1 diff -urNp linux-2.6.31/arch/alpha/include/asm/atomic.h linux-2.6.31/arch/alpha/include/asm/atomic.h
2 --- linux-2.6.31/arch/alpha/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
3 +++ linux-2.6.31/arch/alpha/include/asm/atomic.h 2009-09-11 22:49:04.785615322 -0400
5 #define ATOMIC64_INIT(i) ( (atomic64_t) { (i) } )
7 #define atomic_read(v) ((v)->counter + 0)
8 +#define atomic_read_unchecked(v) ((v)->counter + 0)
9 #define atomic64_read(v) ((v)->counter + 0)
11 #define atomic_set(v,i) ((v)->counter = (i))
12 +#define atomic_set_unchecked(v,i) ((v)->counter = (i))
13 #define atomic64_set(v,i) ((v)->counter = (i))
16 @@ -44,6 +46,11 @@ static __inline__ void atomic_add(int i,
17 :"Ir" (i), "m" (v->counter));
20 +static __inline__ void atomic_add_unchecked(int i, atomic_unchecked_t * v)
22 + atomic_add(i, (atomic_t *)v);
25 static __inline__ void atomic64_add(long i, atomic64_t * v)
28 @@ -74,6 +81,11 @@ static __inline__ void atomic_sub(int i,
29 :"Ir" (i), "m" (v->counter));
32 +static __inline__ void atomic_sub_unchecked(int i, atomic_unchecked_t * v)
34 + atomic_sub(i, (atomic_t *)v);
37 static __inline__ void atomic64_sub(long i, atomic64_t * v)
40 @@ -246,6 +258,7 @@ static __inline__ int atomic64_add_unles
41 #define atomic64_dec_and_test(v) (atomic64_sub_return(1, (v)) == 0)
43 #define atomic_inc(v) atomic_add(1,(v))
44 +#define atomic_inc_unchecked(v) atomic_add_unchecked(1,(v))
45 #define atomic64_inc(v) atomic64_add(1,(v))
47 #define atomic_dec(v) atomic_sub(1,(v))
48 diff -urNp linux-2.6.31/arch/alpha/include/asm/elf.h linux-2.6.31/arch/alpha/include/asm/elf.h
49 --- linux-2.6.31/arch/alpha/include/asm/elf.h 2009-08-27 20:59:04.000000000 -0400
50 +++ linux-2.6.31/arch/alpha/include/asm/elf.h 2009-09-06 15:29:11.105049911 -0400
51 @@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
53 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
55 +#ifdef CONFIG_PAX_ASLR
56 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
58 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
59 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
62 /* $0 is set by ld.so to a pointer to a function which might be
63 registered using atexit. This provides a mean for the dynamic
64 linker to call DT_FINI functions for shared libraries that have
65 diff -urNp linux-2.6.31/arch/alpha/include/asm/pgtable.h linux-2.6.31/arch/alpha/include/asm/pgtable.h
66 --- linux-2.6.31/arch/alpha/include/asm/pgtable.h 2009-08-27 20:59:04.000000000 -0400
67 +++ linux-2.6.31/arch/alpha/include/asm/pgtable.h 2009-09-06 15:29:11.105049911 -0400
68 @@ -101,6 +101,17 @@ struct vm_area_struct;
69 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
70 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
71 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
73 +#ifdef CONFIG_PAX_PAGEEXEC
74 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
75 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
76 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
78 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
79 +# define PAGE_COPY_NOEXEC PAGE_COPY
80 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
83 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
85 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
86 diff -urNp linux-2.6.31/arch/alpha/kernel/module.c linux-2.6.31/arch/alpha/kernel/module.c
87 --- linux-2.6.31/arch/alpha/kernel/module.c 2009-08-27 20:59:04.000000000 -0400
88 +++ linux-2.6.31/arch/alpha/kernel/module.c 2009-09-06 15:29:11.105049911 -0400
89 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
91 /* The small sections were sorted to the end of the segment.
92 The following should definitely cover them. */
93 - gp = (u64)me->module_core + me->core_size - 0x8000;
94 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
95 got = sechdrs[me->arch.gotsecindex].sh_addr;
97 for (i = 0; i < n; i++) {
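Review bot: The comment above the changed `gp` line still says the small sections were sorted to the end of "the segment", but the base is now `me->module_core_rw + me->core_size_rw`, so the statement only holds if the small sections are placed in the RW core rather than the RX one — presumably arranged by the layout code, which is not in this hunk. Update the comment to `/* The small sections were sorted to the end of the RW core; gp must therefore be based on module_core_rw, not the RX core. */` so the next reader does not "fix" it back. apply_relocate_add begins before this hunk and continues after it.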
98 diff -urNp linux-2.6.31/arch/alpha/kernel/osf_sys.c linux-2.6.31/arch/alpha/kernel/osf_sys.c
99 --- linux-2.6.31/arch/alpha/kernel/osf_sys.c 2009-08-27 20:59:04.000000000 -0400
100 +++ linux-2.6.31/arch/alpha/kernel/osf_sys.c 2009-09-06 15:29:11.106230045 -0400
101 @@ -1212,6 +1212,10 @@ arch_get_unmapped_area(struct file *filp
102 merely specific addresses, but regions of memory -- perhaps
103 this feature should be incorporated into all ports? */
105 +#ifdef CONFIG_PAX_RANDMMAP
106 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
110 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
111 if (addr != (unsigned long) -ENOMEM)
112 @@ -1219,8 +1223,8 @@ arch_get_unmapped_area(struct file *filp
115 /* Next, try allocating at TASK_UNMAPPED_BASE. */
116 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
118 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
120 if (addr != (unsigned long) -ENOMEM)
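Review bot: The context comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` is now wrong, because the replacement line passes `PAGE_ALIGN(current->mm->mmap_base)`, which under PAX_RANDMMAP is a per-mm randomized base rather than the constant. Change it to `/* Next, try allocating at mm->mmap_base (randomized under PAX_RANDMMAP). */`. arch_get_unmapped_area begins before this hunk and continues after it.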
123 diff -urNp linux-2.6.31/arch/alpha/mm/fault.c linux-2.6.31/arch/alpha/mm/fault.c
124 --- linux-2.6.31/arch/alpha/mm/fault.c 2009-08-27 20:59:04.000000000 -0400
125 +++ linux-2.6.31/arch/alpha/mm/fault.c 2009-09-06 15:29:11.106230045 -0400
126 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
127 __reload_thread(pcb);
130 +#ifdef CONFIG_PAX_PAGEEXEC
132 + * PaX: decide what to do with offenders (regs->pc = fault address)
134 + * returns 1 when task should be killed
135 + * 2 when patched PLT trampoline was detected
136 + * 3 when unpatched PLT trampoline was detected
138 +static int pax_handle_fetch_fault(struct pt_regs *regs)
141 +#ifdef CONFIG_PAX_EMUPLT
144 + do { /* PaX: patched PLT emulation #1 */
145 + unsigned int ldah, ldq, jmp;
147 + err = get_user(ldah, (unsigned int *)regs->pc);
148 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
149 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
154 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
155 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
156 + jmp == 0x6BFB0000U)
158 + unsigned long r27, addr;
159 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
160 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
162 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
163 + err = get_user(r27, (unsigned long *)addr);
173 + do { /* PaX: patched PLT emulation #2 */
174 + unsigned int ldah, lda, br;
176 + err = get_user(ldah, (unsigned int *)regs->pc);
177 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
178 + err |= get_user(br, (unsigned int *)(regs->pc+8));
183 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
184 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
185 + (br & 0xFFE00000U) == 0xC3E00000U)
187 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
188 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
189 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
191 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
192 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
197 + do { /* PaX: unpatched PLT emulation */
200 + err = get_user(br, (unsigned int *)regs->pc);
202 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
203 + unsigned int br2, ldq, nop, jmp;
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
206 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
207 + err = get_user(br2, (unsigned int *)addr);
208 + err |= get_user(ldq, (unsigned int *)(addr+4));
209 + err |= get_user(nop, (unsigned int *)(addr+8));
210 + err |= get_user(jmp, (unsigned int *)(addr+12));
211 + err |= get_user(resolver, (unsigned long *)(addr+16));
216 + if (br2 == 0xC3600000U &&
217 + ldq == 0xA77B000CU &&
218 + nop == 0x47FF041FU &&
219 + jmp == 0x6B7B0000U)
221 + regs->r28 = regs->pc+4;
222 + regs->r27 = addr+16;
223 + regs->pc = resolver;
233 +void pax_report_insns(void *pc, void *sp)
237 + printk(KERN_ERR "PAX: bytes at PC: ");
238 + for (i = 0; i < 5; i++) {
240 + if (get_user(c, (unsigned int *)pc+i))
241 + printk(KERN_CONT "???????? ");
243 + printk(KERN_CONT "%08x ", c);
250 * This routine handles page faults. It determines the address,
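Review bot: The displacement arithmetic in pax_handle_fetch_fault — `(addrh ^ 0x80000000UL) + 0x80000000UL`, `(addrl ^ 0x8000UL) + 0x8000UL` and `(addr ^ 0x00100000UL) + 0x00100000UL` — is an uncommented sign-extension trick that only works because the upper bits were first forced to one with the `| 0xFFFF...UL` masks and unsigned addition then wraps; nothing in the hunk says so. Add one comment at the first use, `/* sign-extend the 16-bit displacement: upper bits were forced to 1 above, so (x ^ 0x8000) + 0x8000 wraps to the signed value */`, and the same wording with 0x00100000 for the 21-bit branch displacement. The function header comment lists return values 1, 2 and 3 but not the value returned when no trampoline is recognised; add that case to the comment as well, since the caller's switch in the next hunk depends on it.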
251 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
253 si_code = SEGV_ACCERR;
255 - if (!(vma->vm_flags & VM_EXEC))
256 + if (!(vma->vm_flags & VM_EXEC)) {
258 +#ifdef CONFIG_PAX_PAGEEXEC
259 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
262 + up_read(&mm->mmap_sem);
263 + switch (pax_handle_fetch_fault(regs)) {
265 +#ifdef CONFIG_PAX_EMUPLT
272 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
273 + do_group_exit(SIGKILL);
280 /* Allow reads even for write-only mappings */
281 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
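Review bot: The `up_read(&mm->mmap_sem)` immediately before `switch (pax_handle_fetch_fault(regs))` has no explanation; the callee reads user memory with get_user() in the preceding hunk, which can itself fault and take mmap_sem, so the lock has to be released first. Add `/* drop mmap_sem: the PLT emulation touches user memory via get_user() and may re-enter the fault path */` above the up_read. The `address != regs->pc` test also deserves a one-line comment saying it restricts the kill path to instruction-fetch faults in a non-executable mapping. do_page_fault begins before this hunk and continues after it.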
282 diff -urNp linux-2.6.31/arch/arm/include/asm/atomic.h linux-2.6.31/arch/arm/include/asm/atomic.h
283 --- linux-2.6.31/arch/arm/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
284 +++ linux-2.6.31/arch/arm/include/asm/atomic.h 2009-09-11 22:51:00.173407719 -0400
288 #define atomic_read(v) ((v)->counter)
289 +#define atomic_read_unchecked(v) ((v)->counter)
291 #if __LINUX_ARM_ARCH__ >= 6
293 @@ -44,6 +45,11 @@ static inline void atomic_set(atomic_t *
297 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
299 + atomic_set((atomic_t *)v, i);
302 static inline void atomic_add(int i, atomic_t *v)
305 @@ -60,6 +66,11 @@ static inline void atomic_add(int i, ato
309 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
311 + atomic_add(i, (atomic_t *)v);
314 static inline int atomic_add_return(int i, atomic_t *v)
317 @@ -98,6 +109,11 @@ static inline void atomic_sub(int i, ato
321 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
323 + atomic_sub(i, (atomic_t *)v);
326 static inline int atomic_sub_return(int i, atomic_t *v)
329 @@ -164,6 +180,7 @@ static inline void atomic_clear_mask(uns
332 #define atomic_set(v,i) (((v)->counter) = (i))
333 +#define atomic_set_unchecked(v,i) (((v)->counter) = (i))
335 static inline int atomic_add_return(int i, atomic_t *v)
337 @@ -232,6 +249,7 @@ static inline int atomic_add_unless(atom
338 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
340 #define atomic_inc(v) atomic_add(1, v)
341 +#define atomic_inc_unchecked(v) atomic_add_unchecked(1, v)
342 #define atomic_dec(v) atomic_sub(1, v)
344 #define atomic_inc_and_test(v) (atomic_add_return(1, v) == 0)
345 diff -urNp linux-2.6.31/arch/arm/include/asm/elf.h linux-2.6.31/arch/arm/include/asm/elf.h
346 --- linux-2.6.31/arch/arm/include/asm/elf.h 2009-08-27 20:59:04.000000000 -0400
347 +++ linux-2.6.31/arch/arm/include/asm/elf.h 2009-09-06 15:29:11.107211663 -0400
348 @@ -103,7 +103,14 @@ extern int arm_elf_read_implies_exec(con
349 the loader. We need to make sure that it is out of the way of the program
350 that it will "exec", and that there is sufficient room for the brk. */
352 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
353 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
355 +#ifdef CONFIG_PAX_ASLR
356 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
358 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
359 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
362 /* When the program starts, a1 contains a pointer to a function to be
363 registered with atexit, as per the SVR4 ABI. A value of 0 means we
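Review bot: The rewrite of `ELF_ET_DYN_BASE` from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` changes evaluation order without saying why; the evident reason is that `2 * TASK_SIZE` can overflow an unsigned long when TASK_SIZE is in the upper part of the address space, but that is inferred, not stated. Put `/* divide first: 2 * TASK_SIZE may overflow an unsigned long */` on the new line. The identical change in arch/avr32/include/asm/elf.h in this patch should carry the same comment. On a configuration where the doubling really did overflow, this also moves the ET_DYN base noticeably, which is worth a sentence in the patch description.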
364 diff -urNp linux-2.6.31/arch/arm/include/asm/kmap_types.h linux-2.6.31/arch/arm/include/asm/kmap_types.h
365 --- linux-2.6.31/arch/arm/include/asm/kmap_types.h 2009-08-27 20:59:04.000000000 -0400
366 +++ linux-2.6.31/arch/arm/include/asm/kmap_types.h 2009-09-06 15:29:11.107211663 -0400
367 @@ -19,6 +19,7 @@ enum km_type {
375 diff -urNp linux-2.6.31/arch/arm/include/asm/uaccess.h linux-2.6.31/arch/arm/include/asm/uaccess.h
376 --- linux-2.6.31/arch/arm/include/asm/uaccess.h 2009-08-27 20:59:04.000000000 -0400
377 +++ linux-2.6.31/arch/arm/include/asm/uaccess.h 2009-09-06 15:29:11.108180388 -0400
378 @@ -400,6 +400,9 @@ extern unsigned long __must_check __strn
380 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
385 if (access_ok(VERIFY_READ, from, n))
386 n = __copy_from_user(to, from, n);
387 else /* security hole - plug it */
388 @@ -409,6 +412,9 @@ static inline unsigned long __must_check
390 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
395 if (access_ok(VERIFY_WRITE, to, n))
396 n = __copy_to_user(to, from, n);
398 diff -urNp linux-2.6.31/arch/arm/mach-ns9xxx/clock.c linux-2.6.31/arch/arm/mach-ns9xxx/clock.c
399 --- linux-2.6.31/arch/arm/mach-ns9xxx/clock.c 2009-08-27 20:59:04.000000000 -0400
400 +++ linux-2.6.31/arch/arm/mach-ns9xxx/clock.c 2009-09-06 15:29:11.108180388 -0400
401 @@ -195,7 +195,7 @@ static int clk_debugfs_open(struct inode
402 return single_open(file, clk_debugfs_show, NULL);
405 -static struct file_operations clk_debugfs_operations = {
406 +static const struct file_operations clk_debugfs_operations = {
407 .open = clk_debugfs_open,
410 diff -urNp linux-2.6.31/arch/arm/mm/mmap.c linux-2.6.31/arch/arm/mm/mmap.c
411 --- linux-2.6.31/arch/arm/mm/mmap.c 2009-08-27 20:59:04.000000000 -0400
412 +++ linux-2.6.31/arch/arm/mm/mmap.c 2009-09-06 15:29:11.108180388 -0400
413 @@ -62,6 +62,10 @@ arch_get_unmapped_area(struct file *filp
417 +#ifdef CONFIG_PAX_RANDMMAP
418 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
423 addr = COLOUR_ALIGN(addr, pgoff);
424 @@ -74,10 +78,10 @@ arch_get_unmapped_area(struct file *filp
427 if (len > mm->cached_hole_size) {
428 - start_addr = addr = mm->free_area_cache;
429 + start_addr = addr = mm->free_area_cache;
431 - start_addr = addr = TASK_UNMAPPED_BASE;
432 - mm->cached_hole_size = 0;
433 + start_addr = addr = mm->mmap_base;
434 + mm->cached_hole_size = 0;
438 @@ -93,8 +97,8 @@ full_search:
439 * Start a new search - just in case we missed
442 - if (start_addr != TASK_UNMAPPED_BASE) {
443 - start_addr = addr = TASK_UNMAPPED_BASE;
444 + if (start_addr != mm->mmap_base) {
445 + start_addr = addr = mm->mmap_base;
446 mm->cached_hole_size = 0;
449 diff -urNp linux-2.6.31/arch/avr32/include/asm/atomic.h linux-2.6.31/arch/avr32/include/asm/atomic.h
450 --- linux-2.6.31/arch/avr32/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
451 +++ linux-2.6.31/arch/avr32/include/asm/atomic.h 2009-09-11 22:52:43.047793693 -0400
453 #define ATOMIC_INIT(i) { (i) }
455 #define atomic_read(v) ((v)->counter)
456 +#define atomic_read_unchecked(v) ((v)->counter)
457 #define atomic_set(v, i) (((v)->counter) = i)
458 +#define atomic_set_unchecked(v, i) (((v)->counter) = i)
461 * atomic_sub_return - subtract the atomic variable
462 @@ -48,6 +50,18 @@ static inline int atomic_sub_return(int
466 + * atomic_sub_return_unchecked - subtract the atomic variable
467 + * @i: integer value to subtract
468 + * @v: pointer of type atomic_unchecked_t
470 + * Atomically subtracts @i from @v. Returns the resulting value.
472 +static inline int atomic_sub_return_unchecked(int i, atomic_unchecked_t *v)
474 + return atomic_sub_return(i, (atomic_t *)v);
478 * atomic_add_return - add integer to atomic variable
479 * @i: integer value to add
480 * @v: pointer of type atomic_t
481 @@ -76,6 +90,18 @@ static inline int atomic_add_return(int
485 + * atomic_add_return_unchecked - add integer to atomic variable
486 + * @i: integer value to add
487 + * @v: pointer of type atomic_unchecked_t
489 + * Atomically adds @i to @v. Returns the resulting value.
491 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
493 + return atomic_add_return(i, (atomic_t *)v);
497 * atomic_sub_unless - sub unless the number is a given value
498 * @v: pointer of type atomic_t
499 * @a: the amount to add to v...
500 @@ -176,9 +202,12 @@ static inline int atomic_sub_if_positive
501 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
503 #define atomic_sub(i, v) (void)atomic_sub_return(i, v)
504 +#define atomic_sub_unchecked(i, v) (void)atomic_sub_return_unchecked(i, v)
505 #define atomic_add(i, v) (void)atomic_add_return(i, v)
506 +#define atomic_add_unchecked(i, v) (void)atomic_add_return_unchecked(i, v)
507 #define atomic_dec(v) atomic_sub(1, (v))
508 #define atomic_inc(v) atomic_add(1, (v))
509 +#define atomic_inc_unchecked(v) (void)atomic_add_return_unchecked(1, (v))
511 #define atomic_dec_return(v) atomic_sub_return(1, v)
512 #define atomic_inc_return(v) atomic_add_return(1, v)
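Review bot: `atomic_inc_unchecked(v)` expands directly to `(void)atomic_add_return_unchecked(1, (v))`, whereas the `atomic_inc`/`atomic_add` pair two lines above composes through the add macro. For symmetry write `#define atomic_inc_unchecked(v) atomic_add_unchecked(1, (v))`; the expansion is the same, since `atomic_add_unchecked` is itself defined as `(void)atomic_add_return_unchecked(i, v)` in this hunk.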
513 diff -urNp linux-2.6.31/arch/avr32/include/asm/elf.h linux-2.6.31/arch/avr32/include/asm/elf.h
514 --- linux-2.6.31/arch/avr32/include/asm/elf.h 2009-08-27 20:59:04.000000000 -0400
515 +++ linux-2.6.31/arch/avr32/include/asm/elf.h 2009-09-06 15:29:11.109255148 -0400
516 @@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
517 the loader. We need to make sure that it is out of the way of the program
518 that it will "exec", and that there is sufficient room for the brk. */
520 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
521 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
523 +#ifdef CONFIG_PAX_ASLR
524 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
526 +#define PAX_DELTA_MMAP_LEN 15
527 +#define PAX_DELTA_STACK_LEN 15
530 /* This yields a mask that user programs can use to figure out what
531 instruction set this CPU supports. This could be done in user space,
532 diff -urNp linux-2.6.31/arch/avr32/include/asm/kmap_types.h linux-2.6.31/arch/avr32/include/asm/kmap_types.h
533 --- linux-2.6.31/arch/avr32/include/asm/kmap_types.h 2009-08-27 20:59:04.000000000 -0400
534 +++ linux-2.6.31/arch/avr32/include/asm/kmap_types.h 2009-09-06 15:29:11.109255148 -0400
535 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
545 diff -urNp linux-2.6.31/arch/avr32/mm/fault.c linux-2.6.31/arch/avr32/mm/fault.c
546 --- linux-2.6.31/arch/avr32/mm/fault.c 2009-08-27 20:59:04.000000000 -0400
547 +++ linux-2.6.31/arch/avr32/mm/fault.c 2009-09-06 15:29:11.110254440 -0400
548 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
550 int exception_trace = 1;
552 +#ifdef CONFIG_PAX_PAGEEXEC
553 +void pax_report_insns(void *pc, void *sp)
557 + printk(KERN_ERR "PAX: bytes at PC: ");
558 + for (i = 0; i < 20; i++) {
560 + if (get_user(c, (unsigned char *)pc+i))
561 + printk(KERN_CONT "???????? ");
563 + printk(KERN_CONT "%02x ", c);
570 * This routine handles page faults. It determines the address and the
571 * problem, and then passes it off to one of the appropriate routines.
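Review bot: In the new pax_report_insns the failure placeholder `"???????? "` is eight characters wide while the success format is `"%02x "`, so a dump with an unreadable byte no longer lines up byte-for-byte; the alpha version in this patch pairs `????????` with `%08x`, which is consistent. Use `printk(KERN_CONT "?? ");` here. A short comment that the loop intentionally reads 20 raw bytes rather than whole instructions (avr32 has mixed-width encodings) would also help, if that is the reason — confirm.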
572 @@ -157,6 +174,16 @@ bad_area:
573 up_read(&mm->mmap_sem);
575 if (user_mode(regs)) {
577 +#ifdef CONFIG_PAX_PAGEEXEC
578 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
579 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
580 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
581 + do_group_exit(SIGKILL);
586 if (exception_trace && printk_ratelimit())
587 printk("%s%s[%d]: segfault at %08lx pc %08lx "
588 "sp %08lx ecr %lu\n",
589 diff -urNp linux-2.6.31/arch/blackfin/include/asm/atomic.h linux-2.6.31/arch/blackfin/include/asm/atomic.h
590 --- linux-2.6.31/arch/blackfin/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
591 +++ linux-2.6.31/arch/blackfin/include/asm/atomic.h 2009-09-11 22:53:53.058593048 -0400
594 #define ATOMIC_INIT(i) { (i) }
595 #define atomic_set(v, i) (((v)->counter) = i)
596 +#define atomic_set_unchecked(v, i) (((v)->counter) = i)
598 #define atomic_read(v) __raw_uncached_fetch_asm(&(v)->counter)
599 +#define atomic_read_unchecked(v) __raw_uncached_fetch_asm(&(v)->counter)
601 asmlinkage int __raw_uncached_fetch_asm(const volatile int *ptr);
603 @@ -35,11 +37,21 @@ static inline void atomic_add(int i, ato
604 __raw_atomic_update_asm(&v->counter, i);
607 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
609 + atomic_add(i, (atomic_t *)v);
612 static inline void atomic_sub(int i, atomic_t *v)
614 __raw_atomic_update_asm(&v->counter, -i);
617 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
619 + atomic_sub(i, (atomic_t *)v);
622 static inline int atomic_add_return(int i, atomic_t *v)
624 return __raw_atomic_update_asm(&v->counter, i);
625 @@ -55,6 +67,11 @@ static inline void atomic_inc(volatile a
626 __raw_atomic_update_asm(&v->counter, 1);
629 +static inline void atomic_inc_unchecked(volatile atomic_unchecked_t *v)
631 + atomic_inc((atomic_t *)v);
634 static inline void atomic_dec(volatile atomic_t *v)
636 __raw_atomic_update_asm(&v->counter, -1);
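Review bot: `atomic_inc_unchecked` takes a `volatile atomic_unchecked_t *` but casts it to a plain `(atomic_t *)` before calling `atomic_inc`, silently dropping the qualifier; the cris counterpart in this same patch writes `(volatile atomic_t *)v`. Since `atomic_inc` here is declared with `volatile atomic_t *`, use `atomic_inc((volatile atomic_t *)v);` so the cast matches the callee's parameter and does not trip `-Wcast-qual`.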
637 diff -urNp linux-2.6.31/arch/blackfin/mach-bf561/coreb.c linux-2.6.31/arch/blackfin/mach-bf561/coreb.c
638 --- linux-2.6.31/arch/blackfin/mach-bf561/coreb.c 2009-08-27 20:59:04.000000000 -0400
639 +++ linux-2.6.31/arch/blackfin/mach-bf561/coreb.c 2009-09-06 15:29:11.110254440 -0400
640 @@ -48,7 +48,7 @@ coreb_ioctl(struct inode *inode, struct
644 -static struct file_operations coreb_fops = {
645 +static const struct file_operations coreb_fops = {
646 .owner = THIS_MODULE,
647 .ioctl = coreb_ioctl,
649 diff -urNp linux-2.6.31/arch/cris/arch-v10/drivers/sync_serial.c linux-2.6.31/arch/cris/arch-v10/drivers/sync_serial.c
650 --- linux-2.6.31/arch/cris/arch-v10/drivers/sync_serial.c 2009-08-27 20:59:04.000000000 -0400
651 +++ linux-2.6.31/arch/cris/arch-v10/drivers/sync_serial.c 2009-09-06 15:29:11.111389293 -0400
652 @@ -244,7 +244,7 @@ static unsigned sync_serial_prescale_sha
654 #define NUMBER_OF_PORTS 2
656 -static struct file_operations sync_serial_fops = {
657 +static const struct file_operations sync_serial_fops = {
658 .owner = THIS_MODULE,
659 .write = sync_serial_write,
660 .read = sync_serial_read,
661 diff -urNp linux-2.6.31/arch/cris/arch-v32/drivers/mach-fs/gpio.c linux-2.6.31/arch/cris/arch-v32/drivers/mach-fs/gpio.c
662 --- linux-2.6.31/arch/cris/arch-v32/drivers/mach-fs/gpio.c 2009-08-27 20:59:04.000000000 -0400
663 +++ linux-2.6.31/arch/cris/arch-v32/drivers/mach-fs/gpio.c 2009-09-06 15:29:11.112155258 -0400
664 @@ -855,7 +855,7 @@ gpio_leds_ioctl(unsigned int cmd, unsign
668 -struct file_operations gpio_fops = {
669 +struct struct file_operations gpio_fops = {
670 .owner = THIS_MODULE,
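Review bot: The new line reads `struct struct file_operations gpio_fops = {`, which does not compile — the intent, matching every other file_operations change in this patch, is clearly `const struct file_operations gpio_fops = {`. This file is only built for CRIS v32, so the typo will not be caught by builds on other architectures; the corrected line above is the whole fix.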
673 diff -urNp linux-2.6.31/arch/cris/include/asm/atomic.h linux-2.6.31/arch/cris/include/asm/atomic.h
674 --- linux-2.6.31/arch/cris/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
675 +++ linux-2.6.31/arch/cris/include/asm/atomic.h 2009-09-11 22:55:08.915710428 -0400
677 #define ATOMIC_INIT(i) { (i) }
679 #define atomic_read(v) ((v)->counter)
680 +#define atomic_read_unchecked(v) ((v)->counter)
681 #define atomic_set(v,i) (((v)->counter) = (i))
682 +#define atomic_set_unchecked(v,i) (((v)->counter) = (i))
684 /* These should be written in asm but we do it in C for now. */
686 @@ -28,6 +30,11 @@ static inline void atomic_add(int i, vol
687 cris_atomic_restore(v, flags);
690 +static inline void atomic_add_unchecked(int i, volatile atomic_unchecked_t *v)
692 + atomic_add(i, (volatile atomic_t *)v);
695 static inline void atomic_sub(int i, volatile atomic_t *v)
698 @@ -36,6 +43,11 @@ static inline void atomic_sub(int i, vol
699 cris_atomic_restore(v, flags);
702 +static inline void atomic_sub_unchecked(int i, volatile atomic_unchecked_t *v)
704 + atomic_sub(i, (volatile atomic_t *)v);
707 static inline int atomic_add_return(int i, volatile atomic_t *v)
710 @@ -76,6 +88,11 @@ static inline void atomic_inc(volatile a
711 cris_atomic_restore(v, flags);
714 +static inline void atomic_inc_unchecked(volatile atomic_unchecked_t *v)
716 + atomic_inc((volatile atomic_t *)v);
719 static inline void atomic_dec(volatile atomic_t *v)
722 diff -urNp linux-2.6.31/arch/frv/include/asm/atomic.h linux-2.6.31/arch/frv/include/asm/atomic.h
723 --- linux-2.6.31/arch/frv/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
724 +++ linux-2.6.31/arch/frv/include/asm/atomic.h 2009-09-11 21:49:34.085801883 -0400
727 #define ATOMIC_INIT(i) { (i) }
728 #define atomic_read(v) ((v)->counter)
729 +#define atomic_read_unchecked(v) ((v)->counter)
730 #define atomic_set(v, i) (((v)->counter) = (i))
731 +#define atomic_set_unchecked(v, i) (((v)->counter) = (i))
733 #ifndef CONFIG_FRV_OUTOFLINE_ATOMIC_OPS
734 static inline int atomic_add_return(int i, atomic_t *v)
735 @@ -99,16 +101,31 @@ static inline void atomic_add(int i, ato
736 atomic_add_return(i, v);
739 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
741 + atomic_add_return(i, (atomic_t *)v);
744 static inline void atomic_sub(int i, atomic_t *v)
746 atomic_sub_return(i, v);
749 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
751 + atomic_sub_return(i, (atomic_t *)v);
754 static inline void atomic_inc(atomic_t *v)
756 atomic_add_return(1, v);
759 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
761 + atomic_add_return(1, (atomic_t *)v);
764 static inline void atomic_dec(atomic_t *v)
766 atomic_sub_return(1, v);
767 diff -urNp linux-2.6.31/arch/frv/include/asm/kmap_types.h linux-2.6.31/arch/frv/include/asm/kmap_types.h
768 --- linux-2.6.31/arch/frv/include/asm/kmap_types.h 2009-08-27 20:59:04.000000000 -0400
769 +++ linux-2.6.31/arch/frv/include/asm/kmap_types.h 2009-09-06 15:29:11.113186643 -0400
770 @@ -23,6 +23,7 @@ enum km_type {
778 diff -urNp linux-2.6.31/arch/h8300/include/asm/atomic.h linux-2.6.31/arch/h8300/include/asm/atomic.h
779 --- linux-2.6.31/arch/h8300/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
780 +++ linux-2.6.31/arch/h8300/include/asm/atomic.h 2009-09-11 22:59:01.477552220 -0400
782 #define ATOMIC_INIT(i) { (i) }
784 #define atomic_read(v) ((v)->counter)
785 +#define atomic_read_unchecked(v) ((v)->counter)
786 #define atomic_set(v, i) (((v)->counter) = i)
787 +#define atomic_set_unchecked(v, i) (((v)->counter) = i)
789 #include <asm/system.h>
790 #include <linux/kernel.h>
791 @@ -25,7 +27,13 @@ static __inline__ int atomic_add_return(
795 +static __inline__ int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
797 + return atomic_add_return(i, (atomic_t *)v);
800 #define atomic_add(i, v) atomic_add_return(i, v)
801 +#define atomic_add_unchecked(i, v) atomic_add_return_unchecked(i, v)
802 #define atomic_add_negative(a, v) (atomic_add_return((a), (v)) < 0)
804 static __inline__ int atomic_sub_return(int i, atomic_t *v)
805 @@ -37,7 +45,13 @@ static __inline__ int atomic_sub_return(
809 +static __inline__ int atomic_sub_return_unchecked(int i, atomic_unchecked_t *v)
811 + return atomic_sub_return(i, (atomic_t *)v);
814 #define atomic_sub(i, v) atomic_sub_return(i, v)
815 +#define atomic_sub_unchecked(i, v) atomic_sub_return_unchecked(i, v)
816 #define atomic_sub_and_test(i,v) (atomic_sub_return(i, v) == 0)
818 static __inline__ int atomic_inc_return(atomic_t *v)
819 @@ -50,7 +64,13 @@ static __inline__ int atomic_inc_return(
823 +static __inline__ int atomic_inc_return_unchecked(atomic_unchecked_t *v)
825 + return atomic_inc_return((atomic_t *)v);
828 #define atomic_inc(v) atomic_inc_return(v)
829 +#define atomic_inc_unchecked(v) atomic_inc_return_unchecked(v)
832 * atomic_inc_and_test - increment and test
833 diff -urNp linux-2.6.31/arch/ia64/ia32/binfmt_elf32.c linux-2.6.31/arch/ia64/ia32/binfmt_elf32.c
834 --- linux-2.6.31/arch/ia64/ia32/binfmt_elf32.c 2009-08-27 20:59:04.000000000 -0400
835 +++ linux-2.6.31/arch/ia64/ia32/binfmt_elf32.c 2009-09-06 15:29:11.113186643 -0400
836 @@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
838 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
840 +#ifdef CONFIG_PAX_ASLR
841 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
843 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
844 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
847 /* Ugly but avoids duplication */
848 #include "../../../fs/binfmt_elf.c"
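Review bot: `3*PAGE_SHIFT - 13` in `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` is an unexplained expression, and the same three definitions are repeated verbatim in the arch/ia64/include/asm/elf.h hunk of this patch. A comment on how the native-mode bit count is derived would help here, and a note that the two copies must stay identical (or a shared definition, if the include structure allows it) would prevent them from drifting apart.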
850 @@ -69,11 +76,11 @@ ia32_install_gate_page (struct vm_area_s
854 -static struct vm_operations_struct ia32_shared_page_vm_ops = {
855 +static const struct vm_operations_struct ia32_shared_page_vm_ops = {
856 .fault = ia32_install_shared_page
859 -static struct vm_operations_struct ia32_gate_page_vm_ops = {
860 +static const struct vm_operations_struct ia32_gate_page_vm_ops = {
861 .fault = ia32_install_gate_page
864 diff -urNp linux-2.6.31/arch/ia64/ia32/ia32priv.h linux-2.6.31/arch/ia64/ia32/ia32priv.h
865 --- linux-2.6.31/arch/ia64/ia32/ia32priv.h 2009-08-27 20:59:04.000000000 -0400
866 +++ linux-2.6.31/arch/ia64/ia32/ia32priv.h 2009-09-06 15:29:11.114322463 -0400
867 @@ -296,7 +296,14 @@ typedef struct compat_siginfo {
868 #define ELF_DATA ELFDATA2LSB
869 #define ELF_ARCH EM_386
871 -#define IA32_STACK_TOP IA32_PAGE_OFFSET
872 +#ifdef CONFIG_PAX_RANDUSTACK
873 +#define __IA32_DELTA_STACK (current->mm->delta_stack)
875 +#define __IA32_DELTA_STACK 0UL
878 +#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
880 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
881 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
883 diff -urNp linux-2.6.31/arch/ia64/include/asm/atomic.h linux-2.6.31/arch/ia64/include/asm/atomic.h
884 --- linux-2.6.31/arch/ia64/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
885 +++ linux-2.6.31/arch/ia64/include/asm/atomic.h 2009-09-11 22:02:02.446796802 -0400
887 #define ATOMIC64_INIT(i) ((atomic64_t) { (i) })
889 #define atomic_read(v) ((v)->counter)
890 +#define atomic_read_unchecked(v) ((v)->counter)
891 #define atomic64_read(v) ((v)->counter)
893 #define atomic_set(v,i) (((v)->counter) = (i))
894 +#define atomic_set_unchecked(v,i) (((v)->counter) = (i))
895 #define atomic64_set(v,i) (((v)->counter) = (i))
897 static __inline__ int
898 @@ -201,8 +203,11 @@ atomic64_add_negative (__s64 i, atomic64
899 #define atomic64_inc_and_test(v) (atomic64_add_return(1, (v)) == 0)
901 #define atomic_add(i,v) atomic_add_return((i), (v))
902 +#define atomic_add_unchecked(i,v) atomic_add((i), (atomic_t *)(v))
903 #define atomic_sub(i,v) atomic_sub_return((i), (v))
904 +#define atomic_sub_unchecked(i,v) atomic_sub((i), (atomic_t *)(v))
905 #define atomic_inc(v) atomic_add(1, (v))
906 +#define atomic_inc_unchecked(v) atomic_inc((atomic_t *)(v))
907 #define atomic_dec(v) atomic_sub(1, (v))
909 #define atomic64_add(i,v) atomic64_add_return((i), (v))
910 diff -urNp linux-2.6.31/arch/ia64/include/asm/elf.h linux-2.6.31/arch/ia64/include/asm/elf.h
911 --- linux-2.6.31/arch/ia64/include/asm/elf.h 2009-08-27 20:59:04.000000000 -0400
912 +++ linux-2.6.31/arch/ia64/include/asm/elf.h 2009-09-06 15:29:11.114322463 -0400
915 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
917 +#ifdef CONFIG_PAX_ASLR
918 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
920 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
921 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
924 #define PT_IA_64_UNWIND 0x70000001
926 /* IA-64 relocations: */
927 diff -urNp linux-2.6.31/arch/ia64/include/asm/pgtable.h linux-2.6.31/arch/ia64/include/asm/pgtable.h
928 --- linux-2.6.31/arch/ia64/include/asm/pgtable.h 2009-08-27 20:59:04.000000000 -0400
929 +++ linux-2.6.31/arch/ia64/include/asm/pgtable.h 2009-09-06 15:29:11.115307704 -0400
931 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
932 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
933 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
935 +#ifdef CONFIG_PAX_PAGEEXEC
936 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
937 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
938 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
940 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
941 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
942 +# define PAGE_COPY_NOEXEC PAGE_COPY
945 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
946 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
947 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
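Review bot: Under CONFIG_PAX_PAGEEXEC, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` expand to exactly the bits of `PAGE_READONLY` and `PAGE_COPY` (`__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`), so for those two names the `#ifdef` and `#else` arms are equivalent and only `PAGE_SHARED_NOEXEC` can actually differ. A reader will assume the NOEXEC variants strip an execute bit; if `_PAGE_AR_R` is indeed read-only without execute, as its `_PAGE_AR_RX` sibling suggests, a comment such as `/* _PAGE_AR_R is already non-executable; the NOEXEC names exist for generic callers */` would prevent that confusion. Whether `PAGE_SHARED` itself carries execute permission is not visible in this hunk.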
948 diff -urNp linux-2.6.31/arch/ia64/include/asm/uaccess.h linux-2.6.31/arch/ia64/include/asm/uaccess.h
949 --- linux-2.6.31/arch/ia64/include/asm/uaccess.h 2009-08-27 20:59:04.000000000 -0400
950 +++ linux-2.6.31/arch/ia64/include/asm/uaccess.h 2009-09-06 15:29:11.115307704 -0400
951 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
952 const void *__cu_from = (from); \
953 long __cu_len = (n); \
955 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
956 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
957 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
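Review bot: The new `__cu_len > 0 && __cu_len <= INT_MAX` guard is undocumented, and nothing in the hunk explains why INT_MAX is the right upper limit for a `long` length; the same guard is added in the next hunk, the `__cu_from` variant. When the guard fails the macro skips `__copy_user` and presumably hands `__cu_len` back to the caller unchanged (the tail of the macro is outside the hunk), so a negative or oversized `n` now surfaces as "nothing copied" rather than as a rejected range check. A short comment above both checks, e.g. `/* a negative or >INT_MAX length can never be a valid copy size; reject before the range check */`, would record the intent for the next reader.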
960 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
961 long __cu_len = (n); \
963 __chk_user_ptr(__cu_from); \
964 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
965 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
966 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
969 diff -urNp linux-2.6.31/arch/ia64/kernel/module.c linux-2.6.31/arch/ia64/kernel/module.c
970 --- linux-2.6.31/arch/ia64/kernel/module.c 2009-08-27 20:59:04.000000000 -0400
971 +++ linux-2.6.31/arch/ia64/kernel/module.c 2009-09-06 15:29:11.116247536 -0400
972 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
974 module_free (struct module *mod, void *module_region)
976 - if (mod && mod->arch.init_unw_table &&
977 - module_region == mod->module_init) {
978 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
979 unw_remove_unwind_table(mod->arch.init_unw_table);
980 mod->arch.init_unw_table = NULL;
982 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
986 +in_init_rx (const struct module *mod, uint64_t addr)
988 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
992 +in_init_rw (const struct module *mod, uint64_t addr)
994 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
998 in_init (const struct module *mod, uint64_t addr)
1000 - return addr - (uint64_t) mod->module_init < mod->init_size;
1001 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1005 +in_core_rx (const struct module *mod, uint64_t addr)
1007 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1011 +in_core_rw (const struct module *mod, uint64_t addr)
1013 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1017 in_core (const struct module *mod, uint64_t addr)
1019 - return addr - (uint64_t) mod->module_core < mod->core_size;
1020 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1024 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1028 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1029 + if (in_init_rx(mod, val))
1030 + val -= (uint64_t) mod->module_init_rx;
1031 + else if (in_init_rw(mod, val))
1032 + val -= (uint64_t) mod->module_init_rw;
1033 + else if (in_core_rx(mod, val))
1034 + val -= (uint64_t) mod->module_core_rx;
1035 + else if (in_core_rw(mod, val))
1036 + val -= (uint64_t) mod->module_core_rw;
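Review bot: The replaced line always subtracted a base (`module_init`, else `module_core`), but the new `if`/`else if` chain has no terminating branch, so a `val` that falls in none of the four regions is now silently left unadjusted and the relocation proceeds with a wrong value. Add a final `else` that reports the address and fails the relocation, e.g. `else { printk(KERN_ERR "%s: %s: %#lx not inside module\n", mod->name, __func__, (unsigned long)val); return -ENOEXEC; }`, assuming `do_reloc` follows the negative-errno convention — its return type and body are outside this hunk.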
1040 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1041 * addresses have been selected...
1044 - if (mod->core_size > MAX_LTOFF)
1045 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1047 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1048 * at the end of the module.
1050 - gp = mod->core_size - MAX_LTOFF / 2;
1051 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1053 - gp = mod->core_size / 2;
1054 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1055 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1056 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1058 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
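Review bot: The gp placement now sums `core_size_rx + core_size_rw` and then anchors the result at `module_core_rx`, which is only meaningful if the rw region is laid out contiguously after the rx region; the separate `module_core_rx`/`module_core_rw` bases and sizes used by the new `in_core_rx`/`in_core_rw` helpers earlier in this file suggest they are independent allocations, in which case `module_core_rx + (rx+rw)/2` can land outside the data gp is meant to reach within ±MAX_LTOFF/2. The surrounding comment still says SHF_ARCH_SMALL is allocated "at the end of the module", which no longer names a single region. Either compute gp relative to the region that actually holds the small-data sections, sizing only that region, or add a comment stating that the two regions are contiguous and why. The enclosing function continues outside the hunk.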
1060 diff -urNp linux-2.6.31/arch/ia64/kernel/sys_ia64.c linux-2.6.31/arch/ia64/kernel/sys_ia64.c
1061 --- linux-2.6.31/arch/ia64/kernel/sys_ia64.c 2009-08-27 20:59:04.000000000 -0400
1062 +++ linux-2.6.31/arch/ia64/kernel/sys_ia64.c 2009-09-06 15:29:11.116247536 -0400
1063 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1064 if (REGION_NUMBER(addr) == RGN_HPAGE)
1068 +#ifdef CONFIG_PAX_RANDMMAP
1069 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1070 + addr = mm->free_area_cache;
1075 addr = mm->free_area_cache;
1077 @@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
1078 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1079 /* At this point: (!vma || addr < vma->vm_end). */
1080 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1081 - if (start_addr != TASK_UNMAPPED_BASE) {
1082 + if (start_addr != mm->mmap_base) {
1083 /* Start a new search --- just in case we missed some holes. */
1084 - addr = TASK_UNMAPPED_BASE;
1085 + addr = mm->mmap_base;
1089 diff -urNp linux-2.6.31/arch/ia64/mm/fault.c linux-2.6.31/arch/ia64/mm/fault.c
1090 --- linux-2.6.31/arch/ia64/mm/fault.c 2009-08-27 20:59:04.000000000 -0400
1091 +++ linux-2.6.31/arch/ia64/mm/fault.c 2009-09-06 15:29:11.117202694 -0400
1092 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1093 return pte_present(pte);
1096 +#ifdef CONFIG_PAX_PAGEEXEC
1097 +void pax_report_insns(void *pc, void *sp)
1101 + printk(KERN_ERR "PAX: bytes at PC: ");
1102 + for (i = 0; i < 8; i++) {
1104 + if (get_user(c, (unsigned int *)pc+i))
1105 + printk(KERN_CONT "???????? ");
1107 + printk(KERN_CONT "%08x ", c);
1114 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1116 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1117 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1118 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1120 - if ((vma->vm_flags & mask) != mask)
1121 + if ((vma->vm_flags & mask) != mask) {
1123 +#ifdef CONFIG_PAX_PAGEEXEC
1124 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1125 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1128 + up_read(&mm->mmap_sem);
1129 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1130 + do_group_exit(SIGKILL);
1140 * If for any reason at all we couldn't handle the fault, make
1141 diff -urNp linux-2.6.31/arch/ia64/mm/init.c linux-2.6.31/arch/ia64/mm/init.c
1142 --- linux-2.6.31/arch/ia64/mm/init.c 2009-08-27 20:59:04.000000000 -0400
1143 +++ linux-2.6.31/arch/ia64/mm/init.c 2009-09-06 15:29:11.117202694 -0400
1144 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1145 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1146 vma->vm_end = vma->vm_start + PAGE_SIZE;
1147 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1149 +#ifdef CONFIG_PAX_PAGEEXEC
1150 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1151 + vma->vm_flags &= ~VM_EXEC;
1153 +#ifdef CONFIG_PAX_MPROTECT
1154 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1155 + vma->vm_flags &= ~VM_MAYEXEC;
1161 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1162 down_write(¤t->mm->mmap_sem);
1163 if (insert_vm_struct(current->mm, vma)) {
1164 diff -urNp linux-2.6.31/arch/m32r/include/asm/atomic.h linux-2.6.31/arch/m32r/include/asm/atomic.h
1165 --- linux-2.6.31/arch/m32r/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
1166 +++ linux-2.6.31/arch/m32r/include/asm/atomic.h 2009-09-11 22:04:17.637685200 -0400
1168 #define atomic_read(v) ((v)->counter)
1171 + * atomic_read_unchecked - read atomic variable
1172 + * @v: pointer of type atomic_unchecked_t
1174 + * Atomically reads the value of @v.
1176 +#define atomic_read_unchecked(v) ((v)->counter)
1179 * atomic_set - set atomic variable
1180 * @v: pointer of type atomic_t
1181 * @i: required value
1183 #define atomic_set(v,i) (((v)->counter) = (i))
1186 + * atomic_set_unchecked - set atomic variable
1187 + * @v: pointer of type atomic_unchecked_t
1188 + * @i: required value
1190 + * Atomically sets the value of @v to @i.
1192 +#define atomic_set_unchecked(v,i) (((v)->counter) = (i))
1195 * atomic_add_return - add integer to atomic variable and return it
1196 * @i: integer value to add
1197 * @v: pointer of type atomic_t
1198 @@ -308,6 +325,10 @@ static __inline__ void atomic_set_mask(u
1199 local_irq_restore(flags);
1202 +#define atomic_inc_unchecked(v) atomic_inc((atomic_t *)(v))
1203 +#define atomic_add_unchecked(i,v) atomic_add((i),(atomic_t *)(v))
1204 +#define atomic_sub_unchecked(i,v) atomic_sub((i),(atomic_t *)(v))
1206 /* Atomic operations are already serializing on m32r */
1207 #define smp_mb__before_atomic_dec() barrier()
1208 #define smp_mb__after_atomic_dec() barrier()
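Review bot: `atomic_inc_unchecked`, `atomic_add_unchecked` and `atomic_sub_unchecked` cast an `atomic_unchecked_t *` to `atomic_t *` and pass it to the checked primitives, which is only valid if the two structs have identical layout; the same pattern is used in the m68k atomic_mm.h/atomic_no.h, mips atomic.h and mn10300 atomic.h hunks below. The definition of `atomic_unchecked_t` is not in this diff, so the assumption is invisible at the point of use. A one-line comment at the first cast per arch, or a `BUILD_BUG_ON(sizeof(atomic_t) != sizeof(atomic_unchecked_t))` where the type is defined, would make the dependency explicit and catch a future divergence.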
1209 diff -urNp linux-2.6.31/arch/m32r/lib/usercopy.c linux-2.6.31/arch/m32r/lib/usercopy.c
1210 --- linux-2.6.31/arch/m32r/lib/usercopy.c 2009-08-27 20:59:04.000000000 -0400
1211 +++ linux-2.6.31/arch/m32r/lib/usercopy.c 2009-09-06 15:29:11.118236580 -0400
1214 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1220 if (access_ok(VERIFY_WRITE, to, n))
1221 __copy_user(to,from,n);
1222 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1224 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1230 if (access_ok(VERIFY_READ, from, n))
1231 __copy_user_zeroing(to,from,n);
1232 diff -urNp linux-2.6.31/arch/m68k/include/asm/atomic_mm.h linux-2.6.31/arch/m68k/include/asm/atomic_mm.h
1233 --- linux-2.6.31/arch/m68k/include/asm/atomic_mm.h 2009-08-27 20:59:04.000000000 -0400
1234 +++ linux-2.6.31/arch/m68k/include/asm/atomic_mm.h 2009-09-12 09:48:47.937349132 -0400
1236 #define ATOMIC_INIT(i) { (i) }
1238 #define atomic_read(v) ((v)->counter)
1239 +#define atomic_read_unchecked(v) ((v)->counter)
1240 #define atomic_set(v, i) (((v)->counter) = i)
1241 +#define atomic_set_unchecked(v, i) (((v)->counter) = i)
1243 static inline void atomic_add(int i, atomic_t *v)
1245 __asm__ __volatile__("addl %1,%0" : "+m" (*v) : "id" (i));
1248 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
1250 + atomic_add(i, (atomic_t *)v);
1253 static inline void atomic_sub(int i, atomic_t *v)
1255 __asm__ __volatile__("subl %1,%0" : "+m" (*v) : "id" (i));
1258 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
1260 + atomic_sub(i, (atomic_t *)v);
1263 static inline void atomic_inc(atomic_t *v)
1265 __asm__ __volatile__("addql #1,%0" : "+m" (*v));
1268 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
1270 + atomic_inc((atomic_t *)v);
1273 static inline void atomic_dec(atomic_t *v)
1275 __asm__ __volatile__("subql #1,%0" : "+m" (*v));
1276 diff -urNp linux-2.6.31/arch/m68k/include/asm/atomic_no.h linux-2.6.31/arch/m68k/include/asm/atomic_no.h
1277 --- linux-2.6.31/arch/m68k/include/asm/atomic_no.h 2009-08-27 20:59:04.000000000 -0400
1278 +++ linux-2.6.31/arch/m68k/include/asm/atomic_no.h 2009-09-12 09:50:27.179985977 -0400
1280 #define ATOMIC_INIT(i) { (i) }
1282 #define atomic_read(v) ((v)->counter)
1283 +#define atomic_read_unchecked(v) ((v)->counter)
1284 #define atomic_set(v, i) (((v)->counter) = i)
1285 +#define atomic_set_unchecked(v, i) (((v)->counter) = i)
1287 static __inline__ void atomic_add(int i, atomic_t *v)
1289 @@ -27,6 +29,11 @@ static __inline__ void atomic_add(int i,
1293 +static __inline__ void atomic_add_unchecked(int i, atomic_unchecked_t *v)
1295 + atomic_add(i, (atomic_t *)v);
1298 static __inline__ void atomic_sub(int i, atomic_t *v)
1300 #ifdef CONFIG_COLDFIRE
1301 @@ -36,6 +43,11 @@ static __inline__ void atomic_sub(int i,
1305 +static __inline__ void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
1307 + atomic_sub(i, (atomic_t *)v);
1310 static __inline__ int atomic_sub_and_test(int i, atomic_t * v)
1313 @@ -56,6 +68,11 @@ static __inline__ void atomic_inc(volati
1314 __asm__ __volatile__("addql #1,%0" : "+m" (*v));
1317 +static __inline__ void atomic_inc_unchecked(volatile atomic_unchecked_t *v)
1319 + atomic_inc((volatile atomic_t *)v);
1323 * atomic_inc_and_test - increment and test
1324 * @v: pointer of type atomic_t
1325 diff -urNp linux-2.6.31/arch/mips/include/asm/atomic.h linux-2.6.31/arch/mips/include/asm/atomic.h
1326 --- linux-2.6.31/arch/mips/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
1327 +++ linux-2.6.31/arch/mips/include/asm/atomic.h 2009-09-11 22:19:56.216381287 -0400
1329 #define atomic_read(v) ((v)->counter)
1332 + * atomic_read_unchecked - read atomic variable
1333 + * @v: pointer of type atomic_unchecked_t
1335 + * Atomically reads the value of @v.
1337 +#define atomic_read_unchecked(v) ((v)->counter)
1340 * atomic_set - set atomic variable
1341 * @v: pointer of type atomic_t
1342 * @i: required value
1344 #define atomic_set(v, i) ((v)->counter = (i))
1347 + * atomic_set_unchecked - set atomic variable
1348 + * @v: pointer of type atomic_unchecked_t
1349 + * @i: required value
1351 + * Atomically sets the value of @v to @i.
1353 +#define atomic_set_unchecked(v, i) ((v)->counter = (i))
1356 * atomic_add - add integer to atomic variable
1357 * @i: integer value to add
1358 * @v: pointer of type atomic_t
1359 @@ -381,6 +398,9 @@ static __inline__ int atomic_add_unless(
1360 * Atomically increments @v by 1.
1362 #define atomic_inc(v) atomic_add(1, (v))
1363 +#define atomic_inc_unchecked(v) atomic_inc((atomic_t *)(v))
1364 +#define atomic_add_unchecked(i, v) atomic_add((i), (atomic_t *)(v))
1365 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (atomic_t *)(v))
1368 * atomic_dec - decrement and test
1369 diff -urNp linux-2.6.31/arch/mips/include/asm/elf.h linux-2.6.31/arch/mips/include/asm/elf.h
1370 --- linux-2.6.31/arch/mips/include/asm/elf.h 2009-08-27 20:59:04.000000000 -0400
1371 +++ linux-2.6.31/arch/mips/include/asm/elf.h 2009-09-06 15:29:11.120185424 -0400
1372 @@ -368,4 +368,11 @@ extern int dump_task_fpu(struct task_str
1373 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1376 +#ifdef CONFIG_PAX_ASLR
1377 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1379 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1380 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1383 #endif /* _ASM_ELF_H */
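Review bot: `PAX_ELF_ET_DYN_BASE` tests `TIF_32BIT_ADDR` but yields `0x00400000UL` in both arms, so the conditional is dead code; the identical definition is repeated in arch/mips/kernel/binfmt_elfn32.c and binfmt_elfo32.c. Either collapse it to `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` or, if the two arms are expected to diverge later, say so in a comment so nobody "fixes" it the other way. The n32/o32 files `#undef ELF_ET_DYN_BASE` before redefining it but do not do the same for the PAX_* names; if asm/elf.h is also pulled in through their later includes, that stays warning-free only while every definition remains token-identical.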
1384 diff -urNp linux-2.6.31/arch/mips/include/asm/page.h linux-2.6.31/arch/mips/include/asm/page.h
1385 --- linux-2.6.31/arch/mips/include/asm/page.h 2009-08-27 20:59:04.000000000 -0400
1386 +++ linux-2.6.31/arch/mips/include/asm/page.h 2009-09-06 15:29:11.120185424 -0400
1387 @@ -92,7 +92,7 @@ extern void copy_user_highpage(struct pa
1388 #ifdef CONFIG_CPU_MIPS32
1389 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1390 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1391 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1392 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1394 typedef struct { unsigned long long pte; } pte_t;
1395 #define pte_val(x) ((x).pte)
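Review bot: Dropping the `(unsigned long long)` cast makes `(x) >> 32` undefined whenever `__pte()` is handed a 32-bit value — a shift by the full width of `unsigned long` on a 32-bit CONFIG_CPU_MIPS32 build — whereas the old form widened first and was well defined for any integer argument. `pte_val()` returns `unsigned long long`, so callers that round-trip through it are fine, but any `__pte(0)` or `__pte(some_ulong)` is now UB and GCC typically warns with "right shift count >= width of type". Unless every caller is known to pass a 64-bit value, keep the widening, `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`, or document the new precondition at the macro.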
1396 diff -urNp linux-2.6.31/arch/mips/include/asm/system.h linux-2.6.31/arch/mips/include/asm/system.h
1397 --- linux-2.6.31/arch/mips/include/asm/system.h 2009-08-27 20:59:04.000000000 -0400
1398 +++ linux-2.6.31/arch/mips/include/asm/system.h 2009-09-06 15:29:11.121159580 -0400
1399 @@ -217,6 +217,6 @@ extern void per_cpu_trap_init(void);
1401 #define __ARCH_WANT_UNLOCKED_CTXSW
1403 -extern unsigned long arch_align_stack(unsigned long sp);
1404 +#define arch_align_stack(x) ((x) & ALMASK)
1406 #endif /* _ASM_SYSTEM_H */
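Review bot: Replacing the `extern` function with `#define arch_align_stack(x) ((x) & ALMASK)` drops the sub-page random offset that the deleted arch/mips/kernel/process.c implementation applied when `randomize_va_space` was set, so on this arch the initial stack pointer is now only aligned; presumably PaX's own PAX_DELTA_STACK_LEN randomization is meant to take over, but nothing in the hunk says so. A comment at the macro, e.g. `/* alignment only; stack randomization is done by PaX (PAX_DELTA_STACK_LEN) */`, would record that the behaviour change is deliberate. Any other translation unit that still declares or takes the address of `arch_align_stack` as a function would stop building, which cannot be checked from here.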
1407 diff -urNp linux-2.6.31/arch/mips/kernel/binfmt_elfn32.c linux-2.6.31/arch/mips/kernel/binfmt_elfn32.c
1408 --- linux-2.6.31/arch/mips/kernel/binfmt_elfn32.c 2009-08-27 20:59:04.000000000 -0400
1409 +++ linux-2.6.31/arch/mips/kernel/binfmt_elfn32.c 2009-09-06 15:29:11.121159580 -0400
1410 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1411 #undef ELF_ET_DYN_BASE
1412 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1414 +#ifdef CONFIG_PAX_ASLR
1415 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1417 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1418 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1421 #include <asm/processor.h>
1422 #include <linux/module.h>
1423 #include <linux/elfcore.h>
1424 diff -urNp linux-2.6.31/arch/mips/kernel/binfmt_elfo32.c linux-2.6.31/arch/mips/kernel/binfmt_elfo32.c
1425 --- linux-2.6.31/arch/mips/kernel/binfmt_elfo32.c 2009-08-27 20:59:04.000000000 -0400
1426 +++ linux-2.6.31/arch/mips/kernel/binfmt_elfo32.c 2009-09-06 15:29:11.121159580 -0400
1427 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1428 #undef ELF_ET_DYN_BASE
1429 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1431 +#ifdef CONFIG_PAX_ASLR
1432 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1434 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1435 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1438 #include <asm/processor.h>
1441 diff -urNp linux-2.6.31/arch/mips/kernel/process.c linux-2.6.31/arch/mips/kernel/process.c
1442 --- linux-2.6.31/arch/mips/kernel/process.c 2009-08-27 20:59:04.000000000 -0400
1443 +++ linux-2.6.31/arch/mips/kernel/process.c 2009-09-06 15:29:11.121159580 -0400
1444 @@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1450 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1451 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1453 -unsigned long arch_align_stack(unsigned long sp)
1455 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1456 - sp -= get_random_int() & ~PAGE_MASK;
1458 - return sp & ALMASK;
1460 diff -urNp linux-2.6.31/arch/mips/kernel/syscall.c linux-2.6.31/arch/mips/kernel/syscall.c
1461 --- linux-2.6.31/arch/mips/kernel/syscall.c 2009-08-27 20:59:04.000000000 -0400
1462 +++ linux-2.6.31/arch/mips/kernel/syscall.c 2009-09-06 15:29:11.122248738 -0400
1463 @@ -99,6 +99,11 @@ unsigned long arch_get_unmapped_area(str
1465 if (filp || (flags & MAP_SHARED))
1468 +#ifdef CONFIG_PAX_RANDMMAP
1469 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1474 addr = COLOUR_ALIGN(addr, pgoff);
1475 @@ -109,7 +114,7 @@ unsigned long arch_get_unmapped_area(str
1476 (!vmm || addr + len <= vmm->vm_start))
1479 - addr = TASK_UNMAPPED_BASE;
1480 + addr = current->mm->mmap_base;
1482 addr = COLOUR_ALIGN(addr, pgoff);
1484 diff -urNp linux-2.6.31/arch/mips/mm/fault.c linux-2.6.31/arch/mips/mm/fault.c
1485 --- linux-2.6.31/arch/mips/mm/fault.c 2009-08-27 20:59:04.000000000 -0400
1486 +++ linux-2.6.31/arch/mips/mm/fault.c 2009-09-06 15:29:11.122248738 -0400
1488 #include <asm/ptrace.h>
1489 #include <asm/highmem.h> /* For VMALLOC_END */
1491 +#ifdef CONFIG_PAX_PAGEEXEC
1492 +void pax_report_insns(void *pc)
1496 + printk(KERN_ERR "PAX: bytes at PC: ");
1497 + for (i = 0; i < 5; i++) {
1499 + if (get_user(c, (unsigned int *)pc+i))
1500 + printk(KERN_CONT "???????? ");
1502 + printk(KERN_CONT "%08x ", c);
1509 * This routine handles page faults. It determines the address,
1510 * and the problem, and then passes it off to one of the appropriate
1511 diff -urNp linux-2.6.31/arch/mn10300/include/asm/atomic.h linux-2.6.31/arch/mn10300/include/asm/atomic.h
1512 --- linux-2.6.31/arch/mn10300/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
1513 +++ linux-2.6.31/arch/mn10300/include/asm/atomic.h 2009-09-11 22:24:04.850517005 -0400
1515 #define atomic_read(v) ((v)->counter)
1518 + * atomic_read_unchecked - read atomic variable
1519 + * @v: pointer of type atomic_unchecked_t
1521 + * Atomically reads the value of @v. Note that the guaranteed
1522 + * useful range of an atomic_unchecked_t is only 24 bits.
1524 +#define atomic_read_unchecked(v) ((v)->counter)
1527 * atomic_set - set atomic variable
1528 * @v: pointer of type atomic_t
1529 * @i: required value
1532 #define atomic_set(v, i) (((v)->counter) = (i))
1535 + * atomic_set_unchecked - set atomic variable
1536 + * @v: pointer of type atomic_unchecked_t
1537 + * @i: required value
1539 + * Atomically sets the value of @v to @i. Note that the guaranteed
1540 + * useful range of an atomic_unchecked_t is only 24 bits.
1542 +#define atomic_set_unchecked(v, i) (((v)->counter) = (i))
1544 #include <asm/system.h>
1547 @@ -99,16 +118,31 @@ static inline void atomic_add(int i, ato
1548 atomic_add_return(i, v);
1551 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
1553 + atomic_add_return(i, (atomic_t *)v);
1556 static inline void atomic_sub(int i, atomic_t *v)
1558 atomic_sub_return(i, v);
1561 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
1563 + atomic_sub_return(i, (atomic_t *)v);
1566 static inline void atomic_inc(atomic_t *v)
1568 atomic_add_return(1, v);
1571 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
1573 + atomic_add_return(1, (atomic_t *)v);
1576 static inline void atomic_dec(atomic_t *v)
1578 atomic_sub_return(1, v);
1579 diff -urNp linux-2.6.31/arch/mn10300/kernel/setup.c linux-2.6.31/arch/mn10300/kernel/setup.c
1580 --- linux-2.6.31/arch/mn10300/kernel/setup.c 2009-08-27 20:59:04.000000000 -0400
1581 +++ linux-2.6.31/arch/mn10300/kernel/setup.c 2009-09-06 15:29:11.123326294 -0400
1582 @@ -285,7 +285,7 @@ static void c_stop(struct seq_file *m, v
1586 -struct seq_operations cpuinfo_op = {
1587 +const struct seq_operations cpuinfo_op = {
1591 diff -urNp linux-2.6.31/arch/parisc/include/asm/atomic.h linux-2.6.31/arch/parisc/include/asm/atomic.h
1592 --- linux-2.6.31/arch/parisc/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
1593 +++ linux-2.6.31/arch/parisc/include/asm/atomic.h 2009-09-11 22:30:04.233759484 -0400
1594 @@ -177,6 +177,18 @@ static __inline__ int __atomic_add_retur
1598 +static __inline__ int __atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
1601 + unsigned long flags;
1602 + _atomic_spin_lock_irqsave(v, flags);
1604 + ret = (v->counter += i);
1606 + _atomic_spin_unlock_irqrestore(v, flags);
1610 static __inline__ void atomic_set(atomic_t *v, int i)
1612 unsigned long flags;
1613 @@ -187,11 +199,26 @@ static __inline__ void atomic_set(atomic
1614 _atomic_spin_unlock_irqrestore(v, flags);
1617 +static __inline__ void atomic_set_unchecked(atomic_unchecked_t *v, int i)
1619 + unsigned long flags;
1620 + _atomic_spin_lock_irqsave(v, flags);
1624 + _atomic_spin_unlock_irqrestore(v, flags);
1627 static __inline__ int atomic_read(const atomic_t *v)
1632 +static __inline__ int atomic_read_unchecked(const atomic_unchecked_t *v)
1634 + return v->counter;
1637 /* exported interface */
1638 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
1639 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
1640 @@ -223,8 +250,11 @@ static __inline__ int atomic_add_unless(
1641 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
1643 #define atomic_add(i,v) ((void)(__atomic_add_return( (i),(v))))
1644 +#define atomic_add_unchecked(i,v) ((void)(__atomic_add_return_unchecked( ((i),(v))))
1645 #define atomic_sub(i,v) ((void)(__atomic_add_return(-(i),(v))))
1646 +#define atomic_sub_unchecked(i,v) ((void)(__atomic_add_return_unchecked(-(i),(v))))
1647 #define atomic_inc(v) ((void)(__atomic_add_return( 1,(v))))
1648 +#define atomic_inc_unchecked(v) ((void)(__atomic_add_return_unchecked( 1,(v))))
1649 #define atomic_dec(v) ((void)(__atomic_add_return( -1,(v))))
1651 #define atomic_add_return(i,v) (__atomic_add_return( (i),(v)))
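Review bot: `atomic_add_unchecked` has a stray opening parenthesis: `__atomic_add_return_unchecked( ((i),(v)))` passes the single comma expression `((i),(v))` as the only argument, so any use fails to compile with "too few arguments" against the two-parameter `__atomic_add_return_unchecked` added earlier in this file. The neighbouring `atomic_sub_unchecked` and the original `atomic_add` have the intended shape; the line should read `#define atomic_add_unchecked(i,v) ((void)(__atomic_add_return_unchecked( (i),(v))))`. Because macros are only expanded on use, the error will not appear until a parisc caller is built.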
1652 diff -urNp linux-2.6.31/arch/parisc/include/asm/elf.h linux-2.6.31/arch/parisc/include/asm/elf.h
1653 --- linux-2.6.31/arch/parisc/include/asm/elf.h 2009-08-27 20:59:04.000000000 -0400
1654 +++ linux-2.6.31/arch/parisc/include/asm/elf.h 2009-09-06 15:29:11.124187237 -0400
1655 @@ -343,6 +343,13 @@ struct pt_regs; /* forward declaration..
1657 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1659 +#ifdef CONFIG_PAX_ASLR
1660 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1662 +#define PAX_DELTA_MMAP_LEN 16
1663 +#define PAX_DELTA_STACK_LEN 16
1666 /* This yields a mask that user programs can use to figure out what
1667 instruction set this CPU supports. This could be done in user space,
1668 but it's not easy, and we've already done it here. */
1669 diff -urNp linux-2.6.31/arch/parisc/include/asm/pgtable.h linux-2.6.31/arch/parisc/include/asm/pgtable.h
1670 --- linux-2.6.31/arch/parisc/include/asm/pgtable.h 2009-08-27 20:59:04.000000000 -0400
1671 +++ linux-2.6.31/arch/parisc/include/asm/pgtable.h 2009-09-06 15:29:11.124187237 -0400
1672 @@ -207,6 +207,17 @@
1673 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1674 #define PAGE_COPY PAGE_EXECREAD
1675 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1677 +#ifdef CONFIG_PAX_PAGEEXEC
1678 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1679 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1680 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1682 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1683 +# define PAGE_COPY_NOEXEC PAGE_COPY
1684 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1687 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1688 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1689 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1690 diff -urNp linux-2.6.31/arch/parisc/kernel/module.c linux-2.6.31/arch/parisc/kernel/module.c
1691 --- linux-2.6.31/arch/parisc/kernel/module.c 2009-08-27 20:59:04.000000000 -0400
1692 +++ linux-2.6.31/arch/parisc/kernel/module.c 2009-09-06 15:29:11.125330310 -0400
1695 /* three functions to determine where in the module core
1696 * or init pieces the location is */
1697 +static inline int in_init_rx(struct module *me, void *loc)
1699 + return (loc >= me->module_init_rx &&
1700 + loc < (me->module_init_rx + me->init_size_rx));
1703 +static inline int in_init_rw(struct module *me, void *loc)
1705 + return (loc >= me->module_init_rw &&
1706 + loc < (me->module_init_rw + me->init_size_rw));
1709 static inline int in_init(struct module *me, void *loc)
1711 - return (loc >= me->module_init &&
1712 - loc <= (me->module_init + me->init_size));
1713 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1716 +static inline int in_core_rx(struct module *me, void *loc)
1718 + return (loc >= me->module_core_rx &&
1719 + loc < (me->module_core_rx + me->core_size_rx));
1722 +static inline int in_core_rw(struct module *me, void *loc)
1724 + return (loc >= me->module_core_rw &&
1725 + loc < (me->module_core_rw + me->core_size_rw));
1728 static inline int in_core(struct module *me, void *loc)
1730 - return (loc >= me->module_core &&
1731 - loc <= (me->module_core + me->core_size));
1732 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1735 static inline int in_local(struct module *me, void *loc)
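Review bot: Alongside the rx/rw split, `in_init` and `in_core` change their upper bound from inclusive (`loc <= base + size`) to exclusive (`loc < base + size`): an address exactly one past the end of a region was previously classified as inside it and now is not. The exclusive form is the correct half-open check, but it is a separate behaviour change bundled into the split and not mentioned anywhere in the hunk; a comment on the new helpers such as `/* half-open range: [base, base + size) */`, or a line in the description, would make it deliberate rather than incidental. `in_local` at the end of the hunk presumably builds on these helpers and continues outside it.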
1736 @@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1739 /* align things a bit */
1740 - me->core_size = ALIGN(me->core_size, 16);
1741 - me->arch.got_offset = me->core_size;
1742 - me->core_size += gots * sizeof(struct got_entry);
1744 - me->core_size = ALIGN(me->core_size, 16);
1745 - me->arch.fdesc_offset = me->core_size;
1746 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1747 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1748 + me->arch.got_offset = me->core_size_rw;
1749 + me->core_size_rw += gots * sizeof(struct got_entry);
1751 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1752 + me->arch.fdesc_offset = me->core_size_rw;
1753 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1755 me->arch.got_max = gots;
1756 me->arch.fdesc_max = fdescs;
1757 @@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1761 - got = me->module_core + me->arch.got_offset;
1762 + got = me->module_core_rw + me->arch.got_offset;
1763 for (i = 0; got[i].addr; i++)
1764 if (got[i].addr == value)
1766 @@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1768 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1770 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1771 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1774 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1775 @@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1777 /* Create new one */
1778 fdesc->addr = value;
1779 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1780 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1781 return (Elf_Addr)fdesc;
1783 #endif /* CONFIG_64BIT */
1784 @@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1786 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1787 end = table + sechdrs[me->arch.unwind_section].sh_size;
1788 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1789 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1791 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1792 me->arch.unwind_section, table, end, gp);
1793 diff -urNp linux-2.6.31/arch/parisc/kernel/sys_parisc.c linux-2.6.31/arch/parisc/kernel/sys_parisc.c
1794 --- linux-2.6.31/arch/parisc/kernel/sys_parisc.c 2009-08-27 20:59:04.000000000 -0400
1795 +++ linux-2.6.31/arch/parisc/kernel/sys_parisc.c 2009-09-06 15:29:11.125330310 -0400
1796 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1797 if (flags & MAP_FIXED)
1800 - addr = TASK_UNMAPPED_BASE;
1801 + addr = current->mm->mmap_base;
1804 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1805 diff -urNp linux-2.6.31/arch/parisc/kernel/traps.c linux-2.6.31/arch/parisc/kernel/traps.c
1806 --- linux-2.6.31/arch/parisc/kernel/traps.c 2009-09-06 19:00:55.650249496 -0400
1807 +++ linux-2.6.31/arch/parisc/kernel/traps.c 2009-09-06 19:01:14.292191773 -0400
1808 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1810 down_read(¤t->mm->mmap_sem);
1811 vma = find_vma(current->mm,regs->iaoq[0]);
1812 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1813 - && (vma->vm_flags & VM_EXEC)) {
1815 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1816 fault_address = regs->iaoq[0];
1817 fault_space = regs->iasq[0];
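Review bot: The `vma->vm_flags & VM_EXEC` test is removed without a comment, so an instruction fetch landing in a non-executable mapping now takes the `fault_address = regs->iaoq[0]` path instead of whatever followed the old condition; presumably this is so the fault reaches the page-fault handler where the new PAGEEXEC logic in arch/parisc/mm/fault.c can inspect it, but the hunk does not say so. A comment on the condition, e.g. `/* PaX: let fetches from non-exec mappings reach do_page_fault, which handles PAGEEXEC */`, would explain the relaxation. The rest of `handle_interruption`, including the branch taken when the condition is false, is outside this hunk.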
1819 diff -urNp linux-2.6.31/arch/parisc/mm/fault.c linux-2.6.31/arch/parisc/mm/fault.c
1820 --- linux-2.6.31/arch/parisc/mm/fault.c 2009-08-27 20:59:04.000000000 -0400
1821 +++ linux-2.6.31/arch/parisc/mm/fault.c 2009-09-06 15:29:11.126169242 -0400
1823 #include <linux/sched.h>
1824 #include <linux/interrupt.h>
1825 #include <linux/module.h>
1826 +#include <linux/unistd.h>
1828 #include <asm/uaccess.h>
1829 #include <asm/traps.h>
1830 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1831 static unsigned long
1832 parisc_acctyp(unsigned long code, unsigned int inst)
1834 - if (code == 6 || code == 16)
1835 + if (code == 6 || code == 7 || code == 16)
1838 switch (inst & 0xf0000000) {
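Review bot: `code == 7` joins a bare numeric trap list without saying which trap it is; `6` and `16` were already unexplained, but extending the list is the moment to name them. If I read the PA-RISC trap numbering correctly, 7 is the instruction memory protection trap, which is what a PAGEEXEC violation raises; a comment such as `/* 6: ITLB miss, 7: instruction memory protection, 16: non-access ITLB miss - all instruction fetches */` would tie the constants to the access-type decision that follows. The function body continues outside the hunk.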
1839 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1843 +#ifdef CONFIG_PAX_PAGEEXEC
1845 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1847 + * returns 1 when task should be killed
1848 + * 2 when rt_sigreturn trampoline was detected
1849 + * 3 when unpatched PLT trampoline was detected
1851 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1854 +#ifdef CONFIG_PAX_EMUPLT
1857 + do { /* PaX: unpatched PLT emulation */
1858 + unsigned int bl, depwi;
1860 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1861 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1866 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1867 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1869 + err = get_user(ldw, (unsigned int *)addr);
1870 + err |= get_user(bv, (unsigned int *)(addr+4));
1871 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1876 + if (ldw == 0x0E801096U &&
1877 + bv == 0xEAC0C000U &&
1878 + ldw2 == 0x0E881095U)
1880 + unsigned int resolver, map;
1882 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1883 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1887 + regs->gr[20] = instruction_pointer(regs)+8;
1888 + regs->gr[21] = map;
1889 + regs->gr[22] = resolver;
1890 + regs->iaoq[0] = resolver | 3UL;
1891 + regs->iaoq[1] = regs->iaoq[0] + 4;
1898 +#ifdef CONFIG_PAX_EMUTRAMP
1900 +#ifndef CONFIG_PAX_EMUSIGRT
1901 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1905 + do { /* PaX: rt_sigreturn emulation */
1906 + unsigned int ldi1, ldi2, bel, nop;
1908 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1909 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1910 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1911 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1916 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1917 + ldi2 == 0x3414015AU &&
1918 + bel == 0xE4008200U &&
1919 + nop == 0x08000240U)
1921 + regs->gr[25] = (ldi1 & 2) >> 1;
1922 + regs->gr[20] = __NR_rt_sigreturn;
1923 + regs->gr[31] = regs->iaoq[1] + 16;
1924 + regs->sr[0] = regs->iasq[1];
1925 + regs->iaoq[0] = 0x100UL;
1926 + regs->iaoq[1] = regs->iaoq[0] + 4;
1927 + regs->iasq[0] = regs->sr[2];
1928 + regs->iasq[1] = regs->sr[2];
1937 +void pax_report_insns(void *pc, void *sp)
1941 + printk(KERN_ERR "PAX: bytes at PC: ");
1942 + for (i = 0; i < 5; i++) {
1944 + if (get_user(c, (unsigned int *)pc+i))
1945 + printk(KERN_CONT "???????? ");
1947 + printk(KERN_CONT "%08x ", c);
1953 int fixup_exception(struct pt_regs *regs)
1955 const struct exception_table_entry *fix;
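Review bot: The rt_sigreturn emulation redirects execution with `regs->iaoq[0] = 0x100UL;` and `regs->iasq[0] = regs->sr[2];` without saying what that address is (presumably the syscall gateway entry, with r20 preloaded to `__NR_rt_sigreturn`), and the PLT emulation likewise matches bare instruction encodings (0xEA9F1FDDU, 0xD6801C1EU, ...) whose mnemonics are only hinted at by the local names. A comment on each match block naming the sequence it recognises, e.g. `/* bl/depwi followed by ldw/bv/ldw: unpatched PLT stub; branch straight to the resolver */` and `/* ldi1/ldi2/bel/nop: rt_sigreturn trampoline; enter the gateway page (sr2:0x100) with r20 = __NR_rt_sigreturn */`, would let a maintainer re-verify the constants against toolchain output. pax_report_insns() is reproduced verbatim in the arch/powerpc/mm/fault.c hunk; a shared definition would keep the two copies from drifting. The `err` declarations and the error checks after each get_user() group are not visible in this rendering, so the error handling is assumed rather than verified.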
1956 @@ -192,8 +303,33 @@ good_area:
1958 acc_type = parisc_acctyp(code,regs->iir);
1960 - if ((vma->vm_flags & acc_type) != acc_type)
1961 + if ((vma->vm_flags & acc_type) != acc_type) {
1963 +#ifdef CONFIG_PAX_PAGEEXEC
1964 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1965 + (address & ~3UL) == instruction_pointer(regs))
1967 + up_read(&mm->mmap_sem);
1968 + switch (pax_handle_fetch_fault(regs)) {
1970 +#ifdef CONFIG_PAX_EMUPLT
1975 +#ifdef CONFIG_PAX_EMUTRAMP
1981 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1982 + do_group_exit(SIGKILL);
1990 * If for any reason at all we couldn't handle the fault, make
1991 diff -urNp linux-2.6.31/arch/powerpc/include/asm/atomic.h linux-2.6.31/arch/powerpc/include/asm/atomic.h
1992 --- linux-2.6.31/arch/powerpc/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
1993 +++ linux-2.6.31/arch/powerpc/include/asm/atomic.h 2009-09-11 22:35:10.191559660 -0400
1994 @@ -24,11 +24,21 @@ static __inline__ int atomic_read(const
1998 +static __inline__ int atomic_read_unchecked(const atomic_unchecked_t *v)
2000 + return atomic_read((const atomic_t *)v);
2003 static __inline__ void atomic_set(atomic_t *v, int i)
2005 __asm__ __volatile__("stw%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
2008 +static __inline__ void atomic_set_unchecked(atomic_unchecked_t *v, int i)
2010 + atomic_set((atomic_t *)v, i);
2013 static __inline__ void atomic_add(int a, atomic_t *v)
2016 @@ -44,6 +54,11 @@ static __inline__ void atomic_add(int a,
2020 +static __inline__ void atomic_add_unchecked(int a, atomic_unchecked_t *v)
2022 + atomic_add(a, (atomic_t *)v);
2025 static __inline__ int atomic_add_return(int a, atomic_t *v)
2028 @@ -80,6 +95,11 @@ static __inline__ void atomic_sub(int a,
2032 +static __inline__ void atomic_sub_unchecked(int a, atomic_unchecked_t *v)
2034 + atomic_sub(a, (atomic_t *)v);
2037 static __inline__ int atomic_sub_return(int a, atomic_t *v)
2040 @@ -114,6 +134,11 @@ static __inline__ void atomic_inc(atomic
2044 +static __inline__ void atomic_inc_unchecked(atomic_unchecked_t *v)
2046 + atomic_inc((atomic_t *)v);
2049 static __inline__ int atomic_inc_return(atomic_t *v)
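Review bot: Every `*_unchecked` helper here (and the macro variants in the arch/s390/include/asm/atomic.h hunk) forwards to the checked primitive through a bare `(atomic_t *)v` cast, which silently relies on `atomic_unchecked_t` having exactly the layout of `atomic_t`; neither the type's definition nor a static check is in these hunks. A comment on the first helper stating the contract, e.g. `/* atomic_unchecked_t must be layout-identical to atomic_t: these wrappers only strip the type */`, or a `BUILD_BUG_ON(sizeof(atomic_unchecked_t) != sizeof(atomic_t))` where the type is defined, would protect the cast. Nothing on the page says what "unchecked" exempts these operations from, so a header comment explaining when a caller should pick the unchecked variant is also missing.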
2052 diff -urNp linux-2.6.31/arch/powerpc/include/asm/elf.h linux-2.6.31/arch/powerpc/include/asm/elf.h
2053 --- linux-2.6.31/arch/powerpc/include/asm/elf.h 2009-08-27 20:59:04.000000000 -0400
2054 +++ linux-2.6.31/arch/powerpc/include/asm/elf.h 2009-09-06 15:29:11.127199153 -0400
2055 @@ -179,8 +179,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2056 the loader. We need to make sure that it is out of the way of the program
2057 that it will "exec", and that there is sufficient room for the brk. */
2059 -extern unsigned long randomize_et_dyn(unsigned long base);
2060 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2061 +#define ELF_ET_DYN_BASE (0x20000000)
2063 +#ifdef CONFIG_PAX_ASLR
2064 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2066 +#ifdef __powerpc64__
2067 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2068 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2070 +#define PAX_DELTA_MMAP_LEN 15
2071 +#define PAX_DELTA_STACK_LEN 15
2076 * Our registers are always unsigned longs, whether we're a 32 bit
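Review bot: With CONFIG_PAX_ASLR unset, `ELF_ET_DYN_BASE` becomes a fixed `0x20000000` instead of `randomize_et_dyn(0x20000000)`, and the arch/powerpc/kernel/process.c hunk deletes `randomize_et_dyn()` and `arch_randomize_brk()` outright, so PIE-base and brk randomization for that configuration now depend entirely on PaX code not shown on this page. If that is intended, say so at the define, e.g. `/* non-PaX builds get a fixed ET_DYN base; randomization is provided only under CONFIG_PAX_ASLR via PAX_DELTA_* */`; otherwise the non-PaX configuration silently loses the randomization upstream provided. Either way the rationale should be recorded here, because a reader of this header cannot tell from the `#ifdef` alone.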
2077 diff -urNp linux-2.6.31/arch/powerpc/include/asm/kmap_types.h linux-2.6.31/arch/powerpc/include/asm/kmap_types.h
2078 --- linux-2.6.31/arch/powerpc/include/asm/kmap_types.h 2009-08-27 20:59:04.000000000 -0400
2079 +++ linux-2.6.31/arch/powerpc/include/asm/kmap_types.h 2009-09-06 15:29:11.127199153 -0400
2080 @@ -26,6 +26,7 @@ enum km_type {
2088 diff -urNp linux-2.6.31/arch/powerpc/include/asm/page_64.h linux-2.6.31/arch/powerpc/include/asm/page_64.h
2089 --- linux-2.6.31/arch/powerpc/include/asm/page_64.h 2009-08-27 20:59:04.000000000 -0400
2090 +++ linux-2.6.31/arch/powerpc/include/asm/page_64.h 2009-09-06 15:29:11.127199153 -0400
2091 @@ -170,15 +170,18 @@ do { \
2092 * stack by default, so in the absense of a PT_GNU_STACK program header
2093 * we turn execute permission off.
2095 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2096 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2097 +#define VM_STACK_DEFAULT_FLAGS32 \
2098 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2099 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2101 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2102 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2104 +#ifndef CONFIG_PAX_PAGEEXEC
2105 #define VM_STACK_DEFAULT_FLAGS \
2106 (test_thread_flag(TIF_32BIT) ? \
2107 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2110 #include <asm-generic/getorder.h>
2112 diff -urNp linux-2.6.31/arch/powerpc/include/asm/page.h linux-2.6.31/arch/powerpc/include/asm/page.h
2113 --- linux-2.6.31/arch/powerpc/include/asm/page.h 2009-08-27 20:59:04.000000000 -0400
2114 +++ linux-2.6.31/arch/powerpc/include/asm/page.h 2009-09-06 15:29:11.127199153 -0400
2115 @@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
2116 * and needs to be executable. This means the whole heap ends
2117 * up being executable.
2119 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2120 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2121 +#define VM_DATA_DEFAULT_FLAGS32 \
2122 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2123 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2125 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2126 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
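Review bot: The context comment just above the define still says the 32-bit heap `needs to be executable. This means the whole heap ends up being executable`, but `VM_DATA_DEFAULT_FLAGS32` now sets `VM_EXEC` only when the task's personality has `READ_IMPLIES_EXEC`, so the comment describes the old behaviour. Update it to something like `/* 32-bit: data/heap is executable only for READ_IMPLIES_EXEC personalities; otherwise it is mapped RW without VM_EXEC */`. The same conditional is introduced for `VM_STACK_DEFAULT_FLAGS32` in the arch/powerpc/include/asm/page_64.h hunk, whose surrounding comment ("we turn execute permission off") is consistent with the new code.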
2127 diff -urNp linux-2.6.31/arch/powerpc/include/asm/uaccess.h linux-2.6.31/arch/powerpc/include/asm/uaccess.h
2128 --- linux-2.6.31/arch/powerpc/include/asm/uaccess.h 2009-08-27 20:59:04.000000000 -0400
2129 +++ linux-2.6.31/arch/powerpc/include/asm/uaccess.h 2009-09-06 15:29:11.128195812 -0400
2130 @@ -334,6 +334,9 @@ static inline unsigned long copy_from_us
2134 + if (((long)n < 0) || (n > INT_MAX))
2137 if (access_ok(VERIFY_READ, from, n))
2138 return __copy_tofrom_user((__force void __user *)to, from, n);
2139 if ((unsigned long)from < TASK_SIZE) {
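Review bot: In the new guard `if (((long)n < 0) || (n > INT_MAX))` the first clause is redundant: `n` is `unsigned long`, and any value whose sign bit is set as `long` is already greater than `INT_MAX` on both 32-bit and 64-bit powerpc, so `if (n > INT_MAX)` states the same check once. More importantly the intent is undocumented; a comment such as `/* a length above INT_MAX is almost certainly a negated or wrapped size: refuse it rather than copy gigabytes */` would explain why a caller's argument is rejected. The statement executed on the rejected path is not shown in this rendering (presumably `return n;`, i.e. report nothing copied), and the same guard is repeated in the copy_to_user hunk below and twice in the arch/powerpc/lib/usercopy_64.c hunks.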
2140 @@ -349,6 +352,9 @@ static inline unsigned long copy_to_user
2144 + if (((long)n < 0) || (n > INT_MAX))
2147 if (access_ok(VERIFY_WRITE, to, n))
2148 return __copy_tofrom_user(to, (__force void __user *)from, n);
2149 if ((unsigned long)to < TASK_SIZE) {
2150 diff -urNp linux-2.6.31/arch/powerpc/kernel/module_32.c linux-2.6.31/arch/powerpc/kernel/module_32.c
2151 --- linux-2.6.31/arch/powerpc/kernel/module_32.c 2009-08-27 20:59:04.000000000 -0400
2152 +++ linux-2.6.31/arch/powerpc/kernel/module_32.c 2009-09-06 15:29:11.128195812 -0400
2153 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2154 me->arch.core_plt_section = i;
2156 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2157 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2158 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2162 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2164 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2165 /* Init, or core PLT? */
2166 - if (location >= mod->module_core
2167 - && location < mod->module_core + mod->core_size)
2168 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2169 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2170 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2172 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2173 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2174 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2176 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2180 /* Find this entry, or if that fails, the next avail. entry */
2181 while (entry->jump[0]) {
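Review bot: The new `else` path logs `invalid R_PPC_REL24 entry found`, but the statements between that printk and `while (entry->jump[0])` are not visible in this rendering; unless the branch returns, `entry` reaches the loop without having been assigned (its declaration is in the part of do_plt_call() that begins before the hunk). Please confirm the branch bails out with an error value, and consider noting why two address ranges now map to each PLT with `/* module memory is split into rx/rw halves; either half selects the core (or init) PLT */`. The earlier hunk's `printk("Module %s doesn't contain ...")` still carries no KERN_* level; `KERN_ERR` would match the new message.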
2182 diff -urNp linux-2.6.31/arch/powerpc/kernel/process.c linux-2.6.31/arch/powerpc/kernel/process.c
2183 --- linux-2.6.31/arch/powerpc/kernel/process.c 2009-08-27 20:59:04.000000000 -0400
2184 +++ linux-2.6.31/arch/powerpc/kernel/process.c 2009-09-06 15:29:11.128195812 -0400
2185 @@ -1147,36 +1147,3 @@ unsigned long arch_align_stack(unsigned
2186 sp -= get_random_int() & ~PAGE_MASK;
2190 -static inline unsigned long brk_rnd(void)
2192 - unsigned long rnd = 0;
2194 - /* 8MB for 32bit, 1GB for 64bit */
2195 - if (is_32bit_task())
2196 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2198 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2200 - return rnd << PAGE_SHIFT;
2203 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2205 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
2207 - if (ret < mm->brk)
2213 -unsigned long randomize_et_dyn(unsigned long base)
2215 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2222 diff -urNp linux-2.6.31/arch/powerpc/kernel/setup-common.c linux-2.6.31/arch/powerpc/kernel/setup-common.c
2223 --- linux-2.6.31/arch/powerpc/kernel/setup-common.c 2009-08-27 20:59:04.000000000 -0400
2224 +++ linux-2.6.31/arch/powerpc/kernel/setup-common.c 2009-09-06 15:29:11.129483683 -0400
2225 @@ -328,7 +328,7 @@ static void c_stop(struct seq_file *m, v
2229 -struct seq_operations cpuinfo_op = {
2230 +const struct seq_operations cpuinfo_op = {
2234 diff -urNp linux-2.6.31/arch/powerpc/kernel/signal_32.c linux-2.6.31/arch/powerpc/kernel/signal_32.c
2235 --- linux-2.6.31/arch/powerpc/kernel/signal_32.c 2009-08-27 20:59:04.000000000 -0400
2236 +++ linux-2.6.31/arch/powerpc/kernel/signal_32.c 2009-09-06 15:29:11.130176500 -0400
2237 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2238 /* Save user registers on the stack */
2239 frame = &rt_sf->uc.uc_mcontext;
2241 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2242 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2243 if (save_user_regs(regs, frame, 0, 1))
2245 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
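Review bot: `vdso_base != ~0UL` is only correct if every path that leaves the vDSO unmapped now stores `~0UL`; the arch/powerpc/kernel/vdso.c hunk does so on its disabled path, but an mm whose `context.vdso_base` still holds the zeroed default (for instance if arch_setup_additional_pages() returns before that assignment, which lies outside the hunk) would now pass this test and compute `regs->link` from base 0, where the old `vdso_base` test fell back to the on-stack trampoline. The reason 0 can no longer serve as the sentinel is not stated anywhere on the page; a comment at both sites, e.g. `/* vdso_base is ~0UL (not 0) when no vDSO is mapped */`, plus a check that the mm initialisation path sets the field to `~0UL` as well, would close that gap. The same test appears in the arch/powerpc/kernel/signal_64.c hunk.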
2246 diff -urNp linux-2.6.31/arch/powerpc/kernel/signal_64.c linux-2.6.31/arch/powerpc/kernel/signal_64.c
2247 --- linux-2.6.31/arch/powerpc/kernel/signal_64.c 2009-08-27 20:59:04.000000000 -0400
2248 +++ linux-2.6.31/arch/powerpc/kernel/signal_64.c 2009-09-06 15:29:11.131193763 -0400
2249 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2250 current->thread.fpscr.val = 0;
2252 /* Set up to return from userspace. */
2253 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2254 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2255 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2257 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2258 diff -urNp linux-2.6.31/arch/powerpc/kernel/vdso.c linux-2.6.31/arch/powerpc/kernel/vdso.c
2259 --- linux-2.6.31/arch/powerpc/kernel/vdso.c 2009-08-27 20:59:04.000000000 -0400
2260 +++ linux-2.6.31/arch/powerpc/kernel/vdso.c 2009-09-06 15:29:11.132155857 -0400
2261 @@ -211,7 +211,7 @@ int arch_setup_additional_pages(struct l
2262 vdso_base = VDSO32_MBASE;
2265 - current->mm->context.vdso_base = 0;
2266 + current->mm->context.vdso_base = ~0UL;
2268 /* vDSO has a problem and was disabled, just don't "enable" it for the
2270 @@ -228,7 +228,7 @@ int arch_setup_additional_pages(struct l
2272 down_write(&mm->mmap_sem);
2273 vdso_base = get_unmapped_area(NULL, vdso_base,
2274 - vdso_pages << PAGE_SHIFT, 0, 0);
2275 + vdso_pages << PAGE_SHIFT, 0, MAP_PRIVATE | MAP_EXECUTABLE);
2276 if (IS_ERR_VALUE(vdso_base)) {
2279 diff -urNp linux-2.6.31/arch/powerpc/kvm/timing.c linux-2.6.31/arch/powerpc/kvm/timing.c
2280 --- linux-2.6.31/arch/powerpc/kvm/timing.c 2009-08-27 20:59:04.000000000 -0400
2281 +++ linux-2.6.31/arch/powerpc/kvm/timing.c 2009-09-06 15:29:11.133165937 -0400
2282 @@ -201,7 +201,7 @@ static int kvmppc_exit_timing_open(struc
2283 return single_open(file, kvmppc_exit_timing_show, inode->i_private);
2286 -static struct file_operations kvmppc_exit_timing_fops = {
2287 +static const struct file_operations kvmppc_exit_timing_fops = {
2288 .owner = THIS_MODULE,
2289 .open = kvmppc_exit_timing_open,
2291 diff -urNp linux-2.6.31/arch/powerpc/lib/usercopy_64.c linux-2.6.31/arch/powerpc/lib/usercopy_64.c
2292 --- linux-2.6.31/arch/powerpc/lib/usercopy_64.c 2009-08-27 20:59:04.000000000 -0400
2293 +++ linux-2.6.31/arch/powerpc/lib/usercopy_64.c 2009-09-06 15:29:11.133165937 -0400
2296 unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2298 + if (unlikely(((long)n < 0) || (n > INT_MAX)))
2301 if (likely(access_ok(VERIFY_READ, from, n)))
2302 n = __copy_from_user(to, from, n);
2304 @@ -20,6 +23,9 @@ unsigned long copy_from_user(void *to, c
2306 unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2308 + if (unlikely(((long)n < 0) || (n > INT_MAX)))
2311 if (likely(access_ok(VERIFY_WRITE, to, n)))
2312 n = __copy_to_user(to, from, n);
2314 diff -urNp linux-2.6.31/arch/powerpc/mm/fault.c linux-2.6.31/arch/powerpc/mm/fault.c
2315 --- linux-2.6.31/arch/powerpc/mm/fault.c 2009-08-27 20:59:04.000000000 -0400
2316 +++ linux-2.6.31/arch/powerpc/mm/fault.c 2009-09-06 15:29:11.134171215 -0400
2318 #include <linux/kprobes.h>
2319 #include <linux/kdebug.h>
2320 #include <linux/perf_counter.h>
2321 +#include <linux/slab.h>
2322 +#include <linux/pagemap.h>
2323 +#include <linux/compiler.h>
2324 +#include <linux/unistd.h>
2326 #include <asm/firmware.h>
2327 #include <asm/page.h>
2328 @@ -64,6 +68,363 @@ static inline int notify_page_fault(stru
2332 +#ifdef CONFIG_PAX_EMUSIGRT
2333 +void pax_syscall_close(struct vm_area_struct *vma)
2335 + vma->vm_mm->call_syscall = 0UL;
2338 +static int pax_syscall_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
2340 + unsigned int *kaddr;
2342 + vmf->page = alloc_page(GFP_HIGHUSER);
2344 + return VM_FAULT_OOM;
2346 + kaddr = kmap(vmf->page);
2347 + memset(kaddr, 0, PAGE_SIZE);
2348 + kaddr[0] = 0x44000002U; /* sc */
2349 + __flush_dcache_icache(kaddr);
2350 + kunmap(vmf->page);
2351 + return VM_FAULT_MAJOR;
2354 +static const struct vm_operations_struct pax_vm_ops = {
2355 + .close = pax_syscall_close,
2356 + .fault = pax_syscall_fault
2359 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
2363 + vma->vm_mm = current->mm;
2364 + vma->vm_start = addr;
2365 + vma->vm_end = addr + PAGE_SIZE;
2366 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
2367 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
2368 + vma->vm_ops = &pax_vm_ops;
2370 + ret = insert_vm_struct(current->mm, vma);
2374 + ++current->mm->total_vm;
2379 +#ifdef CONFIG_PAX_PAGEEXEC
2381 + * PaX: decide what to do with offenders (regs->nip = fault address)
2383 + * returns 1 when task should be killed
2384 + * 2 when patched GOT trampoline was detected
2385 + * 3 when patched PLT trampoline was detected
2386 + * 4 when unpatched PLT trampoline was detected
2387 + * 5 when sigreturn trampoline was detected
2388 + * 6 when rt_sigreturn trampoline was detected
2390 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2393 +#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
2397 +#ifdef CONFIG_PAX_EMUPLT
2398 + do { /* PaX: patched GOT emulation */
2399 + unsigned int blrl;
2401 + err = get_user(blrl, (unsigned int *)regs->nip);
2403 + if (!err && blrl == 0x4E800021U) {
2404 + unsigned long temp = regs->nip;
2406 + regs->nip = regs->link & 0xFFFFFFFCUL;
2407 + regs->link = temp + 4UL;
2412 + do { /* PaX: patched PLT emulation #1 */
2415 + err = get_user(b, (unsigned int *)regs->nip);
2417 + if (!err && (b & 0xFC000003U) == 0x48000000U) {
2418 + regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
2423 + do { /* PaX: unpatched PLT emulation #1 */
2424 + unsigned int li, b;
2426 + err = get_user(li, (unsigned int *)regs->nip);
2427 + err |= get_user(b, (unsigned int *)(regs->nip+4));
2429 + if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
2430 + unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
2431 + unsigned long addr = b | 0xFC000000UL;
2433 + addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
2434 + err = get_user(rlwinm, (unsigned int *)addr);
2435 + err |= get_user(add, (unsigned int *)(addr+4));
2436 + err |= get_user(li2, (unsigned int *)(addr+8));
2437 + err |= get_user(addis2, (unsigned int *)(addr+12));
2438 + err |= get_user(mtctr, (unsigned int *)(addr+16));
2439 + err |= get_user(li3, (unsigned int *)(addr+20));
2440 + err |= get_user(addis3, (unsigned int *)(addr+24));
2441 + err |= get_user(bctr, (unsigned int *)(addr+28));
2446 + if (rlwinm == 0x556C083CU &&
2447 + add == 0x7D6C5A14U &&
2448 + (li2 & 0xFFFF0000U) == 0x39800000U &&
2449 + (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
2450 + mtctr == 0x7D8903A6U &&
2451 + (li3 & 0xFFFF0000U) == 0x39800000U &&
2452 + (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
2453 + bctr == 0x4E800420U)
2455 + regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
2456 + regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
2457 + regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
2458 + regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
2459 + regs->ctr += (addis2 & 0xFFFFU) << 16;
2460 + regs->nip = regs->ctr;
2467 + do { /* PaX: unpatched PLT emulation #2 */
2468 + unsigned int lis, lwzu, b, bctr;
2470 + err = get_user(lis, (unsigned int *)regs->nip);
2471 + err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
2472 + err |= get_user(b, (unsigned int *)(regs->nip+8));
2473 + err |= get_user(bctr, (unsigned int *)(regs->nip+12));
2478 + if ((lis & 0xFFFF0000U) == 0x39600000U &&
2479 + (lwzu & 0xU) == 0xU &&
2480 + (b & 0xFC000003U) == 0x48000000U &&
2481 + bctr == 0x4E800420U)
2483 + unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
2484 + unsigned long addr = b | 0xFC000000UL;
2486 + addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
2487 + err = get_user(addis, (unsigned int *)addr);
2488 + err |= get_user(addi, (unsigned int *)(addr+4));
2489 + err |= get_user(rlwinm, (unsigned int *)(addr+8));
2490 + err |= get_user(add, (unsigned int *)(addr+12));
2491 + err |= get_user(li2, (unsigned int *)(addr+16));
2492 + err |= get_user(addis2, (unsigned int *)(addr+20));
2493 + err |= get_user(mtctr, (unsigned int *)(addr+24));
2494 + err |= get_user(li3, (unsigned int *)(addr+28));
2495 + err |= get_user(addis3, (unsigned int *)(addr+32));
2496 + err |= get_user(bctr, (unsigned int *)(addr+36));
2501 + if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
2502 + (addi & 0xFFFF0000U) == 0x396B0000U &&
2503 + rlwinm == 0x556C083CU &&
2504 + add == 0x7D6C5A14U &&
2505 + (li2 & 0xFFFF0000U) == 0x39800000U &&
2506 + (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
2507 + mtctr == 0x7D8903A6U &&
2508 + (li3 & 0xFFFF0000U) == 0x39800000U &&
2509 + (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
2510 + bctr == 0x4E800420U)
2512 + regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
2513 + regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
2514 + regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
2515 + regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
2516 + regs->ctr += (addis2 & 0xFFFFU) << 16;
2517 + regs->nip = regs->ctr;
2524 + do { /* PaX: unpatched PLT emulation #3 */
2525 + unsigned int li, b;
2527 + err = get_user(li, (unsigned int *)regs->nip);
2528 + err |= get_user(b, (unsigned int *)(regs->nip+4));
2530 + if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
2531 + unsigned int addis, lwz, mtctr, bctr;
2532 + unsigned long addr = b | 0xFC000000UL;
2534 + addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
2535 + err = get_user(addis, (unsigned int *)addr);
2536 + err |= get_user(lwz, (unsigned int *)(addr+4));
2537 + err |= get_user(mtctr, (unsigned int *)(addr+8));
2538 + err |= get_user(bctr, (unsigned int *)(addr+12));
2543 + if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
2544 + (lwz & 0xFFFF0000U) == 0x816B0000U &&
2545 + mtctr == 0x7D6903A6U &&
2546 + bctr == 0x4E800420U)
2550 + addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
2551 + addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
2553 + err = get_user(r11, (unsigned int *)addr);
2557 + regs->gpr[PT_R11] = r11;
2566 +#ifdef CONFIG_PAX_EMUSIGRT
2567 + do { /* PaX: sigreturn emulation */
2568 + unsigned int li, sc;
2570 + err = get_user(li, (unsigned int *)regs->nip);
2571 + err |= get_user(sc, (unsigned int *)(regs->nip+4));
2573 + if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
2574 + struct vm_area_struct *vma;
2575 + unsigned long call_syscall;
2577 + down_read(¤t->mm->mmap_sem);
2578 + call_syscall = current->mm->call_syscall;
2579 + up_read(¤t->mm->mmap_sem);
2580 + if (likely(call_syscall))
2583 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
2585 + down_write(¤t->mm->mmap_sem);
2586 + if (current->mm->call_syscall) {
2587 + call_syscall = current->mm->call_syscall;
2588 + up_write(¤t->mm->mmap_sem);
2590 + kmem_cache_free(vm_area_cachep, vma);
2594 + call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
2595 + if (!vma || (call_syscall & ~PAGE_MASK)) {
2596 + up_write(¤t->mm->mmap_sem);
2598 + kmem_cache_free(vm_area_cachep, vma);
2602 + if (pax_insert_vma(vma, call_syscall)) {
2603 + up_write(¤t->mm->mmap_sem);
2604 + kmem_cache_free(vm_area_cachep, vma);
2608 + current->mm->call_syscall = call_syscall;
2609 + up_write(¤t->mm->mmap_sem);
2612 + regs->gpr[PT_R0] = __NR_sigreturn;
2613 + regs->nip = call_syscall;
2618 + do { /* PaX: rt_sigreturn emulation */
2619 + unsigned int li, sc;
2621 + err = get_user(li, (unsigned int *)regs->nip);
2622 + err |= get_user(sc, (unsigned int *)(regs->nip+4));
2624 + if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
2625 + struct vm_area_struct *vma;
2626 + unsigned int call_syscall;
2628 + down_read(¤t->mm->mmap_sem);
2629 + call_syscall = current->mm->call_syscall;
2630 + up_read(¤t->mm->mmap_sem);
2631 + if (likely(call_syscall))
2634 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
2636 + down_write(¤t->mm->mmap_sem);
2637 + if (current->mm->call_syscall) {
2638 + call_syscall = current->mm->call_syscall;
2639 + up_write(¤t->mm->mmap_sem);
2641 + kmem_cache_free(vm_area_cachep, vma);
2645 + call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
2646 + if (!vma || (call_syscall & ~PAGE_MASK)) {
2647 + up_write(¤t->mm->mmap_sem);
2649 + kmem_cache_free(vm_area_cachep, vma);
2653 + if (pax_insert_vma(vma, call_syscall)) {
2654 + up_write(¤t->mm->mmap_sem);
2655 + kmem_cache_free(vm_area_cachep, vma);
2659 + current->mm->call_syscall = call_syscall;
2660 + up_write(¤t->mm->mmap_sem);
2663 + regs->gpr[PT_R0] = __NR_rt_sigreturn;
2664 + regs->nip = call_syscall;
2673 +void pax_report_insns(void *pc, void *sp)
2677 + printk(KERN_ERR "PAX: bytes at PC: ");
2678 + for (i = 0; i < 5; i++) {
2680 + if (get_user(c, (unsigned int *)pc+i))
2681 + printk(KERN_CONT "???????? ");
2683 + printk(KERN_CONT "%08x ", c);
2690 * Check whether the instruction at regs->nip is a store using
2691 * an update addressing form which will update r1.
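Review bot: In the rt_sigreturn emulation block `unsigned int call_syscall;` holds the page address returned by get_unmapped_area() and is later written to `regs->nip`, whereas the sigreturn block above declares the same variable `unsigned long call_syscall;` (and `mm->call_syscall` is assigned `0UL` in pax_syscall_close()); on ppc64 the 32-bit local truncates any user address above 4 GiB before it reaches `regs->nip`, so it should read `unsigned long call_syscall;`. Separately, `(lwzu & 0xU) == 0xU &&` in the "unpatched PLT emulation #2" block is not a valid C literal: if that block is compiled at all (a disabling preprocessor guard may be among the lines this rendering omits) it cannot build, and if it is intentionally disabled the placeholder should carry `/* TODO: lwzu mask/opcode not yet determined */` so it is not mistaken for live code. The sigreturn and rt_sigreturn blocks are otherwise identical apart from the syscall number; a helper taking the number would remove the duplication and this kind of drift.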
2692 @@ -134,7 +495,7 @@ int __kprobes do_page_fault(struct pt_re
2693 * indicate errors in DSISR but can validly be set in SRR1.
2696 - error_code &= 0x48200000;
2697 + error_code &= 0x58200000;
2699 is_write = error_code & DSISR_ISSTORE;
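Review bot: The mask literal grows from `0x48200000` to `0x58200000` with no comment, while the context comment above still explains only the original bits. Name the added bit so the intent survives, e.g. `error_code &= 0x58200000; /* + 0x10000000: no-execute fetch bit (SRR1_ISI_N_OR_G), kept for the PAGEEXEC handling in bad_area */` — assuming that is the bit meant; the PPC64 test in the bad_area hunk below checks `DSISR_PROTFAULT`, so the consumer of the new bit is not visible on this page and should be confirmed.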
2701 @@ -335,6 +696,37 @@ bad_area:
2702 bad_area_nosemaphore:
2703 /* User mode accesses cause a SIGSEGV */
2704 if (user_mode(regs)) {
2706 +#ifdef CONFIG_PAX_PAGEEXEC
2707 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2708 +#ifdef CONFIG_PPC64
2709 + if (is_exec && (error_code & DSISR_PROTFAULT)) {
2711 + if (is_exec && regs->nip == address) {
2713 + switch (pax_handle_fetch_fault(regs)) {
2715 +#ifdef CONFIG_PAX_EMUPLT
2722 +#ifdef CONFIG_PAX_EMUSIGRT
2730 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2731 + do_group_exit(SIGKILL);
2736 _exception(SIGSEGV, regs, code, address);
2739 diff -urNp linux-2.6.31/arch/powerpc/mm/mmap_64.c linux-2.6.31/arch/powerpc/mm/mmap_64.c
2740 --- linux-2.6.31/arch/powerpc/mm/mmap_64.c 2009-08-27 20:59:04.000000000 -0400
2741 +++ linux-2.6.31/arch/powerpc/mm/mmap_64.c 2009-09-06 15:29:11.135151676 -0400
2742 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2744 if (mmap_is_legacy()) {
2745 mm->mmap_base = TASK_UNMAPPED_BASE;
2747 +#ifdef CONFIG_PAX_RANDMMAP
2748 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2749 + mm->mmap_base += mm->delta_mmap;
2752 mm->get_unmapped_area = arch_get_unmapped_area;
2753 mm->unmap_area = arch_unmap_area;
2755 mm->mmap_base = mmap_base();
2757 +#ifdef CONFIG_PAX_RANDMMAP
2758 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2759 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2762 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2763 mm->unmap_area = arch_unmap_area_topdown;
2765 diff -urNp linux-2.6.31/arch/powerpc/platforms/cell/spufs/file.c linux-2.6.31/arch/powerpc/platforms/cell/spufs/file.c
2766 --- linux-2.6.31/arch/powerpc/platforms/cell/spufs/file.c 2009-08-27 20:59:04.000000000 -0400
2767 +++ linux-2.6.31/arch/powerpc/platforms/cell/spufs/file.c 2009-09-06 15:29:11.137157502 -0400
2768 @@ -147,7 +147,7 @@ static int __fops ## _open(struct inode
2769 __simple_attr_check_format(__fmt, 0ull); \
2770 return spufs_attr_open(inode, file, __get, __set, __fmt); \
2772 -static struct file_operations __fops = { \
2773 +static const struct file_operations __fops = { \
2774 .owner = THIS_MODULE, \
2775 .open = __fops ## _open, \
2776 .release = spufs_attr_release, \
2777 @@ -309,7 +309,7 @@ static int spufs_mem_mmap_access(struct
2781 -static struct vm_operations_struct spufs_mem_mmap_vmops = {
2782 +static const struct vm_operations_struct spufs_mem_mmap_vmops = {
2783 .fault = spufs_mem_mmap_fault,
2784 .access = spufs_mem_mmap_access,
2786 @@ -436,7 +436,7 @@ static int spufs_cntl_mmap_fault(struct
2787 return spufs_ps_fault(vma, vmf, 0x4000, SPUFS_CNTL_MAP_SIZE);
2790 -static struct vm_operations_struct spufs_cntl_mmap_vmops = {
2791 +static const struct vm_operations_struct spufs_cntl_mmap_vmops = {
2792 .fault = spufs_cntl_mmap_fault,
2795 @@ -1143,7 +1143,7 @@ spufs_signal1_mmap_fault(struct vm_area_
2799 -static struct vm_operations_struct spufs_signal1_mmap_vmops = {
2800 +static const struct vm_operations_struct spufs_signal1_mmap_vmops = {
2801 .fault = spufs_signal1_mmap_fault,
2804 @@ -1279,7 +1279,7 @@ spufs_signal2_mmap_fault(struct vm_area_
2808 -static struct vm_operations_struct spufs_signal2_mmap_vmops = {
2809 +static const struct vm_operations_struct spufs_signal2_mmap_vmops = {
2810 .fault = spufs_signal2_mmap_fault,
2813 @@ -1397,7 +1397,7 @@ spufs_mss_mmap_fault(struct vm_area_stru
2814 return spufs_ps_fault(vma, vmf, 0x0000, SPUFS_MSS_MAP_SIZE);
2817 -static struct vm_operations_struct spufs_mss_mmap_vmops = {
2818 +static const struct vm_operations_struct spufs_mss_mmap_vmops = {
2819 .fault = spufs_mss_mmap_fault,
2822 @@ -1458,7 +1458,7 @@ spufs_psmap_mmap_fault(struct vm_area_st
2823 return spufs_ps_fault(vma, vmf, 0x0000, SPUFS_PS_MAP_SIZE);
2826 -static struct vm_operations_struct spufs_psmap_mmap_vmops = {
2827 +static const struct vm_operations_struct spufs_psmap_mmap_vmops = {
2828 .fault = spufs_psmap_mmap_fault,
2831 @@ -1517,7 +1517,7 @@ spufs_mfc_mmap_fault(struct vm_area_stru
2832 return spufs_ps_fault(vma, vmf, 0x3000, SPUFS_MFC_MAP_SIZE);
2835 -static struct vm_operations_struct spufs_mfc_mmap_vmops = {
2836 +static const struct vm_operations_struct spufs_mfc_mmap_vmops = {
2837 .fault = spufs_mfc_mmap_fault,
2840 diff -urNp linux-2.6.31/arch/powerpc/platforms/pseries/dtl.c linux-2.6.31/arch/powerpc/platforms/pseries/dtl.c
2841 --- linux-2.6.31/arch/powerpc/platforms/pseries/dtl.c 2009-08-27 20:59:04.000000000 -0400
2842 +++ linux-2.6.31/arch/powerpc/platforms/pseries/dtl.c 2009-09-06 15:29:11.137157502 -0400
2843 @@ -209,7 +209,7 @@ static ssize_t dtl_file_read(struct file
2844 return n_read * sizeof(struct dtl_entry);
2847 -static struct file_operations dtl_fops = {
2848 +static const struct file_operations dtl_fops = {
2849 .open = dtl_file_open,
2850 .release = dtl_file_release,
2851 .read = dtl_file_read,
2852 diff -urNp linux-2.6.31/arch/powerpc/platforms/pseries/hvCall_inst.c linux-2.6.31/arch/powerpc/platforms/pseries/hvCall_inst.c
2853 --- linux-2.6.31/arch/powerpc/platforms/pseries/hvCall_inst.c 2009-08-27 20:59:04.000000000 -0400
2854 +++ linux-2.6.31/arch/powerpc/platforms/pseries/hvCall_inst.c 2009-09-06 15:29:11.138157349 -0400
2855 @@ -71,7 +71,7 @@ static int hc_show(struct seq_file *m, v
2859 -static struct seq_operations hcall_inst_seq_ops = {
2860 +static const struct seq_operations hcall_inst_seq_ops = {
2864 diff -urNp linux-2.6.31/arch/s390/hypfs/inode.c linux-2.6.31/arch/s390/hypfs/inode.c
2865 --- linux-2.6.31/arch/s390/hypfs/inode.c 2009-08-27 20:59:04.000000000 -0400
2866 +++ linux-2.6.31/arch/s390/hypfs/inode.c 2009-09-06 15:29:11.139185055 -0400
2867 @@ -41,7 +41,7 @@ struct hypfs_sb_info {
2869 static const struct file_operations hypfs_file_ops;
2870 static struct file_system_type hypfs_type;
2871 -static struct super_operations hypfs_s_ops;
2872 +static const struct super_operations hypfs_s_ops;
2874 /* start of list of all dentries, which have to be deleted on update */
2875 static struct dentry *hypfs_last_dentry;
2876 @@ -476,7 +476,7 @@ static struct file_system_type hypfs_typ
2877 .kill_sb = hypfs_kill_super
2880 -static struct super_operations hypfs_s_ops = {
2881 +static const struct super_operations hypfs_s_ops = {
2882 .statfs = simple_statfs,
2883 .drop_inode = hypfs_drop_inode,
2884 .show_options = hypfs_show_options,
2885 diff -urNp linux-2.6.31/arch/s390/include/asm/atomic.h linux-2.6.31/arch/s390/include/asm/atomic.h
2886 --- linux-2.6.31/arch/s390/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
2887 +++ linux-2.6.31/arch/s390/include/asm/atomic.h 2009-09-11 22:40:25.655434064 -0400
2888 @@ -71,19 +71,31 @@ static inline int atomic_read(const atom
2892 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
2894 + return atomic_read((const atomic_t *)v);
2897 static inline void atomic_set(atomic_t *v, int i)
2903 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
2905 + atomic_set((atomic_t *)v, i);
2908 static __inline__ int atomic_add_return(int i, atomic_t * v)
2910 return __CS_LOOP(v, i, "ar");
2912 #define atomic_add(_i, _v) atomic_add_return(_i, _v)
2913 +#define atomic_add_unchecked(_i, _v) atomic_add((_i), (atomic_t *)(_v))
2914 #define atomic_add_negative(_i, _v) (atomic_add_return(_i, _v) < 0)
2915 #define atomic_inc(_v) atomic_add_return(1, _v)
2916 +#define atomic_inc_unchecked(_v) atomic_inc((atomic_t *)(_v))
2917 #define atomic_inc_return(_v) atomic_add_return(1, _v)
2918 #define atomic_inc_and_test(_v) (atomic_add_return(1, _v) == 0)
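Review bot: `atomic_read_unchecked` and `atomic_set_unchecked`, and the `atomic_add_unchecked`/`atomic_inc_unchecked`/`atomic_sub_unchecked` macros here and in the next hunk, reach the plain implementation by casting `atomic_unchecked_t *` to `atomic_t *`; that is only sound if the two structs share a layout, and nothing on the new side states or enforces it. A `BUILD_BUG_ON(sizeof(atomic_unchecked_t) != sizeof(atomic_t))` next to the type definition (not in view), or at least a comment at the first `_unchecked` definition, would pin the assumption, e.g. `/* *_unchecked: same operation on an atomic_unchecked_t; relies on it having the layout of atomic_t */`. The same cast pattern appears in the sh atomic.h, sparc atomic_32.h, sparc atomic_64.h and sparc lib/atomic32.c hunks further down, so one such comment per header is enough. The new side also never says what "unchecked" means relative to the plain variants, which the next reader will want.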
2920 @@ -92,6 +104,7 @@ static __inline__ int atomic_sub_return(
2921 return __CS_LOOP(v, i, "sr");
2923 #define atomic_sub(_i, _v) atomic_sub_return(_i, _v)
2924 +#define atomic_sub_unchecked(_i, _v) atomic_sub((_i), (atomic_t *)(_v))
2925 #define atomic_sub_and_test(_i, _v) (atomic_sub_return(_i, _v) == 0)
2926 #define atomic_dec(_v) atomic_sub_return(1, _v)
2927 #define atomic_dec_return(_v) atomic_sub_return(1, _v)
2928 diff -urNp linux-2.6.31/arch/s390/include/asm/uaccess.h linux-2.6.31/arch/s390/include/asm/uaccess.h
2929 --- linux-2.6.31/arch/s390/include/asm/uaccess.h 2009-08-27 20:59:04.000000000 -0400
2930 +++ linux-2.6.31/arch/s390/include/asm/uaccess.h 2009-09-06 15:29:11.141155282 -0400
2931 @@ -232,6 +232,10 @@ static inline unsigned long __must_check
2932 copy_to_user(void __user *to, const void *from, unsigned long n)
2939 if (access_ok(VERIFY_WRITE, to, n))
2940 n = __copy_to_user(to, from, n);
2942 @@ -257,6 +261,9 @@ copy_to_user(void __user *to, const void
2943 static inline unsigned long __must_check
2944 __copy_from_user(void *to, const void __user *from, unsigned long n)
2949 if (__builtin_constant_p(n) && (n <= 256))
2950 return uaccess.copy_from_user_small(n, from, to);
2952 @@ -283,6 +290,10 @@ static inline unsigned long __must_check
2953 copy_from_user(void *to, const void __user *from, unsigned long n)
2960 if (access_ok(VERIFY_READ, from, n))
2961 n = __copy_from_user(to, from, n);
2963 diff -urNp linux-2.6.31/arch/s390/kernel/module.c linux-2.6.31/arch/s390/kernel/module.c
2964 --- linux-2.6.31/arch/s390/kernel/module.c 2009-08-27 20:59:04.000000000 -0400
2965 +++ linux-2.6.31/arch/s390/kernel/module.c 2009-09-06 15:29:11.145235149 -0400
2966 @@ -164,11 +164,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2968 /* Increase core size by size of got & plt and set start
2969 offsets for got and plt. */
2970 - me->core_size = ALIGN(me->core_size, 4);
2971 - me->arch.got_offset = me->core_size;
2972 - me->core_size += me->arch.got_size;
2973 - me->arch.plt_offset = me->core_size;
2974 - me->core_size += me->arch.plt_size;
2975 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
2976 + me->arch.got_offset = me->core_size_rw;
2977 + me->core_size_rw += me->arch.got_size;
2978 + me->arch.plt_offset = me->core_size_rx;
2979 + me->core_size_rx += me->arch.plt_size;
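Review bot: `me->arch.plt_offset = me->core_size_rx;` takes the PLT offset from the RX size without aligning it first, whereas the original aligned `core_size` to 4 before deriving both offsets and the new code keeps that alignment only for `core_size_rw`/`got_offset`. The PLT slots are later written as instruction words through `unsigned int` stores in apply_rela (`ip[0] = 0x0d105810`), so unless core_size_rx is guaranteed 4-aligned by earlier layout code that is not in view, insert `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the plt_offset assignment. The rest of module_frob_arch_sections lies outside the hunk.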
2983 @@ -254,7 +254,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2984 if (info->got_initialized == 0) {
2987 - gotent = me->module_core + me->arch.got_offset +
2988 + gotent = me->module_core_rw + me->arch.got_offset +
2991 info->got_initialized = 1;
2992 @@ -278,7 +278,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2993 else if (r_type == R_390_GOTENT ||
2994 r_type == R_390_GOTPLTENT)
2995 *(unsigned int *) loc =
2996 - (val + (Elf_Addr) me->module_core - loc) >> 1;
2997 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2998 else if (r_type == R_390_GOT64 ||
2999 r_type == R_390_GOTPLT64)
3000 *(unsigned long *) loc = val;
3001 @@ -292,7 +292,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3002 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3003 if (info->plt_initialized == 0) {
3005 - ip = me->module_core + me->arch.plt_offset +
3006 + ip = me->module_core_rx + me->arch.plt_offset +
3008 #ifndef CONFIG_64BIT
3009 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3010 @@ -317,7 +317,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3011 val - loc + 0xffffUL < 0x1ffffeUL) ||
3012 (r_type == R_390_PLT32DBL &&
3013 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3014 - val = (Elf_Addr) me->module_core +
3015 + val = (Elf_Addr) me->module_core_rx +
3016 me->arch.plt_offset +
3018 val += rela->r_addend - loc;
3019 @@ -339,7 +339,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3020 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3021 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3022 val = val + rela->r_addend -
3023 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3024 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3025 if (r_type == R_390_GOTOFF16)
3026 *(unsigned short *) loc = val;
3027 else if (r_type == R_390_GOTOFF32)
3028 @@ -349,7 +349,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3030 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3031 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3032 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3033 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3034 rela->r_addend - loc;
3035 if (r_type == R_390_GOTPC)
3036 *(unsigned int *) loc = val;
3037 diff -urNp linux-2.6.31/arch/sh/include/asm/atomic.h linux-2.6.31/arch/sh/include/asm/atomic.h
3038 --- linux-2.6.31/arch/sh/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
3039 +++ linux-2.6.31/arch/sh/include/asm/atomic.h 2009-09-11 22:42:57.895595838 -0400
3041 #define ATOMIC_INIT(i) ( (atomic_t) { (i) } )
3043 #define atomic_read(v) ((v)->counter)
3044 +#define atomic_read_unchecked(v) ((v)->counter)
3045 #define atomic_set(v,i) ((v)->counter = (i))
3046 +#define atomic_set_unchecked(v,i) ((v)->counter = (i))
3048 #if defined(CONFIG_GUSA_RB)
3049 #include <asm/atomic-grb.h>
3051 #define atomic_dec_and_test(v) (atomic_sub_return(1, (v)) == 0)
3053 #define atomic_inc(v) atomic_add(1,(v))
3054 +#define atomic_inc_unchecked(v) atomic_inc((atomic_t *)(v))
3055 +#define atomic_add_unchecked(i,v) atomic_add((i),(atomic_t *)(v))
3056 +#define atomic_sub_unchecked(i,v) atomic_sub((i),(atomic_t *)(v))
3057 #define atomic_dec(v) atomic_sub(1,(v))
3059 #if !defined(CONFIG_GUSA_RB) && !defined(CONFIG_CPU_SH4A)
3060 diff -urNp linux-2.6.31/arch/sparc/include/asm/atomic_32.h linux-2.6.31/arch/sparc/include/asm/atomic_32.h
3061 --- linux-2.6.31/arch/sparc/include/asm/atomic_32.h 2009-08-27 20:59:04.000000000 -0400
3062 +++ linux-2.6.31/arch/sparc/include/asm/atomic_32.h 2009-09-11 22:43:53.814367715 -0400
3063 @@ -24,12 +24,17 @@ extern int atomic_cmpxchg(atomic_t *, in
3064 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
3065 extern int atomic_add_unless(atomic_t *, int, int);
3066 extern void atomic_set(atomic_t *, int);
3067 +extern void atomic_set_unchecked(atomic_unchecked_t *, int);
3069 #define atomic_read(v) ((v)->counter)
3070 +#define atomic_read_unchecked(v) ((v)->counter)
3072 #define atomic_add(i, v) ((void)__atomic_add_return( (int)(i), (v)))
3073 +#define atomic_add_unchecked(i, v) atomic_add((i), (atomic_t *)(v))
3074 #define atomic_sub(i, v) ((void)__atomic_add_return(-(int)(i), (v)))
3075 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (atomic_t *)(v))
3076 #define atomic_inc(v) ((void)__atomic_add_return( 1, (v)))
3077 +#define atomic_inc_unchecked(v) atomic_inc((atomic_t *)(v))
3078 #define atomic_dec(v) ((void)__atomic_add_return( -1, (v)))
3080 #define atomic_add_return(i, v) (__atomic_add_return( (int)(i), (v)))
3081 diff -urNp linux-2.6.31/arch/sparc/include/asm/atomic_64.h linux-2.6.31/arch/sparc/include/asm/atomic_64.h
3082 --- linux-2.6.31/arch/sparc/include/asm/atomic_64.h 2009-08-27 20:59:04.000000000 -0400
3083 +++ linux-2.6.31/arch/sparc/include/asm/atomic_64.h 2009-09-11 22:44:49.151421500 -0400
3085 #define ATOMIC64_INIT(i) { (i) }
3087 #define atomic_read(v) ((v)->counter)
3088 +#define atomic_read_unchecked(v) ((v)->counter)
3089 #define atomic64_read(v) ((v)->counter)
3091 #define atomic_set(v, i) (((v)->counter) = i)
3092 +#define atomic_set_unchecked(v, i) (((v)->counter) = i)
3093 #define atomic64_set(v, i) (((v)->counter) = i)
3095 extern void atomic_add(int, atomic_t *);
3096 +#define atomic_add_unchecked(i, v) atomic_add((i), (atomic_t *)(v))
3097 extern void atomic64_add(int, atomic64_t *);
3098 extern void atomic_sub(int, atomic_t *);
3099 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (atomic_t *)(v))
3100 extern void atomic64_sub(int, atomic64_t *);
3102 extern int atomic_add_ret(int, atomic_t *);
3103 @@ -59,6 +63,7 @@ extern int atomic64_sub_ret(int, atomic6
3104 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3106 #define atomic_inc(v) atomic_add(1, v)
3107 +#define atomic_inc_unchecked(v) atomic_inc((atomic_t *)(v))
3108 #define atomic64_inc(v) atomic64_add(1, v)
3110 #define atomic_dec(v) atomic_sub(1, v)
3111 diff -urNp linux-2.6.31/arch/sparc/include/asm/elf_32.h linux-2.6.31/arch/sparc/include/asm/elf_32.h
3112 --- linux-2.6.31/arch/sparc/include/asm/elf_32.h 2009-08-27 20:59:04.000000000 -0400
3113 +++ linux-2.6.31/arch/sparc/include/asm/elf_32.h 2009-09-06 15:29:11.148171937 -0400
3114 @@ -116,6 +116,13 @@ typedef struct {
3116 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3118 +#ifdef CONFIG_PAX_ASLR
3119 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3121 +#define PAX_DELTA_MMAP_LEN 16
3122 +#define PAX_DELTA_STACK_LEN 16
3125 /* This yields a mask that user programs can use to figure out what
3126 instruction set this cpu supports. This can NOT be done in userspace
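Review bot: the three new PAX_* constants carry no comment saying what they are; the DELTA_*_LEN values (16 here, 14/28 and 15/29 in the elf_64.h hunk) appear to be bit widths for the `delta_mmap`/`delta_stack` randomisation applied in the sys_sparc_64.c hunks, but nothing on the new side says so. I would add `/* CONFIG_PAX_ASLR: ET_DYN load base and bit widths of the mmap/stack randomisation deltas */` above `#ifdef CONFIG_PAX_ASLR`, and the same line in elf_64.h. The `#endif` closing the block is not visible on this page.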
3128 diff -urNp linux-2.6.31/arch/sparc/include/asm/elf_64.h linux-2.6.31/arch/sparc/include/asm/elf_64.h
3129 --- linux-2.6.31/arch/sparc/include/asm/elf_64.h 2009-08-27 20:59:04.000000000 -0400
3130 +++ linux-2.6.31/arch/sparc/include/asm/elf_64.h 2009-09-06 15:29:11.149172278 -0400
3131 @@ -163,6 +163,12 @@ typedef struct {
3132 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3133 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3135 +#ifdef CONFIG_PAX_ASLR
3136 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3138 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28 )
3139 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29 )
3142 /* This yields a mask that user programs can use to figure out what
3143 instruction set this cpu supports. */
3144 diff -urNp linux-2.6.31/arch/sparc/include/asm/pgtable_32.h linux-2.6.31/arch/sparc/include/asm/pgtable_32.h
3145 --- linux-2.6.31/arch/sparc/include/asm/pgtable_32.h 2009-08-27 20:59:04.000000000 -0400
3146 +++ linux-2.6.31/arch/sparc/include/asm/pgtable_32.h 2009-09-06 15:29:11.149172278 -0400
3147 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3148 BTFIXUPDEF_INT(page_none)
3149 BTFIXUPDEF_INT(page_copy)
3150 BTFIXUPDEF_INT(page_readonly)
3152 +#ifdef CONFIG_PAX_PAGEEXEC
3153 +BTFIXUPDEF_INT(page_shared_noexec)
3154 +BTFIXUPDEF_INT(page_copy_noexec)
3155 +BTFIXUPDEF_INT(page_readonly_noexec)
3158 BTFIXUPDEF_INT(page_kernel)
3160 #define PMD_SHIFT SUN4C_PMD_SHIFT
3161 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3162 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3163 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3165 +#ifdef CONFIG_PAX_PAGEEXEC
3166 +extern pgprot_t PAGE_SHARED_NOEXEC;
3167 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3168 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3170 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3171 +# define PAGE_COPY_NOEXEC PAGE_COPY
3172 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3175 extern unsigned long page_kernel;
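Review bot: under CONFIG_PAX_PAGEEXEC `PAGE_SHARED_NOEXEC` is an `extern pgprot_t` while `PAGE_COPY_NOEXEC` and `PAGE_READONLY_NOEXEC` are BTFIXUP macros, so the three NOEXEC protections are defined through two different mechanisms; this mirrors `PAGE_SHARED` being extern above, but then `BTFIXUPDEF_INT(page_shared_noexec)` from the first hunk has no visible consumer in this header. If the variable is filled in from the btfixup value in arch code that is not in view, a one-line comment at the extern, `/* set from BTFIXUP page_shared_noexec at init, like PAGE_SHARED */`, would make the split look deliberate rather than like an oversight.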
3178 diff -urNp linux-2.6.31/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.31/arch/sparc/include/asm/pgtsrmmu.h
3179 --- linux-2.6.31/arch/sparc/include/asm/pgtsrmmu.h 2009-08-27 20:59:04.000000000 -0400
3180 +++ linux-2.6.31/arch/sparc/include/asm/pgtsrmmu.h 2009-09-06 15:29:11.150155886 -0400
3181 @@ -115,6 +115,13 @@
3182 SRMMU_EXEC | SRMMU_REF)
3183 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3184 SRMMU_EXEC | SRMMU_REF)
3186 +#ifdef CONFIG_PAX_PAGEEXEC
3187 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3188 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3189 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3192 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3193 SRMMU_DIRTY | SRMMU_REF)
3195 diff -urNp linux-2.6.31/arch/sparc/include/asm/uaccess_32.h linux-2.6.31/arch/sparc/include/asm/uaccess_32.h
3196 --- linux-2.6.31/arch/sparc/include/asm/uaccess_32.h 2009-08-27 20:59:04.000000000 -0400
3197 +++ linux-2.6.31/arch/sparc/include/asm/uaccess_32.h 2009-09-06 15:29:11.151166182 -0400
3198 @@ -249,6 +249,9 @@ extern unsigned long __copy_user(void __
3200 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3205 if (n && __access_ok((unsigned long) to, n))
3206 return __copy_user(to, (__force void __user *) from, n);
3208 @@ -262,6 +265,9 @@ static inline unsigned long __copy_to_us
3210 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3215 if (n && __access_ok((unsigned long) from, n))
3216 return __copy_user((__force void __user *) to, from, n);
3218 @@ -270,6 +276,9 @@ static inline unsigned long copy_from_us
3220 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3225 return __copy_user((__force void __user *) to, from, n);
3228 diff -urNp linux-2.6.31/arch/sparc/include/asm/uaccess_64.h linux-2.6.31/arch/sparc/include/asm/uaccess_64.h
3229 --- linux-2.6.31/arch/sparc/include/asm/uaccess_64.h 2009-08-27 20:59:04.000000000 -0400
3230 +++ linux-2.6.31/arch/sparc/include/asm/uaccess_64.h 2009-09-06 15:29:11.151166182 -0400
3231 @@ -212,7 +212,12 @@ extern unsigned long copy_from_user_fixu
3232 static inline unsigned long __must_check
3233 copy_from_user(void *to, const void __user *from, unsigned long size)
3235 - unsigned long ret = ___copy_from_user(to, from, size);
3236 + unsigned long ret;
3238 + if (unlikely(((long)size > INT_MAX) || ((long)size < 0)))
3241 + ret = ___copy_from_user(to, from, size);
3244 ret = copy_from_user_fixup(to, from, size);
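Review bot: `if (unlikely(((long)size > INT_MAX) || ((long)size < 0)))` can be written as the single unsigned comparison `if (unlikely(size > INT_MAX))`, which rejects exactly the same set (every `unsigned long` above INT_MAX, including those that are negative as `long`) without the two signed casts; the copy_to_user hunk below has the same expression. Whatever the guarded branch returns (lines 3239-3240 are not visible here) should be the full `size`, matching the "bytes not copied" contract of copy_from_user, and a comment stating why INT_MAX is the bound (presumably the fixup/asm path takes an int length) would help the next reader. The rest of copy_from_user is outside the hunk.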
3245 @@ -228,7 +233,12 @@ extern unsigned long copy_to_user_fixup(
3246 static inline unsigned long __must_check
3247 copy_to_user(void __user *to, const void *from, unsigned long size)
3249 - unsigned long ret = ___copy_to_user(to, from, size);
3250 + unsigned long ret;
3252 + if (unlikely(((long)size > INT_MAX) || ((long)size < 0)))
3255 + ret = ___copy_to_user(to, from, size);
3258 ret = copy_to_user_fixup(to, from, size);
3259 diff -urNp linux-2.6.31/arch/sparc/kernel/Makefile linux-2.6.31/arch/sparc/kernel/Makefile
3260 --- linux-2.6.31/arch/sparc/kernel/Makefile 2009-08-27 20:59:04.000000000 -0400
3261 +++ linux-2.6.31/arch/sparc/kernel/Makefile 2009-09-06 15:29:11.152248446 -0400
3266 -ccflags-y := -Werror
3267 +#ccflags-y := -Werror
3269 extra-y := head_$(BITS).o
3270 extra-y += init_task.o
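Review bot: commenting out `ccflags-y := -Werror` silences every warning in arch/sparc/kernel instead of fixing whatever the new code trips, and the patch gives no reason for it. If one file or one warning is the problem, prefer a targeted per-object flag (`CFLAGS_<object>.o += -Wno-<warning>`, with the real names filled in) or fix the warning; at minimum leave a comment next to the disabled line naming the warning that forced it. The hunk header for this change is not visible on the page.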
3271 diff -urNp linux-2.6.31/arch/sparc/kernel/sys_sparc_32.c linux-2.6.31/arch/sparc/kernel/sys_sparc_32.c
3272 --- linux-2.6.31/arch/sparc/kernel/sys_sparc_32.c 2009-08-27 20:59:04.000000000 -0400
3273 +++ linux-2.6.31/arch/sparc/kernel/sys_sparc_32.c 2009-09-06 15:29:11.152248446 -0400
3274 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
3275 if (ARCH_SUN4C && len > 0x20000000)
3278 - addr = TASK_UNMAPPED_BASE;
3279 + addr = current->mm->mmap_base;
3281 if (flags & MAP_SHARED)
3282 addr = COLOUR_ALIGN(addr);
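Review bot: `addr = current->mm->mmap_base;` makes the sparc32 fallback depend on `mmap_base` being initialised for every mm, and no sparc32 counterpart of the arch_pick_mmap_layout change in sys_sparc_64.c appears in this patch; if sparc32 uses the generic arch_pick_mmap_layout that sets mmap_base this is fine, but it is worth confirming. A short comment, `/* honour mm->mmap_base (adjusted under CONFIG_PAX_RANDMMAP) instead of the fixed TASK_UNMAPPED_BASE */`, would state the dependency. The rest of arch_get_unmapped_area is outside the hunk.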
3283 diff -urNp linux-2.6.31/arch/sparc/kernel/sys_sparc_64.c linux-2.6.31/arch/sparc/kernel/sys_sparc_64.c
3284 --- linux-2.6.31/arch/sparc/kernel/sys_sparc_64.c 2009-08-27 20:59:04.000000000 -0400
3285 +++ linux-2.6.31/arch/sparc/kernel/sys_sparc_64.c 2009-09-06 15:29:11.153261339 -0400
3286 @@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
3287 /* We do not accept a shared mapping if it would violate
3288 * cache aliasing constraints.
3290 - if ((flags & MAP_SHARED) &&
3291 + if ((filp || (flags & MAP_SHARED)) &&
3292 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3295 @@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
3296 if (filp || (flags & MAP_SHARED))
3299 +#ifdef CONFIG_PAX_RANDMMAP
3300 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
3305 addr = COLOUR_ALIGN(addr, pgoff);
3306 @@ -153,9 +157,9 @@ unsigned long arch_get_unmapped_area(str
3309 if (len > mm->cached_hole_size) {
3310 - start_addr = addr = mm->free_area_cache;
3311 + start_addr = addr = mm->free_area_cache;
3313 - start_addr = addr = TASK_UNMAPPED_BASE;
3314 + start_addr = addr = mm->mmap_base;
3315 mm->cached_hole_size = 0;
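Review bot: the `-`/`+` pair at `start_addr = addr = mm->free_area_cache;` carries identical text, so it is a whitespace-only change that adds noise to the hunk; drop it and keep only the `TASK_UNMAPPED_BASE` to `mm->mmap_base` line. The enclosing arch_get_unmapped_area starts and ends outside the hunk.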
3318 @@ -175,8 +179,8 @@ full_search:
3319 vma = find_vma(mm, VA_EXCLUDE_END);
3321 if (unlikely(task_size < addr)) {
3322 - if (start_addr != TASK_UNMAPPED_BASE) {
3323 - start_addr = addr = TASK_UNMAPPED_BASE;
3324 + if (start_addr != mm->mmap_base) {
3325 + start_addr = addr = mm->mmap_base;
3326 mm->cached_hole_size = 0;
3329 @@ -216,7 +220,7 @@ arch_get_unmapped_area_topdown(struct fi
3330 /* We do not accept a shared mapping if it would violate
3331 * cache aliasing constraints.
3333 - if ((flags & MAP_SHARED) &&
3334 + if ((filp || (flags & MAP_SHARED)) &&
3335 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3338 @@ -380,6 +384,12 @@ void arch_pick_mmap_layout(struct mm_str
3339 current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
3340 sysctl_legacy_va_layout) {
3341 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
3343 +#ifdef CONFIG_PAX_RANDMMAP
3344 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3345 + mm->mmap_base += mm->delta_mmap;
3348 mm->get_unmapped_area = arch_get_unmapped_area;
3349 mm->unmap_area = arch_unmap_area;
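Review bot: `mm->mmap_base += mm->delta_mmap;` (and `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` in the next hunk) adjust the base without checking that the result still lies inside the task's address range; in the top-down branch the subtraction comes after `PAGE_ALIGN(task_size - gap - random_factor)`, and depending on how delta_mmap/delta_stack are derived from the PAX_DELTA_*_LEN widths in elf_64.h (not in view) a large pair could push mmap_base too low, especially for a 32-bit task. If the widths are sized so this cannot happen, say so at the first adjustment, e.g. `/* delta_mmap/delta_stack are bounded by PAX_DELTA_*_LEN so mmap_base stays within the task's range */`; otherwise clamp the result. arch_pick_mmap_layout starts and ends outside the hunk.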
3351 @@ -394,6 +404,12 @@ void arch_pick_mmap_layout(struct mm_str
3352 gap = (task_size / 6 * 5);
3354 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
3356 +#ifdef CONFIG_PAX_RANDMMAP
3357 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3358 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3361 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3362 mm->unmap_area = arch_unmap_area_topdown;
3364 diff -urNp linux-2.6.31/arch/sparc/lib/atomic32.c linux-2.6.31/arch/sparc/lib/atomic32.c
3365 --- linux-2.6.31/arch/sparc/lib/atomic32.c 2009-08-27 20:59:04.000000000 -0400
3366 +++ linux-2.6.31/arch/sparc/lib/atomic32.c 2009-09-12 09:46:47.281008949 -0400
3367 @@ -80,6 +80,12 @@ void atomic_set(atomic_t *v, int i)
3369 EXPORT_SYMBOL(atomic_set);
3371 +void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3373 + atomic_set((atomic_t *)v, i);
3375 +EXPORT_SYMBOL(atomic_set_unchecked);
3377 unsigned long ___set_bit(unsigned long *addr, unsigned long mask)
3379 unsigned long old, flags;
3380 diff -urNp linux-2.6.31/arch/sparc/Makefile linux-2.6.31/arch/sparc/Makefile
3381 --- linux-2.6.31/arch/sparc/Makefile 2009-08-27 20:59:04.000000000 -0400
3382 +++ linux-2.6.31/arch/sparc/Makefile 2009-09-06 15:29:11.153261339 -0400
3383 @@ -81,7 +81,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
3384 # Export what is needed by arch/sparc/boot/Makefile
3385 export VMLINUX_INIT VMLINUX_MAIN
3386 VMLINUX_INIT := $(head-y) $(init-y)
3387 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
3388 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
3389 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
3390 VMLINUX_MAIN += $(drivers-y) $(net-y)
3392 diff -urNp linux-2.6.31/arch/sparc/mm/fault_32.c linux-2.6.31/arch/sparc/mm/fault_32.c
3393 --- linux-2.6.31/arch/sparc/mm/fault_32.c 2009-08-27 20:59:04.000000000 -0400
3394 +++ linux-2.6.31/arch/sparc/mm/fault_32.c 2009-09-06 15:29:11.154359141 -0400
3396 #include <linux/interrupt.h>
3397 #include <linux/module.h>
3398 #include <linux/kdebug.h>
3399 +#include <linux/slab.h>
3400 +#include <linux/pagemap.h>
3401 +#include <linux/compiler.h>
3403 #include <asm/system.h>
3404 #include <asm/page.h>
3405 @@ -167,6 +170,264 @@ static unsigned long compute_si_addr(str
3406 return safe_compute_effective_address(regs, insn);
3409 +#ifdef CONFIG_PAX_PAGEEXEC
3410 +void pax_emuplt_close(struct vm_area_struct *vma)
3412 + vma->vm_mm->call_dl_resolve = 0UL;
3415 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
3417 + unsigned int *kaddr;
3419 + vmf->page = alloc_page(GFP_HIGHUSER);
3421 + return VM_FAULT_OOM;
3423 + kaddr = kmap(vmf->page);
3424 + memset(kaddr, 0, PAGE_SIZE);
3425 + kaddr[0] = 0x9DE3BFA8U; /* save */
3426 + flush_dcache_page(vmf->page);
3427 + kunmap(vmf->page);
3428 + return VM_FAULT_MAJOR;
3431 +static const struct vm_operations_struct pax_vm_ops = {
3432 + .close = pax_emuplt_close,
3433 + .fault = pax_emuplt_fault
3436 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
3440 + vma->vm_mm = current->mm;
3441 + vma->vm_start = addr;
3442 + vma->vm_end = addr + PAGE_SIZE;
3443 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
3444 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
3445 + vma->vm_ops = &pax_vm_ops;
3447 + ret = insert_vm_struct(current->mm, vma);
3451 + ++current->mm->total_vm;
3456 + * PaX: decide what to do with offenders (regs->pc = fault address)
3458 + * returns 1 when task should be killed
3459 + * 2 when patched PLT trampoline was detected
3460 + * 3 when unpatched PLT trampoline was detected
3462 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3465 +#ifdef CONFIG_PAX_EMUPLT
3468 + do { /* PaX: patched PLT emulation #1 */
3469 + unsigned int sethi1, sethi2, jmpl;
3471 + err = get_user(sethi1, (unsigned int *)regs->pc);
3472 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
3473 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
3478 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
3479 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
3480 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
3482 + unsigned int addr;
3484 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
3485 + addr = regs->u_regs[UREG_G1];
3486 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
3488 + regs->npc = addr+4;
3493 + { /* PaX: patched PLT emulation #2 */
3496 + err = get_user(ba, (unsigned int *)regs->pc);
3498 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
3499 + unsigned int addr;
3501 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
3503 + regs->npc = addr+4;
3508 + do { /* PaX: patched PLT emulation #3 */
3509 + unsigned int sethi, jmpl, nop;
3511 + err = get_user(sethi, (unsigned int *)regs->pc);
3512 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
3513 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
3518 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
3519 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
3520 + nop == 0x01000000U)
3522 + unsigned int addr;
3524 + addr = (sethi & 0x003FFFFFU) << 10;
3525 + regs->u_regs[UREG_G1] = addr;
3526 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
3528 + regs->npc = addr+4;
3533 + do { /* PaX: unpatched PLT emulation step 1 */
3534 + unsigned int sethi, ba, nop;
3536 + err = get_user(sethi, (unsigned int *)regs->pc);
3537 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
3538 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
3543 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
3544 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
3545 + nop == 0x01000000U)
3547 + unsigned int addr, save, call;
3549 + if ((ba & 0xFFC00000U) == 0x30800000U)
3550 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
3552 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
3554 + err = get_user(save, (unsigned int *)addr);
3555 + err |= get_user(call, (unsigned int *)(addr+4));
3556 + err |= get_user(nop, (unsigned int *)(addr+8));
3560 + if (save == 0x9DE3BFA8U &&
3561 + (call & 0xC0000000U) == 0x40000000U &&
3562 + nop == 0x01000000U)
3564 + struct vm_area_struct *vma;
3565 + unsigned long call_dl_resolve;
3567 + down_read(¤t->mm->mmap_sem);
3568 + call_dl_resolve = current->mm->call_dl_resolve;
3569 + up_read(¤t->mm->mmap_sem);
3570 + if (likely(call_dl_resolve))
3573 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
3575 + down_write(¤t->mm->mmap_sem);
3576 + if (current->mm->call_dl_resolve) {
3577 + call_dl_resolve = current->mm->call_dl_resolve;
3578 + up_write(¤t->mm->mmap_sem);
3580 + kmem_cache_free(vm_area_cachep, vma);
3584 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
3585 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
3586 + up_write(¤t->mm->mmap_sem);
3588 + kmem_cache_free(vm_area_cachep, vma);
3592 + if (pax_insert_vma(vma, call_dl_resolve)) {
3593 + up_write(¤t->mm->mmap_sem);
3594 + kmem_cache_free(vm_area_cachep, vma);
3598 + current->mm->call_dl_resolve = call_dl_resolve;
3599 + up_write(¤t->mm->mmap_sem);
3602 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
3603 + regs->pc = call_dl_resolve;
3604 + regs->npc = addr+4;
3608 + /* PaX: newer glibc/binutils generate sethi/jmp instead of save/call */
3609 + if ((save & 0xFFC00000U) == 0x05000000U &&
3610 + (call & 0xFFFFE000U) == 0x85C0A000U &&
3611 + nop == 0x01000000U)
3613 + unsigned long addr;
3615 + addr = (save & 0x003FFFFFU) << 10;
3616 + regs->u_regs[UREG_G2] = addr;
3617 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
3619 + regs->npc = addr+4;
3625 + do { /* PaX: unpatched PLT emulation step 2 */
3626 + unsigned int save, call, nop;
3628 + err = get_user(save, (unsigned int *)(regs->pc-4));
3629 + err |= get_user(call, (unsigned int *)regs->pc);
3630 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
3634 + if (save == 0x9DE3BFA8U &&
3635 + (call & 0xC0000000U) == 0x40000000U &&
3636 + nop == 0x01000000U)
3638 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
3640 + regs->u_regs[UREG_RETPC] = regs->pc;
3641 + regs->pc = dl_resolve;
3642 + regs->npc = dl_resolve+4;
3651 +void pax_report_insns(void *pc, void *sp)
3655 + printk(KERN_ERR "PAX: bytes at PC: ");
3656 + for (i = 0; i < 5; i++) {
3658 + if (get_user(c, (unsigned int *)pc+i))
3659 + printk(KERN_CONT "???????? ");
3661 + printk(KERN_CONT "%08x ", c);
3667 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
3668 unsigned long address)
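Review bot: `void pax_emuplt_close(struct vm_area_struct *vma)` has external linkage here while the identical function in the fault_64.c hunk is `static`; it is only referenced through `pax_vm_ops` in this file, so make it `static void pax_emuplt_close(struct vm_area_struct *vma)` unless a declaration elsewhere needs it (none is visible). In `pax_report_insns`, the five `printk(KERN_CONT ...)` calls dump instruction words read from the faulting task's PC into the kernel log with no rate limiting visible in this hunk; unless the caller (`pax_report_fault`, not in view) already limits it, a process that faults repeatedly can flood the log, so guard the loop with `if (!printk_ratelimit()) return;` or the caller's equivalent. The header comment on `pax_handle_fetch_fault` lists return values 1, 2 and 3 but the fall-through return for "nothing matched" is not visible here; stating it in that comment would close the contract. The `#endif` for CONFIG_PAX_PAGEEXEC and the body of do_sparc_fault lie outside this hunk.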
3670 @@ -231,6 +492,24 @@ good_area:
3671 if(!(vma->vm_flags & VM_WRITE))
3675 +#ifdef CONFIG_PAX_PAGEEXEC
3676 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
3677 + up_read(&mm->mmap_sem);
3678 + switch (pax_handle_fetch_fault(regs)) {
3680 +#ifdef CONFIG_PAX_EMUPLT
3687 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
3688 + do_group_exit(SIGKILL);
3692 /* Allow reads even for write-only mappings */
3693 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
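Review bot: `up_read(&mm->mmap_sem);` is issued before `switch (pax_handle_fetch_fault(regs))`, so every case of that switch must leave the function: the kill path ends in `do_group_exit(SIGKILL)`, but the emulation cases (lines 3681-3686 are not visible here) must `return` explicitly, because the code after the `#endif` (`/* Allow reads even for write-only mappings */` and the later fault handling) still expects mmap_sem held and `vma` valid. A comment on the `up_read`, `/* dropped because the emulation path sleeps (down_write, GFP_KERNEL); nothing below the switch may run without it */`, makes that invariant visible to the next person editing the handler. The fault handler's body continues outside the hunk.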
3695 diff -urNp linux-2.6.31/arch/sparc/mm/fault_64.c linux-2.6.31/arch/sparc/mm/fault_64.c
3696 --- linux-2.6.31/arch/sparc/mm/fault_64.c 2009-08-27 20:59:04.000000000 -0400
3697 +++ linux-2.6.31/arch/sparc/mm/fault_64.c 2009-09-10 19:30:54.839077430 -0400
3699 #include <linux/kprobes.h>
3700 #include <linux/kdebug.h>
3701 #include <linux/percpu.h>
3702 +#include <linux/slab.h>
3703 +#include <linux/pagemap.h>
3704 +#include <linux/compiler.h>
3706 #include <asm/page.h>
3707 #include <asm/pgtable.h>
3708 @@ -249,6 +252,405 @@ static void noinline bogus_32bit_fault_a
3712 +#ifdef CONFIG_PAX_PAGEEXEC
3713 +#ifdef CONFIG_PAX_EMUPLT
3714 +static void pax_emuplt_close(struct vm_area_struct *vma)
3716 + vma->vm_mm->call_dl_resolve = 0UL;
3719 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
3721 + unsigned int *kaddr;
3723 + vmf->page = alloc_page(GFP_HIGHUSER);
3725 + return VM_FAULT_OOM;
3727 + kaddr = kmap(vmf->page);
3728 + memset(kaddr, 0, PAGE_SIZE);
3729 + kaddr[0] = 0x9DE3BFA8U; /* save */
3730 + flush_dcache_page(vmf->page);
3731 + kunmap(vmf->page);
3732 + return VM_FAULT_MAJOR;
3735 +static const struct vm_operations_struct pax_vm_ops = {
3736 + .close = pax_emuplt_close,
3737 + .fault = pax_emuplt_fault
3740 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
3744 + vma->vm_mm = current->mm;
3745 + vma->vm_start = addr;
3746 + vma->vm_end = addr + PAGE_SIZE;
3747 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
3748 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
3749 + vma->vm_ops = &pax_vm_ops;
3751 + ret = insert_vm_struct(current->mm, vma);
3755 + ++current->mm->total_vm;
3761 + * PaX: decide what to do with offenders (regs->tpc = fault address)
3763 + * returns 1 when task should be killed
3764 + * 2 when patched PLT trampoline was detected
3765 + * 3 when unpatched PLT trampoline was detected
3767 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3770 +#ifdef CONFIG_PAX_EMUPLT
3773 + do { /* PaX: patched PLT emulation #1 */
3774 + unsigned int sethi1, sethi2, jmpl;
3776 + err = get_user(sethi1, (unsigned int *)regs->tpc);
3777 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
3778 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
3783 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
3784 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
3785 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
3787 + unsigned long addr;
3789 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
3790 + addr = regs->u_regs[UREG_G1];
3791 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
3793 + if (test_thread_flag(TIF_32BIT))
3794 + addr &= 0xFFFFFFFFUL;
3797 + regs->tnpc = addr+4;
3802 + { /* PaX: patched PLT emulation #2 */
3805 + err = get_user(ba, (unsigned int *)regs->tpc);
3807 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
3808 + unsigned long addr;
3810 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
3812 + if (test_thread_flag(TIF_32BIT))
3813 + addr &= 0xFFFFFFFFUL;
3816 + regs->tnpc = addr+4;
3821 + do { /* PaX: patched PLT emulation #3 */
3822 + unsigned int sethi, jmpl, nop;
3824 + err = get_user(sethi, (unsigned int *)regs->tpc);
3825 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
3826 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
3831 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
3832 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
3833 + nop == 0x01000000U)
3835 + unsigned long addr;
3837 + addr = (sethi & 0x003FFFFFU) << 10;
3838 + regs->u_regs[UREG_G1] = addr;
3839 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
3841 + if (test_thread_flag(TIF_32BIT))
3842 + addr &= 0xFFFFFFFFUL;
3845 + regs->tnpc = addr+4;
3850 + do { /* PaX: patched PLT emulation #4 */
3851 + unsigned int mov1, call, mov2;
3853 + err = get_user(mov1, (unsigned int *)regs->tpc);
3854 + err |= get_user(call, (unsigned int *)(regs->tpc+4));
3855 + err |= get_user(mov2, (unsigned int *)(regs->tpc+8));
3860 + if (mov1 == 0x8210000FU &&
3861 + (call & 0xC0000000U) == 0x40000000U &&
3862 + mov2 == 0x9E100001U)
3864 + unsigned long addr;
3866 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
3867 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
3869 + regs->tnpc = addr+4;
3874 + do { /* PaX: patched PLT emulation #5 */
3875 + unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
3877 + err = get_user(sethi1, (unsigned int *)regs->tpc);
3878 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
3879 + err |= get_user(or1, (unsigned int *)(regs->tpc+8));
3880 + err |= get_user(or2, (unsigned int *)(regs->tpc+12));
3881 + err |= get_user(sllx, (unsigned int *)(regs->tpc+16));
3882 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
3883 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
3888 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
3889 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
3890 + (or1 & 0xFFFFE000U) == 0x82106000U &&
3891 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
3892 + sllx == 0x83287020 &&
3893 + jmpl == 0x81C04005U &&
3894 + nop == 0x01000000U)
3896 + unsigned long addr;
3898 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
3899 + regs->u_regs[UREG_G1] <<= 32;
3900 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
3901 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
3903 + regs->tnpc = addr+4;
3908 + do { /* PaX: patched PLT emulation #6 */
3909 + unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
3911 + err = get_user(sethi1, (unsigned int *)regs->tpc);
3912 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
3913 + err |= get_user(sllx, (unsigned int *)(regs->tpc+8));
3914 + err |= get_user(or, (unsigned int *)(regs->tpc+12));
3915 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+16));
3916 + err |= get_user(nop, (unsigned int *)(regs->tpc+20));
3921 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
3922 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
3923 + sllx == 0x83287020 &&
3924 + (or & 0xFFFFE000U) == 0x8A116000U &&
3925 + jmpl == 0x81C04005U &&
3926 + nop == 0x01000000U)
3928 + unsigned long addr;
3930 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
3931 + regs->u_regs[UREG_G1] <<= 32;
3932 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
3933 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
3935 + regs->tnpc = addr+4;
3940 + do { /* PaX: patched PLT emulation #7 */
3941 + unsigned int sethi, ba, nop;
3943 + err = get_user(sethi, (unsigned int *)regs->tpc);
3944 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
3945 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
3950 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
3951 + (ba & 0xFFF00000U) == 0x30600000U &&
3952 + nop == 0x01000000U)
3954 + unsigned long addr;
3956 + addr = (sethi & 0x003FFFFFU) << 10;
3957 + regs->u_regs[UREG_G1] = addr;
3958 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
3960 + regs->tnpc = addr+4;
3965 + do { /* PaX: unpatched PLT emulation step 1 */
3966 + unsigned int sethi, ba, nop;
3968 + err = get_user(sethi, (unsigned int *)regs->tpc);
3969 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
3970 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
3975 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
3976 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
3977 + nop == 0x01000000U)
3979 + unsigned long addr;
3980 + unsigned int save, call;
3982 + if ((ba & 0xFFC00000U) == 0x30800000U)
3983 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
3985 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
3987 + if (test_thread_flag(TIF_32BIT))
3988 + addr &= 0xFFFFFFFFUL;
3990 + err = get_user(save, (unsigned int *)addr);
3991 + err |= get_user(call, (unsigned int *)(addr+4));
3992 + err |= get_user(nop, (unsigned int *)(addr+8));
3996 + if (save == 0x9DE3BFA8U &&
3997 + (call & 0xC0000000U) == 0x40000000U &&
3998 + nop == 0x01000000U)
4000 + struct vm_area_struct *vma;
4001 + unsigned long call_dl_resolve;
4003 + down_read(¤t->mm->mmap_sem);
4004 + call_dl_resolve = current->mm->call_dl_resolve;
4005 + up_read(¤t->mm->mmap_sem);
4006 + if (likely(call_dl_resolve))
4009 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4011 + down_write(¤t->mm->mmap_sem);
4012 + if (current->mm->call_dl_resolve) {
4013 + call_dl_resolve = current->mm->call_dl_resolve;
4014 + up_write(¤t->mm->mmap_sem);
4016 + kmem_cache_free(vm_area_cachep, vma);
4020 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4021 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4022 + up_write(¤t->mm->mmap_sem);
4024 + kmem_cache_free(vm_area_cachep, vma);
4028 + if (pax_insert_vma(vma, call_dl_resolve)) {
4029 + up_write(¤t->mm->mmap_sem);
4030 + kmem_cache_free(vm_area_cachep, vma);
4034 + current->mm->call_dl_resolve = call_dl_resolve;
4035 + up_write(¤t->mm->mmap_sem);
4038 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4039 + regs->tpc = call_dl_resolve;
4040 + regs->tnpc = addr+4;
4044 + /* PaX: newer glibc/binutils generate sethi/jmp instead of save/call */
4045 + if ((save & 0xFFC00000U) == 0x05000000U &&
4046 + (call & 0xFFFFE000U) == 0x85C0A000U &&
4047 + nop == 0x01000000U)
4049 + unsigned long addr;
4051 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4052 + addr = (save & 0x003FFFFFU) << 10;
4053 + regs->u_regs[UREG_G2] = addr;
4054 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4056 + if (test_thread_flag(TIF_32BIT))
4057 + addr &= 0xFFFFFFFFUL;
4060 + regs->tnpc = addr+4;
4066 + do { /* PaX: unpatched PLT emulation step 2 */
4067 + unsigned int save, call, nop;
4069 + err = get_user(save, (unsigned int *)(regs->tpc-4));
4070 + err |= get_user(call, (unsigned int *)regs->tpc);
4071 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
4075 + if (save == 0x9DE3BFA8U &&
4076 + (call & 0xC0000000U) == 0x40000000U &&
4077 + nop == 0x01000000U)
4079 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4081 + if (test_thread_flag(TIF_32BIT))
4082 + dl_resolve &= 0xFFFFFFFFUL;
4084 + regs->u_regs[UREG_RETPC] = regs->tpc;
4085 + regs->tpc = dl_resolve;
4086 + regs->tnpc = dl_resolve+4;
4095 +void pax_report_insns(void *pc, void *sp)
4099 + printk(KERN_ERR "PAX: bytes at PC: ");
4100 + for (i = 0; i < 5; i++) {
4102 + if (get_user(c, (unsigned int *)pc+i))
4103 + printk(KERN_CONT "???????? ");
4105 + printk(KERN_CONT "%08x ", c);
4111 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
4113 struct mm_struct *mm = current->mm;
4114 @@ -315,6 +717,29 @@ asmlinkage void __kprobes do_sparc64_fau
4118 +#ifdef CONFIG_PAX_PAGEEXEC
4119 + /* PaX: detect ITLB misses on non-exec pages */
4120 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
4121 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
4123 + if (address != regs->tpc)
4126 + up_read(&mm->mmap_sem);
4127 + switch (pax_handle_fetch_fault(regs)) {
4129 +#ifdef CONFIG_PAX_EMUPLT
4136 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
4137 + do_group_exit(SIGKILL);
4141 /* Pure DTLB misses do not tell us whether the fault causing
4142 * load/store/atomic was a write or not, it only says that there
4143 * was no match. So in such a case we (carefully) read the
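Review bot: The PAGEEXEC branch tests only `vma->vm_start <= address` and so depends on the preceding find_vma() having already bounded `address` below `vma->vm_end`; that assumption belongs in the comment, e.g. `/* vma came from find_vma(): address < vma->vm_end already holds */`, so the block survives a reordering of the surrounding lookup. The switch on pax_handle_fetch_fault() runs after `up_read(&mm->mmap_sem)`, so each case that returns (the CONFIG_PAX_EMUPLT cases appear to, though their lines are not shown here) must not fall back into code below that still expects the lock held; the kill path ends in do_group_exit(SIGKILL) with the lock already dropped, which looks right. do_sparc64_fault begins before this hunk and continues after it.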
4144 diff -urNp linux-2.6.31/arch/sparc/mm/init_32.c linux-2.6.31/arch/sparc/mm/init_32.c
4145 --- linux-2.6.31/arch/sparc/mm/init_32.c 2009-08-27 20:59:04.000000000 -0400
4146 +++ linux-2.6.31/arch/sparc/mm/init_32.c 2009-09-06 15:29:11.155370002 -0400
4147 @@ -316,6 +316,9 @@ extern void device_scan(void);
4148 pgprot_t PAGE_SHARED __read_mostly;
4149 EXPORT_SYMBOL(PAGE_SHARED);
4151 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
4152 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
4154 void __init paging_init(void)
4156 switch(sparc_cpu_model) {
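Review bot: `PAGE_SHARED_NOEXEC` is defined and exported unconditionally here, but the only assignment to it visible in this patch, in the srmmu.c hunk at `ld_mmu_srmmu`, sits inside `#ifdef CONFIG_PAX_PAGEEXEC`, while the paging_init hunk below stores it into `protection_map[10]` and `[11]` unconditionally. Unless the header aliases the `_NOEXEC` names to their executable counterparts when the option is off (not visible here), a !PAGEEXEC build would install a zero pgprot for shared non-exec mappings; please confirm that configuration, and the non-SRMMU CPU models selected by the `switch(sparc_cpu_model)` just below, which this patch does not touch. A comment on the definition such as `/* set in ld_mmu_srmmu(); consumed by paging_init() */` would make the coupling explicit.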
4157 @@ -341,17 +344,17 @@ void __init paging_init(void)
4159 /* Initialize the protection map with non-constant, MMU dependent values. */
4160 protection_map[0] = PAGE_NONE;
4161 - protection_map[1] = PAGE_READONLY;
4162 - protection_map[2] = PAGE_COPY;
4163 - protection_map[3] = PAGE_COPY;
4164 + protection_map[1] = PAGE_READONLY_NOEXEC;
4165 + protection_map[2] = PAGE_COPY_NOEXEC;
4166 + protection_map[3] = PAGE_COPY_NOEXEC;
4167 protection_map[4] = PAGE_READONLY;
4168 protection_map[5] = PAGE_READONLY;
4169 protection_map[6] = PAGE_COPY;
4170 protection_map[7] = PAGE_COPY;
4171 protection_map[8] = PAGE_NONE;
4172 - protection_map[9] = PAGE_READONLY;
4173 - protection_map[10] = PAGE_SHARED;
4174 - protection_map[11] = PAGE_SHARED;
4175 + protection_map[9] = PAGE_READONLY_NOEXEC;
4176 + protection_map[10] = PAGE_SHARED_NOEXEC;
4177 + protection_map[11] = PAGE_SHARED_NOEXEC;
4178 protection_map[12] = PAGE_READONLY;
4179 protection_map[13] = PAGE_READONLY;
4180 protection_map[14] = PAGE_SHARED;
4181 diff -urNp linux-2.6.31/arch/sparc/mm/Makefile linux-2.6.31/arch/sparc/mm/Makefile
4182 --- linux-2.6.31/arch/sparc/mm/Makefile 2009-08-27 20:59:04.000000000 -0400
4183 +++ linux-2.6.31/arch/sparc/mm/Makefile 2009-09-06 15:29:11.155370002 -0400
4188 -ccflags-y := -Werror
4189 +#ccflags-y := -Werror
4191 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
4192 obj-y += fault_$(BITS).o
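Review bot: Commenting out `ccflags-y := -Werror` silences every warning in arch/sparc/mm rather than the specific one the new PaX code presumably triggers, so later regressions anywhere in the directory will no longer fail the build. Prefer fixing the warning in the new fault_64.c code, or scoping the relaxation to the one object (`CFLAGS_fault_64.o += -Wno-<flag>`, flag to be filled in) and leaving the directory-wide `-Werror` in place. If it must stay disabled, a comment naming the warning and the file would let it be re-enabled later. The hunk header for this change is not shown here.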
4193 diff -urNp linux-2.6.31/arch/sparc/mm/srmmu.c linux-2.6.31/arch/sparc/mm/srmmu.c
4194 --- linux-2.6.31/arch/sparc/mm/srmmu.c 2009-08-27 20:59:04.000000000 -0400
4195 +++ linux-2.6.31/arch/sparc/mm/srmmu.c 2009-09-06 15:29:11.155370002 -0400
4196 @@ -2149,6 +2149,13 @@ void __init ld_mmu_srmmu(void)
4197 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
4198 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
4199 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
4201 +#ifdef CONFIG_PAX_PAGEEXEC
4202 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
4203 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
4204 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
4207 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
4208 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
4210 diff -urNp linux-2.6.31/arch/um/include/asm/kmap_types.h linux-2.6.31/arch/um/include/asm/kmap_types.h
4211 --- linux-2.6.31/arch/um/include/asm/kmap_types.h 2009-08-27 20:59:04.000000000 -0400
4212 +++ linux-2.6.31/arch/um/include/asm/kmap_types.h 2009-09-06 15:29:11.156214181 -0400
4213 @@ -23,6 +23,7 @@ enum km_type {
4221 diff -urNp linux-2.6.31/arch/um/include/asm/page.h linux-2.6.31/arch/um/include/asm/page.h
4222 --- linux-2.6.31/arch/um/include/asm/page.h 2009-08-27 20:59:04.000000000 -0400
4223 +++ linux-2.6.31/arch/um/include/asm/page.h 2009-09-06 15:29:11.156214181 -0400
4225 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
4226 #define PAGE_MASK (~(PAGE_SIZE-1))
4228 +#define ktla_ktva(addr) (addr)
4229 +#define ktva_ktla(addr) (addr)
4231 #ifndef __ASSEMBLY__
4234 diff -urNp linux-2.6.31/arch/um/sys-i386/syscalls.c linux-2.6.31/arch/um/sys-i386/syscalls.c
4235 --- linux-2.6.31/arch/um/sys-i386/syscalls.c 2009-08-27 20:59:04.000000000 -0400
4236 +++ linux-2.6.31/arch/um/sys-i386/syscalls.c 2009-09-06 15:29:11.157173432 -0400
4238 #include "asm/uaccess.h"
4239 #include "asm/unistd.h"
4241 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
4243 + unsigned long pax_task_size = TASK_SIZE;
4245 +#ifdef CONFIG_PAX_SEGMEXEC
4246 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
4247 + pax_task_size = SEGMEXEC_TASK_SIZE;
4250 + if (len > pax_task_size || addr > pax_task_size - len)
4257 * Perform the select(nd, in, out, ex, tv) and mmap() system
4258 * calls. Linux/i386 didn't use to be able to handle more than
4259 diff -urNp linux-2.6.31/arch/x86/boot/bitops.h linux-2.6.31/arch/x86/boot/bitops.h
4260 --- linux-2.6.31/arch/x86/boot/bitops.h 2009-08-27 20:59:04.000000000 -0400
4261 +++ linux-2.6.31/arch/x86/boot/bitops.h 2009-09-06 15:29:11.161166844 -0400
4262 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
4264 const u32 *p = (const u32 *)addr;
4266 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
4267 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
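Review bot: Adding `volatile` to `variable_test_bit`'s asm changes optimisation (the compiler may no longer merge or hoist two reads of the same bit), yet nothing says why the boot code now needs that; a one-line comment such as `/* volatile: the bit may change behind gcc's back, never merge this read */` would record the intent. The same applies to the `set_bit` hunk that follows and to the `ds()` and `memcmp` hunks in boot.h, where the `+m`/`+D`/`+S`/`+c` operands already keep the statements alive, so `volatile` there mainly pins their order relative to surrounding code. Stating the shared rationale once, at the first site, is enough.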
4271 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
4273 static inline void set_bit(int nr, void *addr)
4275 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
4276 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
4279 #endif /* BOOT_BITOPS_H */
4280 diff -urNp linux-2.6.31/arch/x86/boot/boot.h linux-2.6.31/arch/x86/boot/boot.h
4281 --- linux-2.6.31/arch/x86/boot/boot.h 2009-08-27 20:59:04.000000000 -0400
4282 +++ linux-2.6.31/arch/x86/boot/boot.h 2009-09-06 15:29:11.162169936 -0400
4283 @@ -82,7 +82,7 @@ static inline void io_delay(void)
4284 static inline u16 ds(void)
4287 - asm("movw %%ds,%0" : "=rm" (seg));
4288 + asm volatile("movw %%ds,%0" : "=rm" (seg));
4292 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
4293 static inline int memcmp(const void *s1, const void *s2, size_t len)
4296 - asm("repe; cmpsb; setnz %0"
4297 + asm volatile("repe; cmpsb; setnz %0"
4298 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
4301 diff -urNp linux-2.6.31/arch/x86/boot/compressed/head_32.S linux-2.6.31/arch/x86/boot/compressed/head_32.S
4302 --- linux-2.6.31/arch/x86/boot/compressed/head_32.S 2009-08-27 20:59:04.000000000 -0400
4303 +++ linux-2.6.31/arch/x86/boot/compressed/head_32.S 2009-09-06 15:29:11.163157519 -0400
4304 @@ -75,7 +75,7 @@ ENTRY(startup_32)
4308 - movl $LOAD_PHYSICAL_ADDR, %ebx
4309 + movl $____LOAD_PHYSICAL_ADDR, %ebx
4312 /* Target address to relocate to for decompression */
4313 @@ -148,7 +148,7 @@ relocated:
4314 * and where it was actually loaded.
4317 - subl $LOAD_PHYSICAL_ADDR, %ebx
4318 + subl $____LOAD_PHYSICAL_ADDR, %ebx
4319 jz 2f /* Nothing to be done if loaded at compiled addr. */
4321 * Process relocations.
4322 @@ -156,8 +156,7 @@ relocated:
4329 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
4332 diff -urNp linux-2.6.31/arch/x86/boot/compressed/head_64.S linux-2.6.31/arch/x86/boot/compressed/head_64.S
4333 --- linux-2.6.31/arch/x86/boot/compressed/head_64.S 2009-08-27 20:59:04.000000000 -0400
4334 +++ linux-2.6.31/arch/x86/boot/compressed/head_64.S 2009-09-10 20:40:58.014899975 -0400
4335 @@ -90,7 +90,7 @@ ENTRY(startup_32)
4339 - movl $LOAD_PHYSICAL_ADDR, %ebx
4340 + movl $____LOAD_PHYSICAL_ADDR, %ebx
4343 /* Target address to relocate to for decompression */
4344 @@ -233,7 +233,7 @@ ENTRY(startup_64)
4348 - movq $LOAD_PHYSICAL_ADDR, %rbp
4349 + movq $____LOAD_PHYSICAL_ADDR, %rbp
4352 /* Target address to relocate to for decompression */
4353 diff -urNp linux-2.6.31/arch/x86/boot/compressed/misc.c linux-2.6.31/arch/x86/boot/compressed/misc.c
4354 --- linux-2.6.31/arch/x86/boot/compressed/misc.c 2009-08-27 20:59:04.000000000 -0400
4355 +++ linux-2.6.31/arch/x86/boot/compressed/misc.c 2009-09-06 15:29:11.163157519 -0400
4356 @@ -288,7 +288,7 @@ static void parse_elf(void *output)
4358 #ifdef CONFIG_RELOCATABLE
4360 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
4361 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
4363 dest = (void *)(phdr->p_paddr);
4365 @@ -335,7 +335,7 @@ asmlinkage void decompress_kernel(void *
4366 error("Destination address too large");
4368 #ifndef CONFIG_RELOCATABLE
4369 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
4370 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
4371 error("Wrong destination address");
4374 diff -urNp linux-2.6.31/arch/x86/boot/compressed/mkpiggy.c linux-2.6.31/arch/x86/boot/compressed/mkpiggy.c
4375 --- linux-2.6.31/arch/x86/boot/compressed/mkpiggy.c 2009-08-27 20:59:04.000000000 -0400
4376 +++ linux-2.6.31/arch/x86/boot/compressed/mkpiggy.c 2009-09-06 15:29:11.164183902 -0400
4377 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
4379 offs = (olen > ilen) ? olen - ilen : 0;
4380 offs += olen >> 12; /* Add 8 bytes for each 32K block */
4381 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
4382 + offs += 64*1024; /* Add 64K bytes slack */
4383 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
4385 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
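Review bot: `64*1024` replaces `32*1024 + 18` with a comment that only restates the number, so a reader cannot tell what the larger in-place decompression margin covers or whether it still suffices for every compressor configuration. Name the value and say what it accounts for, e.g. `#define SLACK_BYTES (64*1024) /* margin for <reason> */` with the reason filled in by the author, and use it on this line. main() begins before this hunk and continues after it.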
4386 diff -urNp linux-2.6.31/arch/x86/boot/compressed/relocs.c linux-2.6.31/arch/x86/boot/compressed/relocs.c
4387 --- linux-2.6.31/arch/x86/boot/compressed/relocs.c 2009-08-27 20:59:04.000000000 -0400
4388 +++ linux-2.6.31/arch/x86/boot/compressed/relocs.c 2009-09-06 15:29:11.165162482 -0400
4393 +#include "../../../../include/linux/autoconf.h"
4395 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
4396 static Elf32_Ehdr ehdr;
4397 +static Elf32_Phdr *phdr;
4398 static unsigned long reloc_count, reloc_idx;
4399 static unsigned long *relocs;
4401 @@ -37,7 +40,7 @@ static const char* safe_abs_relocs[] = {
4403 static int is_safe_abs_reloc(const char* sym_name)
4408 for (i = 0; i < ARRAY_SIZE(safe_abs_relocs); i++) {
4409 if (!strcmp(sym_name, safe_abs_relocs[i]))
4410 @@ -245,9 +248,39 @@ static void read_ehdr(FILE *fp)
4414 +static void read_phdrs(FILE *fp)
4418 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
4420 + die("Unable to allocate %d program headers\n",
4423 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
4424 + die("Seek to %d failed: %s\n",
4425 + ehdr.e_phoff, strerror(errno));
4427 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
4428 + die("Cannot read ELF program headers: %s\n",
4431 + for(i = 0; i < ehdr.e_phnum; i++) {
4432 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
4433 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
4434 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
4435 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
4436 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
4437 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
4438 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
4439 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
4444 static void read_shdrs(FILE *fp)
4450 secs = calloc(ehdr.e_shnum, sizeof(struct section));
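Review bot: `calloc(ehdr.e_phnum, sizeof(Elf32_Phdr))` with `e_phnum == 0` may legitimately return NULL, and the following die() would then report an allocation failure for an input that simply has no program headers; test `ehdr.e_phnum == 0` first and either die with a message that says so or return with `phdr` left NULL (the consumer in read_relocs iterates `j < ehdr.e_phnum`, so an empty table is safe there). The `fseek` failure message passes `ehdr.e_phoff` to `%d` although it is an unsigned 32-bit ELF offset, so `%u` with a cast would match, though the existing read_shdrs uses the same pattern. The calloc line uses `sizeof(Elf32_Phdr)` while the fread line uses `sizeof(*phdr)`; pick one.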
4451 @@ -282,7 +315,7 @@ static void read_shdrs(FILE *fp)
4453 static void read_strtabs(FILE *fp)
4457 for (i = 0; i < ehdr.e_shnum; i++) {
4458 struct section *sec = &secs[i];
4459 if (sec->shdr.sh_type != SHT_STRTAB) {
4460 @@ -307,7 +340,7 @@ static void read_strtabs(FILE *fp)
4462 static void read_symtabs(FILE *fp)
4466 for (i = 0; i < ehdr.e_shnum; i++) {
4467 struct section *sec = &secs[i];
4468 if (sec->shdr.sh_type != SHT_SYMTAB) {
4469 @@ -340,7 +373,9 @@ static void read_symtabs(FILE *fp)
4471 static void read_relocs(FILE *fp)
4477 for (i = 0; i < ehdr.e_shnum; i++) {
4478 struct section *sec = &secs[i];
4479 if (sec->shdr.sh_type != SHT_REL) {
4480 @@ -360,9 +395,18 @@ static void read_relocs(FILE *fp)
4481 die("Cannot read symbol table: %s\n",
4485 + for (j = 0; j < ehdr.e_phnum; j++) {
4486 + if (phdr[j].p_type != PT_LOAD )
4488 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
4490 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
4493 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
4494 Elf32_Rel *rel = &sec->reltab[j];
4495 - rel->r_offset = elf32_to_cpu(rel->r_offset);
4496 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
4497 rel->r_info = elf32_to_cpu(rel->r_info);
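Review bot: If no PT_LOAD segment contains the target section, the loop over `phdr` exits without assigning `base`, and every relocation in that section is then shifted by whatever `base` held beforehand; its initialisation is not shown in this hunk. Since a relocation section whose target lies outside all loadable segments is malformed for this tool's purpose, the safer behaviour is to die() after the loop when nothing matched, assuming the loop breaks on the first hit: `if (j == ehdr.e_phnum) die("section %s not in any PT_LOAD segment\n", sec_name(sec->shdr.sh_info));`. The `secs[sec->shdr.sh_info]` index comes from the input file and is not checked against `ehdr.e_shnum` here either. read_relocs begins before this hunk.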
4500 @@ -371,14 +415,14 @@ static void read_relocs(FILE *fp)
4502 static void print_absolute_symbols(void)
4506 printf("Absolute symbols\n");
4507 printf(" Num: Value Size Type Bind Visibility Name\n");
4508 for (i = 0; i < ehdr.e_shnum; i++) {
4509 struct section *sec = &secs[i];
4511 Elf32_Sym *sh_symtab;
4515 if (sec->shdr.sh_type != SHT_SYMTAB) {
4517 @@ -406,14 +450,14 @@ static void print_absolute_symbols(void)
4519 static void print_absolute_relocs(void)
4521 - int i, printed = 0;
4522 + unsigned int i, printed = 0;
4524 for (i = 0; i < ehdr.e_shnum; i++) {
4525 struct section *sec = &secs[i];
4526 struct section *sec_applies, *sec_symtab;
4528 Elf32_Sym *sh_symtab;
4531 if (sec->shdr.sh_type != SHT_REL) {
4534 @@ -474,13 +518,13 @@ static void print_absolute_relocs(void)
4536 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
4540 /* Walk through the relocations */
4541 for (i = 0; i < ehdr.e_shnum; i++) {
4543 Elf32_Sym *sh_symtab;
4544 struct section *sec_applies, *sec_symtab;
4547 struct section *sec = &secs[i];
4549 if (sec->shdr.sh_type != SHT_REL) {
4550 @@ -504,6 +548,24 @@ static void walk_relocs(void (*visit)(El
4551 if (sym->st_shndx == SHN_ABS) {
4554 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
4555 + if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
4557 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
4558 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
4559 + if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
4560 + if (strcmp(sym_name(sym_strtab, sym), "__init_begin"))
4563 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
4565 + if (!strcmp(sec_name(sym->st_shndx), ".text.head")) {
4566 + if (strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET"))
4569 + if (!strcmp(sec_name(sym->st_shndx), ".text"))
4572 if (r_type == R_386_NONE || r_type == R_386_PC32) {
4574 * NONE can be ignored and and PC relative
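Review bot: `sec_name(sym->st_shndx)` is recomputed up to five times per relocation across the `.data.percpu`, `.init.text`, `.exit.text`, `.text.head` and `.text` tests, and `sym_name(sym_strtab, sym)` up to three times; fetching each once into a local, `const char *sname = sec_name(sym->st_shndx);`, before the chain keeps the new checks readable and avoids the repeated string-table walks. The KERNEXEC comment explains the mechanism once for `.init.text`, but the `.exit.text`, `.text.head` and `.text` checks carry no comment of their own; one line above the group saying all four are covered by the same KERNEL_CS base argument would make that clear. walk_relocs begins before this hunk and continues after it.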
4575 @@ -541,7 +603,7 @@ static int cmp_relocs(const void *va, co
4577 static void emit_relocs(int as_text)
4581 /* Count how many relocations I have and allocate space for them. */
4583 walk_relocs(count_reloc);
4584 @@ -634,6 +696,7 @@ int main(int argc, char **argv)
4585 fname, strerror(errno));
4592 diff -urNp linux-2.6.31/arch/x86/boot/cpucheck.c linux-2.6.31/arch/x86/boot/cpucheck.c
4593 --- linux-2.6.31/arch/x86/boot/cpucheck.c 2009-08-27 20:59:04.000000000 -0400
4594 +++ linux-2.6.31/arch/x86/boot/cpucheck.c 2009-09-06 15:29:11.169177727 -0400
4595 @@ -74,7 +74,7 @@ static int has_fpu(void)
4596 u16 fcw = -1, fsw = -1;
4599 - asm("movl %%cr0,%0" : "=r" (cr0));
4600 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
4601 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
4602 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
4603 asm volatile("movl %0,%%cr0" : : "r" (cr0));
4604 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
4609 + asm volatile("pushfl ; "
4613 @@ -115,7 +115,7 @@ static void get_flags(void)
4614 set_bit(X86_FEATURE_FPU, cpu.flags);
4616 if (has_eflag(X86_EFLAGS_ID)) {
4618 + asm volatile("cpuid"
4619 : "=a" (max_intel_level),
4620 "=b" (cpu_vendor[0]),
4621 "=d" (cpu_vendor[1]),
4622 @@ -124,7 +124,7 @@ static void get_flags(void)
4624 if (max_intel_level >= 0x00000001 &&
4625 max_intel_level <= 0x0000ffff) {
4627 + asm volatile("cpuid"
4629 "=c" (cpu.flags[4]),
4631 @@ -136,7 +136,7 @@ static void get_flags(void)
4632 cpu.model += ((tfms >> 16) & 0xf) << 4;
4636 + asm volatile("cpuid"
4637 : "=a" (max_amd_level)
4639 : "ebx", "ecx", "edx");
4640 @@ -144,7 +144,7 @@ static void get_flags(void)
4641 if (max_amd_level >= 0x80000001 &&
4642 max_amd_level <= 0x8000ffff) {
4643 u32 eax = 0x80000001;
4645 + asm volatile("cpuid"
4647 "=c" (cpu.flags[6]),
4649 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
4650 u32 ecx = MSR_K7_HWCR;
4653 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
4654 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
4656 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
4657 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
4659 get_flags(); /* Make sure it really did something */
4660 err = check_flags();
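Review bot: The `volatile` added to the `wrmsr` statements here and in the two following `check_cpu` hunks is redundant: an extended asm with no output operands is implicitly volatile in GCC, so those lines are unchanged in effect. The `rdmsr` and `cpuid` statements do have outputs and there the qualifier matters, because the value must be re-read after the intervening `wrmsr` rather than reused from the earlier read; a short comment at the first `rdmsr`, e.g. `/* volatile: must re-read after the wrmsr below */`, would explain the pattern. Keeping `volatile` on the `wrmsr` lines for uniformity is fine, but it should not be read as a fix.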
4661 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
4662 u32 ecx = MSR_VIA_FCR;
4665 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
4666 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
4667 eax |= (1<<1)|(1<<7);
4668 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
4669 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
4671 set_bit(X86_FEATURE_CX8, cpu.flags);
4672 err = check_flags();
4673 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
4677 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
4678 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
4680 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
4681 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
4682 + asm volatile("cpuid"
4683 : "+a" (level), "=d" (cpu.flags[0])
4685 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
4686 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
4688 err = check_flags();
4690 diff -urNp linux-2.6.31/arch/x86/boot/header.S linux-2.6.31/arch/x86/boot/header.S
4691 --- linux-2.6.31/arch/x86/boot/header.S 2009-08-27 20:59:04.000000000 -0400
4692 +++ linux-2.6.31/arch/x86/boot/header.S 2009-09-06 15:29:11.170165940 -0400
4693 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
4694 # single linked list of
4697 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
4698 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
4700 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
4701 #define VO_INIT_SIZE (VO__end - VO__text)
4702 diff -urNp linux-2.6.31/arch/x86/boot/video-vesa.c linux-2.6.31/arch/x86/boot/video-vesa.c
4703 --- linux-2.6.31/arch/x86/boot/video-vesa.c 2009-08-27 20:59:04.000000000 -0400
4704 +++ linux-2.6.31/arch/x86/boot/video-vesa.c 2009-09-06 15:29:11.171179722 -0400
4705 @@ -205,6 +205,7 @@ static void vesa_store_pm_info(void)
4707 boot_params.screen_info.vesapm_seg = oreg.es;
4708 boot_params.screen_info.vesapm_off = oreg.di;
4709 + boot_params.screen_info.vesapm_size = oreg.cx;
4713 diff -urNp linux-2.6.31/arch/x86/ia32/ia32_signal.c linux-2.6.31/arch/x86/ia32/ia32_signal.c
4714 --- linux-2.6.31/arch/x86/ia32/ia32_signal.c 2009-08-27 20:59:04.000000000 -0400
4715 +++ linux-2.6.31/arch/x86/ia32/ia32_signal.c 2009-09-06 15:29:11.172266784 -0400
4716 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
4718 /* Align the stack pointer according to the i386 ABI,
4719 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
4720 - sp = ((sp + 4) & -16ul) - 4;
4721 + sp = ((sp - 12) & -16ul) - 4;
4722 return (void __user *) sp;
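Review bot: The comment two lines above still describes the old expression (`(sp + 4) & 15 == 0` on entry), but `((sp - 12) & -16ul) - 4` now always lands between 16 and 31 bytes below the incoming `sp` instead of at most 15, and nothing says why that extra slot is reserved. Update the comment to state the new invariant and the reason for the gap, e.g. `/* Align to the i386 ABI ((sp + 4) & 15 == 0) and always step down one full 16-byte slot: <reason> */` with the reason supplied by the author. get_sigframe begins before this hunk.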
4725 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
4727 __NR_ia32_rt_sigreturn,
4733 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
4734 diff -urNp linux-2.6.31/arch/x86/include/asm/alternative.h linux-2.6.31/arch/x86/include/asm/alternative.h
4735 --- linux-2.6.31/arch/x86/include/asm/alternative.h 2009-08-27 20:59:04.000000000 -0400
4736 +++ linux-2.6.31/arch/x86/include/asm/alternative.h 2009-09-06 15:29:11.173164562 -0400
4737 @@ -87,7 +87,7 @@ const unsigned char *const *find_nop_tab
4738 " .byte 662b-661b\n" /* sourcelen */ \
4739 " .byte 664f-663f\n" /* replacementlen */ \
4741 - ".section .altinstr_replacement, \"ax\"\n" \
4742 + ".section .altinstr_replacement, \"a\"\n" \
4743 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
4746 diff -urNp linux-2.6.31/arch/x86/include/asm/apm.h linux-2.6.31/arch/x86/include/asm/apm.h
4747 --- linux-2.6.31/arch/x86/include/asm/apm.h 2009-08-27 20:59:04.000000000 -0400
4748 +++ linux-2.6.31/arch/x86/include/asm/apm.h 2009-09-06 15:29:11.174173729 -0400
4749 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
4750 __asm__ __volatile__(APM_DO_ZERO_SEGS
4753 - "lcall *%%cs:apm_bios_entry\n\t"
4754 + "lcall *%%ss:apm_bios_entry\n\t"
4758 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
4759 __asm__ __volatile__(APM_DO_ZERO_SEGS
4762 - "lcall *%%cs:apm_bios_entry\n\t"
4763 + "lcall *%%ss:apm_bios_entry\n\t"
4767 diff -urNp linux-2.6.31/arch/x86/include/asm/atomic_32.h linux-2.6.31/arch/x86/include/asm/atomic_32.h
4768 --- linux-2.6.31/arch/x86/include/asm/atomic_32.h 2009-08-27 20:59:04.000000000 -0400
4769 +++ linux-2.6.31/arch/x86/include/asm/atomic_32.h 2009-09-06 15:29:11.175190733 -0400
4770 @@ -25,6 +25,17 @@ static inline int atomic_read(const atom
4774 + * atomic_read_unchecked - read atomic variable
4775 + * @v: pointer of type atomic_unchecked_t
4777 + * Atomically reads the value of @v.
4779 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
4781 + return v->counter;
4785 * atomic_set - set atomic variable
4786 * @v: pointer of type atomic_t
4787 * @i: required value
4788 @@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
4792 + * atomic_set_unchecked - set atomic variable
4793 + * @v: pointer of type atomic_unchecked_t
4794 + * @i: required value
4796 + * Atomically sets the value of @v to @i.
4798 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
4804 * atomic_add - add integer to atomic variable
4805 * @i: integer value to add
4806 * @v: pointer of type atomic_t
4807 @@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
4809 static inline void atomic_add(int i, atomic_t *v)
4811 - asm volatile(LOCK_PREFIX "addl %1,%0"
4812 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
4814 +#ifdef CONFIG_PAX_REFCOUNT
4816 + LOCK_PREFIX "subl %1,%0\n"
4818 + _ASM_EXTABLE(0b, 0b)
4821 + : "+m" (v->counter)
4826 + * atomic_add_unchecked - add integer to atomic variable
4827 + * @i: integer value to add
4828 + * @v: pointer of type atomic_unchecked_t
4830 + * Atomically adds @i to @v.
4832 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
4834 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
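Review bot: With CONFIG_PAX_REFCOUNT the overflow is detected only after the `addl` has already stored the wrapped value, and the compensating `subl` runs afterwards, so another CPU reading the counter in between observes the overflowed value; the detection is therefore best-effort for concurrent readers, which is worth a comment above the `#ifdef` (`/* overflow is undone after the fact; a concurrent reader may briefly see the wrapped value */`). The branch and trap instructions between `addl` and `subl` are not shown in this hunk, so the exact window cannot be judged from here. The new `atomic_add_unchecked` doc should also state that it intentionally lacks this check.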
4838 @@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
4840 static inline void atomic_sub(int i, atomic_t *v)
4842 - asm volatile(LOCK_PREFIX "subl %1,%0"
4843 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
4845 +#ifdef CONFIG_PAX_REFCOUNT
4847 + LOCK_PREFIX "addl %1,%0\n"
4849 + _ASM_EXTABLE(0b, 0b)
4852 + : "+m" (v->counter)
4857 + * atomic_sub_unchecked - subtract integer from atomic variable
4858 + * @i: integer value to subtract
4859 + * @v: pointer of type atomic_t
4861 + * Atomically subtracts @i from @v.
4863 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
4865 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
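Review bot: The kernel-doc for `atomic_sub_unchecked` says `@v: pointer of type atomic_t`, but the parameter is `atomic_unchecked_t *v`; change the line to `* @v: pointer of type atomic_unchecked_t` to match the sibling `atomic_add_unchecked` comment. The block should also say what "unchecked" means here, namely that the CONFIG_PAX_REFCOUNT overflow detection applied to `atomic_sub` is deliberately omitted, presumably for counters where wraparound is acceptable.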
4869 @@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
4873 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
4874 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
4876 +#ifdef CONFIG_PAX_REFCOUNT
4878 + LOCK_PREFIX "addl %2,%0\n"
4880 + _ASM_EXTABLE(0b, 0b)
4884 : "+m" (v->counter), "=qm" (c)
4885 : "ir" (i) : "memory");
4887 @@ -91,7 +167,30 @@ static inline int atomic_sub_and_test(in
4889 static inline void atomic_inc(atomic_t *v)
4891 - asm volatile(LOCK_PREFIX "incl %0"
4892 + asm volatile(LOCK_PREFIX "incl %0\n"
4894 +#ifdef CONFIG_PAX_REFCOUNT
4896 + ".pushsection .fixup,\"ax\"\n"
4898 + LOCK_PREFIX "decl %0\n"
4901 + _ASM_EXTABLE(0b, 1b)
4904 + : "+m" (v->counter));
4908 + * atomic_inc_unchecked - increment atomic variable
4909 + * @v: pointer of type atomic_unchecked_t
4911 + * Atomically increments @v by 1.
4913 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
4915 + asm volatile(LOCK_PREFIX "incl %0\n"
4916 : "+m" (v->counter));
4919 @@ -103,7 +202,18 @@ static inline void atomic_inc(atomic_t *
4921 static inline void atomic_dec(atomic_t *v)
4923 - asm volatile(LOCK_PREFIX "decl %0"
4924 + asm volatile(LOCK_PREFIX "decl %0\n"
4926 +#ifdef CONFIG_PAX_REFCOUNT
4928 + ".pushsection .fixup,\"ax\"\n"
4930 + LOCK_PREFIX "incl %0\n"
4933 + _ASM_EXTABLE(0b, 1b)
4936 : "+m" (v->counter));
4939 @@ -119,7 +229,19 @@ static inline int atomic_dec_and_test(at
4943 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
4944 + asm volatile(LOCK_PREFIX "decl %0\n"
4946 +#ifdef CONFIG_PAX_REFCOUNT
4948 + ".pushsection .fixup,\"ax\"\n"
4950 + LOCK_PREFIX "incl %0\n"
4953 + _ASM_EXTABLE(0b, 1b)
4957 : "+m" (v->counter), "=qm" (c)
4960 @@ -137,7 +259,19 @@ static inline int atomic_inc_and_test(at
4964 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
4965 + asm volatile(LOCK_PREFIX "incl %0\n"
4967 +#ifdef CONFIG_PAX_REFCOUNT
4969 + ".pushsection .fixup,\"ax\"\n"
4971 + LOCK_PREFIX "decl %0\n"
4974 + _ASM_EXTABLE(0b, 1b)
4978 : "+m" (v->counter), "=qm" (c)
4981 @@ -156,7 +290,16 @@ static inline int atomic_add_negative(in
4985 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
4986 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
4988 +#ifdef CONFIG_PAX_REFCOUNT
4990 + LOCK_PREFIX "subl %2,%0\n"
4992 + _ASM_EXTABLE(0b, 0b)
4996 : "+m" (v->counter), "=qm" (c)
4997 : "ir" (i) : "memory");
4999 @@ -179,7 +322,15 @@ static inline int atomic_add_return(int
5001 /* Modern 486+ processor */
5003 - asm volatile(LOCK_PREFIX "xaddl %0, %1"
5004 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
5006 +#ifdef CONFIG_PAX_REFCOUNT
5010 + _ASM_EXTABLE(0b, 0b)
5013 : "+r" (i), "+m" (v->counter)
5016 @@ -227,17 +378,28 @@ static inline int atomic_xchg(atomic_t *
5018 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5024 - if (unlikely(c == (u)))
5025 + if (unlikely(c == u))
5027 - old = atomic_cmpxchg((v), c, c + (a));
5029 + asm volatile("addl %2,%0\n"
5031 +#ifdef CONFIG_PAX_REFCOUNT
5033 + _ASM_EXTABLE(0b, 0b)
5037 + : "0" (c), "ir" (a));
5039 + old = atomic_cmpxchg(v, c, new);
5040 if (likely(old == c))
5048 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
5049 diff -urNp linux-2.6.31/arch/x86/include/asm/atomic_64.h linux-2.6.31/arch/x86/include/asm/atomic_64.h
5050 --- linux-2.6.31/arch/x86/include/asm/atomic_64.h 2009-08-27 20:59:04.000000000 -0400
5051 +++ linux-2.6.31/arch/x86/include/asm/atomic_64.h 2009-09-06 15:29:11.175190733 -0400
5052 @@ -24,6 +24,17 @@ static inline int atomic_read(const atom
5056 + * atomic_read_unchecked - read atomic variable
5057 + * @v: pointer of type atomic_unchecked_t
5059 + * Atomically reads the value of @v.
5061 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5063 + return v->counter;
5067 * atomic_set - set atomic variable
5068 * @v: pointer of type atomic_t
5069 * @i: required value
5070 @@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
5074 + * atomic_set_unchecked - set atomic variable
5075 + * @v: pointer of type atomic_unchecked_t
5076 + * @i: required value
5078 + * Atomically sets the value of @v to @i.
5080 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5086 * atomic_add - add integer to atomic variable
5087 * @i: integer value to add
5088 * @v: pointer of type atomic_t
5089 @@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
5091 static inline void atomic_add(int i, atomic_t *v)
5093 - asm volatile(LOCK_PREFIX "addl %1,%0"
5094 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
5096 +#ifdef CONFIG_PAX_REFCOUNT
5098 + LOCK_PREFIX "subl %1,%0\n"
5100 + _ASM_EXTABLE(0b, 0b)
5103 + : "=m" (v->counter)
5104 + : "ir" (i), "m" (v->counter));
5108 + * atomic_add_unchecked - add integer to atomic variable
5109 + * @i: integer value to add
5110 + * @v: pointer of type atomic_unchecked_t
5112 + * Atomically adds @i to @v.
5114 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
5116 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
5118 : "ir" (i), "m" (v->counter));
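Review bot: The kernel-doc on atomic_add_unchecked says exactly what atomic_add's does ("Atomically adds @i to @v"), which hides the one property that distinguishes it: the unchecked variant has no CONFIG_PAX_REFCOUNT overflow trap, as the two asm bodies in this hunk show. Suggest spelling out the contract so nobody reaches for it on a reference count: `* Like atomic_add() but never traps on signed overflow; for counters that may legitimately wrap (statistics, sequence numbers), never for refcounts.` It is also worth a one-line comment on atomic_add that the overflowed value is stored by the `addl` and stays visible to other CPUs until the compensating `subl` runs, so the mechanism is detect-and-undo rather than prevention; the trap sequence between those two instructions is not visible in this chunk.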
5120 @@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
5122 static inline void atomic_sub(int i, atomic_t *v)
5124 - asm volatile(LOCK_PREFIX "subl %1,%0"
5125 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
5127 +#ifdef CONFIG_PAX_REFCOUNT
5129 + LOCK_PREFIX "addl %1,%0\n"
5131 + _ASM_EXTABLE(0b, 0b)
5134 + : "=m" (v->counter)
5135 + : "ir" (i), "m" (v->counter));
5139 + * atomic_sub_unchecked - subtract the atomic variable
5140 + * @i: integer value to subtract
5141 + * @v: pointer of type atomic_unchecked_t
5143 + * Atomically subtracts @i from @v.
5145 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
5147 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
5149 : "ir" (i), "m" (v->counter));
5151 @@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
5155 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
5156 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
5158 +#ifdef CONFIG_PAX_REFCOUNT
5160 + LOCK_PREFIX "addl %2,%0\n"
5162 + _ASM_EXTABLE(0b, 0b)
5166 : "=m" (v->counter), "=qm" (c)
5167 : "ir" (i), "m" (v->counter) : "memory");
5169 @@ -90,7 +166,32 @@ static inline int atomic_sub_and_test(in
5171 static inline void atomic_inc(atomic_t *v)
5173 - asm volatile(LOCK_PREFIX "incl %0"
5174 + asm volatile(LOCK_PREFIX "incl %0\n"
5176 +#ifdef CONFIG_PAX_REFCOUNT
5179 + ".pushsection .fixup,\"ax\"\n"
5181 + LOCK_PREFIX "decl %0\n"
5184 + _ASM_EXTABLE(0b, 1b)
5187 + : "=m" (v->counter)
5188 + : "m" (v->counter));
5192 + * atomic_inc_unchecked - increment atomic variable
5193 + * @v: pointer of type atomic_unchecked_t
5195 + * Atomically increments @v by 1.
5197 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5199 + asm volatile(LOCK_PREFIX "incl %0\n"
5201 : "m" (v->counter));
5203 @@ -103,7 +204,19 @@ static inline void atomic_inc(atomic_t *
5205 static inline void atomic_dec(atomic_t *v)
5207 - asm volatile(LOCK_PREFIX "decl %0"
5208 + asm volatile(LOCK_PREFIX "decl %0\n"
5210 +#ifdef CONFIG_PAX_REFCOUNT
5213 + ".pushsection .fixup,\"ax\"\n"
5215 + LOCK_PREFIX "incl %0\n"
5218 + _ASM_EXTABLE(0b, 1b)
5222 : "m" (v->counter));
5224 @@ -120,7 +233,20 @@ static inline int atomic_dec_and_test(at
5228 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
5229 + asm volatile(LOCK_PREFIX "decl %0\n"
5231 +#ifdef CONFIG_PAX_REFCOUNT
5234 + ".pushsection .fixup,\"ax\"\n"
5236 + LOCK_PREFIX "incl %0\n"
5239 + _ASM_EXTABLE(0b, 1b)
5243 : "=m" (v->counter), "=qm" (c)
5244 : "m" (v->counter) : "memory");
5246 @@ -138,7 +264,20 @@ static inline int atomic_inc_and_test(at
5250 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
5251 + asm volatile(LOCK_PREFIX "incl %0\n"
5253 +#ifdef CONFIG_PAX_REFCOUNT
5256 + ".pushsection .fixup,\"ax\"\n"
5258 + LOCK_PREFIX "decl %0\n"
5261 + _ASM_EXTABLE(0b, 1b)
5265 : "=m" (v->counter), "=qm" (c)
5266 : "m" (v->counter) : "memory");
5268 @@ -157,7 +296,16 @@ static inline int atomic_add_negative(in
5272 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
5273 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
5275 +#ifdef CONFIG_PAX_REFCOUNT
5277 + LOCK_PREFIX "subl %2,%0\n"
5279 + _ASM_EXTABLE(0b, 0b)
5283 : "=m" (v->counter), "=qm" (c)
5284 : "ir" (i), "m" (v->counter) : "memory");
5286 @@ -173,7 +321,15 @@ static inline int atomic_add_negative(in
5287 static inline int atomic_add_return(int i, atomic_t *v)
5290 - asm volatile(LOCK_PREFIX "xaddl %0, %1"
5291 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
5293 +#ifdef CONFIG_PAX_REFCOUNT
5297 + _ASM_EXTABLE(0b, 0b)
5300 : "+r" (i), "+m" (v->counter)
5303 @@ -224,7 +380,15 @@ static inline void atomic64_set(atomic64
5305 static inline void atomic64_add(long i, atomic64_t *v)
5307 - asm volatile(LOCK_PREFIX "addq %1,%0"
5308 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
5310 +#ifdef CONFIG_PAX_REFCOUNT
5312 + LOCK_PREFIX "subq %1,%0\n"
5314 + _ASM_EXTABLE(0b, 0b)
5318 : "er" (i), "m" (v->counter));
5320 @@ -238,7 +402,15 @@ static inline void atomic64_add(long i,
5322 static inline void atomic64_sub(long i, atomic64_t *v)
5324 - asm volatile(LOCK_PREFIX "subq %1,%0"
5325 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
5327 +#ifdef CONFIG_PAX_REFCOUNT
5329 + LOCK_PREFIX "addq %1,%0\n"
5331 + _ASM_EXTABLE(0b, 0b)
5335 : "er" (i), "m" (v->counter));
5337 @@ -256,7 +428,16 @@ static inline int atomic64_sub_and_test(
5341 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
5342 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
5344 +#ifdef CONFIG_PAX_REFCOUNT
5346 + LOCK_PREFIX "addq %2,%0\n"
5348 + _ASM_EXTABLE(0b, 0b)
5352 : "=m" (v->counter), "=qm" (c)
5353 : "er" (i), "m" (v->counter) : "memory");
5355 @@ -270,7 +451,19 @@ static inline int atomic64_sub_and_test(
5357 static inline void atomic64_inc(atomic64_t *v)
5359 - asm volatile(LOCK_PREFIX "incq %0"
5360 + asm volatile(LOCK_PREFIX "incq %0\n"
5362 +#ifdef CONFIG_PAX_REFCOUNT
5365 + ".pushsection .fixup,\"ax\"\n"
5367 + LOCK_PREFIX "decq %0\n"
5370 + _ASM_EXTABLE(0b, 1b)
5374 : "m" (v->counter));
5376 @@ -283,7 +476,19 @@ static inline void atomic64_inc(atomic64
5378 static inline void atomic64_dec(atomic64_t *v)
5380 - asm volatile(LOCK_PREFIX "decq %0"
5381 + asm volatile(LOCK_PREFIX "decq %0\n"
5383 +#ifdef CONFIG_PAX_REFCOUNT
5386 + ".pushsection .fixup,\"ax\"\n"
5388 + LOCK_PREFIX "incq %0\n"
5391 + _ASM_EXTABLE(0b, 1b)
5395 : "m" (v->counter));
5397 @@ -300,7 +505,20 @@ static inline int atomic64_dec_and_test(
5401 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
5402 + asm volatile(LOCK_PREFIX "decq %0\n"
5404 +#ifdef CONFIG_PAX_REFCOUNT
5407 + ".pushsection .fixup,\"ax\"\n"
5409 + LOCK_PREFIX "incq %0\n"
5412 + _ASM_EXTABLE(0b, 1b)
5416 : "=m" (v->counter), "=qm" (c)
5417 : "m" (v->counter) : "memory");
5419 @@ -318,7 +536,20 @@ static inline int atomic64_inc_and_test(
5423 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
5424 + asm volatile(LOCK_PREFIX "incq %0\n"
5426 +#ifdef CONFIG_PAX_REFCOUNT
5429 + ".pushsection .fixup,\"ax\"\n"
5431 + LOCK_PREFIX "decq %0\n"
5434 + _ASM_EXTABLE(0b, 1b)
5438 : "=m" (v->counter), "=qm" (c)
5439 : "m" (v->counter) : "memory");
5441 @@ -337,7 +568,16 @@ static inline int atomic64_add_negative(
5445 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
5446 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
5448 +#ifdef CONFIG_PAX_REFCOUNT
5450 + LOCK_PREFIX "subq %2,%0\n"
5452 + _ASM_EXTABLE(0b, 0b)
5456 : "=m" (v->counter), "=qm" (c)
5457 : "er" (i), "m" (v->counter) : "memory");
5459 @@ -353,7 +593,15 @@ static inline int atomic64_add_negative(
5460 static inline long atomic64_add_return(long i, atomic64_t *v)
5463 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
5464 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
5466 +#ifdef CONFIG_PAX_REFCOUNT
5470 + _ASM_EXTABLE(0b, 0b)
5473 : "+r" (i), "+m" (v->counter)
5476 @@ -398,17 +646,29 @@ static inline long atomic_xchg(atomic_t
5478 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5484 - if (unlikely(c == (u)))
5485 + if (unlikely(c == u))
5487 - old = atomic_cmpxchg((v), c, c + (a));
5489 + asm volatile("addl %2,%0\n"
5491 +#ifdef CONFIG_PAX_REFCOUNT
5494 + _ASM_EXTABLE(0b, 0b)
5498 + : "0" (c), "ir" (a));
5500 + old = atomic_cmpxchg(v, c, new);
5501 if (likely(old == c))
5509 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
5510 @@ -424,17 +684,29 @@ static inline int atomic_add_unless(atom
5512 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
5516 c = atomic64_read(v);
5518 - if (unlikely(c == (u)))
5519 + if (unlikely(c == u))
5521 - old = atomic64_cmpxchg((v), c, c + (a));
5523 + asm volatile("addq %2,%0\n"
5525 +#ifdef CONFIG_PAX_REFCOUNT
5528 + _ASM_EXTABLE(0b, 0b)
5532 + : "0" (c), "er" (a));
5534 + old = atomic64_cmpxchg((v), c, new);
5535 if (likely(old == c))
5544 diff -urNp linux-2.6.31/arch/x86/include/asm/boot.h linux-2.6.31/arch/x86/include/asm/boot.h
5545 --- linux-2.6.31/arch/x86/include/asm/boot.h 2009-08-27 20:59:04.000000000 -0400
5546 +++ linux-2.6.31/arch/x86/include/asm/boot.h 2009-09-06 15:29:11.176333963 -0400
5548 #include <asm/pgtable_types.h>
5550 /* Physical address where kernel should be loaded. */
5551 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
5552 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
5553 + (CONFIG_PHYSICAL_ALIGN - 1)) \
5554 & ~(CONFIG_PHYSICAL_ALIGN - 1))
5556 +#ifndef __ASSEMBLY__
5557 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
5558 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
5561 /* Minimum kernel alignment, as a power of two */
5562 #ifdef CONFIG_X86_64
5563 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
5564 diff -urNp linux-2.6.31/arch/x86/include/asm/cache.h linux-2.6.31/arch/x86/include/asm/cache.h
5565 --- linux-2.6.31/arch/x86/include/asm/cache.h 2009-08-27 20:59:04.000000000 -0400
5566 +++ linux-2.6.31/arch/x86/include/asm/cache.h 2009-09-06 15:29:11.176333963 -0400
5568 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5570 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
5571 +#define __read_only __attribute__((__section__(".data.read_only")))
5573 #ifdef CONFIG_X86_VSMP
5574 /* vSMP Internode cacheline shift */
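Review bot: `__read_only` places a variable in `.data.read_only` but nothing here says what that section's lifecycle is, and anyone applying the attribute needs to know whether the object may be written after init at all and through which helper, otherwise the first late write will fault in a hard-to-attribute way. Suggest a comment alongside `__read_mostly`, phrased as the assumption it is until confirmed against the linker script and KERNEXEC code (not visible here): `/* .data.read_only: assumed write-protected after boot under KERNEXEC; later writes only between pax_open_kernel()/pax_close_kernel() */`.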
5575 diff -urNp linux-2.6.31/arch/x86/include/asm/checksum_32.h linux-2.6.31/arch/x86/include/asm/checksum_32.h
5576 --- linux-2.6.31/arch/x86/include/asm/checksum_32.h 2009-08-27 20:59:04.000000000 -0400
5577 +++ linux-2.6.31/arch/x86/include/asm/checksum_32.h 2009-09-06 15:29:11.176333963 -0400
5578 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
5579 int len, __wsum sum,
5580 int *src_err_ptr, int *dst_err_ptr);
5582 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
5583 + int len, __wsum sum,
5584 + int *src_err_ptr, int *dst_err_ptr);
5586 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
5587 + int len, __wsum sum,
5588 + int *src_err_ptr, int *dst_err_ptr);
5591 * Note: when you get a NULL pointer exception here this means someone
5592 * passed in an incorrect kernel address to one of these functions.
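Review bot: The new prototypes declare the user-side parameter as a plain kernel pointer (`const void *src` for the _from_user variant, `void *dst` for _to_user), so the callers below have to strip the address space with `(__force void *)` and sparse can no longer catch a kernel pointer being handed to the user-copy variant, which is the class of mistake UDEREF-style hardening exists to stop. Declaring them `const void __user *src` and `void __user *dst` respectively documents the contract and lets the `__force` casts at both call sites go away. The `csum_partial_copy_generic` prototype above them is outside the hunk.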
5593 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
5597 - return csum_partial_copy_generic((__force void *)src, dst,
5598 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
5599 len, sum, err_ptr, NULL);
5602 @@ -177,7 +185,7 @@ static inline __wsum csum_and_copy_to_us
5605 if (access_ok(VERIFY_WRITE, dst, len))
5606 - return csum_partial_copy_generic(src, (__force void *)dst,
5607 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
5608 len, sum, NULL, err_ptr);
5611 diff -urNp linux-2.6.31/arch/x86/include/asm/desc.h linux-2.6.31/arch/x86/include/asm/desc.h
5612 --- linux-2.6.31/arch/x86/include/asm/desc.h 2009-08-27 20:59:04.000000000 -0400
5613 +++ linux-2.6.31/arch/x86/include/asm/desc.h 2009-09-06 15:29:11.177300796 -0400
5614 @@ -15,6 +15,7 @@ static inline void fill_ldt(struct desc_
5615 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
5616 desc->type = (info->read_exec_only ^ 1) << 1;
5617 desc->type |= info->contents << 2;
5618 + desc->type |= info->seg_not_present ^ 1;
5621 desc->p = info->seg_not_present ^ 1;
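Review bot: The new `desc->type |= info->seg_not_present ^ 1;` sets the descriptor's accessed bit (type bit 0) for every present segment, and the reason is not local to fill_ldt: the CPU sets that bit itself the first time a descriptor is loaded, and with the descriptor tables made read-only elsewhere in this patch (the pax_open_kernel wrappers around GDT/LDT writes in this same file) that hardware write would fault. Suggest `/* pre-set the accessed bit: otherwise the CPU writes it into the LDT on first use, which faults once the table is read-only under KERNEXEC */` so the line is not "simplified" away later. The rest of fill_ldt is outside the hunk.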
5622 @@ -31,16 +32,12 @@ static inline void fill_ldt(struct desc_
5625 extern struct desc_ptr idt_descr;
5626 -extern gate_desc idt_table[];
5629 - struct desc_struct gdt[GDT_ENTRIES];
5630 -} __attribute__((aligned(PAGE_SIZE)));
5631 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
5632 +extern gate_desc idt_table[256];
5634 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
5635 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
5637 - return per_cpu(gdt_page, cpu).gdt;
5638 + return cpu_gdt_table[cpu];
5641 #ifdef CONFIG_X86_64
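Review bot: `cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]` reserves one page per possible CPU statically, i.e. NR_CPUS pages whether or not those CPUs exist, which on a distribution config with a large NR_CPUS is several MiB of permanently mapped memory compared with the per-cpu page it replaces. That is presumably the price of a fixed, page-aligned GDT that can be write-protected, and it deserves saying so in place: `/* one page-aligned GDT per possible CPU, static so it can be made read-only (KERNEXEC); costs NR_CPUS pages */`. The `idt_table[256]` bound likewise documents the full vector space, which the previous `[]` left to the definition.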
5642 @@ -115,19 +112,48 @@ static inline void paravirt_free_ldt(str
5643 static inline void native_write_idt_entry(gate_desc *idt, int entry,
5644 const gate_desc *gate)
5647 +#ifdef CONFIG_PAX_KERNEXEC
5648 + unsigned long cr0;
5650 + pax_open_kernel(cr0);
5653 memcpy(&idt[entry], gate, sizeof(*gate));
5655 +#ifdef CONFIG_PAX_KERNEXEC
5656 + pax_close_kernel(cr0);
5661 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
5665 +#ifdef CONFIG_PAX_KERNEXEC
5666 + unsigned long cr0;
5668 + pax_open_kernel(cr0);
5671 memcpy(&ldt[entry], desc, 8);
5673 +#ifdef CONFIG_PAX_KERNEXEC
5674 + pax_close_kernel(cr0);
5679 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
5680 const void *desc, int type)
5684 +#ifdef CONFIG_PAX_KERNEXEC
5685 + unsigned long cr0;
5690 size = sizeof(tss_desc);
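Review bot: The pax_open_kernel(cr0)/pax_close_kernel(cr0) pairs around the descriptor memcpy calls open a write window for the whole CPU, not just for this function, so they are only safe if the helpers disable preemption (and ideally interrupts) for the duration or every caller already does; their definition is not visible here, so I cannot confirm which holds, and the `cr0` local suggests the window is implemented by clearing CR0.WP. A comment at the first use stating that contract, e.g. `/* pax_open_kernel() lifts write protection for this CPU until pax_close_kernel(); must not be preempted in between */`, lets reviewers of the callers check it. native_write_gdt_entry continues in the next hunk.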
5691 @@ -139,7 +165,17 @@ static inline void native_write_gdt_entr
5692 size = sizeof(struct desc_struct);
5696 +#ifdef CONFIG_PAX_KERNEXEC
5697 + pax_open_kernel(cr0);
5700 memcpy(&gdt[entry], desc, size);
5702 +#ifdef CONFIG_PAX_KERNEXEC
5703 + pax_close_kernel(cr0);
5708 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
5709 @@ -211,7 +247,19 @@ static inline void native_set_ldt(const
5711 static inline void native_load_tr_desc(void)
5714 +#ifdef CONFIG_PAX_KERNEXEC
5715 + unsigned long cr0;
5717 + pax_open_kernel(cr0);
5720 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
5722 +#ifdef CONFIG_PAX_KERNEXEC
5723 + pax_close_kernel(cr0);
5728 static inline void native_load_gdt(const struct desc_ptr *dtr)
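Review bot: Wrapping `ltr` in pax_open_kernel/pax_close_kernel reads as redundant without a comment, because ltr looks like a pure register load; the reason is that ltr sets the busy bit in the TSS descriptor, which is a write into the GDT, and with a read-only GDT that write faults. Suggest `/* ltr writes the busy bit into the TSS descriptor, i.e. into the (read-only) GDT */` above the asm so the pairing is not removed later as apparently unnecessary.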
5729 @@ -246,8 +294,19 @@ static inline void native_load_tls(struc
5731 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
5733 +#ifdef CONFIG_PAX_KERNEXEC
5734 + unsigned long cr0;
5736 + pax_open_kernel(cr0);
5739 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
5740 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
5742 +#ifdef CONFIG_PAX_KERNEXEC
5743 + pax_close_kernel(cr0);
5748 #define _LDT_empty(info) \
5749 @@ -379,4 +438,16 @@ static inline void set_system_intr_gate_
5750 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
5753 +#ifdef CONFIG_X86_32
5754 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
5756 + struct desc_struct d;
5758 + if (likely(limit))
5759 + limit = (limit - 1UL) >> PAGE_SHIFT;
5760 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
5761 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
5765 #endif /* _ASM_X86_DESC_H */
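Review bot: A `limit` of 0 still yields a 4 KiB executable segment rather than an empty one, because `pack_descriptor` is called with flags `0xC` (granularity bit set) and a zero page-granular limit covers bytes 0..4095, so if any caller passes 0 to mean "nothing executable" that is not what it gets. The `if (likely(limit))` guard avoids the underflow but leaves this ambiguity, so either document it, `/* limit == 0 cannot express an empty segment: with G=1 it still spans one page */`, or have callers guarantee limit >= PAGE_SIZE. The callers in mmu_context.h pass `next->context.user_cs_limit`, whose initial value is not visible here.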
5766 diff -urNp linux-2.6.31/arch/x86/include/asm/e820.h linux-2.6.31/arch/x86/include/asm/e820.h
5767 --- linux-2.6.31/arch/x86/include/asm/e820.h 2009-08-27 20:59:04.000000000 -0400
5768 +++ linux-2.6.31/arch/x86/include/asm/e820.h 2009-09-06 15:29:11.177300796 -0400
5769 @@ -135,7 +135,7 @@ extern char *memory_setup(void);
5770 #define ISA_END_ADDRESS 0x100000
5771 #define is_ISA_range(s, e) ((s) >= ISA_START_ADDRESS && (e) < ISA_END_ADDRESS)
5773 -#define BIOS_BEGIN 0x000a0000
5774 +#define BIOS_BEGIN 0x000c0000
5775 #define BIOS_END 0x00100000
5778 diff -urNp linux-2.6.31/arch/x86/include/asm/elf.h linux-2.6.31/arch/x86/include/asm/elf.h
5779 --- linux-2.6.31/arch/x86/include/asm/elf.h 2009-08-27 20:59:04.000000000 -0400
5780 +++ linux-2.6.31/arch/x86/include/asm/elf.h 2009-09-06 15:29:11.178289958 -0400
5781 @@ -263,7 +263,25 @@ extern int force_personality32;
5782 the loader. We need to make sure that it is out of the way of the program
5783 that it will "exec", and that there is sufficient room for the brk. */
5785 +#ifdef CONFIG_PAX_SEGMEXEC
5786 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
5788 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
5791 +#ifdef CONFIG_PAX_ASLR
5792 +#ifdef CONFIG_X86_32
5793 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
5795 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
5796 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
5798 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
5800 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : 32)
5801 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : 32)
5805 /* This yields a mask that user programs can use to figure out what
5806 instruction set this CPU supports. This could be done in user space,
5807 @@ -315,8 +333,7 @@ do { \
5808 #define ARCH_DLINFO \
5811 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
5812 - (unsigned long)current->mm->context.vdso); \
5813 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
5816 #define AT_SYSINFO 32
5817 @@ -327,7 +344,7 @@ do { \
5819 #endif /* !CONFIG_X86_32 */
5821 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
5822 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
5824 #define VDSO_ENTRY \
5825 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
5826 @@ -341,7 +358,4 @@ extern int arch_setup_additional_pages(s
5827 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
5828 #define compat_arch_setup_additional_pages syscall32_setup_pages
5830 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
5831 -#define arch_randomize_brk arch_randomize_brk
5833 #endif /* _ASM_X86_ELF_H */
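Review bot: Brk randomization disappears for builds without CONFIG_PAX_ASLR once `arch_randomize_brk` is no longer declared here, because mainline's binfmt_elf.c only compiles the randomize_va_space=2 brk offset when that macro is defined; unless the corresponding binfmt_elf.c change (not visible in this chunk) keeps an equivalent for the non-PaX case, a grsecurity kernel with PAX_ASLR turned off ends up with a deterministic heap base, which is a regression from stock. If the removal is deliberate because PaX's own ASLR owns brk placement, guarding the two removed lines with `#ifndef CONFIG_PAX_ASLR` keeps the stock behaviour for that configuration. Either way a one-line comment naming which code now owns brk randomization would save the next reader the search.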
5834 diff -urNp linux-2.6.31/arch/x86/include/asm/futex.h linux-2.6.31/arch/x86/include/asm/futex.h
5835 --- linux-2.6.31/arch/x86/include/asm/futex.h 2009-08-27 20:59:04.000000000 -0400
5836 +++ linux-2.6.31/arch/x86/include/asm/futex.h 2009-09-06 15:29:11.178289958 -0400
5838 #include <asm/processor.h>
5839 #include <asm/system.h>
5841 +#ifdef CONFIG_X86_32
5842 +#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
5844 + "movw\t%w6, %%ds\n" \
5845 + "1:\t" insn "\n" \
5846 + "2:\tpushl\t%%ss\n" \
5847 + "\tpopl\t%%ds\n" \
5848 + "\t.section .fixup,\"ax\"\n" \
5849 + "3:\tmov\t%3, %1\n" \
5852 + _ASM_EXTABLE(1b, 3b) \
5853 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
5854 + : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
5856 +#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
5857 + asm volatile("movw\t%w7, %%es\n" \
5858 + "1:\tmovl\t%%es:%2, %0\n" \
5859 + "\tmovl\t%0, %3\n" \
5861 + "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
5863 + "3:\tpushl\t%%ss\n" \
5864 + "\tpopl\t%%es\n" \
5865 + "\t.section .fixup,\"ax\"\n" \
5866 + "4:\tmov\t%5, %1\n" \
5869 + _ASM_EXTABLE(1b, 4b) \
5870 + _ASM_EXTABLE(2b, 4b) \
5871 + : "=&a" (oldval), "=&r" (ret), \
5872 + "+m" (*uaddr), "=&r" (tem) \
5873 + : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
5875 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
5876 asm volatile("1:\t" insn "\n" \
5877 "2:\t.section .fixup,\"ax\"\n" \
5879 : "=&a" (oldval), "=&r" (ret), \
5880 "+m" (*uaddr), "=&r" (tem) \
5881 : "r" (oparg), "i" (-EFAULT), "1" (0))
5884 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
5885 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
5887 int op = (encoded_op >> 28) & 7;
5888 int cmp = (encoded_op >> 24) & 15;
5889 @@ -61,11 +96,20 @@ static inline int futex_atomic_op_inuser
5893 +#ifdef CONFIG_X86_32
5894 + __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
5896 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
5900 +#ifdef CONFIG_X86_32
5901 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
5904 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
5909 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
5910 @@ -109,7 +153,7 @@ static inline int futex_atomic_op_inuser
5914 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
5915 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
5919 @@ -122,14 +166,27 @@ static inline int futex_atomic_cmpxchg_i
5920 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
5923 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
5925 +#ifdef CONFIG_X86_32
5926 + "\tmovw %w5, %%ds\n"
5927 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
5928 + "2:\tpushl %%ss\n"
5930 + "\t.section .fixup, \"ax\"\n"
5932 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
5933 "2:\t.section .fixup, \"ax\"\n"
5938 _ASM_EXTABLE(1b, 3b)
5939 : "=a" (oldval), "+m" (*uaddr)
5940 +#ifdef CONFIG_X86_32
5941 + : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
5943 : "i" (-EFAULT), "r" (newval), "0" (oldval)
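Review bot: `access_ok(VERIFY_WRITE, uaddr, sizeof(int))` at the top of futex_atomic_cmpxchg_inatomic should become `sizeof(*uaddr)` now that the parameter is `u32 __user *`; the sizes coincide on x86, but tying the check to the type keeps them from drifting apart. More important for the 32-bit path: %ds is restored with `pushl %%ss; popl %%ds`, which assumes %ss holds the kernel data segment at this point, and the fault fixup at label 3 must also return through that restore rather than leaving %ds = __USER_DS on the -EFAULT path; the fixup body is not visible in this chunk, so please double-check it jumps to `2b`. A comment stating the %ss assumption would help anyone porting this.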
5948 diff -urNp linux-2.6.31/arch/x86/include/asm/i387.h linux-2.6.31/arch/x86/include/asm/i387.h
5949 --- linux-2.6.31/arch/x86/include/asm/i387.h 2009-08-27 20:59:04.000000000 -0400
5950 +++ linux-2.6.31/arch/x86/include/asm/i387.h 2009-09-06 15:29:11.178289958 -0400
5951 @@ -194,13 +194,8 @@ static inline int fxrstor_checking(struc
5954 /* We need a safe address that is cheap to find and that is already
5955 - in L1 during context switch. The best choices are unfortunately
5956 - different for UP and SMP */
5958 -#define safe_address (__per_cpu_offset[0])
5960 -#define safe_address (kstat_cpu(0).cpustat.user)
5962 + in L1 during context switch. */
5963 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
5966 * These must be called with preempt disabled
5967 diff -urNp linux-2.6.31/arch/x86/include/asm/io_64.h linux-2.6.31/arch/x86/include/asm/io_64.h
5968 --- linux-2.6.31/arch/x86/include/asm/io_64.h 2009-08-27 20:59:04.000000000 -0400
5969 +++ linux-2.6.31/arch/x86/include/asm/io_64.h 2009-09-06 15:29:11.179213852 -0400
5970 @@ -140,6 +140,17 @@ __OUTS(l)
5972 #include <linux/vmalloc.h>
5974 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
5975 +static inline int valid_phys_addr_range (unsigned long addr, size_t count)
5977 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
5980 +static inline int valid_mmap_phys_addr_range (unsigned long pfn, size_t count)
5982 + return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
5985 #include <asm-generic/iomap.h>
5987 void __memcpy_fromio(void *, unsigned long, unsigned);
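Review bot: `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` in both new helpers is an int shift, so on any CPU reporting 43 or more physical address bits (48-bit AMD parts, for example) the shift count reaches 31 or more and the expression is undefined; on x86 the count is masked to 5 bits, which would shrink the accepted range to a handful of pages and make legitimate /dev/mem accesses fail while an attacker-controlled large range could still pass. The literal needs to be `1UL`. `addr + count + PAGE_SIZE - 1` can also wrap for a large user-supplied count and then satisfy the comparison, and `pfn + (count >> PAGE_SHIFT)` can wrap the same way, so both should be guarded before comparing; the `? 1 : 0` on a relational expression is redundant.
```c
#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
static inline int valid_phys_addr_range(unsigned long addr, size_t count)
{
	/* highest addressable page frame; must be unsigned long, not int */
	unsigned long max_pfn = 1UL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT);

	/* reject ranges whose end computation would wrap around */
	if (count > ULONG_MAX - addr || addr + count > ULONG_MAX - (PAGE_SIZE - 1))
		return 0;
	return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < max_pfn;
}

static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
{
	unsigned long max_pfn = 1UL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT);

	/* check pfn first so the addition below cannot wrap */
	return pfn < max_pfn && (count >> PAGE_SHIFT) < max_pfn - pfn;
}
```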
5988 diff -urNp linux-2.6.31/arch/x86/include/asm/irqflags.h linux-2.6.31/arch/x86/include/asm/irqflags.h
5989 --- linux-2.6.31/arch/x86/include/asm/irqflags.h 2009-08-27 20:59:04.000000000 -0400
5990 +++ linux-2.6.31/arch/x86/include/asm/irqflags.h 2009-09-06 15:29:11.179213852 -0400
5991 @@ -147,6 +147,8 @@ static inline unsigned long __raw_local_
5992 #define INTERRUPT_RETURN iret
5993 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
5994 #define GET_CR0_INTO_EAX movl %cr0, %eax
5995 +#define GET_CR0_INTO_EDX movl %cr0, %edx
5996 +#define SET_CR0_FROM_EDX movl %edx, %cr0
6000 diff -urNp linux-2.6.31/arch/x86/include/asm/kvm_host.h linux-2.6.31/arch/x86/include/asm/kvm_host.h
6001 --- linux-2.6.31/arch/x86/include/asm/kvm_host.h 2009-08-27 20:59:04.000000000 -0400
6002 +++ linux-2.6.31/arch/x86/include/asm/kvm_host.h 2009-09-06 15:29:11.180243443 -0400
6003 @@ -528,7 +528,7 @@ struct kvm_x86_ops {
6004 u64 (*get_mt_mask)(struct kvm_vcpu *vcpu, gfn_t gfn, bool is_mmio);
6007 -extern struct kvm_x86_ops *kvm_x86_ops;
6008 +extern const struct kvm_x86_ops *kvm_x86_ops;
6010 int kvm_mmu_module_init(void);
6011 void kvm_mmu_module_exit(void);
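Review bot: Making the pointee const protects the ops table but not the indirection: `kvm_x86_ops` itself is still an ordinary writable pointer in .data, so a kernel write primitive can redirect it to a crafted table and every `kvm_x86_ops->foo()` call site becomes a control-flow hijack, which is precisely what const-ifying the table is meant to close. If protecting the indirection is the goal, the definition (outside this hunk) also wants the `__read_only` attribute this patch adds in cache.h, assuming that section is write-protected after init and the single assignment in kvm_init() happens under the open/close discipline used for descriptor tables; how .data.read_only is treated for module data is not visible here and needs confirming. A short comment at the declaration saying whether the pointer or only the table is meant to be immutable would make the intent reviewable.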
6012 diff -urNp linux-2.6.31/arch/x86/include/asm/local.h linux-2.6.31/arch/x86/include/asm/local.h
6013 --- linux-2.6.31/arch/x86/include/asm/local.h 2009-08-27 20:59:04.000000000 -0400
6014 +++ linux-2.6.31/arch/x86/include/asm/local.h 2009-09-06 15:29:11.180243443 -0400
6015 @@ -18,26 +18,90 @@ typedef struct {
6017 static inline void local_inc(local_t *l)
6019 - asm volatile(_ASM_INC "%0"
6020 + asm volatile(_ASM_INC "%0\n"
6022 +#ifdef CONFIG_PAX_REFCOUNT
6023 +#ifdef CONFIG_X86_32
6029 + ".pushsection .fixup,\"ax\"\n"
6034 + _ASM_EXTABLE(0b, 1b)
6037 : "+m" (l->a.counter));
6040 static inline void local_dec(local_t *l)
6042 - asm volatile(_ASM_DEC "%0"
6043 + asm volatile(_ASM_DEC "%0\n"
6045 +#ifdef CONFIG_PAX_REFCOUNT
6046 +#ifdef CONFIG_X86_32
6052 + ".pushsection .fixup,\"ax\"\n"
6057 + _ASM_EXTABLE(0b, 1b)
6060 : "+m" (l->a.counter));
6063 static inline void local_add(long i, local_t *l)
6065 - asm volatile(_ASM_ADD "%1,%0"
6066 + asm volatile(_ASM_ADD "%1,%0\n"
6068 +#ifdef CONFIG_PAX_REFCOUNT
6069 +#ifdef CONFIG_X86_32
6075 + ".pushsection .fixup,\"ax\"\n"
6077 + _ASM_SUB "%1,%0\n"
6080 + _ASM_EXTABLE(0b, 1b)
6083 : "+m" (l->a.counter)
6087 static inline void local_sub(long i, local_t *l)
6089 - asm volatile(_ASM_SUB "%1,%0"
6090 + asm volatile(_ASM_SUB "%1,%0\n"
6092 +#ifdef CONFIG_PAX_REFCOUNT
6093 +#ifdef CONFIG_X86_32
6099 + ".pushsection .fixup,\"ax\"\n"
6101 + _ASM_ADD "%1,%0\n"
6104 + _ASM_EXTABLE(0b, 1b)
6107 : "+m" (l->a.counter)
6110 @@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
6114 - asm volatile(_ASM_SUB "%2,%0; sete %1"
6115 + asm volatile(_ASM_SUB "%2,%0\n"
6117 +#ifdef CONFIG_PAX_REFCOUNT
6118 +#ifdef CONFIG_X86_32
6124 + ".pushsection .fixup,\"ax\"\n"
6126 + _ASM_ADD "%2,%0\n"
6129 + _ASM_EXTABLE(0b, 1b)
6133 : "+m" (l->a.counter), "=qm" (c)
6134 : "ir" (i) : "memory");
6136 @@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
6140 - asm volatile(_ASM_DEC "%0; sete %1"
6141 + asm volatile(_ASM_DEC "%0\n"
6143 +#ifdef CONFIG_PAX_REFCOUNT
6144 +#ifdef CONFIG_X86_32
6150 + ".pushsection .fixup,\"ax\"\n"
6155 + _ASM_EXTABLE(0b, 1b)
6159 : "+m" (l->a.counter), "=qm" (c)
6162 @@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
6166 - asm volatile(_ASM_INC "%0; sete %1"
6167 + asm volatile(_ASM_INC "%0\n"
6169 +#ifdef CONFIG_PAX_REFCOUNT
6170 +#ifdef CONFIG_X86_32
6176 + ".pushsection .fixup,\"ax\"\n"
6181 + _ASM_EXTABLE(0b, 1b)
6185 : "+m" (l->a.counter), "=qm" (c)
6188 @@ -110,7 +225,24 @@ static inline int local_add_negative(lon
6192 - asm volatile(_ASM_ADD "%2,%0; sets %1"
6193 + asm volatile(_ASM_ADD "%2,%0\n"
6195 +#ifdef CONFIG_PAX_REFCOUNT
6196 +#ifdef CONFIG_X86_32
6202 + ".pushsection .fixup,\"ax\"\n"
6204 + _ASM_SUB "%2,%0\n"
6207 + _ASM_EXTABLE(0b, 1b)
6211 : "+m" (l->a.counter), "=qm" (c)
6212 : "ir" (i) : "memory");
6214 @@ -133,7 +265,23 @@ static inline long local_add_return(long
6216 /* Modern 486+ processor */
6218 - asm volatile(_ASM_XADD "%0, %1;"
6219 + asm volatile(_ASM_XADD "%0, %1\n"
6221 +#ifdef CONFIG_PAX_REFCOUNT
6222 +#ifdef CONFIG_X86_32
6228 + ".pushsection .fixup,\"ax\"\n"
6230 + _ASM_MOV "%0,%1\n"
6233 + _ASM_EXTABLE(0b, 1b)
6236 : "+r" (i), "+m" (l->a.counter)
6239 diff -urNp linux-2.6.31/arch/x86/include/asm/mman.h linux-2.6.31/arch/x86/include/asm/mman.h
6240 --- linux-2.6.31/arch/x86/include/asm/mman.h 2009-08-27 20:59:04.000000000 -0400
6241 +++ linux-2.6.31/arch/x86/include/asm/mman.h 2009-09-06 15:29:11.181247426 -0400
6243 #define MCL_CURRENT 1 /* lock all current mappings */
6244 #define MCL_FUTURE 2 /* lock all future mappings */
6247 +#ifndef __ASSEMBLY__
6248 +#ifdef CONFIG_X86_32
6249 +#define arch_mmap_check i386_mmap_check
6250 +int i386_mmap_check(unsigned long addr, unsigned long len,
6251 + unsigned long flags);
6256 #endif /* _ASM_X86_MMAN_H */
6257 diff -urNp linux-2.6.31/arch/x86/include/asm/mmu_context.h linux-2.6.31/arch/x86/include/asm/mmu_context.h
6258 --- linux-2.6.31/arch/x86/include/asm/mmu_context.h 2009-08-27 20:59:04.000000000 -0400
6259 +++ linux-2.6.31/arch/x86/include/asm/mmu_context.h 2009-09-06 15:29:11.181247426 -0400
6260 @@ -34,11 +34,17 @@ static inline void switch_mm(struct mm_s
6261 struct task_struct *tsk)
6263 unsigned cpu = smp_processor_id();
6264 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
6265 + int tlbstate = TLBSTATE_OK;
6268 if (likely(prev != next)) {
6269 /* stop flush ipis for the previous mm */
6270 cpu_clear(cpu, prev->cpu_vm_mask);
6272 +#ifdef CONFIG_X86_32
6273 + tlbstate = percpu_read(cpu_tlbstate.state);
6275 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
6276 percpu_write(cpu_tlbstate.active_mm, next);
6278 @@ -52,6 +58,26 @@ static inline void switch_mm(struct mm_s
6280 if (unlikely(prev->context.ldt != next->context.ldt))
6281 load_LDT_nolock(&next->context);
6283 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
6284 + if (!nx_enabled) {
6285 + smp_mb__before_clear_bit();
6286 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
6287 + smp_mb__after_clear_bit();
6288 + cpu_set(cpu, next->context.cpu_user_cs_mask);
6292 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
6293 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
6294 + prev->context.user_cs_limit != next->context.user_cs_limit
6296 + || tlbstate != TLBSTATE_OK
6299 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
6305 @@ -65,6 +91,19 @@ static inline void switch_mm(struct mm_s
6307 load_cr3(next->pgd);
6308 load_LDT_nolock(&next->context);
6310 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
6312 + cpu_set(cpu, next->context.cpu_user_cs_mask);
6315 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
6316 +#ifdef CONFIG_PAX_PAGEEXEC
6317 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
6319 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
6325 diff -urNp linux-2.6.31/arch/x86/include/asm/mmu.h linux-2.6.31/arch/x86/include/asm/mmu.h
6326 --- linux-2.6.31/arch/x86/include/asm/mmu.h 2009-08-27 20:59:04.000000000 -0400
6327 +++ linux-2.6.31/arch/x86/include/asm/mmu.h 2009-09-06 15:29:11.182192844 -0400
6329 * we put the segment information here.
6333 + struct desc_struct *ldt;
6337 + unsigned long vdso;
6339 +#ifdef CONFIG_X86_32
6340 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
6341 + unsigned long user_cs_base;
6342 + unsigned long user_cs_limit;
6344 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
6345 + cpumask_t cpu_user_cs_mask;
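Review bot: The new mm_context_t fields are undocumented, and their meaning is only recoverable from switch_mm in mmu_context.h elsewhere in this patch: `user_cs_base`/`user_cs_limit` appear to be the per-mm bounds programmed into the user code segment by set_user_cs, and `cpu_user_cs_mask` the set of CPUs whose GDT currently carries this mm's segment. One comment per field, e.g. `/* bounds of the executable region, loaded into the user CS descriptor by set_user_cs() */` and `/* CPUs whose GDT holds this mm's user CS; presumably used to target updates */`, would make that explicit; the "target updates" part is my inference from the name and should be confirmed before it goes in.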
6354 diff -urNp linux-2.6.31/arch/x86/include/asm/module.h linux-2.6.31/arch/x86/include/asm/module.h
6355 --- linux-2.6.31/arch/x86/include/asm/module.h 2009-08-27 20:59:04.000000000 -0400
6356 +++ linux-2.6.31/arch/x86/include/asm/module.h 2009-09-06 15:29:11.182192844 -0400
6357 @@ -74,7 +74,12 @@ struct mod_arch_specific {};
6359 # define MODULE_STACKSIZE ""
6361 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
6362 +# ifdef CONFIG_GRKERNSEC
6363 +# define MODULE_GRSEC "GRSECURITY "
6365 +# define MODULE_GRSEC ""
6367 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
6370 #endif /* _ASM_X86_MODULE_H */
6371 diff -urNp linux-2.6.31/arch/x86/include/asm/page_32_types.h linux-2.6.31/arch/x86/include/asm/page_32_types.h
6372 --- linux-2.6.31/arch/x86/include/asm/page_32_types.h 2009-08-27 20:59:04.000000000 -0400
6373 +++ linux-2.6.31/arch/x86/include/asm/page_32_types.h 2009-09-06 15:29:11.182192844 -0400
6376 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
6378 +#ifdef CONFIG_PAX_PAGEEXEC
6379 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
6382 #ifdef CONFIG_4KSTACKS
6383 #define THREAD_ORDER 0
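Review bot: `#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1` places a hand-written symbol in the `CONFIG_` namespace that Kconfig owns, so it is invisible in .config, cannot be queried with the usual Kconfig tooling, and will collide if a Kconfig symbol of that name is ever introduced. Prefer a real Kconfig symbol (`select ARCH_TRACK_EXEC_LIMIT` from the PAX_PAGEEXEC entry) or a non-`CONFIG_` name here, e.g. `#define ARCH_TRACK_EXEC_LIMIT 1`, and adjust the consumers to match.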
6385 diff -urNp linux-2.6.31/arch/x86/include/asm/page_64_types.h linux-2.6.31/arch/x86/include/asm/page_64_types.h
6386 --- linux-2.6.31/arch/x86/include/asm/page_64_types.h 2009-08-27 20:59:04.000000000 -0400
6387 +++ linux-2.6.31/arch/x86/include/asm/page_64_types.h 2009-09-06 15:29:11.183155967 -0400
6389 #define __START_KERNEL (__START_KERNEL_map + __PHYSICAL_START)
6390 #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
6392 +#define ktla_ktva(addr) (addr)
6393 +#define ktva_ktla(addr) (addr)
6395 /* See Documentation/x86/x86_64/mm.txt for a description of the memory map. */
6396 #define __PHYSICAL_MASK_SHIFT 46
6397 #define __VIRTUAL_MASK_SHIFT 47
6398 diff -urNp linux-2.6.31/arch/x86/include/asm/paravirt.h linux-2.6.31/arch/x86/include/asm/paravirt.h
6399 --- linux-2.6.31/arch/x86/include/asm/paravirt.h 2009-08-27 20:59:04.000000000 -0400
6400 +++ linux-2.6.31/arch/x86/include/asm/paravirt.h 2009-09-06 15:29:11.184157210 -0400
6401 @@ -1688,7 +1688,7 @@ static inline unsigned long __raw_local_
6403 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
6404 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
6405 -#define PARA_INDIRECT(addr) *%cs:addr
6406 +#define PARA_INDIRECT(addr) *%ss:addr
6409 #define INTERRUPT_RETURN \
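Review bot: The change of `PARA_INDIRECT(addr)` from `*%cs:addr` to `*%ss:addr` carries no comment, and nothing in the header tells a reader why an indirect paravirt call target is now fetched through the stack segment. Presumably the kernel code segment no longer covers kernel data under KERNEXEC, but that is a guess from the rest of the patch; a one-line comment beside the define stating the actual reason, and the assumption that `%ss` is a flat kernel data segment at every PARA_INDIRECT site, would make the change reviewable.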
6410 diff -urNp linux-2.6.31/arch/x86/include/asm/pgalloc.h linux-2.6.31/arch/x86/include/asm/pgalloc.h
6411 --- linux-2.6.31/arch/x86/include/asm/pgalloc.h 2009-08-27 20:59:04.000000000 -0400
6412 +++ linux-2.6.31/arch/x86/include/asm/pgalloc.h 2009-09-06 15:30:00.013375877 -0400
6413 @@ -58,6 +58,13 @@ static inline void pmd_populate_kernel(s
6414 pmd_t *pmd, pte_t *pte)
6416 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
6417 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
6420 +static inline void pmd_populate_user(struct mm_struct *mm,
6421 + pmd_t *pmd, pte_t *pte)
6423 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
6424 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
6427 diff -urNp linux-2.6.31/arch/x86/include/asm/pgtable-2level.h linux-2.6.31/arch/x86/include/asm/pgtable-2level.h
6428 --- linux-2.6.31/arch/x86/include/asm/pgtable-2level.h 2009-08-27 20:59:04.000000000 -0400
6429 +++ linux-2.6.31/arch/x86/include/asm/pgtable-2level.h 2009-09-06 15:29:11.184157210 -0400
6430 @@ -18,7 +18,19 @@ static inline void native_set_pte(pte_t
6432 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
6435 +#ifdef CONFIG_PAX_KERNEXEC
6436 + unsigned long cr0;
6438 + pax_open_kernel(cr0);
6443 +#ifdef CONFIG_PAX_KERNEXEC
6444 + pax_close_kernel(cr0);
6449 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
6450 diff -urNp linux-2.6.31/arch/x86/include/asm/pgtable_32.h linux-2.6.31/arch/x86/include/asm/pgtable_32.h
6451 --- linux-2.6.31/arch/x86/include/asm/pgtable_32.h 2009-08-27 20:59:04.000000000 -0400
6452 +++ linux-2.6.31/arch/x86/include/asm/pgtable_32.h 2009-09-06 15:30:00.013375877 -0400
6455 struct vm_area_struct;
6457 -extern pgd_t swapper_pg_dir[1024];
6459 static inline void pgtable_cache_init(void) { }
6460 static inline void check_pgt_cache(void) { }
6461 void paging_init(void);
6462 @@ -48,6 +46,11 @@ extern void set_pmd_pfn(unsigned long, u
6463 # include <asm/pgtable-2level.h>
6466 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
6467 +#ifdef CONFIG_X86_PAE
6468 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
6471 #if defined(CONFIG_HIGHPTE)
6473 (in_nmi() ? KM_NMI_PTE : \
6474 @@ -84,6 +87,9 @@ do { \
6476 #endif /* !__ASSEMBLY__ */
6478 +#define HAVE_ARCH_UNMAPPED_AREA
6479 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
6482 * kern_addr_valid() is (1) for FLATMEM and (0) for
6483 * SPARSEMEM and DISCONTIGMEM
6484 diff -urNp linux-2.6.31/arch/x86/include/asm/pgtable_32_types.h linux-2.6.31/arch/x86/include/asm/pgtable_32_types.h
6485 --- linux-2.6.31/arch/x86/include/asm/pgtable_32_types.h 2009-08-27 20:59:04.000000000 -0400
6486 +++ linux-2.6.31/arch/x86/include/asm/pgtable_32_types.h 2009-09-06 15:29:11.185669248 -0400
6489 #ifdef CONFIG_X86_PAE
6490 # include <asm/pgtable-3level_types.h>
6491 -# define PMD_SIZE (1UL << PMD_SHIFT)
6492 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
6493 # define PMD_MASK (~(PMD_SIZE - 1))
6495 # include <asm/pgtable-2level_types.h>
6496 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
6497 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
6500 +#ifdef CONFIG_PAX_KERNEXEC
6501 +#ifndef __ASSEMBLY__
6502 +extern unsigned char MODULES_EXEC_VADDR[];
6503 +extern unsigned char MODULES_EXEC_END[];
6504 +extern unsigned char KERNEL_TEXT_OFFSET[];
6506 +#define ktla_ktva(addr) (addr + (unsigned long)KERNEL_TEXT_OFFSET)
6507 +#define ktva_ktla(addr) (addr - (unsigned long)KERNEL_TEXT_OFFSET)
6509 +#define ktla_ktva(addr) (addr)
6510 +#define ktva_ktla(addr) (addr)
6513 #define MODULES_VADDR VMALLOC_START
6514 #define MODULES_END VMALLOC_END
6515 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
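Review bot: The KERNEXEC definitions `#define ktla_ktva(addr) (addr + (unsigned long)KERNEL_TEXT_OFFSET)` and `#define ktva_ktla(addr) (addr - (unsigned long)KERNEL_TEXT_OFFSET)` leave the macro argument unparenthesized, so a conditional or comma expression passed as `addr` binds incorrectly; write `((addr) + (unsigned long)KERNEL_TEXT_OFFSET)` and `((addr) - (unsigned long)KERNEL_TEXT_OFFSET)`. A short comment that `KERNEL_TEXT_OFFSET`, `MODULES_EXEC_VADDR` and `MODULES_EXEC_END` are presumably linker-provided symbols whose addresses, not contents, carry the value (hence the `unsigned char []` declarations and the casts) would help, since nothing here says where they come from. The identity fallbacks, here and in page_64_types.h, are already `(addr)` and need no change.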
6516 diff -urNp linux-2.6.31/arch/x86/include/asm/pgtable-3level.h linux-2.6.31/arch/x86/include/asm/pgtable-3level.h
6517 --- linux-2.6.31/arch/x86/include/asm/pgtable-3level.h 2009-08-27 20:59:04.000000000 -0400
6518 +++ linux-2.6.31/arch/x86/include/asm/pgtable-3level.h 2009-09-06 15:29:11.186185619 -0400
6519 @@ -38,12 +38,36 @@ static inline void native_set_pte_atomic
6521 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
6524 +#ifdef CONFIG_PAX_KERNEXEC
6525 + unsigned long cr0;
6527 + pax_open_kernel(cr0);
6530 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
6532 +#ifdef CONFIG_PAX_KERNEXEC
6533 + pax_close_kernel(cr0);
6538 static inline void native_set_pud(pud_t *pudp, pud_t pud)
6541 +#ifdef CONFIG_PAX_KERNEXEC
6542 + unsigned long cr0;
6544 + pax_open_kernel(cr0);
6547 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
6549 +#ifdef CONFIG_PAX_KERNEXEC
6550 + pax_close_kernel(cr0);
6556 diff -urNp linux-2.6.31/arch/x86/include/asm/pgtable_64.h linux-2.6.31/arch/x86/include/asm/pgtable_64.h
6557 --- linux-2.6.31/arch/x86/include/asm/pgtable_64.h 2009-08-27 20:59:04.000000000 -0400
6558 +++ linux-2.6.31/arch/x86/include/asm/pgtable_64.h 2009-09-06 15:30:00.013375877 -0400
6561 extern pud_t level3_kernel_pgt[512];
6562 extern pud_t level3_ident_pgt[512];
6563 +extern pud_t level3_vmalloc_pgt[512];
6564 +extern pud_t level3_vmemmap_pgt[512];
6565 extern pmd_t level2_kernel_pgt[512];
6566 extern pmd_t level2_fixmap_pgt[512];
6567 -extern pmd_t level2_ident_pgt[512];
6568 +extern pmd_t level2_ident_pgt[512*4];
6569 extern pgd_t init_level4_pgt[];
6571 #define swapper_pg_dir init_level4_pgt
6572 @@ -74,7 +76,19 @@ static inline pte_t native_ptep_get_and_
6574 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
6577 +#ifdef CONFIG_PAX_KERNEXEC
6578 + unsigned long cr0;
6580 + pax_open_kernel(cr0);
6585 +#ifdef CONFIG_PAX_KERNEXEC
6586 + pax_close_kernel(cr0);
6591 static inline void native_pmd_clear(pmd_t *pmd)
6592 diff -urNp linux-2.6.31/arch/x86/include/asm/pgtable.h linux-2.6.31/arch/x86/include/asm/pgtable.h
6593 --- linux-2.6.31/arch/x86/include/asm/pgtable.h 2009-08-27 20:59:04.000000000 -0400
6594 +++ linux-2.6.31/arch/x86/include/asm/pgtable.h 2009-09-06 15:29:11.186185619 -0400
6595 @@ -90,6 +90,11 @@ static inline void __init paravirt_paget
6596 * The following only work if pte_present() is true.
6597 * Undefined behaviour if not..
6599 +static inline int pte_user(pte_t pte)
6601 + return pte_val(pte) & _PAGE_USER;
6604 static inline int pte_dirty(pte_t pte)
6606 return pte_flags(pte) & _PAGE_DIRTY;
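Review bot: `pte_user()` tests `pte_val(pte) & _PAGE_USER` while `pte_dirty()` two lines below uses `pte_flags(pte)`, and the new `pte_mkread()` in the next hunk builds its result with `__pte(pte_val(pte) | _PAGE_USER)` where its siblings `pte_mkexec()`/`pte_exprotect()` go through `pte_set_flags()`/`pte_clear_flags()`. Using `return pte_flags(pte) & _PAGE_USER;` here and `return pte_set_flags(pte, _PAGE_USER);` in `pte_mkread()` keeps the accessor family uniform and routes every flag manipulation through the same helpers. The comment block that opens with `The following only work if pte_present() is true` continues outside the visible lines.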
6607 @@ -172,9 +177,29 @@ static inline pte_t pte_wrprotect(pte_t
6608 return pte_clear_flags(pte, _PAGE_RW);
6611 +static inline pte_t pte_mkread(pte_t pte)
6613 + return __pte(pte_val(pte) | _PAGE_USER);
6616 static inline pte_t pte_mkexec(pte_t pte)
6618 - return pte_clear_flags(pte, _PAGE_NX);
6619 +#ifdef CONFIG_X86_PAE
6620 + if (__supported_pte_mask & _PAGE_NX)
6621 + return pte_clear_flags(pte, _PAGE_NX);
6624 + return pte_set_flags(pte, _PAGE_USER);
6627 +static inline pte_t pte_exprotect(pte_t pte)
6629 +#ifdef CONFIG_X86_PAE
6630 + if (__supported_pte_mask & _PAGE_NX)
6631 + return pte_set_flags(pte, _PAGE_NX);
6634 + return pte_clear_flags(pte, _PAGE_USER);
6637 static inline pte_t pte_mkdirty(pte_t pte)
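Review bot: `pte_mkexec()` and `pte_exprotect()` reach their `_PAGE_NX` branch only under `#ifdef CONFIG_X86_PAE`, yet pgtable_types.h in this same patch defines `_PAGE_NX` as a hardware bit under `defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`; on x86_64, where CONFIG_X86_PAE is not set, both helpers skip NX entirely and instead set or clear `_PAGE_USER`. If that is intended because these helpers are only reached on 32-bit paths, a comment saying so is needed; otherwise the guard should mirror the `_PAGE_NX` definition, `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`. `pte_mkread()` also lacks a comment; `/* grant user-mode access by setting _PAGE_USER */` states what the code does.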
6638 @@ -482,7 +507,7 @@ static inline pud_t *pud_offset(pgd_t *p
6640 static inline int pgd_bad(pgd_t pgd)
6642 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
6643 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
6646 static inline int pgd_none(pgd_t pgd)
6647 @@ -623,7 +648,19 @@ static inline void ptep_set_wrprotect(st
6649 static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
6651 - memcpy(dst, src, count * sizeof(pgd_t));
6653 +#ifdef CONFIG_PAX_KERNEXEC
6654 + unsigned long cr0;
6656 + pax_open_kernel(cr0);
6659 + memcpy(dst, src, count * sizeof(pgd_t));
6661 +#ifdef CONFIG_PAX_KERNEXEC
6662 + pax_close_kernel(cr0);
6668 diff -urNp linux-2.6.31/arch/x86/include/asm/pgtable_types.h linux-2.6.31/arch/x86/include/asm/pgtable_types.h
6669 --- linux-2.6.31/arch/x86/include/asm/pgtable_types.h 2009-08-27 20:59:04.000000000 -0400
6670 +++ linux-2.6.31/arch/x86/include/asm/pgtable_types.h 2009-09-10 19:30:54.922535723 -0400
6672 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
6673 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
6674 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
6675 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
6676 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
6677 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
6678 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
6679 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
6680 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
6681 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
6682 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
6683 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
6685 /* If _PAGE_BIT_PRESENT is clear, we use these: */
6687 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
6688 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
6689 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
6690 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
6691 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
6692 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
6693 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
6696 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
6697 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
6699 +#elif defined(CONFIG_KMEMCHECK)
6700 #define _PAGE_NX (_AT(pteval_t, 0))
6702 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
6705 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
6707 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
6710 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
6711 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
6713 #define __PAGE_KERNEL_EXEC \
6714 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
6715 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
6717 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
6718 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
6719 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
6720 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
6721 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
6722 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
6723 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
6724 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
6725 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
6726 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
6728 * bits are combined, this will alow user to access the high address mapped
6729 * VDSO in the presence of CONFIG_COMPAT_VDSO
6731 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
6732 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
6733 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
6734 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
6735 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
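Review bot: `__PAGE_KERNEL_VSYSCALL` changes from `__PAGE_KERNEL_RX | _PAGE_USER` to `__PAGE_KERNEL_RO | _PAGE_USER`, and with `__PAGE_KERNEL` defined just above as `__PAGE_KERNEL_EXEC | _PAGE_NX` (assuming `__PAGE_KERNEL_RO` derives from it as in mainline) the vsyscall page becomes non-executable for userspace wherever NX is real; `__PAGE_KERNEL_VSYSCALL_NOCACHE` follows suit. Nothing in this header says how user-space calls into that page are then served, so a comment pointing at the fault handler or emulation that takes over would keep the next reader from treating this as a regression. The companion `PTE_IDENT_ATTR`/`PDE_IDENT_ATTR` change dropping `USER` from the identity mapping is self-explanatory thanks to the updated trailing comments.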
6738 @@ -277,7 +280,11 @@ static inline pteval_t pte_flags(pte_t p
6739 typedef struct page *pgtable_t;
6741 extern pteval_t __supported_pte_mask;
6742 +#ifdef CONFIG_X86_32
6743 extern int nx_enabled;
6745 +#define nx_enabled (1)
6748 #define pgprot_writecombine pgprot_writecombine
6749 extern pgprot_t pgprot_writecombine(pgprot_t prot);
6750 diff -urNp linux-2.6.31/arch/x86/include/asm/processor.h linux-2.6.31/arch/x86/include/asm/processor.h
6751 --- linux-2.6.31/arch/x86/include/asm/processor.h 2009-08-27 20:59:04.000000000 -0400
6752 +++ linux-2.6.31/arch/x86/include/asm/processor.h 2009-09-06 15:29:11.189290559 -0400
6753 @@ -271,7 +271,7 @@ struct tss_struct {
6755 } ____cacheline_aligned;
6757 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
6758 +extern struct tss_struct init_tss[NR_CPUS];
6761 * Save the original ist values for checking stack pointers during debugging
6762 @@ -890,8 +890,17 @@ static inline void spin_lock_prefetch(co
6764 #define TASK_SIZE PAGE_OFFSET
6765 #define TASK_SIZE_MAX TASK_SIZE
6767 +#ifdef CONFIG_PAX_SEGMEXEC
6768 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
6771 +#ifdef CONFIG_PAX_SEGMEXEC
6772 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
6774 #define STACK_TOP TASK_SIZE
6775 -#define STACK_TOP_MAX STACK_TOP
6777 +#define STACK_TOP_MAX TASK_SIZE
6779 #define INIT_THREAD { \
6780 .sp0 = sizeof(init_stack) + (long)&init_stack, \
6781 @@ -908,7 +917,7 @@ static inline void spin_lock_prefetch(co
6783 #define INIT_TSS { \
6785 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
6786 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
6787 .ss0 = __KERNEL_DS, \
6788 .ss1 = __KERNEL_CS, \
6789 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
6790 @@ -919,11 +928,7 @@ static inline void spin_lock_prefetch(co
6791 extern unsigned long thread_saved_pc(struct task_struct *tsk);
6793 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
6794 -#define KSTK_TOP(info) \
6796 - unsigned long *__ptr = (unsigned long *)(info); \
6797 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
6799 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
6802 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
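Review bot: The context comment `The below -8 is to reserve 8 bytes on top of the ring0 stack` now describes a subtraction that no longer exists: the following hunk rewrites `task_pt_regs()` to `(struct pt_regs *)((task)->thread.sp0)` and the `-8` moves into `INIT_TSS` as `.sp0 = sizeof(init_stack) + (long)&init_stack - 8`. Reword it to state the new invariant, e.g. `/* thread.sp0 is kept 8 bytes below the top of the ring0 stack, so it is the pt_regs address directly */`, which also documents why `KSTK_TOP(info)` can simply return `(info)->task.thread.sp0`. Whether every 32-bit path that assigns `thread.sp0` applies the same -8 cannot be verified from this header.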
6803 @@ -938,7 +943,7 @@ extern unsigned long thread_saved_pc(str
6804 #define task_pt_regs(task) \
6806 struct pt_regs *__regs__; \
6807 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
6808 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
6812 @@ -954,7 +959,7 @@ extern unsigned long thread_saved_pc(str
6813 * space during mmap's.
6815 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
6816 - 0xc0000000 : 0xFFFFe000)
6817 + 0xc0000000 : 0xFFFFf000)
6819 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
6820 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
6821 @@ -991,6 +996,10 @@ extern void start_thread(struct pt_regs
6823 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
6825 +#ifdef CONFIG_PAX_SEGMEXEC
6826 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
6829 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
6831 /* Get/set a process' ability to use the timestamp counter instruction */
6832 diff -urNp linux-2.6.31/arch/x86/include/asm/ptrace.h linux-2.6.31/arch/x86/include/asm/ptrace.h
6833 --- linux-2.6.31/arch/x86/include/asm/ptrace.h 2009-08-27 20:59:04.000000000 -0400
6834 +++ linux-2.6.31/arch/x86/include/asm/ptrace.h 2009-09-06 15:29:11.189290559 -0400
6835 @@ -151,28 +151,29 @@ static inline unsigned long regs_return_
6839 - * user_mode_vm(regs) determines whether a register set came from user mode.
6840 + * user_mode(regs) determines whether a register set came from user mode.
6841 * This is true if V8086 mode was enabled OR if the register set was from
6842 * protected mode with RPL-3 CS value. This tricky test checks that with
6843 * one comparison. Many places in the kernel can bypass this full check
6844 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
6845 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
6848 -static inline int user_mode(struct pt_regs *regs)
6849 +static inline int user_mode_novm(struct pt_regs *regs)
6851 #ifdef CONFIG_X86_32
6852 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
6854 - return !!(regs->cs & 3);
6855 + return !!(regs->cs & SEGMENT_RPL_MASK);
6859 -static inline int user_mode_vm(struct pt_regs *regs)
6860 +static inline int user_mode(struct pt_regs *regs)
6862 #ifdef CONFIG_X86_32
6863 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
6866 - return user_mode(regs);
6867 + return user_mode_novm(regs);
6871 diff -urNp linux-2.6.31/arch/x86/include/asm/reboot.h linux-2.6.31/arch/x86/include/asm/reboot.h
6872 --- linux-2.6.31/arch/x86/include/asm/reboot.h 2009-08-27 20:59:04.000000000 -0400
6873 +++ linux-2.6.31/arch/x86/include/asm/reboot.h 2009-09-06 15:29:11.190172705 -0400
6874 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
6876 void native_machine_crash_shutdown(struct pt_regs *regs);
6877 void native_machine_shutdown(void);
6878 -void machine_real_restart(const unsigned char *code, int length);
6879 +void machine_real_restart(const unsigned char *code, unsigned int length);
6881 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
6882 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
6883 diff -urNp linux-2.6.31/arch/x86/include/asm/rwsem.h linux-2.6.31/arch/x86/include/asm/rwsem.h
6884 --- linux-2.6.31/arch/x86/include/asm/rwsem.h 2009-08-27 20:59:04.000000000 -0400
6885 +++ linux-2.6.31/arch/x86/include/asm/rwsem.h 2009-09-06 15:29:11.190172705 -0400
6886 @@ -106,10 +106,26 @@ static inline void __down_read(struct rw
6888 asm volatile("# beginning down_read\n\t"
6889 LOCK_PREFIX " incl (%%eax)\n\t"
6891 +#ifdef CONFIG_PAX_REFCOUNT
6892 +#ifdef CONFIG_X86_32
6898 + ".pushsection .fixup,\"ax\"\n"
6900 + LOCK_PREFIX "decl (%%eax)\n"
6903 + _ASM_EXTABLE(0b, 1b)
6906 /* adds 0x00000001, returns the old value */
6909 " call call_rwsem_down_read_failed\n"
6912 "# ending down_read\n\t"
6915 @@ -124,13 +140,29 @@ static inline int __down_read_trylock(st
6917 asm volatile("# beginning __down_read_trylock\n\t"
6925 +#ifdef CONFIG_PAX_REFCOUNT
6926 +#ifdef CONFIG_X86_32
6932 + ".pushsection .fixup,\"ax\"\n"
6937 + _ASM_EXTABLE(0b, 1b)
6941 LOCK_PREFIX " cmpxchgl %2,%0\n\t"
6946 "# ending __down_read_trylock\n\t"
6947 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
6948 : "i" (RWSEM_ACTIVE_READ_BIAS)
6949 @@ -148,12 +180,28 @@ static inline void __down_write_nested(s
6950 tmp = RWSEM_ACTIVE_WRITE_BIAS;
6951 asm volatile("# beginning down_write\n\t"
6952 LOCK_PREFIX " xadd %%edx,(%%eax)\n\t"
6954 +#ifdef CONFIG_PAX_REFCOUNT
6955 +#ifdef CONFIG_X86_32
6961 + ".pushsection .fixup,\"ax\"\n"
6963 + "movl %%edx,(%%eax)\n"
6966 + _ASM_EXTABLE(0b, 1b)
6969 /* subtract 0x0000ffff, returns the old value */
6970 " testl %%edx,%%edx\n\t"
6971 /* was the count 0 before? */
6974 " call call_rwsem_down_write_failed\n"
6977 "# ending down_write"
6978 : "+m" (sem->count), "=d" (tmp)
6979 : "a" (sem), "1" (tmp)
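Review bot: The fixup for the `xadd` in `__down_write_nested()` restores the count with a plain `movl %%edx,(%%eax)`, writing back the pre-xadd value without LOCK, so any update another CPU applies between the locked `xadd` and that store is lost; `__up_read()` and `__up_write()` in the following hunks use the same `movl` undo, whereas `__down_read()` and `__downgrade_write()` undo with a locked `decl`/`subl`. If the overflow path is considered fatal and the stale store only exists to keep the counter from wrapping, say so in a comment beside the fixup; otherwise undo the known delta atomically with a `LOCK_PREFIX` `subl` of the bias constant, as the non-xadd variants already do. The overflow-detecting instructions themselves are not visible here, so this concerns only the recovery store.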
6980 @@ -186,10 +234,26 @@ static inline void __up_read(struct rw_s
6981 __s32 tmp = -RWSEM_ACTIVE_READ_BIAS;
6982 asm volatile("# beginning __up_read\n\t"
6983 LOCK_PREFIX " xadd %%edx,(%%eax)\n\t"
6985 +#ifdef CONFIG_PAX_REFCOUNT
6986 +#ifdef CONFIG_X86_32
6992 + ".pushsection .fixup,\"ax\"\n"
6994 + "movl %%edx,(%%eax)\n"
6997 + _ASM_EXTABLE(0b, 1b)
7000 /* subtracts 1, returns the old value */
7003 " call call_rwsem_wake\n"
7006 "# ending __up_read\n"
7007 : "+m" (sem->count), "=d" (tmp)
7008 : "a" (sem), "1" (tmp)
7009 @@ -204,11 +268,27 @@ static inline void __up_write(struct rw_
7010 asm volatile("# beginning __up_write\n\t"
7011 " movl %2,%%edx\n\t"
7012 LOCK_PREFIX " xaddl %%edx,(%%eax)\n\t"
7014 +#ifdef CONFIG_PAX_REFCOUNT
7015 +#ifdef CONFIG_X86_32
7021 + ".pushsection .fixup,\"ax\"\n"
7023 + "movl %%edx,(%%eax)\n"
7026 + _ASM_EXTABLE(0b, 1b)
7029 /* tries to transition
7030 0xffff0001 -> 0x00000000 */
7033 " call call_rwsem_wake\n"
7036 "# ending __up_write\n"
7038 : "a" (sem), "i" (-RWSEM_ACTIVE_WRITE_BIAS)
7039 @@ -222,10 +302,26 @@ static inline void __downgrade_write(str
7041 asm volatile("# beginning __downgrade_write\n\t"
7042 LOCK_PREFIX " addl %2,(%%eax)\n\t"
7044 +#ifdef CONFIG_PAX_REFCOUNT
7045 +#ifdef CONFIG_X86_32
7051 + ".pushsection .fixup,\"ax\"\n"
7053 + LOCK_PREFIX "subl %2,(%%eax)\n"
7056 + _ASM_EXTABLE(0b, 1b)
7059 /* transitions 0xZZZZ0001 -> 0xYYYY0001 */
7062 " call call_rwsem_downgrade_wake\n"
7065 "# ending __downgrade_write\n"
7067 : "a" (sem), "i" (-RWSEM_WAITING_BIAS)
7068 @@ -237,7 +333,23 @@ static inline void __downgrade_write(str
7070 static inline void rwsem_atomic_add(int delta, struct rw_semaphore *sem)
7072 - asm volatile(LOCK_PREFIX "addl %1,%0"
7073 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7075 +#ifdef CONFIG_PAX_REFCOUNT
7076 +#ifdef CONFIG_X86_32
7082 + ".pushsection .fixup,\"ax\"\n"
7084 + LOCK_PREFIX "subl %1,%0\n"
7087 + _ASM_EXTABLE(0b, 1b)
7093 @@ -249,7 +361,23 @@ static inline int rwsem_atomic_update(in
7097 - asm volatile(LOCK_PREFIX "xadd %0,%1"
7098 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
7100 +#ifdef CONFIG_PAX_REFCOUNT
7101 +#ifdef CONFIG_X86_32
7107 + ".pushsection .fixup,\"ax\"\n"
7112 + _ASM_EXTABLE(0b, 1b)
7115 : "+r" (tmp), "+m" (sem->count)
7118 diff -urNp linux-2.6.31/arch/x86/include/asm/segment.h linux-2.6.31/arch/x86/include/asm/segment.h
7119 --- linux-2.6.31/arch/x86/include/asm/segment.h 2009-08-27 20:59:04.000000000 -0400
7120 +++ linux-2.6.31/arch/x86/include/asm/segment.h 2009-09-06 15:29:11.190172705 -0400
7122 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
7123 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
7125 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
7126 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
7128 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
7130 @@ -102,6 +102,12 @@
7131 #define __KERNEL_STACK_CANARY 0
7134 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
7135 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
7137 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
7138 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
7140 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
7146 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
7147 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
7148 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
7152 diff -urNp linux-2.6.31/arch/x86/include/asm/spinlock.h linux-2.6.31/arch/x86/include/asm/spinlock.h
7153 --- linux-2.6.31/arch/x86/include/asm/spinlock.h 2009-08-27 20:59:04.000000000 -0400
7154 +++ linux-2.6.31/arch/x86/include/asm/spinlock.h 2009-09-06 15:29:11.191191971 -0400
7155 @@ -249,18 +249,50 @@ static inline int __raw_write_can_lock(r
7156 static inline void __raw_read_lock(raw_rwlock_t *rw)
7158 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
7160 - "call __read_lock_failed\n\t"
7162 +#ifdef CONFIG_PAX_REFCOUNT
7163 +#ifdef CONFIG_X86_32
7169 + ".pushsection .fixup,\"ax\"\n"
7171 + LOCK_PREFIX " addl $1,(%0)\n"
7174 + _ASM_EXTABLE(0b, 1b)
7178 + "call __read_lock_failed\n\t"
7180 ::LOCK_PTR_REG (rw) : "memory");
7183 static inline void __raw_write_lock(raw_rwlock_t *rw)
7185 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
7187 - "call __write_lock_failed\n\t"
7189 +#ifdef CONFIG_PAX_REFCOUNT
7190 +#ifdef CONFIG_X86_32
7196 + ".pushsection .fixup,\"ax\"\n"
7198 + LOCK_PREFIX " addl %1,(%0)\n"
7201 + _ASM_EXTABLE(0b, 1b)
7205 + "call __write_lock_failed\n\t"
7207 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
7210 @@ -286,12 +318,45 @@ static inline int __raw_write_trylock(ra
7212 static inline void __raw_read_unlock(raw_rwlock_t *rw)
7214 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
7215 + asm volatile(LOCK_PREFIX "incl %0\n"
7217 +#ifdef CONFIG_PAX_REFCOUNT
7218 +#ifdef CONFIG_X86_32
7224 + ".pushsection .fixup,\"ax\"\n"
7226 + LOCK_PREFIX "decl %0\n"
7229 + _ASM_EXTABLE(0b, 1b)
7232 + :"+m" (rw->lock) : : "memory");
7235 static inline void __raw_write_unlock(raw_rwlock_t *rw)
7237 - asm volatile(LOCK_PREFIX "addl %1, %0"
7238 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
7240 +#ifdef CONFIG_PAX_REFCOUNT
7241 +#ifdef CONFIG_X86_32
7247 + ".pushsection .fixup,\"ax\"\n"
7249 + LOCK_PREFIX "subl %1,%0\n"
7252 + _ASM_EXTABLE(0b, 1b)
7255 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
7258 diff -urNp linux-2.6.31/arch/x86/include/asm/system.h linux-2.6.31/arch/x86/include/asm/system.h
7259 --- linux-2.6.31/arch/x86/include/asm/system.h 2009-08-27 20:59:04.000000000 -0400
7260 +++ linux-2.6.31/arch/x86/include/asm/system.h 2009-09-06 15:29:11.191191971 -0400
7261 @@ -227,7 +227,7 @@ static inline unsigned long get_limit(un
7263 unsigned long __limit;
7264 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
7265 - return __limit + 1;
7269 static inline void native_clts(void)
7270 @@ -353,6 +353,23 @@ static inline void native_wbinvd(void)
7272 #define stts() write_cr0(read_cr0() | X86_CR0_TS)
7274 +#define pax_open_kernel(cr0) \
7276 + typecheck(unsigned long, cr0); \
7277 + preempt_disable(); \
7279 + cr0 = read_cr0(); \
7280 + write_cr0(cr0 & ~X86_CR0_WP); \
7283 +#define pax_close_kernel(cr0) \
7285 + typecheck(unsigned long, cr0); \
7288 + preempt_enable_no_resched(); \
7291 #endif /* __KERNEL__ */
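Review bot: `pax_open_kernel()` clears CR0.WP after only `preempt_disable()`, so an interrupt or NMI taken on this CPU between `write_cr0(cr0 & ~X86_CR0_WP)` and the matching `pax_close_kernel()` runs with kernel write protection off unless the interrupt entry path re-asserts WP itself; that dependency is neither enforced nor documented in the macro. Add a comment naming where WP is restored on entry (or why the window is acceptable), and consider `BUG_ON(!(cr0 & X86_CR0_WP));` right after `cr0 = read_cr0();` so a nested or unbalanced open is caught instead of silently tolerated. `pax_close_kernel()` ends with `preempt_enable_no_resched()`, which skips the reschedule check; a word on why callers must not reschedule there would help too.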
7293 static inline void clflush(volatile void *__p)
7294 @@ -367,7 +384,7 @@ void enable_hlt(void);
7296 void cpu_idle_wait(void);
7298 -extern unsigned long arch_align_stack(unsigned long sp);
7299 +#define arch_align_stack(x) ((x) & ~0xfUL)
7300 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
7302 void default_idle(void);
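Review bot: `#define arch_align_stack(x) ((x) & ~0xfUL)` replaces the `extern unsigned long arch_align_stack(unsigned long sp);` prototype with a pure 16-byte mask, so whatever the out-of-line implementation did beyond alignment (in particular any per-exec stack offset randomization) is no longer performed through this entry point. If that work is now done by the patch's own userland randomization code, a comment here saying so would stop a reader from concluding it was silently dropped; if not, this changes exec-time stack placement. The macro itself is well formed and parenthesizes its argument.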
7303 diff -urNp linux-2.6.31/arch/x86/include/asm/uaccess_32.h linux-2.6.31/arch/x86/include/asm/uaccess_32.h
7304 --- linux-2.6.31/arch/x86/include/asm/uaccess_32.h 2009-08-27 20:59:04.000000000 -0400
7305 +++ linux-2.6.31/arch/x86/include/asm/uaccess_32.h 2009-09-06 15:29:11.192462655 -0400
7306 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
7307 static __always_inline unsigned long __must_check
7308 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
7313 if (__builtin_constant_p(n)) {
7316 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
7320 + if (!__builtin_constant_p(n))
7321 + check_object_size(from, n, true);
7322 return __copy_to_user_ll(to, from, n);
7325 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
7326 static __always_inline unsigned long
7327 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
7332 /* Avoid zeroing the tail if the copy fails..
7333 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
7334 * but as the zeroing behaviour is only significant when n is not
7335 @@ -138,6 +146,10 @@ static __always_inline unsigned long
7336 __copy_from_user(void *to, const void __user *from, unsigned long n)
7343 if (__builtin_constant_p(n)) {
7346 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
7350 + if (!__builtin_constant_p(n))
7351 + check_object_size(to, n, false);
7352 return __copy_from_user_ll(to, from, n);
7355 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
7356 const void __user *from, unsigned long n)
7363 if (__builtin_constant_p(n)) {
7366 @@ -182,14 +200,62 @@ static __always_inline unsigned long
7367 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
7370 - return __copy_from_user_ll_nocache_nozero(to, from, n);
7374 + return __copy_from_user_ll_nocache_nozero(to, from, n);
7378 + * copy_to_user: - Copy a block of data into user space.
7379 + * @to: Destination address, in user space.
7380 + * @from: Source address, in kernel space.
7381 + * @n: Number of bytes to copy.
7383 + * Context: User context only. This function may sleep.
7385 + * Copy data from kernel space to user space.
7387 + * Returns number of bytes that could not be copied.
7388 + * On success, this will be zero.
7390 +static __always_inline unsigned long __must_check
7391 +copy_to_user(void __user *to, const void *from, unsigned long n)
7393 + if (access_ok(VERIFY_WRITE, to, n))
7394 + n = __copy_to_user(to, from, n);
7399 + * copy_from_user: - Copy a block of data from user space.
7400 + * @to: Destination address, in kernel space.
7401 + * @from: Source address, in user space.
7402 + * @n: Number of bytes to copy.
7404 + * Context: User context only. This function may sleep.
7406 + * Copy data from user space to kernel space.
7408 + * Returns number of bytes that could not be copied.
7409 + * On success, this will be zero.
7411 + * If some data could not be copied, this function will pad the copied
7412 + * data to the requested size using zero bytes.
7414 +static __always_inline unsigned long __must_check
7415 +copy_from_user(void *to, const void __user *from, unsigned long n)
7417 + if (access_ok(VERIFY_READ, from, n))
7418 + n = __copy_from_user(to, from, n);
7419 + else if ((long)n > 0) {
7420 + if (!__builtin_constant_p(n))
7421 + check_object_size(to, n, false);
7427 -unsigned long __must_check copy_to_user(void __user *to,
7428 - const void *from, unsigned long n);
7429 -unsigned long __must_check copy_from_user(void *to,
7430 - const void __user *from,
7432 long __must_check strncpy_from_user(char *dst, const char __user *src,
7434 long __must_check __strncpy_from_user(char *dst,
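Review bot: The new inline `copy_from_user()` zero-fills the destination on a failed `access_ok()` only when `(long)n > 0`, so a size that is negative as a `long` is neither copied nor zeroed and is simply returned as the uncopied count, yet its kernel-doc still promises unconditional padding (`this function will pad the copied data to the requested size using zero bytes`). Extend that paragraph with a sentence such as `Sizes that are negative when viewed as a long are rejected without copying or zeroing; the full size is returned.`, and mirror it for the 64-bit copy in uaccess_64.h, which applies the same rule with `(int)len > 0`. Calling `check_object_size(to, n, false)` before the `memset()` in that branch is a sound addition, since the memset writes exactly the bytes the copy would have.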
7435 diff -urNp linux-2.6.31/arch/x86/include/asm/uaccess_64.h linux-2.6.31/arch/x86/include/asm/uaccess_64.h
7436 --- linux-2.6.31/arch/x86/include/asm/uaccess_64.h 2009-08-27 20:59:04.000000000 -0400
7437 +++ linux-2.6.31/arch/x86/include/asm/uaccess_64.h 2009-09-06 15:29:11.192462655 -0400
7439 #include <linux/lockdep.h>
7440 #include <asm/page.h>
7442 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
7445 * Copy To/From Userspace
7447 @@ -19,20 +21,22 @@ __must_check unsigned long
7448 copy_user_generic(void *to, const void *from, unsigned len);
7450 __must_check unsigned long
7451 -copy_to_user(void __user *to, const void *from, unsigned len);
7452 -__must_check unsigned long
7453 -copy_from_user(void *to, const void __user *from, unsigned len);
7454 -__must_check unsigned long
7455 copy_in_user(void __user *to, const void __user *from, unsigned len);
7457 static __always_inline __must_check
7458 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
7459 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
7465 - if (!__builtin_constant_p(size))
7467 + if ((int)size < 0)
7470 + if (!__builtin_constant_p(size)) {
7471 + check_object_size(dst, size, false);
7472 return copy_user_generic(dst, (__force void *)src, size);
7475 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
7476 ret, "b", "b", "=q", 1);
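Review bot: The `if ((int)size < 0)` guard that __copy_from_user gains at L4122 has no comment, and the same unexplained guard recurs in __copy_to_user (L4133), __copy_in_user (L4155) and the three inatomic/nocache helpers (L4164, L4171, L4175); the line right after each guard, which decides what is returned when it fires, is not part of this excerpt. A reader should not have to guess that a 32-bit `unsigned size` with its top bit set is being treated as a negative length leaked through an unsigned parameter rather than a genuine 2 GiB request, so I'd put `/* sign bit set: a negative length smuggled through unsigned — refuse rather than copy */` above the first one. check_object_size() is only reached inside the `!__builtin_constant_p(size)` branch (L4123-L4124, L4134-L4135), so constant-size copies are never bounds-checked against the destination object; if that is deliberate because constant sizes are verified elsewhere, say so in the same comment. The return type change from `int` to `unsigned long` (L4120, L4131) alters what a `< 0` comparison on the result means, so callers outside this hunk that tested for a negative value are worth a grep.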
7477 @@ -70,13 +74,19 @@ int __copy_from_user(void *dst, const vo
7480 static __always_inline __must_check
7481 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
7482 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
7488 - if (!__builtin_constant_p(size))
7490 + if ((int)size < 0)
7493 + if (!__builtin_constant_p(size)) {
7494 + check_object_size(src, size, true);
7495 return copy_user_generic((__force void *)dst, src, size);
7498 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
7499 ret, "b", "b", "iq", 1);
7500 @@ -114,11 +124,39 @@ int __copy_to_user(void __user *dst, con
7503 static __always_inline __must_check
7504 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
7505 +unsigned long copy_to_user(void __user *to, const void *from, unsigned len)
7508 + if (access_ok(VERIFY_WRITE, to, len))
7509 + len = __copy_to_user(to, from, len);
7513 +static __always_inline __must_check
7514 +unsigned long copy_from_user(void *to, const void __user *from, unsigned len)
7519 + if (access_ok(VERIFY_READ, from, len))
7520 + len = __copy_from_user(to, from, len);
7521 + else if ((int)len > 0) {
7522 + if (!__builtin_constant_p(len))
7523 + check_object_size(to, len, false);
7524 + memset(to, 0, len);
7529 +static __always_inline __must_check
7530 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
7536 + if ((int)size < 0)
7539 if (!__builtin_constant_p(size))
7540 return copy_user_generic((__force void *)dst,
7541 (__force void *)src, size);
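Review bot: The `memset(to, 0, len)` on the access_ok() failure path of copy_from_user (L4152) carries no comment although it is what keeps a caller that ignores the return value from reading stale kernel memory out of its buffer; I'd add `/* range rejected: clear the destination so a caller that ignores the return value never sees stale kernel data */`. The `else if ((int)len > 0)` condition on L4149 skips that zeroing whenever the sign bit is set, presumably to mirror the `(int)size < 0` rejection inside __copy_from_user, and that link deserves a word too, since the 32-bit variant in uaccess_32.h expresses the same idea as `(long)n > 0` (L4094). Several body lines of all three functions in this hunk are missing from the excerpt, so what is returned on the rejection paths cannot be confirmed here.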
7542 @@ -179,30 +217,38 @@ __must_check unsigned long __clear_user(
7543 __must_check long __copy_from_user_inatomic(void *dst, const void __user *src,
7546 -static __must_check __always_inline int
7547 +static __must_check __always_inline unsigned long
7548 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
7550 + if ((int)size < 0)
7553 return copy_user_generic((__force void *)dst, src, size);
7556 -extern long __copy_user_nocache(void *dst, const void __user *src,
7557 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
7558 unsigned size, int zerorest);
7561 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
7562 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
7566 + if ((int)size < 0)
7569 return __copy_user_nocache(dst, src, size, 1);
7573 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
7574 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
7577 + if ((int)size < 0)
7580 return __copy_user_nocache(dst, src, size, 0);
7584 +extern unsigned long
7585 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
7587 #endif /* _ASM_X86_UACCESS_64_H */
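Review bot: `__copy_from_user_inatomic` keeps its `long` return type on the unchanged context line L4160 while every sibling in this hunk switches to `unsigned long` (L4162, L4167, L4170, L4174, L4177); the declaration should follow, `__must_check unsigned long __copy_from_user_inatomic(void *dst, const void __user *src,`, together with its out-of-line definition, which is not in this diff. Mixing signed and unsigned return types across the copy helpers invites exactly the negative-length confusion the rest of the hunk is guarding against. The `(int)size < 0` checks added at L4164, L4171 and L4175 carry no comment either, and the line following each one is not in the excerpt.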
7588 diff -urNp linux-2.6.31/arch/x86/include/asm/uaccess.h linux-2.6.31/arch/x86/include/asm/uaccess.h
7589 --- linux-2.6.31/arch/x86/include/asm/uaccess.h 2009-08-27 20:59:04.000000000 -0400
7590 +++ linux-2.6.31/arch/x86/include/asm/uaccess.h 2009-09-06 16:57:53.423160624 -0400
7592 #include <linux/thread_info.h>
7593 #include <linux/prefetch.h>
7594 #include <linux/string.h>
7595 +#include <linux/sched.h>
7596 +#include <linux/slab.h>
7597 #include <asm/asm.h>
7598 #include <asm/page.h>
7599 +#include <asm/segment.h>
7601 #define VERIFY_READ 0
7602 #define VERIFY_WRITE 1
7605 #define get_ds() (KERNEL_DS)
7606 #define get_fs() (current_thread_info()->addr_limit)
7607 +#ifdef CONFIG_X86_32
7608 +void __set_fs(mm_segment_t x, int cpu);
7609 +void set_fs(mm_segment_t x);
7611 #define set_fs(x) (current_thread_info()->addr_limit = (x))
7614 #define segment_eq(a, b) ((a).seg == (b).seg)
7617 * checks that the pointer is in the user space range - after calling
7618 * this function, memory access functions may still return -EFAULT.
7620 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
7621 +#define access_ok(type, addr, size) \
7623 + bool __ret_ao = __range_not_ok(addr, size) == 0; \
7624 + unsigned long __addr_ao = (unsigned long)addr & PAGE_MASK; \
7625 + unsigned long __end_ao = (unsigned long)addr + size - 1; \
7626 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
7627 + for (; __addr_ao <= __end_ao; __addr_ao += PAGE_SIZE) { \
7629 + if (size > PAGE_SIZE) \
7631 + if (__get_user(__c_ao, (char __user *)__addr_ao))\
7633 + if (type != VERIFY_WRITE) \
7635 + if (__put_user(__c_ao, (char __user *)__addr_ao))\
7643 * The exception table consists of pairs of addresses: the first is the
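Review bot: The rewritten access_ok() macro evaluates its `addr` and `size` arguments several times and without parentheses (`__range_not_ok(addr, size)` at L4204, `(unsigned long)addr & PAGE_MASK` at L4205, `(unsigned long)addr + size - 1` at L4206, `size > PAGE_SIZE` at L4209), so an argument with side effects runs repeatedly and a conditional expression is mis-grouped; bind them once at the top of the statement expression, `const void __user *__p_ao = (addr); unsigned long __size_ao = (size);`, and use only those names below. The VERIFY_WRITE probe reads a byte with __get_user (L4210) and writes the same value back with __put_user (L4212), a non-atomic read-modify-write on user memory: a store by another thread of the same process that lands between the two is silently lost. The macro also turns access_ok() from a pure range check into something that touches every page of the range and can therefore fault or sleep, which matters for callers that run with page faults disabled or in atomic context; that new contract belongs in the comment above the macro (L4200-L4201). The `@@` header and several body lines of this hunk, including the declaration of `__c_ao`, are not in the excerpt, so the value returned on the fault paths cannot be checked here.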
7644 @@ -183,13 +210,21 @@ extern int __get_user_bad(void);
7645 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
7646 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
7649 +#ifdef CONFIG_X86_32
7650 +#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
7651 +#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
7653 +#define _ASM_LOAD_USER_DS(ds)
7654 +#define _ASM_LOAD_KERNEL_DS
7657 #ifdef CONFIG_X86_32
7658 #define __put_user_asm_u64(x, addr, err, errret) \
7659 - asm volatile("1: movl %%eax,0(%2)\n" \
7660 - "2: movl %%edx,4(%2)\n" \
7661 + asm volatile(_ASM_LOAD_USER_DS(5) \
7662 + "1: movl %%eax,%%ds:0(%2)\n" \
7663 + "2: movl %%edx,%%ds:4(%2)\n" \
7665 + _ASM_LOAD_KERNEL_DS \
7666 ".section .fixup,\"ax\"\n" \
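Review bot: The correctness of the `_ASM_LOAD_USER_DS`/`_ASM_LOAD_KERNEL_DS` pairing in __put_user_asm_u64 (L4226-L4229) hinges on the fault path re-entering at a label that sits before `_ASM_LOAD_KERNEL_DS`, so that %ds is restored even when the access at 1: or 2: traps; the label the fixup jumps back to is on a line missing from this excerpt, so I could not confirm that, and the same question applies to __put_user_asm_ex_u64 (L4239-L4242), __get_user_asm (L4252-L4254), __get_user_asm_ex (L4266-L4268), __put_user_asm (L4276-L4278) and __put_user_asm_ex (L4285-L4287). If a fixup resumes after the reload, kernel code continues with %ds = __USER_DS, which is exactly the state this change is trying to confine to the user access itself. The macros are undocumented; above L4218 I'd add `/* user accesses go through %ds loaded with __USER_DS; the kernel %ss selector is copied back afterwards (presumably the UDEREF scheme — confirm) */`. The `pushl %%ss; popl %%ds` idiom on L4219 relies on %ss holding the kernel data selector at that point, which is worth stating in the same comment.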
7669 @@ -197,15 +232,18 @@ extern int __get_user_bad(void);
7670 _ASM_EXTABLE(1b, 4b) \
7671 _ASM_EXTABLE(2b, 4b) \
7673 - : "A" (x), "r" (addr), "i" (errret), "0" (err))
7674 + : "A" (x), "r" (addr), "i" (errret), "0" (err), \
7677 #define __put_user_asm_ex_u64(x, addr) \
7678 - asm volatile("1: movl %%eax,0(%1)\n" \
7679 - "2: movl %%edx,4(%1)\n" \
7680 + asm volatile(_ASM_LOAD_USER_DS(2) \
7681 + "1: movl %%eax,%%ds:0(%1)\n" \
7682 + "2: movl %%edx,%%ds:4(%1)\n" \
7684 + _ASM_LOAD_KERNEL_DS \
7685 _ASM_EXTABLE(1b, 2b - 1b) \
7686 _ASM_EXTABLE(2b, 3b - 2b) \
7687 - : : "A" (x), "r" (addr))
7688 + : : "A" (x), "r" (addr), "r"(__USER_DS))
7690 #define __put_user_x8(x, ptr, __ret_pu) \
7691 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
7692 @@ -374,16 +412,18 @@ do { \
7695 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
7696 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
7697 + asm volatile(_ASM_LOAD_USER_DS(5) \
7698 + "1: mov"itype" %%ds:%2,%"rtype"1\n" \
7700 + _ASM_LOAD_KERNEL_DS \
7701 ".section .fixup,\"ax\"\n" \
7703 " xor"itype" %"rtype"1,%"rtype"1\n" \
7706 _ASM_EXTABLE(1b, 3b) \
7707 - : "=r" (err), ltype(x) \
7708 - : "m" (__m(addr)), "i" (errret), "0" (err))
7709 + : "=r" (err), ltype (x) \
7710 + : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
7712 #define __get_user_size_ex(x, ptr, size) \
7714 @@ -407,10 +447,12 @@ do { \
7717 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
7718 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
7719 + asm volatile(_ASM_LOAD_USER_DS(2) \
7720 + "1: mov"itype" %%ds:%1,%"rtype"0\n" \
7722 + _ASM_LOAD_KERNEL_DS \
7723 _ASM_EXTABLE(1b, 2b - 1b) \
7724 - : ltype(x) : "m" (__m(addr)))
7725 + : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
7727 #define __put_user_nocheck(x, ptr, size) \
7729 @@ -438,21 +480,26 @@ struct __large_struct { unsigned long bu
7732 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
7733 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
7734 + asm volatile(_ASM_LOAD_USER_DS(5) \
7735 + "1: mov"itype" %"rtype"1,%%ds:%2\n" \
7737 + _ASM_LOAD_KERNEL_DS \
7738 ".section .fixup,\"ax\"\n" \
7742 _ASM_EXTABLE(1b, 3b) \
7744 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
7745 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
7748 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
7749 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
7750 + asm volatile(_ASM_LOAD_USER_DS(2) \
7751 + "1: mov"itype" %"rtype"0,%%ds:%1\n" \
7753 + _ASM_LOAD_KERNEL_DS \
7754 _ASM_EXTABLE(1b, 2b - 1b) \
7755 - : : ltype(x), "m" (__m(addr)))
7756 + : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
7759 * uaccess_try and catch
7760 @@ -567,6 +614,7 @@ extern struct movsl_mask {
7762 #define ARCH_HAS_NOCACHE_UACCESS 1
7764 +#define ARCH_HAS_SORT_EXTABLE
7765 #ifdef CONFIG_X86_32
7766 # include "uaccess_32.h"
7768 diff -urNp linux-2.6.31/arch/x86/include/asm/vgtod.h linux-2.6.31/arch/x86/include/asm/vgtod.h
7769 --- linux-2.6.31/arch/x86/include/asm/vgtod.h 2009-08-27 20:59:04.000000000 -0400
7770 +++ linux-2.6.31/arch/x86/include/asm/vgtod.h 2009-09-06 15:29:11.193422909 -0400
7771 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
7773 struct timezone sys_tz;
7774 struct { /* extract of a clocksource struct */
7776 cycle_t (*vread)(void);
7779 diff -urNp linux-2.6.31/arch/x86/include/asm/vsyscall.h linux-2.6.31/arch/x86/include/asm/vsyscall.h
7780 --- linux-2.6.31/arch/x86/include/asm/vsyscall.h 2009-08-27 20:59:04.000000000 -0400
7781 +++ linux-2.6.31/arch/x86/include/asm/vsyscall.h 2009-09-06 15:29:11.194260512 -0400
7782 @@ -15,9 +15,10 @@ enum vsyscall_num {
7785 #include <linux/seqlock.h>
7786 +#include <linux/getcpu.h>
7787 +#include <linux/time.h>
7789 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
7790 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
7792 /* Definitions for CONFIG_GENERIC_TIME definitions */
7793 #define __section_vsyscall_gtod_data __attribute__ \
7794 @@ -31,7 +32,6 @@ enum vsyscall_num {
7795 #define VGETCPU_LSL 2
7797 extern int __vgetcpu_mode;
7798 -extern volatile unsigned long __jiffies;
7800 /* kernel space (writeable) */
7801 extern int vgetcpu_mode;
7802 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
7804 extern void map_vsyscall(void);
7806 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
7807 +extern time_t vtime(time_t *t);
7808 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
7809 #endif /* __KERNEL__ */
7811 #endif /* _ASM_X86_VSYSCALL_H */
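Review bot: The prototypes added at L4323-L4324 separate the pointer star from the name (`struct timeval * tv`, `struct timezone * tz`, `time_t *t` aside), which the third new line (`unsigned *cpu, unsigned *node`, L4325) and kernel style do not; `extern int vgettimeofday(struct timeval *tv, struct timezone *tz);` keeps the block uniform. None of the three declarations says what distinguishes these from ordinary kernel functions (presumably they are the vsyscall-page entry points, given the header), so a one-line comment above them would help readers of the `#ifdef __KERNEL__` section.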
7812 diff -urNp linux-2.6.31/arch/x86/Kconfig linux-2.6.31/arch/x86/Kconfig
7813 --- linux-2.6.31/arch/x86/Kconfig 2009-08-27 20:59:04.000000000 -0400
7814 +++ linux-2.6.31/arch/x86/Kconfig 2009-09-06 15:29:11.194260512 -0400
7815 @@ -348,6 +348,7 @@ config X86_VSMP
7817 depends on X86_64 && PCI
7818 depends on X86_EXTENDED_PLATFORM
7819 + depends on !PAX_KERNEXEC
7821 Support for ScaleMP vSMP systems. Say 'Y' here if this kernel is
7822 supposed to run on these EM64T-based machines. Only choose this option
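Review bot: The `depends on !PAX_KERNEXEC` added to X86_VSMP (L4334) gives the user no hint why the option disappears, and the same bare dependency is added to VMI (L4339), KVM_CLOCK (L4345), KVM_GUEST (L4350), PARAVIRT (L4354) and EFI (L4365), with a similarly unexplained `depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF` on COMPAT_VDSO (L4372). The PARAVIRT help text already states that the option lets the kernel "modify itself" at run time (L4355), which is presumably what cannot coexist with a read-only kernel text under KERNEXEC; I'd record that once in the PARAVIRT help, e.g. `Not available with PAX_KERNEXEC, which keeps kernel text read-only and so cannot tolerate run-time paravirt patching.`, and have the other entries refer to it. For EFI and X86_VSMP the conflict is not obvious from their own help texts, so each of those would benefit from its own sentence.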
7823 @@ -467,6 +468,7 @@ config VMI
7824 bool "VMI Guest support"
7827 + depends on !PAX_KERNEXEC
7829 VMI provides a paravirtualized interface to the VMware ESX server
7830 (it could be used by other hypervisors in theory too, but is not
7831 @@ -477,6 +479,7 @@ config KVM_CLOCK
7832 bool "KVM paravirtualized clock"
7834 select PARAVIRT_CLOCK
7835 + depends on !PAX_KERNEXEC
7837 Turning on this option will allow you to run a paravirtualized clock
7838 when running over the KVM hypervisor. Instead of relying on a PIT
7839 @@ -487,6 +490,7 @@ config KVM_CLOCK
7841 bool "KVM Guest support"
7843 + depends on !PAX_KERNEXEC
7845 This option enables various optimizations for running under the KVM
7847 @@ -495,6 +499,7 @@ source "arch/x86/lguest/Kconfig"
7850 bool "Enable paravirtualization code"
7851 + depends on !PAX_KERNEXEC
7853 This changes the kernel so it can modify itself when it is run
7854 under a hypervisor, potentially improving performance significantly
7855 @@ -1098,7 +1103,7 @@ config PAGE_OFFSET
7857 default 0xB0000000 if VMSPLIT_3G_OPT
7858 default 0x80000000 if VMSPLIT_2G
7859 - default 0x78000000 if VMSPLIT_2G_OPT
7860 + default 0x70000000 if VMSPLIT_2G_OPT
7861 default 0x40000000 if VMSPLIT_1G
7864 @@ -1416,7 +1421,7 @@ config X86_PAT
7867 bool "EFI runtime service support"
7869 + depends on ACPI && !PAX_KERNEXEC
7871 This enables the kernel to use EFI runtime services that are
7872 available (such as the EFI variable services).
7873 @@ -1602,9 +1607,10 @@ config HOTPLUG_CPU
7874 Say N if you want to disable CPU hotplug.
7879 prompt "Compat VDSO support"
7880 depends on X86_32 || IA32_EMULATION
7881 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
7883 Map the 32-bit VDSO to the predictable old-style address too.
7885 diff -urNp linux-2.6.31/arch/x86/Kconfig.cpu linux-2.6.31/arch/x86/Kconfig.cpu
7886 --- linux-2.6.31/arch/x86/Kconfig.cpu 2009-08-27 20:59:04.000000000 -0400
7887 +++ linux-2.6.31/arch/x86/Kconfig.cpu 2009-09-06 15:29:11.195174311 -0400
7888 @@ -331,7 +331,7 @@ config X86_PPRO_FENCE
7892 - depends on M586MMX || M586TSC || M586 || M486 || M386
7893 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
7895 config X86_WP_WORKS_OK
7897 @@ -351,7 +351,7 @@ config X86_POPAD_OK
7899 config X86_ALIGNMENT_16
7901 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
7902 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
7904 config X86_INTEL_USERCOPY
7906 @@ -397,7 +397,7 @@ config X86_CMPXCHG64
7910 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64)
7911 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64)
7913 config X86_MINIMUM_CPU_FAMILY
7915 diff -urNp linux-2.6.31/arch/x86/Kconfig.debug linux-2.6.31/arch/x86/Kconfig.debug
7916 --- linux-2.6.31/arch/x86/Kconfig.debug 2009-08-27 20:59:04.000000000 -0400
7917 +++ linux-2.6.31/arch/x86/Kconfig.debug 2009-09-06 15:29:11.195174311 -0400
7918 @@ -99,7 +99,7 @@ config X86_PTDUMP
7920 bool "Write protect kernel read-only data structures"
7922 - depends on DEBUG_KERNEL
7923 + depends on DEBUG_KERNEL && BROKEN
7925 Mark the kernel read-only data as write-protected in the pagetables,
7926 in order to catch accidental (and incorrect) writes to such const
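Review bot: Making DEBUG_RODATA `depends on DEBUG_KERNEL && BROKEN` (L4396) removes the upstream read-only-data protection from every configuration, including ones that do not enable PAX_KERNEXEC, while the help text below (L4397-L4398) still advertises the feature as working. If the option only conflicts with KERNEXEC's own page-protection scheme, `depends on DEBUG_KERNEL && !PAX_KERNEXEC` would keep it available elsewhere; if it is genuinely broken by this patch, the help text should say so, since `BROKEN` hides the prompt without explaining. Either way the reason is not recorded anywhere in this hunk.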
7927 diff -urNp linux-2.6.31/arch/x86/kernel/acpi/boot.c linux-2.6.31/arch/x86/kernel/acpi/boot.c
7928 --- linux-2.6.31/arch/x86/kernel/acpi/boot.c 2009-08-27 20:59:04.000000000 -0400
7929 +++ linux-2.6.31/arch/x86/kernel/acpi/boot.c 2009-09-06 15:29:11.196216265 -0400
7930 @@ -1609,7 +1609,7 @@ static struct dmi_system_id __initdata a
7931 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
7935 + { NULL, NULL, {{0, {0}}}, NULL}
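Review bot: The explicit terminator `{ NULL, NULL, {{0, {0}}}, NULL}` on L4404 spells an empty `struct dmi_system_id` differently from the terminators this patch adds to apm_32.c (`{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}`, L4583) and acpi-cpufreq.c (L4709). All three presumably replace an empty initializer the page does not show; whichever form is chosen, using it uniformly makes the sentinel greppable, and the DMI_MATCH form at least names what the nested braces are. A `/* terminator */` comment on the sentinel line is also customary in these tables.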
7939 diff -urNp linux-2.6.31/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.31/arch/x86/kernel/acpi/realmode/wakeup.S
7940 --- linux-2.6.31/arch/x86/kernel/acpi/realmode/wakeup.S 2009-08-27 20:59:04.000000000 -0400
7941 +++ linux-2.6.31/arch/x86/kernel/acpi/realmode/wakeup.S 2009-09-06 15:29:11.197332986 -0400
7942 @@ -104,7 +104,7 @@ _start:
7946 - movl $0xc0000080, %ecx
7947 + mov $MSR_EFER, %ecx
7951 diff -urNp linux-2.6.31/arch/x86/kernel/acpi/sleep.c linux-2.6.31/arch/x86/kernel/acpi/sleep.c
7952 --- linux-2.6.31/arch/x86/kernel/acpi/sleep.c 2009-08-27 20:59:04.000000000 -0400
7953 +++ linux-2.6.31/arch/x86/kernel/acpi/sleep.c 2009-09-06 15:29:11.197332986 -0400
7955 #include <linux/cpumask.h>
7956 #include <asm/segment.h>
7957 #include <asm/desc.h>
7958 +#include <asm/e820.h>
7960 #include "realmode/wakeup.h"
7963 -unsigned long acpi_wakeup_address;
7964 +unsigned long acpi_wakeup_address = 0x2000;
7965 unsigned long acpi_realmode_flags;
7967 /* address in low memory of the wakeup routine. */
7968 @@ -37,6 +38,10 @@ int acpi_save_state_mem(void)
7970 struct wakeup_header *header;
7972 +#if defined(CONFIG_64BIT) && defined(CONFIG_SMP) && defined(CONFIG_PAX_KERNEXEC)
7973 + unsigned long cr0;
7976 if (!acpi_realmode) {
7977 printk(KERN_ERR "Could not allocate memory during boot, "
7979 @@ -99,8 +104,18 @@ int acpi_save_state_mem(void)
7980 header->trampoline_segment = setup_trampoline() >> 4;
7982 stack_start.sp = temp_stack + sizeof(temp_stack);
7984 +#ifdef CONFIG_PAX_KERNEXEC
7985 + pax_open_kernel(cr0);
7988 early_gdt_descr.address =
7989 (unsigned long)get_cpu_gdt_table(smp_processor_id());
7991 +#ifdef CONFIG_PAX_KERNEXEC
7992 + pax_close_kernel(cr0);
7995 initial_gs = per_cpu_offset(smp_processor_id());
7997 initial_code = (unsigned long)wakeup_long64;
7998 @@ -134,14 +149,8 @@ void __init acpi_reserve_bootmem(void)
8002 - acpi_realmode = (unsigned long)alloc_bootmem_low(WAKEUP_SIZE);
8004 - if (!acpi_realmode) {
8005 - printk(KERN_ERR "ACPI: Cannot allocate lowmem, S3 disabled.\n");
8009 - acpi_wakeup_address = virt_to_phys((void *)acpi_realmode);
8010 + reserve_early(acpi_wakeup_address, acpi_wakeup_address + WAKEUP_SIZE, "ACPI Wakeup Code");
8011 + acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;
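Review bot: `acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;` on L4446 has a stray second semicolon. The reservation now pins the wakeup code at the physical address initialised on L4420, `acpi_wakeup_address = 0x2000`, a bare magic number with no comment on why that page is known to be free and suitable for the real-mode stub; give it a name and a reason, e.g. `#define ACPI_WAKEUP_PHYS 0x2000 /* fixed low-memory page for the real-mode wakeup stub; free because: <reason — TODO fill in> */`. With the allocation-failure branch removed (L4442-L4444), `acpi_realmode` is always non-zero, so the `if (!acpi_realmode)` check kept as context in acpi_save_state_mem (L4427) can no longer trigger; either that check goes too, or the reservation path should still be able to report failure if reserve_early() can.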
8015 diff -urNp linux-2.6.31/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.31/arch/x86/kernel/acpi/wakeup_32.S
8016 --- linux-2.6.31/arch/x86/kernel/acpi/wakeup_32.S 2009-08-27 20:59:04.000000000 -0400
8017 +++ linux-2.6.31/arch/x86/kernel/acpi/wakeup_32.S 2009-09-06 15:29:11.197332986 -0400
8018 @@ -30,13 +30,11 @@ wakeup_pmode_return:
8019 # and restore the stack ... but you need gdt for this to work
8020 movl saved_context_esp, %esp
8022 - movl %cs:saved_magic, %eax
8023 - cmpl $0x12345678, %eax
8024 + cmpl $0x12345678, saved_magic
8027 # jump to place where we left off
8028 - movl saved_eip, %eax
8034 diff -urNp linux-2.6.31/arch/x86/kernel/alternative.c linux-2.6.31/arch/x86/kernel/alternative.c
8035 --- linux-2.6.31/arch/x86/kernel/alternative.c 2009-08-27 20:59:04.000000000 -0400
8036 +++ linux-2.6.31/arch/x86/kernel/alternative.c 2009-09-06 15:29:11.198309525 -0400
8037 @@ -400,7 +400,7 @@ void apply_paravirt(struct paravirt_patc
8039 BUG_ON(p->len > MAX_PATCH_LEN);
8040 /* prep the buffer with the original instructions */
8041 - memcpy(insnbuf, p->instr, p->len);
8042 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
8043 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
8044 (unsigned long)p->instr, p->len);
8046 @@ -485,11 +485,26 @@ void __init alternative_instructions(voi
8047 * instructions. And on the local CPU you need to be protected again NMI or MCE
8048 * handlers seeing an inconsistent instruction while you patch.
8050 -void *text_poke_early(void *addr, const void *opcode, size_t len)
8051 +void *__kprobes text_poke_early(void *addr, const void *opcode, size_t len)
8053 unsigned long flags;
8055 +#ifdef CONFIG_PAX_KERNEXEC
8056 + unsigned long cr0;
8059 local_irq_save(flags);
8060 - memcpy(addr, opcode, len);
8062 +#ifdef CONFIG_PAX_KERNEXEC
8063 + pax_open_kernel(cr0);
8066 + memcpy(ktla_ktva(addr), opcode, len);
8068 +#ifdef CONFIG_PAX_KERNEXEC
8069 + pax_close_kernel(cr0);
8072 local_irq_restore(flags);
8074 /* Could also do a CLFLUSH here to speed up CPU recovery; but
8075 @@ -512,35 +527,27 @@ void *text_poke_early(void *addr, const
8077 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
8079 - unsigned long flags;
8081 + unsigned char *vaddr = ktla_ktva(addr);
8082 struct page *pages[2];
8086 + if (!core_kernel_text((unsigned long)addr)
8088 - if (!core_kernel_text((unsigned long)addr)) {
8089 - pages[0] = vmalloc_to_page(addr);
8090 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
8091 +#if defined(CONFIG_X86_32) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
8092 + && (vaddr < MODULES_EXEC_VADDR || MODULES_EXEC_END < vaddr)
8096 + pages[0] = vmalloc_to_page(vaddr);
8097 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
8099 - pages[0] = virt_to_page(addr);
8100 + pages[0] = virt_to_page(vaddr);
8101 WARN_ON(!PageReserved(pages[0]));
8102 - pages[1] = virt_to_page(addr + PAGE_SIZE);
8103 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
8106 - local_irq_save(flags);
8107 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
8109 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
8110 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
8111 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
8112 - clear_fixmap(FIX_TEXT_POKE0);
8114 - clear_fixmap(FIX_TEXT_POKE1);
8115 - local_flush_tlb();
8117 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
8118 - that causes hangs on some VIA CPUs. */
8119 + text_poke_early(addr, opcode, len);
8120 for (i = 0; i < len; i++)
8121 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
8122 - local_irq_restore(flags);
8123 + BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
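Review bot: `pages[1]` is still assigned on both branches (L4497, L4502) but nothing in the rewritten text_poke reads it once the set_fixmap()/clear_fixmap() lines are gone (L4504-L4509), so those two assignments are dead stores; `pages[0]` survives only for the PageReserved sanity check on L4500 (and any `BUG_ON(!pages[0])` on a line this excerpt omits). Either drop `pages[1]` and shrink the array, or add `/* pages[] is kept only for the sanity checks; the write goes through text_poke_early() */`. The write itself now goes through text_poke_early() (L4513), i.e. straight into the kernel text mapping while KERNEXEC is opened with interrupts disabled (L4476-L4482), instead of via the temporary fixmap alias the old code used; that is a material change to how live kernel text is patched and deserves a sentence in the function comment above text_poke, which is outside this hunk. The verification loop now compares through `vaddr` rather than `addr` (L4517); a short comment stating that `ktla_ktva()` yields the alias the write went through would make that choice look intentional.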
8126 diff -urNp linux-2.6.31/arch/x86/kernel/apm_32.c linux-2.6.31/arch/x86/kernel/apm_32.c
8127 --- linux-2.6.31/arch/x86/kernel/apm_32.c 2009-08-27 20:59:04.000000000 -0400
8128 +++ linux-2.6.31/arch/x86/kernel/apm_32.c 2009-09-06 15:29:11.199169407 -0400
8129 @@ -403,7 +403,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
8130 static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
8131 static struct apm_user *user_list;
8132 static DEFINE_SPINLOCK(user_list_lock);
8133 -static const struct desc_struct bad_bios_desc = { { { 0, 0x00409200 } } };
8134 +static const struct desc_struct bad_bios_desc = { { { 0, 0x00409300 } } };
8136 static const char driver_version[] = "1.16ac"; /* no spaces */
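Review bot: The descriptor word for bad_bios_desc changes from 0x00409200 to 0x00409300 (L4526) with no comment, and the only difference is bit 0 of the access byte, 0x92 → 0x93, which in the x86 descriptor format is the "accessed" flag. Presumably the bit is pre-set so that loading the selector never makes the CPU write the GDT entry, which would fault once the GDT is read-only under KERNEXEC — the pax_open_kernel()/pax_close_kernel() pairs this patch wraps around every `gdt[0x40 / 8]` store in the same file point the same way; that rationale should sit on the line, `/* accessed bit pre-set: the CPU must never need to write a read-only GDT — confirm */`. Constants like this are the first thing a later maintainer will "fix back" if the reason is not recorded.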
8138 @@ -576,12 +576,25 @@ static long __apm_bios_call(void *_call)
8139 struct desc_struct *gdt;
8140 struct apm_bios_call *call = _call;
8142 +#ifdef CONFIG_PAX_KERNEXEC
8143 + unsigned long cr0;
8148 gdt = get_cpu_gdt_table(cpu);
8149 save_desc_40 = gdt[0x40 / 8];
8151 +#ifdef CONFIG_PAX_KERNEXEC
8152 + pax_open_kernel(cr0);
8155 gdt[0x40 / 8] = bad_bios_desc;
8157 +#ifdef CONFIG_PAX_KERNEXEC
8158 + pax_close_kernel(cr0);
8161 apm_irq_save(flags);
8163 apm_bios_call_asm(call->func, call->ebx, call->ecx,
8164 @@ -589,7 +602,17 @@ static long __apm_bios_call(void *_call)
8166 APM_DO_RESTORE_SEGS;
8167 apm_irq_restore(flags);
8169 +#ifdef CONFIG_PAX_KERNEXEC
8170 + pax_open_kernel(cr0);
8173 gdt[0x40 / 8] = save_desc_40;
8175 +#ifdef CONFIG_PAX_KERNEXEC
8176 + pax_close_kernel(cr0);
8181 return call->eax & 0xff;
8182 @@ -652,19 +675,42 @@ static long __apm_bios_call_simple(void
8183 struct desc_struct *gdt;
8184 struct apm_bios_call *call = _call;
8186 +#ifdef CONFIG_PAX_KERNEXEC
8187 + unsigned long cr0;
8192 gdt = get_cpu_gdt_table(cpu);
8193 save_desc_40 = gdt[0x40 / 8];
8195 +#ifdef CONFIG_PAX_KERNEXEC
8196 + pax_open_kernel(cr0);
8199 gdt[0x40 / 8] = bad_bios_desc;
8201 +#ifdef CONFIG_PAX_KERNEXEC
8202 + pax_close_kernel(cr0);
8205 apm_irq_save(flags);
8207 error = apm_bios_call_simple_asm(call->func, call->ebx, call->ecx,
8209 APM_DO_RESTORE_SEGS;
8210 apm_irq_restore(flags);
8212 +#ifdef CONFIG_PAX_KERNEXEC
8213 + pax_open_kernel(cr0);
8216 gdt[0x40 / 8] = save_desc_40;
8218 +#ifdef CONFIG_PAX_KERNEXEC
8219 + pax_close_kernel(cr0);
8225 @@ -967,7 +1013,7 @@ recalc:
8227 static void apm_power_off(void)
8229 - unsigned char po_bios_call[] = {
8230 + const unsigned char po_bios_call[] = {
8231 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
8232 0x8e, 0xd0, /* movw ax,ss */
8233 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
8234 @@ -1925,7 +1971,10 @@ static const struct file_operations apm_
8235 static struct miscdevice apm_device = {
8246 @@ -2246,7 +2295,7 @@ static struct dmi_system_id __initdata a
8247 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
8251 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
8255 @@ -2264,6 +2313,10 @@ static int __init apm_init(void)
8256 struct desc_struct *gdt;
8259 +#ifdef CONFIG_PAX_KERNEXEC
8260 + unsigned long cr0;
8263 dmi_check_system(apm_dmi_table);
8265 if (apm_info.bios.version == 0 || paravirt_enabled() || machine_is_olpc()) {
8266 @@ -2337,9 +2390,18 @@ static int __init apm_init(void)
8267 * This is for buggy BIOS's that refer to (real mode) segment 0x40
8268 * even though they are called in protected mode.
8271 +#ifdef CONFIG_PAX_KERNEXEC
8272 + pax_open_kernel(cr0);
8275 set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
8276 _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
8278 +#ifdef CONFIG_PAX_KERNEXEC
8279 + pax_close_kernel(cr0);
8283 * Set up the long jump entry point to the APM BIOS, which is called
8284 * from inline assembly.
8285 @@ -2358,6 +2420,11 @@ static int __init apm_init(void)
8288 gdt = get_cpu_gdt_table(0);
8290 +#ifdef CONFIG_PAX_KERNEXEC
8291 + pax_open_kernel(cr0);
8294 set_base(gdt[APM_CS >> 3],
8295 __va((unsigned long)apm_info.bios.cseg << 4));
8296 set_base(gdt[APM_CS_16 >> 3],
8297 @@ -2365,6 +2432,10 @@ static int __init apm_init(void)
8298 set_base(gdt[APM_DS >> 3],
8299 __va((unsigned long)apm_info.bios.dseg << 4));
8301 +#ifdef CONFIG_PAX_KERNEXEC
8302 + pax_close_kernel(cr0);
8305 proc_create("apm", 0, NULL, &apm_file_ops);
8307 kapmd_task = kthread_create(apm, NULL, "kapmd");
8308 diff -urNp linux-2.6.31/arch/x86/kernel/asm-offsets_32.c linux-2.6.31/arch/x86/kernel/asm-offsets_32.c
8309 --- linux-2.6.31/arch/x86/kernel/asm-offsets_32.c 2009-08-27 20:59:04.000000000 -0400
8310 +++ linux-2.6.31/arch/x86/kernel/asm-offsets_32.c 2009-09-06 15:29:11.200173853 -0400
8311 @@ -115,6 +115,7 @@ void foo(void)
8312 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
8313 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
8314 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
8315 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
8319 diff -urNp linux-2.6.31/arch/x86/kernel/asm-offsets_64.c linux-2.6.31/arch/x86/kernel/asm-offsets_64.c
8320 --- linux-2.6.31/arch/x86/kernel/asm-offsets_64.c 2009-08-27 20:59:04.000000000 -0400
8321 +++ linux-2.6.31/arch/x86/kernel/asm-offsets_64.c 2009-09-06 15:29:11.200173853 -0400
8322 @@ -114,6 +114,7 @@ int main(void)
8326 + DEFINE(TSS_size, sizeof(struct tss_struct));
8327 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
8329 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
8330 diff -urNp linux-2.6.31/arch/x86/kernel/cpu/common.c linux-2.6.31/arch/x86/kernel/cpu/common.c
8331 --- linux-2.6.31/arch/x86/kernel/cpu/common.c 2009-08-27 20:59:04.000000000 -0400
8332 +++ linux-2.6.31/arch/x86/kernel/cpu/common.c 2009-09-06 15:29:11.200173853 -0400
8333 @@ -84,60 +84,6 @@ static const struct cpu_dev __cpuinitcon
8335 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
8337 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
8338 -#ifdef CONFIG_X86_64
8340 - * We need valid kernel segments for data and code in long mode too
8341 - * IRET will check the segment types kkeil 2000/10/28
8342 - * Also sysret mandates a special GDT layout
8344 - * TLS descriptors are currently at a different place compared to i386.
8345 - * Hopefully nobody expects them at a fixed place (Wine?)
8347 - [GDT_ENTRY_KERNEL32_CS] = { { { 0x0000ffff, 0x00cf9b00 } } },
8348 - [GDT_ENTRY_KERNEL_CS] = { { { 0x0000ffff, 0x00af9b00 } } },
8349 - [GDT_ENTRY_KERNEL_DS] = { { { 0x0000ffff, 0x00cf9300 } } },
8350 - [GDT_ENTRY_DEFAULT_USER32_CS] = { { { 0x0000ffff, 0x00cffb00 } } },
8351 - [GDT_ENTRY_DEFAULT_USER_DS] = { { { 0x0000ffff, 0x00cff300 } } },
8352 - [GDT_ENTRY_DEFAULT_USER_CS] = { { { 0x0000ffff, 0x00affb00 } } },
8354 - [GDT_ENTRY_KERNEL_CS] = { { { 0x0000ffff, 0x00cf9a00 } } },
8355 - [GDT_ENTRY_KERNEL_DS] = { { { 0x0000ffff, 0x00cf9200 } } },
8356 - [GDT_ENTRY_DEFAULT_USER_CS] = { { { 0x0000ffff, 0x00cffa00 } } },
8357 - [GDT_ENTRY_DEFAULT_USER_DS] = { { { 0x0000ffff, 0x00cff200 } } },
8359 - * Segments used for calling PnP BIOS have byte granularity.
8360 - * They code segments and data segments have fixed 64k limits,
8361 - * the transfer segment sizes are set at run time.
8364 - [GDT_ENTRY_PNPBIOS_CS32] = { { { 0x0000ffff, 0x00409a00 } } },
8366 - [GDT_ENTRY_PNPBIOS_CS16] = { { { 0x0000ffff, 0x00009a00 } } },
8368 - [GDT_ENTRY_PNPBIOS_DS] = { { { 0x0000ffff, 0x00009200 } } },
8370 - [GDT_ENTRY_PNPBIOS_TS1] = { { { 0x00000000, 0x00009200 } } },
8372 - [GDT_ENTRY_PNPBIOS_TS2] = { { { 0x00000000, 0x00009200 } } },
8374 - * The APM segments have byte granularity and their bases
8375 - * are set at run time. All have 64k limits.
8378 - [GDT_ENTRY_APMBIOS_BASE] = { { { 0x0000ffff, 0x00409a00 } } },
8380 - [GDT_ENTRY_APMBIOS_BASE+1] = { { { 0x0000ffff, 0x00009a00 } } },
8382 - [GDT_ENTRY_APMBIOS_BASE+2] = { { { 0x0000ffff, 0x00409200 } } },
8384 - [GDT_ENTRY_ESPFIX_SS] = { { { 0x0000ffff, 0x00cf9200 } } },
8385 - [GDT_ENTRY_PERCPU] = { { { 0x0000ffff, 0x00cf9200 } } },
8386 - GDT_STACK_CANARY_INIT
8389 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
8391 static int __init x86_xsave_setup(char *s)
8393 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
8394 @@ -345,7 +291,7 @@ void switch_to_new_gdt(int cpu)
8396 struct desc_ptr gdt_descr;
8398 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
8399 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
8400 gdt_descr.size = GDT_SIZE - 1;
8401 load_gdt(&gdt_descr);
8402 /* Reload the per-cpu base */
8403 @@ -799,6 +745,10 @@ static void __cpuinit identify_cpu(struc
8404 /* Filter out anything that depends on CPUID levels we don't have */
8405 filter_cpuid_features(c, true);
8407 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
8408 + setup_clear_cpu_cap(X86_FEATURE_SEP);
8411 /* If the model name is still unset, do table lookup. */
8412 if (!c->x86_model_id[0]) {
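Review bot: `setup_clear_cpu_cap(X86_FEATURE_SEP)` under SEGMEXEC/KERNEXEC/UDEREF (L4681-L4682) takes sysenter away from every affected CPU without a word about why; that is both a measurable cost (presumably the slower legacy syscall entry is used instead) and a security design decision in one line. Add the reason above the `#if`, e.g. `/* sysenter/sysexit is disabled under these PaX features: <reason — TODO fill in> */`, or at least a pointer to the document that explains it. If only one of the three features actually conflicts, splitting the `#if` would avoid paying the cost under the others.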
8414 @@ -982,7 +932,7 @@ static __init int setup_disablecpuid(cha
8415 __setup("clearcpuid=", setup_disablecpuid);
8417 #ifdef CONFIG_X86_64
8418 -struct desc_ptr idt_descr = { 256 * 16 - 1, (unsigned long) idt_table };
8419 +struct desc_ptr idt_descr __read_only = { 256 * 16 - 1, (unsigned long) idt_table };
8421 DEFINE_PER_CPU_FIRST(union irq_stack_union,
8422 irq_stack_union) __aligned(PAGE_SIZE);
8423 @@ -1092,7 +1042,7 @@ void __cpuinit cpu_init(void)
8426 cpu = stack_smp_processor_id();
8427 - t = &per_cpu(init_tss, cpu);
8428 + t = init_tss + cpu;
8429 orig_ist = &per_cpu(orig_ist, cpu);
8432 @@ -1190,7 +1140,7 @@ void __cpuinit cpu_init(void)
8434 int cpu = smp_processor_id();
8435 struct task_struct *curr = current;
8436 - struct tss_struct *t = &per_cpu(init_tss, cpu);
8437 + struct tss_struct *t = init_tss + cpu;
8438 struct thread_struct *thread = &curr->thread;
8440 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
8441 diff -urNp linux-2.6.31/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.31/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
8442 --- linux-2.6.31/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2009-08-27 20:59:04.000000000 -0400
8443 +++ linux-2.6.31/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2009-09-06 15:29:11.201202196 -0400
8444 @@ -586,7 +586,7 @@ static const struct dmi_system_id sw_any
8445 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
8449 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
8453 diff -urNp linux-2.6.31/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.31/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
8454 --- linux-2.6.31/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2009-08-27 20:59:04.000000000 -0400
8455 +++ linux-2.6.31/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2009-09-06 15:29:11.201202196 -0400
8456 @@ -225,7 +225,7 @@ static struct cpu_model models[] =
8457 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
8458 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
8461 + { NULL, NULL, 0, NULL}
8465 diff -urNp linux-2.6.31/arch/x86/kernel/cpu/intel.c linux-2.6.31/arch/x86/kernel/cpu/intel.c
8466 --- linux-2.6.31/arch/x86/kernel/cpu/intel.c 2009-08-27 20:59:04.000000000 -0400
8467 +++ linux-2.6.31/arch/x86/kernel/cpu/intel.c 2009-09-06 15:29:11.202212148 -0400
8468 @@ -140,7 +140,7 @@ static void __cpuinit trap_init_f00f_bug
8469 * Update the IDT descriptor and reload the IDT so that
8470 * it uses the read-only mapped virtual address.
8472 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
8473 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
8474 load_idt(&idt_descr);
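Review bot: `idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);` (L4724) casts to a pointer, while the same field is assigned an `unsigned long` in switch_to_new_gdt (`gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);`, L4674) and initialised with `(unsigned long) idt_table` (L4689) elsewhere in this patch. If `struct desc_ptr.address` is still `unsigned long`, this line converts a pointer to an integer implicitly and gcc will warn; if the patch changes the field's type somewhere outside this excerpt, the other two sites are the ones that now disagree. The three assignments should use one form, and whichever header change justifies the cast should be named in the commit description.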
8477 diff -urNp linux-2.6.31/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.31/arch/x86/kernel/cpu/mcheck/mce.c
8478 --- linux-2.6.31/arch/x86/kernel/cpu/mcheck/mce.c 2009-08-27 20:59:04.000000000 -0400
8479 +++ linux-2.6.31/arch/x86/kernel/cpu/mcheck/mce.c 2009-09-06 15:29:11.202212148 -0400
8480 @@ -1370,14 +1370,14 @@ void __cpuinit mcheck_init(struct cpuinf
8483 static DEFINE_SPINLOCK(mce_state_lock);
8484 -static int open_count; /* #times opened */
8485 +static atomic_t open_count; /* #times opened */
8486 static int open_exclu; /* already open exclusive? */
8488 static int mce_open(struct inode *inode, struct file *file)
8490 spin_lock(&mce_state_lock);
8492 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
8493 + if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
8494 spin_unlock(&mce_state_lock);
8497 @@ -1385,7 +1385,7 @@ static int mce_open(struct inode *inode,
8499 if (file->f_flags & O_EXCL)
8502 + atomic_inc(&open_count);
8504 spin_unlock(&mce_state_lock);
8506 @@ -1396,7 +1396,7 @@ static int mce_release(struct inode *ino
8508 spin_lock(&mce_state_lock);
8511 + atomic_dec(&open_count);
8514 spin_unlock(&mce_state_lock);
8515 @@ -1536,6 +1536,7 @@ static struct miscdevice mce_log_device
8519 + {NULL, NULL}, NULL, NULL
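Review bot: open_count becomes an atomic_t at 8485, but every access in the hunk (8493, 8502, 8511) still runs under mce_state_lock, so the type changes while the synchronization model does not, and a reader cannot tell which of the two is load-bearing. If the intent is the overflow-checked refcount semantics this patch gives atomic_t elsewhere, say so on the declaration: `static atomic_t open_count; /* atomic_t for refcount overflow checking; still serialized by mce_state_lock */`. The appended positional initializer at 8519 (`{NULL, NULL}, NULL, NULL`) is fragile against any reordering of struct miscdevice; designated initializers for the fields that are actually set would be safer than spelling out trailing zeros.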
8523 diff -urNp linux-2.6.31/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.31/arch/x86/kernel/cpu/mtrr/generic.c
8524 --- linux-2.6.31/arch/x86/kernel/cpu/mtrr/generic.c 2009-08-27 20:59:04.000000000 -0400
8525 +++ linux-2.6.31/arch/x86/kernel/cpu/mtrr/generic.c 2009-09-06 15:29:11.203160585 -0400
8526 @@ -23,14 +23,14 @@ static struct fixed_range_block fixed_ra
8527 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
8528 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
8529 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
8534 static unsigned long smp_changes_mask;
8535 static int mtrr_state_set;
8538 -struct mtrr_state_type mtrr_state = {};
8539 +struct mtrr_state_type mtrr_state;
8540 EXPORT_SYMBOL_GPL(mtrr_state);
8543 diff -urNp linux-2.6.31/arch/x86/kernel/crash.c linux-2.6.31/arch/x86/kernel/crash.c
8544 --- linux-2.6.31/arch/x86/kernel/crash.c 2009-08-27 20:59:04.000000000 -0400
8545 +++ linux-2.6.31/arch/x86/kernel/crash.c 2009-09-06 15:29:11.203160585 -0400
8546 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
8549 #ifdef CONFIG_X86_32
8550 - if (!user_mode_vm(regs)) {
8551 + if (!user_mode(regs)) {
8552 crash_fixup_ss_esp(&fixed_regs, regs);
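Review bot: The user_mode_vm() → user_mode() substitution at 8551 changes semantics on 32-bit: stock user_mode() ignores the VM86 flag, so a crash taken in a vm86 task would be treated as a kernel frame and fed to crash_fixup_ss_esp(), unless this patch redefines user_mode() in asm/ptrace.h to cover VM86 (not visible here). The same substitution appears in dumpstack_32.c (8597) and dumpstack.c (8662). If user_mode() is redefined, a one-line comment at this first site, `/* user_mode() covers VM86 frames as well in this tree, see asm/ptrace.h */`, would stop the next reader from reverting it; if it is not, user_mode_vm() should stay in all three places.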
8555 diff -urNp linux-2.6.31/arch/x86/kernel/doublefault_32.c linux-2.6.31/arch/x86/kernel/doublefault_32.c
8556 --- linux-2.6.31/arch/x86/kernel/doublefault_32.c 2009-08-27 20:59:04.000000000 -0400
8557 +++ linux-2.6.31/arch/x86/kernel/doublefault_32.c 2009-09-06 15:29:11.204182293 -0400
8560 #define DOUBLEFAULT_STACKSIZE (1024)
8561 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
8562 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
8563 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
8565 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
8567 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
8568 unsigned long gdt, tss;
8570 store_gdt(&gdt_desc);
8571 - gdt = gdt_desc.address;
8572 + gdt = (unsigned long)gdt_desc.address;
8574 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
8576 @@ -60,10 +60,10 @@ struct tss_struct doublefault_tss __cach
8577 /* 0x2 bit is always set */
8578 .flags = X86_EFLAGS_SF | 0x2,
8581 + .es = __KERNEL_DS,
8585 + .ds = __KERNEL_DS,
8586 .fs = __KERNEL_PERCPU,
8588 .__cr3 = __pa_nodebug(swapper_pg_dir),
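Review bot: The `-2` in the new STACK_START at 8563 is an unexplained magic offset: the double-fault handler's initial esp now starts two unsigned longs (8 bytes) below the end of doublefault_stack, and nothing in the hunk says why 2 rather than 0 or 1. Presumably it keeps the first pushes inside the array instead of one-past-the-end, but that should be stated on the define, in the form `/* -2: <reason, e.g. keep the initial frame inside doublefault_stack> */` with the actual reason filled in. The explicit `.es`/`.ds = __KERNEL_DS` at 8581/8585 replace lines this rendering drops, so the old values cannot be checked here.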
8589 diff -urNp linux-2.6.31/arch/x86/kernel/dumpstack_32.c linux-2.6.31/arch/x86/kernel/dumpstack_32.c
8590 --- linux-2.6.31/arch/x86/kernel/dumpstack_32.c 2009-08-27 20:59:04.000000000 -0400
8591 +++ linux-2.6.31/arch/x86/kernel/dumpstack_32.c 2009-09-06 15:29:11.204182293 -0400
8592 @@ -113,11 +113,12 @@ void show_registers(struct pt_regs *regs
8593 * When in-kernel, we also print out the stack and code at the
8594 * time of the fault..
8596 - if (!user_mode_vm(regs)) {
8597 + if (!user_mode(regs)) {
8598 unsigned int code_prologue = code_bytes * 43 / 64;
8599 unsigned int code_len = code_bytes;
8602 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
8604 printk(KERN_EMERG "Stack:\n");
8605 show_stack_log_lvl(NULL, regs, ®s->sp,
8606 @@ -125,10 +126,10 @@ void show_registers(struct pt_regs *regs
8608 printk(KERN_EMERG "Code: ");
8610 - ip = (u8 *)regs->ip - code_prologue;
8611 + ip = (u8 *)regs->ip - code_prologue + cs_base;
8612 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
8613 /* try starting at IP */
8614 - ip = (u8 *)regs->ip;
8615 + ip = (u8 *)regs->ip + cs_base;
8616 code_len = code_len - code_prologue + 1;
8618 for (i = 0; i < code_len; i++, ip++) {
8619 @@ -137,7 +138,7 @@ void show_registers(struct pt_regs *regs
8620 printk(" Bad EIP value.");
8623 - if (ip == (u8 *)regs->ip)
8624 + if (ip == (u8 *)regs->ip + cs_base)
8625 printk("<%02x> ", c);
8628 @@ -150,6 +151,7 @@ int is_valid_bugaddr(unsigned long ip)
8632 + ip = ktla_ktva(ip);
8633 if (ip < PAGE_OFFSET)
8635 if (probe_kernel_address((unsigned short *)ip, ud2))
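Review bot: `(0xffff & regs->cs) >> 3` at 8602 indexes the per-CPU GDT with whatever the faulting frame holds, and regs->cs on a corrupted kernel frame is not trustworthy: an index can reach 8191 while the table has GDT_ENTRIES entries (one page per CPU in this patch), and get_desc_base() is a plain dereference rather than a probe_kernel_address() read, so a bad selector can turn an oops into a second fault inside show_registers(). Clamping the index is cheap: `unsigned int idx = (regs->cs & 0xffff) >> 3;` and `unsigned long cs_base = idx < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[idx]) : 0;`. The rest of show_registers() lies outside these hunks.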
8636 diff -urNp linux-2.6.31/arch/x86/kernel/dumpstack.c linux-2.6.31/arch/x86/kernel/dumpstack.c
8637 --- linux-2.6.31/arch/x86/kernel/dumpstack.c 2009-08-27 20:59:04.000000000 -0400
8638 +++ linux-2.6.31/arch/x86/kernel/dumpstack.c 2009-09-06 15:29:11.204182293 -0400
8639 @@ -181,7 +181,7 @@ void dump_stack(void)
8642 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
8643 - current->pid, current->comm, current->xid, print_tainted(),
8644 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
8645 init_utsname()->release,
8646 (int)strcspn(init_utsname()->version, " "),
8647 init_utsname()->version);
8648 @@ -242,7 +242,7 @@ void __kprobes oops_end(unsigned long fl
8649 panic("Fatal exception in interrupt");
8651 panic("Fatal exception");
8653 + do_group_exit(signr);
8656 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
8657 @@ -296,7 +296,7 @@ void die(const char *str, struct pt_regs
8658 unsigned long flags = oops_begin();
8661 - if (!user_mode_vm(regs))
8662 + if (!user_mode(regs))
8663 report_bug(regs->ip, regs);
8665 if (__die(str, regs, err))
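Review bot: `do_group_exit(signr)` at 8653 replaces the previous exit call in oops_end() (the removed line is not visible in this rendering), which means an oops in one thread now takes the whole thread group down; that is a reasonable hardening choice, but the hunk gives no rationale and a future reader may see it as a behaviour regression. A comment above the call, `/* kill the whole thread group, not just the oopsing thread: a process whose kernel state is partially corrupted must not keep running */`, would preserve the intent. oops_end()'s body begins outside the hunk.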
8666 diff -urNp linux-2.6.31/arch/x86/kernel/e820.c linux-2.6.31/arch/x86/kernel/e820.c
8667 --- linux-2.6.31/arch/x86/kernel/e820.c 2009-08-27 20:59:04.000000000 -0400
8668 +++ linux-2.6.31/arch/x86/kernel/e820.c 2009-09-06 15:29:11.204182293 -0400
8669 @@ -733,7 +733,10 @@ struct early_res {
8671 static struct early_res early_res[MAX_EARLY_RES] __initdata = {
8672 { 0, PAGE_SIZE, "BIOS data page" }, /* BIOS data page */
8675 + { PAGE_SIZE, ISA_START_ADDRESS, "V86 mode memory", 1 },
8680 static int __init find_overlapped_early(u64 start, u64 end)
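Review bot: The new early_res entry at 8675 ends in a bare positional `1` that the neighbouring entries do not have; it is presumably the overlap_ok flag, but as written it reads as a magic number and would silently shift meaning if the struct gained a member. Either use a designated initializer, `{ PAGE_SIZE, ISA_START_ADDRESS, "V86 mode memory", .overlap_ok = 1 },` (the existing array is positional, but C99 allows mixing), or at least annotate it with `/* overlap_ok */`.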
8681 diff -urNp linux-2.6.31/arch/x86/kernel/efi_32.c linux-2.6.31/arch/x86/kernel/efi_32.c
8682 --- linux-2.6.31/arch/x86/kernel/efi_32.c 2009-08-27 20:59:04.000000000 -0400
8683 +++ linux-2.6.31/arch/x86/kernel/efi_32.c 2009-09-06 15:29:11.205512344 -0400
8687 static unsigned long efi_rt_eflags;
8688 -static pgd_t efi_bak_pg_dir_pointer[2];
8689 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
8691 -void efi_call_phys_prelog(void)
8692 +void __init efi_call_phys_prelog(void)
8694 - unsigned long cr4;
8695 - unsigned long temp;
8696 struct desc_ptr gdt_descr;
8698 local_irq_save(efi_rt_eflags);
8701 - * If I don't have PAE, I should just duplicate two entries in page
8702 - * directory. If I have PAE, I just need to duplicate one entry in
8705 - cr4 = read_cr4_safe();
8707 - if (cr4 & X86_CR4_PAE) {
8708 - efi_bak_pg_dir_pointer[0].pgd =
8709 - swapper_pg_dir[pgd_index(0)].pgd;
8710 - swapper_pg_dir[0].pgd =
8711 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
8713 - efi_bak_pg_dir_pointer[0].pgd =
8714 - swapper_pg_dir[pgd_index(0)].pgd;
8715 - efi_bak_pg_dir_pointer[1].pgd =
8716 - swapper_pg_dir[pgd_index(0x400000)].pgd;
8717 - swapper_pg_dir[pgd_index(0)].pgd =
8718 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
8719 - temp = PAGE_OFFSET + 0x400000;
8720 - swapper_pg_dir[pgd_index(0x400000)].pgd =
8721 - swapper_pg_dir[pgd_index(temp)].pgd;
8723 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
8724 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
8725 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
8728 * After the lock is released, the original page table is restored.
8732 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
8733 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
8734 gdt_descr.size = GDT_SIZE - 1;
8735 load_gdt(&gdt_descr);
8738 -void efi_call_phys_epilog(void)
8739 +void __init efi_call_phys_epilog(void)
8741 - unsigned long cr4;
8742 struct desc_ptr gdt_descr;
8744 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
8745 + gdt_descr.address = get_cpu_gdt_table(0);
8746 gdt_descr.size = GDT_SIZE - 1;
8747 load_gdt(&gdt_descr);
8749 - cr4 = read_cr4_safe();
8751 - if (cr4 & X86_CR4_PAE) {
8752 - swapper_pg_dir[pgd_index(0)].pgd =
8753 - efi_bak_pg_dir_pointer[0].pgd;
8755 - swapper_pg_dir[pgd_index(0)].pgd =
8756 - efi_bak_pg_dir_pointer[0].pgd;
8757 - swapper_pg_dir[pgd_index(0x400000)].pgd =
8758 - efi_bak_pg_dir_pointer[1].pgd;
8760 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
8763 * After the lock is released, the original page table is restored.
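Review bot: The removed PAE/non-PAE comment (8701-8702) explained the old page-directory juggling, but nothing replaces it for the new clone_pgd_range() pair at 8723-8725, whose `min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)` is the subtle part. Suggest a comment above 8723: `/* back up the kernel half of swapper_pg_dir, then mirror it into the low (user) pgd slots so physical addresses resolve while paging is still enabled during the EFI call */`. The functions now carry __init (8692, 8739) and the backup array is __initdata (8689); that only holds if nothing calls efi_call_phys_prelog()/epilog() after init, which is presumably true (only the switch to virtual mode uses them), but it is worth stating in the same comment since the runtime-service call path is not visible here.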
8764 diff -urNp linux-2.6.31/arch/x86/kernel/efi_stub_32.S linux-2.6.31/arch/x86/kernel/efi_stub_32.S
8765 --- linux-2.6.31/arch/x86/kernel/efi_stub_32.S 2009-08-27 20:59:04.000000000 -0400
8766 +++ linux-2.6.31/arch/x86/kernel/efi_stub_32.S 2009-09-06 15:29:11.205512344 -0400
8770 #include <linux/linkage.h>
8771 +#include <linux/init.h>
8772 #include <asm/page_types.h>
8776 * service functions will comply with gcc calling convention, too.
8781 ENTRY(efi_call_phys)
8783 * 0. The function can only be called in Linux kernel. So CS has been
8784 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
8785 * The mapping of lower virtual memory has been created in prelog and
8789 - subl $__PAGE_OFFSET, %edx
8791 + jmp 1f-__PAGE_OFFSET
8795 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
8796 * parameter 2, ..., param n. To make things easy, we save the return
8797 * address of efi_call_phys in a global variable.
8800 - movl %edx, saved_return_addr
8801 - /* get the function pointer into ECX*/
8803 - movl %ecx, efi_rt_function_ptr
8805 - subl $__PAGE_OFFSET, %edx
8807 + popl (saved_return_addr)
8808 + popl (efi_rt_function_ptr)
8811 * 3. Clear PG bit in %CR0.
8812 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
8814 * 5. Call the physical function.
8817 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
8821 * 6. After EFI runtime service returns, control will return to
8822 * following instruction. We'd better readjust stack pointer first.
8823 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
8825 orl $0x80000000, %edx
8831 * 8. Now restore the virtual mode from flat mode by
8832 * adding EIP with PAGE_OFFSET.
8836 + jmp 1f+__PAGE_OFFSET
8840 * 9. Balance the stack. And because EAX contain the return value,
8841 * we'd better not clobber it.
8843 - leal efi_rt_function_ptr, %edx
8846 + pushl (efi_rt_function_ptr)
8849 - * 10. Push the saved return address onto the stack and return.
8850 + * 10. Return to the saved return address.
8852 - leal saved_return_addr, %edx
8856 + jmpl *(saved_return_addr)
8857 ENDPROC(efi_call_phys)
8864 efi_rt_function_ptr:
8865 diff -urNp linux-2.6.31/arch/x86/kernel/entry_32.S linux-2.6.31/arch/x86/kernel/entry_32.S
8866 --- linux-2.6.31/arch/x86/kernel/entry_32.S 2009-08-27 20:59:04.000000000 -0400
8867 +++ linux-2.6.31/arch/x86/kernel/entry_32.S 2009-09-06 15:29:11.206296868 -0400
8870 #endif /* CONFIG_X86_32_LAZY_GS */
8873 +.macro __SAVE_ALL _DS
8879 CFI_ADJUST_CFA_OFFSET 4
8880 CFI_REL_OFFSET ebx, 0
8881 - movl $(__USER_DS), %edx
8885 movl $(__KERNEL_PERCPU), %edx
8886 @@ -232,6 +232,21 @@
8891 +#ifdef CONFIG_PAX_KERNEXEC
8892 + __SAVE_ALL __KERNEL_DS
8895 + orl $X86_CR0_WP, %edx;
8898 +#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
8899 + __SAVE_ALL __KERNEL_DS
8901 + __SAVE_ALL __USER_DS
8905 .macro RESTORE_INT_REGS
8907 CFI_ADJUST_CFA_OFFSET -4
8908 @@ -329,6 +344,11 @@ ENTRY(ret_from_fork)
8909 CFI_ADJUST_CFA_OFFSET 4
8911 CFI_ADJUST_CFA_OFFSET -4
8913 +#ifdef CONFIG_PAX_KERNEXEC
8920 @@ -352,7 +372,17 @@ check_userspace:
8921 movb PT_CS(%esp), %al
8922 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
8923 cmpl $USER_RPL, %eax
8925 +#ifdef CONFIG_PAX_KERNEXEC
8926 + jae resume_userspace
8933 jb resume_kernel # not returning to v8086 or userspace
8936 ENTRY(resume_userspace)
8938 @@ -414,10 +444,9 @@ sysenter_past_esp:
8939 /*CFI_REL_OFFSET cs, 0*/
8941 * Push current_thread_info()->sysenter_return to the stack.
8942 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
8943 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
8945 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
8946 + GET_THREAD_INFO(%ebp)
8947 + pushl TI_sysenter_return(%ebp)
8948 CFI_ADJUST_CFA_OFFSET 4
8949 CFI_REL_OFFSET eip, 0
8951 @@ -430,9 +459,19 @@ sysenter_past_esp:
8952 * Load the potential sixth argument from user stack.
8953 * Careful about security.
8955 + movl PT_OLDESP(%esp),%ebp
8957 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8958 + mov PT_OLDSS(%esp),%ds
8959 +1: movl %ds:(%ebp),%ebp
8963 cmpl $__PAGE_OFFSET-3,%ebp
8968 movl %ebp,PT_EBP(%esp)
8969 .section __ex_table,"a"
8971 @@ -455,12 +494,23 @@ sysenter_do_call:
8972 testl $_TIF_ALLWORK_MASK, %ecx
8976 +#ifdef CONFIG_PAX_RANDKSTACK
8978 + CFI_ADJUST_CFA_OFFSET 4
8979 + call pax_randomize_kstack
8981 + CFI_ADJUST_CFA_OFFSET -4
8984 /* if something modifies registers it must also disable sysexit */
8985 movl PT_EIP(%esp), %edx
8986 movl PT_OLDESP(%esp), %ecx
8989 1: mov PT_FS(%esp), %fs
8990 +2: mov PT_DS(%esp), %ds
8991 +3: mov PT_ES(%esp), %es
8993 ENABLE_INTERRUPTS_SYSEXIT
8995 @@ -504,11 +554,17 @@ sysexit_audit:
8998 .pushsection .fixup,"ax"
8999 -2: movl $0,PT_FS(%esp)
9000 +4: movl $0,PT_FS(%esp)
9002 +5: movl $0,PT_DS(%esp)
9004 +6: movl $0,PT_ES(%esp)
9006 .section __ex_table,"a"
9014 ENDPROC(ia32_sysenter_target)
9015 @@ -538,6 +594,10 @@ syscall_exit:
9016 testl $_TIF_ALLWORK_MASK, %ecx # current->work
9017 jne syscall_exit_work
9019 +#ifdef CONFIG_PAX_RANDKSTACK
9020 + call pax_randomize_kstack
9025 restore_all_notrace:
9026 @@ -602,7 +662,13 @@ ldt_ss:
9027 mov PT_OLDESP(%esp), %eax /* load userspace esp */
9028 mov %dx, %ax /* eax: new kernel esp */
9029 sub %eax, %edx /* offset (low word is 0) */
9030 - PER_CPU(gdt_page, %ebx)
9032 + movl PER_CPU_VAR(cpu_number), %ebx
9033 + shll $PAGE_SHIFT_asm, %ebx
9034 + addl $cpu_gdt_table, %ebx
9036 + movl $cpu_gdt_table, %ebx
9039 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
9040 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
9041 @@ -642,25 +708,19 @@ work_resched:
9043 work_notifysig: # deal with pending signals and
9044 # notify-resume requests
9047 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
9049 - jne work_notifysig_v86 # returning to kernel-space or
9050 + jz 1f # returning to kernel-space or
9053 - call do_notify_resume
9054 - jmp resume_userspace_sig
9057 -work_notifysig_v86:
9058 pushl %ecx # save ti_flags for do_notify_resume
9059 CFI_ADJUST_CFA_OFFSET 4
9060 call save_v86_state # %eax contains pt_regs pointer
9062 CFI_ADJUST_CFA_OFFSET -4
9069 call do_notify_resume
9070 @@ -695,6 +755,10 @@ END(syscall_exit_work)
9072 RING0_INT_FRAME # can't unwind into user space anyway
9074 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9078 GET_THREAD_INFO(%ebp)
9079 movl $-EFAULT,PT_EAX(%esp)
9080 jmp resume_userspace
9081 @@ -735,7 +799,13 @@ PTREGSCALL(vm86old)
9082 * normal stack and adjusts ESP with the matching offset.
9084 /* fixup the stack */
9085 - PER_CPU(gdt_page, %ebx)
9087 + movl PER_CPU_VAR(cpu_number), %ebx
9088 + shll $PAGE_SHIFT_asm, %ebx
9089 + addl $cpu_gdt_table, %ebx
9091 + movl $cpu_gdt_table, %ebx
9093 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
9094 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
9096 @@ -1198,7 +1268,6 @@ return_to_handler:
9100 -.section .rodata,"a"
9101 #include "syscall_table_32.S"
9103 syscall_table_size=(.-sys_call_table)
9104 @@ -1250,12 +1319,21 @@ error_code:
9109 +#ifdef CONFIG_PAX_KERNEXEC
9112 + orl $X86_CR0_WP, %edx
9117 movl PT_GS(%esp), %edi # get the function address
9118 movl PT_ORIG_EAX(%esp), %edx # get the error code
9119 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
9122 - movl $(__USER_DS), %ecx
9123 + movl $(__KERNEL_DS), %ecx
9127 @@ -1351,6 +1429,13 @@ nmi_stack_correct:
9128 xorl %edx,%edx # zero error code
9129 movl %esp,%eax # pt_regs pointer
9132 +#ifdef CONFIG_PAX_KERNEXEC
9138 jmp restore_all_notrace
9141 @@ -1391,6 +1476,13 @@ nmi_espfix_stack:
9142 FIXUP_ESPFIX_STACK # %eax == %esp
9143 xorl %edx,%edx # zero error code
9146 +#ifdef CONFIG_PAX_KERNEXEC
9153 lss 12+4(%esp), %esp # back to espfix stack
9154 CFI_ADJUST_CFA_OFFSET -24
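Review bot: The two CONFIG_PAX_RANDKSTACK call sites differ: the sysenter path (8976-8981) wraps `call pax_randomize_kstack` in a push/pop with CFI adjustments (the pushed operand is on a line this rendering drops), while the syscall_exit path (9019-9020) calls it bare. If pax_randomize_kstack takes an argument or clobbers a register the exit sequence relies on, such an asymmetry fails silently; a comment at each site stating the register/stack contract, e.g. `# pax_randomize_kstack clobbers only caller-saved regs; PT_EIP/PT_OLDESP are reloaded below`, would make it explicit. The per-CPU GDT lookup sequence (`movl PER_CPU_VAR(cpu_number), %ebx` / `shll $PAGE_SHIFT_asm, %ebx` / `addl $cpu_gdt_table, %ebx`) is open-coded identically at 9032-9036 and 9087-9091; a small macro would keep the two copies in step with cpu_gdt_table's layout. The enclosing entry sequences start and end outside these hunks.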
9155 diff -urNp linux-2.6.31/arch/x86/kernel/entry_64.S linux-2.6.31/arch/x86/kernel/entry_64.S
9156 --- linux-2.6.31/arch/x86/kernel/entry_64.S 2009-08-27 20:59:04.000000000 -0400
9157 +++ linux-2.6.31/arch/x86/kernel/entry_64.S 2009-09-06 15:29:11.206296868 -0400
9158 @@ -1074,7 +1074,12 @@ ENTRY(\sym)
9160 movq %rsp,%rdi /* pt_regs pointer */
9161 xorl %esi,%esi /* no error code */
9162 - PER_CPU(init_tss, %rbp)
9164 + imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp
9165 + lea init_tss(%rbp), %rbp
9167 + lea init_tss(%rip), %rbp
9169 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
9171 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
9172 diff -urNp linux-2.6.31/arch/x86/kernel/ftrace.c linux-2.6.31/arch/x86/kernel/ftrace.c
9173 --- linux-2.6.31/arch/x86/kernel/ftrace.c 2009-08-27 20:59:04.000000000 -0400
9174 +++ linux-2.6.31/arch/x86/kernel/ftrace.c 2009-09-06 15:29:11.207555331 -0400
9175 @@ -284,9 +284,9 @@ int ftrace_update_ftrace_func(ftrace_fun
9176 unsigned char old[MCOUNT_INSN_SIZE], *new;
9179 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
9180 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
9181 new = ftrace_call_replace(ip, (unsigned long)func);
9182 - ret = ftrace_modify_code(ip, old, new);
9183 + ret = ftrace_modify_code(ktla_ktva(ip), old, new);
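Review bot: At 9180 and 9183 the read and the write are redirected through ktla_ktva(), while `new` at 9181 is still built from the untranslated `ip`; that is correct only if the call displacement has to be computed in the kernel's text-segment (virtual) address space while the byte patching must use the linear address, and nothing in the hunk says so. A comment above 9181 would prevent a well-meaning "fix" that translates `ip` everywhere: `/* new is computed from ip (the displacement is relative to the executing, segment-relative address); the copy and the patch go through ktla_ktva() because the bytes live at the linear address */`. The assignment of `ip` is outside this hunk.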
9187 diff -urNp linux-2.6.31/arch/x86/kernel/head32.c linux-2.6.31/arch/x86/kernel/head32.c
9188 --- linux-2.6.31/arch/x86/kernel/head32.c 2009-08-27 20:59:04.000000000 -0400
9189 +++ linux-2.6.31/arch/x86/kernel/head32.c 2009-09-06 15:29:11.208258154 -0400
9191 #include <asm/e820.h>
9192 #include <asm/bios_ebda.h>
9193 #include <asm/trampoline.h>
9194 +#include <asm/boot.h>
9196 void __init i386_start_kernel(void)
9198 reserve_trampoline_memory();
9200 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
9201 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
9203 #ifdef CONFIG_BLK_DEV_INITRD
9204 /* Reserve INITRD */
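Review bot: `reserve_early(LOAD_PHYSICAL_ADDR, ...)` at 9201 extends the reserved range below _text unconditionally, and the reason lives elsewhere in the patch (head_32.S in this same series places an int3-filled page and a relocated text start ahead of the old _text), so this file alone gives no hint why _text is no longer the right lower bound. Suggest `/* start at LOAD_PHYSICAL_ADDR rather than _text: the image begins below _text in this tree, see head_32.S */` on the call; if the relocation is conditional on a config option, name that option in the comment so the two stay in sync.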
9205 diff -urNp linux-2.6.31/arch/x86/kernel/head_32.S linux-2.6.31/arch/x86/kernel/head_32.S
9206 --- linux-2.6.31/arch/x86/kernel/head_32.S 2009-08-27 20:59:04.000000000 -0400
9207 +++ linux-2.6.31/arch/x86/kernel/head_32.S 2009-09-10 19:30:54.973203235 -0400
9209 #include <asm/setup.h>
9210 #include <asm/processor-flags.h>
9211 #include <asm/percpu.h>
9212 +#include <asm/msr-index.h>
9214 /* Physical address */
9215 #define pa(X) ((X) - __PAGE_OFFSET)
9217 * and small than max_low_pfn, otherwise will waste some page table entries
9220 -#if PTRS_PER_PMD > 1
9221 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
9223 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
9225 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
9227 /* Enough space to fit pagetables for the low memory linear map */
9228 MAPPING_BEYOND_END = \
9229 @@ -73,6 +70,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
9230 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
9233 + * Real beginning of normal "text" segment
9239 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
9240 * %esi points to the real-mode code as a 32-bit pointer.
9241 * CS and DS must be 4 GB flat segments, but we don't depend on
9242 @@ -80,6 +83,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
9245 .section .text.head,"ax",@progbits
9247 +#ifdef CONFIG_PAX_KERNEXEC
9249 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
9250 +.fill PAGE_SIZE-5,1,0xcc
9254 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
9255 us to not reload segments */
9256 @@ -97,6 +107,48 @@ ENTRY(startup_32)
9261 + movl $pa(cpu_gdt_table),%edi
9262 + movl $__per_cpu_load,%eax
9263 + movw %ax,__KERNEL_PERCPU + 2(%edi)
9265 + movb %al,__KERNEL_PERCPU + 4(%edi)
9266 + movb %ah,__KERNEL_PERCPU + 7(%edi)
9267 + movl $__per_cpu_end - 1,%eax
9268 + subl $__per_cpu_load,%eax
9269 + movw %ax,__KERNEL_PERCPU + 0(%edi)
9272 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9273 + movl $NR_CPUS,%ecx
9274 + movl $pa(cpu_gdt_table),%edi
9276 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
9277 + addl $PAGE_SIZE_asm,%edi
9281 +#ifdef CONFIG_PAX_KERNEXEC
9282 + movl $pa(boot_gdt),%edi
9283 + movl $KERNEL_TEXT_OFFSET,%eax
9284 + movw %ax,__BOOT_CS + 2(%edi)
9286 + movb %al,__BOOT_CS + 4(%edi)
9287 + movb %ah,__BOOT_CS + 7(%edi)
9290 + movl $NR_CPUS,%ecx
9291 + movl $pa(cpu_gdt_table),%edi
9293 + movw %ax,__KERNEL_CS + 2(%edi)
9295 + movb %al,__KERNEL_CS + 4(%edi)
9296 + movb %ah,__KERNEL_CS + 7(%edi)
9298 + addl $PAGE_SIZE_asm,%edi
9303 * Clear BSS first so that there are no surprises...
9305 @@ -140,9 +192,7 @@ ENTRY(startup_32)
9306 cmpl $num_subarch_entries, %eax
9309 - movl pa(subarch_entries)(,%eax,4), %eax
9310 - subl $__PAGE_OFFSET, %eax
9312 + jmp *pa(subarch_entries)(,%eax,4)
9316 @@ -154,9 +204,9 @@ WEAK(xen_entry)
9320 - .long default_entry /* normal x86/PC */
9321 - .long lguest_entry /* lguest hypervisor */
9322 - .long xen_entry /* Xen hypervisor */
9323 + .long pa(default_entry) /* normal x86/PC */
9324 + .long pa(lguest_entry) /* lguest hypervisor */
9325 + .long pa(xen_entry) /* Xen hypervisor */
9326 num_subarch_entries = (. - subarch_entries) / 4
9328 #endif /* CONFIG_PARAVIRT */
9329 @@ -217,8 +267,11 @@ default_entry:
9330 movl %eax, pa(max_pfn_mapped)
9332 /* Do early initialization of the fixmap area */
9333 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
9334 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
9335 +#ifdef CONFIG_COMPAT_VDSO
9336 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
9338 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
9342 page_pde_offset = (__PAGE_OFFSET >> 20);
9343 @@ -248,8 +301,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
9344 movl %eax, pa(max_pfn_mapped)
9346 /* Do early initialization of the fixmap area */
9347 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
9348 - movl %eax,pa(swapper_pg_dir+0xffc)
9349 +#ifdef CONFIG_COMPAT_VDSO
9350 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
9352 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
9357 @@ -311,13 +367,16 @@ ENTRY(startup_32_smp)
9360 /* Setup EFER (Extended Feature Enable Register) */
9361 - movl $0xc0000080, %ecx
9362 + movl $MSR_EFER, %ecx
9366 /* Make changes effective */
9369 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
9370 + movl $1,pa(nx_enabled)
9375 @@ -343,9 +402,7 @@ ENTRY(startup_32_smp)
9379 - jz 1f /* Initial CPU cleans BSS */
9382 + jnz checkCPUtype /* Initial CPU cleans BSS */
9383 #endif /* CONFIG_SMP */
9386 @@ -423,7 +480,7 @@ is386: movl $2,%ecx # set MP
9387 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
9388 movl %eax,%ss # after changing gdt.
9390 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
9391 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
9395 @@ -437,8 +494,11 @@ is386: movl $2,%ecx # set MP
9399 - movl $per_cpu__gdt_page,%eax
9400 + movl $cpu_gdt_table,%eax
9401 movl $per_cpu__stack_canary,%ecx
9403 + addl $__per_cpu_load,%ecx
9405 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
9407 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
9408 @@ -457,10 +517,6 @@ is386: movl $2,%ecx # set MP
9412 - cmpb $0,%cl # the first CPU calls start_kernel
9414 - movl (stack_start), %esp
9416 #endif /* CONFIG_SMP */
9419 @@ -546,22 +602,22 @@ early_page_fault:
9424 #ifdef CONFIG_PRINTK
9425 + cmpl $1,%ss:early_recursion_flag
9427 + incl %ss:early_recursion_flag
9430 movl $(__KERNEL_DS),%eax
9433 - cmpl $2,early_recursion_flag
9435 - incl early_recursion_flag
9438 pushl %edx /* trapno */
9447 @@ -569,8 +625,11 @@ hlt_loop:
9448 /* This is the default interrupt "handler" :-) */
9452 #ifdef CONFIG_PRINTK
9453 + cmpl $2,%ss:early_recursion_flag
9455 + incl %ss:early_recursion_flag
9460 @@ -579,9 +638,6 @@ ignore_int:
9461 movl $(__KERNEL_DS),%eax
9464 - cmpl $2,early_recursion_flag
9466 - incl early_recursion_flag
9470 @@ -608,27 +664,37 @@ ENTRY(initial_code)
9474 -.section ".bss.page_aligned","wa"
9475 - .align PAGE_SIZE_asm
9476 #ifdef CONFIG_X86_PAE
9477 +.section .swapper_pg_pmd,"a",@progbits
9479 .fill 1024*KPMDS,4,0
9481 +.section .swapper_pg_dir,"a",@progbits
9482 ENTRY(swapper_pg_dir)
9489 +.section .empty_zero_page,"a",@progbits
9490 ENTRY(empty_zero_page)
9494 + * The IDT has to be page-aligned to simplify the Pentium
9495 + * F0 0F bug workaround.. We have a special link segment
9498 +.section .idt,"a",@progbits
9503 * This starts the data section.
9505 #ifdef CONFIG_X86_PAE
9506 -.section ".data.page_aligned","wa"
9507 - /* Page-aligned for the benefit of paravirt? */
9508 - .align PAGE_SIZE_asm
9509 +.section .swapper_pg_dir,"a",@progbits
9510 ENTRY(swapper_pg_dir)
9511 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
9513 @@ -651,11 +717,12 @@ ENTRY(swapper_pg_dir)
9517 - .long init_thread_union+THREAD_SIZE
9518 + .long init_thread_union+THREAD_SIZE-8
9523 +.section .rodata,"a",@progbits
9524 early_recursion_flag:
9527 @@ -691,7 +758,7 @@ fault_msg:
9528 .word 0 # 32 bit align gdt_desc.address
9531 - .long boot_gdt - __PAGE_OFFSET
9532 + .long pa(boot_gdt)
9534 .word 0 # 32-bit align idt_desc.address
9536 @@ -702,7 +769,7 @@ idt_descr:
9537 .word 0 # 32 bit align gdt_desc.address
9538 ENTRY(early_gdt_descr)
9539 .word GDT_ENTRIES*8-1
9540 - .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
9541 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
9544 * The boot_gdt must mirror the equivalent in setup.S and is
9545 @@ -711,5 +778,59 @@ ENTRY(early_gdt_descr)
9546 .align L1_CACHE_BYTES
9548 .fill GDT_ENTRY_BOOT_CS,8,0
9549 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
9550 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
9551 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
9552 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
9554 + .align PAGE_SIZE_asm
9555 +ENTRY(cpu_gdt_table)
9557 + .quad 0x0000000000000000 /* NULL descriptor */
9558 + .quad 0x0000000000000000 /* 0x0b reserved */
9559 + .quad 0x0000000000000000 /* 0x13 reserved */
9560 + .quad 0x0000000000000000 /* 0x1b reserved */
9561 + .quad 0x0000000000000000 /* 0x20 unused */
9562 + .quad 0x0000000000000000 /* 0x28 unused */
9563 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
9564 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
9565 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
9566 + .quad 0x0000000000000000 /* 0x4b reserved */
9567 + .quad 0x0000000000000000 /* 0x53 reserved */
9568 + .quad 0x0000000000000000 /* 0x5b reserved */
9570 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
9571 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
9572 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
9573 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
9575 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
9576 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
9579 + * Segments used for calling PnP BIOS have byte granularity.
9580 + * The code segments and data segments have fixed 64k limits,
9581 + * the transfer segment sizes are set at run time.
9583 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
9584 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
9585 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
9586 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
9587 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
9590 + * The APM segments have byte granularity and their bases
9591 + * are set at run time. All have 64k limits.
9593 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
9594 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
9595 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
9597 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
9598 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
9599 + .quad 0x0040930000000018 /* 0xe0 - STACK_CANARY */
9600 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
9601 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
9602 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
9604 + /* Be sure this is zeroed to avoid false validations in Xen */
9605 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
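Review bot: early_recursion_flag is placed in `.rodata` (9523-9524) yet incremented at 9427 and 9455 (`incl %ss:early_recursion_flag`); that works only while .rodata is still writable, and if this patch or a later mark_rodata_ro() write-protects .rodata while early_page_fault/ignore_int are still installed, the increment itself faults and the recursion guard becomes the recursion. Either move the flag to `.data`, or add a comment at 9523 stating the invariant, `# written only during early boot; these handlers are replaced before .rodata is write-protected`. Separately, the GDT descriptors now have the accessed bit preset (0x9b/0x93 instead of 0x9a/0x92 at 9551-9552 and throughout cpu_gdt_table), presumably so the CPU never has to write a read-only GDT — that deserves one comment on the table — and the UDEREF loop at 9272-9277 derives an expand-down kernel DS limit from the magic constant `0x00c09700`, which needs a line explaining the limit/type encoding (several lines of that loop are missing from this rendering).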
9607 diff -urNp linux-2.6.31/arch/x86/kernel/head_64.S linux-2.6.31/arch/x86/kernel/head_64.S
9608 --- linux-2.6.31/arch/x86/kernel/head_64.S 2009-08-27 20:59:04.000000000 -0400
9609 +++ linux-2.6.31/arch/x86/kernel/head_64.S 2009-09-06 15:30:00.014344371 -0400
9610 @@ -38,6 +38,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
9611 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
9612 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
9613 L3_START_KERNEL = pud_index(__START_KERNEL_map)
9614 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
9615 +L3_VMALLOC_START = pud_index(VMALLOC_START)
9616 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
9617 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
9621 @@ -85,35 +89,22 @@ startup_64:
9623 addq %rbp, init_level4_pgt + 0(%rip)
9624 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
9625 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
9626 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
9627 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
9629 addq %rbp, level3_ident_pgt + 0(%rip)
9630 + addq %rbp, level3_ident_pgt + 8(%rip)
9631 + addq %rbp, level3_ident_pgt + 16(%rip)
9632 + addq %rbp, level3_ident_pgt + 24(%rip)
9634 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
9635 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
9636 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
9638 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
9639 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
9640 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
9642 - /* Add an Identity mapping if I am above 1G */
9643 - leaq _text(%rip), %rdi
9644 - andq $PMD_PAGE_MASK, %rdi
9647 - shrq $PUD_SHIFT, %rax
9648 - andq $(PTRS_PER_PUD - 1), %rax
9651 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
9652 - leaq level3_ident_pgt(%rip), %rbx
9653 - movq %rdx, 0(%rbx, %rax, 8)
9656 - shrq $PMD_SHIFT, %rax
9657 - andq $(PTRS_PER_PMD - 1), %rax
9658 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
9659 - leaq level2_spare_pgt(%rip), %rbx
9660 - movq %rdx, 0(%rbx, %rax, 8)
9662 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
9663 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
9666 * Fixup the kernel text+data virtual addresses. Note that
9667 @@ -187,6 +178,10 @@ ENTRY(secondary_startup_64)
9668 btl $20,%edi /* No Execute supported? */
9670 btsl $_EFER_NX, %eax
9671 + leaq init_level4_pgt(%rip), %rdi
9672 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
9673 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
9674 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
9675 1: wrmsr /* Make changes effective */
9678 @@ -262,16 +257,16 @@ ENTRY(secondary_startup_64)
9679 .quad x86_64_start_kernel
9681 .quad INIT_PER_CPU_VAR(irq_stack_union)
9685 .quad init_thread_union+THREAD_SIZE-8
9692 - .section ".init.text","ax"
9694 #ifdef CONFIG_EARLY_PRINTK
9695 .globl early_idt_handlers
9697 @@ -316,18 +311,23 @@ ENTRY(early_idt_handler)
9698 #endif /* EARLY_PRINTK */
9703 #ifdef CONFIG_EARLY_PRINTK
9705 early_recursion_flag:
9709 + .section .rodata,"a",@progbits
9711 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
9714 -#endif /* CONFIG_EARLY_PRINTK */
9716 +#endif /* CONFIG_EARLY_PRINTK */
9718 + .section .rodata,"a",@progbits
9719 #define NEXT_PAGE(name) \
9720 .balign PAGE_SIZE; \
9722 @@ -350,13 +350,27 @@ NEXT_PAGE(init_level4_pgt)
9723 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
9724 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
9725 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
9726 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
9727 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
9728 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
9729 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
9730 .org init_level4_pgt + L4_START_KERNEL*8, 0
9731 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
9732 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
9734 NEXT_PAGE(level3_ident_pgt)
9735 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
9737 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
9738 + .quad level2_ident_pgt + 2*PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
9739 + .quad level2_ident_pgt + 3*PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
9742 +NEXT_PAGE(level3_vmalloc_pgt)
9745 +NEXT_PAGE(level3_vmemmap_pgt)
9746 + .fill L3_VMEMMAP_START,8,0
9747 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
9749 NEXT_PAGE(level3_kernel_pgt)
9750 .fill L3_START_KERNEL,8,0
9751 @@ -364,20 +378,23 @@ NEXT_PAGE(level3_kernel_pgt)
9752 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
9753 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
9755 +NEXT_PAGE(level2_vmemmap_pgt)
9758 NEXT_PAGE(level2_fixmap_pgt)
9760 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
9761 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
9764 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
9765 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
9768 -NEXT_PAGE(level1_fixmap_pgt)
9769 +NEXT_PAGE(level1_vsyscall_pgt)
9772 -NEXT_PAGE(level2_ident_pgt)
9773 - /* Since I easily can, map the first 1G.
9774 + /* Since I easily can, map the first 4G.
9775 * Don't set NX because code runs from these pages.
9777 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
9778 +NEXT_PAGE(level2_ident_pgt)
9779 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 4*PTRS_PER_PMD)
9781 NEXT_PAGE(level2_kernel_pgt)
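Review bot: `PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 4*PTRS_PER_PMD)` now emits four consecutive PMD pages under the single `level2_ident_pgt` label, and the earlier hunk's `level3_ident_pgt` entries (`level2_ident_pgt + PAGE_SIZE`, `+ 2*PAGE_SIZE`, `+ 3*PAGE_SIZE`) plus the `level3_ident_pgt + 8/16/24` relocation fixups in startup_64 all depend on that contiguity and on the count staying four. None of the three sites says so; a comment at the PMDS line such as `/* 4 contiguous pages: indexed as level2_ident_pgt + n*PAGE_SIZE from level3_ident_pgt and relocated one by one in startup_64 */` ties them together. Better still, the count would be one assembler symbol (say `L2_IDENT_PAGES`, a constructed name) used by all three sites, so the "4G" comment is not the only place the size appears.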
9783 @@ -390,33 +407,49 @@ NEXT_PAGE(level2_kernel_pgt)
9784 * If you want to increase this then increase MODULES_VADDR
9787 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
9788 - KERNEL_IMAGE_SIZE/PMD_SIZE)
9790 -NEXT_PAGE(level2_spare_pgt)
9792 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
9799 +ENTRY(cpu_gdt_table)
9801 + .quad 0x0000000000000000 /* NULL descriptor */
9802 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
9803 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
9804 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
9805 + .quad 0x00cffb000000ffff /* __USER32_CS */
9806 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
9807 + .quad 0x00affb000000ffff /* __USER_CS */
9808 + .quad 0x0 /* unused */
9809 + .quad 0,0 /* TSS */
9810 + .quad 0,0 /* LDT */
9811 + .quad 0,0,0 /* three TLS descriptors */
9812 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
9813 + /* asm/segment.h:GDT_ENTRIES must match this */
9815 + /* zero the remaining page */
9816 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
9820 .globl early_gdt_descr
9822 .word GDT_ENTRIES*8-1
9823 early_gdt_descr_base:
9824 - .quad INIT_PER_CPU_VAR(gdt_page)
9825 + .quad cpu_gdt_table
9828 /* This must match the first entry in level2_kernel_pgt */
9829 .quad 0x0000000000000000
9831 #include "../../x86/xen/xen-head.S"
9833 - .section .bss, "aw", @nobits
9835 + .section .rodata,"a",@progbits
9836 .align L1_CACHE_BYTES
9838 - .skip IDT_ENTRIES * 16
9841 .section .bss.page_aligned, "aw", @nobits
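Review bot: `/* asm/segment.h:GDT_ENTRIES must match this */` documents an invariant the assembler is never asked to enforce; a `.org cpu_gdt_table + GDT_ENTRIES*8` placed just before `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` makes gas fail with "attempt to move .org backwards" if an entry is ever added above it, and merely pads if one is dropped, after which the existing fill still keeps the page exact. A second point is the section: the table now lives in `.rodata` (the `.section .rodata,"a",@progbits` earlier in this file), yet `ltr` writes the busy bit into the TSS descriptor slot (`.quad 0,0 /* TSS */`), so either the page is still writable when TR is loaded or that write goes through the same open/close path this series uses elsewhere; a comment at the TSS slot naming which would save the next reader the question. The same remark applies to the IDT moved from `.bss` to `.rodata` at the bottom of this hunk, where `.skip IDT_ENTRIES * 16` is removed without a visible replacement.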
9843 diff -urNp linux-2.6.31/arch/x86/kernel/i386_ksyms_32.c linux-2.6.31/arch/x86/kernel/i386_ksyms_32.c
9844 --- linux-2.6.31/arch/x86/kernel/i386_ksyms_32.c 2009-08-27 20:59:04.000000000 -0400
9845 +++ linux-2.6.31/arch/x86/kernel/i386_ksyms_32.c 2009-09-06 15:29:11.209316692 -0400
9847 EXPORT_SYMBOL(mcount);
9850 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
9852 /* Networking helper routines. */
9853 EXPORT_SYMBOL(csum_partial_copy_generic);
9854 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
9855 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
9857 EXPORT_SYMBOL(__get_user_1);
9858 EXPORT_SYMBOL(__get_user_2);
9859 @@ -26,3 +30,7 @@ EXPORT_SYMBOL(strstr);
9861 EXPORT_SYMBOL(csum_partial);
9862 EXPORT_SYMBOL(empty_zero_page);
9864 +#ifdef CONFIG_PAX_KERNEXEC
9865 +EXPORT_SYMBOL(KERNEL_TEXT_OFFSET);
9867 diff -urNp linux-2.6.31/arch/x86/kernel/init_task.c linux-2.6.31/arch/x86/kernel/init_task.c
9868 --- linux-2.6.31/arch/x86/kernel/init_task.c 2009-08-27 20:59:04.000000000 -0400
9869 +++ linux-2.6.31/arch/x86/kernel/init_task.c 2009-09-06 15:29:11.209316692 -0400
9870 @@ -39,5 +39,5 @@ EXPORT_SYMBOL(init_task);
9871 * section. Since TSS's are completely CPU-local, we want them
9872 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
9874 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
9876 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
9877 +EXPORT_SYMBOL(init_tss);
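Review bot: `struct tss_struct init_tss[NR_CPUS]` reserves NR_CPUS copies of the TSS in the image at build time (the I/O bitmap alone is about 8 KiB per copy), whereas the `DEFINE_PER_CPU_SHARED_ALIGNED` it replaces was instantiated only for possible CPUs; on a distribution NR_CPUS that is a sizeable fixed cost and deserves a comment stating why a link-time array is required here (presumably so the read-only GDT built in head_64.S can refer to it). `EXPORT_SYMBOL(init_tss)` exports the table to any module, while the replaced definition carried no visible export in this hunk; `EXPORT_SYMBOL_GPL` would at least match the `cpu_gdt_table` export in i386_ksyms_32.c. The `[0 ... NR_CPUS-1] = INIT_TSS` range initializer is a GCC extension, which this tree already relies on.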
9878 diff -urNp linux-2.6.31/arch/x86/kernel/ioport.c linux-2.6.31/arch/x86/kernel/ioport.c
9879 --- linux-2.6.31/arch/x86/kernel/ioport.c 2009-08-27 20:59:04.000000000 -0400
9880 +++ linux-2.6.31/arch/x86/kernel/ioport.c 2009-09-06 15:29:11.210412651 -0400
9882 #include <linux/sched.h>
9883 #include <linux/kernel.h>
9884 #include <linux/capability.h>
9885 +#include <linux/security.h>
9886 #include <linux/errno.h>
9887 #include <linux/types.h>
9888 #include <linux/ioport.h>
9889 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
9891 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
9893 +#ifdef CONFIG_GRKERNSEC_IO
9895 + gr_handle_ioperm();
9899 if (turn_on && !capable(CAP_SYS_RAWIO))
9902 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
9903 * because the ->io_bitmap_max value must match the bitmap
9906 - tss = &per_cpu(init_tss, get_cpu());
9907 + tss = init_tss + get_cpu();
9909 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
9911 @@ -111,8 +118,13 @@ static int do_iopl(unsigned int level, s
9913 /* Trying to gain more privileges? */
9915 +#ifdef CONFIG_GRKERNSEC_IO
9919 if (!capable(CAP_SYS_RAWIO))
9923 regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
9925 diff -urNp linux-2.6.31/arch/x86/kernel/irq_32.c linux-2.6.31/arch/x86/kernel/irq_32.c
9926 --- linux-2.6.31/arch/x86/kernel/irq_32.c 2009-08-27 20:59:04.000000000 -0400
9927 +++ linux-2.6.31/arch/x86/kernel/irq_32.c 2009-09-06 15:29:11.210412651 -0400
9928 @@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
9931 /* build the stack frame on the IRQ stack */
9932 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
9933 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
9934 irqctx->tinfo.task = curctx->tinfo.task;
9935 irqctx->tinfo.previous_esp = current_stack_pointer;
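Review bot: The `- 8` in `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);` is an unexplained magic number, and the same reservation of the top 8 bytes of a stack recurs in the do_softirq hunk below, in copy_thread in process_32.c (`THREAD_SIZE - sizeof(struct pt_regs) - 8`) and in the get_wchan bounds in process_64.c (`THREAD_SIZE-8-sizeof(u64)`). One named constant with a comment stating what the reserved bytes are for, used at all four sites, would keep them from drifting apart; as written, a future change to any one of them silently desynchronises the others. execute_on_irq_stack continues outside this hunk.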
9937 @@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
9938 irqctx->tinfo.previous_esp = current_stack_pointer;
9940 /* build the stack frame on the softirq stack */
9941 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
9942 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
9944 call_on_stack(__do_softirq, isp);
9946 diff -urNp linux-2.6.31/arch/x86/kernel/kprobes.c linux-2.6.31/arch/x86/kernel/kprobes.c
9947 --- linux-2.6.31/arch/x86/kernel/kprobes.c 2009-08-27 20:59:04.000000000 -0400
9948 +++ linux-2.6.31/arch/x86/kernel/kprobes.c 2009-09-06 15:29:11.210412651 -0400
9949 @@ -166,9 +166,24 @@ static void __kprobes set_jmp_op(void *f
9952 } __attribute__((packed)) * jop;
9953 - jop = (struct __arch_jmp_op *)from;
9955 +#ifdef CONFIG_PAX_KERNEXEC
9956 + unsigned long cr0;
9959 + jop = (struct __arch_jmp_op *)(ktla_ktva(from));
9961 +#ifdef CONFIG_PAX_KERNEXEC
9962 + pax_open_kernel(cr0);
9965 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
9966 jop->op = RELATIVEJUMP_INSTRUCTION;
9968 +#ifdef CONFIG_PAX_KERNEXEC
9969 + pax_close_kernel(cr0);
9975 @@ -345,16 +360,29 @@ static void __kprobes fix_riprel(struct
9977 static void __kprobes arch_copy_kprobe(struct kprobe *p)
9979 - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
9981 +#ifdef CONFIG_PAX_KERNEXEC
9982 + unsigned long cr0;
9985 +#ifdef CONFIG_PAX_KERNEXEC
9986 + pax_open_kernel(cr0);
9989 + memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
9991 +#ifdef CONFIG_PAX_KERNEXEC
9992 + pax_close_kernel(cr0);
9997 - if (can_boost(p->addr))
9998 + if (can_boost(ktla_ktva(p->addr)))
9999 p->ainsn.boostable = 0;
10001 p->ainsn.boostable = -1;
10003 - p->opcode = *p->addr;
10004 + p->opcode = *(ktla_ktva(p->addr));
10007 int __kprobes arch_prepare_kprobe(struct kprobe *p)
10008 @@ -432,7 +460,7 @@ static void __kprobes prepare_singlestep
10009 if (p->opcode == BREAKPOINT_INSTRUCTION)
10010 regs->ip = (unsigned long)p->addr;
10012 - regs->ip = (unsigned long)p->ainsn.insn;
10013 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
10016 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
10017 @@ -453,7 +481,7 @@ static void __kprobes setup_singlestep(s
10018 if (p->ainsn.boostable == 1 && !p->post_handler) {
10019 /* Boost up -- we can execute copied instructions directly */
10020 reset_current_kprobe();
10021 - regs->ip = (unsigned long)p->ainsn.insn;
10022 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
10023 preempt_enable_no_resched();
10026 @@ -523,7 +551,7 @@ static int __kprobes kprobe_handler(stru
10027 struct kprobe_ctlblk *kcb;
10029 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
10030 - if (*addr != BREAKPOINT_INSTRUCTION) {
10031 + if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
10033 * The breakpoint instruction was removed right
10034 * after we hit it. Another cpu has removed
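Review bot: `*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr)` casts a typed pointer to an integer and back around the translation, while every other site in this file passes the pointer straight through (`ktla_ktva(p->addr)`, `*(ktla_ktva(p->addr))`, `can_boost(ktla_ktva(p->addr))`), which suggests the macro preserves its argument's type. If so, `if (*ktla_ktva(addr) != BREAKPOINT_INSTRUCTION) {` is equivalent and far easier to read; if the macro does require an integer, the other sites are the ones to fix. kprobe_handler continues outside this hunk.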
10035 @@ -775,7 +803,7 @@ static void __kprobes resume_execution(s
10036 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
10038 unsigned long *tos = stack_addr(regs);
10039 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
10040 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
10041 unsigned long orig_ip = (unsigned long)p->addr;
10042 kprobe_opcode_t *insn = p->ainsn.insn;
10044 @@ -958,7 +986,7 @@ int __kprobes kprobe_exceptions_notify(s
10045 struct die_args *args = data;
10046 int ret = NOTIFY_DONE;
10048 - if (args->regs && user_mode_vm(args->regs))
10049 + if (args->regs && user_mode(args->regs))
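Review bot: `user_mode(args->regs)` replaces `user_mode_vm()`, which in the 2.6.31 tree additionally treats a VM86 frame (`X86_VM_MASK` set in flags) as user mode; unless this series also redefines `user_mode()` to cover VM86 (not visible in this chunk), exceptions taken in vm86 tasks are now classified as kernel mode here. The same substitution appears in `__show_regs` in process_32.c and in `send_sigtrap` in ptrace.c, where it would turn a vm86 task's `si_addr` into NULL. A one-line comment at this first site naming the redefinition that makes the change safe would settle the question for all three.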
10053 diff -urNp linux-2.6.31/arch/x86/kernel/ldt.c linux-2.6.31/arch/x86/kernel/ldt.c
10054 --- linux-2.6.31/arch/x86/kernel/ldt.c 2009-08-27 20:59:04.000000000 -0400
10055 +++ linux-2.6.31/arch/x86/kernel/ldt.c 2009-09-06 15:29:11.211514562 -0400
10056 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
10061 + load_LDT_nolock(pc);
10062 if (!cpus_equal(current->mm->cpu_vm_mask,
10063 cpumask_of_cpu(smp_processor_id())))
10064 smp_call_function(flush_ldt, current->mm, 1);
10068 + load_LDT_nolock(pc);
10072 @@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
10075 for (i = 0; i < old->size; i++)
10076 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
10077 + write_ldt_entry(new->ldt, i, old->ldt + i);
10081 @@ -115,6 +115,24 @@ int init_new_context(struct task_struct
10082 retval = copy_ldt(&mm->context, &old_mm->context);
10083 mutex_unlock(&old_mm->context.lock);
10086 + if (tsk == current) {
10087 + mm->context.vdso = ~0UL;
10089 +#ifdef CONFIG_X86_32
10090 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10091 + mm->context.user_cs_base = 0UL;
10092 + mm->context.user_cs_limit = ~0UL;
10094 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10095 + cpus_clear(mm->context.cpu_user_cs_mask);
10106 @@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
10110 +#ifdef CONFIG_PAX_SEGMEXEC
10111 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
10117 fill_ldt(&ldt, &ldt_info);
10120 diff -urNp linux-2.6.31/arch/x86/kernel/machine_kexec_32.c linux-2.6.31/arch/x86/kernel/machine_kexec_32.c
10121 --- linux-2.6.31/arch/x86/kernel/machine_kexec_32.c 2009-08-27 20:59:04.000000000 -0400
10122 +++ linux-2.6.31/arch/x86/kernel/machine_kexec_32.c 2009-09-06 15:29:11.212155993 -0400
10124 #include <asm/system.h>
10125 #include <asm/cacheflush.h>
10127 -static void set_idt(void *newidt, __u16 limit)
10128 +static void set_idt(struct desc_struct *newidt, __u16 limit)
10130 struct desc_ptr curidt;
10132 @@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16
10136 -static void set_gdt(void *newgdt, __u16 limit)
10137 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
10139 struct desc_ptr curgdt;
10141 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
10144 control_page = page_address(image->control_code_page);
10145 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
10146 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
10148 relocate_kernel_ptr = control_page;
10149 page_list[PA_CONTROL_PAGE] = __pa(control_page);
10150 diff -urNp linux-2.6.31/arch/x86/kernel/module.c linux-2.6.31/arch/x86/kernel/module.c
10151 --- linux-2.6.31/arch/x86/kernel/module.c 2009-08-27 20:59:04.000000000 -0400
10152 +++ linux-2.6.31/arch/x86/kernel/module.c 2009-09-06 15:29:11.212155993 -0400
10154 #include <asm/system.h>
10155 #include <asm/page.h>
10156 #include <asm/pgtable.h>
10157 +#include <asm/desc.h>
10160 #define DEBUGP printk
10162 #define DEBUGP(fmt...)
10165 -void *module_alloc(unsigned long size)
10166 +static void *__module_alloc(unsigned long size, pgprot_t prot)
10168 struct vm_struct *area;
10170 @@ -48,9 +49,92 @@ void *module_alloc(unsigned long size)
10174 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
10175 - PAGE_KERNEL_EXEC);
10176 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
10179 +#ifdef CONFIG_PAX_KERNEXEC
10180 +#ifdef CONFIG_X86_32
10181 +void *module_alloc(unsigned long size)
10183 + return __module_alloc(size, PAGE_KERNEL);
10186 +void *module_alloc_exec(unsigned long size)
10188 + struct vm_struct *area;
10193 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
10195 + return area->addr;
10199 +EXPORT_SYMBOL(module_alloc_exec);
10201 +void module_free_exec(struct module *mod, void *module_region)
10203 + struct vm_struct **p, *tmp;
10205 + if (!module_region)
10208 + if ((PAGE_SIZE-1) & (unsigned long)module_region) {
10209 + printk(KERN_ERR "Trying to module_free_exec() bad address (%p)\n", module_region);
10214 + write_lock(&vmlist_lock);
10215 + for (p = &vmlist; (tmp = *p) != NULL; p = &tmp->next)
10216 + if (tmp->addr == module_region)
10220 + unsigned long cr0;
10222 + pax_open_kernel(cr0);
10223 + memset(tmp->addr, 0xCC, tmp->size);
10224 + pax_close_kernel(cr0);
10229 + write_unlock(&vmlist_lock);
10232 + printk(KERN_ERR "Trying to module_free_exec() nonexistent vm area (%p)\n",
10237 +EXPORT_SYMBOL(module_free_exec);
10239 +void *module_alloc(unsigned long size)
10241 + return __module_alloc(size, PAGE_KERNEL);
10244 +void module_free_exec(struct module *mod, void *module_region)
10246 + module_free(mod, module_region);
10248 +EXPORT_SYMBOL(module_free_exec);
10250 +void *module_alloc_exec(unsigned long size)
10252 + return __module_alloc(size, PAGE_KERNEL_RX);
10254 +EXPORT_SYMBOL(module_alloc_exec);
10257 +void *module_alloc(unsigned long size)
10259 + return __module_alloc(size, PAGE_KERNEL_EXEC);
10263 /* Free memory returned from module_alloc */
10264 void module_free(struct module *mod, void *module_region)
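Review bot: `memset(tmp->addr, 0xCC, tmp->size)` in module_free_exec has no comment; 0xCC is the x86 `int3` opcode, so the intent is that a stale pointer into a freed executable region traps instead of executing leftover bytes, and that is worth writing down, e.g. `/* fill with int3 so dangling references into freed module text trap instead of running stale code */`. The `__GFP_ZERO` added to the `__vmalloc_area` call is in the same spirit and deserves the same one line. In module_alloc_exec the line between `area = __get_vm_area(...)` and `return area->addr;` is not shown, so I cannot tell whether a NULL `area` is handled; if it is not, `if (!area) return NULL;` is needed before the dereference. module_free_exec's found-path unlock and its tail also fall outside the visible lines.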
10265 @@ -77,14 +161,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
10267 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
10269 - uint32_t *location;
10270 + uint32_t *plocation, location;
10272 +#ifdef CONFIG_PAX_KERNEXEC
10273 + unsigned long cr0;
10276 DEBUGP("Applying relocate section %u to %u\n", relsec,
10277 sechdrs[relsec].sh_info);
10278 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
10279 /* This is where to make the change */
10280 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
10281 - + rel[i].r_offset;
10282 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
10283 + location = (uint32_t)plocation;
10284 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
10285 + plocation = ktla_ktva((void *)plocation);
10286 /* This is the symbol it is referring to. Note that all
10287 undefined symbols have been resolved. */
10288 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
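Review bot: The order of the three new statements is load-bearing and unexplained: `location = (uint32_t)plocation;` snapshots the linked address before `plocation` is redirected through `ktla_ktva()` for executable sections, and the R_386_PC32 case in the next hunk uses that snapshot (`sym->st_value - location`) so the displacement is computed against where the code will actually run rather than against the translated (presumably writable) alias. A comment at the snapshot, e.g. `/* PC-relative relocations must use the original execution address, not the translated alias assigned below */`, prevents someone from folding the two variables back into one. Holding a pointer in `uint32_t` is correct for this 32-bit file, but `unsigned long` would read as intent rather than coincidence. apply_relocate continues outside this hunk.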
10289 @@ -93,11 +183,31 @@ int apply_relocate(Elf32_Shdr *sechdrs,
10290 switch (ELF32_R_TYPE(rel[i].r_info)) {
10292 /* We add the value into the location given */
10293 - *location += sym->st_value;
10295 +#ifdef CONFIG_PAX_KERNEXEC
10296 + pax_open_kernel(cr0);
10299 + *plocation += sym->st_value;
10301 +#ifdef CONFIG_PAX_KERNEXEC
10302 + pax_close_kernel(cr0);
10307 /* Add the value, subtract its postition */
10308 - *location += sym->st_value - (uint32_t)location;
10310 +#ifdef CONFIG_PAX_KERNEXEC
10311 + pax_open_kernel(cr0);
10314 + *plocation += sym->st_value - location;
10316 +#ifdef CONFIG_PAX_KERNEXEC
10317 + pax_close_kernel(cr0);
10322 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
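Review bot: Each relocation case now carries the same six-line `#ifdef CONFIG_PAX_KERNEXEC` / `pax_open_kernel(cr0)` / `#endif` … `pax_close_kernel(cr0)` bracket around a single store, and the apply_relocate_add hunk below repeats it four more times; that is a lot of preprocessor for one idea and makes an unmatched open easy to miss in review. A pair of file-local helpers that expand to the open/close when KERNEXEC is on and to nothing otherwise, or a single open before the `for` loop and close after it, would remove the duplication; the per-store bracket does keep the writable window smallest, so if that is the deliberate choice a comment saying so at the first bracket is enough. The `unsigned long cr0;` declarations are likewise only under `#ifdef`, so any future path that forgets the guard breaks the non-KERNEXEC build, which is one more reason to prefer helpers.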
10323 @@ -131,6 +241,10 @@ int apply_relocate_add(Elf64_Shdr *sechd
10327 +#ifdef CONFIG_PAX_KERNEXEC
10328 + unsigned long cr0;
10331 DEBUGP("Applying relocate section %u to %u\n", relsec,
10332 sechdrs[relsec].sh_info);
10333 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
10334 @@ -153,21 +267,61 @@ int apply_relocate_add(Elf64_Shdr *sechd
10335 case R_X86_64_NONE:
10339 +#ifdef CONFIG_PAX_KERNEXEC
10340 + pax_open_kernel(cr0);
10345 +#ifdef CONFIG_PAX_KERNEXEC
10346 + pax_close_kernel(cr0);
10352 +#ifdef CONFIG_PAX_KERNEXEC
10353 + pax_open_kernel(cr0);
10358 +#ifdef CONFIG_PAX_KERNEXEC
10359 + pax_close_kernel(cr0);
10362 if (val != *(u32 *)loc)
10367 +#ifdef CONFIG_PAX_KERNEXEC
10368 + pax_open_kernel(cr0);
10373 +#ifdef CONFIG_PAX_KERNEXEC
10374 + pax_close_kernel(cr0);
10377 if ((s64)val != *(s32 *)loc)
10380 case R_X86_64_PC32:
10383 +#ifdef CONFIG_PAX_KERNEXEC
10384 + pax_open_kernel(cr0);
10389 +#ifdef CONFIG_PAX_KERNEXEC
10390 + pax_close_kernel(cr0);
10394 if ((s64)val != *(s32 *)loc)
10396 diff -urNp linux-2.6.31/arch/x86/kernel/paravirt.c linux-2.6.31/arch/x86/kernel/paravirt.c
10397 --- linux-2.6.31/arch/x86/kernel/paravirt.c 2009-08-27 20:59:04.000000000 -0400
10398 +++ linux-2.6.31/arch/x86/kernel/paravirt.c 2009-09-12 09:57:24.321023944 -0400
10399 @@ -54,7 +54,7 @@ u64 _paravirt_ident_64(u64 x)
10403 -static void __init default_banner(void)
10404 +static void default_banner(void)
10406 printk(KERN_INFO "Booting paravirtualized kernel on %s\n",
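Review bot: `default_banner` loses its `__init` annotation with nothing in the hunk saying why; since a later hunk makes `pv_init_ops`, which holds `.banner = default_banner`, `__read_only`, the likely reason is that a non-init read-only object may no longer point into `.init.text` without a section-mismatch warning or a dangling pointer once init memory is freed, but that is inference. A comment such as `/* not __init: referenced from the read-only pv_init_ops, which outlives init */` at the definition would make the change self-explanatory and stop a later cleanup from re-adding the attribute.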
10408 @@ -183,7 +183,7 @@ unsigned paravirt_patch_insns(void *insn
10409 if (insn_len > len || start == NULL)
10412 - memcpy(insnbuf, start, insn_len);
10413 + memcpy(insnbuf, ktla_ktva(start), insn_len);
10417 @@ -311,21 +311,21 @@ void arch_flush_lazy_mmu_mode(void)
10421 -struct pv_info pv_info = {
10422 +struct pv_info pv_info __read_only = {
10423 .name = "bare hardware",
10424 .paravirt_enabled = 0,
10426 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
10429 -struct pv_init_ops pv_init_ops = {
10430 +struct pv_init_ops pv_init_ops __read_only = {
10431 .patch = native_patch,
10432 .banner = default_banner,
10433 .arch_setup = paravirt_nop,
10434 .memory_setup = machine_specific_memory_setup,
10437 -struct pv_time_ops pv_time_ops = {
10438 +struct pv_time_ops pv_time_ops __read_only = {
10439 .time_init = hpet_time_init,
10440 .get_wallclock = native_get_wallclock,
10441 .set_wallclock = native_set_wallclock,
10442 @@ -333,7 +333,7 @@ struct pv_time_ops pv_time_ops = {
10443 .get_tsc_khz = native_calibrate_tsc,
10446 -struct pv_irq_ops pv_irq_ops = {
10447 +struct pv_irq_ops pv_irq_ops __read_only = {
10448 .init_IRQ = native_init_IRQ,
10449 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
10450 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
10451 @@ -346,7 +346,7 @@ struct pv_irq_ops pv_irq_ops = {
10455 -struct pv_cpu_ops pv_cpu_ops = {
10456 +struct pv_cpu_ops pv_cpu_ops __read_only = {
10457 .cpuid = native_cpuid,
10458 .get_debugreg = native_get_debugreg,
10459 .set_debugreg = native_set_debugreg,
10460 @@ -406,7 +406,7 @@ struct pv_cpu_ops pv_cpu_ops = {
10461 .end_context_switch = paravirt_nop,
10464 -struct pv_apic_ops pv_apic_ops = {
10465 +struct pv_apic_ops pv_apic_ops __read_only = {
10466 #ifdef CONFIG_X86_LOCAL_APIC
10467 .setup_boot_clock = setup_boot_APIC_clock,
10468 .setup_secondary_clock = setup_secondary_APIC_clock,
10469 @@ -422,7 +422,7 @@ struct pv_apic_ops pv_apic_ops = {
10470 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
10473 -struct pv_mmu_ops pv_mmu_ops = {
10474 +struct pv_mmu_ops pv_mmu_ops __read_only = {
10475 #ifndef CONFIG_X86_64
10476 .pagetable_setup_start = native_pagetable_setup_start,
10477 .pagetable_setup_done = native_pagetable_setup_done,
10478 diff -urNp linux-2.6.31/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.31/arch/x86/kernel/paravirt-spinlocks.c
10479 --- linux-2.6.31/arch/x86/kernel/paravirt-spinlocks.c 2009-08-27 20:59:04.000000000 -0400
10480 +++ linux-2.6.31/arch/x86/kernel/paravirt-spinlocks.c 2009-09-06 15:29:11.213326019 -0400
10481 @@ -13,7 +13,7 @@ default_spin_lock_flags(raw_spinlock_t *
10482 __raw_spin_lock(lock);
10485 -struct pv_lock_ops pv_lock_ops = {
10486 +struct pv_lock_ops pv_lock_ops __read_only = {
10488 .spin_is_locked = __ticket_spin_is_locked,
10489 .spin_is_contended = __ticket_spin_is_contended,
10490 diff -urNp linux-2.6.31/arch/x86/kernel/process_32.c linux-2.6.31/arch/x86/kernel/process_32.c
10491 --- linux-2.6.31/arch/x86/kernel/process_32.c 2009-08-27 20:59:04.000000000 -0400
10492 +++ linux-2.6.31/arch/x86/kernel/process_32.c 2009-09-06 15:29:11.213326019 -0400
10493 @@ -70,6 +70,7 @@ EXPORT_PER_CPU_SYMBOL(current_task);
10494 unsigned long thread_saved_pc(struct task_struct *tsk)
10496 return ((unsigned long *)tsk->thread.sp)[3];
10497 +//XXX return tsk->thread.eip;
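Review bot: `//XXX return tsk->thread.eip;` is commented-out code added by the patch rather than a comment; it either records a pending decision, in which case a `TODO` stating what is undecided (whether the `[3]` stack slot is still the saved pc after this series' stack-layout changes) would be clearer, or it is dead and should be dropped. The `//XXX needs set_fs()?` inserted between `if (clone_flags & CLONE_SETTLS)` and its body in the copy_thread hunk below is the same pattern and, sitting inside an unbraced `if`, is easy to misread as the controlled statement. thread_saved_pc continues outside this hunk.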
10501 @@ -132,7 +133,7 @@ void __show_regs(struct pt_regs *regs, i
10502 unsigned short ss, gs;
10505 - if (user_mode_vm(regs)) {
10506 + if (user_mode(regs)) {
10508 ss = regs->ss & 0xffff;
10509 gs = get_user_gs(regs);
10510 @@ -213,8 +214,8 @@ int kernel_thread(int (*fn)(void *), voi
10511 regs.bx = (unsigned long) fn;
10512 regs.dx = (unsigned long) arg;
10514 - regs.ds = __USER_DS;
10515 - regs.es = __USER_DS;
10516 + regs.ds = __KERNEL_DS;
10517 + regs.es = __KERNEL_DS;
10518 regs.fs = __KERNEL_PERCPU;
10519 regs.gs = __KERNEL_STACK_CANARY;
10521 @@ -250,7 +251,7 @@ int copy_thread(unsigned long clone_flag
10522 struct task_struct *tsk;
10525 - childregs = task_pt_regs(p);
10526 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
10527 *childregs = *regs;
10529 childregs->sp = sp;
10530 @@ -279,6 +280,7 @@ int copy_thread(unsigned long clone_flag
10531 * Set a new TLS for the child thread?
10533 if (clone_flags & CLONE_SETTLS)
10534 +//XXX needs set_fs()?
10535 err = do_set_thread_area(p, -1,
10536 (struct user_desc __user *)childregs->si, 0);
10538 @@ -349,7 +351,7 @@ __switch_to(struct task_struct *prev_p,
10539 struct thread_struct *prev = &prev_p->thread,
10540 *next = &next_p->thread;
10541 int cpu = smp_processor_id();
10542 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
10543 + struct tss_struct *tss = init_tss + cpu;
10545 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
10547 @@ -377,6 +379,11 @@ __switch_to(struct task_struct *prev_p,
10549 lazy_save_gs(prev->gs);
10551 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10552 + if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
10553 + __set_fs(task_thread_info(next_p)->addr_limit, cpu);
10557 * Load the per-thread Thread-Local Storage descriptor.
10559 @@ -495,3 +502,27 @@ unsigned long get_wchan(struct task_stru
10563 +#ifdef CONFIG_PAX_RANDKSTACK
10564 +asmlinkage void pax_randomize_kstack(void)
10566 + struct thread_struct *thread = ¤t->thread;
10567 + unsigned long time;
10569 + if (!randomize_va_space)
10574 + /* P4 seems to return a 0 LSB, ignore it */
10575 +#ifdef CONFIG_MPENTIUM4
10583 + thread->sp0 ^= time;
10584 + load_sp0(init_tss + smp_processor_id(), thread);
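Review bot: `thread->sp0 ^= time;` perturbs the kernel stack pointer that is then loaded into the TSS, but the lines that derive and mask `time` are not shown, so the permitted range of the perturbation is not visible; a comment at the XOR stating the mask (which bits may change, so that sp0 stays inside the stack's reserved slack and keeps its alignment) is the one thing a reader needs to check this is safe, and it is missing. `load_sp0(init_tss + smp_processor_id(), thread)` is consistent with the `init_tss + cpu` indexing used elsewhere in this series. As rendered, `¤t->thread` on the function's first line is `&current->thread` with its leading characters swallowed by HTML entity decoding; the code itself is presumably intact.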
10587 diff -urNp linux-2.6.31/arch/x86/kernel/process_64.c linux-2.6.31/arch/x86/kernel/process_64.c
10588 --- linux-2.6.31/arch/x86/kernel/process_64.c 2009-08-27 20:59:04.000000000 -0400
10589 +++ linux-2.6.31/arch/x86/kernel/process_64.c 2009-09-06 15:29:11.214179556 -0400
10590 @@ -94,7 +94,7 @@ static void __exit_idle(void)
10591 void exit_idle(void)
10593 /* idle loop has pid 0 */
10594 - if (current->pid)
10595 + if (task_pid_nr(current))
10599 @@ -173,7 +173,7 @@ void __show_regs(struct pt_regs *regs, i
10602 printk(KERN_INFO "Pid: %d, comm: %.20s xid: #%u %s %s %.*s %s\n",
10603 - current->pid, current->comm, current->xid, print_tainted(),
10604 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
10605 init_utsname()->release,
10606 (int)strcspn(init_utsname()->version, " "),
10607 init_utsname()->version, board);
10608 @@ -384,7 +384,7 @@ __switch_to(struct task_struct *prev_p,
10609 struct thread_struct *prev = &prev_p->thread;
10610 struct thread_struct *next = &next_p->thread;
10611 int cpu = smp_processor_id();
10612 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
10613 + struct tss_struct *tss = init_tss + cpu;
10614 unsigned fsindex, gsindex;
10616 /* we're going to use this soon, after a few expensive things */
10617 @@ -543,12 +543,11 @@ unsigned long get_wchan(struct task_stru
10618 if (!p || p == current || p->state == TASK_RUNNING)
10620 stack = (unsigned long)task_stack_page(p);
10621 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
10622 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
10624 fp = *(u64 *)(p->thread.sp);
10626 - if (fp < (unsigned long)stack ||
10627 - fp >= (unsigned long)stack+THREAD_SIZE)
10628 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
10630 ip = *(u64 *)(fp+8);
10631 if (!in_sched_functions(ip))
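Review bot: The new frame-pointer bound admits `fp == stack+THREAD_SIZE-8-sizeof(u64)`, for which the following `ip = *(u64 *)(fp+8);` reads the eight bytes at `stack+THREAD_SIZE-8`, i.e. exactly the reserved slack the `-8` was added to keep out of; if no read is meant to touch those bytes the bound needs one more word, `if (fp < stack || fp > stack+THREAD_SIZE-8-2*sizeof(u64))`. The `p->thread.sp` check just above is tight as written, since it is followed by a single `*(u64 *)(p->thread.sp)` read. Either way the `-8` is the same unexplained constant as in irq_32.c and process_32.c and would benefit from a shared name. The loop around the fp check continues outside this hunk.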
10632 diff -urNp linux-2.6.31/arch/x86/kernel/process.c linux-2.6.31/arch/x86/kernel/process.c
10633 --- linux-2.6.31/arch/x86/kernel/process.c 2009-08-27 20:59:04.000000000 -0400
10634 +++ linux-2.6.31/arch/x86/kernel/process.c 2009-09-06 15:29:11.214179556 -0400
10635 @@ -76,7 +76,7 @@ void exit_thread(void)
10636 unsigned long *bp = t->io_bitmap_ptr;
10639 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
10640 + struct tss_struct *tss = init_tss + get_cpu();
10642 t->io_bitmap_ptr = NULL;
10643 clear_thread_flag(TIF_IO_BITMAP);
10644 @@ -108,6 +108,9 @@ void flush_thread(void)
10646 clear_tsk_thread_flag(tsk, TIF_DEBUG);
10648 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
10649 + loadsegment(gs, 0);
10651 tsk->thread.debugreg0 = 0;
10652 tsk->thread.debugreg1 = 0;
10653 tsk->thread.debugreg2 = 0;
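Review bot: `loadsegment(gs, 0)` is added to flush_thread with no comment, under a condition (`CONFIG_X86_32 && !CONFIG_CC_STACKPROTECTOR`) that encodes the fact that %gs carries the user TLS selector on 32-bit only when the stack protector is not using it for the canary segment (`regs.gs = __KERNEL_STACK_CANARY`, `lazy_save_gs`, `get_user_gs` in process_32.c); a reader has to know that to see why the segment is cleared here and not in the stack-protector build. Suggest `/* %gs is the user TLS selector in this configuration; drop the old image's selector at exec */` above the `#if`. flush_thread continues outside this hunk.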
10654 @@ -611,17 +614,3 @@ static int __init idle_setup(char *str)
10657 early_param("idle", idle_setup);
10659 -unsigned long arch_align_stack(unsigned long sp)
10661 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
10662 - sp -= get_random_int() % 8192;
10663 - return sp & ~0xf;
10666 -unsigned long arch_randomize_brk(struct mm_struct *mm)
10668 - unsigned long range_end = mm->brk + 0x02000000;
10669 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
10672 diff -urNp linux-2.6.31/arch/x86/kernel/ptrace.c linux-2.6.31/arch/x86/kernel/ptrace.c
10673 --- linux-2.6.31/arch/x86/kernel/ptrace.c 2009-08-27 20:59:04.000000000 -0400
10674 +++ linux-2.6.31/arch/x86/kernel/ptrace.c 2009-09-06 15:29:11.215398851 -0400
10675 @@ -1454,7 +1454,7 @@ void send_sigtrap(struct task_struct *ts
10676 info.si_code = si_code;
10678 /* User-mode ip? */
10679 - info.si_addr = user_mode_vm(regs) ? (void __user *) regs->ip : NULL;
10680 + info.si_addr = user_mode(regs) ? (void __user *) regs->ip : NULL;
10682 /* Send us the fake SIGTRAP */
10683 force_sig_info(SIGTRAP, &info, tsk);
10684 diff -urNp linux-2.6.31/arch/x86/kernel/reboot.c linux-2.6.31/arch/x86/kernel/reboot.c
10685 --- linux-2.6.31/arch/x86/kernel/reboot.c 2009-08-27 20:59:04.000000000 -0400
10686 +++ linux-2.6.31/arch/x86/kernel/reboot.c 2009-09-06 15:29:11.215398851 -0400
10687 @@ -31,7 +31,7 @@ void (*pm_power_off)(void);
10688 EXPORT_SYMBOL(pm_power_off);
10690 static const struct desc_ptr no_idt = {};
10691 -static int reboot_mode;
10692 +static unsigned short reboot_mode;
10693 enum reboot_type reboot_type = BOOT_KBD;
10696 @@ -257,7 +257,7 @@ static struct dmi_system_id __initdata r
10697 DMI_MATCH(DMI_PRODUCT_NAME, "SBC-FITPC2"),
10701 + { NULL, NULL, {{0, {0}}}, NULL}
10704 static int __init reboot_init(void)
10705 @@ -273,12 +273,12 @@ core_initcall(reboot_init);
10706 controller to pulse the CPU reset line, which is more thorough, but
10707 doesn't work with at least one type of 486 motherboard. It is easy
10708 to stop this code working; hence the copious comments. */
10709 -static const unsigned long long
10710 -real_mode_gdt_entries [3] =
10711 +static struct desc_struct
10712 +real_mode_gdt_entries [3] __read_only =
10714 - 0x0000000000000000ULL, /* Null descriptor */
10715 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
10716 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
10717 + {{{0x00000000, 0x00000000}}}, /* Null descriptor */
10718 + {{{0x0000ffff, 0x00009b00}}}, /* 16-bit real-mode 64k code at 0x00000000 */
10719 + {{{0x0100ffff, 0x00009300}}} /* 16-bit real-mode 64k data at 0x00000100 */
10722 static const struct desc_ptr
10723 @@ -327,7 +327,7 @@ static const unsigned char jump_to_bios
10724 * specified by the code and length parameters.
10725 * We assume that length will aways be less that 100!
10727 -void machine_real_restart(const unsigned char *code, int length)
10728 +void machine_real_restart(const unsigned char *code, unsigned int length)
10730 local_irq_disable();
10732 @@ -347,8 +347,8 @@ void machine_real_restart(const unsigned
10733 /* Remap the kernel at virtual address zero, as well as offset zero
10734 from the kernel segment. This assumes the kernel segment starts at
10735 virtual address PAGE_OFFSET. */
10736 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10737 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
10738 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10739 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10742 * Use `swapper_pg_dir' as our page directory.
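Review bot: `min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)` quietly changes how many kernel PGD entries are mirrored at virtual address zero: the old `memcpy` copied all `KERNEL_PGD_PTRS`, the new call copies at most `KERNEL_PGD_BOUNDARY`, which differs only when the user part of the directory is smaller than the kernel part (a non-default PAGE_OFFSET split) and is presumably there so the destination range never runs into the source entries. That reasoning belongs in a comment on the call, e.g. `/* copy no more entries than fit below KERNEL_PGD_BOUNDARY, or the copy would overwrite its own source */`; without it the `min_t` looks removable. machine_real_restart continues outside this hunk.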
10743 @@ -360,16 +360,15 @@ void machine_real_restart(const unsigned
10744 boot)". This seems like a fairly standard thing that gets set by
10745 REBOOT.COM programs, and the previous reset routine did this
10747 - *((unsigned short *)0x472) = reboot_mode;
10748 + *(unsigned short *)(__va(0x472)) = reboot_mode;
10750 /* For the switch to real mode, copy some code to low memory. It has
10751 to be in the first 64k because it is running in 16-bit mode, and it
10752 has to have the same physical and virtual address, because it turns
10753 off paging. Copy it near the end of the first page, out of the way
10754 of BIOS variables. */
10755 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
10756 - real_mode_switch, sizeof (real_mode_switch));
10757 - memcpy((void *)(0x1000 - 100), code, length);
10758 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
10759 + memcpy(__va(0x1000 - 100), code, length);
10761 /* Set up the IDT for real mode. */
10762 load_idt(&real_mode_idt);
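Review bot: `memcpy(__va(0x1000 - 100), code, length)` still trusts `length` to fit the 100-byte slot that the comment above the function only asserts ("We assume that length will aways be less that 100!"); the signature hunk earlier in this file makes `length` unsigned, which removes the negative case but adds no upper bound. Since the callers appear to pass small in-kernel constant blobs, a cheap guard is enough: `BUG_ON(length > 100);` before the copy. The same reasoning applies to `sizeof(real_mode_switch)`, which is trusted to fit below `0x1000 - 100` without a check. machine_real_restart continues outside the hunk.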
10763 diff -urNp linux-2.6.31/arch/x86/kernel/setup.c linux-2.6.31/arch/x86/kernel/setup.c
10764 --- linux-2.6.31/arch/x86/kernel/setup.c 2009-08-27 20:59:04.000000000 -0400
10765 +++ linux-2.6.31/arch/x86/kernel/setup.c 2009-09-06 15:29:11.218341276 -0400
10766 @@ -768,14 +768,14 @@ void __init setup_arch(char **cmdline_p)
10768 if (!boot_params.hdr.root_flags)
10769 root_mountflags &= ~MS_RDONLY;
10770 - init_mm.start_code = (unsigned long) _text;
10771 - init_mm.end_code = (unsigned long) _etext;
10772 + init_mm.start_code = ktla_ktva((unsigned long) _text);
10773 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
10774 init_mm.end_data = (unsigned long) _edata;
10775 init_mm.brk = _brk_end;
10777 - code_resource.start = virt_to_phys(_text);
10778 - code_resource.end = virt_to_phys(_etext)-1;
10779 - data_resource.start = virt_to_phys(_etext);
10780 + code_resource.start = virt_to_phys(ktla_ktva(_text));
10781 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
10782 + data_resource.start = virt_to_phys(_sdata);
10783 data_resource.end = virt_to_phys(_edata)-1;
10784 bss_resource.start = virt_to_phys(&__bss_start);
10785 bss_resource.end = virt_to_phys(&__bss_stop)-1;
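Review bot: Moving `data_resource.start` from `_etext` to `_sdata` while `code_resource.end` stays at `_etext-1` leaves the range between `_etext` and `_sdata` (the read-only data the rest of this patch separates out, as far as I can tell) outside every registered resource, so it no longer appears in /proc/iomem. If that range should be reported, add a third resource alongside these two, e.g. `rodata_resource.start = virt_to_phys(__start_rodata); rodata_resource.end = virt_to_phys(__end_rodata)-1;`, which needs a declaration outside this hunk; if the gap is intentional, a comment on the `_sdata` line should say so. setup_arch continues outside the hunk.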
10786 diff -urNp linux-2.6.31/arch/x86/kernel/setup_percpu.c linux-2.6.31/arch/x86/kernel/setup_percpu.c
10787 --- linux-2.6.31/arch/x86/kernel/setup_percpu.c 2009-08-27 20:59:04.000000000 -0400
10788 +++ linux-2.6.31/arch/x86/kernel/setup_percpu.c 2009-09-06 15:29:11.218341276 -0400
10789 @@ -25,19 +25,17 @@
10794 DEFINE_PER_CPU(int, cpu_number);
10795 EXPORT_PER_CPU_SYMBOL(cpu_number);
10798 -#ifdef CONFIG_X86_64
10799 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
10801 -#define BOOT_PERCPU_OFFSET 0
10804 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
10805 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
10807 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
10808 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
10809 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
10811 EXPORT_SYMBOL(__per_cpu_offset);
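Review bot: `__per_cpu_offset[]` becomes `__read_only`, yet the loop in setup_per_cpu_areas later in this file still stores into it via `per_cpu_offset(cpu) = ...`, so the array has to remain writable at that point; that only works if the read-only section is sealed after that __init code runs, which is not visible here and deserves a comment on the definition, e.g. `/* written once by setup_per_cpu_areas() before the kernel's read-only data is sealed */`. Dropping the `#ifdef CONFIG_X86_64` also changes the 32-bit `BOOT_PERCPU_OFFSET` from 0 to `__per_cpu_load`; if that depends on the percpu linker-script changes elsewhere in the patch, note it next to the define.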
10812 @@ -429,13 +427,15 @@ early_param("percpu_alloc", percpu_alloc
10813 static inline void setup_percpu_segment(int cpu)
10815 #ifdef CONFIG_X86_32
10816 - struct desc_struct gdt;
10818 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
10819 - 0x2 | DESCTYPE_S, 0x8);
10821 - write_gdt_entry(get_cpu_gdt_table(cpu),
10822 - GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
10823 + struct desc_struct d, *gdt = get_cpu_gdt_table(cpu);
10824 + unsigned long base = per_cpu_offset(cpu);
10825 + const unsigned long limit = VMALLOC_END - base - 1;
10827 + if (limit < 64*1024)
10828 + pack_descriptor(&d, base, limit, 0x80 | DESCTYPE_S | 0x3, 0x4);
10830 + pack_descriptor(&d, base, limit >> PAGE_SHIFT, 0x80 | DESCTYPE_S | 0x3, 0xC);
10831 + write_gdt_entry(gdt, GDT_ENTRY_PERCPU, &d, DESCTYPE_S);
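Review bot: The new limit `VMALLOC_END - base - 1` and the two `pack_descriptor()` calls are built from bare numbers (`0x80 | DESCTYPE_S | 0x3`, `0x4`, `0xC`, `64*1024`) with no comment on why the percpu segment is no longer the previous 4 GB `0xFFFFF` page-granular window. I read it as deliberately bounding the %fs segment so percpu-relative accesses cannot reach past the vmalloc area, but that should be stated, e.g. `/* bound the percpu segment at VMALLOC_END: byte granularity below 64K, page granularity (limit in pages) above */`. The `limit >> PAGE_SHIFT` in the page-granular case rounds down and so drops a partial trailing page, which is safe but also worth a word. setup_percpu_segment continues outside the hunk.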
10835 @@ -486,6 +486,11 @@ void __init setup_per_cpu_areas(void)
10836 /* alrighty, percpu areas up and running */
10837 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
10838 for_each_possible_cpu(cpu) {
10839 +#ifdef CONFIG_CC_STACKPROTECTOR
10840 +#ifdef CONFIG_x86_32
10841 + unsigned long canary = per_cpu(stack_canary, cpu);
10844 per_cpu_offset(cpu) = delta + cpu * pcpu_unit_size;
10845 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
10846 per_cpu(cpu_number, cpu) = cpu;
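Review bot: `#ifdef CONFIG_x86_32` (lowercase x) never matches the Kconfig symbol, which this same file spells `CONFIG_X86_32` in setup_percpu_segment, so the block that saves `canary` is compiled out and the corresponding restore in the next hunk is dead as well. Change it to `#ifdef CONFIG_X86_32` here and in the matching block further down in setup_per_cpu_areas. Once enabled, `canary` is read before `per_cpu_offset(cpu)` is rewritten, which is the right order for capturing the boot-time value. setup_per_cpu_areas continues outside the hunk.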
10847 @@ -513,6 +518,12 @@ void __init setup_per_cpu_areas(void)
10848 early_per_cpu_map(x86_cpu_to_node_map, cpu);
10851 +#ifdef CONFIG_CC_STACKPROTECTOR
10852 +#ifdef CONFIG_x86_32
10853 + if (cpu == boot_cpu_id)
10854 + per_cpu(stack_canary, cpu) = canary;
10858 * Up to this point, the boot CPU has been using .data.init
10859 * area. Reload any changed state for the boot CPU.
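Review bot: The guard `#ifdef CONFIG_x86_32` does not match the real symbol `CONFIG_X86_32` (see the `#ifdef CONFIG_X86_32` in setup_percpu_segment above), so `per_cpu(stack_canary, cpu) = canary;` is never compiled and the boot CPU's canary is not carried over into its new percpu area. Use `#ifdef CONFIG_X86_32`, and fix the identical guard around the `canary` declaration in the previous hunk at the same time, since the two only make sense together. setup_per_cpu_areas continues outside the hunk.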
10860 diff -urNp linux-2.6.31/arch/x86/kernel/signal.c linux-2.6.31/arch/x86/kernel/signal.c
10861 --- linux-2.6.31/arch/x86/kernel/signal.c 2009-08-27 20:59:04.000000000 -0400
10862 +++ linux-2.6.31/arch/x86/kernel/signal.c 2009-09-06 15:29:11.219332248 -0400
10863 @@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsi
10864 * Align the stack pointer according to the i386 ABI,
10865 * i.e. so that on function entry ((sp + 4) & 15) == 0.
10867 - sp = ((sp + 4) & -16ul) - 4;
10868 + sp = ((sp - 12) & -16ul) - 4;
10869 #else /* !CONFIG_X86_32 */
10870 sp = round_down(sp, 16) - 8;
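Review bot: `sp = ((sp - 12) & -16ul) - 4;` always lands at least 16 bytes below the incoming `sp`, whereas the old expression picked the nearest valid slot at or below `sp`; both satisfy the `((sp + 4) & 15) == 0` property the comment above describes, but that comment no longer explains why a full extra slot is reserved. Extend it, e.g. `/* always step down one full 16-byte slot so the frame never starts at the current sp */`, or give the actual reason if it is something else, which I cannot tell from here. align_sigframe continues outside the hunk.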
10872 @@ -307,9 +307,9 @@ __setup_frame(int sig, struct k_sigactio
10875 if (current->mm->context.vdso)
10876 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
10877 + restorer = (void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
10879 - restorer = &frame->retcode;
10880 + restorer = (void __user *)&frame->retcode;
10881 if (ka->sa.sa_flags & SA_RESTORER)
10882 restorer = ka->sa.sa_restorer;
10884 @@ -377,7 +377,7 @@ static int __setup_rt_frame(int sig, str
10885 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
10887 /* Set up to return from userspace. */
10888 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
10889 + restorer = (void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
10890 if (ka->sa.sa_flags & SA_RESTORER)
10891 restorer = ka->sa.sa_restorer;
10892 put_user_ex(restorer, &frame->pretcode);
10893 @@ -789,7 +789,7 @@ static void do_signal(struct pt_regs *re
10894 * X86_32: vm86 regs switched out by assembly code before reaching
10895 * here, so testing against kernel CS suffices.
10897 - if (!user_mode(regs))
10898 + if (!user_mode_novm(regs))
10901 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
10902 diff -urNp linux-2.6.31/arch/x86/kernel/smpboot.c linux-2.6.31/arch/x86/kernel/smpboot.c
10903 --- linux-2.6.31/arch/x86/kernel/smpboot.c 2009-08-27 20:59:04.000000000 -0400
10904 +++ linux-2.6.31/arch/x86/kernel/smpboot.c 2009-09-06 15:29:11.220280381 -0400
10905 @@ -685,6 +685,10 @@ static int __cpuinit do_boot_cpu(int api
10906 .done = COMPLETION_INITIALIZER_ONSTACK(c_idle.done),
10909 +#ifdef CONFIG_PAX_KERNEXEC
10910 + unsigned long cr0;
10913 INIT_WORK(&c_idle.work, do_fork_idle);
10915 alternatives_smp_switch(1);
10916 @@ -727,7 +731,17 @@ do_rest:
10917 (unsigned long)task_stack_page(c_idle.idle) -
10918 KERNEL_STACK_OFFSET + THREAD_SIZE;
10921 +#ifdef CONFIG_PAX_KERNEXEC
10922 + pax_open_kernel(cr0);
10925 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10927 +#ifdef CONFIG_PAX_KERNEXEC
10928 + pax_close_kernel(cr0);
10931 initial_code = (unsigned long)start_secondary;
10932 stack_start.sp = (void *) c_idle.idle->thread.sp;
10934 diff -urNp linux-2.6.31/arch/x86/kernel/step.c linux-2.6.31/arch/x86/kernel/step.c
10935 --- linux-2.6.31/arch/x86/kernel/step.c 2009-08-27 20:59:04.000000000 -0400
10936 +++ linux-2.6.31/arch/x86/kernel/step.c 2009-09-06 15:29:11.220280381 -0400
10937 @@ -23,22 +23,20 @@ unsigned long convert_ip_to_linear(struc
10938 * and APM bios ones we just ignore here.
10940 if ((seg & SEGMENT_TI_MASK) == SEGMENT_LDT) {
10942 + struct desc_struct *desc;
10943 unsigned long base;
10948 mutex_lock(&child->mm->context.lock);
10949 - if (unlikely((seg >> 3) >= child->mm->context.size))
10950 - addr = -1L; /* bogus selector, access would fault */
10951 + if (unlikely(seg >= child->mm->context.size))
10954 - desc = child->mm->context.ldt + seg;
10955 - base = ((desc[0] >> 16) |
10956 - ((desc[1] & 0xff) << 16) |
10957 - (desc[1] & 0xff000000));
10958 + desc = &child->mm->context.ldt[seg];
10959 + base = (desc->a >> 16) | ((desc->b & 0xff) << 16) | (desc->b & 0xff000000);
10961 /* 16-bit code segment? */
10962 - if (!((desc[1] >> 22) & 1))
10963 + if (!((desc->b >> 22) & 1))
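Review bot: The bound check `seg >= child->mm->context.size` and the index `&child->mm->context.ldt[seg]` are only consistent if `seg` is already a descriptor index (selector >> 3) at this point; the old code compared `seg >> 3` after masking with `~7UL`, and the lines where the new code would shift `seg` are not part of this hunk as shown. If a `seg >>= 3` exists there, a comment such as `/* seg is now an LDT index, not a selector */` would make the check readable; if not, this is an out-of-bounds read of the LDT. The `addr == -EINVAL` test in the next hunk also relies on the else-branch here assigning `-EINVAL` where the old code stored `-1L`, so every failure path must use the same sentinel. convert_ip_to_linear continues outside the hunk.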
10967 @@ -54,6 +52,9 @@ static int is_setting_trap_flag(struct t
10968 unsigned char opcode[15];
10969 unsigned long addr = convert_ip_to_linear(child, regs);
10971 + if (addr == -EINVAL)
10974 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
10975 for (i = 0; i < copied; i++) {
10976 switch (opcode[i]) {
10977 @@ -75,7 +76,7 @@ static int is_setting_trap_flag(struct t
10979 #ifdef CONFIG_X86_64
10980 case 0x40 ... 0x4f:
10981 - if (regs->cs != __USER_CS)
10982 + if ((regs->cs & 0xffff) != __USER_CS)
10983 /* 32-bit mode: register increment */
10985 /* 64-bit mode: REX prefix */
10986 diff -urNp linux-2.6.31/arch/x86/kernel/syscall_table_32.S linux-2.6.31/arch/x86/kernel/syscall_table_32.S
10987 --- linux-2.6.31/arch/x86/kernel/syscall_table_32.S 2009-08-27 20:59:04.000000000 -0400
10988 +++ linux-2.6.31/arch/x86/kernel/syscall_table_32.S 2009-09-06 15:29:11.220280381 -0400
10990 +.section .rodata,"a",@progbits
10991 ENTRY(sys_call_table)
10992 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
10994 diff -urNp linux-2.6.31/arch/x86/kernel/sys_i386_32.c linux-2.6.31/arch/x86/kernel/sys_i386_32.c
10995 --- linux-2.6.31/arch/x86/kernel/sys_i386_32.c 2009-08-27 20:59:04.000000000 -0400
10996 +++ linux-2.6.31/arch/x86/kernel/sys_i386_32.c 2009-09-06 15:29:11.221249461 -0400
10999 #include <asm/syscalls.h>
11001 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
11003 + unsigned long pax_task_size = TASK_SIZE;
11005 +#ifdef CONFIG_PAX_SEGMEXEC
11006 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
11007 + pax_task_size = SEGMEXEC_TASK_SIZE;
11010 + if (len > pax_task_size || addr > pax_task_size - len)
11016 asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
11017 unsigned long prot, unsigned long flags,
11018 unsigned long fd, unsigned long pgoff)
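Review bot: `i386_mmap_check()` is a new non-static function with no comment stating its contract, and the order of its two tests matters: `len > pax_task_size` must be evaluated first so that `pax_task_size - len` cannot wrap. Add a header such as `/* Reject a mapping that would end above the task size (reduced under SEGMEXEC); the first test keeps the subtraction from underflowing. */`. The SEGMEXEC task-size prologue is repeated in both arch_get_unmapped_area variants in the next hunk, so a small shared helper would keep the three copies in step.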
11019 @@ -83,6 +98,205 @@ out:
11024 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
11025 + unsigned long len, unsigned long pgoff, unsigned long flags)
11027 + struct mm_struct *mm = current->mm;
11028 + struct vm_area_struct *vma;
11029 + unsigned long start_addr, pax_task_size = TASK_SIZE;
11031 +#ifdef CONFIG_PAX_SEGMEXEC
11032 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
11033 + pax_task_size = SEGMEXEC_TASK_SIZE;
11036 + if (len > pax_task_size)
11039 + if (flags & MAP_FIXED)
11042 +#ifdef CONFIG_PAX_RANDMMAP
11043 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
11047 + addr = PAGE_ALIGN(addr);
11048 + vma = find_vma(mm, addr);
11049 + if (pax_task_size - len >= addr &&
11050 + (!vma || addr + len <= vma->vm_start))
11053 + if (len > mm->cached_hole_size) {
11054 + start_addr = addr = mm->free_area_cache;
11056 + start_addr = addr = mm->mmap_base;
11057 + mm->cached_hole_size = 0;
11060 +#ifdef CONFIG_PAX_PAGEEXEC
11061 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
11062 + start_addr = 0x00110000UL;
11064 +#ifdef CONFIG_PAX_RANDMMAP
11065 + if (mm->pax_flags & MF_PAX_RANDMMAP)
11066 + start_addr += mm->delta_mmap & 0x03FFF000UL;
11069 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
11070 + start_addr = addr = mm->mmap_base;
11072 + addr = start_addr;
11077 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
11078 + /* At this point: (!vma || addr < vma->vm_end). */
11079 + if (pax_task_size - len < addr) {
11081 + * Start a new search - just in case we missed
11084 + if (start_addr != mm->mmap_base) {
11085 + start_addr = addr = mm->mmap_base;
11086 + mm->cached_hole_size = 0;
11087 + goto full_search;
11091 + if (!vma || addr + len <= vma->vm_start) {
11093 + * Remember the place where we stopped the search:
11095 + mm->free_area_cache = addr + len;
11098 + if (addr + mm->cached_hole_size < vma->vm_start)
11099 + mm->cached_hole_size = vma->vm_start - addr;
11100 + addr = vma->vm_end;
11101 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
11102 + start_addr = addr = mm->mmap_base;
11103 + mm->cached_hole_size = 0;
11104 + goto full_search;
11110 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
11111 + const unsigned long len, const unsigned long pgoff,
11112 + const unsigned long flags)
11114 + struct vm_area_struct *vma;
11115 + struct mm_struct *mm = current->mm;
11116 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
11118 +#ifdef CONFIG_PAX_SEGMEXEC
11119 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
11120 + pax_task_size = SEGMEXEC_TASK_SIZE;
11123 + /* requested length too big for entire address space */
11124 + if (len > pax_task_size)
11127 + if (flags & MAP_FIXED)
11130 +#ifdef CONFIG_PAX_PAGEEXEC
11131 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
11135 +#ifdef CONFIG_PAX_RANDMMAP
11136 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
11139 + /* requesting a specific address */
11141 + addr = PAGE_ALIGN(addr);
11142 + vma = find_vma(mm, addr);
11143 + if (pax_task_size - len >= addr &&
11144 + (!vma || addr + len <= vma->vm_start))
11148 + /* check if free_area_cache is useful for us */
11149 + if (len <= mm->cached_hole_size) {
11150 + mm->cached_hole_size = 0;
11151 + mm->free_area_cache = mm->mmap_base;
11154 + /* either no address requested or can't fit in requested address hole */
11155 + addr = mm->free_area_cache;
11157 + /* make sure it can fit in the remaining address space */
11158 + if (addr > len) {
11159 + vma = find_vma(mm, addr-len);
11160 + if (!vma || addr <= vma->vm_start)
11161 + /* remember the address as a hint for next time */
11162 + return (mm->free_area_cache = addr-len);
11165 + if (mm->mmap_base < len)
11168 + addr = mm->mmap_base-len;
11172 + * Lookup failure means no vma is above this address,
11173 + * else if new region fits below vma->vm_start,
11174 + * return with success:
11176 + vma = find_vma(mm, addr);
11177 + if (!vma || addr+len <= vma->vm_start)
11178 + /* remember the address as a hint for next time */
11179 + return (mm->free_area_cache = addr);
11181 + /* remember the largest hole we saw so far */
11182 + if (addr + mm->cached_hole_size < vma->vm_start)
11183 + mm->cached_hole_size = vma->vm_start - addr;
11185 + /* try just below the current vma->vm_start */
11186 + addr = vma->vm_start-len;
11187 + } while (len < vma->vm_start);
11191 + * A failed mmap() very likely causes application failure,
11192 + * so fall back to the bottom-up function here. This scenario
11193 + * can happen with large stack limits and large mmap()
11197 +#ifdef CONFIG_PAX_SEGMEXEC
11198 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
11199 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
11203 + mm->mmap_base = TASK_UNMAPPED_BASE;
11205 +#ifdef CONFIG_PAX_RANDMMAP
11206 + if (mm->pax_flags & MF_PAX_RANDMMAP)
11207 + mm->mmap_base += mm->delta_mmap;
11210 + mm->free_area_cache = mm->mmap_base;
11211 + mm->cached_hole_size = ~0UL;
11212 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
11214 + * Restore the topdown base:
11216 + mm->mmap_base = base;
11217 + mm->free_area_cache = base;
11218 + mm->cached_hole_size = ~0UL;
11223 struct sel_arg_struct {
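Review bot: The bottom-up `CONFIG_PAX_PAGEEXEC` branch of arch_get_unmapped_area hard-codes `0x00110000UL` as the start of the executable-mapping search and `0x03FFF000UL` as the randomisation mask with no explanation of either value. I take it executable mappings are being kept low so that a segment-limit based non-exec scheme can cover them, but that, and the width of the mask, belong in named constants with a comment, e.g. `#define PAX_EXEC_MMAP_BASE 0x00110000UL` and `#define PAX_EXEC_MMAP_RAND_MASK 0x03FFF000UL`. The SEGMEXEC task-size prologue is copy-pasted into both functions here and into i386_mmap_check above; a `static unsigned long pax_mm_task_size(struct mm_struct *mm)` helper would keep them in sync (the obvious name `pax_task_size` is already taken by the locals).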
11225 diff -urNp linux-2.6.31/arch/x86/kernel/sys_x86_64.c linux-2.6.31/arch/x86/kernel/sys_x86_64.c
11226 --- linux-2.6.31/arch/x86/kernel/sys_x86_64.c 2009-08-27 20:59:04.000000000 -0400
11227 +++ linux-2.6.31/arch/x86/kernel/sys_x86_64.c 2009-09-06 15:29:11.221249461 -0400
11228 @@ -47,8 +47,8 @@ out:
11232 -static void find_start_end(unsigned long flags, unsigned long *begin,
11233 - unsigned long *end)
11234 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
11235 + unsigned long *begin, unsigned long *end)
11237 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
11238 unsigned long new_begin;
11239 @@ -67,7 +67,7 @@ static void find_start_end(unsigned long
11240 *begin = new_begin;
11243 - *begin = TASK_UNMAPPED_BASE;
11244 + *begin = mm->mmap_base;
11248 @@ -84,11 +84,15 @@ arch_get_unmapped_area(struct file *filp
11249 if (flags & MAP_FIXED)
11252 - find_start_end(flags, &begin, &end);
11253 + find_start_end(mm, flags, &begin, &end);
11258 +#ifdef CONFIG_PAX_RANDMMAP
11259 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
11263 addr = PAGE_ALIGN(addr);
11264 vma = find_vma(mm, addr);
11265 @@ -143,7 +147,7 @@ arch_get_unmapped_area_topdown(struct fi
11267 struct vm_area_struct *vma;
11268 struct mm_struct *mm = current->mm;
11269 - unsigned long addr = addr0;
11270 + unsigned long base = mm->mmap_base, addr = addr0;
11272 /* requested length too big for entire address space */
11273 if (len > TASK_SIZE)
11274 @@ -156,6 +160,10 @@ arch_get_unmapped_area_topdown(struct fi
11275 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
11278 +#ifdef CONFIG_PAX_RANDMMAP
11279 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
11282 /* requesting a specific address */
11284 addr = PAGE_ALIGN(addr);
11285 @@ -213,13 +221,21 @@ bottomup:
11286 * can happen with large stack limits and large mmap()
11289 + mm->mmap_base = TASK_UNMAPPED_BASE;
11291 +#ifdef CONFIG_PAX_RANDMMAP
11292 + if (mm->pax_flags & MF_PAX_RANDMMAP)
11293 + mm->mmap_base += mm->delta_mmap;
11296 + mm->free_area_cache = mm->mmap_base;
11297 mm->cached_hole_size = ~0UL;
11298 - mm->free_area_cache = TASK_UNMAPPED_BASE;
11299 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
11301 * Restore the topdown base:
11303 - mm->free_area_cache = mm->mmap_base;
11304 + mm->mmap_base = base;
11305 + mm->free_area_cache = base;
11306 mm->cached_hole_size = ~0UL;
11309 diff -urNp linux-2.6.31/arch/x86/kernel/time_32.c linux-2.6.31/arch/x86/kernel/time_32.c
11310 --- linux-2.6.31/arch/x86/kernel/time_32.c 2009-08-27 20:59:04.000000000 -0400
11311 +++ linux-2.6.31/arch/x86/kernel/time_32.c 2009-09-06 15:29:11.222199914 -0400
11312 @@ -47,22 +47,32 @@ unsigned long profile_pc(struct pt_regs
11313 unsigned long pc = instruction_pointer(regs);
11316 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
11317 + if (!user_mode(regs) && in_lock_functions(pc)) {
11318 #ifdef CONFIG_FRAME_POINTER
11319 - return *(unsigned long *)(regs->bp + sizeof(long));
11320 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
11322 unsigned long *sp = (unsigned long *)®s->sp;
11324 /* Return address is either directly at stack pointer
11325 or above a saved flags. Eflags has bits 22-31 zero,
11326 kernel addresses don't. */
11328 +#ifdef CONFIG_PAX_KERNEXEC
11329 + return ktla_ktva(sp[0]);
11341 + if (!user_mode(regs))
11342 + pc = ktla_ktva(pc);
11346 EXPORT_SYMBOL(profile_pc);
11347 diff -urNp linux-2.6.31/arch/x86/kernel/time_64.c linux-2.6.31/arch/x86/kernel/time_64.c
11348 --- linux-2.6.31/arch/x86/kernel/time_64.c 2009-08-27 20:59:04.000000000 -0400
11349 +++ linux-2.6.31/arch/x86/kernel/time_64.c 2009-09-06 15:29:11.223154518 -0400
11351 #include <asm/time.h>
11352 #include <asm/timer.h>
11354 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
11356 unsigned long profile_pc(struct pt_regs *regs)
11358 unsigned long pc = instruction_pointer(regs);
11359 @@ -34,7 +32,7 @@ unsigned long profile_pc(struct pt_regs
11360 /* Assume the lock function has either no stack frame or a copy
11361 of flags from PUSHF
11362 Eflags always has bits 22 and up cleared unlike kernel addresses. */
11363 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
11364 + if (!user_mode(regs) && in_lock_functions(pc)) {
11365 #ifdef CONFIG_FRAME_POINTER
11366 return *(unsigned long *)(regs->bp + sizeof(long));
11368 diff -urNp linux-2.6.31/arch/x86/kernel/tls.c linux-2.6.31/arch/x86/kernel/tls.c
11369 --- linux-2.6.31/arch/x86/kernel/tls.c 2009-08-27 20:59:04.000000000 -0400
11370 +++ linux-2.6.31/arch/x86/kernel/tls.c 2009-09-06 15:29:11.223154518 -0400
11371 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
11372 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
11375 +#ifdef CONFIG_PAX_SEGMEXEC
11376 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
11380 set_tls_desc(p, idx, &info, 1);
11383 diff -urNp linux-2.6.31/arch/x86/kernel/traps.c linux-2.6.31/arch/x86/kernel/traps.c
11384 --- linux-2.6.31/arch/x86/kernel/traps.c 2009-08-27 20:59:04.000000000 -0400
11385 +++ linux-2.6.31/arch/x86/kernel/traps.c 2009-09-06 15:29:11.223154518 -0400
11386 @@ -70,14 +70,6 @@ asmlinkage int system_call(void);
11388 /* Do we ignore FPU interrupts ? */
11389 char ignore_fpu_irq;
11392 - * The IDT has to be page-aligned to simplify the Pentium
11393 - * F0 0F bug workaround.. We have a special link segment
11396 -gate_desc idt_table[256]
11397 - __attribute__((__section__(".data.idt"))) = { { { { 0, 0 } } }, };
11400 DECLARE_BITMAP(used_vectors, NR_VECTORS);
11401 @@ -115,7 +107,7 @@ static inline void preempt_conditional_c
11403 die_if_kernel(const char *str, struct pt_regs *regs, long err)
11405 - if (!user_mode_vm(regs))
11406 + if (!user_mode(regs))
11407 die(str, regs, err);
11410 @@ -127,7 +119,7 @@ do_trap(int trapnr, int signr, char *str
11411 struct task_struct *tsk = current;
11413 #ifdef CONFIG_X86_32
11414 - if (regs->flags & X86_VM_MASK) {
11415 + if (v8086_mode(regs)) {
11417 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
11418 * On nmi (interrupt 2), do_trap should not be called.
11419 @@ -138,7 +130,7 @@ do_trap(int trapnr, int signr, char *str
11423 - if (!user_mode(regs))
11424 + if (!user_mode_novm(regs))
11427 #ifdef CONFIG_X86_32
11428 @@ -161,7 +153,7 @@ trap_signal:
11429 printk_ratelimit()) {
11431 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
11432 - tsk->comm, tsk->pid, str,
11433 + tsk->comm, task_pid_nr(tsk), str,
11434 regs->ip, regs->sp, error_code);
11435 print_vma_addr(" in ", regs->ip);
11437 @@ -180,6 +172,12 @@ kernel_trap:
11438 tsk->thread.trap_no = trapnr;
11439 die(str, regs, error_code);
11442 +#ifdef CONFIG_PAX_REFCOUNT
11444 + pax_report_refcount_overflow(regs);
11449 #ifdef CONFIG_X86_32
11450 @@ -268,14 +266,30 @@ do_general_protection(struct pt_regs *re
11451 conditional_sti(regs);
11453 #ifdef CONFIG_X86_32
11454 - if (regs->flags & X86_VM_MASK)
11455 + if (v8086_mode(regs))
11460 - if (!user_mode(regs))
11461 + if (!user_mode_novm(regs))
11464 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
11465 + if (!nx_enabled && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
11466 + struct mm_struct *mm = tsk->mm;
11467 + unsigned long limit;
11469 + down_write(&mm->mmap_sem);
11470 + limit = mm->context.user_cs_limit;
11471 + if (limit < TASK_SIZE) {
11472 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
11473 + up_write(&mm->mmap_sem);
11476 + up_write(&mm->mmap_sem);
11480 tsk->thread.error_code = error_code;
11481 tsk->thread.trap_no = 13;
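Review bot: The new PAGEEXEC block takes `down_write(&mm->mmap_sem)` inside the #GP handler without a comment saying why that is safe; it sits on the user-mode path after `conditional_sti(regs)` and the `user_mode_novm` check, so sleeping is permitted here, but the next reader has to work that out. A short comment on what the limit bump means would also help, along the lines of `/* PAGEEXEC without NX emulates non-exec pages with the CS segment limit; a user #GP may be a fetch above the current limit, so let track_exec_limit() widen it before treating this as a fault */` — that is my reading of `user_cs_limit`, confirm it. The `tsk->mm &&` test is needed because a kernel thread has no mm; keep it. do_general_protection continues outside the hunk.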
11483 @@ -308,6 +322,13 @@ gp_in_kernel:
11484 if (notify_die(DIE_GPF, "general protection fault", regs,
11485 error_code, 13, SIGSEGV) == NOTIFY_STOP)
11488 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
11489 + if ((regs->cs & 0xFFFF) == __KERNEL_CS)
11490 + die("PAX: suspicious general protection fault", regs, error_code);
11494 die("general protection fault", regs, error_code);
11497 @@ -561,7 +582,7 @@ dotraplinkage void __kprobes do_debug(st
11500 #ifdef CONFIG_X86_32
11501 - if (regs->flags & X86_VM_MASK)
11502 + if (v8086_mode(regs))
11506 @@ -573,7 +594,7 @@ dotraplinkage void __kprobes do_debug(st
11507 * kernel space (but re-enable TF when returning to user mode).
11509 if (condition & DR_STEP) {
11510 - if (!user_mode(regs))
11511 + if (!user_mode_novm(regs))
11512 goto clear_TF_reenable;
11515 @@ -760,7 +781,7 @@ do_simd_coprocessor_error(struct pt_regs
11516 * Handle strange cache flush from user space exception
11517 * in all other cases. This is undocumented behaviour.
11519 - if (regs->flags & X86_VM_MASK) {
11520 + if (v8086_mode(regs)) {
11521 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
11524 @@ -789,19 +810,14 @@ do_spurious_interrupt_bug(struct pt_regs
11525 #ifdef CONFIG_X86_32
11526 unsigned long patch_espfix_desc(unsigned long uesp, unsigned long kesp)
11528 - struct desc_struct *gdt = get_cpu_gdt_table(smp_processor_id());
11529 unsigned long base = (kesp - uesp) & -THREAD_SIZE;
11530 unsigned long new_kesp = kesp - base;
11531 unsigned long lim_pages = (new_kesp | (THREAD_SIZE - 1)) >> PAGE_SHIFT;
11532 - __u64 desc = *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS];
11533 + struct desc_struct ss;
11535 /* Set up base for espfix segment */
11536 - desc &= 0x00f0ff0000000000ULL;
11537 - desc |= ((((__u64)base) << 16) & 0x000000ffffff0000ULL) |
11538 - ((((__u64)base) << 32) & 0xff00000000000000ULL) |
11539 - ((((__u64)lim_pages) << 32) & 0x000f000000000000ULL) |
11540 - (lim_pages & 0xffff);
11541 - *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS] = desc;
11542 + pack_descriptor(&ss, base, lim_pages, 0x93, 0xC);
11543 + write_gdt_entry(get_cpu_gdt_table(smp_processor_id()), GDT_ENTRY_ESPFIX_SS, &ss, DESCTYPE_S);
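Review bot: `pack_descriptor(&ss, base, lim_pages, 0x93, 0xC)` rebuilds the espfix descriptor from fixed type and flag bytes, whereas the replaced code preserved the type, DPL and flag bits already present in the GDT entry via the `0x00f0ff...` mask; any change to the initial `GDT_ENTRY_ESPFIX_SS` template elsewhere is now silently overridden here. If that is intended, spell the byte the way setup_percpu_segment in this patch does, `0x80 | DESCTYPE_S | 0x3`, and add `/* present, DPL0, RW data; 32-bit, page granular */` so the two sites visibly agree. Going through `write_gdt_entry()` instead of a raw 64-bit store is the right change for paravirt guests.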
11547 diff -urNp linux-2.6.31/arch/x86/kernel/tsc.c linux-2.6.31/arch/x86/kernel/tsc.c
11548 --- linux-2.6.31/arch/x86/kernel/tsc.c 2009-08-27 20:59:04.000000000 -0400
11549 +++ linux-2.6.31/arch/x86/kernel/tsc.c 2009-09-06 15:29:11.224159479 -0400
11550 @@ -790,7 +790,7 @@ static struct dmi_system_id __initdata b
11551 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
11555 + { NULL, NULL, {{0, {0}}}, NULL}
11558 static void __init check_system_tsc_reliable(void)
11559 diff -urNp linux-2.6.31/arch/x86/kernel/vm86_32.c linux-2.6.31/arch/x86/kernel/vm86_32.c
11560 --- linux-2.6.31/arch/x86/kernel/vm86_32.c 2009-08-27 20:59:04.000000000 -0400
11561 +++ linux-2.6.31/arch/x86/kernel/vm86_32.c 2009-09-06 15:29:11.227509734 -0400
11562 @@ -148,7 +148,7 @@ struct pt_regs *save_v86_state(struct ke
11566 - tss = &per_cpu(init_tss, get_cpu());
11567 + tss = init_tss + get_cpu();
11568 current->thread.sp0 = current->thread.saved_sp0;
11569 current->thread.sysenter_cs = __KERNEL_CS;
11570 load_sp0(tss, ¤t->thread);
11571 @@ -324,7 +324,7 @@ static void do_sys_vm86(struct kernel_vm
11572 tsk->thread.saved_fs = info->regs32->fs;
11573 tsk->thread.saved_gs = get_user_gs(info->regs32);
11575 - tss = &per_cpu(init_tss, get_cpu());
11576 + tss = init_tss + get_cpu();
11577 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
11579 tsk->thread.sysenter_cs = 0;
11580 diff -urNp linux-2.6.31/arch/x86/kernel/vmi_32.c linux-2.6.31/arch/x86/kernel/vmi_32.c
11581 --- linux-2.6.31/arch/x86/kernel/vmi_32.c 2009-08-27 20:59:04.000000000 -0400
11582 +++ linux-2.6.31/arch/x86/kernel/vmi_32.c 2009-09-06 15:29:11.228210710 -0400
11583 @@ -102,18 +102,43 @@ static unsigned patch_internal(int call,
11586 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
11588 +#ifdef CONFIG_PAX_KERNEXEC
11589 + unsigned long cr0;
11592 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
11593 switch(rel->type) {
11594 case VMI_RELOCATION_CALL_REL:
11597 +#ifdef CONFIG_PAX_KERNEXEC
11598 + pax_open_kernel(cr0);
11601 *(char *)insnbuf = MNEM_CALL;
11602 patch_offset(insnbuf, ip, (unsigned long)rel->eip);
11604 +#ifdef CONFIG_PAX_KERNEXEC
11605 + pax_close_kernel(cr0);
11610 case VMI_RELOCATION_JUMP_REL:
11613 +#ifdef CONFIG_PAX_KERNEXEC
11614 + pax_open_kernel(cr0);
11617 *(char *)insnbuf = MNEM_JMP;
11618 patch_offset(insnbuf, ip, (unsigned long)rel->eip);
11620 +#ifdef CONFIG_PAX_KERNEXEC
11621 + pax_close_kernel(cr0);
11626 case VMI_RELOCATION_NOP:
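Review bot: The `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pair is duplicated verbatim in both the `VMI_RELOCATION_CALL_REL` and `VMI_RELOCATION_JUMP_REL` cases, each of which does the same two writes into `insnbuf`; one open/close around the whole `switch`, or around a small helper that takes the mnemonic byte, would halve the ifdef noise and make it impossible to add a case that opens without closing. The `VMI_RELOCATION_NOP` case and the remainder of patch_internal are outside the hunk, so check that no other case writes `insnbuf` without the wrapper.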
11627 @@ -404,13 +429,13 @@ static void vmi_set_pud(pud_t *pudp, pud
11629 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
11631 - const pte_t pte = { .pte = 0 };
11632 + const pte_t pte = __pte(0ULL);
11633 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
11636 static void vmi_pmd_clear(pmd_t *pmd)
11638 - const pte_t pte = { .pte = 0 };
11639 + const pte_t pte = __pte(0ULL);
11640 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
11643 @@ -438,8 +463,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
11644 ap.ss = __KERNEL_DS;
11645 ap.esp = (unsigned long) start_esp;
11647 - ap.ds = __USER_DS;
11648 - ap.es = __USER_DS;
11649 + ap.ds = __KERNEL_DS;
11650 + ap.es = __KERNEL_DS;
11651 ap.fs = __KERNEL_PERCPU;
11652 ap.gs = __KERNEL_STACK_CANARY;
11654 @@ -640,12 +665,20 @@ static inline int __init activate_vmi(vo
11656 const struct vmi_relocation_info *rel = (struct vmi_relocation_info *)&reloc;
11658 +#ifdef CONFIG_PAX_KERNEXEC
11659 + unsigned long cr0;
11662 if (call_vrom_func(vmi_rom, vmi_init) != 0) {
11663 printk(KERN_ERR "VMI ROM failed to initialize!");
11666 savesegment(cs, kernel_cs);
11668 +#ifdef CONFIG_PAX_KERNEXEC
11669 + pax_open_kernel(cr0);
11672 pv_info.paravirt_enabled = 1;
11673 pv_info.kernel_rpl = kernel_cs & SEGMENT_RPL_MASK;
11674 pv_info.name = "vmi";
11675 @@ -836,6 +869,10 @@ static inline int __init activate_vmi(vo
11677 para_fill(pv_irq_ops.safe_halt, Halt);
11679 +#ifdef CONFIG_PAX_KERNEXEC
11680 + pax_close_kernel(cr0);
11684 * Alternative instruction rewriting doesn't happen soon enough
11685 * to convert VMI_IRET to a call instead of a jump; so we have
11686 diff -urNp linux-2.6.31/arch/x86/kernel/vmlinux.lds.S linux-2.6.31/arch/x86/kernel/vmlinux.lds.S
11687 --- linux-2.6.31/arch/x86/kernel/vmlinux.lds.S 2009-08-27 20:59:04.000000000 -0400
11688 +++ linux-2.6.31/arch/x86/kernel/vmlinux.lds.S 2009-09-06 15:29:11.228210710 -0400
11690 #include <asm/page_types.h>
11691 #include <asm/cache.h>
11692 #include <asm/boot.h>
11693 +#include <asm/segment.h>
11697 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
11698 +#define PMD_SHIFT 21
11700 +#define PMD_SHIFT 22
11702 +#define PMD_SIZE (1 << PMD_SHIFT)
11704 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
11705 +#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + (((____LOAD_PHYSICAL_ADDR + PMD_SIZE - 1) - 1) & ~(PMD_SIZE - 1)))
11707 +#define __KERNEL_TEXT_OFFSET 0
11710 #undef i386 /* in case the preprocessor is a 32bit one */
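Review bot: `__KERNEL_TEXT_OFFSET` is defined as `(((____LOAD_PHYSICAL_ADDR + PMD_SIZE - 1) - 1) & ~(PMD_SIZE - 1))`, which rounds `____LOAD_PHYSICAL_ADDR - 1` up to a PMD boundary rather than `____LOAD_PHYSICAL_ADDR` itself; the two agree whenever the load address is page aligned, so the extra `- 1` only obscures the intent. Either write the usual `(____LOAD_PHYSICAL_ADDR + PMD_SIZE - 1) & ~(PMD_SIZE - 1)` or leave a comment explaining the off-by-one. The local `PMD_SHIFT` definitions duplicate values from the pgtable headers; a comment saying why those headers cannot be included in the linker script (I assume a preprocessing constraint) would stop someone from "fixing" it.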
11712 @@ -34,40 +50,52 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
11713 #ifdef CONFIG_X86_32
11715 ENTRY(phys_startup_32)
11716 -jiffies = jiffies_64;
11718 OUTPUT_ARCH(i386:x86-64)
11719 ENTRY(phys_startup_64)
11720 -jiffies_64 = jiffies;
11723 +jiffies = jiffies_64;
11726 text PT_LOAD FLAGS(5); /* R_E */
11727 - data PT_LOAD FLAGS(7); /* RWE */
11728 + rodata PT_LOAD FLAGS(4); /* R__ */
11729 + data PT_LOAD FLAGS(6); /* RW_ */
11730 #ifdef CONFIG_X86_64
11731 - user PT_LOAD FLAGS(7); /* RWE */
11732 + user PT_LOAD FLAGS(5); /* R_E */
11734 + smp PT_LOAD FLAGS(6); /* RW_ */
11736 - percpu PT_LOAD FLAGS(7); /* RWE */
11737 + percpu PT_LOAD FLAGS(6); /* RW_ */
11739 + text.init PT_LOAD FLAGS(5); /* R_E */
11740 init PT_LOAD FLAGS(7); /* RWE */
11742 note PT_NOTE FLAGS(0); /* ___ */
11747 #ifdef CONFIG_X86_32
11748 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
11749 - phys_startup_32 = startup_32 - LOAD_OFFSET;
11750 +#ifdef CONFIG_PAX_KERNEXEC
11753 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
11756 - . = __START_KERNEL;
11757 - phys_startup_64 = startup_64 - LOAD_OFFSET;
11758 + . = __START_KERNEL;
11761 /* Text and read-only data */
11763 /* bootstrapping code */
11764 - .text.head : AT(ADDR(.text.head) - LOAD_OFFSET) {
11765 + .text.head : AT(ADDR(.text.head) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
11766 +#ifdef CONFIG_X86_32
11767 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
11769 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
11771 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
11772 + KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;
11776 @@ -92,7 +120,10 @@ SECTIONS
11780 - NOTES :text :note
11781 + . += __KERNEL_TEXT_OFFSET;
11783 + . = ALIGN(PAGE_SIZE);
11784 + NOTES :rodata :note
11786 /* Exception table */
11788 @@ -100,22 +131,53 @@ SECTIONS
11789 __start___ex_table = .;
11791 __stop___ex_table = .;
11797 +#ifdef CONFIG_X86_32
11798 + . = ALIGN(PAGE_SIZE);
11799 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
11801 + . = ALIGN(PAGE_SIZE);
11802 + *(.empty_zero_page)
11803 + *(.swapper_pg_pmd)
11804 + *(.swapper_pg_dir)
11806 +#if defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_MODULES)
11807 + . = ALIGN(PMD_SIZE);
11812 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
11813 + . = ALIGN(PAGE_SIZE);
11814 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
11815 + MODULES_EXEC_VADDR = .;
11817 + . += (8 * 1024 * 1024);
11818 + . = ALIGN(PMD_SIZE);
11819 + MODULES_EXEC_END = . - 1;
11825 .data : AT(ADDR(.data) - LOAD_OFFSET) {
11827 +#ifdef CONFIG_PAX_KERNEXEC
11828 + . = ALIGN(PMD_SIZE);
11830 + . = ALIGN(PAGE_SIZE);
11833 /* Start of data section */
11837 INIT_TASK_DATA(THREAD_SIZE)
11839 -#ifdef CONFIG_X86_32
11840 - /* 32 bit has nosave before _edata */
11844 PAGE_ALIGNED_DATA(PAGE_SIZE)
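Review bot: The module text window in `.module.text` is a bare `. += (8 * 1024 * 1024);` with no name and no comment, so the only place this limit exists is an unexplained constant in the linker script; give it a symbol such as `MODULES_EXEC_SIZE` and state what happens when loaded module code exceeds it. The `ALIGN(PMD_SIZE)` steps added under `CONFIG_PAX_KERNEXEC` here and before `.data` each cost up to a large page of padding in the image; a one-line comment that the large-page boundary is what allows text, rodata and data to carry distinct page-table permissions would justify the cost. `MODULES_EXEC_END = . - 1` is an inclusive end while `MODULES_EXEC_VADDR` is a start, which differs from the exclusive `__stop___ex_table` convention used just above; either say so in a comment or make the end exclusive. The SECTIONS body continues outside the hunk.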
11846 @@ -182,12 +244,6 @@ SECTIONS
11848 vgetcpu_mode = VVIRT(.vgetcpu_mode);
11850 - . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
11851 - .jiffies : AT(VLOAD(.jiffies)) {
11854 - jiffies = VVIRT(.jiffies);
11856 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
11859 @@ -204,13 +260,31 @@ SECTIONS
11861 #endif /* CONFIG_X86_64 */
11864 + * smp_locks might be freed after init
11865 + * start/end must be page aligned
11867 + . = ALIGN(PAGE_SIZE);
11868 + .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
11870 +#ifdef CONFIG_PAX_KERNEXEC
11871 + . = ALIGN(PMD_SIZE);
11873 + . = ALIGN(PAGE_SIZE);
11878 + __smp_locks_end = .;
11881 /* Init code and data - will be freed after init */
11882 . = ALIGN(PAGE_SIZE);
11883 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
11884 __init_begin = .; /* paired with __init_end */
11887 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
11890 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
11891 * output PHDR, so the next output section - .init.text - should
11892 @@ -219,18 +293,25 @@ SECTIONS
11893 PERCPU_VADDR(0, :percpu)
11896 - .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
11898 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
11905 + * .exit.text is discard at runtime, not link time, to deal with
11906 + * references from .altinstructions and .eh_frame
11908 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
11911 -#ifdef CONFIG_X86_64
11914 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
11916 .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
11922 .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
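Review bot: The manual `. = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);` silently re-synchronises the location counter after `.init.text` was emitted at a VMA shifted by `(. - __KERNEL_TEXT_OFFSET)`, and nothing explains why. A comment along the lines of `/* init/exit code is linked at the kernel-text alias so it can run from the executable segment under KERNEXEC, but loaded at init_begin; restore the counter by hand */` (adjusted to the real reason) would keep the next editor from "simplifying" it away. `init_begin` (no underscores) is used here while the hunk above defines `__init_begin`; its definition is presumably in a line outside this view, but naming the two so differently invites confusion. The SECTIONS body continues outside the hunk.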
11923 @@ -276,14 +357,6 @@ SECTIONS
11924 *(.altinstr_replacement)
11928 - * .exit.text is discard at runtime, not link time, to deal with
11929 - * references from .altinstructions and .eh_frame
11931 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
11935 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
11938 @@ -297,7 +370,7 @@ SECTIONS
11942 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
11943 +#ifndef CONFIG_SMP
11947 @@ -308,24 +381,6 @@ SECTIONS
11952 - * smp_locks might be freed after init
11953 - * start/end must be page aligned
11955 - . = ALIGN(PAGE_SIZE);
11956 - .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
11959 - __smp_locks_end = .;
11960 - . = ALIGN(PAGE_SIZE);
11963 -#ifdef CONFIG_X86_64
11964 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
11970 . = ALIGN(PAGE_SIZE);
11971 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
11972 @@ -341,6 +396,7 @@ SECTIONS
11974 . += 64 * 1024; /* 64k alignment slop space */
11975 *(.brk_reservation) /* areas brk users have reserved */
11976 + . = ALIGN(PMD_SIZE);
11980 @@ -369,13 +425,12 @@ SECTIONS
11981 * for the boot processor.
11983 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
11984 -INIT_PER_CPU(gdt_page);
11985 INIT_PER_CPU(irq_stack_union);
11988 * Build-time check on the image size:
11990 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
11991 +. = ASSERT((_end - KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
11992 "kernel image bigger than KERNEL_IMAGE_SIZE");
11995 diff -urNp linux-2.6.31/arch/x86/kernel/vsyscall_64.c linux-2.6.31/arch/x86/kernel/vsyscall_64.c
11996 --- linux-2.6.31/arch/x86/kernel/vsyscall_64.c 2009-08-27 20:59:04.000000000 -0400
11997 +++ linux-2.6.31/arch/x86/kernel/vsyscall_64.c 2009-09-06 15:29:11.229372192 -0400
11998 @@ -79,6 +79,7 @@ void update_vsyscall(struct timespec *wa
12000 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
12001 /* copy vsyscall data */
12002 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
12003 vsyscall_gtod_data.clock.vread = clock->vread;
12004 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
12005 vsyscall_gtod_data.clock.mask = clock->mask;
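Review bot: The new `strlcpy(vsyscall_gtod_data.clock.name, clock->name, ...)` has no comment saying why the clocksource name must be mirrored into the vsyscall data (nothing in this hunk reads it), and `strlcpy` will silently truncate a name longer than the destination. If the copy exists so the name can later be compared against a clocksource's name, a truncated copy would never match; either ensure the destination is sized for the longest clocksource name or add a comment such as `/* mirrored for X; truncation is harmless because Y */`. update_vsyscall continues outside the hunk.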
12006 @@ -201,7 +202,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
12007 We do this here because otherwise user space would do it on
12008 its own in a likely inferior way (no access to jiffies).
12009 If you don't like it pass NULL. */
12010 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
12011 + if (tcache && tcache->blob[0] == (j = jiffies)) {
12012 p = tcache->blob[1];
12013 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
12014 /* Load per CPU data from RDTSCP */
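Review bot: `j = jiffies` now reads the kernel's `jiffies` symbol, which the linker-script hunk in this same patch aliases to `jiffies_64` in kernel data instead of the vsyscall-page `.jiffies` section that `__jiffies` pointed at (that section is also removed by this patch). In mainline 2.6.31 vgetcpu executes in ring 3 from the fixmapped vsyscall page, so unless another hunk routes vgetcpu through a real system call, this load touches an address that is not user-readable and faults; please confirm which, and record the assumption in a comment at this line. If the vsyscall page is indeed no longer executed from userspace, the `tcache` fast path and the surrounding comment about "no access to jiffies" are stale and could go. vgetcpu starts and ends outside the hunk.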
12015 @@ -240,13 +241,13 @@ static ctl_table kernel_table2[] = {
12016 .data = &vsyscall_gtod_data.sysctl_enabled, .maxlen = sizeof(int),
12018 .proc_handler = vsyscall_sysctl_change },
12020 + { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
12023 static ctl_table kernel_root_table2[] = {
12024 { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
12025 .child = kernel_table2 },
12027 + { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
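Review bot: The two terminators `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` are positional initialisers that spell out every `ctl_table` field, so they break or silently shift the moment a field is added or reordered in `struct ctl_table`. A designated form such as `{ .ctl_name = 0 }` (or the kernel's empty `{ }` initialiser, if this was changed only to silence a missing-field-initializer warning) expresses the same all-zero terminator and survives layout changes.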
12031 diff -urNp linux-2.6.31/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.31/arch/x86/kernel/x8664_ksyms_64.c
12032 --- linux-2.6.31/arch/x86/kernel/x8664_ksyms_64.c 2009-08-27 20:59:04.000000000 -0400
12033 +++ linux-2.6.31/arch/x86/kernel/x8664_ksyms_64.c 2009-09-06 15:29:11.229372192 -0400
12034 @@ -30,8 +30,6 @@ EXPORT_SYMBOL(__put_user_8);
12036 EXPORT_SYMBOL(copy_user_generic);
12037 EXPORT_SYMBOL(__copy_user_nocache);
12038 -EXPORT_SYMBOL(copy_from_user);
12039 -EXPORT_SYMBOL(copy_to_user);
12040 EXPORT_SYMBOL(__copy_from_user_inatomic);
12042 EXPORT_SYMBOL(copy_page);
12043 diff -urNp linux-2.6.31/arch/x86/kvm/svm.c linux-2.6.31/arch/x86/kvm/svm.c
12044 --- linux-2.6.31/arch/x86/kvm/svm.c 2009-08-27 20:59:04.000000000 -0400
12045 +++ linux-2.6.31/arch/x86/kvm/svm.c 2009-09-06 15:29:11.230496162 -0400
12046 @@ -2289,7 +2289,19 @@ static void reload_tss(struct kvm_vcpu *
12047 int cpu = raw_smp_processor_id();
12049 struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
12051 +#ifdef CONFIG_PAX_KERNEXEC
12052 + unsigned long cr0;
12054 + pax_open_kernel(cr0);
12057 svm_data->tss_desc->type = 9; /* available 32/64-bit TSS */
12059 +#ifdef CONFIG_PAX_KERNEXEC
12060 + pax_close_kernel(cr0);
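Review bot: The `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pair around the TSS-type write is wrapped in three separate `#ifdef CONFIG_PAX_KERNEXEC` blocks (local, open, close), a pattern this patch repeats in vmx.c; the usual kernel shape is to make the helpers expand to nothing when the option is off so call sites stay unconditional. If `pax_open_kernel` works by clearing CR0.WP on the current CPU, any interrupt or NMI taken between the two calls runs with write protection off; reload_tss is reached from the VM-exit path, so please confirm that interrupts are masked here or that the helper masks them itself, and note that in a comment at the open call. The start of reload_tss lies outside the hunk.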
12066 @@ -2673,7 +2685,7 @@ static u64 svm_get_mt_mask(struct kvm_vc
12070 -static struct kvm_x86_ops svm_x86_ops = {
12071 +static const struct kvm_x86_ops svm_x86_ops = {
12072 .cpu_has_kvm_support = has_svm,
12073 .disabled_by_bios = is_disabled,
12074 .hardware_setup = svm_hardware_setup,
12075 diff -urNp linux-2.6.31/arch/x86/kvm/vmx.c linux-2.6.31/arch/x86/kvm/vmx.c
12076 --- linux-2.6.31/arch/x86/kvm/vmx.c 2009-08-27 20:59:04.000000000 -0400
12077 +++ linux-2.6.31/arch/x86/kvm/vmx.c 2009-09-06 15:29:11.232197800 -0400
12078 @@ -519,9 +519,23 @@ static void reload_tss(void)
12079 struct descriptor_table gdt;
12080 struct desc_struct *descs;
12082 +#ifdef CONFIG_PAX_KERNEXEC
12083 + unsigned long cr0;
12087 descs = (void *)gdt.base;
12089 +#ifdef CONFIG_PAX_KERNEXEC
12090 + pax_open_kernel(cr0);
12093 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
12095 +#ifdef CONFIG_PAX_KERNEXEC
12096 + pax_close_kernel(cr0);
12102 @@ -1324,6 +1338,11 @@ static __init int alloc_kvm_area(void)
12104 static __init int hardware_setup(void)
12107 +#ifdef CONFIG_PAX_KERNEXEC
12108 + unsigned long cr0;
12111 if (setup_vmcs_config(&vmcs_config) < 0)
12114 @@ -1339,8 +1358,19 @@ static __init int hardware_setup(void)
12115 if (!cpu_has_vmx_flexpriority())
12116 flexpriority_enabled = 0;
12118 - if (!cpu_has_vmx_tpr_shadow())
12119 - kvm_x86_ops->update_cr8_intercept = NULL;
12120 + if (!cpu_has_vmx_tpr_shadow()) {
12122 +#ifdef CONFIG_PAX_KERNEXEC
12123 + pax_open_kernel(cr0);
12126 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
12128 +#ifdef CONFIG_PAX_KERNEXEC
12129 + pax_close_kernel(cr0);
12134 return alloc_kvm_area();
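Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast that strips the `const` this patch adds to `kvm_x86_ops`, and the object behind it is now `static const struct kvm_x86_ops vmx_x86_ops`; modifying an object defined `const` is undefined behaviour regardless of the CR0.WP dance, and the compiler may assume the member still holds `vmx_update_cr8_intercept` at other call sites. A safer shape keeps the ops table truly immutable and moves the decision into the callee, e.g. have `vmx_update_cr8_intercept` return early when `!cpu_has_vmx_tpr_shadow()` (or test a `static bool` set here), after which the `pax_open_kernel`/`pax_close_kernel` block and the `unsigned long cr0` local in hardware_setup can be dropped. At minimum the cast needs a comment stating that this is a deliberate one-time patch of rodata performed before any vCPU exists. hardware_setup continues outside the hunk.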
12136 @@ -2242,7 +2272,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
12137 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
12139 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
12140 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
12141 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
12142 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
12143 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
12144 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
12145 @@ -3494,6 +3524,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
12146 "jmp .Lkvm_vmx_return \n\t"
12147 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
12148 ".Lkvm_vmx_return: "
12150 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
12151 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
12152 + ".Lkvm_vmx_return2: "
12155 /* Save guest registers, load host registers, keep flags */
12156 "xchg %0, (%%"R"sp) \n\t"
12157 "mov %%"R"ax, %c[rax](%0) \n\t"
12158 @@ -3540,6 +3576,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
12159 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
12161 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
12163 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
12164 + ,[cs]"i"(__KERNEL_CS)
12168 , R"bx", R"di", R"si"
12169 #ifdef CONFIG_X86_64
12170 @@ -3556,7 +3597,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
12171 if (vmx->rmode.irq.pending)
12172 fixup_rmode_irq(vmx);
12174 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
12175 + asm("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
12178 vmx_complete_interrupts(vmx);
12179 @@ -3699,7 +3740,7 @@ static u64 vmx_get_mt_mask(struct kvm_vc
12183 -static struct kvm_x86_ops vmx_x86_ops = {
12184 +static const struct kvm_x86_ops vmx_x86_ops = {
12185 .cpu_has_kvm_support = cpu_has_kvm_support,
12186 .disabled_by_bios = vmx_disabled_by_bios,
12187 .hardware_setup = hardware_setup,
12188 diff -urNp linux-2.6.31/arch/x86/kvm/x86.c linux-2.6.31/arch/x86/kvm/x86.c
12189 --- linux-2.6.31/arch/x86/kvm/x86.c 2009-08-27 20:59:04.000000000 -0400
12190 +++ linux-2.6.31/arch/x86/kvm/x86.c 2009-09-06 15:29:11.233293906 -0400
12191 @@ -73,42 +73,42 @@ static int kvm_dev_ioctl_get_supported_c
12192 struct kvm_cpuid_entry2 *kvm_find_cpuid_entry(struct kvm_vcpu *vcpu,
12193 u32 function, u32 index);
12195 -struct kvm_x86_ops *kvm_x86_ops;
12196 +const struct kvm_x86_ops *kvm_x86_ops;
12197 EXPORT_SYMBOL_GPL(kvm_x86_ops);
12199 struct kvm_stats_debugfs_item debugfs_entries[] = {
12200 - { "pf_fixed", VCPU_STAT(pf_fixed) },
12201 - { "pf_guest", VCPU_STAT(pf_guest) },
12202 - { "tlb_flush", VCPU_STAT(tlb_flush) },
12203 - { "invlpg", VCPU_STAT(invlpg) },
12204 - { "exits", VCPU_STAT(exits) },
12205 - { "io_exits", VCPU_STAT(io_exits) },
12206 - { "mmio_exits", VCPU_STAT(mmio_exits) },
12207 - { "signal_exits", VCPU_STAT(signal_exits) },
12208 - { "irq_window", VCPU_STAT(irq_window_exits) },
12209 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
12210 - { "halt_exits", VCPU_STAT(halt_exits) },
12211 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
12212 - { "hypercalls", VCPU_STAT(hypercalls) },
12213 - { "request_irq", VCPU_STAT(request_irq_exits) },
12214 - { "irq_exits", VCPU_STAT(irq_exits) },
12215 - { "host_state_reload", VCPU_STAT(host_state_reload) },
12216 - { "efer_reload", VCPU_STAT(efer_reload) },
12217 - { "fpu_reload", VCPU_STAT(fpu_reload) },
12218 - { "insn_emulation", VCPU_STAT(insn_emulation) },
12219 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
12220 - { "irq_injections", VCPU_STAT(irq_injections) },
12221 - { "nmi_injections", VCPU_STAT(nmi_injections) },
12222 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
12223 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
12224 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
12225 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
12226 - { "mmu_flooded", VM_STAT(mmu_flooded) },
12227 - { "mmu_recycled", VM_STAT(mmu_recycled) },
12228 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
12229 - { "mmu_unsync", VM_STAT(mmu_unsync) },
12230 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
12231 - { "largepages", VM_STAT(lpages) },
12232 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
12233 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
12234 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
12235 + { "invlpg", VCPU_STAT(invlpg), NULL },
12236 + { "exits", VCPU_STAT(exits), NULL },
12237 + { "io_exits", VCPU_STAT(io_exits), NULL },
12238 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
12239 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
12240 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
12241 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
12242 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
12243 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
12244 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
12245 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
12246 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
12247 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
12248 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
12249 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
12250 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
12251 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
12252 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
12253 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
12254 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
12255 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
12256 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
12257 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
12258 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
12259 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
12260 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
12261 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
12262 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
12263 + { "largepages", VM_STAT(lpages), NULL },
12267 @@ -1472,7 +1472,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
12268 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
12269 struct kvm_interrupt *irq)
12271 - if (irq->irq < 0 || irq->irq >= 256)
12272 + if (irq->irq >= 256)
12274 if (irqchip_in_kernel(vcpu->kvm))
12276 @@ -2797,10 +2797,10 @@ static struct notifier_block kvmclock_cp
12277 .notifier_call = kvmclock_cpufreq_notifier
12280 -int kvm_arch_init(void *opaque)
12281 +int kvm_arch_init(const void *opaque)
12284 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
12285 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
12288 printk(KERN_ERR "kvm: already loaded the other module\n");
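Review bot: With the parameter now `const void *opaque`, the explicit `(const struct kvm_x86_ops *)opaque` cast is redundant — `const void *` converts implicitly to any `const T *` in C — and it would hide a future type mismatch; `const struct kvm_x86_ops *ops = opaque;` is enough. Since `kvm_x86_ops` is now a pointer to const and the svm/vmx tables are `static const`, a comment at this assignment that the ops table is expected to be immutable after registration would tell anyone needing a runtime override to put it in the callee rather than patch the table. kvm_arch_init continues outside the hunk.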
12289 diff -urNp linux-2.6.31/arch/x86/lguest/Kconfig linux-2.6.31/arch/x86/lguest/Kconfig
12290 --- linux-2.6.31/arch/x86/lguest/Kconfig 2009-08-27 20:59:04.000000000 -0400
12291 +++ linux-2.6.31/arch/x86/lguest/Kconfig 2009-09-06 15:29:11.234179927 -0400
12292 @@ -2,6 +2,7 @@ config LGUEST_GUEST
12293 bool "Lguest guest support"
12296 + depends on !PAX_KERNEXEC
12299 select VIRTIO_CONSOLE
12300 diff -urNp linux-2.6.31/arch/x86/lib/checksum_32.S linux-2.6.31/arch/x86/lib/checksum_32.S
12301 --- linux-2.6.31/arch/x86/lib/checksum_32.S 2009-08-27 20:59:04.000000000 -0400
12302 +++ linux-2.6.31/arch/x86/lib/checksum_32.S 2009-09-06 15:29:11.235224872 -0400
12304 #include <linux/linkage.h>
12305 #include <asm/dwarf2.h>
12306 #include <asm/errno.h>
12308 +#include <asm/segment.h>
12311 * computes a partial checksum, e.g. for TCP/UDP fragments
12313 @@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
12318 -ENTRY(csum_partial_copy_generic)
12320 +ENTRY(csum_partial_copy_generic_to_user)
12322 + pushl $(__USER_DS)
12323 + CFI_ADJUST_CFA_OFFSET 4
12325 + CFI_ADJUST_CFA_OFFSET -4
12326 + jmp csum_partial_copy_generic
12328 +ENTRY(csum_partial_copy_generic_from_user)
12329 + pushl $(__USER_DS)
12330 + CFI_ADJUST_CFA_OFFSET 4
12332 + CFI_ADJUST_CFA_OFFSET -4
12334 +ENTRY(csum_partial_copy_generic)
12336 CFI_ADJUST_CFA_OFFSET 4
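Review bot: The three entry points now share one body but differ in which segment register carries the user selector — `_to_user` loads `__USER_DS` for the `%es:`-prefixed DST stores, `_from_user` for the unprefixed SRC loads through `%ds` — and nothing at the labels says so, while the pops that consume the pushed selector are not visible in this excerpt. Add a short comment above each ENTRY stating the convention, e.g. `/* dst is user: stores go through %es = __USER_DS; src is kernel */` and `/* src is user: loads go through %ds = __USER_DS; dst is kernel */`, plus one on `csum_partial_copy_generic` saying callers must enter with both `%ds` and `%es` at kernel selectors. The fixup paths further down write the error codes with an `%ss:` override, presumably because `%ss` is the one data selector that is the same whichever variant was entered; a comment there would round this out. The function body runs past the hunk.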
12338 @@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
12340 SRC(1: movw (%esi), %bx )
12342 -DST( movw %bx, (%edi) )
12343 +DST( movw %bx, %es:(%edi) )
12347 @@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
12348 SRC(1: movl (%esi), %ebx )
12349 SRC( movl 4(%esi), %edx )
12351 -DST( movl %ebx, (%edi) )
12352 +DST( movl %ebx, %es:(%edi) )
12354 -DST( movl %edx, 4(%edi) )
12355 +DST( movl %edx, %es:4(%edi) )
12357 SRC( movl 8(%esi), %ebx )
12358 SRC( movl 12(%esi), %edx )
12360 -DST( movl %ebx, 8(%edi) )
12361 +DST( movl %ebx, %es:8(%edi) )
12363 -DST( movl %edx, 12(%edi) )
12364 +DST( movl %edx, %es:12(%edi) )
12366 SRC( movl 16(%esi), %ebx )
12367 SRC( movl 20(%esi), %edx )
12369 -DST( movl %ebx, 16(%edi) )
12370 +DST( movl %ebx, %es:16(%edi) )
12372 -DST( movl %edx, 20(%edi) )
12373 +DST( movl %edx, %es:20(%edi) )
12375 SRC( movl 24(%esi), %ebx )
12376 SRC( movl 28(%esi), %edx )
12378 -DST( movl %ebx, 24(%edi) )
12379 +DST( movl %ebx, %es:24(%edi) )
12381 -DST( movl %edx, 28(%edi) )
12382 +DST( movl %edx, %es:28(%edi) )
12386 @@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
12387 shrl $2, %edx # This clears CF
12388 SRC(3: movl (%esi), %ebx )
12390 -DST( movl %ebx, (%edi) )
12391 +DST( movl %ebx, %es:(%edi) )
12395 @@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
12397 SRC( movw (%esi), %cx )
12399 -DST( movw %cx, (%edi) )
12400 +DST( movw %cx, %es:(%edi) )
12404 SRC(5: movb (%esi), %cl )
12405 -DST( movb %cl, (%edi) )
12406 +DST( movb %cl, %es:(%edi) )
12410 @@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
12413 movl ARGBASE+20(%esp), %ebx # src_err_ptr
12414 - movl $-EFAULT, (%ebx)
12415 + movl $-EFAULT, %ss:(%ebx)
12417 # zero the complete destination - computing the rest
12419 @@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
12422 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
12423 - movl $-EFAULT,(%ebx)
12424 + movl $-EFAULT,%ss:(%ebx)
12430 + CFI_ADJUST_CFA_OFFSET 4
12432 + CFI_ADJUST_CFA_OFFSET -4
12434 + CFI_ADJUST_CFA_OFFSET 4
12436 + CFI_ADJUST_CFA_OFFSET -4
12438 CFI_ADJUST_CFA_OFFSET -4
12440 @@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
12441 CFI_ADJUST_CFA_OFFSET -4
12444 -ENDPROC(csum_partial_copy_generic)
12445 +ENDPROC(csum_partial_copy_generic_to_user)
12449 /* Version for PentiumII/PPro */
12451 #define ROUND1(x) \
12453 SRC(movl x(%esi), %ebx ) ; \
12454 addl %ebx, %eax ; \
12455 - DST(movl %ebx, x(%edi) ) ;
12456 + DST(movl %ebx, %es:x(%edi)) ;
12460 SRC(movl x(%esi), %ebx ) ; \
12461 adcl %ebx, %eax ; \
12462 - DST(movl %ebx, x(%edi) ) ;
12463 + DST(movl %ebx, %es:x(%edi)) ;
12467 -ENTRY(csum_partial_copy_generic)
12469 +ENTRY(csum_partial_copy_generic_to_user)
12471 + pushl $(__USER_DS)
12472 + CFI_ADJUST_CFA_OFFSET 4
12474 + CFI_ADJUST_CFA_OFFSET -4
12475 + jmp csum_partial_copy_generic
12477 +ENTRY(csum_partial_copy_generic_from_user)
12478 + pushl $(__USER_DS)
12479 + CFI_ADJUST_CFA_OFFSET 4
12481 + CFI_ADJUST_CFA_OFFSET -4
12483 +ENTRY(csum_partial_copy_generic)
12485 CFI_ADJUST_CFA_OFFSET 4
12486 CFI_REL_OFFSET ebx, 0
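Review bot: Only `csum_partial_copy_generic_to_user` gets an `ENDPROC`, so `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic`, both introduced with `ENTRY` in the hunk above, end up without the `.type`/`.size` that `ENDPROC` emits and carry wrong or missing function-symbol information in the object. Since the three share one body and one CFI region, closing the shared body with `ENDPROC(csum_partial_copy_generic)` and giving the two thin prologues their own `END()` (or `ENDPROC`) after the `jmp`/fall-through keeps the annotations consistent for tools that read symbol sizes. The same applies to the PentiumII/PPro copy whose entry points start in this hunk and whose closing `ENDPROC` is changed the same way further down.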
12487 @@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
12491 - lea 3f(%ebx,%ebx), %ebx
12492 + lea 3f(%ebx,%ebx,2), %ebx
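Review bot: `lea 3f(%ebx,%ebx,2), %ebx` hard-codes the byte length of one unrolled ROUND into the computed jump, and this hunk changes the scale from 2 to 3 presumably to match the new size of each round after the `%es:` prefix was added to every `DST(movl %ebx, %es:x(%edi))`. Nothing records that dependency, so the next person who touches ROUND1/ROUND (or drops the override) will silently jump into the middle of an instruction; add a comment stating the per-round size the arithmetic assumes and, if the assembler allows, an `.if`/`.error` check comparing the distance between two adjacent round labels against that constant. The enclosing csum_partial_copy_generic body lies outside this hunk.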
12496 @@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
12498 SRC( movw (%esi), %dx )
12500 -DST( movw %dx, (%edi) )
12501 +DST( movw %dx, %es:(%edi) )
12506 SRC( movb (%esi), %dl )
12507 -DST( movb %dl, (%edi) )
12508 +DST( movb %dl, %es:(%edi) )
12512 .section .fixup, "ax"
12513 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
12514 - movl $-EFAULT, (%ebx)
12515 + movl $-EFAULT, %ss:(%ebx)
12516 # zero the complete destination (computing the rest is too much work)
12517 movl ARGBASE+8(%esp),%edi # dst
12518 movl ARGBASE+12(%esp),%ecx # len
12519 @@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
12522 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
12523 - movl $-EFAULT, (%ebx)
12524 + movl $-EFAULT, %ss:(%ebx)
12529 + CFI_ADJUST_CFA_OFFSET 4
12531 + CFI_ADJUST_CFA_OFFSET -4
12533 + CFI_ADJUST_CFA_OFFSET 4
12535 + CFI_ADJUST_CFA_OFFSET -4
12537 CFI_ADJUST_CFA_OFFSET -4
12539 @@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
12543 -ENDPROC(csum_partial_copy_generic)
12544 +ENDPROC(csum_partial_copy_generic_to_user)
12548 diff -urNp linux-2.6.31/arch/x86/lib/clear_page_64.S linux-2.6.31/arch/x86/lib/clear_page_64.S
12549 --- linux-2.6.31/arch/x86/lib/clear_page_64.S 2009-08-27 20:59:04.000000000 -0400
12550 +++ linux-2.6.31/arch/x86/lib/clear_page_64.S 2009-09-06 15:29:11.235224872 -0400
12551 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
12553 #include <asm/cpufeature.h>
12555 - .section .altinstr_replacement,"ax"
12556 + .section .altinstr_replacement,"a"
12557 1: .byte 0xeb /* jmp <disp8> */
12558 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
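Review bot: The change from `"ax"` to `"a"` on `.altinstr_replacement` has no comment, and a reader will wonder how a section of instruction bytes can be non-executable. Presumably the bytes are only ever copied over the original site by the alternatives patching code and never executed in place, so under KERNEXEC they belong with read-only data rather than text; a one-line comment such as `/* replacement bytes are copied by apply_alternatives(), never executed here: keep them out of the executable segment */` next to the `.section` directive would explain it, and the same comment fits the identical changes in copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S.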
12560 diff -urNp linux-2.6.31/arch/x86/lib/copy_page_64.S linux-2.6.31/arch/x86/lib/copy_page_64.S
12561 --- linux-2.6.31/arch/x86/lib/copy_page_64.S 2009-08-27 20:59:04.000000000 -0400
12562 +++ linux-2.6.31/arch/x86/lib/copy_page_64.S 2009-09-06 15:29:11.235224872 -0400
12563 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
12565 #include <asm/cpufeature.h>
12567 - .section .altinstr_replacement,"ax"
12568 + .section .altinstr_replacement,"a"
12569 1: .byte 0xeb /* jmp <disp8> */
12570 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
12572 diff -urNp linux-2.6.31/arch/x86/lib/copy_user_64.S linux-2.6.31/arch/x86/lib/copy_user_64.S
12573 --- linux-2.6.31/arch/x86/lib/copy_user_64.S 2009-08-27 20:59:04.000000000 -0400
12574 +++ linux-2.6.31/arch/x86/lib/copy_user_64.S 2009-09-06 15:29:11.236230809 -0400
12576 .byte 0xe9 /* 32bit jump */
12577 .long \orig-1f /* by default jump to orig */
12579 - .section .altinstr_replacement,"ax"
12580 + .section .altinstr_replacement,"a"
12581 2: .byte 0xe9 /* near jump with 32bit immediate */
12582 .long \alt-1b /* offset */ /* or alternatively to alt */
12588 -/* Standard copy_to_user with segment limit checking */
12589 -ENTRY(copy_to_user)
12591 - GET_THREAD_INFO(%rax)
12595 - cmpq TI_addr_limit(%rax),%rcx
12597 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
12599 -ENDPROC(copy_to_user)
12601 -/* Standard copy_from_user with segment limit checking */
12602 -ENTRY(copy_from_user)
12604 - GET_THREAD_INFO(%rax)
12608 - cmpq TI_addr_limit(%rax),%rcx
12609 - jae bad_from_user
12610 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
12612 -ENDPROC(copy_from_user)
12614 ENTRY(copy_user_generic)
12616 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
12617 @@ -107,6 +81,8 @@ ENDPROC(__copy_from_user_inatomic)
12618 ENTRY(bad_from_user)
12626 diff -urNp linux-2.6.31/arch/x86/lib/getuser.S linux-2.6.31/arch/x86/lib/getuser.S
12627 --- linux-2.6.31/arch/x86/lib/getuser.S 2009-08-27 20:59:04.000000000 -0400
12628 +++ linux-2.6.31/arch/x86/lib/getuser.S 2009-09-06 15:29:11.236230809 -0400
12630 #include <asm/asm-offsets.h>
12631 #include <asm/thread_info.h>
12632 #include <asm/asm.h>
12633 +#include <asm/segment.h>
12636 ENTRY(__get_user_1)
12637 @@ -40,7 +41,19 @@ ENTRY(__get_user_1)
12638 GET_THREAD_INFO(%_ASM_DX)
12639 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
12642 +#ifdef CONFIG_X86_32
12643 + pushl $(__USER_DS)
12647 1: movzb (%_ASM_AX),%edx
12649 +#ifdef CONFIG_X86_32
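Review bot: The `pushl $(__USER_DS)` that reloads a segment register for the user access (and the matching restore after the load, not visible here) is open-coded in each `__get_user_N`, and the error path at `bad_get_user` appears to get its own copy further down; an assembler macro pair defined once would keep the selector switch and its `CFI_ADJUST_CFA_OFFSET` bookkeeping in one place. Whatever it is called, add a one-line comment at the first use stating the segment convention this relies on (the kernel now runs with a kernel data selector and user memory is reached only through `__USER_DS`), since nothing in the file says why a flat-model kernel suddenly needs segment reloads around a single `movzb`. `__get_user_1` starts outside the hunk.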
12657 @@ -53,7 +66,19 @@ ENTRY(__get_user_2)
12658 GET_THREAD_INFO(%_ASM_DX)
12659 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
12662 +#ifdef CONFIG_X86_32
12663 + pushl $(__USER_DS)
12667 2: movzwl -1(%_ASM_AX),%edx
12669 +#ifdef CONFIG_X86_32
12677 @@ -66,7 +91,19 @@ ENTRY(__get_user_4)
12678 GET_THREAD_INFO(%_ASM_DX)
12679 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
12682 +#ifdef CONFIG_X86_32
12683 + pushl $(__USER_DS)
12687 3: mov -3(%_ASM_AX),%edx
12689 +#ifdef CONFIG_X86_32
12697 @@ -89,6 +126,12 @@ ENDPROC(__get_user_8)
12702 +#ifdef CONFIG_X86_32
12708 mov $(-EFAULT),%_ASM_AX
12710 diff -urNp linux-2.6.31/arch/x86/lib/memcpy_64.S linux-2.6.31/arch/x86/lib/memcpy_64.S
12711 --- linux-2.6.31/arch/x86/lib/memcpy_64.S 2009-08-27 20:59:04.000000000 -0400
12712 +++ linux-2.6.31/arch/x86/lib/memcpy_64.S 2009-09-06 15:29:11.236230809 -0400
12713 @@ -128,7 +128,7 @@ ENDPROC(__memcpy)
12714 * It is also a lot simpler. Use this when possible:
12717 - .section .altinstr_replacement, "ax"
12718 + .section .altinstr_replacement, "a"
12719 1: .byte 0xeb /* jmp <disp8> */
12720 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
12722 diff -urNp linux-2.6.31/arch/x86/lib/memset_64.S linux-2.6.31/arch/x86/lib/memset_64.S
12723 --- linux-2.6.31/arch/x86/lib/memset_64.S 2009-08-27 20:59:04.000000000 -0400
12724 +++ linux-2.6.31/arch/x86/lib/memset_64.S 2009-09-06 15:29:11.237175046 -0400
12725 @@ -118,7 +118,7 @@ ENDPROC(__memset)
12727 #include <asm/cpufeature.h>
12729 - .section .altinstr_replacement,"ax"
12730 + .section .altinstr_replacement,"a"
12731 1: .byte 0xeb /* jmp <disp8> */
12732 .byte (memset_c - memset) - (2f - 1b) /* offset */
12734 diff -urNp linux-2.6.31/arch/x86/lib/mmx_32.c linux-2.6.31/arch/x86/lib/mmx_32.c
12735 --- linux-2.6.31/arch/x86/lib/mmx_32.c 2009-08-27 20:59:04.000000000 -0400
12736 +++ linux-2.6.31/arch/x86/lib/mmx_32.c 2009-09-06 15:29:11.237175046 -0400
12737 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
12741 + unsigned long cr0;
12743 if (unlikely(in_interrupt()))
12744 return __memcpy(to, from, len);
12745 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
12746 kernel_fpu_begin();
12748 __asm__ __volatile__ (
12749 - "1: prefetch (%0)\n" /* This set is 28 bytes */
12750 - " prefetch 64(%0)\n"
12751 - " prefetch 128(%0)\n"
12752 - " prefetch 192(%0)\n"
12753 - " prefetch 256(%0)\n"
12754 + "1: prefetch (%1)\n" /* This set is 28 bytes */
12755 + " prefetch 64(%1)\n"
12756 + " prefetch 128(%1)\n"
12757 + " prefetch 192(%1)\n"
12758 + " prefetch 256(%1)\n"
12760 ".section .fixup, \"ax\"\n"
12761 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
12764 +#ifdef CONFIG_PAX_KERNEXEC
12765 + " movl %%cr0, %0\n"
12766 + " movl %0, %%eax\n"
12767 + " andl $0xFFFEFFFF, %%eax\n"
12768 + " movl %%eax, %%cr0\n"
12771 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
12773 +#ifdef CONFIG_PAX_KERNEXEC
12774 + " movl %0, %%cr0\n"
12779 _ASM_EXTABLE(1b, 3b)
12781 + : "=&r" (cr0) : "r" (from) : "ax");
12783 for ( ; i > 5; i--) {
12784 __asm__ __volatile__ (
12785 - "1: prefetch 320(%0)\n"
12786 - "2: movq (%0), %%mm0\n"
12787 - " movq 8(%0), %%mm1\n"
12788 - " movq 16(%0), %%mm2\n"
12789 - " movq 24(%0), %%mm3\n"
12790 - " movq %%mm0, (%1)\n"
12791 - " movq %%mm1, 8(%1)\n"
12792 - " movq %%mm2, 16(%1)\n"
12793 - " movq %%mm3, 24(%1)\n"
12794 - " movq 32(%0), %%mm0\n"
12795 - " movq 40(%0), %%mm1\n"
12796 - " movq 48(%0), %%mm2\n"
12797 - " movq 56(%0), %%mm3\n"
12798 - " movq %%mm0, 32(%1)\n"
12799 - " movq %%mm1, 40(%1)\n"
12800 - " movq %%mm2, 48(%1)\n"
12801 - " movq %%mm3, 56(%1)\n"
12802 + "1: prefetch 320(%1)\n"
12803 + "2: movq (%1), %%mm0\n"
12804 + " movq 8(%1), %%mm1\n"
12805 + " movq 16(%1), %%mm2\n"
12806 + " movq 24(%1), %%mm3\n"
12807 + " movq %%mm0, (%2)\n"
12808 + " movq %%mm1, 8(%2)\n"
12809 + " movq %%mm2, 16(%2)\n"
12810 + " movq %%mm3, 24(%2)\n"
12811 + " movq 32(%1), %%mm0\n"
12812 + " movq 40(%1), %%mm1\n"
12813 + " movq 48(%1), %%mm2\n"
12814 + " movq 56(%1), %%mm3\n"
12815 + " movq %%mm0, 32(%2)\n"
12816 + " movq %%mm1, 40(%2)\n"
12817 + " movq %%mm2, 48(%2)\n"
12818 + " movq %%mm3, 56(%2)\n"
12819 ".section .fixup, \"ax\"\n"
12820 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
12823 +#ifdef CONFIG_PAX_KERNEXEC
12824 + " movl %%cr0, %0\n"
12825 + " movl %0, %%eax\n"
12826 + " andl $0xFFFEFFFF, %%eax\n"
12827 + " movl %%eax, %%cr0\n"
12830 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
12832 +#ifdef CONFIG_PAX_KERNEXEC
12833 + " movl %0, %%cr0\n"
12838 _ASM_EXTABLE(1b, 3b)
12839 - : : "r" (from), "r" (to) : "memory");
12840 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
12844 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
12845 static void fast_copy_page(void *to, void *from)
12848 + unsigned long cr0;
12850 kernel_fpu_begin();
12852 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
12853 * but that is for later. -AV
12855 __asm__ __volatile__(
12856 - "1: prefetch (%0)\n"
12857 - " prefetch 64(%0)\n"
12858 - " prefetch 128(%0)\n"
12859 - " prefetch 192(%0)\n"
12860 - " prefetch 256(%0)\n"
12861 + "1: prefetch (%1)\n"
12862 + " prefetch 64(%1)\n"
12863 + " prefetch 128(%1)\n"
12864 + " prefetch 192(%1)\n"
12865 + " prefetch 256(%1)\n"
12867 ".section .fixup, \"ax\"\n"
12868 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
12871 +#ifdef CONFIG_PAX_KERNEXEC
12872 + " movl %%cr0, %0\n"
12873 + " movl %0, %%eax\n"
12874 + " andl $0xFFFEFFFF, %%eax\n"
12875 + " movl %%eax, %%cr0\n"
12878 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
12880 +#ifdef CONFIG_PAX_KERNEXEC
12881 + " movl %0, %%cr0\n"
12886 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
12887 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
12889 for (i = 0; i < (4096-320)/64; i++) {
12890 __asm__ __volatile__ (
12891 - "1: prefetch 320(%0)\n"
12892 - "2: movq (%0), %%mm0\n"
12893 - " movntq %%mm0, (%1)\n"
12894 - " movq 8(%0), %%mm1\n"
12895 - " movntq %%mm1, 8(%1)\n"
12896 - " movq 16(%0), %%mm2\n"
12897 - " movntq %%mm2, 16(%1)\n"
12898 - " movq 24(%0), %%mm3\n"
12899 - " movntq %%mm3, 24(%1)\n"
12900 - " movq 32(%0), %%mm4\n"
12901 - " movntq %%mm4, 32(%1)\n"
12902 - " movq 40(%0), %%mm5\n"
12903 - " movntq %%mm5, 40(%1)\n"
12904 - " movq 48(%0), %%mm6\n"
12905 - " movntq %%mm6, 48(%1)\n"
12906 - " movq 56(%0), %%mm7\n"
12907 - " movntq %%mm7, 56(%1)\n"
12908 + "1: prefetch 320(%1)\n"
12909 + "2: movq (%1), %%mm0\n"
12910 + " movntq %%mm0, (%2)\n"
12911 + " movq 8(%1), %%mm1\n"
12912 + " movntq %%mm1, 8(%2)\n"
12913 + " movq 16(%1), %%mm2\n"
12914 + " movntq %%mm2, 16(%2)\n"
12915 + " movq 24(%1), %%mm3\n"
12916 + " movntq %%mm3, 24(%2)\n"
12917 + " movq 32(%1), %%mm4\n"
12918 + " movntq %%mm4, 32(%2)\n"
12919 + " movq 40(%1), %%mm5\n"
12920 + " movntq %%mm5, 40(%2)\n"
12921 + " movq 48(%1), %%mm6\n"
12922 + " movntq %%mm6, 48(%2)\n"
12923 + " movq 56(%1), %%mm7\n"
12924 + " movntq %%mm7, 56(%2)\n"
12925 ".section .fixup, \"ax\"\n"
12926 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
12929 +#ifdef CONFIG_PAX_KERNEXEC
12930 + " movl %%cr0, %0\n"
12931 + " movl %0, %%eax\n"
12932 + " andl $0xFFFEFFFF, %%eax\n"
12933 + " movl %%eax, %%cr0\n"
12936 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
12938 +#ifdef CONFIG_PAX_KERNEXEC
12939 + " movl %0, %%cr0\n"
12944 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
12945 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
12949 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
12950 static void fast_copy_page(void *to, void *from)
12953 + unsigned long cr0;
12955 kernel_fpu_begin();
12957 __asm__ __volatile__ (
12958 - "1: prefetch (%0)\n"
12959 - " prefetch 64(%0)\n"
12960 - " prefetch 128(%0)\n"
12961 - " prefetch 192(%0)\n"
12962 - " prefetch 256(%0)\n"
12963 + "1: prefetch (%1)\n"
12964 + " prefetch 64(%1)\n"
12965 + " prefetch 128(%1)\n"
12966 + " prefetch 192(%1)\n"
12967 + " prefetch 256(%1)\n"
12969 ".section .fixup, \"ax\"\n"
12970 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
12973 +#ifdef CONFIG_PAX_KERNEXEC
12974 + " movl %%cr0, %0\n"
12975 + " movl %0, %%eax\n"
12976 + " andl $0xFFFEFFFF, %%eax\n"
12977 + " movl %%eax, %%cr0\n"
12980 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
12982 +#ifdef CONFIG_PAX_KERNEXEC
12983 + " movl %0, %%cr0\n"
12988 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
12989 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
12991 for (i = 0; i < 4096/64; i++) {
12992 __asm__ __volatile__ (
12993 - "1: prefetch 320(%0)\n"
12994 - "2: movq (%0), %%mm0\n"
12995 - " movq 8(%0), %%mm1\n"
12996 - " movq 16(%0), %%mm2\n"
12997 - " movq 24(%0), %%mm3\n"
12998 - " movq %%mm0, (%1)\n"
12999 - " movq %%mm1, 8(%1)\n"
13000 - " movq %%mm2, 16(%1)\n"
13001 - " movq %%mm3, 24(%1)\n"
13002 - " movq 32(%0), %%mm0\n"
13003 - " movq 40(%0), %%mm1\n"
13004 - " movq 48(%0), %%mm2\n"
13005 - " movq 56(%0), %%mm3\n"
13006 - " movq %%mm0, 32(%1)\n"
13007 - " movq %%mm1, 40(%1)\n"
13008 - " movq %%mm2, 48(%1)\n"
13009 - " movq %%mm3, 56(%1)\n"
13010 + "1: prefetch 320(%1)\n"
13011 + "2: movq (%1), %%mm0\n"
13012 + " movq 8(%1), %%mm1\n"
13013 + " movq 16(%1), %%mm2\n"
13014 + " movq 24(%1), %%mm3\n"
13015 + " movq %%mm0, (%2)\n"
13016 + " movq %%mm1, 8(%2)\n"
13017 + " movq %%mm2, 16(%2)\n"
13018 + " movq %%mm3, 24(%2)\n"
13019 + " movq 32(%1), %%mm0\n"
13020 + " movq 40(%1), %%mm1\n"
13021 + " movq 48(%1), %%mm2\n"
13022 + " movq 56(%1), %%mm3\n"
13023 + " movq %%mm0, 32(%2)\n"
13024 + " movq %%mm1, 40(%2)\n"
13025 + " movq %%mm2, 48(%2)\n"
13026 + " movq %%mm3, 56(%2)\n"
13027 ".section .fixup, \"ax\"\n"
13028 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
13031 +#ifdef CONFIG_PAX_KERNEXEC
13032 + " movl %%cr0, %0\n"
13033 + " movl %0, %%eax\n"
13034 + " andl $0xFFFEFFFF, %%eax\n"
13035 + " movl %%eax, %%cr0\n"
13038 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
13040 +#ifdef CONFIG_PAX_KERNEXEC
13041 + " movl %0, %%cr0\n"
13046 _ASM_EXTABLE(1b, 3b)
13047 - : : "r" (from), "r" (to) : "memory");
13048 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
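Review bot: The CR0.WP window opened in the fixup section (`andl $0xFFFEFFFF, %%eax` / `movl %%eax, %%cr0` … `movl %0, %%cr0`) has nothing local that keeps the task on this CPU while write protection is off; it is only safe because kernel_fpu_begin() at the top of fast_copy_page disables preemption on this kernel, and that dependency should be stated next to the asm, e.g. `/* fixup patches 1b in kernel text: drop CR0.WP around the write; preemption is already off via kernel_fpu_begin() */`. Patching the prefetch at `1b` into a jmp while another CPU may be executing the same function is pre-existing behaviour, not introduced here. The same open/close pattern is in the preceding hunk of this file, whose start is outside this view.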
13052 diff -urNp linux-2.6.31/arch/x86/lib/putuser.S linux-2.6.31/arch/x86/lib/putuser.S
13053 --- linux-2.6.31/arch/x86/lib/putuser.S 2009-08-27 20:59:04.000000000 -0400
13054 +++ linux-2.6.31/arch/x86/lib/putuser.S 2009-09-06 15:29:11.237175046 -0400
13056 #include <asm/thread_info.h>
13057 #include <asm/errno.h>
13058 #include <asm/asm.h>
13059 +#include <asm/segment.h>
13063 @@ -39,7 +40,19 @@ ENTRY(__put_user_1)
13065 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
13068 +#ifdef CONFIG_X86_32
13069 + pushl $(__USER_DS)
13073 1: movb %al,(%_ASM_CX)
13075 +#ifdef CONFIG_X86_32
13082 ENDPROC(__put_user_1)
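Review bot: The `pushl $(__USER_DS)` added under CONFIG_X86_32 ahead of `1: movb %al,(%_ASM_CX)` carries no comment on why a user data selector is loaded here; the reason only becomes visible in __set_fs later in this patch, which programs GDT_ENTRY_DEFAULT_USER_DS with a limit derived from addr_limit so that the segment itself, not only the `cmp TI_addr_limit` check, bounds the store. A one-line comment such as `/* UDEREF: reach user memory through the bounded user data segment */` above the push would make that discoverable, and the same applies to the __put_user_2, __put_user_4 and __put_user_8 hunks that follow. The lines that pop the selector into a segment register and restore it afterwards are elided from this view, so I can't confirm the fault path restores it as well.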
13083 @@ -50,7 +63,19 @@ ENTRY(__put_user_2)
13085 cmp %_ASM_BX,%_ASM_CX
13088 +#ifdef CONFIG_X86_32
13089 + pushl $(__USER_DS)
13093 2: movw %ax,(%_ASM_CX)
13095 +#ifdef CONFIG_X86_32
13102 ENDPROC(__put_user_2)
13103 @@ -61,7 +86,19 @@ ENTRY(__put_user_4)
13105 cmp %_ASM_BX,%_ASM_CX
13108 +#ifdef CONFIG_X86_32
13109 + pushl $(__USER_DS)
13113 3: movl %eax,(%_ASM_CX)
13115 +#ifdef CONFIG_X86_32
13122 ENDPROC(__put_user_4)
13123 @@ -72,16 +109,34 @@ ENTRY(__put_user_8)
13125 cmp %_ASM_BX,%_ASM_CX
13128 +#ifdef CONFIG_X86_32
13129 + pushl $(__USER_DS)
13133 4: mov %_ASM_AX,(%_ASM_CX)
13134 #ifdef CONFIG_X86_32
13135 5: movl %edx,4(%_ASM_CX)
13138 +#ifdef CONFIG_X86_32
13145 ENDPROC(__put_user_8)
13150 +#ifdef CONFIG_X86_32
13158 diff -urNp linux-2.6.31/arch/x86/lib/usercopy_32.c linux-2.6.31/arch/x86/lib/usercopy_32.c
13159 --- linux-2.6.31/arch/x86/lib/usercopy_32.c 2009-08-27 20:59:04.000000000 -0400
13160 +++ linux-2.6.31/arch/x86/lib/usercopy_32.c 2009-09-06 15:29:11.238175602 -0400
13161 @@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
13162 * Copy a null terminated string from userspace.
13165 -#define __do_strncpy_from_user(dst, src, count, res) \
13167 - int __d0, __d1, __d2; \
13169 - __asm__ __volatile__( \
13170 - " testl %1,%1\n" \
13174 - " testb %%al,%%al\n" \
13178 - "1: subl %1,%0\n" \
13180 - ".section .fixup,\"ax\"\n" \
13181 - "3: movl %5,%0\n" \
13184 - _ASM_EXTABLE(0b,3b) \
13185 - : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
13187 - : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
13190 +static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
13192 + int __d0, __d1, __d2;
13193 + long res = -EFAULT;
13196 + __asm__ __volatile__(
13197 + " movw %w10,%%ds\n"
13202 + " testb %%al,%%al\n"
13206 + "1: subl %1,%0\n"
13210 + ".section .fixup,\"ax\"\n"
13211 + "3: movl %5,%0\n"
13214 + _ASM_EXTABLE(0b,3b)
13215 + : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
13217 + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
13224 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
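Review bot: Now that __do_strncpy_from_user is a real function, the locals `__d0, __d1, __d2` no longer need the macro-hygiene prefix, and identifiers starting with a double underscore are reserved for the implementation; plain `d0, d1, d2`, as the Intel variants in this file already use (`"=&D" (d0), "=&S" (d1)`), would be consistent. The same applies to the converted __do_clear_user, __generic_copy_to_user, __generic_copy_from_user and __copy_user_zeroing later in this file. The function also deserves a short header comment stating its return contract, which the `long res = -EFAULT` initialisation and the `3: movl %5,%0` fixup imply but do not spell out: apparently the copied length on success and -EFAULT on a fault.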
13225 @@ -85,9 +92,7 @@ do { \
13227 __strncpy_from_user(char *dst, const char __user *src, long count)
13230 - __do_strncpy_from_user(dst, src, count, res);
13232 + return __do_strncpy_from_user(dst, src, count);
13234 EXPORT_SYMBOL(__strncpy_from_user);
13236 @@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
13238 long res = -EFAULT;
13239 if (access_ok(VERIFY_READ, src, 1))
13240 - __do_strncpy_from_user(dst, src, count, res);
13241 + res = __do_strncpy_from_user(dst, src, count);
13244 EXPORT_SYMBOL(strncpy_from_user);
13245 @@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
13249 -#define __do_clear_user(addr,size) \
13253 - __asm__ __volatile__( \
13254 - "0: rep; stosl\n" \
13255 - " movl %2,%0\n" \
13256 - "1: rep; stosb\n" \
13258 - ".section .fixup,\"ax\"\n" \
13259 - "3: lea 0(%2,%0,4),%0\n" \
13262 - _ASM_EXTABLE(0b,3b) \
13263 - _ASM_EXTABLE(1b,2b) \
13264 - : "=&c"(size), "=&D" (__d0) \
13265 - : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
13267 +static unsigned long __do_clear_user(void __user *addr, unsigned long size)
13272 + __asm__ __volatile__(
13273 + " movw %w6,%%es\n"
13274 + "0: rep; stosl\n"
13276 + "1: rep; stosb\n"
13280 + ".section .fixup,\"ax\"\n"
13281 + "3: lea 0(%2,%0,4),%0\n"
13284 + _ASM_EXTABLE(0b,3b)
13285 + _ASM_EXTABLE(1b,2b)
13286 + : "=&c"(size), "=&D" (__d0)
13287 + : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
13293 * clear_user: - Zero a block of memory in user space.
13294 @@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
13297 if (access_ok(VERIFY_WRITE, to, n))
13298 - __do_clear_user(to, n);
13299 + n = __do_clear_user(to, n);
13302 EXPORT_SYMBOL(clear_user);
13303 @@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
13305 __clear_user(void __user *to, unsigned long n)
13307 - __do_clear_user(to, n);
13309 + return __do_clear_user(to, n);
13311 EXPORT_SYMBOL(__clear_user);
13313 @@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
13316 __asm__ __volatile__(
13317 + " movw %w8,%%es\n"
13320 - " andl %0,%%ecx\n"
13321 + " movl %0,%%ecx\n"
13322 "0: repne; scasb\n"
13329 ".section .fixup,\"ax\"\n"
13330 "2: xorl %%eax,%%eax\n"
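Review bot: Replacing `andl %0,%%ecx` with `movl %0,%%ecx` makes the `mask` value still fed into %ecx through the `"3" (mask)` input in the next hunk dead: it is overwritten before `repne; scasb` ever sees it. If the intent is that the __USER_DS segment limit now bounds the scan instead of the address mask, the operand (and the mask computation above the asm, outside this hunk) should be dropped and a comment should say so, e.g. `/* UDEREF: the user DS limit bounds the scan, no address mask needed */`; otherwise the old range check has been silently lost. The enclosing strnlen_user starts before this hunk.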
13332 @@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
13335 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
13336 - :"0" (n), "1" (s), "2" (0), "3" (mask)
13337 + :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
13341 @@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
13343 #ifdef CONFIG_X86_INTEL_USERCOPY
13344 static unsigned long
13345 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
13346 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
13349 + __asm__ __volatile__(
13350 + " movw %w6, %%es\n"
13351 + " .align 2,0x90\n"
13352 + "1: movl 32(%4), %%eax\n"
13353 + " cmpl $67, %0\n"
13355 + "2: movl 64(%4), %%eax\n"
13356 + " .align 2,0x90\n"
13357 + "3: movl 0(%4), %%eax\n"
13358 + "4: movl 4(%4), %%edx\n"
13359 + "5: movl %%eax, %%es:0(%3)\n"
13360 + "6: movl %%edx, %%es:4(%3)\n"
13361 + "7: movl 8(%4), %%eax\n"
13362 + "8: movl 12(%4),%%edx\n"
13363 + "9: movl %%eax, %%es:8(%3)\n"
13364 + "10: movl %%edx, %%es:12(%3)\n"
13365 + "11: movl 16(%4), %%eax\n"
13366 + "12: movl 20(%4), %%edx\n"
13367 + "13: movl %%eax, %%es:16(%3)\n"
13368 + "14: movl %%edx, %%es:20(%3)\n"
13369 + "15: movl 24(%4), %%eax\n"
13370 + "16: movl 28(%4), %%edx\n"
13371 + "17: movl %%eax, %%es:24(%3)\n"
13372 + "18: movl %%edx, %%es:28(%3)\n"
13373 + "19: movl 32(%4), %%eax\n"
13374 + "20: movl 36(%4), %%edx\n"
13375 + "21: movl %%eax, %%es:32(%3)\n"
13376 + "22: movl %%edx, %%es:36(%3)\n"
13377 + "23: movl 40(%4), %%eax\n"
13378 + "24: movl 44(%4), %%edx\n"
13379 + "25: movl %%eax, %%es:40(%3)\n"
13380 + "26: movl %%edx, %%es:44(%3)\n"
13381 + "27: movl 48(%4), %%eax\n"
13382 + "28: movl 52(%4), %%edx\n"
13383 + "29: movl %%eax, %%es:48(%3)\n"
13384 + "30: movl %%edx, %%es:52(%3)\n"
13385 + "31: movl 56(%4), %%eax\n"
13386 + "32: movl 60(%4), %%edx\n"
13387 + "33: movl %%eax, %%es:56(%3)\n"
13388 + "34: movl %%edx, %%es:60(%3)\n"
13389 + " addl $-64, %0\n"
13390 + " addl $64, %4\n"
13391 + " addl $64, %3\n"
13392 + " cmpl $63, %0\n"
13394 + "35: movl %0, %%eax\n"
13396 + " andl $3, %%eax\n"
13398 + "99: rep; movsl\n"
13399 + "36: movl %%eax, %0\n"
13400 + "37: rep; movsb\n"
13404 + ".section .fixup,\"ax\"\n"
13405 + "101: lea 0(%%eax,%0,4),%0\n"
13408 + ".section __ex_table,\"a\"\n"
13410 + " .long 1b,100b\n"
13411 + " .long 2b,100b\n"
13412 + " .long 3b,100b\n"
13413 + " .long 4b,100b\n"
13414 + " .long 5b,100b\n"
13415 + " .long 6b,100b\n"
13416 + " .long 7b,100b\n"
13417 + " .long 8b,100b\n"
13418 + " .long 9b,100b\n"
13419 + " .long 10b,100b\n"
13420 + " .long 11b,100b\n"
13421 + " .long 12b,100b\n"
13422 + " .long 13b,100b\n"
13423 + " .long 14b,100b\n"
13424 + " .long 15b,100b\n"
13425 + " .long 16b,100b\n"
13426 + " .long 17b,100b\n"
13427 + " .long 18b,100b\n"
13428 + " .long 19b,100b\n"
13429 + " .long 20b,100b\n"
13430 + " .long 21b,100b\n"
13431 + " .long 22b,100b\n"
13432 + " .long 23b,100b\n"
13433 + " .long 24b,100b\n"
13434 + " .long 25b,100b\n"
13435 + " .long 26b,100b\n"
13436 + " .long 27b,100b\n"
13437 + " .long 28b,100b\n"
13438 + " .long 29b,100b\n"
13439 + " .long 30b,100b\n"
13440 + " .long 31b,100b\n"
13441 + " .long 32b,100b\n"
13442 + " .long 33b,100b\n"
13443 + " .long 34b,100b\n"
13444 + " .long 35b,100b\n"
13445 + " .long 36b,100b\n"
13446 + " .long 37b,100b\n"
13447 + " .long 99b,101b\n"
13449 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
13450 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
13451 + : "eax", "edx", "memory");
13455 +static unsigned long
13456 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
13459 __asm__ __volatile__(
13460 + " movw %w6, %%ds\n"
13462 "1: movl 32(%4), %%eax\n"
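Review bot: __generic_copy_to_user_intel duplicates the roughly 100-line asm body of __generic_copy_from_user_intel (the renamed original) with only the target segment register (`movw %w6, %%es` vs `%%ds`) and the `%%es:` store prefixes differing, so the two will drift apart on the next fixup-table change; a macro parameterised on the segment register, or a shared body, would keep them in lock-step. The same holds for the three generic rep-movs helpers (__generic_copy_to_user, __generic_copy_from_user, __copy_user_zeroing) added later in this file. After `movw %w6, %%es` loads the user selector, none of the visible lines reload %es before the function returns; if that happens in the lines elided from this view it is fine, but it merits a comment on the asm, because returning with a user selector still in %es would be a defect.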
13464 @@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
13466 "3: movl 0(%4), %%eax\n"
13467 "4: movl 4(%4), %%edx\n"
13468 - "5: movl %%eax, 0(%3)\n"
13469 - "6: movl %%edx, 4(%3)\n"
13470 + "5: movl %%eax, %%es:0(%3)\n"
13471 + "6: movl %%edx, %%es:4(%3)\n"
13472 "7: movl 8(%4), %%eax\n"
13473 "8: movl 12(%4),%%edx\n"
13474 - "9: movl %%eax, 8(%3)\n"
13475 - "10: movl %%edx, 12(%3)\n"
13476 + "9: movl %%eax, %%es:8(%3)\n"
13477 + "10: movl %%edx, %%es:12(%3)\n"
13478 "11: movl 16(%4), %%eax\n"
13479 "12: movl 20(%4), %%edx\n"
13480 - "13: movl %%eax, 16(%3)\n"
13481 - "14: movl %%edx, 20(%3)\n"
13482 + "13: movl %%eax, %%es:16(%3)\n"
13483 + "14: movl %%edx, %%es:20(%3)\n"
13484 "15: movl 24(%4), %%eax\n"
13485 "16: movl 28(%4), %%edx\n"
13486 - "17: movl %%eax, 24(%3)\n"
13487 - "18: movl %%edx, 28(%3)\n"
13488 + "17: movl %%eax, %%es:24(%3)\n"
13489 + "18: movl %%edx, %%es:28(%3)\n"
13490 "19: movl 32(%4), %%eax\n"
13491 "20: movl 36(%4), %%edx\n"
13492 - "21: movl %%eax, 32(%3)\n"
13493 - "22: movl %%edx, 36(%3)\n"
13494 + "21: movl %%eax, %%es:32(%3)\n"
13495 + "22: movl %%edx, %%es:36(%3)\n"
13496 "23: movl 40(%4), %%eax\n"
13497 "24: movl 44(%4), %%edx\n"
13498 - "25: movl %%eax, 40(%3)\n"
13499 - "26: movl %%edx, 44(%3)\n"
13500 + "25: movl %%eax, %%es:40(%3)\n"
13501 + "26: movl %%edx, %%es:44(%3)\n"
13502 "27: movl 48(%4), %%eax\n"
13503 "28: movl 52(%4), %%edx\n"
13504 - "29: movl %%eax, 48(%3)\n"
13505 - "30: movl %%edx, 52(%3)\n"
13506 + "29: movl %%eax, %%es:48(%3)\n"
13507 + "30: movl %%edx, %%es:52(%3)\n"
13508 "31: movl 56(%4), %%eax\n"
13509 "32: movl 60(%4), %%edx\n"
13510 - "33: movl %%eax, 56(%3)\n"
13511 - "34: movl %%edx, 60(%3)\n"
13512 + "33: movl %%eax, %%es:56(%3)\n"
13513 + "34: movl %%edx, %%es:60(%3)\n"
13517 @@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
13518 "36: movl %%eax, %0\n"
13523 ".section .fixup,\"ax\"\n"
13524 "101: lea 0(%%eax,%0,4),%0\n"
13526 @@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
13527 " .long 99b,101b\n"
13529 : "=&c"(size), "=&D" (d0), "=&S" (d1)
13530 - : "1"(to), "2"(from), "0"(size)
13531 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
13532 : "eax", "edx", "memory");
13535 @@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
13538 __asm__ __volatile__(
13539 + " movw %w6, %%ds\n"
13541 "0: movl 32(%4), %%eax\n"
13543 @@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
13545 "2: movl 0(%4), %%eax\n"
13546 "21: movl 4(%4), %%edx\n"
13547 - " movl %%eax, 0(%3)\n"
13548 - " movl %%edx, 4(%3)\n"
13549 + " movl %%eax, %%es:0(%3)\n"
13550 + " movl %%edx, %%es:4(%3)\n"
13551 "3: movl 8(%4), %%eax\n"
13552 "31: movl 12(%4),%%edx\n"
13553 - " movl %%eax, 8(%3)\n"
13554 - " movl %%edx, 12(%3)\n"
13555 + " movl %%eax, %%es:8(%3)\n"
13556 + " movl %%edx, %%es:12(%3)\n"
13557 "4: movl 16(%4), %%eax\n"
13558 "41: movl 20(%4), %%edx\n"
13559 - " movl %%eax, 16(%3)\n"
13560 - " movl %%edx, 20(%3)\n"
13561 + " movl %%eax, %%es:16(%3)\n"
13562 + " movl %%edx, %%es:20(%3)\n"
13563 "10: movl 24(%4), %%eax\n"
13564 "51: movl 28(%4), %%edx\n"
13565 - " movl %%eax, 24(%3)\n"
13566 - " movl %%edx, 28(%3)\n"
13567 + " movl %%eax, %%es:24(%3)\n"
13568 + " movl %%edx, %%es:28(%3)\n"
13569 "11: movl 32(%4), %%eax\n"
13570 "61: movl 36(%4), %%edx\n"
13571 - " movl %%eax, 32(%3)\n"
13572 - " movl %%edx, 36(%3)\n"
13573 + " movl %%eax, %%es:32(%3)\n"
13574 + " movl %%edx, %%es:36(%3)\n"
13575 "12: movl 40(%4), %%eax\n"
13576 "71: movl 44(%4), %%edx\n"
13577 - " movl %%eax, 40(%3)\n"
13578 - " movl %%edx, 44(%3)\n"
13579 + " movl %%eax, %%es:40(%3)\n"
13580 + " movl %%edx, %%es:44(%3)\n"
13581 "13: movl 48(%4), %%eax\n"
13582 "81: movl 52(%4), %%edx\n"
13583 - " movl %%eax, 48(%3)\n"
13584 - " movl %%edx, 52(%3)\n"
13585 + " movl %%eax, %%es:48(%3)\n"
13586 + " movl %%edx, %%es:52(%3)\n"
13587 "14: movl 56(%4), %%eax\n"
13588 "91: movl 60(%4), %%edx\n"
13589 - " movl %%eax, 56(%3)\n"
13590 - " movl %%edx, 60(%3)\n"
13591 + " movl %%eax, %%es:56(%3)\n"
13592 + " movl %%edx, %%es:60(%3)\n"
13596 @@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
13602 ".section .fixup,\"ax\"\n"
13603 "9: lea 0(%%eax,%0,4),%0\n"
13605 @@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
13608 : "=&c"(size), "=&D" (d0), "=&S" (d1)
13609 - : "1"(to), "2"(from), "0"(size)
13610 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
13611 : "eax", "edx", "memory");
13614 @@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
13617 __asm__ __volatile__(
13618 + " movw %w6, %%ds\n"
13620 "0: movl 32(%4), %%eax\n"
13622 @@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
13624 "2: movl 0(%4), %%eax\n"
13625 "21: movl 4(%4), %%edx\n"
13626 - " movnti %%eax, 0(%3)\n"
13627 - " movnti %%edx, 4(%3)\n"
13628 + " movnti %%eax, %%es:0(%3)\n"
13629 + " movnti %%edx, %%es:4(%3)\n"
13630 "3: movl 8(%4), %%eax\n"
13631 "31: movl 12(%4),%%edx\n"
13632 - " movnti %%eax, 8(%3)\n"
13633 - " movnti %%edx, 12(%3)\n"
13634 + " movnti %%eax, %%es:8(%3)\n"
13635 + " movnti %%edx, %%es:12(%3)\n"
13636 "4: movl 16(%4), %%eax\n"
13637 "41: movl 20(%4), %%edx\n"
13638 - " movnti %%eax, 16(%3)\n"
13639 - " movnti %%edx, 20(%3)\n"
13640 + " movnti %%eax, %%es:16(%3)\n"
13641 + " movnti %%edx, %%es:20(%3)\n"
13642 "10: movl 24(%4), %%eax\n"
13643 "51: movl 28(%4), %%edx\n"
13644 - " movnti %%eax, 24(%3)\n"
13645 - " movnti %%edx, 28(%3)\n"
13646 + " movnti %%eax, %%es:24(%3)\n"
13647 + " movnti %%edx, %%es:28(%3)\n"
13648 "11: movl 32(%4), %%eax\n"
13649 "61: movl 36(%4), %%edx\n"
13650 - " movnti %%eax, 32(%3)\n"
13651 - " movnti %%edx, 36(%3)\n"
13652 + " movnti %%eax, %%es:32(%3)\n"
13653 + " movnti %%edx, %%es:36(%3)\n"
13654 "12: movl 40(%4), %%eax\n"
13655 "71: movl 44(%4), %%edx\n"
13656 - " movnti %%eax, 40(%3)\n"
13657 - " movnti %%edx, 44(%3)\n"
13658 + " movnti %%eax, %%es:40(%3)\n"
13659 + " movnti %%edx, %%es:44(%3)\n"
13660 "13: movl 48(%4), %%eax\n"
13661 "81: movl 52(%4), %%edx\n"
13662 - " movnti %%eax, 48(%3)\n"
13663 - " movnti %%edx, 52(%3)\n"
13664 + " movnti %%eax, %%es:48(%3)\n"
13665 + " movnti %%edx, %%es:52(%3)\n"
13666 "14: movl 56(%4), %%eax\n"
13667 "91: movl 60(%4), %%edx\n"
13668 - " movnti %%eax, 56(%3)\n"
13669 - " movnti %%edx, 60(%3)\n"
13670 + " movnti %%eax, %%es:56(%3)\n"
13671 + " movnti %%edx, %%es:60(%3)\n"
13675 @@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
13681 ".section .fixup,\"ax\"\n"
13682 "9: lea 0(%%eax,%0,4),%0\n"
13684 @@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
13687 : "=&c"(size), "=&D" (d0), "=&S" (d1)
13688 - : "1"(to), "2"(from), "0"(size)
13689 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
13690 : "eax", "edx", "memory");
13693 @@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
13696 __asm__ __volatile__(
13697 + " movw %w6, %%ds\n"
13699 "0: movl 32(%4), %%eax\n"
13701 @@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
13703 "2: movl 0(%4), %%eax\n"
13704 "21: movl 4(%4), %%edx\n"
13705 - " movnti %%eax, 0(%3)\n"
13706 - " movnti %%edx, 4(%3)\n"
13707 + " movnti %%eax, %%es:0(%3)\n"
13708 + " movnti %%edx, %%es:4(%3)\n"
13709 "3: movl 8(%4), %%eax\n"
13710 "31: movl 12(%4),%%edx\n"
13711 - " movnti %%eax, 8(%3)\n"
13712 - " movnti %%edx, 12(%3)\n"
13713 + " movnti %%eax, %%es:8(%3)\n"
13714 + " movnti %%edx, %%es:12(%3)\n"
13715 "4: movl 16(%4), %%eax\n"
13716 "41: movl 20(%4), %%edx\n"
13717 - " movnti %%eax, 16(%3)\n"
13718 - " movnti %%edx, 20(%3)\n"
13719 + " movnti %%eax, %%es:16(%3)\n"
13720 + " movnti %%edx, %%es:20(%3)\n"
13721 "10: movl 24(%4), %%eax\n"
13722 "51: movl 28(%4), %%edx\n"
13723 - " movnti %%eax, 24(%3)\n"
13724 - " movnti %%edx, 28(%3)\n"
13725 + " movnti %%eax, %%es:24(%3)\n"
13726 + " movnti %%edx, %%es:28(%3)\n"
13727 "11: movl 32(%4), %%eax\n"
13728 "61: movl 36(%4), %%edx\n"
13729 - " movnti %%eax, 32(%3)\n"
13730 - " movnti %%edx, 36(%3)\n"
13731 + " movnti %%eax, %%es:32(%3)\n"
13732 + " movnti %%edx, %%es:36(%3)\n"
13733 "12: movl 40(%4), %%eax\n"
13734 "71: movl 44(%4), %%edx\n"
13735 - " movnti %%eax, 40(%3)\n"
13736 - " movnti %%edx, 44(%3)\n"
13737 + " movnti %%eax, %%es:40(%3)\n"
13738 + " movnti %%edx, %%es:44(%3)\n"
13739 "13: movl 48(%4), %%eax\n"
13740 "81: movl 52(%4), %%edx\n"
13741 - " movnti %%eax, 48(%3)\n"
13742 - " movnti %%edx, 52(%3)\n"
13743 + " movnti %%eax, %%es:48(%3)\n"
13744 + " movnti %%edx, %%es:52(%3)\n"
13745 "14: movl 56(%4), %%eax\n"
13746 "91: movl 60(%4), %%edx\n"
13747 - " movnti %%eax, 56(%3)\n"
13748 - " movnti %%edx, 60(%3)\n"
13749 + " movnti %%eax, %%es:56(%3)\n"
13750 + " movnti %%edx, %%es:60(%3)\n"
13754 @@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
13760 ".section .fixup,\"ax\"\n"
13761 "9: lea 0(%%eax,%0,4),%0\n"
13763 @@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
13766 : "=&c"(size), "=&D" (d0), "=&S" (d1)
13767 - : "1"(to), "2"(from), "0"(size)
13768 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
13769 : "eax", "edx", "memory");
13772 @@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
13774 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
13775 unsigned long size);
13776 -unsigned long __copy_user_intel(void __user *to, const void *from,
13777 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
13778 + unsigned long size);
13779 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
13780 unsigned long size);
13781 unsigned long __copy_user_zeroing_intel_nocache(void *to,
13782 const void __user *from, unsigned long size);
13783 #endif /* CONFIG_X86_INTEL_USERCOPY */
13785 /* Generic arbitrary sized copy. */
13786 -#define __copy_user(to, from, size) \
13788 - int __d0, __d1, __d2; \
13789 - __asm__ __volatile__( \
13792 - " movl %1,%0\n" \
13794 - " andl $7,%0\n" \
13795 - " subl %0,%3\n" \
13796 - "4: rep; movsb\n" \
13797 - " movl %3,%0\n" \
13798 - " shrl $2,%0\n" \
13799 - " andl $3,%3\n" \
13800 - " .align 2,0x90\n" \
13801 - "0: rep; movsl\n" \
13802 - " movl %3,%0\n" \
13803 - "1: rep; movsb\n" \
13805 - ".section .fixup,\"ax\"\n" \
13806 - "5: addl %3,%0\n" \
13808 - "3: lea 0(%3,%0,4),%0\n" \
13811 - ".section __ex_table,\"a\"\n" \
13813 - " .long 4b,5b\n" \
13814 - " .long 0b,3b\n" \
13815 - " .long 1b,2b\n" \
13817 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
13818 - : "3"(size), "0"(size), "1"(to), "2"(from) \
13822 -#define __copy_user_zeroing(to, from, size) \
13824 - int __d0, __d1, __d2; \
13825 - __asm__ __volatile__( \
13828 - " movl %1,%0\n" \
13830 - " andl $7,%0\n" \
13831 - " subl %0,%3\n" \
13832 - "4: rep; movsb\n" \
13833 - " movl %3,%0\n" \
13834 - " shrl $2,%0\n" \
13835 - " andl $3,%3\n" \
13836 - " .align 2,0x90\n" \
13837 - "0: rep; movsl\n" \
13838 - " movl %3,%0\n" \
13839 - "1: rep; movsb\n" \
13841 - ".section .fixup,\"ax\"\n" \
13842 - "5: addl %3,%0\n" \
13844 - "3: lea 0(%3,%0,4),%0\n" \
13845 - "6: pushl %0\n" \
13846 - " pushl %%eax\n" \
13847 - " xorl %%eax,%%eax\n" \
13848 - " rep; stosb\n" \
13849 - " popl %%eax\n" \
13853 - ".section __ex_table,\"a\"\n" \
13855 - " .long 4b,5b\n" \
13856 - " .long 0b,3b\n" \
13857 - " .long 1b,6b\n" \
13859 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
13860 - : "3"(size), "0"(size), "1"(to), "2"(from) \
13863 +static unsigned long
13864 +__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
13866 + int __d0, __d1, __d2;
13868 + __asm__ __volatile__(
13869 + " movw %w8,%%es\n"
13876 + "4: rep; movsb\n"
13880 + " .align 2,0x90\n"
13881 + "0: rep; movsl\n"
13883 + "1: rep; movsb\n"
13887 + ".section .fixup,\"ax\"\n"
13888 + "5: addl %3,%0\n"
13890 + "3: lea 0(%3,%0,4),%0\n"
13893 + ".section __ex_table,\"a\"\n"
13899 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
13900 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
13905 +static unsigned long
13906 +__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
13908 + int __d0, __d1, __d2;
13910 + __asm__ __volatile__(
13911 + " movw %w8,%%ds\n"
13918 + "4: rep; movsb\n"
13922 + " .align 2,0x90\n"
13923 + "0: rep; movsl\n"
13925 + "1: rep; movsb\n"
13929 + ".section .fixup,\"ax\"\n"
13930 + "5: addl %3,%0\n"
13932 + "3: lea 0(%3,%0,4),%0\n"
13935 + ".section __ex_table,\"a\"\n"
13941 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
13942 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
13947 +static unsigned long
13948 +__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
13950 + int __d0, __d1, __d2;
13952 + __asm__ __volatile__(
13953 + " movw %w8,%%ds\n"
13960 + "4: rep; movsb\n"
13964 + " .align 2,0x90\n"
13965 + "0: rep; movsl\n"
13967 + "1: rep; movsb\n"
13971 + ".section .fixup,\"ax\"\n"
13972 + "5: addl %3,%0\n"
13974 + "3: lea 0(%3,%0,4),%0\n"
13977 + " xorl %%eax,%%eax\n"
13983 + ".section __ex_table,\"a\"\n"
13989 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
13990 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
13995 unsigned long __copy_to_user_ll(void __user *to, const void *from,
13997 @@ -775,9 +966,9 @@ survive:
14000 if (movsl_is_ok(to, from, n))
14001 - __copy_user(to, from, n);
14002 + n = __generic_copy_to_user(to, from, n);
14004 - n = __copy_user_intel(to, from, n);
14005 + n = __generic_copy_to_user_intel(to, from, n);
14008 EXPORT_SYMBOL(__copy_to_user_ll);
14009 @@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
14012 if (movsl_is_ok(to, from, n))
14013 - __copy_user_zeroing(to, from, n);
14014 + n = __copy_user_zeroing(to, from, n);
14016 n = __copy_user_zeroing_intel(to, from, n);
14018 @@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
14021 if (movsl_is_ok(to, from, n))
14022 - __copy_user(to, from, n);
14023 + n = __generic_copy_from_user(to, from, n);
14025 - n = __copy_user_intel((void __user *)to,
14026 - (const void *)from, n);
14027 + n = __generic_copy_from_user_intel(to, from, n);
14030 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
14031 @@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
14032 if (n > 64 && cpu_has_xmm2)
14033 n = __copy_user_zeroing_intel_nocache(to, from, n);
14035 - __copy_user_zeroing(to, from, n);
14036 + n = __copy_user_zeroing(to, from, n);
14038 - __copy_user_zeroing(to, from, n);
14039 + n = __copy_user_zeroing(to, from, n);
14043 @@ -827,59 +1017,37 @@ unsigned long __copy_from_user_ll_nocach
14044 if (n > 64 && cpu_has_xmm2)
14045 n = __copy_user_intel_nocache(to, from, n);
14047 - __copy_user(to, from, n);
14048 + n = __generic_copy_from_user(to, from, n);
14050 - __copy_user(to, from, n);
14051 + n = __generic_copy_from_user(to, from, n);
14055 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
14058 - * copy_to_user: - Copy a block of data into user space.
14059 - * @to: Destination address, in user space.
14060 - * @from: Source address, in kernel space.
14061 - * @n: Number of bytes to copy.
14063 - * Context: User context only. This function may sleep.
14065 - * Copy data from kernel space to user space.
14067 - * Returns number of bytes that could not be copied.
14068 - * On success, this will be zero.
14071 -copy_to_user(void __user *to, const void *from, unsigned long n)
14072 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14073 +void __set_fs(mm_segment_t x, int cpu)
14075 - if (access_ok(VERIFY_WRITE, to, n))
14076 - n = __copy_to_user(to, from, n);
14078 + unsigned long limit = x.seg;
14079 + struct desc_struct d;
14081 + current_thread_info()->addr_limit = x;
14082 + if (likely(limit))
14083 + limit = (limit - 1UL) >> PAGE_SHIFT;
14084 + pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
14085 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
14087 -EXPORT_SYMBOL(copy_to_user);
14090 - * copy_from_user: - Copy a block of data from user space.
14091 - * @to: Destination address, in kernel space.
14092 - * @from: Source address, in user space.
14093 - * @n: Number of bytes to copy.
14095 - * Context: User context only. This function may sleep.
14097 - * Copy data from user space to kernel space.
14099 - * Returns number of bytes that could not be copied.
14100 - * On success, this will be zero.
14102 - * If some data could not be copied, this function will pad the copied
14103 - * data to the requested size using zero bytes.
14106 -copy_from_user(void *to, const void __user *from, unsigned long n)
14107 +void set_fs(mm_segment_t x)
14109 - if (access_ok(VERIFY_READ, from, n))
14110 - n = __copy_from_user(to, from, n);
14112 - memset(to, 0, n);
14114 + __set_fs(x, get_cpu());
14117 -EXPORT_SYMBOL(copy_from_user);
14119 +void set_fs(mm_segment_t x)
14121 + current_thread_info()->addr_limit = x;
14125 +EXPORT_SYMBOL(set_fs);
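Review bot: `pack_descriptor(&d, 0UL, limit, 0xF3, 0xC)` in __set_fs encodes the whole UDEREF bounding property in two magic numbers; a comment such as `/* present, DPL 3, R/W data segment; 4K granularity, 32-bit; limit = addr_limit in pages */` next to it, plus a header comment on __set_fs saying that this descriptor limit is what makes accesses through __USER_DS fault beyond addr_limit, would make the mechanism reviewable. Note that with 4K granularity a limit field of 0 still grants the first page, so the `if (likely(limit))` special case does not yield an empty segment; if a zero addr_limit is never expected, say so. The `get_cpu()` in set_fs needs a matching put_cpu(), which I presume sits on the elided line after `__set_fs(x, get_cpu());`. The kerneldoc for copy_to_user/copy_from_user removed here should travel with the definitions if they moved to a header.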
14126 diff -urNp linux-2.6.31/arch/x86/Makefile linux-2.6.31/arch/x86/Makefile
14127 --- linux-2.6.31/arch/x86/Makefile 2009-08-27 20:59:04.000000000 -0400
14128 +++ linux-2.6.31/arch/x86/Makefile 2009-09-06 15:29:11.238175602 -0400
14129 @@ -188,3 +188,12 @@ define archhelp
14130 echo ' FDARGS="..." arguments for the booted kernel'
14131 echo ' FDINITRD=file initrd for the booted kernel'
14136 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
14137 +*** Please upgrade your binutils to 2.18 or newer
14141 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
14142 diff -urNp linux-2.6.31/arch/x86/mm/extable.c linux-2.6.31/arch/x86/mm/extable.c
14143 --- linux-2.6.31/arch/x86/mm/extable.c 2009-08-27 20:59:04.000000000 -0400
14144 +++ linux-2.6.31/arch/x86/mm/extable.c 2009-09-06 15:29:11.239326964 -0400
14146 #include <linux/module.h>
14147 #include <linux/spinlock.h>
14148 +#include <linux/sort.h>
14149 #include <asm/uaccess.h>
14152 + * The exception table needs to be sorted so that the binary
14153 + * search that we use to find entries in it works properly.
14154 + * This is used both for the kernel exception table and for
14155 + * the exception tables of modules that get loaded.
14157 +static int cmp_ex(const void *a, const void *b)
14159 + const struct exception_table_entry *x = a, *y = b;
14161 + /* avoid overflow */
14162 + if (x->insn > y->insn)
14164 + if (x->insn < y->insn)
14169 +static void swap_ex(void *a, void *b, int size)
14171 + struct exception_table_entry t, *x = a, *y = b;
14173 +#ifdef CONFIG_PAX_KERNEXEC
14174 + unsigned long cr0;
14179 +#ifdef CONFIG_PAX_KERNEXEC
14180 + pax_open_kernel(cr0);
14186 +#ifdef CONFIG_PAX_KERNEXEC
14187 + pax_close_kernel(cr0);
14192 +void sort_extable(struct exception_table_entry *start,
14193 + struct exception_table_entry *finish)
14195 + sort(start, finish - start, sizeof(struct exception_table_entry),
14196 + cmp_ex, swap_ex);
14199 +#ifdef CONFIG_MODULES
14201 + * If the exception table is sorted, any referring to the module init
14202 + * will be at the beginning or the end.
14204 +void trim_init_extable(struct module *m)
14206 + /*trim the beginning*/
14207 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
14209 + m->num_exentries--;
14212 + while (m->num_exentries &&
14213 + within_module_init(m->extable[m->num_exentries-1].insn, m))
14214 + m->num_exentries--;
14216 +#endif /* CONFIG_MODULES */
14218 int fixup_exception(struct pt_regs *regs)
14220 const struct exception_table_entry *fixup;
14222 #ifdef CONFIG_PNPBIOS
14223 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
14224 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
14225 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
14226 extern u32 pnp_bios_is_utter_crap;
14227 pnp_bios_is_utter_crap = 1;
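Review bot: The added `!v8086_mode(regs) &&` guard in fixup_exception changes a fault-handling decision without explanation; in VM86 mode regs->cs holds a real-mode segment value rather than a selector, so SEGMENT_IS_PNP_CODE could match spuriously and the PnP BIOS fault path would be taken for a user VM86 fault, and the condition deserves a comment such as `/* in vm86 mode cs is a real-mode segment, not a selector: never treat it as PnP BIOS code */`. In swap_ex, the pax_open_kernel()/pax_close_kernel() pair runs once per element swap rather than once around the whole sort() in sort_extable; if that is deliberate (shortest possible writable window for kernel text), a comment should say so. The hunk headers for this file are missing from this view, so I am reading the new side only.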
14228 diff -urNp linux-2.6.31/arch/x86/mm/fault.c linux-2.6.31/arch/x86/mm/fault.c
14229 --- linux-2.6.31/arch/x86/mm/fault.c 2009-08-27 20:59:04.000000000 -0400
14230 +++ linux-2.6.31/arch/x86/mm/fault.c 2009-09-11 21:07:39.447754963 -0400
14231 @@ -11,10 +11,14 @@
14232 #include <linux/kprobes.h> /* __kprobes, ... */
14233 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
14234 #include <linux/perf_counter.h> /* perf_swcounter_event */
14235 +#include <linux/unistd.h>
14236 +#include <linux/compiler.h>
14238 #include <asm/traps.h> /* dotraplinkage, ... */
14239 #include <asm/pgalloc.h> /* pgd_*(), ... */
14240 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
14241 +#include <asm/tlbflush.h>
14242 +#include <asm/vsyscall.h>
14245 * Page fault error code bits:
14246 @@ -51,7 +55,7 @@ static inline int notify_page_fault(stru
14249 /* kprobe_running() needs smp_processor_id() */
14250 - if (kprobes_built_in() && !user_mode_vm(regs)) {
14251 + if (kprobes_built_in() && !user_mode(regs)) {
14253 if (kprobe_running() && kprobe_fault_handler(regs, 14))
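Review bot: Switching `user_mode_vm(regs)` to `user_mode(regs)` in notify_page_fault narrows the check unless user_mode() has been redefined elsewhere in this patch to account for the VM86 flag: in mainline 2.6.31 user_mode() looks only at the CS RPL, so a fault taken in a vm86 task would be treated as a kernel-mode fault here and offered to the kprobes fault handler. If the redefinition exists, a one-line comment at this site (`/* user_mode() covers VM86 in this tree */`) would save the next reader the search; if it does not, the original user_mode_vm() should stay. The enclosing function starts before this hunk.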
14255 @@ -171,6 +175,30 @@ force_sig_info_fault(int si_signo, int s
14256 force_sig_info(si_signo, &info, tsk);
14259 +#ifdef CONFIG_PAX_EMUTRAMP
14260 +static int pax_handle_fetch_fault(struct pt_regs *regs);
14263 +#ifdef CONFIG_PAX_PAGEEXEC
14264 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
14270 + pgd = pgd_offset(mm, address);
14271 + if (!pgd_present(*pgd))
14273 + pud = pud_offset(pgd, address);
14274 + if (!pud_present(*pud))
14276 + pmd = pmd_offset(pud, address);
14277 + if (!pmd_present(*pmd))
14283 DEFINE_SPINLOCK(pgd_lock);
14284 LIST_HEAD(pgd_list);
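Review bot: pax_get_pmd walks pgd, pud and pmd of `mm` with no comment on which lock the caller must hold for the returned pointer to stay valid, and since the walk can fail at every level (the `!pgd_present`/`!pud_present`/`!pmd_present` checks) the NULL-return contract should be spelled out as well. A header comment like `/* Returns the pmd covering @address in @mm, or NULL if any level is not present; document the lock the caller must hold for the result to stay valid */` would make later callers easier to audit. Several lines of this hunk are elided from the view, so I am reading the visible level checks only.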
14286 @@ -543,7 +571,7 @@ static int is_errata93(struct pt_regs *r
14287 static int is_errata100(struct pt_regs *regs, unsigned long address)
14289 #ifdef CONFIG_X86_64
14290 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
14291 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
14295 @@ -570,7 +598,7 @@ static int is_f00f_bug(struct pt_regs *r
14298 static const char nx_warning[] = KERN_CRIT
14299 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
14300 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
14303 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
14304 @@ -579,15 +607,31 @@ show_fault_oops(struct pt_regs *regs, un
14305 if (!oops_may_print())
14308 - if (error_code & PF_INSTR) {
14309 + if (nx_enabled && (error_code & PF_INSTR)) {
14310 unsigned int level;
14312 pte_t *pte = lookup_address(address, &level);
14314 if (pte && pte_present(*pte) && !pte_exec(*pte))
14315 - printk(nx_warning, current_uid());
14316 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
14319 +#ifdef CONFIG_PAX_KERNEXEC
14320 +#if defined(CONFIG_x86_32) && defined(CONFIG_MODULES)
14321 + if (init_mm.start_code <= address && address < (unsigned long)&MODULES_EXEC_END)
14323 + if (init_mm.start_code <= address && address < init_mm.end_code)
14326 + if (current->signal->curr_ip)
14327 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
14328 + NIPQUAD(current->signal->curr_ip), current->comm, task_pid_nr(current), current_uid(), current_euid());
14330 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
14331 + current->comm, task_pid_nr(current), current_uid(), current_euid());
14335 printk(KERN_ALERT "BUG: unable to handle kernel ");
14336 if (address < PAGE_SIZE)
14337 printk(KERN_CONT "NULL pointer dereference");
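Review bot: `#if defined(CONFIG_x86_32) && defined(CONFIG_MODULES)` tests a lowercase symbol that Kconfig never defines, so the MODULES_EXEC_END bound on the KERNEXEC report is dead code and a 32-bit write into the module text area will always be judged by the `init_mm.end_code` branch instead. The fix is the spelling: `#if defined(CONFIG_X86_32) && defined(CONFIG_MODULES)`, matching the macro used elsewhere in this series. The `#else`/`#endif` lines between the two conditions are not shown on this page, so the exact nesting is inferred.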
14338 @@ -712,6 +756,68 @@ __bad_area_nosemaphore(struct pt_regs *r
14339 unsigned long address, int si_code)
14341 struct task_struct *tsk = current;
14342 + struct mm_struct *mm = tsk->mm;
14344 +#ifdef CONFIG_X86_64
14345 + if (mm && (error_code & PF_INSTR)) {
14346 + if (regs->ip == (unsigned long)vgettimeofday) {
14347 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
14349 + } else if (regs->ip == (unsigned long)vtime) {
14350 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
14352 + } else if (regs->ip == (unsigned long)vgetcpu) {
14353 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
14359 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14360 + if (mm && (error_code & PF_USER)) {
14361 + unsigned long ip = regs->ip;
14363 + if (v8086_mode(regs))
14364 + ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);
14367 + * It's possible to have interrupts off here:
14369 + local_irq_enable();
14371 +#ifdef CONFIG_PAX_PAGEEXEC
14372 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
14373 + ((nx_enabled && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) {
14375 +#ifdef CONFIG_PAX_EMUTRAMP
14376 + switch (pax_handle_fetch_fault(regs)) {
14382 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
14383 + do_group_exit(SIGKILL);
14387 +#ifdef CONFIG_PAX_SEGMEXEC
14388 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) {
14390 +#ifdef CONFIG_PAX_EMUTRAMP
14391 + switch (pax_handle_fetch_fault(regs)) {
14397 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
14398 + do_group_exit(SIGKILL);
14405 /* User mode accesses just cause a SIGSEGV */
14406 if (error_code & PF_USER) {
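Review bot: The local `ip` is computed for v8086 mode (cs<<4 plus the 16-bit offset) but none of the visible checks use it: the PAGEEXEC test compares `regs->ip == address` and the SEGMEXEC test `regs->ip + SEGMEXEC_TASK_SIZE == address`, and pax_report_fault() is passed `regs->ip` as well, so an instruction fetch fault from a vm86 task is never recognized as a PaX fault and `ip` is dead unless it is consumed in one of the lines this page omits. If the intent is to cover vm86, the comparisons should be `ip == address` and `ip + SEGMEXEC_TASK_SIZE == address`. A second, hedged point: the x86-64 vsyscall redirect reads `mm->context.vdso` without checking it; if a process can run with no vdso mapped (vdso=0), the rewritten ip is a small bogus address rather than a clean SIGSEGV, so a `if (mm->context.vdso)` guard around that branch would be safer. The rest of __bad_area_nosemaphore() continues past this hunk.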
14407 @@ -846,6 +952,106 @@ static int spurious_fault_check(unsigned
14411 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14412 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
14417 + unsigned char pte_mask;
14419 + if (nx_enabled || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
14420 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
14423 + /* PaX: it's our fault, let's handle it if we can */
14425 + /* PaX: take a look at read faults before acquiring any locks */
14426 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
14427 + /* instruction fetch attempt from a protected page in user mode */
14428 + up_read(&mm->mmap_sem);
14430 +#ifdef CONFIG_PAX_EMUTRAMP
14431 + switch (pax_handle_fetch_fault(regs)) {
14437 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
14438 + do_group_exit(SIGKILL);
14441 + pmd = pax_get_pmd(mm, address);
14442 + if (unlikely(!pmd))
14445 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
14446 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
14447 + pte_unmap_unlock(pte, ptl);
14451 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
14452 + /* write attempt to a protected page in user mode */
14453 + pte_unmap_unlock(pte, ptl);
14458 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
14460 + if (likely(address > get_limit(regs->cs)))
14463 + set_pte(pte, pte_mkread(*pte));
14464 + __flush_tlb_one(address);
14465 + pte_unmap_unlock(pte, ptl);
14466 + up_read(&mm->mmap_sem);
14470 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
14473 + * PaX: fill DTLB with user rights and retry
14475 + __asm__ __volatile__ (
14476 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14477 + "movw %w4,%%es\n"
14480 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
14482 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
14483 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
14484 + * page fault when examined during a TLB load attempt. this is true not only
14485 + * for PTEs holding a non-present entry but also present entries that will
14486 + * raise a page fault (such as those set up by PaX, or the copy-on-write
14487 + * mechanism). in effect it means that we do *not* need to flush the TLBs
14488 + * for our target pages since their PTEs are simply not in the TLBs at all.
14490 + * the best thing in omitting it is that we gain around 15-20% speed in the
14491 + * fast path of the page fault handler and can get rid of tracing since we
14492 + * can no longer flush unintended entries.
14496 + "testb $0,%%es:(%0)\n"
14498 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14503 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
14504 + : "memory", "cc");
14505 + pte_unmap_unlock(pte, ptl);
14506 + up_read(&mm->mmap_sem);
14512 * Handle a spurious fault caused by a stale TLB entry.
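Review bot: The DTLB-fill sequence deserves a comment about its SMP window: the pte_mask setup suggests the omitted instructions temporarily OR _PAGE_USER into the pte, touch the address through %es, then clear it again, and while the pte lock keeps other page-table writers out it does not stop another CPU running the same mm from loading an ITLB entry with user execute rights during that window. If that race is accepted by design, a comment such as `/* SMP: between the user-bit set and clear another CPU of this mm may cache a user-executable TLB entry for this page */` above the asm would stop a reader from assuming the lock closes it. The comment above the `testb` explains the omitted invlpg but not this.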
14514 @@ -912,6 +1118,9 @@ int show_unhandled_signals = 1;
14516 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
14518 + if (nx_enabled && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
14522 /* write, present and write, not present: */
14523 if (unlikely(!(vma->vm_flags & VM_WRITE)))
14524 @@ -945,17 +1154,16 @@ do_page_fault(struct pt_regs *regs, unsi
14526 struct vm_area_struct *vma;
14527 struct task_struct *tsk;
14528 - unsigned long address;
14529 struct mm_struct *mm;
14533 + /* Get the faulting address: */
14534 + const unsigned long address = read_cr2();
14539 - /* Get the faulting address: */
14540 - address = read_cr2();
14543 * Detect and handle instructions that would cause a page fault for
14544 * both a tracked kernel page and a userspace page.
14545 @@ -1015,7 +1223,7 @@ do_page_fault(struct pt_regs *regs, unsi
14546 * User-mode registers count as a user access even for any
14547 * potential system fault or CPU buglet:
14549 - if (user_mode_vm(regs)) {
14550 + if (user_mode(regs)) {
14551 local_irq_enable();
14552 error_code |= PF_USER;
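Review bot: Replacing user_mode_vm() with user_mode() here (and in notify_page_fault() earlier in this file) is only correct if this series also redefines user_mode() in ptrace.h to fold in the VM86 flag; in the stock 2.6.31 header user_mode() looks at the CS RPL bits alone, and a vm86 task's real-mode CS can have RPL 0, so a vm86 fault would be classified as a kernel fault and never get PF_USER. That redefinition is not visible on this page, so please confirm it exists, or keep `if (user_mode_vm(regs)) {` here.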
14554 @@ -1069,6 +1277,11 @@ do_page_fault(struct pt_regs *regs, unsi
14558 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14559 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
14563 vma = find_vma(mm, address);
14564 if (unlikely(!vma)) {
14565 bad_area(regs, error_code, address);
14566 @@ -1080,18 +1293,24 @@ do_page_fault(struct pt_regs *regs, unsi
14567 bad_area(regs, error_code, address);
14570 - if (error_code & PF_USER) {
14572 - * Accessing the stack below %sp is always a bug.
14573 - * The large cushion allows instructions like enter
14574 - * and pusha to work. ("enter $65535, $31" pushes
14575 - * 32 pointers and then decrements %sp by 65535.)
14577 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
14578 - bad_area(regs, error_code, address);
14582 + * Accessing the stack below %sp is always a bug.
14583 + * The large cushion allows instructions like enter
14584 + * and pusha to work. ("enter $65535, $31" pushes
14585 + * 32 pointers and then decrements %sp by 65535.)
14587 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
14588 + bad_area(regs, error_code, address);
14592 +#ifdef CONFIG_PAX_SEGMEXEC
14593 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
14594 + bad_area(regs, error_code, address);
14599 if (unlikely(expand_stack(vma, address))) {
14600 bad_area(regs, error_code, address);
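Review bot: The SEGMEXEC guard relies on unsigned wraparound, `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1`, and nothing says what it rejects; as far as the arithmetic goes it fires only when the vma lies in the upper mirror while the fault address is below SEGMEXEC_TASK_SIZE, and a comment like `/* don't let a mirror-half stack vma expand across the SEGMEXEC boundary */` would make that reviewable. The switch from `regs->sp` to `task_pt_regs(tsk)->sp`, now applied to kernel-mode faults too, also needs a line explaining that this uses the user stack pointer even when the fault was taken in kernel mode (copy_to_user below the user sp). The rest of do_page_fault() lies outside this hunk.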
14602 @@ -1135,3 +1354,174 @@ good_area:
14604 up_read(&mm->mmap_sem);
14607 +#ifdef CONFIG_PAX_EMUTRAMP
14608 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
14612 + do { /* PaX: gcc trampoline emulation #1 */
14613 + unsigned char mov1, mov2;
14614 + unsigned short jmp;
14615 + unsigned int addr1, addr2;
14617 +#ifdef CONFIG_X86_64
14618 + if ((regs->ip + 11) >> 32)
14622 + err = get_user(mov1, (unsigned char __user *)regs->ip);
14623 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
14624 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
14625 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
14626 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
14631 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
14632 + regs->cx = addr1;
14633 + regs->ax = addr2;
14634 + regs->ip = addr2;
14639 + do { /* PaX: gcc trampoline emulation #2 */
14640 + unsigned char mov, jmp;
14641 + unsigned int addr1, addr2;
14643 +#ifdef CONFIG_X86_64
14644 + if ((regs->ip + 9) >> 32)
14648 + err = get_user(mov, (unsigned char __user *)regs->ip);
14649 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
14650 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
14651 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
14656 + if (mov == 0xB9 && jmp == 0xE9) {
14657 + regs->cx = addr1;
14658 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
14663 + return 1; /* PaX in action */
14666 +#ifdef CONFIG_X86_64
14667 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
14671 + do { /* PaX: gcc trampoline emulation #1 */
14672 + unsigned short mov1, mov2, jmp1;
14673 + unsigned char jmp2;
14674 + unsigned int addr1;
14675 + unsigned long addr2;
14677 + err = get_user(mov1, (unsigned short __user *)regs->ip);
14678 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
14679 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
14680 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
14681 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
14682 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
14687 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
14688 + regs->r11 = addr1;
14689 + regs->r10 = addr2;
14690 + regs->ip = addr1;
14695 + do { /* PaX: gcc trampoline emulation #2 */
14696 + unsigned short mov1, mov2, jmp1;
14697 + unsigned char jmp2;
14698 + unsigned long addr1, addr2;
14700 + err = get_user(mov1, (unsigned short __user *)regs->ip);
14701 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
14702 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
14703 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
14704 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
14705 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
14710 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
14711 + regs->r11 = addr1;
14712 + regs->r10 = addr2;
14713 + regs->ip = addr1;
14718 + return 1; /* PaX in action */
14723 + * PaX: decide what to do with offenders (regs->ip = fault address)
14725 + * returns 1 when task should be killed
14726 + * 2 when gcc trampoline was detected
14728 +static int pax_handle_fetch_fault(struct pt_regs *regs)
14730 + if (v8086_mode(regs))
14733 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
14736 +#ifdef CONFIG_X86_32
14737 + return pax_handle_fetch_fault_32(regs);
14739 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
14740 + return pax_handle_fetch_fault_32(regs);
14742 + return pax_handle_fetch_fault_64(regs);
14747 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14748 +void pax_report_insns(void *pc, void *sp)
14752 + printk(KERN_ERR "PAX: bytes at PC: ");
14753 + for (i = 0; i < 20; i++) {
14755 + if (get_user(c, (unsigned char __user *)pc+i))
14756 + printk(KERN_CONT "?? ");
14758 + printk(KERN_CONT "%02x ", c);
14762 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
14763 + for (i = -1; i < 80 / sizeof(long); i++) {
14765 + if (get_user(c, (unsigned long __user *)sp+i))
14766 +#ifdef CONFIG_X86_32
14767 + printk(KERN_CONT "???????? ");
14769 + printk(KERN_CONT "???????????????? ");
14772 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
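Review bot: In pax_report_insns() the loop `for (i = -1; i < 80 / sizeof(long); i++)` compares against a size_t, so -1 is converted to an unsigned value and the condition is false on the first test; the "bytes at SP" line prints its header and nothing else. The declaration of `i` is not shown, but this holds for int, long and unsigned long alike on x86-64 (on 32-bit only a long long would escape it). Declare `i` as long and write `for (i = -1; i < 80 / (long)sizeof(long); i++)`. The closing lines of pax_report_insns() are omitted on this page.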
14777 diff -urNp linux-2.6.31/arch/x86/mm/highmem_32.c linux-2.6.31/arch/x86/mm/highmem_32.c
14778 --- linux-2.6.31/arch/x86/mm/highmem_32.c 2009-08-27 20:59:04.000000000 -0400
14779 +++ linux-2.6.31/arch/x86/mm/highmem_32.c 2009-09-06 15:29:11.240303148 -0400
14780 @@ -32,6 +32,10 @@ void *kmap_atomic_prot(struct page *page
14781 enum fixed_addresses idx;
14782 unsigned long vaddr;
14784 +#ifdef CONFIG_PAX_KERNEXEC
14785 + unsigned long cr0;
14788 /* even !CONFIG_PREEMPT needs this, for in_atomic in do_page_fault */
14789 pagefault_disable();
14791 @@ -43,8 +47,17 @@ void *kmap_atomic_prot(struct page *page
14792 idx = type + KM_TYPE_NR*smp_processor_id();
14793 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
14794 BUG_ON(!pte_none(*(kmap_pte-idx)));
14796 +#ifdef CONFIG_PAX_KERNEXEC
14797 + pax_open_kernel(cr0);
14800 set_pte(kmap_pte-idx, mk_pte(page, prot));
14802 +#ifdef CONFIG_PAX_KERNEXEC
14803 + pax_close_kernel(cr0);
14806 return (void *)vaddr;
14809 @@ -58,15 +71,29 @@ void kunmap_atomic(void *kvaddr, enum km
14810 unsigned long vaddr = (unsigned long) kvaddr & PAGE_MASK;
14811 enum fixed_addresses idx = type + KM_TYPE_NR*smp_processor_id();
14813 +#ifdef CONFIG_PAX_KERNEXEC
14814 + unsigned long cr0;
14818 * Force other mappings to Oops if they'll try to access this pte
14819 * without first remap it. Keeping stale mappings around is a bad idea
14820 * also, in case the page changes cacheability attributes or becomes
14821 * a protected page in a hypervisor.
14823 - if (vaddr == __fix_to_virt(FIX_KMAP_BEGIN+idx))
14824 + if (vaddr == __fix_to_virt(FIX_KMAP_BEGIN+idx)) {
14826 +#ifdef CONFIG_PAX_KERNEXEC
14827 + pax_open_kernel(cr0);
14830 kpte_clear_flush(kmap_pte-idx, vaddr);
14833 +#ifdef CONFIG_PAX_KERNEXEC
14834 + pax_close_kernel(cr0);
14838 #ifdef CONFIG_DEBUG_HIGHMEM
14839 BUG_ON(vaddr < PAGE_OFFSET);
14840 BUG_ON(vaddr >= (unsigned long)high_memory);
14841 diff -urNp linux-2.6.31/arch/x86/mm/hugetlbpage.c linux-2.6.31/arch/x86/mm/hugetlbpage.c
14842 --- linux-2.6.31/arch/x86/mm/hugetlbpage.c 2009-08-27 20:59:04.000000000 -0400
14843 +++ linux-2.6.31/arch/x86/mm/hugetlbpage.c 2009-09-06 15:29:11.240303148 -0400
14844 @@ -267,13 +267,18 @@ static unsigned long hugetlb_get_unmappe
14845 struct hstate *h = hstate_file(file);
14846 struct mm_struct *mm = current->mm;
14847 struct vm_area_struct *vma;
14848 - unsigned long start_addr;
14849 + unsigned long start_addr, pax_task_size = TASK_SIZE;
14851 +#ifdef CONFIG_PAX_SEGMEXEC
14852 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14853 + pax_task_size = SEGMEXEC_TASK_SIZE;
14856 if (len > mm->cached_hole_size) {
14857 - start_addr = mm->free_area_cache;
14858 + start_addr = mm->free_area_cache;
14860 - start_addr = TASK_UNMAPPED_BASE;
14861 - mm->cached_hole_size = 0;
14862 + start_addr = mm->mmap_base;
14863 + mm->cached_hole_size = 0;
14867 @@ -281,13 +286,13 @@ full_search:
14869 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
14870 /* At this point: (!vma || addr < vma->vm_end). */
14871 - if (TASK_SIZE - len < addr) {
14872 + if (pax_task_size - len < addr) {
14874 * Start a new search - just in case we missed
14877 - if (start_addr != TASK_UNMAPPED_BASE) {
14878 - start_addr = TASK_UNMAPPED_BASE;
14879 + if (start_addr != mm->mmap_base) {
14880 + start_addr = mm->mmap_base;
14881 mm->cached_hole_size = 0;
14884 @@ -310,9 +315,8 @@ static unsigned long hugetlb_get_unmappe
14885 struct hstate *h = hstate_file(file);
14886 struct mm_struct *mm = current->mm;
14887 struct vm_area_struct *vma, *prev_vma;
14888 - unsigned long base = mm->mmap_base, addr = addr0;
14889 + unsigned long base = mm->mmap_base, addr;
14890 unsigned long largest_hole = mm->cached_hole_size;
14891 - int first_time = 1;
14893 /* don't allow allocations above current base */
14894 if (mm->free_area_cache > base)
14895 @@ -322,7 +326,7 @@ static unsigned long hugetlb_get_unmappe
14897 mm->free_area_cache = base;
14901 /* make sure it can fit in the remaining address space */
14902 if (mm->free_area_cache < len)
14904 @@ -364,22 +368,26 @@ try_again:
14908 - * if hint left us with no space for the requested
14909 - * mapping then try again:
14911 - if (first_time) {
14912 - mm->free_area_cache = base;
14913 - largest_hole = 0;
14918 * A failed mmap() very likely causes application failure,
14919 * so fall back to the bottom-up function here. This scenario
14920 * can happen with large stack limits and large mmap()
14923 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14925 +#ifdef CONFIG_PAX_SEGMEXEC
14926 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14927 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14931 + mm->mmap_base = TASK_UNMAPPED_BASE;
14933 +#ifdef CONFIG_PAX_RANDMMAP
14934 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14935 + mm->mmap_base += mm->delta_mmap;
14938 + mm->free_area_cache = mm->mmap_base;
14939 mm->cached_hole_size = ~0UL;
14940 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
14941 len, pgoff, flags);
14942 @@ -387,6 +395,7 @@ fail:
14944 * Restore the topdown base:
14946 + mm->mmap_base = base;
14947 mm->free_area_cache = base;
14948 mm->cached_hole_size = ~0UL;
14950 @@ -400,10 +409,17 @@ hugetlb_get_unmapped_area(struct file *f
14951 struct hstate *h = hstate_file(file);
14952 struct mm_struct *mm = current->mm;
14953 struct vm_area_struct *vma;
14954 + unsigned long pax_task_size = TASK_SIZE;
14956 if (len & ~huge_page_mask(h))
14958 - if (len > TASK_SIZE)
14960 +#ifdef CONFIG_PAX_SEGMEXEC
14961 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14962 + pax_task_size = SEGMEXEC_TASK_SIZE;
14965 + if (len > pax_task_size)
14968 if (flags & MAP_FIXED) {
14969 @@ -415,7 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
14971 addr = ALIGN(addr, huge_page_size(h));
14972 vma = find_vma(mm, addr);
14973 - if (TASK_SIZE - len >= addr &&
14974 + if (pax_task_size - len >= addr &&
14975 (!vma || addr + len <= vma->vm_start))
14978 diff -urNp linux-2.6.31/arch/x86/mm/init_32.c linux-2.6.31/arch/x86/mm/init_32.c
14979 --- linux-2.6.31/arch/x86/mm/init_32.c 2009-08-27 20:59:04.000000000 -0400
14980 +++ linux-2.6.31/arch/x86/mm/init_32.c 2009-09-06 15:29:11.241240068 -0400
14982 #include <asm/cacheflush.h>
14983 #include <asm/page_types.h>
14984 #include <asm/init.h>
14985 +#include <asm/desc.h>
14987 unsigned long highstart_pfn, highend_pfn;
14989 @@ -72,36 +73,6 @@ static __init void *alloc_low_page(void)
14993 - * Creates a middle page table and puts a pointer to it in the
14994 - * given global directory entry. This only returns the gd entry
14995 - * in non-PAE compilation mode, since the middle layer is folded.
14997 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
15000 - pmd_t *pmd_table;
15002 -#ifdef CONFIG_X86_PAE
15003 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
15004 - if (after_bootmem)
15005 - pmd_table = (pmd_t *)alloc_bootmem_low_pages(PAGE_SIZE);
15007 - pmd_table = (pmd_t *)alloc_low_page();
15008 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
15009 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
15010 - pud = pud_offset(pgd, 0);
15011 - BUG_ON(pmd_table != pmd_offset(pud, 0));
15013 - return pmd_table;
15016 - pud = pud_offset(pgd, 0);
15017 - pmd_table = pmd_offset(pud, 0);
15019 - return pmd_table;
15023 * Create a page table and place a pointer to it in a middle page
15026 @@ -121,13 +92,28 @@ static pte_t * __init one_page_table_ini
15027 page_table = (pte_t *)alloc_low_page();
15029 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
15030 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
15031 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
15033 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
15035 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
15038 return pte_offset_kernel(pmd, 0);
15041 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
15044 + pmd_t *pmd_table;
15046 + pud = pud_offset(pgd, 0);
15047 + pmd_table = pmd_offset(pud, 0);
15049 + return pmd_table;
15052 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
15054 int pgd_idx = pgd_index(vaddr);
15055 @@ -201,6 +187,7 @@ page_table_range_init(unsigned long star
15056 int pgd_idx, pmd_idx;
15057 unsigned long vaddr;
15063 @@ -210,8 +197,13 @@ page_table_range_init(unsigned long star
15064 pgd = pgd_base + pgd_idx;
15066 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
15067 - pmd = one_md_table_init(pgd);
15068 - pmd = pmd + pmd_index(vaddr);
15069 + pud = pud_offset(pgd, vaddr);
15070 + pmd = pmd_offset(pud, vaddr);
15072 +#ifdef CONFIG_X86_PAE
15073 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
15076 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
15077 pmd++, pmd_idx++) {
15078 pte = page_table_kmap_check(one_page_table_init(pmd),
15079 @@ -223,11 +215,23 @@ page_table_range_init(unsigned long star
15083 -static inline int is_kernel_text(unsigned long addr)
15084 +static inline int is_kernel_text(unsigned long start, unsigned long end)
15086 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
15089 + unsigned long etext;
15091 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
15092 + etext = ktva_ktla((unsigned long)&MODULES_EXEC_END);
15094 + etext = (unsigned long)&_etext;
15097 + if ((start > ktla_ktva(etext) ||
15098 + end <= ktla_ktva((unsigned long)_stext)) &&
15099 + (start > ktla_ktva((unsigned long)_einittext) ||
15100 + end <= ktla_ktva((unsigned long)_sinittext)) &&
15101 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
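Review bot: is_kernel_text() is off by one on its exclusive end symbols: a range is disjoint from [stext, etext) when `start >= etext`, but the test uses `start > ktla_ktva(etext)` and likewise `start > ktla_ktva(_einittext)`, so a page or PMD that begins exactly at etext (or _einittext) is still treated as text and mapped executable by the callers in this file; whether that can happen depends on the alignment of _etext/MODULES_EXEC_END in the linker script, but the safe spelling is `start >= ktla_ktva(etext)` and `start >= ktla_ktva((unsigned long)_einittext)` (the `__va(0xfffff)` bound is an inclusive last byte, so `>` is right there). The return statements are omitted here, so this assumes the tail returns 0 for the disjoint case and 1 otherwise. Keeping the legacy 0xc0000-0xfffff hole executable is also unexplained; if it is for BIOS32/PCI BIOS calls made through the direct map, a one-line comment saying so would help.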
15107 @@ -243,9 +247,10 @@ kernel_physical_mapping_init(unsigned lo
15108 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
15109 unsigned long start_pfn, end_pfn;
15110 pgd_t *pgd_base = swapper_pg_dir;
15111 - int pgd_idx, pmd_idx, pte_ofs;
15112 + unsigned int pgd_idx, pmd_idx, pte_ofs;
15118 unsigned pages_2m, pages_4k;
15119 @@ -278,8 +283,13 @@ repeat:
15121 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
15122 pgd = pgd_base + pgd_idx;
15123 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
15124 - pmd = one_md_table_init(pgd);
15125 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
15126 + pud = pud_offset(pgd, 0);
15127 + pmd = pmd_offset(pud, 0);
15129 +#ifdef CONFIG_X86_PAE
15130 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
15133 if (pfn >= end_pfn)
15135 @@ -291,14 +301,13 @@ repeat:
15137 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
15138 pmd++, pmd_idx++) {
15139 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
15140 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
15143 * Map with big pages if possible, otherwise
15144 * create normal page tables:
15147 - unsigned int addr2;
15148 pgprot_t prot = PAGE_KERNEL_LARGE;
15150 * first pass will use the same initial
15151 @@ -308,11 +317,7 @@ repeat:
15152 __pgprot(PTE_IDENT_ATTR |
15155 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
15156 - PAGE_OFFSET + PAGE_SIZE-1;
15158 - if (is_kernel_text(addr) ||
15159 - is_kernel_text(addr2))
15160 + if (is_kernel_text(address, address + PMD_SIZE))
15161 prot = PAGE_KERNEL_LARGE_EXEC;
15164 @@ -329,7 +334,7 @@ repeat:
15165 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
15167 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
15168 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
15169 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
15170 pgprot_t prot = PAGE_KERNEL;
15172 * first pass will use the same initial
15173 @@ -337,7 +342,7 @@ repeat:
15175 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
15177 - if (is_kernel_text(addr))
15178 + if (is_kernel_text(address, address + PAGE_SIZE))
15179 prot = PAGE_KERNEL_EXEC;
15182 @@ -489,7 +494,7 @@ void __init native_pagetable_setup_start
15184 pud = pud_offset(pgd, va);
15185 pmd = pmd_offset(pud, va);
15186 - if (!pmd_present(*pmd))
15187 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
15190 pte = pte_offset_kernel(pmd, va);
15191 @@ -541,9 +546,7 @@ void __init early_ioremap_page_table_ran
15193 static void __init pagetable_init(void)
15195 - pgd_t *pgd_base = swapper_pg_dir;
15197 - permanent_kmaps_init(pgd_base);
15198 + permanent_kmaps_init(swapper_pg_dir);
15201 #ifdef CONFIG_ACPI_SLEEP
15202 @@ -551,12 +554,12 @@ static void __init pagetable_init(void)
15203 * ACPI suspend needs this for resume, because things like the intel-agp
15204 * driver might have split up a kernel 4MB mapping.
15206 -char swsusp_pg_dir[PAGE_SIZE]
15207 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
15208 __attribute__ ((aligned(PAGE_SIZE)));
15210 static inline void save_pg_dir(void)
15212 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
15213 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
15215 #else /* !CONFIG_ACPI_SLEEP */
15216 static inline void save_pg_dir(void)
15217 @@ -588,7 +591,7 @@ void zap_low_mappings(bool early)
15221 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
15222 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
15223 EXPORT_SYMBOL_GPL(__supported_pte_mask);
15225 /* user-defined highmem size */
15226 @@ -883,7 +886,7 @@ void __init mem_init(void)
15227 set_highmem_pages_init();
15229 codesize = (unsigned long) &_etext - (unsigned long) &_text;
15230 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
15231 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
15232 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
15234 kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
15235 @@ -929,10 +932,10 @@ void __init mem_init(void)
15236 ((unsigned long)&__init_end -
15237 (unsigned long)&__init_begin) >> 10,
15239 - (unsigned long)&_etext, (unsigned long)&_edata,
15240 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
15241 + (unsigned long)&_sdata, (unsigned long)&_edata,
15242 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
15244 - (unsigned long)&_text, (unsigned long)&_etext,
15245 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
15246 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
15249 diff -urNp linux-2.6.31/arch/x86/mm/init_64.c linux-2.6.31/arch/x86/mm/init_64.c
15250 --- linux-2.6.31/arch/x86/mm/init_64.c 2009-08-27 20:59:04.000000000 -0400
15251 +++ linux-2.6.31/arch/x86/mm/init_64.c 2009-09-06 15:29:11.242252166 -0400
15252 @@ -159,12 +159,24 @@ void set_pte_vaddr_pud(pud_t *pud_page,
15256 +#ifdef CONFIG_PAX_KERNEXEC
15257 + unsigned long cr0;
15260 pud = pud_page + pud_index(vaddr);
15261 pmd = fill_pmd(pud, vaddr);
15262 pte = fill_pte(pmd, vaddr);
15264 +#ifdef CONFIG_PAX_KERNEXEC
15265 + pax_open_kernel(cr0);
15268 set_pte(pte, new_pte);
15270 +#ifdef CONFIG_PAX_KERNEXEC
15271 + pax_close_kernel(cr0);
15275 * It's enough to flush this one mapping.
15276 * (PGE mappings get flushed as well)
15277 @@ -222,14 +234,12 @@ static void __init __init_extra_mapping(
15278 pgd = pgd_offset_k((unsigned long)__va(phys));
15279 if (pgd_none(*pgd)) {
15280 pud = (pud_t *) spp_getpage();
15281 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
15283 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
15285 pud = pud_offset(pgd, (unsigned long)__va(phys));
15286 if (pud_none(*pud)) {
15287 pmd = (pmd_t *) spp_getpage();
15288 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
15290 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
15292 pmd = pmd_offset(pud, phys);
15293 BUG_ON(!pmd_none(*pmd));
15294 @@ -848,8 +858,8 @@ int kern_addr_valid(unsigned long addr)
15295 static struct vm_area_struct gate_vma = {
15296 .vm_start = VSYSCALL_START,
15297 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
15298 - .vm_page_prot = PAGE_READONLY_EXEC,
15299 - .vm_flags = VM_READ | VM_EXEC
15300 + .vm_page_prot = PAGE_READONLY,
15301 + .vm_flags = VM_READ
15304 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
15305 @@ -883,7 +893,7 @@ int in_gate_area_no_task(unsigned long a
15307 const char *arch_vma_name(struct vm_area_struct *vma)
15309 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
15310 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
15312 if (vma == &gate_vma)
15313 return "[vsyscall]";
15314 diff -urNp linux-2.6.31/arch/x86/mm/init.c linux-2.6.31/arch/x86/mm/init.c
15315 --- linux-2.6.31/arch/x86/mm/init.c 2009-08-27 20:59:04.000000000 -0400
15316 +++ linux-2.6.31/arch/x86/mm/init.c 2009-09-06 15:29:11.242252166 -0400
15317 @@ -28,11 +28,11 @@ int direct_gbpages
15321 +#ifdef CONFIG_X86_32
15325 -#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
15326 -static int disable_nx __cpuinitdata;
15328 +#if defined(CONFIG_X86_PAE) && !defined(CONFIG_PAX_PAGEEXEC)
15332 @@ -46,11 +46,9 @@ static int __init noexec_setup(char *str
15335 if (!strncmp(str, "on", 2)) {
15336 - __supported_pte_mask |= _PAGE_NX;
15339 } else if (!strncmp(str, "off", 3)) {
15341 - __supported_pte_mask &= ~_PAGE_NX;
15346 @@ -60,18 +58,13 @@ early_param("noexec", noexec_setup);
15347 #ifdef CONFIG_X86_PAE
15348 static void __init set_nx(void)
15350 - unsigned int v[4], l, h;
15351 + if (!nx_enabled && cpu_has_nx) {
15354 - if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
15355 - cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
15357 - if ((v[3] & (1 << 20)) && !disable_nx) {
15358 - rdmsr(MSR_EFER, l, h);
15360 - wrmsr(MSR_EFER, l, h);
15362 - __supported_pte_mask |= _PAGE_NX;
15364 + __supported_pte_mask &= ~_PAGE_NX;
15365 + rdmsr(MSR_EFER, l, h);
15367 + wrmsr(MSR_EFER, l, h);
15371 @@ -86,7 +79,7 @@ void __cpuinit check_efer(void)
15372 unsigned long efer;
15374 rdmsrl(MSR_EFER, efer);
15375 - if (!(efer & EFER_NX) || disable_nx)
15376 + if (!(efer & EFER_NX) || !nx_enabled)
15377 __supported_pte_mask &= ~_PAGE_NX;
15380 @@ -394,7 +387,13 @@ unsigned long __init_refok init_memory_m
15382 int devmem_is_allowed(unsigned long pagenr)
15384 - if (pagenr <= 256)
15387 +#ifdef CONFIG_VM86
15388 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
15391 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
15393 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
15395 @@ -442,6 +441,76 @@ void free_init_pages(char *what, unsigne
15397 void free_initmem(void)
15400 +#ifdef CONFIG_PAX_KERNEXEC
15405 +#ifdef CONFIG_X86_32
15406 + /* PaX: limit KERNEL_CS to actual size */
15407 + unsigned long addr, limit;
15408 + struct desc_struct d;
15411 +#ifdef CONFIG_MODULES
15412 + limit = ktva_ktla((unsigned long)&MODULES_EXEC_END);
15414 + limit = (unsigned long)&_etext;
15416 + limit = (limit - 1UL) >> PAGE_SHIFT;
15418 + memset(KERNEL_TEXT_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
15419 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
15420 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
15421 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
15424 + /* PaX: make KERNEL_CS read-only */
15425 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
15426 + pgd = pgd_offset_k(addr);
15427 + pud = pud_offset(pgd, addr);
15428 + pmd = pmd_offset(pud, addr);
15429 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
15431 +#ifdef CONFIG_X86_PAE
15432 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
15433 + pgd = pgd_offset_k(addr);
15434 + pud = pud_offset(pgd, addr);
15435 + pmd = pmd_offset(pud, addr);
15436 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
15440 + unsigned long addr, end;
15442 + /* PaX: make kernel code/rodata read-only, rest non-executable */
15443 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
15444 + pgd = pgd_offset_k(addr);
15445 + pud = pud_offset(pgd, addr);
15446 + pmd = pmd_offset(pud, addr);
15447 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
15448 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
15450 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
15453 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
15454 + end = addr + KERNEL_IMAGE_SIZE;
15455 + for (; addr < end; addr += PMD_SIZE) {
15456 + pgd = pgd_offset_k(addr);
15457 + pud = pud_offset(pgd, addr);
15458 + pmd = pmd_offset(pud, addr);
15459 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
15460 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
15462 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
15469 free_init_pages("unused kernel memory",
15470 (unsigned long)(&__init_begin),
15471 (unsigned long)(&__init_end));
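Review bot: The GDT-limit loop `for (cpu = 0; cpu < NR_CPUS; cpu++)` walks every slot up to NR_CPUS instead of using `for_each_possible_cpu(cpu)`, the idiom for touching per-CPU data; the same loop shape is added in bios32_service() in arch/x86/pci/pcbios.c later in this diff. The read-only/NX classification tests each PMD_SIZE block by its start address (`_text <= addr && addr < _sdata`), so a block that straddles `_sdata` is made read-only together with the data that follows it — presumably the linker script aligns `_sdata` to PMD_SIZE, and a comment stating that assumption belongs above the loop. The `0x9B, 0xC` arguments to pack_descriptor() deserve `/* present, DPL0, exec/read code; 4K granularity, 32-bit */`. Whether a TLB flush follows the set_pmd() loops cannot be seen here, as the lines between the last loop and free_init_pages() are not shown; the body of free_initmem() starts outside the visible hunk lines.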
15472 diff -urNp linux-2.6.31/arch/x86/mm/iomap_32.c linux-2.6.31/arch/x86/mm/iomap_32.c
15473 --- linux-2.6.31/arch/x86/mm/iomap_32.c 2009-08-27 20:59:04.000000000 -0400
15474 +++ linux-2.6.31/arch/x86/mm/iomap_32.c 2009-09-06 15:29:11.242252166 -0400
15475 @@ -37,12 +37,26 @@ void *kmap_atomic_prot_pfn(unsigned long
15476 enum fixed_addresses idx;
15477 unsigned long vaddr;
15479 +#ifdef CONFIG_PAX_KERNEXEC
15480 + unsigned long cr0;
15483 pagefault_disable();
15485 debug_kmap_atomic(type);
15486 idx = type + KM_TYPE_NR * smp_processor_id();
15487 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
15489 +#ifdef CONFIG_PAX_KERNEXEC
15490 + pax_open_kernel(cr0);
15493 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
15495 +#ifdef CONFIG_PAX_KERNEXEC
15496 + pax_close_kernel(cr0);
15499 arch_flush_lazy_mmu_mode();
15501 return (void *)vaddr;
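Review bot: Each KERNEXEC site now carries three `#ifdef CONFIG_PAX_KERNEXEC` blocks — the `cr0` declaration, pax_open_kernel(cr0), pax_close_kernel(cr0) — around a single PTE write; the same shape is repeated in __set_pmd_pte() in arch/x86/mm/pageattr.c, set_pte_vaddr() in arch/x86/mm/pgtable_32.c and fix_processor_context() in arch/x86/power/cpu.c. If the open/close pair and its cr0 local were provided as macros that expand to nothing when KERNEXEC is off, every site would collapse to two unconditional lines and the window between open and close would be easier to audit. Here the window correctly contains only the set_pte(); keep it that way, since whatever runs between the two calls presumably executes with CR0.WP lifted, given the cr0 argument.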
15502 diff -urNp linux-2.6.31/arch/x86/mm/ioremap.c linux-2.6.31/arch/x86/mm/ioremap.c
15503 --- linux-2.6.31/arch/x86/mm/ioremap.c 2009-08-27 20:59:04.000000000 -0400
15504 +++ linux-2.6.31/arch/x86/mm/ioremap.c 2009-09-06 15:30:00.015296947 -0400
15505 @@ -111,8 +111,8 @@ int page_is_ram(unsigned long pagenr)
15506 * Second special case: Some BIOSen report the PC BIOS
15507 * area (640->1Mb) as ram even though it is not.
15509 - if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
15510 - pagenr < (BIOS_END >> PAGE_SHIFT))
15511 + if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
15512 + pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
15515 for (i = 0; i < e820.nr_map; i++) {
15516 @@ -207,10 +207,7 @@ static void __iomem *__ioremap_caller(re
15518 * Don't allow anybody to remap normal RAM that we're using..
15520 - for (pfn = phys_addr >> PAGE_SHIFT;
15521 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
15524 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
15525 int is_ram = page_is_ram(pfn);
15527 if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
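Review bot: The `(resource_size_t)pfn << PAGE_SHIFT` cast in the rewritten loop condition is the real fix — the old `pfn << PAGE_SHIFT` was evaluated in the width of pfn (presumably unsigned long) and wraps for physical addresses above 4 GiB on 32-bit PAE — but nothing marks it as intentional, so a later cleanup could drop it. Add `/* widen before shifting: pfn << PAGE_SHIFT wraps above 4 GiB on 32-bit PAE */` above the for. Folding the three-line for header onto one line was not needed for the fix and could be reverted for readability; the rest of __ioremap_caller() is outside the hunk.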
15528 @@ -272,6 +269,8 @@ static void __iomem *__ioremap_caller(re
15532 + prot = canon_pgprot(prot);
15537 @@ -489,7 +488,7 @@ static int __init early_ioremap_debug_se
15538 early_param("early_ioremap_debug", early_ioremap_debug_setup);
15540 static __initdata int after_paging_init;
15541 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
15542 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
15544 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
15546 @@ -521,8 +520,7 @@ void __init early_ioremap_init(void)
15547 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
15549 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
15550 - memset(bm_pte, 0, sizeof(bm_pte));
15551 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
15552 + pmd_populate_user(&init_mm, pmd, bm_pte);
15555 * The boot-ioremap range spans multiple pmds, for which
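Review bot: The switch from pmd_populate_kernel() to pmd_populate_user() for the early-ioremap PMD, together with the dropped `memset(bm_pte, 0, sizeof(bm_pte))`, has no explanation in the hunk; a reader will take it to mean the fixmap PTE table is being made user-accessible, which is not what a hardening patch wants. If the reason is tied to bm_pte now being `__read_only` (previous hunk), say so next to the call, e.g. `/* bm_pte is in the read-only section and statically zero; <reason pmd_populate_user is required> */` with the placeholder filled in — from here I cannot tell whether the two helpers differ only in the _PAGE_USER bit or in how they write the table. Dropping the memset relies on static zero-initialisation of bm_pte, which holds, but it is worth a word since the array used to live in __page_aligned_bss.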
15556 diff -urNp linux-2.6.31/arch/x86/mm/mmap.c linux-2.6.31/arch/x86/mm/mmap.c
15557 --- linux-2.6.31/arch/x86/mm/mmap.c 2009-08-27 20:59:04.000000000 -0400
15558 +++ linux-2.6.31/arch/x86/mm/mmap.c 2009-09-06 15:29:11.243227672 -0400
15560 * Leave an at least ~128 MB hole.
15562 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
15563 -#define MAX_GAP (TASK_SIZE/6*5)
15564 +#define MAX_GAP (pax_task_size/6*5)
15567 * True on X86_32 or when emulating IA32 on X86_64
15568 @@ -81,27 +81,40 @@ static unsigned long mmap_rnd(void)
15569 return rnd << PAGE_SHIFT;
15572 -static unsigned long mmap_base(void)
15573 +static unsigned long mmap_base(struct mm_struct *mm)
15575 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
15576 + unsigned long pax_task_size = TASK_SIZE;
15578 +#ifdef CONFIG_PAX_SEGMEXEC
15579 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
15580 + pax_task_size = SEGMEXEC_TASK_SIZE;
15585 else if (gap > MAX_GAP)
15588 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
15589 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
15593 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
15594 * does, but not when emulating X86_32
15596 -static unsigned long mmap_legacy_base(void)
15597 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
15599 - if (mmap_is_ia32())
15600 + if (mmap_is_ia32()) {
15602 +#ifdef CONFIG_PAX_SEGMEXEC
15603 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
15604 + return SEGMEXEC_TASK_UNMAPPED_BASE;
15608 return TASK_UNMAPPED_BASE;
15611 return TASK_UNMAPPED_BASE + mmap_rnd();
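Review bot: `MAX_GAP`, redefined in the earlier hunk as `(pax_task_size/6*5)`, now silently refers to a local variable that exists only inside mmap_base(), so the macro compiles only there and breaks if it is used elsewhere or the local is renamed. Either make it function-like, `#define MAX_GAP(task_size) ((task_size)/6*5)`, and write `else if (gap > MAX_GAP(pax_task_size))` at the clamp, or put `/* uses the pax_task_size local of mmap_base() */` beside the definition. The SEGMEXEC selection of SEGMEXEC_TASK_SIZE is straightforward; the MIN_GAP side of the clamp is on lines not shown.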
15614 @@ -112,11 +125,23 @@ static unsigned long mmap_legacy_base(vo
15615 void arch_pick_mmap_layout(struct mm_struct *mm)
15617 if (mmap_is_legacy()) {
15618 - mm->mmap_base = mmap_legacy_base();
15619 + mm->mmap_base = mmap_legacy_base(mm);
15621 +#ifdef CONFIG_PAX_RANDMMAP
15622 + if (mm->pax_flags & MF_PAX_RANDMMAP)
15623 + mm->mmap_base += mm->delta_mmap;
15626 mm->get_unmapped_area = arch_get_unmapped_area;
15627 mm->unmap_area = arch_unmap_area;
15629 - mm->mmap_base = mmap_base();
15630 + mm->mmap_base = mmap_base(mm);
15632 +#ifdef CONFIG_PAX_RANDMMAP
15633 + if (mm->pax_flags & MF_PAX_RANDMMAP)
15634 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
15637 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
15638 mm->unmap_area = arch_unmap_area_topdown;
15640 diff -urNp linux-2.6.31/arch/x86/mm/numa_32.c linux-2.6.31/arch/x86/mm/numa_32.c
15641 --- linux-2.6.31/arch/x86/mm/numa_32.c 2009-08-27 20:59:04.000000000 -0400
15642 +++ linux-2.6.31/arch/x86/mm/numa_32.c 2009-09-06 15:29:11.244205366 -0400
15643 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
15647 -extern unsigned long find_max_low_pfn(void);
15648 extern unsigned long highend_pfn, highstart_pfn;
15650 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
15651 diff -urNp linux-2.6.31/arch/x86/mm/pageattr.c linux-2.6.31/arch/x86/mm/pageattr.c
15652 --- linux-2.6.31/arch/x86/mm/pageattr.c 2009-08-27 20:59:04.000000000 -0400
15653 +++ linux-2.6.31/arch/x86/mm/pageattr.c 2009-09-06 15:29:11.244205366 -0400
15655 #include <asm/pgalloc.h>
15656 #include <asm/proto.h>
15657 #include <asm/pat.h>
15658 +#include <asm/desc.h>
15661 * The current flushing context - we pass it instead of 5 arguments:
15662 @@ -266,9 +267,10 @@ static inline pgprot_t static_protection
15663 * Does not cover __inittext since that is gone later on. On
15664 * 64bit we do not enforce !NX on the low mapping
15666 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
15667 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
15668 pgprot_val(forbidden) |= _PAGE_NX;
15670 +#ifdef CONFIG_DEBUG_RODATA
15672 * The .rodata section needs to be read-only. Using the pfn
15673 * catches all aliases.
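Review bot: The `.rodata` write-protection test (the `within(pfn, __pa(__start_rodata) …)` check in the following hunk) is now compiled only under the `#ifdef CONFIG_DEBUG_RODATA` added here, whereas the context lines show it was unconditional before; the matching `#endif` is not shown. A build with neither CONFIG_DEBUG_RODATA nor CONFIG_PAX_KERNEXEC therefore loses a static_protections() check that previously applied to every CPA request. If the intent is that KERNEXEC's pmd-level read-only mapping (the free_initmem() hunk earlier in this diff) supersedes it, the guard should probably also keep the check under CONFIG_PAX_KERNEXEC, and a one-line comment should say why it is dropped otherwise; the surrounding function continues outside both hunks.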
15674 @@ -276,6 +278,7 @@ static inline pgprot_t static_protection
15675 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
15676 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
15677 pgprot_val(forbidden) |= _PAGE_RW;
15680 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
15682 @@ -328,8 +331,20 @@ EXPORT_SYMBOL_GPL(lookup_address);
15684 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
15687 +#ifdef CONFIG_PAX_KERNEXEC
15688 + unsigned long cr0;
15690 + pax_open_kernel(cr0);
15693 /* change init_mm */
15694 set_pte_atomic(kpte, pte);
15696 +#ifdef CONFIG_PAX_KERNEXEC
15697 + pax_close_kernel(cr0);
15700 #ifdef CONFIG_X86_32
15701 if (!SHARED_KERNEL_PMD) {
15703 diff -urNp linux-2.6.31/arch/x86/mm/pageattr-test.c linux-2.6.31/arch/x86/mm/pageattr-test.c
15704 --- linux-2.6.31/arch/x86/mm/pageattr-test.c 2009-08-27 20:59:04.000000000 -0400
15705 +++ linux-2.6.31/arch/x86/mm/pageattr-test.c 2009-09-06 15:29:11.245186270 -0400
15706 @@ -36,7 +36,7 @@ enum {
15708 static int pte_testbit(pte_t pte)
15710 - return pte_flags(pte) & _PAGE_UNUSED1;
15711 + return pte_flags(pte) & _PAGE_CPA_TEST;
15714 struct split_state {
15715 diff -urNp linux-2.6.31/arch/x86/mm/pat.c linux-2.6.31/arch/x86/mm/pat.c
15716 --- linux-2.6.31/arch/x86/mm/pat.c 2009-08-27 20:59:04.000000000 -0400
15717 +++ linux-2.6.31/arch/x86/mm/pat.c 2009-09-06 15:29:11.245186270 -0400
15718 @@ -213,7 +213,7 @@ chk_conflict(struct memtype *new, struct
15721 printk(KERN_INFO "%s:%d conflicting memory types "
15722 - "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
15723 + "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
15724 new->end, cattr_name(new->type), cattr_name(entry->type));
15727 @@ -487,7 +487,7 @@ int free_memtype(u64 start, u64 end)
15730 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
15731 - current->comm, current->pid, start, end);
15732 + current->comm, task_pid_nr(current), start, end);
15735 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
15736 @@ -588,7 +588,7 @@ int kernel_map_sync_memtype(u64 base, un
15738 "%s:%d ioremap_change_attr failed %s "
15740 - current->comm, current->pid,
15741 + current->comm, task_pid_nr(current),
15743 base, (unsigned long long)(base + size));
15745 @@ -628,7 +628,7 @@ static int reserve_pfn_range(u64 paddr,
15746 free_memtype(paddr, paddr + size);
15747 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
15748 " for %Lx-%Lx, got %s\n",
15749 - current->comm, current->pid,
15750 + current->comm, task_pid_nr(current),
15751 cattr_name(want_flags),
15752 (unsigned long long)paddr,
15753 (unsigned long long)(paddr + size),
15754 @@ -827,7 +827,7 @@ static int memtype_seq_show(struct seq_f
15758 -static struct seq_operations memtype_seq_ops = {
15759 +static const struct seq_operations memtype_seq_ops = {
15760 .start = memtype_seq_start,
15761 .next = memtype_seq_next,
15762 .stop = memtype_seq_stop,
15763 diff -urNp linux-2.6.31/arch/x86/mm/pgtable_32.c linux-2.6.31/arch/x86/mm/pgtable_32.c
15764 --- linux-2.6.31/arch/x86/mm/pgtable_32.c 2009-08-27 20:59:04.000000000 -0400
15765 +++ linux-2.6.31/arch/x86/mm/pgtable_32.c 2009-09-06 15:29:11.246158105 -0400
15766 @@ -33,6 +33,10 @@ void set_pte_vaddr(unsigned long vaddr,
15770 +#ifdef CONFIG_PAX_KERNEXEC
15771 + unsigned long cr0;
15774 pgd = swapper_pg_dir + pgd_index(vaddr);
15775 if (pgd_none(*pgd)) {
15777 @@ -49,11 +53,20 @@ void set_pte_vaddr(unsigned long vaddr,
15780 pte = pte_offset_kernel(pmd, vaddr);
15782 +#ifdef CONFIG_PAX_KERNEXEC
15783 + pax_open_kernel(cr0);
15786 if (pte_val(pteval))
15787 set_pte_at(&init_mm, vaddr, pte, pteval);
15789 pte_clear(&init_mm, vaddr, pte);
15791 +#ifdef CONFIG_PAX_KERNEXEC
15792 + pax_close_kernel(cr0);
15796 * It's enough to flush this one mapping.
15797 * (PGE mappings get flushed as well)
15798 diff -urNp linux-2.6.31/arch/x86/mm/tlb.c linux-2.6.31/arch/x86/mm/tlb.c
15799 --- linux-2.6.31/arch/x86/mm/tlb.c 2009-08-27 20:59:04.000000000 -0400
15800 +++ linux-2.6.31/arch/x86/mm/tlb.c 2009-09-06 15:29:11.246158105 -0400
15802 #include <asm/uv/uv.h>
15804 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
15805 - = { &init_mm, 0, };
15806 + = { &init_mm, 0 };
15809 * Smarter SMP flushing macros.
15810 diff -urNp linux-2.6.31/arch/x86/oprofile/backtrace.c linux-2.6.31/arch/x86/oprofile/backtrace.c
15811 --- linux-2.6.31/arch/x86/oprofile/backtrace.c 2009-08-27 20:59:04.000000000 -0400
15812 +++ linux-2.6.31/arch/x86/oprofile/backtrace.c 2009-09-06 15:29:11.247628498 -0400
15813 @@ -37,7 +37,7 @@ static void backtrace_address(void *data
15814 unsigned int *depth = data;
15817 - oprofile_add_trace(addr);
15818 + oprofile_add_trace(ktla_ktva(addr));
15821 static struct stacktrace_ops backtrace_ops = {
15822 @@ -77,7 +77,7 @@ x86_backtrace(struct pt_regs * const reg
15824 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
15826 - if (!user_mode_vm(regs)) {
15827 + if (!user_mode(regs)) {
15828 unsigned long stack = kernel_stack_pointer(regs);
15830 dump_trace(NULL, regs, (unsigned long *)stack, 0,
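Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` changes what x86_backtrace() treats as a kernel frame: on 32-bit, user_mode_vm() also recognises vm86-mode register sets, which plain user_mode() does not — unless this patch redefines user_mode() elsewhere, which is not visible here. If it does not, a vm86 task sampled by oprofile takes the `!user_mode(regs)` branch and dump_trace() is run from `kernel_stack_pointer(regs)` on registers that did not come from kernel mode. Either keep user_mode_vm() or add `/* user_mode() covers vm86 in this tree */` above the test if that is the case; the enclosing function continues outside the hunk.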
15831 diff -urNp linux-2.6.31/arch/x86/oprofile/op_model_p4.c linux-2.6.31/arch/x86/oprofile/op_model_p4.c
15832 --- linux-2.6.31/arch/x86/oprofile/op_model_p4.c 2009-08-27 20:59:04.000000000 -0400
15833 +++ linux-2.6.31/arch/x86/oprofile/op_model_p4.c 2009-09-06 15:29:11.247628498 -0400
15834 @@ -48,7 +48,7 @@ static inline void setup_num_counters(vo
15838 -static int inline addr_increment(void)
15839 +static inline int addr_increment(void)
15842 return smp_num_siblings == 2 ? 2 : 1;
15843 diff -urNp linux-2.6.31/arch/x86/pci/common.c linux-2.6.31/arch/x86/pci/common.c
15844 --- linux-2.6.31/arch/x86/pci/common.c 2009-08-27 20:59:04.000000000 -0400
15845 +++ linux-2.6.31/arch/x86/pci/common.c 2009-09-06 15:29:11.248624686 -0400
15846 @@ -370,7 +370,7 @@ static const struct dmi_system_id __devi
15847 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
15851 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
15854 void __init dmi_check_pciprobe(void)
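Review bot: The new terminator `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}` is a positional initializer that depends on the exact field order of struct dmi_system_id; the same shape is added in arch/x86/pci/fixup.c (two tables) and arch/x86/pci/irq.c, and the ctl_table terminators in arch/x86/vdso/vdso32-setup.c have the same fragility with eleven positional zeros. A designated form such as `{ .ident = NULL }` (or `{ .procname = NULL }` for ctl_table) says what the sentinel is and survives a field reorder. The spacing differs between the copies (`NULL}` here, `NULL }` in the other files), which suggests they were typed by hand; a single shared macro would keep them identical.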
15855 diff -urNp linux-2.6.31/arch/x86/pci/fixup.c linux-2.6.31/arch/x86/pci/fixup.c
15856 --- linux-2.6.31/arch/x86/pci/fixup.c 2009-08-27 20:59:04.000000000 -0400
15857 +++ linux-2.6.31/arch/x86/pci/fixup.c 2009-09-06 15:29:11.249576752 -0400
15858 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
15859 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
15863 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
15867 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
15868 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
15872 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
15875 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
15876 diff -urNp linux-2.6.31/arch/x86/pci/i386.c linux-2.6.31/arch/x86/pci/i386.c
15877 --- linux-2.6.31/arch/x86/pci/i386.c 2009-08-27 20:59:04.000000000 -0400
15878 +++ linux-2.6.31/arch/x86/pci/i386.c 2009-09-06 15:29:11.249576752 -0400
15879 @@ -266,7 +266,7 @@ void pcibios_set_master(struct pci_dev *
15880 pci_write_config_byte(dev, PCI_LATENCY_TIMER, lat);
15883 -static struct vm_operations_struct pci_mmap_ops = {
15884 +static const struct vm_operations_struct pci_mmap_ops = {
15885 .access = generic_access_phys,
15888 diff -urNp linux-2.6.31/arch/x86/pci/irq.c linux-2.6.31/arch/x86/pci/irq.c
15889 --- linux-2.6.31/arch/x86/pci/irq.c 2009-08-27 20:59:04.000000000 -0400
15890 +++ linux-2.6.31/arch/x86/pci/irq.c 2009-09-06 15:29:11.250200765 -0400
15891 @@ -543,7 +543,7 @@ static __init int intel_router_probe(str
15892 static struct pci_device_id __initdata pirq_440gx[] = {
15893 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
15894 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
15896 + { PCI_DEVICE(0, 0) }
15899 /* 440GX has a proprietary PIRQ router -- don't use it */
15900 @@ -1107,7 +1107,7 @@ static struct dmi_system_id __initdata p
15901 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
15905 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
15908 int __init pcibios_irq_init(void)
15909 diff -urNp linux-2.6.31/arch/x86/pci/pcbios.c linux-2.6.31/arch/x86/pci/pcbios.c
15910 --- linux-2.6.31/arch/x86/pci/pcbios.c 2009-08-27 20:59:04.000000000 -0400
15911 +++ linux-2.6.31/arch/x86/pci/pcbios.c 2009-09-06 15:29:11.250200765 -0400
15912 @@ -56,50 +56,120 @@ union bios32 {
15914 unsigned long address;
15915 unsigned short segment;
15916 -} bios32_indirect = { 0, __KERNEL_CS };
15917 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
15920 * Returns the entry point for the given service, NULL on error
15923 -static unsigned long bios32_service(unsigned long service)
15924 +static unsigned long __devinit bios32_service(unsigned long service)
15926 unsigned char return_code; /* %al */
15927 unsigned long address; /* %ebx */
15928 unsigned long length; /* %ecx */
15929 unsigned long entry; /* %edx */
15930 unsigned long flags;
15931 + struct desc_struct d, *gdt;
15933 +#ifdef CONFIG_PAX_KERNEXEC
15934 + unsigned long cr0;
15937 local_irq_save(flags);
15938 - __asm__("lcall *(%%edi); cld"
15940 + gdt = get_cpu_gdt_table(smp_processor_id());
15942 +#ifdef CONFIG_PAX_KERNEXEC
15943 + pax_open_kernel(cr0);
15946 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
15947 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
15948 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
15949 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
15951 +#ifdef CONFIG_PAX_KERNEXEC
15952 + pax_close_kernel(cr0);
15955 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
15956 : "=a" (return_code),
15962 - "D" (&bios32_indirect));
15963 + "D" (&bios32_indirect),
15964 + "r"(__PCIBIOS_DS)
15967 +#ifdef CONFIG_PAX_KERNEXEC
15968 + pax_open_kernel(cr0);
15971 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
15972 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
15973 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
15974 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
15976 +#ifdef CONFIG_PAX_KERNEXEC
15977 + pax_close_kernel(cr0);
15980 local_irq_restore(flags);
15982 switch (return_code) {
15984 - return address + entry;
15985 - case 0x80: /* Not present */
15986 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
15988 - default: /* Shouldn't happen */
15989 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
15990 - service, return_code);
15993 + unsigned char flags;
15995 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
15996 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
15997 + printk(KERN_WARNING "bios32_service: not valid\n");
16000 + address = address + PAGE_OFFSET;
16001 + length += 16UL; /* some BIOSs underreport this... */
16003 + if (length >= 64*1024*1024) {
16004 + length >>= PAGE_SHIFT;
16008 +#ifdef CONFIG_PAX_KERNEXEC
16009 + pax_open_kernel(cr0);
16012 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
16013 + gdt = get_cpu_gdt_table(cpu);
16014 + pack_descriptor(&d, address, length, 0x9b, flags);
16015 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
16016 + pack_descriptor(&d, address, length, 0x93, flags);
16017 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
16020 +#ifdef CONFIG_PAX_KERNEXEC
16021 + pax_close_kernel(cr0);
16026 + case 0x80: /* Not present */
16027 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
16029 + default: /* Shouldn't happen */
16030 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
16031 + service, return_code);
16037 unsigned long address;
16038 unsigned short segment;
16039 -} pci_indirect = { 0, __KERNEL_CS };
16040 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
16042 -static int pci_bios_present;
16043 +static int pci_bios_present __read_only;
16045 static int __devinit check_pcibios(void)
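Review bot: The inner `unsigned char flags;` in the success case shadows the function's `unsigned long flags;` used by local_irq_save()/local_irq_restore(); it does not misbehave (interrupts are restored before the switch) but it reads as if the saved interrupt state were being reused as descriptor flags and -Wshadow will flag it — rename to `unsigned char dflags;` and pass it to both pack_descriptor() calls. The `for (cpu = 0; cpu < NR_CPUS; cpu++)` loop should be `for_each_possible_cpu(cpu)`, as noted on the free_initmem() hunk. The range validation `address >= 0xFFFF0 || length > 0x100000 - address || length <= entry` is the important hardening in this function — it prevents a BIOS-reported base/length from yielding a code segment that reaches outside the first megabyte or an entry point past its end — and deserves a comment saying exactly that; the else branch of the `length >= 64*1024*1024` granularity switch is on lines not shown.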
16047 @@ -108,11 +178,13 @@ static int __devinit check_pcibios(void)
16048 unsigned long flags, pcibios_entry;
16050 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
16051 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
16052 + pci_indirect.address = pcibios_entry;
16054 local_irq_save(flags);
16056 - "lcall *(%%edi); cld\n\t"
16057 + __asm__("movw %w6, %%ds\n\t"
16058 + "lcall *%%ss:(%%edi); cld\n\t"
16064 @@ -121,7 +193,8 @@ static int __devinit check_pcibios(void)
16067 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
16068 - "D" (&pci_indirect)
16069 + "D" (&pci_indirect),
16070 + "r" (__PCIBIOS_DS)
16072 local_irq_restore(flags);
16074 @@ -165,7 +238,10 @@ static int pci_bios_read(unsigned int se
16078 - __asm__("lcall *(%%esi); cld\n\t"
16079 + __asm__("movw %w6, %%ds\n\t"
16080 + "lcall *%%ss:(%%esi); cld\n\t"
16086 @@ -174,7 +250,8 @@ static int pci_bios_read(unsigned int se
16087 : "1" (PCIBIOS_READ_CONFIG_BYTE),
16090 - "S" (&pci_indirect));
16091 + "S" (&pci_indirect),
16092 + "r" (__PCIBIOS_DS));
16094 * Zero-extend the result beyond 8 bits, do not trust the
16095 * BIOS having done it:
16096 @@ -182,7 +259,10 @@ static int pci_bios_read(unsigned int se
16100 - __asm__("lcall *(%%esi); cld\n\t"
16101 + __asm__("movw %w6, %%ds\n\t"
16102 + "lcall *%%ss:(%%esi); cld\n\t"
16108 @@ -191,7 +271,8 @@ static int pci_bios_read(unsigned int se
16109 : "1" (PCIBIOS_READ_CONFIG_WORD),
16112 - "S" (&pci_indirect));
16113 + "S" (&pci_indirect),
16114 + "r" (__PCIBIOS_DS));
16116 * Zero-extend the result beyond 16 bits, do not trust the
16117 * BIOS having done it:
16118 @@ -199,7 +280,10 @@ static int pci_bios_read(unsigned int se
16122 - __asm__("lcall *(%%esi); cld\n\t"
16123 + __asm__("movw %w6, %%ds\n\t"
16124 + "lcall *%%ss:(%%esi); cld\n\t"
16130 @@ -208,7 +292,8 @@ static int pci_bios_read(unsigned int se
16131 : "1" (PCIBIOS_READ_CONFIG_DWORD),
16134 - "S" (&pci_indirect));
16135 + "S" (&pci_indirect),
16136 + "r" (__PCIBIOS_DS));
16140 @@ -231,7 +316,10 @@ static int pci_bios_write(unsigned int s
16144 - __asm__("lcall *(%%esi); cld\n\t"
16145 + __asm__("movw %w6, %%ds\n\t"
16146 + "lcall *%%ss:(%%esi); cld\n\t"
16152 @@ -240,10 +328,14 @@ static int pci_bios_write(unsigned int s
16156 - "S" (&pci_indirect));
16157 + "S" (&pci_indirect),
16158 + "r" (__PCIBIOS_DS));
16161 - __asm__("lcall *(%%esi); cld\n\t"
16162 + __asm__("movw %w6, %%ds\n\t"
16163 + "lcall *%%ss:(%%esi); cld\n\t"
16169 @@ -252,10 +344,14 @@ static int pci_bios_write(unsigned int s
16173 - "S" (&pci_indirect));
16174 + "S" (&pci_indirect),
16175 + "r" (__PCIBIOS_DS));
16178 - __asm__("lcall *(%%esi); cld\n\t"
16179 + __asm__("movw %w6, %%ds\n\t"
16180 + "lcall *%%ss:(%%esi); cld\n\t"
16186 @@ -264,7 +360,8 @@ static int pci_bios_write(unsigned int s
16190 - "S" (&pci_indirect));
16191 + "S" (&pci_indirect),
16192 + "r" (__PCIBIOS_DS));
16196 @@ -368,10 +465,13 @@ struct irq_routing_table * pcibios_get_i
16198 DBG("PCI: Fetching IRQ routing table... ");
16199 __asm__("push %%es\n\t"
16200 + "movw %w8, %%ds\n\t"
16203 - "lcall *(%%esi); cld\n\t"
16204 + "lcall *%%ss:(%%esi); cld\n\t"
16211 @@ -382,7 +482,8 @@ struct irq_routing_table * pcibios_get_i
16214 "S" (&pci_indirect),
16217 + "r" (__PCIBIOS_DS)
16219 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
16221 @@ -406,7 +507,10 @@ int pcibios_set_irq_routing(struct pci_d
16225 - __asm__("lcall *(%%esi); cld\n\t"
16226 + __asm__("movw %w5, %%ds\n\t"
16227 + "lcall *%%ss:(%%esi); cld\n\t"
16233 @@ -414,7 +518,8 @@ int pcibios_set_irq_routing(struct pci_d
16234 : "0" (PCIBIOS_SET_PCI_HW_INT),
16235 "b" ((dev->bus->number << 8) | dev->devfn),
16236 "c" ((irq << 8) | (pin + 10)),
16237 - "S" (&pci_indirect));
16238 + "S" (&pci_indirect),
16239 + "r" (__PCIBIOS_DS));
16240 return !(ret & 0xff00);
16242 EXPORT_SYMBOL(pcibios_set_irq_routing);
16243 diff -urNp linux-2.6.31/arch/x86/power/cpu.c linux-2.6.31/arch/x86/power/cpu.c
16244 --- linux-2.6.31/arch/x86/power/cpu.c 2009-08-27 20:59:04.000000000 -0400
16245 +++ linux-2.6.31/arch/x86/power/cpu.c 2009-09-06 15:29:11.251258894 -0400
16246 @@ -126,7 +126,11 @@ static void do_fpu_end(void)
16247 static void fix_processor_context(void)
16249 int cpu = smp_processor_id();
16250 - struct tss_struct *t = &per_cpu(init_tss, cpu);
16251 + struct tss_struct *t = init_tss + cpu;
16253 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_KERNEXEC)
16254 + unsigned long cr0;
16257 set_tss_desc(cpu, t); /*
16258 * This just modifies memory; should not be
16259 @@ -136,8 +140,17 @@ static void fix_processor_context(void)
16262 #ifdef CONFIG_X86_64
16264 +#ifdef CONFIG_PAX_KERNEXEC
16265 + pax_open_kernel(cr0);
16268 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
16270 +#ifdef CONFIG_PAX_KERNEXEC
16271 + pax_close_kernel(cr0);
16274 syscall_init(); /* This sets MSR_*STAR and related */
16276 load_TR_desc(); /* This does ltr */
16277 diff -urNp linux-2.6.31/arch/x86/vdso/Makefile linux-2.6.31/arch/x86/vdso/Makefile
16278 --- linux-2.6.31/arch/x86/vdso/Makefile 2009-08-27 20:59:04.000000000 -0400
16279 +++ linux-2.6.31/arch/x86/vdso/Makefile 2009-09-06 15:29:11.251258894 -0400
16280 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
16281 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
16282 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
16284 -VDSO_LDFLAGS = -fPIC -shared $(call ld-option, -Wl$(comma)--hash-style=sysv)
16285 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call ld-option, -Wl$(comma)--hash-style=sysv)
16289 diff -urNp linux-2.6.31/arch/x86/vdso/vclock_gettime.c linux-2.6.31/arch/x86/vdso/vclock_gettime.c
16290 --- linux-2.6.31/arch/x86/vdso/vclock_gettime.c 2009-08-27 20:59:04.000000000 -0400
16291 +++ linux-2.6.31/arch/x86/vdso/vclock_gettime.c 2009-09-06 15:29:11.252181238 -0400
16292 @@ -22,24 +22,48 @@
16293 #include <asm/hpet.h>
16294 #include <asm/unistd.h>
16295 #include <asm/io.h>
16296 +#include <asm/fixmap.h>
16297 #include "vextern.h"
16299 #define gtod vdso_vsyscall_gtod_data
16301 +notrace noinline long __vdso_fallback_time(long *t)
16304 + asm volatile("syscall"
16306 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
16310 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
16313 asm("syscall" : "=a" (ret) :
16314 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
16315 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
16319 +notrace static inline cycle_t __vdso_vread_hpet(void)
16321 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
16324 +notrace static inline cycle_t __vdso_vread_tsc(void)
16326 + cycle_t ret = (cycle_t)vget_cycles();
16328 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
16331 notrace static inline long vgetns(void)
16334 - cycles_t (*vread)(void);
16335 - vread = gtod->clock.vread;
16336 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
16337 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
16338 + v = __vdso_vread_tsc();
16340 + v = __vdso_vread_hpet();
16341 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
16342 return (v * gtod->clock.mult) >> gtod->clock.shift;
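Review bot: The clocksource-name test is spelled out character by character three times — the tsc selection in vgetns() here, and the combined hpet/tsc conditions in __vdso_clock_gettime() and __vdso_gettimeofday() in the next two hunks — so the two entry points can drift apart. Two `notrace static inline` helpers, say `vdso_clock_is_tsc()` and `vdso_clock_is_hpet()`, built from those same comparisons would make the conditions identical by construction. vgetns() should also carry `/* callers have already checked the clock is tsc or hpet */`, because its else branch reads the HPET counter for any non-tsc name. In __vdso_vread_hpet() the `+ 0xf0` is HPET_COUNTER from asm/hpet.h, which is already included, so use the name; the added `"r11", "cx"` clobbers on the syscall fallbacks are correct and should survive any rework.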
16345 @@ -88,7 +112,9 @@ notrace static noinline int do_monotonic
16347 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
16349 - if (likely(gtod->sysctl_enabled && gtod->clock.vread))
16350 + if (likely(gtod->sysctl_enabled &&
16351 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
16352 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
16354 case CLOCK_REALTIME:
16355 return do_realtime(ts);
16356 @@ -100,10 +126,20 @@ notrace int __vdso_clock_gettime(clockid
16357 int clock_gettime(clockid_t, struct timespec *)
16358 __attribute__((weak, alias("__vdso_clock_gettime")));
16360 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
16361 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
16364 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
16365 + asm("syscall" : "=a" (ret) :
16366 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
16370 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
16372 + if (likely(gtod->sysctl_enabled &&
16373 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
16374 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
16376 if (likely(tv != NULL)) {
16377 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
16378 offsetof(struct timespec, tv_nsec) ||
16379 @@ -118,9 +154,7 @@ notrace int __vdso_gettimeofday(struct t
16383 - asm("syscall" : "=a" (ret) :
16384 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
16386 + return __vdso_fallback_gettimeofday(tv, tz);
16388 int gettimeofday(struct timeval *, struct timezone *)
16389 __attribute__((weak, alias("__vdso_gettimeofday")));
16390 diff -urNp linux-2.6.31/arch/x86/vdso/vdso32-setup.c linux-2.6.31/arch/x86/vdso/vdso32-setup.c
16391 --- linux-2.6.31/arch/x86/vdso/vdso32-setup.c 2009-08-27 20:59:04.000000000 -0400
16392 +++ linux-2.6.31/arch/x86/vdso/vdso32-setup.c 2009-09-06 15:29:11.252181238 -0400
16393 @@ -226,7 +226,7 @@ static inline void map_compat_vdso(int m
16394 void enable_sep_cpu(void)
16396 int cpu = get_cpu();
16397 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16398 + struct tss_struct *tss = init_tss + cpu;
16400 if (!boot_cpu_has(X86_FEATURE_SEP)) {
16402 @@ -249,7 +249,7 @@ static int __init gate_vma_init(void)
16403 gate_vma.vm_start = FIXADDR_USER_START;
16404 gate_vma.vm_end = FIXADDR_USER_END;
16405 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
16406 - gate_vma.vm_page_prot = __P101;
16407 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
16409 * Make sure the vDSO gets into every core dump.
16410 * Dumping its contents makes post-mortem fully interpretable later
16411 @@ -331,14 +331,14 @@ int arch_setup_additional_pages(struct l
16413 addr = VDSO_HIGH_BASE;
16415 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
16416 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
16417 if (IS_ERR_VALUE(addr)) {
16423 - current->mm->context.vdso = (void *)addr;
16424 + current->mm->context.vdso = addr;
16426 if (compat_uses_vma || !compat) {
16428 @@ -365,7 +365,7 @@ int arch_setup_additional_pages(struct l
16432 - current->mm->context.vdso = NULL;
16433 + current->mm->context.vdso = 0;
16435 up_write(&mm->mmap_sem);
16437 @@ -388,7 +388,7 @@ static ctl_table abi_table2[] = {
16439 .proc_handler = proc_dointvec
16442 + { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
16445 static ctl_table abi_root_table2[] = {
16446 @@ -398,7 +398,7 @@ static ctl_table abi_root_table2[] = {
16448 .child = abi_table2
16451 + { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
16454 static __init int ia32_binfmt_init(void)
16455 @@ -413,8 +413,14 @@ __initcall(ia32_binfmt_init);
16457 const char *arch_vma_name(struct vm_area_struct *vma)
16459 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
16460 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
16463 +#ifdef CONFIG_PAX_SEGMEXEC
16464 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
16471 @@ -423,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
16472 struct mm_struct *mm = tsk->mm;
16474 /* Check to see if this task was created in compat vdso mode */
16475 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
16476 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
16480 diff -urNp linux-2.6.31/arch/x86/vdso/vdso.lds.S linux-2.6.31/arch/x86/vdso/vdso.lds.S
16481 --- linux-2.6.31/arch/x86/vdso/vdso.lds.S 2009-08-27 20:59:04.000000000 -0400
16482 +++ linux-2.6.31/arch/x86/vdso/vdso.lds.S 2009-09-06 15:29:11.252181238 -0400
16483 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
16484 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
16485 #include "vextern.h"
16488 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
16489 +VEXTERN(fallback_gettimeofday)
16490 +VEXTERN(fallback_time)
16493 diff -urNp linux-2.6.31/arch/x86/vdso/vextern.h linux-2.6.31/arch/x86/vdso/vextern.h
16494 --- linux-2.6.31/arch/x86/vdso/vextern.h 2009-08-27 20:59:04.000000000 -0400
16495 +++ linux-2.6.31/arch/x86/vdso/vextern.h 2009-09-06 15:29:11.253487231 -0400
16497 put into vextern.h and be referenced as a pointer with vdso prefix.
16498 The main kernel later fills in the values. */
16501 VEXTERN(vgetcpu_mode)
16502 VEXTERN(vsyscall_gtod_data)
16503 diff -urNp linux-2.6.31/arch/x86/vdso/vma.c linux-2.6.31/arch/x86/vdso/vma.c
16504 --- linux-2.6.31/arch/x86/vdso/vma.c 2009-08-27 20:59:04.000000000 -0400
16505 +++ linux-2.6.31/arch/x86/vdso/vma.c 2009-09-06 15:29:11.253487231 -0400
16506 @@ -57,7 +57,7 @@ static int __init init_vdso_vars(void)
16510 - if (memcmp(vbase, "\177ELF", 4)) {
16511 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
16512 printk("VDSO: I'm broken; not ELF\n");
16515 @@ -66,6 +66,7 @@ static int __init init_vdso_vars(void)
16516 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
16517 #include "vextern.h"
16523 @@ -116,7 +117,7 @@ int arch_setup_additional_pages(struct l
16527 - current->mm->context.vdso = (void *)addr;
16528 + current->mm->context.vdso = addr;
16530 ret = install_special_mapping(mm, addr, vdso_size,
16532 @@ -124,7 +125,7 @@ int arch_setup_additional_pages(struct l
16536 - current->mm->context.vdso = NULL;
16537 + current->mm->context.vdso = 0;
16541 @@ -132,10 +133,3 @@ up_fail:
16542 up_write(&mm->mmap_sem);
16546 -static __init int vdso_setup(char *s)
16548 - vdso_enabled = simple_strtoul(s, NULL, 0);
16551 -__setup("vdso=", vdso_setup);
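Review bot: Removing `vdso_setup` and its `__setup("vdso=", vdso_setup)` registration turns an existing boot parameter into a silently ignored one, and the Documentation/kernel-parameters.txt hunk in this same patch (which adds pax_nouderef and pax_softmode) does not remove or annotate a `vdso=` entry, if that file still carries one for x86-64. Either the documentation should change in the same patch, or a short comment near the top of vma.c should state that the 64-bit vDSO mapping is now unconditional and why. Only part of the removed function is visible in this hunk, and the enclosing `up_fail:` label belongs to arch_setup_additional_pages, which starts outside it.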
16552 diff -urNp linux-2.6.31/arch/x86/xen/debugfs.c linux-2.6.31/arch/x86/xen/debugfs.c
16553 --- linux-2.6.31/arch/x86/xen/debugfs.c 2009-08-27 20:59:04.000000000 -0400
16554 +++ linux-2.6.31/arch/x86/xen/debugfs.c 2009-09-06 15:29:11.253487231 -0400
16555 @@ -100,7 +100,7 @@ static int xen_array_release(struct inod
16559 -static struct file_operations u32_array_fops = {
16560 +static const struct file_operations u32_array_fops = {
16561 .owner = THIS_MODULE,
16562 .open = u32_array_open,
16563 .release= xen_array_release,
16564 diff -urNp linux-2.6.31/arch/x86/xen/enlighten.c linux-2.6.31/arch/x86/xen/enlighten.c
16565 --- linux-2.6.31/arch/x86/xen/enlighten.c 2009-09-06 19:00:55.653073529 -0400
16566 +++ linux-2.6.31/arch/x86/xen/enlighten.c 2009-09-06 19:01:14.295604089 -0400
16567 @@ -69,8 +69,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
16569 struct shared_info xen_dummy_shared_info;
16571 -void *xen_initial_gdt;
16574 * Point at some empty memory to start with. We map the real shared_info
16575 * page as soon as fixmap is up and running.
16576 @@ -490,7 +488,7 @@ static void xen_write_idt_entry(gate_des
16580 - start = __get_cpu_var(idt_desc).address;
16581 + start = (unsigned long)__get_cpu_var(idt_desc).address;
16582 end = start + __get_cpu_var(idt_desc).size + 1;
16585 @@ -1010,13 +1008,6 @@ asmlinkage void __init xen_start_kernel(
16587 machine_ops = xen_machine_ops;
16590 - * The only reliable way to retain the initial address of the
16591 - * percpu gdt_page is to remember it here, so we can go and
16592 - * mark it RW later, when the initial percpu area is freed.
16594 - xen_initial_gdt = &per_cpu(gdt_page, 0);
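Review bot: Dropping the save of `xen_initial_gdt` here, together with the `make_lowmem_page_readwrite(xen_initial_gdt)` call removed in the arch/x86/xen/smp.c hunk and the extern removed in xen-ops.h, takes away the only visible mechanism that returned the boot CPU's GDT page to read-write before the initial per-cpu area is recycled; the comment deleted just above this line described exactly that hazard. If the patch relocates `gdt_page` so it no longer lives inside the freed area, that is not visible in these hunks and should be stated where the call is removed, e.g. `/* gdt_page is no longer part of the initial percpu area, so no RW remap is needed before it is freed */`. Without such a guarantee a later reuse of that memory could hit a page still mapped read-only by the hypervisor. xen_start_kernel continues outside the hunk.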
16599 diff -urNp linux-2.6.31/arch/x86/xen/Kconfig linux-2.6.31/arch/x86/xen/Kconfig
16600 --- linux-2.6.31/arch/x86/xen/Kconfig 2009-08-27 20:59:04.000000000 -0400
16601 +++ linux-2.6.31/arch/x86/xen/Kconfig 2009-09-06 15:29:11.254463677 -0400
16602 @@ -8,6 +8,7 @@ config XEN
16603 select PARAVIRT_CLOCK
16604 depends on X86_64 || (X86_32 && X86_PAE && !X86_VISWS)
16605 depends on X86_CMPXCHG && X86_TSC
16606 + depends on !PAX_KERNEXEC
16608 This is the Linux Xen port. Enabling this will allow the
16609 kernel to boot in a paravirtualized environment under the
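Review bot: `depends on !PAX_KERNEXEC` hides XEN from the configuration menu as soon as KERNEXEC is selected, yet the help text that follows still describes the Xen port without mentioning the exclusion. A sentence in the help text, such as `This option cannot be combined with PAX_KERNEXEC.`, would tell the user why XEN disappeared instead of leaving them to trace Kconfig dependencies. The help text continues outside the hunk.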
16610 diff -urNp linux-2.6.31/arch/x86/xen/mmu.c linux-2.6.31/arch/x86/xen/mmu.c
16611 --- linux-2.6.31/arch/x86/xen/mmu.c 2009-08-27 20:59:04.000000000 -0400
16612 +++ linux-2.6.31/arch/x86/xen/mmu.c 2009-09-06 15:30:00.015296947 -0400
16613 @@ -1707,6 +1707,8 @@ __init pgd_t *xen_setup_kernel_pagetable
16614 convert_pfn_mfn(init_level4_pgt);
16615 convert_pfn_mfn(level3_ident_pgt);
16616 convert_pfn_mfn(level3_kernel_pgt);
16617 + convert_pfn_mfn(level3_vmalloc_pgt);
16618 + convert_pfn_mfn(level3_vmemmap_pgt);
16620 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
16621 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
16622 @@ -1725,6 +1727,8 @@ __init pgd_t *xen_setup_kernel_pagetable
16623 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
16624 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
16625 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
16626 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
16627 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
16628 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
16629 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
16630 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
16631 diff -urNp linux-2.6.31/arch/x86/xen/smp.c linux-2.6.31/arch/x86/xen/smp.c
16632 --- linux-2.6.31/arch/x86/xen/smp.c 2009-08-27 20:59:04.000000000 -0400
16633 +++ linux-2.6.31/arch/x86/xen/smp.c 2009-09-06 15:29:11.255422927 -0400
16634 @@ -167,11 +167,6 @@ static void __init xen_smp_prepare_boot_
16636 BUG_ON(smp_processor_id() != 0);
16637 native_smp_prepare_boot_cpu();
16639 - /* We've switched to the "real" per-cpu gdt, so make sure the
16640 - old memory can be recycled */
16641 - make_lowmem_page_readwrite(xen_initial_gdt);
16643 xen_setup_vcpu_info_placement();
16646 @@ -231,8 +226,8 @@ cpu_initialize_context(unsigned int cpu,
16647 gdt = get_cpu_gdt_table(cpu);
16649 ctxt->flags = VGCF_IN_KERNEL;
16650 - ctxt->user_regs.ds = __USER_DS;
16651 - ctxt->user_regs.es = __USER_DS;
16652 + ctxt->user_regs.ds = __KERNEL_DS;
16653 + ctxt->user_regs.es = __KERNEL_DS;
16654 ctxt->user_regs.ss = __KERNEL_DS;
16655 #ifdef CONFIG_X86_32
16656 ctxt->user_regs.fs = __KERNEL_PERCPU;
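Review bot: The initial `ds`/`es` selectors for a new vcpu change from `__USER_DS` to `__KERNEL_DS` with no comment, and since the vcpu starts executing kernel code the reader has to guess why the user data selector was no longer acceptable. Presumably this follows from UDEREF turning `__USER_DS` into the expand-down segment mentioned in this patch's kernel-parameters.txt hunk, which cannot address kernel memory; if so, say it at the site: `/* UDEREF: __USER_DS cannot reach kernel memory, so a fresh vcpu must start with kernel data segments */`. The change applies unconditionally rather than under a CONFIG_PAX_* guard, which is worth stating too if that is intended. cpu_initialize_context starts outside the hunk.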
16657 diff -urNp linux-2.6.31/arch/x86/xen/xen-ops.h linux-2.6.31/arch/x86/xen/xen-ops.h
16658 --- linux-2.6.31/arch/x86/xen/xen-ops.h 2009-08-27 20:59:04.000000000 -0400
16659 +++ linux-2.6.31/arch/x86/xen/xen-ops.h 2009-09-06 15:29:11.256322338 -0400
16661 extern const char xen_hypervisor_callback[];
16662 extern const char xen_failsafe_callback[];
16664 -extern void *xen_initial_gdt;
16667 void xen_copy_trap_info(struct trap_info *traps);
16669 diff -urNp linux-2.6.31/arch/xtensa/include/asm/atomic.h linux-2.6.31/arch/xtensa/include/asm/atomic.h
16670 --- linux-2.6.31/arch/xtensa/include/asm/atomic.h 2009-08-27 20:59:04.000000000 -0400
16671 +++ linux-2.6.31/arch/xtensa/include/asm/atomic.h 2009-09-11 22:48:03.715902334 -0400
16673 #define atomic_read(v) ((v)->counter)
16676 + * atomic_read_unchecked - read atomic variable
16677 + * @v: pointer of type atomic_unchecked_t
16679 + * Atomically reads the value of @v.
16681 +#define atomic_read_unchecked(v) ((v)->counter)
16684 * atomic_set - set atomic variable
16685 * @v: pointer of type atomic_t
16686 * @i: required value
16688 #define atomic_set(v,i) ((v)->counter = (i))
16691 + * atomic_set_unchecked - set atomic variable
16692 + * @v: pointer of type atomic_unchecked_t
16693 + * @i: required value
16695 + * Atomically sets the value of @v to @i.
16697 +#define atomic_set_unchecked(v,i) ((v)->counter = (i))
16700 * atomic_add - add integer to atomic variable
16701 * @i: integer value to add
16702 * @v: pointer of type atomic_t
16703 @@ -81,6 +98,11 @@ static inline void atomic_add(int i, ato
16707 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t * v)
16709 + atomic_add(i, (atomic_t *)v);
16713 * atomic_sub - subtract the atomic variable
16714 * @i: integer value to subtract
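Review bot: `atomic_add_unchecked` casts its `atomic_unchecked_t *` argument to `atomic_t *` and calls `atomic_add`, so on this architecture the "unchecked" variant has exactly the checked variant's behaviour and the cast silently assumes the two types share layout; the same applies to `atomic_sub_unchecked` in the next hunk. Neither the typedef of `atomic_unchecked_t` nor a size assertion is visible here, so a `BUILD_BUG_ON(sizeof(atomic_unchecked_t) != sizeof(atomic_t));` in the wrapper, or a comment stating the layout requirement, would pin it down. The kernel-doc blocks added for the `*_unchecked` macros above describe them exactly like the checked ones; a sentence noting that on this arch `_unchecked` only marks counters whose wraparound is presumably tolerated (such as the ATM `vcc->stats` fields converted later in the patch) would stop readers from expecting different behaviour.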
16715 @@ -105,6 +127,11 @@ static inline void atomic_sub(int i, ato
16719 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
16721 + atomic_sub(i, (atomic_t *)v);
16725 * We use atomic_{add|sub}_return to define other functions.
16727 @@ -165,6 +192,7 @@ static inline int atomic_sub_return(int
16728 * Atomically increments @v by 1.
16730 #define atomic_inc(v) atomic_add(1,(v))
16731 +#define atomic_inc_unchecked(v) atomic_add_unchecked(1,(v))
16734 * atomic_inc - increment atomic variable
16735 diff -urNp linux-2.6.31/crypto/lrw.c linux-2.6.31/crypto/lrw.c
16736 --- linux-2.6.31/crypto/lrw.c 2009-08-27 20:59:04.000000000 -0400
16737 +++ linux-2.6.31/crypto/lrw.c 2009-09-06 15:29:11.256322338 -0400
16738 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
16739 struct priv *ctx = crypto_tfm_ctx(parent);
16740 struct crypto_cipher *child = ctx->child;
16742 - be128 tmp = { 0 };
16743 + be128 tmp = { 0, 0 };
16744 int bsize = crypto_cipher_blocksize(child);
16746 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
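Review bot: `be128 tmp = { 0, 0 };` and the `{ 0 }` it replaces are the same zero-initialization in C, since every member not explicitly initialized is zeroed, so this hunk changes no behaviour and nothing records why the explicit form was wanted (presumably to quieten a missing-field-initializers warning). A one-line comment, or a designated initializer, would let the intent survive the next edit: `be128 tmp = { 0, 0 }; /* spelled out per member to keep -Wmissing-field-initializers quiet; semantically { 0 } */`. The rest of setkey lies outside the hunk.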
16747 diff -urNp linux-2.6.31/Documentation/dontdiff linux-2.6.31/Documentation/dontdiff
16748 --- linux-2.6.31/Documentation/dontdiff 2009-08-27 20:59:04.000000000 -0400
16749 +++ linux-2.6.31/Documentation/dontdiff 2009-09-10 19:30:54.799680162 -0400
16758 @@ -49,11 +50,16 @@
16775 @@ -76,7 +82,9 @@ btfixupprep
16785 @@ -103,13 +111,14 @@ gen_crc32table
16792 initramfs_data.cpio
16793 +initramfs_data.cpio.bz2
16794 initramfs_data.cpio.gz
16801 @@ -133,6 +142,7 @@ mkboot
16809 @@ -149,6 +159,7 @@ patches*
16817 @@ -164,6 +175,7 @@ setup
16825 @@ -187,14 +199,20 @@ version.h*
16846 diff -urNp linux-2.6.31/Documentation/kernel-parameters.txt linux-2.6.31/Documentation/kernel-parameters.txt
16847 --- linux-2.6.31/Documentation/kernel-parameters.txt 2009-08-27 20:59:04.000000000 -0400
16848 +++ linux-2.6.31/Documentation/kernel-parameters.txt 2009-09-06 16:57:53.681966445 -0400
16849 @@ -1776,6 +1776,12 @@ and is between 256 and 4096 characters.
16850 the specified number of seconds. This is to be used if
16851 your oopses keep scrolling off the screen.
16853 + pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
16854 + virtualization environments that don't cope well with the
16855 + expand down segment used by UDEREF on X86-32.
16857 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
16862 diff -urNp linux-2.6.31/drivers/acpi/blacklist.c linux-2.6.31/drivers/acpi/blacklist.c
16863 --- linux-2.6.31/drivers/acpi/blacklist.c 2009-08-27 20:59:04.000000000 -0400
16864 +++ linux-2.6.31/drivers/acpi/blacklist.c 2009-09-06 15:29:11.257399684 -0400
16865 @@ -71,7 +71,7 @@ static struct acpi_blacklist_item acpi_b
16866 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
16867 "Incorrect _ADR", 1},
16870 + {"", "", 0, 0, 0, all_versions, 0}
16873 #if CONFIG_ACPI_BLACKLIST_YEAR
16874 diff -urNp linux-2.6.31/drivers/acpi/osl.c linux-2.6.31/drivers/acpi/osl.c
16875 --- linux-2.6.31/drivers/acpi/osl.c 2009-08-27 20:59:04.000000000 -0400
16876 +++ linux-2.6.31/drivers/acpi/osl.c 2009-09-06 15:29:11.258176013 -0400
16877 @@ -521,6 +521,8 @@ acpi_os_read_memory(acpi_physical_addres
16878 void __iomem *virt_addr;
16880 virt_addr = ioremap(phys_addr, width);
16882 + return AE_NO_MEMORY;
16886 @@ -549,6 +551,8 @@ acpi_os_write_memory(acpi_physical_addre
16887 void __iomem *virt_addr;
16889 virt_addr = ioremap(phys_addr, width);
16891 + return AE_NO_MEMORY;
16895 diff -urNp linux-2.6.31/drivers/acpi/processor_core.c linux-2.6.31/drivers/acpi/processor_core.c
16896 --- linux-2.6.31/drivers/acpi/processor_core.c 2009-08-27 20:59:04.000000000 -0400
16897 +++ linux-2.6.31/drivers/acpi/processor_core.c 2009-09-06 15:29:11.259342465 -0400
16898 @@ -712,7 +712,7 @@ static int __cpuinit acpi_processor_star
16902 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
16903 + BUG_ON(pr->id >= nr_cpu_ids);
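Review bot: The `pr->id < 0` half of the assertion is dropped, which is only equivalent if `pr->id` is unsigned after this patch; the corresponding type change (presumably in the `struct acpi_processor` definition) is not in this hunk, so a reviewer cannot confirm that negative ids are still excluded before `pr->id` is used as an index. If `id` stays signed, a negative value now passes the check. A comment at the site would make the dependency explicit: `/* pr->id is unsigned, so >= nr_cpu_ids covers the whole invalid range */`. acpi_processor_start continues outside the hunk.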
16907 diff -urNp linux-2.6.31/drivers/acpi/processor_idle.c linux-2.6.31/drivers/acpi/processor_idle.c
16908 --- linux-2.6.31/drivers/acpi/processor_idle.c 2009-08-27 20:59:04.000000000 -0400
16909 +++ linux-2.6.31/drivers/acpi/processor_idle.c 2009-09-06 15:29:11.259342465 -0400
16910 @@ -108,7 +108,7 @@ static struct dmi_system_id __cpuinitdat
16911 DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
16912 DMI_MATCH(DMI_BIOS_VERSION,"SHE845M0.86C.0013.D.0302131307")},
16915 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
16919 diff -urNp linux-2.6.31/drivers/acpi/video.c linux-2.6.31/drivers/acpi/video.c
16920 --- linux-2.6.31/drivers/acpi/video.c 2009-09-06 19:00:55.656338093 -0400
16921 +++ linux-2.6.31/drivers/acpi/video.c 2009-09-06 19:01:14.309093981 -0400
16922 @@ -283,7 +283,7 @@ static int acpi_video_device_brightness_
16923 struct file *file);
16924 static ssize_t acpi_video_device_write_brightness(struct file *file,
16925 const char __user *buffer, size_t count, loff_t *data);
16926 -static struct file_operations acpi_video_device_brightness_fops = {
16927 +static const struct file_operations acpi_video_device_brightness_fops = {
16928 .owner = THIS_MODULE,
16929 .open = acpi_video_device_brightness_open_fs,
16931 diff -urNp linux-2.6.31/drivers/ata/ahci.c linux-2.6.31/drivers/ata/ahci.c
16932 --- linux-2.6.31/drivers/ata/ahci.c 2009-08-27 20:59:04.000000000 -0400
16933 +++ linux-2.6.31/drivers/ata/ahci.c 2009-09-06 15:29:11.334288407 -0400
16934 @@ -629,7 +629,7 @@ static const struct pci_device_id ahci_p
16935 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
16936 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
16938 - { } /* terminate list */
16939 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
16943 diff -urNp linux-2.6.31/drivers/ata/ata_piix.c linux-2.6.31/drivers/ata/ata_piix.c
16944 --- linux-2.6.31/drivers/ata/ata_piix.c 2009-09-06 19:00:55.666106508 -0400
16945 +++ linux-2.6.31/drivers/ata/ata_piix.c 2009-09-06 19:01:14.310480703 -0400
16946 @@ -291,7 +291,7 @@ static const struct pci_device_id piix_p
16947 { 0x8086, 0x3b2d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
16948 /* SATA Controller IDE (PCH) */
16949 { 0x8086, 0x3b2e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
16950 - { } /* terminate list */
16951 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
16954 static struct pci_driver piix_pci_driver = {
16955 @@ -608,7 +608,7 @@ static const struct ich_laptop ich_lapto
16956 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
16957 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
16964 @@ -1086,7 +1086,7 @@ static int piix_broken_suspend(void)
16968 - { } /* terminate list */
16969 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
16971 static const char *oemstrs[] = {
16973 diff -urNp linux-2.6.31/drivers/ata/libata-core.c linux-2.6.31/drivers/ata/libata-core.c
16974 --- linux-2.6.31/drivers/ata/libata-core.c 2009-08-27 20:59:04.000000000 -0400
16975 +++ linux-2.6.31/drivers/ata/libata-core.c 2009-09-06 15:29:11.359441739 -0400
16976 @@ -890,7 +890,7 @@ static const struct ata_xfer_ent {
16977 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
16978 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
16979 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
16985 @@ -3135,7 +3135,7 @@ static const struct ata_timing ata_timin
16986 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
16987 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
16990 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
16993 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
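Review bot: The new terminator `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }` lists nine initializers while the table rows above it (`{ XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 }`) list ten, so the sentinel still leaves its last member implicitly zeroed; that is harmless for the lookup but defeats the apparent purpose of spelling out every field and will trip the same missing-field warning if that was the motivation. Either match the ten-value shape of the rows, `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0 }`, or use a designated `{ .mode = 0xFF }` so the sentinel is self-describing and immune to member-count drift. The `ata_timing` table definition starts outside the hunk.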
16994 @@ -4333,7 +4333,7 @@ static const struct ata_blacklist_entry
16995 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
16999 + { NULL, NULL, 0 }
17002 static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
17003 diff -urNp linux-2.6.31/drivers/atm/adummy.c linux-2.6.31/drivers/atm/adummy.c
17004 --- linux-2.6.31/drivers/atm/adummy.c 2009-08-27 20:59:04.000000000 -0400
17005 +++ linux-2.6.31/drivers/atm/adummy.c 2009-09-06 15:29:11.359441739 -0400
17006 @@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
17007 vcc->pop(vcc, skb);
17009 dev_kfree_skb_any(skb);
17010 - atomic_inc(&vcc->stats->tx);
17011 + atomic_inc_unchecked(&vcc->stats->tx);
17015 diff -urNp linux-2.6.31/drivers/atm/ambassador.c linux-2.6.31/drivers/atm/ambassador.c
17016 --- linux-2.6.31/drivers/atm/ambassador.c 2009-08-27 20:59:04.000000000 -0400
17017 +++ linux-2.6.31/drivers/atm/ambassador.c 2009-09-06 15:29:11.360373882 -0400
17018 @@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
17019 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
17022 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
17023 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
17025 // free the descriptor
17027 @@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
17028 dump_skb ("<<<", vc, skb);
17031 - atomic_inc(&atm_vcc->stats->rx);
17032 + atomic_inc_unchecked(&atm_vcc->stats->rx);
17033 __net_timestamp(skb);
17034 // end of our responsability
17035 atm_vcc->push (atm_vcc, skb);
17036 @@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
17038 PRINTK (KERN_INFO, "dropped over-size frame");
17039 // should we count this?
17040 - atomic_inc(&atm_vcc->stats->rx_drop);
17041 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
17045 @@ -1349,7 +1349,7 @@ static int amb_send (struct atm_vcc * at
17048 if (check_area (skb->data, skb->len)) {
17049 - atomic_inc(&atm_vcc->stats->tx_err);
17050 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
17051 return -ENOMEM; // ?
17054 diff -urNp linux-2.6.31/drivers/atm/atmtcp.c linux-2.6.31/drivers/atm/atmtcp.c
17055 --- linux-2.6.31/drivers/atm/atmtcp.c 2009-08-27 20:59:04.000000000 -0400
17056 +++ linux-2.6.31/drivers/atm/atmtcp.c 2009-09-06 15:29:11.361160880 -0400
17057 @@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
17058 if (vcc->pop) vcc->pop(vcc,skb);
17059 else dev_kfree_skb(skb);
17060 if (dev_data) return 0;
17061 - atomic_inc(&vcc->stats->tx_err);
17062 + atomic_inc_unchecked(&vcc->stats->tx_err);
17065 size = skb->len+sizeof(struct atmtcp_hdr);
17066 @@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
17068 if (vcc->pop) vcc->pop(vcc,skb);
17069 else dev_kfree_skb(skb);
17070 - atomic_inc(&vcc->stats->tx_err);
17071 + atomic_inc_unchecked(&vcc->stats->tx_err);
17074 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
17075 @@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
17076 if (vcc->pop) vcc->pop(vcc,skb);
17077 else dev_kfree_skb(skb);
17078 out_vcc->push(out_vcc,new_skb);
17079 - atomic_inc(&vcc->stats->tx);
17080 - atomic_inc(&out_vcc->stats->rx);
17081 + atomic_inc_unchecked(&vcc->stats->tx);
17082 + atomic_inc_unchecked(&out_vcc->stats->rx);
17086 @@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
17087 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
17088 read_unlock(&vcc_sklist_lock);
17090 - atomic_inc(&vcc->stats->tx_err);
17091 + atomic_inc_unchecked(&vcc->stats->tx_err);
17094 skb_pull(skb,sizeof(struct atmtcp_hdr));
17095 @@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
17096 __net_timestamp(new_skb);
17097 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
17098 out_vcc->push(out_vcc,new_skb);
17099 - atomic_inc(&vcc->stats->tx);
17100 - atomic_inc(&out_vcc->stats->rx);
17101 + atomic_inc_unchecked(&vcc->stats->tx);
17102 + atomic_inc_unchecked(&out_vcc->stats->rx);
17104 if (vcc->pop) vcc->pop(vcc,skb);
17105 else dev_kfree_skb(skb);
17106 diff -urNp linux-2.6.31/drivers/atm/eni.c linux-2.6.31/drivers/atm/eni.c
17107 --- linux-2.6.31/drivers/atm/eni.c 2009-08-27 20:59:04.000000000 -0400
17108 +++ linux-2.6.31/drivers/atm/eni.c 2009-09-06 15:29:11.362203807 -0400
17109 @@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
17110 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
17113 - atomic_inc(&vcc->stats->rx_err);
17114 + atomic_inc_unchecked(&vcc->stats->rx_err);
17117 length = ATM_CELL_SIZE-1; /* no HEC */
17118 @@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
17122 - atomic_inc(&vcc->stats->rx_err);
17123 + atomic_inc_unchecked(&vcc->stats->rx_err);
17126 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
17127 @@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
17128 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
17129 vcc->dev->number,vcc->vci,length,size << 2,descr);
17131 - atomic_inc(&vcc->stats->rx_err);
17132 + atomic_inc_unchecked(&vcc->stats->rx_err);
17135 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
17136 @@ -770,7 +770,7 @@ rx_dequeued++;
17137 vcc->push(vcc,skb);
17140 - atomic_inc(&vcc->stats->rx);
17141 + atomic_inc_unchecked(&vcc->stats->rx);
17143 wake_up(&eni_dev->rx_wait);
17145 @@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
17147 if (vcc->pop) vcc->pop(vcc,skb);
17148 else dev_kfree_skb_irq(skb);
17149 - atomic_inc(&vcc->stats->tx);
17150 + atomic_inc_unchecked(&vcc->stats->tx);
17151 wake_up(&eni_dev->tx_wait);
17154 diff -urNp linux-2.6.31/drivers/atm/firestream.c linux-2.6.31/drivers/atm/firestream.c
17155 --- linux-2.6.31/drivers/atm/firestream.c 2009-08-27 20:59:04.000000000 -0400
17156 +++ linux-2.6.31/drivers/atm/firestream.c 2009-09-06 15:29:11.363263365 -0400
17157 @@ -748,7 +748,7 @@ static void process_txdone_queue (struct
17161 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
17162 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
17164 fs_dprintk (FS_DEBUG_TXMEM, "i");
17165 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
17166 @@ -815,7 +815,7 @@ static void process_incoming (struct fs_
17168 skb_put (skb, qe->p1 & 0xffff);
17169 ATM_SKB(skb)->vcc = atm_vcc;
17170 - atomic_inc(&atm_vcc->stats->rx);
17171 + atomic_inc_unchecked(&atm_vcc->stats->rx);
17172 __net_timestamp(skb);
17173 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
17174 atm_vcc->push (atm_vcc, skb);
17175 @@ -836,12 +836,12 @@ static void process_incoming (struct fs_
17179 - atomic_inc(&atm_vcc->stats->rx_drop);
17180 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
17182 case 0x1f: /* Reassembly abort: no buffers. */
17183 /* Silently increment error counter. */
17185 - atomic_inc(&atm_vcc->stats->rx_drop);
17186 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
17188 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
17189 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
17190 diff -urNp linux-2.6.31/drivers/atm/fore200e.c linux-2.6.31/drivers/atm/fore200e.c
17191 --- linux-2.6.31/drivers/atm/fore200e.c 2009-08-27 20:59:04.000000000 -0400
17192 +++ linux-2.6.31/drivers/atm/fore200e.c 2009-09-06 15:29:11.364132516 -0400
17193 @@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
17195 /* check error condition */
17196 if (*entry->status & STATUS_ERROR)
17197 - atomic_inc(&vcc->stats->tx_err);
17198 + atomic_inc_unchecked(&vcc->stats->tx_err);
17200 - atomic_inc(&vcc->stats->tx);
17201 + atomic_inc_unchecked(&vcc->stats->tx);
17205 @@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
17207 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
17209 - atomic_inc(&vcc->stats->rx_drop);
17210 + atomic_inc_unchecked(&vcc->stats->rx_drop);
17214 @@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
17216 dev_kfree_skb_any(skb);
17218 - atomic_inc(&vcc->stats->rx_drop);
17219 + atomic_inc_unchecked(&vcc->stats->rx_drop);
17223 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
17225 vcc->push(vcc, skb);
17226 - atomic_inc(&vcc->stats->rx);
17227 + atomic_inc_unchecked(&vcc->stats->rx);
17229 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
17231 @@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
17232 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
17233 fore200e->atm_dev->number,
17234 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
17235 - atomic_inc(&vcc->stats->rx_err);
17236 + atomic_inc_unchecked(&vcc->stats->rx_err);
17240 @@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
17244 - atomic_inc(&vcc->stats->tx_err);
17245 + atomic_inc_unchecked(&vcc->stats->tx_err);
17247 fore200e->tx_sat++;
17248 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
17249 diff -urNp linux-2.6.31/drivers/atm/he.c linux-2.6.31/drivers/atm/he.c
17250 --- linux-2.6.31/drivers/atm/he.c 2009-08-27 20:59:04.000000000 -0400
17251 +++ linux-2.6.31/drivers/atm/he.c 2009-09-06 15:29:11.364910298 -0400
17252 @@ -1728,7 +1728,7 @@ he_service_rbrq(struct he_dev *he_dev, i
17254 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
17255 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
17256 - atomic_inc(&vcc->stats->rx_drop);
17257 + atomic_inc_unchecked(&vcc->stats->rx_drop);
17258 goto return_host_buffers;
17261 @@ -1761,7 +1761,7 @@ he_service_rbrq(struct he_dev *he_dev, i
17262 RBRQ_LEN_ERR(he_dev->rbrq_head)
17264 vcc->vpi, vcc->vci);
17265 - atomic_inc(&vcc->stats->rx_err);
17266 + atomic_inc_unchecked(&vcc->stats->rx_err);
17267 goto return_host_buffers;
17270 @@ -1820,7 +1820,7 @@ he_service_rbrq(struct he_dev *he_dev, i
17271 vcc->push(vcc, skb);
17272 spin_lock(&he_dev->global_lock);
17274 - atomic_inc(&vcc->stats->rx);
17275 + atomic_inc_unchecked(&vcc->stats->rx);
17277 return_host_buffers:
17279 @@ -2165,7 +2165,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
17280 tpd->vcc->pop(tpd->vcc, tpd->skb);
17282 dev_kfree_skb_any(tpd->skb);
17283 - atomic_inc(&tpd->vcc->stats->tx_err);
17284 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
17286 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
17288 @@ -2577,7 +2577,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
17289 vcc->pop(vcc, skb);
17291 dev_kfree_skb_any(skb);
17292 - atomic_inc(&vcc->stats->tx_err);
17293 + atomic_inc_unchecked(&vcc->stats->tx_err);
17297 @@ -2588,7 +2588,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
17298 vcc->pop(vcc, skb);
17300 dev_kfree_skb_any(skb);
17301 - atomic_inc(&vcc->stats->tx_err);
17302 + atomic_inc_unchecked(&vcc->stats->tx_err);
17306 @@ -2600,7 +2600,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
17307 vcc->pop(vcc, skb);
17309 dev_kfree_skb_any(skb);
17310 - atomic_inc(&vcc->stats->tx_err);
17311 + atomic_inc_unchecked(&vcc->stats->tx_err);
17312 spin_unlock_irqrestore(&he_dev->global_lock, flags);
17315 @@ -2642,7 +2642,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
17316 vcc->pop(vcc, skb);
17318 dev_kfree_skb_any(skb);
17319 - atomic_inc(&vcc->stats->tx_err);
17320 + atomic_inc_unchecked(&vcc->stats->tx_err);
17321 spin_unlock_irqrestore(&he_dev->global_lock, flags);
17324 @@ -2673,7 +2673,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
17325 __enqueue_tpd(he_dev, tpd, cid);
17326 spin_unlock_irqrestore(&he_dev->global_lock, flags);
17328 - atomic_inc(&vcc->stats->tx);
17329 + atomic_inc_unchecked(&vcc->stats->tx);
17333 diff -urNp linux-2.6.31/drivers/atm/horizon.c linux-2.6.31/drivers/atm/horizon.c
17334 --- linux-2.6.31/drivers/atm/horizon.c 2009-08-27 20:59:04.000000000 -0400
17335 +++ linux-2.6.31/drivers/atm/horizon.c 2009-09-06 15:29:11.367021842 -0400
17336 @@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
17338 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
17340 - atomic_inc(&vcc->stats->rx);
17341 + atomic_inc_unchecked(&vcc->stats->rx);
17342 __net_timestamp(skb);
17343 // end of our responsability
17344 vcc->push (vcc, skb);
17345 @@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
17346 dev->tx_iovec = NULL;
17349 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
17350 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
17353 hrz_kfree_skb (skb);
17354 diff -urNp linux-2.6.31/drivers/atm/idt77252.c linux-2.6.31/drivers/atm/idt77252.c
17355 --- linux-2.6.31/drivers/atm/idt77252.c 2009-08-27 20:59:04.000000000 -0400
17356 +++ linux-2.6.31/drivers/atm/idt77252.c 2009-09-06 15:29:11.368071823 -0400
17357 @@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
17359 dev_kfree_skb(skb);
17361 - atomic_inc(&vcc->stats->tx);
17362 + atomic_inc_unchecked(&vcc->stats->tx);
17365 atomic_dec(&scq->used);
17366 @@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
17367 if ((sb = dev_alloc_skb(64)) == NULL) {
17368 printk("%s: Can't allocate buffers for aal0.\n",
17370 - atomic_add(i, &vcc->stats->rx_drop);
17371 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
17374 if (!atm_charge(vcc, sb->truesize)) {
17375 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
17377 - atomic_add(i - 1, &vcc->stats->rx_drop);
17378 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
17382 @@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
17383 ATM_SKB(sb)->vcc = vcc;
17384 __net_timestamp(sb);
17385 vcc->push(vcc, sb);
17386 - atomic_inc(&vcc->stats->rx);
17387 + atomic_inc_unchecked(&vcc->stats->rx);
17389 cell += ATM_CELL_PAYLOAD;
17391 @@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
17393 card->name, len, rpp->len, readl(SAR_REG_CDC));
17394 recycle_rx_pool_skb(card, rpp);
17395 - atomic_inc(&vcc->stats->rx_err);
17396 + atomic_inc_unchecked(&vcc->stats->rx_err);
17399 if (stat & SAR_RSQE_CRC) {
17400 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
17401 recycle_rx_pool_skb(card, rpp);
17402 - atomic_inc(&vcc->stats->rx_err);
17403 + atomic_inc_unchecked(&vcc->stats->rx_err);
17406 if (skb_queue_len(&rpp->queue) > 1) {
17407 @@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
17408 RXPRINTK("%s: Can't alloc RX skb.\n",
17410 recycle_rx_pool_skb(card, rpp);
17411 - atomic_inc(&vcc->stats->rx_err);
17412 + atomic_inc_unchecked(&vcc->stats->rx_err);
17415 if (!atm_charge(vcc, skb->truesize)) {
17416 @@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
17417 __net_timestamp(skb);
17419 vcc->push(vcc, skb);
17420 - atomic_inc(&vcc->stats->rx);
17421 + atomic_inc_unchecked(&vcc->stats->rx);
17425 @@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
17426 __net_timestamp(skb);
17428 vcc->push(vcc, skb);
17429 - atomic_inc(&vcc->stats->rx);
17430 + atomic_inc_unchecked(&vcc->stats->rx);
17432 if (skb->truesize > SAR_FB_SIZE_3)
17433 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
17434 @@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
17435 if (vcc->qos.aal != ATM_AAL0) {
17436 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
17437 card->name, vpi, vci);
17438 - atomic_inc(&vcc->stats->rx_drop);
17439 + atomic_inc_unchecked(&vcc->stats->rx_drop);
17443 if ((sb = dev_alloc_skb(64)) == NULL) {
17444 printk("%s: Can't allocate buffers for AAL0.\n",
17446 - atomic_inc(&vcc->stats->rx_err);
17447 + atomic_inc_unchecked(&vcc->stats->rx_err);
17451 @@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
17452 ATM_SKB(sb)->vcc = vcc;
17453 __net_timestamp(sb);
17454 vcc->push(vcc, sb);
17455 - atomic_inc(&vcc->stats->rx);
17456 + atomic_inc_unchecked(&vcc->stats->rx);
17459 skb_pull(queue, 64);
17460 @@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
17463 printk("%s: NULL connection in send().\n", card->name);
17464 - atomic_inc(&vcc->stats->tx_err);
17465 + atomic_inc_unchecked(&vcc->stats->tx_err);
17466 dev_kfree_skb(skb);
17469 if (!test_bit(VCF_TX, &vc->flags)) {
17470 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
17471 - atomic_inc(&vcc->stats->tx_err);
17472 + atomic_inc_unchecked(&vcc->stats->tx_err);
17473 dev_kfree_skb(skb);
17476 @@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
17479 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
17480 - atomic_inc(&vcc->stats->tx_err);
17481 + atomic_inc_unchecked(&vcc->stats->tx_err);
17482 dev_kfree_skb(skb);
17486 if (skb_shinfo(skb)->nr_frags != 0) {
17487 printk("%s: No scatter-gather yet.\n", card->name);
17488 - atomic_inc(&vcc->stats->tx_err);
17489 + atomic_inc_unchecked(&vcc->stats->tx_err);
17490 dev_kfree_skb(skb);
17493 @@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
17495 err = queue_skb(card, vc, skb, oam);
17497 - atomic_inc(&vcc->stats->tx_err);
17498 + atomic_inc_unchecked(&vcc->stats->tx_err);
17499 dev_kfree_skb(skb);
17502 @@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
17503 skb = dev_alloc_skb(64);
17505 printk("%s: Out of memory in send_oam().\n", card->name);
17506 - atomic_inc(&vcc->stats->tx_err);
17507 + atomic_inc_unchecked(&vcc->stats->tx_err);
17510 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
17511 diff -urNp linux-2.6.31/drivers/atm/iphase.c linux-2.6.31/drivers/atm/iphase.c
17512 --- linux-2.6.31/drivers/atm/iphase.c 2009-08-27 20:59:04.000000000 -0400
17513 +++ linux-2.6.31/drivers/atm/iphase.c 2009-09-06 17:10:25.340163597 -0400
17514 @@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
17515 status = (u_short) (buf_desc_ptr->desc_mode);
17516 if (status & (RX_CER | RX_PTE | RX_OFL))
17518 - atomic_inc(&vcc->stats->rx_err);
17519 + atomic_inc_unchecked(&vcc->stats->rx_err);
17520 IF_ERR(printk("IA: bad packet, dropping it");)
17521 if (status & RX_CER) {
17522 IF_ERR(printk(" cause: packet CRC error\n");)
17523 @@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
17524 len = dma_addr - buf_addr;
17525 if (len > iadev->rx_buf_sz) {
17526 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
17527 - atomic_inc(&vcc->stats->rx_err);
17528 + atomic_inc_unchecked(&vcc->stats->rx_err);
17529 goto out_free_desc;
17532 @@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
17533 ia_vcc = INPH_IA_VCC(vcc);
17534 if (ia_vcc == NULL)
17536 - atomic_inc(&vcc->stats->rx_err);
17537 + atomic_inc_unchecked(&vcc->stats->rx_err);
17538 dev_kfree_skb_any(skb);
17539 atm_return(vcc, atm_guess_pdu2truesize(len));
17541 @@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
17542 if ((length > iadev->rx_buf_sz) || (length >
17543 (skb->len - sizeof(struct cpcs_trailer))))
17545 - atomic_inc(&vcc->stats->rx_err);
17546 + atomic_inc_unchecked(&vcc->stats->rx_err);
17547 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
17548 length, skb->len);)
17549 dev_kfree_skb_any(skb);
17550 @@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
17552 IF_RX(printk("rx_dle_intr: skb push");)
17553 vcc->push(vcc,skb);
17554 - atomic_inc(&vcc->stats->rx);
17555 + atomic_inc_unchecked(&vcc->stats->rx);
17556 iadev->rx_pkt_cnt++;
17559 @@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
17561 struct k_sonet_stats *stats;
17562 stats = &PRIV(_ia_dev[board])->sonet_stats;
17563 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
17564 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
17565 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
17566 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
17567 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
17568 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
17569 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
17570 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
17571 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
17572 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
17573 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
17574 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
17575 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
17576 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
17577 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
17578 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
17579 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
17580 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
17582 ia_cmds.status = 0;
17584 @@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
17585 if ((desc == 0) || (desc > iadev->num_tx_desc))
17587 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
17588 - atomic_inc(&vcc->stats->tx);
17589 + atomic_inc_unchecked(&vcc->stats->tx);
17591 vcc->pop(vcc, skb);
17593 @@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
17594 ATM_DESC(skb) = vcc->vci;
17595 skb_queue_tail(&iadev->tx_dma_q, skb);
17597 - atomic_inc(&vcc->stats->tx);
17598 + atomic_inc_unchecked(&vcc->stats->tx);
17599 iadev->tx_pkt_cnt++;
17600 /* Increment transaction counter */
17601 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
17604 /* add flow control logic */
17605 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
17606 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
17607 if (iavcc->vc_desc_cnt > 10) {
17608 vcc->tx_quota = vcc->tx_quota * 3 / 4;
17609 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
17610 diff -urNp linux-2.6.31/drivers/atm/lanai.c linux-2.6.31/drivers/atm/lanai.c
17611 --- linux-2.6.31/drivers/atm/lanai.c 2009-08-27 20:59:04.000000000 -0400
17612 +++ linux-2.6.31/drivers/atm/lanai.c 2009-09-06 15:29:11.370987929 -0400
17613 @@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
17614 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
17615 lanai_endtx(lanai, lvcc);
17616 lanai_free_skb(lvcc->tx.atmvcc, skb);
17617 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
17618 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
17621 /* Try to fill the buffer - don't call unless there is backlog */
17622 @@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
17623 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
17624 __net_timestamp(skb);
17625 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
17626 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
17627 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
17629 lvcc->rx.buf.ptr = end;
17630 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
17631 @@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
17632 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
17633 "vcc %d\n", lanai->number, (unsigned int) s, vci);
17634 lanai->stats.service_rxnotaal5++;
17635 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
17636 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
17639 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
17640 @@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
17642 read_unlock(&vcc_sklist_lock);
17643 DPRINTK("got trashed rx pdu on vci %d\n", vci);
17644 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
17645 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
17646 lvcc->stats.x.aal5.service_trash++;
17647 bytes = (SERVICE_GET_END(s) * 16) -
17648 (((unsigned long) lvcc->rx.buf.ptr) -
17649 @@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
17651 if (s & SERVICE_STREAM) {
17652 read_unlock(&vcc_sklist_lock);
17653 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
17654 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
17655 lvcc->stats.x.aal5.service_stream++;
17656 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
17657 "PDU on VCI %d!\n", lanai->number, vci);
17658 @@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
17661 DPRINTK("got rx crc error on vci %d\n", vci);
17662 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
17663 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
17664 lvcc->stats.x.aal5.service_rxcrc++;
17665 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
17666 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
17667 diff -urNp linux-2.6.31/drivers/atm/nicstar.c linux-2.6.31/drivers/atm/nicstar.c
17668 --- linux-2.6.31/drivers/atm/nicstar.c 2009-08-27 20:59:04.000000000 -0400
17669 +++ linux-2.6.31/drivers/atm/nicstar.c 2009-09-06 15:29:11.371908584 -0400
17670 @@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
17671 if ((vc = (vc_map *) vcc->dev_data) == NULL)
17673 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
17674 - atomic_inc(&vcc->stats->tx_err);
17675 + atomic_inc_unchecked(&vcc->stats->tx_err);
17676 dev_kfree_skb_any(skb);
17679 @@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
17682 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
17683 - atomic_inc(&vcc->stats->tx_err);
17684 + atomic_inc_unchecked(&vcc->stats->tx_err);
17685 dev_kfree_skb_any(skb);
17688 @@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
17689 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
17691 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
17692 - atomic_inc(&vcc->stats->tx_err);
17693 + atomic_inc_unchecked(&vcc->stats->tx_err);
17694 dev_kfree_skb_any(skb);
17697 @@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
17698 if (skb_shinfo(skb)->nr_frags != 0)
17700 printk("nicstar%d: No scatter-gather yet.\n", card->index);
17701 - atomic_inc(&vcc->stats->tx_err);
17702 + atomic_inc_unchecked(&vcc->stats->tx_err);
17703 dev_kfree_skb_any(skb);
17706 @@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
17708 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
17710 - atomic_inc(&vcc->stats->tx_err);
17711 + atomic_inc_unchecked(&vcc->stats->tx_err);
17712 dev_kfree_skb_any(skb);
17715 - atomic_inc(&vcc->stats->tx);
17716 + atomic_inc_unchecked(&vcc->stats->tx);
17720 @@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
17722 printk("nicstar%d: Can't allocate buffers for aal0.\n",
17724 - atomic_add(i,&vcc->stats->rx_drop);
17725 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
17728 if (!atm_charge(vcc, sb->truesize))
17730 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
17732 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
17733 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
17734 dev_kfree_skb_any(sb);
17737 @@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
17738 ATM_SKB(sb)->vcc = vcc;
17739 __net_timestamp(sb);
17740 vcc->push(vcc, sb);
17741 - atomic_inc(&vcc->stats->rx);
17742 + atomic_inc_unchecked(&vcc->stats->rx);
17743 cell += ATM_CELL_PAYLOAD;
17746 @@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
17749 printk("nicstar%d: Out of iovec buffers.\n", card->index);
17750 - atomic_inc(&vcc->stats->rx_drop);
17751 + atomic_inc_unchecked(&vcc->stats->rx_drop);
17752 recycle_rx_buf(card, skb);
17755 @@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
17756 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
17758 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
17759 - atomic_inc(&vcc->stats->rx_err);
17760 + atomic_inc_unchecked(&vcc->stats->rx_err);
17761 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
17762 NS_SKB(iovb)->iovcnt = 0;
17764 @@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
17765 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
17767 which_list(card, skb);
17768 - atomic_inc(&vcc->stats->rx_err);
17769 + atomic_inc_unchecked(&vcc->stats->rx_err);
17770 recycle_rx_buf(card, skb);
17772 recycle_iov_buf(card, iovb);
17773 @@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
17774 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
17776 which_list(card, skb);
17777 - atomic_inc(&vcc->stats->rx_err);
17778 + atomic_inc_unchecked(&vcc->stats->rx_err);
17779 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
17780 NS_SKB(iovb)->iovcnt);
17782 @@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
17783 printk(" - PDU size mismatch.\n");
17786 - atomic_inc(&vcc->stats->rx_err);
17787 + atomic_inc_unchecked(&vcc->stats->rx_err);
17788 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
17789 NS_SKB(iovb)->iovcnt);
17791 @@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
17792 if (!atm_charge(vcc, skb->truesize))
17794 push_rxbufs(card, skb);
17795 - atomic_inc(&vcc->stats->rx_drop);
17796 + atomic_inc_unchecked(&vcc->stats->rx_drop);
17800 @@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
17801 ATM_SKB(skb)->vcc = vcc;
17802 __net_timestamp(skb);
17803 vcc->push(vcc, skb);
17804 - atomic_inc(&vcc->stats->rx);
17805 + atomic_inc_unchecked(&vcc->stats->rx);
17808 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
17809 @@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
17810 if (!atm_charge(vcc, sb->truesize))
17812 push_rxbufs(card, sb);
17813 - atomic_inc(&vcc->stats->rx_drop);
17814 + atomic_inc_unchecked(&vcc->stats->rx_drop);
17818 @@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
17819 ATM_SKB(sb)->vcc = vcc;
17820 __net_timestamp(sb);
17821 vcc->push(vcc, sb);
17822 - atomic_inc(&vcc->stats->rx);
17823 + atomic_inc_unchecked(&vcc->stats->rx);
17826 push_rxbufs(card, skb);
17827 @@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
17828 if (!atm_charge(vcc, skb->truesize))
17830 push_rxbufs(card, skb);
17831 - atomic_inc(&vcc->stats->rx_drop);
17832 + atomic_inc_unchecked(&vcc->stats->rx_drop);
17836 @@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
17837 ATM_SKB(skb)->vcc = vcc;
17838 __net_timestamp(skb);
17839 vcc->push(vcc, skb);
17840 - atomic_inc(&vcc->stats->rx);
17841 + atomic_inc_unchecked(&vcc->stats->rx);
17844 push_rxbufs(card, sb);
17845 @@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
17848 printk("nicstar%d: Out of huge buffers.\n", card->index);
17849 - atomic_inc(&vcc->stats->rx_drop);
17850 + atomic_inc_unchecked(&vcc->stats->rx_drop);
17851 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
17852 NS_SKB(iovb)->iovcnt);
17854 @@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
17857 dev_kfree_skb_any(hb);
17858 - atomic_inc(&vcc->stats->rx_drop);
17859 + atomic_inc_unchecked(&vcc->stats->rx_drop);
17863 @@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
17864 #endif /* NS_USE_DESTRUCTORS */
17865 __net_timestamp(hb);
17866 vcc->push(vcc, hb);
17867 - atomic_inc(&vcc->stats->rx);
17868 + atomic_inc_unchecked(&vcc->stats->rx);
17872 diff -urNp linux-2.6.31/drivers/atm/solos-pci.c linux-2.6.31/drivers/atm/solos-pci.c
17873 --- linux-2.6.31/drivers/atm/solos-pci.c 2009-08-27 20:59:04.000000000 -0400
17874 +++ linux-2.6.31/drivers/atm/solos-pci.c 2009-09-06 15:29:11.372920076 -0400
17875 @@ -663,7 +663,7 @@ void solos_bh(unsigned long card_arg)
17877 atm_charge(vcc, skb->truesize);
17878 vcc->push(vcc, skb);
17879 - atomic_inc(&vcc->stats->rx);
17880 + atomic_inc_unchecked(&vcc->stats->rx);
17884 @@ -966,7 +966,7 @@ static uint32_t fpga_tx(struct solos_car
17885 vcc = SKB_CB(oldskb)->vcc;
17888 - atomic_inc(&vcc->stats->tx);
17889 + atomic_inc_unchecked(&vcc->stats->tx);
17890 solos_pop(vcc, oldskb);
17892 dev_kfree_skb_irq(oldskb);
17893 diff -urNp linux-2.6.31/drivers/atm/suni.c linux-2.6.31/drivers/atm/suni.c
17894 --- linux-2.6.31/drivers/atm/suni.c 2009-08-27 20:59:04.000000000 -0400
17895 +++ linux-2.6.31/drivers/atm/suni.c 2009-09-06 15:29:11.373954988 -0400
17896 @@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
17899 #define ADD_LIMITED(s,v) \
17900 - atomic_add((v),&stats->s); \
17901 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
17902 + atomic_add_unchecked((v),&stats->s); \
17903 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
17906 static void suni_hz(unsigned long from_timer)
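Review bot: The rewritten `ADD_LIMITED` is still a bare two-statement macro body, so a use such as `if (cond) ADD_LIMITED(s, v);` would guard only the `atomic_add_unchecked` and always run the clamp; wrapping the body in `do { ... } while (0)` closes that hole (the uPD98402.c version of the same macro at least braces its body). The move to the `_unchecked` variants is also load-bearing rather than cosmetic: the clamp detects overflow by letting the signed counter wrap negative and then resetting it to INT_MAX, which an overflow-checking atomic_add would never let happen, so a comment like `/* unchecked on purpose: saturation works by observing the signed wrap and clamping */` would stop a later cleanup from reverting it. Note that the add and the read are separate atomics, so if callers are not serialized a concurrent adder can slip in between them; the callers are outside this hunk.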
17907 diff -urNp linux-2.6.31/drivers/atm/uPD98402.c linux-2.6.31/drivers/atm/uPD98402.c
17908 --- linux-2.6.31/drivers/atm/uPD98402.c 2009-08-27 20:59:04.000000000 -0400
17909 +++ linux-2.6.31/drivers/atm/uPD98402.c 2009-09-06 17:17:04.796189467 -0400
17910 @@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
17911 struct sonet_stats tmp;
17914 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
17915 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
17916 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
17917 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
17918 if (zero && !error) {
17919 @@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
17922 #define ADD_LIMITED(s,v) \
17923 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
17924 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
17925 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
17926 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
17927 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
17928 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
17931 static void stat_event(struct atm_dev *dev)
17932 @@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
17933 if (reason & uPD98402_INT_PFM) stat_event(dev);
17934 if (reason & uPD98402_INT_PCO) {
17935 (void) GET(PCOCR); /* clear interrupt cause */
17936 - atomic_add(GET(HECCT),
17937 + atomic_add_unchecked(GET(HECCT),
17938 &PRIV(dev)->sonet_stats.uncorr_hcs);
17940 if ((reason & uPD98402_INT_RFO) &&
17941 @@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
17942 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
17943 uPD98402_INT_LOS),PIMR); /* enable them */
17944 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
17945 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
17946 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
17947 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
17948 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
17949 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
17950 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
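Review bot: The three `atomic_set_unchecked(..., -1)` lines follow a call whose comment reads `/* clear kernel counters */`, and nothing explains why three of the counters are then deliberately set negative instead of zero. A one-line comment above them, e.g. `/* -1 marks counters this PHY does not maintain; the SONET stats readers treat it as "unavailable" */` (confirm the sentinel's meaning against those readers, which are outside this hunk), would make the intent clear and also record why these fields are exempt from the overflow-checked atomics: a negative value is a legitimate state here, not a wrap.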
17954 diff -urNp linux-2.6.31/drivers/atm/zatm.c linux-2.6.31/drivers/atm/zatm.c
17955 --- linux-2.6.31/drivers/atm/zatm.c 2009-08-27 20:59:04.000000000 -0400
17956 +++ linux-2.6.31/drivers/atm/zatm.c 2009-09-06 15:29:11.373954988 -0400
17957 @@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
17960 dev_kfree_skb_irq(skb);
17961 - if (vcc) atomic_inc(&vcc->stats->rx_err);
17962 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
17965 if (!atm_charge(vcc,skb->truesize)) {
17966 @@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
17968 ATM_SKB(skb)->vcc = vcc;
17969 vcc->push(vcc,skb);
17970 - atomic_inc(&vcc->stats->rx);
17971 + atomic_inc_unchecked(&vcc->stats->rx);
17973 zout(pos & 0xffff,MTA(mbx));
17974 #if 0 /* probably a stupid idea */
17975 @@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
17976 skb_queue_head(&zatm_vcc->backlog,skb);
17979 - atomic_inc(&vcc->stats->tx);
17980 + atomic_inc_unchecked(&vcc->stats->tx);
17981 wake_up(&zatm_vcc->tx_wait);
17984 diff -urNp linux-2.6.31/drivers/block/cciss.c linux-2.6.31/drivers/block/cciss.c
17985 --- linux-2.6.31/drivers/block/cciss.c 2009-08-27 20:59:04.000000000 -0400
17986 +++ linux-2.6.31/drivers/block/cciss.c 2009-09-06 15:29:11.375910017 -0400
17987 @@ -363,7 +363,7 @@ static void cciss_seq_stop(struct seq_fi
17988 h->busy_configuring = 0;
17991 -static struct seq_operations cciss_seq_ops = {
17992 +static const struct seq_operations cciss_seq_ops = {
17993 .start = cciss_seq_start,
17994 .show = cciss_seq_show,
17995 .next = cciss_seq_next,
17996 @@ -426,7 +426,7 @@ out:
18000 -static struct file_operations cciss_proc_fops = {
18001 +static const struct file_operations cciss_proc_fops = {
18002 .owner = THIS_MODULE,
18003 .open = cciss_seq_open,
18005 diff -urNp linux-2.6.31/drivers/char/agp/agp.h linux-2.6.31/drivers/char/agp/agp.h
18006 --- linux-2.6.31/drivers/char/agp/agp.h 2009-08-27 20:59:04.000000000 -0400
18007 +++ linux-2.6.31/drivers/char/agp/agp.h 2009-09-06 15:29:11.376907094 -0400
18008 @@ -126,7 +126,7 @@ struct agp_bridge_driver {
18009 struct agp_bridge_data {
18010 const struct agp_version *version;
18011 const struct agp_bridge_driver *driver;
18012 - struct vm_operations_struct *vm_ops;
18013 + const struct vm_operations_struct *vm_ops;
18014 void *previous_size;
18015 void *current_size;
18016 void *dev_private_data;
18017 diff -urNp linux-2.6.31/drivers/char/agp/alpha-agp.c linux-2.6.31/drivers/char/agp/alpha-agp.c
18018 --- linux-2.6.31/drivers/char/agp/alpha-agp.c 2009-08-27 20:59:04.000000000 -0400
18019 +++ linux-2.6.31/drivers/char/agp/alpha-agp.c 2009-09-06 15:29:11.376907094 -0400
18020 @@ -40,7 +40,7 @@ static struct aper_size_info_fixed alpha
18021 { 0, 0, 0 }, /* filled in by alpha_core_agp_setup */
18024 -struct vm_operations_struct alpha_core_agp_vm_ops = {
18025 +const struct vm_operations_struct alpha_core_agp_vm_ops = {
18026 .fault = alpha_core_agp_vm_fault,
18029 diff -urNp linux-2.6.31/drivers/char/agp/frontend.c linux-2.6.31/drivers/char/agp/frontend.c
18030 --- linux-2.6.31/drivers/char/agp/frontend.c 2009-08-27 20:59:04.000000000 -0400
18031 +++ linux-2.6.31/drivers/char/agp/frontend.c 2009-09-06 15:29:11.377978709 -0400
18032 @@ -824,7 +824,7 @@ static int agpioc_reserve_wrap(struct ag
18033 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
18036 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
18037 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
18040 client = agp_find_client_by_pid(reserve.pid);
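Review bot: The tightened bound on `reserve.seg_count` has no comment saying why `sizeof(struct agp_segment_priv)` rather than `sizeof(struct agp_segment)` is the right divisor, which a reader of the allocation path below (outside the hunk) will not guess; something like `/* seg_count sizes both the user agp_segment copy and the kernel agp_segment_priv array; bound against the larger so neither size multiplication can wrap */` captures it, assuming the priv struct is at least as large as the user one, which should be confirmed in agp.h. Returning `-EFAULT` for an out-of-range count is also odd — `-EINVAL` is the conventional errno for a bad argument, and a caller cannot tell this case apart from a genuine copy failure — though that part is pre-existing. The enclosing function continues beyond the hunk.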
18041 diff -urNp linux-2.6.31/drivers/char/agp/intel-agp.c linux-2.6.31/drivers/char/agp/intel-agp.c
18042 --- linux-2.6.31/drivers/char/agp/intel-agp.c 2009-09-09 19:20:52.855106203 -0400
18043 +++ linux-2.6.31/drivers/char/agp/intel-agp.c 2009-09-09 19:28:34.805221606 -0400
18044 @@ -2404,7 +2404,7 @@ static struct pci_device_id agp_intel_pc
18045 ID(PCI_DEVICE_ID_INTEL_IGDNG_D_HB),
18046 ID(PCI_DEVICE_ID_INTEL_IGDNG_M_HB),
18047 ID(PCI_DEVICE_ID_INTEL_IGDNG_MA_HB),
18049 + { 0, 0, 0, 0, 0, 0, 0 }
18052 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
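Review bot: The new sentinel entry `{ 0, 0, 0, 0, 0, 0, 0 }` hard-codes the field count of `struct pci_device_id`, so it has to be touched again if that struct ever grows, whereas the keyboard.c hunk in this same patch terminates `kbd_ids` with `{ 0 }`; the two should agree, and `{ 0 }` is the usual form. If the seven explicit zeros are there to silence `-Wmissing-field-initializers`, a short comment saying so would prevent the next cleanup from reverting it. The removed line is not visible in this view, so I am assuming it was the empty-brace terminator.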
18053 diff -urNp linux-2.6.31/drivers/char/apm-emulation.c linux-2.6.31/drivers/char/apm-emulation.c
18054 --- linux-2.6.31/drivers/char/apm-emulation.c 2009-08-27 20:59:04.000000000 -0400
18055 +++ linux-2.6.31/drivers/char/apm-emulation.c 2009-09-06 15:29:11.378925163 -0400
18056 @@ -393,7 +393,7 @@ static int apm_open(struct inode * inode
18057 return as ? 0 : -ENOMEM;
18060 -static struct file_operations apm_bios_fops = {
18061 +static const struct file_operations apm_bios_fops = {
18062 .owner = THIS_MODULE,
18065 diff -urNp linux-2.6.31/drivers/char/bfin-otp.c linux-2.6.31/drivers/char/bfin-otp.c
18066 --- linux-2.6.31/drivers/char/bfin-otp.c 2009-08-27 20:59:04.000000000 -0400
18067 +++ linux-2.6.31/drivers/char/bfin-otp.c 2009-09-06 15:29:11.378925163 -0400
18068 @@ -133,7 +133,7 @@ static ssize_t bfin_otp_write(struct fil
18069 # define bfin_otp_write NULL
18072 -static struct file_operations bfin_otp_fops = {
18073 +static const struct file_operations bfin_otp_fops = {
18074 .owner = THIS_MODULE,
18075 .read = bfin_otp_read,
18076 .write = bfin_otp_write,
18077 diff -urNp linux-2.6.31/drivers/char/hpet.c linux-2.6.31/drivers/char/hpet.c
18078 --- linux-2.6.31/drivers/char/hpet.c 2009-08-27 20:59:04.000000000 -0400
18079 +++ linux-2.6.31/drivers/char/hpet.c 2009-09-06 15:29:11.379954384 -0400
18080 @@ -995,7 +995,7 @@ static struct acpi_driver hpet_acpi_driv
18084 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
18085 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
18087 static int __init hpet_init(void)
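Review bot: The rewritten `hpet_misc` initializer fills in `{NULL, NULL}, NULL, NULL` positionally, which ties the line to the exact member order of `struct miscdevice` and will silently mis-assign if a member is inserted. Designated initializers express the same thing and are layout-proof: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };` — the omitted members are zero-initialized anyway, so the explicit NULLs add nothing. The `.owner = THIS_MODULE` style already used for the ops tables elsewhere in this patch (apm-emulation, bfin-otp, cciss) is the precedent to follow.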
18089 diff -urNp linux-2.6.31/drivers/char/hvcs.c linux-2.6.31/drivers/char/hvcs.c
18090 --- linux-2.6.31/drivers/char/hvcs.c 2009-08-27 20:59:04.000000000 -0400
18091 +++ linux-2.6.31/drivers/char/hvcs.c 2009-09-06 15:29:11.379954384 -0400
18092 @@ -269,7 +269,7 @@ struct hvcs_struct {
18093 unsigned int index;
18095 struct tty_struct *tty;
18097 + atomic_t open_count;
18100 * Used to tell the driver kernel_thread what operations need to take
18101 diff -urNp linux-2.6.31/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.31/drivers/char/ipmi/ipmi_msghandler.c
18102 --- linux-2.6.31/drivers/char/ipmi/ipmi_msghandler.c 2009-08-27 20:59:04.000000000 -0400
18103 +++ linux-2.6.31/drivers/char/ipmi/ipmi_msghandler.c 2009-09-06 15:29:11.381907311 -0400
18104 @@ -413,7 +413,7 @@ struct ipmi_smi {
18105 struct proc_dir_entry *proc_dir;
18106 char proc_dir_name[10];
18108 - atomic_t stats[IPMI_NUM_STATS];
18109 + atomic_unchecked_t stats[IPMI_NUM_STATS];
18112 * run_to_completion duplicate of smb_info, smi_info
18113 @@ -446,9 +446,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
18116 #define ipmi_inc_stat(intf, stat) \
18117 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
18118 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
18119 #define ipmi_get_stat(intf, stat) \
18120 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
18121 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
18123 static int is_lan_addr(struct ipmi_addr *addr)
18125 @@ -2807,7 +2807,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
18126 INIT_LIST_HEAD(&intf->cmd_rcvrs);
18127 init_waitqueue_head(&intf->waitq);
18128 for (i = 0; i < IPMI_NUM_STATS; i++)
18129 - atomic_set(&intf->stats[i], 0);
18130 + atomic_set_unchecked(&intf->stats[i], 0);
18132 intf->proc_dir = NULL;
18134 diff -urNp linux-2.6.31/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.31/drivers/char/ipmi/ipmi_si_intf.c
18135 --- linux-2.6.31/drivers/char/ipmi/ipmi_si_intf.c 2009-08-27 20:59:04.000000000 -0400
18136 +++ linux-2.6.31/drivers/char/ipmi/ipmi_si_intf.c 2009-09-06 15:29:11.385901177 -0400
18137 @@ -277,7 +277,7 @@ struct smi_info {
18138 unsigned char slave_addr;
18140 /* Counters and things for the proc filesystem. */
18141 - atomic_t stats[SI_NUM_STATS];
18142 + atomic_unchecked_t stats[SI_NUM_STATS];
18144 struct task_struct *thread;
18146 @@ -285,9 +285,9 @@ struct smi_info {
18149 #define smi_inc_stat(smi, stat) \
18150 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
18151 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
18152 #define smi_get_stat(smi, stat) \
18153 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
18154 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
18156 #define SI_MAX_PARMS 4
18158 @@ -2926,7 +2926,7 @@ static int try_smi_init(struct smi_info
18159 atomic_set(&new_smi->req_events, 0);
18160 new_smi->run_to_completion = 0;
18161 for (i = 0; i < SI_NUM_STATS; i++)
18162 - atomic_set(&new_smi->stats[i], 0);
18163 + atomic_set_unchecked(&new_smi->stats[i], 0);
18165 new_smi->interrupt_disabled = 0;
18166 atomic_set(&new_smi->stop_operation, 0);
18167 diff -urNp linux-2.6.31/drivers/char/keyboard.c linux-2.6.31/drivers/char/keyboard.c
18168 --- linux-2.6.31/drivers/char/keyboard.c 2009-08-27 20:59:04.000000000 -0400
18169 +++ linux-2.6.31/drivers/char/keyboard.c 2009-09-06 15:29:11.386918893 -0400
18170 @@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
18171 kbd->kbdmode == VC_MEDIUMRAW) &&
18172 value != KVAL(K_SAK))
18173 return; /* SAK is allowed even in raw mode */
18175 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
18177 + void *func = fn_handler[value];
18178 + if (func == fn_show_state || func == fn_show_ptregs ||
18179 + func == fn_show_mem)
18184 fn_handler[value](vc);
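Review bot: The new `CONFIG_GRKERNSEC_PROC` block in `k_spec` silently drops three console key handlers but carries no comment on why, and the reason is a security one worth recording: `fn_show_state`, `fn_show_ptregs` and `fn_show_mem` dump task, register and memory information to the console, which undoes the kernel-address hiding the proc restrictions are meant to provide; `/* these dump task/regs/memory info to the console, leaking what GRKERNSEC_PROC hides */` would do. The test could also be made directly on the keysym instead of round-tripping through a `void *` temp, e.g. `if (value == KVAL(K_SH_STAT) || value == KVAL(K_SH_REGS) || value == KVAL(K_SH_MEM)) return;`, which reads as a key-code policy rather than a pointer comparison — this assumes `value` is already the KVAL index into `fn_handler`, as the existing `KVAL(K_SAK)` comparison just above suggests, and that those are the spec keysym names. Several lines of the block (its braces, the early return and the `#endif`) are not visible in this view, so I am inferring the early-return shape.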
18187 @@ -1386,7 +1396,7 @@ static const struct input_device_id kbd_
18188 .evbit = { BIT_MASK(EV_SND) },
18191 - { }, /* Terminating entry */
18192 + { 0 }, /* Terminating entry */
18195 MODULE_DEVICE_TABLE(input, kbd_ids);
18196 diff -urNp linux-2.6.31/drivers/char/mem.c linux-2.6.31/drivers/char/mem.c
18197 --- linux-2.6.31/drivers/char/mem.c 2009-08-27 20:59:04.000000000 -0400
18198 +++ linux-2.6.31/drivers/char/mem.c 2009-09-06 15:29:11.386918893 -0400
18200 #include <linux/raw.h>
18201 #include <linux/tty.h>
18202 #include <linux/capability.h>
18203 +#include <linux/security.h>
18204 #include <linux/ptrace.h>
18205 #include <linux/device.h>
18206 #include <linux/highmem.h>
18208 # include <linux/efi.h>
18211 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
18212 +extern struct file_operations grsec_fops;
18216 * Architectures vary in how they handle caching for addresses
18217 * outside of main memory.
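Review bot: `extern struct file_operations grsec_fops;` declares the new ops table as writable, while the rest of this same patch is busy making `file_operations` tables `const` (cciss, apm-emulation, bfin-otp); an ops table reachable from `devlist` is exactly the kind of function-pointer block that constification exists to keep out of writable memory. If the definition (not visible here) is or can be `const`, the declaration should read `extern const struct file_operations grsec_fops;`, and it belongs in a shared header rather than a file-local extern so the two cannot drift apart. The hunk header for this part of the file is not visible in this view.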
18218 @@ -192,6 +197,11 @@ static ssize_t write_mem(struct file * f
18219 if (!valid_phys_addr_range(p, count))
18222 +#ifdef CONFIG_GRKERNSEC_KMEM
18223 + gr_handle_mem_write();
18229 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
18230 @@ -301,7 +311,7 @@ static inline int private_mapping_ok(str
18234 -static struct vm_operations_struct mmap_mem_ops = {
18235 +static const struct vm_operations_struct mmap_mem_ops = {
18236 #ifdef CONFIG_HAVE_IOREMAP_PROT
18237 .access = generic_access_phys
18239 @@ -324,6 +334,11 @@ static int mmap_mem(struct file * file,
18240 &vma->vm_page_prot))
18243 +#ifdef CONFIG_GRKERNSEC_KMEM
18244 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
18248 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
18250 vma->vm_page_prot);
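Review bot: The new `gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma)` call computes the physical address in `unsigned long`, which on 32-bit builds with PAE or any >4 GiB physical address space truncates the high bits, so a mapping of high physical memory would be policy-checked against the wrong, aliased address. The kernel's own range checks earlier in `mmap_mem` (outside the hunk) pass the page frame number rather than a shifted address; passing `vma->vm_pgoff` and shifting inside the callee with a wide type, or at least writing `(phys_addr_t)vma->vm_pgoff << PAGE_SHIFT`, keeps the check honest. Whether the callee's parameter is already 64-bit wide cannot be seen here, and if it takes an `unsigned long` the truncation happens before the call regardless.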
18251 @@ -558,6 +573,11 @@ static ssize_t write_kmem(struct file *
18253 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
18255 +#ifdef CONFIG_GRKERNSEC_KMEM
18256 + gr_handle_kmem_write();
18260 if (p < (unsigned long) high_memory) {
18263 @@ -763,6 +783,16 @@ static loff_t memory_lseek(struct file *
18265 static int open_port(struct inode * inode, struct file * filp)
18267 +#ifdef CONFIG_GRKERNSEC_KMEM
18268 + gr_handle_open_port();
18272 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
18275 +static int open_mem(struct inode * inode, struct file * filp)
18277 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
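Review bot: With `CONFIG_GRKERNSEC_KMEM` set, the `return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;` line added to `open_port` looks unreachable if the lines hidden from this view after `gr_handle_open_port()` return early — presumably the point (deny /dev/port outright) but worth saying — and nothing explains why `open_mem` is split off to keep only the capability check. A comment on each, e.g. `/* /dev/port: denied outright under GRKERNSEC_KMEM, otherwise CAP_SYS_RAWIO */` and `/* /dev/mem, /dev/kmem, /dev/oldmem: open needs CAP_SYS_RAWIO; the KMEM restrictions are enforced in the read/write/mmap paths */`, would capture the policy split; the second assumes the write_mem/write_kmem/mmap_mem hooks added elsewhere in this file are the intended enforcement point. Part of this hunk's added lines (between the hook call and the return) is not visible here.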
18280 @@ -770,7 +800,6 @@ static int open_port(struct inode * inod
18281 #define full_lseek null_lseek
18282 #define write_zero write_null
18283 #define read_full read_zero
18284 -#define open_mem open_port
18285 #define open_kmem open_mem
18286 #define open_oldmem open_mem
18288 @@ -888,6 +917,9 @@ static const struct {
18289 #ifdef CONFIG_CRASH_DUMP
18290 {12,"oldmem", S_IRUSR | S_IWUSR | S_IRGRP, &oldmem_fops, NULL},
18292 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
18293 + {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
18297 static int memory_open(struct inode *inode, struct file *filp)
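Review bot: The new `devlist` entry `{13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops}` creates a device node every user may write to, which is unusual enough for a kernel security interface that it needs a comment on why that is safe — presumably the write handler behind `grsec_fops` authenticates the caller itself, but nothing here says so; `/* world-writable by design: the write handler authenticates the caller before acting */` (confirm against the handler) would stop a reviewer from reading `S_IWUGO` as a typo for `S_IWUSR`. The entry also has one initializer fewer than its `oldmem` neighbour, whose last member is an explicit `NULL`, so if that trailing member carries meaning the two should match, or both should switch to designated initializers.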
18298 diff -urNp linux-2.6.31/drivers/char/misc.c linux-2.6.31/drivers/char/misc.c
18299 --- linux-2.6.31/drivers/char/misc.c 2009-08-27 20:59:04.000000000 -0400
18300 +++ linux-2.6.31/drivers/char/misc.c 2009-09-06 15:29:11.388001318 -0400
18301 @@ -91,7 +91,7 @@ static int misc_seq_show(struct seq_file
18305 -static struct seq_operations misc_seq_ops = {
18306 +static const struct seq_operations misc_seq_ops = {
18307 .start = misc_seq_start,
18308 .next = misc_seq_next,
18309 .stop = misc_seq_stop,
18310 diff -urNp linux-2.6.31/drivers/char/mspec.c linux-2.6.31/drivers/char/mspec.c
18311 --- linux-2.6.31/drivers/char/mspec.c 2009-08-27 20:59:04.000000000 -0400
18312 +++ linux-2.6.31/drivers/char/mspec.c 2009-09-06 15:29:11.388001318 -0400
18313 @@ -239,7 +239,7 @@ mspec_fault(struct vm_area_struct *vma,
18314 return VM_FAULT_NOPAGE;
18317 -static struct vm_operations_struct mspec_vm_ops = {
18318 +static const struct vm_operations_struct mspec_vm_ops = {
18319 .open = mspec_open,
18320 .close = mspec_close,
18321 .fault = mspec_fault,
18322 diff -urNp linux-2.6.31/drivers/char/nvram.c linux-2.6.31/drivers/char/nvram.c
18323 --- linux-2.6.31/drivers/char/nvram.c 2009-08-27 20:59:04.000000000 -0400
18324 +++ linux-2.6.31/drivers/char/nvram.c 2009-09-06 15:29:11.389005600 -0400
18325 @@ -429,7 +429,10 @@ static const struct file_operations nvra
18326 static struct miscdevice nvram_dev = {
18336 static int __init nvram_init(void)
18337 diff -urNp linux-2.6.31/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.31/drivers/char/pcmcia/ipwireless/tty.c
18338 --- linux-2.6.31/drivers/char/pcmcia/ipwireless/tty.c 2009-08-27 20:59:04.000000000 -0400
18339 +++ linux-2.6.31/drivers/char/pcmcia/ipwireless/tty.c 2009-09-06 15:29:11.389005600 -0400
18340 @@ -51,7 +51,7 @@ struct ipw_tty {
18342 struct ipw_network *network;
18343 struct tty_struct *linux_tty;
18345 + atomic_t open_count;
18346 unsigned int control_lines;
18347 struct mutex ipw_tty_mutex;
18348 int tx_bytes_queued;
18349 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
18350 mutex_unlock(&tty->ipw_tty_mutex);
18353 - if (tty->open_count == 0)
18354 + if (atomic_read(&tty->open_count) == 0)
18355 tty->tx_bytes_queued = 0;
18357 - tty->open_count++;
18358 + atomic_inc(&tty->open_count);
18360 tty->linux_tty = linux_tty;
18361 linux_tty->driver_data = tty;
18362 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
18364 static void do_ipw_close(struct ipw_tty *tty)
18366 - tty->open_count--;
18368 - if (tty->open_count == 0) {
18369 + if (atomic_dec_return(&tty->open_count) == 0) {
18370 struct tty_struct *linux_tty = tty->linux_tty;
18372 if (linux_tty != NULL) {
18373 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
18376 mutex_lock(&tty->ipw_tty_mutex);
18377 - if (tty->open_count == 0) {
18378 + if (atomic_read(&tty->open_count) == 0) {
18379 mutex_unlock(&tty->ipw_tty_mutex);
18382 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
18386 - if (!tty->open_count) {
18387 + if (!atomic_read(&tty->open_count)) {
18388 mutex_unlock(&tty->ipw_tty_mutex);
18391 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
18394 mutex_lock(&tty->ipw_tty_mutex);
18395 - if (!tty->open_count) {
18396 + if (!atomic_read(&tty->open_count)) {
18397 mutex_unlock(&tty->ipw_tty_mutex);
18400 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
18404 - if (!tty->open_count)
18405 + if (!atomic_read(&tty->open_count))
18408 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
18409 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
18413 - if (!tty->open_count)
18414 + if (!atomic_read(&tty->open_count))
18417 return tty->tx_bytes_queued;
18418 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
18422 - if (!tty->open_count)
18423 + if (!atomic_read(&tty->open_count))
18426 return get_control_lines(tty);
18427 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
18431 - if (!tty->open_count)
18432 + if (!atomic_read(&tty->open_count))
18435 return set_control_lines(tty, set, clear);
18436 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
18440 - if (!tty->open_count)
18441 + if (!atomic_read(&tty->open_count))
18444 /* FIXME: Exactly how is the tty object locked here .. */
18445 @@ -591,7 +589,7 @@ void ipwireless_tty_free(struct ipw_tty
18446 against a parallel ioctl etc */
18447 mutex_lock(&ttyj->ipw_tty_mutex);
18449 - while (ttyj->open_count)
18450 + while (atomic_read(&ttyj->open_count))
18451 do_ipw_close(ttyj);
18452 ipwireless_disassociate_network_ttys(network,
18453 ttyj->channel_idx);
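Review bot: The open_count conversion in ipw_open (18353–18358) is still a read-then-act sequence — `atomic_read()` against 0, reset of `tx_bytes_queued`, then `atomic_inc()` — so the atomic type on its own adds no guarantee there, and the field keeps depending on ipw_tty_mutex being held across it (the mutex_lock/mutex_unlock calls at 18350, 18376 and 18394 suggest it is, but ipw_open's start lies outside the hunk). A comment at the field would stop the next maintainer from reading "atomic" as "lock-free": `atomic_t open_count; /* serialised by ipw_tty_mutex; atomic_t presumably only for the counter overflow check, not for lock-free use */`. The same applies to sonypi.c's open_count (under sonypi_device.lock) and to tty_ldisc.c's refcount (under tty_ldisc_lock).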
18454 diff -urNp linux-2.6.31/drivers/char/random.c linux-2.6.31/drivers/char/random.c
18455 --- linux-2.6.31/drivers/char/random.c 2009-08-27 20:59:04.000000000 -0400
18456 +++ linux-2.6.31/drivers/char/random.c 2009-09-06 15:29:11.389959667 -0400
18457 @@ -253,8 +253,13 @@
18459 * Configuration information
18461 +#ifdef CONFIG_GRKERNSEC_RANDNET
18462 +#define INPUT_POOL_WORDS 512
18463 +#define OUTPUT_POOL_WORDS 128
18465 #define INPUT_POOL_WORDS 128
18466 #define OUTPUT_POOL_WORDS 32
18468 #define SEC_XFER_SIZE 512
18471 @@ -291,10 +296,17 @@ static struct poolinfo {
18473 int tap1, tap2, tap3, tap4, tap5;
18474 } poolinfo_table[] = {
18475 +#ifdef CONFIG_GRKERNSEC_RANDNET
18476 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
18477 + { 512, 411, 308, 208, 104, 1 },
18478 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
18479 + { 128, 103, 76, 51, 25, 1 },
18481 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
18482 { 128, 103, 76, 51, 25, 1 },
18483 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
18484 { 32, 26, 20, 14, 7, 1 },
18487 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
18488 { 2048, 1638, 1231, 819, 411, 1 },
18489 @@ -1204,7 +1216,7 @@ EXPORT_SYMBOL(generate_random_uuid);
18490 #include <linux/sysctl.h>
18492 static int min_read_thresh = 8, min_write_thresh;
18493 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
18494 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
18495 static int max_write_thresh = INPUT_POOL_WORDS * 32;
18496 static char sysctl_bootid[16];
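Review bot: The `max_read_thresh` change at 18493–18494 sits outside the `#ifdef CONFIG_GRKERNSEC_RANDNET` blocks, so it lowers the ceiling of the read-wakeup sysctl from INPUT_POOL_WORDS*32 to OUTPUT_POOL_WORDS*32 on every configuration, not only on RANDNET builds (4096 to 1024 bits with the default sizes at 18465–18466). If that is intentional, a comment on 18494 should say why the bound follows the output pool rather than the input pool; otherwise the line belongs inside the ifdef. The RANDNET entries in poolinfo_table (18476–18479) would also benefit from a comment that their order must match the pool sizes defined above, since the pool definitions that index this table are not in the hunk.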
18498 diff -urNp linux-2.6.31/drivers/char/sonypi.c linux-2.6.31/drivers/char/sonypi.c
18499 --- linux-2.6.31/drivers/char/sonypi.c 2009-08-27 20:59:04.000000000 -0400
18500 +++ linux-2.6.31/drivers/char/sonypi.c 2009-09-06 15:29:11.389959667 -0400
18501 @@ -490,7 +490,7 @@ static struct sonypi_device {
18502 spinlock_t fifo_lock;
18503 wait_queue_head_t fifo_proc_list;
18504 struct fasync_struct *fifo_async;
18506 + atomic_t open_count;
18508 struct input_dev *input_jog_dev;
18509 struct input_dev *input_key_dev;
18510 @@ -894,7 +894,7 @@ static int sonypi_misc_fasync(int fd, st
18511 static int sonypi_misc_release(struct inode *inode, struct file *file)
18513 mutex_lock(&sonypi_device.lock);
18514 - sonypi_device.open_count--;
18515 + atomic_dec(&sonypi_device.open_count);
18516 mutex_unlock(&sonypi_device.lock);
18519 @@ -904,9 +904,9 @@ static int sonypi_misc_open(struct inode
18521 mutex_lock(&sonypi_device.lock);
18522 /* Flush input queue on first open */
18523 - if (!sonypi_device.open_count)
18524 + if (!atomic_read(&sonypi_device.open_count))
18525 kfifo_reset(sonypi_device.fifo);
18526 - sonypi_device.open_count++;
18527 + atomic_inc(&sonypi_device.open_count);
18528 mutex_unlock(&sonypi_device.lock);
18531 diff -urNp linux-2.6.31/drivers/char/tpm/tpm_bios.c linux-2.6.31/drivers/char/tpm/tpm_bios.c
18532 --- linux-2.6.31/drivers/char/tpm/tpm_bios.c 2009-08-27 20:59:04.000000000 -0400
18533 +++ linux-2.6.31/drivers/char/tpm/tpm_bios.c 2009-09-06 15:29:11.392012091 -0400
18534 @@ -343,14 +343,14 @@ static int tpm_ascii_bios_measurements_s
18538 -static struct seq_operations tpm_ascii_b_measurments_seqops = {
18539 +static const struct seq_operations tpm_ascii_b_measurments_seqops = {
18540 .start = tpm_bios_measurements_start,
18541 .next = tpm_bios_measurements_next,
18542 .stop = tpm_bios_measurements_stop,
18543 .show = tpm_ascii_bios_measurements_show,
18546 -static struct seq_operations tpm_binary_b_measurments_seqops = {
18547 +static const struct seq_operations tpm_binary_b_measurments_seqops = {
18548 .start = tpm_bios_measurements_start,
18549 .next = tpm_bios_measurements_next,
18550 .stop = tpm_bios_measurements_stop,
18551 diff -urNp linux-2.6.31/drivers/char/tty_ldisc.c linux-2.6.31/drivers/char/tty_ldisc.c
18552 --- linux-2.6.31/drivers/char/tty_ldisc.c 2009-08-27 20:59:04.000000000 -0400
18553 +++ linux-2.6.31/drivers/char/tty_ldisc.c 2009-09-06 15:29:11.392012091 -0400
18554 @@ -73,7 +73,7 @@ static void put_ldisc(struct tty_ldisc *
18555 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
18556 struct tty_ldisc_ops *ldo = ld->ops;
18559 + atomic_dec(&ldo->refcount);
18560 module_put(ldo->owner);
18561 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
18563 @@ -107,7 +107,7 @@ int tty_register_ldisc(int disc, struct
18564 spin_lock_irqsave(&tty_ldisc_lock, flags);
18565 tty_ldiscs[disc] = new_ldisc;
18566 new_ldisc->num = disc;
18567 - new_ldisc->refcount = 0;
18568 + atomic_set(&new_ldisc->refcount, 0);
18569 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
18572 @@ -135,7 +135,7 @@ int tty_unregister_ldisc(int disc)
18575 spin_lock_irqsave(&tty_ldisc_lock, flags);
18576 - if (tty_ldiscs[disc]->refcount)
18577 + if (atomic_read(&tty_ldiscs[disc]->refcount))
18580 tty_ldiscs[disc] = NULL;
18581 @@ -175,7 +175,7 @@ static struct tty_ldisc *tty_ldisc_try_g
18585 - ldops->refcount++;
18586 + atomic_inc(&ldops->refcount);
18588 atomic_set(&ld->users, 1);
18590 diff -urNp linux-2.6.31/drivers/char/vt_ioctl.c linux-2.6.31/drivers/char/vt_ioctl.c
18591 --- linux-2.6.31/drivers/char/vt_ioctl.c 2009-08-27 20:59:04.000000000 -0400
18592 +++ linux-2.6.31/drivers/char/vt_ioctl.c 2009-09-06 15:29:11.392012091 -0400
18593 @@ -97,6 +97,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
18598 +#ifdef CONFIG_GRKERNSEC
18599 + if (!capable(CAP_SYS_TTY_CONFIG))
18603 if (!i && v == K_NOSUCHMAP) {
18604 /* deallocate map */
18605 key_map = key_maps[s];
18606 @@ -237,6 +243,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
18610 +#ifdef CONFIG_GRKERNSEC
18611 + if (!capable(CAP_SYS_TTY_CONFIG)) {
18618 first_free = funcbufptr + (funcbufsize - funcbufleft);
18619 for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
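Review bot: The new `capable(CAP_SYS_TTY_CONFIG)` gates at 18599 and 18611 carry no comment on why the existing permission check of the enclosing functions (presumably tty ownership or the capability; both functions start outside the hunks) is no longer enough for keymap and function-key-string writes, and the bodies of both `#ifdef CONFIG_GRKERNSEC` blocks are not shown in this rendering. Since key_maps (18605) and func_table (18619) are shared by every console user, a comment ahead of each block would record the rationale: `/* GRKERNSEC: the keymap and string tables are global to all consoles, so require CAP_SYS_TTY_CONFIG even from the tty owner */`.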
18620 diff -urNp linux-2.6.31/drivers/char/xilinx_hwicap/xilinx_hwicap.c linux-2.6.31/drivers/char/xilinx_hwicap/xilinx_hwicap.c
18621 --- linux-2.6.31/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2009-08-27 20:59:04.000000000 -0400
18622 +++ linux-2.6.31/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2009-09-06 15:29:11.393912433 -0400
18623 @@ -559,7 +559,7 @@ static int hwicap_release(struct inode *
18627 -static struct file_operations hwicap_fops = {
18628 +static const struct file_operations hwicap_fops = {
18629 .owner = THIS_MODULE,
18630 .write = hwicap_write,
18631 .read = hwicap_read,
18632 diff -urNp linux-2.6.31/drivers/edac/edac_core.h linux-2.6.31/drivers/edac/edac_core.h
18633 --- linux-2.6.31/drivers/edac/edac_core.h 2009-08-27 20:59:04.000000000 -0400
18634 +++ linux-2.6.31/drivers/edac/edac_core.h 2009-09-06 15:29:11.393912433 -0400
18635 @@ -99,11 +99,11 @@ extern int edac_debug_level;
18637 #else /* !CONFIG_EDAC_DEBUG */
18639 -#define debugf0( ... )
18640 -#define debugf1( ... )
18641 -#define debugf2( ... )
18642 -#define debugf3( ... )
18643 -#define debugf4( ... )
18644 +#define debugf0( ... ) do {} while (0)
18645 +#define debugf1( ... ) do {} while (0)
18646 +#define debugf2( ... ) do {} while (0)
18647 +#define debugf3( ... ) do {} while (0)
18648 +#define debugf4( ... ) do {} while (0)
18650 #endif /* !CONFIG_EDAC_DEBUG */
18652 diff -urNp linux-2.6.31/drivers/firmware/dmi_scan.c linux-2.6.31/drivers/firmware/dmi_scan.c
18653 --- linux-2.6.31/drivers/firmware/dmi_scan.c 2009-08-27 20:59:04.000000000 -0400
18654 +++ linux-2.6.31/drivers/firmware/dmi_scan.c 2009-09-06 15:29:11.394934786 -0400
18655 @@ -391,11 +391,6 @@ void __init dmi_scan_machine(void)
18660 - * no iounmap() for that ioremap(); it would be a no-op, but
18661 - * it's so early in setup that sucker gets confused into doing
18662 - * what it shouldn't if we actually call it.
18664 p = dmi_ioremap(0xF0000, 0x10000);
18667 diff -urNp linux-2.6.31/drivers/gpio/gpiolib.c linux-2.6.31/drivers/gpio/gpiolib.c
18668 --- linux-2.6.31/drivers/gpio/gpiolib.c 2009-08-27 20:59:04.000000000 -0400
18669 +++ linux-2.6.31/drivers/gpio/gpiolib.c 2009-09-06 15:29:11.394934786 -0400
18670 @@ -1244,7 +1244,7 @@ static int gpiolib_open(struct inode *in
18671 return single_open(file, gpiolib_show, NULL);
18674 -static struct file_operations gpiolib_operations = {
18675 +static const struct file_operations gpiolib_operations = {
18676 .open = gpiolib_open,
18678 .llseek = seq_lseek,
18679 diff -urNp linux-2.6.31/drivers/gpu/drm/drm_drv.c linux-2.6.31/drivers/gpu/drm/drm_drv.c
18680 --- linux-2.6.31/drivers/gpu/drm/drm_drv.c 2009-08-27 20:59:04.000000000 -0400
18681 +++ linux-2.6.31/drivers/gpu/drm/drm_drv.c 2009-09-06 15:29:11.395956726 -0400
18682 @@ -417,7 +417,7 @@ int drm_ioctl(struct inode *inode, struc
18683 char *kdata = NULL;
18685 atomic_inc(&dev->ioctl_count);
18686 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
18687 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
18688 ++file_priv->ioctl_count;
18690 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
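Review bot: The switch to `atomic_inc_unchecked()` at 18687 opts `dev->counts[]` out of whatever checking plain atomic_t receives in this patch, while `dev->ioctl_count` on the line above keeps it, and nothing in this hunk or in the sibling hunks (drm_fops.c 18698/18708/18738, drm_ioctl.c 18753, drm_lock.c 18765/18774, i810_dma.c 18823–18824/18834–18835) records why the two are treated differently. A comment at this first use would make the choice deliberate: `/* counts[] are statistics, not references: wrapping is harmless, so skip the checked atomic */`. The field declaration, presumably changed to the unchecked type in drmP.h, is not in this view.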
18691 diff -urNp linux-2.6.31/drivers/gpu/drm/drm_fops.c linux-2.6.31/drivers/gpu/drm/drm_fops.c
18692 --- linux-2.6.31/drivers/gpu/drm/drm_fops.c 2009-08-27 20:59:04.000000000 -0400
18693 +++ linux-2.6.31/drivers/gpu/drm/drm_fops.c 2009-09-06 15:29:11.395956726 -0400
18694 @@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
18697 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
18698 - atomic_set(&dev->counts[i], 0);
18699 + atomic_set_unchecked(&dev->counts[i], 0);
18701 dev->sigdata.lock = NULL;
18703 @@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
18705 retcode = drm_open_helper(inode, filp, dev);
18707 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
18708 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
18709 spin_lock(&dev->count_lock);
18710 - if (!dev->open_count++) {
18711 + if (atomic_inc_return(&dev->open_count) == 1) {
18712 spin_unlock(&dev->count_lock);
18713 retcode = drm_setup(dev);
18715 @@ -433,7 +433,7 @@ int drm_release(struct inode *inode, str
18719 - DRM_DEBUG("open_count = %d\n", dev->open_count);
18720 + DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
18722 if (dev->driver->preclose)
18723 dev->driver->preclose(dev, file_priv);
18724 @@ -445,7 +445,7 @@ int drm_release(struct inode *inode, str
18725 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
18726 task_pid_nr(current),
18727 (long)old_encode_dev(file_priv->minor->device),
18728 - dev->open_count);
18729 + atomic_read(&dev->open_count));
18731 /* if the master has gone away we can't do anything with the lock */
18732 if (file_priv->minor->master)
18733 @@ -522,9 +522,9 @@ int drm_release(struct inode *inode, str
18734 * End inline drm_release
18737 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
18738 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
18739 spin_lock(&dev->count_lock);
18740 - if (!--dev->open_count) {
18741 + if (atomic_dec_and_test(&dev->open_count)) {
18742 if (atomic_read(&dev->ioctl_count)) {
18743 DRM_ERROR("Device busy: %d\n",
18744 atomic_read(&dev->ioctl_count));
18745 diff -urNp linux-2.6.31/drivers/gpu/drm/drm_ioctl.c linux-2.6.31/drivers/gpu/drm/drm_ioctl.c
18746 --- linux-2.6.31/drivers/gpu/drm/drm_ioctl.c 2009-08-27 20:59:04.000000000 -0400
18747 +++ linux-2.6.31/drivers/gpu/drm/drm_ioctl.c 2009-09-06 15:29:11.396904770 -0400
18748 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
18749 stats->data[i].value =
18750 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
18752 - stats->data[i].value = atomic_read(&dev->counts[i]);
18753 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
18754 stats->data[i].type = dev->types[i];
18757 diff -urNp linux-2.6.31/drivers/gpu/drm/drm_lock.c linux-2.6.31/drivers/gpu/drm/drm_lock.c
18758 --- linux-2.6.31/drivers/gpu/drm/drm_lock.c 2009-08-27 20:59:04.000000000 -0400
18759 +++ linux-2.6.31/drivers/gpu/drm/drm_lock.c 2009-09-06 15:29:11.396904770 -0400
18760 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
18761 if (drm_lock_take(&master->lock, lock->context)) {
18762 master->lock.file_priv = file_priv;
18763 master->lock.lock_time = jiffies;
18764 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
18765 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
18766 break; /* Got lock */
18769 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
18773 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
18774 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
18776 /* kernel_context_switch isn't used by any of the x86 drm
18777 * modules but is required by the Sparc driver.
18778 diff -urNp linux-2.6.31/drivers/gpu/drm/drm_vm.c linux-2.6.31/drivers/gpu/drm/drm_vm.c
18779 --- linux-2.6.31/drivers/gpu/drm/drm_vm.c 2009-08-27 20:59:04.000000000 -0400
18780 +++ linux-2.6.31/drivers/gpu/drm/drm_vm.c 2009-09-06 15:29:11.397924184 -0400
18781 @@ -369,28 +369,28 @@ static int drm_vm_sg_fault(struct vm_are
18784 /** AGP virtual memory operations */
18785 -static struct vm_operations_struct drm_vm_ops = {
18786 +static const struct vm_operations_struct drm_vm_ops = {
18787 .fault = drm_vm_fault,
18788 .open = drm_vm_open,
18789 .close = drm_vm_close,
18792 /** Shared virtual memory operations */
18793 -static struct vm_operations_struct drm_vm_shm_ops = {
18794 +static const struct vm_operations_struct drm_vm_shm_ops = {
18795 .fault = drm_vm_shm_fault,
18796 .open = drm_vm_open,
18797 .close = drm_vm_shm_close,
18800 /** DMA virtual memory operations */
18801 -static struct vm_operations_struct drm_vm_dma_ops = {
18802 +static const struct vm_operations_struct drm_vm_dma_ops = {
18803 .fault = drm_vm_dma_fault,
18804 .open = drm_vm_open,
18805 .close = drm_vm_close,
18808 /** Scatter-gather virtual memory operations */
18809 -static struct vm_operations_struct drm_vm_sg_ops = {
18810 +static const struct vm_operations_struct drm_vm_sg_ops = {
18811 .fault = drm_vm_sg_fault,
18812 .open = drm_vm_open,
18813 .close = drm_vm_close,
18814 diff -urNp linux-2.6.31/drivers/gpu/drm/i810/i810_dma.c linux-2.6.31/drivers/gpu/drm/i810/i810_dma.c
18815 --- linux-2.6.31/drivers/gpu/drm/i810/i810_dma.c 2009-08-27 20:59:04.000000000 -0400
18816 +++ linux-2.6.31/drivers/gpu/drm/i810/i810_dma.c 2009-09-06 15:29:11.397924184 -0400
18817 @@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
18818 dma->buflist[vertex->idx],
18819 vertex->discard, vertex->used);
18821 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
18822 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
18823 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
18824 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
18825 sarea_priv->last_enqueue = dev_priv->counter - 1;
18826 sarea_priv->last_dispatch = (int)hw_status[5];
18828 @@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
18829 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
18832 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
18833 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
18834 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
18835 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
18836 sarea_priv->last_enqueue = dev_priv->counter - 1;
18837 sarea_priv->last_dispatch = (int)hw_status[5];
18839 diff -urNp linux-2.6.31/drivers/gpu/drm/i915/i915_drv.c linux-2.6.31/drivers/gpu/drm/i915/i915_drv.c
18840 --- linux-2.6.31/drivers/gpu/drm/i915/i915_drv.c 2009-08-27 20:59:04.000000000 -0400
18841 +++ linux-2.6.31/drivers/gpu/drm/i915/i915_drv.c 2009-09-06 15:29:11.398926858 -0400
18842 @@ -154,7 +154,7 @@ i915_pci_resume(struct pci_dev *pdev)
18843 return i915_resume(dev);
18846 -static struct vm_operations_struct i915_gem_vm_ops = {
18847 +static const struct vm_operations_struct i915_gem_vm_ops = {
18848 .fault = i915_gem_fault,
18849 .open = drm_gem_vm_open,
18850 .close = drm_gem_vm_close,
18851 diff -urNp linux-2.6.31/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.31/drivers/gpu/drm/radeon/radeon_atombios.c
18852 --- linux-2.6.31/drivers/gpu/drm/radeon/radeon_atombios.c 2009-08-27 20:59:04.000000000 -0400
18853 +++ linux-2.6.31/drivers/gpu/drm/radeon/radeon_atombios.c 2009-09-06 15:29:11.398926858 -0400
18854 @@ -425,13 +425,13 @@ bool radeon_get_atom_connector_info_from
18858 -struct bios_connector {
18859 +static struct bios_connector {
18863 int connector_type;
18864 struct radeon_i2c_bus_rec ddc_bus;
18866 +} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];;
18868 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
18870 @@ -447,7 +447,6 @@ bool radeon_get_atom_connector_info_from
18872 union atom_supported_devices *supported_devices;
18874 - struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
18876 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
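Review bot: Moving `bios_connectors[]` from the stack to a file-scope static (18859–18866) turns per-call scratch space into shared mutable state: two radeon devices being probed concurrently, or any re-entry of radeon_get_atom_connector_info_from_supported_devices_table, now write the same array and the hunk adds no lock. Unless the caller is known to be serialised, a per-call allocation keeps the stack saving without the sharing — `bios_connectors = kcalloc(ATOM_MAX_SUPPORTED_DEVICE, sizeof(*bios_connectors), GFP_KERNEL);`, `if (!bios_connectors) return false;`, and `kfree(bios_connectors);` on every exit path. The stray `;;` at 18866 should go as well. The function body continues outside the hunk.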
18878 diff -urNp linux-2.6.31/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.31/drivers/gpu/drm/radeon/radeon_state.c
18879 --- linux-2.6.31/drivers/gpu/drm/radeon/radeon_state.c 2009-08-27 20:59:04.000000000 -0400
18880 +++ linux-2.6.31/drivers/gpu/drm/radeon/radeon_state.c 2009-09-06 15:29:11.399921158 -0400
18881 @@ -3007,7 +3007,7 @@ static int radeon_cp_getparam(struct drm
18883 drm_radeon_private_t *dev_priv = dev->dev_private;
18884 drm_radeon_getparam_t *param = data;
18888 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
18890 diff -urNp linux-2.6.31/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.31/drivers/gpu/drm/radeon/radeon_ttm.c
18891 --- linux-2.6.31/drivers/gpu/drm/radeon/radeon_ttm.c 2009-08-27 20:59:04.000000000 -0400
18892 +++ linux-2.6.31/drivers/gpu/drm/radeon/radeon_ttm.c 2009-09-06 15:29:11.400912381 -0400
18893 @@ -500,27 +500,10 @@ void radeon_ttm_fini(struct radeon_devic
18894 DRM_INFO("radeon: ttm finalized\n");
18897 -static struct vm_operations_struct radeon_ttm_vm_ops;
18898 -static struct vm_operations_struct *ttm_vm_ops = NULL;
18900 -static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
18902 - struct ttm_buffer_object *bo;
18905 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
18906 - if (bo == NULL) {
18907 - return VM_FAULT_NOPAGE;
18909 - r = ttm_vm_ops->fault(vma, vmf);
18913 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
18915 struct drm_file *file_priv;
18916 struct radeon_device *rdev;
18919 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
18920 return drm_mmap(filp, vma);
18921 @@ -528,20 +511,9 @@ int radeon_mmap(struct file *filp, struc
18923 file_priv = (struct drm_file *)filp->private_data;
18924 rdev = file_priv->minor->dev->dev_private;
18925 - if (rdev == NULL) {
18929 - r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
18930 - if (unlikely(r != 0)) {
18933 - if (unlikely(ttm_vm_ops == NULL)) {
18934 - ttm_vm_ops = vma->vm_ops;
18935 - radeon_ttm_vm_ops = *ttm_vm_ops;
18936 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
18938 - vma->vm_ops = &radeon_ttm_vm_ops;
18940 + return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
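Review bot: The `rdev == NULL` guard removed at 18925 has no replacement: the new `return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);` at 18940 forms a pointer from `dev_private` unconditionally, where the original returned early (its error value is not shown in this rendering). Dropping the radeon_ttm_fault wrapper is independent of that guard, so keep the `if (rdev == NULL)` early return with its original error value ahead of the call, or add a comment stating why dev_private cannot be NULL once mmap is reachable. radeon_mmap's body continues outside the hunk.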
18944 diff -urNp linux-2.6.31/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.31/drivers/gpu/drm/ttm/ttm_bo_vm.c
18945 --- linux-2.6.31/drivers/gpu/drm/ttm/ttm_bo_vm.c 2009-08-27 20:59:04.000000000 -0400
18946 +++ linux-2.6.31/drivers/gpu/drm/ttm/ttm_bo_vm.c 2009-09-06 15:29:11.401923410 -0400
18947 @@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
18949 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
18950 vma->vm_private_data;
18951 - struct ttm_bo_device *bdev = bo->bdev;
18952 + struct ttm_bo_device *bdev;
18953 unsigned long bus_base;
18954 unsigned long bus_offset;
18955 unsigned long bus_size;
18956 @@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
18957 unsigned long address = (unsigned long)vmf->virtual_address;
18958 int retval = VM_FAULT_NOPAGE;
18961 + return VM_FAULT_NOPAGE;
18965 * Work around locking order reversal in fault / nopfn
18966 * between mmap_sem and bo_reserve: Perform a trylock operation
18967 @@ -228,7 +232,7 @@ static void ttm_bo_vm_close(struct vm_ar
18968 vma->vm_private_data = NULL;
18971 -static struct vm_operations_struct ttm_bo_vm_ops = {
18972 +static const struct vm_operations_struct ttm_bo_vm_ops = {
18973 .fault = ttm_bo_vm_fault,
18974 .open = ttm_bo_vm_open,
18975 .close = ttm_bo_vm_close
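Review bot: With the NULL check moved into ttm_bo_vm_fault (18961; its condition line is not shown in this rendering), `bdev` is now declared uninitialised at 18952, so its assignment from `bo->bdev` must sit after that check and before the first use — the assignment is not visible here, so please confirm it. A comment on the check would name the case it covers, since ttm_bo_vm_close visibly clears the pointer at 18968: `/* ttm_bo_vm_close() sets vm_private_data to NULL; a fault that observes NULL must not touch bo */`. ttm_bo_vm_fault's body continues outside the hunk.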
18976 diff -urNp linux-2.6.31/drivers/hwmon/fschmd.c linux-2.6.31/drivers/hwmon/fschmd.c
18977 --- linux-2.6.31/drivers/hwmon/fschmd.c 2009-08-27 20:59:04.000000000 -0400
18978 +++ linux-2.6.31/drivers/hwmon/fschmd.c 2009-09-06 15:29:11.436121579 -0400
18979 @@ -915,7 +915,7 @@ static int watchdog_ioctl(struct inode *
18983 -static struct file_operations watchdog_fops = {
18984 +static const struct file_operations watchdog_fops = {
18985 .owner = THIS_MODULE,
18986 .llseek = no_llseek,
18987 .open = watchdog_open,
18988 diff -urNp linux-2.6.31/drivers/hwmon/fscpos.c linux-2.6.31/drivers/hwmon/fscpos.c
18989 --- linux-2.6.31/drivers/hwmon/fscpos.c 2009-08-27 20:59:04.000000000 -0400
18990 +++ linux-2.6.31/drivers/hwmon/fscpos.c 2009-09-06 15:29:11.438073190 -0400
18991 @@ -240,7 +240,6 @@ static ssize_t set_pwm(struct i2c_client
18992 unsigned long v = simple_strtoul(buf, NULL, 10);
18994 /* Range: 0..255 */
18995 - if (v < 0) v = 0;
18996 if (v > 255) v = 255;
18998 mutex_lock(&data->update_lock);
18999 diff -urNp linux-2.6.31/drivers/hwmon/k8temp.c linux-2.6.31/drivers/hwmon/k8temp.c
19000 --- linux-2.6.31/drivers/hwmon/k8temp.c 2009-08-27 20:59:04.000000000 -0400
19001 +++ linux-2.6.31/drivers/hwmon/k8temp.c 2009-09-06 15:29:11.442165896 -0400
19002 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
19004 static struct pci_device_id k8temp_ids[] = {
19005 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
19007 + { 0, 0, 0, 0, 0, 0, 0 },
19010 MODULE_DEVICE_TABLE(pci, k8temp_ids);
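Review bot: The table terminator at 19007 spells out all seven `struct pci_device_id` members as zeros (the replaced line is not shown), which is brittle: it has to be retouched whenever the struct grows, whereas `{ }` or `{ 0 }` zero-fills every member under C initialisation rules and is the form commonly used for such sentinels. If a missing-field-initialiser warning is the motivation, a one-line comment saying so, or one shared macro for the sentinel, would be cleaner than repeating the literal. The same pattern appears in sis5595.c, via686a.c, vt8231.c, i2c-i801.c, i2c-piix4.c, i2c-sis630.c, i2c-sis96x.c and ohci1394.c, and with six zeros for ieee1394_device_id in dv1394.c, eth1394.c and raw1394.c.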
19011 diff -urNp linux-2.6.31/drivers/hwmon/sis5595.c linux-2.6.31/drivers/hwmon/sis5595.c
19012 --- linux-2.6.31/drivers/hwmon/sis5595.c 2009-08-27 20:59:04.000000000 -0400
19013 +++ linux-2.6.31/drivers/hwmon/sis5595.c 2009-09-06 15:29:11.453757939 -0400
19014 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
19016 static struct pci_device_id sis5595_pci_ids[] = {
19017 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
19019 + { 0, 0, 0, 0, 0, 0, 0 }
19022 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
19023 diff -urNp linux-2.6.31/drivers/hwmon/via686a.c linux-2.6.31/drivers/hwmon/via686a.c
19024 --- linux-2.6.31/drivers/hwmon/via686a.c 2009-08-27 20:59:04.000000000 -0400
19025 +++ linux-2.6.31/drivers/hwmon/via686a.c 2009-09-06 15:29:11.465990830 -0400
19026 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
19028 static struct pci_device_id via686a_pci_ids[] = {
19029 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
19031 + { 0, 0, 0, 0, 0, 0, 0 }
19034 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
19035 diff -urNp linux-2.6.31/drivers/hwmon/vt8231.c linux-2.6.31/drivers/hwmon/vt8231.c
19036 --- linux-2.6.31/drivers/hwmon/vt8231.c 2009-08-27 20:59:04.000000000 -0400
19037 +++ linux-2.6.31/drivers/hwmon/vt8231.c 2009-09-06 15:29:11.481155862 -0400
19038 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
19040 static struct pci_device_id vt8231_pci_ids[] = {
19041 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
19043 + { 0, 0, 0, 0, 0, 0, 0 }
19046 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
19047 diff -urNp linux-2.6.31/drivers/hwmon/w83791d.c linux-2.6.31/drivers/hwmon/w83791d.c
19048 --- linux-2.6.31/drivers/hwmon/w83791d.c 2009-08-27 20:59:04.000000000 -0400
19049 +++ linux-2.6.31/drivers/hwmon/w83791d.c 2009-09-06 15:29:11.501698330 -0400
19050 @@ -330,8 +330,8 @@ static int w83791d_detect(struct i2c_cli
19051 struct i2c_board_info *info);
19052 static int w83791d_remove(struct i2c_client *client);
19054 -static int w83791d_read(struct i2c_client *client, u8 register);
19055 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
19056 +static int w83791d_read(struct i2c_client *client, u8 reg);
19057 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
19058 static struct w83791d_data *w83791d_update_device(struct device *dev);
19061 diff -urNp linux-2.6.31/drivers/i2c/busses/i2c-i801.c linux-2.6.31/drivers/i2c/busses/i2c-i801.c
19062 --- linux-2.6.31/drivers/i2c/busses/i2c-i801.c 2009-08-27 20:59:04.000000000 -0400
19063 +++ linux-2.6.31/drivers/i2c/busses/i2c-i801.c 2009-09-06 15:29:11.514121519 -0400
19064 @@ -578,7 +578,7 @@ static struct pci_device_id i801_ids[] =
19065 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_4) },
19066 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
19067 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
19069 + { 0, 0, 0, 0, 0, 0, 0 }
19072 MODULE_DEVICE_TABLE (pci, i801_ids);
19073 diff -urNp linux-2.6.31/drivers/i2c/busses/i2c-piix4.c linux-2.6.31/drivers/i2c/busses/i2c-piix4.c
19074 --- linux-2.6.31/drivers/i2c/busses/i2c-piix4.c 2009-08-27 20:59:04.000000000 -0400
19075 +++ linux-2.6.31/drivers/i2c/busses/i2c-piix4.c 2009-09-06 15:29:11.515215043 -0400
19076 @@ -123,7 +123,7 @@ static struct dmi_system_id __devinitdat
19078 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
19081 + { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL },
19084 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
19085 @@ -489,7 +489,7 @@ static struct pci_device_id piix4_ids[]
19086 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
19087 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
19088 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
19090 + { 0, 0, 0, 0, 0, 0, 0 }
19093 MODULE_DEVICE_TABLE (pci, piix4_ids);
19094 diff -urNp linux-2.6.31/drivers/i2c/busses/i2c-sis630.c linux-2.6.31/drivers/i2c/busses/i2c-sis630.c
19095 --- linux-2.6.31/drivers/i2c/busses/i2c-sis630.c 2009-08-27 20:59:04.000000000 -0400
19096 +++ linux-2.6.31/drivers/i2c/busses/i2c-sis630.c 2009-09-06 15:29:11.525431051 -0400
19097 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
19098 static struct pci_device_id sis630_ids[] __devinitdata = {
19099 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
19100 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
19102 + { 0, 0, 0, 0, 0, 0, 0 }
19105 MODULE_DEVICE_TABLE (pci, sis630_ids);
19106 diff -urNp linux-2.6.31/drivers/i2c/busses/i2c-sis96x.c linux-2.6.31/drivers/i2c/busses/i2c-sis96x.c
19107 --- linux-2.6.31/drivers/i2c/busses/i2c-sis96x.c 2009-08-27 20:59:04.000000000 -0400
19108 +++ linux-2.6.31/drivers/i2c/busses/i2c-sis96x.c 2009-09-06 15:29:11.533015508 -0400
19109 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
19111 static struct pci_device_id sis96x_ids[] = {
19112 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
19114 + { 0, 0, 0, 0, 0, 0, 0 }
19117 MODULE_DEVICE_TABLE (pci, sis96x_ids);
19118 diff -urNp linux-2.6.31/drivers/ieee1394/dma.c linux-2.6.31/drivers/ieee1394/dma.c
19119 --- linux-2.6.31/drivers/ieee1394/dma.c 2009-08-27 20:59:04.000000000 -0400
19120 +++ linux-2.6.31/drivers/ieee1394/dma.c 2009-09-06 15:29:11.533015508 -0400
19121 @@ -247,7 +247,7 @@ static int dma_region_pagefault(struct v
19125 -static struct vm_operations_struct dma_region_vm_ops = {
19126 +static const struct vm_operations_struct dma_region_vm_ops = {
19127 .fault = dma_region_pagefault,
19130 diff -urNp linux-2.6.31/drivers/ieee1394/dv1394.c linux-2.6.31/drivers/ieee1394/dv1394.c
19131 --- linux-2.6.31/drivers/ieee1394/dv1394.c 2009-08-27 20:59:04.000000000 -0400
19132 +++ linux-2.6.31/drivers/ieee1394/dv1394.c 2009-09-06 15:29:11.533015508 -0400
19133 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
19134 based upon DIF section and sequence
19137 -static void inline
19138 +static inline void
19139 frame_put_packet (struct frame *f, struct packet *p)
19141 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
19142 @@ -2178,7 +2178,7 @@ static const struct ieee1394_device_id d
19143 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
19144 .version = AVC_SW_VERSION_ENTRY & 0xffffff
19147 + { 0, 0, 0, 0, 0, 0 }
19150 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
19151 diff -urNp linux-2.6.31/drivers/ieee1394/eth1394.c linux-2.6.31/drivers/ieee1394/eth1394.c
19152 --- linux-2.6.31/drivers/ieee1394/eth1394.c 2009-08-27 20:59:04.000000000 -0400
19153 +++ linux-2.6.31/drivers/ieee1394/eth1394.c 2009-09-06 15:29:11.534177429 -0400
19154 @@ -445,7 +445,7 @@ static const struct ieee1394_device_id e
19155 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
19156 .version = ETHER1394_GASP_VERSION,
19159 + { 0, 0, 0, 0, 0, 0 }
19162 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
19163 diff -urNp linux-2.6.31/drivers/ieee1394/hosts.c linux-2.6.31/drivers/ieee1394/hosts.c
19164 --- linux-2.6.31/drivers/ieee1394/hosts.c 2009-08-27 20:59:04.000000000 -0400
19165 +++ linux-2.6.31/drivers/ieee1394/hosts.c 2009-09-06 15:29:11.538156027 -0400
19166 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
19169 static struct hpsb_host_driver dummy_driver = {
19171 .transmit_packet = dummy_transmit_packet,
19172 .devctl = dummy_devctl,
19173 .isoctl = dummy_isoctl
19174 diff -urNp linux-2.6.31/drivers/ieee1394/ohci1394.c linux-2.6.31/drivers/ieee1394/ohci1394.c
19175 --- linux-2.6.31/drivers/ieee1394/ohci1394.c 2009-08-27 20:59:04.000000000 -0400
19176 +++ linux-2.6.31/drivers/ieee1394/ohci1394.c 2009-09-06 15:29:11.538156027 -0400
19177 @@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
19178 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
19180 /* Module Parameters */
19181 -static int phys_dma = 1;
19182 +static int phys_dma;
19183 module_param(phys_dma, int, 0444);
19184 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
19185 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
19187 static void dma_trm_tasklet(unsigned long data);
19188 static void dma_trm_reset(struct dma_trm_ctx *d);
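Review bot: The default of `phys_dma` is flipped from 1 to 0 at the module-parameter definition, but neither the code nor the MODULE_PARM_DESC string says why, so a later maintainer comparing against upstream may restore the old default as a "regression fix". Physical DMA lets other bus nodes reach host memory without the driver mediating each transfer, which is presumably the reason it is now opt-in rather than opt-out. A comment above the definition, e.g. `/* Physical DMA gives other bus nodes direct access to host memory; keep it off unless explicitly enabled. */`, would record that decision next to the value it protects.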
19189 @@ -3449,7 +3449,7 @@ static struct pci_device_id ohci1394_pci
19190 .subvendor = PCI_ANY_ID,
19191 .subdevice = PCI_ANY_ID,
19194 + { 0, 0, 0, 0, 0, 0, 0 },
19197 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
19198 diff -urNp linux-2.6.31/drivers/ieee1394/raw1394.c linux-2.6.31/drivers/ieee1394/raw1394.c
19199 --- linux-2.6.31/drivers/ieee1394/raw1394.c 2009-08-27 20:59:04.000000000 -0400
19200 +++ linux-2.6.31/drivers/ieee1394/raw1394.c 2009-09-06 15:29:11.540241654 -0400
19201 @@ -2999,7 +2999,7 @@ static const struct ieee1394_device_id r
19202 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
19203 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
19204 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
19206 + { 0, 0, 0, 0, 0, 0 }
19209 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
19210 diff -urNp linux-2.6.31/drivers/ieee1394/sbp2.c linux-2.6.31/drivers/ieee1394/sbp2.c
19211 --- linux-2.6.31/drivers/ieee1394/sbp2.c 2009-08-27 20:59:04.000000000 -0400
19212 +++ linux-2.6.31/drivers/ieee1394/sbp2.c 2009-09-06 15:29:11.542258505 -0400
19213 @@ -290,7 +290,7 @@ static const struct ieee1394_device_id s
19214 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
19215 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
19216 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
19218 + { 0, 0, 0, 0, 0, 0 }
19220 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
19222 @@ -2112,7 +2112,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
19223 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
19224 MODULE_LICENSE("GPL");
19226 -static int sbp2_module_init(void)
19227 +static int __init sbp2_module_init(void)
19231 diff -urNp linux-2.6.31/drivers/ieee1394/video1394.c linux-2.6.31/drivers/ieee1394/video1394.c
19232 --- linux-2.6.31/drivers/ieee1394/video1394.c 2009-08-27 20:59:04.000000000 -0400
19233 +++ linux-2.6.31/drivers/ieee1394/video1394.c 2009-09-06 15:29:11.542924424 -0400
19234 @@ -1310,7 +1310,7 @@ static const struct ieee1394_device_id v
19235 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
19236 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
19239 + { 0, 0, 0, 0, 0, 0 }
19242 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
19243 diff -urNp linux-2.6.31/drivers/infiniband/hw/ehca/ehca_uverbs.c linux-2.6.31/drivers/infiniband/hw/ehca/ehca_uverbs.c
19244 --- linux-2.6.31/drivers/infiniband/hw/ehca/ehca_uverbs.c 2009-08-27 20:59:04.000000000 -0400
19245 +++ linux-2.6.31/drivers/infiniband/hw/ehca/ehca_uverbs.c 2009-09-06 15:29:11.543927485 -0400
19246 @@ -95,7 +95,7 @@ static void ehca_mm_close(struct vm_area
19247 vma->vm_start, vma->vm_end, *count);
19250 -static struct vm_operations_struct vm_ops = {
19251 +static const struct vm_operations_struct vm_ops = {
19252 .open = ehca_mm_open,
19253 .close = ehca_mm_close,
19255 diff -urNp linux-2.6.31/drivers/infiniband/hw/ipath/ipath_file_ops.c linux-2.6.31/drivers/infiniband/hw/ipath/ipath_file_ops.c
19256 --- linux-2.6.31/drivers/infiniband/hw/ipath/ipath_file_ops.c 2009-08-27 20:59:04.000000000 -0400
19257 +++ linux-2.6.31/drivers/infiniband/hw/ipath/ipath_file_ops.c 2009-09-06 15:29:11.545000968 -0400
19258 @@ -1151,7 +1151,7 @@ static int ipath_file_vma_fault(struct v
19262 -static struct vm_operations_struct ipath_file_vm_ops = {
19263 +static const struct vm_operations_struct ipath_file_vm_ops = {
19264 .fault = ipath_file_vma_fault,
19267 diff -urNp linux-2.6.31/drivers/infiniband/hw/ipath/ipath_mmap.c linux-2.6.31/drivers/infiniband/hw/ipath/ipath_mmap.c
19268 --- linux-2.6.31/drivers/infiniband/hw/ipath/ipath_mmap.c 2009-08-27 20:59:04.000000000 -0400
19269 +++ linux-2.6.31/drivers/infiniband/hw/ipath/ipath_mmap.c 2009-09-06 15:29:11.545000968 -0400
19270 @@ -74,7 +74,7 @@ static void ipath_vma_close(struct vm_ar
19271 kref_put(&ip->ref, ipath_release_mmap_info);
19274 -static struct vm_operations_struct ipath_vm_ops = {
19275 +static const struct vm_operations_struct ipath_vm_ops = {
19276 .open = ipath_vma_open,
19277 .close = ipath_vma_close,
19279 diff -urNp linux-2.6.31/drivers/input/keyboard/atkbd.c linux-2.6.31/drivers/input/keyboard/atkbd.c
19280 --- linux-2.6.31/drivers/input/keyboard/atkbd.c 2009-09-06 19:00:55.677237471 -0400
19281 +++ linux-2.6.31/drivers/input/keyboard/atkbd.c 2009-09-06 19:01:14.323176924 -0400
19282 @@ -1188,7 +1188,7 @@ static struct serio_device_id atkbd_seri
19284 .extra = SERIO_ANY,
19290 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
19291 diff -urNp linux-2.6.31/drivers/input/mouse/lifebook.c linux-2.6.31/drivers/input/mouse/lifebook.c
19292 --- linux-2.6.31/drivers/input/mouse/lifebook.c 2009-08-27 20:59:04.000000000 -0400
19293 +++ linux-2.6.31/drivers/input/mouse/lifebook.c 2009-09-06 15:29:11.607087499 -0400
19294 @@ -116,7 +116,7 @@ static const struct dmi_system_id lifebo
19295 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
19299 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19302 static psmouse_ret_t lifebook_process_byte(struct psmouse *psmouse)
19303 diff -urNp linux-2.6.31/drivers/input/mouse/psmouse-base.c linux-2.6.31/drivers/input/mouse/psmouse-base.c
19304 --- linux-2.6.31/drivers/input/mouse/psmouse-base.c 2009-08-27 20:59:04.000000000 -0400
19305 +++ linux-2.6.31/drivers/input/mouse/psmouse-base.c 2009-09-06 15:29:11.607087499 -0400
19306 @@ -1380,7 +1380,7 @@ static struct serio_device_id psmouse_se
19308 .extra = SERIO_ANY,
19314 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
19315 diff -urNp linux-2.6.31/drivers/input/mouse/synaptics.c linux-2.6.31/drivers/input/mouse/synaptics.c
19316 --- linux-2.6.31/drivers/input/mouse/synaptics.c 2009-08-27 20:59:04.000000000 -0400
19317 +++ linux-2.6.31/drivers/input/mouse/synaptics.c 2009-09-06 15:29:11.611195100 -0400
19318 @@ -437,7 +437,7 @@ static void synaptics_process_packet(str
19321 if (SYN_MODEL_PEN(priv->model_id))
19322 - ; /* Nothing, treat a pen as a single finger */
19323 + break; /* Nothing, treat a pen as a single finger */
19326 if (SYN_CAP_PALMDETECT(priv->capabilities))
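Review bot: Replacing the empty statement with `break;` leaves an `if` whose only effect is an early exit from the switch for pen models, while the kept comment still says "Nothing", which now reads as contradictory. If the statement following this hunk is the case's own `break;` (it is outside the shown lines), the condition has no observable effect and the whole `if` could be reduced to a comment such as `/* pen models: nothing to adjust, a pen counts as a single finger */`. If something else follows, the new early exit is a behavior change and the comment should say what is being skipped. synaptics_process_packet begins above the hunk.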
19327 @@ -653,7 +653,7 @@ static const struct dmi_system_id toshib
19328 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
19332 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19336 diff -urNp linux-2.6.31/drivers/input/mousedev.c linux-2.6.31/drivers/input/mousedev.c
19337 --- linux-2.6.31/drivers/input/mousedev.c 2009-08-27 20:59:04.000000000 -0400
19338 +++ linux-2.6.31/drivers/input/mousedev.c 2009-09-06 15:29:11.629469840 -0400
19339 @@ -1056,7 +1056,7 @@ static struct input_handler mousedev_han
19341 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
19342 static struct miscdevice psaux_mouse = {
19343 - PSMOUSE_MINOR, "psaux", &mousedev_fops
19344 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
19346 static int psaux_registered;
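Review bot: The new initializer fills `struct miscdevice` positionally (`{NULL, NULL}, NULL, NULL` after the fops pointer), which ties the line to the exact order and number of members and breaks silently if the struct gains or reorders a field. The kernel convention is designated initializers, which also make the explicit padding entries unnecessary: `.minor = PSMOUSE_MINOR,` `.name = "psaux",` `.fops = &mousedev_fops,` with the remaining members zero-initialized implicitly. If the goal was only to quiet a missing-field-initializer warning, the designated form achieves that as well.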
19348 diff -urNp linux-2.6.31/drivers/input/serio/i8042-x86ia64io.h linux-2.6.31/drivers/input/serio/i8042-x86ia64io.h
19349 --- linux-2.6.31/drivers/input/serio/i8042-x86ia64io.h 2009-09-06 19:00:55.677237471 -0400
19350 +++ linux-2.6.31/drivers/input/serio/i8042-x86ia64io.h 2009-09-06 19:09:30.692908855 -0400
19351 @@ -167,7 +167,7 @@ static struct dmi_system_id __initdata i
19352 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
19356 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19360 @@ -390,7 +390,7 @@ static struct dmi_system_id __initdata i
19361 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
19365 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19368 static struct dmi_system_id __initdata i8042_dmi_reset_table[] = {
19369 @@ -436,7 +436,7 @@ static struct dmi_system_id __initdata i
19370 DMI_MATCH(DMI_PRODUCT_NAME, "N10"),
19374 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19378 @@ -455,7 +455,7 @@ static struct dmi_system_id __initdata i
19379 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
19383 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19387 @@ -522,7 +522,7 @@ static struct dmi_system_id __initdata i
19388 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
19392 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19395 #endif /* CONFIG_X86 */
19396 diff -urNp linux-2.6.31/drivers/input/serio/serio_raw.c linux-2.6.31/drivers/input/serio/serio_raw.c
19397 --- linux-2.6.31/drivers/input/serio/serio_raw.c 2009-08-27 20:59:04.000000000 -0400
19398 +++ linux-2.6.31/drivers/input/serio/serio_raw.c 2009-09-06 15:29:11.637319393 -0400
19399 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
19401 .extra = SERIO_ANY,
19407 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
19408 diff -urNp linux-2.6.31/drivers/isdn/capi/kcapi_proc.c linux-2.6.31/drivers/isdn/capi/kcapi_proc.c
19409 --- linux-2.6.31/drivers/isdn/capi/kcapi_proc.c 2009-08-27 20:59:04.000000000 -0400
19410 +++ linux-2.6.31/drivers/isdn/capi/kcapi_proc.c 2009-09-06 15:29:11.652272012 -0400
19411 @@ -89,14 +89,14 @@ static int contrstats_show(struct seq_fi
19415 -static struct seq_operations seq_controller_ops = {
19416 +static const struct seq_operations seq_controller_ops = {
19417 .start = controller_start,
19418 .next = controller_next,
19419 .stop = controller_stop,
19420 .show = controller_show,
19423 -static struct seq_operations seq_contrstats_ops = {
19424 +static const struct seq_operations seq_contrstats_ops = {
19425 .start = controller_start,
19426 .next = controller_next,
19427 .stop = controller_stop,
19428 @@ -194,14 +194,14 @@ applstats_show(struct seq_file *seq, voi
19432 -static struct seq_operations seq_applications_ops = {
19433 +static const struct seq_operations seq_applications_ops = {
19434 .start = applications_start,
19435 .next = applications_next,
19436 .stop = applications_stop,
19437 .show = applications_show,
19440 -static struct seq_operations seq_applstats_ops = {
19441 +static const struct seq_operations seq_applstats_ops = {
19442 .start = applications_start,
19443 .next = applications_next,
19444 .stop = applications_stop,
19445 @@ -264,7 +264,7 @@ static int capi_driver_show(struct seq_f
19449 -static struct seq_operations seq_capi_driver_ops = {
19450 +static const struct seq_operations seq_capi_driver_ops = {
19451 .start = capi_driver_start,
19452 .next = capi_driver_next,
19453 .stop = capi_driver_stop,
19454 diff -urNp linux-2.6.31/drivers/isdn/gigaset/common.c linux-2.6.31/drivers/isdn/gigaset/common.c
19455 --- linux-2.6.31/drivers/isdn/gigaset/common.c 2009-08-27 20:59:04.000000000 -0400
19456 +++ linux-2.6.31/drivers/isdn/gigaset/common.c 2009-09-06 15:29:11.653287436 -0400
19457 @@ -665,7 +665,7 @@ struct cardstate *gigaset_initcs(struct
19458 cs->commands_pending = 0;
19459 cs->cur_at_seq = 0;
19461 - cs->open_count = 0;
19462 + atomic_set(&cs->open_count, 0);
19465 cs->tty_dev = NULL;
19466 diff -urNp linux-2.6.31/drivers/isdn/gigaset/gigaset.h linux-2.6.31/drivers/isdn/gigaset/gigaset.h
19467 --- linux-2.6.31/drivers/isdn/gigaset/gigaset.h 2009-08-27 20:59:04.000000000 -0400
19468 +++ linux-2.6.31/drivers/isdn/gigaset/gigaset.h 2009-09-06 15:29:11.657166620 -0400
19469 @@ -446,7 +446,7 @@ struct cardstate {
19470 spinlock_t cmdlock;
19471 unsigned curlen, cmdbytes;
19473 - unsigned open_count;
19474 + atomic_t open_count;
19475 struct tty_struct *tty;
19476 struct tasklet_struct if_wake_tasklet;
19477 unsigned control_state;
19478 diff -urNp linux-2.6.31/drivers/isdn/gigaset/interface.c linux-2.6.31/drivers/isdn/gigaset/interface.c
19479 --- linux-2.6.31/drivers/isdn/gigaset/interface.c 2009-08-27 20:59:04.000000000 -0400
19480 +++ linux-2.6.31/drivers/isdn/gigaset/interface.c 2009-09-06 15:29:11.664631198 -0400
19481 @@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
19482 return -ERESTARTSYS; // FIXME -EINTR?
19483 tty->driver_data = cs;
19485 - ++cs->open_count;
19487 - if (cs->open_count == 1) {
19488 + if (atomic_inc_return(&cs->open_count) == 1) {
19489 spin_lock_irqsave(&cs->lock, flags);
19491 spin_unlock_irqrestore(&cs->lock, flags);
19492 @@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
19494 if (!cs->connected)
19495 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
19496 - else if (!cs->open_count)
19497 + else if (!atomic_read(&cs->open_count))
19498 dev_warn(cs->dev, "%s: device not opened\n", __func__);
19500 - if (!--cs->open_count) {
19501 + if (!atomic_dec_return(&cs->open_count)) {
19502 spin_lock_irqsave(&cs->lock, flags);
19504 spin_unlock_irqrestore(&cs->lock, flags);
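Review bot: In if_close the `atomic_read` feeding the "device not opened" warning and the `atomic_dec_return` below it are two separate operations, so an unbalanced close still drives open_count to -1, exactly as the unsigned counter wrapped before; the atomic_t conversion removes torn reads and writes but not this check-then-act gap. The other if_* hunks in this file only read the counter and are unaffected. A comment on the decrement such as `/* may go negative after an unbalanced close; the warning above is the only signal */` would stop the next reader from assuming atomic_t makes the two steps consistent. if_close begins above the hunk.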
19505 @@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
19506 if (!cs->connected) {
19507 gig_dbg(DEBUG_IF, "not connected");
19509 - } else if (!cs->open_count)
19510 + } else if (!atomic_read(&cs->open_count))
19511 dev_warn(cs->dev, "%s: device not opened\n", __func__);
19514 @@ -361,7 +359,7 @@ static int if_write(struct tty_struct *t
19515 if (!cs->connected) {
19516 gig_dbg(DEBUG_IF, "not connected");
19518 - } else if (!cs->open_count)
19519 + } else if (!atomic_read(&cs->open_count))
19520 dev_warn(cs->dev, "%s: device not opened\n", __func__);
19521 else if (cs->mstate != MS_LOCKED) {
19522 dev_warn(cs->dev, "can't write to unlocked device\n");
19523 @@ -395,7 +393,7 @@ static int if_write_room(struct tty_stru
19524 if (!cs->connected) {
19525 gig_dbg(DEBUG_IF, "not connected");
19527 - } else if (!cs->open_count)
19528 + } else if (!atomic_read(&cs->open_count))
19529 dev_warn(cs->dev, "%s: device not opened\n", __func__);
19530 else if (cs->mstate != MS_LOCKED) {
19531 dev_warn(cs->dev, "can't write to unlocked device\n");
19532 @@ -429,7 +427,7 @@ static int if_chars_in_buffer(struct tty
19534 if (!cs->connected)
19535 gig_dbg(DEBUG_IF, "not connected");
19536 - else if (!cs->open_count)
19537 + else if (!atomic_read(&cs->open_count))
19538 dev_warn(cs->dev, "%s: device not opened\n", __func__);
19539 else if (cs->mstate != MS_LOCKED)
19540 dev_warn(cs->dev, "can't write to unlocked device\n");
19541 @@ -458,7 +456,7 @@ static void if_throttle(struct tty_struc
19543 if (!cs->connected)
19544 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
19545 - else if (!cs->open_count)
19546 + else if (!atomic_read(&cs->open_count))
19547 dev_warn(cs->dev, "%s: device not opened\n", __func__);
19550 @@ -483,7 +481,7 @@ static void if_unthrottle(struct tty_str
19552 if (!cs->connected)
19553 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
19554 - else if (!cs->open_count)
19555 + else if (!atomic_read(&cs->open_count))
19556 dev_warn(cs->dev, "%s: device not opened\n", __func__);
19559 @@ -515,7 +513,7 @@ static void if_set_termios(struct tty_st
19563 - if (!cs->open_count) {
19564 + if (!atomic_read(&cs->open_count)) {
19565 dev_warn(cs->dev, "%s: device not opened\n", __func__);
19568 diff -urNp linux-2.6.31/drivers/lguest/core.c linux-2.6.31/drivers/lguest/core.c
19569 --- linux-2.6.31/drivers/lguest/core.c 2009-08-27 20:59:04.000000000 -0400
19570 +++ linux-2.6.31/drivers/lguest/core.c 2009-09-06 15:29:11.669811931 -0400
19571 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
19572 * it's worked so far. The end address needs +1 because __get_vm_area
19573 * allocates an extra guard page, so we need space for that.
19576 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19577 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
19578 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
19579 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
19581 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
19582 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
19583 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
19586 if (!switcher_vma) {
19588 printk("lguest: could not map switcher pages high\n");
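Review bot: The `CONFIG_PAX_KERNEXEC` branch duplicates the entire `__get_vm_area` call to change one flag, so the two three-line calls can drift apart under later edits. Computing the flags into a local and issuing a single call confines the conditional to the one token that differs. map_switcher begins above the hunk, and the `#else`/`#endif` lines are not visible in this view, so the rewrite assumes the usual two-branch structure.
```c
	unsigned long vm_flags = VM_ALLOC;
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	vm_flags |= VM_KERNEXEC;
#endif
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     vm_flags, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
	/* … unchanged: NULL check and error message … */
```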
19589 diff -urNp linux-2.6.31/drivers/lguest/lguest_user.c linux-2.6.31/drivers/lguest/lguest_user.c
19590 --- linux-2.6.31/drivers/lguest/lguest_user.c 2009-08-27 20:59:04.000000000 -0400
19591 +++ linux-2.6.31/drivers/lguest/lguest_user.c 2009-09-06 15:29:11.670004477 -0400
19592 @@ -508,7 +508,7 @@ static int close(struct inode *inode, st
19593 * uses: reading and writing a character device called /dev/lguest. All the
19594 * work happens in the read(), write() and close() routines:
19596 -static struct file_operations lguest_fops = {
19597 +static const struct file_operations lguest_fops = {
19598 .owner = THIS_MODULE,
19601 diff -urNp linux-2.6.31/drivers/md/bitmap.c linux-2.6.31/drivers/md/bitmap.c
19602 --- linux-2.6.31/drivers/md/bitmap.c 2009-08-27 20:59:04.000000000 -0400
19603 +++ linux-2.6.31/drivers/md/bitmap.c 2009-09-06 15:29:11.670915085 -0400
19606 # define PRINTK(x...) printk(KERN_DEBUG x)
19608 -# define PRINTK(x...)
19609 +# define PRINTK(x...) do {} while (0)
19613 diff -urNp linux-2.6.31/drivers/md/dm-table.c linux-2.6.31/drivers/md/dm-table.c
19614 --- linux-2.6.31/drivers/md/dm-table.c 2009-09-06 19:00:55.683595162 -0400
19615 +++ linux-2.6.31/drivers/md/dm-table.c 2009-09-06 19:07:40.220581277 -0400
19616 @@ -359,7 +359,7 @@ static int device_area_is_invalid(struct
19620 - if ((start >= dev_size) || (start + len > dev_size)) {
19621 + if ((start >= dev_size) || (len > dev_size - start)) {
19622 DMWARN("%s: %s too small for target: "
19623 "start=%llu, len=%llu, dev_size=%llu",
19624 dm_device_name(ti->table->md), bdevname(bdev, b),
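Review bot: The rewritten condition `len > dev_size - start` is only safe because the `start >= dev_size` test on the same line is evaluated first and short-circuits, and nothing in the code states that dependency. A one-line comment would protect the ordering from a later "cleanup": `/* subtract rather than add: start + len could wrap; relies on start < dev_size being checked first */`. device_area_is_invalid begins above the hunk.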
19625 diff -urNp linux-2.6.31/drivers/md/md.c linux-2.6.31/drivers/md/md.c
19626 --- linux-2.6.31/drivers/md/md.c 2009-08-27 20:59:04.000000000 -0400
19627 +++ linux-2.6.31/drivers/md/md.c 2009-09-06 15:29:11.672930470 -0400
19628 @@ -5963,7 +5963,7 @@ static int md_seq_show(struct seq_file *
19629 chunk_kb ? "KB" : "B");
19630 if (bitmap->file) {
19631 seq_printf(seq, ", file: ");
19632 - seq_path(seq, &bitmap->file->f_path, " \t\n");
19633 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
19636 seq_printf(seq, "\n");
19637 @@ -6057,7 +6057,7 @@ static int is_mddev_idle(mddev_t *mddev,
19638 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
19639 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
19640 (int)part_stat_read(&disk->part0, sectors[1]) -
19641 - atomic_read(&disk->sync_io);
19642 + atomic_read_unchecked(&disk->sync_io);
19643 /* sync IO will cause sync_io to increase before the disk_stats
19644 * as sync_io is counted when a request starts, and
19645 * disk_stats is counted when it completes.
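Review bot: The switch to `atomic_read_unchecked` on `disk->sync_io` carries no comment explaining why this counter may bypass whatever checking the plain atomic_read gets, and the matching `atomic_add_unchecked` in the md.h hunk has none either. The surrounding comment already describes it as I/O accounting compared against disk_stats, so a short note here or at the field's declaration, e.g. `/* sync_io is a statistics counter, not a reference count; wraparound is harmless */`, would give the exemption a stated reason. is_mddev_idle begins above the hunk.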
19646 diff -urNp linux-2.6.31/drivers/md/md.h linux-2.6.31/drivers/md/md.h
19647 --- linux-2.6.31/drivers/md/md.h 2009-08-27 20:59:04.000000000 -0400
19648 +++ linux-2.6.31/drivers/md/md.h 2009-09-06 15:29:11.674903617 -0400
19649 @@ -303,7 +303,7 @@ static inline void rdev_dec_pending(mdk_
19651 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
19653 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
19654 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
19657 struct mdk_personality
19658 diff -urNp linux-2.6.31/drivers/media/dvb/dvb-core/dmxdev.c linux-2.6.31/drivers/media/dvb/dvb-core/dmxdev.c
19659 --- linux-2.6.31/drivers/media/dvb/dvb-core/dmxdev.c 2009-08-27 20:59:04.000000000 -0400
19660 +++ linux-2.6.31/drivers/media/dvb/dvb-core/dmxdev.c 2009-09-06 15:29:11.676348212 -0400
19661 @@ -1086,7 +1086,7 @@ static unsigned int dvb_dvr_poll(struct
19665 -static struct file_operations dvb_dvr_fops = {
19666 +static const struct file_operations dvb_dvr_fops = {
19667 .owner = THIS_MODULE,
19668 .read = dvb_dvr_read,
19669 .write = dvb_dvr_write,
19670 diff -urNp linux-2.6.31/drivers/media/dvb/firewire/firedtv-ci.c linux-2.6.31/drivers/media/dvb/firewire/firedtv-ci.c
19671 --- linux-2.6.31/drivers/media/dvb/firewire/firedtv-ci.c 2009-08-27 20:59:04.000000000 -0400
19672 +++ linux-2.6.31/drivers/media/dvb/firewire/firedtv-ci.c 2009-09-06 15:29:11.676348212 -0400
19673 @@ -215,7 +215,7 @@ static unsigned int fdtv_ca_io_poll(stru
19677 -static struct file_operations fdtv_ca_fops = {
19678 +static const struct file_operations fdtv_ca_fops = {
19679 .owner = THIS_MODULE,
19680 .ioctl = dvb_generic_ioctl,
19681 .open = dvb_generic_open,
19682 diff -urNp linux-2.6.31/drivers/media/video/cafe_ccic.c linux-2.6.31/drivers/media/video/cafe_ccic.c
19683 --- linux-2.6.31/drivers/media/video/cafe_ccic.c 2009-08-27 20:59:04.000000000 -0400
19684 +++ linux-2.6.31/drivers/media/video/cafe_ccic.c 2009-09-06 15:29:11.677159721 -0400
19685 @@ -1326,7 +1326,7 @@ static void cafe_v4l_vm_close(struct vm_
19686 mutex_unlock(&sbuf->cam->s_mutex);
19689 -static struct vm_operations_struct cafe_v4l_vm_ops = {
19690 +static const struct vm_operations_struct cafe_v4l_vm_ops = {
19691 .open = cafe_v4l_vm_open,
19692 .close = cafe_v4l_vm_close
19694 diff -urNp linux-2.6.31/drivers/media/video/et61x251/et61x251_core.c linux-2.6.31/drivers/media/video/et61x251/et61x251_core.c
19695 --- linux-2.6.31/drivers/media/video/et61x251/et61x251_core.c 2009-08-27 20:59:04.000000000 -0400
19696 +++ linux-2.6.31/drivers/media/video/et61x251/et61x251_core.c 2009-09-06 15:29:11.678180158 -0400
19697 @@ -1494,7 +1494,7 @@ static void et61x251_vm_close(struct vm_
19701 -static struct vm_operations_struct et61x251_vm_ops = {
19702 +static const struct vm_operations_struct et61x251_vm_ops = {
19703 .open = et61x251_vm_open,
19704 .close = et61x251_vm_close,
19706 diff -urNp linux-2.6.31/drivers/media/video/gspca/gspca.c linux-2.6.31/drivers/media/video/gspca/gspca.c
19707 --- linux-2.6.31/drivers/media/video/gspca/gspca.c 2009-08-27 20:59:04.000000000 -0400
19708 +++ linux-2.6.31/drivers/media/video/gspca/gspca.c 2009-09-06 15:29:11.679175764 -0400
19709 @@ -99,7 +99,7 @@ static void gspca_vm_close(struct vm_are
19710 frame->v4l2_buf.flags &= ~V4L2_BUF_FLAG_MAPPED;
19713 -static struct vm_operations_struct gspca_vm_ops = {
19714 +static const struct vm_operations_struct gspca_vm_ops = {
19715 .open = gspca_vm_open,
19716 .close = gspca_vm_close,
19718 diff -urNp linux-2.6.31/drivers/media/video/meye.c linux-2.6.31/drivers/media/video/meye.c
19719 --- linux-2.6.31/drivers/media/video/meye.c 2009-08-27 20:59:04.000000000 -0400
19720 +++ linux-2.6.31/drivers/media/video/meye.c 2009-09-06 15:29:11.680164049 -0400
19721 @@ -1589,7 +1589,7 @@ static void meye_vm_close(struct vm_area
19722 meye.vma_use_count[idx]--;
19725 -static struct vm_operations_struct meye_vm_ops = {
19726 +static const struct vm_operations_struct meye_vm_ops = {
19727 .open = meye_vm_open,
19728 .close = meye_vm_close,
19730 diff -urNp linux-2.6.31/drivers/media/video/sn9c102/sn9c102_core.c linux-2.6.31/drivers/media/video/sn9c102/sn9c102_core.c
19731 --- linux-2.6.31/drivers/media/video/sn9c102/sn9c102_core.c 2009-08-27 20:59:04.000000000 -0400
19732 +++ linux-2.6.31/drivers/media/video/sn9c102/sn9c102_core.c 2009-09-06 15:29:11.681177224 -0400
19733 @@ -2075,7 +2075,7 @@ static void sn9c102_vm_close(struct vm_a
19737 -static struct vm_operations_struct sn9c102_vm_ops = {
19738 +static const struct vm_operations_struct sn9c102_vm_ops = {
19739 .open = sn9c102_vm_open,
19740 .close = sn9c102_vm_close,
19742 diff -urNp linux-2.6.31/drivers/media/video/stk-webcam.c linux-2.6.31/drivers/media/video/stk-webcam.c
19743 --- linux-2.6.31/drivers/media/video/stk-webcam.c 2009-08-27 20:59:04.000000000 -0400
19744 +++ linux-2.6.31/drivers/media/video/stk-webcam.c 2009-09-06 15:29:11.682155733 -0400
19745 @@ -790,7 +790,7 @@ static void stk_v4l_vm_close(struct vm_a
19746 if (sbuf->mapcount == 0)
19747 sbuf->v4lbuf.flags &= ~V4L2_BUF_FLAG_MAPPED;
19749 -static struct vm_operations_struct stk_v4l_vm_ops = {
19750 +static const struct vm_operations_struct stk_v4l_vm_ops = {
19751 .open = stk_v4l_vm_open,
19752 .close = stk_v4l_vm_close
19754 diff -urNp linux-2.6.31/drivers/media/video/usbvideo/konicawc.c linux-2.6.31/drivers/media/video/usbvideo/konicawc.c
19755 --- linux-2.6.31/drivers/media/video/usbvideo/konicawc.c 2009-08-27 20:59:04.000000000 -0400
19756 +++ linux-2.6.31/drivers/media/video/usbvideo/konicawc.c 2009-09-06 15:29:11.688561045 -0400
19757 @@ -225,7 +225,7 @@ static void konicawc_register_input(stru
19760 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
19761 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
19762 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
19764 cam->input = input_dev = input_allocate_device();
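Review bot: The strlcat replacement is correct but undocumented: strncat's third argument bounds the number of characters appended, not the destination size, so the old call could write past `input_physname`, whereas strlcat bounds by the buffer size and NUL-terminates. The same change is made in the quickcam_messenger.c hunk. Since an over-long path is now silently truncated, a comment such as `/* strlcat bounds by destination size: an over-long path is truncated, not overflowed */` would record why strlcat was chosen and that truncation is accepted here. konicawc_register_input begins above the hunk.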
19766 diff -urNp linux-2.6.31/drivers/media/video/usbvideo/quickcam_messenger.c linux-2.6.31/drivers/media/video/usbvideo/quickcam_messenger.c
19767 --- linux-2.6.31/drivers/media/video/usbvideo/quickcam_messenger.c 2009-08-27 20:59:04.000000000 -0400
19768 +++ linux-2.6.31/drivers/media/video/usbvideo/quickcam_messenger.c 2009-09-06 15:29:11.689369495 -0400
19769 @@ -89,7 +89,7 @@ static void qcm_register_input(struct qc
19772 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
19773 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
19774 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
19776 cam->input = input_dev = input_allocate_device();
19778 diff -urNp linux-2.6.31/drivers/media/video/uvc/uvc_v4l2.c linux-2.6.31/drivers/media/video/uvc/uvc_v4l2.c
19779 --- linux-2.6.31/drivers/media/video/uvc/uvc_v4l2.c 2009-08-27 20:59:04.000000000 -0400
19780 +++ linux-2.6.31/drivers/media/video/uvc/uvc_v4l2.c 2009-09-06 15:29:11.691731792 -0400
19781 @@ -1063,7 +1063,7 @@ static void uvc_vm_close(struct vm_area_
19782 buffer->vma_use_count--;
19785 -static struct vm_operations_struct uvc_vm_ops = {
19786 +static const struct vm_operations_struct uvc_vm_ops = {
19787 .open = uvc_vm_open,
19788 .close = uvc_vm_close,
19790 diff -urNp linux-2.6.31/drivers/media/video/videobuf-dma-contig.c linux-2.6.31/drivers/media/video/videobuf-dma-contig.c
19791 --- linux-2.6.31/drivers/media/video/videobuf-dma-contig.c 2009-08-27 20:59:04.000000000 -0400
19792 +++ linux-2.6.31/drivers/media/video/videobuf-dma-contig.c 2009-09-06 15:29:11.693530921 -0400
19793 @@ -105,7 +105,7 @@ static void videobuf_vm_close(struct vm_
19797 -static struct vm_operations_struct videobuf_vm_ops = {
19798 +static const struct vm_operations_struct videobuf_vm_ops = {
19799 .open = videobuf_vm_open,
19800 .close = videobuf_vm_close,
19802 diff -urNp linux-2.6.31/drivers/media/video/vino.c linux-2.6.31/drivers/media/video/vino.c
19803 --- linux-2.6.31/drivers/media/video/vino.c 2009-08-27 20:59:04.000000000 -0400
19804 +++ linux-2.6.31/drivers/media/video/vino.c 2009-09-06 15:29:11.694196185 -0400
19805 @@ -3858,7 +3858,7 @@ static void vino_vm_close(struct vm_area
19806 dprintk("vino_vm_close(): count = %d\n", fb->map_count);
19809 -static struct vm_operations_struct vino_vm_ops = {
19810 +static const struct vm_operations_struct vino_vm_ops = {
19811 .open = vino_vm_open,
19812 .close = vino_vm_close,
19814 diff -urNp linux-2.6.31/drivers/media/video/zc0301/zc0301_core.c linux-2.6.31/drivers/media/video/zc0301/zc0301_core.c
19815 --- linux-2.6.31/drivers/media/video/zc0301/zc0301_core.c 2009-08-27 20:59:04.000000000 -0400
19816 +++ linux-2.6.31/drivers/media/video/zc0301/zc0301_core.c 2009-09-06 15:29:11.695170786 -0400
19817 @@ -933,7 +933,7 @@ static void zc0301_vm_close(struct vm_ar
19821 -static struct vm_operations_struct zc0301_vm_ops = {
19822 +static const struct vm_operations_struct zc0301_vm_ops = {
19823 .open = zc0301_vm_open,
19824 .close = zc0301_vm_close,
19826 diff -urNp linux-2.6.31/drivers/media/video/zoran/zoran_driver.c linux-2.6.31/drivers/media/video/zoran/zoran_driver.c
19827 --- linux-2.6.31/drivers/media/video/zoran/zoran_driver.c 2009-08-27 20:59:04.000000000 -0400
19828 +++ linux-2.6.31/drivers/media/video/zoran/zoran_driver.c 2009-09-06 15:29:11.696176882 -0400
19829 @@ -3172,7 +3172,7 @@ zoran_vm_close (struct vm_area_struct *v
19830 mutex_unlock(&zr->resource_lock);
19833 -static struct vm_operations_struct zoran_vm_ops = {
19834 +static const struct vm_operations_struct zoran_vm_ops = {
19835 .open = zoran_vm_open,
19836 .close = zoran_vm_close,
19838 diff -urNp linux-2.6.31/drivers/message/i2o/i2o_proc.c linux-2.6.31/drivers/message/i2o/i2o_proc.c
19839 --- linux-2.6.31/drivers/message/i2o/i2o_proc.c 2009-08-27 20:59:04.000000000 -0400
19840 +++ linux-2.6.31/drivers/message/i2o/i2o_proc.c 2009-09-06 15:29:11.698316893 -0400
19841 @@ -259,13 +259,6 @@ static char *scsi_devices[] = {
19842 "Array Controller Device"
19845 -static char *chtostr(u8 * chars, int n)
19849 - return strncat(tmp, (char *)chars, n);
19852 static int i2o_report_query_status(struct seq_file *seq, int block_status,
19855 @@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
19857 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
19858 seq_printf(seq, "%-#8x", ddm_table.module_id);
19859 - seq_printf(seq, "%-29s",
19860 - chtostr(ddm_table.module_name_version, 28));
19861 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
19862 seq_printf(seq, "%9d ", ddm_table.data_size);
19863 seq_printf(seq, "%8d", ddm_table.code_size);
19865 @@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
19867 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
19868 seq_printf(seq, "%-#8x", dst->module_id);
19869 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
19870 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
19871 + seq_printf(seq, "%-.28s", dst->module_name_version);
19872 + seq_printf(seq, "%-.8s", dst->date);
19873 seq_printf(seq, "%8d ", dst->module_size);
19874 seq_printf(seq, "%8d ", dst->mpb_size);
19875 seq_printf(seq, "0x%04x", dst->module_flags);
19876 @@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
19877 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
19878 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
19879 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
19880 - seq_printf(seq, "Vendor info : %s\n",
19881 - chtostr((u8 *) (work32 + 2), 16));
19882 - seq_printf(seq, "Product info : %s\n",
19883 - chtostr((u8 *) (work32 + 6), 16));
19884 - seq_printf(seq, "Description : %s\n",
19885 - chtostr((u8 *) (work32 + 10), 16));
19886 - seq_printf(seq, "Product rev. : %s\n",
19887 - chtostr((u8 *) (work32 + 14), 8));
19888 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
19889 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
19890 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
19891 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
19893 seq_printf(seq, "Serial number : ");
19894 print_serial_number(seq, (u8 *) (work32 + 16),
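Review bot: The new `seq_printf` calls pass `(u8 *)` pointers to `%.16s` and `%.8s` conversions, which expect `char *`; under `-Wformat` that is a signedness mismatch, so the casts should read `(char *)`, e.g. `seq_printf(seq, "Vendor info : %.16s\n", (char *)(work32 + 2));`. The precision in the format is now the only thing bounding the read of these firmware-supplied, possibly unterminated fields, which was the job of the removed chtostr; a comment such as `/* fields are fixed-width and need not be NUL-terminated; the precision bounds the read */` would keep that knowledge with the code. The same cast appears throughout this hunk, and i2o_seq_show_dev_identity begins above it.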
19895 @@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
19898 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
19899 - seq_printf(seq, "Module name : %s\n",
19900 - chtostr(result.module_name, 24));
19901 - seq_printf(seq, "Module revision : %s\n",
19902 - chtostr(result.module_rev, 8));
19903 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
19904 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
19906 seq_printf(seq, "Serial number : ");
19907 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
19908 @@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
19912 - seq_printf(seq, "Device name : %s\n",
19913 - chtostr(result.device_name, 64));
19914 - seq_printf(seq, "Service name : %s\n",
19915 - chtostr(result.service_name, 64));
19916 - seq_printf(seq, "Physical name : %s\n",
19917 - chtostr(result.physical_location, 64));
19918 - seq_printf(seq, "Instance number : %s\n",
19919 - chtostr(result.instance_number, 4));
19920 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
19921 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
19922 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
19923 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
19927 diff -urNp linux-2.6.31/drivers/misc/ibmasm/ibmasmfs.c linux-2.6.31/drivers/misc/ibmasm/ibmasmfs.c
19928 --- linux-2.6.31/drivers/misc/ibmasm/ibmasmfs.c 2009-08-27 20:59:04.000000000 -0400
19929 +++ linux-2.6.31/drivers/misc/ibmasm/ibmasmfs.c 2009-09-06 15:29:11.699286001 -0400
19930 @@ -97,7 +97,7 @@ static int ibmasmfs_get_super(struct fil
19931 return get_sb_single(fst, flags, data, ibmasmfs_fill_super, mnt);
19934 -static struct super_operations ibmasmfs_s_ops = {
19935 +static const struct super_operations ibmasmfs_s_ops = {
19936 .statfs = simple_statfs,
19937 .drop_inode = generic_delete_inode,
19939 diff -urNp linux-2.6.31/drivers/misc/phantom.c linux-2.6.31/drivers/misc/phantom.c
19940 --- linux-2.6.31/drivers/misc/phantom.c 2009-08-27 20:59:04.000000000 -0400
19941 +++ linux-2.6.31/drivers/misc/phantom.c 2009-09-06 15:29:11.699286001 -0400
19942 @@ -271,7 +271,7 @@ static unsigned int phantom_poll(struct
19946 -static struct file_operations phantom_file_ops = {
19947 +static const struct file_operations phantom_file_ops = {
19948 .open = phantom_open,
19949 .release = phantom_release,
19950 .unlocked_ioctl = phantom_ioctl,
19951 diff -urNp linux-2.6.31/drivers/misc/sgi-gru/grufile.c linux-2.6.31/drivers/misc/sgi-gru/grufile.c
19952 --- linux-2.6.31/drivers/misc/sgi-gru/grufile.c 2009-08-27 20:59:04.000000000 -0400
19953 +++ linux-2.6.31/drivers/misc/sgi-gru/grufile.c 2009-09-06 15:29:11.699286001 -0400
19954 @@ -53,7 +53,7 @@ struct gru_stats_s gru_stats;
19955 /* Guaranteed user available resources on each node */
19956 static int max_user_cbrs, max_user_dsr_bytes;
19958 -static struct file_operations gru_fops;
19959 +static const struct file_operations gru_fops;
19960 static struct miscdevice gru_miscdev;
19963 @@ -426,7 +426,7 @@ static void __exit gru_exit(void)
19967 -static struct file_operations gru_fops = {
19968 +static const struct file_operations gru_fops = {
19969 .owner = THIS_MODULE,
19970 .unlocked_ioctl = gru_file_unlocked_ioctl,
19971 .mmap = gru_file_mmap,
19972 @@ -438,7 +438,7 @@ static struct miscdevice gru_miscdev = {
19976 -struct vm_operations_struct gru_vm_ops = {
19977 +const struct vm_operations_struct gru_vm_ops = {
19978 .close = gru_vma_close,
19979 .fault = gru_fault,
19981 diff -urNp linux-2.6.31/drivers/misc/sgi-gru/grutables.h linux-2.6.31/drivers/misc/sgi-gru/grutables.h
19982 --- linux-2.6.31/drivers/misc/sgi-gru/grutables.h 2009-08-27 20:59:04.000000000 -0400
19983 +++ linux-2.6.31/drivers/misc/sgi-gru/grutables.h 2009-09-06 15:29:11.700275159 -0400
19984 @@ -624,7 +624,7 @@ static inline int is_kernel_context(stru
19986 struct gru_unload_context_req;
19988 -extern struct vm_operations_struct gru_vm_ops;
19989 +extern const struct vm_operations_struct gru_vm_ops;
19990 extern struct device *grudev;
19992 extern struct gru_vma_data *gru_alloc_vma_data(struct vm_area_struct *vma,
19993 diff -urNp linux-2.6.31/drivers/mmc/core/debugfs.c linux-2.6.31/drivers/mmc/core/debugfs.c
19994 --- linux-2.6.31/drivers/mmc/core/debugfs.c 2009-08-27 20:59:04.000000000 -0400
19995 +++ linux-2.6.31/drivers/mmc/core/debugfs.c 2009-09-06 15:29:11.718149950 -0400
19996 @@ -240,7 +240,7 @@ static int mmc_ext_csd_release(struct in
20000 -static struct file_operations mmc_dbg_ext_csd_fops = {
20001 +static const struct file_operations mmc_dbg_ext_csd_fops = {
20002 .open = mmc_ext_csd_open,
20003 .read = mmc_ext_csd_read,
20004 .release = mmc_ext_csd_release,
20005 diff -urNp linux-2.6.31/drivers/mtd/devices/doc2000.c linux-2.6.31/drivers/mtd/devices/doc2000.c
20006 --- linux-2.6.31/drivers/mtd/devices/doc2000.c 2009-08-27 20:59:04.000000000 -0400
20007 +++ linux-2.6.31/drivers/mtd/devices/doc2000.c 2009-09-06 15:29:11.718149950 -0400
20008 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
20010 /* The ECC will not be calculated correctly if less than 512 is written */
20012 - if (len != 0x200 && eccbuf)
20013 + if (len != 0x200)
20014 printk(KERN_WARNING
20015 "ECC needs a full sector write (adr: %lx size %lx)\n",
20016 (long) to, (long) len);
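Review bot: Dropping `&& eccbuf` makes the warning fire for every write that is not exactly 512 bytes, including callers that pass no ECC buffer, unless eccbuf is guaranteed non-NULL at this point — which the hunk does not show. If the test was removed because it is dead (eccbuf always set by the time doc_write gets here), a comment such as `/* eccbuf is never NULL here, so warn on every short write */` would record that; otherwise the original condition should stay so the warning only reflects a real ECC problem. doc_write continues outside the hunk on both sides.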
20017 diff -urNp linux-2.6.31/drivers/mtd/devices/doc2001.c linux-2.6.31/drivers/mtd/devices/doc2001.c
20018 --- linux-2.6.31/drivers/mtd/devices/doc2001.c 2009-08-27 20:59:04.000000000 -0400
20019 +++ linux-2.6.31/drivers/mtd/devices/doc2001.c 2009-09-06 15:29:11.719178073 -0400
20020 @@ -395,6 +395,8 @@ static int doc_read (struct mtd_info *mt
20021 /* Don't allow read past end of device */
20022 if (from >= this->totlen)
20027 /* Don't allow a single read to cross a 512-byte block boundary */
20028 if (from + len > ((from | 0x1ff) + 1))
20029 diff -urNp linux-2.6.31/drivers/mtd/ubi/build.c linux-2.6.31/drivers/mtd/ubi/build.c
20030 --- linux-2.6.31/drivers/mtd/ubi/build.c 2009-08-27 20:59:04.000000000 -0400
20031 +++ linux-2.6.31/drivers/mtd/ubi/build.c 2009-09-06 15:29:11.720174413 -0400
20032 @@ -1257,7 +1257,7 @@ static int __init bytes_str_to_int(const
20033 unsigned long result;
20035 result = simple_strtoul(str, &endp, 0);
20036 - if (str == endp || result < 0) {
20037 + if (str == endp) {
20038 printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
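Review bot: The removed `result < 0` test could never be true because `result` is declared `unsigned long` two lines above, so this is a dead-code removal rather than a behaviour change and deserves saying so. A short comment, `/* result is unsigned: a leading '-' yields no digits and is caught by str == endp */`, would stop the next reader from re-adding a sign check; whether simple_strtoul in this tree really refuses a leading '-' should be confirmed before writing that. The rest of bytes_str_to_int is outside the hunk.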
20041 diff -urNp linux-2.6.31/drivers/net/irda/vlsi_ir.c linux-2.6.31/drivers/net/irda/vlsi_ir.c
20042 --- linux-2.6.31/drivers/net/irda/vlsi_ir.c 2009-08-27 20:59:04.000000000 -0400
20043 +++ linux-2.6.31/drivers/net/irda/vlsi_ir.c 2009-09-06 15:29:11.731942177 -0400
20044 @@ -906,13 +906,12 @@ static int vlsi_hard_start_xmit(struct s
20045 /* no race - tx-ring already empty */
20046 vlsi_set_baud(idev, iobase);
20047 netif_wake_queue(ndev);
20052 /* keep the speed change pending like it would
20053 * for any len>0 packet. tx completion interrupt
20054 * will apply it when the tx ring becomes empty.
20057 spin_unlock_irqrestore(&idev->lock, flags);
20058 dev_kfree_skb_any(skb);
20060 diff -urNp linux-2.6.31/drivers/net/pcnet32.c linux-2.6.31/drivers/net/pcnet32.c
20061 --- linux-2.6.31/drivers/net/pcnet32.c 2009-08-27 20:59:04.000000000 -0400
20062 +++ linux-2.6.31/drivers/net/pcnet32.c 2009-09-06 15:29:11.747156002 -0400
20063 @@ -78,7 +78,7 @@ static int cards_found;
20065 * VLB I/O addresses
20067 -static unsigned int pcnet32_portlist[] __initdata =
20068 +static unsigned int pcnet32_portlist[] __devinitdata =
20069 { 0x300, 0x320, 0x340, 0x360, 0 };
20071 static int pcnet32_debug = 0;
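Review bot: The move from `__initdata` to `__devinitdata` is not explained, and the hunk shows no reader of pcnet32_portlist. If the table is read from a `__devinit` probe path (which would make `__initdata` already-freed memory on a later hot-plug probe), a comment on the declaration should say so, e.g. `/* read by the __devinit probe path, so must outlive __init */`; if it is only read during __init the original annotation was correct. This is an inference from the section names, not from visible code.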
20072 diff -urNp linux-2.6.31/drivers/net/tg3.h linux-2.6.31/drivers/net/tg3.h
20073 --- linux-2.6.31/drivers/net/tg3.h 2009-08-27 20:59:04.000000000 -0400
20074 +++ linux-2.6.31/drivers/net/tg3.h 2009-09-06 15:29:11.756758234 -0400
20076 #define CHIPREV_ID_5750_A0 0x4000
20077 #define CHIPREV_ID_5750_A1 0x4001
20078 #define CHIPREV_ID_5750_A3 0x4003
20079 +#define CHIPREV_ID_5750_C1 0x4201
20080 #define CHIPREV_ID_5750_C2 0x4202
20081 #define CHIPREV_ID_5752_A0_HW 0x5000
20082 #define CHIPREV_ID_5752_A0 0x6000
20083 diff -urNp linux-2.6.31/drivers/net/usb/hso.c linux-2.6.31/drivers/net/usb/hso.c
20084 --- linux-2.6.31/drivers/net/usb/hso.c 2009-08-27 20:59:04.000000000 -0400
20085 +++ linux-2.6.31/drivers/net/usb/hso.c 2009-09-06 15:29:11.764908399 -0400
20086 @@ -258,7 +258,7 @@ struct hso_serial {
20088 /* from usb_serial_port */
20089 struct tty_struct *tty;
20091 + atomic_t open_count;
20092 spinlock_t serial_lock;
20094 int (*write_data) (struct hso_serial *serial);
20095 @@ -1179,7 +1179,7 @@ static void put_rxbuf_data_and_resubmit_
20098 urb = serial->rx_urb[0];
20099 - if (serial->open_count > 0) {
20100 + if (atomic_read(&serial->open_count) > 0) {
20101 count = put_rxbuf_data(urb, serial);
20104 @@ -1215,7 +1215,7 @@ static void hso_std_serial_read_bulk_cal
20105 DUMP1(urb->transfer_buffer, urb->actual_length);
20107 /* Anyone listening? */
20108 - if (serial->open_count == 0)
20109 + if (atomic_read(&serial->open_count) == 0)
20113 @@ -1310,8 +1310,7 @@ static int hso_serial_open(struct tty_st
20114 spin_unlock_irq(&serial->serial_lock);
20116 /* check for port already opened, if not set the termios */
20117 - serial->open_count++;
20118 - if (serial->open_count == 1) {
20119 + if (atomic_inc_return(&serial->open_count) == 1) {
20120 tty->low_latency = 1;
20121 serial->rx_state = RX_IDLE;
20122 /* Force default termio settings */
20123 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
20124 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
20126 hso_stop_serial_device(serial->parent);
20127 - serial->open_count--;
20128 + atomic_dec(&serial->open_count);
20129 kref_put(&serial->parent->ref, hso_serial_ref_free);
20132 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
20134 /* reset the rts and dtr */
20135 /* do the actual close */
20136 - serial->open_count--;
20137 + atomic_dec(&serial->open_count);
20138 kref_put(&serial->parent->ref, hso_serial_ref_free);
20139 - if (serial->open_count <= 0) {
20140 - serial->open_count = 0;
20141 + if (atomic_read(&serial->open_count) <= 0) {
20142 + atomic_set(&serial->open_count, 0);
20143 spin_lock_irq(&serial->serial_lock);
20144 if (serial->tty == tty) {
20145 serial->tty->driver_data = NULL;
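Review bot: The decrement and the `<= 0` test on open_count are two separate atomic operations, so another opener can run between `atomic_dec` and `atomic_read`, and the following `atomic_set(&serial->open_count, 0)` would then discard that open's increment. Folding them into one read-modify-write closes the window: `if (atomic_dec_return(&serial->open_count) <= 0) {`, with the `atomic_set` kept only as the clamp for the negative case. The same two-step pattern is what the plain integer had, so this is pre-existing, but the switch to atomic_t is the natural place to fix it. hso_serial_close continues outside the hunk.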
20146 @@ -1444,7 +1443,7 @@ static void hso_serial_set_termios(struc
20148 /* the actual setup */
20149 spin_lock_irqsave(&serial->serial_lock, flags);
20150 - if (serial->open_count)
20151 + if (atomic_read(&serial->open_count))
20152 _hso_serial_set_termios(tty, old);
20154 tty->termios = old;
20155 @@ -3087,7 +3086,7 @@ static int hso_resume(struct usb_interfa
20156 /* Start all serial ports */
20157 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
20158 if (serial_table[i] && (serial_table[i]->interface == iface)) {
20159 - if (dev2ser(serial_table[i])->open_count) {
20160 + if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
20162 hso_start_serial_device(serial_table[i], GFP_NOIO);
20163 hso_kick_transmit(dev2ser(serial_table[i]));
20164 diff -urNp linux-2.6.31/drivers/oprofile/buffer_sync.c linux-2.6.31/drivers/oprofile/buffer_sync.c
20165 --- linux-2.6.31/drivers/oprofile/buffer_sync.c 2009-08-27 20:59:04.000000000 -0400
20166 +++ linux-2.6.31/drivers/oprofile/buffer_sync.c 2009-09-06 15:29:11.764908399 -0400
20167 @@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
20168 if (cookie == NO_COOKIE)
20170 if (cookie == INVALID_COOKIE) {
20171 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
20172 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
20175 if (cookie != last_cookie) {
20176 @@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
20177 /* add userspace sample */
20180 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
20181 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
20185 cookie = lookup_dcookie(mm, s->eip, &offset);
20187 if (cookie == INVALID_COOKIE) {
20188 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
20189 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
20193 @@ -561,7 +561,7 @@ void sync_buffer(int cpu)
20194 /* ignore backtraces if failed to add a sample */
20195 if (state == sb_bt_start) {
20196 state = sb_bt_ignore;
20197 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
20198 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
20202 diff -urNp linux-2.6.31/drivers/oprofile/event_buffer.c linux-2.6.31/drivers/oprofile/event_buffer.c
20203 --- linux-2.6.31/drivers/oprofile/event_buffer.c 2009-08-27 20:59:04.000000000 -0400
20204 +++ linux-2.6.31/drivers/oprofile/event_buffer.c 2009-09-06 15:29:11.766184688 -0400
20205 @@ -42,7 +42,7 @@ static atomic_t buffer_ready = ATOMIC_IN
20206 void add_event_entry(unsigned long value)
20208 if (buffer_pos == buffer_size) {
20209 - atomic_inc(&oprofile_stats.event_lost_overflow);
20210 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
20214 diff -urNp linux-2.6.31/drivers/oprofile/oprofilefs.c linux-2.6.31/drivers/oprofile/oprofilefs.c
20215 --- linux-2.6.31/drivers/oprofile/oprofilefs.c 2009-08-27 20:59:04.000000000 -0400
20216 +++ linux-2.6.31/drivers/oprofile/oprofilefs.c 2009-09-06 15:29:11.766184688 -0400
20217 @@ -35,7 +35,7 @@ static struct inode *oprofilefs_get_inod
20221 -static struct super_operations s_ops = {
20222 +static const struct super_operations s_ops = {
20223 .statfs = simple_statfs,
20224 .drop_inode = generic_delete_inode,
20226 @@ -187,7 +187,7 @@ static const struct file_operations atom
20229 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
20230 - char const *name, atomic_t *val)
20231 + char const *name, atomic_unchecked_t *val)
20233 struct dentry *d = __oprofilefs_create_file(sb, root, name,
20234 &atomic_ro_fops, 0444);
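Review bot: Changing the parameter to `atomic_unchecked_t *` only compiles if the matching prototype (presumably in include/linux/oprofile.h, not in this hunk) and the `atomic_ro_fops` read callback that later dereferences the pointer are changed in step, and neither is visible here. Since `atomic_unchecked_t` is a distinct struct type, a caller or callback still using `atomic_t` is a hard error rather than a warning, so the companion hunks are worth checking. A comment on the signature, `/* atomic_unchecked_t: these are statistics, not refcounts, so overflow checking is deliberately off */`, would also record the intent.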
20235 diff -urNp linux-2.6.31/drivers/oprofile/oprofile_stats.c linux-2.6.31/drivers/oprofile/oprofile_stats.c
20236 --- linux-2.6.31/drivers/oprofile/oprofile_stats.c 2009-08-27 20:59:04.000000000 -0400
20237 +++ linux-2.6.31/drivers/oprofile/oprofile_stats.c 2009-09-06 15:29:11.767169396 -0400
20238 @@ -30,10 +30,10 @@ void oprofile_reset_stats(void)
20239 cpu_buf->sample_invalid_eip = 0;
20242 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
20243 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
20244 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
20245 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
20246 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
20247 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
20248 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
20249 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
20253 diff -urNp linux-2.6.31/drivers/oprofile/oprofile_stats.h linux-2.6.31/drivers/oprofile/oprofile_stats.h
20254 --- linux-2.6.31/drivers/oprofile/oprofile_stats.h 2009-08-27 20:59:04.000000000 -0400
20255 +++ linux-2.6.31/drivers/oprofile/oprofile_stats.h 2009-09-06 15:29:11.767169396 -0400
20256 @@ -13,10 +13,10 @@
20257 #include <asm/atomic.h>
20259 struct oprofile_stat_struct {
20260 - atomic_t sample_lost_no_mm;
20261 - atomic_t sample_lost_no_mapping;
20262 - atomic_t bt_lost_no_mapping;
20263 - atomic_t event_lost_overflow;
20264 + atomic_unchecked_t sample_lost_no_mm;
20265 + atomic_unchecked_t sample_lost_no_mapping;
20266 + atomic_unchecked_t bt_lost_no_mapping;
20267 + atomic_unchecked_t event_lost_overflow;
20270 extern struct oprofile_stat_struct oprofile_stats;
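Review bot: The four fields become `atomic_unchecked_t` without a word on why, and the distinction matters under PaX refcount protection: a counter that is only ever incremented and reported may wrap harmlessly, whereas a reference count must not. A comment on the struct would make that explicit, e.g. `/* diagnostic counters only (never used as refcounts): wraparound is harmless, so excluded from overflow checking */`. The same rationale applies to the matching increments in buffer_sync.c and event_buffer.c.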
20271 diff -urNp linux-2.6.31/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.31/drivers/pci/hotplug/cpqphp_nvram.c
20272 --- linux-2.6.31/drivers/pci/hotplug/cpqphp_nvram.c 2009-08-27 20:59:04.000000000 -0400
20273 +++ linux-2.6.31/drivers/pci/hotplug/cpqphp_nvram.c 2009-09-06 15:29:11.780031262 -0400
20274 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
20276 void compaq_nvram_init (void __iomem *rom_start)
20279 +#ifndef CONFIG_PAX_KERNEXEC
20281 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
20285 dbg("int15 entry = %p\n", compaq_int15_entry_point);
20287 /* initialize our int15 lock */
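Review bot: Under CONFIG_PAX_KERNEXEC compaq_int15_entry_point is never assigned, so every later call through it must already cope with the variable keeping its initial value (presumably NULL); none of those callers is visible in this hunk and the change records no reason. A comment at the `#ifndef` would help, e.g. `/* KERNEXEC forbids calling into the option ROM; leave the entry point unset so int15 calls are skipped */`, assuming that is the intent. The `#else`/`#endif` lines are not shown in this extract, so the exact structure should be checked in the full patch.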
20288 diff -urNp linux-2.6.31/drivers/pci/pcie/portdrv_pci.c linux-2.6.31/drivers/pci/pcie/portdrv_pci.c
20289 --- linux-2.6.31/drivers/pci/pcie/portdrv_pci.c 2009-08-27 20:59:04.000000000 -0400
20290 +++ linux-2.6.31/drivers/pci/pcie/portdrv_pci.c 2009-09-06 15:29:11.780031262 -0400
20291 @@ -249,7 +249,7 @@ static void pcie_portdrv_err_resume(stru
20292 static const struct pci_device_id port_pci_ids[] = { {
20293 /* handle any PCI-Express port */
20294 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
20295 - }, { /* end: all zeroes */ }
20296 + }, { 0, 0, 0, 0, 0, 0, 0 }
20298 MODULE_DEVICE_TABLE(pci, port_pci_ids);
20300 diff -urNp linux-2.6.31/drivers/pci/proc.c linux-2.6.31/drivers/pci/proc.c
20301 --- linux-2.6.31/drivers/pci/proc.c 2009-08-27 20:59:04.000000000 -0400
20302 +++ linux-2.6.31/drivers/pci/proc.c 2009-09-06 15:29:11.781327750 -0400
20303 @@ -480,7 +480,16 @@ static const struct file_operations proc
20304 static int __init pci_proc_init(void)
20306 struct pci_dev *dev = NULL;
20308 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
20309 +#ifdef CONFIG_GRKERNSEC_PROC_USER
20310 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
20311 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
20312 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
20315 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
20317 proc_create("devices", 0, proc_bus_pci_dir,
20318 &proc_bus_pci_dev_operations);
20319 proc_initialized = 1;
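Review bot: Under CONFIG_GRKERNSEC_PROC_USERGROUP the directory is created with S_IRGRP|S_IXGRP, but the hunk shows no gid being assigned to the entry, so the group bits only restrict access if proc_mkdir_mode (or something else outside this hunk) sets the configured group; otherwise they grant the root group. Note also that the `devices` file is still created with mode 0, i.e. the default world-readable mode, and the per-device entries created elsewhere likely are too, so the restriction rests entirely on the directory mode — worth a comment such as `/* bus/pci is the choke point: the files below keep default modes */`. The return value of proc_mkdir_mode is unchecked, as proc_mkdir's was before.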
20320 diff -urNp linux-2.6.31/drivers/pcmcia/ti113x.h linux-2.6.31/drivers/pcmcia/ti113x.h
20321 --- linux-2.6.31/drivers/pcmcia/ti113x.h 2009-08-27 20:59:04.000000000 -0400
20322 +++ linux-2.6.31/drivers/pcmcia/ti113x.h 2009-09-06 15:29:11.781327750 -0400
20323 @@ -903,7 +903,7 @@ static struct pci_device_id ene_tune_tbl
20324 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
20325 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
20328 + { 0, 0, 0, 0, 0, 0, 0 }
20331 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
20332 diff -urNp linux-2.6.31/drivers/pcmcia/yenta_socket.c linux-2.6.31/drivers/pcmcia/yenta_socket.c
20333 --- linux-2.6.31/drivers/pcmcia/yenta_socket.c 2009-08-27 20:59:04.000000000 -0400
20334 +++ linux-2.6.31/drivers/pcmcia/yenta_socket.c 2009-09-06 15:29:11.782283889 -0400
20335 @@ -1366,7 +1366,7 @@ static struct pci_device_id yenta_table
20337 /* match any cardbus bridge */
20338 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
20339 - { /* all zeroes */ }
20340 + { 0, 0, 0, 0, 0, 0, 0 }
20342 MODULE_DEVICE_TABLE(pci, yenta_table);
20344 diff -urNp linux-2.6.31/drivers/pnp/pnpbios/bioscalls.c linux-2.6.31/drivers/pnp/pnpbios/bioscalls.c
20345 --- linux-2.6.31/drivers/pnp/pnpbios/bioscalls.c 2009-08-27 20:59:04.000000000 -0400
20346 +++ linux-2.6.31/drivers/pnp/pnpbios/bioscalls.c 2009-09-06 15:29:11.783174437 -0400
20347 @@ -60,7 +60,7 @@ set_base(gdt[(selname) >> 3], (u32)(addr
20348 set_limit(gdt[(selname) >> 3], size); \
20351 -static struct desc_struct bad_bios_desc;
20352 +static struct desc_struct bad_bios_desc __read_only;
20355 * At some point we want to use this stack frame pointer to unwind
20356 @@ -87,6 +87,10 @@ static inline u16 call_pnp_bios(u16 func
20357 struct desc_struct save_desc_40;
20360 +#ifdef CONFIG_PAX_KERNEXEC
20361 + unsigned long cr0;
20365 * PnP BIOSes are generally not terribly re-entrant.
20366 * Also, don't rely on them to save everything correctly.
20367 @@ -96,8 +100,17 @@ static inline u16 call_pnp_bios(u16 func
20370 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
20372 +#ifdef CONFIG_PAX_KERNEXEC
20373 + pax_open_kernel(cr0);
20376 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
20378 +#ifdef CONFIG_PAX_KERNEXEC
20379 + pax_close_kernel(cr0);
20382 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
20383 spin_lock_irqsave(&pnp_bios_lock, flags);
20385 @@ -134,7 +147,16 @@ static inline u16 call_pnp_bios(u16 func
20387 spin_unlock_irqrestore(&pnp_bios_lock, flags);
20389 +#ifdef CONFIG_PAX_KERNEXEC
20390 + pax_open_kernel(cr0);
20393 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
20395 +#ifdef CONFIG_PAX_KERNEXEC
20396 + pax_close_kernel(cr0);
20401 /* If we get here and this is set then the PnP BIOS faulted on us. */
20402 @@ -468,16 +490,24 @@ int pnp_bios_read_escd(char *data, u32 n
20406 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
20407 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
20411 +#ifdef CONFIG_PAX_KERNEXEC
20412 + unsigned long cr0;
20415 spin_lock_init(&pnp_bios_lock);
20416 pnp_bios_callpoint.offset = header->fields.pm16offset;
20417 pnp_bios_callpoint.segment = PNP_CS16;
20419 +#ifdef CONFIG_PAX_KERNEXEC
20420 + pax_open_kernel(cr0);
20423 bad_bios_desc.a = 0;
20424 - bad_bios_desc.b = 0x00409200;
20425 + bad_bios_desc.b = 0x00409300;
20427 set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
20428 _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
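Review bot: The change of `bad_bios_desc.b` from 0x00409200 to 0x00409300 sets the descriptor's accessed bit, and nothing in the hunk says why. Since bad_bios_desc is now `__read_only` and is copied into the GDT behind pax_open_kernel, the plausible reason is to stop the CPU from writing the accessed bit back into a read-only descriptor when the segment is loaded; that belongs in a comment on the line, e.g. `/* 0x93: r/w data with the accessed bit pre-set, so the CPU never writes to the read-only GDT slot */`. If that inference is wrong the real reason should be recorded instead.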
20429 @@ -491,4 +521,9 @@ void pnpbios_calls_init(union pnp_bios_i
20430 set_base(gdt[GDT_ENTRY_PNPBIOS_DS],
20431 __va(header->fields.pm16dseg));
20434 +#ifdef CONFIG_PAX_KERNEXEC
20435 + pax_close_kernel(cr0);
20439 diff -urNp linux-2.6.31/drivers/pnp/quirks.c linux-2.6.31/drivers/pnp/quirks.c
20440 --- linux-2.6.31/drivers/pnp/quirks.c 2009-08-27 20:59:04.000000000 -0400
20441 +++ linux-2.6.31/drivers/pnp/quirks.c 2009-09-06 15:29:11.783174437 -0400
20442 @@ -327,7 +327,7 @@ static struct pnp_fixup pnp_fixups[] = {
20443 /* PnP resources that might overlap PCI BARs */
20444 {"PNP0c01", quirk_system_pci_resources},
20445 {"PNP0c02", quirk_system_pci_resources},
20450 void pnp_fixup_device(struct pnp_dev *dev)
20451 diff -urNp linux-2.6.31/drivers/pnp/resource.c linux-2.6.31/drivers/pnp/resource.c
20452 --- linux-2.6.31/drivers/pnp/resource.c 2009-08-27 20:59:04.000000000 -0400
20453 +++ linux-2.6.31/drivers/pnp/resource.c 2009-09-06 15:29:11.784264734 -0400
20454 @@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
20457 /* check if the resource is valid */
20458 - if (*irq < 0 || *irq > 15)
20462 /* check if the resource is reserved */
20463 @@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
20466 /* check if the resource is valid */
20467 - if (*dma < 0 || *dma == 4 || *dma > 7)
20468 + if (*dma == 4 || *dma > 7)
20471 /* check if the resource is reserved */
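Review bot: Removing `*dma < 0` is only a no-op if `*dma` is an unsigned type (presumably resource_size_t via `res->start`, but the declaration is outside the hunk); if it were signed, negative channel numbers would now pass the range check. A comment on the condition, `/* *dma is unsigned: only 4 and >7 are invalid */`, would document the assumption. pnp_check_dma continues outside the hunk.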
20472 diff -urNp linux-2.6.31/drivers/s390/cio/qdio_debug.c linux-2.6.31/drivers/s390/cio/qdio_debug.c
20473 --- linux-2.6.31/drivers/s390/cio/qdio_debug.c 2009-08-27 20:59:04.000000000 -0400
20474 +++ linux-2.6.31/drivers/s390/cio/qdio_debug.c 2009-09-06 15:29:11.784264734 -0400
20475 @@ -144,7 +144,7 @@ static void remove_debugfs_entry(struct
20479 -static struct file_operations debugfs_fops = {
20480 +static const struct file_operations debugfs_fops = {
20481 .owner = THIS_MODULE,
20482 .open = qstat_seq_open,
20484 diff -urNp linux-2.6.31/drivers/s390/cio/qdio_perf.c linux-2.6.31/drivers/s390/cio/qdio_perf.c
20485 --- linux-2.6.31/drivers/s390/cio/qdio_perf.c 2009-08-27 20:59:04.000000000 -0400
20486 +++ linux-2.6.31/drivers/s390/cio/qdio_perf.c 2009-09-06 15:29:11.785238202 -0400
20487 @@ -84,7 +84,7 @@ static int qdio_perf_seq_open(struct ino
20488 return single_open(filp, qdio_perf_proc_show, NULL);
20491 -static struct file_operations qdio_perf_proc_fops = {
20492 +static const struct file_operations qdio_perf_proc_fops = {
20493 .owner = THIS_MODULE,
20494 .open = qdio_perf_seq_open,
20496 diff -urNp linux-2.6.31/drivers/scsi/libfc/fc_exch.c linux-2.6.31/drivers/scsi/libfc/fc_exch.c
20497 --- linux-2.6.31/drivers/scsi/libfc/fc_exch.c 2009-08-27 20:59:04.000000000 -0400
20498 +++ linux-2.6.31/drivers/scsi/libfc/fc_exch.c 2009-09-06 15:29:11.807151300 -0400
20499 @@ -73,12 +73,12 @@ struct fc_exch_mgr {
20500 * all together if not used XXX
20503 - atomic_t no_free_exch;
20504 - atomic_t no_free_exch_xid;
20505 - atomic_t xid_not_found;
20506 - atomic_t xid_busy;
20507 - atomic_t seq_not_found;
20508 - atomic_t non_bls_resp;
20509 + atomic_unchecked_t no_free_exch;
20510 + atomic_unchecked_t no_free_exch_xid;
20511 + atomic_unchecked_t xid_not_found;
20512 + atomic_unchecked_t xid_busy;
20513 + atomic_unchecked_t seq_not_found;
20514 + atomic_unchecked_t non_bls_resp;
20516 struct fc_exch **exches; /* for exch pointers indexed by xid */
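Review bot: The six stats fields switch to `atomic_unchecked_t` with no note on why they are exempt from overflow checking, while the exchange structures themselves presumably keep checked atomics. A comment on the struct would record the rule: `/* error/diagnostic counters, never used as refcounts: wraparound is harmless */`. This should be re-checked if any of these counters is ever compared against a limit rather than merely reported.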
20518 @@ -523,7 +523,7 @@ struct fc_exch *fc_exch_alloc(struct fc_
20519 /* allocate memory for exchange */
20520 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
20522 - atomic_inc(&mp->stats.no_free_exch);
20523 + atomic_inc_unchecked(&mp->stats.no_free_exch);
20526 memset(ep, 0, sizeof(*ep));
20527 @@ -568,7 +568,7 @@ out:
20530 spin_unlock_bh(&mp->em_lock);
20531 - atomic_inc(&mp->stats.no_free_exch_xid);
20532 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
20533 mempool_free(ep, mp->ep_pool);
20536 @@ -671,7 +671,7 @@ static enum fc_pf_rjt_reason fc_seq_look
20537 xid = ntohs(fh->fh_ox_id); /* we originated exch */
20538 ep = fc_exch_find(mp, xid);
20540 - atomic_inc(&mp->stats.xid_not_found);
20541 + atomic_inc_unchecked(&mp->stats.xid_not_found);
20542 reject = FC_RJT_OX_ID;
20545 @@ -701,7 +701,7 @@ static enum fc_pf_rjt_reason fc_seq_look
20546 ep = fc_exch_find(mp, xid);
20547 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
20549 - atomic_inc(&mp->stats.xid_busy);
20550 + atomic_inc_unchecked(&mp->stats.xid_busy);
20551 reject = FC_RJT_RX_ID;
20554 @@ -712,7 +712,7 @@ static enum fc_pf_rjt_reason fc_seq_look
20556 xid = ep->xid; /* get our XID */
20558 - atomic_inc(&mp->stats.xid_not_found);
20559 + atomic_inc_unchecked(&mp->stats.xid_not_found);
20560 reject = FC_RJT_RX_ID; /* XID not found */
20563 @@ -733,7 +733,7 @@ static enum fc_pf_rjt_reason fc_seq_look
20566 if (sp->id != fh->fh_seq_id) {
20567 - atomic_inc(&mp->stats.seq_not_found);
20568 + atomic_inc_unchecked(&mp->stats.seq_not_found);
20569 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
20572 @@ -1145,22 +1145,22 @@ static void fc_exch_recv_seq_resp(struct
20574 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
20576 - atomic_inc(&mp->stats.xid_not_found);
20577 + atomic_inc_unchecked(&mp->stats.xid_not_found);
20580 if (ep->esb_stat & ESB_ST_COMPLETE) {
20581 - atomic_inc(&mp->stats.xid_not_found);
20582 + atomic_inc_unchecked(&mp->stats.xid_not_found);
20585 if (ep->rxid == FC_XID_UNKNOWN)
20586 ep->rxid = ntohs(fh->fh_rx_id);
20587 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
20588 - atomic_inc(&mp->stats.xid_not_found);
20589 + atomic_inc_unchecked(&mp->stats.xid_not_found);
20592 if (ep->did != ntoh24(fh->fh_s_id) &&
20593 ep->did != FC_FID_FLOGI) {
20594 - atomic_inc(&mp->stats.xid_not_found);
20595 + atomic_inc_unchecked(&mp->stats.xid_not_found);
20599 @@ -1171,7 +1171,7 @@ static void fc_exch_recv_seq_resp(struct
20602 if (sp->id != fh->fh_seq_id) {
20603 - atomic_inc(&mp->stats.seq_not_found);
20604 + atomic_inc_unchecked(&mp->stats.seq_not_found);
20608 @@ -1230,10 +1230,10 @@ static void fc_exch_recv_resp(struct fc_
20610 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
20612 - atomic_inc(&mp->stats.xid_not_found);
20613 + atomic_inc_unchecked(&mp->stats.xid_not_found);
20614 FC_EM_DBG(mp, "seq lookup failed\n");
20616 - atomic_inc(&mp->stats.non_bls_resp);
20617 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
20618 FC_EM_DBG(mp, "non-BLS response to sequence");
20621 diff -urNp linux-2.6.31/drivers/scsi/scsi_logging.h linux-2.6.31/drivers/scsi/scsi_logging.h
20622 --- linux-2.6.31/drivers/scsi/scsi_logging.h 2009-08-27 20:59:04.000000000 -0400
20623 +++ linux-2.6.31/drivers/scsi/scsi_logging.h 2009-09-06 15:29:11.814356439 -0400
20624 @@ -51,7 +51,7 @@ do { \
20628 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
20629 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
20630 #endif /* CONFIG_SCSI_LOGGING */
20633 diff -urNp linux-2.6.31/drivers/scsi/sg.c linux-2.6.31/drivers/scsi/sg.c
20634 --- linux-2.6.31/drivers/scsi/sg.c 2009-08-27 20:59:04.000000000 -0400
20635 +++ linux-2.6.31/drivers/scsi/sg.c 2009-09-06 15:29:11.821006281 -0400
20636 @@ -1185,7 +1185,7 @@ sg_vma_fault(struct vm_area_struct *vma,
20637 return VM_FAULT_SIGBUS;
20640 -static struct vm_operations_struct sg_mmap_vm_ops = {
20641 +static const struct vm_operations_struct sg_mmap_vm_ops = {
20642 .fault = sg_vma_fault,
20645 @@ -1317,7 +1317,7 @@ static void sg_rq_end_io(struct request
20649 -static struct file_operations sg_fops = {
20650 +static const struct file_operations sg_fops = {
20651 .owner = THIS_MODULE,
20654 @@ -2194,8 +2194,11 @@ static int sg_proc_seq_show_int(struct s
20655 static int sg_proc_single_open_adio(struct inode *inode, struct file *file);
20656 static ssize_t sg_proc_write_adio(struct file *filp, const char __user *buffer,
20657 size_t count, loff_t *off);
20658 -static struct file_operations adio_fops = {
20659 - /* .owner, .read and .llseek added in sg_proc_init() */
20661 +static const struct file_operations adio_fops = {
20662 + .owner = THIS_MODULE,
20663 + .read = seq_read,
20664 + .llseek = seq_lseek,
20665 .open = sg_proc_single_open_adio,
20666 .write = sg_proc_write_adio,
20667 .release = single_release,
20668 @@ -2204,7 +2207,10 @@ static struct file_operations adio_fops
20669 static int sg_proc_single_open_dressz(struct inode *inode, struct file *file);
20670 static ssize_t sg_proc_write_dressz(struct file *filp,
20671 const char __user *buffer, size_t count, loff_t *off);
20672 -static struct file_operations dressz_fops = {
20673 +static const struct file_operations dressz_fops = {
20674 + .owner = THIS_MODULE,
20675 + .read = seq_read,
20676 + .llseek = seq_lseek,
20677 .open = sg_proc_single_open_dressz,
20678 .write = sg_proc_write_dressz,
20679 .release = single_release,
20680 @@ -2212,14 +2218,20 @@ static struct file_operations dressz_fop
20682 static int sg_proc_seq_show_version(struct seq_file *s, void *v);
20683 static int sg_proc_single_open_version(struct inode *inode, struct file *file);
20684 -static struct file_operations version_fops = {
20685 +static const struct file_operations version_fops = {
20686 + .owner = THIS_MODULE,
20687 + .read = seq_read,
20688 + .llseek = seq_lseek,
20689 .open = sg_proc_single_open_version,
20690 .release = single_release,
20693 static int sg_proc_seq_show_devhdr(struct seq_file *s, void *v);
20694 static int sg_proc_single_open_devhdr(struct inode *inode, struct file *file);
20695 -static struct file_operations devhdr_fops = {
20696 +static const struct file_operations devhdr_fops = {
20697 + .owner = THIS_MODULE,
20698 + .read = seq_read,
20699 + .llseek = seq_lseek,
20700 .open = sg_proc_single_open_devhdr,
20701 .release = single_release,
20703 @@ -2229,11 +2241,14 @@ static int sg_proc_open_dev(struct inode
20704 static void * dev_seq_start(struct seq_file *s, loff_t *pos);
20705 static void * dev_seq_next(struct seq_file *s, void *v, loff_t *pos);
20706 static void dev_seq_stop(struct seq_file *s, void *v);
20707 -static struct file_operations dev_fops = {
20708 +static const struct file_operations dev_fops = {
20709 + .owner = THIS_MODULE,
20710 + .read = seq_read,
20711 + .llseek = seq_lseek,
20712 .open = sg_proc_open_dev,
20713 .release = seq_release,
20715 -static struct seq_operations dev_seq_ops = {
20716 +static const struct seq_operations dev_seq_ops = {
20717 .start = dev_seq_start,
20718 .next = dev_seq_next,
20719 .stop = dev_seq_stop,
20720 @@ -2242,11 +2257,14 @@ static struct seq_operations dev_seq_ops
20722 static int sg_proc_seq_show_devstrs(struct seq_file *s, void *v);
20723 static int sg_proc_open_devstrs(struct inode *inode, struct file *file);
20724 -static struct file_operations devstrs_fops = {
20725 +static const struct file_operations devstrs_fops = {
20726 + .owner = THIS_MODULE,
20727 + .read = seq_read,
20728 + .llseek = seq_lseek,
20729 .open = sg_proc_open_devstrs,
20730 .release = seq_release,
20732 -static struct seq_operations devstrs_seq_ops = {
20733 +static const struct seq_operations devstrs_seq_ops = {
20734 .start = dev_seq_start,
20735 .next = dev_seq_next,
20736 .stop = dev_seq_stop,
20737 @@ -2255,11 +2273,14 @@ static struct seq_operations devstrs_seq
20739 static int sg_proc_seq_show_debug(struct seq_file *s, void *v);
20740 static int sg_proc_open_debug(struct inode *inode, struct file *file);
20741 -static struct file_operations debug_fops = {
20742 +static const struct file_operations debug_fops = {
20743 + .owner = THIS_MODULE,
20744 + .read = seq_read,
20745 + .llseek = seq_lseek,
20746 .open = sg_proc_open_debug,
20747 .release = seq_release,
20749 -static struct seq_operations debug_seq_ops = {
20750 +static const struct seq_operations debug_seq_ops = {
20751 .start = dev_seq_start,
20752 .next = dev_seq_next,
20753 .stop = dev_seq_stop,
20754 @@ -2269,7 +2290,7 @@ static struct seq_operations debug_seq_o
20756 struct sg_proc_leaf {
20758 - struct file_operations * fops;
20759 + const struct file_operations * fops;
20762 static struct sg_proc_leaf sg_proc_leaf_arr[] = {
20763 @@ -2295,9 +2316,6 @@ sg_proc_init(void)
20764 for (k = 0; k < num_leaves; ++k) {
20765 leaf = &sg_proc_leaf_arr[k];
20766 mask = leaf->fops->write ? S_IRUGO | S_IWUSR : S_IRUGO;
20767 - leaf->fops->owner = THIS_MODULE;
20768 - leaf->fops->read = seq_read;
20769 - leaf->fops->llseek = seq_lseek;
20770 proc_create(leaf->name, mask, sg_proc_sgp, leaf->fops);
20773 diff -urNp linux-2.6.31/drivers/serial/8250_pci.c linux-2.6.31/drivers/serial/8250_pci.c
20774 --- linux-2.6.31/drivers/serial/8250_pci.c 2009-08-27 20:59:04.000000000 -0400
20775 +++ linux-2.6.31/drivers/serial/8250_pci.c 2009-09-06 15:29:11.822157703 -0400
20776 @@ -3580,7 +3580,7 @@ static struct pci_device_id serial_pci_t
20777 PCI_ANY_ID, PCI_ANY_ID,
20778 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
20779 0xffff00, pbn_default },
20781 + { 0, 0, 0, 0, 0, 0, 0 }
20784 static struct pci_driver serial_pci_driver = {
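Review bot: The new terminator `{ 0, 0, 0, 0, 0, 0, 0 }` hard-codes the number of members in struct pci_device_id, so it has to be edited whenever that layout changes, whereas the empty initializer it replaces did not. If the goal is only to avoid the GNU empty-initializer extension, `{ 0 }` is standard C, zero-fills every remaining member and is layout-independent. The same applies to the twelve-zero usb_device_id terminators added in cdc-acm.c, usblp.c, hub.c and usual-tables.c, and to the pci terminators in ehci-pci.c, uhci-hcd.c and i810_main.c. The removed line of this hunk is not visible in this view.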
20785 diff -urNp linux-2.6.31/drivers/spi/spidev.c linux-2.6.31/drivers/spi/spidev.c
20786 --- linux-2.6.31/drivers/spi/spidev.c 2009-08-27 20:59:04.000000000 -0400
20787 +++ linux-2.6.31/drivers/spi/spidev.c 2009-09-06 15:29:11.829574856 -0400
20788 @@ -537,7 +537,7 @@ static int spidev_release(struct inode *
20792 -static struct file_operations spidev_fops = {
20793 +static const struct file_operations spidev_fops = {
20794 .owner = THIS_MODULE,
20795 /* REVISIT switch to aio primitives, so that userspace
20796 * gets more complete API coverage. It'll simplify things
20797 diff -urNp linux-2.6.31/drivers/staging/android/binder.c linux-2.6.31/drivers/staging/android/binder.c
20798 --- linux-2.6.31/drivers/staging/android/binder.c 2009-08-27 20:59:04.000000000 -0400
20799 +++ linux-2.6.31/drivers/staging/android/binder.c 2009-09-06 15:29:11.830157644 -0400
20800 @@ -2717,7 +2717,7 @@ static void binder_vma_close(struct vm_a
20801 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
20804 -static struct vm_operations_struct binder_vm_ops = {
20805 +static const struct vm_operations_struct binder_vm_ops = {
20806 .open = binder_vma_open,
20807 .close = binder_vma_close,
20809 diff -urNp linux-2.6.31/drivers/staging/b3dfg/b3dfg.c linux-2.6.31/drivers/staging/b3dfg/b3dfg.c
20810 --- linux-2.6.31/drivers/staging/b3dfg/b3dfg.c 2009-08-27 20:59:04.000000000 -0400
20811 +++ linux-2.6.31/drivers/staging/b3dfg/b3dfg.c 2009-09-06 15:29:11.838465125 -0400
20812 @@ -454,7 +454,7 @@ static int b3dfg_vma_fault(struct vm_are
20813 return VM_FAULT_NOPAGE;
20816 -static struct vm_operations_struct b3dfg_vm_ops = {
20817 +static const struct vm_operations_struct b3dfg_vm_ops = {
20818 .fault = b3dfg_vma_fault,
20821 @@ -854,7 +854,7 @@ static int b3dfg_mmap(struct file *filp,
20825 -static struct file_operations b3dfg_fops = {
20826 +static const struct file_operations b3dfg_fops = {
20827 .owner = THIS_MODULE,
20828 .open = b3dfg_open,
20829 .release = b3dfg_release,
20830 diff -urNp linux-2.6.31/drivers/staging/comedi/comedi_fops.c linux-2.6.31/drivers/staging/comedi/comedi_fops.c
20831 --- linux-2.6.31/drivers/staging/comedi/comedi_fops.c 2009-08-27 20:59:04.000000000 -0400
20832 +++ linux-2.6.31/drivers/staging/comedi/comedi_fops.c 2009-09-06 15:29:11.839264368 -0400
20833 @@ -1370,7 +1370,7 @@ void comedi_unmap(struct vm_area_struct
20834 mutex_unlock(&dev->mutex);
20837 -static struct vm_operations_struct comedi_vm_ops = {
20838 +static const struct vm_operations_struct comedi_vm_ops = {
20839 .close = comedi_unmap,
20842 diff -urNp linux-2.6.31/drivers/staging/cpc-usb/cpc-usb_drv.c linux-2.6.31/drivers/staging/cpc-usb/cpc-usb_drv.c
20843 --- linux-2.6.31/drivers/staging/cpc-usb/cpc-usb_drv.c 2009-08-27 20:59:04.000000000 -0400
20844 +++ linux-2.6.31/drivers/staging/cpc-usb/cpc-usb_drv.c 2009-09-06 15:29:11.847020048 -0400
20845 @@ -104,7 +104,7 @@ static void cpcusb_read_interrupt_callba
20847 static int cpcusb_setup_intrep(CPC_USB_T *card);
20849 -static struct file_operations cpcusb_fops = {
20850 +static const struct file_operations cpcusb_fops = {
20852 * The owner field is part of the module-locking
20853 * mechanism. The idea is that the kernel knows
20854 diff -urNp linux-2.6.31/drivers/staging/epl/EplApiLinuxKernel.c linux-2.6.31/drivers/staging/epl/EplApiLinuxKernel.c
20855 --- linux-2.6.31/drivers/staging/epl/EplApiLinuxKernel.c 2009-08-27 20:59:04.000000000 -0400
20856 +++ linux-2.6.31/drivers/staging/epl/EplApiLinuxKernel.c 2009-09-06 15:29:11.848237420 -0400
20857 @@ -203,7 +203,7 @@ static int EplLinIoctl(struct inode *pDe
20858 module_init(EplLinInit);
20859 module_exit(EplLinExit);
20861 -static struct file_operations EplLinFileOps_g = {
20862 +static const struct file_operations EplLinFileOps_g = {
20863 .owner = THIS_MODULE,
20864 .open = EplLinOpen,
20865 .release = EplLinRelease,
20866 diff -urNp linux-2.6.31/drivers/staging/go7007/go7007-v4l2.c linux-2.6.31/drivers/staging/go7007/go7007-v4l2.c
20867 --- linux-2.6.31/drivers/staging/go7007/go7007-v4l2.c 2009-08-27 20:59:04.000000000 -0400
20868 +++ linux-2.6.31/drivers/staging/go7007/go7007-v4l2.c 2009-09-06 15:29:11.848237420 -0400
20869 @@ -1717,7 +1717,7 @@ static int go7007_vm_fault(struct vm_are
20873 -static struct vm_operations_struct go7007_vm_ops = {
20874 +static const struct vm_operations_struct go7007_vm_ops = {
20875 .open = go7007_vm_open,
20876 .close = go7007_vm_close,
20877 .fault = go7007_vm_fault,
20878 diff -urNp linux-2.6.31/drivers/staging/panel/panel.c linux-2.6.31/drivers/staging/panel/panel.c
20879 --- linux-2.6.31/drivers/staging/panel/panel.c 2009-08-27 20:59:04.000000000 -0400
20880 +++ linux-2.6.31/drivers/staging/panel/panel.c 2009-09-06 15:29:11.849154555 -0400
20881 @@ -1263,7 +1263,7 @@ static int lcd_release(struct inode *ino
20885 -static struct file_operations lcd_fops = {
20886 +static const struct file_operations lcd_fops = {
20887 .write = lcd_write,
20889 .release = lcd_release,
20890 @@ -1519,7 +1519,7 @@ static int keypad_release(struct inode *
20894 -static struct file_operations keypad_fops = {
20895 +static const struct file_operations keypad_fops = {
20896 .read = keypad_read, /* read */
20897 .open = keypad_open, /* open */
20898 .release = keypad_release, /* close */
20899 diff -urNp linux-2.6.31/drivers/staging/poch/poch.c linux-2.6.31/drivers/staging/poch/poch.c
20900 --- linux-2.6.31/drivers/staging/poch/poch.c 2009-08-27 20:59:04.000000000 -0400
20901 +++ linux-2.6.31/drivers/staging/poch/poch.c 2009-09-06 15:29:11.866156697 -0400
20902 @@ -1056,7 +1056,7 @@ static int poch_ioctl(struct inode *inod
20906 -static struct file_operations poch_fops = {
20907 +static const struct file_operations poch_fops = {
20908 .owner = THIS_MODULE,
20910 .release = poch_release,
20911 diff -urNp linux-2.6.31/drivers/staging/rtl8192su/ieee80211/proc.c linux-2.6.31/drivers/staging/rtl8192su/ieee80211/proc.c
20912 --- linux-2.6.31/drivers/staging/rtl8192su/ieee80211/proc.c 2009-08-27 20:59:04.000000000 -0400
20913 +++ linux-2.6.31/drivers/staging/rtl8192su/ieee80211/proc.c 2009-09-06 15:29:11.872729455 -0400
20914 @@ -87,7 +87,7 @@ static int c_show(struct seq_file *m, vo
20918 -static struct seq_operations crypto_seq_ops = {
20919 +static const struct seq_operations crypto_seq_ops = {
20923 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
20924 return seq_open(file, &crypto_seq_ops);
20927 -static struct file_operations proc_crypto_ops = {
20928 +static const struct file_operations proc_crypto_ops = {
20929 .open = crypto_info_open,
20931 .llseek = seq_lseek,
20932 diff -urNp linux-2.6.31/drivers/uio/uio.c linux-2.6.31/drivers/uio/uio.c
20933 --- linux-2.6.31/drivers/uio/uio.c 2009-08-27 20:59:04.000000000 -0400
20934 +++ linux-2.6.31/drivers/uio/uio.c 2009-09-06 15:29:11.873165013 -0400
20935 @@ -658,7 +658,7 @@ static int uio_vma_fault(struct vm_area_
20939 -static struct vm_operations_struct uio_vm_ops = {
20940 +static const struct vm_operations_struct uio_vm_ops = {
20941 .open = uio_vma_open,
20942 .close = uio_vma_close,
20943 .fault = uio_vma_fault,
20944 diff -urNp linux-2.6.31/drivers/usb/atm/usbatm.c linux-2.6.31/drivers/usb/atm/usbatm.c
20945 --- linux-2.6.31/drivers/usb/atm/usbatm.c 2009-08-27 20:59:04.000000000 -0400
20946 +++ linux-2.6.31/drivers/usb/atm/usbatm.c 2009-09-06 15:29:11.883935279 -0400
20947 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
20948 if (printk_ratelimit())
20949 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
20950 __func__, vpi, vci);
20951 - atomic_inc(&vcc->stats->rx_err);
20952 + atomic_inc_unchecked(&vcc->stats->rx_err);
20956 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
20957 if (length > ATM_MAX_AAL5_PDU) {
20958 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
20959 __func__, length, vcc);
20960 - atomic_inc(&vcc->stats->rx_err);
20961 + atomic_inc_unchecked(&vcc->stats->rx_err);
20965 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
20966 if (sarb->len < pdu_length) {
20967 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
20968 __func__, pdu_length, sarb->len, vcc);
20969 - atomic_inc(&vcc->stats->rx_err);
20970 + atomic_inc_unchecked(&vcc->stats->rx_err);
20974 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
20975 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
20977 - atomic_inc(&vcc->stats->rx_err);
20978 + atomic_inc_unchecked(&vcc->stats->rx_err);
20982 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
20983 if (printk_ratelimit())
20984 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
20986 - atomic_inc(&vcc->stats->rx_drop);
20987 + atomic_inc_unchecked(&vcc->stats->rx_drop);
20991 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
20993 vcc->push(vcc, skb);
20995 - atomic_inc(&vcc->stats->rx);
20996 + atomic_inc_unchecked(&vcc->stats->rx);
21000 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
21001 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
21003 usbatm_pop(vcc, skb);
21004 - atomic_inc(&vcc->stats->tx);
21005 + atomic_inc_unchecked(&vcc->stats->tx);
21007 skb = skb_dequeue(&instance->sndqueue);
21009 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
21011 return sprintf(page,
21012 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
21013 - atomic_read(&atm_dev->stats.aal5.tx),
21014 - atomic_read(&atm_dev->stats.aal5.tx_err),
21015 - atomic_read(&atm_dev->stats.aal5.rx),
21016 - atomic_read(&atm_dev->stats.aal5.rx_err),
21017 - atomic_read(&atm_dev->stats.aal5.rx_drop));
21018 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
21019 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
21020 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
21021 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
21022 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
21025 if (instance->disconnected)
21026 diff -urNp linux-2.6.31/drivers/usb/class/cdc-acm.c linux-2.6.31/drivers/usb/class/cdc-acm.c
21027 --- linux-2.6.31/drivers/usb/class/cdc-acm.c 2009-08-27 20:59:04.000000000 -0400
21028 +++ linux-2.6.31/drivers/usb/class/cdc-acm.c 2009-09-06 15:29:11.895662398 -0400
21029 @@ -1529,7 +1529,7 @@ static struct usb_device_id acm_ids[] =
21030 USB_CDC_ACM_PROTO_AT_CDMA) },
21032 /* NOTE: COMM/ACM/0xff is likely MSFT RNDIS ... NOT a modem!! */
21034 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
21037 MODULE_DEVICE_TABLE(usb, acm_ids);
21038 diff -urNp linux-2.6.31/drivers/usb/class/usblp.c linux-2.6.31/drivers/usb/class/usblp.c
21039 --- linux-2.6.31/drivers/usb/class/usblp.c 2009-08-27 20:59:04.000000000 -0400
21040 +++ linux-2.6.31/drivers/usb/class/usblp.c 2009-09-06 15:29:11.896326225 -0400
21041 @@ -228,7 +228,7 @@ static const struct quirk_printer_struct
21042 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
21043 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
21044 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
21049 static int usblp_wwait(struct usblp *usblp, int nonblock);
21050 @@ -1412,7 +1412,7 @@ static struct usb_device_id usblp_ids []
21051 { USB_INTERFACE_INFO(7, 1, 2) },
21052 { USB_INTERFACE_INFO(7, 1, 3) },
21053 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
21054 - { } /* Terminating entry */
21055 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
21058 MODULE_DEVICE_TABLE (usb, usblp_ids);
21059 diff -urNp linux-2.6.31/drivers/usb/class/usbtmc.c linux-2.6.31/drivers/usb/class/usbtmc.c
21060 --- linux-2.6.31/drivers/usb/class/usbtmc.c 2009-08-27 20:59:04.000000000 -0400
21061 +++ linux-2.6.31/drivers/usb/class/usbtmc.c 2009-09-06 15:29:11.897180911 -0400
21062 @@ -956,7 +956,7 @@ static long usbtmc_ioctl(struct file *fi
21066 -static struct file_operations fops = {
21067 +static const struct file_operations fops = {
21068 .owner = THIS_MODULE,
21069 .read = usbtmc_read,
21070 .write = usbtmc_write,
21071 diff -urNp linux-2.6.31/drivers/usb/core/hub.c linux-2.6.31/drivers/usb/core/hub.c
21072 --- linux-2.6.31/drivers/usb/core/hub.c 2009-08-27 20:59:04.000000000 -0400
21073 +++ linux-2.6.31/drivers/usb/core/hub.c 2009-09-06 15:29:11.908111193 -0400
21074 @@ -3284,7 +3284,7 @@ static struct usb_device_id hub_id_table
21075 .bDeviceClass = USB_CLASS_HUB},
21076 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
21077 .bInterfaceClass = USB_CLASS_HUB},
21078 - { } /* Terminating entry */
21079 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
21082 MODULE_DEVICE_TABLE (usb, hub_id_table);
21083 diff -urNp linux-2.6.31/drivers/usb/core/inode.c linux-2.6.31/drivers/usb/core/inode.c
21084 --- linux-2.6.31/drivers/usb/core/inode.c 2009-08-27 20:59:04.000000000 -0400
21085 +++ linux-2.6.31/drivers/usb/core/inode.c 2009-09-06 15:29:11.925250521 -0400
21087 #define USBFS_DEFAULT_BUSMODE (S_IXUGO | S_IRUGO)
21088 #define USBFS_DEFAULT_LISTMODE S_IRUGO
21090 -static struct super_operations usbfs_ops;
21091 +static const struct super_operations usbfs_ops;
21092 static const struct file_operations default_file_operations;
21093 static struct vfsmount *usbfs_mount;
21094 static int usbfs_mount_count; /* = 0 */
21095 @@ -449,7 +449,7 @@ static const struct file_operations defa
21096 .llseek = default_file_lseek,
21099 -static struct super_operations usbfs_ops = {
21100 +static const struct super_operations usbfs_ops = {
21101 .statfs = simple_statfs,
21102 .drop_inode = generic_delete_inode,
21103 .remount_fs = remount,
21104 diff -urNp linux-2.6.31/drivers/usb/core/message.c linux-2.6.31/drivers/usb/core/message.c
21105 --- linux-2.6.31/drivers/usb/core/message.c 2009-08-27 20:59:04.000000000 -0400
21106 +++ linux-2.6.31/drivers/usb/core/message.c 2009-09-06 15:29:11.931631211 -0400
21107 @@ -926,8 +926,8 @@ char *usb_cache_string(struct usb_device
21108 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_KERNEL);
21110 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
21112 - smallbuf = kmalloc(++len, GFP_KERNEL);
21114 + smallbuf = kmalloc(len, GFP_KERNEL);
21117 memcpy(smallbuf, buf, len);
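Review bot: The replacement `smallbuf = kmalloc(len, GFP_KERNEL);` drops the `++` that sized the copy buffer for the terminating NUL, and the following `memcpy(smallbuf, buf, len)` copies exactly len bytes, so unless the increment was moved to a statement of its own on a line not shown here, the cached string is left unterminated. The hunk header shows equal old and new line counts, which would fit a one-for-one swap, but a line between the removed and added lines is not visible, so this needs confirming against the full patch. If the increment was indeed dropped, restore it as its own statement, `++len;`, before the kmalloc, which also keeps the side effect out of the allocator's argument list. usb_cache_string starts before this hunk.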
21118 diff -urNp linux-2.6.31/drivers/usb/gadget/inode.c linux-2.6.31/drivers/usb/gadget/inode.c
21119 --- linux-2.6.31/drivers/usb/gadget/inode.c 2009-08-27 20:59:04.000000000 -0400
21120 +++ linux-2.6.31/drivers/usb/gadget/inode.c 2009-09-06 15:29:11.939398227 -0400
21121 @@ -2033,7 +2033,7 @@ gadgetfs_create_file (struct super_block
21125 -static struct super_operations gadget_fs_operations = {
21126 +static const struct super_operations gadget_fs_operations = {
21127 .statfs = simple_statfs,
21128 .drop_inode = generic_delete_inode,
21130 diff -urNp linux-2.6.31/drivers/usb/gadget/printer.c linux-2.6.31/drivers/usb/gadget/printer.c
21131 --- linux-2.6.31/drivers/usb/gadget/printer.c 2009-08-27 20:59:04.000000000 -0400
21132 +++ linux-2.6.31/drivers/usb/gadget/printer.c 2009-09-06 15:29:11.944161050 -0400
21133 @@ -875,7 +875,7 @@ printer_ioctl(struct file *fd, unsigned
21136 /* used after endpoint configuration */
21137 -static struct file_operations printer_io_operations = {
21138 +static const struct file_operations printer_io_operations = {
21139 .owner = THIS_MODULE,
21140 .open = printer_open,
21141 .read = printer_read,
21142 diff -urNp linux-2.6.31/drivers/usb/host/ehci-pci.c linux-2.6.31/drivers/usb/host/ehci-pci.c
21143 --- linux-2.6.31/drivers/usb/host/ehci-pci.c 2009-08-27 20:59:04.000000000 -0400
21144 +++ linux-2.6.31/drivers/usb/host/ehci-pci.c 2009-09-06 15:29:11.955157191 -0400
21145 @@ -416,7 +416,7 @@ static const struct pci_device_id pci_id
21146 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
21147 .driver_data = (unsigned long) &ehci_pci_hc_driver,
21149 - { /* end: all zeroes */ }
21150 + { 0, 0, 0, 0, 0, 0, 0 }
21152 MODULE_DEVICE_TABLE(pci, pci_ids);
21154 diff -urNp linux-2.6.31/drivers/usb/host/uhci-hcd.c linux-2.6.31/drivers/usb/host/uhci-hcd.c
21155 --- linux-2.6.31/drivers/usb/host/uhci-hcd.c 2009-08-27 20:59:04.000000000 -0400
21156 +++ linux-2.6.31/drivers/usb/host/uhci-hcd.c 2009-09-06 15:29:11.962755825 -0400
21157 @@ -927,7 +927,7 @@ static const struct pci_device_id uhci_p
21158 /* handle any USB UHCI controller */
21159 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
21160 .driver_data = (unsigned long) &uhci_driver,
21161 - }, { /* end: all zeroes */ }
21162 + }, { 0, 0, 0, 0, 0, 0, 0 }
21165 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
21166 diff -urNp linux-2.6.31/drivers/usb/host/whci/debug.c linux-2.6.31/drivers/usb/host/whci/debug.c
21167 --- linux-2.6.31/drivers/usb/host/whci/debug.c 2009-08-27 20:59:04.000000000 -0400
21168 +++ linux-2.6.31/drivers/usb/host/whci/debug.c 2009-09-06 15:29:11.965422653 -0400
21169 @@ -134,7 +134,7 @@ static int pzl_open(struct inode *inode,
21170 return single_open(file, pzl_print, inode->i_private);
21173 -static struct file_operations di_fops = {
21174 +static const struct file_operations di_fops = {
21177 .llseek = seq_lseek,
21178 @@ -142,7 +142,7 @@ static struct file_operations di_fops =
21179 .owner = THIS_MODULE,
21182 -static struct file_operations asl_fops = {
21183 +static const struct file_operations asl_fops = {
21186 .llseek = seq_lseek,
21187 @@ -150,7 +150,7 @@ static struct file_operations asl_fops =
21188 .owner = THIS_MODULE,
21191 -static struct file_operations pzl_fops = {
21192 +static const struct file_operations pzl_fops = {
21195 .llseek = seq_lseek,
21196 diff -urNp linux-2.6.31/drivers/usb/mon/mon_bin.c linux-2.6.31/drivers/usb/mon/mon_bin.c
21197 --- linux-2.6.31/drivers/usb/mon/mon_bin.c 2009-08-27 20:59:04.000000000 -0400
21198 +++ linux-2.6.31/drivers/usb/mon/mon_bin.c 2009-09-06 15:29:11.966261808 -0400
21199 @@ -1184,7 +1184,7 @@ static int mon_bin_vma_fault(struct vm_a
21203 -static struct vm_operations_struct mon_bin_vm_ops = {
21204 +static const struct vm_operations_struct mon_bin_vm_ops = {
21205 .open = mon_bin_vma_open,
21206 .close = mon_bin_vma_close,
21207 .fault = mon_bin_vma_fault,
21208 diff -urNp linux-2.6.31/drivers/usb/storage/debug.h linux-2.6.31/drivers/usb/storage/debug.h
21209 --- linux-2.6.31/drivers/usb/storage/debug.h 2009-08-27 20:59:04.000000000 -0400
21210 +++ linux-2.6.31/drivers/usb/storage/debug.h 2009-09-06 15:29:11.966261808 -0400
21211 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
21212 #define US_DEBUGPX(x...) printk( x )
21213 #define US_DEBUG(x) x
21215 -#define US_DEBUGP(x...)
21216 -#define US_DEBUGPX(x...)
21217 -#define US_DEBUG(x)
21218 +#define US_DEBUGP(x...) do {} while (0)
21219 +#define US_DEBUGPX(x...) do {} while (0)
21220 +#define US_DEBUG(x) do {} while (0)
21224 diff -urNp linux-2.6.31/drivers/usb/storage/usb.c linux-2.6.31/drivers/usb/storage/usb.c
21225 --- linux-2.6.31/drivers/usb/storage/usb.c 2009-08-27 20:59:04.000000000 -0400
21226 +++ linux-2.6.31/drivers/usb/storage/usb.c 2009-09-06 15:29:11.967274632 -0400
21227 @@ -118,7 +118,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
21229 static struct us_unusual_dev us_unusual_dev_list[] = {
21230 # include "unusual_devs.h"
21231 - { } /* Terminating entry */
21232 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
21236 diff -urNp linux-2.6.31/drivers/usb/storage/usual-tables.c linux-2.6.31/drivers/usb/storage/usual-tables.c
21237 --- linux-2.6.31/drivers/usb/storage/usual-tables.c 2009-08-27 20:59:04.000000000 -0400
21238 +++ linux-2.6.31/drivers/usb/storage/usual-tables.c 2009-09-06 15:29:11.968165129 -0400
21241 struct usb_device_id usb_storage_usb_ids[] = {
21242 # include "unusual_devs.h"
21243 - { } /* Terminating entry */
21244 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
21246 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
21248 diff -urNp linux-2.6.31/drivers/uwb/uwb-debug.c linux-2.6.31/drivers/uwb/uwb-debug.c
21249 --- linux-2.6.31/drivers/uwb/uwb-debug.c 2009-08-27 20:59:04.000000000 -0400
21250 +++ linux-2.6.31/drivers/uwb/uwb-debug.c 2009-09-06 15:29:11.968165129 -0400
21251 @@ -205,7 +205,7 @@ static ssize_t command_write(struct file
21252 return ret < 0 ? ret : len;
21255 -static struct file_operations command_fops = {
21256 +static const struct file_operations command_fops = {
21257 .open = command_open,
21258 .write = command_write,
21260 @@ -255,7 +255,7 @@ static int reservations_open(struct inod
21261 return single_open(file, reservations_print, inode->i_private);
21264 -static struct file_operations reservations_fops = {
21265 +static const struct file_operations reservations_fops = {
21266 .open = reservations_open,
21268 .llseek = seq_lseek,
21269 @@ -283,7 +283,7 @@ static int drp_avail_open(struct inode *
21270 return single_open(file, drp_avail_print, inode->i_private);
21273 -static struct file_operations drp_avail_fops = {
21274 +static const struct file_operations drp_avail_fops = {
21275 .open = drp_avail_open,
21277 .llseek = seq_lseek,
21278 diff -urNp linux-2.6.31/drivers/uwb/wlp/messages.c linux-2.6.31/drivers/uwb/wlp/messages.c
21279 --- linux-2.6.31/drivers/uwb/wlp/messages.c 2009-08-27 20:59:04.000000000 -0400
21280 +++ linux-2.6.31/drivers/uwb/wlp/messages.c 2009-09-06 15:29:11.969325167 -0400
21281 @@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
21282 size_t len = skb->len;
21285 - struct wlp_nonce enonce, rnonce;
21286 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
21287 enum wlp_assc_error assc_err;
21288 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
21289 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
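Review bot: The new `struct wlp_nonce enonce = {{0}}, rnonce = {{0}};` carries no comment saying why these stack nonces now need zeroing, and without one the initializers read as warning suppression. Presumably the parsing that follows fills them only on some paths while they are read afterwards; if so, `/* zeroed: not every parse path below fills these before they are used */` documents the intent, and if the reason is different it should go there instead. wlp_parse_f0 continues outside the hunk.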
21290 diff -urNp linux-2.6.31/drivers/video/fb_defio.c linux-2.6.31/drivers/video/fb_defio.c
21291 --- linux-2.6.31/drivers/video/fb_defio.c 2009-08-27 20:59:04.000000000 -0400
21292 +++ linux-2.6.31/drivers/video/fb_defio.c 2009-09-06 15:29:11.969325167 -0400
21293 @@ -125,7 +125,7 @@ page_already_added:
21297 -static struct vm_operations_struct fb_deferred_io_vm_ops = {
21298 +static const struct vm_operations_struct fb_deferred_io_vm_ops = {
21299 .fault = fb_deferred_io_fault,
21300 .page_mkwrite = fb_deferred_io_mkwrite,
21302 diff -urNp linux-2.6.31/drivers/video/fbmem.c linux-2.6.31/drivers/video/fbmem.c
21303 --- linux-2.6.31/drivers/video/fbmem.c 2009-08-27 20:59:04.000000000 -0400
21304 +++ linux-2.6.31/drivers/video/fbmem.c 2009-09-06 15:29:11.970183970 -0400
21305 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
21306 image->dx += image->width + 8;
21308 } else if (rotate == FB_ROTATE_UD) {
21309 - for (x = 0; x < num && image->dx >= 0; x++) {
21310 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
21311 info->fbops->fb_imageblit(info, image);
21312 image->dx -= image->width + 8;
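Review bot: The `(__s32)` cast in `for (x = 0; x < num && (__s32)image->dx >= 0; x++)` is doing real work — the field is presumably unsigned, so the original `>= 0` test was always true and the loop relied on `x < num` alone after `image->dx -= image->width + 8` wrapped — but nothing at the site says so. Suggest a comment on the loop, `/* dx is unsigned: compare as signed so the loop stops once the decrement below goes negative */`, and the same on the dy loop in the next hunk. fb_do_show_logo starts outside this hunk.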
21314 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
21315 image->dy += image->height + 8;
21317 } else if (rotate == FB_ROTATE_CCW) {
21318 - for (x = 0; x < num && image->dy >= 0; x++) {
21319 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
21320 info->fbops->fb_imageblit(info, image);
21321 image->dy -= image->height + 8;
21323 @@ -1108,7 +1108,7 @@ static long do_fb_ioctl(struct fb_info *
21325 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
21327 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
21328 + if (con2fb.framebuffer >= FB_MAX)
21330 if (!registered_fb[con2fb.framebuffer])
21331 request_module("fb%d", con2fb.framebuffer);
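Review bot: Dropping the `con2fb.framebuffer < 0` half of the bound check leaves `if (con2fb.framebuffer >= FB_MAX)` as the only guard on an index taken from userspace and used in `registered_fb[con2fb.framebuffer]`, and nothing at the site records why that is sufficient. It is sufficient only because the field is unsigned, which made the removed comparison always false and is presumably what prompted the change, so a comment such as `/* framebuffer is unsigned: the upper bound alone keeps registered_fb[] in range */` would stop the next reader from reinstating the dead test or worrying about negative values. do_fb_ioctl starts and ends outside this hunk.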
21332 diff -urNp linux-2.6.31/drivers/video/fbmon.c linux-2.6.31/drivers/video/fbmon.c
21333 --- linux-2.6.31/drivers/video/fbmon.c 2009-08-27 20:59:04.000000000 -0400
21334 +++ linux-2.6.31/drivers/video/fbmon.c 2009-09-06 15:29:11.971272438 -0400
21337 #define DPRINTK(fmt, args...) printk(fmt,## args)
21339 -#define DPRINTK(fmt, args...)
21340 +#define DPRINTK(fmt, args...) do {} while (0)
21343 #define FBMON_FIX_HEADER 1
21344 diff -urNp linux-2.6.31/drivers/video/i810/i810_accel.c linux-2.6.31/drivers/video/i810/i810_accel.c
21345 --- linux-2.6.31/drivers/video/i810/i810_accel.c 2009-08-27 20:59:04.000000000 -0400
21346 +++ linux-2.6.31/drivers/video/i810/i810_accel.c 2009-09-06 15:29:11.971272438 -0400
21347 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
21350 printk("ringbuffer lockup!!!\n");
21351 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
21352 i810_report_error(mmio);
21353 par->dev_flags |= LOCKUP;
21354 info->pixmap.scan_align = 1;
21355 diff -urNp linux-2.6.31/drivers/video/i810/i810_main.c linux-2.6.31/drivers/video/i810/i810_main.c
21356 --- linux-2.6.31/drivers/video/i810/i810_main.c 2009-08-27 20:59:04.000000000 -0400
21357 +++ linux-2.6.31/drivers/video/i810/i810_main.c 2009-09-06 15:29:11.972172786 -0400
21358 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
21359 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
21360 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
21361 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
21363 + { 0, 0, 0, 0, 0, 0, 0 },
21366 static struct pci_driver i810fb_driver = {
21367 diff -urNp linux-2.6.31/drivers/video/modedb.c linux-2.6.31/drivers/video/modedb.c
21368 --- linux-2.6.31/drivers/video/modedb.c 2009-08-27 20:59:04.000000000 -0400
21369 +++ linux-2.6.31/drivers/video/modedb.c 2009-09-06 15:29:11.973230230 -0400
21370 @@ -38,240 +38,240 @@ static const struct fb_videomode modedb[
21372 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
21373 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
21374 - 0, FB_VMODE_NONINTERLACED
21375 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21377 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
21378 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
21379 - 0, FB_VMODE_NONINTERLACED
21380 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21382 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
21383 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
21384 - 0, FB_VMODE_NONINTERLACED
21385 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21387 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
21388 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
21389 - 0, FB_VMODE_INTERLACED
21390 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
21392 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
21393 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
21394 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21395 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21397 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
21398 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
21399 - 0, FB_VMODE_NONINTERLACED
21400 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21402 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
21403 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
21404 - 0, FB_VMODE_NONINTERLACED
21405 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21407 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
21408 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
21409 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21410 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21412 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
21413 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
21414 - 0, FB_VMODE_NONINTERLACED
21415 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21417 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
21418 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
21419 - 0, FB_VMODE_INTERLACED
21420 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
21422 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
21423 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
21424 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21425 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21427 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
21428 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
21429 - 0, FB_VMODE_NONINTERLACED
21430 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21432 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
21433 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
21434 - 0, FB_VMODE_NONINTERLACED
21435 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21437 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
21438 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
21439 - 0, FB_VMODE_NONINTERLACED
21440 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21442 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
21443 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
21444 - 0, FB_VMODE_NONINTERLACED
21445 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21447 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
21448 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
21449 - 0, FB_VMODE_NONINTERLACED
21450 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21452 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
21453 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
21454 - 0, FB_VMODE_INTERLACED
21455 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
21457 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
21458 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
21459 - 0, FB_VMODE_NONINTERLACED
21460 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21462 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
21463 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
21464 - 0, FB_VMODE_NONINTERLACED
21465 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21467 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
21468 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
21469 - 0, FB_VMODE_NONINTERLACED
21470 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21472 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
21473 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
21474 - 0, FB_VMODE_NONINTERLACED
21475 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21477 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
21478 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
21479 - 0, FB_VMODE_NONINTERLACED
21480 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21482 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
21483 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
21484 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21485 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21487 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
21488 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
21489 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21490 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21492 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
21493 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
21494 - 0, FB_VMODE_NONINTERLACED
21495 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21497 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
21498 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
21499 - 0, FB_VMODE_NONINTERLACED
21500 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21502 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
21503 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
21504 - 0, FB_VMODE_NONINTERLACED
21505 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21507 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
21508 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
21509 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21510 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21512 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
21513 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
21514 - 0, FB_VMODE_NONINTERLACED
21515 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21517 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
21518 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
21519 - 0, FB_VMODE_NONINTERLACED
21520 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21522 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
21523 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
21524 - 0, FB_VMODE_NONINTERLACED
21525 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21527 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
21528 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
21529 - 0, FB_VMODE_NONINTERLACED
21530 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21532 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
21533 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
21534 - 0, FB_VMODE_NONINTERLACED
21535 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21537 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
21538 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
21539 - 0, FB_VMODE_NONINTERLACED
21540 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21542 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
21543 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
21544 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21545 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21547 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
21548 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
21549 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21550 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21552 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
21553 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
21554 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21555 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21557 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
21558 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
21559 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21560 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21562 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
21563 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
21564 - 0, FB_VMODE_NONINTERLACED
21565 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21567 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
21568 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
21569 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21570 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21572 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
21573 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
21574 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21575 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21577 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
21578 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
21579 - 0, FB_VMODE_NONINTERLACED
21580 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21582 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
21583 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
21584 - 0, FB_VMODE_NONINTERLACED
21585 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21587 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
21588 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
21589 - 0, FB_VMODE_DOUBLE
21590 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
21592 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
21593 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
21594 - 0, FB_VMODE_DOUBLE
21595 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
21597 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
21598 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
21599 - 0, FB_VMODE_DOUBLE
21600 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
21602 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
21603 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
21604 - 0, FB_VMODE_DOUBLE
21605 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
21607 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
21608 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
21609 - 0, FB_VMODE_DOUBLE
21610 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
21612 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
21613 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
21614 - 0, FB_VMODE_DOUBLE
21615 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
21617 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
21618 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
21619 - 0, FB_VMODE_DOUBLE
21620 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
21622 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
21623 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
21624 - 0, FB_VMODE_DOUBLE
21625 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
21627 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
21628 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
21629 - 0, FB_VMODE_DOUBLE
21630 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
21632 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
21633 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
21634 - 0, FB_VMODE_DOUBLE
21635 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
21637 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
21638 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
21639 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
21640 - FB_VMODE_NONINTERLACED
21641 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21643 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
21644 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
21645 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
21646 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21648 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
21649 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
21650 - 0, FB_VMODE_NONINTERLACED
21651 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21653 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
21654 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
21655 - 0, FB_VMODE_NONINTERLACED
21656 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
21658 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
21659 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
21660 - 0, FB_VMODE_INTERLACED
21661 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
21663 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
21664 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
21665 - 0, FB_VMODE_INTERLACED
21666 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
21670 diff -urNp linux-2.6.31/drivers/video/omap/dispc.c linux-2.6.31/drivers/video/omap/dispc.c
21671 --- linux-2.6.31/drivers/video/omap/dispc.c 2009-08-27 20:59:04.000000000 -0400
21672 +++ linux-2.6.31/drivers/video/omap/dispc.c 2009-09-06 15:29:11.974192351 -0400
21673 @@ -1013,7 +1013,7 @@ static void mmap_user_close(struct vm_ar
21674 atomic_dec(&dispc.map_count[plane]);
21677 -static struct vm_operations_struct mmap_user_ops = {
21678 +static const struct vm_operations_struct mmap_user_ops = {
21679 .open = mmap_user_open,
21680 .close = mmap_user_close,
21682 diff -urNp linux-2.6.31/drivers/video/uvesafb.c linux-2.6.31/drivers/video/uvesafb.c
21683 --- linux-2.6.31/drivers/video/uvesafb.c 2009-08-27 20:59:04.000000000 -0400
21684 +++ linux-2.6.31/drivers/video/uvesafb.c 2009-09-06 15:29:11.974192351 -0400
21686 #include <linux/fb.h>
21687 #include <linux/io.h>
21688 #include <linux/mutex.h>
21689 +#include <linux/moduleloader.h>
21690 #include <video/edid.h>
21691 #include <video/uvesafb.h>
21693 @@ -118,7 +119,7 @@ static int uvesafb_helper_start(void)
21697 - return call_usermodehelper(v86d_path, argv, envp, 1);
21698 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
21702 @@ -566,10 +567,34 @@ static int __devinit uvesafb_vbe_getpmi(
21703 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
21704 par->pmi_setpal = par->ypan = 0;
21707 +#ifdef CONFIG_PAX_KERNEXEC
21708 +#ifdef CONFIG_MODULES
21709 + unsigned long cr0;
21711 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
21713 + if (!par->pmi_code) {
21714 + par->pmi_setpal = par->ypan = 0;
21719 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
21720 + task->t.regs.edi);
21722 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
21723 + pax_open_kernel(cr0);
21724 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
21725 + pax_close_kernel(cr0);
21727 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
21728 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
21730 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
21731 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
21734 printk(KERN_INFO "uvesafb: protected mode interface info at "
21736 (u16)task->t.regs.es, (u16)task->t.regs.edi);
21737 @@ -1825,6 +1850,11 @@ out:
21738 if (par->vbe_modes)
21739 kfree(par->vbe_modes);
21741 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
21742 + if (par->pmi_code)
21743 + module_free_exec(NULL, par->pmi_code);
21746 framebuffer_release(info);
21749 @@ -1851,6 +1881,12 @@ static int uvesafb_remove(struct platfor
21750 kfree(par->vbe_state_orig);
21751 if (par->vbe_state_saved)
21752 kfree(par->vbe_state_saved);
21754 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
21755 + if (par->pmi_code)
21756 + module_free_exec(NULL, par->pmi_code);
21761 framebuffer_release(info);
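Review bot: The new `par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);` and the `pmi_base[2]` line below it take the entry offsets from the BIOS-supplied PMI table but never compare them with the `(u16)task->t.regs.ecx` bytes that were actually allocated and copied, so a table whose offsets exceed its own stated length yields function pointers outside the module_alloc_exec region. The pre-existing non-KERNEXEC branch (`par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];`) has the same unchecked offsets, but there they only point into the live BIOS mapping rather than past a bounded allocation. A guard before the assignments, e.g. `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx) { par->pmi_setpal = par->ypan = 0; goto out; }` with whatever label the surrounding function uses, would keep the pointers inside the copied code. The same unchecked `pmi_base[1]`/`pmi_base[2]` use appears in the vesafb.c section below (`pmi_start = (void*)((char*)pmi_code + pmi_base[1]);`) against `screen_info.vesapm_size`. The enclosing uvesafb_vbe_getpmi body starts and ends outside the hunk, so the failure-path control flow after the allocation check is not visible here.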
21762 diff -urNp linux-2.6.31/drivers/video/vesafb.c linux-2.6.31/drivers/video/vesafb.c
21763 --- linux-2.6.31/drivers/video/vesafb.c 2009-08-27 20:59:04.000000000 -0400
21764 +++ linux-2.6.31/drivers/video/vesafb.c 2009-09-06 15:29:11.975166668 -0400
21768 #include <linux/module.h>
21769 +#include <linux/moduleloader.h>
21770 #include <linux/kernel.h>
21771 #include <linux/errno.h>
21772 #include <linux/string.h>
21773 @@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
21774 static int vram_total __initdata; /* Set total amount of memory */
21775 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
21776 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
21777 -static void (*pmi_start)(void) __read_mostly;
21778 -static void (*pmi_pal) (void) __read_mostly;
21779 +static void (*pmi_start)(void) __read_only;
21780 +static void (*pmi_pal) (void) __read_only;
21781 static int depth __read_mostly;
21782 static int vga_compat __read_mostly;
21783 /* --------------------------------------------------------------------- */
21784 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
21785 unsigned int size_vmode;
21786 unsigned int size_remap;
21787 unsigned int size_total;
21788 + void *pmi_code = NULL;
21790 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
21792 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
21793 size_remap = size_total;
21794 vesafb_fix.smem_len = size_remap;
21797 - screen_info.vesapm_seg = 0;
21800 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
21801 printk(KERN_WARNING
21802 "vesafb: cannot reserve video memory at 0x%lx\n",
21803 @@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
21804 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
21805 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
21809 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
21810 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
21812 +#elif !defined(CONFIG_PAX_KERNEXEC)
21817 + screen_info.vesapm_seg = 0;
21819 if (screen_info.vesapm_seg) {
21820 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
21821 - screen_info.vesapm_seg,screen_info.vesapm_off);
21822 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
21823 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
21826 if (screen_info.vesapm_seg < 0xc000)
21827 @@ -325,9 +335,29 @@ static int __init vesafb_probe(struct pl
21829 if (ypan || pmi_setpal) {
21830 unsigned short *pmi_base;
21831 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
21832 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
21833 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
21835 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
21836 + unsigned long cr0;
21839 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
21841 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
21842 + pax_open_kernel(cr0);
21843 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
21845 + pmi_code = pmi_base;
21848 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
21849 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
21851 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
21852 + pmi_start = ktva_ktla(pmi_start);
21853 + pmi_pal = ktva_ktla(pmi_pal);
21854 + pax_close_kernel(cr0);
21857 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
21859 printk(KERN_INFO "vesafb: pmi: ports = ");
21860 @@ -469,6 +499,11 @@ static int __init vesafb_probe(struct pl
21861 info->node, info->fix.id);
21865 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
21866 + module_free_exec(NULL, pmi_code);
21869 if (info->screen_base)
21870 iounmap(info->screen_base);
21871 framebuffer_release(info);
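Review bot: The allocation `pmi_code = module_alloc_exec(screen_info.vesapm_size);` is compiled under `defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)`, but the error-path release `module_free_exec(NULL, pmi_code);` in the last hunk is additionally gated on `__i386__`, so a non-i386 build with both options set leaks the executable allocation whenever vesafb_probe fails after that point. The release is also unconditional, whereas the uvesafb.c section above guards its call with `if (par->pmi_code)`; whether module_free_exec tolerates a NULL argument is not visible on this page. Aligning the two conditions, `#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)` followed by `if (pmi_code) module_free_exec(NULL, pmi_code);`, would make the alloc and free symmetric. The result of module_alloc_exec is presumably checked on one of the lines omitted between the allocation and the `#elif`, but that check is not shown, and vesafb_probe's body extends beyond the hunk.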
21872 diff -urNp linux-2.6.31/fs/9p/vfs_inode.c linux-2.6.31/fs/9p/vfs_inode.c
21873 --- linux-2.6.31/fs/9p/vfs_inode.c 2009-08-27 20:59:04.000000000 -0400
21874 +++ linux-2.6.31/fs/9p/vfs_inode.c 2009-09-06 15:29:11.976157420 -0400
21875 @@ -1025,7 +1025,7 @@ static void *v9fs_vfs_follow_link(struct
21877 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
21879 - char *s = nd_get_link(nd);
21880 + const char *s = nd_get_link(nd);
21882 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
21883 IS_ERR(s) ? "<error>" : s);
21884 diff -urNp linux-2.6.31/fs/afs/proc.c linux-2.6.31/fs/afs/proc.c
21885 --- linux-2.6.31/fs/afs/proc.c 2009-08-27 20:59:04.000000000 -0400
21886 +++ linux-2.6.31/fs/afs/proc.c 2009-09-06 15:29:11.976157420 -0400
21887 @@ -28,7 +28,7 @@ static int afs_proc_cells_show(struct se
21888 static ssize_t afs_proc_cells_write(struct file *file, const char __user *buf,
21889 size_t size, loff_t *_pos);
21891 -static struct seq_operations afs_proc_cells_ops = {
21892 +static const struct seq_operations afs_proc_cells_ops = {
21893 .start = afs_proc_cells_start,
21894 .next = afs_proc_cells_next,
21895 .stop = afs_proc_cells_stop,
21896 @@ -70,7 +70,7 @@ static void *afs_proc_cell_volumes_next(
21897 static void afs_proc_cell_volumes_stop(struct seq_file *p, void *v);
21898 static int afs_proc_cell_volumes_show(struct seq_file *m, void *v);
21900 -static struct seq_operations afs_proc_cell_volumes_ops = {
21901 +static const struct seq_operations afs_proc_cell_volumes_ops = {
21902 .start = afs_proc_cell_volumes_start,
21903 .next = afs_proc_cell_volumes_next,
21904 .stop = afs_proc_cell_volumes_stop,
21905 @@ -95,7 +95,7 @@ static void *afs_proc_cell_vlservers_nex
21906 static void afs_proc_cell_vlservers_stop(struct seq_file *p, void *v);
21907 static int afs_proc_cell_vlservers_show(struct seq_file *m, void *v);
21909 -static struct seq_operations afs_proc_cell_vlservers_ops = {
21910 +static const struct seq_operations afs_proc_cell_vlservers_ops = {
21911 .start = afs_proc_cell_vlservers_start,
21912 .next = afs_proc_cell_vlservers_next,
21913 .stop = afs_proc_cell_vlservers_stop,
21914 @@ -119,7 +119,7 @@ static void *afs_proc_cell_servers_next(
21915 static void afs_proc_cell_servers_stop(struct seq_file *p, void *v);
21916 static int afs_proc_cell_servers_show(struct seq_file *m, void *v);
21918 -static struct seq_operations afs_proc_cell_servers_ops = {
21919 +static const struct seq_operations afs_proc_cell_servers_ops = {
21920 .start = afs_proc_cell_servers_start,
21921 .next = afs_proc_cell_servers_next,
21922 .stop = afs_proc_cell_servers_stop,
21923 diff -urNp linux-2.6.31/fs/aio.c linux-2.6.31/fs/aio.c
21924 --- linux-2.6.31/fs/aio.c 2009-08-27 20:59:04.000000000 -0400
21925 +++ linux-2.6.31/fs/aio.c 2009-09-06 15:29:11.976157420 -0400
21926 @@ -114,7 +114,7 @@ static int aio_setup_ring(struct kioctx
21927 size += sizeof(struct io_event) * nr_events;
21928 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
21930 - if (nr_pages < 0)
21931 + if (nr_pages <= 0)
21934 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
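Review bot: The changed condition `if (nr_pages <= 0)` now also rejects a zero page count, but nothing records why zero is treated as an error rather than a valid empty ring, and the types of `size` and `nr_pages` are declared outside the hunk, so a reader cannot tell whether zero comes from a wrapped `size` or from truncation in the shift on the previous line. A one-line comment such as `/* nr_pages == 0 means size wrapped or truncated; refuse rather than build an empty ring */` would make the intent checkable. If the caller already bounds nr_events before this point, the comment could say so instead; that bound is not visible here. aio_setup_ring starts and ends outside the hunk.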
21935 diff -urNp linux-2.6.31/fs/autofs/root.c linux-2.6.31/fs/autofs/root.c
21936 --- linux-2.6.31/fs/autofs/root.c 2009-08-27 20:59:04.000000000 -0400
21937 +++ linux-2.6.31/fs/autofs/root.c 2009-09-06 15:29:11.977562624 -0400
21938 @@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
21939 set_bit(n,sbi->symlink_bitmap);
21940 sl = &sbi->symlink[n];
21941 sl->len = strlen(symname);
21942 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
21943 + slsize = sl->len+1;
21944 + sl->data = kmalloc(slsize, GFP_KERNEL);
21946 clear_bit(n,sbi->symlink_bitmap);
21948 diff -urNp linux-2.6.31/fs/autofs4/symlink.c linux-2.6.31/fs/autofs4/symlink.c
21949 --- linux-2.6.31/fs/autofs4/symlink.c 2009-08-27 20:59:04.000000000 -0400
21950 +++ linux-2.6.31/fs/autofs4/symlink.c 2009-09-06 15:29:11.977562624 -0400
21952 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
21954 struct autofs_info *ino = autofs4_dentry_ino(dentry);
21955 - nd_set_link(nd, (char *)ino->u.symlink);
21956 + nd_set_link(nd, ino->u.symlink);
21960 diff -urNp linux-2.6.31/fs/befs/linuxvfs.c linux-2.6.31/fs/befs/linuxvfs.c
21961 --- linux-2.6.31/fs/befs/linuxvfs.c 2009-08-27 20:59:04.000000000 -0400
21962 +++ linux-2.6.31/fs/befs/linuxvfs.c 2009-09-06 15:29:11.977562624 -0400
21963 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
21965 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
21966 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
21967 - char *link = nd_get_link(nd);
21968 + const char *link = nd_get_link(nd);
21972 diff -urNp linux-2.6.31/fs/binfmt_aout.c linux-2.6.31/fs/binfmt_aout.c
21973 --- linux-2.6.31/fs/binfmt_aout.c 2009-08-27 20:59:04.000000000 -0400
21974 +++ linux-2.6.31/fs/binfmt_aout.c 2009-09-06 15:29:11.978602145 -0400
21976 #include <linux/string.h>
21977 #include <linux/fs.h>
21978 #include <linux/file.h>
21979 +#include <linux/security.h>
21980 #include <linux/stat.h>
21981 #include <linux/fcntl.h>
21982 #include <linux/ptrace.h>
21983 @@ -113,10 +114,12 @@ static int aout_core_dump(long signr, st
21985 /* If the size of the dump file exceeds the rlimit, then see what would happen
21986 if we wrote the stack, but not the data area. */
21987 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
21988 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
21991 /* Make sure we have enough room to write the stack and data areas. */
21992 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
21993 if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
21996 @@ -249,6 +252,8 @@ static int load_aout_binary(struct linux
21997 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
21998 if (rlim >= RLIM_INFINITY)
22001 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
22002 if (ex.a_data + ex.a_bss > rlim)
22005 @@ -276,6 +281,27 @@ static int load_aout_binary(struct linux
22006 install_exec_creds(bprm);
22007 current->flags &= ~PF_FORKNOEXEC;
22009 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
22010 + current->mm->pax_flags = 0UL;
22013 +#ifdef CONFIG_PAX_PAGEEXEC
22014 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
22015 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
22017 +#ifdef CONFIG_PAX_EMUTRAMP
22018 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
22019 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
22022 +#ifdef CONFIG_PAX_MPROTECT
22023 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
22024 + current->mm->pax_flags |= MF_PAX_MPROTECT;
22030 if (N_MAGIC(ex) == OMAGIC) {
22031 unsigned long text_addr, map_size;
22033 @@ -348,7 +374,7 @@ static int load_aout_binary(struct linux
22035 down_write(¤t->mm->mmap_sem);
22036 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
22037 - PROT_READ | PROT_WRITE | PROT_EXEC,
22038 + PROT_READ | PROT_WRITE,
22039 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
22040 fd_offset + ex.a_text);
22041 up_write(¤t->mm->mmap_sem);
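Review bot: The PaX flag block added after `current->flags &= ~PF_FORKNOEXEC;` derives `current->mm->pax_flags` straight from `N_FLAGS(ex)` with no consistency check, while the ELF loader on this same page runs its parsed flags through `pax_check_flags()` before committing them; if the a.out header cannot express contradictory flags, a comment saying so would explain the asymmetry. The block is also compiled under `CONFIG_PAX_NOEXEC || CONFIG_PAX_ASLR` yet only ever sets the NOEXEC-family bits, so with ASLR alone it merely zeroes `pax_flags` and a.out binaries never receive `MF_PAX_RANDMMAP`; if that exclusion is deliberate, a line such as `/* PaX: a.out gets no RANDMMAP; only the NOEXEC flags come from N_FLAGS() */` would document it. The drop of `PROT_EXEC` from the data-segment `do_mmap` in the last hunk is the visible behaviour change for a.out binaries that execute from their data area and would benefit from a comment tying it to the PAGEEXEC flag set above. load_aout_binary continues outside the hunk.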
22042 diff -urNp linux-2.6.31/fs/binfmt_elf.c linux-2.6.31/fs/binfmt_elf.c
22043 --- linux-2.6.31/fs/binfmt_elf.c 2009-08-27 20:59:04.000000000 -0400
22044 +++ linux-2.6.31/fs/binfmt_elf.c 2009-09-06 15:29:11.984456308 -0400
22046 #include <asm/param.h>
22047 #include <asm/page.h>
22049 +#ifdef CONFIG_PAX_SEGMEXEC
22050 +#include <asm/desc.h>
22053 static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
22054 static int load_elf_library(struct file *);
22055 static unsigned long elf_map(struct file *, unsigned long, struct elf_phdr *,
22056 @@ -50,6 +54,10 @@ static int elf_core_dump(long signr, str
22057 #define elf_core_dump NULL
22060 +#ifdef CONFIG_PAX_MPROTECT
22061 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
22064 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
22065 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
22067 @@ -69,6 +77,11 @@ static struct linux_binfmt elf_format =
22068 .load_binary = load_elf_binary,
22069 .load_shlib = load_elf_library,
22070 .core_dump = elf_core_dump,
22072 +#ifdef CONFIG_PAX_MPROTECT
22073 + .handle_mprotect= elf_handle_mprotect,
22076 .min_coredump = ELF_EXEC_PAGESIZE,
22079 @@ -77,6 +90,8 @@ static struct linux_binfmt elf_format =
22081 static int set_brk(unsigned long start, unsigned long end)
22083 + unsigned long e = end;
22085 start = ELF_PAGEALIGN(start);
22086 end = ELF_PAGEALIGN(end);
22088 @@ -87,7 +102,7 @@ static int set_brk(unsigned long start,
22089 if (BAD_ADDR(addr))
22092 - current->mm->start_brk = current->mm->brk = end;
22093 + current->mm->start_brk = current->mm->brk = e;
22097 @@ -148,7 +163,7 @@ create_elf_tables(struct linux_binprm *b
22098 elf_addr_t __user *u_rand_bytes;
22099 const char *k_platform = ELF_PLATFORM;
22100 const char *k_base_platform = ELF_BASE_PLATFORM;
22101 - unsigned char k_rand_bytes[16];
22102 + u32 k_rand_bytes[4];
22104 elf_addr_t *elf_info;
22106 @@ -195,6 +210,10 @@ create_elf_tables(struct linux_binprm *b
22107 * Generate 16 random bytes for userspace PRNG seeding.
22109 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
22110 + srandom32(k_rand_bytes[0] ^ random32());
22111 + srandom32(k_rand_bytes[1] ^ random32());
22112 + srandom32(k_rand_bytes[2] ^ random32());
22113 + srandom32(k_rand_bytes[3] ^ random32());
22114 u_rand_bytes = (elf_addr_t __user *)
22115 STACK_ALLOC(p, sizeof(k_rand_bytes));
22116 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
22117 @@ -385,10 +404,10 @@ static unsigned long load_elf_interp(str
22119 struct elf_phdr *elf_phdata;
22120 struct elf_phdr *eppnt;
22121 - unsigned long load_addr = 0;
22122 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
22123 int load_addr_set = 0;
22124 unsigned long last_bss = 0, elf_bss = 0;
22125 - unsigned long error = ~0UL;
22126 + unsigned long error = -EINVAL;
22127 unsigned long total_size;
22128 int retval, i, size;
22130 @@ -434,6 +453,11 @@ static unsigned long load_elf_interp(str
22134 +#ifdef CONFIG_PAX_SEGMEXEC
22135 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
22136 + pax_task_size = SEGMEXEC_TASK_SIZE;
22139 eppnt = elf_phdata;
22140 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
22141 if (eppnt->p_type == PT_LOAD) {
22142 @@ -477,8 +501,8 @@ static unsigned long load_elf_interp(str
22143 k = load_addr + eppnt->p_vaddr;
22145 eppnt->p_filesz > eppnt->p_memsz ||
22146 - eppnt->p_memsz > TASK_SIZE ||
22147 - TASK_SIZE - eppnt->p_memsz < k) {
22148 + eppnt->p_memsz > pax_task_size ||
22149 + pax_task_size - eppnt->p_memsz < k) {
22153 @@ -532,6 +556,177 @@ out:
22157 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
22158 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
22160 + unsigned long pax_flags = 0UL;
22162 +#ifdef CONFIG_PAX_PAGEEXEC
22163 + if (elf_phdata->p_flags & PF_PAGEEXEC)
22164 + pax_flags |= MF_PAX_PAGEEXEC;
22167 +#ifdef CONFIG_PAX_SEGMEXEC
22168 + if (elf_phdata->p_flags & PF_SEGMEXEC)
22169 + pax_flags |= MF_PAX_SEGMEXEC;
22172 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
22173 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
22175 + pax_flags &= ~MF_PAX_SEGMEXEC;
22177 + pax_flags &= ~MF_PAX_PAGEEXEC;
22181 +#ifdef CONFIG_PAX_EMUTRAMP
22182 + if (elf_phdata->p_flags & PF_EMUTRAMP)
22183 + pax_flags |= MF_PAX_EMUTRAMP;
22186 +#ifdef CONFIG_PAX_MPROTECT
22187 + if (elf_phdata->p_flags & PF_MPROTECT)
22188 + pax_flags |= MF_PAX_MPROTECT;
22191 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
22192 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
22193 + pax_flags |= MF_PAX_RANDMMAP;
22196 + return pax_flags;
22200 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
22201 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
22203 + unsigned long pax_flags = 0UL;
22205 +#ifdef CONFIG_PAX_PAGEEXEC
22206 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
22207 + pax_flags |= MF_PAX_PAGEEXEC;
22210 +#ifdef CONFIG_PAX_SEGMEXEC
22211 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
22212 + pax_flags |= MF_PAX_SEGMEXEC;
22215 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
22216 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
22218 + pax_flags &= ~MF_PAX_SEGMEXEC;
22220 + pax_flags &= ~MF_PAX_PAGEEXEC;
22224 +#ifdef CONFIG_PAX_EMUTRAMP
22225 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
22226 + pax_flags |= MF_PAX_EMUTRAMP;
22229 +#ifdef CONFIG_PAX_MPROTECT
22230 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
22231 + pax_flags |= MF_PAX_MPROTECT;
22234 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
22235 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
22236 + pax_flags |= MF_PAX_RANDMMAP;
22239 + return pax_flags;
22243 +#ifdef CONFIG_PAX_EI_PAX
22244 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
22246 + unsigned long pax_flags = 0UL;
22248 +#ifdef CONFIG_PAX_PAGEEXEC
22249 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
22250 + pax_flags |= MF_PAX_PAGEEXEC;
22253 +#ifdef CONFIG_PAX_SEGMEXEC
22254 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
22255 + pax_flags |= MF_PAX_SEGMEXEC;
22258 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
22259 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
22261 + pax_flags &= ~MF_PAX_SEGMEXEC;
22263 + pax_flags &= ~MF_PAX_PAGEEXEC;
22267 +#ifdef CONFIG_PAX_EMUTRAMP
22268 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
22269 + pax_flags |= MF_PAX_EMUTRAMP;
22272 +#ifdef CONFIG_PAX_MPROTECT
22273 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
22274 + pax_flags |= MF_PAX_MPROTECT;
22277 +#ifdef CONFIG_PAX_ASLR
22278 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
22279 + pax_flags |= MF_PAX_RANDMMAP;
22282 + return pax_flags;
22286 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
22287 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
22289 + unsigned long pax_flags = 0UL;
22291 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
22295 +#ifdef CONFIG_PAX_EI_PAX
22296 + pax_flags = pax_parse_ei_pax(elf_ex);
22299 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
22300 + for (i = 0UL; i < elf_ex->e_phnum; i++)
22301 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
22302 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
22303 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
22304 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
22305 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
22306 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
22309 +#ifdef CONFIG_PAX_SOFTMODE
22310 + if (pax_softmode)
22311 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
22315 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
22320 + if (0 > pax_check_flags(&pax_flags))
22323 + current->mm->pax_flags = pax_flags;
22329 * These are the functions used to load ELF style executables and shared
22330 * libraries. There is no binary dependent code anywhere else.
22331 @@ -548,6 +743,11 @@ static unsigned long randomize_stack_top
22333 unsigned int random_variable = 0;
22335 +#ifdef CONFIG_PAX_RANDUSTACK
22336 + if (randomize_va_space)
22337 + return stack_top - current->mm->delta_stack;
22340 if ((current->flags & PF_RANDOMIZE) &&
22341 !(current->personality & ADDR_NO_RANDOMIZE)) {
22342 random_variable = get_random_int() & STACK_RND_MASK;
22343 @@ -566,7 +766,7 @@ static int load_elf_binary(struct linux_
22344 unsigned long load_addr = 0, load_bias = 0;
22345 int load_addr_set = 0;
22346 char * elf_interpreter = NULL;
22347 - unsigned long error;
22348 + unsigned long error = 0;
22349 struct elf_phdr *elf_ppnt, *elf_phdata;
22350 unsigned long elf_bss, elf_brk;
22352 @@ -576,11 +776,11 @@ static int load_elf_binary(struct linux_
22353 unsigned long start_code, end_code, start_data, end_data;
22354 unsigned long reloc_func_desc = 0;
22355 int executable_stack = EXSTACK_DEFAULT;
22356 - unsigned long def_flags = 0;
22358 struct elfhdr elf_ex;
22359 struct elfhdr interp_elf_ex;
22361 + unsigned long pax_task_size = TASK_SIZE;
22363 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
22365 @@ -742,11 +942,80 @@ static int load_elf_binary(struct linux_
22367 /* OK, This is the point of no return */
22368 current->flags &= ~PF_FORKNOEXEC;
22369 - current->mm->def_flags = def_flags;
22371 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
22372 + current->mm->pax_flags = 0UL;
22375 +#ifdef CONFIG_PAX_DLRESOLVE
22376 + current->mm->call_dl_resolve = 0UL;
22379 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
22380 + current->mm->call_syscall = 0UL;
22383 +#ifdef CONFIG_PAX_ASLR
22384 + current->mm->delta_mmap = 0UL;
22385 + current->mm->delta_stack = 0UL;
22388 + current->mm->def_flags = 0;
22390 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
22391 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
22392 + send_sig(SIGKILL, current, 0);
22393 + goto out_free_dentry;
22397 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
22398 + pax_set_initial_flags(bprm);
22399 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
22400 + if (pax_set_initial_flags_func)
22401 + (pax_set_initial_flags_func)(bprm);
22404 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
22405 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
22406 + current->mm->context.user_cs_limit = PAGE_SIZE;
22407 + current->mm->def_flags |= VM_PAGEEXEC;
22411 +#ifdef CONFIG_PAX_SEGMEXEC
22412 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
22413 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
22414 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
22415 + pax_task_size = SEGMEXEC_TASK_SIZE;
22419 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
22420 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
22421 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
22426 +#ifdef CONFIG_PAX_ASLR
22427 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
22428 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
22429 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
22433 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
22434 may depend on the personality. */
22435 SET_PERSONALITY(loc->elf_ex);
22437 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22438 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
22439 + executable_stack = EXSTACK_DISABLE_X;
22440 + current->personality &= ~READ_IMPLIES_EXEC;
22444 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
22445 current->personality |= READ_IMPLIES_EXEC;
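Review bot: The pax_parse_elf_flags() rejection sends SIGKILL and jumps to out_free_dentry without assigning retval; the other rejections that follow flush_old_exec() in this function set `retval = -EINVAL;` first, and if retval still holds the 0 that flush_old_exec() returned just above the hunk, load_elf_binary() reports success to search_binary_handler() for an image it refused to run (the pending SIGKILL hides it, but the exec bookkeeping still completes as a success). Add `retval = -EINVAL;` before the goto. The SEGMEXEC branch calls set_user_cs() with get_cpu(); the matching put_cpu() is not visible in the hunk, so confirm preemption is re-enabled on that path. load_elf_binary starts and ends outside this hunk.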
22447 @@ -827,6 +1096,20 @@ static int load_elf_binary(struct linux_
22449 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
22452 +#ifdef CONFIG_PAX_RANDMMAP
22453 + /* PaX: randomize base address at the default exe base if requested */
22454 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
22455 +#ifdef CONFIG_SPARC64
22456 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
22458 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
22460 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
22461 + elf_flags |= MAP_FIXED;
22467 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
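Review bot: The randomized ET_DYN base is mapped with MAP_FIXED, so if `PAX_ELF_ET_DYN_BASE - vaddr + load_bias` overlaps an existing mapping the kernel silently replaces it instead of failing, and nothing here checks that the chosen range is free; at this point presumably only the argument stack from setup_arg_pages() exists, but the guarantee is implicit. Either check the range with find_vma() before setting MAP_FIXED, or keep the hint-only mapping the original code used and verify that the address elf_map() returned is the one requested. The `k >= pax_task_size` bound in the next hunk limits the end of the segment but does not catch collisions. load_elf_binary continues outside this hunk.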
22468 @@ -859,9 +1142,9 @@ static int load_elf_binary(struct linux_
22469 * allowed task size. Note that p_filesz must always be
22470 * <= p_memsz so it is only necessary to check p_memsz.
22472 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
22473 - elf_ppnt->p_memsz > TASK_SIZE ||
22474 - TASK_SIZE - elf_ppnt->p_memsz < k) {
22475 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
22476 + elf_ppnt->p_memsz > pax_task_size ||
22477 + pax_task_size - elf_ppnt->p_memsz < k) {
22478 /* set_brk can never work. Avoid overflows. */
22479 send_sig(SIGKILL, current, 0);
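Review bot: The bound check replaces BAD_ADDR(k) with an explicit comparison against pax_task_size but gives no reason, so a reader who knows BAD_ADDR() is defined in terms of TASK_SIZE will wonder whether the change is deliberate. Add above the if: `/* PaX: under SEGMEXEC the task only spans SEGMEXEC_TASK_SIZE, so bound on pax_task_size instead of BAD_ADDR()/TASK_SIZE */`. pax_task_size is assigned in an earlier hunk; the segment loop enclosing this check is outside this one.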
22481 @@ -889,6 +1172,11 @@ static int load_elf_binary(struct linux_
22482 start_data += load_bias;
22483 end_data += load_bias;
22485 +#ifdef CONFIG_PAX_RANDMMAP
22486 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
22487 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
22490 /* Calling set_brk effectively mmaps the pages that we need
22491 * for the bss and break sections. We must do this before
22492 * mapping in the interpreter, to make sure it doesn't wind
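Review bot: The brk randomization adds `PAGE_SIZE + ((random & ~PAGE_MASK) << 4)`, but set_brk() (outside the hunk) page-aligns both of its arguments, so only the bits at or above PAGE_SHIFT survive: with 4 KiB pages the gap comes out between 1 and 17 pages, roughly four bits of brk-base entropy, and the amount changes with PAGE_SIZE on other architectures. If that budget is intended, state it: `/* PaX: random brk gap of 1..17 pages on 4K pages; set_brk() page-aligns, so sub-page bits only affect rounding */`; if more entropy was meant, derive the gap in page units from PAX_DELTA_MMAP_LEN-style constants rather than from `~PAGE_MASK`. The set_brk() call this feeds is just below the hunk.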
22493 @@ -900,9 +1188,11 @@ static int load_elf_binary(struct linux_
22494 goto out_free_dentry;
22496 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
22497 - send_sig(SIGSEGV, current, 0);
22498 - retval = -EFAULT; /* Nobody gets to see this, but.. */
22499 - goto out_free_dentry;
22501 + * This bss-zeroing can fail if the ELF
22502 + * file specifies odd protections. So
22503 + * we don't check the return value
22507 if (elf_interpreter) {
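Review bot: The `if` now calls padzero() purely for its side effect and has an empty body holding the explanation, which reads like an accidentally deleted branch; write it the way the interpreter loader in this file already does (not in the hunk): `if (likely(elf_bss != elf_brk)) (void) padzero(elf_bss); /* may fail on odd segment protections; ignored, as in load_elf_interp() */`. The consequence should be named: when zeroing fails, the tail of the last file-backed page keeps whatever the file holds there, so a binary whose .bss starts inside a non-writable segment runs with that residue visible. Since the SIGSEGV/-EFAULT path is gone the failure no longer surfaces anywhere; a pr_debug() on the failed call would keep it diagnosable. load_elf_binary continues outside this hunk.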
22508 @@ -1135,8 +1425,10 @@ static int dump_seek(struct file *file,
22509 unsigned long n = off;
22512 - if (!dump_write(file, buf, n))
22513 + if (!dump_write(file, buf, n)) {
22514 + free_page((unsigned long)buf);
22519 free_page((unsigned long)buf);
22520 @@ -1148,7 +1440,7 @@ static int dump_seek(struct file *file,
22521 * Decide what to dump of a segment, part, all or none.
22523 static unsigned long vma_dump_size(struct vm_area_struct *vma,
22524 - unsigned long mm_flags)
22525 + unsigned long mm_flags, long signr)
22527 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
22529 @@ -1182,7 +1474,7 @@ static unsigned long vma_dump_size(struc
22530 if (vma->vm_file == NULL)
22533 - if (FILTER(MAPPED_PRIVATE))
22534 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
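Review bot: `signr == SIGKILL` is given a special meaning here — private file-backed mappings are dumped whole regardless of the MMF_DUMP filter — with nothing saying why. SIGKILL does not normally produce a core at all, so the caller that passes it is presumably a PaX/grsecurity forced dump after a detected violation, where the full image is wanted for analysis; record that at the test: `/* signr == SIGKILL: forced (PaX/grsec) dump — include private file mappings whole for forensics */`. The same comment should note that the user's coredump_filter setting is overridden for those vmas. vma_dump_size() starts in an earlier hunk.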
22538 @@ -1278,8 +1570,11 @@ static int writenote(struct memelfnote *
22541 #define DUMP_WRITE(addr, nr) \
22543 + gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
22544 if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
22545 - goto end_coredump;
22546 + goto end_coredump; \
22548 #define DUMP_SEEK(off) \
22549 if (!dump_seek(file, (off))) \
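Review bot: DUMP_WRITE now expands `nr` three times (learn hook, `size += (nr)`, dump_write), so a caller passing an expression with side effects would be miscounted; the visible callers pass sizeof() and struct fields, so this is a style point, but a macro that has grown a statement body should bind its argument once. The opening `do {` and the closing of the continuation on the `goto` line are not visible in the hunk, so the wrapper below assumes that shape.
```c
#define DUMP_WRITE(addr, nr)						\
	do {								\
		size_t __nr = (nr);					\
		gr_learn_resource(current, RLIMIT_CORE, size + __nr, 1);	\
		if ((size += __nr) > limit || !dump_write(file, (addr), __nr)) \
			goto end_coredump;				\
	} while (0)
```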
22551 @@ -1991,7 +2286,7 @@ static int elf_core_dump(long signr, str
22552 phdr.p_offset = offset;
22553 phdr.p_vaddr = vma->vm_start;
22555 - phdr.p_filesz = vma_dump_size(vma, mm_flags);
22556 + phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
22557 phdr.p_memsz = vma->vm_end - vma->vm_start;
22558 offset += phdr.p_filesz;
22559 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
22560 @@ -2023,7 +2318,7 @@ static int elf_core_dump(long signr, str
22561 unsigned long addr;
22564 - end = vma->vm_start + vma_dump_size(vma, mm_flags);
22565 + end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
22567 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
22569 @@ -2043,6 +2338,7 @@ static int elf_core_dump(long signr, str
22570 flush_cache_page(tmp_vma, addr,
22571 page_to_pfn(page));
22572 kaddr = kmap(page);
22573 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
22574 if ((size += PAGE_SIZE) > limit ||
22575 !dump_write(file, kaddr,
22577 @@ -2073,6 +2369,99 @@ out:
22579 #endif /* USE_ELF_CORE_DUMP */
22581 +#ifdef CONFIG_PAX_MPROTECT
22582 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
22583 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
22584 + * we'll remove VM_MAYWRITE for good on RELRO segments.
22586 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
22587 + * basis because we want to allow the common case and not the special ones.
22589 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
22591 + struct elfhdr elf_h;
22592 + struct elf_phdr elf_p;
22594 + unsigned long oldflags;
22595 + bool is_textrel_rw, is_textrel_rx, is_relro;
22597 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
22600 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
22601 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
22603 +#ifdef CONFIG_PAX_NOELFRELOCS
22604 + is_textrel_rw = false;
22605 + is_textrel_rx = false;
22607 + /* possible TEXTREL */
22608 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
22609 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
22612 + /* possible RELRO */
22613 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
22615 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
22618 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
22619 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
22621 +#ifdef CONFIG_PAX_ETEXECRELOCS
22622 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
22624 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
22627 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
22628 + !elf_check_arch(&elf_h) ||
22629 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
22630 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
22633 + for (i = 0UL; i < elf_h.e_phnum; i++) {
22634 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
22636 + switch (elf_p.p_type) {
22637 + case PT_DYNAMIC: {
22638 + elf_addr_t dyn_offset = 0UL;
22641 + if (!is_textrel_rw && !is_textrel_rx)
22643 + dyn_offset = elf_p.p_offset;
22646 + if (sizeof(dyn) != kernel_read(vma->vm_file, dyn_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
22648 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
22649 + gr_log_textrel(vma);
22650 + if (is_textrel_rw)
22651 + vma->vm_flags |= VM_MAYWRITE;
22653 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
22654 + vma->vm_flags &= ~VM_MAYWRITE;
22658 + } while (dyn.d_tag != DT_NULL);
22662 + case PT_GNU_RELRO:
22665 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start) {
22666 + vma->vm_flags &= ~VM_MAYWRITE;
22674 static int __init init_elf_binfmt(void)
22676 return register_binfmt(&elf_format);
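Review bot: The PT_DYNAMIC walk that ends at `while (dyn.d_tag != DT_NULL)` stops only on DT_NULL or a short kernel_read(), never on the segment's own size, so a crafted library whose dynamic section lacks DT_NULL makes every matching mprotect() read the rest of the file in sizeof(dyn)-sized kernel reads; the file is attacker-controlled input on this path. Bound the walk by the segment before each read, e.g. `if (i >= elf_p.p_filesz / sizeof(dyn)) return;` (division form so it cannot overflow). The loop head that resets `i` and the lines that leave the switch are missing from the hunk, so the exact placement must be checked against the full source; the direct writes to vma->vm_flags also presume the mprotect caller holds mmap_sem for writing, which is worth a comment at the top of elf_handle_mprotect().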
22677 diff -urNp linux-2.6.31/fs/binfmt_flat.c linux-2.6.31/fs/binfmt_flat.c
22678 --- linux-2.6.31/fs/binfmt_flat.c 2009-08-27 20:59:04.000000000 -0400
22679 +++ linux-2.6.31/fs/binfmt_flat.c 2009-09-06 15:29:11.985159025 -0400
22680 @@ -565,7 +565,9 @@ static int load_flat_file(struct linux_b
22681 realdatastart = (unsigned long) -ENOMEM;
22682 printk("Unable to allocate RAM for process data, errno %d\n",
22683 (int)-realdatastart);
22684 + down_write(¤t->mm->mmap_sem);
22685 do_munmap(current->mm, textpos, text_len);
22686 + up_write(¤t->mm->mmap_sem);
22687 ret = realdatastart;
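Review bot: do_munmap() requires mmap_sem held for writing, which load_flat_file() was not doing on this error path, so the added pair is the right fix; a one-line comment keeps the next reader from removing it: `/* do_munmap() needs mmap_sem held for writing */`. The lock lines render here as `down_write(¤t->mm->mmap_sem)` — `&curren` was evidently turned into the ¤ entity when the page was exported, and the intended text is `down_write(&current->mm->mmap_sem);`; the same mangling recurs in the other binfmt_flat hunks and in the fs/compat.c and fs/exec.c hunks below. load_flat_file continues outside this hunk.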
22690 @@ -589,8 +591,10 @@ static int load_flat_file(struct linux_b
22692 if (result >= (unsigned long)-4096) {
22693 printk("Unable to read data+bss, errno %d\n", (int)-result);
22694 + down_write(¤t->mm->mmap_sem);
22695 do_munmap(current->mm, textpos, text_len);
22696 do_munmap(current->mm, realdatastart, data_len + extra);
22697 + up_write(¤t->mm->mmap_sem);
22701 @@ -659,8 +663,10 @@ static int load_flat_file(struct linux_b
22703 if (result >= (unsigned long)-4096) {
22704 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
22705 + down_write(¤t->mm->mmap_sem);
22706 do_munmap(current->mm, textpos, text_len + data_len + extra +
22707 MAX_SHARED_LIBS * sizeof(unsigned long));
22708 + up_write(¤t->mm->mmap_sem);
22712 diff -urNp linux-2.6.31/fs/binfmt_misc.c linux-2.6.31/fs/binfmt_misc.c
22713 --- linux-2.6.31/fs/binfmt_misc.c 2009-08-27 20:59:04.000000000 -0400
22714 +++ linux-2.6.31/fs/binfmt_misc.c 2009-09-06 15:29:11.985159025 -0400
22715 @@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
22716 static struct tree_descr bm_files[] = {
22717 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
22718 [3] = {"register", &bm_register_operations, S_IWUSR},
22719 - /* last one */ {""}
22720 + /* last one */ {"", NULL, 0}
22722 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
22724 diff -urNp linux-2.6.31/fs/btrfs/ctree.h linux-2.6.31/fs/btrfs/ctree.h
22725 --- linux-2.6.31/fs/btrfs/ctree.h 2009-08-27 20:59:04.000000000 -0400
22726 +++ linux-2.6.31/fs/btrfs/ctree.h 2009-09-06 15:29:11.986419144 -0400
22727 @@ -2286,7 +2286,7 @@ int btrfs_sync_file(struct file *file, s
22728 int btrfs_drop_extent_cache(struct inode *inode, u64 start, u64 end,
22730 int btrfs_check_file(struct btrfs_root *root, struct inode *inode);
22731 -extern struct file_operations btrfs_file_operations;
22732 +extern const struct file_operations btrfs_file_operations;
22733 int btrfs_drop_extents(struct btrfs_trans_handle *trans,
22734 struct btrfs_root *root, struct inode *inode,
22735 u64 start, u64 end, u64 locked_end,
22736 diff -urNp linux-2.6.31/fs/btrfs/disk-io.c linux-2.6.31/fs/btrfs/disk-io.c
22737 --- linux-2.6.31/fs/btrfs/disk-io.c 2009-08-27 20:59:04.000000000 -0400
22738 +++ linux-2.6.31/fs/btrfs/disk-io.c 2009-09-06 15:29:11.987388609 -0400
22739 @@ -772,7 +772,7 @@ static void btree_invalidatepage(struct
22743 -static struct address_space_operations btree_aops = {
22744 +static const struct address_space_operations btree_aops = {
22745 .readpage = btree_readpage,
22746 .writepage = btree_writepage,
22747 .writepages = btree_writepages,
22748 diff -urNp linux-2.6.31/fs/btrfs/file.c linux-2.6.31/fs/btrfs/file.c
22749 --- linux-2.6.31/fs/btrfs/file.c 2009-08-27 20:59:04.000000000 -0400
22750 +++ linux-2.6.31/fs/btrfs/file.c 2009-09-06 15:29:11.987388609 -0400
22751 @@ -1203,7 +1203,7 @@ out:
22752 return ret > 0 ? EIO : ret;
22755 -static struct vm_operations_struct btrfs_file_vm_ops = {
22756 +static const struct vm_operations_struct btrfs_file_vm_ops = {
22757 .fault = filemap_fault,
22758 .page_mkwrite = btrfs_page_mkwrite,
22760 @@ -1215,7 +1215,7 @@ static int btrfs_file_mmap(struct file *
22764 -struct file_operations btrfs_file_operations = {
22765 +const struct file_operations btrfs_file_operations = {
22766 .llseek = generic_file_llseek,
22767 .read = do_sync_read,
22768 .aio_read = generic_file_aio_read,
22769 diff -urNp linux-2.6.31/fs/btrfs/inode.c linux-2.6.31/fs/btrfs/inode.c
22770 --- linux-2.6.31/fs/btrfs/inode.c 2009-08-27 20:59:04.000000000 -0400
22771 +++ linux-2.6.31/fs/btrfs/inode.c 2009-09-06 15:29:11.989149892 -0400
22772 @@ -55,14 +55,14 @@ struct btrfs_iget_args {
22773 struct btrfs_root *root;
22776 -static struct inode_operations btrfs_dir_inode_operations;
22777 -static struct inode_operations btrfs_symlink_inode_operations;
22778 -static struct inode_operations btrfs_dir_ro_inode_operations;
22779 -static struct inode_operations btrfs_special_inode_operations;
22780 -static struct inode_operations btrfs_file_inode_operations;
22781 -static struct address_space_operations btrfs_aops;
22782 -static struct address_space_operations btrfs_symlink_aops;
22783 -static struct file_operations btrfs_dir_file_operations;
22784 +static const struct inode_operations btrfs_dir_inode_operations;
22785 +static const struct inode_operations btrfs_symlink_inode_operations;
22786 +static const struct inode_operations btrfs_dir_ro_inode_operations;
22787 +static const struct inode_operations btrfs_special_inode_operations;
22788 +static const struct inode_operations btrfs_file_inode_operations;
22789 +static const struct address_space_operations btrfs_aops;
22790 +static const struct address_space_operations btrfs_symlink_aops;
22791 +static const struct file_operations btrfs_dir_file_operations;
22792 static struct extent_io_ops btrfs_extent_io_ops;
22794 static struct kmem_cache *btrfs_inode_cachep;
22795 @@ -5201,7 +5201,7 @@ static int btrfs_permission(struct inode
22796 return generic_permission(inode, mask, btrfs_check_acl);
22799 -static struct inode_operations btrfs_dir_inode_operations = {
22800 +static const struct inode_operations btrfs_dir_inode_operations = {
22801 .getattr = btrfs_getattr,
22802 .lookup = btrfs_lookup,
22803 .create = btrfs_create,
22804 @@ -5219,11 +5219,11 @@ static struct inode_operations btrfs_dir
22805 .removexattr = btrfs_removexattr,
22806 .permission = btrfs_permission,
22808 -static struct inode_operations btrfs_dir_ro_inode_operations = {
22809 +static const struct inode_operations btrfs_dir_ro_inode_operations = {
22810 .lookup = btrfs_lookup,
22811 .permission = btrfs_permission,
22813 -static struct file_operations btrfs_dir_file_operations = {
22814 +static const struct file_operations btrfs_dir_file_operations = {
22815 .llseek = generic_file_llseek,
22816 .read = generic_read_dir,
22817 .readdir = btrfs_real_readdir,
22818 @@ -5259,7 +5259,7 @@ static struct extent_io_ops btrfs_extent
22820 * For now we're avoiding this by dropping bmap.
22822 -static struct address_space_operations btrfs_aops = {
22823 +static const struct address_space_operations btrfs_aops = {
22824 .readpage = btrfs_readpage,
22825 .writepage = btrfs_writepage,
22826 .writepages = btrfs_writepages,
22827 @@ -5271,14 +5271,14 @@ static struct address_space_operations b
22828 .set_page_dirty = btrfs_set_page_dirty,
22831 -static struct address_space_operations btrfs_symlink_aops = {
22832 +static const struct address_space_operations btrfs_symlink_aops = {
22833 .readpage = btrfs_readpage,
22834 .writepage = btrfs_writepage,
22835 .invalidatepage = btrfs_invalidatepage,
22836 .releasepage = btrfs_releasepage,
22839 -static struct inode_operations btrfs_file_inode_operations = {
22840 +static const struct inode_operations btrfs_file_inode_operations = {
22841 .truncate = btrfs_truncate,
22842 .getattr = btrfs_getattr,
22843 .setattr = btrfs_setattr,
22844 @@ -5290,7 +5290,7 @@ static struct inode_operations btrfs_fil
22845 .fallocate = btrfs_fallocate,
22846 .fiemap = btrfs_fiemap,
22848 -static struct inode_operations btrfs_special_inode_operations = {
22849 +static const struct inode_operations btrfs_special_inode_operations = {
22850 .getattr = btrfs_getattr,
22851 .setattr = btrfs_setattr,
22852 .permission = btrfs_permission,
22853 @@ -5299,7 +5299,7 @@ static struct inode_operations btrfs_spe
22854 .listxattr = btrfs_listxattr,
22855 .removexattr = btrfs_removexattr,
22857 -static struct inode_operations btrfs_symlink_inode_operations = {
22858 +static const struct inode_operations btrfs_symlink_inode_operations = {
22859 .readlink = generic_readlink,
22860 .follow_link = page_follow_link_light,
22861 .put_link = page_put_link,
22862 diff -urNp linux-2.6.31/fs/btrfs/super.c linux-2.6.31/fs/btrfs/super.c
22863 --- linux-2.6.31/fs/btrfs/super.c 2009-08-27 20:59:04.000000000 -0400
22864 +++ linux-2.6.31/fs/btrfs/super.c 2009-09-06 15:29:11.989149892 -0400
22866 #include "export.h"
22867 #include "compression.h"
22869 -static struct super_operations btrfs_super_ops;
22870 +static const struct super_operations btrfs_super_ops;
22872 static void btrfs_put_super(struct super_block *sb)
22874 @@ -675,7 +675,7 @@ static int btrfs_unfreeze(struct super_b
22878 -static struct super_operations btrfs_super_ops = {
22879 +static const struct super_operations btrfs_super_ops = {
22880 .delete_inode = btrfs_delete_inode,
22881 .put_super = btrfs_put_super,
22882 .sync_fs = btrfs_sync_fs,
22883 diff -urNp linux-2.6.31/fs/buffer.c linux-2.6.31/fs/buffer.c
22884 --- linux-2.6.31/fs/buffer.c 2009-08-27 20:59:04.000000000 -0400
22885 +++ linux-2.6.31/fs/buffer.c 2009-09-06 15:29:11.990228081 -0400
22887 #include <linux/percpu.h>
22888 #include <linux/slab.h>
22889 #include <linux/capability.h>
22890 +#include <linux/security.h>
22891 #include <linux/blkdev.h>
22892 #include <linux/file.h>
22893 #include <linux/quotaops.h>
22894 @@ -2233,6 +2234,7 @@ int generic_cont_expand_simple(struct in
22897 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
22898 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
22899 if (limit != RLIM_INFINITY && size > (loff_t)limit) {
22900 send_sig(SIGXFSZ, current, 0);
22902 diff -urNp linux-2.6.31/fs/cifs/cifs_dfs_ref.c linux-2.6.31/fs/cifs/cifs_dfs_ref.c
22903 --- linux-2.6.31/fs/cifs/cifs_dfs_ref.c 2009-08-27 20:59:04.000000000 -0400
22904 +++ linux-2.6.31/fs/cifs/cifs_dfs_ref.c 2009-09-06 15:29:11.991297402 -0400
22905 @@ -385,7 +385,7 @@ out_err:
22909 -struct inode_operations cifs_dfs_referral_inode_operations = {
22910 +const struct inode_operations cifs_dfs_referral_inode_operations = {
22911 .follow_link = cifs_dfs_follow_mountpoint,
22914 diff -urNp linux-2.6.31/fs/cifs/cifsfs.h linux-2.6.31/fs/cifs/cifsfs.h
22915 --- linux-2.6.31/fs/cifs/cifsfs.h 2009-08-27 20:59:04.000000000 -0400
22916 +++ linux-2.6.31/fs/cifs/cifsfs.h 2009-09-06 15:29:11.991297402 -0400
22917 @@ -67,7 +67,7 @@ extern int cifs_setattr(struct dentry *,
22919 extern const struct inode_operations cifs_file_inode_ops;
22920 extern const struct inode_operations cifs_symlink_inode_ops;
22921 -extern struct inode_operations cifs_dfs_referral_inode_operations;
22922 +extern const struct inode_operations cifs_dfs_referral_inode_operations;
22925 /* Functions related to files and directories */
22926 diff -urNp linux-2.6.31/fs/cifs/cifs_uniupr.h linux-2.6.31/fs/cifs/cifs_uniupr.h
22927 --- linux-2.6.31/fs/cifs/cifs_uniupr.h 2009-08-27 20:59:04.000000000 -0400
22928 +++ linux-2.6.31/fs/cifs/cifs_uniupr.h 2009-09-06 15:29:11.992234467 -0400
22929 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
22930 {0x0490, 0x04cc, UniCaseRangeU0490},
22931 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
22932 {0xff40, 0xff5a, UniCaseRangeUff40},
22938 diff -urNp linux-2.6.31/fs/cifs/link.c linux-2.6.31/fs/cifs/link.c
22939 --- linux-2.6.31/fs/cifs/link.c 2009-08-27 20:59:04.000000000 -0400
22940 +++ linux-2.6.31/fs/cifs/link.c 2009-09-06 15:29:11.992234467 -0400
22941 @@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
22943 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
22945 - char *p = nd_get_link(nd);
22946 + const char *p = nd_get_link(nd);
22950 diff -urNp linux-2.6.31/fs/compat.c linux-2.6.31/fs/compat.c
22951 --- linux-2.6.31/fs/compat.c 2009-09-06 19:00:55.778294232 -0400
22952 +++ linux-2.6.31/fs/compat.c 2009-09-06 19:01:14.417154469 -0400
22953 @@ -1417,14 +1417,12 @@ static int compat_copy_strings(int argc,
22954 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
22957 -#ifdef CONFIG_STACK_GROWSUP
22958 ret = expand_stack_downwards(bprm->vma, pos);
22960 /* We've exceed the stack rlimit. */
22965 ret = get_user_pages(current, bprm->mm, pos,
22966 1, 1, 1, &page, NULL);
22968 @@ -1470,6 +1468,11 @@ int compat_do_execve(char * filename,
22969 compat_uptr_t __user *envp,
22970 struct pt_regs * regs)
22972 +#ifdef CONFIG_GRKERNSEC
22973 + struct file *old_exec_file;
22974 + struct acl_subject_label *old_acl;
22975 + struct rlimit old_rlim[RLIM_NLIMITS];
22977 struct linux_binprm *bprm;
22979 struct files_struct *displaced;
22980 @@ -1506,6 +1509,14 @@ int compat_do_execve(char * filename,
22981 bprm->filename = filename;
22982 bprm->interp = filename;
22984 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
22985 + retval = -EAGAIN;
22986 + if (gr_handle_nproc())
22988 + retval = -EACCES;
22989 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
22992 retval = bprm_mm_init(bprm);
22995 @@ -1535,9 +1546,40 @@ int compat_do_execve(char * filename,
22999 + if (!gr_tpe_allow(file)) {
23000 + retval = -EACCES;
23004 + if (gr_check_crash_exec(file)) {
23005 + retval = -EACCES;
23009 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
23011 + gr_handle_exec_args(bprm, (char __user * __user *)argv);
23013 +#ifdef CONFIG_GRKERNSEC
23014 + old_acl = current->acl;
23015 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
23016 + old_exec_file = current->exec_file;
23018 + current->exec_file = file;
23021 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
23022 + bprm->unsafe & LSM_UNSAFE_SHARE);
23026 retval = search_binary_handler(bprm, regs);
23030 +#ifdef CONFIG_GRKERNSEC
23031 + if (old_exec_file)
23032 + fput(old_exec_file);
23035 /* execve succeeded */
23036 current->fs->in_exec = 0;
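Review bot: `gr_handle_exec_args(bprm, (char __user * __user *)argv)` hands the compat argv — an array of 32-bit compat_uptr_t — to a function expecting native pointers; unless gr_handle_exec_args() decodes compat pointers itself (its body is not in this chunk), on a 64-bit kernel each element it reads spans two compat entries and the logged or policy-checked argument strings come from bogus user addresses. A compat-aware variant that walks the array with compat_ptr(), as compat_copy_strings() does for the same argv, is needed instead of the cast. Separately, `current->signal->rlim` is snapshotted with a plain memcpy while sibling threads still run (de_thread() happens later inside search_binary_handler()), so a setrlimit() made in that window is silently reverted by the failure path in the next hunk. compat_do_execve starts and ends outside this hunk.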
23037 @@ -1548,6 +1590,14 @@ int compat_do_execve(char * filename,
23038 put_files_struct(displaced);
23042 +#ifdef CONFIG_GRKERNSEC
23043 + current->acl = old_acl;
23044 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
23045 + fput(current->exec_file);
23046 + current->exec_file = old_exec_file;
23052 diff -urNp linux-2.6.31/fs/compat_ioctl.c linux-2.6.31/fs/compat_ioctl.c
23053 --- linux-2.6.31/fs/compat_ioctl.c 2009-08-27 20:59:04.000000000 -0400
23054 +++ linux-2.6.31/fs/compat_ioctl.c 2009-09-06 15:29:11.994216658 -0400
23055 @@ -1827,15 +1827,15 @@ struct ioctl_trans {
23058 #define HANDLE_IOCTL(cmd,handler) \
23059 - { (cmd), (ioctl_trans_handler_t)(handler) },
23060 + { (cmd), (ioctl_trans_handler_t)(handler), NULL },
23062 /* pointer to compatible structure or no argument */
23063 #define COMPATIBLE_IOCTL(cmd) \
23064 - { (cmd), do_ioctl32_pointer },
23065 + { (cmd), do_ioctl32_pointer, NULL },
23067 /* argument is an unsigned long integer, not a pointer */
23068 #define ULONG_IOCTL(cmd) \
23069 - { (cmd), (ioctl_trans_handler_t)sys_ioctl },
23070 + { (cmd), (ioctl_trans_handler_t)sys_ioctl, NULL },
23072 /* ioctl should not be warned about even if it's not implemented.
23073 Valid reasons to use this:
23074 diff -urNp linux-2.6.31/fs/debugfs/inode.c linux-2.6.31/fs/debugfs/inode.c
23075 --- linux-2.6.31/fs/debugfs/inode.c 2009-08-27 20:59:04.000000000 -0400
23076 +++ linux-2.6.31/fs/debugfs/inode.c 2009-09-06 15:29:11.994216658 -0400
23077 @@ -118,7 +118,7 @@ static inline int debugfs_positive(struc
23079 static int debug_fill_super(struct super_block *sb, void *data, int silent)
23081 - static struct tree_descr debug_files[] = {{""}};
23082 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
23084 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
23086 diff -urNp linux-2.6.31/fs/dlm/debug_fs.c linux-2.6.31/fs/dlm/debug_fs.c
23087 --- linux-2.6.31/fs/dlm/debug_fs.c 2009-08-27 20:59:04.000000000 -0400
23088 +++ linux-2.6.31/fs/dlm/debug_fs.c 2009-09-06 15:29:11.995198144 -0400
23089 @@ -386,9 +386,9 @@ static int table_seq_show(struct seq_fil
23093 -static struct seq_operations format1_seq_ops;
23094 -static struct seq_operations format2_seq_ops;
23095 -static struct seq_operations format3_seq_ops;
23096 +static const struct seq_operations format1_seq_ops;
23097 +static const struct seq_operations format2_seq_ops;
23098 +static const struct seq_operations format3_seq_ops;
23100 static void *table_seq_start(struct seq_file *seq, loff_t *pos)
23102 @@ -534,21 +534,21 @@ static void table_seq_stop(struct seq_fi
23106 -static struct seq_operations format1_seq_ops = {
23107 +static const struct seq_operations format1_seq_ops = {
23108 .start = table_seq_start,
23109 .next = table_seq_next,
23110 .stop = table_seq_stop,
23111 .show = table_seq_show,
23114 -static struct seq_operations format2_seq_ops = {
23115 +static const struct seq_operations format2_seq_ops = {
23116 .start = table_seq_start,
23117 .next = table_seq_next,
23118 .stop = table_seq_stop,
23119 .show = table_seq_show,
23122 -static struct seq_operations format3_seq_ops = {
23123 +static const struct seq_operations format3_seq_ops = {
23124 .start = table_seq_start,
23125 .next = table_seq_next,
23126 .stop = table_seq_stop,
23127 diff -urNp linux-2.6.31/fs/ecryptfs/ecryptfs_kernel.h linux-2.6.31/fs/ecryptfs/ecryptfs_kernel.h
23128 --- linux-2.6.31/fs/ecryptfs/ecryptfs_kernel.h 2009-08-27 20:59:04.000000000 -0400
23129 +++ linux-2.6.31/fs/ecryptfs/ecryptfs_kernel.h 2009-09-06 15:29:11.995198144 -0400
23130 @@ -582,7 +582,7 @@ extern const struct inode_operations ecr
23131 extern const struct inode_operations ecryptfs_symlink_iops;
23132 extern const struct super_operations ecryptfs_sops;
23133 extern const struct dentry_operations ecryptfs_dops;
23134 -extern struct address_space_operations ecryptfs_aops;
23135 +extern const struct address_space_operations ecryptfs_aops;
23136 extern int ecryptfs_verbosity;
23137 extern unsigned int ecryptfs_message_buf_len;
23138 extern signed long ecryptfs_message_wait_timeout;
23139 diff -urNp linux-2.6.31/fs/ecryptfs/mmap.c linux-2.6.31/fs/ecryptfs/mmap.c
23140 --- linux-2.6.31/fs/ecryptfs/mmap.c 2009-08-27 20:59:04.000000000 -0400
23141 +++ linux-2.6.31/fs/ecryptfs/mmap.c 2009-09-06 15:29:11.995198144 -0400
23142 @@ -545,7 +545,7 @@ static sector_t ecryptfs_bmap(struct add
23146 -struct address_space_operations ecryptfs_aops = {
23147 +const struct address_space_operations ecryptfs_aops = {
23148 .writepage = ecryptfs_writepage,
23149 .readpage = ecryptfs_readpage,
23150 .write_begin = ecryptfs_write_begin,
23151 diff -urNp linux-2.6.31/fs/exec.c linux-2.6.31/fs/exec.c
23152 --- linux-2.6.31/fs/exec.c 2009-09-06 19:00:55.779225259 -0400
23153 +++ linux-2.6.31/fs/exec.c 2009-09-10 19:57:27.236070107 -0400
23154 @@ -55,12 +55,24 @@
23155 #include <linux/kmod.h>
23156 #include <linux/fsnotify.h>
23157 #include <linux/fs_struct.h>
23158 +#include <linux/random.h>
23159 +#include <linux/seq_file.h>
23161 +#ifdef CONFIG_PAX_REFCOUNT
23162 +#include <linux/kallsyms.h>
23163 +#include <linux/kdebug.h>
23166 #include <asm/uaccess.h>
23167 #include <asm/mmu_context.h>
23168 #include <asm/tlb.h>
23169 #include "internal.h"
23171 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
23172 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
23173 +EXPORT_SYMBOL(pax_set_initial_flags_func);
23177 char core_pattern[CORENAME_MAX_SIZE] = "core";
23178 int suid_dumpable = 0;
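Review bot: `pax_set_initial_flags_func` is a writable, globally exported function pointer with no comment saying who assigns it or when it runs; document the contract at the definition: `/* optional hook an ACL module installs to set per-process PaX flags; called from load_elf_binary() after the ELF-derived flags are parsed */`. Its reader in the binfmt_elf hunk tests the pointer and then calls it as two separate loads, so a module clearing it during an in-flight exec could call through NULL; if the hook can ever be unset, load it once into a local before the test. Exporting with EXPORT_SYMBOL rather than EXPORT_SYMBOL_GPL is a policy choice that the same comment should state.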
23179 @@ -113,7 +125,7 @@ SYSCALL_DEFINE1(uselib, const char __use
23182 file = do_filp_open(AT_FDCWD, tmp,
23183 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
23184 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
23185 MAY_READ | MAY_EXEC | MAY_OPEN);
23187 error = PTR_ERR(file);
23188 @@ -161,18 +173,10 @@ static struct page *get_arg_page(struct
23194 -#ifdef CONFIG_STACK_GROWSUP
23196 - ret = expand_stack_downwards(bprm->vma, pos);
23201 - ret = get_user_pages(current, bprm->mm, pos,
23202 - 1, write, 1, &page, NULL);
23204 + if (0 > expand_stack_downwards(bprm->vma, pos))
23206 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
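Review bot: The rewritten checks use constant-first comparisons (`0 > expand_stack_downwards(...)`, `0 >= get_user_pages(...)`), which the rest of this file and kernel style write as `expand_stack_downwards(bprm->vma, pos) < 0` and `get_user_pages(...) <= 0`. More importantly, expand_stack_downwards() is now called on every architecture and for read accesses too, where the removed code only did so under CONFIG_STACK_GROWSUP and for writes, otherwise leaving growth to the fault path inside get_user_pages(); the reason for doing it explicitly (presumably so the vma is extended under the caller's control) should be stated in a comment at the call. The `return NULL` lines that the removed branches ended with are not visible in the hunk, so I am assuming both failure branches still return NULL. get_arg_page starts and ends outside this hunk.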
23210 @@ -244,6 +248,11 @@ static int __bprm_mm_init(struct linux_b
23211 vma->vm_end = STACK_TOP_MAX;
23212 vma->vm_start = vma->vm_end - PAGE_SIZE;
23213 vma->vm_flags = VM_STACK_FLAGS;
23215 +#ifdef CONFIG_PAX_SEGMEXEC
23216 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
23219 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
23220 err = insert_vm_struct(mm, vma);
23222 @@ -252,6 +261,12 @@ static int __bprm_mm_init(struct linux_b
23223 mm->stack_vm = mm->total_vm = 1;
23224 up_write(&mm->mmap_sem);
23225 bprm->p = vma->vm_end - sizeof(void *);
23227 +#ifdef CONFIG_PAX_RANDUSTACK
23228 + if (randomize_va_space)
23229 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
23234 up_write(&mm->mmap_sem);
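Review bot: The XOR into bprm->p is correct but looks like a bug without explanation: vm_end is page aligned and p = vm_end - sizeof(void *), so p's page-offset bits above the pointer size are all ones, and XOR-ing a 16-byte-aligned sub-page value can only clear bits — the result stays in the same page and keeps p's alignment. Add: `/* p's page-offset bits are all set above sizeof(void *), so the XOR is a subtraction that cannot leave the page */`. The gate is the randomize_va_space sysctl rather than MF_PAX_RANDMMAP like the other randomizations in this patch, presumably because mm->pax_flags are not populated until the binfmt handler runs; a word to that effect would help. __bprm_mm_init starts outside this hunk and the closing #endif is not visible.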
23235 @@ -503,7 +518,8 @@ static int shift_arg_pages(struct vm_are
23236 unsigned long new_end = old_end - shift;
23237 struct mmu_gather *tlb;
23239 - BUG_ON(new_start > new_end);
23240 + if (new_start >= new_end || new_start < mmap_min_addr)
23244 * ensure there are no vmas between where we want to go
23245 @@ -512,6 +528,10 @@ static int shift_arg_pages(struct vm_are
23246 if (vma != find_vma(mm, new_start))
23249 +#ifdef CONFIG_PAX_SEGMEXEC
23250 + BUG_ON(pax_find_mirror_vma(vma));
23254 * cover the whole range: [new_start, old_end)
23256 @@ -600,6 +620,14 @@ int setup_arg_pages(struct linux_binprm
23257 bprm->exec -= stack_shift;
23259 down_write(&mm->mmap_sem);
23261 + /* Move stack pages down in memory. */
23262 + if (stack_shift) {
23263 + ret = shift_arg_pages(vma, stack_shift);
23268 vm_flags = VM_STACK_FLAGS;
23271 @@ -613,21 +641,24 @@ int setup_arg_pages(struct linux_binprm
23272 vm_flags &= ~VM_EXEC;
23273 vm_flags |= mm->def_flags;
23275 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
23276 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
23277 + vm_flags &= ~VM_EXEC;
23279 +#ifdef CONFIG_PAX_MPROTECT
23280 + if (mm->pax_flags & MF_PAX_MPROTECT)
23281 + vm_flags &= ~VM_MAYEXEC;
23287 ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
23291 BUG_ON(prev != vma);
23293 - /* Move stack pages down in memory. */
23294 - if (stack_shift) {
23295 - ret = shift_arg_pages(vma, stack_shift);
23297 - up_write(&mm->mmap_sem);
23302 #ifdef CONFIG_STACK_GROWSUP
23303 stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
23305 @@ -639,7 +670,7 @@ int setup_arg_pages(struct linux_binprm
23308 up_write(&mm->mmap_sem);
23312 EXPORT_SYMBOL(setup_arg_pages);
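Review bot: Together with the previous hunk this moves shift_arg_pages() ahead of mprotect_fixup(), so the stack pages are relocated before their final protections — and, under SEGMEXEC, before the mirror vma mprotect_fixup() would create — exist; an earlier hunk adds `BUG_ON(pax_find_mirror_vma(vma))` inside shift_arg_pages(), which is presumably why the order had to change, but neither hunk says so. Add at the moved call: `/* PaX: shift before mprotect_fixup() so no SEGMEXEC mirror vma exists yet (shift_arg_pages() BUG_ONs on one) */`. The new branch clearing VM_EXEC and, with MPROTECT, VM_MAYEXEC is straightforward; its closing #endif lines are not in the hunk. setup_arg_pages starts outside this hunk.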
23314 @@ -651,7 +682,7 @@ struct file *open_exec(const char *name)
23317 file = do_filp_open(AT_FDCWD, name,
23318 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
23319 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
23320 MAY_EXEC | MAY_OPEN);
23323 @@ -1085,7 +1116,7 @@ int check_unsafe_exec(struct linux_binpr
23327 - if (p->fs->users > n_fs) {
23328 + if (atomic_read(&p->fs->users) > n_fs) {
23329 bprm->unsafe |= LSM_UNSAFE_SHARE;
23332 @@ -1284,6 +1315,11 @@ int do_execve(char * filename,
23333 char __user *__user *envp,
23334 struct pt_regs * regs)
23336 +#ifdef CONFIG_GRKERNSEC
23337 + struct file *old_exec_file;
23338 + struct acl_subject_label *old_acl;
23339 + struct rlimit old_rlim[RLIM_NLIMITS];
23341 struct linux_binprm *bprm;
23343 struct files_struct *displaced;
23344 @@ -1320,6 +1356,18 @@ int do_execve(char * filename,
23345 bprm->filename = filename;
23346 bprm->interp = filename;
23348 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
23350 + if (gr_handle_nproc()) {
23351 + retval = -EAGAIN;
23355 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
23356 + retval = -EACCES;
23360 retval = bprm_mm_init(bprm);
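Review bot: As printed, `atomic_read(¤t->cred->user->processes)` is a rendering artefact — the `&curren` prefix of `&current` was swallowed as the HTML entity for `¤` — and the line should read `atomic_read(&current->cred->user->processes)`; no other line in the hunk uses that form. The `gr_handle_nproc()` failure sets `retval = -EAGAIN`, but its `goto` target is elided, so which cleanup label it reaches cannot be confirmed from this excerpt. do_execve continues outside the hunk.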
23363 @@ -1349,10 +1397,41 @@ int do_execve(char * filename,
23367 + if (!gr_tpe_allow(file)) {
23368 + retval = -EACCES;
23372 + if (gr_check_crash_exec(file)) {
23373 + retval = -EACCES;
23377 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
23379 + gr_handle_exec_args(bprm, argv);
23381 +#ifdef CONFIG_GRKERNSEC
23382 + old_acl = current->acl;
23383 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
23384 + old_exec_file = current->exec_file;
23386 + current->exec_file = file;
23389 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
23390 + bprm->unsafe & LSM_UNSAFE_SHARE);
23394 current->flags &= ~PF_KTHREAD;
23395 retval = search_binary_handler(bprm,regs);
23399 +#ifdef CONFIG_GRKERNSEC
23400 + if (old_exec_file)
23401 + fput(old_exec_file);
23404 /* execve succeeded */
23405 current->fs->in_exec = 0;
23406 @@ -1363,6 +1442,14 @@ int do_execve(char * filename,
23407 put_files_struct(displaced);
23411 +#ifdef CONFIG_GRKERNSEC
23412 + current->acl = old_acl;
23413 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
23414 + fput(current->exec_file);
23415 + current->exec_file = old_exec_file;
23421 @@ -1528,6 +1615,164 @@ out:
23425 +int pax_check_flags(unsigned long *flags)
23429 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
23430 + if (*flags & MF_PAX_SEGMEXEC)
23432 + *flags &= ~MF_PAX_SEGMEXEC;
23433 + retval = -EINVAL;
23437 + if ((*flags & MF_PAX_PAGEEXEC)
23439 +#ifdef CONFIG_PAX_PAGEEXEC
23440 + && (*flags & MF_PAX_SEGMEXEC)
23445 + *flags &= ~MF_PAX_PAGEEXEC;
23446 + retval = -EINVAL;
23449 + if ((*flags & MF_PAX_MPROTECT)
23451 +#ifdef CONFIG_PAX_MPROTECT
23452 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
23457 + *flags &= ~MF_PAX_MPROTECT;
23458 + retval = -EINVAL;
23461 + if ((*flags & MF_PAX_EMUTRAMP)
23463 +#ifdef CONFIG_PAX_EMUTRAMP
23464 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
23469 + *flags &= ~MF_PAX_EMUTRAMP;
23470 + retval = -EINVAL;
23476 +EXPORT_SYMBOL(pax_check_flags);
23478 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
23479 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
23481 + struct task_struct *tsk = current;
23482 + struct mm_struct *mm = current->mm;
23483 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
23484 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
23485 + char *path_exec = NULL;
23486 + char *path_fault = NULL;
23487 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
23489 + if (buffer_exec && buffer_fault) {
23490 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
23492 + down_read(&mm->mmap_sem);
23494 + while (vma && (!vma_exec || !vma_fault)) {
23495 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
23497 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
23499 + vma = vma->vm_next;
23502 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
23503 + if (IS_ERR(path_exec))
23504 + path_exec = "<path too long>";
23506 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
23509 + path_exec = buffer_exec;
23511 + path_exec = "<path too long>";
23515 + start = vma_fault->vm_start;
23516 + end = vma_fault->vm_end;
23517 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
23518 + if (vma_fault->vm_file) {
23519 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
23520 + if (IS_ERR(path_fault))
23521 + path_fault = "<path too long>";
23523 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
23524 + if (path_fault) {
23526 + path_fault = buffer_fault;
23528 + path_fault = "<path too long>";
23531 + path_fault = "<anonymous mapping>";
23533 + up_read(&mm->mmap_sem);
23535 + if (tsk->signal->curr_ip)
23536 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
23538 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
23539 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
23540 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
23541 + task_uid(tsk), task_euid(tsk), pc, sp);
23542 + free_page((unsigned long)buffer_exec);
23543 + free_page((unsigned long)buffer_fault);
23544 + pax_report_insns(pc, sp);
23545 + do_coredump(SIGKILL, SIGKILL, regs);
23549 +#ifdef CONFIG_PAX_REFCOUNT
23550 +void pax_report_refcount_overflow(struct pt_regs *regs)
23552 + if (current->signal->curr_ip)
23553 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
23554 + NIPQUAD(current->signal->curr_ip), current->comm, task_pid_nr(current), current_uid(), current_euid());
23556 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
23557 + current->comm, task_pid_nr(current), current_uid(), current_euid());
23558 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
23559 + show_registers(regs);
23560 + force_sig_specific(SIGKILL, current);
23564 +#ifdef CONFIG_PAX_USERCOPY
23565 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
23567 + if (current->signal->curr_ip)
23568 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: kernel memory leak attempt detected from %p (%lu bytes)\n", NIPQUAD(current->signal->curr_ip), ptr, len);
23570 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
23572 + do_group_exit(SIGKILL);
23575 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
23577 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
23579 + do_group_exit(SIGKILL);
23583 static int zap_process(struct task_struct *start)
23585 struct task_struct *t;
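Review bot: `pax_report_overflow_from_user` is the only reporter in this hunk that does not emit the `From %u.%u.%u.%u:` variant when `current->signal->curr_ip` is set; `pax_report_leak_to_user` directly above it and `pax_report_refcount_overflow` both do, so the overflow report loses the remote-origin context the other two carry. The `print_symbol` format in `pax_report_refcount_overflow` also misspells "occurred" as `occured`, which matters because operators grep these strings. In `pax_report_fault`, `mangle_path(..., "\t\n\\")` escapes only tab, newline and backslash before the path reaches `printk`; other control characters in a pathname and the unescaped `tsk->comm` still reach the log line, so log consumers should not treat those fields as trusted. A short header comment on each reporter stating that it is reached on a process-influenced fault path and that the task is terminated afterwards (`do_coredump(SIGKILL, ...)`, `force_sig_specific(SIGKILL, ...)`, `do_group_exit(SIGKILL)`) would make the contract explicit.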
23586 @@ -1787,6 +2032,10 @@ void do_coredump(long signr, int exit_co
23588 clear_thread_flag(TIF_SIGPENDING);
23590 + if (signr == SIGKILL || signr == SIGILL)
23591 + gr_handle_brute_attach(current);
23592 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
23595 * lock_kernel() because format_corename() is controlled by sysctl, which
23596 * uses lock_kernel()
23597 diff -urNp linux-2.6.31/fs/ext2/balloc.c linux-2.6.31/fs/ext2/balloc.c
23598 --- linux-2.6.31/fs/ext2/balloc.c 2009-08-27 20:59:04.000000000 -0400
23599 +++ linux-2.6.31/fs/ext2/balloc.c 2009-09-06 15:29:11.997182938 -0400
23600 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
23602 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
23603 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
23604 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
23605 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
23606 sbi->s_resuid != current_fsuid() &&
23607 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
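Review bot: `capable_nolog(CAP_SYS_RESOURCE)` is a helper declared nowhere in this excerpt, and the reason for it is unstated: this reserved-blocks check runs on every allocation by an unprivileged task, so the logging variant of `capable()` would turn an expected denial into an audit event on each call. The same substitution appears in the fs/ext3/balloc.c and fs/ext4/balloc.c hunks. A comment on the first site, `/* capable_nolog: an ordinary user hitting the root reserve is expected, not an audit event */`, would record the intent. Mainline `capable()` also sets `PF_SUPERPRIV` on success; if `capable_nolog` differs there, privilege-use accounting changes for this path — confirm against its definition.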
23609 diff -urNp linux-2.6.31/fs/ext3/balloc.c linux-2.6.31/fs/ext3/balloc.c
23610 --- linux-2.6.31/fs/ext3/balloc.c 2009-08-27 20:59:04.000000000 -0400
23611 +++ linux-2.6.31/fs/ext3/balloc.c 2009-09-06 15:29:11.998202334 -0400
23612 @@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
23614 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
23615 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
23616 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
23617 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
23618 sbi->s_resuid != current_fsuid() &&
23619 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
23621 diff -urNp linux-2.6.31/fs/ext3/namei.c linux-2.6.31/fs/ext3/namei.c
23622 --- linux-2.6.31/fs/ext3/namei.c 2009-08-27 20:59:04.000000000 -0400
23623 +++ linux-2.6.31/fs/ext3/namei.c 2009-09-06 15:29:11.998202334 -0400
23624 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
23625 char *data1 = (*bh)->b_data, *data2;
23626 unsigned split, move, size;
23627 struct ext3_dir_entry_2 *de = NULL, *de2;
23631 bh2 = ext3_append (handle, dir, &newblock, &err);
23633 diff -urNp linux-2.6.31/fs/ext3/xattr.c linux-2.6.31/fs/ext3/xattr.c
23634 --- linux-2.6.31/fs/ext3/xattr.c 2009-08-27 20:59:04.000000000 -0400
23635 +++ linux-2.6.31/fs/ext3/xattr.c 2009-09-06 15:29:11.999231326 -0400
23640 -# define ea_idebug(f...)
23641 -# define ea_bdebug(f...)
23642 +# define ea_idebug(f...) do {} while (0)
23643 +# define ea_bdebug(f...) do {} while (0)
23646 static void ext3_xattr_cache_insert(struct buffer_head *);
23647 diff -urNp linux-2.6.31/fs/ext4/balloc.c linux-2.6.31/fs/ext4/balloc.c
23648 --- linux-2.6.31/fs/ext4/balloc.c 2009-08-27 20:59:04.000000000 -0400
23649 +++ linux-2.6.31/fs/ext4/balloc.c 2009-09-06 15:29:11.999231326 -0400
23650 @@ -573,7 +573,7 @@ int ext4_has_free_blocks(struct ext4_sb_
23651 /* Hm, nope. Are (enough) root reserved blocks available? */
23652 if (sbi->s_resuid == current_fsuid() ||
23653 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
23654 - capable(CAP_SYS_RESOURCE)) {
23655 + capable_nolog(CAP_SYS_RESOURCE)) {
23656 if (free_blocks >= (nblocks + dirty_blocks))
23659 diff -urNp linux-2.6.31/fs/ext4/file.c linux-2.6.31/fs/ext4/file.c
23660 --- linux-2.6.31/fs/ext4/file.c 2009-08-27 20:59:04.000000000 -0400
23661 +++ linux-2.6.31/fs/ext4/file.c 2009-09-06 15:29:12.000181261 -0400
23662 @@ -130,7 +130,7 @@ force_commit:
23666 -static struct vm_operations_struct ext4_file_vm_ops = {
23667 +static const struct vm_operations_struct ext4_file_vm_ops = {
23668 .fault = filemap_fault,
23669 .page_mkwrite = ext4_page_mkwrite,
23671 diff -urNp linux-2.6.31/fs/ext4/mballoc.c linux-2.6.31/fs/ext4/mballoc.c
23672 --- linux-2.6.31/fs/ext4/mballoc.c 2009-08-27 20:59:04.000000000 -0400
23673 +++ linux-2.6.31/fs/ext4/mballoc.c 2009-09-06 15:29:12.001346538 -0400
23674 @@ -2205,7 +2205,7 @@ static void ext4_mb_seq_history_stop(str
23678 -static struct seq_operations ext4_mb_seq_history_ops = {
23679 +static const struct seq_operations ext4_mb_seq_history_ops = {
23680 .start = ext4_mb_seq_history_start,
23681 .next = ext4_mb_seq_history_next,
23682 .stop = ext4_mb_seq_history_stop,
23683 @@ -2287,7 +2287,7 @@ static ssize_t ext4_mb_seq_history_write
23687 -static struct file_operations ext4_mb_seq_history_fops = {
23688 +static const struct file_operations ext4_mb_seq_history_fops = {
23689 .owner = THIS_MODULE,
23690 .open = ext4_mb_seq_history_open,
23692 @@ -2366,7 +2366,7 @@ static void ext4_mb_seq_groups_stop(stru
23696 -static struct seq_operations ext4_mb_seq_groups_ops = {
23697 +static const struct seq_operations ext4_mb_seq_groups_ops = {
23698 .start = ext4_mb_seq_groups_start,
23699 .next = ext4_mb_seq_groups_next,
23700 .stop = ext4_mb_seq_groups_stop,
23701 @@ -2387,7 +2387,7 @@ static int ext4_mb_seq_groups_open(struc
23705 -static struct file_operations ext4_mb_seq_groups_fops = {
23706 +static const struct file_operations ext4_mb_seq_groups_fops = {
23707 .owner = THIS_MODULE,
23708 .open = ext4_mb_seq_groups_open,
23710 diff -urNp linux-2.6.31/fs/ext4/namei.c linux-2.6.31/fs/ext4/namei.c
23711 --- linux-2.6.31/fs/ext4/namei.c 2009-08-27 20:59:04.000000000 -0400
23712 +++ linux-2.6.31/fs/ext4/namei.c 2009-09-06 15:29:12.002220863 -0400
23713 @@ -1203,7 +1203,7 @@ static struct ext4_dir_entry_2 *do_split
23714 char *data1 = (*bh)->b_data, *data2;
23715 unsigned split, move, size;
23716 struct ext4_dir_entry_2 *de = NULL, *de2;
23720 bh2 = ext4_append (handle, dir, &newblock, &err);
23722 diff -urNp linux-2.6.31/fs/fcntl.c linux-2.6.31/fs/fcntl.c
23723 --- linux-2.6.31/fs/fcntl.c 2009-08-27 20:59:04.000000000 -0400
23724 +++ linux-2.6.31/fs/fcntl.c 2009-09-06 15:29:12.003190739 -0400
23725 @@ -271,6 +271,7 @@ static long do_fcntl(int fd, unsigned in
23728 case F_DUPFD_CLOEXEC:
23729 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
23730 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
23732 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
23733 @@ -421,7 +422,8 @@ static inline int sigio_perm(struct task
23734 ret = ((fown->euid == 0 ||
23735 fown->euid == cred->suid || fown->euid == cred->uid ||
23736 fown->uid == cred->suid || fown->uid == cred->uid) &&
23737 - !security_file_send_sigiotask(p, fown, sig));
23738 + !security_file_send_sigiotask(p, fown, sig) &&
23739 + !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
23743 diff -urNp linux-2.6.31/fs/file.c linux-2.6.31/fs/file.c
23744 --- linux-2.6.31/fs/file.c 2009-08-27 20:59:04.000000000 -0400
23745 +++ linux-2.6.31/fs/file.c 2009-09-06 15:29:12.003190739 -0400
23747 #include <linux/slab.h>
23748 #include <linux/vmalloc.h>
23749 #include <linux/file.h>
23750 +#include <linux/security.h>
23751 #include <linux/fdtable.h>
23752 #include <linux/bitops.h>
23753 #include <linux/interrupt.h>
23754 @@ -256,6 +257,8 @@ int expand_files(struct files_struct *fi
23755 * N.B. For clone tasks sharing a files structure, this test
23756 * will limit the total number of files that can be opened.
23759 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
23760 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
23763 diff -urNp linux-2.6.31/fs/fs_struct.c linux-2.6.31/fs/fs_struct.c
23764 --- linux-2.6.31/fs/fs_struct.c 2009-08-27 20:59:04.000000000 -0400
23765 +++ linux-2.6.31/fs/fs_struct.c 2009-09-06 15:29:12.004169260 -0400
23766 @@ -89,7 +89,7 @@ void exit_fs(struct task_struct *tsk)
23768 write_lock(&fs->lock);
23770 - kill = !--fs->users;
23771 + kill = !atomic_dec_return(&fs->users);
23772 write_unlock(&fs->lock);
23775 @@ -102,7 +102,7 @@ struct fs_struct *copy_fs_struct(struct
23776 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
23777 /* We don't need to lock fs - think why ;-) */
23780 + atomic_set(&fs->users, 1);
23782 rwlock_init(&fs->lock);
23783 fs->umask = old->umask;
23784 @@ -127,7 +127,7 @@ int unshare_fs_struct(void)
23786 task_lock(current);
23787 write_lock(&fs->lock);
23788 - kill = !--fs->users;
23789 + kill = !atomic_dec_return(&fs->users);
23790 current->fs = new_fs;
23791 write_unlock(&fs->lock);
23792 task_unlock(current);
23793 @@ -147,7 +147,7 @@ EXPORT_SYMBOL(current_umask);
23795 /* to be mentioned only in INIT_TASK */
23796 struct fs_struct init_fs = {
23798 + .users = ATOMIC_INIT(1),
23799 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
23802 @@ -162,12 +162,12 @@ void daemonize_fs_struct(void)
23803 task_lock(current);
23805 write_lock(&init_fs.lock);
23807 + atomic_inc(&init_fs.users);
23808 write_unlock(&init_fs.lock);
23810 write_lock(&fs->lock);
23811 current->fs = &init_fs;
23812 - kill = !--fs->users;
23813 + kill = !atomic_dec_return(&fs->users);
23814 write_unlock(&fs->lock);
23816 task_unlock(current);
23817 diff -urNp linux-2.6.31/fs/fuse/control.c linux-2.6.31/fs/fuse/control.c
23818 --- linux-2.6.31/fs/fuse/control.c 2009-08-27 20:59:04.000000000 -0400
23819 +++ linux-2.6.31/fs/fuse/control.c 2009-09-06 15:29:12.004169260 -0400
23820 @@ -161,7 +161,7 @@ void fuse_ctl_remove_conn(struct fuse_co
23822 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
23824 - struct tree_descr empty_descr = {""};
23825 + struct tree_descr empty_descr = {"", NULL, 0};
23826 struct fuse_conn *fc;
23829 diff -urNp linux-2.6.31/fs/fuse/dev.c linux-2.6.31/fs/fuse/dev.c
23830 --- linux-2.6.31/fs/fuse/dev.c 2009-08-27 20:59:04.000000000 -0400
23831 +++ linux-2.6.31/fs/fuse/dev.c 2009-09-06 15:29:12.004169260 -0400
23832 @@ -885,7 +885,7 @@ static int fuse_notify_inval_entry(struc
23834 struct fuse_notify_inval_entry_out outarg;
23836 - char buf[FUSE_NAME_MAX+1];
23837 + char *buf = NULL;
23840 if (size < sizeof(outarg))
23841 @@ -899,6 +899,11 @@ static int fuse_notify_inval_entry(struc
23842 if (outarg.namelen > FUSE_NAME_MAX)
23846 + buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
23851 name.len = outarg.namelen;
23852 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
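Review bot: `buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);` replaces a `FUSE_NAME_MAX+1`-byte stack array, but neither its NULL check nor the matching `kfree(buf)` are visible in this excerpt (lines 23847–23850 and the tail of the `@@ -910,17 +915,15 @@` hunk are elided); confirm that allocation failure returns before `fuse_copy_one(cs, buf, outarg.namelen + 1)` and that every exit after that point, including the error returns, frees the buffer. A one-line comment, `/* heap-allocated: FUSE_NAME_MAX+1 bytes is too large for the kernel stack */`, would record why the buffer moved. fuse_notify_inval_entry's body continues outside this hunk.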
23853 @@ -910,17 +915,15 @@ static int fuse_notify_inval_entry(struc
23855 down_read(&fc->killsb);
23860 - err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
23864 + err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
23865 up_read(&fc->killsb);
23870 fuse_copy_finish(cs);
23875 diff -urNp linux-2.6.31/fs/fuse/dir.c linux-2.6.31/fs/fuse/dir.c
23876 --- linux-2.6.31/fs/fuse/dir.c 2009-08-27 20:59:04.000000000 -0400
23877 +++ linux-2.6.31/fs/fuse/dir.c 2009-09-06 15:29:12.005311849 -0400
23878 @@ -1122,7 +1122,7 @@ static char *read_link(struct dentry *de
23882 -static void free_link(char *link)
23883 +static void free_link(const char *link)
23886 free_page((unsigned long) link);
23887 diff -urNp linux-2.6.31/fs/fuse/file.c linux-2.6.31/fs/fuse/file.c
23888 --- linux-2.6.31/fs/fuse/file.c 2009-08-27 20:59:04.000000000 -0400
23889 +++ linux-2.6.31/fs/fuse/file.c 2009-09-06 15:29:12.006440852 -0400
23890 @@ -1313,7 +1313,7 @@ static int fuse_page_mkwrite(struct vm_a
23894 -static struct vm_operations_struct fuse_file_vm_ops = {
23895 +static const struct vm_operations_struct fuse_file_vm_ops = {
23896 .close = fuse_vma_close,
23897 .fault = filemap_fault,
23898 .page_mkwrite = fuse_page_mkwrite,
23899 diff -urNp linux-2.6.31/fs/gfs2/file.c linux-2.6.31/fs/gfs2/file.c
23900 --- linux-2.6.31/fs/gfs2/file.c 2009-08-27 20:59:04.000000000 -0400
23901 +++ linux-2.6.31/fs/gfs2/file.c 2009-09-06 15:29:12.006440852 -0400
23902 @@ -419,7 +419,7 @@ out:
23906 -static struct vm_operations_struct gfs2_vm_ops = {
23907 +static const struct vm_operations_struct gfs2_vm_ops = {
23908 .fault = filemap_fault,
23909 .page_mkwrite = gfs2_page_mkwrite,
23911 diff -urNp linux-2.6.31/fs/hfs/inode.c linux-2.6.31/fs/hfs/inode.c
23912 --- linux-2.6.31/fs/hfs/inode.c 2009-08-27 20:59:04.000000000 -0400
23913 +++ linux-2.6.31/fs/hfs/inode.c 2009-09-06 15:29:12.006440852 -0400
23914 @@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
23916 if (S_ISDIR(main_inode->i_mode)) {
23917 if (fd.entrylength < sizeof(struct hfs_cat_dir))
23920 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
23921 sizeof(struct hfs_cat_dir));
23922 if (rec.type != HFS_CDR_DIR ||
23923 @@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
23924 sizeof(struct hfs_cat_file));
23926 if (fd.entrylength < sizeof(struct hfs_cat_file))
23929 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
23930 sizeof(struct hfs_cat_file));
23931 if (rec.type != HFS_CDR_FIL ||
23932 diff -urNp linux-2.6.31/fs/hfsplus/inode.c linux-2.6.31/fs/hfsplus/inode.c
23933 --- linux-2.6.31/fs/hfsplus/inode.c 2009-08-27 20:59:04.000000000 -0400
23934 +++ linux-2.6.31/fs/hfsplus/inode.c 2009-09-06 15:29:12.007408006 -0400
23935 @@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode
23936 struct hfsplus_cat_folder *folder = &entry.folder;
23938 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
23941 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
23942 sizeof(struct hfsplus_cat_folder));
23943 hfsplus_get_perms(inode, &folder->permissions, 1);
23944 @@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode
23945 struct hfsplus_cat_file *file = &entry.file;
23947 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
23950 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
23951 sizeof(struct hfsplus_cat_file));
23953 @@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
23954 struct hfsplus_cat_folder *folder = &entry.folder;
23956 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
23959 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
23960 sizeof(struct hfsplus_cat_folder));
23961 /* simple node checks? */
23962 @@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
23963 struct hfsplus_cat_file *file = &entry.file;
23965 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
23968 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
23969 sizeof(struct hfsplus_cat_file));
23970 hfsplus_inode_write_fork(inode, &file->data_fork);
23971 diff -urNp linux-2.6.31/fs/jbd2/journal.c linux-2.6.31/fs/jbd2/journal.c
23972 --- linux-2.6.31/fs/jbd2/journal.c 2009-08-27 20:59:04.000000000 -0400
23973 +++ linux-2.6.31/fs/jbd2/journal.c 2009-09-06 15:29:12.012276994 -0400
23974 @@ -768,7 +768,7 @@ static void jbd2_seq_history_stop(struct
23978 -static struct seq_operations jbd2_seq_history_ops = {
23979 +static const struct seq_operations jbd2_seq_history_ops = {
23980 .start = jbd2_seq_history_start,
23981 .next = jbd2_seq_history_next,
23982 .stop = jbd2_seq_history_stop,
23983 @@ -818,7 +818,7 @@ static int jbd2_seq_history_release(stru
23984 return seq_release(inode, file);
23987 -static struct file_operations jbd2_seq_history_fops = {
23988 +static const struct file_operations jbd2_seq_history_fops = {
23989 .owner = THIS_MODULE,
23990 .open = jbd2_seq_history_open,
23992 @@ -872,7 +872,7 @@ static void jbd2_seq_info_stop(struct se
23996 -static struct seq_operations jbd2_seq_info_ops = {
23997 +static const struct seq_operations jbd2_seq_info_ops = {
23998 .start = jbd2_seq_info_start,
23999 .next = jbd2_seq_info_next,
24000 .stop = jbd2_seq_info_stop,
24001 @@ -920,7 +920,7 @@ static int jbd2_seq_info_release(struct
24002 return seq_release(inode, file);
24005 -static struct file_operations jbd2_seq_info_fops = {
24006 +static const struct file_operations jbd2_seq_info_fops = {
24007 .owner = THIS_MODULE,
24008 .open = jbd2_seq_info_open,
24010 diff -urNp linux-2.6.31/fs/jffs2/debug.h linux-2.6.31/fs/jffs2/debug.h
24011 --- linux-2.6.31/fs/jffs2/debug.h 2009-08-27 20:59:04.000000000 -0400
24012 +++ linux-2.6.31/fs/jffs2/debug.h 2009-09-06 15:29:12.012276994 -0400
24013 @@ -52,13 +52,13 @@
24014 #if CONFIG_JFFS2_FS_DEBUG > 0
24018 +#define D1(x) do {} while (0);
24021 #if CONFIG_JFFS2_FS_DEBUG > 1
24025 +#define D2(x) do {} while (0);
24028 /* The prefixes of JFFS2 messages */
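Review bot: `#define D1(x) do {} while (0);` and `#define D2(x) do {} while (0);` carry a trailing semicolon, which defeats the do/while(0) idiom the rest of this file's changes adopt (`dbg_readinode` and the other `dbg_*` macros in the next hunk end without one): `D1(...);` at a call site now expands to two statements, and `if (c) D1(...); else ...` no longer compiles. Drop the semicolon so the two lines read `#define D1(x) do {} while (0)` and `#define D2(x) do {} while (0)`.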
24029 @@ -114,73 +114,73 @@
24030 #ifdef JFFS2_DBG_READINODE_MESSAGES
24031 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24033 -#define dbg_readinode(fmt, ...)
24034 +#define dbg_readinode(fmt, ...) do {} while (0)
24036 #ifdef JFFS2_DBG_READINODE2_MESSAGES
24037 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24039 -#define dbg_readinode2(fmt, ...)
24040 +#define dbg_readinode2(fmt, ...) do {} while (0)
24043 /* Fragtree build debugging messages */
24044 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
24045 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24047 -#define dbg_fragtree(fmt, ...)
24048 +#define dbg_fragtree(fmt, ...) do {} while (0)
24050 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
24051 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24053 -#define dbg_fragtree2(fmt, ...)
24054 +#define dbg_fragtree2(fmt, ...) do {} while (0)
24057 /* Directory entry list manilulation debugging messages */
24058 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
24059 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24061 -#define dbg_dentlist(fmt, ...)
24062 +#define dbg_dentlist(fmt, ...) do {} while (0)
24065 /* Print the messages about manipulating node_refs */
24066 #ifdef JFFS2_DBG_NODEREF_MESSAGES
24067 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24069 -#define dbg_noderef(fmt, ...)
24070 +#define dbg_noderef(fmt, ...) do {} while (0)
24073 /* Manipulations with the list of inodes (JFFS2 inocache) */
24074 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
24075 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24077 -#define dbg_inocache(fmt, ...)
24078 +#define dbg_inocache(fmt, ...) do {} while (0)
24081 /* Summary debugging messages */
24082 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
24083 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24085 -#define dbg_summary(fmt, ...)
24086 +#define dbg_summary(fmt, ...) do {} while (0)
24089 /* File system build messages */
24090 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
24091 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24093 -#define dbg_fsbuild(fmt, ...)
24094 +#define dbg_fsbuild(fmt, ...) do {} while (0)
24097 /* Watch the object allocations */
24098 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
24099 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24101 -#define dbg_memalloc(fmt, ...)
24102 +#define dbg_memalloc(fmt, ...) do {} while (0)
24105 /* Watch the XATTR subsystem */
24106 #ifdef JFFS2_DBG_XATTR_MESSAGES
24107 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
24109 -#define dbg_xattr(fmt, ...)
24110 +#define dbg_xattr(fmt, ...) do {} while (0)
24113 /* "Sanity" checks */
24114 diff -urNp linux-2.6.31/fs/jffs2/erase.c linux-2.6.31/fs/jffs2/erase.c
24115 --- linux-2.6.31/fs/jffs2/erase.c 2009-08-27 20:59:04.000000000 -0400
24116 +++ linux-2.6.31/fs/jffs2/erase.c 2009-09-06 15:29:12.013150987 -0400
24117 @@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
24118 struct jffs2_unknown_node marker = {
24119 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
24120 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
24121 - .totlen = cpu_to_je32(c->cleanmarker_size)
24122 + .totlen = cpu_to_je32(c->cleanmarker_size),
24123 + .hdr_crc = cpu_to_je32(0)
24126 jffs2_prealloc_raw_node_refs(c, jeb, 1);
24127 diff -urNp linux-2.6.31/fs/jffs2/summary.h linux-2.6.31/fs/jffs2/summary.h
24128 --- linux-2.6.31/fs/jffs2/summary.h 2009-08-27 20:59:04.000000000 -0400
24129 +++ linux-2.6.31/fs/jffs2/summary.h 2009-09-06 15:29:12.013150987 -0400
24130 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
24132 #define jffs2_sum_active() (0)
24133 #define jffs2_sum_init(a) (0)
24134 -#define jffs2_sum_exit(a)
24135 -#define jffs2_sum_disable_collecting(a)
24136 +#define jffs2_sum_exit(a) do {} while (0)
24137 +#define jffs2_sum_disable_collecting(a) do {} while (0)
24138 #define jffs2_sum_is_disabled(a) (0)
24139 -#define jffs2_sum_reset_collected(a)
24140 +#define jffs2_sum_reset_collected(a) do {} while (0)
24141 #define jffs2_sum_add_kvec(a,b,c,d) (0)
24142 -#define jffs2_sum_move_collected(a,b)
24143 +#define jffs2_sum_move_collected(a,b) do {} while (0)
24144 #define jffs2_sum_write_sumnode(a) (0)
24145 -#define jffs2_sum_add_padding_mem(a,b)
24146 -#define jffs2_sum_add_inode_mem(a,b,c)
24147 -#define jffs2_sum_add_dirent_mem(a,b,c)
24148 -#define jffs2_sum_add_xattr_mem(a,b,c)
24149 -#define jffs2_sum_add_xref_mem(a,b,c)
24150 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
24151 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
24152 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
24153 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
24154 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
24155 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
24157 #endif /* CONFIG_JFFS2_SUMMARY */
24158 diff -urNp linux-2.6.31/fs/jffs2/wbuf.c linux-2.6.31/fs/jffs2/wbuf.c
24159 --- linux-2.6.31/fs/jffs2/wbuf.c 2009-09-06 19:00:55.780302780 -0400
24160 +++ linux-2.6.31/fs/jffs2/wbuf.c 2009-09-06 19:01:14.418463427 -0400
24161 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
24163 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
24164 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
24165 - .totlen = constant_cpu_to_je32(8)
24166 + .totlen = constant_cpu_to_je32(8),
24167 + .hdr_crc = constant_cpu_to_je32(0)
24171 diff -urNp linux-2.6.31/fs/locks.c linux-2.6.31/fs/locks.c
24172 --- linux-2.6.31/fs/locks.c 2009-08-27 20:59:04.000000000 -0400
24173 +++ linux-2.6.31/fs/locks.c 2009-09-06 15:29:12.014194935 -0400
24174 @@ -2007,16 +2007,16 @@ void locks_remove_flock(struct file *fil
24177 if (filp->f_op && filp->f_op->flock) {
24178 - struct file_lock fl = {
24179 + struct file_lock flock = {
24180 .fl_pid = current->tgid,
24182 .fl_flags = FL_FLOCK,
24183 .fl_type = F_UNLCK,
24184 .fl_end = OFFSET_MAX,
24186 - filp->f_op->flock(filp, F_SETLKW, &fl);
24187 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
24188 - fl.fl_ops->fl_release_private(&fl);
24189 + filp->f_op->flock(filp, F_SETLKW, &flock);
24190 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
24191 + flock.fl_ops->fl_release_private(&flock);
24195 diff -urNp linux-2.6.31/fs/namei.c linux-2.6.31/fs/namei.c
24196 --- linux-2.6.31/fs/namei.c 2009-09-09 19:20:53.054234659 -0400
24197 +++ linux-2.6.31/fs/namei.c 2009-09-09 19:27:52.423043223 -0400
24198 @@ -631,7 +631,7 @@ static __always_inline int __do_follow_l
24199 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
24200 error = PTR_ERR(cookie);
24201 if (!IS_ERR(cookie)) {
24202 - char *s = nd_get_link(nd);
24203 + const char *s = nd_get_link(nd);
24206 error = __vfs_follow_link(nd, s);
24207 @@ -662,6 +662,13 @@ static inline int do_follow_link(struct
24208 err = security_inode_follow_link(path->dentry, nd);
24212 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
24213 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
24218 current->link_count++;
24219 current->total_link_count++;
24221 @@ -1005,11 +1012,18 @@ return_reval:
24225 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
24226 + path_put(&nd->path);
24231 path_put_conditional(&next, nd);
24234 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
24237 path_put(&nd->path);
24240 @@ -1608,12 +1622,19 @@ static int __open_namei_create(struct na
24242 struct dentry *dir = nd->path.dentry;
24244 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
24249 if (!IS_POSIXACL(dir->d_inode))
24250 mode &= ~current_umask();
24251 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
24254 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
24256 + gr_handle_create(path->dentry, nd->path.mnt);
24258 mutex_unlock(&dir->d_inode->i_mutex);
24259 dput(nd->path.dentry);
24260 @@ -1696,6 +1717,17 @@ struct file *do_filp_open(int dfd, const
24263 return ERR_PTR(error);
24265 + if (gr_handle_rawio(nd.path.dentry->d_inode)) {
24270 + if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
24278 @@ -1782,6 +1814,20 @@ do_last:
24280 * It already exists.
24283 + if (gr_handle_rawio(path.dentry->d_inode)) {
24285 + goto exit_mutex_unlock;
24287 + if (!gr_acl_handle_open(path.dentry, nd.path.mnt, flag)) {
24289 + goto exit_mutex_unlock;
24291 + if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) {
24293 + goto exit_mutex_unlock;
24296 mutex_unlock(&dir->d_inode->i_mutex);
24297 audit_inode(pathname, path.dentry);
24299 @@ -1874,6 +1920,13 @@ do_link:
24300 error = security_inode_follow_link(path.dentry, &nd);
24304 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
24305 + path.dentry, nd.path.mnt)) {
24310 error = __do_follow_link(&path, &nd);
24312 /* Does someone understand code flow here? Or it is only
24313 @@ -2048,6 +2101,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
24314 error = may_mknod(mode);
24318 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
24323 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
24328 error = mnt_want_write(nd.path.mnt);
24331 @@ -2068,6 +2132,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
24334 mnt_drop_write(nd.path.mnt);
24337 + gr_handle_create(dentry, nd.path.mnt);
24341 @@ -2121,6 +2188,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
24342 if (IS_ERR(dentry))
24345 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
24350 if (!IS_POSIXACL(nd.path.dentry->d_inode))
24351 mode &= ~current_umask();
24352 error = mnt_want_write(nd.path.mnt);
24353 @@ -2132,6 +2204,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
24354 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
24356 mnt_drop_write(nd.path.mnt);
24359 + gr_handle_create(dentry, nd.path.mnt);
24364 @@ -2213,6 +2289,8 @@ static long do_rmdir(int dfd, const char
24366 struct dentry *dentry;
24367 struct nameidata nd;
24368 + ino_t saved_ino = 0;
24369 + dev_t saved_dev = 0;
24371 error = user_path_parent(dfd, pathname, &nd, &name);
24373 @@ -2237,6 +2315,19 @@ static long do_rmdir(int dfd, const char
24374 error = PTR_ERR(dentry);
24375 if (IS_ERR(dentry))
24378 + if (dentry->d_inode != NULL) {
24379 + if (dentry->d_inode->i_nlink <= 1) {
24380 + saved_ino = dentry->d_inode->i_ino;
24381 + saved_dev = dentry->d_inode->i_sb->s_dev;
24384 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
24390 error = mnt_want_write(nd.path.mnt);
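Review bot: The `i_nlink <= 1` test on a directory inode will rarely be true on filesystems that count the `.` entry, where an empty directory already has a link count of 2, so `saved_ino`/`saved_dev` stay zero and the `gr_handle_delete` call in the following hunk is skipped for most successful rmdirs. Please confirm whether this threshold was copied from the unlink case, where a single link is the common case, or whether the intent is to catch only filesystems that report 1 for directories. A comment stating the chosen threshold, `/* directory link counts are fs-specific; record only when this rmdir frees the inode */`, would prevent the next reader from "fixing" it either way. As a minor consistency point, the guard here is written `(saved_dev || saved_ino)` while do_unlinkat writes `(saved_ino || saved_dev)`. `do_rmdir` starts outside the hunk.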
24393 @@ -2244,6 +2335,8 @@ static long do_rmdir(int dfd, const char
24396 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
24397 + if (!error && (saved_dev || saved_ino))
24398 + gr_handle_delete(saved_ino, saved_dev);
24400 mnt_drop_write(nd.path.mnt);
24402 @@ -2305,6 +2398,8 @@ static long do_unlinkat(int dfd, const c
24403 struct dentry *dentry;
24404 struct nameidata nd;
24405 struct inode *inode = NULL;
24406 + ino_t saved_ino = 0;
24407 + dev_t saved_dev = 0;
24409 error = user_path_parent(dfd, pathname, &nd, &name);
24411 @@ -2324,8 +2419,19 @@ static long do_unlinkat(int dfd, const c
24412 if (nd.last.name[nd.last.len])
24414 inode = dentry->d_inode;
24417 + if (inode->i_nlink <= 1) {
24418 + saved_ino = inode->i_ino;
24419 + saved_dev = inode->i_sb->s_dev;
24422 atomic_inc(&inode->i_count);
24424 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
24429 error = mnt_want_write(nd.path.mnt);
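Review bot: The `gr_acl_handle_unlink` check is placed after `atomic_inc(&inode->i_count)`, so its deny branch (elided here) must exit through the label that drops that reference, otherwise a denied unlink leaks an inode reference. Moving the check above the `atomic_inc` avoids the dependency on the jump target entirely, e.g. `if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) { error = -EACCES; goto exit2; }` placed before the reference is taken, with the errno value matching whatever the hook's other call sites use. The `i_nlink <= 1` block above assumes `inode` is non-NULL; the negative-dentry check that would guarantee this is not visible in the hunk. `do_unlinkat` starts outside the hunk.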
24432 @@ -2333,6 +2439,8 @@ static long do_unlinkat(int dfd, const c
24435 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
24436 + if (!error && (saved_ino || saved_dev))
24437 + gr_handle_delete(saved_ino, saved_dev);
24439 mnt_drop_write(nd.path.mnt);
24441 @@ -2411,6 +2519,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
24442 if (IS_ERR(dentry))
24445 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
24450 error = mnt_want_write(nd.path.mnt);
24453 @@ -2418,6 +2531,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
24455 goto out_drop_write;
24456 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
24458 + gr_handle_create(dentry, nd.path.mnt);
24460 mnt_drop_write(nd.path.mnt);
24462 @@ -2511,6 +2626,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
24463 error = PTR_ERR(new_dentry);
24464 if (IS_ERR(new_dentry))
24467 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
24468 + old_path.dentry->d_inode,
24469 + old_path.dentry->d_inode->i_mode, to)) {
24474 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
24475 + old_path.dentry, old_path.mnt, to)) {
24480 error = mnt_want_write(nd.path.mnt);
24483 @@ -2518,6 +2647,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
24485 goto out_drop_write;
24486 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
24488 + gr_handle_create(new_dentry, nd.path.mnt);
24490 mnt_drop_write(nd.path.mnt);
24492 @@ -2751,6 +2882,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
24493 if (new_dentry == trap)
24496 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
24497 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
24502 error = mnt_want_write(oldnd.path.mnt);
24505 @@ -2760,6 +2897,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
24507 error = vfs_rename(old_dir->d_inode, old_dentry,
24508 new_dir->d_inode, new_dentry);
24510 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
24511 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
24513 mnt_drop_write(oldnd.path.mnt);
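Review bot: The last argument to `gr_handle_rename`, `new_dentry->d_inode ? 1 : 0`, is evaluated after `vfs_rename` has already run, so whether it still means "a target existed and was replaced" depends on the rename path not clearing `new_dentry->d_inode`; that holds if `d_move` leaves it untouched, but nothing here records the assumption. A comment on the call, `/* new_dentry->d_inode is the overwritten target (if any); d_move() does not clear it */`, would document it, or the flag can be computed into a local before the `vfs_rename` call. The line between `vfs_rename` and the hook is elided, so the `if (!error)` guard cannot be confirmed from the listing. `SYSCALL_DEFINE4(renameat)` starts outside the hunk.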
24515 diff -urNp linux-2.6.31/fs/namespace.c linux-2.6.31/fs/namespace.c
24516 --- linux-2.6.31/fs/namespace.c 2009-08-27 20:59:04.000000000 -0400
24517 +++ linux-2.6.31/fs/namespace.c 2009-09-06 15:29:12.016049773 -0400
24518 @@ -1083,6 +1083,9 @@ static int do_umount(struct vfsmount *mn
24519 if (!(sb->s_flags & MS_RDONLY))
24520 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
24521 up_write(&sb->s_umount);
24523 + gr_log_remount(mnt->mnt_devname, retval);
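Review bot: `mnt->mnt_devname` is passed straight to `gr_log_remount`, and the same pointer is passed to `gr_log_unmount` in the next hunk; for mounts created without a device name this field may be NULL, so unless both loggers accept a NULL string the call should guard it, e.g. `gr_log_remount(mnt->mnt_devname ? mnt->mnt_devname : "none", retval);`. I cannot see the logger implementations from this hunk, so this is a point to verify rather than a confirmed defect. `do_umount` begins and ends outside the hunk.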
24528 @@ -1104,6 +1107,9 @@ static int do_umount(struct vfsmount *mn
24529 security_sb_umount_busy(mnt);
24530 up_write(&namespace_sem);
24531 release_mounts(&umount_list);
24533 + gr_log_unmount(mnt->mnt_devname, retval);
24538 @@ -1940,6 +1946,11 @@ long do_mount(char *dev_name, char *dir_
24542 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
24547 if (flags & MS_REMOUNT)
24548 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
24550 @@ -1954,6 +1965,9 @@ long do_mount(char *dev_name, char *dir_
24551 dev_name, data_page);
24555 + gr_log_mount(dev_name, dir_name, retval);
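Review bot: `dev_name` and `dir_name` reaching `gr_log_mount` are the strings copied in from user space, so the logger must treat them as untrusted — bound their length and escape or strip control characters (newlines in particular) before they land in the kernel log, or a caller can forge log lines. Whether the logger already does this is not visible from the hunk; a comment at the call, `/* dev_name/dir_name are user-supplied: the logger sanitises them */`, would record that expectation. `do_mount` starts outside the hunk.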
24560 @@ -2158,6 +2172,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
24564 + if (gr_handle_chroot_pivot()) {
24570 read_lock(¤t->fs->lock);
24571 root = current->fs->root;
24572 path_get(¤t->fs->root);
24573 diff -urNp linux-2.6.31/fs/nfs/client.c linux-2.6.31/fs/nfs/client.c
24574 --- linux-2.6.31/fs/nfs/client.c 2009-08-27 20:59:04.000000000 -0400
24575 +++ linux-2.6.31/fs/nfs/client.c 2009-09-06 15:29:12.017080496 -0400
24576 @@ -1533,7 +1533,7 @@ static void *nfs_server_list_next(struct
24577 static void nfs_server_list_stop(struct seq_file *p, void *v);
24578 static int nfs_server_list_show(struct seq_file *m, void *v);
24580 -static struct seq_operations nfs_server_list_ops = {
24581 +static const struct seq_operations nfs_server_list_ops = {
24582 .start = nfs_server_list_start,
24583 .next = nfs_server_list_next,
24584 .stop = nfs_server_list_stop,
24585 @@ -1554,7 +1554,7 @@ static void *nfs_volume_list_next(struct
24586 static void nfs_volume_list_stop(struct seq_file *p, void *v);
24587 static int nfs_volume_list_show(struct seq_file *m, void *v);
24589 -static struct seq_operations nfs_volume_list_ops = {
24590 +static const struct seq_operations nfs_volume_list_ops = {
24591 .start = nfs_volume_list_start,
24592 .next = nfs_volume_list_next,
24593 .stop = nfs_volume_list_stop,
24594 diff -urNp linux-2.6.31/fs/nfs/file.c linux-2.6.31/fs/nfs/file.c
24595 --- linux-2.6.31/fs/nfs/file.c 2009-08-27 20:59:04.000000000 -0400
24596 +++ linux-2.6.31/fs/nfs/file.c 2009-09-06 15:29:12.020133517 -0400
24597 @@ -59,7 +59,7 @@ static int nfs_lock(struct file *filp, i
24598 static int nfs_flock(struct file *filp, int cmd, struct file_lock *fl);
24599 static int nfs_setlease(struct file *file, long arg, struct file_lock **fl);
24601 -static struct vm_operations_struct nfs_file_vm_ops;
24602 +static const struct vm_operations_struct nfs_file_vm_ops;
24604 const struct file_operations nfs_file_operations = {
24605 .llseek = nfs_file_llseek,
24606 @@ -526,7 +526,7 @@ out_unlock:
24607 return VM_FAULT_SIGBUS;
24610 -static struct vm_operations_struct nfs_file_vm_ops = {
24611 +static const struct vm_operations_struct nfs_file_vm_ops = {
24612 .fault = filemap_fault,
24613 .page_mkwrite = nfs_vm_page_mkwrite,
24615 diff -urNp linux-2.6.31/fs/nfs/nfs4proc.c linux-2.6.31/fs/nfs/nfs4proc.c
24616 --- linux-2.6.31/fs/nfs/nfs4proc.c 2009-08-27 20:59:04.000000000 -0400
24617 +++ linux-2.6.31/fs/nfs/nfs4proc.c 2009-09-06 15:29:12.022060099 -0400
24618 @@ -1123,7 +1123,7 @@ static int _nfs4_do_open_reclaim(struct
24619 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
24621 struct nfs_server *server = NFS_SERVER(state->inode);
24622 - struct nfs4_exception exception = { };
24623 + struct nfs4_exception exception = {0, 0};
24626 err = _nfs4_do_open_reclaim(ctx, state);
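Review bot: Replacing `{ }` with `{0, 0}` hard-codes the number of members in `struct nfs4_exception`, so adding a field later produces missing-field-initializer warnings at every one of the ~30 sites changed in this file; the standard C form `struct nfs4_exception exception = { 0 };` zero-initializes the whole object regardless of member count and avoids the GCC empty-initializer extension just as well. The same applies to the `utf8_table` terminator in the nls_base.c hunk, where `{0, 0, 0, 0, 0, /* end of table */}` can be `{ 0 }`. In the ntfs/file.c hunk the initializer is dropped entirely, leaving `const struct file_operations ntfs_empty_file_ops;` as a tentative definition that C zero-fills; that is valid C but is rejected by C++ and flagged by some linters, so `= { 0 }` there keeps the intent explicit. `nfs4_do_open_reclaim` ends outside the hunk.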
24627 @@ -1165,7 +1165,7 @@ static int _nfs4_open_delegation_recall(
24629 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
24631 - struct nfs4_exception exception = { };
24632 + struct nfs4_exception exception = {0, 0};
24633 struct nfs_server *server = NFS_SERVER(state->inode);
24636 @@ -1481,7 +1481,7 @@ static int _nfs4_open_expired(struct nfs
24637 static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
24639 struct nfs_server *server = NFS_SERVER(state->inode);
24640 - struct nfs4_exception exception = { };
24641 + struct nfs4_exception exception = {0, 0};
24645 @@ -1579,7 +1579,7 @@ out_err:
24647 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
24649 - struct nfs4_exception exception = { };
24650 + struct nfs4_exception exception = {0, 0};
24651 struct nfs4_state *res;
24654 @@ -1670,7 +1670,7 @@ static int nfs4_do_setattr(struct inode
24655 struct nfs4_state *state)
24657 struct nfs_server *server = NFS_SERVER(inode);
24658 - struct nfs4_exception exception = { };
24659 + struct nfs4_exception exception = {0, 0};
24662 err = nfs4_handle_exception(server,
24663 @@ -2014,7 +2014,7 @@ static int _nfs4_server_capabilities(str
24665 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
24667 - struct nfs4_exception exception = { };
24668 + struct nfs4_exception exception = {0, 0};
24671 err = nfs4_handle_exception(server,
24672 @@ -2048,7 +2048,7 @@ static int _nfs4_lookup_root(struct nfs_
24673 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
24674 struct nfs_fsinfo *info)
24676 - struct nfs4_exception exception = { };
24677 + struct nfs4_exception exception = {0, 0};
24680 err = nfs4_handle_exception(server,
24681 @@ -2137,7 +2137,7 @@ static int _nfs4_proc_getattr(struct nfs
24683 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
24685 - struct nfs4_exception exception = { };
24686 + struct nfs4_exception exception = {0, 0};
24689 err = nfs4_handle_exception(server,
24690 @@ -2225,7 +2225,7 @@ static int nfs4_proc_lookupfh(struct nfs
24691 struct qstr *name, struct nfs_fh *fhandle,
24692 struct nfs_fattr *fattr)
24694 - struct nfs4_exception exception = { };
24695 + struct nfs4_exception exception = {0, 0};
24698 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
24699 @@ -2254,7 +2254,7 @@ static int _nfs4_proc_lookup(struct inod
24701 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
24703 - struct nfs4_exception exception = { };
24704 + struct nfs4_exception exception = {0, 0};
24707 err = nfs4_handle_exception(NFS_SERVER(dir),
24708 @@ -2318,7 +2318,7 @@ static int _nfs4_proc_access(struct inod
24710 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
24712 - struct nfs4_exception exception = { };
24713 + struct nfs4_exception exception = {0, 0};
24716 err = nfs4_handle_exception(NFS_SERVER(inode),
24717 @@ -2374,7 +2374,7 @@ static int _nfs4_proc_readlink(struct in
24718 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
24719 unsigned int pgbase, unsigned int pglen)
24721 - struct nfs4_exception exception = { };
24722 + struct nfs4_exception exception = {0, 0};
24725 err = nfs4_handle_exception(NFS_SERVER(inode),
24726 @@ -2472,7 +2472,7 @@ static int _nfs4_proc_remove(struct inod
24728 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
24730 - struct nfs4_exception exception = { };
24731 + struct nfs4_exception exception = {0, 0};
24734 err = nfs4_handle_exception(NFS_SERVER(dir),
24735 @@ -2546,7 +2546,7 @@ static int _nfs4_proc_rename(struct inod
24736 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
24737 struct inode *new_dir, struct qstr *new_name)
24739 - struct nfs4_exception exception = { };
24740 + struct nfs4_exception exception = {0, 0};
24743 err = nfs4_handle_exception(NFS_SERVER(old_dir),
24744 @@ -2593,7 +2593,7 @@ static int _nfs4_proc_link(struct inode
24746 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
24748 - struct nfs4_exception exception = { };
24749 + struct nfs4_exception exception = {0, 0};
24752 err = nfs4_handle_exception(NFS_SERVER(inode),
24753 @@ -2685,7 +2685,7 @@ out:
24754 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
24755 struct page *page, unsigned int len, struct iattr *sattr)
24757 - struct nfs4_exception exception = { };
24758 + struct nfs4_exception exception = {0, 0};
24761 err = nfs4_handle_exception(NFS_SERVER(dir),
24762 @@ -2716,7 +2716,7 @@ out:
24763 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
24764 struct iattr *sattr)
24766 - struct nfs4_exception exception = { };
24767 + struct nfs4_exception exception = {0, 0};
24770 err = nfs4_handle_exception(NFS_SERVER(dir),
24771 @@ -2765,7 +2765,7 @@ static int _nfs4_proc_readdir(struct den
24772 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
24773 u64 cookie, struct page *page, unsigned int count, int plus)
24775 - struct nfs4_exception exception = { };
24776 + struct nfs4_exception exception = {0, 0};
24779 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
24780 @@ -2813,7 +2813,7 @@ out:
24781 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
24782 struct iattr *sattr, dev_t rdev)
24784 - struct nfs4_exception exception = { };
24785 + struct nfs4_exception exception = {0, 0};
24788 err = nfs4_handle_exception(NFS_SERVER(dir),
24789 @@ -2845,7 +2845,7 @@ static int _nfs4_proc_statfs(struct nfs_
24791 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
24793 - struct nfs4_exception exception = { };
24794 + struct nfs4_exception exception = {0, 0};
24797 err = nfs4_handle_exception(server,
24798 @@ -2876,7 +2876,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
24800 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
24802 - struct nfs4_exception exception = { };
24803 + struct nfs4_exception exception = {0, 0};
24807 @@ -2922,7 +2922,7 @@ static int _nfs4_proc_pathconf(struct nf
24808 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
24809 struct nfs_pathconf *pathconf)
24811 - struct nfs4_exception exception = { };
24812 + struct nfs4_exception exception = {0, 0};
24816 @@ -3224,7 +3224,7 @@ out_free:
24818 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
24820 - struct nfs4_exception exception = { };
24821 + struct nfs4_exception exception = {0, 0};
24824 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
24825 @@ -3280,7 +3280,7 @@ static int __nfs4_proc_set_acl(struct in
24827 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
24829 - struct nfs4_exception exception = { };
24830 + struct nfs4_exception exception = {0, 0};
24833 err = nfs4_handle_exception(NFS_SERVER(inode),
24834 @@ -3545,7 +3545,7 @@ out:
24835 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
24837 struct nfs_server *server = NFS_SERVER(inode);
24838 - struct nfs4_exception exception = { };
24839 + struct nfs4_exception exception = {0, 0};
24842 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
24843 @@ -3618,7 +3618,7 @@ out:
24845 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
24847 - struct nfs4_exception exception = { };
24848 + struct nfs4_exception exception = {0, 0};
24852 @@ -3992,7 +3992,7 @@ static int _nfs4_do_setlk(struct nfs4_st
24853 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
24855 struct nfs_server *server = NFS_SERVER(state->inode);
24856 - struct nfs4_exception exception = { };
24857 + struct nfs4_exception exception = {0, 0};
24861 @@ -4010,7 +4010,7 @@ static int nfs4_lock_reclaim(struct nfs4
24862 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
24864 struct nfs_server *server = NFS_SERVER(state->inode);
24865 - struct nfs4_exception exception = { };
24866 + struct nfs4_exception exception = {0, 0};
24869 err = nfs4_set_lock_state(state, request);
24870 @@ -4065,7 +4065,7 @@ out:
24872 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
24874 - struct nfs4_exception exception = { };
24875 + struct nfs4_exception exception = {0, 0};
24879 @@ -4125,7 +4125,7 @@ nfs4_proc_lock(struct file *filp, int cm
24880 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
24882 struct nfs_server *server = NFS_SERVER(state->inode);
24883 - struct nfs4_exception exception = { };
24884 + struct nfs4_exception exception = {0, 0};
24887 err = nfs4_set_lock_state(state, fl);
24888 diff -urNp linux-2.6.31/fs/nfsd/export.c linux-2.6.31/fs/nfsd/export.c
24889 --- linux-2.6.31/fs/nfsd/export.c 2009-08-27 20:59:04.000000000 -0400
24890 +++ linux-2.6.31/fs/nfsd/export.c 2009-09-06 15:29:12.022060099 -0400
24891 @@ -1505,7 +1505,7 @@ static int e_show(struct seq_file *m, vo
24892 return svc_export_show(m, &svc_export_cache, cp);
24895 -struct seq_operations nfs_exports_op = {
24896 +const struct seq_operations nfs_exports_op = {
24900 diff -urNp linux-2.6.31/fs/nfsd/nfsctl.c linux-2.6.31/fs/nfsd/nfsctl.c
24901 --- linux-2.6.31/fs/nfsd/nfsctl.c 2009-08-27 20:59:04.000000000 -0400
24902 +++ linux-2.6.31/fs/nfsd/nfsctl.c 2009-09-06 15:29:12.023003976 -0400
24903 @@ -174,7 +174,7 @@ static const struct file_operations expo
24905 extern int nfsd_pool_stats_open(struct inode *inode, struct file *file);
24907 -static struct file_operations pool_stats_operations = {
24908 +static const struct file_operations pool_stats_operations = {
24909 .open = nfsd_pool_stats_open,
24911 .llseek = seq_lseek,
24912 diff -urNp linux-2.6.31/fs/nilfs2/btnode.c linux-2.6.31/fs/nilfs2/btnode.c
24913 --- linux-2.6.31/fs/nilfs2/btnode.c 2009-09-06 19:00:55.780302780 -0400
24914 +++ linux-2.6.31/fs/nilfs2/btnode.c 2009-09-06 19:01:14.418463427 -0400
24915 @@ -46,7 +46,7 @@ void nilfs_btnode_cache_init_once(struct
24916 INIT_LIST_HEAD(&btnc->i_mmap_nonlinear);
24919 -static struct address_space_operations def_btnode_aops = {
24920 +static const struct address_space_operations def_btnode_aops = {
24921 .sync_page = block_sync_page,
24924 diff -urNp linux-2.6.31/fs/nilfs2/dir.c linux-2.6.31/fs/nilfs2/dir.c
24925 --- linux-2.6.31/fs/nilfs2/dir.c 2009-08-27 20:59:04.000000000 -0400
24926 +++ linux-2.6.31/fs/nilfs2/dir.c 2009-09-06 15:29:12.024025709 -0400
24927 @@ -697,7 +697,7 @@ not_empty:
24931 -struct file_operations nilfs_dir_operations = {
24932 +const struct file_operations nilfs_dir_operations = {
24933 .llseek = generic_file_llseek,
24934 .read = generic_read_dir,
24935 .readdir = nilfs_readdir,
24936 diff -urNp linux-2.6.31/fs/nilfs2/file.c linux-2.6.31/fs/nilfs2/file.c
24937 --- linux-2.6.31/fs/nilfs2/file.c 2009-08-27 20:59:04.000000000 -0400
24938 +++ linux-2.6.31/fs/nilfs2/file.c 2009-09-06 15:29:12.024025709 -0400
24939 @@ -117,7 +117,7 @@ static int nilfs_page_mkwrite(struct vm_
24943 -struct vm_operations_struct nilfs_file_vm_ops = {
24944 +const struct vm_operations_struct nilfs_file_vm_ops = {
24945 .fault = filemap_fault,
24946 .page_mkwrite = nilfs_page_mkwrite,
24948 @@ -134,7 +134,7 @@ static int nilfs_file_mmap(struct file *
24949 * We have mostly NULL's here: the current defaults are ok for
24950 * the nilfs filesystem.
24952 -struct file_operations nilfs_file_operations = {
24953 +const struct file_operations nilfs_file_operations = {
24954 .llseek = generic_file_llseek,
24955 .read = do_sync_read,
24956 .write = do_sync_write,
24957 @@ -151,7 +151,7 @@ struct file_operations nilfs_file_operat
24958 .splice_read = generic_file_splice_read,
24961 -struct inode_operations nilfs_file_inode_operations = {
24962 +const struct inode_operations nilfs_file_inode_operations = {
24963 .truncate = nilfs_truncate,
24964 .setattr = nilfs_setattr,
24965 .permission = nilfs_permission,
24966 diff -urNp linux-2.6.31/fs/nilfs2/gcinode.c linux-2.6.31/fs/nilfs2/gcinode.c
24967 --- linux-2.6.31/fs/nilfs2/gcinode.c 2009-08-27 20:59:04.000000000 -0400
24968 +++ linux-2.6.31/fs/nilfs2/gcinode.c 2009-09-06 15:29:12.024025709 -0400
24973 -static struct address_space_operations def_gcinode_aops = {
24974 +static const struct address_space_operations def_gcinode_aops = {
24975 .sync_page = block_sync_page,
24978 diff -urNp linux-2.6.31/fs/nilfs2/inode.c linux-2.6.31/fs/nilfs2/inode.c
24979 --- linux-2.6.31/fs/nilfs2/inode.c 2009-08-27 20:59:04.000000000 -0400
24980 +++ linux-2.6.31/fs/nilfs2/inode.c 2009-09-06 15:29:12.025009296 -0400
24981 @@ -238,7 +238,7 @@ nilfs_direct_IO(int rw, struct kiocb *io
24985 -struct address_space_operations nilfs_aops = {
24986 +const struct address_space_operations nilfs_aops = {
24987 .writepage = nilfs_writepage,
24988 .readpage = nilfs_readpage,
24989 .sync_page = block_sync_page,
24990 diff -urNp linux-2.6.31/fs/nilfs2/mdt.c linux-2.6.31/fs/nilfs2/mdt.c
24991 --- linux-2.6.31/fs/nilfs2/mdt.c 2009-08-27 20:59:04.000000000 -0400
24992 +++ linux-2.6.31/fs/nilfs2/mdt.c 2009-09-06 15:29:12.025009296 -0400
24993 @@ -430,7 +430,7 @@ nilfs_mdt_write_page(struct page *page,
24997 -static struct address_space_operations def_mdt_aops = {
24998 +static const struct address_space_operations def_mdt_aops = {
24999 .writepage = nilfs_mdt_write_page,
25000 .sync_page = block_sync_page,
25002 diff -urNp linux-2.6.31/fs/nilfs2/namei.c linux-2.6.31/fs/nilfs2/namei.c
25003 --- linux-2.6.31/fs/nilfs2/namei.c 2009-08-27 20:59:04.000000000 -0400
25004 +++ linux-2.6.31/fs/nilfs2/namei.c 2009-09-06 15:29:12.025919717 -0400
25005 @@ -448,7 +448,7 @@ out:
25009 -struct inode_operations nilfs_dir_inode_operations = {
25010 +const struct inode_operations nilfs_dir_inode_operations = {
25011 .create = nilfs_create,
25012 .lookup = nilfs_lookup,
25013 .link = nilfs_link,
25014 @@ -462,12 +462,12 @@ struct inode_operations nilfs_dir_inode_
25015 .permission = nilfs_permission,
25018 -struct inode_operations nilfs_special_inode_operations = {
25019 +const struct inode_operations nilfs_special_inode_operations = {
25020 .setattr = nilfs_setattr,
25021 .permission = nilfs_permission,
25024 -struct inode_operations nilfs_symlink_inode_operations = {
25025 +const struct inode_operations nilfs_symlink_inode_operations = {
25026 .readlink = generic_readlink,
25027 .follow_link = page_follow_link_light,
25028 .put_link = page_put_link,
25029 diff -urNp linux-2.6.31/fs/nilfs2/nilfs.h linux-2.6.31/fs/nilfs2/nilfs.h
25030 --- linux-2.6.31/fs/nilfs2/nilfs.h 2009-08-27 20:59:04.000000000 -0400
25031 +++ linux-2.6.31/fs/nilfs2/nilfs.h 2009-09-06 15:29:12.025919717 -0400
25032 @@ -294,13 +294,13 @@ void nilfs_clear_gcdat_inode(struct the_
25034 * Inodes and files operations
25036 -extern struct file_operations nilfs_dir_operations;
25037 -extern struct inode_operations nilfs_file_inode_operations;
25038 -extern struct file_operations nilfs_file_operations;
25039 -extern struct address_space_operations nilfs_aops;
25040 -extern struct inode_operations nilfs_dir_inode_operations;
25041 -extern struct inode_operations nilfs_special_inode_operations;
25042 -extern struct inode_operations nilfs_symlink_inode_operations;
25043 +extern const struct file_operations nilfs_dir_operations;
25044 +extern const struct inode_operations nilfs_file_inode_operations;
25045 +extern const struct file_operations nilfs_file_operations;
25046 +extern const struct address_space_operations nilfs_aops;
25047 +extern const struct inode_operations nilfs_dir_inode_operations;
25048 +extern const struct inode_operations nilfs_special_inode_operations;
25049 +extern const struct inode_operations nilfs_symlink_inode_operations;
25053 diff -urNp linux-2.6.31/fs/nilfs2/super.c linux-2.6.31/fs/nilfs2/super.c
25054 --- linux-2.6.31/fs/nilfs2/super.c 2009-08-27 20:59:04.000000000 -0400
25055 +++ linux-2.6.31/fs/nilfs2/super.c 2009-09-06 15:29:12.026942095 -0400
25056 @@ -529,7 +529,7 @@ static int nilfs_statfs(struct dentry *d
25060 -static struct super_operations nilfs_sops = {
25061 +static const struct super_operations nilfs_sops = {
25062 .alloc_inode = nilfs_alloc_inode,
25063 .destroy_inode = nilfs_destroy_inode,
25064 .dirty_inode = nilfs_dirty_inode,
25065 diff -urNp linux-2.6.31/fs/nls/nls_base.c linux-2.6.31/fs/nls/nls_base.c
25066 --- linux-2.6.31/fs/nls/nls_base.c 2009-08-27 20:59:04.000000000 -0400
25067 +++ linux-2.6.31/fs/nls/nls_base.c 2009-09-06 15:29:12.026942095 -0400
25068 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
25069 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
25070 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
25071 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
25072 - {0, /* end of table */}
25073 + {0, 0, 0, 0, 0, /* end of table */}
25076 #define UNICODE_MAX 0x0010ffff
25077 diff -urNp linux-2.6.31/fs/ntfs/file.c linux-2.6.31/fs/ntfs/file.c
25078 --- linux-2.6.31/fs/ntfs/file.c 2009-08-27 20:59:04.000000000 -0400
25079 +++ linux-2.6.31/fs/ntfs/file.c 2009-09-06 15:29:12.027976092 -0400
25080 @@ -2291,6 +2291,6 @@ const struct inode_operations ntfs_file_
25081 #endif /* NTFS_RW */
25084 -const struct file_operations ntfs_empty_file_ops = {};
25085 +const struct file_operations ntfs_empty_file_ops;
25087 -const struct inode_operations ntfs_empty_inode_ops = {};
25088 +const struct inode_operations ntfs_empty_inode_ops;
25089 diff -urNp linux-2.6.31/fs/ocfs2/cluster/heartbeat.c linux-2.6.31/fs/ocfs2/cluster/heartbeat.c
25090 --- linux-2.6.31/fs/ocfs2/cluster/heartbeat.c 2009-08-27 20:59:04.000000000 -0400
25091 +++ linux-2.6.31/fs/ocfs2/cluster/heartbeat.c 2009-09-06 15:29:12.027976092 -0400
25092 @@ -966,7 +966,7 @@ static ssize_t o2hb_debug_read(struct fi
25094 #endif /* CONFIG_DEBUG_FS */
25096 -static struct file_operations o2hb_debug_fops = {
25097 +static const struct file_operations o2hb_debug_fops = {
25098 .open = o2hb_debug_open,
25099 .release = o2hb_debug_release,
25100 .read = o2hb_debug_read,
25101 diff -urNp linux-2.6.31/fs/ocfs2/cluster/netdebug.c linux-2.6.31/fs/ocfs2/cluster/netdebug.c
25102 --- linux-2.6.31/fs/ocfs2/cluster/netdebug.c 2009-08-27 20:59:04.000000000 -0400
25103 +++ linux-2.6.31/fs/ocfs2/cluster/netdebug.c 2009-09-06 15:29:12.028908816 -0400
25104 @@ -163,7 +163,7 @@ static void nst_seq_stop(struct seq_file
25108 -static struct seq_operations nst_seq_ops = {
25109 +static const struct seq_operations nst_seq_ops = {
25110 .start = nst_seq_start,
25111 .next = nst_seq_next,
25112 .stop = nst_seq_stop,
25113 @@ -207,7 +207,7 @@ static int nst_fop_release(struct inode
25114 return seq_release_private(inode, file);
25117 -static struct file_operations nst_seq_fops = {
25118 +static const struct file_operations nst_seq_fops = {
25119 .open = nst_fop_open,
25121 .llseek = seq_lseek,
25122 @@ -344,7 +344,7 @@ static void sc_seq_stop(struct seq_file
25126 -static struct seq_operations sc_seq_ops = {
25127 +static const struct seq_operations sc_seq_ops = {
25128 .start = sc_seq_start,
25129 .next = sc_seq_next,
25130 .stop = sc_seq_stop,
25131 @@ -388,7 +388,7 @@ static int sc_fop_release(struct inode *
25132 return seq_release_private(inode, file);
25135 -static struct file_operations sc_seq_fops = {
25136 +static const struct file_operations sc_seq_fops = {
25137 .open = sc_fop_open,
25139 .llseek = seq_lseek,
25140 diff -urNp linux-2.6.31/fs/ocfs2/dlm/dlmdebug.c linux-2.6.31/fs/ocfs2/dlm/dlmdebug.c
25141 --- linux-2.6.31/fs/ocfs2/dlm/dlmdebug.c 2009-08-27 20:59:04.000000000 -0400
25142 +++ linux-2.6.31/fs/ocfs2/dlm/dlmdebug.c 2009-09-06 15:29:12.028908816 -0400
25143 @@ -479,7 +479,7 @@ bail:
25147 -static struct file_operations debug_purgelist_fops = {
25148 +static const struct file_operations debug_purgelist_fops = {
25149 .open = debug_purgelist_open,
25150 .release = debug_buffer_release,
25151 .read = debug_buffer_read,
25152 @@ -539,7 +539,7 @@ bail:
25156 -static struct file_operations debug_mle_fops = {
25157 +static const struct file_operations debug_mle_fops = {
25158 .open = debug_mle_open,
25159 .release = debug_buffer_release,
25160 .read = debug_buffer_read,
25161 @@ -683,7 +683,7 @@ static int lockres_seq_show(struct seq_f
25165 -static struct seq_operations debug_lockres_ops = {
25166 +static const struct seq_operations debug_lockres_ops = {
25167 .start = lockres_seq_start,
25168 .stop = lockres_seq_stop,
25169 .next = lockres_seq_next,
25170 @@ -742,7 +742,7 @@ static int debug_lockres_release(struct
25171 return seq_release_private(inode, file);
25174 -static struct file_operations debug_lockres_fops = {
25175 +static const struct file_operations debug_lockres_fops = {
25176 .open = debug_lockres_open,
25177 .release = debug_lockres_release,
25179 @@ -926,7 +926,7 @@ bail:
25183 -static struct file_operations debug_state_fops = {
25184 +static const struct file_operations debug_state_fops = {
25185 .open = debug_state_open,
25186 .release = debug_buffer_release,
25187 .read = debug_buffer_read,
25188 diff -urNp linux-2.6.31/fs/ocfs2/localalloc.c linux-2.6.31/fs/ocfs2/localalloc.c
25189 --- linux-2.6.31/fs/ocfs2/localalloc.c 2009-08-27 20:59:04.000000000 -0400
25190 +++ linux-2.6.31/fs/ocfs2/localalloc.c 2009-09-06 15:29:12.029906981 -0400
25191 @@ -1186,7 +1186,7 @@ static int ocfs2_local_alloc_slide_windo
25195 - atomic_inc(&osb->alloc_stats.moves);
25196 + atomic_inc_unchecked(&osb->alloc_stats.moves);
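Review bot: The switch to `atomic_inc_unchecked` here, in the suballoc.c and super.c hunks and for the `ocfs2_alloc_stats` members in the ocfs2.h hunk is not explained anywhere in the code, so a later maintainer could reasonably "restore" the checked variants or add a new counter with plain `atomic_t`. A comment on the struct in ocfs2.h records the reason: `/* statistics only: wrap-around is harmless, so these are exempt from reference-count overflow checking */`. The rationale is inferred from the members being read only for the `ocfs2_osb_dump` output in the super.c hunk; please confirm no other user treats them as counts that must not wrap. `ocfs2_local_alloc_slide_window` starts and ends outside the hunk.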
25200 diff -urNp linux-2.6.31/fs/ocfs2/mmap.c linux-2.6.31/fs/ocfs2/mmap.c
25201 --- linux-2.6.31/fs/ocfs2/mmap.c 2009-08-27 20:59:04.000000000 -0400
25202 +++ linux-2.6.31/fs/ocfs2/mmap.c 2009-09-06 15:29:12.029906981 -0400
25203 @@ -202,7 +202,7 @@ out:
25207 -static struct vm_operations_struct ocfs2_file_vm_ops = {
25208 +static const struct vm_operations_struct ocfs2_file_vm_ops = {
25209 .fault = ocfs2_fault,
25210 .page_mkwrite = ocfs2_page_mkwrite,
25212 diff -urNp linux-2.6.31/fs/ocfs2/ocfs2.h linux-2.6.31/fs/ocfs2/ocfs2.h
25213 --- linux-2.6.31/fs/ocfs2/ocfs2.h 2009-08-27 20:59:04.000000000 -0400
25214 +++ linux-2.6.31/fs/ocfs2/ocfs2.h 2009-09-06 15:29:12.029906981 -0400
25215 @@ -191,11 +191,11 @@ enum ocfs2_vol_state
25217 struct ocfs2_alloc_stats
25220 - atomic_t local_data;
25221 - atomic_t bitmap_data;
25222 - atomic_t bg_allocs;
25223 - atomic_t bg_extends;
25224 + atomic_unchecked_t moves;
25225 + atomic_unchecked_t local_data;
25226 + atomic_unchecked_t bitmap_data;
25227 + atomic_unchecked_t bg_allocs;
25228 + atomic_unchecked_t bg_extends;
25231 enum ocfs2_local_alloc_state
25232 diff -urNp linux-2.6.31/fs/ocfs2/suballoc.c linux-2.6.31/fs/ocfs2/suballoc.c
25233 --- linux-2.6.31/fs/ocfs2/suballoc.c 2009-08-27 20:59:04.000000000 -0400
25234 +++ linux-2.6.31/fs/ocfs2/suballoc.c 2009-09-06 15:29:12.031008567 -0400
25235 @@ -620,7 +620,7 @@ static int ocfs2_reserve_suballoc_bits(s
25236 mlog_errno(status);
25239 - atomic_inc(&osb->alloc_stats.bg_extends);
25240 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
25242 /* You should never ask for this much metadata */
25243 BUG_ON(bits_wanted >
25244 @@ -1650,7 +1650,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
25245 mlog_errno(status);
25248 - atomic_inc(&osb->alloc_stats.bg_allocs);
25249 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
25251 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
25252 ac->ac_bits_given += (*num_bits);
25253 @@ -1724,7 +1724,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
25254 mlog_errno(status);
25257 - atomic_inc(&osb->alloc_stats.bg_allocs);
25258 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
25260 BUG_ON(num_bits != 1);
25262 @@ -1826,7 +1826,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
25266 - atomic_inc(&osb->alloc_stats.local_data);
25267 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
25269 if (min_clusters > (osb->bitmap_cpg - 1)) {
25270 /* The only paths asking for contiguousness
25271 @@ -1854,7 +1854,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
25272 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
25275 - atomic_inc(&osb->alloc_stats.bitmap_data);
25276 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
25280 diff -urNp linux-2.6.31/fs/ocfs2/super.c linux-2.6.31/fs/ocfs2/super.c
25281 --- linux-2.6.31/fs/ocfs2/super.c 2009-08-27 20:59:04.000000000 -0400
25282 +++ linux-2.6.31/fs/ocfs2/super.c 2009-09-06 15:29:12.031008567 -0400
25283 @@ -284,11 +284,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
25284 "%10s => GlobalAllocs: %d LocalAllocs: %d "
25285 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
25287 - atomic_read(&osb->alloc_stats.bitmap_data),
25288 - atomic_read(&osb->alloc_stats.local_data),
25289 - atomic_read(&osb->alloc_stats.bg_allocs),
25290 - atomic_read(&osb->alloc_stats.moves),
25291 - atomic_read(&osb->alloc_stats.bg_extends));
25292 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
25293 + atomic_read_unchecked(&osb->alloc_stats.local_data),
25294 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
25295 + atomic_read_unchecked(&osb->alloc_stats.moves),
25296 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
25298 out += snprintf(buf + out, len - out,
25299 "%10s => State: %u Descriptor: %llu Size: %u bits "
25300 @@ -373,7 +373,7 @@ static ssize_t ocfs2_debug_read(struct f
25302 #endif /* CONFIG_DEBUG_FS */
25304 -static struct file_operations ocfs2_osb_debug_fops = {
25305 +static const struct file_operations ocfs2_osb_debug_fops = {
25306 .open = ocfs2_osb_debug_open,
25307 .release = ocfs2_debug_release,
25308 .read = ocfs2_debug_read,
25309 @@ -1991,11 +1991,11 @@ static int ocfs2_initialize_super(struct
25310 spin_lock_init(&osb->osb_xattr_lock);
25311 ocfs2_init_inode_steal_slot(osb);
25313 - atomic_set(&osb->alloc_stats.moves, 0);
25314 - atomic_set(&osb->alloc_stats.local_data, 0);
25315 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
25316 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
25317 - atomic_set(&osb->alloc_stats.bg_extends, 0);
25318 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
25319 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
25320 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
25321 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
25322 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
25324 /* Copy the blockcheck stats from the superblock probe */
25325 osb->osb_ecc_stats = *stats;
25326 diff -urNp linux-2.6.31/fs/omfs/dir.c linux-2.6.31/fs/omfs/dir.c
25327 --- linux-2.6.31/fs/omfs/dir.c 2009-08-27 20:59:04.000000000 -0400
25328 +++ linux-2.6.31/fs/omfs/dir.c 2009-09-06 15:29:12.031927279 -0400
25329 @@ -489,7 +489,7 @@ out:
25333 -struct inode_operations omfs_dir_inops = {
25334 +const struct inode_operations omfs_dir_inops = {
25335 .lookup = omfs_lookup,
25336 .mkdir = omfs_mkdir,
25337 .rename = omfs_rename,
25338 @@ -498,7 +498,7 @@ struct inode_operations omfs_dir_inops =
25339 .rmdir = omfs_rmdir,
25342 -struct file_operations omfs_dir_operations = {
25343 +const struct file_operations omfs_dir_operations = {
25344 .read = generic_read_dir,
25345 .readdir = omfs_readdir,
25346 .llseek = generic_file_llseek,
25347 diff -urNp linux-2.6.31/fs/omfs/file.c linux-2.6.31/fs/omfs/file.c
25348 --- linux-2.6.31/fs/omfs/file.c 2009-08-27 20:59:04.000000000 -0400
25349 +++ linux-2.6.31/fs/omfs/file.c 2009-09-06 15:29:12.031927279 -0400
25350 @@ -322,7 +322,7 @@ static sector_t omfs_bmap(struct address
25351 return generic_block_bmap(mapping, block, omfs_get_block);
25354 -struct file_operations omfs_file_operations = {
25355 +const struct file_operations omfs_file_operations = {
25356 .llseek = generic_file_llseek,
25357 .read = do_sync_read,
25358 .write = do_sync_write,
25359 @@ -333,11 +333,11 @@ struct file_operations omfs_file_operati
25360 .splice_read = generic_file_splice_read,
25363 -struct inode_operations omfs_file_inops = {
25364 +const struct inode_operations omfs_file_inops = {
25365 .truncate = omfs_truncate
25368 -struct address_space_operations omfs_aops = {
25369 +const struct address_space_operations omfs_aops = {
25370 .readpage = omfs_readpage,
25371 .readpages = omfs_readpages,
25372 .writepage = omfs_writepage,
25373 diff -urNp linux-2.6.31/fs/omfs/inode.c linux-2.6.31/fs/omfs/inode.c
25374 --- linux-2.6.31/fs/omfs/inode.c 2009-08-27 20:59:04.000000000 -0400
25375 +++ linux-2.6.31/fs/omfs/inode.c 2009-09-06 15:29:12.031927279 -0400
25376 @@ -278,7 +278,7 @@ static int omfs_statfs(struct dentry *de
25380 -static struct super_operations omfs_sops = {
25381 +static const struct super_operations omfs_sops = {
25382 .write_inode = omfs_write_inode,
25383 .delete_inode = omfs_delete_inode,
25384 .put_super = omfs_put_super,
25385 diff -urNp linux-2.6.31/fs/omfs/omfs.h linux-2.6.31/fs/omfs/omfs.h
25386 --- linux-2.6.31/fs/omfs/omfs.h 2009-08-27 20:59:04.000000000 -0400
25387 +++ linux-2.6.31/fs/omfs/omfs.h 2009-09-06 15:29:12.033003469 -0400
25388 @@ -44,16 +44,16 @@ extern int omfs_allocate_range(struct su
25389 extern int omfs_clear_range(struct super_block *sb, u64 block, int count);
25392 -extern struct file_operations omfs_dir_operations;
25393 -extern struct inode_operations omfs_dir_inops;
25394 +extern const struct file_operations omfs_dir_operations;
25395 +extern const struct inode_operations omfs_dir_inops;
25396 extern int omfs_make_empty(struct inode *inode, struct super_block *sb);
25397 extern int omfs_is_bad(struct omfs_sb_info *sbi, struct omfs_header *header,
25401 -extern struct file_operations omfs_file_operations;
25402 -extern struct inode_operations omfs_file_inops;
25403 -extern struct address_space_operations omfs_aops;
25404 +extern const struct file_operations omfs_file_operations;
25405 +extern const struct inode_operations omfs_file_inops;
25406 +extern const struct address_space_operations omfs_aops;
25407 extern void omfs_make_empty_table(struct buffer_head *bh, int offset);
25408 extern int omfs_shrink_inode(struct inode *inode);
25410 diff -urNp linux-2.6.31/fs/open.c linux-2.6.31/fs/open.c
25411 --- linux-2.6.31/fs/open.c 2009-08-27 20:59:04.000000000 -0400
25412 +++ linux-2.6.31/fs/open.c 2009-09-06 15:29:12.033003469 -0400
25413 @@ -206,6 +206,9 @@ int do_truncate(struct dentry *dentry, l
25417 + if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
25420 newattrs.ia_size = length;
25421 newattrs.ia_valid = ATTR_SIZE | time_attrs;
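Review bot: The new guard is conditioned on `filp`, so callers of do_truncate that pass a NULL file pointer (the path-based truncate entry, for instance) skip the `gr_acl_handle_truncate` check entirely; if those callers are covered by a check elsewhere, that is not visible here and deserves a comment. A one-line note above the condition would spare the next reader the same question: `/* filp == NULL callers are ACL-checked by their own entry point */` (or, if that is not the case, the check should not depend on filp). The body of do_truncate continues outside the hunk, and the line following the condition is not shown on this page.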
25423 @@ -510,6 +513,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
25424 if (__mnt_is_readonly(path.mnt))
25427 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
25433 @@ -536,6 +542,8 @@ SYSCALL_DEFINE1(chdir, const char __user
25437 + gr_log_chdir(path.dentry, path.mnt);
25439 set_fs_pwd(current->fs, &path);
25442 @@ -562,6 +570,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
25445 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
25447 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
25451 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
25454 set_fs_pwd(current->fs, &file->f_path);
25456 @@ -587,7 +602,18 @@ SYSCALL_DEFINE1(chroot, const char __use
25457 if (!capable(CAP_SYS_CHROOT))
25460 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
25461 + goto dput_and_out;
25463 + if (gr_handle_chroot_caps(&path)) {
25465 + goto dput_and_out;
25468 set_fs_root(current->fs, &path);
25470 + gr_handle_chroot_chdir(&path);
25475 @@ -615,13 +641,28 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
25476 err = mnt_want_write_file(file);
25480 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
25482 + goto out_drop_write;
25485 mutex_lock(&inode->i_mutex);
25486 if (mode == (mode_t) -1)
25487 mode = inode->i_mode;
25489 + if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) {
25491 + mutex_unlock(&inode->i_mutex);
25492 + goto out_drop_write;
25495 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
25496 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
25497 err = notify_change(dentry, &newattrs);
25498 mutex_unlock(&inode->i_mutex);
25501 mnt_drop_write(file->f_path.mnt);
25504 @@ -644,13 +685,28 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
25505 error = mnt_want_write(path.mnt);
25509 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
25511 + goto out_drop_write;
25514 mutex_lock(&inode->i_mutex);
25515 if (mode == (mode_t) -1)
25516 mode = inode->i_mode;
25518 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
25520 + mutex_unlock(&inode->i_mutex);
25521 + goto out_drop_write;
25524 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
25525 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
25526 error = notify_change(path.dentry, &newattrs);
25527 mutex_unlock(&inode->i_mutex);
25530 mnt_drop_write(path.mnt);
25533 @@ -663,12 +719,15 @@ SYSCALL_DEFINE2(chmod, const char __user
25534 return sys_fchmodat(AT_FDCWD, filename, mode);
25537 -static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
25538 +static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
25540 struct inode *inode = dentry->d_inode;
25542 struct iattr newattrs;
25544 + if (!gr_acl_handle_chown(dentry, mnt))
25547 newattrs.ia_valid = ATTR_CTIME;
25548 if (user != (uid_t) -1) {
25549 newattrs.ia_valid |= ATTR_UID;
25550 @@ -699,7 +758,7 @@ SYSCALL_DEFINE3(chown, const char __user
25551 error = cow_check_and_break(&path);
25554 - error = chown_common(path.dentry, user, group);
25555 + error = chown_common(path.dentry, user, group, path.mnt);
25556 mnt_drop_write(path.mnt);
25559 @@ -724,7 +783,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
25560 error = cow_check_and_break(&path);
25563 - error = chown_common(path.dentry, user, group);
25564 + error = chown_common(path.dentry, user, group, path.mnt);
25565 mnt_drop_write(path.mnt);
25568 @@ -743,7 +802,7 @@ SYSCALL_DEFINE3(lchown, const char __use
25569 error = cow_check_and_break(&path);
25572 - error = chown_common(path.dentry, user, group);
25573 + error = chown_common(path.dentry, user, group, path.mnt);
25574 mnt_drop_write(path.mnt);
25577 @@ -766,7 +825,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
25579 dentry = file->f_path.dentry;
25580 audit_inode(NULL, dentry);
25581 - error = chown_common(dentry, user, group);
25582 + error = chown_common(dentry, user, group, file->f_path.mnt);
25583 mnt_drop_write(file->f_path.mnt);
25586 diff -urNp linux-2.6.31/fs/pipe.c linux-2.6.31/fs/pipe.c
25587 --- linux-2.6.31/fs/pipe.c 2009-08-27 20:59:04.000000000 -0400
25588 +++ linux-2.6.31/fs/pipe.c 2009-09-06 15:29:12.033923207 -0400
25589 @@ -886,7 +886,7 @@ void free_pipe_info(struct inode *inode)
25590 inode->i_pipe = NULL;
25593 -static struct vfsmount *pipe_mnt __read_mostly;
25594 +struct vfsmount *pipe_mnt __read_mostly;
25595 static int pipefs_delete_dentry(struct dentry *dentry)
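Review bot: Dropping `static` from `pipe_mnt` turns it into a global symbol with no prototype in scope in this file, which sparse and `-Wmissing-variable-declarations` will flag ("symbol was not declared. Should it be static?"). The consumer presumably lives outside fs/pipe.c; the matching `extern struct vfsmount *pipe_mnt;` belongs in a header that both sides include rather than a local `extern` in the consumer, so the type stays checked in one place. Whether such a header declaration is added elsewhere in the patch is not visible from this hunk.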
25598 diff -urNp linux-2.6.31/fs/proc/array.c linux-2.6.31/fs/proc/array.c
25599 --- linux-2.6.31/fs/proc/array.c 2009-08-27 20:59:04.000000000 -0400
25600 +++ linux-2.6.31/fs/proc/array.c 2009-09-06 15:29:12.033923207 -0400
25601 @@ -321,6 +321,21 @@ static inline void task_context_switch_c
25605 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
25606 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
25609 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
25610 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
25611 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
25612 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
25613 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
25614 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
25616 + seq_printf(m, "PaX:\t-----\n");
25620 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
25621 struct pid *pid, struct task_struct *task)
25623 @@ -340,9 +355,20 @@ int proc_pid_status(struct seq_file *m,
25624 task_show_regs(m, task);
25626 task_context_switch_counts(m, task);
25628 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
25629 + task_pax(m, task);
25635 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
25636 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
25637 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
25638 + _mm->pax_flags & MF_PAX_SEGMEXEC))
25641 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
25642 struct pid *pid, struct task_struct *task, int whole)
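Review bot: The `PAX_RAND_FLAGS(_mm)` macro is defined verbatim three times in this patch (here, fs/proc/base.c in the proc_pid_auxv hunk, and fs/proc/task_mmu.c in the do_maps_open hunk), so the three copies can drift apart independently; fs/proc/internal.h is already touched by the patch and is the natural single home for it. While moving it, the argument should be parenthesised and the two flag tests collapsed into one mask: `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. The call sites pass plain `mm` and `vma->vm_mm`, so behaviour is unchanged.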
25644 @@ -439,6 +465,19 @@ static int do_task_stat(struct seq_file
25645 gtime = task_gtime(task);
25648 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
25649 + if (PAX_RAND_FLAGS(mm)) {
25655 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25661 /* scale priority and nice values from timeslices to -20..20 */
25662 /* to make it look like a "normal" Unix priority/nice value */
25663 priority = task_prio(task);
25664 @@ -479,9 +518,15 @@ static int do_task_stat(struct seq_file
25666 mm ? get_mm_rss(mm) : 0,
25668 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
25669 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
25670 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
25671 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
25673 mm ? mm->start_code : 0,
25674 mm ? mm->end_code : 0,
25675 (permitted && mm) ? mm->start_stack : 0,
25679 /* The signal information here is obsolete.
25680 @@ -534,3 +579,10 @@ int proc_pid_statm(struct seq_file *m, s
25685 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
25686 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
25688 + return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
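Review bot: `NIPQUAD` is the legacy way to print an IPv4 address; the printk core at this kernel version already understands `%pI4`, which takes a pointer and avoids expanding to four separate arguments, so the line can read `return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);` provided `curr_ip` is a 32-bit network-order value (its type is not visible here; confirm before switching). The output is bounded at 16 bytes either way, so the unbounded `sprintf` into the INF buffer is not a length problem, but a short comment stating that `buffer` is the page-sized INF buffer would make that explicit. The function body's opening brace and closing lines are not shown on this page.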
25691 diff -urNp linux-2.6.31/fs/proc/base.c linux-2.6.31/fs/proc/base.c
25692 --- linux-2.6.31/fs/proc/base.c 2009-08-27 20:59:04.000000000 -0400
25693 +++ linux-2.6.31/fs/proc/base.c 2009-09-06 15:29:12.035224674 -0400
25694 @@ -213,6 +213,9 @@ static int check_mem_permission(struct t
25695 if (task == current)
25698 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
25702 * If current is actively ptrace'ing, and would also be
25703 * permitted to freshly attach with ptrace now, permit it.
25704 @@ -260,6 +263,9 @@ static int proc_pid_cmdline(struct task_
25706 goto out_mm; /* Shh! No looking before we're done */
25708 + if (gr_acl_handle_procpidmem(task))
25711 len = mm->arg_end - mm->arg_start;
25713 if (len > PAGE_SIZE)
25714 @@ -287,12 +293,26 @@ out:
25718 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
25719 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
25720 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
25721 + _mm->pax_flags & MF_PAX_SEGMEXEC))
25724 static int proc_pid_auxv(struct task_struct *task, char *buffer)
25727 struct mm_struct *mm = get_task_mm(task);
25729 unsigned int nwords = 0;
25731 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
25732 + if (PAX_RAND_FLAGS(mm)) {
25740 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
25741 @@ -328,7 +348,7 @@ static int proc_pid_wchan(struct task_st
25743 #endif /* CONFIG_KALLSYMS */
25745 -#ifdef CONFIG_STACKTRACE
25746 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
25748 #define MAX_STACK_TRACE_DEPTH 64
25750 @@ -521,7 +541,7 @@ static int proc_pid_limits(struct task_s
25754 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
25755 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
25756 static int proc_pid_syscall(struct task_struct *task, char *buffer)
25759 @@ -935,6 +955,9 @@ static ssize_t environ_read(struct file
25763 + if (gr_acl_handle_procpidmem(task))
25766 if (!ptrace_may_access(task, PTRACE_MODE_READ))
25769 @@ -1438,7 +1461,11 @@ static struct inode *proc_pid_make_inode
25771 cred = __task_cred(task);
25772 inode->i_uid = cred->euid;
25773 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
25774 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
25776 inode->i_gid = cred->egid;
25780 security_task_to_inode(task, inode);
25781 @@ -1456,6 +1483,9 @@ static int pid_getattr(struct vfsmount *
25782 struct inode *inode = dentry->d_inode;
25783 struct task_struct *task;
25784 const struct cred *cred;
25785 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
25786 + const struct cred *tmpcred = current_cred();
25789 generic_fillattr(inode, stat);
25791 @@ -1463,12 +1493,34 @@ static int pid_getattr(struct vfsmount *
25794 task = pid_task(proc_pid(inode), PIDTYPE_PID);
25796 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
25797 + rcu_read_unlock();
25802 + cred = __task_cred(task);
25803 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
25804 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
25805 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
25806 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
25810 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
25811 +#ifdef CONFIG_GRKERNSEC_PROC_USER
25812 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
25813 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
25814 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
25816 task_dumpable(task)) {
25817 - cred = __task_cred(task);
25818 stat->uid = cred->euid;
25819 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
25820 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
25822 stat->gid = cred->egid;
25827 @@ -1500,11 +1552,20 @@ static int pid_revalidate(struct dentry
25830 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
25831 +#ifdef CONFIG_GRKERNSEC_PROC_USER
25832 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
25833 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
25834 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
25836 task_dumpable(task)) {
25838 cred = __task_cred(task);
25839 inode->i_uid = cred->euid;
25840 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
25841 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
25843 inode->i_gid = cred->egid;
25848 @@ -1625,7 +1686,8 @@ static int proc_fd_info(struct inode *in
25849 int fd = proc_fd(inode);
25852 - files = get_files_struct(task);
25853 + if (!gr_acl_handle_procpidmem(task))
25854 + files = get_files_struct(task);
25855 put_task_struct(task);
25858 @@ -1877,12 +1939,22 @@ static const struct file_operations proc
25859 static int proc_fd_permission(struct inode *inode, int mask)
25862 + struct task_struct *task;
25864 rv = generic_permission(inode, mask, NULL);
25868 if (task_pid(current) == proc_pid(inode))
25871 + task = get_proc_task(inode);
25872 + if (task == NULL)
25875 + if (gr_acl_handle_procpidmem(task))
25878 + put_task_struct(task);
25883 @@ -1991,6 +2063,9 @@ static struct dentry *proc_pident_lookup
25887 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
25891 * Yes, it does not scale. And it should not. Don't add
25892 * new entries into /proc/<tgid>/ without very good reasons.
25893 @@ -2035,6 +2110,9 @@ static int proc_pident_readdir(struct fi
25897 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
25903 @@ -2401,6 +2479,9 @@ static struct dentry *proc_base_lookup(s
25907 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
25910 error = proc_base_instantiate(dir, dentry, task, p);
25913 @@ -2487,7 +2568,7 @@ static const struct pid_entry tgid_base_
25914 #ifdef CONFIG_SCHED_DEBUG
25915 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
25917 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
25918 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
25919 INF("syscall", S_IRUSR, proc_pid_syscall),
25921 INF("cmdline", S_IRUGO, proc_pid_cmdline),
25922 @@ -2515,7 +2596,7 @@ static const struct pid_entry tgid_base_
25923 #ifdef CONFIG_KALLSYMS
25924 INF("wchan", S_IRUGO, proc_pid_wchan),
25926 -#ifdef CONFIG_STACKTRACE
25927 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
25928 ONE("stack", S_IRUSR, proc_pid_stack),
25930 #ifdef CONFIG_SCHEDSTATS
25931 @@ -2545,6 +2626,9 @@ static const struct pid_entry tgid_base_
25932 #ifdef CONFIG_TASK_IO_ACCOUNTING
25933 INF("io", S_IRUGO, proc_tgid_io_accounting),
25935 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
25936 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
25938 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
25941 @@ -2674,7 +2758,14 @@ static struct dentry *proc_pid_instantia
25945 +#ifdef CONFIG_GRKERNSEC_PROC_USER
25946 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
25947 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
25948 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
25949 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
25951 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
25953 inode->i_op = &proc_tgid_base_inode_operations;
25954 inode->i_fop = &proc_tgid_base_operations;
25955 inode->i_flags|=S_IMMUTABLE;
25956 @@ -2716,7 +2807,11 @@ struct dentry *proc_pid_lookup(struct in
25960 + if (gr_check_hidden_task(task))
25961 + goto out_put_task;
25963 result = proc_pid_instantiate(dir, dentry, task, NULL);
25965 put_task_struct(task);
25968 @@ -2781,6 +2876,10 @@ int proc_pid_readdir(struct file * filp,
25970 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
25971 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
25972 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
25973 + const struct cred *tmpcred = current_cred();
25974 + const struct cred *itercred;
25976 struct tgid_iter iter;
25977 struct pid_namespace *ns;
25979 @@ -2799,6 +2898,20 @@ int proc_pid_readdir(struct file * filp,
25980 for (iter = next_tgid(ns, iter);
25982 iter.tgid += 1, iter = next_tgid(ns, iter)) {
25983 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
25984 + itercred = __task_cred(iter.task);
25986 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
25987 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
25988 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
25989 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
25990 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
25997 filp->f_pos = iter.tgid + TGID_OFFSET;
25998 if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
25999 put_task_struct(iter.task);
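Review bot: `itercred = __task_cred(iter.task);` dereferences `real_cred` outside any RCU read-side critical section that is visible in this hunk; `__task_cred()` is documented as requiring `rcu_read_lock()`, and the iterator hands back a task reference, not an RCU-protected view of its credentials. The uid comparison only needs the value, so `task_cred_xxx(iter.task, uid)`, which takes the RCU lock internally, would replace both the `itercred` assignment and its use, and the `itercred` local could then go. If the loop is in fact under rcu_read_lock() via code outside the hunk, a comment saying so at the declaration would settle it.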
26000 @@ -2826,7 +2939,7 @@ static const struct pid_entry tid_base_s
26001 #ifdef CONFIG_SCHED_DEBUG
26002 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
26004 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
26005 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
26006 INF("syscall", S_IRUSR, proc_pid_syscall),
26008 INF("cmdline", S_IRUGO, proc_pid_cmdline),
26009 @@ -2853,7 +2966,7 @@ static const struct pid_entry tid_base_s
26010 #ifdef CONFIG_KALLSYMS
26011 INF("wchan", S_IRUGO, proc_pid_wchan),
26013 -#ifdef CONFIG_STACKTRACE
26014 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
26015 ONE("stack", S_IRUSR, proc_pid_stack),
26017 #ifdef CONFIG_SCHEDSTATS
26018 diff -urNp linux-2.6.31/fs/proc/cmdline.c linux-2.6.31/fs/proc/cmdline.c
26019 --- linux-2.6.31/fs/proc/cmdline.c 2009-08-27 20:59:04.000000000 -0400
26020 +++ linux-2.6.31/fs/proc/cmdline.c 2009-09-06 15:29:12.035224674 -0400
26021 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
26023 static int __init proc_cmdline_init(void)
26025 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
26026 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
26028 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
26032 module_init(proc_cmdline_init);
26033 diff -urNp linux-2.6.31/fs/proc/devices.c linux-2.6.31/fs/proc/devices.c
26034 --- linux-2.6.31/fs/proc/devices.c 2009-08-27 20:59:04.000000000 -0400
26035 +++ linux-2.6.31/fs/proc/devices.c 2009-09-06 15:29:12.035959231 -0400
26036 @@ -64,7 +64,11 @@ static const struct file_operations proc
26038 static int __init proc_devices_init(void)
26040 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
26041 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
26043 proc_create("devices", 0, NULL, &proc_devinfo_operations);
26047 module_init(proc_devices_init);
26048 diff -urNp linux-2.6.31/fs/proc/inode.c linux-2.6.31/fs/proc/inode.c
26049 --- linux-2.6.31/fs/proc/inode.c 2009-08-27 20:59:04.000000000 -0400
26050 +++ linux-2.6.31/fs/proc/inode.c 2009-09-06 15:29:12.035959231 -0400
26051 @@ -457,7 +457,11 @@ struct inode *proc_get_inode(struct supe
26053 inode->i_mode = de->mode;
26054 inode->i_uid = de->uid;
26055 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
26056 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
26058 inode->i_gid = de->gid;
26062 inode->i_size = de->size;
26063 diff -urNp linux-2.6.31/fs/proc/internal.h linux-2.6.31/fs/proc/internal.h
26064 --- linux-2.6.31/fs/proc/internal.h 2009-08-27 20:59:04.000000000 -0400
26065 +++ linux-2.6.31/fs/proc/internal.h 2009-09-06 15:29:12.035959231 -0400
26066 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
26067 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
26068 struct pid *pid, struct task_struct *task);
26070 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
26071 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
26073 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
26075 extern const struct file_operations proc_maps_operations;
26076 diff -urNp linux-2.6.31/fs/proc/Kconfig linux-2.6.31/fs/proc/Kconfig
26077 --- linux-2.6.31/fs/proc/Kconfig 2009-08-27 20:59:04.000000000 -0400
26078 +++ linux-2.6.31/fs/proc/Kconfig 2009-09-06 15:29:12.035959231 -0400
26079 @@ -30,12 +30,12 @@ config PROC_FS
26082 bool "/proc/kcore support" if !ARM
26083 - depends on PROC_FS && MMU
26084 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
26087 bool "/proc/vmcore support (EXPERIMENTAL)"
26088 - depends on PROC_FS && CRASH_DUMP
26090 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
26093 Exports the dump image of crashed kernel in ELF format.
26095 @@ -59,8 +59,8 @@ config PROC_SYSCTL
26098 config PROC_PAGE_MONITOR
26100 - depends on PROC_FS && MMU
26102 + depends on PROC_FS && MMU && !GRKERNSEC
26103 bool "Enable /proc page monitoring" if EMBEDDED
26105 Various /proc files exist to monitor process memory utilization:
26106 diff -urNp linux-2.6.31/fs/proc/kcore.c linux-2.6.31/fs/proc/kcore.c
26107 --- linux-2.6.31/fs/proc/kcore.c 2009-08-27 20:59:04.000000000 -0400
26108 +++ linux-2.6.31/fs/proc/kcore.c 2009-09-06 15:29:12.037021785 -0400
26109 @@ -404,10 +404,12 @@ read_kcore(struct file *file, char __use
26111 static int __init proc_kcore_init(void)
26113 +#if !defined(CONFIG_GRKERNSEC_PROC_ADD) && !defined(CONFIG_GRKERNSEC_HIDESYM)
26114 proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations);
26115 if (proc_root_kcore)
26116 proc_root_kcore->size =
26117 (size_t)high_memory - PAGE_OFFSET + PAGE_SIZE;
26121 module_init(proc_kcore_init);
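Review bot: The guard here disables kcore registration when either `CONFIG_GRKERNSEC_PROC_ADD` or `CONFIG_GRKERNSEC_HIDESYM` is set, but the PROC_KCORE entry in the fs/proc/Kconfig hunk only adds `!GRKERNSEC_PROC_ADD`; with HIDESYM alone the file is still built and `proc_kcore_init` becomes a no-op that still registers as an initcall. Aligning Kconfig, `depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD && !GRKERNSEC_HIDESYM`, would keep the object out of the build entirely and make the `#if` in this file redundant. The closing `#endif` and return of `proc_kcore_init` are not shown on this page.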
26122 diff -urNp linux-2.6.31/fs/proc/nommu.c linux-2.6.31/fs/proc/nommu.c
26123 --- linux-2.6.31/fs/proc/nommu.c 2009-08-27 20:59:04.000000000 -0400
26124 +++ linux-2.6.31/fs/proc/nommu.c 2009-09-06 15:29:12.037021785 -0400
26125 @@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
26128 seq_printf(m, "%*c", len, ' ');
26129 - seq_path(m, &file->f_path, "");
26130 + seq_path(m, &file->f_path, "\n\\");
26134 @@ -109,7 +109,7 @@ static void *nommu_region_list_next(stru
26135 return rb_next((struct rb_node *) v);
26138 -static struct seq_operations proc_nommu_region_list_seqop = {
26139 +static const struct seq_operations proc_nommu_region_list_seqop = {
26140 .start = nommu_region_list_start,
26141 .next = nommu_region_list_next,
26142 .stop = nommu_region_list_stop,
26143 diff -urNp linux-2.6.31/fs/proc/proc_net.c linux-2.6.31/fs/proc/proc_net.c
26144 --- linux-2.6.31/fs/proc/proc_net.c 2009-08-27 20:59:04.000000000 -0400
26145 +++ linux-2.6.31/fs/proc/proc_net.c 2009-09-06 15:29:12.037021785 -0400
26146 @@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
26147 struct task_struct *task;
26148 struct nsproxy *ns;
26149 struct net *net = NULL;
26150 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
26151 + const struct cred *cred = current_cred();
26154 +#ifdef CONFIG_GRKERNSEC_PROC_USER
26157 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
26158 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
26163 task = pid_task(proc_pid(dir), PIDTYPE_PID);
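Review bot: The privilege test here keys on `cred->fsuid`, while the equivalent tests added to fs/proc/base.c (pid_getattr and proc_pid_readdir) key on `tmpcred->uid`; for a setfsuid caller these give different answers, so the same directory can be visible through one path and hidden through another. Pick one field for all three sites; `fsuid` is what `generic_permission` uses for filesystem access and is the better match for a /proc visibility check, so the base.c sites would change to `tmpcred->fsuid`. The lines between the `#ifdef CONFIG_GRKERNSEC_PROC_USER` branch and the `#elif` are not shown on this page, so the PROC_USER variant could not be checked.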
26164 diff -urNp linux-2.6.31/fs/proc/proc_sysctl.c linux-2.6.31/fs/proc/proc_sysctl.c
26165 --- linux-2.6.31/fs/proc/proc_sysctl.c 2009-08-27 20:59:04.000000000 -0400
26166 +++ linux-2.6.31/fs/proc/proc_sysctl.c 2009-09-06 15:29:12.037021785 -0400
26168 #include <linux/security.h>
26169 #include "internal.h"
26171 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
26173 static const struct dentry_operations proc_sys_dentry_operations;
26174 static const struct file_operations proc_sys_file_operations;
26175 static const struct inode_operations proc_sys_inode_operations;
26176 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
26180 + if (gr_handle_sysctl(p, MAY_EXEC))
26183 err = ERR_PTR(-ENOMEM);
26184 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
26186 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
26187 if (*pos < file->f_pos)
26190 + if (gr_handle_sysctl(table, 0))
26193 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
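Review bot: `gr_handle_sysctl(table, 0)` passes a bare 0 as the operation where the lookup and getattr hunks in this file pass `MAY_EXEC`; if 0 is meant as "visibility only, no access", a named constant or a short comment would make that explicit, for example `if (gr_handle_sysctl(table, 0)) /* 0: visibility check only */`. The declaration of `gr_handle_sysctl` takes `const int op`, so a symbolic value would type-check identically. The enclosing `scan()` continues outside the hunk.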
26196 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
26198 return PTR_ERR(head);
26200 + if (table && gr_handle_sysctl(table, MAY_EXEC))
26203 generic_fillattr(inode, stat);
26205 stat->mode = (stat->mode & S_IFMT) | table->mode;
26206 diff -urNp linux-2.6.31/fs/proc/root.c linux-2.6.31/fs/proc/root.c
26207 --- linux-2.6.31/fs/proc/root.c 2009-08-27 20:59:04.000000000 -0400
26208 +++ linux-2.6.31/fs/proc/root.c 2009-09-06 15:29:12.038141970 -0400
26209 @@ -101,6 +101,11 @@ static struct file_system_type proc_fs_t
26210 .kill_sb = proc_kill_sb,
26213 +#ifdef CONFIG_GRKERNSEC_HIDESYM
26214 +static const struct file_operations __kallsyms_operations = {
26218 void __init proc_root_init(void)
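Review bot: `__kallsyms_operations` starts with a double underscore, which C reserves for the implementation at any scope; a file-local name such as `static const struct file_operations kallsyms_fake_operations = {` avoids the clash and also says what the object is for. The same identifier is used by the `proc_create("kallsyms", ...)` call in the next hunk of this file, so both sites change together. The initialiser body between the opening brace and `#endif` is not shown on this page.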
26221 @@ -134,9 +139,22 @@ void __init proc_root_init(void)
26222 #ifdef CONFIG_PROC_DEVICETREE
26223 proc_device_tree_init();
26225 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
26226 +#ifdef CONFIG_GRKERNSEC_PROC_USER
26227 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
26228 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
26229 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
26232 proc_mkdir("bus", NULL);
26237 +#ifdef CONFIG_GRKERNSEC_HIDESYM
26238 + /* fake kallsyms to workaround klogd bug */
26239 + proc_create("kallsyms", 0444, NULL, &__kallsyms_operations);
26243 static int proc_root_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat
26244 diff -urNp linux-2.6.31/fs/proc/task_mmu.c linux-2.6.31/fs/proc/task_mmu.c
26245 --- linux-2.6.31/fs/proc/task_mmu.c 2009-08-27 20:59:04.000000000 -0400
26246 +++ linux-2.6.31/fs/proc/task_mmu.c 2009-09-06 15:29:12.038141970 -0400
26247 @@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
26248 "VmStk:\t%8lu kB\n"
26249 "VmExe:\t%8lu kB\n"
26250 "VmLib:\t%8lu kB\n"
26251 - "VmPTE:\t%8lu kB\n",
26252 - hiwater_vm << (PAGE_SHIFT-10),
26253 + "VmPTE:\t%8lu kB\n"
26255 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
26256 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
26259 + ,hiwater_vm << (PAGE_SHIFT-10),
26260 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
26261 mm->locked_vm << (PAGE_SHIFT-10),
26262 hiwater_rss << (PAGE_SHIFT-10),
26263 total_rss << (PAGE_SHIFT-10),
26264 data << (PAGE_SHIFT-10),
26265 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
26266 - (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
26267 + (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
26269 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
26270 + , mm->context.user_cs_base, mm->context.user_cs_limit
26276 unsigned long task_vsize(struct mm_struct *mm)
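Review bot: Splicing `#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT` into the middle of a single seq_printf forces the leading-comma continuation `,hiwater_vm << ...` and a second `#ifdef` inside the argument list, which is hard to read and easy to get wrong when the format is next edited. The original seq_printf can stay untouched and the extra fields go in their own call after it: `#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT` / `seq_printf(m, "CsBase:\t%8lx\nCsLim:\t%8lx\n", mm->context.user_cs_base, mm->context.user_cs_limit);` / `#endif`. Output is identical since the block ends the existing string. The start of task_mem is outside the hunk.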
26277 @@ -199,6 +210,12 @@ static int do_maps_open(struct inode *in
26281 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
26282 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
26283 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
26284 + _mm->pax_flags & MF_PAX_SEGMEXEC))
26287 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
26289 struct mm_struct *mm = vma->vm_mm;
26290 @@ -217,13 +234,22 @@ static void show_map_vma(struct seq_file
26293 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
26294 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
26295 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
26296 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
26301 flags & VM_READ ? 'r' : '-',
26302 flags & VM_WRITE ? 'w' : '-',
26303 flags & VM_EXEC ? 'x' : '-',
26304 flags & VM_MAYSHARE ? 's' : 'p',
26305 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
26306 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
26310 MAJOR(dev), MINOR(dev), ino, &len);
26313 @@ -232,16 +258,16 @@ static void show_map_vma(struct seq_file
26316 pad_len_spaces(m, len);
26317 - seq_path(m, &file->f_path, "\n");
26318 + seq_path(m, &file->f_path, "\n\\");
26320 const char *name = arch_vma_name(vma);
26323 - if (vma->vm_start <= mm->start_brk &&
26324 - vma->vm_end >= mm->brk) {
26325 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
26327 - } else if (vma->vm_start <= mm->start_stack &&
26328 - vma->vm_end >= mm->start_stack) {
26329 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
26330 + (vma->vm_start <= mm->start_stack &&
26331 + vma->vm_end >= mm->start_stack)) {
26335 @@ -384,9 +410,16 @@ static int show_smap(struct seq_file *m,
26338 memset(&mss, 0, sizeof mss);
26340 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
26341 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
26343 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
26344 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
26347 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
26348 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
26349 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
26353 show_map_vma(m, vma);
26355 @@ -402,7 +435,11 @@ static int show_smap(struct seq_file *m,
26357 "KernelPageSize: %8lu kB\n"
26358 "MMUPageSize: %8lu kB\n",
26359 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
26360 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
26362 (vma->vm_end - vma->vm_start) >> 10,
26364 mss.resident >> 10,
26365 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
26366 mss.shared_clean >> 10,
26367 diff -urNp linux-2.6.31/fs/proc/task_nommu.c linux-2.6.31/fs/proc/task_nommu.c
26368 --- linux-2.6.31/fs/proc/task_nommu.c 2009-08-27 20:59:04.000000000 -0400
26369 +++ linux-2.6.31/fs/proc/task_nommu.c 2009-09-06 15:29:12.038141970 -0400
26370 @@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
26372 bytes += kobjsize(mm);
26374 - if (current->fs && current->fs->users > 1)
26375 + if (current->fs && atomic_read(¤t->fs->users) > 1)
26376 sbytes += kobjsize(current->fs);
26378 bytes += kobjsize(current->fs);
26379 @@ -154,7 +154,7 @@ static int nommu_vma_show(struct seq_fil
26382 seq_printf(m, "%*c", len, ' ');
26383 - seq_path(m, &file->f_path, "");
26384 + seq_path(m, &file->f_path, "\n\\");
26388 diff -urNp linux-2.6.31/fs/readdir.c linux-2.6.31/fs/readdir.c
26389 --- linux-2.6.31/fs/readdir.c 2009-08-27 20:59:04.000000000 -0400
26390 +++ linux-2.6.31/fs/readdir.c 2009-09-06 15:29:12.039050857 -0400
26392 #include <linux/security.h>
26393 #include <linux/syscalls.h>
26394 #include <linux/unistd.h>
26395 +#include <linux/namei.h>
26397 #include <asm/uaccess.h>
26399 @@ -67,6 +68,7 @@ struct old_linux_dirent {
26401 struct readdir_callback {
26402 struct old_linux_dirent __user * dirent;
26403 + struct file * file;
26407 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
26408 buf->result = -EOVERFLOW;
26412 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
26416 dirent = buf->dirent;
26417 if (!access_ok(VERIFY_WRITE, dirent,
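Review bot: The hook at 26412 reads `buf->file`, a new member of a stack-allocated callback struct, but the store `buf.file = file;` is not visible in any of the syscall-side hunks (26418–26424, 26445–26451, 26472–26475); each of them adds exactly one line, so it is presumably that store, but confirm, since an unset member would hand an indeterminate pointer to gr_acl_handle_filldir. The same applies to filldir at 26439 and filldir64 at 26466, and in all three the statement executed when the hook refuses is likewise not visible here (presumably `return 0;`, which skips the entry without an error). Minor style point: the new member is declared `struct file * file;` in the first two structs and `struct file *file;` in the third. fillonedir starts outside the hunk.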
26418 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
26421 buf.dirent = dirent;
26424 error = vfs_readdir(file, fillonedir, &buf);
26426 @@ -142,6 +149,7 @@ struct linux_dirent {
26427 struct getdents_callback {
26428 struct linux_dirent __user * current_dir;
26429 struct linux_dirent __user * previous;
26430 + struct file * file;
26434 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
26435 buf->error = -EOVERFLOW;
26439 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
26442 dirent = buf->previous;
26444 if (__put_user(offset, &dirent->d_off))
26445 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
26446 buf.previous = NULL;
26451 error = vfs_readdir(file, filldir, &buf);
26453 @@ -228,6 +241,7 @@ out:
26454 struct getdents_callback64 {
26455 struct linux_dirent64 __user * current_dir;
26456 struct linux_dirent64 __user * previous;
26457 + struct file *file;
26461 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
26462 buf->error = -EINVAL; /* only used if we fail.. */
26463 if (reclen > buf->count)
26466 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
26469 dirent = buf->previous;
26471 if (__put_user(offset, &dirent->d_off))
26472 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
26474 buf.current_dir = dirent;
26475 buf.previous = NULL;
26480 diff -urNp linux-2.6.31/fs/reiserfs/do_balan.c linux-2.6.31/fs/reiserfs/do_balan.c
26481 --- linux-2.6.31/fs/reiserfs/do_balan.c 2009-08-27 20:59:04.000000000 -0400
26482 +++ linux-2.6.31/fs/reiserfs/do_balan.c 2009-09-06 15:29:12.039050857 -0400
26483 @@ -2058,7 +2058,7 @@ void do_balance(struct tree_balance *tb,
26487 - atomic_inc(&(fs_generation(tb->tb_sb)));
26488 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
26489 do_balance_starts(tb);
26491 /* balance leaf returns 0 except if combining L R and S into
26492 diff -urNp linux-2.6.31/fs/reiserfs/procfs.c linux-2.6.31/fs/reiserfs/procfs.c
26493 --- linux-2.6.31/fs/reiserfs/procfs.c 2009-08-27 20:59:04.000000000 -0400
26494 +++ linux-2.6.31/fs/reiserfs/procfs.c 2009-09-06 15:29:12.040124576 -0400
26495 @@ -123,7 +123,7 @@ static int show_super(struct seq_file *m
26496 "SMALL_TAILS " : "NO_TAILS ",
26497 replay_only(sb) ? "REPLAY_ONLY " : "",
26498 convert_reiserfs(sb) ? "CONV " : "",
26499 - atomic_read(&r->s_generation_counter),
26500 + atomic_read_unchecked(&r->s_generation_counter),
26501 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
26502 SF(s_do_balance), SF(s_unneeded_left_neighbor),
26503 SF(s_good_search_by_key_reada), SF(s_bmaps),
26504 diff -urNp linux-2.6.31/fs/romfs/super.c linux-2.6.31/fs/romfs/super.c
26505 --- linux-2.6.31/fs/romfs/super.c 2009-08-27 20:59:04.000000000 -0400
26506 +++ linux-2.6.31/fs/romfs/super.c 2009-09-06 15:29:12.040124576 -0400
26507 @@ -284,7 +284,7 @@ static const struct file_operations romf
26508 .readdir = romfs_readdir,
26511 -static struct inode_operations romfs_dir_inode_operations = {
26512 +static const struct inode_operations romfs_dir_inode_operations = {
26513 .lookup = romfs_lookup,
26516 diff -urNp linux-2.6.31/fs/select.c linux-2.6.31/fs/select.c
26517 --- linux-2.6.31/fs/select.c 2009-08-27 20:59:04.000000000 -0400
26518 +++ linux-2.6.31/fs/select.c 2009-09-06 15:29:12.040124576 -0400
26520 #include <linux/module.h>
26521 #include <linux/slab.h>
26522 #include <linux/poll.h>
26523 +#include <linux/security.h>
26524 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
26525 #include <linux/file.h>
26526 #include <linux/fdtable.h>
26527 @@ -814,6 +815,7 @@ int do_sys_poll(struct pollfd __user *uf
26528 struct poll_list *walk = head;
26529 unsigned long todo = nfds;
26531 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
26532 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
26535 diff -urNp linux-2.6.31/fs/seq_file.c linux-2.6.31/fs/seq_file.c
26536 --- linux-2.6.31/fs/seq_file.c 2009-08-27 20:59:04.000000000 -0400
26537 +++ linux-2.6.31/fs/seq_file.c 2009-09-06 15:29:12.041122754 -0400
26538 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
26542 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
26543 + m->size = PAGE_SIZE;
26544 + m->buf = kmalloc(m->size, GFP_KERNEL);
26548 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
26552 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
26554 + m->buf = kmalloc(m->size, GFP_KERNEL);
26555 return !m->buf ? -ENOMEM : -EAGAIN;
26558 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
26559 m->version = file->f_version;
26560 /* grab buffer if we didn't have one */
26562 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
26563 + m->size = PAGE_SIZE;
26564 + m->buf = kmalloc(m->size, GFP_KERNEL);
26568 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
26572 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
26574 + m->buf = kmalloc(m->size, GFP_KERNEL);
26578 diff -urNp linux-2.6.31/fs/smbfs/symlink.c linux-2.6.31/fs/smbfs/symlink.c
26579 --- linux-2.6.31/fs/smbfs/symlink.c 2009-08-27 20:59:04.000000000 -0400
26580 +++ linux-2.6.31/fs/smbfs/symlink.c 2009-09-06 15:29:12.041122754 -0400
26581 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
26583 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
26585 - char *s = nd_get_link(nd);
26586 + const char *s = nd_get_link(nd);
26590 diff -urNp linux-2.6.31/fs/squashfs/super.c linux-2.6.31/fs/squashfs/super.c
26591 --- linux-2.6.31/fs/squashfs/super.c 2009-08-27 20:59:04.000000000 -0400
26592 +++ linux-2.6.31/fs/squashfs/super.c 2009-09-06 15:29:12.041122754 -0400
26594 #include "squashfs.h"
26596 static struct file_system_type squashfs_fs_type;
26597 -static struct super_operations squashfs_super_ops;
26598 +static const struct super_operations squashfs_super_ops;
26600 static int supported_squashfs_filesystem(short major, short minor, short comp)
26602 @@ -444,7 +444,7 @@ static struct file_system_type squashfs_
26603 .fs_flags = FS_REQUIRES_DEV
26606 -static struct super_operations squashfs_super_ops = {
26607 +static const struct super_operations squashfs_super_ops = {
26608 .alloc_inode = squashfs_alloc_inode,
26609 .destroy_inode = squashfs_destroy_inode,
26610 .statfs = squashfs_statfs,
26611 diff -urNp linux-2.6.31/fs/sysfs/bin.c linux-2.6.31/fs/sysfs/bin.c
26612 --- linux-2.6.31/fs/sysfs/bin.c 2009-08-27 20:59:04.000000000 -0400
26613 +++ linux-2.6.31/fs/sysfs/bin.c 2009-09-06 15:29:12.041122754 -0400
26614 @@ -40,7 +40,7 @@ struct bin_buffer {
26615 struct mutex mutex;
26618 - struct vm_operations_struct *vm_ops;
26619 + const struct vm_operations_struct *vm_ops;
26621 struct hlist_node list;
26623 @@ -331,7 +331,7 @@ static int bin_migrate(struct vm_area_st
26627 -static struct vm_operations_struct bin_vm_ops = {
26628 +static const struct vm_operations_struct bin_vm_ops = {
26629 .open = bin_vma_open,
26630 .close = bin_vma_close,
26631 .fault = bin_fault,
26632 diff -urNp linux-2.6.31/fs/sysfs/symlink.c linux-2.6.31/fs/sysfs/symlink.c
26633 --- linux-2.6.31/fs/sysfs/symlink.c 2009-08-27 20:59:04.000000000 -0400
26634 +++ linux-2.6.31/fs/sysfs/symlink.c 2009-09-06 15:29:12.042086395 -0400
26635 @@ -203,7 +203,7 @@ static void *sysfs_follow_link(struct de
26637 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
26639 - char *page = nd_get_link(nd);
26640 + const char *page = nd_get_link(nd);
26642 free_page((unsigned long)page);
26644 diff -urNp linux-2.6.31/fs/ubifs/file.c linux-2.6.31/fs/ubifs/file.c
26645 --- linux-2.6.31/fs/ubifs/file.c 2009-08-27 20:59:04.000000000 -0400
26646 +++ linux-2.6.31/fs/ubifs/file.c 2009-09-06 15:29:12.042086395 -0400
26647 @@ -1536,7 +1536,7 @@ out_unlock:
26651 -static struct vm_operations_struct ubifs_file_vm_ops = {
26652 +static const struct vm_operations_struct ubifs_file_vm_ops = {
26653 .fault = filemap_fault,
26654 .page_mkwrite = ubifs_vm_page_mkwrite,
26656 diff -urNp linux-2.6.31/fs/udf/balloc.c linux-2.6.31/fs/udf/balloc.c
26657 --- linux-2.6.31/fs/udf/balloc.c 2009-08-27 20:59:04.000000000 -0400
26658 +++ linux-2.6.31/fs/udf/balloc.c 2009-09-06 15:29:12.042911894 -0400
26659 @@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
26661 mutex_lock(&sbi->s_alloc_mutex);
26662 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
26663 - if (bloc->logicalBlockNum < 0 ||
26664 - (bloc->logicalBlockNum + count) >
26665 - partmap->s_partition_len) {
26666 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
26667 udf_debug("%d < %d || %d + %d > %d\n",
26668 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
26669 count, partmap->s_partition_len);
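Review bot: The udf_debug message at 26667 still describes the removed `< 0` test, printing `%d < %d ||` with a literal 0, so it no longer matches the condition; `udf_debug("%d + %d > %d\n", bloc->logicalBlockNum, count, partmap->s_partition_len);` would. The same applies to the second hunk (26677–26680), whose message also reads `bloc.logicalBlockNum` while the condition uses `bloc->`, which presumably only compiles because udf_debug is compiled out by default. Separately, if `logicalBlockNum` and `count` are 32-bit unsigned, the remaining test `(bloc->logicalBlockNum + count) > partmap->s_partition_len` can wrap and pass for an oversized count read from the medium; `bloc->logicalBlockNum > partmap->s_partition_len || count > partmap->s_partition_len - bloc->logicalBlockNum` avoids that. udf_bitmap_free_blocks starts and ends outside the hunk.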
26670 @@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
26672 mutex_lock(&sbi->s_alloc_mutex);
26673 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
26674 - if (bloc->logicalBlockNum < 0 ||
26675 - (bloc->logicalBlockNum + count) >
26676 - partmap->s_partition_len) {
26677 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
26678 udf_debug("%d < %d || %d + %d > %d\n",
26679 bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
26680 partmap->s_partition_len);
26681 diff -urNp linux-2.6.31/fs/utimes.c linux-2.6.31/fs/utimes.c
26682 --- linux-2.6.31/fs/utimes.c 2009-08-27 20:59:04.000000000 -0400
26683 +++ linux-2.6.31/fs/utimes.c 2009-09-06 15:29:12.042911894 -0400
26685 #include <linux/compiler.h>
26686 #include <linux/file.h>
26687 #include <linux/fs.h>
26688 +#include <linux/security.h>
26689 #include <linux/linkage.h>
26690 #include <linux/mount.h>
26691 #include <linux/namei.h>
26692 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
26693 goto mnt_drop_write_and_out;
26697 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
26699 + goto mnt_drop_write_and_out;
26702 mutex_lock(&inode->i_mutex);
26703 error = notify_change(path->dentry, &newattrs);
26704 mutex_unlock(&inode->i_mutex);
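Review bot: The denial branch added at 26697 jumps to mnt_drop_write_and_out, but the statement between the `if` and the `goto` (26698) is not visible in this view; it must set `error` to a denial code, e.g. `error = -EACCES;`, because at this point `error` presumably still holds the 0 returned by the earlier mnt_want_write and the jump would otherwise report the refused utime as success. The check sits immediately before the i_mutex section, so no lock is held across the early exit. utimes_common starts and ends outside the hunk.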
26705 diff -urNp linux-2.6.31/fs/xfs/linux-2.6/xfs_file.c linux-2.6.31/fs/xfs/linux-2.6/xfs_file.c
26706 --- linux-2.6.31/fs/xfs/linux-2.6/xfs_file.c 2009-08-27 20:59:04.000000000 -0400
26707 +++ linux-2.6.31/fs/xfs/linux-2.6/xfs_file.c 2009-09-06 15:29:12.044035344 -0400
26710 #include <linux/dcache.h>
26712 -static struct vm_operations_struct xfs_file_vm_ops;
26713 +static const struct vm_operations_struct xfs_file_vm_ops;
26717 @@ -271,7 +271,7 @@ const struct file_operations xfs_dir_fil
26718 .fsync = xfs_file_fsync,
26721 -static struct vm_operations_struct xfs_file_vm_ops = {
26722 +static const struct vm_operations_struct xfs_file_vm_ops = {
26723 .fault = filemap_fault,
26724 .page_mkwrite = xfs_vm_page_mkwrite,
26726 diff -urNp linux-2.6.31/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.31/fs/xfs/linux-2.6/xfs_iops.c
26727 --- linux-2.6.31/fs/xfs/linux-2.6/xfs_iops.c 2009-08-27 20:59:04.000000000 -0400
26728 +++ linux-2.6.31/fs/xfs/linux-2.6/xfs_iops.c 2009-09-06 15:29:12.044035344 -0400
26729 @@ -478,7 +478,7 @@ xfs_vn_put_link(
26730 struct nameidata *nd,
26733 - char *s = nd_get_link(nd);
26734 + const char *s = nd_get_link(nd);
26738 diff -urNp linux-2.6.31/fs/xfs/linux-2.6/xfs_super.c linux-2.6.31/fs/xfs/linux-2.6/xfs_super.c
26739 --- linux-2.6.31/fs/xfs/linux-2.6/xfs_super.c 2009-08-27 20:59:04.000000000 -0400
26740 +++ linux-2.6.31/fs/xfs/linux-2.6/xfs_super.c 2009-09-06 15:29:12.045010894 -0400
26742 #include <linux/freezer.h>
26743 #include <linux/parser.h>
26745 -static struct super_operations xfs_super_operations;
26746 +static const struct super_operations xfs_super_operations;
26747 static kmem_zone_t *xfs_ioend_zone;
26748 mempool_t *xfs_ioend_pool;
26750 @@ -1532,7 +1532,7 @@ xfs_fs_get_sb(
26754 -static struct super_operations xfs_super_operations = {
26755 +static const struct super_operations xfs_super_operations = {
26756 .alloc_inode = xfs_fs_alloc_inode,
26757 .destroy_inode = xfs_fs_destroy_inode,
26758 .write_inode = xfs_fs_write_inode,
26759 diff -urNp linux-2.6.31/fs/xfs/xfs_bmap.c linux-2.6.31/fs/xfs/xfs_bmap.c
26760 --- linux-2.6.31/fs/xfs/xfs_bmap.c 2009-08-27 20:59:04.000000000 -0400
26761 +++ linux-2.6.31/fs/xfs/xfs_bmap.c 2009-09-06 15:29:12.046000132 -0400
26762 @@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
26766 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
26767 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
26770 #if defined(XFS_RW_TRACE)
26771 diff -urNp linux-2.6.31/grsecurity/gracl_alloc.c linux-2.6.31/grsecurity/gracl_alloc.c
26772 --- linux-2.6.31/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
26773 +++ linux-2.6.31/grsecurity/gracl_alloc.c 2009-09-06 15:29:12.046923005 -0400
26775 +#include <linux/kernel.h>
26776 +#include <linux/mm.h>
26777 +#include <linux/slab.h>
26778 +#include <linux/vmalloc.h>
26779 +#include <linux/gracl.h>
26780 +#include <linux/grsecurity.h>
26782 +static unsigned long alloc_stack_next = 1;
26783 +static unsigned long alloc_stack_size = 1;
26784 +static void **alloc_stack;
26786 +static __inline__ int
26789 + if (alloc_stack_next == 1)
26792 + kfree(alloc_stack[alloc_stack_next - 2]);
26794 + alloc_stack_next--;
26799 +static __inline__ int
26800 +alloc_push(void *buf)
26802 + if (alloc_stack_next >= alloc_stack_size)
26805 + alloc_stack[alloc_stack_next - 1] = buf;
26807 + alloc_stack_next++;
26813 +acl_alloc(unsigned long len)
26815 + void *ret = NULL;
26817 + if (!len || len > PAGE_SIZE)
26820 + ret = kmalloc(len, GFP_KERNEL);
26823 + if (alloc_push(ret)) {
26834 +acl_alloc_num(unsigned long num, unsigned long len)
26836 + if (!len || (num > (PAGE_SIZE / len)))
26839 + return acl_alloc(num * len);
26843 +acl_free_all(void)
26845 + if (gr_acl_is_enabled() || !alloc_stack)
26848 + while (alloc_pop()) ;
26850 + if (alloc_stack) {
26851 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
26852 + kfree(alloc_stack);
26854 + vfree(alloc_stack);
26857 + alloc_stack = NULL;
26858 + alloc_stack_size = 1;
26859 + alloc_stack_next = 1;
26865 +acl_alloc_stack_init(unsigned long size)
26867 + if ((size * sizeof (void *)) <= PAGE_SIZE)
26869 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
26871 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
26873 + alloc_stack_size = size;
26875 + if (!alloc_stack)
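Review bot: acl_alloc_stack_init at 26865 multiplies `size * sizeof (void *)` twice without an overflow check and, as far as the visible lines show, neither rejects a call while `alloc_stack` is still live (leaking the old array) nor checks `size` for zero; if `size` is derived from the user-supplied policy, a wrapped product would allocate a small array that alloc_push then treats as `size` entries. A guard at the top, `if (alloc_stack || !size || size > ULONG_MAX / sizeof (void *)) return 0;`, covers all three. Also `alloc_stack_size = size;` at 26873 is stored before the NULL check, so a failed init leaves a nonzero size paired with a NULL stack; assigning it only on success keeps the two consistent. The hunk's `@@` header and several short lines are not visible in this view, so the return values are inferred.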
26880 diff -urNp linux-2.6.31/grsecurity/gracl.c linux-2.6.31/grsecurity/gracl.c
26881 --- linux-2.6.31/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
26882 +++ linux-2.6.31/grsecurity/gracl.c 2009-09-06 17:07:59.499927195 -0400
26884 +#include <linux/kernel.h>
26885 +#include <linux/module.h>
26886 +#include <linux/sched.h>
26887 +#include <linux/mm.h>
26888 +#include <linux/file.h>
26889 +#include <linux/fs.h>
26890 +#include <linux/namei.h>
26891 +#include <linux/mount.h>
26892 +#include <linux/tty.h>
26893 +#include <linux/proc_fs.h>
26894 +#include <linux/smp_lock.h>
26895 +#include <linux/slab.h>
26896 +#include <linux/vmalloc.h>
26897 +#include <linux/types.h>
26898 +#include <linux/sysctl.h>
26899 +#include <linux/netdevice.h>
26900 +#include <linux/ptrace.h>
26901 +#include <linux/gracl.h>
26902 +#include <linux/gralloc.h>
26903 +#include <linux/grsecurity.h>
26904 +#include <linux/grinternal.h>
26905 +#include <linux/pid_namespace.h>
26906 +#include <linux/fdtable.h>
26907 +#include <linux/percpu.h>
26909 +#include <asm/uaccess.h>
26910 +#include <asm/errno.h>
26911 +#include <asm/mman.h>
26913 +static struct acl_role_db acl_role_set;
26914 +static struct name_db name_set;
26915 +static struct inodev_db inodev_set;
26917 +/* for keeping track of userspace pointers used for subjects, so we
26918 + can share references in the kernel as well
26921 +static struct dentry *real_root;
26922 +static struct vfsmount *real_root_mnt;
26924 +static struct acl_subj_map_db subj_map_set;
26926 +static struct acl_role_label *default_role;
26928 +static u16 acl_sp_role_value;
26930 +extern char *gr_shared_page[4];
26931 +static DECLARE_MUTEX(gr_dev_sem);
26932 +DEFINE_RWLOCK(gr_inode_lock);
26934 +struct gr_arg *gr_usermode;
26936 +#ifdef CONFIG_PAX_KERNEXEC
26937 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
26939 +static unsigned int gr_status = GR_STATUS_INIT;
26942 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
26943 +extern void gr_clear_learn_entries(void);
26945 +#ifdef CONFIG_GRKERNSEC_RESLOG
26946 +extern void gr_log_resource(const struct task_struct *task,
26947 + const int res, const unsigned long wanted, const int gt);
26950 +unsigned char *gr_system_salt;
26951 +unsigned char *gr_system_sum;
26953 +static struct sprole_pw **acl_special_roles = NULL;
26954 +static __u16 num_sprole_pws = 0;
26956 +static struct acl_role_label *kernel_role = NULL;
26958 +static unsigned int gr_auth_attempts = 0;
26959 +static unsigned long gr_auth_expires = 0UL;
26961 +extern struct vfsmount *sock_mnt;
26962 +extern struct vfsmount *pipe_mnt;
26963 +extern struct vfsmount *shm_mnt;
26964 +static struct acl_object_label *fakefs_obj;
26966 +extern int gr_init_uidset(void);
26967 +extern void gr_free_uidset(void);
26968 +extern void gr_remove_uid(uid_t uid);
26969 +extern int gr_find_uid(uid_t uid);
26972 +gr_acl_is_enabled(void)
26974 + return (gr_status & GR_READY);
26977 +char gr_roletype_to_char(void)
26979 + switch (current->role->roletype &
26980 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
26981 + GR_ROLE_SPECIAL)) {
26982 + case GR_ROLE_DEFAULT:
26984 + case GR_ROLE_USER:
26986 + case GR_ROLE_GROUP:
26988 + case GR_ROLE_SPECIAL:
26996 +gr_acl_tpe_check(void)
26998 + if (unlikely(!(gr_status & GR_READY)))
27000 + if (current->role->roletype & GR_ROLE_TPE)
27007 +gr_handle_rawio(const struct inode *inode)
27009 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
27010 + if (inode && S_ISBLK(inode->i_mode) &&
27011 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
27012 + !capable(CAP_SYS_RAWIO))
27019 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
27022 + unsigned long *l1;
27023 + unsigned long *l2;
27024 + unsigned char *c1;
27025 + unsigned char *c2;
27028 + if (likely(lena != lenb))
27031 + l1 = (unsigned long *)a;
27032 + l2 = (unsigned long *)b;
27034 + num_longs = lena / sizeof(unsigned long);
27036 + for (i = num_longs; i--; l1++, l2++) {
27037 + if (unlikely(*l1 != *l2))
27041 + c1 = (unsigned char *) l1;
27042 + c2 = (unsigned char *) l2;
27044 + i = lena - (num_longs * sizeof(unsigned long));
27046 + for (; i--; c1++, c2++) {
27047 + if (unlikely(*c1 != *c2))
27054 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
27055 + struct dentry *root, struct vfsmount *rootmnt,
27056 + char *buffer, int buflen)
27058 + char * end = buffer+buflen;
27067 + /* Get '/' right */
27072 + struct dentry * parent;
27074 + if (dentry == root && vfsmnt == rootmnt)
27076 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
27077 + /* Global root? */
27078 + spin_lock(&vfsmount_lock);
27079 + if (vfsmnt->mnt_parent == vfsmnt) {
27080 + spin_unlock(&vfsmount_lock);
27081 + goto global_root;
27083 + dentry = vfsmnt->mnt_mountpoint;
27084 + vfsmnt = vfsmnt->mnt_parent;
27085 + spin_unlock(&vfsmount_lock);
27088 + parent = dentry->d_parent;
27089 + prefetch(parent);
27090 + namelen = dentry->d_name.len;
27091 + buflen -= namelen + 1;
27095 + memcpy(end, dentry->d_name.name, namelen);
27104 + namelen = dentry->d_name.len;
27105 + buflen -= namelen;
27108 + retval -= namelen-1; /* hit the slash */
27109 + memcpy(retval, dentry->d_name.name, namelen);
27112 + return ERR_PTR(-ENAMETOOLONG);
27116 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
27117 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
27121 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
27122 + if (unlikely(IS_ERR(retval)))
27123 + retval = strcpy(buf, "<path too long>");
27124 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
27125 + retval[1] = '\0';
27131 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
27132 + char *buf, int buflen)
27136 + /* we can use real_root, real_root_mnt, because this is only called
27137 + by the RBAC system */
27138 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
27144 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
27145 + char *buf, int buflen)
27148 + struct dentry *root;
27149 + struct vfsmount *rootmnt;
27150 + struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
27152 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
27153 + read_lock(&reaper->fs->lock);
27154 + root = dget(reaper->fs->root.dentry);
27155 + rootmnt = mntget(reaper->fs->root.mnt);
27156 + read_unlock(&reaper->fs->lock);
27158 + spin_lock(&dcache_lock);
27159 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
27160 + spin_unlock(&dcache_lock);
27168 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
27171 + spin_lock(&dcache_lock);
27172 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
27174 + spin_unlock(&dcache_lock);
27179 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
27181 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
27186 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
27188 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
27193 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
27195 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
27200 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
27202 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
27207 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
27209 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
27214 +to_gr_audit(const __u32 reqmode)
27216 + /* masks off auditable permission flags, then shifts them to create
27217 + auditing flags, and adds the special case of append auditing if
27218 + we're requesting write */
27219 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
27222 +struct acl_subject_label *
27223 +lookup_subject_map(const struct acl_subject_label *userp)
27225 + unsigned int index = shash(userp, subj_map_set.s_size);
27226 + struct subject_map *match;
27228 + match = subj_map_set.s_hash[index];
27230 + while (match && match->user != userp)
27231 + match = match->next;
27233 + if (match != NULL)
27234 + return match->kernel;
27240 +insert_subj_map_entry(struct subject_map *subjmap)
27242 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
27243 + struct subject_map **curr;
27245 + subjmap->prev = NULL;
27247 + curr = &subj_map_set.s_hash[index];
27248 + if (*curr != NULL)
27249 + (*curr)->prev = subjmap;
27251 + subjmap->next = *curr;
27257 +static struct acl_role_label *
27258 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
27261 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
27262 + struct acl_role_label *match;
27263 + struct role_allowed_ip *ipp;
27266 + match = acl_role_set.r_hash[index];
27269 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
27270 + for (x = 0; x < match->domain_child_num; x++) {
27271 + if (match->domain_children[x] == uid)
27274 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
27276 + match = match->next;
27279 + if (match == NULL) {
27281 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
27282 + match = acl_role_set.r_hash[index];
27285 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
27286 + for (x = 0; x < match->domain_child_num; x++) {
27287 + if (match->domain_children[x] == gid)
27290 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
27292 + match = match->next;
27295 + if (match == NULL)
27296 + match = default_role;
27297 + if (match->allowed_ips == NULL)
27300 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
27302 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
27303 + (ntohl(ipp->addr) & ipp->netmask)))
27306 + match = default_role;
27308 + } else if (match->allowed_ips == NULL) {
27311 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
27313 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
27314 + (ntohl(ipp->addr) & ipp->netmask)))
27323 +struct acl_subject_label *
27324 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
27325 + const struct acl_role_label *role)
27327 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
27328 + struct acl_subject_label *match;
27330 + match = role->subj_hash[index];
27332 + while (match && (match->inode != ino || match->device != dev ||
27333 + (match->mode & GR_DELETED))) {
27334 + match = match->next;
27337 + if (match && !(match->mode & GR_DELETED))
27343 +struct acl_subject_label *
27344 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
27345 + const struct acl_role_label *role)
27347 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
27348 + struct acl_subject_label *match;
27350 + match = role->subj_hash[index];
27352 + while (match && (match->inode != ino || match->device != dev ||
27353 + !(match->mode & GR_DELETED))) {
27354 + match = match->next;
27357 + if (match && (match->mode & GR_DELETED))
27363 +static struct acl_object_label *
27364 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
27365 + const struct acl_subject_label *subj)
27367 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
27368 + struct acl_object_label *match;
27370 + match = subj->obj_hash[index];
27372 + while (match && (match->inode != ino || match->device != dev ||
27373 + (match->mode & GR_DELETED))) {
27374 + match = match->next;
27377 + if (match && !(match->mode & GR_DELETED))
27383 +static struct acl_object_label *
27384 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
27385 + const struct acl_subject_label *subj)
27387 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
27388 + struct acl_object_label *match;
27390 + match = subj->obj_hash[index];
27392 + while (match && (match->inode != ino || match->device != dev ||
27393 + !(match->mode & GR_DELETED))) {
27394 + match = match->next;
27397 + if (match && (match->mode & GR_DELETED))
27400 + match = subj->obj_hash[index];
27402 + while (match && (match->inode != ino || match->device != dev ||
27403 + (match->mode & GR_DELETED))) {
27404 + match = match->next;
27407 + if (match && !(match->mode & GR_DELETED))
27413 +static struct name_entry *
27414 +lookup_name_entry(const char *name)
27416 + unsigned int len = strlen(name);
27417 + unsigned int key = full_name_hash(name, len);
27418 + unsigned int index = key % name_set.n_size;
27419 + struct name_entry *match;
27421 + match = name_set.n_hash[index];
27423 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
27424 + match = match->next;
27429 +static struct name_entry *
27430 +lookup_name_entry_create(const char *name)
27432 + unsigned int len = strlen(name);
27433 + unsigned int key = full_name_hash(name, len);
27434 + unsigned int index = key % name_set.n_size;
27435 + struct name_entry *match;
27437 + match = name_set.n_hash[index];
27439 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
27440 + !match->deleted))
27441 + match = match->next;
27443 + if (match && match->deleted)
27446 + match = name_set.n_hash[index];
27448 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
27450 + match = match->next;
27452 + if (match && !match->deleted)
27458 +static struct inodev_entry *
27459 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
27461 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
27462 + struct inodev_entry *match;
27464 + match = inodev_set.i_hash[index];
27466 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
27467 + match = match->next;
27473 +insert_inodev_entry(struct inodev_entry *entry)
27475 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
27476 + inodev_set.i_size);
27477 + struct inodev_entry **curr;
27479 + entry->prev = NULL;
27481 + curr = &inodev_set.i_hash[index];
27482 + if (*curr != NULL)
27483 + (*curr)->prev = entry;
27485 + entry->next = *curr;
27492 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
27494 + unsigned int index =
27495 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
27496 + struct acl_role_label **curr;
27498 + role->prev = NULL;
27500 + curr = &acl_role_set.r_hash[index];
27501 + if (*curr != NULL)
27502 + (*curr)->prev = role;
27504 + role->next = *curr;
27511 +insert_acl_role_label(struct acl_role_label *role)
27515 + if (role->roletype & GR_ROLE_DOMAIN) {
27516 + for (i = 0; i < role->domain_child_num; i++)
27517 + __insert_acl_role_label(role, role->domain_children[i]);
27519 + __insert_acl_role_label(role, role->uidgid);
27523 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
27525 + struct name_entry **curr, *nentry;
27526 + struct inodev_entry *ientry;
27527 + unsigned int len = strlen(name);
27528 + unsigned int key = full_name_hash(name, len);
27529 + unsigned int index = key % name_set.n_size;
27531 + curr = &name_set.n_hash[index];
27533 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
27534 + curr = &((*curr)->next);
27536 + if (*curr != NULL)
27539 + nentry = acl_alloc(sizeof (struct name_entry));
27540 + if (nentry == NULL)
27542 + ientry = acl_alloc(sizeof (struct inodev_entry));
27543 + if (ientry == NULL)
27545 + ientry->nentry = nentry;
27547 + nentry->key = key;
27548 + nentry->name = name;
27549 + nentry->inode = inode;
27550 + nentry->device = device;
27551 + nentry->len = len;
27552 + nentry->deleted = deleted;
27554 + nentry->prev = NULL;
27555 + curr = &name_set.n_hash[index];
27556 + if (*curr != NULL)
27557 + (*curr)->prev = nentry;
27558 + nentry->next = *curr;
27561 + /* insert us into the table searchable by inode/dev */
27562 + insert_inodev_entry(ientry);
27568 +insert_acl_obj_label(struct acl_object_label *obj,
27569 + struct acl_subject_label *subj)
27571 + unsigned int index =
27572 + fhash(obj->inode, obj->device, subj->obj_hash_size);
27573 + struct acl_object_label **curr;
27576 + obj->prev = NULL;
27578 + curr = &subj->obj_hash[index];
27579 + if (*curr != NULL)
27580 + (*curr)->prev = obj;
27582 + obj->next = *curr;
27589 +insert_acl_subj_label(struct acl_subject_label *obj,
27590 + struct acl_role_label *role)
27592 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
27593 + struct acl_subject_label **curr;
27595 + obj->prev = NULL;
27597 + curr = &role->subj_hash[index];
27598 + if (*curr != NULL)
27599 + (*curr)->prev = obj;
27601 + obj->next = *curr;
27607 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
27610 +create_table(__u32 * len, int elementsize)
27612 + unsigned int table_sizes[] = {
27613 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
27614 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
27615 + 4194301, 8388593, 16777213, 33554393, 67108859
27617 + void *newtable = NULL;
27618 + unsigned int pwr = 0;
27620 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
27621 + table_sizes[pwr] <= *len)
27624 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
27627 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
27629 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
27631 + newtable = vmalloc(table_sizes[pwr] * elementsize);
27633 + *len = table_sizes[pwr];
27639 +init_variables(const struct gr_arg *arg)
27641 + struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
27642 + unsigned int stacksize;
27644 + subj_map_set.s_size = arg->role_db.num_subjects;
27645 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
27646 + name_set.n_size = arg->role_db.num_objects;
27647 + inodev_set.i_size = arg->role_db.num_objects;
27649 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
27650 + !name_set.n_size || !inodev_set.i_size)
27653 + if (!gr_init_uidset())
27656 + /* set up the stack that holds allocation info */
27658 + stacksize = arg->role_db.num_pointers + 5;
27660 + if (!acl_alloc_stack_init(stacksize))
27663 + /* grab reference for the real root dentry and vfsmount */
27664 + read_lock(&reaper->fs->lock);
27665 + real_root_mnt = mntget(reaper->fs->root.mnt);
27666 + real_root = dget(reaper->fs->root.dentry);
27667 + read_unlock(&reaper->fs->lock);
27669 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
27670 + if (fakefs_obj == NULL)
27672 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
27674 + subj_map_set.s_hash =
27675 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
27676 + acl_role_set.r_hash =
27677 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
27678 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
27679 + inodev_set.i_hash =
27680 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
27682 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
27683 + !name_set.n_hash || !inodev_set.i_hash)
27686 + memset(subj_map_set.s_hash, 0,
27687 + sizeof(struct subject_map *) * subj_map_set.s_size);
27688 + memset(acl_role_set.r_hash, 0,
27689 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
27690 + memset(name_set.n_hash, 0,
27691 + sizeof (struct name_entry *) * name_set.n_size);
27692 + memset(inodev_set.i_hash, 0,
27693 + sizeof (struct inodev_entry *) * inodev_set.i_size);
27698 +/* free information not needed after startup
27699 + currently contains user->kernel pointer mappings for subjects
27703 +free_init_variables(void)
27707 + if (subj_map_set.s_hash) {
27708 + for (i = 0; i < subj_map_set.s_size; i++) {
27709 + if (subj_map_set.s_hash[i]) {
27710 + kfree(subj_map_set.s_hash[i]);
27711 + subj_map_set.s_hash[i] = NULL;
27715 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
27717 + kfree(subj_map_set.s_hash);
27719 + vfree(subj_map_set.s_hash);
27726 +free_variables(void)
27728 + struct acl_subject_label *s;
27729 + struct acl_role_label *r;
27730 + struct task_struct *task, *task2;
27731 + unsigned int i, x;
27733 + gr_clear_learn_entries();
27735 + read_lock(&tasklist_lock);
27736 + do_each_thread(task2, task) {
27737 + task->acl_sp_role = 0;
27738 + task->acl_role_id = 0;
27739 + task->acl = NULL;
27740 + task->role = NULL;
27741 + } while_each_thread(task2, task);
27742 + read_unlock(&tasklist_lock);
27744 + /* release the reference to the real root dentry and vfsmount */
27747 + real_root = NULL;
27748 + if (real_root_mnt)
27749 + mntput(real_root_mnt);
27750 + real_root_mnt = NULL;
27752 + /* free all object hash tables */
27754 + FOR_EACH_ROLE_START(r, i)
27755 + if (r->subj_hash == NULL)
27757 + FOR_EACH_SUBJECT_START(r, s, x)
27758 + if (s->obj_hash == NULL)
27760 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
27761 + kfree(s->obj_hash);
27763 + vfree(s->obj_hash);
27764 + FOR_EACH_SUBJECT_END(s, x)
27765 + FOR_EACH_NESTED_SUBJECT_START(r, s)
27766 + if (s->obj_hash == NULL)
27768 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
27769 + kfree(s->obj_hash);
27771 + vfree(s->obj_hash);
27772 + FOR_EACH_NESTED_SUBJECT_END(s)
27773 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
27774 + kfree(r->subj_hash);
27776 + vfree(r->subj_hash);
27777 + r->subj_hash = NULL;
27778 + FOR_EACH_ROLE_END(r,i)
27782 + if (acl_role_set.r_hash) {
27783 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
27785 + kfree(acl_role_set.r_hash);
27787 + vfree(acl_role_set.r_hash);
27789 + if (name_set.n_hash) {
27790 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
27792 + kfree(name_set.n_hash);
27794 + vfree(name_set.n_hash);
27797 + if (inodev_set.i_hash) {
27798 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
27800 + kfree(inodev_set.i_hash);
27802 + vfree(inodev_set.i_hash);
27805 + gr_free_uidset();
27807 + memset(&name_set, 0, sizeof (struct name_db));
27808 + memset(&inodev_set, 0, sizeof (struct inodev_db));
27809 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
27810 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
27812 + default_role = NULL;
27818 +count_user_objs(struct acl_object_label *userp)
27820 + struct acl_object_label o_tmp;
27824 + if (copy_from_user(&o_tmp, userp,
27825 + sizeof (struct acl_object_label)))
27828 + userp = o_tmp.prev;
27835 +static struct acl_subject_label *
27836 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
27839 +copy_user_glob(struct acl_object_label *obj)
27841 + struct acl_object_label *g_tmp, **guser;
27842 + unsigned int len;
27845 + if (obj->globbed == NULL)
27848 + guser = &obj->globbed;
27850 + g_tmp = (struct acl_object_label *)
27851 + acl_alloc(sizeof (struct acl_object_label));
27852 + if (g_tmp == NULL)
27855 + if (copy_from_user(g_tmp, *guser,
27856 + sizeof (struct acl_object_label)))
27859 + len = strnlen_user(g_tmp->filename, PATH_MAX);
27861 + if (!len || len >= PATH_MAX)
27864 + if ((tmp = (char *) acl_alloc(len)) == NULL)
27867 + if (copy_from_user(tmp, g_tmp->filename, len))
27869 + tmp[len-1] = '\0';
27870 + g_tmp->filename = tmp;
27873 + guser = &(g_tmp->next);
27880 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
27881 + struct acl_role_label *role)
27883 + struct acl_object_label *o_tmp;
27884 + unsigned int len;
27889 + if ((o_tmp = (struct acl_object_label *)
27890 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
27893 + if (copy_from_user(o_tmp, userp,
27894 + sizeof (struct acl_object_label)))
27897 + userp = o_tmp->prev;
27899 + len = strnlen_user(o_tmp->filename, PATH_MAX);
27901 + if (!len || len >= PATH_MAX)
27904 + if ((tmp = (char *) acl_alloc(len)) == NULL)
27907 + if (copy_from_user(tmp, o_tmp->filename, len))
27909 + tmp[len-1] = '\0';
27910 + o_tmp->filename = tmp;
27912 + insert_acl_obj_label(o_tmp, subj);
27913 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
27914 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
27917 + ret = copy_user_glob(o_tmp);
27921 + if (o_tmp->nested) {
27922 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
27923 + if (IS_ERR(o_tmp->nested))
27924 + return PTR_ERR(o_tmp->nested);
27926 + /* insert into nested subject list */
27927 + o_tmp->nested->next = role->hash->first;
27928 + role->hash->first = o_tmp->nested;
27936 +count_user_subjs(struct acl_subject_label *userp)
27938 + struct acl_subject_label s_tmp;
27942 + if (copy_from_user(&s_tmp, userp,
27943 + sizeof (struct acl_subject_label)))
27946 + userp = s_tmp.prev;
27947 + /* do not count nested subjects against this count, since
27948 + they are not included in the hash table, but are
27949 + attached to objects. We have already counted
27950 + the subjects in userspace for the allocation
27953 + if (!(s_tmp.mode & GR_NESTED))
27961 +copy_user_allowedips(struct acl_role_label *rolep)
27963 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
27965 + ruserip = rolep->allowed_ips;
27967 + while (ruserip) {
27970 + if ((rtmp = (struct role_allowed_ip *)
27971 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
27974 + if (copy_from_user(rtmp, ruserip,
27975 + sizeof (struct role_allowed_ip)))
27978 + ruserip = rtmp->prev;
27981 + rtmp->prev = NULL;
27982 + rolep->allowed_ips = rtmp;
27984 + rlast->next = rtmp;
27985 + rtmp->prev = rlast;
27989 + rtmp->next = NULL;
27996 +copy_user_transitions(struct acl_role_label *rolep)
27998 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
28000 + unsigned int len;
28003 + rusertp = rolep->transitions;
28005 + while (rusertp) {
28008 + if ((rtmp = (struct role_transition *)
28009 + acl_alloc(sizeof (struct role_transition))) == NULL)
28012 + if (copy_from_user(rtmp, rusertp,
28013 + sizeof (struct role_transition)))
28016 + rusertp = rtmp->prev;
28018 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
28020 + if (!len || len >= GR_SPROLE_LEN)
28023 + if ((tmp = (char *) acl_alloc(len)) == NULL)
28026 + if (copy_from_user(tmp, rtmp->rolename, len))
28028 + tmp[len-1] = '\0';
28029 + rtmp->rolename = tmp;
28032 + rtmp->prev = NULL;
28033 + rolep->transitions = rtmp;
28035 + rlast->next = rtmp;
28036 + rtmp->prev = rlast;
28040 + rtmp->next = NULL;
28046 +static struct acl_subject_label *
28047 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
28049 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
28050 + unsigned int len;
28053 + struct acl_ip_label **i_tmp, *i_utmp2;
28054 + struct gr_hash_struct ghash;
28055 + struct subject_map *subjmap;
28056 + unsigned int i_num;
28059 + s_tmp = lookup_subject_map(userp);
28061 + /* we've already copied this subject into the kernel, just return
28062 + the reference to it, and don't copy it over again
28067 + if ((s_tmp = (struct acl_subject_label *)
28068 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
28069 + return ERR_PTR(-ENOMEM);
28071 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
28072 + if (subjmap == NULL)
28073 + return ERR_PTR(-ENOMEM);
28075 + subjmap->user = userp;
28076 + subjmap->kernel = s_tmp;
28077 + insert_subj_map_entry(subjmap);
28079 + if (copy_from_user(s_tmp, userp,
28080 + sizeof (struct acl_subject_label)))
28081 + return ERR_PTR(-EFAULT);
28083 + len = strnlen_user(s_tmp->filename, PATH_MAX);
28085 + if (!len || len >= PATH_MAX)
28086 + return ERR_PTR(-EINVAL);
28088 + if ((tmp = (char *) acl_alloc(len)) == NULL)
28089 + return ERR_PTR(-ENOMEM);
28091 + if (copy_from_user(tmp, s_tmp->filename, len))
28092 + return ERR_PTR(-EFAULT);
28093 + tmp[len-1] = '\0';
28094 + s_tmp->filename = tmp;
28096 + if (!strcmp(s_tmp->filename, "/"))
28097 + role->root_label = s_tmp;
28099 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
28100 + return ERR_PTR(-EFAULT);
28102 + /* copy user and group transition tables */
28104 + if (s_tmp->user_trans_num) {
28107 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
28108 + if (uidlist == NULL)
28109 + return ERR_PTR(-ENOMEM);
28110 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
28111 + return ERR_PTR(-EFAULT);
28113 + s_tmp->user_transitions = uidlist;
28116 + if (s_tmp->group_trans_num) {
28119 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
28120 + if (gidlist == NULL)
28121 + return ERR_PTR(-ENOMEM);
28122 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
28123 + return ERR_PTR(-EFAULT);
28125 + s_tmp->group_transitions = gidlist;
28128 + /* set up object hash table */
28129 + num_objs = count_user_objs(ghash.first);
28131 + s_tmp->obj_hash_size = num_objs;
28132 + s_tmp->obj_hash =
28133 + (struct acl_object_label **)
28134 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
28136 + if (!s_tmp->obj_hash)
28137 + return ERR_PTR(-ENOMEM);
28139 + memset(s_tmp->obj_hash, 0,
28140 + s_tmp->obj_hash_size *
28141 + sizeof (struct acl_object_label *));
28143 + /* add in objects */
28144 + err = copy_user_objs(ghash.first, s_tmp, role);
28147 + return ERR_PTR(err);
28149 + /* set pointer for parent subject */
28150 + if (s_tmp->parent_subject) {
28151 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
28153 + if (IS_ERR(s_tmp2))
28156 + s_tmp->parent_subject = s_tmp2;
28159 + /* add in ip acls */
28161 + if (!s_tmp->ip_num) {
28162 + s_tmp->ips = NULL;
28167 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
28168 + sizeof (struct acl_ip_label *));
28171 + return ERR_PTR(-ENOMEM);
28173 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
28174 + *(i_tmp + i_num) =
28175 + (struct acl_ip_label *)
28176 + acl_alloc(sizeof (struct acl_ip_label));
28177 + if (!*(i_tmp + i_num))
28178 + return ERR_PTR(-ENOMEM);
28180 + if (copy_from_user
28181 + (&i_utmp2, s_tmp->ips + i_num,
28182 + sizeof (struct acl_ip_label *)))
28183 + return ERR_PTR(-EFAULT);
28185 + if (copy_from_user
28186 + (*(i_tmp + i_num), i_utmp2,
28187 + sizeof (struct acl_ip_label)))
28188 + return ERR_PTR(-EFAULT);
28190 + if ((*(i_tmp + i_num))->iface == NULL)
28193 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
28194 + if (!len || len >= IFNAMSIZ)
28195 + return ERR_PTR(-EINVAL);
28196 + tmp = acl_alloc(len);
28198 + return ERR_PTR(-ENOMEM);
28199 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
28200 + return ERR_PTR(-EFAULT);
28201 + (*(i_tmp + i_num))->iface = tmp;
28204 + s_tmp->ips = i_tmp;
28207 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
28208 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
28209 + return ERR_PTR(-ENOMEM);
28215 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
28217 + struct acl_subject_label s_pre;
28218 + struct acl_subject_label * ret;
28222 + if (copy_from_user(&s_pre, userp,
28223 + sizeof (struct acl_subject_label)))
28226 + /* do not add nested subjects here, add
28227 + while parsing objects
28230 + if (s_pre.mode & GR_NESTED) {
28231 + userp = s_pre.prev;
28235 + ret = do_copy_user_subj(userp, role);
28237 + err = PTR_ERR(ret);
28241 + insert_acl_subj_label(ret, role);
28243 + userp = s_pre.prev;
28250 +copy_user_acl(struct gr_arg *arg)
28252 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
28253 + struct sprole_pw *sptmp;
28254 + struct gr_hash_struct *ghash;
28255 + uid_t *domainlist;
28256 + unsigned int r_num;
28257 + unsigned int len;
28263 + /* we need a default and kernel role */
28264 + if (arg->role_db.num_roles < 2)
28267 + /* copy special role authentication info from userspace */
28269 + num_sprole_pws = arg->num_sprole_pws;
28270 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
28272 + if (!acl_special_roles) {
28277 + for (i = 0; i < num_sprole_pws; i++) {
28278 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
28283 + if (copy_from_user(sptmp, arg->sprole_pws + i,
28284 + sizeof (struct sprole_pw))) {
28290 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
28292 + if (!len || len >= GR_SPROLE_LEN) {
28297 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
28302 + if (copy_from_user(tmp, sptmp->rolename, len)) {
28306 + tmp[len-1] = '\0';
28307 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
28308 + printk(KERN_ALERT "Copying special role %s\n", tmp);
28310 + sptmp->rolename = tmp;
28311 + acl_special_roles[i] = sptmp;
28314 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
28316 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
28317 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
28324 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
28325 + sizeof (struct acl_role_label *))) {
28330 + if (copy_from_user(r_tmp, r_utmp2,
28331 + sizeof (struct acl_role_label))) {
28336 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
28338 + if (!len || len >= PATH_MAX) {
28343 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
28347 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
28351 + tmp[len-1] = '\0';
28352 + r_tmp->rolename = tmp;
28354 + if (!strcmp(r_tmp->rolename, "default")
28355 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
28356 + default_role = r_tmp;
28357 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
28358 + kernel_role = r_tmp;
28361 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
28365 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
28370 + r_tmp->hash = ghash;
28372 + num_subjs = count_user_subjs(r_tmp->hash->first);
28374 + r_tmp->subj_hash_size = num_subjs;
28375 + r_tmp->subj_hash =
28376 + (struct acl_subject_label **)
28377 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
28379 + if (!r_tmp->subj_hash) {
28384 + err = copy_user_allowedips(r_tmp);
28388 + /* copy domain info */
28389 + if (r_tmp->domain_children != NULL) {
28390 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
28391 + if (domainlist == NULL) {
28395 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
28399 + r_tmp->domain_children = domainlist;
28402 + err = copy_user_transitions(r_tmp);
28406 + memset(r_tmp->subj_hash, 0,
28407 + r_tmp->subj_hash_size *
28408 + sizeof (struct acl_subject_label *));
28410 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
28415 + /* set nested subject list to null */
28416 + r_tmp->hash->first = NULL;
28418 + insert_acl_role_label(r_tmp);
28423 + free_variables();
28430 +gracl_init(struct gr_arg *args)
28434 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
28435 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
28437 + if (init_variables(args)) {
28438 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
28440 + free_variables();
28444 + error = copy_user_acl(args);
28445 + free_init_variables();
28447 + free_variables();
28451 + if ((error = gr_set_acls(0))) {
28452 + free_variables();
28456 +#ifdef CONFIG_PAX_KERNEXEC
28458 + unsigned long cr0;
28460 + pax_open_kernel(cr0);
28461 + gr_status |= GR_READY;
28462 + pax_close_kernel(cr0);
28465 + gr_status |= GR_READY;
28472 +/* derived from glibc fnmatch() 0: match, 1: no match*/
28475 +glob_match(const char *p, const char *n)
28479 + while ((c = *p++) != '\0') {
28484 + else if (*n == '/')
28492 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
28495 + else if (c == '?') {
28505 + const char *endp;
28507 + if ((endp = strchr(n, '/')) == NULL)
28508 + endp = n + strlen(n);
28511 + for (--p; n < endp; ++n)
28512 + if (!glob_match(p, n))
28514 + } else if (c == '/') {
28515 + while (*n != '\0' && *n != '/')
28517 + if (*n == '/' && !glob_match(p, n + 1))
28520 + for (--p; n < endp; ++n)
28521 + if (*n == c && !glob_match(p, n))
28532 + if (*n == '\0' || *n == '/')
28535 + not = (*p == '!' || *p == '^');
28541 + unsigned char fn = (unsigned char)*n;
28551 + if (c == '-' && *p != ']') {
28552 + unsigned char cend = *p++;
28554 + if (cend == '\0')
28557 + if (cold <= fn && fn <= cend)
28571 + while (c != ']') {
28598 +static struct acl_object_label *
28599 +chk_glob_label(struct acl_object_label *globbed,
28600 + struct dentry *dentry, struct vfsmount *mnt, char **path)
28602 + struct acl_object_label *tmp;
28604 + if (*path == NULL)
28605 + *path = gr_to_filename_nolock(dentry, mnt);
28610 + if (!glob_match(tmp->filename, *path))
28618 +static struct acl_object_label *
28619 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
28620 + const ino_t curr_ino, const dev_t curr_dev,
28621 + const struct acl_subject_label *subj, char **path, const int checkglob)
28623 + struct acl_subject_label *tmpsubj;
28624 + struct acl_object_label *retval;
28625 + struct acl_object_label *retval2;
28627 + tmpsubj = (struct acl_subject_label *) subj;
28628 + read_lock(&gr_inode_lock);
28630 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
28632 + if (checkglob && retval->globbed) {
28633 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
28634 + (struct vfsmount *)orig_mnt, path);
28636 + retval = retval2;
28640 + } while ((tmpsubj = tmpsubj->parent_subject));
28641 + read_unlock(&gr_inode_lock);
28646 +static __inline__ struct acl_object_label *
28647 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
28648 + const struct dentry *curr_dentry,
28649 + const struct acl_subject_label *subj, char **path, const int checkglob)
28651 + return __full_lookup(orig_dentry, orig_mnt,
28652 + curr_dentry->d_inode->i_ino,
28653 + curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
28656 +static struct acl_object_label *
28657 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
28658 + const struct acl_subject_label *subj, char *path, const int checkglob)
28660 + struct dentry *dentry = (struct dentry *) l_dentry;
28661 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
28662 + struct acl_object_label *retval;
28664 + spin_lock(&dcache_lock);
28666 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
28667 + /* ignore Eric Biederman */
28668 + IS_PRIVATE(l_dentry->d_inode))) {
28669 + retval = fakefs_obj;
28674 + if (dentry == real_root && mnt == real_root_mnt)
28677 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
28678 + if (mnt->mnt_parent == mnt)
28681 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
28682 + if (retval != NULL)
28685 + dentry = mnt->mnt_mountpoint;
28686 + mnt = mnt->mnt_parent;
28690 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
28691 + if (retval != NULL)
28694 + dentry = dentry->d_parent;
28697 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
28699 + if (retval == NULL)
28700 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
28702 + spin_unlock(&dcache_lock);
28706 +static __inline__ struct acl_object_label *
28707 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
28708 + const struct acl_subject_label *subj)
28710 + char *path = NULL;
28711 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
28714 +static __inline__ struct acl_object_label *
28715 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
28716 + const struct acl_subject_label *subj)
28718 + char *path = NULL;
28719 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
28722 +static __inline__ struct acl_object_label *
28723 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
28724 + const struct acl_subject_label *subj, char *path)
28726 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
28729 +static struct acl_subject_label *
28730 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
28731 + const struct acl_role_label *role)
28733 + struct dentry *dentry = (struct dentry *) l_dentry;
28734 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
28735 + struct acl_subject_label *retval;
28737 + spin_lock(&dcache_lock);
28740 + if (dentry == real_root && mnt == real_root_mnt)
28742 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
28743 + if (mnt->mnt_parent == mnt)
28746 + read_lock(&gr_inode_lock);
28748 + lookup_acl_subj_label(dentry->d_inode->i_ino,
28749 + dentry->d_inode->i_sb->s_dev, role);
28750 + read_unlock(&gr_inode_lock);
28751 + if (retval != NULL)
28754 + dentry = mnt->mnt_mountpoint;
28755 + mnt = mnt->mnt_parent;
28759 + read_lock(&gr_inode_lock);
28760 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
28761 + dentry->d_inode->i_sb->s_dev, role);
28762 + read_unlock(&gr_inode_lock);
28763 + if (retval != NULL)
28766 + dentry = dentry->d_parent;
28769 + read_lock(&gr_inode_lock);
28770 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
28771 + dentry->d_inode->i_sb->s_dev, role);
28772 + read_unlock(&gr_inode_lock);
28774 + if (unlikely(retval == NULL)) {
28775 + read_lock(&gr_inode_lock);
28776 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
28777 + real_root->d_inode->i_sb->s_dev, role);
28778 + read_unlock(&gr_inode_lock);
28781 + spin_unlock(&dcache_lock);
28787 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
28789 + struct task_struct *task = current;
28790 + const struct cred *cred = current_cred();
28792 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
28793 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
28794 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
28795 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
28801 +gr_log_learn_sysctl(const char *path, const __u32 mode)
28803 + struct task_struct *task = current;
28804 + const struct cred *cred = current_cred();
28806 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
28807 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
28808 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
28809 + 1UL, 1UL, path, (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
28815 +gr_log_learn_id_change(const char type, const unsigned int real,
28816 + const unsigned int effective, const unsigned int fs)
28818 + struct task_struct *task = current;
28819 + const struct cred *cred = current_cred();
28821 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
28822 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
28823 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
28824 + type, real, effective, fs, NIPQUAD(task->signal->curr_ip));
28830 +gr_check_link(const struct dentry * new_dentry,
28831 + const struct dentry * parent_dentry,
28832 + const struct vfsmount * parent_mnt,
28833 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
28835 + struct acl_object_label *obj;
28836 + __u32 oldmode, newmode;
28839 + if (unlikely(!(gr_status & GR_READY)))
28840 + return (GR_CREATE | GR_LINK);
28842 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
28843 + oldmode = obj->mode;
28845 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
28846 + oldmode |= (GR_CREATE | GR_LINK);
28848 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
28849 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
28850 + needmode |= GR_SETID | GR_AUDIT_SETID;
28853 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
28854 + oldmode | needmode);
28856 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
28857 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
28858 + GR_INHERIT | GR_AUDIT_INHERIT);
28860 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
28863 + if ((oldmode & needmode) != needmode)
28866 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
28867 + if ((newmode & needmode) != needmode)
28870 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
28873 + needmode = oldmode;
28874 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
28875 + needmode |= GR_SETID;
28877 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
28878 + gr_log_learn(old_dentry, old_mnt, needmode);
28879 + return (GR_CREATE | GR_LINK);
28880 + } else if (newmode & GR_SUPPRESS)
28881 + return GR_SUPPRESS;
28887 +gr_search_file(const struct dentry * dentry, const __u32 mode,
28888 + const struct vfsmount * mnt)
28890 + __u32 retval = mode;
28891 + struct acl_subject_label *curracl;
28892 + struct acl_object_label *currobj;
28894 + if (unlikely(!(gr_status & GR_READY)))
28895 + return (mode & ~GR_AUDITS);
28897 + curracl = current->acl;
28899 + currobj = chk_obj_label(dentry, mnt, curracl);
28900 + retval = currobj->mode & mode;
28903 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
28904 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
28905 + __u32 new_mode = mode;
28907 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
28909 + retval = new_mode;
28911 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
28912 + new_mode |= GR_INHERIT;
28914 + if (!(mode & GR_NOLEARN))
28915 + gr_log_learn(dentry, mnt, new_mode);
28922 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
28923 + const struct vfsmount * mnt, const __u32 mode)
28925 + struct name_entry *match;
28926 + struct acl_object_label *matchpo;
28927 + struct acl_subject_label *curracl;
28931 + if (unlikely(!(gr_status & GR_READY)))
28932 + return (mode & ~GR_AUDITS);
28934 + preempt_disable();
28935 + path = gr_to_filename_rbac(new_dentry, mnt);
28936 + match = lookup_name_entry_create(path);
28939 + goto check_parent;
28941 + curracl = current->acl;
28943 + read_lock(&gr_inode_lock);
28944 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
28945 + read_unlock(&gr_inode_lock);
28948 + if ((matchpo->mode & mode) !=
28949 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
28950 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
28951 + __u32 new_mode = mode;
28953 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
28955 + gr_log_learn(new_dentry, mnt, new_mode);
28957 + preempt_enable();
28960 + preempt_enable();
28961 + return (matchpo->mode & mode);
28965 + curracl = current->acl;
28967 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
28968 + retval = matchpo->mode & mode;
28970 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
28971 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
28972 + __u32 new_mode = mode;
28974 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
28976 + gr_log_learn(new_dentry, mnt, new_mode);
28977 + preempt_enable();
28981 + preempt_enable();
28986 +gr_check_hidden_task(const struct task_struct *task)
28988 + if (unlikely(!(gr_status & GR_READY)))
28991 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
28998 +gr_check_protected_task(const struct task_struct *task)
29000 + if (unlikely(!(gr_status & GR_READY) || !task))
29003 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
29004 + task->acl != current->acl)
29011 +gr_copy_label(struct task_struct *tsk)
29013 + tsk->signal->used_accept = 0;
29014 + tsk->acl_sp_role = 0;
29015 + tsk->acl_role_id = current->acl_role_id;
29016 + tsk->acl = current->acl;
29017 + tsk->role = current->role;
29018 + tsk->signal->curr_ip = current->signal->curr_ip;
29019 + if (current->exec_file)
29020 + get_file(current->exec_file);
29021 + tsk->exec_file = current->exec_file;
29022 + tsk->is_writable = current->is_writable;
29023 + if (unlikely(current->signal->used_accept))
29024 + current->signal->curr_ip = 0;
29030 +gr_set_proc_res(struct task_struct *task)
29032 + struct acl_subject_label *proc;
29033 + unsigned short i;
29035 + proc = task->acl;
29037 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
29040 + for (i = 0; i < RLIM_NLIMITS; i++) {
29041 + if (!(proc->resmask & (1 << i)))
29044 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
29045 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
29052 +gr_check_user_change(int real, int effective, int fs)
29059 + int effectiveok = 0;
29062 + if (unlikely(!(gr_status & GR_READY)))
29065 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
29066 + gr_log_learn_id_change('u', real, effective, fs);
29068 + num = current->acl->user_trans_num;
29069 + uidlist = current->acl->user_transitions;
29071 + if (uidlist == NULL)
29076 + if (effective == -1)
29081 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
29082 + for (i = 0; i < num; i++) {
29083 + curuid = (int)uidlist[i];
29084 + if (real == curuid)
29086 + if (effective == curuid)
29088 + if (fs == curuid)
29091 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
29092 + for (i = 0; i < num; i++) {
29093 + curuid = (int)uidlist[i];
29094 + if (real == curuid)
29096 + if (effective == curuid)
29098 + if (fs == curuid)
29101 + /* not in deny list */
29109 + if (realok && effectiveok && fsok)
29112 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
29118 +gr_check_group_change(int real, int effective, int fs)
29125 + int effectiveok = 0;
29128 + if (unlikely(!(gr_status & GR_READY)))
29131 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
29132 + gr_log_learn_id_change('g', real, effective, fs);
29134 + num = current->acl->group_trans_num;
29135 + gidlist = current->acl->group_transitions;
29137 + if (gidlist == NULL)
29142 + if (effective == -1)
29147 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
29148 + for (i = 0; i < num; i++) {
29149 + curgid = (int)gidlist[i];
29150 + if (real == curgid)
29152 + if (effective == curgid)
29154 + if (fs == curgid)
29157 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
29158 + for (i = 0; i < num; i++) {
29159 + curgid = (int)gidlist[i];
29160 + if (real == curgid)
29162 + if (effective == curgid)
29164 + if (fs == curgid)
29167 + /* not in deny list */
29175 + if (realok && effectiveok && fsok)
29178 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
29184 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
29186 + struct acl_role_label *role = task->role;
29187 + struct acl_subject_label *subj = NULL;
29188 + struct acl_object_label *obj;
29189 + struct file *filp;
29191 + if (unlikely(!(gr_status & GR_READY)))
29194 + filp = task->exec_file;
29196 + /* kernel process, we'll give them the kernel role */
29197 + if (unlikely(!filp)) {
29198 + task->role = kernel_role;
29199 + task->acl = kernel_role->root_label;
29201 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
29202 + role = lookup_acl_role_label(task, uid, gid);
29204 + /* perform subject lookup in possibly new role
29205 + we can use this result below in the case where role == task->role
29207 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
29209 + /* if we changed uid/gid, but result in the same role
29210 + and are using inheritance, don't lose the inherited subject
29211 + if current subject is other than what normal lookup
29212 + would result in, we arrived via inheritance, don't
29215 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
29216 + (subj == task->acl)))
29217 + task->acl = subj;
29219 + task->role = role;
29221 + task->is_writable = 0;
29223 + /* ignore additional mmap checks for processes that are writable
29224 + by the default ACL */
29225 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
29226 + if (unlikely(obj->mode & GR_WRITE))
29227 + task->is_writable = 1;
29228 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
29229 + if (unlikely(obj->mode & GR_WRITE))
29230 + task->is_writable = 1;
29232 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
29233 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
29236 + gr_set_proc_res(task);
29242 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
29243 + const int unsafe_share)
29245 + struct task_struct *task = current;
29246 + struct acl_subject_label *newacl;
29247 + struct acl_object_label *obj;
29250 + if (unlikely(!(gr_status & GR_READY)))
29253 + newacl = chk_subj_label(dentry, mnt, task->role);
29256 + if (((task->ptrace & PT_PTRACED) && !(task->acl->mode &
29257 + GR_POVERRIDE) && (task->acl != newacl) &&
29258 + !(task->role->roletype & GR_ROLE_GOD) &&
29259 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
29260 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))
29261 + || unsafe_share) {
29262 + task_unlock(task);
29263 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
29266 + task_unlock(task);
29268 + obj = chk_obj_label(dentry, mnt, task->acl);
29269 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
29271 + if (!(task->acl->mode & GR_INHERITLEARN) &&
29272 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
29274 + task->acl = obj->nested;
29276 + task->acl = newacl;
29277 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
29278 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
29280 + task->is_writable = 0;
29282 + /* ignore additional mmap checks for processes that are writable
29283 + by the default ACL */
29284 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
29285 + if (unlikely(obj->mode & GR_WRITE))
29286 + task->is_writable = 1;
29287 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
29288 + if (unlikely(obj->mode & GR_WRITE))
29289 + task->is_writable = 1;
29291 + gr_set_proc_res(task);
29293 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
29294 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
29299 +/* always called with valid inodev ptr */
29301 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
29303 + struct acl_object_label *matchpo;
29304 + struct acl_subject_label *matchps;
29305 + struct acl_subject_label *subj;
29306 + struct acl_role_label *role;
29307 + unsigned int i, x;
29309 + FOR_EACH_ROLE_START(role, i)
29310 + FOR_EACH_SUBJECT_START(role, subj, x)
29311 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
29312 + matchpo->mode |= GR_DELETED;
29313 + FOR_EACH_SUBJECT_END(subj,x)
29314 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
29315 + if (subj->inode == ino && subj->device == dev)
29316 + subj->mode |= GR_DELETED;
29317 + FOR_EACH_NESTED_SUBJECT_END(subj)
29318 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
29319 + matchps->mode |= GR_DELETED;
29320 + FOR_EACH_ROLE_END(role,i)
29322 + inodev->nentry->deleted = 1;
29328 +gr_handle_delete(const ino_t ino, const dev_t dev)
29330 + struct inodev_entry *inodev;
29332 + if (unlikely(!(gr_status & GR_READY)))
29335 + write_lock(&gr_inode_lock);
29336 + inodev = lookup_inodev_entry(ino, dev);
29337 + if (inodev != NULL)
29338 + do_handle_delete(inodev, ino, dev);
29339 + write_unlock(&gr_inode_lock);
29345 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
29346 + const ino_t newinode, const dev_t newdevice,
29347 + struct acl_subject_label *subj)
29349 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
29350 + struct acl_object_label *match;
29352 + match = subj->obj_hash[index];
29354 + while (match && (match->inode != oldinode ||
29355 + match->device != olddevice ||
29356 + !(match->mode & GR_DELETED)))
29357 + match = match->next;
29359 + if (match && (match->inode == oldinode)
29360 + && (match->device == olddevice)
29361 + && (match->mode & GR_DELETED)) {
29362 + if (match->prev == NULL) {
29363 + subj->obj_hash[index] = match->next;
29364 + if (match->next != NULL)
29365 + match->next->prev = NULL;
29367 + match->prev->next = match->next;
29368 + if (match->next != NULL)
29369 + match->next->prev = match->prev;
29371 + match->prev = NULL;
29372 + match->next = NULL;
29373 + match->inode = newinode;
29374 + match->device = newdevice;
29375 + match->mode &= ~GR_DELETED;
29377 + insert_acl_obj_label(match, subj);
29384 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
29385 + const ino_t newinode, const dev_t newdevice,
29386 + struct acl_role_label *role)
29388 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
29389 + struct acl_subject_label *match;
29391 + match = role->subj_hash[index];
29393 + while (match && (match->inode != oldinode ||
29394 + match->device != olddevice ||
29395 + !(match->mode & GR_DELETED)))
29396 + match = match->next;
29398 + if (match && (match->inode == oldinode)
29399 + && (match->device == olddevice)
29400 + && (match->mode & GR_DELETED)) {
29401 + if (match->prev == NULL) {
29402 + role->subj_hash[index] = match->next;
29403 + if (match->next != NULL)
29404 + match->next->prev = NULL;
29406 + match->prev->next = match->next;
29407 + if (match->next != NULL)
29408 + match->next->prev = match->prev;
29410 + match->prev = NULL;
29411 + match->next = NULL;
29412 + match->inode = newinode;
29413 + match->device = newdevice;
29414 + match->mode &= ~GR_DELETED;
29416 + insert_acl_subj_label(match, role);
29423 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
29424 + const ino_t newinode, const dev_t newdevice)
29426 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
29427 + struct inodev_entry *match;
29429 + match = inodev_set.i_hash[index];
29431 + while (match && (match->nentry->inode != oldinode ||
29432 + match->nentry->device != olddevice || !match->nentry->deleted))
29433 + match = match->next;
29435 + if (match && (match->nentry->inode == oldinode)
29436 + && (match->nentry->device == olddevice) &&
29437 + match->nentry->deleted) {
29438 + if (match->prev == NULL) {
29439 + inodev_set.i_hash[index] = match->next;
29440 + if (match->next != NULL)
29441 + match->next->prev = NULL;
29443 + match->prev->next = match->next;
29444 + if (match->next != NULL)
29445 + match->next->prev = match->prev;
29447 + match->prev = NULL;
29448 + match->next = NULL;
29449 + match->nentry->inode = newinode;
29450 + match->nentry->device = newdevice;
29451 + match->nentry->deleted = 0;
29453 + insert_inodev_entry(match);
29460 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
29461 + const struct vfsmount *mnt)
29463 + struct acl_subject_label *subj;
29464 + struct acl_role_label *role;
29465 + unsigned int i, x;
29467 + FOR_EACH_ROLE_START(role, i)
29468 + update_acl_subj_label(matchn->inode, matchn->device,
29469 + dentry->d_inode->i_ino,
29470 + dentry->d_inode->i_sb->s_dev, role);
29472 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
29473 + if ((subj->inode == dentry->d_inode->i_ino) &&
29474 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
29475 + subj->inode = dentry->d_inode->i_ino;
29476 + subj->device = dentry->d_inode->i_sb->s_dev;
29478 + FOR_EACH_NESTED_SUBJECT_END(subj)
29479 + FOR_EACH_SUBJECT_START(role, subj, x)
29480 + update_acl_obj_label(matchn->inode, matchn->device,
29481 + dentry->d_inode->i_ino,
29482 + dentry->d_inode->i_sb->s_dev, subj);
29483 + FOR_EACH_SUBJECT_END(subj,x)
29484 + FOR_EACH_ROLE_END(role,i)
29486 + update_inodev_entry(matchn->inode, matchn->device,
29487 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
29493 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
29495 + struct name_entry *matchn;
29497 + if (unlikely(!(gr_status & GR_READY)))
29500 + preempt_disable();
29501 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
29503 + if (unlikely((unsigned long)matchn)) {
29504 + write_lock(&gr_inode_lock);
29505 + do_handle_create(matchn, dentry, mnt);
29506 + write_unlock(&gr_inode_lock);
29508 + preempt_enable();
29514 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
29515 + struct dentry *old_dentry,
29516 + struct dentry *new_dentry,
29517 + struct vfsmount *mnt, const __u8 replace)
29519 + struct name_entry *matchn;
29520 + struct inodev_entry *inodev;
29522 + /* vfs_rename swaps the name and parent link for old_dentry and
29524 + at this point, old_dentry has the new name, parent link, and inode
29525 + for the renamed file
29526 + if a file is being replaced by a rename, new_dentry has the inode
29527 + and name for the replaced file
29530 + if (unlikely(!(gr_status & GR_READY)))
29533 + preempt_disable();
29534 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
29536 + /* we wouldn't have to check d_inode if it weren't for
29537 + NFS silly-renaming
29540 + write_lock(&gr_inode_lock);
29541 + if (unlikely(replace && new_dentry->d_inode)) {
29542 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
29543 + new_dentry->d_inode->i_sb->s_dev);
29544 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
29545 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
29546 + new_dentry->d_inode->i_sb->s_dev);
29549 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
29550 + old_dentry->d_inode->i_sb->s_dev);
29551 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
29552 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
29553 + old_dentry->d_inode->i_sb->s_dev);
29555 + if (unlikely((unsigned long)matchn))
29556 + do_handle_create(matchn, old_dentry, mnt);
29558 + write_unlock(&gr_inode_lock);
29559 + preempt_enable();
29565 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
29566 + unsigned char **sum)
29568 + struct acl_role_label *r;
29569 + struct role_allowed_ip *ipp;
29570 + struct role_transition *trans;
29574 + /* check transition table */
29576 + for (trans = current->role->transitions; trans; trans = trans->next) {
29577 + if (!strcmp(rolename, trans->rolename)) {
29586 + /* handle special roles that do not require authentication
29589 + FOR_EACH_ROLE_START(r, i)
29590 + if (!strcmp(rolename, r->rolename) &&
29591 + (r->roletype & GR_ROLE_SPECIAL)) {
29593 + if (r->allowed_ips != NULL) {
29594 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
29595 + if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
29596 + (ntohl(ipp->addr) & ipp->netmask))
29604 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
29605 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
29611 + FOR_EACH_ROLE_END(r,i)
29613 + for (i = 0; i < num_sprole_pws; i++) {
29614 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
29615 + *salt = acl_special_roles[i]->salt;
29616 + *sum = acl_special_roles[i]->sum;
29625 +assign_special_role(char *rolename)
29627 + struct acl_object_label *obj;
29628 + struct acl_role_label *r;
29629 + struct acl_role_label *assigned = NULL;
29630 + struct task_struct *tsk;
29631 + struct file *filp;
29634 + FOR_EACH_ROLE_START(r, i)
29635 + if (!strcmp(rolename, r->rolename) &&
29636 + (r->roletype & GR_ROLE_SPECIAL))
29638 + FOR_EACH_ROLE_END(r,i)
29643 + read_lock(&tasklist_lock);
29644 + read_lock(&grsec_exec_file_lock);
29646 + tsk = current->parent;
29650 + filp = tsk->exec_file;
29651 + if (filp == NULL)
29654 + tsk->is_writable = 0;
29656 + tsk->acl_sp_role = 1;
29657 + tsk->acl_role_id = ++acl_sp_role_value;
29658 + tsk->role = assigned;
29659 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
29661 + /* ignore additional mmap checks for processes that are writable
29662 + by the default ACL */
29663 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
29664 + if (unlikely(obj->mode & GR_WRITE))
29665 + tsk->is_writable = 1;
29666 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
29667 + if (unlikely(obj->mode & GR_WRITE))
29668 + tsk->is_writable = 1;
29670 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
29671 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
29675 + read_unlock(&grsec_exec_file_lock);
29676 + read_unlock(&tasklist_lock);
29680 +int gr_check_secure_terminal(struct task_struct *task)
29682 + struct task_struct *p, *p2, *p3;
29683 + struct files_struct *files;
29684 + struct fdtable *fdt;
29685 + struct file *our_file = NULL, *file;
29688 + if (task->signal->tty == NULL)
29691 + files = get_files_struct(task);
29692 + if (files != NULL) {
29694 + fdt = files_fdtable(files);
29695 + for (i=0; i < fdt->max_fds; i++) {
29696 + file = fcheck_files(files, i);
29697 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
29702 + rcu_read_unlock();
29703 + put_files_struct(files);
29706 + if (our_file == NULL)
29709 + read_lock(&tasklist_lock);
29710 + do_each_thread(p2, p) {
29711 + files = get_files_struct(p);
29712 + if (files == NULL ||
29713 + (p->signal && p->signal->tty == task->signal->tty)) {
29714 + if (files != NULL)
29715 + put_files_struct(files);
29719 + fdt = files_fdtable(files);
29720 + for (i=0; i < fdt->max_fds; i++) {
29721 + file = fcheck_files(files, i);
29722 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
29723 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
29725 + while (p3->pid > 0) {
29732 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
29733 + gr_handle_alertkill(p);
29734 + rcu_read_unlock();
29735 + put_files_struct(files);
29736 + read_unlock(&tasklist_lock);
29741 + rcu_read_unlock();
29742 + put_files_struct(files);
29743 + } while_each_thread(p2, p);
29744 + read_unlock(&tasklist_lock);
29751 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
29753 + struct gr_arg_wrapper uwrap;
29754 + unsigned char *sprole_salt;
29755 + unsigned char *sprole_sum;
29756 + int error = sizeof (struct gr_arg_wrapper);
29759 + down(&gr_dev_sem);
29761 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
29766 + if (count != sizeof (struct gr_arg_wrapper)) {
29767 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
29773 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
29774 + gr_auth_expires = 0;
29775 + gr_auth_attempts = 0;
29778 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
29783 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
29788 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
29793 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
29794 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
29795 + time_after(gr_auth_expires, get_seconds())) {
29800 + /* if non-root trying to do anything other than use a special role,
29801 + do not attempt authentication, do not count towards authentication
29805 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
29806 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
29812 + /* ensure pw and special role name are null terminated */
29814 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
29815 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
29818 + * We have our enough of the argument structure..(we have yet
29819 + * to copy_from_user the tables themselves) . Copy the tables
29820 + * only if we need them, i.e. for loading operations. */
29822 + switch (gr_usermode->mode) {
29824 + if (gr_status & GR_READY) {
29826 + if (!gr_check_secure_terminal(current))
29831 + case GR_SHUTDOWN:
29832 + if ((gr_status & GR_READY)
29833 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
29834 +#ifdef CONFIG_PAX_KERNEXEC
29836 + unsigned long cr0;
29838 + pax_open_kernel(cr0);
29839 + gr_status &= ~GR_READY;
29840 + pax_close_kernel(cr0);
29843 + gr_status &= ~GR_READY;
29845 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
29846 + free_variables();
29847 + memset(gr_usermode, 0, sizeof (struct gr_arg));
29848 + memset(gr_system_salt, 0, GR_SALT_LEN);
29849 + memset(gr_system_sum, 0, GR_SHA_LEN);
29850 + } else if (gr_status & GR_READY) {
29851 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
29854 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
29859 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
29860 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
29862 + if (gr_status & GR_READY)
29866 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
29870 + if (!(gr_status & GR_READY)) {
29871 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
29873 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
29875 +#ifdef CONFIG_PAX_KERNEXEC
29877 + unsigned long cr0;
29879 + pax_open_kernel(cr0);
29880 + gr_status &= ~GR_READY;
29881 + pax_close_kernel(cr0);
29884 + gr_status &= ~GR_READY;
29886 + free_variables();
29887 + if (!(error2 = gracl_init(gr_usermode))) {
29889 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
29893 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
29896 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
29901 + if (unlikely(!(gr_status & GR_READY))) {
29902 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
29907 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
29908 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
29909 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
29910 + struct acl_subject_label *segvacl;
29912 + lookup_acl_subj_label(gr_usermode->segv_inode,
29913 + gr_usermode->segv_device,
29916 + segvacl->crashes = 0;
29917 + segvacl->expires = 0;
29919 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
29920 + gr_remove_uid(gr_usermode->segv_uid);
29923 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
29928 + case GR_SPROLEPAM:
29929 + if (unlikely(!(gr_status & GR_READY))) {
29930 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
29935 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
29936 + current->role->expires = 0;
29937 + current->role->auth_attempts = 0;
29940 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
29941 + time_after(current->role->expires, get_seconds())) {
29946 + if (lookup_special_role_auth
29947 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
29948 + && ((!sprole_salt && !sprole_sum)
29949 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
29951 + assign_special_role(gr_usermode->sp_role);
29952 + read_lock(&tasklist_lock);
29953 + if (current->parent)
29954 + p = current->parent->role->rolename;
29955 + read_unlock(&tasklist_lock);
29956 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
29957 + p, acl_sp_role_value);
29959 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
29961 + if(!(current->role->auth_attempts++))
29962 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
29967 + case GR_UNSPROLE:
29968 + if (unlikely(!(gr_status & GR_READY))) {
29969 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
29974 + if (current->role->roletype & GR_ROLE_SPECIAL) {
29978 + read_lock(&tasklist_lock);
29979 + if (current->parent) {
29980 + p = current->parent->role->rolename;
29981 + i = current->parent->acl_role_id;
29983 + read_unlock(&tasklist_lock);
29985 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
29988 + gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
29994 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
29999 + if (error != -EPERM)
30002 + if(!(gr_auth_attempts++))
30003 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
30011 +gr_set_acls(const int type)
30013 + struct acl_object_label *obj;
30014 + struct task_struct *task, *task2;
30015 + struct file *filp;
30016 + struct acl_role_label *role = current->role;
30017 + __u16 acl_role_id = current->acl_role_id;
30018 + const struct cred *cred;
30020 + struct name_entry *nmatch;
30021 + struct acl_subject_label *tmpsubj;
30023 + read_lock(&tasklist_lock);
30024 + read_lock(&grsec_exec_file_lock);
30025 + do_each_thread(task2, task) {
30026 + /* check to see if we're called from the exit handler,
30027 + if so, only replace ACLs that have inherited the admin
30030 + if (type && (task->role != role ||
30031 + task->acl_role_id != acl_role_id))
30034 + task->acl_role_id = 0;
30035 + task->acl_sp_role = 0;
30037 + if ((filp = task->exec_file)) {
30038 + cred = __task_cred(task);
30039 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
30041 + /* the following is to apply the correct subject
30042 + on binaries running when the RBAC system
30043 + is enabled, when the binaries have been
30044 + replaced or deleted since their execution
30046 + when the RBAC system starts, the inode/dev
30047 + from exec_file will be one the RBAC system
30048 + is unaware of. It only knows the inode/dev
30049 + of the present file on disk, or the absence
30052 + preempt_disable();
30053 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
30055 + nmatch = lookup_name_entry(tmpname);
30056 + preempt_enable();
30059 + if (nmatch->deleted)
30060 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
30062 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
30063 + if (tmpsubj != NULL)
30064 + task->acl = tmpsubj;
30066 + if (tmpsubj == NULL)
30067 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
30070 + struct acl_subject_label *curr;
30071 + curr = task->acl;
30073 + task->is_writable = 0;
30074 + /* ignore additional mmap checks for processes that are writable
30075 + by the default ACL */
30076 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
30077 + if (unlikely(obj->mode & GR_WRITE))
30078 + task->is_writable = 1;
30079 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
30080 + if (unlikely(obj->mode & GR_WRITE))
30081 + task->is_writable = 1;
30083 + gr_set_proc_res(task);
30085 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
30086 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
30089 + read_unlock(&grsec_exec_file_lock);
30090 + read_unlock(&tasklist_lock);
30091 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
30095 + // it's a kernel process
30096 + task->role = kernel_role;
30097 + task->acl = kernel_role->root_label;
30098 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
30099 + task->acl->mode &= ~GR_PROCFIND;
30102 + } while_each_thread(task2, task);
30103 + read_unlock(&grsec_exec_file_lock);
30104 + read_unlock(&tasklist_lock);
30109 +gr_learn_resource(const struct task_struct *task,
30110 + const int res, const unsigned long wanted, const int gt)
30112 + struct acl_subject_label *acl;
30113 + const struct cred *cred;
30115 + if (unlikely((gr_status & GR_READY) &&
30116 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
30117 + goto skip_reslog;
30119 +#ifdef CONFIG_GRKERNSEC_RESLOG
30120 + gr_log_resource(task, res, wanted, gt);
30124 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
30129 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
30130 + !(acl->resmask & (1 << (unsigned short) res))))
30133 + if (wanted >= acl->res[res].rlim_cur) {
30134 + unsigned long res_add;
30136 + res_add = wanted;
30139 + res_add += GR_RLIM_CPU_BUMP;
30141 + case RLIMIT_FSIZE:
30142 + res_add += GR_RLIM_FSIZE_BUMP;
30144 + case RLIMIT_DATA:
30145 + res_add += GR_RLIM_DATA_BUMP;
30147 + case RLIMIT_STACK:
30148 + res_add += GR_RLIM_STACK_BUMP;
30150 + case RLIMIT_CORE:
30151 + res_add += GR_RLIM_CORE_BUMP;
30154 + res_add += GR_RLIM_RSS_BUMP;
30156 + case RLIMIT_NPROC:
30157 + res_add += GR_RLIM_NPROC_BUMP;
30159 + case RLIMIT_NOFILE:
30160 + res_add += GR_RLIM_NOFILE_BUMP;
30162 + case RLIMIT_MEMLOCK:
30163 + res_add += GR_RLIM_MEMLOCK_BUMP;
30166 + res_add += GR_RLIM_AS_BUMP;
30168 + case RLIMIT_LOCKS:
30169 + res_add += GR_RLIM_LOCKS_BUMP;
30171 + case RLIMIT_SIGPENDING:
30172 + res_add += GR_RLIM_SIGPENDING_BUMP;
30174 + case RLIMIT_MSGQUEUE:
30175 + res_add += GR_RLIM_MSGQUEUE_BUMP;
30177 + case RLIMIT_NICE:
30178 + res_add += GR_RLIM_NICE_BUMP;
30180 + case RLIMIT_RTPRIO:
30181 + res_add += GR_RLIM_RTPRIO_BUMP;
30183 + case RLIMIT_RTTIME:
30184 + res_add += GR_RLIM_RTTIME_BUMP;
30188 + acl->res[res].rlim_cur = res_add;
30190 + if (wanted > acl->res[res].rlim_max)
30191 + acl->res[res].rlim_max = res_add;
30193 + /* only log the subject filename, since resource logging is supported for
30194 + single-subject learning only */
30195 + cred = __task_cred(task);
30196 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
30197 + task->role->roletype, cred->uid, cred->gid, acl->filename,
30198 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
30199 + "", (unsigned long) res, NIPQUAD(task->signal->curr_ip));
30205 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
30207 +pax_set_initial_flags(struct linux_binprm *bprm)
30209 + struct task_struct *task = current;
30210 + struct acl_subject_label *proc;
30211 + unsigned long flags;
30213 + if (unlikely(!(gr_status & GR_READY)))
30216 + flags = pax_get_flags(task);
30218 + proc = task->acl;
30220 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
30221 + flags &= ~MF_PAX_PAGEEXEC;
30222 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
30223 + flags &= ~MF_PAX_SEGMEXEC;
30224 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
30225 + flags &= ~MF_PAX_RANDMMAP;
30226 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
30227 + flags &= ~MF_PAX_EMUTRAMP;
30228 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
30229 + flags &= ~MF_PAX_MPROTECT;
30231 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
30232 + flags |= MF_PAX_PAGEEXEC;
30233 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
30234 + flags |= MF_PAX_SEGMEXEC;
30235 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
30236 + flags |= MF_PAX_RANDMMAP;
30237 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
30238 + flags |= MF_PAX_EMUTRAMP;
30239 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
30240 + flags |= MF_PAX_MPROTECT;
30242 + pax_set_flags(task, flags);
30248 +#ifdef CONFIG_SYSCTL
30249 +/* Eric Biederman likes breaking userland ABI and every inode-based security
30250 + system to save 35kb of memory */
30252 +/* we modify the passed in filename, but adjust it back before returning */
30253 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
30255 + struct name_entry *nmatch;
30256 + char *p, *lastp = NULL;
30257 + struct acl_object_label *obj = NULL, *tmp;
30258 + struct acl_subject_label *tmpsubj;
30261 + read_lock(&gr_inode_lock);
30263 + p = name + len - 1;
30265 + nmatch = lookup_name_entry(name);
30266 + if (lastp != NULL)
30269 + if (nmatch == NULL)
30270 + goto next_component;
30271 + tmpsubj = current->acl;
30273 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
30274 + if (obj != NULL) {
30275 + tmp = obj->globbed;
30277 + if (!glob_match(tmp->filename, name)) {
30285 + } while ((tmpsubj = tmpsubj->parent_subject));
30291 + while (*p != '/')
30303 + read_unlock(&gr_inode_lock);
30304 + /* obj returned will always be non-null */
30308 +/* returns 0 when allowing, non-zero on error
30309 + op of 0 is used for readdir, so we don't log the names of hidden files
30312 +gr_handle_sysctl(const struct ctl_table *table, const int op)
30315 + const char *proc_sys = "/proc/sys";
30317 + struct acl_object_label *obj;
30318 + unsigned short len = 0, pos = 0, depth = 0, i;
30322 + if (unlikely(!(gr_status & GR_READY)))
30325 + /* for now, ignore operations on non-sysctl entries if it's not a
30327 + if (table->child != NULL && op != 0)
30331 + /* it's only a read if it's an entry, read on dirs is for readdir */
30332 + if (op & MAY_READ)
30334 + if (op & MAY_WRITE)
30335 + mode |= GR_WRITE;
30337 + preempt_disable();
30339 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
30341 + /* it's only a read/write if it's an actual entry, not a dir
30342 + (which are opened for readdir)
30345 + /* convert the requested sysctl entry into a pathname */
30347 + for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
30348 + len += strlen(tmp->procname);
30353 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
30358 + memset(path, 0, PAGE_SIZE);
30360 + memcpy(path, proc_sys, strlen(proc_sys));
30362 + pos += strlen(proc_sys);
30364 + for (; depth > 0; depth--) {
30367 + for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
30368 + if (depth == i) {
30369 + memcpy(path + pos, tmp->procname,
30370 + strlen(tmp->procname));
30371 + pos += strlen(tmp->procname);
30377 + obj = gr_lookup_by_name(path, pos);
30378 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
30380 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
30381 + ((err & mode) != mode))) {
30382 + __u32 new_mode = mode;
30384 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
30387 + gr_log_learn_sysctl(path, new_mode);
30388 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
30389 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
30391 + } else if (!(err & GR_FIND)) {
30393 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
30394 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
30395 + path, (mode & GR_READ) ? " reading" : "",
30396 + (mode & GR_WRITE) ? " writing" : "");
30398 + } else if ((err & mode) != mode) {
30400 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
30401 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
30402 + path, (mode & GR_READ) ? " reading" : "",
30403 + (mode & GR_WRITE) ? " writing" : "");
30409 + preempt_enable();
30416 +gr_handle_proc_ptrace(struct task_struct *task)
30418 + struct file *filp;
30419 + struct task_struct *tmp = task;
30420 + struct task_struct *curtemp = current;
30423 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
30424 + if (unlikely(!(gr_status & GR_READY)))
30428 + read_lock(&tasklist_lock);
30429 + read_lock(&grsec_exec_file_lock);
30430 + filp = task->exec_file;
30432 + while (tmp->pid > 0) {
30433 + if (tmp == curtemp)
30435 + tmp = tmp->parent;
30438 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
30439 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
30440 + read_unlock(&grsec_exec_file_lock);
30441 + read_unlock(&tasklist_lock);
30445 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
30446 + if (!(gr_status & GR_READY)) {
30447 + read_unlock(&grsec_exec_file_lock);
30448 + read_unlock(&tasklist_lock);
30453 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
30454 + read_unlock(&grsec_exec_file_lock);
30455 + read_unlock(&tasklist_lock);
30457 + if (retmode & GR_NOPTRACE)
30460 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
30461 + && (current->acl != task->acl || (current->acl != current->role->root_label
30462 + && current->pid != task->pid)))
30469 +gr_handle_ptrace(struct task_struct *task, const long request)
30471 + struct task_struct *tmp = task;
30472 + struct task_struct *curtemp = current;
30475 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
30476 + if (unlikely(!(gr_status & GR_READY)))
30480 + read_lock(&tasklist_lock);
30481 + while (tmp->pid > 0) {
30482 + if (tmp == curtemp)
30484 + tmp = tmp->parent;
30487 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
30488 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
30489 + read_unlock(&tasklist_lock);
30490 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
30493 + read_unlock(&tasklist_lock);
30495 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
30496 + if (!(gr_status & GR_READY))
30500 + read_lock(&grsec_exec_file_lock);
30501 + if (unlikely(!task->exec_file)) {
30502 + read_unlock(&grsec_exec_file_lock);
30506 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
30507 + read_unlock(&grsec_exec_file_lock);
30509 + if (retmode & GR_NOPTRACE) {
30510 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
30514 + if (retmode & GR_PTRACERD) {
30515 + switch (request) {
30516 + case PTRACE_POKETEXT:
30517 + case PTRACE_POKEDATA:
30518 + case PTRACE_POKEUSR:
30519 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
30520 + case PTRACE_SETREGS:
30521 + case PTRACE_SETFPREGS:
30524 + case PTRACE_SETFPXREGS:
30526 +#ifdef CONFIG_ALTIVEC
30527 + case PTRACE_SETVRREGS:
30533 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
30534 + !(current->role->roletype & GR_ROLE_GOD) &&
30535 + (current->acl != task->acl)) {
30536 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
30543 +static int is_writable_mmap(const struct file *filp)
30545 + struct task_struct *task = current;
30546 + struct acl_object_label *obj, *obj2;
30548 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
30549 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode)) {
30550 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
30551 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
30552 + task->role->root_label);
30553 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
30554 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
30562 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
30566 + if (unlikely(!file || !(prot & PROT_EXEC)))
30569 + if (is_writable_mmap(file))
30573 + gr_search_file(file->f_path.dentry,
30574 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
30575 + file->f_path.mnt);
30577 + if (!gr_tpe_allow(file))
30580 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
30581 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
30583 + } else if (unlikely(!(mode & GR_EXEC))) {
30585 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
30586 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
30594 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
30598 + if (unlikely(!file || !(prot & PROT_EXEC)))
30601 + if (is_writable_mmap(file))
30605 + gr_search_file(file->f_path.dentry,
30606 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
30607 + file->f_path.mnt);
30609 + if (!gr_tpe_allow(file))
30612 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
30613 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
30615 + } else if (unlikely(!(mode & GR_EXEC))) {
30617 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
30618 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
30626 +gr_acl_handle_psacct(struct task_struct *task, const long code)
30628 + unsigned long runtime;
30629 + unsigned long cputime;
30630 + unsigned int wday, cday;
30634 + struct timespec timeval;
30636 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
30637 + !(task->acl->mode & GR_PROCACCT)))
30640 + do_posix_clock_monotonic_gettime(&timeval);
30641 + runtime = timeval.tv_sec - task->start_time.tv_sec;
30642 + wday = runtime / (3600 * 24);
30643 + runtime -= wday * (3600 * 24);
30644 + whr = runtime / 3600;
30645 + runtime -= whr * 3600;
30646 + wmin = runtime / 60;
30647 + runtime -= wmin * 60;
30650 + cputime = (task->utime + task->stime) / HZ;
30651 + cday = cputime / (3600 * 24);
30652 + cputime -= cday * (3600 * 24);
30653 + chr = cputime / 3600;
30654 + cputime -= chr * 3600;
30655 + cmin = cputime / 60;
30656 + cputime -= cmin * 60;
30659 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
30664 +void gr_set_kernel_label(struct task_struct *task)
30666 + if (gr_status & GR_READY) {
30667 + task->role = kernel_role;
30668 + task->acl = kernel_role->root_label;
30673 +#ifdef CONFIG_TASKSTATS
30674 +int gr_is_taskstats_denied(int pid)
30676 + struct task_struct *task;
30677 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
30678 + const struct cred *cred;
30682 + /* restrict taskstats viewing to un-chrooted root users
30683 + who have the 'view' subject flag if the RBAC system is enabled
30686 + read_lock(&tasklist_lock);
30687 + task = find_task_by_vpid(pid);
30690 +#ifdef CONFIG_GRKERNSEC_CHROOT
30691 + if (proc_is_chrooted(task))
30694 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
30695 + cred = __task_cred(task);
30696 +#ifdef CONFIG_GRKERNSEC_PROC_USER
30697 + if (cred->uid != 0)
30699 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
30700 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
30704 + if (gr_status & GR_READY) {
30705 + if (!(task->acl->mode & GR_VIEW))
30709 + task_unlock(task);
30713 + read_unlock(&tasklist_lock);
30719 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
30721 + struct task_struct *task = current;
30722 + struct dentry *dentry = file->f_path.dentry;
30723 + struct vfsmount *mnt = file->f_path.mnt;
30724 + struct acl_object_label *obj, *tmp;
30725 + struct acl_subject_label *subj;
30726 + unsigned int bufsize;
30730 + if (unlikely(!(gr_status & GR_READY)))
30733 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
30736 + /* ignore Eric Biederman */
30737 + if (IS_PRIVATE(dentry->d_inode))
30740 + subj = task->acl;
30742 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
30744 + return (obj->mode & GR_FIND) ? 1 : 0;
30745 + } while ((subj = subj->parent_subject));
30747 + /* this is purely an optimization since we're looking for an object
30748 + for the directory we're doing a readdir on
30749 + if it's possible for any globbed object to match the entry we're
30750 + filling into the directory, then the object we find here will be
30751 + an anchor point with attached globbed objects
30753 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
30754 + if (obj->globbed == NULL)
30755 + return (obj->mode & GR_FIND) ? 1 : 0;
30757 + is_not_root = ((obj->filename[0] == '/') &&
30758 + (obj->filename[1] == '\0')) ? 0 : 1;
30759 + bufsize = PAGE_SIZE - namelen - is_not_root;
30761 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
30762 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
30765 + preempt_disable();
30766 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
30769 + bufsize = strlen(path);
30771 + /* if base is "/", don't append an additional slash */
30773 + *(path + bufsize) = '/';
30774 + memcpy(path + bufsize + is_not_root, name, namelen);
30775 + *(path + bufsize + namelen + is_not_root) = '\0';
30777 + tmp = obj->globbed;
30779 + if (!glob_match(tmp->filename, path)) {
30780 + preempt_enable();
30781 + return (tmp->mode & GR_FIND) ? 1 : 0;
30785 + preempt_enable();
30786 + return (obj->mode & GR_FIND) ? 1 : 0;
30789 +EXPORT_SYMBOL(gr_learn_resource);
30790 +EXPORT_SYMBOL(gr_set_kernel_label);
30791 +#ifdef CONFIG_SECURITY
30792 +EXPORT_SYMBOL(gr_check_user_change);
30793 +EXPORT_SYMBOL(gr_check_group_change);
30796 diff -urNp linux-2.6.31/grsecurity/gracl_cap.c linux-2.6.31/grsecurity/gracl_cap.c
30797 --- linux-2.6.31/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
30798 +++ linux-2.6.31/grsecurity/gracl_cap.c 2009-09-06 15:29:12.048915591 -0400
30800 +#include <linux/kernel.h>
30801 +#include <linux/module.h>
30802 +#include <linux/sched.h>
30803 +#include <linux/gracl.h>
30804 +#include <linux/grsecurity.h>
30805 +#include <linux/grinternal.h>
30807 +static const char *captab_log[] = {
30809 + "CAP_DAC_OVERRIDE",
30810 + "CAP_DAC_READ_SEARCH",
30817 + "CAP_LINUX_IMMUTABLE",
30818 + "CAP_NET_BIND_SERVICE",
30819 + "CAP_NET_BROADCAST",
30824 + "CAP_SYS_MODULE",
30826 + "CAP_SYS_CHROOT",
30827 + "CAP_SYS_PTRACE",
30832 + "CAP_SYS_RESOURCE",
30834 + "CAP_SYS_TTY_CONFIG",
30837 + "CAP_AUDIT_WRITE",
30838 + "CAP_AUDIT_CONTROL",
30840 + "CAP_MAC_OVERRIDE",
30844 +EXPORT_SYMBOL(gr_is_capable);
30845 +EXPORT_SYMBOL(gr_is_capable_nolog);
30848 +gr_is_capable(const int cap)
30850 + struct task_struct *task = current;
30851 + const struct cred *cred = current_cred();
30852 + struct acl_subject_label *curracl;
30853 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
30855 + if (!gr_acl_is_enabled())
30858 + curracl = task->acl;
30860 + cap_drop = curracl->cap_lower;
30861 + cap_mask = curracl->cap_mask;
30863 + while ((curracl = curracl->parent_subject)) {
30864 + /* if the cap isn't specified in the current computed mask but is specified in the
30865 + current level subject, and is lowered in the current level subject, then add
30866 + it to the set of dropped capabilities
30867 + otherwise, add the current level subject's mask to the current computed mask
30869 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
30870 + cap_raise(cap_mask, cap);
30871 + if (cap_raised(curracl->cap_lower, cap))
30872 + cap_raise(cap_drop, cap);
30876 + if (!cap_raised(cap_drop, cap))
30879 + curracl = task->acl;
30881 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
30882 + && cap_raised(cred->cap_effective, cap)) {
30883 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
30884 + task->role->roletype, cred->uid,
30885 + cred->gid, task->exec_file ?
30886 + gr_to_filename(task->exec_file->f_path.dentry,
30887 + task->exec_file->f_path.mnt) : curracl->filename,
30888 + curracl->filename, 0UL,
30889 + 0UL, "", (unsigned long) cap, NIPQUAD(task->signal->curr_ip));
30893 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap))
30894 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
30899 +gr_is_capable_nolog(const int cap)
30901 + struct acl_subject_label *curracl;
30902 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
30904 + if (!gr_acl_is_enabled())
30907 + curracl = current->acl;
30909 + cap_drop = curracl->cap_lower;
30910 + cap_mask = curracl->cap_mask;
30912 + while ((curracl = curracl->parent_subject)) {
30913 + /* if the cap isn't specified in the current computed mask but is specified in the
30914 + current level subject, and is lowered in the current level subject, then add
30915 + it to the set of dropped capabilities
30916 + otherwise, add the current level subject's mask to the current computed mask
30918 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
30919 + cap_raise(cap_mask, cap);
30920 + if (cap_raised(curracl->cap_lower, cap))
30921 + cap_raise(cap_drop, cap);
30925 + if (!cap_raised(cap_drop, cap))
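Review bot: The range check on `cap` at 30893 runs only after `cap_raised(cap_mask, cap)` and `cap_raise(cap_drop, cap)` at 30869–30876 have already indexed the capability sets with it, so it protects only the `captab_log` lookup; in-kernel callers pass compile-time `CAP_*` constants, so an out-of-range value is probably unreachable, but if the check is meant to be defensive it belongs before the walk, otherwise a comment such as `/* cap is a kernel CAP_* constant; only the log table needs a range check */` should say so. `captab_log` is a hand-maintained list indexed by capability number, so a `BUILD_BUG_ON(ARRAY_SIZE(captab_log) != CAP_LAST_CAP + 1);` at the top of `gr_is_capable` would keep it from silently desynchronising from `<linux/capability.h>` when capabilities are added. The subject-hierarchy walk at 30858–30876 is duplicated verbatim in `gr_is_capable_nolog` at 30907–30925; a single static helper, sketched below, removes the duplication and keeps the two decision paths from diverging. The return statements and closing braces of both functions are not visible in the hunk as shown.
```c
/* Walk from @acl up the subject hierarchy; non-zero when @cap is not dropped for it. */
static int gr_cap_allowed(struct acl_subject_label *acl, const int cap)
{
	kernel_cap_t cap_drop = acl->cap_lower, cap_mask = acl->cap_mask;

	while ((acl = acl->parent_subject)) {
		/* a cap first seen at this level is dropped iff this level lowers it */
		if (!cap_raised(cap_mask, cap) && cap_raised(acl->cap_mask, cap)) {
			cap_raise(cap_mask, cap);
			if (cap_raised(acl->cap_lower, cap))
				cap_raise(cap_drop, cap);
		}
	}
	return !cap_raised(cap_drop, cap);
}
/* … unchanged: gr_is_capable learn-mode and logging path, gr_is_capable_nolog … */
```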
30931 diff -urNp linux-2.6.31/grsecurity/gracl_fs.c linux-2.6.31/grsecurity/gracl_fs.c
30932 --- linux-2.6.31/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
30933 +++ linux-2.6.31/grsecurity/gracl_fs.c 2009-09-06 15:29:12.048915591 -0400
30935 +#include <linux/kernel.h>
30936 +#include <linux/sched.h>
30937 +#include <linux/types.h>
30938 +#include <linux/fs.h>
30939 +#include <linux/file.h>
30940 +#include <linux/stat.h>
30941 +#include <linux/grsecurity.h>
30942 +#include <linux/grinternal.h>
30943 +#include <linux/gracl.h>
30946 +gr_acl_handle_hidden_file(const struct dentry * dentry,
30947 + const struct vfsmount * mnt)
30951 + if (unlikely(!dentry->d_inode))
30955 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
30957 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
30958 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
30960 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
30961 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
30963 + } else if (unlikely(!(mode & GR_FIND)))
30970 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
30973 + __u32 reqmode = GR_FIND;
30976 + if (unlikely(!dentry->d_inode))
30979 + if (unlikely(fmode & O_APPEND))
30980 + reqmode |= GR_APPEND;
30981 + else if (unlikely(fmode & FMODE_WRITE))
30982 + reqmode |= GR_WRITE;
30983 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
30984 + reqmode |= GR_READ;
30985 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
30986 + reqmode &= ~GR_READ;
30988 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
30991 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
30992 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
30993 + reqmode & GR_READ ? " reading" : "",
30994 + reqmode & GR_WRITE ? " writing" : reqmode &
30995 + GR_APPEND ? " appending" : "");
30998 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
31000 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
31001 + reqmode & GR_READ ? " reading" : "",
31002 + reqmode & GR_WRITE ? " writing" : reqmode &
31003 + GR_APPEND ? " appending" : "");
31005 + } else if (unlikely((mode & reqmode) != reqmode))
31012 +gr_acl_handle_creat(const struct dentry * dentry,
31013 + const struct dentry * p_dentry,
31014 + const struct vfsmount * p_mnt, const int fmode,
31017 + __u32 reqmode = GR_WRITE | GR_CREATE;
31020 + if (unlikely(fmode & O_APPEND))
31021 + reqmode |= GR_APPEND;
31022 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
31023 + reqmode |= GR_READ;
31024 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
31025 + reqmode |= GR_SETID;
31028 + gr_check_create(dentry, p_dentry, p_mnt,
31029 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
31031 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
31032 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
31033 + reqmode & GR_READ ? " reading" : "",
31034 + reqmode & GR_WRITE ? " writing" : reqmode &
31035 + GR_APPEND ? " appending" : "");
31038 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
31040 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
31041 + reqmode & GR_READ ? " reading" : "",
31042 + reqmode & GR_WRITE ? " writing" : reqmode &
31043 + GR_APPEND ? " appending" : "");
31045 + } else if (unlikely((mode & reqmode) != reqmode))
31052 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
31055 + __u32 mode, reqmode = GR_FIND;
31057 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
31058 + reqmode |= GR_EXEC;
31059 + if (fmode & S_IWOTH)
31060 + reqmode |= GR_WRITE;
31061 + if (fmode & S_IROTH)
31062 + reqmode |= GR_READ;
31065 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
31068 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
31069 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
31070 + reqmode & GR_READ ? " reading" : "",
31071 + reqmode & GR_WRITE ? " writing" : "",
31072 + reqmode & GR_EXEC ? " executing" : "");
31075 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
31077 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
31078 + reqmode & GR_READ ? " reading" : "",
31079 + reqmode & GR_WRITE ? " writing" : "",
31080 + reqmode & GR_EXEC ? " executing" : "");
31082 + } else if (unlikely((mode & reqmode) != reqmode))
31088 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
31092 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
31094 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
31095 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
31097 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
31098 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
31100 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
31103 + return (reqmode);
31107 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
31109 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
31113 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
31115 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
31119 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
31121 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
31125 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
31127 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
31131 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
31134 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
31137 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
31138 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
31139 + GR_FCHMOD_ACL_MSG);
31141 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
31146 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
31149 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
31150 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
31151 + GR_CHMOD_ACL_MSG);
31153 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
31158 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
31160 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
31164 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
31166 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
31170 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
31172 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
31173 + GR_UNIXCONNECT_ACL_MSG);
31176 +/* hardlinks require at minimum create permission,
31177 + any additional privilege required is based on the
31178 + privilege of the file being linked to
31181 +gr_acl_handle_link(const struct dentry * new_dentry,
31182 + const struct dentry * parent_dentry,
31183 + const struct vfsmount * parent_mnt,
31184 + const struct dentry * old_dentry,
31185 + const struct vfsmount * old_mnt, const char *to)
31188 + __u32 needmode = GR_CREATE | GR_LINK;
31189 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
31192 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
31195 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
31196 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
31198 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
31199 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
31201 + } else if (unlikely((mode & needmode) != needmode))
31208 +gr_acl_handle_symlink(const struct dentry * new_dentry,
31209 + const struct dentry * parent_dentry,
31210 + const struct vfsmount * parent_mnt, const char *from)
31212 + __u32 needmode = GR_WRITE | GR_CREATE;
31216 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
31217 + GR_CREATE | GR_AUDIT_CREATE |
31218 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
31220 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
31221 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
31223 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
31224 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
31226 + } else if (unlikely((mode & needmode) != needmode))
31229 + return (GR_WRITE | GR_CREATE);
31232 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
31236 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
31238 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
31239 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
31241 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
31242 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
31244 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
31247 + return (reqmode);
31251 +gr_acl_handle_mknod(const struct dentry * new_dentry,
31252 + const struct dentry * parent_dentry,
31253 + const struct vfsmount * parent_mnt,
31256 + __u32 reqmode = GR_WRITE | GR_CREATE;
31257 + if (unlikely(mode & (S_ISUID | S_ISGID)))
31258 + reqmode |= GR_SETID;
31260 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
31261 + reqmode, GR_MKNOD_ACL_MSG);
31265 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
31266 + const struct dentry *parent_dentry,
31267 + const struct vfsmount *parent_mnt)
31269 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
31270 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
31273 +#define RENAME_CHECK_SUCCESS(old, new) \
31274 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
31275 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
31278 +gr_acl_handle_rename(struct dentry *new_dentry,
31279 + struct dentry *parent_dentry,
31280 + const struct vfsmount *parent_mnt,
31281 + struct dentry *old_dentry,
31282 + struct inode *old_parent_inode,
31283 + struct vfsmount *old_mnt, const char *newname)
31285 + __u32 comp1, comp2;
31288 + if (unlikely(!gr_acl_is_enabled()))
31291 + if (!new_dentry->d_inode) {
31292 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
31293 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
31294 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
31295 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
31296 + GR_DELETE | GR_AUDIT_DELETE |
31297 + GR_AUDIT_READ | GR_AUDIT_WRITE |
31298 + GR_SUPPRESS, old_mnt);
31300 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
31301 + GR_CREATE | GR_DELETE |
31302 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
31303 + GR_AUDIT_READ | GR_AUDIT_WRITE |
31304 + GR_SUPPRESS, parent_mnt);
31306 + gr_search_file(old_dentry,
31307 + GR_READ | GR_WRITE | GR_AUDIT_READ |
31308 + GR_DELETE | GR_AUDIT_DELETE |
31309 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
31312 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
31313 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
31314 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
31315 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
31316 + && !(comp2 & GR_SUPPRESS)) {
31317 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
31319 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
31326 +gr_acl_handle_exit(void)
31330 + struct file *exec_file;
31332 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
31333 + id = current->acl_role_id;
31334 + rolename = current->role->rolename;
31336 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
31339 + write_lock(&grsec_exec_file_lock);
31340 + exec_file = current->exec_file;
31341 + current->exec_file = NULL;
31342 + write_unlock(&grsec_exec_file_lock);
31349 +gr_acl_handle_procpidmem(const struct task_struct *task)
31351 + if (unlikely(!gr_acl_is_enabled()))
31354 + if (task != current && task->acl->mode & GR_PROTPROCFD)
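Review bot: `gr_acl_handle_access` dereferences `dentry->d_inode->i_mode` at 31057 without the `if (unlikely(!dentry->d_inode))` guard that the sibling handlers `gr_acl_handle_hidden_file` (30951), `gr_acl_handle_open` (30976) and `gr_acl_handle_fchmod` (31134) apply before touching the inode; either add the same guard or a comment stating why access() is only reached with a positive dentry here. The `RENAME_CHECK_SUCCESS` macro at 31273 uses its `old` and `new` arguments unparenthesised (`(old & (GR_WRITE | GR_READ))`), which is fine for the plain `comp1`/`comp2` it is invoked with but misparses any compound argument; `(((old) & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ))` costs nothing. `gr_acl_handle_open` and `gr_acl_handle_creat` test `fmode` against both `O_*` flags (`O_APPEND`, `O_DIRECTORY`, `O_CREAT`) and `FMODE_*` flags (`FMODE_READ`, `FMODE_WRITE`, `FMODE_EXEC`) in the same word, which relies on the caller merging the two namespaces and on the bit values not colliding; a comment on the parameter such as `/* fmode carries both the O_* open flags and the FMODE_* bits; the caller merges them */` would save the next reader a trip through the call sites. The tail of `gr_acl_handle_exit` at 31326 and several function closings are not fully visible in the hunk as shown.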
31359 diff -urNp linux-2.6.31/grsecurity/gracl_ip.c linux-2.6.31/grsecurity/gracl_ip.c
31360 --- linux-2.6.31/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
31361 +++ linux-2.6.31/grsecurity/gracl_ip.c 2009-09-06 15:29:12.048915591 -0400
31363 +#include <linux/kernel.h>
31364 +#include <asm/uaccess.h>
31365 +#include <asm/errno.h>
31366 +#include <net/sock.h>
31367 +#include <linux/file.h>
31368 +#include <linux/fs.h>
31369 +#include <linux/net.h>
31370 +#include <linux/in.h>
31371 +#include <linux/skbuff.h>
31372 +#include <linux/ip.h>
31373 +#include <linux/udp.h>
31374 +#include <linux/smp_lock.h>
31375 +#include <linux/types.h>
31376 +#include <linux/sched.h>
31377 +#include <linux/netdevice.h>
31378 +#include <linux/inetdevice.h>
31379 +#include <linux/gracl.h>
31380 +#include <linux/grsecurity.h>
31381 +#include <linux/grinternal.h>
31383 +#define GR_BIND 0x01
31384 +#define GR_CONNECT 0x02
31385 +#define GR_INVERT 0x04
31386 +#define GR_BINDOVERRIDE 0x08
31387 +#define GR_CONNECTOVERRIDE 0x10
31389 +static const char * gr_protocols[256] = {
31390 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
31391 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
31392 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
31393 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
31394 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
31395 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
31396 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
31397 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
31398 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
31399 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
31400 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
31401 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
31402 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
31403 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
31404 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
31405 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
31406 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
31407 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
31408 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
31409 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
31410 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
31411 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
31412 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
31413 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
31414 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
31415 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
31416 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
31417 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
31418 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
31419 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
31420 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
31421 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
31424 +static const char * gr_socktypes[11] = {
31425 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
31426 + "unknown:7", "unknown:8", "unknown:9", "packet"
31430 +gr_proto_to_name(unsigned char proto)
31432 + return gr_protocols[proto];
31436 +gr_socktype_to_name(unsigned char type)
31438 + return gr_socktypes[type];
31442 +gr_search_socket(const int domain, const int type, const int protocol)
31444 + struct acl_subject_label *curr;
31445 + const struct cred *cred = current_cred();
31447 + if (unlikely(!gr_acl_is_enabled()))
31450 + if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
31451 + || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
31452 + goto exit; // let the kernel handle it
31454 + curr = current->acl;
31459 + if ((curr->ip_type & (1 << type)) &&
31460 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
31463 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
31464 + /* we don't place acls on raw sockets , and sometimes
31465 + dgram/ip sockets are opened for ioctl and not
31466 + bind/connect, so we'll fake a bind learn log */
31467 + if (type == SOCK_RAW || type == SOCK_PACKET) {
31468 + __u32 fakeip = 0;
31469 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
31470 + current->role->roletype, cred->uid,
31471 + cred->gid, current->exec_file ?
31472 + gr_to_filename(current->exec_file->f_path.dentry,
31473 + current->exec_file->f_path.mnt) :
31474 + curr->filename, curr->filename,
31475 + NIPQUAD(fakeip), 0, type,
31476 + protocol, GR_CONNECT,
31477 +NIPQUAD(current->signal->curr_ip));
31478 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
31479 + __u32 fakeip = 0;
31480 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
31481 + current->role->roletype, cred->uid,
31482 + cred->gid, current->exec_file ?
31483 + gr_to_filename(current->exec_file->f_path.dentry,
31484 + current->exec_file->f_path.mnt) :
31485 + curr->filename, curr->filename,
31486 + NIPQUAD(fakeip), 0, type,
31487 + protocol, GR_BIND, NIPQUAD(current->signal->curr_ip));
31489 + /* we'll log when they use connect or bind */
31493 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
31494 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
31501 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
31503 + if ((ip->mode & mode) &&
31504 + (ip_port >= ip->low) &&
31505 + (ip_port <= ip->high) &&
31506 + ((ntohl(ip_addr) & our_netmask) ==
31507 + (ntohl(our_addr) & our_netmask))
31508 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
31509 + && (ip->type & (1 << type))) {
31510 + if (ip->mode & GR_INVERT)
31511 + return 2; // specifically denied
31513 + return 1; // allowed
31516 + return 0; // not specifically allowed, may continue parsing
31520 +gr_search_connectbind(const int full_mode, struct sock *sk,
31521 + struct sockaddr_in *addr, const int type)
31523 + char iface[IFNAMSIZ] = {0};
31524 + struct acl_subject_label *curr;
31525 + struct acl_ip_label *ip;
31526 + struct inet_sock *isk;
31527 + struct net_device *dev;
31528 + struct in_device *idev;
31531 + int mode = full_mode & (GR_BIND | GR_CONNECT);
31532 + __u32 ip_addr = 0;
31534 + __u32 our_netmask;
31536 + __u16 ip_port = 0;
31537 + const struct cred *cred = current_cred();
31539 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
31542 + curr = current->acl;
31543 + isk = inet_sk(sk);
31545 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
31546 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
31547 + addr->sin_addr.s_addr = curr->inaddr_any_override;
31548 + if ((full_mode & GR_CONNECT) && isk->saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
31549 + struct sockaddr_in saddr;
31552 + saddr.sin_family = AF_INET;
31553 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
31554 + saddr.sin_port = isk->sport;
31556 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
31560 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
31568 + ip_addr = addr->sin_addr.s_addr;
31569 + ip_port = ntohs(addr->sin_port);
31571 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
31572 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
31573 + current->role->roletype, cred->uid,
31574 + cred->gid, current->exec_file ?
31575 + gr_to_filename(current->exec_file->f_path.dentry,
31576 + current->exec_file->f_path.mnt) :
31577 + curr->filename, curr->filename,
31578 + NIPQUAD(ip_addr), ip_port, type,
31579 + sk->sk_protocol, mode, NIPQUAD(current->signal->curr_ip));
31583 + for (i = 0; i < curr->ip_num; i++) {
31584 + ip = *(curr->ips + i);
31585 + if (ip->iface != NULL) {
31586 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
31587 + p = strchr(iface, ':');
31590 + dev = dev_get_by_name(sock_net(sk), iface);
31593 + idev = in_dev_get(dev);
31594 + if (idev == NULL) {
31600 + if (!strcmp(ip->iface, ifa->ifa_label)) {
31601 + our_addr = ifa->ifa_address;
31602 + our_netmask = 0xffffffff;
31603 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
31605 + rcu_read_unlock();
31606 + in_dev_put(idev);
31609 + } else if (ret == 2) {
31610 + rcu_read_unlock();
31611 + in_dev_put(idev);
31616 + } endfor_ifa(idev);
31617 + rcu_read_unlock();
31618 + in_dev_put(idev);
31621 + our_addr = ip->addr;
31622 + our_netmask = ip->netmask;
31623 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
31626 + else if (ret == 2)
31632 + if (mode == GR_BIND)
31633 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
31634 + else if (mode == GR_CONNECT)
31635 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
31641 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
31643 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
31647 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
31649 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
31652 +int gr_search_listen(struct socket *sock)
31654 + struct sock *sk = sock->sk;
31655 + struct sockaddr_in addr;
31657 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
31658 + addr.sin_port = inet_sk(sk)->sport;
31660 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
31663 +int gr_search_accept(struct socket *sock)
31665 + struct sock *sk = sock->sk;
31666 + struct sockaddr_in addr;
31668 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
31669 + addr.sin_port = inet_sk(sk)->sport;
31671 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
31675 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
31678 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
31680 + struct sockaddr_in sin;
31681 + const struct inet_sock *inet = inet_sk(sk);
31683 + sin.sin_addr.s_addr = inet->daddr;
31684 + sin.sin_port = inet->dport;
31686 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
31691 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
31693 + struct sockaddr_in sin;
31695 + if (unlikely(skb->len < sizeof (struct udphdr)))
31696 + return 0; // skip this packet
31698 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
31699 + sin.sin_port = udp_hdr(skb)->source;
31701 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
31703 diff -urNp linux-2.6.31/grsecurity/gracl_learn.c linux-2.6.31/grsecurity/gracl_learn.c
31704 --- linux-2.6.31/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
31705 +++ linux-2.6.31/grsecurity/gracl_learn.c 2009-09-06 15:29:12.050058383 -0400
31707 +#include <linux/kernel.h>
31708 +#include <linux/mm.h>
31709 +#include <linux/sched.h>
31710 +#include <linux/poll.h>
31711 +#include <linux/smp_lock.h>
31712 +#include <linux/string.h>
31713 +#include <linux/file.h>
31714 +#include <linux/types.h>
31715 +#include <linux/vmalloc.h>
31716 +#include <linux/grinternal.h>
31718 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
31719 + size_t count, loff_t *ppos);
31720 +extern int gr_acl_is_enabled(void);
31722 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
31723 +static int gr_learn_attached;
31725 +/* use a 512k buffer */
31726 +#define LEARN_BUFFER_SIZE (512 * 1024)
31728 +static DEFINE_SPINLOCK(gr_learn_lock);
31729 +static DECLARE_MUTEX(gr_learn_user_sem);
31731 +/* we need to maintain two buffers, so that the kernel context of grlearn
31732 + uses a semaphore around the userspace copying, and the other kernel contexts
31733 + use a spinlock when copying into the buffer, since they cannot sleep
31735 +static char *learn_buffer;
31736 +static char *learn_buffer_user;
31737 +static int learn_buffer_len;
31738 +static int learn_buffer_user_len;
31741 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
31743 + DECLARE_WAITQUEUE(wait, current);
31744 + ssize_t retval = 0;
31746 + add_wait_queue(&learn_wait, &wait);
31747 + set_current_state(TASK_INTERRUPTIBLE);
31749 + down(&gr_learn_user_sem);
31750 + spin_lock(&gr_learn_lock);
31751 + if (learn_buffer_len)
31753 + spin_unlock(&gr_learn_lock);
31754 + up(&gr_learn_user_sem);
31755 + if (file->f_flags & O_NONBLOCK) {
31756 + retval = -EAGAIN;
31759 + if (signal_pending(current)) {
31760 + retval = -ERESTARTSYS;
31767 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
31768 + learn_buffer_user_len = learn_buffer_len;
31769 + retval = learn_buffer_len;
31770 + learn_buffer_len = 0;
31772 + spin_unlock(&gr_learn_lock);
31774 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
31775 + retval = -EFAULT;
31777 + up(&gr_learn_user_sem);
31779 + set_current_state(TASK_RUNNING);
31780 + remove_wait_queue(&learn_wait, &wait);
31784 +static unsigned int
31785 +poll_learn(struct file * file, poll_table * wait)
31787 + poll_wait(file, &learn_wait, wait);
31789 + if (learn_buffer_len)
31790 + return (POLLIN | POLLRDNORM);
31796 +gr_clear_learn_entries(void)
31800 + down(&gr_learn_user_sem);
31801 + if (learn_buffer != NULL) {
31802 + spin_lock(&gr_learn_lock);
31803 + tmp = learn_buffer;
31804 + learn_buffer = NULL;
31805 + spin_unlock(&gr_learn_lock);
31806 + vfree(learn_buffer);
31808 + if (learn_buffer_user != NULL) {
31809 + vfree(learn_buffer_user);
31810 + learn_buffer_user = NULL;
31812 + learn_buffer_len = 0;
31813 + up(&gr_learn_user_sem);
31819 +gr_add_learn_entry(const char *fmt, ...)
31822 + unsigned int len;
31824 + if (!gr_learn_attached)
31827 + spin_lock(&gr_learn_lock);
31829 + /* leave a gap at the end so we know when it's "full" but don't have to
31830 + compute the exact length of the string we're trying to append
31832 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
31833 + spin_unlock(&gr_learn_lock);
31834 + wake_up_interruptible(&learn_wait);
31837 + if (learn_buffer == NULL) {
31838 + spin_unlock(&gr_learn_lock);
31842 + va_start(args, fmt);
31843 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
31846 + learn_buffer_len += len + 1;
31848 + spin_unlock(&gr_learn_lock);
31849 + wake_up_interruptible(&learn_wait);
31855 +open_learn(struct inode *inode, struct file *file)
31857 + if (file->f_mode & FMODE_READ && gr_learn_attached)
31859 + if (file->f_mode & FMODE_READ) {
31861 + down(&gr_learn_user_sem);
31862 + if (learn_buffer == NULL)
31863 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
31864 + if (learn_buffer_user == NULL)
31865 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
31866 + if (learn_buffer == NULL) {
31867 + retval = -ENOMEM;
31870 + if (learn_buffer_user == NULL) {
31871 + retval = -ENOMEM;
31874 + learn_buffer_len = 0;
31875 + learn_buffer_user_len = 0;
31876 + gr_learn_attached = 1;
31878 + up(&gr_learn_user_sem);
31885 +close_learn(struct inode *inode, struct file *file)
31889 + if (file->f_mode & FMODE_READ) {
31890 + down(&gr_learn_user_sem);
31891 + if (learn_buffer != NULL) {
31892 + spin_lock(&gr_learn_lock);
31893 + tmp = learn_buffer;
31894 + learn_buffer = NULL;
31895 + spin_unlock(&gr_learn_lock);
31898 + if (learn_buffer_user != NULL) {
31899 + vfree(learn_buffer_user);
31900 + learn_buffer_user = NULL;
31902 + learn_buffer_len = 0;
31903 + learn_buffer_user_len = 0;
31904 + gr_learn_attached = 0;
31905 + up(&gr_learn_user_sem);
31911 +const struct file_operations grsec_fops = {
31912 + .read = read_learn,
31913 + .write = write_grsec_handler,
31914 + .open = open_learn,
31915 + .release = close_learn,
31916 + .poll = poll_learn,
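Review bot: gr_clear_learn_entries saves the buffer pointer in `tmp` and clears `learn_buffer` under the spinlock, but then calls `vfree(learn_buffer)` (line 31806), which frees NULL and leaks the 512k buffer on every clear; it should be `vfree(tmp);`, matching the same tmp/NULL/unlock sequence in close_learn. Separately, gr_add_learn_entry adds `len + 1` to learn_buffer_len straight from vsnprintf's return value (lines 31843-31846) without comparing it to the space that was actually available, so a single entry larger than the remaining room would leave learn_buffer_len above LEARN_BUFFER_SIZE and make read_learn's `memcpy(learn_buffer_user, learn_buffer, learn_buffer_len)` read past the buffer; the 16k headroom guard makes this hard to reach, but a clamp `if (len >= LEARN_BUFFER_SIZE - learn_buffer_len) len = LEARN_BUFFER_SIZE - learn_buffer_len - 1;` before the increment closes it. The loop and return paths of read_learn and gr_add_learn_entry fall on lines missing from this view (blank and brace-only lines are dropped), so they could not be checked.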
31918 diff -urNp linux-2.6.31/grsecurity/gracl_res.c linux-2.6.31/grsecurity/gracl_res.c
31919 --- linux-2.6.31/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
31920 +++ linux-2.6.31/grsecurity/gracl_res.c 2009-09-06 15:29:12.050058383 -0400
31922 +#include <linux/kernel.h>
31923 +#include <linux/sched.h>
31924 +#include <linux/gracl.h>
31925 +#include <linux/grinternal.h>
31927 +static const char *restab_log[] = {
31928 + [RLIMIT_CPU] = "RLIMIT_CPU",
31929 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
31930 + [RLIMIT_DATA] = "RLIMIT_DATA",
31931 + [RLIMIT_STACK] = "RLIMIT_STACK",
31932 + [RLIMIT_CORE] = "RLIMIT_CORE",
31933 + [RLIMIT_RSS] = "RLIMIT_RSS",
31934 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
31935 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
31936 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
31937 + [RLIMIT_AS] = "RLIMIT_AS",
31938 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
31939 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
31940 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
31941 + [RLIMIT_NICE] = "RLIMIT_NICE",
31942 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
31943 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
31944 + [GR_CRASH_RES] = "RLIMIT_CRASH"
31948 +gr_log_resource(const struct task_struct *task,
31949 + const int res, const unsigned long wanted, const int gt)
31951 + const struct cred *cred = __task_cred(task);
31953 + if (res == RLIMIT_NPROC &&
31954 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
31955 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
31957 + else if (res == RLIMIT_MEMLOCK &&
31958 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
31960 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
31963 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
31966 + // not yet supported resource
31967 + if (!restab_log[res])
31970 + preempt_disable();
31972 + if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
31973 + (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
31974 + task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
31975 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
31976 + preempt_enable_no_resched();
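Review bot: `restab_log[res]` at line 31967 is indexed before `res` is range-checked; the table is sized by its designated initializers (GR_CRASH_RES + 1 entries), so a resource number above that, or a new RLIMIT_* value added without a table entry, reads past the array. Callers presumably validate `res` against RLIM_NLIMITS, but this function is the choke point, so a guard `if (res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res]) return;` keeps the table read in bounds regardless of the caller. The preempt_disable()/preempt_enable_no_resched() pair around a single rlim_cur read (lines 31970-31976) also deserves a comment saying what it is meant to protect, since that is not obvious from the code. The return statements of the capability-exempt branches (lines 31953-31961) are cut from this view.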
31980 diff -urNp linux-2.6.31/grsecurity/gracl_segv.c linux-2.6.31/grsecurity/gracl_segv.c
31981 --- linux-2.6.31/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
31982 +++ linux-2.6.31/grsecurity/gracl_segv.c 2009-09-06 15:29:12.050058383 -0400
31984 +#include <linux/kernel.h>
31985 +#include <linux/mm.h>
31986 +#include <asm/uaccess.h>
31987 +#include <asm/errno.h>
31988 +#include <asm/mman.h>
31989 +#include <net/sock.h>
31990 +#include <linux/file.h>
31991 +#include <linux/fs.h>
31992 +#include <linux/net.h>
31993 +#include <linux/in.h>
31994 +#include <linux/smp_lock.h>
31995 +#include <linux/slab.h>
31996 +#include <linux/types.h>
31997 +#include <linux/sched.h>
31998 +#include <linux/timer.h>
31999 +#include <linux/gracl.h>
32000 +#include <linux/grsecurity.h>
32001 +#include <linux/grinternal.h>
32003 +static struct crash_uid *uid_set;
32004 +static unsigned short uid_used;
32005 +static DEFINE_SPINLOCK(gr_uid_lock);
32006 +extern rwlock_t gr_inode_lock;
32007 +extern struct acl_subject_label *
32008 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
32009 + struct acl_role_label *role);
32010 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
32013 +gr_init_uidset(void)
32016 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
32019 + return uid_set ? 1 : 0;
32023 +gr_free_uidset(void)
32032 +gr_find_uid(const uid_t uid)
32034 + struct crash_uid *tmp = uid_set;
32036 + int low = 0, high = uid_used - 1, mid;
32038 + while (high >= low) {
32039 + mid = (low + high) >> 1;
32040 + buid = tmp[mid].uid;
32052 +static __inline__ void
32053 +gr_insertsort(void)
32055 + unsigned short i, j;
32056 + struct crash_uid index;
32058 + for (i = 1; i < uid_used; i++) {
32059 + index = uid_set[i];
32061 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
32062 + uid_set[j] = uid_set[j - 1];
32065 + uid_set[j] = index;
32071 +static __inline__ void
32072 +gr_insert_uid(const uid_t uid, const unsigned long expires)
32076 + if (uid_used == GR_UIDTABLE_MAX)
32079 + loc = gr_find_uid(uid);
32082 + uid_set[loc].expires = expires;
32086 + uid_set[uid_used].uid = uid;
32087 + uid_set[uid_used].expires = expires;
32096 +gr_remove_uid(const unsigned short loc)
32098 + unsigned short i;
32100 + for (i = loc + 1; i < uid_used; i++)
32101 + uid_set[i - 1] = uid_set[i];
32109 +gr_check_crash_uid(const uid_t uid)
32114 + if (unlikely(!gr_acl_is_enabled()))
32117 + spin_lock(&gr_uid_lock);
32118 + loc = gr_find_uid(uid);
32123 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
32124 + gr_remove_uid(loc);
32129 + spin_unlock(&gr_uid_lock);
32133 +static __inline__ int
32134 +proc_is_setxid(const struct cred *cred)
32136 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
32137 + cred->uid != cred->fsuid)
32139 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
32140 + cred->gid != cred->fsgid)
32145 +static __inline__ int
32146 +gr_fake_force_sig(int sig, struct task_struct *t)
32148 + unsigned long int flags;
32149 + int ret, blocked, ignored;
32150 + struct k_sigaction *action;
32152 + spin_lock_irqsave(&t->sighand->siglock, flags);
32153 + action = &t->sighand->action[sig-1];
32154 + ignored = action->sa.sa_handler == SIG_IGN;
32155 + blocked = sigismember(&t->blocked, sig);
32156 + if (blocked || ignored) {
32157 + action->sa.sa_handler = SIG_DFL;
32159 + sigdelset(&t->blocked, sig);
32160 + recalc_sigpending_and_wake(t);
32163 + if (action->sa.sa_handler == SIG_DFL)
32164 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
32165 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
32167 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
32173 +gr_handle_crash(struct task_struct *task, const int sig)
32175 + struct acl_subject_label *curr;
32176 + struct acl_subject_label *curr2;
32177 + struct task_struct *tsk, *tsk2;
32178 + const struct cred *cred = __task_cred(task);
32179 + const struct cred *cred2;
32181 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
32184 + if (unlikely(!gr_acl_is_enabled()))
32187 + curr = task->acl;
32189 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
32192 + if (time_before_eq(curr->expires, get_seconds())) {
32193 + curr->expires = 0;
32194 + curr->crashes = 0;
32199 + if (!curr->expires)
32200 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
32202 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
32203 + time_after(curr->expires, get_seconds())) {
32204 + if (cred->uid && proc_is_setxid(cred)) {
32205 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
32206 + spin_lock(&gr_uid_lock);
32207 + gr_insert_uid(cred->uid, curr->expires);
32208 + spin_unlock(&gr_uid_lock);
32209 + curr->expires = 0;
32210 + curr->crashes = 0;
32211 + read_lock(&tasklist_lock);
32212 + do_each_thread(tsk2, tsk) {
32213 + cred2 = __task_cred(tsk);
32214 + if (tsk != task && cred2->uid == cred->uid)
32215 + gr_fake_force_sig(SIGKILL, tsk);
32216 + } while_each_thread(tsk2, tsk);
32217 + read_unlock(&tasklist_lock);
32219 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
32220 + read_lock(&tasklist_lock);
32221 + do_each_thread(tsk2, tsk) {
32222 + if (likely(tsk != task)) {
32223 + curr2 = tsk->acl;
32225 + if (curr2->device == curr->device &&
32226 + curr2->inode == curr->inode)
32227 + gr_fake_force_sig(SIGKILL, tsk);
32229 + } while_each_thread(tsk2, tsk);
32230 + read_unlock(&tasklist_lock);
32238 +gr_check_crash_exec(const struct file *filp)
32240 + struct acl_subject_label *curr;
32242 + if (unlikely(!gr_acl_is_enabled()))
32245 + read_lock(&gr_inode_lock);
32246 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
32247 + filp->f_path.dentry->d_inode->i_sb->s_dev,
32249 + read_unlock(&gr_inode_lock);
32251 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
32252 + (!curr->crashes && !curr->expires))
32255 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
32256 + time_after(curr->expires, get_seconds()))
32258 + else if (time_before_eq(curr->expires, get_seconds())) {
32259 + curr->crashes = 0;
32260 + curr->expires = 0;
32267 +gr_handle_alertkill(struct task_struct *task)
32269 + struct acl_subject_label *curracl;
32271 + struct task_struct *p, *p2;
32273 + if (unlikely(!gr_acl_is_enabled()))
32276 + curracl = task->acl;
32277 + curr_ip = task->signal->curr_ip;
32279 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
32280 + read_lock(&tasklist_lock);
32281 + do_each_thread(p2, p) {
32282 + if (p->signal->curr_ip == curr_ip)
32283 + gr_fake_force_sig(SIGKILL, p);
32284 + } while_each_thread(p2, p);
32285 + read_unlock(&tasklist_lock);
32286 + } else if (curracl->mode & GR_KILLPROC)
32287 + gr_fake_force_sig(SIGKILL, task);
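Review bot: gr_handle_crash reads and rewrites `curr->crashes` and `curr->expires` on the shared subject label (lines 32192-32210) with no lock held — gr_uid_lock is only taken around gr_insert_uid — and gr_check_crash_exec resets the same two fields (lines 32259-32260) after it has already dropped gr_inode_lock. Two threads of the same subject faulting at once, or a crash racing an exec, can therefore double-count or lose the reset; the counter update and the threshold comparison would be safer inside one critical section, for instance by widening the existing `spin_lock(&gr_uid_lock)` to cover the `curr->crashes`/`curr->expires` updates in both functions, or by documenting which lock the caller is expected to hold if this is intended. The `curr->crashes` increment itself and several return statements fall on lines missing from this view, so the exact window could not be confirmed. Minor: the allocation at line 32016 would read better as `kcalloc(GR_UIDTABLE_MAX, sizeof(*uid_set), GFP_KERNEL)`, which checks the multiplication and zeroes the table.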
32291 diff -urNp linux-2.6.31/grsecurity/gracl_shm.c linux-2.6.31/grsecurity/gracl_shm.c
32292 --- linux-2.6.31/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
32293 +++ linux-2.6.31/grsecurity/gracl_shm.c 2009-09-06 15:29:12.050058383 -0400
32295 +#include <linux/kernel.h>
32296 +#include <linux/mm.h>
32297 +#include <linux/sched.h>
32298 +#include <linux/file.h>
32299 +#include <linux/ipc.h>
32300 +#include <linux/gracl.h>
32301 +#include <linux/grsecurity.h>
32302 +#include <linux/grinternal.h>
32305 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
32306 + const time_t shm_createtime, const uid_t cuid, const int shmid)
32308 + struct task_struct *task;
32310 + if (!gr_acl_is_enabled())
32313 + read_lock(&tasklist_lock);
32315 + task = find_task_by_vpid(shm_cprid);
32317 + if (unlikely(!task))
32318 + task = find_task_by_vpid(shm_lapid);
32320 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
32321 + (task->pid == shm_lapid)) &&
32322 + (task->acl->mode & GR_PROTSHM) &&
32323 + (task->acl != current->acl))) {
32324 + read_unlock(&tasklist_lock);
32325 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
32328 + read_unlock(&tasklist_lock);
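Review bot: The pid-reuse reasoning in gr_handle_shmat is undocumented: `task` is looked up by the creator pid and only then by the last-attacher pid (lines 32315-32318), and the match on line 32320 is trusted only if the task started no later than the segment was created or it is the last attacher. A comment above line 32315 such as `/* pids may have been recycled since the segment was created: a task found by shm_cprid only counts as the creator if it started no later than the segment, while a match on shm_lapid is accepted as-is */` would save the next reader from re-deriving it. The condition on lines 32322-32323 dereferences `task->acl` without a NULL check; if gr_acl_is_enabled() guarantees every task carries a subject label, a short note saying so would make that easier to audit.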
32332 diff -urNp linux-2.6.31/grsecurity/grsec_chdir.c linux-2.6.31/grsecurity/grsec_chdir.c
32333 --- linux-2.6.31/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
32334 +++ linux-2.6.31/grsecurity/grsec_chdir.c 2009-09-06 15:29:12.050058383 -0400
32336 +#include <linux/kernel.h>
32337 +#include <linux/sched.h>
32338 +#include <linux/fs.h>
32339 +#include <linux/file.h>
32340 +#include <linux/grsecurity.h>
32341 +#include <linux/grinternal.h>
32344 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
32346 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
32347 + if ((grsec_enable_chdir && grsec_enable_group &&
32348 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
32349 + !grsec_enable_group)) {
32350 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
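Review bot: The condition on lines 32347-32349 tests `grsec_enable_chdir` in both arms of the `||`, which hides the simple rule it encodes; `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` is equivalent and reads as "audit chdir, restricted to the audit group when group auditing is on". The same shape likely recurs in the other grsec_*.c audit hooks, so a shared `static inline` predicate in grinternal.h would be worth considering.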
32355 diff -urNp linux-2.6.31/grsecurity/grsec_chroot.c linux-2.6.31/grsecurity/grsec_chroot.c
32356 --- linux-2.6.31/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
32357 +++ linux-2.6.31/grsecurity/grsec_chroot.c 2009-09-06 15:29:12.050906867 -0400
32359 +#include <linux/kernel.h>
32360 +#include <linux/module.h>
32361 +#include <linux/sched.h>
32362 +#include <linux/file.h>
32363 +#include <linux/fs.h>
32364 +#include <linux/mount.h>
32365 +#include <linux/types.h>
32366 +#include <linux/pid_namespace.h>
32367 +#include <linux/grsecurity.h>
32368 +#include <linux/grinternal.h>
32371 +gr_handle_chroot_unix(const pid_t pid)
32373 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
32374 + struct pid *spid = NULL;
32376 + if (unlikely(!grsec_enable_chroot_unix))
32379 + if (likely(!proc_is_chrooted(current)))
32382 + read_lock(&tasklist_lock);
32384 + spid = find_vpid(pid);
32386 + struct task_struct *p;
32387 + p = pid_task(spid, PIDTYPE_PID);
32389 + if (unlikely(!have_same_root(current, p))) {
32391 + read_unlock(&tasklist_lock);
32392 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
32397 + read_unlock(&tasklist_lock);
32403 +gr_handle_chroot_nice(void)
32405 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
32406 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
32407 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
32415 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
32417 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
32418 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
32419 + && proc_is_chrooted(current)) {
32420 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
32428 +gr_handle_chroot_rawio(const struct inode *inode)
32430 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
32431 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
32432 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
32439 +gr_pid_is_chrooted(struct task_struct *p)
32441 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
32442 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
32446 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
32447 + !have_same_root(current, p)) {
32456 +EXPORT_SYMBOL(gr_pid_is_chrooted);
32458 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
32459 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
32461 + struct dentry *dentry = (struct dentry *)u_dentry;
32462 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
32463 + struct dentry *realroot;
32464 + struct vfsmount *realrootmnt;
32465 + struct dentry *currentroot;
32466 + struct vfsmount *currentmnt;
32467 + struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
32470 + read_lock(&reaper->fs->lock);
32471 + realrootmnt = mntget(reaper->fs->root.mnt);
32472 + realroot = dget(reaper->fs->root.dentry);
32473 + read_unlock(&reaper->fs->lock);
32475 + read_lock(¤t->fs->lock);
32476 + currentmnt = mntget(current->fs->root.mnt);
32477 + currentroot = dget(current->fs->root.dentry);
32478 + read_unlock(¤t->fs->lock);
32480 + spin_lock(&dcache_lock);
32482 + if (unlikely((dentry == realroot && mnt == realrootmnt)
32483 + || (dentry == currentroot && mnt == currentmnt)))
32485 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
32486 + if (mnt->mnt_parent == mnt)
32488 + dentry = mnt->mnt_mountpoint;
32489 + mnt = mnt->mnt_parent;
32492 + dentry = dentry->d_parent;
32494 + spin_unlock(&dcache_lock);
32496 + dput(currentroot);
32497 + mntput(currentmnt);
32499 + /* access is outside of chroot */
32500 + if (dentry == realroot && mnt == realrootmnt)
32504 + mntput(realrootmnt);
32510 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
32512 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
32513 + if (!grsec_enable_chroot_fchdir)
32516 + if (!proc_is_chrooted(current))
32518 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
32519 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
32527 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
32528 + const time_t shm_createtime)
32530 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
32531 + struct pid *pid = NULL;
32532 + time_t starttime;
32534 + if (unlikely(!grsec_enable_chroot_shmat))
32537 + if (likely(!proc_is_chrooted(current)))
32540 + read_lock(&tasklist_lock);
32542 + pid = find_vpid(shm_cprid);
32544 + struct task_struct *p;
32545 + p = pid_task(pid, PIDTYPE_PID);
32547 + starttime = p->start_time.tv_sec;
32548 + if (unlikely(!have_same_root(current, p) &&
32549 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
32551 + read_unlock(&tasklist_lock);
32552 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
32557 + pid = find_vpid(shm_lapid);
32559 + struct task_struct *p;
32560 + p = pid_task(pid, PIDTYPE_PID);
32562 + if (unlikely(!have_same_root(current, p))) {
32564 + read_unlock(&tasklist_lock);
32565 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
32572 + read_unlock(&tasklist_lock);
32578 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
32580 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
32581 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
32582 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
32588 +gr_handle_chroot_mknod(const struct dentry *dentry,
32589 + const struct vfsmount *mnt, const int mode)
32591 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
32592 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
32593 + proc_is_chrooted(current)) {
32594 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
32602 +gr_handle_chroot_mount(const struct dentry *dentry,
32603 + const struct vfsmount *mnt, const char *dev_name)
32605 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
32606 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
32607 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
32615 +gr_handle_chroot_pivot(void)
32617 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
32618 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
32619 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
32627 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
32629 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
32630 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
32631 + !gr_is_outside_chroot(dentry, mnt)) {
32632 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
32640 +gr_handle_chroot_caps(struct path *path)
32642 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
32643 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
32644 + ((current->nsproxy->pid_ns->child_reaper->fs->root.dentry->d_inode->i_sb !=
32645 + path->dentry->d_inode->i_sb) ||
32646 + (current->nsproxy->pid_ns->child_reaper->fs->root.dentry->d_inode->i_ino !=
32647 + path->dentry->d_inode->i_ino))) {
32649 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
32650 + const struct cred *old = current_cred();
32651 + struct cred *new = prepare_creds();
32655 + new->cap_permitted = cap_drop(old->cap_permitted,
32657 + new->cap_inheritable = cap_drop(old->cap_inheritable,
32659 + new->cap_effective = cap_drop(old->cap_effective,
32662 + commit_creds(new);
32671 +gr_handle_chroot_sysctl(const int op)
32673 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
32674 + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
32675 + && (op & MAY_WRITE))
32682 +gr_handle_chroot_chdir(struct path *path)
32684 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
32685 + if (grsec_enable_chroot_chdir)
32686 + set_fs_pwd(current->fs, path);
32692 +gr_handle_chroot_chmod(const struct dentry *dentry,
32693 + const struct vfsmount *mnt, const int mode)
32695 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
32696 + if (grsec_enable_chroot_chmod &&
32697 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
32698 + proc_is_chrooted(current)) {
32699 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
32706 +#ifdef CONFIG_SECURITY
32707 +EXPORT_SYMBOL(gr_handle_chroot_caps);
32709 diff -urNp linux-2.6.31/grsecurity/grsec_disabled.c linux-2.6.31/grsecurity/grsec_disabled.c
32710 --- linux-2.6.31/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
32711 +++ linux-2.6.31/grsecurity/grsec_disabled.c 2009-09-06 15:29:12.050906867 -0400
32713 +#include <linux/kernel.h>
32714 +#include <linux/module.h>
32715 +#include <linux/sched.h>
32716 +#include <linux/file.h>
32717 +#include <linux/fs.h>
32718 +#include <linux/kdev_t.h>
32719 +#include <linux/net.h>
32720 +#include <linux/in.h>
32721 +#include <linux/ip.h>
32722 +#include <linux/skbuff.h>
32723 +#include <linux/sysctl.h>
32725 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
32727 +pax_set_initial_flags(struct linux_binprm *bprm)
32733 +#ifdef CONFIG_SYSCTL
32735 +gr_handle_sysctl(const struct ctl_table * table, const int op)
32741 +#ifdef CONFIG_TASKSTATS
32742 +int gr_is_taskstats_denied(int pid)
32749 +gr_acl_is_enabled(void)
32755 +gr_handle_rawio(const struct inode *inode)
32761 +gr_acl_handle_psacct(struct task_struct *task, const long code)
32767 +gr_handle_ptrace(struct task_struct *task, const long request)
32773 +gr_handle_proc_ptrace(struct task_struct *task)
32779 +gr_learn_resource(const struct task_struct *task,
32780 + const int res, const unsigned long wanted, const int gt)
32786 +gr_set_acls(const int type)
32792 +gr_check_hidden_task(const struct task_struct *tsk)
32798 +gr_check_protected_task(const struct task_struct *task)
32804 +gr_copy_label(struct task_struct *tsk)
32810 +gr_set_pax_flags(struct task_struct *task)
32816 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
32817 + const int unsafe_share)
32823 +gr_handle_delete(const ino_t ino, const dev_t dev)
32829 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
32835 +gr_handle_crash(struct task_struct *task, const int sig)
32841 +gr_check_crash_exec(const struct file *filp)
32847 +gr_check_crash_uid(const uid_t uid)
32853 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
32854 + struct dentry *old_dentry,
32855 + struct dentry *new_dentry,
32856 + struct vfsmount *mnt, const __u8 replace)
32862 +gr_search_socket(const int family, const int type, const int protocol)
32868 +gr_search_connectbind(const int mode, const struct socket *sock,
32869 + const struct sockaddr_in *addr)
32875 +gr_is_capable(const int cap)
32881 +gr_is_capable_nolog(const int cap)
32887 +gr_handle_alertkill(struct task_struct *task)
32893 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
32899 +gr_acl_handle_hidden_file(const struct dentry * dentry,
32900 + const struct vfsmount * mnt)
32906 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
32913 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
32919 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
32925 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
32926 + unsigned int *vm_flags)
32932 +gr_acl_handle_truncate(const struct dentry * dentry,
32933 + const struct vfsmount * mnt)
32939 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
32945 +gr_acl_handle_access(const struct dentry * dentry,
32946 + const struct vfsmount * mnt, const int fmode)
32952 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
32959 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
32966 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
32972 +grsecurity_init(void)
32978 +gr_acl_handle_mknod(const struct dentry * new_dentry,
32979 + const struct dentry * parent_dentry,
32980 + const struct vfsmount * parent_mnt,
32987 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
32988 + const struct dentry * parent_dentry,
32989 + const struct vfsmount * parent_mnt)
32995 +gr_acl_handle_symlink(const struct dentry * new_dentry,
32996 + const struct dentry * parent_dentry,
32997 + const struct vfsmount * parent_mnt, const char *from)
33003 +gr_acl_handle_link(const struct dentry * new_dentry,
33004 + const struct dentry * parent_dentry,
33005 + const struct vfsmount * parent_mnt,
33006 + const struct dentry * old_dentry,
33007 + const struct vfsmount * old_mnt, const char *to)
33013 +gr_acl_handle_rename(const struct dentry *new_dentry,
33014 + const struct dentry *parent_dentry,
33015 + const struct vfsmount *parent_mnt,
33016 + const struct dentry *old_dentry,
33017 + const struct inode *old_parent_inode,
33018 + const struct vfsmount *old_mnt, const char *newname)
33024 +gr_acl_handle_filldir(const struct file *file, const char *name,
33025 + const int namelen, const ino_t ino)
33031 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
33032 + const time_t shm_createtime, const uid_t cuid, const int shmid)
33038 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
33044 +gr_search_accept(const struct socket *sock)
33050 +gr_search_listen(const struct socket *sock)
33056 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
33062 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
33068 +gr_acl_handle_creat(const struct dentry * dentry,
33069 + const struct dentry * p_dentry,
33070 + const struct vfsmount * p_mnt, const int fmode,
33077 +gr_acl_handle_exit(void)
33083 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
33089 +gr_set_role_label(const uid_t uid, const gid_t gid)
33095 +gr_acl_handle_procpidmem(const struct task_struct *task)
33101 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
33107 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
33113 +gr_set_kernel_label(struct task_struct *task)
33119 +gr_check_user_change(int real, int effective, int fs)
33125 +gr_check_group_change(int real, int effective, int fs)
33131 +EXPORT_SYMBOL(gr_is_capable);
33132 +EXPORT_SYMBOL(gr_is_capable_nolog);
33133 +EXPORT_SYMBOL(gr_learn_resource);
33134 +EXPORT_SYMBOL(gr_set_kernel_label);
33135 +#ifdef CONFIG_SECURITY
33136 +EXPORT_SYMBOL(gr_check_user_change);
33137 +EXPORT_SYMBOL(gr_check_group_change);
33139 diff -urNp linux-2.6.31/grsecurity/grsec_exec.c linux-2.6.31/grsecurity/grsec_exec.c
33140 --- linux-2.6.31/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
33141 +++ linux-2.6.31/grsecurity/grsec_exec.c 2009-09-06 17:04:35.971517357 -0400
33143 +#include <linux/kernel.h>
33144 +#include <linux/sched.h>
33145 +#include <linux/file.h>
33146 +#include <linux/binfmts.h>
33147 +#include <linux/smp_lock.h>
33148 +#include <linux/fs.h>
33149 +#include <linux/types.h>
33150 +#include <linux/grdefs.h>
33151 +#include <linux/grinternal.h>
33152 +#include <linux/capability.h>
33154 +#include <asm/uaccess.h>
33156 +#ifdef CONFIG_GRKERNSEC_EXECLOG
33157 +static char gr_exec_arg_buf[132];
33158 +static DECLARE_MUTEX(gr_exec_arg_sem);
33162 +gr_handle_nproc(void)
33164 +#ifdef CONFIG_GRKERNSEC_EXECVE
33165 + const struct cred *cred = current_cred();
33166 + if (grsec_enable_execve && cred->user &&
33167 + (atomic_read(&cred->user->processes) >
33168 + current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
33169 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
33170 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
33178 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
33180 +#ifdef CONFIG_GRKERNSEC_EXECLOG
33181 + char *grarg = gr_exec_arg_buf;
33182 + unsigned int i, x, execlen = 0;
33185 + if (!((grsec_enable_execlog && grsec_enable_group &&
33186 + in_group_p(grsec_audit_gid))
33187 + || (grsec_enable_execlog && !grsec_enable_group)))
33190 + down(&gr_exec_arg_sem);
33191 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
33193 + if (unlikely(argv == NULL))
33196 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
33197 + const char __user *p;
33198 + unsigned int len;
33200 + if (copy_from_user(&p, argv + i, sizeof(p)))
33204 + len = strnlen_user(p, 128 - execlen);
33205 + if (len > 128 - execlen)
33206 + len = 128 - execlen;
33207 + else if (len > 0)
33209 + if (copy_from_user(grarg + execlen, p, len))
33212 + /* rewrite unprintable characters */
33213 + for (x = 0; x < len; x++) {
33214 + c = *(grarg + execlen + x);
33215 + if (c < 32 || c > 126)
33216 + *(grarg + execlen + x) = ' ';
33220 + *(grarg + execlen) = ' ';
33221 + *(grarg + execlen + 1) = '\0';
33226 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
33227 + bprm->file->f_path.mnt, grarg);
33228 + up(&gr_exec_arg_sem);
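Review bot: `gr_handle_exec_args` rebuilds the argument list by re-reading `argv` from user memory (L19268, L19273) after the exec path has already copied the arguments into `bprm`, so the audit record comes from a second, unsynchronised read; another thread of the calling process can rewrite the argv strings between the two reads and the log then shows different arguments than the new image actually received. Worth a comment above the loop, e.g. `/* argv is re-read from userspace here: a racing thread can make the logged arguments differ from those passed to the new image; use bprm's copied pages if exact logging is required */`, or preferably taking the strings from the already-copied bprm pages. The bound arithmetic is sound as far as it is visible — `execlen < 128` and `len <= 128 - execlen` keep the later writes at `execlen` and `execlen + 1` inside the 132-byte `gr_exec_arg_buf` — and a comment stating that invariant next to the buffer declaration at L19245 would make the slack of four bytes deliberate rather than accidental. The declaration of `c` used at L19276 and the remainder of the function are not shown on this page.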
33232 diff -urNp linux-2.6.31/grsecurity/grsec_fifo.c linux-2.6.31/grsecurity/grsec_fifo.c
33233 --- linux-2.6.31/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
33234 +++ linux-2.6.31/grsecurity/grsec_fifo.c 2009-09-06 15:29:12.051972439 -0400
33236 +#include <linux/kernel.h>
33237 +#include <linux/sched.h>
33238 +#include <linux/fs.h>
33239 +#include <linux/file.h>
33240 +#include <linux/grinternal.h>
33243 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
33244 + const struct dentry *dir, const int flag, const int acc_mode)
33246 +#ifdef CONFIG_GRKERNSEC_FIFO
33247 + const struct cred *cred = current_cred();
33249 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
33250 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
33251 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
33252 + (cred->fsuid != dentry->d_inode->i_uid)) {
33253 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
33254 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
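Review bot: The sticky-directory test at L19297 uses `S_ISVTX` alone, whereas the sibling `gr_handle_follow_link` in grsec_link.c additionally requires `S_IWOTH` on the parent, so this check fires in any sticky directory rather than only in world-writable ones; if that asymmetry is intentional a comment should say so, otherwise the two predicates should be aligned. The `!generic_permission(...)` form at L19300 is also easy to misread: it logs only when DAC would have granted the open, i.e. exactly when this hook is the reason for the refusal, and a one-line comment such as `/* log only when DAC would have allowed the open, so the denial is attributable to this check */` would prevent it being "fixed" into the opposite sense. The return statements of the function are not visible on this page.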
33260 diff -urNp linux-2.6.31/grsecurity/grsec_fork.c linux-2.6.31/grsecurity/grsec_fork.c
33261 --- linux-2.6.31/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
33262 +++ linux-2.6.31/grsecurity/grsec_fork.c 2009-09-06 15:29:12.051972439 -0400
33264 +#include <linux/kernel.h>
33265 +#include <linux/sched.h>
33266 +#include <linux/grsecurity.h>
33267 +#include <linux/grinternal.h>
33268 +#include <linux/errno.h>
33271 +gr_log_forkfail(const int retval)
33273 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
33274 + if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
33275 + gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
33279 diff -urNp linux-2.6.31/grsecurity/grsec_init.c linux-2.6.31/grsecurity/grsec_init.c
33280 --- linux-2.6.31/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
33281 +++ linux-2.6.31/grsecurity/grsec_init.c 2009-09-06 16:27:13.006282149 -0400
33283 +#include <linux/kernel.h>
33284 +#include <linux/sched.h>
33285 +#include <linux/mm.h>
33286 +#include <linux/smp_lock.h>
33287 +#include <linux/gracl.h>
33288 +#include <linux/slab.h>
33289 +#include <linux/vmalloc.h>
33290 +#include <linux/percpu.h>
33292 +int grsec_enable_link;
33293 +int grsec_enable_dmesg;
33294 +int grsec_enable_harden_ptrace;
33295 +int grsec_enable_fifo;
33296 +int grsec_enable_execve;
33297 +int grsec_enable_execlog;
33298 +int grsec_enable_signal;
33299 +int grsec_enable_forkfail;
33300 +int grsec_enable_time;
33301 +int grsec_enable_audit_textrel;
33302 +int grsec_enable_group;
33303 +int grsec_audit_gid;
33304 +int grsec_enable_chdir;
33305 +int grsec_enable_audit_ipc;
33306 +int grsec_enable_mount;
33307 +int grsec_enable_chroot_findtask;
33308 +int grsec_enable_chroot_mount;
33309 +int grsec_enable_chroot_shmat;
33310 +int grsec_enable_chroot_fchdir;
33311 +int grsec_enable_chroot_double;
33312 +int grsec_enable_chroot_pivot;
33313 +int grsec_enable_chroot_chdir;
33314 +int grsec_enable_chroot_chmod;
33315 +int grsec_enable_chroot_mknod;
33316 +int grsec_enable_chroot_nice;
33317 +int grsec_enable_chroot_execlog;
33318 +int grsec_enable_chroot_caps;
33319 +int grsec_enable_chroot_sysctl;
33320 +int grsec_enable_chroot_unix;
33321 +int grsec_enable_tpe;
33322 +int grsec_tpe_gid;
33323 +int grsec_enable_tpe_all;
33324 +int grsec_enable_socket_all;
33325 +int grsec_socket_all_gid;
33326 +int grsec_enable_socket_client;
33327 +int grsec_socket_client_gid;
33328 +int grsec_enable_socket_server;
33329 +int grsec_socket_server_gid;
33330 +int grsec_resource_logging;
33333 +DEFINE_SPINLOCK(grsec_alert_lock);
33334 +unsigned long grsec_alert_wtime = 0;
33335 +unsigned long grsec_alert_fyet = 0;
33337 +DEFINE_SPINLOCK(grsec_audit_lock);
33339 +DEFINE_RWLOCK(grsec_exec_file_lock);
33341 +char *gr_shared_page[4];
33343 +char *gr_alert_log_fmt;
33344 +char *gr_audit_log_fmt;
33345 +char *gr_alert_log_buf;
33346 +char *gr_audit_log_buf;
33348 +extern struct gr_arg *gr_usermode;
33349 +extern unsigned char *gr_system_salt;
33350 +extern unsigned char *gr_system_sum;
33353 +grsecurity_init(void)
33356 + /* create the per-cpu shared pages */
33359 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
33362 + for (j = 0; j < 4; j++) {
33363 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
33364 + if (gr_shared_page[j] == NULL) {
33365 + panic("Unable to allocate grsecurity shared page");
33370 + /* allocate log buffers */
33371 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
33372 + if (!gr_alert_log_fmt) {
33373 + panic("Unable to allocate grsecurity alert log format buffer");
33376 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
33377 + if (!gr_audit_log_fmt) {
33378 + panic("Unable to allocate grsecurity audit log format buffer");
33381 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
33382 + if (!gr_alert_log_buf) {
33383 + panic("Unable to allocate grsecurity alert log buffer");
33386 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
33387 + if (!gr_audit_log_buf) {
33388 + panic("Unable to allocate grsecurity audit log buffer");
33392 + /* allocate memory for authentication structure */
33393 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
33394 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
33395 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
33397 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
33398 + panic("Unable to allocate grsecurity authentication structure");
33402 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
33403 +#ifndef CONFIG_GRKERNSEC_SYSCTL
33406 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
33407 + grsec_enable_audit_textrel = 1;
33409 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
33410 + grsec_enable_group = 1;
33411 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
33413 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
33414 + grsec_enable_chdir = 1;
33416 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
33417 + grsec_enable_audit_ipc = 1;
33419 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
33420 + grsec_enable_harden_ptrace = 1;
33422 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
33423 + grsec_enable_mount = 1;
33425 +#ifdef CONFIG_GRKERNSEC_LINK
33426 + grsec_enable_link = 1;
33428 +#ifdef CONFIG_GRKERNSEC_DMESG
33429 + grsec_enable_dmesg = 1;
33431 +#ifdef CONFIG_GRKERNSEC_FIFO
33432 + grsec_enable_fifo = 1;
33434 +#ifdef CONFIG_GRKERNSEC_EXECVE
33435 + grsec_enable_execve = 1;
33437 +#ifdef CONFIG_GRKERNSEC_EXECLOG
33438 + grsec_enable_execlog = 1;
33440 +#ifdef CONFIG_GRKERNSEC_SIGNAL
33441 + grsec_enable_signal = 1;
33443 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
33444 + grsec_enable_forkfail = 1;
33446 +#ifdef CONFIG_GRKERNSEC_TIME
33447 + grsec_enable_time = 1;
33449 +#ifdef CONFIG_GRKERNSEC_RESLOG
33450 + grsec_resource_logging = 1;
33452 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
33453 + grsec_enable_chroot_findtask = 1;
33455 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
33456 + grsec_enable_chroot_unix = 1;
33458 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
33459 + grsec_enable_chroot_mount = 1;
33461 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
33462 + grsec_enable_chroot_fchdir = 1;
33464 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
33465 + grsec_enable_chroot_shmat = 1;
33467 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
33468 + grsec_enable_chroot_double = 1;
33470 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
33471 + grsec_enable_chroot_pivot = 1;
33473 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
33474 + grsec_enable_chroot_chdir = 1;
33476 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
33477 + grsec_enable_chroot_chmod = 1;
33479 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
33480 + grsec_enable_chroot_mknod = 1;
33482 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
33483 + grsec_enable_chroot_nice = 1;
33485 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
33486 + grsec_enable_chroot_execlog = 1;
33488 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
33489 + grsec_enable_chroot_caps = 1;
33491 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
33492 + grsec_enable_chroot_sysctl = 1;
33494 +#ifdef CONFIG_GRKERNSEC_TPE
33495 + grsec_enable_tpe = 1;
33496 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
33497 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
33498 + grsec_enable_tpe_all = 1;
33501 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
33502 + grsec_enable_socket_all = 1;
33503 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
33505 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
33506 + grsec_enable_socket_client = 1;
33507 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
33509 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
33510 + grsec_enable_socket_server = 1;
33511 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
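Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36)` at L19379 is an unexplained magic address: it zeroes the BIOS Data Area keyboard buffer (head/tail pointers at 0x41a/0x41c and the 32-byte ring buffer that follows, ending at 0x43e) so that a password typed at a BIOS or bootloader prompt does not survive in low memory after boot, and that intent deserves a comment, e.g. `/* wipe the BIOS keyboard buffer (BDA 0x41a-0x43d) so boot-time passwords do not linger in low memory */`. The write is only meaningful, and only safe, on x86 where low physical memory is identity-mapped at PAGE_OFFSET; the line before it is not shown on this page, so if it is not already wrapped in `#ifdef CONFIG_X86` it should be. The declaration of the loop variable `j` used at L19380 is likewise not visible here.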
33517 diff -urNp linux-2.6.31/grsecurity/grsec_ipc.c linux-2.6.31/grsecurity/grsec_ipc.c
33518 --- linux-2.6.31/grsecurity/grsec_ipc.c 1969-12-31 19:00:00.000000000 -0500
33519 +++ linux-2.6.31/grsecurity/grsec_ipc.c 2009-09-06 15:29:12.076307660 -0400
33521 +#include <linux/kernel.h>
33522 +#include <linux/sched.h>
33523 +#include <linux/types.h>
33524 +#include <linux/ipc.h>
33525 +#include <linux/grsecurity.h>
33526 +#include <linux/grinternal.h>
33529 +gr_log_msgget(const int ret, const int msgflg)
33531 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
33532 + if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
33533 + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
33534 + !grsec_enable_group)) && (ret >= 0)
33535 + && (msgflg & IPC_CREAT))
33536 + gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
33542 +gr_log_msgrm(const uid_t uid, const uid_t cuid)
33544 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
33545 + if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
33546 + grsec_enable_audit_ipc) ||
33547 + (grsec_enable_audit_ipc && !grsec_enable_group))
33548 + gr_log_int_int(GR_DO_AUDIT, GR_MSGQR_AUDIT_MSG, uid, cuid);
33554 +gr_log_semget(const int err, const int semflg)
33556 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
33557 + if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
33558 + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
33559 + !grsec_enable_group)) && (err >= 0)
33560 + && (semflg & IPC_CREAT))
33561 + gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
33567 +gr_log_semrm(const uid_t uid, const uid_t cuid)
33569 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
33570 + if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
33571 + grsec_enable_audit_ipc) ||
33572 + (grsec_enable_audit_ipc && !grsec_enable_group))
33573 + gr_log_int_int(GR_DO_AUDIT, GR_SEMR_AUDIT_MSG, uid, cuid);
33579 +gr_log_shmget(const int err, const int shmflg, const size_t size)
33581 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
33582 + if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
33583 + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
33584 + !grsec_enable_group)) && (err >= 0)
33585 + && (shmflg & IPC_CREAT))
33586 + gr_log_int(GR_DO_AUDIT, GR_SHM_AUDIT_MSG, size);
33592 +gr_log_shmrm(const uid_t uid, const uid_t cuid)
33594 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
33595 + if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
33596 + grsec_enable_audit_ipc) ||
33597 + (grsec_enable_audit_ipc && !grsec_enable_group))
33598 + gr_log_int_int(GR_DO_AUDIT, GR_SHMR_AUDIT_MSG, uid, cuid);
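Review bot: All six logging hooks in this file repeat the same audit-enable predicate (L19489–L19491, L19496–L19498, L19502–L19504, L19509–L19511, L19515–L19517, L19522–L19524), which makes a future change to the group-gating rule easy to apply inconsistently; a single static helper expressing the simplified condition `grsec_enable_audit_ipc && (!grsec_enable_group || in_group_p(grsec_audit_gid))` would replace each copy with one call. The rewrite is logically identical to the original disjunction, so no behaviour changes. Separately, `gr_log_shmget` passes a `size_t` through `gr_log_int` at L19519; its prototype is not visible here, so if it takes an `int` the size is truncated on 64-bit builds and the logged value can be wrong for large segments.
```c
/* audit IPC events when enabled and, if group-gated, when the caller is in the audit group */
static inline int gr_ipc_audit_enabled(void)
{
	return grsec_enable_audit_ipc &&
	       (!grsec_enable_group || in_group_p(grsec_audit_gid));
}

void
gr_log_msgget(const int ret, const int msgflg)
{
#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
	if (gr_ipc_audit_enabled() && (ret >= 0) && (msgflg & IPC_CREAT))
		gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
#endif
	/* … unchanged: return … */
}
/* … unchanged: the other five hooks, each using gr_ipc_audit_enabled() … */
```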
33602 diff -urNp linux-2.6.31/grsecurity/grsec_link.c linux-2.6.31/grsecurity/grsec_link.c
33603 --- linux-2.6.31/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
33604 +++ linux-2.6.31/grsecurity/grsec_link.c 2009-09-06 15:29:12.076307660 -0400
33606 +#include <linux/kernel.h>
33607 +#include <linux/sched.h>
33608 +#include <linux/fs.h>
33609 +#include <linux/file.h>
33610 +#include <linux/grinternal.h>
33613 +gr_handle_follow_link(const struct inode *parent,
33614 + const struct inode *inode,
33615 + const struct dentry *dentry, const struct vfsmount *mnt)
33617 +#ifdef CONFIG_GRKERNSEC_LINK
33618 + const struct cred *cred = current_cred();
33620 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
33621 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
33622 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
33623 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
33631 +gr_handle_hardlink(const struct dentry *dentry,
33632 + const struct vfsmount *mnt,
33633 + struct inode *inode, const int mode, const char *to)
33635 +#ifdef CONFIG_GRKERNSEC_LINK
33636 + const struct cred *cred = current_cred();
33638 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
33639 + (!S_ISREG(mode) || (mode & S_ISUID) ||
33640 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
33641 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
33642 + !capable(CAP_FOWNER) && cred->uid) {
33643 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
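Review bot: `gr_handle_hardlink` mixes two identities in one decision: ownership is compared against `cred->fsuid` at L19548, but the final exemption at L19552 tests `cred->uid` (the real uid), so a process with real uid 0 that has dropped to an unprivileged fsuid is still exempt from the check while being treated as a non-owner in the same expression. If the intent is "unprivileged callers only", `cred->fsuid` (or dropping the uid test entirely in favour of the `capable(CAP_FOWNER)` check already present) would be consistent with the ownership comparison; if the real-uid exemption is deliberate, a comment such as `/* real uid 0 is exempt even when fsuid has been switched — intentional */` should say so. The `generic_permission(inode, MAY_READ | MAY_WRITE, NULL)` term is also worth a note that a non-zero return means "no read+write access", since the same call is used in the opposite sense in grsec_fifo.c. The return statements of both functions are not visible on this page.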
33649 diff -urNp linux-2.6.31/grsecurity/grsec_log.c linux-2.6.31/grsecurity/grsec_log.c
33650 --- linux-2.6.31/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
33651 +++ linux-2.6.31/grsecurity/grsec_log.c 2009-09-06 15:29:12.076942978 -0400
33653 +#include <linux/kernel.h>
33654 +#include <linux/sched.h>
33655 +#include <linux/file.h>
33656 +#include <linux/tty.h>
33657 +#include <linux/fs.h>
33658 +#include <linux/grinternal.h>
33660 +#define BEGIN_LOCKS(x) \
33661 + read_lock(&tasklist_lock); \
33662 + read_lock(&grsec_exec_file_lock); \
33663 + if (x != GR_DO_AUDIT) \
33664 + spin_lock(&grsec_alert_lock); \
33666 + spin_lock(&grsec_audit_lock)
33668 +#define END_LOCKS(x) \
33669 + if (x != GR_DO_AUDIT) \
33670 + spin_unlock(&grsec_alert_lock); \
33672 + spin_unlock(&grsec_audit_lock); \
33673 + read_unlock(&grsec_exec_file_lock); \
33674 + read_unlock(&tasklist_lock); \
33675 + if (x == GR_DONT_AUDIT) \
33676 + gr_handle_alertkill(current)
33683 +extern char *gr_alert_log_fmt;
33684 +extern char *gr_audit_log_fmt;
33685 +extern char *gr_alert_log_buf;
33686 +extern char *gr_audit_log_buf;
33688 +static int gr_log_start(int audit)
33690 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
33691 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
33692 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
33694 + if (audit == GR_DO_AUDIT)
33697 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
33698 + grsec_alert_wtime = jiffies;
33699 + grsec_alert_fyet = 0;
33700 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
33701 + grsec_alert_fyet++;
33702 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
33703 + grsec_alert_wtime = jiffies;
33704 + grsec_alert_fyet++;
33705 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
33707 + } else return FLOODING;
33710 + memset(buf, 0, PAGE_SIZE);
33711 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
33712 + sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: (%.64s:%c:%.950s) ");
33713 + snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip), current->role->rolename, gr_roletype_to_char(), current->acl->filename);
33714 + } else if (current->signal->curr_ip) {
33715 + sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: ");
33716 + snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip));
33717 + } else if (gr_acl_is_enabled()) {
33718 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
33719 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
33721 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
33722 + strcpy(buf, fmt);
33725 + return NO_FLOODING;
33728 +static void gr_log_middle(int audit, const char *msg, va_list ap)
33729 + __attribute__ ((format (printf, 2, 0)));
33731 +static void gr_log_middle(int audit, const char *msg, va_list ap)
33733 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
33734 + unsigned int len = strlen(buf);
33736 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
33741 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
33742 + __attribute__ ((format (printf, 2, 3)));
33744 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
33746 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
33747 + unsigned int len = strlen(buf);
33750 + va_start(ap, msg);
33751 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
33757 +static void gr_log_end(int audit)
33759 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
33760 + unsigned int len = strlen(buf);
33762 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->parent)));
33763 + printk("%s\n", buf);
33768 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
33771 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
33772 + char *str1, *str2, *str3;
33774 + unsigned long ulong1, ulong2;
33775 + struct dentry *dentry;
33776 + struct vfsmount *mnt;
33777 + struct file *file;
33778 + struct task_struct *task;
33779 + const struct cred *cred, *pcred;
33782 + BEGIN_LOCKS(audit);
33783 + logtype = gr_log_start(audit);
33784 + if (logtype == FLOODING) {
33785 + END_LOCKS(audit);
33788 + va_start(ap, argtypes);
33789 + switch (argtypes) {
33790 + case GR_TTYSNIFF:
33791 + task = va_arg(ap, struct task_struct *);
33792 + gr_log_middle_varargs(audit, msg, NIPQUAD(task->signal->curr_ip), gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
33794 + case GR_SYSCTL_HIDDEN:
33795 + str1 = va_arg(ap, char *);
33796 + gr_log_middle_varargs(audit, msg, result, str1);
33799 + dentry = va_arg(ap, struct dentry *);
33800 + mnt = va_arg(ap, struct vfsmount *);
33801 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
33803 + case GR_RBAC_STR:
33804 + dentry = va_arg(ap, struct dentry *);
33805 + mnt = va_arg(ap, struct vfsmount *);
33806 + str1 = va_arg(ap, char *);
33807 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
33809 + case GR_STR_RBAC:
33810 + str1 = va_arg(ap, char *);
33811 + dentry = va_arg(ap, struct dentry *);
33812 + mnt = va_arg(ap, struct vfsmount *);
33813 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
33815 + case GR_RBAC_MODE2:
33816 + dentry = va_arg(ap, struct dentry *);
33817 + mnt = va_arg(ap, struct vfsmount *);
33818 + str1 = va_arg(ap, char *);
33819 + str2 = va_arg(ap, char *);
33820 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
33822 + case GR_RBAC_MODE3:
33823 + dentry = va_arg(ap, struct dentry *);
33824 + mnt = va_arg(ap, struct vfsmount *);
33825 + str1 = va_arg(ap, char *);
33826 + str2 = va_arg(ap, char *);
33827 + str3 = va_arg(ap, char *);
33828 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
33830 + case GR_FILENAME:
33831 + dentry = va_arg(ap, struct dentry *);
33832 + mnt = va_arg(ap, struct vfsmount *);
33833 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
33835 + case GR_STR_FILENAME:
33836 + str1 = va_arg(ap, char *);
33837 + dentry = va_arg(ap, struct dentry *);
33838 + mnt = va_arg(ap, struct vfsmount *);
33839 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
33841 + case GR_FILENAME_STR:
33842 + dentry = va_arg(ap, struct dentry *);
33843 + mnt = va_arg(ap, struct vfsmount *);
33844 + str1 = va_arg(ap, char *);
33845 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
33847 + case GR_FILENAME_TWO_INT:
33848 + dentry = va_arg(ap, struct dentry *);
33849 + mnt = va_arg(ap, struct vfsmount *);
33850 + num1 = va_arg(ap, int);
33851 + num2 = va_arg(ap, int);
33852 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
33854 + case GR_FILENAME_TWO_INT_STR:
33855 + dentry = va_arg(ap, struct dentry *);
33856 + mnt = va_arg(ap, struct vfsmount *);
33857 + num1 = va_arg(ap, int);
33858 + num2 = va_arg(ap, int);
33859 + str1 = va_arg(ap, char *);
33860 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
33863 + file = va_arg(ap, struct file *);
33864 + ulong1 = va_arg(ap, unsigned long);
33865 + ulong2 = va_arg(ap, unsigned long);
33866 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
33869 + task = va_arg(ap, struct task_struct *);
33870 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
33872 + case GR_RESOURCE:
33873 + task = va_arg(ap, struct task_struct *);
33874 + cred = __task_cred(task);
33875 + pcred = __task_cred(task->parent);
33876 + ulong1 = va_arg(ap, unsigned long);
33877 + str1 = va_arg(ap, char *);
33878 + ulong2 = va_arg(ap, unsigned long);
33879 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
33882 + task = va_arg(ap, struct task_struct *);
33883 + cred = __task_cred(task);
33884 + pcred = __task_cred(task->parent);
33885 + str1 = va_arg(ap, char *);
33886 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
33889 + task = va_arg(ap, struct task_struct *);
33890 + cred = __task_cred(task);
33891 + pcred = __task_cred(task->parent);
33892 + num1 = va_arg(ap, int);
33893 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
33896 + task = va_arg(ap, struct task_struct *);
33897 + cred = __task_cred(task);
33898 + pcred = __task_cred(task->parent);
33899 + ulong1 = va_arg(ap, unsigned long);
33900 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
33903 + task = va_arg(ap, struct task_struct *);
33904 + cred = __task_cred(task);
33905 + pcred = __task_cred(task->parent);
33906 + ulong1 = va_arg(ap, unsigned long);
33907 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
33911 + unsigned int wday, cday;
33915 + char cur_tty[64] = { 0 };
33916 + char parent_tty[64] = { 0 };
33918 + task = va_arg(ap, struct task_struct *);
33919 + wday = va_arg(ap, unsigned int);
33920 + cday = va_arg(ap, unsigned int);
33921 + whr = va_arg(ap, int);
33922 + chr = va_arg(ap, int);
33923 + wmin = va_arg(ap, int);
33924 + cmin = va_arg(ap, int);
33925 + wsec = va_arg(ap, int);
33926 + csec = va_arg(ap, int);
33927 + ulong1 = va_arg(ap, unsigned long);
33928 + cred = __task_cred(task);
33929 + pcred = __task_cred(task->parent);
33931 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, NIPQUAD(task->signal->curr_ip), tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, NIPQUAD(task->parent->signal->curr_ip), tty_name(task->parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
33935 + gr_log_middle(audit, msg, ap);
33938 + gr_log_end(audit);
33939 + END_LOCKS(audit);
33941 diff -urNp linux-2.6.31/grsecurity/grsec_mem.c linux-2.6.31/grsecurity/grsec_mem.c
33942 --- linux-2.6.31/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
33943 +++ linux-2.6.31/grsecurity/grsec_mem.c 2009-09-06 15:29:12.076942978 -0400
33945 +#include <linux/kernel.h>
33946 +#include <linux/sched.h>
33947 +#include <linux/mm.h>
33948 +#include <linux/mman.h>
33949 +#include <linux/grinternal.h>
33952 +gr_handle_ioperm(void)
33954 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
33959 +gr_handle_iopl(void)
33961 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
33966 +gr_handle_mem_write(void)
33968 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
33973 +gr_handle_kmem_write(void)
33975 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
33980 +gr_handle_open_port(void)
33982 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
33987 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
33989 + unsigned long start, end;
33992 + end = start + vma->vm_end - vma->vm_start;
33994 + if (start > end) {
33995 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
33999 + /* allowed ranges : ISA I/O BIOS */
34000 + if ((start >= __pa(high_memory))
34002 + || (start >= 0x000a0000 && end <= 0x00100000)
34003 + || (start >= 0x00000000 && end <= 0x00001000)
34008 + if (vma->vm_flags & VM_WRITE) {
34009 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
34012 + vma->vm_flags &= ~VM_MAYWRITE;
34018 +gr_log_nonroot_mod_load(const char *modname)
34020 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
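Review bot: The first arm of the range test in gr_handle_mem_mmap, `start >= __pa(high_memory)`, accepts any mapping that begins above the end of the kernel's direct-mapped region, and the shape of the function suggests such mappings skip the VM_WRITE denial that follows (the lines between the test and that branch are not shown here). high_memory marks the end of the direct map, not the end of RAM, so on CONFIG_HIGHMEM kernels physical RAM above it would be treated as device space; if the goal is to keep /dev/mem writes off all RAM this arm should compare against the top of physical memory rather than high_memory — worth confirming against the callers, which are not in this hunk. The ranges are bare hex constants; a comment such as `/* 0xa0000-0x100000: legacy ISA/VGA/BIOS area; page 0: real-mode vectors and BIOS data; above high_memory: assumed MMIO, not RAM */` would record the intent the existing one-line comment only hints at. Clearing VM_MAYWRITE on the caller's vma is also a side effect the name gr_handle_mem_mmap does not suggest; `/* read-only for good: a later mprotect(PROT_WRITE) must fail too */` at that assignment helps.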
34024 diff -urNp linux-2.6.31/grsecurity/grsec_mount.c linux-2.6.31/grsecurity/grsec_mount.c
34025 --- linux-2.6.31/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
34026 +++ linux-2.6.31/grsecurity/grsec_mount.c 2009-09-06 15:29:12.076942978 -0400
34028 +#include <linux/kernel.h>
34029 +#include <linux/sched.h>
34030 +#include <linux/grsecurity.h>
34031 +#include <linux/grinternal.h>
34034 +gr_log_remount(const char *devname, const int retval)
34036 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
34037 + if (grsec_enable_mount && (retval >= 0))
34038 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
34044 +gr_log_unmount(const char *devname, const int retval)
34046 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
34047 + if (grsec_enable_mount && (retval >= 0))
34048 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
34054 +gr_log_mount(const char *from, const char *to, const int retval)
34056 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
34057 + if (grsec_enable_mount && (retval >= 0))
34058 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
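Review bot: gr_log_mount passes `from` and `to` straight to gr_log_str_str, while the sibling gr_log_remount and gr_log_unmount in the same file substitute "none" for a NULL devname. Whether the mount path can hand a NULL `from` depends on the caller, which is not in this hunk, but the three helpers should at least be consistent; `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to ? to : "none");` keeps the logger from ever formatting a NULL pointer with %s. The audit line is emitted only when `retval >= 0`; a brief comment (`/* successful mounts only; failed attempts are not audited here */`) would make that deliberate choice visible.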
34062 diff -urNp linux-2.6.31/grsecurity/grsec_sig.c linux-2.6.31/grsecurity/grsec_sig.c
34063 --- linux-2.6.31/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
34064 +++ linux-2.6.31/grsecurity/grsec_sig.c 2009-09-06 15:29:12.076942978 -0400
34066 +#include <linux/kernel.h>
34067 +#include <linux/sched.h>
34068 +#include <linux/delay.h>
34069 +#include <linux/grsecurity.h>
34070 +#include <linux/grinternal.h>
34073 +gr_log_signal(const int sig, const struct task_struct *t)
34075 +#ifdef CONFIG_GRKERNSEC_SIGNAL
34076 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
34077 + (sig == SIGABRT) || (sig == SIGBUS))) {
34078 + if (t->pid == current->pid) {
34079 + gr_log_int(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, sig);
34081 + gr_log_sig(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
34089 +gr_handle_signal(const struct task_struct *p, const int sig)
34091 +#ifdef CONFIG_GRKERNSEC
34092 + if (current->pid > 1 && gr_check_protected_task(p)) {
34093 + gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
34095 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
34102 +void gr_handle_brute_attach(struct task_struct *p)
34104 +#ifdef CONFIG_GRKERNSEC_BRUTE
34105 + read_lock(&tasklist_lock);
34106 + read_lock(&grsec_exec_file_lock);
34107 + if (p->parent && p->parent->exec_file == p->exec_file)
34108 + p->parent->brute = 1;
34109 + read_unlock(&grsec_exec_file_lock);
34110 + read_unlock(&tasklist_lock);
34115 +void gr_handle_brute_check(void)
34117 +#ifdef CONFIG_GRKERNSEC_BRUTE
34118 + if (current->brute)
34119 + msleep(30 * 1000);
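Review bot: Nothing in this hunk ever clears the `brute` flag that gr_handle_brute_attach sets on the parent, so once one child of a forking service faults, every later gr_handle_brute_check in that parent sleeps 30 s for the rest of its life; if the flag is reset elsewhere (the call sites are not in view) that should be said here. That is presumably the intended deterrent, but it is also a denial-of-service handle — a remote peer who can make a single child of a network daemon crash throttles all subsequent forks of the parent — and it deserves a comment at the `msleep` stating the trade-off and where, if anywhere, the flag is cleared. A smaller point: gr_handle_signal takes `const struct task_struct *p` and then casts the const away for gr_pid_is_chrooted; either drop the const from the parameter or make gr_pid_is_chrooted accept a const pointer, since a cast that discards qualifiers usually hides an interface mismatch rather than fixing one.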
34124 diff -urNp linux-2.6.31/grsecurity/grsec_sock.c linux-2.6.31/grsecurity/grsec_sock.c
34125 --- linux-2.6.31/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
34126 +++ linux-2.6.31/grsecurity/grsec_sock.c 2009-09-06 15:29:12.076942978 -0400
34128 +#include <linux/kernel.h>
34129 +#include <linux/module.h>
34130 +#include <linux/sched.h>
34131 +#include <linux/file.h>
34132 +#include <linux/net.h>
34133 +#include <linux/in.h>
34134 +#include <linux/ip.h>
34135 +#include <net/sock.h>
34136 +#include <net/inet_sock.h>
34137 +#include <linux/grsecurity.h>
34138 +#include <linux/grinternal.h>
34139 +#include <linux/gracl.h>
34141 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
34142 +EXPORT_SYMBOL(gr_cap_rtnetlink);
34144 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
34145 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
34147 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
34148 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
34150 +#ifdef CONFIG_UNIX_MODULE
34151 +EXPORT_SYMBOL(gr_acl_handle_unix);
34152 +EXPORT_SYMBOL(gr_acl_handle_mknod);
34153 +EXPORT_SYMBOL(gr_handle_chroot_unix);
34154 +EXPORT_SYMBOL(gr_handle_create);
34157 +#ifdef CONFIG_GRKERNSEC
34158 +#define gr_conn_table_size 32749
34159 +struct conn_table_entry {
34160 + struct conn_table_entry *next;
34161 + struct signal_struct *sig;
34164 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
34165 +DEFINE_SPINLOCK(gr_conn_table_lock);
34167 +extern const char * gr_socktype_to_name(unsigned char type);
34168 +extern const char * gr_proto_to_name(unsigned char proto);
34170 +static __inline__ int
34171 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
34173 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
34176 +static __inline__ int
34177 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
34178 + __u16 sport, __u16 dport)
34180 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
34181 + sig->gr_sport == sport && sig->gr_dport == dport))
34187 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
34189 + struct conn_table_entry **match;
34190 + unsigned int index;
34192 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
34193 + sig->gr_sport, sig->gr_dport,
34194 + gr_conn_table_size);
34196 + newent->sig = sig;
34198 + match = &gr_conn_table[index];
34199 + newent->next = *match;
34205 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
34207 + struct conn_table_entry *match, *last = NULL;
34208 + unsigned int index;
34210 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
34211 + sig->gr_sport, sig->gr_dport,
34212 + gr_conn_table_size);
34214 + match = gr_conn_table[index];
34215 + while (match && !conn_match(match->sig,
34216 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
34217 + sig->gr_dport)) {
34219 + match = match->next;
34224 + last->next = match->next;
34226 + gr_conn_table[index] = NULL;
34233 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
34234 + __u16 sport, __u16 dport)
34236 + struct conn_table_entry *match;
34237 + unsigned int index;
34239 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
34241 + match = gr_conn_table[index];
34242 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
34243 + match = match->next;
34246 + return match->sig;
34253 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
34255 +#ifdef CONFIG_GRKERNSEC
34256 + struct signal_struct *sig = task->signal;
34257 + struct conn_table_entry *newent;
34259 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
34260 + if (newent == NULL)
34262 + /* no bh lock needed since we are called with bh disabled */
34263 + spin_lock(&gr_conn_table_lock);
34264 + gr_del_task_from_ip_table_nolock(sig);
34265 + sig->gr_saddr = inet->rcv_saddr;
34266 + sig->gr_daddr = inet->daddr;
34267 + sig->gr_sport = inet->sport;
34268 + sig->gr_dport = inet->dport;
34269 + gr_add_to_task_ip_table_nolock(sig, newent);
34270 + spin_unlock(&gr_conn_table_lock);
34275 +void gr_del_task_from_ip_table(struct task_struct *task)
34277 +#ifdef CONFIG_GRKERNSEC
34278 + spin_lock_bh(&gr_conn_table_lock);
34279 + gr_del_task_from_ip_table_nolock(task->signal);
34280 + spin_unlock_bh(&gr_conn_table_lock);
34286 +gr_attach_curr_ip(const struct sock *sk)
34288 +#ifdef CONFIG_GRKERNSEC
34289 + struct signal_struct *p, *set;
34290 + const struct inet_sock *inet = inet_sk(sk);
34292 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
34295 + set = current->signal;
34297 + spin_lock_bh(&gr_conn_table_lock);
34298 + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
34299 + inet->dport, inet->sport);
34300 + if (unlikely(p != NULL)) {
34301 + set->curr_ip = p->curr_ip;
34302 + set->used_accept = 1;
34303 + gr_del_task_from_ip_table_nolock(p);
34304 + spin_unlock_bh(&gr_conn_table_lock);
34307 + spin_unlock_bh(&gr_conn_table_lock);
34309 + set->curr_ip = inet->daddr;
34310 + set->used_accept = 1;
34316 +gr_handle_sock_all(const int family, const int type, const int protocol)
34318 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
34319 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
34320 + (family != AF_UNIX) && (family != AF_LOCAL)) {
34321 + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
34329 +gr_handle_sock_server(const struct sockaddr *sck)
34331 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
34332 + if (grsec_enable_socket_server &&
34333 + in_group_p(grsec_socket_server_gid) &&
34334 + sck && (sck->sa_family != AF_UNIX) &&
34335 + (sck->sa_family != AF_LOCAL)) {
34336 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
34344 +gr_handle_sock_server_other(const struct sock *sck)
34346 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
34347 + if (grsec_enable_socket_server &&
34348 + in_group_p(grsec_socket_server_gid) &&
34349 + sck && (sck->sk_family != AF_UNIX) &&
34350 + (sck->sk_family != AF_LOCAL)) {
34351 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
34359 +gr_handle_sock_client(const struct sockaddr *sck)
34361 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
34362 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
34363 + sck && (sck->sa_family != AF_UNIX) &&
34364 + (sck->sa_family != AF_LOCAL)) {
34365 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
34373 +gr_cap_rtnetlink(struct sock *sock)
34375 +#ifdef CONFIG_GRKERNSEC
34376 + if (!gr_acl_is_enabled())
34377 + return current_cap();
34378 + else if (sock->sk_protocol == NETLINK_ISCSI &&
34379 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
34380 + gr_is_capable(CAP_SYS_ADMIN))
34381 + return current_cap();
34382 + else if (sock->sk_protocol == NETLINK_AUDIT &&
34383 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
34384 + gr_is_capable(CAP_AUDIT_WRITE) &&
34385 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
34386 + gr_is_capable(CAP_AUDIT_CONTROL))
34387 + return current_cap();
34388 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
34389 + gr_is_capable(CAP_NET_ADMIN))
34390 + return current_cap();
34392 + return __cap_empty_set;
34394 + return current_cap();
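Review bot: gr_del_task_from_ip_table_nolock drops the whole hash chain when the matching entry is the first in its bucket: the `last == NULL` branch does `gr_conn_table[index] = NULL;` instead of unlinking just that entry, so every other conn_table_entry chained behind it becomes unreachable (a kmalloc leak) and the tasks they describe can no longer be found by gr_lookup_task_ip_table, which silently degrades gr_attach_curr_ip to its fallback `set->curr_ip = inet->daddr`. The fix is one line: `gr_conn_table[index] = match->next;`. With 32749 buckets collisions are rare, which is probably why this has gone unnoticed, but the hash `(daddr + saddr + (sport << 8) + (dport << 16)) % size` is computed from peer-chosen addresses and ports, so collisions could be provoked deliberately. Separately, entries hold raw `struct signal_struct *` pointers that conn_match dereferences; that is only safe if every owner is removed via gr_del_task_from_ip_table before its signal_struct is freed, which the hunk cannot show — a comment on `struct conn_table_entry` stating that lifetime contract would help.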
34397 diff -urNp linux-2.6.31/grsecurity/grsec_sysctl.c linux-2.6.31/grsecurity/grsec_sysctl.c
34398 --- linux-2.6.31/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
34399 +++ linux-2.6.31/grsecurity/grsec_sysctl.c 2009-09-06 16:29:02.371934268 -0400
34401 +#include <linux/kernel.h>
34402 +#include <linux/sched.h>
34403 +#include <linux/sysctl.h>
34404 +#include <linux/grsecurity.h>
34405 +#include <linux/grinternal.h>
34408 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
34410 +#ifdef CONFIG_GRKERNSEC_SYSCTL
34411 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
34412 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
34419 +#if defined(CONFIG_GRKERNSEC_SYSCTL)
34420 +ctl_table grsecurity_table[] = {
34421 +#ifdef CONFIG_GRKERNSEC_SYSCTL
34422 +#ifdef CONFIG_GRKERNSEC_LINK
34424 + .ctl_name = CTL_UNNUMBERED,
34425 + .procname = "linking_restrictions",
34426 + .data = &grsec_enable_link,
34427 + .maxlen = sizeof(int),
34429 + .proc_handler = &proc_dointvec,
34432 +#ifdef CONFIG_GRKERNSEC_FIFO
34434 + .ctl_name = CTL_UNNUMBERED,
34435 + .procname = "fifo_restrictions",
34436 + .data = &grsec_enable_fifo,
34437 + .maxlen = sizeof(int),
34439 + .proc_handler = &proc_dointvec,
34442 +#ifdef CONFIG_GRKERNSEC_EXECVE
34444 + .ctl_name = CTL_UNNUMBERED,
34445 + .procname = "execve_limiting",
34446 + .data = &grsec_enable_execve,
34447 + .maxlen = sizeof(int),
34449 + .proc_handler = &proc_dointvec,
34452 +#ifdef CONFIG_GRKERNSEC_EXECLOG
34454 + .ctl_name = CTL_UNNUMBERED,
34455 + .procname = "exec_logging",
34456 + .data = &grsec_enable_execlog,
34457 + .maxlen = sizeof(int),
34459 + .proc_handler = &proc_dointvec,
34462 +#ifdef CONFIG_GRKERNSEC_SIGNAL
34464 + .ctl_name = CTL_UNNUMBERED,
34465 + .procname = "signal_logging",
34466 + .data = &grsec_enable_signal,
34467 + .maxlen = sizeof(int),
34469 + .proc_handler = &proc_dointvec,
34472 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
34474 + .ctl_name = CTL_UNNUMBERED,
34475 + .procname = "forkfail_logging",
34476 + .data = &grsec_enable_forkfail,
34477 + .maxlen = sizeof(int),
34479 + .proc_handler = &proc_dointvec,
34482 +#ifdef CONFIG_GRKERNSEC_TIME
34484 + .ctl_name = CTL_UNNUMBERED,
34485 + .procname = "timechange_logging",
34486 + .data = &grsec_enable_time,
34487 + .maxlen = sizeof(int),
34489 + .proc_handler = &proc_dointvec,
34492 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
34494 + .ctl_name = CTL_UNNUMBERED,
34495 + .procname = "chroot_deny_shmat",
34496 + .data = &grsec_enable_chroot_shmat,
34497 + .maxlen = sizeof(int),
34499 + .proc_handler = &proc_dointvec,
34502 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
34504 + .ctl_name = CTL_UNNUMBERED,
34505 + .procname = "chroot_deny_unix",
34506 + .data = &grsec_enable_chroot_unix,
34507 + .maxlen = sizeof(int),
34509 + .proc_handler = &proc_dointvec,
34512 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
34514 + .ctl_name = CTL_UNNUMBERED,
34515 + .procname = "chroot_deny_mount",
34516 + .data = &grsec_enable_chroot_mount,
34517 + .maxlen = sizeof(int),
34519 + .proc_handler = &proc_dointvec,
34522 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
34524 + .ctl_name = CTL_UNNUMBERED,
34525 + .procname = "chroot_deny_fchdir",
34526 + .data = &grsec_enable_chroot_fchdir,
34527 + .maxlen = sizeof(int),
34529 + .proc_handler = &proc_dointvec,
34532 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
34534 + .ctl_name = CTL_UNNUMBERED,
34535 + .procname = "chroot_deny_chroot",
34536 + .data = &grsec_enable_chroot_double,
34537 + .maxlen = sizeof(int),
34539 + .proc_handler = &proc_dointvec,
34542 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
34544 + .ctl_name = CTL_UNNUMBERED,
34545 + .procname = "chroot_deny_pivot",
34546 + .data = &grsec_enable_chroot_pivot,
34547 + .maxlen = sizeof(int),
34549 + .proc_handler = &proc_dointvec,
34552 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
34554 + .ctl_name = CTL_UNNUMBERED,
34555 + .procname = "chroot_enforce_chdir",
34556 + .data = &grsec_enable_chroot_chdir,
34557 + .maxlen = sizeof(int),
34559 + .proc_handler = &proc_dointvec,
34562 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
34564 + .ctl_name = CTL_UNNUMBERED,
34565 + .procname = "chroot_deny_chmod",
34566 + .data = &grsec_enable_chroot_chmod,
34567 + .maxlen = sizeof(int),
34569 + .proc_handler = &proc_dointvec,
34572 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
34574 + .ctl_name = CTL_UNNUMBERED,
34575 + .procname = "chroot_deny_mknod",
34576 + .data = &grsec_enable_chroot_mknod,
34577 + .maxlen = sizeof(int),
34579 + .proc_handler = &proc_dointvec,
34582 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
34584 + .ctl_name = CTL_UNNUMBERED,
34585 + .procname = "chroot_restrict_nice",
34586 + .data = &grsec_enable_chroot_nice,
34587 + .maxlen = sizeof(int),
34589 + .proc_handler = &proc_dointvec,
34592 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
34594 + .ctl_name = CTL_UNNUMBERED,
34595 + .procname = "chroot_execlog",
34596 + .data = &grsec_enable_chroot_execlog,
34597 + .maxlen = sizeof(int),
34599 + .proc_handler = &proc_dointvec,
34602 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
34604 + .ctl_name = CTL_UNNUMBERED,
34605 + .procname = "chroot_caps",
34606 + .data = &grsec_enable_chroot_caps,
34607 + .maxlen = sizeof(int),
34609 + .proc_handler = &proc_dointvec,
34612 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
34614 + .ctl_name = CTL_UNNUMBERED,
34615 + .procname = "chroot_deny_sysctl",
34616 + .data = &grsec_enable_chroot_sysctl,
34617 + .maxlen = sizeof(int),
34619 + .proc_handler = &proc_dointvec,
34622 +#ifdef CONFIG_GRKERNSEC_TPE
34624 + .ctl_name = CTL_UNNUMBERED,
34625 + .procname = "tpe",
34626 + .data = &grsec_enable_tpe,
34627 + .maxlen = sizeof(int),
34629 + .proc_handler = &proc_dointvec,
34632 + .ctl_name = CTL_UNNUMBERED,
34633 + .procname = "tpe_gid",
34634 + .data = &grsec_tpe_gid,
34635 + .maxlen = sizeof(int),
34637 + .proc_handler = &proc_dointvec,
34640 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
34642 + .ctl_name = CTL_UNNUMBERED,
34643 + .procname = "tpe_restrict_all",
34644 + .data = &grsec_enable_tpe_all,
34645 + .maxlen = sizeof(int),
34647 + .proc_handler = &proc_dointvec,
34650 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
34652 + .ctl_name = CTL_UNNUMBERED,
34653 + .procname = "socket_all",
34654 + .data = &grsec_enable_socket_all,
34655 + .maxlen = sizeof(int),
34657 + .proc_handler = &proc_dointvec,
34660 + .ctl_name = CTL_UNNUMBERED,
34661 + .procname = "socket_all_gid",
34662 + .data = &grsec_socket_all_gid,
34663 + .maxlen = sizeof(int),
34665 + .proc_handler = &proc_dointvec,
34668 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
34670 + .ctl_name = CTL_UNNUMBERED,
34671 + .procname = "socket_client",
34672 + .data = &grsec_enable_socket_client,
34673 + .maxlen = sizeof(int),
34675 + .proc_handler = &proc_dointvec,
34678 + .ctl_name = CTL_UNNUMBERED,
34679 + .procname = "socket_client_gid",
34680 + .data = &grsec_socket_client_gid,
34681 + .maxlen = sizeof(int),
34683 + .proc_handler = &proc_dointvec,
34686 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
34688 + .ctl_name = CTL_UNNUMBERED,
34689 + .procname = "socket_server",
34690 + .data = &grsec_enable_socket_server,
34691 + .maxlen = sizeof(int),
34693 + .proc_handler = &proc_dointvec,
34696 + .ctl_name = CTL_UNNUMBERED,
34697 + .procname = "socket_server_gid",
34698 + .data = &grsec_socket_server_gid,
34699 + .maxlen = sizeof(int),
34701 + .proc_handler = &proc_dointvec,
34704 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
34706 + .ctl_name = CTL_UNNUMBERED,
34707 + .procname = "audit_group",
34708 + .data = &grsec_enable_group,
34709 + .maxlen = sizeof(int),
34711 + .proc_handler = &proc_dointvec,
34714 + .ctl_name = CTL_UNNUMBERED,
34715 + .procname = "audit_gid",
34716 + .data = &grsec_audit_gid,
34717 + .maxlen = sizeof(int),
34719 + .proc_handler = &proc_dointvec,
34722 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
34724 + .ctl_name = CTL_UNNUMBERED,
34725 + .procname = "audit_chdir",
34726 + .data = &grsec_enable_chdir,
34727 + .maxlen = sizeof(int),
34729 + .proc_handler = &proc_dointvec,
34732 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
34734 + .ctl_name = CTL_UNNUMBERED,
34735 + .procname = "audit_mount",
34736 + .data = &grsec_enable_mount,
34737 + .maxlen = sizeof(int),
34739 + .proc_handler = &proc_dointvec,
34742 +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
34744 + .ctl_name = CTL_UNNUMBERED,
34745 + .procname = "audit_ipc",
34746 + .data = &grsec_enable_audit_ipc,
34747 + .maxlen = sizeof(int),
34749 + .proc_handler = &proc_dointvec,
34752 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
34754 + .ctl_name = CTL_UNNUMBERED,
34755 + .procname = "audit_textrel",
34756 + .data = &grsec_enable_audit_textrel,
34757 + .maxlen = sizeof(int),
34759 + .proc_handler = &proc_dointvec,
34762 +#ifdef CONFIG_GRKERNSEC_DMESG
34764 + .ctl_name = CTL_UNNUMBERED,
34765 + .procname = "dmesg",
34766 + .data = &grsec_enable_dmesg,
34767 + .maxlen = sizeof(int),
34769 + .proc_handler = &proc_dointvec,
34772 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
34774 + .ctl_name = CTL_UNNUMBERED,
34775 + .procname = "chroot_findtask",
34776 + .data = &grsec_enable_chroot_findtask,
34777 + .maxlen = sizeof(int),
34779 + .proc_handler = &proc_dointvec,
34782 +#ifdef CONFIG_GRKERNSEC_RESLOG
34784 + .ctl_name = CTL_UNNUMBERED,
34785 + .procname = "resource_logging",
34786 + .data = &grsec_resource_logging,
34787 + .maxlen = sizeof(int),
34789 + .proc_handler = &proc_dointvec,
34792 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
34794 + .ctl_name = CTL_UNNUMBERED,
34795 + .procname = "harden_ptrace",
34796 + .data = &grsec_enable_harden_ptrace,
34797 + .maxlen = sizeof(int),
34799 + .proc_handler = &proc_dointvec,
34803 + .ctl_name = CTL_UNNUMBERED,
34804 + .procname = "grsec_lock",
34805 + .data = &grsec_lock,
34806 + .maxlen = sizeof(int),
34808 + .proc_handler = &proc_dointvec,
34811 + { .ctl_name = 0 }
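Review bot: The `grsec_lock` entry is a one-way latch and that is nowhere stated: once it is non-zero, gr_handle_sysctl_mod logs and (judging by its log-and-return shape) refuses every MAY_WRITE in the "grsecurity" directory, and grsec_lock itself lives in that directory, so it cannot be cleared again until reboot. A comment on the entry, `/* one-way: once set, nothing under grsecurity/ (including this knob) can be written until reboot; see gr_handle_sysctl_mod */`, would spare an administrator discovering that by experiment. All the toggles and the gid knobs use plain `proc_dointvec`, which accepts any int (negative gids, 2 for a boolean); `proc_dointvec_minmax` with `.extra1`/`.extra2` bounds of 0 and 1 for the booleans would reject garbage at the boundary instead of letting it reach the `grsec_enable_*` tests and `in_group_p`. The directory match is a bare `strcmp(dirname, "grsecurity")`; if `dirname` is only the leaf component (the hunk does not show how it is derived) any other sysctl directory with the same name would be locked too — worth a note at that line.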
34814 diff -urNp linux-2.6.31/grsecurity/grsec_textrel.c linux-2.6.31/grsecurity/grsec_textrel.c
34815 --- linux-2.6.31/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
34816 +++ linux-2.6.31/grsecurity/grsec_textrel.c 2009-09-06 15:29:12.078135627 -0400
34818 +#include <linux/kernel.h>
34819 +#include <linux/sched.h>
34820 +#include <linux/mm.h>
34821 +#include <linux/file.h>
34822 +#include <linux/grinternal.h>
34823 +#include <linux/grsecurity.h>
34826 +gr_log_textrel(struct vm_area_struct * vma)
34828 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
34829 + if (grsec_enable_audit_textrel)
34830 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
34834 diff -urNp linux-2.6.31/grsecurity/grsec_time.c linux-2.6.31/grsecurity/grsec_time.c
34835 --- linux-2.6.31/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
34836 +++ linux-2.6.31/grsecurity/grsec_time.c 2009-09-06 15:29:12.078135627 -0400
34838 +#include <linux/kernel.h>
34839 +#include <linux/sched.h>
34840 +#include <linux/grinternal.h>
34843 +gr_log_timechange(void)
34845 +#ifdef CONFIG_GRKERNSEC_TIME
34846 + if (grsec_enable_time)
34847 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
34851 diff -urNp linux-2.6.31/grsecurity/grsec_tpe.c linux-2.6.31/grsecurity/grsec_tpe.c
34852 --- linux-2.6.31/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
34853 +++ linux-2.6.31/grsecurity/grsec_tpe.c 2009-09-06 15:29:12.078135627 -0400
34855 +#include <linux/kernel.h>
34856 +#include <linux/sched.h>
34857 +#include <linux/file.h>
34858 +#include <linux/fs.h>
34859 +#include <linux/grinternal.h>
34861 +extern int gr_acl_tpe_check(void);
34864 +gr_tpe_allow(const struct file *file)
34866 +#ifdef CONFIG_GRKERNSEC
34867 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
34868 + const struct cred *cred = current_cred();
34870 + if (cred->uid && ((grsec_enable_tpe &&
34871 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
34872 + !in_group_p(grsec_tpe_gid)
34874 + in_group_p(grsec_tpe_gid)
34876 + ) || gr_acl_tpe_check()) &&
34877 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
34878 + (inode->i_mode & S_IWOTH))))) {
34879 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
34882 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
34883 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
34884 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
34885 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
34886 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
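Review bot: gr_tpe_allow reads `file->f_path.dentry->d_parent->d_inode` with no reference on the parent: `d_parent` can change under a concurrent rename of the executable, so the uid and mode being checked may belong to a directory the file has already left, and in principle the old parent dentry can be released while it is being inspected. The usual kernel idiom is `struct dentry *parent = dget_parent(file->f_path.dentry);` at the top, `inode = parent->d_inode;`, and `dput(parent)` on every return path (the returns are not in view here, so each one needs it). The first condition also carries a redundancy — `inode->i_uid || (!inode->i_uid && (...))` is just `inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH))` — and a header comment should spell out the policy, e.g. `/* non-root callers in the TPE group (or all non-root with TPE_ALL) may only exec files whose parent directory is root-owned and not group/world writable; TPE_ALL also allows a directory owned by the caller */`.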
34893 diff -urNp linux-2.6.31/grsecurity/grsum.c linux-2.6.31/grsecurity/grsum.c
34894 --- linux-2.6.31/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
34895 +++ linux-2.6.31/grsecurity/grsum.c 2009-09-06 15:29:12.078135627 -0400
34897 +#include <linux/err.h>
34898 +#include <linux/kernel.h>
34899 +#include <linux/sched.h>
34900 +#include <linux/mm.h>
34901 +#include <linux/scatterlist.h>
34902 +#include <linux/crypto.h>
34903 +#include <linux/gracl.h>
34906 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
34907 +#error "crypto and sha256 must be built into the kernel"
34911 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
34914 + struct crypto_hash *tfm;
34915 + struct hash_desc desc;
34916 + struct scatterlist sg;
34917 + unsigned char temp_sum[GR_SHA_LEN];
34918 + volatile int retval = 0;
34919 + volatile int dummy = 0;
34922 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
34923 + if (IS_ERR(tfm)) {
34924 + /* should never happen, since sha256 should be built in */
34931 + crypto_hash_init(&desc);
34934 + sg_set_buf(&sg, p, GR_SALT_LEN);
34935 + crypto_hash_update(&desc, &sg, sg.length);
34938 + sg_set_buf(&sg, p, strlen(p));
34940 + crypto_hash_update(&desc, &sg, sg.length);
34942 + crypto_hash_final(&desc, temp_sum);
34944 + memset(entry->pw, 0, GR_PW_LEN);
34946 + for (i = 0; i < GR_SHA_LEN; i++)
34947 + if (sum[i] != temp_sum[i])
34950 + dummy = 1; // waste a cycle
34952 + crypto_free_hash(tfm);
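Review bot: The digest comparison in chkpw is not the constant-time compare it is trying to be: the loop branches on `sum[i] != temp_sum[i]`, and the `dummy = 1; // waste a cycle` arm only balances one branch, so the compiler is free to restructure it and the timing still depends on which byte first differs. Accumulate the XOR of all bytes and decide once at the end, drop `dummy`, and wipe `temp_sum` before returning, since it is a hash of the supplied password left on the stack (2.6.31 has no memzero_explicit, so a `barrier()` after the memset is the usual way to keep it from being dropped as a dead store). The crypto_hash_init/update/final return values are ignored, and `strlen(p)` on `entry->pw` assumes the copy-in NUL-terminated the buffer — both are worth checking at this boundary, the latter at the caller. Note also that this is a single SHA-256 over salt||password with no stretching rather than an iterated KDF, which is only acceptable if the password space is large; a one-line comment stating that assumption would help the next reader.

```c
	unsigned char diff = 0;	/* add to the declarations; replaces dummy */
	/* … unchanged: allocate tfm, hash salt then entry->pw into temp_sum … */
	memset(entry->pw, 0, GR_PW_LEN);

	/* constant-time compare: visit every byte, decide once at the end */
	for (i = 0; i < GR_SHA_LEN; i++)
		diff |= sum[i] ^ temp_sum[i];
	retval = (diff != 0);
	memset(temp_sum, 0, sizeof(temp_sum));	/* hash of the supplied password */
	barrier();

	crypto_free_hash(tfm);
```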
34956 diff -urNp linux-2.6.31/grsecurity/Kconfig linux-2.6.31/grsecurity/Kconfig
34957 --- linux-2.6.31/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
34958 +++ linux-2.6.31/grsecurity/Kconfig 2009-09-06 16:36:29.318952834 -0400
34961 +# grecurity configuration
34967 + bool "Grsecurity"
34969 + select CRYPTO_SHA256
34971 + If you say Y here, you will be able to configure many features
34972 + that will enhance the security of your system. It is highly
34973 + recommended that you say Y here and read through the help
34974 + for each option so that you fully understand the features and
34975 + can evaluate their usefulness for your machine.
34978 + prompt "Security Level"
34979 + depends on GRKERNSEC
34980 + default GRKERNSEC_CUSTOM
34982 +config GRKERNSEC_LOW
34984 + select GRKERNSEC_LINK
34985 + select GRKERNSEC_FIFO
34986 + select GRKERNSEC_EXECVE
34987 + select GRKERNSEC_RANDNET
34988 + select GRKERNSEC_DMESG
34989 + select GRKERNSEC_CHROOT
34990 + select GRKERNSEC_CHROOT_CHDIR
34993 + If you choose this option, several of the grsecurity options will
34994 + be enabled that will give you greater protection against a number
34995 + of attacks, while assuring that none of your software will have any
34996 + conflicts with the additional security measures. If you run a lot
34997 + of unusual software, or you are having problems with the higher
34998 + security levels, you should say Y here. With this option, the
34999 + following features are enabled:
35001 + - Linking restrictions
35002 + - FIFO restrictions
35003 + - Enforcing RLIMIT_NPROC on execve
35004 + - Restricted dmesg
35005 + - Enforced chdir("/") on chroot
35006 + - Runtime module disabling
35008 +config GRKERNSEC_MEDIUM
35011 + select PAX_EI_PAX
35012 + select PAX_PT_PAX_FLAGS
35013 + select PAX_HAVE_ACL_FLAGS
35014 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
35015 + select GRKERNSEC_CHROOT
35016 + select GRKERNSEC_CHROOT_SYSCTL
35017 + select GRKERNSEC_LINK
35018 + select GRKERNSEC_FIFO
35019 + select GRKERNSEC_EXECVE
35020 + select GRKERNSEC_DMESG
35021 + select GRKERNSEC_RANDNET
35022 + select GRKERNSEC_FORKFAIL
35023 + select GRKERNSEC_TIME
35024 + select GRKERNSEC_SIGNAL
35025 + select GRKERNSEC_CHROOT
35026 + select GRKERNSEC_CHROOT_UNIX
35027 + select GRKERNSEC_CHROOT_MOUNT
35028 + select GRKERNSEC_CHROOT_PIVOT
35029 + select GRKERNSEC_CHROOT_DOUBLE
35030 + select GRKERNSEC_CHROOT_CHDIR
35031 + select GRKERNSEC_CHROOT_MKNOD
35032 + select GRKERNSEC_PROC
35033 + select GRKERNSEC_PROC_USERGROUP
35034 + select PAX_RANDUSTACK
35036 + select PAX_RANDMMAP
35037 + select PAX_REFCOUNT if (X86)
35038 + select PAX_USERCOPY if (X86 && (SLAB || SLUB || SLOB))
35041 + If you say Y here, several features in addition to those included
35042 + in the low additional security level will be enabled. These
35043 + features provide even more security to your system, though in rare
35044 + cases they may be incompatible with very old or poorly written
35045 + software. If you enable this option, make sure that your auth
35046 + service (identd) is running as gid 1001. With this option,
35047 + the following features (in addition to those provided in the
35048 + low additional security level) will be enabled:
35050 + - Failed fork logging
35051 + - Time change logging
35053 + - Deny mounts in chroot
35054 + - Deny double chrooting
35055 + - Deny sysctl writes in chroot
35056 + - Deny mknod in chroot
35057 + - Deny access to abstract AF_UNIX sockets out of chroot
35058 + - Deny pivot_root in chroot
35059 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
35060 + - /proc restrictions with special GID set to 10 (usually wheel)
35061 + - Address Space Layout Randomization (ASLR)
35062 + - Prevent exploitation of most refcount overflows
35063 + - Bounds checking of copying between the kernel and userland
35065 +config GRKERNSEC_HIGH
35067 + select GRKERNSEC_LINK
35068 + select GRKERNSEC_FIFO
35069 + select GRKERNSEC_EXECVE
35070 + select GRKERNSEC_DMESG
35071 + select GRKERNSEC_FORKFAIL
35072 + select GRKERNSEC_TIME
35073 + select GRKERNSEC_SIGNAL
35074 + select GRKERNSEC_CHROOT
35075 + select GRKERNSEC_CHROOT_SHMAT
35076 + select GRKERNSEC_CHROOT_UNIX
35077 + select GRKERNSEC_CHROOT_MOUNT
35078 + select GRKERNSEC_CHROOT_FCHDIR
35079 + select GRKERNSEC_CHROOT_PIVOT
35080 + select GRKERNSEC_CHROOT_DOUBLE
35081 + select GRKERNSEC_CHROOT_CHDIR
35082 + select GRKERNSEC_CHROOT_MKNOD
35083 + select GRKERNSEC_CHROOT_CAPS
35084 + select GRKERNSEC_CHROOT_SYSCTL
35085 + select GRKERNSEC_CHROOT_FINDTASK
35086 + select GRKERNSEC_PROC
35087 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
35088 + select GRKERNSEC_HIDESYM
35089 + select GRKERNSEC_BRUTE
35090 + select GRKERNSEC_PROC_USERGROUP
35091 + select GRKERNSEC_KMEM
35092 + select GRKERNSEC_RESLOG
35093 + select GRKERNSEC_RANDNET
35094 + select GRKERNSEC_PROC_ADD
35095 + select GRKERNSEC_CHROOT_CHMOD
35096 + select GRKERNSEC_CHROOT_NICE
35097 + select GRKERNSEC_AUDIT_MOUNT
35098 + select GRKERNSEC_MODHARDEN if (MODULES)
35099 + select GRKERNSEC_HARDEN_PTRACE
35101 + select PAX_RANDUSTACK
35103 + select PAX_RANDMMAP
35104 + select PAX_NOEXEC
35105 + select PAX_MPROTECT
35106 + select PAX_EI_PAX
35107 + select PAX_PT_PAX_FLAGS
35108 + select PAX_HAVE_ACL_FLAGS
35109 + select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
35110 + select PAX_MEMORY_UDEREF if (X86_32)
35111 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
35112 + select PAX_SEGMEXEC if (X86_32)
35113 + select PAX_PAGEEXEC
35114 + select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
35115 + select PAX_DLRESOLVE if (SPARC32 || SPARC64)
35116 + select PAX_SYSCALL if (PPC32)
35117 + select PAX_EMUTRAMP if (PARISC)
35118 + select PAX_EMUSIGRT if (PARISC)
35119 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
35120 + select PAX_REFCOUNT if (X86)
35121 + select PAX_USERCOPY if (X86 && (SLAB || SLUB || SLOB))
35123 + If you say Y here, many of the features of grsecurity will be
35124 + enabled, which will protect you against many kinds of attacks
35125 + against your system. The heightened security comes at a cost
35126 + of an increased chance of incompatibilities with rare software
35127 + on your machine. Since this security level enables PaX, you should
35128 + view <http://pax.grsecurity.net> and read about the PaX
35129 + project. While you are there, download chpax and run it on
35130 + binaries that cause problems with PaX. Also remember that
35131 + since the /proc restrictions are enabled, you must run your
35132 + identd as gid 1001. This security level enables the following
35133 + features in addition to those listed in the low and medium
35136 + - Additional /proc restrictions
35137 + - Chmod restrictions in chroot
35138 + - No signals, ptrace, or viewing of processes outside of chroot
35139 + - Capability restrictions in chroot
35140 + - Deny fchdir out of chroot
35141 + - Priority restrictions in chroot
35142 + - Segmentation-based implementation of PaX
35143 + - Mprotect restrictions
35144 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
35145 + - Kernel stack randomization
35146 + - Mount/unmount/remount logging
35147 + - Kernel symbol hiding
35148 + - Prevention of memory exhaustion-based exploits
35149 + - Hardening of module auto-loading
35150 + - Ptrace restrictions
35152 +config GRKERNSEC_CUSTOM
35155 + If you say Y here, you will be able to configure every grsecurity
35156 + option, which allows you to enable many more features that aren't
35157 + covered in the basic security levels. These additional features
35158 + include TPE, socket restrictions, and the sysctl system for
35159 + grsecurity. It is advised that you read through the help for
35160 + each option to determine its usefulness in your situation.
35164 +menu "Address Space Protection"
35165 +depends on GRKERNSEC
35167 +config GRKERNSEC_KMEM
35168 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
35170 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
35171 + be written to via mmap or otherwise to modify the running kernel.
35172 + /dev/port will also not be allowed to be opened. If you have module
35173 + support disabled, enabling this will close up four ways that are
35174 + currently used to insert malicious code into the running kernel.
35175 + Even with all these features enabled, we still highly recommend that
35176 + you use the RBAC system, as it is still possible for an attacker to
35177 + modify the running kernel through privileged I/O granted by ioperm/iopl.
35178 + If you are not using XFree86, you may be able to stop this additional
35179 + case by enabling the 'Disable privileged I/O' option. Though nothing
35180 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
35181 + but only to video memory, which is the only writing we allow in this
35182 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
35183 + not be allowed to mprotect it with PROT_WRITE later.
35184 + It is highly recommended that you say Y here if you meet all the
35185 + conditions above.
35187 +config GRKERNSEC_IO
35188 + bool "Disable privileged I/O"
35191 + select RTC_INTF_DEV
35192 + select RTC_DRV_CMOS
35195 + If you say Y here, all ioperm and iopl calls will return an error.
35196 + Ioperm and iopl can be used to modify the running kernel.
35197 + Unfortunately, some programs need this access to operate properly,
35198 + the most notable of which are XFree86 and hwclock. hwclock can be
35199 + remedied by having RTC support in the kernel, so real-time
35200 + clock support is enabled if this option is enabled, to ensure
35201 + that hwclock operates correctly. XFree86 still will not
35202 + operate correctly with this option enabled, so DO NOT CHOOSE Y
35203 + IF YOU USE XFree86. If you use XFree86 and you still want to
35204 + protect your kernel against modification, use the RBAC system.
35206 +config GRKERNSEC_PROC_MEMMAP
35207 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
35208 + default y if (PAX_NOEXEC || PAX_ASLR)
35209 + depends on PAX_NOEXEC || PAX_ASLR
35211 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
35212 + give no information about the addresses of its mappings if
35213 + PaX features that rely on random addresses are enabled on the task.
35214 + If you use PaX it is greatly recommended that you say Y here as it
35215 + closes up a hole that makes the full ASLR useless for suid
35218 +config GRKERNSEC_BRUTE
35219 + bool "Deter exploit bruteforcing"
35221 + If you say Y here, attempts to bruteforce exploits against forking
35222 + daemons such as apache or sshd will be deterred. When a child of a
35223 + forking daemon is killed by PaX or crashes due to an illegal
35224 + instruction, the parent process will be delayed 30 seconds upon every
35225 + subsequent fork until the administrator is able to assess the
35226 + situation and restart the daemon. It is recommended that you also
35227 + enable signal logging in the auditing section so that logs are
35228 + generated when a process performs an illegal instruction.
35230 +config GRKERNSEC_MODHARDEN
35231 + bool "Harden module auto-loading"
35232 + depends on MODULES
35234 + If you say Y here, module auto-loading in response to use of some
35235 + feature implemented by an unloaded module will be restricted to
35236 + root users. Enabling this option helps defend against attacks
35237 + by unprivileged users who abuse the auto-loading behavior to
35238 + cause a vulnerable module to load that is then exploited.
35240 + If this option prevents a legitimate use of auto-loading for a
35241 + non-root user, the administrator can execute modprobe manually
35242 + with the exact name of the module mentioned in the alert log.
35243 + Alternatively, the administrator can add the module to the
35244 + list of modules loaded at boot by modifying init scripts.
35246 +config GRKERNSEC_HIDESYM
35247 + bool "Hide kernel symbols"
35249 + If you say Y here, getting information on loaded modules, and
35250 + displaying all kernel symbols through a syscall will be restricted
35251 + to users with CAP_SYS_MODULE. This option is only effective
35252 + provided the following conditions are met:
35253 + 1) The kernel using grsecurity is not precompiled by some distribution
35254 + 2) You are using the RBAC system and hiding other files such as your
35255 + kernel image and System.map. Alternatively, enabling this option
35256 + causes the permissions on /boot, /lib/modules, and the kernel
35257 + source directory to change at compile time to prevent
35258 + reading by non-root users.
35259 + If the above conditions are met, this option will aid to provide a
35260 + useful protection against local and remote kernel exploitation of
35261 + overflows and arbitrary read/write vulnerabilities.
35264 +menu "Role Based Access Control Options"
35265 +depends on GRKERNSEC
35267 +config GRKERNSEC_NO_RBAC
35268 + bool "Disable RBAC system"
35270 + If you say Y here, the /dev/grsec device will be removed from the kernel,
35271 + preventing the RBAC system from being enabled. You should only say Y
35272 + here if you have no intention of using the RBAC system, so as to prevent
35273 + an attacker with root access from misusing the RBAC system to hide files
35274 + and processes when loadable module support and /dev/[k]mem have been
35277 +config GRKERNSEC_ACL_HIDEKERN
35278 + bool "Hide kernel processes"
35280 + If you say Y here, all kernel threads will be hidden to all
35281 + processes but those whose subject has the "view hidden processes"
35284 +config GRKERNSEC_ACL_MAXTRIES
35285 + int "Maximum tries before password lockout"
35288 + This option enforces the maximum number of times a user can attempt
35289 + to authorize themselves with the grsecurity RBAC system before being
35290 + denied the ability to attempt authorization again for a specified time.
35291 + The lower the number, the harder it will be to brute-force a password.
35293 +config GRKERNSEC_ACL_TIMEOUT
35294 + int "Time to wait after max password tries, in seconds"
35297 + This option specifies the time the user must wait after attempting to
35298 + authorize to the RBAC system with the maximum number of invalid
35299 + passwords. The higher the number, the harder it will be to brute-force
35303 +menu "Filesystem Protections"
35304 +depends on GRKERNSEC
35306 +config GRKERNSEC_PROC
35307 + bool "Proc restrictions"
35309 + If you say Y here, the permissions of the /proc filesystem
35310 + will be altered to enhance system security and privacy. You MUST
35311 + choose either a user only restriction or a user and group restriction.
35312 + Depending upon the option you choose, you can either restrict users to
35313 + see only the processes they themselves run, or choose a group that can
35314 + view all processes and files normally restricted to root if you choose
35315 + the "restrict to user only" option. NOTE: If you're running identd as
35316 + a non-root user, you will have to run it as the group you specify here.
35318 +config GRKERNSEC_PROC_USER
35319 + bool "Restrict /proc to user only"
35320 + depends on GRKERNSEC_PROC
35322 + If you say Y here, non-root users will only be able to view their own
35323 + processes, and restricts them from viewing network-related information,
35324 + and viewing kernel symbol and module information.
35326 +config GRKERNSEC_PROC_USERGROUP
35327 + bool "Allow special group"
35328 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
35330 + If you say Y here, you will be able to select a group that will be
35331 + able to view all processes, network-related information, and
35332 + kernel and symbol information. This option is useful if you want
35333 + to run identd as a non-root user.
35335 +config GRKERNSEC_PROC_GID
35336 + int "GID for special group"
35337 + depends on GRKERNSEC_PROC_USERGROUP
35340 +config GRKERNSEC_PROC_ADD
35341 + bool "Additional restrictions"
35342 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
35344 + If you say Y here, additional restrictions will be placed on
35345 + /proc that keep normal users from viewing device information and
35346 + slabinfo information that could be useful for exploits.
35348 +config GRKERNSEC_LINK
35349 + bool "Linking restrictions"
35351 + If you say Y here, /tmp race exploits will be prevented, since users
35352 + will no longer be able to follow symlinks owned by other users in
35353 + world-writable +t directories (i.e. /tmp), unless the owner of the
35354 + symlink is the owner of the directory. users will also not be
35355 + able to hardlink to files they do not own. If the sysctl option is
35356 + enabled, a sysctl option with name "linking_restrictions" is created.
35358 +config GRKERNSEC_FIFO
35359 + bool "FIFO restrictions"
35361 + If you say Y here, users will not be able to write to FIFOs they don't
35362 + own in world-writable +t directories (i.e. /tmp), unless the owner of
35363 + the FIFO is the same owner of the directory it's held in. If the sysctl
35364 + option is enabled, a sysctl option with name "fifo_restrictions" is
35367 +config GRKERNSEC_CHROOT
35368 + bool "Chroot jail restrictions"
35370 + If you say Y here, you will be able to choose several options that will
35371 + make breaking out of a chrooted jail much more difficult. If you
35372 + encounter no software incompatibilities with the following options, it
35373 + is recommended that you enable each one.
35375 +config GRKERNSEC_CHROOT_MOUNT
35376 + bool "Deny mounts"
35377 + depends on GRKERNSEC_CHROOT
35379 + If you say Y here, processes inside a chroot will not be able to
35380 + mount or remount filesystems. If the sysctl option is enabled, a
35381 + sysctl option with name "chroot_deny_mount" is created.
35383 +config GRKERNSEC_CHROOT_DOUBLE
35384 + bool "Deny double-chroots"
35385 + depends on GRKERNSEC_CHROOT
35387 + If you say Y here, processes inside a chroot will not be able to chroot
35388 + again outside the chroot. This is a widely used method of breaking
35389 + out of a chroot jail and should not be allowed. If the sysctl
35390 + option is enabled, a sysctl option with name
35391 + "chroot_deny_chroot" is created.
35393 +config GRKERNSEC_CHROOT_PIVOT
35394 + bool "Deny pivot_root in chroot"
35395 + depends on GRKERNSEC_CHROOT
35397 + If you say Y here, processes inside a chroot will not be able to use
35398 + a function called pivot_root() that was introduced in Linux 2.3.41. It
35399 + works similar to chroot in that it changes the root filesystem. This
35400 + function could be misused in a chrooted process to attempt to break out
35401 + of the chroot, and therefore should not be allowed. If the sysctl
35402 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
35405 +config GRKERNSEC_CHROOT_CHDIR
35406 + bool "Enforce chdir(\"/\") on all chroots"
35407 + depends on GRKERNSEC_CHROOT
35409 + If you say Y here, the current working directory of all newly-chrooted
35410 + applications will be set to the the root directory of the chroot.
35411 + The man page on chroot(2) states:
35412 + Note that this call does not change the current working
35413 + directory, so that `.' can be outside the tree rooted at
35414 + `/'. In particular, the super-user can escape from a
35415 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
35417 + It is recommended that you say Y here, since it's not known to break
35418 + any software. If the sysctl option is enabled, a sysctl option with
35419 + name "chroot_enforce_chdir" is created.
35421 +config GRKERNSEC_CHROOT_CHMOD
35422 + bool "Deny (f)chmod +s"
35423 + depends on GRKERNSEC_CHROOT
35425 + If you say Y here, processes inside a chroot will not be able to chmod
35426 + or fchmod files to make them have suid or sgid bits. This protects
35427 + against another published method of breaking a chroot. If the sysctl
35428 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
35431 +config GRKERNSEC_CHROOT_FCHDIR
35432 + bool "Deny fchdir out of chroot"
35433 + depends on GRKERNSEC_CHROOT
35435 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
35436 + to a file descriptor of the chrooting process that points to a directory
35437 + outside the filesystem will be stopped. If the sysctl option
35438 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
35440 +config GRKERNSEC_CHROOT_MKNOD
35441 + bool "Deny mknod"
35442 + depends on GRKERNSEC_CHROOT
35444 + If you say Y here, processes inside a chroot will not be allowed to
35445 + mknod. The problem with using mknod inside a chroot is that it
35446 + would allow an attacker to create a device entry that is the same
35447 + as one on the physical root of your system, which could range from
35448 + anything from the console device to a device for your harddrive (which
35449 + they could then use to wipe the drive or steal data). It is recommended
35450 + that you say Y here, unless you run into software incompatibilities.
35451 + If the sysctl option is enabled, a sysctl option with name
35452 + "chroot_deny_mknod" is created.
35454 +config GRKERNSEC_CHROOT_SHMAT
35455 + bool "Deny shmat() out of chroot"
35456 + depends on GRKERNSEC_CHROOT
35458 + If you say Y here, processes inside a chroot will not be able to attach
35459 + to shared memory segments that were created outside of the chroot jail.
35460 + It is recommended that you say Y here. If the sysctl option is enabled,
35461 + a sysctl option with name "chroot_deny_shmat" is created.
35463 +config GRKERNSEC_CHROOT_UNIX
35464 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
35465 + depends on GRKERNSEC_CHROOT
35467 + If you say Y here, processes inside a chroot will not be able to
35468 + connect to abstract (meaning not belonging to a filesystem) Unix
35469 + domain sockets that were bound outside of a chroot. It is recommended
35470 + that you say Y here. If the sysctl option is enabled, a sysctl option
35471 + with name "chroot_deny_unix" is created.
35473 +config GRKERNSEC_CHROOT_FINDTASK
35474 + bool "Protect outside processes"
35475 + depends on GRKERNSEC_CHROOT
35477 + If you say Y here, processes inside a chroot will not be able to
35478 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
35479 + getsid, or view any process outside of the chroot. If the sysctl
35480 + option is enabled, a sysctl option with name "chroot_findtask" is
35483 +config GRKERNSEC_CHROOT_NICE
35484 + bool "Restrict priority changes"
35485 + depends on GRKERNSEC_CHROOT
35487 + If you say Y here, processes inside a chroot will not be able to raise
35488 + the priority of processes in the chroot, or alter the priority of
35489 + processes outside the chroot. This provides more security than simply
35490 + removing CAP_SYS_NICE from the process' capability set. If the
35491 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
35494 +config GRKERNSEC_CHROOT_SYSCTL
35495 + bool "Deny sysctl writes"
35496 + depends on GRKERNSEC_CHROOT
35498 + If you say Y here, an attacker in a chroot will not be able to
35499 + write to sysctl entries, either by sysctl(2) or through a /proc
35500 + interface. It is strongly recommended that you say Y here. If the
35501 + sysctl option is enabled, a sysctl option with name
35502 + "chroot_deny_sysctl" is created.
35504 +config GRKERNSEC_CHROOT_CAPS
35505 + bool "Capability restrictions"
35506 + depends on GRKERNSEC_CHROOT
35508 + If you say Y here, the capabilities on all root processes within a
35509 + chroot jail will be lowered to stop module insertion, raw i/o,
35510 + system and net admin tasks, rebooting the system, modifying immutable
35511 + files, modifying IPC owned by another, and changing the system time.
35512 + This is left an option because it can break some apps. Disable this
35513 + if your chrooted apps are having problems performing those kinds of
35514 + tasks. If the sysctl option is enabled, a sysctl option with
35515 + name "chroot_caps" is created.
35518 +menu "Kernel Auditing"
35519 +depends on GRKERNSEC
35521 +config GRKERNSEC_AUDIT_GROUP
35522 + bool "Single group for auditing"
35524 + If you say Y here, the exec, chdir, (un)mount, and ipc logging features
35525 + will only operate on a group you specify. This option is recommended
35526 + if you only want to watch certain users instead of having a large
35527 + amount of logs from the entire system. If the sysctl option is enabled,
35528 + a sysctl option with name "audit_group" is created.
35530 +config GRKERNSEC_AUDIT_GID
35531 + int "GID for auditing"
35532 + depends on GRKERNSEC_AUDIT_GROUP
35535 +config GRKERNSEC_EXECLOG
35536 + bool "Exec logging"
35538 + If you say Y here, all execve() calls will be logged (since the
35539 + other exec*() calls are frontends to execve(), all execution
35540 + will be logged). Useful for shell-servers that like to keep track
35541 + of their users. If the sysctl option is enabled, a sysctl option with
35542 + name "exec_logging" is created.
35543 + WARNING: This option when enabled will produce a LOT of logs, especially
35544 + on an active system.
35546 +config GRKERNSEC_RESLOG
35547 + bool "Resource logging"
35549 + If you say Y here, all attempts to overstep resource limits will
35550 + be logged with the resource name, the requested size, and the current
35551 + limit. It is highly recommended that you say Y here. If the sysctl
35552 + option is enabled, a sysctl option with name "resource_logging" is
35553 + created. If the RBAC system is enabled, the sysctl value is ignored.
35555 +config GRKERNSEC_CHROOT_EXECLOG
35556 + bool "Log execs within chroot"
35558 + If you say Y here, all executions inside a chroot jail will be logged
35559 + to syslog. This can cause a large amount of logs if certain
35560 + applications (eg. djb's daemontools) are installed on the system, and
35561 + is therefore left as an option. If the sysctl option is enabled, a
35562 + sysctl option with name "chroot_execlog" is created.
35564 +config GRKERNSEC_AUDIT_CHDIR
35565 + bool "Chdir logging"
35567 + If you say Y here, all chdir() calls will be logged. If the sysctl
35568 + option is enabled, a sysctl option with name "audit_chdir" is created.
35570 +config GRKERNSEC_AUDIT_MOUNT
35571 + bool "(Un)Mount logging"
35573 + If you say Y here, all mounts and unmounts will be logged. If the
35574 + sysctl option is enabled, a sysctl option with name "audit_mount" is
35577 +config GRKERNSEC_AUDIT_IPC
35578 + bool "IPC logging"
35580 + If you say Y here, creation and removal of message queues, semaphores,
35581 + and shared memory will be logged. If the sysctl option is enabled, a
35582 + sysctl option with name "audit_ipc" is created.
35584 +config GRKERNSEC_SIGNAL
35585 + bool "Signal logging"
35587 + If you say Y here, certain important signals will be logged, such as
35588 + SIGSEGV, which will as a result inform you of when a error in a program
35589 + occurred, which in some cases could mean a possible exploit attempt.
35590 + If the sysctl option is enabled, a sysctl option with name
35591 + "signal_logging" is created.
35593 +config GRKERNSEC_FORKFAIL
35594 + bool "Fork failure logging"
35596 + If you say Y here, all failed fork() attempts will be logged.
35597 + This could suggest a fork bomb, or someone attempting to overstep
35598 + their process limit. If the sysctl option is enabled, a sysctl option
35599 + with name "forkfail_logging" is created.
35601 +config GRKERNSEC_TIME
35602 + bool "Time change logging"
35604 + If you say Y here, any changes of the system clock will be logged.
35605 + If the sysctl option is enabled, a sysctl option with name
35606 + "timechange_logging" is created.
35608 +config GRKERNSEC_PROC_IPADDR
35609 + bool "/proc/<pid>/ipaddr support"
35611 + If you say Y here, a new entry will be added to each /proc/<pid>
35612 + directory that contains the IP address of the person using the task.
35613 + The IP is carried across local TCP and AF_UNIX stream sockets.
35614 + This information can be useful for IDS/IPSes to perform remote response
35615 + to a local attack. The entry is readable by only the owner of the
35616 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
35617 + the RBAC system), and thus does not create privacy concerns.
35619 +config GRKERNSEC_AUDIT_TEXTREL
35620 + bool 'ELF text relocations logging (READ HELP)'
35621 + depends on PAX_MPROTECT
35623 + If you say Y here, text relocations will be logged with the filename
35624 + of the offending library or binary. The purpose of the feature is
35625 + to help Linux distribution developers get rid of libraries and
35626 + binaries that need text relocations which hinder the future progress
35627 + of PaX. Only Linux distribution developers should say Y here, and
35628 + never on a production machine, as this option creates an information
35629 + leak that could aid an attacker in defeating the randomization of
35630 + a single memory region. If the sysctl option is enabled, a sysctl
35631 + option with name "audit_textrel" is created.
35635 +menu "Executable Protections"
35636 +depends on GRKERNSEC
35638 +config GRKERNSEC_EXECVE
35639 + bool "Enforce RLIMIT_NPROC on execs"
35641 + If you say Y here, users with a resource limit on processes will
35642 + have the value checked during execve() calls. The current system
35643 + only checks the system limit during fork() calls. If the sysctl option
35644 + is enabled, a sysctl option with name "execve_limiting" is created.
35646 +config GRKERNSEC_DMESG
35647 + bool "Dmesg(8) restriction"
35649 + If you say Y here, non-root users will not be able to use dmesg(8)
35650 + to view up to the last 4kb of messages in the kernel's log buffer.
35651 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
35654 +config GRKERNSEC_HARDEN_PTRACE
35655 + bool "Deter ptrace-based process snooping"
35657 + If you say Y here, TTY sniffers and other malicious monitoring
35658 + programs implemented through ptrace will be defeated. If you
35659 + have been using the RBAC system, this option has already been
35660 + enabled for several years for all users, with the ability to make
35661 + fine-grained exceptions.
35663 + This option only affects the ability of non-root users to ptrace
35664 + processes that are not a descendent of the ptracing process.
35665 + This means that strace ./binary and gdb ./binary will still work,
35666 + but attaching to arbitrary processes will not. If the sysctl
35667 + option is enabled, a sysctl option with name "harden_ptrace" is
35670 +config GRKERNSEC_TPE
35671 + bool "Trusted Path Execution (TPE)"
35673 + If you say Y here, you will be able to choose a gid to add to the
35674 + supplementary groups of users you want to mark as "untrusted."
35675 + These users will not be able to execute any files that are not in
35676 + root-owned directories writable only by root. If the sysctl option
35677 + is enabled, a sysctl option with name "tpe" is created.
35679 +config GRKERNSEC_TPE_ALL
35680 + bool "Partially restrict non-root users"
35681 + depends on GRKERNSEC_TPE
35683 + If you say Y here, All non-root users other than the ones in the
35684 + group specified in the main TPE option will only be allowed to
35685 + execute files in directories they own that are not group or
35686 + world-writable, or in directories owned by root and writable only by
35687 + root. If the sysctl option is enabled, a sysctl option with name
35688 + "tpe_restrict_all" is created.
35690 +config GRKERNSEC_TPE_INVERT
35691 + bool "Invert GID option"
35692 + depends on GRKERNSEC_TPE
35694 + If you say Y here, the group you specify in the TPE configuration will
35695 + decide what group TPE restrictions will be *disabled* for. This
35696 + option is useful if you want TPE restrictions to be applied to most
35697 + users on the system.
35699 +config GRKERNSEC_TPE_GID
35700 + int "GID for untrusted users"
35701 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
35704 + If you have selected the "Invert GID option" above, setting this
35705 + GID determines what group TPE restrictions will be *disabled* for.
35706 + If you have not selected the "Invert GID option" above, setting this
35707 + GID determines what group TPE restrictions will be *enabled* for.
35708 + If the sysctl option is enabled, a sysctl option with name "tpe_gid"
35711 +config GRKERNSEC_TPE_GID
35712 + int "GID for trusted users"
35713 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
35716 + If you have selected the "Invert GID option" above, setting this
35717 + GID determines what group TPE restrictions will be *disabled* for.
35718 + If you have not selected the "Invert GID option" above, setting this
35719 + GID determines what group TPE restrictions will be *enabled* for.
35720 + If the sysctl option is enabled, a sysctl option with name "tpe_gid"
35724 +menu "Network Protections"
35725 +depends on GRKERNSEC
35727 +config GRKERNSEC_RANDNET
35728 + bool "Larger entropy pools"
35730 + If you say Y here, the entropy pools used for many features of Linux
35731 + and grsecurity will be doubled in size. Since several grsecurity
35732 + features use additional randomness, it is recommended that you say Y
35733 + here. Saying Y here has a similar effect as modifying
35734 + /proc/sys/kernel/random/poolsize.
35736 +config GRKERNSEC_BLACKHOLE
35737 + bool "TCP/UDP blackhole"
35739 + If you say Y here, neither TCP resets nor ICMP
35740 + destination-unreachable packets will be sent in response to packets
35741 + send to ports for which no associated listening process exists.
35742 + This feature supports both IPV4 and IPV6 and exempts the
35743 + loopback interface from blackholing. Enabling this feature
35744 + makes a host more resilient to DoS attacks and reduces network
35745 + visibility against scanners.
35747 +config GRKERNSEC_SOCKET
35748 + bool "Socket restrictions"
35750 + If you say Y here, you will be able to choose from several options.
35751 + If you assign a GID on your system and add it to the supplementary
35752 + groups of users you want to restrict socket access to, this patch
35753 + will perform up to three things, based on the option(s) you choose.
35755 +config GRKERNSEC_SOCKET_ALL
35756 + bool "Deny any sockets to group"
35757 + depends on GRKERNSEC_SOCKET
35759 + If you say Y here, you will be able to choose a GID of whose users will
35760 + be unable to connect to other hosts from your machine or run server
35761 + applications from your machine. If the sysctl option is enabled, a
35762 + sysctl option with name "socket_all" is created.
35764 +config GRKERNSEC_SOCKET_ALL_GID
35765 + int "GID to deny all sockets for"
35766 + depends on GRKERNSEC_SOCKET_ALL
35769 + Here you can choose the GID to disable socket access for. Remember to
35770 + add the users you want socket access disabled for to the GID
35771 + specified here. If the sysctl option is enabled, a sysctl option
35772 + with name "socket_all_gid" is created.
35774 +config GRKERNSEC_SOCKET_CLIENT
35775 + bool "Deny client sockets to group"
35776 + depends on GRKERNSEC_SOCKET
35778 + If you say Y here, you will be able to choose a GID of whose users will
35779 + be unable to connect to other hosts from your machine, but will be
35780 + able to run servers. If this option is enabled, all users in the group
35781 + you specify will have to use passive mode when initiating ftp transfers
35782 + from the shell on your machine. If the sysctl option is enabled, a
35783 + sysctl option with name "socket_client" is created.
35785 +config GRKERNSEC_SOCKET_CLIENT_GID
35786 + int "GID to deny client sockets for"
35787 + depends on GRKERNSEC_SOCKET_CLIENT
35790 + Here you can choose the GID to disable client socket access for.
35791 + Remember to add the users you want client socket access disabled for to
35792 + the GID specified here. If the sysctl option is enabled, a sysctl
35793 + option with name "socket_client_gid" is created.
35795 +config GRKERNSEC_SOCKET_SERVER
35796 + bool "Deny server sockets to group"
35797 + depends on GRKERNSEC_SOCKET
35799 + If you say Y here, you will be able to choose a GID of whose users will
35800 + be unable to run server applications from your machine. If the sysctl
35801 + option is enabled, a sysctl option with name "socket_server" is created.
35803 +config GRKERNSEC_SOCKET_SERVER_GID
35804 + int "GID to deny server sockets for"
35805 + depends on GRKERNSEC_SOCKET_SERVER
35808 + Here you can choose the GID to disable server socket access for.
35809 + Remember to add the users you want server socket access disabled for to
35810 + the GID specified here. If the sysctl option is enabled, a sysctl
35811 + option with name "socket_server_gid" is created.
35814 +menu "Sysctl support"
35815 +depends on GRKERNSEC && SYSCTL
35817 +config GRKERNSEC_SYSCTL
35818 + bool "Sysctl support"
35820 + If you say Y here, you will be able to change the options that
35821 + grsecurity runs with at bootup, without having to recompile your
35822 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
35823 + to enable (1) or disable (0) various features. All the sysctl entries
35824 + are mutable until the "grsec_lock" entry is set to a non-zero value.
35825 + All features enabled in the kernel configuration are disabled at boot
35826 + if you do not say Y to the "Turn on features by default" option.
35827 + All options should be set at startup, and the grsec_lock entry should
35828 + be set to a non-zero value after all the options are set.
35829 + *THIS IS EXTREMELY IMPORTANT*
35831 +config GRKERNSEC_SYSCTL_ON
35832 + bool "Turn on features by default"
35833 + depends on GRKERNSEC_SYSCTL
35835 + If you say Y here, instead of having all features enabled in the
35836 + kernel configuration disabled at boot time, the features will be
35837 + enabled at boot time. It is recommended you say Y here unless
35838 + there is some reason you would want all sysctl-tunable features to
35839 + be disabled by default. As mentioned elsewhere, it is important
35840 + to enable the grsec_lock entry once you have finished modifying
35841 + the sysctl entries.
35844 +menu "Logging Options"
35845 +depends on GRKERNSEC
35847 +config GRKERNSEC_FLOODTIME
35848 + int "Seconds in between log messages (minimum)"
35851 + This option allows you to enforce the number of seconds between
35852 + grsecurity log messages. The default should be suitable for most
35853 + people, however, if you choose to change it, choose a value small enough
35854 + to allow informative logs to be produced, but large enough to
35855 + prevent flooding.
35857 +config GRKERNSEC_FLOODBURST
35858 + int "Number of messages in a burst (maximum)"
35861 + This option allows you to choose the maximum number of messages allowed
35862 + within the flood time interval you chose in a separate option. The
35863 + default should be suitable for most people, however if you find that
35864 + many of your logs are being interpreted as flooding, you may want to
35865 + raise this value.
35870 diff -urNp linux-2.6.31/grsecurity/Makefile linux-2.6.31/grsecurity/Makefile
35871 --- linux-2.6.31/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
35872 +++ linux-2.6.31/grsecurity/Makefile 2009-09-06 15:29:12.079175235 -0400
35874 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
35875 +# during 2001-2009 it has been completely redesigned by Brad Spengler
35876 +# into an RBAC system
35878 +# All code in this directory and various hooks inserted throughout the kernel
35879 +# are copyright Brad Spengler - Open Source Security, Inc., and released
35880 +# under the GPL v2 or higher
35882 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
35883 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
35884 + grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
35886 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
35887 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
35888 + gracl_learn.o grsec_log.o
35889 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
35891 +ifndef CONFIG_GRKERNSEC
35892 +obj-y += grsec_disabled.o
35895 +ifdef CONFIG_GRKERNSEC_HIDESYM
35896 +extra-y := grsec_hidesym.o
35897 +$(obj)/grsec_hidesym.o:
35898 + @-chmod -f 500 /boot
35899 + @-chmod -f 500 /lib/modules
35901 + @echo ' grsec: protected kernel image paths'
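Review bot: The `$(obj)/grsec_hidesym.o:` rule never creates its target, so make re-runs the recipe on every build, and the recipe changes permissions on the build host's `/boot` and `/lib/modules` rather than on the machine the kernel is installed to (a cross-compile or packaging build touches the wrong system). With `@-` any failure (non-root build, read-only /boot) is silenced, so the user cannot tell whether the paths were actually protected. Moving the chmod to an install-time step and touching the target would fix both; at minimum a comment at the rule should state `# NOTE: runs on the build host at build time, not on the install target; failures are silently ignored`.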
35903 diff -urNp linux-2.6.31/include/asm-generic/atomic.h linux-2.6.31/include/asm-generic/atomic.h
35904 --- linux-2.6.31/include/asm-generic/atomic.h 2009-08-27 20:59:04.000000000 -0400
35905 +++ linux-2.6.31/include/asm-generic/atomic.h 2009-09-11 22:17:37.469806298 -0400
35907 #define atomic_read(v) ((v)->counter)
35910 + * atomic_read_unchecked - read atomic variable
35911 + * @v: pointer of type atomic_unchecked_t
35913 + * Atomically reads the value of @v. Note that the guaranteed
35914 + * useful range of an atomic_unchecked_t is only 24 bits.
35916 +#define atomic_read_unchecked(v) ((v)->counter)
35919 * atomic_set - set atomic variable
35920 * @v: pointer of type atomic_t
35921 * @i: required value
35924 #define atomic_set(v, i) (((v)->counter) = (i))
35927 + * atomic_set_unchecked - set atomic variable
35928 + * @v: pointer of type atomic_unchecked_t
35929 + * @i: required value
35931 + * Atomically sets the value of @v to @i. Note that the guaranteed
35932 + * useful range of an atomic_unchecked_t is only 24 bits.
35934 +#define atomic_set_unchecked(v, i) (((v)->counter) = (i))
35936 #include <asm/system.h>
35939 @@ -101,16 +120,31 @@ static inline void atomic_add(int i, ato
35940 atomic_add_return(i, v);
35943 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
35945 + atomic_add_return(i, (atomic_t *)v);
35948 static inline void atomic_sub(int i, atomic_t *v)
35950 atomic_sub_return(i, v);
35953 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
35955 + atomic_sub_return(i, (atomic_t *)v);
35958 static inline void atomic_inc(atomic_t *v)
35960 atomic_add_return(1, v);
35963 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
35965 + atomic_add_return(1, (atomic_t *)v);
35968 static inline void atomic_dec(atomic_t *v)
35970 atomic_sub_return(1, v);
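Review bot: Each `_unchecked` wrapper casts `atomic_unchecked_t *` to `atomic_t *` before calling the checked helper, which is only valid while the two structs stay layout-identical, and nothing in the hunk states or enforces that. A guard such as `BUILD_BUG_ON(sizeof(atomic_unchecked_t) != sizeof(atomic_t));` at an init site, or at least a comment on the first wrapper, `/* atomic_unchecked_t must stay layout-compatible with atomic_t */`, would make the assumption visible. In this generic header the unchecked variants perform exactly the same operation as the checked ones, so the distinction presumably only matters on architectures whose atomic_add/atomic_sub carry overflow checks; that deserves a sentence wherever atomic_unchecked_t is defined, which is outside this hunk. atomic_dec's body continues past the hunk.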
35971 diff -urNp linux-2.6.31/include/asm-generic/futex.h linux-2.6.31/include/asm-generic/futex.h
35972 --- linux-2.6.31/include/asm-generic/futex.h 2009-08-27 20:59:04.000000000 -0400
35973 +++ linux-2.6.31/include/asm-generic/futex.h 2009-09-06 15:29:12.079175235 -0400
35975 #include <asm/errno.h>
35978 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
35979 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
35981 int op = (encoded_op >> 28) & 7;
35982 int cmp = (encoded_op >> 24) & 15;
35983 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
35987 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
35988 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
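Review bot: `uaddr` becomes `u32 __user *` while `oldval` and `newval` stay `int`, so the value compared and stored now has a different signedness from the word it is read from; the same half-conversion appears in the first hunk (futex_atomic_op_inuser), where `encoded_op` is still an `int`. If the call sites are being changed to the same convention, the value parameters should follow, `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)`. Both function bodies and all callers are outside these hunks, so the change may be constrained by them.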
35992 diff -urNp linux-2.6.31/include/asm-generic/int-l64.h linux-2.6.31/include/asm-generic/int-l64.h
35993 --- linux-2.6.31/include/asm-generic/int-l64.h 2009-08-27 20:59:04.000000000 -0400
35994 +++ linux-2.6.31/include/asm-generic/int-l64.h 2009-09-06 15:29:12.079175235 -0400
35995 @@ -46,6 +46,8 @@ typedef unsigned int u32;
35996 typedef signed long s64;
35997 typedef unsigned long u64;
35999 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
36002 #define U8_C(x) x ## U
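Review bot: `intoverflow_t` is introduced without a comment saying what it is for, and its width differs between this header (128-bit via `mode(TI)`) and the int-ll64.h hunk (`unsigned long long`), which on 64-bit architectures that include int-ll64.h is the same width as `unsigned long`/`size_t` and leaves no headroom for detecting an overflowed product of two such operands. If the type is meant to hold the unwrapped result of size arithmetic, say so at both definitions, `/* wide enough to hold unsigned long * unsigned long without wrapping; used for overflow checks */`, and add `BUILD_BUG_ON(sizeof(intoverflow_t) < 2 * sizeof(unsigned long));` at a use site so the mismatch fails the build instead of silently weakening the check. The use sites are not in this chunk, so this is inferred from the name.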
36004 diff -urNp linux-2.6.31/include/asm-generic/int-ll64.h linux-2.6.31/include/asm-generic/int-ll64.h
36005 --- linux-2.6.31/include/asm-generic/int-ll64.h 2009-08-27 20:59:04.000000000 -0400
36006 +++ linux-2.6.31/include/asm-generic/int-ll64.h 2009-09-06 15:29:12.079175235 -0400
36007 @@ -51,6 +51,8 @@ typedef unsigned int u32;
36008 typedef signed long long s64;
36009 typedef unsigned long long u64;
36011 +typedef unsigned long long intoverflow_t;
36014 #define U8_C(x) x ## U
36016 diff -urNp linux-2.6.31/include/asm-generic/kmap_types.h linux-2.6.31/include/asm-generic/kmap_types.h
36017 --- linux-2.6.31/include/asm-generic/kmap_types.h 2009-08-27 20:59:04.000000000 -0400
36018 +++ linux-2.6.31/include/asm-generic/kmap_types.h 2009-09-06 15:29:12.080122868 -0400
36019 @@ -27,7 +27,8 @@ D(15) KM_UML_USERCOPY, /* UML specific,
36024 +D(19) KM_CLEARPAGE,
36029 diff -urNp linux-2.6.31/include/asm-generic/vmlinux.lds.h linux-2.6.31/include/asm-generic/vmlinux.lds.h
36030 --- linux-2.6.31/include/asm-generic/vmlinux.lds.h 2009-08-27 20:59:04.000000000 -0400
36031 +++ linux-2.6.31/include/asm-generic/vmlinux.lds.h 2009-09-06 15:29:12.080122868 -0400
36032 @@ -201,6 +201,7 @@
36033 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
36034 VMLINUX_SYMBOL(__start_rodata) = .; \
36035 *(.rodata) *(.rodata.*) \
36036 + *(.data.read_only) \
36037 *(__vermagic) /* Kernel version magic */ \
36038 *(__markers_strings) /* Markers: strings */ \
36039 *(__tracepoints_strings)/* Tracepoints: strings */ \
36040 @@ -641,22 +642,24 @@
36041 * section in the linker script will go there too. @phdr should have
36044 - * Note that this macros defines __per_cpu_load as an absolute symbol.
36045 + * Note that this macros defines per_cpu_load as an absolute symbol.
36046 * If there is no need to put the percpu section at a predetermined
36047 * address, use PERCPU().
36049 #define PERCPU_VADDR(vaddr, phdr) \
36050 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
36051 - .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
36052 + per_cpu_load = .; \
36053 + .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
36055 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
36056 VMLINUX_SYMBOL(__per_cpu_start) = .; \
36057 *(.data.percpu.first) \
36058 - *(.data.percpu.page_aligned) \
36060 + . = ALIGN(PAGE_SIZE); \
36061 + *(.data.percpu.page_aligned) \
36062 *(.data.percpu.shared_aligned) \
36063 VMLINUX_SYMBOL(__per_cpu_end) = .; \
36065 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
36066 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
36069 * PERCPU - define output section for percpu area, simple version
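Review bot: `per_cpu_load = .;` is assigned as a bare symbol while the two places that read it, `AT(VMLINUX_SYMBOL(per_cpu_load) …` and `. = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);`, go through VMLINUX_SYMBOL(); on architectures whose VMLINUX_SYMBOL() prepends an underscore the assignment and the references name different symbols and the link fails. Use the same form at all three sites, `VMLINUX_SYMBOL(per_cpu_load) = .;`. The updated comment says per_cpu_load is absolute, but `__per_cpu_load` is now computed as `. + per_cpu_load` inside a section with a fixed vaddr, so a sentence explaining that __per_cpu_load is intentionally section-relative would help readers of PERCPU_VADDR; the macro's first lines are outside the hunk.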
36070 diff -urNp linux-2.6.31/include/drm/drm_pciids.h linux-2.6.31/include/drm/drm_pciids.h
36071 --- linux-2.6.31/include/drm/drm_pciids.h 2009-08-27 20:59:04.000000000 -0400
36072 +++ linux-2.6.31/include/drm/drm_pciids.h 2009-09-06 15:29:12.080122868 -0400
36073 @@ -375,7 +375,7 @@
36074 {0x1002, 0x9712, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
36075 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
36076 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
36078 + {0, 0, 0, 0, 0, 0}
36080 #define r128_PCI_IDS \
36081 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36082 @@ -415,14 +415,14 @@
36083 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36084 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36085 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36087 + {0, 0, 0, 0, 0, 0}
36089 #define mga_PCI_IDS \
36090 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
36091 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
36092 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
36093 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
36095 + {0, 0, 0, 0, 0, 0}
36097 #define mach64_PCI_IDS \
36098 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36099 @@ -445,7 +445,7 @@
36100 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36101 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36102 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36104 + {0, 0, 0, 0, 0, 0}
36106 #define sisdrv_PCI_IDS \
36107 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36108 @@ -456,7 +456,7 @@
36109 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36110 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
36111 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
36113 + {0, 0, 0, 0, 0, 0}
36115 #define tdfx_PCI_IDS \
36116 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36117 @@ -465,7 +465,7 @@
36118 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36119 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36120 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36122 + {0, 0, 0, 0, 0, 0}
36124 #define viadrv_PCI_IDS \
36125 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36126 @@ -477,14 +477,14 @@
36127 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36128 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
36129 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
36131 + {0, 0, 0, 0, 0, 0}
36133 #define i810_PCI_IDS \
36134 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36135 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36136 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36137 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36139 + {0, 0, 0, 0, 0, 0}
36141 #define i830_PCI_IDS \
36142 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36143 @@ -492,11 +492,11 @@
36144 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36145 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36146 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36148 + {0, 0, 0, 0, 0, 0}
36150 #define gamma_PCI_IDS \
36151 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
36153 + {0, 0, 0, 0, 0, 0}
36155 #define savage_PCI_IDS \
36156 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
36157 @@ -522,10 +522,10 @@
36158 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
36159 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
36160 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
36162 + {0, 0, 0, 0, 0, 0}
36164 #define ffb_PCI_IDS \
36166 + {0, 0, 0, 0, 0, 0}
36168 #define i915_PCI_IDS \
36169 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
36170 @@ -557,4 +557,4 @@
36171 {0x8086, 0x35e8, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
36172 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
36173 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
36175 + {0, 0, 0, 0, 0, 0}
36176 diff -urNp linux-2.6.31/include/drm/drmP.h linux-2.6.31/include/drm/drmP.h
36177 --- linux-2.6.31/include/drm/drmP.h 2009-08-27 20:59:04.000000000 -0400
36178 +++ linux-2.6.31/include/drm/drmP.h 2009-09-06 15:29:12.080994514 -0400
36179 @@ -787,7 +787,7 @@ struct drm_driver {
36180 void (*gem_free_object) (struct drm_gem_object *obj);
36182 /* Driver private ops for this object */
36183 - struct vm_operations_struct *gem_vm_ops;
36184 + const struct vm_operations_struct *gem_vm_ops;
36188 @@ -890,7 +890,7 @@ struct drm_device {
36190 /** \name Usage Counters */
36192 - int open_count; /**< Outstanding files open */
36193 + atomic_t open_count; /**< Outstanding files open */
36194 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
36195 atomic_t vma_count; /**< Outstanding vma areas open */
36196 int buf_use; /**< Buffers in use -- cannot alloc */
36197 @@ -901,7 +901,7 @@ struct drm_device {
36199 unsigned long counters;
36200 enum drm_stat_type types[15];
36201 - atomic_t counts[15];
36202 + atomic_unchecked_t counts[15];
36205 struct list_head filelist;
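Review bot: `counts[15]` becomes `atomic_unchecked_t` while `open_count` in the previous hunk becomes a checked `atomic_t`, and nothing records why the two fields are treated differently. A comment on the field, `atomic_unchecked_t counts[15]; /* statistics only: wraparound is harmless, exempt from overflow checking */`, would tell the next reader the exemption was deliberate; I am inferring the statistics purpose from the adjacent `types[15]` and `counters` members, so confirm against the users. The code that previously did `open_count++`/`--` is outside this hunk and is not visible here.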
36206 diff -urNp linux-2.6.31/include/linux/agp_backend.h linux-2.6.31/include/linux/agp_backend.h
36207 --- linux-2.6.31/include/linux/agp_backend.h 2009-08-27 20:59:04.000000000 -0400
36208 +++ linux-2.6.31/include/linux/agp_backend.h 2009-09-06 15:29:12.080994514 -0400
36209 @@ -53,7 +53,7 @@ struct agp_kern_info {
36210 int current_memory;
36211 bool cant_use_aperture;
36212 unsigned long page_mask;
36213 - struct vm_operations_struct *vm_ops;
36214 + const struct vm_operations_struct *vm_ops;
36218 diff -urNp linux-2.6.31/include/linux/a.out.h linux-2.6.31/include/linux/a.out.h
36219 --- linux-2.6.31/include/linux/a.out.h 2009-08-27 20:59:04.000000000 -0400
36220 +++ linux-2.6.31/include/linux/a.out.h 2009-09-06 15:29:12.082025513 -0400
36221 @@ -39,6 +39,14 @@ enum machine_type {
36222 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
36225 +/* Constants for the N_FLAGS field */
36226 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
36227 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
36228 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
36229 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
36230 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
36231 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
36233 #if !defined (N_MAGIC)
36234 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
36236 diff -urNp linux-2.6.31/include/linux/atmdev.h linux-2.6.31/include/linux/atmdev.h
36237 --- linux-2.6.31/include/linux/atmdev.h 2009-08-27 20:59:04.000000000 -0400
36238 +++ linux-2.6.31/include/linux/atmdev.h 2009-09-06 15:29:12.082025513 -0400
36239 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
36242 struct k_atm_aal_stats {
36243 -#define __HANDLE_ITEM(i) atomic_t i
36244 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
36246 #undef __HANDLE_ITEM
36248 diff -urNp linux-2.6.31/include/linux/binfmts.h linux-2.6.31/include/linux/binfmts.h
36249 --- linux-2.6.31/include/linux/binfmts.h 2009-09-06 19:00:55.784445924 -0400
36250 +++ linux-2.6.31/include/linux/binfmts.h 2009-09-06 19:01:14.422554387 -0400
36251 @@ -78,6 +78,7 @@ struct linux_binfmt {
36252 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
36253 int (*load_shlib)(struct file *);
36254 int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit);
36255 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
36256 unsigned long min_coredump; /* minimal dump size */
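Review bot: The new `handle_mprotect` hook has no comment on its contract; existing binfmts will leave it NULL, so the call site must test the pointer before invoking it, and that caller is not in this hunk. A line such as `/* optional: invoked when a vma of this format is mprotect()ed; NULL when unused, callers must check */` makes the expectation explicit. Inserting the member before `min_coredump` also changes the struct layout, which is only safe if every in-tree initializer uses designated fields; that cannot be verified from here.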
36259 diff -urNp linux-2.6.31/include/linux/cache.h linux-2.6.31/include/linux/cache.h
36260 --- linux-2.6.31/include/linux/cache.h 2009-08-27 20:59:04.000000000 -0400
36261 +++ linux-2.6.31/include/linux/cache.h 2009-09-06 15:29:12.082947042 -0400
36263 #define __read_mostly
36266 +#ifndef __read_only
36267 +#define __read_only __read_mostly
36270 #ifndef ____cacheline_aligned
36271 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
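Review bot: The fallback `#define __read_only __read_mostly` means that on architectures which do not define their own `__read_only`, data annotated with it lands in the writable `.data.read_mostly` section (or plain `.data` where `__read_mostly` is empty) instead of `.data.read_only`, which the vmlinux.lds.h hunk places into `.rodata`; the annotation then gives no write protection while still reading as if it does. Say so at the definition, `/* fallback: no write protection; only an arch-specific __read_only places data in .data.read_only */`, so code relying on the protection is not silently unprotected on those architectures.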
36273 diff -urNp linux-2.6.31/include/linux/capability.h linux-2.6.31/include/linux/capability.h
36274 --- linux-2.6.31/include/linux/capability.h 2009-08-27 20:59:04.000000000 -0400
36275 +++ linux-2.6.31/include/linux/capability.h 2009-09-06 15:29:12.082947042 -0400
36276 @@ -563,6 +563,7 @@ extern const kernel_cap_t __cap_init_eff
36277 (security_real_capable_noaudit((t), (cap)) == 0)
36279 extern int capable(int cap);
36280 +int capable_nolog(int cap);
36282 /* audit system wants to get cap info from files as well */
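Review bot: `int capable_nolog(int cap);` should match the declaration directly above it and be written `extern int capable_nolog(int cap);`. A one-line comment on how it differs from capable() — presumably that a denied check is not logged or audited — would also help, since the name is the only hint and the definition is outside this hunk.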
36284 diff -urNp linux-2.6.31/include/linux/cgroup.h linux-2.6.31/include/linux/cgroup.h
36285 --- linux-2.6.31/include/linux/cgroup.h 2009-08-27 20:59:04.000000000 -0400
36286 +++ linux-2.6.31/include/linux/cgroup.h 2009-09-06 15:29:12.082947042 -0400
36287 @@ -37,7 +37,7 @@ extern void cgroup_exit(struct task_stru
36288 extern int cgroupstats_build(struct cgroupstats *stats,
36289 struct dentry *dentry);
36291 -extern struct file_operations proc_cgroup_operations;
36292 +extern const struct file_operations proc_cgroup_operations;
36294 /* Define the enumeration of all cgroup subsystems */
36295 #define SUBSYS(_x) _x ## _subsys_id,
36296 diff -urNp linux-2.6.31/include/linux/cpumask.h linux-2.6.31/include/linux/cpumask.h
36297 --- linux-2.6.31/include/linux/cpumask.h 2009-08-27 20:59:04.000000000 -0400
36298 +++ linux-2.6.31/include/linux/cpumask.h 2009-09-06 15:29:12.084068549 -0400
36299 @@ -142,7 +142,6 @@
36300 #include <linux/bitmap.h>
36302 typedef struct cpumask { DECLARE_BITMAP(bits, NR_CPUS); } cpumask_t;
36303 -extern cpumask_t _unused_cpumask_arg_;
36305 #ifndef CONFIG_DISABLE_OBSOLETE_CPUMASK_FUNCTIONS
36306 #define cpu_set(cpu, dst) __cpu_set((cpu), &(dst))
36307 diff -urNp linux-2.6.31/include/linux/decompress/mm.h linux-2.6.31/include/linux/decompress/mm.h
36308 --- linux-2.6.31/include/linux/decompress/mm.h 2009-08-27 20:59:04.000000000 -0400
36309 +++ linux-2.6.31/include/linux/decompress/mm.h 2009-09-06 15:29:12.084068549 -0400
36310 @@ -68,7 +68,7 @@ static void free(void *where)
36311 * warnings when not needed (indeed large_malloc / large_free are not
36312 * needed by inflate */
36314 -#define malloc(a) kmalloc(a, GFP_KERNEL)
36315 +#define malloc(a) kmalloc((a), GFP_KERNEL)
36316 #define free(a) kfree(a)
36318 #define large_malloc(a) vmalloc(a)
36319 diff -urNp linux-2.6.31/include/linux/elf.h linux-2.6.31/include/linux/elf.h
36320 --- linux-2.6.31/include/linux/elf.h 2009-08-27 20:59:04.000000000 -0400
36321 +++ linux-2.6.31/include/linux/elf.h 2009-09-06 15:29:12.084068549 -0400
36322 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
36323 #define PT_GNU_EH_FRAME 0x6474e550
36325 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
36326 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
36328 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
36330 +/* Constants for the e_flags field */
36331 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
36332 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
36333 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
36334 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
36335 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
36336 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
36338 /* These constants define the different elf file types */
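Review bot: The `EF_PAX_*` constants occupy the low bits of `e_flags`, a field whose meaning is architecture-specific and whose low bits several ABIs already assign, while the same hunk also adds `PT_PAX_FLAGS` as a program-header carrier for the same information. A comment stating which marking the loader honours when both are present, and on which architectures the e_flags form is safe, would prevent the two from being confused; the code that reads them is not in this hunk.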
36340 @@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
36341 #define DT_DEBUG 21
36342 #define DT_TEXTREL 22
36343 #define DT_JMPREL 23
36344 +#define DT_FLAGS 30
36345 + #define DF_TEXTREL 0x00000004
36346 #define DT_ENCODING 32
36347 #define OLD_DT_LOOS 0x60000000
36348 #define DT_LOOS 0x6000000d
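Review bot: `+ #define DF_TEXTREL 0x00000004` is indented by one space unlike every other `#define` in the file; write it flush, `#define DF_TEXTREL 0x00000004`. A short comment that DF_TEXTREL is a flag value carried in the DT_FLAGS entry, rather than a dynamic tag like its neighbours, would also help since it sits among DT_ tags.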
36349 @@ -230,6 +243,19 @@ typedef struct elf64_hdr {
36353 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
36354 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
36355 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
36356 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
36357 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
36358 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
36359 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
36360 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
36361 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
36362 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
36363 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
36364 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
36366 typedef struct elf32_phdr{
36368 Elf32_Off p_offset;
36369 @@ -322,6 +348,8 @@ typedef struct elf64_shdr {
36375 #define ELFMAG0 0x7f /* EI_MAG */
36376 #define ELFMAG1 'E'
36377 #define ELFMAG2 'L'
36378 @@ -385,6 +413,7 @@ extern Elf32_Dyn _DYNAMIC [];
36379 #define elf_phdr elf32_phdr
36380 #define elf_note elf32_note
36381 #define elf_addr_t Elf32_Off
36382 +#define elf_dyn Elf32_Dyn
36386 @@ -393,6 +422,7 @@ extern Elf64_Dyn _DYNAMIC [];
36387 #define elf_phdr elf64_phdr
36388 #define elf_note elf64_note
36389 #define elf_addr_t Elf64_Off
36390 +#define elf_dyn Elf64_Dyn
36394 diff -urNp linux-2.6.31/include/linux/fs.h linux-2.6.31/include/linux/fs.h
36395 --- linux-2.6.31/include/linux/fs.h 2009-08-27 20:59:04.000000000 -0400
36396 +++ linux-2.6.31/include/linux/fs.h 2009-09-06 15:29:12.084908291 -0400
36397 @@ -87,6 +87,10 @@ struct inodes_stat_t {
36399 #define FMODE_NOCMTIME ((__force fmode_t)2048)
36401 +/* Hack for grsec so as not to require read permission simply to execute
36403 +#define FMODE_GREXEC ((__force fmode_t)8192)
36406 * The below are the various read and write types that we support. Some of
36407 * them include behavioral modifiers that send information down to the
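Review bot: `FMODE_GREXEC` takes bit value 8192, skipping 4096, with no comment on why; since upstream allocates FMODE_ bits sequentially, a later mainline addition can collide with it silently. Note the chosen bit and the risk next to the definition, `/* 0x2000; out-of-tree, keep clear of upstream FMODE_ bits which are assigned sequentially */`. The explanatory comment above it is cut off in this chunk, so I cannot tell whether it already says this.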
36408 @@ -2430,7 +2434,7 @@ static int __fops ## _open(struct inode
36409 __simple_attr_check_format(__fmt, 0ull); \
36410 return simple_attr_open(inode, file, __get, __set, __fmt); \
36412 -static struct file_operations __fops = { \
36413 +static const struct file_operations __fops = { \
36414 .owner = THIS_MODULE, \
36415 .open = __fops ## _open, \
36416 .release = simple_attr_release, \
36417 diff -urNp linux-2.6.31/include/linux/fs_struct.h linux-2.6.31/include/linux/fs_struct.h
36418 --- linux-2.6.31/include/linux/fs_struct.h 2009-08-27 20:59:04.000000000 -0400
36419 +++ linux-2.6.31/include/linux/fs_struct.h 2009-09-06 15:29:12.086023867 -0400
36421 #include <linux/path.h>
36429 diff -urNp linux-2.6.31/include/linux/genhd.h linux-2.6.31/include/linux/genhd.h
36430 --- linux-2.6.31/include/linux/genhd.h 2009-08-27 20:59:04.000000000 -0400
36431 +++ linux-2.6.31/include/linux/genhd.h 2009-09-06 15:29:12.086023867 -0400
36432 @@ -161,7 +161,7 @@ struct gendisk {
36434 struct timer_rand_state *random;
36436 - atomic_t sync_io; /* RAID */
36437 + atomic_unchecked_t sync_io; /* RAID */
36438 struct work_struct async_notify;
36439 #ifdef CONFIG_BLK_DEV_INTEGRITY
36440 struct blk_integrity *integrity;
36441 diff -urNp linux-2.6.31/include/linux/gracl.h linux-2.6.31/include/linux/gracl.h
36442 --- linux-2.6.31/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
36443 +++ linux-2.6.31/include/linux/gracl.h 2009-09-10 19:32:47.448174115 -0400
36448 +#include <linux/grdefs.h>
36449 +#include <linux/resource.h>
36450 +#include <linux/capability.h>
36451 +#include <linux/dcache.h>
36452 +#include <asm/resource.h>
36454 +/* Major status information */
36456 +#define GR_VERSION "grsecurity 2.1.14"
36457 +#define GRSECURITY_VERSION 0x2114
36468 + GR_SPROLEPAM = 8,
36471 +/* Password setup definitions
36472 + * kernel/grhash.c */
36475 + GR_SALT_LEN = 16,
36480 + GR_SPROLE_LEN = 64,
36483 +#define GR_NLIMITS 32
36485 +/* Begin Data Structures */
36487 +struct sprole_pw {
36488 + unsigned char *rolename;
36489 + unsigned char salt[GR_SALT_LEN];
36490 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
36493 +struct name_entry {
36500 + struct name_entry *prev;
36501 + struct name_entry *next;
36504 +struct inodev_entry {
36505 + struct name_entry *nentry;
36506 + struct inodev_entry *prev;
36507 + struct inodev_entry *next;
36510 +struct acl_role_db {
36511 + struct acl_role_label **r_hash;
36515 +struct inodev_db {
36516 + struct inodev_entry **i_hash;
36521 + struct name_entry **n_hash;
36525 +struct crash_uid {
36527 + unsigned long expires;
36530 +struct gr_hash_struct {
36532 + void **nametable;
36534 + __u32 table_size;
36539 +/* Userspace Grsecurity ACL data structures */
36541 +struct acl_subject_label {
36546 + kernel_cap_t cap_mask;
36547 + kernel_cap_t cap_lower;
36549 + struct rlimit res[GR_NLIMITS];
36552 + __u8 user_trans_type;
36553 + __u8 group_trans_type;
36554 + uid_t *user_transitions;
36555 + gid_t *group_transitions;
36556 + __u16 user_trans_num;
36557 + __u16 group_trans_num;
36559 + __u32 ip_proto[8];
36561 + struct acl_ip_label **ips;
36563 + __u32 inaddr_any_override;
36566 + unsigned long expires;
36568 + struct acl_subject_label *parent_subject;
36569 + struct gr_hash_struct *hash;
36570 + struct acl_subject_label *prev;
36571 + struct acl_subject_label *next;
36573 + struct acl_object_label **obj_hash;
36574 + __u32 obj_hash_size;
36578 +struct role_allowed_ip {
36582 + struct role_allowed_ip *prev;
36583 + struct role_allowed_ip *next;
36586 +struct role_transition {
36589 + struct role_transition *prev;
36590 + struct role_transition *next;
36593 +struct acl_role_label {
36598 + __u16 auth_attempts;
36599 + unsigned long expires;
36601 + struct acl_subject_label *root_label;
36602 + struct gr_hash_struct *hash;
36604 + struct acl_role_label *prev;
36605 + struct acl_role_label *next;
36607 + struct role_transition *transitions;
36608 + struct role_allowed_ip *allowed_ips;
36609 + uid_t *domain_children;
36610 + __u16 domain_child_num;
36612 + struct acl_subject_label **subj_hash;
36613 + __u32 subj_hash_size;
36616 +struct user_acl_role_db {
36617 + struct acl_role_label **r_table;
36618 + __u32 num_pointers; /* Number of allocations to track */
36619 + __u32 num_roles; /* Number of roles */
36620 + __u32 num_domain_children; /* Number of domain children */
36621 + __u32 num_subjects; /* Number of subjects */
36622 + __u32 num_objects; /* Number of objects */
36625 +struct acl_object_label {
36631 + struct acl_subject_label *nested;
36632 + struct acl_object_label *globbed;
36634 + /* next two structures not used */
36636 + struct acl_object_label *prev;
36637 + struct acl_object_label *next;
36640 +struct acl_ip_label {
36649 + /* next two structures not used */
36651 + struct acl_ip_label *prev;
36652 + struct acl_ip_label *next;
36656 + struct user_acl_role_db role_db;
36657 + unsigned char pw[GR_PW_LEN];
36658 + unsigned char salt[GR_SALT_LEN];
36659 + unsigned char sum[GR_SHA_LEN];
36660 + unsigned char sp_role[GR_SPROLE_LEN];
36661 + struct sprole_pw *sprole_pws;
36662 + dev_t segv_device;
36663 + ino_t segv_inode;
36665 + __u16 num_sprole_pws;
36669 +struct gr_arg_wrapper {
36670 + struct gr_arg *arg;
36675 +struct subject_map {
36676 + struct acl_subject_label *user;
36677 + struct acl_subject_label *kernel;
36678 + struct subject_map *prev;
36679 + struct subject_map *next;
36682 +struct acl_subj_map_db {
36683 + struct subject_map **s_hash;
36687 +/* End Data Structures Section */
36689 +/* Hash functions generated by empirical testing by Brad Spengler
36690 + Makes good use of the low bits of the inode. Generally 0-1 times
36691 + in loop for successful match. 0-3 for unsuccessful match.
36692 + Shift/add algorithm with modulus of table size and an XOR*/
36694 +static __inline__ unsigned int
36695 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
36697 + return (((uid << type) + (uid ^ type)) % sz);
36700 + static __inline__ unsigned int
36701 +shash(const struct acl_subject_label *userp, const unsigned int sz)
36703 + return ((const unsigned long)userp % sz);
36706 +static __inline__ unsigned int
36707 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
36709 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
36712 +static __inline__ unsigned int
36713 +nhash(const char *name, const __u16 len, const unsigned int sz)
36715 + return full_name_hash(name, len) % sz;
36718 +#define FOR_EACH_ROLE_START(role,iter) \
36721 + while (iter < acl_role_set.r_size) { \
36722 + if (role == NULL) \
36723 + role = acl_role_set.r_hash[iter]; \
36724 + if (role == NULL) { \
36729 +#define FOR_EACH_ROLE_END(role,iter) \
36730 + role = role->next; \
36731 + if (role == NULL) \
36735 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
36738 + while (iter < role->subj_hash_size) { \
36739 + if (subj == NULL) \
36740 + subj = role->subj_hash[iter]; \
36741 + if (subj == NULL) { \
36746 +#define FOR_EACH_SUBJECT_END(subj,iter) \
36747 + subj = subj->next; \
36748 + if (subj == NULL) \
36753 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
36754 + subj = role->hash->first; \
36755 + while (subj != NULL) {
36757 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
36758 + subj = subj->next; \
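Review bot: `rhash()` computes `uid << type`; if `type` is one of the GR_ROLE_* bit values from grdefs.h (which run up to 0x0400), a shift count of 32 or more is undefined behaviour for a 32-bit `uid_t` and the hash becomes compiler-dependent, so either document that only small `type` values are passed or bound the count, `(uid << (type & 31))`; the callers are not in this hunk. `shash()` casts with `(const unsigned long)userp` — the qualifier on a scalar cast is meaningless, `(unsigned long)userp` is the conventional form, and the stray indentation before its `static __inline__` should go. `struct sprole_pw` stores a 16-byte salt and a 256-bit hash with no visible iteration count; a comment pointing to the scheme in kernel/grhash.c would let reviewers evaluate it without reading the implementation.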
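--- a/linux-2.6.31/include/linux/gralloc.h
+++ b/linux-2.6.31/include/linux/gralloc.h
+#ifndef __GRALLOC_H
+#define __GRALLOC_H
+void acl_free_all(void);
+int acl_alloc_stack_init(unsigned long size);
+void *acl_alloc(unsigned long len);
+void *acl_alloc_num(unsigned long num, unsigned long len);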
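Review bot: The four prototypes carry no contract, and `acl_alloc_num(unsigned long num, unsigned long len)` is the one that needs it: nothing here says whether the `num * len` product is overflow-checked or what a failed allocation returns, and this header is the only place a caller will look. I'd add a comment block above the prototypes stating the failure return value, that allocations come from the stack set up by `acl_alloc_stack_init` and are released only by `acl_free_all` (inferred from the names; confirm against the implementation), and that `acl_alloc_num` rejects a product that would overflow if the implementation does so. The closing `#endif` of the include guard is not visible in this view, so the section may be incomplete on the page.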
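--- a/linux-2.6.31/include/linux/grdefs.h
+++ b/linux-2.6.31/include/linux/grdefs.h
+/* Begin grsecurity status declarations */
+ GR_STATUS_INIT = 0x00 // disabled state
+/* Begin ACL declarations */
+ GR_ROLE_USER = 0x0001,
+ GR_ROLE_GROUP = 0x0002,
+ GR_ROLE_DEFAULT = 0x0004,
+ GR_ROLE_SPECIAL = 0x0008,
+ GR_ROLE_AUTH = 0x0010,
+ GR_ROLE_NOPW = 0x0020,
+ GR_ROLE_GOD = 0x0040,
+ GR_ROLE_LEARN = 0x0080,
+ GR_ROLE_TPE = 0x0100,
+ GR_ROLE_DOMAIN = 0x0200,
+ GR_ROLE_PAM = 0x0400
+/* ACL Subject and Object mode flags */
+ GR_DELETED = 0x80000000
+/* ACL Object-only mode flags */
+ GR_READ = 0x00000001,
+ GR_APPEND = 0x00000002,
+ GR_WRITE = 0x00000004,
+ GR_EXEC = 0x00000008,
+ GR_FIND = 0x00000010,
+ GR_INHERIT = 0x00000020,
+ GR_SETID = 0x00000040,
+ GR_CREATE = 0x00000080,
+ GR_DELETE = 0x00000100,
+ GR_LINK = 0x00000200,
+ GR_AUDIT_READ = 0x00000400,
+ GR_AUDIT_APPEND = 0x00000800,
+ GR_AUDIT_WRITE = 0x00001000,
+ GR_AUDIT_EXEC = 0x00002000,
+ GR_AUDIT_FIND = 0x00004000,
+ GR_AUDIT_INHERIT= 0x00008000,
+ GR_AUDIT_SETID = 0x00010000,
+ GR_AUDIT_CREATE = 0x00020000,
+ GR_AUDIT_DELETE = 0x00040000,
+ GR_AUDIT_LINK = 0x00080000,
+ GR_PTRACERD = 0x00100000,
+ GR_NOPTRACE = 0x00200000,
+ GR_SUPPRESS = 0x00400000,
+ GR_NOLEARN = 0x00800000
+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
+/* ACL subject-only mode flags */
+ GR_KILL = 0x00000001,
+ GR_VIEW = 0x00000002,
+ GR_PROTECTED = 0x00000004,
+ GR_LEARN = 0x00000008,
+ GR_OVERRIDE = 0x00000010,
+ /* just a placeholder, this mode is only used in userspace */
+ GR_DUMMY = 0x00000020,
+ GR_PROTSHM = 0x00000040,
+ GR_KILLPROC = 0x00000080,
+ GR_KILLIPPROC = 0x00000100,
+ /* just a placeholder, this mode is only used in userspace */
+ GR_NOTROJAN = 0x00000200,
+ GR_PROTPROCFD = 0x00000400,
+ GR_PROCACCT = 0x00000800,
+ GR_RELAXPTRACE = 0x00001000,
+ GR_NESTED = 0x00002000,
+ GR_INHERITLEARN = 0x00004000,
+ GR_PROCFIND = 0x00008000,
+ GR_POVERRIDE = 0x00010000,
+ GR_KERNELAUTH = 0x00020000,
+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
+ GR_PAX_ENABLE_MPROTECT = 0x0004,
+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
+ GR_PAX_DISABLE_MPROTECT = 0x0400,
+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
+ GR_ID_USER = 0x01,
+ GR_ID_GROUP = 0x02,
+ GR_ID_ALLOW = 0x01,
+ GR_ID_DENY = 0x02,
+#define GR_CRASH_RES 31
+#define GR_UIDTABLE_MAX 500
+/* begin resource learning section */
+ GR_RLIM_CPU_BUMP = 60,
+ GR_RLIM_FSIZE_BUMP = 50000,
+ GR_RLIM_DATA_BUMP = 10000,
+ GR_RLIM_STACK_BUMP = 1000,
+ GR_RLIM_CORE_BUMP = 10000,
+ GR_RLIM_RSS_BUMP = 500000,
+ GR_RLIM_NPROC_BUMP = 1,
+ GR_RLIM_NOFILE_BUMP = 5,
+ GR_RLIM_MEMLOCK_BUMP = 50000,
+ GR_RLIM_AS_BUMP = 500000,
+ GR_RLIM_LOCKS_BUMP = 2,
+ GR_RLIM_SIGPENDING_BUMP = 5,
+ GR_RLIM_MSGQUEUE_BUMP = 10000,
+ GR_RLIM_NICE_BUMP = 1,
+ GR_RLIM_RTPRIO_BUMP = 1,
+ GR_RLIM_RTTIME_BUMP = 1000000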
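Review bot: `GR_DELETED = 0x80000000` in the "Subject and Object mode flags" block does not fit in an `int`, and ISO C requires every enumerator to be representable as `int`; GCC accepts it as an extension, but `-pedantic` warns and the enum's underlying type silently becomes unsigned. Since these flags are consumed as `__u32` mode values (the `mode` parameters in grinternal.h are `__u32`), the portable form is `#define GR_DELETED 0x80000000U`. On style, `GR_CRASH_RES` and `GR_UIDTABLE_MAX` are `#define`s in a file that otherwise uses anonymous enums for integer constants; folding them into an enum keeps them debugger-visible and block-scoped. Note also that the object-only flags (`GR_READ` …) and the subject-only flags (`GR_KILL` …) reuse the same bit values, so nothing in the type system stops a subject flag from being tested against an object mode; a one-line comment on each block naming the field it applies to would help readers.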
36916 diff -urNp linux-2.6.31/include/linux/grinternal.h linux-2.6.31/include/linux/grinternal.h
36917 --- linux-2.6.31/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
36918 +++ linux-2.6.31/include/linux/grinternal.h 2009-09-06 16:28:09.330920287 -0400
36920 +#ifndef __GRINTERNAL_H
36921 +#define __GRINTERNAL_H
36923 +#ifdef CONFIG_GRKERNSEC
36925 +#include <linux/fs.h>
36926 +#include <linux/gracl.h>
36927 +#include <linux/grdefs.h>
36928 +#include <linux/grmsg.h>
36930 +void gr_add_learn_entry(const char *fmt, ...)
36931 + __attribute__ ((format (printf, 1, 2)));
36932 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
36933 + const struct vfsmount *mnt);
36934 +__u32 gr_check_create(const struct dentry *new_dentry,
36935 + const struct dentry *parent,
36936 + const struct vfsmount *mnt, const __u32 mode);
36937 +int gr_check_protected_task(const struct task_struct *task);
36938 +__u32 to_gr_audit(const __u32 reqmode);
36939 +int gr_set_acls(const int type);
36941 +int gr_acl_is_enabled(void);
36942 +char gr_roletype_to_char(void);
36944 +void gr_handle_alertkill(struct task_struct *task);
36945 +char *gr_to_filename(const struct dentry *dentry,
36946 + const struct vfsmount *mnt);
36947 +char *gr_to_filename1(const struct dentry *dentry,
36948 + const struct vfsmount *mnt);
36949 +char *gr_to_filename2(const struct dentry *dentry,
36950 + const struct vfsmount *mnt);
36951 +char *gr_to_filename3(const struct dentry *dentry,
36952 + const struct vfsmount *mnt);
36954 +extern int grsec_enable_harden_ptrace;
36955 +extern int grsec_enable_link;
36956 +extern int grsec_enable_fifo;
36957 +extern int grsec_enable_execve;
36958 +extern int grsec_enable_shm;
36959 +extern int grsec_enable_execlog;
36960 +extern int grsec_enable_signal;
36961 +extern int grsec_enable_forkfail;
36962 +extern int grsec_enable_time;
36963 +extern int grsec_enable_chroot_shmat;
36964 +extern int grsec_enable_chroot_findtask;
36965 +extern int grsec_enable_chroot_mount;
36966 +extern int grsec_enable_chroot_double;
36967 +extern int grsec_enable_chroot_pivot;
36968 +extern int grsec_enable_chroot_chdir;
36969 +extern int grsec_enable_chroot_chmod;
36970 +extern int grsec_enable_chroot_mknod;
36971 +extern int grsec_enable_chroot_fchdir;
36972 +extern int grsec_enable_chroot_nice;
36973 +extern int grsec_enable_chroot_execlog;
36974 +extern int grsec_enable_chroot_caps;
36975 +extern int grsec_enable_chroot_sysctl;
36976 +extern int grsec_enable_chroot_unix;
36977 +extern int grsec_enable_tpe;
36978 +extern int grsec_tpe_gid;
36979 +extern int grsec_enable_tpe_all;
36980 +extern int grsec_enable_sidcaps;
36981 +extern int grsec_enable_socket_all;
36982 +extern int grsec_socket_all_gid;
36983 +extern int grsec_enable_socket_client;
36984 +extern int grsec_socket_client_gid;
36985 +extern int grsec_enable_socket_server;
36986 +extern int grsec_socket_server_gid;
36987 +extern int grsec_audit_gid;
36988 +extern int grsec_enable_group;
36989 +extern int grsec_enable_audit_ipc;
36990 +extern int grsec_enable_audit_textrel;
36991 +extern int grsec_enable_mount;
36992 +extern int grsec_enable_chdir;
36993 +extern int grsec_resource_logging;
36994 +extern int grsec_lock;
36996 +extern spinlock_t grsec_alert_lock;
36997 +extern unsigned long grsec_alert_wtime;
36998 +extern unsigned long grsec_alert_fyet;
37000 +extern spinlock_t grsec_audit_lock;
37002 +extern rwlock_t grsec_exec_file_lock;
37004 +#define gr_task_fullpath(tsk) (tsk->exec_file ? \
37005 + gr_to_filename2(tsk->exec_file->f_path.dentry, \
37006 + tsk->exec_file->f_vfsmnt) : "/")
37008 +#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
37009 + gr_to_filename3(tsk->parent->exec_file->f_path.dentry, \
37010 + tsk->parent->exec_file->f_vfsmnt) : "/")
37012 +#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
37013 + gr_to_filename(tsk->exec_file->f_path.dentry, \
37014 + tsk->exec_file->f_vfsmnt) : "/")
37016 +#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
37017 + gr_to_filename1(tsk->parent->exec_file->f_path.dentry, \
37018 + tsk->parent->exec_file->f_vfsmnt) : "/")
37020 +#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
37021 + ((tsk_a->fs->root.dentry->d_inode->i_sb->s_dev != \
37022 + tsk_a->nsproxy->pid_ns->child_reaper->fs->root.dentry->d_inode->i_sb->s_dev) || \
37023 + (tsk_a->fs->root.dentry->d_inode->i_ino != \
37024 + tsk_a->nsproxy->pid_ns->child_reaper->fs->root.dentry->d_inode->i_ino)))
37026 +#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
37027 + (tsk_a->fs->root.dentry->d_inode->i_sb->s_dev == \
37028 + tsk_b->fs->root.dentry->d_inode->i_sb->s_dev) && \
37029 + (tsk_a->fs->root.dentry->d_inode->i_ino == \
37030 + tsk_b->fs->root.dentry->d_inode->i_ino))
37032 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), task->comm, \
37033 + task->pid, cred->uid, \
37034 + cred->euid, cred->gid, cred->egid, \
37035 + gr_parent_task_fullpath(task), \
37036 + task->parent->comm, task->parent->pid, \
37037 + pcred->uid, pcred->euid, \
37038 + pcred->gid, pcred->egid
37040 +#define GR_CHROOT_CAPS {{ \
37041 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
37042 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
37043 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
37044 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
37045 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
37046 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
37048 +#define security_learn(normal_msg,args...) \
37050 + read_lock(&grsec_exec_file_lock); \
37051 + gr_add_learn_entry(normal_msg "\n", ## args); \
37052 + read_unlock(&grsec_exec_file_lock); \
37058 + GR_DONT_AUDIT_GOOD
37069 + GR_SYSCTL_HIDDEN,
37072 + GR_ONE_INT_TWO_STR,
37077 + GR_FIVE_INT_TWO_STR,
37083 + GR_FILENAME_TWO_INT,
37084 + GR_FILENAME_TWO_INT_STR,
37095 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
37096 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
37097 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
37098 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
37099 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
37100 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
37101 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
37102 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
37103 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
37104 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
37105 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
37106 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
37107 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
37108 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
37109 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
37110 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
37111 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
37112 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
37113 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
37114 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
37115 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
37116 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
37117 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
37118 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
37119 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
37120 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
37121 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
37122 +#define gr_log_sig(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG, task, num)
37123 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
37124 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
37125 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
37127 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
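Review bot: `proc_is_chrooted` guards `tsk_a->fs` against NULL but then dereferences `tsk_a->nsproxy->pid_ns->child_reaper->fs` unguarded; a task's `nsproxy` and the reaper's `fs` can both be NULL while that task is exiting, so either a check on those pointers is needed or the macro must document that the caller guarantees they are live. `have_same_root` has the same shape: both `fs` pointers are checked, then `root.dentry->d_inode` is walked without a check, which is unlikely to be NULL for a root dentry but deserves a comment. On style, none of these macros parenthesize their parameters (`tsk_a->fs` rather than `(tsk_a)->fs`), and `gr_task_fullpath` evaluates `tsk->exec_file` three times between the test and the use; since `security_learn` takes `grsec_exec_file_lock` around the learn entry, the convention is presumably that callers of the fullpath macros hold that lock while `exec_file` is read, and that should be stated above the macro definitions.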
37132 diff -urNp linux-2.6.31/include/linux/grmsg.h linux-2.6.31/include/linux/grmsg.h
37133 --- linux-2.6.31/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
37134 +++ linux-2.6.31/include/linux/grmsg.h 2009-09-06 15:29:12.086949158 -0400
37136 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
37137 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
37138 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
37139 +#define GR_STOPMOD_MSG "denied modification of module state by "
37140 +#define GR_IOPERM_MSG "denied use of ioperm() by "
37141 +#define GR_IOPL_MSG "denied use of iopl() by "
37142 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
37143 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
37144 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
37145 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
37146 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
37147 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
37148 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
37149 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
37150 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
37151 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
37152 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
37153 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
37154 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
37155 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
37156 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
37157 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
37158 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
37159 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
37160 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
37161 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
37162 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
37163 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
37164 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
37165 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
37166 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
37167 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
37168 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
37169 +#define GR_NPROC_MSG "denied overstep of process limit by "
37170 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
37171 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
37172 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
37173 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
37174 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
37175 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
37176 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
37177 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
37178 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
37179 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
37180 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
37181 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
37182 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
37183 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
37184 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
37185 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
37186 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
37187 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
37188 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
37189 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
37190 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
37191 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
37192 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
37193 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
37194 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
37195 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
37196 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
37197 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
37198 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
37199 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
37200 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
37201 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
37202 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
37203 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
37204 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
37205 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
37206 +#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
37207 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
37208 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
37209 +#define GR_FAILFORK_MSG "failed fork with errno %d by "
37210 +#define GR_NICE_CHROOT_MSG "denied priority change by "
37211 +#define GR_UNISIGLOG_MSG "signal %d sent to "
37212 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
37213 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
37214 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
37215 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
37216 +#define GR_TIME_MSG "time set by "
37217 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
37218 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
37219 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
37220 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
37221 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
37222 +#define GR_BIND_MSG "denied bind() by "
37223 +#define GR_CONNECT_MSG "denied connect() by "
37224 +#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
37225 +#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
37226 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
37227 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
37228 +#define GR_CAP_ACL_MSG "use of %s denied for "
37229 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
37230 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
37231 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
37232 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
37233 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
37234 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
37235 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
37236 +#define GR_MSGQ_AUDIT_MSG "message queue created by "
37237 +#define GR_MSGQR_AUDIT_MSG "message queue of uid:%u euid:%u removed by "
37238 +#define GR_SEM_AUDIT_MSG "semaphore created by "
37239 +#define GR_SEMR_AUDIT_MSG "semaphore of uid:%u euid:%u removed by "
37240 +#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
37241 +#define GR_SHMR_AUDIT_MSG "shared memory of uid:%u euid:%u removed by "
37242 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
37243 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
37244 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
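Review bot: `GR_SHM_AUDIT_MSG` formats the size with `%d`, but the matching prototype in grsecurity.h is `gr_log_shmget(const int err, const int shmflg, const size_t size)`; if the size is handed to the format unchanged, that is a type mismatch on 64-bit builds, and `"shared memory of size %zu created by "` (or an explicit cast at the call site) would be correct. `GR_TEXTREL_AUDIT_MSG` is also the only message that prints a file name with a bare `%s`; every other path in this file is bounded with a precision such as `%.950s`, presumably to keep a formatted line inside a fixed buffer, so the same precision should be used there. Wording: `GR_DEV_ACL_MSG` reads "being fed garbaged by", where "garbage" is intended.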
37245 diff -urNp linux-2.6.31/include/linux/grsecurity.h linux-2.6.31/include/linux/grsecurity.h
37246 --- linux-2.6.31/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
37247 +++ linux-2.6.31/include/linux/grsecurity.h 2009-09-06 15:29:12.086949158 -0400
37249 +#ifndef GR_SECURITY_H
37250 +#define GR_SECURITY_H
37251 +#include <linux/fs.h>
37252 +#include <linux/fs_struct.h>
37253 +#include <linux/binfmts.h>
37254 +#include <linux/gracl.h>
37256 +/* notify of brain-dead configs */
37257 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
37258 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
37260 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
37261 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
37263 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
37264 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
37266 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
37267 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
37269 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
37270 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
37273 +void gr_handle_brute_attach(struct task_struct *p);
37274 +void gr_handle_brute_check(void);
37276 +char gr_roletype_to_char(void);
37278 +int gr_check_user_change(int real, int effective, int fs);
37279 +int gr_check_group_change(int real, int effective, int fs);
37281 +void gr_del_task_from_ip_table(struct task_struct *p);
37283 +int gr_pid_is_chrooted(struct task_struct *p);
37284 +int gr_handle_chroot_nice(void);
37285 +int gr_handle_chroot_sysctl(const int op);
37286 +int gr_handle_chroot_setpriority(struct task_struct *p,
37287 + const int niceval);
37288 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
37289 +int gr_handle_chroot_chroot(const struct dentry *dentry,
37290 + const struct vfsmount *mnt);
37291 +int gr_handle_chroot_caps(struct path *path);
37292 +void gr_handle_chroot_chdir(struct path *path);
37293 +int gr_handle_chroot_chmod(const struct dentry *dentry,
37294 + const struct vfsmount *mnt, const int mode);
37295 +int gr_handle_chroot_mknod(const struct dentry *dentry,
37296 + const struct vfsmount *mnt, const int mode);
37297 +int gr_handle_chroot_mount(const struct dentry *dentry,
37298 + const struct vfsmount *mnt,
37299 + const char *dev_name);
37300 +int gr_handle_chroot_pivot(void);
37301 +int gr_handle_chroot_unix(const pid_t pid);
37303 +int gr_handle_rawio(const struct inode *inode);
37304 +int gr_handle_nproc(void);
37306 +void gr_handle_ioperm(void);
37307 +void gr_handle_iopl(void);
37309 +int gr_tpe_allow(const struct file *file);
37311 +int gr_random_pid(void);
37313 +void gr_log_forkfail(const int retval);
37314 +void gr_log_timechange(void);
37315 +void gr_log_signal(const int sig, const struct task_struct *t);
37316 +void gr_log_chdir(const struct dentry *dentry,
37317 + const struct vfsmount *mnt);
37318 +void gr_log_chroot_exec(const struct dentry *dentry,
37319 + const struct vfsmount *mnt);
37320 +void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
37321 +void gr_log_remount(const char *devname, const int retval);
37322 +void gr_log_unmount(const char *devname, const int retval);
37323 +void gr_log_mount(const char *from, const char *to, const int retval);
37324 +void gr_log_msgget(const int ret, const int msgflg);
37325 +void gr_log_msgrm(const uid_t uid, const uid_t cuid);
37326 +void gr_log_semget(const int err, const int semflg);
37327 +void gr_log_semrm(const uid_t uid, const uid_t cuid);
37328 +void gr_log_shmget(const int err, const int shmflg, const size_t size);
37329 +void gr_log_shmrm(const uid_t uid, const uid_t cuid);
37330 +void gr_log_textrel(struct vm_area_struct *vma);
37332 +int gr_handle_follow_link(const struct inode *parent,
37333 + const struct inode *inode,
37334 + const struct dentry *dentry,
37335 + const struct vfsmount *mnt);
37336 +int gr_handle_fifo(const struct dentry *dentry,
37337 + const struct vfsmount *mnt,
37338 + const struct dentry *dir, const int flag,
37339 + const int acc_mode);
37340 +int gr_handle_hardlink(const struct dentry *dentry,
37341 + const struct vfsmount *mnt,
37342 + struct inode *inode,
37343 + const int mode, const char *to);
37345 +int gr_is_capable(const int cap);
37346 +int gr_is_capable_nolog(const int cap);
37347 +void gr_learn_resource(const struct task_struct *task, const int limit,
37348 + const unsigned long wanted, const int gt);
37349 +void gr_copy_label(struct task_struct *tsk);
37350 +void gr_handle_crash(struct task_struct *task, const int sig);
37351 +int gr_handle_signal(const struct task_struct *p, const int sig);
37352 +int gr_check_crash_uid(const uid_t uid);
37353 +int gr_check_protected_task(const struct task_struct *task);
37354 +int gr_acl_handle_mmap(const struct file *file,
37355 + const unsigned long prot);
37356 +int gr_acl_handle_mprotect(const struct file *file,
37357 + const unsigned long prot);
37358 +int gr_check_hidden_task(const struct task_struct *tsk);
37359 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
37360 + const struct vfsmount *mnt);
37361 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
37362 + const struct vfsmount *mnt);
37363 +__u32 gr_acl_handle_access(const struct dentry *dentry,
37364 + const struct vfsmount *mnt, const int fmode);
37365 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
37366 + const struct vfsmount *mnt, mode_t mode);
37367 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
37368 + const struct vfsmount *mnt, mode_t mode);
37369 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
37370 + const struct vfsmount *mnt);
37371 +int gr_handle_ptrace(struct task_struct *task, const long request);
37372 +int gr_handle_proc_ptrace(struct task_struct *task);
37373 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
37374 + const struct vfsmount *mnt);
37375 +int gr_check_crash_exec(const struct file *filp);
37376 +int gr_acl_is_enabled(void);
37377 +void gr_set_kernel_label(struct task_struct *task);
37378 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
37379 + const gid_t gid);
37380 +int gr_set_proc_label(const struct dentry *dentry,
37381 + const struct vfsmount *mnt,
37382 + const int unsafe_share);
37383 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
37384 + const struct vfsmount *mnt);
37385 +__u32 gr_acl_handle_open(const struct dentry *dentry,
37386 + const struct vfsmount *mnt, const int fmode);
37387 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
37388 + const struct dentry *p_dentry,
37389 + const struct vfsmount *p_mnt, const int fmode,
37390 + const int imode);
37391 +void gr_handle_create(const struct dentry *dentry,
37392 + const struct vfsmount *mnt);
37393 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
37394 + const struct dentry *parent_dentry,
37395 + const struct vfsmount *parent_mnt,
37397 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
37398 + const struct dentry *parent_dentry,
37399 + const struct vfsmount *parent_mnt);
37400 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
37401 + const struct vfsmount *mnt);
37402 +void gr_handle_delete(const ino_t ino, const dev_t dev);
37403 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
37404 + const struct vfsmount *mnt);
37405 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
37406 + const struct dentry *parent_dentry,
37407 + const struct vfsmount *parent_mnt,
37408 + const char *from);
37409 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
37410 + const struct dentry *parent_dentry,
37411 + const struct vfsmount *parent_mnt,
37412 + const struct dentry *old_dentry,
37413 + const struct vfsmount *old_mnt, const char *to);
37414 +int gr_acl_handle_rename(struct dentry *new_dentry,
37415 + struct dentry *parent_dentry,
37416 + const struct vfsmount *parent_mnt,
37417 + struct dentry *old_dentry,
37418 + struct inode *old_parent_inode,
37419 + struct vfsmount *old_mnt, const char *newname);
37420 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
37421 + struct dentry *old_dentry,
37422 + struct dentry *new_dentry,
37423 + struct vfsmount *mnt, const __u8 replace);
37424 +__u32 gr_check_link(const struct dentry *new_dentry,
37425 + const struct dentry *parent_dentry,
37426 + const struct vfsmount *parent_mnt,
37427 + const struct dentry *old_dentry,
37428 + const struct vfsmount *old_mnt);
37429 +int gr_acl_handle_filldir(const struct file *file, const char *name,
37430 + const unsigned int namelen, const ino_t ino);
37432 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
37433 + const struct vfsmount *mnt);
37434 +void gr_acl_handle_exit(void);
37435 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
37436 +int gr_acl_handle_procpidmem(const struct task_struct *task);
37438 +#ifdef CONFIG_GRKERNSEC
37439 +void gr_log_nonroot_mod_load(const char *modname);
37440 +void gr_handle_mem_write(void);
37441 +void gr_handle_kmem_write(void);
37442 +void gr_handle_open_port(void);
37443 +int gr_handle_mem_mmap(const unsigned long offset,
37444 + struct vm_area_struct *vma);
37446 +extern int grsec_enable_dmesg;
37447 +extern int grsec_enable_randsrc;
37448 +extern int grsec_enable_shm;
37452 diff -urNp linux-2.6.31/include/linux/hdpu_features.h linux-2.6.31/include/linux/hdpu_features.h
37453 --- linux-2.6.31/include/linux/hdpu_features.h 2009-08-27 20:59:04.000000000 -0400
37454 +++ linux-2.6.31/include/linux/hdpu_features.h 2009-09-06 15:29:12.087975038 -0400
37456 struct cpustate_t {
37460 + atomic_t open_count;
37461 unsigned char cached_val;
37463 unsigned long *set_addr;
37464 diff -urNp linux-2.6.31/include/linux/highmem.h linux-2.6.31/include/linux/highmem.h
37465 --- linux-2.6.31/include/linux/highmem.h 2009-08-27 20:59:04.000000000 -0400
37466 +++ linux-2.6.31/include/linux/highmem.h 2009-09-06 15:29:12.087975038 -0400
37467 @@ -137,6 +137,18 @@ static inline void clear_highpage(struct
37468 kunmap_atomic(kaddr, KM_USER0);
37471 +static inline void sanitize_highpage(struct page *page)
37474 + unsigned long flags;
37476 + local_irq_save(flags);
37477 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
37478 + clear_page(kaddr);
37479 + kunmap_atomic(kaddr, KM_CLEARPAGE);
37480 + local_irq_restore(flags);
37483 static inline void zero_user_segments(struct page *page,
37484 unsigned start1, unsigned end1,
37485 unsigned start2, unsigned end2)
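Review bot: sanitize_highpage() gives no reason for masking interrupts around the KM_CLEARPAGE mapping, which is the one thing that distinguishes it from clear_highpage() directly above it and is the part a reader will want explained. I would put a header comment on the function such as `/* Zero @page before it is handed back, so stale contents cannot reach the next owner; irqs are masked so an interrupt cannot reuse the KM_CLEARPAGE atomic slot while it is mapped (review: confirm that is the reason for local_irq_save) */`. The declaration of kaddr sits in lines of the hunk not shown in this rendering, so the function body is only partially visible here.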
37486 diff -urNp linux-2.6.31/include/linux/hugetlb.h linux-2.6.31/include/linux/hugetlb.h
37487 --- linux-2.6.31/include/linux/hugetlb.h 2009-08-27 20:59:04.000000000 -0400
37488 +++ linux-2.6.31/include/linux/hugetlb.h 2009-09-06 15:29:12.087975038 -0400
37489 @@ -146,7 +146,7 @@ static inline struct hugetlbfs_sb_info *
37492 extern const struct file_operations hugetlbfs_file_operations;
37493 -extern struct vm_operations_struct hugetlb_vm_ops;
37494 +extern const struct vm_operations_struct hugetlb_vm_ops;
37495 struct file *hugetlb_file_setup(const char *name, size_t size, int acct,
37496 struct user_struct **user);
37497 int hugetlb_get_quota(struct address_space *mapping, long delta);
37498 diff -urNp linux-2.6.31/include/linux/jbd2.h linux-2.6.31/include/linux/jbd2.h
37499 --- linux-2.6.31/include/linux/jbd2.h 2009-08-27 20:59:04.000000000 -0400
37500 +++ linux-2.6.31/include/linux/jbd2.h 2009-09-06 15:29:12.088951119 -0400
37501 @@ -66,7 +66,7 @@ extern u8 jbd2_journal_enable_debug;
37505 -#define jbd_debug(f, a...) /**/
37506 +#define jbd_debug(f, a...) do {} while (0)
37509 static inline void *jbd2_alloc(size_t size, gfp_t flags)
37510 diff -urNp linux-2.6.31/include/linux/jbd.h linux-2.6.31/include/linux/jbd.h
37511 --- linux-2.6.31/include/linux/jbd.h 2009-08-27 20:59:04.000000000 -0400
37512 +++ linux-2.6.31/include/linux/jbd.h 2009-09-06 15:29:12.088951119 -0400
37513 @@ -66,7 +66,7 @@ extern u8 journal_enable_debug;
37517 -#define jbd_debug(f, a...) /**/
37518 +#define jbd_debug(f, a...) do {} while (0)
37521 static inline void *jbd_alloc(size_t size, gfp_t flags)
37522 diff -urNp linux-2.6.31/include/linux/kvm_host.h linux-2.6.31/include/linux/kvm_host.h
37523 --- linux-2.6.31/include/linux/kvm_host.h 2009-08-27 20:59:04.000000000 -0400
37524 +++ linux-2.6.31/include/linux/kvm_host.h 2009-09-06 15:29:12.088951119 -0400
37525 @@ -173,7 +173,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
37526 void vcpu_load(struct kvm_vcpu *vcpu);
37527 void vcpu_put(struct kvm_vcpu *vcpu);
37529 -int kvm_init(void *opaque, unsigned int vcpu_size,
37530 +int kvm_init(const void *opaque, unsigned int vcpu_size,
37531 struct module *module);
37532 void kvm_exit(void);
37534 @@ -280,7 +280,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
37535 struct kvm_guest_debug *dbg);
37536 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
37538 -int kvm_arch_init(void *opaque);
37539 +int kvm_arch_init(const void *opaque);
37540 void kvm_arch_exit(void);
37542 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
37543 diff -urNp linux-2.6.31/include/linux/libata.h linux-2.6.31/include/linux/libata.h
37544 --- linux-2.6.31/include/linux/libata.h 2009-08-27 20:59:04.000000000 -0400
37545 +++ linux-2.6.31/include/linux/libata.h 2009-09-06 15:29:12.089927901 -0400
37546 @@ -64,11 +64,11 @@
37547 #ifdef ATA_VERBOSE_DEBUG
37548 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
37550 -#define VPRINTK(fmt, args...)
37551 +#define VPRINTK(fmt, args...) do {} while (0)
37552 #endif /* ATA_VERBOSE_DEBUG */
37554 -#define DPRINTK(fmt, args...)
37555 -#define VPRINTK(fmt, args...)
37556 +#define DPRINTK(fmt, args...) do {} while (0)
37557 +#define VPRINTK(fmt, args...) do {} while (0)
37558 #endif /* ATA_DEBUG */
37560 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
37561 diff -urNp linux-2.6.31/include/linux/mm.h linux-2.6.31/include/linux/mm.h
37562 --- linux-2.6.31/include/linux/mm.h 2009-08-27 20:59:04.000000000 -0400
37563 +++ linux-2.6.31/include/linux/mm.h 2009-09-06 15:29:12.090912748 -0400
37564 @@ -37,6 +37,7 @@ extern int sysctl_legacy_va_layout;
37565 #include <asm/page.h>
37566 #include <asm/pgtable.h>
37567 #include <asm/processor.h>
37568 +#include <asm/mman.h>
37570 #define nth_page(page,n) pfn_to_page(page_to_pfn((page)) + (n))
37572 @@ -104,6 +105,10 @@ extern unsigned int kobjsize(const void
37573 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
37574 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
37576 +#ifdef CONFIG_PAX_PAGEEXEC
37577 +#define VM_PAGEEXEC 0x80000000 /* vma->vm_page_prot needs special handling */
37580 #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
37581 #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
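Review bot: VM_PAGEEXEC takes 0x80000000, which on architectures with a 32-bit unsigned long is the last bit of vm_flags, so any later VM_* flag assigned that slot will silently alias it and change how vm_page_prot is handled for affected vmas. The define should carry that warning, e.g. `/* last free vm_flags bit on 32-bit; any new VM_* flag in this slot collides with PaX PAGEEXEC handling */`, so the next person adding a flag next to VM_PFN_AT_MMAP sees the constraint instead of discovering it at runtime.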
37583 @@ -871,6 +876,8 @@ struct shrinker {
37584 extern void register_shrinker(struct shrinker *);
37585 extern void unregister_shrinker(struct shrinker *);
37587 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
37589 int vma_wants_writenotify(struct vm_area_struct *vma);
37591 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
37592 @@ -1141,6 +1148,7 @@ out:
37595 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
37596 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
37598 extern unsigned long do_brk(unsigned long, unsigned long);
37600 @@ -1195,6 +1203,10 @@ extern struct vm_area_struct * find_vma(
37601 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
37602 struct vm_area_struct **pprev);
37604 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
37605 +extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
37606 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
37608 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
37609 NULL if none. Assume start_addr < end_addr. */
37610 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
37611 @@ -1211,7 +1223,6 @@ static inline unsigned long vma_pages(st
37612 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
37615 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
37616 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
37617 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
37618 unsigned long pfn, unsigned long size, pgprot_t);
37619 @@ -1303,5 +1314,12 @@ void vmemmap_populate_print_last(void);
37620 extern int account_locked_memory(struct mm_struct *mm, struct rlimit *rlim,
37622 extern void refund_locked_memory(struct mm_struct *mm, size_t size);
37624 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
37625 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
37627 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
37630 #endif /* __KERNEL__ */
37631 #endif /* _LINUX_MM_H */
37632 diff -urNp linux-2.6.31/include/linux/mm_types.h linux-2.6.31/include/linux/mm_types.h
37633 --- linux-2.6.31/include/linux/mm_types.h 2009-08-27 20:59:04.000000000 -0400
37634 +++ linux-2.6.31/include/linux/mm_types.h 2009-09-06 15:29:12.090912748 -0400
37635 @@ -171,7 +171,7 @@ struct vm_area_struct {
37636 struct anon_vma *anon_vma; /* Serialized by page_table_lock */
37638 /* Function pointers to deal with this struct. */
37639 - struct vm_operations_struct * vm_ops;
37640 + const struct vm_operations_struct * vm_ops;
37642 /* Information about our backing store: */
37643 unsigned long vm_pgoff; /* Offset (within vm_file) in PAGE_SIZE
37644 @@ -186,6 +186,8 @@ struct vm_area_struct {
37646 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
37649 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
37652 struct core_thread {
37653 @@ -286,6 +288,24 @@ struct mm_struct {
37654 #ifdef CONFIG_MMU_NOTIFIER
37655 struct mmu_notifier_mm *mmu_notifier_mm;
37658 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
37659 + unsigned long pax_flags;
37662 +#ifdef CONFIG_PAX_DLRESOLVE
37663 + unsigned long call_dl_resolve;
37666 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
37667 + unsigned long call_syscall;
37670 +#ifdef CONFIG_PAX_ASLR
37671 + unsigned long delta_mmap; /* randomized offset */
37672 + unsigned long delta_stack; /* randomized offset */
37677 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
37678 diff -urNp linux-2.6.31/include/linux/mod_devicetable.h linux-2.6.31/include/linux/mod_devicetable.h
37679 --- linux-2.6.31/include/linux/mod_devicetable.h 2009-08-27 20:59:04.000000000 -0400
37680 +++ linux-2.6.31/include/linux/mod_devicetable.h 2009-09-06 15:29:12.091951411 -0400
37682 typedef unsigned long kernel_ulong_t;
37685 -#define PCI_ANY_ID (~0)
37686 +#define PCI_ANY_ID ((__u16)~0)
37688 struct pci_device_id {
37689 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
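Review bot: PCI_ANY_ID changes value, not just type: (~0) stored as 0xffffffff in the __u32 vendor/device fields, while (__u16)~0 is 0xffff, so any id table or match code compiled against the old header keeps the old sentinel and will never match a wildcard under a kernel built with this one — an ABI-visible change for out-of-tree modules and for anything comparing these fields against the constant. The reason for the narrowing is not stated; if it is that 0xffff is the value conventionally read back from an empty PCI slot and therefore can never be a real id, say so on the define: `/* 0xffff cannot be a real vendor/device id; note the width change from (~0), which was 0xffffffff in the __u32 fields */`. The sibling HID_ANY_ID change in the next hunk keeps 32-bit width as (~0U), so the two sentinels now differ in width — confirm the PCI narrowing is intended rather than a sign-compare cleanup.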
37690 @@ -131,7 +131,7 @@ struct usb_device_id {
37691 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
37692 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
37694 -#define HID_ANY_ID (~0)
37695 +#define HID_ANY_ID (~0U)
37697 struct hid_device_id {
37699 diff -urNp linux-2.6.31/include/linux/module.h linux-2.6.31/include/linux/module.h
37700 --- linux-2.6.31/include/linux/module.h 2009-08-27 20:59:04.000000000 -0400
37701 +++ linux-2.6.31/include/linux/module.h 2009-09-06 15:29:12.091951411 -0400
37702 @@ -283,16 +283,16 @@ struct module
37705 /* If this is non-NULL, vfree after init() returns */
37706 - void *module_init;
37707 + void *module_init_rx, *module_init_rw;
37709 /* Here is the actual code + data, vfree'd on unload. */
37710 - void *module_core;
37711 + void *module_core_rx, *module_core_rw;
37713 /* Here are the sizes of the init and core sections */
37714 - unsigned int init_size, core_size;
37715 + unsigned int init_size_rw, core_size_rw;
37717 /* The size of the executable code in each section. */
37718 - unsigned int init_text_size, core_text_size;
37719 + unsigned int init_size_rx, core_size_rx;
37721 /* Arch-specific module values */
37722 struct mod_arch_specific arch;
37723 @@ -389,16 +389,46 @@ struct module *__module_address(unsigned
37724 bool is_module_address(unsigned long addr);
37725 bool is_module_text_address(unsigned long addr);
37727 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
37730 +#ifdef CONFIG_PAX_KERNEXEC
37731 + if (ktla_ktva(addr) >= (unsigned long)start &&
37732 + ktla_ktva(addr) < (unsigned long)start + size)
37736 + return ((void *)addr >= start && (void *)addr < start + size);
37739 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
37741 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
37744 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
37746 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
37749 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
37751 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
37754 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
37756 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
37759 static inline int within_module_core(unsigned long addr, struct module *mod)
37761 - return (unsigned long)mod->module_core <= addr &&
37762 - addr < (unsigned long)mod->module_core + mod->core_size;
37763 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
37766 static inline int within_module_init(unsigned long addr, struct module *mod)
37768 - return (unsigned long)mod->module_init <= addr &&
37769 - addr < (unsigned long)mod->module_init + mod->init_size;
37770 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
37773 /* Search for module by name: must hold module_mutex. */
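Review bot: within_module_range() does its fallback test with pointer arithmetic on a void * (`(void *)addr < start + size`), which relies on the GNU void-pointer extension and compares pointers that need not belong to one object, while the KERNEXEC branch just above and the within_module_core()/within_module_init() code it replaces compare in unsigned long. I would make both branches integer comparisons, `return addr >= (unsigned long)start && addr < (unsigned long)start + size;`, and take `const void *start` since the function never writes through it. A short comment that the KERNEXEC branch tests the address after ktla_ktva() translation (presumably because module text is reached through a different linear address under that option) would help readers; the lines between the KERNEXEC test and the fallback return are not shown in this rendering of the hunk.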
37774 @@ -451,7 +481,11 @@ void symbol_put_addr(void *addr);
37775 static inline local_t *__module_ref_addr(struct module *mod, int cpu)
37778 +#ifdef CONFIG_X86_32
37779 + return (local_t *) (mod->refptr + __per_cpu_offset[cpu]);
37781 return (local_t *) (mod->refptr + per_cpu_offset(cpu));
37786 diff -urNp linux-2.6.31/include/linux/moduleloader.h linux-2.6.31/include/linux/moduleloader.h
37787 --- linux-2.6.31/include/linux/moduleloader.h 2009-08-27 20:59:04.000000000 -0400
37788 +++ linux-2.6.31/include/linux/moduleloader.h 2009-09-06 15:29:12.092954930 -0400
37789 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
37790 sections. Returns NULL on failure. */
37791 void *module_alloc(unsigned long size);
37793 +#ifdef CONFIG_PAX_KERNEXEC
37794 +void *module_alloc_exec(unsigned long size);
37796 +#define module_alloc_exec(x) module_alloc(x)
37799 /* Free memory returned from module_alloc. */
37800 void module_free(struct module *mod, void *module_region);
37802 +#ifdef CONFIG_PAX_KERNEXEC
37803 +void module_free_exec(struct module *mod, void *module_region);
37805 +#define module_free_exec(x, y) module_free(x, y)
37808 /* Apply the given relocation to the (simplified) ELF. Return -error
37810 int apply_relocate(Elf_Shdr *sechdrs,
37811 diff -urNp linux-2.6.31/include/linux/moduleparam.h linux-2.6.31/include/linux/moduleparam.h
37812 --- linux-2.6.31/include/linux/moduleparam.h 2009-08-27 20:59:04.000000000 -0400
37813 +++ linux-2.6.31/include/linux/moduleparam.h 2009-09-06 15:29:12.092954930 -0400
37814 @@ -37,7 +37,6 @@ typedef int (*param_set_fn)(const char *
37815 typedef int (*param_get_fn)(char *buffer, struct kernel_param *kp);
37817 /* Flag bits for kernel_param.flags */
37818 -#define KPARAM_KMALLOCED 1
37819 #define KPARAM_ISBOOL 2
37821 struct kernel_param {
37822 diff -urNp linux-2.6.31/include/linux/namei.h linux-2.6.31/include/linux/namei.h
37823 --- linux-2.6.31/include/linux/namei.h 2009-08-27 20:59:04.000000000 -0400
37824 +++ linux-2.6.31/include/linux/namei.h 2009-09-06 15:29:12.092954930 -0400
37825 @@ -22,7 +22,7 @@ struct nameidata {
37826 unsigned int flags;
37829 - char *saved_names[MAX_NESTED_LINKS + 1];
37830 + const char *saved_names[MAX_NESTED_LINKS + 1];
37834 @@ -84,12 +84,12 @@ extern int follow_up(struct path *);
37835 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
37836 extern void unlock_rename(struct dentry *, struct dentry *);
37838 -static inline void nd_set_link(struct nameidata *nd, char *path)
37839 +static inline void nd_set_link(struct nameidata *nd, const char *path)
37841 nd->saved_names[nd->depth] = path;
37844 -static inline char *nd_get_link(struct nameidata *nd)
37845 +static inline const char *nd_get_link(struct nameidata *nd)
37847 return nd->saved_names[nd->depth];
37849 diff -urNp linux-2.6.31/include/linux/nfsd/nfsd.h linux-2.6.31/include/linux/nfsd/nfsd.h
37850 --- linux-2.6.31/include/linux/nfsd/nfsd.h 2009-08-27 20:59:04.000000000 -0400
37851 +++ linux-2.6.31/include/linux/nfsd/nfsd.h 2009-09-06 15:29:12.092954930 -0400
37852 @@ -57,7 +57,7 @@ extern u32 nfsd_supported_minorversion
37853 extern struct mutex nfsd_mutex;
37854 extern struct svc_serv *nfsd_serv;
37856 -extern struct seq_operations nfs_exports_op;
37857 +extern const struct seq_operations nfs_exports_op;
37860 * Function prototypes.
37861 diff -urNp linux-2.6.31/include/linux/nodemask.h linux-2.6.31/include/linux/nodemask.h
37862 --- linux-2.6.31/include/linux/nodemask.h 2009-08-27 20:59:04.000000000 -0400
37863 +++ linux-2.6.31/include/linux/nodemask.h 2009-09-06 15:29:12.093920731 -0400
37864 @@ -464,11 +464,11 @@ static inline int num_node_state(enum no
37866 #define any_online_node(mask) \
37869 - for_each_node_mask(node, (mask)) \
37870 - if (node_online(node)) \
37872 + for_each_node_mask(__node, (mask)) \
37873 + if (node_online(__node)) \
37879 #define num_online_nodes() num_node_state(N_ONLINE)
37880 diff -urNp linux-2.6.31/include/linux/oprofile.h linux-2.6.31/include/linux/oprofile.h
37881 --- linux-2.6.31/include/linux/oprofile.h 2009-08-27 20:59:04.000000000 -0400
37882 +++ linux-2.6.31/include/linux/oprofile.h 2009-09-06 15:29:12.093920731 -0400
37883 @@ -128,7 +128,7 @@ int oprofilefs_create_ro_ulong(struct su
37885 /** Create a file for read-only access to an atomic_t. */
37886 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
37887 - char const * name, atomic_t * val);
37888 + char const * name, atomic_unchecked_t * val);
37890 /** create a directory */
37891 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
37892 diff -urNp linux-2.6.31/include/linux/poison.h linux-2.6.31/include/linux/poison.h
37893 --- linux-2.6.31/include/linux/poison.h 2009-08-27 20:59:04.000000000 -0400
37894 +++ linux-2.6.31/include/linux/poison.h 2009-09-06 15:29:12.093920731 -0400
37896 * under normal circumstances, used to verify that nobody uses
37897 * non-initialized list entries.
37899 -#define LIST_POISON1 ((void *) 0x00100100)
37900 -#define LIST_POISON2 ((void *) 0x00200200)
37901 +#define LIST_POISON1 ((void *) 0xFF1001FFFF1001FFULL)
37902 +#define LIST_POISON2 ((void *) 0xFF2002FFFF2002FFULL)
37904 /********** include/linux/timer.h **********/
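Review bot: The new LIST_POISON values are 64-bit ULL constants cast to void *, so on 32-bit builds the cast truncates (GCC warns about a cast to pointer from an integer of different size) and the poison becomes 0xff1001ff / 0xff2002ff, which nothing in this hunk shows to be unmapped on every 32-bit architecture. The old 0x00100100 was a user-space address, and moving the poison out of the user-mappable range is presumably the point — a kernel bug that dereferences a poisoned list pointer should fault rather than read memory an attacker can map — so that requirement should be written down and enforced per word size. I would split the define on CONFIG_64BIT (or add a per-arch delta to a base) with a comment like `/* must be a non-canonical / never-mapped address on every arch so a poisoned-pointer dereference faults instead of touching mappable memory */`.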
37906 diff -urNp linux-2.6.31/include/linux/proc_fs.h linux-2.6.31/include/linux/proc_fs.h
37907 --- linux-2.6.31/include/linux/proc_fs.h 2009-08-27 20:59:04.000000000 -0400
37908 +++ linux-2.6.31/include/linux/proc_fs.h 2009-09-06 15:29:12.094977531 -0400
37909 @@ -146,6 +146,19 @@ static inline struct proc_dir_entry *pro
37910 return proc_create_data(name, mode, parent, proc_fops, NULL);
37913 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
37914 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
37916 +#ifdef CONFIG_GRKERNSEC_PROC_USER
37917 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
37918 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37919 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
37921 + return proc_create_data(name, mode, parent, proc_fops, NULL);
37926 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
37927 mode_t mode, struct proc_dir_entry *base,
37928 read_proc_t *read_proc, void * data)
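Review bot: proc_create_grsec() replaces the caller's mode with S_IRUSR or S_IRUSR|S_IRGRP but sets no group on the entry, so under CONFIG_GRKERNSEC_PROC_USERGROUP the S_IRGRP bit grants read access to whatever gid proc_create_data() leaves on the entry (gid 0 unless the proc core is changed elsewhere in this patch) rather than to a configured group; either that dependency is documented here or the helper should set the gid on the returned proc_dir_entry itself. Callers also cannot tell from the signature that @mode is ignored, write bits included, in the two hardened configurations. A header comment would cover both: `/* Create a read-only proc entry whose visibility follows the GRKERNSEC_PROC_USER / USERGROUP policy; @mode is honoured only when neither option is set, and the group that S_IRGRP refers to must be assigned by the proc core. */`.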
37929 diff -urNp linux-2.6.31/include/linux/random.h linux-2.6.31/include/linux/random.h
37930 --- linux-2.6.31/include/linux/random.h 2009-08-27 20:59:04.000000000 -0400
37931 +++ linux-2.6.31/include/linux/random.h 2009-09-06 15:29:12.094977531 -0400
37932 @@ -74,6 +74,11 @@ unsigned long randomize_range(unsigned l
37933 u32 random32(void);
37934 void srandom32(u32 seed);
37936 +static inline unsigned long pax_get_random_long(void)
37938 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
37941 #endif /* __KERNEL___ */
37943 #endif /* _LINUX_RANDOM_H */
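Review bot: pax_get_random_long() draws from random32(), a non-cryptographic PRNG whose state can be recovered from a handful of observed outputs, so if this feeds the ASLR deltas the layout is predictable to anyone who can observe other random32() consumers; layout randomisation should come from the kernel's secret-keyed source, get_random_int(), assuming it is declared earlier in this header as it is elsewhere in the tree. The 64-bit assembly is also written as `(unsigned long)random32() << 32`, which on 32-bit targets is a shift by the full width of the type — undefined behaviour and a compiler warning even though the sizeof() condition makes the branch dead at runtime. Guarding on BITS_PER_LONG removes both the dead branch and the undefined shift:
```c
static inline unsigned long pax_get_random_long(void)
{
#if BITS_PER_LONG == 64
	return get_random_int() | ((unsigned long)get_random_int() << 32);
#else
	return get_random_int();
#endif
}
```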
37944 diff -urNp linux-2.6.31/include/linux/reiserfs_fs.h linux-2.6.31/include/linux/reiserfs_fs.h
37945 --- linux-2.6.31/include/linux/reiserfs_fs.h 2009-08-27 20:59:04.000000000 -0400
37946 +++ linux-2.6.31/include/linux/reiserfs_fs.h 2009-09-06 15:29:12.094977531 -0400
37947 @@ -1326,7 +1326,7 @@ static inline loff_t max_reiserfs_offset
37948 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
37950 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
37951 -#define get_generation(s) atomic_read (&fs_generation(s))
37952 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
37953 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
37954 #define __fs_changed(gen,s) (gen != get_generation (s))
37955 #define fs_changed(gen,s) ({cond_resched(); __fs_changed(gen, s);})
37956 diff -urNp linux-2.6.31/include/linux/reiserfs_fs_sb.h linux-2.6.31/include/linux/reiserfs_fs_sb.h
37957 --- linux-2.6.31/include/linux/reiserfs_fs_sb.h 2009-08-27 20:59:04.000000000 -0400
37958 +++ linux-2.6.31/include/linux/reiserfs_fs_sb.h 2009-09-06 15:29:12.096134128 -0400
37959 @@ -377,7 +377,7 @@ struct reiserfs_sb_info {
37960 /* Comment? -Hans */
37961 wait_queue_head_t s_wait;
37962 /* To be obsoleted soon by per buffer seals.. -Hans */
37963 - atomic_t s_generation_counter; // increased by one every time the
37964 + atomic_unchecked_t s_generation_counter; // increased by one every time the
37965 // tree gets re-balanced
37966 unsigned long s_properties; /* File system properties. Currently holds
37967 on-disk FS format */
37968 diff -urNp linux-2.6.31/include/linux/sched.h linux-2.6.31/include/linux/sched.h
37969 --- linux-2.6.31/include/linux/sched.h 2009-08-27 20:59:04.000000000 -0400
37970 +++ linux-2.6.31/include/linux/sched.h 2009-09-06 15:29:12.097230294 -0400
37971 @@ -99,6 +99,7 @@ struct bio;
37973 struct bts_context;
37974 struct perf_counter_context;
37975 +struct linux_binprm;
37978 * List of flags we want to share for kernel threads,
37979 @@ -629,6 +630,15 @@ struct signal_struct {
37980 unsigned audit_tty;
37981 struct tty_audit_buf *tty_audit_buf;
37984 +#ifdef CONFIG_GRKERNSEC
37990 + u8 used_accept:1;
37994 /* Context switch must be unlocked if interrupts are to be enabled */
37995 @@ -1161,11 +1171,12 @@ struct sched_rt_entity {
37996 /* rq "owned" by this entity/group: */
37997 struct rt_rq *my_q;
38002 struct task_struct {
38003 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
38005 + struct thread_info *stack;
38007 unsigned int flags; /* per process flags, defined below */
38008 unsigned int ptrace;
38009 @@ -1269,8 +1280,8 @@ struct task_struct {
38010 struct list_head thread_group;
38012 struct completion *vfork_done; /* for vfork() */
38013 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
38014 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
38015 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
38016 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
38018 cputime_t utime, stime, utimescaled, stimescaled;
38020 @@ -1284,15 +1295,6 @@ struct task_struct {
38021 struct task_cputime cputime_expires;
38022 struct list_head cpu_timers[3];
38024 -/* process credentials */
38025 - const struct cred *real_cred; /* objective and real subjective task
38026 - * credentials (COW) */
38027 - const struct cred *cred; /* effective (overridable) subjective task
38028 - * credentials (COW) */
38029 - struct mutex cred_guard_mutex; /* guard against foreign influences on
38030 - * credential calculations
38031 - * (notably. ptrace) */
38033 char comm[TASK_COMM_LEN]; /* executable name excluding path
38034 - access with [gs]et_task_comm (which lock
38035 it with task_lock())
38036 @@ -1429,6 +1431,16 @@ struct task_struct {
38037 struct mutex perf_counter_mutex;
38038 struct list_head perf_counter_list;
38041 +/* process credentials */
38042 + const struct cred *real_cred; /* objective and real subjective task
38043 + * credentials (COW) */
38044 + const struct cred *cred; /* effective (overridable) subjective task
38045 + * credentials (COW) */
38046 + struct mutex cred_guard_mutex; /* guard against foreign influences on
38047 + * credential calculations
38048 + * (notably. ptrace) */
38051 struct mempolicy *mempolicy; /* Protected by alloc_lock */
38053 @@ -1480,8 +1492,66 @@ struct task_struct {
38054 /* bitmask of trace recursion */
38055 unsigned long trace_recursion;
38056 #endif /* CONFIG_TRACING */
38058 +#ifdef CONFIG_GRKERNSEC
38060 + struct acl_subject_label *acl;
38061 + struct acl_role_label *role;
38062 + struct file *exec_file;
38071 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
38072 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
38073 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
38074 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
38075 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
38076 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
38078 +#ifdef CONFIG_PAX_SOFTMODE
38079 +extern unsigned int pax_softmode;
38082 +extern int pax_check_flags(unsigned long *);
38084 +/* if tsk != current then task_lock must be held on it */
38085 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
38086 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
38088 + if (likely(tsk->mm))
38089 + return tsk->mm->pax_flags;
38094 +/* if tsk != current then task_lock must be held on it */
38095 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
38097 + if (likely(tsk->mm)) {
38098 + tsk->mm->pax_flags = flags;
38105 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
38106 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
38107 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
38108 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
38111 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
38112 +void pax_report_insns(void *pc, void *sp);
38113 +void pax_report_refcount_overflow(struct pt_regs *regs);
38114 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
38115 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
38117 /* Future-safe accessor for struct task_struct's cpus_allowed. */
38118 #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
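Review bot: `/*#define MF_PAX_RANDEXEC 0x10000000*/` is commented-out code left in the flag list; if the bit is being held so that the remaining MF_PAX_* values keep their positions (they are stored in mm->pax_flags per pax_get_flags()/pax_set_flags() below and may be persisted in binaries' PaX flags), say that explicitly with `/* 0x10000000 reserved: former MF_PAX_RANDEXEC, keep the other bits stable */`, otherwise delete the line. The block also defines the individual bits but no combined mask, which pax_check_flags() presumably needs; a `#define MF_PAX_ALL (...)` next to the bits would keep the list in one place. The #else branch of pax_get_flags() and the return values of pax_set_flags() fall in lines not shown in this rendering of the hunk.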
38120 @@ -2046,7 +2116,7 @@ extern void __cleanup_sighand(struct sig
38121 extern void exit_itimers(struct signal_struct *);
38122 extern void flush_itimer_signals(void);
38124 -extern NORET_TYPE void do_group_exit(int);
38125 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
38127 extern void daemonize(const char *, ...);
38128 extern int allow_signal(int);
38129 @@ -2159,8 +2229,8 @@ static inline void unlock_task_sighand(s
38131 #ifndef __HAVE_THREAD_FUNCTIONS
38133 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
38134 -#define task_stack_page(task) ((task)->stack)
38135 +#define task_thread_info(task) ((task)->stack)
38136 +#define task_stack_page(task) ((void *)(task)->stack)
38138 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
38140 @@ -2175,7 +2245,7 @@ static inline unsigned long *end_of_stac
38144 -static inline int object_is_on_stack(void *obj)
38145 +static inline int object_is_on_stack(const void *obj)
38147 void *stack = task_stack_page(current);
38149 diff -urNp linux-2.6.31/include/linux/screen_info.h linux-2.6.31/include/linux/screen_info.h
38150 --- linux-2.6.31/include/linux/screen_info.h 2009-08-27 20:59:04.000000000 -0400
38151 +++ linux-2.6.31/include/linux/screen_info.h 2009-09-06 15:29:12.097230294 -0400
38152 @@ -42,7 +42,8 @@ struct screen_info {
38153 __u16 pages; /* 0x32 */
38154 __u16 vesa_attributes; /* 0x34 */
38155 __u32 capabilities; /* 0x36 */
38156 - __u8 _reserved[6]; /* 0x3a */
38157 + __u16 vesapm_size; /* 0x3a */
38158 + __u8 _reserved[4]; /* 0x3c */
38159 } __attribute__((packed));
38161 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
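Review bot: struct screen_info is a packed boot-parameter structure filled in from outside the kernel, so vesapm_size is untrusted input; whatever consumes it (not in this hunk) must treat it as such and bound it against the region it describes before using it as a copy length or mapping size, and a boot loader that only knows the old layout leaves the field zero. The field should say what it holds and who sets it, e.g. `/* size of the VESA PM interface region, filled by the boot loader; 0 if unknown */`, adjusted to whatever the consumer actually expects.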
38162 diff -urNp linux-2.6.31/include/linux/security.h linux-2.6.31/include/linux/security.h
38163 --- linux-2.6.31/include/linux/security.h 2009-08-27 20:59:04.000000000 -0400
38164 +++ linux-2.6.31/include/linux/security.h 2009-09-06 15:29:12.098193097 -0400
38166 #include <linux/key.h>
38167 #include <linux/xfrm.h>
38168 #include <linux/gfp.h>
38169 +#include <linux/grsecurity.h>
38170 #include <net/flow.h>
38172 /* Maximum number of letters for an LSM name string */
38173 diff -urNp linux-2.6.31/include/linux/shm.h linux-2.6.31/include/linux/shm.h
38174 --- linux-2.6.31/include/linux/shm.h 2009-08-27 20:59:04.000000000 -0400
38175 +++ linux-2.6.31/include/linux/shm.h 2009-09-06 15:29:12.098910352 -0400
38176 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
38179 struct user_struct *mlock_user;
38180 +#ifdef CONFIG_GRKERNSEC
38181 + time_t shm_createtime;
38186 /* shm_mode upper byte flags */
38187 diff -urNp linux-2.6.31/include/linux/slab.h linux-2.6.31/include/linux/slab.h
38188 --- linux-2.6.31/include/linux/slab.h 2009-08-27 20:59:04.000000000 -0400
38189 +++ linux-2.6.31/include/linux/slab.h 2009-09-06 15:29:12.098910352 -0400
38191 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
38192 * Both make kfree a no-op.
38194 -#define ZERO_SIZE_PTR ((void *)16)
38195 +#define ZERO_SIZE_PTR ((void *)-1024L)
38197 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
38198 - (unsigned long)ZERO_SIZE_PTR)
38199 +#define ZERO_OR_NULL_PTR(x) (!(x) || (x) == ZERO_SIZE_PTR)
38202 * struct kmem_cache related prototypes
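Review bot: The move of ZERO_SIZE_PTR from (void *)16 to (void *)-1024L carries no explanation, and ZERO_OR_NULL_PTR changes from a range test (anything at or below 16) to an exact match, so a later cleanup could easily undo either half. Presumably the reason is that 16 lies in the user-space range a process can map when mmap_min_addr permits, so a kernel bug that dereferences ZERO_SIZE_PTR plus a small offset reads attacker-controlled memory, whereas -1024 sits in the last page of the kernel address space; that belongs on the define, e.g. `/* kept in kernel space so a bogus dereference of a zero-size allocation faults instead of touching user-mappable memory; ZERO_OR_NULL_PTR must stay an exact match */`, together with a note on which architectures guarantee that page is never mapped.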
38203 @@ -138,6 +137,7 @@ void * __must_check krealloc(const void
38204 void kfree(const void *);
38205 void kzfree(const void *);
38206 size_t ksize(const void *);
38207 +void check_object_size(const void *ptr, unsigned long n, bool to);
38210 * Allocator specific definitions. These are mainly used to establish optimized
38211 @@ -328,4 +328,37 @@ static inline void *kzalloc_node(size_t
38213 void __init kmem_cache_init_late(void);
38215 +#define kmalloc(x, y) \
38217 + void *___retval; \
38218 + intoverflow_t ___x = (intoverflow_t)x; \
38219 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
38220 + ___retval = NULL; \
38222 + ___retval = kmalloc((size_t)___x, (y)); \
38226 +#define kmalloc_node(x, y, z) \
38228 + void *___retval; \
38229 + intoverflow_t ___x = (intoverflow_t)x; \
38230 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
38231 + ___retval = NULL; \
38233 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
38237 +#define kzalloc(x, y) \
38239 + void *___retval; \
38240 + intoverflow_t ___x = (intoverflow_t)x; \
38241 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
38242 + ___retval = NULL; \
38244 + ___retval = kzalloc((size_t)___x, (y)); \
38248 #endif /* _LINUX_SLAB_H */
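Review bot: In the kmalloc/kmalloc_node/kzalloc wrappers the size argument is deliberately not parenthesised in `(intoverflow_t)x`, so that for `kmalloc(n * sizeof(*p), gfp)` the cast binds to the first operand and the multiplication happens in the wider type — the only way the `> ULONG_MAX` test can ever fire — but it reads as a textbook macro bug and will be "fixed" by the next reader unless a comment says so; it also gives no protection for shapes like `a + b * c`, where the product is still computed in size_t. A negative size (a failed length computation passed through an int) is not caught either if intoverflow_t is signed: -1 becomes a negative ___x that is not greater than ULONG_MAX and then turns into a huge size_t; `if (WARN(___x < 0 || ___x > ULONG_MAX, "kmalloc size overflow\n"))` closes that gap for a signed type. The definition of intoverflow_t is not in this hunk, so its width (it must exceed unsigned long for the check to mean anything) should be confirmed where it is defined.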
38249 diff -urNp linux-2.6.31/include/linux/slub_def.h linux-2.6.31/include/linux/slub_def.h
38250 --- linux-2.6.31/include/linux/slub_def.h 2009-08-27 20:59:04.000000000 -0400
38251 +++ linux-2.6.31/include/linux/slub_def.h 2009-09-06 15:29:12.099921660 -0400
38252 @@ -86,7 +86,7 @@ struct kmem_cache {
38253 struct kmem_cache_order_objects max;
38254 struct kmem_cache_order_objects min;
38255 gfp_t allocflags; /* gfp flags to use on each alloc */
38256 - int refcount; /* Refcount for slab cache destroy */
38257 + atomic_t refcount; /* Refcount for slab cache destroy */
38258 void (*ctor)(void *);
38259 int inuse; /* Offset to metadata */
38260 int align; /* Alignment */
38261 diff -urNp linux-2.6.31/include/linux/sonet.h linux-2.6.31/include/linux/sonet.h
38262 --- linux-2.6.31/include/linux/sonet.h 2009-08-27 20:59:04.000000000 -0400
38263 +++ linux-2.6.31/include/linux/sonet.h 2009-09-06 15:29:12.099921660 -0400
38264 @@ -61,7 +61,7 @@ struct sonet_stats {
38265 #include <asm/atomic.h>
38267 struct k_sonet_stats {
38268 -#define __HANDLE_ITEM(i) atomic_t i
38269 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
38271 #undef __HANDLE_ITEM
38273 diff -urNp linux-2.6.31/include/linux/sysctl.h linux-2.6.31/include/linux/sysctl.h
38274 --- linux-2.6.31/include/linux/sysctl.h 2009-08-27 20:59:04.000000000 -0400
38275 +++ linux-2.6.31/include/linux/sysctl.h 2009-09-06 15:29:12.099921660 -0400
38276 @@ -165,7 +165,11 @@ enum
38277 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
38281 +#ifdef CONFIG_PAX_SOFTMODE
38283 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
38287 /* CTL_VM names: */
38289 diff -urNp linux-2.6.31/include/linux/thread_info.h linux-2.6.31/include/linux/thread_info.h
38290 --- linux-2.6.31/include/linux/thread_info.h 2009-08-27 20:59:04.000000000 -0400
38291 +++ linux-2.6.31/include/linux/thread_info.h 2009-09-06 15:29:12.101158649 -0400
38292 @@ -23,7 +23,7 @@ struct restart_block {
38294 /* For futex_wait and futex_wait_requeue_pi */
38297 + u32 __user *uaddr;
38301 diff -urNp linux-2.6.31/include/linux/tty_ldisc.h linux-2.6.31/include/linux/tty_ldisc.h
38302 --- linux-2.6.31/include/linux/tty_ldisc.h 2009-08-27 20:59:04.000000000 -0400
38303 +++ linux-2.6.31/include/linux/tty_ldisc.h 2009-09-06 15:29:12.101158649 -0400
38304 @@ -139,7 +139,7 @@ struct tty_ldisc_ops {
38306 struct module *owner;
38309 + atomic_t refcount;
38313 diff -urNp linux-2.6.31/include/linux/types.h linux-2.6.31/include/linux/types.h
38314 --- linux-2.6.31/include/linux/types.h 2009-08-27 20:59:04.000000000 -0400
38315 +++ linux-2.6.31/include/linux/types.h 2009-09-06 15:29:12.102003307 -0400
38316 @@ -191,10 +191,26 @@ typedef struct {
38317 volatile int counter;
38320 +#ifdef CONFIG_PAX_REFCOUNT
38322 + volatile int counter;
38323 +} atomic_unchecked_t;
38325 +typedef atomic_t atomic_unchecked_t;
38328 #ifdef CONFIG_64BIT
38330 volatile long counter;
38333 +#ifdef CONFIG_PAX_REFCOUNT
38335 + volatile long counter;
38336 +} atomic64_unchecked_t;
38338 +typedef atomic64_t atomic64_unchecked_t;
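Review bot: The new `atomic_unchecked_t` and `atomic64_unchecked_t` types carry no comment saying how they differ from `atomic_t`, and under `!CONFIG_PAX_REFCOUNT` they collapse into plain aliases, so code that mixes the two families compiles silently on every configuration except the one that makes them distinct. A one-line comment above the `#ifdef CONFIG_PAX_REFCOUNT`, such as `/* counters presumably allowed to wrap and therefore exempt from refcount overflow detection; a distinct type only under CONFIG_PAX_REFCOUNT */`, would record that contract where the type is declared. The `#else`/`#endif` lines of both blocks are not shown here, so the exact layout is inferred.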
38343 diff -urNp linux-2.6.31/include/linux/uaccess.h linux-2.6.31/include/linux/uaccess.h
38344 --- linux-2.6.31/include/linux/uaccess.h 2009-08-27 20:59:04.000000000 -0400
38345 +++ linux-2.6.31/include/linux/uaccess.h 2009-09-06 15:29:12.102003307 -0400
38346 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
38348 mm_segment_t old_fs = get_fs(); \
38350 - set_fs(KERNEL_DS); \
38351 pagefault_disable(); \
38352 + set_fs(KERNEL_DS); \
38353 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
38354 - pagefault_enable(); \
38356 + pagefault_enable(); \
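Review bot: The reordering moves `set_fs(KERNEL_DS)` inside the `pagefault_disable()` region and `pagefault_enable()` ahead of the restore, narrowing the window in which the address limit is widened to the part that cannot fault or be preempted, but nothing in the macro says why the order matters; a comment on the new `set_fs(KERNEL_DS)` line such as `/* widen the address limit only inside the pagefault-disabled window */` would keep a later cleanup from swapping them back. The closing `set_fs(old_fs)` and the macro's name lie outside the lines shown, so the symmetry of the restore is inferred.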
38360 diff -urNp linux-2.6.31/include/linux/vmalloc.h linux-2.6.31/include/linux/vmalloc.h
38361 --- linux-2.6.31/include/linux/vmalloc.h 2009-08-27 20:59:04.000000000 -0400
38362 +++ linux-2.6.31/include/linux/vmalloc.h 2009-09-06 15:29:12.102003307 -0400
38363 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
38364 #define VM_MAP 0x00000004 /* vmap()ed pages */
38365 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
38366 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
38368 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
38369 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
38372 /* bits [20..32] reserved for arch specific ioremap internals */
38375 @@ -115,4 +120,81 @@ extern rwlock_t vmlist_lock;
38376 extern struct vm_struct *vmlist;
38377 extern __init void vm_area_register_early(struct vm_struct *vm, size_t align);
38379 +#define vmalloc(x) \
38381 + void *___retval; \
38382 + intoverflow_t ___x = (intoverflow_t)x; \
38383 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
38384 + ___retval = NULL; \
38386 + ___retval = vmalloc((unsigned long)___x); \
38390 +#define __vmalloc(x, y, z) \
38392 + void *___retval; \
38393 + intoverflow_t ___x = (intoverflow_t)x; \
38394 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
38395 + ___retval = NULL; \
38397 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
38401 +#define vmalloc_user(x) \
38403 + void *___retval; \
38404 + intoverflow_t ___x = (intoverflow_t)x; \
38405 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
38406 + ___retval = NULL; \
38408 + ___retval = vmalloc_user((unsigned long)___x); \
38412 +#define vmalloc_exec(x) \
38414 + void *___retval; \
38415 + intoverflow_t ___x = (intoverflow_t)x; \
38416 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
38417 + ___retval = NULL; \
38419 + ___retval = vmalloc_exec((unsigned long)___x); \
38423 +#define vmalloc_node(x, y) \
38425 + void *___retval; \
38426 + intoverflow_t ___x = (intoverflow_t)x; \
38427 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
38428 + ___retval = NULL; \
38430 + ___retval = vmalloc_node((unsigned long)___x, (y));\
38434 +#define vmalloc_32(x) \
38436 + void *___retval; \
38437 + intoverflow_t ___x = (intoverflow_t)x; \
38438 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
38439 + ___retval = NULL; \
38441 + ___retval = vmalloc_32((unsigned long)___x); \
38445 +#define vmalloc_32_user(x) \
38447 + void *___retval; \
38448 + intoverflow_t ___x = (intoverflow_t)x; \
38449 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
38450 + ___retval = NULL; \
38452 + ___retval = vmalloc_32_user((unsigned long)___x);\
38456 #endif /* _LINUX_VMALLOC_H */
38457 diff -urNp linux-2.6.31/include/net/irda/ircomm_tty.h linux-2.6.31/include/net/irda/ircomm_tty.h
38458 --- linux-2.6.31/include/net/irda/ircomm_tty.h 2009-08-27 20:59:04.000000000 -0400
38459 +++ linux-2.6.31/include/net/irda/ircomm_tty.h 2009-09-06 15:29:12.102981945 -0400
38460 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
38461 unsigned short close_delay;
38462 unsigned short closing_wait; /* time to wait before closing */
38465 - int blocked_open; /* # of blocked opens */
38466 + atomic_t open_count;
38467 + atomic_t blocked_open; /* # of blocked opens */
38469 /* Protect concurent access to :
38470 * o self->open_count
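Review bot: `open_count` and `blocked_open` become `atomic_t`, yet the lock comment that follows (`Protect concurent access to : o self->open_count`) still lists `open_count` among the fields the lock guards; either the field no longer needs the lock and should be dropped from that list, or it still does (read-modify-write sequences under the lock) and the comment should say which. Updating the comment in the same change, and fixing the `concurent` typo while there, avoids a stale locking note. The rest of that comment is outside this hunk, so I cannot see which other fields it names.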
38471 diff -urNp linux-2.6.31/include/net/sctp/sctp.h linux-2.6.31/include/net/sctp/sctp.h
38472 --- linux-2.6.31/include/net/sctp/sctp.h 2009-08-27 20:59:04.000000000 -0400
38473 +++ linux-2.6.31/include/net/sctp/sctp.h 2009-09-06 15:29:12.102981945 -0400
38474 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
38476 #else /* SCTP_DEBUG */
38478 -#define SCTP_DEBUG_PRINTK(whatever...)
38479 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
38480 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
38481 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
38482 #define SCTP_ENABLE_DEBUG
38483 #define SCTP_DISABLE_DEBUG
38484 #define SCTP_ASSERT(expr, str, func)
38485 diff -urNp linux-2.6.31/include/sound/core.h linux-2.6.31/include/sound/core.h
38486 --- linux-2.6.31/include/sound/core.h 2009-08-27 20:59:04.000000000 -0400
38487 +++ linux-2.6.31/include/sound/core.h 2009-09-06 15:29:12.103934830 -0400
38488 @@ -430,7 +430,7 @@ static inline int __snd_bug_on(int cond)
38490 #define snd_printdd(format, args...) snd_printk(format, ##args)
38492 -#define snd_printdd(format, args...) /* nothing */
38493 +#define snd_printdd(format, args...) do {} while (0)
38497 diff -urNp linux-2.6.31/include/video/uvesafb.h linux-2.6.31/include/video/uvesafb.h
38498 --- linux-2.6.31/include/video/uvesafb.h 2009-08-27 20:59:04.000000000 -0400
38499 +++ linux-2.6.31/include/video/uvesafb.h 2009-09-06 15:29:12.103934830 -0400
38500 @@ -177,6 +177,7 @@ struct uvesafb_par {
38501 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
38502 u8 pmi_setpal; /* PMI for palette changes */
38503 u16 *pmi_base; /* protected mode interface location */
38504 + u8 *pmi_code; /* protected mode code location */
38507 u8 *vbe_state_orig; /*
38508 diff -urNp linux-2.6.31/init/do_mounts.c linux-2.6.31/init/do_mounts.c
38509 --- linux-2.6.31/init/do_mounts.c 2009-08-27 20:59:04.000000000 -0400
38510 +++ linux-2.6.31/init/do_mounts.c 2009-09-06 15:29:12.114669498 -0400
38511 @@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
38513 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
38515 - int err = sys_mount(name, "/root", fs, flags, data);
38516 + int err = sys_mount((char __user *)name, (char __user *)"/root", (char __user *)fs, flags, (void __user *)data);
38520 - sys_chdir("/root");
38521 + sys_chdir((char __user *)"/root");
38522 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
38523 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
38524 current->fs->pwd.mnt->mnt_sb->s_type->name,
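Review bot: The `(char __user *)` casts added here (and in init/do_mounts.h, init/do_mounts_initrd.c, init/do_mounts_md.c, init/initramfs.c, init/noinitramfs.c and kernel/acct.c) move kernel pointers into the user address space without `__force`, which sparse treats as an address-space violation in its own right; if the intent is to declare these init-time calls as deliberately passing kernel pointers through the syscall interface, the cast should read `(char __user __force *)name`. The casts are also inconsistent across files: this hunk uses `char __user *` for `sys_open`/`sys_mkdir`, while do_mounts_initrd.c and noinitramfs.c use `const char __user *` for the same calls; one form should be used throughout. `do_mount_root` continues past the end of the hunk.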
38525 @@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
38526 va_start(args, fmt);
38527 vsprintf(buf, fmt, args);
38529 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
38530 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
38532 sys_ioctl(fd, FDEJECT, 0);
38535 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
38536 - fd = sys_open("/dev/console", O_RDWR, 0);
38537 + fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
38539 sys_ioctl(fd, TCGETS, (long)&termios);
38540 termios.c_lflag &= ~ICANON;
38541 sys_ioctl(fd, TCSETSF, (long)&termios);
38542 - sys_read(fd, &c, 1);
38543 + sys_read(fd, (char __user *)&c, 1);
38544 termios.c_lflag |= ICANON;
38545 sys_ioctl(fd, TCSETSF, (long)&termios);
38547 @@ -415,7 +415,7 @@ void __init prepare_namespace(void)
38551 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
38553 + sys_mount((char __user *)".", (char __user *)"/", NULL, MS_MOVE, NULL);
38554 + sys_chroot((char __user *)".");
38557 diff -urNp linux-2.6.31/init/do_mounts.h linux-2.6.31/init/do_mounts.h
38558 --- linux-2.6.31/init/do_mounts.h 2009-08-27 20:59:04.000000000 -0400
38559 +++ linux-2.6.31/init/do_mounts.h 2009-09-06 15:29:12.131445576 -0400
38560 @@ -15,15 +15,15 @@ extern int root_mountflags;
38562 static inline int create_dev(char *name, dev_t dev)
38564 - sys_unlink(name);
38565 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
38566 + sys_unlink((char __user *)name);
38567 + return sys_mknod((char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
38570 #if BITS_PER_LONG == 32
38571 static inline u32 bstat(char *name)
38573 struct stat64 stat;
38574 - if (sys_stat64(name, &stat) != 0)
38575 + if (sys_stat64((char __user *)name, (struct stat64 __user *)&stat) != 0)
38577 if (!S_ISBLK(stat.st_mode))
38579 diff -urNp linux-2.6.31/init/do_mounts_initrd.c linux-2.6.31/init/do_mounts_initrd.c
38580 --- linux-2.6.31/init/do_mounts_initrd.c 2009-08-27 20:59:04.000000000 -0400
38581 +++ linux-2.6.31/init/do_mounts_initrd.c 2009-09-06 15:29:12.136681513 -0400
38582 @@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
38583 sys_close(old_fd);sys_close(root_fd);
38584 sys_close(0);sys_close(1);sys_close(2);
38586 - (void) sys_open("/dev/console",O_RDWR,0);
38587 + (void) sys_open((const char __user *)"/dev/console",O_RDWR,0);
38590 return kernel_execve(shell, argv, envp_init);
38591 @@ -47,13 +47,13 @@ static void __init handle_initrd(void)
38592 create_dev("/dev/root.old", Root_RAM0);
38593 /* mount initrd on rootfs' /root */
38594 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
38595 - sys_mkdir("/old", 0700);
38596 - root_fd = sys_open("/", 0, 0);
38597 - old_fd = sys_open("/old", 0, 0);
38598 + sys_mkdir((const char __user *)"/old", 0700);
38599 + root_fd = sys_open((const char __user *)"/", 0, 0);
38600 + old_fd = sys_open((const char __user *)"/old", 0, 0);
38601 /* move initrd over / and chdir/chroot in initrd root */
38602 - sys_chdir("/root");
38603 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
38605 + sys_chdir((const char __user *)"/root");
38606 + sys_mount((char __user *)".", (char __user *)"/", NULL, MS_MOVE, NULL);
38607 + sys_chroot((const char __user *)".");
38610 * In case that a resume from disk is carried out by linuxrc or one of
38611 @@ -70,15 +70,15 @@ static void __init handle_initrd(void)
38613 /* move initrd to rootfs' /old */
38614 sys_fchdir(old_fd);
38615 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
38616 + sys_mount((char __user *)"/", (char __user *)".", NULL, MS_MOVE, NULL);
38617 /* switch root and cwd back to / of rootfs */
38618 sys_fchdir(root_fd);
38620 + sys_chroot((const char __user *)".");
38622 sys_close(root_fd);
38624 if (new_decode_dev(real_root_dev) == Root_RAM0) {
38625 - sys_chdir("/old");
38626 + sys_chdir((const char __user *)"/old");
38630 @@ -86,17 +86,17 @@ static void __init handle_initrd(void)
38633 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
38634 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
38635 + error = sys_mount((char __user *)"/old", (char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
38639 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
38640 + int fd = sys_open((const char __user *)"/dev/root.old", O_RDWR, 0);
38641 if (error == -ENOENT)
38642 printk("/initrd does not exist. Ignored.\n");
38644 printk("failed\n");
38645 printk(KERN_NOTICE "Unmounting old root\n");
38646 - sys_umount("/old", MNT_DETACH);
38647 + sys_umount((char __user *)"/old", MNT_DETACH);
38648 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
38651 @@ -119,11 +119,11 @@ int __init initrd_load(void)
38652 * mounted in the normal path.
38654 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
38655 - sys_unlink("/initrd.image");
38656 + sys_unlink((const char __user *)"/initrd.image");
38661 - sys_unlink("/initrd.image");
38662 + sys_unlink((const char __user *)"/initrd.image");
38665 diff -urNp linux-2.6.31/init/do_mounts_md.c linux-2.6.31/init/do_mounts_md.c
38666 --- linux-2.6.31/init/do_mounts_md.c 2009-08-27 20:59:04.000000000 -0400
38667 +++ linux-2.6.31/init/do_mounts_md.c 2009-09-06 15:29:12.137211986 -0400
38668 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
38669 partitioned ? "_d" : "", minor,
38670 md_setup_args[ent].device_names);
38672 - fd = sys_open(name, 0, 0);
38673 + fd = sys_open((char __user *)name, 0, 0);
38675 printk(KERN_ERR "md: open failed - cannot start "
38676 "array %s\n", name);
38677 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
38681 - fd = sys_open(name, 0, 0);
38682 + fd = sys_open((char __user *)name, 0, 0);
38683 sys_ioctl(fd, BLKRRPART, 0);
38686 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
38688 wait_for_device_probe();
38690 - fd = sys_open("/dev/md0", 0, 0);
38691 + fd = sys_open((char __user *)"/dev/md0", 0, 0);
38693 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
38695 diff -urNp linux-2.6.31/init/initramfs.c linux-2.6.31/init/initramfs.c
38696 --- linux-2.6.31/init/initramfs.c 2009-08-27 20:59:04.000000000 -0400
38697 +++ linux-2.6.31/init/initramfs.c 2009-09-06 15:29:12.138269157 -0400
38698 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
38700 char *old = find_link(major, minor, ino, mode, collected);
38702 - return (sys_link(old, collected) < 0) ? -1 : 1;
38703 + return (sys_link((char __user *)old, (char __user *)collected) < 0) ? -1 : 1;
38707 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
38711 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
38712 + if (!sys_newlstat((char __user *)path, (struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
38713 if (S_ISDIR(st.st_mode))
38715 + sys_rmdir((char __user *)path);
38717 - sys_unlink(path);
38718 + sys_unlink((char __user *)path);
38722 @@ -305,7 +305,7 @@ static int __init do_name(void)
38723 int openflags = O_WRONLY|O_CREAT;
38725 openflags |= O_TRUNC;
38726 - wfd = sys_open(collected, openflags, mode);
38727 + wfd = sys_open((char __user *)collected, openflags, mode);
38730 sys_fchown(wfd, uid, gid);
38731 @@ -317,16 +317,16 @@ static int __init do_name(void)
38734 } else if (S_ISDIR(mode)) {
38735 - sys_mkdir(collected, mode);
38736 - sys_chown(collected, uid, gid);
38737 - sys_chmod(collected, mode);
38738 + sys_mkdir((char __user *)collected, mode);
38739 + sys_chown((char __user *)collected, uid, gid);
38740 + sys_chmod((char __user *)collected, mode);
38741 dir_add(collected, mtime);
38742 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
38743 S_ISFIFO(mode) || S_ISSOCK(mode)) {
38744 if (maybe_link() == 0) {
38745 - sys_mknod(collected, mode, rdev);
38746 - sys_chown(collected, uid, gid);
38747 - sys_chmod(collected, mode);
38748 + sys_mknod((char __user *)collected, mode, rdev);
38749 + sys_chown((char __user *)collected, uid, gid);
38750 + sys_chmod((char __user *)collected, mode);
38751 do_utime(collected, mtime);
38754 @@ -336,7 +336,7 @@ static int __init do_name(void)
38755 static int __init do_copy(void)
38757 if (count >= body_len) {
38758 - sys_write(wfd, victim, body_len);
38759 + sys_write(wfd, (char __user *)victim, body_len);
38761 do_utime(vcollected, mtime);
38763 @@ -344,7 +344,7 @@ static int __init do_copy(void)
38767 - sys_write(wfd, victim, count);
38768 + sys_write(wfd, (char __user *)victim, count);
38772 @@ -355,8 +355,8 @@ static int __init do_symlink(void)
38774 collected[N_ALIGN(name_len) + body_len] = '\0';
38775 clean_path(collected, 0);
38776 - sys_symlink(collected + N_ALIGN(name_len), collected);
38777 - sys_lchown(collected, uid, gid);
38778 + sys_symlink((char __user *)collected + N_ALIGN(name_len), (char __user *)collected);
38779 + sys_lchown((char __user *)collected, uid, gid);
38780 do_utime(collected, mtime);
38782 next_state = Reset;
38783 diff -urNp linux-2.6.31/init/Kconfig linux-2.6.31/init/Kconfig
38784 --- linux-2.6.31/init/Kconfig 2009-08-27 20:59:04.000000000 -0400
38785 +++ linux-2.6.31/init/Kconfig 2009-09-06 15:29:12.138269157 -0400
38786 @@ -786,6 +786,7 @@ config SYSCTL_SYSCALL
38788 bool "Load all symbols for debugging/ksymoops" if EMBEDDED
38790 + depends on !GRKERNSEC_HIDESYM
38792 Say Y here to let the kernel print out symbolic crash information and
38793 symbolic stack backtraces. This increases the size of the kernel
38794 @@ -1014,7 +1015,7 @@ config STRIP_ASM_SYMS
38797 bool "Disable heap randomization"
38801 Randomizing heap placement makes heap exploits harder, but it
38802 also breaks ancient binaries (including anything libc5 based).
38803 @@ -1101,9 +1102,9 @@ config HAVE_GENERIC_DMA_COHERENT
38807 - depends on PROC_FS
38808 + depends on PROC_FS && !GRKERNSEC_PROC_ADD
38809 depends on SLAB || SLUB_DEBUG
38815 diff -urNp linux-2.6.31/init/main.c linux-2.6.31/init/main.c
38816 --- linux-2.6.31/init/main.c 2009-08-27 20:59:04.000000000 -0400
38817 +++ linux-2.6.31/init/main.c 2009-09-10 19:30:55.032975374 -0400
38818 @@ -96,6 +96,7 @@ static inline void mark_rodata_ro(void)
38820 extern void tc_init(void);
38822 +extern void grsecurity_init(void);
38824 enum system_states system_state __read_mostly;
38825 EXPORT_SYMBOL(system_state);
38826 @@ -182,6 +183,35 @@ static int __init set_reset_devices(char
38828 __setup("reset_devices", set_reset_devices);
38830 +#if defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32)
38831 +static int __init setup_pax_nouderef(char *str)
38833 + unsigned int cpu;
38835 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
38836 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
38837 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
38839 + asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
38840 + asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
38841 + asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
38845 +early_param("pax_nouderef", setup_pax_nouderef);
38848 +#ifdef CONFIG_PAX_SOFTMODE
38849 +unsigned int pax_softmode;
38851 +static int __init setup_pax_softmode(char *str)
38853 + get_option(&str, &pax_softmode);
38856 +__setup("pax_softmode=", setup_pax_softmode);
38859 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
38860 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
38861 static const char *panic_later, *panic_param;
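Review bot: `setup_pax_softmode` passes `&pax_softmode`, an `unsigned int *`, to `get_option()`, whose second parameter is `int *`; declare the variable as `int pax_softmode;` or parse into a local `int` and assign it, rather than relying on the pointer-sign mismatch being tolerated by the build flags. `setup_pax_nouderef` also deserves a header comment: it rewrites the kernel data-segment descriptor in all `NR_CPUS` GDT copies (type 3, limit nibble 0xf, which appears to restore a flat writable segment) and reloads `%ds`/`%es`/`%ss`, i.e. it is a boot-time switch that turns the UDEREF separation off, e.g. `/* "pax_nouderef": restore flat kernel data segments in every CPU's GDT, disabling UDEREF for this boot */`. The return statements and closing braces of both handlers are not in the lines shown.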
38862 @@ -375,7 +405,7 @@ static void __init setup_nr_cpu_ids(void
38865 #ifndef CONFIG_HAVE_SETUP_PER_CPU_AREA
38866 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly;
38867 +unsigned long __per_cpu_offset[NR_CPUS] __read_only;
38869 EXPORT_SYMBOL(__per_cpu_offset);
38871 @@ -741,6 +771,7 @@ int do_one_initcall(initcall_t fn)
38873 int count = preempt_count();
38874 ktime_t calltime, delta, rettime;
38875 + const char *msg1 = "", *msg2 = "";
38877 if (initcall_debug) {
38878 call.caller = task_pid_nr(current);
38879 @@ -768,15 +799,15 @@ int do_one_initcall(initcall_t fn)
38880 sprintf(msgbuf, "error code %d ", ret.result);
38882 if (preempt_count() != count) {
38883 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
38884 + msg1 = " preemption imbalance";
38885 preempt_count() = count;
38887 if (irqs_disabled()) {
38888 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
38889 + msg2 = " disabled interrupts";
38890 local_irq_enable();
38893 - printk("initcall %pF returned with %s\n", fn, msgbuf);
38894 + if (msgbuf[0] || *msg1 || *msg2) {
38895 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
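Review bot: The message assembly now mixes the trailing space in `sprintf(msgbuf, "error code %d ", ret.result)` with leading spaces in `msg1`/`msg2`, so the output reads `returned with  preemption imbalance` (two spaces) when `msgbuf` is empty and `error code -5  preemption imbalance` when both are set. Giving every fragment its own leading space and dropping the one from the format fixes it: `sprintf(msgbuf, " error code %d", ret.result);` and `printk("initcall %pF returned with%s%s%s\n", fn, msgbuf, msg1, msg2);`. `do_one_initcall` begins and ends outside this hunk, and the closing brace of the new `if` is not shown.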
38899 @@ -923,6 +954,8 @@ static int __init kernel_init(void * unu
38900 prepare_namespace();
38903 + grsecurity_init();
38906 * Ok, we have completed the initial bootup, and
38907 * we're essentially up and running. Get rid of the
38908 diff -urNp linux-2.6.31/init/noinitramfs.c linux-2.6.31/init/noinitramfs.c
38909 --- linux-2.6.31/init/noinitramfs.c 2009-08-27 20:59:04.000000000 -0400
38910 +++ linux-2.6.31/init/noinitramfs.c 2009-09-06 15:29:12.140231970 -0400
38911 @@ -29,7 +29,7 @@ static int __init default_rootfs(void)
38915 - err = sys_mkdir("/dev", 0755);
38916 + err = sys_mkdir((const char __user *)"/dev", 0755);
38920 @@ -39,7 +39,7 @@ static int __init default_rootfs(void)
38924 - err = sys_mkdir("/root", 0700);
38925 + err = sys_mkdir((const char __user *)"/root", 0700);
38929 diff -urNp linux-2.6.31/ipc/ipc_sysctl.c linux-2.6.31/ipc/ipc_sysctl.c
38930 --- linux-2.6.31/ipc/ipc_sysctl.c 2009-08-27 20:59:04.000000000 -0400
38931 +++ linux-2.6.31/ipc/ipc_sysctl.c 2009-09-06 15:29:12.140231970 -0400
38932 @@ -267,7 +267,7 @@ static struct ctl_table ipc_kern_table[]
38937 + { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
38940 static struct ctl_table ipc_root_table[] = {
38941 @@ -277,7 +277,7 @@ static struct ctl_table ipc_root_table[]
38943 .child = ipc_kern_table,
38946 + { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
38949 static int __init ipc_sysctl_init(void)
38950 diff -urNp linux-2.6.31/ipc/mqueue.c linux-2.6.31/ipc/mqueue.c
38951 --- linux-2.6.31/ipc/mqueue.c 2009-08-27 20:59:04.000000000 -0400
38952 +++ linux-2.6.31/ipc/mqueue.c 2009-09-06 15:29:12.140231970 -0400
38953 @@ -77,7 +77,7 @@ struct mqueue_inode_info {
38955 static const struct inode_operations mqueue_dir_inode_operations;
38956 static const struct file_operations mqueue_file_operations;
38957 -static struct super_operations mqueue_super_ops;
38958 +static const struct super_operations mqueue_super_ops;
38959 static void remove_notification(struct mqueue_inode_info *info);
38961 static struct kmem_cache *mqueue_inode_cachep;
38962 @@ -150,6 +150,7 @@ static struct inode *mqueue_get_inode(st
38963 mq_bytes = (mq_msg_tblsz +
38964 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
38966 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
38967 spin_lock(&mq_lock);
38968 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
38969 u->mq_bytes + mq_bytes >
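Review bot: The new `gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1)` reads `u->mq_bytes` and forms the sum before `spin_lock(&mq_lock)` is taken, while the check immediately below reads the same field and guards the same sum (including the wrap-around test) under the lock, so the hook sees an unlocked snapshot that may be stale or wrapped. If that is acceptable for a best-effort learning path, say so with `/* unlocked snapshot: learning only, the authoritative check is under mq_lock below */`; otherwise move the call inside the locked region. `mqueue_get_inode` continues outside this hunk.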
38970 @@ -1224,7 +1225,7 @@ static const struct file_operations mque
38971 .read = mqueue_read_file,
38974 -static struct super_operations mqueue_super_ops = {
38975 +static const struct super_operations mqueue_super_ops = {
38976 .alloc_inode = mqueue_alloc_inode,
38977 .destroy_inode = mqueue_destroy_inode,
38978 .statfs = simple_statfs,
38979 diff -urNp linux-2.6.31/ipc/msg.c linux-2.6.31/ipc/msg.c
38980 --- linux-2.6.31/ipc/msg.c 2009-08-27 20:59:04.000000000 -0400
38981 +++ linux-2.6.31/ipc/msg.c 2009-09-06 15:29:12.141192517 -0400
38982 @@ -314,6 +314,7 @@ SYSCALL_DEFINE2(msgget, key_t, key, int,
38983 struct ipc_namespace *ns;
38984 struct ipc_ops msg_ops;
38985 struct ipc_params msg_params;
38988 ns = current->nsproxy->ipc_ns;
38990 @@ -324,7 +325,11 @@ SYSCALL_DEFINE2(msgget, key_t, key, int,
38991 msg_params.key = key;
38992 msg_params.flg = msgflg;
38994 - return ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
38995 + err = ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
38997 + gr_log_msgget(err, msgflg);
39002 static inline unsigned long
39003 @@ -434,6 +439,7 @@ static int msgctl_down(struct ipc_namesp
39007 + gr_log_msgrm(ipcp->uid, ipcp->cuid);
39011 diff -urNp linux-2.6.31/ipc/sem.c linux-2.6.31/ipc/sem.c
39012 --- linux-2.6.31/ipc/sem.c 2009-08-27 20:59:04.000000000 -0400
39013 +++ linux-2.6.31/ipc/sem.c 2009-09-06 15:29:12.142155742 -0400
39014 @@ -313,6 +313,7 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
39015 struct ipc_namespace *ns;
39016 struct ipc_ops sem_ops;
39017 struct ipc_params sem_params;
39020 ns = current->nsproxy->ipc_ns;
39022 @@ -327,7 +328,11 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
39023 sem_params.flg = semflg;
39024 sem_params.u.nsems = nsems;
39026 - return ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
39027 + err = ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
39029 + gr_log_semget(err, semflg);
39035 @@ -870,6 +875,7 @@ static int semctl_down(struct ipc_namesp
39039 + gr_log_semrm(ipcp->uid, ipcp->cuid);
39043 diff -urNp linux-2.6.31/ipc/shm.c linux-2.6.31/ipc/shm.c
39044 --- linux-2.6.31/ipc/shm.c 2009-08-27 20:59:04.000000000 -0400
39045 +++ linux-2.6.31/ipc/shm.c 2009-09-06 15:29:12.142155742 -0400
39046 @@ -55,7 +55,7 @@ struct shm_file_data {
39047 #define shm_file_data(file) (*((struct shm_file_data **)&(file)->private_data))
39049 static const struct file_operations shm_file_operations;
39050 -static struct vm_operations_struct shm_vm_ops;
39051 +static const struct vm_operations_struct shm_vm_ops;
39053 #define shm_ids(ns) ((ns)->ids[IPC_SHM_IDS])
39055 @@ -70,6 +70,14 @@ static void shm_destroy (struct ipc_name
39056 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
39059 +#ifdef CONFIG_GRKERNSEC
39060 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39061 + const time_t shm_createtime, const uid_t cuid,
39062 + const int shmid);
39063 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39064 + const time_t shm_createtime);
39067 void shm_init_ns(struct ipc_namespace *ns)
39069 ns->shm_ctlmax = SHMMAX;
39070 @@ -88,6 +96,8 @@ static void do_shm_rmid(struct ipc_names
39071 struct shmid_kernel *shp;
39072 shp = container_of(ipcp, struct shmid_kernel, shm_perm);
39074 + gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
39076 if (shp->shm_nattch){
39077 shp->shm_perm.mode |= SHM_DEST;
39078 /* Do not find it any more */
39079 @@ -312,7 +322,7 @@ static const struct file_operations shm_
39080 .get_unmapped_area = shm_get_unmapped_area,
39083 -static struct vm_operations_struct shm_vm_ops = {
39084 +static const struct vm_operations_struct shm_vm_ops = {
39085 .open = shm_open, /* callback for a new vm-area open */
39086 .close = shm_close, /* callback for when the vm-area is released */
39087 .fault = shm_fault,
39088 @@ -395,6 +405,14 @@ static int newseg(struct ipc_namespace *
39089 shp->shm_lprid = 0;
39090 shp->shm_atim = shp->shm_dtim = 0;
39091 shp->shm_ctim = get_seconds();
39092 +#ifdef CONFIG_GRKERNSEC
39094 + struct timespec timeval;
39095 + do_posix_clock_monotonic_gettime(&timeval);
39097 + shp->shm_createtime = timeval.tv_sec;
39100 shp->shm_segsz = size;
39101 shp->shm_nattch = 0;
39102 shp->shm_file = file;
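Review bot: `shm_createtime` is filled from `do_posix_clock_monotonic_gettime()` while `shm_ctim` two lines above uses `get_seconds()`, so the two timestamps are on different clocks (monotonic seconds versus wall-clock time) and must never be compared with each other; nothing here or at the field's definition records that. A comment at the assignment, `/* monotonic clock seconds, unlike shm_ctim (wall clock) */`, would stop a later reader from treating it like the other `shm_*tim` fields. The `{`/`}` of the `CONFIG_GRKERNSEC` block and `newseg`'s boundaries are outside the lines shown.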
39103 @@ -450,6 +468,7 @@ SYSCALL_DEFINE3(shmget, key_t, key, size
39104 struct ipc_namespace *ns;
39105 struct ipc_ops shm_ops;
39106 struct ipc_params shm_params;
39109 ns = current->nsproxy->ipc_ns;
39111 @@ -461,7 +480,11 @@ SYSCALL_DEFINE3(shmget, key_t, key, size
39112 shm_params.flg = shmflg;
39113 shm_params.u.size = size;
39115 - return ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
39116 + err = ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
39118 + gr_log_shmget(err, shmflg, size);
39123 static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
39124 @@ -878,9 +901,21 @@ long do_shmat(int shmid, char __user *sh
39128 +#ifdef CONFIG_GRKERNSEC
39129 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
39130 + shp->shm_perm.cuid, shmid) ||
39131 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
39137 path.dentry = dget(shp->shm_file->f_path.dentry);
39138 path.mnt = shp->shm_file->f_path.mnt;
39140 +#ifdef CONFIG_GRKERNSEC
39141 + shp->shm_lapid = current->pid;
39143 size = i_size_read(path.dentry->d_inode);
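Review bot: `shp->shm_lapid = current->pid` records the global, thread-level pid, whereas, as far as I recall, the pid fields this struct already carries in the 2.6.31 tree (`shm_cprid`, `shm_lprid`) are set with `task_tgid_vnr(current)`; since `gr_handle_shmat`/`gr_chroot_shmat` a few lines up take `shm_cprid` and `shm_lapid` together, the two should be recorded in the same pid domain, so use `task_tgid_vnr(current)` (or whatever `shm_cprid` uses) here. The body of the failure branch after the `gr_handle_shmat` test is not in the lines shown, so I cannot tell what is returned or unlocked there. `do_shmat` begins outside the hunk.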
39146 diff -urNp linux-2.6.31/ipc/util.c linux-2.6.31/ipc/util.c
39147 --- linux-2.6.31/ipc/util.c 2009-08-27 20:59:04.000000000 -0400
39148 +++ linux-2.6.31/ipc/util.c 2009-09-06 15:29:12.143156554 -0400
39149 @@ -942,7 +942,7 @@ static int sysvipc_proc_show(struct seq_
39150 return iface->show(s, it);
39153 -static struct seq_operations sysvipc_proc_seqops = {
39154 +static const struct seq_operations sysvipc_proc_seqops = {
39155 .start = sysvipc_proc_start,
39156 .stop = sysvipc_proc_stop,
39157 .next = sysvipc_proc_next,
39158 diff -urNp linux-2.6.31/kernel/acct.c linux-2.6.31/kernel/acct.c
39159 --- linux-2.6.31/kernel/acct.c 2009-08-27 20:59:04.000000000 -0400
39160 +++ linux-2.6.31/kernel/acct.c 2009-09-06 15:29:12.143156554 -0400
39161 @@ -574,7 +574,7 @@ static void do_acct_process(struct bsd_a
39163 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
39164 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
39165 - file->f_op->write(file, (char *)&ac,
39166 + file->f_op->write(file, (char __user *)&ac,
39167 sizeof(acct_t), &file->f_pos);
39168 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
39170 diff -urNp linux-2.6.31/kernel/capability.c linux-2.6.31/kernel/capability.c
39171 --- linux-2.6.31/kernel/capability.c 2009-08-27 20:59:04.000000000 -0400
39172 +++ linux-2.6.31/kernel/capability.c 2009-09-06 15:29:12.144162999 -0400
39173 @@ -306,10 +306,21 @@ int capable(int cap)
39177 - if (security_capable(cap) == 0) {
39178 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
39179 current->flags |= PF_SUPERPRIV;
39185 +int capable_nolog(int cap)
39187 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
39188 + current->flags |= PF_SUPERPRIV;
39194 EXPORT_SYMBOL(capable);
39195 +EXPORT_SYMBOL(capable_nolog);
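Review bot: `capable_nolog` duplicates the body of `capable()` with `gr_is_capable()` swapped for `gr_is_capable_nolog()`, and it is exported without any kernel-doc while `capable()` has one above the hunk; add a header stating that it behaves like `capable()` but consults the non-logging grsecurity hook, presumably for probing checks whose denial is expected and should not be recorded. The same comment should note that in both functions `security_capable()` is evaluated first and short-circuits, so the grsecurity hook only sees requests the LSM has already allowed. The body of `capable()` and the return statements are partly outside the lines shown.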
39196 diff -urNp linux-2.6.31/kernel/cgroup.c linux-2.6.31/kernel/cgroup.c
39197 --- linux-2.6.31/kernel/cgroup.c 2009-08-27 20:59:04.000000000 -0400
39198 +++ linux-2.6.31/kernel/cgroup.c 2009-09-06 15:29:12.144162999 -0400
39199 @@ -596,8 +596,8 @@ void cgroup_unlock(void)
39200 static int cgroup_mkdir(struct inode *dir, struct dentry *dentry, int mode);
39201 static int cgroup_rmdir(struct inode *unused_dir, struct dentry *dentry);
39202 static int cgroup_populate_dir(struct cgroup *cgrp);
39203 -static struct inode_operations cgroup_dir_inode_operations;
39204 -static struct file_operations proc_cgroupstats_operations;
39205 +static const struct inode_operations cgroup_dir_inode_operations;
39206 +static const struct file_operations proc_cgroupstats_operations;
39208 static struct backing_dev_info cgroup_backing_dev_info = {
39209 .capabilities = BDI_CAP_NO_ACCT_AND_WRITEBACK,
39210 @@ -960,7 +960,7 @@ static int cgroup_remount(struct super_b
39214 -static struct super_operations cgroup_ops = {
39215 +static const struct super_operations cgroup_ops = {
39216 .statfs = simple_statfs,
39217 .drop_inode = generic_delete_inode,
39218 .show_options = cgroup_show_options,
39219 @@ -1643,7 +1643,7 @@ static int cgroup_seqfile_release(struct
39220 return single_release(inode, file);
39223 -static struct file_operations cgroup_seqfile_operations = {
39224 +static const struct file_operations cgroup_seqfile_operations = {
39226 .write = cgroup_file_write,
39227 .llseek = seq_lseek,
39228 @@ -1702,7 +1702,7 @@ static int cgroup_rename(struct inode *o
39229 return simple_rename(old_dir, old_dentry, new_dir, new_dentry);
39232 -static struct file_operations cgroup_file_operations = {
39233 +static const struct file_operations cgroup_file_operations = {
39234 .read = cgroup_file_read,
39235 .write = cgroup_file_write,
39236 .llseek = generic_file_llseek,
39237 @@ -1710,7 +1710,7 @@ static struct file_operations cgroup_fil
39238 .release = cgroup_file_release,
39241 -static struct inode_operations cgroup_dir_inode_operations = {
39242 +static const struct inode_operations cgroup_dir_inode_operations = {
39243 .lookup = simple_lookup,
39244 .mkdir = cgroup_mkdir,
39245 .rmdir = cgroup_rmdir,
39246 @@ -2313,7 +2313,7 @@ static int cgroup_tasks_show(struct seq_
39247 return seq_printf(s, "%d\n", *(int *)v);
39250 -static struct seq_operations cgroup_tasks_seq_operations = {
39251 +static const struct seq_operations cgroup_tasks_seq_operations = {
39252 .start = cgroup_tasks_start,
39253 .stop = cgroup_tasks_stop,
39254 .next = cgroup_tasks_next,
39255 @@ -2350,7 +2350,7 @@ static int cgroup_tasks_release(struct i
39256 return seq_release(inode, file);
39259 -static struct file_operations cgroup_tasks_operations = {
39260 +static const struct file_operations cgroup_tasks_operations = {
39262 .llseek = seq_lseek,
39263 .write = cgroup_file_write,
39264 @@ -3016,7 +3016,7 @@ static int cgroup_open(struct inode *ino
39265 return single_open(file, proc_cgroup_show, pid);
39268 -struct file_operations proc_cgroup_operations = {
39269 +const struct file_operations proc_cgroup_operations = {
39270 .open = cgroup_open,
39272 .llseek = seq_lseek,
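Review bot: proc_cgroup_operations at 39269 is a non-static definition, so the `extern struct file_operations proc_cgroup_operations;` declaration it is paired with elsewhere (presumably include/linux/cgroup.h or fs/proc/base.c, neither in view) must gain the same `const` qualifier, because a definition whose qualifiers conflict with an earlier declaration does not compile. The file-local tables are handled consistently: their forward declarations at 39205-39206 were updated together with the definitions. If the header change is in another part of this patch, fine; otherwise this hunk is incomplete on its own.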
39273 @@ -3045,7 +3045,7 @@ static int cgroupstats_open(struct inode
39274 return single_open(file, proc_cgroupstats_show, NULL);
39277 -static struct file_operations proc_cgroupstats_operations = {
39278 +static const struct file_operations proc_cgroupstats_operations = {
39279 .open = cgroupstats_open,
39281 .llseek = seq_lseek,
39282 diff -urNp linux-2.6.31/kernel/configs.c linux-2.6.31/kernel/configs.c
39283 --- linux-2.6.31/kernel/configs.c 2009-08-27 20:59:04.000000000 -0400
39284 +++ linux-2.6.31/kernel/configs.c 2009-09-06 15:29:12.145274720 -0400
39285 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
39286 struct proc_dir_entry *entry;
39288 /* create the current config file */
39289 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
39290 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
39291 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
39292 + &ikconfig_file_ops);
39293 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
39294 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
39295 + &ikconfig_file_ops);
39298 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
39299 &ikconfig_file_ops);
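Review bot: The permission ladder at 39289-39295 replaces the world-readable mode of /proc/config.gz without saying why, and the closing `#else`/`#endif` of the ladder are not shown in this excerpt. A comment would help the next reader, e.g. `/* the build configuration reveals which hardening options are active: root only under PROC_USER/HIDESYM, root plus the admin group under PROC_USERGROUP */`. Note that kallsyms_init in kernel/kallsyms.c later in this diff keys the same ladder on CONFIG_GRKERNSEC_PROC_ADD alone and has no HIDESYM alternative; if that asymmetry is intended (HIDESYM presumably hides addresses in /proc/kallsyms instead), the comment is the place to say so.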
39305 diff -urNp linux-2.6.31/kernel/cpu.c linux-2.6.31/kernel/cpu.c
39306 --- linux-2.6.31/kernel/cpu.c 2009-08-27 20:59:04.000000000 -0400
39307 +++ linux-2.6.31/kernel/cpu.c 2009-09-06 15:29:12.145274720 -0400
39309 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
39310 static DEFINE_MUTEX(cpu_add_remove_lock);
39312 -static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
39313 +static RAW_NOTIFIER_HEAD(cpu_chain);
39315 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
39316 * Should always be manipulated under cpu_add_remove_lock
39317 diff -urNp linux-2.6.31/kernel/cred.c linux-2.6.31/kernel/cred.c
39318 --- linux-2.6.31/kernel/cred.c 2009-08-27 20:59:04.000000000 -0400
39319 +++ linux-2.6.31/kernel/cred.c 2009-09-06 15:29:12.146216240 -0400
39320 @@ -366,6 +366,8 @@ int commit_creds(struct cred *new)
39322 get_cred(new); /* we will require a ref for the subj creds too */
39324 + gr_set_role_label(task, new->uid, new->gid);
39326 /* dumpability changes */
39327 if (old->euid != new->euid ||
39328 old->egid != new->egid ||
39329 diff -urNp linux-2.6.31/kernel/exit.c linux-2.6.31/kernel/exit.c
39330 --- linux-2.6.31/kernel/exit.c 2009-08-27 20:59:04.000000000 -0400
39331 +++ linux-2.6.31/kernel/exit.c 2009-09-06 15:29:12.146216240 -0400
39333 #include <asm/mmu_context.h>
39334 #include "cred-internals.h"
39336 +#ifdef CONFIG_GRKERNSEC
39337 +extern rwlock_t grsec_exec_file_lock;
39340 static void exit_mm(struct task_struct * tsk);
39342 static void __unhash_process(struct task_struct *p)
39343 @@ -167,6 +171,8 @@ void release_task(struct task_struct * p
39344 struct task_struct *leader;
39347 + gr_del_task_from_ip_table(p);
39349 tracehook_prepare_release_task(p);
39350 /* don't need to get the RCU readlock here - the process is dead and
39351 * can't be modifying its own credentials */
39352 @@ -334,11 +340,22 @@ static void reparent_to_kthreadd(void)
39354 write_lock_irq(&tasklist_lock);
39356 +#ifdef CONFIG_GRKERNSEC
39357 + write_lock(&grsec_exec_file_lock);
39358 + if (current->exec_file) {
39359 + fput(current->exec_file);
39360 + current->exec_file = NULL;
39362 + write_unlock(&grsec_exec_file_lock);
39365 ptrace_unlink(current);
39366 /* Reparent to init */
39367 current->real_parent = current->parent = kthreadd_task;
39368 list_move_tail(¤t->sibling, ¤t->real_parent->children);
39370 + gr_set_kernel_label(current);
39372 /* Set the exit signal to SIGCHLD so we signal init on exit */
39373 current->exit_signal = SIGCHLD;
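Review bot: fput() at 39359 runs while grsec_exec_file_lock, a spinning rwlock, is write-held, and in reparent_to_kthreadd additionally under write_lock_irq(&tasklist_lock) taken at 39354; if that fput() drops the last reference, the release path may sleep, which is not allowed in either context. The same five-line block is repeated in daemonize at 39380-39385, where it precedes exit_mm (the comment at 39391-39392 is the one that introduces exit_mm), so the mapping of the binary presumably still pins the file there, but the lock discipline should not depend on that. Clear the pointer under the lock and fput() after releasing it, in one shared helper, and in reparent_to_kthreadd call that helper before write_lock_irq(&tasklist_lock) rather than inside it. Both enclosing functions extend outside the hunk.
```c
#ifdef CONFIG_GRKERNSEC
/*
 * Drop the task's exec_file reference.  The pointer is cleared under
 * grsec_exec_file_lock, but fput() is called only after the lock is
 * released: a final fput() may sleep, which is not allowed under a
 * spinning rwlock (nor under tasklist_lock in reparent_to_kthreadd).
 */
static void gr_put_exec_file(struct task_struct *tsk)
{
	struct file *exec_file;

	write_lock(&grsec_exec_file_lock);
	exec_file = tsk->exec_file;
	tsk->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);

	if (exec_file)
		fput(exec_file);
}
#endif

/* … in reparent_to_kthreadd(), before the tasklist_lock is taken … */
#ifdef CONFIG_GRKERNSEC
	gr_put_exec_file(current);
#endif
	write_lock_irq(&tasklist_lock);
	/* … unchanged: ptrace_unlink, reparent to kthreadd, gr_set_kernel_label … */
```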
39375 @@ -426,6 +443,17 @@ void daemonize(const char *name, ...)
39376 vsnprintf(current->comm, sizeof(current->comm), name, args);
39379 +#ifdef CONFIG_GRKERNSEC
39380 + write_lock(&grsec_exec_file_lock);
39381 + if (current->exec_file) {
39382 + fput(current->exec_file);
39383 + current->exec_file = NULL;
39385 + write_unlock(&grsec_exec_file_lock);
39388 + gr_set_kernel_label(current);
39391 * If we were started as result of loading a module, close all of the
39392 * user space pages. We don't need them, and if we didn't close them
39393 @@ -953,6 +981,9 @@ NORET_TYPE void do_exit(long code)
39394 tsk->exit_code = code;
39395 taskstats_exit(tsk, group_dead);
39397 + gr_acl_handle_psacct(tsk, code);
39398 + gr_acl_handle_exit();
39403 @@ -1171,7 +1202,7 @@ static int wait_task_zombie(struct wait_
39405 if (unlikely(wo->wo_flags & WNOWAIT)) {
39406 int exit_code = p->exit_code;
39410 get_task_struct(p);
39411 read_unlock(&tasklist_lock);
39412 diff -urNp linux-2.6.31/kernel/fork.c linux-2.6.31/kernel/fork.c
39413 --- linux-2.6.31/kernel/fork.c 2009-08-27 20:59:04.000000000 -0400
39414 +++ linux-2.6.31/kernel/fork.c 2009-09-06 15:29:12.147220825 -0400
39415 @@ -244,7 +244,7 @@ static struct task_struct *dup_task_stru
39416 *stackend = STACK_END_MAGIC; /* for overflow detection */
39418 #ifdef CONFIG_CC_STACKPROTECTOR
39419 - tsk->stack_canary = get_random_int();
39420 + tsk->stack_canary = pax_get_random_long();
39423 /* One for us, one for whoever does the "release_task()" (usually parent) */
39424 @@ -281,8 +281,8 @@ static int dup_mmap(struct mm_struct *mm
39427 mm->mmap_cache = NULL;
39428 - mm->free_area_cache = oldmm->mmap_base;
39429 - mm->cached_hole_size = ~0UL;
39430 + mm->free_area_cache = oldmm->free_area_cache;
39431 + mm->cached_hole_size = oldmm->cached_hole_size;
39433 cpumask_clear(mm_cpumask(mm));
39434 mm->mm_rb = RB_ROOT;
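Review bot: The new lines at 39430-39431 carry the parent's free_area_cache and cached_hole_size into the child without saying why the previous reset to mmap_base and ~0UL was wrong, and a reader of dup_mmap will not guess the reason. Add a one-line comment stating the rationale, e.g. `/* inherit the parent's free-area search state rather than restarting the search from mmap_base */`, and if the motivation is keeping the child's later mmap placement consistent with the parent's layout (that is my reading, not something the hunk shows), say so explicitly. dup_mmap continues outside the hunk.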
39435 @@ -319,6 +319,7 @@ static int dup_mmap(struct mm_struct *mm
39436 tmp->vm_flags &= ~VM_LOCKED;
39438 tmp->vm_next = NULL;
39439 + tmp->vm_mirror = NULL;
39440 anon_vma_link(tmp);
39441 file = tmp->vm_file;
39443 @@ -366,6 +367,31 @@ static int dup_mmap(struct mm_struct *mm
39448 +#ifdef CONFIG_PAX_SEGMEXEC
39449 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
39450 + struct vm_area_struct *mpnt_m;
39452 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
39453 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
39455 + if (!mpnt->vm_mirror)
39458 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
39459 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
39460 + mpnt->vm_mirror = mpnt_m;
39462 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
39463 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
39464 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
39465 + mpnt->vm_mirror->vm_mirror = mpnt;
39472 /* a new mm has just been created */
39473 arch_dup_mmap(oldmm, mm);
39475 @@ -546,9 +572,11 @@ void mm_release(struct task_struct *tsk,
39476 #ifdef CONFIG_FUTEX
39477 if (unlikely(tsk->robust_list))
39478 exit_robust_list(tsk);
39479 + tsk->robust_list = NULL;
39480 #ifdef CONFIG_COMPAT
39481 if (unlikely(tsk->compat_robust_list))
39482 compat_exit_robust_list(tsk);
39483 + tsk->compat_robust_list = NULL;
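Review bot: The two NULL assignments at 39479 and 39483 have no comment; they presumably keep a later mm_release() on the same task from walking the user-space robust list a second time after the first walk has already processed its entries, but that reasoning should be stated next to the code, e.g. `/* walked once; never revisit a stale user-space list on a later mm_release() */`. If the motivating case is exec after the list was registered, where the new image no longer owns the memory the pointer refers to, the comment should name it. mm_release continues outside the hunk.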
39487 @@ -567,6 +595,7 @@ void mm_release(struct task_struct *tsk,
39488 * the value intact in a core dump, and to save the unnecessary
39489 * trouble otherwise. Userland only wants this done for a sys_exit.
39492 if (tsk->clear_child_tid) {
39493 if (!(tsk->flags & PF_SIGNALED) &&
39494 atomic_read(&mm->mm_users) > 1) {
39495 @@ -576,7 +605,7 @@ void mm_release(struct task_struct *tsk,
39497 put_user(0, tsk->clear_child_tid);
39498 sys_futex(tsk->clear_child_tid, FUTEX_WAKE,
39499 - 1, NULL, NULL, 0);
39500 + 1, NULL, NULL, 0);
39502 tsk->clear_child_tid = NULL;
39504 @@ -694,7 +723,7 @@ static int copy_fs(unsigned long clone_f
39505 write_unlock(&fs->lock);
39509 + atomic_inc(&fs->users);
39510 write_unlock(&fs->lock);
39513 @@ -977,6 +1006,9 @@ static struct task_struct *copy_process(
39515 if (!vx_nproc_avail(1))
39516 goto bad_fork_cleanup_vm;
39518 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
39520 if (atomic_read(&p->real_cred->user->processes) >=
39521 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
39522 if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
39523 @@ -1133,6 +1165,8 @@ static struct task_struct *copy_process(
39524 goto bad_fork_free_pid;
39527 + gr_copy_label(p);
39529 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
39531 * Clear TID on mm_release()?
39532 @@ -1302,6 +1336,8 @@ bad_fork_cleanup_count:
39536 + gr_log_forkfail(retval);
39538 return ERR_PTR(retval);
39541 @@ -1395,6 +1431,8 @@ long do_fork(unsigned long clone_flags,
39542 if (clone_flags & CLONE_PARENT_SETTID)
39543 put_user(nr, parent_tidptr);
39545 + gr_handle_brute_check();
39547 if (clone_flags & CLONE_VFORK) {
39548 p->vfork_done = &vfork;
39549 init_completion(&vfork);
39550 @@ -1527,7 +1565,7 @@ static int unshare_fs(unsigned long unsh
39553 /* don't need lock here; in the worst case we'll do useless copy */
39554 - if (fs->users == 1)
39555 + if (atomic_read(&fs->users) == 1)
39558 *new_fsp = copy_fs_struct(fs);
39559 @@ -1650,7 +1688,7 @@ SYSCALL_DEFINE1(unshare, unsigned long,
39561 write_lock(&fs->lock);
39562 current->fs = new_fs;
39564 + if (atomic_dec_return(&fs->users))
39568 diff -urNp linux-2.6.31/kernel/futex.c linux-2.6.31/kernel/futex.c
39569 --- linux-2.6.31/kernel/futex.c 2009-08-27 20:59:04.000000000 -0400
39570 +++ linux-2.6.31/kernel/futex.c 2009-09-06 15:29:12.148177720 -0400
39571 @@ -218,6 +218,11 @@ get_futex_key(u32 __user *uaddr, int fsh
39575 +#ifdef CONFIG_PAX_SEGMEXEC
39576 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
39581 * The futex address must be "naturally" aligned.
39583 @@ -1788,7 +1793,7 @@ static int futex_wait(u32 __user *uaddr,
39585 restart = ¤t_thread_info()->restart_block;
39586 restart->fn = futex_wait_restart;
39587 - restart->futex.uaddr = (u32 *)uaddr;
39588 + restart->futex.uaddr = uaddr;
39589 restart->futex.val = val;
39590 restart->futex.time = abs_time->tv64;
39591 restart->futex.bitset = bitset;
39592 @@ -2403,7 +2408,7 @@ retry:
39594 static inline int fetch_robust_entry(struct robust_list __user **entry,
39595 struct robust_list __user * __user *head,
39597 + unsigned int *pi)
39599 unsigned long uentry;
39601 diff -urNp linux-2.6.31/kernel/gcov/base.c linux-2.6.31/kernel/gcov/base.c
39602 --- linux-2.6.31/kernel/gcov/base.c 2009-08-27 20:59:04.000000000 -0400
39603 +++ linux-2.6.31/kernel/gcov/base.c 2009-09-06 17:06:36.489170417 -0400
39604 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
39607 #ifdef CONFIG_MODULES
39608 -static inline int within(void *addr, void *start, unsigned long size)
39610 - return ((addr >= start) && (addr < start + size));
39613 /* Update list and generate events when modules are unloaded. */
39614 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
39616 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
39618 /* Remove entries located in module from linked list. */
39619 for (info = gcov_info_head; info; info = info->next) {
39620 - if (within(info, mod->module_core, mod->core_size)) {
39621 + if (within_module_core_rw((unsigned long)info, mod)) {
39623 prev->next = info->next;
39625 diff -urNp linux-2.6.31/kernel/kallsyms.c linux-2.6.31/kernel/kallsyms.c
39626 --- linux-2.6.31/kernel/kallsyms.c 2009-08-27 20:59:04.000000000 -0400
39627 +++ linux-2.6.31/kernel/kallsyms.c 2009-09-06 15:29:12.149167803 -0400
39628 @@ -51,6 +51,9 @@ extern const unsigned long kallsyms_mark
39630 static inline int is_kernel_inittext(unsigned long addr)
39632 + if (system_state != SYSTEM_BOOTING)
39635 if (addr >= (unsigned long)_sinittext
39636 && addr <= (unsigned long)_einittext)
39638 @@ -66,6 +69,16 @@ static inline int is_kernel_text(unsigne
39640 static inline int is_kernel(unsigned long addr)
39643 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
39644 + if ((unsigned long)&MODULES_EXEC_VADDR <= ktla_ktva(addr) &&
39645 + ktla_ktva(addr) < (unsigned long)&MODULES_EXEC_END)
39649 + if (is_kernel_inittext(addr))
39652 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
39654 return in_gate_area_no_task(addr);
39655 @@ -412,7 +425,6 @@ static unsigned long get_ksymbol_core(st
39657 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
39659 - iter->name[0] = '\0';
39660 iter->nameoff = get_symbol_offset(new_pos);
39661 iter->pos = new_pos;
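Review bot: Dropping `iter->name[0] = '\0';` from reset_iter at 39659 relies on the kzalloc at 39668 zeroing the buffer once at open, but reset_iter is presumably also reached on every position change from update_iter(), where the name of the previously shown symbol now stays in the buffer until the next lookup overwrites it. As long as every successful update_iter() path writes the name and s_show() runs only after a successful update this is harmless, but the two edits only work together, so a short comment on reset_iter, `/* name is left as is: every successful update_iter() refills it */`, would record the assumption. The rest of reset_iter and all of update_iter are outside the hunk.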
39663 @@ -500,7 +512,7 @@ static int kallsyms_open(struct inode *i
39664 struct kallsym_iter *iter;
39667 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
39668 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
39671 reset_iter(iter, 0);
39672 @@ -522,7 +534,15 @@ static const struct file_operations kall
39674 static int __init kallsyms_init(void)
39676 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
39677 +#ifdef CONFIG_GRKERNSEC_PROC_USER
39678 + proc_create("kallsyms", S_IFREG | S_IRUSR, NULL, &kallsyms_operations);
39679 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
39680 + proc_create("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL, &kallsyms_operations);
39683 proc_create("kallsyms", 0444, NULL, &kallsyms_operations);
39687 device_initcall(kallsyms_init);
39688 diff -urNp linux-2.6.31/kernel/kmod.c linux-2.6.31/kernel/kmod.c
39689 --- linux-2.6.31/kernel/kmod.c 2009-08-27 20:59:04.000000000 -0400
39690 +++ linux-2.6.31/kernel/kmod.c 2009-09-06 15:29:12.149167803 -0400
39691 @@ -84,6 +84,18 @@ int __request_module(bool wait, const ch
39692 if (ret >= MODULE_NAME_LEN)
39693 return -ENAMETOOLONG;
39695 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
39696 + /* we could do a tighter check here, but some distros
39697 + are taking it upon themselves to remove CAP_SYS_MODULE
39698 + from even root-running apps which cause modules to be
39701 + if (current_uid()) {
39702 + gr_log_nonroot_mod_load(module_name);
39707 /* If modprobe needs a service that is in a module, we get a recursive
39708 * loop. Limit the number of running kmod threads to max_threads/2 or
39709 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
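Review bot: gr_log_nonroot_mod_load() at 39702 is reachable from any unprivileged process whose syscall triggers an auto-load request, so unless the logger rate-limits internally (not visible here) one user can fill the log; if it does not, apply the same ratelimit discipline the kernel uses on its printk_ratelimit() paths or have the logger suppress repeats. The return that follows the log call is not shown in this excerpt. The existing comment at 39696-39698 explains why a uid test rather than CAP_SYS_MODULE is used; it is worth adding there that the check applies to every __request_module() caller, including kernel-internal ones acting on behalf of a user process. __request_module continues outside the hunk.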
39710 diff -urNp linux-2.6.31/kernel/kprobes.c linux-2.6.31/kernel/kprobes.c
39711 --- linux-2.6.31/kernel/kprobes.c 2009-08-27 20:59:04.000000000 -0400
39712 +++ linux-2.6.31/kernel/kprobes.c 2009-09-06 15:29:12.150160074 -0400
39713 @@ -184,7 +184,7 @@ static kprobe_opcode_t __kprobes *__get_
39714 * kernel image and loaded module images reside. This is required
39715 * so x86_64 can correctly handle the %rip-relative fixups.
39717 - kip->insns = module_alloc(PAGE_SIZE);
39718 + kip->insns = module_alloc_exec(PAGE_SIZE);
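Review bot: With the slot page now coming from module_alloc_exec() at 39718, under CONFIG_PAX_KERNEXEC it is presumably mapped read-only and executable, so the later copies of probed instructions into `kip->insns` (in the callers of __get_insn_slot and the arch code, outside this hunk) need the same pax_open_kernel()/pax_close_kernel() bracketing that kernel/module.c uses in this patch when it fills RX sections. If that is done elsewhere in the series, a one-line comment here, `/* RX under KERNEXEC: writers must pax_open_kernel() around their stores */`, would tie the two together. The free side at 39727 is converted consistently.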
39722 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
39723 hlist_add_head(&kip->hlist,
39724 &kprobe_insn_pages);
39726 - module_free(NULL, kip->insns);
39727 + module_free_exec(NULL, kip->insns);
39731 @@ -1329,7 +1329,7 @@ static int __kprobes show_kprobe_addr(st
39735 -static struct seq_operations kprobes_seq_ops = {
39736 +static const struct seq_operations kprobes_seq_ops = {
39737 .start = kprobe_seq_start,
39738 .next = kprobe_seq_next,
39739 .stop = kprobe_seq_stop,
39740 @@ -1341,7 +1341,7 @@ static int __kprobes kprobes_open(struct
39741 return seq_open(filp, &kprobes_seq_ops);
39744 -static struct file_operations debugfs_kprobes_operations = {
39745 +static const struct file_operations debugfs_kprobes_operations = {
39746 .open = kprobes_open,
39748 .llseek = seq_lseek,
39749 @@ -1523,7 +1523,7 @@ static ssize_t write_enabled_file_bool(s
39753 -static struct file_operations fops_kp = {
39754 +static const struct file_operations fops_kp = {
39755 .read = read_enabled_file_bool,
39756 .write = write_enabled_file_bool,
39758 diff -urNp linux-2.6.31/kernel/lockdep.c linux-2.6.31/kernel/lockdep.c
39759 --- linux-2.6.31/kernel/lockdep.c 2009-08-27 20:59:04.000000000 -0400
39760 +++ linux-2.6.31/kernel/lockdep.c 2009-09-06 17:54:25.063031502 -0400
39761 @@ -630,6 +630,10 @@ static int static_obj(void *obj)
39765 +#ifdef CONFIG_PAX_KERNEXEC
39766 + start = (unsigned long )&_sdata;
39772 @@ -641,9 +645,12 @@ static int static_obj(void *obj)
39775 for_each_possible_cpu(i) {
39776 +#ifdef CONFIG_X86_32
39777 + start = per_cpu_offset(i);
39779 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
39780 - end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
39781 - + per_cpu_offset(i);
39783 + end = start + PERCPU_ENOUGH_ROOM;
39785 if ((addr >= start) && (addr < end))
39787 diff -urNp linux-2.6.31/kernel/lockdep_proc.c linux-2.6.31/kernel/lockdep_proc.c
39788 --- linux-2.6.31/kernel/lockdep_proc.c 2009-08-27 20:59:04.000000000 -0400
39789 +++ linux-2.6.31/kernel/lockdep_proc.c 2009-09-06 15:29:12.151469136 -0400
39790 @@ -670,7 +670,7 @@ static int ls_show(struct seq_file *m, v
39794 -static struct seq_operations lockstat_ops = {
39795 +static const struct seq_operations lockstat_ops = {
39799 diff -urNp linux-2.6.31/kernel/module.c linux-2.6.31/kernel/module.c
39800 --- linux-2.6.31/kernel/module.c 2009-09-06 19:00:55.786376670 -0400
39801 +++ linux-2.6.31/kernel/module.c 2009-09-06 19:01:57.406916102 -0400
39803 #include <linux/rculist.h>
39804 #include <asm/uaccess.h>
39805 #include <asm/cacheflush.h>
39807 +#ifdef CONFIG_PAX_KERNEXEC
39808 +#include <asm/desc.h>
39811 #include <linux/license.h>
39812 #include <asm/sections.h>
39813 #include <linux/tracepoint.h>
39814 @@ -83,7 +88,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
39815 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
39817 /* Bounds of module allocation, for speeding __module_address */
39818 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
39819 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
39820 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
39822 int register_module_notifier(struct notifier_block * nb)
39824 @@ -239,7 +245,7 @@ bool each_symbol(bool (*fn)(const struct
39827 list_for_each_entry_rcu(mod, &modules, list) {
39828 - struct symsearch arr[] = {
39829 + struct symsearch modarr[] = {
39830 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
39831 NOT_GPL_ONLY, false },
39832 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
39833 @@ -261,7 +267,7 @@ bool each_symbol(bool (*fn)(const struct
39837 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
39838 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
39842 @@ -436,7 +442,7 @@ static void *percpu_modalloc(unsigned lo
39846 - if (align > PAGE_SIZE) {
39847 + if (align-1 >= PAGE_SIZE) {
39848 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
39849 name, align, PAGE_SIZE);
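Review bot: The rewritten test `align-1 >= PAGE_SIZE` at 39847 is not just a restyling of `align > PAGE_SIZE`: with `align` an unsigned long (per the hunk header), a value of 0 wraps to ULONG_MAX and is now rejected too, which the old comparison let through. Refusing a zero alignment is sensible, since it would presumably misbehave in the rounding that follows, but it deserves a comment, e.g. `/* align-1 wraps for align == 0, so a zero alignment is refused as well */`, and the warning text `%li > %li` is then slightly misleading for that case. percpu_modalloc continues outside the hunk.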
39851 @@ -549,7 +555,11 @@ static void percpu_modcopy(void *pcpudes
39854 for_each_possible_cpu(cpu)
39855 +#ifdef CONFIG_X86_32
39856 + memcpy(pcpudest + __per_cpu_offset[cpu], from, size);
39858 memcpy(pcpudest + per_cpu_offset(cpu), from, size);
39862 #else /* ... !CONFIG_SMP */
39863 @@ -1513,7 +1523,8 @@ static void free_module(struct module *m
39864 destroy_params(mod->kp, mod->num_kp);
39866 /* This may be NULL, but that's OK */
39867 - module_free(mod, mod->module_init);
39868 + module_free(mod, mod->module_init_rw);
39869 + module_free_exec(mod, mod->module_init_rx);
39872 percpu_modfree(mod->percpu);
39873 @@ -1522,10 +1533,12 @@ static void free_module(struct module *m
39874 percpu_modfree(mod->refptr);
39876 /* Free lock-classes: */
39877 - lockdep_free_key_range(mod->module_core, mod->core_size);
39878 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
39879 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
39881 /* Finally, free the core (containing the module structure) */
39882 - module_free(mod, mod->module_core);
39883 + module_free_exec(mod, mod->module_core_rx);
39884 + module_free(mod, mod->module_core_rw);
39887 void *__symbol_get(const char *symbol)
39888 @@ -1593,6 +1606,10 @@ static int simplify_symbols(Elf_Shdr *se
39890 const struct kernel_symbol *ksym;
39892 +#ifdef CONFIG_PAX_KERNEXEC
39893 + unsigned long cr0;
39896 for (i = 1; i < n; i++) {
39897 switch (sym[i].st_shndx) {
39899 @@ -1615,7 +1632,17 @@ static int simplify_symbols(Elf_Shdr *se
39900 strtab + sym[i].st_name, mod);
39901 /* Ok if resolved. */
39904 +#ifdef CONFIG_PAX_KERNEXEC
39905 + pax_open_kernel(cr0);
39908 sym[i].st_value = ksym->value;
39910 +#ifdef CONFIG_PAX_KERNEXEC
39911 + pax_close_kernel(cr0);
39917 @@ -1634,7 +1661,17 @@ static int simplify_symbols(Elf_Shdr *se
39918 secbase = (unsigned long)mod->percpu;
39920 secbase = sechdrs[sym[i].st_shndx].sh_addr;
39922 +#ifdef CONFIG_PAX_KERNEXEC
39923 + pax_open_kernel(cr0);
39926 sym[i].st_value += secbase;
39928 +#ifdef CONFIG_PAX_KERNEXEC
39929 + pax_close_kernel(cr0);
39935 @@ -1695,11 +1732,12 @@ static void layout_sections(struct modul
39936 || s->sh_entsize != ~0UL
39937 || strstarts(secstrings + s->sh_name, ".init"))
39939 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
39940 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
39941 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
39943 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
39944 DEBUGP("\t%s\n", secstrings + s->sh_name);
39947 - mod->core_text_size = mod->core_size;
39950 DEBUGP("Init section allocation order:\n");
39951 @@ -1712,12 +1750,13 @@ static void layout_sections(struct modul
39952 || s->sh_entsize != ~0UL
39953 || !strstarts(secstrings + s->sh_name, ".init"))
39955 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
39956 - | INIT_OFFSET_MASK);
39957 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
39958 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
39960 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
39961 + s->sh_entsize |= INIT_OFFSET_MASK;
39962 DEBUGP("\t%s\n", secstrings + s->sh_name);
39965 - mod->init_text_size = mod->init_size;
39969 @@ -1856,14 +1895,31 @@ static void add_kallsyms(struct module *
39973 +#ifdef CONFIG_PAX_KERNEXEC
39974 + unsigned long cr0;
39977 mod->symtab = (void *)sechdrs[symindex].sh_addr;
39978 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
39979 mod->strtab = (void *)sechdrs[strindex].sh_addr;
39981 /* Set types up while we still have access to sections. */
39982 - for (i = 0; i < mod->num_symtab; i++)
39983 - mod->symtab[i].st_info
39984 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
39986 + for (i = 0; i < mod->num_symtab; i++) {
39987 + char type = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
39989 +#ifdef CONFIG_PAX_KERNEXEC
39990 + pax_open_kernel(cr0);
39993 + mod->symtab[i].st_info = type;
39995 +#ifdef CONFIG_PAX_KERNEXEC
39996 + pax_close_kernel(cr0);
40003 static inline void add_kallsyms(struct module *mod,
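Review bot: pax_open_kernel()/pax_close_kernel() at 39990-39996 bracket every single st_info store inside the loop, so write protection is toggled once per symbol; the same per-element toggling appears in simplify_symbols at 39905-39911 and 39923-39929. Unless elf_type() must run with protection on (it only reads, as far as the hunk shows), opening once before the loop and closing once after it would be cheaper and easier to follow; if the per-store form is deliberate, keep it but say why, e.g. `/* toggle per store to keep the writable window as short as possible */`. add_kallsyms continues outside the hunk.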
40004 @@ -1884,16 +1940,30 @@ static void dynamic_debug_setup(struct _
40008 -static void *module_alloc_update_bounds(unsigned long size)
40009 +static void *module_alloc_update_bounds_rw(unsigned long size)
40011 void *ret = module_alloc(size);
40014 /* Update module bounds. */
40015 - if ((unsigned long)ret < module_addr_min)
40016 - module_addr_min = (unsigned long)ret;
40017 - if ((unsigned long)ret + size > module_addr_max)
40018 - module_addr_max = (unsigned long)ret + size;
40019 + if ((unsigned long)ret < module_addr_min_rw)
40020 + module_addr_min_rw = (unsigned long)ret;
40021 + if ((unsigned long)ret + size > module_addr_max_rw)
40022 + module_addr_max_rw = (unsigned long)ret + size;
40027 +static void *module_alloc_update_bounds_rx(unsigned long size)
40029 + void *ret = module_alloc_exec(size);
40032 + /* Update module bounds. */
40033 + if ((unsigned long)ret < module_addr_min_rx)
40034 + module_addr_min_rx = (unsigned long)ret;
40035 + if ((unsigned long)ret + size > module_addr_max_rx)
40036 + module_addr_max_rx = (unsigned long)ret + size;
40040 @@ -1905,8 +1975,8 @@ static void kmemleak_load_module(struct
40043 /* only scan the sections containing data */
40044 - kmemleak_scan_area(mod->module_core, (unsigned long)mod -
40045 - (unsigned long)mod->module_core,
40046 + kmemleak_scan_area(mod->module_core_rw, (unsigned long)mod -
40047 + (unsigned long)mod->module_core_rw,
40048 sizeof(struct module), GFP_KERNEL);
40050 for (i = 1; i < hdr->e_shnum; i++) {
40051 @@ -1916,8 +1986,8 @@ static void kmemleak_load_module(struct
40052 && strncmp(secstrings + sechdrs[i].sh_name, ".bss", 4) != 0)
40055 - kmemleak_scan_area(mod->module_core, sechdrs[i].sh_addr -
40056 - (unsigned long)mod->module_core,
40057 + kmemleak_scan_area(mod->module_core_rw, sechdrs[i].sh_addr -
40058 + (unsigned long)mod->module_core_rw,
40059 sechdrs[i].sh_size, GFP_KERNEL);
40062 @@ -1947,6 +2017,10 @@ static noinline struct module *load_modu
40063 void *percpu = NULL, *ptr = NULL; /* Stops spurious gcc warning */
40064 mm_segment_t old_fs;
40066 +#ifdef CONFIG_PAX_KERNEXEC
40067 + unsigned long cr0;
40070 DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
40072 if (len < sizeof(*hdr))
40073 @@ -2097,7 +2171,7 @@ static noinline struct module *load_modu
40074 layout_sections(mod, hdr, sechdrs, secstrings);
40076 /* Do the allocs. */
40077 - ptr = module_alloc_update_bounds(mod->core_size);
40078 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
40080 * The pointer to this block is stored in the module structure
40081 * which is inside the block. Just mark it as not being a
40082 @@ -2108,23 +2182,61 @@ static noinline struct module *load_modu
40086 - memset(ptr, 0, mod->core_size);
40087 - mod->module_core = ptr;
40088 + memset(ptr, 0, mod->core_size_rw);
40089 + mod->module_core_rw = ptr;
40091 - ptr = module_alloc_update_bounds(mod->init_size);
40092 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
40094 * The pointer to this block is stored in the module structure
40095 * which is inside the block. This block doesn't need to be
40096 * scanned as it contains data and code that will be freed
40097 * after the module is initialized.
40099 - kmemleak_ignore(ptr);
40100 - if (!ptr && mod->init_size) {
40101 + kmemleak_not_leak(ptr);
40102 + if (!ptr && mod->init_size_rw) {
40105 + goto free_core_rw;
40107 - memset(ptr, 0, mod->init_size);
40108 - mod->module_init = ptr;
40109 + memset(ptr, 0, mod->init_size_rw);
40110 + mod->module_init_rw = ptr;
40112 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
40113 + kmemleak_not_leak(ptr);
40116 + goto free_init_rw;
40119 +#ifdef CONFIG_PAX_KERNEXEC
40120 + pax_open_kernel(cr0);
40123 + memset(ptr, 0, mod->core_size_rx);
40125 +#ifdef CONFIG_PAX_KERNEXEC
40126 + pax_close_kernel(cr0);
40129 + mod->module_core_rx = ptr;
40131 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
40132 + kmemleak_not_leak(ptr);
40133 + if (!ptr && mod->init_size_rx) {
40135 + goto free_core_rx;
40138 +#ifdef CONFIG_PAX_KERNEXEC
40139 + pax_open_kernel(cr0);
40142 + memset(ptr, 0, mod->init_size_rx);
40144 +#ifdef CONFIG_PAX_KERNEXEC
40145 + pax_close_kernel(cr0);
40148 + mod->module_init_rx = ptr;
40150 /* Transfer each section which specifies SHF_ALLOC */
40151 DEBUGP("final section addresses:\n");
40152 @@ -2134,17 +2246,41 @@ static noinline struct module *load_modu
40153 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
40156 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
40157 - dest = mod->module_init
40158 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
40160 - dest = mod->module_core + sechdrs[i].sh_entsize;
40161 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
40162 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
40163 + dest = mod->module_init_rw
40164 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
40166 + dest = mod->module_init_rx
40167 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
40169 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
40170 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
40172 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
40175 + if (sechdrs[i].sh_type != SHT_NOBITS) {
40177 - if (sechdrs[i].sh_type != SHT_NOBITS)
40178 - memcpy(dest, (void *)sechdrs[i].sh_addr,
40179 - sechdrs[i].sh_size);
40180 +#ifdef CONFIG_PAX_KERNEXEC
40181 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
40182 + pax_open_kernel(cr0);
40183 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
40184 + pax_close_kernel(cr0);
40188 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
40190 /* Update sh_addr to point to copy in image. */
40191 - sechdrs[i].sh_addr = (unsigned long)dest;
40193 +#ifdef CONFIG_PAX_KERNEXEC
40194 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
40195 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
40199 + sechdrs[i].sh_addr = (unsigned long)dest;
40200 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
40202 /* Module has been moved. */
40203 @@ -2156,7 +2292,7 @@ static noinline struct module *load_modu
40205 if (!mod->refptr) {
40208 + goto free_init_rx;
40211 /* Now we've moved module, initialize linked lists, etc. */
40212 @@ -2269,8 +2405,8 @@ static noinline struct module *load_modu
40214 /* Now do relocations. */
40215 for (i = 1; i < hdr->e_shnum; i++) {
40216 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
40217 unsigned int info = sechdrs[i].sh_info;
40218 + strtab = (char *)sechdrs[strindex].sh_addr;
40220 /* Not a valid relocation section? */
40221 if (info >= hdr->e_shnum)
40222 @@ -2328,12 +2464,12 @@ static noinline struct module *load_modu
40223 * Do it before processing of module parameters, so the module
40224 * can provide parameter accessor functions of its own.
40226 - if (mod->module_init)
40227 - flush_icache_range((unsigned long)mod->module_init,
40228 - (unsigned long)mod->module_init
40229 - + mod->init_size);
40230 - flush_icache_range((unsigned long)mod->module_core,
40231 - (unsigned long)mod->module_core + mod->core_size);
40232 + if (mod->module_init_rx)
40233 + flush_icache_range((unsigned long)mod->module_init_rx,
40234 + (unsigned long)mod->module_init_rx
40235 + + mod->init_size_rx);
40236 + flush_icache_range((unsigned long)mod->module_core_rx,
40237 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
40241 @@ -2378,12 +2514,16 @@ static noinline struct module *load_modu
40243 module_unload_free(mod);
40244 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
40247 percpu_modfree(mod->refptr);
40249 - module_free(mod, mod->module_init);
40251 - module_free(mod, mod->module_core);
40252 + module_free_exec(mod, mod->module_init_rx);
40254 + module_free_exec(mod, mod->module_core_rx);
40256 + module_free(mod, mod->module_init_rw);
40258 + module_free(mod, mod->module_core_rw);
40259 /* mod will be freed with core. Don't access it beyond this line! */
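Review bot: The context comment `/* mod will be freed with core. Don't access it beyond this line! */` still describes a single core region, but the new sequence frees `module_core_rx` first and then reads `mod->module_init_rw` and `mod->module_core_rw` afterwards, which is only safe if `struct module` itself is laid out in the rw core and that region is freed last. Nothing in the hunk pins that layout down, so the ordering dependency should be spelled out, e.g. `/* mod lives in core_rw: free it last. Don't access mod beyond this line! */`. The enclosing cleanup path continues outside the hunk.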
40262 @@ -2479,10 +2619,12 @@ SYSCALL_DEFINE3(init_module, void __user
40263 /* Drop initial reference. */
40265 trim_init_extable(mod);
40266 - module_free(mod, mod->module_init);
40267 - mod->module_init = NULL;
40268 - mod->init_size = 0;
40269 - mod->init_text_size = 0;
40270 + module_free(mod, mod->module_init_rw);
40271 + module_free_exec(mod, mod->module_init_rx);
40272 + mod->module_init_rw = NULL;
40273 + mod->module_init_rx = NULL;
40274 + mod->init_size_rw = 0;
40275 + mod->init_size_rx = 0;
40276 mutex_unlock(&module_mutex);
40279 @@ -2513,10 +2655,16 @@ static const char *get_ksymbol(struct mo
40280 unsigned long nextval;
40282 /* At worse, next value is at end of module */
40283 - if (within_module_init(addr, mod))
40284 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
40285 + if (within_module_init_rx(addr, mod))
40286 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
40287 + else if (within_module_init_rw(addr, mod))
40288 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
40289 + else if (within_module_core_rx(addr, mod))
40290 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
40291 + else if (within_module_core_rw(addr, mod))
40292 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
40294 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
40297 /* Scan for closest preceeding symbol, and next symbol. (ELF
40298 starts real symbols at 1). */
40299 @@ -2762,7 +2910,7 @@ static int m_show(struct seq_file *m, vo
40302 seq_printf(m, "%s %u",
40303 - mod->name, mod->init_size + mod->core_size);
40304 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
40305 print_unload_info(m, mod);
40307 /* Informative for users. */
40308 @@ -2771,7 +2919,7 @@ static int m_show(struct seq_file *m, vo
40309 mod->state == MODULE_STATE_COMING ? "Loading":
40311 /* Used by oprofile and other similar tools. */
40312 - seq_printf(m, " 0x%p", mod->module_core);
40313 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
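Review bot: The new `seq_printf(m, " 0x%p 0x%p", ...)` publishes two module base addresses where the file had one, and the context comment says this column is parsed by oprofile-style tools, so consumers expecting a fixed field count can break while any reader of /proc/modules learns more about the kernel's layout. In the default branch of the next hunk the entry is still created with mode `0` (the usual world-readable default), so if the rw base is only needed for KERNEXEC diagnostics consider printing it only under the hardening option; at minimum document the column order with `/* rx base first to keep the legacy column; rw base appended */`.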
40317 @@ -2807,7 +2955,17 @@ static const struct file_operations proc
40319 static int __init proc_modules_init(void)
40321 +#ifndef CONFIG_GRKERNSEC_HIDESYM
40322 +#ifdef CONFIG_GRKERNSEC_PROC_USER
40323 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
40324 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
40325 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
40327 proc_create("modules", 0, NULL, &proc_modules_operations);
40330 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
40334 module_init(proc_modules_init);
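Review bot: The four `proc_create("modules", ...)` calls in proc_modules_init differ only in the mode argument, so the `#ifdef` ladder repeats the entry name and `NULL, &proc_modules_operations` four times; the same pattern appears with eight calls in ioresources_init in kernel/resource.c. Choosing the mode once under the preprocessor conditionals and issuing a single `proc_create(...)` keeps the name and fops in one place and makes the `0` default branch (world-readable) stand out as the permissive case. The return value is left unchecked as it was before the change.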
40335 @@ -2866,12 +3024,12 @@ struct module *__module_address(unsigned
40337 struct module *mod;
40339 - if (addr < module_addr_min || addr > module_addr_max)
40340 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
40341 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
40344 list_for_each_entry_rcu(mod, &modules, list)
40345 - if (within_module_core(addr, mod)
40346 - || within_module_init(addr, mod))
40347 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
40351 @@ -2905,11 +3063,20 @@ bool is_module_text_address(unsigned lon
40353 struct module *__module_text_address(unsigned long addr)
40355 - struct module *mod = __module_address(addr);
40356 + struct module *mod;
40358 +#ifdef CONFIG_X86_32
40359 + addr = ktla_ktva(addr);
40362 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
40365 + mod = __module_address(addr);
40368 /* Make sure it's within the text section. */
40369 - if (!within(addr, mod->module_init, mod->init_text_size)
40370 - && !within(addr, mod->module_core, mod->core_text_size))
40371 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
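Review bot: The `#ifdef CONFIG_X86_32` / `addr = ktla_ktva(addr);` block puts an architecture-specific address translation into the generic kernel/module.c, and the function then range-checks `addr` against `module_addr_min_rx`/`module_addr_max_rx` before `__module_address()` repeats a broader check. If the arch headers provide `ktla_ktva()` as an identity macro elsewhere, the `#ifdef` can go and the translation be applied unconditionally with a one-line comment on why text addresses must be translated before the rx range check; the function's tail and return are outside the hunk.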
40375 diff -urNp linux-2.6.31/kernel/panic.c linux-2.6.31/kernel/panic.c
40376 --- linux-2.6.31/kernel/panic.c 2009-08-27 20:59:04.000000000 -0400
40377 +++ linux-2.6.31/kernel/panic.c 2009-09-06 15:29:12.153438658 -0400
40378 @@ -391,7 +391,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
40380 void __stack_chk_fail(void)
40382 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
40384 + panic("stack-protector: Kernel stack is corrupted in: %pS\n",
40385 __builtin_return_address(0));
40387 EXPORT_SYMBOL(__stack_chk_fail);
40388 diff -urNp linux-2.6.31/kernel/params.c linux-2.6.31/kernel/params.c
40389 --- linux-2.6.31/kernel/params.c 2009-08-27 20:59:04.000000000 -0400
40390 +++ linux-2.6.31/kernel/params.c 2009-09-06 15:29:12.154386582 -0400
40391 @@ -217,13 +217,9 @@ int param_set_charp(const char *val, str
40395 - if (kp->flags & KPARAM_KMALLOCED)
40396 - kfree(*(char **)kp->arg);
40398 /* This is a hack. We can't need to strdup in early boot, and we
40399 * don't need to; this mangled commandline is preserved. */
40400 if (slab_is_available()) {
40401 - kp->flags |= KPARAM_KMALLOCED;
40402 *(char **)kp->arg = kstrdup(val, GFP_KERNEL);
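Review bot: Dropping the `KPARAM_KMALLOCED` bookkeeping removes the `kfree(*(char **)kp->arg)` of the previous value from param_set_charp, so every re-set of a charp parameter once slab is available (for instance a later write through sysfs) leaks the earlier `kstrdup()` string. The companion hunk in destroy_params now decides with `params[i].set == param_set_charp`, which is true for every charp parameter even when it was never set and `*arg` still points at the module's built-in default string, so `kfree()` would be handed a non-slab pointer unless defaults are guaranteed to be heap-allocated somewhere not visible here. The kmalloc'ed state needs to live somewhere mutable — a per-module list or side table — for both sites to stay correct.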
40405 @@ -607,7 +603,7 @@ void destroy_params(const struct kernel_
40408 for (i = 0; i < num; i++)
40409 - if (params[i].flags & KPARAM_KMALLOCED)
40410 + if (params[i].set == param_set_charp)
40411 kfree(*(char **)params[i].arg);
40414 diff -urNp linux-2.6.31/kernel/perf_counter.c linux-2.6.31/kernel/perf_counter.c
40415 --- linux-2.6.31/kernel/perf_counter.c 2009-09-06 19:00:55.787187854 -0400
40416 +++ linux-2.6.31/kernel/perf_counter.c 2009-09-06 19:01:14.427445794 -0400
40417 @@ -2214,7 +2214,7 @@ static void perf_mmap_close(struct vm_ar
40421 -static struct vm_operations_struct perf_mmap_vmops = {
40422 +static const struct vm_operations_struct perf_mmap_vmops = {
40423 .open = perf_mmap_open,
40424 .close = perf_mmap_close,
40425 .fault = perf_mmap_fault,
40426 diff -urNp linux-2.6.31/kernel/pid.c linux-2.6.31/kernel/pid.c
40427 --- linux-2.6.31/kernel/pid.c 2009-08-27 20:59:04.000000000 -0400
40428 +++ linux-2.6.31/kernel/pid.c 2009-09-06 15:29:12.158178660 -0400
40430 #include <linux/rculist.h>
40431 #include <linux/bootmem.h>
40432 #include <linux/hash.h>
40433 +#include <linux/security.h>
40434 #include <linux/pid_namespace.h>
40435 #include <linux/init_task.h>
40436 #include <linux/syscalls.h>
40437 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
40439 int pid_max = PID_MAX_DEFAULT;
40441 -#define RESERVED_PIDS 300
40442 +#define RESERVED_PIDS 500
40444 int pid_max_min = RESERVED_PIDS + 1;
40445 int pid_max_max = PID_MAX_LIMIT;
40446 @@ -380,7 +381,14 @@ EXPORT_SYMBOL(pid_task);
40448 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
40450 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
40451 + struct task_struct *task;
40453 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
40455 + if (gr_pid_is_chrooted(task))
40461 struct task_struct *find_task_by_vpid(pid_t vnr)
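Review bot: `gr_pid_is_chrooted(task)` receives the raw result of `pid_task()`, which is NULL when no task matches the pid; unless that helper is documented to accept NULL, the call should be guarded, `if (task && gr_pid_is_chrooted(task))`. The branch body and the function's return are not among the visible lines, so I cannot confirm what is returned in the denied case.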
40462 diff -urNp linux-2.6.31/kernel/posix-cpu-timers.c linux-2.6.31/kernel/posix-cpu-timers.c
40463 --- linux-2.6.31/kernel/posix-cpu-timers.c 2009-08-27 20:59:04.000000000 -0400
40464 +++ linux-2.6.31/kernel/posix-cpu-timers.c 2009-09-06 15:29:12.158178660 -0400
40466 #include <linux/posix-timers.h>
40467 #include <linux/errno.h>
40468 #include <linux/math64.h>
40469 +#include <linux/security.h>
40470 #include <asm/uaccess.h>
40471 #include <linux/kernel_stat.h>
40473 @@ -1041,6 +1042,7 @@ static void check_thread_timers(struct t
40474 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
40477 + gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout, 1);
40478 if (tsk->rt.timeout > DIV_ROUND_UP(*soft, USEC_PER_SEC/HZ)) {
40480 * At the soft limit, send a SIGXCPU every second.
40481 @@ -1196,6 +1198,7 @@ static void check_process_timers(struct
40482 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
40485 + gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
40486 if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
40488 * At the soft limit, send a SIGXCPU every second.
40489 diff -urNp linux-2.6.31/kernel/power/poweroff.c linux-2.6.31/kernel/power/poweroff.c
40490 --- linux-2.6.31/kernel/power/poweroff.c 2009-08-27 20:59:04.000000000 -0400
40491 +++ linux-2.6.31/kernel/power/poweroff.c 2009-09-06 15:29:12.159226019 -0400
40492 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
40493 .enable_mask = SYSRQ_ENABLE_BOOT,
40496 -static int pm_sysrq_init(void)
40497 +static int __init pm_sysrq_init(void)
40499 register_sysrq_key('o', &sysrq_poweroff_op);
40501 diff -urNp linux-2.6.31/kernel/power/process.c linux-2.6.31/kernel/power/process.c
40502 --- linux-2.6.31/kernel/power/process.c 2009-08-27 20:59:04.000000000 -0400
40503 +++ linux-2.6.31/kernel/power/process.c 2009-09-06 15:30:00.016157904 -0400
40504 @@ -36,12 +36,15 @@ static int try_to_freeze_tasks(bool sig_
40505 struct timeval start, end;
40506 u64 elapsed_csecs64;
40507 unsigned int elapsed_csecs;
40508 + bool timedout = false;
40510 do_gettimeofday(&start);
40512 end_time = jiffies + TIMEOUT;
40515 + if (time_after(jiffies, end_time))
40517 read_lock(&tasklist_lock);
40518 do_each_thread(g, p) {
40519 if (frozen(p) || !freezeable(p))
40520 @@ -56,15 +59,17 @@ static int try_to_freeze_tasks(bool sig_
40521 * It is "frozen enough". If the task does wake
40522 * up, it will immediately call try_to_freeze.
40524 - if (!task_is_stopped_or_traced(p) &&
40525 - !freezer_should_skip(p))
40526 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
40529 + printk(KERN_ERR "Task refusing to freeze:\n");
40530 + sched_show_task(p);
40533 } while_each_thread(g, p);
40534 read_unlock(&tasklist_lock);
40535 yield(); /* Yield is okay here */
40536 - if (time_after(jiffies, end_time))
40539 + } while (todo && !timedout);
40541 do_gettimeofday(&end);
40542 elapsed_csecs64 = timeval_to_ns(&end) - timeval_to_ns(&start);
40543 diff -urNp linux-2.6.31/kernel/printk.c linux-2.6.31/kernel/printk.c
40544 --- linux-2.6.31/kernel/printk.c 2009-08-27 20:59:04.000000000 -0400
40545 +++ linux-2.6.31/kernel/printk.c 2009-09-06 15:29:12.159226019 -0400
40546 @@ -272,6 +272,11 @@ int do_syslog(int type, char __user *buf
40550 +#ifdef CONFIG_GRKERNSEC_DMESG
40551 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
40555 error = security_syslog(type);
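Review bot: The `CONFIG_GRKERNSEC_DMESG` gate runs before `security_syslog(type)` and applies to every `type`, including the read-only operations the rest of the function presumably still allows unprivileged, and the value returned on denial is not among the visible lines. A comment making the breadth deliberate — `/* dmesg restriction: every syslog(2) op needs CAP_SYS_ADMIN, checked before LSM hooks */` — would stop a later reader from narrowing it to the clear/console types; do_syslog's body continues outside the hunk.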
40558 diff -urNp linux-2.6.31/kernel/ptrace.c linux-2.6.31/kernel/ptrace.c
40559 --- linux-2.6.31/kernel/ptrace.c 2009-08-27 20:59:04.000000000 -0400
40560 +++ linux-2.6.31/kernel/ptrace.c 2009-09-06 15:29:12.160249320 -0400
40561 @@ -141,7 +141,7 @@ int __ptrace_may_access(struct task_stru
40562 cred->gid != tcred->egid ||
40563 cred->gid != tcred->sgid ||
40564 cred->gid != tcred->gid) &&
40565 - !capable(CAP_SYS_PTRACE)) {
40566 + !capable_nolog(CAP_SYS_PTRACE)) {
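Review bot: Swapping `capable(CAP_SYS_PTRACE)` for `capable_nolog(CAP_SYS_PTRACE)` here, in the `get_dumpable` check of the next hunk and in `ptrace_attach` changes what the capability audit trail records, and nothing in the hunks says why. A short comment at the first site explaining why the non-logging variant is acceptable on these paths (presumably because the check fails routinely for unprivileged tracers and would flood the log) would keep the choice from being reverted by a later cleanup; the condition's opening is outside the hunk.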
40570 @@ -149,7 +149,7 @@ int __ptrace_may_access(struct task_stru
40573 dumpable = get_dumpable(task->mm);
40574 - if (!dumpable && !capable(CAP_SYS_PTRACE))
40575 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
40578 return security_ptrace_may_access(task, mode);
40579 @@ -199,7 +199,7 @@ int ptrace_attach(struct task_struct *ta
40580 goto unlock_tasklist;
40582 task->ptrace = PT_PTRACED;
40583 - if (capable(CAP_SYS_PTRACE))
40584 + if (capable_nolog(CAP_SYS_PTRACE))
40585 task->ptrace |= PT_PTRACE_CAP;
40587 __ptrace_link(task, current);
40588 @@ -633,6 +633,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
40590 goto out_put_task_struct;
40592 + if (gr_handle_ptrace(child, request)) {
40594 + goto out_put_task_struct;
40597 ret = arch_ptrace(child, request, addr, data);
40599 out_put_task_struct:
40600 diff -urNp linux-2.6.31/kernel/rcupreempt_trace.c linux-2.6.31/kernel/rcupreempt_trace.c
40601 --- linux-2.6.31/kernel/rcupreempt_trace.c 2009-08-27 20:59:04.000000000 -0400
40602 +++ linux-2.6.31/kernel/rcupreempt_trace.c 2009-09-06 15:29:12.160249320 -0400
40603 @@ -261,17 +261,17 @@ static ssize_t rcuctrs_read(struct file
40607 -static struct file_operations rcustats_fops = {
40608 +static const struct file_operations rcustats_fops = {
40609 .owner = THIS_MODULE,
40610 .read = rcustats_read,
40613 -static struct file_operations rcugp_fops = {
40614 +static const struct file_operations rcugp_fops = {
40615 .owner = THIS_MODULE,
40616 .read = rcugp_read,
40619 -static struct file_operations rcuctrs_fops = {
40620 +static const struct file_operations rcuctrs_fops = {
40621 .owner = THIS_MODULE,
40622 .read = rcuctrs_read,
40624 diff -urNp linux-2.6.31/kernel/rcutree_trace.c linux-2.6.31/kernel/rcutree_trace.c
40625 --- linux-2.6.31/kernel/rcutree_trace.c 2009-08-27 20:59:04.000000000 -0400
40626 +++ linux-2.6.31/kernel/rcutree_trace.c 2009-09-06 15:29:12.161195970 -0400
40627 @@ -88,7 +88,7 @@ static int rcudata_open(struct inode *in
40628 return single_open(file, show_rcudata, NULL);
40631 -static struct file_operations rcudata_fops = {
40632 +static const struct file_operations rcudata_fops = {
40633 .owner = THIS_MODULE,
40634 .open = rcudata_open,
40636 @@ -136,7 +136,7 @@ static int rcudata_csv_open(struct inode
40637 return single_open(file, show_rcudata_csv, NULL);
40640 -static struct file_operations rcudata_csv_fops = {
40641 +static const struct file_operations rcudata_csv_fops = {
40642 .owner = THIS_MODULE,
40643 .open = rcudata_csv_open,
40645 @@ -183,7 +183,7 @@ static int rcuhier_open(struct inode *in
40646 return single_open(file, show_rcuhier, NULL);
40649 -static struct file_operations rcuhier_fops = {
40650 +static const struct file_operations rcuhier_fops = {
40651 .owner = THIS_MODULE,
40652 .open = rcuhier_open,
40654 @@ -205,7 +205,7 @@ static int rcugp_open(struct inode *inod
40655 return single_open(file, show_rcugp, NULL);
40658 -static struct file_operations rcugp_fops = {
40659 +static const struct file_operations rcugp_fops = {
40660 .owner = THIS_MODULE,
40661 .open = rcugp_open,
40663 @@ -255,7 +255,7 @@ static int rcu_pending_open(struct inode
40664 return single_open(file, show_rcu_pending, NULL);
40667 -static struct file_operations rcu_pending_fops = {
40668 +static const struct file_operations rcu_pending_fops = {
40669 .owner = THIS_MODULE,
40670 .open = rcu_pending_open,
40672 diff -urNp linux-2.6.31/kernel/relay.c linux-2.6.31/kernel/relay.c
40673 --- linux-2.6.31/kernel/relay.c 2009-08-27 20:59:04.000000000 -0400
40674 +++ linux-2.6.31/kernel/relay.c 2009-09-06 15:29:12.161195970 -0400
40675 @@ -60,7 +60,7 @@ static int relay_buf_fault(struct vm_are
40677 * vm_ops for relay file mappings.
40679 -static struct vm_operations_struct relay_file_mmap_ops = {
40680 +static const struct vm_operations_struct relay_file_mmap_ops = {
40681 .fault = relay_buf_fault,
40682 .close = relay_file_mmap_close,
40684 @@ -1292,7 +1292,7 @@ static int subbuf_splice_actor(struct fi
40687 ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
40688 - if (ret < 0 || ret < total_len)
40689 + if ((int)ret < 0 || ret < total_len)
40692 if (read_start + ret == nonpad_end)
40693 diff -urNp linux-2.6.31/kernel/resource.c linux-2.6.31/kernel/resource.c
40694 --- linux-2.6.31/kernel/resource.c 2009-08-27 20:59:04.000000000 -0400
40695 +++ linux-2.6.31/kernel/resource.c 2009-09-06 15:29:12.161924324 -0400
40696 @@ -132,8 +132,18 @@ static const struct file_operations proc
40698 static int __init ioresources_init(void)
40700 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
40701 +#ifdef CONFIG_GRKERNSEC_PROC_USER
40702 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
40703 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
40704 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
40705 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
40706 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
40709 proc_create("ioports", 0, NULL, &proc_ioports_operations);
40710 proc_create("iomem", 0, NULL, &proc_iomem_operations);
40714 __initcall(ioresources_init);
40715 diff -urNp linux-2.6.31/kernel/sched.c linux-2.6.31/kernel/sched.c
40716 --- linux-2.6.31/kernel/sched.c 2009-08-27 20:59:04.000000000 -0400
40717 +++ linux-2.6.31/kernel/sched.c 2009-09-06 15:29:12.164145969 -0400
40718 @@ -820,7 +820,7 @@ static int sched_feat_open(struct inode
40719 return single_open(filp, sched_feat_show, NULL);
40722 -static struct file_operations sched_feat_fops = {
40723 +static const struct file_operations sched_feat_fops = {
40724 .open = sched_feat_open,
40725 .write = sched_feat_write,
40727 @@ -5978,6 +5978,8 @@ int can_nice(const struct task_struct *p
40728 /* convert nice value [19,-20] to rlimit style value [1,40] */
40729 int nice_rlim = 20 - nice;
40731 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
40733 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
40734 capable(CAP_SYS_NICE));
40736 @@ -6011,7 +6013,8 @@ SYSCALL_DEFINE1(nice, int, increment)
40740 - if (increment < 0 && !can_nice(current, nice))
40741 + if (increment < 0 && (!can_nice(current, nice) ||
40742 + gr_handle_chroot_nice()))
40743 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
40745 retval = security_task_setnice(current, nice);
40746 @@ -6153,6 +6156,8 @@ recheck:
40747 if (rt_policy(policy)) {
40748 unsigned long rlim_rtprio;
40750 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
40752 if (!lock_task_sighand(p, &flags))
40754 rlim_rtprio = p->signal->rlim[RLIMIT_RTPRIO].rlim_cur;
40755 @@ -7300,7 +7305,7 @@ static struct ctl_table sd_ctl_dir[] = {
40756 .procname = "sched_domain",
40760 + { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
40763 static struct ctl_table sd_ctl_root[] = {
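Review bot: The new sentinel `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` is a positional initializer over every `struct ctl_table` member, so it silently breaks the moment a field is added or reordered, and the same patch already uses the designated form `{ .ctl_name = 0 }` for pax_table in kernel/sysctl.c. Use `{ .ctl_name = 0 }` here, in the sd_ctl_root hunk that follows, and in the two uts_kern_table/uts_root_table hunks in kernel/utsname_sysctl.c so every sentinel reads the same way and stays layout-independent.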
40764 @@ -7310,7 +7315,7 @@ static struct ctl_table sd_ctl_root[] =
40766 .child = sd_ctl_dir,
40769 + { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
40772 static struct ctl_table *sd_alloc_ctl_entry(int n)
40773 diff -urNp linux-2.6.31/kernel/signal.c linux-2.6.31/kernel/signal.c
40774 --- linux-2.6.31/kernel/signal.c 2009-08-27 20:59:04.000000000 -0400
40775 +++ linux-2.6.31/kernel/signal.c 2009-09-06 15:29:12.165960051 -0400
40776 @@ -207,6 +207,9 @@ static struct sigqueue *__sigqueue_alloc
40778 user = get_uid(__task_cred(t)->user);
40779 atomic_inc(&user->sigpending);
40781 + if (!override_rlimit)
40782 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
40783 if (override_rlimit ||
40784 atomic_read(&user->sigpending) <=
40785 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
40786 @@ -625,6 +628,9 @@ static int check_kill_permission(int sig
40790 + if (gr_handle_signal(t, sig))
40793 return security_task_kill(t, info, sig, 0);
40796 @@ -939,8 +945,8 @@ static void print_fatal_signal(struct pt
40797 for (i = 0; i < 16; i++) {
40798 unsigned char insn;
40800 - __get_user(insn, (unsigned char *)(regs->ip + i));
40801 - printk("%02x ", insn);
40802 + if (!get_user(insn, (unsigned char __user *)(regs->ip + i)))
40803 + printk("%02x ", insn);
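Review bot: Checking `get_user()` is the right fix, but when it fails the byte is now skipped silently, so the dumped sequence no longer lines up with `regs->ip + i` and a partially unmapped page yields a shorter dump whose offsets are ambiguous. Printing a placeholder in the failure case keeps the columns meaningful: `else printk("?? ");`. The surrounding function and the loop's closing brace are outside the hunk.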
40807 @@ -965,7 +971,7 @@ __group_send_sig_info(int sig, struct si
40808 return send_signal(sig, info, p, 1);
40813 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
40815 return send_signal(sig, info, t, 0);
40816 @@ -1005,6 +1011,9 @@ force_sig_info(int sig, struct siginfo *
40817 ret = specific_send_sig_info(sig, info, t);
40818 spin_unlock_irqrestore(&t->sighand->siglock, flags);
40820 + gr_log_signal(sig, t);
40821 + gr_handle_crash(t, sig);
40826 @@ -1079,6 +1088,8 @@ int group_send_sig_info(int sig, struct
40827 ret = __group_send_sig_info(sig, info, p);
40828 unlock_task_sighand(p, &flags);
40831 + gr_log_signal(sig, p);
40835 diff -urNp linux-2.6.31/kernel/sys.c linux-2.6.31/kernel/sys.c
40836 --- linux-2.6.31/kernel/sys.c 2009-08-27 20:59:04.000000000 -0400
40837 +++ linux-2.6.31/kernel/sys.c 2009-09-06 15:29:12.167024518 -0400
40838 @@ -133,6 +133,12 @@ static int set_one_prio(struct task_stru
40843 + if (gr_handle_chroot_setpriority(p, niceval)) {
40848 no_nice = security_task_setnice(p, niceval);
40851 @@ -509,6 +515,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
40855 + if (gr_check_group_change(new->gid, new->egid, -1))
40858 if (rgid != (gid_t) -1 ||
40859 (egid != (gid_t) -1 && egid != old->gid))
40860 new->sgid = new->egid;
40861 @@ -542,6 +551,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
40866 + if (gr_check_group_change(gid, gid, gid))
40869 if (capable(CAP_SETGID))
40870 new->gid = new->egid = new->sgid = new->fsgid = gid;
40871 else if (gid == old->gid || gid == old->sgid)
40872 @@ -632,6 +645,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
40876 + if (gr_check_user_change(new->uid, new->euid, -1))
40879 if (new->uid != old->uid) {
40880 retval = set_user(new);
40882 @@ -680,6 +696,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
40887 + if (gr_check_crash_uid(uid))
40889 + if (gr_check_user_change(uid, uid, uid))
40892 if (capable(CAP_SETUID)) {
40893 new->suid = new->uid = uid;
40894 if (uid != old->uid) {
40895 @@ -737,6 +759,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
40899 + if (gr_check_user_change(ruid, euid, -1))
40902 if (ruid != (uid_t) -1) {
40904 if (ruid != old->uid) {
40905 @@ -805,6 +830,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
40909 + if (gr_check_group_change(rgid, egid, -1))
40912 if (rgid != (gid_t) -1)
40914 if (egid != (gid_t) -1)
40915 @@ -854,6 +882,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
40916 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
40919 + if (gr_check_user_change(-1, -1, uid))
40922 if (uid == old->uid || uid == old->euid ||
40923 uid == old->suid || uid == old->fsuid ||
40924 capable(CAP_SETUID)) {
40925 @@ -894,6 +925,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
40926 if (gid == old->gid || gid == old->egid ||
40927 gid == old->sgid || gid == old->fsgid ||
40928 capable(CAP_SETGID)) {
40929 + if (gr_check_group_change(-1, -1, gid))
40932 if (gid != old_fsgid) {
40935 @@ -1443,7 +1477,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
40936 error = get_dumpable(me->mm);
40938 case PR_SET_DUMPABLE:
40939 - if (arg2 < 0 || arg2 > 1) {
40944 diff -urNp linux-2.6.31/kernel/sysctl.c linux-2.6.31/kernel/sysctl.c
40945 --- linux-2.6.31/kernel/sysctl.c 2009-08-27 20:59:04.000000000 -0400
40946 +++ linux-2.6.31/kernel/sysctl.c 2009-09-06 15:29:12.168034410 -0400
40948 static int deprecated_sysctl_warning(struct __sysctl_args *args);
40950 #if defined(CONFIG_SYSCTL)
40951 +#include <linux/grsecurity.h>
40952 +#include <linux/grinternal.h>
40954 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
40955 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
40957 +extern int gr_handle_chroot_sysctl(const int op);
40959 /* External variables not in a header file. */
40961 @@ -163,6 +170,7 @@ static int proc_do_cad_pid(struct ctl_ta
40962 static int proc_taint(struct ctl_table *table, int write, struct file *filp,
40963 void __user *buffer, size_t *lenp, loff_t *ppos);
40965 +extern ctl_table grsecurity_table[];
40967 static struct ctl_table root_table[];
40968 static struct ctl_table_root sysctl_table_root;
40969 @@ -195,6 +203,21 @@ extern struct ctl_table epoll_table[];
40970 int sysctl_legacy_va_layout;
40973 +#ifdef CONFIG_PAX_SOFTMODE
40974 +static ctl_table pax_table[] = {
40976 + .ctl_name = CTL_UNNUMBERED,
40977 + .procname = "softmode",
40978 + .data = &pax_softmode,
40979 + .maxlen = sizeof(unsigned int),
40981 + .proc_handler = &proc_dointvec,
40984 + { .ctl_name = 0 }
40988 extern int prove_locking;
40989 extern int lock_stat;
40991 @@ -246,6 +269,24 @@ static int max_wakeup_granularity_ns = N
40994 static struct ctl_table kern_table[] = {
40995 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
40997 + .ctl_name = CTL_UNNUMBERED,
40998 + .procname = "grsecurity",
41000 + .child = grsecurity_table,
41004 +#ifdef CONFIG_PAX_SOFTMODE
41006 + .ctl_name = CTL_UNNUMBERED,
41007 + .procname = "pax",
41009 + .child = pax_table,
41013 #ifdef CONFIG_SCHED_DEBUG
41015 .ctl_name = CTL_UNNUMBERED,
41016 @@ -1734,6 +1775,8 @@ static int do_sysctl_strategy(struct ctl
41020 +static int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op);
41022 static int parse_table(int __user *name, int nlen,
41023 void __user *oldval, size_t __user *oldlenp,
41024 void __user *newval, size_t newlen,
41025 @@ -1752,7 +1795,7 @@ repeat:
41026 if (n == table->ctl_name) {
41028 if (table->child) {
41029 - if (sysctl_perm(root, table, MAY_EXEC))
41030 + if (sysctl_perm_nochk(root, table, MAY_EXEC))
41034 @@ -1837,6 +1880,33 @@ int sysctl_perm(struct ctl_table_root *r
41038 + if (table->parent != NULL && table->parent->procname != NULL &&
41039 + table->procname != NULL &&
41040 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
41042 + if (gr_handle_chroot_sysctl(op))
41044 + error = gr_handle_sysctl(table, op);
41048 + error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
41052 + if (root->permissions)
41053 + mode = root->permissions(root, current->nsproxy, table);
41055 + mode = table->mode;
41057 + return test_perm(mode, op);
41060 +int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op)
41065 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
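Review bot: `sysctl_perm_nochk` is forward-declared `static` but its definition here carries no storage class; C keeps internal linkage because the prior `static` declaration is visible, but the definition should also read `static int sysctl_perm_nochk(...)` so the intent survives a reordering of the file. The nochk variant appears to exist so parse_table's directory traversal (`MAY_EXEC` on intermediate nodes) skips the `gr_handle_sysctl*` hooks that the new `sysctl_perm` adds, so a one-line comment on the definition saying which checks are skipped and why is warranted, since the name alone does not say. The `extern` prototypes for `gr_handle_sysctl`, `gr_handle_sysctl_mod`, `gr_handle_chroot_sysctl` and `grsecurity_table` added near the top of this file belong in `linux/grsecurity.h`, which the same series of hunks includes.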
41068 diff -urNp linux-2.6.31/kernel/taskstats.c linux-2.6.31/kernel/taskstats.c
41069 --- linux-2.6.31/kernel/taskstats.c 2009-08-27 20:59:04.000000000 -0400
41070 +++ linux-2.6.31/kernel/taskstats.c 2009-09-06 15:29:12.168992057 -0400
41072 #include <linux/cgroup.h>
41073 #include <linux/fs.h>
41074 #include <linux/file.h>
41075 +#include <linux/grsecurity.h>
41076 #include <net/genetlink.h>
41077 #include <asm/atomic.h>
41079 +extern int gr_is_taskstats_denied(int pid);
41082 * Maximum length of a cpumask that can be specified in
41083 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
41084 @@ -433,6 +436,9 @@ static int taskstats_user_cmd(struct sk_
41086 cpumask_var_t mask;
41088 + if (gr_is_taskstats_denied(current->pid))
41091 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
41094 diff -urNp linux-2.6.31/kernel/time/tick-broadcast.c linux-2.6.31/kernel/time/tick-broadcast.c
41095 --- linux-2.6.31/kernel/time/tick-broadcast.c 2009-08-27 20:59:04.000000000 -0400
41096 +++ linux-2.6.31/kernel/time/tick-broadcast.c 2009-09-06 15:29:12.171086755 -0400
41097 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
41098 * then clear the broadcast bit.
41100 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
41101 - int cpu = smp_processor_id();
41102 + cpu = smp_processor_id();
41104 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
41105 tick_broadcast_clear_oneshot(cpu);
41106 diff -urNp linux-2.6.31/kernel/time/timer_list.c linux-2.6.31/kernel/time/timer_list.c
41107 --- linux-2.6.31/kernel/time/timer_list.c 2009-08-27 20:59:04.000000000 -0400
41108 +++ linux-2.6.31/kernel/time/timer_list.c 2009-09-06 15:29:12.172060074 -0400
41109 @@ -275,7 +275,7 @@ static int timer_list_open(struct inode
41110 return single_open(filp, timer_list_show, NULL);
41113 -static struct file_operations timer_list_fops = {
41114 +static const struct file_operations timer_list_fops = {
41115 .open = timer_list_open,
41117 .llseek = seq_lseek,
41118 diff -urNp linux-2.6.31/kernel/time/timer_stats.c linux-2.6.31/kernel/time/timer_stats.c
41119 --- linux-2.6.31/kernel/time/timer_stats.c 2009-08-27 20:59:04.000000000 -0400
41120 +++ linux-2.6.31/kernel/time/timer_stats.c 2009-09-06 15:29:12.173058128 -0400
41121 @@ -395,7 +395,7 @@ static int tstats_open(struct inode *ino
41122 return single_open(filp, tstats_show, NULL);
41125 -static struct file_operations tstats_fops = {
41126 +static const struct file_operations tstats_fops = {
41127 .open = tstats_open,
41129 .write = tstats_write,
41130 diff -urNp linux-2.6.31/kernel/time.c linux-2.6.31/kernel/time.c
41131 --- linux-2.6.31/kernel/time.c 2009-08-27 20:59:04.000000000 -0400
41132 +++ linux-2.6.31/kernel/time.c 2009-09-06 15:29:12.173058128 -0400
41133 @@ -94,6 +94,9 @@ SYSCALL_DEFINE1(stime, time_t __user *,
41136 vx_settimeofday(&tv);
41138 + gr_log_timechange();
41143 @@ -202,6 +205,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
41147 + gr_log_timechange();
41149 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
41152 @@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
41153 * Avoid unnecessary multiplications/divisions in the
41154 * two most common HZ cases:
41156 -unsigned int inline jiffies_to_msecs(const unsigned long j)
41157 +inline unsigned int jiffies_to_msecs(const unsigned long j)
41159 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
41160 return (MSEC_PER_SEC / HZ) * j;
41161 @@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
41163 EXPORT_SYMBOL(jiffies_to_msecs);
41165 -unsigned int inline jiffies_to_usecs(const unsigned long j)
41166 +inline unsigned int jiffies_to_usecs(const unsigned long j)
41168 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
41169 return (USEC_PER_SEC / HZ) * j;
41170 diff -urNp linux-2.6.31/kernel/trace/ftrace.c linux-2.6.31/kernel/trace/ftrace.c
41171 --- linux-2.6.31/kernel/trace/ftrace.c 2009-08-27 20:59:04.000000000 -0400
41172 +++ linux-2.6.31/kernel/trace/ftrace.c 2009-09-06 15:29:12.173915158 -0400
41173 @@ -1567,7 +1567,7 @@ static int t_show(struct seq_file *m, vo
41177 -static struct seq_operations show_ftrace_seq_ops = {
41178 +static const struct seq_operations show_ftrace_seq_ops = {
41182 @@ -2565,7 +2565,7 @@ static int g_show(struct seq_file *m, vo
41186 -static struct seq_operations ftrace_graph_seq_ops = {
41187 +static const struct seq_operations ftrace_graph_seq_ops = {
41191 diff -urNp linux-2.6.31/kernel/trace/Kconfig linux-2.6.31/kernel/trace/Kconfig
41192 --- linux-2.6.31/kernel/trace/Kconfig 2009-08-27 20:59:04.000000000 -0400
41193 +++ linux-2.6.31/kernel/trace/Kconfig 2009-09-06 15:29:12.173915158 -0400
41194 @@ -111,6 +111,7 @@ if FTRACE
41195 config FUNCTION_TRACER
41196 bool "Kernel Function Tracer"
41197 depends on HAVE_FUNCTION_TRACER
41198 + depends on !PAX_KERNEXEC
41199 select FRAME_POINTER
41201 select GENERIC_TRACER
41202 @@ -326,6 +327,7 @@ config POWER_TRACER
41203 config STACK_TRACER
41204 bool "Trace max stack"
41205 depends on HAVE_FUNCTION_TRACER
41206 + depends on !PAX_KERNEXEC
41207 select FUNCTION_TRACER
41210 diff -urNp linux-2.6.31/kernel/trace/trace.c linux-2.6.31/kernel/trace/trace.c
41211 --- linux-2.6.31/kernel/trace/trace.c 2009-08-27 20:59:04.000000000 -0400
41212 +++ linux-2.6.31/kernel/trace/trace.c 2009-09-06 15:29:12.175045935 -0400
41213 @@ -1885,7 +1885,7 @@ static int s_show(struct seq_file *m, vo
41217 -static struct seq_operations tracer_seq_ops = {
41218 +static const struct seq_operations tracer_seq_ops = {
41222 @@ -2097,7 +2097,7 @@ static int t_show(struct seq_file *m, vo
41226 -static struct seq_operations show_traces_seq_ops = {
41227 +static const struct seq_operations show_traces_seq_ops = {
41231 diff -urNp linux-2.6.31/kernel/trace/trace_output.c linux-2.6.31/kernel/trace/trace_output.c
41232 --- linux-2.6.31/kernel/trace/trace_output.c 2009-08-27 20:59:04.000000000 -0400
41233 +++ linux-2.6.31/kernel/trace/trace_output.c 2009-09-06 15:29:12.176028893 -0400
41234 @@ -234,7 +234,7 @@ int trace_seq_path(struct trace_seq *s,
41236 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
41238 - p = mangle_path(s->buffer + s->len, p, "\n");
41239 + p = mangle_path(s->buffer + s->len, p, "\n\\");
41241 s->len = p - s->buffer;
41243 diff -urNp linux-2.6.31/kernel/utsname_sysctl.c linux-2.6.31/kernel/utsname_sysctl.c
41244 --- linux-2.6.31/kernel/utsname_sysctl.c 2009-08-27 20:59:04.000000000 -0400
41245 +++ linux-2.6.31/kernel/utsname_sysctl.c 2009-09-06 15:29:12.177034823 -0400
41246 @@ -123,7 +123,7 @@ static struct ctl_table uts_kern_table[]
41247 .proc_handler = proc_do_uts_string,
41248 .strategy = sysctl_uts_string,
41251 + { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
41254 static struct ctl_table uts_root_table[] = {
41255 @@ -133,7 +133,7 @@ static struct ctl_table uts_root_table[]
41257 .child = uts_kern_table,
41260 + { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
41263 static int __init utsname_sysctl_init(void)
41264 diff -urNp linux-2.6.31/lib/inflate.c linux-2.6.31/lib/inflate.c
41265 --- linux-2.6.31/lib/inflate.c 2009-08-27 20:59:04.000000000 -0400
41266 +++ linux-2.6.31/lib/inflate.c 2009-09-06 15:29:12.177034823 -0400
41267 @@ -266,7 +266,7 @@ static void free(void *where)
41268 malloc_ptr = free_mem_ptr;
41271 -#define malloc(a) kmalloc(a, GFP_KERNEL)
41272 +#define malloc(a) kmalloc((a), GFP_KERNEL)
41273 #define free(a) kfree(a)
41276 diff -urNp linux-2.6.31/lib/Kconfig.debug linux-2.6.31/lib/Kconfig.debug
41277 --- linux-2.6.31/lib/Kconfig.debug 2009-08-27 20:59:04.000000000 -0400
41278 +++ linux-2.6.31/lib/Kconfig.debug 2009-09-06 15:29:12.178074128 -0400
41279 @@ -866,7 +866,7 @@ config LATENCYTOP
41283 - depends on HAVE_LATENCYTOP_SUPPORT
41284 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
41286 Enable this option if you want to use the LatencyTOP tool
41287 to find out which userspace is blocking on what kernel operations.
41288 diff -urNp linux-2.6.31/lib/parser.c linux-2.6.31/lib/parser.c
41289 --- linux-2.6.31/lib/parser.c 2009-08-27 20:59:04.000000000 -0400
41290 +++ linux-2.6.31/lib/parser.c 2009-09-06 15:29:12.178074128 -0400
41291 @@ -126,7 +126,7 @@ static int match_number(substring_t *s,
41295 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
41296 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
41299 memcpy(buf, s->from, s->to - s->from);
41300 diff -urNp linux-2.6.31/lib/radix-tree.c linux-2.6.31/lib/radix-tree.c
41301 --- linux-2.6.31/lib/radix-tree.c 2009-08-27 20:59:04.000000000 -0400
41302 +++ linux-2.6.31/lib/radix-tree.c 2009-09-06 15:29:12.178995956 -0400
41303 @@ -81,7 +81,7 @@ struct radix_tree_preload {
41305 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
41307 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
41308 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
41310 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
41312 diff -urNp linux-2.6.31/lib/random32.c linux-2.6.31/lib/random32.c
41313 --- linux-2.6.31/lib/random32.c 2009-08-27 20:59:04.000000000 -0400
41314 +++ linux-2.6.31/lib/random32.c 2009-09-06 15:29:12.178995956 -0400
41315 @@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
41317 static inline u32 __seed(u32 x, u32 m)
41319 - return (x < m) ? x + m : x;
41320 + return (x <= m) ? x + m + 1 : x;
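Review bot: The rewritten `__seed` now guarantees a result strictly greater than `m` (for `x <= m` it returns `x + m + 1`, which is at least `m + 1`; otherwise `x` itself), whereas the old form could return exactly `m` for `x == 0`, but that invariant is written down nowhere in the hunk. A comment such as `/* returns a value > m: the generator's state words have strict lower bounds */` would make the `<=` and the `+ 1` look deliberate rather than accidental. If `m` could approach `UINT_MAX` the addition would wrap, but for the small bounds this helper is presumably called with that cannot happen; the call sites are outside the hunk, so worth a glance.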
41324 diff -urNp linux-2.6.31/localversion-grsec linux-2.6.31/localversion-grsec
41325 --- linux-2.6.31/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
41326 +++ linux-2.6.31/localversion-grsec 2009-09-06 15:29:12.178995956 -0400
41329 diff -urNp linux-2.6.31/Makefile linux-2.6.31/Makefile
41330 --- linux-2.6.31/Makefile 2009-09-09 19:20:52.741218364 -0400
41331 +++ linux-2.6.31/Makefile 2009-09-09 19:27:51.949516254 -0400
41332 @@ -221,8 +221,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
41336 -HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer
41337 -HOSTCXXFLAGS = -O2
41338 +HOSTCFLAGS = -Wall -W -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
41339 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
41341 # Decide whether to build built-in, modular, or both.
41342 # Normally, just do built-in.
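Review bot: `-fno-delete-null-pointer-checks` is added only to HOSTCFLAGS and HOSTCXXFLAGS here, which govern the build-host programs (scripts/, kconfig), not the kernel image, so this hunk on its own does not change how the compiler treats NULL-dereference checks in kernel code. If the intent is the in-kernel hardening, the matching KBUILD_CFLAGS change has to live in another hunk and is not visible in this one; if the intent really is the host tools, a comment above the line such as `# host tools only; the kernel's own flags are set via KBUILD_CFLAGS` would stop readers from assuming the kernel is covered. The added `-W` also switches on extra warnings for host programs, an unrelated change bundled into the same line.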
41343 @@ -639,7 +639,7 @@ export mod_strip_cmd
41346 ifeq ($(KBUILD_EXTMOD),)
41347 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
41348 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
41350 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
41351 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
41352 diff -urNp linux-2.6.31/mm/filemap.c linux-2.6.31/mm/filemap.c
41353 --- linux-2.6.31/mm/filemap.c 2009-08-27 20:59:04.000000000 -0400
41354 +++ linux-2.6.31/mm/filemap.c 2009-09-06 15:29:12.181116756 -0400
41355 @@ -1648,7 +1648,7 @@ page_not_uptodate:
41357 EXPORT_SYMBOL(filemap_fault);
41359 -struct vm_operations_struct generic_file_vm_ops = {
41360 +const struct vm_operations_struct generic_file_vm_ops = {
41361 .fault = filemap_fault,
41364 @@ -1659,7 +1659,7 @@ int generic_file_mmap(struct file * file
41365 struct address_space *mapping = file->f_mapping;
41367 if (!mapping->a_ops->readpage)
41370 file_accessed(file);
41371 vma->vm_ops = &generic_file_vm_ops;
41372 vma->vm_flags |= VM_CAN_NONLINEAR;
41373 @@ -2019,6 +2019,7 @@ inline int generic_write_checks(struct f
41374 *pos = i_size_read(inode);
41376 if (limit != RLIM_INFINITY) {
41377 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
41378 if (*pos >= limit) {
41379 send_sig(SIGXFSZ, current, 0);
41381 diff -urNp linux-2.6.31/mm/filemap_xip.c linux-2.6.31/mm/filemap_xip.c
41382 --- linux-2.6.31/mm/filemap_xip.c 2009-08-27 20:59:04.000000000 -0400
41383 +++ linux-2.6.31/mm/filemap_xip.c 2009-09-06 15:29:12.181116756 -0400
41384 @@ -296,7 +296,7 @@ out:
41388 -static struct vm_operations_struct xip_file_vm_ops = {
41389 +static const struct vm_operations_struct xip_file_vm_ops = {
41390 .fault = xip_file_fault,
41393 diff -urNp linux-2.6.31/mm/fremap.c linux-2.6.31/mm/fremap.c
41394 --- linux-2.6.31/mm/fremap.c 2009-08-27 20:59:04.000000000 -0400
41395 +++ linux-2.6.31/mm/fremap.c 2009-09-06 15:29:12.181116756 -0400
41396 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
41398 vma = find_vma(mm, start);
41400 +#ifdef CONFIG_PAX_SEGMEXEC
41401 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
41406 * Make sure the vma is shared, that it supports prefaulting,
41407 * and that the remapped range is valid and fully within
41408 diff -urNp linux-2.6.31/mm/highmem.c linux-2.6.31/mm/highmem.c
41409 --- linux-2.6.31/mm/highmem.c 2009-08-27 20:59:04.000000000 -0400
41410 +++ linux-2.6.31/mm/highmem.c 2009-09-06 15:29:12.182118990 -0400
41411 @@ -94,6 +94,9 @@ static void flush_all_zero_pkmaps(void)
41413 for (i = 0; i < LAST_PKMAP; i++) {
41415 +#ifdef CONFIG_PAX_KERNEXEC
41416 + unsigned long cr0;
41420 * zero means we don't have anything to do,
41421 @@ -116,9 +119,18 @@ static void flush_all_zero_pkmaps(void)
41422 * So no dangers, even with speculative execution.
41424 page = pte_page(pkmap_page_table[i]);
41426 +#ifdef CONFIG_PAX_KERNEXEC
41427 + pax_open_kernel(cr0);
41430 pte_clear(&init_mm, (unsigned long)page_address(page),
41431 &pkmap_page_table[i]);
41433 +#ifdef CONFIG_PAX_KERNEXEC
41434 + pax_close_kernel(cr0);
41437 set_page_address(page, NULL);
41440 @@ -140,6 +152,9 @@ static inline unsigned long map_new_virt
41442 unsigned long vaddr;
41444 +#ifdef CONFIG_PAX_KERNEXEC
41445 + unsigned long cr0;
41449 count = LAST_PKMAP;
41450 @@ -177,8 +192,14 @@ start:
41453 vaddr = PKMAP_ADDR(last_pkmap_nr);
41454 +#ifdef CONFIG_PAX_KERNEXEC
41455 + pax_open_kernel(cr0);
41457 set_pte_at(&init_mm, vaddr,
41458 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
41459 +#ifdef CONFIG_PAX_KERNEXEC
41460 + pax_close_kernel(cr0);
41463 pkmap_count[last_pkmap_nr] = 1;
41464 set_page_address(page, (void *)vaddr);
41465 diff -urNp linux-2.6.31/mm/hugetlb.c linux-2.6.31/mm/hugetlb.c
41466 --- linux-2.6.31/mm/hugetlb.c 2009-08-27 20:59:04.000000000 -0400
41467 +++ linux-2.6.31/mm/hugetlb.c 2009-09-06 15:29:12.182118990 -0400
41468 @@ -1689,7 +1689,7 @@ static int hugetlb_vm_op_fault(struct vm
41472 -struct vm_operations_struct hugetlb_vm_ops = {
41473 +const struct vm_operations_struct hugetlb_vm_ops = {
41474 .fault = hugetlb_vm_op_fault,
41475 .open = hugetlb_vm_op_open,
41476 .close = hugetlb_vm_op_close,
41477 @@ -1892,6 +1892,26 @@ static int unmap_ref_private(struct mm_s
41481 +#ifdef CONFIG_PAX_SEGMEXEC
41482 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
41484 + struct mm_struct *mm = vma->vm_mm;
41485 + struct vm_area_struct *vma_m;
41486 + unsigned long address_m;
41489 + vma_m = pax_find_mirror_vma(vma);
41493 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
41494 + address_m = address + SEGMEXEC_TASK_SIZE;
41495 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
41496 + get_page(page_m);
41497 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
41501 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
41502 unsigned long address, pte_t *ptep, pte_t pte,
41503 struct page *pagecache_page)
41504 @@ -1963,6 +1983,11 @@ retry_avoidcopy:
41505 huge_ptep_clear_flush(vma, address, ptep);
41506 set_huge_pte_at(mm, address, ptep,
41507 make_huge_pte(vma, new_page, 1));
41509 +#ifdef CONFIG_PAX_SEGMEXEC
41510 + pax_mirror_huge_pte(vma, address, new_page);
41513 /* Make the old page be freed below */
41514 new_page = old_page;
41516 @@ -2072,6 +2097,10 @@ retry:
41517 && (vma->vm_flags & VM_SHARED)));
41518 set_huge_pte_at(mm, address, ptep, new_pte);
41520 +#ifdef CONFIG_PAX_SEGMEXEC
41521 + pax_mirror_huge_pte(vma, address, page);
41524 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
41525 /* Optimization, do the COW without a second fault */
41526 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
41527 @@ -2100,6 +2129,28 @@ int hugetlb_fault(struct mm_struct *mm,
41528 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
41529 struct hstate *h = hstate_vma(vma);
41531 +#ifdef CONFIG_PAX_SEGMEXEC
41532 + struct vm_area_struct *vma_m;
41534 + vma_m = pax_find_mirror_vma(vma);
41536 + unsigned long address_m;
41538 + if (vma->vm_start > vma_m->vm_start) {
41539 + address_m = address;
41540 + address -= SEGMEXEC_TASK_SIZE;
41542 + h = hstate_vma(vma);
41544 + address_m = address + SEGMEXEC_TASK_SIZE;
41546 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
41547 + return VM_FAULT_OOM;
41548 + address_m &= HPAGE_MASK;
41549 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
41553 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
41555 return VM_FAULT_OOM;
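Review bot: The mirror setup mixes two notions of huge-page size: the mirror-side allocation uses `huge_page_size(h)` (and `h` is even recomputed via `hstate_vma(vma)` after the vma swap), but the next two lines round and bound with `HPAGE_MASK` and `HPAGE_SIZE`, which are the default size only. For a vma whose hstate is not the default, the range `address_m .. address_m + HPAGE_SIZE` passed to `unmap_hugepage_range` covers the wrong extent; `address_m &= huge_page_mask(h);` and `unmap_hugepage_range(vma, address_m, address_m + huge_page_size(h), NULL);` would agree with the line above. Note also that `unmap_hugepage_range` is given `vma` (the lower mapping after the swap) for a range in the upper half; if it only needs `vma->vm_mm` and the hstate that is fine, but a comment should say so. The `if` that guards this block and its closing brace are not shown, and hugetlb_fault continues past the hunk.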
41556 diff -urNp linux-2.6.31/mm/Kconfig linux-2.6.31/mm/Kconfig
41557 --- linux-2.6.31/mm/Kconfig 2009-08-27 20:59:04.000000000 -0400
41558 +++ linux-2.6.31/mm/Kconfig 2009-09-08 19:13:45.070656661 -0400
41559 @@ -216,7 +216,7 @@ config MMU_NOTIFIER
41561 config DEFAULT_MMAP_MIN_ADDR
41562 int "Low address space to protect from user allocation"
41566 This is the portion of low virtual memory which should be protected
41567 from userspace allocation. Keeping a user from writing to low pages
41568 diff -urNp linux-2.6.31/mm/madvise.c linux-2.6.31/mm/madvise.c
41569 --- linux-2.6.31/mm/madvise.c 2009-08-27 20:59:04.000000000 -0400
41570 +++ linux-2.6.31/mm/madvise.c 2009-09-06 15:29:12.182990921 -0400
41571 @@ -43,6 +43,10 @@ static long madvise_behavior(struct vm_a
41573 int new_flags = vma->vm_flags;
41575 +#ifdef CONFIG_PAX_SEGMEXEC
41576 + struct vm_area_struct *vma_m;
41579 switch (behavior) {
41581 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
41582 @@ -92,6 +96,13 @@ success:
41584 * vm_flags is protected by the mmap_sem held in write mode.
41587 +#ifdef CONFIG_PAX_SEGMEXEC
41588 + vma_m = pax_find_mirror_vma(vma);
41590 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
41593 vma->vm_flags = new_flags;
41596 @@ -235,6 +246,17 @@ madvise_vma(struct vm_area_struct *vma,
41598 case MADV_DONTNEED:
41599 error = madvise_dontneed(vma, prev, start, end);
41601 +#ifdef CONFIG_PAX_SEGMEXEC
41603 + struct vm_area_struct *vma_m, *prev_m;
41605 + vma_m = pax_find_mirror_vma(vma);
41607 + error = madvise_dontneed(vma_m, &prev_m, start + SEGMEXEC_TASK_SIZE, end + SEGMEXEC_TASK_SIZE);
41614 @@ -328,6 +350,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
41618 +#ifdef CONFIG_PAX_SEGMEXEC
41619 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
41620 + if (end > SEGMEXEC_TASK_SIZE)
41625 + if (end > TASK_SIZE)
41631 diff -urNp linux-2.6.31/mm/memory.c linux-2.6.31/mm/memory.c
41632 --- linux-2.6.31/mm/memory.c 2009-08-27 20:59:04.000000000 -0400
41633 +++ linux-2.6.31/mm/memory.c 2009-09-06 15:29:12.184153723 -0400
41635 #include <linux/pagemap.h>
41636 #include <linux/rmap.h>
41637 #include <linux/module.h>
41638 +#include <linux/security.h>
41639 #include <linux/delayacct.h>
41640 #include <linux/init.h>
41641 #include <linux/writeback.h>
41642 @@ -1228,11 +1229,11 @@ int __get_user_pages(struct task_struct
41643 vm_flags &= force ? (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
41647 + while (nr_pages) {
41648 struct vm_area_struct *vma;
41649 unsigned int foll_flags;
41651 - vma = find_extend_vma(mm, start);
41652 + vma = find_vma(mm, start);
41653 if (!vma && in_gate_area(tsk, start)) {
41654 unsigned long pg = start & PAGE_MASK;
41655 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
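Review bot: Replacing `find_extend_vma` with `find_vma` means `__get_user_pages` no longer grows the stack vma on behalf of its caller, a deliberate semantic change for every user of get_user_pages (ptrace and access_process_vm among them), yet the hunk adds no comment to that effect. A line above the lookup, `/* PaX: never expand the stack on behalf of an accessor; the range must already be mapped */`, would record the intent. Because `find_vma` can return a vma that begins above `start`, this hunk is only correct together with the `start < vma->vm_start` test added in the following hunk, which is worth saying in that comment. The `do {} while` to `while (nr_pages)` rewrite only alters the zero-count entry case, presumably already rejected before the loop; `__get_user_pages` itself begins above this hunk.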
41656 @@ -1274,7 +1275,7 @@ int __get_user_pages(struct task_struct
41661 + if (!vma || start < vma->vm_start ||
41662 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
41663 (!ignore && !(vm_flags & vma->vm_flags)))
41664 return i ? : -EFAULT;
41665 @@ -1360,7 +1361,7 @@ int __get_user_pages(struct task_struct
41666 start += PAGE_SIZE;
41668 } while (nr_pages && start < vma->vm_end);
41669 - } while (nr_pages);
41674 @@ -1926,6 +1927,186 @@ static inline void cow_user_page(struct
41675 copy_user_highpage(dst, src, va, vma);
41678 +#ifdef CONFIG_PAX_SEGMEXEC
41679 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
41681 + struct mm_struct *mm = vma->vm_mm;
41683 + pte_t *pte, entry;
41685 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
41687 + if (!pte_present(entry)) {
41688 + if (!pte_none(entry)) {
41689 + BUG_ON(pte_file(entry));
41690 + free_swap_and_cache(pte_to_swp_entry(entry));
41691 + pte_clear_not_present_full(mm, address, pte, 0);
41694 + struct page *page;
41696 + flush_cache_page(vma, address, pte_pfn(entry));
41697 + entry = ptep_clear_flush(vma, address, pte);
41698 + BUG_ON(pte_dirty(entry));
41699 + page = vm_normal_page(vma, address, entry);
41701 + update_hiwater_rss(mm);
41702 + if (PageAnon(page))
41703 + dec_mm_counter(mm, anon_rss);
41705 + dec_mm_counter(mm, file_rss);
41706 + page_remove_rmap(page);
41707 + page_cache_release(page);
41710 + pte_unmap_unlock(pte, ptl);
41713 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
41715 + * the ptl of the lower mapped page is held on entry and is not released on exit
41716 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
41718 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
41720 + struct mm_struct *mm = vma->vm_mm;
41721 + unsigned long address_m;
41722 + spinlock_t *ptl_m;
41723 + struct vm_area_struct *vma_m;
41725 + pte_t *pte_m, entry_m;
41727 + BUG_ON(!page_m || !PageAnon(page_m));
41729 + vma_m = pax_find_mirror_vma(vma);
41733 + BUG_ON(!PageLocked(page_m));
41734 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
41735 + address_m = address + SEGMEXEC_TASK_SIZE;
41736 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
41737 + pte_m = pte_offset_map_nested(pmd_m, address_m);
41738 + ptl_m = pte_lockptr(mm, pmd_m);
41739 + if (ptl != ptl_m) {
41740 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
41741 + if (!pte_none(*pte_m))
41745 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
41746 + page_cache_get(page_m);
41747 + page_add_anon_rmap(page_m, vma_m, address_m);
41748 + inc_mm_counter(mm, anon_rss);
41749 + set_pte_at(mm, address_m, pte_m, entry_m);
41750 + update_mmu_cache(vma_m, address_m, entry_m);
41752 + if (ptl != ptl_m)
41753 + spin_unlock(ptl_m);
41754 + pte_unmap_nested(pte_m);
41755 + unlock_page(page_m);
41758 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
41760 + struct mm_struct *mm = vma->vm_mm;
41761 + unsigned long address_m;
41762 + spinlock_t *ptl_m;
41763 + struct vm_area_struct *vma_m;
41765 + pte_t *pte_m, entry_m;
41767 + BUG_ON(!page_m || PageAnon(page_m));
41769 + vma_m = pax_find_mirror_vma(vma);
41773 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
41774 + address_m = address + SEGMEXEC_TASK_SIZE;
41775 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
41776 + pte_m = pte_offset_map_nested(pmd_m, address_m);
41777 + ptl_m = pte_lockptr(mm, pmd_m);
41778 + if (ptl != ptl_m) {
41779 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
41780 + if (!pte_none(*pte_m))
41784 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
41785 + page_cache_get(page_m);
41786 + page_add_file_rmap(page_m);
41787 + inc_mm_counter(mm, file_rss);
41788 + set_pte_at(mm, address_m, pte_m, entry_m);
41789 + update_mmu_cache(vma_m, address_m, entry_m);
41791 + if (ptl != ptl_m)
41792 + spin_unlock(ptl_m);
41793 + pte_unmap_nested(pte_m);
41796 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
41798 + struct mm_struct *mm = vma->vm_mm;
41799 + unsigned long address_m;
41800 + spinlock_t *ptl_m;
41801 + struct vm_area_struct *vma_m;
41803 + pte_t *pte_m, entry_m;
41805 + vma_m = pax_find_mirror_vma(vma);
41809 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
41810 + address_m = address + SEGMEXEC_TASK_SIZE;
41811 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
41812 + pte_m = pte_offset_map_nested(pmd_m, address_m);
41813 + ptl_m = pte_lockptr(mm, pmd_m);
41814 + if (ptl != ptl_m) {
41815 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
41816 + if (!pte_none(*pte_m))
41820 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
41821 + set_pte_at(mm, address_m, pte_m, entry_m);
41823 + if (ptl != ptl_m)
41824 + spin_unlock(ptl_m);
41825 + pte_unmap_nested(pte_m);
41828 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
41830 + struct page *page_m;
41833 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
41837 + page_m = vm_normal_page(vma, address, entry);
41839 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
41840 + else if (PageAnon(page_m)) {
41841 + if (pax_find_mirror_vma(vma)) {
41842 + pte_unmap_unlock(pte, ptl);
41843 + lock_page(page_m);
41844 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
41845 + if (pte_same(entry, *pte))
41846 + pax_mirror_anon_pte(vma, address, page_m, ptl);
41848 + unlock_page(page_m);
41851 + pax_mirror_file_pte(vma, address, page_m, ptl);
41854 + pte_unmap_unlock(pte, ptl);
41859 * This routine handles present pages, when users try to write
41860 * to a shared page. It is done by copying the page to a new address
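Review bot: In `pax_mirror_anon_pte`, `pax_mirror_file_pte` and `pax_mirror_pfn_pte` the `if (!pte_none(*pte_m))` guard sits inside `if (ptl != ptl_m)`, so when the caller's lock and the mirror's lock are the same object (no split page-table locks) a non-empty mirror entry is overwritten by `set_pte_at` without the old page's rmap and counters ever being dropped. If the reasoning is that `pax_unmap_mirror_pte` in `handle_mm_fault` has already cleared the mirror slot under that very lock, say so and assert it: hoist the check out of the lock-differs branch, or add `BUG_ON(!pte_none(*pte_m));` on the same-lock path with a comment naming the invariant. Separately, `pax_mirror_pte` releases `ptl` and then calls `lock_page(page_m)` without first taking a reference on `page_m`; mmap_sem held for read stops this mm from unmapping it, but it does not stop reclaim from freeing the page in that window, so a `get_page`/`put_page` pair around it looks necessary unless something not visible here pins the page. The `goto out` targets and `out:` labels of these helpers are not shown in this view.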
41861 @@ -2098,6 +2279,12 @@ gotten:
41863 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
41864 if (likely(pte_same(*page_table, orig_pte))) {
41866 +#ifdef CONFIG_PAX_SEGMEXEC
41867 + if (pax_find_mirror_vma(vma))
41868 + BUG_ON(!trylock_page(new_page));
41872 if (!PageAnon(old_page)) {
41873 dec_mm_counter(mm, file_rss);
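Review bot: `BUG_ON(!trylock_page(new_page))` hides the real work, taking the page lock, inside an assertion's condition, which is fragile style: the lock is acquired as a side effect of a check, and anyone reading it as a pure assertion may remove or reorder it. Spell it out as `if (!trylock_page(new_page))` / `BUG();` with a comment that the page must be locked before `pax_mirror_anon_pte` runs, since that helper asserts `PageLocked` and unlocks on exit. The same construction appears in the `do_anonymous_page` and `__do_fault` hunks of this patch and should be changed alongside this one; the rest of do_wp_page lies outside the hunk.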
41874 @@ -2144,6 +2331,10 @@ gotten:
41875 page_remove_rmap(old_page);
41878 +#ifdef CONFIG_PAX_SEGMEXEC
41879 + pax_mirror_anon_pte(vma, address, new_page, ptl);
41882 /* Free the old page.. */
41883 new_page = old_page;
41884 ret |= VM_FAULT_WRITE;
41885 @@ -2425,6 +2616,7 @@ int vmtruncate(struct inode * inode, lof
41886 unsigned long limit;
41888 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
41889 + gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
41890 if (limit != RLIM_INFINITY && offset > limit)
41892 if (offset > inode->i_sb->s_maxbytes)
41893 @@ -2587,6 +2779,11 @@ static int do_swap_page(struct mm_struct
41895 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
41896 try_to_free_swap(page);
41898 +#ifdef CONFIG_PAX_SEGMEXEC
41899 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
41904 if (flags & FAULT_FLAG_WRITE) {
41905 @@ -2598,6 +2795,11 @@ static int do_swap_page(struct mm_struct
41907 /* No need to invalidate - it was non-present before */
41908 update_mmu_cache(vma, address, pte);
41910 +#ifdef CONFIG_PAX_SEGMEXEC
41911 + pax_mirror_anon_pte(vma, address, page, ptl);
41915 pte_unmap_unlock(page_table, ptl);
41917 @@ -2643,12 +2845,23 @@ static int do_anonymous_page(struct mm_s
41918 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
41919 if (!pte_none(*page_table))
41922 +#ifdef CONFIG_PAX_SEGMEXEC
41923 + if (pax_find_mirror_vma(vma))
41924 + BUG_ON(!trylock_page(page));
41927 inc_mm_counter(mm, anon_rss);
41928 page_add_new_anon_rmap(page, vma, address);
41929 set_pte_at(mm, address, page_table, entry);
41931 /* No need to invalidate - it was non-present before */
41932 update_mmu_cache(vma, address, entry);
41934 +#ifdef CONFIG_PAX_SEGMEXEC
41935 + pax_mirror_anon_pte(vma, address, page, ptl);
41939 pte_unmap_unlock(page_table, ptl);
41941 @@ -2785,6 +2998,12 @@ static int __do_fault(struct mm_struct *
41943 /* Only go through if we didn't race with anybody else... */
41944 if (likely(pte_same(*page_table, orig_pte))) {
41946 +#ifdef CONFIG_PAX_SEGMEXEC
41947 + if (anon && pax_find_mirror_vma(vma))
41948 + BUG_ON(!trylock_page(page));
41951 flush_icache_page(vma, page);
41952 entry = mk_pte(page, vma->vm_page_prot);
41953 if (flags & FAULT_FLAG_WRITE)
41954 @@ -2804,6 +3023,14 @@ static int __do_fault(struct mm_struct *
41956 /* no need to invalidate: a not-present page won't be cached */
41957 update_mmu_cache(vma, address, entry);
41959 +#ifdef CONFIG_PAX_SEGMEXEC
41961 + pax_mirror_anon_pte(vma, address, page, ptl);
41963 + pax_mirror_file_pte(vma, address, page, ptl);
41968 mem_cgroup_uncharge_page(page);
41969 @@ -2951,6 +3178,12 @@ static inline int handle_pte_fault(struc
41970 if (flags & FAULT_FLAG_WRITE)
41971 flush_tlb_page(vma, address);
41974 +#ifdef CONFIG_PAX_SEGMEXEC
41975 + pax_mirror_pte(vma, address, pte, pmd, ptl);
41980 pte_unmap_unlock(pte, ptl);
41982 @@ -2967,6 +3200,10 @@ int handle_mm_fault(struct mm_struct *mm
41986 +#ifdef CONFIG_PAX_SEGMEXEC
41987 + struct vm_area_struct *vma_m;
41990 __set_current_state(TASK_RUNNING);
41992 count_vm_event(PGFAULT);
41993 @@ -2974,6 +3211,34 @@ int handle_mm_fault(struct mm_struct *mm
41994 if (unlikely(is_vm_hugetlb_page(vma)))
41995 return hugetlb_fault(mm, vma, address, flags);
41997 +#ifdef CONFIG_PAX_SEGMEXEC
41998 + vma_m = pax_find_mirror_vma(vma);
42000 + unsigned long address_m;
42005 + if (vma->vm_start > vma_m->vm_start) {
42006 + address_m = address;
42007 + address -= SEGMEXEC_TASK_SIZE;
42010 + address_m = address + SEGMEXEC_TASK_SIZE;
42012 + pgd_m = pgd_offset(mm, address_m);
42013 + pud_m = pud_alloc(mm, pgd_m, address_m);
42015 + return VM_FAULT_OOM;
42016 + pmd_m = pmd_alloc(mm, pud_m, address_m);
42018 + return VM_FAULT_OOM;
42019 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
42020 + return VM_FAULT_OOM;
42021 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
42025 pgd = pgd_offset(mm, address);
42026 pud = pud_alloc(mm, pgd, address);
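Review bot: After the `if (vma->vm_start > vma_m->vm_start)` swap, `address` is rebased into the lower half, and the hunk then calls `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` with `address_m` in the upper half; the statement that reassigns `vma` inside that branch is not shown here, so confirm that `vma_m` still denotes the vma that actually covers `address_m` at the call. `pax_unmap_mirror_pte` forwards its vma to `vm_normal_page`, which as far as I recall derives the expected pfn for PFNMAP vmas from `vma->vm_start`, so handing it the lower vma for an upper address would mis-classify pfn mappings. A comment on the swap, `/* fault hit the mirror: service the lower half and treat the original vma as the mirror */`, plus `BUG_ON(address_m < vma_m->vm_start || address_m >= vma_m->vm_end);` before the unmap would pin this down. `handle_mm_fault` continues past the hunk.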
42028 @@ -3071,7 +3336,7 @@ static int __init gate_vma_init(void)
42029 gate_vma.vm_start = FIXADDR_USER_START;
42030 gate_vma.vm_end = FIXADDR_USER_END;
42031 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
42032 - gate_vma.vm_page_prot = __P101;
42033 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
42035 * Make sure the vDSO gets into every core dump.
42036 * Dumping its contents makes post-mortem fully interpretable later
42037 diff -urNp linux-2.6.31/mm/mempolicy.c linux-2.6.31/mm/mempolicy.c
42038 --- linux-2.6.31/mm/mempolicy.c 2009-08-27 20:59:04.000000000 -0400
42039 +++ linux-2.6.31/mm/mempolicy.c 2009-09-06 15:29:12.185145139 -0400
42040 @@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_st
42041 struct vm_area_struct *next;
42044 +#ifdef CONFIG_PAX_SEGMEXEC
42045 + struct vm_area_struct *vma_m;
42049 for (; vma && vma->vm_start < end; vma = next) {
42050 next = vma->vm_next;
42051 @@ -584,6 +588,16 @@ static int mbind_range(struct vm_area_st
42052 err = policy_vma(vma, new);
42056 +#ifdef CONFIG_PAX_SEGMEXEC
42057 + vma_m = pax_find_mirror_vma(vma);
42059 + err = policy_vma(vma_m, new);
42068 @@ -1002,6 +1016,17 @@ static long do_mbind(unsigned long start
42073 +#ifdef CONFIG_PAX_SEGMEXEC
42074 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
42075 + if (end > SEGMEXEC_TASK_SIZE)
42080 + if (end > TASK_SIZE)
42086 @@ -1206,6 +1231,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
42090 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
42091 + if (mm != current->mm &&
42092 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
42099 * Check if this process has the right to modify the specified
42100 * process. The right exists if the process has administrative
42101 @@ -1215,8 +1248,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
42103 tcred = __task_cred(task);
42104 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
42105 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
42106 - !capable(CAP_SYS_NICE)) {
42107 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
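Review bot: Dropping the `cred->uid != tcred->uid` term leaves the permission test asymmetric: the caller's effective uid is still matched against both the target's real and saved uid, but the caller's real uid now only against the target's saved uid, so a caller whose real uid equals the target's real uid and matches nothing else is newly refused. If that is the intent, the explanatory comment above the check (partly visible: "The right exists if the process has administrative ...") still describes the old rule and should be updated in the same change; if it is not, the line should read `cred->uid != tcred->suid && cred->uid != tcred->uid && !capable(CAP_SYS_NICE)) {`. The identical edit is made to `move_pages` in mm/migrate.c, so both sites need the same decision. The `if` body and the rest of the function are outside the hunk.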
42111 @@ -2385,7 +2417,7 @@ int show_numa_map(struct seq_file *m, vo
42114 seq_printf(m, " file=");
42115 - seq_path(m, &file->f_path, "\n\t= ");
42116 + seq_path(m, &file->f_path, "\n\t\\= ");
42117 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
42118 seq_printf(m, " heap");
42119 } else if (vma->vm_start <= mm->start_stack &&
42120 diff -urNp linux-2.6.31/mm/migrate.c linux-2.6.31/mm/migrate.c
42121 --- linux-2.6.31/mm/migrate.c 2009-08-27 20:59:04.000000000 -0400
42122 +++ linux-2.6.31/mm/migrate.c 2009-09-06 15:29:12.186933519 -0400
42123 @@ -1087,6 +1087,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
42127 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
42128 + if (mm != current->mm &&
42129 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
42136 * Check if this process has the right to modify the specified
42137 * process. The right exists if the process has administrative
42138 @@ -1096,8 +1104,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
42140 tcred = __task_cred(task);
42141 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
42142 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
42143 - !capable(CAP_SYS_NICE)) {
42144 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
42148 diff -urNp linux-2.6.31/mm/mlock.c linux-2.6.31/mm/mlock.c
42149 --- linux-2.6.31/mm/mlock.c 2009-08-27 20:59:04.000000000 -0400
42150 +++ linux-2.6.31/mm/mlock.c 2009-09-06 15:29:12.196062852 -0400
42152 #include <linux/pagemap.h>
42153 #include <linux/mempolicy.h>
42154 #include <linux/syscalls.h>
42155 +#include <linux/security.h>
42156 #include <linux/sched.h>
42157 #include <linux/module.h>
42158 #include <linux/rmap.h>
42159 @@ -431,6 +432,17 @@ static int do_mlock(unsigned long start,
42164 +#ifdef CONFIG_PAX_SEGMEXEC
42165 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
42166 + if (end > SEGMEXEC_TASK_SIZE)
42171 + if (end > TASK_SIZE)
42174 vma = find_vma_prev(current->mm, start, &prev);
42175 if (!vma || vma->vm_start > start)
42177 @@ -490,6 +502,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
42178 lock_limit >>= PAGE_SHIFT;
42180 /* check against resource limits */
42181 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
42182 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
42183 error = do_mlock(start, len, 1);
42184 up_write(¤t->mm->mmap_sem);
42185 @@ -511,10 +524,10 @@ SYSCALL_DEFINE2(munlock, unsigned long,
42186 static int do_mlockall(int flags)
42188 struct vm_area_struct * vma, * prev = NULL;
42189 - unsigned int def_flags = 0;
42190 + unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
42192 if (flags & MCL_FUTURE)
42193 - def_flags = VM_LOCKED;
42194 + def_flags |= VM_LOCKED;
42195 current->mm->def_flags = def_flags;
42196 if (flags == MCL_FUTURE)
42198 @@ -522,6 +535,12 @@ static int do_mlockall(int flags)
42199 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
42200 unsigned int newflags;
42202 +#ifdef CONFIG_PAX_SEGMEXEC
42203 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
42207 + BUG_ON(vma->vm_end > TASK_SIZE);
42208 newflags = vma->vm_flags | VM_LOCKED;
42209 if (!(flags & MCL_CURRENT))
42210 newflags &= ~VM_LOCKED;
42211 @@ -553,6 +572,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
42213 if (!vx_vmlocked_avail(current->mm, current->mm->total_vm))
42215 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
42216 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
42217 capable(CAP_IPC_LOCK))
42218 ret = do_mlockall(flags);
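Review bot: The `gr_learn_resource` call added here reports `current->mm->total_vm`, a page count, whereas the call added to `mlock()` in the hunk above reports `(current->mm->locked_vm << PAGE_SHIFT) + len`, i.e. bytes; RLIMIT_MEMLOCK is a byte limit, so the two sites disagree on the unit and the value learned for mlockall would be off by a factor of PAGE_SIZE. Assuming the hook expects the rlimit's own unit, as the mlock() site suggests, the line should be `gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);`. The kernel's own comparison on the next line is pages against `lock_limit`, presumably shifted down earlier in the function as in mlock(), so that one is unaffected. `gr_learn_resource` is defined elsewhere in the patch and its contract is not visible here.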
42219 diff -urNp linux-2.6.31/mm/mmap.c linux-2.6.31/mm/mmap.c
42220 --- linux-2.6.31/mm/mmap.c 2009-08-27 20:59:04.000000000 -0400
42221 +++ linux-2.6.31/mm/mmap.c 2009-09-06 15:29:12.196953444 -0400
42223 #define arch_rebalance_pgtables(addr, len) (addr)
42226 +static inline void verify_mm_writelocked(struct mm_struct *mm)
42228 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
42229 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
42230 + up_read(&mm->mmap_sem);
42236 static void unmap_region(struct mm_struct *mm,
42237 struct vm_area_struct *vma, struct vm_area_struct *prev,
42238 unsigned long start, unsigned long end);
42239 @@ -70,16 +80,25 @@ static void unmap_region(struct mm_struc
42240 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
42243 -pgprot_t protection_map[16] = {
42244 +pgprot_t protection_map[16] __read_only = {
42245 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
42246 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
42249 pgprot_t vm_get_page_prot(unsigned long vm_flags)
42251 - return __pgprot(pgprot_val(protection_map[vm_flags &
42252 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
42253 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
42254 pgprot_val(arch_vm_get_page_prot(vm_flags)));
42256 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
42257 + if (!nx_enabled &&
42258 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
42259 + (vm_flags & (VM_READ | VM_WRITE)))
42260 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
42265 EXPORT_SYMBOL(vm_get_page_prot);
42267 @@ -231,6 +250,7 @@ static struct vm_area_struct *remove_vma
42268 struct vm_area_struct *next = vma->vm_next;
42271 + BUG_ON(vma->vm_mirror);
42272 if (vma->vm_ops && vma->vm_ops->close)
42273 vma->vm_ops->close(vma);
42274 if (vma->vm_file) {
42275 @@ -267,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
42276 * not page aligned -Ram Gupta
42278 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
42279 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
42280 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
42281 (mm->end_data - mm->start_data) > rlim)
42283 @@ -696,6 +717,12 @@ static int
42284 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
42285 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
42288 +#ifdef CONFIG_PAX_SEGMEXEC
42289 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
42293 if (is_mergeable_vma(vma, file, vm_flags) &&
42294 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
42295 if (vma->vm_pgoff == vm_pgoff)
42296 @@ -715,6 +742,12 @@ static int
42297 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
42298 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
42301 +#ifdef CONFIG_PAX_SEGMEXEC
42302 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
42306 if (is_mergeable_vma(vma, file, vm_flags) &&
42307 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
42309 @@ -757,12 +790,19 @@ can_vma_merge_after(struct vm_area_struc
42310 struct vm_area_struct *vma_merge(struct mm_struct *mm,
42311 struct vm_area_struct *prev, unsigned long addr,
42312 unsigned long end, unsigned long vm_flags,
42313 - struct anon_vma *anon_vma, struct file *file,
42314 + struct anon_vma *anon_vma, struct file *file,
42315 pgoff_t pgoff, struct mempolicy *policy)
42317 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
42318 struct vm_area_struct *area, *next;
42320 +#ifdef CONFIG_PAX_SEGMEXEC
42321 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
42322 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
42324 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
42328 * We later require that vma->vm_flags == vm_flags,
42329 * so this tests vma->vm_flags & VM_SPECIAL, too.
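Review bot: `BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);` at 42324 turns a caller-supplied range into a kernel panic rather than an error return, so the invariant it relies on should be written down next to it. Presumably the syscall entry points reject ranges above SEGMEXEC_TASK_SIZE before any merge is attempted (the munmap hunk at 43095-43096 shows one such check), but vma_merge has several callers and nothing here says which of them guarantee it. A comment such as `/* every caller has already rejected ranges above SEGMEXEC_TASK_SIZE (see sys_munmap/sys_mprotect); this is an invariant, not input validation */` would make that auditable, and if any caller can reach here with end past the boundary this should be a graceful failure instead. vma_merge's body continues outside the hunk.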
42330 @@ -778,6 +818,15 @@ struct vm_area_struct *vma_merge(struct
42331 if (next && next->vm_end == end) /* cases 6, 7, 8 */
42332 next = next->vm_next;
42334 +#ifdef CONFIG_PAX_SEGMEXEC
42336 + prev_m = pax_find_mirror_vma(prev);
42338 + area_m = pax_find_mirror_vma(area);
42340 + next_m = pax_find_mirror_vma(next);
42344 * Can it merge with the predecessor?
42346 @@ -797,9 +846,24 @@ struct vm_area_struct *vma_merge(struct
42348 vma_adjust(prev, prev->vm_start,
42349 next->vm_end, prev->vm_pgoff, NULL);
42350 - } else /* cases 2, 5, 7 */
42352 +#ifdef CONFIG_PAX_SEGMEXEC
42354 + vma_adjust(prev_m, prev_m->vm_start,
42355 + next_m->vm_end, prev_m->vm_pgoff, NULL);
42358 + } else { /* cases 2, 5, 7 */
42359 vma_adjust(prev, prev->vm_start,
42360 end, prev->vm_pgoff, NULL);
42362 +#ifdef CONFIG_PAX_SEGMEXEC
42364 + vma_adjust(prev_m, prev_m->vm_start,
42365 + end_m, prev_m->vm_pgoff, NULL);
42372 @@ -810,12 +874,27 @@ struct vm_area_struct *vma_merge(struct
42373 mpol_equal(policy, vma_policy(next)) &&
42374 can_vma_merge_before(next, vm_flags,
42375 anon_vma, file, pgoff+pglen)) {
42376 - if (prev && addr < prev->vm_end) /* case 4 */
42377 + if (prev && addr < prev->vm_end) { /* case 4 */
42378 vma_adjust(prev, prev->vm_start,
42379 addr, prev->vm_pgoff, NULL);
42380 - else /* cases 3, 8 */
42382 +#ifdef CONFIG_PAX_SEGMEXEC
42384 + vma_adjust(prev_m, prev_m->vm_start,
42385 + addr_m, prev_m->vm_pgoff, NULL);
42388 + } else { /* cases 3, 8 */
42389 vma_adjust(area, addr, next->vm_end,
42390 next->vm_pgoff - pglen, NULL);
42392 +#ifdef CONFIG_PAX_SEGMEXEC
42394 + vma_adjust(area_m, addr_m, next_m->vm_end,
42395 + next_m->vm_pgoff - pglen, NULL);
42402 @@ -890,14 +969,11 @@ none:
42403 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
42404 struct file *file, long pages)
42406 - const unsigned long stack_flags
42407 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
42410 mm->shared_vm += pages;
42411 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
42412 mm->exec_vm += pages;
42413 - } else if (flags & stack_flags)
42414 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
42415 mm->stack_vm += pages;
42416 if (flags & (VM_RESERVED|VM_IO))
42417 mm->reserved_vm += pages;
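Review bot: Replacing `stack_flags` with `(VM_GROWSUP|VM_GROWSDOWN)` at 42414 is a behaviour change rather than a cleanup: the removed mask at 42406-42407 was `VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN)`, so only the growth direction the architecture uses for its stacks counted as stack_vm, whereas the new test counts either direction on every architecture. That is plausibly intended, since a mapping growing in either direction is stack-like, but it changes the stack figure reported to userspace and deserves a one-line comment, e.g. `/* count either growth direction as stack, independent of the arch's VM_STACK_FLAGS */`.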
42418 @@ -924,7 +1000,7 @@ unsigned long do_mmap_pgoff(struct file
42419 * (the exception is when the underlying filesystem is noexec
42420 * mounted, in which case we dont add PROT_EXEC.)
42422 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
42423 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
42424 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
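Review bot: The comment above this condition (42419-42420, continuing outside the hunk) still describes PROT_READ implying PROT_EXEC, while the test at 42423 now also promotes PROT_WRITE-only mappings to executable under READ_IMPLIES_EXEC, so the comment is stale and the reason for the extension is undocumented. The same edit appears in sys_mprotect at 43524 under the equally stale comment at 43521. Something like `/* under READ_IMPLIES_EXEC a writable mapping is made executable as well, so legacy code that writes then executes keeps working */` would do, assuming that is the motivation; the enclosing do_mmap_pgoff starts outside the hunk.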
42427 @@ -934,15 +1010,15 @@ unsigned long do_mmap_pgoff(struct file
42428 if (!(flags & MAP_FIXED))
42429 addr = round_hint_to_min(addr);
42431 - error = arch_mmap_check(addr, len, flags);
42435 /* Careful about overflows.. */
42436 len = PAGE_ALIGN(len);
42437 if (!len || len > TASK_SIZE)
42440 + error = arch_mmap_check(addr, len, flags);
42444 /* offset overflow? */
42445 if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
42447 @@ -954,7 +1030,7 @@ unsigned long do_mmap_pgoff(struct file
42448 /* Obtain the address to map to. we verify (or select) it and ensure
42449 * that it represents a valid section of the address space.
42451 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
42452 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
42453 if (addr & ~PAGE_MASK)
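Review bot: `flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0)` at 42452 reuses the userspace MAP_EXECUTABLE bit as an in-kernel signal to get_unmapped_area that the mapping will be executable, which is easy to misread because that flag normally marks the program image rather than a protection. The arch hook consequently cannot distinguish a caller-supplied MAP_EXECUTABLE from the PROT_EXEC-derived one; that is probably harmless for address selection, but it should be stated. Suggest a comment on the line such as `/* reuse MAP_EXECUTABLE to ask the arch hook for an address suitable for executable mappings (e.g. below SEGMEXEC_TASK_SIZE) */`, hedged on what the hook does with it since that code is not in this diff section.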
42456 @@ -965,6 +1041,26 @@ unsigned long do_mmap_pgoff(struct file
42457 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
42458 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
42460 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
42461 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
42463 +#ifdef CONFIG_PAX_MPROTECT
42464 + if (mm->pax_flags & MF_PAX_MPROTECT) {
42465 + if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
42466 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
42468 + vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
42475 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
42476 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
42477 + vm_flags &= ~VM_PAGEEXEC;
42480 if (flags & MAP_LOCKED) {
42481 if (!can_do_mlock())
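Review bot: The MF_PAX_MPROTECT block at 42463-42468 (drop exec unless the request is exec-only, otherwise drop write) is repeated verbatim in install_special_mapping at 43350-43355, and do_brk at 43139-43141 carries a third variant of the same policy; one static inline helper would keep the W^X rule in a single place and make the sites agree by construction. Since `vm_flags` is derived from `prot` via calc_vm_prot_bits at 42457, testing VM_WRITE/VM_EXEC on vm_flags is equivalent to the PROT_ test used here. The helper below is a constructed example; the `else` line between 42466 and 42468 is not shown in this hunk, so its shape is taken from the install_special_mapping copy, and the PAGEEXEC/X86_32 clearing of VM_PAGEEXEC at 42476-42477 would stay where it is.
```c
#ifdef CONFIG_PAX_MPROTECT
/* Enforce W^X on a new mapping: a request that is not exec-only loses
 * exec (now and for later mprotect), an exec-only request loses write. */
static inline unsigned long pax_mprotect_vm_flags(struct mm_struct *mm, unsigned long vm_flags)
{
	if (!(mm->pax_flags & MF_PAX_MPROTECT))
		return vm_flags;
	if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
		return vm_flags & ~(VM_EXEC | VM_MAYEXEC);
	return vm_flags & ~(VM_WRITE | VM_MAYWRITE);
}
#endif
/* … at 42463 and 43350: vm_flags = pax_mprotect_vm_flags(mm, vm_flags); … */
```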
42483 @@ -978,6 +1074,7 @@ unsigned long do_mmap_pgoff(struct file
42484 locked += mm->locked_vm;
42485 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
42486 lock_limit >>= PAGE_SHIFT;
42487 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
42488 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
42491 @@ -1051,6 +1148,9 @@ unsigned long do_mmap_pgoff(struct file
42495 + if (!gr_acl_handle_mmap(file, prot))
42498 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
42500 EXPORT_SYMBOL(do_mmap_pgoff);
42501 @@ -1063,10 +1163,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
42503 int vma_wants_writenotify(struct vm_area_struct *vma)
42505 - unsigned int vm_flags = vma->vm_flags;
42506 + unsigned long vm_flags = vma->vm_flags;
42508 /* If it was private or non-writable, the write bit is already clear */
42509 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
42510 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
42513 /* The backer wishes to know when pages are first written to? */
42514 @@ -1115,14 +1215,24 @@ unsigned long mmap_region(struct file *f
42515 unsigned long charged = 0;
42516 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
42518 +#ifdef CONFIG_PAX_SEGMEXEC
42519 + struct vm_area_struct *vma_m = NULL;
42523 + * mm->mmap_sem is required to protect against another thread
42524 + * changing the mappings in case we sleep.
42526 + verify_mm_writelocked(mm);
42528 /* Clear old maps */
42531 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
42532 if (vma && vma->vm_start < addr + len) {
42533 if (do_munmap(mm, addr, len))
42535 - goto munmap_back;
42536 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
42537 + BUG_ON(vma && vma->vm_start < addr + len);
42540 /* Check against address space limit. */
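Review bot: Replacing the `goto munmap_back` retry with `BUG_ON(vma && vma->vm_start < addr + len)` at 42536-42537 (and identically in do_brk at 43177-43178) turns a previously tolerated state into a panic; the added `verify_mm_writelocked(mm)` at 42526 makes the invariant plausible, since with mmap_sem held for write nothing else can repopulate the range, but a do_munmap that returns 0 while leaving an overlapping vma would now crash the machine instead of looping. That is a deliberate assertion-over-retry trade and should say so: `/* with mmap_sem held for write a successful do_munmap leaves no overlap, so the old retry loop is unnecessary */`. If any do_munmap path can return 0 without clearing the range, keep the retry instead. mmap_region's body continues outside the hunk.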
42541 @@ -1171,6 +1281,16 @@ munmap_back:
42545 +#ifdef CONFIG_PAX_SEGMEXEC
42546 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
42547 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
42556 vma->vm_start = addr;
42557 vma->vm_end = addr + len;
42558 @@ -1193,6 +1313,19 @@ munmap_back:
42559 error = file->f_op->mmap(file, vma);
42561 goto unmap_and_free_vma;
42563 +#ifdef CONFIG_PAX_SEGMEXEC
42564 + if (vma_m && (vm_flags & VM_EXECUTABLE))
42565 + added_exe_file_vma(mm);
42568 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
42569 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
42570 + vma->vm_flags |= VM_PAGEEXEC;
42571 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
42575 if (vm_flags & VM_EXECUTABLE)
42576 added_exe_file_vma(mm);
42577 } else if (vm_flags & VM_SHARED) {
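Review bot: The PAGEEXEC/X86_32 block at 42569-42572 recomputes `vma->vm_page_prot` from the flags after `file->f_op->mmap()` has already run at 42559, which discards any protection the driver's mmap method set itself (write-combining or uncached attributes, for example). The `!(vma->vm_flags & VM_SPECIAL)` guard excludes remap_pfn_range-style drivers, which mark the vma VM_IO/VM_PFNMAP/VM_RESERVED, but not a driver that only adjusts vm_page_prot; whether such drivers matter for the mappings this targets I cannot tell from the hunk. At minimum the guard's intent should be recorded, e.g. `/* drivers that build their own PTEs mark the vma VM_SPECIAL; skip them so the vm_page_prot they chose is preserved */`. The `#endif` lines of both added blocks are not shown here.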
42578 @@ -1216,6 +1349,11 @@ munmap_back:
42579 vma_link(mm, vma, prev, rb_link, rb_parent);
42580 file = vma->vm_file;
42582 +#ifdef CONFIG_PAX_SEGMEXEC
42584 + pax_mirror_vma(vma_m, vma);
42587 /* Once vma denies write, undo our temporary denial count */
42588 if (correct_wcount)
42589 atomic_inc(&inode->i_writecount);
42590 @@ -1224,6 +1362,7 @@ out:
42592 mm->total_vm += len >> PAGE_SHIFT;
42593 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
42594 + track_exec_limit(mm, addr, addr + len, vm_flags);
42595 if (vm_flags & VM_LOCKED) {
42597 * makes pages present; downgrades, drops, reacquires mmap_sem
42598 @@ -1246,6 +1385,12 @@ unmap_and_free_vma:
42599 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
42603 +#ifdef CONFIG_PAX_SEGMEXEC
42605 + kmem_cache_free(vm_area_cachep, vma_m);
42608 kmem_cache_free(vm_area_cachep, vma);
42611 @@ -1279,6 +1424,10 @@ arch_get_unmapped_area(struct file *filp
42612 if (flags & MAP_FIXED)
42615 +#ifdef CONFIG_PAX_RANDMMAP
42616 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
42620 addr = PAGE_ALIGN(addr);
42621 vma = find_vma(mm, addr);
42622 @@ -1287,10 +1436,10 @@ arch_get_unmapped_area(struct file *filp
42625 if (len > mm->cached_hole_size) {
42626 - start_addr = addr = mm->free_area_cache;
42627 + start_addr = addr = mm->free_area_cache;
42629 - start_addr = addr = TASK_UNMAPPED_BASE;
42630 - mm->cached_hole_size = 0;
42631 + start_addr = addr = mm->mmap_base;
42632 + mm->cached_hole_size = 0;
42636 @@ -1301,9 +1450,8 @@ full_search:
42637 * Start a new search - just in case we missed
42640 - if (start_addr != TASK_UNMAPPED_BASE) {
42641 - addr = TASK_UNMAPPED_BASE;
42642 - start_addr = addr;
42643 + if (start_addr != mm->mmap_base) {
42644 + start_addr = addr = mm->mmap_base;
42645 mm->cached_hole_size = 0;
42648 @@ -1325,10 +1473,16 @@ full_search:
42650 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
42653 +#ifdef CONFIG_PAX_SEGMEXEC
42654 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
42659 * Is this a new hole at the lowest possible address?
42661 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
42662 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
42663 mm->free_area_cache = addr;
42664 mm->cached_hole_size = ~0UL;
42666 @@ -1346,7 +1500,7 @@ arch_get_unmapped_area_topdown(struct fi
42668 struct vm_area_struct *vma;
42669 struct mm_struct *mm = current->mm;
42670 - unsigned long addr = addr0;
42671 + unsigned long base = mm->mmap_base, addr = addr0;
42673 /* requested length too big for entire address space */
42674 if (len > TASK_SIZE)
42675 @@ -1355,6 +1509,10 @@ arch_get_unmapped_area_topdown(struct fi
42676 if (flags & MAP_FIXED)
42679 +#ifdef CONFIG_PAX_RANDMMAP
42680 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
42683 /* requesting a specific address */
42685 addr = PAGE_ALIGN(addr);
42686 @@ -1412,13 +1570,21 @@ bottomup:
42687 * can happen with large stack limits and large mmap()
42690 + mm->mmap_base = TASK_UNMAPPED_BASE;
42692 +#ifdef CONFIG_PAX_RANDMMAP
42693 + if (mm->pax_flags & MF_PAX_RANDMMAP)
42694 + mm->mmap_base += mm->delta_mmap;
42697 + mm->free_area_cache = mm->mmap_base;
42698 mm->cached_hole_size = ~0UL;
42699 - mm->free_area_cache = TASK_UNMAPPED_BASE;
42700 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
42702 * Restore the topdown base:
42704 - mm->free_area_cache = mm->mmap_base;
42705 + mm->mmap_base = base;
42706 + mm->free_area_cache = base;
42707 mm->cached_hole_size = ~0UL;
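Review bot: The bottom-up fallback at 42690-42697 temporarily overwrites `mm->mmap_base` (and `free_area_cache`) and then restores both from the saved `base` at 42705-42706; this is needed because arch_get_unmapped_area now starts its search from `mm->mmap_base` (42631, 42643) instead of TASK_UNMAPPED_BASE, but nothing in the code says so and the save/restore looks like an accident. A short comment before 42690, `/* arch_get_unmapped_area() searches from mm->mmap_base: point it at the bottom-up base (plus the RANDMMAP delta) for this call, then restore the top-down base */`, would keep it from being "simplified" away. The delta applied at 42693-42694 presumably mirrors how mmap_base is derived in the arch layout code, which is outside this diff section; arch_get_unmapped_area_topdown begins outside the hunk.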
42710 @@ -1427,6 +1593,12 @@ bottomup:
42712 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
42715 +#ifdef CONFIG_PAX_SEGMEXEC
42716 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
42721 * Is this a new hole at the highest possible address?
42723 @@ -1434,8 +1606,10 @@ void arch_unmap_area_topdown(struct mm_s
42724 mm->free_area_cache = addr;
42726 /* dont allow allocations above current base */
42727 - if (mm->free_area_cache > mm->mmap_base)
42728 + if (mm->free_area_cache > mm->mmap_base) {
42729 mm->free_area_cache = mm->mmap_base;
42730 + mm->cached_hole_size = ~0UL;
42735 @@ -1535,6 +1709,27 @@ out:
42736 return prev ? prev->vm_next : vma;
42739 +#ifdef CONFIG_PAX_SEGMEXEC
42740 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
42742 + struct vm_area_struct *vma_m;
42744 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
42745 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
42746 + BUG_ON(vma->vm_mirror);
42749 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
42750 + vma_m = vma->vm_mirror;
42751 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
42752 + BUG_ON(vma->vm_file != vma_m->vm_file);
42753 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
42754 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
42755 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
42761 * Verify that the stack growth is acceptable and
42762 * update accounting. This is shared with both the
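Review bot: pax_find_mirror_vma has no header comment even though it is where the SEGMEXEC mirror invariants are effectively defined (matching file, pgoff, anon_vma and size, flags equal except VM_WRITE/VM_MAYWRITE/VM_ACCOUNT/VM_LOCKED, and vm_mirror cross-links); add one stating that it returns the mirror of an executable vma in a SEGMEXEC mm, presumably NULL otherwise (the return statements at 42747-42748 and after 42755 are not shown), and that it BUG()s on any inconsistency. Six BUG_ONs on every call is also heavy for production kernels: the cheap cross-link check at 42751 is worth keeping, but the field-by-field comparisons at 42752-42755 could be VM_BUG_ON so that only CONFIG_DEBUG_VM builds pay for them and a stale mirror does not take the whole machine down. The closing brace and `#endif` are outside the hunk.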
42763 @@ -1551,6 +1746,7 @@ static int acct_stack_growth(struct vm_a
42766 /* Stack limit test */
42767 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
42768 if (size > rlim[RLIMIT_STACK].rlim_cur)
42771 @@ -1560,6 +1756,7 @@ static int acct_stack_growth(struct vm_a
42772 unsigned long limit;
42773 locked = mm->locked_vm + grow;
42774 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
42775 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
42776 if (locked > limit && !capable(CAP_IPC_LOCK))
42779 @@ -1595,35 +1792,40 @@ static
42781 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
42784 + int error, locknext;
42786 if (!(vma->vm_flags & VM_GROWSUP))
42789 + /* Also guard against wrapping around to address 0. */
42790 + if (address < PAGE_ALIGN(address+1))
42791 + address = PAGE_ALIGN(address+1);
42796 * We must make sure the anon_vma is allocated
42797 * so that the anon_vma locking is not a noop.
42799 if (unlikely(anon_vma_prepare(vma)))
42801 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
42802 + if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
42804 anon_vma_lock(vma);
42806 + anon_vma_lock(vma->vm_next);
42809 * vma->vm_start/vm_end cannot change under us because the caller
42810 * is required to hold the mmap_sem in read mode. We need the
42811 - * anon_vma lock to serialize against concurrent expand_stacks.
42812 - * Also guard against wrapping around to address 0.
42813 + * anon_vma locks to serialize against concurrent expand_stacks
42814 + * and expand_upwards.
42816 - if (address < PAGE_ALIGN(address+4))
42817 - address = PAGE_ALIGN(address+4);
42819 - anon_vma_unlock(vma);
42824 /* Somebody else might have raced and expanded it already */
42825 - if (address > vma->vm_end) {
42826 + if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
42827 unsigned long size, grow;
42829 size = address - vma->vm_start;
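Review bot: With `anon_vma_lock(vma)` at 42804 followed by `anon_vma_lock(vma->vm_next)` at 42806 (under an `if (locknext)` that is not shown), the function relies on the two vmas never sharing an anon_vma, because anon_vma_lock is a plain spinlock and taking it twice would self-deadlock; expand_downwards does the same with `prev` at 42860-42862. That should hold as long as a VM_GROWSUP vma and its VM_GROWSDOWN neighbour are never merged onto one anon_vma (their vm_flags differ, so vma_merge ought to refuse), but the assumption is worth writing down: `/* vma and vma->vm_next differ in vm_flags and so never share an anon_vma; taking both locks is safe */`. Lock order (lower address first) matches expand_downwards, which is good. The anon_vma_prepare error return at 42803 and the unlock paths are outside what is shown.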
42830 @@ -1633,6 +1835,8 @@ int expand_upwards(struct vm_area_struct
42832 vma->vm_end = address;
42835 + anon_vma_unlock(vma->vm_next);
42836 anon_vma_unlock(vma);
42839 @@ -1644,7 +1848,8 @@ int expand_upwards(struct vm_area_struct
42840 static int expand_downwards(struct vm_area_struct *vma,
42841 unsigned long address)
42844 + int error, lockprev = 0;
42845 + struct vm_area_struct *prev = NULL;
42848 * We must make sure the anon_vma is allocated
42849 @@ -1658,6 +1863,15 @@ static int expand_downwards(struct vm_ar
42853 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
42854 + find_vma_prev(vma->vm_mm, address, &prev);
42855 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
42857 + if (lockprev && unlikely(anon_vma_prepare(prev)))
42860 + anon_vma_lock(prev);
42862 anon_vma_lock(vma);
42865 @@ -1667,9 +1881,15 @@ static int expand_downwards(struct vm_ar
42868 /* Somebody else might have raced and expanded it already */
42869 - if (address < vma->vm_start) {
42870 + if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
42871 unsigned long size, grow;
42873 +#ifdef CONFIG_PAX_SEGMEXEC
42874 + struct vm_area_struct *vma_m;
42876 + vma_m = pax_find_mirror_vma(vma);
42879 size = vma->vm_end - address;
42880 grow = (vma->vm_start - address) >> PAGE_SHIFT;
42882 @@ -1677,9 +1897,20 @@ static int expand_downwards(struct vm_ar
42884 vma->vm_start = address;
42885 vma->vm_pgoff -= grow;
42886 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
42888 +#ifdef CONFIG_PAX_SEGMEXEC
42890 + vma_m->vm_start -= grow << PAGE_SHIFT;
42891 + vma_m->vm_pgoff -= grow;
42897 anon_vma_unlock(vma);
42899 + anon_vma_unlock(prev);
42903 @@ -1755,6 +1986,13 @@ static void remove_vma_list(struct mm_st
42905 long nrpages = vma_pages(vma);
42907 +#ifdef CONFIG_PAX_SEGMEXEC
42908 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
42909 + vma = remove_vma(vma);
42914 // mm->total_vm -= nrpages;
42915 vx_vmpages_sub(mm, nrpages);
42916 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
42917 @@ -1799,6 +2037,16 @@ detach_vmas_to_be_unmapped(struct mm_str
42919 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
42922 +#ifdef CONFIG_PAX_SEGMEXEC
42923 + if (vma->vm_mirror) {
42924 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
42925 + vma->vm_mirror->vm_mirror = NULL;
42926 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
42927 + vma->vm_mirror = NULL;
42931 rb_erase(&vma->vm_rb, &mm->mm_rb);
42934 @@ -1818,6 +2066,108 @@ detach_vmas_to_be_unmapped(struct mm_str
42935 * Split a vma into two pieces at address 'addr', a new vma is allocated
42936 * either for the first part or the tail.
42939 +#ifdef CONFIG_PAX_SEGMEXEC
42940 +int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
42941 + unsigned long addr, int new_below)
42943 + struct mempolicy *pol;
42944 + struct vm_area_struct *new, *vma_m, *new_m = NULL;
42945 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
42947 + if (is_vm_hugetlb_page(vma) && (addr & ~HPAGE_MASK))
42950 + vma_m = pax_find_mirror_vma(vma);
42952 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
42953 + if (mm->map_count >= sysctl_max_map_count-1)
42955 + } else if (mm->map_count >= sysctl_max_map_count)
42958 + new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
42963 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
42965 + kmem_cache_free(vm_area_cachep, new);
42970 + /* most fields are the same, copy all, and then fixup */
42974 + new->vm_end = addr;
42976 + new->vm_start = addr;
42977 + new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
42982 + new_m->vm_mirror = new;
42983 + new->vm_mirror = new_m;
42986 + new_m->vm_end = addr_m;
42988 + new_m->vm_start = addr_m;
42989 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
42993 + pol = mpol_dup(vma_policy(vma));
42994 + if (IS_ERR(pol)) {
42996 + kmem_cache_free(vm_area_cachep, new_m);
42997 + kmem_cache_free(vm_area_cachep, new);
42998 + return PTR_ERR(pol);
43000 + vma_set_policy(new, pol);
43002 + if (new->vm_file) {
43003 + get_file(new->vm_file);
43004 + if (vma->vm_flags & VM_EXECUTABLE)
43005 + added_exe_file_vma(mm);
43008 + if (new->vm_ops && new->vm_ops->open)
43009 + new->vm_ops->open(new);
43012 + vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
43013 + ((addr - new->vm_start) >> PAGE_SHIFT), new);
43015 + vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
43019 + vma_set_policy(new_m, pol);
43021 + if (new_m->vm_file) {
43022 + get_file(new_m->vm_file);
43023 + if (vma_m->vm_flags & VM_EXECUTABLE)
43024 + added_exe_file_vma(mm);
43027 + if (new_m->vm_ops && new_m->vm_ops->open)
43028 + new_m->vm_ops->open(new_m);
43031 + vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
43032 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
43034 + vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
43040 int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
43041 unsigned long addr, int new_below)
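Review bot: `vma_set_policy(new_m, pol)` at 43019 gives the mirror the same mempolicy that `new` received at 43000, while mpol_dup at 42993 took exactly one reference; unless the lines hidden between 43015 and 43019 contain `mpol_get(pol);`, both vmas will mpol_put the policy when removed and the refcount underflows (only observable with a non-default NUMA policy). pax_mirror_vma later in this diff appears to take its own reference before its vma_set_policy (the line between 43307 and 43309 is not shown), so the same pattern belongs here, with a comment at 43019 such as `/* new and new_m each own one reference to pol */`. Separately, the non-SEGMEXEC split_vma at 43040 remains as a second full copy of the split logic; a comment at 42939 explaining why the SEGMEXEC variant is a copy rather than a wrapper would help the next reader.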
43043 @@ -1869,17 +2219,37 @@ int split_vma(struct mm_struct * mm, str
43049 /* Munmap is split into 2 main parts -- this part which finds
43050 * what needs doing, and the areas themselves, which do the
43051 * work. This now handles partial unmappings.
43052 * Jeremy Fitzhardinge <jeremy@goop.org>
43054 +#ifdef CONFIG_PAX_SEGMEXEC
43055 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
43057 + int ret = __do_munmap(mm, start, len);
43058 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
43061 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
43064 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
43066 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
43070 struct vm_area_struct *vma, *prev, *last;
43073 + * mm->mmap_sem is required to protect against another thread
43074 + * changing the mappings in case we sleep.
43076 + verify_mm_writelocked(mm);
43078 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
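Review bot: In the SEGMEXEC `do_munmap` wrapper at 43057-43061, if the second `__do_munmap` of the mirror range fails (for example -ENOMEM from a split), the primary range has already been unmapped and detach_vmas_to_be_unmapped at 42923-42927 has already cut the cross-link and cleared VM_EXEC on the mirror, yet the caller receives an error for a range that is in fact gone; callers such as mmap_region at 42533 return immediately on that error. The wrapper should document that the mirror unmap is best-effort and what state an orphaned mirror is left in, or the failure of the second call should be handled explicitly rather than propagated as if nothing happened. At least a comment above 43061, `/* if this fails an orphaned mirror (vm_mirror cleared, VM_EXEC cleared by detach_vmas_to_be_unmapped) survives in the upper range */`, would make the behaviour visible. The `return ret;` between 43058 and 43061 is not shown.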
43081 @@ -1943,6 +2313,8 @@ int do_munmap(struct mm_struct *mm, unsi
43082 /* Fix up all other VM information */
43083 remove_vma_list(mm, vma);
43085 + track_exec_limit(mm, start, end, 0UL);
43090 @@ -1955,22 +2327,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
43092 profile_munmap(addr);
43094 +#ifdef CONFIG_PAX_SEGMEXEC
43095 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
43096 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
43100 down_write(&mm->mmap_sem);
43101 ret = do_munmap(mm, addr, len);
43102 up_write(&mm->mmap_sem);
43106 -static inline void verify_mm_writelocked(struct mm_struct *mm)
43108 -#ifdef CONFIG_DEBUG_VM
43109 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
43111 - up_read(&mm->mmap_sem);
43117 * this is really a simplified "do_mmap". it only handles
43118 * anonymous maps. eventually we may be able to do some
43119 @@ -1984,6 +2352,11 @@ unsigned long do_brk(unsigned long addr,
43120 struct rb_node ** rb_link, * rb_parent;
43121 pgoff_t pgoff = addr >> PAGE_SHIFT;
43123 + unsigned long charged;
43125 +#ifdef CONFIG_PAX_SEGMEXEC
43126 + struct vm_area_struct *vma_m = NULL;
43129 len = PAGE_ALIGN(len);
43131 @@ -2001,19 +2374,34 @@ unsigned long do_brk(unsigned long addr,
43133 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
43135 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
43136 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43137 + flags &= ~VM_EXEC;
43139 +#ifdef CONFIG_PAX_MPROTECT
43140 + if (mm->pax_flags & MF_PAX_MPROTECT)
43141 + flags &= ~VM_MAYEXEC;
43147 error = arch_mmap_check(addr, len, flags);
43151 + charged = len >> PAGE_SHIFT;
43154 * mlock MCL_FUTURE?
43156 if (mm->def_flags & VM_LOCKED) {
43157 unsigned long locked, lock_limit;
43158 - locked = len >> PAGE_SHIFT;
43159 + locked = charged;
43160 locked += mm->locked_vm;
43161 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
43162 lock_limit >>= PAGE_SHIFT;
43163 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
43164 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
43167 @@ -2027,23 +2415,23 @@ unsigned long do_brk(unsigned long addr,
43169 * Clear old maps. this also does some error checking for us
43172 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
43173 if (vma && vma->vm_start < addr + len) {
43174 if (do_munmap(mm, addr, len))
43176 - goto munmap_back;
43177 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
43178 + BUG_ON(vma && vma->vm_start < addr + len);
43181 /* Check against address space limits *after* clearing old maps... */
43182 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
43183 + if (!may_expand_vm(mm, charged))
43186 if (mm->map_count > sysctl_max_map_count)
43189 - if (security_vm_enough_memory(len >> PAGE_SHIFT) ||
43190 - !vx_vmpages_avail(mm, len >> PAGE_SHIFT))
43191 + if (security_vm_enough_memory(charged) ||
43192 + !vx_vmpages_avail(mm, charged))
43195 /* Can we just expand an old private anonymous mapping? */
43196 @@ -2056,10 +2444,21 @@ unsigned long do_brk(unsigned long addr,
43198 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
43200 - vm_unacct_memory(len >> PAGE_SHIFT);
43201 + vm_unacct_memory(charged);
43205 +#ifdef CONFIG_PAX_SEGMEXEC
43206 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
43207 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
43209 + kmem_cache_free(vm_area_cachep, vma);
43210 + vm_unacct_memory(charged);
43217 vma->vm_start = addr;
43218 vma->vm_end = addr + len;
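Review bot: The SEGMEXEC branch at 43206 tests `flags & VM_EXEC`, but under the same MF_PAX_SEGMEXEC condition line 43137 in the earlier hunk has already cleared VM_EXEC from `flags` unconditionally, so unless something between 43141 and 43206 that is not shown puts the bit back, this block and the mirror allocation at 43207 can never execute. Either drop it, or if it is kept as a safety net against future changes to the flag computation say so: `/* unreachable while 43137 strips VM_EXEC from brk mappings; kept so brk mirrors work if that ever changes */`. The cleanup on zalloc failure at 43209-43210 looks right for the case it guards; the enclosing do_brk starts outside the hunk.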
43219 @@ -2068,14 +2467,13 @@ unsigned long do_brk(unsigned long addr,
43220 vma->vm_page_prot = vm_get_page_prot(flags);
43221 vma_link(mm, vma, prev, rb_link, rb_parent);
43223 - // mm->total_vm += len >> PAGE_SHIFT;
43224 - vx_vmpages_add(mm, len >> PAGE_SHIFT);
43225 + vx_vmpages_add(mm, charged);
43227 if (flags & VM_LOCKED) {
43228 if (!mlock_vma_pages_range(vma, addr, addr + len))
43229 - // mm->locked_vm += (len >> PAGE_SHIFT);
43230 - vx_vmlocked_add(mm, len >> PAGE_SHIFT);
43231 + vx_vmlocked_add(mm, charged);
43233 + track_exec_limit(mm, addr, addr + len, flags);
43237 @@ -2118,8 +2518,10 @@ void exit_mmap(struct mm_struct *mm)
43238 * Walk the list again, actually closing and freeing it,
43239 * with preemption enabled, without holding any MM locks.
43243 + vma->vm_mirror = NULL;
43244 vma = remove_vma(vma);
43247 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
43249 @@ -2133,6 +2535,10 @@ int insert_vm_struct(struct mm_struct *
43250 struct vm_area_struct * __vma, * prev;
43251 struct rb_node ** rb_link, * rb_parent;
43253 +#ifdef CONFIG_PAX_SEGMEXEC
43254 + struct vm_area_struct *vma_m = NULL;
43258 * The vm_pgoff of a purely anonymous vma should be irrelevant
43259 * until its first write fault, when page's anon_vma and index
43260 @@ -2155,7 +2561,22 @@ int insert_vm_struct(struct mm_struct *
43261 if ((vma->vm_flags & VM_ACCOUNT) &&
43262 security_vm_enough_memory_mm(mm, vma_pages(vma)))
43265 +#ifdef CONFIG_PAX_SEGMEXEC
43266 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
43267 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
43273 vma_link(mm, vma, prev, rb_link, rb_parent);
43275 +#ifdef CONFIG_PAX_SEGMEXEC
43277 + pax_mirror_vma(vma_m, vma);
43283 @@ -2173,6 +2594,8 @@ struct vm_area_struct *copy_vma(struct v
43284 struct rb_node **rb_link, *rb_parent;
43285 struct mempolicy *pol;
43287 + BUG_ON(vma->vm_mirror);
43290 * If anonymous vma has not yet been faulted, update new pgoff
43291 * to match new location, to increase its chance of merging.
43292 @@ -2216,6 +2639,35 @@ struct vm_area_struct *copy_vma(struct v
43296 +#ifdef CONFIG_PAX_SEGMEXEC
43297 +void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
43299 + struct vm_area_struct *prev_m;
43300 + struct rb_node **rb_link_m, *rb_parent_m;
43301 + struct mempolicy *pol_m;
43303 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
43304 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
43305 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
43307 + pol_m = vma_policy(vma_m);
43309 + vma_set_policy(vma_m, pol_m);
43310 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
43311 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
43312 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
43313 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
43314 + if (vma_m->vm_file)
43315 + get_file(vma_m->vm_file);
43316 + if (vma_m->vm_ops && vma_m->vm_ops->open)
43317 + vma_m->vm_ops->open(vma_m);
43318 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
43319 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
43320 + vma_m->vm_mirror = vma;
43321 + vma->vm_mirror = vma_m;
43326 * Return true if the calling process may expand its vm space by the passed
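Review bot: `BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));` at 43305 runs before the mirror is populated, and every caller in this diff passes a freshly zeroed vma_m (42547, 43267, 43471), so the check only passes while `vma` carries no mempolicy of its own; if a vma that was given a policy via mbind() can reach mprotect_fixup's mirror creation, this BUG_ON would be reachable from userspace on a NUMA kernel. Either the check belongs after the copy that presumably happens at the hidden line 43306, or the precondition (vma_m already a copy of vma, or vma without policy) must be documented in a header comment. The function also has no comment at all; it should state what it does per the visible lines: shifts vma_m up by SEGMEXEC_TASK_SIZE, strips VM_WRITE/VM_MAYWRITE/VM_ACCOUNT/VM_LOCKED, takes a file reference, calls vm_ops->open, links it into the tree and cross-links vm_mirror. The closing brace and `#endif` are outside the hunk.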
43328 @@ -2226,7 +2678,7 @@ int may_expand_vm(struct mm_struct *mm,
43331 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
43333 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
43334 if (cur + npages > lim)
43337 @@ -2267,7 +2719,7 @@ static void special_mapping_close(struct
43341 -static struct vm_operations_struct special_mapping_vmops = {
43342 +static const struct vm_operations_struct special_mapping_vmops = {
43343 .close = special_mapping_close,
43344 .fault = special_mapping_fault,
43346 @@ -2295,6 +2747,15 @@ int install_special_mapping(struct mm_st
43347 vma->vm_start = addr;
43348 vma->vm_end = addr + len;
43350 +#ifdef CONFIG_PAX_MPROTECT
43351 + if (mm->pax_flags & MF_PAX_MPROTECT) {
43352 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
43353 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
43355 + vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
43359 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
43360 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
43362 diff -urNp linux-2.6.31/mm/mprotect.c linux-2.6.31/mm/mprotect.c
43363 --- linux-2.6.31/mm/mprotect.c 2009-08-27 20:59:04.000000000 -0400
43364 +++ linux-2.6.31/mm/mprotect.c 2009-09-06 15:29:12.197911003 -0400
43365 @@ -24,10 +24,16 @@
43366 #include <linux/mmu_notifier.h>
43367 #include <linux/migrate.h>
43368 #include <linux/perf_counter.h>
43370 +#ifdef CONFIG_PAX_MPROTECT
43371 +#include <linux/elf.h>
43374 #include <asm/uaccess.h>
43375 #include <asm/pgtable.h>
43376 #include <asm/cacheflush.h>
43377 #include <asm/tlbflush.h>
43378 +#include <asm/mmu_context.h>
43380 #ifndef pgprot_modify
43381 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
43382 @@ -132,6 +138,48 @@ static void change_protection(struct vm_
43383 flush_tlb_range(vma, start, end);
43386 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
43387 +/* called while holding the mmap semaphor for writing except stack expansion */
43388 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
43390 + unsigned long oldlimit, newlimit = 0UL;
43392 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
43395 + spin_lock(&mm->page_table_lock);
43396 + oldlimit = mm->context.user_cs_limit;
43397 + if ((prot & VM_EXEC) && oldlimit < end)
43398 + /* USER_CS limit moved up */
43400 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
43401 + /* USER_CS limit moved down */
43402 + newlimit = start;
43405 + mm->context.user_cs_limit = newlimit;
43409 + cpus_clear(mm->context.cpu_user_cs_mask);
43410 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
43413 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
43415 + spin_unlock(&mm->page_table_lock);
43416 + if (newlimit == end) {
43417 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
43419 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
43420 + if (is_vm_hugetlb_page(vma))
43421 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
43423 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
43429 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
43430 unsigned long start, unsigned long end, unsigned long newflags)
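Review bot: The header comment at 43387 misspells "semaphore" and, more importantly, only hints at the locking model: page_table_lock covers the limit update, but the vma walk at 43417-43423 runs after the `spin_unlock` at 43415 with, for the stack-expansion caller at 42886, only mmap_sem held for read. Two concurrent expand_downwards calls can therefore each read their own `oldlimit` and both run the change_protection pass, possibly over vmas the other is still adjusting; whether that is benign depends on change_protection being idempotent for these vmas, which I cannot confirm from the hunk. The comment should say what serialises the walk, or the walk should be restricted to write-locked callers. The `return` after 43392, the `newlimit = end` assignment after 43398 and the closing braces are not shown.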
43431 @@ -144,6 +192,14 @@ mprotect_fixup(struct vm_area_struct *vm
43433 int dirty_accountable = 0;
43435 +#ifdef CONFIG_PAX_SEGMEXEC
43436 + struct vm_area_struct *vma_m = NULL;
43437 + unsigned long start_m, end_m;
43439 + start_m = start + SEGMEXEC_TASK_SIZE;
43440 + end_m = end + SEGMEXEC_TASK_SIZE;
43443 if (newflags == oldflags) {
43446 @@ -165,6 +221,38 @@ mprotect_fixup(struct vm_area_struct *vm
43450 +#ifdef CONFIG_PAX_SEGMEXEC
43451 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
43452 + if (start != vma->vm_start) {
43453 + error = split_vma(mm, vma, start, 1);
43456 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
43457 + *pprev = (*pprev)->vm_next;
43460 + if (end != vma->vm_end) {
43461 + error = split_vma(mm, vma, end, 0);
43466 + if (pax_find_mirror_vma(vma)) {
43467 + error = __do_munmap(mm, start_m, end_m - start_m);
43471 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
43476 + vma->vm_flags = newflags;
43477 + pax_mirror_vma(vma_m, vma);
43483 * First try to merge with previous and/or next vma.
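Review bot: `vma->vm_flags = newflags;` at 43476 is applied before pax_mirror_vma and then applied again by the success path at 43488; given pax_mirror_vma's `BUG_ON(... !(vma->vm_flags & VM_EXEC))` at 43303 the early assignment is presumably there so the mirror is built from the new flags, but without a comment it reads as a leftover. Suggest `/* pax_mirror_vma() copies and checks vma->vm_flags, so apply newflags before creating the mirror */` above 43476. The splits at 43453 and 43461 also happen before the merge attempt the unchanged code performs next, so the later split_vma calls there become no-ops; a comment noting that ordering dependency would help. The conditions between 43468 and 43476 are not shown.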
43485 @@ -196,8 +284,14 @@ success:
43486 * held in write mode.
43488 vma->vm_flags = newflags;
43490 +#ifdef CONFIG_PAX_MPROTECT
43491 + if (current->binfmt && current->binfmt->handle_mprotect)
43492 + current->binfmt->handle_mprotect(vma, newflags);
43495 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
43496 - vm_get_page_prot(newflags));
43497 + vm_get_page_prot(vma->vm_flags));
43499 if (vma_wants_writenotify(vma)) {
43500 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
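Review bot: The write-notify branch on the last two lines still derives the protection from `newflags`, while the line just above it was changed to use `vma->vm_flags`, so the two disagree whenever the new handle_mprotect hook alters vma->vm_flags — in that case the VM_SHARED path would reinstate bits the hook removed. Change it to `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED);` so both derivations use the post-hook flags. mprotect_fixup continues outside the hunk on both sides.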
43501 @@ -238,6 +332,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
43506 +#ifdef CONFIG_PAX_SEGMEXEC
43507 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
43508 + if (end > SEGMEXEC_TASK_SIZE)
43513 + if (end > TASK_SIZE)
43516 if (!arch_validate_prot(prot))
43519 @@ -245,7 +350,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
43521 * Does the application expect PROT_READ to imply PROT_EXEC:
43523 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
43524 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
43527 vm_flags = calc_vm_prot_bits(prot);
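Review bot: The condition now also fires for PROT_WRITE, but the comment two lines above it still reads "Does the application expect PROT_READ to imply PROT_EXEC", so it no longer describes the check. Update it to `* Does the application expect PROT_READ (or PROT_WRITE) to imply PROT_EXEC:` and state why PROT_WRITE is treated like PROT_READ here — presumably because a writable mapping is also readable on the targeted architectures, which should be confirmed rather than left implicit. The enclosing syscall body continues outside the hunk.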
43528 @@ -277,6 +382,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
43529 if (start > vma->vm_start)
43532 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
43537 +#ifdef CONFIG_PAX_MPROTECT
43538 + if (current->binfmt && current->binfmt->handle_mprotect)
43539 + current->binfmt->handle_mprotect(vma, vm_flags);
43542 for (nstart = start ; ; ) {
43543 unsigned long newflags;
43545 @@ -301,6 +416,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
43548 perf_counter_mmap(vma);
43550 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
43554 if (nstart < prev->vm_end)
43555 diff -urNp linux-2.6.31/mm/mremap.c linux-2.6.31/mm/mremap.c
43556 --- linux-2.6.31/mm/mremap.c 2009-08-27 20:59:04.000000000 -0400
43557 +++ linux-2.6.31/mm/mremap.c 2009-09-06 15:29:12.197911003 -0400
43558 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
43560 pte = ptep_clear_flush(vma, old_addr, old_pte);
43561 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
43563 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
43564 + if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
43565 + pte = pte_exprotect(pte);
43568 set_pte_at(mm, new_addr, new_pte, pte);
43571 @@ -262,6 +268,7 @@ unsigned long do_mremap(unsigned long ad
43572 struct vm_area_struct *vma;
43573 unsigned long ret = -EINVAL;
43574 unsigned long charged = 0;
43575 + unsigned long pax_task_size = TASK_SIZE;
43577 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
43579 @@ -280,6 +287,15 @@ unsigned long do_mremap(unsigned long ad
43583 +#ifdef CONFIG_PAX_SEGMEXEC
43584 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
43585 + pax_task_size = SEGMEXEC_TASK_SIZE;
43588 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
43589 + old_len > pax_task_size || addr > pax_task_size-old_len)
43592 /* new_addr is only valid if MREMAP_FIXED is specified */
43593 if (flags & MREMAP_FIXED) {
43594 if (new_addr & ~PAGE_MASK)
43595 @@ -287,16 +303,13 @@ unsigned long do_mremap(unsigned long ad
43596 if (!(flags & MREMAP_MAYMOVE))
43599 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
43600 + if (new_addr > pax_task_size - new_len)
43603 /* Check if the location we're moving into overlaps the
43604 * old location at all, and fail if it does.
43606 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
43609 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
43610 + if (addr + old_len > new_addr && new_addr + new_len > addr)
43613 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
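Review bot: The single overlap test `addr + old_len > new_addr && new_addr + new_len > addr` matches the two removed checks except when old_len is zero: the removed first check rejected new_addr == addr for any positive new_len, the new expression accepts it. If a zero-length old range can reach this point the change should be deliberate and guarded, otherwise a comment should say the case cannot occur. The test also relies on neither addition wrapping, which holds only because of the pax_task_size bounds added in the previous hunk; a comment such as `/* no wrap: both ranges were bounded against pax_task_size above */` would tie the two together. do_mremap continues outside the hunk.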
43614 @@ -334,6 +347,14 @@ unsigned long do_mremap(unsigned long ad
43619 +#ifdef CONFIG_PAX_SEGMEXEC
43620 + if (pax_find_mirror_vma(vma)) {
43626 /* We can't remap across vm area boundaries */
43627 if (old_len > vma->vm_end - addr)
43629 @@ -367,7 +388,7 @@ unsigned long do_mremap(unsigned long ad
43630 if (old_len == vma->vm_end - addr &&
43631 !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
43632 (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
43633 - unsigned long max_addr = TASK_SIZE;
43634 + unsigned long max_addr = pax_task_size;
43636 max_addr = vma->vm_next->vm_start;
43637 /* can we just expand the current mapping? */
43638 @@ -385,6 +406,7 @@ unsigned long do_mremap(unsigned long ad
43642 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
43646 @@ -395,8 +417,8 @@ unsigned long do_mremap(unsigned long ad
43649 if (flags & MREMAP_MAYMOVE) {
43650 + unsigned long map_flags = 0;
43651 if (!(flags & MREMAP_FIXED)) {
43652 - unsigned long map_flags = 0;
43653 if (vma->vm_flags & VM_MAYSHARE)
43654 map_flags |= MAP_SHARED;
43656 @@ -411,7 +433,12 @@ unsigned long do_mremap(unsigned long ad
43660 + map_flags = vma->vm_flags;
43661 ret = move_vma(vma, addr, old_len, new_len, new_addr);
43662 + if (!(ret & ~PAGE_MASK)) {
43663 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
43664 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
43668 if (ret & ~PAGE_MASK)
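Review bot: `map_flags = vma->vm_flags;` reuses a variable that, in the !MREMAP_FIXED branch of the previous hunk, holds MAP_SHARED-style mmap flags, so one name now carries two unrelated flag namespaces, apparently only so the value survives move_vma (which may free vma). A dedicated `unsigned long vm_flags = vma->vm_flags;` declared next to map_flags and captured before the move_vma call reads more clearly and keeps the mmap flags from being silently overwritten. The new `if (!(ret & ~PAGE_MASK))` block could also become the else arm of the existing `if (ret & ~PAGE_MASK)` check that follows it. The enclosing function continues outside the hunk.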
43669 diff -urNp linux-2.6.31/mm/nommu.c linux-2.6.31/mm/nommu.c
43670 --- linux-2.6.31/mm/nommu.c 2009-09-06 19:00:55.788345103 -0400
43671 +++ linux-2.6.31/mm/nommu.c 2009-09-06 19:01:14.428404175 -0400
43672 @@ -79,7 +79,7 @@ static struct kmem_cache *vm_region_jar;
43673 struct rb_root nommu_region_tree = RB_ROOT;
43674 DECLARE_RWSEM(nommu_region_sem);
43676 -struct vm_operations_struct generic_file_vm_ops = {
43677 +const struct vm_operations_struct generic_file_vm_ops = {
43681 @@ -780,15 +780,6 @@ struct vm_area_struct *find_vma(struct m
43682 EXPORT_SYMBOL(find_vma);
43686 - * - we don't extend stack VMAs under NOMMU conditions
43688 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
43690 - return find_vma(mm, addr);
43694 * expand a stack to a given address
43695 * - not supported under NOMMU conditions
43697 diff -urNp linux-2.6.31/mm/page_alloc.c linux-2.6.31/mm/page_alloc.c
43698 --- linux-2.6.31/mm/page_alloc.c 2009-09-06 19:00:55.789155480 -0400
43699 +++ linux-2.6.31/mm/page_alloc.c 2009-09-06 19:01:14.429165029 -0400
43700 @@ -559,6 +559,10 @@ static void __free_pages_ok(struct page
43702 int wasMlocked = TestClearPageMlocked(page);
43704 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
43705 + unsigned long index = 1UL << order;
43708 kmemcheck_free_shadow(page, order);
43710 for (i = 0 ; i < (1 << order) ; ++i)
43711 @@ -571,6 +575,12 @@ static void __free_pages_ok(struct page
43712 debug_check_no_obj_freed(page_address(page),
43713 PAGE_SIZE << order);
43716 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
43717 + for (; index; --index)
43718 + sanitize_highpage(page + index - 1);
43721 arch_free_page(page, order);
43722 kernel_map_pages(page, 1 << order, 0);
43724 @@ -662,8 +672,10 @@ static int prep_new_page(struct page *pa
43725 arch_alloc_page(page, order);
43726 kernel_map_pages(page, 1 << order, 1);
43728 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
43729 if (gfp_flags & __GFP_ZERO)
43730 prep_zero_page(page, order, gfp_flags);
43733 if (order && (gfp_flags & __GFP_COMP))
43734 prep_compound_page(page, order);
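Review bot: Compiling out prep_zero_page under CONFIG_PAX_MEMORY_SANITIZE makes `__GFP_ZERO` depend on every page in the free lists having already been cleared by sanitize_highpage in the free paths patched earlier in this file. Pages that entered the buddy allocator without passing through __free_pages_ok or free_hot_cold_page — memory released at boot, for instance — would then be handed out un-zeroed, and whether sanitize_highpage writes zeros at all is not visible here; both should be confirmed. Either keep the zeroing for the __GFP_ZERO case or add a comment above the #ifndef stating the guarantee, e.g. `/* PAX_MEMORY_SANITIZE zeroes every page on free, so __GFP_ZERO is already satisfied */`.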
43735 @@ -1039,6 +1051,11 @@ static void free_hot_cold_page(struct pa
43736 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
43737 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
43740 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
43741 + sanitize_highpage(page);
43744 arch_free_page(page, 0);
43745 kernel_map_pages(page, 1, 0);
43747 diff -urNp linux-2.6.31/mm/percpu.c linux-2.6.31/mm/percpu.c
43748 --- linux-2.6.31/mm/percpu.c 2009-09-06 19:00:55.790171774 -0400
43749 +++ linux-2.6.31/mm/percpu.c 2009-09-06 19:01:14.430358003 -0400
43750 @@ -105,7 +105,7 @@ static int pcpu_nr_slots __read_mostly;
43751 static size_t pcpu_chunk_struct_size __read_mostly;
43753 /* the address of the first chunk which starts with the kernel static area */
43754 -void *pcpu_base_addr __read_mostly;
43755 +void *pcpu_base_addr __read_only;
43756 EXPORT_SYMBOL_GPL(pcpu_base_addr);
43759 diff -urNp linux-2.6.31/mm/rmap.c linux-2.6.31/mm/rmap.c
43760 --- linux-2.6.31/mm/rmap.c 2009-08-27 20:59:04.000000000 -0400
43761 +++ linux-2.6.31/mm/rmap.c 2009-09-06 15:29:12.201956701 -0400
43762 @@ -103,6 +103,10 @@ int anon_vma_prepare(struct vm_area_stru
43763 struct mm_struct *mm = vma->vm_mm;
43764 struct anon_vma *allocated;
43766 +#ifdef CONFIG_PAX_SEGMEXEC
43767 + struct vm_area_struct *vma_m;
43770 anon_vma = find_mergeable_anon_vma(vma);
43773 @@ -116,6 +120,15 @@ int anon_vma_prepare(struct vm_area_stru
43774 /* page_table_lock to protect against threads */
43775 spin_lock(&mm->page_table_lock);
43776 if (likely(!vma->anon_vma)) {
43778 +#ifdef CONFIG_PAX_SEGMEXEC
43779 + vma_m = pax_find_mirror_vma(vma);
43781 + vma_m->anon_vma = anon_vma;
43782 + __anon_vma_link(vma_m);
43786 vma->anon_vma = anon_vma;
43787 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
43789 diff -urNp linux-2.6.31/mm/shmem.c linux-2.6.31/mm/shmem.c
43790 --- linux-2.6.31/mm/shmem.c 2009-08-27 20:59:04.000000000 -0400
43791 +++ linux-2.6.31/mm/shmem.c 2009-09-06 15:29:12.201956701 -0400
43793 #include <linux/swap.h>
43794 #include <linux/ima.h>
43796 -static struct vfsmount *shm_mnt;
43797 +struct vfsmount *shm_mnt;
43799 #ifdef CONFIG_SHMEM
43801 @@ -219,7 +219,7 @@ static const struct file_operations shme
43802 static const struct inode_operations shmem_inode_operations;
43803 static const struct inode_operations shmem_dir_inode_operations;
43804 static const struct inode_operations shmem_special_inode_operations;
43805 -static struct vm_operations_struct shmem_vm_ops;
43806 +static const struct vm_operations_struct shmem_vm_ops;
43808 static struct backing_dev_info shmem_backing_dev_info __read_mostly = {
43809 .ra_pages = 0, /* No readahead */
43810 @@ -2497,7 +2497,7 @@ static const struct super_operations shm
43811 .put_super = shmem_put_super,
43814 -static struct vm_operations_struct shmem_vm_ops = {
43815 +static const struct vm_operations_struct shmem_vm_ops = {
43816 .fault = shmem_fault,
43818 .set_policy = shmem_set_policy,
43819 diff -urNp linux-2.6.31/mm/slab.c linux-2.6.31/mm/slab.c
43820 --- linux-2.6.31/mm/slab.c 2009-08-27 20:59:04.000000000 -0400
43821 +++ linux-2.6.31/mm/slab.c 2009-09-06 15:29:12.203076903 -0400
43822 @@ -308,7 +308,7 @@ struct kmem_list3 {
43823 * Need this for bootstrapping a per node allocator.
43825 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
43826 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
43827 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
43828 #define CACHE_CACHE 0
43829 #define SIZE_AC MAX_NUMNODES
43830 #define SIZE_L3 (2 * MAX_NUMNODES)
43831 @@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
43832 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
43834 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
43835 - const struct slab *slab, void *obj)
43836 + const struct slab *slab, const void *obj)
43838 u32 offset = (obj - slab->s_mem);
43839 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
43840 @@ -584,14 +584,14 @@ struct cache_names {
43841 static struct cache_names __initdata cache_names[] = {
43842 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
43843 #include <linux/kmalloc_sizes.h>
43849 static struct arraycache_init initarray_cache __initdata =
43850 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
43851 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
43852 static struct arraycache_init initarray_generic =
43853 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
43854 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
43856 /* internal cache of cache description objs */
43857 static struct kmem_cache cache_cache = {
43858 @@ -4473,15 +4473,64 @@ static const struct file_operations proc
43860 static int __init slab_proc_init(void)
43862 +#if !defined(CONFIG_GRKERNSEC_PROC_ADD)
43863 proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
43864 #ifdef CONFIG_DEBUG_SLAB_LEAK
43865 proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
43870 module_init(slab_proc_init);
43873 +void check_object_size(const void *ptr, unsigned long n, bool to)
43876 +#ifdef CONFIG_PAX_USERCOPY
43877 + struct kmem_cache *cachep;
43878 + struct slab *slabp;
43879 + struct page *page;
43880 + unsigned int objnr;
43881 + unsigned long offset;
43886 + if (ZERO_OR_NULL_PTR(ptr))
43889 + if (!virt_addr_valid(ptr))
43892 + page = virt_to_head_page(ptr);
43894 + /* XXX: can get a little tighter with this stack check */
43895 + if (!PageSlab(page) && object_is_on_stack(ptr) &&
43896 + (n > ((unsigned long)task_stack_page(current) + THREAD_SIZE -
43897 + (unsigned long)ptr)))
43902 + cachep = page_get_cache(page);
43903 + slabp = page_get_slab(page);
43904 + objnr = obj_to_index(cachep, slabp, ptr);
43905 + BUG_ON(objnr >= cachep->num);
43906 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
43907 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
43912 + pax_report_leak_to_user(ptr, n);
43914 + pax_report_overflow_from_user(ptr, n);
43918 +EXPORT_SYMBOL(check_object_size);
43921 * ksize - get the actual amount of memory allocated for a given object
43922 * @objp: Pointer to the object
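Review bot: The check_object_size added here shares its prologue — the ZERO_OR_NULL_PTR and virt_addr_valid guards, the stack-bound test with its XXX comment, and the pax_report_* tail — with the copies added to mm/slob.c (`@@ -528,13 +540,86 @@`) and mm/slub.c (`@@ -2875,6 +2874,48 @@`); only the allocator-specific object-bounds lookup differs. Hoisting the common part into one helper that each allocator supplies a bounds lookup for would keep the three from drifting, which matters for a check that gates user copies. The function also has no comment stating its contract; a header such as `/* Verify that [ptr, ptr+n) lies within one slab object or the current stack, else report via pax_report_*; 'to' selects the leak vs overflow report. */` would help, with the meaning of `to` confirmed against the elided lines. Several lines of the body are elided on this page.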
43923 diff -urNp linux-2.6.31/mm/slob.c linux-2.6.31/mm/slob.c
43924 --- linux-2.6.31/mm/slob.c 2009-08-27 20:59:04.000000000 -0400
43925 +++ linux-2.6.31/mm/slob.c 2009-09-06 15:29:12.204173926 -0400
43927 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
43928 * alloc_pages() directly, allocating compound pages so the page order
43929 * does not have to be separately tracked, and also stores the exact
43930 - * allocation size in page->private so that it can be used to accurately
43931 + * allocation size in slob_page->size so that it can be used to accurately
43932 * provide ksize(). These objects are detected in kfree() because slob_page()
43933 * is false for them.
43938 #include <linux/kernel.h>
43939 +#include <linux/sched.h>
43940 #include <linux/slab.h>
43941 #include <linux/mm.h>
43942 #include <linux/swap.h> /* struct reclaim_state */
43943 @@ -100,7 +101,8 @@ struct slob_page {
43944 unsigned long flags; /* mandatory */
43945 atomic_t _count; /* mandatory */
43946 slobidx_t units; /* free units left in page */
43947 - unsigned long pad[2];
43948 + unsigned long pad[1];
43949 + unsigned long size; /* size when >=PAGE_SIZE */
43950 slob_t *free; /* first free slob_t in page */
43951 struct list_head list; /* linked list of free pages */
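Review bot: The new `size` member overlays a word of struct page (the patch casts between the two and uses `sp->page`), and `is_slob_page` in the next hunk (`@@ -133,7 +135,7 @@`) treats a non-zero value as "not a slob page", so every small slob page relies on that word being zero and every large-kmalloc page must have it reset before the page goes back to the page allocator. Neither requirement is stated; add `unsigned long size; /* >= PAGE_SIZE allocations only; must be 0 on slob pages and cleared before the page is freed */` and confirm that the free paths, whose lines are elided on this page, do clear it.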
43953 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
43955 static inline int is_slob_page(struct slob_page *sp)
43957 - return PageSlab((struct page *)sp);
43958 + return PageSlab((struct page *)sp) && !sp->size;
43961 static inline void set_slob_page(struct slob_page *sp)
43962 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
43964 * Return the size of a slob block.
43966 -static slobidx_t slob_units(slob_t *s)
43967 +static slobidx_t slob_units(const slob_t *s)
43971 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
43973 * Return the next free slob block pointer after this one.
43975 -static slob_t *slob_next(slob_t *s)
43976 +static slob_t *slob_next(const slob_t *s)
43978 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
43980 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
43982 * Returns true if s is the last free block in its page.
43984 -static int slob_last(slob_t *s)
43985 +static int slob_last(const slob_t *s)
43987 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
43989 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
43993 + set_slob_page(page);
43994 return page_address(page);
43997 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
44001 - set_slob_page(sp);
44003 spin_lock_irqsave(&slob_lock, flags);
44004 sp->units = SLOB_UNITS(PAGE_SIZE);
44007 INIT_LIST_HEAD(&sp->list);
44008 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
44009 set_slob_page_free(sp, slob_list);
44010 @@ -475,10 +478,9 @@ out:
44011 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
44014 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
44015 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
44018 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
44022 lockdep_trace_alloc(gfp);
44023 @@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
44028 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
44029 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
44030 + m[0].units = size;
44031 + m[1].units = align;
44032 ret = (void *)m + align;
44034 trace_kmalloc_node(_RET_IP_, ret,
44035 @@ -501,9 +506,9 @@ void *__kmalloc_node(size_t size, gfp_t
44037 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
44039 - struct page *page;
44040 - page = virt_to_page(ret);
44041 - page->private = size;
44042 + struct slob_page *sp;
44043 + sp = (struct slob_page *)virt_to_head_page(ret);
44047 trace_kmalloc_node(_RET_IP_, ret,
44048 @@ -513,6 +518,13 @@ void *__kmalloc_node(size_t size, gfp_t
44049 kmemleak_alloc(ret, size, 1, gfp);
44053 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
44055 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
44057 + return __kmalloc_node_align(size, gfp, node, align);
44059 EXPORT_SYMBOL(__kmalloc_node);
44061 void kfree(const void *block)
44062 @@ -528,13 +540,86 @@ void kfree(const void *block)
44063 sp = slob_page(block);
44064 if (is_slob_page(sp)) {
44065 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
44066 - unsigned int *m = (unsigned int *)(block - align);
44067 - slob_free(m, *m + align);
44069 + slob_t *m = (slob_t *)(block - align);
44070 + slob_free(m, m[0].units + align);
44072 + clear_slob_page(sp);
44073 + free_slob_page(sp);
44075 put_page(&sp->page);
44078 EXPORT_SYMBOL(kfree);
44080 +void check_object_size(const void *ptr, unsigned long n, bool to)
44083 +#ifdef CONFIG_PAX_USERCOPY
44084 + struct slob_page *sp;
44085 + const slob_t *free;
44086 + const void *base;
44091 + if (ZERO_OR_NULL_PTR(ptr))
44094 + if (!virt_addr_valid(ptr))
44097 + sp = (struct slob_page *)virt_to_head_page(ptr);
44098 + /* XXX: can get a little tighter with this stack check */
44099 + if (!PageSlobPage((struct page*)sp) && object_is_on_stack(ptr) &&
44100 + (n > ((unsigned long)task_stack_page(current) + THREAD_SIZE -
44101 + (unsigned long)ptr)))
44107 + base = page_address(&sp->page);
44108 + if (base <= ptr && n <= sp->size - (ptr - base))
44113 + /* some tricky double walking to find the chunk */
44114 + base = (void *)((unsigned long)ptr & PAGE_MASK);
44117 + while (!slob_last(free) && (void *)free <= ptr) {
44118 + base = free + slob_units(free);
44119 + free = slob_next(free);
44122 + while (base < (void *)free) {
44123 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
44124 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
44127 + if (ptr < base + align)
44130 + offset = ptr - base - align;
44131 + if (offset < m) {
44132 + if (n <= m - offset)
44141 + pax_report_leak_to_user(ptr, n);
44143 + pax_report_overflow_from_user(ptr, n);
44147 +EXPORT_SYMBOL(check_object_size);
44149 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
44150 size_t ksize(const void *block)
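Review bot: In the large-allocation branch `if (base <= ptr && n <= sp->size - (ptr - base))`, the subtraction is performed in unsigned long, so if ptr lies beyond base + sp->size (inside the trailing slack of the compound page) the difference wraps and the test passes for any n. Add the missing bound: `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. This mirrors the slab.c and slub.c variants, which compare the offset against the object size before subtracting. Lines of this function are elided on the page, so if an earlier guard already rejects such pointers the note is moot.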
44152 @@ -547,10 +632,10 @@ size_t ksize(const void *block)
44153 sp = slob_page(block);
44154 if (is_slob_page(sp)) {
44155 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
44156 - unsigned int *m = (unsigned int *)(block - align);
44157 - return SLOB_UNITS(*m) * SLOB_UNIT;
44158 + slob_t *m = (slob_t *)(block - align);
44159 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
44161 - return sp->page.private;
44164 EXPORT_SYMBOL(ksize);
44166 @@ -605,17 +690,25 @@ void *kmem_cache_alloc_node(struct kmem_
44170 +#ifdef CONFIG_PAX_USERCOPY
44171 + b = __kmalloc_node_align(c->size, flags, node, c->align);
44173 if (c->size < PAGE_SIZE) {
44174 b = slob_alloc(c->size, flags, c->align, node);
44175 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
44176 SLOB_UNITS(c->size) * SLOB_UNIT,
44179 + struct slob_page *sp;
44181 b = slob_new_pages(flags, get_order(c->size), node);
44182 + sp = (struct slob_page *)virt_to_head_page(b);
44183 + sp->size = c->size;
44184 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
44185 PAGE_SIZE << get_order(c->size),
44192 @@ -627,10 +720,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
44194 static void __kmem_cache_free(void *b, int size)
44196 - if (size < PAGE_SIZE)
44197 + struct slob_page *sp = (struct slob_page *)virt_to_head_page(b);
44199 + if (slob_page(sp))
44200 slob_free(b, size);
44203 + clear_slob_page(sp);
44204 + free_slob_page(sp);
44206 slob_free_pages(b, get_order(size));
44210 static void kmem_rcu_free(struct rcu_head *head)
44211 @@ -643,15 +742,24 @@ static void kmem_rcu_free(struct rcu_hea
44213 void kmem_cache_free(struct kmem_cache *c, void *b)
44215 + int size = c->size;
44217 +#ifdef CONFIG_PAX_USERCOPY
44218 + if (size + c->align < PAGE_SIZE) {
44219 + size += c->align;
44224 kmemleak_free_recursive(b, c->flags);
44225 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
44226 struct slob_rcu *slob_rcu;
44227 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
44228 + slob_rcu = b + (size - sizeof(struct slob_rcu));
44229 INIT_RCU_HEAD(&slob_rcu->head);
44230 - slob_rcu->size = c->size;
44231 + slob_rcu->size = size;
44232 call_rcu(&slob_rcu->head, kmem_rcu_free);
44234 - __kmem_cache_free(b, c->size);
44235 + __kmem_cache_free(b, size);
44238 trace_kmem_cache_free(_RET_IP_, b);
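Review bot: Under CONFIG_PAX_USERCOPY `size += c->align;` accounts for the header that `__kmalloc_node_align` places in front of each object, but the visible lines do not rewind `b` by `c->align` to match, and both the slob_rcu placement and `__kmem_cache_free(b, size)` then operate on the un-adjusted pointer. If the elided lines between `size += c->align;` and `kmemleak_free_recursive` do not contain `b -= c->align;`, the wrong block is freed; if they do, a comment such as `/* undo the header offset applied by __kmalloc_node_align */` would make the pairing visible.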
44239 diff -urNp linux-2.6.31/mm/slub.c linux-2.6.31/mm/slub.c
44240 --- linux-2.6.31/mm/slub.c 2009-09-06 19:00:55.791265797 -0400
44241 +++ linux-2.6.31/mm/slub.c 2009-09-06 19:01:14.431242543 -0400
44242 @@ -1915,7 +1915,7 @@ static int slub_min_objects;
44243 * Merge control. If this is set then no merging of slab caches will occur.
44244 * (Could be removed. This was introduced to pacify the merge skeptics.)
44246 -static int slub_nomerge;
44247 +static int slub_nomerge = 1;
44250 * Calculate the order of allocation given an slab object size.
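Review bot: `static int slub_nomerge = 1;` flips the default so caches are no longer merged unless the boot parameter clears it, but the comment above still describes the flag as something that is "set" to disable merging, and if the slub_nomerge parameter documentation is not updated elsewhere it becomes wrong too. Extend the comment, e.g. `* Merge control. Merging is disabled by default here; see the slub_nomerge boot parameter.`, and state why the default changed, since it affects memory footprint and the per-cache object sizes seen by the new check_object_size.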
44251 @@ -2458,7 +2458,7 @@ static int kmem_cache_open(struct kmem_c
44252 * list to avoid pounding the page allocator excessively.
44254 set_min_partial(s, ilog2(s->size));
44256 + atomic_set(&s->refcount, 1);
44258 s->remote_node_defrag_ratio = 1000;
44260 @@ -2595,8 +2595,7 @@ static inline int kmem_cache_close(struc
44261 void kmem_cache_destroy(struct kmem_cache *s)
44263 down_write(&slub_lock);
44265 - if (!s->refcount) {
44266 + if (atomic_dec_and_test(&s->refcount)) {
44267 list_del(&s->list);
44268 up_write(&slub_lock);
44269 if (kmem_cache_close(s)) {
44270 @@ -2875,6 +2874,48 @@ void *__kmalloc_node(size_t size, gfp_t
44271 EXPORT_SYMBOL(__kmalloc_node);
44274 +void check_object_size(const void *ptr, unsigned long n, bool to)
44277 +#ifdef CONFIG_PAX_USERCOPY
44278 + struct page *page;
44279 + struct kmem_cache *s;
44280 + unsigned long offset;
44285 + if (ZERO_OR_NULL_PTR(ptr))
44288 + if (!virt_addr_valid(ptr))
44291 + page = get_object_page(ptr);
44293 + /* XXX: can get a little tighter with this stack check */
44294 + if (!page && object_is_on_stack(ptr) &&
44295 + (n > ((unsigned long)task_stack_page(current) + THREAD_SIZE -
44296 + (unsigned long)ptr)))
44302 + offset = (ptr - page_address(page)) % s->size;
44303 + if (offset <= s->objsize && n <= s->objsize - offset)
44308 + pax_report_leak_to_user(ptr, n);
44310 + pax_report_overflow_from_user(ptr, n);
44314 +EXPORT_SYMBOL(check_object_size);
44316 size_t ksize(const void *object)
44319 @@ -3146,7 +3187,7 @@ void __init kmem_cache_init(void)
44321 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
44322 sizeof(struct kmem_cache_node), GFP_NOWAIT);
44323 - kmalloc_caches[0].refcount = -1;
44324 + atomic_set(&kmalloc_caches[0].refcount, -1);
44327 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
44328 @@ -3240,7 +3281,7 @@ static int slab_unmergeable(struct kmem_
44330 * We may have set a slab to be unmergeable during bootstrap.
44332 - if (s->refcount < 0)
44333 + if (atomic_read(&s->refcount) < 0)
44337 @@ -3297,7 +3338,7 @@ struct kmem_cache *kmem_cache_create(con
44342 + atomic_inc(&s->refcount);
44344 * Adjust the object sizes so that we clear
44345 * the complete object on kzalloc.
44346 @@ -3316,7 +3357,7 @@ struct kmem_cache *kmem_cache_create(con
44348 if (sysfs_slab_alias(s, name)) {
44349 down_write(&slub_lock);
44351 + atomic_dec(&s->refcount);
44352 up_write(&slub_lock);
44355 @@ -4045,7 +4086,7 @@ SLAB_ATTR_RO(ctor);
44357 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
44359 - return sprintf(buf, "%d\n", s->refcount - 1);
44360 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
44362 SLAB_ATTR_RO(aliases);
44364 @@ -4726,7 +4767,9 @@ static const struct file_operations proc
44366 static int __init slab_proc_init(void)
44368 +#if !defined(CONFIG_GRKERNSEC_PROC_ADD)
44369 proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
44373 module_init(slab_proc_init);
44374 diff -urNp linux-2.6.31/mm/util.c linux-2.6.31/mm/util.c
44375 --- linux-2.6.31/mm/util.c 2009-08-27 20:59:04.000000000 -0400
44376 +++ linux-2.6.31/mm/util.c 2009-09-06 15:29:12.206144967 -0400
44377 @@ -224,6 +224,12 @@ EXPORT_SYMBOL(strndup_user);
44378 void arch_pick_mmap_layout(struct mm_struct *mm)
44380 mm->mmap_base = TASK_UNMAPPED_BASE;
44382 +#ifdef CONFIG_PAX_RANDMMAP
44383 + if (mm->pax_flags & MF_PAX_RANDMMAP)
44384 + mm->mmap_base += mm->delta_mmap;
44387 mm->get_unmapped_area = arch_get_unmapped_area;
44388 mm->unmap_area = arch_unmap_area;
44390 diff -urNp linux-2.6.31/mm/vmalloc.c linux-2.6.31/mm/vmalloc.c
44391 --- linux-2.6.31/mm/vmalloc.c 2009-08-27 20:59:04.000000000 -0400
44392 +++ linux-2.6.31/mm/vmalloc.c 2009-09-06 15:29:12.206144967 -0400
44393 @@ -91,6 +91,11 @@ static int vmap_pte_range(pmd_t *pmd, un
44394 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
44397 + int ret = -ENOMEM;
44399 +#ifdef CONFIG_PAX_KERNEXEC
44400 + unsigned long cr0;
44404 * nr is a running index into the array which helps higher level
44405 @@ -100,17 +105,33 @@ static int vmap_pte_range(pmd_t *pmd, un
44406 pte = pte_alloc_kernel(pmd, addr);
44410 +#ifdef CONFIG_PAX_KERNEXEC
44411 + pax_open_kernel(cr0);
44415 struct page *page = pages[*nr];
44417 - if (WARN_ON(!pte_none(*pte)))
44419 - if (WARN_ON(!page))
44421 + if (WARN_ON(!pte_none(*pte))) {
44425 + if (WARN_ON(!page)) {
44429 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
44431 } while (pte++, addr += PAGE_SIZE, addr != end);
44436 +#ifdef CONFIG_PAX_KERNEXEC
44437 + pax_close_kernel(cr0);
44443 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
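Review bot: With pax_open_kernel(cr0) now bracketing the pte loop, every exit from inside the loop must reach pax_close_kernel(cr0); the two WARN_ON branches were turned into blocks whose bodies are elided here, so confirm they set `ret` and jump to the close rather than `return` as the old code did. A one-line comment on the open, `/* every exit below must go through pax_close_kernel() */`, would document the invariant for later edits. vmap_pte_range's return statement is outside the visible lines.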
44444 @@ -1132,6 +1153,16 @@ static struct vm_struct *__get_vm_area_n
44445 unsigned long align = 1;
44447 BUG_ON(in_interrupt());
44449 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
44450 + if (flags & VM_KERNEXEC) {
44451 + if (start != VMALLOC_START || end != VMALLOC_END)
44453 + start = (unsigned long)&MODULES_EXEC_VADDR;
44454 + end = (unsigned long)&MODULES_EXEC_END;
44458 if (flags & VM_IOREMAP) {
44459 int bit = fls(size);
44461 @@ -1371,6 +1402,11 @@ void *vmap(struct page **pages, unsigned
44462 if (count > num_physpages)
44465 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
44466 + if (!(pgprot_val(prot) & _PAGE_NX))
44467 + flags |= VM_KERNEXEC;
44470 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
44471 __builtin_return_address(0));
44473 @@ -1478,6 +1514,13 @@ static void *__vmalloc_node(unsigned lon
44474 if (!size || (size >> PAGE_SHIFT) > num_physpages)
44477 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
44478 + if (!(pgprot_val(prot) & _PAGE_NX))
44479 + area = __get_vm_area_node(size, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
44480 + node, gfp_mask, caller);
44484 area = __get_vm_area_node(size, VM_ALLOC, VMALLOC_START, VMALLOC_END,
44485 node, gfp_mask, caller);
44487 @@ -1496,6 +1539,7 @@ static void *__vmalloc_node(unsigned lon
44492 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
44494 return __vmalloc_node(size, gfp_mask, prot, -1,
44495 @@ -1512,6 +1556,7 @@ EXPORT_SYMBOL(__vmalloc);
44496 * For tight control over page level allocator and protection flags
44497 * use __vmalloc() instead.
44500 void *vmalloc(unsigned long size)
44502 return __vmalloc_node(size, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
44503 @@ -1526,6 +1571,7 @@ EXPORT_SYMBOL(vmalloc);
44504 * The resulting memory area is zeroed so it can be mapped to userspace
44505 * without leaking data.
44507 +#undef vmalloc_user
44508 void *vmalloc_user(unsigned long size)
44510 struct vm_struct *area;
44511 @@ -1552,6 +1598,7 @@ EXPORT_SYMBOL(vmalloc_user);
44512 * For tight control over page level allocator and protection flags
44513 * use __vmalloc() instead.
44515 +#undef vmalloc_node
44516 void *vmalloc_node(unsigned long size, int node)
44518 return __vmalloc_node(size, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
44519 @@ -1574,10 +1621,10 @@ EXPORT_SYMBOL(vmalloc_node);
44520 * For tight control over page level allocator and protection flags
44521 * use __vmalloc() instead.
44524 +#undef vmalloc_exec
44525 void *vmalloc_exec(unsigned long size)
44527 - return __vmalloc_node(size, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
44528 + return __vmalloc_node(size, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
44529 -1, __builtin_return_address(0));
44532 @@ -1596,6 +1643,7 @@ void *vmalloc_exec(unsigned long size)
44533 * Allocate enough 32bit PA addressable pages to cover @size from the
44534 * page level allocator and map them into contiguous kernel virtual space.
44537 void *vmalloc_32(unsigned long size)
44539 return __vmalloc_node(size, GFP_VMALLOC32, PAGE_KERNEL,
44540 @@ -1610,6 +1658,7 @@ EXPORT_SYMBOL(vmalloc_32);
44541 * The resulting memory area is 32bit addressable and zeroed so it can be
44542 * mapped to userspace without leaking data.
44544 +#undef vmalloc_32_user
44545 void *vmalloc_32_user(unsigned long size)
44547 struct vm_struct *area;
44548 diff -urNp linux-2.6.31/net/atm/atm_misc.c linux-2.6.31/net/atm/atm_misc.c
44549 --- linux-2.6.31/net/atm/atm_misc.c 2009-08-27 20:59:04.000000000 -0400
44550 +++ linux-2.6.31/net/atm/atm_misc.c 2009-09-06 15:29:12.207121824 -0400
44551 @@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
44552 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
44554 atm_return(vcc,truesize);
44555 - atomic_inc(&vcc->stats->rx_drop);
44556 + atomic_inc_unchecked(&vcc->stats->rx_drop);
44560 @@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
44563 atm_return(vcc,guess);
44564 - atomic_inc(&vcc->stats->rx_drop);
44565 + atomic_inc_unchecked(&vcc->stats->rx_drop);
44569 @@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
44571 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
44573 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
44574 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
44576 #undef __HANDLE_ITEM
44578 @@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
44580 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
44582 -#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
44583 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
44585 #undef __HANDLE_ITEM
44587 diff -urNp linux-2.6.31/net/atm/proc.c linux-2.6.31/net/atm/proc.c
44588 --- linux-2.6.31/net/atm/proc.c 2009-08-27 20:59:04.000000000 -0400
44589 +++ linux-2.6.31/net/atm/proc.c 2009-09-06 15:29:12.207121824 -0400
44590 @@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
44591 const struct k_atm_aal_stats *stats)
44593 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
44594 - atomic_read(&stats->tx),atomic_read(&stats->tx_err),
44595 - atomic_read(&stats->rx),atomic_read(&stats->rx_err),
44596 - atomic_read(&stats->rx_drop));
44597 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
44598 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
44599 + atomic_read_unchecked(&stats->rx_drop));
44602 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
44603 diff -urNp linux-2.6.31/net/atm/resources.c linux-2.6.31/net/atm/resources.c
44604 --- linux-2.6.31/net/atm/resources.c 2009-08-27 20:59:04.000000000 -0400
44605 +++ linux-2.6.31/net/atm/resources.c 2009-09-06 15:29:12.207955071 -0400
44606 @@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
44607 static void copy_aal_stats(struct k_atm_aal_stats *from,
44608 struct atm_aal_stats *to)
44610 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
44611 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
44613 #undef __HANDLE_ITEM
44615 @@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
44616 static void subtract_aal_stats(struct k_atm_aal_stats *from,
44617 struct atm_aal_stats *to)
44619 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
44620 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
44622 #undef __HANDLE_ITEM
44624 diff -urNp linux-2.6.31/net/bridge/br_stp_if.c linux-2.6.31/net/bridge/br_stp_if.c
44625 --- linux-2.6.31/net/bridge/br_stp_if.c 2009-08-27 20:59:04.000000000 -0400
44626 +++ linux-2.6.31/net/bridge/br_stp_if.c 2009-09-06 15:29:12.207955071 -0400
44627 @@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
44628 char *envp[] = { NULL };
44630 if (br->stp_enabled == BR_USER_STP) {
44631 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
44632 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
44633 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
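Review bot: Replacing the bare `1` with `UMH_WAIT_PROC` is a readability fix and, assuming the enum value is still 1, changes no behaviour; the commit message should say so, so that cosmetic and security-relevant parts of this patch stay distinguishable. Since `r` is then the exit status collected from the waited-for helper rather than a plain return code, the printk could read `"%s: userspace STP stopped, exit status %d\n"` to avoid misleading log readers. `br_stp_stop` begins outside the hunk.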
44636 diff -urNp linux-2.6.31/net/core/flow.c linux-2.6.31/net/core/flow.c
44637 --- linux-2.6.31/net/core/flow.c 2009-08-27 20:59:04.000000000 -0400
44638 +++ linux-2.6.31/net/core/flow.c 2009-09-06 15:29:12.207955071 -0400
44639 @@ -39,7 +39,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
44641 static u32 flow_hash_shift;
44642 #define flow_hash_size (1 << flow_hash_shift)
44643 -static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
44644 +static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
44646 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
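Review bot: Dropping the `= { NULL }` initialiser is behaviour-neutral only because static storage is zero-initialised anyway, so the reason for the change — most likely a missing-braces/missing-field warning, or keeping the variable out of the initialised per-cpu section — belongs in the commit message rather than being left for the reader to guess. The same applies to the two following hunks for `flow_hash_info` and `flow_flush_tasklets`, which should be described together.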
44648 @@ -52,7 +52,7 @@ struct flow_percpu_info {
44652 -static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
44653 +static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
44655 #define flow_hash_rnd_recalc(cpu) \
44656 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
44657 @@ -69,7 +69,7 @@ struct flow_flush_info {
44659 struct completion completion;
44661 -static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
44662 +static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
44664 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
44666 diff -urNp linux-2.6.31/net/dccp/ccids/ccid3.c linux-2.6.31/net/dccp/ccids/ccid3.c
44667 --- linux-2.6.31/net/dccp/ccids/ccid3.c 2009-08-27 20:59:04.000000000 -0400
44668 +++ linux-2.6.31/net/dccp/ccids/ccid3.c 2009-09-06 15:29:12.209058297 -0400
44670 static int ccid3_debug;
44671 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
44673 -#define ccid3_pr_debug(format, a...)
44674 +#define ccid3_pr_debug(format, a...) do {} while (0)
44678 diff -urNp linux-2.6.31/net/dccp/dccp.h linux-2.6.31/net/dccp/dccp.h
44679 --- linux-2.6.31/net/dccp/dccp.h 2009-08-27 20:59:04.000000000 -0400
44680 +++ linux-2.6.31/net/dccp/dccp.h 2009-09-06 15:29:12.209058297 -0400
44681 @@ -44,9 +44,9 @@ extern int dccp_debug;
44682 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
44683 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
44685 -#define dccp_pr_debug(format, a...)
44686 -#define dccp_pr_debug_cat(format, a...)
44687 -#define dccp_debug(format, a...)
44688 +#define dccp_pr_debug(format, a...) do {} while (0)
44689 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
44690 +#define dccp_debug(format, a...) do {} while (0)
44693 extern struct inet_hashinfo dccp_hashinfo;
44694 diff -urNp linux-2.6.31/net/ipv4/inet_hashtables.c linux-2.6.31/net/ipv4/inet_hashtables.c
44695 --- linux-2.6.31/net/ipv4/inet_hashtables.c 2009-08-27 20:59:04.000000000 -0400
44696 +++ linux-2.6.31/net/ipv4/inet_hashtables.c 2009-09-06 15:29:12.209058297 -0400
44697 @@ -18,12 +18,15 @@
44698 #include <linux/sched.h>
44699 #include <linux/slab.h>
44700 #include <linux/wait.h>
44701 +#include <linux/security.h>
44703 #include <net/inet_connection_sock.h>
44704 #include <net/inet_hashtables.h>
44705 #include <net/route.h>
44706 #include <net/ip.h>
44708 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
44711 * Allocate and initialize a new local port bind bucket.
44712 * The bindhash mutex for snum's hash chain must be held here.
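Review bot: The `extern void gr_update_task_in_ip_table(...)` prototype is declared directly in the .c file instead of a header, so this declaration and the definition can silently drift apart (checkpatch flags exactly this). Move it into a grsecurity header included next to the new `<linux/security.h>` line so the compiler checks both sides against one prototype. The same pattern recurs in net/ipv4/udp.c and net/socket.c in this patch and could be fixed in one header.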
44713 @@ -490,6 +493,8 @@ ok:
44715 spin_unlock(&head->lock);
44717 + gr_update_task_in_ip_table(current, inet_sk(sk));
44720 inet_twsk_deschedule(tw, death_row);
44722 diff -urNp linux-2.6.31/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.31/net/ipv4/netfilter/nf_nat_snmp_basic.c
44723 --- linux-2.6.31/net/ipv4/netfilter/nf_nat_snmp_basic.c 2009-08-27 20:59:04.000000000 -0400
44724 +++ linux-2.6.31/net/ipv4/netfilter/nf_nat_snmp_basic.c 2009-09-06 15:29:12.210051614 -0400
44725 @@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
44729 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
44730 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
44731 if (*octets == NULL) {
44732 if (net_ratelimit())
44733 printk("OOM in bsalg (%d)\n", __LINE__);
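Review bot: Wrapping `eoc - ctx->pointer` in parentheses is a no-op for the compiler, so if the intent is to satisfy an external checker (a size-overflow plugin, for instance) the commit should say which; otherwise this reads as an accidental change. The more useful hardening here would be to reject a pointer that has already run past `eoc` before allocating, since a negative difference converts to a huge `size_t` and only fails courtesy of kmalloc: `if (eoc < ctx->pointer) return 0;` — whether the earlier header decode already guarantees this is outside the hunk. `asn1_octets_decode` begins and ends outside the hunk.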
44734 diff -urNp linux-2.6.31/net/ipv4/tcp_ipv4.c linux-2.6.31/net/ipv4/tcp_ipv4.c
44735 --- linux-2.6.31/net/ipv4/tcp_ipv4.c 2009-08-27 20:59:04.000000000 -0400
44736 +++ linux-2.6.31/net/ipv4/tcp_ipv4.c 2009-09-06 15:29:12.210051614 -0400
44737 @@ -1504,6 +1504,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
44741 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
44742 + if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
44744 tcp_v4_send_reset(rsk, skb);
44747 @@ -1612,6 +1615,9 @@ no_tcp_socket:
44749 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
44751 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
44752 + if (skb->dev->flags & IFF_LOOPBACK)
44754 tcp_v4_send_reset(NULL, skb);
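Review bot: This guard dereferences `skb->dev` unconditionally, while the one added a few lines earlier in `tcp_v4_do_rcv` first tests `!skb->dev`; either the NULL check is needed in both places or in neither, so make them agree, e.g. `if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))`. The closing `#endif` for this conditional is not visible in the excerpt, so the exact extent of the new block should be confirmed. Silently dropping RSTs for non-loopback traffic also means stale peers hang until they time out instead of being reset — the intended blackhole behaviour, but it deserves a sentence in the Kconfig help for `GRKERNSEC_BLACKHOLE`.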
44757 diff -urNp linux-2.6.31/net/ipv4/tcp_minisocks.c linux-2.6.31/net/ipv4/tcp_minisocks.c
44758 --- linux-2.6.31/net/ipv4/tcp_minisocks.c 2009-08-27 20:59:04.000000000 -0400
44759 +++ linux-2.6.31/net/ipv4/tcp_minisocks.c 2009-09-06 15:29:12.211030931 -0400
44760 @@ -695,8 +695,11 @@ listen_overflow:
44763 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
44765 +#ifndef CONFIG_GRKERNSEC_BLACKHOLE
44766 if (!(flg & TCP_FLAG_RST))
44767 req->rsk_ops->send_reset(sk, skb);
44770 inet_csk_reqsk_queue_drop(sk, req, prev);
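Review bot: Here the embryonic RST is suppressed outright under `CONFIG_GRKERNSEC_BLACKHOLE`, whereas the tcp_ipv4.c and tcp_ipv6.c hunks in the same patch still send resets on loopback interfaces; a local client hitting a full accept queue therefore waits for its SYN to time out instead of getting the RST every other blackholed path would still deliver. For consistency keep the loopback carve-out, `if (!(flg & TCP_FLAG_RST) && skb->dev && (skb->dev->flags & IFF_LOOPBACK))` under the same `#ifdef`, or document why listen overflow is treated differently. The enclosing function begins outside the hunk.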
44772 diff -urNp linux-2.6.31/net/ipv4/udp.c linux-2.6.31/net/ipv4/udp.c
44773 --- linux-2.6.31/net/ipv4/udp.c 2009-08-27 20:59:04.000000000 -0400
44774 +++ linux-2.6.31/net/ipv4/udp.c 2009-09-06 15:29:12.211030931 -0400
44776 #include <linux/types.h>
44777 #include <linux/fcntl.h>
44778 #include <linux/module.h>
44779 +#include <linux/security.h>
44780 #include <linux/socket.h>
44781 #include <linux/sockios.h>
44782 #include <linux/igmp.h>
44783 @@ -369,6 +370,9 @@ found:
44787 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
44788 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
44791 * This routine is called by the ICMP module when it gets some
44792 * sort of error condition. If err < 0 then the socket should
44793 @@ -631,9 +635,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
44794 dport = usin->sin_port;
44798 + err = gr_search_udp_sendmsg(sk, usin);
44802 if (sk->sk_state != TCP_ESTABLISHED)
44803 return -EDESTADDRREQ;
44805 + err = gr_search_udp_sendmsg(sk, NULL);
44809 daddr = inet->daddr;
44810 dport = inet->dport;
44811 /* Open fast path for connected socket.
44812 @@ -903,6 +916,10 @@ try_again:
44816 + err = gr_search_udp_recvmsg(sk, skb);
44820 ulen = skb->len - sizeof(struct udphdr);
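Review bot: `gr_search_udp_recvmsg(sk, skb)` runs after the datagram has been dequeued by `__skb_recv_datagram`, so a denial must release the skb through the existing `out_free:` path rather than returning directly, otherwise the buffer is leaked and the socket's receive-queue accounting is left unbalanced; the error-handling lines following the call are not part of the excerpt, so this should be confirmed. Note also that a denied datagram is consumed rather than left queued, which is acceptable but worth stating in the hook's documentation. `udp_recvmsg` begins and ends outside the hunk.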
44823 @@ -1293,6 +1310,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
44826 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
44827 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
44828 + if (skb->dev->flags & IFF_LOOPBACK)
44830 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
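Review bot: `skb->dev->flags` is dereferenced without a NULL check, unlike the guard added in `tcp_v4_do_rcv`; in the receive path `skb->dev` should always be set, but if the NULL test is considered necessary there it should be here too, or dropped there, so the patch follows one rule. Suppressing ICMP port-unreachable for non-loopback sources also breaks UDP-based traceroute towards this host and makes closed ports indistinguishable from filtered ones — intended, but it belongs in the Kconfig help text. The closing `#endif` is not visible in the excerpt.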
44833 diff -urNp linux-2.6.31/net/ipv6/exthdrs.c linux-2.6.31/net/ipv6/exthdrs.c
44834 --- linux-2.6.31/net/ipv6/exthdrs.c 2009-08-27 20:59:04.000000000 -0400
44835 +++ linux-2.6.31/net/ipv6/exthdrs.c 2009-09-06 15:29:12.212006340 -0400
44836 @@ -630,7 +630,7 @@ static struct tlvtype_proc tlvprochopopt
44837 .type = IPV6_TLV_JUMBO,
44838 .func = ipv6_hop_jumbo,
44844 int ipv6_parse_hopopts(struct sk_buff *skb)
44845 diff -urNp linux-2.6.31/net/ipv6/ip6mr.c linux-2.6.31/net/ipv6/ip6mr.c
44846 --- linux-2.6.31/net/ipv6/ip6mr.c 2009-08-27 20:59:04.000000000 -0400
44847 +++ linux-2.6.31/net/ipv6/ip6mr.c 2009-09-06 15:29:12.212006340 -0400
44848 @@ -204,7 +204,7 @@ static int ip6mr_vif_seq_show(struct seq
44852 -static struct seq_operations ip6mr_vif_seq_ops = {
44853 +static const struct seq_operations ip6mr_vif_seq_ops = {
44854 .start = ip6mr_vif_seq_start,
44855 .next = ip6mr_vif_seq_next,
44856 .stop = ip6mr_vif_seq_stop,
44857 @@ -217,7 +217,7 @@ static int ip6mr_vif_open(struct inode *
44858 sizeof(struct ipmr_vif_iter));
44861 -static struct file_operations ip6mr_vif_fops = {
44862 +static const struct file_operations ip6mr_vif_fops = {
44863 .owner = THIS_MODULE,
44864 .open = ip6mr_vif_open,
44866 @@ -328,7 +328,7 @@ static int ipmr_mfc_seq_show(struct seq_
44870 -static struct seq_operations ipmr_mfc_seq_ops = {
44871 +static const struct seq_operations ipmr_mfc_seq_ops = {
44872 .start = ipmr_mfc_seq_start,
44873 .next = ipmr_mfc_seq_next,
44874 .stop = ipmr_mfc_seq_stop,
44875 @@ -341,7 +341,7 @@ static int ipmr_mfc_open(struct inode *i
44876 sizeof(struct ipmr_mfc_iter));
44879 -static struct file_operations ip6mr_mfc_fops = {
44880 +static const struct file_operations ip6mr_mfc_fops = {
44881 .owner = THIS_MODULE,
44882 .open = ipmr_mfc_open,
44884 diff -urNp linux-2.6.31/net/ipv6/raw.c linux-2.6.31/net/ipv6/raw.c
44885 --- linux-2.6.31/net/ipv6/raw.c 2009-08-27 20:59:04.000000000 -0400
44886 +++ linux-2.6.31/net/ipv6/raw.c 2009-09-06 15:29:12.212978969 -0400
44887 @@ -600,7 +600,7 @@ out:
44891 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
44892 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
44893 struct flowi *fl, struct rt6_info *rt,
44894 unsigned int flags)
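Review bot: Changing `length` to `unsigned int` closes the case where a negative `int` would slip past the length-versus-MTU comparison the function presumably makes, but the body and the caller are both outside the hunk, so confirm that `rawv6_sendmsg` passes its `size_t len` (a value above UINT_MAX now truncates rather than being caught) and that the IPv4 twin `raw_send_hdrinc` in net/ipv4/raw.c received the same treatment. Any existing `length < 0` style check inside the function becomes dead after this change and should be removed in the same commit.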
44896 diff -urNp linux-2.6.31/net/ipv6/tcp_ipv6.c linux-2.6.31/net/ipv6/tcp_ipv6.c
44897 --- linux-2.6.31/net/ipv6/tcp_ipv6.c 2009-08-27 20:59:04.000000000 -0400
44898 +++ linux-2.6.31/net/ipv6/tcp_ipv6.c 2009-09-06 15:29:12.213957498 -0400
44899 @@ -1577,6 +1577,9 @@ static int tcp_v6_do_rcv(struct sock *sk
44903 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
44904 + if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
44906 tcp_v6_send_reset(sk, skb);
44909 @@ -1699,6 +1702,9 @@ no_tcp_socket:
44911 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
44913 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
44914 + if (skb->dev->flags & IFF_LOOPBACK)
44916 tcp_v6_send_reset(NULL, skb);
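Review bot: As in the IPv4 counterpart, this guard dereferences `skb->dev` directly while the one added in `tcp_v6_do_rcv` above tests `!skb->dev` first; the two should agree, e.g. `if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))`. The closing `#endif` is not visible in the excerpt, so confirm that only the `tcp_v6_send_reset` call is wrapped.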
44919 diff -urNp linux-2.6.31/net/ipv6/udp.c linux-2.6.31/net/ipv6/udp.c
44920 --- linux-2.6.31/net/ipv6/udp.c 2009-08-27 20:59:04.000000000 -0400
44921 +++ linux-2.6.31/net/ipv6/udp.c 2009-09-06 15:29:12.213957498 -0400
44922 @@ -589,6 +589,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
44923 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
44924 proto == IPPROTO_UDPLITE);
44926 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
44927 + if (skb->dev->flags & IFF_LOOPBACK)
44929 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
44932 diff -urNp linux-2.6.31/net/irda/ircomm/ircomm_tty.c linux-2.6.31/net/irda/ircomm/ircomm_tty.c
44933 --- linux-2.6.31/net/irda/ircomm/ircomm_tty.c 2009-08-27 20:59:04.000000000 -0400
44934 +++ linux-2.6.31/net/irda/ircomm/ircomm_tty.c 2009-09-06 15:29:12.214931967 -0400
44935 @@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
44936 add_wait_queue(&self->open_wait, &wait);
44938 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
44939 - __FILE__,__LINE__, tty->driver->name, self->open_count );
44940 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
44942 /* As far as I can see, we protect open_count - Jean II */
44943 spin_lock_irqsave(&self->spinlock, flags);
44944 if (!tty_hung_up_p(filp)) {
44946 - self->open_count--;
44947 + atomic_dec(&self->open_count);
44949 spin_unlock_irqrestore(&self->spinlock, flags);
44950 - self->blocked_open++;
44951 + atomic_inc(&self->blocked_open);
44954 if (tty->termios->c_cflag & CBAUD) {
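Review bot: With `open_count` and `blocked_open` now `atomic_t`, the comment `/* As far as I can see, we protect open_count - Jean II */` kept here and the `/* ++ is not atomic, so this should be protected - Jean II */` comments in the later hunks are stale; update them to say what `self->spinlock` still protects (the `tty_hung_up_p(filp)` test and the flag updates around the counter), or the next reader will assume the lock is now redundant. The `blocked_open` increment, previously a plain `++` outside the lock, does become race-free with this change and is worth calling out in the commit message. The field retyping in ircomm_tty.h is not in the excerpt.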
44955 @@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
44958 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
44959 - __FILE__,__LINE__, tty->driver->name, self->open_count );
44960 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
44964 @@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
44966 /* ++ is not atomic, so this should be protected - Jean II */
44967 spin_lock_irqsave(&self->spinlock, flags);
44968 - self->open_count++;
44969 + atomic_inc(&self->open_count);
44970 spin_unlock_irqrestore(&self->spinlock, flags);
44972 - self->blocked_open--;
44973 + atomic_dec(&self->blocked_open);
44975 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
44976 - __FILE__,__LINE__, tty->driver->name, self->open_count);
44977 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
44980 self->flags |= ASYNC_NORMAL_ACTIVE;
44981 @@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
44983 /* ++ is not atomic, so this should be protected - Jean II */
44984 spin_lock_irqsave(&self->spinlock, flags);
44985 - self->open_count++;
44986 + atomic_inc(&self->open_count);
44988 tty->driver_data = self;
44990 spin_unlock_irqrestore(&self->spinlock, flags);
44992 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
44993 - self->line, self->open_count);
44994 + self->line, atomic_read(&self->open_count));
44996 /* Not really used by us, but lets do it anyway */
44997 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
44998 @@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
45002 - if ((tty->count == 1) && (self->open_count != 1)) {
45003 + if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
45005 * Uh, oh. tty->count is 1, which means that the tty
45006 * structure will be freed. state->count should always
45007 @@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
45009 IRDA_DEBUG(0, "%s(), bad serial port count; "
45010 "tty->count is 1, state->count is %d\n", __func__ ,
45011 - self->open_count);
45012 - self->open_count = 1;
45013 + atomic_read(&self->open_count));
45014 + atomic_set(&self->open_count, 1);
45017 - if (--self->open_count < 0) {
45018 + if (atomic_dec_return(&self->open_count) < 0) {
45019 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
45020 - __func__, self->line, self->open_count);
45021 - self->open_count = 0;
45022 + __func__, self->line, atomic_read(&self->open_count));
45023 + atomic_set(&self->open_count, 0);
45025 - if (self->open_count) {
45026 + if (atomic_read(&self->open_count)) {
45027 spin_unlock_irqrestore(&self->spinlock, flags);
45029 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
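Review bot: `atomic_dec_return(&self->open_count) < 0`, then `atomic_set(&self->open_count, 0)`, then `atomic_read(&self->open_count)` is a read-modify-write-read sequence whose correctness still depends on `self->spinlock` being held across it, exactly as before; the atomics alone do not provide that, so a comment such as `/* open_count is atomic_t for overflow checking only; spinlock still serialises this sequence */` would stop someone from dropping the lock later. Behaviour is otherwise unchanged: the underflow path still clamps to 0 and the `!= 1` sanity check still resets to 1.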
45030 @@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
45034 - if (self->blocked_open) {
45035 + if (atomic_read(&self->blocked_open)) {
45036 if (self->close_delay)
45037 schedule_timeout_interruptible(self->close_delay);
45038 wake_up_interruptible(&self->open_wait);
45039 @@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
45040 spin_lock_irqsave(&self->spinlock, flags);
45041 self->flags &= ~ASYNC_NORMAL_ACTIVE;
45043 - self->open_count = 0;
45044 + atomic_set(&self->open_count, 0);
45045 spin_unlock_irqrestore(&self->spinlock, flags);
45047 wake_up_interruptible(&self->open_wait);
45048 @@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
45051 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
45052 - seq_printf(m, "Open count: %d\n", self->open_count);
45053 + seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
45054 seq_printf(m, "Max data size: %d\n", self->max_data_size);
45055 seq_printf(m, "Max header size: %d\n", self->max_header_size);
45057 diff -urNp linux-2.6.31/net/key/af_key.c linux-2.6.31/net/key/af_key.c
45058 --- linux-2.6.31/net/key/af_key.c 2009-08-27 20:59:04.000000000 -0400
45059 +++ linux-2.6.31/net/key/af_key.c 2009-09-06 15:29:12.215914604 -0400
45060 @@ -3705,7 +3705,7 @@ static void pfkey_seq_stop(struct seq_fi
45061 read_unlock(&pfkey_table_lock);
45064 -static struct seq_operations pfkey_seq_ops = {
45065 +static const struct seq_operations pfkey_seq_ops = {
45066 .start = pfkey_seq_start,
45067 .next = pfkey_seq_next,
45068 .stop = pfkey_seq_stop,
45069 @@ -3718,7 +3718,7 @@ static int pfkey_seq_open(struct inode *
45070 sizeof(struct seq_net_private));
45073 -static struct file_operations pfkey_proc_ops = {
45074 +static const struct file_operations pfkey_proc_ops = {
45075 .open = pfkey_seq_open,
45077 .llseek = seq_lseek,
45078 diff -urNp linux-2.6.31/net/mac80211/ieee80211_i.h linux-2.6.31/net/mac80211/ieee80211_i.h
45079 --- linux-2.6.31/net/mac80211/ieee80211_i.h 2009-08-27 20:59:04.000000000 -0400
45080 +++ linux-2.6.31/net/mac80211/ieee80211_i.h 2009-09-06 15:29:12.215914604 -0400
45081 @@ -609,7 +609,7 @@ struct ieee80211_local {
45082 spinlock_t queue_stop_reason_lock;
45084 struct net_device *mdev; /* wmaster# - "master" 802.11 device */
45086 + atomic_t open_count;
45087 int monitors, cooked_mntrs;
45088 /* number of interfaces with corresponding FIF_ flags */
45089 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss;
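Review bot: The removed `int open_count;` line is not shown in the excerpt, so confirm this hunk replaces the field rather than adding a second `open_count` beside an existing one. Every reader and writer converted in iface.c, main.c, pm.c, rate.c and util.c appears to run under RTNL already, so the motivation is overflow detection rather than concurrency; say so at the field: `atomic_t open_count; /* open virtual interfaces; atomic_t for overflow detection, still serialised by RTNL */`.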
45090 diff -urNp linux-2.6.31/net/mac80211/iface.c linux-2.6.31/net/mac80211/iface.c
45091 --- linux-2.6.31/net/mac80211/iface.c 2009-08-27 20:59:04.000000000 -0400
45092 +++ linux-2.6.31/net/mac80211/iface.c 2009-09-06 15:29:12.216952725 -0400
45093 @@ -164,7 +164,7 @@ static int ieee80211_open(struct net_dev
45097 - if (local->open_count == 0) {
45098 + if (atomic_read(&local->open_count) == 0) {
45099 res = drv_start(local);
45102 @@ -198,7 +198,7 @@ static int ieee80211_open(struct net_dev
45103 * Validate the MAC address for this device.
45105 if (!is_valid_ether_addr(dev->dev_addr)) {
45106 - if (!local->open_count)
45107 + if (!atomic_read(&local->open_count))
45109 return -EADDRNOTAVAIL;
45111 @@ -281,7 +281,7 @@ static int ieee80211_open(struct net_dev
45115 - if (local->open_count == 0) {
45116 + if (atomic_read(&local->open_count) == 0) {
45117 res = dev_open(local->mdev);
45120 @@ -303,7 +303,7 @@ static int ieee80211_open(struct net_dev
45122 hw_reconf_flags |= __ieee80211_recalc_idle(local);
45124 - local->open_count++;
45125 + atomic_inc(&local->open_count);
45126 if (hw_reconf_flags) {
45127 ieee80211_hw_config(local, hw_reconf_flags);
45129 @@ -331,7 +331,7 @@ static int ieee80211_open(struct net_dev
45131 drv_remove_interface(local, &conf);
45133 - if (!local->open_count)
45134 + if (!atomic_read(&local->open_count))
45138 @@ -429,7 +429,7 @@ static int ieee80211_stop(struct net_dev
45139 WARN_ON(!list_empty(&sdata->u.ap.vlans));
45142 - local->open_count--;
45143 + atomic_dec(&local->open_count);
45145 switch (sdata->vif.type) {
45146 case NL80211_IFTYPE_AP_VLAN:
45147 @@ -554,7 +554,7 @@ static int ieee80211_stop(struct net_dev
45149 ieee80211_recalc_ps(local, -1);
45151 - if (local->open_count == 0) {
45152 + if (atomic_read(&local->open_count) == 0) {
45153 if (netif_running(local->mdev))
45154 dev_close(local->mdev);
45156 diff -urNp linux-2.6.31/net/mac80211/main.c linux-2.6.31/net/mac80211/main.c
45157 --- linux-2.6.31/net/mac80211/main.c 2009-08-27 20:59:04.000000000 -0400
45158 +++ linux-2.6.31/net/mac80211/main.c 2009-09-06 15:29:12.216952725 -0400
45159 @@ -193,7 +193,7 @@ int ieee80211_hw_config(struct ieee80211
45160 local->hw.conf.power_level = power;
45163 - if (changed && local->open_count) {
45164 + if (changed && atomic_read(&local->open_count)) {
45165 ret = drv_config(local, changed);
45168 diff -urNp linux-2.6.31/net/mac80211/pm.c linux-2.6.31/net/mac80211/pm.c
45169 --- linux-2.6.31/net/mac80211/pm.c 2009-08-27 20:59:04.000000000 -0400
45170 +++ linux-2.6.31/net/mac80211/pm.c 2009-09-06 15:29:12.218185393 -0400
45171 @@ -103,7 +103,7 @@ int __ieee80211_suspend(struct ieee80211
45174 /* stop hardware - this must stop RX */
45175 - if (local->open_count) {
45176 + if (atomic_read(&local->open_count)) {
45177 ieee80211_led_radio(local, false);
45180 diff -urNp linux-2.6.31/net/mac80211/rate.c linux-2.6.31/net/mac80211/rate.c
45181 --- linux-2.6.31/net/mac80211/rate.c 2009-08-27 20:59:04.000000000 -0400
45182 +++ linux-2.6.31/net/mac80211/rate.c 2009-09-06 15:29:12.218185393 -0400
45183 @@ -258,7 +258,7 @@ int ieee80211_init_rate_ctrl_alg(struct
45184 struct rate_control_ref *ref, *old;
45187 - if (local->open_count || netif_running(local->mdev))
45188 + if (atomic_read(&local->open_count) || netif_running(local->mdev))
45191 ref = rate_control_alloc(name, local);
45192 diff -urNp linux-2.6.31/net/mac80211/rc80211_minstrel_debugfs.c linux-2.6.31/net/mac80211/rc80211_minstrel_debugfs.c
45193 --- linux-2.6.31/net/mac80211/rc80211_minstrel_debugfs.c 2009-08-27 20:59:04.000000000 -0400
45194 +++ linux-2.6.31/net/mac80211/rc80211_minstrel_debugfs.c 2009-09-06 15:29:12.218185393 -0400
45195 @@ -139,7 +139,7 @@ minstrel_stats_release(struct inode *ino
45199 -static struct file_operations minstrel_stat_fops = {
45200 +static const struct file_operations minstrel_stat_fops = {
45201 .owner = THIS_MODULE,
45202 .open = minstrel_stats_open,
45203 .read = minstrel_stats_read,
45204 diff -urNp linux-2.6.31/net/mac80211/rc80211_pid_debugfs.c linux-2.6.31/net/mac80211/rc80211_pid_debugfs.c
45205 --- linux-2.6.31/net/mac80211/rc80211_pid_debugfs.c 2009-08-27 20:59:04.000000000 -0400
45206 +++ linux-2.6.31/net/mac80211/rc80211_pid_debugfs.c 2009-09-06 15:29:12.219106310 -0400
45207 @@ -198,7 +198,7 @@ static ssize_t rate_control_pid_events_r
45209 #undef RC_PID_PRINT_BUF_SIZE
45211 -static struct file_operations rc_pid_fop_events = {
45212 +static const struct file_operations rc_pid_fop_events = {
45213 .owner = THIS_MODULE,
45214 .read = rate_control_pid_events_read,
45215 .poll = rate_control_pid_events_poll,
45216 diff -urNp linux-2.6.31/net/mac80211/util.c linux-2.6.31/net/mac80211/util.c
45217 --- linux-2.6.31/net/mac80211/util.c 2009-08-27 20:59:04.000000000 -0400
45218 +++ linux-2.6.31/net/mac80211/util.c 2009-09-06 15:29:12.219106310 -0400
45219 @@ -991,7 +991,7 @@ int ieee80211_reconfig(struct ieee80211_
45220 local->suspended = false;
45222 /* restart hardware */
45223 - if (local->open_count) {
45224 + if (atomic_read(&local->open_count)) {
45225 res = drv_start(local);
45227 ieee80211_led_radio(local, true);
45228 diff -urNp linux-2.6.31/net/packet/af_packet.c linux-2.6.31/net/packet/af_packet.c
45229 --- linux-2.6.31/net/packet/af_packet.c 2009-08-27 20:59:04.000000000 -0400
45230 +++ linux-2.6.31/net/packet/af_packet.c 2009-09-06 15:29:12.219106310 -0400
45231 @@ -2086,7 +2086,7 @@ static void packet_mm_close(struct vm_ar
45232 atomic_dec(&pkt_sk(sk)->mapped);
45235 -static struct vm_operations_struct packet_mmap_ops = {
45236 +static const struct vm_operations_struct packet_mmap_ops = {
45237 .open = packet_mm_open,
45238 .close =packet_mm_close,
45240 diff -urNp linux-2.6.31/net/sctp/socket.c linux-2.6.31/net/sctp/socket.c
45241 --- linux-2.6.31/net/sctp/socket.c 2009-08-27 20:59:04.000000000 -0400
45242 +++ linux-2.6.31/net/sctp/socket.c 2009-09-06 15:29:12.221274249 -0400
45243 @@ -1471,7 +1471,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
45244 struct sctp_sndrcvinfo *sinfo;
45245 struct sctp_initmsg *sinit;
45246 sctp_assoc_t associd = 0;
45247 - sctp_cmsgs_t cmsgs = { NULL };
45248 + sctp_cmsgs_t cmsgs = { NULL, NULL };
45250 sctp_scope_t scope;
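Review bot: `{ NULL }` already zero-initialises every member of `sctp_cmsgs_t`, so `{ NULL, NULL }` changes nothing at runtime and only silences a missing-field-initialiser warning while hard-coding the current member count. Designated initialisers naming the two members, or the kernel's usual empty `= { }`, achieve the same without breaking the next time a field is added. This is cosmetic and should be labelled as such in the commit.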
45252 @@ -5790,7 +5790,6 @@ pp_found:
45254 int reuse = sk->sk_reuse;
45256 - struct hlist_node *node;
45258 SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
45259 if (pp->fastreuse && sk->sk_reuse &&
45260 diff -urNp linux-2.6.31/net/socket.c linux-2.6.31/net/socket.c
45261 --- linux-2.6.31/net/socket.c 2009-08-27 20:59:04.000000000 -0400
45262 +++ linux-2.6.31/net/socket.c 2009-09-06 15:29:12.222117844 -0400
45264 #include <linux/audit.h>
45265 #include <linux/wireless.h>
45266 #include <linux/nsproxy.h>
45267 +#include <linux/in.h>
45269 #include <asm/uaccess.h>
45270 #include <asm/unistd.h>
45272 #include <net/sock.h>
45273 #include <linux/netfilter.h>
45275 +extern void gr_attach_curr_ip(const struct sock *sk);
45276 +extern int gr_handle_sock_all(const int family, const int type,
45277 + const int protocol);
45278 +extern int gr_handle_sock_server(const struct sockaddr *sck);
45279 +extern int gr_handle_sock_server_other(const struct socket *sck);
45280 +extern int gr_handle_sock_client(const struct sockaddr *sck);
45281 +extern int gr_search_connect(struct socket * sock,
45282 + struct sockaddr_in * addr);
45283 +extern int gr_search_bind(struct socket * sock,
45284 + struct sockaddr_in * addr);
45285 +extern int gr_search_listen(struct socket * sock);
45286 +extern int gr_search_accept(struct socket * sock);
45287 +extern int gr_search_socket(const int domain, const int type,
45288 + const int protocol);
45290 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
45291 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
45292 unsigned long nr_segs, loff_t pos);
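Review bot: Ten `extern` prototypes for `gr_*` hooks are declared inline in net/socket.c; they should live in one grsecurity header so the definitions and these declarations cannot drift apart, and so the differing return conventions visible at the call sites below — `gr_search_socket` non-zero meaning allow, `gr_handle_*` non-zero meaning deny, and `gr_search_bind`/`gr_search_connect` apparently returning an errno assigned to `err` — can be documented once next to the prototypes. Also `struct socket * sock` and `struct sockaddr_in * addr` deviate from the file's `struct socket *sock` pointer style.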
45293 @@ -285,7 +301,7 @@ static int init_inodecache(void)
45297 -static struct super_operations sockfs_ops = {
45298 +static const struct super_operations sockfs_ops = {
45299 .alloc_inode = sock_alloc_inode,
45300 .destroy_inode =sock_destroy_inode,
45301 .statfs = simple_statfs,
45302 @@ -299,7 +315,7 @@ static int sockfs_get_sb(struct file_sys
45306 -static struct vfsmount *sock_mnt __read_mostly;
45307 +struct vfsmount *sock_mnt __read_mostly;
45309 static struct file_system_type sock_fs_type = {
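Review bot: `sock_mnt` loses its `static` without any `extern` declaration being added to a header, so whatever grsecurity code now references it has to re-declare it locally and the compiler cannot check that the two agree; add `extern struct vfsmount *sock_mnt;` to a header both sides include. If it is needed from modules it would also require an `EXPORT_SYMBOL`, which is not in the hunk — presumably the consumer is built-in only, and the commit message should say so.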
45311 @@ -1283,6 +1299,16 @@ SYSCALL_DEFINE3(socket, int, family, int
45312 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
45313 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
45315 + if(!gr_search_socket(family, type, protocol)) {
45316 + retval = -EACCES;
45320 + if (gr_handle_sock_all(family, type, protocol)) {
45321 + retval = -EACCES;
45325 retval = sock_create(family, type, protocol, &sock);
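Review bot: The two new checks use opposite conventions — `!gr_search_socket(...)` denies on zero while `gr_handle_sock_all(...)` denies on non-zero — which is easy to get wrong when either is edited; have both return the same way, or add a one-line comment at each call stating its convention. The `goto out` lines that presumably follow each `retval = -EACCES;` are not in the excerpt, so confirm the function does not fall through into `sock_create`. `if(!gr_search_socket` also lacks the space after `if` used everywhere else in the file.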
45328 @@ -1415,6 +1441,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
45330 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
45332 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
45336 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
45340 err = security_socket_bind(sock,
45341 (struct sockaddr *)&address,
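Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` receives the address before any protocol-level length validation, and `address` is an uninitialised `sockaddr_storage` into which `move_addr_to_kernel` copied only `addrlen` bytes, so for an AF_INET socket with a short `addrlen` the hook can read stale stack bytes as `sin_port`/`sin_addr` unless it checks the family and length itself; the hook body is not in the excerpt. Passing `addrlen` through, or guarding with `if (addrlen >= sizeof(struct sockaddr_in))` at the call site, would make that independent of the callee. The error-return lines after each check are not visible.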
45343 @@ -1423,6 +1457,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
45344 (struct sockaddr *)
45345 &address, addrlen);
45348 fput_light(sock->file, fput_needed);
45351 @@ -1446,10 +1481,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
45352 if ((unsigned)backlog > somaxconn)
45353 backlog = somaxconn;
45355 + if (gr_handle_sock_server_other(sock)) {
45360 + err = gr_search_listen(sock);
45364 err = security_socket_listen(sock, backlog);
45366 err = sock->ops->listen(sock, backlog);
45369 fput_light(sock->file, fput_needed);
45372 @@ -1492,6 +1537,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
45373 newsock->type = sock->type;
45374 newsock->ops = sock->ops;
45376 + if (gr_handle_sock_server_other(sock)) {
45378 + sock_release(newsock);
45382 + err = gr_search_accept(sock);
45384 + sock_release(newsock);
45389 * We don't need try_module_get here, as the listening socket (sock)
45390 * has the protocol module (sock->ops->owner) held.
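Review bot: On the denial paths `sock_release(newsock)` is issued while the new socket has neither a file nor a module reference, which is the right cleanup for this point in `accept4` (after `newsock->ops` is set, before `__module_get` and the fd/file allocation), but the `err =` assignment and the `goto out_put` that must follow each `sock_release` are not in the excerpt; verify the listening socket's `fput_light` is still reached. A short comment would pin the ordering constraint: `/* deny before the new socket acquires a module ref, file or fd */`.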
45391 @@ -1534,6 +1591,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
45392 fd_install(newfd, newfile);
45395 + gr_attach_curr_ip(newsock->sk);
45398 fput_light(sock->file, fput_needed);
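Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, at which point the descriptor is already visible to other threads of the process, so a concurrent close() can release the file and free the socket while this call is dereferencing `newsock->sk`; move the call above `fd_install` (the socket is complete once `sock->ops->accept` has returned) so nothing touches `newsock` after the fd is published. The kernel's own code follows that rule by doing nothing but returning `newfd` after `fd_install`.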
45400 @@ -1571,6 +1630,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
45403 struct socket *sock;
45404 + struct sockaddr *sck;
45405 struct sockaddr_storage address;
45406 int err, fput_needed;
45408 @@ -1581,6 +1641,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
45412 + sck = (struct sockaddr *)&address;
45414 + if (gr_handle_sock_client(sck)) {
45419 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
45424 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
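Review bot: `gr_search_connect(sock, (struct sockaddr_in *)sck)` casts the user address to `sockaddr_in` without passing `addrlen`, so as with the bind hook it can read beyond the copied-in bytes of the uninitialised `sockaddr_storage` for a short `addrlen`, and must check `sock->sk->sk_family` itself for non-IPv4 sockets; the hook body is not visible. Pass `addrlen`, or guard with `addrlen >= sizeof(struct sockaddr_in)` at the call site. The new `sck` local is only an alias for `(struct sockaddr *)&address`, which the very next line still spells out, so use one form consistently.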
45426 diff -urNp linux-2.6.31/net/sunrpc/rpc_pipe.c linux-2.6.31/net/sunrpc/rpc_pipe.c
45427 --- linux-2.6.31/net/sunrpc/rpc_pipe.c 2009-08-27 20:59:04.000000000 -0400
45428 +++ linux-2.6.31/net/sunrpc/rpc_pipe.c 2009-09-06 15:29:12.222117844 -0400
45429 @@ -858,7 +858,7 @@ EXPORT_SYMBOL_GPL(rpc_unlink);
45431 * populate the filesystem
45433 -static struct super_operations s_ops = {
45434 +static const struct super_operations s_ops = {
45435 .alloc_inode = rpc_alloc_inode,
45436 .destroy_inode = rpc_destroy_inode,
45437 .statfs = simple_statfs,
45438 diff -urNp linux-2.6.31/net/unix/af_unix.c linux-2.6.31/net/unix/af_unix.c
45439 --- linux-2.6.31/net/unix/af_unix.c 2009-08-27 20:59:04.000000000 -0400
45440 +++ linux-2.6.31/net/unix/af_unix.c 2009-09-06 15:29:12.222991388 -0400
45441 @@ -734,6 +734,12 @@ static struct sock *unix_find_other(stru
45442 err = -ECONNREFUSED;
45443 if (!S_ISSOCK(inode->i_mode))
45446 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
45451 u = unix_find_socket_byinode(net, inode);
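Review bot: `gr_acl_handle_unix(path.dentry, path.mnt)` is called after `kern_path` succeeded, so a denial has to release `path` through the existing `put_fail:` label rather than `fail:`, or the dentry and mount references leak; the lines following the check are not in the excerpt, so confirm which label is used and what `err` is set to (the surrounding code uses `-ECONNREFUSED` for a non-socket inode, but an ACL denial is more honestly `-EACCES`). `unix_find_other` begins and ends outside the hunk.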
45454 @@ -754,6 +760,13 @@ static struct sock *unix_find_other(stru
45456 struct dentry *dentry;
45457 dentry = unix_sk(u)->dentry;
45459 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
45466 touch_atime(unix_sk(u)->mnt, dentry);
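Review bot: `gr_handle_chroot_unix(u->sk_peercred.pid)` keys the check on a raw `pid_t` stored in the listener's `sk_peercred`, a value that is not namespace-aware and can be recycled once the binding process exits, so the verdict can end up referring to an unrelated task; holding a `struct pid` reference instead would be robust against both. On denial the reference taken on `u` by `unix_find_socket_byinode` must also be dropped with `sock_put(u)` before returning — the error lines are not visible, so confirm. `unix_find_other` begins and ends outside the hunk.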
45468 @@ -839,11 +852,18 @@ static int unix_bind(struct socket *sock
45469 err = security_path_mknod(&nd.path, dentry, mode, 0);
45471 goto out_mknod_drop_write;
45472 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
45474 + goto out_mknod_drop_write;
45476 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
45477 out_mknod_drop_write:
45478 mnt_drop_write(nd.path.mnt);
45480 goto out_mknod_dput;
45482 + gr_handle_create(dentry, nd.path.mnt);
45484 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
45485 dput(nd.path.dentry);
45486 nd.path.dentry = dentry;
45487 @@ -861,6 +881,10 @@ out_mknod_drop_write:
45491 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
45492 + sk->sk_peercred.pid = current->pid;
45495 list = &unix_socket_table[addr->hash];
45497 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
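Review bot: `sk->sk_peercred.pid = current->pid` stores the thread id in the initial namespace, whereas `unix_listen` (outside the hunk) presumably overwrites the same field with `task_tgid_vnr(current)` once the socket is listened on, so the chroot check in `unix_find_other` sees a different kind of value for stream listeners than for datagram sockets; use the same expression here, `sk->sk_peercred.pid = task_tgid_vnr(current);`, or better a pid reference as suggested there. Overloading `sk_peercred`, which may also be surfaced through SO_PEERCRED, should be explained in a comment at this assignment. `unix_bind` ends outside the hunk.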
45498 diff -urNp linux-2.6.31/net/xfrm/xfrm_proc.c linux-2.6.31/net/xfrm/xfrm_proc.c
45499 --- linux-2.6.31/net/xfrm/xfrm_proc.c 2009-08-27 20:59:04.000000000 -0400
45500 +++ linux-2.6.31/net/xfrm/xfrm_proc.c 2009-09-06 15:29:12.222991388 -0400
45501 @@ -60,7 +60,7 @@ static int xfrm_statistics_seq_open(stru
45502 return single_open_net(inode, file, xfrm_statistics_seq_show);
45505 -static struct file_operations xfrm_statistics_seq_fops = {
45506 +static const struct file_operations xfrm_statistics_seq_fops = {
45507 .owner = THIS_MODULE,
45508 .open = xfrm_statistics_seq_open,
45510 diff -urNp linux-2.6.31/samples/markers/marker-example.c linux-2.6.31/samples/markers/marker-example.c
45511 --- linux-2.6.31/samples/markers/marker-example.c 2009-08-27 20:59:04.000000000 -0400
45512 +++ linux-2.6.31/samples/markers/marker-example.c 2009-09-06 15:29:12.224078604 -0400
45513 @@ -26,7 +26,7 @@ static int my_open(struct inode *inode,
45517 -static struct file_operations mark_ops = {
45518 +static const struct file_operations mark_ops = {
45522 diff -urNp linux-2.6.31/samples/tracepoints/tracepoint-sample.c linux-2.6.31/samples/tracepoints/tracepoint-sample.c
45523 --- linux-2.6.31/samples/tracepoints/tracepoint-sample.c 2009-08-27 20:59:04.000000000 -0400
45524 +++ linux-2.6.31/samples/tracepoints/tracepoint-sample.c 2009-09-06 15:29:12.224078604 -0400
45525 @@ -28,7 +28,7 @@ static int my_open(struct inode *inode,
45529 -static struct file_operations mark_ops = {
45530 +static const struct file_operations mark_ops = {
45534 diff -urNp linux-2.6.31/scripts/basic/fixdep.c linux-2.6.31/scripts/basic/fixdep.c
45535 --- linux-2.6.31/scripts/basic/fixdep.c 2009-08-27 20:59:04.000000000 -0400
45536 +++ linux-2.6.31/scripts/basic/fixdep.c 2009-09-06 15:29:12.224078604 -0400
45537 @@ -224,9 +224,9 @@ void use_config(char *m, int slen)
45539 void parse_config_file(char *map, size_t len)
45541 - int *end = (int *) (map + len);
45542 + unsigned int *end = (unsigned int *) (map + len);
45543 /* start at +1, so that p can never be < map */
45544 - int *m = (int *) map + 1;
45545 + unsigned int *m = (unsigned int *) map + 1;
45548 for (; m < end; m++) {
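Review bot: Switching `m` and `end` to `unsigned int *` changes only the signedness of what `*m` yields; the loop still reads a `char` buffer through a 4-byte pointer, which assumes `map` is suitably aligned and is an aliasing violation the compiler is entitled to exploit. Copying each word out with memcpy into a local `unsigned int` before comparing it would keep the new unsigned semantics without the hazard; the second fixdep hunk (`@@ -373,7 +373,7 @@ print_deps`) has the same pattern, though there the source array is explicitly aligned. parse_config_file continues outside this hunk.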
45549 @@ -373,7 +373,7 @@ void print_deps(void)
45552 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
45553 - int *p = (int *)test;
45554 + unsigned int *p = (unsigned int *)test;
45556 if (*p != INT_CONF) {
45557 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
45558 diff -urNp linux-2.6.31/scripts/kallsyms.c linux-2.6.31/scripts/kallsyms.c
45559 --- linux-2.6.31/scripts/kallsyms.c 2009-08-27 20:59:04.000000000 -0400
45560 +++ linux-2.6.31/scripts/kallsyms.c 2009-09-06 15:29:12.224078604 -0400
45561 @@ -43,10 +43,10 @@ struct text_range {
45563 static unsigned long long _text;
45564 static struct text_range text_ranges[] = {
45565 - { "_stext", "_etext" },
45566 - { "_sinittext", "_einittext" },
45567 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
45568 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
45569 + { "_stext", "_etext", 0, 0 },
45570 + { "_sinittext", "_einittext", 0, 0 },
45571 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
45572 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
45574 #define text_range_text (&text_ranges[0])
45575 #define text_range_inittext (&text_ranges[1])
45576 diff -urNp linux-2.6.31/scripts/kconfig/lkc.h linux-2.6.31/scripts/kconfig/lkc.h
45577 --- linux-2.6.31/scripts/kconfig/lkc.h 2009-08-27 20:59:04.000000000 -0400
45578 +++ linux-2.6.31/scripts/kconfig/lkc.h 2009-09-06 15:29:12.225167481 -0400
45579 @@ -97,7 +97,7 @@ void menu_add_expr(enum prop_type type,
45580 void menu_add_symbol(enum prop_type type, struct symbol *sym, struct expr *dep);
45581 void menu_add_option(int token, char *arg);
45582 void menu_finalize(struct menu *parent);
45583 -void menu_set_type(int type);
45584 +void menu_set_type(unsigned int type);
45587 struct file *file_lookup(const char *name);
45588 diff -urNp linux-2.6.31/scripts/kconfig/mconf.c linux-2.6.31/scripts/kconfig/mconf.c
45589 --- linux-2.6.31/scripts/kconfig/mconf.c 2009-08-27 20:59:04.000000000 -0400
45590 +++ linux-2.6.31/scripts/kconfig/mconf.c 2009-09-06 15:29:12.225167481 -0400
45591 @@ -361,7 +361,7 @@ static char filename[PATH_MAX+1];
45592 static void set_config_filename(const char *config_filename)
45594 static char menu_backtitle[PATH_MAX+128];
45596 + unsigned int size;
45597 struct symbol *sym;
45599 sym = sym_lookup("KERNELVERSION", 0);
45600 diff -urNp linux-2.6.31/scripts/kconfig/menu.c linux-2.6.31/scripts/kconfig/menu.c
45601 --- linux-2.6.31/scripts/kconfig/menu.c 2009-08-27 20:59:04.000000000 -0400
45602 +++ linux-2.6.31/scripts/kconfig/menu.c 2009-09-06 15:29:12.225956744 -0400
45603 @@ -104,7 +104,7 @@ void menu_add_dep(struct expr *dep)
45604 current_entry->dep = expr_alloc_and(current_entry->dep, menu_check_dep(dep));
45607 -void menu_set_type(int type)
45608 +void menu_set_type(unsigned int type)
45610 struct symbol *sym = current_entry->sym;
45612 diff -urNp linux-2.6.31/scripts/mod/file2alias.c linux-2.6.31/scripts/mod/file2alias.c
45613 --- linux-2.6.31/scripts/mod/file2alias.c 2009-08-27 20:59:04.000000000 -0400
45614 +++ linux-2.6.31/scripts/mod/file2alias.c 2009-09-06 15:29:12.225956744 -0400
45615 @@ -72,7 +72,7 @@ static void device_id_check(const char *
45616 unsigned long size, unsigned long id_size,
45622 if (size % id_size || size < id_size) {
45623 if (cross_build != 0)
45624 @@ -102,7 +102,7 @@ static void device_id_check(const char *
45625 /* USB is special because the bcdDevice can be matched against a numeric range */
45626 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
45627 static void do_usb_entry(struct usb_device_id *id,
45628 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
45629 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
45630 unsigned char range_lo, unsigned char range_hi,
45631 struct module *mod)
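Review bot: `bcdDevice_initial_digits` becoming `unsigned int` is only safe if the body of do_usb_entry, which lies outside this hunk, never derives a count from it that is tested with `>= 0` or decremented past zero, since such comparisons become always-true once the operand is unsigned; please confirm against the full function. The same caution applies to the new unsigned loop indices `i2`, `j2` in do_pnp_card_entries and `i`, `j` in do_dmi_entry in the later hunks of this file.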
45633 @@ -368,7 +368,7 @@ static void do_pnp_device_entry(void *sy
45634 for (i = 0; i < count; i++) {
45635 const char *id = (char *)devs[i].id;
45636 char acpi_id[sizeof(devs[0].id)];
45640 buf_printf(&mod->dev_table_buf,
45641 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
45642 @@ -398,7 +398,7 @@ static void do_pnp_card_entries(void *sy
45644 for (j = 0; j < PNP_MAX_DEVICES; j++) {
45645 const char *id = (char *)card->devs[j].id;
45647 + unsigned int i2, j2;
45651 @@ -424,7 +424,7 @@ static void do_pnp_card_entries(void *sy
45652 /* add an individual alias for every device entry */
45654 char acpi_id[sizeof(card->devs[0].id)];
45658 buf_printf(&mod->dev_table_buf,
45659 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
45660 @@ -690,7 +690,7 @@ static void dmi_ascii_filter(char *d, co
45661 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
45665 + unsigned int i, j;
45667 sprintf(alias, "dmi*");
45669 diff -urNp linux-2.6.31/scripts/mod/modpost.c linux-2.6.31/scripts/mod/modpost.c
45670 --- linux-2.6.31/scripts/mod/modpost.c 2009-08-27 20:59:04.000000000 -0400
45671 +++ linux-2.6.31/scripts/mod/modpost.c 2009-09-06 15:29:12.226917748 -0400
45672 @@ -835,6 +835,7 @@ enum mismatch {
45675 EXPORT_TO_INIT_EXIT,
45679 struct sectioncheck {
45680 @@ -920,6 +921,12 @@ const struct sectioncheck sectioncheck[]
45681 .fromsec = { "__ksymtab*", NULL },
45682 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
45683 .mismatch = EXPORT_TO_INIT_EXIT
45685 +/* Do not reference code from writable data */
45687 + .fromsec = { DATA_SECTIONS, NULL },
45688 + .tosec = { TEXT_SECTIONS, NULL },
45689 + .mismatch = DATA_TO_TEXT
45693 @@ -1024,10 +1031,10 @@ static Elf_Sym *find_elf_symbol(struct e
45695 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
45697 - if (sym->st_value == addr)
45699 /* Find a symbol nearby - addr are maybe negative */
45700 d = sym->st_value - addr;
45704 d = addr - sym->st_value;
45705 if (d < distance) {
45706 @@ -1268,6 +1275,14 @@ static void report_sec_mismatch(const ch
45707 "Fix this by removing the %sannotation of %s "
45708 "or drop the export.\n",
45709 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
45710 + case DATA_TO_TEXT:
45713 + "The variable %s references\n"
45714 + "the %s %s%s%s\n",
45715 + fromsym, to, sec2annotation(tosec), tosym, to_p);
45719 /* To get warnings on missing members */
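Review bot: `case DATA_TO_TEXT:` is inserted directly after the EXPORT_TO_INIT_EXIT report ending at `tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);`, and no `break;` is visible between them, so an export-to-init mismatch would fall through and also print the new variable-references-text message unless a `break` sits on one of the lines omitted from this excerpt. If the fall-through is not intended, close the previous case with `break;` before the new label; if it is, mark it with `/* fallthrough */` so the next reader does not "fix" it. Several of the new case's lines are not shown here, and report_sec_mismatch starts before the hunk.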
45721 @@ -1651,7 +1666,7 @@ void __attribute__((format(printf, 2, 3)
45725 -void buf_write(struct buffer *buf, const char *s, int len)
45726 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
45728 if (buf->size - buf->pos < len) {
45729 buf->size += len + SZ;
45730 @@ -1863,7 +1878,7 @@ static void write_if_changed(struct buff
45731 if (fstat(fileno(file), &st) < 0)
45734 - if (st.st_size != b->pos)
45735 + if (st.st_size != (off_t)b->pos)
45738 tmp = NOFAIL(malloc(b->pos));
45739 diff -urNp linux-2.6.31/scripts/mod/modpost.h linux-2.6.31/scripts/mod/modpost.h
45740 --- linux-2.6.31/scripts/mod/modpost.h 2009-08-27 20:59:04.000000000 -0400
45741 +++ linux-2.6.31/scripts/mod/modpost.h 2009-09-06 15:29:12.226917748 -0400
45742 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
45748 + unsigned int pos;
45749 + unsigned int size;
45752 void __attribute__((format(printf, 2, 3)))
45753 buf_printf(struct buffer *buf, const char *fmt, ...);
45756 -buf_write(struct buffer *buf, const char *s, int len);
45757 +buf_write(struct buffer *buf, const char *s, unsigned int len);
45760 struct module *next;
45761 diff -urNp linux-2.6.31/scripts/mod/sumversion.c linux-2.6.31/scripts/mod/sumversion.c
45762 --- linux-2.6.31/scripts/mod/sumversion.c 2009-08-27 20:59:04.000000000 -0400
45763 +++ linux-2.6.31/scripts/mod/sumversion.c 2009-09-06 15:29:12.226917748 -0400
45764 @@ -457,7 +457,7 @@ static void write_version(const char *fi
45768 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
45769 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
45770 warn("writing sum in %s failed: %s\n",
45771 filename, strerror(errno));
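Review bot: `(ssize_t)strlen(sum)+1` relies on the cast binding tighter than `+`, which is correct but reads as if the whole sum were cast; writing `(ssize_t)(strlen(sum) + 1)`, or computing `size_t len = strlen(sum) + 1;` once and using it for both the write and the comparison, states the intent and avoids calling strlen twice. A short write is still reported as a failure rather than retried, which this hunk leaves unchanged. write_version continues outside the hunk.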
45773 diff -urNp linux-2.6.31/scripts/pnmtologo.c linux-2.6.31/scripts/pnmtologo.c
45774 --- linux-2.6.31/scripts/pnmtologo.c 2009-08-27 20:59:04.000000000 -0400
45775 +++ linux-2.6.31/scripts/pnmtologo.c 2009-09-06 15:29:12.228046042 -0400
45776 @@ -237,14 +237,14 @@ static void write_header(void)
45777 fprintf(out, " * Linux logo %s\n", logoname);
45778 fputs(" */\n\n", out);
45779 fputs("#include <linux/linux_logo.h>\n\n", out);
45780 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
45781 + fprintf(out, "static unsigned char %s_data[] = {\n",
45785 static void write_footer(void)
45787 fputs("\n};\n\n", out);
45788 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
45789 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
45790 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
45791 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
45792 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
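Review bot: Dropping `__initdata` from the generated `%s_data[]` array and `__initconst` from the generated `struct linux_logo` keeps the logo resident for the life of the kernel instead of only during boot, and nothing in write_header or write_footer records why. A one-line comment above the first changed fprintf, e.g. `/* intentionally not __initdata: <reason> */`, would spare the next reader the archaeology; the clut array in the next hunk (`@@ -374,7 +374,7 @@ write_logo_clut224`) deserves the same note.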
45793 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
45794 fputs("\n};\n\n", out);
45796 /* write logo clut */
45797 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
45798 + fprintf(out, "static unsigned char %s_clut[] = {\n",
45801 for (i = 0; i < logo_clutsize; i++) {
45802 diff -urNp linux-2.6.31/security/commoncap.c linux-2.6.31/security/commoncap.c
45803 --- linux-2.6.31/security/commoncap.c 2009-08-27 20:59:04.000000000 -0400
45804 +++ linux-2.6.31/security/commoncap.c 2009-09-06 15:29:12.228046042 -0400
45806 #include <linux/prctl.h>
45807 #include <linux/securebits.h>
45808 #include <linux/vs_context.h>
45810 +#include <net/sock.h>
45812 * If a non-root user executes a setuid-root binary in
45813 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
45814 @@ -50,9 +50,11 @@ static void warn_setuid_and_fcaps_mixed(
45818 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
45820 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
45822 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
45823 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
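Review bot: The `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` prototype is placed in the .c file next to its single caller, so the compiler never checks it against the definition and a signature drift in the defining module would go unnoticed; declaring it in a header included by both sides is the safer form. cap_netlink_send is the hook for every netlink send, not only rtnetlink, so it is worth a comment stating what the helper returns for non-rtnetlink sockets if that is not simply `current_cap()`. cap_netlink_send ends outside the hunk.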
45827 diff -urNp linux-2.6.31/security/integrity/ima/ima_fs.c linux-2.6.31/security/integrity/ima/ima_fs.c
45828 --- linux-2.6.31/security/integrity/ima/ima_fs.c 2009-08-27 20:59:04.000000000 -0400
45829 +++ linux-2.6.31/security/integrity/ima/ima_fs.c 2009-09-06 15:29:12.228046042 -0400
45830 @@ -43,7 +43,7 @@ static ssize_t ima_show_htable_violation
45831 return ima_show_htable_value(buf, count, ppos, &ima_htable.violations);
45834 -static struct file_operations ima_htable_violations_ops = {
45835 +static const struct file_operations ima_htable_violations_ops = {
45836 .read = ima_show_htable_violations
45839 @@ -55,7 +55,7 @@ static ssize_t ima_show_measurements_cou
45843 -static struct file_operations ima_measurements_count_ops = {
45844 +static const struct file_operations ima_measurements_count_ops = {
45845 .read = ima_show_measurements_count
45848 @@ -146,7 +146,7 @@ static int ima_measurements_show(struct
45852 -static struct seq_operations ima_measurments_seqops = {
45853 +static const struct seq_operations ima_measurments_seqops = {
45854 .start = ima_measurements_start,
45855 .next = ima_measurements_next,
45856 .stop = ima_measurements_stop,
45857 @@ -158,7 +158,7 @@ static int ima_measurements_open(struct
45858 return seq_open(file, &ima_measurments_seqops);
45861 -static struct file_operations ima_measurements_ops = {
45862 +static const struct file_operations ima_measurements_ops = {
45863 .open = ima_measurements_open,
45865 .llseek = seq_lseek,
45866 @@ -221,7 +221,7 @@ static int ima_ascii_measurements_show(s
45870 -static struct seq_operations ima_ascii_measurements_seqops = {
45871 +static const struct seq_operations ima_ascii_measurements_seqops = {
45872 .start = ima_measurements_start,
45873 .next = ima_measurements_next,
45874 .stop = ima_measurements_stop,
45875 @@ -233,7 +233,7 @@ static int ima_ascii_measurements_open(s
45876 return seq_open(file, &ima_ascii_measurements_seqops);
45879 -static struct file_operations ima_ascii_measurements_ops = {
45880 +static const struct file_operations ima_ascii_measurements_ops = {
45881 .open = ima_ascii_measurements_open,
45883 .llseek = seq_lseek,
45884 @@ -313,7 +313,7 @@ static int ima_release_policy(struct ino
45888 -static struct file_operations ima_measure_policy_ops = {
45889 +static const struct file_operations ima_measure_policy_ops = {
45890 .open = ima_open_policy,
45891 .write = ima_write_policy,
45892 .release = ima_release_policy
45893 diff -urNp linux-2.6.31/security/Kconfig linux-2.6.31/security/Kconfig
45894 --- linux-2.6.31/security/Kconfig 2009-08-27 20:59:04.000000000 -0400
45895 +++ linux-2.6.31/security/Kconfig 2009-09-06 15:29:12.229103257 -0400
45898 menu "Security options"
45900 +source grsecurity/Kconfig
45905 + bool "Enable various PaX features"
45906 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86)
45908 + This allows you to enable various PaX features. PaX adds
45909 + intrusion prevention mechanisms to the kernel that reduce
45910 + the risks posed by exploitable memory corruption bugs.
45912 +menu "PaX Control"
45915 +config PAX_SOFTMODE
45916 + bool 'Support soft mode'
45918 + Enabling this option will allow you to run PaX in soft mode, that
45919 + is, PaX features will not be enforced by default, only on executables
45920 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
45921 + is the only way to mark executables for soft mode use.
45923 + Soft mode can be activated by using the "pax_softmode=1" kernel command
45924 + line option on boot. Furthermore you can control various PaX features
45925 + at runtime via the entries in /proc/sys/kernel/pax.
45928 + bool 'Use legacy ELF header marking'
45930 + Enabling this option will allow you to control PaX features on
45931 + a per executable basis via the 'chpax' utility available at
45932 + http://pax.grsecurity.net/. The control flags will be read from
45933 + an otherwise reserved part of the ELF header. This marking has
45934 + numerous drawbacks (no support for soft-mode, toolchain does not
45935 + know about the non-standard use of the ELF header) therefore it
45936 + has been deprecated in favour of PT_PAX_FLAGS support.
45938 + If you have applications not marked by the PT_PAX_FLAGS ELF
45939 + program header then you MUST enable this option otherwise they
45940 + will not get any protection.
45942 + Note that if you enable PT_PAX_FLAGS marking support as well,
45943 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
45945 +config PAX_PT_PAX_FLAGS
45946 + bool 'Use ELF program header marking'
45948 + Enabling this option will allow you to control PaX features on
45949 + a per executable basis via the 'paxctl' utility available at
45950 + http://pax.grsecurity.net/. The control flags will be read from
45951 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
45952 + has the benefits of supporting both soft mode and being fully
45953 + integrated into the toolchain (the binutils patch is available
45954 + from http://pax.grsecurity.net).
45956 + If you have applications not marked by the PT_PAX_FLAGS ELF
45957 + program header then you MUST enable the EI_PAX marking support
45958 + otherwise they will not get any protection.
45960 + Note that if you enable the legacy EI_PAX marking support as well,
45961 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
45964 + prompt 'MAC system integration'
45965 + default PAX_HAVE_ACL_FLAGS
45967 + Mandatory Access Control systems have the option of controlling
45968 + PaX flags on a per executable basis, choose the method supported
45969 + by your particular system.
45971 + - "none": if your MAC system does not interact with PaX,
45972 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
45973 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
45975 + NOTE: this option is for developers/integrators only.
45977 + config PAX_NO_ACL_FLAGS
45980 + config PAX_HAVE_ACL_FLAGS
45983 + config PAX_HOOK_ACL_FLAGS
45989 +menu "Non-executable pages"
45993 + bool "Enforce non-executable pages"
45994 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86)
45996 + By design some architectures do not allow for protecting memory
45997 + pages against execution or even if they do, Linux does not make
45998 + use of this feature. In practice this means that if a page is
45999 + readable (such as the stack or heap) it is also executable.
46001 + There is a well known exploit technique that makes use of this
46002 + fact and a common programming mistake where an attacker can
46003 + introduce code of his choice somewhere in the attacked program's
46004 + memory (typically the stack or the heap) and then execute it.
46006 + If the attacked program was running with different (typically
46007 + higher) privileges than that of the attacker, then he can elevate
46008 + his own privilege level (e.g. get a root shell, write to files for
46009 + which he does not have write access to, etc).
46011 + Enabling this option will let you choose from various features
46012 + that prevent the injection and execution of 'foreign' code in
46015 + This will also break programs that rely on the old behaviour and
46016 + expect that dynamically allocated memory via the malloc() family
46017 + of functions is executable (which it is not). Notable examples
46018 + are the XFree86 4.x server, the java runtime and wine.
46020 +config PAX_PAGEEXEC
46021 + bool "Paging based non-executable pages"
46022 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
46024 + This implementation is based on the paging feature of the CPU.
46025 + On i386 without hardware non-executable bit support there is a
46026 + variable but usually low performance impact, however on Intel's
46027 + P4 core based CPUs it is very high so you should not enable this
46028 + for kernels meant to be used on such CPUs.
46030 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
46031 + with hardware non-executable bit support there is no performance
46032 + impact, on ppc the impact is negligible.
46034 + Note that several architectures require various emulations due to
46035 + badly designed userland ABIs, this will cause a performance impact
46036 + but will disappear as soon as userland is fixed (e.g., ppc users
46037 + can make use of the secure-plt feature found in binutils).
46039 +config PAX_SEGMEXEC
46040 + bool "Segmentation based non-executable pages"
46041 + depends on PAX_NOEXEC && X86_32
46043 + This implementation is based on the segmentation feature of the
46044 + CPU and has a very small performance impact, however applications
46045 + will be limited to a 1.5 GB address space instead of the normal
46048 +config PAX_EMUTRAMP
46049 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
46050 + default y if PARISC || PPC32
46052 + There are some programs and libraries that for one reason or
46053 + another attempt to execute special small code snippets from
46054 + non-executable memory pages. Most notable examples are the
46055 + signal handler return code generated by the kernel itself and
46056 + the GCC trampolines.
46058 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
46059 + such programs will no longer work under your kernel.
46061 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
46062 + utilities to enable trampoline emulation for the affected programs
46063 + yet still have the protection provided by the non-executable pages.
46065 + On parisc and ppc you MUST enable this option and EMUSIGRT as
46066 + well, otherwise your system will not even boot.
46068 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
46069 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
46070 + for the affected files.
46072 + NOTE: enabling this feature *may* open up a loophole in the
46073 + protection provided by non-executable pages that an attacker
46074 + could abuse. Therefore the best solution is to not have any
46075 + files on your system that would require this option. This can
46076 + be achieved by not using libc5 (which relies on the kernel
46077 + signal handler return code) and not using or rewriting programs
46078 + that make use of the nested function implementation of GCC.
46079 + Skilled users can just fix GCC itself so that it implements
46080 + nested function calls in a way that does not interfere with PaX.
46082 +config PAX_EMUSIGRT
46083 + bool "Automatically emulate sigreturn trampolines"
46084 + depends on PAX_EMUTRAMP && (PARISC || PPC32)
46087 + Enabling this option will have the kernel automatically detect
46088 + and emulate signal return trampolines executing on the stack
46089 + that would otherwise lead to task termination.
46091 + This solution is intended as a temporary one for users with
46092 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
46093 + Modula-3 runtime, etc) or executables linked to such, basically
46094 + everything that does not specify its own SA_RESTORER function in
46095 + normal executable memory like glibc 2.1+ does.
46097 + On parisc and ppc you MUST enable this option, otherwise your
46098 + system will not even boot.
46100 + NOTE: this feature cannot be disabled on a per executable basis
46101 + and since it *does* open up a loophole in the protection provided
46102 + by non-executable pages, the best solution is to not have any
46103 + files on your system that would require this option.
46105 +config PAX_MPROTECT
46106 + bool "Restrict mprotect()"
46107 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64
46109 + Enabling this option will prevent programs from
46110 + - changing the executable status of memory pages that were
46111 + not originally created as executable,
46112 + - making read-only executable pages writable again,
46113 + - creating executable pages from anonymous memory.
46115 + You should say Y here to complete the protection provided by
46116 + the enforcement of non-executable pages.
46118 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
46119 + this feature on a per file basis.
46121 +config PAX_NOELFRELOCS
46122 + bool "Disallow ELF text relocations"
46123 + depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || X86)
46125 + Non-executable pages and mprotect() restrictions are effective
46126 + in preventing the introduction of new executable code into an
46127 + attacked task's address space. There remain only two venues
46128 + for this kind of attack: if the attacker can execute already
46129 + existing code in the attacked task then he can either have it
46130 + create and mmap() a file containing his code or have it mmap()
46131 + an already existing ELF library that does not have position
46132 + independent code in it and use mprotect() on it to make it
46133 + writable and copy his code there. While protecting against
46134 + the former approach is beyond PaX, the latter can be prevented
46135 + by having only PIC ELF libraries on one's system (which do not
46136 + need to relocate their code). If you are sure this is your case,
46137 + then enable this option otherwise be careful as you may not even
46138 + be able to boot or log on your system (for example, some PAM
46139 + modules are erroneously compiled as non-PIC by default).
46141 + NOTE: if you are using dynamic ELF executables (as suggested
46142 + when using ASLR) then you must have made sure that you linked
46143 + your files using the PIC version of crt1 (the et_dyn.tar.gz package
46144 + referenced there has already been updated to support this).
46146 +config PAX_ETEXECRELOCS
46147 + bool "Allow ELF ET_EXEC text relocations"
46148 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
46151 + On some architectures there are incorrectly created applications
46152 + that require text relocations and would not work without enabling
46153 + this option. If you are an alpha, ia64 or parisc user, you should
46154 + enable this option and disable it once you have made sure that
46155 + none of your applications need it.
46158 + bool "Automatically emulate ELF PLT"
46159 + depends on PAX_MPROTECT && (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
46162 + Enabling this option will have the kernel automatically detect
46163 + and emulate the Procedure Linkage Table entries in ELF files.
46164 + On some architectures such entries are in writable memory, and
46165 + become non-executable leading to task termination. Therefore
46166 + it is mandatory that you enable this option on alpha, parisc,
46167 + ppc (if secure-plt is not used throughout in userland), sparc
46168 + and sparc64, otherwise your system would not even boot.
46170 + NOTE: this feature *does* open up a loophole in the protection
46171 + provided by the non-executable pages, therefore the proper
46172 + solution is to modify the toolchain to produce a PLT that does
46173 + not need to be writable.
46175 +config PAX_DLRESOLVE
46177 + depends on PAX_EMUPLT && (SPARC32 || SPARC64)
46180 +config PAX_SYSCALL
46182 + depends on PAX_PAGEEXEC && PPC32
46185 +config PAX_KERNEXEC
46186 + bool "Enforce non-executable kernel pages"
46187 + depends on PAX_NOEXEC && X86 && (!X86_32 || X86_WP_WORKS_OK)
46189 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
46190 + that is, enabling this option will make it harder to inject
46191 + and execute 'foreign' code in kernel memory itself.
46195 +menu "Address Space Layout Randomization"
46199 + bool "Address Space Layout Randomization"
46200 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
46202 + Many if not most exploit techniques rely on the knowledge of
46203 + certain addresses in the attacked program. The following options
46204 + will allow the kernel to apply a certain amount of randomization
46205 + to specific parts of the program thereby forcing an attacker to
46206 + guess them in most cases. Any failed guess will most likely crash
46207 + the attacked program which allows the kernel to detect such attempts
46208 + and react on them. PaX itself provides no reaction mechanisms,
46209 + instead it is strongly encouraged that you make use of Nergal's
46210 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
46211 + (http://www.grsecurity.net/) built-in crash detection features or
46212 + develop one yourself.
46214 + By saying Y here you can choose to randomize the following areas:
46215 + - top of the task's kernel stack
46216 + - top of the task's userland stack
46217 + - base address for mmap() requests that do not specify one
46218 + (this includes all libraries)
46219 + - base address of the main executable
46221 + It is strongly recommended to say Y here as address space layout
46222 + randomization has negligible impact on performance yet it provides
46223 + a very effective protection.
46225 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
46226 + this feature on a per file basis.
46228 +config PAX_RANDKSTACK
46229 + bool "Randomize kernel stack base"
46230 + depends on PAX_ASLR && X86_TSC && X86_32
46232 + By saying Y here the kernel will randomize every task's kernel
46233 + stack on every system call. This will not only force an attacker
46234 + to guess it but also prevent him from making use of possible
46235 + leaked information about it.
46237 + Since the kernel stack is a rather scarce resource, randomization
46238 + may cause unexpected stack overflows, therefore you should very
46239 + carefully test your system. Note that once enabled in the kernel
46240 + configuration, this feature cannot be disabled on a per file basis.
46242 +config PAX_RANDUSTACK
46243 + bool "Randomize user stack base"
46244 + depends on PAX_ASLR
46246 + By saying Y here the kernel will randomize every task's userland
46247 + stack. The randomization is done in two steps where the second
46248 + one may apply a big amount of shift to the top of the stack and
46249 + cause problems for programs that want to use lots of memory (more
46250 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
46251 + For this reason the second step can be controlled by 'chpax' or
46252 + 'paxctl' on a per file basis.
46254 +config PAX_RANDMMAP
46255 + bool "Randomize mmap() base"
46256 + depends on PAX_ASLR
46258 + By saying Y here the kernel will use a randomized base address for
46259 + mmap() requests that do not specify one themselves. As a result
46260 + all dynamically loaded libraries will appear at random addresses
46261 + and therefore be harder to exploit by a technique where an attacker
46262 + attempts to execute library code for his purposes (e.g. spawn a
46263 + shell from an exploited program that is running at an elevated
46264 + privilege level).
46266 + Furthermore, if a program is relinked as a dynamic ELF file, its
46267 + base address will be randomized as well, completing the full
46268 + randomization of the address space layout. Attacking such programs
46269 + becomes a guess game. You can find an example of doing this at
46270 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
46271 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
46273 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
46274 + feature on a per file basis.
46278 +menu "Miscellaneous hardening features"
46280 +config PAX_MEMORY_SANITIZE
46281 + bool "Sanitize all freed memory"
46283 + By saying Y here the kernel will erase memory pages as soon as they
46284 + are freed. This in turn reduces the lifetime of data stored in the
46285 + pages, making it less likely that sensitive information such as
46286 + passwords, cryptographic secrets, etc stay in memory for too long.
46288 + This is especially useful for programs whose runtime is short, long
46289 + lived processes and the kernel itself benefit from this as long as
46290 + they operate on whole memory pages and ensure timely freeing of pages
46291 + that may hold sensitive information.
46293 + The tradeoff is performance impact, on a single CPU system kernel
46294 + compilation sees a 3% slowdown, other systems and workloads may vary
46295 + and you are advised to test this feature on your expected workload
46296 + before deploying it.
46298 + Note that this feature does not protect data stored in live pages,
46299 + e.g., process memory swapped to disk may stay there for a long time.
46301 +config PAX_MEMORY_UDEREF
46302 + bool "Prevent invalid userland pointer dereference"
46303 + depends on X86_32 && !UML_X86
46305 + By saying Y here the kernel will be prevented from dereferencing
46306 + userland pointers in contexts where the kernel expects only kernel
46307 + pointers. This is both a useful runtime debugging feature and a
46308 + security measure that prevents exploiting a class of kernel bugs.
46310 + The tradeoff is that some virtualization solutions may experience
46311 + a huge slowdown and therefore you should not enable this feature
46312 + for kernels meant to run in such environments. Whether a given VM
46313 + solution is affected or not is best determined by simply trying it
46314 + out, the performance impact will be obvious right on boot as this
46315 + mechanism engages from very early on. A good rule of thumb is that
46316 + VMs running on CPUs without hardware virtualization support (i.e.,
46317 + the majority of IA-32 CPUs) will likely experience the slowdown.
46319 +config PAX_REFCOUNT
46320 + bool "Prevent various kernel object reference counter overflows"
46321 + depends on GRKERNSEC && X86
46323 + By saying Y here the kernel will detect and prevent overflowing
46324 + various (but not all) kinds of object reference counters. Such
46325 + overflows can normally occur due to bugs only and are often, if
46326 + not always, exploitable.
46328 + The tradeoff is that data structures protected by an overflowed
46329 + refcount will never be freed and therefore will leak memory. Note
46330 + that this leak also happens even without this protection but in
46331 + that case the overflow can eventually trigger the freeing of the
46332 + data structure while it is still being used elsewhere, resulting
46333 + in the exploitable situation that this feature prevents.
46335 + Since this has a negligible performance impact, you should enable
46338 +config PAX_USERCOPY
46339 + bool "Bounds check heap object copies between kernel and userland"
46341 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
46343 + By saying Y here the kernel will enforce the size of heap objects
46344 + when they are copied in either direction between the kernel and
46345 + userland, even if only a part of the heap object is copied.
46347 + Specifically, this checking prevents information leaking from the
46348 + kernel heap during kernel to userland copies (if the kernel heap
46349 + object is otherwise fully initialized) and prevents kernel heap
46350 + overflows during userland to kernel copies.
46352 + Note that the current implementation provides the strictest checks
46353 + for the SLUB allocator.
46355 + Since this has a negligible performance impact, you should enable
46362 bool "Enable access key retention support"
46364 diff -urNp linux-2.6.31/security/smack/smackfs.c linux-2.6.31/security/smack/smackfs.c
46365 --- linux-2.6.31/security/smack/smackfs.c 2009-08-27 20:59:04.000000000 -0400
46366 +++ linux-2.6.31/security/smack/smackfs.c 2009-09-06 15:29:12.229103257 -0400
46367 @@ -187,7 +187,7 @@ static void load_seq_stop(struct seq_fil
46371 -static struct seq_operations load_seq_ops = {
46372 +static const struct seq_operations load_seq_ops = {
46373 .start = load_seq_start,
46374 .next = load_seq_next,
46375 .show = load_seq_show,
46376 @@ -503,7 +503,7 @@ static void cipso_seq_stop(struct seq_fi
46380 -static struct seq_operations cipso_seq_ops = {
46381 +static const struct seq_operations cipso_seq_ops = {
46382 .start = cipso_seq_start,
46383 .stop = cipso_seq_stop,
46384 .next = cipso_seq_next,
46385 @@ -697,7 +697,7 @@ static void netlbladdr_seq_stop(struct s
46389 -static struct seq_operations netlbladdr_seq_ops = {
46390 +static const struct seq_operations netlbladdr_seq_ops = {
46391 .start = netlbladdr_seq_start,
46392 .stop = netlbladdr_seq_stop,
46393 .next = netlbladdr_seq_next,
46394 diff -urNp linux-2.6.31/sound/aoa/codecs/onyx.c linux-2.6.31/sound/aoa/codecs/onyx.c
46395 --- linux-2.6.31/sound/aoa/codecs/onyx.c 2009-08-27 20:59:04.000000000 -0400
46396 +++ linux-2.6.31/sound/aoa/codecs/onyx.c 2009-09-06 15:29:12.345547346 -0400
46397 @@ -53,7 +53,7 @@ struct onyx {
46402 + atomic_t open_count;
46403 struct codec_info *codec_info;
46405 /* mutex serializes concurrent access to the device
46406 diff -urNp linux-2.6.31/sound/core/oss/pcm_oss.c linux-2.6.31/sound/core/oss/pcm_oss.c
46407 --- linux-2.6.31/sound/core/oss/pcm_oss.c 2009-08-27 20:59:04.000000000 -0400
46408 +++ linux-2.6.31/sound/core/oss/pcm_oss.c 2009-09-06 15:29:12.391029308 -0400
46409 @@ -2943,8 +2943,8 @@ static void snd_pcm_oss_proc_done(struct
46412 #else /* !CONFIG_SND_VERBOSE_PROCFS */
46413 -#define snd_pcm_oss_proc_init(pcm)
46414 -#define snd_pcm_oss_proc_done(pcm)
46415 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
46416 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
46417 #endif /* CONFIG_SND_VERBOSE_PROCFS */
46420 diff -urNp linux-2.6.31/sound/core/seq/seq_lock.h linux-2.6.31/sound/core/seq/seq_lock.h
46421 --- linux-2.6.31/sound/core/seq/seq_lock.h 2009-08-27 20:59:04.000000000 -0400
46422 +++ linux-2.6.31/sound/core/seq/seq_lock.h 2009-09-06 15:29:12.487947312 -0400
46423 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
46424 #else /* SMP || CONFIG_SND_DEBUG */
46426 typedef spinlock_t snd_use_lock_t; /* dummy */
46427 -#define snd_use_lock_init(lockp) /**/
46428 -#define snd_use_lock_use(lockp) /**/
46429 -#define snd_use_lock_free(lockp) /**/
46430 -#define snd_use_lock_sync(lockp) /**/
46431 +#define snd_use_lock_init(lockp) do {} while (0)
46432 +#define snd_use_lock_use(lockp) do {} while (0)
46433 +#define snd_use_lock_free(lockp) do {} while (0)
46434 +#define snd_use_lock_sync(lockp) do {} while (0)
46436 #endif /* SMP || CONFIG_SND_DEBUG */
46438 diff -urNp linux-2.6.31/sound/drivers/mts64.c linux-2.6.31/sound/drivers/mts64.c
46439 --- linux-2.6.31/sound/drivers/mts64.c 2009-08-27 20:59:04.000000000 -0400
46440 +++ linux-2.6.31/sound/drivers/mts64.c 2009-09-06 15:29:12.588308207 -0400
46441 @@ -65,7 +65,7 @@ struct mts64 {
46442 struct pardevice *pardev;
46443 int pardev_claimed;
46446 + atomic_t open_count;
46447 int current_midi_output_port;
46448 int current_midi_input_port;
46449 u8 mode[MTS64_NUM_INPUT_PORTS];
46450 @@ -695,7 +695,7 @@ static int snd_mts64_rawmidi_open(struct
46452 struct mts64 *mts = substream->rmidi->private_data;
46454 - if (mts->open_count == 0) {
46455 + if (atomic_read(&mts->open_count) == 0) {
46456 /* We don't need a spinlock here, because this is just called
46457 if the device has not been opened before.
46458 So there aren't any IRQs from the device */
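Review bot: The first-open decision on the changed line is still a plain read followed by a separate increment in the next hunk, so converting open_count to atomic_t does not make it atomic: two callers that both observe 0 would both run the initialization that follows. Whether that can happen depends on serialization this hunk does not show (presumably the rawmidi core serializes opens per device), and the existing comment only argues about IRQs, not concurrent opens. Suggest stating what the atomic_t is for and what actually serializes opens, e.g. `/* open_count is atomic_t for PAX_REFCOUNT overflow checking only; opens are serialized by the rawmidi core, not by this read */`, or, if nothing serializes them, test `atomic_inc_return(&mts->open_count) == 1` and drop the separate increment. snd_mts64_rawmidi_open starts before this hunk and continues after it.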
46459 @@ -703,7 +703,7 @@ static int snd_mts64_rawmidi_open(struct
46463 - ++(mts->open_count);
46464 + atomic_inc(&mts->open_count);
46468 @@ -713,8 +713,7 @@ static int snd_mts64_rawmidi_close(struc
46469 struct mts64 *mts = substream->rmidi->private_data;
46470 unsigned long flags;
46472 - --(mts->open_count);
46473 - if (mts->open_count == 0) {
46474 + if (atomic_dec_return(&mts->open_count) == 0) {
46475 /* We need the spinlock_irqsave here because we can still
46476 have IRQs at this point */
46477 spin_lock_irqsave(&mts->lock, flags);
46478 @@ -723,8 +722,8 @@ static int snd_mts64_rawmidi_close(struc
46482 - } else if (mts->open_count < 0)
46483 - mts->open_count = 0;
46484 + } else if (atomic_read(&mts->open_count) < 0)
46485 + atomic_set(&mts->open_count, 0);
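Review bot: The `< 0` branch on the changed line re-reads the counter instead of using the value that atomic_dec_return() already produced in the previous hunk, which reopens a window between the decrement and the check and lets the `atomic_set(&mts->open_count, 0)` reset race with a concurrent open. Capturing the result once removes the second read: `int count = atomic_dec_return(&mts->open_count);` followed by `if (count == 0) {` in the earlier hunk and `} else if (count < 0)` here. A negative count means an unbalanced close, so a `WARN_ON_ONCE(count < 0)` would be more useful than silently resetting it; snd_mts64_rawmidi_close starts before these hunks.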
46489 diff -urNp linux-2.6.31/sound/drivers/portman2x4.c linux-2.6.31/sound/drivers/portman2x4.c
46490 --- linux-2.6.31/sound/drivers/portman2x4.c 2009-08-27 20:59:04.000000000 -0400
46491 +++ linux-2.6.31/sound/drivers/portman2x4.c 2009-09-06 15:29:12.595326857 -0400
46492 @@ -83,7 +83,7 @@ struct portman {
46493 struct pardevice *pardev;
46494 int pardev_claimed;
46497 + atomic_t open_count;
46498 int mode[PORTMAN_NUM_INPUT_PORTS];
46499 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
46501 diff -urNp linux-2.6.31/sound/pci/ac97/ac97_patch.c linux-2.6.31/sound/pci/ac97/ac97_patch.c
46502 --- linux-2.6.31/sound/pci/ac97/ac97_patch.c 2009-08-27 20:59:04.000000000 -0400
46503 +++ linux-2.6.31/sound/pci/ac97/ac97_patch.c 2009-09-06 15:29:12.607257487 -0400
46504 @@ -1501,7 +1501,7 @@ static const struct snd_ac97_res_table a
46505 { AC97_VIDEO, 0x9f1f },
46506 { AC97_AUX, 0x9f1f },
46507 { AC97_PCM, 0x9f1f },
46508 - { } /* terminator */
46509 + { 0, 0 } /* terminator */
46512 static int patch_ad1819(struct snd_ac97 * ac97)
46513 @@ -3876,7 +3876,7 @@ static struct snd_ac97_res_table lm4550_
46514 { AC97_AUX, 0x1f1f },
46515 { AC97_PCM, 0x1f1f },
46516 { AC97_REC_GAIN, 0x0f0f },
46517 - { } /* terminator */
46518 + { 0, 0 } /* terminator */
46521 static int patch_lm4550(struct snd_ac97 *ac97)
46522 diff -urNp linux-2.6.31/sound/pci/ens1370.c linux-2.6.31/sound/pci/ens1370.c
46523 --- linux-2.6.31/sound/pci/ens1370.c 2009-08-27 20:59:04.000000000 -0400
46524 +++ linux-2.6.31/sound/pci/ens1370.c 2009-09-06 15:29:12.617151740 -0400
46525 @@ -452,7 +452,7 @@ static struct pci_device_id snd_audiopci
46526 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
46527 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
46530 + { 0, 0, 0, 0, 0, 0, 0 }
46533 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
46534 diff -urNp linux-2.6.31/sound/pci/intel8x0.c linux-2.6.31/sound/pci/intel8x0.c
46535 --- linux-2.6.31/sound/pci/intel8x0.c 2009-08-27 20:59:04.000000000 -0400
46536 +++ linux-2.6.31/sound/pci/intel8x0.c 2009-09-06 15:29:12.622167719 -0400
46537 @@ -444,7 +444,7 @@ static struct pci_device_id snd_intel8x0
46538 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
46539 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
46540 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
46542 + { 0, 0, 0, 0, 0, 0, 0 }
46545 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
46546 @@ -2105,7 +2105,7 @@ static struct ac97_quirk ac97_quirks[] _
46547 .type = AC97_TUNE_HP_ONLY
46550 - { } /* terminator */
46551 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
46554 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
46555 diff -urNp linux-2.6.31/sound/pci/intel8x0m.c linux-2.6.31/sound/pci/intel8x0m.c
46556 --- linux-2.6.31/sound/pci/intel8x0m.c 2009-08-27 20:59:04.000000000 -0400
46557 +++ linux-2.6.31/sound/pci/intel8x0m.c 2009-09-06 15:29:12.637303440 -0400
46558 @@ -239,7 +239,7 @@ static struct pci_device_id snd_intel8x0
46559 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
46560 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
46563 + { 0, 0, 0, 0, 0, 0, 0 }
46566 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
46567 @@ -1264,7 +1264,7 @@ static struct shortname_table {
46568 { 0x5455, "ALi M5455" },
46569 { 0x746d, "AMD AMD8111" },
46575 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
46576 diff -urNp linux-2.6.31/sound/usb/usx2y/us122l.c linux-2.6.31/sound/usb/usx2y/us122l.c
46577 --- linux-2.6.31/sound/usb/usx2y/us122l.c 2009-08-27 20:59:04.000000000 -0400
46578 +++ linux-2.6.31/sound/usb/usx2y/us122l.c 2009-09-06 15:29:12.652955379 -0400
46579 @@ -154,7 +154,7 @@ static void usb_stream_hwdep_vm_close(st
46580 snd_printdd(KERN_DEBUG "%i\n", atomic_read(&us122l->mmap_count));
46583 -static struct vm_operations_struct usb_stream_hwdep_vm_ops = {
46584 +static const struct vm_operations_struct usb_stream_hwdep_vm_ops = {
46585 .open = usb_stream_hwdep_vm_open,
46586 .fault = usb_stream_hwdep_vm_fault,
46587 .close = usb_stream_hwdep_vm_close,
46588 diff -urNp linux-2.6.31/sound/usb/usx2y/usX2Yhwdep.c linux-2.6.31/sound/usb/usx2y/usX2Yhwdep.c
46589 --- linux-2.6.31/sound/usb/usx2y/usX2Yhwdep.c 2009-08-27 20:59:04.000000000 -0400
46590 +++ linux-2.6.31/sound/usb/usx2y/usX2Yhwdep.c 2009-09-06 15:29:12.662976917 -0400
46591 @@ -53,7 +53,7 @@ static int snd_us428ctls_vm_fault(struct
46595 -static struct vm_operations_struct us428ctls_vm_ops = {
46596 +static const struct vm_operations_struct us428ctls_vm_ops = {
46597 .fault = snd_us428ctls_vm_fault,
46600 diff -urNp linux-2.6.31/sound/usb/usx2y/usx2yhwdeppcm.c linux-2.6.31/sound/usb/usx2y/usx2yhwdeppcm.c
46601 --- linux-2.6.31/sound/usb/usx2y/usx2yhwdeppcm.c 2009-08-27 20:59:04.000000000 -0400
46602 +++ linux-2.6.31/sound/usb/usx2y/usx2yhwdeppcm.c 2009-09-06 15:29:12.662976917 -0400
46603 @@ -697,7 +697,7 @@ static int snd_usX2Y_hwdep_pcm_vm_fault(
46607 -static struct vm_operations_struct snd_usX2Y_hwdep_pcm_vm_ops = {
46608 +static const struct vm_operations_struct snd_usX2Y_hwdep_pcm_vm_ops = {
46609 .open = snd_usX2Y_hwdep_pcm_vm_open,
46610 .close = snd_usX2Y_hwdep_pcm_vm_close,
46611 .fault = snd_usX2Y_hwdep_pcm_vm_fault,
46612 diff -urNp linux-2.6.31/usr/gen_init_cpio.c linux-2.6.31/usr/gen_init_cpio.c
46613 --- linux-2.6.31/usr/gen_init_cpio.c 2009-08-27 20:59:04.000000000 -0400
46614 +++ linux-2.6.31/usr/gen_init_cpio.c 2009-09-06 15:29:12.664163728 -0400
46615 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
46624 @@ -383,9 +383,10 @@ static char *cpio_replace_env(char *new_
46625 *env_var = *expanded = '\0';
46626 strncat(env_var, start + 2, end - start - 2);
46627 strncat(expanded, new_location, start - new_location);
46628 - strncat(expanded, getenv(env_var), PATH_MAX);
46629 - strncat(expanded, end + 1, PATH_MAX);
46630 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
46631 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
46632 strncpy(new_location, expanded, PATH_MAX);
46633 + new_location[PATH_MAX] = 0;
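Review bot: getenv(env_var) on the changed line returns NULL when the variable is unset, and strncat() with a NULL source is undefined behaviour (in practice a crash of the build helper); the new bound does not address that. Fetch it once and substitute the empty string: `const char *val = getenv(env_var);` and `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));`. The new bounds also make oversize expansions truncate silently, and since new_location ends up as a path inside the generated cpio image, an explicit length check that fails the build would be safer than truncation. cpio_replace_env starts before the hunk and continues after it; the bounds assume expanded and new_location are PATH_MAX + 1 bytes, which the trailing `new_location[PATH_MAX] = 0;` suggests but the hunk does not show.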
46637 diff -urNp linux-2.6.31/virt/kvm/kvm_main.c linux-2.6.31/virt/kvm/kvm_main.c
46638 --- linux-2.6.31/virt/kvm/kvm_main.c 2009-08-27 20:59:04.000000000 -0400
46639 +++ linux-2.6.31/virt/kvm/kvm_main.c 2009-09-06 15:29:12.664163728 -0400
46640 @@ -2353,6 +2353,9 @@ static struct miscdevice kvm_dev = {
46649 static void hardware_enable(void *junk)
46650 @@ -2512,7 +2515,7 @@ static int vcpu_stat_get(void *_offset,
46652 DEFINE_SIMPLE_ATTRIBUTE(vcpu_stat_fops, vcpu_stat_get, NULL, "%llu\n");
46654 -static struct file_operations *stat_fops[] = {
46655 +static const struct file_operations *stat_fops[] = {
46656 [KVM_STAT_VCPU] = &vcpu_stat_fops,
46657 [KVM_STAT_VM] = &vm_stat_fops,
46659 @@ -2584,7 +2587,7 @@ static void kvm_sched_out(struct preempt
46660 kvm_arch_vcpu_put(vcpu);
46663 -int kvm_init(void *opaque, unsigned int vcpu_size,
46664 +int kvm_init(const void *opaque, unsigned int vcpu_size,
46665 struct module *module)
46668 diff -u linux-2.6.31/arch/sparc/mm/fault_32.c linux-2.6.31/arch/sparc/mm/fault_32.c
46669 --- linux-2.6.31/arch/sparc/mm/fault_32.c 2009-09-06 15:29:11.154359141 -0400
46670 +++ linux-2.6.31/arch/sparc/mm/fault_32.c 2009-09-12 16:46:03.981340680 -0400
46671 @@ -376,6 +376,7 @@
46673 unsigned long addr;
46675 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
46676 addr = (save & 0x003FFFFFU) << 10;
46677 regs->u_regs[UREG_G2] = addr;
46678 addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
46680 diff -u linux-2.6.31/arch/sparc/mm/fault_64.c linux-2.6.31/arch/sparc/mm/fault_64.c
46681 --- linux-2.6.31/arch/sparc/mm/fault_64.c 2009-09-10 19:30:54.839077430 -0400
46682 +++ linux-2.6.31/arch/sparc/mm/fault_64.c 2009-09-23 19:35:08.312133590 -0400
46683 @@ -408,6 +408,10 @@
46685 regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
46686 addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
46688 + if (test_thread_flag(TIF_32BIT))
46689 + addr &= 0xFFFFFFFFUL;
46692 regs->tnpc = addr+4;
46694 @@ -499,6 +503,10 @@
46695 addr = (sethi & 0x003FFFFFU) << 10;
46696 regs->u_regs[UREG_G1] = addr;
46697 addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
46699 + if (test_thread_flag(TIF_32BIT))
46700 + addr &= 0xFFFFFFFFUL;
46703 regs->tnpc = addr+4;
46705 diff -u linux-2.6.31/arch/x86/boot/compressed/relocs.c linux-2.6.31/arch/x86/boot/compressed/relocs.c
46706 --- linux-2.6.31/arch/x86/boot/compressed/relocs.c 2009-09-06 15:29:11.165162482 -0400
46707 +++ linux-2.6.31/arch/x86/boot/compressed/relocs.c 2009-09-23 19:36:44.127930546 -0400
46708 @@ -551,19 +551,14 @@
46709 /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
46710 if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
46713 #if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
46714 /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
46715 - if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
46716 - if (strcmp(sym_name(sym_strtab, sym), "__init_begin"))
46719 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
46721 if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
46723 - if (!strcmp(sec_name(sym->st_shndx), ".text.head")) {
46724 - if (strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET"))
46727 - if (!strcmp(sec_name(sym->st_shndx), ".text"))
46728 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
46731 if (r_type == R_386_NONE || r_type == R_386_PC32) {
46732 diff -u linux-2.6.31/arch/x86/include/asm/pgtable_32_types.h linux-2.6.31/arch/x86/include/asm/pgtable_32_types.h
46733 --- linux-2.6.31/arch/x86/include/asm/pgtable_32_types.h 2009-09-06 15:29:11.185669248 -0400
46734 +++ linux-2.6.31/arch/x86/include/asm/pgtable_32_types.h 2009-09-23 19:35:08.323713226 -0400
46735 @@ -50,10 +50,10 @@
46736 #ifndef __ASSEMBLY__
46737 extern unsigned char MODULES_EXEC_VADDR[];
46738 extern unsigned char MODULES_EXEC_END[];
46739 -extern unsigned char KERNEL_TEXT_OFFSET[];
46741 -#define ktla_ktva(addr) (addr + (unsigned long)KERNEL_TEXT_OFFSET)
46742 -#define ktva_ktla(addr) (addr - (unsigned long)KERNEL_TEXT_OFFSET)
46743 +#include <asm/boot.h>
46744 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
46745 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
46747 #define ktla_ktva(addr) (addr)
46748 #define ktva_ktla(addr) (addr)
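Review bot: The new ktla_ktva()/ktva_ktla() definitions expand `addr` unparenthesized, so an argument containing a lower-precedence operator (a conditional expression, for instance) is mis-grouped with the added constants; the old definitions had the same flaw, but this is the place to fix it. Use `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The hunk also replaces a linker-provided symbol with a compile-time constant; if this is meant to stay equal to the __KERNEL_TEXT_OFFSET computed in the linker script, a one-line comment naming that dependency would help whoever changes either side.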
46749 diff -u linux-2.6.31/arch/x86/include/asm/pgtable_64.h linux-2.6.31/arch/x86/include/asm/pgtable_64.h
46750 --- linux-2.6.31/arch/x86/include/asm/pgtable_64.h 2009-09-06 15:30:00.013375877 -0400
46751 +++ linux-2.6.31/arch/x86/include/asm/pgtable_64.h 2009-09-23 19:36:44.127930546 -0400
46753 extern pud_t level3_ident_pgt[512];
46754 extern pud_t level3_vmalloc_pgt[512];
46755 extern pud_t level3_vmemmap_pgt[512];
46756 +extern pud_t level2_vmemmap_pgt[512];
46757 extern pmd_t level2_kernel_pgt[512];
46758 extern pmd_t level2_fixmap_pgt[512];
46759 extern pmd_t level2_ident_pgt[512*4];
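Review bot: The added declaration gives level2_vmemmap_pgt the type pud_t, while the other level2_* tables directly below it (level2_kernel_pgt, level2_fixmap_pgt, level2_ident_pgt) are pmd_t; a level-2 table holds PMD entries, so this looks like a copy of the level3_vmemmap_pgt line above with only the name changed. Unless the definition in head_64.S (not part of this hunk) really is a PUD-level table, it should read `extern pmd_t level2_vmemmap_pgt[512];`. The compiler will not catch the mismatch if set_page_prot() accepts a void pointer, which its use on both pud_t and pmd_t tables in the xen/mmu.c hunk suggests.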
46760 diff -u linux-2.6.31/arch/x86/include/asm/pgtable_types.h linux-2.6.31/arch/x86/include/asm/pgtable_types.h
46761 --- linux-2.6.31/arch/x86/include/asm/pgtable_types.h 2009-09-10 19:30:54.922535723 -0400
46762 +++ linux-2.6.31/arch/x86/include/asm/pgtable_types.h 2009-09-23 19:35:08.324829017 -0400
46763 @@ -281,8 +281,12 @@
46765 extern pteval_t __supported_pte_mask;
46766 #ifdef CONFIG_X86_32
46767 +#ifdef CONFIG_X86_PAE
46768 extern int nx_enabled;
46770 +#define nx_enabled (0)
46773 #define nx_enabled (1)
46776 diff -u linux-2.6.31/arch/x86/kernel/head_32.S linux-2.6.31/arch/x86/kernel/head_32.S
46777 --- linux-2.6.31/arch/x86/kernel/head_32.S 2009-09-10 19:30:54.973203235 -0400
46778 +++ linux-2.6.31/arch/x86/kernel/head_32.S 2009-09-23 19:35:08.345826891 -0400
46779 @@ -130,7 +130,7 @@
46781 #ifdef CONFIG_PAX_KERNEXEC
46782 movl $pa(boot_gdt),%edi
46783 - movl $KERNEL_TEXT_OFFSET,%eax
46784 + movl $__LOAD_PHYSICAL_ADDR + __PAGE_OFFSET,%eax
46785 movw %ax,__BOOT_CS + 2(%edi)
46787 movb %al,__BOOT_CS + 4(%edi)
46788 @@ -352,6 +352,7 @@
46792 +#ifdef CONFIG_X86_PAE
46793 btl $5, %eax # check if PAE is enabled
46796 @@ -376,7 +377,7 @@
46798 btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
46799 movl $1,pa(nx_enabled)
46805 diff -u linux-2.6.31/arch/x86/kernel/head_64.S linux-2.6.31/arch/x86/kernel/head_64.S
46806 --- linux-2.6.31/arch/x86/kernel/head_64.S 2009-09-06 15:30:00.014344371 -0400
46807 +++ linux-2.6.31/arch/x86/kernel/head_64.S 2009-09-23 19:36:44.127930546 -0400
46808 @@ -360,10 +360,14 @@
46810 NEXT_PAGE(level3_ident_pgt)
46811 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
46815 .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
46816 .quad level2_ident_pgt + 2*PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
46817 .quad level2_ident_pgt + 3*PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
46821 NEXT_PAGE(level3_vmalloc_pgt)
46823 diff -u linux-2.6.31/arch/x86/kernel/i386_ksyms_32.c linux-2.6.31/arch/x86/kernel/i386_ksyms_32.c
46824 --- linux-2.6.31/arch/x86/kernel/i386_ksyms_32.c 2009-09-06 15:29:11.209316692 -0400
46825 +++ linux-2.6.31/arch/x86/kernel/i386_ksyms_32.c 2009-09-23 19:35:08.346801595 -0400
46827 #ifdef CONFIG_PAX_KERNEXEC
46828 -EXPORT_SYMBOL(KERNEL_TEXT_OFFSET);
46829 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
46831 diff -u linux-2.6.31/arch/x86/kernel/vmlinux.lds.S linux-2.6.31/arch/x86/kernel/vmlinux.lds.S
46832 --- linux-2.6.31/arch/x86/kernel/vmlinux.lds.S 2009-09-06 15:29:11.228210710 -0400
46833 +++ linux-2.6.31/arch/x86/kernel/vmlinux.lds.S 2009-09-23 19:36:44.128906916 -0400
46835 #define PMD_SIZE (1 << PMD_SHIFT)
46837 #if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
46838 -#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + (((____LOAD_PHYSICAL_ADDR + PMD_SIZE - 1) - 1) & ~(PMD_SIZE - 1)))
46839 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
46841 #define __KERNEL_TEXT_OFFSET 0
46843 @@ -64,11 +64,12 @@
46844 #ifdef CONFIG_X86_64
46845 user PT_LOAD FLAGS(5); /* R_E */
46847 - smp PT_LOAD FLAGS(6); /* RW_ */
46848 + init.begin PT_LOAD FLAGS(6); /* RW_ */
46850 percpu PT_LOAD FLAGS(6); /* RW_ */
46852 text.init PT_LOAD FLAGS(5); /* R_E */
46853 + text.exit PT_LOAD FLAGS(5); /* R_E */
46854 init PT_LOAD FLAGS(7); /* RWE */
46855 note PT_NOTE FLAGS(0); /* ___ */
46857 @@ -76,32 +77,25 @@
46860 #ifdef CONFIG_X86_32
46861 -#ifdef CONFIG_PAX_KERNEXEC
46864 . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
46867 . = __START_KERNEL;
46870 /* Text and read-only data */
46872 - /* bootstrapping code */
46873 - .text.head : AT(ADDR(.text.head) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
46874 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
46875 + /* bootstrapping code */
46876 #ifdef CONFIG_X86_32
46877 phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
46879 phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
46881 __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
46882 - KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;
46887 - /* The rest of the text */
46888 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
46889 + /* The rest of the text */
46890 #ifdef CONFIG_X86_32
46891 /* not really needed, already page aligned */
46892 . = ALIGN(PAGE_SIZE);
46893 @@ -260,12 +254,9 @@
46895 #endif /* CONFIG_X86_64 */
46898 - * smp_locks might be freed after init
46899 - * start/end must be page aligned
46901 - . = ALIGN(PAGE_SIZE);
46902 - .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
46903 + /* Init code and data - will be freed after init */
46904 + .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
46907 #ifdef CONFIG_PAX_KERNEXEC
46908 . = ALIGN(PMD_SIZE);
46909 @@ -273,16 +264,8 @@
46910 . = ALIGN(PAGE_SIZE);
46915 - __smp_locks_end = .;
46918 - /* Init code and data - will be freed after init */
46919 - . = ALIGN(PAGE_SIZE);
46920 - .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
46921 __init_begin = .; /* paired with __init_end */
46927 @@ -306,7 +289,8 @@
46929 .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
46934 . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
46936 .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
46937 @@ -381,6 +365,18 @@
46942 + * smp_locks might be freed after init
46943 + * start/end must be page aligned
46945 + . = ALIGN(PAGE_SIZE);
46946 + .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
46949 + __smp_locks_end = .;
46950 + . = ALIGN(PAGE_SIZE);
46954 . = ALIGN(PAGE_SIZE);
46955 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
46956 @@ -430,7 +426,7 @@
46958 * Build-time check on the image size:
46960 -. = ASSERT((_end - KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
46961 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
46962 "kernel image bigger than KERNEL_IMAGE_SIZE");
46965 diff -u linux-2.6.31/arch/x86/mm/fault.c linux-2.6.31/arch/x86/mm/fault.c
46966 --- linux-2.6.31/arch/x86/mm/fault.c 2009-09-11 21:07:39.447754963 -0400
46967 +++ linux-2.6.31/arch/x86/mm/fault.c 2009-09-23 19:35:08.370727775 -0400
46969 #include <asm/traps.h> /* dotraplinkage, ... */
46970 #include <asm/pgalloc.h> /* pgd_*(), ... */
46971 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
46972 -#include <asm/tlbflush.h>
46973 #include <asm/vsyscall.h>
46974 +#include <asm/tlbflush.h>
46977 * Page fault error code bits:
46978 diff -u linux-2.6.31/arch/x86/mm/init.c linux-2.6.31/arch/x86/mm/init.c
46979 --- linux-2.6.31/arch/x86/mm/init.c 2009-09-12 18:39:06.077137325 -0400
46980 +++ linux-2.6.31/arch/x86/mm/init.c 2009-09-23 19:35:08.372682367 -0400
46981 @@ -28,11 +28,10 @@
46985 -#ifdef CONFIG_X86_32
46986 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
46990 -#if defined(CONFIG_X86_PAE) && !defined(CONFIG_PAX_PAGEEXEC)
46991 +#ifndef CONFIG_PAX_PAGEEXEC
46997 early_param("noexec", noexec_setup);
47001 #ifdef CONFIG_X86_PAE
47002 static void __init set_nx(void)
47003 @@ -460,7 +460,7 @@
47005 limit = (limit - 1UL) >> PAGE_SHIFT;
47007 - memset(KERNEL_TEXT_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
47008 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
47009 for (cpu = 0; cpu < NR_CPUS; cpu++) {
47010 pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
47011 write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
47012 diff -u linux-2.6.31/arch/x86/xen/mmu.c linux-2.6.31/arch/x86/xen/mmu.c
47013 --- linux-2.6.31/arch/x86/xen/mmu.c 2009-09-06 15:30:00.015296947 -0400
47014 +++ linux-2.6.31/arch/x86/xen/mmu.c 2009-09-23 19:36:44.128906916 -0400
47015 @@ -1730,6 +1730,7 @@
47016 set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
47017 set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
47018 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
47019 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
47020 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
47021 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
47023 diff -u linux-2.6.31/mm/slob.c linux-2.6.31/mm/slob.c
47024 --- linux-2.6.31/mm/slob.c 2009-09-06 15:29:12.204173926 -0400
47025 +++ linux-2.6.31/mm/slob.c 2009-09-23 19:37:56.543267332 -0400
47026 @@ -150,7 +150,7 @@
47028 static inline struct slob_page *slob_page(const void *addr)
47030 - return (struct slob_page *)virt_to_page(addr);
47031 + return (struct slob_page *)virt_to_head_page(addr);
47035 @@ -507,7 +507,7 @@
47036 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
47038 struct slob_page *sp;
47039 - sp = (struct slob_page *)virt_to_head_page(ret);
47040 + sp = slob_page(ret);
47044 @@ -568,7 +568,7 @@
47045 if (!virt_addr_valid(ptr))
47048 - sp = (struct slob_page *)virt_to_head_page(ptr);
47049 + sp = slob_page(ptr);
47050 /* XXX: can get a little tighter with this stack check */
47051 if (!PageSlobPage((struct page*)sp) && object_is_on_stack(ptr) &&
47052 (n > ((unsigned long)task_stack_page(current) + THREAD_SIZE -
47053 @@ -702,7 +702,7 @@
47054 struct slob_page *sp;
47056 b = slob_new_pages(flags, get_order(c->size), node);
47057 - sp = (struct slob_page *)virt_to_head_page(b);
47058 + sp = slob_page(b);
47059 sp->size = c->size;
47060 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
47061 PAGE_SIZE << get_order(c->size),
47062 @@ -720,9 +720,9 @@
47064 static void __kmem_cache_free(void *b, int size)
47066 - struct slob_page *sp = (struct slob_page *)virt_to_head_page(b);
47067 + struct slob_page *sp = slob_page(b);
47069 - if (slob_page(sp))
47070 + if (is_slob_page(sp))
47071 slob_free(b, size);
47073 clear_slob_page(sp);
47076 --- linux-2.6.31/arch/x86/kernel/cpu/Makefile 2009-09-09 18:13:59.000000000 -0400
47077 +++ linux-2.6.31/arch/x86/kernel/cpu/Makefile 2009-09-23 19:36:44.129883872 -0400
47078 @@ -7,10 +7,6 @@ ifdef CONFIG_FUNCTION_TRACER
47079 CFLAGS_REMOVE_common.o = -pg
47082 -# Make sure load_percpu_segment has no stackprotector
47083 -nostackp := $(call cc-option, -fno-stack-protector)
47084 -CFLAGS_common.o := $(nostackp)
47086 obj-y := intel_cacheinfo.o addon_cpuid_features.o
47087 obj-y += proc.o capflags.o powerflags.o common.o
47088 obj-y += vmware.o hypervisor.o
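Review bot: Dropping `-fno-stack-protector` for common.o re-enables canary instrumentation on load_percpu_segment(), and the deleted comment is the only record of why it was disabled, presumably because that function sets up the per-cpu segment the stack-protector canary is read from, so instrumenting it means reading the canary before its storage exists. If the patch handles this elsewhere (a relocated function, a no-stack-protector attribute, or a different canary location), that should be stated here in place of the removed comment; otherwise the three lines should stay. Only this Makefile hunk is visible, so I cannot tell which is the case.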