int bond_ioctl(struct net *net, u
74794                 old_fs = get_fs();
74795                 set_fs(KERNEL_DS);
74796                 err = dev_ioctl(net, cmd,
74797 -                               (struct ifreq __user __force *) &kifr);
74798 +                               (struct ifreq __force_user *) &kifr);
74799                 set_fs(old_fs);
74800  
74801                 return err;
74802 @@ -2973,7 +3035,7 @@ static int compat_sioc_ifmap(struct net 
74803  
74804         old_fs = get_fs();
74805         set_fs(KERNEL_DS);
74806 -       err = dev_ioctl(net, cmd, (void  __user __force *)&ifr);
74807 +       err = dev_ioctl(net, cmd, (void  __force_user *)&ifr);
74808         set_fs(old_fs);
74809  
74810         if (cmd == SIOCGIFMAP && !err) {
74811 @@ -3078,7 +3140,7 @@ static int routing_ioctl(struct net *net
74812                 ret |= __get_user(rtdev, &(ur4->rt_dev));
74813                 if (rtdev) {
74814                         ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
74815 -                       r4.rt_dev = (char __user __force *)devname;
74816 +                       r4.rt_dev = (char __force_user *)devname;
74817                         devname[15] = 0;
74818                 } else
74819                         r4.rt_dev = NULL;
74820 @@ -3318,8 +3380,8 @@ int kernel_getsockopt(struct socket *soc
74821         int __user *uoptlen;
74822         int err;
74823  
74824 -       uoptval = (char __user __force *) optval;
74825 -       uoptlen = (int __user __force *) optlen;
74826 +       uoptval = (char __force_user *) optval;
74827 +       uoptlen = (int __force_user *) optlen;
74828  
74829         set_fs(KERNEL_DS);
74830         if (level == SOL_SOCKET)
74831 @@ -3339,7 +3401,7 @@ int kernel_setsockopt(struct socket *soc
74832         char __user *uoptval;
74833         int err;
74834  
74835 -       uoptval = (char __user __force *) optval;
74836 +       uoptval = (char __force_user *) optval;
74837  
74838         set_fs(KERNEL_DS);
74839         if (level == SOL_SOCKET)
74840 diff -urNp linux-3.1.1/net/sunrpc/sched.c linux-3.1.1/net/sunrpc/sched.c
74841 --- linux-3.1.1/net/sunrpc/sched.c      2011-11-11 15:19:27.000000000 -0500
74842 +++ linux-3.1.1/net/sunrpc/sched.c      2011-11-16 18:39:08.000000000 -0500
74843 @@ -238,9 +238,9 @@ static int rpc_wait_bit_killable(void *w
74844  #ifdef RPC_DEBUG
74845  static void rpc_task_set_debuginfo(struct rpc_task *task)
74846  {
74847 -       static atomic_t rpc_pid;
74848 +       static atomic_unchecked_t rpc_pid;
74849  
74850 -       task->tk_pid = atomic_inc_return(&rpc_pid);
74851 +       task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
74852  }
74853  #else
74854  static inline void rpc_task_set_debuginfo(struct rpc_task *task)
74855 diff -urNp linux-3.1.1/net/sunrpc/svcsock.c linux-3.1.1/net/sunrpc/svcsock.c
74856 --- linux-3.1.1/net/sunrpc/svcsock.c    2011-11-11 15:19:27.000000000 -0500
74857 +++ linux-3.1.1/net/sunrpc/svcsock.c    2011-11-16 18:39:08.000000000 -0500
74858 @@ -394,7 +394,7 @@ static int svc_partial_recvfrom(struct s
74859                                 int buflen, unsigned int base)
74860  {
74861         size_t save_iovlen;
74862 -       void __user *save_iovbase;
74863 +       void *save_iovbase;
74864         unsigned int i;
74865         int ret;
74866  
74867 diff -urNp linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma.c linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma.c
74868 --- linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma.c  2011-11-11 15:19:27.000000000 -0500
74869 +++ linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma.c  2011-11-16 18:39:08.000000000 -0500
74870 @@ -61,15 +61,15 @@ unsigned int svcrdma_max_req_size = RPCR
74871  static unsigned int min_max_inline = 4096;
74872  static unsigned int max_max_inline = 65536;
74873  
74874 -atomic_t rdma_stat_recv;
74875 -atomic_t rdma_stat_read;
74876 -atomic_t rdma_stat_write;
74877 -atomic_t rdma_stat_sq_starve;
74878 -atomic_t rdma_stat_rq_starve;
74879 -atomic_t rdma_stat_rq_poll;
74880 -atomic_t rdma_stat_rq_prod;
74881 -atomic_t rdma_stat_sq_poll;
74882 -atomic_t rdma_stat_sq_prod;
74883 +atomic_unchecked_t rdma_stat_recv;
74884 +atomic_unchecked_t rdma_stat_read;
74885 +atomic_unchecked_t rdma_stat_write;
74886 +atomic_unchecked_t rdma_stat_sq_starve;
74887 +atomic_unchecked_t rdma_stat_rq_starve;
74888 +atomic_unchecked_t rdma_stat_rq_poll;
74889 +atomic_unchecked_t rdma_stat_rq_prod;
74890 +atomic_unchecked_t rdma_stat_sq_poll;
74891 +atomic_unchecked_t rdma_stat_sq_prod;
74892  
74893  /* Temporary NFS request map and context caches */
74894  struct kmem_cache *svc_rdma_map_cachep;
74895 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
74896                 len -= *ppos;
74897                 if (len > *lenp)
74898                         len = *lenp;
74899 -               if (len && copy_to_user(buffer, str_buf, len))
74900 +               if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
74901                         return -EFAULT;
74902                 *lenp = len;
74903                 *ppos += len;
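Review bot: `len > sizeof str_buf` compares `len` with a `size_t`; if `len` is a signed `int` (its declaration is outside the hunk), a negative value is converted to a large unsigned number and the comparison trips, and whether a negative `len` can reach this point is not visible either. As with the sctp_getsockopt_peer_addrs() change earlier in this file, the failure is a kernel-side inconsistency rather than a bad user pointer, so `if (WARN_ON_ONCE(len > (int)sizeof(str_buf))) return -EINVAL;` ahead of the unchanged copy would make it loud, keep the comparison signed, and use the parenthesized `sizeof(...)` form the rest of the file uses.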
74904 @@ -150,63 +150,63 @@ static ctl_table svcrdma_parm_table[] = 
74905         {
74906                 .procname       = "rdma_stat_read",
74907                 .data           = &rdma_stat_read,
74908 -               .maxlen         = sizeof(atomic_t),
74909 +               .maxlen         = sizeof(atomic_unchecked_t),
74910                 .mode           = 0644,
74911                 .proc_handler   = read_reset_stat,
74912         },
74913         {
74914                 .procname       = "rdma_stat_recv",
74915                 .data           = &rdma_stat_recv,
74916 -               .maxlen         = sizeof(atomic_t),
74917 +               .maxlen         = sizeof(atomic_unchecked_t),
74918                 .mode           = 0644,
74919                 .proc_handler   = read_reset_stat,
74920         },
74921         {
74922                 .procname       = "rdma_stat_write",
74923                 .data           = &rdma_stat_write,
74924 -               .maxlen         = sizeof(atomic_t),
74925 +               .maxlen         = sizeof(atomic_unchecked_t),
74926                 .mode           = 0644,
74927                 .proc_handler   = read_reset_stat,
74928         },
74929         {
74930                 .procname       = "rdma_stat_sq_starve",
74931                 .data           = &rdma_stat_sq_starve,
74932 -               .maxlen         = sizeof(atomic_t),
74933 +               .maxlen         = sizeof(atomic_unchecked_t),
74934                 .mode           = 0644,
74935                 .proc_handler   = read_reset_stat,
74936         },
74937         {
74938                 .procname       = "rdma_stat_rq_starve",
74939                 .data           = &rdma_stat_rq_starve,
74940 -               .maxlen         = sizeof(atomic_t),
74941 +               .maxlen         = sizeof(atomic_unchecked_t),
74942                 .mode           = 0644,
74943                 .proc_handler   = read_reset_stat,
74944         },
74945         {
74946                 .procname       = "rdma_stat_rq_poll",
74947                 .data           = &rdma_stat_rq_poll,
74948 -               .maxlen         = sizeof(atomic_t),
74949 +               .maxlen         = sizeof(atomic_unchecked_t),
74950                 .mode           = 0644,
74951                 .proc_handler   = read_reset_stat,
74952         },
74953         {
74954                 .procname       = "rdma_stat_rq_prod",
74955                 .data           = &rdma_stat_rq_prod,
74956 -               .maxlen         = sizeof(atomic_t),
74957 +               .maxlen         = sizeof(atomic_unchecked_t),
74958                 .mode           = 0644,
74959                 .proc_handler   = read_reset_stat,
74960         },
74961         {
74962                 .procname       = "rdma_stat_sq_poll",
74963                 .data           = &rdma_stat_sq_poll,
74964 -               .maxlen         = sizeof(atomic_t),
74965 +               .maxlen         = sizeof(atomic_unchecked_t),
74966                 .mode           = 0644,
74967                 .proc_handler   = read_reset_stat,
74968         },
74969         {
74970                 .procname       = "rdma_stat_sq_prod",
74971                 .data           = &rdma_stat_sq_prod,
74972 -               .maxlen         = sizeof(atomic_t),
74973 +               .maxlen         = sizeof(atomic_unchecked_t),
74974                 .mode           = 0644,
74975                 .proc_handler   = read_reset_stat,
74976         },
74977 diff -urNp linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
74978 --- linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-11-11 15:19:27.000000000 -0500
74979 +++ linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-11-16 18:39:08.000000000 -0500
74980 @@ -499,7 +499,7 @@ next_sge:
74981                         svc_rdma_put_context(ctxt, 0);
74982                         goto out;
74983                 }
74984 -               atomic_inc(&rdma_stat_read);
74985 +               atomic_inc_unchecked(&rdma_stat_read);
74986  
74987                 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
74988                         chl_map->ch[ch_no].count -= read_wr.num_sge;
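Review bot: The switch to atomic_inc_unchecked() on rdma_stat_read is undocumented, so a reader cannot tell why this counter is exempt from the overflow detection that PAX_REFCOUNT applies to atomic_t. Add a one-line comment at the first converted site, e.g. `/* statistics only: wraparound is harmless, so overflow checking is deliberately skipped */`, in the spirit of the existing `/* can overflow, only indicator */` in the ima_api.c hunk further down. The matching type change of the rdma_stat_* declarations is not in view (the sysctl table above only adjusts .maxlen) and must land with this or the build fails on the argument type. The same applies to the remaining counters in svc_rdma_sendto.c and svc_rdma_transport.c and to the genid counters in xfrm_policy.c, where it is also worth stating that only equality is ever tested so a wrapped value cannot be misread as ordered. The enclosing function continues outside the hunk.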
74989 @@ -609,7 +609,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
74990                                   dto_q);
74991                 list_del_init(&ctxt->dto_q);
74992         } else {
74993 -               atomic_inc(&rdma_stat_rq_starve);
74994 +               atomic_inc_unchecked(&rdma_stat_rq_starve);
74995                 clear_bit(XPT_DATA, &xprt->xpt_flags);
74996                 ctxt = NULL;
74997         }
74998 @@ -629,7 +629,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
74999         dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
75000                 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
75001         BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
75002 -       atomic_inc(&rdma_stat_recv);
75003 +       atomic_inc_unchecked(&rdma_stat_recv);
75004  
75005         /* Build up the XDR from the receive buffers. */
75006         rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
75007 diff -urNp linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_sendto.c
75008 --- linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_sendto.c   2011-11-11 15:19:27.000000000 -0500
75009 +++ linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_sendto.c   2011-11-16 18:39:08.000000000 -0500
75010 @@ -362,7 +362,7 @@ static int send_write(struct svcxprt_rdm
75011         write_wr.wr.rdma.remote_addr = to;
75012  
75013         /* Post It */
75014 -       atomic_inc(&rdma_stat_write);
75015 +       atomic_inc_unchecked(&rdma_stat_write);
75016         if (svc_rdma_send(xprt, &write_wr))
75017                 goto err;
75018         return 0;
75019 diff -urNp linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_transport.c
75020 --- linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_transport.c        2011-11-11 15:19:27.000000000 -0500
75021 +++ linux-3.1.1/net/sunrpc/xprtrdma/svc_rdma_transport.c        2011-11-16 18:39:08.000000000 -0500
75022 @@ -299,7 +299,7 @@ static void rq_cq_reap(struct svcxprt_rd
75023                 return;
75024  
75025         ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
75026 -       atomic_inc(&rdma_stat_rq_poll);
75027 +       atomic_inc_unchecked(&rdma_stat_rq_poll);
75028  
75029         while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
75030                 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
75031 @@ -321,7 +321,7 @@ static void rq_cq_reap(struct svcxprt_rd
75032         }
75033  
75034         if (ctxt)
75035 -               atomic_inc(&rdma_stat_rq_prod);
75036 +               atomic_inc_unchecked(&rdma_stat_rq_prod);
75037  
75038         set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
75039         /*
75040 @@ -393,7 +393,7 @@ static void sq_cq_reap(struct svcxprt_rd
75041                 return;
75042  
75043         ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
75044 -       atomic_inc(&rdma_stat_sq_poll);
75045 +       atomic_inc_unchecked(&rdma_stat_sq_poll);
75046         while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
75047                 if (wc.status != IB_WC_SUCCESS)
75048                         /* Close the transport */
75049 @@ -411,7 +411,7 @@ static void sq_cq_reap(struct svcxprt_rd
75050         }
75051  
75052         if (ctxt)
75053 -               atomic_inc(&rdma_stat_sq_prod);
75054 +               atomic_inc_unchecked(&rdma_stat_sq_prod);
75055  }
75056  
75057  static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
75058 @@ -1273,7 +1273,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
75059                 spin_lock_bh(&xprt->sc_lock);
75060                 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
75061                         spin_unlock_bh(&xprt->sc_lock);
75062 -                       atomic_inc(&rdma_stat_sq_starve);
75063 +                       atomic_inc_unchecked(&rdma_stat_sq_starve);
75064  
75065                         /* See if we can opportunistically reap SQ WR to make room */
75066                         sq_cq_reap(xprt);
75067 diff -urNp linux-3.1.1/net/sysctl_net.c linux-3.1.1/net/sysctl_net.c
75068 --- linux-3.1.1/net/sysctl_net.c        2011-11-11 15:19:27.000000000 -0500
75069 +++ linux-3.1.1/net/sysctl_net.c        2011-11-16 18:40:44.000000000 -0500
75070 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
75071                                struct ctl_table *table)
75072  {
75073         /* Allow network administrator to have same access as root. */
75074 -       if (capable(CAP_NET_ADMIN)) {
75075 +       if (capable_nolog(CAP_NET_ADMIN)) {
75076                 int mode = (table->mode >> 6) & 7;
75077                 return (mode << 6) | (mode << 3) | mode;
75078         }
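Review bot: The rationale for replacing capable() with capable_nolog() in net_ctl_permissions() should be recorded, since the name suggests the two differ only in what they log, not in the access decision. A comment such as `/* permission probe only, hit on every net sysctl lookup: don't generate a capability-use audit record */` makes the intent explicit. Whether capable_nolog() still sets PF_SUPERPRIV as capable() does is not visible here; if it does not, accounting semantics change for processes that only touch sysctls. The enclosing function starts outside the hunk.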
75079 diff -urNp linux-3.1.1/net/tipc/link.c linux-3.1.1/net/tipc/link.c
75080 --- linux-3.1.1/net/tipc/link.c 2011-11-11 15:19:27.000000000 -0500
75081 +++ linux-3.1.1/net/tipc/link.c 2011-11-16 18:39:08.000000000 -0500
75082 @@ -1170,7 +1170,7 @@ static int link_send_sections_long(struc
75083         struct tipc_msg fragm_hdr;
75084         struct sk_buff *buf, *buf_chain, *prev;
75085         u32 fragm_crs, fragm_rest, hsz, sect_rest;
75086 -       const unchar *sect_crs;
75087 +       const unchar __user *sect_crs;
75088         int curr_sect;
75089         u32 fragm_no;
75090  
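Review bot: The new `__user` annotation on sect_crs is a sparse-only change, and the `(const void __force_kernel *)` cast added at the skb_copy_to_linear_data_offset() call in the third hunk of this file (and in tipc_msg_build() in msg.c) overrides it without adding any check: it asserts that the else-branch memcpy is only reached for kernel-originated sections, which the partially visible copy_from_user/else split presumably selects on a caller-supplied flag rather than on the pointer itself. A comment at the cast, e.g. `/* kernel-space section: the user/kernel test above guarantees iov_base is not a user pointer */`, would tell readers which invariant the cast relies on. The `__force_user` cast in subscr.c is the other side of the same contract, a kernel object stored in a struct iovec. The enclosing function starts outside the hunk.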
75091 @@ -1214,7 +1214,7 @@ again:
75092  
75093                 if (!sect_rest) {
75094                         sect_rest = msg_sect[++curr_sect].iov_len;
75095 -                       sect_crs = (const unchar *)msg_sect[curr_sect].iov_base;
75096 +                       sect_crs = (const unchar __user *)msg_sect[curr_sect].iov_base;
75097                 }
75098  
75099                 if (sect_rest < fragm_rest)
75100 @@ -1233,7 +1233,7 @@ error:
75101                         }
75102                 } else
75103                         skb_copy_to_linear_data_offset(buf, fragm_crs,
75104 -                                                      sect_crs, sz);
75105 +                                                      (const void __force_kernel *)sect_crs, sz);
75106                 sect_crs += sz;
75107                 sect_rest -= sz;
75108                 fragm_crs += sz;
75109 diff -urNp linux-3.1.1/net/tipc/msg.c linux-3.1.1/net/tipc/msg.c
75110 --- linux-3.1.1/net/tipc/msg.c  2011-11-11 15:19:27.000000000 -0500
75111 +++ linux-3.1.1/net/tipc/msg.c  2011-11-16 18:39:08.000000000 -0500
75112 @@ -99,7 +99,7 @@ int tipc_msg_build(struct tipc_msg *hdr,
75113                                               msg_sect[cnt].iov_len);
75114                 else
75115                         skb_copy_to_linear_data_offset(*buf, pos,
75116 -                                                      msg_sect[cnt].iov_base,
75117 +                                                      (const void __force_kernel *)msg_sect[cnt].iov_base,
75118                                                        msg_sect[cnt].iov_len);
75119                 pos += msg_sect[cnt].iov_len;
75120         }
75121 diff -urNp linux-3.1.1/net/tipc/subscr.c linux-3.1.1/net/tipc/subscr.c
75122 --- linux-3.1.1/net/tipc/subscr.c       2011-11-11 15:19:27.000000000 -0500
75123 +++ linux-3.1.1/net/tipc/subscr.c       2011-11-16 18:39:08.000000000 -0500
75124 @@ -101,7 +101,7 @@ static void subscr_send_event(struct sub
75125  {
75126         struct iovec msg_sect;
75127  
75128 -       msg_sect.iov_base = (void *)&sub->evt;
75129 +       msg_sect.iov_base = (void __force_user *)&sub->evt;
75130         msg_sect.iov_len = sizeof(struct tipc_event);
75131  
75132         sub->evt.event = htohl(event, sub->swap);
75133 diff -urNp linux-3.1.1/net/unix/af_unix.c linux-3.1.1/net/unix/af_unix.c
75134 --- linux-3.1.1/net/unix/af_unix.c      2011-11-11 15:19:27.000000000 -0500
75135 +++ linux-3.1.1/net/unix/af_unix.c      2011-11-16 19:17:17.000000000 -0500
75136 @@ -767,6 +767,12 @@ static struct sock *unix_find_other(stru
75137                 err = -ECONNREFUSED;
75138                 if (!S_ISSOCK(inode->i_mode))
75139                         goto put_fail;
75140 +
75141 +               if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
75142 +                       err = -EACCES;
75143 +                       goto put_fail;
75144 +               }
75145 +
75146                 u = unix_find_socket_byinode(inode);
75147                 if (!u)
75148                         goto put_fail;
75149 @@ -787,6 +793,13 @@ static struct sock *unix_find_other(stru
75150                 if (u) {
75151                         struct dentry *dentry;
75152                         dentry = unix_sk(u)->dentry;
75153 +
75154 +                       if (!gr_handle_chroot_unix(pid_vnr(u->sk_peer_pid))) {
75155 +                               err = -EPERM;
75156 +                               sock_put(u);
75157 +                               goto fail;
75158 +                       }
75159 +
75160                         if (dentry)
75161                                 touch_atime(unix_sk(u)->mnt, dentry);
75162                 } else
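Review bot: gr_handle_chroot_unix() is fed pid_vnr(u->sk_peer_pid), but sk_peer_pid is normally populated only through the peer-credential paths (listen()/socketpair()), so for an abstract-namespace datagram socket it is likely NULL and pid_vnr() yields 0. Whether gr_handle_chroot_unix(0) denies or permits is not visible here; a comment stating the intended behaviour for that case, e.g. `/* sk_peer_pid may be NULL (unbound/DGRAM peers): pid 0 is treated as <intended policy> */` with the placeholder filled in, would make the check reviewable. The sock_put() before `goto fail` is correct, as the abstract-namespace branch holds no path reference. unix_find_other() starts and ends outside the hunk.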
75163 @@ -869,11 +882,18 @@ static int unix_bind(struct socket *sock
75164                 err = security_path_mknod(&path, dentry, mode, 0);
75165                 if (err)
75166                         goto out_mknod_drop_write;
75167 +               if (!gr_acl_handle_mknod(dentry, path.dentry, path.mnt, mode)) {
75168 +                       err = -EACCES;
75169 +                       goto out_mknod_drop_write;
75170 +               }
75171                 err = vfs_mknod(path.dentry->d_inode, dentry, mode, 0);
75172  out_mknod_drop_write:
75173                 mnt_drop_write(path.mnt);
75174                 if (err)
75175                         goto out_mknod_dput;
75176 +
75177 +               gr_handle_create(dentry, path.mnt);
75178 +
75179                 mutex_unlock(&path.dentry->d_inode->i_mutex);
75180                 dput(path.dentry);
75181                 path.dentry = dentry;
75182 diff -urNp linux-3.1.1/net/wireless/core.h linux-3.1.1/net/wireless/core.h
75183 --- linux-3.1.1/net/wireless/core.h     2011-11-11 15:19:27.000000000 -0500
75184 +++ linux-3.1.1/net/wireless/core.h     2011-11-16 18:39:08.000000000 -0500
75185 @@ -27,7 +27,7 @@ struct cfg80211_registered_device {
75186         struct mutex mtx;
75187  
75188         /* rfkill support */
75189 -       struct rfkill_ops rfkill_ops;
75190 +       rfkill_ops_no_const rfkill_ops;
75191         struct rfkill *rfkill;
75192         struct work_struct rfkill_sync;
75193  
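Review bot: The reason this one rfkill_ops instance is `rfkill_ops_no_const` while the type is presumably made const everywhere else is not stated, so readers meeting the typedef will not know why this copy must stay writable. A comment at the field such as `/* per-device copy filled in at wiphy registration, so it cannot be the const struct rfkill_ops */` documents the exception, assuming cfg80211 really does assign its callbacks into this embedded struct at runtime (the definition of rfkill_ops_no_const is not in view).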
75194 diff -urNp linux-3.1.1/net/wireless/wext-core.c linux-3.1.1/net/wireless/wext-core.c
75195 --- linux-3.1.1/net/wireless/wext-core.c        2011-11-11 15:19:27.000000000 -0500
75196 +++ linux-3.1.1/net/wireless/wext-core.c        2011-11-16 18:39:08.000000000 -0500
75197 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
75198                  */
75199  
75200                 /* Support for very large requests */
75201 -               if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
75202 -                   (user_length > descr->max_tokens)) {
75203 +               if (user_length > descr->max_tokens) {
75204                         /* Allow userspace to GET more than max so
75205                          * we can support any size GET requests.
75206                          * There is still a limit : -ENOMEM.
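Review bot: Dropping the IW_DESCR_FLAG_NOMAX condition here, together with deleting the GET clamp in the next hunk, changes the contract every standard-ioctl handler sees, and the explanatory comment that is removed is not replaced. After this change a GET handler receives iwp->length equal to the caller's (possibly smaller) buffer length instead of max_tokens, while `extra` is still sized to at least max_tokens tokens and, presumably via the extra_size assignment that follows, grows to user_length tokens for any descriptor rather than only NOMAX ones; as far as visible no overflow is introduced because iwp->length never exceeds the allocation, but handlers that honour iwp->length may now truncate where they previously produced -E2BIG. A replacement comment at the allocation site should state the new invariant, e.g. `/* GET: extra holds max(max_tokens, user_length) tokens and iwp->length carries the caller's length, so handlers must bound their output by iwp->length */`. ioctl_standard_iw_point() starts and ends outside the hunks.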
75207 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
75208                 }
75209         }
75210  
75211 -       if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
75212 -               /*
75213 -                * If this is a GET, but not NOMAX, it means that the extra
75214 -                * data is not bounded by userspace, but by max_tokens. Thus
75215 -                * set the length to max_tokens. This matches the extra data
75216 -                * allocation.
75217 -                * The driver should fill it with the number of tokens it
75218 -                * provided, and it may check iwp->length rather than having
75219 -                * knowledge of max_tokens. If the driver doesn't change the
75220 -                * iwp->length, this ioctl just copies back max_token tokens
75221 -                * filled with zeroes. Hopefully the driver isn't claiming
75222 -                * them to be valid data.
75223 -                */
75224 -               iwp->length = descr->max_tokens;
75225 -       }
75226 -
75227         err = handler(dev, info, (union iwreq_data *) iwp, extra);
75228  
75229         iwp->length += essid_compat;
75230 diff -urNp linux-3.1.1/net/xfrm/xfrm_policy.c linux-3.1.1/net/xfrm/xfrm_policy.c
75231 --- linux-3.1.1/net/xfrm/xfrm_policy.c  2011-11-11 15:19:27.000000000 -0500
75232 +++ linux-3.1.1/net/xfrm/xfrm_policy.c  2011-11-16 18:39:08.000000000 -0500
75233 @@ -299,7 +299,7 @@ static void xfrm_policy_kill(struct xfrm
75234  {
75235         policy->walk.dead = 1;
75236  
75237 -       atomic_inc(&policy->genid);
75238 +       atomic_inc_unchecked(&policy->genid);
75239  
75240         if (del_timer(&policy->timer))
75241                 xfrm_pol_put(policy);
75242 @@ -583,7 +583,7 @@ int xfrm_policy_insert(int dir, struct x
75243                 hlist_add_head(&policy->bydst, chain);
75244         xfrm_pol_hold(policy);
75245         net->xfrm.policy_count[dir]++;
75246 -       atomic_inc(&flow_cache_genid);
75247 +       atomic_inc_unchecked(&flow_cache_genid);
75248         if (delpol)
75249                 __xfrm_policy_unlink(delpol, dir);
75250         policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
75251 @@ -1530,7 +1530,7 @@ free_dst:
75252         goto out;
75253  }
75254  
75255 -static int inline
75256 +static inline int
75257  xfrm_dst_alloc_copy(void **target, const void *src, int size)
75258  {
75259         if (!*target) {
75260 @@ -1542,7 +1542,7 @@ xfrm_dst_alloc_copy(void **target, const
75261         return 0;
75262  }
75263  
75264 -static int inline
75265 +static inline int
75266  xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
75267  {
75268  #ifdef CONFIG_XFRM_SUB_POLICY
75269 @@ -1554,7 +1554,7 @@ xfrm_dst_update_parent(struct dst_entry 
75270  #endif
75271  }
75272  
75273 -static int inline
75274 +static inline int
75275  xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
75276  {
75277  #ifdef CONFIG_XFRM_SUB_POLICY
75278 @@ -1648,7 +1648,7 @@ xfrm_resolve_and_create_bundle(struct xf
75279  
75280         xdst->num_pols = num_pols;
75281         memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
75282 -       xdst->policy_genid = atomic_read(&pols[0]->genid);
75283 +       xdst->policy_genid = atomic_read_unchecked(&pols[0]->genid);
75284  
75285         return xdst;
75286  }
75287 @@ -2335,7 +2335,7 @@ static int xfrm_bundle_ok(struct xfrm_ds
75288                 if (xdst->xfrm_genid != dst->xfrm->genid)
75289                         return 0;
75290                 if (xdst->num_pols > 0 &&
75291 -                   xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
75292 +                   xdst->policy_genid != atomic_read_unchecked(&xdst->pols[0]->genid))
75293                         return 0;
75294  
75295                 mtu = dst_mtu(dst->child);
75296 @@ -2870,7 +2870,7 @@ static int xfrm_policy_migrate(struct xf
75297                                sizeof(pol->xfrm_vec[i].saddr));
75298                         pol->xfrm_vec[i].encap_family = mp->new_family;
75299                         /* flush bundles */
75300 -                       atomic_inc(&pol->genid);
75301 +                       atomic_inc_unchecked(&pol->genid);
75302                 }
75303         }
75304  
75305 diff -urNp linux-3.1.1/net/xfrm/xfrm_user.c linux-3.1.1/net/xfrm/xfrm_user.c
75306 --- linux-3.1.1/net/xfrm/xfrm_user.c    2011-11-11 15:19:27.000000000 -0500
75307 +++ linux-3.1.1/net/xfrm/xfrm_user.c    2011-11-16 18:40:44.000000000 -0500
75308 @@ -1394,6 +1394,8 @@ static int copy_to_user_tmpl(struct xfrm
75309         struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
75310         int i;
75311  
75312 +       pax_track_stack();
75313 +
75314         if (xp->xfrm_nr == 0)
75315                 return 0;
75316  
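Review bot: The pax_track_stack() insertion in copy_to_user_tmpl() has no comment saying why this function needs it; the trigger is visible just above (`struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]` on the stack), so say so: `/* large on-stack array above: record the stack depth for PAX_MEMORY_STACKLEAK */`. The same applies to the insertion in xfrm_do_migrate() in the next hunk, where the large object is not visible in the hunk and the comment is even more needed. Both enclosing functions start and end outside the hunks.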
75317 @@ -2062,6 +2064,8 @@ static int xfrm_do_migrate(struct sk_buf
75318         int err;
75319         int n = 0;
75320  
75321 +       pax_track_stack();
75322 +
75323         if (attrs[XFRMA_MIGRATE] == NULL)
75324                 return -EINVAL;
75325  
75326 diff -urNp linux-3.1.1/scripts/basic/fixdep.c linux-3.1.1/scripts/basic/fixdep.c
75327 --- linux-3.1.1/scripts/basic/fixdep.c  2011-11-11 15:19:27.000000000 -0500
75328 +++ linux-3.1.1/scripts/basic/fixdep.c  2011-11-16 18:39:08.000000000 -0500
75329 @@ -161,7 +161,7 @@ static unsigned int strhash(const char *
75330  /*
75331   * Lookup a value in the configuration string.
75332   */
75333 -static int is_defined_config(const char *name, int len, unsigned int hash)
75334 +static int is_defined_config(const char *name, unsigned int len, unsigned int hash)
75335  {
75336         struct item *aux;
75337  
75338 @@ -211,10 +211,10 @@ static void clear_config(void)
75339  /*
75340   * Record the use of a CONFIG_* word.
75341   */
75342 -static void use_config(const char *m, int slen)
75343 +static void use_config(const char *m, unsigned int slen)
75344  {
75345         unsigned int hash = strhash(m, slen);
75346 -       int c, i;
75347 +       unsigned int c, i;
75348  
75349         if (is_defined_config(m, slen, hash))
75350             return;
75351 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
75352  
75353  static void parse_config_file(const char *map, size_t len)
75354  {
75355 -       const int *end = (const int *) (map + len);
75356 +       const unsigned int *end = (const unsigned int *) (map + len);
75357         /* start at +1, so that p can never be < map */
75358 -       const int *m   = (const int *) map + 1;
75359 +       const unsigned int *m   = (const unsigned int *) map + 1;
75360         const char *p, *q;
75361  
75362         for (; m < end; m++) {
75363 @@ -405,7 +405,7 @@ static void print_deps(void)
75364  static void traps(void)
75365  {
75366         static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
75367 -       int *p = (int *)test;
75368 +       unsigned int *p = (unsigned int *)test;
75369  
75370         if (*p != INT_CONF) {
75371                 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
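Review bot: The new `unsigned int *p = (unsigned int *)test;` still reads a char array through an int pointer, so the change fixes only the signedness warning while the type pun itself is what strict-aliasing rules may not honour. A memcpy expresses the same size/endianness probe without the pun: `unsigned int v; memcpy(&v, test, sizeof v); if (v != INT_CONF) {`. parse_config_file() in the previous hunk scans the mmap'd buffer the same way; there the aliasing looks like a deliberate four-bytes-at-a-time optimisation and deserves a comment saying so. traps() continues outside the hunk.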
75372 diff -urNp linux-3.1.1/scripts/gcc-plugin.sh linux-3.1.1/scripts/gcc-plugin.sh
75373 --- linux-3.1.1/scripts/gcc-plugin.sh   1969-12-31 19:00:00.000000000 -0500
75374 +++ linux-3.1.1/scripts/gcc-plugin.sh   2011-11-16 18:39:08.000000000 -0500
75375 @@ -0,0 +1,2 @@
75376 +#!/bin/sh
75377 +echo "#include \"gcc-plugin.h\"\n#include \"rtl.h\"" | $1 -x c -shared - -o /dev/null -I`$2 -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
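Review bot: `echo "...\n..."` is not portable under `#!/bin/sh`: POSIX leaves backslash handling in echo unspecified, so with bash as /bin/sh the literal `\n` reaches the compiler as extra tokens on the first #include and rtl.h is never included, which means the probe tests less than it claims to and may report plugin support on a toolchain that lacks the RTL headers. Use printf and quote the expansions: `printf '#include "gcc-plugin.h"\n#include "rtl.h"\n' | "$1" -x c -shared - -o /dev/null -I"$("$2" -print-file-name=plugin)/include" >/dev/null 2>&1 && echo "y"`. A comment stating the calling convention (`$1` = compiler used for the test build, `$2` = compiler whose plugin directory is probed) would help, as the script has no usage text.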
75378 diff -urNp linux-3.1.1/scripts/Makefile.build linux-3.1.1/scripts/Makefile.build
75379 --- linux-3.1.1/scripts/Makefile.build  2011-11-11 15:19:27.000000000 -0500
75380 +++ linux-3.1.1/scripts/Makefile.build  2011-11-16 18:40:44.000000000 -0500
75381 @@ -109,7 +109,7 @@ endif
75382  endif
75383  
75384  # Do not include host rules unless needed
75385 -ifneq ($(hostprogs-y)$(hostprogs-m),)
75386 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
75387  include scripts/Makefile.host
75388  endif
75389  
75390 diff -urNp linux-3.1.1/scripts/Makefile.clean linux-3.1.1/scripts/Makefile.clean
75391 --- linux-3.1.1/scripts/Makefile.clean  2011-11-11 15:19:27.000000000 -0500
75392 +++ linux-3.1.1/scripts/Makefile.clean  2011-11-16 18:39:08.000000000 -0500
75393 @@ -43,7 +43,8 @@ subdir-ymn    := $(addprefix $(obj)/,$(subd
75394  __clean-files  := $(extra-y) $(always)                  \
75395                    $(targets) $(clean-files)             \
75396                    $(host-progs)                         \
75397 -                  $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
75398 +                  $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
75399 +                  $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
75400  
75401  __clean-files   := $(filter-out $(no-clean-files), $(__clean-files))
75402  
75403 diff -urNp linux-3.1.1/scripts/Makefile.host linux-3.1.1/scripts/Makefile.host
75404 --- linux-3.1.1/scripts/Makefile.host   2011-11-11 15:19:27.000000000 -0500
75405 +++ linux-3.1.1/scripts/Makefile.host   2011-11-16 18:39:08.000000000 -0500
75406 @@ -31,6 +31,7 @@
75407  # Note: Shared libraries consisting of C++ files are not supported
75408  
75409  __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
75410 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
75411  
75412  # C code
75413  # Executables compiled from a single .c file
75414 @@ -54,6 +55,7 @@ host-cxxobjs  := $(sort $(foreach m,$(hos
75415  # Shared libaries (only .c supported)
75416  # Shared libraries (.so) - all .so files referenced in "xxx-objs"
75417  host-cshlib    := $(sort $(filter %.so, $(host-cobjs)))
75418 +host-cshlib    += $(sort $(filter %.so, $(__hostlibs)))
75419  # Remove .so files from "xxx-objs"
75420  host-cobjs     := $(filter-out %.so,$(host-cobjs))
75421  
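Review bot: Only hostlibs entries whose names end in `.so` survive `$(filter %.so, $(__hostlibs))`; anything else listed in hostlibs-y/-m is silently dropped instead of producing a build error. Either state that in the comment above (`# hostlibs-y/m: shared libraries only, names must end in .so`) or add a `$(filter-out %.so, $(__hostlibs))` check that calls `$(error ...)`. The Makefile.build and Makefile.clean hunks wire the new variables consistently.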
75422 diff -urNp linux-3.1.1/scripts/mod/file2alias.c linux-3.1.1/scripts/mod/file2alias.c
75423 --- linux-3.1.1/scripts/mod/file2alias.c        2011-11-11 15:19:27.000000000 -0500
75424 +++ linux-3.1.1/scripts/mod/file2alias.c        2011-11-16 18:39:08.000000000 -0500
75425 @@ -72,7 +72,7 @@ static void device_id_check(const char *
75426                             unsigned long size, unsigned long id_size,
75427                             void *symval)
75428  {
75429 -       int i;
75430 +       unsigned int i;
75431  
75432         if (size % id_size || size < id_size) {
75433                 if (cross_build != 0)
75434 @@ -102,7 +102,7 @@ static void device_id_check(const char *
75435  /* USB is special because the bcdDevice can be matched against a numeric range */
75436  /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
75437  static void do_usb_entry(struct usb_device_id *id,
75438 -                        unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
75439 +                        unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
75440                          unsigned char range_lo, unsigned char range_hi,
75441                          unsigned char max, struct module *mod)
75442  {
75443 @@ -203,7 +203,7 @@ static void do_usb_entry_multi(struct us
75444  {
75445         unsigned int devlo, devhi;
75446         unsigned char chi, clo, max;
75447 -       int ndigits;
75448 +       unsigned int ndigits;
75449  
75450         id->match_flags = TO_NATIVE(id->match_flags);
75451         id->idVendor = TO_NATIVE(id->idVendor);
75452 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
75453         for (i = 0; i < count; i++) {
75454                 const char *id = (char *)devs[i].id;
75455                 char acpi_id[sizeof(devs[0].id)];
75456 -               int j;
75457 +               unsigned int j;
75458  
75459                 buf_printf(&mod->dev_table_buf,
75460                            "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
75461 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
75462  
75463                 for (j = 0; j < PNP_MAX_DEVICES; j++) {
75464                         const char *id = (char *)card->devs[j].id;
75465 -                       int i2, j2;
75466 +                       unsigned int i2, j2;
75467                         int dup = 0;
75468  
75469                         if (!id[0])
75470 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
75471                         /* add an individual alias for every device entry */
75472                         if (!dup) {
75473                                 char acpi_id[sizeof(card->devs[0].id)];
75474 -                               int k;
75475 +                               unsigned int k;
75476  
75477                                 buf_printf(&mod->dev_table_buf,
75478                                            "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
75479 @@ -786,7 +786,7 @@ static void dmi_ascii_filter(char *d, co
75480  static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
75481                         char *alias)
75482  {
75483 -       int i, j;
75484 +       unsigned int i, j;
75485  
75486         sprintf(alias, "dmi*");
75487  
75488 diff -urNp linux-3.1.1/scripts/mod/modpost.c linux-3.1.1/scripts/mod/modpost.c
75489 --- linux-3.1.1/scripts/mod/modpost.c   2011-11-11 15:19:27.000000000 -0500
75490 +++ linux-3.1.1/scripts/mod/modpost.c   2011-11-16 18:39:08.000000000 -0500
75491 @@ -919,6 +919,7 @@ enum mismatch {
75492         ANY_INIT_TO_ANY_EXIT,
75493         ANY_EXIT_TO_ANY_INIT,
75494         EXPORT_TO_INIT_EXIT,
75495 +       DATA_TO_TEXT
75496  };
75497  
75498  struct sectioncheck {
75499 @@ -1027,6 +1028,12 @@ const struct sectioncheck sectioncheck[]
75500         .tosec   = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
75501         .mismatch = EXPORT_TO_INIT_EXIT,
75502         .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
75503 +},
75504 +/* Do not reference code from writable data */
75505 +{
75506 +       .fromsec = { DATA_SECTIONS, NULL },
75507 +       .tosec   = { TEXT_SECTIONS, NULL },
75508 +       .mismatch = DATA_TO_TEXT
75509  }
75510  };
75511  
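Review bot: The new DATA_TO_TEXT entry omits `.symbol_white_list`, so unlike the neighbouring entries it exempts no symbols (the list is zero-initialised); if that is intended, say so in the comment: `/* Do not reference code from writable data; no whitelist, every such reference is a constification candidate */`. Presumably this rule fires for every function pointer stored in a non-const data object, so sec_mismatch_count will grow accordingly, which is worth a sentence next to the entry so nobody mistakes the volume for a regression.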
75512 @@ -1149,10 +1156,10 @@ static Elf_Sym *find_elf_symbol(struct e
75513                         continue;
75514                 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
75515                         continue;
75516 -               if (sym->st_value == addr)
75517 -                       return sym;
75518                 /* Find a symbol nearby - addr are maybe negative */
75519                 d = sym->st_value - addr;
75520 +               if (d == 0)
75521 +                       return sym;
75522                 if (d < 0)
75523                         d = addr - sym->st_value;
75524                 if (d < distance) {
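Review bot: Moving the exact-match test to `if (d == 0)` is not equivalent to the old `sym->st_value == addr` if, as in mainline, d is an Elf64_Sword while st_value is a 64-bit address: the subtraction is truncated to 32 bits, so a symbol whose value differs from addr by a multiple of 2^32 would now be returned as the exact match. Section offsets in relocatable objects are small enough that this is unlikely to bite, but if the goal was only to silence the signed/unsigned comparison, an explicit cast keeps the full-width test: `if (sym->st_value == (Elf_Addr)addr) return sym;`. find_elf_symbol() starts and ends outside the hunk.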
75525 @@ -1431,6 +1438,14 @@ static void report_sec_mismatch(const ch
75526                 tosym, prl_to, prl_to, tosym);
75527                 free(prl_to);
75528                 break;
75529 +       case DATA_TO_TEXT:
75530 +/*
75531 +               fprintf(stderr,
75532 +               "The variable %s references\n"
75533 +               "the %s %s%s%s\n",
75534 +               fromsym, to, sec2annotation(tosec), tosym, to_p);
75535 +*/
75536 +               break;
75537         }
75538         fprintf(stderr, "\n");
75539  }
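Review bot: The DATA_TO_TEXT case carries a commented-out fprintf() instead of either a message or a reason for the silence; commented-out code should not be committed. If the per-reference explanation is suppressed because the generic warning presumably printed before the switch suffices, replace the block with `/* DATA_TO_TEXT: generic warning above is enough, no per-reference explanation */` and keep only the `break;`. If it was disabled because of volume, that belongs in the comment too. report_sec_mismatch() starts outside the hunk.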
75540 @@ -1656,7 +1671,7 @@ static void section_rel(const char *modn
75541  static void check_sec_ref(struct module *mod, const char *modname,
75542                            struct elf_info *elf)
75543  {
75544 -       int i;
75545 +       unsigned int i;
75546         Elf_Shdr *sechdrs = elf->sechdrs;
75547  
75548         /* Walk through all sections */
75549 @@ -1754,7 +1769,7 @@ void __attribute__((format(printf, 2, 3)
75550         va_end(ap);
75551  }
75552  
75553 -void buf_write(struct buffer *buf, const char *s, int len)
75554 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
75555  {
75556         if (buf->size - buf->pos < len) {
75557                 buf->size += len + SZ;
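Review bot: Making `len` unsigned changes how a negative argument behaves: buf_printf(), whose tail is visible just above the changed signature, in mainline passes the int return of vsnprintf(), which is negative on error; that now becomes a huge unsigned value and `buf->size += len + SZ` wraps instead of the call being rejected. Guard it in buf_printf() before the call with `if (len < 0) return;` (its body is outside the hunk, so confirm there is no existing check), or document in buf_write() that callers must never pass a failed formatter result. The struct buffer change in modpost.h is consistent with this signature.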
75558 @@ -1966,7 +1981,7 @@ static void write_if_changed(struct buff
75559         if (fstat(fileno(file), &st) < 0)
75560                 goto close_write;
75561  
75562 -       if (st.st_size != b->pos)
75563 +       if (st.st_size != (off_t)b->pos)
75564                 goto close_write;
75565  
75566         tmp = NOFAIL(malloc(b->pos));
75567 diff -urNp linux-3.1.1/scripts/mod/modpost.h linux-3.1.1/scripts/mod/modpost.h
75568 --- linux-3.1.1/scripts/mod/modpost.h   2011-11-11 15:19:27.000000000 -0500
75569 +++ linux-3.1.1/scripts/mod/modpost.h   2011-11-16 18:39:08.000000000 -0500
75570 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
75571  
75572  struct buffer {
75573         char *p;
75574 -       int pos;
75575 -       int size;
75576 +       unsigned int pos;
75577 +       unsigned int size;
75578  };
75579  
75580  void __attribute__((format(printf, 2, 3)))
75581  buf_printf(struct buffer *buf, const char *fmt, ...);
75582  
75583  void
75584 -buf_write(struct buffer *buf, const char *s, int len);
75585 +buf_write(struct buffer *buf, const char *s, unsigned int len);
75586  
75587  struct module {
75588         struct module *next;
75589 diff -urNp linux-3.1.1/scripts/mod/sumversion.c linux-3.1.1/scripts/mod/sumversion.c
75590 --- linux-3.1.1/scripts/mod/sumversion.c        2011-11-11 15:19:27.000000000 -0500
75591 +++ linux-3.1.1/scripts/mod/sumversion.c        2011-11-16 18:39:08.000000000 -0500
75592 @@ -470,7 +470,7 @@ static void write_version(const char *fi
75593                 goto out;
75594         }
75595  
75596 -       if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
75597 +       if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
75598                 warn("writing sum in %s failed: %s\n",
75599                         filename, strerror(errno));
75600                 goto out;
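Review bot: `(ssize_t)strlen(sum)+1` reads as if the cast covered the whole sum but binds only to strlen(); it is correct either way, but computing the length once removes the ambiguity and the duplicated strlen(): `size_t len = strlen(sum) + 1;` followed by `if (write(fd, sum, len) != (ssize_t)len) {`. A short write is still treated as failure, which is the right outcome for a versions file. write_version() starts and ends outside the hunk.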
75601 diff -urNp linux-3.1.1/scripts/pnmtologo.c linux-3.1.1/scripts/pnmtologo.c
75602 --- linux-3.1.1/scripts/pnmtologo.c     2011-11-11 15:19:27.000000000 -0500
75603 +++ linux-3.1.1/scripts/pnmtologo.c     2011-11-16 18:39:08.000000000 -0500
75604 @@ -237,14 +237,14 @@ static void write_header(void)
75605      fprintf(out, " *  Linux logo %s\n", logoname);
75606      fputs(" */\n\n", out);
75607      fputs("#include <linux/linux_logo.h>\n\n", out);
75608 -    fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
75609 +    fprintf(out, "static unsigned char %s_data[] = {\n",
75610             logoname);
75611  }
75612  
75613  static void write_footer(void)
75614  {
75615      fputs("\n};\n\n", out);
75616 -    fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
75617 +    fprintf(out, "const struct linux_logo %s = {\n", logoname);
75618      fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
75619      fprintf(out, "\t.width\t\t= %d,\n", logo_width);
75620      fprintf(out, "\t.height\t\t= %d,\n", logo_height);
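Review bot: Dropping `__initdata`/`__initconst` from the generated logo objects keeps them resident for the life of the kernel instead of being discarded after boot, and nothing in the generator says why. The reason is not visible here (presumably the logo data is now referenced after init memory is freed, or the constification changes elsewhere need these objects outside the init sections); record it in write_header() next to the fprintf, e.g. `/* not __initdata: <reason> -- the data must outlive free_initmem() */` with the placeholder filled in, and mirror it in the clut hunk below.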
75621 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
75622      fputs("\n};\n\n", out);
75623  
75624      /* write logo clut */
75625 -    fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
75626 +    fprintf(out, "static unsigned char %s_clut[] = {\n",
75627             logoname);
75628      write_hex_cnt = 0;
75629      for (i = 0; i < logo_clutsize; i++) {
75630 diff -urNp linux-3.1.1/security/apparmor/lsm.c linux-3.1.1/security/apparmor/lsm.c
75631 --- linux-3.1.1/security/apparmor/lsm.c 2011-11-11 15:19:27.000000000 -0500
75632 +++ linux-3.1.1/security/apparmor/lsm.c 2011-11-16 18:40:44.000000000 -0500
75633 @@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struc
75634         return error;
75635  }
75636  
75637 -static struct security_operations apparmor_ops = {
75638 +static struct security_operations apparmor_ops __read_only = {
75639         .name =                         "apparmor",
75640  
75641         .ptrace_access_check =          apparmor_ptrace_access_check,
75642 diff -urNp linux-3.1.1/security/commoncap.c linux-3.1.1/security/commoncap.c
75643 --- linux-3.1.1/security/commoncap.c    2011-11-11 15:19:27.000000000 -0500
75644 +++ linux-3.1.1/security/commoncap.c    2011-11-16 18:40:44.000000000 -0500
75645 @@ -28,6 +28,7 @@
75646  #include <linux/prctl.h>
75647  #include <linux/securebits.h>
75648  #include <linux/user_namespace.h>
75649 +#include <net/sock.h>
75650  
75651  /*
75652   * If a non-root user executes a setuid-root binary in
75653 @@ -58,7 +59,7 @@ int cap_netlink_send(struct sock *sk, st
75654  
75655  int cap_netlink_recv(struct sk_buff *skb, int cap)
75656  {
75657 -       if (!cap_raised(current_cap(), cap))
75658 +       if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap))
75659                 return -EPERM;
75660         return 0;
75661  }
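Review bot: The added `|| !gr_is_capable(cap)` has no comment explaining why a capability that is raised in current_cap() can still be refused, which is exactly the behaviour change a reader of this hook will trip over. Because of short-circuit evaluation gr_is_capable() is only consulted when the capability is present in the credentials, so any side effect it has (logging a denial, for instance) only occurs on that path; that is worth stating. Suggested comment above the test: `/* RBAC policy may deny a capability even though it is raised in the task's credentials */`.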
75662 @@ -575,6 +576,9 @@ int cap_bprm_secureexec(struct linux_bin
75663  {
75664         const struct cred *cred = current_cred();
75665  
75666 +       if (gr_acl_enable_at_secure())
75667 +               return 1;
75668 +
75669         if (cred->uid != 0) {
75670                 if (bprm->cap_effective)
75671                         return 1;
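Review bot: The new `gr_acl_enable_at_secure()` early return precedes every existing uid and capability test in cap_bprm_secureexec, so the hook now reports secure-exec purely on RBAC state with no explanation in the source. The existing checks document their condition implicitly through the cred fields they read; the grsecurity call does not, so a comment such as `/* RBAC policy can request secure-exec (AT_SECURE) semantics regardless of uid or capabilities */` above the call would keep the hook readable. The body of cap_bprm_secureexec continues past the end of the hunk.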
75672 diff -urNp linux-3.1.1/security/integrity/ima/ima_api.c linux-3.1.1/security/integrity/ima/ima_api.c
75673 --- linux-3.1.1/security/integrity/ima/ima_api.c        2011-11-11 15:19:27.000000000 -0500
75674 +++ linux-3.1.1/security/integrity/ima/ima_api.c        2011-11-16 18:39:08.000000000 -0500
75675 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
75676         int result;
75677  
75678         /* can overflow, only indicator */
75679 -       atomic_long_inc(&ima_htable.violations);
75680 +       atomic_long_inc_unchecked(&ima_htable.violations);
75681  
75682         entry = kmalloc(sizeof(*entry), GFP_KERNEL);
75683         if (!entry) {
75684 diff -urNp linux-3.1.1/security/integrity/ima/ima_fs.c linux-3.1.1/security/integrity/ima/ima_fs.c
75685 --- linux-3.1.1/security/integrity/ima/ima_fs.c 2011-11-11 15:19:27.000000000 -0500
75686 +++ linux-3.1.1/security/integrity/ima/ima_fs.c 2011-11-16 18:39:08.000000000 -0500
75687 @@ -28,12 +28,12 @@
75688  static int valid_policy = 1;
75689  #define TMPBUFLEN 12
75690  static ssize_t ima_show_htable_value(char __user *buf, size_t count,
75691 -                                    loff_t *ppos, atomic_long_t *val)
75692 +                                    loff_t *ppos, atomic_long_unchecked_t *val)
75693  {
75694         char tmpbuf[TMPBUFLEN];
75695         ssize_t len;
75696  
75697 -       len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
75698 +       len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
75699         return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
75700  }
75701  
75702 diff -urNp linux-3.1.1/security/integrity/ima/ima.h linux-3.1.1/security/integrity/ima/ima.h
75703 --- linux-3.1.1/security/integrity/ima/ima.h    2011-11-11 15:19:27.000000000 -0500
75704 +++ linux-3.1.1/security/integrity/ima/ima.h    2011-11-16 18:39:08.000000000 -0500
75705 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
75706  extern spinlock_t ima_queue_lock;
75707  
75708  struct ima_h_table {
75709 -       atomic_long_t len;      /* number of stored measurements in the list */
75710 -       atomic_long_t violations;
75711 +       atomic_long_unchecked_t len;    /* number of stored measurements in the list */
75712 +       atomic_long_unchecked_t violations;
75713         struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
75714  };
75715  extern struct ima_h_table ima_htable;
75716 diff -urNp linux-3.1.1/security/integrity/ima/ima_queue.c linux-3.1.1/security/integrity/ima/ima_queue.c
75717 --- linux-3.1.1/security/integrity/ima/ima_queue.c      2011-11-11 15:19:27.000000000 -0500
75718 +++ linux-3.1.1/security/integrity/ima/ima_queue.c      2011-11-16 18:39:08.000000000 -0500
75719 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
75720         INIT_LIST_HEAD(&qe->later);
75721         list_add_tail_rcu(&qe->later, &ima_measurements);
75722  
75723 -       atomic_long_inc(&ima_htable.len);
75724 +       atomic_long_inc_unchecked(&ima_htable.len);
75725         key = ima_hash_key(entry->digest);
75726         hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
75727         return 0;
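Review bot: Switching `ima_htable.len` to the `_unchecked` increment opts this counter out of the overflow detection that PAX_REFCOUNT applies to `atomic_long_t`, but unlike the `violations` counter in ima_api.c (which already carries `/* can overflow, only indicator */`) there is no comment here saying why the exemption is acceptable. The measurement list appears to be append-only, so wrap-around is a theoretical concern rather than a lifetime bug, but that reasoning should be stated at the use: `/* statistic only, never drives object lifetime; exempt from PAX_REFCOUNT */`. The same comment belongs on the field change in ima.h.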
75728 diff -urNp linux-3.1.1/security/Kconfig linux-3.1.1/security/Kconfig
75729 --- linux-3.1.1/security/Kconfig        2011-11-11 15:19:27.000000000 -0500
75730 +++ linux-3.1.1/security/Kconfig        2011-11-16 18:40:44.000000000 -0500
75731 @@ -4,6 +4,558 @@
75732  
75733  menu "Security options"
75734  
75735 +source grsecurity/Kconfig
75736 +
75737 +menu "PaX"
75738 +
75739 +       config ARCH_TRACK_EXEC_LIMIT
75740 +       bool
75741 +
75742 +       config PAX_KERNEXEC_PLUGIN
75743 +       bool
75744 +
75745 +       config PAX_PER_CPU_PGD
75746 +       bool
75747 +
75748 +       config TASK_SIZE_MAX_SHIFT
75749 +       int
75750 +       depends on X86_64
75751 +       default 47 if !PAX_PER_CPU_PGD
75752 +       default 42 if PAX_PER_CPU_PGD
75753 +
75754 +       config PAX_ENABLE_PAE
75755 +       bool
75756 +       default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
75757 +       
75758 +config PAX
75759 +       bool "Enable various PaX features"
75760 +       depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
75761 +       help
75762 +         This allows you to enable various PaX features.  PaX adds
75763 +         intrusion prevention mechanisms to the kernel that reduce
75764 +         the risks posed by exploitable memory corruption bugs.
75765 +
75766 +menu "PaX Control"
75767 +       depends on PAX
75768 +
75769 +config PAX_SOFTMODE
75770 +       bool 'Support soft mode'
75771 +       select PAX_PT_PAX_FLAGS
75772 +       help
75773 +         Enabling this option will allow you to run PaX in soft mode, that
75774 +         is, PaX features will not be enforced by default, only on executables
75775 +         marked explicitly.  You must also enable PT_PAX_FLAGS support as it
75776 +         is the only way to mark executables for soft mode use.
75777 +
75778 +         Soft mode can be activated by using the "pax_softmode=1" kernel command
75779 +         line option on boot.  Furthermore you can control various PaX features
75780 +         at runtime via the entries in /proc/sys/kernel/pax.
75781 +
75782 +config PAX_EI_PAX
75783 +       bool 'Use legacy ELF header marking'
75784 +       help
75785 +         Enabling this option will allow you to control PaX features on
75786 +         a per executable basis via the 'chpax' utility available at
75787 +         http://pax.grsecurity.net/.  The control flags will be read from
75788 +         an otherwise reserved part of the ELF header.  This marking has
75789 +         numerous drawbacks (no support for soft-mode, toolchain does not
75790 +         know about the non-standard use of the ELF header) therefore it
75791 +         has been deprecated in favour of PT_PAX_FLAGS support.
75792 +
75793 +         Note that if you enable PT_PAX_FLAGS marking support as well,
75794 +         the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
75795 +
75796 +config PAX_PT_PAX_FLAGS
75797 +       bool 'Use ELF program header marking'
75798 +       help
75799 +         Enabling this option will allow you to control PaX features on
75800 +         a per executable basis via the 'paxctl' utility available at
75801 +         http://pax.grsecurity.net/.  The control flags will be read from
75802 +         a PaX specific ELF program header (PT_PAX_FLAGS).  This marking
75803 +         has the benefits of supporting both soft mode and being fully
75804 +         integrated into the toolchain (the binutils patch is available
75805 +         from http://pax.grsecurity.net).
75806 +
75807 +         If your toolchain does not support PT_PAX_FLAGS markings,
75808 +         you can create one in most cases with 'paxctl -C'.
75809 +
75810 +         Note that if you enable the legacy EI_PAX marking support as well,
75811 +         the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
75812 +
75813 +choice
75814 +       prompt 'MAC system integration'
75815 +       default PAX_HAVE_ACL_FLAGS
75816 +       help
75817 +         Mandatory Access Control systems have the option of controlling
75818 +         PaX flags on a per executable basis, choose the method supported
75819 +         by your particular system.
75820 +
75821 +         - "none": if your MAC system does not interact with PaX,
75822 +         - "direct": if your MAC system defines pax_set_initial_flags() itself,
75823 +         - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
75824 +
75825 +         NOTE: this option is for developers/integrators only.
75826 +
75827 +       config PAX_NO_ACL_FLAGS
75828 +               bool 'none'
75829 +
75830 +       config PAX_HAVE_ACL_FLAGS
75831 +               bool 'direct'
75832 +
75833 +       config PAX_HOOK_ACL_FLAGS
75834 +               bool 'hook'
75835 +endchoice
75836 +
75837 +endmenu
75838 +
75839 +menu "Non-executable pages"
75840 +       depends on PAX
75841 +
75842 +config PAX_NOEXEC
75843 +       bool "Enforce non-executable pages"
75844 +       depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
75845 +       help
75846 +         By design some architectures do not allow for protecting memory
75847 +         pages against execution or even if they do, Linux does not make
75848 +         use of this feature.  In practice this means that if a page is
75849 +         readable (such as the stack or heap) it is also executable.
75850 +
75851 +         There is a well known exploit technique that makes use of this
75852 +         fact and a common programming mistake where an attacker can
75853 +         introduce code of his choice somewhere in the attacked program's
75854 +         memory (typically the stack or the heap) and then execute it.
75855 +
75856 +         If the attacked program was running with different (typically
75857 +         higher) privileges than that of the attacker, then he can elevate
75858 +         his own privilege level (e.g. get a root shell, write to files for
75859 +         which he does not have write access to, etc).
75860 +
75861 +         Enabling this option will let you choose from various features
75862 +         that prevent the injection and execution of 'foreign' code in
75863 +         a program.
75864 +
75865 +         This will also break programs that rely on the old behaviour and
75866 +         expect that dynamically allocated memory via the malloc() family
75867 +         of functions is executable (which it is not).  Notable examples
75868 +         are the XFree86 4.x server, the java runtime and wine.
75869 +
75870 +config PAX_PAGEEXEC
75871 +       bool "Paging based non-executable pages"
75872 +       depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
75873 +       select S390_SWITCH_AMODE if S390
75874 +       select S390_EXEC_PROTECT if S390
75875 +       select ARCH_TRACK_EXEC_LIMIT if X86_32
75876 +       help
75877 +         This implementation is based on the paging feature of the CPU.
75878 +         On i386 without hardware non-executable bit support there is a
75879 +         variable but usually low performance impact, however on Intel's
75880 +         P4 core based CPUs it is very high so you should not enable this
75881 +         for kernels meant to be used on such CPUs.
75882 +
75883 +         On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
75884 +         with hardware non-executable bit support there is no performance
75885 +         impact, on ppc the impact is negligible.
75886 +
75887 +         Note that several architectures require various emulations due to
75888 +         badly designed userland ABIs, this will cause a performance impact
75889 +         but will disappear as soon as userland is fixed. For example, ppc
75890 +         userland MUST have been built with secure-plt by a recent toolchain.
75891 +
75892 +config PAX_SEGMEXEC
75893 +       bool "Segmentation based non-executable pages"
75894 +       depends on PAX_NOEXEC && X86_32
75895 +       help
75896 +         This implementation is based on the segmentation feature of the
75897 +         CPU and has a very small performance impact, however applications
75898 +         will be limited to a 1.5 GB address space instead of the normal
75899 +         3 GB.
75900 +
75901 +config PAX_EMUTRAMP
75902 +       bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
75903 +       default y if PARISC
75904 +       help
75905 +         There are some programs and libraries that for one reason or
75906 +         another attempt to execute special small code snippets from
75907 +         non-executable memory pages.  Most notable examples are the
75908 +         signal handler return code generated by the kernel itself and
75909 +         the GCC trampolines.
75910 +
75911 +         If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
75912 +         such programs will no longer work under your kernel.
75913 +
75914 +         As a remedy you can say Y here and use the 'chpax' or 'paxctl'
75915 +         utilities to enable trampoline emulation for the affected programs
75916 +         yet still have the protection provided by the non-executable pages.
75917 +
75918 +         On parisc you MUST enable this option and EMUSIGRT as well, otherwise
75919 +         your system will not even boot.
75920 +
75921 +         Alternatively you can say N here and use the 'chpax' or 'paxctl'
75922 +         utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
75923 +         for the affected files.
75924 +
75925 +         NOTE: enabling this feature *may* open up a loophole in the
75926 +         protection provided by non-executable pages that an attacker
75927 +         could abuse.  Therefore the best solution is to not have any
75928 +         files on your system that would require this option.  This can
75929 +         be achieved by not using libc5 (which relies on the kernel
75930 +         signal handler return code) and not using or rewriting programs
75931 +         that make use of the nested function implementation of GCC.
75932 +         Skilled users can just fix GCC itself so that it implements
75933 +         nested function calls in a way that does not interfere with PaX.
75934 +
75935 +config PAX_EMUSIGRT
75936 +       bool "Automatically emulate sigreturn trampolines"
75937 +       depends on PAX_EMUTRAMP && PARISC
75938 +       default y
75939 +       help
75940 +         Enabling this option will have the kernel automatically detect
75941 +         and emulate signal return trampolines executing on the stack
75942 +         that would otherwise lead to task termination.
75943 +
75944 +         This solution is intended as a temporary one for users with
75945 +         legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
75946 +         Modula-3 runtime, etc) or executables linked to such, basically
75947 +         everything that does not specify its own SA_RESTORER function in
75948 +         normal executable memory like glibc 2.1+ does.
75949 +
75950 +         On parisc you MUST enable this option, otherwise your system will
75951 +         not even boot.
75952 +
75953 +         NOTE: this feature cannot be disabled on a per executable basis
75954 +         and since it *does* open up a loophole in the protection provided
75955 +         by non-executable pages, the best solution is to not have any
75956 +         files on your system that would require this option.
75957 +
75958 +config PAX_MPROTECT
75959 +       bool "Restrict mprotect()"
75960 +       depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
75961 +       help
75962 +         Enabling this option will prevent programs from
75963 +          - changing the executable status of memory pages that were
75964 +            not originally created as executable,
75965 +          - making read-only executable pages writable again,
75966 +          - creating executable pages from anonymous memory,
75967 +          - making read-only-after-relocations (RELRO) data pages writable again.
75968 +
75969 +         You should say Y here to complete the protection provided by
75970 +         the enforcement of non-executable pages.
75971 +
75972 +         NOTE: you can use the 'chpax' or 'paxctl' utilities to control
75973 +         this feature on a per file basis.
75974 +
75975 +config PAX_MPROTECT_COMPAT
75976 +       bool "Use legacy/compat protection demoting (read help)"
75977 +       depends on PAX_MPROTECT
75978 +       default n
75979 +       help
75980 +         The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
75981 +         by sending the proper error code to the application.  For some broken 
75982 +         userland, this can cause problems with Python or other applications.  The
75983 +         current implementation however allows for applications like clamav to
75984 +         detect if JIT compilation/execution is allowed and to fall back gracefully
75985 +         to an interpreter-based mode if it does not.  While we encourage everyone
75986 +         to use the current implementation as-is and push upstream to fix broken
75987 +         userland (note that the RWX logging option can assist with this), in some
75988 +         environments this may not be possible.  Having to disable MPROTECT
75989 +         completely on certain binaries reduces the security benefit of PaX,
75990 +         so this option is provided for those environments to revert to the old
75991 +         behavior.
75992 +         
75993 +config PAX_ELFRELOCS
75994 +       bool "Allow ELF text relocations (read help)"
75995 +       depends on PAX_MPROTECT
75996 +       default n
75997 +       help
75998 +         Non-executable pages and mprotect() restrictions are effective
75999 +         in preventing the introduction of new executable code into an
76000 +         attacked task's address space.  There remain only two venues
76001 +         for this kind of attack: if the attacker can execute already
76002 +         existing code in the attacked task then he can either have it
76003 +         create and mmap() a file containing his code or have it mmap()
76004 +         an already existing ELF library that does not have position
76005 +         independent code in it and use mprotect() on it to make it
76006 +         writable and copy his code there.  While protecting against
76007 +         the former approach is beyond PaX, the latter can be prevented
76008 +         by having only PIC ELF libraries on one's system (which do not
76009 +         need to relocate their code).  If you are sure this is your case,
76010 +         as is the case with all modern Linux distributions, then leave
76011 +         this option disabled.  You should say 'n' here.
76012 +
76013 +config PAX_ETEXECRELOCS
76014 +       bool "Allow ELF ET_EXEC text relocations"
76015 +       depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
76016 +       select PAX_ELFRELOCS
76017 +       default y
76018 +       help
76019 +         On some architectures there are incorrectly created applications
76020 +         that require text relocations and would not work without enabling
76021 +         this option.  If you are an alpha, ia64 or parisc user, you should
76022 +         enable this option and disable it once you have made sure that
76023 +         none of your applications need it.
76024 +
76025 +config PAX_EMUPLT
76026 +       bool "Automatically emulate ELF PLT"
76027 +       depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
76028 +       default y
76029 +       help
76030 +         Enabling this option will have the kernel automatically detect
76031 +         and emulate the Procedure Linkage Table entries in ELF files.
76032 +         On some architectures such entries are in writable memory, and
76033 +         become non-executable leading to task termination.  Therefore
76034 +         it is mandatory that you enable this option on alpha, parisc,
76035 +         sparc and sparc64, otherwise your system would not even boot.
76036 +
76037 +         NOTE: this feature *does* open up a loophole in the protection
76038 +         provided by the non-executable pages, therefore the proper
76039 +         solution is to modify the toolchain to produce a PLT that does
76040 +         not need to be writable.
76041 +
76042 +config PAX_DLRESOLVE
76043 +       bool 'Emulate old glibc resolver stub'
76044 +       depends on PAX_EMUPLT && SPARC
76045 +       default n
76046 +       help
76047 +         This option is needed if userland has an old glibc (before 2.4)
76048 +         that puts a 'save' instruction into the runtime generated resolver
76049 +         stub that needs special emulation.
76050 +
76051 +config PAX_KERNEXEC
76052 +       bool "Enforce non-executable kernel pages"
76053 +       depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
76054 +       select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
76055 +       select PAX_KERNEXEC_PLUGIN if X86_64
76056 +       help
76057 +         This is the kernel land equivalent of PAGEEXEC and MPROTECT,
76058 +         that is, enabling this option will make it harder to inject
76059 +         and execute 'foreign' code in kernel memory itself.
76060 +
76061 +         Note that on x86_64 kernels there is a known regression when
76062 +         this feature and KVM/VMX are both enabled in the host kernel.
76063 +
76064 +config PAX_KERNEXEC_MODULE_TEXT
76065 +       int "Minimum amount of memory reserved for module code"
76066 +       default "4"
76067 +       depends on PAX_KERNEXEC && X86_32 && MODULES
76068 +       help
76069 +         Due to implementation details the kernel must reserve a fixed
76070 +         amount of memory for module code at compile time that cannot be
76071 +         changed at runtime.  Here you can specify the minimum amount
76072 +         in MB that will be reserved.  Due to the same implementation
76073 +         details this size will always be rounded up to the next 2/4 MB
76074 +         boundary (depends on PAE) so the actually available memory for
76075 +         module code will usually be more than this minimum.
76076 +
76077 +         The default 4 MB should be enough for most users but if you have
76078 +         an excessive number of modules (e.g., most distribution configs
76079 +         compile many drivers as modules) or use huge modules such as
76080 +         nvidia's kernel driver, you will need to adjust this amount.
76081 +         A good rule of thumb is to look at your currently loaded kernel
76082 +         modules and add up their sizes.
76083 +
76084 +endmenu
76085 +
76086 +menu "Address Space Layout Randomization"
76087 +       depends on PAX
76088 +
76089 +config PAX_ASLR
76090 +       bool "Address Space Layout Randomization"
76091 +       depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
76092 +       help
76093 +         Many if not most exploit techniques rely on the knowledge of
76094 +         certain addresses in the attacked program.  The following options
76095 +         will allow the kernel to apply a certain amount of randomization
76096 +         to specific parts of the program thereby forcing an attacker to
76097 +         guess them in most cases.  Any failed guess will most likely crash
76098 +         the attacked program which allows the kernel to detect such attempts
76099 +         and react on them.  PaX itself provides no reaction mechanisms,
76100 +         instead it is strongly encouraged that you make use of Nergal's
76101 +         segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
76102 +         (http://www.grsecurity.net/) built-in crash detection features or
76103 +         develop one yourself.
76104 +
76105 +         By saying Y here you can choose to randomize the following areas:
76106 +          - top of the task's kernel stack
76107 +          - top of the task's userland stack
76108 +          - base address for mmap() requests that do not specify one
76109 +            (this includes all libraries)
76110 +          - base address of the main executable
76111 +
76112 +         It is strongly recommended to say Y here as address space layout
76113 +         randomization has negligible impact on performance yet it provides
76114 +         a very effective protection.
76115 +
76116 +         NOTE: you can use the 'chpax' or 'paxctl' utilities to control
76117 +         this feature on a per file basis.
76118 +
76119 +config PAX_RANDKSTACK
76120 +       bool "Randomize kernel stack base"
76121 +       depends on X86_TSC && X86
76122 +       help
76123 +         By saying Y here the kernel will randomize every task's kernel
76124 +         stack on every system call.  This will not only force an attacker
76125 +         to guess it but also prevent him from making use of possible
76126 +         leaked information about it.
76127 +
76128 +         Since the kernel stack is a rather scarce resource, randomization
76129 +         may cause unexpected stack overflows, therefore you should very
76130 +         carefully test your system.  Note that once enabled in the kernel
76131 +         configuration, this feature cannot be disabled on a per file basis.
76132 +
76133 +config PAX_RANDUSTACK
76134 +       bool "Randomize user stack base"
76135 +       depends on PAX_ASLR
76136 +       help
76137 +         By saying Y here the kernel will randomize every task's userland
76138 +         stack.  The randomization is done in two steps where the second
76139 +         one may apply a big amount of shift to the top of the stack and
76140 +         cause problems for programs that want to use lots of memory (more
76141 +         than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
76142 +         For this reason the second step can be controlled by 'chpax' or
76143 +         'paxctl' on a per file basis.
76144 +
76145 +config PAX_RANDMMAP
76146 +       bool "Randomize mmap() base"
76147 +       depends on PAX_ASLR
76148 +       help
76149 +         By saying Y here the kernel will use a randomized base address for
76150 +         mmap() requests that do not specify one themselves.  As a result
76151 +         all dynamically loaded libraries will appear at random addresses
76152 +         and therefore be harder to exploit by a technique where an attacker
76153 +         attempts to execute library code for his purposes (e.g. spawn a
76154 +         shell from an exploited program that is running at an elevated
76155 +         privilege level).
76156 +
76157 +         Furthermore, if a program is relinked as a dynamic ELF file, its
76158 +         base address will be randomized as well, completing the full
76159 +         randomization of the address space layout.  Attacking such programs
76160 +         becomes a guess game.  You can find an example of doing this at
76161 +         http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
76162 +         http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
76163 +
76164 +         NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
76165 +         feature on a per file basis.
76166 +
76167 +endmenu
76168 +
76169 +menu "Miscellaneous hardening features"
76170 +
76171 +config PAX_MEMORY_SANITIZE
76172 +       bool "Sanitize all freed memory"
76173 +       help
76174 +         By saying Y here the kernel will erase memory pages as soon as they
76175 +         are freed.  This in turn reduces the lifetime of data stored in the
76176 +         pages, making it less likely that sensitive information such as
76177 +         passwords, cryptographic secrets, etc stay in memory for too long.
76178 +
76179 +         This is especially useful for programs whose runtime is short, long
76180 +         lived processes and the kernel itself benefit from this as long as
76181 +         they operate on whole memory pages and ensure timely freeing of pages
76182 +         that may hold sensitive information.
76183 +
76184 +         The tradeoff is performance impact, on a single CPU system kernel
76185 +         compilation sees a 3% slowdown, other systems and workloads may vary
76186 +         and you are advised to test this feature on your expected workload
76187 +         before deploying it.
76188 +
76189 +         Note that this feature does not protect data stored in live pages,
76190 +         e.g., process memory swapped to disk may stay there for a long time.
76191 +
76192 +config PAX_MEMORY_STACKLEAK
76193 +       bool "Sanitize kernel stack"
76194 +       depends on X86
76195 +       help
76196 +         By saying Y here the kernel will erase the kernel stack before it
76197 +         returns from a system call.  This in turn reduces the information
76198 +         that a kernel stack leak bug can reveal.
76199 +
76200 +         Note that such a bug can still leak information that was put on
76201 +         the stack by the current system call (the one eventually triggering
76202 +         the bug) but traces of earlier system calls on the kernel stack
76203 +         cannot leak anymore.
76204 +
76205 +         The tradeoff is performance impact: on a single CPU system kernel
76206 +         compilation sees a 1% slowdown, other systems and workloads may vary
76207 +         and you are advised to test this feature on your expected workload
76208 +         before deploying it.
76209 +
76210 +         Note: full support for this feature requires gcc with plugin support
76211 +         so make sure your compiler is at least gcc 4.5.0 (cross compilation
76212 +         is not supported).  Using older gcc versions means that functions
76213 +         with large enough stack frames may leave uninitialized memory behind
76214 +         that may be exposed to a later syscall leaking the stack.
76215 +
76216 +config PAX_MEMORY_UDEREF
76217 +       bool "Prevent invalid userland pointer dereference"
76218 +       depends on X86 && !UML_X86 && !XEN
76219 +       select PAX_PER_CPU_PGD if X86_64
76220 +       help
76221 +         By saying Y here the kernel will be prevented from dereferencing
76222 +         userland pointers in contexts where the kernel expects only kernel
76223 +         pointers.  This is both a useful runtime debugging feature and a
76224 +         security measure that prevents exploiting a class of kernel bugs.
76225 +
76226 +         The tradeoff is that some virtualization solutions may experience
76227 +         a huge slowdown and therefore you should not enable this feature
76228 +         for kernels meant to run in such environments.  Whether a given VM
76229 +         solution is affected or not is best determined by simply trying it
76230 +         out, the performance impact will be obvious right on boot as this
76231 +         mechanism engages from very early on.  A good rule of thumb is that
76232 +         VMs running on CPUs without hardware virtualization support (i.e.,
76233 +         the majority of IA-32 CPUs) will likely experience the slowdown.
76234 +
76235 +config PAX_REFCOUNT
76236 +       bool "Prevent various kernel object reference counter overflows"
76237 +       depends on GRKERNSEC && (X86 || SPARC64)
76238 +       help
76239 +         By saying Y here the kernel will detect and prevent overflowing
76240 +         various (but not all) kinds of object reference counters.  Such
76241 +         overflows can normally occur due to bugs only and are often, if
76242 +         not always, exploitable.
76243 +
76244 +         The tradeoff is that data structures protected by an overflowed
76245 +         refcount will never be freed and therefore will leak memory.  Note
76246 +         that this leak also happens even without this protection but in
76247 +         that case the overflow can eventually trigger the freeing of the
76248 +         data structure while it is still being used elsewhere, resulting
76249 +         in the exploitable situation that this feature prevents.
76250 +
76251 +         Since this has a negligible performance impact, you should enable
76252 +         this feature.
76253 +
76254 +config PAX_USERCOPY
76255 +       bool "Harden heap object copies between kernel and userland"
76256 +       depends on X86 || PPC || SPARC || ARM
76257 +       depends on GRKERNSEC && (SLAB || SLUB || SLOB)
76258 +       help
76259 +         By saying Y here the kernel will enforce the size of heap objects
76260 +         when they are copied in either direction between the kernel and
76261 +         userland, even if only a part of the heap object is copied.
76262 +
76263 +         Specifically, this checking prevents information leaking from the
76264 +         kernel heap during kernel to userland copies (if the kernel heap
76265 +         object is otherwise fully initialized) and prevents kernel heap
76266 +         overflows during userland to kernel copies.
76267 +
76268 +         Note that the current implementation provides the strictest bounds
76269 +         checks for the SLUB allocator.
76270 +
76271 +         Enabling this option also enables per-slab cache protection against
76272 +         data in a given cache being copied into/out of via userland
76273 +         accessors.  Though the whitelist of regions will be reduced over
76274 +         time, it notably protects important data structures like task structs.
76275 +
76276 +         If frame pointers are enabled on x86, this option will also restrict
76277 +         copies into and out of the kernel stack to local variables within a
76278 +         single frame.
76279 +
76280 +         Since this has a negligible performance impact, you should enable
76281 +         this feature.
76282 +
76283 +endmenu
76284 +
76285 +endmenu
76286 +
76287  config KEYS
76288         bool "Enable access key retention support"
76289         help
76290 @@ -167,7 +719,7 @@ config INTEL_TXT
76291  config LSM_MMAP_MIN_ADDR
76292         int "Low address space for LSM to protect from user allocation"
76293         depends on SECURITY && SECURITY_SELINUX
76294 -       default 32768 if ARM
76295 +       default 32768 if ALPHA || ARM || PARISC || SPARC32
76296         default 65536
76297         help
76298           This is the portion of low virtual memory which should be protected
76299 diff -urNp linux-3.1.1/security/keys/compat.c linux-3.1.1/security/keys/compat.c
76300 --- linux-3.1.1/security/keys/compat.c  2011-11-11 15:19:27.000000000 -0500
76301 +++ linux-3.1.1/security/keys/compat.c  2011-11-16 18:39:08.000000000 -0500
76302 @@ -44,7 +44,7 @@ long compat_keyctl_instantiate_key_iov(
76303         if (ret == 0)
76304                 goto no_payload_free;
76305  
76306 -       ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
76307 +       ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
76308  
76309         if (iov != iovstack)
76310                 kfree(iov);
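Review bot: The `(const struct iovec __force_user *)iov` cast tells the checker this array lives in userspace, yet the surrounding code treats it as kernel memory — it is released with `kfree(iov)` two lines below and, in keyctl.c, compared against the on-stack `iovstack`. If `keyctl_instantiate_key_common()` and `copy_from_user_iovec()` still dereference the iovec directly (their bodies are outside these hunks; only the `for (; ioc > 0; ioc--)` loop head is visible), the new `__user` on `payload_iov`/`iov` is the wrong way round and the casts merely silence the warning instead of documenting anything. Either keep the parameter as the kernel copy it appears to be and drop the casts, or state the convention on the prototype, e.g. `/* payload_iov is the kernel-side copy of the user iovec; only its iov_base entries are __user pointers */`. The same cast and prototype change recur in the four keyctl.c hunks (`copy_from_user_iovec`, `keyctl_instantiate_key_common`, `keyctl_instantiate_key`, `keyctl_instantiate_key_iov`); each enclosing function starts outside its hunk.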
76311 diff -urNp linux-3.1.1/security/keys/keyctl.c linux-3.1.1/security/keys/keyctl.c
76312 --- linux-3.1.1/security/keys/keyctl.c  2011-11-11 15:19:27.000000000 -0500
76313 +++ linux-3.1.1/security/keys/keyctl.c  2011-11-16 18:39:08.000000000 -0500
76314 @@ -921,7 +921,7 @@ static int keyctl_change_reqkey_auth(str
76315  /*
76316   * Copy the iovec data from userspace
76317   */
76318 -static long copy_from_user_iovec(void *buffer, const struct iovec *iov,
76319 +static long copy_from_user_iovec(void *buffer, const struct iovec __user *iov,
76320                                  unsigned ioc)
76321  {
76322         for (; ioc > 0; ioc--) {
76323 @@ -943,7 +943,7 @@ static long copy_from_user_iovec(void *b
76324   * If successful, 0 will be returned.
76325   */
76326  long keyctl_instantiate_key_common(key_serial_t id,
76327 -                                  const struct iovec *payload_iov,
76328 +                                  const struct iovec __user *payload_iov,
76329                                    unsigned ioc,
76330                                    size_t plen,
76331                                    key_serial_t ringid)
76332 @@ -1038,7 +1038,7 @@ long keyctl_instantiate_key(key_serial_t
76333                         [0].iov_len  = plen
76334                 };
76335  
76336 -               return keyctl_instantiate_key_common(id, iov, 1, plen, ringid);
76337 +               return keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, 1, plen, ringid);
76338         }
76339  
76340         return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid);
76341 @@ -1071,7 +1071,7 @@ long keyctl_instantiate_key_iov(key_seri
76342         if (ret == 0)
76343                 goto no_payload_free;
76344  
76345 -       ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
76346 +       ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
76347  
76348         if (iov != iovstack)
76349                 kfree(iov);
76350 diff -urNp linux-3.1.1/security/keys/keyring.c linux-3.1.1/security/keys/keyring.c
76351 --- linux-3.1.1/security/keys/keyring.c 2011-11-11 15:19:27.000000000 -0500
76352 +++ linux-3.1.1/security/keys/keyring.c 2011-11-16 18:39:08.000000000 -0500
76353 @@ -214,15 +214,15 @@ static long keyring_read(const struct ke
76354                         ret = -EFAULT;
76355  
76356                         for (loop = 0; loop < klist->nkeys; loop++) {
76357 +                               key_serial_t serial;
76358                                 key = klist->keys[loop];
76359 +                               serial = key->serial;
76360  
76361                                 tmp = sizeof(key_serial_t);
76362                                 if (tmp > buflen)
76363                                         tmp = buflen;
76364  
76365 -                               if (copy_to_user(buffer,
76366 -                                                &key->serial,
76367 -                                                tmp) != 0)
76368 +                               if (copy_to_user(buffer, &serial, tmp))
76369                                         goto error;
76370  
76371                                 buflen -= tmp;
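Review bot: The new stack copy `serial = key->serial;` carries no comment saying why `copy_to_user()` no longer reads `key->serial` in place, and the reason is not visible in the hunk, so a later reader will take it for a redundant temporary and fold it back. If the intent is, as it appears, to copy from a plain stack variable rather than from a field inside the slab-allocated `struct key` (so a heap-object copy check never sees a partial slab object), say so at the declaration: `key_serial_t serial; /* copy via a stack local so copy_to_user() reads a whole stack object, not a field of the slab-allocated key */`. Note that `tmp` may be smaller than `sizeof(key_serial_t)` on a short `buflen`, so a truncated serial can still be written — pre-existing, but worth a word in the same comment. `keyring_read()` starts outside the hunk.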
76372 diff -urNp linux-3.1.1/security/min_addr.c linux-3.1.1/security/min_addr.c
76373 --- linux-3.1.1/security/min_addr.c     2011-11-11 15:19:27.000000000 -0500
76374 +++ linux-3.1.1/security/min_addr.c     2011-11-16 18:40:44.000000000 -0500
76375 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
76376   */
76377  static void update_mmap_min_addr(void)
76378  {
76379 +#ifndef SPARC
76380  #ifdef CONFIG_LSM_MMAP_MIN_ADDR
76381         if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
76382                 mmap_min_addr = dac_mmap_min_addr;
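Review bot: `#ifndef SPARC` tests a bare `SPARC` macro, and nothing in this chunk defines it; the kernel's architecture switches are `CONFIG_SPARC`/`CONFIG_SPARC32`, and the compiler only predefines `__sparc__`. Unless `SPARC` is defined somewhere else in the tree, the guard is true on every architecture and the entire body of `update_mmap_min_addr()` compiles out, so `mmap_min_addr` would never follow the `vm.mmap_min_addr` sysctl — the opposite of a SPARC-only exclusion. Suggest `#ifndef CONFIG_SPARC` here, with the matching `#endif` in the next hunk (@@ -22), plus a comment stating why SPARC is excluded, e.g. `/* CONFIG_SPARC: <reason the arch must not track the sysctl> */`, since the rationale is not visible in either hunk.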
76383 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
76384  #else
76385         mmap_min_addr = dac_mmap_min_addr;
76386  #endif
76387 +#endif
76388  }
76389  
76390  /*
76391 diff -urNp linux-3.1.1/security/security.c linux-3.1.1/security/security.c
76392 --- linux-3.1.1/security/security.c     2011-11-11 15:19:27.000000000 -0500
76393 +++ linux-3.1.1/security/security.c     2011-11-16 18:40:44.000000000 -0500
76394 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
76395  /* things that live in capability.c */
76396  extern void __init security_fixup_ops(struct security_operations *ops);
76397  
76398 -static struct security_operations *security_ops;
76399 -static struct security_operations default_security_ops = {
76400 +static struct security_operations *security_ops __read_only;
76401 +static struct security_operations default_security_ops __read_only = {
76402         .name   = "default",
76403  };
76404  
76405 @@ -67,7 +67,9 @@ int __init security_init(void)
76406  
76407  void reset_security_ops(void)
76408  {
76409 +       pax_open_kernel();
76410         security_ops = &default_security_ops;
76411 +       pax_close_kernel();
76412  }
76413  
76414  /* Save user chosen LSM */
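Review bot: With `security_ops` now `__read_only` (previous hunk), every later store to it must be bracketed like the one in `reset_security_ops()`, and the other writers — `security_init()` and `register_security()` — are not in this diff. If those only run during init the section is presumably still writable then, but that assumption should be recorded at the declaration: `/* __read_only: assigned during init and, after that, only inside pax_open_kernel() windows (see reset_security_ops) */`. The bracket itself wants a one-liner so nobody removes it as noise, e.g. `pax_open_kernel(); /* security_ops is __read_only; open a write window for this single store */`. Please confirm `register_security()` is not reachable after init; otherwise it needs the same bracket.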
76415 diff -urNp linux-3.1.1/security/selinux/hooks.c linux-3.1.1/security/selinux/hooks.c
76416 --- linux-3.1.1/security/selinux/hooks.c        2011-11-11 15:19:27.000000000 -0500
76417 +++ linux-3.1.1/security/selinux/hooks.c        2011-11-16 18:40:44.000000000 -0500
76418 @@ -93,7 +93,6 @@
76419  #define NUM_SEL_MNT_OPTS 5
76420  
76421  extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
76422 -extern struct security_operations *security_ops;
76423  
76424  /* SECMARK reference count */
76425  atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
76426 @@ -5455,7 +5454,7 @@ static int selinux_key_getsecurity(struc
76427  
76428  #endif
76429  
76430 -static struct security_operations selinux_ops = {
76431 +static struct security_operations selinux_ops __read_only = {
76432         .name =                         "selinux",
76433  
76434         .ptrace_access_check =          selinux_ptrace_access_check,
76435 diff -urNp linux-3.1.1/security/selinux/include/xfrm.h linux-3.1.1/security/selinux/include/xfrm.h
76436 --- linux-3.1.1/security/selinux/include/xfrm.h 2011-11-11 15:19:27.000000000 -0500
76437 +++ linux-3.1.1/security/selinux/include/xfrm.h 2011-11-16 18:39:08.000000000 -0500
76438 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
76439  
76440  static inline void selinux_xfrm_notify_policyload(void)
76441  {
76442 -       atomic_inc(&flow_cache_genid);
76443 +       atomic_inc_unchecked(&flow_cache_genid);
76444  }
76445  #else
76446  static inline int selinux_xfrm_enabled(void)
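Review bot: `atomic_inc_unchecked()` only compiles if `flow_cache_genid` is declared as the matching unchecked atomic type in the networking code, which is outside this file, so this hunk depends on a change it does not show; a cross-reference comment would protect it against a later revert on the other side. The semantic point is also undocumented: a generation id is meant to wrap, so exempting it from the PAX_REFCOUNT overflow check is deliberate rather than an oversight. Suggest `atomic_inc_unchecked(&flow_cache_genid); /* genid is a wrapping generation counter, not a refcount: intentionally exempt from PAX_REFCOUNT */`.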
76447 diff -urNp linux-3.1.1/security/selinux/ss/services.c linux-3.1.1/security/selinux/ss/services.c
76448 --- linux-3.1.1/security/selinux/ss/services.c  2011-11-11 15:19:27.000000000 -0500
76449 +++ linux-3.1.1/security/selinux/ss/services.c  2011-11-16 18:40:44.000000000 -0500
76450 @@ -1814,6 +1814,8 @@ int security_load_policy(void *data, siz
76451         int rc = 0;
76452         struct policy_file file = { data, len }, *fp = &file;
76453  
76454 +       pax_track_stack();
76455 +
76456         if (!ss_initialized) {
76457                 avtab_cache_init();
76458                 rc = policydb_read(&policydb, fp);
76459 diff -urNp linux-3.1.1/security/smack/smack_lsm.c linux-3.1.1/security/smack/smack_lsm.c
76460 --- linux-3.1.1/security/smack/smack_lsm.c      2011-11-11 15:19:27.000000000 -0500
76461 +++ linux-3.1.1/security/smack/smack_lsm.c      2011-11-16 18:39:08.000000000 -0500
76462 @@ -3393,7 +3393,7 @@ static int smack_inode_getsecctx(struct 
76463         return 0;
76464  }
76465  
76466 -struct security_operations smack_ops = {
76467 +struct security_operations smack_ops __read_only = {
76468         .name =                         "smack",
76469  
76470         .ptrace_access_check =          smack_ptrace_access_check,
76471 diff -urNp linux-3.1.1/security/tomoyo/tomoyo.c linux-3.1.1/security/tomoyo/tomoyo.c
76472 --- linux-3.1.1/security/tomoyo/tomoyo.c        2011-11-11 15:19:27.000000000 -0500
76473 +++ linux-3.1.1/security/tomoyo/tomoyo.c        2011-11-16 18:39:08.000000000 -0500
76474 @@ -446,7 +446,7 @@ static int tomoyo_sb_pivotroot(struct pa
76475   * tomoyo_security_ops is a "struct security_operations" which is used for
76476   * registering TOMOYO.
76477   */
76478 -static struct security_operations tomoyo_security_ops = {
76479 +static struct security_operations tomoyo_security_ops __read_only = {
76480         .name                = "tomoyo",
76481         .cred_alloc_blank    = tomoyo_cred_alloc_blank,
76482         .cred_prepare        = tomoyo_cred_prepare,
76483 diff -urNp linux-3.1.1/sound/aoa/codecs/onyx.c linux-3.1.1/sound/aoa/codecs/onyx.c
76484 --- linux-3.1.1/sound/aoa/codecs/onyx.c 2011-11-11 15:19:27.000000000 -0500
76485 +++ linux-3.1.1/sound/aoa/codecs/onyx.c 2011-11-16 18:39:08.000000000 -0500
76486 @@ -54,7 +54,7 @@ struct onyx {
76487                                 spdif_locked:1,
76488                                 analog_locked:1,
76489                                 original_mute:2;
76490 -       int                     open_count;
76491 +       local_t                 open_count;
76492         struct codec_info       *codec_info;
76493  
76494         /* mutex serializes concurrent access to the device
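Review bot: `open_count` becomes a `local_t` while every access in the open/close hunks stays under `onyx->mutex`, so the change is not about concurrency, and nothing says what it is about; a reader seeing an atomic under a mutex will "simplify" it back to `int`. If the goal is to bring the counter under the reference-counter overflow detection this patch adds (PAX_REFCOUNT covers "various kinds of object reference counters", which presumably includes local_t ops, while a plain `int` is not covered), put that on the field: `local_t open_count; /* local_t rather than int so PAX_REFCOUNT covers this counter; still serialized by ->mutex */`. The same uncommented conversion is made in sound/drivers/mts64.c. In sound/drivers/portman2x4.c only the field type and the `<asm/local.h>` include change and no use of the field is touched, so either it is unused there (then delete it) or remaining `int` uses elsewhere in that file need the same treatment.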
76495 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
76496         struct onyx *onyx = cii->codec_data;
76497  
76498         mutex_lock(&onyx->mutex);
76499 -       onyx->open_count++;
76500 +       local_inc(&onyx->open_count);
76501         mutex_unlock(&onyx->mutex);
76502  
76503         return 0;
76504 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
76505         struct onyx *onyx = cii->codec_data;
76506  
76507         mutex_lock(&onyx->mutex);
76508 -       onyx->open_count--;
76509 -       if (!onyx->open_count)
76510 +       if (local_dec_and_test(&onyx->open_count))
76511                 onyx->spdif_locked = onyx->analog_locked = 0;
76512         mutex_unlock(&onyx->mutex);
76513  
76514 diff -urNp linux-3.1.1/sound/aoa/codecs/onyx.h linux-3.1.1/sound/aoa/codecs/onyx.h
76515 --- linux-3.1.1/sound/aoa/codecs/onyx.h 2011-11-11 15:19:27.000000000 -0500
76516 +++ linux-3.1.1/sound/aoa/codecs/onyx.h 2011-11-16 18:39:08.000000000 -0500
76517 @@ -11,6 +11,7 @@
76518  #include <linux/i2c.h>
76519  #include <asm/pmac_low_i2c.h>
76520  #include <asm/prom.h>
76521 +#include <asm/local.h>
76522  
76523  /* PCM3052 register definitions */
76524  
76525 diff -urNp linux-3.1.1/sound/core/oss/pcm_oss.c linux-3.1.1/sound/core/oss/pcm_oss.c
76526 --- linux-3.1.1/sound/core/oss/pcm_oss.c        2011-11-11 15:19:27.000000000 -0500
76527 +++ linux-3.1.1/sound/core/oss/pcm_oss.c        2011-11-16 18:39:08.000000000 -0500
76528 @@ -1189,10 +1189,10 @@ snd_pcm_sframes_t snd_pcm_oss_write3(str
76529                 if (in_kernel) {
76530                         mm_segment_t fs;
76531                         fs = snd_enter_user();
76532 -                       ret = snd_pcm_lib_write(substream, (void __force __user *)ptr, frames);
76533 +                       ret = snd_pcm_lib_write(substream, (void __force_user *)ptr, frames);
76534                         snd_leave_user(fs);
76535                 } else {
76536 -                       ret = snd_pcm_lib_write(substream, (void __force __user *)ptr, frames);
76537 +                       ret = snd_pcm_lib_write(substream, (void __force_user *)ptr, frames);
76538                 }
76539                 if (ret != -EPIPE && ret != -ESTRPIPE)
76540                         break;
76541 @@ -1234,10 +1234,10 @@ snd_pcm_sframes_t snd_pcm_oss_read3(stru
76542                 if (in_kernel) {
76543                         mm_segment_t fs;
76544                         fs = snd_enter_user();
76545 -                       ret = snd_pcm_lib_read(substream, (void __force __user *)ptr, frames);
76546 +                       ret = snd_pcm_lib_read(substream, (void __force_user *)ptr, frames);
76547                         snd_leave_user(fs);
76548                 } else {
76549 -                       ret = snd_pcm_lib_read(substream, (void __force __user *)ptr, frames);
76550 +                       ret = snd_pcm_lib_read(substream, (void __force_user *)ptr, frames);
76551                 }
76552                 if (ret == -EPIPE) {
76553                         if (runtime->status->state == SNDRV_PCM_STATE_DRAINING) {
76554 @@ -1337,7 +1337,7 @@ static ssize_t snd_pcm_oss_write2(struct
76555                 struct snd_pcm_plugin_channel *channels;
76556                 size_t oss_frame_bytes = (runtime->oss.plugin_first->src_width * runtime->oss.plugin_first->src_format.channels) / 8;
76557                 if (!in_kernel) {
76558 -                       if (copy_from_user(runtime->oss.buffer, (const char __force __user *)buf, bytes))
76559 +                       if (copy_from_user(runtime->oss.buffer, (const char __force_user *)buf, bytes))
76560                                 return -EFAULT;
76561                         buf = runtime->oss.buffer;
76562                 }
76563 @@ -1407,7 +1407,7 @@ static ssize_t snd_pcm_oss_write1(struct
76564                         }
76565                 } else {
76566                         tmp = snd_pcm_oss_write2(substream,
76567 -                                                (const char __force *)buf,
76568 +                                                (const char __force_kernel *)buf,
76569                                                  runtime->oss.period_bytes, 0);
76570                         if (tmp <= 0)
76571                                 goto err;
76572 @@ -1433,7 +1433,7 @@ static ssize_t snd_pcm_oss_read2(struct 
76573         struct snd_pcm_runtime *runtime = substream->runtime;
76574         snd_pcm_sframes_t frames, frames1;
76575  #ifdef CONFIG_SND_PCM_OSS_PLUGINS
76576 -       char __user *final_dst = (char __force __user *)buf;
76577 +       char __user *final_dst = (char __force_user *)buf;
76578         if (runtime->oss.plugin_first) {
76579                 struct snd_pcm_plugin_channel *channels;
76580                 size_t oss_frame_bytes = (runtime->oss.plugin_last->dst_width * runtime->oss.plugin_last->dst_format.channels) / 8;
76581 @@ -1495,7 +1495,7 @@ static ssize_t snd_pcm_oss_read1(struct 
76582                         xfer += tmp;
76583                         runtime->oss.buffer_used -= tmp;
76584                 } else {
76585 -                       tmp = snd_pcm_oss_read2(substream, (char __force *)buf,
76586 +                       tmp = snd_pcm_oss_read2(substream, (char __force_kernel *)buf,
76587                                                 runtime->oss.period_bytes, 0);
76588                         if (tmp <= 0)
76589                                 goto err;
76590 @@ -1663,7 +1663,7 @@ static int snd_pcm_oss_sync(struct snd_p
76591                                                                    size1);
76592                                         size1 /= runtime->channels; /* frames */
76593                                         fs = snd_enter_user();
76594 -                                       snd_pcm_lib_write(substream, (void __force __user *)runtime->oss.buffer, size1);
76595 +                                       snd_pcm_lib_write(substream, (void __force_user *)runtime->oss.buffer, size1);
76596                                         snd_leave_user(fs);
76597                                 }
76598                         } else if (runtime->access == SNDRV_PCM_ACCESS_RW_NONINTERLEAVED) {
76599 diff -urNp linux-3.1.1/sound/core/pcm_compat.c linux-3.1.1/sound/core/pcm_compat.c
76600 --- linux-3.1.1/sound/core/pcm_compat.c 2011-11-11 15:19:27.000000000 -0500
76601 +++ linux-3.1.1/sound/core/pcm_compat.c 2011-11-16 18:39:08.000000000 -0500
76602 @@ -31,7 +31,7 @@ static int snd_pcm_ioctl_delay_compat(st
76603         int err;
76604  
76605         fs = snd_enter_user();
76606 -       err = snd_pcm_delay(substream, &delay);
76607 +       err = snd_pcm_delay(substream, (snd_pcm_sframes_t __force_user *)&delay);
76608         snd_leave_user(fs);
76609         if (err < 0)
76610                 return err;
76611 diff -urNp linux-3.1.1/sound/core/pcm_native.c linux-3.1.1/sound/core/pcm_native.c
76612 --- linux-3.1.1/sound/core/pcm_native.c 2011-11-11 15:19:27.000000000 -0500
76613 +++ linux-3.1.1/sound/core/pcm_native.c 2011-11-16 18:39:08.000000000 -0500
76614 @@ -2770,11 +2770,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_
76615         switch (substream->stream) {
76616         case SNDRV_PCM_STREAM_PLAYBACK:
76617                 result = snd_pcm_playback_ioctl1(NULL, substream, cmd,
76618 -                                                (void __user *)arg);
76619 +                                                (void __force_user *)arg);
76620                 break;
76621         case SNDRV_PCM_STREAM_CAPTURE:
76622                 result = snd_pcm_capture_ioctl1(NULL, substream, cmd,
76623 -                                               (void __user *)arg);
76624 +                                               (void __force_user *)arg);
76625                 break;
76626         default:
76627                 result = -EINVAL;
76628 diff -urNp linux-3.1.1/sound/core/seq/seq_device.c linux-3.1.1/sound/core/seq/seq_device.c
76629 --- linux-3.1.1/sound/core/seq/seq_device.c     2011-11-11 15:19:27.000000000 -0500
76630 +++ linux-3.1.1/sound/core/seq/seq_device.c     2011-11-16 18:39:08.000000000 -0500
76631 @@ -63,7 +63,7 @@ struct ops_list {
76632         int argsize;            /* argument size */
76633  
76634         /* operators */
76635 -       struct snd_seq_dev_ops ops;
76636 +       struct snd_seq_dev_ops *ops;
76637  
76638         /* registred devices */
76639         struct list_head dev_list;      /* list of devices */
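Review bot: Turning `ops` from an embedded `struct snd_seq_dev_ops` into a pointer changes the contract of `snd_seq_device_register_driver()`: the next hunk stores `ops->ops = entry;` where the old code copied the contents, so the caller's table must now outlive the registration, and a driver that passed a temporary or stack-allocated table leaves a dangling pointer that `init_device()`/`free_device()` dereference later. That should be stated where the pointer is taken, e.g. `ops->ops = entry; /* not copied: entry must stay valid until the driver is unregistered */`, and the pointer should be cleared on unregister, which is outside these hunks. The presumable purpose is to let driver ops tables be `const`; recording that on the field, `struct snd_seq_dev_ops *ops; /* driver-owned table, referenced not copied */`, would keep the next maintainer from restoring the copy.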
76640 @@ -332,7 +332,7 @@ int snd_seq_device_register_driver(char 
76641  
76642         mutex_lock(&ops->reg_mutex);
76643         /* copy driver operators */
76644 -       ops->ops = *entry;
76645 +       ops->ops = entry;
76646         ops->driver |= DRIVER_LOADED;
76647         ops->argsize = argsize;
76648  
76649 @@ -462,7 +462,7 @@ static int init_device(struct snd_seq_de
76650                            dev->name, ops->id, ops->argsize, dev->argsize);
76651                 return -EINVAL;
76652         }
76653 -       if (ops->ops.init_device(dev) >= 0) {
76654 +       if (ops->ops->init_device(dev) >= 0) {
76655                 dev->status = SNDRV_SEQ_DEVICE_REGISTERED;
76656                 ops->num_init_devices++;
76657         } else {
76658 @@ -489,7 +489,7 @@ static int free_device(struct snd_seq_de
76659                            dev->name, ops->id, ops->argsize, dev->argsize);
76660                 return -EINVAL;
76661         }
76662 -       if ((result = ops->ops.free_device(dev)) >= 0 || result == -ENXIO) {
76663 +       if ((result = ops->ops->free_device(dev)) >= 0 || result == -ENXIO) {
76664                 dev->status = SNDRV_SEQ_DEVICE_FREE;
76665                 dev->driver_data = NULL;
76666                 ops->num_init_devices--;
76667 diff -urNp linux-3.1.1/sound/drivers/mts64.c linux-3.1.1/sound/drivers/mts64.c
76668 --- linux-3.1.1/sound/drivers/mts64.c   2011-11-11 15:19:27.000000000 -0500
76669 +++ linux-3.1.1/sound/drivers/mts64.c   2011-11-16 18:39:08.000000000 -0500
76670 @@ -28,6 +28,7 @@
76671  #include <sound/initval.h>
76672  #include <sound/rawmidi.h>
76673  #include <sound/control.h>
76674 +#include <asm/local.h>
76675  
76676  #define CARD_NAME "Miditerminal 4140"
76677  #define DRIVER_NAME "MTS64"
76678 @@ -66,7 +67,7 @@ struct mts64 {
76679         struct pardevice *pardev;
76680         int pardev_claimed;
76681  
76682 -       int open_count;
76683 +       local_t open_count;
76684         int current_midi_output_port;
76685         int current_midi_input_port;
76686         u8 mode[MTS64_NUM_INPUT_PORTS];
76687 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
76688  {
76689         struct mts64 *mts = substream->rmidi->private_data;
76690  
76691 -       if (mts->open_count == 0) {
76692 +       if (local_read(&mts->open_count) == 0) {
76693                 /* We don't need a spinlock here, because this is just called 
76694                    if the device has not been opened before. 
76695                    So there aren't any IRQs from the device */
76696 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
76697  
76698                 msleep(50);
76699         }
76700 -       ++(mts->open_count);
76701 +       local_inc(&mts->open_count);
76702  
76703         return 0;
76704  }
76705 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
76706         struct mts64 *mts = substream->rmidi->private_data;
76707         unsigned long flags;
76708  
76709 -       --(mts->open_count);
76710 -       if (mts->open_count == 0) {
76711 +       if (local_dec_return(&mts->open_count) == 0) {
76712                 /* We need the spinlock_irqsave here because we can still
76713                    have IRQs at this point */
76714                 spin_lock_irqsave(&mts->lock, flags);
76715 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
76716  
76717                 msleep(500);
76718  
76719 -       } else if (mts->open_count < 0)
76720 -               mts->open_count = 0;
76721 +       } else if (local_read(&mts->open_count) < 0)
76722 +               local_set(&mts->open_count, 0);
76723  
76724         return 0;
76725  }
76726 diff -urNp linux-3.1.1/sound/drivers/opl4/opl4_lib.c linux-3.1.1/sound/drivers/opl4/opl4_lib.c
76727 --- linux-3.1.1/sound/drivers/opl4/opl4_lib.c   2011-11-11 15:19:27.000000000 -0500
76728 +++ linux-3.1.1/sound/drivers/opl4/opl4_lib.c   2011-11-16 18:39:08.000000000 -0500
76729 @@ -28,7 +28,7 @@ MODULE_AUTHOR("Clemens Ladisch <clemens@
76730  MODULE_DESCRIPTION("OPL4 driver");
76731  MODULE_LICENSE("GPL");
76732  
76733 -static void inline snd_opl4_wait(struct snd_opl4 *opl4)
76734 +static inline void snd_opl4_wait(struct snd_opl4 *opl4)
76735  {
76736         int timeout = 10;
76737         while ((inb(opl4->fm_port) & OPL4_STATUS_BUSY) && --timeout > 0)
76738 diff -urNp linux-3.1.1/sound/drivers/portman2x4.c linux-3.1.1/sound/drivers/portman2x4.c
76739 --- linux-3.1.1/sound/drivers/portman2x4.c      2011-11-11 15:19:27.000000000 -0500
76740 +++ linux-3.1.1/sound/drivers/portman2x4.c      2011-11-16 18:39:08.000000000 -0500
76741 @@ -47,6 +47,7 @@
76742  #include <sound/initval.h>
76743  #include <sound/rawmidi.h>
76744  #include <sound/control.h>
76745 +#include <asm/local.h>
76746  
76747  #define CARD_NAME "Portman 2x4"
76748  #define DRIVER_NAME "portman"
76749 @@ -84,7 +85,7 @@ struct portman {
76750         struct pardevice *pardev;
76751         int pardev_claimed;
76752  
76753 -       int open_count;
76754 +       local_t open_count;
76755         int mode[PORTMAN_NUM_INPUT_PORTS];
76756         struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
76757  };
76758 diff -urNp linux-3.1.1/sound/firewire/amdtp.c linux-3.1.1/sound/firewire/amdtp.c
76759 --- linux-3.1.1/sound/firewire/amdtp.c  2011-11-11 15:19:27.000000000 -0500
76760 +++ linux-3.1.1/sound/firewire/amdtp.c  2011-11-16 18:39:08.000000000 -0500
76761 @@ -371,7 +371,7 @@ static void queue_out_packet(struct amdt
76762                 ptr = s->pcm_buffer_pointer + data_blocks;
76763                 if (ptr >= pcm->runtime->buffer_size)
76764                         ptr -= pcm->runtime->buffer_size;
76765 -               ACCESS_ONCE(s->pcm_buffer_pointer) = ptr;
76766 +               ACCESS_ONCE_RW(s->pcm_buffer_pointer) = ptr;
76767  
76768                 s->pcm_period_pointer += data_blocks;
76769                 if (s->pcm_period_pointer >= pcm->runtime->period_size) {
76770 @@ -511,7 +511,7 @@ EXPORT_SYMBOL(amdtp_out_stream_start);
76771   */
76772  void amdtp_out_stream_update(struct amdtp_out_stream *s)
76773  {
76774 -       ACCESS_ONCE(s->source_node_id_field) =
76775 +       ACCESS_ONCE_RW(s->source_node_id_field) =
76776                 (fw_parent_device(s->unit)->card->node_id & 0x3f) << 24;
76777  }
76778  EXPORT_SYMBOL(amdtp_out_stream_update);
76779 diff -urNp linux-3.1.1/sound/firewire/amdtp.h linux-3.1.1/sound/firewire/amdtp.h
76780 --- linux-3.1.1/sound/firewire/amdtp.h  2011-11-11 15:19:27.000000000 -0500
76781 +++ linux-3.1.1/sound/firewire/amdtp.h  2011-11-16 18:39:08.000000000 -0500
76782 @@ -146,7 +146,7 @@ static inline void amdtp_out_stream_pcm_
76783  static inline void amdtp_out_stream_pcm_trigger(struct amdtp_out_stream *s,
76784                                                 struct snd_pcm_substream *pcm)
76785  {
76786 -       ACCESS_ONCE(s->pcm) = pcm;
76787 +       ACCESS_ONCE_RW(s->pcm) = pcm;
76788  }
76789  
76790  /**
76791 diff -urNp linux-3.1.1/sound/firewire/isight.c linux-3.1.1/sound/firewire/isight.c
76792 --- linux-3.1.1/sound/firewire/isight.c 2011-11-11 15:19:27.000000000 -0500
76793 +++ linux-3.1.1/sound/firewire/isight.c 2011-11-16 18:39:08.000000000 -0500
76794 @@ -97,7 +97,7 @@ static void isight_update_pointers(struc
76795         ptr += count;
76796         if (ptr >= runtime->buffer_size)
76797                 ptr -= runtime->buffer_size;
76798 -       ACCESS_ONCE(isight->buffer_pointer) = ptr;
76799 +       ACCESS_ONCE_RW(isight->buffer_pointer) = ptr;
76800  
76801         isight->period_counter += count;
76802         if (isight->period_counter >= runtime->period_size) {
76803 @@ -308,7 +308,7 @@ static int isight_hw_params(struct snd_p
76804         if (err < 0)
76805                 return err;
76806  
76807 -       ACCESS_ONCE(isight->pcm_active) = true;
76808 +       ACCESS_ONCE_RW(isight->pcm_active) = true;
76809  
76810         return 0;
76811  }
76812 @@ -341,7 +341,7 @@ static int isight_hw_free(struct snd_pcm
76813  {
76814         struct isight *isight = substream->private_data;
76815  
76816 -       ACCESS_ONCE(isight->pcm_active) = false;
76817 +       ACCESS_ONCE_RW(isight->pcm_active) = false;
76818  
76819         mutex_lock(&isight->mutex);
76820         isight_stop_streaming(isight);
76821 @@ -434,10 +434,10 @@ static int isight_trigger(struct snd_pcm
76822  
76823         switch (cmd) {
76824         case SNDRV_PCM_TRIGGER_START:
76825 -               ACCESS_ONCE(isight->pcm_running) = true;
76826 +               ACCESS_ONCE_RW(isight->pcm_running) = true;
76827                 break;
76828         case SNDRV_PCM_TRIGGER_STOP:
76829 -               ACCESS_ONCE(isight->pcm_running) = false;
76830 +               ACCESS_ONCE_RW(isight->pcm_running) = false;
76831                 break;
76832         default:
76833                 return -EINVAL;
76834 diff -urNp linux-3.1.1/sound/isa/cmi8330.c linux-3.1.1/sound/isa/cmi8330.c
76835 --- linux-3.1.1/sound/isa/cmi8330.c     2011-11-11 15:19:27.000000000 -0500
76836 +++ linux-3.1.1/sound/isa/cmi8330.c     2011-11-16 18:39:08.000000000 -0500
76837 @@ -172,7 +172,7 @@ struct snd_cmi8330 {
76838  
76839         struct snd_pcm *pcm;
76840         struct snd_cmi8330_stream {
76841 -               struct snd_pcm_ops ops;
76842 +               snd_pcm_ops_no_const ops;
76843                 snd_pcm_open_callback_t open;
76844                 void *private_data; /* sb or wss */
76845         } streams[2];
76846 diff -urNp linux-3.1.1/sound/oss/sb_audio.c linux-3.1.1/sound/oss/sb_audio.c
76847 --- linux-3.1.1/sound/oss/sb_audio.c    2011-11-11 15:19:27.000000000 -0500
76848 +++ linux-3.1.1/sound/oss/sb_audio.c    2011-11-16 18:39:08.000000000 -0500
76849 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
76850                 buf16 = (signed short *)(localbuf + localoffs);
76851                 while (c)
76852                 {
76853 -                       locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
76854 +                       locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
76855                         if (copy_from_user(lbuf8,
76856                                            userbuf+useroffs + p,
76857                                            locallen))
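Review bot: The `(unsigned)c` cast changes what happens when `c` is negative instead of ruling it out: before, a negative `c` became a negative `locallen` and a huge `copy_from_user()` length that fails loudly; after it, `locallen` silently becomes `LBUFCOPYSIZE` while `while (c)` keeps iterating on a negative count that the loop's decrement (presumably `c -= locallen`, outside the hunk) never brings to zero. If the aim is only to silence a signed/unsigned comparison warning, `locallen = min_t(int, c, LBUFCOPYSIZE);` says so without changing semantics; if `c` really can go negative, the loop head should be `while (c > 0)` and the callers' length arithmetic should be validated before the loop. Either way the line needs a comment explaining which case applies; `sb16_copy_from_user()` starts outside the hunk.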
76858 diff -urNp linux-3.1.1/sound/oss/swarm_cs4297a.c linux-3.1.1/sound/oss/swarm_cs4297a.c
76859 --- linux-3.1.1/sound/oss/swarm_cs4297a.c       2011-11-11 15:19:27.000000000 -0500
76860 +++ linux-3.1.1/sound/oss/swarm_cs4297a.c       2011-11-16 18:39:08.000000000 -0500
76861 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
76862  {
76863         struct cs4297a_state *s;
76864         u32 pwr, id;
76865 -       mm_segment_t fs;
76866         int rval;
76867  #ifndef CONFIG_BCM_CS4297A_CSWARM
76868         u64 cfg;
76869 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
76870          if (!rval) {
76871                 char *sb1250_duart_present;
76872  
76873 +#if 0
76874 +                mm_segment_t fs;
76875                  fs = get_fs();
76876                  set_fs(KERNEL_DS);
76877 -#if 0
76878                  val = SOUND_MASK_LINE;
76879                  mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
76880                  for (i = 0; i < ARRAY_SIZE(initvol); i++) {
76881                          val = initvol[i].vol;
76882                          mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
76883                  }
76884 +                set_fs(fs);
76885  //                cs4297a_write_ac97(s, 0x18, 0x0808);
76886  #else
76887                  //                cs4297a_write_ac97(s, 0x5e, 0x180);
76888                  cs4297a_write_ac97(s, 0x02, 0x0808);
76889                  cs4297a_write_ac97(s, 0x18, 0x0808);
76890  #endif
76891 -                set_fs(fs);
76892  
76893                  list_add(&s->list, &cs4297a_devs);
76894  
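Review bot: Moving `get_fs()`/`set_fs(KERNEL_DS)` and the restoring `set_fs(fs)` into the `#if 0` block means the live `#else` path no longer runs with the address limit raised to KERNEL_DS, which is the right direction, since a raised limit disables the user/kernel pointer checks for every copy made in between; the hunk gives no evidence that `cs4297a_write_ac97()` never performs a user access, though, so that should be confirmed and recorded, e.g. `/* no set_fs(): cs4297a_write_ac97() touches only device registers */`. The dead `#if 0` block now also declares `mm_segment_t fs` next to references to `val`, `i` and `initvol`, none of which are declared in the visible part of cs4297a_init(); the function starts outside the hunk, and if those names no longer exist the block is better deleted than carried along. The earlier hunk at line 2606 is the matching removal of the function-scope `fs`.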
76895 diff -urNp linux-3.1.1/sound/pci/hda/hda_codec.h linux-3.1.1/sound/pci/hda/hda_codec.h
76896 --- linux-3.1.1/sound/pci/hda/hda_codec.h       2011-11-11 15:19:27.000000000 -0500
76897 +++ linux-3.1.1/sound/pci/hda/hda_codec.h       2011-11-16 18:39:08.000000000 -0500
76898 @@ -611,7 +611,7 @@ struct hda_bus_ops {
76899         /* notify power-up/down from codec to controller */
76900         void (*pm_notify)(struct hda_bus *bus);
76901  #endif
76902 -};
76903 +} __no_const;
76904  
76905  /* template to pass to the bus constructor */
76906  struct hda_bus_template {
76907 @@ -713,6 +713,7 @@ struct hda_codec_ops {
76908  #endif
76909         void (*reboot_notify)(struct hda_codec *codec);
76910  };
76911 +typedef struct hda_codec_ops __no_const hda_codec_ops_no_const;
76912  
76913  /* record for amp information cache */
76914  struct hda_cache_head {
76915 @@ -743,7 +744,7 @@ struct hda_pcm_ops {
76916                        struct snd_pcm_substream *substream);
76917         int (*cleanup)(struct hda_pcm_stream *info, struct hda_codec *codec,
76918                        struct snd_pcm_substream *substream);
76919 -};
76920 +} __no_const;
76921  
76922  /* PCM information for each substream */
76923  struct hda_pcm_stream {
76924 @@ -801,7 +802,7 @@ struct hda_codec {
76925         const char *modelname;  /* model name for preset */
76926  
76927         /* set by patch */
76928 -       struct hda_codec_ops patch_ops;
76929 +       hda_codec_ops_no_const patch_ops;
76930  
76931         /* PCM to create, set by patch_ops.build_pcms callback */
76932         unsigned int num_pcms;
76933 diff -urNp linux-3.1.1/sound/pci/ice1712/ice1712.h linux-3.1.1/sound/pci/ice1712/ice1712.h
76934 --- linux-3.1.1/sound/pci/ice1712/ice1712.h     2011-11-11 15:19:27.000000000 -0500
76935 +++ linux-3.1.1/sound/pci/ice1712/ice1712.h     2011-11-16 18:39:08.000000000 -0500
76936 @@ -269,7 +269,7 @@ struct snd_ak4xxx_private {
76937         unsigned int mask_flags;        /* total mask bits */
76938         struct snd_akm4xxx_ops {
76939                 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
76940 -       } ops;
76941 +       } __no_const ops;
76942  };
76943  
76944  struct snd_ice1712_spdif {
76945 @@ -285,7 +285,7 @@ struct snd_ice1712_spdif {
76946                 int (*default_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
76947                 void (*stream_get)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
76948                 int (*stream_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
76949 -       } ops;
76950 +       } __no_const ops;
76951  };
76952  
76953  
76954 diff -urNp linux-3.1.1/sound/pci/ymfpci/ymfpci_main.c linux-3.1.1/sound/pci/ymfpci/ymfpci_main.c
76955 --- linux-3.1.1/sound/pci/ymfpci/ymfpci_main.c  2011-11-11 15:19:27.000000000 -0500
76956 +++ linux-3.1.1/sound/pci/ymfpci/ymfpci_main.c  2011-11-16 18:39:08.000000000 -0500
76957 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
76958                 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
76959                         break;
76960         }
76961 -       if (atomic_read(&chip->interrupt_sleep_count)) {
76962 -               atomic_set(&chip->interrupt_sleep_count, 0);
76963 +       if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
76964 +               atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
76965                 wake_up(&chip->interrupt_sleep);
76966         }
76967        __end:
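Review bot: `interrupt_sleep_count` is switched to the `atomic_*_unchecked` accessors here and in the three later hunks of this file, which opts the counter out of the plugin's overflow detection; that is reasonable for a sleeper count that is reset to zero rather than used as a reference count, but the hunk carries no explanation, and the matching change of the field's type to the unchecked atomic type presumably lives in the struct definition, which is not in this section, so the two must land together. A short comment at the first use would make the intent reviewable: `/* not a refcount: reset to 0 on wake-up, so overflow checking is not needed */`. snd_ymfpci_hw_stop() starts outside the hunk.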
76968 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
76969                         continue;
76970                 init_waitqueue_entry(&wait, current);
76971                 add_wait_queue(&chip->interrupt_sleep, &wait);
76972 -               atomic_inc(&chip->interrupt_sleep_count);
76973 +               atomic_inc_unchecked(&chip->interrupt_sleep_count);
76974                 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
76975                 remove_wait_queue(&chip->interrupt_sleep, &wait);
76976         }
76977 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
76978                 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
76979                 spin_unlock(&chip->reg_lock);
76980  
76981 -               if (atomic_read(&chip->interrupt_sleep_count)) {
76982 -                       atomic_set(&chip->interrupt_sleep_count, 0);
76983 +               if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
76984 +                       atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
76985                         wake_up(&chip->interrupt_sleep);
76986                 }
76987         }
76988 @@ -2363,7 +2363,7 @@ int __devinit snd_ymfpci_create(struct s
76989         spin_lock_init(&chip->reg_lock);
76990         spin_lock_init(&chip->voice_lock);
76991         init_waitqueue_head(&chip->interrupt_sleep);
76992 -       atomic_set(&chip->interrupt_sleep_count, 0);
76993 +       atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
76994         chip->card = card;
76995         chip->pci = pci;
76996         chip->irq = -1;
76997 diff -urNp linux-3.1.1/sound/soc/soc-pcm.c linux-3.1.1/sound/soc/soc-pcm.c
76998 --- linux-3.1.1/sound/soc/soc-pcm.c     2011-11-11 15:19:27.000000000 -0500
76999 +++ linux-3.1.1/sound/soc/soc-pcm.c     2011-11-16 18:39:08.000000000 -0500
77000 @@ -568,7 +568,7 @@ static snd_pcm_uframes_t soc_pcm_pointer
77001  }
77002  
77003  /* ASoC PCM operations */
77004 -static struct snd_pcm_ops soc_pcm_ops = {
77005 +static snd_pcm_ops_no_const soc_pcm_ops = {
77006         .open           = soc_pcm_open,
77007         .close          = soc_pcm_close,
77008         .hw_params      = soc_pcm_hw_params,
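Review bot: `soc_pcm_ops` stays a file-scope, writable table of function pointers after this change: `snd_pcm_ops_no_const` exists precisely so the constify plugin leaves it mutable, presumably because fields of it are assigned at runtime elsewhere in the file. A single global function-pointer table that is writable for the lifetime of the module is exactly the kind of target the plugin is meant to remove, so a comment naming the runtime assignment would help, e.g. `/* no_const: platform callbacks are patched into this table at PCM creation */`, and longer term the per-platform callbacks could be copied into a per-runtime ops struct so this global can become const. The initializer continues past the end of the hunk.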
77009 diff -urNp linux-3.1.1/sound/usb/card.h linux-3.1.1/sound/usb/card.h
77010 --- linux-3.1.1/sound/usb/card.h        2011-11-11 15:19:27.000000000 -0500
77011 +++ linux-3.1.1/sound/usb/card.h        2011-11-16 18:39:08.000000000 -0500
77012 @@ -44,6 +44,7 @@ struct snd_urb_ops {
77013         int (*prepare_sync)(struct snd_usb_substream *subs, struct snd_pcm_runtime *runtime, struct urb *u);
77014         int (*retire_sync)(struct snd_usb_substream *subs, struct snd_pcm_runtime *runtime, struct urb *u);
77015  };
77016 +typedef struct snd_urb_ops __no_const snd_urb_ops_no_const;
77017  
77018  struct snd_usb_substream {
77019         struct snd_usb_stream *stream;
77020 @@ -93,7 +94,7 @@ struct snd_usb_substream {
77021         struct snd_pcm_hw_constraint_list rate_list;    /* limited rates */
77022         spinlock_t lock;
77023  
77024 -       struct snd_urb_ops ops;         /* callbacks (must be filled at init) */
77025 +       snd_urb_ops_no_const ops;               /* callbacks (must be filled at init) */
77026  };
77027  
77028  struct snd_usb_stream {
77029 diff -urNp linux-3.1.1/tools/gcc/checker_plugin.c linux-3.1.1/tools/gcc/checker_plugin.c
77030 --- linux-3.1.1/tools/gcc/checker_plugin.c      1969-12-31 19:00:00.000000000 -0500
77031 +++ linux-3.1.1/tools/gcc/checker_plugin.c      2011-11-16 18:39:08.000000000 -0500
77032 @@ -0,0 +1,171 @@
77033 +/*
77034 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
77035 + * Licensed under the GPL v2
77036 + *
77037 + * Note: the choice of the license means that the compilation process is
77038 + *       NOT 'eligible' as defined by gcc's library exception to the GPL v3,
77039 + *       but for the kernel it doesn't matter since it doesn't link against
77040 + *       any of the gcc libraries
77041 + *
77042 + * gcc plugin to implement various sparse (source code checker) features
77043 + *
77044 + * TODO:
77045 + * - define separate __iomem, __percpu and __rcu address spaces (lots of code to patch)
77046 + *
77047 + * BUGS:
77048 + * - none known
77049 + */
77050 +#include "gcc-plugin.h"
77051 +#include "config.h"
77052 +#include "system.h"
77053 +#include "coretypes.h"
77054 +#include "tree.h"
77055 +#include "tree-pass.h"
77056 +#include "flags.h"
77057 +#include "intl.h"
77058 +#include "toplev.h"
77059 +#include "plugin.h"
77060 +//#include "expr.h" where are you...
77061 +#include "diagnostic.h"
77062 +#include "plugin-version.h"
77063 +#include "tm.h"
77064 +#include "function.h"
77065 +#include "basic-block.h"
77066 +#include "gimple.h"
77067 +#include "rtl.h"
77068 +#include "emit-rtl.h"
77069 +#include "tree-flow.h"
77070 +#include "target.h"
77071 +
77072 +extern void c_register_addr_space (const char *str, addr_space_t as);
77073 +extern enum machine_mode default_addr_space_pointer_mode (addr_space_t);
77074 +extern enum machine_mode default_addr_space_address_mode (addr_space_t);
77075 +extern bool default_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as);
77076 +extern bool default_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as);
77077 +extern rtx default_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as);
77078 +
77079 +extern void print_gimple_stmt(FILE *, gimple, int, int);
77080 +extern rtx emit_move_insn(rtx x, rtx y);
77081 +
77082 +int plugin_is_GPL_compatible;
77083 +
77084 +static struct plugin_info checker_plugin_info = {
77085 +       .version        = "201111150100",
77086 +};
77087 +
77088 +#define ADDR_SPACE_KERNEL              0
77089 +#define ADDR_SPACE_FORCE_KERNEL                1
77090 +#define ADDR_SPACE_USER                        2
77091 +#define ADDR_SPACE_FORCE_USER          3
77092 +#define ADDR_SPACE_IOMEM               0
77093 +#define ADDR_SPACE_FORCE_IOMEM         0
77094 +#define ADDR_SPACE_PERCPU              0
77095 +#define ADDR_SPACE_FORCE_PERCPU                0
77096 +#define ADDR_SPACE_RCU                 0
77097 +#define ADDR_SPACE_FORCE_RCU           0
77098 +
77099 +static enum machine_mode checker_addr_space_pointer_mode(addr_space_t addrspace)
77100 +{
77101 +       return default_addr_space_pointer_mode(ADDR_SPACE_GENERIC);
77102 +}
77103 +
77104 +static enum machine_mode checker_addr_space_address_mode(addr_space_t addrspace)
77105 +{
77106 +       return default_addr_space_address_mode(ADDR_SPACE_GENERIC);
77107 +}
77108 +
77109 +static bool checker_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as)
77110 +{
77111 +       return default_addr_space_valid_pointer_mode(mode, as);
77112 +}
77113 +
77114 +static bool checker_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as)
77115 +{
77116 +       return default_addr_space_legitimate_address_p(mode, mem, strict, ADDR_SPACE_GENERIC);
77117 +}
77118 +
77119 +static rtx checker_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as)
77120 +{
77121 +       return default_addr_space_legitimize_address(x, oldx, mode, as);
77122 +}
77123 +
77124 +static bool checker_addr_space_subset_p(addr_space_t subset, addr_space_t superset)
77125 +{
77126 +       if (subset == ADDR_SPACE_FORCE_KERNEL && superset == ADDR_SPACE_KERNEL)
77127 +               return true;
77128 +
77129 +       if (subset == ADDR_SPACE_FORCE_USER && superset == ADDR_SPACE_USER)
77130 +               return true;
77131 +
77132 +       if (subset == ADDR_SPACE_FORCE_IOMEM && superset == ADDR_SPACE_IOMEM)
77133 +               return true;
77134 +
77135 +       if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_USER)
77136 +               return true;
77137 +
77138 +       if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_IOMEM)
77139 +               return true;
77140 +
77141 +       if (subset == ADDR_SPACE_USER && superset == ADDR_SPACE_FORCE_KERNEL)
77142 +               return true;
77143 +
77144 +       if (subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL)
77145 +               return true;
77146 +
77147 +       return subset == superset;
77148 +}
77149 +
77150 +static rtx checker_addr_space_convert(rtx op, tree from_type, tree to_type)
77151 +{
77152 +//     addr_space_t from_as = TYPE_ADDR_SPACE(TREE_TYPE(from_type));
77153 +//     addr_space_t to_as = TYPE_ADDR_SPACE(TREE_TYPE(to_type));
77154 +
77155 +       return op;
77156 +}
77157 +
77158 +static void register_checker_address_spaces(void *event_data, void *data)
77159 +{
77160 +       c_register_addr_space("__kernel", ADDR_SPACE_KERNEL);
77161 +       c_register_addr_space("__force_kernel", ADDR_SPACE_FORCE_KERNEL);
77162 +       c_register_addr_space("__user", ADDR_SPACE_USER);
77163 +       c_register_addr_space("__force_user", ADDR_SPACE_FORCE_USER);
77164 +//     c_register_addr_space("__iomem", ADDR_SPACE_IOMEM);
77165 +//     c_register_addr_space("__force_iomem", ADDR_SPACE_FORCE_IOMEM);
77166 +//     c_register_addr_space("__percpu", ADDR_SPACE_PERCPU);
77167 +//     c_register_addr_space("__force_percpu", ADDR_SPACE_FORCE_PERCPU);
77168 +//     c_register_addr_space("__rcu", ADDR_SPACE_RCU);
77169 +//     c_register_addr_space("__force_rcu", ADDR_SPACE_FORCE_RCU);
77170 +
77171 +       targetm.addr_space.pointer_mode         = checker_addr_space_pointer_mode;
77172 +       targetm.addr_space.address_mode         = checker_addr_space_address_mode;
77173 +       targetm.addr_space.valid_pointer_mode   = checker_addr_space_valid_pointer_mode;
77174 +       targetm.addr_space.legitimate_address_p = checker_addr_space_legitimate_address_p;
77175 +//     targetm.addr_space.legitimize_address   = checker_addr_space_legitimize_address;
77176 +       targetm.addr_space.subset_p             = checker_addr_space_subset_p;
77177 +       targetm.addr_space.convert              = checker_addr_space_convert;
77178 +}
77179 +
77180 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
77181 +{
77182 +       const char * const plugin_name = plugin_info->base_name;
77183 +       const int argc = plugin_info->argc;
77184 +       const struct plugin_argument * const argv = plugin_info->argv;
77185 +       int i;
77186 +
77187 +       if (!plugin_default_version_check(version, &gcc_version)) {
77188 +               error(G_("incompatible gcc/plugin versions"));
77189 +               return 1;
77190 +       }
77191 +
77192 +       register_callback(plugin_name, PLUGIN_INFO, NULL, &checker_plugin_info);
77193 +
77194 +       for (i = 0; i < argc; ++i)
77195 +               error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
77196 +
77197 +       if (TARGET_64BIT == 0)
77198 +               return 0;
77199 +
77200 +       register_callback (plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL);
77201 +
77202 +       return 0;
77203 +}
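Review bot: `plugin_init()` returns silently when `TARGET_64BIT == 0` (`if (TARGET_64BIT == 0) return 0;`), so on a 32-bit build the address-space checks are never registered and nothing tells the user the checker is inactive; emitting a diagnostic there, e.g. `warning(0, G_("checker plugin: address space checking is only enabled for 64-bit targets"));`, keeps a disabled checker from being mistaken for a clean result. The option-error message has a typo: `error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);` should read `unknown`, and the same string appears in constify_plugin.c. `checker_addr_space_valid_pointer_mode()` forwards the caller's `as` while the neighbouring hooks substitute `ADDR_SPACE_GENERIC`; if that asymmetry is intentional it deserves a comment, since the plugin's own address spaces 1–3 are unknown to the target's default hook.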
77204 diff -urNp linux-3.1.1/tools/gcc/constify_plugin.c linux-3.1.1/tools/gcc/constify_plugin.c
77205 --- linux-3.1.1/tools/gcc/constify_plugin.c     1969-12-31 19:00:00.000000000 -0500
77206 +++ linux-3.1.1/tools/gcc/constify_plugin.c     2011-11-16 18:39:08.000000000 -0500
77207 @@ -0,0 +1,303 @@
77208 +/*
77209 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
77210 + * Copyright 2011 by PaX Team <pageexec@freemail.hu>
77211 + * Licensed under the GPL v2, or (at your option) v3
77212 + *
77213 + * This gcc plugin constifies all structures which contain only function pointers or are explicitly marked for constification.
77214 + *
77215 + * Homepage:
77216 + * http://www.grsecurity.net/~ephox/const_plugin/
77217 + *
77218 + * Usage:
77219 + * $ gcc -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -o constify_plugin.so constify_plugin.c
77220 + * $ gcc -fplugin=constify_plugin.so test.c -O2
77221 + */
77222 +
77223 +#include "gcc-plugin.h"
77224 +#include "config.h"
77225 +#include "system.h"
77226 +#include "coretypes.h"
77227 +#include "tree.h"
77228 +#include "tree-pass.h"
77229 +#include "flags.h"
77230 +#include "intl.h"
77231 +#include "toplev.h"
77232 +#include "plugin.h"
77233 +#include "diagnostic.h"
77234 +#include "plugin-version.h"
77235 +#include "tm.h"
77236 +#include "function.h"
77237 +#include "basic-block.h"
77238 +#include "gimple.h"
77239 +#include "rtl.h"
77240 +#include "emit-rtl.h"
77241 +#include "tree-flow.h"
77242 +
77243 +#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
77244 +
77245 +int plugin_is_GPL_compatible;
77246 +
77247 +static struct plugin_info const_plugin_info = {
77248 +       .version        = "201111150100",
77249 +       .help           = "no-constify\tturn off constification\n",
77250 +};
77251 +
77252 +static void constify_type(tree type);
77253 +static bool walk_struct(tree node);
77254 +
77255 +static tree deconstify_type(tree old_type)
77256 +{
77257 +       tree new_type, field;
77258 +
77259 +       new_type = build_qualified_type(old_type, TYPE_QUALS(old_type) & ~TYPE_QUAL_CONST);
77260 +       TYPE_FIELDS(new_type) = copy_list(TYPE_FIELDS(new_type));
77261 +       for (field = TYPE_FIELDS(new_type); field; field = TREE_CHAIN(field))
77262 +               DECL_FIELD_CONTEXT(field) = new_type;
77263 +       TYPE_READONLY(new_type) = 0;
77264 +       C_TYPE_FIELDS_READONLY(new_type) = 0;
77265 +       return new_type;
77266 +}
77267 +
77268 +static tree handle_no_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
77269 +{
77270 +       tree type;
77271 +
77272 +       *no_add_attrs = true;
77273 +       if (TREE_CODE(*node) == FUNCTION_DECL) {
77274 +               error("%qE attribute does not apply to functions", name);
77275 +               return NULL_TREE;
77276 +       }
77277 +
77278 +       if (TREE_CODE(*node) == VAR_DECL) {
77279 +               error("%qE attribute does not apply to variables", name);
77280 +               return NULL_TREE;
77281 +       }
77282 +
77283 +       if (TYPE_P(*node)) {
77284 +               if (TREE_CODE(*node) == RECORD_TYPE || TREE_CODE(*node) == UNION_TYPE)
77285 +                       *no_add_attrs = false;
77286 +               else
77287 +                       error("%qE attribute applies to struct and union types only", name);
77288 +               return NULL_TREE;
77289 +       }
77290 +
77291 +       type = TREE_TYPE(*node);
77292 +
77293 +       if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) {
77294 +               error("%qE attribute applies to struct and union types only", name);
77295 +               return NULL_TREE;
77296 +       }
77297 +
77298 +       if (lookup_attribute(IDENTIFIER_POINTER(name), TYPE_ATTRIBUTES(type))) {
77299 +               error("%qE attribute is already applied to the type", name);
77300 +               return NULL_TREE;
77301 +       }
77302 +
77303 +       if (TREE_CODE(*node) == TYPE_DECL && !TYPE_READONLY(type)) {
77304 +               error("%qE attribute used on type that is not constified", name);
77305 +               return NULL_TREE;
77306 +       }
77307 +
77308 +       if (TREE_CODE(*node) == TYPE_DECL) {
77309 +               TREE_TYPE(*node) = deconstify_type(type);
77310 +               TREE_READONLY(*node) = 0;
77311 +               return NULL_TREE;
77312 +       }
77313 +
77314 +       return NULL_TREE;
77315 +}
77316 +
77317 +static tree handle_do_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
77318 +{
77319 +       *no_add_attrs = true;
77320 +       if (!TYPE_P(*node)) {
77321 +               error("%qE attribute applies to types only", name);
77322 +               return NULL_TREE;
77323 +       }
77324 +
77325 +       if (TREE_CODE(*node) != RECORD_TYPE && TREE_CODE(*node) != UNION_TYPE) {
77326 +               error("%qE attribute applies to struct and union types only", name);
77327 +               return NULL_TREE;
77328 +       }
77329 +
77330 +       *no_add_attrs = false;
77331 +       constify_type(*node);
77332 +       return NULL_TREE;
77333 +}
77334 +
77335 +static struct attribute_spec no_const_attr = {
77336 +       .name                   = "no_const",
77337 +       .min_length             = 0,
77338 +       .max_length             = 0,
77339 +       .decl_required          = false,
77340 +       .type_required          = false,
77341 +       .function_type_required = false,
77342 +       .handler                = handle_no_const_attribute,
77343 +#if __GNUC__ > 4 || __GNUC_MINOR__ >= 7
77344 +       .affects_type_identity  = true
77345 +#endif
77346 +};
77347 +
77348 +static struct attribute_spec do_const_attr = {
77349 +       .name                   = "do_const",
77350 +       .min_length             = 0,
77351 +       .max_length             = 0,
77352 +       .decl_required          = false,
77353 +       .type_required          = false,
77354 +       .function_type_required = false,
77355 +       .handler                = handle_do_const_attribute,
77356 +#if __GNUC__ > 4 || __GNUC_MINOR__ >= 7
77357 +       .affects_type_identity  = true
77358 +#endif
77359 +};
77360 +
77361 +static void register_attributes(void *event_data, void *data)
77362 +{
77363 +       register_attribute(&no_const_attr);
77364 +       register_attribute(&do_const_attr);
77365 +}
77366 +
77367 +static void constify_type(tree type)
77368 +{
77369 +       TYPE_READONLY(type) = 1;
77370 +       C_TYPE_FIELDS_READONLY(type) = 1;
77371 +}
77372 +
77373 +static bool is_fptr(tree field)
77374 +{
77375 +       tree ptr = TREE_TYPE(field);
77376 +
77377 +       if (TREE_CODE(ptr) != POINTER_TYPE)
77378 +               return false;
77379 +
77380 +       return TREE_CODE(TREE_TYPE(ptr)) == FUNCTION_TYPE;
77381 +}
77382 +
77383 +static bool walk_struct(tree node)
77384 +{
77385 +       tree field;
77386 +
77387 +       if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node)))
77388 +               return false;
77389 +
77390 +       if (TYPE_FIELDS(node) == NULL_TREE)
77391 +               return false;
77392 +
77393 +       for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) {
77394 +               tree type = TREE_TYPE(field);
77395 +               enum tree_code code = TREE_CODE(type);
77396 +               if (code == RECORD_TYPE || code == UNION_TYPE) {
77397 +                       if (!(walk_struct(type)))
77398 +                               return false;
77399 +               } else if (!is_fptr(field) && !TREE_READONLY(field))
77400 +                       return false;
77401 +       }
77402 +       return true;
77403 +}
77404 +
77405 +static void finish_type(void *event_data, void *data)
77406 +{
77407 +       tree type = (tree)event_data;
77408 +
77409 +       if (type == NULL_TREE)
77410 +               return;
77411 +
77412 +       if (TYPE_READONLY(type))
77413 +               return;
77414 +
77415 +       if (walk_struct(type))
77416 +               constify_type(type);
77417 +}
77418 +
77419 +static unsigned int check_local_variables(void);
77420 +
77421 +struct gimple_opt_pass pass_local_variable = {
77422 +       {
77423 +               .type                   = GIMPLE_PASS,
77424 +               .name                   = "check_local_variables",
77425 +               .gate                   = NULL,
77426 +               .execute                = check_local_variables,
77427 +               .sub                    = NULL,
77428 +               .next                   = NULL,
77429 +               .static_pass_number     = 0,
77430 +               .tv_id                  = TV_NONE,
77431 +               .properties_required    = 0,
77432 +               .properties_provided    = 0,
77433 +               .properties_destroyed   = 0,
77434 +               .todo_flags_start       = 0,
77435 +               .todo_flags_finish      = 0
77436 +       }
77437 +};
77438 +
77439 +static unsigned int check_local_variables(void)
77440 +{
77441 +       tree var;
77442 +       referenced_var_iterator rvi;
77443 +
77444 +#if __GNUC__ == 4 && __GNUC_MINOR__ == 5
77445 +       FOR_EACH_REFERENCED_VAR(var, rvi) {
77446 +#else
77447 +       FOR_EACH_REFERENCED_VAR(cfun, var, rvi) {
77448 +#endif
77449 +               tree type = TREE_TYPE(var);
77450 +
77451 +               if (!DECL_P(var) || TREE_STATIC(var) || DECL_EXTERNAL(var))
77452 +                       continue;
77453 +
77454 +               if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
77455 +                       continue;
77456 +
77457 +               if (!TYPE_READONLY(type))
77458 +                       continue;
77459 +
77460 +//             if (lookup_attribute("no_const", DECL_ATTRIBUTES(var)))
77461 +//                     continue;
77462 +
77463 +//             if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type)))
77464 +//                     continue;
77465 +
77466 +               if (walk_struct(type)) {
77467 +                       error("constified variable %qE cannot be local", var);
77468 +                       return 1;
77469 +               }
77470 +       }
77471 +       return 0;
77472 +}
77473 +
77474 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
77475 +{
77476 +       const char * const plugin_name = plugin_info->base_name;
77477 +       const int argc = plugin_info->argc;
77478 +       const struct plugin_argument * const argv = plugin_info->argv;
77479 +       int i;
77480 +       bool constify = true;
77481 +
77482 +       struct register_pass_info local_variable_pass_info = {
77483 +               .pass                           = &pass_local_variable.pass,
77484 +               .reference_pass_name            = "*referenced_vars",
77485 +               .ref_pass_instance_number       = 0,
77486 +               .pos_op                         = PASS_POS_INSERT_AFTER
77487 +       };
77488 +
77489 +       if (!plugin_default_version_check(version, &gcc_version)) {
77490 +               error(G_("incompatible gcc/plugin versions"));
77491 +               return 1;
77492 +       }
77493 +
77494 +       for (i = 0; i < argc; ++i) {
77495 +               if (!(strcmp(argv[i].key, "no-constify"))) {
77496 +                       constify = false;
77497 +                       continue;
77498 +               }
77499 +               error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
77500 +       }
77501 +
77502 +       register_callback(plugin_name, PLUGIN_INFO, NULL, &const_plugin_info);
77503 +       if (constify) {
77504 +               register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
77505 +               register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &local_variable_pass_info);
77506 +       }
77507 +       register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
77508 +
77509 +       return 0;
77510 +}
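Review bot: `finish_type()` passes every `PLUGIN_FINISH_TYPE` payload straight to `walk_struct()`, which reads `TYPE_FIELDS()` and the fields' `TREE_TYPE`, without first checking that `type` is a `RECORD_TYPE` or `UNION_TYPE`; if the callback is ever invoked for another type code that is an invalid access, so a guard such as `if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) return;` after the NULL check is cheap insurance and matches the checks the attribute handlers already perform. In `check_local_variables()` the value returned by a pass's execute hook is a TODO_* flag mask rather than a status, so `return 1;` after `error()` sets a flag bit instead of reporting failure; `error()` already fails the compilation, so `return 0;` is the intended value. `pass_local_variable` is the only file-scope object besides `plugin_init` and `plugin_is_GPL_compatible` that is not `static`, and `unkown` in the option error should be `unknown`.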
77511 diff -urNp linux-3.1.1/tools/gcc/kallocstat_plugin.c linux-3.1.1/tools/gcc/kallocstat_plugin.c
77512 --- linux-3.1.1/tools/gcc/kallocstat_plugin.c   1969-12-31 19:00:00.000000000 -0500
77513 +++ linux-3.1.1/tools/gcc/kallocstat_plugin.c   2011-11-16 18:39:08.000000000 -0500
77514 @@ -0,0 +1,167 @@
77515 +/*
77516 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
77517 + * Licensed under the GPL v2
77518 + *
77519 + * Note: the choice of the license means that the compilation process is
77520 + *       NOT 'eligible' as defined by gcc's library exception to the GPL v3,
77521 + *       but for the kernel it doesn't matter since it doesn't link against
77522 + *       any of the gcc libraries
77523 + *
77524 + * gcc plugin to find the distribution of k*alloc sizes
77525 + *
77526 + * TODO:
77527 + *
77528 + * BUGS:
77529 + * - none known
77530 + */
77531 +#include "gcc-plugin.h"
77532 +#include "config.h"
77533 +#include "system.h"
77534 +#include "coretypes.h"
77535 +#include "tree.h"
77536 +#include "tree-pass.h"
77537 +#include "flags.h"
77538 +#include "intl.h"
77539 +#include "toplev.h"
77540 +#include "plugin.h"
77541 +//#include "expr.h" where are you...
77542 +#include "diagnostic.h"
77543 +#include "plugin-version.h"
77544 +#include "tm.h"
77545 +#include "function.h"
77546 +#include "basic-block.h"
77547 +#include "gimple.h"
77548 +#include "rtl.h"
77549 +#include "emit-rtl.h"
77550 +
77551 +extern void print_gimple_stmt(FILE *, gimple, int, int);
77552 +
77553 +int plugin_is_GPL_compatible;
77554 +
77555 +static const char * const kalloc_functions[] = {
77556 +       "__kmalloc",
77557 +       "kmalloc",
77558 +       "kmalloc_large",
77559 +       "kmalloc_node",
77560 +       "kmalloc_order",
77561 +       "kmalloc_order_trace",
77562 +       "kmalloc_slab",
77563 +       "kzalloc",
77564 +       "kzalloc_node",
77565 +};
77566 +
77567 +static struct plugin_info kallocstat_plugin_info = {
77568 +       .version        = "201111150100",
77569 +};
77570 +
77571 +static unsigned int execute_kallocstat(void);
77572 +
77573 +static struct gimple_opt_pass kallocstat_pass = {
77574 +       .pass = {
77575 +               .type                   = GIMPLE_PASS,
77576 +               .name                   = "kallocstat",
77577 +               .gate                   = NULL,
77578 +               .execute                = execute_kallocstat,
77579 +               .sub                    = NULL,
77580 +               .next                   = NULL,
77581 +               .static_pass_number     = 0,
77582 +               .tv_id                  = TV_NONE,
77583 +               .properties_required    = 0,
77584 +               .properties_provided    = 0,
77585 +               .properties_destroyed   = 0,
77586 +               .todo_flags_start       = 0,
77587 +               .todo_flags_finish      = 0
77588 +       }
77589 +};
77590 +
77591 +static bool is_kalloc(const char *fnname)
77592 +{
77593 +       size_t i;
77594 +
77595 +       for (i = 0; i < ARRAY_SIZE(kalloc_functions); i++)
77596 +               if (!strcmp(fnname, kalloc_functions[i]))
77597 +                       return true;
77598 +       return false;
77599 +}
77600 +
77601 +static unsigned int execute_kallocstat(void)
77602 +{
77603 +       basic_block bb;
77604 +
77605 +       // 1. loop through BBs and GIMPLE statements
77606 +       FOR_EACH_BB(bb) {
77607 +               gimple_stmt_iterator gsi;
77608 +               for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
77609 +                       // gimple match: 
77610 +                       tree fndecl, size;
77611 +                       gimple call_stmt;
77612 +                       const char *fnname;
77613 +
77614 +                       // is it a call
77615 +                       call_stmt = gsi_stmt(gsi);
77616 +                       if (!is_gimple_call(call_stmt))
77617 +                               continue;
77618 +                       fndecl = gimple_call_fndecl(call_stmt);
77619 +                       if (fndecl == NULL_TREE)
77620 +                               continue;
77621 +                       if (TREE_CODE(fndecl) != FUNCTION_DECL)
77622 +                               continue;
77623 +
77624 +                       // is it a call to k*alloc
77625 +                       fnname = IDENTIFIER_POINTER(DECL_NAME(fndecl));
77626 +                       if (!is_kalloc(fnname))
77627 +                               continue;
77628 +
77629 +                       // is the size arg the result of a simple const assignment
77630 +                       size = gimple_call_arg(call_stmt, 0);
77631 +                       while (true) {
77632 +                               gimple def_stmt;
77633 +                               expanded_location xloc;
77634 +                               size_t size_val;
77635 +
77636 +                               if (TREE_CODE(size) != SSA_NAME)
77637 +                                       break;
77638 +                               def_stmt = SSA_NAME_DEF_STMT(size);
77639 +                               if (!def_stmt || !is_gimple_assign(def_stmt))
77640 +                                       break;
77641 +                               if (gimple_num_ops(def_stmt) != 2)
77642 +                                       break;
77643 +                               size = gimple_assign_rhs1(def_stmt);
77644 +                               if (!TREE_CONSTANT(size))
77645 +                                       continue;
77646 +                               xloc = expand_location(gimple_location(def_stmt));
77647 +                               if (!xloc.file)
77648 +                                       xloc = expand_location(DECL_SOURCE_LOCATION(current_function_decl));
77649 +                               size_val = TREE_INT_CST_LOW(size);
77650 +                               fprintf(stderr, "kallocsize: %8zu %8zx %s %s:%u\n", size_val, size_val, fnname, xloc.file, xloc.line);
77651 +                               break;
77652 +                       }
77653 +//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
77654 +//debug_tree(gimple_call_fn(call_stmt));
77655 +//print_node(stderr, "pax", fndecl, 4);
77656 +               }
77657 +       }
77658 +
77659 +       return 0;
77660 +}
77661 +
77662 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
77663 +{
77664 +       const char * const plugin_name = plugin_info->base_name;
77665 +       struct register_pass_info kallocstat_pass_info = {
77666 +               .pass                           = &kallocstat_pass.pass,
77667 +               .reference_pass_name            = "ssa",
77668 +               .ref_pass_instance_number       = 0,
77669 +               .pos_op                         = PASS_POS_INSERT_AFTER
77670 +       };
77671 +
77672 +       if (!plugin_default_version_check(version, &gcc_version)) {
77673 +               error(G_("incompatible gcc/plugin versions"));
77674 +               return 1;
77675 +       }
77676 +
77677 +       register_callback(plugin_name, PLUGIN_INFO, NULL, &kallocstat_plugin_info);
77678 +       register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kallocstat_pass_info);
77679 +
77680 +       return 0;
77681 +}
77682 diff -urNp linux-3.1.1/tools/gcc/kernexec_plugin.c linux-3.1.1/tools/gcc/kernexec_plugin.c
77683 --- linux-3.1.1/tools/gcc/kernexec_plugin.c     1969-12-31 19:00:00.000000000 -0500
77684 +++ linux-3.1.1/tools/gcc/kernexec_plugin.c     2011-11-16 18:39:08.000000000 -0500
77685 @@ -0,0 +1,275 @@
77686 +/*
77687 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
77688 + * Licensed under the GPL v2
77689 + *
77690 + * Note: the choice of the license means that the compilation process is
77691 + *       NOT 'eligible' as defined by gcc's library exception to the GPL v3,
77692 + *       but for the kernel it doesn't matter since it doesn't link against
77693 + *       any of the gcc libraries
77694 + *
77695 + * gcc plugin to make KERNEXEC/amd64 almost as good as it is on i386
77696 + *
77697 + * TODO:
77698 + *
77699 + * BUGS:
77700 + * - none known
77701 + */
77702 +#include "gcc-plugin.h"
77703 +#include "config.h"
77704 +#include "system.h"
77705 +#include "coretypes.h"
77706 +#include "tree.h"
77707 +#include "tree-pass.h"
77708 +#include "flags.h"
77709 +#include "intl.h"
77710 +#include "toplev.h"
77711 +#include "plugin.h"
77712 +//#include "expr.h" where are you...
77713 +#include "diagnostic.h"
77714 +#include "plugin-version.h"
77715 +#include "tm.h"
77716 +#include "function.h"
77717 +#include "basic-block.h"
77718 +#include "gimple.h"
77719 +#include "rtl.h"
77720 +#include "emit-rtl.h"
77721 +#include "tree-flow.h"
77722 +
77723 +extern void print_gimple_stmt(FILE *, gimple, int, int);
77724 +extern rtx emit_move_insn(rtx x, rtx y);
77725 +
77726 +int plugin_is_GPL_compatible;
77727 +
77728 +static struct plugin_info kernexec_plugin_info = {
77729 +       .version        = "201111150100",
77730 +};
77731 +
77732 +static unsigned int execute_kernexec_fptr(void);
77733 +static unsigned int execute_kernexec_retaddr(void);
77734 +static bool kernexec_cmodel_check(void);
77735 +
77736 +static struct gimple_opt_pass kernexec_fptr_pass = {
77737 +       .pass = {
77738 +               .type                   = GIMPLE_PASS,
77739 +               .name                   = "kernexec_fptr",
77740 +               .gate                   = kernexec_cmodel_check,
77741 +               .execute                = execute_kernexec_fptr,
77742 +               .sub                    = NULL,
77743 +               .next                   = NULL,
77744 +               .static_pass_number     = 0,
77745 +               .tv_id                  = TV_NONE,
77746 +               .properties_required    = 0,
77747 +               .properties_provided    = 0,
77748 +               .properties_destroyed   = 0,
77749 +               .todo_flags_start       = 0,
77750 +               .todo_flags_finish      = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa_no_phi
77751 +       }
77752 +};
77753 +
77754 +static struct rtl_opt_pass kernexec_retaddr_pass = {
77755 +       .pass = {
77756 +               .type                   = RTL_PASS,
77757 +               .name                   = "kernexec_retaddr",
77758 +               .gate                   = kernexec_cmodel_check,
77759 +               .execute                = execute_kernexec_retaddr,
77760 +               .sub                    = NULL,
77761 +               .next                   = NULL,
77762 +               .static_pass_number     = 0,
77763 +               .tv_id                  = TV_NONE,
77764 +               .properties_required    = 0,
77765 +               .properties_provided    = 0,
77766 +               .properties_destroyed   = 0,
77767 +               .todo_flags_start       = 0,
77768 +               .todo_flags_finish      = TODO_dump_func | TODO_ggc_collect
77769 +       }
77770 +};
77771 +
77772 +static bool kernexec_cmodel_check(void)
77773 +{
77774 +       tree section;
77775 +
77776 +       if (ix86_cmodel != CM_KERNEL)
77777 +               return false;
77778 +
77779 +       section = lookup_attribute("section", DECL_ATTRIBUTES(current_function_decl));
77780 +       if (!section || !TREE_VALUE(section))
77781 +               return true;
77782 +
77783 +       section = TREE_VALUE(TREE_VALUE(section));
77784 +       if (strncmp(TREE_STRING_POINTER(section), ".vsyscall_", 10))
77785 +               return true;
77786 +
77787 +       return false;
77788 +}
77789 +
77790 +/*
77791 + * add special KERNEXEC instrumentation: force MSB of fptr to 1, which will produce
77792 + * a non-canonical address from a userland ptr and will just trigger a GPF on dereference
77793 + */
77794 +static void kernexec_instrument_fptr(gimple_stmt_iterator gsi)
77795 +{
77796 +       gimple assign_intptr, assign_new_fptr, call_stmt;
77797 +       tree intptr, old_fptr, new_fptr, kernexec_mask;
77798 +
77799 +       call_stmt = gsi_stmt(gsi);
77800 +       old_fptr = gimple_call_fn(call_stmt);
77801 +
77802 +       // create temporary unsigned long variable used for bitops and cast fptr to it
77803 +       intptr = create_tmp_var(long_unsigned_type_node, NULL);
77804 +       add_referenced_var(intptr);
77805 +       mark_sym_for_renaming(intptr);
77806 +       assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
77807 +       update_stmt(assign_intptr);
77808 +       gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
77809 +
77810 +       // apply logical or to temporary unsigned long and bitmask
77811 +       kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
77812 +//     kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
77813 +       assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask));
77814 +       update_stmt(assign_intptr);
77815 +       gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
77816 +
77817 +       // cast temporary unsigned long back to a temporary fptr variable
77818 +       new_fptr = create_tmp_var(TREE_TYPE(old_fptr), NULL);
77819 +       add_referenced_var(new_fptr);
77820 +       mark_sym_for_renaming(new_fptr);
77821 +       assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
77822 +       update_stmt(assign_new_fptr);
77823 +       gsi_insert_before(&gsi, assign_new_fptr, GSI_SAME_STMT);
77824 +
77825 +       // replace call stmt fn with the new fptr
77826 +       gimple_call_set_fn(call_stmt, new_fptr);
77827 +       update_stmt(call_stmt);
77828 +}
77829 +
77830 +/*
77831 + * find all C level function pointer dereferences and forcibly set the highest bit of the pointer
77832 + */
77833 +static unsigned int execute_kernexec_fptr(void)
77834 +{
77835 +       basic_block bb;
77836 +       gimple_stmt_iterator gsi;
77837 +
77838 +       // 1. loop through BBs and GIMPLE statements
77839 +       FOR_EACH_BB(bb) {
77840 +               for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
77841 +                       // gimple match: h_1 = get_fptr (); D.2709_3 = h_1 (x_2(D));
77842 +                       tree fn;
77843 +                       gimple call_stmt;
77844 +
77845 +                       // is it a call ...
77846 +                       call_stmt = gsi_stmt(gsi);
77847 +                       if (!is_gimple_call(call_stmt))
77848 +                               continue;
77849 +                       fn = gimple_call_fn(call_stmt);
77850 +                       if (TREE_CODE(fn) == ADDR_EXPR)
77851 +                               continue;
77852 +                       if (TREE_CODE(fn) != SSA_NAME)
77853 +                               gcc_unreachable();
77854 +
77855 +                       // ... through a function pointer
77856 +                       fn = SSA_NAME_VAR(fn);
77857 +                       if (TREE_CODE(fn) != VAR_DECL && TREE_CODE(fn) != PARM_DECL)
77858 +                               continue;
77859 +                       fn = TREE_TYPE(fn);
77860 +                       if (TREE_CODE(fn) != POINTER_TYPE)
77861 +                               continue;
77862 +                       fn = TREE_TYPE(fn);
77863 +                       if (TREE_CODE(fn) != FUNCTION_TYPE)
77864 +                               continue;
77865 +
77866 +                       kernexec_instrument_fptr(gsi);
77867 +
77868 +//debug_tree(gimple_call_fn(call_stmt));
77869 +//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
77870 +               }
77871 +       }
77872 +
77873 +       return 0;
77874 +}
77875 +
77876 +// add special KERNEXEC instrumentation: btsq $63,(%rsp) just before retn
77877 +static void kernexec_instrument_retaddr(rtx insn)
77878 +{
77879 +       rtx btsq;
77880 +       rtvec argvec, constraintvec, labelvec;
77881 +       int line;
77882 +
77883 +       // create asm volatile("btsq $63,(%%rsp)":::)
77884 +       argvec = rtvec_alloc(0);
77885 +       constraintvec = rtvec_alloc(0);
77886 +       labelvec = rtvec_alloc(0);
77887 +       line = expand_location(RTL_LOCATION(insn)).line;
77888 +       btsq = gen_rtx_ASM_OPERANDS(VOIDmode, "btsq $63,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
77889 +       MEM_VOLATILE_P(btsq) = 1;
77890 +       RTX_FRAME_RELATED_P(btsq) = 1;
77891 +       emit_insn_before(btsq, insn);
77892 +}
77893 +
77894 +/*
77895 + * find all asm level function returns and forcibly set the highest bit of the return address
77896 + */
77897 +static unsigned int execute_kernexec_retaddr(void)
77898 +{
77899 +       rtx insn;
77900 +
77901 +       // 1. find function returns
77902 +       for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
77903 +               // rtl match: (jump_insn 41 40 42 2 (return) fptr.c:42 634 {return_internal} (nil))
77904 +               //            (jump_insn 12 9 11 2 (parallel [ (return) (unspec [ (0) ] UNSPEC_REP) ]) fptr.c:46 635 {return_internal_long} (nil))
77905 +               rtx body;
77906 +
77907 +               // is it a retn
77908 +               if (!JUMP_P(insn))
77909 +                       continue;
77910 +               body = PATTERN(insn);
77911 +               if (GET_CODE(body) == PARALLEL)
77912 +                       body = XVECEXP(body, 0, 0);
77913 +               if (GET_CODE(body) != RETURN)
77914 +                       continue;
77915 +               kernexec_instrument_retaddr(insn);
77916 +       }
77917 +
77918 +//     print_simple_rtl(stderr, get_insns());
77919 +//     print_rtl(stderr, get_insns());
77920 +
77921 +       return 0;
77922 +}
77923 +
77924 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
77925 +{
77926 +       const char * const plugin_name = plugin_info->base_name;
77927 +       const int argc = plugin_info->argc;
77928 +       const struct plugin_argument * const argv = plugin_info->argv;
77929 +       int i;
77930 +       struct register_pass_info kernexec_fptr_pass_info = {
77931 +               .pass                           = &kernexec_fptr_pass.pass,
77932 +               .reference_pass_name            = "ssa",
77933 +               .ref_pass_instance_number       = 0,
77934 +               .pos_op                         = PASS_POS_INSERT_AFTER
77935 +       };
77936 +       struct register_pass_info kernexec_retaddr_pass_info = {
77937 +               .pass                           = &kernexec_retaddr_pass.pass,
77938 +               .reference_pass_name            = "pro_and_epilogue",
77939 +               .ref_pass_instance_number       = 0,
77940 +               .pos_op                         = PASS_POS_INSERT_AFTER
77941 +       };
77942 +
77943 +       if (!plugin_default_version_check(version, &gcc_version)) {
77944 +               error(G_("incompatible gcc/plugin versions"));
77945 +               return 1;
77946 +       }
77947 +
77948 +       register_callback(plugin_name, PLUGIN_INFO, NULL, &kernexec_plugin_info);
77949 +
77950 +       for (i = 0; i < argc; ++i)
77951 +               error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
77952 +
77953 +       if (TARGET_64BIT == 0)
77954 +               return 0;
77955 +
77956 +       register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_fptr_pass_info);
77957 +       register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_retaddr_pass_info);
77958 +
77959 +       return 0;
77960 +}
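Review bot: In kernexec_instrument_fptr the temporary `intptr` is created with `long_unsigned_type_node`, yet the mask and the `BIT_IOR_EXPR` three lines later are built with `long_long_unsigned_type_node`, so the inserted assignment mixes two distinct GCC types that merely share a mode on amd64 and appears to rely on the stmt verifier (enabled via `TODO_verify_stmts` in the pass descriptor) treating the same-precision conversion as useless; building the mask and the OR with `long_unsigned_type_node` as well removes that dependency. In plugin_init the early `if (TARGET_64BIT == 0) return 0;` registers no pass and prints nothing, so a build that asked for KERNEXEC instrumentation on a non-64-bit target silently gets none; a `warning` at that point would make the missing instrumentation visible. The option error string contains the typo `unkown`, which should read `unknown`; the same string appears in stackleak_plugin.c's plugin_init. In kernexec_cmodel_check the literal length in `strncmp(TREE_STRING_POINTER(section), ".vsyscall_", 10)` is a magic number that is better written `sizeof(".vsyscall_") - 1` so it cannot drift from the prefix.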
77961 diff -urNp linux-3.1.1/tools/gcc/Makefile linux-3.1.1/tools/gcc/Makefile
77962 --- linux-3.1.1/tools/gcc/Makefile      1969-12-31 19:00:00.000000000 -0500
77963 +++ linux-3.1.1/tools/gcc/Makefile      2011-11-16 20:37:08.000000000 -0500
77964 @@ -0,0 +1,21 @@
77965 +#CC := gcc
77966 +#PLUGIN_SOURCE_FILES := pax_plugin.c
77967 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
77968 +GCCPLUGINS_DIR := $(shell $(CC) -print-file-name=plugin)
77969 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
77970 +
77971 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
77972 +
77973 +hostlibs-y := constify_plugin.so
77974 +hostlibs-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so
77975 +hostlibs-$(CONFIG_KALLOCSTAT_PLUGIN) += kallocstat_plugin.so
77976 +hostlibs-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so
77977 +hostlibs-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
77978 +
77979 +always := $(hostlibs-y)
77980 +
77981 +constify_plugin-objs := constify_plugin.o
77982 +stackleak_plugin-objs := stackleak_plugin.o
77983 +kallocstat_plugin-objs := kallocstat_plugin.o
77984 +kernexec_plugin-objs := kernexec_plugin.o
77985 +checker_plugin-objs := checker_plugin.o
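Review bot: `GCCPLUGINS_DIR := $(shell $(CC) -print-file-name=plugin)` is used without validation, and a compiler that has no plugin directory prints the bare name `plugin` back, so `HOST_EXTRACFLAGS` would quietly become a relative `-Iplugin/include` and the failure only surfaces later as a missing `gcc-plugin.h` while compiling the unconditional `constify_plugin.so`; a guard such as `ifeq ($(wildcard $(GCCPLUGINS_DIR)/include/gcc-plugin.h),)` followed by `$(error gcc plugin headers not found)` gives the direct diagnostic. The commented-out `CC`, `PLUGIN_SOURCE_FILES`, `PLUGIN_OBJECT_FILES` and `CFLAGS` lines at the top are dead and could be dropped.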
77986 diff -urNp linux-3.1.1/tools/gcc/stackleak_plugin.c linux-3.1.1/tools/gcc/stackleak_plugin.c
77987 --- linux-3.1.1/tools/gcc/stackleak_plugin.c    1969-12-31 19:00:00.000000000 -0500
77988 +++ linux-3.1.1/tools/gcc/stackleak_plugin.c    2011-11-16 18:39:08.000000000 -0500
77989 @@ -0,0 +1,291 @@
77990 +/*
77991 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
77992 + * Licensed under the GPL v2
77993 + *
77994 + * Note: the choice of the license means that the compilation process is
77995 + *       NOT 'eligible' as defined by gcc's library exception to the GPL v3,
77996 + *       but for the kernel it doesn't matter since it doesn't link against
77997 + *       any of the gcc libraries
77998 + *
77999 + * gcc plugin to help implement various PaX features
78000 + *
78001 + * - track lowest stack pointer
78002 + *
78003 + * TODO:
78004 + * - initialize all local variables
78005 + *
78006 + * BUGS:
78007 + * - none known
78008 + */
78009 +#include "gcc-plugin.h"
78010 +#include "config.h"
78011 +#include "system.h"
78012 +#include "coretypes.h"
78013 +#include "tree.h"
78014 +#include "tree-pass.h"
78015 +#include "flags.h"
78016 +#include "intl.h"
78017 +#include "toplev.h"
78018 +#include "plugin.h"
78019 +//#include "expr.h" where are you...
78020 +#include "diagnostic.h"
78021 +#include "plugin-version.h"
78022 +#include "tm.h"
78023 +#include "function.h"
78024 +#include "basic-block.h"
78025 +#include "gimple.h"
78026 +#include "rtl.h"
78027 +#include "emit-rtl.h"
78028 +
78029 +extern void print_gimple_stmt(FILE *, gimple, int, int);
78030 +
78031 +int plugin_is_GPL_compatible;
78032 +
78033 +static int track_frame_size = -1;
78034 +static const char track_function[] = "pax_track_stack";
78035 +static const char check_function[] = "pax_check_alloca";
78036 +static bool init_locals;
78037 +
78038 +static struct plugin_info stackleak_plugin_info = {
78039 +       .version        = "201111150100",
78040 +       .help           = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
78041 +//                       "initialize-locals\t\tforcibly initialize all stack frames\n"
78042 +};
78043 +
78044 +static bool gate_stackleak_track_stack(void);
78045 +static unsigned int execute_stackleak_tree_instrument(void);
78046 +static unsigned int execute_stackleak_final(void);
78047 +
78048 +static struct gimple_opt_pass stackleak_tree_instrument_pass = {
78049 +       .pass = {
78050 +               .type                   = GIMPLE_PASS,
78051 +               .name                   = "stackleak_tree_instrument",
78052 +               .gate                   = gate_stackleak_track_stack,
78053 +               .execute                = execute_stackleak_tree_instrument,
78054 +               .sub                    = NULL,
78055 +               .next                   = NULL,
78056 +               .static_pass_number     = 0,
78057 +               .tv_id                  = TV_NONE,
78058 +               .properties_required    = PROP_gimple_leh | PROP_cfg,
78059 +               .properties_provided    = 0,
78060 +               .properties_destroyed   = 0,
78061 +               .todo_flags_start       = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
78062 +               .todo_flags_finish      = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_update_ssa
78063 +       }
78064 +};
78065 +
78066 +static struct rtl_opt_pass stackleak_final_rtl_opt_pass = {
78067 +       .pass = {
78068 +               .type                   = RTL_PASS,
78069 +               .name                   = "stackleak_final",
78070 +               .gate                   = gate_stackleak_track_stack,
78071 +               .execute                = execute_stackleak_final,
78072 +               .sub                    = NULL,
78073 +               .next                   = NULL,
78074 +               .static_pass_number     = 0,
78075 +               .tv_id                  = TV_NONE,
78076 +               .properties_required    = 0,
78077 +               .properties_provided    = 0,
78078 +               .properties_destroyed   = 0,
78079 +               .todo_flags_start       = 0,
78080 +               .todo_flags_finish      = TODO_dump_func
78081 +       }
78082 +};
78083 +
78084 +static bool gate_stackleak_track_stack(void)
78085 +{
78086 +       return track_frame_size >= 0;
78087 +}
78088 +
78089 +static void stackleak_check_alloca(gimple_stmt_iterator gsi)
78090 +{
78091 +       gimple check_alloca;
78092 +       tree fndecl, fntype, alloca_size;
78093 +
78094 +       // insert call to void pax_check_alloca(unsigned long size)
78095 +       fntype = build_function_type_list(void_type_node, long_unsigned_type_node, NULL_TREE);
78096 +       fndecl = build_fn_decl(check_function, fntype);
78097 +       DECL_ASSEMBLER_NAME(fndecl); // for LTO
78098 +       alloca_size = gimple_call_arg(gsi_stmt(gsi), 0);
78099 +       check_alloca = gimple_build_call(fndecl, 1, alloca_size);
78100 +       gsi_insert_before(&gsi, check_alloca, GSI_CONTINUE_LINKING);
78101 +}
78102 +
78103 +static void stackleak_add_instrumentation(gimple_stmt_iterator gsi)
78104 +{
78105 +       gimple track_stack;
78106 +       tree fndecl, fntype;
78107 +
78108 +       // insert call to void pax_track_stack(void)
78109 +       fntype = build_function_type_list(void_type_node, NULL_TREE);
78110 +       fndecl = build_fn_decl(track_function, fntype);
78111 +       DECL_ASSEMBLER_NAME(fndecl); // for LTO
78112 +       track_stack = gimple_build_call(fndecl, 0);
78113 +       gsi_insert_after(&gsi, track_stack, GSI_CONTINUE_LINKING);
78114 +}
78115 +
78116 +#if __GNUC__ == 4 && __GNUC_MINOR__ == 5
78117 +static bool gimple_call_builtin_p(gimple stmt, enum built_in_function code)
78118 +{
78119 +       tree fndecl;
78120 +
78121 +       if (!is_gimple_call(stmt))
78122 +               return false;
78123 +       fndecl = gimple_call_fndecl(stmt);
78124 +       if (!fndecl)
78125 +               return false;
78126 +       if (DECL_BUILT_IN_CLASS(fndecl) != BUILT_IN_NORMAL)
78127 +               return false;
78128 +//     print_node(stderr, "pax", fndecl, 4);
78129 +       return DECL_FUNCTION_CODE(fndecl) == code;
78130 +}
78131 +#endif
78132 +
78133 +static bool is_alloca(gimple stmt)
78134 +{
78135 +       if (gimple_call_builtin_p(stmt, BUILT_IN_ALLOCA))
78136 +               return true;
78137 +
78138 +#if __GNUC__ > 4 || __GNUC_MINOR__ >= 7
78139 +       if (gimple_call_builtin_p(stmt, BUILT_IN_ALLOCA_WITH_ALIGN))
78140 +               return true;
78141 +#endif
78142 +
78143 +       return false;
78144 +}
78145 +
78146 +static unsigned int execute_stackleak_tree_instrument(void)
78147 +{
78148 +       basic_block bb, entry_bb;
78149 +       bool prologue_instrumented = false;
78150 +
78151 +       entry_bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
78152 +
78153 +       // 1. loop through BBs and GIMPLE statements
78154 +       FOR_EACH_BB(bb) {
78155 +               gimple_stmt_iterator gsi;
78156 +               for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
78157 +                       // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
78158 +                       if (!is_alloca(gsi_stmt(gsi)))
78159 +                               continue;
78160 +
78161 +                       // 2. insert stack overflow check before each __builtin_alloca call
78162 +                       stackleak_check_alloca(gsi);
78163 +
78164 +                       // 3. insert track call after each __builtin_alloca call
78165 +                       stackleak_add_instrumentation(gsi);
78166 +                       if (bb == entry_bb)
78167 +                               prologue_instrumented = true;
78168 +               }
78169 +       }
78170 +
78171 +       // 4. insert track call at the beginning
78172 +       if (!prologue_instrumented) {
78173 +               bb = split_block_after_labels(ENTRY_BLOCK_PTR)->dest;
78174 +               if (dom_info_available_p(CDI_DOMINATORS))
78175 +                       set_immediate_dominator(CDI_DOMINATORS, bb, ENTRY_BLOCK_PTR);
78176 +               stackleak_add_instrumentation(gsi_start_bb(bb));
78177 +       }
78178 +
78179 +       return 0;
78180 +}
78181 +
78182 +static unsigned int execute_stackleak_final(void)
78183 +{
78184 +       rtx insn;
78185 +
78186 +       if (cfun->calls_alloca)
78187 +               return 0;
78188 +
78189 +       // keep calls only if function frame is big enough
78190 +       if (get_frame_size() >= track_frame_size)
78191 +               return 0;
78192 +
78193 +       // 1. find pax_track_stack calls
78194 +       for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
78195 +               // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
78196 +               rtx body;
78197 +
78198 +               if (!CALL_P(insn))
78199 +                       continue;
78200 +               body = PATTERN(insn);
78201 +               if (GET_CODE(body) != CALL)
78202 +                       continue;
78203 +               body = XEXP(body, 0);
78204 +               if (GET_CODE(body) != MEM)
78205 +                       continue;
78206 +               body = XEXP(body, 0);
78207 +               if (GET_CODE(body) != SYMBOL_REF)
78208 +                       continue;
78209 +               if (strcmp(XSTR(body, 0), track_function))
78210 +                       continue;
78211 +//             warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
78212 +               // 2. delete call
78213 +               insn = delete_insn_and_edges(insn);
78214 +#if __GNUC__ > 4 || __GNUC_MINOR__ >= 7
78215 +               if (GET_CODE(insn) == NOTE && NOTE_KIND(insn) == NOTE_INSN_CALL_ARG_LOCATION)
78216 +                       insn = delete_insn_and_edges(insn);
78217 +#endif
78218 +       }
78219 +
78220 +//     print_simple_rtl(stderr, get_insns());
78221 +//     print_rtl(stderr, get_insns());
78222 +//     warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
78223 +
78224 +       return 0;
78225 +}
78226 +
78227 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
78228 +{
78229 +       const char * const plugin_name = plugin_info->base_name;
78230 +       const int argc = plugin_info->argc;
78231 +       const struct plugin_argument * const argv = plugin_info->argv;
78232 +       int i;
78233 +       struct register_pass_info stackleak_tree_instrument_pass_info = {
78234 +               .pass                           = &stackleak_tree_instrument_pass.pass,
78235 +//             .reference_pass_name            = "tree_profile",
78236 +               .reference_pass_name            = "optimized",
78237 +               .ref_pass_instance_number       = 0,
78238 +               .pos_op                         = PASS_POS_INSERT_AFTER
78239 +       };
78240 +       struct register_pass_info stackleak_final_pass_info = {
78241 +               .pass                           = &stackleak_final_rtl_opt_pass.pass,
78242 +               .reference_pass_name            = "final",
78243 +               .ref_pass_instance_number       = 0,
78244 +               .pos_op                         = PASS_POS_INSERT_BEFORE
78245 +       };
78246 +
78247 +       if (!plugin_default_version_check(version, &gcc_version)) {
78248 +               error(G_("incompatible gcc/plugin versions"));
78249 +               return 1;
78250 +       }
78251 +
78252 +       register_callback(plugin_name, PLUGIN_INFO, NULL, &stackleak_plugin_info);
78253 +
78254 +       for (i = 0; i < argc; ++i) {
78255 +               if (!strcmp(argv[i].key, "track-lowest-sp")) {
78256 +                       if (!argv[i].value) {
78257 +                               error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
78258 +                               continue;
78259 +                       }
78260 +                       track_frame_size = atoi(argv[i].value);
78261 +                       if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
78262 +                               error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
78263 +                       continue;
78264 +               }
78265 +               if (!strcmp(argv[i].key, "initialize-locals")) {
78266 +                       if (argv[i].value) {
78267 +                               error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
78268 +                               continue;
78269 +                       }
78270 +                       init_locals = true;
78271 +                       continue;
78272 +               }
78273 +               error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
78274 +       }
78275 +
78276 +       register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_tree_instrument_pass_info);
78277 +       register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_final_pass_info);
78278 +
78279 +       return 0;
78280 +}
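Review bot: The `track-lowest-sp` value is parsed with `atoi` and the check on the following line inspects only the first character, so an argument such as `12abc` is accepted as 12 and a value beyond INT_MAX is undefined behaviour inside `atoi` instead of being rejected; parsing with `strtol` and checking the end pointer and range (sketched below; `errno`/`ERANGE` and `INT_MAX` should already be in scope through gcc's system.h, please confirm) makes the validation complete. The `initialize-locals` option sets `init_locals`, which nothing else in this file reads, and its help line is commented out, so the option is accepted and silently does nothing; until the TODO is implemented it would be clearer to reject it with an error or state in the help text that it is not yet functional. The final error string has the typo `unkown` for `unknown`, shared with kernexec_plugin.c. In execute_stackleak_final, `insn = delete_insn_and_edges(insn)` returns the insn after the deleted one if I read the cfgrtl contract right, and the loop header then advances once more, so the insn following every deleted call is never examined — harmless unless two tracked calls are adjacent, but worth a comment on that line.
```c
                if (!strcmp(argv[i].key, "track-lowest-sp")) {
                        char *end;
                        long size;

                        // … unchanged: missing-value check …
                        errno = 0;
                        size = strtol(argv[i].value, &end, 10);
                        // reject empty input, trailing garbage, negative and out-of-int-range values
                        if (end == argv[i].value || *end != '\0' || errno == ERANGE || size < 0 || size > INT_MAX)
                                error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
                        else
                                track_frame_size = (int)size;
                        continue;
                }
```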
78281 diff -urNp linux-3.1.1/tools/perf/util/include/asm/alternative-asm.h linux-3.1.1/tools/perf/util/include/asm/alternative-asm.h
78282 --- linux-3.1.1/tools/perf/util/include/asm/alternative-asm.h   2011-11-11 15:19:27.000000000 -0500
78283 +++ linux-3.1.1/tools/perf/util/include/asm/alternative-asm.h   2011-11-16 18:39:08.000000000 -0500
78284 @@ -5,4 +5,7 @@
78285  
78286  #define altinstruction_entry #
78287  
78288 +       .macro pax_force_retaddr rip=0
78289 +       .endm
78290 +
78291  #endif
78292 diff -urNp linux-3.1.1/usr/gen_init_cpio.c linux-3.1.1/usr/gen_init_cpio.c
78293 --- linux-3.1.1/usr/gen_init_cpio.c     2011-11-11 15:19:27.000000000 -0500
78294 +++ linux-3.1.1/usr/gen_init_cpio.c     2011-11-16 18:39:08.000000000 -0500
78295 @@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name,
78296         int retval;
78297         int rc = -1;
78298         int namesize;
78299 -       int i;
78300 +       unsigned int i;
78301  
78302         mode |= S_IFREG;
78303  
78304 @@ -392,9 +392,10 @@ static char *cpio_replace_env(char *new_
78305                         *env_var = *expanded = '\0';
78306                         strncat(env_var, start + 2, end - start - 2);
78307                         strncat(expanded, new_location, start - new_location);
78308 -                       strncat(expanded, getenv(env_var), PATH_MAX);
78309 -                       strncat(expanded, end + 1, PATH_MAX);
78310 +                       strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
78311 +                       strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
78312                         strncpy(new_location, expanded, PATH_MAX);
78313 +                       new_location[PATH_MAX] = 0;
78314                 } else
78315                         break;
78316         }
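Review bot: `getenv(env_var)` on the first rewritten `strncat` line is still handed directly to `strncat`, and it returns NULL when the variable is unset, so an unknown `${NAME}` in the cpio list remains undefined behaviour that the new bound does not cover; `const char *val = getenv(env_var);` followed by `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));` closes that case. The new bounds assume `expanded` has room for PATH_MAX characters plus the terminator, as the added `new_location[PATH_MAX] = 0;` implies for `new_location`; both declarations are outside the hunk, so confirm each buffer is `PATH_MAX + 1`. cpio_replace_env's body continues outside the hunk.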
78317 diff -urNp linux-3.1.1/virt/kvm/kvm_main.c linux-3.1.1/virt/kvm/kvm_main.c
78318 --- linux-3.1.1/virt/kvm/kvm_main.c     2011-11-11 15:19:27.000000000 -0500
78319 +++ linux-3.1.1/virt/kvm/kvm_main.c     2011-11-16 18:39:08.000000000 -0500
78320 @@ -73,7 +73,7 @@ LIST_HEAD(vm_list);
78321  
78322  static cpumask_var_t cpus_hardware_enabled;
78323  static int kvm_usage_count = 0;
78324 -static atomic_t hardware_enable_failed;
78325 +static atomic_unchecked_t hardware_enable_failed;
78326  
78327  struct kmem_cache *kvm_vcpu_cache;
78328  EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
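Review bot: hardware_enable_failed becomes atomic_unchecked_t with no comment saying why this counter may skip the overflow check that the checked atomic_t presumably carries under PAX_REFCOUNT. The later hunks show it is reset once per enable-all and incremented at most once per CPU from hardware_enable_nolock, so the exemption looks justified, but that reasoning belongs next to the declaration for the next person auditing unchecked atomics. I would add `/* per-CPU enable-failure count, not a refcount: reset per hardware_enable_all() and bumped at most once per CPU, so overflow checking is unnecessary */` above the declaration.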
78329 @@ -2266,7 +2266,7 @@ static void hardware_enable_nolock(void 
78330  
78331         if (r) {
78332                 cpumask_clear_cpu(cpu, cpus_hardware_enabled);
78333 -               atomic_inc(&hardware_enable_failed);
78334 +               atomic_inc_unchecked(&hardware_enable_failed);
78335                 printk(KERN_INFO "kvm: enabling virtualization on "
78336                                  "CPU%d failed\n", cpu);
78337         }
78338 @@ -2320,10 +2320,10 @@ static int hardware_enable_all(void)
78339  
78340         kvm_usage_count++;
78341         if (kvm_usage_count == 1) {
78342 -               atomic_set(&hardware_enable_failed, 0);
78343 +               atomic_set_unchecked(&hardware_enable_failed, 0);
78344                 on_each_cpu(hardware_enable_nolock, NULL, 1);
78345  
78346 -               if (atomic_read(&hardware_enable_failed)) {
78347 +               if (atomic_read_unchecked(&hardware_enable_failed)) {
78348                         hardware_disable_all_nolock();
78349                         r = -EBUSY;
78350                 }
78351 @@ -2588,7 +2588,7 @@ static void kvm_sched_out(struct preempt
78352         kvm_arch_vcpu_put(vcpu);
78353  }
78354  
78355 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
78356 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
78357                   struct module *module)
78358  {
78359         int r;
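Review bot: The `const` added to kvm_init's opaque parameter has to be mirrored on the exported prototype (presumably in include/linux/kvm_host.h) and on whatever kvm_init hands opaque to inside its body (kvm_arch_init, by convention), otherwise the build picks up discarded-qualifier warnings and the arch modules calling kvm_init see a mismatched declaration; none of that is visible in this hunk. If the header change is elsewhere in the patch, a note in the commit description would save the reader a search. kvm_init's body continues past the hunk.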
78360 @@ -2651,7 +2651,7 @@ int kvm_init(void *opaque, unsigned vcpu
78361         if (!vcpu_align)
78362                 vcpu_align = __alignof__(struct kvm_vcpu);
78363         kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
78364 -                                          0, NULL);
78365 +                                          SLAB_USERCOPY, NULL);
78366         if (!kvm_vcpu_cache) {
78367                 r = -ENOMEM;
78368                 goto out_free_3;
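Review bot: Passing SLAB_USERCOPY to kmem_cache_create whitelists every kvm_vcpu object for user-space copies without saying which copy_to_user/copy_from_user path needs it, so the widening of the usercopy allowlist cannot be reviewed now or narrowed later. Since struct kvm_vcpu embeds the whole arch state, this is a broad exemption and deserves a call-site comment naming the path, e.g. `/* PAX_USERCOPY: vcpu objects are copied to/from user space directly -- TODO name the ioctl path that requires this whitelist */`. If the underlying copy could instead go through a bounce buffer the flag could be dropped, but that is outside this hunk. kvm_init starts before the hunk and continues after it.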
78369 @@ -2661,9 +2661,11 @@ int kvm_init(void *opaque, unsigned vcpu
78370         if (r)
78371                 goto out_free;
78372  
78373 -       kvm_chardev_ops.owner = module;
78374 -       kvm_vm_fops.owner = module;
78375 -       kvm_vcpu_fops.owner = module;
78376 +       pax_open_kernel();
78377 +       *(void **)&kvm_chardev_ops.owner = module;
78378 +       *(void **)&kvm_vm_fops.owner = module;
78379 +       *(void **)&kvm_vcpu_fops.owner = module;
78380 +       pax_close_kernel();
78381  
78382         r = misc_register(&kvm_dev);
78383         if (r) {
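Review bot: The three `*(void **)&kvm_chardev_ops.owner = module;` writes cast away const silently, which only makes sense if the fops structures were made const elsewhere in this patch; this hunk does not show that, so a reader of kvm_main.c alone sees an unexplained write to what is presumably read-only data inside a pax_open_kernel() window. A one-line comment above pax_open_kernel() would make the intent auditable: `/* fops live in rodata (KERNEXEC); .owner is the only runtime-set member, so write it through the open-kernel window */`. The cast also bypasses the type check on the assignment, so a field type change would not be caught here; worth keeping in mind if the fops definitions move. kvm_init continues past the hunk.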