1 diff -urNp linux-2.6.35.7/arch/alpha/include/asm/dma-mapping.h linux-2.6.35.7/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.35.7/arch/alpha/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3 +++ linux-2.6.35.7/arch/alpha/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.35.7/arch/alpha/include/asm/elf.h linux-2.6.35.7/arch/alpha/include/asm/elf.h
17 --- linux-2.6.35.7/arch/alpha/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
18 +++ linux-2.6.35.7/arch/alpha/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.35.7/arch/alpha/include/asm/pgtable.h linux-2.6.35.7/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.35.7/arch/alpha/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
35 +++ linux-2.6.35.7/arch/alpha/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.35.7/arch/alpha/kernel/module.c linux-2.6.35.7/arch/alpha/kernel/module.c
55 --- linux-2.6.35.7/arch/alpha/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
56 +++ linux-2.6.35.7/arch/alpha/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
66 diff -urNp linux-2.6.35.7/arch/alpha/kernel/osf_sys.c linux-2.6.35.7/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.35.7/arch/alpha/kernel/osf_sys.c 2010-08-26 19:47:12.000000000 -0400
68 +++ linux-2.6.35.7/arch/alpha/kernel/osf_sys.c 2010-09-17 20:12:09.000000000 -0400
69 @@ -1170,7 +1170,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
78 @@ -1206,6 +1206,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1213,8 +1217,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
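Review bot: The context comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` directly above the changed call is now stale, because the new line passes `PAGE_ALIGN(current->mm->mmap_base)` instead of the fixed constant. I would update it to `/* Next, try allocating at the mm's mmap_base. */` so a reader does not assume the search still starts at a fixed address. The body of arch_get_unmapped_area continues outside the hunk.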
100 diff -urNp linux-2.6.35.7/arch/alpha/kernel/pci_iommu.c linux-2.6.35.7/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.35.7/arch/alpha/kernel/pci_iommu.c 2010-08-26 19:47:12.000000000 -0400
102 +++ linux-2.6.35.7/arch/alpha/kernel/pci_iommu.c 2010-09-17 20:12:09.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.35.7/arch/alpha/kernel/pci-noop.c linux-2.6.35.7/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.35.7/arch/alpha/kernel/pci-noop.c 2010-08-26 19:47:12.000000000 -0400
121 +++ linux-2.6.35.7/arch/alpha/kernel/pci-noop.c 2010-09-17 20:12:09.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.35.7/arch/alpha/mm/fault.c linux-2.6.35.7/arch/alpha/mm/fault.c
141 --- linux-2.6.35.7/arch/alpha/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
142 +++ linux-2.6.35.7/arch/alpha/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
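Review bot: In "patched PLT emulation #2" the second instruction is read into a variable named `lda`, but it is matched with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same constant that emulation #1 applies to its `ldq`. The arithmetic that follows (`regs->r27 += ...`, with no load through the computed address) looks like an address computation rather than a memory load, which suggests the constant rather than the name is the part to check against the Alpha encoding. If the constant is wrong, this branch would never recognise the trampoline it is meant to emulate, and the fault would presumably end in the "task should be killed" result. Separately, the `get_user()` casts such as `(unsigned int *)regs->pc` carry no `__user` annotation, unlike the ARM copy's `(__force unsigned char __user *)pc+i`, so sparse cannot check them. Several lines of this function are not visible in the listing, so confirm against the full file.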
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
299 diff -urNp linux-2.6.35.7/arch/arm/include/asm/elf.h linux-2.6.35.7/arch/arm/include/asm/elf.h
300 --- linux-2.6.35.7/arch/arm/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
301 +++ linux-2.6.35.7/arch/arm/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
302 @@ -111,7 +111,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
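Review bot: The change of `ELF_ET_DYN_BASE` from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` carries no comment explaining why, and the two forms look equivalent to a casual reader. Presumably `2 * TASK_SIZE` can wrap in 32-bit arithmetic before the division. A one-line comment such as `/* divide first: 2 * TASK_SIZE may overflow unsigned long */` would keep someone from simplifying it back. The same uncommented change appears in arch/avr32/include/asm/elf.h. A short comment stating what unit `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are in would also help, since `16 : 10` is otherwise opaque.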
318 diff -urNp linux-2.6.35.7/arch/arm/include/asm/kmap_types.h linux-2.6.35.7/arch/arm/include/asm/kmap_types.h
319 --- linux-2.6.35.7/arch/arm/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
320 +++ linux-2.6.35.7/arch/arm/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
321 @@ -21,6 +21,7 @@ enum km_type {
329 diff -urNp linux-2.6.35.7/arch/arm/include/asm/uaccess.h linux-2.6.35.7/arch/arm/include/asm/uaccess.h
330 --- linux-2.6.35.7/arch/arm/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
331 +++ linux-2.6.35.7/arch/arm/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
332 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
334 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
339 if (access_ok(VERIFY_READ, from, n))
340 n = __copy_from_user(to, from, n);
341 else /* security hole - plug it */
342 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
344 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
349 if (access_ok(VERIFY_WRITE, to, n))
350 n = __copy_to_user(to, from, n);
352 diff -urNp linux-2.6.35.7/arch/arm/kernel/kgdb.c linux-2.6.35.7/arch/arm/kernel/kgdb.c
353 --- linux-2.6.35.7/arch/arm/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
354 +++ linux-2.6.35.7/arch/arm/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
355 @@ -208,7 +208,7 @@ void kgdb_arch_exit(void)
356 * and we handle the normal undef case within the do_undefinstr
359 -struct kgdb_arch arch_kgdb_ops = {
360 +const struct kgdb_arch arch_kgdb_ops = {
362 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
363 #else /* ! __ARMEB__ */
364 diff -urNp linux-2.6.35.7/arch/arm/mach-at91/pm.c linux-2.6.35.7/arch/arm/mach-at91/pm.c
365 --- linux-2.6.35.7/arch/arm/mach-at91/pm.c 2010-08-26 19:47:12.000000000 -0400
366 +++ linux-2.6.35.7/arch/arm/mach-at91/pm.c 2010-09-17 20:12:09.000000000 -0400
367 @@ -294,7 +294,7 @@ static void at91_pm_end(void)
371 -static struct platform_suspend_ops at91_pm_ops ={
372 +static const struct platform_suspend_ops at91_pm_ops ={
373 .valid = at91_pm_valid_state,
374 .begin = at91_pm_begin,
375 .enter = at91_pm_enter,
376 diff -urNp linux-2.6.35.7/arch/arm/mach-davinci/pm.c linux-2.6.35.7/arch/arm/mach-davinci/pm.c
377 --- linux-2.6.35.7/arch/arm/mach-davinci/pm.c 2010-08-26 19:47:12.000000000 -0400
378 +++ linux-2.6.35.7/arch/arm/mach-davinci/pm.c 2010-09-17 20:12:09.000000000 -0400
379 @@ -110,7 +110,7 @@ static int davinci_pm_enter(suspend_stat
383 -static struct platform_suspend_ops davinci_pm_ops = {
384 +static const struct platform_suspend_ops davinci_pm_ops = {
385 .enter = davinci_pm_enter,
386 .valid = suspend_valid_only_mem,
388 diff -urNp linux-2.6.35.7/arch/arm/mach-msm/last_radio_log.c linux-2.6.35.7/arch/arm/mach-msm/last_radio_log.c
389 --- linux-2.6.35.7/arch/arm/mach-msm/last_radio_log.c 2010-08-26 19:47:12.000000000 -0400
390 +++ linux-2.6.35.7/arch/arm/mach-msm/last_radio_log.c 2010-09-17 20:12:09.000000000 -0400
391 @@ -47,6 +47,7 @@ static ssize_t last_radio_log_read(struc
395 +/* cannot be const, see msm_init_last_radio_log */
396 static struct file_operations last_radio_log_fops = {
397 .read = last_radio_log_read
399 diff -urNp linux-2.6.35.7/arch/arm/mach-omap1/pm.c linux-2.6.35.7/arch/arm/mach-omap1/pm.c
400 --- linux-2.6.35.7/arch/arm/mach-omap1/pm.c 2010-08-26 19:47:12.000000000 -0400
401 +++ linux-2.6.35.7/arch/arm/mach-omap1/pm.c 2010-09-17 20:12:09.000000000 -0400
402 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
406 -static struct platform_suspend_ops omap_pm_ops ={
407 +static const struct platform_suspend_ops omap_pm_ops ={
408 .prepare = omap_pm_prepare,
409 .enter = omap_pm_enter,
410 .finish = omap_pm_finish,
411 diff -urNp linux-2.6.35.7/arch/arm/mach-omap2/pm24xx.c linux-2.6.35.7/arch/arm/mach-omap2/pm24xx.c
412 --- linux-2.6.35.7/arch/arm/mach-omap2/pm24xx.c 2010-08-26 19:47:12.000000000 -0400
413 +++ linux-2.6.35.7/arch/arm/mach-omap2/pm24xx.c 2010-09-17 20:12:09.000000000 -0400
414 @@ -325,7 +325,7 @@ static void omap2_pm_finish(void)
418 -static struct platform_suspend_ops omap_pm_ops = {
419 +static const struct platform_suspend_ops omap_pm_ops = {
420 .prepare = omap2_pm_prepare,
421 .enter = omap2_pm_enter,
422 .finish = omap2_pm_finish,
423 diff -urNp linux-2.6.35.7/arch/arm/mach-omap2/pm34xx.c linux-2.6.35.7/arch/arm/mach-omap2/pm34xx.c
424 --- linux-2.6.35.7/arch/arm/mach-omap2/pm34xx.c 2010-08-26 19:47:12.000000000 -0400
425 +++ linux-2.6.35.7/arch/arm/mach-omap2/pm34xx.c 2010-09-17 20:12:09.000000000 -0400
426 @@ -669,7 +669,7 @@ static void omap3_pm_end(void)
430 -static struct platform_suspend_ops omap_pm_ops = {
431 +static const struct platform_suspend_ops omap_pm_ops = {
432 .begin = omap3_pm_begin,
434 .prepare = omap3_pm_prepare,
435 diff -urNp linux-2.6.35.7/arch/arm/mach-pnx4008/pm.c linux-2.6.35.7/arch/arm/mach-pnx4008/pm.c
436 --- linux-2.6.35.7/arch/arm/mach-pnx4008/pm.c 2010-08-26 19:47:12.000000000 -0400
437 +++ linux-2.6.35.7/arch/arm/mach-pnx4008/pm.c 2010-09-17 20:12:09.000000000 -0400
438 @@ -119,7 +119,7 @@ static int pnx4008_pm_valid(suspend_stat
439 (state == PM_SUSPEND_MEM);
442 -static struct platform_suspend_ops pnx4008_pm_ops = {
443 +static const struct platform_suspend_ops pnx4008_pm_ops = {
444 .enter = pnx4008_pm_enter,
445 .valid = pnx4008_pm_valid,
447 diff -urNp linux-2.6.35.7/arch/arm/mach-pxa/pm.c linux-2.6.35.7/arch/arm/mach-pxa/pm.c
448 --- linux-2.6.35.7/arch/arm/mach-pxa/pm.c 2010-08-26 19:47:12.000000000 -0400
449 +++ linux-2.6.35.7/arch/arm/mach-pxa/pm.c 2010-09-17 20:12:09.000000000 -0400
450 @@ -96,7 +96,7 @@ void pxa_pm_finish(void)
451 pxa_cpu_pm_fns->finish();
454 -static struct platform_suspend_ops pxa_pm_ops = {
455 +static const struct platform_suspend_ops pxa_pm_ops = {
456 .valid = pxa_pm_valid,
457 .enter = pxa_pm_enter,
458 .prepare = pxa_pm_prepare,
459 diff -urNp linux-2.6.35.7/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.35.7/arch/arm/mach-pxa/sharpsl_pm.c
460 --- linux-2.6.35.7/arch/arm/mach-pxa/sharpsl_pm.c 2010-08-26 19:47:12.000000000 -0400
461 +++ linux-2.6.35.7/arch/arm/mach-pxa/sharpsl_pm.c 2010-09-17 20:12:09.000000000 -0400
462 @@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
466 -static struct platform_suspend_ops sharpsl_pm_ops = {
467 +static const struct platform_suspend_ops sharpsl_pm_ops = {
468 .prepare = pxa_pm_prepare,
469 .finish = pxa_pm_finish,
470 .enter = corgi_pxa_pm_enter,
471 diff -urNp linux-2.6.35.7/arch/arm/mach-sa1100/pm.c linux-2.6.35.7/arch/arm/mach-sa1100/pm.c
472 --- linux-2.6.35.7/arch/arm/mach-sa1100/pm.c 2010-08-26 19:47:12.000000000 -0400
473 +++ linux-2.6.35.7/arch/arm/mach-sa1100/pm.c 2010-09-17 20:12:09.000000000 -0400
474 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
475 return virt_to_phys(sp);
478 -static struct platform_suspend_ops sa11x0_pm_ops = {
479 +static const struct platform_suspend_ops sa11x0_pm_ops = {
480 .enter = sa11x0_pm_enter,
481 .valid = suspend_valid_only_mem,
483 diff -urNp linux-2.6.35.7/arch/arm/mm/fault.c linux-2.6.35.7/arch/arm/mm/fault.c
484 --- linux-2.6.35.7/arch/arm/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
485 +++ linux-2.6.35.7/arch/arm/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
486 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
490 +#ifdef CONFIG_PAX_PAGEEXEC
491 + if (fsr & FSR_LNX_PF) {
492 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
493 + do_group_exit(SIGKILL);
497 tsk->thread.address = addr;
498 tsk->thread.error_code = fsr;
499 tsk->thread.trap_no = 14;
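Review bot: The added `if (fsr & FSR_LNX_PF)` branch does not consult the per-process flag, whereas the avr32 hunk tests `mm->pax_flags & MF_PAX_PAGEEXEC` and the alpha hunk tests `!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc` before taking the PaX path. As written, with CONFIG_PAX_PAGEEXEC built in, every user-mode prefetch fault that reaches __do_user_fault appears to end in `pax_report_fault()` and `do_group_exit(SIGKILL)`. That would include tasks with PAGEEXEC switched off, and the normal signal delivery below would be skipped. If that is intended it deserves a comment; otherwise guard it, for example `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`. The function body starts and ends outside the hunk, so the flag may be checked somewhere not shown.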
500 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
502 #endif /* CONFIG_MMU */
504 +#ifdef CONFIG_PAX_PAGEEXEC
505 +void pax_report_insns(void *pc, void *sp)
509 + printk(KERN_ERR "PAX: bytes at PC: ");
510 + for (i = 0; i < 20; i++) {
512 + if (get_user(c, (__force unsigned char __user *)pc+i))
513 + printk(KERN_CONT "?? ");
515 + printk(KERN_CONT "%02x ", c);
519 + printk(KERN_ERR "PAX: bytes at SP-4: ");
520 + for (i = -1; i < 20; i++) {
522 + if (get_user(c, (__force unsigned long __user *)sp+i))
523 + printk(KERN_CONT "???????? ");
525 + printk(KERN_CONT "%08lx ", c);
532 * First Level Translation Fault Handler
534 diff -urNp linux-2.6.35.7/arch/arm/mm/mmap.c linux-2.6.35.7/arch/arm/mm/mmap.c
535 --- linux-2.6.35.7/arch/arm/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
536 +++ linux-2.6.35.7/arch/arm/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
537 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
541 +#ifdef CONFIG_PAX_RANDMMAP
542 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
547 addr = COLOUR_ALIGN(addr, pgoff);
548 @@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
549 addr = PAGE_ALIGN(addr);
551 vma = find_vma(mm, addr);
552 - if (TASK_SIZE - len >= addr &&
553 - (!vma || addr + len <= vma->vm_start))
554 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
557 if (len > mm->cached_hole_size) {
558 - start_addr = addr = mm->free_area_cache;
559 + start_addr = addr = mm->free_area_cache;
561 - start_addr = addr = TASK_UNMAPPED_BASE;
562 - mm->cached_hole_size = 0;
563 + start_addr = addr = mm->mmap_base;
564 + mm->cached_hole_size = 0;
568 @@ -94,14 +97,14 @@ full_search:
569 * Start a new search - just in case we missed
572 - if (start_addr != TASK_UNMAPPED_BASE) {
573 - start_addr = addr = TASK_UNMAPPED_BASE;
574 + if (start_addr != mm->mmap_base) {
575 + start_addr = addr = mm->mmap_base;
576 mm->cached_hole_size = 0;
581 - if (!vma || addr + len <= vma->vm_start) {
582 + if (check_heap_stack_gap(vma, addr, len)) {
584 * Remember the place where we stopped the search:
586 diff -urNp linux-2.6.35.7/arch/arm/plat-samsung/pm.c linux-2.6.35.7/arch/arm/plat-samsung/pm.c
587 --- linux-2.6.35.7/arch/arm/plat-samsung/pm.c 2010-08-26 19:47:12.000000000 -0400
588 +++ linux-2.6.35.7/arch/arm/plat-samsung/pm.c 2010-09-17 20:12:09.000000000 -0400
589 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
590 s3c_pm_check_cleanup();
593 -static struct platform_suspend_ops s3c_pm_ops = {
594 +static const struct platform_suspend_ops s3c_pm_ops = {
595 .enter = s3c_pm_enter,
596 .prepare = s3c_pm_prepare,
597 .finish = s3c_pm_finish,
598 diff -urNp linux-2.6.35.7/arch/avr32/include/asm/elf.h linux-2.6.35.7/arch/avr32/include/asm/elf.h
599 --- linux-2.6.35.7/arch/avr32/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
600 +++ linux-2.6.35.7/arch/avr32/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
601 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
602 the loader. We need to make sure that it is out of the way of the program
603 that it will "exec", and that there is sufficient room for the brk. */
605 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
606 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
608 +#ifdef CONFIG_PAX_ASLR
609 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
611 +#define PAX_DELTA_MMAP_LEN 15
612 +#define PAX_DELTA_STACK_LEN 15
615 /* This yields a mask that user programs can use to figure out what
616 instruction set this CPU supports. This could be done in user space,
617 diff -urNp linux-2.6.35.7/arch/avr32/include/asm/kmap_types.h linux-2.6.35.7/arch/avr32/include/asm/kmap_types.h
618 --- linux-2.6.35.7/arch/avr32/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
619 +++ linux-2.6.35.7/arch/avr32/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
620 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
630 diff -urNp linux-2.6.35.7/arch/avr32/mach-at32ap/pm.c linux-2.6.35.7/arch/avr32/mach-at32ap/pm.c
631 --- linux-2.6.35.7/arch/avr32/mach-at32ap/pm.c 2010-08-26 19:47:12.000000000 -0400
632 +++ linux-2.6.35.7/arch/avr32/mach-at32ap/pm.c 2010-09-17 20:12:09.000000000 -0400
633 @@ -176,7 +176,7 @@ out:
637 -static struct platform_suspend_ops avr32_pm_ops = {
638 +static const struct platform_suspend_ops avr32_pm_ops = {
639 .valid = avr32_pm_valid_state,
640 .enter = avr32_pm_enter,
642 diff -urNp linux-2.6.35.7/arch/avr32/mm/fault.c linux-2.6.35.7/arch/avr32/mm/fault.c
643 --- linux-2.6.35.7/arch/avr32/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
644 +++ linux-2.6.35.7/arch/avr32/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
645 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
647 int exception_trace = 1;
649 +#ifdef CONFIG_PAX_PAGEEXEC
650 +void pax_report_insns(void *pc, void *sp)
654 + printk(KERN_ERR "PAX: bytes at PC: ");
655 + for (i = 0; i < 20; i++) {
657 + if (get_user(c, (unsigned char *)pc+i))
658 + printk(KERN_CONT "???????? ");
660 + printk(KERN_CONT "%02x ", c);
667 * This routine handles page faults. It determines the address and the
668 * problem, and then passes it off to one of the appropriate routines.
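Review bot: The failure placeholder in the added pax_report_insns prints `"???????? "` (eight characters) while the success path prints a single byte with `"%02x "`, so a partially unreadable dump no longer lines up byte for byte. The ARM copy of the same loop uses `"?? "`, and I would change this line to `printk(KERN_CONT "?? ");`. The cast `(unsigned char *)pc+i` also lacks the `__user` annotation that the ARM copy has in `(__force unsigned char __user *)pc+i`. The declaration of `c` is not visible in this listing, so check that its type matches `%02x`.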
669 @@ -157,6 +174,16 @@ bad_area:
670 up_read(&mm->mmap_sem);
672 if (user_mode(regs)) {
674 +#ifdef CONFIG_PAX_PAGEEXEC
675 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
676 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
677 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
678 + do_group_exit(SIGKILL);
683 if (exception_trace && printk_ratelimit())
684 printk("%s%s[%d]: segfault at %08lx pc %08lx "
685 "sp %08lx ecr %lu\n",
686 diff -urNp linux-2.6.35.7/arch/blackfin/kernel/kgdb.c linux-2.6.35.7/arch/blackfin/kernel/kgdb.c
687 --- linux-2.6.35.7/arch/blackfin/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
688 +++ linux-2.6.35.7/arch/blackfin/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
689 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
690 return -1; /* this means that we do not want to exit from the handler */
693 -struct kgdb_arch arch_kgdb_ops = {
694 +const struct kgdb_arch arch_kgdb_ops = {
695 .gdb_bpt_instr = {0xa1},
697 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
698 diff -urNp linux-2.6.35.7/arch/blackfin/mach-common/pm.c linux-2.6.35.7/arch/blackfin/mach-common/pm.c
699 --- linux-2.6.35.7/arch/blackfin/mach-common/pm.c 2010-08-26 19:47:12.000000000 -0400
700 +++ linux-2.6.35.7/arch/blackfin/mach-common/pm.c 2010-09-17 20:12:09.000000000 -0400
701 @@ -232,7 +232,7 @@ static int bfin_pm_enter(suspend_state_t
705 -struct platform_suspend_ops bfin_pm_ops = {
706 +const struct platform_suspend_ops bfin_pm_ops = {
707 .enter = bfin_pm_enter,
708 .valid = bfin_pm_valid,
710 diff -urNp linux-2.6.35.7/arch/blackfin/mm/maccess.c linux-2.6.35.7/arch/blackfin/mm/maccess.c
711 --- linux-2.6.35.7/arch/blackfin/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
712 +++ linux-2.6.35.7/arch/blackfin/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
713 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
714 return bfin_mem_access_type(addr, size);
717 -long probe_kernel_read(void *dst, void *src, size_t size)
718 +long probe_kernel_read(void *dst, const void *src, size_t size)
720 unsigned long lsrc = (unsigned long)src;
722 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
726 -long probe_kernel_write(void *dst, void *src, size_t size)
727 +long probe_kernel_write(void *dst, const void *src, size_t size)
729 unsigned long ldst = (unsigned long)dst;
731 diff -urNp linux-2.6.35.7/arch/frv/include/asm/kmap_types.h linux-2.6.35.7/arch/frv/include/asm/kmap_types.h
732 --- linux-2.6.35.7/arch/frv/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
733 +++ linux-2.6.35.7/arch/frv/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
734 @@ -23,6 +23,7 @@ enum km_type {
742 diff -urNp linux-2.6.35.7/arch/frv/mm/elf-fdpic.c linux-2.6.35.7/arch/frv/mm/elf-fdpic.c
743 --- linux-2.6.35.7/arch/frv/mm/elf-fdpic.c 2010-08-26 19:47:12.000000000 -0400
744 +++ linux-2.6.35.7/arch/frv/mm/elf-fdpic.c 2010-09-17 20:12:09.000000000 -0400
745 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
747 addr = PAGE_ALIGN(addr);
748 vma = find_vma(current->mm, addr);
749 - if (TASK_SIZE - len >= addr &&
750 - (!vma || addr + len <= vma->vm_start))
751 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
755 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
756 for (; vma; vma = vma->vm_next) {
759 - if (addr + len <= vma->vm_start)
760 + if (check_heap_stack_gap(vma, addr, len))
764 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
765 for (; vma; vma = vma->vm_next) {
768 - if (addr + len <= vma->vm_start)
769 + if (check_heap_stack_gap(vma, addr, len))
773 diff -urNp linux-2.6.35.7/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.35.7/arch/ia64/hp/common/hwsw_iommu.c
774 --- linux-2.6.35.7/arch/ia64/hp/common/hwsw_iommu.c 2010-08-26 19:47:12.000000000 -0400
775 +++ linux-2.6.35.7/arch/ia64/hp/common/hwsw_iommu.c 2010-09-17 20:12:09.000000000 -0400
777 #include <linux/swiotlb.h>
778 #include <asm/machvec.h>
780 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
781 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
783 /* swiotlb declarations & definitions: */
784 extern int swiotlb_late_init_with_default_size (size_t size);
785 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
786 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
789 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
790 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
792 if (use_swiotlb(dev))
793 return &swiotlb_dma_ops;
794 diff -urNp linux-2.6.35.7/arch/ia64/hp/common/sba_iommu.c linux-2.6.35.7/arch/ia64/hp/common/sba_iommu.c
795 --- linux-2.6.35.7/arch/ia64/hp/common/sba_iommu.c 2010-08-26 19:47:12.000000000 -0400
796 +++ linux-2.6.35.7/arch/ia64/hp/common/sba_iommu.c 2010-09-17 20:12:09.000000000 -0400
797 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
801 -extern struct dma_map_ops swiotlb_dma_ops;
802 +extern const struct dma_map_ops swiotlb_dma_ops;
806 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
808 __setup("sbapagesize=",sba_page_override);
810 -struct dma_map_ops sba_dma_ops = {
811 +const struct dma_map_ops sba_dma_ops = {
812 .alloc_coherent = sba_alloc_coherent,
813 .free_coherent = sba_free_coherent,
814 .map_page = sba_map_page,
815 diff -urNp linux-2.6.35.7/arch/ia64/include/asm/dma-mapping.h linux-2.6.35.7/arch/ia64/include/asm/dma-mapping.h
816 --- linux-2.6.35.7/arch/ia64/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
817 +++ linux-2.6.35.7/arch/ia64/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
820 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
822 -extern struct dma_map_ops *dma_ops;
823 +extern const struct dma_map_ops *dma_ops;
824 extern struct ia64_machine_vector ia64_mv;
825 extern void set_iommu_machvec(void);
827 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
828 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
829 dma_addr_t *daddr, gfp_t gfp)
831 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
832 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
835 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
836 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
837 static inline void dma_free_coherent(struct device *dev, size_t size,
838 void *caddr, dma_addr_t daddr)
840 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
841 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
842 debug_dma_free_coherent(dev, size, caddr, daddr);
843 ops->free_coherent(dev, size, caddr, daddr);
845 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
847 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
849 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
850 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
851 return ops->mapping_error(dev, daddr);
854 static inline int dma_supported(struct device *dev, u64 mask)
856 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
857 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
858 return ops->dma_supported(dev, mask);
861 diff -urNp linux-2.6.35.7/arch/ia64/include/asm/elf.h linux-2.6.35.7/arch/ia64/include/asm/elf.h
862 --- linux-2.6.35.7/arch/ia64/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
863 +++ linux-2.6.35.7/arch/ia64/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
866 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
868 +#ifdef CONFIG_PAX_ASLR
869 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
871 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
872 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
875 #define PT_IA_64_UNWIND 0x70000001
877 /* IA-64 relocations: */
878 diff -urNp linux-2.6.35.7/arch/ia64/include/asm/machvec.h linux-2.6.35.7/arch/ia64/include/asm/machvec.h
879 --- linux-2.6.35.7/arch/ia64/include/asm/machvec.h 2010-08-26 19:47:12.000000000 -0400
880 +++ linux-2.6.35.7/arch/ia64/include/asm/machvec.h 2010-09-17 20:12:09.000000000 -0400
881 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
882 /* DMA-mapping interface: */
883 typedef void ia64_mv_dma_init (void);
884 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
885 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
886 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
889 * WARNING: The legacy I/O space is _architected_. Platforms are
890 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
891 # endif /* CONFIG_IA64_GENERIC */
893 extern void swiotlb_dma_init(void);
894 -extern struct dma_map_ops *dma_get_ops(struct device *);
895 +extern const struct dma_map_ops *dma_get_ops(struct device *);
898 * Define default versions so we can extend machvec for new platforms without having
899 diff -urNp linux-2.6.35.7/arch/ia64/include/asm/pgtable.h linux-2.6.35.7/arch/ia64/include/asm/pgtable.h
900 --- linux-2.6.35.7/arch/ia64/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
901 +++ linux-2.6.35.7/arch/ia64/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
903 * David Mosberger-Tang <davidm@hpl.hp.com>
907 +#include <linux/const.h>
908 #include <asm/mman.h>
909 #include <asm/page.h>
910 #include <asm/processor.h>
912 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
913 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
914 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
916 +#ifdef CONFIG_PAX_PAGEEXEC
917 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
918 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
919 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
921 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
922 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
923 +# define PAGE_COPY_NOEXEC PAGE_COPY
926 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
927 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
928 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
929 diff -urNp linux-2.6.35.7/arch/ia64/include/asm/uaccess.h linux-2.6.35.7/arch/ia64/include/asm/uaccess.h
930 --- linux-2.6.35.7/arch/ia64/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
931 +++ linux-2.6.35.7/arch/ia64/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
932 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
933 const void *__cu_from = (from); \
934 long __cu_len = (n); \
936 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
937 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
938 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
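Review bot: The new guard `__cu_len > 0 && __cu_len <= INT_MAX` carries no comment explaining the bound or what the caller sees when it rejects a length, and the same applies to the second hunk of this file. Since `__cu_len` is a `long` initialised from `(n)`, a very large unsigned count becomes negative and is caught by the first test, which is worth stating. A comment above the `if`, such as `/* refuse negative or >INT_MAX lengths before any access; the unchanged length is then reported as not copied */`, would record this. The macro's tail is outside the hunk, so the last part should be checked against the full definition. It is also not visible here whether this header already pulls in the definition of `INT_MAX`.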
941 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
942 long __cu_len = (n); \
944 __chk_user_ptr(__cu_from); \
945 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
946 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
947 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
950 diff -urNp linux-2.6.35.7/arch/ia64/kernel/dma-mapping.c linux-2.6.35.7/arch/ia64/kernel/dma-mapping.c
951 --- linux-2.6.35.7/arch/ia64/kernel/dma-mapping.c 2010-08-26 19:47:12.000000000 -0400
952 +++ linux-2.6.35.7/arch/ia64/kernel/dma-mapping.c 2010-09-17 20:12:09.000000000 -0400
954 /* Set this to 1 if there is a HW IOMMU in the system */
955 int iommu_detected __read_mostly;
957 -struct dma_map_ops *dma_ops;
958 +const struct dma_map_ops *dma_ops;
959 EXPORT_SYMBOL(dma_ops);
961 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
962 @@ -16,7 +16,7 @@ static int __init dma_init(void)
964 fs_initcall(dma_init);
966 -struct dma_map_ops *dma_get_ops(struct device *dev)
967 +const struct dma_map_ops *dma_get_ops(struct device *dev)
971 diff -urNp linux-2.6.35.7/arch/ia64/kernel/module.c linux-2.6.35.7/arch/ia64/kernel/module.c
972 --- linux-2.6.35.7/arch/ia64/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
973 +++ linux-2.6.35.7/arch/ia64/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
974 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
976 module_free (struct module *mod, void *module_region)
978 - if (mod && mod->arch.init_unw_table &&
979 - module_region == mod->module_init) {
980 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
981 unw_remove_unwind_table(mod->arch.init_unw_table);
982 mod->arch.init_unw_table = NULL;
984 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
988 +in_init_rx (const struct module *mod, uint64_t addr)
990 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
994 +in_init_rw (const struct module *mod, uint64_t addr)
996 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1000 in_init (const struct module *mod, uint64_t addr)
1002 - return addr - (uint64_t) mod->module_init < mod->init_size;
1003 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1007 +in_core_rx (const struct module *mod, uint64_t addr)
1009 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1013 +in_core_rw (const struct module *mod, uint64_t addr)
1015 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1019 in_core (const struct module *mod, uint64_t addr)
1021 - return addr - (uint64_t) mod->module_core < mod->core_size;
1022 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1026 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1030 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1031 + if (in_init_rx(mod, val))
1032 + val -= (uint64_t) mod->module_init_rx;
1033 + else if (in_init_rw(mod, val))
1034 + val -= (uint64_t) mod->module_init_rw;
1035 + else if (in_core_rx(mod, val))
1036 + val -= (uint64_t) mod->module_core_rx;
1037 + else if (in_core_rw(mod, val))
1038 + val -= (uint64_t) mod->module_core_rw;
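Review bot: The new if/else-if chain in do_reloc has no final branch in the visible lines, so a `val` that lies in none of the four regions is left unadjusted. The removed expression fell back to `mod->module_core` for anything not in the init area. If that fallback was relied on, the result silently changes; if it cannot happen, an explicit last branch such as `else return -ENOEXEC;` with a message would fail the load instead of applying a wrong relocation. Several lines of this hunk are missing from the listing, so confirm against the full patch.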
1042 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1043 * addresses have been selected...
1046 - if (mod->core_size > MAX_LTOFF)
1047 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1049 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1050 * at the end of the module.
1052 - gp = mod->core_size - MAX_LTOFF / 2;
1053 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1055 - gp = mod->core_size / 2;
1056 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1057 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1058 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1060 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
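Review bot: `gp` is now computed as an offset into the combined size `mod->core_size_rx + mod->core_size_rw` but is still based at `mod->module_core_rx`. That is only correct if the rw region is mapped directly after the rx region, at `module_core_rx + core_size_rx`, and nothing in this hunk establishes that layout. The kept comment about SHF_ARCH_SMALL being "at the end of the module" also no longer says which of the two regions is meant. A short comment stating the contiguity assumption would help, or base the small-data case on `module_core_rw`. The enclosing function starts and ends outside the hunk.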
1062 diff -urNp linux-2.6.35.7/arch/ia64/kernel/pci-dma.c linux-2.6.35.7/arch/ia64/kernel/pci-dma.c
1063 --- linux-2.6.35.7/arch/ia64/kernel/pci-dma.c 2010-08-26 19:47:12.000000000 -0400
1064 +++ linux-2.6.35.7/arch/ia64/kernel/pci-dma.c 2010-09-17 20:12:09.000000000 -0400
1065 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1066 .dma_mask = &fallback_dev.coherent_dma_mask,
1069 -extern struct dma_map_ops intel_dma_ops;
1070 +extern const struct dma_map_ops intel_dma_ops;
1072 static int __init pci_iommu_init(void)
1074 diff -urNp linux-2.6.35.7/arch/ia64/kernel/pci-swiotlb.c linux-2.6.35.7/arch/ia64/kernel/pci-swiotlb.c
1075 --- linux-2.6.35.7/arch/ia64/kernel/pci-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
1076 +++ linux-2.6.35.7/arch/ia64/kernel/pci-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
1077 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1078 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1081 -struct dma_map_ops swiotlb_dma_ops = {
1082 +const struct dma_map_ops swiotlb_dma_ops = {
1083 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1084 .free_coherent = swiotlb_free_coherent,
1085 .map_page = swiotlb_map_page,
1086 diff -urNp linux-2.6.35.7/arch/ia64/kernel/sys_ia64.c linux-2.6.35.7/arch/ia64/kernel/sys_ia64.c
1087 --- linux-2.6.35.7/arch/ia64/kernel/sys_ia64.c 2010-08-26 19:47:12.000000000 -0400
1088 +++ linux-2.6.35.7/arch/ia64/kernel/sys_ia64.c 2010-09-17 20:12:09.000000000 -0400
1089 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1090 if (REGION_NUMBER(addr) == RGN_HPAGE)
1094 +#ifdef CONFIG_PAX_RANDMMAP
1095 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1096 + addr = mm->free_area_cache;
1101 addr = mm->free_area_cache;
1103 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1104 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1105 /* At this point: (!vma || addr < vma->vm_end). */
1106 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1107 - if (start_addr != TASK_UNMAPPED_BASE) {
1108 + if (start_addr != mm->mmap_base) {
1109 /* Start a new search --- just in case we missed some holes. */
1110 - addr = TASK_UNMAPPED_BASE;
1111 + addr = mm->mmap_base;
1116 - if (!vma || addr + len <= vma->vm_start) {
1117 + if (check_heap_stack_gap(vma, addr, len)) {
1118 /* Remember the address where we stopped this search: */
1119 mm->free_area_cache = addr + len;
1121 diff -urNp linux-2.6.35.7/arch/ia64/kernel/vmlinux.lds.S linux-2.6.35.7/arch/ia64/kernel/vmlinux.lds.S
1122 --- linux-2.6.35.7/arch/ia64/kernel/vmlinux.lds.S 2010-08-26 19:47:12.000000000 -0400
1123 +++ linux-2.6.35.7/arch/ia64/kernel/vmlinux.lds.S 2010-09-17 20:12:09.000000000 -0400
1124 @@ -196,7 +196,7 @@ SECTIONS
1126 . = ALIGN(PERCPU_PAGE_SIZE);
1127 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1128 - __phys_per_cpu_start = __per_cpu_load;
1129 + __phys_per_cpu_start = per_cpu_load;
1130 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1131 * into percpu page size
1133 diff -urNp linux-2.6.35.7/arch/ia64/mm/fault.c linux-2.6.35.7/arch/ia64/mm/fault.c
1134 --- linux-2.6.35.7/arch/ia64/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1135 +++ linux-2.6.35.7/arch/ia64/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1136 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1137 return pte_present(pte);
1140 +#ifdef CONFIG_PAX_PAGEEXEC
1141 +void pax_report_insns(void *pc, void *sp)
1145 + printk(KERN_ERR "PAX: bytes at PC: ");
1146 + for (i = 0; i < 8; i++) {
1148 + if (get_user(c, (unsigned int *)pc+i))
1149 + printk(KERN_CONT "???????? ");
1151 + printk(KERN_CONT "%08x ", c);
1158 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
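Review bot: In the added `pax_report_insns`, the pointer handed to `get_user` is written `(unsigned int *)pc+i`, without the `__user` address-space annotation, so sparse cannot check it as a user access. The same line appears in the copy added to arch/mips/mm/fault.c. `(unsigned int __user *)pc + i` states the intent. The `sp` parameter is not used in the visible lines; if that holds for the full body, a comment saying it exists only to match the common prototype would help. The function would also benefit from a header comment noting that it writes user-memory contents at the faulting PC to the kernel log.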
1160 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1161 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1162 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1164 - if ((vma->vm_flags & mask) != mask)
1165 + if ((vma->vm_flags & mask) != mask) {
1167 +#ifdef CONFIG_PAX_PAGEEXEC
1168 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1169 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1172 + up_read(&mm->mmap_sem);
1173 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1174 + do_group_exit(SIGKILL);
1183 * If for any reason at all we couldn't handle the fault, make
1184 * sure we exit gracefully rather than endlessly redo the
1185 diff -urNp linux-2.6.35.7/arch/ia64/mm/hugetlbpage.c linux-2.6.35.7/arch/ia64/mm/hugetlbpage.c
1186 --- linux-2.6.35.7/arch/ia64/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
1187 +++ linux-2.6.35.7/arch/ia64/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
1188 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1189 /* At this point: (!vmm || addr < vmm->vm_end). */
1190 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1192 - if (!vmm || (addr + len) <= vmm->vm_start)
1193 + if (check_heap_stack_gap(vmm, addr, len))
1195 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1197 diff -urNp linux-2.6.35.7/arch/ia64/mm/init.c linux-2.6.35.7/arch/ia64/mm/init.c
1198 --- linux-2.6.35.7/arch/ia64/mm/init.c 2010-08-26 19:47:12.000000000 -0400
1199 +++ linux-2.6.35.7/arch/ia64/mm/init.c 2010-09-17 20:12:09.000000000 -0400
1200 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1201 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1202 vma->vm_end = vma->vm_start + PAGE_SIZE;
1203 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1205 +#ifdef CONFIG_PAX_PAGEEXEC
1206 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1207 + vma->vm_flags &= ~VM_EXEC;
1209 +#ifdef CONFIG_PAX_MPROTECT
1210 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1211 + vma->vm_flags &= ~VM_MAYEXEC;
1217 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1218 down_write(¤t->mm->mmap_sem);
1219 if (insert_vm_struct(current->mm, vma)) {
1220 diff -urNp linux-2.6.35.7/arch/ia64/sn/pci/pci_dma.c linux-2.6.35.7/arch/ia64/sn/pci/pci_dma.c
1221 --- linux-2.6.35.7/arch/ia64/sn/pci/pci_dma.c 2010-08-26 19:47:12.000000000 -0400
1222 +++ linux-2.6.35.7/arch/ia64/sn/pci/pci_dma.c 2010-09-17 20:12:09.000000000 -0400
1223 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1227 -static struct dma_map_ops sn_dma_ops = {
1228 +static const struct dma_map_ops sn_dma_ops = {
1229 .alloc_coherent = sn_dma_alloc_coherent,
1230 .free_coherent = sn_dma_free_coherent,
1231 .map_page = sn_dma_map_page,
1232 diff -urNp linux-2.6.35.7/arch/m32r/lib/usercopy.c linux-2.6.35.7/arch/m32r/lib/usercopy.c
1233 --- linux-2.6.35.7/arch/m32r/lib/usercopy.c 2010-08-26 19:47:12.000000000 -0400
1234 +++ linux-2.6.35.7/arch/m32r/lib/usercopy.c 2010-09-17 20:12:09.000000000 -0400
1237 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1243 if (access_ok(VERIFY_WRITE, to, n))
1244 __copy_user(to,from,n);
1245 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1247 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1253 if (access_ok(VERIFY_READ, from, n))
1254 __copy_user_zeroing(to,from,n);
1255 diff -urNp linux-2.6.35.7/arch/microblaze/include/asm/device.h linux-2.6.35.7/arch/microblaze/include/asm/device.h
1256 --- linux-2.6.35.7/arch/microblaze/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1257 +++ linux-2.6.35.7/arch/microblaze/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1258 @@ -13,7 +13,7 @@ struct device_node;
1260 struct dev_archdata {
1261 /* DMA operations on that device */
1262 - struct dma_map_ops *dma_ops;
1263 + const struct dma_map_ops *dma_ops;
1267 diff -urNp linux-2.6.35.7/arch/microblaze/include/asm/dma-mapping.h linux-2.6.35.7/arch/microblaze/include/asm/dma-mapping.h
1268 --- linux-2.6.35.7/arch/microblaze/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
1269 +++ linux-2.6.35.7/arch/microblaze/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
1270 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1271 return 0xfffffffful;
1274 -extern struct dma_map_ops *dma_ops;
1275 +extern const struct dma_map_ops *dma_ops;
1278 * Available generic sets of operations
1280 -extern struct dma_map_ops dma_direct_ops;
1281 +extern const struct dma_map_ops dma_direct_ops;
1283 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1284 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1286 /* We don't handle the NULL dev case for ISA for now. We could
1287 * do it via an out of line call but it is not needed for now. The
1288 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1289 return dev->archdata.dma_ops;
1292 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1293 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1295 dev->archdata.dma_ops = ops;
1298 static inline int dma_supported(struct device *dev, u64 mask)
1300 - struct dma_map_ops *ops = get_dma_ops(dev);
1301 + const struct dma_map_ops *ops = get_dma_ops(dev);
1305 @@ -87,7 +87,7 @@ static inline int dma_supported(struct d
1307 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1309 - struct dma_map_ops *ops = get_dma_ops(dev);
1310 + const struct dma_map_ops *ops = get_dma_ops(dev);
1312 if (unlikely(ops == NULL))
1314 @@ -103,7 +103,7 @@ static inline int dma_set_mask(struct de
1316 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1318 - struct dma_map_ops *ops = get_dma_ops(dev);
1319 + const struct dma_map_ops *ops = get_dma_ops(dev);
1320 if (ops->mapping_error)
1321 return ops->mapping_error(dev, dma_addr);
1323 @@ -117,7 +117,7 @@ static inline int dma_mapping_error(stru
1324 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1325 dma_addr_t *dma_handle, gfp_t flag)
1327 - struct dma_map_ops *ops = get_dma_ops(dev);
1328 + const struct dma_map_ops *ops = get_dma_ops(dev);
1332 @@ -131,7 +131,7 @@ static inline void *dma_alloc_coherent(s
1333 static inline void dma_free_coherent(struct device *dev, size_t size,
1334 void *cpu_addr, dma_addr_t dma_handle)
1336 - struct dma_map_ops *ops = get_dma_ops(dev);
1337 + const struct dma_map_ops *ops = get_dma_ops(dev);
1340 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1341 diff -urNp linux-2.6.35.7/arch/microblaze/include/asm/pci.h linux-2.6.35.7/arch/microblaze/include/asm/pci.h
1342 --- linux-2.6.35.7/arch/microblaze/include/asm/pci.h 2010-08-26 19:47:12.000000000 -0400
1343 +++ linux-2.6.35.7/arch/microblaze/include/asm/pci.h 2010-09-17 20:12:09.000000000 -0400
1344 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1348 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1349 -extern struct dma_map_ops *get_pci_dma_ops(void);
1350 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1351 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1352 #else /* CONFIG_PCI */
1353 #define set_pci_dma_ops(d)
1354 #define get_pci_dma_ops() NULL
1355 diff -urNp linux-2.6.35.7/arch/microblaze/kernel/dma.c linux-2.6.35.7/arch/microblaze/kernel/dma.c
1356 --- linux-2.6.35.7/arch/microblaze/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
1357 +++ linux-2.6.35.7/arch/microblaze/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
1358 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1359 __dma_sync_page(dma_address, 0 , size, direction);
1362 -struct dma_map_ops dma_direct_ops = {
1363 +const struct dma_map_ops dma_direct_ops = {
1364 .alloc_coherent = dma_direct_alloc_coherent,
1365 .free_coherent = dma_direct_free_coherent,
1366 .map_sg = dma_direct_map_sg,
1367 diff -urNp linux-2.6.35.7/arch/microblaze/pci/pci-common.c linux-2.6.35.7/arch/microblaze/pci/pci-common.c
1368 --- linux-2.6.35.7/arch/microblaze/pci/pci-common.c 2010-08-26 19:47:12.000000000 -0400
1369 +++ linux-2.6.35.7/arch/microblaze/pci/pci-common.c 2010-09-17 20:12:09.000000000 -0400
1370 @@ -46,14 +46,14 @@ resource_size_t isa_mem_base;
1371 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1372 unsigned int pci_flags;
1374 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1375 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1377 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1378 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1380 pci_dma_ops = dma_ops;
1383 -struct dma_map_ops *get_pci_dma_ops(void)
1384 +const struct dma_map_ops *get_pci_dma_ops(void)
1388 diff -urNp linux-2.6.35.7/arch/mips/alchemy/devboards/pm.c linux-2.6.35.7/arch/mips/alchemy/devboards/pm.c
1389 --- linux-2.6.35.7/arch/mips/alchemy/devboards/pm.c 2010-08-26 19:47:12.000000000 -0400
1390 +++ linux-2.6.35.7/arch/mips/alchemy/devboards/pm.c 2010-09-17 20:12:09.000000000 -0400
1391 @@ -110,7 +110,7 @@ static void db1x_pm_end(void)
1395 -static struct platform_suspend_ops db1x_pm_ops = {
1396 +static const struct platform_suspend_ops db1x_pm_ops = {
1397 .valid = suspend_valid_only_mem,
1398 .begin = db1x_pm_begin,
1399 .enter = db1x_pm_enter,
1400 diff -urNp linux-2.6.35.7/arch/mips/include/asm/elf.h linux-2.6.35.7/arch/mips/include/asm/elf.h
1401 --- linux-2.6.35.7/arch/mips/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
1402 +++ linux-2.6.35.7/arch/mips/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
1403 @@ -368,6 +368,13 @@ extern const char *__elf_platform;
1404 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1407 +#ifdef CONFIG_PAX_ASLR
1408 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1410 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1411 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1414 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1415 struct linux_binprm;
1416 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
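Review bot: `PAX_ELF_ET_DYN_BASE` is defined as `test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL`, so both arms of the conditional are the same value and the flag test has no effect. The identical definition is repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks. If one base for both ABIs is intended, `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` says so directly; otherwise the 64-bit arm looks like a copy of the 32-bit one and needs its own value. The `27-PAGE_SHIFT` and `36-PAGE_SHIFT` lengths could carry a comment giving the address-space width they assume.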
1417 diff -urNp linux-2.6.35.7/arch/mips/include/asm/page.h linux-2.6.35.7/arch/mips/include/asm/page.h
1418 --- linux-2.6.35.7/arch/mips/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
1419 +++ linux-2.6.35.7/arch/mips/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
1420 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1421 #ifdef CONFIG_CPU_MIPS32
1422 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1423 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1424 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1425 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1427 typedef struct { unsigned long long pte; } pte_t;
1428 #define pte_val(x) ((x).pte)
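Review bot: The new `__pte(x)` initialises the high word with `(x) >> 32` after dropping the `(unsigned long long)` cast. This branch is under `CONFIG_CPU_MIPS32`, where the `pte_t` fields are `unsigned long`. If a caller passes a 32-bit value, the shift count equals the operand width, which is undefined behaviour in C rather than a guaranteed zero. Keeping the cast, `{(x), ((unsigned long long)(x)) >> 32}`, avoids that, or a comment should state that `x` must always be a 64-bit expression.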
1429 diff -urNp linux-2.6.35.7/arch/mips/include/asm/system.h linux-2.6.35.7/arch/mips/include/asm/system.h
1430 --- linux-2.6.35.7/arch/mips/include/asm/system.h 2010-08-26 19:47:12.000000000 -0400
1431 +++ linux-2.6.35.7/arch/mips/include/asm/system.h 2010-09-17 20:12:09.000000000 -0400
1432 @@ -234,6 +234,6 @@ extern void per_cpu_trap_init(void);
1434 #define __ARCH_WANT_UNLOCKED_CTXSW
1436 -extern unsigned long arch_align_stack(unsigned long sp);
1437 +#define arch_align_stack(x) ((x) & ALMASK)
1439 #endif /* _ASM_SYSTEM_H */
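Review bot: Replacing the `arch_align_stack()` declaration with `#define arch_align_stack(x) ((x) & ALMASK)` is not placed under any `CONFIG_PAX_*` guard in the visible lines. The function deleted from arch/mips/kernel/process.c also subtracted `get_random_int() & ~PAGE_MASK` when randomisation was enabled. A kernel built from this tree without the PaX ASLR option would therefore appear to lose the sub-page stack offset altogether. Either keep the original function under `#ifndef CONFIG_PAX_ASLR`, or add a comment here stating which mechanism now provides stack randomisation.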
1440 diff -urNp linux-2.6.35.7/arch/mips/kernel/binfmt_elfn32.c linux-2.6.35.7/arch/mips/kernel/binfmt_elfn32.c
1441 --- linux-2.6.35.7/arch/mips/kernel/binfmt_elfn32.c 2010-08-26 19:47:12.000000000 -0400
1442 +++ linux-2.6.35.7/arch/mips/kernel/binfmt_elfn32.c 2010-09-17 20:12:09.000000000 -0400
1443 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1444 #undef ELF_ET_DYN_BASE
1445 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1447 +#ifdef CONFIG_PAX_ASLR
1448 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1450 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1451 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1454 #include <asm/processor.h>
1455 #include <linux/module.h>
1456 #include <linux/elfcore.h>
1457 diff -urNp linux-2.6.35.7/arch/mips/kernel/binfmt_elfo32.c linux-2.6.35.7/arch/mips/kernel/binfmt_elfo32.c
1458 --- linux-2.6.35.7/arch/mips/kernel/binfmt_elfo32.c 2010-08-26 19:47:12.000000000 -0400
1459 +++ linux-2.6.35.7/arch/mips/kernel/binfmt_elfo32.c 2010-09-17 20:12:09.000000000 -0400
1460 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1461 #undef ELF_ET_DYN_BASE
1462 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1464 +#ifdef CONFIG_PAX_ASLR
1465 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1467 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1468 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1471 #include <asm/processor.h>
1474 diff -urNp linux-2.6.35.7/arch/mips/kernel/kgdb.c linux-2.6.35.7/arch/mips/kernel/kgdb.c
1475 --- linux-2.6.35.7/arch/mips/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
1476 +++ linux-2.6.35.7/arch/mips/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
1477 @@ -270,6 +270,7 @@ int kgdb_arch_handle_exception(int vecto
1481 +/* cannot be const, see kgdb_arch_init */
1482 struct kgdb_arch arch_kgdb_ops;
1485 diff -urNp linux-2.6.35.7/arch/mips/kernel/process.c linux-2.6.35.7/arch/mips/kernel/process.c
1486 --- linux-2.6.35.7/arch/mips/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
1487 +++ linux-2.6.35.7/arch/mips/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
1488 @@ -474,15 +474,3 @@ unsigned long get_wchan(struct task_stru
1494 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1495 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1497 -unsigned long arch_align_stack(unsigned long sp)
1499 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1500 - sp -= get_random_int() & ~PAGE_MASK;
1502 - return sp & ALMASK;
1504 diff -urNp linux-2.6.35.7/arch/mips/kernel/syscall.c linux-2.6.35.7/arch/mips/kernel/syscall.c
1505 --- linux-2.6.35.7/arch/mips/kernel/syscall.c 2010-08-26 19:47:12.000000000 -0400
1506 +++ linux-2.6.35.7/arch/mips/kernel/syscall.c 2010-09-17 20:12:09.000000000 -0400
1507 @@ -106,17 +106,21 @@ unsigned long arch_get_unmapped_area(str
1509 if (filp || (flags & MAP_SHARED))
1512 +#ifdef CONFIG_PAX_RANDMMAP
1513 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1518 addr = COLOUR_ALIGN(addr, pgoff);
1520 addr = PAGE_ALIGN(addr);
1521 vmm = find_vma(current->mm, addr);
1522 - if (task_size - len >= addr &&
1523 - (!vmm || addr + len <= vmm->vm_start))
1524 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1527 - addr = TASK_UNMAPPED_BASE;
1528 + addr = current->mm->mmap_base;
1530 addr = COLOUR_ALIGN(addr, pgoff);
1532 @@ -126,7 +130,7 @@ unsigned long arch_get_unmapped_area(str
1533 /* At this point: (!vmm || addr < vmm->vm_end). */
1534 if (task_size - len < addr)
1536 - if (!vmm || addr + len <= vmm->vm_start)
1537 + if (check_heap_stack_gap(vmm, addr, len))
1541 diff -urNp linux-2.6.35.7/arch/mips/loongson/common/pm.c linux-2.6.35.7/arch/mips/loongson/common/pm.c
1542 --- linux-2.6.35.7/arch/mips/loongson/common/pm.c 2010-08-26 19:47:12.000000000 -0400
1543 +++ linux-2.6.35.7/arch/mips/loongson/common/pm.c 2010-09-17 20:12:09.000000000 -0400
1544 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1548 -static struct platform_suspend_ops loongson_pm_ops = {
1549 +static const struct platform_suspend_ops loongson_pm_ops = {
1550 .valid = loongson_pm_valid_state,
1551 .enter = loongson_pm_enter,
1553 diff -urNp linux-2.6.35.7/arch/mips/mm/fault.c linux-2.6.35.7/arch/mips/mm/fault.c
1554 --- linux-2.6.35.7/arch/mips/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1555 +++ linux-2.6.35.7/arch/mips/mm/fault.c 2010-10-11 22:41:44.000000000 -0400
1557 #include <asm/ptrace.h>
1558 #include <asm/highmem.h> /* For VMALLOC_END */
1560 +#ifdef CONFIG_PAX_PAGEEXEC
1561 +void pax_report_insns(void *pc, void *sp)
1565 + printk(KERN_ERR "PAX: bytes at PC: ");
1566 + for (i = 0; i < 5; i++) {
1568 + if (get_user(c, (unsigned int *)pc+i))
1569 + printk(KERN_CONT "???????? ");
1571 + printk(KERN_CONT "%08x ", c);
1578 * This routine handles page faults. It determines the address,
1579 * and the problem, and then passes it off to one of the appropriate
1580 diff -urNp linux-2.6.35.7/arch/parisc/include/asm/elf.h linux-2.6.35.7/arch/parisc/include/asm/elf.h
1581 --- linux-2.6.35.7/arch/parisc/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
1582 +++ linux-2.6.35.7/arch/parisc/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
1583 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1585 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1587 +#ifdef CONFIG_PAX_ASLR
1588 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1590 +#define PAX_DELTA_MMAP_LEN 16
1591 +#define PAX_DELTA_STACK_LEN 16
1594 /* This yields a mask that user programs can use to figure out what
1595 instruction set this CPU supports. This could be done in user space,
1596 but it's not easy, and we've already done it here. */
1597 diff -urNp linux-2.6.35.7/arch/parisc/include/asm/pgtable.h linux-2.6.35.7/arch/parisc/include/asm/pgtable.h
1598 --- linux-2.6.35.7/arch/parisc/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
1599 +++ linux-2.6.35.7/arch/parisc/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
1600 @@ -207,6 +207,17 @@
1601 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1602 #define PAGE_COPY PAGE_EXECREAD
1603 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1605 +#ifdef CONFIG_PAX_PAGEEXEC
1606 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1607 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1608 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1610 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1611 +# define PAGE_COPY_NOEXEC PAGE_COPY
1612 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1615 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1616 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1617 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1618 diff -urNp linux-2.6.35.7/arch/parisc/kernel/module.c linux-2.6.35.7/arch/parisc/kernel/module.c
1619 --- linux-2.6.35.7/arch/parisc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
1620 +++ linux-2.6.35.7/arch/parisc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
1623 /* three functions to determine where in the module core
1624 * or init pieces the location is */
1625 +static inline int in_init_rx(struct module *me, void *loc)
1627 + return (loc >= me->module_init_rx &&
1628 + loc < (me->module_init_rx + me->init_size_rx));
1631 +static inline int in_init_rw(struct module *me, void *loc)
1633 + return (loc >= me->module_init_rw &&
1634 + loc < (me->module_init_rw + me->init_size_rw));
1637 static inline int in_init(struct module *me, void *loc)
1639 - return (loc >= me->module_init &&
1640 - loc <= (me->module_init + me->init_size));
1641 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1644 +static inline int in_core_rx(struct module *me, void *loc)
1646 + return (loc >= me->module_core_rx &&
1647 + loc < (me->module_core_rx + me->core_size_rx));
1650 +static inline int in_core_rw(struct module *me, void *loc)
1652 + return (loc >= me->module_core_rw &&
1653 + loc < (me->module_core_rw + me->core_size_rw));
1656 static inline int in_core(struct module *me, void *loc)
1658 - return (loc >= me->module_core &&
1659 - loc <= (me->module_core + me->core_size));
1660 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1663 static inline int in_local(struct module *me, void *loc)
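Review bot: The new `in_init_rx`/`in_init_rw`/`in_core_rx`/`in_core_rw` helpers test `loc < base + size`, whereas the removed `in_init` and `in_core` used `loc <= base + size`. Besides splitting the regions, the hunk therefore also stops treating the one-past-the-end address as inside the module. That is the more defensible bound, but it is a behaviour change that the comment above ("three functions to determine where ...") does not mention, and that comment now sits over seven functions. Consider updating it to something like `/* helpers: is loc inside [base, base + size) of the given module region */`, and declaring the helpers' `me` parameter `const struct module *` since they only read it.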
1664 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1667 /* align things a bit */
1668 - me->core_size = ALIGN(me->core_size, 16);
1669 - me->arch.got_offset = me->core_size;
1670 - me->core_size += gots * sizeof(struct got_entry);
1672 - me->core_size = ALIGN(me->core_size, 16);
1673 - me->arch.fdesc_offset = me->core_size;
1674 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1675 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1676 + me->arch.got_offset = me->core_size_rw;
1677 + me->core_size_rw += gots * sizeof(struct got_entry);
1679 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1680 + me->arch.fdesc_offset = me->core_size_rw;
1681 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1683 me->arch.got_max = gots;
1684 me->arch.fdesc_max = fdescs;
1685 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1689 - got = me->module_core + me->arch.got_offset;
1690 + got = me->module_core_rw + me->arch.got_offset;
1691 for (i = 0; got[i].addr; i++)
1692 if (got[i].addr == value)
1694 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1696 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1698 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1699 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1702 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1703 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1705 /* Create new one */
1706 fdesc->addr = value;
1707 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1708 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1709 return (Elf_Addr)fdesc;
1711 #endif /* CONFIG_64BIT */
1712 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1714 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1715 end = table + sechdrs[me->arch.unwind_section].sh_size;
1716 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1717 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1719 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1720 me->arch.unwind_section, table, end, gp);
1721 diff -urNp linux-2.6.35.7/arch/parisc/kernel/sys_parisc.c linux-2.6.35.7/arch/parisc/kernel/sys_parisc.c
1722 --- linux-2.6.35.7/arch/parisc/kernel/sys_parisc.c 2010-08-26 19:47:12.000000000 -0400
1723 +++ linux-2.6.35.7/arch/parisc/kernel/sys_parisc.c 2010-09-17 20:12:09.000000000 -0400
1724 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1725 /* At this point: (!vma || addr < vma->vm_end). */
1726 if (TASK_SIZE - len < addr)
1728 - if (!vma || addr + len <= vma->vm_start)
1729 + if (check_heap_stack_gap(vma, addr, len))
1733 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1734 /* At this point: (!vma || addr < vma->vm_end). */
1735 if (TASK_SIZE - len < addr)
1737 - if (!vma || addr + len <= vma->vm_start)
1738 + if (check_heap_stack_gap(vma, addr, len))
1740 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1741 if (addr < vma->vm_end) /* handle wraparound */
1742 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1743 if (flags & MAP_FIXED)
1746 - addr = TASK_UNMAPPED_BASE;
1747 + addr = current->mm->mmap_base;
1750 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1751 diff -urNp linux-2.6.35.7/arch/parisc/kernel/traps.c linux-2.6.35.7/arch/parisc/kernel/traps.c
1752 --- linux-2.6.35.7/arch/parisc/kernel/traps.c 2010-08-26 19:47:12.000000000 -0400
1753 +++ linux-2.6.35.7/arch/parisc/kernel/traps.c 2010-09-17 20:12:09.000000000 -0400
1754 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1756 down_read(¤t->mm->mmap_sem);
1757 vma = find_vma(current->mm,regs->iaoq[0]);
1758 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1759 - && (vma->vm_flags & VM_EXEC)) {
1761 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1762 fault_address = regs->iaoq[0];
1763 fault_space = regs->iasq[0];
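Review bot: The `(vma->vm_flags & VM_EXEC)` test is removed for every configuration, not only when `CONFIG_PAX_PAGEEXEC` is set, and nothing in the hunk says why. After this change any user-mode fault whose `iaoq[0]` lies inside a vma takes this branch, presumably so that the page-fault handler (and `pax_handle_fetch_fault()` in fault.c) decides what to do with fetches from non-executable mappings. A comment on the new condition would record that, e.g. `/* PaX: non-executable vmas are passed on as well; do_page_fault() checks VM_EXEC */`. handle_interruption starts and ends outside the hunk, so any existing comment there that explains the old VM_EXEC distinction should be checked for staleness.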
1765 diff -urNp linux-2.6.35.7/arch/parisc/mm/fault.c linux-2.6.35.7/arch/parisc/mm/fault.c
1766 --- linux-2.6.35.7/arch/parisc/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1767 +++ linux-2.6.35.7/arch/parisc/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1769 #include <linux/sched.h>
1770 #include <linux/interrupt.h>
1771 #include <linux/module.h>
1772 +#include <linux/unistd.h>
1774 #include <asm/uaccess.h>
1775 #include <asm/traps.h>
1776 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1777 static unsigned long
1778 parisc_acctyp(unsigned long code, unsigned int inst)
1780 - if (code == 6 || code == 16)
1781 + if (code == 6 || code == 7 || code == 16)
1784 switch (inst & 0xf0000000) {
1785 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1789 +#ifdef CONFIG_PAX_PAGEEXEC
1791 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1793 + * returns 1 when task should be killed
1794 + * 2 when rt_sigreturn trampoline was detected
1795 + * 3 when unpatched PLT trampoline was detected
1797 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1800 +#ifdef CONFIG_PAX_EMUPLT
1803 + do { /* PaX: unpatched PLT emulation */
1804 + unsigned int bl, depwi;
1806 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1807 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1812 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1813 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1815 + err = get_user(ldw, (unsigned int *)addr);
1816 + err |= get_user(bv, (unsigned int *)(addr+4));
1817 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1822 + if (ldw == 0x0E801096U &&
1823 + bv == 0xEAC0C000U &&
1824 + ldw2 == 0x0E881095U)
1826 + unsigned int resolver, map;
1828 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1829 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1833 + regs->gr[20] = instruction_pointer(regs)+8;
1834 + regs->gr[21] = map;
1835 + regs->gr[22] = resolver;
1836 + regs->iaoq[0] = resolver | 3UL;
1837 + regs->iaoq[1] = regs->iaoq[0] + 4;
1844 +#ifdef CONFIG_PAX_EMUTRAMP
1846 +#ifndef CONFIG_PAX_EMUSIGRT
1847 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1851 + do { /* PaX: rt_sigreturn emulation */
1852 + unsigned int ldi1, ldi2, bel, nop;
1854 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1855 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1856 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1857 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1862 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1863 + ldi2 == 0x3414015AU &&
1864 + bel == 0xE4008200U &&
1865 + nop == 0x08000240U)
1867 + regs->gr[25] = (ldi1 & 2) >> 1;
1868 + regs->gr[20] = __NR_rt_sigreturn;
1869 + regs->gr[31] = regs->iaoq[1] + 16;
1870 + regs->sr[0] = regs->iasq[1];
1871 + regs->iaoq[0] = 0x100UL;
1872 + regs->iaoq[1] = regs->iaoq[0] + 4;
1873 + regs->iasq[0] = regs->sr[2];
1874 + regs->iasq[1] = regs->sr[2];
1883 +void pax_report_insns(void *pc, void *sp)
1887 + printk(KERN_ERR "PAX: bytes at PC: ");
1888 + for (i = 0; i < 5; i++) {
1890 + if (get_user(c, (unsigned int *)pc+i))
1891 + printk(KERN_CONT "???????? ");
1893 + printk(KERN_CONT "%08x ", c);
1899 int fixup_exception(struct pt_regs *regs)
1901 const struct exception_table_entry *fix;
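Review bot: Every user-space read in `pax_handle_fetch_fault()` and `pax_report_insns()` casts the address to a plain `unsigned int *` before passing it to `get_user()`, so sparse cannot verify the address space; the casts should carry the annotation, e.g. `get_user(bl, (unsigned int __user *)instruction_pointer(regs))`. In the PLT branch `addr` is declared `unsigned int` and then cast to a pointer, which would truncate the fault address if `instruction_pointer()` is wider than 32 bits in this build; `unsigned long addr` avoids the question. The instruction words being matched (`0xEA9F1FDDU`, `0x34190000U`, and the rest) would read better with a short comment naming the instruction each encodes. Several lines of both functions, including the error checks after the `get_user()` calls, are missing from this view.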
1902 @@ -192,8 +303,33 @@ good_area:
1904 acc_type = parisc_acctyp(code,regs->iir);
1906 - if ((vma->vm_flags & acc_type) != acc_type)
1907 + if ((vma->vm_flags & acc_type) != acc_type) {
1909 +#ifdef CONFIG_PAX_PAGEEXEC
1910 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1911 + (address & ~3UL) == instruction_pointer(regs))
1913 + up_read(&mm->mmap_sem);
1914 + switch (pax_handle_fetch_fault(regs)) {
1916 +#ifdef CONFIG_PAX_EMUPLT
1921 +#ifdef CONFIG_PAX_EMUTRAMP
1927 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1928 + do_group_exit(SIGKILL);
1936 * If for any reason at all we couldn't handle the fault, make
1937 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/device.h linux-2.6.35.7/arch/powerpc/include/asm/device.h
1938 --- linux-2.6.35.7/arch/powerpc/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1939 +++ linux-2.6.35.7/arch/powerpc/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1940 @@ -11,7 +11,7 @@ struct device_node;
1942 struct dev_archdata {
1943 /* DMA operations on that device */
1944 - struct dma_map_ops *dma_ops;
1945 + const struct dma_map_ops *dma_ops;
1948 * When an iommu is in use, dma_data is used as a ptr to the base of the
1949 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/dma-mapping.h linux-2.6.35.7/arch/powerpc/include/asm/dma-mapping.h
1950 --- linux-2.6.35.7/arch/powerpc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
1951 +++ linux-2.6.35.7/arch/powerpc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
1952 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
1954 * Available generic sets of operations
1956 +/* cannot be const */
1958 extern struct dma_map_ops dma_iommu_ops;
1960 -extern struct dma_map_ops dma_direct_ops;
1961 +extern const struct dma_map_ops dma_direct_ops;
1963 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1964 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1966 /* We don't handle the NULL dev case for ISA for now. We could
1967 * do it via an out of line call but it is not needed for now. The
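Review bot: The added comment `/* cannot be const */` on `dma_iommu_ops` gives no reason, while every other ops table in this patch is constified. Nothing visible here writes to the structure, and the vio.c hunk later in the patch removes the one runtime use of `dma_iommu_ops.dma_supported` that is shown. The comment should name what modifies it, e.g. `/* cannot be const: <what writes to dma_iommu_ops at runtime> */`, so the exception can be revisited once that writer goes away.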
1968 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
1969 return dev->archdata.dma_ops;
1972 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1973 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1975 dev->archdata.dma_ops = ops;
1977 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
1979 static inline int dma_supported(struct device *dev, u64 mask)
1981 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1982 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1984 if (unlikely(dma_ops == NULL))
1986 @@ -129,7 +130,7 @@ static inline int dma_supported(struct d
1988 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1990 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1991 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1993 if (unlikely(dma_ops == NULL))
1995 @@ -144,7 +145,7 @@ static inline int dma_set_mask(struct de
1996 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1997 dma_addr_t *dma_handle, gfp_t flag)
1999 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2000 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2004 @@ -159,7 +160,7 @@ static inline void *dma_alloc_coherent(s
2005 static inline void dma_free_coherent(struct device *dev, size_t size,
2006 void *cpu_addr, dma_addr_t dma_handle)
2008 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2009 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2013 @@ -170,7 +171,7 @@ static inline void dma_free_coherent(str
2015 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2017 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2018 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2020 if (dma_ops->mapping_error)
2021 return dma_ops->mapping_error(dev, dma_addr);
2022 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/elf.h linux-2.6.35.7/arch/powerpc/include/asm/elf.h
2023 --- linux-2.6.35.7/arch/powerpc/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
2024 +++ linux-2.6.35.7/arch/powerpc/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
2025 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2026 the loader. We need to make sure that it is out of the way of the program
2027 that it will "exec", and that there is sufficient room for the brk. */
2029 -extern unsigned long randomize_et_dyn(unsigned long base);
2030 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2031 +#define ELF_ET_DYN_BASE (0x20000000)
2033 +#ifdef CONFIG_PAX_ASLR
2034 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2036 +#ifdef __powerpc64__
2037 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2038 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2040 +#define PAX_DELTA_MMAP_LEN 15
2041 +#define PAX_DELTA_STACK_LEN 15
2046 * Our registers are always unsigned longs, whether we're a 32 bit
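Review bot: With `CONFIG_PAX_ASLR` unset, this hunk leaves `ELF_ET_DYN_BASE` as the fixed value `(0x20000000)` where the old definition called `randomize_et_dyn(0x20000000)`; the replacement `PAX_ELF_ET_DYN_BASE` and the `PAX_DELTA_*_LEN` values exist only inside `#ifdef CONFIG_PAX_ASLR`. The next hunk in this file drops the `arch_randomize_brk` declaration, and the process.c hunk deletes `brk_rnd()`, `arch_randomize_brk()` and `randomize_et_dyn()` outright. A kernel built from this tree without PaX ASLR therefore appears to lose the ET_DYN base and brk randomisation the stock powerpc code provided. If that is intended, say so next to the define, e.g. `/* randomisation is provided by CONFIG_PAX_ASLR only */`; otherwise keep the old definitions under `#ifndef CONFIG_PAX_ASLR`.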
2047 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2048 (0x7ff >> (PAGE_SHIFT - 12)) : \
2049 (0x3ffff >> (PAGE_SHIFT - 12)))
2051 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2052 -#define arch_randomize_brk arch_randomize_brk
2054 #endif /* __KERNEL__ */
2057 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/iommu.h linux-2.6.35.7/arch/powerpc/include/asm/iommu.h
2058 --- linux-2.6.35.7/arch/powerpc/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
2059 +++ linux-2.6.35.7/arch/powerpc/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
2060 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2061 extern void iommu_init_early_dart(void);
2062 extern void iommu_init_early_pasemi(void);
2065 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2068 extern void pci_iommu_init(void);
2069 extern void pci_direct_iommu_init(void);
2070 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/kmap_types.h linux-2.6.35.7/arch/powerpc/include/asm/kmap_types.h
2071 --- linux-2.6.35.7/arch/powerpc/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
2072 +++ linux-2.6.35.7/arch/powerpc/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
2073 @@ -27,6 +27,7 @@ enum km_type {
2081 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/page_64.h linux-2.6.35.7/arch/powerpc/include/asm/page_64.h
2082 --- linux-2.6.35.7/arch/powerpc/include/asm/page_64.h 2010-08-26 19:47:12.000000000 -0400
2083 +++ linux-2.6.35.7/arch/powerpc/include/asm/page_64.h 2010-09-17 20:12:09.000000000 -0400
2084 @@ -172,15 +172,18 @@ do { \
2085 * stack by default, so in the absense of a PT_GNU_STACK program header
2086 * we turn execute permission off.
2088 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2089 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2090 +#define VM_STACK_DEFAULT_FLAGS32 \
2091 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2092 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2094 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2095 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2097 +#ifndef CONFIG_PAX_PAGEEXEC
2098 #define VM_STACK_DEFAULT_FLAGS \
2099 (test_thread_flag(TIF_32BIT) ? \
2100 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2103 #include <asm-generic/getorder.h>
2105 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/page.h linux-2.6.35.7/arch/powerpc/include/asm/page.h
2106 --- linux-2.6.35.7/arch/powerpc/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
2107 +++ linux-2.6.35.7/arch/powerpc/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
2108 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2109 * and needs to be executable. This means the whole heap ends
2110 * up being executable.
2112 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2113 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2114 +#define VM_DATA_DEFAULT_FLAGS32 \
2115 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2116 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2118 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2119 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
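Review bot: The context comment kept above `VM_DATA_DEFAULT_FLAGS32` still ends with "This means the whole heap ends up being executable", which no longer describes the new definition. `VM_EXEC` is now set only when `current->personality` has `READ_IMPLIES_EXEC`. The comment should gain a line such as `PaX: VM_EXEC is granted only when the personality has READ_IMPLIES_EXEC set`, so readers do not assume the old default. The comment begins outside the hunk, so its opening lines, which presumably name the binaries that needed an executable heap, should be reviewed at the same time.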
2120 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2121 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2124 +#define ktla_ktva(addr) (addr)
2125 +#define ktva_ktla(addr) (addr)
2127 #ifndef __ASSEMBLY__
2129 #undef STRICT_MM_TYPECHECKS
2130 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/pci.h linux-2.6.35.7/arch/powerpc/include/asm/pci.h
2131 --- linux-2.6.35.7/arch/powerpc/include/asm/pci.h 2010-08-26 19:47:12.000000000 -0400
2132 +++ linux-2.6.35.7/arch/powerpc/include/asm/pci.h 2010-09-17 20:12:09.000000000 -0400
2133 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2137 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2138 -extern struct dma_map_ops *get_pci_dma_ops(void);
2139 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2140 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2141 #else /* CONFIG_PCI */
2142 #define set_pci_dma_ops(d)
2143 #define get_pci_dma_ops() NULL
2144 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/pte-hash32.h linux-2.6.35.7/arch/powerpc/include/asm/pte-hash32.h
2145 --- linux-2.6.35.7/arch/powerpc/include/asm/pte-hash32.h 2010-08-26 19:47:12.000000000 -0400
2146 +++ linux-2.6.35.7/arch/powerpc/include/asm/pte-hash32.h 2010-09-17 20:12:09.000000000 -0400
2148 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2149 #define _PAGE_USER 0x004 /* usermode access allowed */
2150 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2151 +#define _PAGE_EXEC _PAGE_GUARDED
2152 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2153 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2154 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
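Review bot: The added `_PAGE_EXEC` is the only define in this block without a trailing comment, and it aliases the bit that the line above documents as "G: prohibit speculative access". From the name alone a reader cannot tell whether a set bit marks a page executable or marks it as one where instruction fetch faults. The reg.h section of this patch adds `DSISR_GUARDED` ("fetch from guarded storage"), which suggests the latter. A trailing comment would settle it, e.g. `/* PaX: reuses the G bit for execute control, see DSISR_GUARDED; polarity to be stated by the author */`.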
2155 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/reg.h linux-2.6.35.7/arch/powerpc/include/asm/reg.h
2156 --- linux-2.6.35.7/arch/powerpc/include/asm/reg.h 2010-08-26 19:47:12.000000000 -0400
2157 +++ linux-2.6.35.7/arch/powerpc/include/asm/reg.h 2010-09-17 20:12:09.000000000 -0400
2159 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2160 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2161 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2162 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2163 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2164 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2165 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2166 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/swiotlb.h linux-2.6.35.7/arch/powerpc/include/asm/swiotlb.h
2167 --- linux-2.6.35.7/arch/powerpc/include/asm/swiotlb.h 2010-08-26 19:47:12.000000000 -0400
2168 +++ linux-2.6.35.7/arch/powerpc/include/asm/swiotlb.h 2010-09-17 20:12:09.000000000 -0400
2171 #include <linux/swiotlb.h>
2173 -extern struct dma_map_ops swiotlb_dma_ops;
2174 +extern const struct dma_map_ops swiotlb_dma_ops;
2176 static inline void dma_mark_clean(void *addr, size_t size) {}
2178 diff -urNp linux-2.6.35.7/arch/powerpc/include/asm/uaccess.h linux-2.6.35.7/arch/powerpc/include/asm/uaccess.h
2179 --- linux-2.6.35.7/arch/powerpc/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
2180 +++ linux-2.6.35.7/arch/powerpc/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
2182 #define VERIFY_READ 0
2183 #define VERIFY_WRITE 1
2185 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2188 * The fs value determines whether argument validity checking should be
2189 * performed or not. If get_fs() == USER_DS, checking is performed, with
2190 @@ -327,52 +329,6 @@ do { \
2191 extern unsigned long __copy_tofrom_user(void __user *to,
2192 const void __user *from, unsigned long size);
2194 -#ifndef __powerpc64__
2196 -static inline unsigned long copy_from_user(void *to,
2197 - const void __user *from, unsigned long n)
2199 - unsigned long over;
2201 - if (access_ok(VERIFY_READ, from, n))
2202 - return __copy_tofrom_user((__force void __user *)to, from, n);
2203 - if ((unsigned long)from < TASK_SIZE) {
2204 - over = (unsigned long)from + n - TASK_SIZE;
2205 - return __copy_tofrom_user((__force void __user *)to, from,
2211 -static inline unsigned long copy_to_user(void __user *to,
2212 - const void *from, unsigned long n)
2214 - unsigned long over;
2216 - if (access_ok(VERIFY_WRITE, to, n))
2217 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2218 - if ((unsigned long)to < TASK_SIZE) {
2219 - over = (unsigned long)to + n - TASK_SIZE;
2220 - return __copy_tofrom_user(to, (__force void __user *)from,
2226 -#else /* __powerpc64__ */
2228 -#define __copy_in_user(to, from, size) \
2229 - __copy_tofrom_user((to), (from), (size))
2231 -extern unsigned long copy_from_user(void *to, const void __user *from,
2233 -extern unsigned long copy_to_user(void __user *to, const void *from,
2235 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2238 -#endif /* __powerpc64__ */
2240 static inline unsigned long __copy_from_user_inatomic(void *to,
2241 const void __user *from, unsigned long n)
2243 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2248 + if (!__builtin_constant_p(n))
2249 + check_object_size(to, n, false);
2251 return __copy_tofrom_user((__force void __user *)to, from, n);
2254 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2259 + if (!__builtin_constant_p(n))
2260 + check_object_size(from, n, true);
2262 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2265 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2266 return __copy_to_user_inatomic(to, from, size);
2269 +#ifndef __powerpc64__
2271 +static inline unsigned long __must_check copy_from_user(void *to,
2272 + const void __user *from, unsigned long n)
2274 + unsigned long over;
2279 + if (access_ok(VERIFY_READ, from, n)) {
2280 + if (!__builtin_constant_p(n))
2281 + check_object_size(to, n, false);
2282 + return __copy_tofrom_user((__force void __user *)to, from, n);
2284 + if ((unsigned long)from < TASK_SIZE) {
2285 + over = (unsigned long)from + n - TASK_SIZE;
2286 + if (!__builtin_constant_p(n - over))
2287 + check_object_size(to, n - over, false);
2288 + return __copy_tofrom_user((__force void __user *)to, from,
2294 +static inline unsigned long __must_check copy_to_user(void __user *to,
2295 + const void *from, unsigned long n)
2297 + unsigned long over;
2302 + if (access_ok(VERIFY_WRITE, to, n)) {
2303 + if (!__builtin_constant_p(n))
2304 + check_object_size(from, n, true);
2305 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2307 + if ((unsigned long)to < TASK_SIZE) {
2308 + over = (unsigned long)to + n - TASK_SIZE;
2309 + if (!__builtin_constant_p(n))
2310 + check_object_size(from, n - over, true);
2311 + return __copy_tofrom_user(to, (__force void __user *)from,
2317 +#else /* __powerpc64__ */
2319 +#define __copy_in_user(to, from, size) \
2320 + __copy_tofrom_user((to), (from), (size))
2322 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2324 + if ((long)n < 0 || n > INT_MAX)
2327 + if (!__builtin_constant_p(n))
2328 + check_object_size(to, n, false);
2330 + if (likely(access_ok(VERIFY_READ, from, n)))
2331 + n = __copy_from_user(to, from, n);
2337 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2339 + if ((long)n < 0 || n > INT_MAX)
2342 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2343 + if (!__builtin_constant_p(n))
2344 + check_object_size(from, n, true);
2345 + n = __copy_to_user(to, from, n);
2350 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2353 +#endif /* __powerpc64__ */
2355 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2357 static inline unsigned long clear_user(void __user *addr, unsigned long size)
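Review bot: In the 32-bit `copy_to_user` partial-copy branch the guard tests `__builtin_constant_p(n)` but the call checks `n - over`, while the matching branch of `copy_from_user` tests `__builtin_constant_p(n - over)`. `over` is computed at run time from `to`, so with a compile-time-constant `n` the `copy_to_user` branch skips `check_object_size()` for a length that is not constant; the guard should read `if (!__builtin_constant_p(n - over))`. The 64-bit variants also differ in ordering: `copy_from_user` calls `check_object_size()` before `access_ok()`, `copy_to_user` only inside the `access_ok()` branch, which is worth making uniform. Several lines of these function bodies are missing from this view.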
2358 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/dma.c linux-2.6.35.7/arch/powerpc/kernel/dma.c
2359 --- linux-2.6.35.7/arch/powerpc/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
2360 +++ linux-2.6.35.7/arch/powerpc/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
2361 @@ -135,7 +135,7 @@ static inline void dma_direct_sync_singl
2365 -struct dma_map_ops dma_direct_ops = {
2366 +const struct dma_map_ops dma_direct_ops = {
2367 .alloc_coherent = dma_direct_alloc_coherent,
2368 .free_coherent = dma_direct_free_coherent,
2369 .map_sg = dma_direct_map_sg,
2370 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/dma-iommu.c linux-2.6.35.7/arch/powerpc/kernel/dma-iommu.c
2371 --- linux-2.6.35.7/arch/powerpc/kernel/dma-iommu.c 2010-08-26 19:47:12.000000000 -0400
2372 +++ linux-2.6.35.7/arch/powerpc/kernel/dma-iommu.c 2010-09-17 20:12:09.000000000 -0400
2373 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2376 /* We support DMA to/from any memory page via the iommu */
2377 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2378 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2380 struct iommu_table *tbl = get_iommu_table_base(dev);
2382 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.35.7/arch/powerpc/kernel/dma-swiotlb.c
2383 --- linux-2.6.35.7/arch/powerpc/kernel/dma-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
2384 +++ linux-2.6.35.7/arch/powerpc/kernel/dma-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
2385 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2386 * map_page, and unmap_page on highmem, use normal dma_ops
2387 * for everything else.
2389 -struct dma_map_ops swiotlb_dma_ops = {
2390 +const struct dma_map_ops swiotlb_dma_ops = {
2391 .alloc_coherent = dma_direct_alloc_coherent,
2392 .free_coherent = dma_direct_free_coherent,
2393 .map_sg = swiotlb_map_sg_attrs,
2394 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/exceptions-64e.S linux-2.6.35.7/arch/powerpc/kernel/exceptions-64e.S
2395 --- linux-2.6.35.7/arch/powerpc/kernel/exceptions-64e.S 2010-08-26 19:47:12.000000000 -0400
2396 +++ linux-2.6.35.7/arch/powerpc/kernel/exceptions-64e.S 2010-09-17 20:12:09.000000000 -0400
2397 @@ -455,6 +455,7 @@ storage_fault_common:
2400 addi r3,r1,STACK_FRAME_OVERHEAD
2404 ld r14,PACA_EXGEN+EX_R14(r13)
2405 @@ -464,8 +465,7 @@ storage_fault_common:
2408 b .ret_from_except_lite
2412 addi r3,r1,STACK_FRAME_OVERHEAD
2415 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/exceptions-64s.S linux-2.6.35.7/arch/powerpc/kernel/exceptions-64s.S
2416 --- linux-2.6.35.7/arch/powerpc/kernel/exceptions-64s.S 2010-08-26 19:47:12.000000000 -0400
2417 +++ linux-2.6.35.7/arch/powerpc/kernel/exceptions-64s.S 2010-09-17 20:12:09.000000000 -0400
2418 @@ -840,10 +840,10 @@ handle_page_fault:
2421 addi r3,r1,STACK_FRAME_OVERHEAD
2428 addi r3,r1,STACK_FRAME_OVERHEAD
2430 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/ibmebus.c linux-2.6.35.7/arch/powerpc/kernel/ibmebus.c
2431 --- linux-2.6.35.7/arch/powerpc/kernel/ibmebus.c 2010-08-26 19:47:12.000000000 -0400
2432 +++ linux-2.6.35.7/arch/powerpc/kernel/ibmebus.c 2010-09-17 20:12:09.000000000 -0400
2433 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2437 -static struct dma_map_ops ibmebus_dma_ops = {
2438 +static const struct dma_map_ops ibmebus_dma_ops = {
2439 .alloc_coherent = ibmebus_alloc_coherent,
2440 .free_coherent = ibmebus_free_coherent,
2441 .map_sg = ibmebus_map_sg,
2442 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/kgdb.c linux-2.6.35.7/arch/powerpc/kernel/kgdb.c
2443 --- linux-2.6.35.7/arch/powerpc/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
2444 +++ linux-2.6.35.7/arch/powerpc/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
2445 @@ -128,7 +128,7 @@ static int kgdb_handle_breakpoint(struct
2446 if (kgdb_handle_exception(1, SIGTRAP, 0, regs) != 0)
2449 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2450 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2454 @@ -360,7 +360,7 @@ int kgdb_arch_handle_exception(int vecto
2458 -struct kgdb_arch arch_kgdb_ops = {
2459 +const struct kgdb_arch arch_kgdb_ops = {
2460 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2463 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/module_32.c linux-2.6.35.7/arch/powerpc/kernel/module_32.c
2464 --- linux-2.6.35.7/arch/powerpc/kernel/module_32.c 2010-08-26 19:47:12.000000000 -0400
2465 +++ linux-2.6.35.7/arch/powerpc/kernel/module_32.c 2010-09-17 20:12:09.000000000 -0400
2466 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2467 me->arch.core_plt_section = i;
2469 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2470 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2471 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
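Review bot: The rewritten `printk` still carries no log level, while the error message added in the next hunk of this file uses `KERN_ERR`. `printk(KERN_ERR "Module %s doesn't contain .plt or .init.plt sections.\n", me->name);` would make the two consistent and keep the message at a defined severity. module_frob_arch_sections continues outside the hunk.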
2475 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2477 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2478 /* Init, or core PLT? */
2479 - if (location >= mod->module_core
2480 - && location < mod->module_core + mod->core_size)
2481 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2482 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2483 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2485 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2486 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2487 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2489 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2493 /* Find this entry, or if that fails, the next avail. entry */
2494 while (entry->jump[0]) {
2495 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/module.c linux-2.6.35.7/arch/powerpc/kernel/module.c
2496 --- linux-2.6.35.7/arch/powerpc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
2497 +++ linux-2.6.35.7/arch/powerpc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
2500 LIST_HEAD(module_bug_list);
2502 +#ifdef CONFIG_PAX_KERNEXEC
2503 void *module_alloc(unsigned long size)
2508 + return vmalloc(size);
2511 +void *module_alloc_exec(unsigned long size)
2513 +void *module_alloc(unsigned long size)
2520 return vmalloc_exec(size);
2523 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2524 vfree(module_region);
2527 +#ifdef CONFIG_PAX_KERNEXEC
2528 +void module_free_exec(struct module *mod, void *module_region)
2530 + module_free(mod, module_region);
2534 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2535 const Elf_Shdr *sechdrs,
2537 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/pci-common.c linux-2.6.35.7/arch/powerpc/kernel/pci-common.c
2538 --- linux-2.6.35.7/arch/powerpc/kernel/pci-common.c 2010-08-26 19:47:12.000000000 -0400
2539 +++ linux-2.6.35.7/arch/powerpc/kernel/pci-common.c 2010-09-17 20:12:09.000000000 -0400
2540 @@ -51,14 +51,14 @@ resource_size_t isa_mem_base;
2541 unsigned int ppc_pci_flags = 0;
2544 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2545 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2547 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2548 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2550 pci_dma_ops = dma_ops;
2553 -struct dma_map_ops *get_pci_dma_ops(void)
2554 +const struct dma_map_ops *get_pci_dma_ops(void)
2558 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/process.c linux-2.6.35.7/arch/powerpc/kernel/process.c
2559 --- linux-2.6.35.7/arch/powerpc/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
2560 +++ linux-2.6.35.7/arch/powerpc/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
2561 @@ -1215,51 +1215,3 @@ unsigned long arch_align_stack(unsigned
2562 sp -= get_random_int() & ~PAGE_MASK;
2566 -static inline unsigned long brk_rnd(void)
2568 - unsigned long rnd = 0;
2570 - /* 8MB for 32bit, 1GB for 64bit */
2571 - if (is_32bit_task())
2572 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2574 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2576 - return rnd << PAGE_SHIFT;
2579 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2581 - unsigned long base = mm->brk;
2582 - unsigned long ret;
2584 -#ifdef CONFIG_PPC_STD_MMU_64
2586 - * If we are using 1TB segments and we are allowed to randomise
2587 - * the heap, we can put it above 1TB so it is backed by a 1TB
2588 - * segment. Otherwise the heap will be in the bottom 1TB
2589 - * which always uses 256MB segments and this may result in a
2590 - * performance penalty.
2592 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2593 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2596 - ret = PAGE_ALIGN(base + brk_rnd());
2598 - if (ret < mm->brk)
2604 -unsigned long randomize_et_dyn(unsigned long base)
2606 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2613 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/signal_32.c linux-2.6.35.7/arch/powerpc/kernel/signal_32.c
2614 --- linux-2.6.35.7/arch/powerpc/kernel/signal_32.c 2010-08-26 19:47:12.000000000 -0400
2615 +++ linux-2.6.35.7/arch/powerpc/kernel/signal_32.c 2010-09-17 20:12:09.000000000 -0400
2616 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2617 /* Save user registers on the stack */
2618 frame = &rt_sf->uc.uc_mcontext;
2620 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2621 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2622 if (save_user_regs(regs, frame, 0, 1))
2624 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
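Review bot: The "no vDSO" marker is now the bare literal `~0UL`, repeated here, in the signal_64.c hunk and where it is assigned in the vdso.c hunk; a named constant (for example `#define VDSO_BASE_NONE (~0UL)`, name to be chosen) would keep the three in step. Because the sentinel used to be 0, any other reader of `context.vdso_base` that still tests it for zero would now treat an unmapped vDSO as present and compute addresses from `~0UL`. Only these three sites are visible in this part of the patch, so the remaining users of the field should be checked. handle_rt_signal32 continues outside the hunk.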
2625 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/signal_64.c linux-2.6.35.7/arch/powerpc/kernel/signal_64.c
2626 --- linux-2.6.35.7/arch/powerpc/kernel/signal_64.c 2010-08-26 19:47:12.000000000 -0400
2627 +++ linux-2.6.35.7/arch/powerpc/kernel/signal_64.c 2010-09-17 20:12:09.000000000 -0400
2628 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2629 current->thread.fpscr.val = 0;
2631 /* Set up to return from userspace. */
2632 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2633 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2634 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2636 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2637 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/vdso.c linux-2.6.35.7/arch/powerpc/kernel/vdso.c
2638 --- linux-2.6.35.7/arch/powerpc/kernel/vdso.c 2010-08-26 19:47:12.000000000 -0400
2639 +++ linux-2.6.35.7/arch/powerpc/kernel/vdso.c 2010-09-17 20:12:09.000000000 -0400
2641 #include <asm/firmware.h>
2642 #include <asm/vdso.h>
2643 #include <asm/vdso_datapage.h>
2644 +#include <asm/mman.h>
2648 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2649 vdso_base = VDSO32_MBASE;
2652 - current->mm->context.vdso_base = 0;
2653 + current->mm->context.vdso_base = ~0UL;
2655 /* vDSO has a problem and was disabled, just don't "enable" it for the
2657 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2658 vdso_base = get_unmapped_area(NULL, vdso_base,
2659 (vdso_pages << PAGE_SHIFT) +
2660 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2662 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2663 if (IS_ERR_VALUE(vdso_base)) {
2666 diff -urNp linux-2.6.35.7/arch/powerpc/kernel/vio.c linux-2.6.35.7/arch/powerpc/kernel/vio.c
2667 --- linux-2.6.35.7/arch/powerpc/kernel/vio.c 2010-08-26 19:47:12.000000000 -0400
2668 +++ linux-2.6.35.7/arch/powerpc/kernel/vio.c 2010-09-17 20:12:09.000000000 -0400
2669 @@ -602,11 +602,12 @@ static void vio_dma_iommu_unmap_sg(struc
2670 vio_cmo_dealloc(viodev, alloc_size);
2673 -struct dma_map_ops vio_dma_mapping_ops = {
2674 +static const struct dma_map_ops vio_dma_mapping_ops = {
2675 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2676 .free_coherent = vio_dma_iommu_free_coherent,
2677 .map_sg = vio_dma_iommu_map_sg,
2678 .unmap_sg = vio_dma_iommu_unmap_sg,
2679 + .dma_supported = dma_iommu_dma_supported,
2680 .map_page = vio_dma_iommu_map_page,
2681 .unmap_page = vio_dma_iommu_unmap_page,
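Review bot: `.dma_supported = dma_iommu_dma_supported` makes vio.c depend on a function that this hunk neither declares nor shows to have external linkage; the runtime store removed from vio_cmo_set_dma_ops went through `dma_iommu_ops.dma_supported` instead. The prototype has to be visible in vio.c and the definition non-static, otherwise the table will not build. The added `static` also drops the table's external linkage, so any reference from another file would break; none is visible here. A comment on the table such as `/* const: callbacks are fixed at build time, no runtime patching */` would record why the initializer replaced the assignment.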
2683 @@ -860,7 +861,6 @@ static void vio_cmo_bus_remove(struct vi
2685 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2687 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2688 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2691 diff -urNp linux-2.6.35.7/arch/powerpc/lib/usercopy_64.c linux-2.6.35.7/arch/powerpc/lib/usercopy_64.c
2692 --- linux-2.6.35.7/arch/powerpc/lib/usercopy_64.c 2010-08-26 19:47:12.000000000 -0400
2693 +++ linux-2.6.35.7/arch/powerpc/lib/usercopy_64.c 2010-09-17 20:12:09.000000000 -0400
2695 #include <linux/module.h>
2696 #include <asm/uaccess.h>
2698 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2700 - if (likely(access_ok(VERIFY_READ, from, n)))
2701 - n = __copy_from_user(to, from, n);
2707 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2709 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2710 - n = __copy_to_user(to, from, n);
2714 unsigned long copy_in_user(void __user *to, const void __user *from,
2717 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2721 -EXPORT_SYMBOL(copy_from_user);
2722 -EXPORT_SYMBOL(copy_to_user);
2723 EXPORT_SYMBOL(copy_in_user);
2725 diff -urNp linux-2.6.35.7/arch/powerpc/mm/fault.c linux-2.6.35.7/arch/powerpc/mm/fault.c
2726 --- linux-2.6.35.7/arch/powerpc/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
2727 +++ linux-2.6.35.7/arch/powerpc/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
2729 #include <linux/kprobes.h>
2730 #include <linux/kdebug.h>
2731 #include <linux/perf_event.h>
2732 +#include <linux/slab.h>
2733 +#include <linux/pagemap.h>
2734 +#include <linux/compiler.h>
2735 +#include <linux/unistd.h>
2737 #include <asm/firmware.h>
2738 #include <asm/page.h>
2740 #include <asm/tlbflush.h>
2741 #include <asm/siginfo.h>
2742 #include <mm/mmu_decl.h>
2743 +#include <asm/ptrace.h>
2745 #ifdef CONFIG_KPROBES
2746 static inline int notify_page_fault(struct pt_regs *regs)
2747 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2751 +#ifdef CONFIG_PAX_PAGEEXEC
2753 + * PaX: decide what to do with offenders (regs->nip = fault address)
2755 + * returns 1 when task should be killed
2757 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2762 +void pax_report_insns(void *pc, void *sp)
2766 + printk(KERN_ERR "PAX: bytes at PC: ");
2767 + for (i = 0; i < 5; i++) {
2769 + if (get_user(c, (unsigned int __user *)pc+i))
2770 + printk(KERN_CONT "???????? ");
2772 + printk(KERN_CONT "%08x ", c);
2779 * Check whether the instruction at regs->nip is a store using
2780 * an update addressing form which will update r1.
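Review bot: In pax_report_insns the expression `(unsigned int __user *)pc+i` steps in 4-byte words only because the cast binds tighter than `+`; writing it as `((unsigned int __user *)pc) + i` makes that explicit. The loop bound `5` is a bare literal, and a named constant or a short comment saying how many instruction words are dumped would help the next reader. Several lines of this hunk are missing from the page, so the declarations of `i` and `c` and the end of the log line cannot be checked here.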
2781 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2782 * indicate errors in DSISR but can validly be set in SRR1.
2785 - error_code &= 0x48200000;
2786 + error_code &= 0x58200000;
2788 is_write = error_code & DSISR_ISSTORE;
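Review bot: `error_code &= 0x58200000;` widens the mask with another raw literal, and the bit it adds is 0x10000000, the value that the later `good_area` hunk in this file replaces with `DSISR_GUARDED`. Writing it as `error_code &= 0x48200000 | DSISR_GUARDED;` would keep the two places consistent and show which bit was added. The comment above the mask is only partly visible, and it should also say that the guarded bit is now preserved. do_page_fault starts and ends outside the hunk.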
2790 @@ -257,7 +289,7 @@ good_area:
2791 * "undefined". Of those that can be set, this is the only
2792 * one which seems bad.
2794 - if (error_code & 0x10000000)
2795 + if (error_code & DSISR_GUARDED)
2796 /* Guarded storage error. */
2798 #endif /* CONFIG_8xx */
2799 @@ -272,7 +304,7 @@ good_area:
2800 * processors use the same I/D cache coherency mechanism
2803 - if (error_code & DSISR_PROTFAULT)
2804 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2806 #endif /* CONFIG_PPC_STD_MMU */
2808 @@ -341,6 +373,23 @@ bad_area:
2809 bad_area_nosemaphore:
2810 /* User mode accesses cause a SIGSEGV */
2811 if (user_mode(regs)) {
2813 +#ifdef CONFIG_PAX_PAGEEXEC
2814 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2815 +#ifdef CONFIG_PPC_STD_MMU
2816 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2818 + if (is_exec && regs->nip == address) {
2820 + switch (pax_handle_fetch_fault(regs)) {
2823 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2824 + do_group_exit(SIGKILL);
2829 _exception(SIGSEGV, regs, code, address);
2832 diff -urNp linux-2.6.35.7/arch/powerpc/mm/mmap_64.c linux-2.6.35.7/arch/powerpc/mm/mmap_64.c
2833 --- linux-2.6.35.7/arch/powerpc/mm/mmap_64.c 2010-08-26 19:47:12.000000000 -0400
2834 +++ linux-2.6.35.7/arch/powerpc/mm/mmap_64.c 2010-09-17 20:12:09.000000000 -0400
2835 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2837 if (mmap_is_legacy()) {
2838 mm->mmap_base = TASK_UNMAPPED_BASE;
2840 +#ifdef CONFIG_PAX_RANDMMAP
2841 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2842 + mm->mmap_base += mm->delta_mmap;
2845 mm->get_unmapped_area = arch_get_unmapped_area;
2846 mm->unmap_area = arch_unmap_area;
2848 mm->mmap_base = mmap_base();
2850 +#ifdef CONFIG_PAX_RANDMMAP
2851 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2852 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2855 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2856 mm->unmap_area = arch_unmap_area_topdown;
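Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` in the top-down branch is an unsigned subtraction with no visible bound, and nothing in the hunk says why the stack delta is subtracted here but not added in the legacy branch. A short comment above it, for example `/* top-down: keep the mmap area below the randomized stack shift as well */`, would record the intent (presumed from the code, to be confirmed by the author) and where the deltas are limited. The same pair of additions appears in both arch_pick_mmap_layout hunks of arch/s390/mm/mmap.c, so the comment applies there too. arch_pick_mmap_layout starts and ends outside the hunk.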
2858 diff -urNp linux-2.6.35.7/arch/powerpc/mm/slice.c linux-2.6.35.7/arch/powerpc/mm/slice.c
2859 --- linux-2.6.35.7/arch/powerpc/mm/slice.c 2010-08-26 19:47:12.000000000 -0400
2860 +++ linux-2.6.35.7/arch/powerpc/mm/slice.c 2010-09-17 20:12:09.000000000 -0400
2861 @@ -98,10 +98,9 @@ static int slice_area_is_free(struct mm_
2862 if ((mm->task_size - len) < addr)
2864 vma = find_vma(mm, addr);
2865 - return (!vma || (addr + len) <= vma->vm_start);
2866 + return check_heap_stack_gap(vma, addr, len);
2869 -static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2871 return !slice_area_is_free(mm, slice << SLICE_LOW_SHIFT,
2872 1ul << SLICE_LOW_SHIFT);
2873 @@ -256,7 +255,7 @@ full_search:
2874 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2877 - if (!vma || addr + len <= vma->vm_start) {
2878 + if (check_heap_stack_gap(vma, addr, len)) {
2880 * Remember the place where we stopped the search:
2882 @@ -336,7 +335,7 @@ static unsigned long slice_find_area_top
2883 * return with success:
2885 vma = find_vma(mm, addr);
2886 - if (!vma || (addr + len) <= vma->vm_start) {
2887 + if (check_heap_stack_gap(vma, addr, len)) {
2888 /* remember the address as a hint for next time */
2890 mm->free_area_cache = addr;
2891 @@ -426,6 +425,11 @@ unsigned long slice_get_unmapped_area(un
2892 if (fixed && addr > (mm->task_size - len))
2895 +#ifdef CONFIG_PAX_RANDMMAP
2896 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2900 /* If hint, make sure it matches our alignment restrictions */
2901 if (!fixed && addr) {
2902 addr = _ALIGN_UP(addr, 1ul << pshift);
2903 diff -urNp linux-2.6.35.7/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.35.7/arch/powerpc/platforms/52xx/lite5200_pm.c
2904 --- linux-2.6.35.7/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-08-26 19:47:12.000000000 -0400
2905 +++ linux-2.6.35.7/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-09-17 20:12:09.000000000 -0400
2906 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2907 lite5200_pm_target_state = PM_SUSPEND_ON;
2910 -static struct platform_suspend_ops lite5200_pm_ops = {
2911 +static const struct platform_suspend_ops lite5200_pm_ops = {
2912 .valid = lite5200_pm_valid,
2913 .begin = lite5200_pm_begin,
2914 .prepare = lite5200_pm_prepare,
2915 diff -urNp linux-2.6.35.7/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.35.7/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2916 --- linux-2.6.35.7/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-08-26 19:47:12.000000000 -0400
2917 +++ linux-2.6.35.7/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-09-17 20:12:09.000000000 -0400
2918 @@ -189,7 +189,7 @@ void mpc52xx_pm_finish(void)
2922 -static struct platform_suspend_ops mpc52xx_pm_ops = {
2923 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
2924 .valid = mpc52xx_pm_valid,
2925 .prepare = mpc52xx_pm_prepare,
2926 .enter = mpc52xx_pm_enter,
2927 diff -urNp linux-2.6.35.7/arch/powerpc/platforms/83xx/suspend.c linux-2.6.35.7/arch/powerpc/platforms/83xx/suspend.c
2928 --- linux-2.6.35.7/arch/powerpc/platforms/83xx/suspend.c 2010-08-26 19:47:12.000000000 -0400
2929 +++ linux-2.6.35.7/arch/powerpc/platforms/83xx/suspend.c 2010-09-17 20:12:09.000000000 -0400
2930 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
2934 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
2935 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2936 .valid = mpc83xx_suspend_valid,
2937 .begin = mpc83xx_suspend_begin,
2938 .enter = mpc83xx_suspend_enter,
2939 diff -urNp linux-2.6.35.7/arch/powerpc/platforms/cell/iommu.c linux-2.6.35.7/arch/powerpc/platforms/cell/iommu.c
2940 --- linux-2.6.35.7/arch/powerpc/platforms/cell/iommu.c 2010-08-26 19:47:12.000000000 -0400
2941 +++ linux-2.6.35.7/arch/powerpc/platforms/cell/iommu.c 2010-09-17 20:12:09.000000000 -0400
2942 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
2944 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
2946 -struct dma_map_ops dma_iommu_fixed_ops = {
2947 +const struct dma_map_ops dma_iommu_fixed_ops = {
2948 .alloc_coherent = dma_fixed_alloc_coherent,
2949 .free_coherent = dma_fixed_free_coherent,
2950 .map_sg = dma_fixed_map_sg,
2951 diff -urNp linux-2.6.35.7/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.35.7/arch/powerpc/platforms/ps3/system-bus.c
2952 --- linux-2.6.35.7/arch/powerpc/platforms/ps3/system-bus.c 2010-08-26 19:47:12.000000000 -0400
2953 +++ linux-2.6.35.7/arch/powerpc/platforms/ps3/system-bus.c 2010-09-17 20:12:09.000000000 -0400
2954 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
2955 return mask >= DMA_BIT_MASK(32);
2958 -static struct dma_map_ops ps3_sb_dma_ops = {
2959 +static const struct dma_map_ops ps3_sb_dma_ops = {
2960 .alloc_coherent = ps3_alloc_coherent,
2961 .free_coherent = ps3_free_coherent,
2962 .map_sg = ps3_sb_map_sg,
2963 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
2964 .unmap_page = ps3_unmap_page,
2967 -static struct dma_map_ops ps3_ioc0_dma_ops = {
2968 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
2969 .alloc_coherent = ps3_alloc_coherent,
2970 .free_coherent = ps3_free_coherent,
2971 .map_sg = ps3_ioc0_map_sg,
2972 diff -urNp linux-2.6.35.7/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.35.7/arch/powerpc/sysdev/fsl_pmc.c
2973 --- linux-2.6.35.7/arch/powerpc/sysdev/fsl_pmc.c 2010-08-26 19:47:12.000000000 -0400
2974 +++ linux-2.6.35.7/arch/powerpc/sysdev/fsl_pmc.c 2010-09-17 20:12:09.000000000 -0400
2975 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
2979 -static struct platform_suspend_ops pmc_suspend_ops = {
2980 +static const struct platform_suspend_ops pmc_suspend_ops = {
2981 .valid = pmc_suspend_valid,
2982 .enter = pmc_suspend_enter,
2984 diff -urNp linux-2.6.35.7/arch/s390/include/asm/elf.h linux-2.6.35.7/arch/s390/include/asm/elf.h
2985 --- linux-2.6.35.7/arch/s390/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
2986 +++ linux-2.6.35.7/arch/s390/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
2987 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
2988 that it will "exec", and that there is sufficient room for the brk. */
2989 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
2991 +#ifdef CONFIG_PAX_ASLR
2992 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2994 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2995 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2998 /* This yields a mask that user programs can use to figure out what
2999 instruction set this CPU supports. */
3001 diff -urNp linux-2.6.35.7/arch/s390/include/asm/uaccess.h linux-2.6.35.7/arch/s390/include/asm/uaccess.h
3002 --- linux-2.6.35.7/arch/s390/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
3003 +++ linux-2.6.35.7/arch/s390/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
3004 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3005 copy_to_user(void __user *to, const void *from, unsigned long n)
3012 if (access_ok(VERIFY_WRITE, to, n))
3013 n = __copy_to_user(to, from, n);
3015 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3016 static inline unsigned long __must_check
3017 __copy_from_user(void *to, const void __user *from, unsigned long n)
3022 if (__builtin_constant_p(n) && (n <= 256))
3023 return uaccess.copy_from_user_small(n, from, to);
3025 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3026 unsigned int sz = __compiletime_object_size(to);
3033 if (unlikely(sz != -1 && sz < n)) {
3034 copy_from_user_overflow();
3036 diff -urNp linux-2.6.35.7/arch/s390/Kconfig linux-2.6.35.7/arch/s390/Kconfig
3037 --- linux-2.6.35.7/arch/s390/Kconfig 2010-08-26 19:47:12.000000000 -0400
3038 +++ linux-2.6.35.7/arch/s390/Kconfig 2010-09-17 20:12:09.000000000 -0400
3039 @@ -230,13 +230,12 @@ config AUDIT_ARCH
3041 config S390_EXEC_PROTECT
3042 bool "Data execute protection"
3045 This option allows to enable a buffer overflow protection for user
3046 - space programs and it also selects the addressing mode option above.
3047 - The kernel parameter noexec=on will enable this feature and also
3048 - switch the addressing modes, default is disabled. Enabling this (via
3049 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3050 - will reduce system performance.
3052 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3053 + reduce system performance.
3055 comment "Code generation options"
3057 diff -urNp linux-2.6.35.7/arch/s390/kernel/module.c linux-2.6.35.7/arch/s390/kernel/module.c
3058 --- linux-2.6.35.7/arch/s390/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
3059 +++ linux-2.6.35.7/arch/s390/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
3060 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3062 /* Increase core size by size of got & plt and set start
3063 offsets for got and plt. */
3064 - me->core_size = ALIGN(me->core_size, 4);
3065 - me->arch.got_offset = me->core_size;
3066 - me->core_size += me->arch.got_size;
3067 - me->arch.plt_offset = me->core_size;
3068 - me->core_size += me->arch.plt_size;
3069 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3070 + me->arch.got_offset = me->core_size_rw;
3071 + me->core_size_rw += me->arch.got_size;
3072 + me->arch.plt_offset = me->core_size_rx;
3073 + me->core_size_rx += me->arch.plt_size;
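Review bot: Only `core_size_rw` is aligned before the GOT is placed; `plt_offset` now takes `me->core_size_rx` as it stands, whereas before the split the PLT followed the GOT inside the single counter that had just been passed through `ALIGN(me->core_size, 4)`. If core_size_rx can be non-zero and unaligned at this point, the PLT stubs that apply_rela fills in (`ip[0] = 0x0d105810;`) would start misaligned; adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;` restores the old guarantee. The comment above still speaks of one core size and could say that the GOT goes to the writable region and the PLT to the executable one. module_frob_arch_sections starts and ends outside the hunk.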
3077 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3078 if (info->got_initialized == 0) {
3081 - gotent = me->module_core + me->arch.got_offset +
3082 + gotent = me->module_core_rw + me->arch.got_offset +
3085 info->got_initialized = 1;
3086 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3087 else if (r_type == R_390_GOTENT ||
3088 r_type == R_390_GOTPLTENT)
3089 *(unsigned int *) loc =
3090 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3091 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3092 else if (r_type == R_390_GOT64 ||
3093 r_type == R_390_GOTPLT64)
3094 *(unsigned long *) loc = val;
3095 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3096 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3097 if (info->plt_initialized == 0) {
3099 - ip = me->module_core + me->arch.plt_offset +
3100 + ip = me->module_core_rx + me->arch.plt_offset +
3102 #ifndef CONFIG_64BIT
3103 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3104 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3105 val - loc + 0xffffUL < 0x1ffffeUL) ||
3106 (r_type == R_390_PLT32DBL &&
3107 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3108 - val = (Elf_Addr) me->module_core +
3109 + val = (Elf_Addr) me->module_core_rx +
3110 me->arch.plt_offset +
3112 val += rela->r_addend - loc;
3113 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3114 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3115 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3116 val = val + rela->r_addend -
3117 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3118 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3119 if (r_type == R_390_GOTOFF16)
3120 *(unsigned short *) loc = val;
3121 else if (r_type == R_390_GOTOFF32)
3122 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3124 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3125 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3126 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3127 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3128 rela->r_addend - loc;
3129 if (r_type == R_390_GOTPC)
3130 *(unsigned int *) loc = val;
3131 diff -urNp linux-2.6.35.7/arch/s390/kernel/setup.c linux-2.6.35.7/arch/s390/kernel/setup.c
3132 --- linux-2.6.35.7/arch/s390/kernel/setup.c 2010-08-26 19:47:12.000000000 -0400
3133 +++ linux-2.6.35.7/arch/s390/kernel/setup.c 2010-09-17 20:12:09.000000000 -0400
3134 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3136 early_param("mem", early_parse_mem);
3138 -unsigned int user_mode = HOME_SPACE_MODE;
3139 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3140 EXPORT_SYMBOL_GPL(user_mode);
3142 static int set_amode_and_uaccess(unsigned long user_amode,
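Review bot: Changing the initializer to `SECONDARY_SPACE_MODE` alters the default addressing mode for every boot, and as far as the visible lines show it is not guarded by CONFIG_S390_EXEC_PROTECT or a PaX option. Together with the two later hunks in this file, which delete the `switch_amode` and `noexec` early parameters, an existing command line carrying `noexec=off` is no longer handled, while `user_mode=` (early_parse_user_mode, kept as context) can still select another mode. If that remaining override is intended, a comment on the initializer such as `/* secondary space by default; only user_mode= can change it */` would document it. The kernel-parameters documentation should drop the two removed options in the same change.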
3143 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3148 - * Switch kernel/user addressing modes?
3150 -static int __init early_parse_switch_amode(char *p)
3152 - if (user_mode != SECONDARY_SPACE_MODE)
3153 - user_mode = PRIMARY_SPACE_MODE;
3156 -early_param("switch_amode", early_parse_switch_amode);
3158 static int __init early_parse_user_mode(char *p)
3160 if (p && strcmp(p, "primary") == 0)
3161 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3163 early_param("user_mode", early_parse_user_mode);
3165 -#ifdef CONFIG_S390_EXEC_PROTECT
3167 - * Enable execute protection?
3169 -static int __init early_parse_noexec(char *p)
3171 - if (!strncmp(p, "off", 3))
3173 - user_mode = SECONDARY_SPACE_MODE;
3176 -early_param("noexec", early_parse_noexec);
3177 -#endif /* CONFIG_S390_EXEC_PROTECT */
3179 static void setup_addressing_mode(void)
3181 if (user_mode == SECONDARY_SPACE_MODE) {
3182 diff -urNp linux-2.6.35.7/arch/s390/mm/maccess.c linux-2.6.35.7/arch/s390/mm/maccess.c
3183 --- linux-2.6.35.7/arch/s390/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
3184 +++ linux-2.6.35.7/arch/s390/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
3185 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3186 return rc ? rc : count;
3189 -long probe_kernel_write(void *dst, void *src, size_t size)
3190 +long probe_kernel_write(void *dst, const void *src, size_t size)
3194 diff -urNp linux-2.6.35.7/arch/s390/mm/mmap.c linux-2.6.35.7/arch/s390/mm/mmap.c
3195 --- linux-2.6.35.7/arch/s390/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
3196 +++ linux-2.6.35.7/arch/s390/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
3197 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3199 if (mmap_is_legacy()) {
3200 mm->mmap_base = TASK_UNMAPPED_BASE;
3202 +#ifdef CONFIG_PAX_RANDMMAP
3203 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3204 + mm->mmap_base += mm->delta_mmap;
3207 mm->get_unmapped_area = arch_get_unmapped_area;
3208 mm->unmap_area = arch_unmap_area;
3210 mm->mmap_base = mmap_base();
3212 +#ifdef CONFIG_PAX_RANDMMAP
3213 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3214 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3217 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3218 mm->unmap_area = arch_unmap_area_topdown;
3220 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3222 if (mmap_is_legacy()) {
3223 mm->mmap_base = TASK_UNMAPPED_BASE;
3225 +#ifdef CONFIG_PAX_RANDMMAP
3226 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3227 + mm->mmap_base += mm->delta_mmap;
3230 mm->get_unmapped_area = s390_get_unmapped_area;
3231 mm->unmap_area = arch_unmap_area;
3233 mm->mmap_base = mmap_base();
3235 +#ifdef CONFIG_PAX_RANDMMAP
3236 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3237 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3240 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3241 mm->unmap_area = arch_unmap_area_topdown;
3243 diff -urNp linux-2.6.35.7/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.35.7/arch/sh/boards/mach-hp6xx/pm.c
3244 --- linux-2.6.35.7/arch/sh/boards/mach-hp6xx/pm.c 2010-08-26 19:47:12.000000000 -0400
3245 +++ linux-2.6.35.7/arch/sh/boards/mach-hp6xx/pm.c 2010-09-17 20:12:09.000000000 -0400
3246 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3250 -static struct platform_suspend_ops hp6x0_pm_ops = {
3251 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3252 .enter = hp6x0_pm_enter,
3253 .valid = suspend_valid_only_mem,
3255 diff -urNp linux-2.6.35.7/arch/sh/include/asm/dma-mapping.h linux-2.6.35.7/arch/sh/include/asm/dma-mapping.h
3256 --- linux-2.6.35.7/arch/sh/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3257 +++ linux-2.6.35.7/arch/sh/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
3259 #ifndef __ASM_SH_DMA_MAPPING_H
3260 #define __ASM_SH_DMA_MAPPING_H
3262 -extern struct dma_map_ops *dma_ops;
3263 +extern const struct dma_map_ops *dma_ops;
3264 extern void no_iommu_init(void);
3266 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3267 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3271 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3273 static inline int dma_supported(struct device *dev, u64 mask)
3275 - struct dma_map_ops *ops = get_dma_ops(dev);
3276 + const struct dma_map_ops *ops = get_dma_ops(dev);
3278 if (ops->dma_supported)
3279 return ops->dma_supported(dev, mask);
3280 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3282 static inline int dma_set_mask(struct device *dev, u64 mask)
3284 - struct dma_map_ops *ops = get_dma_ops(dev);
3285 + const struct dma_map_ops *ops = get_dma_ops(dev);
3287 if (!dev->dma_mask || !dma_supported(dev, mask))
3289 @@ -59,7 +59,7 @@ static inline int dma_get_cache_alignmen
3291 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3293 - struct dma_map_ops *ops = get_dma_ops(dev);
3294 + const struct dma_map_ops *ops = get_dma_ops(dev);
3296 if (ops->mapping_error)
3297 return ops->mapping_error(dev, dma_addr);
3298 @@ -70,7 +70,7 @@ static inline int dma_mapping_error(stru
3299 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3300 dma_addr_t *dma_handle, gfp_t gfp)
3302 - struct dma_map_ops *ops = get_dma_ops(dev);
3303 + const struct dma_map_ops *ops = get_dma_ops(dev);
3306 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3307 @@ -87,7 +87,7 @@ static inline void *dma_alloc_coherent(s
3308 static inline void dma_free_coherent(struct device *dev, size_t size,
3309 void *vaddr, dma_addr_t dma_handle)
3311 - struct dma_map_ops *ops = get_dma_ops(dev);
3312 + const struct dma_map_ops *ops = get_dma_ops(dev);
3314 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3316 diff -urNp linux-2.6.35.7/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.35.7/arch/sh/kernel/cpu/shmobile/pm.c
3317 --- linux-2.6.35.7/arch/sh/kernel/cpu/shmobile/pm.c 2010-08-26 19:47:12.000000000 -0400
3318 +++ linux-2.6.35.7/arch/sh/kernel/cpu/shmobile/pm.c 2010-09-17 20:12:09.000000000 -0400
3319 @@ -141,7 +141,7 @@ static int sh_pm_enter(suspend_state_t s
3323 -static struct platform_suspend_ops sh_pm_ops = {
3324 +static const struct platform_suspend_ops sh_pm_ops = {
3325 .enter = sh_pm_enter,
3326 .valid = suspend_valid_only_mem,
3328 diff -urNp linux-2.6.35.7/arch/sh/kernel/dma-nommu.c linux-2.6.35.7/arch/sh/kernel/dma-nommu.c
3329 --- linux-2.6.35.7/arch/sh/kernel/dma-nommu.c 2010-08-26 19:47:12.000000000 -0400
3330 +++ linux-2.6.35.7/arch/sh/kernel/dma-nommu.c 2010-09-17 20:12:09.000000000 -0400
3331 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3335 -struct dma_map_ops nommu_dma_ops = {
3336 +const struct dma_map_ops nommu_dma_ops = {
3337 .alloc_coherent = dma_generic_alloc_coherent,
3338 .free_coherent = dma_generic_free_coherent,
3339 .map_page = nommu_map_page,
3340 diff -urNp linux-2.6.35.7/arch/sh/kernel/kgdb.c linux-2.6.35.7/arch/sh/kernel/kgdb.c
3341 --- linux-2.6.35.7/arch/sh/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
3342 +++ linux-2.6.35.7/arch/sh/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
3343 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3344 unregister_die_notifier(&kgdb_notifier);
3347 -struct kgdb_arch arch_kgdb_ops = {
3348 +const struct kgdb_arch arch_kgdb_ops = {
3349 /* Breakpoint instruction: trapa #0x3c */
3350 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3351 .gdb_bpt_instr = { 0x3c, 0xc3 },
3352 diff -urNp linux-2.6.35.7/arch/sh/mm/consistent.c linux-2.6.35.7/arch/sh/mm/consistent.c
3353 --- linux-2.6.35.7/arch/sh/mm/consistent.c 2010-08-26 19:47:12.000000000 -0400
3354 +++ linux-2.6.35.7/arch/sh/mm/consistent.c 2010-09-17 20:12:09.000000000 -0400
3357 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3359 -struct dma_map_ops *dma_ops;
3360 +const struct dma_map_ops *dma_ops;
3361 EXPORT_SYMBOL(dma_ops);
3363 static int __init dma_init(void)
3364 diff -urNp linux-2.6.35.7/arch/sh/mm/mmap.c linux-2.6.35.7/arch/sh/mm/mmap.c
3365 --- linux-2.6.35.7/arch/sh/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
3366 +++ linux-2.6.35.7/arch/sh/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
3367 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3368 addr = PAGE_ALIGN(addr);
3370 vma = find_vma(mm, addr);
3371 - if (TASK_SIZE - len >= addr &&
3372 - (!vma || addr + len <= vma->vm_start))
3373 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3377 @@ -106,7 +105,7 @@ full_search:
3381 - if (likely(!vma || addr + len <= vma->vm_start)) {
3382 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3384 * Remember the place where we stopped the search:
3386 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3387 addr = PAGE_ALIGN(addr);
3389 vma = find_vma(mm, addr);
3390 - if (TASK_SIZE - len >= addr &&
3391 - (!vma || addr + len <= vma->vm_start))
3392 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3396 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3397 /* make sure it can fit in the remaining address space */
3398 if (likely(addr > len)) {
3399 vma = find_vma(mm, addr-len);
3400 - if (!vma || addr <= vma->vm_start) {
3401 + if (check_heap_stack_gap(vma, addr - len, len)) {
3402 /* remember the address as a hint for next time */
3403 return (mm->free_area_cache = addr-len);
3405 @@ -199,7 +197,7 @@ arch_get_unmapped_area_topdown(struct fi
3406 * return with success:
3408 vma = find_vma(mm, addr);
3409 - if (likely(!vma || addr+len <= vma->vm_start)) {
3410 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3411 /* remember the address as a hint for next time */
3412 return (mm->free_area_cache = addr);
3414 diff -urNp linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h
3415 --- linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h 2010-08-26 19:47:12.000000000 -0400
3416 +++ linux-2.6.35.7/arch/sparc/include/asm/atomic_64.h 2010-10-11 22:41:44.000000000 -0400
3418 #define ATOMIC64_INIT(i) { (i) }
3420 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3421 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3423 + return v->counter;
3425 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3426 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3428 + return v->counter;
3431 #define atomic_set(v, i) (((v)->counter) = i)
3432 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3436 #define atomic64_set(v, i) (((v)->counter) = i)
3437 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3442 extern void atomic_add(int, atomic_t *);
3443 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3444 extern void atomic64_add(long, atomic64_t *);
3445 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3446 extern void atomic_sub(int, atomic_t *);
3447 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3448 extern void atomic64_sub(long, atomic64_t *);
3449 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3451 extern int atomic_add_ret(int, atomic_t *);
3452 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3453 extern long atomic64_add_ret(long, atomic64_t *);
3454 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3455 extern int atomic_sub_ret(int, atomic_t *);
3456 extern long atomic64_sub_ret(long, atomic64_t *);
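Review bot: `atomic_read_unchecked` and `atomic64_read_unchecked` return `v->counter` with a plain load, while the `atomic_read` and `atomic64_read` macros beside them read through `*(volatile int *)&(v)->counter` and its `long` counterpart. Unless the counter member of atomic_unchecked_t is itself volatile (its definition is not in this hunk), the compiler may hoist or merge these reads in a polling loop; `return *(const volatile int *)&v->counter;` and the `long` equivalent would match the checked versions. A one-line comment on the new helpers saying how the _unchecked variants differ from the checked ones, presumably by skipping the CONFIG_PAX_REFCOUNT overflow trap, would also help callers choose between them.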
3458 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
3459 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3461 #define atomic_inc_return(v) atomic_add_ret(1, v)
3462 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3464 + return atomic_add_ret_unchecked(1, v);
3466 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3467 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3469 + return atomic64_add_ret_unchecked(1, v);
3472 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3473 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3475 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3476 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3478 + return atomic_add_ret_unchecked(i, v);
3480 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3483 @@ -59,10 +93,26 @@ extern long atomic64_sub_ret(long, atomi
3484 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3486 #define atomic_inc(v) atomic_add(1, v)
3487 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3489 + atomic_add_unchecked(1, v);
3491 #define atomic64_inc(v) atomic64_add(1, v)
3492 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3494 + atomic64_add_unchecked(1, v);
3497 #define atomic_dec(v) atomic_sub(1, v)
3498 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3500 + atomic_sub_unchecked(1, v);
3502 #define atomic64_dec(v) atomic64_sub(1, v)
3503 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3505 + atomic64_sub_unchecked(1, v);
3508 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3509 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3510 @@ -72,17 +122,28 @@ extern long atomic64_sub_ret(long, atomi
3512 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3518 - if (unlikely(c == (u)))
3519 + if (unlikely(c == u))
3521 - old = atomic_cmpxchg((v), c, c + (a));
3523 + asm volatile("addcc %2, %0, %0\n"
3525 +#ifdef CONFIG_PAX_REFCOUNT
3530 + : "0" (c), "ir" (a)
3533 + old = atomic_cmpxchg(v, c, new);
3534 if (likely(old == c))
3542 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3543 @@ -93,17 +154,28 @@ static inline int atomic_add_unless(atom
3545 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3549 c = atomic64_read(v);
3551 - if (unlikely(c == (u)))
3552 + if (unlikely(c == u))
3554 - old = atomic64_cmpxchg((v), c, c + (a));
3556 + asm volatile("addcc %2, %0, %0\n"
3558 +#ifdef CONFIG_PAX_REFCOUNT
3563 + : "0" (c), "ir" (a)
3566 + old = atomic64_cmpxchg(v, c, new);
3567 if (likely(old == c))
3575 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3576 diff -urNp linux-2.6.35.7/arch/sparc/include/asm/dma-mapping.h linux-2.6.35.7/arch/sparc/include/asm/dma-mapping.h
3577 --- linux-2.6.35.7/arch/sparc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3578 +++ linux-2.6.35.7/arch/sparc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
3579 @@ -13,10 +13,10 @@ extern int dma_supported(struct device *
3580 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3581 #define dma_is_consistent(d, h) (1)
3583 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3584 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3585 extern struct bus_type pci_bus_type;
3587 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3588 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3590 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3591 if (dev->bus == &pci_bus_type)
3592 @@ -30,7 +30,7 @@ static inline struct dma_map_ops *get_dm
3593 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3594 dma_addr_t *dma_handle, gfp_t flag)
3596 - struct dma_map_ops *ops = get_dma_ops(dev);
3597 + const struct dma_map_ops *ops = get_dma_ops(dev);
3600 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3601 @@ -41,7 +41,7 @@ static inline void *dma_alloc_coherent(s
3602 static inline void dma_free_coherent(struct device *dev, size_t size,
3603 void *cpu_addr, dma_addr_t dma_handle)
3605 - struct dma_map_ops *ops = get_dma_ops(dev);
3606 + const struct dma_map_ops *ops = get_dma_ops(dev);
3608 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3609 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3610 diff -urNp linux-2.6.35.7/arch/sparc/include/asm/elf_32.h linux-2.6.35.7/arch/sparc/include/asm/elf_32.h
3611 --- linux-2.6.35.7/arch/sparc/include/asm/elf_32.h 2010-08-26 19:47:12.000000000 -0400
3612 +++ linux-2.6.35.7/arch/sparc/include/asm/elf_32.h 2010-09-17 20:12:09.000000000 -0400
3613 @@ -114,6 +114,13 @@ typedef struct {
3615 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3617 +#ifdef CONFIG_PAX_ASLR
3618 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3620 +#define PAX_DELTA_MMAP_LEN 16
3621 +#define PAX_DELTA_STACK_LEN 16
3624 /* This yields a mask that user programs can use to figure out what
3625 instruction set this cpu supports. This can NOT be done in userspace
3627 diff -urNp linux-2.6.35.7/arch/sparc/include/asm/elf_64.h linux-2.6.35.7/arch/sparc/include/asm/elf_64.h
3628 --- linux-2.6.35.7/arch/sparc/include/asm/elf_64.h 2010-08-26 19:47:12.000000000 -0400
3629 +++ linux-2.6.35.7/arch/sparc/include/asm/elf_64.h 2010-09-17 20:12:09.000000000 -0400
3630 @@ -162,6 +162,12 @@ typedef struct {
3631 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3632 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3634 +#ifdef CONFIG_PAX_ASLR
3635 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3637 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3638 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3641 /* This yields a mask that user programs can use to figure out what
3642 instruction set this cpu supports. */
3643 diff -urNp linux-2.6.35.7/arch/sparc/include/asm/pgtable_32.h linux-2.6.35.7/arch/sparc/include/asm/pgtable_32.h
3644 --- linux-2.6.35.7/arch/sparc/include/asm/pgtable_32.h 2010-08-26 19:47:12.000000000 -0400
3645 +++ linux-2.6.35.7/arch/sparc/include/asm/pgtable_32.h 2010-09-17 20:12:09.000000000 -0400
3646 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3647 BTFIXUPDEF_INT(page_none)
3648 BTFIXUPDEF_INT(page_copy)
3649 BTFIXUPDEF_INT(page_readonly)
3651 +#ifdef CONFIG_PAX_PAGEEXEC
3652 +BTFIXUPDEF_INT(page_shared_noexec)
3653 +BTFIXUPDEF_INT(page_copy_noexec)
3654 +BTFIXUPDEF_INT(page_readonly_noexec)
3657 BTFIXUPDEF_INT(page_kernel)
3659 #define PMD_SHIFT SUN4C_PMD_SHIFT
3660 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3661 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3662 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3664 +#ifdef CONFIG_PAX_PAGEEXEC
3665 +extern pgprot_t PAGE_SHARED_NOEXEC;
3666 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3667 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3669 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3670 +# define PAGE_COPY_NOEXEC PAGE_COPY
3671 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3674 extern unsigned long page_kernel;
3677 diff -urNp linux-2.6.35.7/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.35.7/arch/sparc/include/asm/pgtsrmmu.h
3678 --- linux-2.6.35.7/arch/sparc/include/asm/pgtsrmmu.h 2010-08-26 19:47:12.000000000 -0400
3679 +++ linux-2.6.35.7/arch/sparc/include/asm/pgtsrmmu.h 2010-09-17 20:12:09.000000000 -0400
3680 @@ -115,6 +115,13 @@
3681 SRMMU_EXEC | SRMMU_REF)
3682 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3683 SRMMU_EXEC | SRMMU_REF)
3685 +#ifdef CONFIG_PAX_PAGEEXEC
3686 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3687 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3688 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3691 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3692 SRMMU_DIRTY | SRMMU_REF)
3694 diff -urNp linux-2.6.35.7/arch/sparc/include/asm/spinlock_64.h linux-2.6.35.7/arch/sparc/include/asm/spinlock_64.h
3695 --- linux-2.6.35.7/arch/sparc/include/asm/spinlock_64.h 2010-08-26 19:47:12.000000000 -0400
3696 +++ linux-2.6.35.7/arch/sparc/include/asm/spinlock_64.h 2010-09-17 20:12:09.000000000 -0400
3697 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3698 __asm__ __volatile__ (
3699 "1: ldsw [%2], %0\n"
3701 -"4: add %0, 1, %1\n"
3702 +"4: addcc %0, 1, %1\n"
3704 +#ifdef CONFIG_PAX_REFCOUNT
3708 " cas [%2], %0, %1\n"
3710 " bne,pn %%icc, 1b\n"
3711 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3713 : "=&r" (tmp1), "=&r" (tmp2)
3716 + : "memory", "cc");
3719 static int inline arch_read_trylock(arch_rwlock_t *lock)
3720 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3721 "1: ldsw [%2], %0\n"
3722 " brlz,a,pn %0, 2f\n"
3725 +" addcc %0, 1, %1\n"
3727 +#ifdef CONFIG_PAX_REFCOUNT
3731 " cas [%2], %0, %1\n"
3733 " bne,pn %%icc, 1b\n"
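Review bot: The `addcc` introduced in arch_read_trylock here, and the `subcc` in the arch_read_unlock hunk that follows, both write the integer condition codes, yet only arch_read_lock has its clobber list extended to `: "memory", "cc");` by this patch. The clobber lists of these two functions lie outside the hunks, so they may already be correct. If they still read `: "memory"`, they should gain `"cc"` too, so that all three asm blocks declare the same side effects to the compiler.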
3734 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3736 __asm__ __volatile__(
3737 "1: lduw [%2], %0\n"
3739 +" subcc %0, 1, %1\n"
3741 +#ifdef CONFIG_PAX_REFCOUNT
3745 " cas [%2], %0, %1\n"
3747 " bne,pn %%xcc, 1b\n"
3748 diff -urNp linux-2.6.35.7/arch/sparc/include/asm/uaccess_32.h linux-2.6.35.7/arch/sparc/include/asm/uaccess_32.h
3749 --- linux-2.6.35.7/arch/sparc/include/asm/uaccess_32.h 2010-08-26 19:47:12.000000000 -0400
3750 +++ linux-2.6.35.7/arch/sparc/include/asm/uaccess_32.h 2010-09-17 20:12:09.000000000 -0400
3751 @@ -249,14 +249,25 @@ extern unsigned long __copy_user(void __
3753 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3755 - if (n && __access_ok((unsigned long) to, n))
3759 + if (n && __access_ok((unsigned long) to, n)) {
3760 + if (!__builtin_constant_p(n))
3761 + check_object_size(from, n, true);
3762 return __copy_user(to, (__force void __user *) from, n);
3768 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3773 + if (!__builtin_constant_p(n))
3774 + check_object_size(from, n, true);
3776 return __copy_user(to, (__force void __user *) from, n);
3779 @@ -272,19 +283,27 @@ static inline unsigned long copy_from_us
3781 int sz = __compiletime_object_size(to);
3786 if (unlikely(sz != -1 && sz < n)) {
3787 copy_from_user_overflow();
3791 - if (n && __access_ok((unsigned long) from, n))
3792 + if (n && __access_ok((unsigned long) from, n)) {
3793 + if (!__builtin_constant_p(n))
3794 + check_object_size(to, n, false);
3795 return __copy_user((__force void __user *) to, from, n);
3801 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3806 return __copy_user((__force void __user *) to, from, n);
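Review bot: `__copy_from_user` at the end of this hunk appears to go straight to `__copy_user` without the `check_object_size(to, n, false)` call that `copy_from_user` gains just above it, and that `copy_to_user` and `__copy_to_user` gain in the previous hunk. Callers that do their own access_ok() and then use the double-underscore variant would skip the bounds check on the kernel destination object. If the omission is not deliberate, add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `return`. Some lines of this hunk are not shown on the page, so confirm against the full patch.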
3809 diff -urNp linux-2.6.35.7/arch/sparc/include/asm/uaccess_64.h linux-2.6.35.7/arch/sparc/include/asm/uaccess_64.h
3810 --- linux-2.6.35.7/arch/sparc/include/asm/uaccess_64.h 2010-08-26 19:47:12.000000000 -0400
3811 +++ linux-2.6.35.7/arch/sparc/include/asm/uaccess_64.h 2010-09-17 20:12:09.000000000 -0400
3813 #include <linux/compiler.h>
3814 #include <linux/string.h>
3815 #include <linux/thread_info.h>
3816 +#include <linux/kernel.h>
3817 #include <asm/asi.h>
3818 #include <asm/system.h>
3819 #include <asm/spitfire.h>
3820 @@ -224,6 +225,12 @@ copy_from_user(void *to, const void __us
3821 int sz = __compiletime_object_size(to);
3822 unsigned long ret = size;
3824 + if ((long)size < 0 || size > INT_MAX)
3827 + if (!__builtin_constant_p(size))
3828 + check_object_size(to, size, false);
3830 if (likely(sz == -1 || sz >= size)) {
3831 ret = ___copy_from_user(to, from, size);
3833 @@ -243,8 +250,15 @@ extern unsigned long copy_to_user_fixup(
3834 static inline unsigned long __must_check
3835 copy_to_user(void __user *to, const void *from, unsigned long size)
3837 - unsigned long ret = ___copy_to_user(to, from, size);
3838 + unsigned long ret;
3840 + if ((long)size < 0 || size > INT_MAX)
3843 + if (!__builtin_constant_p(size))
3844 + check_object_size(from, size, true);
3846 + ret = ___copy_to_user(to, from, size);
3848 ret = copy_to_user_fixup(to, from, size);
3850 diff -urNp linux-2.6.35.7/arch/sparc/include/asm/uaccess.h linux-2.6.35.7/arch/sparc/include/asm/uaccess.h
3851 --- linux-2.6.35.7/arch/sparc/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
3852 +++ linux-2.6.35.7/arch/sparc/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
3854 #ifndef ___ASM_SPARC_UACCESS_H
3855 #define ___ASM_SPARC_UACCESS_H
3858 +#ifndef __ASSEMBLY__
3859 +#include <linux/types.h>
3860 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3864 #if defined(__sparc__) && defined(__arch64__)
3865 #include <asm/uaccess_64.h>
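Review bot: The new prototype `check_object_size(const void *ptr, unsigned long n, bool to)` has no comment, so the meaning of `to` can only be inferred from its callers. The uaccess_32.h and uaccess_64.h hunks pass `true` from copy_to_user with the kernel source pointer and `false` from copy_from_user with the kernel destination pointer. A one-line comment above the declaration, such as `/* ptr: kernel-side buffer, n: bytes to copy, to: true when the copy goes to userland */`, would make the bare `true`/`false` at the call sites readable.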
3867 diff -urNp linux-2.6.35.7/arch/sparc/kernel/iommu.c linux-2.6.35.7/arch/sparc/kernel/iommu.c
3868 --- linux-2.6.35.7/arch/sparc/kernel/iommu.c 2010-08-26 19:47:12.000000000 -0400
3869 +++ linux-2.6.35.7/arch/sparc/kernel/iommu.c 2010-09-17 20:12:09.000000000 -0400
3870 @@ -828,7 +828,7 @@ static void dma_4u_sync_sg_for_cpu(struc
3871 spin_unlock_irqrestore(&iommu->lock, flags);
3874 -static struct dma_map_ops sun4u_dma_ops = {
3875 +static const struct dma_map_ops sun4u_dma_ops = {
3876 .alloc_coherent = dma_4u_alloc_coherent,
3877 .free_coherent = dma_4u_free_coherent,
3878 .map_page = dma_4u_map_page,
3879 @@ -839,7 +839,7 @@ static struct dma_map_ops sun4u_dma_ops
3880 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
3883 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3884 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3885 EXPORT_SYMBOL(dma_ops);
3887 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
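Review bot: `dma_ops` now points at a const table, but the pointer itself remains a writable, exported global, so constifying `sun4u_dma_ops` protects the table contents without protecting the dispatch target. The same pattern is in the ioport.c hunk (`const struct dma_map_ops *dma_ops = &sbus_dma_ops;`). Whether the pointer is reassigned during platform setup is not visible here. If it is, a comment such as `/* table is const; dma_ops itself is reassigned at init and stays writable */` would record that the remaining exposure is known.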
3888 diff -urNp linux-2.6.35.7/arch/sparc/kernel/ioport.c linux-2.6.35.7/arch/sparc/kernel/ioport.c
3889 --- linux-2.6.35.7/arch/sparc/kernel/ioport.c 2010-08-26 19:47:12.000000000 -0400
3890 +++ linux-2.6.35.7/arch/sparc/kernel/ioport.c 2010-09-17 20:12:09.000000000 -0400
3891 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
3895 -struct dma_map_ops sbus_dma_ops = {
3896 +const struct dma_map_ops sbus_dma_ops = {
3897 .alloc_coherent = sbus_alloc_coherent,
3898 .free_coherent = sbus_free_coherent,
3899 .map_page = sbus_map_page,
3900 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
3901 .sync_sg_for_device = sbus_sync_sg_for_device,
3904 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
3905 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
3906 EXPORT_SYMBOL(dma_ops);
3908 static int __init sparc_register_ioport(void)
3909 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
3913 -struct dma_map_ops pci32_dma_ops = {
3914 +const struct dma_map_ops pci32_dma_ops = {
3915 .alloc_coherent = pci32_alloc_coherent,
3916 .free_coherent = pci32_free_coherent,
3917 .map_page = pci32_map_page,
3918 diff -urNp linux-2.6.35.7/arch/sparc/kernel/kgdb_32.c linux-2.6.35.7/arch/sparc/kernel/kgdb_32.c
3919 --- linux-2.6.35.7/arch/sparc/kernel/kgdb_32.c 2010-08-26 19:47:12.000000000 -0400
3920 +++ linux-2.6.35.7/arch/sparc/kernel/kgdb_32.c 2010-09-17 20:12:09.000000000 -0400
3921 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3922 regs->npc = regs->pc + 4;
3925 -struct kgdb_arch arch_kgdb_ops = {
3926 +const struct kgdb_arch arch_kgdb_ops = {
3927 /* Breakpoint instruction: ta 0x7d */
3928 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
3930 diff -urNp linux-2.6.35.7/arch/sparc/kernel/kgdb_64.c linux-2.6.35.7/arch/sparc/kernel/kgdb_64.c
3931 --- linux-2.6.35.7/arch/sparc/kernel/kgdb_64.c 2010-08-26 19:47:12.000000000 -0400
3932 +++ linux-2.6.35.7/arch/sparc/kernel/kgdb_64.c 2010-09-17 20:12:09.000000000 -0400
3933 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3934 regs->tnpc = regs->tpc + 4;
3937 -struct kgdb_arch arch_kgdb_ops = {
3938 +const struct kgdb_arch arch_kgdb_ops = {
3939 /* Breakpoint instruction: ta 0x72 */
3940 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
3942 diff -urNp linux-2.6.35.7/arch/sparc/kernel/Makefile linux-2.6.35.7/arch/sparc/kernel/Makefile
3943 --- linux-2.6.35.7/arch/sparc/kernel/Makefile 2010-08-26 19:47:12.000000000 -0400
3944 +++ linux-2.6.35.7/arch/sparc/kernel/Makefile 2010-09-17 20:12:09.000000000 -0400
3949 -ccflags-y := -Werror
3950 +#ccflags-y := -Werror
3952 extra-y := head_$(BITS).o
3953 extra-y += init_task.o
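Review bot: Commenting out `ccflags-y := -Werror` stops every warning in arch/sparc/kernel from failing the build, not only the ones this patch set triggers, and it leaves a dead line with no explanation. If the constified ops structures are what trips the build (an inference, the page does not say), fixing those sites or relaxing the flag per object with `CFLAGS_<object>.o += -Wno-error` (placeholder object name) would keep the rest of the directory warning-clean. At minimum, add a comment saying which warnings forced the change.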
3954 diff -urNp linux-2.6.35.7/arch/sparc/kernel/pci_sun4v.c linux-2.6.35.7/arch/sparc/kernel/pci_sun4v.c
3955 --- linux-2.6.35.7/arch/sparc/kernel/pci_sun4v.c 2010-08-26 19:47:12.000000000 -0400
3956 +++ linux-2.6.35.7/arch/sparc/kernel/pci_sun4v.c 2010-09-17 20:12:09.000000000 -0400
3957 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
3958 spin_unlock_irqrestore(&iommu->lock, flags);
3961 -static struct dma_map_ops sun4v_dma_ops = {
3962 +static const struct dma_map_ops sun4v_dma_ops = {
3963 .alloc_coherent = dma_4v_alloc_coherent,
3964 .free_coherent = dma_4v_free_coherent,
3965 .map_page = dma_4v_map_page,
3966 diff -urNp linux-2.6.35.7/arch/sparc/kernel/sys_sparc_32.c linux-2.6.35.7/arch/sparc/kernel/sys_sparc_32.c
3967 --- linux-2.6.35.7/arch/sparc/kernel/sys_sparc_32.c 2010-08-26 19:47:12.000000000 -0400
3968 +++ linux-2.6.35.7/arch/sparc/kernel/sys_sparc_32.c 2010-09-17 20:12:09.000000000 -0400
3969 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
3970 if (ARCH_SUN4C && len > 0x20000000)
3973 - addr = TASK_UNMAPPED_BASE;
3974 + addr = current->mm->mmap_base;
3976 if (flags & MAP_SHARED)
3977 addr = COLOUR_ALIGN(addr);
3978 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
3980 if (TASK_SIZE - PAGE_SIZE - len < addr)
3982 - if (!vmm || addr + len <= vmm->vm_start)
3983 + if (check_heap_stack_gap(vmm, addr, len))
3986 if (flags & MAP_SHARED)
3987 diff -urNp linux-2.6.35.7/arch/sparc/kernel/sys_sparc_64.c linux-2.6.35.7/arch/sparc/kernel/sys_sparc_64.c
3988 --- linux-2.6.35.7/arch/sparc/kernel/sys_sparc_64.c 2010-08-26 19:47:12.000000000 -0400
3989 +++ linux-2.6.35.7/arch/sparc/kernel/sys_sparc_64.c 2010-09-17 20:12:09.000000000 -0400
3990 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
3991 /* We do not accept a shared mapping if it would violate
3992 * cache aliasing constraints.
3994 - if ((flags & MAP_SHARED) &&
3995 + if ((filp || (flags & MAP_SHARED)) &&
3996 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
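Review bot: The context comment above the changed condition still says "We do not accept a shared mapping", but the new test `filp || (flags & MAP_SHARED)` also rejects misaligned private file-backed mappings. The same mismatch is in the arch_get_unmapped_area_topdown hunk further down. Update both comments, e.g. `/* We do not accept a shared or file-backed mapping if it would violate cache aliasing constraints. */`, and say why private file mappings are included, since this changes which requests fail. The enclosing branch begins outside the hunk.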
3999 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4000 if (filp || (flags & MAP_SHARED))
4003 +#ifdef CONFIG_PAX_RANDMMAP
4004 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4009 addr = COLOUR_ALIGN(addr, pgoff);
4010 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4011 addr = PAGE_ALIGN(addr);
4013 vma = find_vma(mm, addr);
4014 - if (task_size - len >= addr &&
4015 - (!vma || addr + len <= vma->vm_start))
4016 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4020 if (len > mm->cached_hole_size) {
4021 - start_addr = addr = mm->free_area_cache;
4022 + start_addr = addr = mm->free_area_cache;
4024 - start_addr = addr = TASK_UNMAPPED_BASE;
4025 + start_addr = addr = mm->mmap_base;
4026 mm->cached_hole_size = 0;
4029 @@ -174,14 +177,14 @@ full_search:
4030 vma = find_vma(mm, VA_EXCLUDE_END);
4032 if (unlikely(task_size < addr)) {
4033 - if (start_addr != TASK_UNMAPPED_BASE) {
4034 - start_addr = addr = TASK_UNMAPPED_BASE;
4035 + if (start_addr != mm->mmap_base) {
4036 + start_addr = addr = mm->mmap_base;
4037 mm->cached_hole_size = 0;
4042 - if (likely(!vma || addr + len <= vma->vm_start)) {
4043 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4045 * Remember the place where we stopped the search:
4047 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4048 /* We do not accept a shared mapping if it would violate
4049 * cache aliasing constraints.
4051 - if ((flags & MAP_SHARED) &&
4052 + if ((filp || (flags & MAP_SHARED)) &&
4053 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4056 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4057 addr = PAGE_ALIGN(addr);
4059 vma = find_vma(mm, addr);
4060 - if (task_size - len >= addr &&
4061 - (!vma || addr + len <= vma->vm_start))
4062 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4066 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4067 /* make sure it can fit in the remaining address space */
4068 if (likely(addr > len)) {
4069 vma = find_vma(mm, addr-len);
4070 - if (!vma || addr <= vma->vm_start) {
4071 + if (check_heap_stack_gap(vma, addr - len, len)) {
4072 /* remember the address as a hint for next time */
4073 return (mm->free_area_cache = addr-len);
4075 @@ -278,7 +280,7 @@ arch_get_unmapped_area_topdown(struct fi
4076 * return with success:
4078 vma = find_vma(mm, addr);
4079 - if (likely(!vma || addr+len <= vma->vm_start)) {
4080 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4081 /* remember the address as a hint for next time */
4082 return (mm->free_area_cache = addr);
4084 @@ -385,6 +387,12 @@ void arch_pick_mmap_layout(struct mm_str
4085 gap == RLIM_INFINITY ||
4086 sysctl_legacy_va_layout) {
4087 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4089 +#ifdef CONFIG_PAX_RANDMMAP
4090 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4091 + mm->mmap_base += mm->delta_mmap;
4094 mm->get_unmapped_area = arch_get_unmapped_area;
4095 mm->unmap_area = arch_unmap_area;
4097 @@ -397,6 +405,12 @@ void arch_pick_mmap_layout(struct mm_str
4098 gap = (task_size / 6 * 5);
4100 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4102 +#ifdef CONFIG_PAX_RANDMMAP
4103 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4104 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4107 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4108 mm->unmap_area = arch_unmap_area_topdown;
4110 diff -urNp linux-2.6.35.7/arch/sparc/kernel/traps_64.c linux-2.6.35.7/arch/sparc/kernel/traps_64.c
4111 --- linux-2.6.35.7/arch/sparc/kernel/traps_64.c 2010-08-26 19:47:12.000000000 -0400
4112 +++ linux-2.6.35.7/arch/sparc/kernel/traps_64.c 2010-09-17 20:12:09.000000000 -0400
4113 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4116 if (regs->tstate & TSTATE_PRIV) {
4118 +#ifdef CONFIG_PAX_REFCOUNT
4120 + pax_report_refcount_overflow(regs);
4123 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4124 die_if_kernel(buffer, regs);
4126 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4127 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4132 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4133 0, lvl, SIGTRAP) == NOTIFY_STOP)
4136 +#ifdef CONFIG_PAX_REFCOUNT
4138 + pax_report_refcount_overflow(regs);
4141 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4143 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4144 diff -urNp linux-2.6.35.7/arch/sparc/lib/atomic_64.S linux-2.6.35.7/arch/sparc/lib/atomic_64.S
4145 --- linux-2.6.35.7/arch/sparc/lib/atomic_64.S 2010-08-26 19:47:12.000000000 -0400
4146 +++ linux-2.6.35.7/arch/sparc/lib/atomic_64.S 2010-09-26 22:04:10.000000000 -0400
4148 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4152 + addcc %g1, %o0, %g7
4154 +#ifdef CONFIG_PAX_REFCOUNT
4161 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4162 2: BACKOFF_SPIN(%o2, %o3, 1b)
4163 .size atomic_add, .-atomic_add
4165 + .globl atomic_add_unchecked
4166 + .type atomic_add_unchecked,#function
4167 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4168 + BACKOFF_SETUP(%o2)
4171 + cas [%o1], %g1, %g7
4177 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4178 + .size atomic_add_unchecked, .-atomic_add_unchecked
4181 .type atomic_sub,#function
4182 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4186 + subcc %g1, %o0, %g7
4188 +#ifdef CONFIG_PAX_REFCOUNT
4195 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4196 2: BACKOFF_SPIN(%o2, %o3, 1b)
4197 .size atomic_sub, .-atomic_sub
4199 + .globl atomic_sub_unchecked
4200 + .type atomic_sub_unchecked,#function
4201 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4202 + BACKOFF_SETUP(%o2)
4205 + cas [%o1], %g1, %g7
4211 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4212 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4214 .globl atomic_add_ret
4215 .type atomic_add_ret,#function
4216 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4220 + addcc %g1, %o0, %g7
4222 +#ifdef CONFIG_PAX_REFCOUNT
4229 @@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4230 2: BACKOFF_SPIN(%o2, %o3, 1b)
4231 .size atomic_add_ret, .-atomic_add_ret
4233 + .globl atomic_add_ret_unchecked
4234 + .type atomic_add_ret_unchecked,#function
4235 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4236 + BACKOFF_SETUP(%o2)
4238 + addcc %g1, %o0, %g7
4239 + cas [%o1], %g1, %g7
4246 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4247 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4249 .globl atomic_sub_ret
4250 .type atomic_sub_ret,#function
4251 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4255 + subcc %g1, %o0, %g7
4257 +#ifdef CONFIG_PAX_REFCOUNT
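Review bot: `atomic_add_ret_unchecked` is written with `addcc %g1, %o0, %g7` although, as far as the visible lines show, it has no CONFIG_PAX_REFCOUNT block to consume the overflow flag. The later `atomic64_add_unchecked`, `atomic64_sub_unchecked` and `atomic64_add_ret_unchecked` bodies use `addcc`/`subcc` the same way. This looks harmless, but it makes the unchecked routines read like the checked ones. A plain `add %g1, %o0, %g7` (and `sub` in the subtract variants) would make it clear that no overflow check is intended. Several lines of these routines are not shown on the page, so confirm against the full file.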
4264 @@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4265 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4269 + addcc %g1, %o0, %g7
4271 +#ifdef CONFIG_PAX_REFCOUNT
4275 casx [%o1], %g1, %g7
4278 @@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4279 2: BACKOFF_SPIN(%o2, %o3, 1b)
4280 .size atomic64_add, .-atomic64_add
4282 + .globl atomic64_add_unchecked
4283 + .type atomic64_add_unchecked,#function
4284 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4285 + BACKOFF_SETUP(%o2)
4287 + addcc %g1, %o0, %g7
4288 + casx [%o1], %g1, %g7
4294 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4295 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4298 .type atomic64_sub,#function
4299 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4303 + subcc %g1, %o0, %g7
4305 +#ifdef CONFIG_PAX_REFCOUNT
4309 casx [%o1], %g1, %g7
4312 @@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4313 2: BACKOFF_SPIN(%o2, %o3, 1b)
4314 .size atomic64_sub, .-atomic64_sub
4316 + .globl atomic64_sub_unchecked
4317 + .type atomic64_sub_unchecked,#function
4318 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4319 + BACKOFF_SETUP(%o2)
4321 + subcc %g1, %o0, %g7
4322 + casx [%o1], %g1, %g7
4328 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4329 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4331 .globl atomic64_add_ret
4332 .type atomic64_add_ret,#function
4333 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4337 + addcc %g1, %o0, %g7
4339 +#ifdef CONFIG_PAX_REFCOUNT
4343 casx [%o1], %g1, %g7
4346 @@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4347 2: BACKOFF_SPIN(%o2, %o3, 1b)
4348 .size atomic64_add_ret, .-atomic64_add_ret
4350 + .globl atomic64_add_ret_unchecked
4351 + .type atomic64_add_ret_unchecked,#function
4352 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4353 + BACKOFF_SETUP(%o2)
4355 + addcc %g1, %o0, %g7
4356 + casx [%o1], %g1, %g7
4363 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4364 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4366 .globl atomic64_sub_ret
4367 .type atomic64_sub_ret,#function
4368 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4372 + subcc %g1, %o0, %g7
4374 +#ifdef CONFIG_PAX_REFCOUNT
4378 casx [%o1], %g1, %g7
4381 diff -urNp linux-2.6.35.7/arch/sparc/lib/ksyms.c linux-2.6.35.7/arch/sparc/lib/ksyms.c
4382 --- linux-2.6.35.7/arch/sparc/lib/ksyms.c 2010-08-26 19:47:12.000000000 -0400
4383 +++ linux-2.6.35.7/arch/sparc/lib/ksyms.c 2010-09-17 20:12:09.000000000 -0400
4384 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4386 /* Atomic counter implementation. */
4387 EXPORT_SYMBOL(atomic_add);
4388 +EXPORT_SYMBOL(atomic_add_unchecked);
4389 EXPORT_SYMBOL(atomic_add_ret);
4390 EXPORT_SYMBOL(atomic_sub);
4391 +EXPORT_SYMBOL(atomic_sub_unchecked);
4392 EXPORT_SYMBOL(atomic_sub_ret);
4393 EXPORT_SYMBOL(atomic64_add);
4394 +EXPORT_SYMBOL(atomic64_add_unchecked);
4395 EXPORT_SYMBOL(atomic64_add_ret);
4396 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4397 EXPORT_SYMBOL(atomic64_sub);
4398 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4399 EXPORT_SYMBOL(atomic64_sub_ret);
4401 /* Atomic bit operations. */
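Review bot: `atomic_add_ret_unchecked` is missing from the exports added here. The list gains `atomic_add_unchecked`, `atomic_sub_unchecked`, `atomic64_add_unchecked`, `atomic64_add_ret_unchecked` and `atomic64_sub_unchecked`, and the hunk header's line counts leave no room for a sixth added line. The symbol is declared `.globl` in atomic_64.S and is called by the new inline `atomic_inc_return_unchecked()` and `atomic_add_return_unchecked()` in the header, so a module using either would presumably fail to resolve it at load time. Add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);`.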
4402 diff -urNp linux-2.6.35.7/arch/sparc/lib/rwsem_64.S linux-2.6.35.7/arch/sparc/lib/rwsem_64.S
4403 --- linux-2.6.35.7/arch/sparc/lib/rwsem_64.S 2010-08-26 19:47:12.000000000 -0400
4404 +++ linux-2.6.35.7/arch/sparc/lib/rwsem_64.S 2010-09-17 20:12:09.000000000 -0400
4412 +#ifdef CONFIG_PAX_REFCOUNT
4419 @@ -33,7 +38,12 @@ __down_read:
4420 .globl __down_read_trylock
4421 __down_read_trylock:
4426 +#ifdef CONFIG_PAX_REFCOUNT
4433 @@ -51,7 +61,12 @@ __down_write:
4434 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4438 + addcc %g3, %g1, %g7
4440 +#ifdef CONFIG_PAX_REFCOUNT
4447 @@ -77,7 +92,12 @@ __down_write_trylock:
4452 + addcc %g3, %g1, %g7
4454 +#ifdef CONFIG_PAX_REFCOUNT
4461 @@ -90,7 +110,12 @@ __down_write_trylock:
4468 +#ifdef CONFIG_PAX_REFCOUNT
4475 @@ -118,7 +143,12 @@ __up_write:
4476 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4480 + subcc %g3, %g1, %g7
4482 +#ifdef CONFIG_PAX_REFCOUNT
4489 @@ -143,7 +173,12 @@ __downgrade_write:
4490 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
4494 + subcc %g3, %g1, %g7
4496 +#ifdef CONFIG_PAX_REFCOUNT
4503 diff -urNp linux-2.6.35.7/arch/sparc/Makefile linux-2.6.35.7/arch/sparc/Makefile
4504 --- linux-2.6.35.7/arch/sparc/Makefile 2010-08-26 19:47:12.000000000 -0400
4505 +++ linux-2.6.35.7/arch/sparc/Makefile 2010-09-17 20:12:37.000000000 -0400
4506 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4507 # Export what is needed by arch/sparc/boot/Makefile
4508 export VMLINUX_INIT VMLINUX_MAIN
4509 VMLINUX_INIT := $(head-y) $(init-y)
4510 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4511 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4512 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4513 VMLINUX_MAIN += $(drivers-y) $(net-y)
4515 diff -urNp linux-2.6.35.7/arch/sparc/mm/fault_32.c linux-2.6.35.7/arch/sparc/mm/fault_32.c
4516 --- linux-2.6.35.7/arch/sparc/mm/fault_32.c 2010-08-26 19:47:12.000000000 -0400
4517 +++ linux-2.6.35.7/arch/sparc/mm/fault_32.c 2010-09-17 20:12:09.000000000 -0400
4519 #include <linux/interrupt.h>
4520 #include <linux/module.h>
4521 #include <linux/kdebug.h>
4522 +#include <linux/slab.h>
4523 +#include <linux/pagemap.h>
4524 +#include <linux/compiler.h>
4526 #include <asm/system.h>
4527 #include <asm/page.h>
4528 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4529 return safe_compute_effective_address(regs, insn);
4532 +#ifdef CONFIG_PAX_PAGEEXEC
4533 +#ifdef CONFIG_PAX_DLRESOLVE
4534 +static void pax_emuplt_close(struct vm_area_struct *vma)
4536 + vma->vm_mm->call_dl_resolve = 0UL;
4539 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4541 + unsigned int *kaddr;
4543 + vmf->page = alloc_page(GFP_HIGHUSER);
4545 + return VM_FAULT_OOM;
4547 + kaddr = kmap(vmf->page);
4548 + memset(kaddr, 0, PAGE_SIZE);
4549 + kaddr[0] = 0x9DE3BFA8U; /* save */
4550 + flush_dcache_page(vmf->page);
4551 + kunmap(vmf->page);
4552 + return VM_FAULT_MAJOR;
4555 +static const struct vm_operations_struct pax_vm_ops = {
4556 + .close = pax_emuplt_close,
4557 + .fault = pax_emuplt_fault
4560 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4564 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4565 + vma->vm_mm = current->mm;
4566 + vma->vm_start = addr;
4567 + vma->vm_end = addr + PAGE_SIZE;
4568 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4569 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4570 + vma->vm_ops = &pax_vm_ops;
4572 + ret = insert_vm_struct(current->mm, vma);
4576 + ++current->mm->total_vm;
4582 + * PaX: decide what to do with offenders (regs->pc = fault address)
4584 + * returns 1 when task should be killed
4585 + * 2 when patched PLT trampoline was detected
4586 + * 3 when unpatched PLT trampoline was detected
4588 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4591 +#ifdef CONFIG_PAX_EMUPLT
4594 + do { /* PaX: patched PLT emulation #1 */
4595 + unsigned int sethi1, sethi2, jmpl;
4597 + err = get_user(sethi1, (unsigned int *)regs->pc);
4598 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4599 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4604 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4605 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4606 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4608 + unsigned int addr;
4610 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4611 + addr = regs->u_regs[UREG_G1];
4612 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4614 + regs->npc = addr+4;
4619 + { /* PaX: patched PLT emulation #2 */
4622 + err = get_user(ba, (unsigned int *)regs->pc);
4624 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4625 + unsigned int addr;
4627 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4629 + regs->npc = addr+4;
4634 + do { /* PaX: patched PLT emulation #3 */
4635 + unsigned int sethi, jmpl, nop;
4637 + err = get_user(sethi, (unsigned int *)regs->pc);
4638 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4639 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4644 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4645 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4646 + nop == 0x01000000U)
4648 + unsigned int addr;
4650 + addr = (sethi & 0x003FFFFFU) << 10;
4651 + regs->u_regs[UREG_G1] = addr;
4652 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4654 + regs->npc = addr+4;
4659 + do { /* PaX: unpatched PLT emulation step 1 */
4660 + unsigned int sethi, ba, nop;
4662 + err = get_user(sethi, (unsigned int *)regs->pc);
4663 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4664 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4669 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4670 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4671 + nop == 0x01000000U)
4673 + unsigned int addr, save, call;
4675 + if ((ba & 0xFFC00000U) == 0x30800000U)
4676 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4678 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4680 + err = get_user(save, (unsigned int *)addr);
4681 + err |= get_user(call, (unsigned int *)(addr+4));
4682 + err |= get_user(nop, (unsigned int *)(addr+8));
4686 +#ifdef CONFIG_PAX_DLRESOLVE
4687 + if (save == 0x9DE3BFA8U &&
4688 + (call & 0xC0000000U) == 0x40000000U &&
4689 + nop == 0x01000000U)
4691 + struct vm_area_struct *vma;
4692 + unsigned long call_dl_resolve;
4694 + down_read(¤t->mm->mmap_sem);
4695 + call_dl_resolve = current->mm->call_dl_resolve;
4696 + up_read(¤t->mm->mmap_sem);
4697 + if (likely(call_dl_resolve))
4700 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4702 + down_write(¤t->mm->mmap_sem);
4703 + if (current->mm->call_dl_resolve) {
4704 + call_dl_resolve = current->mm->call_dl_resolve;
4705 + up_write(¤t->mm->mmap_sem);
4707 + kmem_cache_free(vm_area_cachep, vma);
4711 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4712 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4713 + up_write(¤t->mm->mmap_sem);
4715 + kmem_cache_free(vm_area_cachep, vma);
4719 + if (pax_insert_vma(vma, call_dl_resolve)) {
4720 + up_write(¤t->mm->mmap_sem);
4721 + kmem_cache_free(vm_area_cachep, vma);
4725 + current->mm->call_dl_resolve = call_dl_resolve;
4726 + up_write(¤t->mm->mmap_sem);
4729 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4730 + regs->pc = call_dl_resolve;
4731 + regs->npc = addr+4;
4736 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4737 + if ((save & 0xFFC00000U) == 0x05000000U &&
4738 + (call & 0xFFFFE000U) == 0x85C0A000U &&
4739 + nop == 0x01000000U)
4741 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4742 + regs->u_regs[UREG_G2] = addr + 4;
4743 + addr = (save & 0x003FFFFFU) << 10;
4744 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4746 + regs->npc = addr+4;
4752 + do { /* PaX: unpatched PLT emulation step 2 */
4753 + unsigned int save, call, nop;
4755 + err = get_user(save, (unsigned int *)(regs->pc-4));
4756 + err |= get_user(call, (unsigned int *)regs->pc);
4757 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
4761 + if (save == 0x9DE3BFA8U &&
4762 + (call & 0xC0000000U) == 0x40000000U &&
4763 + nop == 0x01000000U)
4765 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4767 + regs->u_regs[UREG_RETPC] = regs->pc;
4768 + regs->pc = dl_resolve;
4769 + regs->npc = dl_resolve+4;
4778 +void pax_report_insns(void *pc, void *sp)
4782 + printk(KERN_ERR "PAX: bytes at PC: ");
4783 + for (i = 0; i < 8; i++) {
4785 + if (get_user(c, (unsigned int *)pc+i))
4786 + printk(KERN_CONT "???????? ");
4788 + printk(KERN_CONT "%08x ", c);
4794 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
4797 @@ -282,6 +547,24 @@ good_area:
4798 if(!(vma->vm_flags & VM_WRITE))
4802 +#ifdef CONFIG_PAX_PAGEEXEC
4803 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4804 + up_read(&mm->mmap_sem);
4805 + switch (pax_handle_fetch_fault(regs)) {
4807 +#ifdef CONFIG_PAX_EMUPLT
4814 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4815 + do_group_exit(SIGKILL);
4819 /* Allow reads even for write-only mappings */
4820 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
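Review bot: The `up_read(&mm->mmap_sem)` placed before `pax_handle_fetch_fault(regs)` carries no comment explaining why the lock is dropped right after `vma` was inspected. Judging from the handler body earlier in this file, the reason appears to be that it calls `get_user()` and, under CONFIG_PAX_DLRESOLVE, takes `mmap_sem` itself for read and then for write, so it cannot run with the semaphore held. I would add `/* drop mmap_sem: the handler reads user memory and may take mmap_sem itself; vma must not be touched after this */` above the `up_read`. The same applies to the `@@ -340,6 +794,29 @@` hunk in fault_64.c. Several lines of this hunk (the case labels) are not visible in this view, so the remark rests on the lines shown.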
4822 diff -urNp linux-2.6.35.7/arch/sparc/mm/fault_64.c linux-2.6.35.7/arch/sparc/mm/fault_64.c
4823 --- linux-2.6.35.7/arch/sparc/mm/fault_64.c 2010-08-26 19:47:12.000000000 -0400
4824 +++ linux-2.6.35.7/arch/sparc/mm/fault_64.c 2010-09-17 20:12:09.000000000 -0400
4826 #include <linux/kprobes.h>
4827 #include <linux/kdebug.h>
4828 #include <linux/percpu.h>
4829 +#include <linux/slab.h>
4830 +#include <linux/pagemap.h>
4831 +#include <linux/compiler.h>
4833 #include <asm/page.h>
4834 #include <asm/pgtable.h>
4835 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
4839 +#ifdef CONFIG_PAX_PAGEEXEC
4840 +#ifdef CONFIG_PAX_DLRESOLVE
4841 +static void pax_emuplt_close(struct vm_area_struct *vma)
4843 + vma->vm_mm->call_dl_resolve = 0UL;
4846 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4848 + unsigned int *kaddr;
4850 + vmf->page = alloc_page(GFP_HIGHUSER);
4852 + return VM_FAULT_OOM;
4854 + kaddr = kmap(vmf->page);
4855 + memset(kaddr, 0, PAGE_SIZE);
4856 + kaddr[0] = 0x9DE3BFA8U; /* save */
4857 + flush_dcache_page(vmf->page);
4858 + kunmap(vmf->page);
4859 + return VM_FAULT_MAJOR;
4862 +static const struct vm_operations_struct pax_vm_ops = {
4863 + .close = pax_emuplt_close,
4864 + .fault = pax_emuplt_fault
4867 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4871 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4872 + vma->vm_mm = current->mm;
4873 + vma->vm_start = addr;
4874 + vma->vm_end = addr + PAGE_SIZE;
4875 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4876 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4877 + vma->vm_ops = &pax_vm_ops;
4879 + ret = insert_vm_struct(current->mm, vma);
4883 + ++current->mm->total_vm;
4889 + * PaX: decide what to do with offenders (regs->tpc = fault address)
4891 + * returns 1 when task should be killed
4892 + * 2 when patched PLT trampoline was detected
4893 + * 3 when unpatched PLT trampoline was detected
4895 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4898 +#ifdef CONFIG_PAX_EMUPLT
4901 + do { /* PaX: patched PLT emulation #1 */
4902 + unsigned int sethi1, sethi2, jmpl;
4904 + err = get_user(sethi1, (unsigned int *)regs->tpc);
4905 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4906 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4911 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4912 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4913 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4915 + unsigned long addr;
4917 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4918 + addr = regs->u_regs[UREG_G1];
4919 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4921 + if (test_thread_flag(TIF_32BIT))
4922 + addr &= 0xFFFFFFFFUL;
4925 + regs->tnpc = addr+4;
4930 + { /* PaX: patched PLT emulation #2 */
4933 + err = get_user(ba, (unsigned int *)regs->tpc);
4935 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4936 + unsigned long addr;
4938 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4940 + if (test_thread_flag(TIF_32BIT))
4941 + addr &= 0xFFFFFFFFUL;
4944 + regs->tnpc = addr+4;
4949 + do { /* PaX: patched PLT emulation #3 */
4950 + unsigned int sethi, jmpl, nop;
4952 + err = get_user(sethi, (unsigned int *)regs->tpc);
4953 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4954 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4959 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4960 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4961 + nop == 0x01000000U)
4963 + unsigned long addr;
4965 + addr = (sethi & 0x003FFFFFU) << 10;
4966 + regs->u_regs[UREG_G1] = addr;
4967 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4969 + if (test_thread_flag(TIF_32BIT))
4970 + addr &= 0xFFFFFFFFUL;
4973 + regs->tnpc = addr+4;
4978 + do { /* PaX: patched PLT emulation #4 */
4979 + unsigned int sethi, mov1, call, mov2;
4981 + err = get_user(sethi, (unsigned int *)regs->tpc);
4982 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4983 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
4984 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4989 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4990 + mov1 == 0x8210000FU &&
4991 + (call & 0xC0000000U) == 0x40000000U &&
4992 + mov2 == 0x9E100001U)
4994 + unsigned long addr;
4996 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4997 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4999 + if (test_thread_flag(TIF_32BIT))
5000 + addr &= 0xFFFFFFFFUL;
5003 + regs->tnpc = addr+4;
5008 + do { /* PaX: patched PLT emulation #5 */
5009 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5011 + err = get_user(sethi, (unsigned int *)regs->tpc);
5012 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5013 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5014 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5015 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5016 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5017 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5018 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5023 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5024 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5025 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5026 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5027 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5028 + sllx == 0x83287020U &&
5029 + jmpl == 0x81C04005U &&
5030 + nop == 0x01000000U)
5032 + unsigned long addr;
5034 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5035 + regs->u_regs[UREG_G1] <<= 32;
5036 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5037 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5039 + regs->tnpc = addr+4;
5044 + do { /* PaX: patched PLT emulation #6 */
5045 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5047 + err = get_user(sethi, (unsigned int *)regs->tpc);
5048 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5049 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5050 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5051 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5052 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5053 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5058 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5059 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5060 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5061 + sllx == 0x83287020U &&
5062 + (or & 0xFFFFE000U) == 0x8A116000U &&
5063 + jmpl == 0x81C04005U &&
5064 + nop == 0x01000000U)
5066 + unsigned long addr;
5068 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5069 + regs->u_regs[UREG_G1] <<= 32;
5070 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5071 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5073 + regs->tnpc = addr+4;
5078 + do { /* PaX: unpatched PLT emulation step 1 */
5079 + unsigned int sethi, ba, nop;
5081 + err = get_user(sethi, (unsigned int *)regs->tpc);
5082 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5083 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5088 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5089 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5090 + nop == 0x01000000U)
5092 + unsigned long addr;
5093 + unsigned int save, call;
5094 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5096 + if ((ba & 0xFFC00000U) == 0x30800000U)
5097 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5099 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5101 + if (test_thread_flag(TIF_32BIT))
5102 + addr &= 0xFFFFFFFFUL;
5104 + err = get_user(save, (unsigned int *)addr);
5105 + err |= get_user(call, (unsigned int *)(addr+4));
5106 + err |= get_user(nop, (unsigned int *)(addr+8));
5110 +#ifdef CONFIG_PAX_DLRESOLVE
5111 + if (save == 0x9DE3BFA8U &&
5112 + (call & 0xC0000000U) == 0x40000000U &&
5113 + nop == 0x01000000U)
5115 + struct vm_area_struct *vma;
5116 + unsigned long call_dl_resolve;
5118 + down_read(¤t->mm->mmap_sem);
5119 + call_dl_resolve = current->mm->call_dl_resolve;
5120 + up_read(¤t->mm->mmap_sem);
5121 + if (likely(call_dl_resolve))
5124 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5126 + down_write(¤t->mm->mmap_sem);
5127 + if (current->mm->call_dl_resolve) {
5128 + call_dl_resolve = current->mm->call_dl_resolve;
5129 + up_write(¤t->mm->mmap_sem);
5131 + kmem_cache_free(vm_area_cachep, vma);
5135 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5136 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5137 + up_write(¤t->mm->mmap_sem);
5139 + kmem_cache_free(vm_area_cachep, vma);
5143 + if (pax_insert_vma(vma, call_dl_resolve)) {
5144 + up_write(¤t->mm->mmap_sem);
5145 + kmem_cache_free(vm_area_cachep, vma);
5149 + current->mm->call_dl_resolve = call_dl_resolve;
5150 + up_write(¤t->mm->mmap_sem);
5153 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5154 + regs->tpc = call_dl_resolve;
5155 + regs->tnpc = addr+4;
5160 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5161 + if ((save & 0xFFC00000U) == 0x05000000U &&
5162 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5163 + nop == 0x01000000U)
5165 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5166 + regs->u_regs[UREG_G2] = addr + 4;
5167 + addr = (save & 0x003FFFFFU) << 10;
5168 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5170 + if (test_thread_flag(TIF_32BIT))
5171 + addr &= 0xFFFFFFFFUL;
5174 + regs->tnpc = addr+4;
5178 + /* PaX: 64-bit PLT stub */
5179 + err = get_user(sethi1, (unsigned int *)addr);
5180 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5181 + err |= get_user(or1, (unsigned int *)(addr+8));
5182 + err |= get_user(or2, (unsigned int *)(addr+12));
5183 + err |= get_user(sllx, (unsigned int *)(addr+16));
5184 + err |= get_user(add, (unsigned int *)(addr+20));
5185 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5186 + err |= get_user(nop, (unsigned int *)(addr+28));
5190 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5191 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5192 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5193 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5194 + sllx == 0x89293020U &&
5195 + add == 0x8A010005U &&
5196 + jmpl == 0x89C14000U &&
5197 + nop == 0x01000000U)
5199 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5200 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5201 + regs->u_regs[UREG_G4] <<= 32;
5202 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5203 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5204 + regs->u_regs[UREG_G4] = addr + 24;
5205 + addr = regs->u_regs[UREG_G5];
5207 + regs->tnpc = addr+4;
5213 +#ifdef CONFIG_PAX_DLRESOLVE
5214 + do { /* PaX: unpatched PLT emulation step 2 */
5215 + unsigned int save, call, nop;
5217 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5218 + err |= get_user(call, (unsigned int *)regs->tpc);
5219 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5223 + if (save == 0x9DE3BFA8U &&
5224 + (call & 0xC0000000U) == 0x40000000U &&
5225 + nop == 0x01000000U)
5227 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5229 + if (test_thread_flag(TIF_32BIT))
5230 + dl_resolve &= 0xFFFFFFFFUL;
5232 + regs->u_regs[UREG_RETPC] = regs->tpc;
5233 + regs->tpc = dl_resolve;
5234 + regs->tnpc = dl_resolve+4;
5240 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5241 + unsigned int sethi, ba, nop;
5243 + err = get_user(sethi, (unsigned int *)regs->tpc);
5244 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5245 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5250 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5251 + (ba & 0xFFF00000U) == 0x30600000U &&
5252 + nop == 0x01000000U)
5254 + unsigned long addr;
5256 + addr = (sethi & 0x003FFFFFU) << 10;
5257 + regs->u_regs[UREG_G1] = addr;
5258 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5260 + if (test_thread_flag(TIF_32BIT))
5261 + addr &= 0xFFFFFFFFUL;
5264 + regs->tnpc = addr+4;
5274 +void pax_report_insns(void *pc, void *sp)
5278 + printk(KERN_ERR "PAX: bytes at PC: ");
5279 + for (i = 0; i < 8; i++) {
5281 + if (get_user(c, (unsigned int *)pc+i))
5282 + printk(KERN_CONT "???????? ");
5284 + printk(KERN_CONT "%08x ", c);
5290 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5292 struct mm_struct *mm = current->mm;
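Review bot: The comment above `pax_handle_fetch_fault()` lists only the return codes and does not say that every word the function decodes is user-controlled data. The words are read with `get_user()` from `regs->tpc`, which by the caller's check in the later hunk lies in a mapping without VM_EXEC, and `regs->tnpc` and the `UREG_G1`/`G2`/`G4`/`G5` slots are then filled from immediates in those words. In the lines shown the derived target is masked for TIF_32BIT tasks in most blocks but is not otherwise checked. I would extend the header comment with something like `* NOTE: the decoded words are user data; targets derived from them are not validated here` and name the place where that validation is expected to happen. Blocks #5, #6 and the 64-bit PLT stub omit the TIF_32BIT mask, presumably because those sequences are 64-bit only, which also deserves a one-line comment.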
5293 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5297 +#ifdef CONFIG_PAX_PAGEEXEC
5298 + /* PaX: detect ITLB misses on non-exec pages */
5299 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5300 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5302 + if (address != regs->tpc)
5305 + up_read(&mm->mmap_sem);
5306 + switch (pax_handle_fetch_fault(regs)) {
5308 +#ifdef CONFIG_PAX_EMUPLT
5315 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5316 + do_group_exit(SIGKILL);
5320 /* Pure DTLB misses do not tell us whether the fault causing
5321 * load/store/atomic was a write or not, it only says that there
5322 * was no match. So in such a case we (carefully) read the
5323 diff -urNp linux-2.6.35.7/arch/sparc/mm/hugetlbpage.c linux-2.6.35.7/arch/sparc/mm/hugetlbpage.c
5324 --- linux-2.6.35.7/arch/sparc/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
5325 +++ linux-2.6.35.7/arch/sparc/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
5326 @@ -68,7 +68,7 @@ full_search:
5330 - if (likely(!vma || addr + len <= vma->vm_start)) {
5331 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5333 * Remember the place where we stopped the search:
5335 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5336 /* make sure it can fit in the remaining address space */
5337 if (likely(addr > len)) {
5338 vma = find_vma(mm, addr-len);
5339 - if (!vma || addr <= vma->vm_start) {
5340 + if (check_heap_stack_gap(vma, addr - len, len)) {
5341 /* remember the address as a hint for next time */
5342 return (mm->free_area_cache = addr-len);
5344 @@ -125,7 +125,7 @@ hugetlb_get_unmapped_area_topdown(struct
5345 * return with success:
5347 vma = find_vma(mm, addr);
5348 - if (likely(!vma || addr+len <= vma->vm_start)) {
5349 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5350 /* remember the address as a hint for next time */
5351 return (mm->free_area_cache = addr);
5353 @@ -182,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *f
5355 addr = ALIGN(addr, HPAGE_SIZE);
5356 vma = find_vma(mm, addr);
5357 - if (task_size - len >= addr &&
5358 - (!vma || addr + len <= vma->vm_start))
5359 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5362 if (mm->get_unmapped_area == arch_get_unmapped_area)
5363 diff -urNp linux-2.6.35.7/arch/sparc/mm/init_32.c linux-2.6.35.7/arch/sparc/mm/init_32.c
5364 --- linux-2.6.35.7/arch/sparc/mm/init_32.c 2010-08-26 19:47:12.000000000 -0400
5365 +++ linux-2.6.35.7/arch/sparc/mm/init_32.c 2010-09-17 20:12:09.000000000 -0400
5366 @@ -318,6 +318,9 @@ extern void device_scan(void);
5367 pgprot_t PAGE_SHARED __read_mostly;
5368 EXPORT_SYMBOL(PAGE_SHARED);
5370 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5371 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5373 void __init paging_init(void)
5375 switch(sparc_cpu_model) {
5376 @@ -346,17 +349,17 @@ void __init paging_init(void)
5378 /* Initialize the protection map with non-constant, MMU dependent values. */
5379 protection_map[0] = PAGE_NONE;
5380 - protection_map[1] = PAGE_READONLY;
5381 - protection_map[2] = PAGE_COPY;
5382 - protection_map[3] = PAGE_COPY;
5383 + protection_map[1] = PAGE_READONLY_NOEXEC;
5384 + protection_map[2] = PAGE_COPY_NOEXEC;
5385 + protection_map[3] = PAGE_COPY_NOEXEC;
5386 protection_map[4] = PAGE_READONLY;
5387 protection_map[5] = PAGE_READONLY;
5388 protection_map[6] = PAGE_COPY;
5389 protection_map[7] = PAGE_COPY;
5390 protection_map[8] = PAGE_NONE;
5391 - protection_map[9] = PAGE_READONLY;
5392 - protection_map[10] = PAGE_SHARED;
5393 - protection_map[11] = PAGE_SHARED;
5394 + protection_map[9] = PAGE_READONLY_NOEXEC;
5395 + protection_map[10] = PAGE_SHARED_NOEXEC;
5396 + protection_map[11] = PAGE_SHARED_NOEXEC;
5397 protection_map[12] = PAGE_READONLY;
5398 protection_map[13] = PAGE_READONLY;
5399 protection_map[14] = PAGE_SHARED;
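Review bot: The six `protection_map[]` entries (1–3 and 9–11) switch to the `_NOEXEC` variants unconditionally, while the srmmu.c hunk of this patch assigns `PAGE_SHARED_NOEXEC` and the `page_copy_noexec`/`page_readonly_noexec` fixups only under `#ifdef CONFIG_PAX_PAGEEXEC`. The header that declares these names is not visible here, so I cannot tell whether they fall back to the executable variants when the option is off. If they do not, those entries would be built from values that were never set on such a configuration. Either guard the new assignments with the same `#ifdef`, or add a comment here pointing at the fallback definitions. paging_init() continues outside the hunk.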
5400 diff -urNp linux-2.6.35.7/arch/sparc/mm/Makefile linux-2.6.35.7/arch/sparc/mm/Makefile
5401 --- linux-2.6.35.7/arch/sparc/mm/Makefile 2010-08-26 19:47:12.000000000 -0400
5402 +++ linux-2.6.35.7/arch/sparc/mm/Makefile 2010-09-17 20:12:09.000000000 -0400
5407 -ccflags-y := -Werror
5408 +#ccflags-y := -Werror
5410 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5411 obj-y += fault_$(BITS).o
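Review bot: `-Werror` is switched off by commenting the line out, with no note on which warnings in the new fault-handling code made that necessary. For code that decodes user-supplied instruction words and casts integers to user pointers, compiler warnings are an inexpensive check worth keeping, so I would rather fix or annotate the offending sites and leave `ccflags-y := -Werror` in place. If the flag really has to go, delete the line and explain why in the patch description rather than leaving a commented-out setting behind.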
5412 diff -urNp linux-2.6.35.7/arch/sparc/mm/srmmu.c linux-2.6.35.7/arch/sparc/mm/srmmu.c
5413 --- linux-2.6.35.7/arch/sparc/mm/srmmu.c 2010-08-26 19:47:12.000000000 -0400
5414 +++ linux-2.6.35.7/arch/sparc/mm/srmmu.c 2010-09-17 20:12:09.000000000 -0400
5415 @@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
5416 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5417 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5418 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5420 +#ifdef CONFIG_PAX_PAGEEXEC
5421 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5422 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5423 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5426 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5427 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5429 diff -urNp linux-2.6.35.7/arch/um/include/asm/kmap_types.h linux-2.6.35.7/arch/um/include/asm/kmap_types.h
5430 --- linux-2.6.35.7/arch/um/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
5431 +++ linux-2.6.35.7/arch/um/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
5432 @@ -23,6 +23,7 @@ enum km_type {
5440 diff -urNp linux-2.6.35.7/arch/um/include/asm/page.h linux-2.6.35.7/arch/um/include/asm/page.h
5441 --- linux-2.6.35.7/arch/um/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
5442 +++ linux-2.6.35.7/arch/um/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
5444 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5445 #define PAGE_MASK (~(PAGE_SIZE-1))
5447 +#define ktla_ktva(addr) (addr)
5448 +#define ktva_ktla(addr) (addr)
5450 #ifndef __ASSEMBLY__
5453 diff -urNp linux-2.6.35.7/arch/um/sys-i386/syscalls.c linux-2.6.35.7/arch/um/sys-i386/syscalls.c
5454 --- linux-2.6.35.7/arch/um/sys-i386/syscalls.c 2010-08-26 19:47:12.000000000 -0400
5455 +++ linux-2.6.35.7/arch/um/sys-i386/syscalls.c 2010-09-17 20:12:09.000000000 -0400
5457 #include "asm/uaccess.h"
5458 #include "asm/unistd.h"
5460 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5462 + unsigned long pax_task_size = TASK_SIZE;
5464 +#ifdef CONFIG_PAX_SEGMEXEC
5465 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5466 + pax_task_size = SEGMEXEC_TASK_SIZE;
5469 + if (len > pax_task_size || addr > pax_task_size - len)
5476 * The prototype on i386 is:
5478 diff -urNp linux-2.6.35.7/arch/x86/boot/bitops.h linux-2.6.35.7/arch/x86/boot/bitops.h
5479 --- linux-2.6.35.7/arch/x86/boot/bitops.h 2010-08-26 19:47:12.000000000 -0400
5480 +++ linux-2.6.35.7/arch/x86/boot/bitops.h 2010-09-17 20:12:09.000000000 -0400
5481 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5483 const u32 *p = (const u32 *)addr;
5485 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5486 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5490 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5492 static inline void set_bit(int nr, void *addr)
5494 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5495 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5498 #endif /* BOOT_BITOPS_H */
5499 diff -urNp linux-2.6.35.7/arch/x86/boot/boot.h linux-2.6.35.7/arch/x86/boot/boot.h
5500 --- linux-2.6.35.7/arch/x86/boot/boot.h 2010-08-26 19:47:12.000000000 -0400
5501 +++ linux-2.6.35.7/arch/x86/boot/boot.h 2010-09-17 20:12:09.000000000 -0400
5502 @@ -82,7 +82,7 @@ static inline void io_delay(void)
5503 static inline u16 ds(void)
5506 - asm("movw %%ds,%0" : "=rm" (seg));
5507 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5511 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
5512 static inline int memcmp(const void *s1, const void *s2, size_t len)
5515 - asm("repe; cmpsb; setnz %0"
5516 + asm volatile("repe; cmpsb; setnz %0"
5517 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5520 diff -urNp linux-2.6.35.7/arch/x86/boot/compressed/head_32.S linux-2.6.35.7/arch/x86/boot/compressed/head_32.S
5521 --- linux-2.6.35.7/arch/x86/boot/compressed/head_32.S 2010-08-26 19:47:12.000000000 -0400
5522 +++ linux-2.6.35.7/arch/x86/boot/compressed/head_32.S 2010-09-17 20:12:09.000000000 -0400
5523 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5527 - movl $LOAD_PHYSICAL_ADDR, %ebx
5528 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5531 /* Target address to relocate to for decompression */
5532 @@ -149,7 +149,7 @@ relocated:
5533 * and where it was actually loaded.
5536 - subl $LOAD_PHYSICAL_ADDR, %ebx
5537 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5538 jz 2f /* Nothing to be done if loaded at compiled addr. */
5540 * Process relocations.
5541 @@ -157,8 +157,7 @@ relocated:
5548 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5551 diff -urNp linux-2.6.35.7/arch/x86/boot/compressed/head_64.S linux-2.6.35.7/arch/x86/boot/compressed/head_64.S
5552 --- linux-2.6.35.7/arch/x86/boot/compressed/head_64.S 2010-08-26 19:47:12.000000000 -0400
5553 +++ linux-2.6.35.7/arch/x86/boot/compressed/head_64.S 2010-09-17 20:12:09.000000000 -0400
5554 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5558 - movl $LOAD_PHYSICAL_ADDR, %ebx
5559 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5562 /* Target address to relocate to for decompression */
5563 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5567 - movq $LOAD_PHYSICAL_ADDR, %rbp
5568 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5571 /* Target address to relocate to for decompression */
5572 diff -urNp linux-2.6.35.7/arch/x86/boot/compressed/misc.c linux-2.6.35.7/arch/x86/boot/compressed/misc.c
5573 --- linux-2.6.35.7/arch/x86/boot/compressed/misc.c 2010-08-26 19:47:12.000000000 -0400
5574 +++ linux-2.6.35.7/arch/x86/boot/compressed/misc.c 2010-09-17 20:12:09.000000000 -0400
5575 @@ -285,7 +285,7 @@ static void parse_elf(void *output)
5577 #ifdef CONFIG_RELOCATABLE
5579 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5580 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5582 dest = (void *)(phdr->p_paddr);
5584 @@ -332,7 +332,7 @@ asmlinkage void decompress_kernel(void *
5585 error("Destination address too large");
5587 #ifndef CONFIG_RELOCATABLE
5588 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5589 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5590 error("Wrong destination address");
5593 diff -urNp linux-2.6.35.7/arch/x86/boot/compressed/mkpiggy.c linux-2.6.35.7/arch/x86/boot/compressed/mkpiggy.c
5594 --- linux-2.6.35.7/arch/x86/boot/compressed/mkpiggy.c 2010-08-26 19:47:12.000000000 -0400
5595 +++ linux-2.6.35.7/arch/x86/boot/compressed/mkpiggy.c 2010-09-17 20:12:09.000000000 -0400
5596 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5598 offs = (olen > ilen) ? olen - ilen : 0;
5599 offs += olen >> 12; /* Add 8 bytes for each 32K block */
5600 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
5601 + offs += 64*1024; /* Add 64K bytes slack */
5602 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5604 printf(".section \".rodata..compressed\",\"a\",@progbits\n");
5605 diff -urNp linux-2.6.35.7/arch/x86/boot/compressed/relocs.c linux-2.6.35.7/arch/x86/boot/compressed/relocs.c
5606 --- linux-2.6.35.7/arch/x86/boot/compressed/relocs.c 2010-08-26 19:47:12.000000000 -0400
5607 +++ linux-2.6.35.7/arch/x86/boot/compressed/relocs.c 2010-09-17 20:12:09.000000000 -0400
5610 static void die(char *fmt, ...);
5612 +#include "../../../../include/generated/autoconf.h"
5614 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5615 static Elf32_Ehdr ehdr;
5616 +static Elf32_Phdr *phdr;
5617 static unsigned long reloc_count, reloc_idx;
5618 static unsigned long *relocs;
5620 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5624 +static void read_phdrs(FILE *fp)
5628 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5630 + die("Unable to allocate %d program headers\n",
5633 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5634 + die("Seek to %d failed: %s\n",
5635 + ehdr.e_phoff, strerror(errno));
5637 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5638 + die("Cannot read ELF program headers: %s\n",
5641 + for(i = 0; i < ehdr.e_phnum; i++) {
5642 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5643 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5644 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5645 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5646 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5647 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5648 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5649 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5654 static void read_shdrs(FILE *fp)
5660 secs = calloc(ehdr.e_shnum, sizeof(struct section));
5661 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5663 static void read_strtabs(FILE *fp)
5667 for (i = 0; i < ehdr.e_shnum; i++) {
5668 struct section *sec = &secs[i];
5669 if (sec->shdr.sh_type != SHT_STRTAB) {
5670 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5672 static void read_symtabs(FILE *fp)
5676 for (i = 0; i < ehdr.e_shnum; i++) {
5677 struct section *sec = &secs[i];
5678 if (sec->shdr.sh_type != SHT_SYMTAB) {
5679 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5681 static void read_relocs(FILE *fp)
5687 for (i = 0; i < ehdr.e_shnum; i++) {
5688 struct section *sec = &secs[i];
5689 if (sec->shdr.sh_type != SHT_REL) {
5690 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5691 die("Cannot read symbol table: %s\n",
5695 + for (j = 0; j < ehdr.e_phnum; j++) {
5696 + if (phdr[j].p_type != PT_LOAD )
5698 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5700 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5703 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5704 Elf32_Rel *rel = &sec->reltab[j];
5705 - rel->r_offset = elf32_to_cpu(rel->r_offset);
5706 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5707 rel->r_info = elf32_to_cpu(rel->r_info);
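Review bot: Nothing in the lines shown handles a relocation section whose target lies in no PT_LOAD segment: the new loop over `phdr[]` sets `base` only on a match, and every `r_offset` is then adjusted by whatever `base` held before. The range test also adds `phdr[j].p_offset + phdr[j].p_filesz` in 32 bits, which can wrap for a malformed header, and `secs[sec->shdr.sh_info]` is indexed without comparing `sh_info` to `ehdr.e_shnum`. The initialisation of `base` is not visible in this view; if falling through is intended for sections that are not loaded, a comment such as `/* sections outside every PT_LOAD keep the default base */` would make that explicit. read_relocs() starts and ends outside the hunk.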
5710 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5712 static void print_absolute_symbols(void)
5716 printf("Absolute symbols\n");
5717 printf(" Num: Value Size Type Bind Visibility Name\n");
5718 for (i = 0; i < ehdr.e_shnum; i++) {
5719 struct section *sec = &secs[i];
5721 Elf32_Sym *sh_symtab;
5725 if (sec->shdr.sh_type != SHT_SYMTAB) {
5727 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5729 static void print_absolute_relocs(void)
5731 - int i, printed = 0;
5732 + unsigned int i, printed = 0;
5734 for (i = 0; i < ehdr.e_shnum; i++) {
5735 struct section *sec = &secs[i];
5736 struct section *sec_applies, *sec_symtab;
5738 Elf32_Sym *sh_symtab;
5741 if (sec->shdr.sh_type != SHT_REL) {
5744 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5746 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5750 /* Walk through the relocations */
5751 for (i = 0; i < ehdr.e_shnum; i++) {
5753 Elf32_Sym *sh_symtab;
5754 struct section *sec_applies, *sec_symtab;
5757 struct section *sec = &secs[i];
5759 if (sec->shdr.sh_type != SHT_REL) {
5760 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5761 !is_rel_reloc(sym_name(sym_strtab, sym))) {
5764 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5765 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5768 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5769 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5770 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5772 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5774 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5776 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
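Review bot: The skip rules added to walk_relocs call `sec_name(sym->st_shndx)` up to five times for the same symbol, and `sym_name(sym_strtab, sym)` three times. Hoisting both into locals, e.g. `const char *secname = sec_name(sym->st_shndx);`, would make the rules easier to read and extend. The statements guarded by these `if`s are not visible in this view, and walk_relocs itself begins before the hunk, so I cannot confirm that every rule ends the same way.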
5783 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5785 static void emit_relocs(int as_text)
5789 /* Count how many relocations I have and allocate space for them. */
5791 walk_relocs(count_reloc);
5792 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
5793 fname, strerror(errno));
5800 diff -urNp linux-2.6.35.7/arch/x86/boot/cpucheck.c linux-2.6.35.7/arch/x86/boot/cpucheck.c
5801 --- linux-2.6.35.7/arch/x86/boot/cpucheck.c 2010-08-26 19:47:12.000000000 -0400
5802 +++ linux-2.6.35.7/arch/x86/boot/cpucheck.c 2010-09-17 20:12:09.000000000 -0400
5803 @@ -74,7 +74,7 @@ static int has_fpu(void)
5804 u16 fcw = -1, fsw = -1;
5807 - asm("movl %%cr0,%0" : "=r" (cr0));
5808 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
5809 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5810 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5811 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5812 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5817 + asm volatile("pushfl ; "
5821 @@ -115,7 +115,7 @@ static void get_flags(void)
5822 set_bit(X86_FEATURE_FPU, cpu.flags);
5824 if (has_eflag(X86_EFLAGS_ID)) {
5826 + asm volatile("cpuid"
5827 : "=a" (max_intel_level),
5828 "=b" (cpu_vendor[0]),
5829 "=d" (cpu_vendor[1]),
5830 @@ -124,7 +124,7 @@ static void get_flags(void)
5832 if (max_intel_level >= 0x00000001 &&
5833 max_intel_level <= 0x0000ffff) {
5835 + asm volatile("cpuid"
5837 "=c" (cpu.flags[4]),
5839 @@ -136,7 +136,7 @@ static void get_flags(void)
5840 cpu.model += ((tfms >> 16) & 0xf) << 4;
5844 + asm volatile("cpuid"
5845 : "=a" (max_amd_level)
5847 : "ebx", "ecx", "edx");
5848 @@ -144,7 +144,7 @@ static void get_flags(void)
5849 if (max_amd_level >= 0x80000001 &&
5850 max_amd_level <= 0x8000ffff) {
5851 u32 eax = 0x80000001;
5853 + asm volatile("cpuid"
5855 "=c" (cpu.flags[6]),
5857 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5858 u32 ecx = MSR_K7_HWCR;
5861 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5862 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5864 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5865 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5867 get_flags(); /* Make sure it really did something */
5868 err = check_flags();
5869 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5870 u32 ecx = MSR_VIA_FCR;
5873 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5874 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5875 eax |= (1<<1)|(1<<7);
5876 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5877 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5879 set_bit(X86_FEATURE_CX8, cpu.flags);
5880 err = check_flags();
5881 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5885 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5886 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5888 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5889 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5890 + asm volatile("cpuid"
5891 : "+a" (level), "=d" (cpu.flags[0])
5893 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5894 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5896 err = check_flags();
5898 diff -urNp linux-2.6.35.7/arch/x86/boot/header.S linux-2.6.35.7/arch/x86/boot/header.S
5899 --- linux-2.6.35.7/arch/x86/boot/header.S 2010-08-26 19:47:12.000000000 -0400
5900 +++ linux-2.6.35.7/arch/x86/boot/header.S 2010-09-17 20:12:09.000000000 -0400
5901 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
5902 # single linked list of
5905 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
5906 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
5908 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5909 #define VO_INIT_SIZE (VO__end - VO__text)
5910 diff -urNp linux-2.6.35.7/arch/x86/boot/memory.c linux-2.6.35.7/arch/x86/boot/memory.c
5911 --- linux-2.6.35.7/arch/x86/boot/memory.c 2010-08-26 19:47:12.000000000 -0400
5912 +++ linux-2.6.35.7/arch/x86/boot/memory.c 2010-09-17 20:12:09.000000000 -0400
5915 static int detect_memory_e820(void)
5918 + unsigned int count = 0;
5919 struct biosregs ireg, oreg;
5920 struct e820entry *desc = boot_params.e820_map;
5921 static struct e820entry buf; /* static so it is zeroed */
5922 diff -urNp linux-2.6.35.7/arch/x86/boot/video.c linux-2.6.35.7/arch/x86/boot/video.c
5923 --- linux-2.6.35.7/arch/x86/boot/video.c 2010-08-26 19:47:12.000000000 -0400
5924 +++ linux-2.6.35.7/arch/x86/boot/video.c 2010-09-17 20:12:09.000000000 -0400
5925 @@ -96,7 +96,7 @@ static void store_mode_params(void)
5926 static unsigned int get_entry(void)
5930 + unsigned int i, len = 0;
5934 diff -urNp linux-2.6.35.7/arch/x86/boot/video-vesa.c linux-2.6.35.7/arch/x86/boot/video-vesa.c
5935 --- linux-2.6.35.7/arch/x86/boot/video-vesa.c 2010-08-26 19:47:12.000000000 -0400
5936 +++ linux-2.6.35.7/arch/x86/boot/video-vesa.c 2010-09-17 20:12:09.000000000 -0400
5937 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
5939 boot_params.screen_info.vesapm_seg = oreg.es;
5940 boot_params.screen_info.vesapm_off = oreg.di;
5941 + boot_params.screen_info.vesapm_size = oreg.cx;
5945 diff -urNp linux-2.6.35.7/arch/x86/ia32/ia32_aout.c linux-2.6.35.7/arch/x86/ia32/ia32_aout.c
5946 --- linux-2.6.35.7/arch/x86/ia32/ia32_aout.c 2010-08-26 19:47:12.000000000 -0400
5947 +++ linux-2.6.35.7/arch/x86/ia32/ia32_aout.c 2010-09-23 20:32:33.000000000 -0400
5948 @@ -168,6 +168,8 @@ static int aout_core_dump(long signr, st
5949 unsigned long dump_start, dump_size;
5952 + memset(&dump, 0, sizeof(dump));
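Review bot: The added `memset(&dump, 0, sizeof(dump));` in aout_core_dump has no comment, so a later cleanup could drop it as a redundant initialisation. I would put `/* clear padding and unset fields before dump is written to the core file */` above it. That the structure is written out whole is inferred from the surrounding DUMP_WRITE calls; the write of `dump` itself lies outside this hunk.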
5957 @@ -217,12 +219,6 @@ static int aout_core_dump(long signr, st
5958 dump_size = dump.u_ssize << PAGE_SHIFT;
5959 DUMP_WRITE(dump_start, dump_size);
5962 - * Finally dump the task struct. Not be used by gdb, but
5965 - set_fs(KERNEL_DS);
5966 - DUMP_WRITE(current, sizeof(*current));
5970 diff -urNp linux-2.6.35.7/arch/x86/ia32/ia32entry.S linux-2.6.35.7/arch/x86/ia32/ia32entry.S
5971 --- linux-2.6.35.7/arch/x86/ia32/ia32entry.S 2010-09-20 17:33:09.000000000 -0400
5972 +++ linux-2.6.35.7/arch/x86/ia32/ia32entry.S 2010-09-17 20:12:37.000000000 -0400
5974 #include <asm/thread_info.h>
5975 #include <asm/segment.h>
5976 #include <asm/irqflags.h>
5977 +#include <asm/pgtable.h>
5978 #include <linux/linkage.h>
5980 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
5981 @@ -120,6 +121,11 @@ ENTRY(ia32_sysenter_target)
5983 movq PER_CPU_VAR(kernel_stack), %rsp
5984 addq $(KERNEL_STACK_OFFSET),%rsp
5986 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5987 + call pax_enter_kernel_user
5991 * No need to follow this irqs on/off section: the syscall
5992 * disabled irqs, here we enable it straight after entry:
5993 @@ -150,6 +156,12 @@ ENTRY(ia32_sysenter_target)
5995 /* no need to do an access_ok check here because rbp has been
5996 32bit zero extended */
5998 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5999 + mov $PAX_USER_SHADOW_BASE,%r10
6004 .section __ex_table,"a"
6005 .quad 1b,ia32_badarg
6006 @@ -172,6 +184,11 @@ sysenter_dispatch:
6007 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6009 sysexit_from_sys_call:
6011 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6012 + call pax_exit_kernel_user
6015 andl $~TS_COMPAT,TI_status(%r10)
6016 /* clear IF, that popfq doesn't enable interrupts early */
6017 andl $~0x200,EFLAGS-R11(%rsp)
6018 @@ -290,6 +307,11 @@ ENTRY(ia32_cstar_target)
6021 movq PER_CPU_VAR(kernel_stack),%rsp
6023 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6024 + call pax_enter_kernel_user
6028 * No need to follow this irqs on/off section: the syscall
6029 * disabled irqs and here we enable it straight after entry:
6030 @@ -311,6 +333,12 @@ ENTRY(ia32_cstar_target)
6031 /* no need to do an access_ok check here because r8 has been
6032 32bit zero extended */
6033 /* hardware stack frame is complete now */
6035 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6036 + mov $PAX_USER_SHADOW_BASE,%r10
6041 .section __ex_table,"a"
6042 .quad 1b,ia32_badarg
6043 @@ -333,6 +361,11 @@ cstar_dispatch:
6044 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6046 sysretl_from_sys_call:
6048 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6049 + call pax_exit_kernel_user
6052 andl $~TS_COMPAT,TI_status(%r10)
6053 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6054 movl RIP-ARGOFFSET(%rsp),%ecx
6055 @@ -415,6 +448,11 @@ ENTRY(ia32_syscall)
6056 CFI_REL_OFFSET rip,RIP-RIP
6057 PARAVIRT_ADJUST_EXCEPTION_FRAME
6060 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6061 + call pax_enter_kernel_user
6065 * No need to follow this irqs on/off section: the syscall
6066 * disabled irqs and here we enable it straight after entry:
6067 diff -urNp linux-2.6.35.7/arch/x86/ia32/ia32_signal.c linux-2.6.35.7/arch/x86/ia32/ia32_signal.c
6068 --- linux-2.6.35.7/arch/x86/ia32/ia32_signal.c 2010-08-26 19:47:12.000000000 -0400
6069 +++ linux-2.6.35.7/arch/x86/ia32/ia32_signal.c 2010-10-11 22:41:44.000000000 -0400
6070 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6072 /* Align the stack pointer according to the i386 ABI,
6073 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6074 - sp = ((sp + 4) & -16ul) - 4;
6075 + sp = ((sp - 12) & -16ul) - 4;
6076 return (void __user *) sp;
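Review bot: The new expression `sp = ((sp - 12) & -16ul) - 4;` in get_sigframe keeps the invariant stated in the comment above it, but it always yields a value exactly 16 bytes below what the old expression gave. The result is therefore strictly below the incoming sp, where before it could be equal to it. Nothing in the comment says that this extra gap is intended, so I would extend it with a line such as `* The result is always at least 16 bytes below the incoming sp.` The function starts and ends outside this hunk.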
6079 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6081 __NR_ia32_rt_sigreturn,
6087 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6088 @@ -534,8 +534,11 @@ int ia32_setup_rt_frame(int sig, struct
6089 if (ka->sa.sa_flags & SA_RESTORER)
6090 restorer = ka->sa.sa_restorer;
6092 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6094 + /* Return stub is in 32bit vsyscall page */
6095 + if (current->mm->context.vdso)
6096 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6098 + restorer = &frame->retcode;
6099 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
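Review bot: The fallback `restorer = &frame->retcode;` in ia32_setup_rt_frame makes the handler return through the stub stored in the signal frame on the user stack. That only works where the stack page may be executed or the stub is emulated. The hunk does not say when `current->mm->context.vdso` is expected to be zero, so a comment such as `/* no vdso mapped: fall back to the on-stack sigreturn stub */` on that branch would help. It would also help to state whether the non-rt frame setup needs the same fallback. The branch keyword before the fallback line is not visible in this view, and the function continues outside the hunk.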
6102 diff -urNp linux-2.6.35.7/arch/x86/include/asm/alternative.h linux-2.6.35.7/arch/x86/include/asm/alternative.h
6103 --- linux-2.6.35.7/arch/x86/include/asm/alternative.h 2010-08-26 19:47:12.000000000 -0400
6104 +++ linux-2.6.35.7/arch/x86/include/asm/alternative.h 2010-09-17 20:12:09.000000000 -0400
6105 @@ -91,7 +91,7 @@ static inline int alternatives_text_rese
6106 " .byte 664f-663f\n" /* replacementlen */ \
6107 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6109 - ".section .altinstr_replacement, \"ax\"\n" \
6110 + ".section .altinstr_replacement, \"a\"\n" \
6111 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
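Review bot: The section flags for `.altinstr_replacement` change from `\"ax\"` to `\"a\"` with no explanation. Dropping the executable flag is safe only if the replacement bytes are always copied over the original site and never run from this section; the alternatives mechanism normally works that way, but this hunk does not show it. A comment next to the directive, for example `/* replacements are only copied, never executed in place */`, would record that assumption. The identical change in arch/x86/include/asm/cpufeature.h needs the same comment.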
6114 diff -urNp linux-2.6.35.7/arch/x86/include/asm/apm.h linux-2.6.35.7/arch/x86/include/asm/apm.h
6115 --- linux-2.6.35.7/arch/x86/include/asm/apm.h 2010-08-26 19:47:12.000000000 -0400
6116 +++ linux-2.6.35.7/arch/x86/include/asm/apm.h 2010-09-17 20:12:09.000000000 -0400
6117 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6118 __asm__ __volatile__(APM_DO_ZERO_SEGS
6121 - "lcall *%%cs:apm_bios_entry\n\t"
6122 + "lcall *%%ss:apm_bios_entry\n\t"
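Review bot: Nothing explains why the far-call operand in `lcall *%%ss:apm_bios_entry` is now fetched through `%%ss` instead of `%%cs`. Presumably the kernel code segment no longer maps `apm_bios_entry` at its data address once this patch rebases it, but that is an inference from the rest of the patch. A short comment above the asm, such as `/* read the far pointer through a data segment, not %cs */`, would keep a later reader from reverting it. The same applies to the identical change in apm_bios_call_simple_asm in the next hunk.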
6126 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6127 __asm__ __volatile__(APM_DO_ZERO_SEGS
6130 - "lcall *%%cs:apm_bios_entry\n\t"
6131 + "lcall *%%ss:apm_bios_entry\n\t"
6135 diff -urNp linux-2.6.35.7/arch/x86/include/asm/asm.h linux-2.6.35.7/arch/x86/include/asm/asm.h
6136 --- linux-2.6.35.7/arch/x86/include/asm/asm.h 2010-08-26 19:47:12.000000000 -0400
6137 +++ linux-2.6.35.7/arch/x86/include/asm/asm.h 2010-09-17 20:12:09.000000000 -0400
6139 #define _ASM_SI __ASM_REG(si)
6140 #define _ASM_DI __ASM_REG(di)
6142 +#ifdef CONFIG_X86_32
6143 +#define _ASM_INTO "into"
6145 +#define _ASM_INTO "int $4"
6148 /* Exception table entry */
6150 # define _ASM_EXTABLE(from,to) \
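Review bot: The two definitions of `_ASM_INTO` are not equivalent, and the macro has no comment saying so. `into` raises the overflow exception only when OF is set, while `int $4` raises it unconditionally, so on 64-bit every user must branch around the macro when no overflow occurred. I would add `/* "into" traps only if OF is set; "int $4" always traps, so callers must jump over it when OF is clear */` above the `#ifdef`. The guarding branch at the call sites in atomic.h is not visible in this view, so this is a documentation request rather than a reported defect.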
6151 diff -urNp linux-2.6.35.7/arch/x86/include/asm/atomic64_32.h linux-2.6.35.7/arch/x86/include/asm/atomic64_32.h
6152 --- linux-2.6.35.7/arch/x86/include/asm/atomic64_32.h 2010-08-26 19:47:12.000000000 -0400
6153 +++ linux-2.6.35.7/arch/x86/include/asm/atomic64_32.h 2010-09-17 20:12:09.000000000 -0400
6154 @@ -12,6 +12,14 @@ typedef struct {
6155 u64 __aligned(8) counter;
6158 +#ifdef CONFIG_PAX_REFCOUNT
6160 + u64 __aligned(8) counter;
6161 +} atomic64_unchecked_t;
6163 +typedef atomic64_t atomic64_unchecked_t;
6166 #define ATOMIC64_INIT(val) { (val) }
6168 #ifdef CONFIG_X86_CMPXCHG64
6169 diff -urNp linux-2.6.35.7/arch/x86/include/asm/atomic64_64.h linux-2.6.35.7/arch/x86/include/asm/atomic64_64.h
6170 --- linux-2.6.35.7/arch/x86/include/asm/atomic64_64.h 2010-08-26 19:47:12.000000000 -0400
6171 +++ linux-2.6.35.7/arch/x86/include/asm/atomic64_64.h 2010-09-26 22:02:10.000000000 -0400
6172 @@ -22,6 +22,18 @@ static inline long atomic64_read(const a
6176 + * atomic64_read_unchecked - read atomic64 variable
6177 + * @v: pointer of type atomic64_unchecked_t
6179 + * Atomically reads the value of @v.
6180 + * Doesn't imply a read memory barrier.
6182 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6184 + return v->counter;
6188 * atomic64_set - set atomic64 variable
6189 * @v: pointer to type atomic64_t
6190 * @i: required value
6191 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6195 + * atomic64_set_unchecked - set atomic64 variable
6196 + * @v: pointer to type atomic64_unchecked_t
6197 + * @i: required value
6199 + * Atomically sets the value of @v to @i.
6201 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6207 * atomic64_add - add integer to atomic64 variable
6208 * @i: integer value to add
6209 * @v: pointer to type atomic64_t
6210 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6212 static inline void atomic64_add(long i, atomic64_t *v)
6214 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6216 +#ifdef CONFIG_PAX_REFCOUNT
6218 + LOCK_PREFIX "subq %1,%0\n"
6220 + _ASM_EXTABLE(0b, 0b)
6223 + : "=m" (v->counter)
6224 + : "er" (i), "m" (v->counter));
6228 + * atomic64_add_unchecked - add integer to atomic64 variable
6229 + * @i: integer value to add
6230 + * @v: pointer to type atomic64_unchecked_t
6232 + * Atomically adds @i to @v.
6234 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6236 asm volatile(LOCK_PREFIX "addq %1,%0"
6238 : "er" (i), "m" (v->counter));
6239 @@ -56,7 +102,15 @@ static inline void atomic64_add(long i,
6241 static inline void atomic64_sub(long i, atomic64_t *v)
6243 - asm volatile(LOCK_PREFIX "subq %1,%0"
6244 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6246 +#ifdef CONFIG_PAX_REFCOUNT
6248 + LOCK_PREFIX "addq %1,%0\n"
6250 + _ASM_EXTABLE(0b, 0b)
6254 : "er" (i), "m" (v->counter));
6256 @@ -74,7 +128,16 @@ static inline int atomic64_sub_and_test(
6260 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6261 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6263 +#ifdef CONFIG_PAX_REFCOUNT
6265 + LOCK_PREFIX "addq %2,%0\n"
6267 + _ASM_EXTABLE(0b, 0b)
6271 : "=m" (v->counter), "=qm" (c)
6272 : "er" (i), "m" (v->counter) : "memory");
6274 @@ -88,6 +151,27 @@ static inline int atomic64_sub_and_test(
6276 static inline void atomic64_inc(atomic64_t *v)
6278 + asm volatile(LOCK_PREFIX "incq %0\n"
6280 +#ifdef CONFIG_PAX_REFCOUNT
6282 + LOCK_PREFIX "decq %0\n"
6284 + _ASM_EXTABLE(0b, 0b)
6287 + : "=m" (v->counter)
6288 + : "m" (v->counter));
6292 + * atomic64_inc_unchecked - increment atomic64 variable
6293 + * @v: pointer to type atomic64_unchecked_t
6295 + * Atomically increments @v by 1.
6297 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6299 asm volatile(LOCK_PREFIX "incq %0"
6301 : "m" (v->counter));
6302 @@ -101,7 +185,28 @@ static inline void atomic64_inc(atomic64
6304 static inline void atomic64_dec(atomic64_t *v)
6306 - asm volatile(LOCK_PREFIX "decq %0"
6307 + asm volatile(LOCK_PREFIX "decq %0\n"
6309 +#ifdef CONFIG_PAX_REFCOUNT
6311 + LOCK_PREFIX "incq %0\n"
6313 + _ASM_EXTABLE(0b, 0b)
6316 + : "=m" (v->counter)
6317 + : "m" (v->counter));
6321 + * atomic64_dec_unchecked - decrement atomic64 variable
6322 + * @v: pointer to type atomic64_t
6324 + * Atomically decrements @v by 1.
6326 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6328 + asm volatile(LOCK_PREFIX "decq %0\n"
6330 : "m" (v->counter));
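Review bot: The kernel-doc added for `atomic64_dec_unchecked` says `@v: pointer to type atomic64_t`, but the parameter is `atomic64_unchecked_t *`. It should read `@v: pointer to type atomic64_unchecked_t`. The same copy-paste slip is in arch/x86/include/asm/atomic.h, where `atomic_sub_unchecked` and `atomic_dec_unchecked` document `@v` as `pointer of type atomic_t`. None of the `_unchecked` comments says how they differ from the checked functions. One sentence stating that they omit the CONFIG_PAX_REFCOUNT overflow handling, and so must not be used for reference counts, would make the split harder to misuse.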
6332 @@ -118,7 +223,16 @@ static inline int atomic64_dec_and_test(
6336 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6337 + asm volatile(LOCK_PREFIX "decq %0\n"
6339 +#ifdef CONFIG_PAX_REFCOUNT
6341 + LOCK_PREFIX "incq %0\n"
6343 + _ASM_EXTABLE(0b, 0b)
6347 : "=m" (v->counter), "=qm" (c)
6348 : "m" (v->counter) : "memory");
6350 @@ -136,7 +250,16 @@ static inline int atomic64_inc_and_test(
6354 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6355 + asm volatile(LOCK_PREFIX "incq %0\n"
6357 +#ifdef CONFIG_PAX_REFCOUNT
6359 + LOCK_PREFIX "decq %0\n"
6361 + _ASM_EXTABLE(0b, 0b)
6365 : "=m" (v->counter), "=qm" (c)
6366 : "m" (v->counter) : "memory");
6368 @@ -155,7 +278,16 @@ static inline int atomic64_add_negative(
6372 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6373 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6375 +#ifdef CONFIG_PAX_REFCOUNT
6377 + LOCK_PREFIX "subq %2,%0\n"
6379 + _ASM_EXTABLE(0b, 0b)
6383 : "=m" (v->counter), "=qm" (c)
6384 : "er" (i), "m" (v->counter) : "memory");
6386 @@ -171,7 +303,31 @@ static inline int atomic64_add_negative(
6387 static inline long atomic64_add_return(long i, atomic64_t *v)
6390 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6391 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6393 +#ifdef CONFIG_PAX_REFCOUNT
6397 + _ASM_EXTABLE(0b, 0b)
6400 + : "+r" (i), "+m" (v->counter)
6406 + * atomic64_add_return_unchecked - add and return
6407 + * @i: integer value to add
6408 + * @v: pointer to type atomic64_unchecked_t
6410 + * Atomically adds @i to @v and returns @i + @v
6412 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6415 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6416 : "+r" (i), "+m" (v->counter)
6419 @@ -183,6 +339,10 @@ static inline long atomic64_sub_return(l
6422 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6423 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6425 + return atomic64_add_return_unchecked(1, v);
6427 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6429 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6430 @@ -206,17 +366,30 @@ static inline long atomic64_xchg(atomic6
6432 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6436 c = atomic64_read(v);
6438 - if (unlikely(c == (u)))
6439 + if (unlikely(c == u))
6441 - old = atomic64_cmpxchg((v), c, c + (a));
6443 + asm volatile("add %2,%0\n"
6445 +#ifdef CONFIG_PAX_REFCOUNT
6449 + _ASM_EXTABLE(0b, 0b)
6453 + : "0" (c), "ir" (a));
6455 + old = atomic64_cmpxchg(v, c, new);
6456 if (likely(old == c))
6464 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
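Review bot: In the add that this hunk introduces into atomic64_add_unless, the input constraint `"ir" (a)` is too loose for a 64-bit `long`. `i` admits any integer constant, but `add` can encode only a sign-extended 32-bit immediate, so a large constant `a` that reaches the asm after inlining would not assemble. The other 64-bit operations in this file use `"er"`, as in `: "er" (i), "m" (v->counter)` in atomic64_add, and I would write `: "0" (c), "er" (a));` here. The mnemonic is also a bare `add` where the rest of the file spells `addq`; the register operand fixes the size, so that part is only a consistency point. Only part of the function body is visible in this hunk.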
6465 diff -urNp linux-2.6.35.7/arch/x86/include/asm/atomic.h linux-2.6.35.7/arch/x86/include/asm/atomic.h
6466 --- linux-2.6.35.7/arch/x86/include/asm/atomic.h 2010-08-26 19:47:12.000000000 -0400
6467 +++ linux-2.6.35.7/arch/x86/include/asm/atomic.h 2010-09-26 22:02:10.000000000 -0400
6468 @@ -26,6 +26,17 @@ static inline int atomic_read(const atom
6472 + * atomic_read_unchecked - read atomic variable
6473 + * @v: pointer of type atomic_unchecked_t
6475 + * Atomically reads the value of @v.
6477 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6479 + return v->counter;
6483 * atomic_set - set atomic variable
6484 * @v: pointer of type atomic_t
6485 * @i: required value
6486 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6490 + * atomic_set_unchecked - set atomic variable
6491 + * @v: pointer of type atomic_unchecked_t
6492 + * @i: required value
6494 + * Atomically sets the value of @v to @i.
6496 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6502 * atomic_add - add integer to atomic variable
6503 * @i: integer value to add
6504 * @v: pointer of type atomic_t
6505 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6507 static inline void atomic_add(int i, atomic_t *v)
6509 - asm volatile(LOCK_PREFIX "addl %1,%0"
6510 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6512 +#ifdef CONFIG_PAX_REFCOUNT
6514 + LOCK_PREFIX "subl %1,%0\n"
6515 + _ASM_INTO "\n0:\n"
6516 + _ASM_EXTABLE(0b, 0b)
6519 + : "+m" (v->counter)
6524 + * atomic_add_unchecked - add integer to atomic variable
6525 + * @i: integer value to add
6526 + * @v: pointer of type atomic_unchecked_t
6528 + * Atomically adds @i to @v.
6530 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6532 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6536 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6538 static inline void atomic_sub(int i, atomic_t *v)
6540 - asm volatile(LOCK_PREFIX "subl %1,%0"
6541 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6543 +#ifdef CONFIG_PAX_REFCOUNT
6545 + LOCK_PREFIX "addl %1,%0\n"
6546 + _ASM_INTO "\n0:\n"
6547 + _ASM_EXTABLE(0b, 0b)
6550 + : "+m" (v->counter)
6555 + * atomic_sub_unchecked - subtract integer from atomic variable
6556 + * @i: integer value to subtract
6557 + * @v: pointer of type atomic_t
6559 + * Atomically subtracts @i from @v.
6561 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6563 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6567 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6571 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6572 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6574 +#ifdef CONFIG_PAX_REFCOUNT
6576 + LOCK_PREFIX "addl %2,%0\n"
6577 + _ASM_INTO "\n0:\n"
6578 + _ASM_EXTABLE(0b, 0b)
6582 : "+m" (v->counter), "=qm" (c)
6583 : "ir" (i) : "memory");
6585 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6587 static inline void atomic_inc(atomic_t *v)
6589 - asm volatile(LOCK_PREFIX "incl %0"
6590 + asm volatile(LOCK_PREFIX "incl %0\n"
6592 +#ifdef CONFIG_PAX_REFCOUNT
6594 + LOCK_PREFIX "decl %0\n"
6595 + _ASM_INTO "\n0:\n"
6596 + _ASM_EXTABLE(0b, 0b)
6599 + : "+m" (v->counter));
6603 + * atomic_inc_unchecked - increment atomic variable
6604 + * @v: pointer of type atomic_unchecked_t
6606 + * Atomically increments @v by 1.
6608 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6610 + asm volatile(LOCK_PREFIX "incl %0\n"
6611 : "+m" (v->counter));
6614 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6616 static inline void atomic_dec(atomic_t *v)
6618 - asm volatile(LOCK_PREFIX "decl %0"
6619 + asm volatile(LOCK_PREFIX "decl %0\n"
6621 +#ifdef CONFIG_PAX_REFCOUNT
6623 + LOCK_PREFIX "incl %0\n"
6624 + _ASM_INTO "\n0:\n"
6625 + _ASM_EXTABLE(0b, 0b)
6628 + : "+m" (v->counter));
6632 + * atomic_dec_unchecked - decrement atomic variable
6633 + * @v: pointer of type atomic_t
6635 + * Atomically decrements @v by 1.
6637 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6639 + asm volatile(LOCK_PREFIX "decl %0\n"
6640 : "+m" (v->counter));
6643 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6647 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
6648 + asm volatile(LOCK_PREFIX "decl %0\n"
6650 +#ifdef CONFIG_PAX_REFCOUNT
6652 + LOCK_PREFIX "incl %0\n"
6653 + _ASM_INTO "\n0:\n"
6654 + _ASM_EXTABLE(0b, 0b)
6658 : "+m" (v->counter), "=qm" (c)
6661 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
6665 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
6666 + asm volatile(LOCK_PREFIX "incl %0\n"
6668 +#ifdef CONFIG_PAX_REFCOUNT
6670 + LOCK_PREFIX "decl %0\n"
6671 + _ASM_INTO "\n0:\n"
6672 + _ASM_EXTABLE(0b, 0b)
6676 : "+m" (v->counter), "=qm" (c)
6679 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
6683 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6684 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
6686 +#ifdef CONFIG_PAX_REFCOUNT
6688 + LOCK_PREFIX "subl %2,%0\n"
6689 + _ASM_INTO "\n0:\n"
6690 + _ASM_EXTABLE(0b, 0b)
6694 : "+m" (v->counter), "=qm" (c)
6695 : "ir" (i) : "memory");
6697 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
6699 /* Modern 486+ processor */
6701 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6703 +#ifdef CONFIG_PAX_REFCOUNT
6706 + _ASM_INTO "\n0:\n"
6707 + _ASM_EXTABLE(0b, 0b)
6710 + : "+r" (i), "+m" (v->counter)
6715 +no_xadd: /* Legacy 386 processor */
6716 + local_irq_save(flags);
6717 + __i = atomic_read(v);
6718 + atomic_set(v, i + __i);
6719 + local_irq_restore(flags);
6725 + * atomic_add_return_unchecked - add integer and return
6726 + * @v: pointer of type atomic_unchecked_t
6727 + * @i: integer value to add
6729 + * Atomically adds @i to @v and returns @i + @v
6731 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6735 + unsigned long flags;
6736 + if (unlikely(boot_cpu_data.x86 <= 3))
6739 + /* Modern 486+ processor */
6741 asm volatile(LOCK_PREFIX "xaddl %0, %1"
6742 : "+r" (i), "+m" (v->counter)
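Review bot: The `no_xadd` legacy-386 path that this hunk places in the checked `atomic_add_return` stores the sum with `atomic_set(v, i + __i);`. In the lines visible here it has no overflow test, so the CONFIG_PAX_REFCOUNT check that the xadd path gets would not apply on that path. If that is accepted, say so at the label, e.g. `/* Legacy 386 processor: no overflow detection on this path */`, or make the option unavailable for kernels built for such CPUs. Parts of the hunk are missing from this view, so a check may exist on a line I cannot see.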
6744 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
6747 #define atomic_inc_return(v) (atomic_add_return(1, v))
6748 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6750 + return atomic_add_return_unchecked(1, v);
6752 #define atomic_dec_return(v) (atomic_sub_return(1, v))
6754 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6755 @@ -231,17 +418,30 @@ static inline int atomic_xchg(atomic_t *
6757 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6763 - if (unlikely(c == (u)))
6764 + if (unlikely(c == u))
6766 - old = atomic_cmpxchg((v), c, c + (a));
6768 + asm volatile("addl %2,%0\n"
6770 +#ifdef CONFIG_PAX_REFCOUNT
6773 + _ASM_INTO "\n0:\n"
6774 + _ASM_EXTABLE(0b, 0b)
6778 + : "0" (c), "ir" (a));
6780 + old = atomic_cmpxchg(v, c, new);
6781 if (likely(old == c))
6789 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6790 diff -urNp linux-2.6.35.7/arch/x86/include/asm/boot.h linux-2.6.35.7/arch/x86/include/asm/boot.h
6791 --- linux-2.6.35.7/arch/x86/include/asm/boot.h 2010-08-26 19:47:12.000000000 -0400
6792 +++ linux-2.6.35.7/arch/x86/include/asm/boot.h 2010-09-17 20:12:09.000000000 -0400
6794 #include <asm/pgtable_types.h>
6796 /* Physical address where kernel should be loaded. */
6797 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6798 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6799 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6800 & ~(CONFIG_PHYSICAL_ALIGN - 1))
6802 +#ifndef __ASSEMBLY__
6803 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
6804 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
6807 /* Minimum kernel alignment, as a power of two */
6808 #ifdef CONFIG_X86_64
6809 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
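Review bot: After this hunk there are three spellings, and nothing at the definitions tells them apart: `____LOAD_PHYSICAL_ADDR` is the configured constant, `__LOAD_PHYSICAL_ADDR` is an external symbol, and `LOAD_PHYSICAL_ADDR` is that symbol's address. `LOAD_PHYSICAL_ADDR` also stops being an integer constant expression in C. As far as the visible lines show it is defined only under `#ifndef __ASSEMBLY__`, so any `#if`, static initializer or assembly use of the old name has to move to `____LOAD_PHYSICAL_ADDR`, as header.S does in this patch. I would add a comment above the `extern` such as `/* address of a linker-provided symbol: not a compile-time constant, C only */`. I would also note on the renamed macro that it is the build-time value.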
6810 diff -urNp linux-2.6.35.7/arch/x86/include/asm/cacheflush.h linux-2.6.35.7/arch/x86/include/asm/cacheflush.h
6811 --- linux-2.6.35.7/arch/x86/include/asm/cacheflush.h 2010-08-26 19:47:12.000000000 -0400
6812 +++ linux-2.6.35.7/arch/x86/include/asm/cacheflush.h 2010-09-17 20:12:09.000000000 -0400
6813 @@ -66,7 +66,7 @@ static inline unsigned long get_page_mem
6814 unsigned long pg_flags = pg->flags & _PGMT_MASK;
6816 if (pg_flags == _PGMT_DEFAULT)
6819 else if (pg_flags == _PGMT_WC)
6820 return _PAGE_CACHE_WC;
6821 else if (pg_flags == _PGMT_UC_MINUS)
6822 diff -urNp linux-2.6.35.7/arch/x86/include/asm/cache.h linux-2.6.35.7/arch/x86/include/asm/cache.h
6823 --- linux-2.6.35.7/arch/x86/include/asm/cache.h 2010-08-26 19:47:12.000000000 -0400
6824 +++ linux-2.6.35.7/arch/x86/include/asm/cache.h 2010-09-17 20:12:09.000000000 -0400
6826 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6828 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
6829 +#define __read_only __attribute__((__section__(".data..read_only")))
6831 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
6832 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
6833 diff -urNp linux-2.6.35.7/arch/x86/include/asm/checksum_32.h linux-2.6.35.7/arch/x86/include/asm/checksum_32.h
6834 --- linux-2.6.35.7/arch/x86/include/asm/checksum_32.h 2010-08-26 19:47:12.000000000 -0400
6835 +++ linux-2.6.35.7/arch/x86/include/asm/checksum_32.h 2010-09-17 20:12:09.000000000 -0400
6836 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
6837 int len, __wsum sum,
6838 int *src_err_ptr, int *dst_err_ptr);
6840 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
6841 + int len, __wsum sum,
6842 + int *src_err_ptr, int *dst_err_ptr);
6844 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
6845 + int len, __wsum sum,
6846 + int *src_err_ptr, int *dst_err_ptr);
6849 * Note: when you get a NULL pointer exception here this means someone
6850 * passed in an incorrect kernel address to one of these functions.
6851 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
6855 - return csum_partial_copy_generic((__force void *)src, dst,
6856 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
6857 len, sum, err_ptr, NULL);
6860 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
6863 if (access_ok(VERIFY_WRITE, dst, len))
6864 - return csum_partial_copy_generic(src, (__force void *)dst,
6865 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
6866 len, sum, NULL, err_ptr);
6869 diff -urNp linux-2.6.35.7/arch/x86/include/asm/cpufeature.h linux-2.6.35.7/arch/x86/include/asm/cpufeature.h
6870 --- linux-2.6.35.7/arch/x86/include/asm/cpufeature.h 2010-08-26 19:47:12.000000000 -0400
6871 +++ linux-2.6.35.7/arch/x86/include/asm/cpufeature.h 2010-09-17 20:12:09.000000000 -0400
6872 @@ -323,7 +323,7 @@ static __always_inline __pure bool __sta
6873 " .byte 4f - 3f\n" /* replacement len */
6874 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* padding */
6876 - ".section .altinstr_replacement,\"ax\"\n"
6877 + ".section .altinstr_replacement,\"a\"\n"
6881 diff -urNp linux-2.6.35.7/arch/x86/include/asm/desc.h linux-2.6.35.7/arch/x86/include/asm/desc.h
6882 --- linux-2.6.35.7/arch/x86/include/asm/desc.h 2010-08-26 19:47:12.000000000 -0400
6883 +++ linux-2.6.35.7/arch/x86/include/asm/desc.h 2010-09-17 20:12:09.000000000 -0400
6885 #include <asm/desc_defs.h>
6886 #include <asm/ldt.h>
6887 #include <asm/mmu.h>
6888 +#include <asm/pgtable.h>
6889 #include <linux/smp.h>
6891 static inline void fill_ldt(struct desc_struct *desc,
6892 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
6893 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
6894 desc->type = (info->read_exec_only ^ 1) << 1;
6895 desc->type |= info->contents << 2;
6896 + desc->type |= info->seg_not_present ^ 1;
6899 desc->p = info->seg_not_present ^ 1;
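Review bot: The added `desc->type |= info->seg_not_present ^ 1;` in fill_ldt sets bit 0 of the type field, the accessed bit, for every present descriptor, and there is no comment saying why. Presumably it keeps the CPU from having to write that bit back into a descriptor table that this patch write-protects (the `pax_open_kernel()` brackets added later in this file point that way), but that is an inference. A comment such as `/* mark present segments as already accessed */` plus the reason would make the line reviewable. fill_ldt begins before this hunk and continues after it.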
6900 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
6903 extern struct desc_ptr idt_descr;
6904 -extern gate_desc idt_table[];
6907 - struct desc_struct gdt[GDT_ENTRIES];
6908 -} __attribute__((aligned(PAGE_SIZE)));
6909 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
6910 +extern gate_desc idt_table[256];
6912 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
6913 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
6915 - return per_cpu(gdt_page, cpu).gdt;
6916 + return cpu_gdt_table[cpu];
6919 #ifdef CONFIG_X86_64
6920 @@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
6921 static inline void native_write_idt_entry(gate_desc *idt, int entry,
6922 const gate_desc *gate)
6924 + pax_open_kernel();
6925 memcpy(&idt[entry], gate, sizeof(*gate));
6926 + pax_close_kernel();
6929 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
6932 + pax_open_kernel();
6933 memcpy(&ldt[entry], desc, 8);
6934 + pax_close_kernel();
6937 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
6938 const void *desc, int type)
6944 size = sizeof(tss_desc);
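Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pairs added around the descriptor writes here are undocumented. The same pairs appear in the following hunks for native_write_gdt_entry, native_load_tr_desc and native_load_tls. Their names suggest they make write-protected kernel data writable for a short window. If so, each bracket should enclose only the store, with no early return or call that could leave the window open, which holds in the lines visible here. For native_load_tr_desc the reason is less obvious, because `ltr` makes the CPU itself set the busy bit in the TSS descriptor; that deserves a comment like `/* ltr writes the busy bit into the GDT entry */`. The helpers are defined outside this view, so their exact semantics are not confirmed.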
6945 @@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
6946 size = sizeof(struct desc_struct);
6950 + pax_open_kernel();
6951 memcpy(&gdt[entry], desc, size);
6952 + pax_close_kernel();
6955 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
6956 @@ -211,7 +217,9 @@ static inline void native_set_ldt(const
6958 static inline void native_load_tr_desc(void)
6960 + pax_open_kernel();
6961 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
6962 + pax_close_kernel();
6965 static inline void native_load_gdt(const struct desc_ptr *dtr)
6966 @@ -246,8 +254,10 @@ static inline void native_load_tls(struc
6968 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
6970 + pax_open_kernel();
6971 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
6972 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
6973 + pax_close_kernel();
6976 #define _LDT_empty(info) \
6977 @@ -309,7 +319,7 @@ static inline void set_desc_limit(struct
6978 desc->limit = (limit >> 16) & 0xf;
6981 -static inline void _set_gate(int gate, unsigned type, void *addr,
6982 +static inline void _set_gate(int gate, unsigned type, const void *addr,
6983 unsigned dpl, unsigned ist, unsigned seg)
6986 @@ -327,7 +337,7 @@ static inline void _set_gate(int gate, u
6987 * Pentium F0 0F bugfix can have resulted in the mapped
6988 * IDT being write-protected.
6990 -static inline void set_intr_gate(unsigned int n, void *addr)
6991 +static inline void set_intr_gate(unsigned int n, const void *addr)
6993 BUG_ON((unsigned)n > 0xFF);
6994 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
6995 @@ -356,19 +366,19 @@ static inline void alloc_intr_gate(unsig
6997 * This routine sets up an interrupt gate at directory privilege level 3.
6999 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7000 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7002 BUG_ON((unsigned)n > 0xFF);
7003 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7006 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7007 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7009 BUG_ON((unsigned)n > 0xFF);
7010 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7013 -static inline void set_trap_gate(unsigned int n, void *addr)
7014 +static inline void set_trap_gate(unsigned int n, const void *addr)
7016 BUG_ON((unsigned)n > 0xFF);
7017 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7018 @@ -377,19 +387,31 @@ static inline void set_trap_gate(unsigne
7019 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7021 BUG_ON((unsigned)n > 0xFF);
7022 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7023 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7026 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7027 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7029 BUG_ON((unsigned)n > 0xFF);
7030 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7033 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7034 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7036 BUG_ON((unsigned)n > 0xFF);
7037 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7040 +#ifdef CONFIG_X86_32
7041 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7043 + struct desc_struct d;
7045 + if (likely(limit))
7046 + limit = (limit - 1UL) >> PAGE_SHIFT;
7047 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7048 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7052 #endif /* _ASM_X86_DESC_H */
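Review bot: set_user_cs() passes the bare literals `0xFB` and `0xC` to pack_descriptor() and leaves `limit == 0` untouched, none of which is explained. In the x86 descriptor format `0xFB` reads as present, DPL 3, readable code segment with the accessed bit set, and `0xC` as 4 KiB granularity plus 32-bit default size, so a comment such as `/* 0xFB: P, DPL3, code r/x, accessed; 0xC: G=1, D=1 */` would save the next reader a trip to the manual. With granularity set, a limit field of 0 still describes a segment covering the first page rather than an empty one, so the `likely(limit)` branch should say what a zero `user_cs_limit` is meant to express. `cpu` is declared `int` here while get_cpu_gdt_table() takes `unsigned int`; declaring it `unsigned int cpu` would avoid the implicit conversion.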
7053 diff -urNp linux-2.6.35.7/arch/x86/include/asm/device.h linux-2.6.35.7/arch/x86/include/asm/device.h
7054 --- linux-2.6.35.7/arch/x86/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
7055 +++ linux-2.6.35.7/arch/x86/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
7056 @@ -6,7 +6,7 @@ struct dev_archdata {
7059 #ifdef CONFIG_X86_64
7060 -struct dma_map_ops *dma_ops;
7061 + const struct dma_map_ops *dma_ops;
7063 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7064 void *iommu; /* hook for IOMMU specific extension */
7065 diff -urNp linux-2.6.35.7/arch/x86/include/asm/dma-mapping.h linux-2.6.35.7/arch/x86/include/asm/dma-mapping.h
7066 --- linux-2.6.35.7/arch/x86/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
7067 +++ linux-2.6.35.7/arch/x86/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
7068 @@ -26,9 +26,9 @@ extern int iommu_merge;
7069 extern struct device x86_dma_fallback_dev;
7070 extern int panic_on_overflow;
7072 -extern struct dma_map_ops *dma_ops;
7073 +extern const struct dma_map_ops *dma_ops;
7075 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7076 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7078 #ifdef CONFIG_X86_32
7080 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7081 /* Make sure we keep the same behaviour */
7082 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7084 - struct dma_map_ops *ops = get_dma_ops(dev);
7085 + const struct dma_map_ops *ops = get_dma_ops(dev);
7086 if (ops->mapping_error)
7087 return ops->mapping_error(dev, dma_addr);
7089 @@ -123,7 +123,7 @@ static inline void *
7090 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7093 - struct dma_map_ops *ops = get_dma_ops(dev);
7094 + const struct dma_map_ops *ops = get_dma_ops(dev);
7097 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7098 @@ -150,7 +150,7 @@ dma_alloc_coherent(struct device *dev, s
7099 static inline void dma_free_coherent(struct device *dev, size_t size,
7100 void *vaddr, dma_addr_t bus)
7102 - struct dma_map_ops *ops = get_dma_ops(dev);
7103 + const struct dma_map_ops *ops = get_dma_ops(dev);
7105 WARN_ON(irqs_disabled()); /* for portability */
7107 diff -urNp linux-2.6.35.7/arch/x86/include/asm/e820.h linux-2.6.35.7/arch/x86/include/asm/e820.h
7108 --- linux-2.6.35.7/arch/x86/include/asm/e820.h 2010-08-26 19:47:12.000000000 -0400
7109 +++ linux-2.6.35.7/arch/x86/include/asm/e820.h 2010-09-17 20:12:09.000000000 -0400
7110 @@ -69,7 +69,7 @@ struct e820map {
7111 #define ISA_START_ADDRESS 0xa0000
7112 #define ISA_END_ADDRESS 0x100000
7114 -#define BIOS_BEGIN 0x000a0000
7115 +#define BIOS_BEGIN 0x000c0000
7116 #define BIOS_END 0x00100000
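Review bot: `BIOS_BEGIN` moves from `0x000a0000` to `0x000c0000` with no comment, while `ISA_START_ADDRESS` just above stays at `0xa0000`, so the two ranges no longer start at the same address. Every user of `BIOS_BEGIN` now treats 0xa0000-0xbffff differently; presumably the aim is to keep the legacy video window out of the BIOS range, but that is an inference from the values alone. I would record the reason next to the define, e.g. `/* starts above the legacy VGA window at 0xa0000-0xbffff */`, and confirm that the users of BIOS_BEGIN outside this file expect the new start.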
7119 diff -urNp linux-2.6.35.7/arch/x86/include/asm/elf.h linux-2.6.35.7/arch/x86/include/asm/elf.h
7120 --- linux-2.6.35.7/arch/x86/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
7121 +++ linux-2.6.35.7/arch/x86/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
7122 @@ -237,7 +237,25 @@ extern int force_personality32;
7123 the loader. We need to make sure that it is out of the way of the program
7124 that it will "exec", and that there is sufficient room for the brk. */
7126 +#ifdef CONFIG_PAX_SEGMEXEC
7127 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7129 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7132 +#ifdef CONFIG_PAX_ASLR
7133 +#ifdef CONFIG_X86_32
7134 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7136 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7137 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7139 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7141 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7142 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7146 /* This yields a mask that user programs can use to figure out what
7147 instruction set this CPU supports. This could be done in user space,
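Review bot: The new `ELF_ET_DYN_BASE` and `PAX_DELTA_*_LEN` definitions dereference `current->mm->pax_flags` inside object-like macros, so each use silently depends on the caller running in a task that has an mm; that precondition should be stated in a comment above the `#ifdef CONFIG_PAX_SEGMEXEC` block. The `*_LEN` values (15, 16, `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3`) look like counts of randomised bits, but neither the unit nor the reason for the `- 3` is given; a line such as `/* number of random bits applied to the mmap/stack base, in page units */` would help, to be confirmed against the code that consumes them. The 32-bit variants also leave the `&` test unparenthesised inside `?:`; it parses as intended, but `((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? 15 : 16)` would match the ELF_ET_DYN_BASE line above.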
7148 @@ -291,8 +309,7 @@ do { \
7149 #define ARCH_DLINFO \
7152 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7153 - (unsigned long)current->mm->context.vdso); \
7154 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7157 #define AT_SYSINFO 32
7158 @@ -303,7 +320,7 @@ do { \
7160 #endif /* !CONFIG_X86_32 */
7162 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7163 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7165 #define VDSO_ENTRY \
7166 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7167 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7168 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7169 #define compat_arch_setup_additional_pages syscall32_setup_pages
7171 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7172 -#define arch_randomize_brk arch_randomize_brk
7174 #endif /* _ASM_X86_ELF_H */
7175 diff -urNp linux-2.6.35.7/arch/x86/include/asm/futex.h linux-2.6.35.7/arch/x86/include/asm/futex.h
7176 --- linux-2.6.35.7/arch/x86/include/asm/futex.h 2010-08-26 19:47:12.000000000 -0400
7177 +++ linux-2.6.35.7/arch/x86/include/asm/futex.h 2010-09-17 20:12:09.000000000 -0400
7179 #include <asm/processor.h>
7180 #include <asm/system.h>
7182 +#ifdef CONFIG_X86_32
7183 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7185 + "movw\t%w6, %%ds\n" \
7186 + "1:\t" insn "\n" \
7187 + "2:\tpushl\t%%ss\n" \
7188 + "\tpopl\t%%ds\n" \
7189 + "\t.section .fixup,\"ax\"\n" \
7190 + "3:\tmov\t%3, %1\n" \
7193 + _ASM_EXTABLE(1b, 3b) \
7194 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7195 + : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
7197 +#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7198 + asm volatile("movw\t%w7, %%es\n" \
7199 + "1:\tmovl\t%%es:%2, %0\n" \
7200 + "\tmovl\t%0, %3\n" \
7202 + "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
7204 + "3:\tpushl\t%%ss\n" \
7205 + "\tpopl\t%%es\n" \
7206 + "\t.section .fixup,\"ax\"\n" \
7207 + "4:\tmov\t%5, %1\n" \
7210 + _ASM_EXTABLE(1b, 4b) \
7211 + _ASM_EXTABLE(2b, 4b) \
7212 + : "=&a" (oldval), "=&r" (ret), \
7213 + "+m" (*uaddr), "=&r" (tem) \
7214 + : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
7216 +#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7217 + typecheck(u32 *, uaddr); \
7218 asm volatile("1:\t" insn "\n" \
7219 "2:\t.section .fixup,\"ax\"\n" \
7220 "3:\tmov\t%3, %1\n" \
7223 _ASM_EXTABLE(1b, 3b) \
7224 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7225 + : "=r" (oldval), "=r" (ret), \
7226 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))\
7227 : "i" (-EFAULT), "0" (oparg), "1" (0))
7229 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7230 + typecheck(u32 *, uaddr); \
7231 asm volatile("1:\tmovl %2, %0\n" \
7232 "\tmovl\t%0, %3\n" \
7235 _ASM_EXTABLE(1b, 4b) \
7236 _ASM_EXTABLE(2b, 4b) \
7237 : "=&a" (oldval), "=&r" (ret), \
7238 - "+m" (*uaddr), "=&r" (tem) \
7239 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4)),\
7241 : "r" (oparg), "i" (-EFAULT), "1" (0))
7244 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7245 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7247 int op = (encoded_op >> 28) & 7;
7248 int cmp = (encoded_op >> 24) & 15;
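Review bot: In the non-32-bit branch `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements, `typecheck(u32 *, uaddr);` followed by `asm volatile(...)`, so as the body of an unbraced `if` or `else` only the typecheck would be conditional. Wrapping each expansion as `do { typecheck(u32 *, uaddr); asm volatile(...); } while (0)` removes the hazard. The operand `*(uaddr + PAX_USER_SHADOW_BASE / 4)` relies on `uaddr` being a 4-byte pointer for the `/ 4` scaling, which the typecheck enforces but no comment explains; `/* pointer arithmetic in u32 units, hence / 4 */` would do. The macro bodies and futex_atomic_op_inuser are only partly visible in this listing.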
7249 @@ -61,11 +100,20 @@ static inline int futex_atomic_op_inuser
7253 +#ifdef CONFIG_X86_32
7254 + __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
7256 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7260 +#ifdef CONFIG_X86_32
7261 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
7264 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7269 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
7270 @@ -109,7 +157,7 @@ static inline int futex_atomic_op_inuser
7274 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7275 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7279 @@ -119,17 +167,31 @@ static inline int futex_atomic_cmpxchg_i
7283 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7284 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7287 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7288 - "2:\t.section .fixup, \"ax\"\n"
7290 +#ifdef CONFIG_X86_32
7291 + "\tmovw %w5, %%ds\n"
7292 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %%ds:%1\n"
7293 + "2:\tpushl %%ss\n"
7296 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7299 + "\t.section .fixup, \"ax\"\n"
7303 _ASM_EXTABLE(1b, 3b)
7304 +#ifdef CONFIG_X86_32
7305 : "=a" (oldval), "+m" (*uaddr)
7306 + : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
7308 + : "=a" (oldval), "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))
7309 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7314 diff -urNp linux-2.6.35.7/arch/x86/include/asm/i387.h linux-2.6.35.7/arch/x86/include/asm/i387.h
7315 --- linux-2.6.35.7/arch/x86/include/asm/i387.h 2010-08-26 19:47:12.000000000 -0400
7316 +++ linux-2.6.35.7/arch/x86/include/asm/i387.h 2010-09-17 20:12:09.000000000 -0400
7317 @@ -77,6 +77,11 @@ static inline int fxrstor_checking(struc
7321 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7322 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7323 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7326 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
7328 ".section .fixup,\"ax\"\n"
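Review bot: The user-shadow rebasing of `fx` is open-coded twice, here in fxrstor_checking and again in the fxsave_user hunk below, differing only in the `__user` annotations on the casts. A small shared helper would keep the comparison against `PAX_USER_SHADOW_BASE` in one place. If the block stays inline, a comment should say that addresses already at or above the base pass through unchanged, and why that is safe for each caller. Both functions begin and end outside their hunks.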
7329 @@ -127,6 +132,11 @@ static inline int fxsave_user(struct i38
7333 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7334 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7335 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7338 asm volatile("1: rex64/fxsave (%[fx])\n\t"
7340 ".section .fixup,\"ax\"\n"
7341 @@ -220,13 +230,8 @@ static inline int fxrstor_checking(struc
7344 /* We need a safe address that is cheap to find and that is already
7345 - in L1 during context switch. The best choices are unfortunately
7346 - different for UP and SMP */
7348 -#define safe_address (__per_cpu_offset[0])
7350 -#define safe_address (kstat_cpu(0).cpustat.user)
7352 + in L1 during context switch. */
7353 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7356 * These must be called with preempt disabled
7357 diff -urNp linux-2.6.35.7/arch/x86/include/asm/io.h linux-2.6.35.7/arch/x86/include/asm/io.h
7358 --- linux-2.6.35.7/arch/x86/include/asm/io.h 2010-08-26 19:47:12.000000000 -0400
7359 +++ linux-2.6.35.7/arch/x86/include/asm/io.h 2010-09-17 20:12:09.000000000 -0400
7360 @@ -213,6 +213,17 @@ extern void iounmap(volatile void __iome
7362 #include <linux/vmalloc.h>
7364 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7365 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7367 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7370 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7372 + return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7376 * Convert a virtual cached pointer to an uncached pointer
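Review bot: Both new range checks compute their bound as `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)`, an `int` shift that is undefined once the count reaches 31 (43 or more physical address bits with 4 KiB pages), so the comparison can run against a meaningless limit. The left-hand sides `addr + count + PAGE_SIZE - 1` and `pfn + (count >> PAGE_SHIFT)` can also wrap for large arguments, letting an out-of-range request compare as small and pass. Computing the limit in 64 bits and rejecting wrapped sums addresses both, and the trailing `? 1 : 0` is redundant on a comparison.

```c
static inline int valid_phys_addr_range(unsigned long addr, size_t count)
{
	/* 64-bit limit: the shift count can reach the width of int */
	const u64 pfn_limit = 1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT);
	const u64 end = (u64)addr + count;

	/* reject wrap-around; otherwise the same test: ceil(end / PAGE_SIZE) < pfn_limit */
	return end >= addr && end <= ((pfn_limit - 1) << PAGE_SHIFT);
}

static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
{
	const u64 pfn_limit = 1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT);
	const u64 end_pfn = (u64)pfn + (count >> PAGE_SHIFT);

	return end_pfn >= pfn && end_pfn < pfn_limit;
}
```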
7378 diff -urNp linux-2.6.35.7/arch/x86/include/asm/iommu.h linux-2.6.35.7/arch/x86/include/asm/iommu.h
7379 --- linux-2.6.35.7/arch/x86/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
7380 +++ linux-2.6.35.7/arch/x86/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
7382 #ifndef _ASM_X86_IOMMU_H
7383 #define _ASM_X86_IOMMU_H
7385 -extern struct dma_map_ops nommu_dma_ops;
7386 +extern const struct dma_map_ops nommu_dma_ops;
7387 extern int force_iommu, no_iommu;
7388 extern int iommu_detected;
7389 extern int iommu_pass_through;
7390 diff -urNp linux-2.6.35.7/arch/x86/include/asm/irqflags.h linux-2.6.35.7/arch/x86/include/asm/irqflags.h
7391 --- linux-2.6.35.7/arch/x86/include/asm/irqflags.h 2010-08-26 19:47:12.000000000 -0400
7392 +++ linux-2.6.35.7/arch/x86/include/asm/irqflags.h 2010-09-17 20:12:09.000000000 -0400
7393 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
7397 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7398 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7399 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7400 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7403 #define INTERRUPT_RETURN iret
7404 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7405 diff -urNp linux-2.6.35.7/arch/x86/include/asm/kvm_host.h linux-2.6.35.7/arch/x86/include/asm/kvm_host.h
7406 --- linux-2.6.35.7/arch/x86/include/asm/kvm_host.h 2010-08-26 19:47:12.000000000 -0400
7407 +++ linux-2.6.35.7/arch/x86/include/asm/kvm_host.h 2010-09-17 20:12:09.000000000 -0400
7408 @@ -536,7 +536,7 @@ struct kvm_x86_ops {
7409 const struct trace_print_flags *exit_reasons_str;
7412 -extern struct kvm_x86_ops *kvm_x86_ops;
7413 +extern const struct kvm_x86_ops *kvm_x86_ops;
7415 int kvm_mmu_module_init(void);
7416 void kvm_mmu_module_exit(void);
7417 diff -urNp linux-2.6.35.7/arch/x86/include/asm/local.h linux-2.6.35.7/arch/x86/include/asm/local.h
7418 --- linux-2.6.35.7/arch/x86/include/asm/local.h 2010-08-26 19:47:12.000000000 -0400
7419 +++ linux-2.6.35.7/arch/x86/include/asm/local.h 2010-09-17 20:12:09.000000000 -0400
7420 @@ -18,26 +18,90 @@ typedef struct {
7422 static inline void local_inc(local_t *l)
7424 - asm volatile(_ASM_INC "%0"
7425 + asm volatile(_ASM_INC "%0\n"
7427 +#ifdef CONFIG_PAX_REFCOUNT
7428 +#ifdef CONFIG_X86_32
7434 + ".pushsection .fixup,\"ax\"\n"
7439 + _ASM_EXTABLE(0b, 1b)
7442 : "+m" (l->a.counter));
7445 static inline void local_dec(local_t *l)
7447 - asm volatile(_ASM_DEC "%0"
7448 + asm volatile(_ASM_DEC "%0\n"
7450 +#ifdef CONFIG_PAX_REFCOUNT
7451 +#ifdef CONFIG_X86_32
7457 + ".pushsection .fixup,\"ax\"\n"
7462 + _ASM_EXTABLE(0b, 1b)
7465 : "+m" (l->a.counter));
7468 static inline void local_add(long i, local_t *l)
7470 - asm volatile(_ASM_ADD "%1,%0"
7471 + asm volatile(_ASM_ADD "%1,%0\n"
7473 +#ifdef CONFIG_PAX_REFCOUNT
7474 +#ifdef CONFIG_X86_32
7480 + ".pushsection .fixup,\"ax\"\n"
7482 + _ASM_SUB "%1,%0\n"
7485 + _ASM_EXTABLE(0b, 1b)
7488 : "+m" (l->a.counter)
7492 static inline void local_sub(long i, local_t *l)
7494 - asm volatile(_ASM_SUB "%1,%0"
7495 + asm volatile(_ASM_SUB "%1,%0\n"
7497 +#ifdef CONFIG_PAX_REFCOUNT
7498 +#ifdef CONFIG_X86_32
7504 + ".pushsection .fixup,\"ax\"\n"
7506 + _ASM_ADD "%1,%0\n"
7509 + _ASM_EXTABLE(0b, 1b)
7512 : "+m" (l->a.counter)
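Review bot: The overflow-handling sequence under `CONFIG_PAX_REFCOUNT` is pasted into every operation in this file, each copy with its own nested `#ifdef CONFIG_X86_32`, `.pushsection .fixup` and `_ASM_EXTABLE(0b, 1b)`. It appears in local_inc, local_dec, local_add and local_sub in this hunk, and in local_sub_and_test, local_dec_and_test, local_inc_and_test, local_add_negative and local_add_return in the hunks that follow. From the visible lines only the undo instruction differs (`_ASM_SUB` after an add, `_ASM_ADD` after a sub), so a single string macro taking that instruction would reduce nine copies to one and let a later fix apply everywhere. Several lines of each asm body are missing from this listing, so this rests on the visible parts only. A one-line comment on each fixup stating that it reverses the operation that overflowed would also help.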
7515 @@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7519 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7520 + asm volatile(_ASM_SUB "%2,%0\n"
7522 +#ifdef CONFIG_PAX_REFCOUNT
7523 +#ifdef CONFIG_X86_32
7529 + ".pushsection .fixup,\"ax\"\n"
7531 + _ASM_ADD "%2,%0\n"
7534 + _ASM_EXTABLE(0b, 1b)
7538 : "+m" (l->a.counter), "=qm" (c)
7539 : "ir" (i) : "memory");
7541 @@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7545 - asm volatile(_ASM_DEC "%0; sete %1"
7546 + asm volatile(_ASM_DEC "%0\n"
7548 +#ifdef CONFIG_PAX_REFCOUNT
7549 +#ifdef CONFIG_X86_32
7555 + ".pushsection .fixup,\"ax\"\n"
7560 + _ASM_EXTABLE(0b, 1b)
7564 : "+m" (l->a.counter), "=qm" (c)
7567 @@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7571 - asm volatile(_ASM_INC "%0; sete %1"
7572 + asm volatile(_ASM_INC "%0\n"
7574 +#ifdef CONFIG_PAX_REFCOUNT
7575 +#ifdef CONFIG_X86_32
7581 + ".pushsection .fixup,\"ax\"\n"
7586 + _ASM_EXTABLE(0b, 1b)
7590 : "+m" (l->a.counter), "=qm" (c)
7593 @@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7597 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7598 + asm volatile(_ASM_ADD "%2,%0\n"
7600 +#ifdef CONFIG_PAX_REFCOUNT
7601 +#ifdef CONFIG_X86_32
7607 + ".pushsection .fixup,\"ax\"\n"
7609 + _ASM_SUB "%2,%0\n"
7612 + _ASM_EXTABLE(0b, 1b)
7616 : "+m" (l->a.counter), "=qm" (c)
7617 : "ir" (i) : "memory");
7619 @@ -133,7 +265,23 @@ static inline long local_add_return(long
7621 /* Modern 486+ processor */
7623 - asm volatile(_ASM_XADD "%0, %1;"
7624 + asm volatile(_ASM_XADD "%0, %1\n"
7626 +#ifdef CONFIG_PAX_REFCOUNT
7627 +#ifdef CONFIG_X86_32
7633 + ".pushsection .fixup,\"ax\"\n"
7635 + _ASM_MOV "%0,%1\n"
7638 + _ASM_EXTABLE(0b, 1b)
7641 : "+r" (i), "+m" (l->a.counter)
7644 diff -urNp linux-2.6.35.7/arch/x86/include/asm/mc146818rtc.h linux-2.6.35.7/arch/x86/include/asm/mc146818rtc.h
7645 --- linux-2.6.35.7/arch/x86/include/asm/mc146818rtc.h 2010-08-26 19:47:12.000000000 -0400
7646 +++ linux-2.6.35.7/arch/x86/include/asm/mc146818rtc.h 2010-09-17 20:12:09.000000000 -0400
7647 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
7649 #define lock_cmos_prefix(reg) do {} while (0)
7650 #define lock_cmos_suffix(reg) do {} while (0)
7651 -#define lock_cmos(reg)
7652 -#define unlock_cmos()
7653 +#define lock_cmos(reg) do {} while (0)
7654 +#define unlock_cmos() do {} while (0)
7655 #define do_i_have_lock_cmos() 0
7656 #define current_lock_cmos_reg() 0
7658 diff -urNp linux-2.6.35.7/arch/x86/include/asm/microcode.h linux-2.6.35.7/arch/x86/include/asm/microcode.h
7659 --- linux-2.6.35.7/arch/x86/include/asm/microcode.h 2010-08-26 19:47:12.000000000 -0400
7660 +++ linux-2.6.35.7/arch/x86/include/asm/microcode.h 2010-09-17 20:12:09.000000000 -0400
7661 @@ -12,13 +12,13 @@ struct device;
7662 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7664 struct microcode_ops {
7665 - enum ucode_state (*request_microcode_user) (int cpu,
7666 + enum ucode_state (* const request_microcode_user) (int cpu,
7667 const void __user *buf, size_t size);
7669 - enum ucode_state (*request_microcode_fw) (int cpu,
7670 + enum ucode_state (* const request_microcode_fw) (int cpu,
7671 struct device *device);
7673 - void (*microcode_fini_cpu) (int cpu);
7674 + void (* const microcode_fini_cpu) (int cpu);
7677 * The generic 'microcode_core' part guarantees that
7678 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
7679 extern struct ucode_cpu_info ucode_cpu_info[];
7681 #ifdef CONFIG_MICROCODE_INTEL
7682 -extern struct microcode_ops * __init init_intel_microcode(void);
7683 +extern const struct microcode_ops * __init init_intel_microcode(void);
7685 -static inline struct microcode_ops * __init init_intel_microcode(void)
7686 +static inline const struct microcode_ops * __init init_intel_microcode(void)
7690 #endif /* CONFIG_MICROCODE_INTEL */
7692 #ifdef CONFIG_MICROCODE_AMD
7693 -extern struct microcode_ops * __init init_amd_microcode(void);
7694 +extern const struct microcode_ops * __init init_amd_microcode(void);
7696 -static inline struct microcode_ops * __init init_amd_microcode(void)
7697 +static inline const struct microcode_ops * __init init_amd_microcode(void)
7701 diff -urNp linux-2.6.35.7/arch/x86/include/asm/mman.h linux-2.6.35.7/arch/x86/include/asm/mman.h
7702 --- linux-2.6.35.7/arch/x86/include/asm/mman.h 2010-08-26 19:47:12.000000000 -0400
7703 +++ linux-2.6.35.7/arch/x86/include/asm/mman.h 2010-09-17 20:12:09.000000000 -0400
7706 #include <asm-generic/mman.h>
7709 +#ifndef __ASSEMBLY__
7710 +#ifdef CONFIG_X86_32
7711 +#define arch_mmap_check i386_mmap_check
7712 +int i386_mmap_check(unsigned long addr, unsigned long len,
7713 + unsigned long flags);
7718 #endif /* _ASM_X86_MMAN_H */
7719 diff -urNp linux-2.6.35.7/arch/x86/include/asm/mmu_context.h linux-2.6.35.7/arch/x86/include/asm/mmu_context.h
7720 --- linux-2.6.35.7/arch/x86/include/asm/mmu_context.h 2010-08-26 19:47:12.000000000 -0400
7721 +++ linux-2.6.35.7/arch/x86/include/asm/mmu_context.h 2010-09-17 20:12:09.000000000 -0400
7722 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
7724 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
7727 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7731 + pax_open_kernel();
7732 + pgd = get_cpu_pgd(smp_processor_id());
7733 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
7734 + if (paravirt_enabled())
7735 + set_pgd(pgd+i, native_make_pgd(0));
7737 + pgd[i] = native_make_pgd(0);
7738 + pax_close_kernel();
7742 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
7743 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
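Review bot: The added loop in enter_lazy_tlb() hangs an `if`/`else` directly off an unbraced `for` and re-evaluates `paravirt_enabled()` on every iteration, although nothing in the loop changes it. Bracing the loop body and hoisting the test would read better. There is also no comment saying what clearing entries `USER_PGD_PTRS` to `2 * USER_PGD_PTRS` of the per-CPU PGD achieves; going by the `__shadow_user_pgds()` call in switch_mm these look like the shadow copies of the user mappings, to be confirmed. The declarations of `pgd` and `i` and the closing `#endif` are on lines missing from this listing.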
7744 @@ -34,27 +49,70 @@ static inline void switch_mm(struct mm_s
7745 struct task_struct *tsk)
7747 unsigned cpu = smp_processor_id();
7748 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
7749 + int tlbstate = TLBSTATE_OK;
7752 if (likely(prev != next)) {
7753 /* stop flush ipis for the previous mm */
7754 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7756 +#ifdef CONFIG_X86_32
7757 + tlbstate = percpu_read(cpu_tlbstate.state);
7759 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7760 percpu_write(cpu_tlbstate.active_mm, next);
7762 cpumask_set_cpu(cpu, mm_cpumask(next));
7764 /* Re-load page tables */
7765 +#ifdef CONFIG_PAX_PER_CPU_PGD
7766 + pax_open_kernel();
7767 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7768 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7769 + pax_close_kernel();
7770 + load_cr3(get_cpu_pgd(cpu));
7772 load_cr3(next->pgd);
7776 * load the LDT, if the LDT is different:
7778 if (unlikely(prev->context.ldt != next->context.ldt))
7779 load_LDT_nolock(&next->context);
7782 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7783 + if (!(__supported_pte_mask & _PAGE_NX)) {
7784 + smp_mb__before_clear_bit();
7785 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7786 + smp_mb__after_clear_bit();
7787 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7791 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7792 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7793 + prev->context.user_cs_limit != next->context.user_cs_limit))
7794 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7796 + else if (unlikely(tlbstate != TLBSTATE_OK))
7797 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7804 +#ifdef CONFIG_PAX_PER_CPU_PGD
7805 + pax_open_kernel();
7806 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7807 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7808 + pax_close_kernel();
7809 + load_cr3(get_cpu_pgd(cpu));
7813 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7814 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
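Review bot: The five-line `CONFIG_PAX_PER_CPU_PGD` sequence (open, `__clone_user_pgds`, `__shadow_user_pgds`, close, `load_cr3(get_cpu_pgd(cpu))`) appears twice in switch_mm(), once in the `prev != next` path and once in the lazy-TLB path, character for character. A static inline helper, say `pax_switch_cpu_pgd(cpu, next)` (the name is only a suggestion), would keep the two paths from drifting apart. Separately, `tlbstate` is declared under `CONFIG_X86_32 && CONFIG_SMP` while the assignment visible here sits under a bare `#ifdef CONFIG_X86_32`; the enclosing conditionals are on lines missing from this listing, so please check that a 32-bit uniprocessor build still compiles. switch_mm() starts before and ends after this hunk.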
7816 @@ -63,11 +121,28 @@ static inline void switch_mm(struct mm_s
7817 * tlb flush IPI delivery. We must reload CR3
7818 * to make sure to use no freed page tables.
7821 +#ifndef CONFIG_PAX_PER_CPU_PGD
7822 load_cr3(next->pgd);
7825 load_LDT_nolock(&next->context);
7827 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
7828 + if (!(__supported_pte_mask & _PAGE_NX))
7829 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7832 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7833 +#ifdef CONFIG_PAX_PAGEEXEC
7834 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
7836 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7845 #define activate_mm(prev, next) \
7846 diff -urNp linux-2.6.35.7/arch/x86/include/asm/mmu.h linux-2.6.35.7/arch/x86/include/asm/mmu.h
7847 --- linux-2.6.35.7/arch/x86/include/asm/mmu.h 2010-08-26 19:47:12.000000000 -0400
7848 +++ linux-2.6.35.7/arch/x86/include/asm/mmu.h 2010-09-17 20:12:09.000000000 -0400
7850 * we put the segment information here.
7854 + struct desc_struct *ldt;
7858 + unsigned long vdso;
7860 +#ifdef CONFIG_X86_32
7861 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7862 + unsigned long user_cs_base;
7863 + unsigned long user_cs_limit;
7865 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7866 + cpumask_t cpu_user_cs_mask;
7875 diff -urNp linux-2.6.35.7/arch/x86/include/asm/module.h linux-2.6.35.7/arch/x86/include/asm/module.h
7876 --- linux-2.6.35.7/arch/x86/include/asm/module.h 2010-08-26 19:47:12.000000000 -0400
7877 +++ linux-2.6.35.7/arch/x86/include/asm/module.h 2010-09-17 20:12:37.000000000 -0400
7879 #error unknown processor family
7882 +#ifdef CONFIG_PAX_MEMORY_UDEREF
7883 +#define MODULE_PAX_UDEREF "UDEREF "
7885 +#define MODULE_PAX_UDEREF ""
7888 #ifdef CONFIG_X86_32
7889 # ifdef CONFIG_4KSTACKS
7890 # define MODULE_STACKSIZE "4KSTACKS "
7892 # define MODULE_STACKSIZE ""
7894 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
7895 +# ifdef CONFIG_PAX_KERNEXEC
7896 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
7898 +# define MODULE_PAX_KERNEXEC ""
7900 +# ifdef CONFIG_GRKERNSEC
7901 +# define MODULE_GRSEC "GRSECURITY "
7903 +# define MODULE_GRSEC ""
7905 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
7907 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
7910 #endif /* _ASM_X86_MODULE_H */
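Review bot: On the non-32-bit branch `MODULE_ARCH_VERMAGIC` is defined as `MODULE_PAX_UDEREF` alone, because `MODULE_PAX_KERNEXEC` and `MODULE_GRSEC` are defined only inside the `#ifdef CONFIG_X86_32` block. If either option changes what a module may assume on 64-bit, a module built without it would still pass the vermagic check against a kernel built with it. Defining the two tags next to `MODULE_PAX_UDEREF`, outside the 32-bit block, and using `MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF` in the `#else` branch would make both architectures behave alike. The `#else`/`#endif` lines are missing from this listing, so the nesting is inferred from the `# ` indentation.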
7911 diff -urNp linux-2.6.35.7/arch/x86/include/asm/page_32_types.h linux-2.6.35.7/arch/x86/include/asm/page_32_types.h
7912 --- linux-2.6.35.7/arch/x86/include/asm/page_32_types.h 2010-08-26 19:47:12.000000000 -0400
7913 +++ linux-2.6.35.7/arch/x86/include/asm/page_32_types.h 2010-09-17 20:12:09.000000000 -0400
7916 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
7918 +#ifdef CONFIG_PAX_PAGEEXEC
7919 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
7922 #ifdef CONFIG_4KSTACKS
7923 #define THREAD_ORDER 0
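Review bot: `#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1` creates a `CONFIG_`-prefixed symbol in a header instead of in Kconfig, so it is invisible to Makefiles and to any file that tests it without including page_32_types.h first. A Kconfig entry enabled by `PAX_PAGEEXEC` on 32-bit would be the conventional place. If the header define stays, a comment naming the code that tests it would help.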
7925 diff -urNp linux-2.6.35.7/arch/x86/include/asm/paravirt.h linux-2.6.35.7/arch/x86/include/asm/paravirt.h
7926 --- linux-2.6.35.7/arch/x86/include/asm/paravirt.h 2010-08-26 19:47:12.000000000 -0400
7927 +++ linux-2.6.35.7/arch/x86/include/asm/paravirt.h 2010-09-17 20:12:09.000000000 -0400
7928 @@ -720,6 +720,21 @@ static inline void __set_fixmap(unsigned
7929 pv_mmu_ops.set_fixmap(idx, phys, flags);
7932 +#ifdef CONFIG_PAX_KERNEXEC
7933 +static inline unsigned long pax_open_kernel(void)
7935 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
7938 +static inline unsigned long pax_close_kernel(void)
7940 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
7943 +static inline unsigned long pax_open_kernel(void) { return 0; }
7944 +static inline unsigned long pax_close_kernel(void) { return 0; }
7947 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
7949 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
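Review bot: pax_open_kernel() and pax_close_kernel() are declared to return `unsigned long`, but nothing says what the value means and every call site visible on this page discards it. Either document the return value above the wrappers (for example the previous protection state, if that is what the backend returns) or, if no caller needs it, note that it may be ignored. The stubs for the non-KERNEXEC case return 0, which a future caller could mistake for a meaningful state.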
7950 @@ -936,7 +951,7 @@ extern void default_banner(void);
7952 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
7953 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
7954 -#define PARA_INDIRECT(addr) *%cs:addr
7955 +#define PARA_INDIRECT(addr) *%ss:addr
7958 #define INTERRUPT_RETURN \
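Review bot: `PARA_INDIRECT` switches its segment override from `%cs` to `%ss` without explanation, although every indirect paravirt call in 32-bit assembly goes through this macro. The change presumably exists because the pv_*_ops tables are data and may no longer be reachable through the kernel code segment under this patch, but that is an inference. Once confirmed, a comment such as `/* ops tables are read through %ss: the kernel code segment may not cover kernel data */` should be added, along with the assumption that `%ss` holds a kernel data selector at every PARA_INDIRECT site.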
7959 @@ -1013,6 +1028,21 @@ extern void default_banner(void);
7960 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
7962 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
7964 +#define GET_CR0_INTO_RDI \
7965 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7968 +#define SET_RDI_INTO_CR0 \
7969 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
7971 +#define GET_CR3_INTO_RDI \
7972 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
7975 +#define SET_RDI_INTO_CR3 \
7976 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
7978 #endif /* CONFIG_X86_32 */
7980 #endif /* __ASSEMBLY__ */
7981 diff -urNp linux-2.6.35.7/arch/x86/include/asm/paravirt_types.h linux-2.6.35.7/arch/x86/include/asm/paravirt_types.h
7982 --- linux-2.6.35.7/arch/x86/include/asm/paravirt_types.h 2010-08-26 19:47:12.000000000 -0400
7983 +++ linux-2.6.35.7/arch/x86/include/asm/paravirt_types.h 2010-09-17 20:12:09.000000000 -0400
7984 @@ -312,6 +312,12 @@ struct pv_mmu_ops {
7985 an mfn. We can tell which is which from the index. */
7986 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
7987 phys_addr_t phys, pgprot_t flags);
7989 +#ifdef CONFIG_PAX_KERNEXEC
7990 + unsigned long (*pax_open_kernel)(void);
7991 + unsigned long (*pax_close_kernel)(void);
7996 struct arch_spinlock;
7997 diff -urNp linux-2.6.35.7/arch/x86/include/asm/pci_x86.h linux-2.6.35.7/arch/x86/include/asm/pci_x86.h
7998 --- linux-2.6.35.7/arch/x86/include/asm/pci_x86.h 2010-08-26 19:47:12.000000000 -0400
7999 +++ linux-2.6.35.7/arch/x86/include/asm/pci_x86.h 2010-09-17 20:12:09.000000000 -0400
8000 @@ -91,16 +91,16 @@ extern int (*pcibios_enable_irq)(struct
8001 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8003 struct pci_raw_ops {
8004 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8005 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8006 int reg, int len, u32 *val);
8007 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8008 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8009 int reg, int len, u32 val);
8012 -extern struct pci_raw_ops *raw_pci_ops;
8013 -extern struct pci_raw_ops *raw_pci_ext_ops;
8014 +extern const struct pci_raw_ops *raw_pci_ops;
8015 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8017 -extern struct pci_raw_ops pci_direct_conf1;
8018 +extern const struct pci_raw_ops pci_direct_conf1;
8019 extern bool port_cf9_safe;
8021 /* arch_initcall level */
8022 diff -urNp linux-2.6.35.7/arch/x86/include/asm/pgalloc.h linux-2.6.35.7/arch/x86/include/asm/pgalloc.h
8023 --- linux-2.6.35.7/arch/x86/include/asm/pgalloc.h 2010-08-26 19:47:12.000000000 -0400
8024 +++ linux-2.6.35.7/arch/x86/include/asm/pgalloc.h 2010-09-17 20:12:09.000000000 -0400
8025 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8026 pmd_t *pmd, pte_t *pte)
8028 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8029 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8032 +static inline void pmd_populate_user(struct mm_struct *mm,
8033 + pmd_t *pmd, pte_t *pte)
8035 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8036 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
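Review bot: Nothing at these two functions says why they differ, although the only difference is the flag set: `pmd_populate_kernel()` now installs `_KERNPG_TABLE` and the new `pmd_populate_user()` keeps `_PAGE_TABLE`. A one-line comment on each would stop a later caller from picking the user variant for a kernel mapping, for example `/* kernel page tables only: _KERNPG_TABLE carries no _PAGE_USER */` and `/* user address space: _PAGE_TABLE includes _PAGE_USER */`. The braces of both bodies are not visible in this listing, so the placement is relative to the signatures.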
8039 diff -urNp linux-2.6.35.7/arch/x86/include/asm/pgtable-2level.h linux-2.6.35.7/arch/x86/include/asm/pgtable-2level.h
8040 --- linux-2.6.35.7/arch/x86/include/asm/pgtable-2level.h 2010-08-26 19:47:12.000000000 -0400
8041 +++ linux-2.6.35.7/arch/x86/include/asm/pgtable-2level.h 2010-09-17 20:12:09.000000000 -0400
8042 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8044 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8046 + pax_open_kernel();
8048 + pax_close_kernel();
8051 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8052 diff -urNp linux-2.6.35.7/arch/x86/include/asm/pgtable_32.h linux-2.6.35.7/arch/x86/include/asm/pgtable_32.h
8053 --- linux-2.6.35.7/arch/x86/include/asm/pgtable_32.h 2010-08-26 19:47:12.000000000 -0400
8054 +++ linux-2.6.35.7/arch/x86/include/asm/pgtable_32.h 2010-09-17 20:12:09.000000000 -0400
8057 struct vm_area_struct;
8059 -extern pgd_t swapper_pg_dir[1024];
8061 static inline void pgtable_cache_init(void) { }
8062 static inline void check_pgt_cache(void) { }
8063 void paging_init(void);
8064 @@ -47,6 +45,11 @@ extern void set_pmd_pfn(unsigned long, u
8065 # include <asm/pgtable-2level.h>
8068 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8069 +#ifdef CONFIG_X86_PAE
8070 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8073 #if defined(CONFIG_HIGHPTE)
8075 (in_nmi() ? KM_NMI_PTE : \
8076 @@ -71,7 +74,9 @@ extern void set_pmd_pfn(unsigned long, u
8077 /* Clear a kernel PTE and flush it from the TLB */
8078 #define kpte_clear_flush(ptep, vaddr) \
8080 + pax_open_kernel(); \
8081 pte_clear(&init_mm, (vaddr), (ptep)); \
8082 + pax_close_kernel(); \
8083 __flush_tlb_one((vaddr)); \
8086 @@ -83,6 +88,9 @@ do { \
8088 #endif /* !__ASSEMBLY__ */
8090 +#define HAVE_ARCH_UNMAPPED_AREA
8091 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8094 * kern_addr_valid() is (1) for FLATMEM and (0) for
8095 * SPARSEMEM and DISCONTIGMEM
8096 diff -urNp linux-2.6.35.7/arch/x86/include/asm/pgtable_32_types.h linux-2.6.35.7/arch/x86/include/asm/pgtable_32_types.h
8097 --- linux-2.6.35.7/arch/x86/include/asm/pgtable_32_types.h 2010-08-26 19:47:12.000000000 -0400
8098 +++ linux-2.6.35.7/arch/x86/include/asm/pgtable_32_types.h 2010-09-17 20:12:09.000000000 -0400
8101 #ifdef CONFIG_X86_PAE
8102 # include <asm/pgtable-3level_types.h>
8103 -# define PMD_SIZE (1UL << PMD_SHIFT)
8104 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8105 # define PMD_MASK (~(PMD_SIZE - 1))
8107 # include <asm/pgtable-2level_types.h>
8108 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8109 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8112 +#ifdef CONFIG_PAX_KERNEXEC
8113 +#ifndef __ASSEMBLY__
8114 +extern unsigned char MODULES_EXEC_VADDR[];
8115 +extern unsigned char MODULES_EXEC_END[];
8117 +#include <asm/boot.h>
8118 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8119 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8121 +#define ktla_ktva(addr) (addr)
8122 +#define ktva_ktla(addr) (addr)
8125 #define MODULES_VADDR VMALLOC_START
8126 #define MODULES_END VMALLOC_END
8127 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
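Review bot: The KERNEXEC variants of `ktla_ktva()` and `ktva_ktla()` use `addr` unparenthesised, so an argument containing an operator of lower precedence than `+` or `-` (a `|`, a shift, a conditional) expands to the wrong expression. They should read `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. A short comment naming the two address spaces the macros convert between would also help, since the abbreviations are not explained anywhere in this hunk.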
8128 diff -urNp linux-2.6.35.7/arch/x86/include/asm/pgtable-3level.h linux-2.6.35.7/arch/x86/include/asm/pgtable-3level.h
8129 --- linux-2.6.35.7/arch/x86/include/asm/pgtable-3level.h 2010-08-26 19:47:12.000000000 -0400
8130 +++ linux-2.6.35.7/arch/x86/include/asm/pgtable-3level.h 2010-09-17 20:12:09.000000000 -0400
8131 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8133 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8135 + pax_open_kernel();
8136 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8137 + pax_close_kernel();
8140 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8142 + pax_open_kernel();
8143 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8144 + pax_close_kernel();
8148 diff -urNp linux-2.6.35.7/arch/x86/include/asm/pgtable_64.h linux-2.6.35.7/arch/x86/include/asm/pgtable_64.h
8149 --- linux-2.6.35.7/arch/x86/include/asm/pgtable_64.h 2010-08-26 19:47:12.000000000 -0400
8150 +++ linux-2.6.35.7/arch/x86/include/asm/pgtable_64.h 2010-09-17 20:12:09.000000000 -0400
8153 extern pud_t level3_kernel_pgt[512];
8154 extern pud_t level3_ident_pgt[512];
8155 +extern pud_t level3_vmalloc_pgt[512];
8156 +extern pud_t level3_vmemmap_pgt[512];
8157 +extern pud_t level2_vmemmap_pgt[512];
8158 extern pmd_t level2_kernel_pgt[512];
8159 extern pmd_t level2_fixmap_pgt[512];
8160 -extern pmd_t level2_ident_pgt[512];
8161 -extern pgd_t init_level4_pgt[];
8162 +extern pmd_t level2_ident_pgt[512*2];
8163 +extern pgd_t init_level4_pgt[512];
8165 #define swapper_pg_dir init_level4_pgt
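Review bot: `level2_vmemmap_pgt` is declared as `pud_t`, while every other `level2_*` table in this block (`level2_kernel_pgt`, `level2_fixmap_pgt`, `level2_ident_pgt`) is `pmd_t` and the `level3_*` tables are `pud_t`. If it is a PMD-level table as its name says, the declaration should be `extern pmd_t level2_vmemmap_pgt[512];`. The definition is outside this hunk, so the type needs checking against it.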
8167 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
8169 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8171 + pax_open_kernel();
8173 + pax_close_kernel();
8176 static inline void native_pmd_clear(pmd_t *pmd)
8177 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
8179 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8181 + pax_open_kernel();
8183 + pax_close_kernel();
8186 static inline void native_pgd_clear(pgd_t *pgd)
8187 diff -urNp linux-2.6.35.7/arch/x86/include/asm/pgtable_64_types.h linux-2.6.35.7/arch/x86/include/asm/pgtable_64_types.h
8188 --- linux-2.6.35.7/arch/x86/include/asm/pgtable_64_types.h 2010-08-26 19:47:12.000000000 -0400
8189 +++ linux-2.6.35.7/arch/x86/include/asm/pgtable_64_types.h 2010-09-17 20:12:09.000000000 -0400
8190 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8191 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8192 #define MODULES_END _AC(0xffffffffff000000, UL)
8193 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8194 +#define MODULES_EXEC_VADDR MODULES_VADDR
8195 +#define MODULES_EXEC_END MODULES_END
8197 +#define ktla_ktva(addr) (addr)
8198 +#define ktva_ktla(addr) (addr)
8200 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8201 diff -urNp linux-2.6.35.7/arch/x86/include/asm/pgtable.h linux-2.6.35.7/arch/x86/include/asm/pgtable.h
8202 --- linux-2.6.35.7/arch/x86/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
8203 +++ linux-2.6.35.7/arch/x86/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
8204 @@ -76,12 +76,51 @@ extern struct list_head pgd_list;
8206 #define arch_end_context_switch(prev) do {} while(0)
8208 +#define pax_open_kernel() native_pax_open_kernel()
8209 +#define pax_close_kernel() native_pax_close_kernel()
8210 #endif /* CONFIG_PARAVIRT */
8212 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8213 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8215 +#ifdef CONFIG_PAX_KERNEXEC
8216 +static inline unsigned long native_pax_open_kernel(void)
8218 + unsigned long cr0;
8220 + preempt_disable();
8222 + cr0 = read_cr0() ^ X86_CR0_WP;
8223 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8225 + return cr0 ^ X86_CR0_WP;
8228 +static inline unsigned long native_pax_close_kernel(void)
8230 + unsigned long cr0;
8232 + cr0 = read_cr0() ^ X86_CR0_WP;
8233 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8236 + preempt_enable_no_resched();
8237 + return cr0 ^ X86_CR0_WP;
8240 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8241 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8245 * The following only work if pte_present() is true.
8246 * Undefined behaviour if not..
8248 +static inline int pte_user(pte_t pte)
8250 + return pte_val(pte) & _PAGE_USER;
8253 static inline int pte_dirty(pte_t pte)
8255 return pte_flags(pte) & _PAGE_DIRTY;
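Review bot: `native_pax_open_kernel()` hits `BUG_ON` when `X86_CR0_WP` is already clear, so an open/close pair cannot be nested, and the hunk adds no comment stating that contract. A comment above the two helpers such as `/* Not reentrant: never nest pax_open_kernel(); pair each call with pax_close_kernel() on the same CPU */` would document it, along with what the returned value is for, since the page-table setters elsewhere in this patch discard it. `BUG_ON()` already wraps its condition in `unlikely()`, so `BUG_ON(cr0 & X86_CR0_WP)` is enough. The new `pte_user()` also reads `pte_val(pte)` where the neighbouring `pte_dirty()` uses `pte_flags(pte)`. Some lines of both helper bodies are missing from this listing.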
8256 @@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t
8257 return pte_clear_flags(pte, _PAGE_RW);
8260 +static inline pte_t pte_mkread(pte_t pte)
8262 + return __pte(pte_val(pte) | _PAGE_USER);
8265 static inline pte_t pte_mkexec(pte_t pte)
8267 - return pte_clear_flags(pte, _PAGE_NX);
8268 +#ifdef CONFIG_X86_PAE
8269 + if (__supported_pte_mask & _PAGE_NX)
8270 + return pte_clear_flags(pte, _PAGE_NX);
8273 + return pte_set_flags(pte, _PAGE_USER);
8276 +static inline pte_t pte_exprotect(pte_t pte)
8278 +#ifdef CONFIG_X86_PAE
8279 + if (__supported_pte_mask & _PAGE_NX)
8280 + return pte_set_flags(pte, _PAGE_NX);
8283 + return pte_clear_flags(pte, _PAGE_USER);
8286 static inline pte_t pte_mkdirty(pte_t pte)
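Review bot: `pte_mkread()` sets `_PAGE_USER` with `__pte(pte_val(pte) | _PAGE_USER)` while `pte_mkexec()` just below sets the same bit with `pte_set_flags(pte, _PAGE_USER)`; unless the paravirt conversion is intended, `return pte_set_flags(pte, _PAGE_USER);` would keep the two consistent. The hunk also leaves undocumented that `_PAGE_USER` appears to stand in for execute permission when `_PAGE_NX` is not in `__supported_pte_mask`, which is what the fallback returns of `pte_mkexec()` and `pte_exprotect()` rely on. A comment on those fallbacks such as `/* no hardware NX: _PAGE_USER doubles as the exec permission */` would make that explicit. The preprocessor lines closing the `CONFIG_X86_PAE` branches are not visible here.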
8287 @@ -304,6 +363,15 @@ pte_t *populate_extra_pte(unsigned long
8290 #ifndef __ASSEMBLY__
8292 +#ifdef CONFIG_PAX_PER_CPU_PGD
8293 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8294 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8296 + return cpu_pgd[cpu];
8300 #include <linux/mm_types.h>
8302 static inline int pte_none(pte_t pte)
8303 @@ -474,7 +542,7 @@ static inline pud_t *pud_offset(pgd_t *p
8305 static inline int pgd_bad(pgd_t pgd)
8307 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8308 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8311 static inline int pgd_none(pgd_t pgd)
8312 @@ -497,7 +565,12 @@ static inline int pgd_none(pgd_t pgd)
8313 * pgd_offset() returns a (pgd_t *)
8314 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8316 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8317 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8319 +#ifdef CONFIG_PAX_PER_CPU_PGD
8320 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8324 * a shortcut which implies the use of the kernel's pgd, instead
8326 @@ -508,6 +581,20 @@ static inline int pgd_none(pgd_t pgd)
8327 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8328 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8330 +#ifdef CONFIG_X86_32
8331 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8333 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8334 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8336 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8337 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8339 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8344 #ifndef __ASSEMBLY__
8346 extern int direct_gbpages;
8347 @@ -613,11 +700,23 @@ static inline void ptep_set_wrprotect(st
8348 * dst and src can be on the same page, but the range must not overlap,
8349 * and must not cross a page boundary.
8351 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8352 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8354 - memcpy(dst, src, count * sizeof(pgd_t));
8355 + pax_open_kernel();
8358 + pax_close_kernel();
8361 +#ifdef CONFIG_PAX_PER_CPU_PGD
8362 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8365 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8366 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8368 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8371 #include <asm-generic/pgtable.h>
8372 #endif /* __ASSEMBLY__ */
8373 diff -urNp linux-2.6.35.7/arch/x86/include/asm/pgtable_types.h linux-2.6.35.7/arch/x86/include/asm/pgtable_types.h
8374 --- linux-2.6.35.7/arch/x86/include/asm/pgtable_types.h 2010-08-26 19:47:12.000000000 -0400
8375 +++ linux-2.6.35.7/arch/x86/include/asm/pgtable_types.h 2010-09-17 20:12:09.000000000 -0400
8377 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8378 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8379 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8380 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8381 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8382 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8383 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8384 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8385 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8386 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8387 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8388 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8390 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8392 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8393 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8394 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8395 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8396 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8397 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8398 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8401 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8402 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8404 +#elif defined(CONFIG_KMEMCHECK)
8405 #define _PAGE_NX (_AT(pteval_t, 0))
8407 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8410 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8412 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8415 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8416 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8418 #define __PAGE_KERNEL_EXEC \
8419 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8420 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8422 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8423 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8424 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8425 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8426 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8427 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8428 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8429 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8430 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8431 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8433 * bits are combined, this will alow user to access the high address mapped
8434 * VDSO in the presence of CONFIG_COMPAT_VDSO
8436 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8437 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8438 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8439 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8440 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
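Review bot: The comment kept above these defines still says the combined bits let user space reach the high-mapped VDSO under CONFIG_COMPAT_VDSO, but `PDE_IDENT_ATTR` changes from `0x067` to `0x063` and so no longer carries USER. The comment should be updated with the change, for example `/* identity-map PDEs are kernel-only; user access to a high-mapped VDSO is no longer provided through them */`. If CONFIG_COMPAT_VDSO is still selectable with this patch, how the VDSO stays reachable should be stated as well; that is not visible in this hunk.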
8443 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8445 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8449 +#if PAGETABLE_LEVELS == 3
8450 +#include <asm-generic/pgtable-nopud.h>
8453 +#if PAGETABLE_LEVELS == 2
8454 +#include <asm-generic/pgtable-nopmd.h>
8457 +#ifndef __ASSEMBLY__
8458 #if PAGETABLE_LEVELS > 3
8459 typedef struct { pudval_t pud; } pud_t;
8461 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
8465 -#include <asm-generic/pgtable-nopud.h>
8467 static inline pudval_t native_pud_val(pud_t pud)
8469 return native_pgd_val(pud.pgd);
8470 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
8474 -#include <asm-generic/pgtable-nopmd.h>
8476 static inline pmdval_t native_pmd_val(pmd_t pmd)
8478 return native_pgd_val(pmd.pud.pgd);
8479 @@ -278,7 +287,6 @@ typedef struct page *pgtable_t;
8481 extern pteval_t __supported_pte_mask;
8482 extern void set_nx(void);
8483 -extern int nx_enabled;
8485 #define pgprot_writecombine pgprot_writecombine
8486 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8487 diff -urNp linux-2.6.35.7/arch/x86/include/asm/processor.h linux-2.6.35.7/arch/x86/include/asm/processor.h
8488 --- linux-2.6.35.7/arch/x86/include/asm/processor.h 2010-08-26 19:47:12.000000000 -0400
8489 +++ linux-2.6.35.7/arch/x86/include/asm/processor.h 2010-09-17 20:12:09.000000000 -0400
8490 @@ -269,7 +269,7 @@ struct tss_struct {
8492 } ____cacheline_aligned;
8494 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8495 +extern struct tss_struct init_tss[NR_CPUS];
8498 * Save the original ist values for checking stack pointers during debugging
8499 @@ -884,8 +884,15 @@ static inline void spin_lock_prefetch(co
8501 #define TASK_SIZE PAGE_OFFSET
8502 #define TASK_SIZE_MAX TASK_SIZE
8504 +#ifdef CONFIG_PAX_SEGMEXEC
8505 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8506 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8508 #define STACK_TOP TASK_SIZE
8509 -#define STACK_TOP_MAX STACK_TOP
8512 +#define STACK_TOP_MAX TASK_SIZE
8514 #define INIT_THREAD { \
8515 .sp0 = sizeof(init_stack) + (long)&init_stack, \
8516 @@ -902,7 +909,7 @@ static inline void spin_lock_prefetch(co
8518 #define INIT_TSS { \
8520 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8521 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8522 .ss0 = __KERNEL_DS, \
8523 .ss1 = __KERNEL_CS, \
8524 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8525 @@ -913,11 +920,7 @@ static inline void spin_lock_prefetch(co
8526 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8528 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8529 -#define KSTK_TOP(info) \
8531 - unsigned long *__ptr = (unsigned long *)(info); \
8532 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8534 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8537 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
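Review bot: The new `KSTK_TOP(info)` expands to `(info)->task.thread.sp0`, which applies `.` to `task`. If `task` in `struct thread_info` is still a pointer (its declaration is not part of this hunk), any expansion of the macro fails to compile and the intended form is `#define KSTK_TOP(info) ((info)->task->thread.sp0)`. The old macro accepted any pointer to the stack page, whereas the new one needs a `struct thread_info *`, so the remaining callers should be checked too.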
8538 @@ -932,7 +935,7 @@ extern unsigned long thread_saved_pc(str
8539 #define task_pt_regs(task) \
8541 struct pt_regs *__regs__; \
8542 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8543 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
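Review bot: The comment directly above `task_pt_regs` still explains "the below -8", but this hunk removes the `-8` from the macro and takes the address from `(task)->thread.sp0` instead. The comment should say where the 8 reserved bytes now come from, for example `/* thread.sp0 already leaves 8 bytes free at the top of the ring0 stack */`. That has to hold for the initial task as well: `INIT_TSS` gains `- 8` in an earlier hunk, but `INIT_THREAD`'s `.sp0` appears there as an unchanged context line without it, so `task_pt_regs()` may be off by 8 bytes for that task unless `sp0` is adjusted elsewhere. The rest of the macro body is not visible in this listing.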
8547 @@ -942,13 +945,13 @@ extern unsigned long thread_saved_pc(str
8549 * User space process size. 47bits minus one guard page.
8551 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8552 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8554 /* This decides where the kernel will search for a free chunk of vm
8555 * space during mmap's.
8557 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8558 - 0xc0000000 : 0xFFFFe000)
8559 + 0xc0000000 : 0xFFFFf000)
8561 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8562 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
8563 @@ -985,6 +988,10 @@ extern void start_thread(struct pt_regs
8565 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8567 +#ifdef CONFIG_PAX_SEGMEXEC
8568 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8571 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8573 /* Get/set a process' ability to use the timestamp counter instruction */
8574 diff -urNp linux-2.6.35.7/arch/x86/include/asm/ptrace.h linux-2.6.35.7/arch/x86/include/asm/ptrace.h
8575 --- linux-2.6.35.7/arch/x86/include/asm/ptrace.h 2010-08-26 19:47:12.000000000 -0400
8576 +++ linux-2.6.35.7/arch/x86/include/asm/ptrace.h 2010-09-17 20:12:09.000000000 -0400
8577 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8581 - * user_mode_vm(regs) determines whether a register set came from user mode.
8582 + * user_mode(regs) determines whether a register set came from user mode.
8583 * This is true if V8086 mode was enabled OR if the register set was from
8584 * protected mode with RPL-3 CS value. This tricky test checks that with
8585 * one comparison. Many places in the kernel can bypass this full check
8586 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8587 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8590 -static inline int user_mode(struct pt_regs *regs)
8591 +static inline int user_mode_novm(struct pt_regs *regs)
8593 #ifdef CONFIG_X86_32
8594 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8596 - return !!(regs->cs & 3);
8597 + return !!(regs->cs & SEGMENT_RPL_MASK);
8601 -static inline int user_mode_vm(struct pt_regs *regs)
8602 +static inline int user_mode(struct pt_regs *regs)
8604 #ifdef CONFIG_X86_32
8605 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8608 - return user_mode(regs);
8609 + return user_mode_novm(regs);
8613 diff -urNp linux-2.6.35.7/arch/x86/include/asm/reboot.h linux-2.6.35.7/arch/x86/include/asm/reboot.h
8614 --- linux-2.6.35.7/arch/x86/include/asm/reboot.h 2010-08-26 19:47:12.000000000 -0400
8615 +++ linux-2.6.35.7/arch/x86/include/asm/reboot.h 2010-09-17 20:12:09.000000000 -0400
8616 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8618 void native_machine_crash_shutdown(struct pt_regs *regs);
8619 void native_machine_shutdown(void);
8620 -void machine_real_restart(const unsigned char *code, int length);
8621 +void machine_real_restart(const unsigned char *code, unsigned int length);
8623 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8624 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8625 diff -urNp linux-2.6.35.7/arch/x86/include/asm/rwsem.h linux-2.6.35.7/arch/x86/include/asm/rwsem.h
8626 --- linux-2.6.35.7/arch/x86/include/asm/rwsem.h 2010-08-26 19:47:12.000000000 -0400
8627 +++ linux-2.6.35.7/arch/x86/include/asm/rwsem.h 2010-09-17 20:12:09.000000000 -0400
8628 @@ -118,10 +118,26 @@ static inline void __down_read(struct rw
8630 asm volatile("# beginning down_read\n\t"
8631 LOCK_PREFIX _ASM_INC "(%1)\n\t"
8633 +#ifdef CONFIG_PAX_REFCOUNT
8634 +#ifdef CONFIG_X86_32
8640 + ".pushsection .fixup,\"ax\"\n"
8642 + LOCK_PREFIX _ASM_DEC "(%1)\n"
8645 + _ASM_EXTABLE(0b, 1b)
8648 /* adds 0x00000001, returns the old value */
8651 " call call_rwsem_down_read_failed\n"
8654 "# ending down_read\n\t"
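Review bot: The `CONFIG_PAX_REFCOUNT` block added inside this asm statement is repeated in every other hunk of rwsem.h and again in the `arch_read_lock`, `arch_write_lock`, `arch_read_unlock` and `arch_write_unlock` hunks of spinlock.h, with only the undo instruction in `.fixup` changing (`_ASM_DEC` here, `_ASM_SUB`, `addl`, `decl`, `subl` elsewhere). A single helper macro that takes the undo instruction as its argument would keep these copies from drifting apart and give one place to fix the sequence. The block is also undocumented; a comment such as `/* PAX_REFCOUNT: the .fixup path reverts the update before the exception table entry resumes */` would help, adjusted to what the lines missing from this listing actually do.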
8657 @@ -136,13 +152,29 @@ static inline int __down_read_trylock(st
8658 rwsem_count_t result, tmp;
8659 asm volatile("# beginning __down_read_trylock\n\t"
8667 +#ifdef CONFIG_PAX_REFCOUNT
8668 +#ifdef CONFIG_X86_32
8674 + ".pushsection .fixup,\"ax\"\n"
8679 + _ASM_EXTABLE(0b, 1b)
8683 LOCK_PREFIX " cmpxchg %2,%0\n\t"
8688 "# ending __down_read_trylock\n\t"
8689 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
8690 : "i" (RWSEM_ACTIVE_READ_BIAS)
8691 @@ -160,12 +192,28 @@ static inline void __down_write_nested(s
8692 tmp = RWSEM_ACTIVE_WRITE_BIAS;
8693 asm volatile("# beginning down_write\n\t"
8694 LOCK_PREFIX " xadd %1,(%2)\n\t"
8696 +#ifdef CONFIG_PAX_REFCOUNT
8697 +#ifdef CONFIG_X86_32
8703 + ".pushsection .fixup,\"ax\"\n"
8708 + _ASM_EXTABLE(0b, 1b)
8711 /* subtract 0x0000ffff, returns the old value */
8713 /* was the count 0 before? */
8716 " call call_rwsem_down_write_failed\n"
8719 "# ending down_write"
8720 : "+m" (sem->count), "=d" (tmp)
8721 : "a" (sem), "1" (tmp)
8722 @@ -198,10 +246,26 @@ static inline void __up_read(struct rw_s
8723 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
8724 asm volatile("# beginning __up_read\n\t"
8725 LOCK_PREFIX " xadd %1,(%2)\n\t"
8727 +#ifdef CONFIG_PAX_REFCOUNT
8728 +#ifdef CONFIG_X86_32
8734 + ".pushsection .fixup,\"ax\"\n"
8739 + _ASM_EXTABLE(0b, 1b)
8742 /* subtracts 1, returns the old value */
8745 " call call_rwsem_wake\n"
8748 "# ending __up_read\n"
8749 : "+m" (sem->count), "=d" (tmp)
8750 : "a" (sem), "1" (tmp)
8751 @@ -216,11 +280,27 @@ static inline void __up_write(struct rw_
8753 asm volatile("# beginning __up_write\n\t"
8754 LOCK_PREFIX " xadd %1,(%2)\n\t"
8756 +#ifdef CONFIG_PAX_REFCOUNT
8757 +#ifdef CONFIG_X86_32
8763 + ".pushsection .fixup,\"ax\"\n"
8768 + _ASM_EXTABLE(0b, 1b)
8771 /* tries to transition
8772 0xffff0001 -> 0x00000000 */
8775 " call call_rwsem_wake\n"
8778 "# ending __up_write\n"
8779 : "+m" (sem->count), "=d" (tmp)
8780 : "a" (sem), "1" (-RWSEM_ACTIVE_WRITE_BIAS)
8781 @@ -234,13 +314,29 @@ static inline void __downgrade_write(str
8783 asm volatile("# beginning __downgrade_write\n\t"
8784 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
8786 +#ifdef CONFIG_PAX_REFCOUNT
8787 +#ifdef CONFIG_X86_32
8793 + ".pushsection .fixup,\"ax\"\n"
8795 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
8798 + _ASM_EXTABLE(0b, 1b)
8802 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
8803 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
8807 " call call_rwsem_downgrade_wake\n"
8810 "# ending __downgrade_write\n"
8812 : "a" (sem), "er" (-RWSEM_WAITING_BIAS)
8813 @@ -253,7 +349,23 @@ static inline void __downgrade_write(str
8814 static inline void rwsem_atomic_add(rwsem_count_t delta,
8815 struct rw_semaphore *sem)
8817 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
8818 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
8820 +#ifdef CONFIG_PAX_REFCOUNT
8821 +#ifdef CONFIG_X86_32
8827 + ".pushsection .fixup,\"ax\"\n"
8829 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
8832 + _ASM_EXTABLE(0b, 1b)
8838 @@ -266,7 +378,23 @@ static inline rwsem_count_t rwsem_atomic
8840 rwsem_count_t tmp = delta;
8842 - asm volatile(LOCK_PREFIX "xadd %0,%1"
8843 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8845 +#ifdef CONFIG_PAX_REFCOUNT
8846 +#ifdef CONFIG_X86_32
8852 + ".pushsection .fixup,\"ax\"\n"
8857 + _ASM_EXTABLE(0b, 1b)
8860 : "+r" (tmp), "+m" (sem->count)
8863 diff -urNp linux-2.6.35.7/arch/x86/include/asm/segment.h linux-2.6.35.7/arch/x86/include/asm/segment.h
8864 --- linux-2.6.35.7/arch/x86/include/asm/segment.h 2010-08-26 19:47:12.000000000 -0400
8865 +++ linux-2.6.35.7/arch/x86/include/asm/segment.h 2010-09-17 20:12:09.000000000 -0400
8867 * 26 - ESPFIX small SS
8868 * 27 - per-cpu [ offset to per-cpu data area ]
8869 * 28 - stack_canary-20 [ for stack protector ]
8872 + * 29 - PCI BIOS CS
8873 + * 30 - PCI BIOS DS
8874 * 31 - TSS for double fault handler
8876 #define GDT_ENTRY_TLS_MIN 6
8879 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
8881 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
8883 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
8885 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
8887 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
8888 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
8890 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8891 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8893 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
8895 @@ -102,6 +104,12 @@
8896 #define __KERNEL_STACK_CANARY 0
8899 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
8900 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8902 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
8903 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8905 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
8911 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8912 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8913 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8918 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
8919 #define __USER32_DS __USER_DS
8921 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
8923 #define GDT_ENTRY_TSS 8 /* needs two entries */
8924 #define GDT_ENTRY_LDT 10 /* needs two entries */
8925 #define GDT_ENTRY_TLS_MIN 12
8929 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
8930 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
8931 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
8932 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
8933 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
8934 diff -urNp linux-2.6.35.7/arch/x86/include/asm/smp.h linux-2.6.35.7/arch/x86/include/asm/smp.h
8935 --- linux-2.6.35.7/arch/x86/include/asm/smp.h 2010-08-26 19:47:12.000000000 -0400
8936 +++ linux-2.6.35.7/arch/x86/include/asm/smp.h 2010-10-11 22:41:44.000000000 -0400
8937 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
8938 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
8939 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
8940 DECLARE_PER_CPU(u16, cpu_llc_id);
8941 -DECLARE_PER_CPU(int, cpu_number);
8942 +DECLARE_PER_CPU(unsigned int, cpu_number);
8944 static inline struct cpumask *cpu_sibling_mask(int cpu)
8946 diff -urNp linux-2.6.35.7/arch/x86/include/asm/spinlock.h linux-2.6.35.7/arch/x86/include/asm/spinlock.h
8947 --- linux-2.6.35.7/arch/x86/include/asm/spinlock.h 2010-08-26 19:47:12.000000000 -0400
8948 +++ linux-2.6.35.7/arch/x86/include/asm/spinlock.h 2010-09-17 20:12:09.000000000 -0400
8949 @@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
8950 static inline void arch_read_lock(arch_rwlock_t *rw)
8952 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
8954 - "call __read_lock_failed\n\t"
8956 +#ifdef CONFIG_PAX_REFCOUNT
8957 +#ifdef CONFIG_X86_32
8963 + ".pushsection .fixup,\"ax\"\n"
8965 + LOCK_PREFIX " addl $1,(%0)\n"
8968 + _ASM_EXTABLE(0b, 1b)
8972 + "call __read_lock_failed\n\t"
8974 ::LOCK_PTR_REG (rw) : "memory");
8977 static inline void arch_write_lock(arch_rwlock_t *rw)
8979 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
8981 - "call __write_lock_failed\n\t"
8983 +#ifdef CONFIG_PAX_REFCOUNT
8984 +#ifdef CONFIG_X86_32
8990 + ".pushsection .fixup,\"ax\"\n"
8992 + LOCK_PREFIX " addl %1,(%0)\n"
8995 + _ASM_EXTABLE(0b, 1b)
8999 + "call __write_lock_failed\n\t"
9001 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
9004 @@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
9006 static inline void arch_read_unlock(arch_rwlock_t *rw)
9008 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9009 + asm volatile(LOCK_PREFIX "incl %0\n"
9011 +#ifdef CONFIG_PAX_REFCOUNT
9012 +#ifdef CONFIG_X86_32
9018 + ".pushsection .fixup,\"ax\"\n"
9020 + LOCK_PREFIX "decl %0\n"
9023 + _ASM_EXTABLE(0b, 1b)
9026 + :"+m" (rw->lock) : : "memory");
9029 static inline void arch_write_unlock(arch_rwlock_t *rw)
9031 - asm volatile(LOCK_PREFIX "addl %1, %0"
9032 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9034 +#ifdef CONFIG_PAX_REFCOUNT
9035 +#ifdef CONFIG_X86_32
9041 + ".pushsection .fixup,\"ax\"\n"
9043 + LOCK_PREFIX "subl %1,%0\n"
9046 + _ASM_EXTABLE(0b, 1b)
9049 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9052 diff -urNp linux-2.6.35.7/arch/x86/include/asm/system.h linux-2.6.35.7/arch/x86/include/asm/system.h
9053 --- linux-2.6.35.7/arch/x86/include/asm/system.h 2010-08-26 19:47:12.000000000 -0400
9054 +++ linux-2.6.35.7/arch/x86/include/asm/system.h 2010-09-17 20:12:09.000000000 -0400
9055 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9057 unsigned long __limit;
9058 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9059 - return __limit + 1;
9063 static inline void native_clts(void)
9064 @@ -342,7 +342,7 @@ void enable_hlt(void);
9066 void cpu_idle_wait(void);
9068 -extern unsigned long arch_align_stack(unsigned long sp);
9069 +#define arch_align_stack(x) ((x) & ~0xfUL)
9070 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9072 void default_idle(void);
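Review bot: Replacing the `arch_align_stack()` prototype with a function-like macro drops the `unsigned long` parameter and return types; `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` does the same work with type checking. The out-of-line definition this replaces is not visible here; if it did more than align the pointer, for instance applying a random stack offset, a comment should say where that is now done, such as `/* alignment only; stack randomisation is applied elsewhere by PaX */`. The old definition also has to be removed in the same patch to avoid a conflicting declaration.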
9073 diff -urNp linux-2.6.35.7/arch/x86/include/asm/uaccess_32.h linux-2.6.35.7/arch/x86/include/asm/uaccess_32.h
9074 --- linux-2.6.35.7/arch/x86/include/asm/uaccess_32.h 2010-08-26 19:47:12.000000000 -0400
9075 +++ linux-2.6.35.7/arch/x86/include/asm/uaccess_32.h 2010-09-17 20:12:09.000000000 -0400
9076 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9077 static __always_inline unsigned long __must_check
9078 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9083 if (__builtin_constant_p(n)) {
9086 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9090 + if (!__builtin_constant_p(n))
9091 + check_object_size(from, n, true);
9092 return __copy_to_user_ll(to, from, n);
9095 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9096 static __always_inline unsigned long
9097 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9102 /* Avoid zeroing the tail if the copy fails..
9103 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9104 * but as the zeroing behaviour is only significant when n is not
9105 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9106 __copy_from_user(void *to, const void __user *from, unsigned long n)
9113 if (__builtin_constant_p(n)) {
9116 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9120 + if (!__builtin_constant_p(n))
9121 + check_object_size(to, n, false);
9122 return __copy_from_user_ll(to, from, n);
9125 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9126 const void __user *from, unsigned long n)
9133 if (__builtin_constant_p(n)) {
9136 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9137 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9140 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9145 -unsigned long __must_check copy_to_user(void __user *to,
9146 - const void *from, unsigned long n);
9147 -unsigned long __must_check _copy_from_user(void *to,
9148 - const void __user *from,
9150 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9153 +extern void copy_to_user_overflow(void)
9154 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9155 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9157 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9161 extern void copy_from_user_overflow(void)
9162 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9163 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9167 -static inline unsigned long __must_check copy_from_user(void *to,
9168 - const void __user *from,
9171 + * copy_to_user: - Copy a block of data into user space.
9172 + * @to: Destination address, in user space.
9173 + * @from: Source address, in kernel space.
9174 + * @n: Number of bytes to copy.
9176 + * Context: User context only. This function may sleep.
9178 + * Copy data from kernel space to user space.
9180 + * Returns number of bytes that could not be copied.
9181 + * On success, this will be zero.
9183 +static inline unsigned long __must_check
9184 +copy_to_user(void __user *to, const void *from, unsigned long n)
9186 + int sz = __compiletime_object_size(from);
9188 + if (unlikely(sz != -1 && sz < n))
9189 + copy_to_user_overflow();
9190 + else if (access_ok(VERIFY_WRITE, to, n))
9191 + n = __copy_to_user(to, from, n);
9196 + * copy_from_user: - Copy a block of data from user space.
9197 + * @to: Destination address, in kernel space.
9198 + * @from: Source address, in user space.
9199 + * @n: Number of bytes to copy.
9201 + * Context: User context only. This function may sleep.
9203 + * Copy data from user space to kernel space.
9205 + * Returns number of bytes that could not be copied.
9206 + * On success, this will be zero.
9208 + * If some data could not be copied, this function will pad the copied
9209 + * data to the requested size using zero bytes.
9211 +static inline unsigned long __must_check
9212 +copy_from_user(void *to, const void __user *from, unsigned long n)
9214 int sz = __compiletime_object_size(to);
9216 - if (likely(sz == -1 || sz >= n))
9217 - n = _copy_from_user(to, from, n);
9219 + if (unlikely(sz != -1 && sz < n))
9220 copy_from_user_overflow();
9222 + else if (access_ok(VERIFY_READ, from, n))
9223 + n = __copy_from_user(to, from, n);
9224 + else if ((long)n > 0) {
9225 + if (!__builtin_constant_p(n))
9226 + check_object_size(to, n, false);
9232 diff -urNp linux-2.6.35.7/arch/x86/include/asm/uaccess_64.h linux-2.6.35.7/arch/x86/include/asm/uaccess_64.h
9233 --- linux-2.6.35.7/arch/x86/include/asm/uaccess_64.h 2010-08-26 19:47:12.000000000 -0400
9234 +++ linux-2.6.35.7/arch/x86/include/asm/uaccess_64.h 2010-10-02 11:47:12.000000000 -0400
9236 #include <asm/alternative.h>
9237 #include <asm/cpufeature.h>
9238 #include <asm/page.h>
9239 +#include <asm/pgtable.h>
9241 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9244 * Copy To/From Userspace
9245 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
9249 -__must_check unsigned long
9250 -_copy_to_user(void __user *to, const void *from, unsigned len);
9251 -__must_check unsigned long
9252 -_copy_from_user(void *to, const void __user *from, unsigned len);
9253 +static __always_inline __must_check unsigned long
9254 +__copy_to_user(void __user *to, const void *from, unsigned len);
9255 +static __always_inline __must_check unsigned long
9256 +__copy_from_user(void *to, const void __user *from, unsigned len);
9257 __must_check unsigned long
9258 copy_in_user(void __user *to, const void __user *from, unsigned len);
9260 static inline unsigned long __must_check copy_from_user(void *to,
9261 const void __user *from,
9265 - int sz = __compiletime_object_size(to);
9268 - if (likely(sz == -1 || sz >= n))
9269 - n = _copy_from_user(to, from, n);
9270 -#ifdef CONFIG_DEBUG_VM
9272 - WARN(1, "Buffer overflow detected!\n");
9275 + if (access_ok(VERIFY_READ, from, n))
9276 + n = __copy_from_user(to, from, n);
9277 + else if ((int)n > 0) {
9278 + if (!__builtin_constant_p(n))
9279 + check_object_size(to, n, false);
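Review bot: The fallback branch of `copy_from_user` tests `(int)n > 0` here, while the 32-bit `copy_from_user` in uaccess_32.h tests `(long)n > 0`. If `n` is `unsigned long` in this function too (its declaration line is not shown in the hunk), the cast to `int` discards the upper 32 bits, so a length with bit 31 set skips the branch and a length above 4 GiB is judged by its low word only. `else if ((long)n > 0) {` would match the 32-bit variant. The body of the branch continues in lines that are missing from this listing.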
9285 @@ -65,17 +68,35 @@ int copy_to_user(void __user *dst, const
9289 - return _copy_to_user(dst, src, size);
9290 + if (access_ok(VERIFY_WRITE, dst, size))
9291 + size = __copy_to_user(dst, src, size);
9295 static __always_inline __must_check
9296 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9297 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9300 + int sz = __compiletime_object_size(dst);
9304 - if (!__builtin_constant_p(size))
9306 + if ((int)size < 0)
9309 + if (unlikely(sz != -1 && sz < size)) {
9310 +#ifdef CONFIG_DEBUG_VM
9311 + WARN(1, "Buffer overflow detected!\n");
9316 + if (!__builtin_constant_p(size)) {
9317 + check_object_size(dst, size, false);
9318 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9319 + src += PAX_USER_SHADOW_BASE;
9320 return copy_user_generic(dst, (__force void *)src, size);
9323 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9324 ret, "b", "b", "=q", 1);
9325 @@ -108,18 +129,36 @@ int __copy_from_user(void *dst, const vo
9326 ret, "q", "", "=r", 8);
9329 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9330 + src += PAX_USER_SHADOW_BASE;
9331 return copy_user_generic(dst, (__force void *)src, size);
9335 static __always_inline __must_check
9336 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9337 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9340 + int sz = __compiletime_object_size(src);
9344 - if (!__builtin_constant_p(size))
9346 + if ((int)size < 0)
9349 + if (unlikely(sz != -1 && sz < size)) {
9350 +#ifdef CONFIG_DEBUG_VM
9351 + WARN(1, "Buffer overflow detected!\n");
9356 + if (!__builtin_constant_p(size)) {
9357 + check_object_size(src, size, true);
9358 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9359 + dst += PAX_USER_SHADOW_BASE;
9360 return copy_user_generic((__force void *)dst, src, size);
9363 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9364 ret, "b", "b", "iq", 1);
9365 @@ -152,19 +191,30 @@ int __copy_to_user(void __user *dst, con
9366 ret, "q", "", "er", 8);
9369 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9370 + dst += PAX_USER_SHADOW_BASE;
9371 return copy_user_generic((__force void *)dst, src, size);
9375 static __always_inline __must_check
9376 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9377 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9383 - if (!__builtin_constant_p(size))
9385 + if ((int)size < 0)
9388 + if (!__builtin_constant_p(size)) {
9389 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9390 + src += PAX_USER_SHADOW_BASE;
9391 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9392 + dst += PAX_USER_SHADOW_BASE;
9393 return copy_user_generic((__force void *)dst,
9394 (__force void *)src, size);
9399 @@ -204,6 +254,10 @@ int __copy_in_user(void __user *dst, con
9403 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9404 + src += PAX_USER_SHADOW_BASE;
9405 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9406 + dst += PAX_USER_SHADOW_BASE;
9407 return copy_user_generic((__force void *)dst,
9408 (__force void *)src, size);
9410 @@ -222,33 +276,45 @@ __must_check unsigned long __clear_user(
9411 static __must_check __always_inline int
9412 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9414 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9415 + src += PAX_USER_SHADOW_BASE;
9416 return copy_user_generic(dst, (__force const void *)src, size);
9419 -static __must_check __always_inline int
9420 +static __must_check __always_inline unsigned long
9421 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9423 + if ((int)size < 0)
9426 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9427 + dst += PAX_USER_SHADOW_BASE;
9428 return copy_user_generic((__force void *)dst, src, size);
9431 -extern long __copy_user_nocache(void *dst, const void __user *src,
9432 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9433 unsigned size, int zerorest);
9436 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9437 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9441 + if ((int)size < 0)
9444 return __copy_user_nocache(dst, src, size, 1);
9448 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9449 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9452 + if ((int)size < 0)
9455 return __copy_user_nocache(dst, src, size, 0);
9459 +extern unsigned long
9460 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9462 #endif /* _ASM_X86_UACCESS_64_H */
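Review bot: `__copy_from_user_inatomic` keeps its `int` return type and, in the lines shown, gains only the PAX_USER_SHADOW_BASE adjustment, while `__copy_to_user_inatomic` directly below it is switched to `unsigned long` and gets the `(int)size < 0` guard. The other copy helpers touched in this file were converted the same way, so the asymmetry looks like an omission rather than intent. Proposed: declare it `static __must_check __always_inline unsigned long` and add the same early guard before the shadow adjustment; the guard's body is not visible in this listing, so copy it from the sibling function rather than from this note.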
9463 diff -urNp linux-2.6.35.7/arch/x86/include/asm/uaccess.h linux-2.6.35.7/arch/x86/include/asm/uaccess.h
9464 --- linux-2.6.35.7/arch/x86/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
9465 +++ linux-2.6.35.7/arch/x86/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
9467 #include <linux/thread_info.h>
9468 #include <linux/prefetch.h>
9469 #include <linux/string.h>
9470 +#include <linux/sched.h>
9471 #include <asm/asm.h>
9472 #include <asm/page.h>
9474 #define VERIFY_READ 0
9475 #define VERIFY_WRITE 1
9477 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9480 * The fs value determines whether argument validity checking should be
9481 * performed or not. If get_fs() == USER_DS, checking is performed, with
9484 #define get_ds() (KERNEL_DS)
9485 #define get_fs() (current_thread_info()->addr_limit)
9486 +#ifdef CONFIG_X86_32
9487 +void __set_fs(mm_segment_t x, int cpu);
9488 +void set_fs(mm_segment_t x);
9490 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9493 #define segment_eq(a, b) ((a).seg == (b).seg)
9496 * checks that the pointer is in the user space range - after calling
9497 * this function, memory access functions may still return -EFAULT.
9499 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9500 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9501 +#define access_ok(type, addr, size) \
9503 + long __size = size; \
9504 + unsigned long __addr = (unsigned long)addr; \
9505 + unsigned long __addr_ao = __addr & PAGE_MASK; \
9506 + unsigned long __end_ao = __addr + __size - 1; \
9507 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9508 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9509 + while(__addr_ao <= __end_ao) { \
9511 + __addr_ao += PAGE_SIZE; \
9512 + if (__size > PAGE_SIZE) \
9514 + if (__get_user(__c_ao, (char __user *)__addr)) \
9516 + if (type != VERIFY_WRITE) { \
9517 + __addr = __addr_ao; \
9520 + if (__put_user(__c_ao, (char __user *)__addr)) \
9522 + __addr = __addr_ao; \
9529 * The exception table consists of pairs of addresses: the first is the
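Review bot: The new `access_ok()` uses its arguments unparenthesized, and `(unsigned long)addr` is the risky one: with an argument like `p + i` the cast binds to `p` alone, so the offset is added in bytes instead of elements. `long __size = size;` and `type != VERIFY_WRITE` have the same weakness; write `(unsigned long)(addr)`, `long __size = (size);` and `(type) != VERIFY_WRITE`. The macro also now reads one byte per page of the range and, for VERIFY_WRITE, writes it back, so unlike the one-line `__access_ok()` it touches user memory and can fault. A comment above the macro should say so and tell callers when to use `__access_ok()` instead. Several lines of the macro body are missing from this listing.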
9530 @@ -183,13 +217,21 @@ extern int __get_user_bad(void);
9531 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9532 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9535 +#ifdef CONFIG_X86_32
9536 +#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
9537 +#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
9539 +#define _ASM_LOAD_USER_DS(ds)
9540 +#define _ASM_LOAD_KERNEL_DS
9543 #ifdef CONFIG_X86_32
9544 #define __put_user_asm_u64(x, addr, err, errret) \
9545 - asm volatile("1: movl %%eax,0(%2)\n" \
9546 - "2: movl %%edx,4(%2)\n" \
9547 + asm volatile(_ASM_LOAD_USER_DS(5) \
9548 + "1: movl %%eax,%%ds:0(%2)\n" \
9549 + "2: movl %%edx,%%ds:4(%2)\n" \
9551 + _ASM_LOAD_KERNEL_DS \
9552 ".section .fixup,\"ax\"\n" \
9555 @@ -197,15 +239,18 @@ extern int __get_user_bad(void);
9556 _ASM_EXTABLE(1b, 4b) \
9557 _ASM_EXTABLE(2b, 4b) \
9559 - : "A" (x), "r" (addr), "i" (errret), "0" (err))
9560 + : "A" (x), "r" (addr), "i" (errret), "0" (err), \
9563 #define __put_user_asm_ex_u64(x, addr) \
9564 - asm volatile("1: movl %%eax,0(%1)\n" \
9565 - "2: movl %%edx,4(%1)\n" \
9566 + asm volatile(_ASM_LOAD_USER_DS(2) \
9567 + "1: movl %%eax,%%ds:0(%1)\n" \
9568 + "2: movl %%edx,%%ds:4(%1)\n" \
9570 + _ASM_LOAD_KERNEL_DS \
9571 _ASM_EXTABLE(1b, 2b - 1b) \
9572 _ASM_EXTABLE(2b, 3b - 2b) \
9573 - : : "A" (x), "r" (addr))
9574 + : : "A" (x), "r" (addr), "r"(__USER_DS))
9576 #define __put_user_x8(x, ptr, __ret_pu) \
9577 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
9578 @@ -374,16 +419,18 @@ do { \
9581 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9582 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9583 + asm volatile(_ASM_LOAD_USER_DS(5) \
9584 + "1: mov"itype" %%ds:%2,%"rtype"1\n" \
9586 + _ASM_LOAD_KERNEL_DS \
9587 ".section .fixup,\"ax\"\n" \
9589 " xor"itype" %"rtype"1,%"rtype"1\n" \
9592 _ASM_EXTABLE(1b, 3b) \
9593 - : "=r" (err), ltype(x) \
9594 - : "m" (__m(addr)), "i" (errret), "0" (err))
9595 + : "=r" (err), ltype (x) \
9596 + : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
9598 #define __get_user_size_ex(x, ptr, size) \
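Review bot: `_ASM_LOAD_USER_DS(5)` refers to the `"r"(__USER_DS)` input by position, so `__get_user_asm` silently breaks if a constraint is added or reordered; the same coupling is in `__put_user_asm_u64`, `__put_user_asm_ex_u64`, `__get_user_asm_ex`, `__put_user_asm` and `__put_user_asm_ex`. A named operand removes it: `[user_ds] "r"(__USER_DS)` in the constraint list and `"movw %w[user_ds],%%ds\n"` in the macro. Separately, the non-X86_32 definitions of `_ASM_LOAD_USER_DS` and `_ASM_LOAD_KERNEL_DS` are empty while the `"r"(__USER_DS)` input is added unconditionally here, so 64-bit builds appear to tie up a register for an operand the template never references.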
9600 @@ -407,10 +454,12 @@ do { \
9603 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9604 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9605 + asm volatile(_ASM_LOAD_USER_DS(2) \
9606 + "1: mov"itype" %%ds:%1,%"rtype"0\n" \
9608 + _ASM_LOAD_KERNEL_DS \
9609 _ASM_EXTABLE(1b, 2b - 1b) \
9610 - : ltype(x) : "m" (__m(addr)))
9611 + : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
9613 #define __put_user_nocheck(x, ptr, size) \
9615 @@ -424,13 +473,24 @@ do { \
9617 unsigned long __gu_val; \
9618 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9619 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
9620 + (x) = (__typeof__(*(ptr)))__gu_val; \
9624 /* FIXME: this hack is definitely wrong -AK */
9625 struct __large_struct { unsigned long buf[100]; };
9626 -#define __m(x) (*(struct __large_struct __user *)(x))
9627 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9630 + unsigned long ____x = (unsigned long)(x); \
9631 + if (____x < PAX_USER_SHADOW_BASE) \
9632 + ____x += PAX_USER_SHADOW_BASE; \
9633 + (void __user *)____x; \
9636 +#define ____m(x) (x)
9638 +#define __m(x) (*(struct __large_struct __user *)____m(x))
9641 * Tell gcc we read from memory instead of writing: this is because
9642 @@ -438,21 +498,26 @@ struct __large_struct { unsigned long bu
9645 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9646 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9647 + asm volatile(_ASM_LOAD_USER_DS(5) \
9648 + "1: mov"itype" %"rtype"1,%%ds:%2\n" \
9650 + _ASM_LOAD_KERNEL_DS \
9651 ".section .fixup,\"ax\"\n" \
9655 _ASM_EXTABLE(1b, 3b) \
9657 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9658 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
9661 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9662 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9663 + asm volatile(_ASM_LOAD_USER_DS(2) \
9664 + "1: mov"itype" %"rtype"0,%%ds:%1\n" \
9666 + _ASM_LOAD_KERNEL_DS \
9667 _ASM_EXTABLE(1b, 2b - 1b) \
9668 - : : ltype(x), "m" (__m(addr)))
9669 + : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
9672 * uaccess_try and catch
9673 @@ -530,7 +595,7 @@ struct __large_struct { unsigned long bu
9674 #define get_user_ex(x, ptr) do { \
9675 unsigned long __gue_val; \
9676 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
9677 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
9678 + (x) = (__typeof__(*(ptr)))__gue_val; \
9681 #ifdef CONFIG_X86_WP_WORKS_OK
9682 @@ -567,6 +632,7 @@ extern struct movsl_mask {
9684 #define ARCH_HAS_NOCACHE_UACCESS 1
9686 +#define ARCH_HAS_SORT_EXTABLE
9687 #ifdef CONFIG_X86_32
9688 # include "uaccess_32.h"
9690 diff -urNp linux-2.6.35.7/arch/x86/include/asm/vgtod.h linux-2.6.35.7/arch/x86/include/asm/vgtod.h
9691 --- linux-2.6.35.7/arch/x86/include/asm/vgtod.h 2010-08-26 19:47:12.000000000 -0400
9692 +++ linux-2.6.35.7/arch/x86/include/asm/vgtod.h 2010-09-17 20:12:09.000000000 -0400
9693 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
9695 struct timezone sys_tz;
9696 struct { /* extract of a clocksource struct */
9698 cycle_t (*vread)(void);
9701 diff -urNp linux-2.6.35.7/arch/x86/include/asm/vmi.h linux-2.6.35.7/arch/x86/include/asm/vmi.h
9702 --- linux-2.6.35.7/arch/x86/include/asm/vmi.h 2010-08-26 19:47:12.000000000 -0400
9703 +++ linux-2.6.35.7/arch/x86/include/asm/vmi.h 2010-09-17 20:12:09.000000000 -0400
9704 @@ -191,6 +191,7 @@ struct vrom_header {
9705 u8 reserved[96]; /* Reserved for headers */
9706 char vmi_init[8]; /* VMI_Init jump point */
9707 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
9708 + char rom_data[8048]; /* rest of the option ROM */
9709 } __attribute__((packed));
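Review bot: `char rom_data[8048]` introduces an unexplained literal into a packed on-ROM layout. The comment says "rest of the option ROM", so the number presumably pads `struct vrom_header` to the full ROM image size, but the fields above `reserved[96]` are outside the hunk and the sum cannot be checked here. Derive the length from a named ROM-size constant, or pin it with `BUILD_BUG_ON(sizeof(struct vrom_header) != VROM_IMAGE_SIZE)` (constant name is a placeholder), so the compiler verifies the intent.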
9712 diff -urNp linux-2.6.35.7/arch/x86/include/asm/vsyscall.h linux-2.6.35.7/arch/x86/include/asm/vsyscall.h
9713 --- linux-2.6.35.7/arch/x86/include/asm/vsyscall.h 2010-08-26 19:47:12.000000000 -0400
9714 +++ linux-2.6.35.7/arch/x86/include/asm/vsyscall.h 2010-09-17 20:12:09.000000000 -0400
9715 @@ -15,9 +15,10 @@ enum vsyscall_num {
9718 #include <linux/seqlock.h>
9719 +#include <linux/getcpu.h>
9720 +#include <linux/time.h>
9722 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
9723 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
9725 /* Definitions for CONFIG_GENERIC_TIME definitions */
9726 #define __section_vsyscall_gtod_data __attribute__ \
9727 @@ -31,7 +32,6 @@ enum vsyscall_num {
9728 #define VGETCPU_LSL 2
9730 extern int __vgetcpu_mode;
9731 -extern volatile unsigned long __jiffies;
9733 /* kernel space (writeable) */
9734 extern int vgetcpu_mode;
9735 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
9737 extern void map_vsyscall(void);
9739 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
9740 +extern time_t vtime(time_t *t);
9741 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
9742 #endif /* __KERNEL__ */
9744 #endif /* _ASM_X86_VSYSCALL_H */
9745 diff -urNp linux-2.6.35.7/arch/x86/include/asm/xsave.h linux-2.6.35.7/arch/x86/include/asm/xsave.h
9746 --- linux-2.6.35.7/arch/x86/include/asm/xsave.h 2010-08-26 19:47:12.000000000 -0400
9747 +++ linux-2.6.35.7/arch/x86/include/asm/xsave.h 2010-09-17 20:12:09.000000000 -0400
9748 @@ -59,6 +59,12 @@ static inline int fpu_xrstor_checking(st
9749 static inline int xsave_user(struct xsave_struct __user *buf)
9753 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9754 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
9755 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
9758 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
9760 ".section .fixup,\"ax\"\n"
9761 @@ -85,6 +91,11 @@ static inline int xrestore_user(struct x
9763 u32 hmask = mask >> 32;
9765 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9766 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
9767 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
9770 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
9772 ".section .fixup,\"ax\"\n"
9773 diff -urNp linux-2.6.35.7/arch/x86/Kconfig linux-2.6.35.7/arch/x86/Kconfig
9774 --- linux-2.6.35.7/arch/x86/Kconfig 2010-08-26 19:47:12.000000000 -0400
9775 +++ linux-2.6.35.7/arch/x86/Kconfig 2010-09-17 20:12:37.000000000 -0400
9776 @@ -1038,7 +1038,7 @@ choice
9780 - depends on !X86_NUMAQ
9781 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9783 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
9784 However, the address space of 32-bit x86 processors is only 4
9785 @@ -1075,7 +1075,7 @@ config NOHIGHMEM
9789 - depends on !X86_NUMAQ
9790 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9792 Select this if you have a 32-bit processor and between 1 and 4
9793 gigabytes of physical RAM.
9794 @@ -1129,7 +1129,7 @@ config PAGE_OFFSET
9796 default 0xB0000000 if VMSPLIT_3G_OPT
9797 default 0x80000000 if VMSPLIT_2G
9798 - default 0x78000000 if VMSPLIT_2G_OPT
9799 + default 0x70000000 if VMSPLIT_2G_OPT
9800 default 0x40000000 if VMSPLIT_1G
9803 @@ -1461,7 +1461,7 @@ config ARCH_USES_PG_UNCACHED
9806 bool "EFI runtime service support"
9808 + depends on ACPI && !PAX_KERNEXEC
9810 This enables the kernel to use EFI runtime services that are
9811 available (such as the EFI variable services).
9812 @@ -1548,6 +1548,7 @@ config KEXEC_JUMP
9813 config PHYSICAL_START
9814 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
9816 + range 0x400000 0x40000000
9818 This gives the physical address where the kernel is loaded.
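Review bot: `range 0x400000 0x40000000` is added to PHYSICAL_START without a condition, so it constrains every x86 configuration, whereas the matching limit on PHYSICAL_ALIGN in the next hunk is written `range 0x400000 0x1000000 if PAX_KERNEXEC`. If the lower bound is needed only for KERNEXEC, `range 0x400000 0x40000000 if PAX_KERNEXEC` leaves other configurations as they were. If it is meant for all builds, the help text should say why load addresses below 4 MiB are no longer accepted.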
9820 @@ -1611,6 +1612,7 @@ config X86_NEED_RELOCS
9821 config PHYSICAL_ALIGN
9822 hex "Alignment value to which kernel should be aligned" if X86_32
9824 + range 0x400000 0x1000000 if PAX_KERNEXEC
9825 range 0x2000 0x1000000
9827 This value puts the alignment restrictions on physical address
9828 @@ -1642,9 +1644,10 @@ config HOTPLUG_CPU
9829 Say N if you want to disable CPU hotplug.
9834 prompt "Compat VDSO support"
9835 depends on X86_32 || IA32_EMULATION
9836 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
9838 Map the 32-bit VDSO to the predictable old-style address too.
9840 diff -urNp linux-2.6.35.7/arch/x86/Kconfig.cpu linux-2.6.35.7/arch/x86/Kconfig.cpu
9841 --- linux-2.6.35.7/arch/x86/Kconfig.cpu 2010-08-26 19:47:12.000000000 -0400
9842 +++ linux-2.6.35.7/arch/x86/Kconfig.cpu 2010-09-17 20:12:09.000000000 -0400
9843 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
9847 - depends on M586MMX || M586TSC || M586 || M486 || M386
9848 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
9852 @@ -360,7 +360,7 @@ config X86_POPAD_OK
9854 config X86_ALIGNMENT_16
9856 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9857 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9859 config X86_INTEL_USERCOPY
9861 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
9865 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9866 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9868 config X86_MINIMUM_CPU_FAMILY
9870 diff -urNp linux-2.6.35.7/arch/x86/Kconfig.debug linux-2.6.35.7/arch/x86/Kconfig.debug
9871 --- linux-2.6.35.7/arch/x86/Kconfig.debug 2010-08-26 19:47:12.000000000 -0400
9872 +++ linux-2.6.35.7/arch/x86/Kconfig.debug 2010-09-17 20:12:09.000000000 -0400
9873 @@ -97,7 +97,7 @@ config X86_PTDUMP
9875 bool "Write protect kernel read-only data structures"
9877 - depends on DEBUG_KERNEL
9878 + depends on DEBUG_KERNEL && BROKEN
9880 Mark the kernel read-only data as write-protected in the pagetables,
9881 in order to catch accidental (and incorrect) writes to such const
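Review bot: `depends on DEBUG_KERNEL && BROKEN` makes this option unselectable in normal builds, yet the help text below still presents it as a usable debugging aid and gives no reason. Add the reason next to the dependency, e.g. `# disabled: superseded by [placeholder: replacing option]`, or extend the help text with one sentence naming what provides read-only kernel data in this tree. Without it, someone auditing a config cannot tell whether read-only data protection is absent or provided by another option.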
9882 diff -urNp linux-2.6.35.7/arch/x86/kernel/acpi/boot.c linux-2.6.35.7/arch/x86/kernel/acpi/boot.c
9883 --- linux-2.6.35.7/arch/x86/kernel/acpi/boot.c 2010-08-26 19:47:12.000000000 -0400
9884 +++ linux-2.6.35.7/arch/x86/kernel/acpi/boot.c 2010-09-17 20:12:09.000000000 -0400
9885 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
9886 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
9890 + { NULL, NULL, {{0, {0}}}, NULL}
9894 diff -urNp linux-2.6.35.7/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.35.7/arch/x86/kernel/acpi/realmode/wakeup.S
9895 --- linux-2.6.35.7/arch/x86/kernel/acpi/realmode/wakeup.S 2010-08-26 19:47:12.000000000 -0400
9896 +++ linux-2.6.35.7/arch/x86/kernel/acpi/realmode/wakeup.S 2010-09-17 20:12:09.000000000 -0400
9897 @@ -104,7 +104,7 @@ _start:
9901 - movl $0xc0000080, %ecx
9902 + mov $MSR_EFER, %ecx
9906 diff -urNp linux-2.6.35.7/arch/x86/kernel/acpi/sleep.c linux-2.6.35.7/arch/x86/kernel/acpi/sleep.c
9907 --- linux-2.6.35.7/arch/x86/kernel/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
9908 +++ linux-2.6.35.7/arch/x86/kernel/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
9910 #include <linux/cpumask.h>
9911 #include <asm/segment.h>
9912 #include <asm/desc.h>
9913 +#include <asm/e820.h>
9915 #include "realmode/wakeup.h"
9918 -unsigned long acpi_wakeup_address;
9919 +unsigned long acpi_wakeup_address = 0x2000;
9920 unsigned long acpi_realmode_flags;
9922 /* address in low memory of the wakeup routine. */
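Review bot: `acpi_wakeup_address` now starts at the literal `0x2000` with no named constant and no comment. Nothing in the hunk shows who reserves that low-memory range or whether a later assignment still overwrites the variable. The added `#include <asm/e820.h>` suggests a reservation exists, but it is not in the lines shown. Proposed: `#define ACPI_WAKEUP_ADDR 0x2000UL /* reserved in [placeholder: reservation site] */` and initialise the variable from it, so the fixed address and its reservation stay tied together.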
9923 @@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
9924 header->trampoline_segment = setup_trampoline() >> 4;
9926 stack_start.sp = temp_stack + sizeof(temp_stack);
9928 + pax_open_kernel();
9929 early_gdt_descr.address =
9930 (unsigned long)get_cpu_gdt_table(smp_processor_id());
9931 + pax_close_kernel();
9933 initial_gs = per_cpu_offset(smp_processor_id());
9935 initial_code = (unsigned long)wakeup_long64;
9936 diff -urNp linux-2.6.35.7/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.35.7/arch/x86/kernel/acpi/wakeup_32.S
9937 --- linux-2.6.35.7/arch/x86/kernel/acpi/wakeup_32.S 2010-08-26 19:47:12.000000000 -0400
9938 +++ linux-2.6.35.7/arch/x86/kernel/acpi/wakeup_32.S 2010-09-17 20:12:09.000000000 -0400
9939 @@ -30,13 +30,11 @@ wakeup_pmode_return:
9940 # and restore the stack ... but you need gdt for this to work
9941 movl saved_context_esp, %esp
9943 - movl %cs:saved_magic, %eax
9944 - cmpl $0x12345678, %eax
9945 + cmpl $0x12345678, saved_magic
9948 # jump to place where we left off
9949 - movl saved_eip, %eax
9955 diff -urNp linux-2.6.35.7/arch/x86/kernel/alternative.c linux-2.6.35.7/arch/x86/kernel/alternative.c
9956 --- linux-2.6.35.7/arch/x86/kernel/alternative.c 2010-08-26 19:47:12.000000000 -0400
9957 +++ linux-2.6.35.7/arch/x86/kernel/alternative.c 2010-09-17 20:12:09.000000000 -0400
9958 @@ -247,7 +247,7 @@ static void alternatives_smp_lock(const
9959 if (!*poff || ptr < text || ptr >= text_end)
9961 /* turn DS segment override prefix into lock prefix */
9963 + if (*ktla_ktva(ptr) == 0x3e)
9964 text_poke(ptr, ((unsigned char []){0xf0}), 1);
9966 mutex_unlock(&text_mutex);
9967 @@ -268,7 +268,7 @@ static void alternatives_smp_unlock(cons
9968 if (!*poff || ptr < text || ptr >= text_end)
9970 /* turn lock prefix into DS segment override prefix */
9972 + if (*ktla_ktva(ptr) == 0xf0)
9973 text_poke(ptr, ((unsigned char []){0x3E}), 1);
9975 mutex_unlock(&text_mutex);
9976 @@ -436,7 +436,7 @@ void __init_or_module apply_paravirt(str
9978 BUG_ON(p->len > MAX_PATCH_LEN);
9979 /* prep the buffer with the original instructions */
9980 - memcpy(insnbuf, p->instr, p->len);
9981 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
9982 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
9983 (unsigned long)p->instr, p->len);
9985 @@ -504,7 +504,7 @@ void __init alternative_instructions(voi
9987 free_init_pages("SMP alternatives",
9988 (unsigned long)__smp_locks,
9989 - (unsigned long)__smp_locks_end);
9990 + PAGE_ALIGN((unsigned long)__smp_locks_end));
9994 @@ -521,13 +521,17 @@ void __init alternative_instructions(voi
9995 * instructions. And on the local CPU you need to be protected again NMI or MCE
9996 * handlers seeing an inconsistent instruction while you patch.
9998 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
9999 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
10002 unsigned long flags;
10003 local_irq_save(flags);
10004 - memcpy(addr, opcode, len);
10006 + pax_open_kernel();
10007 + memcpy(ktla_ktva(addr), opcode, len);
10009 + pax_close_kernel();
10011 local_irq_restore(flags);
10012 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10013 that causes hangs on some VIA CPUs. */
10014 @@ -549,36 +553,22 @@ static void *__init_or_module text_poke_
10016 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10018 - unsigned long flags;
10020 + unsigned char *vaddr = ktla_ktva(addr);
10021 struct page *pages[2];
10025 if (!core_kernel_text((unsigned long)addr)) {
10026 - pages[0] = vmalloc_to_page(addr);
10027 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10028 + pages[0] = vmalloc_to_page(vaddr);
10029 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10031 - pages[0] = virt_to_page(addr);
10032 + pages[0] = virt_to_page(vaddr);
10033 WARN_ON(!PageReserved(pages[0]));
10034 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10035 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10038 - local_irq_save(flags);
10039 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10041 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10042 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10043 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10044 - clear_fixmap(FIX_TEXT_POKE0);
10046 - clear_fixmap(FIX_TEXT_POKE1);
10047 - local_flush_tlb();
10049 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10050 - that causes hangs on some VIA CPUs. */
10051 + text_poke_early(addr, opcode, len);
10052 for (i = 0; i < len; i++)
10053 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10054 - local_irq_restore(flags);
10055 + BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
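Review bot: `text_poke()` now writes through `text_poke_early()`, but the `pages[]` lookups are kept even though nothing in the new lines consumes `pages[1]`, and `pages[0]` only feeds `WARN_ON(!PageReserved(pages[0]))`. Either drop `pages[1] = virt_to_page(vaddr + PAGE_SIZE);` and its vmalloc twin, or add `/* lookups kept as sanity checks only; the write goes through the kernel mapping */`. The verification loop also moved: the removed code ran its `BUG_ON` before `local_irq_restore(flags)`, whereas the new loop runs after `text_poke_early()` has already restored interrupts, which deserves a comment if intended. Some lines of the function are missing from this listing, so the unused-lookup point should be confirmed against the full file.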
10059 diff -urNp linux-2.6.35.7/arch/x86/kernel/amd_iommu.c linux-2.6.35.7/arch/x86/kernel/amd_iommu.c
10060 --- linux-2.6.35.7/arch/x86/kernel/amd_iommu.c 2010-08-26 19:47:12.000000000 -0400
10061 +++ linux-2.6.35.7/arch/x86/kernel/amd_iommu.c 2010-09-17 20:12:09.000000000 -0400
10062 @@ -2284,7 +2284,7 @@ static void prealloc_protection_domains(
10066 -static struct dma_map_ops amd_iommu_dma_ops = {
10067 +static const struct dma_map_ops amd_iommu_dma_ops = {
10068 .alloc_coherent = alloc_coherent,
10069 .free_coherent = free_coherent,
10070 .map_page = map_page,
10071 diff -urNp linux-2.6.35.7/arch/x86/kernel/apic/io_apic.c linux-2.6.35.7/arch/x86/kernel/apic/io_apic.c
10072 --- linux-2.6.35.7/arch/x86/kernel/apic/io_apic.c 2010-09-20 17:33:09.000000000 -0400
10073 +++ linux-2.6.35.7/arch/x86/kernel/apic/io_apic.c 2010-09-20 17:33:32.000000000 -0400
10074 @@ -691,7 +691,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10075 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10077 if (!ioapic_entries)
10081 for (apic = 0; apic < nr_ioapics; apic++) {
10082 ioapic_entries[apic] =
10083 @@ -708,7 +708,7 @@ nomem:
10084 kfree(ioapic_entries[apic]);
10085 kfree(ioapic_entries);
10092 @@ -1118,7 +1118,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10094 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10096 -void lock_vector_lock(void)
10097 +void lock_vector_lock(void) __acquires(vector_lock)
10099 /* Used to the online set of cpus does not change
10100 * during assign_irq_vector.
10101 @@ -1126,7 +1126,7 @@ void lock_vector_lock(void)
10102 raw_spin_lock(&vector_lock);
10105 -void unlock_vector_lock(void)
10106 +void unlock_vector_lock(void) __releases(vector_lock)
10108 raw_spin_unlock(&vector_lock);
10110 diff -urNp linux-2.6.35.7/arch/x86/kernel/apm_32.c linux-2.6.35.7/arch/x86/kernel/apm_32.c
10111 --- linux-2.6.35.7/arch/x86/kernel/apm_32.c 2010-08-26 19:47:12.000000000 -0400
10112 +++ linux-2.6.35.7/arch/x86/kernel/apm_32.c 2010-09-17 20:12:09.000000000 -0400
10113 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10114 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10115 * even though they are called in protected mode.
10117 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10118 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10119 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10121 static const char driver_version[] = "1.16ac"; /* no spaces */
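Review bot: The descriptor flags of `bad_bios_desc` change from 0x4092 to 0x4093 on the same line that adds `const`, and nothing says why. The only difference is bit 0 of the type field, the accessed bit. Presumably it is pre-set so the CPU never has to write it back into a descriptor that is now constant, but that is inferred from the rest of the patch rather than stated. A one-line comment above the definition would keep a later cleanup from reverting the value, for example `/* accessed bit pre-set (0x4093): loading this segment must not require a write to the descriptor */`.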
10122 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10124 gdt = get_cpu_gdt_table(cpu);
10125 save_desc_40 = gdt[0x40 / 8];
10127 + pax_open_kernel();
10128 gdt[0x40 / 8] = bad_bios_desc;
10129 + pax_close_kernel();
10131 apm_irq_save(flags);
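Review bot: The open/store/close triple around `gdt[0x40 / 8]` is written out four times, here and in the three following hunks of `__apm_bios_call` and `__apm_bios_call_simple`. Each copy is a place where a later edit can widen the window or lose the `pax_close_kernel()`, so a single static helper would keep the write window in one spot that can be audited. The first store of each pair also runs before `apm_irq_save(flags)`, so whether an interrupt can arrive inside the window depends on what `pax_open_kernel()` does, which is not visible here and deserves a comment. Both functions start and end outside these hunks.

```c
/*
 * Store one descriptor into GDT slot 0x40 / 8 inside a single
 * pax_open_kernel()/pax_close_kernel() window.
 */
static void apm_set_desc_40(struct desc_struct *gdt,
			    const struct desc_struct *desc)
{
	pax_open_kernel();
	gdt[0x40 / 8] = *desc;
	pax_close_kernel();
}

/* … unchanged: gdt = get_cpu_gdt_table(cpu); save_desc_40 = gdt[0x40 / 8]; … */
	apm_set_desc_40(gdt, &bad_bios_desc);
/* … unchanged: BIOS call between apm_irq_save() and apm_irq_restore() … */
	apm_set_desc_40(gdt, &save_desc_40);
```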
10133 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10135 APM_DO_RESTORE_SEGS;
10136 apm_irq_restore(flags);
10138 + pax_open_kernel();
10139 gdt[0x40 / 8] = save_desc_40;
10140 + pax_close_kernel();
10144 return call->eax & 0xff;
10145 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10147 gdt = get_cpu_gdt_table(cpu);
10148 save_desc_40 = gdt[0x40 / 8];
10150 + pax_open_kernel();
10151 gdt[0x40 / 8] = bad_bios_desc;
10152 + pax_close_kernel();
10154 apm_irq_save(flags);
10156 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10158 APM_DO_RESTORE_SEGS;
10159 apm_irq_restore(flags);
10161 + pax_open_kernel();
10162 gdt[0x40 / 8] = save_desc_40;
10163 + pax_close_kernel();
10168 @@ -975,7 +989,7 @@ recalc:
10170 static void apm_power_off(void)
10172 - unsigned char po_bios_call[] = {
10173 + const unsigned char po_bios_call[] = {
10174 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10175 0x8e, 0xd0, /* movw ax,ss */
10176 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10177 @@ -1931,7 +1945,10 @@ static const struct file_operations apm_
10178 static struct miscdevice apm_device = {
10189 @@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
10190 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10194 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10198 @@ -2355,12 +2372,15 @@ static int __init apm_init(void)
10199 * code to that CPU.
10201 gdt = get_cpu_gdt_table(0);
10203 + pax_open_kernel();
10204 set_desc_base(&gdt[APM_CS >> 3],
10205 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10206 set_desc_base(&gdt[APM_CS_16 >> 3],
10207 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10208 set_desc_base(&gdt[APM_DS >> 3],
10209 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10210 + pax_close_kernel();
10212 proc_create("apm", 0, NULL, &apm_file_ops);
10214 diff -urNp linux-2.6.35.7/arch/x86/kernel/asm-offsets_32.c linux-2.6.35.7/arch/x86/kernel/asm-offsets_32.c
10215 --- linux-2.6.35.7/arch/x86/kernel/asm-offsets_32.c 2010-08-26 19:47:12.000000000 -0400
10216 +++ linux-2.6.35.7/arch/x86/kernel/asm-offsets_32.c 2010-09-17 20:12:09.000000000 -0400
10217 @@ -115,6 +115,11 @@ void foo(void)
10218 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10219 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10220 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10222 +#ifdef CONFIG_PAX_KERNEXEC
10223 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10229 diff -urNp linux-2.6.35.7/arch/x86/kernel/asm-offsets_64.c linux-2.6.35.7/arch/x86/kernel/asm-offsets_64.c
10230 --- linux-2.6.35.7/arch/x86/kernel/asm-offsets_64.c 2010-08-26 19:47:12.000000000 -0400
10231 +++ linux-2.6.35.7/arch/x86/kernel/asm-offsets_64.c 2010-09-17 20:12:09.000000000 -0400
10232 @@ -63,6 +63,18 @@ int main(void)
10233 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10234 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10235 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10237 +#ifdef CONFIG_PAX_KERNEXEC
10238 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10239 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10242 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10243 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10244 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10245 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10251 @@ -115,6 +127,7 @@ int main(void)
10255 + DEFINE(TSS_size, sizeof(struct tss_struct));
10256 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10258 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10259 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/common.c linux-2.6.35.7/arch/x86/kernel/cpu/common.c
10260 --- linux-2.6.35.7/arch/x86/kernel/cpu/common.c 2010-08-26 19:47:12.000000000 -0400
10261 +++ linux-2.6.35.7/arch/x86/kernel/cpu/common.c 2010-09-17 20:12:09.000000000 -0400
10262 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10264 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10266 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10267 -#ifdef CONFIG_X86_64
10269 - * We need valid kernel segments for data and code in long mode too
10270 - * IRET will check the segment types kkeil 2000/10/28
10271 - * Also sysret mandates a special GDT layout
10273 - * TLS descriptors are currently at a different place compared to i386.
10274 - * Hopefully nobody expects them at a fixed place (Wine?)
10276 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10277 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10278 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10279 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10280 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10281 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10283 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10284 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10285 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10286 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10288 - * Segments used for calling PnP BIOS have byte granularity.
10289 - * They code segments and data segments have fixed 64k limits,
10290 - * the transfer segment sizes are set at run time.
10292 - /* 32-bit code */
10293 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10294 - /* 16-bit code */
10295 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10296 - /* 16-bit data */
10297 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10298 - /* 16-bit data */
10299 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10300 - /* 16-bit data */
10301 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10303 - * The APM segments have byte granularity and their bases
10304 - * are set at run time. All have 64k limits.
10306 - /* 32-bit code */
10307 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10308 - /* 16-bit code */
10309 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10311 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10313 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10314 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10315 - GDT_STACK_CANARY_INIT
10318 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10320 static int __init x86_xsave_setup(char *s)
10322 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10323 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
10325 struct desc_ptr gdt_descr;
10327 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10328 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10329 gdt_descr.size = GDT_SIZE - 1;
10330 load_gdt(&gdt_descr);
10331 /* Reload the per-cpu base */
10332 @@ -802,6 +748,10 @@ static void __cpuinit identify_cpu(struc
10333 /* Filter out anything that depends on CPUID levels we don't have */
10334 filter_cpuid_features(c, true);
10336 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10337 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10340 /* If the model name is still unset, do table lookup. */
10341 if (!c->x86_model_id[0]) {
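Review bot: `setup_clear_cpu_cap(X86_FEATURE_SEP)` is added to `identify_cpu()` without a comment, and only the UDEREF term of the `#if` is restricted to `CONFIG_X86_32`. Unless Kconfig already limits the other two options, a kernel built with `CONFIG_PAX_KERNEXEC` or `CONFIG_PAX_SEGMEXEC` loses SYSENTER regardless of word size. If that is intended it should be stated, and if not the 32-bit guard belongs on the whole expression. A comment above the call, along the lines of `/* SYSENTER is disabled under these options because REASON */`, would make the trade-off visible to whoever next touches the feature filtering. The body of `identify_cpu()` continues outside the hunk.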
10343 @@ -1117,7 +1067,7 @@ void __cpuinit cpu_init(void)
10346 cpu = stack_smp_processor_id();
10347 - t = &per_cpu(init_tss, cpu);
10348 + t = init_tss + cpu;
10349 oist = &per_cpu(orig_ist, cpu);
10352 @@ -1143,7 +1093,7 @@ void __cpuinit cpu_init(void)
10353 switch_to_new_gdt(cpu);
10354 loadsegment(fs, 0);
10356 - load_idt((const struct desc_ptr *)&idt_descr);
10357 + load_idt(&idt_descr);
10359 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10361 @@ -1205,7 +1155,7 @@ void __cpuinit cpu_init(void)
10363 int cpu = smp_processor_id();
10364 struct task_struct *curr = current;
10365 - struct tss_struct *t = &per_cpu(init_tss, cpu);
10366 + struct tss_struct *t = init_tss + cpu;
10367 struct thread_struct *thread = &curr->thread;
10369 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10370 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.35.7/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10371 --- linux-2.6.35.7/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-08-26 19:47:12.000000000 -0400
10372 +++ linux-2.6.35.7/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-09-17 20:12:09.000000000 -0400
10373 @@ -484,7 +484,7 @@ static const struct dmi_system_id sw_any
10374 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10378 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10381 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10382 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.35.7/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10383 --- linux-2.6.35.7/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-08-26 19:47:12.000000000 -0400
10384 +++ linux-2.6.35.7/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-09-17 20:12:09.000000000 -0400
10385 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10386 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10387 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10390 + { NULL, NULL, 0, NULL}
10394 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/intel.c linux-2.6.35.7/arch/x86/kernel/cpu/intel.c
10395 --- linux-2.6.35.7/arch/x86/kernel/cpu/intel.c 2010-08-26 19:47:12.000000000 -0400
10396 +++ linux-2.6.35.7/arch/x86/kernel/cpu/intel.c 2010-09-17 20:12:09.000000000 -0400
10397 @@ -160,7 +160,7 @@ static void __cpuinit trap_init_f00f_bug
10398 * Update the IDT descriptor and reload the IDT so that
10399 * it uses the read-only mapped virtual address.
10401 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10402 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10403 load_idt(&idt_descr);
10406 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/Makefile linux-2.6.35.7/arch/x86/kernel/cpu/Makefile
10407 --- linux-2.6.35.7/arch/x86/kernel/cpu/Makefile 2010-08-26 19:47:12.000000000 -0400
10408 +++ linux-2.6.35.7/arch/x86/kernel/cpu/Makefile 2010-09-17 20:12:09.000000000 -0400
10409 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10410 CFLAGS_REMOVE_perf_event.o = -pg
10413 -# Make sure load_percpu_segment has no stackprotector
10414 -nostackp := $(call cc-option, -fno-stack-protector)
10415 -CFLAGS_common.o := $(nostackp)
10417 obj-y := intel_cacheinfo.o addon_cpuid_features.o
10418 obj-y += proc.o capflags.o powerflags.o common.o
10419 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
10420 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.35.7/arch/x86/kernel/cpu/mcheck/mce.c
10421 --- linux-2.6.35.7/arch/x86/kernel/cpu/mcheck/mce.c 2010-08-26 19:47:12.000000000 -0400
10422 +++ linux-2.6.35.7/arch/x86/kernel/cpu/mcheck/mce.c 2010-09-17 20:12:09.000000000 -0400
10423 @@ -219,7 +219,7 @@ static void print_mce(struct mce *m)
10424 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10427 - if (m->cs == __KERNEL_CS)
10428 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10429 print_symbol("{%s}", m->ip);
10432 @@ -1471,14 +1471,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10435 static DEFINE_SPINLOCK(mce_state_lock);
10436 -static int open_count; /* #times opened */
10437 +static atomic_t open_count; /* #times opened */
10438 static int open_exclu; /* already open exclusive? */
10440 static int mce_open(struct inode *inode, struct file *file)
10442 spin_lock(&mce_state_lock);
10444 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10445 + if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
10446 spin_unlock(&mce_state_lock);
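Review bot: `open_count` becomes an `atomic_t`, yet every access shown (`atomic_read` and `atomic_inc` in `mce_open`, `atomic_dec` in `mce_release`) still happens between `spin_lock(&mce_state_lock)` and `spin_unlock(&mce_state_lock)`, so the lock already serialises it. If the conversion is for a reader that does not take the lock, or to get overflow checking on the counter, the declaration comment should say so; otherwise the plain `int` was sufficient. The definition also relies on implicit zero-initialisation, where the conventional form is `static atomic_t open_count = ATOMIC_INIT(0); /* #times opened */`. The same remark covers the two following mce.c hunks, and both functions extend outside them.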
10449 @@ -1486,7 +1486,7 @@ static int mce_open(struct inode *inode,
10451 if (file->f_flags & O_EXCL)
10454 + atomic_inc(&open_count);
10456 spin_unlock(&mce_state_lock);
10458 @@ -1497,7 +1497,7 @@ static int mce_release(struct inode *ino
10460 spin_lock(&mce_state_lock);
10463 + atomic_dec(&open_count);
10466 spin_unlock(&mce_state_lock);
10467 @@ -1683,6 +1683,7 @@ static struct miscdevice mce_log_device
10471 + {NULL, NULL}, NULL, NULL
10475 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/generic.c
10476 --- linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/generic.c 2010-08-26 19:47:12.000000000 -0400
10477 +++ linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/generic.c 2010-09-17 20:12:09.000000000 -0400
10478 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10479 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10480 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10481 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
10486 static unsigned long smp_changes_mask;
10487 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/main.c
10488 --- linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/main.c 2010-08-26 19:47:12.000000000 -0400
10489 +++ linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/main.c 2010-09-17 20:12:09.000000000 -0400
10490 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10491 u64 size_or_mask, size_and_mask;
10492 static bool mtrr_aps_delayed_init;
10494 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10495 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10497 const struct mtrr_ops *mtrr_if;
10499 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/mtrr.h
10500 --- linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-08-26 19:47:12.000000000 -0400
10501 +++ linux-2.6.35.7/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-09-17 20:12:09.000000000 -0400
10502 @@ -12,19 +12,19 @@
10503 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10507 - u32 use_intel_if;
10508 - void (*set)(unsigned int reg, unsigned long base,
10509 + const u32 vendor;
10510 + const u32 use_intel_if;
10511 + void (* const set)(unsigned int reg, unsigned long base,
10512 unsigned long size, mtrr_type type);
10513 - void (*set_all)(void);
10514 + void (* const set_all)(void);
10516 - void (*get)(unsigned int reg, unsigned long *base,
10517 + void (* const get)(unsigned int reg, unsigned long *base,
10518 unsigned long *size, mtrr_type *type);
10519 - int (*get_free_region)(unsigned long base, unsigned long size,
10520 + int (* const get_free_region)(unsigned long base, unsigned long size,
10522 - int (*validate_add_page)(unsigned long base, unsigned long size,
10523 + int (* const validate_add_page)(unsigned long base, unsigned long size,
10524 unsigned int type);
10525 - int (*have_wrcomb)(void);
10526 + int (* const have_wrcomb)(void);
10529 extern int generic_get_free_region(unsigned long base, unsigned long size,
10530 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.35.7/arch/x86/kernel/cpu/perfctr-watchdog.c
10531 --- linux-2.6.35.7/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-08-26 19:47:12.000000000 -0400
10532 +++ linux-2.6.35.7/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-09-17 20:12:09.000000000 -0400
10533 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
10535 /* Interface defining a CPU specific perfctr watchdog */
10537 - int (*reserve)(void);
10538 - void (*unreserve)(void);
10539 - int (*setup)(unsigned nmi_hz);
10540 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10541 - void (*stop)(void);
10542 + int (* const reserve)(void);
10543 + void (* const unreserve)(void);
10544 + int (* const setup)(unsigned nmi_hz);
10545 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10546 + void (* const stop)(void);
10550 @@ -634,6 +634,7 @@ static const struct wd_ops p4_wd_ops = {
10551 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
10552 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
10554 +/* cannot be const, see probe_nmi_watchdog */
10555 static struct wd_ops intel_arch_wd_ops;
10557 static int setup_intel_arch_watchdog(unsigned nmi_hz)
10558 @@ -686,6 +687,7 @@ static int setup_intel_arch_watchdog(uns
10562 +/* cannot be const */
10563 static struct wd_ops intel_arch_wd_ops __read_mostly = {
10564 .reserve = single_msr_reserve,
10565 .unreserve = single_msr_unreserve,
10566 diff -urNp linux-2.6.35.7/arch/x86/kernel/cpu/perf_event.c linux-2.6.35.7/arch/x86/kernel/cpu/perf_event.c
10567 --- linux-2.6.35.7/arch/x86/kernel/cpu/perf_event.c 2010-08-26 19:47:12.000000000 -0400
10568 +++ linux-2.6.35.7/arch/x86/kernel/cpu/perf_event.c 2010-09-17 20:12:09.000000000 -0400
10569 @@ -1685,7 +1685,7 @@ perf_callchain_user(struct pt_regs *regs
10572 callchain_store(entry, frame.return_address);
10573 - fp = frame.next_frame;
10574 + fp = (__force const void __user *)frame.next_frame;
10578 diff -urNp linux-2.6.35.7/arch/x86/kernel/crash.c linux-2.6.35.7/arch/x86/kernel/crash.c
10579 --- linux-2.6.35.7/arch/x86/kernel/crash.c 2010-08-26 19:47:12.000000000 -0400
10580 +++ linux-2.6.35.7/arch/x86/kernel/crash.c 2010-09-17 20:12:09.000000000 -0400
10581 @@ -40,7 +40,7 @@ static void kdump_nmi_callback(int cpu,
10584 #ifdef CONFIG_X86_32
10585 - if (!user_mode_vm(regs)) {
10586 + if (!user_mode(regs)) {
10587 crash_fixup_ss_esp(&fixed_regs, regs);
10588 regs = &fixed_regs;
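Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only equivalent if this patch also changes what `user_mode()` tests. In the unpatched 32-bit tree, `user_mode()` looks at the CS privilege bits alone and ignores the VM86 flag. That redefinition is not in this part of the diff, so the substitution cannot be checked from here. The same applies to the later hunks in `show_registers()` (dumpstack_32.c) and in `__die()` and `die()` (dumpstack.c). If the header change exists, a short comment at the new definition saying it now covers vm86 frames would keep each of these call sites from reading like a regression.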
10590 diff -urNp linux-2.6.35.7/arch/x86/kernel/doublefault_32.c linux-2.6.35.7/arch/x86/kernel/doublefault_32.c
10591 --- linux-2.6.35.7/arch/x86/kernel/doublefault_32.c 2010-08-26 19:47:12.000000000 -0400
10592 +++ linux-2.6.35.7/arch/x86/kernel/doublefault_32.c 2010-09-17 20:12:09.000000000 -0400
10595 #define DOUBLEFAULT_STACKSIZE (1024)
10596 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10597 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10598 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10600 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
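Review bot: `STACK_START` now ends in a bare `-2` with no explanation. Because `doublefault_stack` is an array of `unsigned long`, the subtraction moves the initial stack pointer two words below the end of the array, not two bytes, which is easy to misread. A comment should state that, for example `/* start two words below the end of doublefault_stack */`, and give the reason for the headroom, which the hunk does not. The macro body is also an unparenthesised cast expression; writing it as `((unsigned long)(doublefault_stack + DOUBLEFAULT_STACKSIZE - 2))` keeps it safe in any expression context.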
10602 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
10603 unsigned long gdt, tss;
10605 store_gdt(&gdt_desc);
10606 - gdt = gdt_desc.address;
10607 + gdt = (unsigned long)gdt_desc.address;
10609 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10611 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
10612 /* 0x2 bit is always set */
10613 .flags = X86_EFLAGS_SF | 0x2,
10616 + .es = __KERNEL_DS,
10620 + .ds = __KERNEL_DS,
10621 .fs = __KERNEL_PERCPU,
10623 .__cr3 = __pa_nodebug(swapper_pg_dir),
10624 diff -urNp linux-2.6.35.7/arch/x86/kernel/dumpstack_32.c linux-2.6.35.7/arch/x86/kernel/dumpstack_32.c
10625 --- linux-2.6.35.7/arch/x86/kernel/dumpstack_32.c 2010-08-26 19:47:12.000000000 -0400
10626 +++ linux-2.6.35.7/arch/x86/kernel/dumpstack_32.c 2010-09-17 20:12:09.000000000 -0400
10627 @@ -107,11 +107,12 @@ void show_registers(struct pt_regs *regs
10628 * When in-kernel, we also print out the stack and code at the
10629 * time of the fault..
10631 - if (!user_mode_vm(regs)) {
10632 + if (!user_mode(regs)) {
10633 unsigned int code_prologue = code_bytes * 43 / 64;
10634 unsigned int code_len = code_bytes;
10637 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10639 printk(KERN_EMERG "Stack:\n");
10640 show_stack_log_lvl(NULL, regs, ®s->sp,
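Review bot: The new `cs_base` initialiser indexes the GDT with `(0xffff & regs->cs) >> 3` without checking the index against the table size. The branch is guarded by `!user_mode(regs)`, so the selector is normally a kernel one, but this is the register dump on the oops path and `regs` may itself be what is damaged. A 16-bit selector can encode an index well past the end of the table. Bounding it takes two lines: `unsigned int idx = (0xffff & regs->cs) >> 3;` and `unsigned long cs_base = idx < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[idx]) : 0;`. The body of `show_registers()` continues outside the hunk.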
10641 @@ -119,10 +120,10 @@ void show_registers(struct pt_regs *regs
10643 printk(KERN_EMERG "Code: ");
10645 - ip = (u8 *)regs->ip - code_prologue;
10646 + ip = (u8 *)regs->ip - code_prologue + cs_base;
10647 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10648 /* try starting at IP */
10649 - ip = (u8 *)regs->ip;
10650 + ip = (u8 *)regs->ip + cs_base;
10651 code_len = code_len - code_prologue + 1;
10653 for (i = 0; i < code_len; i++, ip++) {
10654 @@ -131,7 +132,7 @@ void show_registers(struct pt_regs *regs
10655 printk(" Bad EIP value.");
10658 - if (ip == (u8 *)regs->ip)
10659 + if (ip == (u8 *)regs->ip + cs_base)
10660 printk("<%02x> ", c);
10662 printk("%02x ", c);
10663 @@ -144,6 +145,7 @@ int is_valid_bugaddr(unsigned long ip)
10665 unsigned short ud2;
10667 + ip = ktla_ktva(ip);
10668 if (ip < PAGE_OFFSET)
10670 if (probe_kernel_address((unsigned short *)ip, ud2))
10671 diff -urNp linux-2.6.35.7/arch/x86/kernel/dumpstack.c linux-2.6.35.7/arch/x86/kernel/dumpstack.c
10672 --- linux-2.6.35.7/arch/x86/kernel/dumpstack.c 2010-08-26 19:47:12.000000000 -0400
10673 +++ linux-2.6.35.7/arch/x86/kernel/dumpstack.c 2010-09-17 20:12:09.000000000 -0400
10674 @@ -207,7 +207,7 @@ void dump_stack(void)
10677 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
10678 - current->pid, current->comm, current->xid, print_tainted(),
10679 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
10680 init_utsname()->release,
10681 (int)strcspn(init_utsname()->version, " "),
10682 init_utsname()->version);
10683 @@ -263,7 +263,7 @@ void __kprobes oops_end(unsigned long fl
10684 panic("Fatal exception in interrupt");
10686 panic("Fatal exception");
10688 + do_group_exit(signr);
10691 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
10692 @@ -290,7 +290,7 @@ int __kprobes __die(const char *str, str
10694 show_registers(regs);
10695 #ifdef CONFIG_X86_32
10696 - if (user_mode_vm(regs)) {
10697 + if (user_mode(regs)) {
10699 ss = regs->ss & 0xffff;
10701 @@ -318,7 +318,7 @@ void die(const char *str, struct pt_regs
10702 unsigned long flags = oops_begin();
10705 - if (!user_mode_vm(regs))
10706 + if (!user_mode(regs))
10707 report_bug(regs->ip, regs);
10709 if (__die(str, regs, err))
10710 diff -urNp linux-2.6.35.7/arch/x86/kernel/efi_32.c linux-2.6.35.7/arch/x86/kernel/efi_32.c
10711 --- linux-2.6.35.7/arch/x86/kernel/efi_32.c 2010-08-26 19:47:12.000000000 -0400
10712 +++ linux-2.6.35.7/arch/x86/kernel/efi_32.c 2010-09-17 20:12:09.000000000 -0400
10713 @@ -38,70 +38,38 @@
10716 static unsigned long efi_rt_eflags;
10717 -static pgd_t efi_bak_pg_dir_pointer[2];
10718 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
10720 -void efi_call_phys_prelog(void)
10721 +void __init efi_call_phys_prelog(void)
10723 - unsigned long cr4;
10724 - unsigned long temp;
10725 struct desc_ptr gdt_descr;
10727 local_irq_save(efi_rt_eflags);
10730 - * If I don't have PAE, I should just duplicate two entries in page
10731 - * directory. If I have PAE, I just need to duplicate one entry in
10732 - * page directory.
10734 - cr4 = read_cr4_safe();
10736 - if (cr4 & X86_CR4_PAE) {
10737 - efi_bak_pg_dir_pointer[0].pgd =
10738 - swapper_pg_dir[pgd_index(0)].pgd;
10739 - swapper_pg_dir[0].pgd =
10740 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10742 - efi_bak_pg_dir_pointer[0].pgd =
10743 - swapper_pg_dir[pgd_index(0)].pgd;
10744 - efi_bak_pg_dir_pointer[1].pgd =
10745 - swapper_pg_dir[pgd_index(0x400000)].pgd;
10746 - swapper_pg_dir[pgd_index(0)].pgd =
10747 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10748 - temp = PAGE_OFFSET + 0x400000;
10749 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10750 - swapper_pg_dir[pgd_index(temp)].pgd;
10752 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
10753 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10754 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10757 * After the lock is released, the original page table is restored.
10761 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
10762 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
10763 gdt_descr.size = GDT_SIZE - 1;
10764 load_gdt(&gdt_descr);
10767 -void efi_call_phys_epilog(void)
10768 +void __init efi_call_phys_epilog(void)
10770 - unsigned long cr4;
10771 struct desc_ptr gdt_descr;
10773 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
10774 + gdt_descr.address = get_cpu_gdt_table(0);
10775 gdt_descr.size = GDT_SIZE - 1;
10776 load_gdt(&gdt_descr);
10778 - cr4 = read_cr4_safe();
10780 - if (cr4 & X86_CR4_PAE) {
10781 - swapper_pg_dir[pgd_index(0)].pgd =
10782 - efi_bak_pg_dir_pointer[0].pgd;
10784 - swapper_pg_dir[pgd_index(0)].pgd =
10785 - efi_bak_pg_dir_pointer[0].pgd;
10786 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10787 - efi_bak_pg_dir_pointer[1].pgd;
10789 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
10792 * After the lock is released, the original page table is restored.
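Review bot: `gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));` in `efi_call_phys_prelog()` stores a physical address in a field that is now pointer-typed, and the cast hides that from both the reader and the type checker. The value looks deliberate, since the EFI stub clears the PG bit before making the call, but the assignment should say so: `/* physical address on purpose: this GDT is used with paging disabled */`. The prelog also saves `KERNEL_PGD_PTRS` entries but overwrites `min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)` of them, while the epilog restores `KERNEL_PGD_PTRS`. A comment stating that the backup always covers the overwritten range would make the pairing checkable. Both functions continue outside the hunk.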
10793 diff -urNp linux-2.6.35.7/arch/x86/kernel/efi_stub_32.S linux-2.6.35.7/arch/x86/kernel/efi_stub_32.S
10794 --- linux-2.6.35.7/arch/x86/kernel/efi_stub_32.S 2010-08-26 19:47:12.000000000 -0400
10795 +++ linux-2.6.35.7/arch/x86/kernel/efi_stub_32.S 2010-09-17 20:12:09.000000000 -0400
10799 #include <linux/linkage.h>
10800 +#include <linux/init.h>
10801 #include <asm/page_types.h>
10805 * service functions will comply with gcc calling convention, too.
10810 ENTRY(efi_call_phys)
10812 * 0. The function can only be called in Linux kernel. So CS has been
10813 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
10814 * The mapping of lower virtual memory has been created in prelog and
10818 - subl $__PAGE_OFFSET, %edx
10820 + jmp 1f-__PAGE_OFFSET
10824 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
10825 * parameter 2, ..., param n. To make things easy, we save the return
10826 * address of efi_call_phys in a global variable.
10829 - movl %edx, saved_return_addr
10830 - /* get the function pointer into ECX*/
10832 - movl %ecx, efi_rt_function_ptr
10834 - subl $__PAGE_OFFSET, %edx
10836 + popl (saved_return_addr)
10837 + popl (efi_rt_function_ptr)
10840 * 3. Clear PG bit in %CR0.
10841 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
10843 * 5. Call the physical function.
10846 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
10850 * 6. After EFI runtime service returns, control will return to
10851 * following instruction. We'd better readjust stack pointer first.
10852 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
10854 orl $0x80000000, %edx
10860 * 8. Now restore the virtual mode from flat mode by
10861 * adding EIP with PAGE_OFFSET.
10865 + jmp 1f+__PAGE_OFFSET
10869 * 9. Balance the stack. And because EAX contain the return value,
10870 * we'd better not clobber it.
10872 - leal efi_rt_function_ptr, %edx
10873 - movl (%edx), %ecx
10875 + pushl (efi_rt_function_ptr)
10878 - * 10. Push the saved return address onto the stack and return.
10879 + * 10. Return to the saved return address.
10881 - leal saved_return_addr, %edx
10882 - movl (%edx), %ecx
10885 + jmpl *(saved_return_addr)
10886 ENDPROC(efi_call_phys)
10893 efi_rt_function_ptr:
10894 diff -urNp linux-2.6.35.7/arch/x86/kernel/entry_32.S linux-2.6.35.7/arch/x86/kernel/entry_32.S
10895 --- linux-2.6.35.7/arch/x86/kernel/entry_32.S 2010-08-26 19:47:12.000000000 -0400
10896 +++ linux-2.6.35.7/arch/x86/kernel/entry_32.S 2010-09-17 20:12:09.000000000 -0400
10897 @@ -192,7 +192,67 @@
10899 #endif /* CONFIG_X86_32_LAZY_GS */
10902 +.macro PAX_EXIT_KERNEL
10903 +#ifdef CONFIG_PAX_KERNEXEC
10904 +#ifdef CONFIG_PARAVIRT
10905 + push %eax; push %ecx;
10908 + cmp $__KERNEXEC_KERNEL_CS, %esi
10910 +#ifdef CONFIG_PARAVIRT
10911 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
10917 + ljmp $__KERNEL_CS, $1f
10919 +#ifdef CONFIG_PARAVIRT
10921 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
10926 +#ifdef CONFIG_PARAVIRT
10927 + pop %ecx; pop %eax
10932 +.macro PAX_ENTER_KERNEL
10933 +#ifdef CONFIG_PAX_KERNEXEC
10934 +#ifdef CONFIG_PARAVIRT
10935 + push %eax; push %ecx;
10936 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
10944 + cmp $__KERNEL_CS, %esi
10946 + ljmp $__KERNEL_CS, $3f
10947 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
10949 +#ifdef CONFIG_PARAVIRT
10951 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
10956 +#ifdef CONFIG_PARAVIRT
10957 + pop %ecx; pop %eax
10962 +.macro __SAVE_ALL _DS
10966 @@ -225,7 +285,7 @@
10968 CFI_ADJUST_CFA_OFFSET 4
10969 CFI_REL_OFFSET ebx, 0
10970 - movl $(__USER_DS), %edx
10974 movl $(__KERNEL_PERCPU), %edx
10975 @@ -233,6 +293,15 @@
10980 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
10981 + __SAVE_ALL __KERNEL_DS
10984 + __SAVE_ALL __USER_DS
10988 .macro RESTORE_INT_REGS
10990 CFI_ADJUST_CFA_OFFSET -4
10991 @@ -357,7 +426,15 @@ check_userspace:
10992 movb PT_CS(%esp), %al
10993 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
10994 cmpl $USER_RPL, %eax
10996 +#ifdef CONFIG_PAX_KERNEXEC
10997 + jae resume_userspace
11000 + jmp resume_kernel
11002 jb resume_kernel # not returning to v8086 or userspace
11005 ENTRY(resume_userspace)
11007 @@ -423,10 +500,9 @@ sysenter_past_esp:
11008 /*CFI_REL_OFFSET cs, 0*/
11010 * Push current_thread_info()->sysenter_return to the stack.
11011 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11012 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
11014 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
11015 + GET_THREAD_INFO(%ebp)
11016 + pushl TI_sysenter_return(%ebp)
11017 CFI_ADJUST_CFA_OFFSET 4
11018 CFI_REL_OFFSET eip, 0
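Review bot: `GET_THREAD_INFO(%ebp)` overwrites `%ebp` in the sysenter entry path, and the shortened comment above it no longer says anything about register use. The next hunk reloads `%ebp` from `PT_OLDESP(%esp)` before the sixth-argument load, so the two changes depend on each other. That dependency should be recorded where the clobber happens, for example `/* clobbers %ebp; reloaded from PT_OLDESP(%esp) before the sixth-argument fetch */`. Without it, a later reordering of the entry sequence could leave the thread_info pointer in `%ebp` when the user stack is dereferenced. The sysenter_past_esp block starts and ends outside the hunk.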
11020 @@ -439,9 +515,19 @@ sysenter_past_esp:
11021 * Load the potential sixth argument from user stack.
11022 * Careful about security.
11024 + movl PT_OLDESP(%esp),%ebp
11026 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11027 + mov PT_OLDSS(%esp),%ds
11028 +1: movl %ds:(%ebp),%ebp
11032 cmpl $__PAGE_OFFSET-3,%ebp
11034 1: movl (%ebp),%ebp
11037 movl %ebp,PT_EBP(%esp)
11038 .section __ex_table,"a"
11040 @@ -464,12 +550,23 @@ sysenter_do_call:
11041 testl $_TIF_ALLWORK_MASK, %ecx
11045 +#ifdef CONFIG_PAX_RANDKSTACK
11047 + CFI_ADJUST_CFA_OFFSET 4
11048 + call pax_randomize_kstack
11050 + CFI_ADJUST_CFA_OFFSET -4
11053 /* if something modifies registers it must also disable sysexit */
11054 movl PT_EIP(%esp), %edx
11055 movl PT_OLDESP(%esp), %ecx
11058 1: mov PT_FS(%esp), %fs
11059 +2: mov PT_DS(%esp), %ds
11060 +3: mov PT_ES(%esp), %es
11062 ENABLE_INTERRUPTS_SYSEXIT
11064 @@ -513,11 +610,17 @@ sysexit_audit:
11067 .pushsection .fixup,"ax"
11068 -2: movl $0,PT_FS(%esp)
11069 +4: movl $0,PT_FS(%esp)
11071 +5: movl $0,PT_DS(%esp)
11073 +6: movl $0,PT_ES(%esp)
11075 .section __ex_table,"a"
11083 ENDPROC(ia32_sysenter_target)
11084 @@ -551,6 +654,10 @@ syscall_exit:
11085 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11086 jne syscall_exit_work
11088 +#ifdef CONFIG_PAX_RANDKSTACK
11089 + call pax_randomize_kstack
11094 restore_all_notrace:
11095 @@ -615,7 +722,13 @@ ldt_ss:
11096 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11097 mov %dx, %ax /* eax: new kernel esp */
11098 sub %eax, %edx /* offset (low word is 0) */
11099 - PER_CPU(gdt_page, %ebx)
11101 + movl PER_CPU_VAR(cpu_number), %ebx
11102 + shll $PAGE_SHIFT_asm, %ebx
11103 + addl $cpu_gdt_table, %ebx
11105 + movl $cpu_gdt_table, %ebx
11108 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
11109 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
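Review bot: The sequence that turns `cpu_number` into this CPU's GDT address (`movl PER_CPU_VAR(cpu_number), %ebx`, `shll $PAGE_SHIFT_asm, %ebx`, `addl $cpu_gdt_table, %ebx`) assumes that `cpu_gdt_table` holds exactly one page per CPU. It is pasted again in the later hunk under `/* fixup the stack */`. Neither place states the stride, so a change to the table layout would silently point both ESPFIX paths at the wrong descriptor. Putting the sequence behind one assembler macro and documenting the layout there would fix that, for example `/* cpu_gdt_table: one PAGE_SIZE slot per CPU, indexed by cpu_number */`. The conditional lines around the sequence are not fully visible in this listing.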
11110 @@ -655,25 +768,19 @@ work_resched:
11112 work_notifysig: # deal with pending signals and
11113 # notify-resume requests
11116 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11118 - jne work_notifysig_v86 # returning to kernel-space or
11119 + jz 1f # returning to kernel-space or
11122 - call do_notify_resume
11123 - jmp resume_userspace_sig
11126 -work_notifysig_v86:
11127 pushl %ecx # save ti_flags for do_notify_resume
11128 CFI_ADJUST_CFA_OFFSET 4
11129 call save_v86_state # %eax contains pt_regs pointer
11131 CFI_ADJUST_CFA_OFFSET -4
11138 call do_notify_resume
11139 @@ -708,6 +815,10 @@ END(syscall_exit_work)
11141 RING0_INT_FRAME # can't unwind into user space anyway
11143 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11147 GET_THREAD_INFO(%ebp)
11148 movl $-EFAULT,PT_EAX(%esp)
11149 jmp resume_userspace
11150 @@ -791,7 +902,13 @@ ptregs_clone:
11151 * normal stack and adjusts ESP with the matching offset.
11153 /* fixup the stack */
11154 - PER_CPU(gdt_page, %ebx)
11156 + movl PER_CPU_VAR(cpu_number), %ebx
11157 + shll $PAGE_SHIFT_asm, %ebx
11158 + addl $cpu_gdt_table, %ebx
11160 + movl $cpu_gdt_table, %ebx
11162 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
11163 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
11165 @@ -1273,7 +1390,6 @@ return_to_handler:
11169 -.section .rodata,"a"
11170 #include "syscall_table_32.S"
11172 syscall_table_size=(.-sys_call_table)
11173 @@ -1330,9 +1446,12 @@ error_code:
11174 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11177 - movl $(__USER_DS), %ecx
11178 + movl $(__KERNEL_DS), %ecx
11185 movl %esp,%eax # pt_regs pointer
11187 @@ -1426,6 +1545,9 @@ nmi_stack_correct:
11188 xorl %edx,%edx # zero error code
11189 movl %esp,%eax # pt_regs pointer
11194 jmp restore_all_notrace
11197 @@ -1466,6 +1588,9 @@ nmi_espfix_stack:
11198 FIXUP_ESPFIX_STACK # %eax == %esp
11199 xorl %edx,%edx # zero error code
11205 lss 12+4(%esp), %esp # back to espfix stack
11206 CFI_ADJUST_CFA_OFFSET -24
11207 diff -urNp linux-2.6.35.7/arch/x86/kernel/entry_64.S linux-2.6.35.7/arch/x86/kernel/entry_64.S
11208 --- linux-2.6.35.7/arch/x86/kernel/entry_64.S 2010-08-26 19:47:12.000000000 -0400
11209 +++ linux-2.6.35.7/arch/x86/kernel/entry_64.S 2010-09-17 20:12:09.000000000 -0400
11211 #include <asm/paravirt.h>
11212 #include <asm/ftrace.h>
11213 #include <asm/percpu.h>
11214 +#include <asm/pgtable.h>
11216 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11217 #include <linux/elf-em.h>
11218 @@ -174,6 +175,189 @@ ENTRY(native_usergs_sysret64)
11219 ENDPROC(native_usergs_sysret64)
11220 #endif /* CONFIG_PARAVIRT */
11222 + .macro ljmpq sel, off
11223 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11224 + .byte 0x48; ljmp *1234f(%rip)
11225 + .pushsection .rodata
11227 + 1234: .quad \off; .word \sel
11236 +ENTRY(pax_enter_kernel)
11238 +#ifdef CONFIG_PAX_KERNEXEC
11241 +#ifdef CONFIG_PARAVIRT
11242 + PV_SAVE_REGS(CLBR_RDI)
11249 + cmp $__KERNEL_CS,%edi
11251 + ljmpq __KERNEL_CS,3f
11252 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11253 +2: SET_RDI_INTO_CR0
11256 +#ifdef CONFIG_PARAVIRT
11257 + PV_RESTORE_REGS(CLBR_RDI)
11264 +ENDPROC(pax_enter_kernel)
11266 +ENTRY(pax_exit_kernel)
11268 +#ifdef CONFIG_PAX_KERNEXEC
11271 +#ifdef CONFIG_PARAVIRT
11272 + PV_SAVE_REGS(CLBR_RDI)
11276 + cmp $__KERNEXEC_KERNEL_CS,%edi
11280 + ljmpq __KERNEL_CS,1f
11281 +1: SET_RDI_INTO_CR0
11284 +#ifdef CONFIG_PARAVIRT
11285 + PV_RESTORE_REGS(CLBR_RDI);
11292 +ENDPROC(pax_exit_kernel)
11294 +ENTRY(pax_enter_kernel_user)
11296 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11300 +#ifdef CONFIG_PARAVIRT
11301 + PV_SAVE_REGS(CLBR_RDI)
11306 + add $__START_KERNEL_map,%rbx
11307 + sub phys_base(%rip),%rbx
11309 +#ifdef CONFIG_PARAVIRT
11311 + cmpl $0, pv_info+PARAVIRT_enabled
11314 + .rept USER_PGD_PTRS
11315 + mov i*8(%rbx),%rsi
11317 + lea i*8(%rbx),%rdi
11318 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11326 + .rept USER_PGD_PTRS
11327 + movb $0,i*8(%rbx)
11331 +#ifdef CONFIG_PARAVIRT
11336 +#ifdef CONFIG_PAX_KERNEXEC
11342 +#ifdef CONFIG_PARAVIRT
11343 + PV_RESTORE_REGS(CLBR_RDI)
11351 +ENDPROC(pax_enter_kernel_user)
11353 +ENTRY(pax_exit_kernel_user)
11355 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11358 +#ifdef CONFIG_PARAVIRT
11360 + PV_SAVE_REGS(CLBR_RDI)
11363 +#ifdef CONFIG_PAX_KERNEXEC
11370 + add $__START_KERNEL_map,%rdi
11371 + sub phys_base(%rip),%rdi
11373 +#ifdef CONFIG_PARAVIRT
11374 + cmpl $0, pv_info+PARAVIRT_enabled
11378 + .rept USER_PGD_PTRS
11379 + mov i*8(%rbx),%rsi
11381 + lea i*8(%rbx),%rdi
11382 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11390 + .rept USER_PGD_PTRS
11391 + movb $0x67,i*8(%rdi)
11395 +#ifdef CONFIG_PARAVIRT
11396 +2: PV_RESTORE_REGS(CLBR_RDI)
11404 +ENDPROC(pax_exit_kernel_user)
11406 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11407 #ifdef CONFIG_TRACE_IRQFLAGS
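Review bot: `movb $0,i*8(%rbx)` in pax_enter_kernel_user and `movb $0x67,i*8(%rdi)` in pax_exit_kernel_user patch the low byte of page-directory slots with bare constants and no comment. 0x67 is present+rw+user+accessed+dirty, which is what `_PAGE_TABLE` (used in head_64.S in this patch) evaluates to on x86, so `movb $_PAGE_TABLE,i*8(%rdi)` or a comment naming the bits would make the pair readable; the zero store could carry `/* clear the flag byte, including the present bit */`. The hand-encoded `.byte 0x48` in the ljmpq macro deserves a comment as well, e.g. `/* REX.W prefix: far jump through a 64-bit offset */`. Many lines of these routines are missing from the page, so the register setup around the stores could not be checked.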
11408 @@ -317,7 +501,7 @@ ENTRY(save_args)
11409 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
11410 movq_cfi rbp, 8 /* push %rbp */
11411 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11412 - testl $3, CS(%rdi)
11413 + testb $3, CS(%rdi)
11417 @@ -409,7 +593,7 @@ ENTRY(ret_from_fork)
11421 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11422 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11423 je int_ret_from_sys_call
11425 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11426 @@ -468,6 +652,11 @@ ENTRY(system_call_after_swapgs)
11428 movq %rsp,PER_CPU_VAR(old_rsp)
11429 movq PER_CPU_VAR(kernel_stack),%rsp
11431 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11432 + call pax_enter_kernel_user
11436 * No need to follow this irqs off/on section - it's straight
11438 @@ -502,6 +691,11 @@ sysret_check:
11443 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11444 + call pax_exit_kernel_user
11448 * sysretq will re-enable interrupts:
11450 @@ -613,7 +807,7 @@ tracesys:
11451 GLOBAL(int_ret_from_sys_call)
11452 DISABLE_INTERRUPTS(CLBR_NONE)
11454 - testl $3,CS-ARGOFFSET(%rsp)
11455 + testb $3,CS-ARGOFFSET(%rsp)
11456 je retint_restore_args
11457 movl $_TIF_ALLWORK_MASK,%edi
11458 /* edi: mask to check */
11459 @@ -800,6 +994,16 @@ END(interrupt)
11460 CFI_ADJUST_CFA_OFFSET 10*8
11463 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11464 + testb $3, CS(%rdi)
11466 + call pax_enter_kernel
11468 +1: call pax_enter_kernel_user
11471 + call pax_enter_kernel
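Review bot: The added CONFIG_PAX_MEMORY_UDEREF block has no comment on what `testb $3, CS(%rdi)` selects between `call pax_enter_kernel` and `1: call pax_enter_kernel_user`. A line such as `/* low two bits of the saved CS: zero means the interrupted context was the kernel */` would do. The same block, with `CS(%rsp)` as the operand, is repeated in the five `ENTRY(\sym)` hunks that follow and in the `ENTRY(nmi)` hunk; a shared assembler macro taking the CS operand would keep the copies from drifting apart.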
11476 @@ -826,7 +1030,7 @@ ret_from_intr:
11477 CFI_ADJUST_CFA_OFFSET -8
11479 GET_THREAD_INFO(%rcx)
11480 - testl $3,CS-ARGOFFSET(%rsp)
11481 + testb $3,CS-ARGOFFSET(%rsp)
11484 /* Interrupt came from user space */
11485 @@ -848,12 +1052,18 @@ retint_swapgs: /* return to user-space
11486 * The iretq could re-enable interrupts:
11488 DISABLE_INTERRUPTS(CLBR_ANY)
11490 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11491 + call pax_exit_kernel_user
11498 retint_restore_args: /* return to kernel space */
11499 DISABLE_INTERRUPTS(CLBR_ANY)
11500 + call pax_exit_kernel
11502 * The iretq could re-enable interrupts:
11504 @@ -1040,6 +1250,16 @@ ENTRY(\sym)
11505 CFI_ADJUST_CFA_OFFSET 15*8
11508 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11509 + testb $3, CS(%rsp)
11511 + call pax_enter_kernel
11513 +1: call pax_enter_kernel_user
11516 + call pax_enter_kernel
11518 movq %rsp,%rdi /* pt_regs pointer */
11519 xorl %esi,%esi /* no error code */
11521 @@ -1057,6 +1277,16 @@ ENTRY(\sym)
11525 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11526 + testb $3, CS(%rsp)
11528 + call pax_enter_kernel
11530 +1: call pax_enter_kernel_user
11533 + call pax_enter_kernel
11535 movq %rsp,%rdi /* pt_regs pointer */
11536 xorl %esi,%esi /* no error code */
11538 @@ -1074,9 +1304,24 @@ ENTRY(\sym)
11542 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11543 + testb $3, CS(%rsp)
11545 + call pax_enter_kernel
11547 +1: call pax_enter_kernel_user
11550 + call pax_enter_kernel
11552 movq %rsp,%rdi /* pt_regs pointer */
11553 xorl %esi,%esi /* no error code */
11554 - PER_CPU(init_tss, %r12)
11556 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11557 + lea init_tss(%r12), %r12
11559 + lea init_tss(%rip), %r12
11561 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
11563 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
11564 @@ -1093,6 +1338,16 @@ ENTRY(\sym)
11565 CFI_ADJUST_CFA_OFFSET 15*8
11568 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11569 + testb $3, CS(%rsp)
11571 + call pax_enter_kernel
11573 +1: call pax_enter_kernel_user
11576 + call pax_enter_kernel
11578 movq %rsp,%rdi /* pt_regs pointer */
11579 movq ORIG_RAX(%rsp),%rsi /* get error code */
11580 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11581 @@ -1112,6 +1367,16 @@ ENTRY(\sym)
11585 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11586 + testb $3, CS(%rsp)
11588 + call pax_enter_kernel
11590 +1: call pax_enter_kernel_user
11593 + call pax_enter_kernel
11595 movq %rsp,%rdi /* pt_regs pointer */
11596 movq ORIG_RAX(%rsp),%rsi /* get error code */
11597 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11598 @@ -1370,14 +1635,27 @@ ENTRY(paranoid_exit)
11600 testl %ebx,%ebx /* swapgs needed? */
11601 jnz paranoid_restore
11602 - testl $3,CS(%rsp)
11603 + testb $3,CS(%rsp)
11604 jnz paranoid_userspace
11605 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11606 + call pax_exit_kernel
11607 + TRACE_IRQS_IRETQ 0
11608 + SWAPGS_UNSAFE_STACK
11613 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11614 + call pax_exit_kernel_user
11616 + call pax_exit_kernel
11619 SWAPGS_UNSAFE_STACK
11623 + call pax_exit_kernel
11627 @@ -1435,7 +1713,7 @@ ENTRY(error_entry)
11628 movq_cfi r14, R14+8
11629 movq_cfi r15, R15+8
11631 - testl $3,CS+8(%rsp)
11632 + testb $3,CS+8(%rsp)
11633 je error_kernelspace
11636 @@ -1499,6 +1777,16 @@ ENTRY(nmi)
11637 CFI_ADJUST_CFA_OFFSET 15*8
11640 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11641 + testb $3, CS(%rsp)
11643 + call pax_enter_kernel
11645 +1: call pax_enter_kernel_user
11648 + call pax_enter_kernel
11650 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11653 @@ -1509,11 +1797,12 @@ ENTRY(nmi)
11654 DISABLE_INTERRUPTS(CLBR_NONE)
11655 testl %ebx,%ebx /* swapgs needed? */
11657 - testl $3,CS(%rsp)
11658 + testb $3,CS(%rsp)
11661 SWAPGS_UNSAFE_STACK
11663 + call pax_exit_kernel
11667 diff -urNp linux-2.6.35.7/arch/x86/kernel/ftrace.c linux-2.6.35.7/arch/x86/kernel/ftrace.c
11668 --- linux-2.6.35.7/arch/x86/kernel/ftrace.c 2010-08-26 19:47:12.000000000 -0400
11669 +++ linux-2.6.35.7/arch/x86/kernel/ftrace.c 2010-09-17 20:12:09.000000000 -0400
11670 @@ -174,7 +174,9 @@ void ftrace_nmi_enter(void)
11672 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11674 + pax_open_kernel();
11676 + pax_close_kernel();
11677 atomic_inc(&nmi_update_count);
11679 /* Must have previous changes seen before executions */
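Review bot: `pax_open_kernel()` and `pax_close_kernel()` are now called from ftrace_nmi_enter(), and nothing documents whether that pair is safe in NMI context. An NMI can arrive while the interrupted code on the same CPU is itself between an open and a close, so if the pair is not nestable the NMI's close would end the interrupted code's window early; their definitions are not in this hunk, so this is a question rather than a finding. A comment above the call stating the rule, e.g. `/* may run inside an already open section; pax_open_kernel() must tolerate nesting */`, would settle it. ftrace_nmi_enter() starts and ends outside the hunk.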
11680 @@ -260,7 +262,7 @@ do_ftrace_mod_code(unsigned long ip, voi
11684 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
11685 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
11687 static unsigned char *ftrace_nop_replace(void)
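Review bot: `ftrace_nop` becomes `__read_only`, but ftrace_dyn_arch_init() still fills it with `memcpy(ftrace_nop, ...)`, and that hunk's header (`-382,15 +386,15`) shows that no lines were added around the copies. That works only if the copy runs before read-only data is actually write-protected, which cannot be confirmed from this file. A comment at the definition would record the assumption: `/* written once from ftrace_dyn_arch_init(), before read-only data is protected */`.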
11689 @@ -273,6 +275,8 @@ ftrace_modify_code(unsigned long ip, uns
11691 unsigned char replaced[MCOUNT_INSN_SIZE];
11693 + ip = ktla_ktva(ip);
11696 * Note: Due to modules and __init, code can
11697 * disappear and change, we need to protect against faulting
11698 @@ -329,7 +333,7 @@ int ftrace_update_ftrace_func(ftrace_fun
11699 unsigned char old[MCOUNT_INSN_SIZE], *new;
11702 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11703 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11704 new = ftrace_call_replace(ip, (unsigned long)func);
11705 ret = ftrace_modify_code(ip, old, new);
11707 @@ -382,15 +386,15 @@ int __init ftrace_dyn_arch_init(void *da
11710 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
11711 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
11712 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
11715 pr_info("converting mcount calls to 66 66 66 66 90\n");
11716 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
11717 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
11720 pr_info("converting mcount calls to jmp . + 5\n");
11721 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
11722 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
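Review bot: The three rewritten copies pass a symbol straight to the translation helper, `ktla_ktva(ftrace_test_p6nop)`, while ftrace_update_ftrace_func() in the previous hunk writes `(void *)ktla_ktva((unsigned long)ftrace_call)`. One of the two forms is presumably relying on an implicit pointer/integer conversion; ktla_ktva is not defined in this file, so which one cannot be told from here. Using the explicit form everywhere, e.g. `memcpy(ftrace_nop, (void *)ktla_ktva((unsigned long)ftrace_test_p6nop), MCOUNT_INSN_SIZE);`, keeps the call sites consistent. ftrace_dyn_arch_init() extends beyond the hunk.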
11726 @@ -411,6 +415,8 @@ static int ftrace_mod_jmp(unsigned long
11728 unsigned char code[MCOUNT_INSN_SIZE];
11730 + ip = ktla_ktva(ip);
11732 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11735 diff -urNp linux-2.6.35.7/arch/x86/kernel/head32.c linux-2.6.35.7/arch/x86/kernel/head32.c
11736 --- linux-2.6.35.7/arch/x86/kernel/head32.c 2010-08-26 19:47:12.000000000 -0400
11737 +++ linux-2.6.35.7/arch/x86/kernel/head32.c 2010-09-17 20:12:09.000000000 -0400
11739 #include <asm/apic.h>
11740 #include <asm/io_apic.h>
11741 #include <asm/bios_ebda.h>
11742 +#include <asm/boot.h>
11744 static void __init i386_default_early_setup(void)
11746 @@ -40,7 +41,7 @@ void __init i386_start_kernel(void)
11750 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11751 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11753 #ifdef CONFIG_BLK_DEV_INITRD
11754 /* Reserve INITRD */
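Review bot: `reserve_early(LOAD_PHYSICAL_ADDR, ...)` swaps the link-derived start `__pa_symbol(&_text)` for a build-time constant with no #ifdef and no comment, so the start of the reserved range no longer follows where the image was actually placed. If the kernel can be loaded at an address other than LOAD_PHYSICAL_ADDR, the start would be wrong while the end (`__pa_symbol(&__bss_stop)`) still tracks the image. A comment stating why `_text` is no longer used as the start, and that a fixed load address is assumed, would make the intent checkable. i386_start_kernel() continues outside the hunk.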
11755 diff -urNp linux-2.6.35.7/arch/x86/kernel/head_32.S linux-2.6.35.7/arch/x86/kernel/head_32.S
11756 --- linux-2.6.35.7/arch/x86/kernel/head_32.S 2010-08-26 19:47:12.000000000 -0400
11757 +++ linux-2.6.35.7/arch/x86/kernel/head_32.S 2010-09-17 20:12:09.000000000 -0400
11759 /* Physical address */
11760 #define pa(X) ((X) - __PAGE_OFFSET)
11762 +#ifdef CONFIG_PAX_KERNEXEC
11765 +#define ta(X) ((X) - __PAGE_OFFSET)
11769 * References to members of the new_cpu_data structure.
11772 * and small than max_low_pfn, otherwise will waste some page table entries
11775 -#if PTRS_PER_PMD > 1
11776 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
11778 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
11780 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
11782 /* Enough space to fit pagetables for the low memory linear map */
11783 MAPPING_BEYOND_END = \
11784 @@ -75,6 +77,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
11785 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11788 + * Real beginning of normal "text" segment
11794 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
11795 * %esi points to the real-mode code as a 32-bit pointer.
11796 * CS and DS must be 4 GB flat segments, but we don't depend on
11797 @@ -82,6 +90,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11802 +#ifdef CONFIG_PAX_KERNEXEC
11804 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
11805 +.fill PAGE_SIZE-5,1,0xcc
11809 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
11810 us to not reload segments */
11811 @@ -99,6 +114,55 @@ ENTRY(startup_32)
11816 + movl $pa(cpu_gdt_table),%edi
11817 + movl $__per_cpu_load,%eax
11818 + movw %ax,__KERNEL_PERCPU + 2(%edi)
11820 + movb %al,__KERNEL_PERCPU + 4(%edi)
11821 + movb %ah,__KERNEL_PERCPU + 7(%edi)
11822 + movl $__per_cpu_end - 1,%eax
11823 + subl $__per_cpu_start,%eax
11824 + movw %ax,__KERNEL_PERCPU + 0(%edi)
11827 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11828 + movl $NR_CPUS,%ecx
11829 + movl $pa(cpu_gdt_table),%edi
11831 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
11832 + addl $PAGE_SIZE_asm,%edi
11836 +#ifdef CONFIG_PAX_KERNEXEC
11837 + movl $pa(boot_gdt),%edi
11838 + movl $__LOAD_PHYSICAL_ADDR,%eax
11839 + movw %ax,__BOOT_CS + 2(%edi)
11841 + movb %al,__BOOT_CS + 4(%edi)
11842 + movb %ah,__BOOT_CS + 7(%edi)
11845 + ljmp $(__BOOT_CS),$1f
11848 + movl $NR_CPUS,%ecx
11849 + movl $pa(cpu_gdt_table),%edi
11850 + addl $__PAGE_OFFSET,%eax
11852 + movw %ax,__KERNEL_CS + 2(%edi)
11853 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
11855 + movb %al,__KERNEL_CS + 4(%edi)
11856 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
11857 + movb %ah,__KERNEL_CS + 7(%edi)
11858 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
11860 + addl $PAGE_SIZE_asm,%edi
11865 * Clear BSS first so that there are no surprises...
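Review bot: The constant in `movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)` is undocumented, and it changes what kind of segment __KERNEL_DS is. Read as the high dword of a descriptor, 0xc0 is G=1/D=1 and access byte 0x97 is present, DPL 0, writable expand-down data with the accessed bit set, with limit bits 16..19 taken from __PAGE_OFFSET-1. A comment saying that, e.g. `/* KERNEL_DS: expand-down data segment, limit derived from __PAGE_OFFSET-1 */`, would let a reader verify it without a manual. Only the high dword is written on the lines shown; startup_32 continues outside the hunk.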
11867 @@ -142,9 +206,7 @@ ENTRY(startup_32)
11868 cmpl $num_subarch_entries, %eax
11871 - movl pa(subarch_entries)(,%eax,4), %eax
11872 - subl $__PAGE_OFFSET, %eax
11874 + jmp *pa(subarch_entries)(,%eax,4)
11878 @@ -156,10 +218,10 @@ WEAK(xen_entry)
11882 - .long default_entry /* normal x86/PC */
11883 - .long lguest_entry /* lguest hypervisor */
11884 - .long xen_entry /* Xen hypervisor */
11885 - .long default_entry /* Moorestown MID */
11886 + .long ta(default_entry) /* normal x86/PC */
11887 + .long ta(lguest_entry) /* lguest hypervisor */
11888 + .long ta(xen_entry) /* Xen hypervisor */
11889 + .long ta(default_entry) /* Moorestown MID */
11890 num_subarch_entries = (. - subarch_entries) / 4
11892 #endif /* CONFIG_PARAVIRT */
11893 @@ -220,8 +282,11 @@ default_entry:
11894 movl %eax, pa(max_pfn_mapped)
11896 /* Do early initialization of the fixmap area */
11897 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
11898 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11899 +#ifdef CONFIG_COMPAT_VDSO
11900 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11902 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11904 #else /* Not PAE */
11906 page_pde_offset = (__PAGE_OFFSET >> 20);
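Review bot: `$pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER` sets the user bit by addition; if PDE_IDENT_ATTR already contains _PAGE_USER the sum clears that bit and carries into the next one. PDE_IDENT_ATTR's value is not visible in this hunk, so this may be fine as the patch stands, but `movl $pa(swapper_pg_fixmap)+(PDE_IDENT_ATTR|_PAGE_USER),pa(swapper_pg_pmd+0x1000*KPMDS-8)` is correct either way. The non-PAE hunk that follows has the same expression for `pa(swapper_pg_dir+0xffc)`. A comment on why CONFIG_COMPAT_VDSO needs the fixmap entry user-accessible would also help.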
11907 @@ -251,8 +316,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
11908 movl %eax, pa(max_pfn_mapped)
11910 /* Do early initialization of the fixmap area */
11911 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
11912 - movl %eax,pa(swapper_pg_dir+0xffc)
11913 +#ifdef CONFIG_COMPAT_VDSO
11914 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
11916 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
11921 @@ -299,6 +367,7 @@ ENTRY(startup_32_smp)
11925 +#ifdef CONFIG_X86_PAE
11926 testb $X86_CR4_PAE, %al # check if PAE is enabled
11929 @@ -323,6 +392,9 @@ ENTRY(startup_32_smp)
11930 /* Make changes effective */
11933 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
11939 @@ -348,9 +420,7 @@ ENTRY(startup_32_smp)
11943 - jz 1f /* Initial CPU cleans BSS */
11946 + jnz checkCPUtype /* Initial CPU cleans BSS */
11947 #endif /* CONFIG_SMP */
11950 @@ -428,7 +498,7 @@ is386: movl $2,%ecx # set MP
11951 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
11952 movl %eax,%ss # after changing gdt.
11954 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
11955 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
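Review bot: The replacement line `# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment` leaves a commented-out instruction in the boot path. %eax was loaded with `$(__KERNEL_DS)` just above for the %ss reload, so the intent is presumably that no reload is needed; say that instead: `/* %eax still holds __KERNEL_DS from the %ss reload above */`. The stores to %ds/%es that consume %eax are not among the lines shown.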
11959 @@ -442,8 +512,11 @@ is386: movl $2,%ecx # set MP
11963 - movl $gdt_page,%eax
11964 + movl $cpu_gdt_table,%eax
11965 movl $stack_canary,%ecx
11967 + addl $__per_cpu_load,%ecx
11969 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
11971 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
11972 @@ -461,10 +534,6 @@ is386: movl $2,%ecx # set MP
11976 - cmpb $0,%cl # the first CPU calls start_kernel
11978 - movl (stack_start), %esp
11980 #endif /* CONFIG_SMP */
11981 jmp *(initial_code)
11983 @@ -550,22 +619,22 @@ early_page_fault:
11988 #ifdef CONFIG_PRINTK
11989 + cmpl $1,%ss:early_recursion_flag
11991 + incl %ss:early_recursion_flag
11994 movl $(__KERNEL_DS),%eax
11997 - cmpl $2,early_recursion_flag
11999 - incl early_recursion_flag
12002 pushl %edx /* trapno */
12011 @@ -573,8 +642,11 @@ hlt_loop:
12012 /* This is the default interrupt "handler" :-) */
12016 #ifdef CONFIG_PRINTK
12017 + cmpl $2,%ss:early_recursion_flag
12019 + incl %ss:early_recursion_flag
12024 @@ -583,9 +655,6 @@ ignore_int:
12025 movl $(__KERNEL_DS),%eax
12028 - cmpl $2,early_recursion_flag
12030 - incl early_recursion_flag
12034 @@ -612,27 +681,38 @@ ENTRY(initial_code)
12038 -__PAGE_ALIGNED_BSS
12039 - .align PAGE_SIZE_asm
12040 #ifdef CONFIG_X86_PAE
12041 +.section .swapper_pg_pmd,"a",@progbits
12043 .fill 1024*KPMDS,4,0
12045 +.section .swapper_pg_dir,"a",@progbits
12046 ENTRY(swapper_pg_dir)
12053 +.section .empty_zero_page,"a",@progbits
12054 ENTRY(empty_zero_page)
12058 + * The IDT has to be page-aligned to simplify the Pentium
12059 + * F0 0F bug workaround.. We have a special link segment
12062 +.section .idt,"a",@progbits
12067 * This starts the data section.
12069 #ifdef CONFIG_X86_PAE
12070 -__PAGE_ALIGNED_DATA
12071 - /* Page-aligned for the benefit of paravirt? */
12072 - .align PAGE_SIZE_asm
12073 +.section .swapper_pg_dir,"a",@progbits
12075 ENTRY(swapper_pg_dir)
12076 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12078 @@ -651,15 +731,24 @@ ENTRY(swapper_pg_dir)
12079 # error "Kernel PMDs should be 1, 2 or 3"
12081 .align PAGE_SIZE_asm /* needs to be page-sized too */
12083 +#ifdef CONFIG_PAX_PER_CPU_PGD
12094 - .long init_thread_union+THREAD_SIZE
12095 + .long init_thread_union+THREAD_SIZE-8
12100 +.section .rodata,"a",@progbits
12101 early_recursion_flag:
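Review bot: `early_recursion_flag` is placed in `.rodata` here, yet the early fault and ignore_int hunks above increment it with `incl %ss:early_recursion_flag`. That is only safe while .rodata is still mapped writable; ignore_int is described in this file as the default interrupt handler, so if it can still be reached after read-only data is write-protected the increment itself would fault. Either keep the flag in a writable section or add a comment at the definition stating when these handlers stop being reachable.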
12104 @@ -695,7 +784,7 @@ fault_msg:
12105 .word 0 # 32 bit align gdt_desc.address
12108 - .long boot_gdt - __PAGE_OFFSET
12109 + .long pa(boot_gdt)
12111 .word 0 # 32-bit align idt_desc.address
12113 @@ -706,7 +795,7 @@ idt_descr:
12114 .word 0 # 32 bit align gdt_desc.address
12115 ENTRY(early_gdt_descr)
12116 .word GDT_ENTRIES*8-1
12117 - .long gdt_page /* Overwritten for secondary CPUs */
12118 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12121 * The boot_gdt must mirror the equivalent in setup.S and is
12122 @@ -715,5 +804,65 @@ ENTRY(early_gdt_descr)
12123 .align L1_CACHE_BYTES
12125 .fill GDT_ENTRY_BOOT_CS,8,0
12126 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12127 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12128 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12129 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12131 + .align PAGE_SIZE_asm
12132 +ENTRY(cpu_gdt_table)
12134 + .quad 0x0000000000000000 /* NULL descriptor */
12135 + .quad 0x0000000000000000 /* 0x0b reserved */
12136 + .quad 0x0000000000000000 /* 0x13 reserved */
12137 + .quad 0x0000000000000000 /* 0x1b reserved */
12139 +#ifdef CONFIG_PAX_KERNEXEC
12140 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12142 + .quad 0x0000000000000000 /* 0x20 unused */
12145 + .quad 0x0000000000000000 /* 0x28 unused */
12146 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12147 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12148 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12149 + .quad 0x0000000000000000 /* 0x4b reserved */
12150 + .quad 0x0000000000000000 /* 0x53 reserved */
12151 + .quad 0x0000000000000000 /* 0x5b reserved */
12153 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12154 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12155 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12156 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12158 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12159 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12162 + * Segments used for calling PnP BIOS have byte granularity.
12163 + * The code segments and data segments have fixed 64k limits,
12164 + * the transfer segment sizes are set at run time.
12166 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12167 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12168 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12169 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12170 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12173 + * The APM segments have byte granularity and their bases
12174 + * are set at run time. All have 64k limits.
12176 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12177 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12178 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12180 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12181 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12182 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12183 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12184 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12185 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12187 + /* Be sure this is zeroed to avoid false validations in Xen */
12188 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
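Review bot: The boot_gdt descriptors change from 0x9a/0x92 to 0x9b/0x93 and every populated entry of the new cpu_gdt_table has an odd access byte, but the comments are unchanged and nothing says why. The difference is the descriptor's accessed bit; presumably it is pre-set so that loading a selector never makes the CPU write to a table that is meant to be read-only. A comment above `ENTRY(cpu_gdt_table)` stating that, e.g. `/* accessed bit pre-set in all descriptors: the CPU must not need to write the GDT */`, would stop someone normalising the values later. The table also has to match GDT_ENTRIES by hand for the `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` padding to be right.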
12190 diff -urNp linux-2.6.35.7/arch/x86/kernel/head_64.S linux-2.6.35.7/arch/x86/kernel/head_64.S
12191 --- linux-2.6.35.7/arch/x86/kernel/head_64.S 2010-08-26 19:47:12.000000000 -0400
12192 +++ linux-2.6.35.7/arch/x86/kernel/head_64.S 2010-09-17 20:12:09.000000000 -0400
12194 #include <asm/cache.h>
12195 #include <asm/processor-flags.h>
12196 #include <asm/percpu.h>
12197 +#include <asm/cpufeature.h>
12199 #ifdef CONFIG_PARAVIRT
12200 #include <asm/asm-offsets.h>
12201 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12202 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12203 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12204 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12205 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12206 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12207 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12208 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12212 @@ -85,35 +90,22 @@ startup_64:
12214 addq %rbp, init_level4_pgt + 0(%rip)
12215 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12216 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12217 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12218 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12220 addq %rbp, level3_ident_pgt + 0(%rip)
12221 +#ifndef CONFIG_XEN
12222 + addq %rbp, level3_ident_pgt + 8(%rip)
12225 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12226 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12227 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12229 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12230 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12231 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12233 - /* Add an Identity mapping if I am above 1G */
12234 - leaq _text(%rip), %rdi
12235 - andq $PMD_PAGE_MASK, %rdi
12238 - shrq $PUD_SHIFT, %rax
12239 - andq $(PTRS_PER_PUD - 1), %rax
12240 - jz ident_complete
12242 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12243 - leaq level3_ident_pgt(%rip), %rbx
12244 - movq %rdx, 0(%rbx, %rax, 8)
12247 - shrq $PMD_SHIFT, %rax
12248 - andq $(PTRS_PER_PMD - 1), %rax
12249 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12250 - leaq level2_spare_pgt(%rip), %rbx
12251 - movq %rdx, 0(%rbx, %rax, 8)
12253 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12254 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12257 * Fixup the kernel text+data virtual addresses. Note that
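Review bot: The removed block ("Add an Identity mapping if I am above 1G") built an identity mapping for wherever `_text` was loaded; after the change the only provision visible is the second level3_ident_pgt slot (`addq %rbp, level3_ident_pgt + 8(%rip)`, and only under `#ifndef CONFIG_XEN`). If the image can be loaded above what those two slots cover, early boot would run without an identity mapping for its own text, so the limit should be stated in a comment or enforced at build time. Separately, `level2_fixmap_pgt + (506*8)` and the new `(507*8)` stay as bare indices while 510/511 were replaced by `L3_START_KERNEL`; a named constant would match. startup_64 continues outside the hunk.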
12258 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12259 * after the boot processor executes this code.
12262 - /* Enable PAE mode and PGE */
12263 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12264 + /* Enable PAE mode and PSE/PGE */
12265 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12268 /* Setup early boot stage 4 level pagetables. */
12269 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12270 movl $MSR_EFER, %ecx
12272 btsl $_EFER_SCE, %eax /* Enable System Call */
12273 - btl $20,%edi /* No Execute supported? */
12274 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
12276 btsl $_EFER_NX, %eax
12277 + leaq init_level4_pgt(%rip), %rdi
12278 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12279 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12280 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12281 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12282 1: wrmsr /* Make changes effective */
12285 @@ -271,7 +268,7 @@ ENTRY(secondary_startup_64)
12289 - .section ".init.text","ax"
12291 #ifdef CONFIG_EARLY_PRINTK
12292 .globl early_idt_handlers
12293 early_idt_handlers:
12294 @@ -316,18 +313,23 @@ ENTRY(early_idt_handler)
12295 #endif /* EARLY_PRINTK */
12300 #ifdef CONFIG_EARLY_PRINTK
12302 early_recursion_flag:
12306 + .section .rodata,"a",@progbits
12308 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12311 -#endif /* CONFIG_EARLY_PRINTK */
12313 +#endif /* CONFIG_EARLY_PRINTK */
12315 + .section .rodata,"a",@progbits
12316 #define NEXT_PAGE(name) \
12317 .balign PAGE_SIZE; \
12319 @@ -351,13 +353,36 @@ NEXT_PAGE(init_level4_pgt)
12320 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12321 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12322 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12323 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
12324 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12325 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12326 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12327 .org init_level4_pgt + L4_START_KERNEL*8, 0
12328 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12329 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12331 +#ifdef CONFIG_PAX_PER_CPU_PGD
12332 +NEXT_PAGE(cpu_pgd)
12338 NEXT_PAGE(level3_ident_pgt)
12339 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12343 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12347 +NEXT_PAGE(level3_vmalloc_pgt)
12350 +NEXT_PAGE(level3_vmemmap_pgt)
12351 + .fill L3_VMEMMAP_START,8,0
12352 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12354 NEXT_PAGE(level3_kernel_pgt)
12355 .fill L3_START_KERNEL,8,0
12356 @@ -365,20 +390,23 @@ NEXT_PAGE(level3_kernel_pgt)
12357 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12358 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12360 +NEXT_PAGE(level2_vmemmap_pgt)
12363 NEXT_PAGE(level2_fixmap_pgt)
12365 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12366 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12369 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12370 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12373 -NEXT_PAGE(level1_fixmap_pgt)
12374 +NEXT_PAGE(level1_vsyscall_pgt)
12377 -NEXT_PAGE(level2_ident_pgt)
12378 - /* Since I easily can, map the first 1G.
12379 + /* Since I easily can, map the first 2G.
12380 * Don't set NX because code runs from these pages.
12382 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12383 +NEXT_PAGE(level2_ident_pgt)
12384 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12386 NEXT_PAGE(level2_kernel_pgt)
12388 @@ -391,33 +419,55 @@ NEXT_PAGE(level2_kernel_pgt)
12389 * If you want to increase this then increase MODULES_VADDR
12392 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12393 - KERNEL_IMAGE_SIZE/PMD_SIZE)
12395 -NEXT_PAGE(level2_spare_pgt)
12397 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12404 +ENTRY(cpu_gdt_table)
12406 + .quad 0x0000000000000000 /* NULL descriptor */
12407 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12408 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
12409 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
12410 + .quad 0x00cffb000000ffff /* __USER32_CS */
12411 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12412 + .quad 0x00affb000000ffff /* __USER_CS */
12414 +#ifdef CONFIG_PAX_KERNEXEC
12415 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12417 + .quad 0x0 /* unused */
12420 + .quad 0,0 /* TSS */
12421 + .quad 0,0 /* LDT */
12422 + .quad 0,0,0 /* three TLS descriptors */
12423 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
12424 + /* asm/segment.h:GDT_ENTRIES must match this */
12426 + /* zero the remaining page */
12427 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12431 .globl early_gdt_descr
12433 .word GDT_ENTRIES*8-1
12434 early_gdt_descr_base:
12435 - .quad INIT_PER_CPU_VAR(gdt_page)
12436 + .quad cpu_gdt_table
12439 /* This must match the first entry in level2_kernel_pgt */
12440 .quad 0x0000000000000000
12442 #include "../../x86/xen/xen-head.S"
12444 - .section .bss, "aw", @nobits
12446 + .section .rodata,"a",@progbits
12447 .align L1_CACHE_BYTES
12449 - .skip IDT_ENTRIES * 16
12454 diff -urNp linux-2.6.35.7/arch/x86/kernel/i386_ksyms_32.c linux-2.6.35.7/arch/x86/kernel/i386_ksyms_32.c
12455 --- linux-2.6.35.7/arch/x86/kernel/i386_ksyms_32.c 2010-08-26 19:47:12.000000000 -0400
12456 +++ linux-2.6.35.7/arch/x86/kernel/i386_ksyms_32.c 2010-09-17 20:12:09.000000000 -0400
12457 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12458 EXPORT_SYMBOL(cmpxchg8b_emu);
12461 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12463 /* Networking helper routines. */
12464 EXPORT_SYMBOL(csum_partial_copy_generic);
12465 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12466 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12468 EXPORT_SYMBOL(__get_user_1);
12469 EXPORT_SYMBOL(__get_user_2);
12470 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12472 EXPORT_SYMBOL(csum_partial);
12473 EXPORT_SYMBOL(empty_zero_page);
12475 +#ifdef CONFIG_PAX_KERNEXEC
12476 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12478 diff -urNp linux-2.6.35.7/arch/x86/kernel/init_task.c linux-2.6.35.7/arch/x86/kernel/init_task.c
12479 --- linux-2.6.35.7/arch/x86/kernel/init_task.c 2010-08-26 19:47:12.000000000 -0400
12480 +++ linux-2.6.35.7/arch/x86/kernel/init_task.c 2010-09-17 20:12:09.000000000 -0400
12481 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12482 * section. Since TSS's are completely CPU-local, we want them
12483 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12485 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12487 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12488 +EXPORT_SYMBOL(init_tss);
12489 diff -urNp linux-2.6.35.7/arch/x86/kernel/ioport.c linux-2.6.35.7/arch/x86/kernel/ioport.c
12490 --- linux-2.6.35.7/arch/x86/kernel/ioport.c 2010-08-26 19:47:12.000000000 -0400
12491 +++ linux-2.6.35.7/arch/x86/kernel/ioport.c 2010-09-17 20:12:37.000000000 -0400
12493 #include <linux/sched.h>
12494 #include <linux/kernel.h>
12495 #include <linux/capability.h>
12496 +#include <linux/security.h>
12497 #include <linux/errno.h>
12498 #include <linux/types.h>
12499 #include <linux/ioport.h>
12500 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12502 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12504 +#ifdef CONFIG_GRKERNSEC_IO
12505 + if (turn_on && grsec_disable_privio) {
12506 + gr_handle_ioperm();
12510 if (turn_on && !capable(CAP_SYS_RAWIO))
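Review bot: The `grsec_disable_privio` test in sys_ioperm sits before the `capable(CAP_SYS_RAWIO)` test, so `gr_handle_ioperm()` runs for every caller that asks to enable ports, including callers the capability check would have refused anyway. The handler's body is not shown here; if it writes an audit record, an unprivileged process can generate records at will, so either move the block below the capability check or state in a comment that the handler is rate-limited. The sys_iopl hunk further down has the same ordering with `gr_handle_iopl()`. A comment such as `/* privileged I/O disabled system-wide: refuse even with CAP_SYS_RAWIO */` would also make the intent explicit.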
12513 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12514 * because the ->io_bitmap_max value must match the bitmap
12517 - tss = &per_cpu(init_tss, get_cpu());
12518 + tss = init_tss + get_cpu();
12520 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12522 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
12524 /* Trying to gain more privileges? */
12526 +#ifdef CONFIG_GRKERNSEC_IO
12527 + if (grsec_disable_privio) {
12528 + gr_handle_iopl();
12532 if (!capable(CAP_SYS_RAWIO))
12535 diff -urNp linux-2.6.35.7/arch/x86/kernel/irq_32.c linux-2.6.35.7/arch/x86/kernel/irq_32.c
12536 --- linux-2.6.35.7/arch/x86/kernel/irq_32.c 2010-08-26 19:47:12.000000000 -0400
12537 +++ linux-2.6.35.7/arch/x86/kernel/irq_32.c 2010-09-17 20:12:09.000000000 -0400
12538 @@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
12541 /* build the stack frame on the IRQ stack */
12542 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12543 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12544 irqctx->tinfo.task = curctx->tinfo.task;
12545 irqctx->tinfo.previous_esp = current_stack_pointer;
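Review bot: The `- 8` in `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);` is an unexplained magic number. It is repeated in the do_softirq hunk below and, apparently for the same reason, in copy_thread in process_32.c (`THREAD_SIZE - sizeof(struct pt_regs) - 8`). A single named constant with a comment saying what the reserved bytes at the top of the stack are for would keep these sites in step, for example `#define STACK_TOP_RESERVE 8` (name constructed for illustration). execute_on_irq_stack starts and ends outside the hunk.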
12547 @@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
12548 irqctx->tinfo.previous_esp = current_stack_pointer;
12550 /* build the stack frame on the softirq stack */
12551 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12552 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12554 call_on_stack(__do_softirq, isp);
12556 diff -urNp linux-2.6.35.7/arch/x86/kernel/kgdb.c linux-2.6.35.7/arch/x86/kernel/kgdb.c
12557 --- linux-2.6.35.7/arch/x86/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
12558 +++ linux-2.6.35.7/arch/x86/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
12559 @@ -77,7 +77,7 @@ void pt_regs_to_gdb_regs(unsigned long *
12560 gdb_regs[GDB_CS] = regs->cs;
12561 gdb_regs[GDB_FS] = 0xFFFF;
12562 gdb_regs[GDB_GS] = 0xFFFF;
12563 - if (user_mode_vm(regs)) {
12564 + if (user_mode(regs)) {
12565 gdb_regs[GDB_SS] = regs->ss;
12566 gdb_regs[GDB_SP] = regs->sp;
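Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in pt_regs_to_gdb_regs is only equivalent if `user_mode()` is redefined elsewhere in this patch to cover vm86 frames. With the stock 32-bit definition a vm86 frame would be classified as kernel mode and SS/SP would be taken from the wrong branch. That redefinition is not visible here, so the call site deserves a one-line comment such as `/* user_mode() is expected to cover vm86 frames too */`. The same substitution appears in the kprobe_exceptions_notify, __show_regs and fill_sigtrap_info hunks, and pt_regs_to_gdb_regs itself starts and ends outside the hunk.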
12568 @@ -720,7 +720,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12572 -struct kgdb_arch arch_kgdb_ops = {
12573 +const struct kgdb_arch arch_kgdb_ops = {
12574 /* Breakpoint instruction: */
12575 .gdb_bpt_instr = { 0xcc },
12576 .flags = KGDB_HW_BREAKPOINT,
12577 diff -urNp linux-2.6.35.7/arch/x86/kernel/kprobes.c linux-2.6.35.7/arch/x86/kernel/kprobes.c
12578 --- linux-2.6.35.7/arch/x86/kernel/kprobes.c 2010-08-26 19:47:12.000000000 -0400
12579 +++ linux-2.6.35.7/arch/x86/kernel/kprobes.c 2010-09-17 20:12:09.000000000 -0400
12580 @@ -114,9 +114,12 @@ static void __kprobes __synthesize_relat
12582 } __attribute__((packed)) *insn;
12584 - insn = (struct __arch_relative_insn *)from;
12585 + insn = (struct __arch_relative_insn *)(ktla_ktva(from));
12587 + pax_open_kernel();
12588 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12590 + pax_close_kernel();
12593 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
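Review bot: In __synthesize_relative_insn the store now goes through `ktla_ktva(from)` while the displacement is still computed from the untranslated `from`, and nothing in the code says that this asymmetry is intended. It looks correct for a relative branch that will execute at `from`, but a later cleanup could easily "fix" one of the two. A comment above the cast would prevent that, e.g. `/* store via the translated address; the offset stays relative to the address the CPU executes from */`. The function starts outside the hunk.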
12594 @@ -315,7 +318,9 @@ static int __kprobes __copy_instruction(
12597 insn_get_length(&insn);
12598 + pax_open_kernel();
12599 memcpy(dest, insn.kaddr, insn.length);
12600 + pax_close_kernel();
12602 #ifdef CONFIG_X86_64
12603 if (insn_rip_relative(&insn)) {
12604 @@ -339,7 +344,9 @@ static int __kprobes __copy_instruction(
12606 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
12607 disp = (u8 *) dest + insn_offset_displacement(&insn);
12608 + pax_open_kernel();
12609 *(s32 *) disp = (s32) newdisp;
12610 + pax_close_kernel();
12613 return insn.length;
12614 @@ -353,12 +360,12 @@ static void __kprobes arch_copy_kprobe(s
12616 __copy_instruction(p->ainsn.insn, p->addr, 0);
12618 - if (can_boost(p->addr))
12619 + if (can_boost(ktla_ktva(p->addr)))
12620 p->ainsn.boostable = 0;
12622 p->ainsn.boostable = -1;
12624 - p->opcode = *p->addr;
12625 + p->opcode = *(ktla_ktva(p->addr));
12628 int __kprobes arch_prepare_kprobe(struct kprobe *p)
12629 @@ -475,7 +482,7 @@ static void __kprobes setup_singlestep(s
12630 * nor set current_kprobe, because it doesn't use single
12633 - regs->ip = (unsigned long)p->ainsn.insn;
12634 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12635 preempt_enable_no_resched();
12638 @@ -494,7 +501,7 @@ static void __kprobes setup_singlestep(s
12639 if (p->opcode == BREAKPOINT_INSTRUCTION)
12640 regs->ip = (unsigned long)p->addr;
12642 - regs->ip = (unsigned long)p->ainsn.insn;
12643 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12647 @@ -573,7 +580,7 @@ static int __kprobes kprobe_handler(stru
12648 setup_singlestep(p, regs, kcb, 0);
12651 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
12652 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
12654 * The breakpoint instruction was removed right
12655 * after we hit it. Another cpu has removed
12656 @@ -799,7 +806,7 @@ static void __kprobes resume_execution(s
12657 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12659 unsigned long *tos = stack_addr(regs);
12660 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12661 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12662 unsigned long orig_ip = (unsigned long)p->addr;
12663 kprobe_opcode_t *insn = p->ainsn.insn;
12665 @@ -982,7 +989,7 @@ int __kprobes kprobe_exceptions_notify(s
12666 struct die_args *args = data;
12667 int ret = NOTIFY_DONE;
12669 - if (args->regs && user_mode_vm(args->regs))
12670 + if (args->regs && user_mode(args->regs))
12674 diff -urNp linux-2.6.35.7/arch/x86/kernel/ldt.c linux-2.6.35.7/arch/x86/kernel/ldt.c
12675 --- linux-2.6.35.7/arch/x86/kernel/ldt.c 2010-08-26 19:47:12.000000000 -0400
12676 +++ linux-2.6.35.7/arch/x86/kernel/ldt.c 2010-10-11 22:41:44.000000000 -0400
12677 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
12682 + load_LDT_nolock(pc);
12683 if (!cpumask_equal(mm_cpumask(current->mm),
12684 cpumask_of(smp_processor_id())))
12685 smp_call_function(flush_ldt, current->mm, 1);
12689 + load_LDT_nolock(pc);
12693 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
12696 for (i = 0; i < old->size; i++)
12697 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
12698 + write_ldt_entry(new->ldt, i, old->ldt + i);
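Review bot: `old->ldt + i` in copy_ldt steps by one descriptor only if the `ldt` field is now a typed descriptor pointer. If the field is still `void *`, the new expression advances one byte per entry and copies misaligned data. The type change is not part of this hunk, so the two must land together. Writing the argument as `&old->ldt[i]` would at least draw a compiler diagnostic if the field were ever untyped again.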
12702 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
12703 retval = copy_ldt(&mm->context, &old_mm->context);
12704 mutex_unlock(&old_mm->context.lock);
12707 + if (tsk == current) {
12708 + mm->context.vdso = 0;
12710 +#ifdef CONFIG_X86_32
12711 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
12712 + mm->context.user_cs_base = 0UL;
12713 + mm->context.user_cs_limit = ~0UL;
12715 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
12716 + cpus_clear(mm->context.cpu_user_cs_mask);
12727 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
12731 +#ifdef CONFIG_PAX_SEGMEXEC
12732 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
12738 fill_ldt(&ldt, &ldt_info);
12741 diff -urNp linux-2.6.35.7/arch/x86/kernel/machine_kexec_32.c linux-2.6.35.7/arch/x86/kernel/machine_kexec_32.c
12742 --- linux-2.6.35.7/arch/x86/kernel/machine_kexec_32.c 2010-08-26 19:47:12.000000000 -0400
12743 +++ linux-2.6.35.7/arch/x86/kernel/machine_kexec_32.c 2010-09-17 20:12:09.000000000 -0400
12745 #include <asm/cacheflush.h>
12746 #include <asm/debugreg.h>
12748 -static void set_idt(void *newidt, __u16 limit)
12749 +static void set_idt(struct desc_struct *newidt, __u16 limit)
12751 struct desc_ptr curidt;
12753 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
12757 -static void set_gdt(void *newgdt, __u16 limit)
12758 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
12760 struct desc_ptr curgdt;
12762 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
12765 control_page = page_address(image->control_code_page);
12766 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
12767 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
12769 relocate_kernel_ptr = control_page;
12770 page_list[PA_CONTROL_PAGE] = __pa(control_page);
12771 diff -urNp linux-2.6.35.7/arch/x86/kernel/microcode_amd.c linux-2.6.35.7/arch/x86/kernel/microcode_amd.c
12772 --- linux-2.6.35.7/arch/x86/kernel/microcode_amd.c 2010-08-26 19:47:12.000000000 -0400
12773 +++ linux-2.6.35.7/arch/x86/kernel/microcode_amd.c 2010-09-17 20:12:09.000000000 -0400
12774 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
12778 -static struct microcode_ops microcode_amd_ops = {
12779 +static const struct microcode_ops microcode_amd_ops = {
12780 .request_microcode_user = request_microcode_user,
12781 .request_microcode_fw = request_microcode_fw,
12782 .collect_cpu_info = collect_cpu_info_amd,
12783 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
12784 .microcode_fini_cpu = microcode_fini_cpu_amd,
12787 -struct microcode_ops * __init init_amd_microcode(void)
12788 +const struct microcode_ops * __init init_amd_microcode(void)
12790 return µcode_amd_ops;
12792 diff -urNp linux-2.6.35.7/arch/x86/kernel/microcode_core.c linux-2.6.35.7/arch/x86/kernel/microcode_core.c
12793 --- linux-2.6.35.7/arch/x86/kernel/microcode_core.c 2010-08-26 19:47:12.000000000 -0400
12794 +++ linux-2.6.35.7/arch/x86/kernel/microcode_core.c 2010-09-17 20:12:09.000000000 -0400
12795 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
12797 #define MICROCODE_VERSION "2.00"
12799 -static struct microcode_ops *microcode_ops;
12800 +static const struct microcode_ops *microcode_ops;
12804 diff -urNp linux-2.6.35.7/arch/x86/kernel/microcode_intel.c linux-2.6.35.7/arch/x86/kernel/microcode_intel.c
12805 --- linux-2.6.35.7/arch/x86/kernel/microcode_intel.c 2010-08-26 19:47:12.000000000 -0400
12806 +++ linux-2.6.35.7/arch/x86/kernel/microcode_intel.c 2010-09-17 20:12:09.000000000 -0400
12807 @@ -446,13 +446,13 @@ static enum ucode_state request_microcod
12809 static int get_ucode_user(void *to, const void *from, size_t n)
12811 - return copy_from_user(to, from, n);
12812 + return copy_from_user(to, (__force const void __user *)from, n);
12815 static enum ucode_state
12816 request_microcode_user(int cpu, const void __user *buf, size_t size)
12818 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
12819 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
12822 static void microcode_fini_cpu(int cpu)
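Review bot: The `__force` casts in get_ucode_user and request_microcode_user silence the address-space checker rather than fix the typing. A `__user` pointer is cast to plain `void *` so it can pass through generic_load_microcode's `const void *` callback argument, then cast back. That is acceptable only while this getter is never paired with a kernel buffer, which should be written down above get_ucode_user, e.g. `/* from is always a user pointer here; the generic loader is address-space agnostic */`.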
12823 @@ -463,7 +463,7 @@ static void microcode_fini_cpu(int cpu)
12827 -static struct microcode_ops microcode_intel_ops = {
12828 +static const struct microcode_ops microcode_intel_ops = {
12829 .request_microcode_user = request_microcode_user,
12830 .request_microcode_fw = request_microcode_fw,
12831 .collect_cpu_info = collect_cpu_info,
12832 @@ -471,7 +471,7 @@ static struct microcode_ops microcode_in
12833 .microcode_fini_cpu = microcode_fini_cpu,
12836 -struct microcode_ops * __init init_intel_microcode(void)
12837 +const struct microcode_ops * __init init_intel_microcode(void)
12839 return µcode_intel_ops;
12841 diff -urNp linux-2.6.35.7/arch/x86/kernel/module.c linux-2.6.35.7/arch/x86/kernel/module.c
12842 --- linux-2.6.35.7/arch/x86/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
12843 +++ linux-2.6.35.7/arch/x86/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
12845 #define DEBUGP(fmt...)
12848 -void *module_alloc(unsigned long size)
12849 +static void *__module_alloc(unsigned long size, pgprot_t prot)
12851 struct vm_struct *area;
12853 @@ -49,8 +49,18 @@ void *module_alloc(unsigned long size)
12857 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
12858 - PAGE_KERNEL_EXEC);
12859 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
12862 +void *module_alloc(unsigned long size)
12865 +#ifdef CONFIG_PAX_KERNEXEC
12866 + return __module_alloc(size, PAGE_KERNEL);
12868 + return __module_alloc(size, PAGE_KERNEL_EXEC);
12873 /* Free memory returned from module_alloc */
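Review bot: Under CONFIG_PAX_KERNEXEC, module_alloc() now returns non-executable memory (`PAGE_KERNEL`), which silently changes the contract for any caller that used it to obtain memory for code. A comment on module_alloc would record the rule, e.g. `/* KERNEXEC: data only, never executable; use module_alloc_exec() for text */`. Separately, `__GFP_ZERO` is added in `__module_alloc` outside the #ifdef, so builds without KERNEXEC also get zeroed module memory. If that is intended it deserves a comment as well.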
12874 @@ -59,6 +69,40 @@ void module_free(struct module *mod, voi
12875 vfree(module_region);
12878 +#ifdef CONFIG_PAX_KERNEXEC
12879 +#ifdef CONFIG_X86_32
12880 +void *module_alloc_exec(unsigned long size)
12882 + struct vm_struct *area;
12887 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
12888 + return area ? area->addr : NULL;
12890 +EXPORT_SYMBOL(module_alloc_exec);
12892 +void module_free_exec(struct module *mod, void *module_region)
12894 + vunmap(module_region);
12896 +EXPORT_SYMBOL(module_free_exec);
12898 +void module_free_exec(struct module *mod, void *module_region)
12900 + module_free(mod, module_region);
12902 +EXPORT_SYMBOL(module_free_exec);
12904 +void *module_alloc_exec(unsigned long size)
12906 + return __module_alloc(size, PAGE_KERNEL_RX);
12908 +EXPORT_SYMBOL(module_alloc_exec);
12912 /* We don't need anything special. */
12913 int module_frob_arch_sections(Elf_Ehdr *hdr,
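Review bot: `EXPORT_SYMBOL(module_alloc_exec)` and `EXPORT_SYMBOL(module_free_exec)` make an allocator for executable kernel memory callable from any loaded module, which widens what KERNEXEC is trying to narrow. If the only callers are built in (not determinable from this hunk), drop the exports; otherwise `EXPORT_SYMBOL_GPL` is the narrower choice. Separately, the 32-bit module_alloc_exec obtains its region with `__get_vm_area()` and module_free_exec releases it with `vunmap()`. A comment stating how the MODULES_EXEC range gets its backing pages, and why `vunmap()` is the matching release, would let a reader confirm this is not a leak.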
12915 @@ -78,14 +122,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
12917 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
12919 - uint32_t *location;
12920 + uint32_t *plocation, location;
12922 DEBUGP("Applying relocate section %u to %u\n", relsec,
12923 sechdrs[relsec].sh_info);
12924 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
12925 /* This is where to make the change */
12926 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
12927 - + rel[i].r_offset;
12928 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
12929 + location = (uint32_t)plocation;
12930 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
12931 + plocation = ktla_ktva((void *)plocation);
12932 /* This is the symbol it is referring to. Note that all
12933 undefined symbols have been resolved. */
12934 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
12935 @@ -94,11 +140,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
12936 switch (ELF32_R_TYPE(rel[i].r_info)) {
12938 /* We add the value into the location given */
12939 - *location += sym->st_value;
12940 + pax_open_kernel();
12941 + *plocation += sym->st_value;
12942 + pax_close_kernel();
12945 /* Add the value, subtract its postition */
12946 - *location += sym->st_value - (uint32_t)location;
12947 + pax_open_kernel();
12948 + *plocation += sym->st_value - location;
12949 + pax_close_kernel();
12952 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
12953 @@ -154,21 +204,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
12954 case R_X86_64_NONE:
12957 + pax_open_kernel();
12959 + pax_close_kernel();
12962 + pax_open_kernel();
12964 + pax_close_kernel();
12965 if (val != *(u32 *)loc)
12969 + pax_open_kernel();
12971 + pax_close_kernel();
12972 if ((s64)val != *(s32 *)loc)
12975 case R_X86_64_PC32:
12977 + pax_open_kernel();
12979 + pax_close_kernel();
12982 if ((s64)val != *(s32 *)loc)
12984 diff -urNp linux-2.6.35.7/arch/x86/kernel/paravirt.c linux-2.6.35.7/arch/x86/kernel/paravirt.c
12985 --- linux-2.6.35.7/arch/x86/kernel/paravirt.c 2010-08-26 19:47:12.000000000 -0400
12986 +++ linux-2.6.35.7/arch/x86/kernel/paravirt.c 2010-09-17 20:12:09.000000000 -0400
12987 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
12988 * corresponding structure. */
12989 static void *get_call_destination(u8 type)
12991 - struct paravirt_patch_template tmpl = {
12992 + const struct paravirt_patch_template tmpl = {
12993 .pv_init_ops = pv_init_ops,
12994 .pv_time_ops = pv_time_ops,
12995 .pv_cpu_ops = pv_cpu_ops,
12996 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
12997 if (opfunc == NULL)
12998 /* If there's no function, patch it with a ud2a (BUG) */
12999 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13000 - else if (opfunc == _paravirt_nop)
13001 + else if (opfunc == (void *)_paravirt_nop)
13002 /* If the operation is a nop, then nop the callsite */
13003 ret = paravirt_patch_nop();
13005 /* identity functions just return their single argument */
13006 - else if (opfunc == _paravirt_ident_32)
13007 + else if (opfunc == (void *)_paravirt_ident_32)
13008 ret = paravirt_patch_ident_32(insnbuf, len);
13009 - else if (opfunc == _paravirt_ident_64)
13010 + else if (opfunc == (void *)_paravirt_ident_64)
13011 ret = paravirt_patch_ident_64(insnbuf, len);
13013 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
13014 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
13015 if (insn_len > len || start == NULL)
13018 - memcpy(insnbuf, start, insn_len);
13019 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13023 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13027 -struct pv_info pv_info = {
13028 +struct pv_info pv_info __read_only = {
13029 .name = "bare hardware",
13030 .paravirt_enabled = 0,
13032 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13035 -struct pv_init_ops pv_init_ops = {
13036 +struct pv_init_ops pv_init_ops __read_only = {
13037 .patch = native_patch,
13040 -struct pv_time_ops pv_time_ops = {
13041 +struct pv_time_ops pv_time_ops __read_only = {
13042 .sched_clock = native_sched_clock,
13045 -struct pv_irq_ops pv_irq_ops = {
13046 +struct pv_irq_ops pv_irq_ops __read_only = {
13047 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13048 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13049 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
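Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops` and `pv_irq_ops` as `__read_only` (the following hunks do the same for the remaining pv_*_ops tables) means any code that assigns to their members after the protection is active will fault, and those writers are not in this file section. Guest-setup code conventionally overwrites these tables during early boot. It should be checked that every such assignment either happens before write protection is applied or is wrapped in `pax_open_kernel()`/`pax_close_kernel()`. A comment at the first definition, e.g. `/* read-only after init: late writers must use pax_open_kernel() */`, would record the rule.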
13050 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13054 -struct pv_cpu_ops pv_cpu_ops = {
13055 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13056 .cpuid = native_cpuid,
13057 .get_debugreg = native_get_debugreg,
13058 .set_debugreg = native_set_debugreg,
13059 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13060 .end_context_switch = paravirt_nop,
13063 -struct pv_apic_ops pv_apic_ops = {
13064 +struct pv_apic_ops pv_apic_ops __read_only = {
13065 #ifdef CONFIG_X86_LOCAL_APIC
13066 .startup_ipi_hook = paravirt_nop,
13068 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13069 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13072 -struct pv_mmu_ops pv_mmu_ops = {
13073 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13075 .read_cr2 = native_read_cr2,
13076 .write_cr2 = native_write_cr2,
13077 @@ -463,6 +463,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13080 .set_fixmap = native_set_fixmap,
13082 +#ifdef CONFIG_PAX_KERNEXEC
13083 + .pax_open_kernel = native_pax_open_kernel,
13084 + .pax_close_kernel = native_pax_close_kernel,
13089 EXPORT_SYMBOL_GPL(pv_time_ops);
13090 diff -urNp linux-2.6.35.7/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.35.7/arch/x86/kernel/paravirt-spinlocks.c
13091 --- linux-2.6.35.7/arch/x86/kernel/paravirt-spinlocks.c 2010-08-26 19:47:12.000000000 -0400
13092 +++ linux-2.6.35.7/arch/x86/kernel/paravirt-spinlocks.c 2010-09-17 20:12:09.000000000 -0400
13093 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13094 arch_spin_lock(lock);
13097 -struct pv_lock_ops pv_lock_ops = {
13098 +struct pv_lock_ops pv_lock_ops __read_only = {
13100 .spin_is_locked = __ticket_spin_is_locked,
13101 .spin_is_contended = __ticket_spin_is_contended,
13102 diff -urNp linux-2.6.35.7/arch/x86/kernel/pci-calgary_64.c linux-2.6.35.7/arch/x86/kernel/pci-calgary_64.c
13103 --- linux-2.6.35.7/arch/x86/kernel/pci-calgary_64.c 2010-08-26 19:47:12.000000000 -0400
13104 +++ linux-2.6.35.7/arch/x86/kernel/pci-calgary_64.c 2010-09-17 20:12:09.000000000 -0400
13105 @@ -475,7 +475,7 @@ static void calgary_free_coherent(struct
13106 free_pages((unsigned long)vaddr, get_order(size));
13109 -static struct dma_map_ops calgary_dma_ops = {
13110 +static const struct dma_map_ops calgary_dma_ops = {
13111 .alloc_coherent = calgary_alloc_coherent,
13112 .free_coherent = calgary_free_coherent,
13113 .map_sg = calgary_map_sg,
13114 diff -urNp linux-2.6.35.7/arch/x86/kernel/pci-dma.c linux-2.6.35.7/arch/x86/kernel/pci-dma.c
13115 --- linux-2.6.35.7/arch/x86/kernel/pci-dma.c 2010-08-26 19:47:12.000000000 -0400
13116 +++ linux-2.6.35.7/arch/x86/kernel/pci-dma.c 2010-09-17 20:12:09.000000000 -0400
13119 static int forbid_dac __read_mostly;
13121 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13122 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13123 EXPORT_SYMBOL(dma_ops);
13125 static int iommu_sac_force __read_mostly;
13126 @@ -248,7 +248,7 @@ early_param("iommu", iommu_setup);
13128 int dma_supported(struct device *dev, u64 mask)
13130 - struct dma_map_ops *ops = get_dma_ops(dev);
13131 + const struct dma_map_ops *ops = get_dma_ops(dev);
13134 if (mask > 0xffffffff && forbid_dac > 0) {
13135 diff -urNp linux-2.6.35.7/arch/x86/kernel/pci-gart_64.c linux-2.6.35.7/arch/x86/kernel/pci-gart_64.c
13136 --- linux-2.6.35.7/arch/x86/kernel/pci-gart_64.c 2010-08-26 19:47:12.000000000 -0400
13137 +++ linux-2.6.35.7/arch/x86/kernel/pci-gart_64.c 2010-09-17 20:12:09.000000000 -0400
13138 @@ -699,7 +699,7 @@ static __init int init_k8_gatt(struct ag
13142 -static struct dma_map_ops gart_dma_ops = {
13143 +static const struct dma_map_ops gart_dma_ops = {
13144 .map_sg = gart_map_sg,
13145 .unmap_sg = gart_unmap_sg,
13146 .map_page = gart_map_page,
13147 diff -urNp linux-2.6.35.7/arch/x86/kernel/pci-nommu.c linux-2.6.35.7/arch/x86/kernel/pci-nommu.c
13148 --- linux-2.6.35.7/arch/x86/kernel/pci-nommu.c 2010-08-26 19:47:12.000000000 -0400
13149 +++ linux-2.6.35.7/arch/x86/kernel/pci-nommu.c 2010-09-17 20:12:09.000000000 -0400
13150 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13151 flush_write_buffers();
13154 -struct dma_map_ops nommu_dma_ops = {
13155 +const struct dma_map_ops nommu_dma_ops = {
13156 .alloc_coherent = dma_generic_alloc_coherent,
13157 .free_coherent = nommu_free_coherent,
13158 .map_sg = nommu_map_sg,
13159 diff -urNp linux-2.6.35.7/arch/x86/kernel/pci-swiotlb.c linux-2.6.35.7/arch/x86/kernel/pci-swiotlb.c
13160 --- linux-2.6.35.7/arch/x86/kernel/pci-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
13161 +++ linux-2.6.35.7/arch/x86/kernel/pci-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
13162 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
13163 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13166 -static struct dma_map_ops swiotlb_dma_ops = {
13167 +static const struct dma_map_ops swiotlb_dma_ops = {
13168 .mapping_error = swiotlb_dma_mapping_error,
13169 .alloc_coherent = x86_swiotlb_alloc_coherent,
13170 .free_coherent = swiotlb_free_coherent,
13171 diff -urNp linux-2.6.35.7/arch/x86/kernel/process_32.c linux-2.6.35.7/arch/x86/kernel/process_32.c
13172 --- linux-2.6.35.7/arch/x86/kernel/process_32.c 2010-08-26 19:47:12.000000000 -0400
13173 +++ linux-2.6.35.7/arch/x86/kernel/process_32.c 2010-09-17 20:12:09.000000000 -0400
13174 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
13175 unsigned long thread_saved_pc(struct task_struct *tsk)
13177 return ((unsigned long *)tsk->thread.sp)[3];
13178 +//XXX return tsk->thread.eip;
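Review bot: `//XXX return tsk->thread.eip;` in thread_saved_pc is commented-out code placed after the function's `return`, with no statement of what is unresolved. Either delete it or replace it with a sentence describing the open question. The same applies to `//XXX needs set_fs()?` in the copy_thread hunk below, which sits between `if (clone_flags & CLONE_SETTLS)` and the statement it guards, where the `if` body is easy to misread.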
13182 @@ -126,7 +127,7 @@ void __show_regs(struct pt_regs *regs, i
13184 unsigned short ss, gs;
13186 - if (user_mode_vm(regs)) {
13187 + if (user_mode(regs)) {
13189 ss = regs->ss & 0xffff;
13190 gs = get_user_gs(regs);
13191 @@ -196,7 +197,7 @@ int copy_thread(unsigned long clone_flag
13192 struct task_struct *tsk;
13195 - childregs = task_pt_regs(p);
13196 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13197 *childregs = *regs;
13199 childregs->sp = sp;
13200 @@ -230,6 +231,7 @@ int copy_thread(unsigned long clone_flag
13201 * Set a new TLS for the child thread?
13203 if (clone_flags & CLONE_SETTLS)
13204 +//XXX needs set_fs()?
13205 err = do_set_thread_area(p, -1,
13206 (struct user_desc __user *)childregs->si, 0);
13208 @@ -293,7 +295,7 @@ __switch_to(struct task_struct *prev_p,
13209 struct thread_struct *prev = &prev_p->thread,
13210 *next = &next_p->thread;
13211 int cpu = smp_processor_id();
13212 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13213 + struct tss_struct *tss = init_tss + cpu;
13216 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13217 @@ -328,6 +330,11 @@ __switch_to(struct task_struct *prev_p,
13219 lazy_save_gs(prev->gs);
13221 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13222 + if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
13223 + __set_fs(task_thread_info(next_p)->addr_limit, cpu);
13227 * Load the per-thread Thread-Local Storage descriptor.
13229 @@ -404,3 +411,27 @@ unsigned long get_wchan(struct task_stru
13233 +#ifdef CONFIG_PAX_RANDKSTACK
13234 +asmlinkage void pax_randomize_kstack(void)
13236 + struct thread_struct *thread = ¤t->thread;
13237 + unsigned long time;
13239 + if (!randomize_va_space)
13244 + /* P4 seems to return a 0 LSB, ignore it */
13245 +#ifdef CONFIG_MPENTIUM4
13253 + thread->sp0 ^= time;
13254 + load_sp0(init_tss + smp_processor_id(), thread);
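Review bot: pax_randomize_kstack XORs a value held in a local named `time` into `thread->sp0`, but nothing in the function documents where that value comes from, how many bits survive masking, or what alignment `sp0` keeps afterwards. The lines that fill and mask `time` are not visible in this view. Because the strength of the randomisation depends entirely on those three facts, they belong in a header comment on the function. If the source is a cycle counter, as the Pentium 4 comment suggests, the comment should say that the offset is not a secret and only makes stack-layout assumptions less reliable.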
13257 diff -urNp linux-2.6.35.7/arch/x86/kernel/process_64.c linux-2.6.35.7/arch/x86/kernel/process_64.c
13258 --- linux-2.6.35.7/arch/x86/kernel/process_64.c 2010-08-26 19:47:12.000000000 -0400
13259 +++ linux-2.6.35.7/arch/x86/kernel/process_64.c 2010-09-17 20:12:09.000000000 -0400
13260 @@ -87,7 +87,7 @@ static void __exit_idle(void)
13261 void exit_idle(void)
13263 /* idle loop has pid 0 */
13264 - if (current->pid)
13265 + if (task_pid_nr(current))
13269 @@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
13270 struct thread_struct *prev = &prev_p->thread;
13271 struct thread_struct *next = &next_p->thread;
13272 int cpu = smp_processor_id();
13273 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13274 + struct tss_struct *tss = init_tss + cpu;
13275 unsigned fsindex, gsindex;
13278 @@ -528,12 +528,11 @@ unsigned long get_wchan(struct task_stru
13279 if (!p || p == current || p->state == TASK_RUNNING)
13281 stack = (unsigned long)task_stack_page(p);
13282 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13283 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13285 fp = *(u64 *)(p->thread.sp);
13287 - if (fp < (unsigned long)stack ||
13288 - fp >= (unsigned long)stack+THREAD_SIZE)
13289 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13291 ip = *(u64 *)(fp+8);
13292 if (!in_sched_functions(ip))
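Review bot: The bound `stack+THREAD_SIZE-8-sizeof(u64)` in get_wchan is written out twice and its terms are unexplained. For `fp` it appears to match the later read `*(u64 *)(fp+8)` (offset 8 plus an 8-byte load), while for `p->thread.sp` the read is at offset 0, so the same limit is stricter than needed there. Hoisting it into a local with a comment would show that this is deliberate, e.g. `unsigned long top = stack + THREAD_SIZE - 8 - sizeof(u64); /* last fp for which fp+8 is a full u64 inside the stack */`. get_wchan starts and ends outside the hunk.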
13293 diff -urNp linux-2.6.35.7/arch/x86/kernel/process.c linux-2.6.35.7/arch/x86/kernel/process.c
13294 --- linux-2.6.35.7/arch/x86/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
13295 +++ linux-2.6.35.7/arch/x86/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
13296 @@ -73,7 +73,7 @@ void exit_thread(void)
13297 unsigned long *bp = t->io_bitmap_ptr;
13300 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13301 + struct tss_struct *tss = init_tss + get_cpu();
13303 t->io_bitmap_ptr = NULL;
13304 clear_thread_flag(TIF_IO_BITMAP);
13305 @@ -117,6 +117,9 @@ void flush_thread(void)
13307 struct task_struct *tsk = current;
13309 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
13310 + loadsegment(gs, 0);
13312 flush_ptrace_hw_breakpoint(tsk);
13313 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
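Review bot: `loadsegment(gs, 0);` in flush_thread is guarded by `!defined(CONFIG_CC_STACKPROTECTOR)` with no comment saying why %gs must be cleared at this point or why the stack-protector configuration is exempt. A one-line comment would do, e.g. `/* drop the previous image's %gs selector; with stackprotector %gs is kernel-owned */`. That wording is inferred from the guard and should be confirmed by the author.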
13315 @@ -279,8 +282,8 @@ int kernel_thread(int (*fn)(void *), voi
13316 regs.di = (unsigned long) arg;
13318 #ifdef CONFIG_X86_32
13319 - regs.ds = __USER_DS;
13320 - regs.es = __USER_DS;
13321 + regs.ds = __KERNEL_DS;
13322 + regs.es = __KERNEL_DS;
13323 regs.fs = __KERNEL_PERCPU;
13324 regs.gs = __KERNEL_STACK_CANARY;
13326 @@ -689,17 +692,3 @@ static int __init idle_setup(char *str)
13329 early_param("idle", idle_setup);
13331 -unsigned long arch_align_stack(unsigned long sp)
13333 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13334 - sp -= get_random_int() % 8192;
13335 - return sp & ~0xf;
13338 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13340 - unsigned long range_end = mm->brk + 0x02000000;
13341 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13344 diff -urNp linux-2.6.35.7/arch/x86/kernel/ptrace.c linux-2.6.35.7/arch/x86/kernel/ptrace.c
13345 --- linux-2.6.35.7/arch/x86/kernel/ptrace.c 2010-08-26 19:47:12.000000000 -0400
13346 +++ linux-2.6.35.7/arch/x86/kernel/ptrace.c 2010-09-17 20:12:09.000000000 -0400
13347 @@ -804,7 +804,7 @@ static const struct user_regset_view use
13348 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
13351 - unsigned long __user *datap = (unsigned long __user *)data;
13352 + unsigned long __user *datap = (__force unsigned long __user *)data;
13355 /* read the word at location addr in the USER area. */
13356 @@ -891,14 +891,14 @@ long arch_ptrace(struct task_struct *chi
13359 ret = do_get_thread_area(child, addr,
13360 - (struct user_desc __user *) data);
13361 + (__force struct user_desc __user *) data);
13364 case PTRACE_SET_THREAD_AREA:
13367 ret = do_set_thread_area(child, addr,
13368 - (struct user_desc __user *) data, 0);
13369 + (__force struct user_desc __user *) data, 0);
13373 @@ -1315,7 +1315,7 @@ static void fill_sigtrap_info(struct tas
13374 memset(info, 0, sizeof(*info));
13375 info->si_signo = SIGTRAP;
13376 info->si_code = si_code;
13377 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13378 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13381 void user_single_step_siginfo(struct task_struct *tsk,
13382 diff -urNp linux-2.6.35.7/arch/x86/kernel/reboot.c linux-2.6.35.7/arch/x86/kernel/reboot.c
13383 --- linux-2.6.35.7/arch/x86/kernel/reboot.c 2010-08-26 19:47:12.000000000 -0400
13384 +++ linux-2.6.35.7/arch/x86/kernel/reboot.c 2010-09-17 20:12:09.000000000 -0400
13385 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
13386 EXPORT_SYMBOL(pm_power_off);
13388 static const struct desc_ptr no_idt = {};
13389 -static int reboot_mode;
13390 +static unsigned short reboot_mode;
13391 enum reboot_type reboot_type = BOOT_KBD;
13394 @@ -284,7 +284,7 @@ static struct dmi_system_id __initdata r
13395 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
13399 + { NULL, NULL, {{0, {0}}}, NULL}
13402 static int __init reboot_init(void)
13403 @@ -300,12 +300,12 @@ core_initcall(reboot_init);
13404 controller to pulse the CPU reset line, which is more thorough, but
13405 doesn't work with at least one type of 486 motherboard. It is easy
13406 to stop this code working; hence the copious comments. */
13407 -static const unsigned long long
13408 -real_mode_gdt_entries [3] =
13409 +static struct desc_struct
13410 +real_mode_gdt_entries [3] __read_only =
13412 - 0x0000000000000000ULL, /* Null descriptor */
13413 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13414 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
13415 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13416 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13417 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
13420 static const struct desc_ptr
13421 @@ -354,7 +354,7 @@ static const unsigned char jump_to_bios
13422 * specified by the code and length parameters.
13423 * We assume that length will aways be less that 100!
13425 -void machine_real_restart(const unsigned char *code, int length)
13426 +void machine_real_restart(const unsigned char *code, unsigned int length)
13428 local_irq_disable();
13430 @@ -374,8 +374,8 @@ void machine_real_restart(const unsigned
13431 /* Remap the kernel at virtual address zero, as well as offset zero
13432 from the kernel segment. This assumes the kernel segment starts at
13433 virtual address PAGE_OFFSET. */
13434 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13435 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
13436 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13437 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13440 * Use `swapper_pg_dir' as our page directory.
13441 @@ -387,16 +387,15 @@ void machine_real_restart(const unsigned
13442 boot)". This seems like a fairly standard thing that gets set by
13443 REBOOT.COM programs, and the previous reset routine did this
13445 - *((unsigned short *)0x472) = reboot_mode;
13446 + *(unsigned short *)(__va(0x472)) = reboot_mode;
13448 /* For the switch to real mode, copy some code to low memory. It has
13449 to be in the first 64k because it is running in 16-bit mode, and it
13450 has to have the same physical and virtual address, because it turns
13451 off paging. Copy it near the end of the first page, out of the way
13452 of BIOS variables. */
13453 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13454 - real_mode_switch, sizeof (real_mode_switch));
13455 - memcpy((void *)(0x1000 - 100), code, length);
13456 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13457 + memcpy(__va(0x1000 - 100), code, length);
13459 /* Set up the IDT for real mode. */
13460 load_idt(&real_mode_idt);
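Review bot: `length` is still copied without a bound in `memcpy(__va(0x1000 - 100), code, length);`, although the function comment states it is only assumed to be under 100 and the destination is the last 100 bytes of the first page. Changing the parameter to `unsigned int` in the earlier hunk rules out negative values but does not enforce that assumption. A guard such as `BUG_ON(length > 100);` before the copy would turn the assumption into a checked invariant. machine_real_restart starts outside this hunk, so an earlier check may already exist there.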
13461 diff -urNp linux-2.6.35.7/arch/x86/kernel/setup.c linux-2.6.35.7/arch/x86/kernel/setup.c
13462 --- linux-2.6.35.7/arch/x86/kernel/setup.c 2010-08-26 19:47:12.000000000 -0400
13463 +++ linux-2.6.35.7/arch/x86/kernel/setup.c 2010-09-17 20:12:09.000000000 -0400
13464 @@ -704,7 +704,7 @@ static void __init trim_bios_range(void)
13465 * area (640->1Mb) as ram even though it is not.
13468 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13469 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13470 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13473 @@ -791,14 +791,14 @@ void __init setup_arch(char **cmdline_p)
13475 if (!boot_params.hdr.root_flags)
13476 root_mountflags &= ~MS_RDONLY;
13477 - init_mm.start_code = (unsigned long) _text;
13478 - init_mm.end_code = (unsigned long) _etext;
13479 + init_mm.start_code = ktla_ktva((unsigned long) _text);
13480 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
13481 init_mm.end_data = (unsigned long) _edata;
13482 init_mm.brk = _brk_end;
13484 - code_resource.start = virt_to_phys(_text);
13485 - code_resource.end = virt_to_phys(_etext)-1;
13486 - data_resource.start = virt_to_phys(_etext);
13487 + code_resource.start = virt_to_phys(ktla_ktva(_text));
13488 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13489 + data_resource.start = virt_to_phys(_sdata);
13490 data_resource.end = virt_to_phys(_edata)-1;
13491 bss_resource.start = virt_to_phys(&__bss_start);
13492 bss_resource.end = virt_to_phys(&__bss_stop)-1;
13493 diff -urNp linux-2.6.35.7/arch/x86/kernel/setup_percpu.c linux-2.6.35.7/arch/x86/kernel/setup_percpu.c
13494 --- linux-2.6.35.7/arch/x86/kernel/setup_percpu.c 2010-08-26 19:47:12.000000000 -0400
13495 +++ linux-2.6.35.7/arch/x86/kernel/setup_percpu.c 2010-10-11 22:41:44.000000000 -0400
13496 @@ -21,19 +21,17 @@
13497 #include <asm/cpu.h>
13498 #include <asm/stackprotector.h>
13500 -DEFINE_PER_CPU(int, cpu_number);
13502 +DEFINE_PER_CPU(unsigned int, cpu_number);
13503 EXPORT_PER_CPU_SYMBOL(cpu_number);
13506 -#ifdef CONFIG_X86_64
13507 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13509 -#define BOOT_PERCPU_OFFSET 0
13512 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13513 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13515 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13516 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13517 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13519 EXPORT_SYMBOL(__per_cpu_offset);
13520 @@ -161,10 +159,10 @@ static inline void setup_percpu_segment(
13522 #ifdef CONFIG_X86_32
13523 struct desc_struct gdt;
13524 + unsigned long base = per_cpu_offset(cpu);
13526 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13527 - 0x2 | DESCTYPE_S, 0x8);
13529 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13530 + 0x83 | DESCTYPE_S, 0xC);
13531 write_gdt_entry(get_cpu_gdt_table(cpu),
13532 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
13534 @@ -213,6 +211,11 @@ void __init setup_per_cpu_areas(void)
13535 /* alrighty, percpu areas up and running */
13536 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13537 for_each_possible_cpu(cpu) {
13538 +#ifdef CONFIG_CC_STACKPROTECTOR
13539 +#ifdef CONFIG_x86_32
13540 + unsigned long canary = per_cpu(stack_canary, cpu);
13543 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
13544 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13545 per_cpu(cpu_number, cpu) = cpu;
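Review bot: The inner guard `#ifdef CONFIG_x86_32` is spelled with a lower-case `x`, while the symbol tested elsewhere in this file is `CONFIG_X86_32`, so the added `unsigned long canary = per_cpu(stack_canary, cpu);` is most likely never compiled. The same spelling guards the restore `per_cpu(stack_canary, cpu) = canary;` in the next hunk, so the boot CPU's stack canary would not be carried across the per-cpu area switch as the change apparently intends. Both guards should read `#ifdef CONFIG_X86_32`. setup_per_cpu_areas begins and ends outside these hunks.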
13546 @@ -249,6 +252,12 @@ void __init setup_per_cpu_areas(void)
13547 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
13550 +#ifdef CONFIG_CC_STACKPROTECTOR
13551 +#ifdef CONFIG_x86_32
13552 + if (cpu == boot_cpu_id)
13553 + per_cpu(stack_canary, cpu) = canary;
13557 * Up to this point, the boot CPU has been using .init.data
13558 * area. Reload any changed state for the boot CPU.
13559 diff -urNp linux-2.6.35.7/arch/x86/kernel/signal.c linux-2.6.35.7/arch/x86/kernel/signal.c
13560 --- linux-2.6.35.7/arch/x86/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400
13561 +++ linux-2.6.35.7/arch/x86/kernel/signal.c 2010-10-11 22:41:44.000000000 -0400
13562 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
13563 * Align the stack pointer according to the i386 ABI,
13564 * i.e. so that on function entry ((sp + 4) & 15) == 0.
13566 - sp = ((sp + 4) & -16ul) - 4;
13567 + sp = ((sp - 12) & -16ul) - 4;
13568 #else /* !CONFIG_X86_32 */
13569 sp = round_down(sp, 16) - 8;
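Review bot: The comment above the changed line in align_sigframe still gives only the ABI invariant `((sp + 4) & 15) == 0`, which the old expression already met. The new `((sp - 12) & -16ul) - 4` yields the same alignment exactly 16 bytes lower, and nothing here says why that extra space is reserved. A sentence in the comment giving the reason for the additional 16 bytes would keep a later cleanup from reverting it as redundant. The function body starts and ends outside the hunk.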
13571 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13572 * Return an always-bogus address instead so we will die with SIGSEGV.
13574 if (onsigstack && !likely(on_sig_stack(sp)))
13575 - return (void __user *)-1L;
13576 + return (__force void __user *)-1L;
13578 /* save i387 state */
13579 if (used_math() && save_i387_xstate(*fpstate) < 0)
13580 - return (void __user *)-1L;
13581 + return (__force void __user *)-1L;
13583 return (void __user *)sp;
13585 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
13588 if (current->mm->context.vdso)
13589 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13590 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13592 - restorer = &frame->retcode;
13593 + restorer = (void __user *)&frame->retcode;
13594 if (ka->sa.sa_flags & SA_RESTORER)
13595 restorer = ka->sa.sa_restorer;
13597 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13598 * reasons and because gdb uses it as a signature to notice
13599 * signal handler stack frames.
13601 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13602 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13606 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
13607 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13609 /* Set up to return from userspace. */
13610 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13611 + if (current->mm->context.vdso)
13612 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13614 + restorer = (void __user *)&frame->retcode;
13615 if (ka->sa.sa_flags & SA_RESTORER)
13616 restorer = ka->sa.sa_restorer;
13617 put_user_ex(restorer, &frame->pretcode);
13618 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
13619 * reasons and because gdb uses it as a signature to notice
13620 * signal handler stack frames.
13622 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13623 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13624 } put_user_catch(err);
13627 @@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re
13628 * X86_32: vm86 regs switched out by assembly code before reaching
13629 * here, so testing against kernel CS suffices.
13631 - if (!user_mode(regs))
13632 + if (!user_mode_novm(regs))
13635 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
13636 diff -urNp linux-2.6.35.7/arch/x86/kernel/smpboot.c linux-2.6.35.7/arch/x86/kernel/smpboot.c
13637 --- linux-2.6.35.7/arch/x86/kernel/smpboot.c 2010-08-26 19:47:12.000000000 -0400
13638 +++ linux-2.6.35.7/arch/x86/kernel/smpboot.c 2010-09-17 20:12:09.000000000 -0400
13639 @@ -780,7 +780,11 @@ do_rest:
13640 (unsigned long)task_stack_page(c_idle.idle) -
13641 KERNEL_STACK_OFFSET + THREAD_SIZE;
13644 + pax_open_kernel();
13645 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13646 + pax_close_kernel();
13648 initial_code = (unsigned long)start_secondary;
13649 stack_start.sp = (void *) c_idle.idle->thread.sp;
13651 @@ -920,6 +924,12 @@ int __cpuinit native_cpu_up(unsigned int
13653 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13655 +#ifdef CONFIG_PAX_PER_CPU_PGD
13656 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
13657 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13658 + KERNEL_PGD_PTRS);
13661 #ifdef CONFIG_X86_32
13662 /* init low mem mapping */
13663 clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13664 diff -urNp linux-2.6.35.7/arch/x86/kernel/step.c linux-2.6.35.7/arch/x86/kernel/step.c
13665 --- linux-2.6.35.7/arch/x86/kernel/step.c 2010-08-26 19:47:12.000000000 -0400
13666 +++ linux-2.6.35.7/arch/x86/kernel/step.c 2010-09-17 20:12:09.000000000 -0400
13667 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
13668 struct desc_struct *desc;
13669 unsigned long base;
13674 mutex_lock(&child->mm->context.lock);
13675 - if (unlikely((seg >> 3) >= child->mm->context.size))
13676 + if (unlikely(seg >= child->mm->context.size))
13677 addr = -1L; /* bogus selector, access would fault */
13679 desc = child->mm->context.ldt + seg;
13680 @@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
13681 unsigned char opcode[15];
13682 unsigned long addr = convert_ip_to_linear(child, regs);
13684 + if (addr == -EINVAL)
13687 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
13688 for (i = 0; i < copied; i++) {
13689 switch (opcode[i]) {
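Review bot: The added guard `if (addr == -EINVAL)` does not match the sentinel that the context lines of the previous hunk show convert_ip_to_linear using for a bogus selector, `addr = -1L`. Unless a line outside these hunks makes the helper return -EINVAL, the early exit is never taken and access_process_vm() is still called with the bogus address. Either test the value the helper actually returns, or switch the helper and its comment to a named error value in the same patch. Both functions extend beyond the visible hunks.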
13690 @@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
13692 #ifdef CONFIG_X86_64
13693 case 0x40 ... 0x4f:
13694 - if (regs->cs != __USER_CS)
13695 + if ((regs->cs & 0xffff) != __USER_CS)
13696 /* 32-bit mode: register increment */
13698 /* 64-bit mode: REX prefix */
13699 diff -urNp linux-2.6.35.7/arch/x86/kernel/syscall_table_32.S linux-2.6.35.7/arch/x86/kernel/syscall_table_32.S
13700 --- linux-2.6.35.7/arch/x86/kernel/syscall_table_32.S 2010-08-26 19:47:12.000000000 -0400
13701 +++ linux-2.6.35.7/arch/x86/kernel/syscall_table_32.S 2010-09-17 20:12:09.000000000 -0400
13703 +.section .rodata,"a",@progbits
13704 ENTRY(sys_call_table)
13705 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
13707 diff -urNp linux-2.6.35.7/arch/x86/kernel/sys_i386_32.c linux-2.6.35.7/arch/x86/kernel/sys_i386_32.c
13708 --- linux-2.6.35.7/arch/x86/kernel/sys_i386_32.c 2010-08-26 19:47:12.000000000 -0400
13709 +++ linux-2.6.35.7/arch/x86/kernel/sys_i386_32.c 2010-09-26 22:02:10.000000000 -0400
13710 @@ -24,6 +24,228 @@
13712 #include <asm/syscalls.h>
13714 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
13716 + unsigned long pax_task_size = TASK_SIZE;
13718 +#ifdef CONFIG_PAX_SEGMEXEC
13719 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
13720 + pax_task_size = SEGMEXEC_TASK_SIZE;
13723 + if (len > pax_task_size || addr > pax_task_size - len)
13730 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
13731 + unsigned long len, unsigned long pgoff, unsigned long flags)
13733 + struct mm_struct *mm = current->mm;
13734 + struct vm_area_struct *vma;
13735 + unsigned long start_addr, pax_task_size = TASK_SIZE;
13737 +#ifdef CONFIG_PAX_SEGMEXEC
13738 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13739 + pax_task_size = SEGMEXEC_TASK_SIZE;
13742 + pax_task_size -= PAGE_SIZE;
13744 + if (len > pax_task_size)
13747 + if (flags & MAP_FIXED)
13750 +#ifdef CONFIG_PAX_RANDMMAP
13751 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13755 + addr = PAGE_ALIGN(addr);
13756 + if (pax_task_size - len >= addr) {
13757 + vma = find_vma(mm, addr);
13758 + if (check_heap_stack_gap(vma, addr, len))
13762 + if (len > mm->cached_hole_size) {
13763 + start_addr = addr = mm->free_area_cache;
13765 + start_addr = addr = mm->mmap_base;
13766 + mm->cached_hole_size = 0;
13769 +#ifdef CONFIG_PAX_PAGEEXEC
13770 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
13771 + start_addr = 0x00110000UL;
13773 +#ifdef CONFIG_PAX_RANDMMAP
13774 + if (mm->pax_flags & MF_PAX_RANDMMAP)
13775 + start_addr += mm->delta_mmap & 0x03FFF000UL;
13778 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
13779 + start_addr = addr = mm->mmap_base;
13781 + addr = start_addr;
13786 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
13787 + /* At this point: (!vma || addr < vma->vm_end). */
13788 + if (pax_task_size - len < addr) {
13790 + * Start a new search - just in case we missed
13793 + if (start_addr != mm->mmap_base) {
13794 + start_addr = addr = mm->mmap_base;
13795 + mm->cached_hole_size = 0;
13796 + goto full_search;
13800 + if (check_heap_stack_gap(vma, addr, len))
13802 + if (addr + mm->cached_hole_size < vma->vm_start)
13803 + mm->cached_hole_size = vma->vm_start - addr;
13804 + addr = vma->vm_end;
13805 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
13806 + start_addr = addr = mm->mmap_base;
13807 + mm->cached_hole_size = 0;
13808 + goto full_search;
13813 + * Remember the place where we stopped the search:
13815 + mm->free_area_cache = addr + len;
13820 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
13821 + const unsigned long len, const unsigned long pgoff,
13822 + const unsigned long flags)
13824 + struct vm_area_struct *vma;
13825 + struct mm_struct *mm = current->mm;
13826 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
13828 +#ifdef CONFIG_PAX_SEGMEXEC
13829 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13830 + pax_task_size = SEGMEXEC_TASK_SIZE;
13833 + pax_task_size -= PAGE_SIZE;
13835 + /* requested length too big for entire address space */
13836 + if (len > pax_task_size)
13839 + if (flags & MAP_FIXED)
13842 +#ifdef CONFIG_PAX_PAGEEXEC
13843 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
13847 +#ifdef CONFIG_PAX_RANDMMAP
13848 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13851 + /* requesting a specific address */
13853 + addr = PAGE_ALIGN(addr);
13854 + if (pax_task_size - len >= addr) {
13855 + vma = find_vma(mm, addr);
13856 + if (check_heap_stack_gap(vma, addr, len))
13861 + /* check if free_area_cache is useful for us */
13862 + if (len <= mm->cached_hole_size) {
13863 + mm->cached_hole_size = 0;
13864 + mm->free_area_cache = mm->mmap_base;
13867 + /* either no address requested or can't fit in requested address hole */
13868 + addr = mm->free_area_cache;
13870 + /* make sure it can fit in the remaining address space */
13871 + if (addr > len) {
13872 + vma = find_vma(mm, addr-len);
13873 + if (check_heap_stack_gap(vma, addr - len, len))
13874 + /* remember the address as a hint for next time */
13875 + return (mm->free_area_cache = addr-len);
13878 + if (mm->mmap_base < len)
13881 + addr = mm->mmap_base-len;
13885 + * Lookup failure means no vma is above this address,
13886 + * else if new region fits below vma->vm_start,
13887 + * return with success:
13889 + vma = find_vma(mm, addr);
13890 + if (check_heap_stack_gap(vma, addr, len))
13891 + /* remember the address as a hint for next time */
13892 + return (mm->free_area_cache = addr);
13894 + /* remember the largest hole we saw so far */
13895 + if (addr + mm->cached_hole_size < vma->vm_start)
13896 + mm->cached_hole_size = vma->vm_start - addr;
13898 + /* try just below the current vma->vm_start */
13899 + addr = vma->vm_start-len;
13900 + } while (len < vma->vm_start);
13904 + * A failed mmap() very likely causes application failure,
13905 + * so fall back to the bottom-up function here. This scenario
13906 + * can happen with large stack limits and large mmap()
13910 +#ifdef CONFIG_PAX_SEGMEXEC
13911 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13912 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
13916 + mm->mmap_base = TASK_UNMAPPED_BASE;
13918 +#ifdef CONFIG_PAX_RANDMMAP
13919 + if (mm->pax_flags & MF_PAX_RANDMMAP)
13920 + mm->mmap_base += mm->delta_mmap;
13923 + mm->free_area_cache = mm->mmap_base;
13924 + mm->cached_hole_size = ~0UL;
13925 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
13927 + * Restore the topdown base:
13929 + mm->mmap_base = base;
13930 + mm->free_area_cache = base;
13931 + mm->cached_hole_size = ~0UL;
13937 * Do a system call from kernel instead of calling sys_execve so we
13938 * end up with proper pt_regs.
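Review bot: Both search loops dereference `vma->vm_start` right after `check_heap_stack_gap(vma, addr, len)` returns false, in arch_get_unmapped_area and again in the `do … while` of arch_get_unmapped_area_topdown, so they depend on the helper returning true whenever `vma` is NULL. The helper is defined outside this hunk. The x86_64 hunks that replace `!vma || addr + len <= vma->vm_start` with it suggest that contract, but the new code no longer shows it. I would state it at each dereference, for example `/* vma != NULL here: check_heap_stack_gap() accepts a NULL vma */`, so a later change to the helper cannot silently introduce a NULL dereference.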
13939 diff -urNp linux-2.6.35.7/arch/x86/kernel/sys_x86_64.c linux-2.6.35.7/arch/x86/kernel/sys_x86_64.c
13940 --- linux-2.6.35.7/arch/x86/kernel/sys_x86_64.c 2010-08-26 19:47:12.000000000 -0400
13941 +++ linux-2.6.35.7/arch/x86/kernel/sys_x86_64.c 2010-09-17 20:12:09.000000000 -0400
13942 @@ -32,8 +32,8 @@ out:
13946 -static void find_start_end(unsigned long flags, unsigned long *begin,
13947 - unsigned long *end)
13948 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
13949 + unsigned long *begin, unsigned long *end)
13951 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
13952 unsigned long new_begin;
13953 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
13954 *begin = new_begin;
13957 - *begin = TASK_UNMAPPED_BASE;
13958 + *begin = mm->mmap_base;
13962 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
13963 if (flags & MAP_FIXED)
13966 - find_start_end(flags, &begin, &end);
13967 + find_start_end(mm, flags, &begin, &end);
13972 +#ifdef CONFIG_PAX_RANDMMAP
13973 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13977 addr = PAGE_ALIGN(addr);
13978 vma = find_vma(mm, addr);
13979 - if (end - len >= addr &&
13980 - (!vma || addr + len <= vma->vm_start))
13981 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
13984 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
13985 @@ -106,7 +109,7 @@ full_search:
13989 - if (!vma || addr + len <= vma->vm_start) {
13990 + if (check_heap_stack_gap(vma, addr, len)) {
13992 * Remember the place where we stopped the search:
13994 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
13996 struct vm_area_struct *vma;
13997 struct mm_struct *mm = current->mm;
13998 - unsigned long addr = addr0;
13999 + unsigned long base = mm->mmap_base, addr = addr0;
14001 /* requested length too big for entire address space */
14002 if (len > TASK_SIZE)
14003 @@ -141,12 +144,15 @@ arch_get_unmapped_area_topdown(struct fi
14004 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
14007 +#ifdef CONFIG_PAX_RANDMMAP
14008 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14011 /* requesting a specific address */
14013 addr = PAGE_ALIGN(addr);
14014 vma = find_vma(mm, addr);
14015 - if (TASK_SIZE - len >= addr &&
14016 - (!vma || addr + len <= vma->vm_start))
14017 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
14021 @@ -162,7 +168,7 @@ arch_get_unmapped_area_topdown(struct fi
14022 /* make sure it can fit in the remaining address space */
14024 vma = find_vma(mm, addr-len);
14025 - if (!vma || addr <= vma->vm_start)
14026 + if (check_heap_stack_gap(vma, addr - len, len))
14027 /* remember the address as a hint for next time */
14028 return mm->free_area_cache = addr-len;
14030 @@ -179,7 +185,7 @@ arch_get_unmapped_area_topdown(struct fi
14031 * return with success:
14033 vma = find_vma(mm, addr);
14034 - if (!vma || addr+len <= vma->vm_start)
14035 + if (check_heap_stack_gap(vma, addr, len))
14036 /* remember the address as a hint for next time */
14037 return mm->free_area_cache = addr;
14039 @@ -198,13 +204,21 @@ bottomup:
14040 * can happen with large stack limits and large mmap()
14043 + mm->mmap_base = TASK_UNMAPPED_BASE;
14045 +#ifdef CONFIG_PAX_RANDMMAP
14046 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14047 + mm->mmap_base += mm->delta_mmap;
14050 + mm->free_area_cache = mm->mmap_base;
14051 mm->cached_hole_size = ~0UL;
14052 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14053 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14055 * Restore the topdown base:
14057 - mm->free_area_cache = mm->mmap_base;
14058 + mm->mmap_base = base;
14059 + mm->free_area_cache = base;
14060 mm->cached_hole_size = ~0UL;
14063 diff -urNp linux-2.6.35.7/arch/x86/kernel/time.c linux-2.6.35.7/arch/x86/kernel/time.c
14064 --- linux-2.6.35.7/arch/x86/kernel/time.c 2010-08-26 19:47:12.000000000 -0400
14065 +++ linux-2.6.35.7/arch/x86/kernel/time.c 2010-09-17 20:12:09.000000000 -0400
14066 @@ -26,17 +26,13 @@
14070 -#ifdef CONFIG_X86_64
14071 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14074 unsigned long profile_pc(struct pt_regs *regs)
14076 unsigned long pc = instruction_pointer(regs);
14078 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14079 + if (!user_mode(regs) && in_lock_functions(pc)) {
14080 #ifdef CONFIG_FRAME_POINTER
14081 - return *(unsigned long *)(regs->bp + sizeof(long));
14082 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14084 unsigned long *sp =
14085 (unsigned long *)kernel_stack_pointer(regs);
14086 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
14087 * or above a saved flags. Eflags has bits 22-31 zero,
14088 * kernel addresses don't.
14091 +#ifdef CONFIG_PAX_KERNEXEC
14092 + return ktla_ktva(sp[0]);
14104 diff -urNp linux-2.6.35.7/arch/x86/kernel/tls.c linux-2.6.35.7/arch/x86/kernel/tls.c
14105 --- linux-2.6.35.7/arch/x86/kernel/tls.c 2010-08-26 19:47:12.000000000 -0400
14106 +++ linux-2.6.35.7/arch/x86/kernel/tls.c 2010-09-17 20:12:09.000000000 -0400
14107 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14108 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14111 +#ifdef CONFIG_PAX_SEGMEXEC
14112 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14116 set_tls_desc(p, idx, &info, 1);
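Review bot: The added SEGMEXEC test reads `p->mm->pax_flags` without checking `p->mm`, whereas the PAGEEXEC block added to do_general_protection in traps.c tests `tsk->mm` before using it. If do_set_thread_area can be reached for a task that has no mm, this dereferences NULL; the callers are not visible here, so that needs confirming. If it can happen, the condition should start with `p->mm &&`. The function begins and ends outside the hunk.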
14119 diff -urNp linux-2.6.35.7/arch/x86/kernel/trampoline_32.S linux-2.6.35.7/arch/x86/kernel/trampoline_32.S
14120 --- linux-2.6.35.7/arch/x86/kernel/trampoline_32.S 2010-08-26 19:47:12.000000000 -0400
14121 +++ linux-2.6.35.7/arch/x86/kernel/trampoline_32.S 2010-09-17 20:12:09.000000000 -0400
14123 #include <asm/segment.h>
14124 #include <asm/page_types.h>
14126 +#ifdef CONFIG_PAX_KERNEXEC
14129 +#define ta(X) ((X) - __PAGE_OFFSET)
14132 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14135 @@ -60,7 +66,7 @@ r_base = .
14136 inc %ax # protected mode (PE) bit
14137 lmsw %ax # into protected mode
14138 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14139 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14140 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
14142 # These need to be in the same 64K segment as the above;
14143 # hence we don't use the boot_gdt_descr defined in head.S
14144 diff -urNp linux-2.6.35.7/arch/x86/kernel/trampoline_64.S linux-2.6.35.7/arch/x86/kernel/trampoline_64.S
14145 --- linux-2.6.35.7/arch/x86/kernel/trampoline_64.S 2010-08-26 19:47:12.000000000 -0400
14146 +++ linux-2.6.35.7/arch/x86/kernel/trampoline_64.S 2010-10-10 15:54:54.000000000 -0400
14147 @@ -91,7 +91,7 @@ startup_32:
14148 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
14151 - movl $X86_CR4_PAE, %eax
14152 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
14153 movl %eax, %cr4 # Enable PAE mode
14155 # Setup trampoline 4 level pagetables
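Review bot: The trailing comment on `movl %eax, %cr4` still reads `# Enable PAE mode`, but the value loaded is now `X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE`. The comment should name all three bits, for example `# Enable PSE, PAE and PGE`, so a reader auditing the trampoline's paging setup is not misled about which CR4 features are active this early.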
14156 @@ -138,7 +138,7 @@ tidt:
14157 # so the kernel can live anywhere
14160 - .short tgdt_end - tgdt # gdt limit
14161 + .short tgdt_end - tgdt - 1 # gdt limit
14162 .long tgdt - r_base
14164 .quad 0x00cf9b000000ffff # __KERNEL32_CS
14165 diff -urNp linux-2.6.35.7/arch/x86/kernel/traps.c linux-2.6.35.7/arch/x86/kernel/traps.c
14166 --- linux-2.6.35.7/arch/x86/kernel/traps.c 2010-08-26 19:47:12.000000000 -0400
14167 +++ linux-2.6.35.7/arch/x86/kernel/traps.c 2010-09-17 20:12:09.000000000 -0400
14168 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14170 /* Do we ignore FPU interrupts ? */
14171 char ignore_fpu_irq;
14174 - * The IDT has to be page-aligned to simplify the Pentium
14175 - * F0 0F bug workaround.
14177 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14180 DECLARE_BITMAP(used_vectors, NR_VECTORS);
14181 @@ -110,13 +104,13 @@ static inline void preempt_conditional_c
14184 static void __kprobes
14185 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14186 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14187 long error_code, siginfo_t *info)
14189 struct task_struct *tsk = current;
14191 #ifdef CONFIG_X86_32
14192 - if (regs->flags & X86_VM_MASK) {
14193 + if (v8086_mode(regs)) {
14195 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14196 * On nmi (interrupt 2), do_trap should not be called.
14197 @@ -127,7 +121,7 @@ do_trap(int trapnr, int signr, char *str
14201 - if (!user_mode(regs))
14202 + if (!user_mode_novm(regs))
14205 #ifdef CONFIG_X86_32
14206 @@ -150,7 +144,7 @@ trap_signal:
14207 printk_ratelimit()) {
14209 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14210 - tsk->comm, tsk->pid, str,
14211 + tsk->comm, task_pid_nr(tsk), str,
14212 regs->ip, regs->sp, error_code);
14213 print_vma_addr(" in ", regs->ip);
14215 @@ -167,8 +161,20 @@ kernel_trap:
14216 if (!fixup_exception(regs)) {
14217 tsk->thread.error_code = error_code;
14218 tsk->thread.trap_no = trapnr;
14220 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14221 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14222 + str = "PAX: suspicious stack segment fault";
14225 die(str, regs, error_code);
14228 +#ifdef CONFIG_PAX_REFCOUNT
14230 + pax_report_refcount_overflow(regs);
14235 #ifdef CONFIG_X86_32
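Review bot: The test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is written out in full here in do_trap and again in the gp_in_kernel hunk of do_general_protection. The bare `trapnr == 12` also carries no name or comment. A small static inline helper for the selector check would keep the two "PAX: suspicious …" paths in step if the set of kernel code selectors changes. A comment such as `/* 12: stack segment fault */` would document the vector number. Both functions extend outside the visible hunks.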
14236 @@ -257,14 +263,30 @@ do_general_protection(struct pt_regs *re
14237 conditional_sti(regs);
14239 #ifdef CONFIG_X86_32
14240 - if (regs->flags & X86_VM_MASK)
14241 + if (v8086_mode(regs))
14246 - if (!user_mode(regs))
14247 + if (!user_mode_novm(regs))
14250 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14251 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14252 + struct mm_struct *mm = tsk->mm;
14253 + unsigned long limit;
14255 + down_write(&mm->mmap_sem);
14256 + limit = mm->context.user_cs_limit;
14257 + if (limit < TASK_SIZE) {
14258 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14259 + up_write(&mm->mmap_sem);
14262 + up_write(&mm->mmap_sem);
14266 tsk->thread.error_code = error_code;
14267 tsk->thread.trap_no = 13;
14269 @@ -297,6 +319,13 @@ gp_in_kernel:
14270 if (notify_die(DIE_GPF, "general protection fault", regs,
14271 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14274 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14275 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14276 + die("PAX: suspicious general protection fault", regs, error_code);
14280 die("general protection fault", regs, error_code);
14283 @@ -565,7 +594,7 @@ dotraplinkage void __kprobes do_debug(st
14284 /* It's safe to allow irq's after DR6 has been saved */
14285 preempt_conditional_sti(regs);
14287 - if (regs->flags & X86_VM_MASK) {
14288 + if (v8086_mode(regs)) {
14289 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14292 @@ -578,7 +607,7 @@ dotraplinkage void __kprobes do_debug(st
14293 * We already checked v86 mode above, so we can check for kernel mode
14294 * by just checking the CPL of CS.
14296 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
14297 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14298 tsk->thread.debugreg6 &= ~DR_STEP;
14299 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14300 regs->flags &= ~X86_EFLAGS_TF;
14301 @@ -607,7 +636,7 @@ void math_error(struct pt_regs *regs, in
14303 conditional_sti(regs);
14305 - if (!user_mode_vm(regs))
14306 + if (!user_mode(regs))
14308 if (!fixup_exception(regs)) {
14309 task->thread.error_code = error_code;
14310 diff -urNp linux-2.6.35.7/arch/x86/kernel/tsc.c linux-2.6.35.7/arch/x86/kernel/tsc.c
14311 --- linux-2.6.35.7/arch/x86/kernel/tsc.c 2010-09-20 17:33:09.000000000 -0400
14312 +++ linux-2.6.35.7/arch/x86/kernel/tsc.c 2010-09-20 17:33:32.000000000 -0400
14313 @@ -833,7 +833,7 @@ static struct dmi_system_id __initdata b
14314 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14318 + { NULL, NULL, {{0, {0}}}, NULL}
14321 static void __init check_system_tsc_reliable(void)
14322 diff -urNp linux-2.6.35.7/arch/x86/kernel/vm86_32.c linux-2.6.35.7/arch/x86/kernel/vm86_32.c
14323 --- linux-2.6.35.7/arch/x86/kernel/vm86_32.c 2010-08-26 19:47:12.000000000 -0400
14324 +++ linux-2.6.35.7/arch/x86/kernel/vm86_32.c 2010-09-17 20:12:37.000000000 -0400
14326 #include <linux/ptrace.h>
14327 #include <linux/audit.h>
14328 #include <linux/stddef.h>
14329 +#include <linux/grsecurity.h>
14331 #include <asm/uaccess.h>
14332 #include <asm/io.h>
14333 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14337 - tss = &per_cpu(init_tss, get_cpu());
14338 + tss = init_tss + get_cpu();
14339 current->thread.sp0 = current->thread.saved_sp0;
14340 current->thread.sysenter_cs = __KERNEL_CS;
14341 load_sp0(tss, ¤t->thread);
14342 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
14343 struct task_struct *tsk;
14344 int tmp, ret = -EPERM;
14346 +#ifdef CONFIG_GRKERNSEC_VM86
14347 + if (!capable(CAP_SYS_RAWIO)) {
14348 + gr_handle_vm86();
14354 if (tsk->thread.saved_sp0)
14356 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
14358 struct vm86plus_struct __user *v86;
14360 +#ifdef CONFIG_GRKERNSEC_VM86
14361 + if (!capable(CAP_SYS_RAWIO)) {
14362 + gr_handle_vm86();
14370 case VM86_REQUEST_IRQ:
14371 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
14372 tsk->thread.saved_fs = info->regs32->fs;
14373 tsk->thread.saved_gs = get_user_gs(info->regs32);
14375 - tss = &per_cpu(init_tss, get_cpu());
14376 + tss = init_tss + get_cpu();
14377 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14379 tsk->thread.sysenter_cs = 0;
14380 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
14381 goto cannot_handle;
14382 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14383 goto cannot_handle;
14384 - intr_ptr = (unsigned long __user *) (i << 2);
14385 + intr_ptr = (__force unsigned long __user *) (i << 2);
14386 if (get_user(segoffs, intr_ptr))
14387 goto cannot_handle;
14388 if ((segoffs >> 16) == BIOSSEG)
14389 diff -urNp linux-2.6.35.7/arch/x86/kernel/vmi_32.c linux-2.6.35.7/arch/x86/kernel/vmi_32.c
14390 --- linux-2.6.35.7/arch/x86/kernel/vmi_32.c 2010-08-26 19:47:12.000000000 -0400
14391 +++ linux-2.6.35.7/arch/x86/kernel/vmi_32.c 2010-09-17 20:12:09.000000000 -0400
14392 @@ -46,12 +46,17 @@ typedef u32 __attribute__((regparm(1)))
14393 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
14395 #define call_vrom_func(rom,func) \
14396 - (((VROMFUNC *)(rom->func))())
14397 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
14399 #define call_vrom_long_func(rom,func,arg) \
14400 - (((VROMLONGFUNC *)(rom->func)) (arg))
14402 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
14403 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
14404 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
14408 -static struct vrom_header *vmi_rom;
14409 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
14410 static int disable_pge;
14411 static int disable_pse;
14412 static int disable_sep;
14413 @@ -78,10 +83,10 @@ static struct {
14414 void (*set_initial_ap_state)(int, int);
14415 void (*halt)(void);
14416 void (*set_lazy_mode)(int mode);
14418 +} vmi_ops __read_only;
14420 /* Cached VMI operations */
14421 -struct vmi_timer_ops vmi_timer_ops;
14422 +struct vmi_timer_ops vmi_timer_ops __read_only;
14425 * VMI patching routines.
14426 @@ -96,7 +101,7 @@ struct vmi_timer_ops vmi_timer_ops;
14427 static inline void patch_offset(void *insnbuf,
14428 unsigned long ip, unsigned long dest)
14430 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
14431 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
14434 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
14435 @@ -104,6 +109,7 @@ static unsigned patch_internal(int call,
14438 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
14440 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
14441 switch(rel->type) {
14442 case VMI_RELOCATION_CALL_REL:
14443 @@ -382,13 +388,13 @@ static void vmi_set_pud(pud_t *pudp, pud
14445 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
14447 - const pte_t pte = { .pte = 0 };
14448 + const pte_t pte = __pte(0ULL);
14449 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
14452 static void vmi_pmd_clear(pmd_t *pmd)
14454 - const pte_t pte = { .pte = 0 };
14455 + const pte_t pte = __pte(0ULL);
14456 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
14459 @@ -416,8 +422,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
14460 ap.ss = __KERNEL_DS;
14461 ap.esp = (unsigned long) start_esp;
14463 - ap.ds = __USER_DS;
14464 - ap.es = __USER_DS;
14465 + ap.ds = __KERNEL_DS;
14466 + ap.es = __KERNEL_DS;
14467 ap.fs = __KERNEL_PERCPU;
14468 ap.gs = __KERNEL_STACK_CANARY;
14470 @@ -464,6 +470,18 @@ static void vmi_leave_lazy_mmu(void)
14471 paravirt_leave_lazy_mmu();
14474 +#ifdef CONFIG_PAX_KERNEXEC
14475 +static unsigned long vmi_pax_open_kernel(void)
14480 +static unsigned long vmi_pax_close_kernel(void)
14486 static inline int __init check_vmi_rom(struct vrom_header *rom)
14488 struct pci_header *pci;
14489 @@ -476,6 +494,10 @@ static inline int __init check_vmi_rom(s
14491 if (rom->vrom_signature != VMI_SIGNATURE)
14493 + if (rom->rom_length * 512 > sizeof(*rom)) {
14494 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
14497 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
14498 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
14499 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
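Review bot: The added size check `rom->rom_length * 512 > sizeof(*rom)` does not say why `sizeof(*rom)` is the right bound. Judging by the probe_vmi_rom() hunk, which now copies the ROM by value (`vmi_rom = *romstart;`), the limit exists so that the image fits in the static `vmi_rom` object. A comment such as `/* the ROM is copied into the static vmi_rom, so its length (rom_length * 512 bytes) must fit in struct vrom_header */` would state that. The check bounds the length only from above, so a ROM shorter than the structure is still copied at full structure size; if that is intended, the same comment should say so. check_vmi_rom() starts and ends outside this hunk.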
14500 @@ -540,7 +562,7 @@ static inline int __init probe_vmi_rom(v
14501 struct vrom_header *romstart;
14502 romstart = (struct vrom_header *)isa_bus_to_virt(base);
14503 if (check_vmi_rom(romstart)) {
14504 - vmi_rom = romstart;
14505 + vmi_rom = *romstart;
14509 @@ -816,6 +838,11 @@ static inline int __init activate_vmi(vo
14511 para_fill(pv_irq_ops.safe_halt, Halt);
14513 +#ifdef CONFIG_PAX_KERNEXEC
14514 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
14515 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
14519 * Alternative instruction rewriting doesn't happen soon enough
14520 * to convert VMI_IRET to a call instead of a jump; so we have
14521 @@ -833,16 +860,16 @@ static inline int __init activate_vmi(vo
14523 void __init vmi_init(void)
14526 + if (!vmi_rom.rom_signature)
14529 - check_vmi_rom(vmi_rom);
14530 + check_vmi_rom(&vmi_rom);
14532 /* In case probing for or validating the ROM failed, basil */
14534 + if (!vmi_rom.rom_signature)
14537 - reserve_top_address(-vmi_rom->virtual_top);
14538 + reserve_top_address(-vmi_rom.virtual_top);
14540 #ifdef CONFIG_X86_IO_APIC
14541 /* This is virtual hardware; timer routing is wired correctly */
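Review bot: With `vmi_rom` changed from a pointer to an embedded structure, "no ROM found" is now encoded as `vmi_rom.rom_signature == 0`, and none of the three new tests (two here in vmi_init(), one in the vmi_activate() hunk below) says so. The encoding appears to rely on the object starting out zeroed and on probe_vmi_rom() assigning it only after check_vmi_rom() succeeded, while check_vmi_rom() itself tests a different field, `vrom_signature`. A comment at the first test, for example `/* vmi_rom is filled only from a validated ROM, so a zero rom_signature means none was found */`, would keep the two signature fields from being confused. vmi_init() continues outside the hunk.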
14542 @@ -854,7 +881,7 @@ void __init vmi_activate(void)
14544 unsigned long flags;
14547 + if (!vmi_rom.rom_signature)
14550 local_irq_save(flags);
14551 diff -urNp linux-2.6.35.7/arch/x86/kernel/vmlinux.lds.S linux-2.6.35.7/arch/x86/kernel/vmlinux.lds.S
14552 --- linux-2.6.35.7/arch/x86/kernel/vmlinux.lds.S 2010-08-26 19:47:12.000000000 -0400
14553 +++ linux-2.6.35.7/arch/x86/kernel/vmlinux.lds.S 2010-09-17 20:12:09.000000000 -0400
14555 #include <asm/page_types.h>
14556 #include <asm/cache.h>
14557 #include <asm/boot.h>
14558 +#include <asm/segment.h>
14560 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14561 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14563 +#define __KERNEL_TEXT_OFFSET 0
14566 #undef i386 /* in case the preprocessor is a 32bit one */
14568 @@ -34,13 +41,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
14569 #ifdef CONFIG_X86_32
14571 ENTRY(phys_startup_32)
14572 -jiffies = jiffies_64;
14574 OUTPUT_ARCH(i386:x86-64)
14575 ENTRY(phys_startup_64)
14576 -jiffies_64 = jiffies;
14579 +jiffies = jiffies_64;
14581 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14583 * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
14584 @@ -69,31 +76,46 @@ jiffies_64 = jiffies;
14587 text PT_LOAD FLAGS(5); /* R_E */
14588 - data PT_LOAD FLAGS(7); /* RWE */
14589 +#ifdef CONFIG_X86_32
14590 + module PT_LOAD FLAGS(5); /* R_E */
14593 + rodata PT_LOAD FLAGS(5); /* R_E */
14595 + rodata PT_LOAD FLAGS(4); /* R__ */
14597 + data PT_LOAD FLAGS(6); /* RW_ */
14598 #ifdef CONFIG_X86_64
14599 user PT_LOAD FLAGS(5); /* R_E */
14601 + init.begin PT_LOAD FLAGS(6); /* RW_ */
14603 percpu PT_LOAD FLAGS(6); /* RW_ */
14605 + text.init PT_LOAD FLAGS(5); /* R_E */
14606 + text.exit PT_LOAD FLAGS(5); /* R_E */
14607 init PT_LOAD FLAGS(7); /* RWE */
14609 note PT_NOTE FLAGS(0); /* ___ */
14614 #ifdef CONFIG_X86_32
14615 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14616 - phys_startup_32 = startup_32 - LOAD_OFFSET;
14617 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14619 - . = __START_KERNEL;
14620 - phys_startup_64 = startup_64 - LOAD_OFFSET;
14621 + . = __START_KERNEL;
14624 /* Text and read-only data */
14625 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
14627 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14628 /* bootstrapping code */
14629 +#ifdef CONFIG_X86_32
14630 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14632 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14634 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14637 #ifdef CONFIG_X86_32
14638 . = ALIGN(PAGE_SIZE);
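Review bot: The `init` program header stays at `FLAGS(7)` (RWE), even though this hunk tightens `data` from RWE to `FLAGS(6)` and adds separate R_E headers `text.init` and `text.exit` for the init and exit code. If no executable input sections remain assigned to `:init` after that split, which the later hunks suggest but do not fully show, the line could become `init PT_LOAD FLAGS(6); /* RW_ */` so the image no longer describes a segment that is both writable and executable. If something executable has to stay there, a comment on that line naming it would help. The PHDRS and SECTIONS blocks extend beyond this hunk, and some preprocessor lines inside it are not visible in this view.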
14639 @@ -108,13 +130,50 @@ SECTIONS
14643 - /* End of text section */
14647 - NOTES :text :note
14648 + . += __KERNEL_TEXT_OFFSET;
14650 +#ifdef CONFIG_X86_32
14651 + . = ALIGN(PAGE_SIZE);
14652 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
14656 + . = ALIGN(PAGE_SIZE);
14657 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
14659 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
14660 + MODULES_EXEC_VADDR = .;
14662 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
14663 + . = ALIGN(HPAGE_SIZE);
14664 + MODULES_EXEC_END = . - 1;
14670 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
14671 + /* End of text section */
14672 + _etext = . - __KERNEL_TEXT_OFFSET;
14675 +#ifdef CONFIG_X86_32
14676 + . = ALIGN(PAGE_SIZE);
14677 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14679 + . = ALIGN(PAGE_SIZE);
14680 + *(.empty_zero_page)
14681 + *(.swapper_pg_pmd)
14682 + *(.swapper_pg_dir)
14686 + . = ALIGN(PAGE_SIZE);
14687 + NOTES :rodata :note
14689 - EXCEPTION_TABLE(16) :text = 0x9090
14690 + EXCEPTION_TABLE(16) :rodata
14692 X64_ALIGN_DEBUG_RODATA_BEGIN
14694 @@ -122,16 +181,20 @@ SECTIONS
14697 .data : AT(ADDR(.data) - LOAD_OFFSET) {
14699 +#ifdef CONFIG_PAX_KERNEXEC
14700 + . = ALIGN(HPAGE_SIZE);
14702 + . = ALIGN(PAGE_SIZE);
14705 /* Start of data section */
14709 INIT_TASK_DATA(THREAD_SIZE)
14711 -#ifdef CONFIG_X86_32
14712 - /* 32 bit has nosave before _edata */
14716 PAGE_ALIGNED_DATA(PAGE_SIZE)
14718 @@ -194,12 +257,6 @@ SECTIONS
14720 vgetcpu_mode = VVIRT(.vgetcpu_mode);
14722 - . = ALIGN(L1_CACHE_BYTES);
14723 - .jiffies : AT(VLOAD(.jiffies)) {
14726 - jiffies = VVIRT(.jiffies);
14728 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14731 @@ -215,12 +272,19 @@ SECTIONS
14732 #endif /* CONFIG_X86_64 */
14734 /* Init code and data - will be freed after init */
14735 - . = ALIGN(PAGE_SIZE);
14736 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14739 +#ifdef CONFIG_PAX_KERNEXEC
14740 + . = ALIGN(HPAGE_SIZE);
14742 + . = ALIGN(PAGE_SIZE);
14745 __init_begin = .; /* paired with __init_end */
14749 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
14752 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
14753 * output PHDR, so the next output section - .init.text - should
14754 @@ -229,12 +293,27 @@ SECTIONS
14755 PERCPU_VADDR(0, :percpu)
14758 - INIT_TEXT_SECTION(PAGE_SIZE)
14759 -#ifdef CONFIG_X86_64
14762 + . = ALIGN(PAGE_SIZE);
14764 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
14765 + VMLINUX_SYMBOL(_sinittext) = .;
14767 + VMLINUX_SYMBOL(_einittext) = .;
14768 + . = ALIGN(PAGE_SIZE);
14772 + * .exit.text is discard at runtime, not link time, to deal with
14773 + * references from .altinstructions and .eh_frame
14775 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14779 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
14781 - INIT_DATA_SECTION(16)
14782 + . = ALIGN(PAGE_SIZE);
14783 + INIT_DATA_SECTION(16) :init
14785 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
14786 __x86_cpu_dev_start = .;
14787 @@ -260,19 +339,11 @@ SECTIONS
14788 *(.altinstr_replacement)
14792 - * .exit.text is discard at runtime, not link time, to deal with
14793 - * references from .altinstructions and .eh_frame
14795 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
14799 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
14803 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
14804 +#ifndef CONFIG_SMP
14808 @@ -291,16 +362,10 @@ SECTIONS
14809 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
14812 - . = ALIGN(PAGE_SIZE);
14813 __smp_locks_end = .;
14814 + . = ALIGN(PAGE_SIZE);
14817 -#ifdef CONFIG_X86_64
14818 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
14824 . = ALIGN(PAGE_SIZE);
14825 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
14826 @@ -316,6 +381,7 @@ SECTIONS
14828 . += 64 * 1024; /* 64k alignment slop space */
14829 *(.brk_reservation) /* areas brk users have reserved */
14830 + . = ALIGN(HPAGE_SIZE);
14834 @@ -342,13 +408,12 @@ SECTIONS
14835 * for the boot processor.
14837 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
14838 -INIT_PER_CPU(gdt_page);
14839 INIT_PER_CPU(irq_stack_union);
14842 * Build-time check on the image size:
14844 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
14845 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
14846 "kernel image bigger than KERNEL_IMAGE_SIZE");
14849 diff -urNp linux-2.6.35.7/arch/x86/kernel/vsyscall_64.c linux-2.6.35.7/arch/x86/kernel/vsyscall_64.c
14850 --- linux-2.6.35.7/arch/x86/kernel/vsyscall_64.c 2010-08-26 19:47:12.000000000 -0400
14851 +++ linux-2.6.35.7/arch/x86/kernel/vsyscall_64.c 2010-09-17 20:12:09.000000000 -0400
14852 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
14854 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
14855 /* copy vsyscall data */
14856 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
14857 vsyscall_gtod_data.clock.vread = clock->vread;
14858 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
14859 vsyscall_gtod_data.clock.mask = clock->mask;
14860 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
14861 We do this here because otherwise user space would do it on
14862 its own in a likely inferior way (no access to jiffies).
14863 If you don't like it pass NULL. */
14864 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
14865 + if (tcache && tcache->blob[0] == (j = jiffies)) {
14866 p = tcache->blob[1];
14867 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
14868 /* Load per CPU data from RDTSCP */
14869 diff -urNp linux-2.6.35.7/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.35.7/arch/x86/kernel/x8664_ksyms_64.c
14870 --- linux-2.6.35.7/arch/x86/kernel/x8664_ksyms_64.c 2010-08-26 19:47:12.000000000 -0400
14871 +++ linux-2.6.35.7/arch/x86/kernel/x8664_ksyms_64.c 2010-09-17 20:12:09.000000000 -0400
14872 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
14873 EXPORT_SYMBOL(copy_user_generic_string);
14874 EXPORT_SYMBOL(copy_user_generic_unrolled);
14875 EXPORT_SYMBOL(__copy_user_nocache);
14876 -EXPORT_SYMBOL(_copy_from_user);
14877 -EXPORT_SYMBOL(_copy_to_user);
14879 EXPORT_SYMBOL(copy_page);
14880 EXPORT_SYMBOL(clear_page);
14881 diff -urNp linux-2.6.35.7/arch/x86/kernel/xsave.c linux-2.6.35.7/arch/x86/kernel/xsave.c
14882 --- linux-2.6.35.7/arch/x86/kernel/xsave.c 2010-08-26 19:47:12.000000000 -0400
14883 +++ linux-2.6.35.7/arch/x86/kernel/xsave.c 2010-09-17 20:12:09.000000000 -0400
14884 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
14885 fx_sw_user->xstate_size > fx_sw_user->extended_size)
14888 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
14889 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
14890 fx_sw_user->extended_size -
14891 FP_XSTATE_MAGIC2_SIZE));
14893 @@ -196,7 +196,7 @@ fx_only:
14894 * the other extended state.
14896 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
14897 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
14898 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
14902 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
14904 err = restore_user_xstate(buf);
14906 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
14907 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
14909 if (unlikely(err)) {
14911 diff -urNp linux-2.6.35.7/arch/x86/kvm/emulate.c linux-2.6.35.7/arch/x86/kvm/emulate.c
14912 --- linux-2.6.35.7/arch/x86/kvm/emulate.c 2010-09-26 17:32:11.000000000 -0400
14913 +++ linux-2.6.35.7/arch/x86/kvm/emulate.c 2010-09-26 17:32:46.000000000 -0400
14914 @@ -88,11 +88,11 @@
14915 #define Src2CL (1<<29)
14916 #define Src2ImmByte (2<<29)
14917 #define Src2One (3<<29)
14918 -#define Src2Imm16 (4<<29)
14919 -#define Src2Mem16 (5<<29) /* Used for Ep encoding. First argument has to be
14920 +#define Src2Imm16 (4U<<29)
14921 +#define Src2Mem16 (5U<<29) /* Used for Ep encoding. First argument has to be
14922 in memory and second argument is located
14923 immediately after the first one in memory. */
14924 -#define Src2Mask (7<<29)
14925 +#define Src2Mask (7U<<29)
14928 Group1_80, Group1_81, Group1_82, Group1_83,
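Review bot: Only the three definitions that would overflow a signed int receive the `U` suffix, which leaves the Src2 group with mixed signedness: `Src2CL`, `Src2ImmByte` and `Src2One` are still `int`, while `Src2Imm16`, `Src2Mem16` and `Src2Mask` are now `unsigned`. Masking and comparing still works through the usual arithmetic conversions, but writing the whole group unsigned, e.g. `#define Src2ImmByte (2U<<29)` and `#define Src2One (3U<<29)`, keeps the constants uniform and avoids signed/unsigned comparison warnings. This is a style point about the context lines rather than a defect in the change itself.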
14929 @@ -446,6 +446,7 @@ static u32 group2_table[] = {
14931 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
14933 + unsigned long _tmp; \
14934 __asm__ __volatile__ ( \
14935 _PRE_EFLAGS("0", "4", "2") \
14936 _op _suffix " %"_x"3,%1; " \
14937 @@ -459,8 +460,6 @@ static u32 group2_table[] = {
14938 /* Raw emulation: instruction has two explicit operands. */
14939 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
14941 - unsigned long _tmp; \
14943 switch ((_dst).bytes) { \
14945 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
14946 @@ -476,7 +475,6 @@ static u32 group2_table[] = {
14948 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
14950 - unsigned long _tmp; \
14951 switch ((_dst).bytes) { \
14953 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
14954 diff -urNp linux-2.6.35.7/arch/x86/kvm/lapic.c linux-2.6.35.7/arch/x86/kvm/lapic.c
14955 --- linux-2.6.35.7/arch/x86/kvm/lapic.c 2010-08-26 19:47:12.000000000 -0400
14956 +++ linux-2.6.35.7/arch/x86/kvm/lapic.c 2010-09-17 20:12:09.000000000 -0400
14958 #define APIC_BUS_CYCLE_NS 1
14960 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
14961 -#define apic_debug(fmt, arg...)
14962 +#define apic_debug(fmt, arg...) do {} while (0)
14964 #define APIC_LVT_NUM 6
14965 /* 14 is the version for Xeon and Pentium 8.4.8*/
14966 diff -urNp linux-2.6.35.7/arch/x86/kvm/svm.c linux-2.6.35.7/arch/x86/kvm/svm.c
14967 --- linux-2.6.35.7/arch/x86/kvm/svm.c 2010-08-26 19:47:12.000000000 -0400
14968 +++ linux-2.6.35.7/arch/x86/kvm/svm.c 2010-09-17 20:12:09.000000000 -0400
14969 @@ -2796,7 +2796,11 @@ static void reload_tss(struct kvm_vcpu *
14970 int cpu = raw_smp_processor_id();
14972 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
14974 + pax_open_kernel();
14975 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
14976 + pax_close_kernel();
14981 @@ -3337,7 +3341,7 @@ static void svm_fpu_deactivate(struct kv
14982 update_cr0_intercept(svm);
14985 -static struct kvm_x86_ops svm_x86_ops = {
14986 +static const struct kvm_x86_ops svm_x86_ops = {
14987 .cpu_has_kvm_support = has_svm,
14988 .disabled_by_bios = is_disabled,
14989 .hardware_setup = svm_hardware_setup,
14990 diff -urNp linux-2.6.35.7/arch/x86/kvm/vmx.c linux-2.6.35.7/arch/x86/kvm/vmx.c
14991 --- linux-2.6.35.7/arch/x86/kvm/vmx.c 2010-09-26 17:32:11.000000000 -0400
14992 +++ linux-2.6.35.7/arch/x86/kvm/vmx.c 2010-09-28 18:50:03.000000000 -0400
14993 @@ -654,7 +654,11 @@ static void reload_tss(void)
14995 native_store_gdt(&gdt);
14996 descs = (void *)gdt.address;
14998 + pax_open_kernel();
14999 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
15000 + pax_close_kernel();
15005 @@ -1554,8 +1558,11 @@ static __init int hardware_setup(void)
15006 if (!cpu_has_vmx_flexpriority())
15007 flexpriority_enabled = 0;
15009 - if (!cpu_has_vmx_tpr_shadow())
15010 - kvm_x86_ops->update_cr8_intercept = NULL;
15011 + if (!cpu_has_vmx_tpr_shadow()) {
15012 + pax_open_kernel();
15013 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
15014 + pax_close_kernel();
15017 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15018 kvm_disable_largepages();
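Review bot: The store `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast into a table that this same patch declares `static const struct kvm_x86_ops vmx_x86_ops`. Modifying a const-defined object is undefined behaviour in C, and the compiler is entitled to assume the member never changes. It presumably works because `pax_open_kernel()` lifts the write protection and callers read the member through the `kvm_x86_ops` pointer, but the site needs a comment saying so, e.g. `/* ops table is const and write-protected; clear the hook under pax_open_kernel() when the CPU lacks TPR shadow */`. One alternative would be to leave the table untouched and make the decision where the hook is invoked. hardware_setup() continues outside the hunk.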
15019 @@ -2537,7 +2544,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15020 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
15022 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15023 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15024 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15025 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15026 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
15027 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
15028 @@ -3913,6 +3920,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
15029 "jmp .Lkvm_vmx_return \n\t"
15030 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15031 ".Lkvm_vmx_return: "
15033 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15034 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15035 + ".Lkvm_vmx_return2: "
15038 /* Save guest registers, load host registers, keep flags */
15039 "xchg %0, (%%"R"sp) \n\t"
15040 "mov %%"R"ax, %c[rax](%0) \n\t"
15041 @@ -3959,8 +3972,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
15042 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15044 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15046 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15047 + ,[cs]"i"(__KERNEL_CS)
15051 - , R"bx", R"di", R"si"
15052 + , R"ax", R"bx", R"di", R"si"
15053 #ifdef CONFIG_X86_64
15054 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
15056 @@ -3974,7 +3992,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15057 if (vmx->rmode.irq.pending)
15058 fixup_rmode_irq(vmx);
15060 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15061 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
15064 vmx_complete_interrupts(vmx);
15065 @@ -4195,7 +4213,7 @@ static void vmx_set_supported_cpuid(u32
15069 -static struct kvm_x86_ops vmx_x86_ops = {
15070 +static const struct kvm_x86_ops vmx_x86_ops = {
15071 .cpu_has_kvm_support = cpu_has_kvm_support,
15072 .disabled_by_bios = vmx_disabled_by_bios,
15073 .hardware_setup = hardware_setup,
15074 diff -urNp linux-2.6.35.7/arch/x86/kvm/x86.c linux-2.6.35.7/arch/x86/kvm/x86.c
15075 --- linux-2.6.35.7/arch/x86/kvm/x86.c 2010-09-26 17:32:11.000000000 -0400
15076 +++ linux-2.6.35.7/arch/x86/kvm/x86.c 2010-09-26 17:32:46.000000000 -0400
15077 @@ -86,7 +86,7 @@ static void update_cr8_intercept(struct
15078 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15079 struct kvm_cpuid_entry2 __user *entries);
15081 -struct kvm_x86_ops *kvm_x86_ops;
15082 +const struct kvm_x86_ops *kvm_x86_ops;
15083 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15085 int ignore_msrs = 0;
15086 @@ -112,38 +112,38 @@ static struct kvm_shared_msrs_global __r
15087 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15089 struct kvm_stats_debugfs_item debugfs_entries[] = {
15090 - { "pf_fixed", VCPU_STAT(pf_fixed) },
15091 - { "pf_guest", VCPU_STAT(pf_guest) },
15092 - { "tlb_flush", VCPU_STAT(tlb_flush) },
15093 - { "invlpg", VCPU_STAT(invlpg) },
15094 - { "exits", VCPU_STAT(exits) },
15095 - { "io_exits", VCPU_STAT(io_exits) },
15096 - { "mmio_exits", VCPU_STAT(mmio_exits) },
15097 - { "signal_exits", VCPU_STAT(signal_exits) },
15098 - { "irq_window", VCPU_STAT(irq_window_exits) },
15099 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
15100 - { "halt_exits", VCPU_STAT(halt_exits) },
15101 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15102 - { "hypercalls", VCPU_STAT(hypercalls) },
15103 - { "request_irq", VCPU_STAT(request_irq_exits) },
15104 - { "irq_exits", VCPU_STAT(irq_exits) },
15105 - { "host_state_reload", VCPU_STAT(host_state_reload) },
15106 - { "efer_reload", VCPU_STAT(efer_reload) },
15107 - { "fpu_reload", VCPU_STAT(fpu_reload) },
15108 - { "insn_emulation", VCPU_STAT(insn_emulation) },
15109 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15110 - { "irq_injections", VCPU_STAT(irq_injections) },
15111 - { "nmi_injections", VCPU_STAT(nmi_injections) },
15112 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15113 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15114 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15115 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15116 - { "mmu_flooded", VM_STAT(mmu_flooded) },
15117 - { "mmu_recycled", VM_STAT(mmu_recycled) },
15118 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15119 - { "mmu_unsync", VM_STAT(mmu_unsync) },
15120 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15121 - { "largepages", VM_STAT(lpages) },
15122 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15123 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
15124 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15125 + { "invlpg", VCPU_STAT(invlpg), NULL },
15126 + { "exits", VCPU_STAT(exits), NULL },
15127 + { "io_exits", VCPU_STAT(io_exits), NULL },
15128 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15129 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
15130 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15131 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15132 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
15133 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15134 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
15135 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15136 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
15137 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15138 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
15139 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15140 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15141 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15142 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
15143 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15144 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15145 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15146 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15147 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15148 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15149 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15150 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15151 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15152 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15153 + { "largepages", VM_STAT(lpages), NULL },
15157 @@ -1672,6 +1672,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15158 if (n < msr_list.nmsrs)
15161 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15163 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15164 num_msrs_to_save * sizeof(u32)))
15166 @@ -2103,7 +2105,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15167 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15168 struct kvm_interrupt *irq)
15170 - if (irq->irq < 0 || irq->irq >= 256)
15171 + if (irq->irq >= 256)
15173 if (irqchip_in_kernel(vcpu->kvm))
15175 @@ -4070,10 +4072,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15177 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15179 -int kvm_arch_init(void *opaque)
15180 +int kvm_arch_init(const void *opaque)
15183 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15184 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15187 printk(KERN_ERR "kvm: already loaded the other module\n");
15188 diff -urNp linux-2.6.35.7/arch/x86/lib/atomic64_cx8_32.S linux-2.6.35.7/arch/x86/lib/atomic64_cx8_32.S
15189 --- linux-2.6.35.7/arch/x86/lib/atomic64_cx8_32.S 2010-08-26 19:47:12.000000000 -0400
15190 +++ linux-2.6.35.7/arch/x86/lib/atomic64_cx8_32.S 2010-09-26 22:02:10.000000000 -0400
15191 @@ -86,13 +86,23 @@ ENTRY(atomic64_\func\()_return_cx8)
15193 \ins\()l %esi, %ebx
15194 \insc\()l %edi, %ecx
15196 +#ifdef CONFIG_PAX_REFCOUNT
15199 + _ASM_EXTABLE(2b, 3f)
15210 +#ifdef CONFIG_PAX_REFCOUNT
15217 @@ -116,13 +126,24 @@ ENTRY(atomic64_\func\()_return_cx8)
15222 +#ifdef CONFIG_PAX_REFCOUNT
15225 + _ASM_EXTABLE(2b, 3f)
15236 +#ifdef CONFIG_PAX_REFCOUNT
15243 @@ -176,6 +197,13 @@ ENTRY(atomic64_add_unless_cx8)
15248 +#ifdef CONFIG_PAX_REFCOUNT
15251 + _ASM_EXTABLE(1234b, 1234b)
15257 @@ -208,6 +236,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
15262 +#ifdef CONFIG_PAX_REFCOUNT
15265 + _ASM_EXTABLE(1234b, 1234b)
15271 diff -urNp linux-2.6.35.7/arch/x86/lib/checksum_32.S linux-2.6.35.7/arch/x86/lib/checksum_32.S
15272 --- linux-2.6.35.7/arch/x86/lib/checksum_32.S 2010-08-26 19:47:12.000000000 -0400
15273 +++ linux-2.6.35.7/arch/x86/lib/checksum_32.S 2010-09-17 20:12:09.000000000 -0400
15275 #include <linux/linkage.h>
15276 #include <asm/dwarf2.h>
15277 #include <asm/errno.h>
15279 +#include <asm/segment.h>
15282 * computes a partial checksum, e.g. for TCP/UDP fragments
15284 @@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
15289 -ENTRY(csum_partial_copy_generic)
15291 +ENTRY(csum_partial_copy_generic_to_user)
15293 + pushl $(__USER_DS)
15294 + CFI_ADJUST_CFA_OFFSET 4
15296 + CFI_ADJUST_CFA_OFFSET -4
15297 + jmp csum_partial_copy_generic
15299 +ENTRY(csum_partial_copy_generic_from_user)
15300 + pushl $(__USER_DS)
15301 + CFI_ADJUST_CFA_OFFSET 4
15303 + CFI_ADJUST_CFA_OFFSET -4
15305 +ENTRY(csum_partial_copy_generic)
15307 CFI_ADJUST_CFA_OFFSET 4
15309 @@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
15311 SRC(1: movw (%esi), %bx )
15313 -DST( movw %bx, (%edi) )
15314 +DST( movw %bx, %es:(%edi) )
15318 @@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
15319 SRC(1: movl (%esi), %ebx )
15320 SRC( movl 4(%esi), %edx )
15322 -DST( movl %ebx, (%edi) )
15323 +DST( movl %ebx, %es:(%edi) )
15325 -DST( movl %edx, 4(%edi) )
15326 +DST( movl %edx, %es:4(%edi) )
15328 SRC( movl 8(%esi), %ebx )
15329 SRC( movl 12(%esi), %edx )
15331 -DST( movl %ebx, 8(%edi) )
15332 +DST( movl %ebx, %es:8(%edi) )
15334 -DST( movl %edx, 12(%edi) )
15335 +DST( movl %edx, %es:12(%edi) )
15337 SRC( movl 16(%esi), %ebx )
15338 SRC( movl 20(%esi), %edx )
15340 -DST( movl %ebx, 16(%edi) )
15341 +DST( movl %ebx, %es:16(%edi) )
15343 -DST( movl %edx, 20(%edi) )
15344 +DST( movl %edx, %es:20(%edi) )
15346 SRC( movl 24(%esi), %ebx )
15347 SRC( movl 28(%esi), %edx )
15349 -DST( movl %ebx, 24(%edi) )
15350 +DST( movl %ebx, %es:24(%edi) )
15352 -DST( movl %edx, 28(%edi) )
15353 +DST( movl %edx, %es:28(%edi) )
15357 @@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
15358 shrl $2, %edx # This clears CF
15359 SRC(3: movl (%esi), %ebx )
15361 -DST( movl %ebx, (%edi) )
15362 +DST( movl %ebx, %es:(%edi) )
15366 @@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
15368 SRC( movw (%esi), %cx )
15370 -DST( movw %cx, (%edi) )
15371 +DST( movw %cx, %es:(%edi) )
15375 SRC(5: movb (%esi), %cl )
15376 -DST( movb %cl, (%edi) )
15377 +DST( movb %cl, %es:(%edi) )
15381 @@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
15384 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15385 - movl $-EFAULT, (%ebx)
15386 + movl $-EFAULT, %ss:(%ebx)
15388 # zero the complete destination - computing the rest
15390 @@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
15393 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15394 - movl $-EFAULT,(%ebx)
15395 + movl $-EFAULT,%ss:(%ebx)
15401 + CFI_ADJUST_CFA_OFFSET 4
15403 + CFI_ADJUST_CFA_OFFSET -4
15405 + CFI_ADJUST_CFA_OFFSET 4
15407 + CFI_ADJUST_CFA_OFFSET -4
15409 CFI_ADJUST_CFA_OFFSET -4
15411 @@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
15412 CFI_ADJUST_CFA_OFFSET -4
15415 -ENDPROC(csum_partial_copy_generic)
15416 +ENDPROC(csum_partial_copy_generic_to_user)
15420 /* Version for PentiumII/PPro */
15422 #define ROUND1(x) \
15424 SRC(movl x(%esi), %ebx ) ; \
15425 addl %ebx, %eax ; \
15426 - DST(movl %ebx, x(%edi) ) ;
15427 + DST(movl %ebx, %es:x(%edi)) ;
15431 SRC(movl x(%esi), %ebx ) ; \
15432 adcl %ebx, %eax ; \
15433 - DST(movl %ebx, x(%edi) ) ;
15434 + DST(movl %ebx, %es:x(%edi)) ;
15438 -ENTRY(csum_partial_copy_generic)
15440 +ENTRY(csum_partial_copy_generic_to_user)
15442 + pushl $(__USER_DS)
15443 + CFI_ADJUST_CFA_OFFSET 4
15445 + CFI_ADJUST_CFA_OFFSET -4
15446 + jmp csum_partial_copy_generic
15448 +ENTRY(csum_partial_copy_generic_from_user)
15449 + pushl $(__USER_DS)
15450 + CFI_ADJUST_CFA_OFFSET 4
15452 + CFI_ADJUST_CFA_OFFSET -4
15454 +ENTRY(csum_partial_copy_generic)
15456 CFI_ADJUST_CFA_OFFSET 4
15457 CFI_REL_OFFSET ebx, 0
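Review bot: The routine now has three entry labels, `csum_partial_copy_generic_to_user`, `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic`, but the only end marker in the lines shown is `ENDPROC(csum_partial_copy_generic_to_user)`, placed where `ENDPROC(csum_partial_copy_generic)` used to be. The last hunk of this file does the same for the second variant of the routine. As far as this view shows, the other two symbols get no end marker of their own and the one that exists spans all three entry points, which skews the symbol type and size information that debugging and disassembly tools rely on. Adding `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` next to it, or a comment explaining why a single marker is meant to cover all three, would make the intent clear. Several lines of this hunk are not visible here, so this should be checked against the full file.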
15458 @@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
15462 - lea 3f(%ebx,%ebx), %ebx
15463 + lea 3f(%ebx,%ebx,2), %ebx
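Review bot: The computed jump target changes from `3f(%ebx,%ebx)` to `3f(%ebx,%ebx,2)`, that is from two to three times `%ebx`, with no comment tying the factor to the assembled size of one `ROUND` expansion. The `%es:` override added to the stores in `ROUND1` and `ROUND` changes that size, and the jump lands at the wrong offset if the two ever disagree. A comment on this line, such as `# 3 * %ebx: must match the assembled size of one ROUND, which now includes the %es: prefix`, would record the dependency for the next person who edits the macros. The instructions that compute `%ebx` and perform the indirect jump are outside this hunk, and parts of the macro bodies are not visible in this view.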
15467 @@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
15469 SRC( movw (%esi), %dx )
15471 -DST( movw %dx, (%edi) )
15472 +DST( movw %dx, %es:(%edi) )
15477 SRC( movb (%esi), %dl )
15478 -DST( movb %dl, (%edi) )
15479 +DST( movb %dl, %es:(%edi) )
15483 .section .fixup, "ax"
15484 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
15485 - movl $-EFAULT, (%ebx)
15486 + movl $-EFAULT, %ss:(%ebx)
15487 # zero the complete destination (computing the rest is too much work)
15488 movl ARGBASE+8(%esp),%edi # dst
15489 movl ARGBASE+12(%esp),%ecx # len
15490 @@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
15493 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15494 - movl $-EFAULT, (%ebx)
15495 + movl $-EFAULT, %ss:(%ebx)
15500 + CFI_ADJUST_CFA_OFFSET 4
15502 + CFI_ADJUST_CFA_OFFSET -4
15504 + CFI_ADJUST_CFA_OFFSET 4
15506 + CFI_ADJUST_CFA_OFFSET -4
15508 CFI_ADJUST_CFA_OFFSET -4
15510 @@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
15514 -ENDPROC(csum_partial_copy_generic)
15515 +ENDPROC(csum_partial_copy_generic_to_user)
15519 diff -urNp linux-2.6.35.7/arch/x86/lib/clear_page_64.S linux-2.6.35.7/arch/x86/lib/clear_page_64.S
15520 --- linux-2.6.35.7/arch/x86/lib/clear_page_64.S 2010-08-26 19:47:12.000000000 -0400
15521 +++ linux-2.6.35.7/arch/x86/lib/clear_page_64.S 2010-09-17 20:12:09.000000000 -0400
15522 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
15524 #include <asm/cpufeature.h>
15526 - .section .altinstr_replacement,"ax"
15527 + .section .altinstr_replacement,"a"
15528 1: .byte 0xeb /* jmp <disp8> */
15529 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
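Review bot: The switch of `.altinstr_replacement` from `"ax"` to `"a"` is not explained, here or in the identical hunks for copy_page_64.S and copy_user_64.S. It is presumably safe because the replacement bytes are only copied over the original site when alternatives are applied and are never run in place, but that reasoning is not in the file and a later cleanup could restore the executable flag. I would add a one-line comment above the directive, for example `/* copied by the alternatives patcher, never executed in place: keep non-executable */`.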
15531 diff -urNp linux-2.6.35.7/arch/x86/lib/copy_page_64.S linux-2.6.35.7/arch/x86/lib/copy_page_64.S
15532 --- linux-2.6.35.7/arch/x86/lib/copy_page_64.S 2010-08-26 19:47:12.000000000 -0400
15533 +++ linux-2.6.35.7/arch/x86/lib/copy_page_64.S 2010-09-17 20:12:09.000000000 -0400
15534 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
15536 #include <asm/cpufeature.h>
15538 - .section .altinstr_replacement,"ax"
15539 + .section .altinstr_replacement,"a"
15540 1: .byte 0xeb /* jmp <disp8> */
15541 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
15543 diff -urNp linux-2.6.35.7/arch/x86/lib/copy_user_64.S linux-2.6.35.7/arch/x86/lib/copy_user_64.S
15544 --- linux-2.6.35.7/arch/x86/lib/copy_user_64.S 2010-08-26 19:47:12.000000000 -0400
15545 +++ linux-2.6.35.7/arch/x86/lib/copy_user_64.S 2010-09-17 20:12:09.000000000 -0400
15546 @@ -15,13 +15,14 @@
15547 #include <asm/asm-offsets.h>
15548 #include <asm/thread_info.h>
15549 #include <asm/cpufeature.h>
15550 +#include <asm/pgtable.h>
15552 .macro ALTERNATIVE_JUMP feature,orig,alt
15554 .byte 0xe9 /* 32bit jump */
15555 .long \orig-1f /* by default jump to orig */
15557 - .section .altinstr_replacement,"ax"
15558 + .section .altinstr_replacement,"a"
15559 2: .byte 0xe9 /* near jump with 32bit immediate */
15560 .long \alt-1b /* offset */ /* or alternatively to alt */
15562 @@ -64,37 +65,13 @@
15566 -/* Standard copy_to_user with segment limit checking */
15567 -ENTRY(_copy_to_user)
15569 - GET_THREAD_INFO(%rax)
15573 - cmpq TI_addr_limit(%rax),%rcx
15575 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15577 -ENDPROC(_copy_to_user)
15579 -/* Standard copy_from_user with segment limit checking */
15580 -ENTRY(_copy_from_user)
15582 - GET_THREAD_INFO(%rax)
15586 - cmpq TI_addr_limit(%rax),%rcx
15587 - jae bad_from_user
15588 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15590 -ENDPROC(_copy_from_user)
15592 .section .fixup,"ax"
15593 /* must zero dest */
15594 ENTRY(bad_from_user)
15602 diff -urNp linux-2.6.35.7/arch/x86/lib/copy_user_nocache_64.S linux-2.6.35.7/arch/x86/lib/copy_user_nocache_64.S
15603 --- linux-2.6.35.7/arch/x86/lib/copy_user_nocache_64.S 2010-08-26 19:47:12.000000000 -0400
15604 +++ linux-2.6.35.7/arch/x86/lib/copy_user_nocache_64.S 2010-09-17 20:12:09.000000000 -0400
15606 #include <asm/current.h>
15607 #include <asm/asm-offsets.h>
15608 #include <asm/thread_info.h>
15609 +#include <asm/pgtable.h>
15611 .macro ALIGN_DESTINATION
15612 #ifdef FIX_ALIGNMENT
15615 ENTRY(__copy_user_nocache)
15618 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15619 + mov $PAX_USER_SHADOW_BASE,%rcx
15627 jb 20f /* less then 8 bytes, go to byte copy loop */
15629 diff -urNp linux-2.6.35.7/arch/x86/lib/csum-wrappers_64.c linux-2.6.35.7/arch/x86/lib/csum-wrappers_64.c
15630 --- linux-2.6.35.7/arch/x86/lib/csum-wrappers_64.c 2010-08-26 19:47:12.000000000 -0400
15631 +++ linux-2.6.35.7/arch/x86/lib/csum-wrappers_64.c 2010-09-17 20:12:09.000000000 -0400
15632 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15636 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15637 + src += PAX_USER_SHADOW_BASE;
15638 isum = csum_partial_copy_generic((__force const void *)src,
15639 dst, len, isum, errp, NULL);
15640 if (unlikely(*errp))
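Review bot: The rebasing of `src` before `csum_partial_copy_generic()` is not guarded by any config test, whereas the equivalent sequence in getuser.S and putuser.S in this same patch is wrapped in `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF`. Whether this is harmless with the option off depends on how `PAX_USER_SHADOW_BASE` is defined in that case, which this page does not show; if it is zero the test is dead code, otherwise user pointers are moved unconditionally. I would wrap the two lines in `#ifdef CONFIG_PAX_MEMORY_UDEREF` and `#endif`, and do the same for the `dst` adjustment in the `@@ -105,6 +107,8 @@` hunk. The enclosing function starts and ends outside the hunk.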
15641 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15645 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15646 + dst += PAX_USER_SHADOW_BASE;
15647 return csum_partial_copy_generic(src, (void __force *)dst,
15648 len, isum, NULL, errp);
15650 diff -urNp linux-2.6.35.7/arch/x86/lib/getuser.S linux-2.6.35.7/arch/x86/lib/getuser.S
15651 --- linux-2.6.35.7/arch/x86/lib/getuser.S 2010-08-26 19:47:12.000000000 -0400
15652 +++ linux-2.6.35.7/arch/x86/lib/getuser.S 2010-09-17 20:12:09.000000000 -0400
15653 @@ -33,14 +33,38 @@
15654 #include <asm/asm-offsets.h>
15655 #include <asm/thread_info.h>
15656 #include <asm/asm.h>
15657 +#include <asm/segment.h>
15658 +#include <asm/pgtable.h>
15661 ENTRY(__get_user_1)
15664 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15665 + pushl $(__USER_DS)
15668 GET_THREAD_INFO(%_ASM_DX)
15669 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15672 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15673 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15674 + cmp %_ASM_DX,%_ASM_AX
15676 + add %_ASM_DX,%_ASM_AX
15682 1: movzb (%_ASM_AX),%edx
15684 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
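Review bot: The `mov $PAX_USER_SHADOW_BASE` / `cmp` / `add` sequence inserted after the `TI_addr_limit` check has no comment, and it is repeated in `__get_user_2`, `__get_user_4` and `__get_user_8` in the following hunks. From the visible lines it rebases an address below the shadow base before the load at label `1:`, and it reuses `%_ASM_DX` once the limit check no longer needs the thread-info pointer; both facts are easy to break when one of the four copies is edited. A comment such as `/* UDEREF: user addresses are accessed through the shadow mapping; %_ASM_DX is free after the limit check */`, or one assembler macro shared by the four routines, would keep them in step. Lines of this hunk are missing from the page, so the branch between `cmp` and `add` is inferred.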
15692 @@ -49,11 +73,33 @@ ENDPROC(__get_user_1)
15693 ENTRY(__get_user_2)
15697 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15698 + pushl $(__USER_DS)
15702 GET_THREAD_INFO(%_ASM_DX)
15703 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15706 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15707 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15708 + cmp %_ASM_DX,%_ASM_AX
15710 + add %_ASM_DX,%_ASM_AX
15716 2: movzwl -1(%_ASM_AX),%edx
15718 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15726 @@ -62,11 +108,33 @@ ENDPROC(__get_user_2)
15727 ENTRY(__get_user_4)
15731 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15732 + pushl $(__USER_DS)
15736 GET_THREAD_INFO(%_ASM_DX)
15737 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15740 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15741 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15742 + cmp %_ASM_DX,%_ASM_AX
15744 + add %_ASM_DX,%_ASM_AX
15750 3: mov -3(%_ASM_AX),%edx
15752 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15760 @@ -80,6 +148,15 @@ ENTRY(__get_user_8)
15761 GET_THREAD_INFO(%_ASM_DX)
15762 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15765 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15766 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15767 + cmp %_ASM_DX,%_ASM_AX
15769 + add %_ASM_DX,%_ASM_AX
15773 4: movq -7(%_ASM_AX),%_ASM_DX
15776 @@ -89,6 +166,12 @@ ENDPROC(__get_user_8)
15781 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15787 mov $(-EFAULT),%_ASM_AX
15789 diff -urNp linux-2.6.35.7/arch/x86/lib/insn.c linux-2.6.35.7/arch/x86/lib/insn.c
15790 --- linux-2.6.35.7/arch/x86/lib/insn.c 2010-08-26 19:47:12.000000000 -0400
15791 +++ linux-2.6.35.7/arch/x86/lib/insn.c 2010-09-17 20:12:09.000000000 -0400
15793 #include <linux/string.h>
15794 #include <asm/inat.h>
15795 #include <asm/insn.h>
15796 +#include <asm/pgtable_types.h>
15798 #define get_next(t, insn) \
15799 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
15801 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
15803 memset(insn, 0, sizeof(*insn));
15804 - insn->kaddr = kaddr;
15805 - insn->next_byte = kaddr;
15806 + insn->kaddr = ktla_ktva(kaddr);
15807 + insn->next_byte = ktla_ktva(kaddr);
15808 insn->x86_64 = x86_64 ? 1 : 0;
15809 insn->opnd_bytes = 4;
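Review bot: `insn_init()` now passes its argument through `ktla_ktva()`, which changes the contract for every caller, but the parameter is still named `kaddr` and nothing documents the new expectation. If `ktla_ktva()` applies a fixed offset (its definition is not on this page), a caller that hands in a pointer to a copied instruction buffer rather than an address inside kernel text would have the decoder read from the wrong location. I would state the requirement in the function's header comment, for example `@kaddr: kernel text linear address; translated with ktla_ktva() before decoding`, and check callers that decode from a buffer. The translation could also be done once, with `insn->next_byte = insn->kaddr;` as the second assignment.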
15811 diff -urNp linux-2.6.35.7/arch/x86/lib/mmx_32.c linux-2.6.35.7/arch/x86/lib/mmx_32.c
15812 --- linux-2.6.35.7/arch/x86/lib/mmx_32.c 2010-08-26 19:47:12.000000000 -0400
15813 +++ linux-2.6.35.7/arch/x86/lib/mmx_32.c 2010-09-17 20:12:09.000000000 -0400
15814 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
15818 + unsigned long cr0;
15820 if (unlikely(in_interrupt()))
15821 return __memcpy(to, from, len);
15822 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
15823 kernel_fpu_begin();
15825 __asm__ __volatile__ (
15826 - "1: prefetch (%0)\n" /* This set is 28 bytes */
15827 - " prefetch 64(%0)\n"
15828 - " prefetch 128(%0)\n"
15829 - " prefetch 192(%0)\n"
15830 - " prefetch 256(%0)\n"
15831 + "1: prefetch (%1)\n" /* This set is 28 bytes */
15832 + " prefetch 64(%1)\n"
15833 + " prefetch 128(%1)\n"
15834 + " prefetch 192(%1)\n"
15835 + " prefetch 256(%1)\n"
15837 ".section .fixup, \"ax\"\n"
15838 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15841 +#ifdef CONFIG_PAX_KERNEXEC
15842 + " movl %%cr0, %0\n"
15843 + " movl %0, %%eax\n"
15844 + " andl $0xFFFEFFFF, %%eax\n"
15845 + " movl %%eax, %%cr0\n"
15848 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15850 +#ifdef CONFIG_PAX_KERNEXEC
15851 + " movl %0, %%cr0\n"
15856 _ASM_EXTABLE(1b, 3b)
15858 + : "=&r" (cr0) : "r" (from) : "ax");
15860 for ( ; i > 5; i--) {
15861 __asm__ __volatile__ (
15862 - "1: prefetch 320(%0)\n"
15863 - "2: movq (%0), %%mm0\n"
15864 - " movq 8(%0), %%mm1\n"
15865 - " movq 16(%0), %%mm2\n"
15866 - " movq 24(%0), %%mm3\n"
15867 - " movq %%mm0, (%1)\n"
15868 - " movq %%mm1, 8(%1)\n"
15869 - " movq %%mm2, 16(%1)\n"
15870 - " movq %%mm3, 24(%1)\n"
15871 - " movq 32(%0), %%mm0\n"
15872 - " movq 40(%0), %%mm1\n"
15873 - " movq 48(%0), %%mm2\n"
15874 - " movq 56(%0), %%mm3\n"
15875 - " movq %%mm0, 32(%1)\n"
15876 - " movq %%mm1, 40(%1)\n"
15877 - " movq %%mm2, 48(%1)\n"
15878 - " movq %%mm3, 56(%1)\n"
15879 + "1: prefetch 320(%1)\n"
15880 + "2: movq (%1), %%mm0\n"
15881 + " movq 8(%1), %%mm1\n"
15882 + " movq 16(%1), %%mm2\n"
15883 + " movq 24(%1), %%mm3\n"
15884 + " movq %%mm0, (%2)\n"
15885 + " movq %%mm1, 8(%2)\n"
15886 + " movq %%mm2, 16(%2)\n"
15887 + " movq %%mm3, 24(%2)\n"
15888 + " movq 32(%1), %%mm0\n"
15889 + " movq 40(%1), %%mm1\n"
15890 + " movq 48(%1), %%mm2\n"
15891 + " movq 56(%1), %%mm3\n"
15892 + " movq %%mm0, 32(%2)\n"
15893 + " movq %%mm1, 40(%2)\n"
15894 + " movq %%mm2, 48(%2)\n"
15895 + " movq %%mm3, 56(%2)\n"
15896 ".section .fixup, \"ax\"\n"
15897 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15900 +#ifdef CONFIG_PAX_KERNEXEC
15901 + " movl %%cr0, %0\n"
15902 + " movl %0, %%eax\n"
15903 + " andl $0xFFFEFFFF, %%eax\n"
15904 + " movl %%eax, %%cr0\n"
15907 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15909 +#ifdef CONFIG_PAX_KERNEXEC
15910 + " movl %0, %%cr0\n"
15915 _ASM_EXTABLE(1b, 3b)
15916 - : : "r" (from), "r" (to) : "memory");
15917 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
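Review bot: The mask `0xFFFEFFFF` in the new fixup code is an unexplained magic number, and the same save/clear/restore of `%cr0` is pasted into both asm statements here and into the four in the two `fast_copy_page()` variants below. The mask clears bit 16 of CR0 (write protect), presumably so the `movw ..., 1b` store can patch kernel text that CONFIG_PAX_KERNEXEC keeps read-only; a comment such as `/* clear CR0.WP so the fixup can rewrite the prefetch at 1b */` would say so. Write protection is off between the two `%cr0` writes, so the comment should also state what keeps that window safe: `kernel_fpu_begin()` is called before the asm, but whether an interrupt can run inside the window is not visible here. Factoring the sequence into one string macro would keep the six copies identical.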
15921 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
15922 static void fast_copy_page(void *to, void *from)
15925 + unsigned long cr0;
15927 kernel_fpu_begin();
15929 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
15930 * but that is for later. -AV
15932 __asm__ __volatile__(
15933 - "1: prefetch (%0)\n"
15934 - " prefetch 64(%0)\n"
15935 - " prefetch 128(%0)\n"
15936 - " prefetch 192(%0)\n"
15937 - " prefetch 256(%0)\n"
15938 + "1: prefetch (%1)\n"
15939 + " prefetch 64(%1)\n"
15940 + " prefetch 128(%1)\n"
15941 + " prefetch 192(%1)\n"
15942 + " prefetch 256(%1)\n"
15944 ".section .fixup, \"ax\"\n"
15945 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15948 +#ifdef CONFIG_PAX_KERNEXEC
15949 + " movl %%cr0, %0\n"
15950 + " movl %0, %%eax\n"
15951 + " andl $0xFFFEFFFF, %%eax\n"
15952 + " movl %%eax, %%cr0\n"
15955 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15957 +#ifdef CONFIG_PAX_KERNEXEC
15958 + " movl %0, %%cr0\n"
15963 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
15964 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
15966 for (i = 0; i < (4096-320)/64; i++) {
15967 __asm__ __volatile__ (
15968 - "1: prefetch 320(%0)\n"
15969 - "2: movq (%0), %%mm0\n"
15970 - " movntq %%mm0, (%1)\n"
15971 - " movq 8(%0), %%mm1\n"
15972 - " movntq %%mm1, 8(%1)\n"
15973 - " movq 16(%0), %%mm2\n"
15974 - " movntq %%mm2, 16(%1)\n"
15975 - " movq 24(%0), %%mm3\n"
15976 - " movntq %%mm3, 24(%1)\n"
15977 - " movq 32(%0), %%mm4\n"
15978 - " movntq %%mm4, 32(%1)\n"
15979 - " movq 40(%0), %%mm5\n"
15980 - " movntq %%mm5, 40(%1)\n"
15981 - " movq 48(%0), %%mm6\n"
15982 - " movntq %%mm6, 48(%1)\n"
15983 - " movq 56(%0), %%mm7\n"
15984 - " movntq %%mm7, 56(%1)\n"
15985 + "1: prefetch 320(%1)\n"
15986 + "2: movq (%1), %%mm0\n"
15987 + " movntq %%mm0, (%2)\n"
15988 + " movq 8(%1), %%mm1\n"
15989 + " movntq %%mm1, 8(%2)\n"
15990 + " movq 16(%1), %%mm2\n"
15991 + " movntq %%mm2, 16(%2)\n"
15992 + " movq 24(%1), %%mm3\n"
15993 + " movntq %%mm3, 24(%2)\n"
15994 + " movq 32(%1), %%mm4\n"
15995 + " movntq %%mm4, 32(%2)\n"
15996 + " movq 40(%1), %%mm5\n"
15997 + " movntq %%mm5, 40(%2)\n"
15998 + " movq 48(%1), %%mm6\n"
15999 + " movntq %%mm6, 48(%2)\n"
16000 + " movq 56(%1), %%mm7\n"
16001 + " movntq %%mm7, 56(%2)\n"
16002 ".section .fixup, \"ax\"\n"
16003 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16006 +#ifdef CONFIG_PAX_KERNEXEC
16007 + " movl %%cr0, %0\n"
16008 + " movl %0, %%eax\n"
16009 + " andl $0xFFFEFFFF, %%eax\n"
16010 + " movl %%eax, %%cr0\n"
16013 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16015 +#ifdef CONFIG_PAX_KERNEXEC
16016 + " movl %0, %%cr0\n"
16021 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16022 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16026 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16027 static void fast_copy_page(void *to, void *from)
16030 + unsigned long cr0;
16032 kernel_fpu_begin();
16034 __asm__ __volatile__ (
16035 - "1: prefetch (%0)\n"
16036 - " prefetch 64(%0)\n"
16037 - " prefetch 128(%0)\n"
16038 - " prefetch 192(%0)\n"
16039 - " prefetch 256(%0)\n"
16040 + "1: prefetch (%1)\n"
16041 + " prefetch 64(%1)\n"
16042 + " prefetch 128(%1)\n"
16043 + " prefetch 192(%1)\n"
16044 + " prefetch 256(%1)\n"
16046 ".section .fixup, \"ax\"\n"
16047 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16050 +#ifdef CONFIG_PAX_KERNEXEC
16051 + " movl %%cr0, %0\n"
16052 + " movl %0, %%eax\n"
16053 + " andl $0xFFFEFFFF, %%eax\n"
16054 + " movl %%eax, %%cr0\n"
16057 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16059 +#ifdef CONFIG_PAX_KERNEXEC
16060 + " movl %0, %%cr0\n"
16065 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16066 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16068 for (i = 0; i < 4096/64; i++) {
16069 __asm__ __volatile__ (
16070 - "1: prefetch 320(%0)\n"
16071 - "2: movq (%0), %%mm0\n"
16072 - " movq 8(%0), %%mm1\n"
16073 - " movq 16(%0), %%mm2\n"
16074 - " movq 24(%0), %%mm3\n"
16075 - " movq %%mm0, (%1)\n"
16076 - " movq %%mm1, 8(%1)\n"
16077 - " movq %%mm2, 16(%1)\n"
16078 - " movq %%mm3, 24(%1)\n"
16079 - " movq 32(%0), %%mm0\n"
16080 - " movq 40(%0), %%mm1\n"
16081 - " movq 48(%0), %%mm2\n"
16082 - " movq 56(%0), %%mm3\n"
16083 - " movq %%mm0, 32(%1)\n"
16084 - " movq %%mm1, 40(%1)\n"
16085 - " movq %%mm2, 48(%1)\n"
16086 - " movq %%mm3, 56(%1)\n"
16087 + "1: prefetch 320(%1)\n"
16088 + "2: movq (%1), %%mm0\n"
16089 + " movq 8(%1), %%mm1\n"
16090 + " movq 16(%1), %%mm2\n"
16091 + " movq 24(%1), %%mm3\n"
16092 + " movq %%mm0, (%2)\n"
16093 + " movq %%mm1, 8(%2)\n"
16094 + " movq %%mm2, 16(%2)\n"
16095 + " movq %%mm3, 24(%2)\n"
16096 + " movq 32(%1), %%mm0\n"
16097 + " movq 40(%1), %%mm1\n"
16098 + " movq 48(%1), %%mm2\n"
16099 + " movq 56(%1), %%mm3\n"
16100 + " movq %%mm0, 32(%2)\n"
16101 + " movq %%mm1, 40(%2)\n"
16102 + " movq %%mm2, 48(%2)\n"
16103 + " movq %%mm3, 56(%2)\n"
16104 ".section .fixup, \"ax\"\n"
16105 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16108 +#ifdef CONFIG_PAX_KERNEXEC
16109 + " movl %%cr0, %0\n"
16110 + " movl %0, %%eax\n"
16111 + " andl $0xFFFEFFFF, %%eax\n"
16112 + " movl %%eax, %%cr0\n"
16115 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16117 +#ifdef CONFIG_PAX_KERNEXEC
16118 + " movl %0, %%cr0\n"
16123 _ASM_EXTABLE(1b, 3b)
16124 - : : "r" (from), "r" (to) : "memory");
16125 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16129 diff -urNp linux-2.6.35.7/arch/x86/lib/putuser.S linux-2.6.35.7/arch/x86/lib/putuser.S
16130 --- linux-2.6.35.7/arch/x86/lib/putuser.S 2010-08-26 19:47:12.000000000 -0400
16131 +++ linux-2.6.35.7/arch/x86/lib/putuser.S 2010-09-17 20:12:09.000000000 -0400
16133 #include <asm/thread_info.h>
16134 #include <asm/errno.h>
16135 #include <asm/asm.h>
16137 +#include <asm/segment.h>
16138 +#include <asm/pgtable.h>
16142 @@ -29,59 +30,162 @@
16143 * as they get called from within inline assembly.
16146 -#define ENTER CFI_STARTPROC ; \
16147 - GET_THREAD_INFO(%_ASM_BX)
16148 +#define ENTER CFI_STARTPROC
16149 #define EXIT ret ; \
16152 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16153 +#define _DEST %_ASM_CX,%_ASM_BX
16155 +#define _DEST %_ASM_CX
16159 ENTRY(__put_user_1)
16162 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16163 + pushl $(__USER_DS)
16166 + GET_THREAD_INFO(%_ASM_BX)
16167 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16169 -1: movb %al,(%_ASM_CX)
16171 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16172 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16173 + cmp %_ASM_BX,%_ASM_CX
16181 +1: movb %al,(_DEST)
16183 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16190 ENDPROC(__put_user_1)
16192 ENTRY(__put_user_2)
16195 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16196 + pushl $(__USER_DS)
16199 + GET_THREAD_INFO(%_ASM_BX)
16200 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16202 cmp %_ASM_BX,%_ASM_CX
16204 -2: movw %ax,(%_ASM_CX)
16206 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16207 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16208 + cmp %_ASM_BX,%_ASM_CX
16216 +2: movw %ax,(_DEST)
16218 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16225 ENDPROC(__put_user_2)
16227 ENTRY(__put_user_4)
16230 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16231 + pushl $(__USER_DS)
16234 + GET_THREAD_INFO(%_ASM_BX)
16235 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16237 cmp %_ASM_BX,%_ASM_CX
16239 -3: movl %eax,(%_ASM_CX)
16241 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16242 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16243 + cmp %_ASM_BX,%_ASM_CX
16251 +3: movl %eax,(_DEST)
16253 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16260 ENDPROC(__put_user_4)
16262 ENTRY(__put_user_8)
16265 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16266 + pushl $(__USER_DS)
16269 + GET_THREAD_INFO(%_ASM_BX)
16270 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16272 cmp %_ASM_BX,%_ASM_CX
16274 -4: mov %_ASM_AX,(%_ASM_CX)
16276 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16277 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16278 + cmp %_ASM_BX,%_ASM_CX
16286 +4: mov %_ASM_AX,(_DEST)
16287 #ifdef CONFIG_X86_32
16288 -5: movl %edx,4(%_ASM_CX)
16289 +5: movl %edx,4(_DEST)
16292 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16299 ENDPROC(__put_user_8)
16304 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
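Review bot: `_DEST` expands to `%_ASM_CX,%_ASM_BX` under 64-bit UDEREF, so every store through `(_DEST)` depends on what `%_ASM_BX` holds at labels `1:` to `4:`, and no comment states that invariant. The visible lines load `PAX_USER_SHADOW_BASE` into `%_ASM_BX` and compare it with `%_ASM_CX`; the lines that settle the final value of `%_ASM_BX` are not shown on this page, so I am assuming it ends up as either the shadow base or zero. Since `ENTER` no longer loads the thread-info pointer and each routine now uses `%_ASM_BX` in turn for thread info, the address limit and the shadow base, a comment at the `#define`, e.g. `/* %_ASM_BX = offset added to the user pointer (shadow base or 0) */`, would make the register contract explicit.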
16312 diff -urNp linux-2.6.35.7/arch/x86/lib/usercopy_32.c linux-2.6.35.7/arch/x86/lib/usercopy_32.c
16313 --- linux-2.6.35.7/arch/x86/lib/usercopy_32.c 2010-08-26 19:47:12.000000000 -0400
16314 +++ linux-2.6.35.7/arch/x86/lib/usercopy_32.c 2010-09-17 20:12:09.000000000 -0400
16315 @@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
16316 * Copy a null terminated string from userspace.
16319 -#define __do_strncpy_from_user(dst, src, count, res) \
16321 - int __d0, __d1, __d2; \
16323 - __asm__ __volatile__( \
16324 - " testl %1,%1\n" \
16328 - " testb %%al,%%al\n" \
16332 - "1: subl %1,%0\n" \
16334 - ".section .fixup,\"ax\"\n" \
16335 - "3: movl %5,%0\n" \
16338 - _ASM_EXTABLE(0b,3b) \
16339 - : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
16341 - : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
16344 +static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
16346 + int __d0, __d1, __d2;
16347 + long res = -EFAULT;
16350 + __asm__ __volatile__(
16351 + " movw %w10,%%ds\n"
16356 + " testb %%al,%%al\n"
16360 + "1: subl %1,%0\n"
16364 + ".section .fixup,\"ax\"\n"
16365 + "3: movl %5,%0\n"
16368 + _ASM_EXTABLE(0b,3b)
16369 + : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
16371 + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
16378 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
16379 @@ -85,9 +92,7 @@ do { \
16381 __strncpy_from_user(char *dst, const char __user *src, long count)
16384 - __do_strncpy_from_user(dst, src, count, res);
16386 + return __do_strncpy_from_user(dst, src, count);
16388 EXPORT_SYMBOL(__strncpy_from_user);
16390 @@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
16392 long res = -EFAULT;
16393 if (access_ok(VERIFY_READ, src, 1))
16394 - __do_strncpy_from_user(dst, src, count, res);
16395 + res = __do_strncpy_from_user(dst, src, count);
16398 EXPORT_SYMBOL(strncpy_from_user);
16399 @@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
16403 -#define __do_clear_user(addr,size) \
16407 - __asm__ __volatile__( \
16408 - "0: rep; stosl\n" \
16409 - " movl %2,%0\n" \
16410 - "1: rep; stosb\n" \
16412 - ".section .fixup,\"ax\"\n" \
16413 - "3: lea 0(%2,%0,4),%0\n" \
16416 - _ASM_EXTABLE(0b,3b) \
16417 - _ASM_EXTABLE(1b,2b) \
16418 - : "=&c"(size), "=&D" (__d0) \
16419 - : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
16421 +static unsigned long __do_clear_user(void __user *addr, unsigned long size)
16426 + __asm__ __volatile__(
16427 + " movw %w6,%%es\n"
16428 + "0: rep; stosl\n"
16430 + "1: rep; stosb\n"
16434 + ".section .fixup,\"ax\"\n"
16435 + "3: lea 0(%2,%0,4),%0\n"
16438 + _ASM_EXTABLE(0b,3b)
16439 + _ASM_EXTABLE(1b,2b)
16440 + : "=&c"(size), "=&D" (__d0)
16441 + : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
16447 * clear_user: - Zero a block of memory in user space.
16448 @@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
16451 if (access_ok(VERIFY_WRITE, to, n))
16452 - __do_clear_user(to, n);
16453 + n = __do_clear_user(to, n);
16456 EXPORT_SYMBOL(clear_user);
16457 @@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
16459 __clear_user(void __user *to, unsigned long n)
16461 - __do_clear_user(to, n);
16463 + return __do_clear_user(to, n);
16465 EXPORT_SYMBOL(__clear_user);
16467 @@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
16470 __asm__ __volatile__(
16471 + " movw %w8,%%es\n"
16474 - " andl %0,%%ecx\n"
16475 + " movl %0,%%ecx\n"
16476 "0: repne; scasb\n"
16483 ".section .fixup,\"ax\"\n"
16484 "2: xorl %%eax,%%eax\n"
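Review bot: Replacing `andl %0,%%ecx` with `movl %0,%%ecx` removes the only place where `mask` limited the scan, so `repne; scasb` now runs for the full `n` even when `mask` is zero (presumably the failed address check; its computation is outside the hunk). `mask` is still passed as operand 3 in the constraint list of the next hunk, but after this change it is overwritten before it is used inside the asm. The scan then relies on the segment loaded by the new `movw %w8,%%es` to keep it out of kernel memory, which holds only if that segment's limit excludes kernel addresses in every configuration this file is built for; that is not visible on this page. I would either keep the `andl` or add a comment naming the mechanism that now bounds the access.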
16486 @@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
16489 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
16490 - :"0" (n), "1" (s), "2" (0), "3" (mask)
16491 + :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
16495 @@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
16497 #ifdef CONFIG_X86_INTEL_USERCOPY
16498 static unsigned long
16499 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
16500 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16503 + __asm__ __volatile__(
16504 + " movw %w6, %%es\n"
16505 + " .align 2,0x90\n"
16506 + "1: movl 32(%4), %%eax\n"
16507 + " cmpl $67, %0\n"
16509 + "2: movl 64(%4), %%eax\n"
16510 + " .align 2,0x90\n"
16511 + "3: movl 0(%4), %%eax\n"
16512 + "4: movl 4(%4), %%edx\n"
16513 + "5: movl %%eax, %%es:0(%3)\n"
16514 + "6: movl %%edx, %%es:4(%3)\n"
16515 + "7: movl 8(%4), %%eax\n"
16516 + "8: movl 12(%4),%%edx\n"
16517 + "9: movl %%eax, %%es:8(%3)\n"
16518 + "10: movl %%edx, %%es:12(%3)\n"
16519 + "11: movl 16(%4), %%eax\n"
16520 + "12: movl 20(%4), %%edx\n"
16521 + "13: movl %%eax, %%es:16(%3)\n"
16522 + "14: movl %%edx, %%es:20(%3)\n"
16523 + "15: movl 24(%4), %%eax\n"
16524 + "16: movl 28(%4), %%edx\n"
16525 + "17: movl %%eax, %%es:24(%3)\n"
16526 + "18: movl %%edx, %%es:28(%3)\n"
16527 + "19: movl 32(%4), %%eax\n"
16528 + "20: movl 36(%4), %%edx\n"
16529 + "21: movl %%eax, %%es:32(%3)\n"
16530 + "22: movl %%edx, %%es:36(%3)\n"
16531 + "23: movl 40(%4), %%eax\n"
16532 + "24: movl 44(%4), %%edx\n"
16533 + "25: movl %%eax, %%es:40(%3)\n"
16534 + "26: movl %%edx, %%es:44(%3)\n"
16535 + "27: movl 48(%4), %%eax\n"
16536 + "28: movl 52(%4), %%edx\n"
16537 + "29: movl %%eax, %%es:48(%3)\n"
16538 + "30: movl %%edx, %%es:52(%3)\n"
16539 + "31: movl 56(%4), %%eax\n"
16540 + "32: movl 60(%4), %%edx\n"
16541 + "33: movl %%eax, %%es:56(%3)\n"
16542 + "34: movl %%edx, %%es:60(%3)\n"
16543 + " addl $-64, %0\n"
16544 + " addl $64, %4\n"
16545 + " addl $64, %3\n"
16546 + " cmpl $63, %0\n"
16548 + "35: movl %0, %%eax\n"
16550 + " andl $3, %%eax\n"
16552 + "99: rep; movsl\n"
16553 + "36: movl %%eax, %0\n"
16554 + "37: rep; movsb\n"
16558 + ".section .fixup,\"ax\"\n"
16559 + "101: lea 0(%%eax,%0,4),%0\n"
16562 + ".section __ex_table,\"a\"\n"
16564 + " .long 1b,100b\n"
16565 + " .long 2b,100b\n"
16566 + " .long 3b,100b\n"
16567 + " .long 4b,100b\n"
16568 + " .long 5b,100b\n"
16569 + " .long 6b,100b\n"
16570 + " .long 7b,100b\n"
16571 + " .long 8b,100b\n"
16572 + " .long 9b,100b\n"
16573 + " .long 10b,100b\n"
16574 + " .long 11b,100b\n"
16575 + " .long 12b,100b\n"
16576 + " .long 13b,100b\n"
16577 + " .long 14b,100b\n"
16578 + " .long 15b,100b\n"
16579 + " .long 16b,100b\n"
16580 + " .long 17b,100b\n"
16581 + " .long 18b,100b\n"
16582 + " .long 19b,100b\n"
16583 + " .long 20b,100b\n"
16584 + " .long 21b,100b\n"
16585 + " .long 22b,100b\n"
16586 + " .long 23b,100b\n"
16587 + " .long 24b,100b\n"
16588 + " .long 25b,100b\n"
16589 + " .long 26b,100b\n"
16590 + " .long 27b,100b\n"
16591 + " .long 28b,100b\n"
16592 + " .long 29b,100b\n"
16593 + " .long 30b,100b\n"
16594 + " .long 31b,100b\n"
16595 + " .long 32b,100b\n"
16596 + " .long 33b,100b\n"
16597 + " .long 34b,100b\n"
16598 + " .long 35b,100b\n"
16599 + " .long 36b,100b\n"
16600 + " .long 37b,100b\n"
16601 + " .long 99b,101b\n"
16603 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
16604 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16605 + : "eax", "edx", "memory");
16609 +static unsigned long
16610 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16613 __asm__ __volatile__(
16614 + " movw %w6, %%ds\n"
16616 "1: movl 32(%4), %%eax\n"
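Review bot: The new `__generic_copy_to_user_intel()` writes its exception table as a raw `.section __ex_table` block of `.long` pairs, while `__do_strncpy_from_user()` and `__do_clear_user()` in this same file use `_ASM_EXTABLE(...)`. The hand-written form hard-codes the entry layout and makes it easy to add a faulting instruction without a matching entry; entries such as `_ASM_EXTABLE(1b,100b)` and `_ASM_EXTABLE(99b,101b)` would match the rest of the file. The function is also a near-verbatim copy of the existing unrolled loop with `%es:` added to the stores, so a comment saying which body is the reference would help keep the two in sync. `movw %w6, %%es` changes a segment register that the string instructions use implicitly, and the lines that restore it on the normal and fixup exits are not shown on this page, so that path deserves a check.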
16618 @@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
16620 "3: movl 0(%4), %%eax\n"
16621 "4: movl 4(%4), %%edx\n"
16622 - "5: movl %%eax, 0(%3)\n"
16623 - "6: movl %%edx, 4(%3)\n"
16624 + "5: movl %%eax, %%es:0(%3)\n"
16625 + "6: movl %%edx, %%es:4(%3)\n"
16626 "7: movl 8(%4), %%eax\n"
16627 "8: movl 12(%4),%%edx\n"
16628 - "9: movl %%eax, 8(%3)\n"
16629 - "10: movl %%edx, 12(%3)\n"
16630 + "9: movl %%eax, %%es:8(%3)\n"
16631 + "10: movl %%edx, %%es:12(%3)\n"
16632 "11: movl 16(%4), %%eax\n"
16633 "12: movl 20(%4), %%edx\n"
16634 - "13: movl %%eax, 16(%3)\n"
16635 - "14: movl %%edx, 20(%3)\n"
16636 + "13: movl %%eax, %%es:16(%3)\n"
16637 + "14: movl %%edx, %%es:20(%3)\n"
16638 "15: movl 24(%4), %%eax\n"
16639 "16: movl 28(%4), %%edx\n"
16640 - "17: movl %%eax, 24(%3)\n"
16641 - "18: movl %%edx, 28(%3)\n"
16642 + "17: movl %%eax, %%es:24(%3)\n"
16643 + "18: movl %%edx, %%es:28(%3)\n"
16644 "19: movl 32(%4), %%eax\n"
16645 "20: movl 36(%4), %%edx\n"
16646 - "21: movl %%eax, 32(%3)\n"
16647 - "22: movl %%edx, 36(%3)\n"
16648 + "21: movl %%eax, %%es:32(%3)\n"
16649 + "22: movl %%edx, %%es:36(%3)\n"
16650 "23: movl 40(%4), %%eax\n"
16651 "24: movl 44(%4), %%edx\n"
16652 - "25: movl %%eax, 40(%3)\n"
16653 - "26: movl %%edx, 44(%3)\n"
16654 + "25: movl %%eax, %%es:40(%3)\n"
16655 + "26: movl %%edx, %%es:44(%3)\n"
16656 "27: movl 48(%4), %%eax\n"
16657 "28: movl 52(%4), %%edx\n"
16658 - "29: movl %%eax, 48(%3)\n"
16659 - "30: movl %%edx, 52(%3)\n"
16660 + "29: movl %%eax, %%es:48(%3)\n"
16661 + "30: movl %%edx, %%es:52(%3)\n"
16662 "31: movl 56(%4), %%eax\n"
16663 "32: movl 60(%4), %%edx\n"
16664 - "33: movl %%eax, 56(%3)\n"
16665 - "34: movl %%edx, 60(%3)\n"
16666 + "33: movl %%eax, %%es:56(%3)\n"
16667 + "34: movl %%edx, %%es:60(%3)\n"
16671 @@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
16672 "36: movl %%eax, %0\n"
16677 ".section .fixup,\"ax\"\n"
16678 "101: lea 0(%%eax,%0,4),%0\n"
16680 @@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
16681 " .long 99b,101b\n"
16683 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16684 - : "1"(to), "2"(from), "0"(size)
16685 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16686 : "eax", "edx", "memory");
16689 @@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
16692 __asm__ __volatile__(
16693 + " movw %w6, %%ds\n"
16695 "0: movl 32(%4), %%eax\n"
16697 @@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
16699 "2: movl 0(%4), %%eax\n"
16700 "21: movl 4(%4), %%edx\n"
16701 - " movl %%eax, 0(%3)\n"
16702 - " movl %%edx, 4(%3)\n"
16703 + " movl %%eax, %%es:0(%3)\n"
16704 + " movl %%edx, %%es:4(%3)\n"
16705 "3: movl 8(%4), %%eax\n"
16706 "31: movl 12(%4),%%edx\n"
16707 - " movl %%eax, 8(%3)\n"
16708 - " movl %%edx, 12(%3)\n"
16709 + " movl %%eax, %%es:8(%3)\n"
16710 + " movl %%edx, %%es:12(%3)\n"
16711 "4: movl 16(%4), %%eax\n"
16712 "41: movl 20(%4), %%edx\n"
16713 - " movl %%eax, 16(%3)\n"
16714 - " movl %%edx, 20(%3)\n"
16715 + " movl %%eax, %%es:16(%3)\n"
16716 + " movl %%edx, %%es:20(%3)\n"
16717 "10: movl 24(%4), %%eax\n"
16718 "51: movl 28(%4), %%edx\n"
16719 - " movl %%eax, 24(%3)\n"
16720 - " movl %%edx, 28(%3)\n"
16721 + " movl %%eax, %%es:24(%3)\n"
16722 + " movl %%edx, %%es:28(%3)\n"
16723 "11: movl 32(%4), %%eax\n"
16724 "61: movl 36(%4), %%edx\n"
16725 - " movl %%eax, 32(%3)\n"
16726 - " movl %%edx, 36(%3)\n"
16727 + " movl %%eax, %%es:32(%3)\n"
16728 + " movl %%edx, %%es:36(%3)\n"
16729 "12: movl 40(%4), %%eax\n"
16730 "71: movl 44(%4), %%edx\n"
16731 - " movl %%eax, 40(%3)\n"
16732 - " movl %%edx, 44(%3)\n"
16733 + " movl %%eax, %%es:40(%3)\n"
16734 + " movl %%edx, %%es:44(%3)\n"
16735 "13: movl 48(%4), %%eax\n"
16736 "81: movl 52(%4), %%edx\n"
16737 - " movl %%eax, 48(%3)\n"
16738 - " movl %%edx, 52(%3)\n"
16739 + " movl %%eax, %%es:48(%3)\n"
16740 + " movl %%edx, %%es:52(%3)\n"
16741 "14: movl 56(%4), %%eax\n"
16742 "91: movl 60(%4), %%edx\n"
16743 - " movl %%eax, 56(%3)\n"
16744 - " movl %%edx, 60(%3)\n"
16745 + " movl %%eax, %%es:56(%3)\n"
16746 + " movl %%edx, %%es:60(%3)\n"
16750 @@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
16756 ".section .fixup,\"ax\"\n"
16757 "9: lea 0(%%eax,%0,4),%0\n"
16759 @@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
16762 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16763 - : "1"(to), "2"(from), "0"(size)
16764 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16765 : "eax", "edx", "memory");
16768 @@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
16771 __asm__ __volatile__(
16772 + " movw %w6, %%ds\n"
16774 "0: movl 32(%4), %%eax\n"
16776 @@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
16778 "2: movl 0(%4), %%eax\n"
16779 "21: movl 4(%4), %%edx\n"
16780 - " movnti %%eax, 0(%3)\n"
16781 - " movnti %%edx, 4(%3)\n"
16782 + " movnti %%eax, %%es:0(%3)\n"
16783 + " movnti %%edx, %%es:4(%3)\n"
16784 "3: movl 8(%4), %%eax\n"
16785 "31: movl 12(%4),%%edx\n"
16786 - " movnti %%eax, 8(%3)\n"
16787 - " movnti %%edx, 12(%3)\n"
16788 + " movnti %%eax, %%es:8(%3)\n"
16789 + " movnti %%edx, %%es:12(%3)\n"
16790 "4: movl 16(%4), %%eax\n"
16791 "41: movl 20(%4), %%edx\n"
16792 - " movnti %%eax, 16(%3)\n"
16793 - " movnti %%edx, 20(%3)\n"
16794 + " movnti %%eax, %%es:16(%3)\n"
16795 + " movnti %%edx, %%es:20(%3)\n"
16796 "10: movl 24(%4), %%eax\n"
16797 "51: movl 28(%4), %%edx\n"
16798 - " movnti %%eax, 24(%3)\n"
16799 - " movnti %%edx, 28(%3)\n"
16800 + " movnti %%eax, %%es:24(%3)\n"
16801 + " movnti %%edx, %%es:28(%3)\n"
16802 "11: movl 32(%4), %%eax\n"
16803 "61: movl 36(%4), %%edx\n"
16804 - " movnti %%eax, 32(%3)\n"
16805 - " movnti %%edx, 36(%3)\n"
16806 + " movnti %%eax, %%es:32(%3)\n"
16807 + " movnti %%edx, %%es:36(%3)\n"
16808 "12: movl 40(%4), %%eax\n"
16809 "71: movl 44(%4), %%edx\n"
16810 - " movnti %%eax, 40(%3)\n"
16811 - " movnti %%edx, 44(%3)\n"
16812 + " movnti %%eax, %%es:40(%3)\n"
16813 + " movnti %%edx, %%es:44(%3)\n"
16814 "13: movl 48(%4), %%eax\n"
16815 "81: movl 52(%4), %%edx\n"
16816 - " movnti %%eax, 48(%3)\n"
16817 - " movnti %%edx, 52(%3)\n"
16818 + " movnti %%eax, %%es:48(%3)\n"
16819 + " movnti %%edx, %%es:52(%3)\n"
16820 "14: movl 56(%4), %%eax\n"
16821 "91: movl 60(%4), %%edx\n"
16822 - " movnti %%eax, 56(%3)\n"
16823 - " movnti %%edx, 60(%3)\n"
16824 + " movnti %%eax, %%es:56(%3)\n"
16825 + " movnti %%edx, %%es:60(%3)\n"
16829 @@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
16835 ".section .fixup,\"ax\"\n"
16836 "9: lea 0(%%eax,%0,4),%0\n"
16838 @@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
16841 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16842 - : "1"(to), "2"(from), "0"(size)
16843 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16844 : "eax", "edx", "memory");
16847 @@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
16850 __asm__ __volatile__(
16851 + " movw %w6, %%ds\n"
16853 "0: movl 32(%4), %%eax\n"
16855 @@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
16857 "2: movl 0(%4), %%eax\n"
16858 "21: movl 4(%4), %%edx\n"
16859 - " movnti %%eax, 0(%3)\n"
16860 - " movnti %%edx, 4(%3)\n"
16861 + " movnti %%eax, %%es:0(%3)\n"
16862 + " movnti %%edx, %%es:4(%3)\n"
16863 "3: movl 8(%4), %%eax\n"
16864 "31: movl 12(%4),%%edx\n"
16865 - " movnti %%eax, 8(%3)\n"
16866 - " movnti %%edx, 12(%3)\n"
16867 + " movnti %%eax, %%es:8(%3)\n"
16868 + " movnti %%edx, %%es:12(%3)\n"
16869 "4: movl 16(%4), %%eax\n"
16870 "41: movl 20(%4), %%edx\n"
16871 - " movnti %%eax, 16(%3)\n"
16872 - " movnti %%edx, 20(%3)\n"
16873 + " movnti %%eax, %%es:16(%3)\n"
16874 + " movnti %%edx, %%es:20(%3)\n"
16875 "10: movl 24(%4), %%eax\n"
16876 "51: movl 28(%4), %%edx\n"
16877 - " movnti %%eax, 24(%3)\n"
16878 - " movnti %%edx, 28(%3)\n"
16879 + " movnti %%eax, %%es:24(%3)\n"
16880 + " movnti %%edx, %%es:28(%3)\n"
16881 "11: movl 32(%4), %%eax\n"
16882 "61: movl 36(%4), %%edx\n"
16883 - " movnti %%eax, 32(%3)\n"
16884 - " movnti %%edx, 36(%3)\n"
16885 + " movnti %%eax, %%es:32(%3)\n"
16886 + " movnti %%edx, %%es:36(%3)\n"
16887 "12: movl 40(%4), %%eax\n"
16888 "71: movl 44(%4), %%edx\n"
16889 - " movnti %%eax, 40(%3)\n"
16890 - " movnti %%edx, 44(%3)\n"
16891 + " movnti %%eax, %%es:40(%3)\n"
16892 + " movnti %%edx, %%es:44(%3)\n"
16893 "13: movl 48(%4), %%eax\n"
16894 "81: movl 52(%4), %%edx\n"
16895 - " movnti %%eax, 48(%3)\n"
16896 - " movnti %%edx, 52(%3)\n"
16897 + " movnti %%eax, %%es:48(%3)\n"
16898 + " movnti %%edx, %%es:52(%3)\n"
16899 "14: movl 56(%4), %%eax\n"
16900 "91: movl 60(%4), %%edx\n"
16901 - " movnti %%eax, 56(%3)\n"
16902 - " movnti %%edx, 60(%3)\n"
16903 + " movnti %%eax, %%es:56(%3)\n"
16904 + " movnti %%edx, %%es:60(%3)\n"
16908 @@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
16914 ".section .fixup,\"ax\"\n"
16915 "9: lea 0(%%eax,%0,4),%0\n"
16917 @@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
16920 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16921 - : "1"(to), "2"(from), "0"(size)
16922 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16923 : "eax", "edx", "memory");
16926 @@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
16928 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
16929 unsigned long size);
16930 -unsigned long __copy_user_intel(void __user *to, const void *from,
16931 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
16932 + unsigned long size);
16933 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
16934 unsigned long size);
16935 unsigned long __copy_user_zeroing_intel_nocache(void *to,
16936 const void __user *from, unsigned long size);
16937 #endif /* CONFIG_X86_INTEL_USERCOPY */
16939 /* Generic arbitrary sized copy. */
16940 -#define __copy_user(to, from, size) \
16942 - int __d0, __d1, __d2; \
16943 - __asm__ __volatile__( \
16946 - " movl %1,%0\n" \
16948 - " andl $7,%0\n" \
16949 - " subl %0,%3\n" \
16950 - "4: rep; movsb\n" \
16951 - " movl %3,%0\n" \
16952 - " shrl $2,%0\n" \
16953 - " andl $3,%3\n" \
16954 - " .align 2,0x90\n" \
16955 - "0: rep; movsl\n" \
16956 - " movl %3,%0\n" \
16957 - "1: rep; movsb\n" \
16959 - ".section .fixup,\"ax\"\n" \
16960 - "5: addl %3,%0\n" \
16962 - "3: lea 0(%3,%0,4),%0\n" \
16965 - ".section __ex_table,\"a\"\n" \
16967 - " .long 4b,5b\n" \
16968 - " .long 0b,3b\n" \
16969 - " .long 1b,2b\n" \
16971 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
16972 - : "3"(size), "0"(size), "1"(to), "2"(from) \
16976 -#define __copy_user_zeroing(to, from, size) \
16978 - int __d0, __d1, __d2; \
16979 - __asm__ __volatile__( \
16982 - " movl %1,%0\n" \
16984 - " andl $7,%0\n" \
16985 - " subl %0,%3\n" \
16986 - "4: rep; movsb\n" \
16987 - " movl %3,%0\n" \
16988 - " shrl $2,%0\n" \
16989 - " andl $3,%3\n" \
16990 - " .align 2,0x90\n" \
16991 - "0: rep; movsl\n" \
16992 - " movl %3,%0\n" \
16993 - "1: rep; movsb\n" \
16995 - ".section .fixup,\"ax\"\n" \
16996 - "5: addl %3,%0\n" \
16998 - "3: lea 0(%3,%0,4),%0\n" \
16999 - "6: pushl %0\n" \
17000 - " pushl %%eax\n" \
17001 - " xorl %%eax,%%eax\n" \
17002 - " rep; stosb\n" \
17003 - " popl %%eax\n" \
17007 - ".section __ex_table,\"a\"\n" \
17009 - " .long 4b,5b\n" \
17010 - " .long 0b,3b\n" \
17011 - " .long 1b,6b\n" \
17013 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
17014 - : "3"(size), "0"(size), "1"(to), "2"(from) \
17017 +static unsigned long
17018 +__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
17020 + int __d0, __d1, __d2;
17022 + __asm__ __volatile__(
17023 + " movw %w8,%%es\n"
17030 + "4: rep; movsb\n"
17034 + " .align 2,0x90\n"
17035 + "0: rep; movsl\n"
17037 + "1: rep; movsb\n"
17041 + ".section .fixup,\"ax\"\n"
17042 + "5: addl %3,%0\n"
17044 + "3: lea 0(%3,%0,4),%0\n"
17047 + ".section __ex_table,\"a\"\n"
17053 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17054 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17059 +static unsigned long
17060 +__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
17062 + int __d0, __d1, __d2;
17064 + __asm__ __volatile__(
17065 + " movw %w8,%%ds\n"
17072 + "4: rep; movsb\n"
17076 + " .align 2,0x90\n"
17077 + "0: rep; movsl\n"
17079 + "1: rep; movsb\n"
17083 + ".section .fixup,\"ax\"\n"
17084 + "5: addl %3,%0\n"
17086 + "3: lea 0(%3,%0,4),%0\n"
17089 + ".section __ex_table,\"a\"\n"
17095 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17096 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17101 +static unsigned long
17102 +__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
17104 + int __d0, __d1, __d2;
17106 + __asm__ __volatile__(
17107 + " movw %w8,%%ds\n"
17114 + "4: rep; movsb\n"
17118 + " .align 2,0x90\n"
17119 + "0: rep; movsl\n"
17121 + "1: rep; movsb\n"
17125 + ".section .fixup,\"ax\"\n"
17126 + "5: addl %3,%0\n"
17128 + "3: lea 0(%3,%0,4),%0\n"
17131 + " xorl %%eax,%%eax\n"
17137 + ".section __ex_table,\"a\"\n"
17143 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17144 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17149 unsigned long __copy_to_user_ll(void __user *to, const void *from,
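Review bot: The three functions that replace the `__copy_user` and `__copy_user_zeroing` macros carry no comment, although they differ in a way that is easy to miss: `__generic_copy_to_user` loads `__USER_DS` into %es (`movw %w8,%%es`), while `__generic_copy_from_user` and `__copy_user_zeroing` load it into %ds. Each should say which side of the copy is the userland one and which segment register is switched, e.g. `/* user destination: %es = __USER_DS for the duration of the copy */`. The call sites further down now assign the result to `n`, so the return contract (presumably the number of bytes left uncopied) belongs in the same comment. The return statements themselves are not visible in this view.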
17151 @@ -775,9 +966,9 @@ survive:
17154 if (movsl_is_ok(to, from, n))
17155 - __copy_user(to, from, n);
17156 + n = __generic_copy_to_user(to, from, n);
17158 - n = __copy_user_intel(to, from, n);
17159 + n = __generic_copy_to_user_intel(to, from, n);
17162 EXPORT_SYMBOL(__copy_to_user_ll);
17163 @@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
17166 if (movsl_is_ok(to, from, n))
17167 - __copy_user_zeroing(to, from, n);
17168 + n = __copy_user_zeroing(to, from, n);
17170 n = __copy_user_zeroing_intel(to, from, n);
17172 @@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
17175 if (movsl_is_ok(to, from, n))
17176 - __copy_user(to, from, n);
17177 + n = __generic_copy_from_user(to, from, n);
17179 - n = __copy_user_intel((void __user *)to,
17180 - (const void *)from, n);
17181 + n = __generic_copy_from_user_intel(to, from, n);
17184 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
17185 @@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
17186 if (n > 64 && cpu_has_xmm2)
17187 n = __copy_user_zeroing_intel_nocache(to, from, n);
17189 - __copy_user_zeroing(to, from, n);
17190 + n = __copy_user_zeroing(to, from, n);
17192 - __copy_user_zeroing(to, from, n);
17193 + n = __copy_user_zeroing(to, from, n);
17197 @@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
17198 if (n > 64 && cpu_has_xmm2)
17199 n = __copy_user_intel_nocache(to, from, n);
17201 - __copy_user(to, from, n);
17202 + n = __generic_copy_from_user(to, from, n);
17204 - __copy_user(to, from, n);
17205 + n = __generic_copy_from_user(to, from, n);
17209 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
17212 - * copy_to_user: - Copy a block of data into user space.
17213 - * @to: Destination address, in user space.
17214 - * @from: Source address, in kernel space.
17215 - * @n: Number of bytes to copy.
17217 - * Context: User context only. This function may sleep.
17219 - * Copy data from kernel space to user space.
17221 - * Returns number of bytes that could not be copied.
17222 - * On success, this will be zero.
17225 -copy_to_user(void __user *to, const void *from, unsigned long n)
17226 +void copy_from_user_overflow(void)
17228 - if (access_ok(VERIFY_WRITE, to, n))
17229 - n = __copy_to_user(to, from, n);
17231 + WARN(1, "Buffer overflow detected!\n");
17233 -EXPORT_SYMBOL(copy_to_user);
17234 +EXPORT_SYMBOL(copy_from_user_overflow);
17237 - * copy_from_user: - Copy a block of data from user space.
17238 - * @to: Destination address, in kernel space.
17239 - * @from: Source address, in user space.
17240 - * @n: Number of bytes to copy.
17242 - * Context: User context only. This function may sleep.
17244 - * Copy data from user space to kernel space.
17246 - * Returns number of bytes that could not be copied.
17247 - * On success, this will be zero.
17249 - * If some data could not be copied, this function will pad the copied
17250 - * data to the requested size using zero bytes.
17253 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17254 +void copy_to_user_overflow(void)
17256 - if (access_ok(VERIFY_READ, from, n))
17257 - n = __copy_from_user(to, from, n);
17259 - memset(to, 0, n);
17261 + WARN(1, "Buffer overflow detected!\n");
17263 -EXPORT_SYMBOL(_copy_from_user);
17264 +EXPORT_SYMBOL(copy_to_user_overflow);
17266 -void copy_from_user_overflow(void)
17267 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17268 +void __set_fs(mm_segment_t x, int cpu)
17270 - WARN(1, "Buffer overflow detected!\n");
17271 + unsigned long limit = x.seg;
17272 + struct desc_struct d;
17274 + current_thread_info()->addr_limit = x;
17275 + if (unlikely(paravirt_enabled()))
17278 + if (likely(limit))
17279 + limit = (limit - 1UL) >> PAGE_SHIFT;
17280 + pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
17281 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
17283 -EXPORT_SYMBOL(copy_from_user_overflow);
17285 +void set_fs(mm_segment_t x)
17287 + __set_fs(x, get_cpu());
17290 +EXPORT_SYMBOL(copy_from_user);
17292 +void set_fs(mm_segment_t x)
17294 + current_thread_info()->addr_limit = x;
17298 +EXPORT_SYMBOL(set_fs);
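Review bot: `EXPORT_SYMBOL(copy_from_user);` is added directly after the UDEREF `set_fs()` wrapper, yet this same hunk deletes the `_copy_from_user()` definition together with `EXPORT_SYMBOL(_copy_from_user)`, and nothing visible here defines `copy_from_user` in this file. If the function is now an inline in a header (not shown), the export looks like a leftover and, judging by its position, would apply only to CONFIG_PAX_MEMORY_UDEREF builds; it should be dropped or moved next to an out-of-line definition. Separately, the descriptor constants in `pack_descriptor(&d, 0UL, limit, 0xF3, 0xC)` deserve a comment, for example `/* present, DPL 3, read/write data segment; 4 KiB granularity, 32-bit */`.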
17299 diff -urNp linux-2.6.35.7/arch/x86/lib/usercopy_64.c linux-2.6.35.7/arch/x86/lib/usercopy_64.c
17300 --- linux-2.6.35.7/arch/x86/lib/usercopy_64.c 2010-08-26 19:47:12.000000000 -0400
17301 +++ linux-2.6.35.7/arch/x86/lib/usercopy_64.c 2010-09-17 20:12:09.000000000 -0400
17302 @@ -42,6 +42,8 @@ long
17303 __strncpy_from_user(char *dst, const char __user *src, long count)
17306 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17307 + src += PAX_USER_SHADOW_BASE;
17308 __do_strncpy_from_user(dst, src, count, res);
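Review bot: The rebase `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is open-coded here and again in the `__clear_user` and `copy_in_user` hunks (twice in the latter), with no comment and no `CONFIG_PAX_MEMORY_UDEREF` guard visible around it, whereas the matching adjustment in fault.c sits under `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF`. A single helper or macro for the translation would keep the four sites from drifting apart and give one place to document that pointers at or above the base are passed through unchanged. How `PAX_USER_SHADOW_BASE` is defined when UDEREF is off is not visible here, so the missing guard may be intentional. The body of `__strncpy_from_user` continues outside the hunk.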
17311 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17315 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17316 + addr += PAX_USER_SHADOW_BASE;
17317 /* no memory constraint because it doesn't change any memory gcc knows
17320 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17322 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17324 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17325 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17326 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17327 + to += PAX_USER_SHADOW_BASE;
17328 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17329 + from += PAX_USER_SHADOW_BASE;
17330 return copy_user_generic((__force void *)to, (__force void *)from, len);
17336 EXPORT_SYMBOL(copy_in_user);
17338 diff -urNp linux-2.6.35.7/arch/x86/Makefile linux-2.6.35.7/arch/x86/Makefile
17339 --- linux-2.6.35.7/arch/x86/Makefile 2010-08-26 19:47:12.000000000 -0400
17340 +++ linux-2.6.35.7/arch/x86/Makefile 2010-09-17 20:12:09.000000000 -0400
17341 @@ -191,3 +191,12 @@ define archhelp
17342 echo ' FDARGS="..." arguments for the booted kernel'
17343 echo ' FDINITRD=file initrd for the booted kernel'
17348 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17349 +*** Please upgrade your binutils to 2.18 or newer
17353 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
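Review bot: The build is aborted when `LDFLAGS_BUILD_ID` is empty, which stands in for "binutils older than 2.18" but is not a version test, and the hunk does not say so. A comment above the `$(if …)` line such as `# LDFLAGS_BUILD_ID is empty when ld lacks --build-id support; used as a proxy for binutils < 2.18` would keep a later reader from assuming a real version check, and from being misled by the message if the variable is empty for another reason. The lines that define `OLD_LD` are only partly visible in this view.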
17354 diff -urNp linux-2.6.35.7/arch/x86/mm/extable.c linux-2.6.35.7/arch/x86/mm/extable.c
17355 --- linux-2.6.35.7/arch/x86/mm/extable.c 2010-08-26 19:47:12.000000000 -0400
17356 +++ linux-2.6.35.7/arch/x86/mm/extable.c 2010-09-17 20:12:09.000000000 -0400
17358 #include <linux/module.h>
17359 #include <linux/spinlock.h>
17360 +#include <linux/sort.h>
17361 #include <asm/uaccess.h>
17362 +#include <asm/pgtable.h>
17365 + * The exception table needs to be sorted so that the binary
17366 + * search that we use to find entries in it works properly.
17367 + * This is used both for the kernel exception table and for
17368 + * the exception tables of modules that get loaded.
17370 +static int cmp_ex(const void *a, const void *b)
17372 + const struct exception_table_entry *x = a, *y = b;
17374 + /* avoid overflow */
17375 + if (x->insn > y->insn)
17377 + if (x->insn < y->insn)
17382 +static void swap_ex(void *a, void *b, int size)
17384 + struct exception_table_entry t, *x = a, *y = b;
17388 + pax_open_kernel();
17391 + pax_close_kernel();
17394 +void sort_extable(struct exception_table_entry *start,
17395 + struct exception_table_entry *finish)
17397 + sort(start, finish - start, sizeof(struct exception_table_entry),
17398 + cmp_ex, swap_ex);
17401 +#ifdef CONFIG_MODULES
17403 + * If the exception table is sorted, any referring to the module init
17404 + * will be at the beginning or the end.
17406 +void trim_init_extable(struct module *m)
17408 + /*trim the beginning*/
17409 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17411 + m->num_exentries--;
17414 + while (m->num_exentries &&
17415 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17416 + m->num_exentries--;
17418 +#endif /* CONFIG_MODULES */
17420 int fixup_exception(struct pt_regs *regs)
17422 const struct exception_table_entry *fixup;
17424 #ifdef CONFIG_PNPBIOS
17425 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17426 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17427 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17428 extern u32 pnp_bios_is_utter_crap;
17429 pnp_bios_is_utter_crap = 1;
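Review bot: `swap_ex()` brackets its work with `pax_open_kernel()`/`pax_close_kernel()` but has no comment saying why, and a window in which kernel write protection is presumably lifted should be documented and kept as small as the swap itself. A one-line comment such as `/* the exception table may live in read-only memory; open it only for the swap */` would do, if that is indeed the reason. The added `!v8086_mode(regs)` test in `fixup_exception()` likewise needs a short note that in vm86 mode `regs->cs` holds a real-mode segment value and must not be compared against the PnP BIOS selectors. Several lines of these functions are not shown in this view.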
17430 diff -urNp linux-2.6.35.7/arch/x86/mm/fault.c linux-2.6.35.7/arch/x86/mm/fault.c
17431 --- linux-2.6.35.7/arch/x86/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
17432 +++ linux-2.6.35.7/arch/x86/mm/fault.c 2010-10-11 22:41:44.000000000 -0400
17433 @@ -11,10 +11,19 @@
17434 #include <linux/kprobes.h> /* __kprobes, ... */
17435 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17436 #include <linux/perf_event.h> /* perf_sw_event */
17437 +#include <linux/unistd.h>
17438 +#include <linux/compiler.h>
17440 #include <asm/traps.h> /* dotraplinkage, ... */
17441 #include <asm/pgalloc.h> /* pgd_*(), ... */
17442 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17443 +#include <asm/vsyscall.h>
17444 +#include <asm/tlbflush.h>
17446 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17447 +#include <asm/stacktrace.h>
17448 +#include "../kernel/dumpstack.h"
17452 * Page fault error code bits:
17453 @@ -52,7 +61,7 @@ static inline int __kprobes notify_page_
17456 /* kprobe_running() needs smp_processor_id() */
17457 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17458 + if (kprobes_built_in() && !user_mode(regs)) {
17460 if (kprobe_running() && kprobe_fault_handler(regs, 14))
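Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only equivalent if `user_mode()` has been changed elsewhere in this patch to treat vm86 mode as user mode; that definition is not visible here. With a `user_mode()` that looks only at the privilege bits of CS, a fault taken in vm86 mode could be classified as a kernel fault and handed to the kprobes path. The same substitution appears in the `do_page_fault` hunk at `@@ -1020,7 +1280,7 @@`, where it decides whether `PF_USER` is set, so the dependency is worth a comment at one of the two sites. The enclosing function continues outside this hunk.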
17462 @@ -173,6 +182,30 @@ force_sig_info_fault(int si_signo, int s
17463 force_sig_info(si_signo, &info, tsk);
17466 +#ifdef CONFIG_PAX_EMUTRAMP
17467 +static int pax_handle_fetch_fault(struct pt_regs *regs);
17470 +#ifdef CONFIG_PAX_PAGEEXEC
17471 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17477 + pgd = pgd_offset(mm, address);
17478 + if (!pgd_present(*pgd))
17480 + pud = pud_offset(pgd, address);
17481 + if (!pud_present(*pud))
17483 + pmd = pmd_offset(pud, address);
17484 + if (!pmd_present(*pmd))
17490 DEFINE_SPINLOCK(pgd_lock);
17491 LIST_HEAD(pgd_list);
17493 @@ -225,11 +258,24 @@ void vmalloc_sync_all(void)
17494 address += PMD_SIZE) {
17496 unsigned long flags;
17498 +#ifdef CONFIG_PAX_PER_CPU_PGD
17499 + unsigned long cpu;
17504 spin_lock_irqsave(&pgd_lock, flags);
17506 +#ifdef CONFIG_PAX_PER_CPU_PGD
17507 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17508 + pgd_t *pgd = get_cpu_pgd(cpu);
17510 list_for_each_entry(page, &pgd_list, lru) {
17511 - if (!vmalloc_sync_one(page_address(page), address))
17512 + pgd_t *pgd = page_address(page);
17515 + if (!vmalloc_sync_one(pgd, address))
17518 spin_unlock_irqrestore(&pgd_lock, flags);
17519 @@ -259,6 +305,11 @@ static noinline __kprobes int vmalloc_fa
17520 * an interrupt in the middle of a task switch..
17522 pgd_paddr = read_cr3();
17524 +#ifdef CONFIG_PAX_PER_CPU_PGD
17525 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17528 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
17531 @@ -333,15 +384,27 @@ void vmalloc_sync_all(void)
17533 const pgd_t *pgd_ref = pgd_offset_k(address);
17534 unsigned long flags;
17536 +#ifdef CONFIG_PAX_PER_CPU_PGD
17537 + unsigned long cpu;
17542 if (pgd_none(*pgd_ref))
17545 spin_lock_irqsave(&pgd_lock, flags);
17547 +#ifdef CONFIG_PAX_PER_CPU_PGD
17548 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17549 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
17551 list_for_each_entry(page, &pgd_list, lru) {
17553 pgd = (pgd_t *)page_address(page) + pgd_index(address);
17556 if (pgd_none(*pgd))
17557 set_pgd(pgd, *pgd_ref);
17559 @@ -374,7 +437,14 @@ static noinline __kprobes int vmalloc_fa
17560 * happen within a race in page table update. In the later
17564 +#ifdef CONFIG_PAX_PER_CPU_PGD
17565 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17566 + pgd = pgd_offset_cpu(smp_processor_id(), address);
17568 pgd = pgd_offset(current->active_mm, address);
17571 pgd_ref = pgd_offset_k(address);
17572 if (pgd_none(*pgd_ref))
17574 @@ -536,7 +606,7 @@ static int is_errata93(struct pt_regs *r
17575 static int is_errata100(struct pt_regs *regs, unsigned long address)
17577 #ifdef CONFIG_X86_64
17578 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17579 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17583 @@ -563,7 +633,7 @@ static int is_f00f_bug(struct pt_regs *r
17586 static const char nx_warning[] = KERN_CRIT
17587 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17588 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17591 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
17592 @@ -572,15 +642,26 @@ show_fault_oops(struct pt_regs *regs, un
17593 if (!oops_may_print())
17596 - if (error_code & PF_INSTR) {
17597 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
17598 unsigned int level;
17600 pte_t *pte = lookup_address(address, &level);
17602 if (pte && pte_present(*pte) && !pte_exec(*pte))
17603 - printk(nx_warning, current_uid());
17604 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17607 +#ifdef CONFIG_PAX_KERNEXEC
17608 + if (init_mm.start_code <= address && address < init_mm.end_code) {
17609 + if (current->signal->curr_ip)
17610 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17611 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
17613 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17614 + current->comm, task_pid_nr(current), current_uid(), current_euid());
17618 printk(KERN_ALERT "BUG: unable to handle kernel ");
17619 if (address < PAGE_SIZE)
17620 printk(KERN_CONT "NULL pointer dereference");
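Review bot: Both new `PAX:` messages and the extended `nx_warning` print `current->comm` with `%s`, and a task can set its own name, so part of each of these log lines is chosen by the process being reported. Tooling that parses them for detection should key on the pid and uid fields and treat the name as untrusted; a comment above the printk calls saying so would help. The KERNEXEC message also states "attempted to modify kernel code", while the visible condition tests only that the address lies between `init_mm.start_code` and `init_mm.end_code`. Adding `(error_code & PF_WRITE)` to that test would make the message match what was observed, unless only writes can fault in that range.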
17621 @@ -705,6 +786,68 @@ __bad_area_nosemaphore(struct pt_regs *r
17622 unsigned long address, int si_code)
17624 struct task_struct *tsk = current;
17625 + struct mm_struct *mm = tsk->mm;
17627 +#ifdef CONFIG_X86_64
17628 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
17629 + if (regs->ip == (unsigned long)vgettimeofday) {
17630 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17632 + } else if (regs->ip == (unsigned long)vtime) {
17633 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17635 + } else if (regs->ip == (unsigned long)vgetcpu) {
17636 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17642 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17643 + if (mm && (error_code & PF_USER)) {
17644 + unsigned long ip = regs->ip;
17646 + if (v8086_mode(regs))
17647 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
17650 + * It's possible to have interrupts off here:
17652 + local_irq_enable();
17654 +#ifdef CONFIG_PAX_PAGEEXEC
17655 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
17656 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
17658 +#ifdef CONFIG_PAX_EMUTRAMP
17659 + switch (pax_handle_fetch_fault(regs)) {
17665 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17666 + do_group_exit(SIGKILL);
17670 +#ifdef CONFIG_PAX_SEGMEXEC
17671 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
17673 +#ifdef CONFIG_PAX_EMUTRAMP
17674 + switch (pax_handle_fetch_fault(regs)) {
17680 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17681 + do_group_exit(SIGKILL);
17688 /* User mode accesses just cause a SIGSEGV */
17689 if (error_code & PF_USER) {
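Review bot: The PAGEEXEC condition combines two different detection methods in one expression, a hardware report (`PF_INSTR` when `_PAGE_NX` is supported) and a heuristic for CPUs without NX (`ip == address` on a fault that is neither a protection nor a write fault), and nothing in the hunk explains the second one. Since a match ends in `pax_report_fault()` followed by `do_group_exit(SIGKILL)`, the heuristic deserves a comment stating what it assumes, e.g. `/* no NX: a non-write, not-present fault at the current IP is taken to be an instruction fetch */`. The PAGEEXEC and SEGMEXEC branches also repeat the same `switch (pax_handle_fetch_fault(regs))`, report and kill sequence and could share a helper. The switch cases are not visible in this view.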
17690 @@ -851,6 +994,106 @@ static int spurious_fault_check(unsigned
17694 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17695 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17700 + unsigned char pte_mask;
17702 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
17703 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
17706 + /* PaX: it's our fault, let's handle it if we can */
17708 + /* PaX: take a look at read faults before acquiring any locks */
17709 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17710 + /* instruction fetch attempt from a protected page in user mode */
17711 + up_read(&mm->mmap_sem);
17713 +#ifdef CONFIG_PAX_EMUTRAMP
17714 + switch (pax_handle_fetch_fault(regs)) {
17720 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17721 + do_group_exit(SIGKILL);
17724 + pmd = pax_get_pmd(mm, address);
17725 + if (unlikely(!pmd))
17728 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17729 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17730 + pte_unmap_unlock(pte, ptl);
17734 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17735 + /* write attempt to a protected page in user mode */
17736 + pte_unmap_unlock(pte, ptl);
17741 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17743 + if (likely(address > get_limit(regs->cs)))
17746 + set_pte(pte, pte_mkread(*pte));
17747 + __flush_tlb_one(address);
17748 + pte_unmap_unlock(pte, ptl);
17749 + up_read(&mm->mmap_sem);
17753 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
17756 + * PaX: fill DTLB with user rights and retry
17758 + __asm__ __volatile__ (
17759 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17760 + "movw %w4,%%es\n"
17763 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
17765 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
17766 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
17767 + * page fault when examined during a TLB load attempt. this is true not only
17768 + * for PTEs holding a non-present entry but also present entries that will
17769 + * raise a page fault (such as those set up by PaX, or the copy-on-write
17770 + * mechanism). in effect it means that we do *not* need to flush the TLBs
17771 + * for our target pages since their PTEs are simply not in the TLBs at all.
17773 + * the best thing in omitting it is that we gain around 15-20% speed in the
17774 + * fast path of the page fault handler and can get rid of tracing since we
17775 + * can no longer flush unintended entries.
17779 + "testb $0,%%es:(%0)\n"
17781 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17786 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
17787 + : "memory", "cc");
17788 + pte_unmap_unlock(pte, ptl);
17789 + up_read(&mm->mmap_sem);
17795 * Handle a spurious fault caused by a stale TLB entry.
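Review bot: `pax_handle_pageexec_fault()` calls `up_read(&mm->mmap_sem)` on several of its exits although it never takes the semaphore in the visible lines, so it releases a lock owned by its caller on some return paths and presumably not on others. That contract should be in a comment above the function, stating for each return value whether `mmap_sem` is still held, because the caller in `do_page_fault()` acts directly on a non-zero result. The `pte_mask` line also hides an assumption: `(error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)` yields the dirty bit only while `PF_WRITE` is bit 1, which `BUILD_BUG_ON((PF_WRITE << (_PAGE_BIT_DIRTY-1)) != _PAGE_DIRTY);` next to it would pin down.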
17797 @@ -917,6 +1160,9 @@ int show_unhandled_signals = 1;
17799 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
17801 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
17805 /* write, present and write, not present: */
17806 if (unlikely(!(vma->vm_flags & VM_WRITE)))
17807 @@ -950,17 +1196,31 @@ do_page_fault(struct pt_regs *regs, unsi
17809 struct vm_area_struct *vma;
17810 struct task_struct *tsk;
17811 - unsigned long address;
17812 struct mm_struct *mm;
17816 + /* Get the faulting address: */
17817 + unsigned long address = read_cr2();
17819 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17820 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
17821 + if (!search_exception_tables(regs->ip)) {
17822 + bad_area_nosemaphore(regs, error_code, address);
17825 + if (address < PAX_USER_SHADOW_BASE) {
17826 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
17827 + printk(KERN_ERR "PAX: faulting IP: %pS\n", (void *)regs->ip);
17828 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
17830 + address -= PAX_USER_SHADOW_BASE;
17837 - /* Get the faulting address: */
17838 - address = read_cr2();
17841 * Detect and handle instructions that would cause a page fault for
17842 * both a tracked kernel page and a userspace page.
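Review bot: The diagnostic branch for `address < PAX_USER_SHADOW_BASE` prints two `KERN_ERR` lines and a full stack trace every time it is hit, with no rate limiting visible in the hunk. If a code path that reaches it can be driven repeatedly, which cannot be ruled out from here, the kernel log fills with traces and earlier evidence is pushed out; wrapping the three calls in `if (printk_ratelimit())` would bound that. The `2 * PAX_USER_SHADOW_BASE` bound in the outer test also needs a comment explaining which address window it covers. `do_page_fault` continues outside this hunk.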
17843 @@ -1020,7 +1280,7 @@ do_page_fault(struct pt_regs *regs, unsi
17844 * User-mode registers count as a user access even for any
17845 * potential system fault or CPU buglet:
17847 - if (user_mode_vm(regs)) {
17848 + if (user_mode(regs)) {
17849 local_irq_enable();
17850 error_code |= PF_USER;
17852 @@ -1074,6 +1334,11 @@ do_page_fault(struct pt_regs *regs, unsi
17856 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17857 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
17861 vma = find_vma(mm, address);
17862 if (unlikely(!vma)) {
17863 bad_area(regs, error_code, address);
17864 @@ -1085,18 +1350,24 @@ do_page_fault(struct pt_regs *regs, unsi
17865 bad_area(regs, error_code, address);
17868 - if (error_code & PF_USER) {
17870 - * Accessing the stack below %sp is always a bug.
17871 - * The large cushion allows instructions like enter
17872 - * and pusha to work. ("enter $65535, $31" pushes
17873 - * 32 pointers and then decrements %sp by 65535.)
17875 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
17876 - bad_area(regs, error_code, address);
17880 + * Accessing the stack below %sp is always a bug.
17881 + * The large cushion allows instructions like enter
17882 + * and pusha to work. ("enter $65535, $31" pushes
17883 + * 32 pointers and then decrements %sp by 65535.)
17885 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
17886 + bad_area(regs, error_code, address);
17890 +#ifdef CONFIG_PAX_SEGMEXEC
17891 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
17892 + bad_area(regs, error_code, address);
17897 if (unlikely(expand_stack(vma, address))) {
17898 bad_area(regs, error_code, address);
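Review bot: The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` depends on unsigned wraparound of both sides and carries no comment, so its intent cannot be checked by reading it. A comment above the `if` should state the intended relation in plain terms, namely where the vma and the faulting address must lie relative to `SEGMEXEC_TASK_SIZE` for stack expansion to be refused. The stack-cushion check above it is no longer wrapped in `if (error_code & PF_USER)` and now compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`. The retained comment still describes only the old case and should mention that the saved user stack pointer is used. `do_page_fault` continues outside this hunk.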
17900 @@ -1140,3 +1411,199 @@ good_area:
17902 up_read(&mm->mmap_sem);
17905 +#ifdef CONFIG_PAX_EMUTRAMP
17906 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
17910 + do { /* PaX: gcc trampoline emulation #1 */
17911 + unsigned char mov1, mov2;
17912 + unsigned short jmp;
17913 + unsigned int addr1, addr2;
17915 +#ifdef CONFIG_X86_64
17916 + if ((regs->ip + 11) >> 32)
17920 + err = get_user(mov1, (unsigned char __user *)regs->ip);
17921 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17922 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
17923 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17924 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
17929 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
17930 + regs->cx = addr1;
17931 + regs->ax = addr2;
17932 + regs->ip = addr2;
17937 + do { /* PaX: gcc trampoline emulation #2 */
17938 + unsigned char mov, jmp;
17939 + unsigned int addr1, addr2;
17941 +#ifdef CONFIG_X86_64
17942 + if ((regs->ip + 9) >> 32)
17946 + err = get_user(mov, (unsigned char __user *)regs->ip);
17947 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17948 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
17949 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17954 + if (mov == 0xB9 && jmp == 0xE9) {
17955 + regs->cx = addr1;
17956 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
17961 + return 1; /* PaX in action */
17964 +#ifdef CONFIG_X86_64
17965 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
17969 + do { /* PaX: gcc trampoline emulation #1 */
17970 + unsigned short mov1, mov2, jmp1;
17971 + unsigned char jmp2;
17972 + unsigned int addr1;
17973 + unsigned long addr2;
17975 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17976 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
17977 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
17978 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
17979 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
17980 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
17985 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17986 + regs->r11 = addr1;
17987 + regs->r10 = addr2;
17988 + regs->ip = addr1;
17993 + do { /* PaX: gcc trampoline emulation #2 */
17994 + unsigned short mov1, mov2, jmp1;
17995 + unsigned char jmp2;
17996 + unsigned long addr1, addr2;
17998 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17999 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
18000 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
18001 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
18002 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
18003 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
18008 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18009 + regs->r11 = addr1;
18010 + regs->r10 = addr2;
18011 + regs->ip = addr1;
18016 + return 1; /* PaX in action */
18021 + * PaX: decide what to do with offenders (regs->ip = fault address)
18023 + * returns 1 when task should be killed
18024 + * 2 when gcc trampoline was detected
18026 +static int pax_handle_fetch_fault(struct pt_regs *regs)
18028 + if (v8086_mode(regs))
18031 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
18034 +#ifdef CONFIG_X86_32
18035 + return pax_handle_fetch_fault_32(regs);
18037 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
18038 + return pax_handle_fetch_fault_32(regs);
18040 + return pax_handle_fetch_fault_64(regs);
18045 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18046 +void pax_report_insns(void *pc, void *sp)
18050 + printk(KERN_ERR "PAX: bytes at PC: ");
18051 + for (i = 0; i < 20; i++) {
18053 + if (get_user(c, (__force unsigned char __user *)pc+i))
18054 + printk(KERN_CONT "?? ");
18056 + printk(KERN_CONT "%02x ", c);
18060 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
18061 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
18063 + if (get_user(c, (__force unsigned long __user *)sp+i))
18064 +#ifdef CONFIG_X86_32
18065 + printk(KERN_CONT "???????? ");
18067 + printk(KERN_CONT "???????????????? ");
18070 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
18077 + * probe_kernel_write(): safely attempt to write to a location
18078 + * @dst: address to write to
18079 + * @src: pointer to the data that shall be written
18080 + * @size: size of the data chunk
18082 + * Safely write to address @dst from the buffer at @src. If a kernel fault
18083 + * happens, handle that and return -EFAULT.
18085 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
18088 + mm_segment_t old_fs = get_fs();
18090 + set_fs(KERNEL_DS);
18091 + pagefault_disable();
18092 + pax_open_kernel();
18093 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
18094 + pax_close_kernel();
18095 + pagefault_enable();
18098 + return ret ? -EFAULT : 0;
18100 diff -urNp linux-2.6.35.7/arch/x86/mm/gup.c linux-2.6.35.7/arch/x86/mm/gup.c
18101 --- linux-2.6.35.7/arch/x86/mm/gup.c 2010-08-26 19:47:12.000000000 -0400
18102 +++ linux-2.6.35.7/arch/x86/mm/gup.c 2010-09-17 20:12:09.000000000 -0400
18103 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
18105 len = (unsigned long) nr_pages << PAGE_SHIFT;
18107 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18108 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18109 (void __user *)start, len)))
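Review bot: The switch from `access_ok` to `__access_ok` in `__get_user_pages_fast` has no comment saying why the unprefixed check is unsuitable here. The definition of `__access_ok` is not visible in this hunk, so a reader cannot tell whether the two differ only in side effects or also in which ranges they accept. A one-line comment above the call, for example `/* raw range check only: this path must not fault or sleep */`, would record the intent once the author confirms that is the reason. The function body continues outside the hunk.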
18112 diff -urNp linux-2.6.35.7/arch/x86/mm/highmem_32.c linux-2.6.35.7/arch/x86/mm/highmem_32.c
18113 --- linux-2.6.35.7/arch/x86/mm/highmem_32.c 2010-08-26 19:47:12.000000000 -0400
18114 +++ linux-2.6.35.7/arch/x86/mm/highmem_32.c 2010-09-17 20:12:09.000000000 -0400
18115 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
18116 idx = type + KM_TYPE_NR*smp_processor_id();
18117 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18118 BUG_ON(!pte_none(*(kmap_pte-idx)));
18120 + pax_open_kernel();
18121 set_pte(kmap_pte-idx, mk_pte(page, prot));
18122 + pax_close_kernel();
18124 return (void *)vaddr;
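Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair around `set_pte(kmap_pte-idx, ...)` is not explained, and the same bracket appears in the iomap_32.c hunk (`kmap_atomic_prot_pfn`) and the init_64.c hunk (`set_pte_vaddr_pud`). Presumably the page-table page being written is mapped read-only under this patch, but the hunk does not show that. A short comment such as `/* kmap_pte may sit in write-protected kernel memory; open a write window for this one store */` would help, together with a statement of whether the pair may nest or be preempted. Keeping the window to the single store, as done here, is the right shape.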
18126 diff -urNp linux-2.6.35.7/arch/x86/mm/hugetlbpage.c linux-2.6.35.7/arch/x86/mm/hugetlbpage.c
18127 --- linux-2.6.35.7/arch/x86/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
18128 +++ linux-2.6.35.7/arch/x86/mm/hugetlbpage.c 2010-09-26 22:02:10.000000000 -0400
18129 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
18130 struct hstate *h = hstate_file(file);
18131 struct mm_struct *mm = current->mm;
18132 struct vm_area_struct *vma;
18133 - unsigned long start_addr;
18134 + unsigned long start_addr, pax_task_size = TASK_SIZE;
18136 +#ifdef CONFIG_PAX_SEGMEXEC
18137 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18138 + pax_task_size = SEGMEXEC_TASK_SIZE;
18141 + pax_task_size -= PAGE_SIZE;
18143 if (len > mm->cached_hole_size) {
18144 - start_addr = mm->free_area_cache;
18145 + start_addr = mm->free_area_cache;
18147 - start_addr = TASK_UNMAPPED_BASE;
18148 - mm->cached_hole_size = 0;
18149 + start_addr = mm->mmap_base;
18150 + mm->cached_hole_size = 0;
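Review bot: The `pax_task_size -= PAGE_SIZE;` adjustment in `hugetlb_get_unmapped_area_bottomup` is undocumented, so it is unclear why the top page of the address space is excluded from the search. The same three statements (initialise from `TASK_SIZE`, override with `SEGMEXEC_TASK_SIZE`, subtract a page) are repeated in the later `hugetlb_get_unmapped_area` hunk. A small static helper returning the effective task size would keep the two copies from drifting apart. At minimum the subtraction should carry a comment such as `/* keep the last page below the task limit unmapped */`, if that is the intent. The function starts and ends outside this hunk.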
18154 @@ -280,26 +287,27 @@ full_search:
18156 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18157 /* At this point: (!vma || addr < vma->vm_end). */
18158 - if (TASK_SIZE - len < addr) {
18159 + if (pax_task_size - len < addr) {
18161 * Start a new search - just in case we missed
18164 - if (start_addr != TASK_UNMAPPED_BASE) {
18165 - start_addr = TASK_UNMAPPED_BASE;
18166 + if (start_addr != mm->mmap_base) {
18167 + start_addr = mm->mmap_base;
18168 mm->cached_hole_size = 0;
18173 - if (!vma || addr + len <= vma->vm_start) {
18174 - mm->free_area_cache = addr + len;
18177 + if (check_heap_stack_gap(vma, addr, len))
18179 if (addr + mm->cached_hole_size < vma->vm_start)
18180 mm->cached_hole_size = vma->vm_start - addr;
18181 addr = ALIGN(vma->vm_end, huge_page_size(h));
18184 + mm->free_area_cache = addr + len;
18188 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
18189 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
18191 struct hstate *h = hstate_file(file);
18192 struct mm_struct *mm = current->mm;
18193 - struct vm_area_struct *vma, *prev_vma;
18194 - unsigned long base = mm->mmap_base, addr = addr0;
18195 + struct vm_area_struct *vma;
18196 + unsigned long base = mm->mmap_base, addr;
18197 unsigned long largest_hole = mm->cached_hole_size;
18198 - int first_time = 1;
18200 /* don't allow allocations above current base */
18201 if (mm->free_area_cache > base)
18202 @@ -321,7 +328,7 @@ static unsigned long hugetlb_get_unmappe
18204 mm->free_area_cache = base;
18208 /* make sure it can fit in the remaining address space */
18209 if (mm->free_area_cache < len)
18211 @@ -329,33 +336,27 @@ try_again:
18212 /* either no address requested or cant fit in requested address hole */
18213 addr = (mm->free_area_cache - len) & huge_page_mask(h);
18215 + vma = find_vma(mm, addr);
18217 * Lookup failure means no vma is above this address,
18218 * i.e. return with success:
18220 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18224 * new region fits between prev_vma->vm_end and
18225 * vma->vm_start, use it:
18227 - if (addr + len <= vma->vm_start &&
18228 - (!prev_vma || (addr >= prev_vma->vm_end))) {
18229 + if (check_heap_stack_gap(vma, addr, len)) {
18230 /* remember the address as a hint for next time */
18231 - mm->cached_hole_size = largest_hole;
18232 - return (mm->free_area_cache = addr);
18234 - /* pull free_area_cache down to the first hole */
18235 - if (mm->free_area_cache == vma->vm_end) {
18236 - mm->free_area_cache = vma->vm_start;
18237 - mm->cached_hole_size = largest_hole;
18239 + mm->cached_hole_size = largest_hole;
18240 + return (mm->free_area_cache = addr);
18242 + /* pull free_area_cache down to the first hole */
18243 + if (mm->free_area_cache == vma->vm_end) {
18244 + mm->free_area_cache = vma->vm_start;
18245 + mm->cached_hole_size = largest_hole;
18248 /* remember the largest hole we saw so far */
18249 if (addr + largest_hole < vma->vm_start)
18250 - largest_hole = vma->vm_start - addr;
18251 + largest_hole = vma->vm_start - addr;
18253 /* try just below the current vma->vm_start */
18254 addr = (vma->vm_start - len) & huge_page_mask(h);
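Review bot: The retained comment "new region fits between prev_vma->vm_end and vma->vm_start, use it" is stale, because this change removes `prev_vma` and replaces the test with `check_heap_stack_gap(vma, addr, len)`. The "Lookup failure means no vma is above this address" comment now sits above code that no longer has an explicit `!vma` branch. Whether `check_heap_stack_gap` accepts a NULL `vma` is not visible here, though the `hugetlb_get_unmapped_area` hunk replaces `!vma || ...` with the same call, which suggests it does. I would reword the comment to something like `/* no vma above addr, or the gap before vma is large enough: use it */` and state the NULL contract next to the helper. The loop continues outside the hunk.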
18255 @@ -363,22 +364,26 @@ try_again:
18259 - * if hint left us with no space for the requested
18260 - * mapping then try again:
18262 - if (first_time) {
18263 - mm->free_area_cache = base;
18264 - largest_hole = 0;
18269 * A failed mmap() very likely causes application failure,
18270 * so fall back to the bottom-up function here. This scenario
18271 * can happen with large stack limits and large mmap()
18274 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18276 +#ifdef CONFIG_PAX_SEGMEXEC
18277 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18278 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18282 + mm->mmap_base = TASK_UNMAPPED_BASE;
18284 +#ifdef CONFIG_PAX_RANDMMAP
18285 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18286 + mm->mmap_base += mm->delta_mmap;
18289 + mm->free_area_cache = mm->mmap_base;
18290 mm->cached_hole_size = ~0UL;
18291 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18292 len, pgoff, flags);
18293 @@ -386,6 +391,7 @@ fail:
18295 * Restore the topdown base:
18297 + mm->mmap_base = base;
18298 mm->free_area_cache = base;
18299 mm->cached_hole_size = ~0UL;
18301 @@ -399,10 +405,19 @@ hugetlb_get_unmapped_area(struct file *f
18302 struct hstate *h = hstate_file(file);
18303 struct mm_struct *mm = current->mm;
18304 struct vm_area_struct *vma;
18305 + unsigned long pax_task_size = TASK_SIZE;
18307 if (len & ~huge_page_mask(h))
18309 - if (len > TASK_SIZE)
18311 +#ifdef CONFIG_PAX_SEGMEXEC
18312 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18313 + pax_task_size = SEGMEXEC_TASK_SIZE;
18316 + pax_task_size -= PAGE_SIZE;
18318 + if (len > pax_task_size)
18321 if (flags & MAP_FIXED) {
18322 @@ -414,8 +429,7 @@ hugetlb_get_unmapped_area(struct file *f
18324 addr = ALIGN(addr, huge_page_size(h));
18325 vma = find_vma(mm, addr);
18326 - if (TASK_SIZE - len >= addr &&
18327 - (!vma || addr + len <= vma->vm_start))
18328 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18331 if (mm->get_unmapped_area == arch_get_unmapped_area)
18332 diff -urNp linux-2.6.35.7/arch/x86/mm/init_32.c linux-2.6.35.7/arch/x86/mm/init_32.c
18333 --- linux-2.6.35.7/arch/x86/mm/init_32.c 2010-08-26 19:47:12.000000000 -0400
18334 +++ linux-2.6.35.7/arch/x86/mm/init_32.c 2010-09-17 20:12:09.000000000 -0400
18335 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
18339 - * Creates a middle page table and puts a pointer to it in the
18340 - * given global directory entry. This only returns the gd entry
18341 - * in non-PAE compilation mode, since the middle layer is folded.
18343 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18346 - pmd_t *pmd_table;
18348 -#ifdef CONFIG_X86_PAE
18349 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18350 - if (after_bootmem)
18351 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18353 - pmd_table = (pmd_t *)alloc_low_page();
18354 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18355 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18356 - pud = pud_offset(pgd, 0);
18357 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18359 - return pmd_table;
18362 - pud = pud_offset(pgd, 0);
18363 - pmd_table = pmd_offset(pud, 0);
18365 - return pmd_table;
18369 * Create a page table and place a pointer to it in a middle page
18372 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
18373 page_table = (pte_t *)alloc_low_page();
18375 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18376 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18377 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18379 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18381 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18384 return pte_offset_kernel(pmd, 0);
18387 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18390 + pmd_t *pmd_table;
18392 + pud = pud_offset(pgd, 0);
18393 + pmd_table = pmd_offset(pud, 0);
18395 + return pmd_table;
18398 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18400 int pgd_idx = pgd_index(vaddr);
18401 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
18402 int pgd_idx, pmd_idx;
18403 unsigned long vaddr;
18409 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
18410 pgd = pgd_base + pgd_idx;
18412 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18413 - pmd = one_md_table_init(pgd);
18414 - pmd = pmd + pmd_index(vaddr);
18415 + pud = pud_offset(pgd, vaddr);
18416 + pmd = pmd_offset(pud, vaddr);
18418 +#ifdef CONFIG_X86_PAE
18419 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18422 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18423 pmd++, pmd_idx++) {
18424 pte = page_table_kmap_check(one_page_table_init(pmd),
18425 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
18429 -static inline int is_kernel_text(unsigned long addr)
18430 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18432 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
18435 + if ((start > ktla_ktva((unsigned long)_etext) ||
18436 + end <= ktla_ktva((unsigned long)_stext)) &&
18437 + (start > ktla_ktva((unsigned long)_einittext) ||
18438 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18440 +#ifdef CONFIG_ACPI_SLEEP
18441 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18444 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
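Review bot: The non-overlap tests in the new `is_kernel_text(start, end)` use `start > ktla_ktva((unsigned long)_etext)` and `start > ktla_ktva((unsigned long)_einittext)`, so a range that begins exactly at the end symbol is still classified as kernel text and mapped executable. If `_etext` and `_einittext` are exclusive end markers, the comparison should be `(start >= ktla_ktva((unsigned long)_etext) ||` (and likewise for `_einittext`). The `> __va(0xfffff)` form is correct for an inclusive last byte, so the two styles are mixed in one expression. The literals `0x4000`, `0xc0000` and `0xfffff` also deserve a comment or named constants; `BIOS_BEGIN`/`BIOS_END` are used for what looks like the same range in the pageattr.c part of this patch. Parts of the function body are not visible in the hunk.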
18450 @@ -244,9 +244,10 @@ kernel_physical_mapping_init(unsigned lo
18451 unsigned long last_map_addr = end;
18452 unsigned long start_pfn, end_pfn;
18453 pgd_t *pgd_base = swapper_pg_dir;
18454 - int pgd_idx, pmd_idx, pte_ofs;
18455 + unsigned int pgd_idx, pmd_idx, pte_ofs;
18461 unsigned pages_2m, pages_4k;
18462 @@ -279,8 +280,13 @@ repeat:
18464 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18465 pgd = pgd_base + pgd_idx;
18466 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18467 - pmd = one_md_table_init(pgd);
18468 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18469 + pud = pud_offset(pgd, 0);
18470 + pmd = pmd_offset(pud, 0);
18472 +#ifdef CONFIG_X86_PAE
18473 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18476 if (pfn >= end_pfn)
18478 @@ -292,14 +298,13 @@ repeat:
18480 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18481 pmd++, pmd_idx++) {
18482 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18483 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18486 * Map with big pages if possible, otherwise
18487 * create normal page tables:
18490 - unsigned int addr2;
18491 pgprot_t prot = PAGE_KERNEL_LARGE;
18493 * first pass will use the same initial
18494 @@ -309,11 +314,7 @@ repeat:
18495 __pgprot(PTE_IDENT_ATTR |
18498 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18499 - PAGE_OFFSET + PAGE_SIZE-1;
18501 - if (is_kernel_text(addr) ||
18502 - is_kernel_text(addr2))
18503 + if (is_kernel_text(address, address + PMD_SIZE))
18504 prot = PAGE_KERNEL_LARGE_EXEC;
18507 @@ -330,7 +331,7 @@ repeat:
18508 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18510 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18511 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18512 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18513 pgprot_t prot = PAGE_KERNEL;
18515 * first pass will use the same initial
18516 @@ -338,7 +339,7 @@ repeat:
18518 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18520 - if (is_kernel_text(addr))
18521 + if (is_kernel_text(address, address + PAGE_SIZE))
18522 prot = PAGE_KERNEL_EXEC;
18525 @@ -491,7 +492,7 @@ void __init native_pagetable_setup_start
18527 pud = pud_offset(pgd, va);
18528 pmd = pmd_offset(pud, va);
18529 - if (!pmd_present(*pmd))
18530 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
18533 pte = pte_offset_kernel(pmd, va);
18534 @@ -543,9 +544,7 @@ void __init early_ioremap_page_table_ran
18536 static void __init pagetable_init(void)
18538 - pgd_t *pgd_base = swapper_pg_dir;
18540 - permanent_kmaps_init(pgd_base);
18541 + permanent_kmaps_init(swapper_pg_dir);
18544 #ifdef CONFIG_ACPI_SLEEP
18545 @@ -553,12 +552,12 @@ static void __init pagetable_init(void)
18546 * ACPI suspend needs this for resume, because things like the intel-agp
18547 * driver might have split up a kernel 4MB mapping.
18549 -char swsusp_pg_dir[PAGE_SIZE]
18550 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
18551 __attribute__ ((aligned(PAGE_SIZE)));
18553 static inline void save_pg_dir(void)
18555 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
18556 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
18558 #else /* !CONFIG_ACPI_SLEEP */
18559 static inline void save_pg_dir(void)
18560 @@ -590,7 +589,7 @@ void zap_low_mappings(bool early)
18564 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18565 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18566 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18568 /* user-defined highmem size */
18569 @@ -781,7 +780,7 @@ void __init setup_bootmem_allocator(void
18570 * Initialize the boot-time allocator (with low memory only):
18572 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
18573 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18574 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18576 if (bootmap == -1L)
18577 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
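Review bot: The new lower bound `0x100000` passed to `find_e820_area` in `setup_bootmem_allocator` is a bare literal with no explanation. The same value is assigned unconditionally to `start` in the `find_early_table_space` hunk in arch/x86/mm/init.c, where it replaces a `CONFIG_X86_32` conditional. A comment such as `/* never place boot-time tables in the first megabyte */`, or a shared named constant, would make clear that the low 1 MB is being kept free on purpose. It would also tie the value to the `ISA_END_ADDRESS` boundary used elsewhere in this patch.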
18578 @@ -871,6 +870,12 @@ void __init mem_init(void)
18582 +#ifdef CONFIG_PAX_PER_CPU_PGD
18583 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18584 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18585 + KERNEL_PGD_PTRS);
18588 #ifdef CONFIG_FLATMEM
18591 @@ -888,7 +893,7 @@ void __init mem_init(void)
18592 set_highmem_pages_init();
18594 codesize = (unsigned long) &_etext - (unsigned long) &_text;
18595 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
18596 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
18597 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
18599 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
18600 @@ -929,10 +934,10 @@ void __init mem_init(void)
18601 ((unsigned long)&__init_end -
18602 (unsigned long)&__init_begin) >> 10,
18604 - (unsigned long)&_etext, (unsigned long)&_edata,
18605 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18606 + (unsigned long)&_sdata, (unsigned long)&_edata,
18607 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18609 - (unsigned long)&_text, (unsigned long)&_etext,
18610 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18611 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18614 @@ -1013,6 +1018,7 @@ void set_kernel_text_rw(void)
18615 if (!kernel_set_to_readonly)
18618 + start = ktla_ktva(start);
18619 pr_debug("Set kernel text: %lx - %lx for read write\n",
18620 start, start+size);
18622 @@ -1027,6 +1033,7 @@ void set_kernel_text_ro(void)
18623 if (!kernel_set_to_readonly)
18626 + start = ktla_ktva(start);
18627 pr_debug("Set kernel text: %lx - %lx for read only\n",
18628 start, start+size);
18630 @@ -1038,6 +1045,7 @@ void mark_rodata_ro(void)
18631 unsigned long start = PFN_ALIGN(_text);
18632 unsigned long size = PFN_ALIGN(_etext) - start;
18634 + start = ktla_ktva(start);
18635 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18636 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18638 diff -urNp linux-2.6.35.7/arch/x86/mm/init_64.c linux-2.6.35.7/arch/x86/mm/init_64.c
18639 --- linux-2.6.35.7/arch/x86/mm/init_64.c 2010-08-26 19:47:12.000000000 -0400
18640 +++ linux-2.6.35.7/arch/x86/mm/init_64.c 2010-09-17 20:12:09.000000000 -0400
18642 #include <asm/numa.h>
18643 #include <asm/cacheflush.h>
18644 #include <asm/init.h>
18645 -#include <linux/bootmem.h>
18647 static unsigned long dma_reserve __initdata;
18649 @@ -74,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
18650 * around without checking the pgd every time.
18653 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18654 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18655 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18657 int force_personality32;
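Review bot: `__supported_pte_mask` now starts with `_PAGE_NX` masked out and is placed in `__read_only`, but the store that later enables the NX bit is not part of this hunk. If that store runs after the read-only section is write-protected and is not wrapped in `pax_open_kernel()`, it would fault. If it is skipped, every `_PAGE_NX & __supported_pte_mask` expression added by this patch silently evaluates to 0 and the NX protections are not applied. A comment at the declaration naming where the bit is set, and noting that any later write needs the open/close bracket, would make the dependency checkable. The init_32.c hunk makes the same `__read_mostly` to `__read_only` change.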
18658 @@ -165,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
18659 pmd = fill_pmd(pud, vaddr);
18660 pte = fill_pte(pmd, vaddr);
18662 + pax_open_kernel();
18663 set_pte(pte, new_pte);
18664 + pax_close_kernel();
18667 * It's enough to flush this one mapping.
18668 @@ -224,14 +225,12 @@ static void __init __init_extra_mapping(
18669 pgd = pgd_offset_k((unsigned long)__va(phys));
18670 if (pgd_none(*pgd)) {
18671 pud = (pud_t *) spp_getpage();
18672 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18674 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18676 pud = pud_offset(pgd, (unsigned long)__va(phys));
18677 if (pud_none(*pud)) {
18678 pmd = (pmd_t *) spp_getpage();
18679 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18681 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18683 pmd = pmd_offset(pud, phys);
18684 BUG_ON(!pmd_none(*pmd));
18685 @@ -680,6 +679,12 @@ void __init mem_init(void)
18689 +#ifdef CONFIG_PAX_PER_CPU_PGD
18690 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18691 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18692 + KERNEL_PGD_PTRS);
18695 /* clear_bss() already clear the empty_zero_page */
18698 @@ -886,8 +891,8 @@ int kern_addr_valid(unsigned long addr)
18699 static struct vm_area_struct gate_vma = {
18700 .vm_start = VSYSCALL_START,
18701 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18702 - .vm_page_prot = PAGE_READONLY_EXEC,
18703 - .vm_flags = VM_READ | VM_EXEC
18704 + .vm_page_prot = PAGE_READONLY,
18705 + .vm_flags = VM_READ
18708 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
18709 @@ -921,7 +926,7 @@ int in_gate_area_no_task(unsigned long a
18711 const char *arch_vma_name(struct vm_area_struct *vma)
18713 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18714 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18716 if (vma == &gate_vma)
18717 return "[vsyscall]";
18718 diff -urNp linux-2.6.35.7/arch/x86/mm/init.c linux-2.6.35.7/arch/x86/mm/init.c
18719 --- linux-2.6.35.7/arch/x86/mm/init.c 2010-08-26 19:47:12.000000000 -0400
18720 +++ linux-2.6.35.7/arch/x86/mm/init.c 2010-09-17 20:12:09.000000000 -0400
18721 @@ -70,11 +70,7 @@ static void __init find_early_table_spac
18722 * cause a hotspot and fill up ZONE_DMA. The page tables
18723 * need roughly 0.5KB per GB.
18725 -#ifdef CONFIG_X86_32
18730 + start = 0x100000;
18731 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
18732 tables, PAGE_SIZE);
18733 if (e820_table_start == -1UL)
18734 @@ -321,7 +317,13 @@ unsigned long __init_refok init_memory_m
18736 int devmem_is_allowed(unsigned long pagenr)
18738 - if (pagenr <= 256)
18741 +#ifdef CONFIG_VM86
18742 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18745 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18747 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
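Review bot: The replacement for `if (pagenr <= 256)` in `devmem_is_allowed` narrows which low pages are readable through /dev/mem, but the new policy is not written down anywhere in the hunk. Pages below `ISA_START_ADDRESS` are now allowed only under `CONFIG_VM86`, and page 256 itself, which the old `<=` admitted, is no longer covered by the ISA range test. I would add a comment above the checks, for example `/* low RAM is exposed only for vm86 users; the ISA hole stays readable for legacy tools */`, once the author confirms the rationale. Any function-level comment outside the hunk that still describes the first-megabyte rule should be updated as well. Some lines of the new body are not visible here.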
18749 @@ -380,6 +382,88 @@ void free_init_pages(char *what, unsigne
18751 void free_initmem(void)
18754 +#ifdef CONFIG_PAX_KERNEXEC
18755 +#ifdef CONFIG_X86_32
18756 + /* PaX: limit KERNEL_CS to actual size */
18757 + unsigned long addr, limit;
18758 + struct desc_struct d;
18761 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
18762 + limit = (limit - 1UL) >> PAGE_SHIFT;
18764 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
18765 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
18766 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
18767 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
18770 + /* PaX: make KERNEL_CS read-only */
18771 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
18772 + if (!paravirt_enabled())
18773 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
18775 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
18776 + pgd = pgd_offset_k(addr);
18777 + pud = pud_offset(pgd, addr);
18778 + pmd = pmd_offset(pud, addr);
18779 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18782 +#ifdef CONFIG_X86_PAE
18783 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
18785 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
18786 + pgd = pgd_offset_k(addr);
18787 + pud = pud_offset(pgd, addr);
18788 + pmd = pmd_offset(pud, addr);
18789 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18794 +#ifdef CONFIG_MODULES
18795 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
18802 + unsigned long addr, end;
18804 + /* PaX: make kernel code/rodata read-only, rest non-executable */
18805 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
18806 + pgd = pgd_offset_k(addr);
18807 + pud = pud_offset(pgd, addr);
18808 + pmd = pmd_offset(pud, addr);
18809 + if (!pmd_present(*pmd))
18811 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
18812 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18814 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18817 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
18818 + end = addr + KERNEL_IMAGE_SIZE;
18819 + for (; addr < end; addr += PMD_SIZE) {
18820 + pgd = pgd_offset_k(addr);
18821 + pud = pud_offset(pgd, addr);
18822 + pmd = pmd_offset(pud, addr);
18823 + if (!pmd_present(*pmd))
18825 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
18826 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18828 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18835 free_init_pages("unused kernel memory",
18836 (unsigned long)(&__init_begin),
18837 (unsigned long)(&__init_end));
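Review bot: In the `CONFIG_X86_32` branch added to `free_initmem`, `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE)` passes an integer expression as the destination pointer, assuming both macros are integer-typed as in the mainline headers. That compiles only with a pointer-from-integer warning; `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);` states the intent. The `0x9B, 0xC` arguments to `pack_descriptor` would benefit from a comment naming the descriptor type and flags they encode. The two near-identical PMD walks in the 64-bit branch could share a helper taking the start address and the text bounds. The function begins and ends outside the hunk.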
18838 diff -urNp linux-2.6.35.7/arch/x86/mm/iomap_32.c linux-2.6.35.7/arch/x86/mm/iomap_32.c
18839 --- linux-2.6.35.7/arch/x86/mm/iomap_32.c 2010-08-26 19:47:12.000000000 -0400
18840 +++ linux-2.6.35.7/arch/x86/mm/iomap_32.c 2010-09-17 20:12:09.000000000 -0400
18841 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
18842 debug_kmap_atomic(type);
18843 idx = type + KM_TYPE_NR * smp_processor_id();
18844 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18846 + pax_open_kernel();
18847 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
18848 + pax_close_kernel();
18850 arch_flush_lazy_mmu_mode();
18852 return (void *)vaddr;
18853 diff -urNp linux-2.6.35.7/arch/x86/mm/ioremap.c linux-2.6.35.7/arch/x86/mm/ioremap.c
18854 --- linux-2.6.35.7/arch/x86/mm/ioremap.c 2010-08-26 19:47:12.000000000 -0400
18855 +++ linux-2.6.35.7/arch/x86/mm/ioremap.c 2010-09-17 20:12:09.000000000 -0400
18856 @@ -100,13 +100,10 @@ static void __iomem *__ioremap_caller(re
18858 * Don't allow anybody to remap normal RAM that we're using..
18860 - for (pfn = phys_addr >> PAGE_SHIFT;
18861 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
18864 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
18865 int is_ram = page_is_ram(pfn);
18867 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
18868 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
18870 WARN_ON_ONCE(is_ram);
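Review bot: The added `pfn >= 0x100` term in the `__ioremap_caller` RAM check is a magic number, and it changes policy. RAM pages at or above that frame are now refused even when `PageReserved` is set, and only frames below it keep the old exemption. Spelling it as `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT)`, the form used in the `devmem_is_allowed` hunk of this patch, makes the 1 MB boundary explicit. The comment above the loop should also say that reserved RAM above 1 MB can no longer be remapped, since callers that relied on that will now fail. The `(resource_size_t)` cast on `pfn` is a sound fix for the shift overflow on its own.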
18872 @@ -346,7 +343,7 @@ static int __init early_ioremap_debug_se
18873 early_param("early_ioremap_debug", early_ioremap_debug_setup);
18875 static __initdata int after_paging_init;
18876 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
18877 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
18879 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
18881 @@ -378,8 +375,7 @@ void __init early_ioremap_init(void)
18882 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
18884 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
18885 - memset(bm_pte, 0, sizeof(bm_pte));
18886 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
18887 + pmd_populate_user(&init_mm, pmd, bm_pte);
18890 * The boot-ioremap range spans multiple pmds, for which
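Review bot: In `early_ioremap_init`, populating an `init_mm` fixmap pmd with `pmd_populate_user` instead of `pmd_populate_kernel` is surprising and carries no comment; the definition of `pmd_populate_user` is not visible in this hunk. The `memset(bm_pte, 0, sizeof(bm_pte))` is also dropped, so correctness now depends on the `__read_only` section holding `bm_pte` being zero-filled at boot, unlike the previous `__page_aligned_bss` placement, where zeroing was guaranteed. A comment stating which page-table flags the `_user` variant installs and why they are needed here would help. A second line should confirm that the section is zero-initialised. The function continues outside the hunk.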
18891 diff -urNp linux-2.6.35.7/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.35.7/arch/x86/mm/kmemcheck/kmemcheck.c
18892 --- linux-2.6.35.7/arch/x86/mm/kmemcheck/kmemcheck.c 2010-08-26 19:47:12.000000000 -0400
18893 +++ linux-2.6.35.7/arch/x86/mm/kmemcheck/kmemcheck.c 2010-09-17 20:12:09.000000000 -0400
18894 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
18895 * memory (e.g. tracked pages)? For now, we need this to avoid
18896 * invoking kmemcheck for PnP BIOS calls.
18898 - if (regs->flags & X86_VM_MASK)
18899 + if (v8086_mode(regs))
18901 - if (regs->cs != __KERNEL_CS)
18902 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
18905 pte = kmemcheck_pte_lookup(address);
18906 diff -urNp linux-2.6.35.7/arch/x86/mm/mmap.c linux-2.6.35.7/arch/x86/mm/mmap.c
18907 --- linux-2.6.35.7/arch/x86/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
18908 +++ linux-2.6.35.7/arch/x86/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
18909 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
18910 * Leave an at least ~128 MB hole with possible stack randomization.
18912 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
18913 -#define MAX_GAP (TASK_SIZE/6*5)
18914 +#define MAX_GAP (pax_task_size/6*5)
18917 * True on X86_32 or when emulating IA32 on X86_64
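Review bot: `#define MAX_GAP (pax_task_size/6*5)` makes the macro depend on a local variable named `pax_task_size` being in scope wherever it expands. Today that is only `mmap_base`, which declares it in the next hunk. Any future use elsewhere fails to compile or, worse, picks up an unrelated variable of the same name. Passing the size explicitly avoids the hidden coupling: `#define MAX_GAP(size) ((size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` at the call site.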
18918 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
18919 return rnd << PAGE_SHIFT;
18922 -static unsigned long mmap_base(void)
18923 +static unsigned long mmap_base(struct mm_struct *mm)
18925 unsigned long gap = rlimit(RLIMIT_STACK);
18926 + unsigned long pax_task_size = TASK_SIZE;
18928 +#ifdef CONFIG_PAX_SEGMEXEC
18929 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18930 + pax_task_size = SEGMEXEC_TASK_SIZE;
18935 else if (gap > MAX_GAP)
18938 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
18939 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
18943 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
18944 * does, but not when emulating X86_32
18946 -static unsigned long mmap_legacy_base(void)
18947 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
18949 - if (mmap_is_ia32())
18950 + if (mmap_is_ia32()) {
18952 +#ifdef CONFIG_PAX_SEGMEXEC
18953 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18954 + return SEGMEXEC_TASK_UNMAPPED_BASE;
18958 return TASK_UNMAPPED_BASE;
18961 return TASK_UNMAPPED_BASE + mmap_rnd();
18964 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
18965 void arch_pick_mmap_layout(struct mm_struct *mm)
18967 if (mmap_is_legacy()) {
18968 - mm->mmap_base = mmap_legacy_base();
18969 + mm->mmap_base = mmap_legacy_base(mm);
18971 +#ifdef CONFIG_PAX_RANDMMAP
18972 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18973 + mm->mmap_base += mm->delta_mmap;
18976 mm->get_unmapped_area = arch_get_unmapped_area;
18977 mm->unmap_area = arch_unmap_area;
18979 - mm->mmap_base = mmap_base();
18980 + mm->mmap_base = mmap_base(mm);
18982 +#ifdef CONFIG_PAX_RANDMMAP
18983 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18984 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
18987 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
18988 mm->unmap_area = arch_unmap_area_topdown;
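Review bot: The top-down branch of `arch_pick_mmap_layout` computes `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` with no visible lower bound on the result. `mmap_base(mm)` already subtracts the stack gap (capped by `MAX_GAP`) and `mmap_rnd()`, so whether the extra subtraction can push the base very low or wrap depends on the maximum delta values, which are defined outside this hunk. A comment stating the worst-case sum relative to `pax_task_size/6`, or an explicit clamp, would make the invariant checkable. The legacy branch adds `delta_mmap` on top of a base that may already include `mmap_rnd()`; if stacking both is intended, say so. The closing lines of the function are outside the hunk.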
18990 diff -urNp linux-2.6.35.7/arch/x86/mm/numa_32.c linux-2.6.35.7/arch/x86/mm/numa_32.c
18991 --- linux-2.6.35.7/arch/x86/mm/numa_32.c 2010-08-26 19:47:12.000000000 -0400
18992 +++ linux-2.6.35.7/arch/x86/mm/numa_32.c 2010-09-17 20:12:09.000000000 -0400
18993 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
18997 -extern unsigned long find_max_low_pfn(void);
18998 extern unsigned long highend_pfn, highstart_pfn;
19000 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
19001 diff -urNp linux-2.6.35.7/arch/x86/mm/pageattr.c linux-2.6.35.7/arch/x86/mm/pageattr.c
19002 --- linux-2.6.35.7/arch/x86/mm/pageattr.c 2010-08-26 19:47:12.000000000 -0400
19003 +++ linux-2.6.35.7/arch/x86/mm/pageattr.c 2010-09-17 20:12:09.000000000 -0400
19004 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
19005 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
19007 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
19008 - pgprot_val(forbidden) |= _PAGE_NX;
19009 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19012 * The kernel text needs to be executable for obvious reasons
19013 * Does not cover __inittext since that is gone later on. On
19014 * 64bit we do not enforce !NX on the low mapping
19016 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
19017 - pgprot_val(forbidden) |= _PAGE_NX;
19018 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
19019 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19021 +#ifdef CONFIG_DEBUG_RODATA
19023 * The .rodata section needs to be read-only. Using the pfn
19024 * catches all aliases.
19025 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
19026 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
19027 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
19028 pgprot_val(forbidden) |= _PAGE_RW;
19031 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
19033 @@ -316,6 +318,13 @@ static inline pgprot_t static_protection
19037 +#ifdef CONFIG_PAX_KERNEXEC
19038 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
19039 + pgprot_val(forbidden) |= _PAGE_RW;
19040 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19044 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
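Review bot: The new CONFIG_PAX_KERNEXEC test compares `pfn` against `__pa((unsigned long)&_text)` and `__pa((unsigned long)&_sdata)` without shifting them down to page frame numbers. The BIOS and .rodata checks in the same function both apply `>> PAGE_SHIFT` to their bounds. As written the window is expressed in bytes, so it sits PAGE_SIZE times too high and would not match the kernel image's own page frames, leaving the `_PAGE_RW` and `_PAGE_NX` restrictions unapplied on this path. The condition should read `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. static_protections() starts before this hunk and continues after it.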
19047 @@ -368,23 +377,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
19048 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
19050 /* change init_mm */
19051 + pax_open_kernel();
19052 set_pte_atomic(kpte, pte);
19054 #ifdef CONFIG_X86_32
19055 if (!SHARED_KERNEL_PMD) {
19057 +#ifdef CONFIG_PAX_PER_CPU_PGD
19058 + unsigned long cpu;
19063 +#ifdef CONFIG_PAX_PER_CPU_PGD
19064 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19065 + pgd_t *pgd = get_cpu_pgd(cpu);
19067 list_for_each_entry(page, &pgd_list, lru) {
19069 + pgd_t *pgd = (pgd_t *)page_address(page);
19075 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
19076 + pgd += pgd_index(address);
19077 pud = pud_offset(pgd, address);
19078 pmd = pmd_offset(pud, address);
19079 set_pte_atomic((pte_t *)pmd, pte);
19083 + pax_close_kernel();
19087 diff -urNp linux-2.6.35.7/arch/x86/mm/pageattr-test.c linux-2.6.35.7/arch/x86/mm/pageattr-test.c
19088 --- linux-2.6.35.7/arch/x86/mm/pageattr-test.c 2010-08-26 19:47:12.000000000 -0400
19089 +++ linux-2.6.35.7/arch/x86/mm/pageattr-test.c 2010-09-17 20:12:09.000000000 -0400
19090 @@ -36,7 +36,7 @@ enum {
19092 static int pte_testbit(pte_t pte)
19094 - return pte_flags(pte) & _PAGE_UNUSED1;
19095 + return pte_flags(pte) & _PAGE_CPA_TEST;
19098 struct split_state {
19099 diff -urNp linux-2.6.35.7/arch/x86/mm/pat.c linux-2.6.35.7/arch/x86/mm/pat.c
19100 --- linux-2.6.35.7/arch/x86/mm/pat.c 2010-08-26 19:47:12.000000000 -0400
19101 +++ linux-2.6.35.7/arch/x86/mm/pat.c 2010-09-17 20:12:09.000000000 -0400
19102 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
19105 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
19106 - current->comm, current->pid, start, end);
19107 + current->comm, task_pid_nr(current), start, end);
19111 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
19112 while (cursor < to) {
19113 if (!devmem_is_allowed(pfn)) {
19115 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
19116 - current->comm, from, to);
19117 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
19118 + current->comm, from, to, cursor);
19121 cursor += PAGE_SIZE;
19122 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
19124 "%s:%d ioremap_change_attr failed %s "
19126 - current->comm, current->pid,
19127 + current->comm, task_pid_nr(current),
19129 base, (unsigned long long)(base + size));
19131 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
19132 if (want_flags != flags) {
19133 printk(KERN_WARNING
19134 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
19135 - current->comm, current->pid,
19136 + current->comm, task_pid_nr(current),
19137 cattr_name(want_flags),
19138 (unsigned long long)paddr,
19139 (unsigned long long)(paddr + size),
19140 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
19141 free_memtype(paddr, paddr + size);
19142 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
19143 " for %Lx-%Lx, got %s\n",
19144 - current->comm, current->pid,
19145 + current->comm, task_pid_nr(current),
19146 cattr_name(want_flags),
19147 (unsigned long long)paddr,
19148 (unsigned long long)(paddr + size),
19149 diff -urNp linux-2.6.35.7/arch/x86/mm/pgtable_32.c linux-2.6.35.7/arch/x86/mm/pgtable_32.c
19150 --- linux-2.6.35.7/arch/x86/mm/pgtable_32.c 2010-08-26 19:47:12.000000000 -0400
19151 +++ linux-2.6.35.7/arch/x86/mm/pgtable_32.c 2010-09-17 20:12:09.000000000 -0400
19152 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
19155 pte = pte_offset_kernel(pmd, vaddr);
19157 + pax_open_kernel();
19158 if (pte_val(pteval))
19159 set_pte_at(&init_mm, vaddr, pte, pteval);
19161 pte_clear(&init_mm, vaddr, pte);
19162 + pax_close_kernel();
19165 * It's enough to flush this one mapping.
19166 diff -urNp linux-2.6.35.7/arch/x86/mm/pgtable.c linux-2.6.35.7/arch/x86/mm/pgtable.c
19167 --- linux-2.6.35.7/arch/x86/mm/pgtable.c 2010-08-26 19:47:12.000000000 -0400
19168 +++ linux-2.6.35.7/arch/x86/mm/pgtable.c 2010-10-10 15:54:54.000000000 -0400
19169 @@ -84,8 +84,58 @@ static inline void pgd_list_del(pgd_t *p
19170 list_del(&page->lru);
19173 -#define UNSHARED_PTRS_PER_PGD \
19174 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19175 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19176 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
19178 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19181 + *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER);
19185 +#ifdef CONFIG_PAX_PER_CPU_PGD
19186 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19190 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19191 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
19199 +#ifdef CONFIG_PAX_PER_CPU_PGD
19200 +static inline void pgd_ctor(pgd_t *pgd) {}
19201 +static inline void pgd_dtor(pgd_t *pgd) {}
19202 +#ifdef CONFIG_X86_64
19203 +#define pxd_t pud_t
19204 +#define pyd_t pgd_t
19205 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
19206 +#define pxd_free(mm, pud) pud_free((mm), (pud))
19207 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
19208 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
19209 +#define PYD_SIZE PGDIR_SIZE
19211 +#define pxd_t pmd_t
19212 +#define pyd_t pud_t
19213 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19214 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
19215 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
19216 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19217 +#define PYD_SIZE PUD_SIZE
19220 +#define pxd_t pmd_t
19221 +#define pyd_t pud_t
19222 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19223 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
19224 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
19225 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19226 +#define PYD_SIZE PUD_SIZE
19228 static void pgd_ctor(pgd_t *pgd)
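Review bot: The pxd/pyd alias macros are introduced without a comment, and the first 32-bit set names its parameters after the wrong level: `pxd_free(mm, pud)` expands to `pmd_free()` and `pyd_populate(mm, pgd, pud)` expands to `pud_populate()`. The second 32-bit set a few lines further down already uses `pmd`/`pud`, so the first should match it, e.g. `#define pxd_free(mm, pmd) pmd_free((mm), (pmd))` and `#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))`. A header comment such as `/* pxd_t: the preallocated table level; pyd_t: the parent level whose entries point at it */` would make the rest of the file readable without decoding the #ifdef ladder. The stray space in `pyd_offset(mm ,address)` is worth fixing at the same time.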
19230 @@ -120,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
19232 spin_unlock_irqrestore(&pgd_lock, flags);
19237 * List of all pgd's needed for non-PAE so it can invalidate entries
19238 @@ -132,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
19242 -#ifdef CONFIG_X86_PAE
19243 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19245 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19246 * updating the top-level pagetable entries to guarantee the
19247 @@ -144,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
19248 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19249 * and initialize the kernel pmds here.
19251 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19252 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19254 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19256 @@ -163,36 +214,38 @@ void pud_populate(struct mm_struct *mm,
19257 if (mm == current->active_mm)
19258 write_cr3(read_cr3());
19260 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19261 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19262 #else /* !CONFIG_X86_PAE */
19264 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19265 -#define PREALLOCATED_PMDS 0
19266 +#define PREALLOCATED_PXDS 0
19268 #endif /* CONFIG_X86_PAE */
19270 -static void free_pmds(pmd_t *pmds[])
19271 +static void free_pxds(pxd_t *pxds[])
19275 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19277 - free_page((unsigned long)pmds[i]);
19278 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19280 + free_page((unsigned long)pxds[i]);
19283 -static int preallocate_pmds(pmd_t *pmds[])
19284 +static int preallocate_pxds(pxd_t *pxds[])
19287 bool failed = false;
19289 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19290 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19292 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19293 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19306 @@ -205,51 +258,56 @@ static int preallocate_pmds(pmd_t *pmds[
19307 * preallocate which never got a corresponding vma will need to be
19310 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19311 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19315 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19316 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19317 pgd_t pgd = pgdp[i];
19319 if (pgd_val(pgd) != 0) {
19320 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19321 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19323 - pgdp[i] = native_make_pgd(0);
19324 + set_pgd(pgdp + i, native_make_pgd(0));
19326 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19327 - pmd_free(mm, pmd);
19328 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19329 + pxd_free(mm, pxd);
19334 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19335 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19339 unsigned long addr;
19342 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19343 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19346 - pud = pud_offset(pgd, 0);
19347 +#ifdef CONFIG_X86_64
19348 + pyd = pyd_offset(mm, 0L);
19350 + pyd = pyd_offset(pgd, 0L);
19353 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19354 - i++, pud++, addr += PUD_SIZE) {
19355 - pmd_t *pmd = pmds[i];
19356 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19357 + i++, pyd++, addr += PYD_SIZE) {
19358 + pxd_t *pxd = pxds[i];
19360 if (i >= KERNEL_PGD_BOUNDARY)
19361 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19362 - sizeof(pmd_t) * PTRS_PER_PMD);
19363 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19364 + sizeof(pxd_t) * PTRS_PER_PMD);
19366 - pud_populate(mm, pud, pmd);
19367 + pyd_populate(mm, pyd, pxd);
19371 pgd_t *pgd_alloc(struct mm_struct *mm)
19374 - pmd_t *pmds[PREALLOCATED_PMDS];
19375 + pxd_t *pxds[PREALLOCATED_PXDS];
19377 unsigned long flags;
19379 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
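Review bot: In pgd_prepopulate_pxd() the memcpy element type was generalised to `pxd_t`, but the element count is still `PTRS_PER_PMD`. When `pxd_t` is `pud_t` (the x86_64 per-CPU-PGD case defined earlier in this file) the copy size is only right if PTRS_PER_PUD happens to equal PTRS_PER_PMD. Whether that branch is reachable in that configuration is not visible here. Defining a `PTRS_PER_PXD` alias next to `PYD_SIZE` and using `sizeof(pxd_t) * PTRS_PER_PXD` keeps the size tied to the type being copied.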
19380 @@ -259,11 +317,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19384 - if (preallocate_pmds(pmds) != 0)
19385 + if (preallocate_pxds(pxds) != 0)
19388 if (paravirt_pgd_alloc(mm) != 0)
19389 - goto out_free_pmds;
19390 + goto out_free_pxds;
19393 * Make sure that pre-populating the pmds is atomic with
19394 @@ -273,14 +331,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19395 spin_lock_irqsave(&pgd_lock, flags);
19398 - pgd_prepopulate_pmd(mm, pgd, pmds);
19399 + pgd_prepopulate_pxd(mm, pgd, pxds);
19401 spin_unlock_irqrestore(&pgd_lock, flags);
19410 free_page((unsigned long)pgd);
19412 @@ -289,7 +347,7 @@ out:
19414 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19416 - pgd_mop_up_pmds(mm, pgd);
19417 + pgd_mop_up_pxds(mm, pgd);
19419 paravirt_pgd_free(mm, pgd);
19420 free_page((unsigned long)pgd);
19421 diff -urNp linux-2.6.35.7/arch/x86/mm/setup_nx.c linux-2.6.35.7/arch/x86/mm/setup_nx.c
19422 --- linux-2.6.35.7/arch/x86/mm/setup_nx.c 2010-08-26 19:47:12.000000000 -0400
19423 +++ linux-2.6.35.7/arch/x86/mm/setup_nx.c 2010-09-17 20:12:09.000000000 -0400
19425 #include <asm/pgtable.h>
19426 #include <asm/proto.h>
19428 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19429 static int disable_nx __cpuinitdata;
19431 +#ifndef CONFIG_PAX_PAGEEXEC
19435 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19438 early_param("noexec", noexec_setup);
19443 void __cpuinit x86_configure_nx(void)
19445 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19446 if (cpu_has_nx && !disable_nx)
19447 __supported_pte_mask |= _PAGE_NX;
19450 __supported_pte_mask &= ~_PAGE_NX;
19453 diff -urNp linux-2.6.35.7/arch/x86/mm/tlb.c linux-2.6.35.7/arch/x86/mm/tlb.c
19454 --- linux-2.6.35.7/arch/x86/mm/tlb.c 2010-08-26 19:47:12.000000000 -0400
19455 +++ linux-2.6.35.7/arch/x86/mm/tlb.c 2010-09-17 20:12:09.000000000 -0400
19457 #include <asm/uv/uv.h>
19459 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19460 - = { &init_mm, 0, };
19461 + = { &init_mm, 0 };
19464 * Smarter SMP flushing macros.
19465 @@ -62,7 +62,11 @@ void leave_mm(int cpu)
19467 cpumask_clear_cpu(cpu,
19468 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19470 +#ifndef CONFIG_PAX_PER_CPU_PGD
19471 load_cr3(swapper_pg_dir);
19475 EXPORT_SYMBOL_GPL(leave_mm);
19477 diff -urNp linux-2.6.35.7/arch/x86/oprofile/backtrace.c linux-2.6.35.7/arch/x86/oprofile/backtrace.c
19478 --- linux-2.6.35.7/arch/x86/oprofile/backtrace.c 2010-08-26 19:47:12.000000000 -0400
19479 +++ linux-2.6.35.7/arch/x86/oprofile/backtrace.c 2010-09-17 20:12:09.000000000 -0400
19480 @@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
19481 struct frame_head bufhead[2];
19483 /* Also check accessibility of one struct frame_head beyond */
19484 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19485 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19487 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
19489 @@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
19491 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
19493 - if (!user_mode_vm(regs)) {
19494 + if (!user_mode(regs)) {
19495 unsigned long stack = kernel_stack_pointer(regs);
19497 dump_trace(NULL, regs, (unsigned long *)stack, 0,
19498 diff -urNp linux-2.6.35.7/arch/x86/oprofile/op_model_p4.c linux-2.6.35.7/arch/x86/oprofile/op_model_p4.c
19499 --- linux-2.6.35.7/arch/x86/oprofile/op_model_p4.c 2010-08-26 19:47:12.000000000 -0400
19500 +++ linux-2.6.35.7/arch/x86/oprofile/op_model_p4.c 2010-09-17 20:12:09.000000000 -0400
19501 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
19505 -static int inline addr_increment(void)
19506 +static inline int addr_increment(void)
19509 return smp_num_siblings == 2 ? 2 : 1;
19510 diff -urNp linux-2.6.35.7/arch/x86/pci/common.c linux-2.6.35.7/arch/x86/pci/common.c
19511 --- linux-2.6.35.7/arch/x86/pci/common.c 2010-08-26 19:47:12.000000000 -0400
19512 +++ linux-2.6.35.7/arch/x86/pci/common.c 2010-09-17 20:12:09.000000000 -0400
19513 @@ -32,8 +32,8 @@ int noioapicreroute = 1;
19514 int pcibios_last_bus = -1;
19515 unsigned long pirq_table_addr;
19516 struct pci_bus *pci_root_bus;
19517 -struct pci_raw_ops *raw_pci_ops;
19518 -struct pci_raw_ops *raw_pci_ext_ops;
19519 +const struct pci_raw_ops *raw_pci_ops;
19520 +const struct pci_raw_ops *raw_pci_ext_ops;
19522 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19523 int reg, int len, u32 *val)
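Review bot: Only the pointee is made const in this hunk; `raw_pci_ops` and `raw_pci_ext_ops` themselves remain writable globals, so the pointers that select the ops table are not covered by the constification. If both are assigned only during initialisation (the assignments are outside this hunk), they could also carry the `__read_only` annotation this patch applies to other init-time data, e.g. `const struct pci_raw_ops *raw_pci_ops __read_only;`. A short comment stating when the pointers are set would help whoever audits that later.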
19524 @@ -365,7 +365,7 @@ static const struct dmi_system_id __devi
19525 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19529 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19532 void __init dmi_check_pciprobe(void)
19533 diff -urNp linux-2.6.35.7/arch/x86/pci/direct.c linux-2.6.35.7/arch/x86/pci/direct.c
19534 --- linux-2.6.35.7/arch/x86/pci/direct.c 2010-08-26 19:47:12.000000000 -0400
19535 +++ linux-2.6.35.7/arch/x86/pci/direct.c 2010-09-17 20:12:09.000000000 -0400
19536 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
19538 #undef PCI_CONF1_ADDRESS
19540 -struct pci_raw_ops pci_direct_conf1 = {
19541 +const struct pci_raw_ops pci_direct_conf1 = {
19542 .read = pci_conf1_read,
19543 .write = pci_conf1_write,
19545 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
19547 #undef PCI_CONF2_ADDRESS
19549 -struct pci_raw_ops pci_direct_conf2 = {
19550 +const struct pci_raw_ops pci_direct_conf2 = {
19551 .read = pci_conf2_read,
19552 .write = pci_conf2_write,
19554 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19555 * This should be close to trivial, but it isn't, because there are buggy
19556 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19558 -static int __init pci_sanity_check(struct pci_raw_ops *o)
19559 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
19563 diff -urNp linux-2.6.35.7/arch/x86/pci/fixup.c linux-2.6.35.7/arch/x86/pci/fixup.c
19564 --- linux-2.6.35.7/arch/x86/pci/fixup.c 2010-08-26 19:47:12.000000000 -0400
19565 +++ linux-2.6.35.7/arch/x86/pci/fixup.c 2010-09-17 20:12:09.000000000 -0400
19566 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19567 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19571 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19575 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19576 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19580 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19583 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
19584 diff -urNp linux-2.6.35.7/arch/x86/pci/irq.c linux-2.6.35.7/arch/x86/pci/irq.c
19585 --- linux-2.6.35.7/arch/x86/pci/irq.c 2010-08-26 19:47:12.000000000 -0400
19586 +++ linux-2.6.35.7/arch/x86/pci/irq.c 2010-09-17 20:12:09.000000000 -0400
19587 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
19588 static struct pci_device_id __initdata pirq_440gx[] = {
19589 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19590 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19592 + { PCI_DEVICE(0, 0) }
19595 /* 440GX has a proprietary PIRQ router -- don't use it */
19596 @@ -1113,7 +1113,7 @@ static struct dmi_system_id __initdata p
19597 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19601 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19604 void __init pcibios_irq_init(void)
19605 diff -urNp linux-2.6.35.7/arch/x86/pci/mmconfig_32.c linux-2.6.35.7/arch/x86/pci/mmconfig_32.c
19606 --- linux-2.6.35.7/arch/x86/pci/mmconfig_32.c 2010-08-26 19:47:12.000000000 -0400
19607 +++ linux-2.6.35.7/arch/x86/pci/mmconfig_32.c 2010-09-17 20:12:09.000000000 -0400
19608 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
19612 -static struct pci_raw_ops pci_mmcfg = {
19613 +static const struct pci_raw_ops pci_mmcfg = {
19614 .read = pci_mmcfg_read,
19615 .write = pci_mmcfg_write,
19617 diff -urNp linux-2.6.35.7/arch/x86/pci/mmconfig_64.c linux-2.6.35.7/arch/x86/pci/mmconfig_64.c
19618 --- linux-2.6.35.7/arch/x86/pci/mmconfig_64.c 2010-08-26 19:47:12.000000000 -0400
19619 +++ linux-2.6.35.7/arch/x86/pci/mmconfig_64.c 2010-09-17 20:12:09.000000000 -0400
19620 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
19624 -static struct pci_raw_ops pci_mmcfg = {
19625 +static const struct pci_raw_ops pci_mmcfg = {
19626 .read = pci_mmcfg_read,
19627 .write = pci_mmcfg_write,
19629 diff -urNp linux-2.6.35.7/arch/x86/pci/numaq_32.c linux-2.6.35.7/arch/x86/pci/numaq_32.c
19630 --- linux-2.6.35.7/arch/x86/pci/numaq_32.c 2010-08-26 19:47:12.000000000 -0400
19631 +++ linux-2.6.35.7/arch/x86/pci/numaq_32.c 2010-09-17 20:12:09.000000000 -0400
19632 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
19634 #undef PCI_CONF1_MQ_ADDRESS
19636 -static struct pci_raw_ops pci_direct_conf1_mq = {
19637 +static const struct pci_raw_ops pci_direct_conf1_mq = {
19638 .read = pci_conf1_mq_read,
19639 .write = pci_conf1_mq_write
19641 diff -urNp linux-2.6.35.7/arch/x86/pci/olpc.c linux-2.6.35.7/arch/x86/pci/olpc.c
19642 --- linux-2.6.35.7/arch/x86/pci/olpc.c 2010-08-26 19:47:12.000000000 -0400
19643 +++ linux-2.6.35.7/arch/x86/pci/olpc.c 2010-09-17 20:12:09.000000000 -0400
19644 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19648 -static struct pci_raw_ops pci_olpc_conf = {
19649 +static const struct pci_raw_ops pci_olpc_conf = {
19650 .read = pci_olpc_read,
19651 .write = pci_olpc_write,
19653 diff -urNp linux-2.6.35.7/arch/x86/pci/pcbios.c linux-2.6.35.7/arch/x86/pci/pcbios.c
19654 --- linux-2.6.35.7/arch/x86/pci/pcbios.c 2010-08-26 19:47:12.000000000 -0400
19655 +++ linux-2.6.35.7/arch/x86/pci/pcbios.c 2010-09-17 20:12:09.000000000 -0400
19656 @@ -57,50 +57,93 @@ union bios32 {
19658 unsigned long address;
19659 unsigned short segment;
19660 -} bios32_indirect = { 0, __KERNEL_CS };
19661 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19664 * Returns the entry point for the given service, NULL on error
19667 -static unsigned long bios32_service(unsigned long service)
19668 +static unsigned long __devinit bios32_service(unsigned long service)
19670 unsigned char return_code; /* %al */
19671 unsigned long address; /* %ebx */
19672 unsigned long length; /* %ecx */
19673 unsigned long entry; /* %edx */
19674 unsigned long flags;
19675 + struct desc_struct d, *gdt;
19677 local_irq_save(flags);
19678 - __asm__("lcall *(%%edi); cld"
19680 + gdt = get_cpu_gdt_table(smp_processor_id());
19682 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19683 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19684 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19685 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19687 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19688 : "=a" (return_code),
19694 - "D" (&bios32_indirect));
19695 + "D" (&bios32_indirect),
19696 + "r"(__PCIBIOS_DS)
19699 + pax_open_kernel();
19700 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19701 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19702 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19703 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
19704 + pax_close_kernel();
19706 local_irq_restore(flags);
19708 switch (return_code) {
19710 - return address + entry;
19711 - case 0x80: /* Not present */
19712 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19714 - default: /* Shouldn't happen */
19715 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19716 - service, return_code);
19719 + unsigned char flags;
19721 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19722 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19723 + printk(KERN_WARNING "bios32_service: not valid\n");
19726 + address = address + PAGE_OFFSET;
19727 + length += 16UL; /* some BIOSs underreport this... */
19729 + if (length >= 64*1024*1024) {
19730 + length >>= PAGE_SHIFT;
19734 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19735 + gdt = get_cpu_gdt_table(cpu);
19736 + pack_descriptor(&d, address, length, 0x9b, flags);
19737 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19738 + pack_descriptor(&d, address, length, 0x93, flags);
19739 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19743 + case 0x80: /* Not present */
19744 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19746 + default: /* Shouldn't happen */
19747 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19748 + service, return_code);
19754 unsigned long address;
19755 unsigned short segment;
19756 -} pci_indirect = { 0, __KERNEL_CS };
19757 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19759 -static int pci_bios_present;
19760 +static int pci_bios_present __read_only;
19762 static int __devinit check_pcibios(void)
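Review bot: In bios32_service() the pad `length += 16UL` is applied after the range check `length > 0x100000 - address`, so the value later passed to pack_descriptor() as the segment limit can extend past the 1 MiB window that was just validated. Padding before the check, or clamping with `length = min(length + 16UL, 0x100000UL - address);` ahead of the `PAGE_OFFSET` adjustment, keeps the BIOS code and data descriptors inside the checked range. The `unsigned char flags` declared inside the `case` also shadows the `unsigned long flags` used for `local_irq_save()`, and a distinct name such as `desc_flags` would avoid that. Some lines of this hunk are not shown on the page, so these points should be checked against the full patch.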
19764 @@ -109,11 +152,13 @@ static int __devinit check_pcibios(void)
19765 unsigned long flags, pcibios_entry;
19767 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
19768 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
19769 + pci_indirect.address = pcibios_entry;
19771 local_irq_save(flags);
19773 - "lcall *(%%edi); cld\n\t"
19774 + __asm__("movw %w6, %%ds\n\t"
19775 + "lcall *%%ss:(%%edi); cld\n\t"
19781 @@ -122,7 +167,8 @@ static int __devinit check_pcibios(void)
19784 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
19785 - "D" (&pci_indirect)
19786 + "D" (&pci_indirect),
19787 + "r" (__PCIBIOS_DS)
19789 local_irq_restore(flags);
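Review bot: The DS selector is referenced by operand position (`%w6` in check_pcibios()), which silently breaks if an operand is ever added or removed ahead of it. The same pattern recurs with different indices in bios32_service() (`%w7`), pci_bios_read() and pci_bios_write() (`%w6`), pcibios_get_irq_routing() (`%w8`) and pcibios_set_irq_routing() (`%w5`). A named operand removes the counting, assuming the supported compilers accept named asm operands: `"movw %w[ds], %%ds\n\t"` together with `[ds] "r" (__PCIBIOS_DS)`. check_pcibios() begins in the previous hunk and continues past this one.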
19791 @@ -166,7 +212,10 @@ static int pci_bios_read(unsigned int se
19795 - __asm__("lcall *(%%esi); cld\n\t"
19796 + __asm__("movw %w6, %%ds\n\t"
19797 + "lcall *%%ss:(%%esi); cld\n\t"
19803 @@ -175,7 +224,8 @@ static int pci_bios_read(unsigned int se
19804 : "1" (PCIBIOS_READ_CONFIG_BYTE),
19807 - "S" (&pci_indirect));
19808 + "S" (&pci_indirect),
19809 + "r" (__PCIBIOS_DS));
19811 * Zero-extend the result beyond 8 bits, do not trust the
19812 * BIOS having done it:
19813 @@ -183,7 +233,10 @@ static int pci_bios_read(unsigned int se
19817 - __asm__("lcall *(%%esi); cld\n\t"
19818 + __asm__("movw %w6, %%ds\n\t"
19819 + "lcall *%%ss:(%%esi); cld\n\t"
19825 @@ -192,7 +245,8 @@ static int pci_bios_read(unsigned int se
19826 : "1" (PCIBIOS_READ_CONFIG_WORD),
19829 - "S" (&pci_indirect));
19830 + "S" (&pci_indirect),
19831 + "r" (__PCIBIOS_DS));
19833 * Zero-extend the result beyond 16 bits, do not trust the
19834 * BIOS having done it:
19835 @@ -200,7 +254,10 @@ static int pci_bios_read(unsigned int se
19839 - __asm__("lcall *(%%esi); cld\n\t"
19840 + __asm__("movw %w6, %%ds\n\t"
19841 + "lcall *%%ss:(%%esi); cld\n\t"
19847 @@ -209,7 +266,8 @@ static int pci_bios_read(unsigned int se
19848 : "1" (PCIBIOS_READ_CONFIG_DWORD),
19851 - "S" (&pci_indirect));
19852 + "S" (&pci_indirect),
19853 + "r" (__PCIBIOS_DS));
19857 @@ -232,7 +290,10 @@ static int pci_bios_write(unsigned int s
19861 - __asm__("lcall *(%%esi); cld\n\t"
19862 + __asm__("movw %w6, %%ds\n\t"
19863 + "lcall *%%ss:(%%esi); cld\n\t"
19869 @@ -241,10 +302,14 @@ static int pci_bios_write(unsigned int s
19873 - "S" (&pci_indirect));
19874 + "S" (&pci_indirect),
19875 + "r" (__PCIBIOS_DS));
19878 - __asm__("lcall *(%%esi); cld\n\t"
19879 + __asm__("movw %w6, %%ds\n\t"
19880 + "lcall *%%ss:(%%esi); cld\n\t"
19886 @@ -253,10 +318,14 @@ static int pci_bios_write(unsigned int s
19890 - "S" (&pci_indirect));
19891 + "S" (&pci_indirect),
19892 + "r" (__PCIBIOS_DS));
19895 - __asm__("lcall *(%%esi); cld\n\t"
19896 + __asm__("movw %w6, %%ds\n\t"
19897 + "lcall *%%ss:(%%esi); cld\n\t"
19903 @@ -265,7 +334,8 @@ static int pci_bios_write(unsigned int s
19907 - "S" (&pci_indirect));
19908 + "S" (&pci_indirect),
19909 + "r" (__PCIBIOS_DS));
19913 @@ -279,7 +349,7 @@ static int pci_bios_write(unsigned int s
19914 * Function table for BIOS32 access
19917 -static struct pci_raw_ops pci_bios_access = {
19918 +static const struct pci_raw_ops pci_bios_access = {
19919 .read = pci_bios_read,
19920 .write = pci_bios_write
19922 @@ -288,7 +358,7 @@ static struct pci_raw_ops pci_bios_acces
19923 * Try to find PCI BIOS.
19926 -static struct pci_raw_ops * __devinit pci_find_bios(void)
19927 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
19929 union bios32 *check;
19931 @@ -369,10 +439,13 @@ struct irq_routing_table * pcibios_get_i
19933 DBG("PCI: Fetching IRQ routing table... ");
19934 __asm__("push %%es\n\t"
19935 + "movw %w8, %%ds\n\t"
19938 - "lcall *(%%esi); cld\n\t"
19939 + "lcall *%%ss:(%%esi); cld\n\t"
19946 @@ -383,7 +456,8 @@ struct irq_routing_table * pcibios_get_i
19949 "S" (&pci_indirect),
19952 + "r" (__PCIBIOS_DS)
19954 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
19956 @@ -407,7 +481,10 @@ int pcibios_set_irq_routing(struct pci_d
19960 - __asm__("lcall *(%%esi); cld\n\t"
19961 + __asm__("movw %w5, %%ds\n\t"
19962 + "lcall *%%ss:(%%esi); cld\n\t"
19968 @@ -415,7 +492,8 @@ int pcibios_set_irq_routing(struct pci_d
19969 : "0" (PCIBIOS_SET_PCI_HW_INT),
19970 "b" ((dev->bus->number << 8) | dev->devfn),
19971 "c" ((irq << 8) | (pin + 10)),
19972 - "S" (&pci_indirect));
19973 + "S" (&pci_indirect),
19974 + "r" (__PCIBIOS_DS));
19975 return !(ret & 0xff00);
19977 EXPORT_SYMBOL(pcibios_set_irq_routing);
19978 diff -urNp linux-2.6.35.7/arch/x86/power/cpu.c linux-2.6.35.7/arch/x86/power/cpu.c
19979 --- linux-2.6.35.7/arch/x86/power/cpu.c 2010-09-20 17:33:09.000000000 -0400
19980 +++ linux-2.6.35.7/arch/x86/power/cpu.c 2010-09-20 17:33:32.000000000 -0400
19981 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
19982 static void fix_processor_context(void)
19984 int cpu = smp_processor_id();
19985 - struct tss_struct *t = &per_cpu(init_tss, cpu);
19986 + struct tss_struct *t = init_tss + cpu;
19988 set_tss_desc(cpu, t); /*
19989 * This just modifies memory; should not be
19990 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
19993 #ifdef CONFIG_X86_64
19994 + pax_open_kernel();
19995 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
19996 + pax_close_kernel();
19998 syscall_init(); /* This sets MSR_*STAR and related */
20000 diff -urNp linux-2.6.35.7/arch/x86/vdso/Makefile linux-2.6.35.7/arch/x86/vdso/Makefile
20001 --- linux-2.6.35.7/arch/x86/vdso/Makefile 2010-08-26 19:47:12.000000000 -0400
20002 +++ linux-2.6.35.7/arch/x86/vdso/Makefile 2010-09-17 20:12:09.000000000 -0400
20003 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
20004 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
20005 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
20007 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
20008 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
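Review bot: `--no-undefined` is added to VDSO_LDFLAGS as a bare option, whereas the other linker options in this rule are passed through the compiler driver with `-Wl,` (`-Wl$(comma)--hash-style=sysv`, `-Wl,-T,...`). Whether the driver forwards or rejects a bare `--no-undefined` depends on the toolchain, so the check may be dropped or the build may fail on some compilers. Writing it as `-Wl$(comma)--no-undefined`, ideally wrapped in `$(call cc-ldoption, ...)` like its neighbour, makes the intent explicit.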
20012 diff -urNp linux-2.6.35.7/arch/x86/vdso/vclock_gettime.c linux-2.6.35.7/arch/x86/vdso/vclock_gettime.c
20013 --- linux-2.6.35.7/arch/x86/vdso/vclock_gettime.c 2010-08-26 19:47:12.000000000 -0400
20014 +++ linux-2.6.35.7/arch/x86/vdso/vclock_gettime.c 2010-09-17 20:12:09.000000000 -0400
20015 @@ -22,24 +22,48 @@
20016 #include <asm/hpet.h>
20017 #include <asm/unistd.h>
20018 #include <asm/io.h>
20019 +#include <asm/fixmap.h>
20020 #include "vextern.h"
20022 #define gtod vdso_vsyscall_gtod_data
20024 +notrace noinline long __vdso_fallback_time(long *t)
20027 + asm volatile("syscall"
20029 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
20033 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
20036 asm("syscall" : "=a" (ret) :
20037 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
20038 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
20042 +notrace static inline cycle_t __vdso_vread_hpet(void)
20044 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
20047 +notrace static inline cycle_t __vdso_vread_tsc(void)
20049 + cycle_t ret = (cycle_t)vget_cycles();
20051 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
20054 notrace static inline long vgetns(void)
20057 - cycles_t (*vread)(void);
20058 - vread = gtod->clock.vread;
20059 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
20060 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
20061 + v = __vdso_vread_tsc();
20063 + v = __vdso_vread_hpet();
20064 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
20065 return (v * gtod->clock.mult) >> gtod->clock.shift;
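Review bot: The character-by-character test of `gtod->clock.name` in vgetns() is written out again in the __vdso_clock_gettime() and __vdso_gettimeofday() hunks that follow, so three copies of the allow-list have to be kept in step by hand. Two small `notrace static inline` predicates would state the rule once and make the fast-path conditions readable. The sketch below assumes `name` is a char array or pointer in the gtod clock struct. The literal `0xf0` in __vdso_vread_hpet() would also read better as `HPET_COUNTER` from the already included `<asm/hpet.h>`.

```c
/* true when the active clock is named exactly "tsc" */
notrace static inline int vdso_clock_is_tsc(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 't' && name[1] == 's' && name[2] == 'c' && !name[3];
}

/* true when the active clock is named exactly "hpet" */
notrace static inline int vdso_clock_is_hpet(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 'h' && name[1] == 'p' && name[2] == 'e' &&
	       name[3] == 't' && !name[4];
}

notrace static inline long vgetns(void)
{
	/* … unchanged: declaration of v … */
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	/* … unchanged: HPET branch and mask/mult/shift arithmetic … */
```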
20068 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
20070 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
20072 - if (likely(gtod->sysctl_enabled))
20073 + if (likely(gtod->sysctl_enabled &&
20074 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20075 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20077 case CLOCK_REALTIME:
20078 if (likely(gtod->clock.vread))
20079 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
20080 int clock_gettime(clockid_t, struct timespec *)
20081 __attribute__((weak, alias("__vdso_clock_gettime")));
20083 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20084 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20087 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20088 + asm("syscall" : "=a" (ret) :
20089 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20093 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20095 + if (likely(gtod->sysctl_enabled &&
20096 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20097 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20099 if (likely(tv != NULL)) {
20100 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20101 offsetof(struct timespec, tv_nsec) ||
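Review bot: `__vdso_fallback_gettimeofday` issues its syscall with plain `asm(...)`, while `__vdso_fallback_time` added earlier in this file uses `asm volatile(...)`. A syscall has effects beyond its output register, and an asm with outputs that is not marked volatile may be dropped or merged by the compiler when it judges the result unused or repeated; the "memory" clobber is not documented as preventing that. I would write `asm volatile("syscall" : "=a" (ret) :` here, and the same applies to `vdso_fallback_gettime` in the first hunk, which this patch already touches to add the `r11`/`cx` clobbers. The body of `__vdso_gettimeofday` continues outside this hunk.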
20102 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
20106 - asm("syscall" : "=a" (ret) :
20107 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20109 + return __vdso_fallback_gettimeofday(tv, tz);
20111 int gettimeofday(struct timeval *, struct timezone *)
20112 __attribute__((weak, alias("__vdso_gettimeofday")));
20113 diff -urNp linux-2.6.35.7/arch/x86/vdso/vdso32-setup.c linux-2.6.35.7/arch/x86/vdso/vdso32-setup.c
20114 --- linux-2.6.35.7/arch/x86/vdso/vdso32-setup.c 2010-08-26 19:47:12.000000000 -0400
20115 +++ linux-2.6.35.7/arch/x86/vdso/vdso32-setup.c 2010-09-17 20:12:09.000000000 -0400
20117 #include <asm/tlbflush.h>
20118 #include <asm/vdso.h>
20119 #include <asm/proto.h>
20120 +#include <asm/mman.h>
20124 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20125 void enable_sep_cpu(void)
20127 int cpu = get_cpu();
20128 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
20129 + struct tss_struct *tss = init_tss + cpu;
20131 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20133 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20134 gate_vma.vm_start = FIXADDR_USER_START;
20135 gate_vma.vm_end = FIXADDR_USER_END;
20136 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20137 - gate_vma.vm_page_prot = __P101;
20138 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20140 * Make sure the vDSO gets into every core dump.
20141 * Dumping its contents makes post-mortem fully interpretable later
20142 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20144 addr = VDSO_HIGH_BASE;
20146 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20147 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20148 if (IS_ERR_VALUE(addr)) {
20154 - current->mm->context.vdso = (void *)addr;
20155 + current->mm->context.vdso = addr;
20157 if (compat_uses_vma || !compat) {
20159 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20162 current_thread_info()->sysenter_return =
20163 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20164 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20168 - current->mm->context.vdso = NULL;
20169 + current->mm->context.vdso = 0;
20171 up_write(&mm->mmap_sem);
20173 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20175 const char *arch_vma_name(struct vm_area_struct *vma)
20177 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20178 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20181 +#ifdef CONFIG_PAX_SEGMEXEC
20182 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20189 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20190 struct mm_struct *mm = tsk->mm;
20192 /* Check to see if this task was created in compat vdso mode */
20193 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20194 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20198 diff -urNp linux-2.6.35.7/arch/x86/vdso/vdso.lds.S linux-2.6.35.7/arch/x86/vdso/vdso.lds.S
20199 --- linux-2.6.35.7/arch/x86/vdso/vdso.lds.S 2010-08-26 19:47:12.000000000 -0400
20200 +++ linux-2.6.35.7/arch/x86/vdso/vdso.lds.S 2010-09-17 20:12:09.000000000 -0400
20201 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20202 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20203 #include "vextern.h"
20206 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20207 +VEXTERN(fallback_gettimeofday)
20208 +VEXTERN(fallback_time)
20211 diff -urNp linux-2.6.35.7/arch/x86/vdso/vextern.h linux-2.6.35.7/arch/x86/vdso/vextern.h
20212 --- linux-2.6.35.7/arch/x86/vdso/vextern.h 2010-08-26 19:47:12.000000000 -0400
20213 +++ linux-2.6.35.7/arch/x86/vdso/vextern.h 2010-09-17 20:12:09.000000000 -0400
20215 put into vextern.h and be referenced as a pointer with vdso prefix.
20216 The main kernel later fills in the values. */
20219 VEXTERN(vgetcpu_mode)
20220 VEXTERN(vsyscall_gtod_data)
20221 diff -urNp linux-2.6.35.7/arch/x86/vdso/vma.c linux-2.6.35.7/arch/x86/vdso/vma.c
20222 --- linux-2.6.35.7/arch/x86/vdso/vma.c 2010-08-26 19:47:12.000000000 -0400
20223 +++ linux-2.6.35.7/arch/x86/vdso/vma.c 2010-09-17 20:12:09.000000000 -0400
20224 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20228 - if (memcmp(vbase, "\177ELF", 4)) {
20229 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20230 printk("VDSO: I'm broken; not ELF\n");
20233 @@ -67,6 +67,7 @@ static int __init init_vdso_vars(void)
20234 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
20235 #include "vextern.h"
20241 @@ -117,7 +118,7 @@ int arch_setup_additional_pages(struct l
20245 - current->mm->context.vdso = (void *)addr;
20246 + current->mm->context.vdso = addr;
20248 ret = install_special_mapping(mm, addr, vdso_size,
20250 @@ -125,7 +126,7 @@ int arch_setup_additional_pages(struct l
20254 - current->mm->context.vdso = NULL;
20255 + current->mm->context.vdso = 0;
20259 @@ -133,10 +134,3 @@ up_fail:
20260 up_write(&mm->mmap_sem);
20264 -static __init int vdso_setup(char *s)
20266 - vdso_enabled = simple_strtoul(s, NULL, 0);
20269 -__setup("vdso=", vdso_setup);
20270 diff -urNp linux-2.6.35.7/arch/x86/xen/enlighten.c linux-2.6.35.7/arch/x86/xen/enlighten.c
20271 --- linux-2.6.35.7/arch/x86/xen/enlighten.c 2010-08-26 19:47:12.000000000 -0400
20272 +++ linux-2.6.35.7/arch/x86/xen/enlighten.c 2010-09-17 20:12:09.000000000 -0400
20273 @@ -74,8 +74,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20275 struct shared_info xen_dummy_shared_info;
20277 -void *xen_initial_gdt;
20280 * Point at some empty memory to start with. We map the real shared_info
20281 * page as soon as fixmap is up and running.
20282 @@ -551,7 +549,7 @@ static void xen_write_idt_entry(gate_des
20286 - start = __get_cpu_var(idt_desc).address;
20287 + start = (unsigned long)__get_cpu_var(idt_desc).address;
20288 end = start + __get_cpu_var(idt_desc).size + 1;
20291 @@ -1103,7 +1101,17 @@ asmlinkage void __init xen_start_kernel(
20292 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20294 /* Work out if we support NX */
20295 - x86_configure_nx();
20296 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20297 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20298 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20301 + __supported_pte_mask |= _PAGE_NX;
20302 + rdmsr(MSR_EFER, l, h);
20304 + wrmsr(MSR_EFER, l, h);
20308 xen_setup_features();
20310 @@ -1134,13 +1142,6 @@ asmlinkage void __init xen_start_kernel(
20312 machine_ops = xen_machine_ops;
20315 - * The only reliable way to retain the initial address of the
20316 - * percpu gdt_page is to remember it here, so we can go and
20317 - * mark it RW later, when the initial percpu area is freed.
20319 - xen_initial_gdt = &per_cpu(gdt_page, 0);
20323 pgd = (pgd_t *)xen_start_info->pt_base;
20324 diff -urNp linux-2.6.35.7/arch/x86/xen/mmu.c linux-2.6.35.7/arch/x86/xen/mmu.c
20325 --- linux-2.6.35.7/arch/x86/xen/mmu.c 2010-08-26 19:47:12.000000000 -0400
20326 +++ linux-2.6.35.7/arch/x86/xen/mmu.c 2010-09-17 20:12:09.000000000 -0400
20327 @@ -1694,6 +1694,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20328 convert_pfn_mfn(init_level4_pgt);
20329 convert_pfn_mfn(level3_ident_pgt);
20330 convert_pfn_mfn(level3_kernel_pgt);
20331 + convert_pfn_mfn(level3_vmalloc_pgt);
20332 + convert_pfn_mfn(level3_vmemmap_pgt);
20334 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20335 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20336 @@ -1712,7 +1714,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20337 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20338 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20339 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20340 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20341 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20342 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20343 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20344 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20345 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20347 diff -urNp linux-2.6.35.7/arch/x86/xen/smp.c linux-2.6.35.7/arch/x86/xen/smp.c
20348 --- linux-2.6.35.7/arch/x86/xen/smp.c 2010-08-26 19:47:12.000000000 -0400
20349 +++ linux-2.6.35.7/arch/x86/xen/smp.c 2010-09-17 20:12:09.000000000 -0400
20350 @@ -169,11 +169,6 @@ static void __init xen_smp_prepare_boot_
20352 BUG_ON(smp_processor_id() != 0);
20353 native_smp_prepare_boot_cpu();
20355 - /* We've switched to the "real" per-cpu gdt, so make sure the
20356 - old memory can be recycled */
20357 - make_lowmem_page_readwrite(xen_initial_gdt);
20359 xen_setup_vcpu_info_placement();
20362 @@ -233,8 +228,8 @@ cpu_initialize_context(unsigned int cpu,
20363 gdt = get_cpu_gdt_table(cpu);
20365 ctxt->flags = VGCF_IN_KERNEL;
20366 - ctxt->user_regs.ds = __USER_DS;
20367 - ctxt->user_regs.es = __USER_DS;
20368 + ctxt->user_regs.ds = __KERNEL_DS;
20369 + ctxt->user_regs.es = __KERNEL_DS;
20370 ctxt->user_regs.ss = __KERNEL_DS;
20371 #ifdef CONFIG_X86_32
20372 ctxt->user_regs.fs = __KERNEL_PERCPU;
20373 diff -urNp linux-2.6.35.7/arch/x86/xen/xen-head.S linux-2.6.35.7/arch/x86/xen/xen-head.S
20374 --- linux-2.6.35.7/arch/x86/xen/xen-head.S 2010-08-26 19:47:12.000000000 -0400
20375 +++ linux-2.6.35.7/arch/x86/xen/xen-head.S 2010-09-17 20:12:09.000000000 -0400
20376 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20377 #ifdef CONFIG_X86_32
20378 mov %esi,xen_start_info
20379 mov $init_thread_union+THREAD_SIZE,%esp
20381 + movl $cpu_gdt_table,%edi
20382 + movl $__per_cpu_load,%eax
20383 + movw %ax,__KERNEL_PERCPU + 2(%edi)
20385 + movb %al,__KERNEL_PERCPU + 4(%edi)
20386 + movb %ah,__KERNEL_PERCPU + 7(%edi)
20387 + movl $__per_cpu_end - 1,%eax
20388 + subl $__per_cpu_start,%eax
20389 + movw %ax,__KERNEL_PERCPU + 0(%edi)
20392 mov %rsi,xen_start_info
20393 mov $init_thread_union+THREAD_SIZE,%rsp
20394 diff -urNp linux-2.6.35.7/arch/x86/xen/xen-ops.h linux-2.6.35.7/arch/x86/xen/xen-ops.h
20395 --- linux-2.6.35.7/arch/x86/xen/xen-ops.h 2010-08-26 19:47:12.000000000 -0400
20396 +++ linux-2.6.35.7/arch/x86/xen/xen-ops.h 2010-09-17 20:12:09.000000000 -0400
20398 extern const char xen_hypervisor_callback[];
20399 extern const char xen_failsafe_callback[];
20401 -extern void *xen_initial_gdt;
20404 void xen_copy_trap_info(struct trap_info *traps);
20406 diff -urNp linux-2.6.35.7/block/blk-iopoll.c linux-2.6.35.7/block/blk-iopoll.c
20407 --- linux-2.6.35.7/block/blk-iopoll.c 2010-08-26 19:47:12.000000000 -0400
20408 +++ linux-2.6.35.7/block/blk-iopoll.c 2010-09-17 20:12:09.000000000 -0400
20409 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20411 EXPORT_SYMBOL(blk_iopoll_complete);
20413 -static void blk_iopoll_softirq(struct softirq_action *h)
20414 +static void blk_iopoll_softirq(void)
20416 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20417 int rearm = 0, budget = blk_iopoll_budget;
20418 diff -urNp linux-2.6.35.7/block/blk-map.c linux-2.6.35.7/block/blk-map.c
20419 --- linux-2.6.35.7/block/blk-map.c 2010-08-26 19:47:12.000000000 -0400
20420 +++ linux-2.6.35.7/block/blk-map.c 2010-09-17 20:12:09.000000000 -0400
20421 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
20422 * direct dma. else, set up kernel bounce buffers
20424 uaddr = (unsigned long) ubuf;
20425 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
20426 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
20427 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
20429 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
20430 @@ -297,7 +297,7 @@ int blk_rq_map_kern(struct request_queue
20434 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
20435 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
20437 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20439 diff -urNp linux-2.6.35.7/block/blk-softirq.c linux-2.6.35.7/block/blk-softirq.c
20440 --- linux-2.6.35.7/block/blk-softirq.c 2010-08-26 19:47:12.000000000 -0400
20441 +++ linux-2.6.35.7/block/blk-softirq.c 2010-09-17 20:12:09.000000000 -0400
20442 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20443 * Softirq action handler - move entries to local list and loop over them
20444 * while passing them to the queue registered handler.
20446 -static void blk_done_softirq(struct softirq_action *h)
20447 +static void blk_done_softirq(void)
20449 struct list_head *cpu_list, local_list;
20451 diff -urNp linux-2.6.35.7/crypto/lrw.c linux-2.6.35.7/crypto/lrw.c
20452 --- linux-2.6.35.7/crypto/lrw.c 2010-08-26 19:47:12.000000000 -0400
20453 +++ linux-2.6.35.7/crypto/lrw.c 2010-09-17 20:12:09.000000000 -0400
20454 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20455 struct priv *ctx = crypto_tfm_ctx(parent);
20456 struct crypto_cipher *child = ctx->child;
20458 - be128 tmp = { 0 };
20459 + be128 tmp = { 0, 0 };
20460 int bsize = crypto_cipher_blocksize(child);
20462 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
20463 diff -urNp linux-2.6.35.7/Documentation/dontdiff linux-2.6.35.7/Documentation/dontdiff
20464 --- linux-2.6.35.7/Documentation/dontdiff 2010-08-26 19:47:12.000000000 -0400
20465 +++ linux-2.6.35.7/Documentation/dontdiff 2010-09-17 20:12:09.000000000 -0400
20485 @@ -49,11 +52,16 @@
20502 @@ -76,7 +84,10 @@ btfixupprep
20513 @@ -100,19 +111,22 @@ fore200e_mkfirm
20528 initramfs_data.cpio
20529 +initramfs_data.cpio.bz2
20530 initramfs_data.cpio.gz
20537 @@ -136,10 +150,13 @@ mkboot
20551 @@ -151,7 +168,9 @@ parse.h
20561 @@ -160,12 +179,14 @@ qconf
20576 @@ -189,14 +210,20 @@ version.h*
20597 diff -urNp linux-2.6.35.7/Documentation/filesystems/sysfs.txt linux-2.6.35.7/Documentation/filesystems/sysfs.txt
20598 --- linux-2.6.35.7/Documentation/filesystems/sysfs.txt 2010-08-26 19:47:12.000000000 -0400
20599 +++ linux-2.6.35.7/Documentation/filesystems/sysfs.txt 2010-09-17 20:12:09.000000000 -0400
20600 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20601 show and store methods of the attribute owners.
20604 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
20605 - ssize_t (*store)(struct kobject *, struct attribute *, const char *);
20606 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20607 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *);
20610 [ Subsystems should have already defined a struct kobj_type as a
20611 diff -urNp linux-2.6.35.7/Documentation/kernel-parameters.txt linux-2.6.35.7/Documentation/kernel-parameters.txt
20612 --- linux-2.6.35.7/Documentation/kernel-parameters.txt 2010-08-26 19:47:12.000000000 -0400
20613 +++ linux-2.6.35.7/Documentation/kernel-parameters.txt 2010-09-17 20:12:09.000000000 -0400
20614 @@ -1910,6 +1910,12 @@ and is between 256 and 4096 characters.
20615 the specified number of seconds. This is to be used if
20616 your oopses keep scrolling off the screen.
20618 + pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
20619 + virtualization environments that don't cope well with the
20620 + expand down segment used by UDEREF on X86-32.
20622 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
20627 diff -urNp linux-2.6.35.7/drivers/acpi/battery.c linux-2.6.35.7/drivers/acpi/battery.c
20628 --- linux-2.6.35.7/drivers/acpi/battery.c 2010-08-26 19:47:12.000000000 -0400
20629 +++ linux-2.6.35.7/drivers/acpi/battery.c 2010-09-17 20:12:09.000000000 -0400
20630 @@ -810,7 +810,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
20633 static struct battery_file {
20634 - struct file_operations ops;
20635 + const struct file_operations ops;
20638 } acpi_battery_file[] = {
20639 diff -urNp linux-2.6.35.7/drivers/acpi/blacklist.c linux-2.6.35.7/drivers/acpi/blacklist.c
20640 --- linux-2.6.35.7/drivers/acpi/blacklist.c 2010-08-26 19:47:12.000000000 -0400
20641 +++ linux-2.6.35.7/drivers/acpi/blacklist.c 2010-09-17 20:12:09.000000000 -0400
20642 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
20643 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20644 "Incorrect _ADR", 1},
20647 + {"", "", 0, NULL, all_versions, NULL, 0}
20650 #if CONFIG_ACPI_BLACKLIST_YEAR
20651 diff -urNp linux-2.6.35.7/drivers/acpi/dock.c linux-2.6.35.7/drivers/acpi/dock.c
20652 --- linux-2.6.35.7/drivers/acpi/dock.c 2010-08-26 19:47:12.000000000 -0400
20653 +++ linux-2.6.35.7/drivers/acpi/dock.c 2010-09-17 20:12:09.000000000 -0400
20654 @@ -77,7 +77,7 @@ struct dock_dependent_device {
20655 struct list_head list;
20656 struct list_head hotplug_list;
20657 acpi_handle handle;
20658 - struct acpi_dock_ops *ops;
20659 + const struct acpi_dock_ops *ops;
20663 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
20664 * the dock driver after _DCK is executed.
20667 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20668 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20671 struct dock_dependent_device *dd;
20672 diff -urNp linux-2.6.35.7/drivers/acpi/osl.c linux-2.6.35.7/drivers/acpi/osl.c
20673 --- linux-2.6.35.7/drivers/acpi/osl.c 2010-08-26 19:47:12.000000000 -0400
20674 +++ linux-2.6.35.7/drivers/acpi/osl.c 2010-09-17 20:12:09.000000000 -0400
20675 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
20676 void __iomem *virt_addr;
20678 virt_addr = ioremap(phys_addr, width);
20680 + return AE_NO_MEMORY;
20684 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
20685 void __iomem *virt_addr;
20687 virt_addr = ioremap(phys_addr, width);
20689 + return AE_NO_MEMORY;
20693 diff -urNp linux-2.6.35.7/drivers/acpi/power_meter.c linux-2.6.35.7/drivers/acpi/power_meter.c
20694 --- linux-2.6.35.7/drivers/acpi/power_meter.c 2010-08-26 19:47:12.000000000 -0400
20695 +++ linux-2.6.35.7/drivers/acpi/power_meter.c 2010-09-17 20:12:09.000000000 -0400
20696 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
20703 mutex_lock(&resource->lock);
20704 resource->trip[attr->index - 7] = temp;
20705 diff -urNp linux-2.6.35.7/drivers/acpi/proc.c linux-2.6.35.7/drivers/acpi/proc.c
20706 --- linux-2.6.35.7/drivers/acpi/proc.c 2010-08-26 19:47:12.000000000 -0400
20707 +++ linux-2.6.35.7/drivers/acpi/proc.c 2010-09-17 20:12:09.000000000 -0400
20708 @@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
20709 size_t count, loff_t * ppos)
20711 struct list_head *node, *next;
20713 - char str[5] = "";
20714 - unsigned int len = count;
20715 + char strbuf[5] = {0};
20716 struct acpi_device *found_dev = NULL;
20725 - if (copy_from_user(strbuf, buffer, len))
20726 + if (copy_from_user(strbuf, buffer, count))
20728 - strbuf[len] = '\0';
20729 - sscanf(strbuf, "%s", str);
20730 + strbuf[count] = '\0';
20732 mutex_lock(&acpi_device_lock);
20733 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
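Review bot: Dropping the `sscanf(strbuf, "%s", str)` step means the bus-id comparison in the next hunk, `strncmp(dev->pnp.bus_id, strbuf, 4)`, now sees the raw user bytes, including any leading or trailing whitespace. A four-character id still matches, but a shorter id written with a trailing newline (three letters plus `\n`, as `echo` would send) would presumably stop matching, where the old code stripped the whitespace first. If that input is meant to keep working, cut the string at the first whitespace after the NUL store, e.g. `strbuf[strcspn(strbuf, " \t\n")] = '\0';`. Separately, `strbuf[count] = '\0'` is in bounds for the 5-byte buffer only if `count` has been clamped to 4 beforehand. That clamp is not visible in this listing and is worth confirming, along with whether the function still returns the caller's original length. The function body continues outside the hunk.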
20734 @@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
20735 if (!dev->wakeup.flags.valid)
20738 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
20739 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
20740 dev->wakeup.state.enabled =
20741 dev->wakeup.state.enabled ? 0 : 1;
20743 diff -urNp linux-2.6.35.7/drivers/acpi/processor_driver.c linux-2.6.35.7/drivers/acpi/processor_driver.c
20744 --- linux-2.6.35.7/drivers/acpi/processor_driver.c 2010-08-26 19:47:12.000000000 -0400
20745 +++ linux-2.6.35.7/drivers/acpi/processor_driver.c 2010-09-17 20:12:09.000000000 -0400
20746 @@ -586,7 +586,7 @@ static int __cpuinit acpi_processor_add(
20750 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
20751 + BUG_ON(pr->id >= nr_cpu_ids);
20755 diff -urNp linux-2.6.35.7/drivers/acpi/processor_idle.c linux-2.6.35.7/drivers/acpi/processor_idle.c
20756 --- linux-2.6.35.7/drivers/acpi/processor_idle.c 2010-08-26 19:47:12.000000000 -0400
20757 +++ linux-2.6.35.7/drivers/acpi/processor_idle.c 2010-09-17 20:12:09.000000000 -0400
20758 @@ -124,7 +124,7 @@ static struct dmi_system_id __cpuinitdat
20759 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
20760 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
20763 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
20767 diff -urNp linux-2.6.35.7/drivers/acpi/sleep.c linux-2.6.35.7/drivers/acpi/sleep.c
20768 --- linux-2.6.35.7/drivers/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
20769 +++ linux-2.6.35.7/drivers/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
20770 @@ -318,7 +318,7 @@ static int acpi_suspend_state_valid(susp
20774 -static struct platform_suspend_ops acpi_suspend_ops = {
20775 +static const struct platform_suspend_ops acpi_suspend_ops = {
20776 .valid = acpi_suspend_state_valid,
20777 .begin = acpi_suspend_begin,
20778 .prepare_late = acpi_pm_prepare,
20779 @@ -346,7 +346,7 @@ static int acpi_suspend_begin_old(suspen
20780 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20783 -static struct platform_suspend_ops acpi_suspend_ops_old = {
20784 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
20785 .valid = acpi_suspend_state_valid,
20786 .begin = acpi_suspend_begin_old,
20787 .prepare_late = acpi_pm_freeze,
20788 @@ -478,7 +478,7 @@ static void acpi_pm_thaw(void)
20789 acpi_enable_all_runtime_gpes();
20792 -static struct platform_hibernation_ops acpi_hibernation_ops = {
20793 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
20794 .begin = acpi_hibernation_begin,
20795 .end = acpi_pm_end,
20796 .pre_snapshot = acpi_hibernation_pre_snapshot,
20797 @@ -528,7 +528,7 @@ static int acpi_hibernation_pre_snapshot
20798 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20801 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
20802 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
20803 .begin = acpi_hibernation_begin_old,
20804 .end = acpi_pm_end,
20805 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
20806 diff -urNp linux-2.6.35.7/drivers/acpi/video.c linux-2.6.35.7/drivers/acpi/video.c
20807 --- linux-2.6.35.7/drivers/acpi/video.c 2010-08-26 19:47:12.000000000 -0400
20808 +++ linux-2.6.35.7/drivers/acpi/video.c 2010-09-17 20:12:09.000000000 -0400
20809 @@ -363,7 +363,7 @@ static int acpi_video_set_brightness(str
20810 vd->brightness->levels[request_level]);
20813 -static struct backlight_ops acpi_backlight_ops = {
20814 +static const struct backlight_ops acpi_backlight_ops = {
20815 .get_brightness = acpi_video_get_brightness,
20816 .update_status = acpi_video_set_brightness,
20818 diff -urNp linux-2.6.35.7/drivers/ata/ahci.c linux-2.6.35.7/drivers/ata/ahci.c
20819 --- linux-2.6.35.7/drivers/ata/ahci.c 2010-08-26 19:47:12.000000000 -0400
20820 +++ linux-2.6.35.7/drivers/ata/ahci.c 2010-09-17 20:12:09.000000000 -0400
20821 @@ -89,17 +89,17 @@ static int ahci_pci_device_suspend(struc
20822 static int ahci_pci_device_resume(struct pci_dev *pdev);
20825 -static struct ata_port_operations ahci_vt8251_ops = {
20826 +static const struct ata_port_operations ahci_vt8251_ops = {
20827 .inherits = &ahci_ops,
20828 .hardreset = ahci_vt8251_hardreset,
20831 -static struct ata_port_operations ahci_p5wdh_ops = {
20832 +static const struct ata_port_operations ahci_p5wdh_ops = {
20833 .inherits = &ahci_ops,
20834 .hardreset = ahci_p5wdh_hardreset,
20837 -static struct ata_port_operations ahci_sb600_ops = {
20838 +static const struct ata_port_operations ahci_sb600_ops = {
20839 .inherits = &ahci_ops,
20840 .softreset = ahci_sb600_softreset,
20841 .pmp_softreset = ahci_sb600_softreset,
20842 @@ -370,7 +370,7 @@ static const struct pci_device_id ahci_p
20843 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
20844 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
20846 - { } /* terminate list */
20847 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20851 diff -urNp linux-2.6.35.7/drivers/ata/ahci.h linux-2.6.35.7/drivers/ata/ahci.h
20852 --- linux-2.6.35.7/drivers/ata/ahci.h 2010-08-26 19:47:12.000000000 -0400
20853 +++ linux-2.6.35.7/drivers/ata/ahci.h 2010-09-17 20:12:09.000000000 -0400
20854 @@ -298,7 +298,7 @@ struct ahci_host_priv {
20855 extern int ahci_ignore_sss;
20857 extern struct scsi_host_template ahci_sht;
20858 -extern struct ata_port_operations ahci_ops;
20859 +extern const struct ata_port_operations ahci_ops;
20861 void ahci_save_initial_config(struct device *dev,
20862 struct ahci_host_priv *hpriv,
20863 diff -urNp linux-2.6.35.7/drivers/ata/ata_generic.c linux-2.6.35.7/drivers/ata/ata_generic.c
20864 --- linux-2.6.35.7/drivers/ata/ata_generic.c 2010-08-26 19:47:12.000000000 -0400
20865 +++ linux-2.6.35.7/drivers/ata/ata_generic.c 2010-09-17 20:12:09.000000000 -0400
20866 @@ -104,7 +104,7 @@ static struct scsi_host_template generic
20867 ATA_BMDMA_SHT(DRV_NAME),
20870 -static struct ata_port_operations generic_port_ops = {
20871 +static const struct ata_port_operations generic_port_ops = {
20872 .inherits = &ata_bmdma_port_ops,
20873 .cable_detect = ata_cable_unknown,
20874 .set_mode = generic_set_mode,
20875 diff -urNp linux-2.6.35.7/drivers/ata/ata_piix.c linux-2.6.35.7/drivers/ata/ata_piix.c
20876 --- linux-2.6.35.7/drivers/ata/ata_piix.c 2010-08-26 19:47:12.000000000 -0400
20877 +++ linux-2.6.35.7/drivers/ata/ata_piix.c 2010-09-17 20:12:09.000000000 -0400
20878 @@ -302,7 +302,7 @@ static const struct pci_device_id piix_p
20879 { 0x8086, 0x1c08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20880 /* SATA Controller IDE (CPT) */
20881 { 0x8086, 0x1c09, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20882 - { } /* terminate list */
20883 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20886 static struct pci_driver piix_pci_driver = {
20887 @@ -320,12 +320,12 @@ static struct scsi_host_template piix_sh
20888 ATA_BMDMA_SHT(DRV_NAME),
20891 -static struct ata_port_operations piix_sata_ops = {
20892 +static const struct ata_port_operations piix_sata_ops = {
20893 .inherits = &ata_bmdma32_port_ops,
20894 .sff_irq_check = piix_irq_check,
20897 -static struct ata_port_operations piix_pata_ops = {
20898 +static const struct ata_port_operations piix_pata_ops = {
20899 .inherits = &piix_sata_ops,
20900 .cable_detect = ata_cable_40wire,
20901 .set_piomode = piix_set_piomode,
20902 @@ -333,18 +333,18 @@ static struct ata_port_operations piix_p
20903 .prereset = piix_pata_prereset,
20906 -static struct ata_port_operations piix_vmw_ops = {
20907 +static const struct ata_port_operations piix_vmw_ops = {
20908 .inherits = &piix_pata_ops,
20909 .bmdma_status = piix_vmw_bmdma_status,
20912 -static struct ata_port_operations ich_pata_ops = {
20913 +static const struct ata_port_operations ich_pata_ops = {
20914 .inherits = &piix_pata_ops,
20915 .cable_detect = ich_pata_cable_detect,
20916 .set_dmamode = ich_set_dmamode,
20919 -static struct ata_port_operations piix_sidpr_sata_ops = {
20920 +static const struct ata_port_operations piix_sidpr_sata_ops = {
20921 .inherits = &piix_sata_ops,
20922 .hardreset = sata_std_hardreset,
20923 .scr_read = piix_sidpr_scr_read,
20924 @@ -620,7 +620,7 @@ static const struct ich_laptop ich_lapto
20925 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
20926 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
20933 @@ -1112,7 +1112,7 @@ static int piix_broken_suspend(void)
20937 - { } /* terminate list */
20938 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
20940 static const char *oemstrs[] = {
20942 diff -urNp linux-2.6.35.7/drivers/ata/libahci.c linux-2.6.35.7/drivers/ata/libahci.c
20943 --- linux-2.6.35.7/drivers/ata/libahci.c 2010-09-20 17:33:09.000000000 -0400
20944 +++ linux-2.6.35.7/drivers/ata/libahci.c 2010-09-20 17:33:32.000000000 -0400
20945 @@ -149,7 +149,7 @@ struct scsi_host_template ahci_sht = {
20947 EXPORT_SYMBOL_GPL(ahci_sht);
20949 -struct ata_port_operations ahci_ops = {
20950 +const struct ata_port_operations ahci_ops = {
20951 .inherits = &sata_pmp_port_ops,
20953 .qc_defer = ahci_pmp_qc_defer,
20954 diff -urNp linux-2.6.35.7/drivers/ata/libata-acpi.c linux-2.6.35.7/drivers/ata/libata-acpi.c
20955 --- linux-2.6.35.7/drivers/ata/libata-acpi.c 2010-08-26 19:47:12.000000000 -0400
20956 +++ linux-2.6.35.7/drivers/ata/libata-acpi.c 2010-09-17 20:12:09.000000000 -0400
20957 @@ -224,12 +224,12 @@ static void ata_acpi_dev_uevent(acpi_han
20958 ata_acpi_uevent(dev->link->ap, dev, event);
20961 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20962 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20963 .handler = ata_acpi_dev_notify_dock,
20964 .uevent = ata_acpi_dev_uevent,
20967 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20968 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20969 .handler = ata_acpi_ap_notify_dock,
20970 .uevent = ata_acpi_ap_uevent,
20972 diff -urNp linux-2.6.35.7/drivers/ata/libata-core.c linux-2.6.35.7/drivers/ata/libata-core.c
20973 --- linux-2.6.35.7/drivers/ata/libata-core.c 2010-09-20 17:33:09.000000000 -0400
20974 +++ linux-2.6.35.7/drivers/ata/libata-core.c 2010-10-11 22:41:44.000000000 -0400
20975 @@ -901,7 +901,7 @@ static const struct ata_xfer_ent {
20976 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
20977 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
20978 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
20984 @@ -3073,7 +3073,7 @@ static const struct ata_timing ata_timin
20985 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
20986 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
20989 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
20992 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
20993 @@ -4323,7 +4323,7 @@ static const struct ata_blacklist_entry
20994 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
20998 + { NULL, NULL, 0 }
21001 static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
21002 @@ -4884,7 +4884,7 @@ void ata_qc_free(struct ata_queued_cmd *
21003 struct ata_port *ap;
21006 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21007 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21011 @@ -4900,7 +4900,7 @@ void __ata_qc_complete(struct ata_queued
21012 struct ata_port *ap;
21013 struct ata_link *link;
21015 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21016 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21017 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
21019 link = qc->dev->link;
21020 @@ -5881,7 +5881,7 @@ static void ata_host_stop(struct device
21024 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
21025 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
21027 static DEFINE_SPINLOCK(lock);
21028 const struct ata_port_operations *cur;
21029 @@ -5893,6 +5893,7 @@ static void ata_finalize_port_ops(struct
21033 + pax_open_kernel();
21035 for (cur = ops->inherits; cur; cur = cur->inherits) {
21036 void **inherit = (void **)cur;
21037 @@ -5906,8 +5907,9 @@ static void ata_finalize_port_ops(struct
21041 - ops->inherits = NULL;
21042 + ((struct ata_port_operations *)ops)->inherits = NULL;
21044 + pax_close_kernel();
21045 spin_unlock(&lock);
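Review bot: `((struct ata_port_operations *)ops)->inherits = NULL;` writes through a parameter this patch has just declared `const`, so the new signature of `ata_finalize_port_ops` promises callers something the function does not keep. The store only works because it sits between `pax_open_kernel()` (added in the previous hunk) and `pax_close_kernel()`. That deserves a comment above the function, e.g. `/* ops may sit in read-only memory; it is patched in place, under lock, only inside the pax_open_kernel()/pax_close_kernel() window */`. The body between the two calls is not fully visible here, so it should be checked that no `return` or `goto` can leave the window open and that the window covers only the stores into `ops`. Closing the window before `spin_unlock(&lock)` is the right order.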
21048 @@ -6004,7 +6006,7 @@ int ata_host_start(struct ata_host *host
21050 /* KILLME - the only user left is ipr */
21051 void ata_host_init(struct ata_host *host, struct device *dev,
21052 - unsigned long flags, struct ata_port_operations *ops)
21053 + unsigned long flags, const struct ata_port_operations *ops)
21055 spin_lock_init(&host->lock);
21057 @@ -6654,7 +6656,7 @@ static void ata_dummy_error_handler(stru
21061 -struct ata_port_operations ata_dummy_port_ops = {
21062 +const struct ata_port_operations ata_dummy_port_ops = {
21063 .qc_prep = ata_noop_qc_prep,
21064 .qc_issue = ata_dummy_qc_issue,
21065 .error_handler = ata_dummy_error_handler,
21066 diff -urNp linux-2.6.35.7/drivers/ata/libata-eh.c linux-2.6.35.7/drivers/ata/libata-eh.c
21067 --- linux-2.6.35.7/drivers/ata/libata-eh.c 2010-09-20 17:33:09.000000000 -0400
21068 +++ linux-2.6.35.7/drivers/ata/libata-eh.c 2010-09-20 17:33:32.000000000 -0400
21069 @@ -3684,7 +3684,7 @@ void ata_do_eh(struct ata_port *ap, ata_
21071 void ata_std_error_handler(struct ata_port *ap)
21073 - struct ata_port_operations *ops = ap->ops;
21074 + const struct ata_port_operations *ops = ap->ops;
21075 ata_reset_fn_t hardreset = ops->hardreset;
21077 /* ignore built-in hardreset if SCR access is not available */
21078 diff -urNp linux-2.6.35.7/drivers/ata/libata-pmp.c linux-2.6.35.7/drivers/ata/libata-pmp.c
21079 --- linux-2.6.35.7/drivers/ata/libata-pmp.c 2010-08-26 19:47:12.000000000 -0400
21080 +++ linux-2.6.35.7/drivers/ata/libata-pmp.c 2010-09-17 20:12:09.000000000 -0400
21081 @@ -868,7 +868,7 @@ static int sata_pmp_handle_link_fail(str
21083 static int sata_pmp_eh_recover(struct ata_port *ap)
21085 - struct ata_port_operations *ops = ap->ops;
21086 + const struct ata_port_operations *ops = ap->ops;
21087 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
21088 struct ata_link *pmp_link = &ap->link;
21089 struct ata_device *pmp_dev = pmp_link->device;
21090 diff -urNp linux-2.6.35.7/drivers/ata/pata_acpi.c linux-2.6.35.7/drivers/ata/pata_acpi.c
21091 --- linux-2.6.35.7/drivers/ata/pata_acpi.c 2010-08-26 19:47:12.000000000 -0400
21092 +++ linux-2.6.35.7/drivers/ata/pata_acpi.c 2010-09-17 20:12:09.000000000 -0400
21093 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
21094 ATA_BMDMA_SHT(DRV_NAME),
21097 -static struct ata_port_operations pacpi_ops = {
21098 +static const struct ata_port_operations pacpi_ops = {
21099 .inherits = &ata_bmdma_port_ops,
21100 .qc_issue = pacpi_qc_issue,
21101 .cable_detect = pacpi_cable_detect,
21102 diff -urNp linux-2.6.35.7/drivers/ata/pata_ali.c linux-2.6.35.7/drivers/ata/pata_ali.c
21103 --- linux-2.6.35.7/drivers/ata/pata_ali.c 2010-08-26 19:47:12.000000000 -0400
21104 +++ linux-2.6.35.7/drivers/ata/pata_ali.c 2010-09-17 20:12:09.000000000 -0400
21105 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
21106 * Port operations for PIO only ALi
21109 -static struct ata_port_operations ali_early_port_ops = {
21110 +static const struct ata_port_operations ali_early_port_ops = {
21111 .inherits = &ata_sff_port_ops,
21112 .cable_detect = ata_cable_40wire,
21113 .set_piomode = ali_set_piomode,
21114 @@ -380,7 +380,7 @@ static const struct ata_port_operations
21115 * Port operations for DMA capable ALi without cable
21118 -static struct ata_port_operations ali_20_port_ops = {
21119 +static const struct ata_port_operations ali_20_port_ops = {
21120 .inherits = &ali_dma_base_ops,
21121 .cable_detect = ata_cable_40wire,
21122 .mode_filter = ali_20_filter,
21123 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
21125 * Port operations for DMA capable ALi with cable detect
21127 -static struct ata_port_operations ali_c2_port_ops = {
21128 +static const struct ata_port_operations ali_c2_port_ops = {
21129 .inherits = &ali_dma_base_ops,
21130 .check_atapi_dma = ali_check_atapi_dma,
21131 .cable_detect = ali_c2_cable_detect,
21132 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
21134 * Port operations for DMA capable ALi with cable detect
21136 -static struct ata_port_operations ali_c4_port_ops = {
21137 +static const struct ata_port_operations ali_c4_port_ops = {
21138 .inherits = &ali_dma_base_ops,
21139 .check_atapi_dma = ali_check_atapi_dma,
21140 .cable_detect = ali_c2_cable_detect,
21141 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
21143 * Port operations for DMA capable ALi with cable detect and LBA48
21145 -static struct ata_port_operations ali_c5_port_ops = {
21146 +static const struct ata_port_operations ali_c5_port_ops = {
21147 .inherits = &ali_dma_base_ops,
21148 .check_atapi_dma = ali_check_atapi_dma,
21149 .dev_config = ali_warn_atapi_dma,
21150 diff -urNp linux-2.6.35.7/drivers/ata/pata_amd.c linux-2.6.35.7/drivers/ata/pata_amd.c
21151 --- linux-2.6.35.7/drivers/ata/pata_amd.c 2010-08-26 19:47:12.000000000 -0400
21152 +++ linux-2.6.35.7/drivers/ata/pata_amd.c 2010-09-17 20:12:09.000000000 -0400
21153 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21154 .prereset = amd_pre_reset,
21157 -static struct ata_port_operations amd33_port_ops = {
21158 +static const struct ata_port_operations amd33_port_ops = {
21159 .inherits = &amd_base_port_ops,
21160 .cable_detect = ata_cable_40wire,
21161 .set_piomode = amd33_set_piomode,
21162 .set_dmamode = amd33_set_dmamode,
21165 -static struct ata_port_operations amd66_port_ops = {
21166 +static const struct ata_port_operations amd66_port_ops = {
21167 .inherits = &amd_base_port_ops,
21168 .cable_detect = ata_cable_unknown,
21169 .set_piomode = amd66_set_piomode,
21170 .set_dmamode = amd66_set_dmamode,
21173 -static struct ata_port_operations amd100_port_ops = {
21174 +static const struct ata_port_operations amd100_port_ops = {
21175 .inherits = &amd_base_port_ops,
21176 .cable_detect = ata_cable_unknown,
21177 .set_piomode = amd100_set_piomode,
21178 .set_dmamode = amd100_set_dmamode,
21181 -static struct ata_port_operations amd133_port_ops = {
21182 +static const struct ata_port_operations amd133_port_ops = {
21183 .inherits = &amd_base_port_ops,
21184 .cable_detect = amd_cable_detect,
21185 .set_piomode = amd133_set_piomode,
21186 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21187 .host_stop = nv_host_stop,
21190 -static struct ata_port_operations nv100_port_ops = {
21191 +static const struct ata_port_operations nv100_port_ops = {
21192 .inherits = &nv_base_port_ops,
21193 .set_piomode = nv100_set_piomode,
21194 .set_dmamode = nv100_set_dmamode,
21197 -static struct ata_port_operations nv133_port_ops = {
21198 +static const struct ata_port_operations nv133_port_ops = {
21199 .inherits = &nv_base_port_ops,
21200 .set_piomode = nv133_set_piomode,
21201 .set_dmamode = nv133_set_dmamode,
21202 diff -urNp linux-2.6.35.7/drivers/ata/pata_artop.c linux-2.6.35.7/drivers/ata/pata_artop.c
21203 --- linux-2.6.35.7/drivers/ata/pata_artop.c 2010-08-26 19:47:12.000000000 -0400
21204 +++ linux-2.6.35.7/drivers/ata/pata_artop.c 2010-09-17 20:12:09.000000000 -0400
21205 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
21206 ATA_BMDMA_SHT(DRV_NAME),
21209 -static struct ata_port_operations artop6210_ops = {
21210 +static const struct ata_port_operations artop6210_ops = {
21211 .inherits = &ata_bmdma_port_ops,
21212 .cable_detect = ata_cable_40wire,
21213 .set_piomode = artop6210_set_piomode,
21214 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
21215 .qc_defer = artop6210_qc_defer,
21218 -static struct ata_port_operations artop6260_ops = {
21219 +static const struct ata_port_operations artop6260_ops = {
21220 .inherits = &ata_bmdma_port_ops,
21221 .cable_detect = artop6260_cable_detect,
21222 .set_piomode = artop6260_set_piomode,
21223 diff -urNp linux-2.6.35.7/drivers/ata/pata_at32.c linux-2.6.35.7/drivers/ata/pata_at32.c
21224 --- linux-2.6.35.7/drivers/ata/pata_at32.c 2010-08-26 19:47:12.000000000 -0400
21225 +++ linux-2.6.35.7/drivers/ata/pata_at32.c 2010-09-17 20:12:09.000000000 -0400
21226 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21227 ATA_PIO_SHT(DRV_NAME),
21230 -static struct ata_port_operations at32_port_ops = {
21231 +static const struct ata_port_operations at32_port_ops = {
21232 .inherits = &ata_sff_port_ops,
21233 .cable_detect = ata_cable_40wire,
21234 .set_piomode = pata_at32_set_piomode,
21235 diff -urNp linux-2.6.35.7/drivers/ata/pata_at91.c linux-2.6.35.7/drivers/ata/pata_at91.c
21236 --- linux-2.6.35.7/drivers/ata/pata_at91.c 2010-08-26 19:47:12.000000000 -0400
21237 +++ linux-2.6.35.7/drivers/ata/pata_at91.c 2010-09-17 20:12:09.000000000 -0400
21238 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21239 ATA_PIO_SHT(DRV_NAME),
21242 -static struct ata_port_operations pata_at91_port_ops = {
21243 +static const struct ata_port_operations pata_at91_port_ops = {
21244 .inherits = &ata_sff_port_ops,
21246 .sff_data_xfer = pata_at91_data_xfer_noirq,
21247 diff -urNp linux-2.6.35.7/drivers/ata/pata_atiixp.c linux-2.6.35.7/drivers/ata/pata_atiixp.c
21248 --- linux-2.6.35.7/drivers/ata/pata_atiixp.c 2010-08-26 19:47:12.000000000 -0400
21249 +++ linux-2.6.35.7/drivers/ata/pata_atiixp.c 2010-09-17 20:12:09.000000000 -0400
21250 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21251 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21254 -static struct ata_port_operations atiixp_port_ops = {
21255 +static const struct ata_port_operations atiixp_port_ops = {
21256 .inherits = &ata_bmdma_port_ops,
21258 .qc_prep = ata_bmdma_dumb_qc_prep,
21259 diff -urNp linux-2.6.35.7/drivers/ata/pata_atp867x.c linux-2.6.35.7/drivers/ata/pata_atp867x.c
21260 --- linux-2.6.35.7/drivers/ata/pata_atp867x.c 2010-08-26 19:47:12.000000000 -0400
21261 +++ linux-2.6.35.7/drivers/ata/pata_atp867x.c 2010-09-17 20:12:09.000000000 -0400
21262 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21263 ATA_BMDMA_SHT(DRV_NAME),
21266 -static struct ata_port_operations atp867x_ops = {
21267 +static const struct ata_port_operations atp867x_ops = {
21268 .inherits = &ata_bmdma_port_ops,
21269 .cable_detect = atp867x_cable_detect,
21270 .set_piomode = atp867x_set_piomode,
21271 diff -urNp linux-2.6.35.7/drivers/ata/pata_bf54x.c linux-2.6.35.7/drivers/ata/pata_bf54x.c
21272 --- linux-2.6.35.7/drivers/ata/pata_bf54x.c 2010-08-26 19:47:12.000000000 -0400
21273 +++ linux-2.6.35.7/drivers/ata/pata_bf54x.c 2010-09-17 20:12:09.000000000 -0400
21274 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21275 .dma_boundary = ATA_DMA_BOUNDARY,
21278 -static struct ata_port_operations bfin_pata_ops = {
21279 +static const struct ata_port_operations bfin_pata_ops = {
21280 .inherits = &ata_bmdma_port_ops,
21282 .set_piomode = bfin_set_piomode,
21283 diff -urNp linux-2.6.35.7/drivers/ata/pata_cmd640.c linux-2.6.35.7/drivers/ata/pata_cmd640.c
21284 --- linux-2.6.35.7/drivers/ata/pata_cmd640.c 2010-08-26 19:47:12.000000000 -0400
21285 +++ linux-2.6.35.7/drivers/ata/pata_cmd640.c 2010-09-17 20:12:09.000000000 -0400
21286 @@ -165,7 +165,7 @@ static struct scsi_host_template cmd640_
21287 ATA_PIO_SHT(DRV_NAME),
21290 -static struct ata_port_operations cmd640_port_ops = {
21291 +static const struct ata_port_operations cmd640_port_ops = {
21292 .inherits = &ata_sff_port_ops,
21293 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21294 .sff_data_xfer = ata_sff_data_xfer_noirq,
21295 diff -urNp linux-2.6.35.7/drivers/ata/pata_cmd64x.c linux-2.6.35.7/drivers/ata/pata_cmd64x.c
21296 --- linux-2.6.35.7/drivers/ata/pata_cmd64x.c 2010-09-20 17:33:09.000000000 -0400
21297 +++ linux-2.6.35.7/drivers/ata/pata_cmd64x.c 2010-09-20 17:33:32.000000000 -0400
21298 @@ -268,18 +268,18 @@ static const struct ata_port_operations
21299 .set_dmamode = cmd64x_set_dmamode,
21302 -static struct ata_port_operations cmd64x_port_ops = {
21303 +static const struct ata_port_operations cmd64x_port_ops = {
21304 .inherits = &cmd64x_base_ops,
21305 .cable_detect = ata_cable_40wire,
21308 -static struct ata_port_operations cmd646r1_port_ops = {
21309 +static const struct ata_port_operations cmd646r1_port_ops = {
21310 .inherits = &cmd64x_base_ops,
21311 .bmdma_stop = cmd646r1_bmdma_stop,
21312 .cable_detect = ata_cable_40wire,
21315 -static struct ata_port_operations cmd648_port_ops = {
21316 +static const struct ata_port_operations cmd648_port_ops = {
21317 .inherits = &cmd64x_base_ops,
21318 .bmdma_stop = cmd648_bmdma_stop,
21319 .cable_detect = cmd648_cable_detect,
21320 diff -urNp linux-2.6.35.7/drivers/ata/pata_cs5520.c linux-2.6.35.7/drivers/ata/pata_cs5520.c
21321 --- linux-2.6.35.7/drivers/ata/pata_cs5520.c 2010-08-26 19:47:12.000000000 -0400
21322 +++ linux-2.6.35.7/drivers/ata/pata_cs5520.c 2010-09-17 20:12:09.000000000 -0400
21323 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21324 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21327 -static struct ata_port_operations cs5520_port_ops = {
21328 +static const struct ata_port_operations cs5520_port_ops = {
21329 .inherits = &ata_bmdma_port_ops,
21330 .qc_prep = ata_bmdma_dumb_qc_prep,
21331 .cable_detect = ata_cable_40wire,
21332 diff -urNp linux-2.6.35.7/drivers/ata/pata_cs5530.c linux-2.6.35.7/drivers/ata/pata_cs5530.c
21333 --- linux-2.6.35.7/drivers/ata/pata_cs5530.c 2010-08-26 19:47:12.000000000 -0400
21334 +++ linux-2.6.35.7/drivers/ata/pata_cs5530.c 2010-09-17 20:12:09.000000000 -0400
21335 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21336 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21339 -static struct ata_port_operations cs5530_port_ops = {
21340 +static const struct ata_port_operations cs5530_port_ops = {
21341 .inherits = &ata_bmdma_port_ops,
21343 .qc_prep = ata_bmdma_dumb_qc_prep,
21344 diff -urNp linux-2.6.35.7/drivers/ata/pata_cs5535.c linux-2.6.35.7/drivers/ata/pata_cs5535.c
21345 --- linux-2.6.35.7/drivers/ata/pata_cs5535.c 2010-08-26 19:47:12.000000000 -0400
21346 +++ linux-2.6.35.7/drivers/ata/pata_cs5535.c 2010-09-17 20:12:09.000000000 -0400
21347 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21348 ATA_BMDMA_SHT(DRV_NAME),
21351 -static struct ata_port_operations cs5535_port_ops = {
21352 +static const struct ata_port_operations cs5535_port_ops = {
21353 .inherits = &ata_bmdma_port_ops,
21354 .cable_detect = cs5535_cable_detect,
21355 .set_piomode = cs5535_set_piomode,
21356 diff -urNp linux-2.6.35.7/drivers/ata/pata_cs5536.c linux-2.6.35.7/drivers/ata/pata_cs5536.c
21357 --- linux-2.6.35.7/drivers/ata/pata_cs5536.c 2010-08-26 19:47:12.000000000 -0400
21358 +++ linux-2.6.35.7/drivers/ata/pata_cs5536.c 2010-09-17 20:12:09.000000000 -0400
21359 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
21360 ATA_BMDMA_SHT(DRV_NAME),
21363 -static struct ata_port_operations cs5536_port_ops = {
21364 +static const struct ata_port_operations cs5536_port_ops = {
21365 .inherits = &ata_bmdma32_port_ops,
21366 .cable_detect = cs5536_cable_detect,
21367 .set_piomode = cs5536_set_piomode,
21368 diff -urNp linux-2.6.35.7/drivers/ata/pata_cypress.c linux-2.6.35.7/drivers/ata/pata_cypress.c
21369 --- linux-2.6.35.7/drivers/ata/pata_cypress.c 2010-08-26 19:47:12.000000000 -0400
21370 +++ linux-2.6.35.7/drivers/ata/pata_cypress.c 2010-09-17 20:12:09.000000000 -0400
21371 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21372 ATA_BMDMA_SHT(DRV_NAME),
21375 -static struct ata_port_operations cy82c693_port_ops = {
21376 +static const struct ata_port_operations cy82c693_port_ops = {
21377 .inherits = &ata_bmdma_port_ops,
21378 .cable_detect = ata_cable_40wire,
21379 .set_piomode = cy82c693_set_piomode,
21380 diff -urNp linux-2.6.35.7/drivers/ata/pata_efar.c linux-2.6.35.7/drivers/ata/pata_efar.c
21381 --- linux-2.6.35.7/drivers/ata/pata_efar.c 2010-08-26 19:47:12.000000000 -0400
21382 +++ linux-2.6.35.7/drivers/ata/pata_efar.c 2010-09-17 20:12:09.000000000 -0400
21383 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21384 ATA_BMDMA_SHT(DRV_NAME),
21387 -static struct ata_port_operations efar_ops = {
21388 +static const struct ata_port_operations efar_ops = {
21389 .inherits = &ata_bmdma_port_ops,
21390 .cable_detect = efar_cable_detect,
21391 .set_piomode = efar_set_piomode,
21392 diff -urNp linux-2.6.35.7/drivers/ata/pata_hpt366.c linux-2.6.35.7/drivers/ata/pata_hpt366.c
21393 --- linux-2.6.35.7/drivers/ata/pata_hpt366.c 2010-08-26 19:47:12.000000000 -0400
21394 +++ linux-2.6.35.7/drivers/ata/pata_hpt366.c 2010-09-17 20:12:09.000000000 -0400
21395 @@ -269,7 +269,7 @@ static struct scsi_host_template hpt36x_
21396 * Configuration for HPT366/68
21399 -static struct ata_port_operations hpt366_port_ops = {
21400 +static const struct ata_port_operations hpt366_port_ops = {
21401 .inherits = &ata_bmdma_port_ops,
21402 .cable_detect = hpt36x_cable_detect,
21403 .mode_filter = hpt366_filter,
21404 diff -urNp linux-2.6.35.7/drivers/ata/pata_hpt37x.c linux-2.6.35.7/drivers/ata/pata_hpt37x.c
21405 --- linux-2.6.35.7/drivers/ata/pata_hpt37x.c 2010-08-26 19:47:12.000000000 -0400
21406 +++ linux-2.6.35.7/drivers/ata/pata_hpt37x.c 2010-09-17 20:12:09.000000000 -0400
21407 @@ -564,7 +564,7 @@ static struct scsi_host_template hpt37x_
21408 * Configuration for HPT370
21411 -static struct ata_port_operations hpt370_port_ops = {
21412 +static const struct ata_port_operations hpt370_port_ops = {
21413 .inherits = &ata_bmdma_port_ops,
21415 .bmdma_stop = hpt370_bmdma_stop,
21416 @@ -580,7 +580,7 @@ static struct ata_port_operations hpt370
21417 * Configuration for HPT370A. Close to 370 but less filters
21420 -static struct ata_port_operations hpt370a_port_ops = {
21421 +static const struct ata_port_operations hpt370a_port_ops = {
21422 .inherits = &hpt370_port_ops,
21423 .mode_filter = hpt370a_filter,
21425 @@ -590,7 +590,7 @@ static struct ata_port_operations hpt370
21426 * and DMA mode setting functionality.
21429 -static struct ata_port_operations hpt372_port_ops = {
21430 +static const struct ata_port_operations hpt372_port_ops = {
21431 .inherits = &ata_bmdma_port_ops,
21433 .bmdma_stop = hpt37x_bmdma_stop,
21434 @@ -606,7 +606,7 @@ static struct ata_port_operations hpt372
21435 * but we have a different cable detection procedure for function 1.
21438 -static struct ata_port_operations hpt374_fn1_port_ops = {
21439 +static const struct ata_port_operations hpt374_fn1_port_ops = {
21440 .inherits = &hpt372_port_ops,
21441 .cable_detect = hpt374_fn1_cable_detect,
21442 .prereset = hpt37x_pre_reset,
21443 diff -urNp linux-2.6.35.7/drivers/ata/pata_hpt3x2n.c linux-2.6.35.7/drivers/ata/pata_hpt3x2n.c
21444 --- linux-2.6.35.7/drivers/ata/pata_hpt3x2n.c 2010-08-26 19:47:12.000000000 -0400
21445 +++ linux-2.6.35.7/drivers/ata/pata_hpt3x2n.c 2010-09-17 20:12:09.000000000 -0400
21446 @@ -331,7 +331,7 @@ static struct scsi_host_template hpt3x2n
21447 * Configuration for HPT3x2n.
21450 -static struct ata_port_operations hpt3x2n_port_ops = {
21451 +static const struct ata_port_operations hpt3x2n_port_ops = {
21452 .inherits = &ata_bmdma_port_ops,
21454 .bmdma_stop = hpt3x2n_bmdma_stop,
21455 diff -urNp linux-2.6.35.7/drivers/ata/pata_hpt3x3.c linux-2.6.35.7/drivers/ata/pata_hpt3x3.c
21456 --- linux-2.6.35.7/drivers/ata/pata_hpt3x3.c 2010-08-26 19:47:12.000000000 -0400
21457 +++ linux-2.6.35.7/drivers/ata/pata_hpt3x3.c 2010-09-17 20:12:09.000000000 -0400
21458 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21459 ATA_BMDMA_SHT(DRV_NAME),
21462 -static struct ata_port_operations hpt3x3_port_ops = {
21463 +static const struct ata_port_operations hpt3x3_port_ops = {
21464 .inherits = &ata_bmdma_port_ops,
21465 .cable_detect = ata_cable_40wire,
21466 .set_piomode = hpt3x3_set_piomode,
21467 diff -urNp linux-2.6.35.7/drivers/ata/pata_icside.c linux-2.6.35.7/drivers/ata/pata_icside.c
21468 --- linux-2.6.35.7/drivers/ata/pata_icside.c 2010-08-26 19:47:12.000000000 -0400
21469 +++ linux-2.6.35.7/drivers/ata/pata_icside.c 2010-09-17 20:12:09.000000000 -0400
21470 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
21474 -static struct ata_port_operations pata_icside_port_ops = {
21475 +static const struct ata_port_operations pata_icside_port_ops = {
21476 .inherits = &ata_bmdma_port_ops,
21477 /* no need to build any PRD tables for DMA */
21478 .qc_prep = ata_noop_qc_prep,
21479 diff -urNp linux-2.6.35.7/drivers/ata/pata_isapnp.c linux-2.6.35.7/drivers/ata/pata_isapnp.c
21480 --- linux-2.6.35.7/drivers/ata/pata_isapnp.c 2010-08-26 19:47:12.000000000 -0400
21481 +++ linux-2.6.35.7/drivers/ata/pata_isapnp.c 2010-09-17 20:12:09.000000000 -0400
21482 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21483 ATA_PIO_SHT(DRV_NAME),
21486 -static struct ata_port_operations isapnp_port_ops = {
21487 +static const struct ata_port_operations isapnp_port_ops = {
21488 .inherits = &ata_sff_port_ops,
21489 .cable_detect = ata_cable_40wire,
21492 -static struct ata_port_operations isapnp_noalt_port_ops = {
21493 +static const struct ata_port_operations isapnp_noalt_port_ops = {
21494 .inherits = &ata_sff_port_ops,
21495 .cable_detect = ata_cable_40wire,
21496 /* No altstatus so we don't want to use the lost interrupt poll */
21497 diff -urNp linux-2.6.35.7/drivers/ata/pata_it8213.c linux-2.6.35.7/drivers/ata/pata_it8213.c
21498 --- linux-2.6.35.7/drivers/ata/pata_it8213.c 2010-08-26 19:47:12.000000000 -0400
21499 +++ linux-2.6.35.7/drivers/ata/pata_it8213.c 2010-09-17 20:12:09.000000000 -0400
21500 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21504 -static struct ata_port_operations it8213_ops = {
21505 +static const struct ata_port_operations it8213_ops = {
21506 .inherits = &ata_bmdma_port_ops,
21507 .cable_detect = it8213_cable_detect,
21508 .set_piomode = it8213_set_piomode,
21509 diff -urNp linux-2.6.35.7/drivers/ata/pata_it821x.c linux-2.6.35.7/drivers/ata/pata_it821x.c
21510 --- linux-2.6.35.7/drivers/ata/pata_it821x.c 2010-08-26 19:47:12.000000000 -0400
21511 +++ linux-2.6.35.7/drivers/ata/pata_it821x.c 2010-09-17 20:12:09.000000000 -0400
21512 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
21513 ATA_BMDMA_SHT(DRV_NAME),
21516 -static struct ata_port_operations it821x_smart_port_ops = {
21517 +static const struct ata_port_operations it821x_smart_port_ops = {
21518 .inherits = &ata_bmdma_port_ops,
21520 .check_atapi_dma= it821x_check_atapi_dma,
21521 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
21522 .port_start = it821x_port_start,
21525 -static struct ata_port_operations it821x_passthru_port_ops = {
21526 +static const struct ata_port_operations it821x_passthru_port_ops = {
21527 .inherits = &ata_bmdma_port_ops,
21529 .check_atapi_dma= it821x_check_atapi_dma,
21530 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
21531 .port_start = it821x_port_start,
21534 -static struct ata_port_operations it821x_rdc_port_ops = {
21535 +static const struct ata_port_operations it821x_rdc_port_ops = {
21536 .inherits = &ata_bmdma_port_ops,
21538 .check_atapi_dma= it821x_check_atapi_dma,
21539 diff -urNp linux-2.6.35.7/drivers/ata/pata_ixp4xx_cf.c linux-2.6.35.7/drivers/ata/pata_ixp4xx_cf.c
21540 --- linux-2.6.35.7/drivers/ata/pata_ixp4xx_cf.c 2010-08-26 19:47:12.000000000 -0400
21541 +++ linux-2.6.35.7/drivers/ata/pata_ixp4xx_cf.c 2010-09-17 20:12:09.000000000 -0400
21542 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21543 ATA_PIO_SHT(DRV_NAME),
21546 -static struct ata_port_operations ixp4xx_port_ops = {
21547 +static const struct ata_port_operations ixp4xx_port_ops = {
21548 .inherits = &ata_sff_port_ops,
21549 .sff_data_xfer = ixp4xx_mmio_data_xfer,
21550 .cable_detect = ata_cable_40wire,
21551 diff -urNp linux-2.6.35.7/drivers/ata/pata_jmicron.c linux-2.6.35.7/drivers/ata/pata_jmicron.c
21552 --- linux-2.6.35.7/drivers/ata/pata_jmicron.c 2010-08-26 19:47:12.000000000 -0400
21553 +++ linux-2.6.35.7/drivers/ata/pata_jmicron.c 2010-09-17 20:12:09.000000000 -0400
21554 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21555 ATA_BMDMA_SHT(DRV_NAME),
21558 -static struct ata_port_operations jmicron_ops = {
21559 +static const struct ata_port_operations jmicron_ops = {
21560 .inherits = &ata_bmdma_port_ops,
21561 .prereset = jmicron_pre_reset,
21563 diff -urNp linux-2.6.35.7/drivers/ata/pata_legacy.c linux-2.6.35.7/drivers/ata/pata_legacy.c
21564 --- linux-2.6.35.7/drivers/ata/pata_legacy.c 2010-08-26 19:47:12.000000000 -0400
21565 +++ linux-2.6.35.7/drivers/ata/pata_legacy.c 2010-09-17 20:12:09.000000000 -0400
21566 @@ -113,7 +113,7 @@ struct legacy_probe {
21568 struct legacy_controller {
21570 - struct ata_port_operations *ops;
21571 + const struct ata_port_operations *ops;
21572 unsigned int pio_mask;
21573 unsigned int flags;
21574 unsigned int pflags;
21575 @@ -230,12 +230,12 @@ static const struct ata_port_operations
21576 * pio_mask as well.
21579 -static struct ata_port_operations simple_port_ops = {
21580 +static const struct ata_port_operations simple_port_ops = {
21581 .inherits = &legacy_base_port_ops,
21582 .sff_data_xfer = ata_sff_data_xfer_noirq,
21585 -static struct ata_port_operations legacy_port_ops = {
21586 +static const struct ata_port_operations legacy_port_ops = {
21587 .inherits = &legacy_base_port_ops,
21588 .sff_data_xfer = ata_sff_data_xfer_noirq,
21589 .set_mode = legacy_set_mode,
21590 @@ -331,7 +331,7 @@ static unsigned int pdc_data_xfer_vlb(st
21594 -static struct ata_port_operations pdc20230_port_ops = {
21595 +static const struct ata_port_operations pdc20230_port_ops = {
21596 .inherits = &legacy_base_port_ops,
21597 .set_piomode = pdc20230_set_piomode,
21598 .sff_data_xfer = pdc_data_xfer_vlb,
21599 @@ -364,7 +364,7 @@ static void ht6560a_set_piomode(struct a
21600 ioread8(ap->ioaddr.status_addr);
21603 -static struct ata_port_operations ht6560a_port_ops = {
21604 +static const struct ata_port_operations ht6560a_port_ops = {
21605 .inherits = &legacy_base_port_ops,
21606 .set_piomode = ht6560a_set_piomode,
21608 @@ -407,7 +407,7 @@ static void ht6560b_set_piomode(struct a
21609 ioread8(ap->ioaddr.status_addr);
21612 -static struct ata_port_operations ht6560b_port_ops = {
21613 +static const struct ata_port_operations ht6560b_port_ops = {
21614 .inherits = &legacy_base_port_ops,
21615 .set_piomode = ht6560b_set_piomode,
21617 @@ -506,7 +506,7 @@ static void opti82c611a_set_piomode(stru
21621 -static struct ata_port_operations opti82c611a_port_ops = {
21622 +static const struct ata_port_operations opti82c611a_port_ops = {
21623 .inherits = &legacy_base_port_ops,
21624 .set_piomode = opti82c611a_set_piomode,
21626 @@ -616,7 +616,7 @@ static unsigned int opti82c46x_qc_issue(
21627 return ata_sff_qc_issue(qc);
21630 -static struct ata_port_operations opti82c46x_port_ops = {
21631 +static const struct ata_port_operations opti82c46x_port_ops = {
21632 .inherits = &legacy_base_port_ops,
21633 .set_piomode = opti82c46x_set_piomode,
21634 .qc_issue = opti82c46x_qc_issue,
21635 @@ -778,20 +778,20 @@ static int qdi_port(struct platform_devi
21639 -static struct ata_port_operations qdi6500_port_ops = {
21640 +static const struct ata_port_operations qdi6500_port_ops = {
21641 .inherits = &legacy_base_port_ops,
21642 .set_piomode = qdi6500_set_piomode,
21643 .qc_issue = qdi_qc_issue,
21644 .sff_data_xfer = vlb32_data_xfer,
21647 -static struct ata_port_operations qdi6580_port_ops = {
21648 +static const struct ata_port_operations qdi6580_port_ops = {
21649 .inherits = &legacy_base_port_ops,
21650 .set_piomode = qdi6580_set_piomode,
21651 .sff_data_xfer = vlb32_data_xfer,
21654 -static struct ata_port_operations qdi6580dp_port_ops = {
21655 +static const struct ata_port_operations qdi6580dp_port_ops = {
21656 .inherits = &legacy_base_port_ops,
21657 .set_piomode = qdi6580dp_set_piomode,
21658 .qc_issue = qdi_qc_issue,
21659 @@ -863,7 +863,7 @@ static int winbond_port(struct platform_
21663 -static struct ata_port_operations winbond_port_ops = {
21664 +static const struct ata_port_operations winbond_port_ops = {
21665 .inherits = &legacy_base_port_ops,
21666 .set_piomode = winbond_set_piomode,
21667 .sff_data_xfer = vlb32_data_xfer,
21668 @@ -986,7 +986,7 @@ static __init int legacy_init_one(struct
21669 int pio_modes = controller->pio_mask;
21670 unsigned long io = probe->port;
21671 u32 mask = (1 << probe->slot);
21672 - struct ata_port_operations *ops = controller->ops;
21673 + const struct ata_port_operations *ops = controller->ops;
21674 struct legacy_data *ld = &legacy_data[probe->slot];
21675 struct ata_host *host = NULL;
21676 struct ata_port *ap;
21677 diff -urNp linux-2.6.35.7/drivers/ata/pata_macio.c linux-2.6.35.7/drivers/ata/pata_macio.c
21678 --- linux-2.6.35.7/drivers/ata/pata_macio.c 2010-08-26 19:47:12.000000000 -0400
21679 +++ linux-2.6.35.7/drivers/ata/pata_macio.c 2010-09-17 20:12:09.000000000 -0400
21680 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
21681 .slave_configure = pata_macio_slave_config,
21684 -static struct ata_port_operations pata_macio_ops = {
21685 +static const struct ata_port_operations pata_macio_ops = {
21686 .inherits = &ata_bmdma_port_ops,
21688 .freeze = pata_macio_freeze,
21689 .set_piomode = pata_macio_set_timings,
21690 .set_dmamode = pata_macio_set_timings,
21691 diff -urNp linux-2.6.35.7/drivers/ata/pata_marvell.c linux-2.6.35.7/drivers/ata/pata_marvell.c
21692 --- linux-2.6.35.7/drivers/ata/pata_marvell.c 2010-08-26 19:47:12.000000000 -0400
21693 +++ linux-2.6.35.7/drivers/ata/pata_marvell.c 2010-09-17 20:12:09.000000000 -0400
21694 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
21695 ATA_BMDMA_SHT(DRV_NAME),
21698 -static struct ata_port_operations marvell_ops = {
21699 +static const struct ata_port_operations marvell_ops = {
21700 .inherits = &ata_bmdma_port_ops,
21701 .cable_detect = marvell_cable_detect,
21702 .prereset = marvell_pre_reset,
21703 diff -urNp linux-2.6.35.7/drivers/ata/pata_mpc52xx.c linux-2.6.35.7/drivers/ata/pata_mpc52xx.c
21704 --- linux-2.6.35.7/drivers/ata/pata_mpc52xx.c 2010-08-26 19:47:12.000000000 -0400
21705 +++ linux-2.6.35.7/drivers/ata/pata_mpc52xx.c 2010-09-17 20:12:09.000000000 -0400
21706 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
21707 ATA_PIO_SHT(DRV_NAME),
21710 -static struct ata_port_operations mpc52xx_ata_port_ops = {
21711 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
21712 .inherits = &ata_sff_port_ops,
21713 .sff_dev_select = mpc52xx_ata_dev_select,
21714 .set_piomode = mpc52xx_ata_set_piomode,
21715 diff -urNp linux-2.6.35.7/drivers/ata/pata_mpiix.c linux-2.6.35.7/drivers/ata/pata_mpiix.c
21716 --- linux-2.6.35.7/drivers/ata/pata_mpiix.c 2010-08-26 19:47:12.000000000 -0400
21717 +++ linux-2.6.35.7/drivers/ata/pata_mpiix.c 2010-09-17 20:12:09.000000000 -0400
21718 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
21719 ATA_PIO_SHT(DRV_NAME),
21722 -static struct ata_port_operations mpiix_port_ops = {
21723 +static const struct ata_port_operations mpiix_port_ops = {
21724 .inherits = &ata_sff_port_ops,
21725 .qc_issue = mpiix_qc_issue,
21726 .cable_detect = ata_cable_40wire,
21727 diff -urNp linux-2.6.35.7/drivers/ata/pata_netcell.c linux-2.6.35.7/drivers/ata/pata_netcell.c
21728 --- linux-2.6.35.7/drivers/ata/pata_netcell.c 2010-08-26 19:47:12.000000000 -0400
21729 +++ linux-2.6.35.7/drivers/ata/pata_netcell.c 2010-09-17 20:12:09.000000000 -0400
21730 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
21731 ATA_BMDMA_SHT(DRV_NAME),
21734 -static struct ata_port_operations netcell_ops = {
21735 +static const struct ata_port_operations netcell_ops = {
21736 .inherits = &ata_bmdma_port_ops,
21737 .cable_detect = ata_cable_80wire,
21738 .read_id = netcell_read_id,
21739 diff -urNp linux-2.6.35.7/drivers/ata/pata_ninja32.c linux-2.6.35.7/drivers/ata/pata_ninja32.c
21740 --- linux-2.6.35.7/drivers/ata/pata_ninja32.c 2010-08-26 19:47:12.000000000 -0400
21741 +++ linux-2.6.35.7/drivers/ata/pata_ninja32.c 2010-09-17 20:12:09.000000000 -0400
21742 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
21743 ATA_BMDMA_SHT(DRV_NAME),
21746 -static struct ata_port_operations ninja32_port_ops = {
21747 +static const struct ata_port_operations ninja32_port_ops = {
21748 .inherits = &ata_bmdma_port_ops,
21749 .sff_dev_select = ninja32_dev_select,
21750 .cable_detect = ata_cable_40wire,
21751 diff -urNp linux-2.6.35.7/drivers/ata/pata_ns87410.c linux-2.6.35.7/drivers/ata/pata_ns87410.c
21752 --- linux-2.6.35.7/drivers/ata/pata_ns87410.c 2010-08-26 19:47:12.000000000 -0400
21753 +++ linux-2.6.35.7/drivers/ata/pata_ns87410.c 2010-09-17 20:12:09.000000000 -0400
21754 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
21755 ATA_PIO_SHT(DRV_NAME),
21758 -static struct ata_port_operations ns87410_port_ops = {
21759 +static const struct ata_port_operations ns87410_port_ops = {
21760 .inherits = &ata_sff_port_ops,
21761 .qc_issue = ns87410_qc_issue,
21762 .cable_detect = ata_cable_40wire,
21763 diff -urNp linux-2.6.35.7/drivers/ata/pata_ns87415.c linux-2.6.35.7/drivers/ata/pata_ns87415.c
21764 --- linux-2.6.35.7/drivers/ata/pata_ns87415.c 2010-08-26 19:47:12.000000000 -0400
21765 +++ linux-2.6.35.7/drivers/ata/pata_ns87415.c 2010-09-17 20:12:09.000000000 -0400
21766 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
21768 #endif /* 87560 SuperIO Support */
21770 -static struct ata_port_operations ns87415_pata_ops = {
21771 +static const struct ata_port_operations ns87415_pata_ops = {
21772 .inherits = &ata_bmdma_port_ops,
21774 .check_atapi_dma = ns87415_check_atapi_dma,
21775 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
21778 #if defined(CONFIG_SUPERIO)
21779 -static struct ata_port_operations ns87560_pata_ops = {
21780 +static const struct ata_port_operations ns87560_pata_ops = {
21781 .inherits = &ns87415_pata_ops,
21782 .sff_tf_read = ns87560_tf_read,
21783 .sff_check_status = ns87560_check_status,
21784 diff -urNp linux-2.6.35.7/drivers/ata/pata_octeon_cf.c linux-2.6.35.7/drivers/ata/pata_octeon_cf.c
21785 --- linux-2.6.35.7/drivers/ata/pata_octeon_cf.c 2010-08-26 19:47:12.000000000 -0400
21786 +++ linux-2.6.35.7/drivers/ata/pata_octeon_cf.c 2010-09-17 20:12:09.000000000 -0400
21787 @@ -782,6 +782,7 @@ static unsigned int octeon_cf_qc_issue(s
21791 +/* cannot be const */
21792 static struct ata_port_operations octeon_cf_ops = {
21793 .inherits = &ata_sff_port_ops,
21794 .check_atapi_dma = octeon_cf_check_atapi_dma,
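Review bot: The added `/* cannot be const */` above `octeon_cf_ops` does not say why, so the one `ata_port_operations` table left writable in these hunks carries no reason a later reader could check. Presumably the driver assigns members of the table at probe time, which is outside this hunk; if so, say it: `/* cannot be const: members are assigned at probe time */`. A writable table of function pointers is what the constification elsewhere removes, so naming the writers makes it possible to revisit this later, for example with a per-device copy. The initializer continues past the end of the hunk.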
21795 diff -urNp linux-2.6.35.7/drivers/ata/pata_oldpiix.c linux-2.6.35.7/drivers/ata/pata_oldpiix.c
21796 --- linux-2.6.35.7/drivers/ata/pata_oldpiix.c 2010-08-26 19:47:12.000000000 -0400
21797 +++ linux-2.6.35.7/drivers/ata/pata_oldpiix.c 2010-09-17 20:12:09.000000000 -0400
21798 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
21799 ATA_BMDMA_SHT(DRV_NAME),
21802 -static struct ata_port_operations oldpiix_pata_ops = {
21803 +static const struct ata_port_operations oldpiix_pata_ops = {
21804 .inherits = &ata_bmdma_port_ops,
21805 .qc_issue = oldpiix_qc_issue,
21806 .cable_detect = ata_cable_40wire,
21807 diff -urNp linux-2.6.35.7/drivers/ata/pata_opti.c linux-2.6.35.7/drivers/ata/pata_opti.c
21808 --- linux-2.6.35.7/drivers/ata/pata_opti.c 2010-08-26 19:47:12.000000000 -0400
21809 +++ linux-2.6.35.7/drivers/ata/pata_opti.c 2010-09-17 20:12:09.000000000 -0400
21810 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
21811 ATA_PIO_SHT(DRV_NAME),
21814 -static struct ata_port_operations opti_port_ops = {
21815 +static const struct ata_port_operations opti_port_ops = {
21816 .inherits = &ata_sff_port_ops,
21817 .cable_detect = ata_cable_40wire,
21818 .set_piomode = opti_set_piomode,
21819 diff -urNp linux-2.6.35.7/drivers/ata/pata_optidma.c linux-2.6.35.7/drivers/ata/pata_optidma.c
21820 --- linux-2.6.35.7/drivers/ata/pata_optidma.c 2010-08-26 19:47:12.000000000 -0400
21821 +++ linux-2.6.35.7/drivers/ata/pata_optidma.c 2010-09-17 20:12:09.000000000 -0400
21822 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
21823 ATA_BMDMA_SHT(DRV_NAME),
21826 -static struct ata_port_operations optidma_port_ops = {
21827 +static const struct ata_port_operations optidma_port_ops = {
21828 .inherits = &ata_bmdma_port_ops,
21829 .cable_detect = ata_cable_40wire,
21830 .set_piomode = optidma_set_pio_mode,
21831 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
21832 .prereset = optidma_pre_reset,
21835 -static struct ata_port_operations optiplus_port_ops = {
21836 +static const struct ata_port_operations optiplus_port_ops = {
21837 .inherits = &optidma_port_ops,
21838 .set_piomode = optiplus_set_pio_mode,
21839 .set_dmamode = optiplus_set_dma_mode,
21840 diff -urNp linux-2.6.35.7/drivers/ata/pata_palmld.c linux-2.6.35.7/drivers/ata/pata_palmld.c
21841 --- linux-2.6.35.7/drivers/ata/pata_palmld.c 2010-08-26 19:47:12.000000000 -0400
21842 +++ linux-2.6.35.7/drivers/ata/pata_palmld.c 2010-09-17 20:12:09.000000000 -0400
21843 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
21844 ATA_PIO_SHT(DRV_NAME),
21847 -static struct ata_port_operations palmld_port_ops = {
21848 +static const struct ata_port_operations palmld_port_ops = {
21849 .inherits = &ata_sff_port_ops,
21850 .sff_data_xfer = ata_sff_data_xfer_noirq,
21851 .cable_detect = ata_cable_40wire,
21852 diff -urNp linux-2.6.35.7/drivers/ata/pata_pcmcia.c linux-2.6.35.7/drivers/ata/pata_pcmcia.c
21853 --- linux-2.6.35.7/drivers/ata/pata_pcmcia.c 2010-08-26 19:47:12.000000000 -0400
21854 +++ linux-2.6.35.7/drivers/ata/pata_pcmcia.c 2010-09-17 20:12:09.000000000 -0400
21855 @@ -153,14 +153,14 @@ static struct scsi_host_template pcmcia_
21856 ATA_PIO_SHT(DRV_NAME),
21859 -static struct ata_port_operations pcmcia_port_ops = {
21860 +static const struct ata_port_operations pcmcia_port_ops = {
21861 .inherits = &ata_sff_port_ops,
21862 .sff_data_xfer = ata_sff_data_xfer_noirq,
21863 .cable_detect = ata_cable_40wire,
21864 .set_mode = pcmcia_set_mode,
21867 -static struct ata_port_operations pcmcia_8bit_port_ops = {
21868 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
21869 .inherits = &ata_sff_port_ops,
21870 .sff_data_xfer = ata_data_xfer_8bit,
21871 .cable_detect = ata_cable_40wire,
21872 @@ -243,7 +243,7 @@ static int pcmcia_init_one(struct pcmcia
21873 unsigned long io_base, ctl_base;
21874 void __iomem *io_addr, *ctl_addr;
21876 - struct ata_port_operations *ops = &pcmcia_port_ops;
21877 + const struct ata_port_operations *ops = &pcmcia_port_ops;
21879 /* Set up attributes in order to probe card and get resources */
21880 pdev->io.Attributes1 = IO_DATA_PATH_WIDTH_AUTO;
21881 diff -urNp linux-2.6.35.7/drivers/ata/pata_pdc2027x.c linux-2.6.35.7/drivers/ata/pata_pdc2027x.c
21882 --- linux-2.6.35.7/drivers/ata/pata_pdc2027x.c 2010-08-26 19:47:12.000000000 -0400
21883 +++ linux-2.6.35.7/drivers/ata/pata_pdc2027x.c 2010-09-17 20:12:09.000000000 -0400
21884 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
21885 ATA_BMDMA_SHT(DRV_NAME),
21888 -static struct ata_port_operations pdc2027x_pata100_ops = {
21889 +static const struct ata_port_operations pdc2027x_pata100_ops = {
21890 .inherits = &ata_bmdma_port_ops,
21891 .check_atapi_dma = pdc2027x_check_atapi_dma,
21892 .cable_detect = pdc2027x_cable_detect,
21893 .prereset = pdc2027x_prereset,
21896 -static struct ata_port_operations pdc2027x_pata133_ops = {
21897 +static const struct ata_port_operations pdc2027x_pata133_ops = {
21898 .inherits = &pdc2027x_pata100_ops,
21899 .mode_filter = pdc2027x_mode_filter,
21900 .set_piomode = pdc2027x_set_piomode,
21901 diff -urNp linux-2.6.35.7/drivers/ata/pata_pdc202xx_old.c linux-2.6.35.7/drivers/ata/pata_pdc202xx_old.c
21902 --- linux-2.6.35.7/drivers/ata/pata_pdc202xx_old.c 2010-08-26 19:47:12.000000000 -0400
21903 +++ linux-2.6.35.7/drivers/ata/pata_pdc202xx_old.c 2010-09-17 20:12:09.000000000 -0400
21904 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
21905 ATA_BMDMA_SHT(DRV_NAME),
21908 -static struct ata_port_operations pdc2024x_port_ops = {
21909 +static const struct ata_port_operations pdc2024x_port_ops = {
21910 .inherits = &ata_bmdma_port_ops,
21912 .cable_detect = ata_cable_40wire,
21913 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
21914 .sff_exec_command = pdc202xx_exec_command,
21917 -static struct ata_port_operations pdc2026x_port_ops = {
21918 +static const struct ata_port_operations pdc2026x_port_ops = {
21919 .inherits = &pdc2024x_port_ops,
21921 .check_atapi_dma = pdc2026x_check_atapi_dma,
21922 diff -urNp linux-2.6.35.7/drivers/ata/pata_piccolo.c linux-2.6.35.7/drivers/ata/pata_piccolo.c
21923 --- linux-2.6.35.7/drivers/ata/pata_piccolo.c 2010-08-26 19:47:12.000000000 -0400
21924 +++ linux-2.6.35.7/drivers/ata/pata_piccolo.c 2010-09-17 20:12:09.000000000 -0400
21925 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
21926 ATA_BMDMA_SHT(DRV_NAME),
21929 -static struct ata_port_operations tosh_port_ops = {
21930 +static const struct ata_port_operations tosh_port_ops = {
21931 .inherits = &ata_bmdma_port_ops,
21932 .cable_detect = ata_cable_unknown,
21933 .set_piomode = tosh_set_piomode,
21934 diff -urNp linux-2.6.35.7/drivers/ata/pata_platform.c linux-2.6.35.7/drivers/ata/pata_platform.c
21935 --- linux-2.6.35.7/drivers/ata/pata_platform.c 2010-08-26 19:47:12.000000000 -0400
21936 +++ linux-2.6.35.7/drivers/ata/pata_platform.c 2010-09-17 20:12:09.000000000 -0400
21937 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
21938 ATA_PIO_SHT(DRV_NAME),
21941 -static struct ata_port_operations pata_platform_port_ops = {
21942 +static const struct ata_port_operations pata_platform_port_ops = {
21943 .inherits = &ata_sff_port_ops,
21944 .sff_data_xfer = ata_sff_data_xfer_noirq,
21945 .cable_detect = ata_cable_unknown,
21946 diff -urNp linux-2.6.35.7/drivers/ata/pata_qdi.c linux-2.6.35.7/drivers/ata/pata_qdi.c
21947 --- linux-2.6.35.7/drivers/ata/pata_qdi.c 2010-08-26 19:47:12.000000000 -0400
21948 +++ linux-2.6.35.7/drivers/ata/pata_qdi.c 2010-09-17 20:12:09.000000000 -0400
21949 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
21950 ATA_PIO_SHT(DRV_NAME),
21953 -static struct ata_port_operations qdi6500_port_ops = {
21954 +static const struct ata_port_operations qdi6500_port_ops = {
21955 .inherits = &ata_sff_port_ops,
21956 .qc_issue = qdi_qc_issue,
21957 .sff_data_xfer = qdi_data_xfer,
21958 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
21959 .set_piomode = qdi6500_set_piomode,
21962 -static struct ata_port_operations qdi6580_port_ops = {
21963 +static const struct ata_port_operations qdi6580_port_ops = {
21964 .inherits = &qdi6500_port_ops,
21965 .set_piomode = qdi6580_set_piomode,
21967 diff -urNp linux-2.6.35.7/drivers/ata/pata_radisys.c linux-2.6.35.7/drivers/ata/pata_radisys.c
21968 --- linux-2.6.35.7/drivers/ata/pata_radisys.c 2010-08-26 19:47:12.000000000 -0400
21969 +++ linux-2.6.35.7/drivers/ata/pata_radisys.c 2010-09-17 20:12:09.000000000 -0400
21970 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
21971 ATA_BMDMA_SHT(DRV_NAME),
21974 -static struct ata_port_operations radisys_pata_ops = {
21975 +static const struct ata_port_operations radisys_pata_ops = {
21976 .inherits = &ata_bmdma_port_ops,
21977 .qc_issue = radisys_qc_issue,
21978 .cable_detect = ata_cable_unknown,
21979 diff -urNp linux-2.6.35.7/drivers/ata/pata_rb532_cf.c linux-2.6.35.7/drivers/ata/pata_rb532_cf.c
21980 --- linux-2.6.35.7/drivers/ata/pata_rb532_cf.c 2010-08-26 19:47:12.000000000 -0400
21981 +++ linux-2.6.35.7/drivers/ata/pata_rb532_cf.c 2010-09-17 20:12:09.000000000 -0400
21982 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
21983 return IRQ_HANDLED;
21986 -static struct ata_port_operations rb532_pata_port_ops = {
21987 +static const struct ata_port_operations rb532_pata_port_ops = {
21988 .inherits = &ata_sff_port_ops,
21989 .sff_data_xfer = ata_sff_data_xfer32,
21991 diff -urNp linux-2.6.35.7/drivers/ata/pata_rdc.c linux-2.6.35.7/drivers/ata/pata_rdc.c
21992 --- linux-2.6.35.7/drivers/ata/pata_rdc.c 2010-08-26 19:47:12.000000000 -0400
21993 +++ linux-2.6.35.7/drivers/ata/pata_rdc.c 2010-09-17 20:12:09.000000000 -0400
21994 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
21995 pci_write_config_byte(dev, 0x48, udma_enable);
21998 -static struct ata_port_operations rdc_pata_ops = {
21999 +static const struct ata_port_operations rdc_pata_ops = {
22000 .inherits = &ata_bmdma32_port_ops,
22001 .cable_detect = rdc_pata_cable_detect,
22002 .set_piomode = rdc_set_piomode,
22003 diff -urNp linux-2.6.35.7/drivers/ata/pata_rz1000.c linux-2.6.35.7/drivers/ata/pata_rz1000.c
22004 --- linux-2.6.35.7/drivers/ata/pata_rz1000.c 2010-08-26 19:47:12.000000000 -0400
22005 +++ linux-2.6.35.7/drivers/ata/pata_rz1000.c 2010-09-17 20:12:09.000000000 -0400
22006 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
22007 ATA_PIO_SHT(DRV_NAME),
22010 -static struct ata_port_operations rz1000_port_ops = {
22011 +static const struct ata_port_operations rz1000_port_ops = {
22012 .inherits = &ata_sff_port_ops,
22013 .cable_detect = ata_cable_40wire,
22014 .set_mode = rz1000_set_mode,
22015 diff -urNp linux-2.6.35.7/drivers/ata/pata_sc1200.c linux-2.6.35.7/drivers/ata/pata_sc1200.c
22016 --- linux-2.6.35.7/drivers/ata/pata_sc1200.c 2010-08-26 19:47:12.000000000 -0400
22017 +++ linux-2.6.35.7/drivers/ata/pata_sc1200.c 2010-09-17 20:12:09.000000000 -0400
22018 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
22019 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22022 -static struct ata_port_operations sc1200_port_ops = {
22023 +static const struct ata_port_operations sc1200_port_ops = {
22024 .inherits = &ata_bmdma_port_ops,
22025 .qc_prep = ata_bmdma_dumb_qc_prep,
22026 .qc_issue = sc1200_qc_issue,
22027 diff -urNp linux-2.6.35.7/drivers/ata/pata_scc.c linux-2.6.35.7/drivers/ata/pata_scc.c
22028 --- linux-2.6.35.7/drivers/ata/pata_scc.c 2010-08-26 19:47:12.000000000 -0400
22029 +++ linux-2.6.35.7/drivers/ata/pata_scc.c 2010-09-17 20:12:09.000000000 -0400
22030 @@ -927,7 +927,7 @@ static struct scsi_host_template scc_sht
22031 ATA_BMDMA_SHT(DRV_NAME),
22034 -static struct ata_port_operations scc_pata_ops = {
22035 +static const struct ata_port_operations scc_pata_ops = {
22036 .inherits = &ata_bmdma_port_ops,
22038 .set_piomode = scc_set_piomode,
22039 diff -urNp linux-2.6.35.7/drivers/ata/pata_sch.c linux-2.6.35.7/drivers/ata/pata_sch.c
22040 --- linux-2.6.35.7/drivers/ata/pata_sch.c 2010-08-26 19:47:12.000000000 -0400
22041 +++ linux-2.6.35.7/drivers/ata/pata_sch.c 2010-09-17 20:12:09.000000000 -0400
22042 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
22043 ATA_BMDMA_SHT(DRV_NAME),
22046 -static struct ata_port_operations sch_pata_ops = {
22047 +static const struct ata_port_operations sch_pata_ops = {
22048 .inherits = &ata_bmdma_port_ops,
22049 .cable_detect = ata_cable_unknown,
22050 .set_piomode = sch_set_piomode,
22051 diff -urNp linux-2.6.35.7/drivers/ata/pata_serverworks.c linux-2.6.35.7/drivers/ata/pata_serverworks.c
22052 --- linux-2.6.35.7/drivers/ata/pata_serverworks.c 2010-08-26 19:47:12.000000000 -0400
22053 +++ linux-2.6.35.7/drivers/ata/pata_serverworks.c 2010-09-17 20:12:09.000000000 -0400
22054 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
22055 ATA_BMDMA_SHT(DRV_NAME),
22058 -static struct ata_port_operations serverworks_osb4_port_ops = {
22059 +static const struct ata_port_operations serverworks_osb4_port_ops = {
22060 .inherits = &ata_bmdma_port_ops,
22061 .cable_detect = serverworks_cable_detect,
22062 .mode_filter = serverworks_osb4_filter,
22063 @@ -308,7 +308,7 @@ static struct ata_port_operations server
22064 .set_dmamode = serverworks_set_dmamode,
22067 -static struct ata_port_operations serverworks_csb_port_ops = {
22068 +static const struct ata_port_operations serverworks_csb_port_ops = {
22069 .inherits = &serverworks_osb4_port_ops,
22070 .mode_filter = serverworks_csb_filter,
22072 diff -urNp linux-2.6.35.7/drivers/ata/pata_sil680.c linux-2.6.35.7/drivers/ata/pata_sil680.c
22073 --- linux-2.6.35.7/drivers/ata/pata_sil680.c 2010-08-26 19:47:12.000000000 -0400
22074 +++ linux-2.6.35.7/drivers/ata/pata_sil680.c 2010-09-17 20:12:09.000000000 -0400
22075 @@ -214,8 +214,7 @@ static struct scsi_host_template sil680_
22076 ATA_BMDMA_SHT(DRV_NAME),
22080 -static struct ata_port_operations sil680_port_ops = {
22081 +static const struct ata_port_operations sil680_port_ops = {
22082 .inherits = &ata_bmdma32_port_ops,
22083 .sff_exec_command = sil680_sff_exec_command,
22084 .cable_detect = sil680_cable_detect,
22085 diff -urNp linux-2.6.35.7/drivers/ata/pata_sis.c linux-2.6.35.7/drivers/ata/pata_sis.c
22086 --- linux-2.6.35.7/drivers/ata/pata_sis.c 2010-08-26 19:47:12.000000000 -0400
22087 +++ linux-2.6.35.7/drivers/ata/pata_sis.c 2010-09-17 20:12:09.000000000 -0400
22088 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22089 ATA_BMDMA_SHT(DRV_NAME),
22092 -static struct ata_port_operations sis_133_for_sata_ops = {
22093 +static const struct ata_port_operations sis_133_for_sata_ops = {
22094 .inherits = &ata_bmdma_port_ops,
22095 .set_piomode = sis_133_set_piomode,
22096 .set_dmamode = sis_133_set_dmamode,
22097 .cable_detect = sis_133_cable_detect,
22100 -static struct ata_port_operations sis_base_ops = {
22101 +static const struct ata_port_operations sis_base_ops = {
22102 .inherits = &ata_bmdma_port_ops,
22103 .prereset = sis_pre_reset,
22106 -static struct ata_port_operations sis_133_ops = {
22107 +static const struct ata_port_operations sis_133_ops = {
22108 .inherits = &sis_base_ops,
22109 .set_piomode = sis_133_set_piomode,
22110 .set_dmamode = sis_133_set_dmamode,
22111 .cable_detect = sis_133_cable_detect,
22114 -static struct ata_port_operations sis_133_early_ops = {
22115 +static const struct ata_port_operations sis_133_early_ops = {
22116 .inherits = &sis_base_ops,
22117 .set_piomode = sis_100_set_piomode,
22118 .set_dmamode = sis_133_early_set_dmamode,
22119 .cable_detect = sis_66_cable_detect,
22122 -static struct ata_port_operations sis_100_ops = {
22123 +static const struct ata_port_operations sis_100_ops = {
22124 .inherits = &sis_base_ops,
22125 .set_piomode = sis_100_set_piomode,
22126 .set_dmamode = sis_100_set_dmamode,
22127 .cable_detect = sis_66_cable_detect,
22130 -static struct ata_port_operations sis_66_ops = {
22131 +static const struct ata_port_operations sis_66_ops = {
22132 .inherits = &sis_base_ops,
22133 .set_piomode = sis_old_set_piomode,
22134 .set_dmamode = sis_66_set_dmamode,
22135 .cable_detect = sis_66_cable_detect,
22138 -static struct ata_port_operations sis_old_ops = {
22139 +static const struct ata_port_operations sis_old_ops = {
22140 .inherits = &sis_base_ops,
22141 .set_piomode = sis_old_set_piomode,
22142 .set_dmamode = sis_old_set_dmamode,
22143 diff -urNp linux-2.6.35.7/drivers/ata/pata_sl82c105.c linux-2.6.35.7/drivers/ata/pata_sl82c105.c
22144 --- linux-2.6.35.7/drivers/ata/pata_sl82c105.c 2010-08-26 19:47:12.000000000 -0400
22145 +++ linux-2.6.35.7/drivers/ata/pata_sl82c105.c 2010-09-17 20:12:09.000000000 -0400
22146 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
22147 ATA_BMDMA_SHT(DRV_NAME),
22150 -static struct ata_port_operations sl82c105_port_ops = {
22151 +static const struct ata_port_operations sl82c105_port_ops = {
22152 .inherits = &ata_bmdma_port_ops,
22153 .qc_defer = sl82c105_qc_defer,
22154 .bmdma_start = sl82c105_bmdma_start,
22155 diff -urNp linux-2.6.35.7/drivers/ata/pata_triflex.c linux-2.6.35.7/drivers/ata/pata_triflex.c
22156 --- linux-2.6.35.7/drivers/ata/pata_triflex.c 2010-08-26 19:47:12.000000000 -0400
22157 +++ linux-2.6.35.7/drivers/ata/pata_triflex.c 2010-09-17 20:12:09.000000000 -0400
22158 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22159 ATA_BMDMA_SHT(DRV_NAME),
22162 -static struct ata_port_operations triflex_port_ops = {
22163 +static const struct ata_port_operations triflex_port_ops = {
22164 .inherits = &ata_bmdma_port_ops,
22165 .bmdma_start = triflex_bmdma_start,
22166 .bmdma_stop = triflex_bmdma_stop,
22167 diff -urNp linux-2.6.35.7/drivers/ata/pata_via.c linux-2.6.35.7/drivers/ata/pata_via.c
22168 --- linux-2.6.35.7/drivers/ata/pata_via.c 2010-09-20 17:33:09.000000000 -0400
22169 +++ linux-2.6.35.7/drivers/ata/pata_via.c 2010-09-20 17:33:32.000000000 -0400
22170 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
22171 ATA_BMDMA_SHT(DRV_NAME),
22174 -static struct ata_port_operations via_port_ops = {
22175 +static const struct ata_port_operations via_port_ops = {
22176 .inherits = &ata_bmdma_port_ops,
22177 .cable_detect = via_cable_detect,
22178 .set_piomode = via_set_piomode,
22179 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
22180 .mode_filter = via_mode_filter,
22183 -static struct ata_port_operations via_port_ops_noirq = {
22184 +static const struct ata_port_operations via_port_ops_noirq = {
22185 .inherits = &via_port_ops,
22186 .sff_data_xfer = ata_sff_data_xfer_noirq,
22188 diff -urNp linux-2.6.35.7/drivers/ata/pata_winbond.c linux-2.6.35.7/drivers/ata/pata_winbond.c
22189 --- linux-2.6.35.7/drivers/ata/pata_winbond.c 2010-08-26 19:47:12.000000000 -0400
22190 +++ linux-2.6.35.7/drivers/ata/pata_winbond.c 2010-09-17 20:12:09.000000000 -0400
22191 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
22192 ATA_PIO_SHT(DRV_NAME),
22195 -static struct ata_port_operations winbond_port_ops = {
22196 +static const struct ata_port_operations winbond_port_ops = {
22197 .inherits = &ata_sff_port_ops,
22198 .sff_data_xfer = winbond_data_xfer,
22199 .cable_detect = ata_cable_40wire,
22200 diff -urNp linux-2.6.35.7/drivers/ata/pdc_adma.c linux-2.6.35.7/drivers/ata/pdc_adma.c
22201 --- linux-2.6.35.7/drivers/ata/pdc_adma.c 2010-08-26 19:47:12.000000000 -0400
22202 +++ linux-2.6.35.7/drivers/ata/pdc_adma.c 2010-09-17 20:12:09.000000000 -0400
22203 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22204 .dma_boundary = ADMA_DMA_BOUNDARY,
22207 -static struct ata_port_operations adma_ata_ops = {
22208 +static const struct ata_port_operations adma_ata_ops = {
22209 .inherits = &ata_sff_port_ops,
22211 .lost_interrupt = ATA_OP_NULL,
22212 diff -urNp linux-2.6.35.7/drivers/ata/sata_fsl.c linux-2.6.35.7/drivers/ata/sata_fsl.c
22213 --- linux-2.6.35.7/drivers/ata/sata_fsl.c 2010-08-26 19:47:12.000000000 -0400
22214 +++ linux-2.6.35.7/drivers/ata/sata_fsl.c 2010-09-17 20:12:09.000000000 -0400
22215 @@ -1261,7 +1261,7 @@ static struct scsi_host_template sata_fs
22216 .dma_boundary = ATA_DMA_BOUNDARY,
22219 -static struct ata_port_operations sata_fsl_ops = {
22220 +static const struct ata_port_operations sata_fsl_ops = {
22221 .inherits = &sata_pmp_port_ops,
22223 .qc_defer = ata_std_qc_defer,
22224 diff -urNp linux-2.6.35.7/drivers/ata/sata_inic162x.c linux-2.6.35.7/drivers/ata/sata_inic162x.c
22225 --- linux-2.6.35.7/drivers/ata/sata_inic162x.c 2010-08-26 19:47:12.000000000 -0400
22226 +++ linux-2.6.35.7/drivers/ata/sata_inic162x.c 2010-09-17 20:12:09.000000000 -0400
22227 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22231 -static struct ata_port_operations inic_port_ops = {
22232 +static const struct ata_port_operations inic_port_ops = {
22233 .inherits = &sata_port_ops,
22235 .check_atapi_dma = inic_check_atapi_dma,
22236 diff -urNp linux-2.6.35.7/drivers/ata/sata_mv.c linux-2.6.35.7/drivers/ata/sata_mv.c
22237 --- linux-2.6.35.7/drivers/ata/sata_mv.c 2010-09-20 17:33:09.000000000 -0400
22238 +++ linux-2.6.35.7/drivers/ata/sata_mv.c 2010-09-20 17:33:32.000000000 -0400
22239 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22240 .dma_boundary = MV_DMA_BOUNDARY,
22243 -static struct ata_port_operations mv5_ops = {
22244 +static const struct ata_port_operations mv5_ops = {
22245 .inherits = &ata_sff_port_ops,
22247 .lost_interrupt = ATA_OP_NULL,
22248 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22249 .port_stop = mv_port_stop,
22252 -static struct ata_port_operations mv6_ops = {
22253 +static const struct ata_port_operations mv6_ops = {
22254 .inherits = &ata_bmdma_port_ops,
22256 .lost_interrupt = ATA_OP_NULL,
22257 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22258 .port_stop = mv_port_stop,
22261 -static struct ata_port_operations mv_iie_ops = {
22262 +static const struct ata_port_operations mv_iie_ops = {
22263 .inherits = &mv6_ops,
22264 .dev_config = ATA_OP_NULL,
22265 .qc_prep = mv_qc_prep_iie,
22266 diff -urNp linux-2.6.35.7/drivers/ata/sata_nv.c linux-2.6.35.7/drivers/ata/sata_nv.c
22267 --- linux-2.6.35.7/drivers/ata/sata_nv.c 2010-08-26 19:47:12.000000000 -0400
22268 +++ linux-2.6.35.7/drivers/ata/sata_nv.c 2010-09-17 20:12:09.000000000 -0400
22269 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22270 * cases. Define nv_hardreset() which only kicks in for post-boot
22271 * probing and use it for all variants.
22273 -static struct ata_port_operations nv_generic_ops = {
22274 +static const struct ata_port_operations nv_generic_ops = {
22275 .inherits = &ata_bmdma_port_ops,
22276 .lost_interrupt = ATA_OP_NULL,
22277 .scr_read = nv_scr_read,
22278 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22279 .hardreset = nv_hardreset,
22282 -static struct ata_port_operations nv_nf2_ops = {
22283 +static const struct ata_port_operations nv_nf2_ops = {
22284 .inherits = &nv_generic_ops,
22285 .freeze = nv_nf2_freeze,
22286 .thaw = nv_nf2_thaw,
22289 -static struct ata_port_operations nv_ck804_ops = {
22290 +static const struct ata_port_operations nv_ck804_ops = {
22291 .inherits = &nv_generic_ops,
22292 .freeze = nv_ck804_freeze,
22293 .thaw = nv_ck804_thaw,
22294 .host_stop = nv_ck804_host_stop,
22297 -static struct ata_port_operations nv_adma_ops = {
22298 +static const struct ata_port_operations nv_adma_ops = {
22299 .inherits = &nv_ck804_ops,
22301 .check_atapi_dma = nv_adma_check_atapi_dma,
22302 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22303 .host_stop = nv_adma_host_stop,
22306 -static struct ata_port_operations nv_swncq_ops = {
22307 +static const struct ata_port_operations nv_swncq_ops = {
22308 .inherits = &nv_generic_ops,
22310 .qc_defer = ata_std_qc_defer,
22311 diff -urNp linux-2.6.35.7/drivers/ata/sata_promise.c linux-2.6.35.7/drivers/ata/sata_promise.c
22312 --- linux-2.6.35.7/drivers/ata/sata_promise.c 2010-08-26 19:47:12.000000000 -0400
22313 +++ linux-2.6.35.7/drivers/ata/sata_promise.c 2010-09-17 20:12:09.000000000 -0400
22314 @@ -196,7 +196,7 @@ static const struct ata_port_operations
22315 .error_handler = pdc_error_handler,
22318 -static struct ata_port_operations pdc_sata_ops = {
22319 +static const struct ata_port_operations pdc_sata_ops = {
22320 .inherits = &pdc_common_ops,
22321 .cable_detect = pdc_sata_cable_detect,
22322 .freeze = pdc_sata_freeze,
22323 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22325 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22326 and ->freeze/thaw that ignore the hotplug controls. */
22327 -static struct ata_port_operations pdc_old_sata_ops = {
22328 +static const struct ata_port_operations pdc_old_sata_ops = {
22329 .inherits = &pdc_sata_ops,
22330 .freeze = pdc_freeze,
22332 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22335 -static struct ata_port_operations pdc_pata_ops = {
22336 +static const struct ata_port_operations pdc_pata_ops = {
22337 .inherits = &pdc_common_ops,
22338 .cable_detect = pdc_pata_cable_detect,
22339 .freeze = pdc_freeze,
22340 diff -urNp linux-2.6.35.7/drivers/ata/sata_qstor.c linux-2.6.35.7/drivers/ata/sata_qstor.c
22341 --- linux-2.6.35.7/drivers/ata/sata_qstor.c 2010-08-26 19:47:12.000000000 -0400
22342 +++ linux-2.6.35.7/drivers/ata/sata_qstor.c 2010-09-17 20:12:09.000000000 -0400
22343 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22344 .dma_boundary = QS_DMA_BOUNDARY,
22347 -static struct ata_port_operations qs_ata_ops = {
22348 +static const struct ata_port_operations qs_ata_ops = {
22349 .inherits = &ata_sff_port_ops,
22351 .check_atapi_dma = qs_check_atapi_dma,
22352 diff -urNp linux-2.6.35.7/drivers/ata/sata_sil24.c linux-2.6.35.7/drivers/ata/sata_sil24.c
22353 --- linux-2.6.35.7/drivers/ata/sata_sil24.c 2010-08-26 19:47:12.000000000 -0400
22354 +++ linux-2.6.35.7/drivers/ata/sata_sil24.c 2010-09-17 20:12:09.000000000 -0400
22355 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22356 .dma_boundary = ATA_DMA_BOUNDARY,
22359 -static struct ata_port_operations sil24_ops = {
22360 +static const struct ata_port_operations sil24_ops = {
22361 .inherits = &sata_pmp_port_ops,
22363 .qc_defer = sil24_qc_defer,
22364 diff -urNp linux-2.6.35.7/drivers/ata/sata_sil.c linux-2.6.35.7/drivers/ata/sata_sil.c
22365 --- linux-2.6.35.7/drivers/ata/sata_sil.c 2010-08-26 19:47:12.000000000 -0400
22366 +++ linux-2.6.35.7/drivers/ata/sata_sil.c 2010-09-17 20:12:09.000000000 -0400
22367 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22368 .sg_tablesize = ATA_MAX_PRD
22371 -static struct ata_port_operations sil_ops = {
22372 +static const struct ata_port_operations sil_ops = {
22373 .inherits = &ata_bmdma32_port_ops,
22374 .dev_config = sil_dev_config,
22375 .set_mode = sil_set_mode,
22376 diff -urNp linux-2.6.35.7/drivers/ata/sata_sis.c linux-2.6.35.7/drivers/ata/sata_sis.c
22377 --- linux-2.6.35.7/drivers/ata/sata_sis.c 2010-08-26 19:47:12.000000000 -0400
22378 +++ linux-2.6.35.7/drivers/ata/sata_sis.c 2010-09-17 20:12:09.000000000 -0400
22379 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22380 ATA_BMDMA_SHT(DRV_NAME),
22383 -static struct ata_port_operations sis_ops = {
22384 +static const struct ata_port_operations sis_ops = {
22385 .inherits = &ata_bmdma_port_ops,
22386 .scr_read = sis_scr_read,
22387 .scr_write = sis_scr_write,
22388 diff -urNp linux-2.6.35.7/drivers/ata/sata_svw.c linux-2.6.35.7/drivers/ata/sata_svw.c
22389 --- linux-2.6.35.7/drivers/ata/sata_svw.c 2010-08-26 19:47:12.000000000 -0400
22390 +++ linux-2.6.35.7/drivers/ata/sata_svw.c 2010-09-17 20:12:09.000000000 -0400
22391 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22395 -static struct ata_port_operations k2_sata_ops = {
22396 +static const struct ata_port_operations k2_sata_ops = {
22397 .inherits = &ata_bmdma_port_ops,
22398 .sff_tf_load = k2_sata_tf_load,
22399 .sff_tf_read = k2_sata_tf_read,
22400 diff -urNp linux-2.6.35.7/drivers/ata/sata_sx4.c linux-2.6.35.7/drivers/ata/sata_sx4.c
22401 --- linux-2.6.35.7/drivers/ata/sata_sx4.c 2010-08-26 19:47:12.000000000 -0400
22402 +++ linux-2.6.35.7/drivers/ata/sata_sx4.c 2010-09-17 20:12:09.000000000 -0400
22403 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
22406 /* TODO: inherit from base port_ops after converting to new EH */
22407 -static struct ata_port_operations pdc_20621_ops = {
22408 +static const struct ata_port_operations pdc_20621_ops = {
22409 .inherits = &ata_sff_port_ops,
22411 .check_atapi_dma = pdc_check_atapi_dma,
22412 diff -urNp linux-2.6.35.7/drivers/ata/sata_uli.c linux-2.6.35.7/drivers/ata/sata_uli.c
22413 --- linux-2.6.35.7/drivers/ata/sata_uli.c 2010-08-26 19:47:12.000000000 -0400
22414 +++ linux-2.6.35.7/drivers/ata/sata_uli.c 2010-09-17 20:12:09.000000000 -0400
22415 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
22416 ATA_BMDMA_SHT(DRV_NAME),
22419 -static struct ata_port_operations uli_ops = {
22420 +static const struct ata_port_operations uli_ops = {
22421 .inherits = &ata_bmdma_port_ops,
22422 .scr_read = uli_scr_read,
22423 .scr_write = uli_scr_write,
22424 diff -urNp linux-2.6.35.7/drivers/ata/sata_via.c linux-2.6.35.7/drivers/ata/sata_via.c
22425 --- linux-2.6.35.7/drivers/ata/sata_via.c 2010-08-26 19:47:12.000000000 -0400
22426 +++ linux-2.6.35.7/drivers/ata/sata_via.c 2010-09-17 20:12:09.000000000 -0400
22427 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
22428 ATA_BMDMA_SHT(DRV_NAME),
22431 -static struct ata_port_operations svia_base_ops = {
22432 +static const struct ata_port_operations svia_base_ops = {
22433 .inherits = &ata_bmdma_port_ops,
22434 .sff_tf_load = svia_tf_load,
22437 -static struct ata_port_operations vt6420_sata_ops = {
22438 +static const struct ata_port_operations vt6420_sata_ops = {
22439 .inherits = &svia_base_ops,
22440 .freeze = svia_noop_freeze,
22441 .prereset = vt6420_prereset,
22442 .bmdma_start = vt6420_bmdma_start,
22445 -static struct ata_port_operations vt6421_pata_ops = {
22446 +static const struct ata_port_operations vt6421_pata_ops = {
22447 .inherits = &svia_base_ops,
22448 .cable_detect = vt6421_pata_cable_detect,
22449 .set_piomode = vt6421_set_pio_mode,
22450 .set_dmamode = vt6421_set_dma_mode,
22453 -static struct ata_port_operations vt6421_sata_ops = {
22454 +static const struct ata_port_operations vt6421_sata_ops = {
22455 .inherits = &svia_base_ops,
22456 .scr_read = svia_scr_read,
22457 .scr_write = svia_scr_write,
22460 -static struct ata_port_operations vt8251_ops = {
22461 +static const struct ata_port_operations vt8251_ops = {
22462 .inherits = &svia_base_ops,
22463 .hardreset = sata_std_hardreset,
22464 .scr_read = vt8251_scr_read,
22465 diff -urNp linux-2.6.35.7/drivers/ata/sata_vsc.c linux-2.6.35.7/drivers/ata/sata_vsc.c
22466 --- linux-2.6.35.7/drivers/ata/sata_vsc.c 2010-08-26 19:47:12.000000000 -0400
22467 +++ linux-2.6.35.7/drivers/ata/sata_vsc.c 2010-09-17 20:12:09.000000000 -0400
22468 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
22472 -static struct ata_port_operations vsc_sata_ops = {
22473 +static const struct ata_port_operations vsc_sata_ops = {
22474 .inherits = &ata_bmdma_port_ops,
22475 /* The IRQ handling is not quite standard SFF behaviour so we
22476 cannot use the default lost interrupt handler */
22477 diff -urNp linux-2.6.35.7/drivers/atm/adummy.c linux-2.6.35.7/drivers/atm/adummy.c
22478 --- linux-2.6.35.7/drivers/atm/adummy.c 2010-08-26 19:47:12.000000000 -0400
22479 +++ linux-2.6.35.7/drivers/atm/adummy.c 2010-09-17 20:12:09.000000000 -0400
22480 @@ -78,7 +78,7 @@ adummy_send(struct atm_vcc *vcc, struct
22481 vcc->pop(vcc, skb);
22483 dev_kfree_skb_any(skb);
22484 - atomic_inc(&vcc->stats->tx);
22485 + atomic_inc_unchecked(&vcc->stats->tx);
22489 diff -urNp linux-2.6.35.7/drivers/atm/ambassador.c linux-2.6.35.7/drivers/atm/ambassador.c
22490 --- linux-2.6.35.7/drivers/atm/ambassador.c 2010-08-26 19:47:12.000000000 -0400
22491 +++ linux-2.6.35.7/drivers/atm/ambassador.c 2010-09-17 20:12:09.000000000 -0400
22492 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
22493 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22496 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22497 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22499 // free the descriptor
22501 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
22502 dump_skb ("<<<", vc, skb);
22505 - atomic_inc(&atm_vcc->stats->rx);
22506 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22507 __net_timestamp(skb);
22508 // end of our responsability
22509 atm_vcc->push (atm_vcc, skb);
22510 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
22512 PRINTK (KERN_INFO, "dropped over-size frame");
22513 // should we count this?
22514 - atomic_inc(&atm_vcc->stats->rx_drop);
22515 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22519 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
22522 if (check_area (skb->data, skb->len)) {
22523 - atomic_inc(&atm_vcc->stats->tx_err);
22524 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22525 return -ENOMEM; // ?
22528 diff -urNp linux-2.6.35.7/drivers/atm/atmtcp.c linux-2.6.35.7/drivers/atm/atmtcp.c
22529 --- linux-2.6.35.7/drivers/atm/atmtcp.c 2010-08-26 19:47:12.000000000 -0400
22530 +++ linux-2.6.35.7/drivers/atm/atmtcp.c 2010-09-17 20:12:09.000000000 -0400
22531 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
22532 if (vcc->pop) vcc->pop(vcc,skb);
22533 else dev_kfree_skb(skb);
22534 if (dev_data) return 0;
22535 - atomic_inc(&vcc->stats->tx_err);
22536 + atomic_inc_unchecked(&vcc->stats->tx_err);
22539 size = skb->len+sizeof(struct atmtcp_hdr);
22540 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
22542 if (vcc->pop) vcc->pop(vcc,skb);
22543 else dev_kfree_skb(skb);
22544 - atomic_inc(&vcc->stats->tx_err);
22545 + atomic_inc_unchecked(&vcc->stats->tx_err);
22548 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
22549 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
22550 if (vcc->pop) vcc->pop(vcc,skb);
22551 else dev_kfree_skb(skb);
22552 out_vcc->push(out_vcc,new_skb);
22553 - atomic_inc(&vcc->stats->tx);
22554 - atomic_inc(&out_vcc->stats->rx);
22555 + atomic_inc_unchecked(&vcc->stats->tx);
22556 + atomic_inc_unchecked(&out_vcc->stats->rx);
22560 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
22561 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22562 read_unlock(&vcc_sklist_lock);
22564 - atomic_inc(&vcc->stats->tx_err);
22565 + atomic_inc_unchecked(&vcc->stats->tx_err);
22568 skb_pull(skb,sizeof(struct atmtcp_hdr));
22569 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
22570 __net_timestamp(new_skb);
22571 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22572 out_vcc->push(out_vcc,new_skb);
22573 - atomic_inc(&vcc->stats->tx);
22574 - atomic_inc(&out_vcc->stats->rx);
22575 + atomic_inc_unchecked(&vcc->stats->tx);
22576 + atomic_inc_unchecked(&out_vcc->stats->rx);
22578 if (vcc->pop) vcc->pop(vcc,skb);
22579 else dev_kfree_skb(skb);
22580 diff -urNp linux-2.6.35.7/drivers/atm/eni.c linux-2.6.35.7/drivers/atm/eni.c
22581 --- linux-2.6.35.7/drivers/atm/eni.c 2010-08-26 19:47:12.000000000 -0400
22582 +++ linux-2.6.35.7/drivers/atm/eni.c 2010-09-17 20:12:09.000000000 -0400
22583 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
22584 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22587 - atomic_inc(&vcc->stats->rx_err);
22588 + atomic_inc_unchecked(&vcc->stats->rx_err);
22591 length = ATM_CELL_SIZE-1; /* no HEC */
22592 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22596 - atomic_inc(&vcc->stats->rx_err);
22597 + atomic_inc_unchecked(&vcc->stats->rx_err);
22600 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
22601 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22602 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22603 vcc->dev->number,vcc->vci,length,size << 2,descr);
22605 - atomic_inc(&vcc->stats->rx_err);
22606 + atomic_inc_unchecked(&vcc->stats->rx_err);
22609 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
22610 @@ -771,7 +771,7 @@ rx_dequeued++;
22611 vcc->push(vcc,skb);
22614 - atomic_inc(&vcc->stats->rx);
22615 + atomic_inc_unchecked(&vcc->stats->rx);
22617 wake_up(&eni_dev->rx_wait);
22619 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
22621 if (vcc->pop) vcc->pop(vcc,skb);
22622 else dev_kfree_skb_irq(skb);
22623 - atomic_inc(&vcc->stats->tx);
22624 + atomic_inc_unchecked(&vcc->stats->tx);
22625 wake_up(&eni_dev->tx_wait);
22628 diff -urNp linux-2.6.35.7/drivers/atm/firestream.c linux-2.6.35.7/drivers/atm/firestream.c
22629 --- linux-2.6.35.7/drivers/atm/firestream.c 2010-08-26 19:47:12.000000000 -0400
22630 +++ linux-2.6.35.7/drivers/atm/firestream.c 2010-09-17 20:12:09.000000000 -0400
22631 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
22635 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22636 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22638 fs_dprintk (FS_DEBUG_TXMEM, "i");
22639 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
22640 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
22642 skb_put (skb, qe->p1 & 0xffff);
22643 ATM_SKB(skb)->vcc = atm_vcc;
22644 - atomic_inc(&atm_vcc->stats->rx);
22645 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22646 __net_timestamp(skb);
22647 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
22648 atm_vcc->push (atm_vcc, skb);
22649 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
22653 - atomic_inc(&atm_vcc->stats->rx_drop);
22654 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22656 case 0x1f: /* Reassembly abort: no buffers. */
22657 /* Silently increment error counter. */
22659 - atomic_inc(&atm_vcc->stats->rx_drop);
22660 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22662 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
22663 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
22664 diff -urNp linux-2.6.35.7/drivers/atm/fore200e.c linux-2.6.35.7/drivers/atm/fore200e.c
22665 --- linux-2.6.35.7/drivers/atm/fore200e.c 2010-08-26 19:47:12.000000000 -0400
22666 +++ linux-2.6.35.7/drivers/atm/fore200e.c 2010-09-17 20:12:09.000000000 -0400
22667 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
22669 /* check error condition */
22670 if (*entry->status & STATUS_ERROR)
22671 - atomic_inc(&vcc->stats->tx_err);
22672 + atomic_inc_unchecked(&vcc->stats->tx_err);
22674 - atomic_inc(&vcc->stats->tx);
22675 + atomic_inc_unchecked(&vcc->stats->tx);
22679 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
22681 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
22683 - atomic_inc(&vcc->stats->rx_drop);
22684 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22688 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
22690 dev_kfree_skb_any(skb);
22692 - atomic_inc(&vcc->stats->rx_drop);
22693 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22697 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22699 vcc->push(vcc, skb);
22700 - atomic_inc(&vcc->stats->rx);
22701 + atomic_inc_unchecked(&vcc->stats->rx);
22703 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22705 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
22706 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
22707 fore200e->atm_dev->number,
22708 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
22709 - atomic_inc(&vcc->stats->rx_err);
22710 + atomic_inc_unchecked(&vcc->stats->rx_err);
22714 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
22718 - atomic_inc(&vcc->stats->tx_err);
22719 + atomic_inc_unchecked(&vcc->stats->tx_err);
22721 fore200e->tx_sat++;
22722 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
22723 diff -urNp linux-2.6.35.7/drivers/atm/he.c linux-2.6.35.7/drivers/atm/he.c
22724 --- linux-2.6.35.7/drivers/atm/he.c 2010-08-26 19:47:12.000000000 -0400
22725 +++ linux-2.6.35.7/drivers/atm/he.c 2010-09-17 20:12:09.000000000 -0400
22726 @@ -1770,7 +1770,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22728 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
22729 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
22730 - atomic_inc(&vcc->stats->rx_drop);
22731 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22732 goto return_host_buffers;
22735 @@ -1803,7 +1803,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22736 RBRQ_LEN_ERR(he_dev->rbrq_head)
22738 vcc->vpi, vcc->vci);
22739 - atomic_inc(&vcc->stats->rx_err);
22740 + atomic_inc_unchecked(&vcc->stats->rx_err);
22741 goto return_host_buffers;
22744 @@ -1862,7 +1862,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22745 vcc->push(vcc, skb);
22746 spin_lock(&he_dev->global_lock);
22748 - atomic_inc(&vcc->stats->rx);
22749 + atomic_inc_unchecked(&vcc->stats->rx);
22751 return_host_buffers:
22753 @@ -2207,7 +2207,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
22754 tpd->vcc->pop(tpd->vcc, tpd->skb);
22756 dev_kfree_skb_any(tpd->skb);
22757 - atomic_inc(&tpd->vcc->stats->tx_err);
22758 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
22760 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
22762 @@ -2619,7 +2619,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22763 vcc->pop(vcc, skb);
22765 dev_kfree_skb_any(skb);
22766 - atomic_inc(&vcc->stats->tx_err);
22767 + atomic_inc_unchecked(&vcc->stats->tx_err);
22771 @@ -2630,7 +2630,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22772 vcc->pop(vcc, skb);
22774 dev_kfree_skb_any(skb);
22775 - atomic_inc(&vcc->stats->tx_err);
22776 + atomic_inc_unchecked(&vcc->stats->tx_err);
22780 @@ -2642,7 +2642,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22781 vcc->pop(vcc, skb);
22783 dev_kfree_skb_any(skb);
22784 - atomic_inc(&vcc->stats->tx_err);
22785 + atomic_inc_unchecked(&vcc->stats->tx_err);
22786 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22789 @@ -2684,7 +2684,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22790 vcc->pop(vcc, skb);
22792 dev_kfree_skb_any(skb);
22793 - atomic_inc(&vcc->stats->tx_err);
22794 + atomic_inc_unchecked(&vcc->stats->tx_err);
22795 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22798 @@ -2715,7 +2715,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22799 __enqueue_tpd(he_dev, tpd, cid);
22800 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22802 - atomic_inc(&vcc->stats->tx);
22803 + atomic_inc_unchecked(&vcc->stats->tx);
22807 diff -urNp linux-2.6.35.7/drivers/atm/horizon.c linux-2.6.35.7/drivers/atm/horizon.c
22808 --- linux-2.6.35.7/drivers/atm/horizon.c 2010-08-26 19:47:12.000000000 -0400
22809 +++ linux-2.6.35.7/drivers/atm/horizon.c 2010-09-17 20:12:09.000000000 -0400
22810 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
22812 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
22814 - atomic_inc(&vcc->stats->rx);
22815 + atomic_inc_unchecked(&vcc->stats->rx);
22816 __net_timestamp(skb);
22817 // end of our responsability
22818 vcc->push (vcc, skb);
22819 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
22820 dev->tx_iovec = NULL;
22823 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22824 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22827 hrz_kfree_skb (skb);
22828 diff -urNp linux-2.6.35.7/drivers/atm/idt77252.c linux-2.6.35.7/drivers/atm/idt77252.c
22829 --- linux-2.6.35.7/drivers/atm/idt77252.c 2010-08-26 19:47:12.000000000 -0400
22830 +++ linux-2.6.35.7/drivers/atm/idt77252.c 2010-09-17 20:12:09.000000000 -0400
22831 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
22833 dev_kfree_skb(skb);
22835 - atomic_inc(&vcc->stats->tx);
22836 + atomic_inc_unchecked(&vcc->stats->tx);
22839 atomic_dec(&scq->used);
22840 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
22841 if ((sb = dev_alloc_skb(64)) == NULL) {
22842 printk("%s: Can't allocate buffers for aal0.\n",
22844 - atomic_add(i, &vcc->stats->rx_drop);
22845 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
22848 if (!atm_charge(vcc, sb->truesize)) {
22849 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
22851 - atomic_add(i - 1, &vcc->stats->rx_drop);
22852 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
22856 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
22857 ATM_SKB(sb)->vcc = vcc;
22858 __net_timestamp(sb);
22859 vcc->push(vcc, sb);
22860 - atomic_inc(&vcc->stats->rx);
22861 + atomic_inc_unchecked(&vcc->stats->rx);
22863 cell += ATM_CELL_PAYLOAD;
22865 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
22867 card->name, len, rpp->len, readl(SAR_REG_CDC));
22868 recycle_rx_pool_skb(card, rpp);
22869 - atomic_inc(&vcc->stats->rx_err);
22870 + atomic_inc_unchecked(&vcc->stats->rx_err);
22873 if (stat & SAR_RSQE_CRC) {
22874 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
22875 recycle_rx_pool_skb(card, rpp);
22876 - atomic_inc(&vcc->stats->rx_err);
22877 + atomic_inc_unchecked(&vcc->stats->rx_err);
22880 if (skb_queue_len(&rpp->queue) > 1) {
22881 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
22882 RXPRINTK("%s: Can't alloc RX skb.\n",
22884 recycle_rx_pool_skb(card, rpp);
22885 - atomic_inc(&vcc->stats->rx_err);
22886 + atomic_inc_unchecked(&vcc->stats->rx_err);
22889 if (!atm_charge(vcc, skb->truesize)) {
22890 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
22891 __net_timestamp(skb);
22893 vcc->push(vcc, skb);
22894 - atomic_inc(&vcc->stats->rx);
22895 + atomic_inc_unchecked(&vcc->stats->rx);
22899 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
22900 __net_timestamp(skb);
22902 vcc->push(vcc, skb);
22903 - atomic_inc(&vcc->stats->rx);
22904 + atomic_inc_unchecked(&vcc->stats->rx);
22906 if (skb->truesize > SAR_FB_SIZE_3)
22907 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
22908 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
22909 if (vcc->qos.aal != ATM_AAL0) {
22910 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
22911 card->name, vpi, vci);
22912 - atomic_inc(&vcc->stats->rx_drop);
22913 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22917 if ((sb = dev_alloc_skb(64)) == NULL) {
22918 printk("%s: Can't allocate buffers for AAL0.\n",
22920 - atomic_inc(&vcc->stats->rx_err);
22921 + atomic_inc_unchecked(&vcc->stats->rx_err);
22925 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
22926 ATM_SKB(sb)->vcc = vcc;
22927 __net_timestamp(sb);
22928 vcc->push(vcc, sb);
22929 - atomic_inc(&vcc->stats->rx);
22930 + atomic_inc_unchecked(&vcc->stats->rx);
22933 skb_pull(queue, 64);
22934 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22937 printk("%s: NULL connection in send().\n", card->name);
22938 - atomic_inc(&vcc->stats->tx_err);
22939 + atomic_inc_unchecked(&vcc->stats->tx_err);
22940 dev_kfree_skb(skb);
22943 if (!test_bit(VCF_TX, &vc->flags)) {
22944 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
22945 - atomic_inc(&vcc->stats->tx_err);
22946 + atomic_inc_unchecked(&vcc->stats->tx_err);
22947 dev_kfree_skb(skb);
22950 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22953 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
22954 - atomic_inc(&vcc->stats->tx_err);
22955 + atomic_inc_unchecked(&vcc->stats->tx_err);
22956 dev_kfree_skb(skb);
22960 if (skb_shinfo(skb)->nr_frags != 0) {
22961 printk("%s: No scatter-gather yet.\n", card->name);
22962 - atomic_inc(&vcc->stats->tx_err);
22963 + atomic_inc_unchecked(&vcc->stats->tx_err);
22964 dev_kfree_skb(skb);
22967 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22969 err = queue_skb(card, vc, skb, oam);
22971 - atomic_inc(&vcc->stats->tx_err);
22972 + atomic_inc_unchecked(&vcc->stats->tx_err);
22973 dev_kfree_skb(skb);
22976 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
22977 skb = dev_alloc_skb(64);
22979 printk("%s: Out of memory in send_oam().\n", card->name);
22980 - atomic_inc(&vcc->stats->tx_err);
22981 + atomic_inc_unchecked(&vcc->stats->tx_err);
22984 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
22985 diff -urNp linux-2.6.35.7/drivers/atm/iphase.c linux-2.6.35.7/drivers/atm/iphase.c
22986 --- linux-2.6.35.7/drivers/atm/iphase.c 2010-08-26 19:47:12.000000000 -0400
22987 +++ linux-2.6.35.7/drivers/atm/iphase.c 2010-09-17 20:12:09.000000000 -0400
22988 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
22989 status = (u_short) (buf_desc_ptr->desc_mode);
22990 if (status & (RX_CER | RX_PTE | RX_OFL))
22992 - atomic_inc(&vcc->stats->rx_err);
22993 + atomic_inc_unchecked(&vcc->stats->rx_err);
22994 IF_ERR(printk("IA: bad packet, dropping it");)
22995 if (status & RX_CER) {
22996 IF_ERR(printk(" cause: packet CRC error\n");)
22997 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
22998 len = dma_addr - buf_addr;
22999 if (len > iadev->rx_buf_sz) {
23000 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
23001 - atomic_inc(&vcc->stats->rx_err);
23002 + atomic_inc_unchecked(&vcc->stats->rx_err);
23003 goto out_free_desc;
23006 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
23007 ia_vcc = INPH_IA_VCC(vcc);
23008 if (ia_vcc == NULL)
23010 - atomic_inc(&vcc->stats->rx_err);
23011 + atomic_inc_unchecked(&vcc->stats->rx_err);
23012 dev_kfree_skb_any(skb);
23013 atm_return(vcc, atm_guess_pdu2truesize(len));
23015 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
23016 if ((length > iadev->rx_buf_sz) || (length >
23017 (skb->len - sizeof(struct cpcs_trailer))))
23019 - atomic_inc(&vcc->stats->rx_err);
23020 + atomic_inc_unchecked(&vcc->stats->rx_err);
23021 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
23022 length, skb->len);)
23023 dev_kfree_skb_any(skb);
23024 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
23026 IF_RX(printk("rx_dle_intr: skb push");)
23027 vcc->push(vcc,skb);
23028 - atomic_inc(&vcc->stats->rx);
23029 + atomic_inc_unchecked(&vcc->stats->rx);
23030 iadev->rx_pkt_cnt++;
23033 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
23035 struct k_sonet_stats *stats;
23036 stats = &PRIV(_ia_dev[board])->sonet_stats;
23037 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23038 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23039 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23040 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23041 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23042 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23043 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23044 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23045 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23046 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23047 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23048 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23049 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23050 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23051 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23052 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23053 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23054 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23056 ia_cmds.status = 0;
23058 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23059 if ((desc == 0) || (desc > iadev->num_tx_desc))
23061 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23062 - atomic_inc(&vcc->stats->tx);
23063 + atomic_inc_unchecked(&vcc->stats->tx);
23065 vcc->pop(vcc, skb);
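Review bot: The converted increment in the invalid-descriptor branch of `ia_pkt_tx` still bumps `stats->tx`, so a rejected send is counted as a successful transmit. The other drivers touched by this patch count rejected sends in `tx_err`. If the current behaviour is unintended, the line would read `atomic_inc_unchecked(&vcc->stats->tx_err);`. The branch continues outside the hunk, so whether `tx` is counted here deliberately cannot be confirmed from these lines.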
23067 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23068 ATM_DESC(skb) = vcc->vci;
23069 skb_queue_tail(&iadev->tx_dma_q, skb);
23071 - atomic_inc(&vcc->stats->tx);
23072 + atomic_inc_unchecked(&vcc->stats->tx);
23073 iadev->tx_pkt_cnt++;
23074 /* Increment transaction counter */
23075 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23078 /* add flow control logic */
23079 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23080 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23081 if (iavcc->vc_desc_cnt > 10) {
23082 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23083 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
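Review bot: The second converted line, `atomic_read_unchecked(&vcc->stats->tx) % 20 == 0`, feeds the flow-control decision, so this counter is not purely informational and the `_unchecked` choice needs a comment. Wrapping past INT_MAX appears to shift the every-20-packets cadence only once, since the remainder of a negative value is still compared against 0. That looks harmless, but the reasoning should be recorded next to the test: `/* stats->tx may wrap; only the modulo cadence is used, never the magnitude */`. The body of `ia_pkt_tx` continues outside the hunk.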
23084 diff -urNp linux-2.6.35.7/drivers/atm/lanai.c linux-2.6.35.7/drivers/atm/lanai.c
23085 --- linux-2.6.35.7/drivers/atm/lanai.c 2010-08-26 19:47:12.000000000 -0400
23086 +++ linux-2.6.35.7/drivers/atm/lanai.c 2010-09-17 20:12:09.000000000 -0400
23087 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23088 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23089 lanai_endtx(lanai, lvcc);
23090 lanai_free_skb(lvcc->tx.atmvcc, skb);
23091 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23092 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23095 /* Try to fill the buffer - don't call unless there is backlog */
23096 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23097 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23098 __net_timestamp(skb);
23099 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23100 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23101 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23103 lvcc->rx.buf.ptr = end;
23104 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23105 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23106 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23107 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23108 lanai->stats.service_rxnotaal5++;
23109 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23110 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23113 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23114 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23116 read_unlock(&vcc_sklist_lock);
23117 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23118 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23119 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23120 lvcc->stats.x.aal5.service_trash++;
23121 bytes = (SERVICE_GET_END(s) * 16) -
23122 (((unsigned long) lvcc->rx.buf.ptr) -
23123 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23125 if (s & SERVICE_STREAM) {
23126 read_unlock(&vcc_sklist_lock);
23127 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23128 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23129 lvcc->stats.x.aal5.service_stream++;
23130 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23131 "PDU on VCI %d!\n", lanai->number, vci);
23132 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23135 DPRINTK("got rx crc error on vci %d\n", vci);
23136 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23137 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23138 lvcc->stats.x.aal5.service_rxcrc++;
23139 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23140 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
23141 diff -urNp linux-2.6.35.7/drivers/atm/nicstar.c linux-2.6.35.7/drivers/atm/nicstar.c
23142 --- linux-2.6.35.7/drivers/atm/nicstar.c 2010-08-26 19:47:12.000000000 -0400
23143 +++ linux-2.6.35.7/drivers/atm/nicstar.c 2010-09-17 20:12:09.000000000 -0400
23144 @@ -1722,7 +1722,7 @@ static int ns_send(struct atm_vcc *vcc,
23145 if ((vc = (vc_map *) vcc->dev_data) == NULL)
23147 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
23148 - atomic_inc(&vcc->stats->tx_err);
23149 + atomic_inc_unchecked(&vcc->stats->tx_err);
23150 dev_kfree_skb_any(skb);
23153 @@ -1730,7 +1730,7 @@ static int ns_send(struct atm_vcc *vcc,
23156 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
23157 - atomic_inc(&vcc->stats->tx_err);
23158 + atomic_inc_unchecked(&vcc->stats->tx_err);
23159 dev_kfree_skb_any(skb);
23162 @@ -1738,7 +1738,7 @@ static int ns_send(struct atm_vcc *vcc,
23163 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
23165 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
23166 - atomic_inc(&vcc->stats->tx_err);
23167 + atomic_inc_unchecked(&vcc->stats->tx_err);
23168 dev_kfree_skb_any(skb);
23171 @@ -1746,7 +1746,7 @@ static int ns_send(struct atm_vcc *vcc,
23172 if (skb_shinfo(skb)->nr_frags != 0)
23174 printk("nicstar%d: No scatter-gather yet.\n", card->index);
23175 - atomic_inc(&vcc->stats->tx_err);
23176 + atomic_inc_unchecked(&vcc->stats->tx_err);
23177 dev_kfree_skb_any(skb);
23180 @@ -1791,11 +1791,11 @@ static int ns_send(struct atm_vcc *vcc,
23182 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
23184 - atomic_inc(&vcc->stats->tx_err);
23185 + atomic_inc_unchecked(&vcc->stats->tx_err);
23186 dev_kfree_skb_any(skb);
23189 - atomic_inc(&vcc->stats->tx);
23190 + atomic_inc_unchecked(&vcc->stats->tx);
23194 @@ -2110,14 +2110,14 @@ static void dequeue_rx(ns_dev *card, ns_
23196 printk("nicstar%d: Can't allocate buffers for aal0.\n",
23198 - atomic_add(i,&vcc->stats->rx_drop);
23199 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
23202 if (!atm_charge(vcc, sb->truesize))
23204 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
23206 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23207 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23208 dev_kfree_skb_any(sb);
23211 @@ -2132,7 +2132,7 @@ static void dequeue_rx(ns_dev *card, ns_
23212 ATM_SKB(sb)->vcc = vcc;
23213 __net_timestamp(sb);
23214 vcc->push(vcc, sb);
23215 - atomic_inc(&vcc->stats->rx);
23216 + atomic_inc_unchecked(&vcc->stats->rx);
23217 cell += ATM_CELL_PAYLOAD;
23220 @@ -2151,7 +2151,7 @@ static void dequeue_rx(ns_dev *card, ns_
23223 printk("nicstar%d: Out of iovec buffers.\n", card->index);
23224 - atomic_inc(&vcc->stats->rx_drop);
23225 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23226 recycle_rx_buf(card, skb);
23229 @@ -2181,7 +2181,7 @@ static void dequeue_rx(ns_dev *card, ns_
23230 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
23232 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23233 - atomic_inc(&vcc->stats->rx_err);
23234 + atomic_inc_unchecked(&vcc->stats->rx_err);
23235 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
23236 NS_SKB(iovb)->iovcnt = 0;
23238 @@ -2201,7 +2201,7 @@ static void dequeue_rx(ns_dev *card, ns_
23239 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
23241 which_list(card, skb);
23242 - atomic_inc(&vcc->stats->rx_err);
23243 + atomic_inc_unchecked(&vcc->stats->rx_err);
23244 recycle_rx_buf(card, skb);
23246 recycle_iov_buf(card, iovb);
23247 @@ -2215,7 +2215,7 @@ static void dequeue_rx(ns_dev *card, ns_
23248 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
23250 which_list(card, skb);
23251 - atomic_inc(&vcc->stats->rx_err);
23252 + atomic_inc_unchecked(&vcc->stats->rx_err);
23253 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23254 NS_SKB(iovb)->iovcnt);
23256 @@ -2239,7 +2239,7 @@ static void dequeue_rx(ns_dev *card, ns_
23257 printk(" - PDU size mismatch.\n");
23260 - atomic_inc(&vcc->stats->rx_err);
23261 + atomic_inc_unchecked(&vcc->stats->rx_err);
23262 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23263 NS_SKB(iovb)->iovcnt);
23265 @@ -2255,7 +2255,7 @@ static void dequeue_rx(ns_dev *card, ns_
23266 if (!atm_charge(vcc, skb->truesize))
23268 push_rxbufs(card, skb);
23269 - atomic_inc(&vcc->stats->rx_drop);
23270 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23274 @@ -2267,7 +2267,7 @@ static void dequeue_rx(ns_dev *card, ns_
23275 ATM_SKB(skb)->vcc = vcc;
23276 __net_timestamp(skb);
23277 vcc->push(vcc, skb);
23278 - atomic_inc(&vcc->stats->rx);
23279 + atomic_inc_unchecked(&vcc->stats->rx);
23282 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
23283 @@ -2282,7 +2282,7 @@ static void dequeue_rx(ns_dev *card, ns_
23284 if (!atm_charge(vcc, sb->truesize))
23286 push_rxbufs(card, sb);
23287 - atomic_inc(&vcc->stats->rx_drop);
23288 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23292 @@ -2294,7 +2294,7 @@ static void dequeue_rx(ns_dev *card, ns_
23293 ATM_SKB(sb)->vcc = vcc;
23294 __net_timestamp(sb);
23295 vcc->push(vcc, sb);
23296 - atomic_inc(&vcc->stats->rx);
23297 + atomic_inc_unchecked(&vcc->stats->rx);
23300 push_rxbufs(card, skb);
23301 @@ -2305,7 +2305,7 @@ static void dequeue_rx(ns_dev *card, ns_
23302 if (!atm_charge(vcc, skb->truesize))
23304 push_rxbufs(card, skb);
23305 - atomic_inc(&vcc->stats->rx_drop);
23306 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23310 @@ -2319,7 +2319,7 @@ static void dequeue_rx(ns_dev *card, ns_
23311 ATM_SKB(skb)->vcc = vcc;
23312 __net_timestamp(skb);
23313 vcc->push(vcc, skb);
23314 - atomic_inc(&vcc->stats->rx);
23315 + atomic_inc_unchecked(&vcc->stats->rx);
23318 push_rxbufs(card, sb);
23319 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev *card, ns_
23322 printk("nicstar%d: Out of huge buffers.\n", card->index);
23323 - atomic_inc(&vcc->stats->rx_drop);
23324 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23325 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23326 NS_SKB(iovb)->iovcnt);
23328 @@ -2392,7 +2392,7 @@ static void dequeue_rx(ns_dev *card, ns_
23331 dev_kfree_skb_any(hb);
23332 - atomic_inc(&vcc->stats->rx_drop);
23333 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23337 @@ -2426,7 +2426,7 @@ static void dequeue_rx(ns_dev *card, ns_
23338 #endif /* NS_USE_DESTRUCTORS */
23339 __net_timestamp(hb);
23340 vcc->push(vcc, hb);
23341 - atomic_inc(&vcc->stats->rx);
23342 + atomic_inc_unchecked(&vcc->stats->rx);
23346 diff -urNp linux-2.6.35.7/drivers/atm/solos-pci.c linux-2.6.35.7/drivers/atm/solos-pci.c
23347 --- linux-2.6.35.7/drivers/atm/solos-pci.c 2010-08-26 19:47:12.000000000 -0400
23348 +++ linux-2.6.35.7/drivers/atm/solos-pci.c 2010-09-17 20:12:09.000000000 -0400
23349 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
23351 atm_charge(vcc, skb->truesize);
23352 vcc->push(vcc, skb);
23353 - atomic_inc(&vcc->stats->rx);
23354 + atomic_inc_unchecked(&vcc->stats->rx);
23358 @@ -1023,7 +1023,7 @@ static uint32_t fpga_tx(struct solos_car
23359 vcc = SKB_CB(oldskb)->vcc;
23362 - atomic_inc(&vcc->stats->tx);
23363 + atomic_inc_unchecked(&vcc->stats->tx);
23364 solos_pop(vcc, oldskb);
23366 dev_kfree_skb_irq(oldskb);
23367 diff -urNp linux-2.6.35.7/drivers/atm/suni.c linux-2.6.35.7/drivers/atm/suni.c
23368 --- linux-2.6.35.7/drivers/atm/suni.c 2010-08-26 19:47:12.000000000 -0400
23369 +++ linux-2.6.35.7/drivers/atm/suni.c 2010-09-17 20:12:09.000000000 -0400
23370 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23373 #define ADD_LIMITED(s,v) \
23374 - atomic_add((v),&stats->s); \
23375 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23376 + atomic_add_unchecked((v),&stats->s); \
23377 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23380 static void suni_hz(unsigned long from_timer)
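Review bot: ADD_LIMITED carries no comment saying that its clamp depends on the counter being allowed to wrap: the macro adds, then tests for a negative value and pins it to INT_MAX, which presumably is why it has to use the `_unchecked` operations introduced here. I would add `/* saturating statistics counter: relies on wraparound to a negative value, keep on the _unchecked atomics */` above the macro, and above the braced copy in uPD98402.c. The suni.c form also expands to two bare statements, so a use under an unbraced `if` would run the clamp unconditionally; the uPD98402.c variant already encloses its body in braces. The macro's users are outside the hunk.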
23381 diff -urNp linux-2.6.35.7/drivers/atm/uPD98402.c linux-2.6.35.7/drivers/atm/uPD98402.c
23382 --- linux-2.6.35.7/drivers/atm/uPD98402.c 2010-08-26 19:47:12.000000000 -0400
23383 +++ linux-2.6.35.7/drivers/atm/uPD98402.c 2010-09-17 20:12:09.000000000 -0400
23384 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23385 struct sonet_stats tmp;
23388 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23389 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23390 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23391 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23392 if (zero && !error) {
23393 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23396 #define ADD_LIMITED(s,v) \
23397 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23398 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23399 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23400 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23401 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23402 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23405 static void stat_event(struct atm_dev *dev)
23406 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
23407 if (reason & uPD98402_INT_PFM) stat_event(dev);
23408 if (reason & uPD98402_INT_PCO) {
23409 (void) GET(PCOCR); /* clear interrupt cause */
23410 - atomic_add(GET(HECCT),
23411 + atomic_add_unchecked(GET(HECCT),
23412 &PRIV(dev)->sonet_stats.uncorr_hcs);
23414 if ((reason & uPD98402_INT_RFO) &&
23415 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
23416 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23417 uPD98402_INT_LOS),PIMR); /* enable them */
23418 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23419 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23420 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23421 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23422 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23423 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23424 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23428 diff -urNp linux-2.6.35.7/drivers/atm/zatm.c linux-2.6.35.7/drivers/atm/zatm.c
23429 --- linux-2.6.35.7/drivers/atm/zatm.c 2010-08-26 19:47:12.000000000 -0400
23430 +++ linux-2.6.35.7/drivers/atm/zatm.c 2010-09-17 20:12:09.000000000 -0400
23431 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23434 dev_kfree_skb_irq(skb);
23435 - if (vcc) atomic_inc(&vcc->stats->rx_err);
23436 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23439 if (!atm_charge(vcc,skb->truesize)) {
23440 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23442 ATM_SKB(skb)->vcc = vcc;
23443 vcc->push(vcc,skb);
23444 - atomic_inc(&vcc->stats->rx);
23445 + atomic_inc_unchecked(&vcc->stats->rx);
23447 zout(pos & 0xffff,MTA(mbx));
23448 #if 0 /* probably a stupid idea */
23449 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
23450 skb_queue_head(&zatm_vcc->backlog,skb);
23453 - atomic_inc(&vcc->stats->tx);
23454 + atomic_inc_unchecked(&vcc->stats->tx);
23455 wake_up(&zatm_vcc->tx_wait);
23458 diff -urNp linux-2.6.35.7/drivers/block/pktcdvd.c linux-2.6.35.7/drivers/block/pktcdvd.c
23459 --- linux-2.6.35.7/drivers/block/pktcdvd.c 2010-08-26 19:47:12.000000000 -0400
23460 +++ linux-2.6.35.7/drivers/block/pktcdvd.c 2010-09-27 18:50:29.000000000 -0400
23461 @@ -2368,7 +2368,7 @@ static void pkt_release_dev(struct pktcd
23462 pkt_shrink_pktlist(pd);
23465 -static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
23466 +static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
23468 if (dev_minor >= MAX_WRITERS)
23470 diff -urNp linux-2.6.35.7/drivers/char/agp/frontend.c linux-2.6.35.7/drivers/char/agp/frontend.c
23471 --- linux-2.6.35.7/drivers/char/agp/frontend.c 2010-08-26 19:47:12.000000000 -0400
23472 +++ linux-2.6.35.7/drivers/char/agp/frontend.c 2010-09-17 20:12:09.000000000 -0400
23473 @@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
23474 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23477 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23478 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23481 client = agp_find_client_by_pid(reserve.pid);
23482 diff -urNp linux-2.6.35.7/drivers/char/agp/intel-agp.c linux-2.6.35.7/drivers/char/agp/intel-agp.c
23483 --- linux-2.6.35.7/drivers/char/agp/intel-agp.c 2010-09-26 17:32:11.000000000 -0400
23484 +++ linux-2.6.35.7/drivers/char/agp/intel-agp.c 2010-09-26 17:35:29.000000000 -0400
23485 @@ -1054,7 +1054,7 @@ static struct pci_device_id agp_intel_pc
23486 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23487 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
23488 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_S_HB),
23490 + { 0, 0, 0, 0, 0, 0, 0 }
23493 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
23494 diff -urNp linux-2.6.35.7/drivers/char/hpet.c linux-2.6.35.7/drivers/char/hpet.c
23495 --- linux-2.6.35.7/drivers/char/hpet.c 2010-08-26 19:47:12.000000000 -0400
23496 +++ linux-2.6.35.7/drivers/char/hpet.c 2010-09-17 20:12:09.000000000 -0400
23497 @@ -429,7 +429,7 @@ static int hpet_release(struct inode *in
23501 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
23502 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
23504 static long hpet_ioctl(struct file *file, unsigned int cmd,
23506 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
23510 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
23511 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
23513 struct hpet_timer __iomem *timer;
23514 struct hpet __iomem *hpet;
23515 @@ -998,7 +998,7 @@ static struct acpi_driver hpet_acpi_driv
23519 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23520 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
23522 static int __init hpet_init(void)
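Review bot: The `hpet_misc` initializer is positional, so the added `{NULL, NULL}, NULL, NULL` entries hard-code the current member order of `struct miscdevice`. Designated initializers stay correct if the structure is reordered or extended and let the remaining members default to zero: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`.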
23524 diff -urNp linux-2.6.35.7/drivers/char/hvc_console.h linux-2.6.35.7/drivers/char/hvc_console.h
23525 --- linux-2.6.35.7/drivers/char/hvc_console.h 2010-08-26 19:47:12.000000000 -0400
23526 +++ linux-2.6.35.7/drivers/char/hvc_console.h 2010-09-17 20:12:09.000000000 -0400
23527 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
23528 /* register a vterm for hvc tty operation (module_init or hotplug add) */
23529 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
23530 const struct hv_ops *ops, int outbuf_size);
23532 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
23533 extern int hvc_remove(struct hvc_struct *hp);
23535 diff -urNp linux-2.6.35.7/drivers/char/hvcs.c linux-2.6.35.7/drivers/char/hvcs.c
23536 --- linux-2.6.35.7/drivers/char/hvcs.c 2010-08-26 19:47:12.000000000 -0400
23537 +++ linux-2.6.35.7/drivers/char/hvcs.c 2010-09-17 20:12:09.000000000 -0400
23538 @@ -270,7 +270,7 @@ struct hvcs_struct {
23539 unsigned int index;
23541 struct tty_struct *tty;
23543 + atomic_t open_count;
23546 * Used to tell the driver kernel_thread what operations need to take
23547 @@ -420,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
23549 spin_lock_irqsave(&hvcsd->lock, flags);
23551 - if (hvcsd->open_count > 0) {
23552 + if (atomic_read(&hvcsd->open_count) > 0) {
23553 spin_unlock_irqrestore(&hvcsd->lock, flags);
23554 printk(KERN_INFO "HVCS: vterm state unchanged. "
23555 "The hvcs device node is still in use.\n");
23556 @@ -1136,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
23557 if ((retval = hvcs_partner_connect(hvcsd)))
23558 goto error_release;
23560 - hvcsd->open_count = 1;
23561 + atomic_set(&hvcsd->open_count, 1);
23563 tty->driver_data = hvcsd;
23565 @@ -1170,7 +1170,7 @@ fast_open:
23567 spin_lock_irqsave(&hvcsd->lock, flags);
23568 kref_get(&hvcsd->kref);
23569 - hvcsd->open_count++;
23570 + atomic_inc(&hvcsd->open_count);
23571 hvcsd->todo_mask |= HVCS_SCHED_READ;
23572 spin_unlock_irqrestore(&hvcsd->lock, flags);
23574 @@ -1214,7 +1214,7 @@ static void hvcs_close(struct tty_struct
23575 hvcsd = tty->driver_data;
23577 spin_lock_irqsave(&hvcsd->lock, flags);
23578 - if (--hvcsd->open_count == 0) {
23579 + if (atomic_dec_and_test(&hvcsd->open_count)) {
23581 vio_disable_interrupts(hvcsd->vdev);
23583 @@ -1240,10 +1240,10 @@ static void hvcs_close(struct tty_struct
23584 free_irq(irq, hvcsd);
23585 kref_put(&hvcsd->kref, destroy_hvcs_struct);
23587 - } else if (hvcsd->open_count < 0) {
23588 + } else if (atomic_read(&hvcsd->open_count) < 0) {
23589 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
23590 " is missmanaged.\n",
23591 - hvcsd->vdev->unit_address, hvcsd->open_count);
23592 + hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
23595 spin_unlock_irqrestore(&hvcsd->lock, flags);
23596 @@ -1259,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
23598 spin_lock_irqsave(&hvcsd->lock, flags);
23599 /* Preserve this so that we know how many kref refs to put */
23600 - temp_open_count = hvcsd->open_count;
23601 + temp_open_count = atomic_read(&hvcsd->open_count);
23604 * Don't kref put inside the spinlock because the destruction
23605 @@ -1274,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
23606 hvcsd->tty->driver_data = NULL;
23609 - hvcsd->open_count = 0;
23610 + atomic_set(&hvcsd->open_count, 0);
23612 /* This will drop any buffered data on the floor which is OK in a hangup
23614 @@ -1345,7 +1345,7 @@ static int hvcs_write(struct tty_struct
23615 * the middle of a write operation? This is a crummy place to do this
23616 * but we want to keep it all in the spinlock.
23618 - if (hvcsd->open_count <= 0) {
23619 + if (atomic_read(&hvcsd->open_count) <= 0) {
23620 spin_unlock_irqrestore(&hvcsd->lock, flags);
23623 @@ -1419,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
23625 struct hvcs_struct *hvcsd = tty->driver_data;
23627 - if (!hvcsd || hvcsd->open_count <= 0)
23628 + if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
23631 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
23632 diff -urNp linux-2.6.35.7/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.35.7/drivers/char/ipmi/ipmi_msghandler.c
23633 --- linux-2.6.35.7/drivers/char/ipmi/ipmi_msghandler.c 2010-08-26 19:47:12.000000000 -0400
23634 +++ linux-2.6.35.7/drivers/char/ipmi/ipmi_msghandler.c 2010-09-17 20:12:09.000000000 -0400
23635 @@ -414,7 +414,7 @@ struct ipmi_smi {
23636 struct proc_dir_entry *proc_dir;
23637 char proc_dir_name[10];
23639 - atomic_t stats[IPMI_NUM_STATS];
23640 + atomic_unchecked_t stats[IPMI_NUM_STATS];
23643 * run_to_completion duplicate of smb_info, smi_info
23644 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
23647 #define ipmi_inc_stat(intf, stat) \
23648 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
23649 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
23650 #define ipmi_get_stat(intf, stat) \
23651 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
23652 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
23654 static int is_lan_addr(struct ipmi_addr *addr)
23656 @@ -2817,7 +2817,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
23657 INIT_LIST_HEAD(&intf->cmd_rcvrs);
23658 init_waitqueue_head(&intf->waitq);
23659 for (i = 0; i < IPMI_NUM_STATS; i++)
23660 - atomic_set(&intf->stats[i], 0);
23661 + atomic_set_unchecked(&intf->stats[i], 0);
23663 intf->proc_dir = NULL;
23665 diff -urNp linux-2.6.35.7/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.35.7/drivers/char/ipmi/ipmi_si_intf.c
23666 --- linux-2.6.35.7/drivers/char/ipmi/ipmi_si_intf.c 2010-08-26 19:47:12.000000000 -0400
23667 +++ linux-2.6.35.7/drivers/char/ipmi/ipmi_si_intf.c 2010-09-17 20:12:09.000000000 -0400
23668 @@ -286,7 +286,7 @@ struct smi_info {
23669 unsigned char slave_addr;
23671 /* Counters and things for the proc filesystem. */
23672 - atomic_t stats[SI_NUM_STATS];
23673 + atomic_unchecked_t stats[SI_NUM_STATS];
23675 struct task_struct *thread;
23677 @@ -294,9 +294,9 @@ struct smi_info {
23680 #define smi_inc_stat(smi, stat) \
23681 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
23682 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
23683 #define smi_get_stat(smi, stat) \
23684 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
23685 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
23687 #define SI_MAX_PARMS 4
23689 @@ -3143,7 +3143,7 @@ static int try_smi_init(struct smi_info
23690 atomic_set(&new_smi->req_events, 0);
23691 new_smi->run_to_completion = 0;
23692 for (i = 0; i < SI_NUM_STATS; i++)
23693 - atomic_set(&new_smi->stats[i], 0);
23694 + atomic_set_unchecked(&new_smi->stats[i], 0);
23696 new_smi->interrupt_disabled = 1;
23697 atomic_set(&new_smi->stop_operation, 0);
23698 diff -urNp linux-2.6.35.7/drivers/char/keyboard.c linux-2.6.35.7/drivers/char/keyboard.c
23699 --- linux-2.6.35.7/drivers/char/keyboard.c 2010-08-26 19:47:12.000000000 -0400
23700 +++ linux-2.6.35.7/drivers/char/keyboard.c 2010-09-17 20:12:37.000000000 -0400
23701 @@ -640,6 +640,16 @@ static void k_spec(struct vc_data *vc, u
23702 kbd->kbdmode == VC_MEDIUMRAW) &&
23703 value != KVAL(K_SAK))
23704 return; /* SAK is allowed even in raw mode */
23706 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
23708 + void *func = fn_handler[value];
23709 + if (func == fn_show_state || func == fn_show_ptregs ||
23710 + func == fn_show_mem)
23715 fn_handler[value](vc);
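Review bot: The new block in k_spec() singles out fn_show_state, fn_show_ptregs and fn_show_mem, but nothing says why these three are filtered or that the list must be extended when another handler of the same kind is added. A one-line comment would do, for example `/* do not let console keys dump task, register or memory state when /proc is restricted */`, assuming that is the intent behind the two config options. `func` could also be declared with the element type of `fn_handler` rather than `void *`, since it only ever holds a function pointer. k_spec() starts and ends outside the hunk.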
23718 @@ -1392,7 +1402,7 @@ static const struct input_device_id kbd_
23719 .evbit = { BIT_MASK(EV_SND) },
23722 - { }, /* Terminating entry */
23723 + { 0 }, /* Terminating entry */
23726 MODULE_DEVICE_TABLE(input, kbd_ids);
23727 diff -urNp linux-2.6.35.7/drivers/char/mem.c linux-2.6.35.7/drivers/char/mem.c
23728 --- linux-2.6.35.7/drivers/char/mem.c 2010-09-26 17:32:11.000000000 -0400
23729 +++ linux-2.6.35.7/drivers/char/mem.c 2010-09-26 17:32:46.000000000 -0400
23731 #include <linux/raw.h>
23732 #include <linux/tty.h>
23733 #include <linux/capability.h>
23734 +#include <linux/security.h>
23735 #include <linux/ptrace.h>
23736 #include <linux/device.h>
23737 #include <linux/highmem.h>
23739 # include <linux/efi.h>
23742 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23743 +extern struct file_operations grsec_fops;
23746 static inline unsigned long size_inside_page(unsigned long start,
23747 unsigned long size)
23749 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
23751 while (count > 0) {
23752 unsigned long remaining;
23755 sz = size_inside_page(p, count);
23757 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
23761 - remaining = copy_to_user(buf, ptr, sz);
23762 +#ifdef CONFIG_PAX_USERCOPY
23763 + temp = kmalloc(sz, GFP_KERNEL);
23765 + unxlate_dev_mem_ptr(p, ptr);
23768 + memcpy(temp, ptr, sz);
23773 + remaining = copy_to_user(buf, temp, sz);
23775 +#ifdef CONFIG_PAX_USERCOPY
23779 unxlate_dev_mem_ptr(p, ptr);
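Review bot: The CONFIG_PAX_USERCOPY path in read_mem() calls `kmalloc(sz, GFP_KERNEL)` inside the `while (count > 0)` loop, so every page-sized step of a large read pays for an allocation and, presumably, a matching free. Since `sz` comes from size_inside_page() and should not exceed one page, a single buffer obtained before the loop and released after it would serve every iteration; the same applies to the matching block in read_kmem(). A short comment stating why the data is bounced through `temp` before copy_to_user() would also help, as the reason is not evident from this file. Parts of both functions lie outside the hunks.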
23782 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
23783 if (!valid_phys_addr_range(p, count))
23786 +#ifdef CONFIG_GRKERNSEC_KMEM
23787 + gr_handle_mem_write();
23793 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
23794 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
23795 &vma->vm_page_prot))
23798 +#ifdef CONFIG_GRKERNSEC_KMEM
23799 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
23803 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
23805 vma->vm_page_prot);
23806 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
23807 size_t count, loff_t *ppos)
23809 unsigned long p = *ppos;
23810 - ssize_t low_count, read, sz;
23811 + ssize_t low_count, read, sz, err = 0;
23812 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
23816 if (p < (unsigned long) high_memory) {
23817 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
23820 while (low_count > 0) {
23823 sz = size_inside_page(p, low_count);
23826 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
23828 kbuf = xlate_dev_kmem_ptr((char *)p);
23830 - if (copy_to_user(buf, kbuf, sz))
23831 +#ifdef CONFIG_PAX_USERCOPY
23832 + temp = kmalloc(sz, GFP_KERNEL);
23835 + memcpy(temp, kbuf, sz);
23840 + err = copy_to_user(buf, temp, sz);
23842 +#ifdef CONFIG_PAX_USERCOPY
23850 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
23851 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
23854 +#ifdef CONFIG_GRKERNSEC_KMEM
23855 + gr_handle_kmem_write();
23859 if (p < (unsigned long) high_memory) {
23860 unsigned long to_write = min_t(unsigned long, count,
23861 (unsigned long)high_memory - p);
23862 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
23864 static int open_port(struct inode * inode, struct file * filp)
23866 +#ifdef CONFIG_GRKERNSEC_KMEM
23867 + gr_handle_open_port();
23871 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23874 +static int open_mem(struct inode * inode, struct file * filp)
23876 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23879 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
23880 #define full_lseek null_lseek
23881 #define write_zero write_null
23882 #define read_full read_zero
23883 -#define open_mem open_port
23884 #define open_kmem open_mem
23885 #define open_oldmem open_mem
23887 @@ -855,6 +917,9 @@ static const struct memdev {
23888 #ifdef CONFIG_CRASH_DUMP
23889 [12] = { "oldmem", 0, &oldmem_fops, NULL },
23891 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23892 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
23896 static int memory_open(struct inode *inode, struct file *filp)
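Review bot: The new `[13]` entry creates the "grsec" node with `S_IRUSR | S_IWUGO`, that is, writable by every user, and the table gives no hint why. Because `grsec_fops` is only declared `extern` in this file, a reader cannot tell here that its write handler is meant to be reachable by unprivileged processes and must authenticate the caller itself. I would add a comment on the entry such as `/* world-writable on purpose: the grsec_fops write handler validates the caller */`, if that is indeed how the handler works, and tighten the mode otherwise.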
23897 diff -urNp linux-2.6.35.7/drivers/char/n_tty.c linux-2.6.35.7/drivers/char/n_tty.c
23898 --- linux-2.6.35.7/drivers/char/n_tty.c 2010-08-26 19:47:12.000000000 -0400
23899 +++ linux-2.6.35.7/drivers/char/n_tty.c 2010-09-17 20:12:09.000000000 -0400
23900 @@ -2105,6 +2105,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
23902 *ops = tty_ldisc_N_TTY;
23904 - ops->refcount = ops->flags = 0;
23905 + atomic_set(&ops->refcount, 0);
23908 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
23909 diff -urNp linux-2.6.35.7/drivers/char/nvram.c linux-2.6.35.7/drivers/char/nvram.c
23910 --- linux-2.6.35.7/drivers/char/nvram.c 2010-08-26 19:47:12.000000000 -0400
23911 +++ linux-2.6.35.7/drivers/char/nvram.c 2010-09-17 20:12:09.000000000 -0400
23912 @@ -245,7 +245,7 @@ static ssize_t nvram_read(struct file *f
23914 spin_unlock_irq(&rtc_lock);
23916 - if (copy_to_user(buf, contents, tmp - contents))
23917 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
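Review bot: The added `tmp - contents > sizeof(contents)` test in nvram_read() sits after the point where `contents` is filled (the fill loop is outside the hunk), so it can only stop an over-long copy to user space, not the write that would have produced it. If that loop is already bounded by the array size the test can never fire, and a comment marking it as a defensive check on the copy-out length would make that clear. The comparison also mixes a signed pointer difference with `size_t`; it behaves correctly because a negative difference converts to a large unsigned value, but computing `size_t len = tmp - contents;` once and using it for both the test and the copy reads better.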
23921 @@ -434,7 +434,10 @@ static const struct file_operations nvra
23922 static struct miscdevice nvram_dev = {
23932 static int __init nvram_init(void)
23933 diff -urNp linux-2.6.35.7/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.35.7/drivers/char/pcmcia/ipwireless/tty.c
23934 --- linux-2.6.35.7/drivers/char/pcmcia/ipwireless/tty.c 2010-08-26 19:47:12.000000000 -0400
23935 +++ linux-2.6.35.7/drivers/char/pcmcia/ipwireless/tty.c 2010-09-17 20:12:09.000000000 -0400
23936 @@ -51,7 +51,7 @@ struct ipw_tty {
23938 struct ipw_network *network;
23939 struct tty_struct *linux_tty;
23941 + atomic_t open_count;
23942 unsigned int control_lines;
23943 struct mutex ipw_tty_mutex;
23944 int tx_bytes_queued;
23945 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
23946 mutex_unlock(&tty->ipw_tty_mutex);
23949 - if (tty->open_count == 0)
23950 + if (atomic_read(&tty->open_count) == 0)
23951 tty->tx_bytes_queued = 0;
23953 - tty->open_count++;
23954 + atomic_inc(&tty->open_count);
23956 tty->linux_tty = linux_tty;
23957 linux_tty->driver_data = tty;
23958 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
23960 static void do_ipw_close(struct ipw_tty *tty)
23962 - tty->open_count--;
23964 - if (tty->open_count == 0) {
23965 + if (atomic_dec_return(&tty->open_count) == 0) {
23966 struct tty_struct *linux_tty = tty->linux_tty;
23968 if (linux_tty != NULL) {
23969 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
23972 mutex_lock(&tty->ipw_tty_mutex);
23973 - if (tty->open_count == 0) {
23974 + if (atomic_read(&tty->open_count) == 0) {
23975 mutex_unlock(&tty->ipw_tty_mutex);
23978 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
23982 - if (!tty->open_count) {
23983 + if (!atomic_read(&tty->open_count)) {
23984 mutex_unlock(&tty->ipw_tty_mutex);
23987 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
23990 mutex_lock(&tty->ipw_tty_mutex);
23991 - if (!tty->open_count) {
23992 + if (!atomic_read(&tty->open_count)) {
23993 mutex_unlock(&tty->ipw_tty_mutex);
23996 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
24000 - if (!tty->open_count)
24001 + if (!atomic_read(&tty->open_count))
24004 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
24005 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
24009 - if (!tty->open_count)
24010 + if (!atomic_read(&tty->open_count))
24013 return tty->tx_bytes_queued;
24014 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
24018 - if (!tty->open_count)
24019 + if (!atomic_read(&tty->open_count))
24022 return get_control_lines(tty);
24023 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
24027 - if (!tty->open_count)
24028 + if (!atomic_read(&tty->open_count))
24031 return set_control_lines(tty, set, clear);
24032 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
24036 - if (!tty->open_count)
24037 + if (!atomic_read(&tty->open_count))
24040 /* FIXME: Exactly how is the tty object locked here .. */
24041 @@ -582,7 +580,7 @@ void ipwireless_tty_free(struct ipw_tty
24042 against a parallel ioctl etc */
24043 mutex_lock(&ttyj->ipw_tty_mutex);
24045 - while (ttyj->open_count)
24046 + while (atomic_read(&ttyj->open_count))
24047 do_ipw_close(ttyj);
24048 ipwireless_disassociate_network_ttys(network,
24049 ttyj->channel_idx);
24050 diff -urNp linux-2.6.35.7/drivers/char/pty.c linux-2.6.35.7/drivers/char/pty.c
24051 --- linux-2.6.35.7/drivers/char/pty.c 2010-08-26 19:47:12.000000000 -0400
24052 +++ linux-2.6.35.7/drivers/char/pty.c 2010-09-17 20:12:09.000000000 -0400
24053 @@ -677,7 +677,18 @@ static int ptmx_open(struct inode *inode
24057 -static struct file_operations ptmx_fops;
24058 +static const struct file_operations ptmx_fops = {
24059 + .llseek = no_llseek,
24060 + .read = tty_read,
24061 + .write = tty_write,
24062 + .poll = tty_poll,
24063 + .unlocked_ioctl = tty_ioctl,
24064 + .compat_ioctl = tty_compat_ioctl,
24065 + .open = ptmx_open,
24066 + .release = tty_release,
24067 + .fasync = tty_fasync,
24071 static void __init unix98_pty_init(void)
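Review bot: `ptmx_fops` is now a hand-written copy of the tty file operations with only `.open` replaced, so it will silently drift if a member is later added to or changed in `tty_fops` in tty_io.c. A comment above the initializer, for example `/* must mirror tty_fops in tty_io.c except for .open */`, would make that dependency visible. The copy is a consequence of making the structure `const`, since the removed `tty_default_fops()` call and the `.open` assignment wrote to it at init time.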
24073 @@ -731,9 +742,6 @@ static void __init unix98_pty_init(void)
24074 register_sysctl_table(pty_root_table);
24076 /* Now create the /dev/ptmx special device */
24077 - tty_default_fops(&ptmx_fops);
24078 - ptmx_fops.open = ptmx_open;
24080 cdev_init(&ptmx_cdev, &ptmx_fops);
24081 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
24082 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
24083 diff -urNp linux-2.6.35.7/drivers/char/random.c linux-2.6.35.7/drivers/char/random.c
24084 --- linux-2.6.35.7/drivers/char/random.c 2010-08-26 19:47:12.000000000 -0400
24085 +++ linux-2.6.35.7/drivers/char/random.c 2010-09-17 20:24:41.000000000 -0400
24086 @@ -254,8 +254,13 @@
24088 * Configuration information
24090 +#ifdef CONFIG_GRKERNSEC_RANDNET
24091 +#define INPUT_POOL_WORDS 512
24092 +#define OUTPUT_POOL_WORDS 128
24094 #define INPUT_POOL_WORDS 128
24095 #define OUTPUT_POOL_WORDS 32
24097 #define SEC_XFER_SIZE 512
24098 #define EXTRACT_SIZE 10
24100 @@ -293,10 +298,17 @@ static struct poolinfo {
24102 int tap1, tap2, tap3, tap4, tap5;
24103 } poolinfo_table[] = {
24104 +#ifdef CONFIG_GRKERNSEC_RANDNET
24105 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
24106 + { 512, 411, 308, 208, 104, 1 },
24107 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
24108 + { 128, 103, 76, 51, 25, 1 },
24110 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
24111 { 128, 103, 76, 51, 25, 1 },
24112 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
24113 { 32, 26, 20, 14, 7, 1 },
24116 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
24117 { 2048, 1638, 1231, 819, 411, 1 },
24118 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
24120 extract_buf(r, tmp);
24121 i = min_t(int, nbytes, EXTRACT_SIZE);
24122 - if (copy_to_user(buf, tmp, i)) {
24123 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
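Review bot: `i` is computed with `min_t(int, nbytes, EXTRACT_SIZE)`, so a very large `nbytes` would turn negative in the cast, and the added `i > sizeof(tmp)` catches that only through the implicit conversion of `i` to an unsigned type. Doing the clamp in the unsigned domain removes that dependency: `i = min_t(size_t, nbytes, EXTRACT_SIZE);`. The declarations of `i`, `nbytes` and `tmp` are outside the hunk, so this assumes `nbytes` is a `size_t`.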
24127 @@ -1205,7 +1217,7 @@ EXPORT_SYMBOL(generate_random_uuid);
24128 #include <linux/sysctl.h>
24130 static int min_read_thresh = 8, min_write_thresh;
24131 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
24132 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
24133 static int max_write_thresh = INPUT_POOL_WORDS * 32;
24134 static char sysctl_bootid[16];
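Review bot: Switching `max_read_thresh` to `OUTPUT_POOL_WORDS * 32` changes the limit for kernels built without CONFIG_GRKERNSEC_RANDNET as well: with the pool sizes defined in the first hunk of this file it drops from 128 * 32 to 32 * 32 bits, while with RANDNET it stays at 128 * 32. If the intent is only to keep the old ceiling when the input pool grows to 512 words, that should be stated in a comment, or the initializer made conditional so the non-RANDNET value is unchanged. `max_write_thresh` on the next line still follows INPUT_POOL_WORDS.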
24136 diff -urNp linux-2.6.35.7/drivers/char/sonypi.c linux-2.6.35.7/drivers/char/sonypi.c
24137 --- linux-2.6.35.7/drivers/char/sonypi.c 2010-08-26 19:47:12.000000000 -0400
24138 +++ linux-2.6.35.7/drivers/char/sonypi.c 2010-09-17 20:12:09.000000000 -0400
24139 @@ -491,7 +491,7 @@ static struct sonypi_device {
24140 spinlock_t fifo_lock;
24141 wait_queue_head_t fifo_proc_list;
24142 struct fasync_struct *fifo_async;
24144 + atomic_t open_count;
24146 struct input_dev *input_jog_dev;
24147 struct input_dev *input_key_dev;
24148 @@ -898,7 +898,7 @@ static int sonypi_misc_fasync(int fd, st
24149 static int sonypi_misc_release(struct inode *inode, struct file *file)
24151 mutex_lock(&sonypi_device.lock);
24152 - sonypi_device.open_count--;
24153 + atomic_dec(&sonypi_device.open_count);
24154 mutex_unlock(&sonypi_device.lock);
24157 @@ -907,9 +907,9 @@ static int sonypi_misc_open(struct inode
24159 mutex_lock(&sonypi_device.lock);
24160 /* Flush input queue on first open */
24161 - if (!sonypi_device.open_count)
24162 + if (!atomic_read(&sonypi_device.open_count))
24163 kfifo_reset(&sonypi_device.fifo);
24164 - sonypi_device.open_count++;
24165 + atomic_inc(&sonypi_device.open_count);
24166 mutex_unlock(&sonypi_device.lock);
24169 diff -urNp linux-2.6.35.7/drivers/char/tpm/tpm_bios.c linux-2.6.35.7/drivers/char/tpm/tpm_bios.c
24170 --- linux-2.6.35.7/drivers/char/tpm/tpm_bios.c 2010-08-26 19:47:12.000000000 -0400
24171 +++ linux-2.6.35.7/drivers/char/tpm/tpm_bios.c 2010-09-17 20:12:09.000000000 -0400
24172 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
24175 if ((event->event_type == 0 && event->event_size == 0) ||
24176 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24177 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
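Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids overflowing the pointer sum, but it is only correct when at least `sizeof(struct tcpa_event)` bytes remain before `limit`. With fewer, the right-hand side wraps to a very large value once it is converted to an unsigned type, and the test lets the event through. An earlier check may already guarantee the remaining space (it is not visible in the hunk); if it does not, put `limit - addr < sizeof(struct tcpa_event) ||` in front of the comparison. The same applies to the `limit - v` form in tpm_bios_measurements_next().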
24181 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
24184 if ((event->event_type == 0 && event->event_size == 0) ||
24185 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24186 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24190 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24193 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24194 - seq_putc(m, data[i]);
24195 + if (!seq_putc(m, data[i]))
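Review bot: The new test is `if (!seq_putc(m, data[i]))`, which fires when seq_putc() returns zero. If seq_putc() in this tree returns 0 on success and non-zero when the buffer is full, the condition is inverted and the error path would be taken on the first byte written; the intended form would then be `if (seq_putc(m, data[i]))`. Please confirm against the seq_putc() definition, which is not part of the hunk. The `for` body also deserves braces now that it holds a nested `if`.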
24200 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
24201 log->bios_event_log_end = log->bios_event_log + len;
24203 virt = acpi_os_map_memory(start, len);
24205 + kfree(log->bios_event_log);
24206 + log->bios_event_log = NULL;
24210 memcpy(log->bios_event_log, virt, len);
24212 diff -urNp linux-2.6.35.7/drivers/char/tty_io.c linux-2.6.35.7/drivers/char/tty_io.c
24213 --- linux-2.6.35.7/drivers/char/tty_io.c 2010-08-26 19:47:12.000000000 -0400
24214 +++ linux-2.6.35.7/drivers/char/tty_io.c 2010-09-17 20:12:09.000000000 -0400
24215 @@ -136,20 +136,10 @@ LIST_HEAD(tty_drivers); /* linked list
24216 DEFINE_MUTEX(tty_mutex);
24217 EXPORT_SYMBOL(tty_mutex);
24219 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
24220 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
24221 ssize_t redirected_tty_write(struct file *, const char __user *,
24223 -static unsigned int tty_poll(struct file *, poll_table *);
24224 static int tty_open(struct inode *, struct file *);
24225 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
24226 -#ifdef CONFIG_COMPAT
24227 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24228 - unsigned long arg);
24230 -#define tty_compat_ioctl NULL
24232 -static int tty_fasync(int fd, struct file *filp, int on);
24233 static void release_tty(struct tty_struct *tty, int idx);
24234 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24235 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24236 @@ -871,7 +861,7 @@ EXPORT_SYMBOL(start_tty);
24237 * read calls may be outstanding in parallel.
24240 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24241 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24245 @@ -899,6 +889,8 @@ static ssize_t tty_read(struct file *fil
24249 +EXPORT_SYMBOL(tty_read);
24251 void tty_write_unlock(struct tty_struct *tty)
24253 mutex_unlock(&tty->atomic_write_lock);
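Review bot: `EXPORT_SYMBOL(tty_read)` makes the function available to every loadable module, although the only new user visible in this patch is the `ptmx_fops` initializer in pty.c. If pty.c is always built into the kernel, dropping `static` and adding a prototype in a shared header is enough and the export can go; if an export is needed, `EXPORT_SYMBOL_GPL`, as already used for `get_current_tty` further down, keeps the exposed surface smaller. The same applies to the exports added for tty_write, tty_release, tty_poll, tty_fasync, tty_ioctl and tty_compat_ioctl in the later hunks. The prototypes removed in the first hunk of this file also need a home in a header that pty.c includes, and none is visible in this part of the patch.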
24254 @@ -1048,7 +1040,7 @@ void tty_write_message(struct tty_struct
24255 * write method will not be invoked in parallel for each device.
24258 -static ssize_t tty_write(struct file *file, const char __user *buf,
24259 +ssize_t tty_write(struct file *file, const char __user *buf,
24260 size_t count, loff_t *ppos)
24262 struct tty_struct *tty;
24263 @@ -1075,6 +1067,8 @@ static ssize_t tty_write(struct file *fi
24267 +EXPORT_SYMBOL(tty_write);
24269 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
24270 size_t count, loff_t *ppos)
24272 @@ -1897,6 +1891,8 @@ got_driver:
24276 +EXPORT_SYMBOL(tty_release);
24279 * tty_poll - check tty status
24280 * @filp: file being polled
24281 @@ -1909,7 +1905,7 @@ got_driver:
24282 * may be re-entered freely by other callers.
24285 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
24286 +unsigned int tty_poll(struct file *filp, poll_table *wait)
24288 struct tty_struct *tty;
24289 struct tty_ldisc *ld;
24290 @@ -1926,7 +1922,9 @@ static unsigned int tty_poll(struct file
24294 -static int tty_fasync(int fd, struct file *filp, int on)
24295 +EXPORT_SYMBOL(tty_poll);
24297 +int tty_fasync(int fd, struct file *filp, int on)
24299 struct tty_struct *tty;
24300 unsigned long flags;
24301 @@ -1970,6 +1968,8 @@ out:
24305 +EXPORT_SYMBOL(tty_fasync);
24308 * tiocsti - fake input character
24309 * @tty: tty to fake input into
24310 @@ -2602,8 +2602,10 @@ long tty_ioctl(struct file *file, unsign
24314 +EXPORT_SYMBOL(tty_ioctl);
24316 #ifdef CONFIG_COMPAT
24317 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24318 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
24321 struct inode *inode = file->f_dentry->d_inode;
24322 @@ -2627,6 +2629,9 @@ static long tty_compat_ioctl(struct file
24327 +EXPORT_SYMBOL(tty_compat_ioctl);
24332 @@ -3070,11 +3075,6 @@ struct tty_struct *get_current_tty(void)
24334 EXPORT_SYMBOL_GPL(get_current_tty);
24336 -void tty_default_fops(struct file_operations *fops)
24338 - *fops = tty_fops;
24342 * Initialize the console device. This is called *early*, so
24343 * we can't necessarily depend on lots of kernel help here.
24344 diff -urNp linux-2.6.35.7/drivers/char/tty_ldisc.c linux-2.6.35.7/drivers/char/tty_ldisc.c
24345 --- linux-2.6.35.7/drivers/char/tty_ldisc.c 2010-08-26 19:47:12.000000000 -0400
24346 +++ linux-2.6.35.7/drivers/char/tty_ldisc.c 2010-09-17 20:12:09.000000000 -0400
24347 @@ -75,7 +75,7 @@ static void put_ldisc(struct tty_ldisc *
24348 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
24349 struct tty_ldisc_ops *ldo = ld->ops;
24352 + atomic_dec(&ldo->refcount);
24353 module_put(ldo->owner);
24354 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
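Review bot: Nothing at the converted `refcount` accesses says why the field became an `atomic_t`. In the hunks that show locking (`put_ldisc`, `tty_register_ldisc`, `tty_unregister_ldisc`, `put_ldops`) it is still only touched with `tty_ldisc_lock` held, so atomicity is not the reason. A short comment at one of the sites, for example `/* atomic_t so the count uses the overflow-checked atomic ops; tty_ldisc_lock still serialises access */`, would stop a later cleanup from reverting it. That overflow checking is the motive is inferred from the `_unchecked` variants used elsewhere in this patch, so the wording should be confirmed.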
24356 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
24357 spin_lock_irqsave(&tty_ldisc_lock, flags);
24358 tty_ldiscs[disc] = new_ldisc;
24359 new_ldisc->num = disc;
24360 - new_ldisc->refcount = 0;
24361 + atomic_set(&new_ldisc->refcount, 0);
24362 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24365 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
24368 spin_lock_irqsave(&tty_ldisc_lock, flags);
24369 - if (tty_ldiscs[disc]->refcount)
24370 + if (atomic_read(&tty_ldiscs[disc]->refcount))
24373 tty_ldiscs[disc] = NULL;
24374 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
24376 ret = ERR_PTR(-EAGAIN);
24377 if (try_module_get(ldops->owner)) {
24378 - ldops->refcount++;
24379 + atomic_inc(&ldops->refcount);
24383 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
24384 unsigned long flags;
24386 spin_lock_irqsave(&tty_ldisc_lock, flags);
24387 - ldops->refcount--;
24388 + atomic_dec(&ldops->refcount);
24389 module_put(ldops->owner);
24390 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24392 diff -urNp linux-2.6.35.7/drivers/char/vt_ioctl.c linux-2.6.35.7/drivers/char/vt_ioctl.c
24393 --- linux-2.6.35.7/drivers/char/vt_ioctl.c 2010-08-26 19:47:12.000000000 -0400
24394 +++ linux-2.6.35.7/drivers/char/vt_ioctl.c 2010-09-17 20:12:37.000000000 -0400
24395 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24396 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
24399 - if (!capable(CAP_SYS_TTY_CONFIG))
24404 key_map = key_maps[s];
24405 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24406 val = (i ? K_HOLE : K_NOSUCHMAP);
24407 return put_user(val, &user_kbe->kb_value);
24409 + if (!capable(CAP_SYS_TTY_CONFIG))
24415 if (!i && v == K_NOSUCHMAP) {
24416 /* deallocate map */
24417 key_map = key_maps[s];
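Review bot: The relocated `if (!capable(CAP_SYS_TTY_CONFIG))` after the `put_user` return has no comment explaining why the capability is no longer evaluated at the top of `do_kdsk_ioctl`, and `do_kdgkb_ioctl` is changed the same way in the next two hunks. A line such as `/* query the capability only on the set path, so a plain read never triggers a capability check */` would record the intent. The statement the moved `if` guards is not visible here. It is worth confirming that every write path in both functions still reaches the check before it modifies `key_maps` or the function-key table.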
24418 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24422 - if (!capable(CAP_SYS_TTY_CONFIG))
24425 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
24428 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24430 return ((p && *p) ? -EOVERFLOW : 0);
24432 + if (!capable(CAP_SYS_TTY_CONFIG))
24438 diff -urNp linux-2.6.35.7/drivers/cpuidle/sysfs.c linux-2.6.35.7/drivers/cpuidle/sysfs.c
24439 --- linux-2.6.35.7/drivers/cpuidle/sysfs.c 2010-08-26 19:47:12.000000000 -0400
24440 +++ linux-2.6.35.7/drivers/cpuidle/sysfs.c 2010-09-17 20:12:09.000000000 -0400
24441 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24442 .release = cpuidle_state_sysfs_release,
24445 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24446 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24448 kobject_put(&device->kobjs[i]->kobj);
24449 wait_for_completion(&device->kobjs[i]->kobj_unregister);
24450 diff -urNp linux-2.6.35.7/drivers/edac/edac_core.h linux-2.6.35.7/drivers/edac/edac_core.h
24451 --- linux-2.6.35.7/drivers/edac/edac_core.h 2010-08-26 19:47:12.000000000 -0400
24452 +++ linux-2.6.35.7/drivers/edac/edac_core.h 2010-09-17 20:12:09.000000000 -0400
24453 @@ -100,11 +100,11 @@ extern const char *edac_mem_types[];
24455 #else /* !CONFIG_EDAC_DEBUG */
24457 -#define debugf0( ... )
24458 -#define debugf1( ... )
24459 -#define debugf2( ... )
24460 -#define debugf3( ... )
24461 -#define debugf4( ... )
24462 +#define debugf0( ... ) do {} while (0)
24463 +#define debugf1( ... ) do {} while (0)
24464 +#define debugf2( ... ) do {} while (0)
24465 +#define debugf3( ... ) do {} while (0)
24466 +#define debugf4( ... ) do {} while (0)
24468 #endif /* !CONFIG_EDAC_DEBUG */
24470 diff -urNp linux-2.6.35.7/drivers/edac/edac_mc_sysfs.c linux-2.6.35.7/drivers/edac/edac_mc_sysfs.c
24471 --- linux-2.6.35.7/drivers/edac/edac_mc_sysfs.c 2010-08-26 19:47:12.000000000 -0400
24472 +++ linux-2.6.35.7/drivers/edac/edac_mc_sysfs.c 2010-09-17 20:12:09.000000000 -0400
24473 @@ -776,7 +776,7 @@ static void edac_inst_grp_release(struct
24476 /* Intermediate show/store table */
24477 -static struct sysfs_ops inst_grp_ops = {
24478 +static const struct sysfs_ops inst_grp_ops = {
24479 .show = inst_grp_show,
24480 .store = inst_grp_store
24482 diff -urNp linux-2.6.35.7/drivers/firewire/core-cdev.c linux-2.6.35.7/drivers/firewire/core-cdev.c
24483 --- linux-2.6.35.7/drivers/firewire/core-cdev.c 2010-08-26 19:47:12.000000000 -0400
24484 +++ linux-2.6.35.7/drivers/firewire/core-cdev.c 2010-09-17 20:12:09.000000000 -0400
24485 @@ -1195,8 +1195,7 @@ static int init_iso_resource(struct clie
24488 if ((request->channels == 0 && request->bandwidth == 0) ||
24489 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24490 - request->bandwidth < 0)
24491 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24494 r = kmalloc(sizeof(*r), GFP_KERNEL);
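Review bot: Dropping `request->bandwidth < 0` is only safe if `bandwidth` has an unsigned type, and its declaration is outside this hunk. With a signed field, a negative value would pass the remaining `> BANDWIDTH_AVAILABLE_INITIAL` test and reach the allocation below. If the field is unsigned, a one-line comment such as `/* bandwidth is unsigned, so only the upper bound needs checking */` records why the lower bound was removed.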
24495 diff -urNp linux-2.6.35.7/drivers/firmware/dmi_scan.c linux-2.6.35.7/drivers/firmware/dmi_scan.c
24496 --- linux-2.6.35.7/drivers/firmware/dmi_scan.c 2010-08-26 19:47:12.000000000 -0400
24497 +++ linux-2.6.35.7/drivers/firmware/dmi_scan.c 2010-09-17 20:12:09.000000000 -0400
24498 @@ -387,11 +387,6 @@ void __init dmi_scan_machine(void)
24503 - * no iounmap() for that ioremap(); it would be a no-op, but
24504 - * it's so early in setup that sucker gets confused into doing
24505 - * what it shouldn't if we actually call it.
24507 p = dmi_ioremap(0xF0000, 0x10000);
24510 diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.35.7/drivers/gpu/drm/drm_crtc_helper.c
24511 --- linux-2.6.35.7/drivers/gpu/drm/drm_crtc_helper.c 2010-09-20 17:33:09.000000000 -0400
24512 +++ linux-2.6.35.7/drivers/gpu/drm/drm_crtc_helper.c 2010-10-11 22:41:44.000000000 -0400
24513 @@ -262,7 +262,7 @@ static bool drm_encoder_crtc_ok(struct d
24514 struct drm_crtc *tmp;
24517 - WARN(!crtc, "checking null crtc?");
24522 diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_drv.c linux-2.6.35.7/drivers/gpu/drm/drm_drv.c
24523 --- linux-2.6.35.7/drivers/gpu/drm/drm_drv.c 2010-08-26 19:47:12.000000000 -0400
24524 +++ linux-2.6.35.7/drivers/gpu/drm/drm_drv.c 2010-09-17 20:12:09.000000000 -0400
24525 @@ -449,7 +449,7 @@ long drm_ioctl(struct file *filp,
24527 dev = file_priv->minor->dev;
24528 atomic_inc(&dev->ioctl_count);
24529 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24530 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24531 ++file_priv->ioctl_count;
24533 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
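Review bot: The switch to `atomic_inc_unchecked()` for `dev->counts[_DRM_STAT_IOCTLS]` carries no comment saying why this counter is exempt from the checked atomic operations, while `dev->ioctl_count` one line above keeps plain `atomic_inc()`. A note like `/* statistics only: wrap-around is harmless, so the unchecked variant is used */` would make the distinction reviewable. That reading of the two variants is inferred from how they are split here, so it should be confirmed. The same applies to the `counts[]` updates in drm_fops.c, drm_ioctl.c, drm_lock.c and i810_dma.c further down.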
24534 diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_fops.c linux-2.6.35.7/drivers/gpu/drm/drm_fops.c
24535 --- linux-2.6.35.7/drivers/gpu/drm/drm_fops.c 2010-08-26 19:47:12.000000000 -0400
24536 +++ linux-2.6.35.7/drivers/gpu/drm/drm_fops.c 2010-09-17 20:12:09.000000000 -0400
24537 @@ -67,7 +67,7 @@ static int drm_setup(struct drm_device *
24540 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24541 - atomic_set(&dev->counts[i], 0);
24542 + atomic_set_unchecked(&dev->counts[i], 0);
24544 dev->sigdata.lock = NULL;
24546 @@ -131,9 +131,9 @@ int drm_open(struct inode *inode, struct
24548 retcode = drm_open_helper(inode, filp, dev);
24550 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24551 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24552 spin_lock(&dev->count_lock);
24553 - if (!dev->open_count++) {
24554 + if (atomic_inc_return(&dev->open_count) == 1) {
24555 spin_unlock(&dev->count_lock);
24556 retcode = drm_setup(dev);
24558 @@ -474,7 +474,7 @@ int drm_release(struct inode *inode, str
24562 - DRM_DEBUG("open_count = %d\n", dev->open_count);
24563 + DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
24565 if (dev->driver->preclose)
24566 dev->driver->preclose(dev, file_priv);
24567 @@ -486,7 +486,7 @@ int drm_release(struct inode *inode, str
24568 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24569 task_pid_nr(current),
24570 (long)old_encode_dev(file_priv->minor->device),
24571 - dev->open_count);
24572 + atomic_read(&dev->open_count));
24574 /* if the master has gone away we can't do anything with the lock */
24575 if (file_priv->minor->master)
24576 @@ -567,9 +567,9 @@ int drm_release(struct inode *inode, str
24577 * End inline drm_release
24580 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24581 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24582 spin_lock(&dev->count_lock);
24583 - if (!--dev->open_count) {
24584 + if (atomic_dec_and_test(&dev->open_count)) {
24585 if (atomic_read(&dev->ioctl_count)) {
24586 DRM_ERROR("Device busy: %d\n",
24587 atomic_read(&dev->ioctl_count));
24588 diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_info.c linux-2.6.35.7/drivers/gpu/drm/drm_info.c
24589 --- linux-2.6.35.7/drivers/gpu/drm/drm_info.c 2010-08-26 19:47:12.000000000 -0400
24590 +++ linux-2.6.35.7/drivers/gpu/drm/drm_info.c 2010-10-11 22:41:44.000000000 -0400
24591 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
24592 struct drm_local_map *map;
24593 struct drm_map_list *r_list;
24595 - /* Hardcoded from _DRM_FRAME_BUFFER,
24596 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
24597 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
24598 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
24599 + static const char * const types[] = {
24600 + [_DRM_FRAME_BUFFER] = "FB",
24601 + [_DRM_REGISTERS] = "REG",
24602 + [_DRM_SHM] = "SHM",
24603 + [_DRM_AGP] = "AGP",
24604 + [_DRM_SCATTER_GATHER] = "SG",
24605 + [_DRM_CONSISTENT] = "PCI",
24606 + [_DRM_GEM] = "GEM" };
24610 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
24614 - if (map->type < 0 || map->type > 5)
24615 + if (map->type >= ARRAY_SIZE(types))
24618 type = types[map->type];
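Review bot: The new bound `map->type >= ARRAY_SIZE(types)` does not cover a hole in the designated-initializer table added in the previous hunk. Any enum value below the largest index that has no entry of its own leaves a NULL slot, and `type = types[map->type]` would then hand NULL to the formatter. The enum definition is outside this file section, so whether such a hole exists cannot be told from here. Testing the slot as well, `if (map->type >= ARRAY_SIZE(types) || !types[map->type])`, keeps the lookup safe however the enum evolves.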
24619 diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_ioctl.c linux-2.6.35.7/drivers/gpu/drm/drm_ioctl.c
24620 --- linux-2.6.35.7/drivers/gpu/drm/drm_ioctl.c 2010-08-26 19:47:12.000000000 -0400
24621 +++ linux-2.6.35.7/drivers/gpu/drm/drm_ioctl.c 2010-09-17 20:12:09.000000000 -0400
24622 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
24623 stats->data[i].value =
24624 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
24626 - stats->data[i].value = atomic_read(&dev->counts[i]);
24627 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
24628 stats->data[i].type = dev->types[i];
24631 diff -urNp linux-2.6.35.7/drivers/gpu/drm/drm_lock.c linux-2.6.35.7/drivers/gpu/drm/drm_lock.c
24632 --- linux-2.6.35.7/drivers/gpu/drm/drm_lock.c 2010-08-26 19:47:12.000000000 -0400
24633 +++ linux-2.6.35.7/drivers/gpu/drm/drm_lock.c 2010-09-17 20:12:09.000000000 -0400
24634 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
24635 if (drm_lock_take(&master->lock, lock->context)) {
24636 master->lock.file_priv = file_priv;
24637 master->lock.lock_time = jiffies;
24638 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
24639 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
24640 break; /* Got lock */
24643 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
24647 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
24648 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
24650 /* kernel_context_switch isn't used by any of the x86 drm
24651 * modules but is required by the Sparc driver.
24652 diff -urNp linux-2.6.35.7/drivers/gpu/drm/i810/i810_dma.c linux-2.6.35.7/drivers/gpu/drm/i810/i810_dma.c
24653 --- linux-2.6.35.7/drivers/gpu/drm/i810/i810_dma.c 2010-08-26 19:47:12.000000000 -0400
24654 +++ linux-2.6.35.7/drivers/gpu/drm/i810/i810_dma.c 2010-09-17 20:12:09.000000000 -0400
24655 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
24656 dma->buflist[vertex->idx],
24657 vertex->discard, vertex->used);
24659 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24660 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24661 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24662 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24663 sarea_priv->last_enqueue = dev_priv->counter - 1;
24664 sarea_priv->last_dispatch = (int)hw_status[5];
24666 @@ -1116,8 +1116,8 @@ static int i810_dma_mc(struct drm_device
24667 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
24670 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24671 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24672 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24673 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24674 sarea_priv->last_enqueue = dev_priv->counter - 1;
24675 sarea_priv->last_dispatch = (int)hw_status[5];
24677 diff -urNp linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ch7017.c
24678 --- linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ch7017.c 2010-08-26 19:47:12.000000000 -0400
24679 +++ linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ch7017.c 2010-09-17 20:12:09.000000000 -0400
24680 @@ -402,7 +402,7 @@ static void ch7017_destroy(struct intel_
24684 -struct intel_dvo_dev_ops ch7017_ops = {
24685 +const struct intel_dvo_dev_ops ch7017_ops = {
24686 .init = ch7017_init,
24687 .detect = ch7017_detect,
24688 .mode_valid = ch7017_mode_valid,
24689 diff -urNp linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ch7xxx.c
24690 --- linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-08-26 19:47:12.000000000 -0400
24691 +++ linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-09-17 20:12:09.000000000 -0400
24692 @@ -322,7 +322,7 @@ static void ch7xxx_destroy(struct intel_
24696 -struct intel_dvo_dev_ops ch7xxx_ops = {
24697 +const struct intel_dvo_dev_ops ch7xxx_ops = {
24698 .init = ch7xxx_init,
24699 .detect = ch7xxx_detect,
24700 .mode_valid = ch7xxx_mode_valid,
24701 diff -urNp linux-2.6.35.7/drivers/gpu/drm/i915/dvo.h linux-2.6.35.7/drivers/gpu/drm/i915/dvo.h
24702 --- linux-2.6.35.7/drivers/gpu/drm/i915/dvo.h 2010-08-26 19:47:12.000000000 -0400
24703 +++ linux-2.6.35.7/drivers/gpu/drm/i915/dvo.h 2010-09-17 20:12:09.000000000 -0400
24704 @@ -125,23 +125,23 @@ struct intel_dvo_dev_ops {
24706 * \return singly-linked list of modes or NULL if no modes found.
24708 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
24709 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
24712 * Clean up driver-specific bits of the output
24714 - void (*destroy) (struct intel_dvo_device *dvo);
24715 + void (* const destroy) (struct intel_dvo_device *dvo);
24718 * Debugging hook to dump device registers to log file
24720 - void (*dump_regs)(struct intel_dvo_device *dvo);
24721 + void (* const dump_regs)(struct intel_dvo_device *dvo);
24724 -extern struct intel_dvo_dev_ops sil164_ops;
24725 -extern struct intel_dvo_dev_ops ch7xxx_ops;
24726 -extern struct intel_dvo_dev_ops ivch_ops;
24727 -extern struct intel_dvo_dev_ops tfp410_ops;
24728 -extern struct intel_dvo_dev_ops ch7017_ops;
24729 +extern const struct intel_dvo_dev_ops sil164_ops;
24730 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
24731 +extern const struct intel_dvo_dev_ops ivch_ops;
24732 +extern const struct intel_dvo_dev_ops tfp410_ops;
24733 +extern const struct intel_dvo_dev_ops ch7017_ops;
24735 #endif /* _INTEL_DVO_H */
24736 diff -urNp linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ivch.c
24737 --- linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ivch.c 2010-08-26 19:47:12.000000000 -0400
24738 +++ linux-2.6.35.7/drivers/gpu/drm/i915/dvo_ivch.c 2010-09-17 20:12:09.000000000 -0400
24739 @@ -412,7 +412,7 @@ static void ivch_destroy(struct intel_dv
24743 -struct intel_dvo_dev_ops ivch_ops= {
24744 +const struct intel_dvo_dev_ops ivch_ops= {
24747 .mode_valid = ivch_mode_valid,
24748 diff -urNp linux-2.6.35.7/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.35.7/drivers/gpu/drm/i915/dvo_sil164.c
24749 --- linux-2.6.35.7/drivers/gpu/drm/i915/dvo_sil164.c 2010-08-26 19:47:12.000000000 -0400
24750 +++ linux-2.6.35.7/drivers/gpu/drm/i915/dvo_sil164.c 2010-09-17 20:12:09.000000000 -0400
24751 @@ -254,7 +254,7 @@ static void sil164_destroy(struct intel_
24755 -struct intel_dvo_dev_ops sil164_ops = {
24756 +const struct intel_dvo_dev_ops sil164_ops = {
24757 .init = sil164_init,
24758 .detect = sil164_detect,
24759 .mode_valid = sil164_mode_valid,
24760 diff -urNp linux-2.6.35.7/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.35.7/drivers/gpu/drm/i915/dvo_tfp410.c
24761 --- linux-2.6.35.7/drivers/gpu/drm/i915/dvo_tfp410.c 2010-08-26 19:47:12.000000000 -0400
24762 +++ linux-2.6.35.7/drivers/gpu/drm/i915/dvo_tfp410.c 2010-09-17 20:12:09.000000000 -0400
24763 @@ -295,7 +295,7 @@ static void tfp410_destroy(struct intel_
24767 -struct intel_dvo_dev_ops tfp410_ops = {
24768 +const struct intel_dvo_dev_ops tfp410_ops = {
24769 .init = tfp410_init,
24770 .detect = tfp410_detect,
24771 .mode_valid = tfp410_mode_valid,
24772 diff -urNp linux-2.6.35.7/drivers/gpu/drm/i915/i915_dma.c linux-2.6.35.7/drivers/gpu/drm/i915/i915_dma.c
24773 --- linux-2.6.35.7/drivers/gpu/drm/i915/i915_dma.c 2010-09-20 17:33:09.000000000 -0400
24774 +++ linux-2.6.35.7/drivers/gpu/drm/i915/i915_dma.c 2010-09-20 17:33:32.000000000 -0400
24775 @@ -1348,7 +1348,7 @@ static bool i915_switcheroo_can_switch(s
24778 spin_lock(&dev->count_lock);
24779 - can_switch = (dev->open_count == 0);
24780 + can_switch = (atomic_read(&dev->open_count) == 0);
24781 spin_unlock(&dev->count_lock);
24784 diff -urNp linux-2.6.35.7/drivers/gpu/drm/i915/i915_drv.c linux-2.6.35.7/drivers/gpu/drm/i915/i915_drv.c
24785 --- linux-2.6.35.7/drivers/gpu/drm/i915/i915_drv.c 2010-09-26 17:32:11.000000000 -0400
24786 +++ linux-2.6.35.7/drivers/gpu/drm/i915/i915_drv.c 2010-09-26 17:32:46.000000000 -0400
24787 @@ -497,7 +497,7 @@ const struct dev_pm_ops i915_pm_ops = {
24788 .restore = i915_pm_resume,
24791 -static struct vm_operations_struct i915_gem_vm_ops = {
24792 +static const struct vm_operations_struct i915_gem_vm_ops = {
24793 .fault = i915_gem_fault,
24794 .open = drm_gem_vm_open,
24795 .close = drm_gem_vm_close,
24796 diff -urNp linux-2.6.35.7/drivers/gpu/drm/i915/i915_gem.c linux-2.6.35.7/drivers/gpu/drm/i915/i915_gem.c
24797 --- linux-2.6.35.7/drivers/gpu/drm/i915/i915_gem.c 2010-09-20 17:33:09.000000000 -0400
24798 +++ linux-2.6.35.7/drivers/gpu/drm/i915/i915_gem.c 2010-09-28 18:50:18.000000000 -0400
24799 @@ -469,6 +469,11 @@ i915_gem_pread_ioctl(struct drm_device *
24803 + if (!access_ok(VERIFY_WRITE, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
24804 + drm_gem_object_unreference_unlocked(obj);
24808 if (i915_gem_object_needs_bit17_swizzle(obj)) {
24809 ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
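Review bot: The added `access_ok()` pre-check casts `args->data_ptr` through `uintptr_t`, so on a 32-bit kernel a wider `data_ptr` would be validated as a truncated address, and `args->size` is narrowed the same way if it is wider than `unsigned long`. Both declarations are outside the hunk, so this needs confirming against the ioctl structure; if they are 64-bit fields, values that do not fit should be rejected before the range check. `access_ok()` only validates the address range, so the copy that follows must still use the fault-checking user-copy helpers. The identical check with `VERIFY_READ` in `i915_gem_pwrite_ioctl` below has the same considerations.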
24811 @@ -932,6 +937,11 @@ i915_gem_pwrite_ioctl(struct drm_device
24815 + if (!access_ok(VERIFY_READ, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
24816 + drm_gem_object_unreference_unlocked(obj);
24820 /* We can only do the GTT pwrite on untiled buffers, as otherwise
24821 * it would end up going through the fenced access, and we'll get
24822 * different detiling behavior between reading and writing.
24823 diff -urNp linux-2.6.35.7/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.35.7/drivers/gpu/drm/nouveau/nouveau_backlight.c
24824 --- linux-2.6.35.7/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-08-26 19:47:12.000000000 -0400
24825 +++ linux-2.6.35.7/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-09-17 20:12:09.000000000 -0400
24826 @@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
24830 -static struct backlight_ops nv40_bl_ops = {
24831 +static const struct backlight_ops nv40_bl_ops = {
24832 .options = BL_CORE_SUSPENDRESUME,
24833 .get_brightness = nv40_get_intensity,
24834 .update_status = nv40_set_intensity,
24835 @@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
24839 -static struct backlight_ops nv50_bl_ops = {
24840 +static const struct backlight_ops nv50_bl_ops = {
24841 .options = BL_CORE_SUSPENDRESUME,
24842 .get_brightness = nv50_get_intensity,
24843 .update_status = nv50_set_intensity,
24844 diff -urNp linux-2.6.35.7/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.35.7/drivers/gpu/drm/nouveau/nouveau_state.c
24845 --- linux-2.6.35.7/drivers/gpu/drm/nouveau/nouveau_state.c 2010-08-26 19:47:12.000000000 -0400
24846 +++ linux-2.6.35.7/drivers/gpu/drm/nouveau/nouveau_state.c 2010-09-17 20:12:09.000000000 -0400
24847 @@ -395,7 +395,7 @@ static bool nouveau_switcheroo_can_switc
24850 spin_lock(&dev->count_lock);
24851 - can_switch = (dev->open_count == 0);
24852 + can_switch = (atomic_read(&dev->open_count) == 0);
24853 spin_unlock(&dev->count_lock);
24856 diff -urNp linux-2.6.35.7/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.35.7/drivers/gpu/drm/radeon/mkregtable.c
24857 --- linux-2.6.35.7/drivers/gpu/drm/radeon/mkregtable.c 2010-08-26 19:47:12.000000000 -0400
24858 +++ linux-2.6.35.7/drivers/gpu/drm/radeon/mkregtable.c 2010-09-17 20:12:09.000000000 -0400
24859 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
24861 regmatch_t match[4];
24869 struct offset *offset;
24870 char last_reg_s[10];
24872 + unsigned long last_reg;
24875 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
24876 diff -urNp linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_device.c
24877 --- linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_device.c 2010-08-26 19:47:12.000000000 -0400
24878 +++ linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_device.c 2010-09-17 20:12:09.000000000 -0400
24879 @@ -562,7 +562,7 @@ static bool radeon_switcheroo_can_switch
24882 spin_lock(&dev->count_lock);
24883 - can_switch = (dev->open_count == 0);
24884 + can_switch = (atomic_read(&dev->open_count) == 0);
24885 spin_unlock(&dev->count_lock);
24888 diff -urNp linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_display.c
24889 --- linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_display.c 2010-08-26 19:47:12.000000000 -0400
24890 +++ linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_display.c 2010-09-17 20:12:09.000000000 -0400
24891 @@ -559,7 +559,7 @@ static void radeon_compute_pll_legacy(st
24893 if (pll->flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
24894 error = freq - current_freq;
24895 - error = error < 0 ? 0xffffffff : error;
24896 + error = (int32_t)error < 0 ? 0xffffffff : error;
24898 error = abs(current_freq - freq);
24899 vco_diff = abs(vco - best_vco);
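Review bot: `(int32_t)error < 0` detects `freq < current_freq` only by reinterpreting a wrapped unsigned difference, which misclassifies any difference of 2^31 or more and hides the intent. Comparing the operands directly says what is meant: `error = freq < current_freq ? 0xffffffff : freq - current_freq;`, replacing both this line and the subtraction above it. The types of `error`, `freq` and `current_freq` are declared outside the hunk, so confirm they are unsigned 32-bit before applying this.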
24900 diff -urNp linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_state.c
24901 --- linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_state.c 2010-08-26 19:47:12.000000000 -0400
24902 +++ linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_state.c 2010-09-17 20:12:09.000000000 -0400
24903 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
24904 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
24905 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
24907 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24908 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24909 sarea_priv->nbox * sizeof(depth_boxes[0])))
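Review bot: The added bound test re-reads `sarea_priv->nbox`, and the copy length on the next line reads it yet again, so if the field can change between reads the size passed to `DRM_COPY_FROM_USER` can still exceed `depth_boxes`. The re-check suggests the patch assumes the field can change; how `sarea_priv` is mapped is not visible in this hunk. Taking one snapshot closes the window: read it once with `nbox = ACCESS_ONCE(sarea_priv->nbox);`, clamp the local against `RADEON_NR_SAREA_CLIPRECTS`, and pass `nbox * sizeof(depth_boxes[0])` as the length. Later uses of `sarea_priv->nbox` in `radeon_cp_clear` lie outside the hunk and would need the same local.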
24912 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
24914 drm_radeon_private_t *dev_priv = dev->dev_private;
24915 drm_radeon_getparam_t *param = data;
24919 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
24921 diff -urNp linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_ttm.c
24922 --- linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_ttm.c 2010-08-26 19:47:12.000000000 -0400
24923 +++ linux-2.6.35.7/drivers/gpu/drm/radeon/radeon_ttm.c 2010-09-17 20:12:09.000000000 -0400
24924 @@ -601,8 +601,9 @@ void radeon_ttm_fini(struct radeon_devic
24925 DRM_INFO("radeon: ttm finalized\n");
24928 -static struct vm_operations_struct radeon_ttm_vm_ops;
24929 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
24930 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
24931 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
24932 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
24934 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
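Review bot: The three `extern` prototypes for `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` are declared locally in this .c file, so the compiler cannot check them against the definitions in ttm_bo_vm.c and a later signature change would go unnoticed. Declaring them once in a TTM header that both radeon_ttm.c and ttm_bo_vm.c include gives the two sides the same prototype. Which header fits cannot be seen from this hunk.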
24936 @@ -610,17 +611,22 @@ static int radeon_ttm_fault(struct vm_ar
24937 struct radeon_device *rdev;
24940 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
24941 - if (bo == NULL) {
24942 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
24944 return VM_FAULT_NOPAGE;
24946 rdev = radeon_get_rdev(bo->bdev);
24947 mutex_lock(&rdev->vram_mutex);
24948 - r = ttm_vm_ops->fault(vma, vmf);
24949 + r = ttm_bo_vm_fault(vma, vmf);
24950 mutex_unlock(&rdev->vram_mutex);
24954 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
24955 + .fault = radeon_ttm_fault,
24956 + .open = ttm_bo_vm_open,
24957 + .close = ttm_bo_vm_close
24960 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
24962 struct drm_file *file_priv;
24963 @@ -633,18 +639,11 @@ int radeon_mmap(struct file *filp, struc
24965 file_priv = (struct drm_file *)filp->private_data;
24966 rdev = file_priv->minor->dev->dev_private;
24967 - if (rdev == NULL) {
24971 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
24972 - if (unlikely(r != 0)) {
24976 - if (unlikely(ttm_vm_ops == NULL)) {
24977 - ttm_vm_ops = vma->vm_ops;
24978 - radeon_ttm_vm_ops = *ttm_vm_ops;
24979 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
24981 vma->vm_ops = &radeon_ttm_vm_ops;
24984 diff -urNp linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_bo.c
24985 --- linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_bo.c 2010-08-26 19:47:12.000000000 -0400
24986 +++ linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_bo.c 2010-09-17 20:12:09.000000000 -0400
24988 #include <linux/module.h>
24990 #define TTM_ASSERT_LOCKED(param)
24991 -#define TTM_DEBUG(fmt, arg...)
24992 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
24993 #define TTM_BO_HASH_ORDER 13
24995 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
24996 diff -urNp linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_bo_vm.c
24997 --- linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-08-26 19:47:12.000000000 -0400
24998 +++ linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-09-20 17:14:49.000000000 -0400
24999 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
25003 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
25004 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
25006 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
25007 vma->vm_private_data;
25008 - struct ttm_bo_device *bdev = bo->bdev;
25009 + struct ttm_bo_device *bdev;
25010 unsigned long page_offset;
25011 unsigned long page_last;
25013 @@ -84,6 +84,10 @@ static int ttm_bo_vm_fault(struct vm_are
25014 unsigned long address = (unsigned long)vmf->virtual_address;
25015 int retval = VM_FAULT_NOPAGE;
25018 + return VM_FAULT_NOPAGE;
25022 * Work around locking order reversal in fault / nopfn
25023 * between mmap_sem and bo_reserve: Perform a trylock operation
25024 @@ -212,22 +216,25 @@ out_unlock:
25025 ttm_bo_unreserve(bo);
25028 +EXPORT_SYMBOL(ttm_bo_vm_fault);
25030 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
25031 +void ttm_bo_vm_open(struct vm_area_struct *vma)
25033 struct ttm_buffer_object *bo =
25034 (struct ttm_buffer_object *)vma->vm_private_data;
25036 (void)ttm_bo_reference(bo);
25038 +EXPORT_SYMBOL(ttm_bo_vm_open);
25040 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
25041 +void ttm_bo_vm_close(struct vm_area_struct *vma)
25043 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
25046 vma->vm_private_data = NULL;
25048 +EXPORT_SYMBOL(ttm_bo_vm_close);
25050 static const struct vm_operations_struct ttm_bo_vm_ops = {
25051 .fault = ttm_bo_vm_fault,
25052 diff -urNp linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_global.c
25053 --- linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_global.c 2010-08-26 19:47:12.000000000 -0400
25054 +++ linux-2.6.35.7/drivers/gpu/drm/ttm/ttm_global.c 2010-09-17 20:12:09.000000000 -0400
25056 struct ttm_global_item {
25057 struct mutex mutex;
25060 + atomic_t refcount;
25063 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
25064 @@ -49,7 +49,7 @@ void ttm_global_init(void)
25065 struct ttm_global_item *item = &glob[i];
25066 mutex_init(&item->mutex);
25067 item->object = NULL;
25068 - item->refcount = 0;
25069 + atomic_set(&item->refcount, 0);
25073 @@ -59,7 +59,7 @@ void ttm_global_release(void)
25074 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
25075 struct ttm_global_item *item = &glob[i];
25076 BUG_ON(item->object != NULL);
25077 - BUG_ON(item->refcount != 0);
25078 + BUG_ON(atomic_read(&item->refcount) != 0);
25082 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
25085 mutex_lock(&item->mutex);
25086 - if (item->refcount == 0) {
25087 + if (atomic_read(&item->refcount) == 0) {
25088 item->object = kzalloc(ref->size, GFP_KERNEL);
25089 if (unlikely(item->object == NULL)) {
25091 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
25095 - ++item->refcount;
25096 + atomic_inc(&item->refcount);
25097 ref->object = item->object;
25098 object = item->object;
25099 mutex_unlock(&item->mutex);
25100 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
25101 struct ttm_global_item *item = &glob[ref->global_type];
25103 mutex_lock(&item->mutex);
25104 - BUG_ON(item->refcount == 0);
25105 + BUG_ON(atomic_read(&item->refcount) == 0);
25106 BUG_ON(ref->object != item->object);
25107 - if (--item->refcount == 0) {
25108 + if (atomic_dec_and_test(&item->refcount)) {
25110 item->object = NULL;
25112 diff -urNp linux-2.6.35.7/drivers/hid/hidraw.c linux-2.6.35.7/drivers/hid/hidraw.c
25113 --- linux-2.6.35.7/drivers/hid/hidraw.c 2010-08-26 19:47:12.000000000 -0400
25114 +++ linux-2.6.35.7/drivers/hid/hidraw.c 2010-09-28 18:52:39.000000000 -0400
25115 @@ -246,6 +246,10 @@ static long hidraw_ioctl(struct file *fi
25117 mutex_lock(&minors_lock);
25118 dev = hidraw_table[minor];
25119 + if (dev == NULL) {
25125 case HIDIOCGRDESCSIZE:
25126 @@ -319,6 +323,7 @@ static long hidraw_ioctl(struct file *fi
25131 mutex_unlock(&minors_lock);
25134 diff -urNp linux-2.6.35.7/drivers/hid/usbhid/hiddev.c linux-2.6.35.7/drivers/hid/usbhid/hiddev.c
25135 --- linux-2.6.35.7/drivers/hid/usbhid/hiddev.c 2010-08-26 19:47:12.000000000 -0400
25136 +++ linux-2.6.35.7/drivers/hid/usbhid/hiddev.c 2010-09-17 20:12:09.000000000 -0400
25137 @@ -616,7 +616,7 @@ static long hiddev_ioctl(struct file *fi
25138 return put_user(HID_VERSION, (int __user *)arg);
25140 case HIDIOCAPPLICATION:
25141 - if (arg < 0 || arg >= hid->maxapplication)
25142 + if (arg >= hid->maxapplication)
25145 for (i = 0; i < hid->maxcollection; i++)
25146 diff -urNp linux-2.6.35.7/drivers/hwmon/k8temp.c linux-2.6.35.7/drivers/hwmon/k8temp.c
25147 --- linux-2.6.35.7/drivers/hwmon/k8temp.c 2010-09-20 17:33:09.000000000 -0400
25148 +++ linux-2.6.35.7/drivers/hwmon/k8temp.c 2010-09-20 17:33:32.000000000 -0400
25149 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
25151 static const struct pci_device_id k8temp_ids[] = {
25152 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
25154 + { 0, 0, 0, 0, 0, 0, 0 },
25157 MODULE_DEVICE_TABLE(pci, k8temp_ids);
25158 diff -urNp linux-2.6.35.7/drivers/hwmon/sis5595.c linux-2.6.35.7/drivers/hwmon/sis5595.c
25159 --- linux-2.6.35.7/drivers/hwmon/sis5595.c 2010-08-26 19:47:12.000000000 -0400
25160 +++ linux-2.6.35.7/drivers/hwmon/sis5595.c 2010-09-17 20:12:09.000000000 -0400
25161 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
25163 static const struct pci_device_id sis5595_pci_ids[] = {
25164 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25166 + { 0, 0, 0, 0, 0, 0, 0 }
25169 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
25170 diff -urNp linux-2.6.35.7/drivers/hwmon/via686a.c linux-2.6.35.7/drivers/hwmon/via686a.c
25171 --- linux-2.6.35.7/drivers/hwmon/via686a.c 2010-08-26 19:47:12.000000000 -0400
25172 +++ linux-2.6.35.7/drivers/hwmon/via686a.c 2010-09-17 20:12:09.000000000 -0400
25173 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
25175 static const struct pci_device_id via686a_pci_ids[] = {
25176 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
25178 + { 0, 0, 0, 0, 0, 0, 0 }
25181 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
25182 diff -urNp linux-2.6.35.7/drivers/hwmon/vt8231.c linux-2.6.35.7/drivers/hwmon/vt8231.c
25183 --- linux-2.6.35.7/drivers/hwmon/vt8231.c 2010-08-26 19:47:12.000000000 -0400
25184 +++ linux-2.6.35.7/drivers/hwmon/vt8231.c 2010-09-17 20:12:09.000000000 -0400
25185 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
25187 static const struct pci_device_id vt8231_pci_ids[] = {
25188 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
25190 + { 0, 0, 0, 0, 0, 0, 0 }
25193 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
25194 diff -urNp linux-2.6.35.7/drivers/hwmon/w83791d.c linux-2.6.35.7/drivers/hwmon/w83791d.c
25195 --- linux-2.6.35.7/drivers/hwmon/w83791d.c 2010-08-26 19:47:12.000000000 -0400
25196 +++ linux-2.6.35.7/drivers/hwmon/w83791d.c 2010-09-17 20:12:09.000000000 -0400
25197 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
25198 struct i2c_board_info *info);
25199 static int w83791d_remove(struct i2c_client *client);
25201 -static int w83791d_read(struct i2c_client *client, u8 register);
25202 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
25203 +static int w83791d_read(struct i2c_client *client, u8 reg);
25204 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
25205 static struct w83791d_data *w83791d_update_device(struct device *dev);
25208 diff -urNp linux-2.6.35.7/drivers/i2c/busses/i2c-i801.c linux-2.6.35.7/drivers/i2c/busses/i2c-i801.c
25209 --- linux-2.6.35.7/drivers/i2c/busses/i2c-i801.c 2010-08-26 19:47:12.000000000 -0400
25210 +++ linux-2.6.35.7/drivers/i2c/busses/i2c-i801.c 2010-09-17 20:12:09.000000000 -0400
25211 @@ -592,7 +592,7 @@ static const struct pci_device_id i801_i
25212 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
25213 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
25214 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CPT_SMBUS) },
25216 + { 0, 0, 0, 0, 0, 0, 0 }
25219 MODULE_DEVICE_TABLE(pci, i801_ids);
25220 diff -urNp linux-2.6.35.7/drivers/i2c/busses/i2c-piix4.c linux-2.6.35.7/drivers/i2c/busses/i2c-piix4.c
25221 --- linux-2.6.35.7/drivers/i2c/busses/i2c-piix4.c 2010-08-26 19:47:12.000000000 -0400
25222 +++ linux-2.6.35.7/drivers/i2c/busses/i2c-piix4.c 2010-09-17 20:12:09.000000000 -0400
25223 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
25225 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
25228 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25231 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
25232 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
25233 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
25234 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
25235 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
25237 + { 0, 0, 0, 0, 0, 0, 0 }
25240 MODULE_DEVICE_TABLE (pci, piix4_ids);
25241 diff -urNp linux-2.6.35.7/drivers/i2c/busses/i2c-sis630.c linux-2.6.35.7/drivers/i2c/busses/i2c-sis630.c
25242 --- linux-2.6.35.7/drivers/i2c/busses/i2c-sis630.c 2010-08-26 19:47:12.000000000 -0400
25243 +++ linux-2.6.35.7/drivers/i2c/busses/i2c-sis630.c 2010-09-17 20:12:09.000000000 -0400
25244 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
25245 static const struct pci_device_id sis630_ids[] __devinitconst = {
25246 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25247 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
25249 + { 0, 0, 0, 0, 0, 0, 0 }
25252 MODULE_DEVICE_TABLE (pci, sis630_ids);
25253 diff -urNp linux-2.6.35.7/drivers/i2c/busses/i2c-sis96x.c linux-2.6.35.7/drivers/i2c/busses/i2c-sis96x.c
25254 --- linux-2.6.35.7/drivers/i2c/busses/i2c-sis96x.c 2010-08-26 19:47:12.000000000 -0400
25255 +++ linux-2.6.35.7/drivers/i2c/busses/i2c-sis96x.c 2010-09-17 20:12:09.000000000 -0400
25256 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
25258 static const struct pci_device_id sis96x_ids[] = {
25259 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
25261 + { 0, 0, 0, 0, 0, 0, 0 }
25264 MODULE_DEVICE_TABLE (pci, sis96x_ids);
25265 diff -urNp linux-2.6.35.7/drivers/ide/ide-cd.c linux-2.6.35.7/drivers/ide/ide-cd.c
25266 --- linux-2.6.35.7/drivers/ide/ide-cd.c 2010-08-26 19:47:12.000000000 -0400
25267 +++ linux-2.6.35.7/drivers/ide/ide-cd.c 2010-09-17 20:12:09.000000000 -0400
25268 @@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
25269 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
25270 if ((unsigned long)buf & alignment
25271 || blk_rq_bytes(rq) & q->dma_pad_mask
25272 - || object_is_on_stack(buf))
25273 + || object_starts_on_stack(buf))
25277 diff -urNp linux-2.6.35.7/drivers/ieee1394/dv1394.c linux-2.6.35.7/drivers/ieee1394/dv1394.c
25278 --- linux-2.6.35.7/drivers/ieee1394/dv1394.c 2010-08-26 19:47:12.000000000 -0400
25279 +++ linux-2.6.35.7/drivers/ieee1394/dv1394.c 2010-09-17 20:12:09.000000000 -0400
25280 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
25281 based upon DIF section and sequence
25284 -static void inline
25285 +static inline void
25286 frame_put_packet (struct frame *f, struct packet *p)
25288 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
25289 @@ -2179,7 +2179,7 @@ static const struct ieee1394_device_id d
25290 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
25291 .version = AVC_SW_VERSION_ENTRY & 0xffffff
25294 + { 0, 0, 0, 0, 0, 0 }
25297 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
25298 diff -urNp linux-2.6.35.7/drivers/ieee1394/eth1394.c linux-2.6.35.7/drivers/ieee1394/eth1394.c
25299 --- linux-2.6.35.7/drivers/ieee1394/eth1394.c 2010-08-26 19:47:12.000000000 -0400
25300 +++ linux-2.6.35.7/drivers/ieee1394/eth1394.c 2010-09-17 20:12:09.000000000 -0400
25301 @@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
25302 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
25303 .version = ETHER1394_GASP_VERSION,
25306 + { 0, 0, 0, 0, 0, 0 }
25309 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
25310 diff -urNp linux-2.6.35.7/drivers/ieee1394/hosts.c linux-2.6.35.7/drivers/ieee1394/hosts.c
25311 --- linux-2.6.35.7/drivers/ieee1394/hosts.c 2010-08-26 19:47:12.000000000 -0400
25312 +++ linux-2.6.35.7/drivers/ieee1394/hosts.c 2010-09-17 20:12:09.000000000 -0400
25313 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
25316 static struct hpsb_host_driver dummy_driver = {
25318 .transmit_packet = dummy_transmit_packet,
25319 .devctl = dummy_devctl,
25320 .isoctl = dummy_isoctl
25321 diff -urNp linux-2.6.35.7/drivers/ieee1394/ohci1394.c linux-2.6.35.7/drivers/ieee1394/ohci1394.c
25322 --- linux-2.6.35.7/drivers/ieee1394/ohci1394.c 2010-08-26 19:47:12.000000000 -0400
25323 +++ linux-2.6.35.7/drivers/ieee1394/ohci1394.c 2010-09-17 20:12:09.000000000 -0400
25324 @@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
25325 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
25327 /* Module Parameters */
25328 -static int phys_dma = 1;
25329 +static int phys_dma;
25330 module_param(phys_dma, int, 0444);
25331 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
25332 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
25334 static void dma_trm_tasklet(unsigned long data);
25335 static void dma_trm_reset(struct dma_trm_ctx *d);
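Review bot: The new default for `phys_dma` is carried only by the missing initializer and the edited MODULE_PARM_DESC string, so nothing at the declaration says why physical DMA is now off. With physical DMA enabled, an OHCI-1394 controller services read and write requests from other bus nodes against host memory without the driver being involved, which is the reason to make it opt-in. I would add a comment above the declaration, e.g. `/* Off by default: physical DMA gives bus peers direct access to host memory. */`. The parameter is registered with mode 0444, so anyone who needs the old behaviour has to set it at module load; that is worth stating in the same comment.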
25336 @@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
25337 .subvendor = PCI_ANY_ID,
25338 .subdevice = PCI_ANY_ID,
25341 + { 0, 0, 0, 0, 0, 0, 0 },
25344 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
25345 diff -urNp linux-2.6.35.7/drivers/ieee1394/raw1394.c linux-2.6.35.7/drivers/ieee1394/raw1394.c
25346 --- linux-2.6.35.7/drivers/ieee1394/raw1394.c 2010-08-26 19:47:12.000000000 -0400
25347 +++ linux-2.6.35.7/drivers/ieee1394/raw1394.c 2010-09-17 20:12:09.000000000 -0400
25348 @@ -3002,7 +3002,7 @@ static const struct ieee1394_device_id r
25349 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25350 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25351 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
25353 + { 0, 0, 0, 0, 0, 0 }
25356 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
25357 diff -urNp linux-2.6.35.7/drivers/ieee1394/sbp2.c linux-2.6.35.7/drivers/ieee1394/sbp2.c
25358 --- linux-2.6.35.7/drivers/ieee1394/sbp2.c 2010-08-26 19:47:12.000000000 -0400
25359 +++ linux-2.6.35.7/drivers/ieee1394/sbp2.c 2010-09-17 20:12:09.000000000 -0400
25360 @@ -289,7 +289,7 @@ static const struct ieee1394_device_id s
25361 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25362 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
25363 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
25365 + { 0, 0, 0, 0, 0, 0 }
25367 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
25369 @@ -2110,7 +2110,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
25370 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
25371 MODULE_LICENSE("GPL");
25373 -static int sbp2_module_init(void)
25374 +static int __init sbp2_module_init(void)
25378 diff -urNp linux-2.6.35.7/drivers/ieee1394/video1394.c linux-2.6.35.7/drivers/ieee1394/video1394.c
25379 --- linux-2.6.35.7/drivers/ieee1394/video1394.c 2010-08-26 19:47:12.000000000 -0400
25380 +++ linux-2.6.35.7/drivers/ieee1394/video1394.c 2010-09-17 20:12:09.000000000 -0400
25381 @@ -1312,7 +1312,7 @@ static const struct ieee1394_device_id v
25382 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25383 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
25386 + { 0, 0, 0, 0, 0, 0 }
25389 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
25390 diff -urNp linux-2.6.35.7/drivers/infiniband/core/cm.c linux-2.6.35.7/drivers/infiniband/core/cm.c
25391 --- linux-2.6.35.7/drivers/infiniband/core/cm.c 2010-08-26 19:47:12.000000000 -0400
25392 +++ linux-2.6.35.7/drivers/infiniband/core/cm.c 2010-09-17 20:12:09.000000000 -0400
25393 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
25395 struct cm_counter_group {
25396 struct kobject obj;
25397 - atomic_long_t counter[CM_ATTR_COUNT];
25398 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
25401 struct cm_counter_attribute {
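Review bot: `counter` in struct cm_counter_group changes to `atomic_long_unchecked_t` with no comment saying why these values are exempt from overflow checking. From the call sites changed later in this file they look like pure statistics (duplicate, transmit and receive counts exported through cm_show_counter), where wraparound is harmless, but that is inferred rather than stated. A one-line comment on the member, e.g. `/* statistics only, may wrap: not a reference count */`, would keep someone from later copying the unchecked type onto a real reference count.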
25402 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
25403 struct ib_mad_send_buf *msg = NULL;
25406 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25407 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25408 counter[CM_REQ_COUNTER]);
25410 /* Quick state check to discard duplicate REQs. */
25411 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
25415 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25416 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25417 counter[CM_REP_COUNTER]);
25418 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
25420 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
25421 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
25422 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
25423 spin_unlock_irq(&cm_id_priv->lock);
25424 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25425 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25426 counter[CM_RTU_COUNTER]);
25429 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
25430 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
25431 dreq_msg->local_comm_id);
25433 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25434 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25435 counter[CM_DREQ_COUNTER]);
25436 cm_issue_drep(work->port, work->mad_recv_wc);
25438 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
25439 case IB_CM_MRA_REP_RCVD:
25441 case IB_CM_TIMEWAIT:
25442 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25443 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25444 counter[CM_DREQ_COUNTER]);
25445 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25447 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
25450 case IB_CM_DREQ_RCVD:
25451 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25452 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25453 counter[CM_DREQ_COUNTER]);
25456 @@ -2502,7 +2502,7 @@ static int cm_mra_handler(struct cm_work
25457 ib_modify_mad(cm_id_priv->av.port->mad_agent,
25458 cm_id_priv->msg, timeout)) {
25459 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25460 - atomic_long_inc(&work->port->
25461 + atomic_long_inc_unchecked(&work->port->
25462 counter_group[CM_RECV_DUPLICATES].
25463 counter[CM_MRA_COUNTER]);
25465 @@ -2511,7 +2511,7 @@ static int cm_mra_handler(struct cm_work
25467 case IB_CM_MRA_REQ_RCVD:
25468 case IB_CM_MRA_REP_RCVD:
25469 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25470 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25471 counter[CM_MRA_COUNTER]);
25474 @@ -2673,7 +2673,7 @@ static int cm_lap_handler(struct cm_work
25475 case IB_CM_LAP_IDLE:
25477 case IB_CM_MRA_LAP_SENT:
25478 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25479 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25480 counter[CM_LAP_COUNTER]);
25481 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25483 @@ -2689,7 +2689,7 @@ static int cm_lap_handler(struct cm_work
25486 case IB_CM_LAP_RCVD:
25487 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25488 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25489 counter[CM_LAP_COUNTER]);
25492 @@ -2973,7 +2973,7 @@ static int cm_sidr_req_handler(struct cm
25493 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25494 if (cur_cm_id_priv) {
25495 spin_unlock_irq(&cm.lock);
25496 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25497 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25498 counter[CM_SIDR_REQ_COUNTER]);
25499 goto out; /* Duplicate message. */
25501 @@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
25502 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25505 - atomic_long_add(1 + msg->retries,
25506 + atomic_long_add_unchecked(1 + msg->retries,
25507 &port->counter_group[CM_XMIT].counter[attr_index]);
25509 - atomic_long_add(msg->retries,
25510 + atomic_long_add_unchecked(msg->retries,
25511 &port->counter_group[CM_XMIT_RETRIES].
25512 counter[attr_index]);
25514 @@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
25517 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25518 - atomic_long_inc(&port->counter_group[CM_RECV].
25519 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25520 counter[attr_id - CM_ATTR_ID_OFFSET]);
25522 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
25523 @@ -3595,7 +3595,7 @@ static ssize_t cm_show_counter(struct ko
25524 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25526 return sprintf(buf, "%ld\n",
25527 - atomic_long_read(&group->counter[cm_attr->index]));
25528 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25531 static const struct sysfs_ops cm_counter_ops = {
25532 diff -urNp linux-2.6.35.7/drivers/infiniband/hw/qib/qib.h linux-2.6.35.7/drivers/infiniband/hw/qib/qib.h
25533 --- linux-2.6.35.7/drivers/infiniband/hw/qib/qib.h 2010-08-26 19:47:12.000000000 -0400
25534 +++ linux-2.6.35.7/drivers/infiniband/hw/qib/qib.h 2010-09-17 20:12:09.000000000 -0400
25536 #include <linux/completion.h>
25537 #include <linux/kref.h>
25538 #include <linux/sched.h>
25539 +#include <linux/slab.h>
25541 #include "qib_common.h"
25542 #include "qib_verbs.h"
25543 diff -urNp linux-2.6.35.7/drivers/input/keyboard/atkbd.c linux-2.6.35.7/drivers/input/keyboard/atkbd.c
25544 --- linux-2.6.35.7/drivers/input/keyboard/atkbd.c 2010-08-26 19:47:12.000000000 -0400
25545 +++ linux-2.6.35.7/drivers/input/keyboard/atkbd.c 2010-09-17 20:12:09.000000000 -0400
25546 @@ -1240,7 +1240,7 @@ static struct serio_device_id atkbd_seri
25548 .extra = SERIO_ANY,
25554 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
25555 diff -urNp linux-2.6.35.7/drivers/input/mouse/lifebook.c linux-2.6.35.7/drivers/input/mouse/lifebook.c
25556 --- linux-2.6.35.7/drivers/input/mouse/lifebook.c 2010-08-26 19:47:12.000000000 -0400
25557 +++ linux-2.6.35.7/drivers/input/mouse/lifebook.c 2010-09-17 20:12:09.000000000 -0400
25558 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
25559 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
25563 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
25566 void __init lifebook_module_init(void)
25567 diff -urNp linux-2.6.35.7/drivers/input/mouse/psmouse-base.c linux-2.6.35.7/drivers/input/mouse/psmouse-base.c
25568 --- linux-2.6.35.7/drivers/input/mouse/psmouse-base.c 2010-08-26 19:47:12.000000000 -0400
25569 +++ linux-2.6.35.7/drivers/input/mouse/psmouse-base.c 2010-09-17 20:12:09.000000000 -0400
25570 @@ -1460,7 +1460,7 @@ static struct serio_device_id psmouse_se
25572 .extra = SERIO_ANY,
25578 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
25579 diff -urNp linux-2.6.35.7/drivers/input/mouse/synaptics.c linux-2.6.35.7/drivers/input/mouse/synaptics.c
25580 --- linux-2.6.35.7/drivers/input/mouse/synaptics.c 2010-08-26 19:47:12.000000000 -0400
25581 +++ linux-2.6.35.7/drivers/input/mouse/synaptics.c 2010-09-17 20:12:09.000000000 -0400
25582 @@ -476,7 +476,7 @@ static void synaptics_process_packet(str
25585 if (SYN_MODEL_PEN(priv->model_id))
25586 - ; /* Nothing, treat a pen as a single finger */
25587 + break; /* Nothing, treat a pen as a single finger */
25590 if (SYN_CAP_PALMDETECT(priv->capabilities))
25591 @@ -701,7 +701,6 @@ static const struct dmi_system_id __init
25592 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
25593 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
25598 /* Toshiba Portege M300 */
25599 @@ -710,9 +709,8 @@ static const struct dmi_system_id __init
25600 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
25601 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
25606 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25610 diff -urNp linux-2.6.35.7/drivers/input/mousedev.c linux-2.6.35.7/drivers/input/mousedev.c
25611 --- linux-2.6.35.7/drivers/input/mousedev.c 2010-08-26 19:47:12.000000000 -0400
25612 +++ linux-2.6.35.7/drivers/input/mousedev.c 2010-09-17 20:12:09.000000000 -0400
25613 @@ -754,7 +754,7 @@ static ssize_t mousedev_read(struct file
25615 spin_unlock_irq(&client->packet_lock);
25617 - if (copy_to_user(buffer, data, count))
25618 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
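Review bot: The added `count > sizeof(data)` test runs after `spin_unlock_irq(&client->packet_lock)`, that is, after the locked section that presumably fills `data`; that fill is outside the hunk, so this is inferred. If the same `count` is used there to copy into `data`, an oversized value would already have overrun the stack buffer before this check rejects it. The bound belongs before that copy, under the lock, with this test kept only as a backstop. mousedev_read starts and ends outside the hunk.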
25622 @@ -1051,7 +1051,7 @@ static struct input_handler mousedev_han
25624 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25625 static struct miscdevice psaux_mouse = {
25626 - PSMOUSE_MINOR, "psaux", &mousedev_fops
25627 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25629 static int psaux_registered;
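Review bot: `psaux_mouse` is now initialized positionally with six values, `PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL`, which silently depends on the member order and count of struct miscdevice. Designated initializers say the same thing and leave the remaining members zeroed without listing them: `.minor = PSMOUSE_MINOR, .name = "psaux", .fops = &mousedev_fops,`. That form also survives members being added to or reordered in the struct.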
25631 diff -urNp linux-2.6.35.7/drivers/input/serio/i8042-x86ia64io.h linux-2.6.35.7/drivers/input/serio/i8042-x86ia64io.h
25632 --- linux-2.6.35.7/drivers/input/serio/i8042-x86ia64io.h 2010-08-26 19:47:12.000000000 -0400
25633 +++ linux-2.6.35.7/drivers/input/serio/i8042-x86ia64io.h 2010-09-17 20:12:09.000000000 -0400
25634 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
25635 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25639 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25643 @@ -413,7 +413,7 @@ static const struct dmi_system_id __init
25644 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
25648 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25651 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
25652 @@ -487,7 +487,7 @@ static const struct dmi_system_id __init
25653 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
25657 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25661 @@ -506,7 +506,7 @@ static const struct dmi_system_id __init
25662 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
25666 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25669 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
25670 @@ -530,7 +530,7 @@ static const struct dmi_system_id __init
25671 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
25675 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25679 @@ -604,7 +604,7 @@ static const struct dmi_system_id __init
25680 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
25684 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25687 #endif /* CONFIG_X86 */
25688 diff -urNp linux-2.6.35.7/drivers/input/serio/serio_raw.c linux-2.6.35.7/drivers/input/serio/serio_raw.c
25689 --- linux-2.6.35.7/drivers/input/serio/serio_raw.c 2010-08-26 19:47:12.000000000 -0400
25690 +++ linux-2.6.35.7/drivers/input/serio/serio_raw.c 2010-09-17 20:12:09.000000000 -0400
25691 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
25693 .extra = SERIO_ANY,
25699 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
25700 diff -urNp linux-2.6.35.7/drivers/isdn/gigaset/common.c linux-2.6.35.7/drivers/isdn/gigaset/common.c
25701 --- linux-2.6.35.7/drivers/isdn/gigaset/common.c 2010-08-26 19:47:12.000000000 -0400
25702 +++ linux-2.6.35.7/drivers/isdn/gigaset/common.c 2010-09-17 20:12:09.000000000 -0400
25703 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
25704 cs->commands_pending = 0;
25705 cs->cur_at_seq = 0;
25707 - cs->open_count = 0;
25708 + atomic_set(&cs->open_count, 0);
25711 cs->tty_dev = NULL;
25712 diff -urNp linux-2.6.35.7/drivers/isdn/gigaset/gigaset.h linux-2.6.35.7/drivers/isdn/gigaset/gigaset.h
25713 --- linux-2.6.35.7/drivers/isdn/gigaset/gigaset.h 2010-08-26 19:47:12.000000000 -0400
25714 +++ linux-2.6.35.7/drivers/isdn/gigaset/gigaset.h 2010-09-17 20:12:09.000000000 -0400
25715 @@ -442,7 +442,7 @@ struct cardstate {
25716 spinlock_t cmdlock;
25717 unsigned curlen, cmdbytes;
25719 - unsigned open_count;
25720 + atomic_t open_count;
25721 struct tty_struct *tty;
25722 struct tasklet_struct if_wake_tasklet;
25723 unsigned control_state;
25724 diff -urNp linux-2.6.35.7/drivers/isdn/gigaset/interface.c linux-2.6.35.7/drivers/isdn/gigaset/interface.c
25725 --- linux-2.6.35.7/drivers/isdn/gigaset/interface.c 2010-08-26 19:47:12.000000000 -0400
25726 +++ linux-2.6.35.7/drivers/isdn/gigaset/interface.c 2010-09-17 20:12:09.000000000 -0400
25727 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
25728 return -ERESTARTSYS;
25729 tty->driver_data = cs;
25731 - ++cs->open_count;
25733 - if (cs->open_count == 1) {
25734 + if (atomic_inc_return(&cs->open_count) == 1) {
25735 spin_lock_irqsave(&cs->lock, flags);
25737 spin_unlock_irqrestore(&cs->lock, flags);
25738 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
25740 if (!cs->connected)
25741 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25742 - else if (!cs->open_count)
25743 + else if (!atomic_read(&cs->open_count))
25744 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25746 - if (!--cs->open_count) {
25747 + if (!atomic_dec_return(&cs->open_count)) {
25748 spin_lock_irqsave(&cs->lock, flags);
25750 spin_unlock_irqrestore(&cs->lock, flags);
25751 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
25752 if (!cs->connected) {
25753 gig_dbg(DEBUG_IF, "not connected");
25755 - } else if (!cs->open_count)
25756 + } else if (!atomic_read(&cs->open_count))
25757 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25760 @@ -355,7 +353,7 @@ static int if_write(struct tty_struct *t
25761 if (!cs->connected) {
25762 gig_dbg(DEBUG_IF, "not connected");
25764 - } else if (!cs->open_count)
25765 + } else if (!atomic_read(&cs->open_count))
25766 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25767 else if (cs->mstate != MS_LOCKED) {
25768 dev_warn(cs->dev, "can't write to unlocked device\n");
25769 @@ -389,7 +387,7 @@ static int if_write_room(struct tty_stru
25770 if (!cs->connected) {
25771 gig_dbg(DEBUG_IF, "not connected");
25773 - } else if (!cs->open_count)
25774 + } else if (!atomic_read(&cs->open_count))
25775 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25776 else if (cs->mstate != MS_LOCKED) {
25777 dev_warn(cs->dev, "can't write to unlocked device\n");
25778 @@ -419,7 +417,7 @@ static int if_chars_in_buffer(struct tty
25780 if (!cs->connected)
25781 gig_dbg(DEBUG_IF, "not connected");
25782 - else if (!cs->open_count)
25783 + else if (!atomic_read(&cs->open_count))
25784 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25785 else if (cs->mstate != MS_LOCKED)
25786 dev_warn(cs->dev, "can't write to unlocked device\n");
25787 @@ -447,7 +445,7 @@ static void if_throttle(struct tty_struc
25789 if (!cs->connected)
25790 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25791 - else if (!cs->open_count)
25792 + else if (!atomic_read(&cs->open_count))
25793 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25795 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25796 @@ -471,7 +469,7 @@ static void if_unthrottle(struct tty_str
25798 if (!cs->connected)
25799 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25800 - else if (!cs->open_count)
25801 + else if (!atomic_read(&cs->open_count))
25802 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25804 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25805 @@ -502,7 +500,7 @@ static void if_set_termios(struct tty_st
25809 - if (!cs->open_count) {
25810 + if (!atomic_read(&cs->open_count)) {
25811 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25814 diff -urNp linux-2.6.35.7/drivers/isdn/hardware/avm/b1.c linux-2.6.35.7/drivers/isdn/hardware/avm/b1.c
25815 --- linux-2.6.35.7/drivers/isdn/hardware/avm/b1.c 2010-08-26 19:47:12.000000000 -0400
25816 +++ linux-2.6.35.7/drivers/isdn/hardware/avm/b1.c 2010-09-17 20:12:37.000000000 -0400
25817 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
25820 if (t4file->user) {
25821 - if (copy_from_user(buf, dp, left))
25822 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25825 memcpy(buf, dp, left);
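Review bot: The new `left > sizeof(buf)` bound covers only the `t4file->user` branch; the `memcpy(buf, dp, left)` on the other branch copies the same `left` into the same `buf` with no check. If `left` can exceed the buffer at all, it can do so on both paths, so the test should sit before the `if (t4file->user)` split, e.g. `if (left > sizeof(buf)) return -EFAULT;` (or whichever error the function already returns there, which is outside the hunk). The same pattern appears in the b1_load_config hunk below and in icn_writecmd in drivers/isdn/icn/icn.c, where `memcpy(msg, buf, count)` is likewise unguarded. This assumes `buf` is an array in scope so that `sizeof(buf)` is its capacity; the declaration is outside the hunk.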
25826 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
25829 if (config->user) {
25830 - if (copy_from_user(buf, dp, left))
25831 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25834 memcpy(buf, dp, left);
25835 diff -urNp linux-2.6.35.7/drivers/isdn/icn/icn.c linux-2.6.35.7/drivers/isdn/icn/icn.c
25836 --- linux-2.6.35.7/drivers/isdn/icn/icn.c 2010-08-26 19:47:12.000000000 -0400
25837 +++ linux-2.6.35.7/drivers/isdn/icn/icn.c 2010-09-17 20:12:37.000000000 -0400
25838 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
25842 - if (copy_from_user(msg, buf, count))
25843 + if (count > sizeof(msg) || copy_from_user(msg, buf, count))
25846 memcpy(msg, buf, count);
25847 diff -urNp linux-2.6.35.7/drivers/isdn/sc/interrupt.c linux-2.6.35.7/drivers/isdn/sc/interrupt.c
25848 --- linux-2.6.35.7/drivers/isdn/sc/interrupt.c 2010-08-26 19:47:12.000000000 -0400
25849 +++ linux-2.6.35.7/drivers/isdn/sc/interrupt.c 2010-10-10 15:58:05.000000000 -0400
25850 @@ -112,11 +112,19 @@ irqreturn_t interrupt_handler(int dummy,
25852 else if(callid>=0x0000 && callid<=0x7FFF)
25856 pr_debug("%s: Got Incoming Call\n",
25857 sc_adapter[card]->devicename);
25858 - strcpy(setup.phone,&(rcvmsg.msg_data.byte_array[4]));
25859 - strcpy(setup.eazmsn,
25860 - sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn);
25861 + len = strlcpy(setup.phone, &(rcvmsg.msg_data.byte_array[4]),
25862 + sizeof(setup.phone));
25863 + if (len >= sizeof(setup.phone))
25865 + len = strlcpy(setup.eazmsn,
25866 + sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
25867 + sizeof(setup.eazmsn));
25868 + if (len >= sizeof(setup.eazmsn))
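Review bot: The `len >= sizeof(...)` truncation checks protect `setup.phone` and `setup.eazmsn`, but `strlcpy()` still measures the whole source with strlen(), so a message from the adapter whose `byte_array` has no NUL after offset 4 is read past its end before the bound takes effect. Terminating the receive buffer first, or measuring with `strnlen()` against the remaining size of `byte_array`, would bound the read as well as the write. The index `rcvmsg.phy_link_no - 1` into `channel[]` is also taken from the received message, and no range check is visible in the hunk. interrupt_handler starts and ends outside the hunk.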
25873 @@ -176,7 +184,9 @@ irqreturn_t interrupt_handler(int dummy,
25874 * Handle a GetMyNumber Rsp
25876 if (IS_CE_MESSAGE(rcvmsg,Call,0,GetMyNumber)){
25877 - strcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn,rcvmsg.msg_data.byte_array);
25878 + strlcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
25879 + rcvmsg.msg_data.byte_array,
25880 + sizeof(rcvmsg.msg_data.byte_array));
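Review bot: The size passed to `strlcpy()` here is `sizeof(rcvmsg.msg_data.byte_array)`, the size of the source, while the destination is `sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn`. If `dn` is smaller than `byte_array` (both declarations are outside the hunk), the copy can still overrun it, which is what replacing strcpy was meant to prevent. The bound should be the destination's size: `sizeof(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn)`. Unlike the Incoming Call hunk above, the return value is not checked for truncation here either.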
25884 diff -urNp linux-2.6.35.7/drivers/lguest/core.c linux-2.6.35.7/drivers/lguest/core.c
25885 --- linux-2.6.35.7/drivers/lguest/core.c 2010-08-26 19:47:12.000000000 -0400
25886 +++ linux-2.6.35.7/drivers/lguest/core.c 2010-09-17 20:12:09.000000000 -0400
25887 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
25888 * it's worked so far. The end address needs +1 because __get_vm_area
25889 * allocates an extra guard page, so we need space for that.
25892 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25893 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25894 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
25895 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25897 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25898 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
25899 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25902 if (!switcher_vma) {
25904 printk("lguest: could not map switcher pages high\n");
25905 diff -urNp linux-2.6.35.7/drivers/macintosh/via-pmu-backlight.c linux-2.6.35.7/drivers/macintosh/via-pmu-backlight.c
25906 --- linux-2.6.35.7/drivers/macintosh/via-pmu-backlight.c 2010-08-26 19:47:12.000000000 -0400
25907 +++ linux-2.6.35.7/drivers/macintosh/via-pmu-backlight.c 2010-09-17 20:12:09.000000000 -0400
25910 #define MAX_PMU_LEVEL 0xFF
25912 -static struct backlight_ops pmu_backlight_data;
25913 +static const struct backlight_ops pmu_backlight_data;
25914 static DEFINE_SPINLOCK(pmu_backlight_lock);
25915 static int sleeping, uses_pmu_bl;
25916 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
25917 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
25918 return bd->props.brightness;
25921 -static struct backlight_ops pmu_backlight_data = {
25922 +static const struct backlight_ops pmu_backlight_data = {
25923 .get_brightness = pmu_backlight_get_brightness,
25924 .update_status = pmu_backlight_update_status,
25926 diff -urNp linux-2.6.35.7/drivers/macintosh/via-pmu.c linux-2.6.35.7/drivers/macintosh/via-pmu.c
25927 --- linux-2.6.35.7/drivers/macintosh/via-pmu.c 2010-08-26 19:47:12.000000000 -0400
25928 +++ linux-2.6.35.7/drivers/macintosh/via-pmu.c 2010-09-17 20:12:09.000000000 -0400
25929 @@ -2254,7 +2254,7 @@ static int pmu_sleep_valid(suspend_state
25930 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
25933 -static struct platform_suspend_ops pmu_pm_ops = {
25934 +static const struct platform_suspend_ops pmu_pm_ops = {
25935 .enter = powerbook_sleep,
25936 .valid = pmu_sleep_valid,
25938 diff -urNp linux-2.6.35.7/drivers/md/bitmap.c linux-2.6.35.7/drivers/md/bitmap.c
25939 --- linux-2.6.35.7/drivers/md/bitmap.c 2010-08-26 19:47:12.000000000 -0400
25940 +++ linux-2.6.35.7/drivers/md/bitmap.c 2010-09-17 20:12:09.000000000 -0400
25943 # define PRINTK(x...) printk(KERN_DEBUG x)
25945 -# define PRINTK(x...)
25946 +# define PRINTK(x...) do {} while (0)
25950 diff -urNp linux-2.6.35.7/drivers/md/dm-table.c linux-2.6.35.7/drivers/md/dm-table.c
25951 --- linux-2.6.35.7/drivers/md/dm-table.c 2010-08-26 19:47:12.000000000 -0400
25952 +++ linux-2.6.35.7/drivers/md/dm-table.c 2010-09-17 20:12:09.000000000 -0400
25953 @@ -363,7 +363,7 @@ static int device_area_is_invalid(struct
25957 - if ((start >= dev_size) || (start + len > dev_size)) {
25958 + if ((start >= dev_size) || (len > dev_size - start)) {
25959 DMWARN("%s: %s too small for target: "
25960 "start=%llu, len=%llu, dev_size=%llu",
25961 dm_device_name(ti->table->md), bdevname(bdev, b),
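Review bot: The rewritten bound on the `+` line, `(len > dev_size - start)`, has no comment saying why the sum was replaced, so a later cleanup could put `start + len > dev_size` back. Assuming these are unsigned sector counts, as the `%llu` formats suggest, the old sum could wrap for large values and pass the check. The subtraction cannot wrap, because `start >= dev_size` is tested first and short-circuits. I would add `/* compare against dev_size - start so start + len cannot wrap */` above the condition. device_area_is_invalid() begins and ends outside this hunk.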
25962 diff -urNp linux-2.6.35.7/drivers/md/md.c linux-2.6.35.7/drivers/md/md.c
25963 --- linux-2.6.35.7/drivers/md/md.c 2010-08-26 19:47:12.000000000 -0400
25964 +++ linux-2.6.35.7/drivers/md/md.c 2010-09-17 20:12:09.000000000 -0400
25965 @@ -6352,7 +6352,7 @@ static int md_seq_show(struct seq_file *
25966 chunk_kb ? "KB" : "B");
25967 if (bitmap->file) {
25968 seq_printf(seq, ", file: ");
25969 - seq_path(seq, &bitmap->file->f_path, " \t\n");
25970 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
25973 seq_printf(seq, "\n");
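Review bot: The extra `\\` in the escape set passed to seq_path() on the `+` line is not explained, and it is easy to read as a typo. seq_path() writes each listed character as a backslash-octal sequence, so unless the backslash is itself escaped, a bitmap file name containing a literal `\012` cannot be told apart from an escaped newline by anything parsing this output. A one-line comment would keep the reason with the code, for example `/* escape '\\' too so escaped output stays unambiguous */`. md_seq_show() begins and ends outside this hunk.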
25974 @@ -6446,7 +6446,7 @@ static int is_mddev_idle(mddev_t *mddev,
25975 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
25976 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
25977 (int)part_stat_read(&disk->part0, sectors[1]) -
25978 - atomic_read(&disk->sync_io);
25979 + atomic_read_unchecked(&disk->sync_io);
25980 /* sync IO will cause sync_io to increase before the disk_stats
25981 * as sync_io is counted when a request starts, and
25982 * disk_stats is counted when it completes.
25983 diff -urNp linux-2.6.35.7/drivers/md/md.h linux-2.6.35.7/drivers/md/md.h
25984 --- linux-2.6.35.7/drivers/md/md.h 2010-08-26 19:47:12.000000000 -0400
25985 +++ linux-2.6.35.7/drivers/md/md.h 2010-09-17 20:12:09.000000000 -0400
25986 @@ -334,7 +334,7 @@ static inline void rdev_dec_pending(mdk_
25988 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
25990 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25991 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25994 struct mdk_personality
25995 diff -urNp linux-2.6.35.7/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.35.7/drivers/media/dvb/dvb-core/dvbdev.c
25996 --- linux-2.6.35.7/drivers/media/dvb/dvb-core/dvbdev.c 2010-08-26 19:47:12.000000000 -0400
25997 +++ linux-2.6.35.7/drivers/media/dvb/dvb-core/dvbdev.c 2010-09-17 20:12:09.000000000 -0400
25998 @@ -196,6 +196,7 @@ int dvb_register_device(struct dvb_adapt
25999 const struct dvb_device *template, void *priv, int type)
26001 struct dvb_device *dvbdev;
26002 + /* cannot be const, see this function */
26003 struct file_operations *dvbdevfops;
26004 struct device *clsdev;
26006 diff -urNp linux-2.6.35.7/drivers/media/radio/radio-cadet.c linux-2.6.35.7/drivers/media/radio/radio-cadet.c
26007 --- linux-2.6.35.7/drivers/media/radio/radio-cadet.c 2010-08-26 19:47:12.000000000 -0400
26008 +++ linux-2.6.35.7/drivers/media/radio/radio-cadet.c 2010-09-17 20:12:37.000000000 -0400
26009 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
26010 while (i < count && dev->rdsin != dev->rdsout)
26011 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
26013 - if (copy_to_user(data, readbuf, i))
26014 + if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
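Review bot: The added `i > sizeof(readbuf)` test runs after the copy loop two lines above has already stored `readbuf[i++]`, so an out-of-bounds write would happen before this check could reject it. The declarations of `readbuf` and `dev->rdsbuf` are outside the hunk, so it cannot be confirmed here whether the ring-buffer indices already bound the loop. If they do not, the bound belongs in the loop condition: `while (i < count && i < sizeof(readbuf) && dev->rdsin != dev->rdsout)`. As written, the check only stops copy_to_user() from reading past `readbuf`. cadet_read() begins and ends outside this hunk.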
26018 diff -urNp linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c
26019 --- linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c 2010-08-26 19:47:12.000000000 -0400
26020 +++ linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c 2010-10-19 18:15:40.000000000 -0400
26021 @@ -193,17 +193,24 @@ static int put_video_window32(struct vid
26022 struct video_code32 {
26023 char loadwhat[16]; /* name or tag of file being passed */
26024 compat_int_t datasize;
26025 - unsigned char *data;
26026 + compat_uptr_t data;
26029 -static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
26030 +static struct video_code __user *get_microcode32(struct video_code32 *kp)
26032 - if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
26033 - copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
26034 - get_user(kp->datasize, &up->datasize) ||
26035 - copy_from_user(kp->data, up->data, up->datasize))
26038 + struct video_code __user *up;
26040 + up = compat_alloc_user_space(sizeof(*up));
26043 + * NOTE! We don't actually care if these fail. If the
26044 + * user address is invalid, the native ioctl will do
26045 + * the error handling for us
26047 + (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
26048 + (void) put_user(kp->datasize, &up->datasize);
26049 + (void) put_user(compat_ptr(kp->data), &up->data);
26053 #define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32)
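Review bot: The rewritten get_microcode32() has no header comment, and its contract is not obvious from the signature. It returns a user-space pointer into the area obtained from compat_alloc_user_space(), and it forwards `kp->datasize` and `compat_ptr(kp->data)` without validating them. The in-body comment says failed writes are left to the native ioctl, so the native VIDIOCSMICROCODE handler is the only place where the size and data pointer are checked; that dependency should be stated. I would add above the function `/* Build a native struct video_code in compat user space; size and data pointer are validated by the native ioctl only. */`. The function's braces and return statement are not visible in this hunk.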
26054 @@ -744,7 +751,7 @@ static long do_video_ioctl(struct file *
26055 struct video_tuner vt;
26056 struct video_buffer vb;
26057 struct video_window vw;
26058 - struct video_code vc;
26059 + struct video_code32 vc;
26060 struct video_audio va;
26062 struct v4l2_format v2f;
26063 @@ -823,8 +830,11 @@ static long do_video_ioctl(struct file *
26066 case VIDIOCSMICROCODE:
26067 - err = get_microcode32(&karg.vc, up);
26068 - compatible_arg = 0;
26069 + /* Copy the 32-bit "video_code32" to kernel space */
26070 + if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
26072 + /* Convert the 32-bit version to a 64-bit version in user space */
26073 + up = get_microcode32(&karg.vc);
26077 diff -urNp linux-2.6.35.7/drivers/message/fusion/mptbase.c linux-2.6.35.7/drivers/message/fusion/mptbase.c
26078 --- linux-2.6.35.7/drivers/message/fusion/mptbase.c 2010-08-26 19:47:12.000000000 -0400
26079 +++ linux-2.6.35.7/drivers/message/fusion/mptbase.c 2010-09-17 20:12:37.000000000 -0400
26080 @@ -6715,8 +6715,14 @@ procmpt_iocinfo_read(char *buf, char **s
26081 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
26082 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
26084 +#ifdef CONFIG_GRKERNSEC_HIDESYM
26085 + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
26088 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
26089 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
26093 * Rounding UP to nearest 4-kB boundary here...
26095 diff -urNp linux-2.6.35.7/drivers/message/fusion/mptdebug.h linux-2.6.35.7/drivers/message/fusion/mptdebug.h
26096 --- linux-2.6.35.7/drivers/message/fusion/mptdebug.h 2010-08-26 19:47:12.000000000 -0400
26097 +++ linux-2.6.35.7/drivers/message/fusion/mptdebug.h 2010-09-17 20:12:09.000000000 -0400
26102 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
26103 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
26107 diff -urNp linux-2.6.35.7/drivers/message/fusion/mptsas.c linux-2.6.35.7/drivers/message/fusion/mptsas.c
26108 --- linux-2.6.35.7/drivers/message/fusion/mptsas.c 2010-08-26 19:47:12.000000000 -0400
26109 +++ linux-2.6.35.7/drivers/message/fusion/mptsas.c 2010-09-17 20:12:09.000000000 -0400
26110 @@ -437,6 +437,23 @@ mptsas_is_end_device(struct mptsas_devin
26114 +static inline void
26115 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
26117 + if (phy_info->port_details) {
26118 + phy_info->port_details->rphy = rphy;
26119 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
26120 + ioc->name, rphy));
26124 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
26125 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
26126 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
26127 + ioc->name, rphy, rphy->dev.release));
26133 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
26134 @@ -475,23 +492,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
26138 -static inline void
26139 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
26141 - if (phy_info->port_details) {
26142 - phy_info->port_details->rphy = rphy;
26143 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
26144 - ioc->name, rphy));
26148 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
26149 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
26150 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
26151 - ioc->name, rphy, rphy->dev.release));
26155 static inline struct sas_port *
26156 mptsas_get_port(struct mptsas_phyinfo *phy_info)
26158 diff -urNp linux-2.6.35.7/drivers/message/fusion/mptscsih.c linux-2.6.35.7/drivers/message/fusion/mptscsih.c
26159 --- linux-2.6.35.7/drivers/message/fusion/mptscsih.c 2010-09-26 17:32:11.000000000 -0400
26160 +++ linux-2.6.35.7/drivers/message/fusion/mptscsih.c 2010-10-11 22:41:44.000000000 -0400
26161 @@ -1244,15 +1244,16 @@ mptscsih_info(struct Scsi_Host *SChost)
26163 h = shost_priv(SChost);
26166 - if (h->info_kbuf == NULL)
26167 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
26168 - return h->info_kbuf;
26169 - h->info_kbuf[0] = '\0';
26173 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
26174 - h->info_kbuf[size-1] = '\0';
26176 + if (h->info_kbuf == NULL)
26177 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
26178 + return h->info_kbuf;
26179 + h->info_kbuf[0] = '\0';
26181 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
26182 + h->info_kbuf[size-1] = '\0';
26184 return h->info_kbuf;
26186 diff -urNp linux-2.6.35.7/drivers/message/i2o/i2o_proc.c linux-2.6.35.7/drivers/message/i2o/i2o_proc.c
26187 --- linux-2.6.35.7/drivers/message/i2o/i2o_proc.c 2010-08-26 19:47:12.000000000 -0400
26188 +++ linux-2.6.35.7/drivers/message/i2o/i2o_proc.c 2010-09-17 20:12:09.000000000 -0400
26189 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
26190 "Array Controller Device"
26193 -static char *chtostr(u8 * chars, int n)
26197 - return strncat(tmp, (char *)chars, n);
26200 static int i2o_report_query_status(struct seq_file *seq, int block_status,
26203 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
26205 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
26206 seq_printf(seq, "%-#8x", ddm_table.module_id);
26207 - seq_printf(seq, "%-29s",
26208 - chtostr(ddm_table.module_name_version, 28));
26209 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
26210 seq_printf(seq, "%9d ", ddm_table.data_size);
26211 seq_printf(seq, "%8d", ddm_table.code_size);
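Review bot: `%-.28s` on the `+` line keeps the 28-byte cap but drops the field width, so the module name is no longer padded to 29 columns as `%-29s` did, and the `data_size` column after it shifts for short names. The `-` flag has no effect without a width. `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);` keeps both the bound and the alignment. The same applies in the i2o_seq_show_drivers_stored hunk, where `%-.28s` should be `%-29.28s` and `%-.8s` should be `%-9.8s`. The precision form is otherwise a sound replacement for the removed chtostr(), since it stops at the given length even when the field has no terminating NUL.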
26213 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
26215 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
26216 seq_printf(seq, "%-#8x", dst->module_id);
26217 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
26218 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
26219 + seq_printf(seq, "%-.28s", dst->module_name_version);
26220 + seq_printf(seq, "%-.8s", dst->date);
26221 seq_printf(seq, "%8d ", dst->module_size);
26222 seq_printf(seq, "%8d ", dst->mpb_size);
26223 seq_printf(seq, "0x%04x", dst->module_flags);
26224 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
26225 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
26226 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
26227 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
26228 - seq_printf(seq, "Vendor info : %s\n",
26229 - chtostr((u8 *) (work32 + 2), 16));
26230 - seq_printf(seq, "Product info : %s\n",
26231 - chtostr((u8 *) (work32 + 6), 16));
26232 - seq_printf(seq, "Description : %s\n",
26233 - chtostr((u8 *) (work32 + 10), 16));
26234 - seq_printf(seq, "Product rev. : %s\n",
26235 - chtostr((u8 *) (work32 + 14), 8));
26236 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
26237 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
26238 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
26239 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
26241 seq_printf(seq, "Serial number : ");
26242 print_serial_number(seq, (u8 *) (work32 + 16),
26243 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
26246 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
26247 - seq_printf(seq, "Module name : %s\n",
26248 - chtostr(result.module_name, 24));
26249 - seq_printf(seq, "Module revision : %s\n",
26250 - chtostr(result.module_rev, 8));
26251 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
26252 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
26254 seq_printf(seq, "Serial number : ");
26255 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
26256 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
26260 - seq_printf(seq, "Device name : %s\n",
26261 - chtostr(result.device_name, 64));
26262 - seq_printf(seq, "Service name : %s\n",
26263 - chtostr(result.service_name, 64));
26264 - seq_printf(seq, "Physical name : %s\n",
26265 - chtostr(result.physical_location, 64));
26266 - seq_printf(seq, "Instance number : %s\n",
26267 - chtostr(result.instance_number, 4));
26268 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
26269 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
26270 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
26271 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
26275 diff -urNp linux-2.6.35.7/drivers/mfd/janz-cmodio.c linux-2.6.35.7/drivers/mfd/janz-cmodio.c
26276 --- linux-2.6.35.7/drivers/mfd/janz-cmodio.c 2010-08-26 19:47:12.000000000 -0400
26277 +++ linux-2.6.35.7/drivers/mfd/janz-cmodio.c 2010-09-17 20:12:09.000000000 -0400
26280 #include <linux/kernel.h>
26281 #include <linux/module.h>
26282 +#include <linux/slab.h>
26283 #include <linux/init.h>
26284 #include <linux/pci.h>
26285 #include <linux/interrupt.h>
26286 diff -urNp linux-2.6.35.7/drivers/misc/kgdbts.c linux-2.6.35.7/drivers/misc/kgdbts.c
26287 --- linux-2.6.35.7/drivers/misc/kgdbts.c 2010-08-26 19:47:12.000000000 -0400
26288 +++ linux-2.6.35.7/drivers/misc/kgdbts.c 2010-09-17 20:12:09.000000000 -0400
26289 @@ -118,7 +118,7 @@
26291 #define MAX_CONFIG_LEN 40
26293 -static struct kgdb_io kgdbts_io_ops;
26294 +static const struct kgdb_io kgdbts_io_ops;
26295 static char get_buf[BUFMAX];
26296 static int get_buf_cnt;
26297 static char put_buf[BUFMAX];
26298 @@ -1114,7 +1114,7 @@ static void kgdbts_post_exp_handler(void
26299 module_put(THIS_MODULE);
26302 -static struct kgdb_io kgdbts_io_ops = {
26303 +static const struct kgdb_io kgdbts_io_ops = {
26305 .read_char = kgdbts_get_char,
26306 .write_char = kgdbts_put_char,
26307 diff -urNp linux-2.6.35.7/drivers/misc/sgi-gru/gruhandles.c linux-2.6.35.7/drivers/misc/sgi-gru/gruhandles.c
26308 --- linux-2.6.35.7/drivers/misc/sgi-gru/gruhandles.c 2010-08-26 19:47:12.000000000 -0400
26309 +++ linux-2.6.35.7/drivers/misc/sgi-gru/gruhandles.c 2010-09-17 20:12:09.000000000 -0400
26310 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
26311 unsigned long nsec;
26313 nsec = CLKS2NSEC(clks);
26314 - atomic_long_inc(&mcs_op_statistics[op].count);
26315 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
26316 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
26317 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
26318 if (mcs_op_statistics[op].max < nsec)
26319 mcs_op_statistics[op].max = nsec;
26321 diff -urNp linux-2.6.35.7/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.35.7/drivers/misc/sgi-gru/gruprocfs.c
26322 --- linux-2.6.35.7/drivers/misc/sgi-gru/gruprocfs.c 2010-08-26 19:47:12.000000000 -0400
26323 +++ linux-2.6.35.7/drivers/misc/sgi-gru/gruprocfs.c 2010-09-17 20:12:09.000000000 -0400
26326 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
26328 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
26329 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
26331 - unsigned long val = atomic_long_read(v);
26332 + unsigned long val = atomic_long_read_unchecked(v);
26334 seq_printf(s, "%16lu %s\n", val, id);
26336 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
26338 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
26339 for (op = 0; op < mcsop_last; op++) {
26340 - count = atomic_long_read(&mcs_op_statistics[op].count);
26341 - total = atomic_long_read(&mcs_op_statistics[op].total);
26342 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
26343 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
26344 max = mcs_op_statistics[op].max;
26345 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
26346 count ? total / count : 0, max);
26347 diff -urNp linux-2.6.35.7/drivers/misc/sgi-gru/grutables.h linux-2.6.35.7/drivers/misc/sgi-gru/grutables.h
26348 --- linux-2.6.35.7/drivers/misc/sgi-gru/grutables.h 2010-08-26 19:47:12.000000000 -0400
26349 +++ linux-2.6.35.7/drivers/misc/sgi-gru/grutables.h 2010-09-17 20:12:09.000000000 -0400
26350 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
26353 struct gru_stats_s {
26354 - atomic_long_t vdata_alloc;
26355 - atomic_long_t vdata_free;
26356 - atomic_long_t gts_alloc;
26357 - atomic_long_t gts_free;
26358 - atomic_long_t gms_alloc;
26359 - atomic_long_t gms_free;
26360 - atomic_long_t gts_double_allocate;
26361 - atomic_long_t assign_context;
26362 - atomic_long_t assign_context_failed;
26363 - atomic_long_t free_context;
26364 - atomic_long_t load_user_context;
26365 - atomic_long_t load_kernel_context;
26366 - atomic_long_t lock_kernel_context;
26367 - atomic_long_t unlock_kernel_context;
26368 - atomic_long_t steal_user_context;
26369 - atomic_long_t steal_kernel_context;
26370 - atomic_long_t steal_context_failed;
26371 - atomic_long_t nopfn;
26372 - atomic_long_t asid_new;
26373 - atomic_long_t asid_next;
26374 - atomic_long_t asid_wrap;
26375 - atomic_long_t asid_reuse;
26376 - atomic_long_t intr;
26377 - atomic_long_t intr_cbr;
26378 - atomic_long_t intr_tfh;
26379 - atomic_long_t intr_spurious;
26380 - atomic_long_t intr_mm_lock_failed;
26381 - atomic_long_t call_os;
26382 - atomic_long_t call_os_wait_queue;
26383 - atomic_long_t user_flush_tlb;
26384 - atomic_long_t user_unload_context;
26385 - atomic_long_t user_exception;
26386 - atomic_long_t set_context_option;
26387 - atomic_long_t check_context_retarget_intr;
26388 - atomic_long_t check_context_unload;
26389 - atomic_long_t tlb_dropin;
26390 - atomic_long_t tlb_preload_page;
26391 - atomic_long_t tlb_dropin_fail_no_asid;
26392 - atomic_long_t tlb_dropin_fail_upm;
26393 - atomic_long_t tlb_dropin_fail_invalid;
26394 - atomic_long_t tlb_dropin_fail_range_active;
26395 - atomic_long_t tlb_dropin_fail_idle;
26396 - atomic_long_t tlb_dropin_fail_fmm;
26397 - atomic_long_t tlb_dropin_fail_no_exception;
26398 - atomic_long_t tfh_stale_on_fault;
26399 - atomic_long_t mmu_invalidate_range;
26400 - atomic_long_t mmu_invalidate_page;
26401 - atomic_long_t flush_tlb;
26402 - atomic_long_t flush_tlb_gru;
26403 - atomic_long_t flush_tlb_gru_tgh;
26404 - atomic_long_t flush_tlb_gru_zero_asid;
26406 - atomic_long_t copy_gpa;
26407 - atomic_long_t read_gpa;
26409 - atomic_long_t mesq_receive;
26410 - atomic_long_t mesq_receive_none;
26411 - atomic_long_t mesq_send;
26412 - atomic_long_t mesq_send_failed;
26413 - atomic_long_t mesq_noop;
26414 - atomic_long_t mesq_send_unexpected_error;
26415 - atomic_long_t mesq_send_lb_overflow;
26416 - atomic_long_t mesq_send_qlimit_reached;
26417 - atomic_long_t mesq_send_amo_nacked;
26418 - atomic_long_t mesq_send_put_nacked;
26419 - atomic_long_t mesq_page_overflow;
26420 - atomic_long_t mesq_qf_locked;
26421 - atomic_long_t mesq_qf_noop_not_full;
26422 - atomic_long_t mesq_qf_switch_head_failed;
26423 - atomic_long_t mesq_qf_unexpected_error;
26424 - atomic_long_t mesq_noop_unexpected_error;
26425 - atomic_long_t mesq_noop_lb_overflow;
26426 - atomic_long_t mesq_noop_qlimit_reached;
26427 - atomic_long_t mesq_noop_amo_nacked;
26428 - atomic_long_t mesq_noop_put_nacked;
26429 - atomic_long_t mesq_noop_page_overflow;
26430 + atomic_long_unchecked_t vdata_alloc;
26431 + atomic_long_unchecked_t vdata_free;
26432 + atomic_long_unchecked_t gts_alloc;
26433 + atomic_long_unchecked_t gts_free;
26434 + atomic_long_unchecked_t gms_alloc;
26435 + atomic_long_unchecked_t gms_free;
26436 + atomic_long_unchecked_t gts_double_allocate;
26437 + atomic_long_unchecked_t assign_context;
26438 + atomic_long_unchecked_t assign_context_failed;
26439 + atomic_long_unchecked_t free_context;
26440 + atomic_long_unchecked_t load_user_context;
26441 + atomic_long_unchecked_t load_kernel_context;
26442 + atomic_long_unchecked_t lock_kernel_context;
26443 + atomic_long_unchecked_t unlock_kernel_context;
26444 + atomic_long_unchecked_t steal_user_context;
26445 + atomic_long_unchecked_t steal_kernel_context;
26446 + atomic_long_unchecked_t steal_context_failed;
26447 + atomic_long_unchecked_t nopfn;
26448 + atomic_long_unchecked_t asid_new;
26449 + atomic_long_unchecked_t asid_next;
26450 + atomic_long_unchecked_t asid_wrap;
26451 + atomic_long_unchecked_t asid_reuse;
26452 + atomic_long_unchecked_t intr;
26453 + atomic_long_unchecked_t intr_cbr;
26454 + atomic_long_unchecked_t intr_tfh;
26455 + atomic_long_unchecked_t intr_spurious;
26456 + atomic_long_unchecked_t intr_mm_lock_failed;
26457 + atomic_long_unchecked_t call_os;
26458 + atomic_long_unchecked_t call_os_wait_queue;
26459 + atomic_long_unchecked_t user_flush_tlb;
26460 + atomic_long_unchecked_t user_unload_context;
26461 + atomic_long_unchecked_t user_exception;
26462 + atomic_long_unchecked_t set_context_option;
26463 + atomic_long_unchecked_t check_context_retarget_intr;
26464 + atomic_long_unchecked_t check_context_unload;
26465 + atomic_long_unchecked_t tlb_dropin;
26466 + atomic_long_unchecked_t tlb_preload_page;
26467 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26468 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26469 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26470 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26471 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26472 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26473 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26474 + atomic_long_unchecked_t tfh_stale_on_fault;
26475 + atomic_long_unchecked_t mmu_invalidate_range;
26476 + atomic_long_unchecked_t mmu_invalidate_page;
26477 + atomic_long_unchecked_t flush_tlb;
26478 + atomic_long_unchecked_t flush_tlb_gru;
26479 + atomic_long_unchecked_t flush_tlb_gru_tgh;
26480 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26482 + atomic_long_unchecked_t copy_gpa;
26483 + atomic_long_unchecked_t read_gpa;
26485 + atomic_long_unchecked_t mesq_receive;
26486 + atomic_long_unchecked_t mesq_receive_none;
26487 + atomic_long_unchecked_t mesq_send;
26488 + atomic_long_unchecked_t mesq_send_failed;
26489 + atomic_long_unchecked_t mesq_noop;
26490 + atomic_long_unchecked_t mesq_send_unexpected_error;
26491 + atomic_long_unchecked_t mesq_send_lb_overflow;
26492 + atomic_long_unchecked_t mesq_send_qlimit_reached;
26493 + atomic_long_unchecked_t mesq_send_amo_nacked;
26494 + atomic_long_unchecked_t mesq_send_put_nacked;
26495 + atomic_long_unchecked_t mesq_page_overflow;
26496 + atomic_long_unchecked_t mesq_qf_locked;
26497 + atomic_long_unchecked_t mesq_qf_noop_not_full;
26498 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
26499 + atomic_long_unchecked_t mesq_qf_unexpected_error;
26500 + atomic_long_unchecked_t mesq_noop_unexpected_error;
26501 + atomic_long_unchecked_t mesq_noop_lb_overflow;
26502 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
26503 + atomic_long_unchecked_t mesq_noop_amo_nacked;
26504 + atomic_long_unchecked_t mesq_noop_put_nacked;
26505 + atomic_long_unchecked_t mesq_noop_page_overflow;
26509 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26510 tghop_invalidate, mcsop_last};
26512 struct mcs_op_statistic {
26513 - atomic_long_t count;
26514 - atomic_long_t total;
26515 + atomic_long_unchecked_t count;
26516 + atomic_long_unchecked_t total;
26520 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26522 #define STAT(id) do { \
26523 if (gru_options & OPT_STATS) \
26524 - atomic_long_inc(&gru_stats.id); \
26525 + atomic_long_inc_unchecked(&gru_stats.id); \
26528 #ifdef CONFIG_SGI_GRU_DEBUG
26529 diff -urNp linux-2.6.35.7/drivers/mtd/devices/doc2000.c linux-2.6.35.7/drivers/mtd/devices/doc2000.c
26530 --- linux-2.6.35.7/drivers/mtd/devices/doc2000.c 2010-08-26 19:47:12.000000000 -0400
26531 +++ linux-2.6.35.7/drivers/mtd/devices/doc2000.c 2010-09-17 20:12:09.000000000 -0400
26532 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26534 /* The ECC will not be calculated correctly if less than 512 is written */
26536 - if (len != 0x200 && eccbuf)
26537 + if (len != 0x200)
26538 printk(KERN_WARNING
26539 "ECC needs a full sector write (adr: %lx size %lx)\n",
26540 (long) to, (long) len);
26541 diff -urNp linux-2.6.35.7/drivers/mtd/devices/doc2001.c linux-2.6.35.7/drivers/mtd/devices/doc2001.c
26542 --- linux-2.6.35.7/drivers/mtd/devices/doc2001.c 2010-08-26 19:47:12.000000000 -0400
26543 +++ linux-2.6.35.7/drivers/mtd/devices/doc2001.c 2010-09-17 20:12:09.000000000 -0400
26544 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26545 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26547 /* Don't allow read past end of device */
26548 - if (from >= this->totlen)
26549 + if (from >= this->totlen || !len)
26552 /* Don't allow a single read to cross a 512-byte block boundary */
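Review bot: The comment above the condition still reads `Don't allow read past end of device`, but the `+` line now also rejects `len == 0`, which is a different case. The statement the condition guards is not shown in the hunk. If it returns an error, a zero-length read that used to fall through now fails, and any caller issuing empty reads would see that. I would update the comment to `/* Don't allow read past end of device, or zero-length reads */` and confirm that an error is the intended result for `len == 0`. doc_read() continues outside the hunk.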
26553 diff -urNp linux-2.6.35.7/drivers/mtd/nand/denali.c linux-2.6.35.7/drivers/mtd/nand/denali.c
26554 --- linux-2.6.35.7/drivers/mtd/nand/denali.c 2010-08-26 19:47:12.000000000 -0400
26555 +++ linux-2.6.35.7/drivers/mtd/nand/denali.c 2010-09-17 20:12:09.000000000 -0400
26557 #include <linux/pci.h>
26558 #include <linux/mtd/mtd.h>
26559 #include <linux/module.h>
26560 +#include <linux/slab.h>
26562 #include "denali.h"
26564 diff -urNp linux-2.6.35.7/drivers/mtd/ubi/build.c linux-2.6.35.7/drivers/mtd/ubi/build.c
26565 --- linux-2.6.35.7/drivers/mtd/ubi/build.c 2010-08-26 19:47:12.000000000 -0400
26566 +++ linux-2.6.35.7/drivers/mtd/ubi/build.c 2010-09-17 20:12:09.000000000 -0400
26567 @@ -1282,7 +1282,7 @@ module_exit(ubi_exit);
26568 static int __init bytes_str_to_int(const char *str)
26571 - unsigned long result;
26572 + unsigned long result, scale = 1;
26574 result = simple_strtoul(str, &endp, 0);
26575 if (str == endp || result >= INT_MAX) {
26576 @@ -1293,11 +1293,11 @@ static int __init bytes_str_to_int(const
26588 if (endp[1] == 'i' && endp[2] == 'B')
26591 @@ -1308,7 +1308,13 @@ static int __init bytes_str_to_int(const
26596 + if ((intoverflow_t)result*scale >= INT_MAX) {
26597 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26602 + return result*scale;
26606 diff -urNp linux-2.6.35.7/drivers/net/cxgb3/cxgb3_main.c linux-2.6.35.7/drivers/net/cxgb3/cxgb3_main.c
26607 --- linux-2.6.35.7/drivers/net/cxgb3/cxgb3_main.c 2010-09-26 17:32:11.000000000 -0400
26608 +++ linux-2.6.35.7/drivers/net/cxgb3/cxgb3_main.c 2010-09-26 17:32:46.000000000 -0400
26609 @@ -2296,7 +2296,7 @@ static int cxgb_extension_ioctl(struct n
26610 case CHELSIO_GET_QSET_NUM:{
26611 struct ch_reg edata;
26613 - memset(&edata, 0, sizeof(struct ch_reg));
26614 + memset(&edata, 0, sizeof(edata));
26616 edata.cmd = CHELSIO_GET_QSET_NUM;
26617 edata.val = pi->nqsets;
26618 diff -urNp linux-2.6.35.7/drivers/net/e1000e/82571.c linux-2.6.35.7/drivers/net/e1000e/82571.c
26619 --- linux-2.6.35.7/drivers/net/e1000e/82571.c 2010-08-26 19:47:12.000000000 -0400
26620 +++ linux-2.6.35.7/drivers/net/e1000e/82571.c 2010-09-17 20:12:09.000000000 -0400
26621 @@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
26623 struct e1000_hw *hw = &adapter->hw;
26624 struct e1000_mac_info *mac = &hw->mac;
26625 + /* cannot be const */
26626 struct e1000_mac_operations *func = &mac->ops;
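Review bot: The added `/* cannot be const */` does not say why, so the next const-ification pass will have to rediscover the reason. `func` points at the adapter's own `mac->ops`. The table comments in the later hunk (`.check_mng_mode: mac type dependent`) suggest this init function fills in some entries at run time, but those assignments are outside the hunk. Something like `/* not const: per-adapter copy, mac/media-dependent ops are set below */` would carry the reason. The same bare comment appears in es2lan.c and on `ops` in struct e1000_nvm_info in hw.h.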
26629 @@ -1703,7 +1704,7 @@ static void e1000_clear_hw_cntrs_82571(s
26633 -static struct e1000_mac_operations e82571_mac_ops = {
26634 +static const struct e1000_mac_operations e82571_mac_ops = {
26635 /* .check_mng_mode: mac type dependent */
26636 /* .check_for_link: media type dependent */
26637 .id_led_init = e1000e_id_led_init,
26638 @@ -1725,7 +1726,7 @@ static struct e1000_mac_operations e8257
26639 .read_mac_addr = e1000_read_mac_addr_82571,
26642 -static struct e1000_phy_operations e82_phy_ops_igp = {
26643 +static const struct e1000_phy_operations e82_phy_ops_igp = {
26644 .acquire = e1000_get_hw_semaphore_82571,
26645 .check_polarity = e1000_check_polarity_igp,
26646 .check_reset_block = e1000e_check_reset_block_generic,
26647 @@ -1743,7 +1744,7 @@ static struct e1000_phy_operations e82_p
26648 .cfg_on_link_up = NULL,
26651 -static struct e1000_phy_operations e82_phy_ops_m88 = {
26652 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
26653 .acquire = e1000_get_hw_semaphore_82571,
26654 .check_polarity = e1000_check_polarity_m88,
26655 .check_reset_block = e1000e_check_reset_block_generic,
26656 @@ -1761,7 +1762,7 @@ static struct e1000_phy_operations e82_p
26657 .cfg_on_link_up = NULL,
26660 -static struct e1000_phy_operations e82_phy_ops_bm = {
26661 +static const struct e1000_phy_operations e82_phy_ops_bm = {
26662 .acquire = e1000_get_hw_semaphore_82571,
26663 .check_polarity = e1000_check_polarity_m88,
26664 .check_reset_block = e1000e_check_reset_block_generic,
26665 @@ -1779,7 +1780,7 @@ static struct e1000_phy_operations e82_p
26666 .cfg_on_link_up = NULL,
26669 -static struct e1000_nvm_operations e82571_nvm_ops = {
26670 +static const struct e1000_nvm_operations e82571_nvm_ops = {
26671 .acquire = e1000_acquire_nvm_82571,
26672 .read = e1000e_read_nvm_eerd,
26673 .release = e1000_release_nvm_82571,
26674 diff -urNp linux-2.6.35.7/drivers/net/e1000e/e1000.h linux-2.6.35.7/drivers/net/e1000e/e1000.h
26675 --- linux-2.6.35.7/drivers/net/e1000e/e1000.h 2010-08-26 19:47:12.000000000 -0400
26676 +++ linux-2.6.35.7/drivers/net/e1000e/e1000.h 2010-09-17 20:12:09.000000000 -0400
26677 @@ -377,9 +377,9 @@ struct e1000_info {
26679 u32 max_hw_frame_size;
26680 s32 (*get_variants)(struct e1000_adapter *);
26681 - struct e1000_mac_operations *mac_ops;
26682 - struct e1000_phy_operations *phy_ops;
26683 - struct e1000_nvm_operations *nvm_ops;
26684 + const struct e1000_mac_operations *mac_ops;
26685 + const struct e1000_phy_operations *phy_ops;
26686 + const struct e1000_nvm_operations *nvm_ops;
26689 /* hardware capability, feature, and workaround flags */
26690 diff -urNp linux-2.6.35.7/drivers/net/e1000e/es2lan.c linux-2.6.35.7/drivers/net/e1000e/es2lan.c
26691 --- linux-2.6.35.7/drivers/net/e1000e/es2lan.c 2010-08-26 19:47:12.000000000 -0400
26692 +++ linux-2.6.35.7/drivers/net/e1000e/es2lan.c 2010-09-17 20:12:09.000000000 -0400
26693 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
26695 struct e1000_hw *hw = &adapter->hw;
26696 struct e1000_mac_info *mac = &hw->mac;
26697 + /* cannot be const */
26698 struct e1000_mac_operations *func = &mac->ops;
26700 /* Set media type */
26701 @@ -1431,7 +1432,7 @@ static void e1000_clear_hw_cntrs_80003es
26705 -static struct e1000_mac_operations es2_mac_ops = {
26706 +static const struct e1000_mac_operations es2_mac_ops = {
26707 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
26708 .id_led_init = e1000e_id_led_init,
26709 .check_mng_mode = e1000e_check_mng_mode_generic,
26710 @@ -1453,7 +1454,7 @@ static struct e1000_mac_operations es2_m
26711 .setup_led = e1000e_setup_led_generic,
26714 -static struct e1000_phy_operations es2_phy_ops = {
26715 +static const struct e1000_phy_operations es2_phy_ops = {
26716 .acquire = e1000_acquire_phy_80003es2lan,
26717 .check_polarity = e1000_check_polarity_m88,
26718 .check_reset_block = e1000e_check_reset_block_generic,
26719 @@ -1471,7 +1472,7 @@ static struct e1000_phy_operations es2_p
26720 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
26723 -static struct e1000_nvm_operations es2_nvm_ops = {
26724 +static const struct e1000_nvm_operations es2_nvm_ops = {
26725 .acquire = e1000_acquire_nvm_80003es2lan,
26726 .read = e1000e_read_nvm_eerd,
26727 .release = e1000_release_nvm_80003es2lan,
26728 diff -urNp linux-2.6.35.7/drivers/net/e1000e/hw.h linux-2.6.35.7/drivers/net/e1000e/hw.h
26729 --- linux-2.6.35.7/drivers/net/e1000e/hw.h 2010-08-26 19:47:12.000000000 -0400
26730 +++ linux-2.6.35.7/drivers/net/e1000e/hw.h 2010-09-17 20:12:09.000000000 -0400
26731 @@ -791,13 +791,13 @@ struct e1000_phy_operations {
26733 /* Function pointers for the NVM. */
26734 struct e1000_nvm_operations {
26735 - s32 (*acquire)(struct e1000_hw *);
26736 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26737 - void (*release)(struct e1000_hw *);
26738 - s32 (*update)(struct e1000_hw *);
26739 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
26740 - s32 (*validate)(struct e1000_hw *);
26741 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26742 + s32 (* const acquire)(struct e1000_hw *);
26743 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26744 + void (* const release)(struct e1000_hw *);
26745 + s32 (* const update)(struct e1000_hw *);
26746 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
26747 + s32 (* const validate)(struct e1000_hw *);
26748 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26751 struct e1000_mac_info {
26752 @@ -877,6 +877,7 @@ struct e1000_phy_info {
26755 struct e1000_nvm_info {
26756 + /* cannot be const */
26757 struct e1000_nvm_operations ops;
26759 enum e1000_nvm_type type;
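Review bot: The new `/* cannot be const */` on `struct e1000_nvm_operations ops` states a constraint without giving the reason. The reason matters now that the hunk above makes every member of that struct a `* const` pointer: this embedded copy can no longer be filled field by field, only by a whole-struct copy. Assuming it is populated from the per-chip `nvm_ops` table during setup (that code is not in this diff section), I would spell it out, e.g. `/* cannot be const: filled by a whole-struct copy from the chip's nvm_ops at init */`. The same bare comment appears in igb/e1000_hw.h and on `func` in es2lan.c, and the struct body continues outside the hunk.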
26760 diff -urNp linux-2.6.35.7/drivers/net/e1000e/ich8lan.c linux-2.6.35.7/drivers/net/e1000e/ich8lan.c
26761 --- linux-2.6.35.7/drivers/net/e1000e/ich8lan.c 2010-08-26 19:47:12.000000000 -0400
26762 +++ linux-2.6.35.7/drivers/net/e1000e/ich8lan.c 2010-09-17 20:12:09.000000000 -0400
26763 @@ -3388,7 +3388,7 @@ static void e1000_clear_hw_cntrs_ich8lan
26767 -static struct e1000_mac_operations ich8_mac_ops = {
26768 +static const struct e1000_mac_operations ich8_mac_ops = {
26769 .id_led_init = e1000e_id_led_init,
26770 .check_mng_mode = e1000_check_mng_mode_ich8lan,
26771 .check_for_link = e1000_check_for_copper_link_ich8lan,
26772 @@ -3407,7 +3407,7 @@ static struct e1000_mac_operations ich8_
26773 /* id_led_init dependent on mac type */
26776 -static struct e1000_phy_operations ich8_phy_ops = {
26777 +static const struct e1000_phy_operations ich8_phy_ops = {
26778 .acquire = e1000_acquire_swflag_ich8lan,
26779 .check_reset_block = e1000_check_reset_block_ich8lan,
26781 @@ -3421,7 +3421,7 @@ static struct e1000_phy_operations ich8_
26782 .write_reg = e1000e_write_phy_reg_igp,
26785 -static struct e1000_nvm_operations ich8_nvm_ops = {
26786 +static const struct e1000_nvm_operations ich8_nvm_ops = {
26787 .acquire = e1000_acquire_nvm_ich8lan,
26788 .read = e1000_read_nvm_ich8lan,
26789 .release = e1000_release_nvm_ich8lan,
26790 diff -urNp linux-2.6.35.7/drivers/net/eql.c linux-2.6.35.7/drivers/net/eql.c
26791 --- linux-2.6.35.7/drivers/net/eql.c 2010-09-26 17:32:11.000000000 -0400
26792 +++ linux-2.6.35.7/drivers/net/eql.c 2010-09-26 17:32:46.000000000 -0400
26793 @@ -555,7 +555,7 @@ static int eql_g_master_cfg(struct net_d
26795 master_config_t mc;
26797 - memset(&mc, 0, sizeof(master_config_t));
26798 + memset(&mc, 0, sizeof(mc));
26800 if (eql_is_master(dev)) {
26801 eql = netdev_priv(dev);
26802 diff -urNp linux-2.6.35.7/drivers/net/igb/e1000_82575.c linux-2.6.35.7/drivers/net/igb/e1000_82575.c
26803 --- linux-2.6.35.7/drivers/net/igb/e1000_82575.c 2010-08-26 19:47:12.000000000 -0400
26804 +++ linux-2.6.35.7/drivers/net/igb/e1000_82575.c 2010-09-17 20:12:09.000000000 -0400
26805 @@ -1597,7 +1597,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
26809 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
26810 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
26811 .init_hw = igb_init_hw_82575,
26812 .check_for_link = igb_check_for_link_82575,
26813 .rar_set = igb_rar_set,
26814 @@ -1605,13 +1605,13 @@ static struct e1000_mac_operations e1000
26815 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
26818 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
26819 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
26820 .acquire = igb_acquire_phy_82575,
26821 .get_cfg_done = igb_get_cfg_done_82575,
26822 .release = igb_release_phy_82575,
26825 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26826 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26827 .acquire = igb_acquire_nvm_82575,
26828 .read = igb_read_nvm_eerd,
26829 .release = igb_release_nvm_82575,
26830 diff -urNp linux-2.6.35.7/drivers/net/igb/e1000_hw.h linux-2.6.35.7/drivers/net/igb/e1000_hw.h
26831 --- linux-2.6.35.7/drivers/net/igb/e1000_hw.h 2010-08-26 19:47:12.000000000 -0400
26832 +++ linux-2.6.35.7/drivers/net/igb/e1000_hw.h 2010-09-17 20:12:09.000000000 -0400
26833 @@ -323,17 +323,17 @@ struct e1000_phy_operations {
26836 struct e1000_nvm_operations {
26837 - s32 (*acquire)(struct e1000_hw *);
26838 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26839 - void (*release)(struct e1000_hw *);
26840 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26841 + s32 (* const acquire)(struct e1000_hw *);
26842 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26843 + void (* const release)(struct e1000_hw *);
26844 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26847 struct e1000_info {
26848 s32 (*get_invariants)(struct e1000_hw *);
26849 - struct e1000_mac_operations *mac_ops;
26850 - struct e1000_phy_operations *phy_ops;
26851 - struct e1000_nvm_operations *nvm_ops;
26852 + const struct e1000_mac_operations *mac_ops;
26853 + const struct e1000_phy_operations *phy_ops;
26854 + const struct e1000_nvm_operations *nvm_ops;
26857 extern const struct e1000_info e1000_82575_info;
26858 @@ -412,6 +412,7 @@ struct e1000_phy_info {
26861 struct e1000_nvm_info {
26862 + /* cannot be const */
26863 struct e1000_nvm_operations ops;
26865 enum e1000_nvm_type type;
26866 diff -urNp linux-2.6.35.7/drivers/net/irda/vlsi_ir.c linux-2.6.35.7/drivers/net/irda/vlsi_ir.c
26867 --- linux-2.6.35.7/drivers/net/irda/vlsi_ir.c 2010-08-26 19:47:12.000000000 -0400
26868 +++ linux-2.6.35.7/drivers/net/irda/vlsi_ir.c 2010-09-17 20:12:09.000000000 -0400
26869 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
26870 /* no race - tx-ring already empty */
26871 vlsi_set_baud(idev, iobase);
26872 netif_wake_queue(ndev);
26877 /* keep the speed change pending like it would
26878 * for any len>0 packet. tx completion interrupt
26879 * will apply it when the tx ring becomes empty.
26882 spin_unlock_irqrestore(&idev->lock, flags);
26883 dev_kfree_skb_any(skb);
26884 return NETDEV_TX_OK;
26885 diff -urNp linux-2.6.35.7/drivers/net/pcnet32.c linux-2.6.35.7/drivers/net/pcnet32.c
26886 --- linux-2.6.35.7/drivers/net/pcnet32.c 2010-08-26 19:47:12.000000000 -0400
26887 +++ linux-2.6.35.7/drivers/net/pcnet32.c 2010-09-17 20:12:09.000000000 -0400
26888 @@ -82,7 +82,7 @@ static int cards_found;
26890 * VLB I/O addresses
26892 -static unsigned int pcnet32_portlist[] __initdata =
26893 +static unsigned int pcnet32_portlist[] __devinitdata =
26894 { 0x300, 0x320, 0x340, 0x360, 0 };
26896 static int pcnet32_debug;
26897 diff -urNp linux-2.6.35.7/drivers/net/ppp_generic.c linux-2.6.35.7/drivers/net/ppp_generic.c
26898 --- linux-2.6.35.7/drivers/net/ppp_generic.c 2010-08-26 19:47:12.000000000 -0400
26899 +++ linux-2.6.35.7/drivers/net/ppp_generic.c 2010-09-17 20:12:09.000000000 -0400
26900 @@ -992,7 +992,6 @@ ppp_net_ioctl(struct net_device *dev, st
26901 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
26902 struct ppp_stats stats;
26903 struct ppp_comp_stats cstats;
26907 case SIOCGPPPSTATS:
26908 @@ -1014,8 +1013,7 @@ ppp_net_ioctl(struct net_device *dev, st
26912 - vers = PPP_VERSION;
26913 - if (copy_to_user(addr, vers, strlen(vers) + 1))
26914 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
26918 diff -urNp linux-2.6.35.7/drivers/net/tg3.c linux-2.6.35.7/drivers/net/tg3.c
26919 --- linux-2.6.35.7/drivers/net/tg3.c 2010-08-26 19:47:12.000000000 -0400
26920 +++ linux-2.6.35.7/drivers/net/tg3.c 2010-09-17 20:12:09.000000000 -0400
26921 @@ -12410,7 +12410,7 @@ static void __devinit tg3_read_vpd(struc
26922 cnt = pci_read_vpd(tp->pdev, pos,
26923 TG3_NVM_VPD_LEN - pos,
26925 - if (cnt == -ETIMEDOUT || -EINTR)
26926 + if (cnt == -ETIMEDOUT || cnt == -EINTR)
26929 goto out_not_found;
26930 diff -urNp linux-2.6.35.7/drivers/net/tg3.h linux-2.6.35.7/drivers/net/tg3.h
26931 --- linux-2.6.35.7/drivers/net/tg3.h 2010-08-26 19:47:12.000000000 -0400
26932 +++ linux-2.6.35.7/drivers/net/tg3.h 2010-09-17 20:12:09.000000000 -0400
26933 @@ -130,6 +130,7 @@
26934 #define CHIPREV_ID_5750_A0 0x4000
26935 #define CHIPREV_ID_5750_A1 0x4001
26936 #define CHIPREV_ID_5750_A3 0x4003
26937 +#define CHIPREV_ID_5750_C1 0x4201
26938 #define CHIPREV_ID_5750_C2 0x4202
26939 #define CHIPREV_ID_5752_A0_HW 0x5000
26940 #define CHIPREV_ID_5752_A0 0x6000
26941 diff -urNp linux-2.6.35.7/drivers/net/tulip/de4x5.c linux-2.6.35.7/drivers/net/tulip/de4x5.c
26942 --- linux-2.6.35.7/drivers/net/tulip/de4x5.c 2010-08-26 19:47:12.000000000 -0400
26943 +++ linux-2.6.35.7/drivers/net/tulip/de4x5.c 2010-09-17 20:12:37.000000000 -0400
26944 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
26945 for (i=0; i<ETH_ALEN; i++) {
26946 tmp.addr[i] = dev->dev_addr[i];
26948 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26949 + if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26952 case DE4X5_SET_HWADDR: /* Set the hardware address */
26953 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
26954 spin_lock_irqsave(&lp->lock, flags);
26955 memcpy(&statbuf, &lp->pktStats, ioc->len);
26956 spin_unlock_irqrestore(&lp->lock, flags);
26957 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
26958 + if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
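Review bot: The added `ioc->len > sizeof(statbuf)` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)`, so it cannot protect the copy into the stack buffer, which uses the same length. If `ioc->len` is assigned from `sizeof(statbuf)` just above the hunk, the test is dead code; if it is still the caller-supplied value, the out-of-bounds write has already happened under the spinlock by the time the test is reached. The bound belongs ahead of the lock, e.g. `if (ioc->len > sizeof(statbuf)) return -EFAULT;` before `spin_lock_irqsave(&lp->lock, flags);`. The enclosing case block of de4x5_ioctl starts and ends outside the hunk.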
26962 @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
26963 tmp.lval[6] = inl(DE4X5_STRR); j+=4;
26964 tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
26966 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26967 + if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
26970 #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
26971 diff -urNp linux-2.6.35.7/drivers/net/usb/hso.c linux-2.6.35.7/drivers/net/usb/hso.c
26972 --- linux-2.6.35.7/drivers/net/usb/hso.c 2010-09-26 17:32:11.000000000 -0400
26973 +++ linux-2.6.35.7/drivers/net/usb/hso.c 2010-09-26 17:32:46.000000000 -0400
26974 @@ -258,7 +258,7 @@ struct hso_serial {
26976 /* from usb_serial_port */
26977 struct tty_struct *tty;
26979 + atomic_t open_count;
26980 spinlock_t serial_lock;
26982 int (*write_data) (struct hso_serial *serial);
26983 @@ -1201,7 +1201,7 @@ static void put_rxbuf_data_and_resubmit_
26986 urb = serial->rx_urb[0];
26987 - if (serial->open_count > 0) {
26988 + if (atomic_read(&serial->open_count) > 0) {
26989 count = put_rxbuf_data(urb, serial);
26992 @@ -1237,7 +1237,7 @@ static void hso_std_serial_read_bulk_cal
26993 DUMP1(urb->transfer_buffer, urb->actual_length);
26995 /* Anyone listening? */
26996 - if (serial->open_count == 0)
26997 + if (atomic_read(&serial->open_count) == 0)
27001 @@ -1332,8 +1332,7 @@ static int hso_serial_open(struct tty_st
27002 spin_unlock_irq(&serial->serial_lock);
27004 /* check for port already opened, if not set the termios */
27005 - serial->open_count++;
27006 - if (serial->open_count == 1) {
27007 + if (atomic_inc_return(&serial->open_count) == 1) {
27008 serial->rx_state = RX_IDLE;
27009 /* Force default termio settings */
27010 _hso_serial_set_termios(tty, NULL);
27011 @@ -1345,7 +1344,7 @@ static int hso_serial_open(struct tty_st
27012 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
27014 hso_stop_serial_device(serial->parent);
27015 - serial->open_count--;
27016 + atomic_dec(&serial->open_count);
27017 kref_put(&serial->parent->ref, hso_serial_ref_free);
27020 @@ -1382,10 +1381,10 @@ static void hso_serial_close(struct tty_
27022 /* reset the rts and dtr */
27023 /* do the actual close */
27024 - serial->open_count--;
27025 + atomic_dec(&serial->open_count);
27027 - if (serial->open_count <= 0) {
27028 - serial->open_count = 0;
27029 + if (atomic_read(&serial->open_count) <= 0) {
27030 + atomic_set(&serial->open_count, 0);
27031 spin_lock_irq(&serial->serial_lock);
27032 if (serial->tty == tty) {
27033 serial->tty->driver_data = NULL;
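Review bot: In hso_serial_close the decrement and the test are still two separate steps, `atomic_dec()` followed by `atomic_read()`, so two concurrent closers can both observe a value at or below zero and both run the teardown branch. The open path in the earlier hunk already uses the combined form, and `if (atomic_dec_return(&serial->open_count) <= 0) {` would do the same here, deciding on the value this caller produced. The `atomic_set(&serial->open_count, 0)` clamp that follows can also overwrite an increment from a racing open, unless a lock taken outside the hunk serialises open and close. The function body starts and ends outside the hunk.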
27034 @@ -1467,7 +1466,7 @@ static void hso_serial_set_termios(struc
27036 /* the actual setup */
27037 spin_lock_irqsave(&serial->serial_lock, flags);
27038 - if (serial->open_count)
27039 + if (atomic_read(&serial->open_count))
27040 _hso_serial_set_termios(tty, old);
27042 tty->termios = old;
27043 @@ -1653,10 +1652,11 @@ static int hso_get_count(struct hso_seri
27044 struct uart_icount cnow;
27045 struct hso_tiocmget *tiocmget = serial->tiocmget;
27047 - memset(&icount, 0, sizeof(struct serial_icounter_struct));
27052 + memset(&icount, 0, sizeof(icount));
27054 spin_lock_irq(&serial->serial_lock);
27055 memcpy(&cnow, &tiocmget->icount, sizeof(struct uart_icount));
27056 spin_unlock_irq(&serial->serial_lock);
27057 @@ -1931,7 +1931,7 @@ static void intr_callback(struct urb *ur
27058 D1("Pending read interrupt on port %d\n", i);
27059 spin_lock(&serial->serial_lock);
27060 if (serial->rx_state == RX_IDLE &&
27061 - serial->open_count > 0) {
27062 + atomic_read(&serial->open_count) > 0) {
27063 /* Setup and send a ctrl req read on
27065 if (!serial->rx_urb_filled[0]) {
27066 @@ -3121,7 +3121,7 @@ static int hso_resume(struct usb_interfa
27067 /* Start all serial ports */
27068 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
27069 if (serial_table[i] && (serial_table[i]->interface == iface)) {
27070 - if (dev2ser(serial_table[i])->open_count) {
27071 + if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
27073 hso_start_serial_device(serial_table[i], GFP_NOIO);
27074 hso_kick_transmit(dev2ser(serial_table[i]));
27075 diff -urNp linux-2.6.35.7/drivers/net/wireless/b43/debugfs.c linux-2.6.35.7/drivers/net/wireless/b43/debugfs.c
27076 --- linux-2.6.35.7/drivers/net/wireless/b43/debugfs.c 2010-08-26 19:47:12.000000000 -0400
27077 +++ linux-2.6.35.7/drivers/net/wireless/b43/debugfs.c 2010-09-17 20:12:09.000000000 -0400
27078 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
27079 struct b43_debugfs_fops {
27080 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
27081 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
27082 - struct file_operations fops;
27083 + const struct file_operations fops;
27084 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
27085 size_t file_struct_offset;
27087 diff -urNp linux-2.6.35.7/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.35.7/drivers/net/wireless/b43legacy/debugfs.c
27088 --- linux-2.6.35.7/drivers/net/wireless/b43legacy/debugfs.c 2010-08-26 19:47:12.000000000 -0400
27089 +++ linux-2.6.35.7/drivers/net/wireless/b43legacy/debugfs.c 2010-09-17 20:12:09.000000000 -0400
27090 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
27091 struct b43legacy_debugfs_fops {
27092 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
27093 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
27094 - struct file_operations fops;
27095 + const struct file_operations fops;
27096 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
27097 size_t file_struct_offset;
27098 /* Take wl->irq_lock before calling read/write? */
27099 diff -urNp linux-2.6.35.7/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.35.7/drivers/net/wireless/iwlwifi/iwl-debug.h
27100 --- linux-2.6.35.7/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-08-26 19:47:12.000000000 -0400
27101 +++ linux-2.6.35.7/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-09-17 20:12:09.000000000 -0400
27102 @@ -68,8 +68,8 @@ do {
27106 -#define IWL_DEBUG(__priv, level, fmt, args...)
27107 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
27108 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
27109 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
27110 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
27113 diff -urNp linux-2.6.35.7/drivers/net/wireless/libertas/debugfs.c linux-2.6.35.7/drivers/net/wireless/libertas/debugfs.c
27114 --- linux-2.6.35.7/drivers/net/wireless/libertas/debugfs.c 2010-08-26 19:47:12.000000000 -0400
27115 +++ linux-2.6.35.7/drivers/net/wireless/libertas/debugfs.c 2010-09-17 20:12:09.000000000 -0400
27116 @@ -718,7 +718,7 @@ out_unlock:
27117 struct lbs_debugfs_files {
27120 - struct file_operations fops;
27121 + const struct file_operations fops;
27124 static const struct lbs_debugfs_files debugfs_files[] = {
27125 diff -urNp linux-2.6.35.7/drivers/net/wireless/rndis_wlan.c linux-2.6.35.7/drivers/net/wireless/rndis_wlan.c
27126 --- linux-2.6.35.7/drivers/net/wireless/rndis_wlan.c 2010-08-26 19:47:12.000000000 -0400
27127 +++ linux-2.6.35.7/drivers/net/wireless/rndis_wlan.c 2010-09-17 20:12:09.000000000 -0400
27128 @@ -1235,7 +1235,7 @@ static int set_rts_threshold(struct usbn
27130 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
27132 - if (rts_threshold < 0 || rts_threshold > 2347)
27133 + if (rts_threshold > 2347)
27134 rts_threshold = 2347;
27136 tmp = cpu_to_le32(rts_threshold);
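Review bot: Dropping the `rts_threshold < 0` arm is only safe if the parameter is unsigned, which the hunk does not show (the signature is truncated in the hunk header) and which the `%i` in the `netdev_dbg` call above argues against. With a signed parameter, a negative value would now pass the clamp and reach `cpu_to_le32()` unchanged. If it is unsigned, a one-line comment such as `/* rts_threshold is unsigned: anything out of range, including a wrapped negative, clamps to 2347 */` would record why the arm went away, and the debug format would better be `%u`.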
27137 diff -urNp linux-2.6.35.7/drivers/oprofile/buffer_sync.c linux-2.6.35.7/drivers/oprofile/buffer_sync.c
27138 --- linux-2.6.35.7/drivers/oprofile/buffer_sync.c 2010-09-20 17:33:09.000000000 -0400
27139 +++ linux-2.6.35.7/drivers/oprofile/buffer_sync.c 2010-09-20 17:33:32.000000000 -0400
27140 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
27141 if (cookie == NO_COOKIE)
27143 if (cookie == INVALID_COOKIE) {
27144 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
27145 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
27148 if (cookie != last_cookie) {
27149 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
27150 /* add userspace sample */
27153 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
27154 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
27158 cookie = lookup_dcookie(mm, s->eip, &offset);
27160 if (cookie == INVALID_COOKIE) {
27161 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
27162 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
27166 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
27167 /* ignore backtraces if failed to add a sample */
27168 if (state == sb_bt_start) {
27169 state = sb_bt_ignore;
27170 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
27171 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
27175 diff -urNp linux-2.6.35.7/drivers/oprofile/event_buffer.c linux-2.6.35.7/drivers/oprofile/event_buffer.c
27176 --- linux-2.6.35.7/drivers/oprofile/event_buffer.c 2010-08-26 19:47:12.000000000 -0400
27177 +++ linux-2.6.35.7/drivers/oprofile/event_buffer.c 2010-09-17 20:12:09.000000000 -0400
27178 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
27181 if (buffer_pos == buffer_size) {
27182 - atomic_inc(&oprofile_stats.event_lost_overflow);
27183 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
27187 diff -urNp linux-2.6.35.7/drivers/oprofile/oprof.c linux-2.6.35.7/drivers/oprofile/oprof.c
27188 --- linux-2.6.35.7/drivers/oprofile/oprof.c 2010-08-26 19:47:12.000000000 -0400
27189 +++ linux-2.6.35.7/drivers/oprofile/oprof.c 2010-09-17 20:12:09.000000000 -0400
27190 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
27191 if (oprofile_ops.switch_events())
27194 - atomic_inc(&oprofile_stats.multiplex_counter);
27195 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
27196 start_switch_worker();
27199 diff -urNp linux-2.6.35.7/drivers/oprofile/oprofilefs.c linux-2.6.35.7/drivers/oprofile/oprofilefs.c
27200 --- linux-2.6.35.7/drivers/oprofile/oprofilefs.c 2010-08-26 19:47:12.000000000 -0400
27201 +++ linux-2.6.35.7/drivers/oprofile/oprofilefs.c 2010-09-17 20:12:09.000000000 -0400
27202 @@ -187,7 +187,7 @@ static const struct file_operations atom
27205 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
27206 - char const *name, atomic_t *val)
27207 + char const *name, atomic_unchecked_t *val)
27209 struct dentry *d = __oprofilefs_create_file(sb, root, name,
27210 &atomic_ro_fops, 0444);
27211 diff -urNp linux-2.6.35.7/drivers/oprofile/oprofile_stats.c linux-2.6.35.7/drivers/oprofile/oprofile_stats.c
27212 --- linux-2.6.35.7/drivers/oprofile/oprofile_stats.c 2010-08-26 19:47:12.000000000 -0400
27213 +++ linux-2.6.35.7/drivers/oprofile/oprofile_stats.c 2010-09-17 20:12:09.000000000 -0400
27214 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
27215 cpu_buf->sample_invalid_eip = 0;
27218 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
27219 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
27220 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
27221 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
27222 - atomic_set(&oprofile_stats.multiplex_counter, 0);
27223 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
27224 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
27225 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
27226 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
27227 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
27231 diff -urNp linux-2.6.35.7/drivers/oprofile/oprofile_stats.h linux-2.6.35.7/drivers/oprofile/oprofile_stats.h
27232 --- linux-2.6.35.7/drivers/oprofile/oprofile_stats.h 2010-08-26 19:47:12.000000000 -0400
27233 +++ linux-2.6.35.7/drivers/oprofile/oprofile_stats.h 2010-09-17 20:12:09.000000000 -0400
27234 @@ -13,11 +13,11 @@
27235 #include <asm/atomic.h>
27237 struct oprofile_stat_struct {
27238 - atomic_t sample_lost_no_mm;
27239 - atomic_t sample_lost_no_mapping;
27240 - atomic_t bt_lost_no_mapping;
27241 - atomic_t event_lost_overflow;
27242 - atomic_t multiplex_counter;
27243 + atomic_unchecked_t sample_lost_no_mm;
27244 + atomic_unchecked_t sample_lost_no_mapping;
27245 + atomic_unchecked_t bt_lost_no_mapping;
27246 + atomic_unchecked_t event_lost_overflow;
27247 + atomic_unchecked_t multiplex_counter;
27250 extern struct oprofile_stat_struct oprofile_stats;
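Review bot: The five counters in `struct oprofile_stat_struct` become `atomic_unchecked_t` with no comment saying why they are exempt from overflow detection, which a later reader needs to know before adding a field here. The field names and the `atomic_inc_unchecked()` call sites in buffer_sync.c, event_buffer.c and oprof.c suggest these are loss and multiplex statistics rather than reference counts, so wraparound would be harmless. I would record that above the struct: `/* statistics only, not reference counts: wraparound is harmless, hence the _unchecked type */`. Any other caller of `oprofilefs_create_ro_atomic()` that still passes an `atomic_t *` needs the same conversion, since its parameter type changes in oprofilefs.c.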
27251 diff -urNp linux-2.6.35.7/drivers/parport/procfs.c linux-2.6.35.7/drivers/parport/procfs.c
27252 --- linux-2.6.35.7/drivers/parport/procfs.c 2010-08-26 19:47:12.000000000 -0400
27253 +++ linux-2.6.35.7/drivers/parport/procfs.c 2010-09-17 20:12:37.000000000 -0400
27254 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
27258 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
27259 + return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
27262 #ifdef CONFIG_PARPORT_1284
27263 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
27267 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
27268 + return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
27270 #endif /* IEEE1284.3 support. */
27272 diff -urNp linux-2.6.35.7/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.35.7/drivers/pci/hotplug/acpiphp_glue.c
27273 --- linux-2.6.35.7/drivers/pci/hotplug/acpiphp_glue.c 2010-08-26 19:47:12.000000000 -0400
27274 +++ linux-2.6.35.7/drivers/pci/hotplug/acpiphp_glue.c 2010-09-17 20:12:09.000000000 -0400
27275 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
27279 -static struct acpi_dock_ops acpiphp_dock_ops = {
27280 +static const struct acpi_dock_ops acpiphp_dock_ops = {
27281 .handler = handle_hotplug_event_func,
27284 diff -urNp linux-2.6.35.7/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.35.7/drivers/pci/hotplug/cpqphp_nvram.c
27285 --- linux-2.6.35.7/drivers/pci/hotplug/cpqphp_nvram.c 2010-08-26 19:47:12.000000000 -0400
27286 +++ linux-2.6.35.7/drivers/pci/hotplug/cpqphp_nvram.c 2010-09-17 20:12:09.000000000 -0400
27287 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
27289 void compaq_nvram_init (void __iomem *rom_start)
27292 +#ifndef CONFIG_PAX_KERNEXEC
27294 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
27298 dbg("int15 entry = %p\n", compaq_int15_entry_point);
27300 /* initialize our int15 lock */
27301 diff -urNp linux-2.6.35.7/drivers/pci/intel-iommu.c linux-2.6.35.7/drivers/pci/intel-iommu.c
27302 --- linux-2.6.35.7/drivers/pci/intel-iommu.c 2010-09-26 17:32:11.000000000 -0400
27303 +++ linux-2.6.35.7/drivers/pci/intel-iommu.c 2010-09-26 17:32:46.000000000 -0400
27304 @@ -2934,7 +2934,7 @@ static int intel_mapping_error(struct de
27308 -struct dma_map_ops intel_dma_ops = {
27309 +const struct dma_map_ops intel_dma_ops = {
27310 .alloc_coherent = intel_alloc_coherent,
27311 .free_coherent = intel_free_coherent,
27312 .map_sg = intel_map_sg,
27313 diff -urNp linux-2.6.35.7/drivers/pci/pcie/portdrv_pci.c linux-2.6.35.7/drivers/pci/pcie/portdrv_pci.c
27314 --- linux-2.6.35.7/drivers/pci/pcie/portdrv_pci.c 2010-08-26 19:47:12.000000000 -0400
27315 +++ linux-2.6.35.7/drivers/pci/pcie/portdrv_pci.c 2010-09-17 20:12:09.000000000 -0400
27316 @@ -250,7 +250,7 @@ static void pcie_portdrv_err_resume(stru
27317 static const struct pci_device_id port_pci_ids[] = { {
27318 /* handle any PCI-Express port */
27319 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
27320 - }, { /* end: all zeroes */ }
27321 + }, { 0, 0, 0, 0, 0, 0, 0 }
27323 MODULE_DEVICE_TABLE(pci, port_pci_ids);
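Review bot: Replacing `{ /* end: all zeroes */ }` with `{ 0, 0, 0, 0, 0, 0, 0 }` in `port_pci_ids` ties the terminator to `struct pci_device_id` having exactly seven members, and it drops the comment that marked the entry as the sentinel. The initialised value is the same either way, so this is a point of style: keep the marker, as in `{ 0, 0, 0, 0, 0, 0, 0 } /* end: all zeroes */`. The same terminator change is made in `ene_tune_tbl` (ti113x.h) and `yenta_table` (yenta_socket.c).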
27325 diff -urNp linux-2.6.35.7/drivers/pci/probe.c linux-2.6.35.7/drivers/pci/probe.c
27326 --- linux-2.6.35.7/drivers/pci/probe.c 2010-08-26 19:47:12.000000000 -0400
27327 +++ linux-2.6.35.7/drivers/pci/probe.c 2010-09-17 20:12:09.000000000 -0400
27328 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
27332 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
27333 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
27334 struct device_attribute *attr,
27337 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
27340 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
27341 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
27342 struct device_attribute *attr,
27345 diff -urNp linux-2.6.35.7/drivers/pci/proc.c linux-2.6.35.7/drivers/pci/proc.c
27346 --- linux-2.6.35.7/drivers/pci/proc.c 2010-08-26 19:47:12.000000000 -0400
27347 +++ linux-2.6.35.7/drivers/pci/proc.c 2010-09-17 20:12:37.000000000 -0400
27348 @@ -481,7 +481,16 @@ static const struct file_operations proc
27349 static int __init pci_proc_init(void)
27351 struct pci_dev *dev = NULL;
27353 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
27354 +#ifdef CONFIG_GRKERNSEC_PROC_USER
27355 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
27356 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
27357 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27360 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27362 proc_create("devices", 0, proc_bus_pci_dir,
27363 &proc_bus_pci_dev_operations);
27364 proc_initialized = 1;
27365 diff -urNp linux-2.6.35.7/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.35.7/drivers/pcmcia/pcmcia_ioctl.c
27366 --- linux-2.6.35.7/drivers/pcmcia/pcmcia_ioctl.c 2010-08-26 19:47:12.000000000 -0400
27367 +++ linux-2.6.35.7/drivers/pcmcia/pcmcia_ioctl.c 2010-09-17 20:12:09.000000000 -0400
27368 @@ -850,7 +850,7 @@ static int ds_ioctl(struct file *file, u
27372 - buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
27373 + buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
27377 diff -urNp linux-2.6.35.7/drivers/pcmcia/ti113x.h linux-2.6.35.7/drivers/pcmcia/ti113x.h
27378 --- linux-2.6.35.7/drivers/pcmcia/ti113x.h 2010-08-26 19:47:12.000000000 -0400
27379 +++ linux-2.6.35.7/drivers/pcmcia/ti113x.h 2010-09-17 20:12:09.000000000 -0400
27380 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
27381 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27382 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27385 + { 0, 0, 0, 0, 0, 0, 0 }
27388 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27389 diff -urNp linux-2.6.35.7/drivers/pcmcia/yenta_socket.c linux-2.6.35.7/drivers/pcmcia/yenta_socket.c
27390 --- linux-2.6.35.7/drivers/pcmcia/yenta_socket.c 2010-08-26 19:47:12.000000000 -0400
27391 +++ linux-2.6.35.7/drivers/pcmcia/yenta_socket.c 2010-09-17 20:12:09.000000000 -0400
27392 @@ -1428,7 +1428,7 @@ static struct pci_device_id yenta_table[
27394 /* match any cardbus bridge */
27395 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27396 - { /* all zeroes */ }
27397 + { 0, 0, 0, 0, 0, 0, 0 }
27399 MODULE_DEVICE_TABLE(pci, yenta_table);
27401 diff -urNp linux-2.6.35.7/drivers/platform/x86/acer-wmi.c linux-2.6.35.7/drivers/platform/x86/acer-wmi.c
27402 --- linux-2.6.35.7/drivers/platform/x86/acer-wmi.c 2010-08-26 19:47:12.000000000 -0400
27403 +++ linux-2.6.35.7/drivers/platform/x86/acer-wmi.c 2010-09-17 20:12:09.000000000 -0400
27404 @@ -916,7 +916,7 @@ static int update_bl_status(struct backl
27408 -static struct backlight_ops acer_bl_ops = {
27409 +static const struct backlight_ops acer_bl_ops = {
27410 .get_brightness = read_brightness,
27411 .update_status = update_bl_status,
27413 diff -urNp linux-2.6.35.7/drivers/platform/x86/asus_acpi.c linux-2.6.35.7/drivers/platform/x86/asus_acpi.c
27414 --- linux-2.6.35.7/drivers/platform/x86/asus_acpi.c 2010-08-26 19:47:12.000000000 -0400
27415 +++ linux-2.6.35.7/drivers/platform/x86/asus_acpi.c 2010-09-17 20:12:09.000000000 -0400
27416 @@ -1464,7 +1464,7 @@ static int asus_hotk_remove(struct acpi_
27420 -static struct backlight_ops asus_backlight_data = {
27421 +static const struct backlight_ops asus_backlight_data = {
27422 .get_brightness = read_brightness,
27423 .update_status = set_brightness_status,
27425 diff -urNp linux-2.6.35.7/drivers/platform/x86/asus-laptop.c linux-2.6.35.7/drivers/platform/x86/asus-laptop.c
27426 --- linux-2.6.35.7/drivers/platform/x86/asus-laptop.c 2010-08-26 19:47:12.000000000 -0400
27427 +++ linux-2.6.35.7/drivers/platform/x86/asus-laptop.c 2010-09-17 20:12:09.000000000 -0400
27428 @@ -224,7 +224,6 @@ struct asus_laptop {
27429 struct asus_led gled;
27430 struct asus_led kled;
27431 struct workqueue_struct *led_workqueue;
27433 int wireless_status;
27436 @@ -621,7 +620,7 @@ static int update_bl_status(struct backl
27437 return asus_lcd_set(asus, value);
27440 -static struct backlight_ops asusbl_ops = {
27441 +static const struct backlight_ops asusbl_ops = {
27442 .get_brightness = asus_read_brightness,
27443 .update_status = update_bl_status,
27445 diff -urNp linux-2.6.35.7/drivers/platform/x86/compal-laptop.c linux-2.6.35.7/drivers/platform/x86/compal-laptop.c
27446 --- linux-2.6.35.7/drivers/platform/x86/compal-laptop.c 2010-08-26 19:47:12.000000000 -0400
27447 +++ linux-2.6.35.7/drivers/platform/x86/compal-laptop.c 2010-09-17 20:12:09.000000000 -0400
27448 @@ -168,7 +168,7 @@ static int bl_update_status(struct backl
27449 return set_lcd_level(b->props.brightness);
27452 -static struct backlight_ops compalbl_ops = {
27453 +static const struct backlight_ops compalbl_ops = {
27454 .get_brightness = bl_get_brightness,
27455 .update_status = bl_update_status,
27457 diff -urNp linux-2.6.35.7/drivers/platform/x86/dell-laptop.c linux-2.6.35.7/drivers/platform/x86/dell-laptop.c
27458 --- linux-2.6.35.7/drivers/platform/x86/dell-laptop.c 2010-08-26 19:47:12.000000000 -0400
27459 +++ linux-2.6.35.7/drivers/platform/x86/dell-laptop.c 2010-09-17 20:12:09.000000000 -0400
27460 @@ -469,7 +469,7 @@ out:
27461 return buffer->output[1];
27464 -static struct backlight_ops dell_ops = {
27465 +static const struct backlight_ops dell_ops = {
27466 .get_brightness = dell_get_intensity,
27467 .update_status = dell_send_intensity,
27469 diff -urNp linux-2.6.35.7/drivers/platform/x86/eeepc-laptop.c linux-2.6.35.7/drivers/platform/x86/eeepc-laptop.c
27470 --- linux-2.6.35.7/drivers/platform/x86/eeepc-laptop.c 2010-08-26 19:47:12.000000000 -0400
27471 +++ linux-2.6.35.7/drivers/platform/x86/eeepc-laptop.c 2010-09-17 20:12:09.000000000 -0400
27472 @@ -1114,7 +1114,7 @@ static int update_bl_status(struct backl
27473 return set_brightness(bd, bd->props.brightness);
27476 -static struct backlight_ops eeepcbl_ops = {
27477 +static const struct backlight_ops eeepcbl_ops = {
27478 .get_brightness = read_brightness,
27479 .update_status = update_bl_status,
27481 diff -urNp linux-2.6.35.7/drivers/platform/x86/fujitsu-laptop.c linux-2.6.35.7/drivers/platform/x86/fujitsu-laptop.c
27482 --- linux-2.6.35.7/drivers/platform/x86/fujitsu-laptop.c 2010-08-26 19:47:12.000000000 -0400
27483 +++ linux-2.6.35.7/drivers/platform/x86/fujitsu-laptop.c 2010-09-17 20:12:09.000000000 -0400
27484 @@ -437,7 +437,7 @@ static int bl_update_status(struct backl
27488 -static struct backlight_ops fujitsubl_ops = {
27489 +static const struct backlight_ops fujitsubl_ops = {
27490 .get_brightness = bl_get_brightness,
27491 .update_status = bl_update_status,
27493 diff -urNp linux-2.6.35.7/drivers/platform/x86/sony-laptop.c linux-2.6.35.7/drivers/platform/x86/sony-laptop.c
27494 --- linux-2.6.35.7/drivers/platform/x86/sony-laptop.c 2010-08-26 19:47:12.000000000 -0400
27495 +++ linux-2.6.35.7/drivers/platform/x86/sony-laptop.c 2010-09-17 20:12:09.000000000 -0400
27496 @@ -857,7 +857,7 @@ static int sony_backlight_get_brightness
27499 static struct backlight_device *sony_backlight_device;
27500 -static struct backlight_ops sony_backlight_ops = {
27501 +static const struct backlight_ops sony_backlight_ops = {
27502 .update_status = sony_backlight_update_status,
27503 .get_brightness = sony_backlight_get_brightness,
27505 diff -urNp linux-2.6.35.7/drivers/platform/x86/thinkpad_acpi.c linux-2.6.35.7/drivers/platform/x86/thinkpad_acpi.c
27506 --- linux-2.6.35.7/drivers/platform/x86/thinkpad_acpi.c 2010-08-26 19:47:12.000000000 -0400
27507 +++ linux-2.6.35.7/drivers/platform/x86/thinkpad_acpi.c 2010-09-17 20:12:09.000000000 -0400
27508 @@ -6142,7 +6142,7 @@ static void tpacpi_brightness_notify_cha
27509 BACKLIGHT_UPDATE_HOTKEY);
27512 -static struct backlight_ops ibm_backlight_data = {
27513 +static const struct backlight_ops ibm_backlight_data = {
27514 .get_brightness = brightness_get,
27515 .update_status = brightness_update_status,
27517 diff -urNp linux-2.6.35.7/drivers/platform/x86/toshiba_acpi.c linux-2.6.35.7/drivers/platform/x86/toshiba_acpi.c
27518 --- linux-2.6.35.7/drivers/platform/x86/toshiba_acpi.c 2010-08-26 19:47:12.000000000 -0400
27519 +++ linux-2.6.35.7/drivers/platform/x86/toshiba_acpi.c 2010-09-17 20:12:09.000000000 -0400
27520 @@ -741,7 +741,7 @@ static acpi_status remove_device(void)
27524 -static struct backlight_ops toshiba_backlight_data = {
27525 +static const struct backlight_ops toshiba_backlight_data = {
27526 .get_brightness = get_lcd,
27527 .update_status = set_lcd_status,
27529 diff -urNp linux-2.6.35.7/drivers/pnp/pnpbios/bioscalls.c linux-2.6.35.7/drivers/pnp/pnpbios/bioscalls.c
27530 --- linux-2.6.35.7/drivers/pnp/pnpbios/bioscalls.c 2010-08-26 19:47:12.000000000 -0400
27531 +++ linux-2.6.35.7/drivers/pnp/pnpbios/bioscalls.c 2010-09-17 20:12:09.000000000 -0400
27532 @@ -59,7 +59,7 @@ do { \
27533 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27536 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27537 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27538 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
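Review bot: The flags word passed to `GDT_ENTRY_INIT` changes from `0x4092` to `0x4093` with no comment, and the reason is not obvious next to the `const` added on the same line. Bit 0 of the access byte is the x86 "accessed" flag, so this presumably pre-sets it so the CPU never has to write the flag back into a descriptor table that is kept read-only. That is inferred from the `pax_open_kernel()` calls added further down in this file, not stated by the hunk. I would add a comment above the definition, e.g. `/* 0x93: accessed bit pre-set so loading the segment never writes to the read-only GDT */`.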
27541 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27544 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27546 + pax_open_kernel();
27547 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27548 + pax_close_kernel();
27550 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27551 spin_lock_irqsave(&pnp_bios_lock, flags);
27552 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27554 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27556 + pax_open_kernel();
27557 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27558 + pax_close_kernel();
27562 /* If we get here and this is set then the PnP BIOS faulted on us. */
27563 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27567 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27568 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27572 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27573 pnp_bios_callpoint.offset = header->fields.pm16offset;
27574 pnp_bios_callpoint.segment = PNP_CS16;
27576 + pax_open_kernel();
27578 for_each_possible_cpu(i) {
27579 struct desc_struct *gdt = get_cpu_gdt_table(i);
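Review bot: `pax_open_kernel()` is taken before the `for_each_possible_cpu` loop and is only released by the `pax_close_kernel()` added in the next hunk, so the kernel-write window covers the whole loop, not just the descriptor stores. The lines between the two hunks are not shown, so it cannot be confirmed here that no path leaves the function with the window still open. The body of pnpbios_calls_init also starts before and ends after these hunks. A comment at the open call would make the pairing explicit, e.g. `/* GDT is read-only: opened for the per-CPU PnP BIOS descriptor setup, closed right after the loop */`.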
27581 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27582 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27583 (unsigned long)__va(header->fields.pm16dseg));
27586 + pax_close_kernel();
27588 diff -urNp linux-2.6.35.7/drivers/pnp/quirks.c linux-2.6.35.7/drivers/pnp/quirks.c
27589 --- linux-2.6.35.7/drivers/pnp/quirks.c 2010-08-26 19:47:12.000000000 -0400
27590 +++ linux-2.6.35.7/drivers/pnp/quirks.c 2010-09-17 20:12:09.000000000 -0400
27591 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27592 /* PnP resources that might overlap PCI BARs */
27593 {"PNP0c01", quirk_system_pci_resources},
27594 {"PNP0c02", quirk_system_pci_resources},
27599 void pnp_fixup_device(struct pnp_dev *dev)
27600 diff -urNp linux-2.6.35.7/drivers/pnp/resource.c linux-2.6.35.7/drivers/pnp/resource.c
27601 --- linux-2.6.35.7/drivers/pnp/resource.c 2010-08-26 19:47:12.000000000 -0400
27602 +++ linux-2.6.35.7/drivers/pnp/resource.c 2010-09-17 20:12:09.000000000 -0400
27603 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27606 /* check if the resource is valid */
27607 - if (*irq < 0 || *irq > 15)
27611 /* check if the resource is reserved */
27612 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27615 /* check if the resource is valid */
27616 - if (*dma < 0 || *dma == 4 || *dma > 7)
27617 + if (*dma == 4 || *dma > 7)
27620 /* check if the resource is reserved */
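Review bot: Dropping `*dma < 0` only preserves behaviour if `*dma` has an unsigned type, and its declaration lies outside the hunk. If it is unsigned, the old test was dead code and `if (*dma == 4 || *dma > 7)` is equivalent; if it were signed, a negative value would now pass the validity check. The same assumption sits behind the `*irq < 0` removal in the pnp_check_irq hunk just above (its replacement line is not shown on this page) and the `index < 0` removal in cxacru_sysfs_store_adsl_config in drivers/usb/atm/cxacru.c, where `index` is filled from a sysfs write via `sscanf` with `%x`. A short comment such as `/* *dma is unsigned, so only the upper bound needs checking */` would record it at each site.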
27621 diff -urNp linux-2.6.35.7/drivers/s390/cio/qdio_debug.c linux-2.6.35.7/drivers/s390/cio/qdio_debug.c
27622 --- linux-2.6.35.7/drivers/s390/cio/qdio_debug.c 2010-08-26 19:47:12.000000000 -0400
27623 +++ linux-2.6.35.7/drivers/s390/cio/qdio_debug.c 2010-09-17 20:12:09.000000000 -0400
27624 @@ -233,7 +233,7 @@ static int qperf_seq_open(struct inode *
27625 filp->f_path.dentry->d_inode->i_private);
27628 -static struct file_operations debugfs_perf_fops = {
27629 +static const struct file_operations debugfs_perf_fops = {
27630 .owner = THIS_MODULE,
27631 .open = qperf_seq_open,
27633 diff -urNp linux-2.6.35.7/drivers/scsi/ipr.c linux-2.6.35.7/drivers/scsi/ipr.c
27634 --- linux-2.6.35.7/drivers/scsi/ipr.c 2010-08-26 19:47:12.000000000 -0400
27635 +++ linux-2.6.35.7/drivers/scsi/ipr.c 2010-09-17 20:12:09.000000000 -0400
27636 @@ -6091,7 +6091,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
27640 -static struct ata_port_operations ipr_sata_ops = {
27641 +static const struct ata_port_operations ipr_sata_ops = {
27642 .phy_reset = ipr_ata_phy_reset,
27643 .hardreset = ipr_sata_reset,
27644 .post_internal_cmd = ipr_ata_post_internal,
27645 diff -urNp linux-2.6.35.7/drivers/scsi/libfc/fc_exch.c linux-2.6.35.7/drivers/scsi/libfc/fc_exch.c
27646 --- linux-2.6.35.7/drivers/scsi/libfc/fc_exch.c 2010-08-26 19:47:12.000000000 -0400
27647 +++ linux-2.6.35.7/drivers/scsi/libfc/fc_exch.c 2010-09-17 20:12:09.000000000 -0400
27648 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
27649 * all together if not used XXX
27652 - atomic_t no_free_exch;
27653 - atomic_t no_free_exch_xid;
27654 - atomic_t xid_not_found;
27655 - atomic_t xid_busy;
27656 - atomic_t seq_not_found;
27657 - atomic_t non_bls_resp;
27658 + atomic_unchecked_t no_free_exch;
27659 + atomic_unchecked_t no_free_exch_xid;
27660 + atomic_unchecked_t xid_not_found;
27661 + atomic_unchecked_t xid_busy;
27662 + atomic_unchecked_t seq_not_found;
27663 + atomic_unchecked_t non_bls_resp;
27666 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
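Review bot: The six counters switch to `atomic_unchecked_t` with no comment saying why they are exempt from overflow checking. Judging by the field names and the existing "if not used" remark above them, they look like pure statistics, but the hunk does not say so; a line such as `/* statistics only: may wrap, never used for object lifetime */` would make the opt-out reviewable. The increment sites in the following hunks are all converted to `atomic_inc_unchecked`. Any reader of these fields outside the shown hunks (for example an `atomic_read`) would need the `_unchecked` variant too, which cannot be verified from this diff.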
27667 @@ -671,7 +671,7 @@ static struct fc_exch *fc_exch_em_alloc(
27668 /* allocate memory for exchange */
27669 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27671 - atomic_inc(&mp->stats.no_free_exch);
27672 + atomic_inc_unchecked(&mp->stats.no_free_exch);
27675 memset(ep, 0, sizeof(*ep));
27676 @@ -719,7 +719,7 @@ out:
27679 spin_unlock_bh(&pool->lock);
27680 - atomic_inc(&mp->stats.no_free_exch_xid);
27681 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27682 mempool_free(ep, mp->ep_pool);
27685 @@ -864,7 +864,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27686 xid = ntohs(fh->fh_ox_id); /* we originated exch */
27687 ep = fc_exch_find(mp, xid);
27689 - atomic_inc(&mp->stats.xid_not_found);
27690 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27691 reject = FC_RJT_OX_ID;
27694 @@ -894,7 +894,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27695 ep = fc_exch_find(mp, xid);
27696 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27698 - atomic_inc(&mp->stats.xid_busy);
27699 + atomic_inc_unchecked(&mp->stats.xid_busy);
27700 reject = FC_RJT_RX_ID;
27703 @@ -905,7 +905,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27705 xid = ep->xid; /* get our XID */
27707 - atomic_inc(&mp->stats.xid_not_found);
27708 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27709 reject = FC_RJT_RX_ID; /* XID not found */
27712 @@ -922,7 +922,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27715 if (sp->id != fh->fh_seq_id) {
27716 - atomic_inc(&mp->stats.seq_not_found);
27717 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27718 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27721 @@ -1303,22 +1303,22 @@ static void fc_exch_recv_seq_resp(struct
27723 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27725 - atomic_inc(&mp->stats.xid_not_found);
27726 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27729 if (ep->esb_stat & ESB_ST_COMPLETE) {
27730 - atomic_inc(&mp->stats.xid_not_found);
27731 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27734 if (ep->rxid == FC_XID_UNKNOWN)
27735 ep->rxid = ntohs(fh->fh_rx_id);
27736 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27737 - atomic_inc(&mp->stats.xid_not_found);
27738 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27741 if (ep->did != ntoh24(fh->fh_s_id) &&
27742 ep->did != FC_FID_FLOGI) {
27743 - atomic_inc(&mp->stats.xid_not_found);
27744 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27748 @@ -1327,7 +1327,7 @@ static void fc_exch_recv_seq_resp(struct
27749 sp->ssb_stat |= SSB_ST_RESP;
27750 sp->id = fh->fh_seq_id;
27751 } else if (sp->id != fh->fh_seq_id) {
27752 - atomic_inc(&mp->stats.seq_not_found);
27753 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27757 @@ -1390,9 +1390,9 @@ static void fc_exch_recv_resp(struct fc_
27758 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
27761 - atomic_inc(&mp->stats.xid_not_found);
27762 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27764 - atomic_inc(&mp->stats.non_bls_resp);
27765 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
27769 diff -urNp linux-2.6.35.7/drivers/scsi/libsas/sas_ata.c linux-2.6.35.7/drivers/scsi/libsas/sas_ata.c
27770 --- linux-2.6.35.7/drivers/scsi/libsas/sas_ata.c 2010-08-26 19:47:12.000000000 -0400
27771 +++ linux-2.6.35.7/drivers/scsi/libsas/sas_ata.c 2010-09-17 20:12:09.000000000 -0400
27772 @@ -344,7 +344,7 @@ static int sas_ata_scr_read(struct ata_l
27776 -static struct ata_port_operations sas_sata_ops = {
27777 +static const struct ata_port_operations sas_sata_ops = {
27778 .phy_reset = sas_ata_phy_reset,
27779 .post_internal_cmd = sas_ata_post_internal,
27780 .qc_prep = ata_noop_qc_prep,
27781 diff -urNp linux-2.6.35.7/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.35.7/drivers/scsi/mpt2sas/mpt2sas_debug.h
27782 --- linux-2.6.35.7/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-08-26 19:47:12.000000000 -0400
27783 +++ linux-2.6.35.7/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-09-17 20:12:09.000000000 -0400
27788 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
27789 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
27790 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
27793 diff -urNp linux-2.6.35.7/drivers/scsi/qla2xxx/qla_os.c linux-2.6.35.7/drivers/scsi/qla2xxx/qla_os.c
27794 --- linux-2.6.35.7/drivers/scsi/qla2xxx/qla_os.c 2010-08-26 19:47:12.000000000 -0400
27795 +++ linux-2.6.35.7/drivers/scsi/qla2xxx/qla_os.c 2010-09-17 20:12:09.000000000 -0400
27796 @@ -3899,7 +3899,7 @@ static struct pci_driver qla2xxx_pci_dri
27797 .err_handler = &qla2xxx_err_handler,
27800 -static struct file_operations apidev_fops = {
27801 +static const struct file_operations apidev_fops = {
27802 .owner = THIS_MODULE,
27805 diff -urNp linux-2.6.35.7/drivers/scsi/scsi_logging.h linux-2.6.35.7/drivers/scsi/scsi_logging.h
27806 --- linux-2.6.35.7/drivers/scsi/scsi_logging.h 2010-08-26 19:47:12.000000000 -0400
27807 +++ linux-2.6.35.7/drivers/scsi/scsi_logging.h 2010-09-17 20:12:09.000000000 -0400
27808 @@ -51,7 +51,7 @@ do { \
27812 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
27813 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
27814 #endif /* CONFIG_SCSI_LOGGING */
27817 diff -urNp linux-2.6.35.7/drivers/scsi/sg.c linux-2.6.35.7/drivers/scsi/sg.c
27818 --- linux-2.6.35.7/drivers/scsi/sg.c 2010-08-26 19:47:12.000000000 -0400
27819 +++ linux-2.6.35.7/drivers/scsi/sg.c 2010-09-17 20:12:09.000000000 -0400
27820 @@ -2302,7 +2302,7 @@ struct sg_proc_leaf {
27821 const struct file_operations * fops;
27824 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
27825 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
27826 {"allow_dio", &adio_fops},
27827 {"debug", &debug_fops},
27828 {"def_reserved_size", &dressz_fops},
27829 @@ -2317,7 +2317,7 @@ sg_proc_init(void)
27832 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
27833 - struct sg_proc_leaf * leaf;
27834 + const struct sg_proc_leaf * leaf;
27836 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
27838 diff -urNp linux-2.6.35.7/drivers/serial/8250_pci.c linux-2.6.35.7/drivers/serial/8250_pci.c
27839 --- linux-2.6.35.7/drivers/serial/8250_pci.c 2010-08-26 19:47:12.000000000 -0400
27840 +++ linux-2.6.35.7/drivers/serial/8250_pci.c 2010-09-17 20:12:09.000000000 -0400
27841 @@ -3777,7 +3777,7 @@ static struct pci_device_id serial_pci_t
27842 PCI_ANY_ID, PCI_ANY_ID,
27843 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
27844 0xffff00, pbn_default },
27846 + { 0, 0, 0, 0, 0, 0, 0 }
27849 static struct pci_driver serial_pci_driver = {
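Review bot: The added table terminator `{ 0, 0, 0, 0, 0, 0, 0 }` spells out one zero per member of `struct pci_device_id`, which ties this line to the current field count of a structure defined elsewhere. An empty initializer, `{ }`, zeroes every member regardless of layout and reads more clearly as a sentinel. If the positional form is there to silence a missing-initializer warning, a trailing comment `/* terminating entry */` would at least say what the row is.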
27850 diff -urNp linux-2.6.35.7/drivers/serial/kgdboc.c linux-2.6.35.7/drivers/serial/kgdboc.c
27851 --- linux-2.6.35.7/drivers/serial/kgdboc.c 2010-08-26 19:47:12.000000000 -0400
27852 +++ linux-2.6.35.7/drivers/serial/kgdboc.c 2010-09-17 20:12:09.000000000 -0400
27855 #define MAX_CONFIG_LEN 40
27857 -static struct kgdb_io kgdboc_io_ops;
27858 +static struct kgdb_io kgdboc_io_ops;
27860 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
27861 static int configured = -1;
27862 diff -urNp linux-2.6.35.7/drivers/staging/comedi/comedi_fops.c linux-2.6.35.7/drivers/staging/comedi/comedi_fops.c
27863 --- linux-2.6.35.7/drivers/staging/comedi/comedi_fops.c 2010-08-26 19:47:12.000000000 -0400
27864 +++ linux-2.6.35.7/drivers/staging/comedi/comedi_fops.c 2010-09-17 20:12:09.000000000 -0400
27865 @@ -1425,7 +1425,7 @@ static void comedi_unmap(struct vm_area_
27866 mutex_unlock(&dev->mutex);
27869 -static struct vm_operations_struct comedi_vm_ops = {
27870 +static const struct vm_operations_struct comedi_vm_ops = {
27871 .close = comedi_unmap,
27874 diff -urNp linux-2.6.35.7/drivers/staging/dream/pmem.c linux-2.6.35.7/drivers/staging/dream/pmem.c
27875 --- linux-2.6.35.7/drivers/staging/dream/pmem.c 2010-08-26 19:47:12.000000000 -0400
27876 +++ linux-2.6.35.7/drivers/staging/dream/pmem.c 2010-09-17 20:12:09.000000000 -0400
27877 @@ -175,7 +175,7 @@ static int pmem_mmap(struct file *, stru
27878 static int pmem_open(struct inode *, struct file *);
27879 static long pmem_ioctl(struct file *, unsigned int, unsigned long);
27881 -struct file_operations pmem_fops = {
27882 +const struct file_operations pmem_fops = {
27883 .release = pmem_release,
27886 @@ -1201,7 +1201,7 @@ static ssize_t debug_read(struct file *f
27887 return simple_read_from_buffer(buf, count, ppos, buffer, n);
27890 -static struct file_operations debug_fops = {
27891 +static const struct file_operations debug_fops = {
27892 .read = debug_read,
27893 .open = debug_open,
27895 diff -urNp linux-2.6.35.7/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.35.7/drivers/staging/dream/qdsp5/adsp_driver.c
27896 --- linux-2.6.35.7/drivers/staging/dream/qdsp5/adsp_driver.c 2010-08-26 19:47:12.000000000 -0400
27897 +++ linux-2.6.35.7/drivers/staging/dream/qdsp5/adsp_driver.c 2010-09-17 20:12:09.000000000 -0400
27898 @@ -577,7 +577,7 @@ static struct adsp_device *inode_to_devi
27899 static dev_t adsp_devno;
27900 static struct class *adsp_class;
27902 -static struct file_operations adsp_fops = {
27903 +static const struct file_operations adsp_fops = {
27904 .owner = THIS_MODULE,
27906 .unlocked_ioctl = adsp_ioctl,
27907 diff -urNp linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_aac.c
27908 --- linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_aac.c 2010-08-26 19:47:12.000000000 -0400
27909 +++ linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_aac.c 2010-09-17 20:12:09.000000000 -0400
27910 @@ -1023,7 +1023,7 @@ done:
27914 -static struct file_operations audio_aac_fops = {
27915 +static const struct file_operations audio_aac_fops = {
27916 .owner = THIS_MODULE,
27917 .open = audio_open,
27918 .release = audio_release,
27919 diff -urNp linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_amrnb.c
27920 --- linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-08-26 19:47:12.000000000 -0400
27921 +++ linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-09-17 20:12:09.000000000 -0400
27922 @@ -834,7 +834,7 @@ done:
27926 -static struct file_operations audio_amrnb_fops = {
27927 +static const struct file_operations audio_amrnb_fops = {
27928 .owner = THIS_MODULE,
27929 .open = audamrnb_open,
27930 .release = audamrnb_release,
27931 diff -urNp linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_evrc.c
27932 --- linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_evrc.c 2010-08-26 19:47:12.000000000 -0400
27933 +++ linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_evrc.c 2010-09-17 20:12:09.000000000 -0400
27934 @@ -806,7 +806,7 @@ dma_fail:
27938 -static struct file_operations audio_evrc_fops = {
27939 +static const struct file_operations audio_evrc_fops = {
27940 .owner = THIS_MODULE,
27941 .open = audevrc_open,
27942 .release = audevrc_release,
27943 diff -urNp linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_in.c
27944 --- linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_in.c 2010-08-26 19:47:12.000000000 -0400
27945 +++ linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_in.c 2010-09-17 20:12:09.000000000 -0400
27946 @@ -914,7 +914,7 @@ static int audpre_open(struct inode *ino
27950 -static struct file_operations audio_fops = {
27951 +static const struct file_operations audio_fops = {
27952 .owner = THIS_MODULE,
27953 .open = audio_in_open,
27954 .release = audio_in_release,
27955 @@ -923,7 +923,7 @@ static struct file_operations audio_fops
27956 .unlocked_ioctl = audio_in_ioctl,
27959 -static struct file_operations audpre_fops = {
27960 +static const struct file_operations audpre_fops = {
27961 .owner = THIS_MODULE,
27962 .open = audpre_open,
27963 .unlocked_ioctl = audpre_ioctl,
27964 diff -urNp linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_mp3.c
27965 --- linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_mp3.c 2010-08-26 19:47:12.000000000 -0400
27966 +++ linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_mp3.c 2010-09-17 20:12:09.000000000 -0400
27967 @@ -941,7 +941,7 @@ done:
27971 -static struct file_operations audio_mp3_fops = {
27972 +static const struct file_operations audio_mp3_fops = {
27973 .owner = THIS_MODULE,
27974 .open = audio_open,
27975 .release = audio_release,
27976 diff -urNp linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_out.c
27977 --- linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_out.c 2010-08-26 19:47:12.000000000 -0400
27978 +++ linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_out.c 2010-09-17 20:12:09.000000000 -0400
27979 @@ -800,7 +800,7 @@ static int audpp_open(struct inode *inod
27983 -static struct file_operations audio_fops = {
27984 +static const struct file_operations audio_fops = {
27985 .owner = THIS_MODULE,
27986 .open = audio_open,
27987 .release = audio_release,
27988 @@ -809,7 +809,7 @@ static struct file_operations audio_fops
27989 .unlocked_ioctl = audio_ioctl,
27992 -static struct file_operations audpp_fops = {
27993 +static const struct file_operations audpp_fops = {
27994 .owner = THIS_MODULE,
27995 .open = audpp_open,
27996 .unlocked_ioctl = audpp_ioctl,
27997 diff -urNp linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_qcelp.c
27998 --- linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-08-26 19:47:12.000000000 -0400
27999 +++ linux-2.6.35.7/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-09-17 20:12:09.000000000 -0400
28000 @@ -817,7 +817,7 @@ err:
28004 -static struct file_operations audio_qcelp_fops = {
28005 +static const struct file_operations audio_qcelp_fops = {
28006 .owner = THIS_MODULE,
28007 .open = audqcelp_open,
28008 .release = audqcelp_release,
28009 diff -urNp linux-2.6.35.7/drivers/staging/dream/qdsp5/snd.c linux-2.6.35.7/drivers/staging/dream/qdsp5/snd.c
28010 --- linux-2.6.35.7/drivers/staging/dream/qdsp5/snd.c 2010-08-26 19:47:12.000000000 -0400
28011 +++ linux-2.6.35.7/drivers/staging/dream/qdsp5/snd.c 2010-09-17 20:12:09.000000000 -0400
28012 @@ -242,7 +242,7 @@ err:
28016 -static struct file_operations snd_fops = {
28017 +static const struct file_operations snd_fops = {
28018 .owner = THIS_MODULE,
28020 .release = snd_release,
28021 diff -urNp linux-2.6.35.7/drivers/staging/dt3155/dt3155_drv.c linux-2.6.35.7/drivers/staging/dt3155/dt3155_drv.c
28022 --- linux-2.6.35.7/drivers/staging/dt3155/dt3155_drv.c 2010-08-26 19:47:12.000000000 -0400
28023 +++ linux-2.6.35.7/drivers/staging/dt3155/dt3155_drv.c 2010-09-17 20:12:09.000000000 -0400
28024 @@ -853,7 +853,7 @@ dt3155_unlocked_ioctl(struct file *file,
28025 * needed by init_module
28027 *****************************************************/
28028 -static struct file_operations dt3155_fops = {
28029 +static const struct file_operations dt3155_fops = {
28030 .read = dt3155_read,
28031 .unlocked_ioctl = dt3155_unlocked_ioctl,
28032 .mmap = dt3155_mmap,
28033 diff -urNp linux-2.6.35.7/drivers/staging/go7007/go7007-v4l2.c linux-2.6.35.7/drivers/staging/go7007/go7007-v4l2.c
28034 --- linux-2.6.35.7/drivers/staging/go7007/go7007-v4l2.c 2010-08-26 19:47:12.000000000 -0400
28035 +++ linux-2.6.35.7/drivers/staging/go7007/go7007-v4l2.c 2010-09-17 20:12:09.000000000 -0400
28036 @@ -1673,7 +1673,7 @@ static int go7007_vm_fault(struct vm_are
28040 -static struct vm_operations_struct go7007_vm_ops = {
28041 +static const struct vm_operations_struct go7007_vm_ops = {
28042 .open = go7007_vm_open,
28043 .close = go7007_vm_close,
28044 .fault = go7007_vm_fault,
28045 diff -urNp linux-2.6.35.7/drivers/staging/hv/hv.c linux-2.6.35.7/drivers/staging/hv/hv.c
28046 --- linux-2.6.35.7/drivers/staging/hv/hv.c 2010-08-26 19:47:12.000000000 -0400
28047 +++ linux-2.6.35.7/drivers/staging/hv/hv.c 2010-09-17 20:12:09.000000000 -0400
28048 @@ -162,7 +162,7 @@ static u64 HvDoHypercall(u64 Control, vo
28049 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
28050 u32 outputAddressHi = outputAddress >> 32;
28051 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
28052 - volatile void *hypercallPage = gHvContext.HypercallPage;
28053 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
28055 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
28056 Control, Input, Output);
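Review bot: `ktva_ktla()` is applied to `gHvContext.HypercallPage` with no comment, and nothing in this hunk says what translation it performs or why the hypercall page needs it. The pointer is presumably used as the call target further down in HvDoHypercall, which is outside the hunk, so a wrong assumption about which address range the page lives in would show up as a bad indirect call, not a compile error. I would add a comment on the assignment, e.g. `/* hypercall page is executed below: use its kernel-text linear alias */`, with the wording adjusted to whatever the helper actually guarantees. It is also worth confirming that the page allocated for `HypercallPage` falls in the range the helper expects.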
28057 diff -urNp linux-2.6.35.7/drivers/staging/msm/msm_fb_bl.c linux-2.6.35.7/drivers/staging/msm/msm_fb_bl.c
28058 --- linux-2.6.35.7/drivers/staging/msm/msm_fb_bl.c 2010-08-26 19:47:12.000000000 -0400
28059 +++ linux-2.6.35.7/drivers/staging/msm/msm_fb_bl.c 2010-09-17 20:12:09.000000000 -0400
28060 @@ -42,7 +42,7 @@ static int msm_fb_bl_update_status(struc
28064 -static struct backlight_ops msm_fb_bl_ops = {
28065 +static const struct backlight_ops msm_fb_bl_ops = {
28066 .get_brightness = msm_fb_bl_get_brightness,
28067 .update_status = msm_fb_bl_update_status,
28069 diff -urNp linux-2.6.35.7/drivers/staging/panel/panel.c linux-2.6.35.7/drivers/staging/panel/panel.c
28070 --- linux-2.6.35.7/drivers/staging/panel/panel.c 2010-08-26 19:47:12.000000000 -0400
28071 +++ linux-2.6.35.7/drivers/staging/panel/panel.c 2010-09-17 20:12:09.000000000 -0400
28072 @@ -1304,7 +1304,7 @@ static int lcd_release(struct inode *ino
28076 -static struct file_operations lcd_fops = {
28077 +static const struct file_operations lcd_fops = {
28078 .write = lcd_write,
28080 .release = lcd_release,
28081 @@ -1564,7 +1564,7 @@ static int keypad_release(struct inode *
28085 -static struct file_operations keypad_fops = {
28086 +static const struct file_operations keypad_fops = {
28087 .read = keypad_read, /* read */
28088 .open = keypad_open, /* open */
28089 .release = keypad_release, /* close */
28090 diff -urNp linux-2.6.35.7/drivers/staging/phison/phison.c linux-2.6.35.7/drivers/staging/phison/phison.c
28091 --- linux-2.6.35.7/drivers/staging/phison/phison.c 2010-08-26 19:47:12.000000000 -0400
28092 +++ linux-2.6.35.7/drivers/staging/phison/phison.c 2010-09-17 20:12:09.000000000 -0400
28093 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
28094 ATA_BMDMA_SHT(DRV_NAME),
28097 -static struct ata_port_operations phison_ops = {
28098 +static const struct ata_port_operations phison_ops = {
28099 .inherits = &ata_bmdma_port_ops,
28100 .prereset = phison_pre_reset,
28102 diff -urNp linux-2.6.35.7/drivers/staging/pohmelfs/inode.c linux-2.6.35.7/drivers/staging/pohmelfs/inode.c
28103 --- linux-2.6.35.7/drivers/staging/pohmelfs/inode.c 2010-08-26 19:47:12.000000000 -0400
28104 +++ linux-2.6.35.7/drivers/staging/pohmelfs/inode.c 2010-09-17 20:12:09.000000000 -0400
28105 @@ -1846,7 +1846,7 @@ static int pohmelfs_fill_super(struct su
28106 mutex_init(&psb->mcache_lock);
28107 psb->mcache_root = RB_ROOT;
28108 psb->mcache_timeout = msecs_to_jiffies(5000);
28109 - atomic_long_set(&psb->mcache_gen, 0);
28110 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
28112 psb->trans_max_pages = 100;
28114 diff -urNp linux-2.6.35.7/drivers/staging/pohmelfs/mcache.c linux-2.6.35.7/drivers/staging/pohmelfs/mcache.c
28115 --- linux-2.6.35.7/drivers/staging/pohmelfs/mcache.c 2010-08-26 19:47:12.000000000 -0400
28116 +++ linux-2.6.35.7/drivers/staging/pohmelfs/mcache.c 2010-09-17 20:12:09.000000000 -0400
28117 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
28121 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
28122 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
28124 mutex_lock(&psb->mcache_lock);
28125 err = pohmelfs_mcache_insert(psb, m);
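Review bot: `m->gen` now comes from a counter that is explicitly allowed to wrap, and the object is handed to `pohmelfs_mcache_insert()` two lines later. If `gen` is the lookup key inside that insert (not visible in this hunk), a wrapped value could collide with an entry that is still live, so the `err` path after the call has to tolerate a duplicate. A comment on the assignment would record the decision, e.g. `/* generation counter: wrap-around is tolerated, see insert error handling */`. The body of the enclosing function starts before and continues after the hunk.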
28126 diff -urNp linux-2.6.35.7/drivers/staging/pohmelfs/netfs.h linux-2.6.35.7/drivers/staging/pohmelfs/netfs.h
28127 --- linux-2.6.35.7/drivers/staging/pohmelfs/netfs.h 2010-08-26 19:47:12.000000000 -0400
28128 +++ linux-2.6.35.7/drivers/staging/pohmelfs/netfs.h 2010-09-17 20:12:09.000000000 -0400
28129 @@ -571,7 +571,7 @@ struct pohmelfs_config;
28130 struct pohmelfs_sb {
28131 struct rb_root mcache_root;
28132 struct mutex mcache_lock;
28133 - atomic_long_t mcache_gen;
28134 + atomic_long_unchecked_t mcache_gen;
28135 unsigned long mcache_timeout;
28138 diff -urNp linux-2.6.35.7/drivers/staging/ramzswap/ramzswap_drv.c linux-2.6.35.7/drivers/staging/ramzswap/ramzswap_drv.c
28139 --- linux-2.6.35.7/drivers/staging/ramzswap/ramzswap_drv.c 2010-08-26 19:47:12.000000000 -0400
28140 +++ linux-2.6.35.7/drivers/staging/ramzswap/ramzswap_drv.c 2010-09-17 20:12:09.000000000 -0400
28141 @@ -693,7 +693,7 @@ void ramzswap_slot_free_notify(struct bl
28145 -static struct block_device_operations ramzswap_devops = {
28146 +static const struct block_device_operations ramzswap_devops = {
28147 .ioctl = ramzswap_ioctl,
28148 .swap_slot_free_notify = ramzswap_slot_free_notify,
28149 .owner = THIS_MODULE
28150 diff -urNp linux-2.6.35.7/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.35.7/drivers/staging/rtl8192u/ieee80211/proc.c
28151 --- linux-2.6.35.7/drivers/staging/rtl8192u/ieee80211/proc.c 2010-08-26 19:47:12.000000000 -0400
28152 +++ linux-2.6.35.7/drivers/staging/rtl8192u/ieee80211/proc.c 2010-09-17 20:12:09.000000000 -0400
28153 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
28154 return seq_open(file, &crypto_seq_ops);
28157 -static struct file_operations proc_crypto_ops = {
28158 +static const struct file_operations proc_crypto_ops = {
28159 .open = crypto_info_open,
28161 .llseek = seq_lseek,
28162 diff -urNp linux-2.6.35.7/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.35.7/drivers/staging/samsung-laptop/samsung-laptop.c
28163 --- linux-2.6.35.7/drivers/staging/samsung-laptop/samsung-laptop.c 2010-08-26 19:47:12.000000000 -0400
28164 +++ linux-2.6.35.7/drivers/staging/samsung-laptop/samsung-laptop.c 2010-09-17 20:12:09.000000000 -0400
28165 @@ -269,7 +269,7 @@ static int update_status(struct backligh
28169 -static struct backlight_ops backlight_ops = {
28170 +static const struct backlight_ops backlight_ops = {
28171 .get_brightness = get_brightness,
28172 .update_status = update_status,
28174 diff -urNp linux-2.6.35.7/drivers/staging/sep/sep_driver.c linux-2.6.35.7/drivers/staging/sep/sep_driver.c
28175 --- linux-2.6.35.7/drivers/staging/sep/sep_driver.c 2010-08-26 19:47:12.000000000 -0400
28176 +++ linux-2.6.35.7/drivers/staging/sep/sep_driver.c 2010-09-17 20:12:09.000000000 -0400
28177 @@ -2637,7 +2637,7 @@ static struct pci_driver sep_pci_driver
28178 static dev_t sep_devno;
28180 /* the files operations structure of the driver */
28181 -static struct file_operations sep_file_operations = {
28182 +static const struct file_operations sep_file_operations = {
28183 .owner = THIS_MODULE,
28184 .unlocked_ioctl = sep_ioctl,
28186 diff -urNp linux-2.6.35.7/drivers/staging/vme/devices/vme_user.c linux-2.6.35.7/drivers/staging/vme/devices/vme_user.c
28187 --- linux-2.6.35.7/drivers/staging/vme/devices/vme_user.c 2010-08-26 19:47:12.000000000 -0400
28188 +++ linux-2.6.35.7/drivers/staging/vme/devices/vme_user.c 2010-09-17 20:12:09.000000000 -0400
28189 @@ -136,7 +136,7 @@ static long vme_user_unlocked_ioctl(stru
28190 static int __init vme_user_probe(struct device *, int, int);
28191 static int __exit vme_user_remove(struct device *, int, int);
28193 -static struct file_operations vme_user_fops = {
28194 +static const struct file_operations vme_user_fops = {
28195 .open = vme_user_open,
28196 .release = vme_user_release,
28197 .read = vme_user_read,
28198 diff -urNp linux-2.6.35.7/drivers/usb/atm/cxacru.c linux-2.6.35.7/drivers/usb/atm/cxacru.c
28199 --- linux-2.6.35.7/drivers/usb/atm/cxacru.c 2010-09-20 17:33:09.000000000 -0400
28200 +++ linux-2.6.35.7/drivers/usb/atm/cxacru.c 2010-10-11 22:41:44.000000000 -0400
28201 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
28202 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
28205 - if (index < 0 || index > 0x7f)
28206 + if (index > 0x7f)
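Review bot: Dropping `index < 0` is a no-op only if `index` is an unsigned type, and its declaration is outside this hunk, so `index > 0x7f` now carries the whole range check on a value parsed from a sysfs write. The `%x` conversion in the `sscanf` above expects an `unsigned int *`, which suggests the variable is unsigned, but that should be confirmed against the declaration. A one-line comment such as `/* index is unsigned, so one comparison bounds it */` would keep a later change of the type to `int` from silently reopening the negative case. The same reasoning applies to the removed `cmap->start < 0` test in drivers/video/fbcmap.c and the removed `con2fb.framebuffer < 0` test in drivers/video/fbmem.c.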
28210 diff -urNp linux-2.6.35.7/drivers/usb/atm/usbatm.c linux-2.6.35.7/drivers/usb/atm/usbatm.c
28211 --- linux-2.6.35.7/drivers/usb/atm/usbatm.c 2010-08-26 19:47:12.000000000 -0400
28212 +++ linux-2.6.35.7/drivers/usb/atm/usbatm.c 2010-09-17 20:12:09.000000000 -0400
28213 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
28214 if (printk_ratelimit())
28215 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
28216 __func__, vpi, vci);
28217 - atomic_inc(&vcc->stats->rx_err);
28218 + atomic_inc_unchecked(&vcc->stats->rx_err);
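Review bot: `atomic_inc_unchecked(&vcc->stats->rx_err)` opts this counter out of whatever overflow handling the checked `atomic_inc` gets elsewhere in this patch set, which is only appropriate because the field is a pure statistic, and nothing at the call site records that reasoning. The `_unchecked` definition and the matching type change of the `stats` members are not visible in this file section, so confirm both are part of the same patch. A short comment where the counters are declared, for example `/* statistics only: wrap-around is harmless, never used as a reference count */`, would stop the `_unchecked` form from being copied onto a real refcount. The remaining `usbatm_extract_one_cell` hunks, the `usbatm_tx_process` hunk and the `atomic_read_unchecked` calls in `usbatm_atm_proc_read` follow the same pattern. The enclosing functions start and end outside these hunks.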
28222 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
28223 if (length > ATM_MAX_AAL5_PDU) {
28224 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
28225 __func__, length, vcc);
28226 - atomic_inc(&vcc->stats->rx_err);
28227 + atomic_inc_unchecked(&vcc->stats->rx_err);
28231 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
28232 if (sarb->len < pdu_length) {
28233 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
28234 __func__, pdu_length, sarb->len, vcc);
28235 - atomic_inc(&vcc->stats->rx_err);
28236 + atomic_inc_unchecked(&vcc->stats->rx_err);
28240 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
28241 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
28243 - atomic_inc(&vcc->stats->rx_err);
28244 + atomic_inc_unchecked(&vcc->stats->rx_err);
28248 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
28249 if (printk_ratelimit())
28250 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
28252 - atomic_inc(&vcc->stats->rx_drop);
28253 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28257 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
28259 vcc->push(vcc, skb);
28261 - atomic_inc(&vcc->stats->rx);
28262 + atomic_inc_unchecked(&vcc->stats->rx);
28266 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
28267 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
28269 usbatm_pop(vcc, skb);
28270 - atomic_inc(&vcc->stats->tx);
28271 + atomic_inc_unchecked(&vcc->stats->tx);
28273 skb = skb_dequeue(&instance->sndqueue);
28275 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
28277 return sprintf(page,
28278 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
28279 - atomic_read(&atm_dev->stats.aal5.tx),
28280 - atomic_read(&atm_dev->stats.aal5.tx_err),
28281 - atomic_read(&atm_dev->stats.aal5.rx),
28282 - atomic_read(&atm_dev->stats.aal5.rx_err),
28283 - atomic_read(&atm_dev->stats.aal5.rx_drop));
28284 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
28285 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
28286 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
28287 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
28288 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
28291 if (instance->disconnected)
28292 diff -urNp linux-2.6.35.7/drivers/usb/class/cdc-acm.c linux-2.6.35.7/drivers/usb/class/cdc-acm.c
28293 --- linux-2.6.35.7/drivers/usb/class/cdc-acm.c 2010-09-20 17:33:09.000000000 -0400
28294 +++ linux-2.6.35.7/drivers/usb/class/cdc-acm.c 2010-09-20 17:33:32.000000000 -0400
28295 @@ -1640,7 +1640,7 @@ static const struct usb_device_id acm_id
28296 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
28297 USB_CDC_ACM_PROTO_AT_CDMA) },
28300 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
28303 MODULE_DEVICE_TABLE(usb, acm_ids);
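Review bot: The terminator `{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }` ties this table to the exact member count of `struct usb_device_id`, which is defined outside this file section. If the struct changes, too many initializers break the build and too few bring back the partial initializer this change was presumably meant to avoid. Unlike the usblp.c and hub.c hunks, this line has no `/* Terminating entry */` comment, so a row of twelve zeros reads like data. I would add that comment here and consider defining the all-zero sentinel once beside the struct, so the tables do not each repeat the count. The same applies to the twelve-zero entries in usblp.c, hub.c and usual-tables.c, the seven-zero PCI entries in ehci-pci.c, uhci-hcd.c and i810_main.c, and the `{ NULL, NULL, 0, 0, NULL }` entry in storage/usb.c.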
28304 diff -urNp linux-2.6.35.7/drivers/usb/class/cdc-wdm.c linux-2.6.35.7/drivers/usb/class/cdc-wdm.c
28305 --- linux-2.6.35.7/drivers/usb/class/cdc-wdm.c 2010-08-26 19:47:12.000000000 -0400
28306 +++ linux-2.6.35.7/drivers/usb/class/cdc-wdm.c 2010-09-17 20:12:09.000000000 -0400
28307 @@ -342,7 +342,7 @@ static ssize_t wdm_write
28311 - if (!file->f_flags && O_NONBLOCK)
28312 + if (!(file->f_flags & O_NONBLOCK))
28313 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
28316 diff -urNp linux-2.6.35.7/drivers/usb/class/usblp.c linux-2.6.35.7/drivers/usb/class/usblp.c
28317 --- linux-2.6.35.7/drivers/usb/class/usblp.c 2010-08-26 19:47:12.000000000 -0400
28318 +++ linux-2.6.35.7/drivers/usb/class/usblp.c 2010-09-17 20:12:09.000000000 -0400
28319 @@ -226,7 +226,7 @@ static const struct quirk_printer_struct
28320 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
28321 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
28322 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
28327 static int usblp_wwait(struct usblp *usblp, int nonblock);
28328 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
28329 { USB_INTERFACE_INFO(7, 1, 2) },
28330 { USB_INTERFACE_INFO(7, 1, 3) },
28331 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
28332 - { } /* Terminating entry */
28333 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28336 MODULE_DEVICE_TABLE (usb, usblp_ids);
28337 diff -urNp linux-2.6.35.7/drivers/usb/core/hcd.c linux-2.6.35.7/drivers/usb/core/hcd.c
28338 --- linux-2.6.35.7/drivers/usb/core/hcd.c 2010-08-26 19:47:12.000000000 -0400
28339 +++ linux-2.6.35.7/drivers/usb/core/hcd.c 2010-09-17 20:12:09.000000000 -0400
28340 @@ -2381,7 +2381,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
28342 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
28344 -struct usb_mon_operations *mon_ops;
28345 +const struct usb_mon_operations *mon_ops;
28348 * The registration is unlocked.
28349 @@ -2391,7 +2391,7 @@ struct usb_mon_operations *mon_ops;
28350 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
28353 -int usb_mon_register (struct usb_mon_operations *ops)
28354 +int usb_mon_register (const struct usb_mon_operations *ops)
28358 diff -urNp linux-2.6.35.7/drivers/usb/core/hub.c linux-2.6.35.7/drivers/usb/core/hub.c
28359 --- linux-2.6.35.7/drivers/usb/core/hub.c 2010-08-26 19:47:12.000000000 -0400
28360 +++ linux-2.6.35.7/drivers/usb/core/hub.c 2010-09-17 20:12:09.000000000 -0400
28361 @@ -3453,7 +3453,7 @@ static const struct usb_device_id hub_id
28362 .bDeviceClass = USB_CLASS_HUB},
28363 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
28364 .bInterfaceClass = USB_CLASS_HUB},
28365 - { } /* Terminating entry */
28366 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28369 MODULE_DEVICE_TABLE (usb, hub_id_table);
28370 diff -urNp linux-2.6.35.7/drivers/usb/core/message.c linux-2.6.35.7/drivers/usb/core/message.c
28371 --- linux-2.6.35.7/drivers/usb/core/message.c 2010-09-20 17:33:09.000000000 -0400
28372 +++ linux-2.6.35.7/drivers/usb/core/message.c 2010-09-20 17:33:32.000000000 -0400
28373 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
28374 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
28376 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
28378 - smallbuf = kmalloc(++len, GFP_NOIO);
28380 + smallbuf = kmalloc(len, GFP_NOIO);
28383 memcpy(smallbuf, buf, len);
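Review bot: The new call `kmalloc(len, GFP_NOIO)` no longer increments `len`, whereas the removed `kmalloc(++len, GFP_NOIO)` grew it by one so that the following `memcpy(smallbuf, buf, len)` also copied the string terminator. Some lines of this hunk are missing from the page (the numbering skips around the changed lines), so the increment may simply have moved to another line; if it did not, `smallbuf` would be one byte shorter and returned without a NUL. Please confirm the new side still increments `len` before the allocation. Keeping the side effect out of the size argument is reasonable in itself, since allocator wrappers may evaluate that argument more than once. The body of `usb_cache_string` extends beyond the hunk.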
28384 diff -urNp linux-2.6.35.7/drivers/usb/early/ehci-dbgp.c linux-2.6.35.7/drivers/usb/early/ehci-dbgp.c
28385 --- linux-2.6.35.7/drivers/usb/early/ehci-dbgp.c 2010-08-26 19:47:12.000000000 -0400
28386 +++ linux-2.6.35.7/drivers/usb/early/ehci-dbgp.c 2010-09-17 20:12:09.000000000 -0400
28387 @@ -1026,6 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
28388 early_dbgp_write(NULL, &chr, 1);
28391 +/* cannot be const, see kgdbdbgp_parse_config() */
28392 static struct kgdb_io kgdbdbgp_io_ops = {
28393 .name = "kgdbdbgp",
28394 .read_char = kgdbdbgp_read_char,
28395 diff -urNp linux-2.6.35.7/drivers/usb/host/ehci-pci.c linux-2.6.35.7/drivers/usb/host/ehci-pci.c
28396 --- linux-2.6.35.7/drivers/usb/host/ehci-pci.c 2010-08-26 19:47:12.000000000 -0400
28397 +++ linux-2.6.35.7/drivers/usb/host/ehci-pci.c 2010-09-17 20:12:09.000000000 -0400
28398 @@ -419,7 +419,7 @@ static const struct pci_device_id pci_id
28399 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28400 .driver_data = (unsigned long) &ehci_pci_hc_driver,
28402 - { /* end: all zeroes */ }
28403 + { 0, 0, 0, 0, 0, 0, 0 }
28405 MODULE_DEVICE_TABLE(pci, pci_ids);
28407 diff -urNp linux-2.6.35.7/drivers/usb/host/uhci-hcd.c linux-2.6.35.7/drivers/usb/host/uhci-hcd.c
28408 --- linux-2.6.35.7/drivers/usb/host/uhci-hcd.c 2010-08-26 19:47:12.000000000 -0400
28409 +++ linux-2.6.35.7/drivers/usb/host/uhci-hcd.c 2010-09-17 20:12:09.000000000 -0400
28410 @@ -941,7 +941,7 @@ static const struct pci_device_id uhci_p
28411 /* handle any USB UHCI controller */
28412 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28413 .driver_data = (unsigned long) &uhci_driver,
28414 - }, { /* end: all zeroes */ }
28415 + }, { 0, 0, 0, 0, 0, 0, 0 }
28418 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
28419 diff -urNp linux-2.6.35.7/drivers/usb/mon/mon_main.c linux-2.6.35.7/drivers/usb/mon/mon_main.c
28420 --- linux-2.6.35.7/drivers/usb/mon/mon_main.c 2010-08-26 19:47:12.000000000 -0400
28421 +++ linux-2.6.35.7/drivers/usb/mon/mon_main.c 2010-09-17 20:12:09.000000000 -0400
28422 @@ -240,7 +240,7 @@ static struct notifier_block mon_nb = {
28426 -static struct usb_mon_operations mon_ops_0 = {
28427 +static const struct usb_mon_operations mon_ops_0 = {
28428 .urb_submit = mon_submit,
28429 .urb_submit_error = mon_submit_error,
28430 .urb_complete = mon_complete,
28431 diff -urNp linux-2.6.35.7/drivers/usb/storage/debug.h linux-2.6.35.7/drivers/usb/storage/debug.h
28432 --- linux-2.6.35.7/drivers/usb/storage/debug.h 2010-08-26 19:47:12.000000000 -0400
28433 +++ linux-2.6.35.7/drivers/usb/storage/debug.h 2010-09-17 20:12:09.000000000 -0400
28434 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28435 #define US_DEBUGPX(x...) printk( x )
28436 #define US_DEBUG(x) x
28438 -#define US_DEBUGP(x...)
28439 -#define US_DEBUGPX(x...)
28440 -#define US_DEBUG(x)
28441 +#define US_DEBUGP(x...) do {} while (0)
28442 +#define US_DEBUGPX(x...) do {} while (0)
28443 +#define US_DEBUG(x) do {} while (0)
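Review bot: With `#define US_DEBUGP(x...) do {} while (0)` the arguments vanish in non-debug builds, so format strings and their arguments are never compiled or type-checked unless the debug option is enabled. Wrapping the call in a dead branch keeps the statement form and the checking: `#define US_DEBUGP(x...) do { if (0) printk(x); } while (0)`, and likewise for `US_DEBUGPX`, provided no call site references symbols that exist only in debug builds. `US_DEBUG(x)` takes arbitrary code rather than a format, so it can stay as written. The `DPRINTK` stub changed the same way in drivers/video/fbmon.c could get the same treatment.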
28447 diff -urNp linux-2.6.35.7/drivers/usb/storage/usb.c linux-2.6.35.7/drivers/usb/storage/usb.c
28448 --- linux-2.6.35.7/drivers/usb/storage/usb.c 2010-08-26 19:47:12.000000000 -0400
28449 +++ linux-2.6.35.7/drivers/usb/storage/usb.c 2010-09-17 20:12:09.000000000 -0400
28450 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
28452 static struct us_unusual_dev us_unusual_dev_list[] = {
28453 # include "unusual_devs.h"
28454 - { } /* Terminating entry */
28455 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28459 diff -urNp linux-2.6.35.7/drivers/usb/storage/usual-tables.c linux-2.6.35.7/drivers/usb/storage/usual-tables.c
28460 --- linux-2.6.35.7/drivers/usb/storage/usual-tables.c 2010-08-26 19:47:12.000000000 -0400
28461 +++ linux-2.6.35.7/drivers/usb/storage/usual-tables.c 2010-09-17 20:12:09.000000000 -0400
28464 struct usb_device_id usb_storage_usb_ids[] = {
28465 # include "unusual_devs.h"
28466 - { } /* Terminating entry */
28467 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28469 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28471 diff -urNp linux-2.6.35.7/drivers/uwb/wlp/messages.c linux-2.6.35.7/drivers/uwb/wlp/messages.c
28472 --- linux-2.6.35.7/drivers/uwb/wlp/messages.c 2010-08-26 19:47:12.000000000 -0400
28473 +++ linux-2.6.35.7/drivers/uwb/wlp/messages.c 2010-09-17 20:12:09.000000000 -0400
28474 @@ -920,7 +920,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
28475 size_t len = skb->len;
28478 - struct wlp_nonce enonce, rnonce;
28479 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
28480 enum wlp_assc_error assc_err;
28481 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
28482 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
28483 diff -urNp linux-2.6.35.7/drivers/vhost/vhost.c linux-2.6.35.7/drivers/vhost/vhost.c
28484 --- linux-2.6.35.7/drivers/vhost/vhost.c 2010-08-26 19:47:12.000000000 -0400
28485 +++ linux-2.6.35.7/drivers/vhost/vhost.c 2010-09-17 20:12:09.000000000 -0400
28486 @@ -357,7 +357,7 @@ static int init_used(struct vhost_virtqu
28487 return get_user(vq->last_used_idx, &used->idx);
28490 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28491 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28493 struct file *eventfp, *filep = NULL,
28494 *pollstart = NULL, *pollstop = NULL;
28495 diff -urNp linux-2.6.35.7/drivers/video/atmel_lcdfb.c linux-2.6.35.7/drivers/video/atmel_lcdfb.c
28496 --- linux-2.6.35.7/drivers/video/atmel_lcdfb.c 2010-08-26 19:47:12.000000000 -0400
28497 +++ linux-2.6.35.7/drivers/video/atmel_lcdfb.c 2010-09-17 20:12:09.000000000 -0400
28498 @@ -111,7 +111,7 @@ static int atmel_bl_get_brightness(struc
28499 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
28502 -static struct backlight_ops atmel_lcdc_bl_ops = {
28503 +static const struct backlight_ops atmel_lcdc_bl_ops = {
28504 .update_status = atmel_bl_update_status,
28505 .get_brightness = atmel_bl_get_brightness,
28507 diff -urNp linux-2.6.35.7/drivers/video/aty/aty128fb.c linux-2.6.35.7/drivers/video/aty/aty128fb.c
28508 --- linux-2.6.35.7/drivers/video/aty/aty128fb.c 2010-08-26 19:47:12.000000000 -0400
28509 +++ linux-2.6.35.7/drivers/video/aty/aty128fb.c 2010-09-17 20:12:09.000000000 -0400
28510 @@ -1786,7 +1786,7 @@ static int aty128_bl_get_brightness(stru
28511 return bd->props.brightness;
28514 -static struct backlight_ops aty128_bl_data = {
28515 +static const struct backlight_ops aty128_bl_data = {
28516 .get_brightness = aty128_bl_get_brightness,
28517 .update_status = aty128_bl_update_status,
28519 diff -urNp linux-2.6.35.7/drivers/video/aty/atyfb_base.c linux-2.6.35.7/drivers/video/aty/atyfb_base.c
28520 --- linux-2.6.35.7/drivers/video/aty/atyfb_base.c 2010-08-26 19:47:12.000000000 -0400
28521 +++ linux-2.6.35.7/drivers/video/aty/atyfb_base.c 2010-09-17 20:12:09.000000000 -0400
28522 @@ -2221,7 +2221,7 @@ static int aty_bl_get_brightness(struct
28523 return bd->props.brightness;
28526 -static struct backlight_ops aty_bl_data = {
28527 +static const struct backlight_ops aty_bl_data = {
28528 .get_brightness = aty_bl_get_brightness,
28529 .update_status = aty_bl_update_status,
28531 diff -urNp linux-2.6.35.7/drivers/video/aty/radeon_backlight.c linux-2.6.35.7/drivers/video/aty/radeon_backlight.c
28532 --- linux-2.6.35.7/drivers/video/aty/radeon_backlight.c 2010-08-26 19:47:12.000000000 -0400
28533 +++ linux-2.6.35.7/drivers/video/aty/radeon_backlight.c 2010-09-17 20:12:09.000000000 -0400
28534 @@ -128,7 +128,7 @@ static int radeon_bl_get_brightness(stru
28535 return bd->props.brightness;
28538 -static struct backlight_ops radeon_bl_data = {
28539 +static const struct backlight_ops radeon_bl_data = {
28540 .get_brightness = radeon_bl_get_brightness,
28541 .update_status = radeon_bl_update_status,
28543 diff -urNp linux-2.6.35.7/drivers/video/backlight/88pm860x_bl.c linux-2.6.35.7/drivers/video/backlight/88pm860x_bl.c
28544 --- linux-2.6.35.7/drivers/video/backlight/88pm860x_bl.c 2010-08-26 19:47:12.000000000 -0400
28545 +++ linux-2.6.35.7/drivers/video/backlight/88pm860x_bl.c 2010-09-17 20:12:09.000000000 -0400
28546 @@ -155,7 +155,7 @@ out:
28550 -static struct backlight_ops pm860x_backlight_ops = {
28551 +static const struct backlight_ops pm860x_backlight_ops = {
28552 .options = BL_CORE_SUSPENDRESUME,
28553 .update_status = pm860x_backlight_update_status,
28554 .get_brightness = pm860x_backlight_get_brightness,
28555 diff -urNp linux-2.6.35.7/drivers/video/backlight/max8925_bl.c linux-2.6.35.7/drivers/video/backlight/max8925_bl.c
28556 --- linux-2.6.35.7/drivers/video/backlight/max8925_bl.c 2010-08-26 19:47:12.000000000 -0400
28557 +++ linux-2.6.35.7/drivers/video/backlight/max8925_bl.c 2010-09-17 20:12:09.000000000 -0400
28558 @@ -92,7 +92,7 @@ static int max8925_backlight_get_brightn
28562 -static struct backlight_ops max8925_backlight_ops = {
28563 +static const struct backlight_ops max8925_backlight_ops = {
28564 .options = BL_CORE_SUSPENDRESUME,
28565 .update_status = max8925_backlight_update_status,
28566 .get_brightness = max8925_backlight_get_brightness,
28567 diff -urNp linux-2.6.35.7/drivers/video/fbcmap.c linux-2.6.35.7/drivers/video/fbcmap.c
28568 --- linux-2.6.35.7/drivers/video/fbcmap.c 2010-08-26 19:47:12.000000000 -0400
28569 +++ linux-2.6.35.7/drivers/video/fbcmap.c 2010-09-17 20:12:09.000000000 -0400
28570 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28574 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28575 - !info->fbops->fb_setcmap)) {
28576 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
28580 diff -urNp linux-2.6.35.7/drivers/video/fbmem.c linux-2.6.35.7/drivers/video/fbmem.c
28581 --- linux-2.6.35.7/drivers/video/fbmem.c 2010-08-26 19:47:12.000000000 -0400
28582 +++ linux-2.6.35.7/drivers/video/fbmem.c 2010-09-17 20:12:09.000000000 -0400
28583 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28584 image->dx += image->width + 8;
28586 } else if (rotate == FB_ROTATE_UD) {
28587 - for (x = 0; x < num && image->dx >= 0; x++) {
28588 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28589 info->fbops->fb_imageblit(info, image);
28590 image->dx -= image->width + 8;
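Review bot: The loop guard `(__s32)image->dx >= 0` terminates only because `image->dx -= image->width + 8` wraps the (presumably unsigned) field and the cast then reads the wrapped value as negative, and nothing in the code says so. A comment on the loop, for example `/* dx is unsigned: the cast catches wrap-around from the subtraction below */`, would keep the cast from being removed later as redundant. The `image->dy` loop in the next hunk has the same shape and needs the same comment. `fb_do_show_logo` starts and ends outside both hunks, so the declared type of `dx` and `dy` should be checked against the struct definition.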
28592 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28593 image->dy += image->height + 8;
28595 } else if (rotate == FB_ROTATE_CCW) {
28596 - for (x = 0; x < num && image->dy >= 0; x++) {
28597 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28598 info->fbops->fb_imageblit(info, image);
28599 image->dy -= image->height + 8;
28601 @@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
28603 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28605 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28606 + if (con2fb.framebuffer >= FB_MAX)
28608 if (!registered_fb[con2fb.framebuffer])
28609 request_module("fb%d", con2fb.framebuffer);
28610 diff -urNp linux-2.6.35.7/drivers/video/fbmon.c linux-2.6.35.7/drivers/video/fbmon.c
28611 --- linux-2.6.35.7/drivers/video/fbmon.c 2010-08-26 19:47:12.000000000 -0400
28612 +++ linux-2.6.35.7/drivers/video/fbmon.c 2010-09-17 20:12:09.000000000 -0400
28615 #define DPRINTK(fmt, args...) printk(fmt,## args)
28617 -#define DPRINTK(fmt, args...)
28618 +#define DPRINTK(fmt, args...) do {} while (0)
28621 #define FBMON_FIX_HEADER 1
28622 diff -urNp linux-2.6.35.7/drivers/video/i810/i810_accel.c linux-2.6.35.7/drivers/video/i810/i810_accel.c
28623 --- linux-2.6.35.7/drivers/video/i810/i810_accel.c 2010-08-26 19:47:12.000000000 -0400
28624 +++ linux-2.6.35.7/drivers/video/i810/i810_accel.c 2010-09-17 20:12:09.000000000 -0400
28625 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
28628 printk("ringbuffer lockup!!!\n");
28629 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28630 i810_report_error(mmio);
28631 par->dev_flags |= LOCKUP;
28632 info->pixmap.scan_align = 1;
28633 diff -urNp linux-2.6.35.7/drivers/video/i810/i810_main.c linux-2.6.35.7/drivers/video/i810/i810_main.c
28634 --- linux-2.6.35.7/drivers/video/i810/i810_main.c 2010-08-26 19:47:12.000000000 -0400
28635 +++ linux-2.6.35.7/drivers/video/i810/i810_main.c 2010-09-17 20:12:09.000000000 -0400
28636 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28637 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28638 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28639 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28641 + { 0, 0, 0, 0, 0, 0, 0 },
28644 static struct pci_driver i810fb_driver = {
28645 diff -urNp linux-2.6.35.7/drivers/video/modedb.c linux-2.6.35.7/drivers/video/modedb.c
28646 --- linux-2.6.35.7/drivers/video/modedb.c 2010-08-26 19:47:12.000000000 -0400
28647 +++ linux-2.6.35.7/drivers/video/modedb.c 2010-09-17 20:12:09.000000000 -0400
28648 @@ -40,240 +40,240 @@ static const struct fb_videomode modedb[
28650 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28651 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
28652 - 0, FB_VMODE_NONINTERLACED
28653 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28655 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28656 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
28657 - 0, FB_VMODE_NONINTERLACED
28658 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28660 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28661 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
28662 - 0, FB_VMODE_NONINTERLACED
28663 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28665 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28666 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
28667 - 0, FB_VMODE_INTERLACED
28668 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28670 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28671 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28672 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28673 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28675 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28676 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
28677 - 0, FB_VMODE_NONINTERLACED
28678 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28680 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28681 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
28682 - 0, FB_VMODE_NONINTERLACED
28683 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28685 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28686 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28687 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28688 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28690 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28691 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
28692 - 0, FB_VMODE_NONINTERLACED
28693 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28695 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28696 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
28697 - 0, FB_VMODE_INTERLACED
28698 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28700 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28701 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28702 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28703 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28705 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28706 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
28707 - 0, FB_VMODE_NONINTERLACED
28708 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28710 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28711 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
28712 - 0, FB_VMODE_NONINTERLACED
28713 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28715 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28716 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
28717 - 0, FB_VMODE_NONINTERLACED
28718 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28720 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28721 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
28722 - 0, FB_VMODE_NONINTERLACED
28723 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28725 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28726 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
28727 - 0, FB_VMODE_NONINTERLACED
28728 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28730 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28731 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
28732 - 0, FB_VMODE_INTERLACED
28733 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28735 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28736 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
28737 - 0, FB_VMODE_NONINTERLACED
28738 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28740 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28741 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
28742 - 0, FB_VMODE_NONINTERLACED
28743 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28745 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28746 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
28747 - 0, FB_VMODE_NONINTERLACED
28748 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28750 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28751 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
28752 - 0, FB_VMODE_NONINTERLACED
28753 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28755 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28756 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
28757 - 0, FB_VMODE_NONINTERLACED
28758 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28760 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28761 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28762 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28763 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28765 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28766 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28767 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28768 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28770 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28771 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
28772 - 0, FB_VMODE_NONINTERLACED
28773 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28775 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28776 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
28777 - 0, FB_VMODE_NONINTERLACED
28778 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28780 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28781 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
28782 - 0, FB_VMODE_NONINTERLACED
28783 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28785 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
28786 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
28787 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28788 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28790 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
28791 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
28792 - 0, FB_VMODE_NONINTERLACED
28793 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28795 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
28796 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
28797 - 0, FB_VMODE_NONINTERLACED
28798 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28800 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
28801 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
28802 - 0, FB_VMODE_NONINTERLACED
28803 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28805 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
28806 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
28807 - 0, FB_VMODE_NONINTERLACED
28808 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28810 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
28811 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
28812 - 0, FB_VMODE_NONINTERLACED
28813 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28815 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
28816 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
28817 - 0, FB_VMODE_NONINTERLACED
28818 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28820 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
28821 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
28822 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28823 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28825 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
28826 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
28827 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28828 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28830 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
28831 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
28832 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28833 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28835 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
28836 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
28837 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28838 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28840 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
28841 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
28842 - 0, FB_VMODE_NONINTERLACED
28843 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28845 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
28846 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
28847 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28848 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28850 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
28851 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
28852 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28853 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28855 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
28856 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
28857 - 0, FB_VMODE_NONINTERLACED
28858 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28860 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
28861 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
28862 - 0, FB_VMODE_NONINTERLACED
28863 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28865 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
28866 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
28867 - 0, FB_VMODE_DOUBLE
28868 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28870 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
28871 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
28872 - 0, FB_VMODE_DOUBLE
28873 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28875 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
28876 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
28877 - 0, FB_VMODE_DOUBLE
28878 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28880 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
28881 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
28882 - 0, FB_VMODE_DOUBLE
28883 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28885 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
28886 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
28887 - 0, FB_VMODE_DOUBLE
28888 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28890 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
28891 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
28892 - 0, FB_VMODE_DOUBLE
28893 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28895 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
28896 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
28897 - 0, FB_VMODE_DOUBLE
28898 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28900 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
28901 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
28902 - 0, FB_VMODE_DOUBLE
28903 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28905 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
28906 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
28907 - 0, FB_VMODE_DOUBLE
28908 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28910 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
28911 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
28912 - 0, FB_VMODE_DOUBLE
28913 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28915 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
28916 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
28917 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28918 - FB_VMODE_NONINTERLACED
28919 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28921 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
28922 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
28923 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28924 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28926 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
28927 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
28928 - 0, FB_VMODE_NONINTERLACED
28929 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28931 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
28932 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
28933 - 0, FB_VMODE_NONINTERLACED
28934 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28936 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28937 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
28938 - 0, FB_VMODE_INTERLACED
28939 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28941 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28942 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
28943 - 0, FB_VMODE_INTERLACED
28944 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28948 diff -urNp linux-2.6.35.7/drivers/video/nvidia/nv_backlight.c linux-2.6.35.7/drivers/video/nvidia/nv_backlight.c
28949 --- linux-2.6.35.7/drivers/video/nvidia/nv_backlight.c 2010-08-26 19:47:12.000000000 -0400
28950 +++ linux-2.6.35.7/drivers/video/nvidia/nv_backlight.c 2010-09-17 20:12:09.000000000 -0400
28951 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
28952 return bd->props.brightness;
28955 -static struct backlight_ops nvidia_bl_ops = {
28956 +static const struct backlight_ops nvidia_bl_ops = {
28957 .get_brightness = nvidia_bl_get_brightness,
28958 .update_status = nvidia_bl_update_status,
28960 diff -urNp linux-2.6.35.7/drivers/video/omap2/displays/panel-taal.c linux-2.6.35.7/drivers/video/omap2/displays/panel-taal.c
28961 --- linux-2.6.35.7/drivers/video/omap2/displays/panel-taal.c 2010-08-26 19:47:12.000000000 -0400
28962 +++ linux-2.6.35.7/drivers/video/omap2/displays/panel-taal.c 2010-09-17 20:12:09.000000000 -0400
28963 @@ -319,7 +319,7 @@ static int taal_bl_get_intensity(struct
28967 -static struct backlight_ops taal_bl_ops = {
28968 +static const struct backlight_ops taal_bl_ops = {
28969 .get_brightness = taal_bl_get_intensity,
28970 .update_status = taal_bl_update_status,
28972 diff -urNp linux-2.6.35.7/drivers/video/riva/fbdev.c linux-2.6.35.7/drivers/video/riva/fbdev.c
28973 --- linux-2.6.35.7/drivers/video/riva/fbdev.c 2010-08-26 19:47:12.000000000 -0400
28974 +++ linux-2.6.35.7/drivers/video/riva/fbdev.c 2010-09-17 20:12:09.000000000 -0400
28975 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
28976 return bd->props.brightness;
28979 -static struct backlight_ops riva_bl_ops = {
28980 +static const struct backlight_ops riva_bl_ops = {
28981 .get_brightness = riva_bl_get_brightness,
28982 .update_status = riva_bl_update_status,
28984 diff -urNp linux-2.6.35.7/drivers/video/uvesafb.c linux-2.6.35.7/drivers/video/uvesafb.c
28985 --- linux-2.6.35.7/drivers/video/uvesafb.c 2010-08-26 19:47:12.000000000 -0400
28986 +++ linux-2.6.35.7/drivers/video/uvesafb.c 2010-09-17 20:12:09.000000000 -0400
28988 #include <linux/io.h>
28989 #include <linux/mutex.h>
28990 #include <linux/slab.h>
28991 +#include <linux/moduleloader.h>
28992 #include <video/edid.h>
28993 #include <video/uvesafb.h>
28995 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
28999 - return call_usermodehelper(v86d_path, argv, envp, 1);
29000 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
29004 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
29005 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
29006 par->pmi_setpal = par->ypan = 0;
29009 +#ifdef CONFIG_PAX_KERNEXEC
29010 +#ifdef CONFIG_MODULES
29011 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
29013 + if (!par->pmi_code) {
29014 + par->pmi_setpal = par->ypan = 0;
29019 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
29020 + task->t.regs.edi);
29022 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29023 + pax_open_kernel();
29024 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
29025 + pax_close_kernel();
29027 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
29028 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
29030 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
29031 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
29034 printk(KERN_INFO "uvesafb: protected mode interface info at "
29036 (u16)task->t.regs.es, (u16)task->t.regs.edi);
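Review bot: The offsets read from `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared against the `(u16)task->t.regs.ecx` length that sized the allocation and the memcpy. A firmware table with an offset beyond that length would leave `pmi_start` or `pmi_pal` pointing outside the executable copy. A bounds test before the two `ktva_ktla()` assignments, falling back to `par->pmi_setpal = par->ypan = 0;` as the existing eax/es test does, would close that. The same pattern appears in the vesafb.c hunk at `-329,9 +339,25`, where `pmi_base[1]` and `pmi_base[2]` are added to `pmi_code` after copying `screen_info.vesapm_size` bytes. uvesafb_vbe_getpmi continues outside this hunk and some lines appear to be missing from this listing, so an existing check may simply not be visible.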
29037 @@ -1800,6 +1823,11 @@ out:
29038 if (par->vbe_modes)
29039 kfree(par->vbe_modes);
29041 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29042 + if (par->pmi_code)
29043 + module_free_exec(NULL, par->pmi_code);
29046 framebuffer_release(info);
29049 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
29050 kfree(par->vbe_state_orig);
29051 if (par->vbe_state_saved)
29052 kfree(par->vbe_state_saved);
29054 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29055 + if (par->pmi_code)
29056 + module_free_exec(NULL, par->pmi_code);
29061 framebuffer_release(info);
29062 diff -urNp linux-2.6.35.7/drivers/video/vesafb.c linux-2.6.35.7/drivers/video/vesafb.c
29063 --- linux-2.6.35.7/drivers/video/vesafb.c 2010-08-26 19:47:12.000000000 -0400
29064 +++ linux-2.6.35.7/drivers/video/vesafb.c 2010-09-17 20:12:09.000000000 -0400
29068 #include <linux/module.h>
29069 +#include <linux/moduleloader.h>
29070 #include <linux/kernel.h>
29071 #include <linux/errno.h>
29072 #include <linux/string.h>
29073 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
29074 static int vram_total __initdata; /* Set total amount of memory */
29075 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
29076 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
29077 -static void (*pmi_start)(void) __read_mostly;
29078 -static void (*pmi_pal) (void) __read_mostly;
29079 +static void (*pmi_start)(void) __read_only;
29080 +static void (*pmi_pal) (void) __read_only;
29081 static int depth __read_mostly;
29082 static int vga_compat __read_mostly;
29083 /* --------------------------------------------------------------------- */
29084 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
29085 unsigned int size_vmode;
29086 unsigned int size_remap;
29087 unsigned int size_total;
29088 + void *pmi_code = NULL;
29090 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
29092 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
29093 size_remap = size_total;
29094 vesafb_fix.smem_len = size_remap;
29097 - screen_info.vesapm_seg = 0;
29100 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
29101 printk(KERN_WARNING
29102 "vesafb: cannot reserve video memory at 0x%lx\n",
29103 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
29104 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
29105 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
29109 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29110 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
29112 +#elif !defined(CONFIG_PAX_KERNEXEC)
29117 + screen_info.vesapm_seg = 0;
29119 if (screen_info.vesapm_seg) {
29120 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
29121 - screen_info.vesapm_seg,screen_info.vesapm_off);
29122 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
29123 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
29126 if (screen_info.vesapm_seg < 0xc000)
29127 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
29129 if (ypan || pmi_setpal) {
29130 unsigned short *pmi_base;
29131 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29132 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
29133 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
29135 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29137 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29138 + pax_open_kernel();
29139 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
29141 + pmi_code = pmi_base;
29144 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
29145 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
29147 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29148 + pmi_start = ktva_ktla(pmi_start);
29149 + pmi_pal = ktva_ktla(pmi_pal);
29150 + pax_close_kernel();
29153 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
29155 printk(KERN_INFO "vesafb: pmi: ports = ");
29156 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
29157 info->node, info->fix.id);
29161 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29162 + module_free_exec(NULL, pmi_code);
29165 if (info->screen_base)
29166 iounmap(info->screen_base);
29167 framebuffer_release(info);
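Review bot: The error path calls `module_free_exec(NULL, pmi_code)` unconditionally, while both uvesafb.c hunks guard the same call with `if (par->pmi_code)`. `pmi_code` is initialised to NULL in the earlier hunk and stays NULL if `module_alloc_exec()` fails, and whether `module_free_exec()` tolerates a NULL pointer is not shown here. Matching the uvesafb form, `if (pmi_code) module_free_exec(NULL, pmi_code);`, would make the two drivers consistent. vesafb_probe begins and ends outside this hunk.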
29168 diff -urNp linux-2.6.35.7/fs/9p/vfs_inode.c linux-2.6.35.7/fs/9p/vfs_inode.c
29169 --- linux-2.6.35.7/fs/9p/vfs_inode.c 2010-08-26 19:47:12.000000000 -0400
29170 +++ linux-2.6.35.7/fs/9p/vfs_inode.c 2010-09-17 20:12:09.000000000 -0400
29171 @@ -1087,7 +1087,7 @@ static void *v9fs_vfs_follow_link(struct
29173 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
29175 - char *s = nd_get_link(nd);
29176 + const char *s = nd_get_link(nd);
29178 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
29179 IS_ERR(s) ? "<error>" : s);
29180 diff -urNp linux-2.6.35.7/fs/aio.c linux-2.6.35.7/fs/aio.c
29181 --- linux-2.6.35.7/fs/aio.c 2010-09-26 17:32:11.000000000 -0400
29182 +++ linux-2.6.35.7/fs/aio.c 2010-09-26 17:32:46.000000000 -0400
29183 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
29184 size += sizeof(struct io_event) * nr_events;
29185 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
29187 - if (nr_pages < 0)
29188 + if (nr_pages <= 0)
29191 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
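Review bot: The tightened test `nr_pages <= 0` has no comment saying why zero is now rejected. The reason is visible on the following line, where `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)` would wrap for a zero page count and yield a huge `nr_events`. I would add `/* nr_pages == 0 would make the nr_events computation below wrap */` above the test. aio_setup_ring continues outside the hunk, so how `size` is bounded before this point is not visible.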
29192 diff -urNp linux-2.6.35.7/fs/attr.c linux-2.6.35.7/fs/attr.c
29193 --- linux-2.6.35.7/fs/attr.c 2010-08-26 19:47:12.000000000 -0400
29194 +++ linux-2.6.35.7/fs/attr.c 2010-09-17 20:12:37.000000000 -0400
29195 @@ -82,6 +82,7 @@ int inode_newsize_ok(const struct inode
29196 unsigned long limit;
29198 limit = rlimit(RLIMIT_FSIZE);
29199 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
29200 if (limit != RLIM_INFINITY && offset > limit)
29202 if (offset > inode->i_sb->s_maxbytes)
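Review bot: The value passed to `gr_learn_resource()` is `(unsigned long)offset`, while the limit test on the next line compares the uncast `offset`. If `offset` is a 64-bit `loff_t` (its declaration is outside the hunk), the cast truncates it on 32-bit builds, so the learned RLIMIT_FSIZE figure can be smaller than the size that was actually checked. Either clamp before the call or note the truncation, e.g. `/* learning value is truncated to unsigned long on 32-bit */`.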
29203 diff -urNp linux-2.6.35.7/fs/autofs/root.c linux-2.6.35.7/fs/autofs/root.c
29204 --- linux-2.6.35.7/fs/autofs/root.c 2010-08-26 19:47:12.000000000 -0400
29205 +++ linux-2.6.35.7/fs/autofs/root.c 2010-09-17 20:12:09.000000000 -0400
29206 @@ -301,7 +301,8 @@ static int autofs_root_symlink(struct in
29207 set_bit(n,sbi->symlink_bitmap);
29208 sl = &sbi->symlink[n];
29209 sl->len = strlen(symname);
29210 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
29211 + slsize = sl->len+1;
29212 + sl->data = kmalloc(slsize, GFP_KERNEL);
29214 clear_bit(n,sbi->symlink_bitmap);
29216 diff -urNp linux-2.6.35.7/fs/autofs4/symlink.c linux-2.6.35.7/fs/autofs4/symlink.c
29217 --- linux-2.6.35.7/fs/autofs4/symlink.c 2010-08-26 19:47:12.000000000 -0400
29218 +++ linux-2.6.35.7/fs/autofs4/symlink.c 2010-09-17 20:12:09.000000000 -0400
29220 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
29222 struct autofs_info *ino = autofs4_dentry_ino(dentry);
29223 - nd_set_link(nd, (char *)ino->u.symlink);
29224 + nd_set_link(nd, ino->u.symlink);
29228 diff -urNp linux-2.6.35.7/fs/befs/linuxvfs.c linux-2.6.35.7/fs/befs/linuxvfs.c
29229 --- linux-2.6.35.7/fs/befs/linuxvfs.c 2010-08-26 19:47:12.000000000 -0400
29230 +++ linux-2.6.35.7/fs/befs/linuxvfs.c 2010-09-17 20:12:09.000000000 -0400
29231 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
29233 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
29234 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
29235 - char *link = nd_get_link(nd);
29236 + const char *link = nd_get_link(nd);
29240 diff -urNp linux-2.6.35.7/fs/binfmt_aout.c linux-2.6.35.7/fs/binfmt_aout.c
29241 --- linux-2.6.35.7/fs/binfmt_aout.c 2010-08-26 19:47:12.000000000 -0400
29242 +++ linux-2.6.35.7/fs/binfmt_aout.c 2010-09-23 20:16:12.000000000 -0400
29244 #include <linux/string.h>
29245 #include <linux/fs.h>
29246 #include <linux/file.h>
29247 +#include <linux/security.h>
29248 #include <linux/stat.h>
29249 #include <linux/fcntl.h>
29250 #include <linux/ptrace.h>
29251 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
29253 # define START_STACK(u) ((void __user *)u.start_stack)
29255 + memset(&dump, 0, sizeof(dump));
29260 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
29262 /* If the size of the dump file exceeds the rlimit, then see what would happen
29263 if we wrote the stack, but not the data area. */
29264 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
29265 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
29268 /* Make sure we have enough room to write the stack and data areas. */
29269 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
29270 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
29273 @@ -134,10 +139,7 @@ static int aout_core_dump(struct coredum
29274 if (!dump_write(file, dump_start, dump_size))
29277 -/* Finally dump the task struct. Not be used by gdb, but could be useful */
29278 - set_fs(KERNEL_DS);
29279 - if (!dump_write(file, current, sizeof(*current)))
29280 - goto end_coredump;
29281 +/* Finally let's not dump the task struct. Not be used by gdb, but could be useful to an attacker */
29285 @@ -238,6 +240,8 @@ static int load_aout_binary(struct linux
29286 rlim = rlimit(RLIMIT_DATA);
29287 if (rlim >= RLIM_INFINITY)
29290 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
29291 if (ex.a_data + ex.a_bss > rlim)
29294 @@ -266,6 +270,27 @@ static int load_aout_binary(struct linux
29295 install_exec_creds(bprm);
29296 current->flags &= ~PF_FORKNOEXEC;
29298 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29299 + current->mm->pax_flags = 0UL;
29302 +#ifdef CONFIG_PAX_PAGEEXEC
29303 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
29304 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
29306 +#ifdef CONFIG_PAX_EMUTRAMP
29307 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
29308 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
29311 +#ifdef CONFIG_PAX_MPROTECT
29312 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
29313 + current->mm->pax_flags |= MF_PAX_MPROTECT;
29319 if (N_MAGIC(ex) == OMAGIC) {
29320 unsigned long text_addr, map_size;
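Review bot: The three header bits are tested with opposite polarity and nothing in the block says so. `MF_PAX_PAGEEXEC` and `MF_PAX_MPROTECT` are set when `F_PAX_PAGEEXEC` / `F_PAX_MPROTECT` are clear in `N_FLAGS(ex)`, while `MF_PAX_EMUTRAMP` is set when `F_PAX_EMUTRAMP` is present. A one-line comment above the block would prevent a later edit from "fixing" the negations: `/* F_PAX_PAGEEXEC and F_PAX_MPROTECT are opt-out bits; F_PAX_EMUTRAMP is opt-in */`. It would also help to state that the EMUTRAMP test sits inside the PAGEEXEC branch on purpose, if it does; the closing lines of that branch are missing from this listing.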
29322 @@ -338,7 +363,7 @@ static int load_aout_binary(struct linux
29324 down_write(¤t->mm->mmap_sem);
29325 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
29326 - PROT_READ | PROT_WRITE | PROT_EXEC,
29327 + PROT_READ | PROT_WRITE,
29328 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29329 fd_offset + ex.a_text);
29330 up_write(¤t->mm->mmap_sem);
29331 diff -urNp linux-2.6.35.7/fs/binfmt_elf.c linux-2.6.35.7/fs/binfmt_elf.c
29332 --- linux-2.6.35.7/fs/binfmt_elf.c 2010-08-26 19:47:12.000000000 -0400
29333 +++ linux-2.6.35.7/fs/binfmt_elf.c 2010-09-17 20:12:37.000000000 -0400
29334 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
29335 #define elf_core_dump NULL
29338 +#ifdef CONFIG_PAX_MPROTECT
29339 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29342 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29343 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
29345 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
29346 .load_binary = load_elf_binary,
29347 .load_shlib = load_elf_library,
29348 .core_dump = elf_core_dump,
29350 +#ifdef CONFIG_PAX_MPROTECT
29351 + .handle_mprotect= elf_handle_mprotect,
29354 .min_coredump = ELF_EXEC_PAGESIZE,
29357 @@ -78,6 +87,8 @@ static struct linux_binfmt elf_format =
29359 static int set_brk(unsigned long start, unsigned long end)
29361 + unsigned long e = end;
29363 start = ELF_PAGEALIGN(start);
29364 end = ELF_PAGEALIGN(end);
29366 @@ -88,7 +99,7 @@ static int set_brk(unsigned long start,
29367 if (BAD_ADDR(addr))
29370 - current->mm->start_brk = current->mm->brk = end;
29371 + current->mm->start_brk = current->mm->brk = e;
29375 @@ -149,7 +160,7 @@ create_elf_tables(struct linux_binprm *b
29376 elf_addr_t __user *u_rand_bytes;
29377 const char *k_platform = ELF_PLATFORM;
29378 const char *k_base_platform = ELF_BASE_PLATFORM;
29379 - unsigned char k_rand_bytes[16];
29380 + u32 k_rand_bytes[4];
29382 elf_addr_t *elf_info;
29384 @@ -196,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
29385 * Generate 16 random bytes for userspace PRNG seeding.
29387 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
29388 - u_rand_bytes = (elf_addr_t __user *)
29389 - STACK_ALLOC(p, sizeof(k_rand_bytes));
29390 + srandom32(k_rand_bytes[0] ^ random32());
29391 + srandom32(k_rand_bytes[1] ^ random32());
29392 + srandom32(k_rand_bytes[2] ^ random32());
29393 + srandom32(k_rand_bytes[3] ^ random32());
29394 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
29395 + u_rand_bytes = (elf_addr_t __user *) p;
29396 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
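Review bot: The four words mixed into the `random32()` state via `srandom32(k_rand_bytes[n] ^ random32())` are the same words that `__copy_to_user()` hands to the new process a few lines later. Every process therefore learns one operand of each reseed input. How much that matters depends on `srandom32()`, which is not shown, but drawing a separate value avoids the question: `u32 seed; get_random_bytes(&seed, sizeof(seed)); srandom32(seed);`. The replacement of `STACK_ALLOC` by `STACK_ROUND` also deserves a comment stating the alignment it is meant to guarantee. create_elf_tables continues outside the hunk.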
29399 @@ -386,10 +401,10 @@ static unsigned long load_elf_interp(str
29401 struct elf_phdr *elf_phdata;
29402 struct elf_phdr *eppnt;
29403 - unsigned long load_addr = 0;
29404 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29405 int load_addr_set = 0;
29406 unsigned long last_bss = 0, elf_bss = 0;
29407 - unsigned long error = ~0UL;
29408 + unsigned long error = -EINVAL;
29409 unsigned long total_size;
29410 int retval, i, size;
29412 @@ -435,6 +450,11 @@ static unsigned long load_elf_interp(str
29416 +#ifdef CONFIG_PAX_SEGMEXEC
29417 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29418 + pax_task_size = SEGMEXEC_TASK_SIZE;
29421 eppnt = elf_phdata;
29422 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29423 if (eppnt->p_type == PT_LOAD) {
29424 @@ -478,8 +498,8 @@ static unsigned long load_elf_interp(str
29425 k = load_addr + eppnt->p_vaddr;
29427 eppnt->p_filesz > eppnt->p_memsz ||
29428 - eppnt->p_memsz > TASK_SIZE ||
29429 - TASK_SIZE - eppnt->p_memsz < k) {
29430 + eppnt->p_memsz > pax_task_size ||
29431 + pax_task_size - eppnt->p_memsz < k) {
29435 @@ -533,6 +553,177 @@ out:
29439 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
29440 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
29442 + unsigned long pax_flags = 0UL;
29444 +#ifdef CONFIG_PAX_PAGEEXEC
29445 + if (elf_phdata->p_flags & PF_PAGEEXEC)
29446 + pax_flags |= MF_PAX_PAGEEXEC;
29449 +#ifdef CONFIG_PAX_SEGMEXEC
29450 + if (elf_phdata->p_flags & PF_SEGMEXEC)
29451 + pax_flags |= MF_PAX_SEGMEXEC;
29454 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29455 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29456 + if ((__supported_pte_mask & _PAGE_NX))
29457 + pax_flags &= ~MF_PAX_SEGMEXEC;
29459 + pax_flags &= ~MF_PAX_PAGEEXEC;
29463 +#ifdef CONFIG_PAX_EMUTRAMP
29464 + if (elf_phdata->p_flags & PF_EMUTRAMP)
29465 + pax_flags |= MF_PAX_EMUTRAMP;
29468 +#ifdef CONFIG_PAX_MPROTECT
29469 + if (elf_phdata->p_flags & PF_MPROTECT)
29470 + pax_flags |= MF_PAX_MPROTECT;
29473 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29474 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29475 + pax_flags |= MF_PAX_RANDMMAP;
29478 + return pax_flags;
29482 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29483 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29485 + unsigned long pax_flags = 0UL;
29487 +#ifdef CONFIG_PAX_PAGEEXEC
29488 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29489 + pax_flags |= MF_PAX_PAGEEXEC;
29492 +#ifdef CONFIG_PAX_SEGMEXEC
29493 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29494 + pax_flags |= MF_PAX_SEGMEXEC;
29497 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29498 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29499 + if ((__supported_pte_mask & _PAGE_NX))
29500 + pax_flags &= ~MF_PAX_SEGMEXEC;
29502 + pax_flags &= ~MF_PAX_PAGEEXEC;
29506 +#ifdef CONFIG_PAX_EMUTRAMP
29507 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29508 + pax_flags |= MF_PAX_EMUTRAMP;
29511 +#ifdef CONFIG_PAX_MPROTECT
29512 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29513 + pax_flags |= MF_PAX_MPROTECT;
29516 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29517 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29518 + pax_flags |= MF_PAX_RANDMMAP;
29521 + return pax_flags;
29525 +#ifdef CONFIG_PAX_EI_PAX
29526 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29528 + unsigned long pax_flags = 0UL;
29530 +#ifdef CONFIG_PAX_PAGEEXEC
29531 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29532 + pax_flags |= MF_PAX_PAGEEXEC;
29535 +#ifdef CONFIG_PAX_SEGMEXEC
29536 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29537 + pax_flags |= MF_PAX_SEGMEXEC;
29540 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29541 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29542 + if ((__supported_pte_mask & _PAGE_NX))
29543 + pax_flags &= ~MF_PAX_SEGMEXEC;
29545 + pax_flags &= ~MF_PAX_PAGEEXEC;
29549 +#ifdef CONFIG_PAX_EMUTRAMP
29550 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29551 + pax_flags |= MF_PAX_EMUTRAMP;
29554 +#ifdef CONFIG_PAX_MPROTECT
29555 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29556 + pax_flags |= MF_PAX_MPROTECT;
29559 +#ifdef CONFIG_PAX_ASLR
29560 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29561 + pax_flags |= MF_PAX_RANDMMAP;
29564 + return pax_flags;
29568 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29569 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29571 + unsigned long pax_flags = 0UL;
29573 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29577 +#ifdef CONFIG_PAX_EI_PAX
29578 + pax_flags = pax_parse_ei_pax(elf_ex);
29581 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29582 + for (i = 0UL; i < elf_ex->e_phnum; i++)
29583 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29584 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29585 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29586 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29587 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29588 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29591 +#ifdef CONFIG_PAX_SOFTMODE
29592 + if (pax_softmode)
29593 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
29597 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29602 + if (0 > pax_check_flags(&pax_flags))
29605 + current->mm->pax_flags = pax_flags;
29611 * These are the functions used to load ELF style executables and shared
29612 * libraries. There is no binary dependent code anywhere else.
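Review bot: `pax_parse_softmode()`, `pax_parse_hardmode()` and `pax_parse_ei_pax()` are added without any comment, and they read the marking bits with different polarity. Softmode enables a feature only when `PF_PAGEEXEC`, `PF_MPROTECT` etc. are set. Hardmode enables it unless `PF_NOPAGEEXEC`, `PF_NOMPROTECT` etc. are set. The EI_PAX parser enables it when the `EF_PAX_*` bit is clear, except for `EF_PAX_EMUTRAMP`, which must be set. I would put a short header on each, e.g. `/* softmode: features are off unless the PF_* bit asks for them */` and `/* hardmode: features are on unless the PF_NO* bit opts out */`. `pax_parse_elf_flags()` should also document that a PT_PAX_FLAGS header carrying both a `PF_x` and its `PF_NOx` bit is rejected. The three parsers also repeat the same PAGEEXEC/SEGMEXEC arbitration on `__supported_pte_mask & _PAGE_NX`, which would be easier to audit as one helper.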
29613 @@ -549,6 +740,11 @@ static unsigned long randomize_stack_top
29615 unsigned int random_variable = 0;
29617 +#ifdef CONFIG_PAX_RANDUSTACK
29618 + if (randomize_va_space)
29619 + return stack_top - current->mm->delta_stack;
29622 if ((current->flags & PF_RANDOMIZE) &&
29623 !(current->personality & ADDR_NO_RANDOMIZE)) {
29624 random_variable = get_random_int() & STACK_RND_MASK;
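Review bot: The new early return `return stack_top - current->mm->delta_stack;` is taken whenever `randomize_va_space` is set, so the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test below it is never consulted under CONFIG_PAX_RANDUSTACK. In the load_elf_binary hunk `delta_stack` is reset to 0 and filled only when `MF_PAX_RANDMMAP` is set, so a binary without that flag gets `stack_top` unchanged rather than the stock randomisation. If that is intended, say so in a comment: `/* PaX: stack offset comes from delta_stack only; 0 when RANDMMAP is off */`. randomize_stack_top continues outside the hunk.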
29625 @@ -567,7 +763,7 @@ static int load_elf_binary(struct linux_
29626 unsigned long load_addr = 0, load_bias = 0;
29627 int load_addr_set = 0;
29628 char * elf_interpreter = NULL;
29629 - unsigned long error;
29630 + unsigned long error = 0;
29631 struct elf_phdr *elf_ppnt, *elf_phdata;
29632 unsigned long elf_bss, elf_brk;
29634 @@ -577,11 +773,11 @@ static int load_elf_binary(struct linux_
29635 unsigned long start_code, end_code, start_data, end_data;
29636 unsigned long reloc_func_desc = 0;
29637 int executable_stack = EXSTACK_DEFAULT;
29638 - unsigned long def_flags = 0;
29640 struct elfhdr elf_ex;
29641 struct elfhdr interp_elf_ex;
29643 + unsigned long pax_task_size = TASK_SIZE;
29645 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29647 @@ -719,11 +915,80 @@ static int load_elf_binary(struct linux_
29649 /* OK, This is the point of no return */
29650 current->flags &= ~PF_FORKNOEXEC;
29651 - current->mm->def_flags = def_flags;
29653 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29654 + current->mm->pax_flags = 0UL;
29657 +#ifdef CONFIG_PAX_DLRESOLVE
29658 + current->mm->call_dl_resolve = 0UL;
29661 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29662 + current->mm->call_syscall = 0UL;
29665 +#ifdef CONFIG_PAX_ASLR
29666 + current->mm->delta_mmap = 0UL;
29667 + current->mm->delta_stack = 0UL;
29670 + current->mm->def_flags = 0;
29672 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29673 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29674 + send_sig(SIGKILL, current, 0);
29675 + goto out_free_dentry;
29679 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29680 + pax_set_initial_flags(bprm);
29681 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29682 + if (pax_set_initial_flags_func)
29683 + (pax_set_initial_flags_func)(bprm);
29686 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29687 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
29688 + current->mm->context.user_cs_limit = PAGE_SIZE;
29689 + current->mm->def_flags |= VM_PAGEEXEC;
29693 +#ifdef CONFIG_PAX_SEGMEXEC
29694 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29695 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29696 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29697 + pax_task_size = SEGMEXEC_TASK_SIZE;
29701 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29702 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29703 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29708 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29709 may depend on the personality. */
29710 SET_PERSONALITY(loc->elf_ex);
29712 +#ifdef CONFIG_PAX_ASLR
29713 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29714 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29715 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29719 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29720 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29721 + executable_stack = EXSTACK_DISABLE_X;
29722 + current->personality &= ~READ_IMPLIES_EXEC;
29726 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29727 current->personality |= READ_IMPLIES_EXEC;
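Review bot: The new failure path for `pax_parse_elf_flags()` sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`, so the function returns whatever `retval` held before. If that is 0 from the preceding successful step (not visible in this hunk), the caller sees a successful load. Setting it explicitly, `retval = -EINVAL;` before the `goto`, keeps the error path unambiguous. load_elf_binary starts and ends outside this hunk.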
29729 @@ -805,6 +1070,20 @@ static int load_elf_binary(struct linux_
29731 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29734 +#ifdef CONFIG_PAX_RANDMMAP
29735 + /* PaX: randomize base address at the default exe base if requested */
29736 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29737 +#ifdef CONFIG_SPARC64
29738 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29740 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29742 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29743 + elf_flags |= MAP_FIXED;
29749 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
29750 @@ -837,9 +1116,9 @@ static int load_elf_binary(struct linux_
29751 * allowed task size. Note that p_filesz must always be
29752 * <= p_memsz so it is only necessary to check p_memsz.
29754 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29755 - elf_ppnt->p_memsz > TASK_SIZE ||
29756 - TASK_SIZE - elf_ppnt->p_memsz < k) {
29757 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29758 + elf_ppnt->p_memsz > pax_task_size ||
29759 + pax_task_size - elf_ppnt->p_memsz < k) {
29760 /* set_brk can never work. Avoid overflows. */
29761 send_sig(SIGKILL, current, 0);
29763 @@ -867,6 +1146,11 @@ static int load_elf_binary(struct linux_
29764 start_data += load_bias;
29765 end_data += load_bias;
29767 +#ifdef CONFIG_PAX_RANDMMAP
29768 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29769 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
29772 /* Calling set_brk effectively mmaps the pages that we need
29773 * for the bss and break sections. We must do this before
29774 * mapping in the interpreter, to make sure it doesn't wind
29775 @@ -878,9 +1162,11 @@ static int load_elf_binary(struct linux_
29776 goto out_free_dentry;
29778 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
29779 - send_sig(SIGSEGV, current, 0);
29780 - retval = -EFAULT; /* Nobody gets to see this, but.. */
29781 - goto out_free_dentry;
29783 + * This bss-zeroing can fail if the ELF
29784 + * file specifies odd protections. So
29785 + * we don't check the return value
29789 if (elf_interpreter) {
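Review bot: After this change the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` statement is kept with a body that holds only a comment. `padzero()` is now called purely for its side effect inside a condition, which is easy to misread as dead code. Writing the intent directly is clearer: `if (likely(elf_bss != elf_brk)) padzero(elf_bss); /* may fail on odd protections; result ignored on purpose */`. The comment should also say what the tail of the last bss page contains when the zeroing does fail, because the process now continues instead of receiving SIGSEGV.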
29790 @@ -1091,7 +1377,7 @@ out:
29791 * Decide what to dump of a segment, part, all or none.
29793 static unsigned long vma_dump_size(struct vm_area_struct *vma,
29794 - unsigned long mm_flags)
29795 + unsigned long mm_flags, long signr)
29797 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
29799 @@ -1125,7 +1411,7 @@ static unsigned long vma_dump_size(struc
29800 if (vma->vm_file == NULL)
29803 - if (FILTER(MAPPED_PRIVATE))
29804 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
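Review bot: The added `signr == SIGKILL ||` makes the MAPPED_PRIVATE branch apply regardless of the task's coredump filter bits, and neither the condition nor the new `signr` parameter is explained. A comment such as `/* SIGKILL dumps override the MAPPED_PRIVATE filter bit: <reason> */` is needed, since this overrides a user-controlled setting and can put file-backed private mappings into a core file that the filter would have excluded. The lines that follow the test are missing from this listing and vma_dump_size extends beyond the hunk, so the exact effect of the branch cannot be confirmed from here.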
29808 @@ -1347,9 +1633,9 @@ static void fill_auxv_note(struct memelf
29810 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
29815 - while (auxv[i - 2] != AT_NULL);
29816 + } while (auxv[i - 2] != AT_NULL);
29817 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
29820 @@ -1855,14 +2141,14 @@ static void fill_extnum_info(struct elfh
29823 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
29824 - unsigned long mm_flags)
29825 + struct coredump_params *cprm)
29827 struct vm_area_struct *vma;
29830 for (vma = first_vma(current, gate_vma); vma != NULL;
29831 vma = next_vma(vma, gate_vma))
29832 - size += vma_dump_size(vma, mm_flags);
29833 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29837 @@ -1956,7 +2242,7 @@ static int elf_core_dump(struct coredump
29839 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
29841 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
29842 + offset += elf_core_vma_data_size(gate_vma, cprm);
29843 offset += elf_core_extra_data_size();
29846 @@ -1970,10 +2256,12 @@ static int elf_core_dump(struct coredump
29849 size += sizeof(*elf);
29850 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29851 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
29854 size += sizeof(*phdr4note);
29855 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29856 if (size > cprm->limit
29857 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
29859 @@ -1987,7 +2275,7 @@ static int elf_core_dump(struct coredump
29860 phdr.p_offset = offset;
29861 phdr.p_vaddr = vma->vm_start;
29863 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
29864 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29865 phdr.p_memsz = vma->vm_end - vma->vm_start;
29866 offset += phdr.p_filesz;
29867 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
29868 @@ -1998,6 +2286,7 @@ static int elf_core_dump(struct coredump
29869 phdr.p_align = ELF_EXEC_PAGESIZE;
29871 size += sizeof(phdr);
29872 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29873 if (size > cprm->limit
29874 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
29876 @@ -2022,7 +2311,7 @@ static int elf_core_dump(struct coredump
29877 unsigned long addr;
29880 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
29881 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29883 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
29885 @@ -2031,6 +2320,7 @@ static int elf_core_dump(struct coredump
29886 page = get_dump_page(addr);
29888 void *kaddr = kmap(page);
29889 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
29890 stop = ((size += PAGE_SIZE) > cprm->limit) ||
29891 !dump_write(cprm->file, kaddr,
29893 @@ -2048,6 +2338,7 @@ static int elf_core_dump(struct coredump
29895 if (e_phnum == PN_XNUM) {
29896 size += sizeof(*shdr4extnum);
29897 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29898 if (size > cprm->limit
29899 || !dump_write(cprm->file, shdr4extnum,
29900 sizeof(*shdr4extnum)))
29901 @@ -2068,6 +2359,97 @@ out:
29903 #endif /* CONFIG_ELF_CORE */
29905 +#ifdef CONFIG_PAX_MPROTECT
29906 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
29907 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
29908 + * we'll remove VM_MAYWRITE for good on RELRO segments.
29910 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
29911 + * basis because we want to allow the common case and not the special ones.
29913 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
29915 + struct elfhdr elf_h;
29916 + struct elf_phdr elf_p;
29918 + unsigned long oldflags;
29919 + bool is_textrel_rw, is_textrel_rx, is_relro;
29921 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
29924 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
29925 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
29927 +#ifdef CONFIG_PAX_ELFRELOCS
29928 + /* possible TEXTREL */
29929 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
29930 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
29932 + is_textrel_rw = false;
29933 + is_textrel_rx = false;
29936 + /* possible RELRO */
29937 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
29939 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
29942 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
29943 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
29945 +#ifdef CONFIG_PAX_ETEXECRELOCS
29946 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29948 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
29951 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29952 + !elf_check_arch(&elf_h) ||
29953 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
29954 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
29957 + for (i = 0UL; i < elf_h.e_phnum; i++) {
29958 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
29960 + switch (elf_p.p_type) {
29962 + if (!is_textrel_rw && !is_textrel_rx)
29965 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
29968 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
29970 + if (dyn.d_tag == DT_NULL)
29972 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
29973 + gr_log_textrel(vma);
29974 + if (is_textrel_rw)
29975 + vma->vm_flags |= VM_MAYWRITE;
29977 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
29978 + vma->vm_flags &= ~VM_MAYWRITE;
29985 + case PT_GNU_RELRO:
29988 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
29989 + vma->vm_flags &= ~VM_MAYWRITE;
29996 static int __init init_elf_binfmt(void)
29998 return register_binfmt(&elf_format);
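Review bot: The PT_DYNAMIC walk in elf_handle_mprotect reuses the program-header index `i` as the dynamic-entry index: `while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz)` sits inside `for (i = 0UL; i < elf_h.e_phnum; i++)`. That is only correct if `i` is reset before the inner loop and every path out of that case leaves the function, and several lines of this hunk are missing from the view, so neither can be confirmed here. A separate counter, for example `unsigned long j;` used as `elf_p.p_offset + j*sizeof(dyn)`, would keep the outer loop intact if a later edit lets control fall back into it. The header comment should also state that `e_phoff`, `p_offset` and `p_filesz` are read from the mapped file at mprotect time and are untrusted, since they decide whether `VM_MAYWRITE` is granted or removed.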
29999 diff -urNp linux-2.6.35.7/fs/binfmt_flat.c linux-2.6.35.7/fs/binfmt_flat.c
30000 --- linux-2.6.35.7/fs/binfmt_flat.c 2010-08-26 19:47:12.000000000 -0400
30001 +++ linux-2.6.35.7/fs/binfmt_flat.c 2010-09-17 20:12:09.000000000 -0400
30002 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
30003 realdatastart = (unsigned long) -ENOMEM;
30004 printk("Unable to allocate RAM for process data, errno %d\n",
30005 (int)-realdatastart);
30006 + down_write(¤t->mm->mmap_sem);
30007 do_munmap(current->mm, textpos, text_len);
30008 + up_write(¤t->mm->mmap_sem);
30009 ret = realdatastart;
30012 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
30014 if (IS_ERR_VALUE(result)) {
30015 printk("Unable to read data+bss, errno %d\n", (int)-result);
30016 + down_write(¤t->mm->mmap_sem);
30017 do_munmap(current->mm, textpos, text_len);
30018 do_munmap(current->mm, realdatastart, len);
30019 + up_write(¤t->mm->mmap_sem);
30023 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
30025 if (IS_ERR_VALUE(result)) {
30026 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
30027 + down_write(¤t->mm->mmap_sem);
30028 do_munmap(current->mm, textpos, text_len + data_len + extra +
30029 MAX_SHARED_LIBS * sizeof(unsigned long));
30030 + up_write(¤t->mm->mmap_sem);
30034 diff -urNp linux-2.6.35.7/fs/binfmt_misc.c linux-2.6.35.7/fs/binfmt_misc.c
30035 --- linux-2.6.35.7/fs/binfmt_misc.c 2010-09-20 17:33:09.000000000 -0400
30036 +++ linux-2.6.35.7/fs/binfmt_misc.c 2010-09-20 17:33:32.000000000 -0400
30037 @@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
30038 static struct tree_descr bm_files[] = {
30039 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
30040 [3] = {"register", &bm_register_operations, S_IWUSR},
30041 - /* last one */ {""}
30042 + /* last one */ {"", NULL, 0}
30044 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
30046 diff -urNp linux-2.6.35.7/fs/bio.c linux-2.6.35.7/fs/bio.c
30047 --- linux-2.6.35.7/fs/bio.c 2010-08-26 19:47:12.000000000 -0400
30048 +++ linux-2.6.35.7/fs/bio.c 2010-09-17 20:12:09.000000000 -0400
30049 @@ -1213,7 +1213,7 @@ static void bio_copy_kern_endio(struct b
30050 const int read = bio_data_dir(bio) == READ;
30051 struct bio_map_data *bmd = bio->bi_private;
30053 - char *p = bmd->sgvecs[0].iov_base;
30054 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
30056 __bio_for_each_segment(bvec, bio, i, 0) {
30057 char *addr = page_address(bvec->bv_page);
30058 diff -urNp linux-2.6.35.7/fs/block_dev.c linux-2.6.35.7/fs/block_dev.c
30059 --- linux-2.6.35.7/fs/block_dev.c 2010-08-26 19:47:12.000000000 -0400
30060 +++ linux-2.6.35.7/fs/block_dev.c 2010-09-17 20:12:09.000000000 -0400
30061 @@ -647,7 +647,7 @@ static bool bd_may_claim(struct block_de
30062 else if (bdev->bd_contains == bdev)
30063 return true; /* is a whole device which isn't held */
30065 - else if (whole->bd_holder == bd_claim)
30066 + else if (whole->bd_holder == (void *)bd_claim)
30067 return true; /* is a partition of a device that is being partitioned */
30068 else if (whole->bd_holder != NULL)
30069 return false; /* is a partition of a held device */
30070 diff -urNp linux-2.6.35.7/fs/btrfs/ctree.c linux-2.6.35.7/fs/btrfs/ctree.c
30071 --- linux-2.6.35.7/fs/btrfs/ctree.c 2010-08-26 19:47:12.000000000 -0400
30072 +++ linux-2.6.35.7/fs/btrfs/ctree.c 2010-10-11 22:41:44.000000000 -0400
30073 @@ -468,9 +468,12 @@ static noinline int __btrfs_cow_block(st
30074 free_extent_buffer(buf);
30075 add_root_to_dirty_list(root);
30077 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
30078 - parent_start = parent->start;
30080 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
30082 + parent_start = parent->start;
30084 + parent_start = 0;
30088 WARN_ON(trans->transid != btrfs_header_generation(parent));
30089 @@ -3763,7 +3766,6 @@ setup_items_for_insert(struct btrfs_tran
30093 - struct btrfs_disk_key disk_key;
30094 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
30095 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
30097 diff -urNp linux-2.6.35.7/fs/btrfs/disk-io.c linux-2.6.35.7/fs/btrfs/disk-io.c
30098 --- linux-2.6.35.7/fs/btrfs/disk-io.c 2010-08-26 19:47:12.000000000 -0400
30099 +++ linux-2.6.35.7/fs/btrfs/disk-io.c 2010-09-17 20:12:09.000000000 -0400
30101 #include "tree-log.h"
30102 #include "free-space-cache.h"
30104 -static struct extent_io_ops btree_extent_io_ops;
30105 +static const struct extent_io_ops btree_extent_io_ops;
30106 static void end_workqueue_fn(struct btrfs_work *work);
30107 static void free_fs_root(struct btrfs_root *root);
30109 @@ -2597,7 +2597,7 @@ out:
30113 -static struct extent_io_ops btree_extent_io_ops = {
30114 +static const struct extent_io_ops btree_extent_io_ops = {
30115 .write_cache_pages_lock_hook = btree_lock_page_hook,
30116 .readpage_end_io_hook = btree_readpage_end_io_hook,
30117 .submit_bio_hook = btree_submit_bio_hook,
30118 diff -urNp linux-2.6.35.7/fs/btrfs/extent_io.h linux-2.6.35.7/fs/btrfs/extent_io.h
30119 --- linux-2.6.35.7/fs/btrfs/extent_io.h 2010-08-26 19:47:12.000000000 -0400
30120 +++ linux-2.6.35.7/fs/btrfs/extent_io.h 2010-09-17 20:12:09.000000000 -0400
30121 @@ -51,36 +51,36 @@ typedef int (extent_submit_bio_hook_t)(s
30122 struct bio *bio, int mirror_num,
30123 unsigned long bio_flags, u64 bio_offset);
30124 struct extent_io_ops {
30125 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
30126 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
30127 u64 start, u64 end, int *page_started,
30128 unsigned long *nr_written);
30129 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
30130 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
30131 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
30132 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
30133 extent_submit_bio_hook_t *submit_bio_hook;
30134 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
30135 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
30136 size_t size, struct bio *bio,
30137 unsigned long bio_flags);
30138 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
30139 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
30140 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
30141 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
30142 u64 start, u64 end,
30143 struct extent_state *state);
30144 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
30145 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
30146 u64 start, u64 end,
30147 struct extent_state *state);
30148 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30149 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30150 struct extent_state *state);
30151 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30152 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30153 struct extent_state *state, int uptodate);
30154 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
30155 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
30157 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
30158 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
30160 - int (*merge_extent_hook)(struct inode *inode,
30161 + int (* const merge_extent_hook)(struct inode *inode,
30162 struct extent_state *new,
30163 struct extent_state *other);
30164 - int (*split_extent_hook)(struct inode *inode,
30165 + int (* const split_extent_hook)(struct inode *inode,
30166 struct extent_state *orig, u64 split);
30167 - int (*write_cache_pages_lock_hook)(struct page *page);
30168 + int (* const write_cache_pages_lock_hook)(struct page *page);
30171 struct extent_io_tree {
30172 @@ -90,7 +90,7 @@ struct extent_io_tree {
30175 spinlock_t buffer_lock;
30176 - struct extent_io_ops *ops;
30177 + const struct extent_io_ops *ops;
30180 struct extent_state {
30181 diff -urNp linux-2.6.35.7/fs/btrfs/free-space-cache.c linux-2.6.35.7/fs/btrfs/free-space-cache.c
30182 --- linux-2.6.35.7/fs/btrfs/free-space-cache.c 2010-08-26 19:47:12.000000000 -0400
30183 +++ linux-2.6.35.7/fs/btrfs/free-space-cache.c 2010-09-17 20:12:09.000000000 -0400
30184 @@ -1075,8 +1075,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
30187 if (entry->bytes < bytes || entry->offset < min_start) {
30188 - struct rb_node *node;
30190 node = rb_next(&entry->offset_index);
30193 @@ -1227,7 +1225,7 @@ again:
30195 while (entry->bitmap || found_bitmap ||
30196 (!entry->bitmap && entry->bytes < min_bytes)) {
30197 - struct rb_node *node = rb_next(&entry->offset_index);
30198 + node = rb_next(&entry->offset_index);
30200 if (entry->bitmap && entry->bytes > bytes + empty_size) {
30201 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
30202 diff -urNp linux-2.6.35.7/fs/btrfs/inode.c linux-2.6.35.7/fs/btrfs/inode.c
30203 --- linux-2.6.35.7/fs/btrfs/inode.c 2010-08-26 19:47:12.000000000 -0400
30204 +++ linux-2.6.35.7/fs/btrfs/inode.c 2010-09-17 20:12:09.000000000 -0400
30205 @@ -64,7 +64,7 @@ static const struct inode_operations btr
30206 static const struct address_space_operations btrfs_aops;
30207 static const struct address_space_operations btrfs_symlink_aops;
30208 static const struct file_operations btrfs_dir_file_operations;
30209 -static struct extent_io_ops btrfs_extent_io_ops;
30210 +static const struct extent_io_ops btrfs_extent_io_ops;
30212 static struct kmem_cache *btrfs_inode_cachep;
30213 struct kmem_cache *btrfs_trans_handle_cachep;
30214 @@ -6958,7 +6958,7 @@ static const struct file_operations btrf
30215 .fsync = btrfs_sync_file,
30218 -static struct extent_io_ops btrfs_extent_io_ops = {
30219 +static const struct extent_io_ops btrfs_extent_io_ops = {
30220 .fill_delalloc = run_delalloc_range,
30221 .submit_bio_hook = btrfs_submit_bio_hook,
30222 .merge_bio_hook = btrfs_merge_bio_hook,
30223 diff -urNp linux-2.6.35.7/fs/btrfs/relocation.c linux-2.6.35.7/fs/btrfs/relocation.c
30224 --- linux-2.6.35.7/fs/btrfs/relocation.c 2010-08-26 19:47:12.000000000 -0400
30225 +++ linux-2.6.35.7/fs/btrfs/relocation.c 2010-10-11 22:41:44.000000000 -0400
30226 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
30228 spin_unlock(&rc->reloc_root_tree.lock);
30230 - BUG_ON((struct btrfs_root *)node->data != root);
30231 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
30234 spin_lock(&rc->reloc_root_tree.lock);
30235 diff -urNp linux-2.6.35.7/fs/cachefiles/bind.c linux-2.6.35.7/fs/cachefiles/bind.c
30236 --- linux-2.6.35.7/fs/cachefiles/bind.c 2010-08-26 19:47:12.000000000 -0400
30237 +++ linux-2.6.35.7/fs/cachefiles/bind.c 2010-09-17 20:12:09.000000000 -0400
30238 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
30241 /* start by checking things over */
30242 - ASSERT(cache->fstop_percent >= 0 &&
30243 - cache->fstop_percent < cache->fcull_percent &&
30244 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
30245 cache->fcull_percent < cache->frun_percent &&
30246 cache->frun_percent < 100);
30248 - ASSERT(cache->bstop_percent >= 0 &&
30249 - cache->bstop_percent < cache->bcull_percent &&
30250 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
30251 cache->bcull_percent < cache->brun_percent &&
30252 cache->brun_percent < 100);
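Review bot: Dropping `cache->fstop_percent >= 0` and `cache->bstop_percent >= 0` from the two ASSERTs only preserves behaviour if those fields are unsigned, and their declarations are not part of this hunk. If they are unsigned, that should be recorded next to the checks, e.g. `/* percentages are unsigned; only the upper bounds need checking */`, so a later type change does not silently lose the lower bound. The same applies to the removed `datalen < 0`, `fstop < 0` and `bstop < 0` tests in fs/cachefiles/daemon.c and the removed `nr_segs < 0` test in fs/compat.c.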
30254 diff -urNp linux-2.6.35.7/fs/cachefiles/daemon.c linux-2.6.35.7/fs/cachefiles/daemon.c
30255 --- linux-2.6.35.7/fs/cachefiles/daemon.c 2010-08-26 19:47:12.000000000 -0400
30256 +++ linux-2.6.35.7/fs/cachefiles/daemon.c 2010-09-17 20:12:09.000000000 -0400
30257 @@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
30261 - if (copy_to_user(_buffer, buffer, n) != 0)
30262 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
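Review bot: The added `n > sizeof(buffer)` bound is folded into the same condition as the copy_to_user() failure, so an internal length error and a bad user pointer take the same exit; the return line is not in the visible hunk. The bound matters because `n` is the byte count handed to copy_to_user(), and a value larger than `buffer` would copy whatever follows it in kernel memory out to user space. A separate test with a comment such as `/* never copy more than the local buffer holds */` would make that intent explicit. Where `n` is computed is outside the hunk. The `packet_length_size > sizeof(packet_length)` test added in fs/ecryptfs/miscdev.c has the same shape.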
30266 @@ -221,7 +221,7 @@ static ssize_t cachefiles_daemon_write(s
30267 if (test_bit(CACHEFILES_DEAD, &cache->flags))
30270 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
30271 + if (datalen > PAGE_SIZE - 1)
30272 return -EOPNOTSUPP;
30274 /* drag the command string into the kernel so we can parse it */
30275 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
30276 if (args[0] != '%' || args[1] != '\0')
30279 - if (fstop < 0 || fstop >= cache->fcull_percent)
30280 + if (fstop >= cache->fcull_percent)
30281 return cachefiles_daemon_range_error(cache, args);
30283 cache->fstop_percent = fstop;
30284 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
30285 if (args[0] != '%' || args[1] != '\0')
30288 - if (bstop < 0 || bstop >= cache->bcull_percent)
30289 + if (bstop >= cache->bcull_percent)
30290 return cachefiles_daemon_range_error(cache, args);
30292 cache->bstop_percent = bstop;
30293 diff -urNp linux-2.6.35.7/fs/cachefiles/rdwr.c linux-2.6.35.7/fs/cachefiles/rdwr.c
30294 --- linux-2.6.35.7/fs/cachefiles/rdwr.c 2010-08-26 19:47:12.000000000 -0400
30295 +++ linux-2.6.35.7/fs/cachefiles/rdwr.c 2010-09-17 20:12:09.000000000 -0400
30296 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
30299 ret = file->f_op->write(
30300 - file, (const void __user *) data, len, &pos);
30301 + file, (__force const void __user *) data, len, &pos);
30305 diff -urNp linux-2.6.35.7/fs/ceph/dir.c linux-2.6.35.7/fs/ceph/dir.c
30306 --- linux-2.6.35.7/fs/ceph/dir.c 2010-08-26 19:47:12.000000000 -0400
30307 +++ linux-2.6.35.7/fs/ceph/dir.c 2010-10-11 22:41:44.000000000 -0400
30308 @@ -228,7 +228,7 @@ static int ceph_readdir(struct file *fil
30309 struct ceph_client *client = ceph_inode_to_client(inode);
30310 struct ceph_mds_client *mdsc = &client->mdsc;
30311 unsigned frag = fpos_frag(filp->f_pos);
30312 - int off = fpos_off(filp->f_pos);
30313 + unsigned int off = fpos_off(filp->f_pos);
30316 struct ceph_mds_reply_info_parsed *rinfo;
30317 @@ -357,7 +357,7 @@ more:
30318 rinfo = &fi->last_readdir->r_reply_info;
30319 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
30320 rinfo->dir_nr, off, fi->offset);
30321 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
30322 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
30323 u64 pos = ceph_make_fpos(frag, off);
30324 struct ceph_mds_reply_inode *in =
30325 rinfo->dir_in[off - fi->offset].in;
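Review bot: The `dout("readdir frag %x num %d off %d chunkoff %d\n", ...)` call in the context lines still prints `off` with `%d`, although the previous hunk changes it to `unsigned int`; the specifier should become `off %u`. The rewritten loop test `off >= fi->offset && off - fi->offset < rinfo->dir_nr` now compares in unsigned arithmetic. The types of `fi->offset` and `rinfo->dir_nr` are not visible here, and if either is a signed int a negative value would be converted to a large unsigned one, so it is worth confirming both are non-negative by construction. ceph_readdir starts and ends outside this hunk.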
30326 diff -urNp linux-2.6.35.7/fs/cifs/cifs_uniupr.h linux-2.6.35.7/fs/cifs/cifs_uniupr.h
30327 --- linux-2.6.35.7/fs/cifs/cifs_uniupr.h 2010-08-26 19:47:12.000000000 -0400
30328 +++ linux-2.6.35.7/fs/cifs/cifs_uniupr.h 2010-09-17 20:12:09.000000000 -0400
30329 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
30330 {0x0490, 0x04cc, UniCaseRangeU0490},
30331 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
30332 {0xff40, 0xff5a, UniCaseRangeUff40},
30338 diff -urNp linux-2.6.35.7/fs/cifs/link.c linux-2.6.35.7/fs/cifs/link.c
30339 --- linux-2.6.35.7/fs/cifs/link.c 2010-08-26 19:47:12.000000000 -0400
30340 +++ linux-2.6.35.7/fs/cifs/link.c 2010-09-17 20:12:09.000000000 -0400
30341 @@ -216,7 +216,7 @@ cifs_symlink(struct inode *inode, struct
30343 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
30345 - char *p = nd_get_link(nd);
30346 + const char *p = nd_get_link(nd);
30350 diff -urNp linux-2.6.35.7/fs/compat_binfmt_elf.c linux-2.6.35.7/fs/compat_binfmt_elf.c
30351 --- linux-2.6.35.7/fs/compat_binfmt_elf.c 2010-08-26 19:47:12.000000000 -0400
30352 +++ linux-2.6.35.7/fs/compat_binfmt_elf.c 2010-09-17 20:12:09.000000000 -0400
30353 @@ -30,11 +30,13 @@
30359 #define elfhdr elf32_hdr
30360 #define elf_phdr elf32_phdr
30361 #define elf_shdr elf32_shdr
30362 #define elf_note elf32_note
30363 +#define elf_dyn Elf32_Dyn
30364 #define elf_addr_t Elf32_Addr
30367 diff -urNp linux-2.6.35.7/fs/compat.c linux-2.6.35.7/fs/compat.c
30368 --- linux-2.6.35.7/fs/compat.c 2010-09-26 17:32:11.000000000 -0400
30369 +++ linux-2.6.35.7/fs/compat.c 2010-10-11 22:41:44.000000000 -0400
30370 @@ -590,7 +590,7 @@ ssize_t compat_rw_copy_check_uvector(int
30374 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
30375 + if (nr_segs > UIO_MAXIOV)
30377 if (nr_segs > fast_segs) {
30379 @@ -1433,14 +1433,12 @@ static int compat_copy_strings(int argc,
30380 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
30383 -#ifdef CONFIG_STACK_GROWSUP
30384 ret = expand_stack_downwards(bprm->vma, pos);
30386 /* We've exceed the stack rlimit. */
30391 ret = get_user_pages(current, bprm->mm, pos,
30392 1, 1, 1, &page, NULL);
30394 @@ -1486,6 +1484,11 @@ int compat_do_execve(char * filename,
30395 compat_uptr_t __user *envp,
30396 struct pt_regs * regs)
30398 +#ifdef CONFIG_GRKERNSEC
30399 + struct file *old_exec_file;
30400 + struct acl_subject_label *old_acl;
30401 + struct rlimit old_rlim[RLIM_NLIMITS];
30403 struct linux_binprm *bprm;
30405 struct files_struct *displaced;
30406 @@ -1522,6 +1525,14 @@ int compat_do_execve(char * filename,
30407 bprm->filename = filename;
30408 bprm->interp = filename;
30410 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30411 + retval = -EAGAIN;
30412 + if (gr_handle_nproc())
30414 + retval = -EACCES;
30415 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30418 retval = bprm_mm_init(bprm);
30421 @@ -1551,9 +1562,40 @@ int compat_do_execve(char * filename,
30425 + if (!gr_tpe_allow(file)) {
30426 + retval = -EACCES;
30430 + if (gr_check_crash_exec(file)) {
30431 + retval = -EACCES;
30435 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30437 + gr_handle_exec_args(bprm, (char __user * __user *)argv);
30439 +#ifdef CONFIG_GRKERNSEC
30440 + old_acl = current->acl;
30441 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30442 + old_exec_file = current->exec_file;
30444 + current->exec_file = file;
30447 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30448 + bprm->unsafe & LSM_UNSAFE_SHARE);
30452 retval = search_binary_handler(bprm, regs);
30456 +#ifdef CONFIG_GRKERNSEC
30457 + if (old_exec_file)
30458 + fput(old_exec_file);
30461 /* execve succeeded */
30462 current->fs->in_exec = 0;
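Review bot: The cast in `gr_handle_exec_args(bprm, (char __user * __user *)argv);` hides a width mismatch rather than resolving it. In compat_do_execve the vectors are arrays of `compat_uptr_t` (the `envp` parameter in the neighbouring hunk is declared that way, and argv presumably is too), so a callee that walks the array with native pointer size would read two 32-bit entries as one pointer on a 64-bit kernel. gr_handle_exec_args is not visible here, so this needs checking against its body. If it does dereference the array, the compat path should get its own variant that reads `compat_uptr_t` entries and converts each with `compat_ptr()`.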
30463 @@ -1564,6 +1606,14 @@ int compat_do_execve(char * filename,
30464 put_files_struct(displaced);
30468 +#ifdef CONFIG_GRKERNSEC
30469 + current->acl = old_acl;
30470 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30471 + fput(current->exec_file);
30472 + current->exec_file = old_exec_file;
30478 diff -urNp linux-2.6.35.7/fs/compat_ioctl.c linux-2.6.35.7/fs/compat_ioctl.c
30479 --- linux-2.6.35.7/fs/compat_ioctl.c 2010-08-26 19:47:12.000000000 -0400
30480 +++ linux-2.6.35.7/fs/compat_ioctl.c 2010-10-11 22:41:44.000000000 -0400
30481 @@ -227,6 +227,8 @@ static int do_video_set_spu_palette(unsi
30483 err = get_user(palp, &up->palette);
30484 err |= get_user(length, &up->length);
30488 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
30489 err = put_user(compat_ptr(palp), &up_native->palette);
30490 diff -urNp linux-2.6.35.7/fs/debugfs/inode.c linux-2.6.35.7/fs/debugfs/inode.c
30491 --- linux-2.6.35.7/fs/debugfs/inode.c 2010-08-26 19:47:12.000000000 -0400
30492 +++ linux-2.6.35.7/fs/debugfs/inode.c 2010-09-17 20:12:09.000000000 -0400
30493 @@ -129,7 +129,7 @@ static inline int debugfs_positive(struc
30495 static int debug_fill_super(struct super_block *sb, void *data, int silent)
30497 - static struct tree_descr debug_files[] = {{""}};
30498 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
30500 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
30502 diff -urNp linux-2.6.35.7/fs/dlm/lockspace.c linux-2.6.35.7/fs/dlm/lockspace.c
30503 --- linux-2.6.35.7/fs/dlm/lockspace.c 2010-08-26 19:47:12.000000000 -0400
30504 +++ linux-2.6.35.7/fs/dlm/lockspace.c 2010-09-17 20:12:09.000000000 -0400
30505 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
30509 -static struct kset_uevent_ops dlm_uevent_ops = {
30510 +static const struct kset_uevent_ops dlm_uevent_ops = {
30511 .uevent = dlm_uevent,
30514 diff -urNp linux-2.6.35.7/fs/ecryptfs/inode.c linux-2.6.35.7/fs/ecryptfs/inode.c
30515 --- linux-2.6.35.7/fs/ecryptfs/inode.c 2010-08-26 19:47:12.000000000 -0400
30516 +++ linux-2.6.35.7/fs/ecryptfs/inode.c 2010-09-17 20:12:09.000000000 -0400
30517 @@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
30520 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30521 - (char __user *)lower_buf,
30522 + (__force char __user *)lower_buf,
30526 @@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
30530 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30531 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30535 @@ -719,7 +719,7 @@ out:
30537 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30539 - char *buf = nd_get_link(nd);
30540 + const char *buf = nd_get_link(nd);
30541 if (!IS_ERR(buf)) {
30542 /* Free the char* */
30544 diff -urNp linux-2.6.35.7/fs/ecryptfs/miscdev.c linux-2.6.35.7/fs/ecryptfs/miscdev.c
30545 --- linux-2.6.35.7/fs/ecryptfs/miscdev.c 2010-08-26 19:47:12.000000000 -0400
30546 +++ linux-2.6.35.7/fs/ecryptfs/miscdev.c 2010-09-17 20:12:09.000000000 -0400
30547 @@ -328,7 +328,7 @@ check_list:
30548 goto out_unlock_msg_ctx;
30550 if (msg_ctx->msg) {
30551 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
30552 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30553 goto out_unlock_msg_ctx;
30554 i += packet_length_size;
30555 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
30556 diff -urNp linux-2.6.35.7/fs/exec.c linux-2.6.35.7/fs/exec.c
30557 --- linux-2.6.35.7/fs/exec.c 2010-08-26 19:47:12.000000000 -0400
30558 +++ linux-2.6.35.7/fs/exec.c 2010-09-28 18:50:18.000000000 -0400
30559 @@ -55,12 +55,24 @@
30560 #include <linux/fsnotify.h>
30561 #include <linux/fs_struct.h>
30562 #include <linux/pipe_fs_i.h>
30563 +#include <linux/random.h>
30564 +#include <linux/seq_file.h>
30566 +#ifdef CONFIG_PAX_REFCOUNT
30567 +#include <linux/kallsyms.h>
30568 +#include <linux/kdebug.h>
30571 #include <asm/uaccess.h>
30572 #include <asm/mmu_context.h>
30573 #include <asm/tlb.h>
30574 #include "internal.h"
30576 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30577 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30578 +EXPORT_SYMBOL(pax_set_initial_flags_func);
30582 char core_pattern[CORENAME_MAX_SIZE] = "core";
30583 unsigned int core_pipe_limit;
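Review bot: `pax_set_initial_flags_func` is added as an exported, writable global function pointer with no comment describing its contract. Whatever it points to presumably runs on the exec path (the `struct linux_binprm *` argument suggests so; the caller is outside this hunk), so the declaration should say who may assign it, whether NULL means no hook is installed, and how assignment is ordered against a concurrent exec. A line such as `/* optional hook for the ACL code to set initial PaX flags; NULL when unused */` above it would do, adjusted to what the setter really does.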
30584 @@ -114,7 +126,7 @@ SYSCALL_DEFINE1(uselib, const char __use
30587 file = do_filp_open(AT_FDCWD, tmp,
30588 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30589 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30590 MAY_READ | MAY_EXEC | MAY_OPEN);
30592 error = PTR_ERR(file);
30593 @@ -162,18 +174,10 @@ static struct page *get_arg_page(struct
30599 -#ifdef CONFIG_STACK_GROWSUP
30601 - ret = expand_stack_downwards(bprm->vma, pos);
30606 - ret = get_user_pages(current, bprm->mm, pos,
30607 - 1, write, 1, &page, NULL);
30609 + if (0 > expand_stack_downwards(bprm->vma, pos))
30611 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
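Review bot: The two new tests are written constant-first, `if (0 > expand_stack_downwards(bprm->vma, pos))` and `if (0 >= get_user_pages(...))`, which departs from the surrounding kernel style and is easy to misread. `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` say the same thing. The hunk also drops the `#ifdef CONFIG_STACK_GROWSUP` guard, so the expansion now runs on every architecture, and a one-line comment giving the reason would help; the same guard is removed in compat_copy_strings in fs/compat.c. The return statements of get_arg_page are not in the visible lines.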
30615 @@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
30616 vma->vm_end = STACK_TOP_MAX;
30617 vma->vm_start = vma->vm_end - PAGE_SIZE;
30618 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
30620 +#ifdef CONFIG_PAX_SEGMEXEC
30621 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30624 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
30625 INIT_LIST_HEAD(&vma->anon_vma_chain);
30626 err = insert_vm_struct(mm, vma);
30627 @@ -255,6 +264,12 @@ static int __bprm_mm_init(struct linux_b
30628 mm->stack_vm = mm->total_vm = 1;
30629 up_write(&mm->mmap_sem);
30630 bprm->p = vma->vm_end - sizeof(void *);
30632 +#ifdef CONFIG_PAX_RANDUSTACK
30633 + if (randomize_va_space)
30634 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30639 up_write(&mm->mmap_sem);
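Review bot: The stack-pointer randomization `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` has no comment, and the two masks are not self-explanatory. As written it flips only bits inside the page offset and leaves the low four bits alone, so the adjusted pointer stays within the single stack page set up just above. I would add `/* randomize p within the top stack page, low 4 bits unchanged */` and give the bare `15` a name. This is sub-page randomization only, and the comment should say so to avoid it being read as the whole of the stack ASLR.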
30640 @@ -377,6 +392,9 @@ static int count(char __user * __user *
30645 + if (fatal_signal_pending(current))
30646 + return -ERESTARTNOHAND;
30650 @@ -420,6 +438,12 @@ static int copy_strings(int argc, char _
30652 int offset, bytes_to_copy;
30654 + if (fatal_signal_pending(current)) {
30655 + ret = -ERESTARTNOHAND;
30660 offset = pos % PAGE_SIZE;
30662 offset = PAGE_SIZE;
30663 @@ -476,7 +500,7 @@ int copy_strings_kernel(int argc,char **
30665 mm_segment_t oldfs = get_fs();
30667 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
30668 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
30672 @@ -506,7 +530,8 @@ static int shift_arg_pages(struct vm_are
30673 unsigned long new_end = old_end - shift;
30674 struct mmu_gather *tlb;
30676 - BUG_ON(new_start > new_end);
30677 + if (new_start >= new_end || new_start < mmap_min_addr)
30681 * ensure there are no vmas between where we want to go
30682 @@ -515,6 +540,10 @@ static int shift_arg_pages(struct vm_are
30683 if (vma != find_vma(mm, new_start))
30686 +#ifdef CONFIG_PAX_SEGMEXEC
30687 + BUG_ON(pax_find_mirror_vma(vma));
30691 * cover the whole range: [new_start, old_end)
30693 @@ -605,8 +634,28 @@ int setup_arg_pages(struct linux_binprm
30694 bprm->exec -= stack_shift;
30696 down_write(&mm->mmap_sem);
30698 + /* Move stack pages down in memory. */
30699 + if (stack_shift) {
30700 + ret = shift_arg_pages(vma, stack_shift);
30705 vm_flags = VM_STACK_FLAGS;
30707 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30708 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30709 + vm_flags &= ~VM_EXEC;
30711 +#ifdef CONFIG_PAX_MPROTECT
30712 + if (mm->pax_flags & MF_PAX_MPROTECT)
30713 + vm_flags &= ~VM_MAYEXEC;
30720 * Adjust stack execute permissions; explicitly enable for
30721 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
30722 @@ -625,13 +674,6 @@ int setup_arg_pages(struct linux_binprm
30724 BUG_ON(prev != vma);
30726 - /* Move stack pages down in memory. */
30727 - if (stack_shift) {
30728 - ret = shift_arg_pages(vma, stack_shift);
30733 /* mprotect_fixup is overkill to remove the temporary stack flags */
30734 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
30736 @@ -671,7 +713,7 @@ struct file *open_exec(const char *name)
30739 file = do_filp_open(AT_FDCWD, name,
30740 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30741 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30742 MAY_EXEC | MAY_OPEN);
30745 @@ -708,7 +750,7 @@ int kernel_read(struct file *file, loff_
30748 /* The cast to a user pointer is valid due to the set_fs() */
30749 - result = vfs_read(file, (void __user *)addr, count, &pos);
30750 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
30754 @@ -1125,7 +1167,7 @@ int check_unsafe_exec(struct linux_binpr
30758 - if (p->fs->users > n_fs) {
30759 + if (atomic_read(&p->fs->users) > n_fs) {
30760 bprm->unsafe |= LSM_UNSAFE_SHARE;
30763 @@ -1321,6 +1363,11 @@ int do_execve(char * filename,
30764 char __user *__user *envp,
30765 struct pt_regs * regs)
30767 +#ifdef CONFIG_GRKERNSEC
30768 + struct file *old_exec_file;
30769 + struct acl_subject_label *old_acl;
30770 + struct rlimit old_rlim[RLIM_NLIMITS];
30772 struct linux_binprm *bprm;
30774 struct files_struct *displaced;
30775 @@ -1357,6 +1404,18 @@ int do_execve(char * filename,
30776 bprm->filename = filename;
30777 bprm->interp = filename;
30779 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30781 + if (gr_handle_nproc()) {
30782 + retval = -EAGAIN;
30786 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
30787 + retval = -EACCES;
30791 retval = bprm_mm_init(bprm);
30794 @@ -1386,10 +1445,41 @@ int do_execve(char * filename,
30798 + if (!gr_tpe_allow(file)) {
30799 + retval = -EACCES;
30803 + if (gr_check_crash_exec(file)) {
30804 + retval = -EACCES;
30808 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30810 + gr_handle_exec_args(bprm, argv);
30812 +#ifdef CONFIG_GRKERNSEC
30813 + old_acl = current->acl;
30814 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30815 + old_exec_file = current->exec_file;
30817 + current->exec_file = file;
30820 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30821 + bprm->unsafe & LSM_UNSAFE_SHARE);
30825 current->flags &= ~PF_KTHREAD;
30826 retval = search_binary_handler(bprm,regs);
30830 +#ifdef CONFIG_GRKERNSEC
30831 + if (old_exec_file)
30832 + fput(old_exec_file);
30835 /* execve succeeded */
30836 current->fs->in_exec = 0;
30837 @@ -1400,6 +1490,14 @@ int do_execve(char * filename,
30838 put_files_struct(displaced);
30842 +#ifdef CONFIG_GRKERNSEC
30843 + current->acl = old_acl;
30844 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30845 + fput(current->exec_file);
30846 + current->exec_file = old_exec_file;
30852 @@ -1563,6 +1661,217 @@ out:
30856 +int pax_check_flags(unsigned long *flags)
30860 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
30861 + if (*flags & MF_PAX_SEGMEXEC)
30863 + *flags &= ~MF_PAX_SEGMEXEC;
30864 + retval = -EINVAL;
30868 + if ((*flags & MF_PAX_PAGEEXEC)
30870 +#ifdef CONFIG_PAX_PAGEEXEC
30871 + && (*flags & MF_PAX_SEGMEXEC)
30876 + *flags &= ~MF_PAX_PAGEEXEC;
30877 + retval = -EINVAL;
30880 + if ((*flags & MF_PAX_MPROTECT)
30882 +#ifdef CONFIG_PAX_MPROTECT
30883 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30888 + *flags &= ~MF_PAX_MPROTECT;
30889 + retval = -EINVAL;
30892 + if ((*flags & MF_PAX_EMUTRAMP)
30894 +#ifdef CONFIG_PAX_EMUTRAMP
30895 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30900 + *flags &= ~MF_PAX_EMUTRAMP;
30901 + retval = -EINVAL;
30907 +EXPORT_SYMBOL(pax_check_flags);
30909 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30910 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
30912 + struct task_struct *tsk = current;
30913 + struct mm_struct *mm = current->mm;
30914 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
30915 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
30916 + char *path_exec = NULL;
30917 + char *path_fault = NULL;
30918 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
30920 + if (buffer_exec && buffer_fault) {
30921 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
30923 + down_read(&mm->mmap_sem);
30925 + while (vma && (!vma_exec || !vma_fault)) {
30926 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
30928 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
30930 + vma = vma->vm_next;
30933 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
30934 + if (IS_ERR(path_exec))
30935 + path_exec = "<path too long>";
30937 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
30940 + path_exec = buffer_exec;
30942 + path_exec = "<path too long>";
30946 + start = vma_fault->vm_start;
30947 + end = vma_fault->vm_end;
30948 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
30949 + if (vma_fault->vm_file) {
30950 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
30951 + if (IS_ERR(path_fault))
30952 + path_fault = "<path too long>";
30954 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
30955 + if (path_fault) {
30957 + path_fault = buffer_fault;
30959 + path_fault = "<path too long>";
30962 + path_fault = "<anonymous mapping>";
30964 + up_read(&mm->mmap_sem);
30966 + if (tsk->signal->curr_ip)
30967 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
30969 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
30970 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
30971 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
30972 + task_uid(tsk), task_euid(tsk), pc, sp);
30973 + free_page((unsigned long)buffer_exec);
30974 + free_page((unsigned long)buffer_fault);
30975 + pax_report_insns(pc, sp);
30976 + do_coredump(SIGKILL, SIGKILL, regs);
30980 +#ifdef CONFIG_PAX_REFCOUNT
30981 +void pax_report_refcount_overflow(struct pt_regs *regs)
30983 + if (current->signal->curr_ip)
30984 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30985 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
30987 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30988 + current->comm, task_pid_nr(current), current_uid(), current_euid());
30989 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
30991 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
30995 +#ifdef CONFIG_PAX_USERCOPY
30996 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
30997 +int object_is_on_stack(const void *obj, unsigned long len)
30999 + const void * const stack = task_stack_page(current);
31000 + const void * const stackend = stack + THREAD_SIZE;
31002 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31003 + const void *frame = NULL;
31004 + const void *oldframe;
31007 + if (obj + len < obj)
31010 + if (obj + len <= stack || stackend <= obj)
31013 + if (obj < stack || stackend < obj + len)
31016 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31017 + oldframe = __builtin_frame_address(1);
31019 + frame = __builtin_frame_address(2);
31021 + low ----------------------------------------------> high
31022 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
31023 + ^----------------^
31024 + allow copies only within here
31026 + while (stack <= frame && frame < stackend) {
31027 + /* if obj + len extends past the last frame, this
31028 + check won't pass and the next frame will be 0,
31029 + causing us to bail out and correctly report
31030 + the copy as invalid
31032 + if (obj + len <= frame)
31033 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
31034 + oldframe = frame;
31035 + frame = *(const void * const *)frame;
31044 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
31046 + if (current->signal->curr_ip)
31047 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
31048 + ¤t->signal->curr_ip, ptr, len);
31050 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
31052 + do_group_exit(SIGKILL);
31055 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
31057 + if (current->signal->curr_ip)
31058 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
31059 + ¤t->signal->curr_ip, ptr, len);
31061 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
31063 + do_group_exit(SIGKILL);
31067 static int zap_process(struct task_struct *start, int exit_code)
31069 struct task_struct *t;
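Review bot: pax_report_fault() escapes both paths with `mangle_path(..., "\t\n\\")` before logging, but `tsk->comm` goes into the "terminating task" printk raw via `%s`, and `current->comm` does the same in pax_report_refcount_overflow(). A task can choose its own name, so a name containing a newline could make one report look like several kernel log lines, which weakens these messages as audit evidence. Escape comm the same way as the paths before printing, or at minimum note the gap with `/* comm is task-controlled and not escaped here */` so log consumers know to treat the field as untrusted.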
31070 @@ -1773,17 +2082,17 @@ static void wait_for_dump_helpers(struct
31071 pipe = file->f_path.dentry->d_inode->i_pipe;
31076 + atomic_inc(&pipe->readers);
31077 + atomic_dec(&pipe->writers);
31079 - while ((pipe->readers > 1) && (!signal_pending(current))) {
31080 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
31081 wake_up_interruptible_sync(&pipe->wait);
31082 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
31088 + atomic_dec(&pipe->readers);
31089 + atomic_inc(&pipe->writers);
31093 @@ -1891,6 +2200,10 @@ void do_coredump(long signr, int exit_co
31095 clear_thread_flag(TIF_SIGPENDING);
31097 + if (signr == SIGKILL || signr == SIGILL)
31098 + gr_handle_brute_attach(current);
31099 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
31102 * lock_kernel() because format_corename() is controlled by sysctl, which
31103 * uses lock_kernel()
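Review bot: The filter `signr == SIGKILL || signr == SIGILL` in front of `gr_handle_brute_attach(current)` carries no comment explaining why only these two signals are counted. pax_report_fault() earlier in this file calls `do_coredump(SIGKILL, SIGKILL, regs)`, which accounts for SIGKILL, but crashes ending in SIGSEGV or SIGBUS never reach the handler. If that is deliberate, record it with something like `/* only PaX kills and illegal-instruction faults count as brute-force evidence */`; if not, the condition should name the other fatal signals as well. do_coredump's body starts and ends outside this hunk.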
31104 diff -urNp linux-2.6.35.7/fs/ext2/balloc.c linux-2.6.35.7/fs/ext2/balloc.c
31105 --- linux-2.6.35.7/fs/ext2/balloc.c 2010-08-26 19:47:12.000000000 -0400
31106 +++ linux-2.6.35.7/fs/ext2/balloc.c 2010-09-17 20:12:37.000000000 -0400
31107 @@ -1193,7 +1193,7 @@ static int ext2_has_free_blocks(struct e
31109 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31110 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31111 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31112 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31113 sbi->s_resuid != current_fsuid() &&
31114 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31116 diff -urNp linux-2.6.35.7/fs/ext2/xattr.c linux-2.6.35.7/fs/ext2/xattr.c
31117 --- linux-2.6.35.7/fs/ext2/xattr.c 2010-08-26 19:47:12.000000000 -0400
31118 +++ linux-2.6.35.7/fs/ext2/xattr.c 2010-09-17 20:12:09.000000000 -0400
31123 -# define ea_idebug(f...)
31124 -# define ea_bdebug(f...)
31125 +# define ea_idebug(inode, f...) do {} while (0)
31126 +# define ea_bdebug(bh, f...) do {} while (0)
31129 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
31130 diff -urNp linux-2.6.35.7/fs/ext3/balloc.c linux-2.6.35.7/fs/ext3/balloc.c
31131 --- linux-2.6.35.7/fs/ext3/balloc.c 2010-08-26 19:47:12.000000000 -0400
31132 +++ linux-2.6.35.7/fs/ext3/balloc.c 2010-09-17 20:12:37.000000000 -0400
31133 @@ -1422,7 +1422,7 @@ static int ext3_has_free_blocks(struct e
31135 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31136 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31137 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31138 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31139 sbi->s_resuid != current_fsuid() &&
31140 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31142 diff -urNp linux-2.6.35.7/fs/ext3/namei.c linux-2.6.35.7/fs/ext3/namei.c
31143 --- linux-2.6.35.7/fs/ext3/namei.c 2010-08-26 19:47:12.000000000 -0400
31144 +++ linux-2.6.35.7/fs/ext3/namei.c 2010-09-17 20:12:09.000000000 -0400
31145 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
31146 char *data1 = (*bh)->b_data, *data2;
31147 unsigned split, move, size;
31148 struct ext3_dir_entry_2 *de = NULL, *de2;
31152 bh2 = ext3_append (handle, dir, &newblock, &err);
31154 diff -urNp linux-2.6.35.7/fs/ext3/xattr.c linux-2.6.35.7/fs/ext3/xattr.c
31155 --- linux-2.6.35.7/fs/ext3/xattr.c 2010-08-26 19:47:12.000000000 -0400
31156 +++ linux-2.6.35.7/fs/ext3/xattr.c 2010-09-17 20:12:09.000000000 -0400
31161 -# define ea_idebug(f...)
31162 -# define ea_bdebug(f...)
31163 +# define ea_idebug(f...) do {} while (0)
31164 +# define ea_bdebug(f...) do {} while (0)
31167 static void ext3_xattr_cache_insert(struct buffer_head *);
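Review bot: The ext3 stubs keep the single variadic parameter, `ea_idebug(f...)` and `ea_bdebug(f...)`, while the ext2 and ext4 hunks of this same patch rewrite the identical stubs as `ea_idebug(inode, f...)` and `ea_bdebug(bh, f...)`. The three files should agree so that the disabled form has the same arity as the enabled form in every filesystem: `# define ea_idebug(inode, f...) do {} while (0)` and `# define ea_bdebug(bh, f...) do {} while (0)`.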
31168 diff -urNp linux-2.6.35.7/fs/ext4/balloc.c linux-2.6.35.7/fs/ext4/balloc.c
31169 --- linux-2.6.35.7/fs/ext4/balloc.c 2010-08-26 19:47:12.000000000 -0400
31170 +++ linux-2.6.35.7/fs/ext4/balloc.c 2010-09-17 20:12:37.000000000 -0400
31171 @@ -522,7 +522,7 @@ int ext4_has_free_blocks(struct ext4_sb_
31172 /* Hm, nope. Are (enough) root reserved blocks available? */
31173 if (sbi->s_resuid == current_fsuid() ||
31174 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
31175 - capable(CAP_SYS_RESOURCE)) {
31176 + capable_nolog(CAP_SYS_RESOURCE)) {
31177 if (free_blocks >= (nblocks + dirty_blocks))
31180 diff -urNp linux-2.6.35.7/fs/ext4/namei.c linux-2.6.35.7/fs/ext4/namei.c
31181 --- linux-2.6.35.7/fs/ext4/namei.c 2010-08-26 19:47:12.000000000 -0400
31182 +++ linux-2.6.35.7/fs/ext4/namei.c 2010-09-17 20:12:09.000000000 -0400
31183 @@ -1197,7 +1197,7 @@ static struct ext4_dir_entry_2 *do_split
31184 char *data1 = (*bh)->b_data, *data2;
31185 unsigned split, move, size;
31186 struct ext4_dir_entry_2 *de = NULL, *de2;
31190 bh2 = ext4_append (handle, dir, &newblock, &err);
31192 diff -urNp linux-2.6.35.7/fs/ext4/xattr.c linux-2.6.35.7/fs/ext4/xattr.c
31193 --- linux-2.6.35.7/fs/ext4/xattr.c 2010-08-26 19:47:12.000000000 -0400
31194 +++ linux-2.6.35.7/fs/ext4/xattr.c 2010-09-17 20:12:09.000000000 -0400
31199 -# define ea_idebug(f...)
31200 -# define ea_bdebug(f...)
31201 +# define ea_idebug(inode, f...) do {} while (0)
31202 +# define ea_bdebug(bh, f...) do {} while (0)
31205 static void ext4_xattr_cache_insert(struct buffer_head *);
31206 diff -urNp linux-2.6.35.7/fs/fcntl.c linux-2.6.35.7/fs/fcntl.c
31207 --- linux-2.6.35.7/fs/fcntl.c 2010-08-26 19:47:12.000000000 -0400
31208 +++ linux-2.6.35.7/fs/fcntl.c 2010-09-17 20:12:37.000000000 -0400
31209 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
31213 + if (gr_handle_chroot_fowner(pid, type))
31215 + if (gr_check_protected_task_fowner(pid, type))
31218 f_modown(filp, pid, type, force);
31221 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
31224 case F_DUPFD_CLOEXEC:
31225 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
31226 if (arg >= rlimit(RLIMIT_NOFILE))
31228 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
31229 diff -urNp linux-2.6.35.7/fs/fifo.c linux-2.6.35.7/fs/fifo.c
31230 --- linux-2.6.35.7/fs/fifo.c 2010-08-26 19:47:12.000000000 -0400
31231 +++ linux-2.6.35.7/fs/fifo.c 2010-09-17 20:12:09.000000000 -0400
31232 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
31234 filp->f_op = &read_pipefifo_fops;
31236 - if (pipe->readers++ == 0)
31237 + if (atomic_inc_return(&pipe->readers) == 1)
31238 wake_up_partner(inode);
31240 - if (!pipe->writers) {
31241 + if (!atomic_read(&pipe->writers)) {
31242 if ((filp->f_flags & O_NONBLOCK)) {
31243 /* suppress POLLHUP until we have
31245 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
31246 * errno=ENXIO when there is no process reading the FIFO.
31249 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
31250 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
31253 filp->f_op = &write_pipefifo_fops;
31255 - if (!pipe->writers++)
31256 + if (atomic_inc_return(&pipe->writers) == 1)
31257 wake_up_partner(inode);
31259 - if (!pipe->readers) {
31260 + if (!atomic_read(&pipe->readers)) {
31261 wait_for_partner(inode, &pipe->r_counter);
31262 if (signal_pending(current))
31264 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
31266 filp->f_op = &rdwr_pipefifo_fops;
31270 + atomic_inc(&pipe->readers);
31271 + atomic_inc(&pipe->writers);
31274 - if (pipe->readers == 1 || pipe->writers == 1)
31275 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
31276 wake_up_partner(inode);
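Review bot: The O_RDWR branch bumps both counters with `atomic_inc()` and then re-reads them with `atomic_read()`, whereas the read-only and write-only branches earlier in fifo_open() test the post-increment value in one step with `atomic_inc_return(...) == 1`. The two-step form is only equivalent if a lock taken outside this hunk excludes other openers between the increment and the read. Using the returned values keeps the three branches uniform and removes that dependency, e.g. `if (atomic_inc_return(&pipe->readers) == 1 | atomic_inc_return(&pipe->writers) == 1)` written out with two locals for readability.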
31279 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
31283 - if (!--pipe->readers)
31284 + if (atomic_dec_and_test(&pipe->readers))
31285 wake_up_interruptible(&pipe->wait);
31286 ret = -ERESTARTSYS;
31290 - if (!--pipe->writers)
31291 + if (atomic_dec_and_test(&pipe->writers))
31292 wake_up_interruptible(&pipe->wait);
31293 ret = -ERESTARTSYS;
31297 - if (!pipe->readers && !pipe->writers)
31298 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
31299 free_pipe_info(inode);
31302 diff -urNp linux-2.6.35.7/fs/file.c linux-2.6.35.7/fs/file.c
31303 --- linux-2.6.35.7/fs/file.c 2010-08-26 19:47:12.000000000 -0400
31304 +++ linux-2.6.35.7/fs/file.c 2010-09-17 20:12:37.000000000 -0400
31306 #include <linux/slab.h>
31307 #include <linux/vmalloc.h>
31308 #include <linux/file.h>
31309 +#include <linux/security.h>
31310 #include <linux/fdtable.h>
31311 #include <linux/bitops.h>
31312 #include <linux/interrupt.h>
31313 @@ -257,6 +258,7 @@ int expand_files(struct files_struct *fi
31314 * N.B. For clone tasks sharing a files structure, this test
31315 * will limit the total number of files that can be opened.
31317 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
31318 if (nr >= rlimit(RLIMIT_NOFILE))
31321 diff -urNp linux-2.6.35.7/fs/fs_struct.c linux-2.6.35.7/fs/fs_struct.c
31322 --- linux-2.6.35.7/fs/fs_struct.c 2010-08-26 19:47:12.000000000 -0400
31323 +++ linux-2.6.35.7/fs/fs_struct.c 2010-09-17 20:12:37.000000000 -0400
31325 #include <linux/slab.h>
31326 #include <linux/fs_struct.h>
31327 #include <linux/vserver/global.h>
31328 +#include <linux/grsecurity.h>
31331 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
31332 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
31333 old_root = fs->root;
31336 + gr_set_chroot_entries(current, path);
31337 write_unlock(&fs->lock);
31338 if (old_root.dentry)
31339 path_put(&old_root);
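Review bot: `gr_set_chroot_entries(current, path)` updates the calling task, but set_fs_root() is handed the `fs` to modify as a parameter and nothing visible in the hunk establishes that `fs == current->fs`. The chroot_fs_refs() hunk below passes the task `p` that actually owns the fs being changed, so the two call sites follow different rules. A caller passing another task's fs_struct, or an fs_struct shared by several tasks, would leave the chroot bookkeeping out of step with the real root. If every caller passes `current->fs`, state it next to the call with `/* callers pass current->fs only */`; the function body starts outside the hunk.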
31340 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
31341 && fs->root.mnt == old_root->mnt) {
31342 path_get(new_root);
31343 fs->root = *new_root;
31344 + gr_set_chroot_entries(p, new_root);
31347 if (fs->pwd.dentry == old_root->dentry
31348 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
31350 write_lock(&fs->lock);
31352 - kill = !--fs->users;
31353 + gr_clear_chroot_entries(tsk);
31354 + kill = !atomic_dec_return(&fs->users);
31355 write_unlock(&fs->lock);
31358 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
31359 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
31360 /* We don't need to lock fs - think why ;-) */
31363 + atomic_set(&fs->users, 1);
31365 rwlock_init(&fs->lock);
31366 fs->umask = old->umask;
31367 @@ -127,8 +131,9 @@ int unshare_fs_struct(void)
31369 task_lock(current);
31370 write_lock(&fs->lock);
31371 - kill = !--fs->users;
31372 + kill = !atomic_dec_return(&fs->users);
31373 current->fs = new_fs;
31374 + gr_set_chroot_entries(current, &new_fs->root);
31375 write_unlock(&fs->lock);
31376 task_unlock(current);
31378 @@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
31380 /* to be mentioned only in INIT_TASK */
31381 struct fs_struct init_fs = {
31383 + .users = ATOMIC_INIT(1),
31384 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
31387 @@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
31388 task_lock(current);
31390 write_lock(&init_fs.lock);
31392 + atomic_inc(&init_fs.users);
31393 write_unlock(&init_fs.lock);
31395 write_lock(&fs->lock);
31396 current->fs = &init_fs;
31397 - kill = !--fs->users;
31398 + gr_set_chroot_entries(current, ¤t->fs->root);
31399 + kill = !atomic_dec_return(&fs->users);
31400 write_unlock(&fs->lock);
31402 task_unlock(current);
31403 diff -urNp linux-2.6.35.7/fs/fuse/control.c linux-2.6.35.7/fs/fuse/control.c
31404 --- linux-2.6.35.7/fs/fuse/control.c 2010-08-26 19:47:12.000000000 -0400
31405 +++ linux-2.6.35.7/fs/fuse/control.c 2010-09-17 20:12:09.000000000 -0400
31406 @@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
31408 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31410 - struct tree_descr empty_descr = {""};
31411 + struct tree_descr empty_descr = {"", NULL, 0};
31412 struct fuse_conn *fc;
31415 diff -urNp linux-2.6.35.7/fs/fuse/cuse.c linux-2.6.35.7/fs/fuse/cuse.c
31416 --- linux-2.6.35.7/fs/fuse/cuse.c 2010-08-26 19:47:12.000000000 -0400
31417 +++ linux-2.6.35.7/fs/fuse/cuse.c 2010-09-17 20:12:09.000000000 -0400
31418 @@ -529,8 +529,18 @@ static int cuse_channel_release(struct i
31422 -static struct file_operations cuse_channel_fops; /* initialized during init */
31424 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
31425 + .owner = THIS_MODULE,
31426 + .llseek = no_llseek,
31427 + .read = do_sync_read,
31428 + .aio_read = fuse_dev_read,
31429 + .write = do_sync_write,
31430 + .aio_write = fuse_dev_write,
31431 + .poll = fuse_dev_poll,
31432 + .open = cuse_channel_open,
31433 + .release = cuse_channel_release,
31434 + .fasync = fuse_dev_fasync,
31437 /**************************************************************************
31438 * Misc stuff and module initializatiion
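Review bot: The comment `/* initialized during init */` left on the new `const` definition of `cuse_channel_fops` is stale, because the table is now fully initialised statically and the run-time copy in cuse_init() is removed by the next hunk. That copy inherited every member of `fuse_dev_operations`, whereas the explicit list here carries only the members it names. fuse/dev.c in this patch still has static `fuse_dev_splice_read` and `fuse_dev_splice_write`; if they are wired into `fuse_dev_operations` (its full initialiser is not visible here), CUSE silently loses them. Replace the comment with `/* keep in sync with fuse_dev_operations in dev.c */` and confirm that the omitted handlers are intentional.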
31439 @@ -576,12 +586,6 @@ static int __init cuse_init(void)
31440 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
31441 INIT_LIST_HEAD(&cuse_conntbl[i]);
31443 - /* inherit and extend fuse_dev_operations */
31444 - cuse_channel_fops = fuse_dev_operations;
31445 - cuse_channel_fops.owner = THIS_MODULE;
31446 - cuse_channel_fops.open = cuse_channel_open;
31447 - cuse_channel_fops.release = cuse_channel_release;
31449 cuse_class = class_create(THIS_MODULE, "cuse");
31450 if (IS_ERR(cuse_class))
31451 return PTR_ERR(cuse_class);
31452 diff -urNp linux-2.6.35.7/fs/fuse/dev.c linux-2.6.35.7/fs/fuse/dev.c
31453 --- linux-2.6.35.7/fs/fuse/dev.c 2010-09-20 17:33:09.000000000 -0400
31454 +++ linux-2.6.35.7/fs/fuse/dev.c 2010-09-20 17:33:32.000000000 -0400
31455 @@ -1031,7 +1031,7 @@ static ssize_t fuse_dev_do_read(struct f
31459 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31460 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31461 unsigned long nr_segs, loff_t pos)
31463 struct fuse_copy_state cs;
31464 @@ -1045,6 +1045,8 @@ static ssize_t fuse_dev_read(struct kioc
31465 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
31468 +EXPORT_SYMBOL_GPL(fuse_dev_read);
31470 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
31471 struct pipe_buffer *buf)
31473 @@ -1088,7 +1090,7 @@ static ssize_t fuse_dev_splice_read(stru
31477 - if (!pipe->readers) {
31478 + if (!atomic_read(&pipe->readers)) {
31479 send_sig(SIGPIPE, current, 0);
31482 @@ -1387,7 +1389,7 @@ static ssize_t fuse_dev_do_write(struct
31486 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31487 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31488 unsigned long nr_segs, loff_t pos)
31490 struct fuse_copy_state cs;
31491 @@ -1400,6 +1402,8 @@ static ssize_t fuse_dev_write(struct kio
31492 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
31495 +EXPORT_SYMBOL_GPL(fuse_dev_write);
31497 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
31498 struct file *out, loff_t *ppos,
31499 size_t len, unsigned int flags)
31500 @@ -1478,7 +1482,7 @@ out:
31504 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31505 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31507 unsigned mask = POLLOUT | POLLWRNORM;
31508 struct fuse_conn *fc = fuse_get_conn(file);
31509 @@ -1497,6 +1501,8 @@ static unsigned fuse_dev_poll(struct fil
31513 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
31516 * Abort all requests on the given list (pending or processing)
31518 @@ -1612,7 +1618,7 @@ int fuse_dev_release(struct inode *inode
31520 EXPORT_SYMBOL_GPL(fuse_dev_release);
31522 -static int fuse_dev_fasync(int fd, struct file *file, int on)
31523 +int fuse_dev_fasync(int fd, struct file *file, int on)
31525 struct fuse_conn *fc = fuse_get_conn(file);
31527 @@ -1622,6 +1628,8 @@ static int fuse_dev_fasync(int fd, struc
31528 return fasync_helper(fd, file, on, &fc->fasync);
31531 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31533 const struct file_operations fuse_dev_operations = {
31534 .owner = THIS_MODULE,
31535 .llseek = no_llseek,
31536 diff -urNp linux-2.6.35.7/fs/fuse/dir.c linux-2.6.35.7/fs/fuse/dir.c
31537 --- linux-2.6.35.7/fs/fuse/dir.c 2010-08-26 19:47:12.000000000 -0400
31538 +++ linux-2.6.35.7/fs/fuse/dir.c 2010-09-17 20:12:09.000000000 -0400
31539 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
31543 -static void free_link(char *link)
31544 +static void free_link(const char *link)
31547 free_page((unsigned long) link);
31548 diff -urNp linux-2.6.35.7/fs/fuse/fuse_i.h linux-2.6.35.7/fs/fuse/fuse_i.h
31549 --- linux-2.6.35.7/fs/fuse/fuse_i.h 2010-08-26 19:47:12.000000000 -0400
31550 +++ linux-2.6.35.7/fs/fuse/fuse_i.h 2010-09-17 20:12:09.000000000 -0400
31551 @@ -524,6 +524,16 @@ extern const struct file_operations fuse
31553 extern const struct dentry_operations fuse_dentry_operations;
31555 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31556 + unsigned long nr_segs, loff_t pos);
31558 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31559 + unsigned long nr_segs, loff_t pos);
31561 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31563 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
31566 * Inode to nodeid comparison.
31568 diff -urNp linux-2.6.35.7/fs/hfs/inode.c linux-2.6.35.7/fs/hfs/inode.c
31569 --- linux-2.6.35.7/fs/hfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31570 +++ linux-2.6.35.7/fs/hfs/inode.c 2010-09-17 20:12:09.000000000 -0400
31571 @@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
31573 if (S_ISDIR(main_inode->i_mode)) {
31574 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31577 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31578 sizeof(struct hfs_cat_dir));
31579 if (rec.type != HFS_CDR_DIR ||
31580 @@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
31581 sizeof(struct hfs_cat_file));
31583 if (fd.entrylength < sizeof(struct hfs_cat_file))
31586 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31587 sizeof(struct hfs_cat_file));
31588 if (rec.type != HFS_CDR_FIL ||
31589 diff -urNp linux-2.6.35.7/fs/hfsplus/inode.c linux-2.6.35.7/fs/hfsplus/inode.c
31590 --- linux-2.6.35.7/fs/hfsplus/inode.c 2010-08-26 19:47:12.000000000 -0400
31591 +++ linux-2.6.35.7/fs/hfsplus/inode.c 2010-09-17 20:12:09.000000000 -0400
31592 @@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode
31593 struct hfsplus_cat_folder *folder = &entry.folder;
31595 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31598 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31599 sizeof(struct hfsplus_cat_folder));
31600 hfsplus_get_perms(inode, &folder->permissions, 1);
31601 @@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode
31602 struct hfsplus_cat_file *file = &entry.file;
31604 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31607 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31608 sizeof(struct hfsplus_cat_file));
31610 @@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
31611 struct hfsplus_cat_folder *folder = &entry.folder;
31613 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31616 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31617 sizeof(struct hfsplus_cat_folder));
31618 /* simple node checks? */
31619 @@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
31620 struct hfsplus_cat_file *file = &entry.file;
31622 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31625 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31626 sizeof(struct hfsplus_cat_file));
31627 hfsplus_inode_write_fork(inode, &file->data_fork);
31628 diff -urNp linux-2.6.35.7/fs/hugetlbfs/inode.c linux-2.6.35.7/fs/hugetlbfs/inode.c
31629 --- linux-2.6.35.7/fs/hugetlbfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31630 +++ linux-2.6.35.7/fs/hugetlbfs/inode.c 2010-09-17 20:12:37.000000000 -0400
31631 @@ -908,7 +908,7 @@ static struct file_system_type hugetlbfs
31632 .kill_sb = kill_litter_super,
31635 -static struct vfsmount *hugetlbfs_vfsmount;
31636 +struct vfsmount *hugetlbfs_vfsmount;
31638 static int can_do_hugetlb_shm(void)
31640 diff -urNp linux-2.6.35.7/fs/ioctl.c linux-2.6.35.7/fs/ioctl.c
31641 --- linux-2.6.35.7/fs/ioctl.c 2010-08-26 19:47:12.000000000 -0400
31642 +++ linux-2.6.35.7/fs/ioctl.c 2010-09-17 20:12:09.000000000 -0400
31643 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
31644 u64 phys, u64 len, u32 flags)
31646 struct fiemap_extent extent;
31647 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
31648 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
31650 /* only count the extents */
31651 if (fieinfo->fi_extents_max == 0) {
31652 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
31654 fieinfo.fi_flags = fiemap.fm_flags;
31655 fieinfo.fi_extents_max = fiemap.fm_extent_count;
31656 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
31657 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
31659 if (fiemap.fm_extent_count != 0 &&
31660 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
31661 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
31662 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
31663 fiemap.fm_flags = fieinfo.fi_flags;
31664 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
31665 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
31666 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
31670 diff -urNp linux-2.6.35.7/fs/jffs2/debug.h linux-2.6.35.7/fs/jffs2/debug.h
31671 --- linux-2.6.35.7/fs/jffs2/debug.h 2010-08-26 19:47:12.000000000 -0400
31672 +++ linux-2.6.35.7/fs/jffs2/debug.h 2010-09-17 20:12:09.000000000 -0400
31673 @@ -52,13 +52,13 @@
31674 #if CONFIG_JFFS2_FS_DEBUG > 0
31678 +#define D1(x) do {} while (0);
31681 #if CONFIG_JFFS2_FS_DEBUG > 1
31685 +#define D2(x) do {} while (0);
31688 /* The prefixes of JFFS2 messages */
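Review bot: The new no-op definitions `#define D1(x) do {} while (0);` and `#define D2(x) do {} while (0);` end in a semicolon, which defeats the do/while(0) idiom that every other stub in this patch follows. A call written `D1(...);` then expands to two statements, so an unbraced `if (c) D1(...); else ...` stops compiling once debugging is disabled. Drop the trailing semicolon, giving `#define D1(x) do {} while (0)` and `#define D2(x) do {} while (0)`. If the semicolon was added because some call sites omit their own, those call sites are the better place to fix it.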
31689 @@ -114,73 +114,73 @@
31690 #ifdef JFFS2_DBG_READINODE_MESSAGES
31691 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31693 -#define dbg_readinode(fmt, ...)
31694 +#define dbg_readinode(fmt, ...) do {} while (0)
31696 #ifdef JFFS2_DBG_READINODE2_MESSAGES
31697 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31699 -#define dbg_readinode2(fmt, ...)
31700 +#define dbg_readinode2(fmt, ...) do {} while (0)
31703 /* Fragtree build debugging messages */
31704 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31705 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31707 -#define dbg_fragtree(fmt, ...)
31708 +#define dbg_fragtree(fmt, ...) do {} while (0)
31710 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31711 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31713 -#define dbg_fragtree2(fmt, ...)
31714 +#define dbg_fragtree2(fmt, ...) do {} while (0)
31717 /* Directory entry list manilulation debugging messages */
31718 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31719 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31721 -#define dbg_dentlist(fmt, ...)
31722 +#define dbg_dentlist(fmt, ...) do {} while (0)
31725 /* Print the messages about manipulating node_refs */
31726 #ifdef JFFS2_DBG_NODEREF_MESSAGES
31727 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31729 -#define dbg_noderef(fmt, ...)
31730 +#define dbg_noderef(fmt, ...) do {} while (0)
31733 /* Manipulations with the list of inodes (JFFS2 inocache) */
31734 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
31735 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31737 -#define dbg_inocache(fmt, ...)
31738 +#define dbg_inocache(fmt, ...) do {} while (0)
31741 /* Summary debugging messages */
31742 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
31743 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31745 -#define dbg_summary(fmt, ...)
31746 +#define dbg_summary(fmt, ...) do {} while (0)
31749 /* File system build messages */
31750 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
31751 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31753 -#define dbg_fsbuild(fmt, ...)
31754 +#define dbg_fsbuild(fmt, ...) do {} while (0)
31757 /* Watch the object allocations */
31758 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
31759 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31761 -#define dbg_memalloc(fmt, ...)
31762 +#define dbg_memalloc(fmt, ...) do {} while (0)
31765 /* Watch the XATTR subsystem */
31766 #ifdef JFFS2_DBG_XATTR_MESSAGES
31767 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31769 -#define dbg_xattr(fmt, ...)
31770 +#define dbg_xattr(fmt, ...) do {} while (0)
31773 /* "Sanity" checks */
31774 diff -urNp linux-2.6.35.7/fs/jffs2/erase.c linux-2.6.35.7/fs/jffs2/erase.c
31775 --- linux-2.6.35.7/fs/jffs2/erase.c 2010-08-26 19:47:12.000000000 -0400
31776 +++ linux-2.6.35.7/fs/jffs2/erase.c 2010-09-17 20:12:09.000000000 -0400
31777 @@ -438,7 +438,8 @@ static void jffs2_mark_erased_block(stru
31778 struct jffs2_unknown_node marker = {
31779 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
31780 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31781 - .totlen = cpu_to_je32(c->cleanmarker_size)
31782 + .totlen = cpu_to_je32(c->cleanmarker_size),
31783 + .hdr_crc = cpu_to_je32(0)
31786 jffs2_prealloc_raw_node_refs(c, jeb, 1);
31787 diff -urNp linux-2.6.35.7/fs/jffs2/summary.h linux-2.6.35.7/fs/jffs2/summary.h
31788 --- linux-2.6.35.7/fs/jffs2/summary.h 2010-08-26 19:47:12.000000000 -0400
31789 +++ linux-2.6.35.7/fs/jffs2/summary.h 2010-09-17 20:12:09.000000000 -0400
31790 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
31792 #define jffs2_sum_active() (0)
31793 #define jffs2_sum_init(a) (0)
31794 -#define jffs2_sum_exit(a)
31795 -#define jffs2_sum_disable_collecting(a)
31796 +#define jffs2_sum_exit(a) do {} while (0)
31797 +#define jffs2_sum_disable_collecting(a) do {} while (0)
31798 #define jffs2_sum_is_disabled(a) (0)
31799 -#define jffs2_sum_reset_collected(a)
31800 +#define jffs2_sum_reset_collected(a) do {} while (0)
31801 #define jffs2_sum_add_kvec(a,b,c,d) (0)
31802 -#define jffs2_sum_move_collected(a,b)
31803 +#define jffs2_sum_move_collected(a,b) do {} while (0)
31804 #define jffs2_sum_write_sumnode(a) (0)
31805 -#define jffs2_sum_add_padding_mem(a,b)
31806 -#define jffs2_sum_add_inode_mem(a,b,c)
31807 -#define jffs2_sum_add_dirent_mem(a,b,c)
31808 -#define jffs2_sum_add_xattr_mem(a,b,c)
31809 -#define jffs2_sum_add_xref_mem(a,b,c)
31810 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
31811 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
31812 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
31813 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
31814 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
31815 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
31817 #endif /* CONFIG_JFFS2_SUMMARY */
31818 diff -urNp linux-2.6.35.7/fs/jffs2/wbuf.c linux-2.6.35.7/fs/jffs2/wbuf.c
31819 --- linux-2.6.35.7/fs/jffs2/wbuf.c 2010-08-26 19:47:12.000000000 -0400
31820 +++ linux-2.6.35.7/fs/jffs2/wbuf.c 2010-09-17 20:12:09.000000000 -0400
31821 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
31823 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
31824 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31825 - .totlen = constant_cpu_to_je32(8)
31826 + .totlen = constant_cpu_to_je32(8),
31827 + .hdr_crc = constant_cpu_to_je32(0)
31831 diff -urNp linux-2.6.35.7/fs/Kconfig.binfmt linux-2.6.35.7/fs/Kconfig.binfmt
31832 --- linux-2.6.35.7/fs/Kconfig.binfmt 2010-08-26 19:47:12.000000000 -0400
31833 +++ linux-2.6.35.7/fs/Kconfig.binfmt 2010-09-23 20:17:27.000000000 -0400
31834 @@ -86,7 +86,7 @@ config HAVE_AOUT
31837 tristate "Kernel support for a.out and ECOFF binaries"
31838 - depends on HAVE_AOUT
31839 + depends on HAVE_AOUT && BROKEN
31841 A.out (Assembler.OUTput) is a set of formats for libraries and
31842 executables used in the earliest versions of UNIX. Linux used
31843 diff -urNp linux-2.6.35.7/fs/lockd/svc.c linux-2.6.35.7/fs/lockd/svc.c
31844 --- linux-2.6.35.7/fs/lockd/svc.c 2010-08-26 19:47:12.000000000 -0400
31845 +++ linux-2.6.35.7/fs/lockd/svc.c 2010-09-17 20:12:09.000000000 -0400
31848 static struct svc_program nlmsvc_program;
31850 -struct nlmsvc_binding * nlmsvc_ops;
31851 +const struct nlmsvc_binding * nlmsvc_ops;
31852 EXPORT_SYMBOL_GPL(nlmsvc_ops);
31854 static DEFINE_MUTEX(nlmsvc_mutex);
31855 diff -urNp linux-2.6.35.7/fs/locks.c linux-2.6.35.7/fs/locks.c
31856 --- linux-2.6.35.7/fs/locks.c 2010-08-26 19:47:12.000000000 -0400
31857 +++ linux-2.6.35.7/fs/locks.c 2010-09-17 20:12:09.000000000 -0400
31858 @@ -2008,16 +2008,16 @@ void locks_remove_flock(struct file *fil
31861 if (filp->f_op && filp->f_op->flock) {
31862 - struct file_lock fl = {
31863 + struct file_lock flock = {
31864 .fl_pid = current->tgid,
31866 .fl_flags = FL_FLOCK,
31867 .fl_type = F_UNLCK,
31868 .fl_end = OFFSET_MAX,
31870 - filp->f_op->flock(filp, F_SETLKW, &fl);
31871 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
31872 - fl.fl_ops->fl_release_private(&fl);
31873 + filp->f_op->flock(filp, F_SETLKW, &flock);
31874 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
31875 + flock.fl_ops->fl_release_private(&flock);
31879 diff -urNp linux-2.6.35.7/fs/namei.c linux-2.6.35.7/fs/namei.c
31880 --- linux-2.6.35.7/fs/namei.c 2010-08-26 19:47:12.000000000 -0400
31881 +++ linux-2.6.35.7/fs/namei.c 2010-09-17 20:12:37.000000000 -0400
31882 @@ -548,7 +548,7 @@ __do_follow_link(struct path *path, stru
31883 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
31884 error = PTR_ERR(*p);
31886 - char *s = nd_get_link(nd);
31887 + const char *s = nd_get_link(nd);
31890 error = __vfs_follow_link(nd, s);
31891 @@ -581,6 +581,13 @@ static inline int do_follow_link(struct
31892 err = security_inode_follow_link(path->dentry, nd);
31896 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
31897 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
31902 current->link_count++;
31903 current->total_link_count++;
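Review bot: `path->dentry->d_parent->d_inode` is read in the added `gr_handle_follow_link()` call with no lock or reference on the parent visible in this hunk, so a concurrent rename could change `d_parent` while the check runs. If nothing is held at this point, taking the parent with `dget_parent(path->dentry)` and releasing it with `dput()` after the call would pin it for the duration of the check. do_follow_link's body begins and ends outside the hunk, so locking done earlier in the function or by its caller cannot be confirmed from here.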
31905 @@ -965,11 +972,18 @@ return_reval:
31909 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
31910 + path_put(&nd->path);
31915 path_put_conditional(&next, nd);
31918 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
31921 path_put(&nd->path);
31924 @@ -1506,12 +1520,19 @@ static int __open_namei_create(struct na
31926 struct dentry *dir = nd->path.dentry;
31928 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, open_flag, mode)) {
31933 if (!IS_POSIXACL(dir->d_inode))
31934 mode &= ~current_umask();
31935 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
31938 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
31940 + gr_handle_create(path->dentry, nd->path.mnt);
31942 mutex_unlock(&dir->d_inode->i_mutex);
31943 dput(nd->path.dentry);
31944 @@ -1614,6 +1635,7 @@ static struct file *do_last(struct namei
31945 int mode, const char *pathname)
31947 struct dentry *dir = nd->path.dentry;
31948 + int flag = open_to_namei_flags(open_flag);
31950 int error = -EISDIR;
31952 @@ -1662,6 +1684,22 @@ static struct file *do_last(struct namei
31954 path_to_nameidata(path, nd);
31955 audit_inode(pathname, nd->path.dentry);
31957 + if (gr_handle_rofs_blockwrite(nd->path.dentry, nd->path.mnt, acc_mode)) {
31962 + if (gr_handle_rawio(nd->path.dentry->d_inode)) {
31967 + if (!gr_acl_handle_open(nd->path.dentry, nd->path.mnt, flag)) {
31975 @@ -1714,6 +1752,24 @@ static struct file *do_last(struct namei
31977 * It already exists.
31980 + if (gr_handle_rofs_blockwrite(path->dentry, nd->path.mnt, acc_mode)) {
31982 + goto exit_mutex_unlock;
31984 + if (gr_handle_rawio(path->dentry->d_inode)) {
31986 + goto exit_mutex_unlock;
31988 + if (!gr_acl_handle_open(path->dentry, nd->path.mnt, flag)) {
31990 + goto exit_mutex_unlock;
31992 + if (gr_handle_fifo(path->dentry, nd->path.mnt, dir, flag, acc_mode)) {
31994 + goto exit_mutex_unlock;
31997 mutex_unlock(&dir->d_inode->i_mutex);
31998 audit_inode(pathname, path->dentry);
32000 @@ -2034,6 +2090,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32001 error = may_mknod(mode);
32005 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
32010 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
32015 error = mnt_want_write(nd.path.mnt);
32018 @@ -2054,6 +2121,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32021 mnt_drop_write(nd.path.mnt);
32024 + gr_handle_create(dentry, nd.path.mnt);
32028 @@ -2106,6 +2176,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32029 if (IS_ERR(dentry))
32032 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
32037 if (!IS_POSIXACL(nd.path.dentry->d_inode))
32038 mode &= ~current_umask();
32039 error = mnt_want_write(nd.path.mnt);
32040 @@ -2117,6 +2192,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32041 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
32043 mnt_drop_write(nd.path.mnt);
32046 + gr_handle_create(dentry, nd.path.mnt);
32051 @@ -2198,6 +2277,8 @@ static long do_rmdir(int dfd, const char
32053 struct dentry *dentry;
32054 struct nameidata nd;
32055 + ino_t saved_ino = 0;
32056 + dev_t saved_dev = 0;
32058 error = user_path_parent(dfd, pathname, &nd, &name);
32060 @@ -2222,6 +2303,19 @@ static long do_rmdir(int dfd, const char
32061 error = PTR_ERR(dentry);
32062 if (IS_ERR(dentry))
32065 + if (dentry->d_inode != NULL) {
32066 + if (dentry->d_inode->i_nlink <= 1) {
32067 + saved_ino = dentry->d_inode->i_ino;
32068 + saved_dev = dentry->d_inode->i_sb->s_dev;
32071 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
32077 error = mnt_want_write(nd.path.mnt);
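Review bot: The `dentry->d_inode->i_nlink <= 1` test that gates `saved_ino`/`saved_dev` matches the last link of a regular file, but on filesystems that count `.` and the parent entry an empty directory has a link count of 2. For those, `gr_handle_delete()` in the later do_rmdir hunk would never run. If the intent is to notify on every successful rmdir, record the identifiers unconditionally once `d_inode` is known to be non-NULL. Separately, `saved_dev || saved_ino` doubles as the "was recorded" flag here and in do_unlinkat; a dedicated boolean would not depend on zero being an impossible inode/device pair. The function body extends outside the hunk.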
32080 @@ -2229,6 +2323,8 @@ static long do_rmdir(int dfd, const char
32083 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
32084 + if (!error && (saved_dev || saved_ino))
32085 + gr_handle_delete(saved_ino, saved_dev);
32087 mnt_drop_write(nd.path.mnt);
32089 @@ -2291,6 +2387,8 @@ static long do_unlinkat(int dfd, const c
32090 struct dentry *dentry;
32091 struct nameidata nd;
32092 struct inode *inode = NULL;
32093 + ino_t saved_ino = 0;
32094 + dev_t saved_dev = 0;
32096 error = user_path_parent(dfd, pathname, &nd, &name);
32098 @@ -2310,8 +2408,19 @@ static long do_unlinkat(int dfd, const c
32099 if (nd.last.name[nd.last.len])
32101 inode = dentry->d_inode;
32104 + if (inode->i_nlink <= 1) {
32105 + saved_ino = inode->i_ino;
32106 + saved_dev = inode->i_sb->s_dev;
32109 atomic_inc(&inode->i_count);
32111 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
32116 error = mnt_want_write(nd.path.mnt);
32119 @@ -2319,6 +2428,8 @@ static long do_unlinkat(int dfd, const c
32122 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
32123 + if (!error && (saved_ino || saved_dev))
32124 + gr_handle_delete(saved_ino, saved_dev);
32126 mnt_drop_write(nd.path.mnt);
32128 @@ -2396,6 +2507,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
32129 if (IS_ERR(dentry))
32132 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
32137 error = mnt_want_write(nd.path.mnt);
32140 @@ -2403,6 +2519,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
32142 goto out_drop_write;
32143 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
32145 + gr_handle_create(dentry, nd.path.mnt);
32147 mnt_drop_write(nd.path.mnt);
32149 @@ -2495,6 +2613,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32150 error = PTR_ERR(new_dentry);
32151 if (IS_ERR(new_dentry))
32154 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
32155 + old_path.dentry->d_inode,
32156 + old_path.dentry->d_inode->i_mode, to)) {
32161 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
32162 + old_path.dentry, old_path.mnt, to)) {
32167 error = mnt_want_write(nd.path.mnt);
32170 @@ -2502,6 +2634,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32172 goto out_drop_write;
32173 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
32175 + gr_handle_create(new_dentry, nd.path.mnt);
32177 mnt_drop_write(nd.path.mnt);
32179 @@ -2735,6 +2869,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32180 if (new_dentry == trap)
32183 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
32184 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
32189 error = mnt_want_write(oldnd.path.mnt);
32192 @@ -2744,6 +2884,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32194 error = vfs_rename(old_dir->d_inode, old_dentry,
32195 new_dir->d_inode, new_dentry);
32197 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
32198 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
32200 mnt_drop_write(oldnd.path.mnt);
32202 diff -urNp linux-2.6.35.7/fs/namespace.c linux-2.6.35.7/fs/namespace.c
32203 --- linux-2.6.35.7/fs/namespace.c 2010-08-26 19:47:12.000000000 -0400
32204 +++ linux-2.6.35.7/fs/namespace.c 2010-09-17 20:21:58.000000000 -0400
32205 @@ -1099,6 +1099,9 @@ static int do_umount(struct vfsmount *mn
32206 if (!(sb->s_flags & MS_RDONLY))
32207 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
32208 up_write(&sb->s_umount);
32210 + gr_log_remount(mnt->mnt_devname, retval);
32215 @@ -1118,6 +1121,9 @@ static int do_umount(struct vfsmount *mn
32216 spin_unlock(&vfsmount_lock);
32217 up_write(&namespace_sem);
32218 release_mounts(&umount_list);
32220 + gr_log_unmount(mnt->mnt_devname, retval);
32225 @@ -1988,6 +1994,16 @@ long do_mount(char *dev_name, char *dir_
32226 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
32229 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
32234 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
32239 if (flags & MS_REMOUNT)
32240 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
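Review bot: `dev_name` is passed to `gr_handle_chroot_mount()` here and to `gr_log_mount()` in the next do_mount hunk with no NULL check visible. do_mount's `dev_name` may be NULL when the caller supplies no device string; this should be confirmed against the syscall wrapper, which is outside this page. Either both helpers must document that they accept NULL, or the call sites should substitute a placeholder, e.g. `gr_log_mount(dev_name ? dev_name : "none", dir_name, retval);`. The helper bodies are not visible here.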
32242 @@ -2002,6 +2018,9 @@ long do_mount(char *dev_name, char *dir_
32243 dev_name, data_page);
32247 + gr_log_mount(dev_name, dir_name, retval);
32252 @@ -2208,6 +2227,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
32256 + if (gr_handle_chroot_pivot()) {
32262 read_lock(¤t->fs->lock);
32263 root = current->fs->root;
32264 path_get(¤t->fs->root);
32265 diff -urNp linux-2.6.35.7/fs/nfs/inode.c linux-2.6.35.7/fs/nfs/inode.c
32266 --- linux-2.6.35.7/fs/nfs/inode.c 2010-08-26 19:47:12.000000000 -0400
32267 +++ linux-2.6.35.7/fs/nfs/inode.c 2010-09-17 20:12:09.000000000 -0400
32268 @@ -915,16 +915,16 @@ static int nfs_size_need_update(const st
32269 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
32272 -static atomic_long_t nfs_attr_generation_counter;
32273 +static atomic_long_unchecked_t nfs_attr_generation_counter;
32275 static unsigned long nfs_read_attr_generation_counter(void)
32277 - return atomic_long_read(&nfs_attr_generation_counter);
32278 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
32281 unsigned long nfs_inc_attr_generation_counter(void)
32283 - return atomic_long_inc_return(&nfs_attr_generation_counter);
32284 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
32287 void nfs_fattr_init(struct nfs_fattr *fattr)
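Review bot: The switch of `nfs_attr_generation_counter` to `atomic_long_unchecked_t` carries no comment saying why this counter is exempt from overflow checking. It looks like a generation number whose wraparound is harmless rather than a reference count, but that reasoning should be recorded at the declaration, e.g. `/* generation number, not a refcount: wraparound is harmless, so overflow checking is not wanted */`. The same applies to the `ocfs2_alloc_stats` members converted to `atomic_unchecked_t` in fs/ocfs2/ocfs2.h.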
32288 diff -urNp linux-2.6.35.7/fs/nfs/nfs4proc.c linux-2.6.35.7/fs/nfs/nfs4proc.c
32289 --- linux-2.6.35.7/fs/nfs/nfs4proc.c 2010-08-26 19:47:12.000000000 -0400
32290 +++ linux-2.6.35.7/fs/nfs/nfs4proc.c 2010-09-17 20:12:09.000000000 -0400
32291 @@ -1166,7 +1166,7 @@ static int _nfs4_do_open_reclaim(struct
32292 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
32294 struct nfs_server *server = NFS_SERVER(state->inode);
32295 - struct nfs4_exception exception = { };
32296 + struct nfs4_exception exception = {0, 0};
32299 err = _nfs4_do_open_reclaim(ctx, state);
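Review bot: The positional initializer `{0, 0}` ties each of these declarations to the current member count and order of `struct nfs4_exception`, which is declared outside this page. `struct nfs4_exception exception = { 0 };` zero-initializes every member in standard C without that coupling, or designated initializers can name the fields explicitly. This applies to every `exception` declaration changed in the fs/nfs/nfs4proc.c hunks that follow.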
32300 @@ -1208,7 +1208,7 @@ static int _nfs4_open_delegation_recall(
32302 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
32304 - struct nfs4_exception exception = { };
32305 + struct nfs4_exception exception = {0, 0};
32306 struct nfs_server *server = NFS_SERVER(state->inode);
32309 @@ -1581,7 +1581,7 @@ static int _nfs4_open_expired(struct nfs
32310 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
32312 struct nfs_server *server = NFS_SERVER(state->inode);
32313 - struct nfs4_exception exception = { };
32314 + struct nfs4_exception exception = {0, 0};
32318 @@ -1697,7 +1697,7 @@ out_err:
32320 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
32322 - struct nfs4_exception exception = { };
32323 + struct nfs4_exception exception = {0, 0};
32324 struct nfs4_state *res;
32327 @@ -1788,7 +1788,7 @@ static int nfs4_do_setattr(struct inode
32328 struct nfs4_state *state)
32330 struct nfs_server *server = NFS_SERVER(inode);
32331 - struct nfs4_exception exception = { };
32332 + struct nfs4_exception exception = {0, 0};
32335 err = nfs4_handle_exception(server,
32336 @@ -2166,7 +2166,7 @@ static int _nfs4_server_capabilities(str
32338 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
32340 - struct nfs4_exception exception = { };
32341 + struct nfs4_exception exception = {0, 0};
32344 err = nfs4_handle_exception(server,
32345 @@ -2200,7 +2200,7 @@ static int _nfs4_lookup_root(struct nfs_
32346 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
32347 struct nfs_fsinfo *info)
32349 - struct nfs4_exception exception = { };
32350 + struct nfs4_exception exception = {0, 0};
32353 err = nfs4_handle_exception(server,
32354 @@ -2289,7 +2289,7 @@ static int _nfs4_proc_getattr(struct nfs
32356 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32358 - struct nfs4_exception exception = { };
32359 + struct nfs4_exception exception = {0, 0};
32362 err = nfs4_handle_exception(server,
32363 @@ -2377,7 +2377,7 @@ static int nfs4_proc_lookupfh(struct nfs
32364 struct qstr *name, struct nfs_fh *fhandle,
32365 struct nfs_fattr *fattr)
32367 - struct nfs4_exception exception = { };
32368 + struct nfs4_exception exception = {0, 0};
32371 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
32372 @@ -2406,7 +2406,7 @@ static int _nfs4_proc_lookup(struct inod
32374 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32376 - struct nfs4_exception exception = { };
32377 + struct nfs4_exception exception = {0, 0};
32380 err = nfs4_handle_exception(NFS_SERVER(dir),
32381 @@ -2473,7 +2473,7 @@ static int _nfs4_proc_access(struct inod
32383 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
32385 - struct nfs4_exception exception = { };
32386 + struct nfs4_exception exception = {0, 0};
32389 err = nfs4_handle_exception(NFS_SERVER(inode),
32390 @@ -2529,7 +2529,7 @@ static int _nfs4_proc_readlink(struct in
32391 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
32392 unsigned int pgbase, unsigned int pglen)
32394 - struct nfs4_exception exception = { };
32395 + struct nfs4_exception exception = {0, 0};
32398 err = nfs4_handle_exception(NFS_SERVER(inode),
32399 @@ -2625,7 +2625,7 @@ out:
32401 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
32403 - struct nfs4_exception exception = { };
32404 + struct nfs4_exception exception = {0, 0};
32407 err = nfs4_handle_exception(NFS_SERVER(dir),
32408 @@ -2700,7 +2700,7 @@ out:
32409 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
32410 struct inode *new_dir, struct qstr *new_name)
32412 - struct nfs4_exception exception = { };
32413 + struct nfs4_exception exception = {0, 0};
32416 err = nfs4_handle_exception(NFS_SERVER(old_dir),
32417 @@ -2749,7 +2749,7 @@ out:
32419 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
32421 - struct nfs4_exception exception = { };
32422 + struct nfs4_exception exception = {0, 0};
32425 err = nfs4_handle_exception(NFS_SERVER(inode),
32426 @@ -2841,7 +2841,7 @@ out:
32427 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
32428 struct page *page, unsigned int len, struct iattr *sattr)
32430 - struct nfs4_exception exception = { };
32431 + struct nfs4_exception exception = {0, 0};
32434 err = nfs4_handle_exception(NFS_SERVER(dir),
32435 @@ -2872,7 +2872,7 @@ out:
32436 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
32437 struct iattr *sattr)
32439 - struct nfs4_exception exception = { };
32440 + struct nfs4_exception exception = {0, 0};
32443 err = nfs4_handle_exception(NFS_SERVER(dir),
32444 @@ -2921,7 +2921,7 @@ static int _nfs4_proc_readdir(struct den
32445 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
32446 u64 cookie, struct page *page, unsigned int count, int plus)
32448 - struct nfs4_exception exception = { };
32449 + struct nfs4_exception exception = {0, 0};
32452 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
32453 @@ -2969,7 +2969,7 @@ out:
32454 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
32455 struct iattr *sattr, dev_t rdev)
32457 - struct nfs4_exception exception = { };
32458 + struct nfs4_exception exception = {0, 0};
32461 err = nfs4_handle_exception(NFS_SERVER(dir),
32462 @@ -3001,7 +3001,7 @@ static int _nfs4_proc_statfs(struct nfs_
32464 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
32466 - struct nfs4_exception exception = { };
32467 + struct nfs4_exception exception = {0, 0};
32470 err = nfs4_handle_exception(server,
32471 @@ -3032,7 +3032,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
32473 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
32475 - struct nfs4_exception exception = { };
32476 + struct nfs4_exception exception = {0, 0};
32480 @@ -3078,7 +3078,7 @@ static int _nfs4_proc_pathconf(struct nf
32481 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
32482 struct nfs_pathconf *pathconf)
32484 - struct nfs4_exception exception = { };
32485 + struct nfs4_exception exception = {0, 0};
32489 @@ -3399,7 +3399,7 @@ out_free:
32491 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
32493 - struct nfs4_exception exception = { };
32494 + struct nfs4_exception exception = {0, 0};
32497 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
32498 @@ -3455,7 +3455,7 @@ static int __nfs4_proc_set_acl(struct in
32500 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
32502 - struct nfs4_exception exception = { };
32503 + struct nfs4_exception exception = {0, 0};
32506 err = nfs4_handle_exception(NFS_SERVER(inode),
32507 @@ -3745,7 +3745,7 @@ out:
32508 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
32510 struct nfs_server *server = NFS_SERVER(inode);
32511 - struct nfs4_exception exception = { };
32512 + struct nfs4_exception exception = {0, 0};
32515 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
32516 @@ -3818,7 +3818,7 @@ out:
32518 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32520 - struct nfs4_exception exception = { };
32521 + struct nfs4_exception exception = {0, 0};
32525 @@ -4232,7 +4232,7 @@ static int _nfs4_do_setlk(struct nfs4_st
32526 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
32528 struct nfs_server *server = NFS_SERVER(state->inode);
32529 - struct nfs4_exception exception = { };
32530 + struct nfs4_exception exception = {0, 0};
32534 @@ -4250,7 +4250,7 @@ static int nfs4_lock_reclaim(struct nfs4
32535 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
32537 struct nfs_server *server = NFS_SERVER(state->inode);
32538 - struct nfs4_exception exception = { };
32539 + struct nfs4_exception exception = {0, 0};
32542 err = nfs4_set_lock_state(state, request);
32543 @@ -4315,7 +4315,7 @@ out:
32545 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32547 - struct nfs4_exception exception = { };
32548 + struct nfs4_exception exception = {0, 0};
32552 @@ -4375,7 +4375,7 @@ nfs4_proc_lock(struct file *filp, int cm
32553 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32555 struct nfs_server *server = NFS_SERVER(state->inode);
32556 - struct nfs4_exception exception = { };
32557 + struct nfs4_exception exception = {0, 0};
32560 err = nfs4_set_lock_state(state, fl);
32561 diff -urNp linux-2.6.35.7/fs/nfsd/lockd.c linux-2.6.35.7/fs/nfsd/lockd.c
32562 --- linux-2.6.35.7/fs/nfsd/lockd.c 2010-08-26 19:47:12.000000000 -0400
32563 +++ linux-2.6.35.7/fs/nfsd/lockd.c 2010-09-17 20:12:09.000000000 -0400
32564 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32568 -static struct nlmsvc_binding nfsd_nlm_ops = {
32569 +static const struct nlmsvc_binding nfsd_nlm_ops = {
32570 .fopen = nlm_fopen, /* open file for locking */
32571 .fclose = nlm_fclose, /* close file */
32573 diff -urNp linux-2.6.35.7/fs/nfsd/nfsctl.c linux-2.6.35.7/fs/nfsd/nfsctl.c
32574 --- linux-2.6.35.7/fs/nfsd/nfsctl.c 2010-08-26 19:47:12.000000000 -0400
32575 +++ linux-2.6.35.7/fs/nfsd/nfsctl.c 2010-09-17 20:12:09.000000000 -0400
32576 @@ -163,7 +163,7 @@ static int export_features_open(struct i
32577 return single_open(file, export_features_show, NULL);
32580 -static struct file_operations export_features_operations = {
32581 +static const struct file_operations export_features_operations = {
32582 .open = export_features_open,
32584 .llseek = seq_lseek,
32585 diff -urNp linux-2.6.35.7/fs/nfsd/vfs.c linux-2.6.35.7/fs/nfsd/vfs.c
32586 --- linux-2.6.35.7/fs/nfsd/vfs.c 2010-08-26 19:47:12.000000000 -0400
32587 +++ linux-2.6.35.7/fs/nfsd/vfs.c 2010-09-17 20:12:09.000000000 -0400
32588 @@ -933,7 +933,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
32592 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32593 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
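Review bot: The added `__force` cast tells sparse to stop checking the address space of `vec`, so nothing will flag this call if the `set_fs(KERNEL_DS)` bracket it relies on is later moved or removed. That bracket is visible in the nfsd_vfs_write and nfsd_readlink hunks below but not in this one. A one-line comment at each of the three casts, such as `/* vec is a kernel iovec; valid as __user only while KERNEL_DS is set */`, would record the assumption the cast hides.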
32597 @@ -1056,7 +1056,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
32599 /* Write the data. */
32600 oldfs = get_fs(); set_fs(KERNEL_DS);
32601 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32602 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32606 @@ -1541,7 +1541,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
32609 oldfs = get_fs(); set_fs(KERNEL_DS);
32610 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
32611 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32615 diff -urNp linux-2.6.35.7/fs/nls/nls_base.c linux-2.6.35.7/fs/nls/nls_base.c
32616 --- linux-2.6.35.7/fs/nls/nls_base.c 2010-08-26 19:47:12.000000000 -0400
32617 +++ linux-2.6.35.7/fs/nls/nls_base.c 2010-09-17 20:12:09.000000000 -0400
32618 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32619 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
32620 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
32621 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
32622 - {0, /* end of table */}
32623 + {0, 0, 0, 0, 0, /* end of table */}
32626 #define UNICODE_MAX 0x0010ffff
32627 diff -urNp linux-2.6.35.7/fs/ntfs/dir.c linux-2.6.35.7/fs/ntfs/dir.c
32628 --- linux-2.6.35.7/fs/ntfs/dir.c 2010-08-26 19:47:12.000000000 -0400
32629 +++ linux-2.6.35.7/fs/ntfs/dir.c 2010-10-11 22:41:44.000000000 -0400
32630 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
32631 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
32632 ~(s64)(ndir->itype.index.block_size - 1)));
32633 /* Bounds checks. */
32634 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
32635 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
32636 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
32637 "inode 0x%lx or driver bug.", vdir->i_ino);
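Review bot: The new `!kaddr` test runs only after `kaddr` has already been used to compute `ia` in the assignment directly above it. A NULL mapping is then reported with the "Corrupt directory inode ... or driver bug" text, which misstates the cause. Checking `kaddr` where it is assigned (outside this hunk) and giving it its own error message would keep this test about bounds and make the log entry accurate for triage.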
32639 diff -urNp linux-2.6.35.7/fs/ntfs/file.c linux-2.6.35.7/fs/ntfs/file.c
32640 --- linux-2.6.35.7/fs/ntfs/file.c 2010-08-26 19:47:12.000000000 -0400
32641 +++ linux-2.6.35.7/fs/ntfs/file.c 2010-09-17 20:12:09.000000000 -0400
32642 @@ -2223,6 +2223,6 @@ const struct inode_operations ntfs_file_
32643 #endif /* NTFS_RW */
32646 -const struct file_operations ntfs_empty_file_ops = {};
32647 +const struct file_operations ntfs_empty_file_ops __read_only;
32649 -const struct inode_operations ntfs_empty_inode_ops = {};
32650 +const struct inode_operations ntfs_empty_inode_ops __read_only;
32651 diff -urNp linux-2.6.35.7/fs/ocfs2/localalloc.c linux-2.6.35.7/fs/ocfs2/localalloc.c
32652 --- linux-2.6.35.7/fs/ocfs2/localalloc.c 2010-08-26 19:47:12.000000000 -0400
32653 +++ linux-2.6.35.7/fs/ocfs2/localalloc.c 2010-09-17 20:12:09.000000000 -0400
32654 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
32658 - atomic_inc(&osb->alloc_stats.moves);
32659 + atomic_inc_unchecked(&osb->alloc_stats.moves);
32663 diff -urNp linux-2.6.35.7/fs/ocfs2/ocfs2.h linux-2.6.35.7/fs/ocfs2/ocfs2.h
32664 --- linux-2.6.35.7/fs/ocfs2/ocfs2.h 2010-08-26 19:47:12.000000000 -0400
32665 +++ linux-2.6.35.7/fs/ocfs2/ocfs2.h 2010-09-17 20:12:09.000000000 -0400
32666 @@ -223,11 +223,11 @@ enum ocfs2_vol_state
32668 struct ocfs2_alloc_stats
32671 - atomic_t local_data;
32672 - atomic_t bitmap_data;
32673 - atomic_t bg_allocs;
32674 - atomic_t bg_extends;
32675 + atomic_unchecked_t moves;
32676 + atomic_unchecked_t local_data;
32677 + atomic_unchecked_t bitmap_data;
32678 + atomic_unchecked_t bg_allocs;
32679 + atomic_unchecked_t bg_extends;
32682 enum ocfs2_local_alloc_state
32683 diff -urNp linux-2.6.35.7/fs/ocfs2/suballoc.c linux-2.6.35.7/fs/ocfs2/suballoc.c
32684 --- linux-2.6.35.7/fs/ocfs2/suballoc.c 2010-08-26 19:47:12.000000000 -0400
32685 +++ linux-2.6.35.7/fs/ocfs2/suballoc.c 2010-09-17 20:12:09.000000000 -0400
32686 @@ -856,7 +856,7 @@ static int ocfs2_reserve_suballoc_bits(s
32687 mlog_errno(status);
32690 - atomic_inc(&osb->alloc_stats.bg_extends);
32691 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
32693 /* You should never ask for this much metadata */
32694 BUG_ON(bits_wanted >
32695 @@ -1968,7 +1968,7 @@ int ocfs2_claim_metadata(handle_t *handl
32696 mlog_errno(status);
32699 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32700 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32702 *suballoc_loc = res.sr_bg_blkno;
32703 *suballoc_bit_start = res.sr_bit_offset;
32704 @@ -2045,7 +2045,7 @@ int ocfs2_claim_new_inode(handle_t *hand
32705 mlog_errno(status);
32708 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32709 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32711 BUG_ON(res.sr_bits != 1);
32713 @@ -2150,7 +2150,7 @@ int __ocfs2_claim_clusters(handle_t *han
32717 - atomic_inc(&osb->alloc_stats.local_data);
32718 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
32720 if (min_clusters > (osb->bitmap_cpg - 1)) {
32721 /* The only paths asking for contiguousness
32722 @@ -2176,7 +2176,7 @@ int __ocfs2_claim_clusters(handle_t *han
32723 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
32725 res.sr_bit_offset);
32726 - atomic_inc(&osb->alloc_stats.bitmap_data);
32727 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
32728 *num_clusters = res.sr_bits;
32731 diff -urNp linux-2.6.35.7/fs/ocfs2/super.c linux-2.6.35.7/fs/ocfs2/super.c
32732 --- linux-2.6.35.7/fs/ocfs2/super.c 2010-08-26 19:47:12.000000000 -0400
32733 +++ linux-2.6.35.7/fs/ocfs2/super.c 2010-09-17 20:12:09.000000000 -0400
32734 @@ -293,11 +293,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
32735 "%10s => GlobalAllocs: %d LocalAllocs: %d "
32736 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
32738 - atomic_read(&osb->alloc_stats.bitmap_data),
32739 - atomic_read(&osb->alloc_stats.local_data),
32740 - atomic_read(&osb->alloc_stats.bg_allocs),
32741 - atomic_read(&osb->alloc_stats.moves),
32742 - atomic_read(&osb->alloc_stats.bg_extends));
32743 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
32744 + atomic_read_unchecked(&osb->alloc_stats.local_data),
32745 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
32746 + atomic_read_unchecked(&osb->alloc_stats.moves),
32747 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
32749 out += snprintf(buf + out, len - out,
32750 "%10s => State: %u Descriptor: %llu Size: %u bits "
32751 @@ -2047,11 +2047,11 @@ static int ocfs2_initialize_super(struct
32752 spin_lock_init(&osb->osb_xattr_lock);
32753 ocfs2_init_steal_slots(osb);
32755 - atomic_set(&osb->alloc_stats.moves, 0);
32756 - atomic_set(&osb->alloc_stats.local_data, 0);
32757 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
32758 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
32759 - atomic_set(&osb->alloc_stats.bg_extends, 0);
32760 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
32761 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
32762 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
32763 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
32764 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
32766 /* Copy the blockcheck stats from the superblock probe */
32767 osb->osb_ecc_stats = *stats;
32768 diff -urNp linux-2.6.35.7/fs/ocfs2/symlink.c linux-2.6.35.7/fs/ocfs2/symlink.c
32769 --- linux-2.6.35.7/fs/ocfs2/symlink.c 2010-08-26 19:47:12.000000000 -0400
32770 +++ linux-2.6.35.7/fs/ocfs2/symlink.c 2010-09-17 20:12:09.000000000 -0400
32771 @@ -148,7 +148,7 @@ bail:
32773 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
32775 - char *link = nd_get_link(nd);
32776 + const char *link = nd_get_link(nd);
32780 diff -urNp linux-2.6.35.7/fs/open.c linux-2.6.35.7/fs/open.c
32781 --- linux-2.6.35.7/fs/open.c 2010-08-26 19:47:12.000000000 -0400
32782 +++ linux-2.6.35.7/fs/open.c 2010-09-17 20:12:37.000000000 -0400
32783 @@ -42,6 +42,9 @@ int do_truncate(struct dentry *dentry, l
32787 + if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
32790 newattrs.ia_size = length;
32791 newattrs.ia_valid = ATTR_SIZE | time_attrs;
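Review bot: The added test `if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))` is skipped whenever do_truncate() is called with a NULL filp, so the hook only runs for callers that pass an open file. If path-based callers apply the policy check themselves that is fine, but nothing in the hunk records it. Once confirmed against the callers, a comment above the test such as `/* filp == NULL: the caller has already applied the truncate policy check */` would document the assumption. The rest of do_truncate() lies outside the hunk.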
32793 @@ -345,6 +348,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
32794 if (__mnt_is_readonly(path.mnt))
32797 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
32803 @@ -371,6 +377,8 @@ SYSCALL_DEFINE1(chdir, const char __user
32807 + gr_log_chdir(path.dentry, path.mnt);
32809 set_fs_pwd(current->fs, &path);
32812 @@ -397,6 +405,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
32815 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
32817 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
32821 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
32824 set_fs_pwd(current->fs, &file->f_path);
32826 @@ -425,7 +440,18 @@ SYSCALL_DEFINE1(chroot, const char __use
32830 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
32831 + goto dput_and_out;
32833 + if (gr_handle_chroot_caps(&path)) {
32835 + goto dput_and_out;
32838 set_fs_root(current->fs, &path);
32840 + gr_handle_chroot_chdir(&path);
32845 @@ -453,6 +479,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
32846 err = mnt_want_write_file(file);
32850 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
32852 + goto out_drop_write;
32855 mutex_lock(&inode->i_mutex);
32856 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
32858 @@ -464,6 +496,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
32859 err = notify_change(dentry, &newattrs);
32861 mutex_unlock(&inode->i_mutex);
32863 mnt_drop_write(file->f_path.mnt);
32866 @@ -486,17 +519,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
32867 error = mnt_want_write(path.mnt);
32871 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
32873 + goto out_drop_write;
32876 mutex_lock(&inode->i_mutex);
32877 error = security_path_chmod(path.dentry, path.mnt, mode);
32880 if (mode == (mode_t) -1)
32881 mode = inode->i_mode;
32883 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
32888 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
32889 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
32890 error = notify_change(path.dentry, &newattrs);
32892 mutex_unlock(&inode->i_mutex);
32894 mnt_drop_write(path.mnt);
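Review bot: `gr_acl_handle_chmod(path.dentry, path.mnt, mode)` runs before the `if (mode == (mode_t) -1) mode = inode->i_mode;` normalisation and before `mutex_lock(&inode->i_mutex)`, whereas `gr_handle_chroot_chmod(...)` runs after both. The ACL hook can therefore be handed the (mode_t)-1 sentinel instead of the mode that is actually applied, and it looks at the inode outside the lock that serialises the attribute change. Unless the hook is written to expect that, placing the call next to gr_handle_chroot_chmod, after the normalisation, would make both checks see the same value. The fchmod hunk above places `gr_acl_handle_fchmod` before the lock in the same way, and the function body continues outside this hunk.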
32897 @@ -515,6 +561,9 @@ static int chown_common(struct path *pat
32899 struct iattr newattrs;
32901 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
32904 newattrs.ia_valid = ATTR_CTIME;
32905 if (user != (uid_t) -1) {
32906 newattrs.ia_valid |= ATTR_UID;
32907 diff -urNp linux-2.6.35.7/fs/pipe.c linux-2.6.35.7/fs/pipe.c
32908 --- linux-2.6.35.7/fs/pipe.c 2010-08-26 19:47:12.000000000 -0400
32909 +++ linux-2.6.35.7/fs/pipe.c 2010-10-11 22:41:44.000000000 -0400
32910 @@ -382,7 +382,7 @@ pipe_read(struct kiocb *iocb, const stru
32911 error = ops->confirm(pipe, buf);
32919 @@ -420,9 +420,9 @@ redo:
32921 if (bufs) /* More to do? */
32923 - if (!pipe->writers)
32924 + if (!atomic_read(&pipe->writers))
32926 - if (!pipe->waiting_writers) {
32927 + if (!atomic_read(&pipe->waiting_writers)) {
32928 /* syscall merging: Usually we must not sleep
32929 * if O_NONBLOCK is set, or if we got some data.
32930 * But if a writer sleeps in kernel space, then
32931 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
32932 mutex_lock(&inode->i_mutex);
32933 pipe = inode->i_pipe;
32935 - if (!pipe->readers) {
32936 + if (!atomic_read(&pipe->readers)) {
32937 send_sig(SIGPIPE, current, 0);
32940 @@ -530,7 +530,7 @@ redo1:
32944 - if (!pipe->readers) {
32945 + if (!atomic_read(&pipe->readers)) {
32946 send_sig(SIGPIPE, current, 0);
32949 @@ -616,9 +616,9 @@ redo2:
32950 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
32953 - pipe->waiting_writers++;
32954 + atomic_inc(&pipe->waiting_writers);
32956 - pipe->waiting_writers--;
32957 + atomic_dec(&pipe->waiting_writers);
32960 mutex_unlock(&inode->i_mutex);
32961 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
32963 if (filp->f_mode & FMODE_READ) {
32964 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
32965 - if (!pipe->writers && filp->f_version != pipe->w_counter)
32966 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
32970 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
32971 * Most Unices do not set POLLERR for FIFOs but on Linux they
32972 * behave exactly like pipes for poll().
32974 - if (!pipe->readers)
32975 + if (!atomic_read(&pipe->readers))
32979 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
32981 mutex_lock(&inode->i_mutex);
32982 pipe = inode->i_pipe;
32983 - pipe->readers -= decr;
32984 - pipe->writers -= decw;
32985 + atomic_sub(decr, &pipe->readers);
32986 + atomic_sub(decw, &pipe->writers);
32988 - if (!pipe->readers && !pipe->writers) {
32989 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
32990 free_pipe_info(inode);
32992 wake_up_interruptible_sync(&pipe->wait);
32993 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
32995 if (inode->i_pipe) {
32997 - inode->i_pipe->readers++;
32998 + atomic_inc(&inode->i_pipe->readers);
33001 mutex_unlock(&inode->i_mutex);
33002 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
33004 if (inode->i_pipe) {
33006 - inode->i_pipe->writers++;
33007 + atomic_inc(&inode->i_pipe->writers);
33010 mutex_unlock(&inode->i_mutex);
33011 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
33012 if (inode->i_pipe) {
33014 if (filp->f_mode & FMODE_READ)
33015 - inode->i_pipe->readers++;
33016 + atomic_inc(&inode->i_pipe->readers);
33017 if (filp->f_mode & FMODE_WRITE)
33018 - inode->i_pipe->writers++;
33019 + atomic_inc(&inode->i_pipe->writers);
33022 mutex_unlock(&inode->i_mutex);
33023 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
33024 inode->i_pipe = NULL;
33027 -static struct vfsmount *pipe_mnt __read_mostly;
33028 +struct vfsmount *pipe_mnt __read_mostly;
33031 * pipefs_dname() is called from d_path().
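Review bot: Dropping `static` from `pipe_mnt` makes it a kernel-wide symbol, but this hunk adds no declaration for it and does not say who needs it. The matching `extern struct vfsmount *pipe_mnt;` belongs in a header shared with the consuming file (not visible here) so the two cannot disagree on the type. A one-line comment such as `/* non-static: referenced outside fs/pipe.c */` would also stop a later cleanup from restoring `static`.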
33032 @@ -959,7 +959,8 @@ static struct inode * get_pipe_inode(voi
33034 inode->i_pipe = pipe;
33036 - pipe->readers = pipe->writers = 1;
33037 + atomic_set(&pipe->readers, 1);
33038 + atomic_set(&pipe->writers, 1);
33039 inode->i_fop = &rdwr_pipefifo_fops;
33042 diff -urNp linux-2.6.35.7/fs/proc/array.c linux-2.6.35.7/fs/proc/array.c
33043 --- linux-2.6.35.7/fs/proc/array.c 2010-08-26 19:47:12.000000000 -0400
33044 +++ linux-2.6.35.7/fs/proc/array.c 2010-09-17 20:12:37.000000000 -0400
33045 @@ -337,6 +337,21 @@ static void task_cpus_allowed(struct seq
33046 seq_printf(m, "\n");
33049 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33050 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
33053 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
33054 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
33055 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
33056 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
33057 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
33058 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
33060 + seq_printf(m, "PaX:\t-----\n");
33064 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
33065 struct pid *pid, struct task_struct *task)
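Review bot: task_pax() reads `p->mm` once per flag in the seq_printf() arguments, and no reference or lock on the mm is visible in this hunk, so a task exiting concurrently could have its mm cleared between those reads. Some lines of the hunk, including whatever selects the `"PaX:\t-----\n"` branch, are not visible in this view, so the guard itself cannot be judged here. Taking the mm once with `struct mm_struct *mm = get_task_mm(p);`, testing `mm->pax_flags` through that pointer and ending with `mmput(mm);` would keep the whole output line consistent. A short comment listing what the five letters stand for would help readers of the status file.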
33067 @@ -357,9 +372,20 @@ int proc_pid_status(struct seq_file *m,
33068 task_show_regs(m, task);
33070 task_context_switch_counts(m, task);
33072 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33073 + task_pax(m, task);
33079 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33080 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33081 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33082 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33085 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
33086 struct pid *pid, struct task_struct *task, int whole)
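Review bot: The `PAX_RAND_FLAGS(_mm)` macro added here is defined again, identically, in the fs/proc/base.c and fs/proc/task_mmu.c hunks, and its parameter is used unparenthesised and evaluated up to four times. One definition in a shared header (fs/proc/internal.h is already touched by this patch), written as a `static inline` function or at least with `(_mm)` parenthesised, would keep the three copies from drifting apart. A comment saying that the macro marks tasks whose address-space layout is hidden from any reader other than the task itself would explain why `_mm != current->mm` is part of the test.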
33088 @@ -452,6 +478,19 @@ static int do_task_stat(struct seq_file
33089 gtime = task->gtime;
33092 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33093 + if (PAX_RAND_FLAGS(mm)) {
33099 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33105 /* scale priority and nice values from timeslices to -20..20 */
33106 /* to make it look like a "normal" Unix priority/nice value */
33107 priority = task_prio(task);
33108 @@ -492,9 +531,15 @@ static int do_task_stat(struct seq_file
33110 mm ? get_mm_rss(mm) : 0,
33112 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33113 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
33114 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
33115 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
33117 mm ? mm->start_code : 0,
33118 mm ? mm->end_code : 0,
33119 (permitted && mm) ? mm->start_stack : 0,
33123 /* The signal information here is obsolete.
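Review bot: When `PAX_RAND_FLAGS(mm)` is true the new lines report `1` for start_code and end_code but `0` for start_stack, and nothing explains the difference. If the non-zero placeholder is deliberate, say so in a comment above the three lines, for example `/* layout hidden: placeholders, not real addresses */`; otherwise use the same placeholder for all three. The enclosing seq_printf() call starts and ends outside the hunk.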
33124 @@ -547,3 +592,10 @@ int proc_pid_statm(struct seq_file *m, s
33129 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33130 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
33132 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
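Review bot: proc_pid_ipaddr() has no comment saying what `task->signal->curr_ip` records or who may read it, although it publishes a per-task network address through /proc. The entry is registered with `S_IRUSR` in the fs/proc/base.c hunk, so a header comment such as `/* owner-only: IPv4 address stored in signal->curr_ip for this task */` would tie the two together. The `sprintf` is unbounded; the "%pI4\n" output is short, but if `buffer` is the usual page-sized proc buffer (not visible here) `snprintf(buffer, PAGE_SIZE, "%pI4\n", &task->signal->curr_ip)` states the limit explicitly.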
33135 diff -urNp linux-2.6.35.7/fs/proc/base.c linux-2.6.35.7/fs/proc/base.c
33136 --- linux-2.6.35.7/fs/proc/base.c 2010-08-26 19:47:12.000000000 -0400
33137 +++ linux-2.6.35.7/fs/proc/base.c 2010-09-22 18:45:42.000000000 -0400
33138 @@ -103,6 +103,22 @@ struct pid_entry {
33142 +struct getdents_callback {
33143 + struct linux_dirent __user * current_dir;
33144 + struct linux_dirent __user * previous;
33145 + struct file * file;
33150 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
33151 + loff_t offset, u64 ino, unsigned int d_type)
33153 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
33154 + buf->error = -EINVAL;
33158 #define NOD(NAME, MODE, IOP, FOP, OP) { \
33160 .len = sizeof(NAME) - 1, \
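Review bot: gr_fake_filldir() casts the opaque `__buf` to a private copy of `struct getdents_callback` and stores `buf->error = -EINVAL` through it, so the store is only in bounds when the caller really passed that exact layout. The struct is defined in fs/readdir.c, which this patch also modifies, and the buffer behind `__buf` is chosen by whichever directory-read path invoked the callback. Sharing a single definition through a header would remove the risk of the two copies drifting apart. A comment above the cast should name the callers that are expected to reach this callback, so that a path using a different callback struct is noticed in review.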
33161 @@ -202,6 +218,9 @@ static int check_mem_permission(struct t
33162 if (task == current)
33165 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
33169 * If current is actively ptrace'ing, and would also be
33170 * permitted to freshly attach with ptrace now, permit it.
33171 @@ -249,6 +268,9 @@ static int proc_pid_cmdline(struct task_
33173 goto out_mm; /* Shh! No looking before we're done */
33175 + if (gr_acl_handle_procpidmem(task))
33178 len = mm->arg_end - mm->arg_start;
33180 if (len > PAGE_SIZE)
33181 @@ -276,12 +298,26 @@ out:
33185 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33186 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33187 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33188 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33191 static int proc_pid_auxv(struct task_struct *task, char *buffer)
33194 struct mm_struct *mm = get_task_mm(task);
33196 unsigned int nwords = 0;
33198 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33199 + if (PAX_RAND_FLAGS(mm)) {
33207 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
33208 @@ -295,7 +331,7 @@ static int proc_pid_auxv(struct task_str
33212 -#ifdef CONFIG_KALLSYMS
33213 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33215 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
33216 * Returns the resolved symbol. If that fails, simply return the address.
33217 @@ -317,7 +353,7 @@ static int proc_pid_wchan(struct task_st
33219 #endif /* CONFIG_KALLSYMS */
33221 -#ifdef CONFIG_STACKTRACE
33222 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33224 #define MAX_STACK_TRACE_DEPTH 64
33226 @@ -511,7 +547,7 @@ static int proc_pid_limits(struct task_s
33230 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33231 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33232 static int proc_pid_syscall(struct task_struct *task, char *buffer)
33235 @@ -920,6 +956,9 @@ static ssize_t environ_read(struct file
33239 + if (gr_acl_handle_procpidmem(task))
33242 if (!ptrace_may_access(task, PTRACE_MODE_READ))
33245 @@ -1514,7 +1553,11 @@ static struct inode *proc_pid_make_inode
33247 cred = __task_cred(task);
33248 inode->i_uid = cred->euid;
33249 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33250 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33252 inode->i_gid = cred->egid;
33256 security_task_to_inode(task, inode);
33257 @@ -1532,6 +1575,9 @@ static int pid_getattr(struct vfsmount *
33258 struct inode *inode = dentry->d_inode;
33259 struct task_struct *task;
33260 const struct cred *cred;
33261 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33262 + const struct cred *tmpcred = current_cred();
33265 generic_fillattr(inode, stat);
33267 @@ -1539,12 +1585,34 @@ static int pid_getattr(struct vfsmount *
33270 task = pid_task(proc_pid(inode), PIDTYPE_PID);
33272 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
33273 + rcu_read_unlock();
33278 + cred = __task_cred(task);
33279 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33280 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
33281 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33282 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33286 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33287 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33288 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33289 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33290 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33292 task_dumpable(task)) {
33293 - cred = __task_cred(task);
33294 stat->uid = cred->euid;
33295 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33296 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
33298 stat->gid = cred->egid;
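Review bot: The visibility test is assembled from `#if`/`#ifdef` fragments spliced into the middle of an `if` condition (`|| in_group_p(CONFIG_GRKERNSEC_PROC_GID)` here, and the same construction in the proc_pid_readdir hunk), which makes the effective condition hard to read for any single configuration. The configured directory mode is likewise spelled out again in the pid_revalidate and proc_pid_instantiate hunks. One helper answering whether the current credentials may see a task, plus one macro for the /proc/<pid> directory mode, each defined once under the config switches, would keep these sites in step. Parts of pid_getattr() lie outside the hunk.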
33303 @@ -1576,11 +1644,20 @@ static int pid_revalidate(struct dentry
33306 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33307 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33308 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33309 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33310 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33312 task_dumpable(task)) {
33314 cred = __task_cred(task);
33315 inode->i_uid = cred->euid;
33316 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33317 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33319 inode->i_gid = cred->egid;
33324 @@ -1701,7 +1778,8 @@ static int proc_fd_info(struct inode *in
33325 int fd = proc_fd(inode);
33328 - files = get_files_struct(task);
33329 + if (!gr_acl_handle_procpidmem(task))
33330 + files = get_files_struct(task);
33331 put_task_struct(task);
33334 @@ -1953,12 +2031,22 @@ static const struct file_operations proc
33335 static int proc_fd_permission(struct inode *inode, int mask)
33338 + struct task_struct *task;
33340 rv = generic_permission(inode, mask, NULL);
33344 if (task_pid(current) == proc_pid(inode))
33347 + task = get_proc_task(inode);
33348 + if (task == NULL)
33351 + if (gr_acl_handle_procpidmem(task))
33354 + put_task_struct(task);
33359 @@ -2067,6 +2155,9 @@ static struct dentry *proc_pident_lookup
33363 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33367 * Yes, it does not scale. And it should not. Don't add
33368 * new entries into /proc/<tgid>/ without very good reasons.
33369 @@ -2111,6 +2202,9 @@ static int proc_pident_readdir(struct fi
33373 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33379 @@ -2380,7 +2474,7 @@ static void *proc_self_follow_link(struc
33380 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
33383 - char *s = nd_get_link(nd);
33384 + const char *s = nd_get_link(nd);
33388 @@ -2580,7 +2674,7 @@ static const struct pid_entry tgid_base_
33389 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33391 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33392 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33393 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33394 INF("syscall", S_IRUSR, proc_pid_syscall),
33396 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33397 @@ -2605,10 +2699,10 @@ static const struct pid_entry tgid_base_
33398 #ifdef CONFIG_SECURITY
33399 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33401 -#ifdef CONFIG_KALLSYMS
33402 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33403 INF("wchan", S_IRUGO, proc_pid_wchan),
33405 -#ifdef CONFIG_STACKTRACE
33406 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33407 ONE("stack", S_IRUSR, proc_pid_stack),
33409 #ifdef CONFIG_SCHEDSTATS
33410 @@ -2638,6 +2732,9 @@ static const struct pid_entry tgid_base_
33411 INF("io", S_IRUGO, proc_tgid_io_accounting),
33413 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
33414 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33415 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
33419 static int proc_tgid_base_readdir(struct file * filp,
33420 @@ -2762,7 +2859,14 @@ static struct dentry *proc_pid_instantia
33424 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33425 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
33426 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33427 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33428 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
33430 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
33432 inode->i_op = &proc_tgid_base_inode_operations;
33433 inode->i_fop = &proc_tgid_base_operations;
33434 inode->i_flags|=S_IMMUTABLE;
33435 @@ -2804,7 +2908,11 @@ struct dentry *proc_pid_lookup(struct in
33439 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33440 + goto out_put_task;
33442 result = proc_pid_instantiate(dir, dentry, task, NULL);
33444 put_task_struct(task);
33447 @@ -2869,6 +2977,11 @@ int proc_pid_readdir(struct file * filp,
33449 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
33450 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
33451 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33452 + const struct cred *tmpcred = current_cred();
33453 + const struct cred *itercred;
33455 + filldir_t __filldir = filldir;
33456 struct tgid_iter iter;
33457 struct pid_namespace *ns;
33459 @@ -2887,8 +3000,27 @@ int proc_pid_readdir(struct file * filp,
33460 for (iter = next_tgid(ns, iter);
33462 iter.tgid += 1, iter = next_tgid(ns, iter)) {
33463 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33465 + itercred = __task_cred(iter.task);
33467 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
33468 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33469 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
33470 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33471 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33476 + __filldir = &gr_fake_filldir;
33478 + __filldir = filldir;
33479 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33480 + rcu_read_unlock();
33482 filp->f_pos = iter.tgid + TGID_OFFSET;
33483 if (!vx_proc_task_visible(iter.task))
33485 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
33486 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
33487 put_task_struct(iter.task);
33488 @@ -2915,7 +3047,7 @@ static const struct pid_entry tid_base_s
33489 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33491 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33492 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33493 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33494 INF("syscall", S_IRUSR, proc_pid_syscall),
33496 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33497 @@ -2939,10 +3071,10 @@ static const struct pid_entry tid_base_s
33498 #ifdef CONFIG_SECURITY
33499 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33501 -#ifdef CONFIG_KALLSYMS
33502 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33503 INF("wchan", S_IRUGO, proc_pid_wchan),
33505 -#ifdef CONFIG_STACKTRACE
33506 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33507 ONE("stack", S_IRUSR, proc_pid_stack),
33509 #ifdef CONFIG_SCHEDSTATS
33510 diff -urNp linux-2.6.35.7/fs/proc/cmdline.c linux-2.6.35.7/fs/proc/cmdline.c
33511 --- linux-2.6.35.7/fs/proc/cmdline.c 2010-08-26 19:47:12.000000000 -0400
33512 +++ linux-2.6.35.7/fs/proc/cmdline.c 2010-09-17 20:12:37.000000000 -0400
33513 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
33515 static int __init proc_cmdline_init(void)
33517 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33518 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
33520 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
33524 module_init(proc_cmdline_init);
33525 diff -urNp linux-2.6.35.7/fs/proc/devices.c linux-2.6.35.7/fs/proc/devices.c
33526 --- linux-2.6.35.7/fs/proc/devices.c 2010-08-26 19:47:12.000000000 -0400
33527 +++ linux-2.6.35.7/fs/proc/devices.c 2010-09-17 20:12:37.000000000 -0400
33528 @@ -64,7 +64,11 @@ static const struct file_operations proc
33530 static int __init proc_devices_init(void)
33532 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33533 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
33535 proc_create("devices", 0, NULL, &proc_devinfo_operations);
33539 module_init(proc_devices_init);
33540 diff -urNp linux-2.6.35.7/fs/proc/inode.c linux-2.6.35.7/fs/proc/inode.c
33541 --- linux-2.6.35.7/fs/proc/inode.c 2010-08-26 19:47:12.000000000 -0400
33542 +++ linux-2.6.35.7/fs/proc/inode.c 2010-09-17 20:12:37.000000000 -0400
33543 @@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
33545 inode->i_mode = de->mode;
33546 inode->i_uid = de->uid;
33547 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33548 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33550 inode->i_gid = de->gid;
33554 inode->i_size = de->size;
33555 diff -urNp linux-2.6.35.7/fs/proc/internal.h linux-2.6.35.7/fs/proc/internal.h
33556 --- linux-2.6.35.7/fs/proc/internal.h 2010-08-26 19:47:12.000000000 -0400
33557 +++ linux-2.6.35.7/fs/proc/internal.h 2010-09-17 20:12:37.000000000 -0400
33558 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
33559 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
33560 struct pid *pid, struct task_struct *task);
33562 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33563 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
33565 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
33567 extern const struct file_operations proc_maps_operations;
33568 diff -urNp linux-2.6.35.7/fs/proc/Kconfig linux-2.6.35.7/fs/proc/Kconfig
33569 --- linux-2.6.35.7/fs/proc/Kconfig 2010-08-26 19:47:12.000000000 -0400
33570 +++ linux-2.6.35.7/fs/proc/Kconfig 2010-09-17 20:12:37.000000000 -0400
33571 @@ -30,12 +30,12 @@ config PROC_FS
33574 bool "/proc/kcore support" if !ARM
33575 - depends on PROC_FS && MMU
33576 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33579 bool "/proc/vmcore support (EXPERIMENTAL)"
33580 - depends on PROC_FS && CRASH_DUMP
33582 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
33585 Exports the dump image of crashed kernel in ELF format.
33587 @@ -59,8 +59,8 @@ config PROC_SYSCTL
33590 config PROC_PAGE_MONITOR
33592 - depends on PROC_FS && MMU
33594 + depends on PROC_FS && MMU && !GRKERNSEC
33595 bool "Enable /proc page monitoring" if EMBEDDED
33597 Various /proc files exist to monitor process memory utilization:
33598 diff -urNp linux-2.6.35.7/fs/proc/kcore.c linux-2.6.35.7/fs/proc/kcore.c
33599 --- linux-2.6.35.7/fs/proc/kcore.c 2010-08-26 19:47:12.000000000 -0400
33600 +++ linux-2.6.35.7/fs/proc/kcore.c 2010-09-17 20:12:37.000000000 -0400
33601 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
33602 * the addresses in the elf_phdr on our list.
33604 start = kc_offset_to_vaddr(*fpos - elf_buflen);
33605 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
33606 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
33607 + if (tsz > buflen)
33612 struct kcore_list *m;
33614 @@ -509,20 +510,18 @@ read_kcore(struct file *file, char __use
33617 if (kern_addr_valid(start)) {
33621 - n = copy_to_user(buffer, (char *)start, tsz);
33623 - * We cannot distingush between fault on source
33624 - * and fault on destination. When this happens
33625 - * we clear too and hope it will trigger the
33629 - if (clear_user(buffer + tsz - n,
33631 + elf_buf = kmalloc(tsz, GFP_KERNEL);
33634 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
33635 + if (copy_to_user(buffer, elf_buf, tsz)) {
33642 if (clear_user(buffer, tsz))
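Review bot: The removed comment explained the old single copy_to_user(), but the replacement path through `elf_buf` has no comment, and the name suggests ELF header data although the buffer receives `tsz` bytes read from `start`. A comment such as `/* bounce through a kernel buffer so a fault on the source can be told apart from a fault on the user destination */` and a neutral name would make the intent clear. The buffer comes from `kmalloc(tsz, GFP_KERNEL)` inside the copy path; if this sits in the per-chunk loop, as it appears to, one page-sized allocation reused for the whole read would avoid the repeated allocate/free. The NULL check and the matching kfree() are not visible in this view and should be confirmed on every exit path.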
33644 @@ -542,6 +541,9 @@ read_kcore(struct file *file, char __use
33646 static int open_kcore(struct inode *inode, struct file *filp)
33648 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
33651 if (!capable(CAP_SYS_RAWIO))
33653 if (kcore_need_update)
33654 diff -urNp linux-2.6.35.7/fs/proc/meminfo.c linux-2.6.35.7/fs/proc/meminfo.c
33655 --- linux-2.6.35.7/fs/proc/meminfo.c 2010-08-26 19:47:12.000000000 -0400
33656 +++ linux-2.6.35.7/fs/proc/meminfo.c 2010-09-17 20:12:09.000000000 -0400
33657 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
33659 vmi.largest_chunk >> 10
33660 #ifdef CONFIG_MEMORY_FAILURE
33661 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
33662 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
33666 diff -urNp linux-2.6.35.7/fs/proc/nommu.c linux-2.6.35.7/fs/proc/nommu.c
33667 --- linux-2.6.35.7/fs/proc/nommu.c 2010-08-26 19:47:12.000000000 -0400
33668 +++ linux-2.6.35.7/fs/proc/nommu.c 2010-09-17 20:12:09.000000000 -0400
33669 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
33672 seq_printf(m, "%*c", len, ' ');
33673 - seq_path(m, &file->f_path, "");
33674 + seq_path(m, &file->f_path, "\n\\");
33678 diff -urNp linux-2.6.35.7/fs/proc/proc_net.c linux-2.6.35.7/fs/proc/proc_net.c
33679 --- linux-2.6.35.7/fs/proc/proc_net.c 2010-08-26 19:47:12.000000000 -0400
33680 +++ linux-2.6.35.7/fs/proc/proc_net.c 2010-09-17 20:12:37.000000000 -0400
33681 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
33682 struct task_struct *task;
33683 struct nsproxy *ns;
33684 struct net *net = NULL;
33685 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33686 + const struct cred *cred = current_cred();
33689 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33692 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33693 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
33698 task = pid_task(proc_pid(dir), PIDTYPE_PID);
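Review bot: This check tests `cred->fsuid`, while the equivalent visibility checks added in fs/proc/base.c (pid_getattr and proc_pid_readdir) test `tmpcred->uid`. Under the same config option a caller whose fsuid and uid differ would get different answers from the two places. Unless the difference is intended, use the same credential field in both and state the choice in a comment. Some lines of this hunk are not visible in this view.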
33699 diff -urNp linux-2.6.35.7/fs/proc/proc_sysctl.c linux-2.6.35.7/fs/proc/proc_sysctl.c
33700 --- linux-2.6.35.7/fs/proc/proc_sysctl.c 2010-08-26 19:47:12.000000000 -0400
33701 +++ linux-2.6.35.7/fs/proc/proc_sysctl.c 2010-09-17 20:12:37.000000000 -0400
33703 #include <linux/security.h>
33704 #include "internal.h"
33706 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
33708 static const struct dentry_operations proc_sys_dentry_operations;
33709 static const struct file_operations proc_sys_file_operations;
33710 static const struct inode_operations proc_sys_inode_operations;
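Review bot: The prototype `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);` is declared locally in this .c file, so the compiler cannot check it against the definition. The other gr_* hooks used in this patch are called without local prototypes, which suggests a shared header exists; declaring this one there would give a single checked declaration. The `const` on the by-value `op` parameter carries no meaning in a prototype and can be dropped.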
33711 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
33715 + if (gr_handle_sysctl(p, MAY_EXEC))
33718 err = ERR_PTR(-ENOMEM);
33719 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
33721 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
33722 if (*pos < file->f_pos)
33725 + if (gr_handle_sysctl(table, 0))
33728 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
33731 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
33733 return PTR_ERR(head);
33735 + if (table && gr_handle_sysctl(table, MAY_EXEC))
33738 generic_fillattr(inode, stat);
33740 stat->mode = (stat->mode & S_IFMT) | table->mode;
33741 diff -urNp linux-2.6.35.7/fs/proc/root.c linux-2.6.35.7/fs/proc/root.c
33742 --- linux-2.6.35.7/fs/proc/root.c 2010-08-26 19:47:12.000000000 -0400
33743 +++ linux-2.6.35.7/fs/proc/root.c 2010-09-17 20:12:37.000000000 -0400
33744 @@ -133,7 +133,15 @@ void __init proc_root_init(void)
33745 #ifdef CONFIG_PROC_DEVICETREE
33746 proc_device_tree_init();
33748 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33749 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33750 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
33751 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33752 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
33755 proc_mkdir("bus", NULL);
33760 diff -urNp linux-2.6.35.7/fs/proc/task_mmu.c linux-2.6.35.7/fs/proc/task_mmu.c
33761 --- linux-2.6.35.7/fs/proc/task_mmu.c 2010-08-26 19:47:12.000000000 -0400
33762 +++ linux-2.6.35.7/fs/proc/task_mmu.c 2010-09-17 20:12:37.000000000 -0400
33763 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
33764 "VmExe:\t%8lu kB\n"
33765 "VmLib:\t%8lu kB\n"
33766 "VmPTE:\t%8lu kB\n"
33767 - "VmSwap:\t%8lu kB\n",
33768 - hiwater_vm << (PAGE_SHIFT-10),
33769 + "VmSwap:\t%8lu kB\n"
33771 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33772 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
33775 + ,hiwater_vm << (PAGE_SHIFT-10),
33776 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
33777 mm->locked_vm << (PAGE_SHIFT-10),
33778 hiwater_rss << (PAGE_SHIFT-10),
33779 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
33780 data << (PAGE_SHIFT-10),
33781 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
33782 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
33783 - swap << (PAGE_SHIFT-10));
33784 + swap << (PAGE_SHIFT-10)
33786 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33787 + , mm->context.user_cs_base, mm->context.user_cs_limit
33793 unsigned long task_vsize(struct mm_struct *mm)
33794 @@ -203,6 +214,12 @@ static int do_maps_open(struct inode *in
33798 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33799 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33800 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33801 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33804 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
33806 struct mm_struct *mm = vma->vm_mm;
33807 @@ -210,7 +227,6 @@ static void show_map_vma(struct seq_file
33808 int flags = vma->vm_flags;
33809 unsigned long ino = 0;
33810 unsigned long long pgoff = 0;
33811 - unsigned long start;
33815 @@ -221,19 +237,24 @@ static void show_map_vma(struct seq_file
33816 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
33819 - /* We don't show the stack guard page in /proc/maps */
33820 - start = vma->vm_start;
33821 - if (vma->vm_flags & VM_GROWSDOWN)
33822 - start += PAGE_SIZE;
33824 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
33826 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33827 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
33828 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
33833 flags & VM_READ ? 'r' : '-',
33834 flags & VM_WRITE ? 'w' : '-',
33835 flags & VM_EXEC ? 'x' : '-',
33836 flags & VM_MAYSHARE ? 's' : 'p',
33837 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33838 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
33842 MAJOR(dev), MINOR(dev), ino, &len);
33845 @@ -242,16 +263,16 @@ static void show_map_vma(struct seq_file
33848 pad_len_spaces(m, len);
33849 - seq_path(m, &file->f_path, "\n");
33850 + seq_path(m, &file->f_path, "\n\\");
33852 const char *name = arch_vma_name(vma);
33855 - if (vma->vm_start <= mm->start_brk &&
33856 - vma->vm_end >= mm->brk) {
33857 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
33859 - } else if (vma->vm_start <= mm->start_stack &&
33860 - vma->vm_end >= mm->start_stack) {
33861 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
33862 + (vma->vm_start <= mm->start_stack &&
33863 + vma->vm_end >= mm->start_stack)) {
33867 @@ -393,11 +414,16 @@ static int show_smap(struct seq_file *m,
33870 memset(&mss, 0, sizeof mss);
33872 - /* mmap_sem is held in m_start */
33873 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33874 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33876 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33877 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
33880 + /* mmap_sem is held in m_start */
33881 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33882 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33883 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33886 show_map_vma(m, vma);
33889 @@ -412,7 +438,11 @@ static int show_smap(struct seq_file *m,
33891 "KernelPageSize: %8lu kB\n"
33892 "MMUPageSize: %8lu kB\n",
33893 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33894 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
33896 (vma->vm_end - vma->vm_start) >> 10,
33898 mss.resident >> 10,
33899 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
33900 mss.shared_clean >> 10,
33901 diff -urNp linux-2.6.35.7/fs/proc/task_nommu.c linux-2.6.35.7/fs/proc/task_nommu.c
33902 --- linux-2.6.35.7/fs/proc/task_nommu.c 2010-08-26 19:47:12.000000000 -0400
33903 +++ linux-2.6.35.7/fs/proc/task_nommu.c 2010-09-17 20:12:09.000000000 -0400
33904 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
33906 bytes += kobjsize(mm);
33908 - if (current->fs && current->fs->users > 1)
33909 + if (current->fs && atomic_read(¤t->fs->users) > 1)
33910 sbytes += kobjsize(current->fs);
33912 bytes += kobjsize(current->fs);
33913 @@ -165,7 +165,7 @@ static int nommu_vma_show(struct seq_fil
33916 pad_len_spaces(m, len);
33917 - seq_path(m, &file->f_path, "");
33918 + seq_path(m, &file->f_path, "\n\\");
33920 if (vma->vm_start <= mm->start_stack &&
33921 vma->vm_end >= mm->start_stack) {
33922 diff -urNp linux-2.6.35.7/fs/readdir.c linux-2.6.35.7/fs/readdir.c
33923 --- linux-2.6.35.7/fs/readdir.c 2010-08-26 19:47:12.000000000 -0400
33924 +++ linux-2.6.35.7/fs/readdir.c 2010-09-17 20:12:37.000000000 -0400
33926 #include <linux/security.h>
33927 #include <linux/syscalls.h>
33928 #include <linux/unistd.h>
33929 +#include <linux/namei.h>
33931 #include <asm/uaccess.h>
33933 @@ -67,6 +68,7 @@ struct old_linux_dirent {
33935 struct readdir_callback {
33936 struct old_linux_dirent __user * dirent;
33937 + struct file * file;
33941 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
33942 buf->result = -EOVERFLOW;
33946 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33950 dirent = buf->dirent;
33951 if (!access_ok(VERIFY_WRITE, dirent,
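Review bot: The `gr_acl_handle_filldir(buf->file, name, namlen, ino)` test is placed after the `-EOVERFLOW` inode-number check, so an entry the policy would hide can still change what the caller sees: its error is returned before the visibility decision is made. The same ordering appears in the filldir hunk (after `buf->error = -EOVERFLOW`) and in the filldir64 hunk, where the test follows `if (reclen > buf->count)`, so the length of a hidden name affects where a getdents64 batch stops. The statement executed when the handler returns zero is not shown here; assuming it skips the entry, I would make the handler call the first statement of each of the three callbacks, ahead of the overflow and size checks. All three functions begin outside their hunks.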
33952 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
33955 buf.dirent = dirent;
33958 error = vfs_readdir(file, fillonedir, &buf);
33960 @@ -142,6 +149,7 @@ struct linux_dirent {
33961 struct getdents_callback {
33962 struct linux_dirent __user * current_dir;
33963 struct linux_dirent __user * previous;
33964 + struct file * file;
33968 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
33969 buf->error = -EOVERFLOW;
33973 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33976 dirent = buf->previous;
33978 if (__put_user(offset, &dirent->d_off))
33979 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
33980 buf.previous = NULL;
33985 error = vfs_readdir(file, filldir, &buf);
33987 @@ -228,6 +241,7 @@ out:
33988 struct getdents_callback64 {
33989 struct linux_dirent64 __user * current_dir;
33990 struct linux_dirent64 __user * previous;
33991 + struct file *file;
33995 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
33996 buf->error = -EINVAL; /* only used if we fail.. */
33997 if (reclen > buf->count)
34000 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34003 dirent = buf->previous;
34005 if (__put_user(offset, &dirent->d_off))
34006 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
34008 buf.current_dir = dirent;
34009 buf.previous = NULL;
34014 diff -urNp linux-2.6.35.7/fs/reiserfs/do_balan.c linux-2.6.35.7/fs/reiserfs/do_balan.c
34015 --- linux-2.6.35.7/fs/reiserfs/do_balan.c 2010-08-26 19:47:12.000000000 -0400
34016 +++ linux-2.6.35.7/fs/reiserfs/do_balan.c 2010-09-17 20:12:09.000000000 -0400
34017 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
34021 - atomic_inc(&(fs_generation(tb->tb_sb)));
34022 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
34023 do_balance_starts(tb);
34025 /* balance leaf returns 0 except if combining L R and S into
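Review bot: Nothing at `atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));` records why this counter is taken out of overflow checking, and the `_unchecked` suffix alone does not tell a later reader whether that was a decision or a shortcut. The counter appears to be a generation stamp that is only compared for change, not a reference count, so wrapping is presumably harmless; a one-line comment such as `/* generation stamp, not a refcount: wraparound is expected */` would make that explicit. The matching `atomic_read_unchecked(&r->s_generation_counter)` in the fs/reiserfs/procfs.c hunk depends on the same reasoning. The field's declaration is outside this hunk and has to carry the matching unchecked type.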
34026 diff -urNp linux-2.6.35.7/fs/reiserfs/item_ops.c linux-2.6.35.7/fs/reiserfs/item_ops.c
34027 --- linux-2.6.35.7/fs/reiserfs/item_ops.c 2010-08-26 19:47:12.000000000 -0400
34028 +++ linux-2.6.35.7/fs/reiserfs/item_ops.c 2010-09-17 20:12:09.000000000 -0400
34029 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
34030 vi->vi_index, vi->vi_type, vi->vi_ih);
34033 -static struct item_operations stat_data_ops = {
34034 +static const struct item_operations stat_data_ops = {
34035 .bytes_number = sd_bytes_number,
34036 .decrement_key = sd_decrement_key,
34037 .is_left_mergeable = sd_is_left_mergeable,
34038 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
34039 vi->vi_index, vi->vi_type, vi->vi_ih);
34042 -static struct item_operations direct_ops = {
34043 +static const struct item_operations direct_ops = {
34044 .bytes_number = direct_bytes_number,
34045 .decrement_key = direct_decrement_key,
34046 .is_left_mergeable = direct_is_left_mergeable,
34047 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
34048 vi->vi_index, vi->vi_type, vi->vi_ih);
34051 -static struct item_operations indirect_ops = {
34052 +static const struct item_operations indirect_ops = {
34053 .bytes_number = indirect_bytes_number,
34054 .decrement_key = indirect_decrement_key,
34055 .is_left_mergeable = indirect_is_left_mergeable,
34056 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
34060 -static struct item_operations direntry_ops = {
34061 +static const struct item_operations direntry_ops = {
34062 .bytes_number = direntry_bytes_number,
34063 .decrement_key = direntry_decrement_key,
34064 .is_left_mergeable = direntry_is_left_mergeable,
34065 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
34066 "Invalid item type observed, run fsck ASAP");
34069 -static struct item_operations errcatch_ops = {
34070 +static const struct item_operations errcatch_ops = {
34071 errcatch_bytes_number,
34072 errcatch_decrement_key,
34073 errcatch_is_left_mergeable,
34074 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
34075 #error Item types must use disk-format assigned values.
34078 -struct item_operations *item_ops[TYPE_ANY + 1] = {
34079 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
34083 diff -urNp linux-2.6.35.7/fs/reiserfs/procfs.c linux-2.6.35.7/fs/reiserfs/procfs.c
34084 --- linux-2.6.35.7/fs/reiserfs/procfs.c 2010-08-26 19:47:12.000000000 -0400
34085 +++ linux-2.6.35.7/fs/reiserfs/procfs.c 2010-09-17 20:12:09.000000000 -0400
34086 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
34087 "SMALL_TAILS " : "NO_TAILS ",
34088 replay_only(sb) ? "REPLAY_ONLY " : "",
34089 convert_reiserfs(sb) ? "CONV " : "",
34090 - atomic_read(&r->s_generation_counter),
34091 + atomic_read_unchecked(&r->s_generation_counter),
34092 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
34093 SF(s_do_balance), SF(s_unneeded_left_neighbor),
34094 SF(s_good_search_by_key_reada), SF(s_bmaps),
34095 diff -urNp linux-2.6.35.7/fs/select.c linux-2.6.35.7/fs/select.c
34096 --- linux-2.6.35.7/fs/select.c 2010-08-26 19:47:12.000000000 -0400
34097 +++ linux-2.6.35.7/fs/select.c 2010-09-17 20:12:37.000000000 -0400
34099 #include <linux/module.h>
34100 #include <linux/slab.h>
34101 #include <linux/poll.h>
34102 +#include <linux/security.h>
34103 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
34104 #include <linux/file.h>
34105 #include <linux/fdtable.h>
34106 @@ -838,6 +839,7 @@ int do_sys_poll(struct pollfd __user *uf
34107 struct poll_list *walk = head;
34108 unsigned long todo = nfds;
34110 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
34111 if (nfds > rlimit(RLIMIT_NOFILE))
34114 diff -urNp linux-2.6.35.7/fs/seq_file.c linux-2.6.35.7/fs/seq_file.c
34115 --- linux-2.6.35.7/fs/seq_file.c 2010-08-26 19:47:12.000000000 -0400
34116 +++ linux-2.6.35.7/fs/seq_file.c 2010-09-17 20:12:09.000000000 -0400
34117 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
34121 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34122 + m->size = PAGE_SIZE;
34123 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34127 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
34131 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34133 + m->buf = kmalloc(m->size, GFP_KERNEL);
34134 return !m->buf ? -ENOMEM : -EAGAIN;
34137 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
34138 m->version = file->f_version;
34139 /* grab buffer if we didn't have one */
34141 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34142 + m->size = PAGE_SIZE;
34143 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34147 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
34151 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34153 + m->buf = kmalloc(m->size, GFP_KERNEL);
34157 diff -urNp linux-2.6.35.7/fs/smbfs/symlink.c linux-2.6.35.7/fs/smbfs/symlink.c
34158 --- linux-2.6.35.7/fs/smbfs/symlink.c 2010-08-26 19:47:12.000000000 -0400
34159 +++ linux-2.6.35.7/fs/smbfs/symlink.c 2010-09-17 20:12:09.000000000 -0400
34160 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
34162 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
34164 - char *s = nd_get_link(nd);
34165 + const char *s = nd_get_link(nd);
34169 diff -urNp linux-2.6.35.7/fs/splice.c linux-2.6.35.7/fs/splice.c
34170 --- linux-2.6.35.7/fs/splice.c 2010-08-26 19:47:12.000000000 -0400
34171 +++ linux-2.6.35.7/fs/splice.c 2010-09-17 20:12:09.000000000 -0400
34172 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
34176 - if (!pipe->readers) {
34177 + if (!atomic_read(&pipe->readers)) {
34178 send_sig(SIGPIPE, current, 0);
34181 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
34185 - pipe->waiting_writers++;
34186 + atomic_inc(&pipe->waiting_writers);
34188 - pipe->waiting_writers--;
34189 + atomic_dec(&pipe->waiting_writers);
34193 @@ -566,7 +566,7 @@ static ssize_t kernel_readv(struct file
34196 /* The cast to a user pointer is valid due to the set_fs() */
34197 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
34198 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
34202 @@ -581,7 +581,7 @@ static ssize_t kernel_write(struct file
34205 /* The cast to a user pointer is valid due to the set_fs() */
34206 - res = vfs_write(file, (const char __user *)buf, count, &pos);
34207 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
34211 @@ -634,7 +634,7 @@ ssize_t default_file_splice_read(struct
34214 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
34215 - vec[i].iov_base = (void __user *) page_address(page);
34216 + vec[i].iov_base = (__force void __user *) page_address(page);
34217 vec[i].iov_len = this_len;
34218 spd.pages[i] = page;
34220 @@ -861,10 +861,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
34221 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
34223 while (!pipe->nrbufs) {
34224 - if (!pipe->writers)
34225 + if (!atomic_read(&pipe->writers))
34228 - if (!pipe->waiting_writers && sd->num_spliced)
34229 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
34232 if (sd->flags & SPLICE_F_NONBLOCK)
34233 @@ -1201,7 +1201,7 @@ ssize_t splice_direct_to_actor(struct fi
34234 * out of the pipe right after the splice_to_pipe(). So set
34235 * PIPE_READERS appropriately.
34237 - pipe->readers = 1;
34238 + atomic_set(&pipe->readers, 1);
34240 current->splice_pipe = pipe;
34242 @@ -1769,9 +1769,9 @@ static int ipipe_prep(struct pipe_inode_
34243 ret = -ERESTARTSYS;
34246 - if (!pipe->writers)
34247 + if (!atomic_read(&pipe->writers))
34249 - if (!pipe->waiting_writers) {
34250 + if (!atomic_read(&pipe->waiting_writers)) {
34251 if (flags & SPLICE_F_NONBLOCK) {
34254 @@ -1803,7 +1803,7 @@ static int opipe_prep(struct pipe_inode_
34257 while (pipe->nrbufs >= pipe->buffers) {
34258 - if (!pipe->readers) {
34259 + if (!atomic_read(&pipe->readers)) {
34260 send_sig(SIGPIPE, current, 0);
34263 @@ -1816,9 +1816,9 @@ static int opipe_prep(struct pipe_inode_
34264 ret = -ERESTARTSYS;
34267 - pipe->waiting_writers++;
34268 + atomic_inc(&pipe->waiting_writers);
34270 - pipe->waiting_writers--;
34271 + atomic_dec(&pipe->waiting_writers);
34275 @@ -1854,14 +1854,14 @@ retry:
34276 pipe_double_lock(ipipe, opipe);
34279 - if (!opipe->readers) {
34280 + if (!atomic_read(&opipe->readers)) {
34281 send_sig(SIGPIPE, current, 0);
34287 - if (!ipipe->nrbufs && !ipipe->writers)
34288 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
34292 @@ -1961,7 +1961,7 @@ static int link_pipe(struct pipe_inode_i
34293 pipe_double_lock(ipipe, opipe);
34296 - if (!opipe->readers) {
34297 + if (!atomic_read(&opipe->readers)) {
34298 send_sig(SIGPIPE, current, 0);
34301 @@ -2006,7 +2006,7 @@ static int link_pipe(struct pipe_inode_i
34302 * return EAGAIN if we have the potential of some data in the
34303 * future, otherwise just return 0
34305 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
34306 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
34309 pipe_unlock(ipipe);
34310 diff -urNp linux-2.6.35.7/fs/sysfs/symlink.c linux-2.6.35.7/fs/sysfs/symlink.c
34311 --- linux-2.6.35.7/fs/sysfs/symlink.c 2010-08-26 19:47:12.000000000 -0400
34312 +++ linux-2.6.35.7/fs/sysfs/symlink.c 2010-09-17 20:12:09.000000000 -0400
34313 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
34315 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
34317 - char *page = nd_get_link(nd);
34318 + const char *page = nd_get_link(nd);
34320 free_page((unsigned long)page);
34322 diff -urNp linux-2.6.35.7/fs/udf/misc.c linux-2.6.35.7/fs/udf/misc.c
34323 --- linux-2.6.35.7/fs/udf/misc.c 2010-08-26 19:47:12.000000000 -0400
34324 +++ linux-2.6.35.7/fs/udf/misc.c 2010-09-17 20:12:09.000000000 -0400
34325 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
34326 iinfo->i_lenEAttr += size;
34327 return (struct genericFormat *)&ea[offset];
34331 + if (loc & 0x02) {
34336 diff -urNp linux-2.6.35.7/fs/udf/udfdecl.h linux-2.6.35.7/fs/udf/udfdecl.h
34337 --- linux-2.6.35.7/fs/udf/udfdecl.h 2010-08-26 19:47:12.000000000 -0400
34338 +++ linux-2.6.35.7/fs/udf/udfdecl.h 2010-09-17 20:12:09.000000000 -0400
34339 @@ -26,7 +26,7 @@ do { \
34343 -#define udf_debug(f, a...) /**/
34344 +#define udf_debug(f, a...) do {} while (0)
34347 #define udf_info(f, a...) \
34348 diff -urNp linux-2.6.35.7/fs/utimes.c linux-2.6.35.7/fs/utimes.c
34349 --- linux-2.6.35.7/fs/utimes.c 2010-08-26 19:47:12.000000000 -0400
34350 +++ linux-2.6.35.7/fs/utimes.c 2010-09-17 20:12:37.000000000 -0400
34352 #include <linux/compiler.h>
34353 #include <linux/file.h>
34354 #include <linux/fs.h>
34355 +#include <linux/security.h>
34356 #include <linux/linkage.h>
34357 #include <linux/mount.h>
34358 #include <linux/namei.h>
34359 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
34360 goto mnt_drop_write_and_out;
34364 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
34366 + goto mnt_drop_write_and_out;
34369 mutex_lock(&inode->i_mutex);
34370 error = notify_change(path->dentry, &newattrs);
34371 mutex_unlock(&inode->i_mutex);
34372 diff -urNp linux-2.6.35.7/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.35.7/fs/xfs/linux-2.6/xfs_ioctl.c
34373 --- linux-2.6.35.7/fs/xfs/linux-2.6/xfs_ioctl.c 2010-09-26 17:32:11.000000000 -0400
34374 +++ linux-2.6.35.7/fs/xfs/linux-2.6/xfs_ioctl.c 2010-09-26 17:32:50.000000000 -0400
34375 @@ -136,7 +136,7 @@ xfs_find_handle(
34379 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
34380 + if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
34381 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
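Review bot: The added `hsize > sizeof(handle)` bound compares `hsize` with an unsigned `size_t`, so it rejects a negative `hsize` only through the implicit signed-to-unsigned conversion; `sizeof(__s32)` on the next line suggests `hsize` is a signed 32-bit value, though its declaration is outside the hunk. This bound is what keeps `copy_to_user(hreq->ohandle, &handle, hsize)` from reading past the end of `handle`, so it should not depend on a conversion that a later type change could remove: `if (hsize < 0 || (size_t)hsize > sizeof(handle) || ...`. Folding it into the copy condition also means an oversized length takes the same exit as a faulting user pointer; a separate check where `hsize` is computed would let it be reported as an invalid size instead.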
34384 diff -urNp linux-2.6.35.7/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.35.7/fs/xfs/linux-2.6/xfs_iops.c
34385 --- linux-2.6.35.7/fs/xfs/linux-2.6/xfs_iops.c 2010-08-26 19:47:12.000000000 -0400
34386 +++ linux-2.6.35.7/fs/xfs/linux-2.6/xfs_iops.c 2010-09-17 20:12:09.000000000 -0400
34387 @@ -480,7 +480,7 @@ xfs_vn_put_link(
34388 struct nameidata *nd,
34391 - char *s = nd_get_link(nd);
34392 + const char *s = nd_get_link(nd);
34396 diff -urNp linux-2.6.35.7/fs/xfs/xfs_bmap.c linux-2.6.35.7/fs/xfs/xfs_bmap.c
34397 --- linux-2.6.35.7/fs/xfs/xfs_bmap.c 2010-08-26 19:47:12.000000000 -0400
34398 +++ linux-2.6.35.7/fs/xfs/xfs_bmap.c 2010-09-17 20:12:09.000000000 -0400
34399 @@ -296,7 +296,7 @@ xfs_bmap_validate_ret(
34403 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
34404 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
34408 diff -urNp linux-2.6.35.7/grsecurity/gracl_alloc.c linux-2.6.35.7/grsecurity/gracl_alloc.c
34409 --- linux-2.6.35.7/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
34410 +++ linux-2.6.35.7/grsecurity/gracl_alloc.c 2010-09-17 20:12:37.000000000 -0400
34412 +#include <linux/kernel.h>
34413 +#include <linux/mm.h>
34414 +#include <linux/slab.h>
34415 +#include <linux/vmalloc.h>
34416 +#include <linux/gracl.h>
34417 +#include <linux/grsecurity.h>
34419 +static unsigned long alloc_stack_next = 1;
34420 +static unsigned long alloc_stack_size = 1;
34421 +static void **alloc_stack;
34423 +static __inline__ int
34426 + if (alloc_stack_next == 1)
34429 + kfree(alloc_stack[alloc_stack_next - 2]);
34431 + alloc_stack_next--;
34436 +static __inline__ int
34437 +alloc_push(void *buf)
34439 + if (alloc_stack_next >= alloc_stack_size)
34442 + alloc_stack[alloc_stack_next - 1] = buf;
34444 + alloc_stack_next++;
34450 +acl_alloc(unsigned long len)
34452 + void *ret = NULL;
34454 + if (!len || len > PAGE_SIZE)
34457 + ret = kmalloc(len, GFP_KERNEL);
34460 + if (alloc_push(ret)) {
34471 +acl_alloc_num(unsigned long num, unsigned long len)
34473 + if (!len || (num > (PAGE_SIZE / len)))
34476 + return acl_alloc(num * len);
34480 +acl_free_all(void)
34482 + if (gr_acl_is_enabled() || !alloc_stack)
34485 + while (alloc_pop()) ;
34487 + if (alloc_stack) {
34488 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
34489 + kfree(alloc_stack);
34491 + vfree(alloc_stack);
34494 + alloc_stack = NULL;
34495 + alloc_stack_size = 1;
34496 + alloc_stack_next = 1;
34502 +acl_alloc_stack_init(unsigned long size)
34504 + if ((size * sizeof (void *)) <= PAGE_SIZE)
34506 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
34508 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
34510 + alloc_stack_size = size;
34512 + if (!alloc_stack)
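Review bot: `size * sizeof (void *)` in acl_alloc_stack_init is computed without an overflow check, and `alloc_stack_size = size` is stored before the `!alloc_stack` test, so it is set even when the allocation failed. If `size` can be large enough to wrap the product (its source is not visible here; it presumably comes from counts in the loaded policy), the table is allocated smaller than `alloc_stack_size` claims and the `alloc_stack_next >= alloc_stack_size` test in alloc_push no longer keeps `alloc_stack[alloc_stack_next - 1] = buf` inside it. I would reject the request first with `if (size > ULONG_MAX / sizeof(void *))`, returning the function's failure value, and set `alloc_stack_size` only after the `!alloc_stack` check has passed. acl_free_all repeats the multiplication to choose between kfree and vfree; `is_vmalloc_addr(alloc_stack)` would decide that without arithmetic.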
34517 diff -urNp linux-2.6.35.7/grsecurity/gracl.c linux-2.6.35.7/grsecurity/gracl.c
34518 --- linux-2.6.35.7/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
34519 +++ linux-2.6.35.7/grsecurity/gracl.c 2010-09-28 19:08:51.000000000 -0400
34521 +#include <linux/kernel.h>
34522 +#include <linux/module.h>
34523 +#include <linux/sched.h>
34524 +#include <linux/mm.h>
34525 +#include <linux/file.h>
34526 +#include <linux/fs.h>
34527 +#include <linux/namei.h>
34528 +#include <linux/mount.h>
34529 +#include <linux/tty.h>
34530 +#include <linux/proc_fs.h>
34531 +#include <linux/smp_lock.h>
34532 +#include <linux/slab.h>
34533 +#include <linux/vmalloc.h>
34534 +#include <linux/types.h>
34535 +#include <linux/sysctl.h>
34536 +#include <linux/netdevice.h>
34537 +#include <linux/ptrace.h>
34538 +#include <linux/gracl.h>
34539 +#include <linux/gralloc.h>
34540 +#include <linux/grsecurity.h>
34541 +#include <linux/grinternal.h>
34542 +#include <linux/pid_namespace.h>
34543 +#include <linux/fdtable.h>
34544 +#include <linux/percpu.h>
34546 +#include <asm/uaccess.h>
34547 +#include <asm/errno.h>
34548 +#include <asm/mman.h>
34550 +static struct acl_role_db acl_role_set;
34551 +static struct name_db name_set;
34552 +static struct inodev_db inodev_set;
34554 +/* for keeping track of userspace pointers used for subjects, so we
34555 + can share references in the kernel as well
34558 +static struct dentry *real_root;
34559 +static struct vfsmount *real_root_mnt;
34561 +static struct acl_subj_map_db subj_map_set;
34563 +static struct acl_role_label *default_role;
34565 +static struct acl_role_label *role_list;
34567 +static u16 acl_sp_role_value;
34569 +extern char *gr_shared_page[4];
34570 +static DECLARE_MUTEX(gr_dev_sem);
34571 +DEFINE_RWLOCK(gr_inode_lock);
34573 +struct gr_arg *gr_usermode;
34575 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
34577 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
34578 +extern void gr_clear_learn_entries(void);
34580 +#ifdef CONFIG_GRKERNSEC_RESLOG
34581 +extern void gr_log_resource(const struct task_struct *task,
34582 + const int res, const unsigned long wanted, const int gt);
34585 +unsigned char *gr_system_salt;
34586 +unsigned char *gr_system_sum;
34588 +static struct sprole_pw **acl_special_roles = NULL;
34589 +static __u16 num_sprole_pws = 0;
34591 +static struct acl_role_label *kernel_role = NULL;
34593 +static unsigned int gr_auth_attempts = 0;
34594 +static unsigned long gr_auth_expires = 0UL;
34596 +extern struct vfsmount *sock_mnt;
34597 +extern struct vfsmount *pipe_mnt;
34598 +extern struct vfsmount *shm_mnt;
34599 +#ifdef CONFIG_HUGETLBFS
34600 +extern struct vfsmount *hugetlbfs_vfsmount;
34603 +static struct acl_object_label *fakefs_obj;
34605 +extern int gr_init_uidset(void);
34606 +extern void gr_free_uidset(void);
34607 +extern void gr_remove_uid(uid_t uid);
34608 +extern int gr_find_uid(uid_t uid);
34610 +extern spinlock_t vfsmount_lock;
34613 +gr_acl_is_enabled(void)
34615 + return (gr_status & GR_READY);
34618 +char gr_roletype_to_char(void)
34620 + switch (current->role->roletype &
34621 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
34622 + GR_ROLE_SPECIAL)) {
34623 + case GR_ROLE_DEFAULT:
34625 + case GR_ROLE_USER:
34627 + case GR_ROLE_GROUP:
34629 + case GR_ROLE_SPECIAL:
34637 +gr_acl_tpe_check(void)
34639 + if (unlikely(!(gr_status & GR_READY)))
34641 + if (current->role->roletype & GR_ROLE_TPE)
34648 +gr_handle_rawio(const struct inode *inode)
34650 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
34651 + if (inode && S_ISBLK(inode->i_mode) &&
34652 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
34653 + !capable(CAP_SYS_RAWIO))
34660 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
34662 + if (likely(lena != lenb))
34665 + return !memcmp(a, b, lena);
34668 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34669 + struct dentry *root, struct vfsmount *rootmnt,
34670 + char *buffer, int buflen)
34672 + char * end = buffer+buflen;
34676 + spin_lock(&vfsmount_lock);
34682 + /* Get '/' right */
34687 + struct dentry * parent;
34689 + if (dentry == root && vfsmnt == rootmnt)
34691 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
34692 + /* Global root? */
34693 + if (vfsmnt->mnt_parent == vfsmnt) {
34694 + goto global_root;
34696 + dentry = vfsmnt->mnt_mountpoint;
34697 + vfsmnt = vfsmnt->mnt_parent;
34700 + parent = dentry->d_parent;
34701 + prefetch(parent);
34702 + namelen = dentry->d_name.len;
34703 + buflen -= namelen + 1;
34707 + memcpy(end, dentry->d_name.name, namelen);
34714 + spin_unlock(&vfsmount_lock);
34718 + namelen = dentry->d_name.len;
34719 + buflen -= namelen;
34722 + retval -= namelen-1; /* hit the slash */
34723 + memcpy(retval, dentry->d_name.name, namelen);
34726 + retval = ERR_PTR(-ENAMETOOLONG);
34731 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34732 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
34736 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
34737 + if (unlikely(IS_ERR(retval)))
34738 + retval = strcpy(buf, "<path too long>");
34739 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
34740 + retval[1] = '\0';
34746 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34747 + char *buf, int buflen)
34751 + /* we can use real_root, real_root_mnt, because this is only called
34752 + by the RBAC system */
34753 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
34759 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34760 + char *buf, int buflen)
34763 + struct dentry *root;
34764 + struct vfsmount *rootmnt;
34765 + struct task_struct *reaper = &init_task;
34767 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
34768 + read_lock(&reaper->fs->lock);
34769 + root = dget(reaper->fs->root.dentry);
34770 + rootmnt = mntget(reaper->fs->root.mnt);
34771 + read_unlock(&reaper->fs->lock);
34773 + spin_lock(&dcache_lock);
34774 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
34775 + spin_unlock(&dcache_lock);
34783 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
34786 + spin_lock(&dcache_lock);
34787 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34789 + spin_unlock(&dcache_lock);
34794 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
34796 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34801 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
34803 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
34808 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
34810 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
34815 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
34817 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
34822 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
34824 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
34829 +to_gr_audit(const __u32 reqmode)
34831 + /* masks off auditable permission flags, then shifts them to create
34832 + auditing flags, and adds the special case of append auditing if
34833 + we're requesting write */
34834 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
34837 +struct acl_subject_label *
34838 +lookup_subject_map(const struct acl_subject_label *userp)
34840 + unsigned int index = shash(userp, subj_map_set.s_size);
34841 + struct subject_map *match;
34843 + match = subj_map_set.s_hash[index];
34845 + while (match && match->user != userp)
34846 + match = match->next;
34848 + if (match != NULL)
34849 + return match->kernel;
34855 +insert_subj_map_entry(struct subject_map *subjmap)
34857 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
34858 + struct subject_map **curr;
34860 + subjmap->prev = NULL;
34862 + curr = &subj_map_set.s_hash[index];
34863 + if (*curr != NULL)
34864 + (*curr)->prev = subjmap;
34866 + subjmap->next = *curr;
34872 +static struct acl_role_label *
34873 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
34876 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
34877 + struct acl_role_label *match;
34878 + struct role_allowed_ip *ipp;
34881 + match = acl_role_set.r_hash[index];
34884 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
34885 + for (x = 0; x < match->domain_child_num; x++) {
34886 + if (match->domain_children[x] == uid)
34889 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
34891 + match = match->next;
34894 + if (match == NULL) {
34896 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
34897 + match = acl_role_set.r_hash[index];
34900 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
34901 + for (x = 0; x < match->domain_child_num; x++) {
34902 + if (match->domain_children[x] == gid)
34905 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
34907 + match = match->next;
34910 + if (match == NULL)
34911 + match = default_role;
34912 + if (match->allowed_ips == NULL)
34915 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34917 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34918 + (ntohl(ipp->addr) & ipp->netmask)))
34921 + match = default_role;
34923 + } else if (match->allowed_ips == NULL) {
34926 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34928 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34929 + (ntohl(ipp->addr) & ipp->netmask)))
34938 +struct acl_subject_label *
34939 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
34940 + const struct acl_role_label *role)
34942 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
34943 + struct acl_subject_label *match;
34945 + match = role->subj_hash[index];
34947 + while (match && (match->inode != ino || match->device != dev ||
34948 + (match->mode & GR_DELETED))) {
34949 + match = match->next;
34952 + if (match && !(match->mode & GR_DELETED))
34958 +struct acl_subject_label *
34959 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
34960 + const struct acl_role_label *role)
34962 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
34963 + struct acl_subject_label *match;
34965 + match = role->subj_hash[index];
34967 + while (match && (match->inode != ino || match->device != dev ||
34968 + !(match->mode & GR_DELETED))) {
34969 + match = match->next;
34972 + if (match && (match->mode & GR_DELETED))
34978 +static struct acl_object_label *
34979 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
34980 + const struct acl_subject_label *subj)
34982 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34983 + struct acl_object_label *match;
34985 + match = subj->obj_hash[index];
34987 + while (match && (match->inode != ino || match->device != dev ||
34988 + (match->mode & GR_DELETED))) {
34989 + match = match->next;
34992 + if (match && !(match->mode & GR_DELETED))
34998 +static struct acl_object_label *
34999 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
35000 + const struct acl_subject_label *subj)
35002 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35003 + struct acl_object_label *match;
35005 + match = subj->obj_hash[index];
35007 + while (match && (match->inode != ino || match->device != dev ||
35008 + !(match->mode & GR_DELETED))) {
35009 + match = match->next;
35012 + if (match && (match->mode & GR_DELETED))
35015 + match = subj->obj_hash[index];
35017 + while (match && (match->inode != ino || match->device != dev ||
35018 + (match->mode & GR_DELETED))) {
35019 + match = match->next;
35022 + if (match && !(match->mode & GR_DELETED))
35028 +static struct name_entry *
35029 +lookup_name_entry(const char *name)
35031 + unsigned int len = strlen(name);
35032 + unsigned int key = full_name_hash(name, len);
35033 + unsigned int index = key % name_set.n_size;
35034 + struct name_entry *match;
35036 + match = name_set.n_hash[index];
35038 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
35039 + match = match->next;
35044 +static struct name_entry *
35045 +lookup_name_entry_create(const char *name)
35047 + unsigned int len = strlen(name);
35048 + unsigned int key = full_name_hash(name, len);
35049 + unsigned int index = key % name_set.n_size;
35050 + struct name_entry *match;
35052 + match = name_set.n_hash[index];
35054 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35055 + !match->deleted))
35056 + match = match->next;
35058 + if (match && match->deleted)
35061 + match = name_set.n_hash[index];
35063 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35065 + match = match->next;
35067 + if (match && !match->deleted)
35073 +static struct inodev_entry *
35074 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
35076 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
35077 + struct inodev_entry *match;
35079 + match = inodev_set.i_hash[index];
35081 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
35082 + match = match->next;
35088 +insert_inodev_entry(struct inodev_entry *entry)
35090 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
35091 + inodev_set.i_size);
35092 + struct inodev_entry **curr;
35094 + entry->prev = NULL;
35096 + curr = &inodev_set.i_hash[index];
35097 + if (*curr != NULL)
35098 + (*curr)->prev = entry;
35100 + entry->next = *curr;
35107 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
35109 + unsigned int index =
35110 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
35111 + struct acl_role_label **curr;
35112 + struct acl_role_label *tmp;
35114 + curr = &acl_role_set.r_hash[index];
35116 + /* if role was already inserted due to domains and already has
35117 + a role in the same bucket as it attached, then we need to
35118 + combine these two buckets
35120 + if (role->next) {
35121 + tmp = role->next;
35122 + while (tmp->next)
35124 + tmp->next = *curr;
35126 + role->next = *curr;
35133 +insert_acl_role_label(struct acl_role_label *role)
35137 + if (role_list == NULL) {
35138 + role_list = role;
35139 + role->prev = NULL;
35141 + role->prev = role_list;
35142 + role_list = role;
35145 + /* used for hash chains */
35146 + role->next = NULL;
35148 + if (role->roletype & GR_ROLE_DOMAIN) {
35149 + for (i = 0; i < role->domain_child_num; i++)
35150 + __insert_acl_role_label(role, role->domain_children[i]);
35152 + __insert_acl_role_label(role, role->uidgid);
35156 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
35158 + struct name_entry **curr, *nentry;
35159 + struct inodev_entry *ientry;
35160 + unsigned int len = strlen(name);
35161 + unsigned int key = full_name_hash(name, len);
35162 + unsigned int index = key % name_set.n_size;
35164 + curr = &name_set.n_hash[index];
35166 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
35167 + curr = &((*curr)->next);
35169 + if (*curr != NULL)
35172 + nentry = acl_alloc(sizeof (struct name_entry));
35173 + if (nentry == NULL)
35175 + ientry = acl_alloc(sizeof (struct inodev_entry));
35176 + if (ientry == NULL)
35178 + ientry->nentry = nentry;
35180 + nentry->key = key;
35181 + nentry->name = name;
35182 + nentry->inode = inode;
35183 + nentry->device = device;
35184 + nentry->len = len;
35185 + nentry->deleted = deleted;
35187 + nentry->prev = NULL;
35188 + curr = &name_set.n_hash[index];
35189 + if (*curr != NULL)
35190 + (*curr)->prev = nentry;
35191 + nentry->next = *curr;
35194 + /* insert us into the table searchable by inode/dev */
35195 + insert_inodev_entry(ientry);
35201 +insert_acl_obj_label(struct acl_object_label *obj,
35202 + struct acl_subject_label *subj)
35204 + unsigned int index =
35205 + fhash(obj->inode, obj->device, subj->obj_hash_size);
35206 + struct acl_object_label **curr;
35209 + obj->prev = NULL;
35211 + curr = &subj->obj_hash[index];
35212 + if (*curr != NULL)
35213 + (*curr)->prev = obj;
35215 + obj->next = *curr;
35222 +insert_acl_subj_label(struct acl_subject_label *obj,
35223 + struct acl_role_label *role)
35225 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
35226 + struct acl_subject_label **curr;
35228 + obj->prev = NULL;
35230 + curr = &role->subj_hash[index];
35231 + if (*curr != NULL)
35232 + (*curr)->prev = obj;
35234 + obj->next = *curr;
35240 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
35243 +create_table(__u32 * len, int elementsize)
35245 + unsigned int table_sizes[] = {
35246 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
35247 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
35248 + 4194301, 8388593, 16777213, 33554393, 67108859
35250 + void *newtable = NULL;
35251 + unsigned int pwr = 0;
35253 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
35254 + table_sizes[pwr] <= *len)
35257 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
35260 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
35262 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
35264 + newtable = vmalloc(table_sizes[pwr] * elementsize);
35266 + *len = table_sizes[pwr];
35272 +init_variables(const struct gr_arg *arg)
35274 + struct task_struct *reaper = &init_task;
35275 + unsigned int stacksize;
35277 + subj_map_set.s_size = arg->role_db.num_subjects;
35278 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
35279 + name_set.n_size = arg->role_db.num_objects;
35280 + inodev_set.i_size = arg->role_db.num_objects;
35282 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
35283 + !name_set.n_size || !inodev_set.i_size)
35286 + if (!gr_init_uidset())
35289 + /* set up the stack that holds allocation info */
35291 + stacksize = arg->role_db.num_pointers + 5;
35293 + if (!acl_alloc_stack_init(stacksize))
35296 + /* grab reference for the real root dentry and vfsmount */
35297 + read_lock(&reaper->fs->lock);
35298 + real_root_mnt = mntget(reaper->fs->root.mnt);
35299 + real_root = dget(reaper->fs->root.dentry);
35300 + read_unlock(&reaper->fs->lock);
35302 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
35303 + if (fakefs_obj == NULL)
35305 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
35307 + subj_map_set.s_hash =
35308 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
35309 + acl_role_set.r_hash =
35310 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
35311 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
35312 + inodev_set.i_hash =
35313 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
35315 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
35316 + !name_set.n_hash || !inodev_set.i_hash)
35319 + memset(subj_map_set.s_hash, 0,
35320 + sizeof(struct subject_map *) * subj_map_set.s_size);
35321 + memset(acl_role_set.r_hash, 0,
35322 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
35323 + memset(name_set.n_hash, 0,
35324 + sizeof (struct name_entry *) * name_set.n_size);
35325 + memset(inodev_set.i_hash, 0,
35326 + sizeof (struct inodev_entry *) * inodev_set.i_size);
35331 +/* free information not needed after startup
35332 + currently contains user->kernel pointer mappings for subjects
35336 +free_init_variables(void)
35340 + if (subj_map_set.s_hash) {
35341 + for (i = 0; i < subj_map_set.s_size; i++) {
35342 + if (subj_map_set.s_hash[i]) {
35343 + kfree(subj_map_set.s_hash[i]);
35344 + subj_map_set.s_hash[i] = NULL;
35348 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
35350 + kfree(subj_map_set.s_hash);
35352 + vfree(subj_map_set.s_hash);
35359 +free_variables(void)
35361 + struct acl_subject_label *s;
35362 + struct acl_role_label *r;
35363 + struct task_struct *task, *task2;
35366 + gr_clear_learn_entries();
35368 + read_lock(&tasklist_lock);
35369 + do_each_thread(task2, task) {
35370 + task->acl_sp_role = 0;
35371 + task->acl_role_id = 0;
35372 + task->acl = NULL;
35373 + task->role = NULL;
35374 + } while_each_thread(task2, task);
35375 + read_unlock(&tasklist_lock);
35377 + /* release the reference to the real root dentry and vfsmount */
35380 + real_root = NULL;
35381 + if (real_root_mnt)
35382 + mntput(real_root_mnt);
35383 + real_root_mnt = NULL;
35385 + /* free all object hash tables */
35387 + FOR_EACH_ROLE_START(r)
35388 + if (r->subj_hash == NULL)
35390 + FOR_EACH_SUBJECT_START(r, s, x)
35391 + if (s->obj_hash == NULL)
35393 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35394 + kfree(s->obj_hash);
35396 + vfree(s->obj_hash);
35397 + FOR_EACH_SUBJECT_END(s, x)
35398 + FOR_EACH_NESTED_SUBJECT_START(r, s)
35399 + if (s->obj_hash == NULL)
35401 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35402 + kfree(s->obj_hash);
35404 + vfree(s->obj_hash);
35405 + FOR_EACH_NESTED_SUBJECT_END(s)
35406 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
35407 + kfree(r->subj_hash);
35409 + vfree(r->subj_hash);
35410 + r->subj_hash = NULL;
35412 + FOR_EACH_ROLE_END(r)
35416 + if (acl_role_set.r_hash) {
35417 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
35419 + kfree(acl_role_set.r_hash);
35421 + vfree(acl_role_set.r_hash);
35423 + if (name_set.n_hash) {
35424 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
35426 + kfree(name_set.n_hash);
35428 + vfree(name_set.n_hash);
35431 + if (inodev_set.i_hash) {
35432 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
35434 + kfree(inodev_set.i_hash);
35436 + vfree(inodev_set.i_hash);
35439 + gr_free_uidset();
35441 + memset(&name_set, 0, sizeof (struct name_db));
35442 + memset(&inodev_set, 0, sizeof (struct inodev_db));
35443 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
35444 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
35446 + default_role = NULL;
35447 + role_list = NULL;
35453 +count_user_objs(struct acl_object_label *userp)
35455 + struct acl_object_label o_tmp;
35459 + if (copy_from_user(&o_tmp, userp,
35460 + sizeof (struct acl_object_label)))
35463 + userp = o_tmp.prev;
35470 +static struct acl_subject_label *
35471 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
35474 +copy_user_glob(struct acl_object_label *obj)
35476 + struct acl_object_label *g_tmp, **guser;
35477 + unsigned int len;
35480 + if (obj->globbed == NULL)
35483 + guser = &obj->globbed;
35485 + g_tmp = (struct acl_object_label *)
35486 + acl_alloc(sizeof (struct acl_object_label));
35487 + if (g_tmp == NULL)
35490 + if (copy_from_user(g_tmp, *guser,
35491 + sizeof (struct acl_object_label)))
35494 + len = strnlen_user(g_tmp->filename, PATH_MAX);
35496 + if (!len || len >= PATH_MAX)
35499 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35502 + if (copy_from_user(tmp, g_tmp->filename, len))
35504 + tmp[len-1] = '\0';
35505 + g_tmp->filename = tmp;
35508 + guser = &(g_tmp->next);
35515 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
35516 + struct acl_role_label *role)
35518 + struct acl_object_label *o_tmp;
35519 + unsigned int len;
35524 + if ((o_tmp = (struct acl_object_label *)
35525 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
35528 + if (copy_from_user(o_tmp, userp,
35529 + sizeof (struct acl_object_label)))
35532 + userp = o_tmp->prev;
35534 + len = strnlen_user(o_tmp->filename, PATH_MAX);
35536 + if (!len || len >= PATH_MAX)
35539 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35542 + if (copy_from_user(tmp, o_tmp->filename, len))
35544 + tmp[len-1] = '\0';
35545 + o_tmp->filename = tmp;
35547 + insert_acl_obj_label(o_tmp, subj);
35548 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
35549 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
35552 + ret = copy_user_glob(o_tmp);
35556 + if (o_tmp->nested) {
35557 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
35558 + if (IS_ERR(o_tmp->nested))
35559 + return PTR_ERR(o_tmp->nested);
35561 + /* insert into nested subject list */
35562 + o_tmp->nested->next = role->hash->first;
35563 + role->hash->first = o_tmp->nested;
35571 +count_user_subjs(struct acl_subject_label *userp)
35573 + struct acl_subject_label s_tmp;
35577 + if (copy_from_user(&s_tmp, userp,
35578 + sizeof (struct acl_subject_label)))
35581 + userp = s_tmp.prev;
35582 + /* do not count nested subjects against this count, since
35583 + they are not included in the hash table, but are
35584 + attached to objects. We have already counted
35585 + the subjects in userspace for the allocation
35588 + if (!(s_tmp.mode & GR_NESTED))
35596 +copy_user_allowedips(struct acl_role_label *rolep)
35598 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
35600 + ruserip = rolep->allowed_ips;
35602 + while (ruserip) {
35605 + if ((rtmp = (struct role_allowed_ip *)
35606 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
35609 + if (copy_from_user(rtmp, ruserip,
35610 + sizeof (struct role_allowed_ip)))
35613 + ruserip = rtmp->prev;
35616 + rtmp->prev = NULL;
35617 + rolep->allowed_ips = rtmp;
35619 + rlast->next = rtmp;
35620 + rtmp->prev = rlast;
35624 + rtmp->next = NULL;
35631 +copy_user_transitions(struct acl_role_label *rolep)
35633 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
35635 + unsigned int len;
35638 + rusertp = rolep->transitions;
35640 + while (rusertp) {
35643 + if ((rtmp = (struct role_transition *)
35644 + acl_alloc(sizeof (struct role_transition))) == NULL)
35647 + if (copy_from_user(rtmp, rusertp,
35648 + sizeof (struct role_transition)))
35651 + rusertp = rtmp->prev;
35653 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
35655 + if (!len || len >= GR_SPROLE_LEN)
35658 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35661 + if (copy_from_user(tmp, rtmp->rolename, len))
35663 + tmp[len-1] = '\0';
35664 + rtmp->rolename = tmp;
35667 + rtmp->prev = NULL;
35668 + rolep->transitions = rtmp;
35670 + rlast->next = rtmp;
35671 + rtmp->prev = rlast;
35675 + rtmp->next = NULL;
35681 +static struct acl_subject_label *
35682 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
35684 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
35685 + unsigned int len;
35688 + struct acl_ip_label **i_tmp, *i_utmp2;
35689 + struct gr_hash_struct ghash;
35690 + struct subject_map *subjmap;
35691 + unsigned int i_num;
35694 + s_tmp = lookup_subject_map(userp);
35696 + /* we've already copied this subject into the kernel, just return
35697 + the reference to it, and don't copy it over again
35702 + if ((s_tmp = (struct acl_subject_label *)
35703 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
35704 + return ERR_PTR(-ENOMEM);
35706 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
35707 + if (subjmap == NULL)
35708 + return ERR_PTR(-ENOMEM);
35710 + subjmap->user = userp;
35711 + subjmap->kernel = s_tmp;
35712 + insert_subj_map_entry(subjmap);
35714 + if (copy_from_user(s_tmp, userp,
35715 + sizeof (struct acl_subject_label)))
35716 + return ERR_PTR(-EFAULT);
35718 + len = strnlen_user(s_tmp->filename, PATH_MAX);
35720 + if (!len || len >= PATH_MAX)
35721 + return ERR_PTR(-EINVAL);
35723 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35724 + return ERR_PTR(-ENOMEM);
35726 + if (copy_from_user(tmp, s_tmp->filename, len))
35727 + return ERR_PTR(-EFAULT);
35728 + tmp[len-1] = '\0';
35729 + s_tmp->filename = tmp;
35731 + if (!strcmp(s_tmp->filename, "/"))
35732 + role->root_label = s_tmp;
35734 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
35735 + return ERR_PTR(-EFAULT);
35737 + /* copy user and group transition tables */
35739 + if (s_tmp->user_trans_num) {
35742 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
35743 + if (uidlist == NULL)
35744 + return ERR_PTR(-ENOMEM);
35745 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
35746 + return ERR_PTR(-EFAULT);
35748 + s_tmp->user_transitions = uidlist;
35751 + if (s_tmp->group_trans_num) {
35754 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
35755 + if (gidlist == NULL)
35756 + return ERR_PTR(-ENOMEM);
35757 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
35758 + return ERR_PTR(-EFAULT);
35760 + s_tmp->group_transitions = gidlist;
35763 + /* set up object hash table */
35764 + num_objs = count_user_objs(ghash.first);
35766 + s_tmp->obj_hash_size = num_objs;
35767 + s_tmp->obj_hash =
35768 + (struct acl_object_label **)
35769 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
35771 + if (!s_tmp->obj_hash)
35772 + return ERR_PTR(-ENOMEM);
35774 + memset(s_tmp->obj_hash, 0,
35775 + s_tmp->obj_hash_size *
35776 + sizeof (struct acl_object_label *));
35778 + /* add in objects */
35779 + err = copy_user_objs(ghash.first, s_tmp, role);
35782 + return ERR_PTR(err);
35784 + /* set pointer for parent subject */
35785 + if (s_tmp->parent_subject) {
35786 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
35788 + if (IS_ERR(s_tmp2))
35791 + s_tmp->parent_subject = s_tmp2;
35794 + /* add in ip acls */
35796 + if (!s_tmp->ip_num) {
35797 + s_tmp->ips = NULL;
35802 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
35803 + sizeof (struct acl_ip_label *));
35806 + return ERR_PTR(-ENOMEM);
35808 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
35809 + *(i_tmp + i_num) =
35810 + (struct acl_ip_label *)
35811 + acl_alloc(sizeof (struct acl_ip_label));
35812 + if (!*(i_tmp + i_num))
35813 + return ERR_PTR(-ENOMEM);
35815 + if (copy_from_user
35816 + (&i_utmp2, s_tmp->ips + i_num,
35817 + sizeof (struct acl_ip_label *)))
35818 + return ERR_PTR(-EFAULT);
35820 + if (copy_from_user
35821 + (*(i_tmp + i_num), i_utmp2,
35822 + sizeof (struct acl_ip_label)))
35823 + return ERR_PTR(-EFAULT);
35825 + if ((*(i_tmp + i_num))->iface == NULL)
35828 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
35829 + if (!len || len >= IFNAMSIZ)
35830 + return ERR_PTR(-EINVAL);
35831 + tmp = acl_alloc(len);
35833 + return ERR_PTR(-ENOMEM);
35834 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
35835 + return ERR_PTR(-EFAULT);
35836 + (*(i_tmp + i_num))->iface = tmp;
35839 + s_tmp->ips = i_tmp;
35842 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
35843 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
35844 + return ERR_PTR(-ENOMEM);
35850 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
35852 + struct acl_subject_label s_pre;
35853 + struct acl_subject_label * ret;
35857 + if (copy_from_user(&s_pre, userp,
35858 + sizeof (struct acl_subject_label)))
35861 + /* do not add nested subjects here, add
35862 + while parsing objects
35865 + if (s_pre.mode & GR_NESTED) {
35866 + userp = s_pre.prev;
35870 + ret = do_copy_user_subj(userp, role);
35872 + err = PTR_ERR(ret);
35876 + insert_acl_subj_label(ret, role);
35878 + userp = s_pre.prev;
35885 +copy_user_acl(struct gr_arg *arg)
35887 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
35888 + struct sprole_pw *sptmp;
35889 + struct gr_hash_struct *ghash;
35890 + uid_t *domainlist;
35891 + unsigned int r_num;
35892 + unsigned int len;
35898 + /* we need a default and kernel role */
35899 + if (arg->role_db.num_roles < 2)
35902 + /* copy special role authentication info from userspace */
35904 + num_sprole_pws = arg->num_sprole_pws;
35905 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
35907 + if (!acl_special_roles) {
35912 + for (i = 0; i < num_sprole_pws; i++) {
35913 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
35918 + if (copy_from_user(sptmp, arg->sprole_pws + i,
35919 + sizeof (struct sprole_pw))) {
35925 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
35927 + if (!len || len >= GR_SPROLE_LEN) {
35932 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
35937 + if (copy_from_user(tmp, sptmp->rolename, len)) {
35941 + tmp[len-1] = '\0';
35942 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35943 + printk(KERN_ALERT "Copying special role %s\n", tmp);
35945 + sptmp->rolename = tmp;
35946 + acl_special_roles[i] = sptmp;
35949 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
35951 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
35952 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
35959 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
35960 + sizeof (struct acl_role_label *))) {
35965 + if (copy_from_user(r_tmp, r_utmp2,
35966 + sizeof (struct acl_role_label))) {
35971 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
35973 + if (!len || len >= PATH_MAX) {
35978 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
35982 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
35986 + tmp[len-1] = '\0';
35987 + r_tmp->rolename = tmp;
35989 + if (!strcmp(r_tmp->rolename, "default")
35990 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
35991 + default_role = r_tmp;
35992 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
35993 + kernel_role = r_tmp;
35996 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
36000 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
36005 + r_tmp->hash = ghash;
36007 + num_subjs = count_user_subjs(r_tmp->hash->first);
36009 + r_tmp->subj_hash_size = num_subjs;
36010 + r_tmp->subj_hash =
36011 + (struct acl_subject_label **)
36012 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
36014 + if (!r_tmp->subj_hash) {
36019 + err = copy_user_allowedips(r_tmp);
36023 + /* copy domain info */
36024 + if (r_tmp->domain_children != NULL) {
36025 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
36026 + if (domainlist == NULL) {
36030 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
36034 + r_tmp->domain_children = domainlist;
36037 + err = copy_user_transitions(r_tmp);
36041 + memset(r_tmp->subj_hash, 0,
36042 + r_tmp->subj_hash_size *
36043 + sizeof (struct acl_subject_label *));
36045 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
36050 + /* set nested subject list to null */
36051 + r_tmp->hash->first = NULL;
36053 + insert_acl_role_label(r_tmp);
36058 + free_variables();
36065 +gracl_init(struct gr_arg *args)
36069 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
36070 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
36072 + if (init_variables(args)) {
36073 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
36075 + free_variables();
36079 + error = copy_user_acl(args);
36080 + free_init_variables();
36082 + free_variables();
36086 + if ((error = gr_set_acls(0))) {
36087 + free_variables();
36091 + pax_open_kernel();
36092 + gr_status |= GR_READY;
36093 + pax_close_kernel();
36099 +/* derived from glibc fnmatch() 0: match, 1: no match*/
36102 +glob_match(const char *p, const char *n)
36106 + while ((c = *p++) != '\0') {
36111 + else if (*n == '/')
36119 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
36122 + else if (c == '?') {
36132 + const char *endp;
36134 + if ((endp = strchr(n, '/')) == NULL)
36135 + endp = n + strlen(n);
36138 + for (--p; n < endp; ++n)
36139 + if (!glob_match(p, n))
36141 + } else if (c == '/') {
36142 + while (*n != '\0' && *n != '/')
36144 + if (*n == '/' && !glob_match(p, n + 1))
36147 + for (--p; n < endp; ++n)
36148 + if (*n == c && !glob_match(p, n))
36159 + if (*n == '\0' || *n == '/')
36162 + not = (*p == '!' || *p == '^');
36168 + unsigned char fn = (unsigned char)*n;
36178 + if (c == '-' && *p != ']') {
36179 + unsigned char cend = *p++;
36181 + if (cend == '\0')
36184 + if (cold <= fn && fn <= cend)
36198 + while (c != ']') {
36225 +static struct acl_object_label *
36226 +chk_glob_label(struct acl_object_label *globbed,
36227 + struct dentry *dentry, struct vfsmount *mnt, char **path)
36229 + struct acl_object_label *tmp;
36231 + if (*path == NULL)
36232 + *path = gr_to_filename_nolock(dentry, mnt);
36237 + if (!glob_match(tmp->filename, *path))
36245 +static struct acl_object_label *
36246 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36247 + const ino_t curr_ino, const dev_t curr_dev,
36248 + const struct acl_subject_label *subj, char **path, const int checkglob)
36250 + struct acl_subject_label *tmpsubj;
36251 + struct acl_object_label *retval;
36252 + struct acl_object_label *retval2;
36254 + tmpsubj = (struct acl_subject_label *) subj;
36255 + read_lock(&gr_inode_lock);
36257 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
36259 + if (checkglob && retval->globbed) {
36260 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
36261 + (struct vfsmount *)orig_mnt, path);
36263 + retval = retval2;
36267 + } while ((tmpsubj = tmpsubj->parent_subject));
36268 + read_unlock(&gr_inode_lock);
36273 +static __inline__ struct acl_object_label *
36274 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36275 + const struct dentry *curr_dentry,
36276 + const struct acl_subject_label *subj, char **path, const int checkglob)
36278 + return __full_lookup(orig_dentry, orig_mnt,
36279 + curr_dentry->d_inode->i_ino,
36280 + curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
36283 +static struct acl_object_label *
36284 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36285 + const struct acl_subject_label *subj, char *path, const int checkglob)
36287 + struct dentry *dentry = (struct dentry *) l_dentry;
36288 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36289 + struct acl_object_label *retval;
36291 + spin_lock(&dcache_lock);
36293 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
36294 +#ifdef CONFIG_HUGETLBFS
36295 + mnt == hugetlbfs_vfsmount ||
36297 + /* ignore Eric Biederman */
36298 + IS_PRIVATE(l_dentry->d_inode))) {
36299 + retval = fakefs_obj;
36304 + if (dentry == real_root && mnt == real_root_mnt)
36307 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36308 + if (mnt->mnt_parent == mnt)
36311 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36312 + if (retval != NULL)
36315 + dentry = mnt->mnt_mountpoint;
36316 + mnt = mnt->mnt_parent;
36320 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36321 + if (retval != NULL)
36324 + dentry = dentry->d_parent;
36327 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36329 + if (retval == NULL)
36330 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
36332 + spin_unlock(&dcache_lock);
36336 +static __inline__ struct acl_object_label *
36337 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36338 + const struct acl_subject_label *subj)
36340 + char *path = NULL;
36341 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
36344 +static __inline__ struct acl_object_label *
36345 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36346 + const struct acl_subject_label *subj)
36348 + char *path = NULL;
36349 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
36352 +static __inline__ struct acl_object_label *
36353 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36354 + const struct acl_subject_label *subj, char *path)
36356 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
36359 +static struct acl_subject_label *
36360 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36361 + const struct acl_role_label *role)
36363 + struct dentry *dentry = (struct dentry *) l_dentry;
36364 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36365 + struct acl_subject_label *retval;
36367 + spin_lock(&dcache_lock);
36370 + if (dentry == real_root && mnt == real_root_mnt)
36372 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36373 + if (mnt->mnt_parent == mnt)
36376 + read_lock(&gr_inode_lock);
36378 + lookup_acl_subj_label(dentry->d_inode->i_ino,
36379 + dentry->d_inode->i_sb->s_dev, role);
36380 + read_unlock(&gr_inode_lock);
36381 + if (retval != NULL)
36384 + dentry = mnt->mnt_mountpoint;
36385 + mnt = mnt->mnt_parent;
36389 + read_lock(&gr_inode_lock);
36390 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36391 + dentry->d_inode->i_sb->s_dev, role);
36392 + read_unlock(&gr_inode_lock);
36393 + if (retval != NULL)
36396 + dentry = dentry->d_parent;
36399 + read_lock(&gr_inode_lock);
36400 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36401 + dentry->d_inode->i_sb->s_dev, role);
36402 + read_unlock(&gr_inode_lock);
36404 + if (unlikely(retval == NULL)) {
36405 + read_lock(&gr_inode_lock);
36406 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
36407 + real_root->d_inode->i_sb->s_dev, role);
36408 + read_unlock(&gr_inode_lock);
36411 + spin_unlock(&dcache_lock);
36417 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
36419 + struct task_struct *task = current;
36420 + const struct cred *cred = current_cred();
36422 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36423 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36424 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36425 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->curr_ip);
36431 +gr_log_learn_sysctl(const char *path, const __u32 mode)
36433 + struct task_struct *task = current;
36434 + const struct cred *cred = current_cred();
36436 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36437 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36438 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36439 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->curr_ip);
36445 +gr_log_learn_id_change(const char type, const unsigned int real,
36446 + const unsigned int effective, const unsigned int fs)
36448 + struct task_struct *task = current;
36449 + const struct cred *cred = current_cred();
36451 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
36452 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36453 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36454 + type, real, effective, fs, &task->signal->curr_ip);
36460 +gr_check_link(const struct dentry * new_dentry,
36461 + const struct dentry * parent_dentry,
36462 + const struct vfsmount * parent_mnt,
36463 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
36465 + struct acl_object_label *obj;
36466 + __u32 oldmode, newmode;
36469 + if (unlikely(!(gr_status & GR_READY)))
36470 + return (GR_CREATE | GR_LINK);
36472 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
36473 + oldmode = obj->mode;
36475 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36476 + oldmode |= (GR_CREATE | GR_LINK);
36478 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
36479 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36480 + needmode |= GR_SETID | GR_AUDIT_SETID;
36483 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
36484 + oldmode | needmode);
36486 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
36487 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
36488 + GR_INHERIT | GR_AUDIT_INHERIT);
36490 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
36493 + if ((oldmode & needmode) != needmode)
36496 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
36497 + if ((newmode & needmode) != needmode)
36500 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
36503 + needmode = oldmode;
36504 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36505 + needmode |= GR_SETID;
36507 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36508 + gr_log_learn(old_dentry, old_mnt, needmode);
36509 + return (GR_CREATE | GR_LINK);
36510 + } else if (newmode & GR_SUPPRESS)
36511 + return GR_SUPPRESS;
36517 +gr_search_file(const struct dentry * dentry, const __u32 mode,
36518 + const struct vfsmount * mnt)
36520 + __u32 retval = mode;
36521 + struct acl_subject_label *curracl;
36522 + struct acl_object_label *currobj;
36524 + if (unlikely(!(gr_status & GR_READY)))
36525 + return (mode & ~GR_AUDITS);
36527 + curracl = current->acl;
36529 + currobj = chk_obj_label(dentry, mnt, curracl);
36530 + retval = currobj->mode & mode;
36533 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
36534 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
36535 + __u32 new_mode = mode;
36537 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36539 + retval = new_mode;
36541 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
36542 + new_mode |= GR_INHERIT;
36544 + if (!(mode & GR_NOLEARN))
36545 + gr_log_learn(dentry, mnt, new_mode);
36552 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
36553 + const struct vfsmount * mnt, const __u32 mode)
36555 + struct name_entry *match;
36556 + struct acl_object_label *matchpo;
36557 + struct acl_subject_label *curracl;
36561 + if (unlikely(!(gr_status & GR_READY)))
36562 + return (mode & ~GR_AUDITS);
36564 + preempt_disable();
36565 + path = gr_to_filename_rbac(new_dentry, mnt);
36566 + match = lookup_name_entry_create(path);
36569 + goto check_parent;
36571 + curracl = current->acl;
36573 + read_lock(&gr_inode_lock);
36574 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
36575 + read_unlock(&gr_inode_lock);
36578 + if ((matchpo->mode & mode) !=
36579 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
36580 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36581 + __u32 new_mode = mode;
36583 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36585 + gr_log_learn(new_dentry, mnt, new_mode);
36587 + preempt_enable();
36590 + preempt_enable();
36591 + return (matchpo->mode & mode);
36595 + curracl = current->acl;
36597 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
36598 + retval = matchpo->mode & mode;
36600 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
36601 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
36602 + __u32 new_mode = mode;
36604 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36606 + gr_log_learn(new_dentry, mnt, new_mode);
36607 + preempt_enable();
36611 + preempt_enable();
36616 +gr_check_hidden_task(const struct task_struct *task)
36618 + if (unlikely(!(gr_status & GR_READY)))
36621 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
36628 +gr_check_protected_task(const struct task_struct *task)
36630 + if (unlikely(!(gr_status & GR_READY) || !task))
36633 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36634 + task->acl != current->acl)
36641 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
36643 + struct task_struct *p;
36646 + if (unlikely(!(gr_status & GR_READY) || !pid))
36649 + read_lock(&tasklist_lock);
36650 + do_each_pid_task(pid, type, p) {
36651 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36652 + p->acl != current->acl) {
36656 + } while_each_pid_task(pid, type, p);
36658 + read_unlock(&tasklist_lock);
36664 +gr_copy_label(struct task_struct *tsk)
36666 + tsk->signal->used_accept = 0;
36667 + tsk->acl_sp_role = 0;
36668 + tsk->acl_role_id = current->acl_role_id;
36669 + tsk->acl = current->acl;
36670 + tsk->role = current->role;
36671 + tsk->signal->curr_ip = current->signal->curr_ip;
36672 + if (current->exec_file)
36673 + get_file(current->exec_file);
36674 + tsk->exec_file = current->exec_file;
36675 + tsk->is_writable = current->is_writable;
36676 + if (unlikely(current->signal->used_accept))
36677 + current->signal->curr_ip = 0;
36683 +gr_set_proc_res(struct task_struct *task)
36685 + struct acl_subject_label *proc;
36686 + unsigned short i;
36688 + proc = task->acl;
36690 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
36693 + for (i = 0; i < RLIM_NLIMITS; i++) {
36694 + if (!(proc->resmask & (1 << i)))
36697 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
36698 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
36705 +gr_check_user_change(int real, int effective, int fs)
36712 + int effectiveok = 0;
36715 + if (unlikely(!(gr_status & GR_READY)))
36718 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36719 + gr_log_learn_id_change('u', real, effective, fs);
36721 + num = current->acl->user_trans_num;
36722 + uidlist = current->acl->user_transitions;
36724 + if (uidlist == NULL)
36729 + if (effective == -1)
36734 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
36735 + for (i = 0; i < num; i++) {
36736 + curuid = (int)uidlist[i];
36737 + if (real == curuid)
36739 + if (effective == curuid)
36741 + if (fs == curuid)
36744 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
36745 + for (i = 0; i < num; i++) {
36746 + curuid = (int)uidlist[i];
36747 + if (real == curuid)
36749 + if (effective == curuid)
36751 + if (fs == curuid)
36754 + /* not in deny list */
36762 + if (realok && effectiveok && fsok)
36765 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36771 +gr_check_group_change(int real, int effective, int fs)
36778 + int effectiveok = 0;
36781 + if (unlikely(!(gr_status & GR_READY)))
36784 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36785 + gr_log_learn_id_change('g', real, effective, fs);
36787 + num = current->acl->group_trans_num;
36788 + gidlist = current->acl->group_transitions;
36790 + if (gidlist == NULL)
36795 + if (effective == -1)
36800 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
36801 + for (i = 0; i < num; i++) {
36802 + curgid = (int)gidlist[i];
36803 + if (real == curgid)
36805 + if (effective == curgid)
36807 + if (fs == curgid)
36810 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
36811 + for (i = 0; i < num; i++) {
36812 + curgid = (int)gidlist[i];
36813 + if (real == curgid)
36815 + if (effective == curgid)
36817 + if (fs == curgid)
36820 + /* not in deny list */
36828 + if (realok && effectiveok && fsok)
36831 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36837 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
36839 + struct acl_role_label *role = task->role;
36840 + struct acl_subject_label *subj = NULL;
36841 + struct acl_object_label *obj;
36842 + struct file *filp;
36844 + if (unlikely(!(gr_status & GR_READY)))
36847 + filp = task->exec_file;
36849 + /* kernel process, we'll give them the kernel role */
36850 + if (unlikely(!filp)) {
36851 + task->role = kernel_role;
36852 + task->acl = kernel_role->root_label;
36854 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
36855 + role = lookup_acl_role_label(task, uid, gid);
36857 + /* perform subject lookup in possibly new role
36858 + we can use this result below in the case where role == task->role
36860 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
36862 + /* if we changed uid/gid, but result in the same role
36863 + and are using inheritance, don't lose the inherited subject
36864 + if current subject is other than what normal lookup
36865 + would result in, we arrived via inheritance, don't
36868 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
36869 + (subj == task->acl)))
36870 + task->acl = subj;
36872 + task->role = role;
36874 + task->is_writable = 0;
36876 + /* ignore additional mmap checks for processes that are writable
36877 + by the default ACL */
36878 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36879 + if (unlikely(obj->mode & GR_WRITE))
36880 + task->is_writable = 1;
36881 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
36882 + if (unlikely(obj->mode & GR_WRITE))
36883 + task->is_writable = 1;
36885 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36886 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36889 + gr_set_proc_res(task);
36895 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
36896 + const int unsafe_share)
36898 + struct task_struct *task = current;
36899 + struct acl_subject_label *newacl;
36900 + struct acl_object_label *obj;
36903 + if (unlikely(!(gr_status & GR_READY)))
36906 + newacl = chk_subj_label(dentry, mnt, task->role);
36909 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
36910 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
36911 + !(task->role->roletype & GR_ROLE_GOD) &&
36912 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
36913 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
36914 + task_unlock(task);
36915 + if (unsafe_share)
36916 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
36918 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
36921 + task_unlock(task);
36923 + obj = chk_obj_label(dentry, mnt, task->acl);
36924 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
36926 + if (!(task->acl->mode & GR_INHERITLEARN) &&
36927 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
36929 + task->acl = obj->nested;
36931 + task->acl = newacl;
36932 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
36933 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
36935 + task->is_writable = 0;
36937 + /* ignore additional mmap checks for processes that are writable
36938 + by the default ACL */
36939 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
36940 + if (unlikely(obj->mode & GR_WRITE))
36941 + task->is_writable = 1;
36942 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
36943 + if (unlikely(obj->mode & GR_WRITE))
36944 + task->is_writable = 1;
36946 + gr_set_proc_res(task);
36948 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36949 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36954 +/* always called with valid inodev ptr */
36956 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
36958 + struct acl_object_label *matchpo;
36959 + struct acl_subject_label *matchps;
36960 + struct acl_subject_label *subj;
36961 + struct acl_role_label *role;
36964 + FOR_EACH_ROLE_START(role)
36965 + FOR_EACH_SUBJECT_START(role, subj, x)
36966 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
36967 + matchpo->mode |= GR_DELETED;
36968 + FOR_EACH_SUBJECT_END(subj,x)
36969 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
36970 + if (subj->inode == ino && subj->device == dev)
36971 + subj->mode |= GR_DELETED;
36972 + FOR_EACH_NESTED_SUBJECT_END(subj)
36973 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
36974 + matchps->mode |= GR_DELETED;
36975 + FOR_EACH_ROLE_END(role)
36977 + inodev->nentry->deleted = 1;
36983 +gr_handle_delete(const ino_t ino, const dev_t dev)
36985 + struct inodev_entry *inodev;
36987 + if (unlikely(!(gr_status & GR_READY)))
36990 + write_lock(&gr_inode_lock);
36991 + inodev = lookup_inodev_entry(ino, dev);
36992 + if (inodev != NULL)
36993 + do_handle_delete(inodev, ino, dev);
36994 + write_unlock(&gr_inode_lock);
37000 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
37001 + const ino_t newinode, const dev_t newdevice,
37002 + struct acl_subject_label *subj)
37004 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
37005 + struct acl_object_label *match;
37007 + match = subj->obj_hash[index];
37009 + while (match && (match->inode != oldinode ||
37010 + match->device != olddevice ||
37011 + !(match->mode & GR_DELETED)))
37012 + match = match->next;
37014 + if (match && (match->inode == oldinode)
37015 + && (match->device == olddevice)
37016 + && (match->mode & GR_DELETED)) {
37017 + if (match->prev == NULL) {
37018 + subj->obj_hash[index] = match->next;
37019 + if (match->next != NULL)
37020 + match->next->prev = NULL;
37022 + match->prev->next = match->next;
37023 + if (match->next != NULL)
37024 + match->next->prev = match->prev;
37026 + match->prev = NULL;
37027 + match->next = NULL;
37028 + match->inode = newinode;
37029 + match->device = newdevice;
37030 + match->mode &= ~GR_DELETED;
37032 + insert_acl_obj_label(match, subj);
37039 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
37040 + const ino_t newinode, const dev_t newdevice,
37041 + struct acl_role_label *role)
37043 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
37044 + struct acl_subject_label *match;
37046 + match = role->subj_hash[index];
37048 + while (match && (match->inode != oldinode ||
37049 + match->device != olddevice ||
37050 + !(match->mode & GR_DELETED)))
37051 + match = match->next;
37053 + if (match && (match->inode == oldinode)
37054 + && (match->device == olddevice)
37055 + && (match->mode & GR_DELETED)) {
37056 + if (match->prev == NULL) {
37057 + role->subj_hash[index] = match->next;
37058 + if (match->next != NULL)
37059 + match->next->prev = NULL;
37061 + match->prev->next = match->next;
37062 + if (match->next != NULL)
37063 + match->next->prev = match->prev;
37065 + match->prev = NULL;
37066 + match->next = NULL;
37067 + match->inode = newinode;
37068 + match->device = newdevice;
37069 + match->mode &= ~GR_DELETED;
37071 + insert_acl_subj_label(match, role);
37078 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
37079 + const ino_t newinode, const dev_t newdevice)
37081 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
37082 + struct inodev_entry *match;
37084 + match = inodev_set.i_hash[index];
37086 + while (match && (match->nentry->inode != oldinode ||
37087 + match->nentry->device != olddevice || !match->nentry->deleted))
37088 + match = match->next;
37090 + if (match && (match->nentry->inode == oldinode)
37091 + && (match->nentry->device == olddevice) &&
37092 + match->nentry->deleted) {
37093 + if (match->prev == NULL) {
37094 + inodev_set.i_hash[index] = match->next;
37095 + if (match->next != NULL)
37096 + match->next->prev = NULL;
37098 + match->prev->next = match->next;
37099 + if (match->next != NULL)
37100 + match->next->prev = match->prev;
37102 + match->prev = NULL;
37103 + match->next = NULL;
37104 + match->nentry->inode = newinode;
37105 + match->nentry->device = newdevice;
37106 + match->nentry->deleted = 0;
37108 + insert_inodev_entry(match);
37115 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
37116 + const struct vfsmount *mnt)
37118 + struct acl_subject_label *subj;
37119 + struct acl_role_label *role;
37122 + FOR_EACH_ROLE_START(role)
37123 + update_acl_subj_label(matchn->inode, matchn->device,
37124 + dentry->d_inode->i_ino,
37125 + dentry->d_inode->i_sb->s_dev, role);
37127 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37128 + if ((subj->inode == dentry->d_inode->i_ino) &&
37129 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
37130 + subj->inode = dentry->d_inode->i_ino;
37131 + subj->device = dentry->d_inode->i_sb->s_dev;
37133 + FOR_EACH_NESTED_SUBJECT_END(subj)
37134 + FOR_EACH_SUBJECT_START(role, subj, x)
37135 + update_acl_obj_label(matchn->inode, matchn->device,
37136 + dentry->d_inode->i_ino,
37137 + dentry->d_inode->i_sb->s_dev, subj);
37138 + FOR_EACH_SUBJECT_END(subj,x)
37139 + FOR_EACH_ROLE_END(role)
37141 + update_inodev_entry(matchn->inode, matchn->device,
37142 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
37148 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
37150 + struct name_entry *matchn;
37152 + if (unlikely(!(gr_status & GR_READY)))
37155 + preempt_disable();
37156 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
37158 + if (unlikely((unsigned long)matchn)) {
37159 + write_lock(&gr_inode_lock);
37160 + do_handle_create(matchn, dentry, mnt);
37161 + write_unlock(&gr_inode_lock);
37163 + preempt_enable();
37169 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
37170 + struct dentry *old_dentry,
37171 + struct dentry *new_dentry,
37172 + struct vfsmount *mnt, const __u8 replace)
37174 + struct name_entry *matchn;
37175 + struct inodev_entry *inodev;
37177 + /* vfs_rename swaps the name and parent link for old_dentry and
37179 + at this point, old_dentry has the new name, parent link, and inode
37180 + for the renamed file
37181 + if a file is being replaced by a rename, new_dentry has the inode
37182 + and name for the replaced file
37185 + if (unlikely(!(gr_status & GR_READY)))
37188 + preempt_disable();
37189 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
37191 + /* we wouldn't have to check d_inode if it weren't for
37192 + NFS silly-renaming
37195 + write_lock(&gr_inode_lock);
37196 + if (unlikely(replace && new_dentry->d_inode)) {
37197 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
37198 + new_dentry->d_inode->i_sb->s_dev);
37199 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
37200 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
37201 + new_dentry->d_inode->i_sb->s_dev);
37204 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
37205 + old_dentry->d_inode->i_sb->s_dev);
37206 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
37207 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
37208 + old_dentry->d_inode->i_sb->s_dev);
37210 + if (unlikely((unsigned long)matchn))
37211 + do_handle_create(matchn, old_dentry, mnt);
37213 + write_unlock(&gr_inode_lock);
37214 + preempt_enable();
37220 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
37221 + unsigned char **sum)
37223 + struct acl_role_label *r;
37224 + struct role_allowed_ip *ipp;
37225 + struct role_transition *trans;
37229 + /* check transition table */
37231 + for (trans = current->role->transitions; trans; trans = trans->next) {
37232 + if (!strcmp(rolename, trans->rolename)) {
37241 + /* handle special roles that do not require authentication
37244 + FOR_EACH_ROLE_START(r)
37245 + if (!strcmp(rolename, r->rolename) &&
37246 + (r->roletype & GR_ROLE_SPECIAL)) {
37248 + if (r->allowed_ips != NULL) {
37249 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
37250 + if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
37251 + (ntohl(ipp->addr) & ipp->netmask))
37259 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
37260 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
37266 + FOR_EACH_ROLE_END(r)
37268 + for (i = 0; i < num_sprole_pws; i++) {
37269 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
37270 + *salt = acl_special_roles[i]->salt;
37271 + *sum = acl_special_roles[i]->sum;
37280 +assign_special_role(char *rolename)
37282 + struct acl_object_label *obj;
37283 + struct acl_role_label *r;
37284 + struct acl_role_label *assigned = NULL;
37285 + struct task_struct *tsk;
37286 + struct file *filp;
37288 + FOR_EACH_ROLE_START(r)
37289 + if (!strcmp(rolename, r->rolename) &&
37290 + (r->roletype & GR_ROLE_SPECIAL)) {
37294 + FOR_EACH_ROLE_END(r)
37299 + read_lock(&tasklist_lock);
37300 + read_lock(&grsec_exec_file_lock);
37302 + tsk = current->real_parent;
37306 + filp = tsk->exec_file;
37307 + if (filp == NULL)
37310 + tsk->is_writable = 0;
37312 + tsk->acl_sp_role = 1;
37313 + tsk->acl_role_id = ++acl_sp_role_value;
37314 + tsk->role = assigned;
37315 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
37317 + /* ignore additional mmap checks for processes that are writable
37318 + by the default ACL */
37319 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37320 + if (unlikely(obj->mode & GR_WRITE))
37321 + tsk->is_writable = 1;
37322 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
37323 + if (unlikely(obj->mode & GR_WRITE))
37324 + tsk->is_writable = 1;
37326 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37327 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
37331 + read_unlock(&grsec_exec_file_lock);
37332 + read_unlock(&tasklist_lock);
37336 +int gr_check_secure_terminal(struct task_struct *task)
37338 + struct task_struct *p, *p2, *p3;
37339 + struct files_struct *files;
37340 + struct fdtable *fdt;
37341 + struct file *our_file = NULL, *file;
37344 + if (task->signal->tty == NULL)
37347 + files = get_files_struct(task);
37348 + if (files != NULL) {
37350 + fdt = files_fdtable(files);
37351 + for (i=0; i < fdt->max_fds; i++) {
37352 + file = fcheck_files(files, i);
37353 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
37358 + rcu_read_unlock();
37359 + put_files_struct(files);
37362 + if (our_file == NULL)
37365 + read_lock(&tasklist_lock);
37366 + do_each_thread(p2, p) {
37367 + files = get_files_struct(p);
37368 + if (files == NULL ||
37369 + (p->signal && p->signal->tty == task->signal->tty)) {
37370 + if (files != NULL)
37371 + put_files_struct(files);
37375 + fdt = files_fdtable(files);
37376 + for (i=0; i < fdt->max_fds; i++) {
37377 + file = fcheck_files(files, i);
37378 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
37379 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
37381 + while (p3->pid > 0) {
37384 + p3 = p3->real_parent;
37388 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
37389 + gr_handle_alertkill(p);
37390 + rcu_read_unlock();
37391 + put_files_struct(files);
37392 + read_unlock(&tasklist_lock);
37397 + rcu_read_unlock();
37398 + put_files_struct(files);
37399 + } while_each_thread(p2, p);
37400 + read_unlock(&tasklist_lock);
37407 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
37409 + struct gr_arg_wrapper uwrap;
37410 + unsigned char *sprole_salt = NULL;
37411 + unsigned char *sprole_sum = NULL;
37412 + int error = sizeof (struct gr_arg_wrapper);
37415 + down(&gr_dev_sem);
37417 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
37422 + if (count != sizeof (struct gr_arg_wrapper)) {
37423 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
37429 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
37430 + gr_auth_expires = 0;
37431 + gr_auth_attempts = 0;
37434 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
37439 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
37444 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
37449 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37450 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37451 + time_after(gr_auth_expires, get_seconds())) {
37456 + /* if non-root trying to do anything other than use a special role,
37457 + do not attempt authentication, do not count towards authentication
37461 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
37462 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37468 + /* ensure pw and special role name are null terminated */
37470 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
37471 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
37474 + * We have our enough of the argument structure..(we have yet
37475 + * to copy_from_user the tables themselves) . Copy the tables
37476 + * only if we need them, i.e. for loading operations. */
37478 + switch (gr_usermode->mode) {
37480 + if (gr_status & GR_READY) {
37482 + if (!gr_check_secure_terminal(current))
37487 + case GR_SHUTDOWN:
37488 + if ((gr_status & GR_READY)
37489 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37490 + pax_open_kernel();
37491 + gr_status &= ~GR_READY;
37492 + pax_close_kernel();
37494 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
37495 + free_variables();
37496 + memset(gr_usermode, 0, sizeof (struct gr_arg));
37497 + memset(gr_system_salt, 0, GR_SALT_LEN);
37498 + memset(gr_system_sum, 0, GR_SHA_LEN);
37499 + } else if (gr_status & GR_READY) {
37500 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
37503 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
37508 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
37509 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
37511 + if (gr_status & GR_READY)
37515 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
37519 + if (!(gr_status & GR_READY)) {
37520 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
37522 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37525 + pax_open_kernel();
37526 + gr_status &= ~GR_READY;
37527 + pax_close_kernel();
37529 + free_variables();
37530 + if (!(error2 = gracl_init(gr_usermode))) {
37532 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
37536 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37539 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37544 + if (unlikely(!(gr_status & GR_READY))) {
37545 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
37550 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37551 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
37552 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
37553 + struct acl_subject_label *segvacl;
37555 + lookup_acl_subj_label(gr_usermode->segv_inode,
37556 + gr_usermode->segv_device,
37559 + segvacl->crashes = 0;
37560 + segvacl->expires = 0;
37562 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
37563 + gr_remove_uid(gr_usermode->segv_uid);
37566 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
37571 + case GR_SPROLEPAM:
37572 + if (unlikely(!(gr_status & GR_READY))) {
37573 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
37578 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
37579 + current->role->expires = 0;
37580 + current->role->auth_attempts = 0;
37583 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37584 + time_after(current->role->expires, get_seconds())) {
37589 + if (lookup_special_role_auth
37590 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
37591 + && ((!sprole_salt && !sprole_sum)
37592 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
37594 + assign_special_role(gr_usermode->sp_role);
37595 + read_lock(&tasklist_lock);
37596 + if (current->real_parent)
37597 + p = current->real_parent->role->rolename;
37598 + read_unlock(&tasklist_lock);
37599 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
37600 + p, acl_sp_role_value);
37602 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
37604 + if(!(current->role->auth_attempts++))
37605 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37610 + case GR_UNSPROLE:
37611 + if (unlikely(!(gr_status & GR_READY))) {
37612 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
37617 + if (current->role->roletype & GR_ROLE_SPECIAL) {
37621 + read_lock(&tasklist_lock);
37622 + if (current->real_parent) {
37623 + p = current->real_parent->role->rolename;
37624 + i = current->real_parent->acl_role_id;
37626 + read_unlock(&tasklist_lock);
37628 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
37636 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
37641 + if (error != -EPERM)
37644 + if(!(gr_auth_attempts++))
37645 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37653 +gr_set_acls(const int type)
37655 + struct acl_object_label *obj;
37656 + struct task_struct *task, *task2;
37657 + struct file *filp;
37658 + struct acl_role_label *role = current->role;
37659 + __u16 acl_role_id = current->acl_role_id;
37660 + const struct cred *cred;
37662 + struct name_entry *nmatch;
37663 + struct acl_subject_label *tmpsubj;
37666 + read_lock(&tasklist_lock);
37667 + read_lock(&grsec_exec_file_lock);
37668 + do_each_thread(task2, task) {
37669 + /* check to see if we're called from the exit handler,
37670 + if so, only replace ACLs that have inherited the admin
37673 + if (type && (task->role != role ||
37674 + task->acl_role_id != acl_role_id))
37677 + task->acl_role_id = 0;
37678 + task->acl_sp_role = 0;
37680 + if ((filp = task->exec_file)) {
37681 + cred = __task_cred(task);
37682 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
37684 + /* the following is to apply the correct subject
37685 + on binaries running when the RBAC system
37686 + is enabled, when the binaries have been
37687 + replaced or deleted since their execution
37689 + when the RBAC system starts, the inode/dev
37690 + from exec_file will be one the RBAC system
37691 + is unaware of. It only knows the inode/dev
37692 + of the present file on disk, or the absence
37695 + preempt_disable();
37696 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
37698 + nmatch = lookup_name_entry(tmpname);
37699 + preempt_enable();
37702 + if (nmatch->deleted)
37703 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
37705 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
37706 + if (tmpsubj != NULL)
37707 + task->acl = tmpsubj;
37709 + if (tmpsubj == NULL)
37710 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
37713 + struct acl_subject_label *curr;
37714 + curr = task->acl;
37716 + task->is_writable = 0;
37717 + /* ignore additional mmap checks for processes that are writable
37718 + by the default ACL */
37719 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37720 + if (unlikely(obj->mode & GR_WRITE))
37721 + task->is_writable = 1;
37722 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37723 + if (unlikely(obj->mode & GR_WRITE))
37724 + task->is_writable = 1;
37726 + gr_set_proc_res(task);
37728 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37729 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37732 + read_unlock(&grsec_exec_file_lock);
37733 + read_unlock(&tasklist_lock);
37734 + rcu_read_unlock();
37735 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
37739 + // it's a kernel process
37740 + task->role = kernel_role;
37741 + task->acl = kernel_role->root_label;
37742 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
37743 + task->acl->mode &= ~GR_PROCFIND;
37746 + } while_each_thread(task2, task);
37747 + read_unlock(&grsec_exec_file_lock);
37748 + read_unlock(&tasklist_lock);
37749 + rcu_read_unlock();
37755 +gr_learn_resource(const struct task_struct *task,
37756 + const int res, const unsigned long wanted, const int gt)
37758 + struct acl_subject_label *acl;
37759 + const struct cred *cred;
37761 + if (unlikely((gr_status & GR_READY) &&
37762 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
37763 + goto skip_reslog;
37765 +#ifdef CONFIG_GRKERNSEC_RESLOG
37766 + gr_log_resource(task, res, wanted, gt);
37770 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
37775 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
37776 + !(acl->resmask & (1 << (unsigned short) res))))
37779 + if (wanted >= acl->res[res].rlim_cur) {
37780 + unsigned long res_add;
37782 + res_add = wanted;
37785 + res_add += GR_RLIM_CPU_BUMP;
37787 + case RLIMIT_FSIZE:
37788 + res_add += GR_RLIM_FSIZE_BUMP;
37790 + case RLIMIT_DATA:
37791 + res_add += GR_RLIM_DATA_BUMP;
37793 + case RLIMIT_STACK:
37794 + res_add += GR_RLIM_STACK_BUMP;
37796 + case RLIMIT_CORE:
37797 + res_add += GR_RLIM_CORE_BUMP;
37800 + res_add += GR_RLIM_RSS_BUMP;
37802 + case RLIMIT_NPROC:
37803 + res_add += GR_RLIM_NPROC_BUMP;
37805 + case RLIMIT_NOFILE:
37806 + res_add += GR_RLIM_NOFILE_BUMP;
37808 + case RLIMIT_MEMLOCK:
37809 + res_add += GR_RLIM_MEMLOCK_BUMP;
37812 + res_add += GR_RLIM_AS_BUMP;
37814 + case RLIMIT_LOCKS:
37815 + res_add += GR_RLIM_LOCKS_BUMP;
37817 + case RLIMIT_SIGPENDING:
37818 + res_add += GR_RLIM_SIGPENDING_BUMP;
37820 + case RLIMIT_MSGQUEUE:
37821 + res_add += GR_RLIM_MSGQUEUE_BUMP;
37823 + case RLIMIT_NICE:
37824 + res_add += GR_RLIM_NICE_BUMP;
37826 + case RLIMIT_RTPRIO:
37827 + res_add += GR_RLIM_RTPRIO_BUMP;
37829 + case RLIMIT_RTTIME:
37830 + res_add += GR_RLIM_RTTIME_BUMP;
37834 + acl->res[res].rlim_cur = res_add;
37836 + if (wanted > acl->res[res].rlim_max)
37837 + acl->res[res].rlim_max = res_add;
37839 + /* only log the subject filename, since resource logging is supported for
37840 + single-subject learning only */
37842 + cred = __task_cred(task);
37843 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
37844 + task->role->roletype, cred->uid, cred->gid, acl->filename,
37845 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
37846 + "", (unsigned long) res, &task->signal->curr_ip);
37847 + rcu_read_unlock();
37853 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
37855 +pax_set_initial_flags(struct linux_binprm *bprm)
37857 + struct task_struct *task = current;
37858 + struct acl_subject_label *proc;
37859 + unsigned long flags;
37861 + if (unlikely(!(gr_status & GR_READY)))
37864 + flags = pax_get_flags(task);
37866 + proc = task->acl;
37868 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
37869 + flags &= ~MF_PAX_PAGEEXEC;
37870 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
37871 + flags &= ~MF_PAX_SEGMEXEC;
37872 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
37873 + flags &= ~MF_PAX_RANDMMAP;
37874 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
37875 + flags &= ~MF_PAX_EMUTRAMP;
37876 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
37877 + flags &= ~MF_PAX_MPROTECT;
37879 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
37880 + flags |= MF_PAX_PAGEEXEC;
37881 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
37882 + flags |= MF_PAX_SEGMEXEC;
37883 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
37884 + flags |= MF_PAX_RANDMMAP;
37885 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
37886 + flags |= MF_PAX_EMUTRAMP;
37887 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
37888 + flags |= MF_PAX_MPROTECT;
37890 + pax_set_flags(task, flags);
37896 +#ifdef CONFIG_SYSCTL
37897 +/* Eric Biederman likes breaking userland ABI and every inode-based security
37898 + system to save 35kb of memory */
37900 +/* we modify the passed in filename, but adjust it back before returning */
37901 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
37903 + struct name_entry *nmatch;
37904 + char *p, *lastp = NULL;
37905 + struct acl_object_label *obj = NULL, *tmp;
37906 + struct acl_subject_label *tmpsubj;
37909 + read_lock(&gr_inode_lock);
37911 + p = name + len - 1;
37913 + nmatch = lookup_name_entry(name);
37914 + if (lastp != NULL)
37917 + if (nmatch == NULL)
37918 + goto next_component;
37919 + tmpsubj = current->acl;
37921 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
37922 + if (obj != NULL) {
37923 + tmp = obj->globbed;
37925 + if (!glob_match(tmp->filename, name)) {
37933 + } while ((tmpsubj = tmpsubj->parent_subject));
37939 + while (*p != '/')
37951 + read_unlock(&gr_inode_lock);
37952 + /* obj returned will always be non-null */
37956 +/* returns 0 when allowing, non-zero on error
37957 + op of 0 is used for readdir, so we don't log the names of hidden files
37960 +gr_handle_sysctl(const struct ctl_table *table, const int op)
37962 + struct ctl_table *tmp;
37963 + const char *proc_sys = "/proc/sys";
37965 + struct acl_object_label *obj;
37966 + unsigned short len = 0, pos = 0, depth = 0, i;
37970 + if (unlikely(!(gr_status & GR_READY)))
37973 + /* for now, ignore operations on non-sysctl entries if it's not a
37975 + if (table->child != NULL && op != 0)
37979 + /* it's only a read if it's an entry, read on dirs is for readdir */
37980 + if (op & MAY_READ)
37982 + if (op & MAY_WRITE)
37983 + mode |= GR_WRITE;
37985 + preempt_disable();
37987 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
37989 + /* it's only a read/write if it's an actual entry, not a dir
37990 + (which are opened for readdir)
37993 + /* convert the requested sysctl entry into a pathname */
37995 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
37996 + len += strlen(tmp->procname);
38001 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
38006 + memset(path, 0, PAGE_SIZE);
38008 + memcpy(path, proc_sys, strlen(proc_sys));
38010 + pos += strlen(proc_sys);
38012 + for (; depth > 0; depth--) {
38015 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38016 + if (depth == i) {
38017 + memcpy(path + pos, tmp->procname,
38018 + strlen(tmp->procname));
38019 + pos += strlen(tmp->procname);
38025 + obj = gr_lookup_by_name(path, pos);
38026 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
38028 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
38029 + ((err & mode) != mode))) {
38030 + __u32 new_mode = mode;
38032 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38035 + gr_log_learn_sysctl(path, new_mode);
38036 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
38037 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
38039 + } else if (!(err & GR_FIND)) {
38041 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
38042 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
38043 + path, (mode & GR_READ) ? " reading" : "",
38044 + (mode & GR_WRITE) ? " writing" : "");
38046 + } else if ((err & mode) != mode) {
38048 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
38049 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
38050 + path, (mode & GR_READ) ? " reading" : "",
38051 + (mode & GR_WRITE) ? " writing" : "");
38057 + preempt_enable();
38064 +gr_handle_proc_ptrace(struct task_struct *task)
38066 + struct file *filp;
38067 + struct task_struct *tmp = task;
38068 + struct task_struct *curtemp = current;
38071 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38072 + if (unlikely(!(gr_status & GR_READY)))
38076 + read_lock(&tasklist_lock);
38077 + read_lock(&grsec_exec_file_lock);
38078 + filp = task->exec_file;
38080 + while (tmp->pid > 0) {
38081 + if (tmp == curtemp)
38083 + tmp = tmp->real_parent;
38086 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38087 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
38088 + read_unlock(&grsec_exec_file_lock);
38089 + read_unlock(&tasklist_lock);
38093 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38094 + if (!(gr_status & GR_READY)) {
38095 + read_unlock(&grsec_exec_file_lock);
38096 + read_unlock(&tasklist_lock);
38101 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
38102 + read_unlock(&grsec_exec_file_lock);
38103 + read_unlock(&tasklist_lock);
38105 + if (retmode & GR_NOPTRACE)
38108 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
38109 + && (current->acl != task->acl || (current->acl != current->role->root_label
38110 + && current->pid != task->pid)))
38117 +gr_handle_ptrace(struct task_struct *task, const long request)
38119 + struct task_struct *tmp = task;
38120 + struct task_struct *curtemp = current;
38123 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38124 + if (unlikely(!(gr_status & GR_READY)))
38128 + read_lock(&tasklist_lock);
38129 + while (tmp->pid > 0) {
38130 + if (tmp == curtemp)
38132 + tmp = tmp->real_parent;
38135 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38136 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
38137 + read_unlock(&tasklist_lock);
38138 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38141 + read_unlock(&tasklist_lock);
38143 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38144 + if (!(gr_status & GR_READY))
38148 + read_lock(&grsec_exec_file_lock);
38149 + if (unlikely(!task->exec_file)) {
38150 + read_unlock(&grsec_exec_file_lock);
38154 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
38155 + read_unlock(&grsec_exec_file_lock);
38157 + if (retmode & GR_NOPTRACE) {
38158 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38162 + if (retmode & GR_PTRACERD) {
38163 + switch (request) {
38164 + case PTRACE_POKETEXT:
38165 + case PTRACE_POKEDATA:
38166 + case PTRACE_POKEUSR:
38167 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
38168 + case PTRACE_SETREGS:
38169 + case PTRACE_SETFPREGS:
38172 + case PTRACE_SETFPXREGS:
38174 +#ifdef CONFIG_ALTIVEC
38175 + case PTRACE_SETVRREGS:
38181 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
38182 + !(current->role->roletype & GR_ROLE_GOD) &&
38183 + (current->acl != task->acl)) {
38184 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38191 +static int is_writable_mmap(const struct file *filp)
38193 + struct task_struct *task = current;
38194 + struct acl_object_label *obj, *obj2;
38196 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
38197 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
38198 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38199 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
38200 + task->role->root_label);
38201 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
38202 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
38210 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
38214 + if (unlikely(!file || !(prot & PROT_EXEC)))
38217 + if (is_writable_mmap(file))
38221 + gr_search_file(file->f_path.dentry,
38222 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38223 + file->f_path.mnt);
38225 + if (!gr_tpe_allow(file))
38228 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38229 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38231 + } else if (unlikely(!(mode & GR_EXEC))) {
38233 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38234 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38242 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38246 + if (unlikely(!file || !(prot & PROT_EXEC)))
38249 + if (is_writable_mmap(file))
38253 + gr_search_file(file->f_path.dentry,
38254 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38255 + file->f_path.mnt);
38257 + if (!gr_tpe_allow(file))
38260 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38261 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38263 + } else if (unlikely(!(mode & GR_EXEC))) {
38265 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38266 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38274 +gr_acl_handle_psacct(struct task_struct *task, const long code)
38276 + unsigned long runtime;
38277 + unsigned long cputime;
38278 + unsigned int wday, cday;
38282 + struct timespec timeval;
38284 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
38285 + !(task->acl->mode & GR_PROCACCT)))
38288 + do_posix_clock_monotonic_gettime(&timeval);
38289 + runtime = timeval.tv_sec - task->start_time.tv_sec;
38290 + wday = runtime / (3600 * 24);
38291 + runtime -= wday * (3600 * 24);
38292 + whr = runtime / 3600;
38293 + runtime -= whr * 3600;
38294 + wmin = runtime / 60;
38295 + runtime -= wmin * 60;
38298 + cputime = (task->utime + task->stime) / HZ;
38299 + cday = cputime / (3600 * 24);
38300 + cputime -= cday * (3600 * 24);
38301 + chr = cputime / 3600;
38302 + cputime -= chr * 3600;
38303 + cmin = cputime / 60;
38304 + cputime -= cmin * 60;
38307 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
38312 +void gr_set_kernel_label(struct task_struct *task)
38314 + if (gr_status & GR_READY) {
38315 + task->role = kernel_role;
38316 + task->acl = kernel_role->root_label;
38321 +#ifdef CONFIG_TASKSTATS
38322 +int gr_is_taskstats_denied(int pid)
38324 + struct task_struct *task;
38325 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38326 + const struct cred *cred;
38330 + /* restrict taskstats viewing to un-chrooted root users
38331 + who have the 'view' subject flag if the RBAC system is enabled
38335 + read_lock(&tasklist_lock);
38336 + task = find_task_by_vpid(pid);
38338 +#ifdef CONFIG_GRKERNSEC_CHROOT
38339 + if (proc_is_chrooted(task))
38342 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38343 + cred = __task_cred(task);
38344 +#ifdef CONFIG_GRKERNSEC_PROC_USER
38345 + if (cred->uid != 0)
38347 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38348 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
38352 + if (gr_status & GR_READY) {
38353 + if (!(task->acl->mode & GR_VIEW))
38359 + read_unlock(&tasklist_lock);
38360 + rcu_read_unlock();
38366 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
38368 + struct task_struct *task = current;
38369 + struct dentry *dentry = file->f_path.dentry;
38370 + struct vfsmount *mnt = file->f_path.mnt;
38371 + struct acl_object_label *obj, *tmp;
38372 + struct acl_subject_label *subj;
38373 + unsigned int bufsize;
38377 + if (unlikely(!(gr_status & GR_READY)))
38380 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38383 + /* ignore Eric Biederman */
38384 + if (IS_PRIVATE(dentry->d_inode))
38387 + subj = task->acl;
38389 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
38391 + return (obj->mode & GR_FIND) ? 1 : 0;
38392 + } while ((subj = subj->parent_subject));
38394 + /* this is purely an optimization since we're looking for an object
38395 + for the directory we're doing a readdir on
38396 + if it's possible for any globbed object to match the entry we're
38397 + filling into the directory, then the object we find here will be
38398 + an anchor point with attached globbed objects
38400 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
38401 + if (obj->globbed == NULL)
38402 + return (obj->mode & GR_FIND) ? 1 : 0;
38404 + is_not_root = ((obj->filename[0] == '/') &&
38405 + (obj->filename[1] == '\0')) ? 0 : 1;
38406 + bufsize = PAGE_SIZE - namelen - is_not_root;
38408 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
38409 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
38412 + preempt_disable();
38413 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
38416 + bufsize = strlen(path);
38418 + /* if base is "/", don't append an additional slash */
38420 + *(path + bufsize) = '/';
38421 + memcpy(path + bufsize + is_not_root, name, namelen);
38422 + *(path + bufsize + namelen + is_not_root) = '\0';
38424 + tmp = obj->globbed;
38426 + if (!glob_match(tmp->filename, path)) {
38427 + preempt_enable();
38428 + return (tmp->mode & GR_FIND) ? 1 : 0;
38432 + preempt_enable();
38433 + return (obj->mode & GR_FIND) ? 1 : 0;
38436 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
38437 +EXPORT_SYMBOL(gr_acl_is_enabled);
38439 +EXPORT_SYMBOL(gr_learn_resource);
38440 +EXPORT_SYMBOL(gr_set_kernel_label);
38441 +#ifdef CONFIG_SECURITY
38442 +EXPORT_SYMBOL(gr_check_user_change);
38443 +EXPORT_SYMBOL(gr_check_group_change);
38446 diff -urNp linux-2.6.35.7/grsecurity/gracl_cap.c linux-2.6.35.7/grsecurity/gracl_cap.c
38447 --- linux-2.6.35.7/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
38448 +++ linux-2.6.35.7/grsecurity/gracl_cap.c 2010-09-17 20:12:37.000000000 -0400
38450 +#include <linux/kernel.h>
38451 +#include <linux/module.h>
38452 +#include <linux/sched.h>
38453 +#include <linux/gracl.h>
38454 +#include <linux/grsecurity.h>
38455 +#include <linux/grinternal.h>
38457 +static const char *captab_log[] = {
38459 + "CAP_DAC_OVERRIDE",
38460 + "CAP_DAC_READ_SEARCH",
38467 + "CAP_LINUX_IMMUTABLE",
38468 + "CAP_NET_BIND_SERVICE",
38469 + "CAP_NET_BROADCAST",
38474 + "CAP_SYS_MODULE",
38476 + "CAP_SYS_CHROOT",
38477 + "CAP_SYS_PTRACE",
38482 + "CAP_SYS_RESOURCE",
38484 + "CAP_SYS_TTY_CONFIG",
38487 + "CAP_AUDIT_WRITE",
38488 + "CAP_AUDIT_CONTROL",
38490 + "CAP_MAC_OVERRIDE",
38494 +EXPORT_SYMBOL(gr_is_capable);
38495 +EXPORT_SYMBOL(gr_is_capable_nolog);
38498 +gr_is_capable(const int cap)
38500 + struct task_struct *task = current;
38501 + const struct cred *cred = current_cred();
38502 + struct acl_subject_label *curracl;
38503 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38504 + kernel_cap_t cap_audit = __cap_empty_set;
38506 + if (!gr_acl_is_enabled())
38509 + curracl = task->acl;
38511 + cap_drop = curracl->cap_lower;
38512 + cap_mask = curracl->cap_mask;
38513 + cap_audit = curracl->cap_invert_audit;
38515 + while ((curracl = curracl->parent_subject)) {
38516 + /* if the cap isn't specified in the current computed mask but is specified in the
38517 + current level subject, and is lowered in the current level subject, then add
38518 + it to the set of dropped capabilities
38519 + otherwise, add the current level subject's mask to the current computed mask
38521 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38522 + cap_raise(cap_mask, cap);
38523 + if (cap_raised(curracl->cap_lower, cap))
38524 + cap_raise(cap_drop, cap);
38525 + if (cap_raised(curracl->cap_invert_audit, cap))
38526 + cap_raise(cap_audit, cap);
38530 + if (!cap_raised(cap_drop, cap)) {
38531 + if (cap_raised(cap_audit, cap))
38532 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
38536 + curracl = task->acl;
38538 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
38539 + && cap_raised(cred->cap_effective, cap)) {
38540 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38541 + task->role->roletype, cred->uid,
38542 + cred->gid, task->exec_file ?
38543 + gr_to_filename(task->exec_file->f_path.dentry,
38544 + task->exec_file->f_path.mnt) : curracl->filename,
38545 + curracl->filename, 0UL,
38546 + 0UL, "", (unsigned long) cap, &task->signal->curr_ip);
38550 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
38551 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
38556 +gr_is_capable_nolog(const int cap)
38558 + struct acl_subject_label *curracl;
38559 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38561 + if (!gr_acl_is_enabled())
38564 + curracl = current->acl;
38566 + cap_drop = curracl->cap_lower;
38567 + cap_mask = curracl->cap_mask;
38569 + while ((curracl = curracl->parent_subject)) {
38570 + /* if the cap isn't specified in the current computed mask but is specified in the
38571 + current level subject, and is lowered in the current level subject, then add
38572 + it to the set of dropped capabilities
38573 + otherwise, add the current level subject's mask to the current computed mask
38575 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38576 + cap_raise(cap_mask, cap);
38577 + if (cap_raised(curracl->cap_lower, cap))
38578 + cap_raise(cap_drop, cap);
38582 + if (!cap_raised(cap_drop, cap))
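Review bot: In gr_is_capable the audit branch passes `captab_log[cap]` to gr_log_cap() without the range check that the denial branch at the end of the function applies (`(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`). If an audited capability is granted and its number lies beyond the table, the log call would read past the end of the array. Both log sites should share the guard, e.g. `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`. Some lines of this file are missing from the listing, so an earlier range check cannot be ruled out; if there is none, a single check at function entry would also cover the cap_raised()/cap_raise() calls, which index by cap as well. Separately, gr_is_capable_nolog repeats the parent-subject walk almost verbatim and could share a static helper with gr_is_capable.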
38588 diff -urNp linux-2.6.35.7/grsecurity/gracl_fs.c linux-2.6.35.7/grsecurity/gracl_fs.c
38589 --- linux-2.6.35.7/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
38590 +++ linux-2.6.35.7/grsecurity/gracl_fs.c 2010-09-17 20:12:37.000000000 -0400
38592 +#include <linux/kernel.h>
38593 +#include <linux/sched.h>
38594 +#include <linux/types.h>
38595 +#include <linux/fs.h>
38596 +#include <linux/file.h>
38597 +#include <linux/stat.h>
38598 +#include <linux/grsecurity.h>
38599 +#include <linux/grinternal.h>
38600 +#include <linux/gracl.h>
38603 +gr_acl_handle_hidden_file(const struct dentry * dentry,
38604 + const struct vfsmount * mnt)
38608 + if (unlikely(!dentry->d_inode))
38612 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
38614 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
38615 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38617 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
38618 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38620 + } else if (unlikely(!(mode & GR_FIND)))
38627 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38630 + __u32 reqmode = GR_FIND;
38633 + if (unlikely(!dentry->d_inode))
38636 + if (unlikely(fmode & O_APPEND))
38637 + reqmode |= GR_APPEND;
38638 + else if (unlikely(fmode & FMODE_WRITE))
38639 + reqmode |= GR_WRITE;
38640 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38641 + reqmode |= GR_READ;
38642 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
38643 + reqmode &= ~GR_READ;
38645 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38648 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38649 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38650 + reqmode & GR_READ ? " reading" : "",
38651 + reqmode & GR_WRITE ? " writing" : reqmode &
38652 + GR_APPEND ? " appending" : "");
38655 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38657 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38658 + reqmode & GR_READ ? " reading" : "",
38659 + reqmode & GR_WRITE ? " writing" : reqmode &
38660 + GR_APPEND ? " appending" : "");
38662 + } else if (unlikely((mode & reqmode) != reqmode))
38669 +gr_acl_handle_creat(const struct dentry * dentry,
38670 + const struct dentry * p_dentry,
38671 + const struct vfsmount * p_mnt, const int fmode,
38674 + __u32 reqmode = GR_WRITE | GR_CREATE;
38677 + if (unlikely(fmode & O_APPEND))
38678 + reqmode |= GR_APPEND;
38679 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38680 + reqmode |= GR_READ;
38681 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
38682 + reqmode |= GR_SETID;
38685 + gr_check_create(dentry, p_dentry, p_mnt,
38686 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38688 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38689 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38690 + reqmode & GR_READ ? " reading" : "",
38691 + reqmode & GR_WRITE ? " writing" : reqmode &
38692 + GR_APPEND ? " appending" : "");
38695 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38697 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38698 + reqmode & GR_READ ? " reading" : "",
38699 + reqmode & GR_WRITE ? " writing" : reqmode &
38700 + GR_APPEND ? " appending" : "");
38702 + } else if (unlikely((mode & reqmode) != reqmode))
38709 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
38712 + __u32 mode, reqmode = GR_FIND;
38714 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
38715 + reqmode |= GR_EXEC;
38716 + if (fmode & S_IWOTH)
38717 + reqmode |= GR_WRITE;
38718 + if (fmode & S_IROTH)
38719 + reqmode |= GR_READ;
38722 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38725 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38726 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38727 + reqmode & GR_READ ? " reading" : "",
38728 + reqmode & GR_WRITE ? " writing" : "",
38729 + reqmode & GR_EXEC ? " executing" : "");
38732 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38734 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38735 + reqmode & GR_READ ? " reading" : "",
38736 + reqmode & GR_WRITE ? " writing" : "",
38737 + reqmode & GR_EXEC ? " executing" : "");
38739 + } else if (unlikely((mode & reqmode) != reqmode))
38745 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
38749 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
38751 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38752 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
38754 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38755 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
38757 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
38760 + return (reqmode);
38764 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
38766 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
38770 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
38772 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
38776 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
38778 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
38782 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
38784 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
38788 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
38791 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
38794 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38795 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38796 + GR_FCHMOD_ACL_MSG);
38798 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
38803 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
38806 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38807 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38808 + GR_CHMOD_ACL_MSG);
38810 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
38815 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
38817 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
38821 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
38823 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
38827 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
38829 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
38830 + GR_UNIXCONNECT_ACL_MSG);
38833 +/* hardlinks require at minimum create permission,
38834 + any additional privilege required is based on the
38835 + privilege of the file being linked to
38838 +gr_acl_handle_link(const struct dentry * new_dentry,
38839 + const struct dentry * parent_dentry,
38840 + const struct vfsmount * parent_mnt,
38841 + const struct dentry * old_dentry,
38842 + const struct vfsmount * old_mnt, const char *to)
38845 + __u32 needmode = GR_CREATE | GR_LINK;
38846 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
38849 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
38852 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
38853 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38855 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38856 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38858 + } else if (unlikely((mode & needmode) != needmode))
38865 +gr_acl_handle_symlink(const struct dentry * new_dentry,
38866 + const struct dentry * parent_dentry,
38867 + const struct vfsmount * parent_mnt, const char *from)
38869 + __u32 needmode = GR_WRITE | GR_CREATE;
38873 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
38874 + GR_CREATE | GR_AUDIT_CREATE |
38875 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
38877 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
38878 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38880 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38881 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38883 + } else if (unlikely((mode & needmode) != needmode))
38886 + return (GR_WRITE | GR_CREATE);
38889 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
38893 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38895 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38896 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
38898 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38899 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
38901 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
38904 + return (reqmode);
38908 +gr_acl_handle_mknod(const struct dentry * new_dentry,
38909 + const struct dentry * parent_dentry,
38910 + const struct vfsmount * parent_mnt,
38913 + __u32 reqmode = GR_WRITE | GR_CREATE;
38914 + if (unlikely(mode & (S_ISUID | S_ISGID)))
38915 + reqmode |= GR_SETID;
38917 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38918 + reqmode, GR_MKNOD_ACL_MSG);
38922 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
38923 + const struct dentry *parent_dentry,
38924 + const struct vfsmount *parent_mnt)
38926 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38927 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
38930 +#define RENAME_CHECK_SUCCESS(old, new) \
38931 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
38932 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
38935 +gr_acl_handle_rename(struct dentry *new_dentry,
38936 + struct dentry *parent_dentry,
38937 + const struct vfsmount *parent_mnt,
38938 + struct dentry *old_dentry,
38939 + struct inode *old_parent_inode,
38940 + struct vfsmount *old_mnt, const char *newname)
38942 + __u32 comp1, comp2;
38945 + if (unlikely(!gr_acl_is_enabled()))
38948 + if (!new_dentry->d_inode) {
38949 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
38950 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
38951 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
38952 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
38953 + GR_DELETE | GR_AUDIT_DELETE |
38954 + GR_AUDIT_READ | GR_AUDIT_WRITE |
38955 + GR_SUPPRESS, old_mnt);
38957 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
38958 + GR_CREATE | GR_DELETE |
38959 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
38960 + GR_AUDIT_READ | GR_AUDIT_WRITE |
38961 + GR_SUPPRESS, parent_mnt);
38963 + gr_search_file(old_dentry,
38964 + GR_READ | GR_WRITE | GR_AUDIT_READ |
38965 + GR_DELETE | GR_AUDIT_DELETE |
38966 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
38969 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
38970 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
38971 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38972 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
38973 + && !(comp2 & GR_SUPPRESS)) {
38974 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38976 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
38983 +gr_acl_handle_exit(void)
38987 + struct file *exec_file;
38989 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
38990 + id = current->acl_role_id;
38991 + rolename = current->role->rolename;
38993 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
38996 + write_lock(&grsec_exec_file_lock);
38997 + exec_file = current->exec_file;
38998 + current->exec_file = NULL;
38999 + write_unlock(&grsec_exec_file_lock);
39006 +gr_acl_handle_procpidmem(const struct task_struct *task)
39008 + if (unlikely(!gr_acl_is_enabled()))
39011 + if (task != current && task->acl->mode & GR_PROTPROCFD)
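Review bot: In gr_acl_handle_symlink the audit branch tests only `mode & GR_WRITE && mode & GR_AUDITS`, while needmode is `GR_WRITE | GR_CREATE` and both denial branches compare against the full needmode. Because it is the first arm of the else-if chain, a result that grants GR_WRITE with an audit bit but lacks GR_CREATE never reaches the denial checks; the arm's return statement is not visible in this listing, but if it returns a non-zero mode the symlink would be permitted without create permission. The condition should match the other handlers in this file: `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS))) {`. Separately, gr_acl_handle_access dereferences `dentry->d_inode` without the NULL check that gr_acl_handle_open and gr_acl_handle_hidden_file perform, so it deserves either the same guard or a comment stating that callers always pass a positive dentry.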
39016 diff -urNp linux-2.6.35.7/grsecurity/gracl_ip.c linux-2.6.35.7/grsecurity/gracl_ip.c
39017 --- linux-2.6.35.7/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
39018 +++ linux-2.6.35.7/grsecurity/gracl_ip.c 2010-09-17 20:12:37.000000000 -0400
39020 +#include <linux/kernel.h>
39021 +#include <asm/uaccess.h>
39022 +#include <asm/errno.h>
39023 +#include <net/sock.h>
39024 +#include <linux/file.h>
39025 +#include <linux/fs.h>
39026 +#include <linux/net.h>
39027 +#include <linux/in.h>
39028 +#include <linux/skbuff.h>
39029 +#include <linux/ip.h>
39030 +#include <linux/udp.h>
39031 +#include <linux/smp_lock.h>
39032 +#include <linux/types.h>
39033 +#include <linux/sched.h>
39034 +#include <linux/netdevice.h>
39035 +#include <linux/inetdevice.h>
39036 +#include <linux/gracl.h>
39037 +#include <linux/grsecurity.h>
39038 +#include <linux/grinternal.h>
39040 +#define GR_BIND 0x01
39041 +#define GR_CONNECT 0x02
39042 +#define GR_INVERT 0x04
39043 +#define GR_BINDOVERRIDE 0x08
39044 +#define GR_CONNECTOVERRIDE 0x10
39046 +static const char * gr_protocols[256] = {
39047 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
39048 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
39049 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
39050 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
39051 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
39052 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
39053 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
39054 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
39055 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
39056 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
39057 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
39058 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
39059 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
39060 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
39061 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
39062 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
39063 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
39064 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
39065 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
39066 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
39067 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
39068 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
39069 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
39070 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
39071 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
39072 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
39073 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
39074 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
39075 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
39076 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
39077 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
39078 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
39081 +static const char * gr_socktypes[11] = {
39082 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
39083 + "unknown:7", "unknown:8", "unknown:9", "packet"
39087 +gr_proto_to_name(unsigned char proto)
39089 + return gr_protocols[proto];
39093 +gr_socktype_to_name(unsigned char type)
39095 + return gr_socktypes[type];
39099 +gr_search_socket(const int domain, const int type, const int protocol)
39101 + struct acl_subject_label *curr;
39102 + const struct cred *cred = current_cred();
39104 + if (unlikely(!gr_acl_is_enabled()))
39107 + if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
39108 + || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
39109 + goto exit; // let the kernel handle it
39111 + curr = current->acl;
39116 + if ((curr->ip_type & (1 << type)) &&
39117 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
39120 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39121 + /* we don't place acls on raw sockets , and sometimes
39122 + dgram/ip sockets are opened for ioctl and not
39123 + bind/connect, so we'll fake a bind learn log */
39124 + if (type == SOCK_RAW || type == SOCK_PACKET) {
39125 + __u32 fakeip = 0;
39126 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39127 + current->role->roletype, cred->uid,
39128 + cred->gid, current->exec_file ?
39129 + gr_to_filename(current->exec_file->f_path.dentry,
39130 + current->exec_file->f_path.mnt) :
39131 + curr->filename, curr->filename,
39132 + &fakeip, 0, type,
39133 + protocol, GR_CONNECT, ¤t->signal->curr_ip);
39134 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
39135 + __u32 fakeip = 0;
39136 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39137 + current->role->roletype, cred->uid,
39138 + cred->gid, current->exec_file ?
39139 + gr_to_filename(current->exec_file->f_path.dentry,
39140 + current->exec_file->f_path.mnt) :
39141 + curr->filename, curr->filename,
39142 + &fakeip, 0, type,
39143 + protocol, GR_BIND, ¤t->signal->curr_ip);
39145 + /* we'll log when they use connect or bind */
39149 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
39150 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
39157 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
39159 + if ((ip->mode & mode) &&
39160 + (ip_port >= ip->low) &&
39161 + (ip_port <= ip->high) &&
39162 + ((ntohl(ip_addr) & our_netmask) ==
39163 + (ntohl(our_addr) & our_netmask))
39164 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
39165 + && (ip->type & (1 << type))) {
39166 + if (ip->mode & GR_INVERT)
39167 + return 2; // specifically denied
39169 + return 1; // allowed
39172 + return 0; // not specifically allowed, may continue parsing
39176 +gr_search_connectbind(const int full_mode, struct sock *sk,
39177 + struct sockaddr_in *addr, const int type)
39179 + char iface[IFNAMSIZ] = {0};
39180 + struct acl_subject_label *curr;
39181 + struct acl_ip_label *ip;
39182 + struct inet_sock *isk;
39183 + struct net_device *dev;
39184 + struct in_device *idev;
39187 + int mode = full_mode & (GR_BIND | GR_CONNECT);
39188 + __u32 ip_addr = 0;
39190 + __u32 our_netmask;
39192 + __u16 ip_port = 0;
39193 + const struct cred *cred = current_cred();
39195 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
39198 + curr = current->acl;
39199 + isk = inet_sk(sk);
39201 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
39202 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
39203 + addr->sin_addr.s_addr = curr->inaddr_any_override;
39204 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
39205 + struct sockaddr_in saddr;
39208 + saddr.sin_family = AF_INET;
39209 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
39210 + saddr.sin_port = isk->inet_sport;
39212 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39216 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39224 + ip_addr = addr->sin_addr.s_addr;
39225 + ip_port = ntohs(addr->sin_port);
39227 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39228 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39229 + current->role->roletype, cred->uid,
39230 + cred->gid, current->exec_file ?
39231 + gr_to_filename(current->exec_file->f_path.dentry,
39232 + current->exec_file->f_path.mnt) :
39233 + curr->filename, curr->filename,
39234 + &ip_addr, ip_port, type,
39235 + sk->sk_protocol, mode, ¤t->signal->curr_ip);
39239 + for (i = 0; i < curr->ip_num; i++) {
39240 + ip = *(curr->ips + i);
39241 + if (ip->iface != NULL) {
39242 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
39243 + p = strchr(iface, ':');
39246 + dev = dev_get_by_name(sock_net(sk), iface);
39249 + idev = in_dev_get(dev);
39250 + if (idev == NULL) {
39256 + if (!strcmp(ip->iface, ifa->ifa_label)) {
39257 + our_addr = ifa->ifa_address;
39258 + our_netmask = 0xffffffff;
39259 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
39261 + rcu_read_unlock();
39262 + in_dev_put(idev);
39265 + } else if (ret == 2) {
39266 + rcu_read_unlock();
39267 + in_dev_put(idev);
39272 + } endfor_ifa(idev);
39273 + rcu_read_unlock();
39274 + in_dev_put(idev);
39277 + our_addr = ip->addr;
39278 + our_netmask = ip->netmask;
39279 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
39282 + else if (ret == 2)
39288 + if (mode == GR_BIND)
39289 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
39290 + else if (mode == GR_CONNECT)
39291 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
39297 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
39299 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
39303 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
39305 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
39308 +int gr_search_listen(struct socket *sock)
39310 + struct sock *sk = sock->sk;
39311 + struct sockaddr_in addr;
39313 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
39314 + addr.sin_port = inet_sk(sk)->inet_sport;
39316 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
39319 +int gr_search_accept(struct socket *sock)
39321 + struct sock *sk = sock->sk;
39322 + struct sockaddr_in addr;
39324 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
39325 + addr.sin_port = inet_sk(sk)->inet_sport;
39327 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
39331 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
39334 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
39336 + struct sockaddr_in sin;
39337 + const struct inet_sock *inet = inet_sk(sk);
39339 + sin.sin_addr.s_addr = inet->inet_daddr;
39340 + sin.sin_port = inet->inet_dport;
39342 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
39347 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
39349 + struct sockaddr_in sin;
39351 + if (unlikely(skb->len < sizeof (struct udphdr)))
39352 + return 0; // skip this packet
39354 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
39355 + sin.sin_port = udp_hdr(skb)->source;
39357 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
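Review bot: The mask tests `1 << (protocol % 32)` and `1 << type` in gr_search_socket() and check_ip_policy() shift a signed int, so a protocol number whose low five bits are all set (31, 63, ...) shifts into the sign bit, which is undefined behaviour in C. Writing them as `(1U << (protocol % 32))` and `(1U << type)` keeps the allow/deny decision well defined whatever the compiler does. Separately, gr_socktype_to_name() indexes the 11-entry gr_socktypes table with any unsigned char: gr_search_socket() checks type against SOCK_MAX first, but gr_search_connectbind() hands its type straight to the logger, so a range check inside the helper would keep the log path from reading past the table. The entry `"unkown:134"` also looks like a typo for `"unknown:134"`, which matters to anyone parsing these log lines.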
39359 diff -urNp linux-2.6.35.7/grsecurity/gracl_learn.c linux-2.6.35.7/grsecurity/gracl_learn.c
39360 --- linux-2.6.35.7/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
39361 +++ linux-2.6.35.7/grsecurity/gracl_learn.c 2010-09-17 20:12:37.000000000 -0400
39363 +#include <linux/kernel.h>
39364 +#include <linux/mm.h>
39365 +#include <linux/sched.h>
39366 +#include <linux/poll.h>
39367 +#include <linux/smp_lock.h>
39368 +#include <linux/string.h>
39369 +#include <linux/file.h>
39370 +#include <linux/types.h>
39371 +#include <linux/vmalloc.h>
39372 +#include <linux/grinternal.h>
39374 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
39375 + size_t count, loff_t *ppos);
39376 +extern int gr_acl_is_enabled(void);
39378 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
39379 +static int gr_learn_attached;
39381 +/* use a 512k buffer */
39382 +#define LEARN_BUFFER_SIZE (512 * 1024)
39384 +static DEFINE_SPINLOCK(gr_learn_lock);
39385 +static DECLARE_MUTEX(gr_learn_user_sem);
39387 +/* we need to maintain two buffers, so that the kernel context of grlearn
39388 + uses a semaphore around the userspace copying, and the other kernel contexts
39389 + use a spinlock when copying into the buffer, since they cannot sleep
39391 +static char *learn_buffer;
39392 +static char *learn_buffer_user;
39393 +static int learn_buffer_len;
39394 +static int learn_buffer_user_len;
39397 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
39399 + DECLARE_WAITQUEUE(wait, current);
39400 + ssize_t retval = 0;
39402 + add_wait_queue(&learn_wait, &wait);
39403 + set_current_state(TASK_INTERRUPTIBLE);
39405 + down(&gr_learn_user_sem);
39406 + spin_lock(&gr_learn_lock);
39407 + if (learn_buffer_len)
39409 + spin_unlock(&gr_learn_lock);
39410 + up(&gr_learn_user_sem);
39411 + if (file->f_flags & O_NONBLOCK) {
39412 + retval = -EAGAIN;
39415 + if (signal_pending(current)) {
39416 + retval = -ERESTARTSYS;
39423 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
39424 + learn_buffer_user_len = learn_buffer_len;
39425 + retval = learn_buffer_len;
39426 + learn_buffer_len = 0;
39428 + spin_unlock(&gr_learn_lock);
39430 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
39431 + retval = -EFAULT;
39433 + up(&gr_learn_user_sem);
39435 + set_current_state(TASK_RUNNING);
39436 + remove_wait_queue(&learn_wait, &wait);
39440 +static unsigned int
39441 +poll_learn(struct file * file, poll_table * wait)
39443 + poll_wait(file, &learn_wait, wait);
39445 + if (learn_buffer_len)
39446 + return (POLLIN | POLLRDNORM);
39452 +gr_clear_learn_entries(void)
39456 + down(&gr_learn_user_sem);
39457 + if (learn_buffer != NULL) {
39458 + spin_lock(&gr_learn_lock);
39459 + tmp = learn_buffer;
39460 + learn_buffer = NULL;
39461 + spin_unlock(&gr_learn_lock);
39462 + vfree(learn_buffer);
39464 + if (learn_buffer_user != NULL) {
39465 + vfree(learn_buffer_user);
39466 + learn_buffer_user = NULL;
39468 + learn_buffer_len = 0;
39469 + up(&gr_learn_user_sem);
39475 +gr_add_learn_entry(const char *fmt, ...)
39478 + unsigned int len;
39480 + if (!gr_learn_attached)
39483 + spin_lock(&gr_learn_lock);
39485 + /* leave a gap at the end so we know when it's "full" but don't have to
39486 + compute the exact length of the string we're trying to append
39488 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
39489 + spin_unlock(&gr_learn_lock);
39490 + wake_up_interruptible(&learn_wait);
39493 + if (learn_buffer == NULL) {
39494 + spin_unlock(&gr_learn_lock);
39498 + va_start(args, fmt);
39499 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
39502 + learn_buffer_len += len + 1;
39504 + spin_unlock(&gr_learn_lock);
39505 + wake_up_interruptible(&learn_wait);
39511 +open_learn(struct inode *inode, struct file *file)
39513 + if (file->f_mode & FMODE_READ && gr_learn_attached)
39515 + if (file->f_mode & FMODE_READ) {
39517 + down(&gr_learn_user_sem);
39518 + if (learn_buffer == NULL)
39519 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
39520 + if (learn_buffer_user == NULL)
39521 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
39522 + if (learn_buffer == NULL) {
39523 + retval = -ENOMEM;
39526 + if (learn_buffer_user == NULL) {
39527 + retval = -ENOMEM;
39530 + learn_buffer_len = 0;
39531 + learn_buffer_user_len = 0;
39532 + gr_learn_attached = 1;
39534 + up(&gr_learn_user_sem);
39541 +close_learn(struct inode *inode, struct file *file)
39545 + if (file->f_mode & FMODE_READ) {
39546 + down(&gr_learn_user_sem);
39547 + if (learn_buffer != NULL) {
39548 + spin_lock(&gr_learn_lock);
39549 + tmp = learn_buffer;
39550 + learn_buffer = NULL;
39551 + spin_unlock(&gr_learn_lock);
39554 + if (learn_buffer_user != NULL) {
39555 + vfree(learn_buffer_user);
39556 + learn_buffer_user = NULL;
39558 + learn_buffer_len = 0;
39559 + learn_buffer_user_len = 0;
39560 + gr_learn_attached = 0;
39561 + up(&gr_learn_user_sem);
39567 +const struct file_operations grsec_fops = {
39568 + .read = read_learn,
39569 + .write = write_grsec_handler,
39570 + .open = open_learn,
39571 + .release = close_learn,
39572 + .poll = poll_learn,
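Review bot: gr_clear_learn_entries() saves the buffer in `tmp`, sets `learn_buffer = NULL`, and then calls `vfree(learn_buffer);`, which frees NULL and leaks the LEARN_BUFFER_SIZE allocation every time it runs; the call should be `vfree(tmp);`. close_learn() uses the same tmp/NULL pattern but its free call is not visible in this listing, so it should be checked for the same slip. In gr_add_learn_entry(), `learn_buffer_len += len + 1;` trusts the vsnprintf() return value, which is the untruncated length, so the 16384-byte gap is the only thing keeping the offset inside the buffer; clamping `len` to the space that was actually available would make that bound explicit.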
39574 diff -urNp linux-2.6.35.7/grsecurity/gracl_res.c linux-2.6.35.7/grsecurity/gracl_res.c
39575 --- linux-2.6.35.7/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
39576 +++ linux-2.6.35.7/grsecurity/gracl_res.c 2010-09-17 20:12:37.000000000 -0400
39578 +#include <linux/kernel.h>
39579 +#include <linux/sched.h>
39580 +#include <linux/gracl.h>
39581 +#include <linux/grinternal.h>
39583 +static const char *restab_log[] = {
39584 + [RLIMIT_CPU] = "RLIMIT_CPU",
39585 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
39586 + [RLIMIT_DATA] = "RLIMIT_DATA",
39587 + [RLIMIT_STACK] = "RLIMIT_STACK",
39588 + [RLIMIT_CORE] = "RLIMIT_CORE",
39589 + [RLIMIT_RSS] = "RLIMIT_RSS",
39590 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
39591 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
39592 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
39593 + [RLIMIT_AS] = "RLIMIT_AS",
39594 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
39595 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
39596 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
39597 + [RLIMIT_NICE] = "RLIMIT_NICE",
39598 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
39599 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
39600 + [GR_CRASH_RES] = "RLIMIT_CRASH"
39604 +gr_log_resource(const struct task_struct *task,
39605 + const int res, const unsigned long wanted, const int gt)
39607 + const struct cred *cred;
39608 + unsigned long rlim;
39610 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
39613 + // not yet supported resource
39614 + if (unlikely(!restab_log[res]))
39617 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
39618 + rlim = task_rlimit_max(task, res);
39620 + rlim = task_rlimit(task, res);
39622 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
39626 + cred = __task_cred(task);
39628 + if (res == RLIMIT_NPROC &&
39629 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
39630 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
39631 + goto out_rcu_unlock;
39632 + else if (res == RLIMIT_MEMLOCK &&
39633 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
39634 + goto out_rcu_unlock;
39635 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
39636 + goto out_rcu_unlock;
39637 + rcu_read_unlock();
39639 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
39643 + rcu_read_unlock();
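Review bot: gr_log_resource() reads `restab_log[res]` with no visible range check on `res`, so an index outside the table would be an out-of-bounds read whose result is later passed to the logger as a string pointer. Unless every caller is guaranteed to pass a valid RLIMIT_* or GR_CRASH_RES value, guard the lookup with `if (res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res])`. Some lines of the function are not shown in this listing, so confirm there is no earlier check before adding one.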
39646 diff -urNp linux-2.6.35.7/grsecurity/gracl_segv.c linux-2.6.35.7/grsecurity/gracl_segv.c
39647 --- linux-2.6.35.7/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
39648 +++ linux-2.6.35.7/grsecurity/gracl_segv.c 2010-09-17 20:12:37.000000000 -0400
39650 +#include <linux/kernel.h>
39651 +#include <linux/mm.h>
39652 +#include <asm/uaccess.h>
39653 +#include <asm/errno.h>
39654 +#include <asm/mman.h>
39655 +#include <net/sock.h>
39656 +#include <linux/file.h>
39657 +#include <linux/fs.h>
39658 +#include <linux/net.h>
39659 +#include <linux/in.h>
39660 +#include <linux/smp_lock.h>
39661 +#include <linux/slab.h>
39662 +#include <linux/types.h>
39663 +#include <linux/sched.h>
39664 +#include <linux/timer.h>
39665 +#include <linux/gracl.h>
39666 +#include <linux/grsecurity.h>
39667 +#include <linux/grinternal.h>
39669 +static struct crash_uid *uid_set;
39670 +static unsigned short uid_used;
39671 +static DEFINE_SPINLOCK(gr_uid_lock);
39672 +extern rwlock_t gr_inode_lock;
39673 +extern struct acl_subject_label *
39674 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
39675 + struct acl_role_label *role);
39676 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
39679 +gr_init_uidset(void)
39682 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
39685 + return uid_set ? 1 : 0;
39689 +gr_free_uidset(void)
39698 +gr_find_uid(const uid_t uid)
39700 + struct crash_uid *tmp = uid_set;
39702 + int low = 0, high = uid_used - 1, mid;
39704 + while (high >= low) {
39705 + mid = (low + high) >> 1;
39706 + buid = tmp[mid].uid;
39718 +static __inline__ void
39719 +gr_insertsort(void)
39721 + unsigned short i, j;
39722 + struct crash_uid index;
39724 + for (i = 1; i < uid_used; i++) {
39725 + index = uid_set[i];
39727 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
39728 + uid_set[j] = uid_set[j - 1];
39731 + uid_set[j] = index;
39737 +static __inline__ void
39738 +gr_insert_uid(const uid_t uid, const unsigned long expires)
39742 + if (uid_used == GR_UIDTABLE_MAX)
39745 + loc = gr_find_uid(uid);
39748 + uid_set[loc].expires = expires;
39752 + uid_set[uid_used].uid = uid;
39753 + uid_set[uid_used].expires = expires;
39762 +gr_remove_uid(const unsigned short loc)
39764 + unsigned short i;
39766 + for (i = loc + 1; i < uid_used; i++)
39767 + uid_set[i - 1] = uid_set[i];
39775 +gr_check_crash_uid(const uid_t uid)
39780 + if (unlikely(!gr_acl_is_enabled()))
39783 + spin_lock(&gr_uid_lock);
39784 + loc = gr_find_uid(uid);
39789 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
39790 + gr_remove_uid(loc);
39795 + spin_unlock(&gr_uid_lock);
39799 +static __inline__ int
39800 +proc_is_setxid(const struct cred *cred)
39802 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
39803 + cred->uid != cred->fsuid)
39805 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
39806 + cred->gid != cred->fsgid)
39811 +static __inline__ int
39812 +gr_fake_force_sig(int sig, struct task_struct *t)
39814 + unsigned long int flags;
39815 + int ret, blocked, ignored;
39816 + struct k_sigaction *action;
39818 + spin_lock_irqsave(&t->sighand->siglock, flags);
39819 + action = &t->sighand->action[sig-1];
39820 + ignored = action->sa.sa_handler == SIG_IGN;
39821 + blocked = sigismember(&t->blocked, sig);
39822 + if (blocked || ignored) {
39823 + action->sa.sa_handler = SIG_DFL;
39825 + sigdelset(&t->blocked, sig);
39826 + recalc_sigpending_and_wake(t);
39829 + if (action->sa.sa_handler == SIG_DFL)
39830 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
39831 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
39833 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
39839 +gr_handle_crash(struct task_struct *task, const int sig)
39841 + struct acl_subject_label *curr;
39842 + struct acl_subject_label *curr2;
39843 + struct task_struct *tsk, *tsk2;
39844 + const struct cred *cred;
39845 + const struct cred *cred2;
39847 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
39850 + if (unlikely(!gr_acl_is_enabled()))
39853 + curr = task->acl;
39855 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
39858 + if (time_before_eq(curr->expires, get_seconds())) {
39859 + curr->expires = 0;
39860 + curr->crashes = 0;
39865 + if (!curr->expires)
39866 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
39868 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39869 + time_after(curr->expires, get_seconds())) {
39871 + cred = __task_cred(task);
39872 + if (cred->uid && proc_is_setxid(cred)) {
39873 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39874 + spin_lock(&gr_uid_lock);
39875 + gr_insert_uid(cred->uid, curr->expires);
39876 + spin_unlock(&gr_uid_lock);
39877 + curr->expires = 0;
39878 + curr->crashes = 0;
39879 + read_lock(&tasklist_lock);
39880 + do_each_thread(tsk2, tsk) {
39881 + cred2 = __task_cred(tsk);
39882 + if (tsk != task && cred2->uid == cred->uid)
39883 + gr_fake_force_sig(SIGKILL, tsk);
39884 + } while_each_thread(tsk2, tsk);
39885 + read_unlock(&tasklist_lock);
39887 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39888 + read_lock(&tasklist_lock);
39889 + do_each_thread(tsk2, tsk) {
39890 + if (likely(tsk != task)) {
39891 + curr2 = tsk->acl;
39893 + if (curr2->device == curr->device &&
39894 + curr2->inode == curr->inode)
39895 + gr_fake_force_sig(SIGKILL, tsk);
39897 + } while_each_thread(tsk2, tsk);
39898 + read_unlock(&tasklist_lock);
39900 + rcu_read_unlock();
39907 +gr_check_crash_exec(const struct file *filp)
39909 + struct acl_subject_label *curr;
39911 + if (unlikely(!gr_acl_is_enabled()))
39914 + read_lock(&gr_inode_lock);
39915 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
39916 + filp->f_path.dentry->d_inode->i_sb->s_dev,
39918 + read_unlock(&gr_inode_lock);
39920 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
39921 + (!curr->crashes && !curr->expires))
39924 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39925 + time_after(curr->expires, get_seconds()))
39927 + else if (time_before_eq(curr->expires, get_seconds())) {
39928 + curr->crashes = 0;
39929 + curr->expires = 0;
39936 +gr_handle_alertkill(struct task_struct *task)
39938 + struct acl_subject_label *curracl;
39940 + struct task_struct *p, *p2;
39942 + if (unlikely(!gr_acl_is_enabled()))
39945 + curracl = task->acl;
39946 + curr_ip = task->signal->curr_ip;
39948 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
39949 + read_lock(&tasklist_lock);
39950 + do_each_thread(p2, p) {
39951 + if (p->signal->curr_ip == curr_ip)
39952 + gr_fake_force_sig(SIGKILL, p);
39953 + } while_each_thread(p2, p);
39954 + read_unlock(&tasklist_lock);
39955 + } else if (curracl->mode & GR_KILLPROC)
39956 + gr_fake_force_sig(SIGKILL, task);
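Review bot: gr_check_crash_exec() releases gr_inode_lock right after lookup_acl_subj_label() and then goes on reading `curr->crashes` and `curr->expires` and resetting both to 0, while gr_handle_crash() updates the same fields through `task->acl` with no lock visible in the hunk. These counters are what rate-limit repeated crashes, so unsynchronised updates can undercount. If a policy reload can free subject labels, the accesses after `read_unlock(&gr_inode_lock)` would also be a lifetime problem; the hunk does not show which applies. Either extend the locked region to the last use of `curr`, or add a comment at the unlock such as `/* curr outlives gr_inode_lock because <reason>; crashes/expires serialised by <lock> */` with the real reason and lock filled in. Parts of both functions are not shown in this listing.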
39960 diff -urNp linux-2.6.35.7/grsecurity/gracl_shm.c linux-2.6.35.7/grsecurity/gracl_shm.c
39961 --- linux-2.6.35.7/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
39962 +++ linux-2.6.35.7/grsecurity/gracl_shm.c 2010-09-17 20:12:37.000000000 -0400
39964 +#include <linux/kernel.h>
39965 +#include <linux/mm.h>
39966 +#include <linux/sched.h>
39967 +#include <linux/file.h>
39968 +#include <linux/ipc.h>
39969 +#include <linux/gracl.h>
39970 +#include <linux/grsecurity.h>
39971 +#include <linux/grinternal.h>
39974 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39975 + const time_t shm_createtime, const uid_t cuid, const int shmid)
39977 + struct task_struct *task;
39979 + if (!gr_acl_is_enabled())
39983 + read_lock(&tasklist_lock);
39985 + task = find_task_by_vpid(shm_cprid);
39987 + if (unlikely(!task))
39988 + task = find_task_by_vpid(shm_lapid);
39990 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
39991 + (task->pid == shm_lapid)) &&
39992 + (task->acl->mode & GR_PROTSHM) &&
39993 + (task->acl != current->acl))) {
39994 + read_unlock(&tasklist_lock);
39995 + rcu_read_unlock();
39996 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
39999 + read_unlock(&tasklist_lock);
40000 + rcu_read_unlock();
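Review bot: The creator check in gr_handle_shmat() compares `task->start_time.tv_sec` with `shm_createtime` through time_before_eq(), which only means something if both values come from the same clock. As far as I know, task start_time in this kernel series is taken from the monotonic clock, so if shm_createtime is recorded as wall-clock seconds the test would hold for almost any task and would no longer distinguish a recycled PID from the real creator. The code that sets shm_createtime is outside this hunk, so this needs confirming. A comment at the comparison such as `/* both timestamps must be on the same clock base */`, together with a matching time source where shm_createtime is set, would pin this down. gr_chroot_shmat() in grsec_chroot.c makes the same comparison.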
40004 diff -urNp linux-2.6.35.7/grsecurity/grsec_chdir.c linux-2.6.35.7/grsecurity/grsec_chdir.c
40005 --- linux-2.6.35.7/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
40006 +++ linux-2.6.35.7/grsecurity/grsec_chdir.c 2010-09-17 20:12:37.000000000 -0400
40008 +#include <linux/kernel.h>
40009 +#include <linux/sched.h>
40010 +#include <linux/fs.h>
40011 +#include <linux/file.h>
40012 +#include <linux/grsecurity.h>
40013 +#include <linux/grinternal.h>
40016 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
40018 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40019 + if ((grsec_enable_chdir && grsec_enable_group &&
40020 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
40021 + !grsec_enable_group)) {
40022 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
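Review bot: The audit condition in gr_log_chdir() tests `grsec_enable_chdir` twice across two parenthesised arms, which makes the group filter harder to read than it needs to be. It is equivalent to `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, which states the rule directly: audit when chdir logging is on and either no group filter is set or the caller is in the audit group. The function's closing lines are not shown in this listing.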
40027 diff -urNp linux-2.6.35.7/grsecurity/grsec_chroot.c linux-2.6.35.7/grsecurity/grsec_chroot.c
40028 --- linux-2.6.35.7/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
40029 +++ linux-2.6.35.7/grsecurity/grsec_chroot.c 2010-09-17 20:12:37.000000000 -0400
40031 +#include <linux/kernel.h>
40032 +#include <linux/module.h>
40033 +#include <linux/sched.h>
40034 +#include <linux/file.h>
40035 +#include <linux/fs.h>
40036 +#include <linux/mount.h>
40037 +#include <linux/types.h>
40038 +#include <linux/pid_namespace.h>
40039 +#include <linux/grsecurity.h>
40040 +#include <linux/grinternal.h>
40042 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
40044 +#ifdef CONFIG_GRKERNSEC
40045 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
40046 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
40047 + task->gr_is_chrooted = 1;
40049 + task->gr_is_chrooted = 0;
40051 + task->gr_chroot_dentry = path->dentry;
40056 +void gr_clear_chroot_entries(struct task_struct *task)
40058 +#ifdef CONFIG_GRKERNSEC
40059 + task->gr_is_chrooted = 0;
40060 + task->gr_chroot_dentry = NULL;
40066 +gr_handle_chroot_unix(const pid_t pid)
40068 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40069 + struct pid *spid = NULL;
40071 + if (unlikely(!grsec_enable_chroot_unix))
40074 + if (likely(!proc_is_chrooted(current)))
40078 + read_lock(&tasklist_lock);
40080 + spid = find_vpid(pid);
40082 + struct task_struct *p;
40083 + p = pid_task(spid, PIDTYPE_PID);
40084 + if (unlikely(!have_same_root(current, p))) {
40085 + read_unlock(&tasklist_lock);
40086 + rcu_read_unlock();
40087 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
40091 + read_unlock(&tasklist_lock);
40092 + rcu_read_unlock();
40098 +gr_handle_chroot_nice(void)
40100 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40101 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
40102 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
40110 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
40112 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40113 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
40114 + && proc_is_chrooted(current)) {
40115 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
40123 +gr_handle_chroot_rawio(const struct inode *inode)
40125 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40126 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
40127 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
40134 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
40136 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40137 + struct task_struct *p;
40139 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
40142 + read_lock(&tasklist_lock);
40143 + do_each_pid_task(pid, type, p) {
40144 + if (!have_same_root(current, p)) {
40148 + } while_each_pid_task(pid, type, p);
40150 + read_unlock(&tasklist_lock);
40157 +gr_pid_is_chrooted(struct task_struct *p)
40159 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40160 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
40163 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
40164 + !have_same_root(current, p)) {
40171 +EXPORT_SYMBOL(gr_pid_is_chrooted);
40173 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
40174 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
40176 + struct dentry *dentry = (struct dentry *)u_dentry;
40177 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
40178 + struct dentry *realroot;
40179 + struct vfsmount *realrootmnt;
40180 + struct dentry *currentroot;
40181 + struct vfsmount *currentmnt;
40182 + struct task_struct *reaper = &init_task;
40185 + read_lock(&reaper->fs->lock);
40186 + realrootmnt = mntget(reaper->fs->root.mnt);
40187 + realroot = dget(reaper->fs->root.dentry);
40188 + read_unlock(&reaper->fs->lock);
40190 + read_lock(¤t->fs->lock);
40191 + currentmnt = mntget(current->fs->root.mnt);
40192 + currentroot = dget(current->fs->root.dentry);
40193 + read_unlock(¤t->fs->lock);
40195 + spin_lock(&dcache_lock);
40197 + if (unlikely((dentry == realroot && mnt == realrootmnt)
40198 + || (dentry == currentroot && mnt == currentmnt)))
40200 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
40201 + if (mnt->mnt_parent == mnt)
40203 + dentry = mnt->mnt_mountpoint;
40204 + mnt = mnt->mnt_parent;
40207 + dentry = dentry->d_parent;
40209 + spin_unlock(&dcache_lock);
40211 + dput(currentroot);
40212 + mntput(currentmnt);
40214 + /* access is outside of chroot */
40215 + if (dentry == realroot && mnt == realrootmnt)
40219 + mntput(realrootmnt);
40225 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
40227 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40228 + if (!grsec_enable_chroot_fchdir)
40231 + if (!proc_is_chrooted(current))
40233 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
40234 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
40242 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40243 + const time_t shm_createtime)
40245 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40246 + struct pid *pid = NULL;
40247 + time_t starttime;
40249 + if (unlikely(!grsec_enable_chroot_shmat))
40252 + if (likely(!proc_is_chrooted(current)))
40256 + read_lock(&tasklist_lock);
40258 + pid = find_vpid(shm_cprid);
40260 + struct task_struct *p;
40261 + p = pid_task(pid, PIDTYPE_PID);
40262 + starttime = p->start_time.tv_sec;
40263 + if (unlikely(!have_same_root(current, p) &&
40264 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
40265 + read_unlock(&tasklist_lock);
40266 + rcu_read_unlock();
40267 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
40271 + pid = find_vpid(shm_lapid);
40273 + struct task_struct *p;
40274 + p = pid_task(pid, PIDTYPE_PID);
40275 + if (unlikely(!have_same_root(current, p))) {
40276 + read_unlock(&tasklist_lock);
40277 + rcu_read_unlock();
40278 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
40284 + read_unlock(&tasklist_lock);
40285 + rcu_read_unlock();
40291 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
40293 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
40294 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
40295 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
40301 +gr_handle_chroot_mknod(const struct dentry *dentry,
40302 + const struct vfsmount *mnt, const int mode)
40304 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
40305 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
40306 + proc_is_chrooted(current)) {
40307 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
40315 +gr_handle_chroot_mount(const struct dentry *dentry,
40316 + const struct vfsmount *mnt, const char *dev_name)
40318 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
40319 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
40320 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
40328 +gr_handle_chroot_pivot(void)
40330 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
40331 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
40332 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
40340 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
40342 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
40343 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
40344 + !gr_is_outside_chroot(dentry, mnt)) {
40345 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
40353 +gr_handle_chroot_caps(struct path *path)
40355 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40356 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
40357 + (init_task.fs->root.dentry != path->dentry) &&
40358 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
40360 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
40361 + const struct cred *old = current_cred();
40362 + struct cred *new = prepare_creds();
40366 + new->cap_permitted = cap_drop(old->cap_permitted,
40368 + new->cap_inheritable = cap_drop(old->cap_inheritable,
40370 + new->cap_effective = cap_drop(old->cap_effective,
40373 + commit_creds(new);
40382 +gr_handle_chroot_sysctl(const int op)
40384 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
40385 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
40386 + proc_is_chrooted(current))
40393 +gr_handle_chroot_chdir(struct path *path)
40395 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
40396 + if (grsec_enable_chroot_chdir)
40397 + set_fs_pwd(current->fs, path);
40403 +gr_handle_chroot_chmod(const struct dentry *dentry,
40404 + const struct vfsmount *mnt, const int mode)
40406 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40407 + if (grsec_enable_chroot_chmod &&
40408 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
40409 + proc_is_chrooted(current)) {
40410 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
40417 +#ifdef CONFIG_SECURITY
40418 +EXPORT_SYMBOL(gr_handle_chroot_caps);
40420 diff -urNp linux-2.6.35.7/grsecurity/grsec_disabled.c linux-2.6.35.7/grsecurity/grsec_disabled.c
40421 --- linux-2.6.35.7/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
40422 +++ linux-2.6.35.7/grsecurity/grsec_disabled.c 2010-09-17 20:12:37.000000000 -0400
40424 +#include <linux/kernel.h>
40425 +#include <linux/module.h>
40426 +#include <linux/sched.h>
40427 +#include <linux/file.h>
40428 +#include <linux/fs.h>
40429 +#include <linux/kdev_t.h>
40430 +#include <linux/net.h>
40431 +#include <linux/in.h>
40432 +#include <linux/ip.h>
40433 +#include <linux/skbuff.h>
40434 +#include <linux/sysctl.h>
40436 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
40438 +pax_set_initial_flags(struct linux_binprm *bprm)
40444 +#ifdef CONFIG_SYSCTL
40446 +gr_handle_sysctl(const struct ctl_table * table, const int op)
40452 +#ifdef CONFIG_TASKSTATS
40453 +int gr_is_taskstats_denied(int pid)
40460 +gr_acl_is_enabled(void)
40466 +gr_handle_rawio(const struct inode *inode)
40472 +gr_acl_handle_psacct(struct task_struct *task, const long code)
40478 +gr_handle_ptrace(struct task_struct *task, const long request)
40484 +gr_handle_proc_ptrace(struct task_struct *task)
40490 +gr_learn_resource(const struct task_struct *task,
40491 + const int res, const unsigned long wanted, const int gt)
40497 +gr_set_acls(const int type)
40503 +gr_check_hidden_task(const struct task_struct *tsk)
40509 +gr_check_protected_task(const struct task_struct *task)
40515 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
40521 +gr_copy_label(struct task_struct *tsk)
40527 +gr_set_pax_flags(struct task_struct *task)
40533 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
40534 + const int unsafe_share)
40540 +gr_handle_delete(const ino_t ino, const dev_t dev)
40546 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
40552 +gr_handle_crash(struct task_struct *task, const int sig)
40558 +gr_check_crash_exec(const struct file *filp)
40564 +gr_check_crash_uid(const uid_t uid)
40570 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
40571 + struct dentry *old_dentry,
40572 + struct dentry *new_dentry,
40573 + struct vfsmount *mnt, const __u8 replace)
40579 +gr_search_socket(const int family, const int type, const int protocol)
40585 +gr_search_connectbind(const int mode, const struct socket *sock,
40586 + const struct sockaddr_in *addr)
40592 +gr_is_capable(const int cap)
40598 +gr_is_capable_nolog(const int cap)
40604 +gr_handle_alertkill(struct task_struct *task)
40610 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
40616 +gr_acl_handle_hidden_file(const struct dentry * dentry,
40617 + const struct vfsmount * mnt)
40623 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
40630 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
40636 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
40642 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
40643 + unsigned int *vm_flags)
40649 +gr_acl_handle_truncate(const struct dentry * dentry,
40650 + const struct vfsmount * mnt)
40656 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
40662 +gr_acl_handle_access(const struct dentry * dentry,
40663 + const struct vfsmount * mnt, const int fmode)
40669 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
40676 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
40683 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
40689 +grsecurity_init(void)
40695 +gr_acl_handle_mknod(const struct dentry * new_dentry,
40696 + const struct dentry * parent_dentry,
40697 + const struct vfsmount * parent_mnt,
40704 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
40705 + const struct dentry * parent_dentry,
40706 + const struct vfsmount * parent_mnt)
40712 +gr_acl_handle_symlink(const struct dentry * new_dentry,
40713 + const struct dentry * parent_dentry,
40714 + const struct vfsmount * parent_mnt, const char *from)
40720 +gr_acl_handle_link(const struct dentry * new_dentry,
40721 + const struct dentry * parent_dentry,
40722 + const struct vfsmount * parent_mnt,
40723 + const struct dentry * old_dentry,
40724 + const struct vfsmount * old_mnt, const char *to)
40730 +gr_acl_handle_rename(const struct dentry *new_dentry,
40731 + const struct dentry *parent_dentry,
40732 + const struct vfsmount *parent_mnt,
40733 + const struct dentry *old_dentry,
40734 + const struct inode *old_parent_inode,
40735 + const struct vfsmount *old_mnt, const char *newname)
40741 +gr_acl_handle_filldir(const struct file *file, const char *name,
40742 + const int namelen, const ino_t ino)
40748 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40749 + const time_t shm_createtime, const uid_t cuid, const int shmid)
40755 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
40761 +gr_search_accept(const struct socket *sock)
40767 +gr_search_listen(const struct socket *sock)
40773 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
40779 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
40785 +gr_acl_handle_creat(const struct dentry * dentry,
40786 + const struct dentry * p_dentry,
40787 + const struct vfsmount * p_mnt, const int fmode,
40794 +gr_acl_handle_exit(void)
40800 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
40806 +gr_set_role_label(const uid_t uid, const gid_t gid)
40812 +gr_acl_handle_procpidmem(const struct task_struct *task)
40818 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
40824 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
40830 +gr_set_kernel_label(struct task_struct *task)
40836 +gr_check_user_change(int real, int effective, int fs)
40842 +gr_check_group_change(int real, int effective, int fs)
40847 +EXPORT_SYMBOL(gr_is_capable);
40848 +EXPORT_SYMBOL(gr_is_capable_nolog);
40849 +EXPORT_SYMBOL(gr_learn_resource);
40850 +EXPORT_SYMBOL(gr_set_kernel_label);
40851 +#ifdef CONFIG_SECURITY
40852 +EXPORT_SYMBOL(gr_check_user_change);
40853 +EXPORT_SYMBOL(gr_check_group_change);
40855 diff -urNp linux-2.6.35.7/grsecurity/grsec_exec.c linux-2.6.35.7/grsecurity/grsec_exec.c
40856 --- linux-2.6.35.7/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
40857 +++ linux-2.6.35.7/grsecurity/grsec_exec.c 2010-09-17 20:12:37.000000000 -0400
40859 +#include <linux/kernel.h>
40860 +#include <linux/sched.h>
40861 +#include <linux/file.h>
40862 +#include <linux/binfmts.h>
40863 +#include <linux/smp_lock.h>
40864 +#include <linux/fs.h>
40865 +#include <linux/types.h>
40866 +#include <linux/grdefs.h>
40867 +#include <linux/grinternal.h>
40868 +#include <linux/capability.h>
40870 +#include <asm/uaccess.h>
40872 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40873 +static char gr_exec_arg_buf[132];
40874 +static DECLARE_MUTEX(gr_exec_arg_sem);
40878 +gr_handle_nproc(void)
40880 +#ifdef CONFIG_GRKERNSEC_EXECVE
40881 + const struct cred *cred = current_cred();
40882 + if (grsec_enable_execve && cred->user &&
40883 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
40884 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
40885 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
40893 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
40895 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40896 + char *grarg = gr_exec_arg_buf;
40897 + unsigned int i, x, execlen = 0;
40900 + if (!((grsec_enable_execlog && grsec_enable_group &&
40901 + in_group_p(grsec_audit_gid))
40902 + || (grsec_enable_execlog && !grsec_enable_group)))
40905 + down(&gr_exec_arg_sem);
40906 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
40908 + if (unlikely(argv == NULL))
40911 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
40912 + const char __user *p;
40913 + unsigned int len;
40915 + if (copy_from_user(&p, argv + i, sizeof(p)))
40919 + len = strnlen_user(p, 128 - execlen);
40920 + if (len > 128 - execlen)
40921 + len = 128 - execlen;
40922 + else if (len > 0)
40924 + if (copy_from_user(grarg + execlen, p, len))
40927 + /* rewrite unprintable characters */
40928 + for (x = 0; x < len; x++) {
40929 + c = *(grarg + execlen + x);
40930 + if (c < 32 || c > 126)
40931 + *(grarg + execlen + x) = ' ';
40935 + *(grarg + execlen) = ' ';
40936 + *(grarg + execlen + 1) = '\0';
40941 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
40942 + bprm->file->f_path.mnt, grarg);
40943 + up(&gr_exec_arg_sem);
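Review bot: The bounds in gr_handle_exec_args rest on two unrelated literals, `gr_exec_arg_buf[132]` and the `128` repeated in the loop condition and the `strnlen_user` clamp. Nothing ties the four bytes of slack to the trailing writes at `grarg + execlen` and `grarg + execlen + 1`. I would name the limit once, `#define GR_EXEC_ARG_MAX 128`, and declare `static char gr_exec_arg_buf[GR_EXEC_ARG_MAX + 4];`, so that changing one cannot overrun the other. The audit record is also lossy in a way a log reader cannot see: arguments are cut at 128 bytes with no marker, and separators and unprintable bytes both become a space, which a comment above the loop such as `/* logs at most GR_EXEC_ARG_MAX bytes; separators and unprintables both become ' ' */` should state. Several lines of the function, including the declaration of `c`, are not shown in this view.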
40947 diff -urNp linux-2.6.35.7/grsecurity/grsec_fifo.c linux-2.6.35.7/grsecurity/grsec_fifo.c
40948 --- linux-2.6.35.7/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
40949 +++ linux-2.6.35.7/grsecurity/grsec_fifo.c 2010-09-17 20:12:37.000000000 -0400
40951 +#include <linux/kernel.h>
40952 +#include <linux/sched.h>
40953 +#include <linux/fs.h>
40954 +#include <linux/file.h>
40955 +#include <linux/grinternal.h>
40958 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
40959 + const struct dentry *dir, const int flag, const int acc_mode)
40961 +#ifdef CONFIG_GRKERNSEC_FIFO
40962 + const struct cred *cred = current_cred();
40964 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
40965 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
40966 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
40967 + (cred->fsuid != dentry->d_inode->i_uid)) {
40968 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
40969 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
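Review bot: The five-part condition in gr_handle_fifo carries the whole policy and has no comment. I would add one above the `if`, for example `/* restrict non-O_EXCL opens of a FIFO in a sticky directory when the FIFO belongs to neither the directory owner nor the opener (fsuid) */`. The comment should also say why the alert is logged only when `generic_permission()` returns 0, which reads as "log only if ordinary DAC would have allowed the open". This test keys on `S_ISVTX` alone, while gr_handle_follow_link in grsec_link.c also requires `S_IWOTH`; if the difference is intended, the comment is the place to say so. The return statements are not shown in this view, so the deny path is inferred.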
40975 diff -urNp linux-2.6.35.7/grsecurity/grsec_fork.c linux-2.6.35.7/grsecurity/grsec_fork.c
40976 --- linux-2.6.35.7/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
40977 +++ linux-2.6.35.7/grsecurity/grsec_fork.c 2010-09-23 20:39:19.000000000 -0400
40979 +#include <linux/kernel.h>
40980 +#include <linux/sched.h>
40981 +#include <linux/grsecurity.h>
40982 +#include <linux/grinternal.h>
40983 +#include <linux/errno.h>
40986 +gr_log_forkfail(const int retval)
40988 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
40989 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
40990 + switch (retval) {
40992 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
40995 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
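Review bot: The outer test in gr_log_forkfail repeats what the `switch (retval)` under it already decides. `retval == -EAGAIN || retval == -ENOMEM` is checked, and then the same two values are dispatched on. Reducing the condition to `if (grsec_enable_forkfail) {` and letting the switch ignore other values through an empty `default:` keeps one list of logged errors instead of two. The case labels are not shown in this view, so this assumes they are `-EAGAIN` and `-ENOMEM`.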
41002 diff -urNp linux-2.6.35.7/grsecurity/grsec_init.c linux-2.6.35.7/grsecurity/grsec_init.c
41003 --- linux-2.6.35.7/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
41004 +++ linux-2.6.35.7/grsecurity/grsec_init.c 2010-10-18 21:01:30.000000000 -0400
41006 +#include <linux/kernel.h>
41007 +#include <linux/sched.h>
41008 +#include <linux/mm.h>
41009 +#include <linux/smp_lock.h>
41010 +#include <linux/gracl.h>
41011 +#include <linux/slab.h>
41012 +#include <linux/vmalloc.h>
41013 +#include <linux/percpu.h>
41014 +#include <linux/module.h>
41016 +int grsec_enable_link;
41017 +int grsec_enable_dmesg;
41018 +int grsec_enable_harden_ptrace;
41019 +int grsec_enable_fifo;
41020 +int grsec_enable_execve;
41021 +int grsec_enable_execlog;
41022 +int grsec_enable_signal;
41023 +int grsec_enable_forkfail;
41024 +int grsec_enable_audit_ptrace;
41025 +int grsec_enable_time;
41026 +int grsec_enable_audit_textrel;
41027 +int grsec_enable_group;
41028 +int grsec_audit_gid;
41029 +int grsec_enable_chdir;
41030 +int grsec_enable_mount;
41031 +int grsec_enable_rofs;
41032 +int grsec_enable_chroot_findtask;
41033 +int grsec_enable_chroot_mount;
41034 +int grsec_enable_chroot_shmat;
41035 +int grsec_enable_chroot_fchdir;
41036 +int grsec_enable_chroot_double;
41037 +int grsec_enable_chroot_pivot;
41038 +int grsec_enable_chroot_chdir;
41039 +int grsec_enable_chroot_chmod;
41040 +int grsec_enable_chroot_mknod;
41041 +int grsec_enable_chroot_nice;
41042 +int grsec_enable_chroot_execlog;
41043 +int grsec_enable_chroot_caps;
41044 +int grsec_enable_chroot_sysctl;
41045 +int grsec_enable_chroot_unix;
41046 +int grsec_enable_tpe;
41047 +int grsec_tpe_gid;
41048 +int grsec_enable_blackhole;
41049 +#ifdef CONFIG_IPV6_MODULE
41050 +EXPORT_SYMBOL(grsec_enable_blackhole);
41052 +int grsec_lastack_retries;
41053 +int grsec_enable_tpe_all;
41054 +int grsec_enable_tpe_invert;
41055 +int grsec_enable_socket_all;
41056 +int grsec_socket_all_gid;
41057 +int grsec_enable_socket_client;
41058 +int grsec_socket_client_gid;
41059 +int grsec_enable_socket_server;
41060 +int grsec_socket_server_gid;
41061 +int grsec_resource_logging;
41062 +int grsec_disable_privio;
41063 +int grsec_enable_log_rwxmaps;
41066 +DEFINE_SPINLOCK(grsec_alert_lock);
41067 +unsigned long grsec_alert_wtime = 0;
41068 +unsigned long grsec_alert_fyet = 0;
41070 +DEFINE_SPINLOCK(grsec_audit_lock);
41072 +DEFINE_RWLOCK(grsec_exec_file_lock);
41074 +char *gr_shared_page[4];
41076 +char *gr_alert_log_fmt;
41077 +char *gr_audit_log_fmt;
41078 +char *gr_alert_log_buf;
41079 +char *gr_audit_log_buf;
41081 +extern struct gr_arg *gr_usermode;
41082 +extern unsigned char *gr_system_salt;
41083 +extern unsigned char *gr_system_sum;
41086 +grsecurity_init(void)
41089 + /* create the per-cpu shared pages */
41092 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
41095 + for (j = 0; j < 4; j++) {
41096 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
41097 + if (gr_shared_page[j] == NULL) {
41098 + panic("Unable to allocate grsecurity shared page");
41103 + /* allocate log buffers */
41104 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
41105 + if (!gr_alert_log_fmt) {
41106 + panic("Unable to allocate grsecurity alert log format buffer");
41109 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
41110 + if (!gr_audit_log_fmt) {
41111 + panic("Unable to allocate grsecurity audit log format buffer");
41114 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41115 + if (!gr_alert_log_buf) {
41116 + panic("Unable to allocate grsecurity alert log buffer");
41119 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41120 + if (!gr_audit_log_buf) {
41121 + panic("Unable to allocate grsecurity audit log buffer");
41125 + /* allocate memory for authentication structure */
41126 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
41127 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
41128 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
41130 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
41131 + panic("Unable to allocate grsecurity authentication structure");
41136 +#ifdef CONFIG_GRKERNSEC_IO
41137 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
41138 + grsec_disable_privio = 1;
41139 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41140 + grsec_disable_privio = 1;
41142 + grsec_disable_privio = 0;
41146 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41147 + /* for backward compatibility, tpe_invert always defaults to on if
41148 + enabled in the kernel
41150 + grsec_enable_tpe_invert = 1;
41153 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41154 +#ifndef CONFIG_GRKERNSEC_SYSCTL
41158 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
41159 + grsec_enable_audit_textrel = 1;
41161 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
41162 + grsec_enable_log_rwxmaps = 1;
41164 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
41165 + grsec_enable_group = 1;
41166 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
41168 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
41169 + grsec_enable_chdir = 1;
41171 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
41172 + grsec_enable_harden_ptrace = 1;
41174 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41175 + grsec_enable_mount = 1;
41177 +#ifdef CONFIG_GRKERNSEC_LINK
41178 + grsec_enable_link = 1;
41180 +#ifdef CONFIG_GRKERNSEC_DMESG
41181 + grsec_enable_dmesg = 1;
41183 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41184 + grsec_enable_blackhole = 1;
41185 + grsec_lastack_retries = 4;
41187 +#ifdef CONFIG_GRKERNSEC_FIFO
41188 + grsec_enable_fifo = 1;
41190 +#ifdef CONFIG_GRKERNSEC_EXECVE
41191 + grsec_enable_execve = 1;
41193 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41194 + grsec_enable_execlog = 1;
41196 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41197 + grsec_enable_signal = 1;
41199 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41200 + grsec_enable_forkfail = 1;
41202 +#ifdef CONFIG_GRKERNSEC_TIME
41203 + grsec_enable_time = 1;
41205 +#ifdef CONFIG_GRKERNSEC_RESLOG
41206 + grsec_resource_logging = 1;
41208 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
41209 + grsec_enable_chroot_findtask = 1;
41211 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41212 + grsec_enable_chroot_unix = 1;
41214 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41215 + grsec_enable_chroot_mount = 1;
41217 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41218 + grsec_enable_chroot_fchdir = 1;
41220 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41221 + grsec_enable_chroot_shmat = 1;
41223 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41224 + grsec_enable_audit_ptrace = 1;
41226 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41227 + grsec_enable_chroot_double = 1;
41229 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41230 + grsec_enable_chroot_pivot = 1;
41232 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41233 + grsec_enable_chroot_chdir = 1;
41235 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41236 + grsec_enable_chroot_chmod = 1;
41238 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41239 + grsec_enable_chroot_mknod = 1;
41241 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41242 + grsec_enable_chroot_nice = 1;
41244 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41245 + grsec_enable_chroot_execlog = 1;
41247 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41248 + grsec_enable_chroot_caps = 1;
41250 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41251 + grsec_enable_chroot_sysctl = 1;
41253 +#ifdef CONFIG_GRKERNSEC_TPE
41254 + grsec_enable_tpe = 1;
41255 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
41256 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
41257 + grsec_enable_tpe_all = 1;
41260 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41261 + grsec_enable_socket_all = 1;
41262 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
41264 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41265 + grsec_enable_socket_client = 1;
41266 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
41268 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41269 + grsec_enable_socket_server = 1;
41270 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
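Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` near the top of grsecurity_init writes to a fixed low address with no explanation. It sits directly under `/* create the per-cpu shared pages */`, which describes the loop after it rather than this line. It needs its own comment saying what lives at 0x41a and why 36 bytes are cleared, e.g. `/* clear BIOS keyboard buffer (BDA 0x41a, 36 bytes) so boot-time keystrokes do not stay readable */`; that reading is presumed and should be confirmed by the author. Any architecture guard around the line is not shown in this view, and if there is none the write needs one. The `512` passed to both `kmalloc()` calls for the log format buffers also deserves a named constant, since grsec_log.c fills those buffers with unbounded `sprintf()`.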
41276 diff -urNp linux-2.6.35.7/grsecurity/grsec_link.c linux-2.6.35.7/grsecurity/grsec_link.c
41277 --- linux-2.6.35.7/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
41278 +++ linux-2.6.35.7/grsecurity/grsec_link.c 2010-09-17 20:12:37.000000000 -0400
41280 +#include <linux/kernel.h>
41281 +#include <linux/sched.h>
41282 +#include <linux/fs.h>
41283 +#include <linux/file.h>
41284 +#include <linux/grinternal.h>
41287 +gr_handle_follow_link(const struct inode *parent,
41288 + const struct inode *inode,
41289 + const struct dentry *dentry, const struct vfsmount *mnt)
41291 +#ifdef CONFIG_GRKERNSEC_LINK
41292 + const struct cred *cred = current_cred();
41294 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
41295 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
41296 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
41297 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
41305 +gr_handle_hardlink(const struct dentry *dentry,
41306 + const struct vfsmount *mnt,
41307 + struct inode *inode, const int mode, const char *to)
41309 +#ifdef CONFIG_GRKERNSEC_LINK
41310 + const struct cred *cred = current_cred();
41312 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
41313 + (!S_ISREG(mode) || (mode & S_ISUID) ||
41314 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
41315 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
41316 + !capable(CAP_FOWNER) && cred->uid) {
41317 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
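Review bot: In gr_handle_hardlink the closing clause `!capable(CAP_FOWNER) && cred->uid` exempts every uid-0 task from the restriction, whether or not it still holds CAP_FOWNER. This patch itself creates uid-0 tasks with a reduced capability set (gr_handle_chroot_caps in grsec_chroot.c), so keying the exemption on uid sits badly with the capability check next to it. The ownership test uses `cred->fsuid` while the exemption uses `cred->uid`, which is a second inconsistency. Unless the uid exemption is deliberate, I would end the condition with `!capable(CAP_FOWNER)) {` alone; if it is deliberate, a comment should say why uid 0 is exempt. The return statements are not shown in this view.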
41323 diff -urNp linux-2.6.35.7/grsecurity/grsec_log.c linux-2.6.35.7/grsecurity/grsec_log.c
41324 --- linux-2.6.35.7/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
41325 +++ linux-2.6.35.7/grsecurity/grsec_log.c 2010-10-18 21:01:30.000000000 -0400
41327 +#include <linux/kernel.h>
41328 +#include <linux/sched.h>
41329 +#include <linux/file.h>
41330 +#include <linux/tty.h>
41331 +#include <linux/fs.h>
41332 +#include <linux/grinternal.h>
41334 +#ifdef CONFIG_TREE_PREEMPT_RCU
41335 +#define DISABLE_PREEMPT() preempt_disable()
41336 +#define ENABLE_PREEMPT() preempt_enable()
41338 +#define DISABLE_PREEMPT()
41339 +#define ENABLE_PREEMPT()
41342 +#define BEGIN_LOCKS(x) \
41343 + DISABLE_PREEMPT(); \
41344 + rcu_read_lock(); \
41345 + read_lock(&tasklist_lock); \
41346 + read_lock(&grsec_exec_file_lock); \
41347 + if (x != GR_DO_AUDIT) \
41348 + spin_lock(&grsec_alert_lock); \
41350 + spin_lock(&grsec_audit_lock)
41352 +#define END_LOCKS(x) \
41353 + if (x != GR_DO_AUDIT) \
41354 + spin_unlock(&grsec_alert_lock); \
41356 + spin_unlock(&grsec_audit_lock); \
41357 + read_unlock(&grsec_exec_file_lock); \
41358 + read_unlock(&tasklist_lock); \
41359 + rcu_read_unlock(); \
41360 + ENABLE_PREEMPT(); \
41361 + if (x == GR_DONT_AUDIT) \
41362 + gr_handle_alertkill(current)
41369 +extern char *gr_alert_log_fmt;
41370 +extern char *gr_audit_log_fmt;
41371 +extern char *gr_alert_log_buf;
41372 +extern char *gr_audit_log_buf;
41374 +static int gr_log_start(int audit)
41376 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
41377 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
41378 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41380 + if (audit == GR_DO_AUDIT)
41383 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
41384 + grsec_alert_wtime = jiffies;
41385 + grsec_alert_fyet = 0;
41386 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
41387 + grsec_alert_fyet++;
41388 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
41389 + grsec_alert_wtime = jiffies;
41390 + grsec_alert_fyet++;
41391 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
41393 + } else return FLOODING;
41396 + memset(buf, 0, PAGE_SIZE);
41397 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
41398 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
41399 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
41400 + } else if (current->signal->curr_ip) {
41401 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
41402 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
41403 + } else if (gr_acl_is_enabled()) {
41404 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
41405 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
41407 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
41408 + strcpy(buf, fmt);
41411 + return NO_FLOODING;
41414 +static void gr_log_middle(int audit, const char *msg, va_list ap)
41415 + __attribute__ ((format (printf, 2, 0)));
41417 +static void gr_log_middle(int audit, const char *msg, va_list ap)
41419 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41420 + unsigned int len = strlen(buf);
41422 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41427 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41428 + __attribute__ ((format (printf, 2, 3)));
41430 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41432 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41433 + unsigned int len = strlen(buf);
41436 + va_start(ap, msg);
41437 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41443 +static void gr_log_end(int audit)
41445 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41446 + unsigned int len = strlen(buf);
41448 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
41449 + printk("%s\n", buf);
41454 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
41457 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
41458 + char *str1, *str2, *str3;
41461 + unsigned long ulong1, ulong2;
41462 + struct dentry *dentry;
41463 + struct vfsmount *mnt;
41464 + struct file *file;
41465 + struct task_struct *task;
41466 + const struct cred *cred, *pcred;
41469 + BEGIN_LOCKS(audit);
41470 + logtype = gr_log_start(audit);
41471 + if (logtype == FLOODING) {
41472 + END_LOCKS(audit);
41475 + va_start(ap, argtypes);
41476 + switch (argtypes) {
41477 + case GR_TTYSNIFF:
41478 + task = va_arg(ap, struct task_struct *);
41479 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
41481 + case GR_SYSCTL_HIDDEN:
41482 + str1 = va_arg(ap, char *);
41483 + gr_log_middle_varargs(audit, msg, result, str1);
41486 + dentry = va_arg(ap, struct dentry *);
41487 + mnt = va_arg(ap, struct vfsmount *);
41488 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
41490 + case GR_RBAC_STR:
41491 + dentry = va_arg(ap, struct dentry *);
41492 + mnt = va_arg(ap, struct vfsmount *);
41493 + str1 = va_arg(ap, char *);
41494 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
41496 + case GR_STR_RBAC:
41497 + str1 = va_arg(ap, char *);
41498 + dentry = va_arg(ap, struct dentry *);
41499 + mnt = va_arg(ap, struct vfsmount *);
41500 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
41502 + case GR_RBAC_MODE2:
41503 + dentry = va_arg(ap, struct dentry *);
41504 + mnt = va_arg(ap, struct vfsmount *);
41505 + str1 = va_arg(ap, char *);
41506 + str2 = va_arg(ap, char *);
41507 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
41509 + case GR_RBAC_MODE3:
41510 + dentry = va_arg(ap, struct dentry *);
41511 + mnt = va_arg(ap, struct vfsmount *);
41512 + str1 = va_arg(ap, char *);
41513 + str2 = va_arg(ap, char *);
41514 + str3 = va_arg(ap, char *);
41515 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
41517 + case GR_FILENAME:
41518 + dentry = va_arg(ap, struct dentry *);
41519 + mnt = va_arg(ap, struct vfsmount *);
41520 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
41522 + case GR_STR_FILENAME:
41523 + str1 = va_arg(ap, char *);
41524 + dentry = va_arg(ap, struct dentry *);
41525 + mnt = va_arg(ap, struct vfsmount *);
41526 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
41528 + case GR_FILENAME_STR:
41529 + dentry = va_arg(ap, struct dentry *);
41530 + mnt = va_arg(ap, struct vfsmount *);
41531 + str1 = va_arg(ap, char *);
41532 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
41534 + case GR_FILENAME_TWO_INT:
41535 + dentry = va_arg(ap, struct dentry *);
41536 + mnt = va_arg(ap, struct vfsmount *);
41537 + num1 = va_arg(ap, int);
41538 + num2 = va_arg(ap, int);
41539 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
41541 + case GR_FILENAME_TWO_INT_STR:
41542 + dentry = va_arg(ap, struct dentry *);
41543 + mnt = va_arg(ap, struct vfsmount *);
41544 + num1 = va_arg(ap, int);
41545 + num2 = va_arg(ap, int);
41546 + str1 = va_arg(ap, char *);
41547 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
41550 + file = va_arg(ap, struct file *);
41551 + ulong1 = va_arg(ap, unsigned long);
41552 + ulong2 = va_arg(ap, unsigned long);
41553 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
41556 + task = va_arg(ap, struct task_struct *);
41557 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
41559 + case GR_RESOURCE:
41560 + task = va_arg(ap, struct task_struct *);
41561 + cred = __task_cred(task);
41562 + pcred = __task_cred(task->real_parent);
41563 + ulong1 = va_arg(ap, unsigned long);
41564 + str1 = va_arg(ap, char *);
41565 + ulong2 = va_arg(ap, unsigned long);
41566 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41569 + task = va_arg(ap, struct task_struct *);
41570 + cred = __task_cred(task);
41571 + pcred = __task_cred(task->real_parent);
41572 + str1 = va_arg(ap, char *);
41573 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41576 + str1 = va_arg(ap, char *);
41577 + voidptr = va_arg(ap, void *);
41578 + gr_log_middle_varargs(audit, msg, str1, voidptr);
41581 + task = va_arg(ap, struct task_struct *);
41582 + cred = __task_cred(task);
41583 + pcred = __task_cred(task->real_parent);
41584 + num1 = va_arg(ap, int);
41585 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41588 + task = va_arg(ap, struct task_struct *);
41589 + cred = __task_cred(task);
41590 + pcred = __task_cred(task->real_parent);
41591 + ulong1 = va_arg(ap, unsigned long);
41592 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
41595 + task = va_arg(ap, struct task_struct *);
41596 + cred = __task_cred(task);
41597 + pcred = __task_cred(task->real_parent);
41598 + ulong1 = va_arg(ap, unsigned long);
41599 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
41602 + file = va_arg(ap, struct file *);
41603 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
41607 + unsigned int wday, cday;
41611 + char cur_tty[64] = { 0 };
41612 + char parent_tty[64] = { 0 };
41614 + task = va_arg(ap, struct task_struct *);
41615 + wday = va_arg(ap, unsigned int);
41616 + cday = va_arg(ap, unsigned int);
41617 + whr = va_arg(ap, int);
41618 + chr = va_arg(ap, int);
41619 + wmin = va_arg(ap, int);
41620 + cmin = va_arg(ap, int);
41621 + wsec = va_arg(ap, int);
41622 + csec = va_arg(ap, int);
41623 + ulong1 = va_arg(ap, unsigned long);
41624 + cred = __task_cred(task);
41625 + pcred = __task_cred(task->real_parent);
41627 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41631 + gr_log_middle(audit, msg, ap);
41634 + gr_log_end(audit);
41635 + END_LOCKS(audit);
41637 diff -urNp linux-2.6.35.7/grsecurity/grsec_mem.c linux-2.6.35.7/grsecurity/grsec_mem.c
41638 --- linux-2.6.35.7/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
41639 +++ linux-2.6.35.7/grsecurity/grsec_mem.c 2010-09-17 20:12:37.000000000 -0400
41641 +#include <linux/kernel.h>
41642 +#include <linux/sched.h>
41643 +#include <linux/mm.h>
41644 +#include <linux/mman.h>
41645 +#include <linux/grinternal.h>
41648 +gr_handle_ioperm(void)
41650 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
41655 +gr_handle_iopl(void)
41657 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
41662 +gr_handle_mem_write(void)
41664 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
41669 +gr_handle_kmem_write(void)
41671 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
41676 +gr_handle_open_port(void)
41678 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
41683 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
41685 + unsigned long start, end;
41688 + end = start + vma->vm_end - vma->vm_start;
41690 + if (start > end) {
41691 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41695 + /* allowed ranges : ISA I/O BIOS */
41696 + if ((start >= __pa(high_memory))
41697 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
41698 + || (start >= 0x000a0000 && end <= 0x00100000)
41699 + || (start >= 0x00000000 && end <= 0x00001000)
41704 + if (vma->vm_flags & VM_WRITE) {
41705 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41708 + vma->vm_flags &= ~VM_MAYWRITE;
41714 +gr_log_nonroot_mod_load(const char *modname)
41716 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
41721 +gr_handle_vm86(void)
41723 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
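Review bot: In gr_handle_mem_mmap the comparison `start >= 0x00000000` is always true because `start` is `unsigned long`, so the last allowed range reduces to `end <= 0x00001000`. Writing it that way avoids a tautological-compare warning and makes the intent plain. The two literal ranges are explained only by `/* allowed ranges : ISA I/O BIOS */`; named constants, or a comment on each range saying which region it covers, would make this allow-list easier to audit. Parts of the function body, including its return paths, are not shown on this page and are not reviewed here.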
41726 diff -urNp linux-2.6.35.7/grsecurity/grsec_mount.c linux-2.6.35.7/grsecurity/grsec_mount.c
41727 --- linux-2.6.35.7/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
41728 +++ linux-2.6.35.7/grsecurity/grsec_mount.c 2010-09-17 20:12:37.000000000 -0400
41730 +#include <linux/kernel.h>
41731 +#include <linux/sched.h>
41732 +#include <linux/mount.h>
41733 +#include <linux/grsecurity.h>
41734 +#include <linux/grinternal.h>
41737 +gr_log_remount(const char *devname, const int retval)
41739 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41740 + if (grsec_enable_mount && (retval >= 0))
41741 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
41747 +gr_log_unmount(const char *devname, const int retval)
41749 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41750 + if (grsec_enable_mount && (retval >= 0))
41751 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
41757 +gr_log_mount(const char *from, const char *to, const int retval)
41759 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41760 + if (grsec_enable_mount && (retval >= 0))
41761 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
41767 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
41769 +#ifdef CONFIG_GRKERNSEC_ROFS
41770 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
41771 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
41780 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
41782 +#ifdef CONFIG_GRKERNSEC_ROFS
41783 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
41784 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
41785 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
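Review bot: gr_log_mount passes `from` straight to `gr_log_str_str`, while gr_log_remount and gr_log_unmount in the same file substitute `"none"` when the device name is missing. A mount request may arrive without a source name, so the audit line should be guarded the same way: `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);`. Whether `to` can be NULL depends on the caller, which is outside this hunk.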
41792 diff -urNp linux-2.6.35.7/grsecurity/grsec_pax.c linux-2.6.35.7/grsecurity/grsec_pax.c
41793 --- linux-2.6.35.7/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
41794 +++ linux-2.6.35.7/grsecurity/grsec_pax.c 2010-10-18 21:01:30.000000000 -0400
41796 +#include <linux/kernel.h>
41797 +#include <linux/sched.h>
41798 +#include <linux/mm.h>
41799 +#include <linux/file.h>
41800 +#include <linux/grinternal.h>
41801 +#include <linux/grsecurity.h>
41804 +gr_log_textrel(struct vm_area_struct * vma)
41806 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
41807 + if (grsec_enable_audit_textrel)
41808 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
41814 +gr_log_rwxmmap(struct file *file)
41816 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
41817 + if (grsec_enable_log_rwxmaps)
41818 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
41824 +gr_log_rwxmprotect(struct file *file)
41826 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
41827 + if (grsec_enable_log_rwxmaps)
41828 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
41832 diff -urNp linux-2.6.35.7/grsecurity/grsec_ptrace.c linux-2.6.35.7/grsecurity/grsec_ptrace.c
41833 --- linux-2.6.35.7/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
41834 +++ linux-2.6.35.7/grsecurity/grsec_ptrace.c 2010-09-17 20:12:37.000000000 -0400
41836 +#include <linux/kernel.h>
41837 +#include <linux/sched.h>
41838 +#include <linux/grinternal.h>
41839 +#include <linux/grsecurity.h>
41842 +gr_audit_ptrace(struct task_struct *task)
41844 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41845 + if (grsec_enable_audit_ptrace)
41846 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
41850 diff -urNp linux-2.6.35.7/grsecurity/grsec_sig.c linux-2.6.35.7/grsecurity/grsec_sig.c
41851 --- linux-2.6.35.7/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
41852 +++ linux-2.6.35.7/grsecurity/grsec_sig.c 2010-09-28 19:09:19.000000000 -0400
41854 +#include <linux/kernel.h>
41855 +#include <linux/sched.h>
41856 +#include <linux/delay.h>
41857 +#include <linux/grsecurity.h>
41858 +#include <linux/grinternal.h>
41860 +char *signames[] = {
41861 + [SIGSEGV] = "Segmentation fault",
41862 + [SIGILL] = "Illegal instruction",
41863 + [SIGABRT] = "Abort",
41864 + [SIGBUS] = "Invalid alignment/Bus error"
41868 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
41870 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41871 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
41872 + (sig == SIGABRT) || (sig == SIGBUS))) {
41873 + if (t->pid == current->pid) {
41874 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
41876 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
41884 +gr_handle_signal(const struct task_struct *p, const int sig)
41886 +#ifdef CONFIG_GRKERNSEC
41887 + if (current->pid > 1 && gr_check_protected_task(p)) {
41888 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
41890 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
41897 +void gr_handle_brute_attach(struct task_struct *p)
41899 +#ifdef CONFIG_GRKERNSEC_BRUTE
41900 + read_lock(&tasklist_lock);
41901 + read_lock(&grsec_exec_file_lock);
41902 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
41903 + p->real_parent->brute = 1;
41904 + read_unlock(&grsec_exec_file_lock);
41905 + read_unlock(&tasklist_lock);
41910 +void gr_handle_brute_check(void)
41912 +#ifdef CONFIG_GRKERNSEC_BRUTE
41913 + if (current->brute)
41914 + msleep(30 * 1000);
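Review bot: `signames` is defined as a writable, externally visible `char *signames[]`, although gr_log_signal only reads it. Declaring it `static const char * const signames[] = {` would place the table in read-only data and keep a very generic name out of the kernel's global namespace. Drop `static` only if another file references the table, which this hunk does not show. Separately, the delay in gr_handle_brute_check, `msleep(30 * 1000)`, deserves a named constant and a comment saying why that value was chosen.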
41919 diff -urNp linux-2.6.35.7/grsecurity/grsec_sock.c linux-2.6.35.7/grsecurity/grsec_sock.c
41920 --- linux-2.6.35.7/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
41921 +++ linux-2.6.35.7/grsecurity/grsec_sock.c 2010-09-17 20:12:37.000000000 -0400
41923 +#include <linux/kernel.h>
41924 +#include <linux/module.h>
41925 +#include <linux/sched.h>
41926 +#include <linux/file.h>
41927 +#include <linux/net.h>
41928 +#include <linux/in.h>
41929 +#include <linux/ip.h>
41930 +#include <net/sock.h>
41931 +#include <net/inet_sock.h>
41932 +#include <linux/grsecurity.h>
41933 +#include <linux/grinternal.h>
41934 +#include <linux/gracl.h>
41936 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
41937 +EXPORT_SYMBOL(gr_cap_rtnetlink);
41939 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
41940 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
41942 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
41943 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
41945 +#ifdef CONFIG_UNIX_MODULE
41946 +EXPORT_SYMBOL(gr_acl_handle_unix);
41947 +EXPORT_SYMBOL(gr_acl_handle_mknod);
41948 +EXPORT_SYMBOL(gr_handle_chroot_unix);
41949 +EXPORT_SYMBOL(gr_handle_create);
41952 +#ifdef CONFIG_GRKERNSEC
41953 +#define gr_conn_table_size 32749
41954 +struct conn_table_entry {
41955 + struct conn_table_entry *next;
41956 + struct signal_struct *sig;
41959 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
41960 +DEFINE_SPINLOCK(gr_conn_table_lock);
41962 +extern const char * gr_socktype_to_name(unsigned char type);
41963 +extern const char * gr_proto_to_name(unsigned char proto);
41965 +static __inline__ int
41966 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
41968 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
41971 +static __inline__ int
41972 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
41973 + __u16 sport, __u16 dport)
41975 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
41976 + sig->gr_sport == sport && sig->gr_dport == dport))
41982 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
41984 + struct conn_table_entry **match;
41985 + unsigned int index;
41987 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
41988 + sig->gr_sport, sig->gr_dport,
41989 + gr_conn_table_size);
41991 + newent->sig = sig;
41993 + match = &gr_conn_table[index];
41994 + newent->next = *match;
42000 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
42002 + struct conn_table_entry *match, *last = NULL;
42003 + unsigned int index;
42005 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42006 + sig->gr_sport, sig->gr_dport,
42007 + gr_conn_table_size);
42009 + match = gr_conn_table[index];
42010 + while (match && !conn_match(match->sig,
42011 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
42012 + sig->gr_dport)) {
42014 + match = match->next;
42019 + last->next = match->next;
42021 + gr_conn_table[index] = NULL;
42028 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
42029 + __u16 sport, __u16 dport)
42031 + struct conn_table_entry *match;
42032 + unsigned int index;
42034 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
42036 + match = gr_conn_table[index];
42037 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
42038 + match = match->next;
42041 + return match->sig;
42048 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
42050 +#ifdef CONFIG_GRKERNSEC
42051 + struct signal_struct *sig = task->signal;
42052 + struct conn_table_entry *newent;
42054 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
42055 + if (newent == NULL)
42057 + /* no bh lock needed since we are called with bh disabled */
42058 + spin_lock(&gr_conn_table_lock);
42059 + gr_del_task_from_ip_table_nolock(sig);
42060 + sig->gr_saddr = inet->inet_rcv_saddr;
42061 + sig->gr_daddr = inet->inet_daddr;
42062 + sig->gr_sport = inet->inet_sport;
42063 + sig->gr_dport = inet->inet_dport;
42064 + gr_add_to_task_ip_table_nolock(sig, newent);
42065 + spin_unlock(&gr_conn_table_lock);
42070 +void gr_del_task_from_ip_table(struct task_struct *task)
42072 +#ifdef CONFIG_GRKERNSEC
42073 + spin_lock_bh(&gr_conn_table_lock);
42074 + gr_del_task_from_ip_table_nolock(task->signal);
42075 + spin_unlock_bh(&gr_conn_table_lock);
42081 +gr_attach_curr_ip(const struct sock *sk)
42083 +#ifdef CONFIG_GRKERNSEC
42084 + struct signal_struct *p, *set;
42085 + const struct inet_sock *inet = inet_sk(sk);
42087 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
42090 + set = current->signal;
42092 + spin_lock_bh(&gr_conn_table_lock);
42093 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
42094 + inet->inet_dport, inet->inet_sport);
42095 + if (unlikely(p != NULL)) {
42096 + set->curr_ip = p->curr_ip;
42097 + set->used_accept = 1;
42098 + gr_del_task_from_ip_table_nolock(p);
42099 + spin_unlock_bh(&gr_conn_table_lock);
42102 + spin_unlock_bh(&gr_conn_table_lock);
42104 + set->curr_ip = inet->inet_daddr;
42105 + set->used_accept = 1;
42111 +gr_handle_sock_all(const int family, const int type, const int protocol)
42113 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42114 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
42115 + (family != AF_UNIX) && (family != AF_LOCAL)) {
42116 + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
42124 +gr_handle_sock_server(const struct sockaddr *sck)
42126 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42127 + if (grsec_enable_socket_server &&
42128 + in_group_p(grsec_socket_server_gid) &&
42129 + sck && (sck->sa_family != AF_UNIX) &&
42130 + (sck->sa_family != AF_LOCAL)) {
42131 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42139 +gr_handle_sock_server_other(const struct sock *sck)
42141 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42142 + if (grsec_enable_socket_server &&
42143 + in_group_p(grsec_socket_server_gid) &&
42144 + sck && (sck->sk_family != AF_UNIX) &&
42145 + (sck->sk_family != AF_LOCAL)) {
42146 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42154 +gr_handle_sock_client(const struct sockaddr *sck)
42156 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42157 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
42158 + sck && (sck->sa_family != AF_UNIX) &&
42159 + (sck->sa_family != AF_LOCAL)) {
42160 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
42168 +gr_cap_rtnetlink(struct sock *sock)
42170 +#ifdef CONFIG_GRKERNSEC
42171 + if (!gr_acl_is_enabled())
42172 + return current_cap();
42173 + else if (sock->sk_protocol == NETLINK_ISCSI &&
42174 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
42175 + gr_is_capable(CAP_SYS_ADMIN))
42176 + return current_cap();
42177 + else if (sock->sk_protocol == NETLINK_AUDIT &&
42178 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
42179 + gr_is_capable(CAP_AUDIT_WRITE) &&
42180 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
42181 + gr_is_capable(CAP_AUDIT_CONTROL))
42182 + return current_cap();
42183 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
42184 + ((sock->sk_protocol == NETLINK_ROUTE) ?
42185 + gr_is_capable_nolog(CAP_NET_ADMIN) :
42186 + gr_is_capable(CAP_NET_ADMIN)))
42187 + return current_cap();
42189 + return __cap_empty_set;
42191 + return current_cap();
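Review bot: In gr_del_task_from_ip_table_nolock the assignment `gr_conn_table[index] = NULL;` looks like the branch taken when the matched entry is the first one in its bucket (the lines between are not shown on this page). gr_add_to_task_ip_table_nolock links new entries at the head with `newent->next = *match;`, so a bucket can hold a chain. Clearing the bucket instead of advancing it would drop every entry behind the removed one, leaving them unfreed and invisible to later lookups. If that reading is right, the line should be `gr_conn_table[index] = match->next;`. A smaller point in conn_hash: `sport` and `dport` are promoted to `int` before shifting, so `dport << 16` can shift into the sign bit; casting first, `((__u32)dport << 16)`, keeps the arithmetic unsigned.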
42194 diff -urNp linux-2.6.35.7/grsecurity/grsec_sysctl.c linux-2.6.35.7/grsecurity/grsec_sysctl.c
42195 --- linux-2.6.35.7/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
42196 +++ linux-2.6.35.7/grsecurity/grsec_sysctl.c 2010-10-18 21:02:33.000000000 -0400
42198 +#include <linux/kernel.h>
42199 +#include <linux/sched.h>
42200 +#include <linux/sysctl.h>
42201 +#include <linux/grsecurity.h>
42202 +#include <linux/grinternal.h>
42205 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
42207 +#ifdef CONFIG_GRKERNSEC_SYSCTL
42208 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
42209 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
42216 +#ifdef CONFIG_GRKERNSEC_ROFS
42217 +static int __maybe_unused one = 1;
42220 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
42221 +struct ctl_table grsecurity_table[] = {
42222 +#ifdef CONFIG_GRKERNSEC_SYSCTL
42223 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
42224 +#ifdef CONFIG_GRKERNSEC_IO
42226 + .procname = "disable_priv_io",
42227 + .data = &grsec_disable_privio,
42228 + .maxlen = sizeof(int),
42230 + .proc_handler = &proc_dointvec,
42234 +#ifdef CONFIG_GRKERNSEC_LINK
42236 + .procname = "linking_restrictions",
42237 + .data = &grsec_enable_link,
42238 + .maxlen = sizeof(int),
42240 + .proc_handler = &proc_dointvec,
42243 +#ifdef CONFIG_GRKERNSEC_FIFO
42245 + .procname = "fifo_restrictions",
42246 + .data = &grsec_enable_fifo,
42247 + .maxlen = sizeof(int),
42249 + .proc_handler = &proc_dointvec,
42252 +#ifdef CONFIG_GRKERNSEC_EXECVE
42254 + .procname = "execve_limiting",
42255 + .data = &grsec_enable_execve,
42256 + .maxlen = sizeof(int),
42258 + .proc_handler = &proc_dointvec,
42261 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
42263 + .procname = "ip_blackhole",
42264 + .data = &grsec_enable_blackhole,
42265 + .maxlen = sizeof(int),
42267 + .proc_handler = &proc_dointvec,
42270 + .procname = "lastack_retries",
42271 + .data = &grsec_lastack_retries,
42272 + .maxlen = sizeof(int),
42274 + .proc_handler = &proc_dointvec,
42277 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42279 + .procname = "exec_logging",
42280 + .data = &grsec_enable_execlog,
42281 + .maxlen = sizeof(int),
42283 + .proc_handler = &proc_dointvec,
42286 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42288 + .procname = "rwxmap_logging",
42289 + .data = &grsec_enable_log_rwxmaps,
42290 + .maxlen = sizeof(int),
42292 + .proc_handler = &proc_dointvec,
42295 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42297 + .procname = "signal_logging",
42298 + .data = &grsec_enable_signal,
42299 + .maxlen = sizeof(int),
42301 + .proc_handler = &proc_dointvec,
42304 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
42306 + .procname = "forkfail_logging",
42307 + .data = &grsec_enable_forkfail,
42308 + .maxlen = sizeof(int),
42310 + .proc_handler = &proc_dointvec,
42313 +#ifdef CONFIG_GRKERNSEC_TIME
42315 + .procname = "timechange_logging",
42316 + .data = &grsec_enable_time,
42317 + .maxlen = sizeof(int),
42319 + .proc_handler = &proc_dointvec,
42322 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
42324 + .procname = "chroot_deny_shmat",
42325 + .data = &grsec_enable_chroot_shmat,
42326 + .maxlen = sizeof(int),
42328 + .proc_handler = &proc_dointvec,
42331 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
42333 + .procname = "chroot_deny_unix",
42334 + .data = &grsec_enable_chroot_unix,
42335 + .maxlen = sizeof(int),
42337 + .proc_handler = &proc_dointvec,
42340 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
42342 + .procname = "chroot_deny_mount",
42343 + .data = &grsec_enable_chroot_mount,
42344 + .maxlen = sizeof(int),
42346 + .proc_handler = &proc_dointvec,
42349 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
42351 + .procname = "chroot_deny_fchdir",
42352 + .data = &grsec_enable_chroot_fchdir,
42353 + .maxlen = sizeof(int),
42355 + .proc_handler = &proc_dointvec,
42358 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
42360 + .procname = "chroot_deny_chroot",
42361 + .data = &grsec_enable_chroot_double,
42362 + .maxlen = sizeof(int),
42364 + .proc_handler = &proc_dointvec,
42367 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
42369 + .procname = "chroot_deny_pivot",
42370 + .data = &grsec_enable_chroot_pivot,
42371 + .maxlen = sizeof(int),
42373 + .proc_handler = &proc_dointvec,
42376 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
42378 + .procname = "chroot_enforce_chdir",
42379 + .data = &grsec_enable_chroot_chdir,
42380 + .maxlen = sizeof(int),
42382 + .proc_handler = &proc_dointvec,
42385 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
42387 + .procname = "chroot_deny_chmod",
42388 + .data = &grsec_enable_chroot_chmod,
42389 + .maxlen = sizeof(int),
42391 + .proc_handler = &proc_dointvec,
42394 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
42396 + .procname = "chroot_deny_mknod",
42397 + .data = &grsec_enable_chroot_mknod,
42398 + .maxlen = sizeof(int),
42400 + .proc_handler = &proc_dointvec,
42403 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
42405 + .procname = "chroot_restrict_nice",
42406 + .data = &grsec_enable_chroot_nice,
42407 + .maxlen = sizeof(int),
42409 + .proc_handler = &proc_dointvec,
42412 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
42414 + .procname = "chroot_execlog",
42415 + .data = &grsec_enable_chroot_execlog,
42416 + .maxlen = sizeof(int),
42418 + .proc_handler = &proc_dointvec,
42421 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
42423 + .procname = "chroot_caps",
42424 + .data = &grsec_enable_chroot_caps,
42425 + .maxlen = sizeof(int),
42427 + .proc_handler = &proc_dointvec,
42430 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
42432 + .procname = "chroot_deny_sysctl",
42433 + .data = &grsec_enable_chroot_sysctl,
42434 + .maxlen = sizeof(int),
42436 + .proc_handler = &proc_dointvec,
42439 +#ifdef CONFIG_GRKERNSEC_TPE
42441 + .procname = "tpe",
42442 + .data = &grsec_enable_tpe,
42443 + .maxlen = sizeof(int),
42445 + .proc_handler = &proc_dointvec,
42448 + .procname = "tpe_gid",
42449 + .data = &grsec_tpe_gid,
42450 + .maxlen = sizeof(int),
42452 + .proc_handler = &proc_dointvec,
42455 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42457 + .procname = "tpe_invert",
42458 + .data = &grsec_enable_tpe_invert,
42459 + .maxlen = sizeof(int),
42461 + .proc_handler = &proc_dointvec,
42464 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42466 + .procname = "tpe_restrict_all",
42467 + .data = &grsec_enable_tpe_all,
42468 + .maxlen = sizeof(int),
42470 + .proc_handler = &proc_dointvec,
42473 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42475 + .procname = "socket_all",
42476 + .data = &grsec_enable_socket_all,
42477 + .maxlen = sizeof(int),
42479 + .proc_handler = &proc_dointvec,
42482 + .procname = "socket_all_gid",
42483 + .data = &grsec_socket_all_gid,
42484 + .maxlen = sizeof(int),
42486 + .proc_handler = &proc_dointvec,
42489 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42491 + .procname = "socket_client",
42492 + .data = &grsec_enable_socket_client,
42493 + .maxlen = sizeof(int),
42495 + .proc_handler = &proc_dointvec,
42498 + .procname = "socket_client_gid",
42499 + .data = &grsec_socket_client_gid,
42500 + .maxlen = sizeof(int),
42502 + .proc_handler = &proc_dointvec,
42505 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42507 + .procname = "socket_server",
42508 + .data = &grsec_enable_socket_server,
42509 + .maxlen = sizeof(int),
42511 + .proc_handler = &proc_dointvec,
42514 + .procname = "socket_server_gid",
42515 + .data = &grsec_socket_server_gid,
42516 + .maxlen = sizeof(int),
42518 + .proc_handler = &proc_dointvec,
42521 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
42523 + .procname = "audit_group",
42524 + .data = &grsec_enable_group,
42525 + .maxlen = sizeof(int),
42527 + .proc_handler = &proc_dointvec,
42530 + .procname = "audit_gid",
42531 + .data = &grsec_audit_gid,
42532 + .maxlen = sizeof(int),
42534 + .proc_handler = &proc_dointvec,
42537 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
42539 + .procname = "audit_chdir",
42540 + .data = &grsec_enable_chdir,
42541 + .maxlen = sizeof(int),
42543 + .proc_handler = &proc_dointvec,
42546 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42548 + .procname = "audit_mount",
42549 + .data = &grsec_enable_mount,
42550 + .maxlen = sizeof(int),
42552 + .proc_handler = &proc_dointvec,
42555 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42557 + .procname = "audit_textrel",
42558 + .data = &grsec_enable_audit_textrel,
42559 + .maxlen = sizeof(int),
42561 + .proc_handler = &proc_dointvec,
42564 +#ifdef CONFIG_GRKERNSEC_DMESG
42566 + .procname = "dmesg",
42567 + .data = &grsec_enable_dmesg,
42568 + .maxlen = sizeof(int),
42570 + .proc_handler = &proc_dointvec,
42573 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
42575 + .procname = "chroot_findtask",
42576 + .data = &grsec_enable_chroot_findtask,
42577 + .maxlen = sizeof(int),
42579 + .proc_handler = &proc_dointvec,
42582 +#ifdef CONFIG_GRKERNSEC_RESLOG
42584 + .procname = "resource_logging",
42585 + .data = &grsec_resource_logging,
42586 + .maxlen = sizeof(int),
42588 + .proc_handler = &proc_dointvec,
42591 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42593 + .procname = "audit_ptrace",
42594 + .data = &grsec_enable_audit_ptrace,
42595 + .maxlen = sizeof(int),
42597 + .proc_handler = &proc_dointvec,
42600 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
42602 + .procname = "harden_ptrace",
42603 + .data = &grsec_enable_harden_ptrace,
42604 + .maxlen = sizeof(int),
42606 + .proc_handler = &proc_dointvec,
42610 + .procname = "grsec_lock",
42611 + .data = &grsec_lock,
42612 + .maxlen = sizeof(int),
42614 + .proc_handler = &proc_dointvec,
42617 +#ifdef CONFIG_GRKERNSEC_ROFS
42619 + .procname = "romount_protect",
42620 + .data = &grsec_enable_rofs,
42621 + .maxlen = sizeof(int),
42623 + .proc_handler = &proc_dointvec_minmax,
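Review bot: Every on/off switch and every `*_gid` entry in grsecurity_table is registered with `proc_dointvec`, which accepts any integer. That includes negative values for the gid entries, which other files in this patch pass to `in_group_p()`. The file already uses `proc_dointvec_minmax` for `romount_protect` and declares `one` for it. The toggles could be bounded the same way with `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one` and a matching `static int zero;`. The `.mode` and bound lines of the entries are not shown on this page, so this is based on the handlers alone.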
42631 diff -urNp linux-2.6.35.7/grsecurity/grsec_time.c linux-2.6.35.7/grsecurity/grsec_time.c
42632 --- linux-2.6.35.7/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
42633 +++ linux-2.6.35.7/grsecurity/grsec_time.c 2010-09-17 20:12:37.000000000 -0400
42635 +#include <linux/kernel.h>
42636 +#include <linux/sched.h>
42637 +#include <linux/grinternal.h>
42640 +gr_log_timechange(void)
42642 +#ifdef CONFIG_GRKERNSEC_TIME
42643 + if (grsec_enable_time)
42644 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
42648 diff -urNp linux-2.6.35.7/grsecurity/grsec_tpe.c linux-2.6.35.7/grsecurity/grsec_tpe.c
42649 --- linux-2.6.35.7/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
42650 +++ linux-2.6.35.7/grsecurity/grsec_tpe.c 2010-09-17 20:12:37.000000000 -0400
42652 +#include <linux/kernel.h>
42653 +#include <linux/sched.h>
42654 +#include <linux/file.h>
42655 +#include <linux/fs.h>
42656 +#include <linux/grinternal.h>
42658 +extern int gr_acl_tpe_check(void);
42661 +gr_tpe_allow(const struct file *file)
42663 +#ifdef CONFIG_GRKERNSEC
42664 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
42665 + const struct cred *cred = current_cred();
42667 + if (cred->uid && ((grsec_enable_tpe &&
42668 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42669 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
42670 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
42672 + in_group_p(grsec_tpe_gid)
42674 + ) || gr_acl_tpe_check()) &&
42675 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
42676 + (inode->i_mode & S_IWOTH))))) {
42677 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
42680 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42681 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
42682 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
42683 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
42684 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
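Review bot: gr_tpe_allow reads the parent directory with `file->f_path.dentry->d_parent->d_inode` without taking a reference or a lock, so a concurrent rename could change `d_parent` while the ownership and mode bits are being checked. Taking a stable reference, `struct dentry *parent = dget_parent(file->f_path.dentry);` with a `dput(parent);` before each return, would make the trusted-path decision apply to one well-defined directory. The callers are outside this hunk, so confirm that none of them already pins the parent. As a readability point, `inode->i_uid || (!inode->i_uid && (...))` can drop the `!inode->i_uid` term.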
42691 diff -urNp linux-2.6.35.7/grsecurity/grsum.c linux-2.6.35.7/grsecurity/grsum.c
42692 --- linux-2.6.35.7/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
42693 +++ linux-2.6.35.7/grsecurity/grsum.c 2010-09-17 20:12:37.000000000 -0400
42695 +#include <linux/err.h>
42696 +#include <linux/kernel.h>
42697 +#include <linux/sched.h>
42698 +#include <linux/mm.h>
42699 +#include <linux/scatterlist.h>
42700 +#include <linux/crypto.h>
42701 +#include <linux/gracl.h>
42704 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
42705 +#error "crypto and sha256 must be built into the kernel"
42709 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
42712 + struct crypto_hash *tfm;
42713 + struct hash_desc desc;
42714 + struct scatterlist sg;
42715 + unsigned char temp_sum[GR_SHA_LEN];
42716 + volatile int retval = 0;
42717 + volatile int dummy = 0;
42720 + sg_init_table(&sg, 1);
42722 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
42723 + if (IS_ERR(tfm)) {
42724 + /* should never happen, since sha256 should be built in */
42731 + crypto_hash_init(&desc);
42734 + sg_set_buf(&sg, p, GR_SALT_LEN);
42735 + crypto_hash_update(&desc, &sg, sg.length);
42738 + sg_set_buf(&sg, p, strlen(p));
42740 + crypto_hash_update(&desc, &sg, sg.length);
42742 + crypto_hash_final(&desc, temp_sum);
42744 + memset(entry->pw, 0, GR_PW_LEN);
42746 + for (i = 0; i < GR_SHA_LEN; i++)
42747 + if (sum[i] != temp_sum[i])
42750 + dummy = 1; // waste a cycle
42752 + crypto_free_hash(tfm);
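Review bot: The return values of `crypto_hash_init()`, both `crypto_hash_update()` calls and `crypto_hash_final()` in `chkpw()` are discarded, so if any of them fails, `temp_sum` holds uninitialised stack data and is still compared against `sum`. Each call should be checked and a failure treated as a password mismatch, for example `if (crypto_hash_final(&desc, temp_sum)) goto mismatch;` (the label name is a placeholder), with the `memset(entry->pw, 0, GR_PW_LEN)` and `crypto_free_hash(tfm)` cleanup still run on that path. The comparison loop relies on `volatile` and a `dummy = 1; // waste a cycle` branch to even out timing; accumulating `diff |= sum[i] ^ temp_sum[i];` over all `GR_SHA_LEN` bytes and testing `diff` once would remove the data-dependent branch. `temp_sum` also does not appear to be cleared before return, but several lines of the function are missing from this view, so confirm that against the full file.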
42756 diff -urNp linux-2.6.35.7/grsecurity/Kconfig linux-2.6.35.7/grsecurity/Kconfig
42757 --- linux-2.6.35.7/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
42758 +++ linux-2.6.35.7/grsecurity/Kconfig 2010-10-18 21:01:30.000000000 -0400
42761 +# grecurity configuration
42767 + bool "Grsecurity"
42769 + select CRYPTO_SHA256
42771 + If you say Y here, you will be able to configure many features
42772 + that will enhance the security of your system. It is highly
42773 + recommended that you say Y here and read through the help
42774 + for each option so that you fully understand the features and
42775 + can evaluate their usefulness for your machine.
42778 + prompt "Security Level"
42779 + depends on GRKERNSEC
42780 + default GRKERNSEC_CUSTOM
42782 +config GRKERNSEC_LOW
42784 + select GRKERNSEC_LINK
42785 + select GRKERNSEC_FIFO
42786 + select GRKERNSEC_EXECVE
42787 + select GRKERNSEC_RANDNET
42788 + select GRKERNSEC_DMESG
42789 + select GRKERNSEC_CHROOT
42790 + select GRKERNSEC_CHROOT_CHDIR
42793 + If you choose this option, several of the grsecurity options will
42794 + be enabled that will give you greater protection against a number
42795 + of attacks, while assuring that none of your software will have any
42796 + conflicts with the additional security measures. If you run a lot
42797 + of unusual software, or you are having problems with the higher
42798 + security levels, you should say Y here. With this option, the
42799 + following features are enabled:
42801 + - Linking restrictions
42802 + - FIFO restrictions
42803 + - Enforcing RLIMIT_NPROC on execve
42804 + - Restricted dmesg
42805 + - Enforced chdir("/") on chroot
42806 + - Runtime module disabling
42808 +config GRKERNSEC_MEDIUM
42811 + select PAX_EI_PAX
42812 + select PAX_PT_PAX_FLAGS
42813 + select PAX_HAVE_ACL_FLAGS
42814 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42815 + select GRKERNSEC_CHROOT
42816 + select GRKERNSEC_CHROOT_SYSCTL
42817 + select GRKERNSEC_LINK
42818 + select GRKERNSEC_FIFO
42819 + select GRKERNSEC_EXECVE
42820 + select GRKERNSEC_DMESG
42821 + select GRKERNSEC_RANDNET
42822 + select GRKERNSEC_FORKFAIL
42823 + select GRKERNSEC_TIME
42824 + select GRKERNSEC_SIGNAL
42825 + select GRKERNSEC_CHROOT
42826 + select GRKERNSEC_CHROOT_UNIX
42827 + select GRKERNSEC_CHROOT_MOUNT
42828 + select GRKERNSEC_CHROOT_PIVOT
42829 + select GRKERNSEC_CHROOT_DOUBLE
42830 + select GRKERNSEC_CHROOT_CHDIR
42831 + select GRKERNSEC_CHROOT_MKNOD
42832 + select GRKERNSEC_PROC
42833 + select GRKERNSEC_PROC_USERGROUP
42834 + select PAX_RANDUSTACK
42836 + select PAX_RANDMMAP
42837 + select PAX_REFCOUNT if (X86 || SPARC64)
42838 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
42841 + If you say Y here, several features in addition to those included
42842 + in the low additional security level will be enabled. These
42843 + features provide even more security to your system, though in rare
42844 + cases they may be incompatible with very old or poorly written
42845 + software. If you enable this option, make sure that your auth
42846 + service (identd) is running as gid 1001. With this option,
42847 + the following features (in addition to those provided in the
42848 + low additional security level) will be enabled:
42850 + - Failed fork logging
42851 + - Time change logging
42853 + - Deny mounts in chroot
42854 + - Deny double chrooting
42855 + - Deny sysctl writes in chroot
42856 + - Deny mknod in chroot
42857 + - Deny access to abstract AF_UNIX sockets out of chroot
42858 + - Deny pivot_root in chroot
42859 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
42860 + - /proc restrictions with special GID set to 10 (usually wheel)
42861 + - Address Space Layout Randomization (ASLR)
42862 + - Prevent exploitation of most refcount overflows
42863 + - Bounds checking of copying between the kernel and userland
42865 +config GRKERNSEC_HIGH
42867 + select GRKERNSEC_LINK
42868 + select GRKERNSEC_FIFO
42869 + select GRKERNSEC_EXECVE
42870 + select GRKERNSEC_DMESG
42871 + select GRKERNSEC_FORKFAIL
42872 + select GRKERNSEC_TIME
42873 + select GRKERNSEC_SIGNAL
42874 + select GRKERNSEC_CHROOT
42875 + select GRKERNSEC_CHROOT_SHMAT
42876 + select GRKERNSEC_CHROOT_UNIX
42877 + select GRKERNSEC_CHROOT_MOUNT
42878 + select GRKERNSEC_CHROOT_FCHDIR
42879 + select GRKERNSEC_CHROOT_PIVOT
42880 + select GRKERNSEC_CHROOT_DOUBLE
42881 + select GRKERNSEC_CHROOT_CHDIR
42882 + select GRKERNSEC_CHROOT_MKNOD
42883 + select GRKERNSEC_CHROOT_CAPS
42884 + select GRKERNSEC_CHROOT_SYSCTL
42885 + select GRKERNSEC_CHROOT_FINDTASK
42886 + select GRKERNSEC_PROC
42887 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42888 + select GRKERNSEC_HIDESYM
42889 + select GRKERNSEC_BRUTE
42890 + select GRKERNSEC_PROC_USERGROUP
42891 + select GRKERNSEC_KMEM
42892 + select GRKERNSEC_RESLOG
42893 + select GRKERNSEC_RANDNET
42894 + select GRKERNSEC_PROC_ADD
42895 + select GRKERNSEC_CHROOT_CHMOD
42896 + select GRKERNSEC_CHROOT_NICE
42897 + select GRKERNSEC_AUDIT_MOUNT
42898 + select GRKERNSEC_MODHARDEN if (MODULES)
42899 + select GRKERNSEC_HARDEN_PTRACE
42900 + select GRKERNSEC_VM86 if (X86_32)
42902 + select PAX_RANDUSTACK
42904 + select PAX_RANDMMAP
42905 + select PAX_NOEXEC
42906 + select PAX_MPROTECT
42907 + select PAX_EI_PAX
42908 + select PAX_PT_PAX_FLAGS
42909 + select PAX_HAVE_ACL_FLAGS
42910 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
42911 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
42912 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
42913 + select PAX_SEGMEXEC if (X86_32)
42914 + select PAX_PAGEEXEC
42915 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
42916 + select PAX_EMUTRAMP if (PARISC)
42917 + select PAX_EMUSIGRT if (PARISC)
42918 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
42919 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
42920 + select PAX_REFCOUNT if (X86 || SPARC64)
42921 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
42923 + If you say Y here, many of the features of grsecurity will be
42924 + enabled, which will protect you against many kinds of attacks
42925 + against your system. The heightened security comes at a cost
42926 + of an increased chance of incompatibilities with rare software
42927 + on your machine. Since this security level enables PaX, you should
42928 + view <http://pax.grsecurity.net> and read about the PaX
42929 + project. While you are there, download chpax and run it on
42930 + binaries that cause problems with PaX. Also remember that
42931 + since the /proc restrictions are enabled, you must run your
42932 + identd as gid 1001. This security level enables the following
42933 + features in addition to those listed in the low and medium
42936 + - Additional /proc restrictions
42937 + - Chmod restrictions in chroot
42938 + - No signals, ptrace, or viewing of processes outside of chroot
42939 + - Capability restrictions in chroot
42940 + - Deny fchdir out of chroot
42941 + - Priority restrictions in chroot
42942 + - Segmentation-based implementation of PaX
42943 + - Mprotect restrictions
42944 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
42945 + - Kernel stack randomization
42946 + - Mount/unmount/remount logging
42947 + - Kernel symbol hiding
42948 + - Prevention of memory exhaustion-based exploits
42949 + - Hardening of module auto-loading
42950 + - Ptrace restrictions
42951 + - Restricted vm86 mode
42953 +config GRKERNSEC_CUSTOM
42956 + If you say Y here, you will be able to configure every grsecurity
42957 + option, which allows you to enable many more features that aren't
42958 + covered in the basic security levels. These additional features
42959 + include TPE, socket restrictions, and the sysctl system for
42960 + grsecurity. It is advised that you read through the help for
42961 + each option to determine its usefulness in your situation.
42965 +menu "Address Space Protection"
42966 +depends on GRKERNSEC
42968 +config GRKERNSEC_KMEM
42969 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
42971 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
42972 + be written to via mmap or otherwise to modify the running kernel.
42973 + /dev/port will also not be allowed to be opened. If you have module
42974 + support disabled, enabling this will close up four ways that are
42975 + currently used to insert malicious code into the running kernel.
42976 + Even with all these features enabled, we still highly recommend that
42977 + you use the RBAC system, as it is still possible for an attacker to
42978 + modify the running kernel through privileged I/O granted by ioperm/iopl.
42979 + If you are not using XFree86, you may be able to stop this additional
42980 + case by enabling the 'Disable privileged I/O' option. Though nothing
42981 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
42982 + but only to video memory, which is the only writing we allow in this
42983 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
42984 + not be allowed to mprotect it with PROT_WRITE later.
42985 + It is highly recommended that you say Y here if you meet all the
42986 + conditions above.
42988 +config GRKERNSEC_VM86
42989 + bool "Restrict VM86 mode"
42990 + depends on X86_32
42993 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
42994 + make use of a special execution mode on 32bit x86 processors called
42995 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
42996 + video cards and will still work with this option enabled. The purpose
42997 + of the option is to prevent exploitation of emulation errors in
42998 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
42999 + Nearly all users should be able to enable this option.
43001 +config GRKERNSEC_IO
43002 + bool "Disable privileged I/O"
43005 + select RTC_INTF_DEV
43006 + select RTC_DRV_CMOS
43009 + If you say Y here, all ioperm and iopl calls will return an error.
43010 + Ioperm and iopl can be used to modify the running kernel.
43011 + Unfortunately, some programs need this access to operate properly,
43012 + the most notable of which are XFree86 and hwclock. hwclock can be
43013 + remedied by having RTC support in the kernel, so real-time
43014 + clock support is enabled if this option is enabled, to ensure
43015 + that hwclock operates correctly. XFree86 still will not
43016 + operate correctly with this option enabled, so DO NOT CHOOSE Y
43017 + IF YOU USE XFree86. If you use XFree86 and you still want to
43018 + protect your kernel against modification, use the RBAC system.
43020 +config GRKERNSEC_PROC_MEMMAP
43021 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
43022 + default y if (PAX_NOEXEC || PAX_ASLR)
43023 + depends on PAX_NOEXEC || PAX_ASLR
43025 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
43026 + give no information about the addresses of its mappings if
43027 + PaX features that rely on random addresses are enabled on the task.
43028 + If you use PaX it is greatly recommended that you say Y here as it
43029 + closes up a hole that makes the full ASLR useless for suid
43032 +config GRKERNSEC_BRUTE
43033 + bool "Deter exploit bruteforcing"
43035 + If you say Y here, attempts to bruteforce exploits against forking
43036 + daemons such as apache or sshd will be deterred. When a child of a
43037 + forking daemon is killed by PaX or crashes due to an illegal
43038 + instruction, the parent process will be delayed 30 seconds upon every
43039 + subsequent fork until the administrator is able to assess the
43040 + situation and restart the daemon. It is recommended that you also
43041 + enable signal logging in the auditing section so that logs are
43042 + generated when a process performs an illegal instruction.
43044 +config GRKERNSEC_MODHARDEN
43045 + bool "Harden module auto-loading"
43046 + depends on MODULES
43048 + If you say Y here, module auto-loading in response to use of some
43049 + feature implemented by an unloaded module will be restricted to
43050 + root users. Enabling this option helps defend against attacks
43051 + by unprivileged users who abuse the auto-loading behavior to
43052 + cause a vulnerable module to load that is then exploited.
43054 + If this option prevents a legitimate use of auto-loading for a
43055 + non-root user, the administrator can execute modprobe manually
43056 + with the exact name of the module mentioned in the alert log.
43057 + Alternatively, the administrator can add the module to the list
43058 + of modules loaded at boot by modifying init scripts.
43060 + Modification of init scripts will most likely be needed on
43061 + Ubuntu servers with encrypted home directory support enabled,
43062 + as the first non-root user logging in will cause the ecb(aes),
43063 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
43065 +config GRKERNSEC_HIDESYM
43066 + bool "Hide kernel symbols"
43068 + If you say Y here, getting information on loaded modules, and
43069 + displaying all kernel symbols through a syscall will be restricted
43070 + to users with CAP_SYS_MODULE. For software compatibility reasons,
43071 + /proc/kallsyms will be restricted to the root user. The RBAC
43072 + system can hide that entry even from root.
43074 + This option also prevents leaking of kernel addresses through
43075 + several /proc entries.
43077 + Note that this option is only effective provided the following
43078 + conditions are met:
43079 + 1) The kernel using grsecurity is not precompiled by some distribution
43080 + 2) You are using the RBAC system and hiding other files such as your
43081 + kernel image and System.map. Alternatively, enabling this option
43082 + causes the permissions on /boot, /lib/modules, and the kernel
43083 + source directory to change at compile time to prevent
43084 + reading by non-root users.
43085 + If the above conditions are met, this option will aid in providing a
43086 + useful protection against local kernel exploitation of overflows
43087 + and arbitrary read/write vulnerabilities.
43090 +menu "Role Based Access Control Options"
43091 +depends on GRKERNSEC
43093 +config GRKERNSEC_NO_RBAC
43094 + bool "Disable RBAC system"
43096 + If you say Y here, the /dev/grsec device will be removed from the kernel,
43097 + preventing the RBAC system from being enabled. You should only say Y
43098 + here if you have no intention of using the RBAC system, so as to prevent
43099 + an attacker with root access from misusing the RBAC system to hide files
43100 + and processes when loadable module support and /dev/[k]mem have been
43103 +config GRKERNSEC_ACL_HIDEKERN
43104 + bool "Hide kernel processes"
43106 + If you say Y here, all kernel threads will be hidden to all
43107 + processes but those whose subject has the "view hidden processes"
43110 +config GRKERNSEC_ACL_MAXTRIES
43111 + int "Maximum tries before password lockout"
43114 + This option enforces the maximum number of times a user can attempt
43115 + to authorize themselves with the grsecurity RBAC system before being
43116 + denied the ability to attempt authorization again for a specified time.
43117 + The lower the number, the harder it will be to brute-force a password.
43119 +config GRKERNSEC_ACL_TIMEOUT
43120 + int "Time to wait after max password tries, in seconds"
43123 + This option specifies the time the user must wait after attempting to
43124 + authorize to the RBAC system with the maximum number of invalid
43125 + passwords. The higher the number, the harder it will be to brute-force
43129 +menu "Filesystem Protections"
43130 +depends on GRKERNSEC
43132 +config GRKERNSEC_PROC
43133 + bool "Proc restrictions"
43135 + If you say Y here, the permissions of the /proc filesystem
43136 + will be altered to enhance system security and privacy. You MUST
43137 + choose either a user only restriction or a user and group restriction.
43138 + Depending upon the option you choose, you can either restrict users to
43139 + see only the processes they themselves run, or choose a group that can
43140 + view all processes and files normally restricted to root if you choose
43141 + the "restrict to user only" option. NOTE: If you're running identd as
43142 + a non-root user, you will have to run it as the group you specify here.
43144 +config GRKERNSEC_PROC_USER
43145 + bool "Restrict /proc to user only"
43146 + depends on GRKERNSEC_PROC
43148 + If you say Y here, non-root users will only be able to view their own
43149 + processes, and restricts them from viewing network-related information,
43150 + and viewing kernel symbol and module information.
43152 +config GRKERNSEC_PROC_USERGROUP
43153 + bool "Allow special group"
43154 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
43156 + If you say Y here, you will be able to select a group that will be
43157 + able to view all processes, network-related information, and
43158 + kernel and symbol information. This option is useful if you want
43159 + to run identd as a non-root user.
43161 +config GRKERNSEC_PROC_GID
43162 + int "GID for special group"
43163 + depends on GRKERNSEC_PROC_USERGROUP
43166 +config GRKERNSEC_PROC_ADD
43167 + bool "Additional restrictions"
43168 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
43170 + If you say Y here, additional restrictions will be placed on
43171 + /proc that keep normal users from viewing device information and
43172 + slabinfo information that could be useful for exploits.
43174 +config GRKERNSEC_LINK
43175 + bool "Linking restrictions"
43177 + If you say Y here, /tmp race exploits will be prevented, since users
43178 + will no longer be able to follow symlinks owned by other users in
43179 + world-writable +t directories (i.e. /tmp), unless the owner of the
43180 + symlink is the owner of the directory. users will also not be
43181 + able to hardlink to files they do not own. If the sysctl option is
43182 + enabled, a sysctl option with name "linking_restrictions" is created.
43184 +config GRKERNSEC_FIFO
43185 + bool "FIFO restrictions"
43187 + If you say Y here, users will not be able to write to FIFOs they don't
43188 + own in world-writable +t directories (i.e. /tmp), unless the owner of
43189 + the FIFO is the same owner of the directory it's held in. If the sysctl
43190 + option is enabled, a sysctl option with name "fifo_restrictions" is
43193 +config GRKERNSEC_ROFS
43194 + bool "Runtime read-only mount protection"
43196 + If you say Y here, a sysctl option with name "romount_protect" will
43197 + be created. By setting this option to 1 at runtime, filesystems
43198 + will be protected in the following ways:
43199 + * No new writable mounts will be allowed
43200 + * Existing read-only mounts won't be able to be remounted read/write
43201 + * Write operations will be denied on all block devices
43202 + This option acts independently of grsec_lock: once it is set to 1,
43203 + it cannot be turned off. Therefore, please be mindful of the resulting
43204 + behavior if this option is enabled in an init script on a read-only
43205 + filesystem. This feature is mainly intended for secure embedded systems.
43207 +config GRKERNSEC_CHROOT
43208 + bool "Chroot jail restrictions"
43210 + If you say Y here, you will be able to choose several options that will
43211 + make breaking out of a chrooted jail much more difficult. If you
43212 + encounter no software incompatibilities with the following options, it
43213 + is recommended that you enable each one.
43215 +config GRKERNSEC_CHROOT_MOUNT
43216 + bool "Deny mounts"
43217 + depends on GRKERNSEC_CHROOT
43219 + If you say Y here, processes inside a chroot will not be able to
43220 + mount or remount filesystems. If the sysctl option is enabled, a
43221 + sysctl option with name "chroot_deny_mount" is created.
43223 +config GRKERNSEC_CHROOT_DOUBLE
43224 + bool "Deny double-chroots"
43225 + depends on GRKERNSEC_CHROOT
43227 + If you say Y here, processes inside a chroot will not be able to chroot
43228 + again outside the chroot. This is a widely used method of breaking
43229 + out of a chroot jail and should not be allowed. If the sysctl
43230 + option is enabled, a sysctl option with name
43231 + "chroot_deny_chroot" is created.
43233 +config GRKERNSEC_CHROOT_PIVOT
43234 + bool "Deny pivot_root in chroot"
43235 + depends on GRKERNSEC_CHROOT
43237 + If you say Y here, processes inside a chroot will not be able to use
43238 + a function called pivot_root() that was introduced in Linux 2.3.41. It
43239 + works similar to chroot in that it changes the root filesystem. This
43240 + function could be misused in a chrooted process to attempt to break out
43241 + of the chroot, and therefore should not be allowed. If the sysctl
43242 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
43245 +config GRKERNSEC_CHROOT_CHDIR
43246 + bool "Enforce chdir(\"/\") on all chroots"
43247 + depends on GRKERNSEC_CHROOT
43249 + If you say Y here, the current working directory of all newly-chrooted
43250 + applications will be set to the the root directory of the chroot.
43251 + The man page on chroot(2) states:
43252 + Note that this call does not change the current working
43253 + directory, so that `.' can be outside the tree rooted at
43254 + `/'. In particular, the super-user can escape from a
43255 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
43257 + It is recommended that you say Y here, since it's not known to break
43258 + any software. If the sysctl option is enabled, a sysctl option with
43259 + name "chroot_enforce_chdir" is created.
43261 +config GRKERNSEC_CHROOT_CHMOD
43262 + bool "Deny (f)chmod +s"
43263 + depends on GRKERNSEC_CHROOT
43265 + If you say Y here, processes inside a chroot will not be able to chmod
43266 + or fchmod files to make them have suid or sgid bits. This protects
43267 + against another published method of breaking a chroot. If the sysctl
43268 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
43271 +config GRKERNSEC_CHROOT_FCHDIR
43272 + bool "Deny fchdir out of chroot"
43273 + depends on GRKERNSEC_CHROOT
43275 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
43276 + to a file descriptor of the chrooting process that points to a directory
43277 + outside the filesystem will be stopped. If the sysctl option
43278 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
43280 +config GRKERNSEC_CHROOT_MKNOD
43281 + bool "Deny mknod"
43282 + depends on GRKERNSEC_CHROOT
43284 + If you say Y here, processes inside a chroot will not be allowed to
43285 + mknod. The problem with using mknod inside a chroot is that it
43286 + would allow an attacker to create a device entry that is the same
43287 + as one on the physical root of your system, which could range from
43288 + anything from the console device to a device for your harddrive (which
43289 + they could then use to wipe the drive or steal data). It is recommended
43290 + that you say Y here, unless you run into software incompatibilities.
43291 + If the sysctl option is enabled, a sysctl option with name
43292 + "chroot_deny_mknod" is created.
43294 +config GRKERNSEC_CHROOT_SHMAT
43295 + bool "Deny shmat() out of chroot"
43296 + depends on GRKERNSEC_CHROOT
43298 + If you say Y here, processes inside a chroot will not be able to attach
43299 + to shared memory segments that were created outside of the chroot jail.
43300 + It is recommended that you say Y here. If the sysctl option is enabled,
43301 + a sysctl option with name "chroot_deny_shmat" is created.
43303 +config GRKERNSEC_CHROOT_UNIX
43304 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
43305 + depends on GRKERNSEC_CHROOT
43307 + If you say Y here, processes inside a chroot will not be able to
43308 + connect to abstract (meaning not belonging to a filesystem) Unix
43309 + domain sockets that were bound outside of a chroot. It is recommended
43310 + that you say Y here. If the sysctl option is enabled, a sysctl option
43311 + with name "chroot_deny_unix" is created.
43313 +config GRKERNSEC_CHROOT_FINDTASK
43314 + bool "Protect outside processes"
43315 + depends on GRKERNSEC_CHROOT
43317 + If you say Y here, processes inside a chroot will not be able to
43318 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
43319 + getsid, or view any process outside of the chroot. If the sysctl
43320 + option is enabled, a sysctl option with name "chroot_findtask" is
43323 +config GRKERNSEC_CHROOT_NICE
43324 + bool "Restrict priority changes"
43325 + depends on GRKERNSEC_CHROOT
43327 + If you say Y here, processes inside a chroot will not be able to raise
43328 + the priority of processes in the chroot, or alter the priority of
43329 + processes outside the chroot. This provides more security than simply
43330 + removing CAP_SYS_NICE from the process' capability set. If the
43331 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
43334 +config GRKERNSEC_CHROOT_SYSCTL
43335 + bool "Deny sysctl writes"
43336 + depends on GRKERNSEC_CHROOT
43338 + If you say Y here, an attacker in a chroot will not be able to
43339 + write to sysctl entries, either by sysctl(2) or through a /proc
43340 + interface. It is strongly recommended that you say Y here. If the
43341 + sysctl option is enabled, a sysctl option with name
43342 + "chroot_deny_sysctl" is created.
43344 +config GRKERNSEC_CHROOT_CAPS
43345 + bool "Capability restrictions"
43346 + depends on GRKERNSEC_CHROOT
43348 + If you say Y here, the capabilities on all root processes within a
43349 + chroot jail will be lowered to stop module insertion, raw i/o,
43350 + system and net admin tasks, rebooting the system, modifying immutable
43351 + files, modifying IPC owned by another, and changing the system time.
43352 + This is left an option because it can break some apps. Disable this
43353 + if your chrooted apps are having problems performing those kinds of
43354 + tasks. If the sysctl option is enabled, a sysctl option with
43355 + name "chroot_caps" is created.
43358 +menu "Kernel Auditing"
43359 +depends on GRKERNSEC
43361 +config GRKERNSEC_AUDIT_GROUP
43362 + bool "Single group for auditing"
43364 + If you say Y here, the exec, chdir, and (un)mount logging features
43365 + will only operate on a group you specify. This option is recommended
43366 + if you only want to watch certain users instead of having a large
43367 + amount of logs from the entire system. If the sysctl option is enabled,
43368 + a sysctl option with name "audit_group" is created.
43370 +config GRKERNSEC_AUDIT_GID
43371 + int "GID for auditing"
43372 + depends on GRKERNSEC_AUDIT_GROUP
43375 +config GRKERNSEC_EXECLOG
43376 + bool "Exec logging"
43378 + If you say Y here, all execve() calls will be logged (since the
43379 + other exec*() calls are frontends to execve(), all execution
43380 + will be logged). Useful for shell-servers that like to keep track
43381 + of their users. If the sysctl option is enabled, a sysctl option with
43382 + name "exec_logging" is created.
43383 + WARNING: This option when enabled will produce a LOT of logs, especially
43384 + on an active system.
43386 +config GRKERNSEC_RESLOG
43387 + bool "Resource logging"
43389 + If you say Y here, all attempts to overstep resource limits will
43390 + be logged with the resource name, the requested size, and the current
43391 + limit. It is highly recommended that you say Y here. If the sysctl
43392 + option is enabled, a sysctl option with name "resource_logging" is
43393 + created. If the RBAC system is enabled, the sysctl value is ignored.
43395 +config GRKERNSEC_CHROOT_EXECLOG
43396 + bool "Log execs within chroot"
43398 + If you say Y here, all executions inside a chroot jail will be logged
43399 + to syslog. This can cause a large amount of logs if certain
43400 + applications (eg. djb's daemontools) are installed on the system, and
43401 + is therefore left as an option. If the sysctl option is enabled, a
43402 + sysctl option with name "chroot_execlog" is created.
43404 +config GRKERNSEC_AUDIT_PTRACE
43405 + bool "Ptrace logging"
43407 + If you say Y here, all attempts to attach to a process via ptrace
43408 + will be logged. If the sysctl option is enabled, a sysctl option
43409 + with name "audit_ptrace" is created.
43411 +config GRKERNSEC_AUDIT_CHDIR
43412 + bool "Chdir logging"
43414 + If you say Y here, all chdir() calls will be logged. If the sysctl
43415 + option is enabled, a sysctl option with name "audit_chdir" is created.
43417 +config GRKERNSEC_AUDIT_MOUNT
43418 + bool "(Un)Mount logging"
43420 + If you say Y here, all mounts and unmounts will be logged. If the
43421 + sysctl option is enabled, a sysctl option with name "audit_mount" is
43424 +config GRKERNSEC_SIGNAL
43425 + bool "Signal logging"
43427 + If you say Y here, certain important signals will be logged, such as
43428 + SIGSEGV, which will as a result inform you of when a error in a program
43429 + occurred, which in some cases could mean a possible exploit attempt.
43430 + If the sysctl option is enabled, a sysctl option with name
43431 + "signal_logging" is created.
43433 +config GRKERNSEC_FORKFAIL
43434 + bool "Fork failure logging"
43436 + If you say Y here, all failed fork() attempts will be logged.
43437 + This could suggest a fork bomb, or someone attempting to overstep
43438 + their process limit. If the sysctl option is enabled, a sysctl option
43439 + with name "forkfail_logging" is created.
43441 +config GRKERNSEC_TIME
43442 + bool "Time change logging"
43444 + If you say Y here, any changes of the system clock will be logged.
43445 + If the sysctl option is enabled, a sysctl option with name
43446 + "timechange_logging" is created.
43448 +config GRKERNSEC_PROC_IPADDR
43449 + bool "/proc/<pid>/ipaddr support"
43451 + If you say Y here, a new entry will be added to each /proc/<pid>
43452 + directory that contains the IP address of the person using the task.
43453 + The IP is carried across local TCP and AF_UNIX stream sockets.
43454 + This information can be useful for IDS/IPSes to perform remote response
43455 + to a local attack. The entry is readable by only the owner of the
43456 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
43457 + the RBAC system), and thus does not create privacy concerns.
43459 +config GRKERNSEC_RWXMAP_LOG
43460 + bool 'Denied RWX mmap/mprotect logging'
43461 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
43463 + If you say Y here, calls to mmap() and mprotect() with explicit
43464 + usage of PROT_WRITE and PROT_EXEC together will be logged when
43465 + denied by the PAX_MPROTECT feature. If the sysctl option is
43466 + enabled, a sysctl option with name "rwxmap_logging" is created.
43468 +config GRKERNSEC_AUDIT_TEXTREL
43469 + bool 'ELF text relocations logging (READ HELP)'
43470 + depends on PAX_MPROTECT
43472 + If you say Y here, text relocations will be logged with the filename
43473 + of the offending library or binary. The purpose of the feature is
43474 + to help Linux distribution developers get rid of libraries and
43475 + binaries that need text relocations which hinder the future progress
43476 + of PaX. Only Linux distribution developers should say Y here, and
43477 + never on a production machine, as this option creates an information
43478 + leak that could aid an attacker in defeating the randomization of
43479 + a single memory region. If the sysctl option is enabled, a sysctl
43480 + option with name "audit_textrel" is created.
43484 +menu "Executable Protections"
43485 +depends on GRKERNSEC
43487 +config GRKERNSEC_EXECVE
43488 + bool "Enforce RLIMIT_NPROC on execs"
43490 + If you say Y here, users with a resource limit on processes will
43491 + have the value checked during execve() calls. The current system
43492 + only checks the system limit during fork() calls. If the sysctl option
43493 + is enabled, a sysctl option with name "execve_limiting" is created.
43495 +config GRKERNSEC_DMESG
43496 + bool "Dmesg(8) restriction"
43498 + If you say Y here, non-root users will not be able to use dmesg(8)
43499 + to view up to the last 4kb of messages in the kernel's log buffer.
43500 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
43503 +config GRKERNSEC_HARDEN_PTRACE
43504 + bool "Deter ptrace-based process snooping"
43506 + If you say Y here, TTY sniffers and other malicious monitoring
43507 + programs implemented through ptrace will be defeated. If you
43508 + have been using the RBAC system, this option has already been
43509 + enabled for several years for all users, with the ability to make
43510 + fine-grained exceptions.
43512 + This option only affects the ability of non-root users to ptrace
43513 + processes that are not a descendent of the ptracing process.
43514 + This means that strace ./binary and gdb ./binary will still work,
43515 + but attaching to arbitrary processes will not. If the sysctl
43516 + option is enabled, a sysctl option with name "harden_ptrace" is
43519 +config GRKERNSEC_TPE
43520 + bool "Trusted Path Execution (TPE)"
43522 + If you say Y here, you will be able to choose a gid to add to the
43523 + supplementary groups of users you want to mark as "untrusted."
43524 + These users will not be able to execute any files that are not in
43525 + root-owned directories writable only by root. If the sysctl option
43526 + is enabled, a sysctl option with name "tpe" is created.
43528 +config GRKERNSEC_TPE_ALL
43529 + bool "Partially restrict all non-root users"
43530 + depends on GRKERNSEC_TPE
43532 + If you say Y here, all non-root users will be covered under
43533 + a weaker TPE restriction. This is separate from, and in addition to,
43534 + the main TPE options that you have selected elsewhere. Thus, if a
43535 + "trusted" GID is chosen, this restriction applies to even that GID.
43536 + Under this restriction, all non-root users will only be allowed to
43537 + execute files in directories they own that are not group or
43538 + world-writable, or in directories owned by root and writable only by
43539 + root. If the sysctl option is enabled, a sysctl option with name
43540 + "tpe_restrict_all" is created.
43542 +config GRKERNSEC_TPE_INVERT
43543 + bool "Invert GID option"
43544 + depends on GRKERNSEC_TPE
43546 + If you say Y here, the group you specify in the TPE configuration will
43547 + decide what group TPE restrictions will be *disabled* for. This
43548 + option is useful if you want TPE restrictions to be applied to most
43549 + users on the system. If the sysctl option is enabled, a sysctl option
43550 + with name "tpe_invert" is created. Unlike other sysctl options, this
43551 + entry will default to on for backward-compatibility.
43553 +config GRKERNSEC_TPE_GID
43554 + int "GID for untrusted users"
43555 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
43558 + Setting this GID determines what group TPE restrictions will be
43559 + *enabled* for. If the sysctl option is enabled, a sysctl option
43560 + with name "tpe_gid" is created.
43562 +config GRKERNSEC_TPE_GID
43563 + int "GID for trusted users"
43564 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
43567 + Setting this GID determines what group TPE restrictions will be
43568 + *disabled* for. If the sysctl option is enabled, a sysctl option
43569 + with name "tpe_gid" is created.
43572 +menu "Network Protections"
43573 +depends on GRKERNSEC
43575 +config GRKERNSEC_RANDNET
43576 + bool "Larger entropy pools"
43578 + If you say Y here, the entropy pools used for many features of Linux
43579 + and grsecurity will be doubled in size. Since several grsecurity
43580 + features use additional randomness, it is recommended that you say Y
43581 + here. Saying Y here has a similar effect as modifying
43582 + /proc/sys/kernel/random/poolsize.
43584 +config GRKERNSEC_BLACKHOLE
43585 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
43587 + If you say Y here, neither TCP resets nor ICMP
43588 + destination-unreachable packets will be sent in response to packets
43589 + sent to ports for which no associated listening process exists.
43590 + This feature supports both IPV4 and IPV6 and exempts the
43591 + loopback interface from blackholing. Enabling this feature
43592 + makes a host more resilient to DoS attacks and reduces network
43593 + visibility against scanners.
43595 + The blackhole feature as-implemented is equivalent to the FreeBSD
43596 + blackhole feature, as it prevents RST responses to all packets, not
43597 + just SYNs. Under most application behavior this causes no
43598 + problems, but applications (like haproxy) may not close certain
43599 + connections in a way that cleanly terminates them on the remote
43600 + end, leaving the remote host in LAST_ACK state. Because of this
43601 + side-effect and to prevent intentional LAST_ACK DoSes, this
43602 + feature also adds automatic mitigation against such attacks.
43603 + The mitigation drastically reduces the amount of time a socket
43604 + can spend in LAST_ACK state. If you're using haproxy and not
43605 + all servers it connects to have this option enabled, consider
43606 + disabling this feature on the haproxy host.
43608 + If the sysctl option is enabled, two sysctl options with names
43609 + "ip_blackhole" and "lastack_retries" will be created.
43610 + While "ip_blackhole" takes the standard zero/non-zero on/off
43611 + toggle, "lastack_retries" uses the same kinds of values as
43612 + "tcp_retries1" and "tcp_retries2". The default value of 4
43613 + prevents a socket from lasting more than 45 seconds in LAST_ACK
43616 +config GRKERNSEC_SOCKET
43617 + bool "Socket restrictions"
43619 + If you say Y here, you will be able to choose from several options.
43620 + If you assign a GID on your system and add it to the supplementary
43621 + groups of users you want to restrict socket access to, this patch
43622 + will perform up to three things, based on the option(s) you choose.
43624 +config GRKERNSEC_SOCKET_ALL
43625 + bool "Deny any sockets to group"
43626 + depends on GRKERNSEC_SOCKET
43628 + If you say Y here, you will be able to choose a GID of whose users will
43629 + be unable to connect to other hosts from your machine or run server
43630 + applications from your machine. If the sysctl option is enabled, a
43631 + sysctl option with name "socket_all" is created.
43633 +config GRKERNSEC_SOCKET_ALL_GID
43634 + int "GID to deny all sockets for"
43635 + depends on GRKERNSEC_SOCKET_ALL
43638 + Here you can choose the GID to disable socket access for. Remember to
43639 + add the users you want socket access disabled for to the GID
43640 + specified here. If the sysctl option is enabled, a sysctl option
43641 + with name "socket_all_gid" is created.
43643 +config GRKERNSEC_SOCKET_CLIENT
43644 + bool "Deny client sockets to group"
43645 + depends on GRKERNSEC_SOCKET
43647 + If you say Y here, you will be able to choose a GID of whose users will
43648 + be unable to connect to other hosts from your machine, but will be
43649 + able to run servers. If this option is enabled, all users in the group
43650 + you specify will have to use passive mode when initiating ftp transfers
43651 + from the shell on your machine. If the sysctl option is enabled, a
43652 + sysctl option with name "socket_client" is created.
43654 +config GRKERNSEC_SOCKET_CLIENT_GID
43655 + int "GID to deny client sockets for"
43656 + depends on GRKERNSEC_SOCKET_CLIENT
43659 + Here you can choose the GID to disable client socket access for.
43660 + Remember to add the users you want client socket access disabled for to
43661 + the GID specified here. If the sysctl option is enabled, a sysctl
43662 + option with name "socket_client_gid" is created.
43664 +config GRKERNSEC_SOCKET_SERVER
43665 + bool "Deny server sockets to group"
43666 + depends on GRKERNSEC_SOCKET
43668 + If you say Y here, you will be able to choose a GID of whose users will
43669 + be unable to run server applications from your machine. If the sysctl
43670 + option is enabled, a sysctl option with name "socket_server" is created.
43672 +config GRKERNSEC_SOCKET_SERVER_GID
43673 + int "GID to deny server sockets for"
43674 + depends on GRKERNSEC_SOCKET_SERVER
43677 + Here you can choose the GID to disable server socket access for.
43678 + Remember to add the users you want server socket access disabled for to
43679 + the GID specified here. If the sysctl option is enabled, a sysctl
43680 + option with name "socket_server_gid" is created.
43683 +menu "Sysctl support"
43684 +depends on GRKERNSEC && SYSCTL
43686 +config GRKERNSEC_SYSCTL
43687 + bool "Sysctl support"
43689 + If you say Y here, you will be able to change the options that
43690 + grsecurity runs with at bootup, without having to recompile your
43691 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
43692 + to enable (1) or disable (0) various features. All the sysctl entries
43693 + are mutable until the "grsec_lock" entry is set to a non-zero value.
43694 + All features enabled in the kernel configuration are disabled at boot
43695 + if you do not say Y to the "Turn on features by default" option.
43696 + All options should be set at startup, and the grsec_lock entry should
43697 + be set to a non-zero value after all the options are set.
43698 + *THIS IS EXTREMELY IMPORTANT*
43700 +config GRKERNSEC_SYSCTL_DISTRO
43701 + bool "Extra sysctl support for distro makers (READ HELP)"
43702 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
43704 + If you say Y here, additional sysctl options will be created
43705 + for features that affect processes running as root. Therefore,
43706 + it is critical when using this option that the grsec_lock entry be
43707 + enabled after boot. Only distros with prebuilt kernel packages
43708 + with this option enabled that can ensure grsec_lock is enabled
43709 + after boot should use this option.
43710 + *Failure to set grsec_lock after boot makes all grsec features
43711 + this option covers useless*
43713 + Currently this option creates the following sysctl entries:
43714 + "Disable Privileged I/O": "disable_priv_io"
43716 +config GRKERNSEC_SYSCTL_ON
43717 + bool "Turn on features by default"
43718 + depends on GRKERNSEC_SYSCTL
43720 + If you say Y here, instead of having all features enabled in the
43721 + kernel configuration disabled at boot time, the features will be
43722 + enabled at boot time. It is recommended you say Y here unless
43723 + there is some reason you would want all sysctl-tunable features to
43724 + be disabled by default. As mentioned elsewhere, it is important
43725 + to enable the grsec_lock entry once you have finished modifying
43726 + the sysctl entries.
43729 +menu "Logging Options"
43730 +depends on GRKERNSEC
43732 +config GRKERNSEC_FLOODTIME
43733 + int "Seconds in between log messages (minimum)"
43736 + This option allows you to enforce the number of seconds between
43737 + grsecurity log messages. The default should be suitable for most
43738 + people, however, if you choose to change it, choose a value small enough
43739 + to allow informative logs to be produced, but large enough to
43740 + prevent flooding.
43742 +config GRKERNSEC_FLOODBURST
43743 + int "Number of messages in a burst (maximum)"
43746 + This option allows you to choose the maximum number of messages allowed
43747 + within the flood time interval you chose in a separate option. The
43748 + default should be suitable for most people, however if you find that
43749 + many of your logs are being interpreted as flooding, you may want to
43750 + raise this value.
43755 diff -urNp linux-2.6.35.7/grsecurity/Makefile linux-2.6.35.7/grsecurity/Makefile
43756 --- linux-2.6.35.7/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
43757 +++ linux-2.6.35.7/grsecurity/Makefile 2010-10-18 21:01:30.000000000 -0400
43759 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
43760 +# during 2001-2009 it has been completely redesigned by Brad Spengler
43761 +# into an RBAC system
43763 +# All code in this directory and various hooks inserted throughout the kernel
43764 +# are copyright Brad Spengler - Open Source Security, Inc., and released
43765 +# under the GPL v2 or higher
43767 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
43768 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
43769 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
43771 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
43772 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
43773 + gracl_learn.o grsec_log.o
43774 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
43776 +ifndef CONFIG_GRKERNSEC
43777 +obj-y += grsec_disabled.o
43780 +ifdef CONFIG_GRKERNSEC_HIDESYM
43781 +extra-y := grsec_hidesym.o
43782 +$(obj)/grsec_hidesym.o:
43783 + @-chmod -f 500 /boot
43784 + @-chmod -f 500 /lib/modules
43786 + @echo ' grsec: protected kernel image paths'
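Review bot: The `$(obj)/grsec_hidesym.o` rule changes permissions on the machine running the build (`chmod -f 500 /boot`, `chmod -f 500 /lib/modules`) as a side effect of compiling. The `@-` prefix hides both the commands and any failure, and the `protected kernel image paths` message is printed either way. When the kernel is built as a non-root user, in a package builder or on a separate build host, CONFIG_GRKERNSEC_HIDESYM ends up enabled while the target's directories are untouched. I would move the permission change to an install-time or documented administrator step, and print the message only when the chmod calls succeed. As far as the visible lines show, the recipe never creates grsec_hidesym.o, so it would presumably rerun on every build.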
43788 diff -urNp linux-2.6.35.7/include/acpi/acoutput.h linux-2.6.35.7/include/acpi/acoutput.h
43789 --- linux-2.6.35.7/include/acpi/acoutput.h 2010-08-26 19:47:12.000000000 -0400
43790 +++ linux-2.6.35.7/include/acpi/acoutput.h 2010-09-17 20:12:09.000000000 -0400
43791 @@ -268,8 +268,8 @@
43792 * leaving no executable debug code!
43794 #define ACPI_FUNCTION_NAME(a)
43795 -#define ACPI_DEBUG_PRINT(pl)
43796 -#define ACPI_DEBUG_PRINT_RAW(pl)
43797 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
43798 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
43800 #endif /* ACPI_DEBUG_OUTPUT */
43802 diff -urNp linux-2.6.35.7/include/acpi/acpi_drivers.h linux-2.6.35.7/include/acpi/acpi_drivers.h
43803 --- linux-2.6.35.7/include/acpi/acpi_drivers.h 2010-08-26 19:47:12.000000000 -0400
43804 +++ linux-2.6.35.7/include/acpi/acpi_drivers.h 2010-09-17 20:12:09.000000000 -0400
43805 @@ -121,8 +121,8 @@ int acpi_processor_set_thermal_limit(acp
43807 -------------------------------------------------------------------------- */
43808 struct acpi_dock_ops {
43809 - acpi_notify_handler handler;
43810 - acpi_notify_handler uevent;
43811 + const acpi_notify_handler handler;
43812 + const acpi_notify_handler uevent;
43815 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
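Review bot: Marking the members themselves const (`const acpi_notify_handler handler;`, `const acpi_notify_handler uevent;`) goes further than the `const struct acpi_dock_ops *ops` parameter change in the two later hunks of this file requires. It forbids filling in an acpi_dock_ops field by field anywhere, including a stack or heap instance. If the aim is to keep handler tables in read-only data, declaring each instance `static const struct acpi_dock_ops` together with the const pointer parameters gives the same protection without changing the struct for every user. If const members are intended as an enforcement mechanism, a comment on the struct saying so would help, e.g. `/* members are const: instances must be fully initialised at definition */`. The struct's closing brace is not among the visible lines of the hunk.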
43816 @@ -130,7 +130,7 @@ extern int is_dock_device(acpi_handle ha
43817 extern int register_dock_notifier(struct notifier_block *nb);
43818 extern void unregister_dock_notifier(struct notifier_block *nb);
43819 extern int register_hotplug_dock_device(acpi_handle handle,
43820 - struct acpi_dock_ops *ops,
43821 + const struct acpi_dock_ops *ops,
43823 extern void unregister_hotplug_dock_device(acpi_handle handle);
43825 @@ -146,7 +146,7 @@ static inline void unregister_dock_notif
43828 static inline int register_hotplug_dock_device(acpi_handle handle,
43829 - struct acpi_dock_ops *ops,
43830 + const struct acpi_dock_ops *ops,
43834 diff -urNp linux-2.6.35.7/include/asm-generic/atomic-long.h linux-2.6.35.7/include/asm-generic/atomic-long.h
43835 --- linux-2.6.35.7/include/asm-generic/atomic-long.h 2010-08-26 19:47:12.000000000 -0400
43836 +++ linux-2.6.35.7/include/asm-generic/atomic-long.h 2010-10-12 10:19:29.000000000 -0400
43839 typedef atomic64_t atomic_long_t;
43841 +#ifdef CONFIG_PAX_REFCOUNT
43842 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
43844 +typedef atomic64_t atomic_long_unchecked_t;
43847 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
43849 static inline long atomic_long_read(atomic_long_t *l)
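Review bot: The new `atomic_long_unchecked_t` typedef and the `atomic_long_*_unchecked` wrappers added in the following hunks (read, set, inc, dec, add and inc_return, in both the 64-bit and 32-bit branches) carry no comment saying when a caller may use them. Presumably CONFIG_PAX_REFCOUNT makes the plain atomic_long_t operations detect overflow and the `_unchecked` type opts a counter out of that check. That is a security-relevant choice and should be stated at the typedef, for example `/* atomic_long_unchecked_t: only for counters where wraparound is harmless (statistics, sequence numbers); never for reference counts */`. Without it, nothing tells a later contributor that switching a field to the unchecked type removes a protection.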
43850 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
43851 return (long)atomic64_read(v);
43854 +#ifdef CONFIG_PAX_REFCOUNT
43855 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43857 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43859 + return (long)atomic64_read_unchecked(v);
43863 static inline void atomic_long_set(atomic_long_t *l, long i)
43865 atomic64_t *v = (atomic64_t *)l;
43866 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
43867 atomic64_set(v, i);
43870 +#ifdef CONFIG_PAX_REFCOUNT
43871 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43873 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43875 + atomic64_set_unchecked(v, i);
43879 static inline void atomic_long_inc(atomic_long_t *l)
43881 atomic64_t *v = (atomic64_t *)l;
43882 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
43886 +#ifdef CONFIG_PAX_REFCOUNT
43887 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43889 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43891 + atomic64_inc_unchecked(v);
43895 static inline void atomic_long_dec(atomic_long_t *l)
43897 atomic64_t *v = (atomic64_t *)l;
43898 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
43902 +#ifdef CONFIG_PAX_REFCOUNT
43903 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43905 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43907 + atomic64_dec_unchecked(v);
43911 static inline void atomic_long_add(long i, atomic_long_t *l)
43913 atomic64_t *v = (atomic64_t *)l;
43914 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
43915 atomic64_add(i, v);
43918 +#ifdef CONFIG_PAX_REFCOUNT
43919 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
43921 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43923 + atomic64_add_unchecked(i, v);
43927 static inline void atomic_long_sub(long i, atomic_long_t *l)
43929 atomic64_t *v = (atomic64_t *)l;
43930 @@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
43931 return (long)atomic64_inc_return(v);
43934 +#ifdef CONFIG_PAX_REFCOUNT
43935 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
43937 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43939 + return (long)atomic64_inc_return_unchecked(v);
43943 static inline long atomic_long_dec_return(atomic_long_t *l)
43945 atomic64_t *v = (atomic64_t *)l;
43946 @@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
43948 typedef atomic_t atomic_long_t;
43950 +#ifdef CONFIG_PAX_REFCOUNT
43951 +typedef atomic_unchecked_t atomic_long_unchecked_t;
43953 +typedef atomic_t atomic_long_unchecked_t;
43956 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
43957 static inline long atomic_long_read(atomic_long_t *l)
43959 @@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
43960 return (long)atomic_read(v);
43963 +#ifdef CONFIG_PAX_REFCOUNT
43964 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43966 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43968 + return (long)atomic_read_unchecked(v);
43972 static inline void atomic_long_set(atomic_long_t *l, long i)
43974 atomic_t *v = (atomic_t *)l;
43975 @@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
43979 +#ifdef CONFIG_PAX_REFCOUNT
43980 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43982 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43984 + atomic_set_unchecked(v, i);
43988 static inline void atomic_long_inc(atomic_long_t *l)
43990 atomic_t *v = (atomic_t *)l;
43991 @@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
43995 +#ifdef CONFIG_PAX_REFCOUNT
43996 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43998 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44000 + atomic_inc_unchecked(v);
44004 static inline void atomic_long_dec(atomic_long_t *l)
44006 atomic_t *v = (atomic_t *)l;
44007 @@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
44011 +#ifdef CONFIG_PAX_REFCOUNT
44012 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44014 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44016 + atomic_dec_unchecked(v);
44020 static inline void atomic_long_add(long i, atomic_long_t *l)
44022 atomic_t *v = (atomic_t *)l;
44023 @@ -176,6 +278,15 @@ static inline void atomic_long_add(long
44027 +#ifdef CONFIG_PAX_REFCOUNT
44028 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44030 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44032 + atomic_add_unchecked(i, v);
44036 static inline void atomic_long_sub(long i, atomic_long_t *l)
44038 atomic_t *v = (atomic_t *)l;
44039 @@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
44040 return (long)atomic_inc_return(v);
44043 +#ifdef CONFIG_PAX_REFCOUNT
44044 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44046 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44048 + return (long)atomic_inc_return_unchecked(v);
44052 static inline long atomic_long_dec_return(atomic_long_t *l)
44054 atomic_t *v = (atomic_t *)l;
44055 @@ -255,4 +375,39 @@ static inline long atomic_long_add_unles
44057 #endif /* BITS_PER_LONG == 64 */
44059 +#ifdef CONFIG_PAX_REFCOUNT
44060 +static inline void pax_refcount_needs_these_functions(void)
44062 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
44063 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
44064 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
44065 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
44066 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
44067 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
44068 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
44070 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
44071 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
44072 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
44073 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
44074 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
44075 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
44078 +#define atomic_read_unchecked(v) atomic_read(v)
44079 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
44080 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
44081 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
44082 +#define atomic_inc_unchecked(v) atomic_inc(v)
44083 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
44084 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
44086 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
44087 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
44088 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
44089 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
44090 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
44091 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
44094 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
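Review bot: `pax_refcount_needs_these_functions()` and the fallback macro list after it both omit `atomic_dec_unchecked`, yet the 32-bit `atomic_long_dec_unchecked()` added earlier in this file calls `atomic_dec_unchecked(v)`. Unless another header supplies it, I would add `atomic_dec_unchecked((atomic_unchecked_t *)NULL);` to the function and `#define atomic_dec_unchecked(v) atomic_dec(v)` to the fallback list so the two stay in step with what the header uses. The function also needs a comment: it appears to be never called and to exist only so that the build breaks on an architecture missing one of these primitives, e.g. `/* never called: forces a compile error if an arch lacks an _unchecked primitive */`. As written, the NULL arguments read like a bug.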
44095 diff -urNp linux-2.6.35.7/include/asm-generic/dma-mapping-common.h linux-2.6.35.7/include/asm-generic/dma-mapping-common.h
44096 --- linux-2.6.35.7/include/asm-generic/dma-mapping-common.h 2010-08-26 19:47:12.000000000 -0400
44097 +++ linux-2.6.35.7/include/asm-generic/dma-mapping-common.h 2010-09-17 20:12:09.000000000 -0400
44098 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
44099 enum dma_data_direction dir,
44100 struct dma_attrs *attrs)
44102 - struct dma_map_ops *ops = get_dma_ops(dev);
44103 + const struct dma_map_ops *ops = get_dma_ops(dev);
44106 kmemcheck_mark_initialized(ptr, size);
44107 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
44108 enum dma_data_direction dir,
44109 struct dma_attrs *attrs)
44111 - struct dma_map_ops *ops = get_dma_ops(dev);
44112 + const struct dma_map_ops *ops = get_dma_ops(dev);
44114 BUG_ON(!valid_dma_direction(dir));
44115 if (ops->unmap_page)
44116 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
44117 int nents, enum dma_data_direction dir,
44118 struct dma_attrs *attrs)
44120 - struct dma_map_ops *ops = get_dma_ops(dev);
44121 + const struct dma_map_ops *ops = get_dma_ops(dev);
44123 struct scatterlist *s;
44125 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
44126 int nents, enum dma_data_direction dir,
44127 struct dma_attrs *attrs)
44129 - struct dma_map_ops *ops = get_dma_ops(dev);
44130 + const struct dma_map_ops *ops = get_dma_ops(dev);
44132 BUG_ON(!valid_dma_direction(dir));
44133 debug_dma_unmap_sg(dev, sg, nents, dir);
44134 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
44135 size_t offset, size_t size,
44136 enum dma_data_direction dir)
44138 - struct dma_map_ops *ops = get_dma_ops(dev);
44139 + const struct dma_map_ops *ops = get_dma_ops(dev);
44142 kmemcheck_mark_initialized(page_address(page) + offset, size);
44143 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
44144 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
44145 size_t size, enum dma_data_direction dir)
44147 - struct dma_map_ops *ops = get_dma_ops(dev);
44148 + const struct dma_map_ops *ops = get_dma_ops(dev);
44150 BUG_ON(!valid_dma_direction(dir));
44151 if (ops->unmap_page)
44152 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
44154 enum dma_data_direction dir)
44156 - struct dma_map_ops *ops = get_dma_ops(dev);
44157 + const struct dma_map_ops *ops = get_dma_ops(dev);
44159 BUG_ON(!valid_dma_direction(dir));
44160 if (ops->sync_single_for_cpu)
44161 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
44162 dma_addr_t addr, size_t size,
44163 enum dma_data_direction dir)
44165 - struct dma_map_ops *ops = get_dma_ops(dev);
44166 + const struct dma_map_ops *ops = get_dma_ops(dev);
44168 BUG_ON(!valid_dma_direction(dir));
44169 if (ops->sync_single_for_device)
44170 @@ -139,7 +139,7 @@ static inline void
44171 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
44172 int nelems, enum dma_data_direction dir)
44174 - struct dma_map_ops *ops = get_dma_ops(dev);
44175 + const struct dma_map_ops *ops = get_dma_ops(dev);
44177 BUG_ON(!valid_dma_direction(dir));
44178 if (ops->sync_sg_for_cpu)
44179 @@ -151,7 +151,7 @@ static inline void
44180 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
44181 int nelems, enum dma_data_direction dir)
44183 - struct dma_map_ops *ops = get_dma_ops(dev);
44184 + const struct dma_map_ops *ops = get_dma_ops(dev);
44186 BUG_ON(!valid_dma_direction(dir));
44187 if (ops->sync_sg_for_device)
44188 diff -urNp linux-2.6.35.7/include/asm-generic/futex.h linux-2.6.35.7/include/asm-generic/futex.h
44189 --- linux-2.6.35.7/include/asm-generic/futex.h 2010-08-26 19:47:12.000000000 -0400
44190 +++ linux-2.6.35.7/include/asm-generic/futex.h 2010-09-17 20:12:09.000000000 -0400
44192 #include <asm/errno.h>
44195 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
44196 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
44198 int op = (encoded_op >> 28) & 7;
44199 int cmp = (encoded_op >> 24) & 15;
44200 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
44204 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
44205 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
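Review bot: `futex_atomic_cmpxchg_inatomic()` now takes `u32 __user *uaddr` but keeps `int oldval, int newval`, so the user word and the values compared against it no longer share a signedness. The hunk above makes the same pointer change to `futex_atomic_op_inuser()` while its locals remain `int`. Converting the value parameters as well, `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)`, would keep the interface consistent and avoid implicit conversions at call sites. Both function bodies lie outside the visible hunks, so whether this generic version actually dereferences uaddr cannot be confirmed from here.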
44209 diff -urNp linux-2.6.35.7/include/asm-generic/int-l64.h linux-2.6.35.7/include/asm-generic/int-l64.h
44210 --- linux-2.6.35.7/include/asm-generic/int-l64.h 2010-08-26 19:47:12.000000000 -0400
44211 +++ linux-2.6.35.7/include/asm-generic/int-l64.h 2010-09-17 20:12:09.000000000 -0400
44212 @@ -46,6 +46,8 @@ typedef unsigned int u32;
44213 typedef signed long s64;
44214 typedef unsigned long u64;
44216 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
44219 #define U8_C(x) x ## U
44221 diff -urNp linux-2.6.35.7/include/asm-generic/int-ll64.h linux-2.6.35.7/include/asm-generic/int-ll64.h
44222 --- linux-2.6.35.7/include/asm-generic/int-ll64.h 2010-08-26 19:47:12.000000000 -0400
44223 +++ linux-2.6.35.7/include/asm-generic/int-ll64.h 2010-09-17 20:12:09.000000000 -0400
44224 @@ -51,6 +51,8 @@ typedef unsigned int u32;
44225 typedef signed long long s64;
44226 typedef unsigned long long u64;
44228 +typedef unsigned long long intoverflow_t;
44231 #define U8_C(x) x ## U
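Review bot: `intoverflow_t` is `unsigned long long` here but a 128-bit `mode(TI)` integer in the int-l64.h hunk above, so its width relative to `unsigned long` depends on which of the two headers an architecture includes. The name suggests it is meant to hold a size computation without wrapping. If a 64-bit architecture takes its kernel types from int-ll64.h, the type is no wider than `unsigned long` there and a widened overflow check would pass silently. The uses are outside these hunks, so this needs confirming. A comment stating the intended guarantee, e.g. `/* must be wider than unsigned long: holds a size product without wrapping */`, plus a `BUILD_BUG_ON(sizeof(intoverflow_t) <= sizeof(unsigned long));` at a use site would make the assumption enforceable.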
44233 diff -urNp linux-2.6.35.7/include/asm-generic/kmap_types.h linux-2.6.35.7/include/asm-generic/kmap_types.h
44234 --- linux-2.6.35.7/include/asm-generic/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
44235 +++ linux-2.6.35.7/include/asm-generic/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
44236 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
44238 KMAP_D(18) KM_NMI_PTE,
44240 +KMAP_D(20) KM_CLEARPAGE,
44242 * Remember to update debug_kmap_atomic() when adding new kmap types!
44244 -KMAP_D(20) KM_TYPE_NR
44245 +KMAP_D(21) KM_TYPE_NR
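Review bot: The context comment in this hunk says to update debug_kmap_atomic() when a kmap type is added, and the hunk adds `KM_CLEARPAGE` and bumps `KM_TYPE_NR` to 21 with no such update visible here. Please confirm that the patch also teaches debug_kmap_atomic() which contexts may use the new slot. Otherwise the debug check will either miss misuse of KM_CLEARPAGE or warn on legitimate use. A short comment on the new entry naming its user and the context it is taken from (process, softirq or hardirq) would also help, since every other slot name in the list encodes that.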
44249 diff -urNp linux-2.6.35.7/include/asm-generic/pgtable.h linux-2.6.35.7/include/asm-generic/pgtable.h
44250 --- linux-2.6.35.7/include/asm-generic/pgtable.h 2010-08-26 19:47:12.000000000 -0400
44251 +++ linux-2.6.35.7/include/asm-generic/pgtable.h 2010-09-17 20:12:09.000000000 -0400
44252 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
44253 unsigned long size);
44256 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
44257 +static inline unsigned long pax_open_kernel(void) { return 0; }
44260 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
44261 +static inline unsigned long pax_close_kernel(void) { return 0; }
44264 #endif /* !__ASSEMBLY__ */
44266 #endif /* _ASM_GENERIC_PGTABLE_H */
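Review bot: The fallback `pax_open_kernel()` and `pax_close_kernel()` stubs return 0 and do nothing, with no comment on what the return value means or that the two must be called as a matched pair. They are also guarded by two separate macros, so an architecture could define `__HAVE_ARCH_PAX_OPEN_KERNEL` without `__HAVE_ARCH_PAX_CLOSE_KERNEL` and end up with a real open paired with a no-op close, leaving protected memory writable. I would put both stubs under one guard and document them, e.g. `/* no-op fallback for architectures without a kernel write-protection window; always call open/close as a pair */`.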
44267 diff -urNp linux-2.6.35.7/include/asm-generic/pgtable-nopmd.h linux-2.6.35.7/include/asm-generic/pgtable-nopmd.h
44268 --- linux-2.6.35.7/include/asm-generic/pgtable-nopmd.h 2010-08-26 19:47:12.000000000 -0400
44269 +++ linux-2.6.35.7/include/asm-generic/pgtable-nopmd.h 2010-09-17 20:12:09.000000000 -0400
44271 #ifndef _PGTABLE_NOPMD_H
44272 #define _PGTABLE_NOPMD_H
44274 -#ifndef __ASSEMBLY__
44276 #include <asm-generic/pgtable-nopud.h>
44280 #define __PAGETABLE_PMD_FOLDED
44282 +#define PMD_SHIFT PUD_SHIFT
44283 +#define PTRS_PER_PMD 1
44284 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
44285 +#define PMD_MASK (~(PMD_SIZE-1))
44287 +#ifndef __ASSEMBLY__
44292 * Having the pmd type consist of a pud gets the size right, and allows
44293 * us to conceptually access the pud entry that this pmd is folded into
44294 @@ -16,11 +21,6 @@ struct mm_struct;
44296 typedef struct { pud_t pud; } pmd_t;
44298 -#define PMD_SHIFT PUD_SHIFT
44299 -#define PTRS_PER_PMD 1
44300 -#define PMD_SIZE (1UL << PMD_SHIFT)
44301 -#define PMD_MASK (~(PMD_SIZE-1))
44304 * The "pud_xxx()" functions here are trivial for a folded two-level
44305 * setup: the pmd is never bad, and a pmd always exists (as it's folded
44306 diff -urNp linux-2.6.35.7/include/asm-generic/pgtable-nopud.h linux-2.6.35.7/include/asm-generic/pgtable-nopud.h
44307 --- linux-2.6.35.7/include/asm-generic/pgtable-nopud.h 2010-08-26 19:47:12.000000000 -0400
44308 +++ linux-2.6.35.7/include/asm-generic/pgtable-nopud.h 2010-09-17 20:12:09.000000000 -0400
44310 #ifndef _PGTABLE_NOPUD_H
44311 #define _PGTABLE_NOPUD_H
44313 -#ifndef __ASSEMBLY__
44315 #define __PAGETABLE_PUD_FOLDED
44317 +#define PUD_SHIFT PGDIR_SHIFT
44318 +#define PTRS_PER_PUD 1
44319 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
44320 +#define PUD_MASK (~(PUD_SIZE-1))
44322 +#ifndef __ASSEMBLY__
44325 * Having the pud type consist of a pgd gets the size right, and allows
44326 * us to conceptually access the pgd entry that this pud is folded into
44329 typedef struct { pgd_t pgd; } pud_t;
44331 -#define PUD_SHIFT PGDIR_SHIFT
44332 -#define PTRS_PER_PUD 1
44333 -#define PUD_SIZE (1UL << PUD_SHIFT)
44334 -#define PUD_MASK (~(PUD_SIZE-1))
44337 * The "pgd_xxx()" functions here are trivial for a folded two-level
44338 * setup: the pud is never bad, and a pud always exists (as it's folded
44339 diff -urNp linux-2.6.35.7/include/asm-generic/vmlinux.lds.h linux-2.6.35.7/include/asm-generic/vmlinux.lds.h
44340 --- linux-2.6.35.7/include/asm-generic/vmlinux.lds.h 2010-08-26 19:47:12.000000000 -0400
44341 +++ linux-2.6.35.7/include/asm-generic/vmlinux.lds.h 2010-09-17 20:12:09.000000000 -0400
44342 @@ -213,6 +213,7 @@
44343 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
44344 VMLINUX_SYMBOL(__start_rodata) = .; \
44345 *(.rodata) *(.rodata.*) \
44346 + *(.data..read_only) \
44347 *(__vermagic) /* Kernel version magic */ \
44348 *(__markers_strings) /* Markers: strings */ \
44349 *(__tracepoints_strings)/* Tracepoints: strings */ \
44350 @@ -670,22 +671,24 @@
44351 * section in the linker script will go there too. @phdr should have
44354 - * Note that this macros defines __per_cpu_load as an absolute symbol.
44355 + * Note that this macros defines per_cpu_load as an absolute symbol.
44356 * If there is no need to put the percpu section at a predetermined
44357 * address, use PERCPU().
44359 #define PERCPU_VADDR(vaddr, phdr) \
44360 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
44361 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
44362 + per_cpu_load = .; \
44363 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
44365 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
44366 VMLINUX_SYMBOL(__per_cpu_start) = .; \
44367 *(.data..percpu..first) \
44368 - *(.data..percpu..page_aligned) \
44370 + . = ALIGN(PAGE_SIZE); \
44371 + *(.data..percpu..page_aligned) \
44372 *(.data..percpu..shared_aligned) \
44373 VMLINUX_SYMBOL(__per_cpu_end) = .; \
44375 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
44376 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
44379 * PERCPU - define output section for percpu area, simple version
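Review bot: In `PERCPU_VADDR` the new symbol is assigned bare (`per_cpu_load = .;`) and used bare in `__per_cpu_load = . + per_cpu_load`, but it is read through `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the final location-counter assignment. On a configuration where `VMLINUX_SYMBOL()` adds a prefix, those spellings would name different symbols, so I would use one form throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`. The comment above the macro now says it defines `per_cpu_load`, yet `__per_cpu_load` is still defined too; it should name both and say how they relate.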
44380 diff -urNp linux-2.6.35.7/include/drm/drm_pciids.h linux-2.6.35.7/include/drm/drm_pciids.h
44381 --- linux-2.6.35.7/include/drm/drm_pciids.h 2010-08-26 19:47:12.000000000 -0400
44382 +++ linux-2.6.35.7/include/drm/drm_pciids.h 2010-09-17 20:12:09.000000000 -0400
44383 @@ -419,7 +419,7 @@
44384 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
44385 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
44386 {0x1002, 0x9715, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
44388 + {0, 0, 0, 0, 0, 0}
44390 #define r128_PCI_IDS \
44391 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44392 @@ -459,14 +459,14 @@
44393 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44394 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44395 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44397 + {0, 0, 0, 0, 0, 0}
44399 #define mga_PCI_IDS \
44400 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
44401 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
44402 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
44403 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
44405 + {0, 0, 0, 0, 0, 0}
44407 #define mach64_PCI_IDS \
44408 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44409 @@ -489,7 +489,7 @@
44410 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44411 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44412 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44414 + {0, 0, 0, 0, 0, 0}
44416 #define sisdrv_PCI_IDS \
44417 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44418 @@ -500,7 +500,7 @@
44419 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44420 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
44421 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
44423 + {0, 0, 0, 0, 0, 0}
44425 #define tdfx_PCI_IDS \
44426 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44427 @@ -509,7 +509,7 @@
44428 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44429 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44430 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44432 + {0, 0, 0, 0, 0, 0}
44434 #define viadrv_PCI_IDS \
44435 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44436 @@ -521,14 +521,14 @@
44437 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44438 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
44439 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
44441 + {0, 0, 0, 0, 0, 0}
44443 #define i810_PCI_IDS \
44444 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44445 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44446 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44447 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44449 + {0, 0, 0, 0, 0, 0}
44451 #define i830_PCI_IDS \
44452 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44453 @@ -536,11 +536,11 @@
44454 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44455 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44456 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44458 + {0, 0, 0, 0, 0, 0}
44460 #define gamma_PCI_IDS \
44461 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44463 + {0, 0, 0, 0, 0, 0}
44465 #define savage_PCI_IDS \
44466 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
44467 @@ -566,10 +566,10 @@
44468 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
44469 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44470 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44472 + {0, 0, 0, 0, 0, 0}
44474 #define ffb_PCI_IDS \
44476 + {0, 0, 0, 0, 0, 0}
44478 #define i915_PCI_IDS \
44479 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44480 @@ -603,4 +603,4 @@
44481 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44482 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44483 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44485 + {0, 0, 0, 0, 0, 0}
44486 diff -urNp linux-2.6.35.7/include/drm/drmP.h linux-2.6.35.7/include/drm/drmP.h
44487 --- linux-2.6.35.7/include/drm/drmP.h 2010-08-26 19:47:12.000000000 -0400
44488 +++ linux-2.6.35.7/include/drm/drmP.h 2010-09-17 20:12:09.000000000 -0400
44489 @@ -808,7 +808,7 @@ struct drm_driver {
44490 void (*vgaarb_irq)(struct drm_device *dev, bool state);
44492 /* Driver private ops for this object */
44493 - struct vm_operations_struct *gem_vm_ops;
44494 + const struct vm_operations_struct *gem_vm_ops;
44498 @@ -917,7 +917,7 @@ struct drm_device {
44500 /** \name Usage Counters */
44502 - int open_count; /**< Outstanding files open */
44503 + atomic_t open_count; /**< Outstanding files open */
44504 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
44505 atomic_t vma_count; /**< Outstanding vma areas open */
44506 int buf_use; /**< Buffers in use -- cannot alloc */
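Review bot: Changing `open_count` from `int` to `atomic_t` changes how every user must touch it, and a separate read followed by an increment or decrement stays racy even with an atomic type. The users are outside this hunk, so their conversion cannot be confirmed from here. I would at least record the contract in the field comment, e.g. `/**< Outstanding files open; modify only via atomic_inc_return()/atomic_dec_and_test() */`. The struct continues outside the hunk.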
44507 @@ -928,7 +928,7 @@ struct drm_device {
44509 unsigned long counters;
44510 enum drm_stat_type types[15];
44511 - atomic_t counts[15];
44512 + atomic_unchecked_t counts[15];
44515 struct list_head filelist;
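Review bot: `counts[15]` moves to `atomic_unchecked_t` with no comment saying why this array is exempt from overflow checking. These look like pure statistics, where wrap-around is harmless, but that should be written down so nobody later reuses an unchecked counter for object lifetime. Something like `/* statistics only, may wrap; never use for reference counting */` would do. The same remark applies to `__HANDLE_ITEM` in atmdev.h and `sync_io` in genhd.h further down.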
44516 diff -urNp linux-2.6.35.7/include/linux/a.out.h linux-2.6.35.7/include/linux/a.out.h
44517 --- linux-2.6.35.7/include/linux/a.out.h 2010-08-26 19:47:12.000000000 -0400
44518 +++ linux-2.6.35.7/include/linux/a.out.h 2010-09-17 20:12:09.000000000 -0400
44519 @@ -39,6 +39,14 @@ enum machine_type {
44520 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
44523 +/* Constants for the N_FLAGS field */
44524 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
44525 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
44526 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
44527 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
44528 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
44529 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
44531 #if !defined (N_MAGIC)
44532 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
44534 diff -urNp linux-2.6.35.7/include/linux/atmdev.h linux-2.6.35.7/include/linux/atmdev.h
44535 --- linux-2.6.35.7/include/linux/atmdev.h 2010-08-26 19:47:12.000000000 -0400
44536 +++ linux-2.6.35.7/include/linux/atmdev.h 2010-09-17 20:12:09.000000000 -0400
44537 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
44540 struct k_atm_aal_stats {
44541 -#define __HANDLE_ITEM(i) atomic_t i
44542 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
44544 #undef __HANDLE_ITEM
44546 diff -urNp linux-2.6.35.7/include/linux/binfmts.h linux-2.6.35.7/include/linux/binfmts.h
44547 --- linux-2.6.35.7/include/linux/binfmts.h 2010-08-26 19:47:12.000000000 -0400
44548 +++ linux-2.6.35.7/include/linux/binfmts.h 2010-09-17 20:12:09.000000000 -0400
44549 @@ -87,6 +87,7 @@ struct linux_binfmt {
44550 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
44551 int (*load_shlib)(struct file *);
44552 int (*core_dump)(struct coredump_params *cprm);
44553 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
44554 unsigned long min_coredump; /* minimal dump size */
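Review bot: The new `handle_mprotect` member of `struct linux_binfmt` has no comment, and nothing here says whether a binary format may leave it NULL. Formats that are not updated will have it zero-initialized, so the caller (outside this hunk) has to test the pointer before calling. I would add something like `/* optional, may be NULL */` plus one line on when it is invoked, worded against the actual call site. The struct continues outside the hunk.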
44557 diff -urNp linux-2.6.35.7/include/linux/blkdev.h linux-2.6.35.7/include/linux/blkdev.h
44558 --- linux-2.6.35.7/include/linux/blkdev.h 2010-08-26 19:47:12.000000000 -0400
44559 +++ linux-2.6.35.7/include/linux/blkdev.h 2010-09-17 20:12:09.000000000 -0400
44560 @@ -1331,20 +1331,20 @@ static inline int blk_integrity_rq(struc
44561 #endif /* CONFIG_BLK_DEV_INTEGRITY */
44563 struct block_device_operations {
44564 - int (*open) (struct block_device *, fmode_t);
44565 - int (*release) (struct gendisk *, fmode_t);
44566 - int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44567 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44568 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44569 - int (*direct_access) (struct block_device *, sector_t,
44570 + int (* const open) (struct block_device *, fmode_t);
44571 + int (* const release) (struct gendisk *, fmode_t);
44572 + int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44573 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44574 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44575 + int (* const direct_access) (struct block_device *, sector_t,
44576 void **, unsigned long *);
44577 - int (*media_changed) (struct gendisk *);
44578 - void (*unlock_native_capacity) (struct gendisk *);
44579 - int (*revalidate_disk) (struct gendisk *);
44580 - int (*getgeo)(struct block_device *, struct hd_geometry *);
44581 + int (* const media_changed) (struct gendisk *);
44582 + void (* const unlock_native_capacity) (struct gendisk *);
44583 + int (* const revalidate_disk) (struct gendisk *);
44584 + int (*const getgeo)(struct block_device *, struct hd_geometry *);
44585 /* this callback is with swap_lock and sometimes page table lock held */
44586 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
44587 - struct module *owner;
44588 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
44589 + struct module * const owner;
44592 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
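Review bot: Marking each member of `struct block_device_operations` `const` forbids assignment after initialization, but the header does not say so. A driver that fills or copies an ops table at run time will only find out from a compile error. A short comment above the struct, such as `/* members are const: define instances with a static initializer, preferably as static const */`, would document the rule. The same holds for the constified tables in dma-mapping.h and fs.h later in this patch. Minor: `int (*const getgeo)` is spelled differently from the `(* const name)` form used on the other lines.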
44593 diff -urNp linux-2.6.35.7/include/linux/cache.h linux-2.6.35.7/include/linux/cache.h
44594 --- linux-2.6.35.7/include/linux/cache.h 2010-08-26 19:47:12.000000000 -0400
44595 +++ linux-2.6.35.7/include/linux/cache.h 2010-09-17 20:12:09.000000000 -0400
44597 #define __read_mostly
44600 +#ifndef __read_only
44601 +#define __read_only __read_mostly
44604 #ifndef ____cacheline_aligned
44605 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
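Review bot: The fallback `#define __read_only __read_mostly` means that wherever no architecture-specific `__read_only` is provided, variables carrying the annotation get only the `__read_mostly` placement, which is not write-protected. That is a silent downgrade of a protection a reader will assume from the name. It deserves a comment at the fallback, e.g. `/* no arch support: __read_only data is NOT write-protected here */`.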
44607 diff -urNp linux-2.6.35.7/include/linux/capability.h linux-2.6.35.7/include/linux/capability.h
44608 --- linux-2.6.35.7/include/linux/capability.h 2010-08-26 19:47:12.000000000 -0400
44609 +++ linux-2.6.35.7/include/linux/capability.h 2010-09-17 20:12:37.000000000 -0400
44610 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
44611 (security_real_capable_noaudit((t), (cap)) == 0)
44613 extern int capable(int cap);
44614 +int capable_nolog(int cap);
44616 /* audit system wants to get cap info from files as well */
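Review bot: `capable_nolog()` is declared without `extern`, unlike `capable()` on the line above, and without any comment on how the two differ. The name suggests a capability check that skips logging, so the header should say when it is acceptable to use it instead of `capable()`; otherwise audit-relevant checks may be switched over by accident. The implementation is outside this hunk, so the wording has to be confirmed there.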
44618 diff -urNp linux-2.6.35.7/include/linux/compiler-gcc4.h linux-2.6.35.7/include/linux/compiler-gcc4.h
44619 --- linux-2.6.35.7/include/linux/compiler-gcc4.h 2010-08-26 19:47:12.000000000 -0400
44620 +++ linux-2.6.35.7/include/linux/compiler-gcc4.h 2010-09-17 20:12:09.000000000 -0400
44625 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
44626 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
44627 +#define __bos0(ptr) __bos((ptr), 0)
44628 +#define __bos1(ptr) __bos((ptr), 1)
44631 #if __GNUC_MINOR__ > 0
44632 diff -urNp linux-2.6.35.7/include/linux/compiler.h linux-2.6.35.7/include/linux/compiler.h
44633 --- linux-2.6.35.7/include/linux/compiler.h 2010-08-26 19:47:12.000000000 -0400
44634 +++ linux-2.6.35.7/include/linux/compiler.h 2010-09-17 20:12:09.000000000 -0400
44635 @@ -267,6 +267,22 @@ void ftrace_likely_update(struct ftrace_
44639 +#ifndef __alloc_size
44640 +#define __alloc_size
44655 /* Simple shorthand for a section definition */
44657 # define __section(S) __attribute__ ((__section__(#S)))
44658 diff -urNp linux-2.6.35.7/include/linux/decompress/mm.h linux-2.6.35.7/include/linux/decompress/mm.h
44659 --- linux-2.6.35.7/include/linux/decompress/mm.h 2010-08-26 19:47:12.000000000 -0400
44660 +++ linux-2.6.35.7/include/linux/decompress/mm.h 2010-09-17 20:12:09.000000000 -0400
44661 @@ -78,7 +78,7 @@ static void free(void *where)
44662 * warnings when not needed (indeed large_malloc / large_free are not
44663 * needed by inflate */
44665 -#define malloc(a) kmalloc(a, GFP_KERNEL)
44666 +#define malloc(a) kmalloc((a), GFP_KERNEL)
44667 #define free(a) kfree(a)
44669 #define large_malloc(a) vmalloc(a)
44670 diff -urNp linux-2.6.35.7/include/linux/dma-mapping.h linux-2.6.35.7/include/linux/dma-mapping.h
44671 --- linux-2.6.35.7/include/linux/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
44672 +++ linux-2.6.35.7/include/linux/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
44673 @@ -16,40 +16,40 @@ enum dma_data_direction {
44676 struct dma_map_ops {
44677 - void* (*alloc_coherent)(struct device *dev, size_t size,
44678 + void* (* const alloc_coherent)(struct device *dev, size_t size,
44679 dma_addr_t *dma_handle, gfp_t gfp);
44680 - void (*free_coherent)(struct device *dev, size_t size,
44681 + void (* const free_coherent)(struct device *dev, size_t size,
44682 void *vaddr, dma_addr_t dma_handle);
44683 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
44684 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
44685 unsigned long offset, size_t size,
44686 enum dma_data_direction dir,
44687 struct dma_attrs *attrs);
44688 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
44689 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
44690 size_t size, enum dma_data_direction dir,
44691 struct dma_attrs *attrs);
44692 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
44693 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
44694 int nents, enum dma_data_direction dir,
44695 struct dma_attrs *attrs);
44696 - void (*unmap_sg)(struct device *dev,
44697 + void (* const unmap_sg)(struct device *dev,
44698 struct scatterlist *sg, int nents,
44699 enum dma_data_direction dir,
44700 struct dma_attrs *attrs);
44701 - void (*sync_single_for_cpu)(struct device *dev,
44702 + void (* const sync_single_for_cpu)(struct device *dev,
44703 dma_addr_t dma_handle, size_t size,
44704 enum dma_data_direction dir);
44705 - void (*sync_single_for_device)(struct device *dev,
44706 + void (* const sync_single_for_device)(struct device *dev,
44707 dma_addr_t dma_handle, size_t size,
44708 enum dma_data_direction dir);
44709 - void (*sync_sg_for_cpu)(struct device *dev,
44710 + void (* const sync_sg_for_cpu)(struct device *dev,
44711 struct scatterlist *sg, int nents,
44712 enum dma_data_direction dir);
44713 - void (*sync_sg_for_device)(struct device *dev,
44714 + void (* const sync_sg_for_device)(struct device *dev,
44715 struct scatterlist *sg, int nents,
44716 enum dma_data_direction dir);
44717 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
44718 - int (*dma_supported)(struct device *dev, u64 mask);
44719 - int (*set_dma_mask)(struct device *dev, u64 mask);
44721 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
44722 + int (* const dma_supported)(struct device *dev, u64 mask);
44723 + int (* set_dma_mask)(struct device *dev, u64 mask);
44724 + const int is_phys;
44727 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
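Review bot: In the constified `struct dma_map_ops`, `set_dma_mask` is the one callback declared without `const` (`int (* set_dma_mask)(...)`), so the table still carries one assignable function pointer. If some architecture assigns it at run time, that reason should be stated in a comment next to the member. If not, it should read `int (* const set_dma_mask)(struct device *dev, u64 mask);` like the others.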
44728 diff -urNp linux-2.6.35.7/include/linux/elf.h linux-2.6.35.7/include/linux/elf.h
44729 --- linux-2.6.35.7/include/linux/elf.h 2010-08-26 19:47:12.000000000 -0400
44730 +++ linux-2.6.35.7/include/linux/elf.h 2010-09-17 20:12:09.000000000 -0400
44731 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
44732 #define PT_GNU_EH_FRAME 0x6474e550
44734 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
44735 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
44737 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
44739 +/* Constants for the e_flags field */
44740 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
44741 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
44742 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
44743 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
44744 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
44745 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
44748 * Extended Numbering
44749 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
44750 #define DT_DEBUG 21
44751 #define DT_TEXTREL 22
44752 #define DT_JMPREL 23
44753 +#define DT_FLAGS 30
44754 + #define DF_TEXTREL 0x00000004
44755 #define DT_ENCODING 32
44756 #define OLD_DT_LOOS 0x60000000
44757 #define DT_LOOS 0x6000000d
44758 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
44762 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
44763 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
44764 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
44765 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
44766 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
44767 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
44768 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
44769 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
44770 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
44771 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
44772 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
44773 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
44775 typedef struct elf32_phdr{
44777 Elf32_Off p_offset;
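Review bot: The new `PF_*` program-header bits come as enable/disable pairs, and nothing here states what a loader must do when both bits of a pair are set (for example `PF_PAGEEXEC` together with `PF_NOPAGEEXEC`) or when neither is. These bits are defined alongside `PT_PAX_FLAGS` and look like values read from the binary being loaded, so the outcome for contradictory input should be defined in one place. I would add a comment above the block, e.g. `/* PT_PAX_FLAGS p_flags: setting both bits of a pair is invalid; neither means use the system default */`, adjusted to what the parser outside this hunk actually does.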
44778 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
44784 #define ELFMAG0 0x7f /* EI_MAG */
44785 #define ELFMAG1 'E'
44786 #define ELFMAG2 'L'
44787 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
44788 #define elf_note elf32_note
44789 #define elf_addr_t Elf32_Off
44790 #define Elf_Half Elf32_Half
44791 +#define elf_dyn Elf32_Dyn
44795 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
44796 #define elf_note elf64_note
44797 #define elf_addr_t Elf64_Off
44798 #define Elf_Half Elf64_Half
44799 +#define elf_dyn Elf64_Dyn
44803 diff -urNp linux-2.6.35.7/include/linux/fs.h linux-2.6.35.7/include/linux/fs.h
44804 --- linux-2.6.35.7/include/linux/fs.h 2010-09-20 17:33:09.000000000 -0400
44805 +++ linux-2.6.35.7/include/linux/fs.h 2010-09-20 17:33:35.000000000 -0400
44806 @@ -90,6 +90,11 @@ struct inodes_stat_t {
44807 /* Expect random access pattern */
44808 #define FMODE_RANDOM ((__force fmode_t)0x1000)
44810 +/* Hack for grsec so as not to require read permission simply to execute
44813 +#define FMODE_GREXEC ((__force fmode_t)0x2000)
44816 * The below are the various read and write types that we support. Some of
44817 * them include behavioral modifiers that send information down to the
44818 @@ -572,41 +577,41 @@ typedef int (*read_actor_t)(read_descrip
44819 unsigned long, unsigned long);
44821 struct address_space_operations {
44822 - int (*writepage)(struct page *page, struct writeback_control *wbc);
44823 - int (*readpage)(struct file *, struct page *);
44824 - void (*sync_page)(struct page *);
44825 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
44826 + int (* const readpage)(struct file *, struct page *);
44827 + void (* const sync_page)(struct page *);
44829 /* Write back some dirty pages from this mapping. */
44830 - int (*writepages)(struct address_space *, struct writeback_control *);
44831 + int (* const writepages)(struct address_space *, struct writeback_control *);
44833 /* Set a page dirty. Return true if this dirtied it */
44834 - int (*set_page_dirty)(struct page *page);
44835 + int (* const set_page_dirty)(struct page *page);
44837 - int (*readpages)(struct file *filp, struct address_space *mapping,
44838 + int (* const readpages)(struct file *filp, struct address_space *mapping,
44839 struct list_head *pages, unsigned nr_pages);
44841 - int (*write_begin)(struct file *, struct address_space *mapping,
44842 + int (* const write_begin)(struct file *, struct address_space *mapping,
44843 loff_t pos, unsigned len, unsigned flags,
44844 struct page **pagep, void **fsdata);
44845 - int (*write_end)(struct file *, struct address_space *mapping,
44846 + int (* const write_end)(struct file *, struct address_space *mapping,
44847 loff_t pos, unsigned len, unsigned copied,
44848 struct page *page, void *fsdata);
44850 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
44851 - sector_t (*bmap)(struct address_space *, sector_t);
44852 - void (*invalidatepage) (struct page *, unsigned long);
44853 - int (*releasepage) (struct page *, gfp_t);
44854 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
44855 + sector_t (* const bmap)(struct address_space *, sector_t);
44856 + void (* const invalidatepage) (struct page *, unsigned long);
44857 + int (* const releasepage) (struct page *, gfp_t);
44858 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
44859 loff_t offset, unsigned long nr_segs);
44860 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
44861 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
44862 void **, unsigned long *);
44863 /* migrate the contents of a page to the specified target */
44864 - int (*migratepage) (struct address_space *,
44865 + int (* const migratepage) (struct address_space *,
44866 struct page *, struct page *);
44867 - int (*launder_page) (struct page *);
44868 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
44869 + int (* const launder_page) (struct page *);
44870 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
44872 - int (*error_remove_page)(struct address_space *, struct page *);
44873 + int (* const error_remove_page)(struct address_space *, struct page *);
44877 @@ -1036,19 +1041,19 @@ static inline int file_check_writeable(s
44878 typedef struct files_struct *fl_owner_t;
44880 struct file_lock_operations {
44881 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44882 - void (*fl_release_private)(struct file_lock *);
44883 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44884 + void (* const fl_release_private)(struct file_lock *);
44887 struct lock_manager_operations {
44888 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
44889 - void (*fl_notify)(struct file_lock *); /* unblock callback */
44890 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
44891 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44892 - void (*fl_release_private)(struct file_lock *);
44893 - void (*fl_break)(struct file_lock *);
44894 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
44895 - int (*fl_change)(struct file_lock **, int);
44896 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
44897 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
44898 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
44899 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44900 + void (* const fl_release_private)(struct file_lock *);
44901 + void (* const fl_break)(struct file_lock *);
44902 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
44903 + int (* const fl_change)(struct file_lock **, int);
44906 struct lock_manager {
44907 @@ -1441,7 +1446,7 @@ struct fiemap_extent_info {
44908 unsigned int fi_flags; /* Flags as passed from user */
44909 unsigned int fi_extents_mapped; /* Number of mapped extents */
44910 unsigned int fi_extents_max; /* Size of fiemap_extent array */
44911 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
44912 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
44915 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
44916 diff -urNp linux-2.6.35.7/include/linux/fs_struct.h linux-2.6.35.7/include/linux/fs_struct.h
44917 --- linux-2.6.35.7/include/linux/fs_struct.h 2010-08-26 19:47:12.000000000 -0400
44918 +++ linux-2.6.35.7/include/linux/fs_struct.h 2010-09-17 20:12:09.000000000 -0400
44920 #include <linux/path.h>
44928 diff -urNp linux-2.6.35.7/include/linux/genhd.h linux-2.6.35.7/include/linux/genhd.h
44929 --- linux-2.6.35.7/include/linux/genhd.h 2010-08-26 19:47:12.000000000 -0400
44930 +++ linux-2.6.35.7/include/linux/genhd.h 2010-09-17 20:12:09.000000000 -0400
44931 @@ -162,7 +162,7 @@ struct gendisk {
44933 struct timer_rand_state *random;
44935 - atomic_t sync_io; /* RAID */
44936 + atomic_unchecked_t sync_io; /* RAID */
44937 struct work_struct async_notify;
44938 #ifdef CONFIG_BLK_DEV_INTEGRITY
44939 struct blk_integrity *integrity;
44940 diff -urNp linux-2.6.35.7/include/linux/gracl.h linux-2.6.35.7/include/linux/gracl.h
44941 --- linux-2.6.35.7/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
44942 +++ linux-2.6.35.7/include/linux/gracl.h 2010-09-17 20:12:37.000000000 -0400
44947 +#include <linux/grdefs.h>
44948 +#include <linux/resource.h>
44949 +#include <linux/capability.h>
44950 +#include <linux/dcache.h>
44951 +#include <asm/resource.h>
44953 +/* Major status information */
44955 +#define GR_VERSION "grsecurity 2.2.0"
44956 +#define GRSECURITY_VERSION 0x2200
44967 + GR_SPROLEPAM = 8,
44970 +/* Password setup definitions
44971 + * kernel/grhash.c */
44974 + GR_SALT_LEN = 16,
44979 + GR_SPROLE_LEN = 64,
44982 +#define GR_NLIMITS 32
44984 +/* Begin Data Structures */
44986 +struct sprole_pw {
44987 + unsigned char *rolename;
44988 + unsigned char salt[GR_SALT_LEN];
44989 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
44992 +struct name_entry {
44999 + struct name_entry *prev;
45000 + struct name_entry *next;
45003 +struct inodev_entry {
45004 + struct name_entry *nentry;
45005 + struct inodev_entry *prev;
45006 + struct inodev_entry *next;
45009 +struct acl_role_db {
45010 + struct acl_role_label **r_hash;
45014 +struct inodev_db {
45015 + struct inodev_entry **i_hash;
45020 + struct name_entry **n_hash;
45024 +struct crash_uid {
45026 + unsigned long expires;
45029 +struct gr_hash_struct {
45031 + void **nametable;
45033 + __u32 table_size;
45038 +/* Userspace Grsecurity ACL data structures */
45040 +struct acl_subject_label {
45045 + kernel_cap_t cap_mask;
45046 + kernel_cap_t cap_lower;
45047 + kernel_cap_t cap_invert_audit;
45049 + struct rlimit res[GR_NLIMITS];
45052 + __u8 user_trans_type;
45053 + __u8 group_trans_type;
45054 + uid_t *user_transitions;
45055 + gid_t *group_transitions;
45056 + __u16 user_trans_num;
45057 + __u16 group_trans_num;
45059 + __u32 ip_proto[8];
45061 + struct acl_ip_label **ips;
45063 + __u32 inaddr_any_override;
45066 + unsigned long expires;
45068 + struct acl_subject_label *parent_subject;
45069 + struct gr_hash_struct *hash;
45070 + struct acl_subject_label *prev;
45071 + struct acl_subject_label *next;
45073 + struct acl_object_label **obj_hash;
45074 + __u32 obj_hash_size;
45078 +struct role_allowed_ip {
45082 + struct role_allowed_ip *prev;
45083 + struct role_allowed_ip *next;
45086 +struct role_transition {
45089 + struct role_transition *prev;
45090 + struct role_transition *next;
45093 +struct acl_role_label {
45098 + __u16 auth_attempts;
45099 + unsigned long expires;
45101 + struct acl_subject_label *root_label;
45102 + struct gr_hash_struct *hash;
45104 + struct acl_role_label *prev;
45105 + struct acl_role_label *next;
45107 + struct role_transition *transitions;
45108 + struct role_allowed_ip *allowed_ips;
45109 + uid_t *domain_children;
45110 + __u16 domain_child_num;
45112 + struct acl_subject_label **subj_hash;
45113 + __u32 subj_hash_size;
45116 +struct user_acl_role_db {
45117 + struct acl_role_label **r_table;
45118 + __u32 num_pointers; /* Number of allocations to track */
45119 + __u32 num_roles; /* Number of roles */
45120 + __u32 num_domain_children; /* Number of domain children */
45121 + __u32 num_subjects; /* Number of subjects */
45122 + __u32 num_objects; /* Number of objects */
45125 +struct acl_object_label {
45131 + struct acl_subject_label *nested;
45132 + struct acl_object_label *globbed;
45134 + /* next two structures not used */
45136 + struct acl_object_label *prev;
45137 + struct acl_object_label *next;
45140 +struct acl_ip_label {
45149 + /* next two structures not used */
45151 + struct acl_ip_label *prev;
45152 + struct acl_ip_label *next;
45156 + struct user_acl_role_db role_db;
45157 + unsigned char pw[GR_PW_LEN];
45158 + unsigned char salt[GR_SALT_LEN];
45159 + unsigned char sum[GR_SHA_LEN];
45160 + unsigned char sp_role[GR_SPROLE_LEN];
45161 + struct sprole_pw *sprole_pws;
45162 + dev_t segv_device;
45163 + ino_t segv_inode;
45165 + __u16 num_sprole_pws;
45169 +struct gr_arg_wrapper {
45170 + struct gr_arg *arg;
45175 +struct subject_map {
45176 + struct acl_subject_label *user;
45177 + struct acl_subject_label *kernel;
45178 + struct subject_map *prev;
45179 + struct subject_map *next;
45182 +struct acl_subj_map_db {
45183 + struct subject_map **s_hash;
45187 +/* End Data Structures Section */
45189 +/* Hash functions generated by empirical testing by Brad Spengler
45190 + Makes good use of the low bits of the inode. Generally 0-1 times
45191 + in loop for successful match. 0-3 for unsuccessful match.
45192 + Shift/add algorithm with modulus of table size and an XOR*/
45194 +static __inline__ unsigned int
45195 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
45197 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
45200 + static __inline__ unsigned int
45201 +shash(const struct acl_subject_label *userp, const unsigned int sz)
45203 + return ((const unsigned long)userp % sz);
45206 +static __inline__ unsigned int
45207 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
45209 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
45212 +static __inline__ unsigned int
45213 +nhash(const char *name, const __u16 len, const unsigned int sz)
45215 + return full_name_hash((const unsigned char *)name, len) % sz;
45218 +#define FOR_EACH_ROLE_START(role) \
45219 + role = role_list; \
45222 +#define FOR_EACH_ROLE_END(role) \
45223 + role = role->prev; \
45226 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
45229 + while (iter < role->subj_hash_size) { \
45230 + if (subj == NULL) \
45231 + subj = role->subj_hash[iter]; \
45232 + if (subj == NULL) { \
45237 +#define FOR_EACH_SUBJECT_END(subj,iter) \
45238 + subj = subj->next; \
45239 + if (subj == NULL) \
45244 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
45245 + subj = role->hash->first; \
45246 + while (subj != NULL) {
45248 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
45249 + subj = subj->next; \
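Review bot: The hash helpers `rhash()`, `shash()`, `fhash()` and `nhash()` all end in `% sz` with no statement that `sz` is non-zero, and `rhash()` shifts by `16 + type`, which is undefined once `type` reaches 16 if `uid_t` is 32 bits wide. The table sizes appear to come from the policy structures declared above (`subj_hash_size`, `obj_hash_size`, `table_size`), so a zero size would mean a division by zero in kernel context. The callers are not in this file, so this needs checking there. I would document the precondition on each helper, e.g. `/* sz must be non-zero; type must be GR_ROLE_USER or GR_ROLE_GROUP */`, or reject `sz == 0` where the tables are created.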
45254 diff -urNp linux-2.6.35.7/include/linux/gralloc.h linux-2.6.35.7/include/linux/gralloc.h
45255 --- linux-2.6.35.7/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
45256 +++ linux-2.6.35.7/include/linux/gralloc.h 2010-09-17 20:12:37.000000000 -0400
45258 +#ifndef __GRALLOC_H
45259 +#define __GRALLOC_H
45261 +void acl_free_all(void);
45262 +int acl_alloc_stack_init(unsigned long size);
45263 +void *acl_alloc(unsigned long len);
45264 +void *acl_alloc_num(unsigned long num, unsigned long len);
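Review bot: `acl_alloc_num(unsigned long num, unsigned long len)` is declared with no statement of who guards the `num * len` product, and its implementation is outside this hunk. If the implementation rejects an overflowing product, the header should say so, for example `/* returns NULL if num * len overflows or the pool is exhausted; callers must check */`; if it does not, that check belongs in the allocator rather than in each caller. The same one-line contract would help on `acl_alloc()`, together with a note on whether memory is released only through `acl_free_all()`.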
45267 diff -urNp linux-2.6.35.7/include/linux/grdefs.h linux-2.6.35.7/include/linux/grdefs.h
45268 --- linux-2.6.35.7/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
45269 +++ linux-2.6.35.7/include/linux/grdefs.h 2010-09-17 20:12:37.000000000 -0400
45274 +/* Begin grsecurity status declarations */
45278 + GR_STATUS_INIT = 0x00 // disabled state
45281 +/* Begin ACL declarations */
45286 + GR_ROLE_USER = 0x0001,
45287 + GR_ROLE_GROUP = 0x0002,
45288 + GR_ROLE_DEFAULT = 0x0004,
45289 + GR_ROLE_SPECIAL = 0x0008,
45290 + GR_ROLE_AUTH = 0x0010,
45291 + GR_ROLE_NOPW = 0x0020,
45292 + GR_ROLE_GOD = 0x0040,
45293 + GR_ROLE_LEARN = 0x0080,
45294 + GR_ROLE_TPE = 0x0100,
45295 + GR_ROLE_DOMAIN = 0x0200,
45296 + GR_ROLE_PAM = 0x0400
45299 +/* ACL Subject and Object mode flags */
45301 + GR_DELETED = 0x80000000
45304 +/* ACL Object-only mode flags */
45306 + GR_READ = 0x00000001,
45307 + GR_APPEND = 0x00000002,
45308 + GR_WRITE = 0x00000004,
45309 + GR_EXEC = 0x00000008,
45310 + GR_FIND = 0x00000010,
45311 + GR_INHERIT = 0x00000020,
45312 + GR_SETID = 0x00000040,
45313 + GR_CREATE = 0x00000080,
45314 + GR_DELETE = 0x00000100,
45315 + GR_LINK = 0x00000200,
45316 + GR_AUDIT_READ = 0x00000400,
45317 + GR_AUDIT_APPEND = 0x00000800,
45318 + GR_AUDIT_WRITE = 0x00001000,
45319 + GR_AUDIT_EXEC = 0x00002000,
45320 + GR_AUDIT_FIND = 0x00004000,
45321 + GR_AUDIT_INHERIT= 0x00008000,
45322 + GR_AUDIT_SETID = 0x00010000,
45323 + GR_AUDIT_CREATE = 0x00020000,
45324 + GR_AUDIT_DELETE = 0x00040000,
45325 + GR_AUDIT_LINK = 0x00080000,
45326 + GR_PTRACERD = 0x00100000,
45327 + GR_NOPTRACE = 0x00200000,
45328 + GR_SUPPRESS = 0x00400000,
45329 + GR_NOLEARN = 0x00800000
45332 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
45333 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
45334 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
45336 +/* ACL subject-only mode flags */
45338 + GR_KILL = 0x00000001,
45339 + GR_VIEW = 0x00000002,
45340 + GR_PROTECTED = 0x00000004,
45341 + GR_LEARN = 0x00000008,
45342 + GR_OVERRIDE = 0x00000010,
45343 + /* just a placeholder, this mode is only used in userspace */
45344 + GR_DUMMY = 0x00000020,
45345 + GR_PROTSHM = 0x00000040,
45346 + GR_KILLPROC = 0x00000080,
45347 + GR_KILLIPPROC = 0x00000100,
45348 + /* just a placeholder, this mode is only used in userspace */
45349 + GR_NOTROJAN = 0x00000200,
45350 + GR_PROTPROCFD = 0x00000400,
45351 + GR_PROCACCT = 0x00000800,
45352 + GR_RELAXPTRACE = 0x00001000,
45353 + GR_NESTED = 0x00002000,
45354 + GR_INHERITLEARN = 0x00004000,
45355 + GR_PROCFIND = 0x00008000,
45356 + GR_POVERRIDE = 0x00010000,
45357 + GR_KERNELAUTH = 0x00020000,
45361 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
45362 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
45363 + GR_PAX_ENABLE_MPROTECT = 0x0004,
45364 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
45365 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
45366 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
45367 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
45368 + GR_PAX_DISABLE_MPROTECT = 0x0400,
45369 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
45370 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
45374 + GR_ID_USER = 0x01,
45375 + GR_ID_GROUP = 0x02,
45379 + GR_ID_ALLOW = 0x01,
45380 + GR_ID_DENY = 0x02,
45383 +#define GR_CRASH_RES 31
45384 +#define GR_UIDTABLE_MAX 500
45386 +/* begin resource learning section */
45388 + GR_RLIM_CPU_BUMP = 60,
45389 + GR_RLIM_FSIZE_BUMP = 50000,
45390 + GR_RLIM_DATA_BUMP = 10000,
45391 + GR_RLIM_STACK_BUMP = 1000,
45392 + GR_RLIM_CORE_BUMP = 10000,
45393 + GR_RLIM_RSS_BUMP = 500000,
45394 + GR_RLIM_NPROC_BUMP = 1,
45395 + GR_RLIM_NOFILE_BUMP = 5,
45396 + GR_RLIM_MEMLOCK_BUMP = 50000,
45397 + GR_RLIM_AS_BUMP = 500000,
45398 + GR_RLIM_LOCKS_BUMP = 2,
45399 + GR_RLIM_SIGPENDING_BUMP = 5,
45400 + GR_RLIM_MSGQUEUE_BUMP = 10000,
45401 + GR_RLIM_NICE_BUMP = 1,
45402 + GR_RLIM_RTPRIO_BUMP = 1,
45403 + GR_RLIM_RTTIME_BUMP = 1000000
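Review bot: `GR_DELETED = 0x80000000` in the subject/object mode enum does not fit in `int`, so it is only accepted through the GCC extension that gives the enum an unsigned type; ISO C requires enumerators to be representable as `int`. The mode words are passed as `__u32` elsewhere in this patch (`gr_search_file(..., const __u32 mode, ...)`), so `#define GR_DELETED 0x80000000U` or a comment such as `/* bit 31: relies on GCC giving this enum an unsigned type */` would make the assumption explicit. A comment next to `GR_AUDITS` should also record that every `GR_AUDIT_*` value is the matching access flag shifted left by 10, since `to_gr_audit()` presumably depends on that layout.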
45407 diff -urNp linux-2.6.35.7/include/linux/grinternal.h linux-2.6.35.7/include/linux/grinternal.h
45408 --- linux-2.6.35.7/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
45409 +++ linux-2.6.35.7/include/linux/grinternal.h 2010-10-18 21:05:08.000000000 -0400
45411 +#ifndef __GRINTERNAL_H
45412 +#define __GRINTERNAL_H
45414 +#ifdef CONFIG_GRKERNSEC
45416 +#include <linux/fs.h>
45417 +#include <linux/mnt_namespace.h>
45418 +#include <linux/nsproxy.h>
45419 +#include <linux/gracl.h>
45420 +#include <linux/grdefs.h>
45421 +#include <linux/grmsg.h>
45423 +void gr_add_learn_entry(const char *fmt, ...)
45424 + __attribute__ ((format (printf, 1, 2)));
45425 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
45426 + const struct vfsmount *mnt);
45427 +__u32 gr_check_create(const struct dentry *new_dentry,
45428 + const struct dentry *parent,
45429 + const struct vfsmount *mnt, const __u32 mode);
45430 +int gr_check_protected_task(const struct task_struct *task);
45431 +__u32 to_gr_audit(const __u32 reqmode);
45432 +int gr_set_acls(const int type);
45434 +int gr_acl_is_enabled(void);
45435 +char gr_roletype_to_char(void);
45437 +void gr_handle_alertkill(struct task_struct *task);
45438 +char *gr_to_filename(const struct dentry *dentry,
45439 + const struct vfsmount *mnt);
45440 +char *gr_to_filename1(const struct dentry *dentry,
45441 + const struct vfsmount *mnt);
45442 +char *gr_to_filename2(const struct dentry *dentry,
45443 + const struct vfsmount *mnt);
45444 +char *gr_to_filename3(const struct dentry *dentry,
45445 + const struct vfsmount *mnt);
45447 +extern int grsec_enable_harden_ptrace;
45448 +extern int grsec_enable_link;
45449 +extern int grsec_enable_fifo;
45450 +extern int grsec_enable_execve;
45451 +extern int grsec_enable_shm;
45452 +extern int grsec_enable_execlog;
45453 +extern int grsec_enable_signal;
45454 +extern int grsec_enable_audit_ptrace;
45455 +extern int grsec_enable_forkfail;
45456 +extern int grsec_enable_time;
45457 +extern int grsec_enable_rofs;
45458 +extern int grsec_enable_chroot_shmat;
45459 +extern int grsec_enable_chroot_findtask;
45460 +extern int grsec_enable_chroot_mount;
45461 +extern int grsec_enable_chroot_double;
45462 +extern int grsec_enable_chroot_pivot;
45463 +extern int grsec_enable_chroot_chdir;
45464 +extern int grsec_enable_chroot_chmod;
45465 +extern int grsec_enable_chroot_mknod;
45466 +extern int grsec_enable_chroot_fchdir;
45467 +extern int grsec_enable_chroot_nice;
45468 +extern int grsec_enable_chroot_execlog;
45469 +extern int grsec_enable_chroot_caps;
45470 +extern int grsec_enable_chroot_sysctl;
45471 +extern int grsec_enable_chroot_unix;
45472 +extern int grsec_enable_tpe;
45473 +extern int grsec_tpe_gid;
45474 +extern int grsec_enable_tpe_all;
45475 +extern int grsec_enable_tpe_invert;
45476 +extern int grsec_enable_socket_all;
45477 +extern int grsec_socket_all_gid;
45478 +extern int grsec_enable_socket_client;
45479 +extern int grsec_socket_client_gid;
45480 +extern int grsec_enable_socket_server;
45481 +extern int grsec_socket_server_gid;
45482 +extern int grsec_audit_gid;
45483 +extern int grsec_enable_group;
45484 +extern int grsec_enable_audit_textrel;
45485 +extern int grsec_enable_log_rwxmaps;
45486 +extern int grsec_enable_mount;
45487 +extern int grsec_enable_chdir;
45488 +extern int grsec_resource_logging;
45489 +extern int grsec_enable_blackhole;
45490 +extern int grsec_lastack_retries;
45491 +extern int grsec_lock;
45493 +extern spinlock_t grsec_alert_lock;
45494 +extern unsigned long grsec_alert_wtime;
45495 +extern unsigned long grsec_alert_fyet;
45497 +extern spinlock_t grsec_audit_lock;
45499 +extern rwlock_t grsec_exec_file_lock;
45501 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
45502 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
45503 + (tsk)->exec_file->f_vfsmnt) : "/")
45505 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
45506 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
45507 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
45509 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
45510 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
45511 + (tsk)->exec_file->f_vfsmnt) : "/")
45513 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
45514 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
45515 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
45517 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
45519 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
45521 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
45522 + (task)->pid, (cred)->uid, \
45523 + (cred)->euid, (cred)->gid, (cred)->egid, \
45524 + gr_parent_task_fullpath(task), \
45525 + (task)->real_parent->comm, (task)->real_parent->pid, \
45526 + (pcred)->uid, (pcred)->euid, \
45527 + (pcred)->gid, (pcred)->egid
45529 +#define GR_CHROOT_CAPS {{ \
45530 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
45531 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
45532 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
45533 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
45534 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
45535 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
45537 +#define security_learn(normal_msg,args...) \
45539 + read_lock(&grsec_exec_file_lock); \
45540 + gr_add_learn_entry(normal_msg "\n", ## args); \
45541 + read_unlock(&grsec_exec_file_lock); \
45547 + GR_DONT_AUDIT_GOOD
45558 + GR_SYSCTL_HIDDEN,
45561 + GR_ONE_INT_TWO_STR,
45566 + GR_FIVE_INT_TWO_STR,
45572 + GR_FILENAME_TWO_INT,
45573 + GR_FILENAME_TWO_INT_STR,
45586 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
45587 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
45588 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
45589 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
45590 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
45591 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
45592 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
45593 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
45594 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
45595 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
45596 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
45597 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
45598 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
45599 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
45600 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
45601 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
45602 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
45603 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
45604 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
45605 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
45606 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
45607 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
45608 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
45609 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
45610 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
45611 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
45612 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
45613 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
45614 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
45615 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
45616 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
45617 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
45618 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
45620 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
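Review bot: `gr_log_int5_str2(audit, msg, num1, num2, str1, str2)` forwards only two integers and two strings under the `GR_FIVE_INT_TWO_STR` tag. `gr_log_varargs()` is only declared in this hunk, but if its handler for that tag pulls five `int`s with `va_arg` before the strings, it reads arguments that were never passed, which is undefined behaviour and could put stray stack or register contents into the audit log. Either the macro should take and forward five numbers, or the tag and macro should be renamed to match what is actually passed. Nothing ties a macro's argument list to its `argtypes` tag at compile time, so a comment above the macro table listing the expected argument types per tag would make such mismatches reviewable.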
45625 diff -urNp linux-2.6.35.7/include/linux/grmsg.h linux-2.6.35.7/include/linux/grmsg.h
45626 --- linux-2.6.35.7/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
45627 +++ linux-2.6.35.7/include/linux/grmsg.h 2010-10-18 21:01:30.000000000 -0400
45629 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
45630 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
45631 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
45632 +#define GR_STOPMOD_MSG "denied modification of module state by "
45633 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
45634 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
45635 +#define GR_IOPERM_MSG "denied use of ioperm() by "
45636 +#define GR_IOPL_MSG "denied use of iopl() by "
45637 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
45638 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
45639 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
45640 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
45641 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
45642 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
45643 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
45644 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
45645 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
45646 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
45647 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
45648 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
45649 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
45650 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
45651 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
45652 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
45653 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
45654 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
45655 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
45656 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
45657 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
45658 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
45659 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
45660 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
45661 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
45662 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
45663 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
45664 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
45665 +#define GR_NPROC_MSG "denied overstep of process limit by "
45666 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
45667 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
45668 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
45669 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
45670 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
45671 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
45672 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
45673 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
45674 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
45675 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
45676 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
45677 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
45678 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
45679 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
45680 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
45681 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
45682 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
45683 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
45684 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
45685 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
45686 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
45687 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
45688 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
45689 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
45690 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
45691 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
45692 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
45693 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
45694 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
45695 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
45696 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
45697 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
45698 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
45699 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
45700 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
45701 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
45702 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
45703 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
45704 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
45705 +#define GR_NICE_CHROOT_MSG "denied priority change by "
45706 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
45707 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
45708 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
45709 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
45710 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
45711 +#define GR_TIME_MSG "time set by "
45712 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
45713 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
45714 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
45715 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
45716 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
45717 +#define GR_BIND_MSG "denied bind() by "
45718 +#define GR_CONNECT_MSG "denied connect() by "
45719 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
45720 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
45721 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
45722 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
45723 +#define GR_CAP_ACL_MSG "use of %s denied for "
45724 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
45725 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
45726 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
45727 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
45728 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
45729 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
45730 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
45731 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
45732 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
45733 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
45734 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
45735 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
45736 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
45737 +#define GR_VM86_MSG "denied use of vm86 by "
45738 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
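Review bot: `GR_TEXTREL_AUDIT_MSG` formats what is presumably a file path with an unbounded `%s`, whereas the other path-bearing messages in this file cap the field (`%.950s`, `%.480s`). The log buffer and `gr_log_varargs()` are outside this hunk, but if the buffer is fixed-size, a long path would crowd out the subject description appended after the trailing `by `. Bounding it like its neighbours keeps the actor identity in the record: `#define GR_TEXTREL_AUDIT_MSG "text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. A comment at the top of the file should also state whether path strings are escaped before logging, since file names can contain newlines and other control characters.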
45739 diff -urNp linux-2.6.35.7/include/linux/grsecurity.h linux-2.6.35.7/include/linux/grsecurity.h
45740 --- linux-2.6.35.7/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
45741 +++ linux-2.6.35.7/include/linux/grsecurity.h 2010-10-18 21:01:30.000000000 -0400
45743 +#ifndef GR_SECURITY_H
45744 +#define GR_SECURITY_H
45745 +#include <linux/fs.h>
45746 +#include <linux/fs_struct.h>
45747 +#include <linux/binfmts.h>
45748 +#include <linux/gracl.h>
45750 +/* notify of brain-dead configs */
45751 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
45752 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
45754 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45755 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45757 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45758 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45760 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
45761 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
45763 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
45764 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
45767 +void gr_handle_brute_attach(struct task_struct *p);
45768 +void gr_handle_brute_check(void);
45770 +char gr_roletype_to_char(void);
45772 +int gr_check_user_change(int real, int effective, int fs);
45773 +int gr_check_group_change(int real, int effective, int fs);
45775 +void gr_del_task_from_ip_table(struct task_struct *p);
45777 +int gr_pid_is_chrooted(struct task_struct *p);
45778 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
45779 +int gr_handle_chroot_nice(void);
45780 +int gr_handle_chroot_sysctl(const int op);
45781 +int gr_handle_chroot_setpriority(struct task_struct *p,
45782 + const int niceval);
45783 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
45784 +int gr_handle_chroot_chroot(const struct dentry *dentry,
45785 + const struct vfsmount *mnt);
45786 +int gr_handle_chroot_caps(struct path *path);
45787 +void gr_handle_chroot_chdir(struct path *path);
45788 +int gr_handle_chroot_chmod(const struct dentry *dentry,
45789 + const struct vfsmount *mnt, const int mode);
45790 +int gr_handle_chroot_mknod(const struct dentry *dentry,
45791 + const struct vfsmount *mnt, const int mode);
45792 +int gr_handle_chroot_mount(const struct dentry *dentry,
45793 + const struct vfsmount *mnt,
45794 + const char *dev_name);
45795 +int gr_handle_chroot_pivot(void);
45796 +int gr_handle_chroot_unix(const pid_t pid);
45798 +int gr_handle_rawio(const struct inode *inode);
45799 +int gr_handle_nproc(void);
45801 +void gr_handle_ioperm(void);
45802 +void gr_handle_iopl(void);
45804 +int gr_tpe_allow(const struct file *file);
45806 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
45807 +void gr_clear_chroot_entries(struct task_struct *task);
45809 +void gr_log_forkfail(const int retval);
45810 +void gr_log_timechange(void);
45811 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
45812 +void gr_log_chdir(const struct dentry *dentry,
45813 + const struct vfsmount *mnt);
45814 +void gr_log_chroot_exec(const struct dentry *dentry,
45815 + const struct vfsmount *mnt);
45816 +void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
45817 +void gr_log_remount(const char *devname, const int retval);
45818 +void gr_log_unmount(const char *devname, const int retval);
45819 +void gr_log_mount(const char *from, const char *to, const int retval);
45820 +void gr_log_textrel(struct vm_area_struct *vma);
45821 +void gr_log_rwxmmap(struct file *file);
45822 +void gr_log_rwxmprotect(struct file *file);
45824 +int gr_handle_follow_link(const struct inode *parent,
45825 + const struct inode *inode,
45826 + const struct dentry *dentry,
45827 + const struct vfsmount *mnt);
45828 +int gr_handle_fifo(const struct dentry *dentry,
45829 + const struct vfsmount *mnt,
45830 + const struct dentry *dir, const int flag,
45831 + const int acc_mode);
45832 +int gr_handle_hardlink(const struct dentry *dentry,
45833 + const struct vfsmount *mnt,
45834 + struct inode *inode,
45835 + const int mode, const char *to);
45837 +int gr_is_capable(const int cap);
45838 +int gr_is_capable_nolog(const int cap);
45839 +void gr_learn_resource(const struct task_struct *task, const int limit,
45840 + const unsigned long wanted, const int gt);
45841 +void gr_copy_label(struct task_struct *tsk);
45842 +void gr_handle_crash(struct task_struct *task, const int sig);
45843 +int gr_handle_signal(const struct task_struct *p, const int sig);
45844 +int gr_check_crash_uid(const uid_t uid);
45845 +int gr_check_protected_task(const struct task_struct *task);
45846 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
45847 +int gr_acl_handle_mmap(const struct file *file,
45848 + const unsigned long prot);
45849 +int gr_acl_handle_mprotect(const struct file *file,
45850 + const unsigned long prot);
45851 +int gr_check_hidden_task(const struct task_struct *tsk);
45852 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
45853 + const struct vfsmount *mnt);
45854 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
45855 + const struct vfsmount *mnt);
45856 +__u32 gr_acl_handle_access(const struct dentry *dentry,
45857 + const struct vfsmount *mnt, const int fmode);
45858 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
45859 + const struct vfsmount *mnt, mode_t mode);
45860 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
45861 + const struct vfsmount *mnt, mode_t mode);
45862 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
45863 + const struct vfsmount *mnt);
45864 +int gr_handle_ptrace(struct task_struct *task, const long request);
45865 +int gr_handle_proc_ptrace(struct task_struct *task);
45866 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
45867 + const struct vfsmount *mnt);
45868 +int gr_check_crash_exec(const struct file *filp);
45869 +int gr_acl_is_enabled(void);
45870 +void gr_set_kernel_label(struct task_struct *task);
45871 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
45872 + const gid_t gid);
45873 +int gr_set_proc_label(const struct dentry *dentry,
45874 + const struct vfsmount *mnt,
45875 + const int unsafe_share);
45876 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
45877 + const struct vfsmount *mnt);
45878 +__u32 gr_acl_handle_open(const struct dentry *dentry,
45879 + const struct vfsmount *mnt, const int fmode);
45880 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
45881 + const struct dentry *p_dentry,
45882 + const struct vfsmount *p_mnt, const int fmode,
45883 + const int imode);
45884 +void gr_handle_create(const struct dentry *dentry,
45885 + const struct vfsmount *mnt);
45886 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
45887 + const struct dentry *parent_dentry,
45888 + const struct vfsmount *parent_mnt,
45890 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
45891 + const struct dentry *parent_dentry,
45892 + const struct vfsmount *parent_mnt);
45893 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
45894 + const struct vfsmount *mnt);
45895 +void gr_handle_delete(const ino_t ino, const dev_t dev);
45896 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
45897 + const struct vfsmount *mnt);
45898 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
45899 + const struct dentry *parent_dentry,
45900 + const struct vfsmount *parent_mnt,
45901 + const char *from);
45902 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
45903 + const struct dentry *parent_dentry,
45904 + const struct vfsmount *parent_mnt,
45905 + const struct dentry *old_dentry,
45906 + const struct vfsmount *old_mnt, const char *to);
45907 +int gr_acl_handle_rename(struct dentry *new_dentry,
45908 + struct dentry *parent_dentry,
45909 + const struct vfsmount *parent_mnt,
45910 + struct dentry *old_dentry,
45911 + struct inode *old_parent_inode,
45912 + struct vfsmount *old_mnt, const char *newname);
45913 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
45914 + struct dentry *old_dentry,
45915 + struct dentry *new_dentry,
45916 + struct vfsmount *mnt, const __u8 replace);
45917 +__u32 gr_check_link(const struct dentry *new_dentry,
45918 + const struct dentry *parent_dentry,
45919 + const struct vfsmount *parent_mnt,
45920 + const struct dentry *old_dentry,
45921 + const struct vfsmount *old_mnt);
45922 +int gr_acl_handle_filldir(const struct file *file, const char *name,
45923 + const unsigned int namelen, const ino_t ino);
45925 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
45926 + const struct vfsmount *mnt);
45927 +void gr_acl_handle_exit(void);
45928 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
45929 +int gr_acl_handle_procpidmem(const struct task_struct *task);
45930 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
45931 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
45932 +void gr_audit_ptrace(struct task_struct *task);
45934 +#ifdef CONFIG_GRKERNSEC
45935 +void gr_log_nonroot_mod_load(const char *modname);
45936 +void gr_handle_vm86(void);
45937 +void gr_handle_mem_write(void);
45938 +void gr_handle_kmem_write(void);
45939 +void gr_handle_open_port(void);
45940 +int gr_handle_mem_mmap(const unsigned long offset,
45941 + struct vm_area_struct *vma);
45943 +extern int grsec_enable_dmesg;
45944 +extern int grsec_disable_privio;
45948 diff -urNp linux-2.6.35.7/include/linux/grsock.h linux-2.6.35.7/include/linux/grsock.h
45949 --- linux-2.6.35.7/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
45950 +++ linux-2.6.35.7/include/linux/grsock.h 2010-09-17 20:12:37.000000000 -0400
45952 +#ifndef __GRSOCK_H
45953 +#define __GRSOCK_H
45955 +extern void gr_attach_curr_ip(const struct sock *sk);
45956 +extern int gr_handle_sock_all(const int family, const int type,
45957 + const int protocol);
45958 +extern int gr_handle_sock_server(const struct sockaddr *sck);
45959 +extern int gr_handle_sock_server_other(const struct sock *sck);
45960 +extern int gr_handle_sock_client(const struct sockaddr *sck);
45961 +extern int gr_search_connect(struct socket * sock,
45962 + struct sockaddr_in * addr);
45963 +extern int gr_search_bind(struct socket * sock,
45964 + struct sockaddr_in * addr);
45965 +extern int gr_search_listen(struct socket * sock);
45966 +extern int gr_search_accept(struct socket * sock);
45967 +extern int gr_search_socket(const int domain, const int type,
45968 + const int protocol);
45971 diff -urNp linux-2.6.35.7/include/linux/highmem.h linux-2.6.35.7/include/linux/highmem.h
45972 --- linux-2.6.35.7/include/linux/highmem.h 2010-08-26 19:47:12.000000000 -0400
45973 +++ linux-2.6.35.7/include/linux/highmem.h 2010-09-17 20:12:09.000000000 -0400
45974 @@ -143,6 +143,18 @@ static inline void clear_highpage(struct
45975 kunmap_atomic(kaddr, KM_USER0);
45978 +static inline void sanitize_highpage(struct page *page)
45981 + unsigned long flags;
45983 + local_irq_save(flags);
45984 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
45985 + clear_page(kaddr);
45986 + kunmap_atomic(kaddr, KM_CLEARPAGE);
45987 + local_irq_restore(flags);
45990 static inline void zero_user_segments(struct page *page,
45991 unsigned start1, unsigned end1,
45992 unsigned start2, unsigned end2)
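Review bot: sanitize_highpage() is added without a comment saying why it exists next to clear_highpage() or why the mapping is bracketed by `local_irq_save()`/`local_irq_restore()`. The visible difference from the clear_highpage() context line is the dedicated `KM_CLEARPAGE` slot instead of `KM_USER0`. Interrupts are presumably disabled so the slot cannot be reused on the same CPU while the page is mapped, but the hunk does not say so. Once the intended calling contexts are confirmed, I would add a header such as `/* Zero a page through the KM_CLEARPAGE slot with IRQs off, so it can run where KM_USER0 may already be in use. */`. Some lines of the function body are not shown in this rendering.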
45993 diff -urNp linux-2.6.35.7/include/linux/interrupt.h linux-2.6.35.7/include/linux/interrupt.h
45994 --- linux-2.6.35.7/include/linux/interrupt.h 2010-08-26 19:47:12.000000000 -0400
45995 +++ linux-2.6.35.7/include/linux/interrupt.h 2010-09-17 20:12:09.000000000 -0400
45996 @@ -392,7 +392,7 @@ enum
45997 /* map softirq index to softirq name. update 'softirq_to_name' in
45998 * kernel/softirq.c when adding a new softirq.
46000 -extern char *softirq_to_name[NR_SOFTIRQS];
46001 +extern const char * const softirq_to_name[NR_SOFTIRQS];
46003 /* softirq mask and active fields moved to irq_cpustat_t in
46004 * asm/hardirq.h to get better cache usage. KAO
46005 @@ -400,12 +400,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
46007 struct softirq_action
46009 - void (*action)(struct softirq_action *);
46010 + void (*action)(void);
46013 asmlinkage void do_softirq(void);
46014 asmlinkage void __do_softirq(void);
46015 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
46016 +extern void open_softirq(int nr, void (*action)(void));
46017 extern void softirq_init(void);
46018 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
46019 extern void raise_softirq_irqoff(unsigned int nr);
46020 diff -urNp linux-2.6.35.7/include/linux/jbd2.h linux-2.6.35.7/include/linux/jbd2.h
46021 --- linux-2.6.35.7/include/linux/jbd2.h 2010-08-26 19:47:12.000000000 -0400
46022 +++ linux-2.6.35.7/include/linux/jbd2.h 2010-09-17 20:12:09.000000000 -0400
46023 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
46027 -#define jbd_debug(f, a...) /**/
46028 +#define jbd_debug(f, a...) do {} while (0)
46031 extern void *jbd2_alloc(size_t size, gfp_t flags);
46032 diff -urNp linux-2.6.35.7/include/linux/jbd.h linux-2.6.35.7/include/linux/jbd.h
46033 --- linux-2.6.35.7/include/linux/jbd.h 2010-08-26 19:47:12.000000000 -0400
46034 +++ linux-2.6.35.7/include/linux/jbd.h 2010-09-17 20:12:09.000000000 -0400
46035 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
46039 -#define jbd_debug(f, a...) /**/
46040 +#define jbd_debug(f, a...) do {} while (0)
46043 static inline void *jbd_alloc(size_t size, gfp_t flags)
46044 diff -urNp linux-2.6.35.7/include/linux/kallsyms.h linux-2.6.35.7/include/linux/kallsyms.h
46045 --- linux-2.6.35.7/include/linux/kallsyms.h 2010-08-26 19:47:12.000000000 -0400
46046 +++ linux-2.6.35.7/include/linux/kallsyms.h 2010-09-17 20:12:37.000000000 -0400
46051 -#ifdef CONFIG_KALLSYMS
46052 +#ifndef __INCLUDED_BY_HIDESYM
46053 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
46054 /* Lookup the address for a symbol. Returns 0 if not found. */
46055 unsigned long kallsyms_lookup_name(const char *name);
46057 @@ -92,6 +93,9 @@ static inline int lookup_symbol_attrs(un
46058 /* Stupid that this does nothing, but I didn't create this mess. */
46059 #define __print_symbol(fmt, addr)
46060 #endif /*CONFIG_KALLSYMS*/
46061 +#else /* when included by kallsyms.c, with HIDESYM enabled */
46062 +extern void __print_symbol(const char *fmt, unsigned long address);
46065 /* This macro allows us to keep printk typechecking */
46066 static void __check_printsym_format(const char *fmt, ...)
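Review bot: The `#endif /*CONFIG_KALLSYMS*/` kept as context in this hunk now closes `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` from the previous hunk, so its trailing comment no longer names the condition. `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` would. The new outer `#ifndef __INCLUDED_BY_HIDESYM` guard is explained only at its `#else`, so a reader meets the guard before the explanation and a one-line comment at the opening would help. With HIDESYM enabled, every other includer appears to fall through to the stub definitions rather than the real lookup functions, and that is worth stating at the guard since it is the security-relevant effect.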
46067 diff -urNp linux-2.6.35.7/include/linux/kgdb.h linux-2.6.35.7/include/linux/kgdb.h
46068 --- linux-2.6.35.7/include/linux/kgdb.h 2010-08-26 19:47:12.000000000 -0400
46069 +++ linux-2.6.35.7/include/linux/kgdb.h 2010-09-17 20:12:09.000000000 -0400
46070 @@ -263,22 +263,22 @@ struct kgdb_arch {
46074 - int (*read_char) (void);
46075 - void (*write_char) (u8);
46076 - void (*flush) (void);
46077 - int (*init) (void);
46078 - void (*pre_exception) (void);
46079 - void (*post_exception) (void);
46080 + int (* const read_char) (void);
46081 + void (* const write_char) (u8);
46082 + void (* const flush) (void);
46083 + int (* const init) (void);
46084 + void (* const pre_exception) (void);
46085 + void (* const post_exception) (void);
46089 -extern struct kgdb_arch arch_kgdb_ops;
46090 +extern const struct kgdb_arch arch_kgdb_ops;
46092 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
46094 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
46095 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
46096 -extern struct kgdb_io *dbg_io_ops;
46097 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
46098 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
46099 +extern const struct kgdb_io *dbg_io_ops;
46101 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
46102 extern int kgdb_mem2hex(char *mem, char *buf, int count);
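Review bot: The callback members `read_char` through `post_exception` each gain `* const`, and the pointers and instances that refer to these tables (`dbg_io_ops`, `arch_kgdb_ops`) become `const` as well, but the header never states the intent. It is presumably that the ops tables live in read-only memory and cannot be retargeted at run time. Member-level `const` also means an instance can only be filled by an initializer, never by assignment, which is easy to trip over when adding a new I/O driver. A comment on the struct would cover both, e.g. `/* All callbacks are const: define instances with a static initializer. */`. The same undocumented pattern is applied to `struct nlmsvc_binding` in lockd/bind.h and `struct item_operations` in reiserfs_fs.h. The struct's opening line is not shown in this hunk.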
46103 diff -urNp linux-2.6.35.7/include/linux/kvm_host.h linux-2.6.35.7/include/linux/kvm_host.h
46104 --- linux-2.6.35.7/include/linux/kvm_host.h 2010-09-26 17:32:11.000000000 -0400
46105 +++ linux-2.6.35.7/include/linux/kvm_host.h 2010-09-26 17:32:50.000000000 -0400
46106 @@ -244,7 +244,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
46107 void vcpu_load(struct kvm_vcpu *vcpu);
46108 void vcpu_put(struct kvm_vcpu *vcpu);
46110 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
46111 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
46112 struct module *module);
46113 void kvm_exit(void);
46115 @@ -368,7 +368,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
46116 struct kvm_guest_debug *dbg);
46117 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
46119 -int kvm_arch_init(void *opaque);
46120 +int kvm_arch_init(const void *opaque);
46121 void kvm_arch_exit(void);
46123 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
46124 diff -urNp linux-2.6.35.7/include/linux/libata.h linux-2.6.35.7/include/linux/libata.h
46125 --- linux-2.6.35.7/include/linux/libata.h 2010-09-20 17:33:09.000000000 -0400
46126 +++ linux-2.6.35.7/include/linux/libata.h 2010-09-20 17:33:35.000000000 -0400
46127 @@ -64,11 +64,11 @@
46128 #ifdef ATA_VERBOSE_DEBUG
46129 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
46131 -#define VPRINTK(fmt, args...)
46132 +#define VPRINTK(fmt, args...) do {} while (0)
46133 #endif /* ATA_VERBOSE_DEBUG */
46135 -#define DPRINTK(fmt, args...)
46136 -#define VPRINTK(fmt, args...)
46137 +#define DPRINTK(fmt, args...) do {} while (0)
46138 +#define VPRINTK(fmt, args...) do {} while (0)
46139 #endif /* ATA_DEBUG */
46141 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
46142 @@ -524,11 +524,11 @@ struct ata_ioports {
46146 - struct device *dev;
46147 + struct device *dev;
46148 void __iomem * const *iomap;
46149 unsigned int n_ports;
46150 void *private_data;
46151 - struct ata_port_operations *ops;
46152 + const struct ata_port_operations *ops;
46153 unsigned long flags;
46154 #ifdef CONFIG_ATA_ACPI
46155 acpi_handle acpi_handle;
46156 @@ -710,7 +710,7 @@ struct ata_link {
46159 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
46160 - struct ata_port_operations *ops;
46161 + const struct ata_port_operations *ops;
46163 /* Flags owned by the EH context. Only EH should touch these once the
46165 @@ -895,7 +895,7 @@ struct ata_port_info {
46166 unsigned long pio_mask;
46167 unsigned long mwdma_mask;
46168 unsigned long udma_mask;
46169 - struct ata_port_operations *port_ops;
46170 + const struct ata_port_operations *port_ops;
46171 void *private_data;
46174 @@ -919,7 +919,7 @@ extern const unsigned long sata_deb_timi
46175 extern const unsigned long sata_deb_timing_hotplug[];
46176 extern const unsigned long sata_deb_timing_long[];
46178 -extern struct ata_port_operations ata_dummy_port_ops;
46179 +extern const struct ata_port_operations ata_dummy_port_ops;
46180 extern const struct ata_port_info ata_dummy_port_info;
46182 static inline const unsigned long *
46183 @@ -963,7 +963,7 @@ extern int ata_host_activate(struct ata_
46184 struct scsi_host_template *sht);
46185 extern void ata_host_detach(struct ata_host *host);
46186 extern void ata_host_init(struct ata_host *, struct device *,
46187 - unsigned long, struct ata_port_operations *);
46188 + unsigned long, const struct ata_port_operations *);
46189 extern int ata_scsi_detect(struct scsi_host_template *sht);
46190 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
46191 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
46192 diff -urNp linux-2.6.35.7/include/linux/lockd/bind.h linux-2.6.35.7/include/linux/lockd/bind.h
46193 --- linux-2.6.35.7/include/linux/lockd/bind.h 2010-08-26 19:47:12.000000000 -0400
46194 +++ linux-2.6.35.7/include/linux/lockd/bind.h 2010-09-17 20:12:09.000000000 -0400
46195 @@ -23,13 +23,13 @@ struct svc_rqst;
46196 * This is the set of functions for lockd->nfsd communication
46198 struct nlmsvc_binding {
46199 - __be32 (*fopen)(struct svc_rqst *,
46200 + __be32 (* const fopen)(struct svc_rqst *,
46203 - void (*fclose)(struct file *);
46204 + void (* const fclose)(struct file *);
46207 -extern struct nlmsvc_binding * nlmsvc_ops;
46208 +extern const struct nlmsvc_binding * nlmsvc_ops;
46211 * Similar to nfs_client_initdata, but without the NFS-specific
46212 diff -urNp linux-2.6.35.7/include/linux/mm.h linux-2.6.35.7/include/linux/mm.h
46213 --- linux-2.6.35.7/include/linux/mm.h 2010-09-26 17:32:11.000000000 -0400
46214 +++ linux-2.6.35.7/include/linux/mm.h 2010-09-26 17:32:50.000000000 -0400
46215 @@ -107,7 +107,14 @@ extern unsigned int kobjsize(const void
46217 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
46218 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
46220 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
46221 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
46222 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
46224 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
46227 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
46228 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
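Review bot: In the `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` branch, `VM_PAGEEXEC` takes over bit 0x20000000 and `VM_SAO` becomes 0, but neither comment says the bit is being shared. With `VM_SAO` equal to 0, every `flags & VM_SAO` test is silently false and `flags |= VM_SAO` is a no-op. That is harmless only because the flag is powerpc-specific, as its own comment notes. I would make the reuse explicit, e.g. `#define VM_SAO 0x00000000 /* powerpc-only; bit reused by VM_PAGEEXEC on x86_32 */`, so a later flag addition does not claim 0x20000000 a third time.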
46230 @@ -1014,6 +1021,8 @@ struct shrinker {
46231 extern void register_shrinker(struct shrinker *);
46232 extern void unregister_shrinker(struct shrinker *);
46234 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
46236 int vma_wants_writenotify(struct vm_area_struct *vma);
46238 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
46239 @@ -1290,6 +1299,7 @@ out:
46242 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
46243 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
46245 extern unsigned long do_brk(unsigned long, unsigned long);
46247 @@ -1346,6 +1356,10 @@ extern struct vm_area_struct * find_vma(
46248 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
46249 struct vm_area_struct **pprev);
46251 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
46252 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
46253 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
46255 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
46256 NULL if none. Assume start_addr < end_addr. */
46257 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
46258 @@ -1362,7 +1376,6 @@ static inline unsigned long vma_pages(st
46259 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
46262 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
46263 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
46264 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
46265 unsigned long pfn, unsigned long size, pgprot_t);
46266 @@ -1469,10 +1482,16 @@ extern int unpoison_memory(unsigned long
46267 extern int sysctl_memory_failure_early_kill;
46268 extern int sysctl_memory_failure_recovery;
46269 extern void shake_page(struct page *p, int access);
46270 -extern atomic_long_t mce_bad_pages;
46271 +extern atomic_long_unchecked_t mce_bad_pages;
46272 extern int soft_offline_page(struct page *page, int flags);
46274 extern void dump_page(struct page *page);
46276 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46277 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
46279 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
46282 #endif /* __KERNEL__ */
46283 #endif /* _LINUX_MM_H */
46284 diff -urNp linux-2.6.35.7/include/linux/mm_types.h linux-2.6.35.7/include/linux/mm_types.h
46285 --- linux-2.6.35.7/include/linux/mm_types.h 2010-08-26 19:47:12.000000000 -0400
46286 +++ linux-2.6.35.7/include/linux/mm_types.h 2010-09-17 20:12:09.000000000 -0400
46287 @@ -183,6 +183,8 @@ struct vm_area_struct {
46289 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
46292 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
46295 struct core_thread {
46296 @@ -310,6 +312,24 @@ struct mm_struct {
46297 #ifdef CONFIG_MMU_NOTIFIER
46298 struct mmu_notifier_mm *mmu_notifier_mm;
46301 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
46302 + unsigned long pax_flags;
46305 +#ifdef CONFIG_PAX_DLRESOLVE
46306 + unsigned long call_dl_resolve;
46309 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
46310 + unsigned long call_syscall;
46313 +#ifdef CONFIG_PAX_ASLR
46314 + unsigned long delta_mmap; /* randomized offset */
46315 + unsigned long delta_stack; /* randomized offset */
46320 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
46321 diff -urNp linux-2.6.35.7/include/linux/mmu_notifier.h linux-2.6.35.7/include/linux/mmu_notifier.h
46322 --- linux-2.6.35.7/include/linux/mmu_notifier.h 2010-08-26 19:47:12.000000000 -0400
46323 +++ linux-2.6.35.7/include/linux/mmu_notifier.h 2010-09-17 20:12:09.000000000 -0400
46324 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
46326 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
46330 struct vm_area_struct *___vma = __vma; \
46331 unsigned long ___address = __address; \
46332 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
46333 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
46334 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
46339 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
46340 diff -urNp linux-2.6.35.7/include/linux/mmzone.h linux-2.6.35.7/include/linux/mmzone.h
46341 --- linux-2.6.35.7/include/linux/mmzone.h 2010-09-26 17:32:11.000000000 -0400
46342 +++ linux-2.6.35.7/include/linux/mmzone.h 2010-09-26 17:32:50.000000000 -0400
46343 @@ -352,7 +352,7 @@ struct zone {
46344 unsigned long flags; /* zone flags, see below */
46346 /* Zone statistics */
46347 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46348 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46351 * prev_priority holds the scanning priority for this zone. It is
46352 diff -urNp linux-2.6.35.7/include/linux/mod_devicetable.h linux-2.6.35.7/include/linux/mod_devicetable.h
46353 --- linux-2.6.35.7/include/linux/mod_devicetable.h 2010-08-26 19:47:12.000000000 -0400
46354 +++ linux-2.6.35.7/include/linux/mod_devicetable.h 2010-09-17 20:12:09.000000000 -0400
46356 typedef unsigned long kernel_ulong_t;
46359 -#define PCI_ANY_ID (~0)
46360 +#define PCI_ANY_ID ((__u16)~0)
46362 struct pci_device_id {
46363 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
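Review bot: `PCI_ANY_ID` changes value where it is stored: the context line shows `vendor` and `device` are `__u32`, so the old `(~0)` produced 0xffffffff in those fields and the new `((__u16)~0)` produces 0x0000ffff. Comparisons written against the macro stay self-consistent. Anything that spells the wildcard as a literal, or was built against the unpatched header (out-of-tree modules, tools that read device tables), will no longer agree. If the narrowing is intended, the define should say so, e.g. `/* wildcard; 16 bits wide to match PCI vendor/device IDs */`. Otherwise `(~0U)`, as used for `HID_ANY_ID` in the next hunk, removes the signedness while keeping the 32-bit value. The struct continues beyond the hunk.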
46364 @@ -131,7 +131,7 @@ struct usb_device_id {
46365 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
46366 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
46368 -#define HID_ANY_ID (~0)
46369 +#define HID_ANY_ID (~0U)
46371 struct hid_device_id {
46373 diff -urNp linux-2.6.35.7/include/linux/module.h linux-2.6.35.7/include/linux/module.h
46374 --- linux-2.6.35.7/include/linux/module.h 2010-08-26 19:47:12.000000000 -0400
46375 +++ linux-2.6.35.7/include/linux/module.h 2010-09-17 20:12:09.000000000 -0400
46376 @@ -297,16 +297,16 @@ struct module
46379 /* If this is non-NULL, vfree after init() returns */
46380 - void *module_init;
46381 + void *module_init_rx, *module_init_rw;
46383 /* Here is the actual code + data, vfree'd on unload. */
46384 - void *module_core;
46385 + void *module_core_rx, *module_core_rw;
46387 /* Here are the sizes of the init and core sections */
46388 - unsigned int init_size, core_size;
46389 + unsigned int init_size_rw, core_size_rw;
46391 /* The size of the executable code in each section. */
46392 - unsigned int init_text_size, core_text_size;
46393 + unsigned int init_size_rx, core_size_rx;
46395 /* Arch-specific module values */
46396 struct mod_arch_specific arch;
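Review bot: The retained comments no longer describe the renamed fields. `/* Here are the sizes of the init and core sections */` now sits above `init_size_rw, core_size_rw`, and `/* The size of the executable code in each section. */` sits above `init_size_rx, core_size_rx`. If each region is now split into separate RX and RW allocations, as the names suggest, the first comment should read along the lines of `/* Sizes of the writable (RW) parts of init and core */` and the second `/* Sizes of the executable (RX) parts of init and core */`. The `vfree` comments above the pointer pairs should likewise say whether both the `_rx` and `_rw` regions are released. The struct starts and ends outside the hunk.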
46397 @@ -408,16 +408,46 @@ bool is_module_address(unsigned long add
46398 bool is_module_percpu_address(unsigned long addr);
46399 bool is_module_text_address(unsigned long addr);
46401 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
46404 +#ifdef CONFIG_PAX_KERNEXEC
46405 + if (ktla_ktva(addr) >= (unsigned long)start &&
46406 + ktla_ktva(addr) < (unsigned long)start + size)
46410 + return ((void *)addr >= start && (void *)addr < start + size);
46413 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
46415 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
46418 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
46420 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
46423 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
46425 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
46428 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
46430 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
46433 static inline int within_module_core(unsigned long addr, struct module *mod)
46435 - return (unsigned long)mod->module_core <= addr &&
46436 - addr < (unsigned long)mod->module_core + mod->core_size;
46437 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
46440 static inline int within_module_init(unsigned long addr, struct module *mod)
46442 - return (unsigned long)mod->module_init <= addr &&
46443 - addr < (unsigned long)mod->module_init + mod->init_size;
46444 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
46447 /* Search for module by name: must hold module_mutex. */
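Review bot: within_module_range() compares in two different domains. The KERNEXEC branch casts `start` to `unsigned long`, while the fallback `return` compares `(void *)addr` against `start + size`, which is arithmetic on `void *` (a GNU extension). Doing both in integers, as the removed within_module_core() body did, reads more uniformly: `unsigned long base = (unsigned long)start;` followed by `return addr >= base && addr < base + size;`. The helper also has no comment explaining why the KERNEXEC case tests `ktla_ktva(addr)` in addition to the plain address, and one line on that translation would help the next reader. Several lines of the function are not shown in this rendering, so the exact branch structure should be checked against the full patch.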
46448 diff -urNp linux-2.6.35.7/include/linux/moduleloader.h linux-2.6.35.7/include/linux/moduleloader.h
46449 --- linux-2.6.35.7/include/linux/moduleloader.h 2010-08-26 19:47:12.000000000 -0400
46450 +++ linux-2.6.35.7/include/linux/moduleloader.h 2010-09-17 20:12:09.000000000 -0400
46451 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
46452 sections. Returns NULL on failure. */
46453 void *module_alloc(unsigned long size);
46455 +#ifdef CONFIG_PAX_KERNEXEC
46456 +void *module_alloc_exec(unsigned long size);
46458 +#define module_alloc_exec(x) module_alloc(x)
46461 /* Free memory returned from module_alloc. */
46462 void module_free(struct module *mod, void *module_region);
46464 +#ifdef CONFIG_PAX_KERNEXEC
46465 +void module_free_exec(struct module *mod, void *module_region);
46467 +#define module_free_exec(x, y) module_free((x), (y))
46470 /* Apply the given relocation to the (simplified) ELF. Return -error
46472 int apply_relocate(Elf_Shdr *sechdrs,
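Review bot: module_alloc_exec() and module_free_exec() are added without the one-line comments their neighbours carry. Nothing states that memory obtained from module_alloc_exec() must be released with module_free_exec() rather than module_free(). Without CONFIG_PAX_KERNEXEC the fallback macros make the two pairs interchangeable, so a mismatched alloc/free would build and run there and only go wrong with the option enabled. Suggested comments: `/* Allocate memory for module code; release with module_free_exec(). */` and `/* Free memory returned from module_alloc_exec. */`. The apply_relocate prototype continues past the hunk.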
46473 diff -urNp linux-2.6.35.7/include/linux/moduleparam.h linux-2.6.35.7/include/linux/moduleparam.h
46474 --- linux-2.6.35.7/include/linux/moduleparam.h 2010-08-26 19:47:12.000000000 -0400
46475 +++ linux-2.6.35.7/include/linux/moduleparam.h 2010-10-11 22:41:44.000000000 -0400
46476 @@ -132,7 +132,7 @@ struct kparam_array
46478 /* Actually copy string: maxlen param is usually sizeof(string). */
46479 #define module_param_string(name, string, len, perm) \
46480 - static const struct kparam_string __param_string_##name \
46481 + static const struct kparam_string __param_string_##name __used \
46482 = { len, string }; \
46483 __module_param_call(MODULE_PARAM_PREFIX, name, \
46484 param_set_copystring, param_get_string, \
46485 @@ -211,7 +211,7 @@ extern int param_get_invbool(char *buffe
46487 /* Comma-separated array: *nump is set to number they actually specified. */
46488 #define module_param_array_named(name, array, type, nump, perm) \
46489 - static const struct kparam_array __param_arr_##name \
46490 + static const struct kparam_array __param_arr_##name __used \
46491 = { ARRAY_SIZE(array), nump, param_set_##type, param_get_##type,\
46492 sizeof(array[0]), array }; \
46493 __module_param_call(MODULE_PARAM_PREFIX, name, \
46494 diff -urNp linux-2.6.35.7/include/linux/namei.h linux-2.6.35.7/include/linux/namei.h
46495 --- linux-2.6.35.7/include/linux/namei.h 2010-08-26 19:47:12.000000000 -0400
46496 +++ linux-2.6.35.7/include/linux/namei.h 2010-09-17 20:12:09.000000000 -0400
46497 @@ -22,7 +22,7 @@ struct nameidata {
46498 unsigned int flags;
46501 - char *saved_names[MAX_NESTED_LINKS + 1];
46502 + const char *saved_names[MAX_NESTED_LINKS + 1];
46506 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
46507 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
46508 extern void unlock_rename(struct dentry *, struct dentry *);
46510 -static inline void nd_set_link(struct nameidata *nd, char *path)
46511 +static inline void nd_set_link(struct nameidata *nd, const char *path)
46513 nd->saved_names[nd->depth] = path;
46516 -static inline char *nd_get_link(struct nameidata *nd)
46517 +static inline const char *nd_get_link(const struct nameidata *nd)
46519 return nd->saved_names[nd->depth];
46521 diff -urNp linux-2.6.35.7/include/linux/netfilter/xt_gradm.h linux-2.6.35.7/include/linux/netfilter/xt_gradm.h
46522 --- linux-2.6.35.7/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
46523 +++ linux-2.6.35.7/include/linux/netfilter/xt_gradm.h 2010-09-28 18:05:52.000000000 -0400
46525 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
46526 +#define _LINUX_NETFILTER_XT_GRADM_H 1
46528 +struct xt_gradm_mtinfo {
46534 diff -urNp linux-2.6.35.7/include/linux/oprofile.h linux-2.6.35.7/include/linux/oprofile.h
46535 --- linux-2.6.35.7/include/linux/oprofile.h 2010-08-26 19:47:12.000000000 -0400
46536 +++ linux-2.6.35.7/include/linux/oprofile.h 2010-09-17 20:12:09.000000000 -0400
46537 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
46538 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
46539 char const * name, ulong * val);
46541 -/** Create a file for read-only access to an atomic_t. */
46542 +/** Create a file for read-only access to an atomic_unchecked_t. */
46543 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
46544 - char const * name, atomic_t * val);
46545 + char const * name, atomic_unchecked_t * val);
46547 /** create a directory */
46548 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
46549 diff -urNp linux-2.6.35.7/include/linux/pipe_fs_i.h linux-2.6.35.7/include/linux/pipe_fs_i.h
46550 --- linux-2.6.35.7/include/linux/pipe_fs_i.h 2010-08-26 19:47:12.000000000 -0400
46551 +++ linux-2.6.35.7/include/linux/pipe_fs_i.h 2010-09-17 20:12:09.000000000 -0400
46552 @@ -45,9 +45,9 @@ struct pipe_buffer {
46553 struct pipe_inode_info {
46554 wait_queue_head_t wait;
46555 unsigned int nrbufs, curbuf, buffers;
46556 - unsigned int readers;
46557 - unsigned int writers;
46558 - unsigned int waiting_writers;
46559 + atomic_t readers;
46560 + atomic_t writers;
46561 + atomic_t waiting_writers;
46562 unsigned int r_counter;
46563 unsigned int w_counter;
46564 struct page *tmp_page;
46565 diff -urNp linux-2.6.35.7/include/linux/poison.h linux-2.6.35.7/include/linux/poison.h
46566 --- linux-2.6.35.7/include/linux/poison.h 2010-08-26 19:47:12.000000000 -0400
46567 +++ linux-2.6.35.7/include/linux/poison.h 2010-09-17 20:12:09.000000000 -0400
46569 * under normal circumstances, used to verify that nobody uses
46570 * non-initialized list entries.
46572 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
46573 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
46574 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
46575 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
46577 /********** include/linux/timer.h **********/
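Review bot: On a 64-bit build `(long)0xFFFFFF01` does not give a pointer at the top of the address space. The literal does not fit in `int`, so it has type `unsigned int` and converts to `long` by zero-extension, yielding 0x00000000FFFFFF01. The removed lines added `POISON_POINTER_DELTA`, which lets an architecture place the poison values at an address that cannot be mapped. The new values drop that offset, so a dereference of a poisoned list pointer may no longer be guaranteed to fault on such a build. Sign-extending keeps the value in the last page for both word sizes: `#define LIST_POISON1 ((void *) (long)(int)0xFFFFFF01)`, and likewise for `LIST_POISON2`. The comment above the defines should also say where the values are meant to land.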
46579 diff -urNp linux-2.6.35.7/include/linux/proc_fs.h linux-2.6.35.7/include/linux/proc_fs.h
46580 --- linux-2.6.35.7/include/linux/proc_fs.h 2010-08-26 19:47:12.000000000 -0400
46581 +++ linux-2.6.35.7/include/linux/proc_fs.h 2010-09-17 20:12:37.000000000 -0400
46582 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
46583 return proc_create_data(name, mode, parent, proc_fops, NULL);
46586 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
46587 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
46589 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46590 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
46591 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46592 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
46594 + return proc_create_data(name, mode, parent, proc_fops, NULL);
46599 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
46600 mode_t mode, struct proc_dir_entry *base,
46601 read_proc_t *read_proc, void * data)
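Review bot: proc_create_grsec() ignores its `mode` argument entirely when CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP is set, substituting `S_IRUSR` or `S_IRUSR | S_IRGRP`. That is the restrictive direction, but it also silently discards any bits a caller passed on purpose, and the signature gives no hint of it. A header comment would make the contract visible, e.g. `/* Like proc_create(), but the mode is forced to owner (or owner+group) read-only under GRKERNSEC_PROC_USER/USERGROUP. */`. The create_proc_read_entry definition continues past the hunk.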
46602 diff -urNp linux-2.6.35.7/include/linux/random.h linux-2.6.35.7/include/linux/random.h
46603 --- linux-2.6.35.7/include/linux/random.h 2010-08-26 19:47:12.000000000 -0400
46604 +++ linux-2.6.35.7/include/linux/random.h 2010-09-17 20:12:09.000000000 -0400
46605 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
46607 u32 prandom32(struct rnd_state *);
46609 +static inline unsigned long pax_get_random_long(void)
46611 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
46615 * Handle minimum values for seeds
46617 static inline u32 __seed(u32 x, u32 m)
46619 - return (x < m) ? x + m : x;
46620 + return (x <= m) ? x + m + 1 : x;
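Review bot: pax_get_random_long() builds its result from random32(), the seeded pseudo-random generator this header declares next to srandom32() and prandom32(), not from the entropy pool. If callers use it for address-space randomisation, which the name suggests but this hunk does not show, get_random_bytes() would be the appropriate source. Failing that, the helper needs a comment stating that predictable output is acceptable. Separately, `(unsigned long)random32() << 32` is still parsed on 32-bit builds even though the ternary never selects it, and may draw a shift-count warning; guarding the upper half with `#if BITS_PER_LONG == 64` avoids that. The `__seed()` change in the same hunk looks right for a strict lower bound, and its comment could say the result is now always greater than `m`.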
46624 diff -urNp linux-2.6.35.7/include/linux/reiserfs_fs.h linux-2.6.35.7/include/linux/reiserfs_fs.h
46625 --- linux-2.6.35.7/include/linux/reiserfs_fs.h 2010-08-26 19:47:12.000000000 -0400
46626 +++ linux-2.6.35.7/include/linux/reiserfs_fs.h 2010-09-17 20:12:09.000000000 -0400
46627 @@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
46628 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
46630 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
46631 -#define get_generation(s) atomic_read (&fs_generation(s))
46632 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
46633 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
46634 #define __fs_changed(gen,s) (gen != get_generation (s))
46635 #define fs_changed(gen,s) \
46636 @@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
46639 struct item_operations {
46640 - int (*bytes_number) (struct item_head * ih, int block_size);
46641 - void (*decrement_key) (struct cpu_key *);
46642 - int (*is_left_mergeable) (struct reiserfs_key * ih,
46643 + int (* const bytes_number) (struct item_head * ih, int block_size);
46644 + void (* const decrement_key) (struct cpu_key *);
46645 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
46646 unsigned long bsize);
46647 - void (*print_item) (struct item_head *, char *item);
46648 - void (*check_item) (struct item_head *, char *item);
46649 + void (* const print_item) (struct item_head *, char *item);
46650 + void (* const check_item) (struct item_head *, char *item);
46652 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
46653 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
46654 int is_affected, int insert_size);
46655 - int (*check_left) (struct virtual_item * vi, int free,
46656 + int (* const check_left) (struct virtual_item * vi, int free,
46657 int start_skip, int end_skip);
46658 - int (*check_right) (struct virtual_item * vi, int free);
46659 - int (*part_size) (struct virtual_item * vi, int from, int to);
46660 - int (*unit_num) (struct virtual_item * vi);
46661 - void (*print_vi) (struct virtual_item * vi);
46662 + int (* const check_right) (struct virtual_item * vi, int free);
46663 + int (* const part_size) (struct virtual_item * vi, int from, int to);
46664 + int (* const unit_num) (struct virtual_item * vi);
46665 + void (* const print_vi) (struct virtual_item * vi);
46668 -extern struct item_operations *item_ops[TYPE_ANY + 1];
46669 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
46671 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
46672 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
46673 diff -urNp linux-2.6.35.7/include/linux/reiserfs_fs_sb.h linux-2.6.35.7/include/linux/reiserfs_fs_sb.h
46674 --- linux-2.6.35.7/include/linux/reiserfs_fs_sb.h 2010-08-26 19:47:12.000000000 -0400
46675 +++ linux-2.6.35.7/include/linux/reiserfs_fs_sb.h 2010-09-17 20:12:09.000000000 -0400
46676 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
46677 /* Comment? -Hans */
46678 wait_queue_head_t s_wait;
46679 /* To be obsoleted soon by per buffer seals.. -Hans */
46680 - atomic_t s_generation_counter; // increased by one every time the
46681 + atomic_unchecked_t s_generation_counter; // increased by one every time the
46682 // tree gets re-balanced
46683 unsigned long s_properties; /* File system properties. Currently holds
46684 on-disk FS format */
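Review bot: The switch of `s_generation_counter` to `atomic_unchecked_t` records no reason why this counter may wrap, and the same gap recurs in the later `__HANDLE_ITEM` change in sonet.h, `vm_stat` in vmstat.h and `rid`/`ip_id_count` in inetpeer.h. The types.h hunk further down suggests the unchecked type only differs from `atomic_t` under CONFIG_PAX_REFCOUNT, so each use is in effect an exemption from overflow detection and should carry its justification. I would extend the field comment, e.g. `/* generation stamp, not a reference count: wrap-around is expected, so exempt from overflow checking */`. Whether every reader of the counter tolerates a wrapped value cannot be confirmed from this hunk.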
46685 diff -urNp linux-2.6.35.7/include/linux/rmap.h linux-2.6.35.7/include/linux/rmap.h
46686 --- linux-2.6.35.7/include/linux/rmap.h 2010-08-26 19:47:12.000000000 -0400
46687 +++ linux-2.6.35.7/include/linux/rmap.h 2010-09-17 20:12:09.000000000 -0400
46688 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
46689 void anon_vma_init(void); /* create anon_vma_cachep */
46690 int anon_vma_prepare(struct vm_area_struct *);
46691 void unlink_anon_vmas(struct vm_area_struct *);
46692 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
46693 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
46694 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
46695 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
46696 void __anon_vma_link(struct vm_area_struct *);
46697 void anon_vma_free(struct anon_vma *);
46699 diff -urNp linux-2.6.35.7/include/linux/sched.h linux-2.6.35.7/include/linux/sched.h
46700 --- linux-2.6.35.7/include/linux/sched.h 2010-08-26 19:47:12.000000000 -0400
46701 +++ linux-2.6.35.7/include/linux/sched.h 2010-09-17 20:12:37.000000000 -0400
46702 @@ -100,6 +100,7 @@ struct robust_list_head;
46705 struct perf_event_context;
46706 +struct linux_binprm;
46709 * List of flags we want to share for kernel threads,
46710 @@ -381,10 +382,12 @@ struct user_namespace;
46711 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
46713 extern int sysctl_max_map_count;
46714 +extern unsigned long sysctl_heap_stack_gap;
46716 #include <linux/aio.h>
46719 +extern bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len);
46720 extern void arch_pick_mmap_layout(struct mm_struct *mm);
46721 extern unsigned long
46722 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
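Review bot: `check_heap_stack_gap()` is declared with a `bool` return, but nothing at the declaration says which value means the placement is acceptable, nor whether the caller or the callee must guard against `addr + len` wrapping. Both matter for a function whose name suggests it gates where a mapping may land relative to the stack. A short contract comment above the prototype would do, e.g. `/* returns true if [addr, addr+len) keeps the configured gap from vma; caller guarantees addr + len does not overflow */`, adjusted to the implementation, which is outside this hunk. `sysctl_heap_stack_gap` would likewise benefit from a note on its unit (bytes or pages).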
46723 @@ -628,6 +631,15 @@ struct signal_struct {
46724 struct tty_audit_buf *tty_audit_buf;
46727 +#ifdef CONFIG_GRKERNSEC
46733 + u8 used_accept:1;
46736 int oom_adj; /* OOM kill score adjustment (bit shift) */
46739 @@ -1166,7 +1178,7 @@ struct rcu_node;
46741 struct task_struct {
46742 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
46744 + struct thread_info *stack;
46746 unsigned int flags; /* per process flags, defined below */
46747 unsigned int ptrace;
46748 @@ -1274,8 +1286,8 @@ struct task_struct {
46749 struct list_head thread_group;
46751 struct completion *vfork_done; /* for vfork() */
46752 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
46753 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
46754 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
46755 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
46757 cputime_t utime, stime, utimescaled, stimescaled;
46759 @@ -1291,16 +1303,6 @@ struct task_struct {
46760 struct task_cputime cputime_expires;
46761 struct list_head cpu_timers[3];
46763 -/* process credentials */
46764 - const struct cred *real_cred; /* objective and real subjective task
46765 - * credentials (COW) */
46766 - const struct cred *cred; /* effective (overridable) subjective task
46767 - * credentials (COW) */
46768 - struct mutex cred_guard_mutex; /* guard against foreign influences on
46769 - * credential calculations
46770 - * (notably. ptrace) */
46771 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
46773 char comm[TASK_COMM_LEN]; /* executable name excluding path
46774 - access with [gs]et_task_comm (which lock
46775 it with task_lock())
46776 @@ -1384,6 +1386,15 @@ struct task_struct {
46777 int softirqs_enabled;
46778 int softirq_context;
46781 +/* process credentials */
46782 + const struct cred *real_cred; /* objective and real subjective task
46783 + * credentials (COW) */
46784 + struct mutex cred_guard_mutex; /* guard against foreign influences on
46785 + * credential calculations
46786 + * (notably. ptrace) */
46787 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
46789 #ifdef CONFIG_LOCKDEP
46790 # define MAX_LOCK_DEPTH 48UL
46791 u64 curr_chain_key;
46792 @@ -1404,6 +1415,9 @@ struct task_struct {
46794 struct backing_dev_info *backing_dev_info;
46796 + const struct cred *cred; /* effective (overridable) subjective task
46797 + * credentials (COW) */
46799 struct io_context *io_context;
46801 unsigned long ptrace_message;
46802 @@ -1469,6 +1483,20 @@ struct task_struct {
46803 unsigned long default_timer_slack_ns;
46805 struct list_head *scm_work_list;
46807 +#ifdef CONFIG_GRKERNSEC
46809 + struct dentry *gr_chroot_dentry;
46810 + struct acl_subject_label *acl;
46811 + struct acl_role_label *role;
46812 + struct file *exec_file;
46817 + u8 gr_is_chrooted;
46820 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
46821 /* Index of current stored address in ret_stack */
46822 int curr_ret_stack;
46823 @@ -1500,6 +1528,52 @@ struct task_struct {
46827 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
46828 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
46829 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
46830 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
46831 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
46832 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
46834 +#ifdef CONFIG_PAX_SOFTMODE
46835 +extern unsigned int pax_softmode;
46838 +extern int pax_check_flags(unsigned long *);
46840 +/* if tsk != current then task_lock must be held on it */
46841 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
46842 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
46844 + if (likely(tsk->mm))
46845 + return tsk->mm->pax_flags;
46850 +/* if tsk != current then task_lock must be held on it */
46851 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
46853 + if (likely(tsk->mm)) {
46854 + tsk->mm->pax_flags = flags;
46861 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
46862 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
46863 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
46864 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
46867 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
46868 +void pax_report_insns(void *pc, void *sp);
46869 +void pax_report_refcount_overflow(struct pt_regs *regs);
46870 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
46871 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
46873 /* Future-safe accessor for struct task_struct's cpus_allowed. */
46874 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
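Review bot: Under CONFIG_PAX_HOOK_ACL_FLAGS this hunk declares `pax_set_initial_flags_func` as a plain writable global function pointer, which sits oddly with the rest of the patch making operation tables const. Judging by its name and `linux_binprm` argument, it chooses the initial PaX flags at exec time, so it is worth protecting. If it is only assigned during initialisation, it could live in memory that becomes read-only afterwards, and the declaration should at least say who may set it, e.g. `/* set once by the ACL module; NULL means no hook */` (to be confirmed against the definition, which is not in this hunk). Separately, the `task_lock` requirement on `pax_get_flags()`/`pax_set_flags()` exists only as a comment; their bodies are only partly visible here, so I cannot tell whether anything asserts it.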
46876 @@ -2101,7 +2175,7 @@ extern void __cleanup_sighand(struct sig
46877 extern void exit_itimers(struct signal_struct *);
46878 extern void flush_itimer_signals(void);
46880 -extern NORET_TYPE void do_group_exit(int);
46881 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
46883 extern void daemonize(const char *, ...);
46884 extern int allow_signal(int);
46885 @@ -2217,8 +2291,8 @@ static inline void unlock_task_sighand(s
46887 #ifndef __HAVE_THREAD_FUNCTIONS
46889 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
46890 -#define task_stack_page(task) ((task)->stack)
46891 +#define task_thread_info(task) ((task)->stack)
46892 +#define task_stack_page(task) ((void *)(task)->stack)
46894 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
46896 @@ -2233,13 +2307,17 @@ static inline unsigned long *end_of_stac
46900 -static inline int object_is_on_stack(void *obj)
46901 +static inline int object_starts_on_stack(void *obj)
46903 - void *stack = task_stack_page(current);
46904 + const void *stack = task_stack_page(current);
46906 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
46909 +#ifdef CONFIG_PAX_USERCOPY
46910 +extern int object_is_on_stack(const void *obj, unsigned long len);
46913 extern void thread_info_cache_init(void);
46915 #ifdef CONFIG_DEBUG_STACK_USAGE
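Review bot: The name `object_is_on_stack` changes meaning in this hunk: the one-argument inline becomes `object_starts_on_stack()`, and a two-argument `object_is_on_stack(const void *obj, unsigned long len)` is declared only under CONFIG_PAX_USERCOPY, with no description of its return values. Callers of the old form that are not converted will fail to build with the option on and find no declaration with it off, so the rename must be complete across the tree (not verifiable from here). I would add a comment on the inline such as `/* checks only the first byte; says nothing about where the object ends */` and document the return convention of the length-aware variant beside its prototype. The inline's body is only partly visible in this hunk.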
46916 diff -urNp linux-2.6.35.7/include/linux/screen_info.h linux-2.6.35.7/include/linux/screen_info.h
46917 --- linux-2.6.35.7/include/linux/screen_info.h 2010-08-26 19:47:12.000000000 -0400
46918 +++ linux-2.6.35.7/include/linux/screen_info.h 2010-09-17 20:12:09.000000000 -0400
46919 @@ -43,7 +43,8 @@ struct screen_info {
46920 __u16 pages; /* 0x32 */
46921 __u16 vesa_attributes; /* 0x34 */
46922 __u32 capabilities; /* 0x36 */
46923 - __u8 _reserved[6]; /* 0x3a */
46924 + __u16 vesapm_size; /* 0x3a */
46925 + __u8 _reserved[4]; /* 0x3c */
46926 } __attribute__((packed));
46928 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
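Review bot: `vesapm_size` takes over two bytes that were `_reserved`, so any producer of `screen_info` that predates this layout will presumably leave it zero, and the hunk gives no hint of how a consumer should treat the value. Because the struct is `packed` and the offsets are maintained by hand in comments, a compile-time size check would also guard the layout, for instance `BUILD_BUG_ON(sizeof(struct screen_info) != 0x40)` in an init function (0x3c + 4 per the offsets shown). I would extend the field comment to `/* 0x3a; 0 = not provided, consumer must bound it before use */`, to be confirmed against the code that reads it.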
46929 diff -urNp linux-2.6.35.7/include/linux/security.h linux-2.6.35.7/include/linux/security.h
46930 --- linux-2.6.35.7/include/linux/security.h 2010-08-26 19:47:12.000000000 -0400
46931 +++ linux-2.6.35.7/include/linux/security.h 2010-09-17 20:12:37.000000000 -0400
46933 #include <linux/key.h>
46934 #include <linux/xfrm.h>
46935 #include <linux/slab.h>
46936 +#include <linux/grsecurity.h>
46937 #include <net/flow.h>
46939 /* Maximum number of letters for an LSM name string */
46940 diff -urNp linux-2.6.35.7/include/linux/shm.h linux-2.6.35.7/include/linux/shm.h
46941 --- linux-2.6.35.7/include/linux/shm.h 2010-08-26 19:47:12.000000000 -0400
46942 +++ linux-2.6.35.7/include/linux/shm.h 2010-09-17 20:12:37.000000000 -0400
46943 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
46946 struct user_struct *mlock_user;
46947 +#ifdef CONFIG_GRKERNSEC
46948 + time_t shm_createtime;
46953 /* shm_mode upper byte flags */
46954 diff -urNp linux-2.6.35.7/include/linux/slab.h linux-2.6.35.7/include/linux/slab.h
46955 --- linux-2.6.35.7/include/linux/slab.h 2010-08-26 19:47:12.000000000 -0400
46956 +++ linux-2.6.35.7/include/linux/slab.h 2010-09-17 20:12:09.000000000 -0400
46959 #include <linux/gfp.h>
46960 #include <linux/types.h>
46961 +#include <linux/err.h>
46964 * Flags to pass to kmem_cache_create().
46965 @@ -87,10 +88,13 @@
46966 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
46967 * Both make kfree a no-op.
46969 -#define ZERO_SIZE_PTR ((void *)16)
46970 +#define ZERO_SIZE_PTR \
46972 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
46973 + (void *)(-MAX_ERRNO-1L); \
46976 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
46977 - (unsigned long)ZERO_SIZE_PTR)
46978 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
46981 * struct kmem_cache related prototypes
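Review bot: With the new definitions `ZERO_OR_NULL_PTR(x)` is true not only for NULL and `ZERO_SIZE_PTR` but for every value above `ZERO_SIZE_PTR`, i.e. the range `-MAX_ERRNO..-1` cast to a pointer, yet the retained comment still speaks of only two values making kfree a no-op. If treating error-encoded pointers this way is intended, say so next to the macro, e.g. `/* true for NULL, ZERO_SIZE_PTR and the whole error-pointer range above it; the unsigned wrap of x - 1 is deliberate */`. `ZERO_SIZE_PTR` also appears to become a statement expression because of the `BUILD_BUG_ON`, so it can no longer be used where a constant expression is required; that restriction is worth a line too. Part of the macro body is not shown in this hunk.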
46982 @@ -144,6 +148,7 @@ void * __must_check krealloc(const void
46983 void kfree(const void *);
46984 void kzfree(const void *);
46985 size_t ksize(const void *);
46986 +void check_object_size(const void *ptr, unsigned long n, bool to);
46989 * Allocator specific definitions. These are mainly used to establish optimized
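Review bot: `check_object_size()` is added without any description, and the `bool to` parameter in particular is unreadable at call sites (`check_object_size(p, n, true)`). Since this looks like the entry point for validating a kernel object before a user copy, the prototype should state the direction convention and what happens on failure, e.g. `/* to: true when copying to user space, false when copying from it; confirm against the implementation */`. The implementation is outside this hunk, so the meaning of `to` given here is an inference from the name.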
46990 @@ -334,4 +339,37 @@ static inline void *kzalloc_node(size_t
46992 void __init kmem_cache_init_late(void);
46994 +#define kmalloc(x, y) \
46996 + void *___retval; \
46997 + intoverflow_t ___x = (intoverflow_t)x; \
46998 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
46999 + ___retval = NULL; \
47001 + ___retval = kmalloc((size_t)___x, (y)); \
47005 +#define kmalloc_node(x, y, z) \
47007 + void *___retval; \
47008 + intoverflow_t ___x = (intoverflow_t)x; \
47009 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
47010 + ___retval = NULL; \
47012 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
47016 +#define kzalloc(x, y) \
47018 + void *___retval; \
47019 + intoverflow_t ___x = (intoverflow_t)x; \
47020 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
47021 + ___retval = NULL; \
47023 + ___retval = kzalloc((size_t)___x, (y)); \
47027 #endif /* _LINUX_SLAB_H */
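Review bot: The cast in these wrappers is written `(intoverflow_t)x` with `x` deliberately left unparenthesised, and nothing says so; a maintainer applying the usual macro-hygiene rule would change it to `(intoverflow_t)(x)` and silently turn the check into a no-op. As written the cast binds to the first operand of the caller's expression, so `kmalloc(n * size, gfp)` is multiplied in the wider type. A size that is pre-computed into a variable, wrapped in its own parentheses, or passed where `intoverflow_t` is no wider than `unsigned long` is not checked at all (the typedef is outside this hunk). I would add above the first macro something like `/* x is intentionally not parenthesised: the cast must apply before the caller's arithmetic; only inline size expressions are covered */`. The same applies to `kmalloc_node`, `kzalloc` and the `vmalloc*` wrappers added in vmalloc.h.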
47028 diff -urNp linux-2.6.35.7/include/linux/slub_def.h linux-2.6.35.7/include/linux/slub_def.h
47029 --- linux-2.6.35.7/include/linux/slub_def.h 2010-08-26 19:47:12.000000000 -0400
47030 +++ linux-2.6.35.7/include/linux/slub_def.h 2010-09-17 20:12:09.000000000 -0400
47031 @@ -79,7 +79,7 @@ struct kmem_cache {
47032 struct kmem_cache_order_objects max;
47033 struct kmem_cache_order_objects min;
47034 gfp_t allocflags; /* gfp flags to use on each alloc */
47035 - int refcount; /* Refcount for slab cache destroy */
47036 + atomic_t refcount; /* Refcount for slab cache destroy */
47037 void (*ctor)(void *);
47038 int inuse; /* Offset to metadata */
47039 int align; /* Alignment */
47040 diff -urNp linux-2.6.35.7/include/linux/sonet.h linux-2.6.35.7/include/linux/sonet.h
47041 --- linux-2.6.35.7/include/linux/sonet.h 2010-08-26 19:47:12.000000000 -0400
47042 +++ linux-2.6.35.7/include/linux/sonet.h 2010-09-17 20:12:09.000000000 -0400
47043 @@ -61,7 +61,7 @@ struct sonet_stats {
47044 #include <asm/atomic.h>
47046 struct k_sonet_stats {
47047 -#define __HANDLE_ITEM(i) atomic_t i
47048 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
47050 #undef __HANDLE_ITEM
47052 diff -urNp linux-2.6.35.7/include/linux/suspend.h linux-2.6.35.7/include/linux/suspend.h
47053 --- linux-2.6.35.7/include/linux/suspend.h 2010-08-26 19:47:12.000000000 -0400
47054 +++ linux-2.6.35.7/include/linux/suspend.h 2010-09-17 20:12:09.000000000 -0400
47055 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
47056 * which require special recovery actions in that situation.
47058 struct platform_suspend_ops {
47059 - int (*valid)(suspend_state_t state);
47060 - int (*begin)(suspend_state_t state);
47061 - int (*prepare)(void);
47062 - int (*prepare_late)(void);
47063 - int (*enter)(suspend_state_t state);
47064 - void (*wake)(void);
47065 - void (*finish)(void);
47066 - void (*end)(void);
47067 - void (*recover)(void);
47068 + int (* const valid)(suspend_state_t state);
47069 + int (* const begin)(suspend_state_t state);
47070 + int (* const prepare)(void);
47071 + int (* const prepare_late)(void);
47072 + int (* const enter)(suspend_state_t state);
47073 + void (* const wake)(void);
47074 + void (* const finish)(void);
47075 + void (* const end)(void);
47076 + void (* const recover)(void);
47079 #ifdef CONFIG_SUSPEND
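Review bot: Qualifying each member of `platform_suspend_ops` as `* const` stops assignment to the fields at compile time, but it does not by itself guarantee that an instance lives in read-only memory; for that the object must also be defined `const`. `suspend_set_ops()` in the next hunk accepts a const pointer but cannot require one, so the benefit depends on every platform defining its table as `static const struct platform_suspend_ops` with a full initialiser, and those definitions are outside this hunk. A sentence in the struct's kernel-doc, e.g. `Instances must be statically initialised and declared const.`, would make the expectation explicit. The same remark applies to `platform_hibernation_ops` below, the show/store table in sysfs.h and the neighbour output table in neighbour.h.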
47080 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
47081 * suspend_set_ops - set platform dependent suspend operations
47082 * @ops: The new suspend operations to set.
47084 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
47085 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
47086 extern int suspend_valid_only_mem(suspend_state_t state);
47089 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
47090 #else /* !CONFIG_SUSPEND */
47091 #define suspend_valid_only_mem NULL
47093 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
47094 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
47095 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
47096 #endif /* !CONFIG_SUSPEND */
47098 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
47099 * platforms which require special recovery actions in that situation.
47101 struct platform_hibernation_ops {
47102 - int (*begin)(void);
47103 - void (*end)(void);
47104 - int (*pre_snapshot)(void);
47105 - void (*finish)(void);
47106 - int (*prepare)(void);
47107 - int (*enter)(void);
47108 - void (*leave)(void);
47109 - int (*pre_restore)(void);
47110 - void (*restore_cleanup)(void);
47111 - void (*recover)(void);
47112 + int (* const begin)(void);
47113 + void (* const end)(void);
47114 + int (* const pre_snapshot)(void);
47115 + void (* const finish)(void);
47116 + int (* const prepare)(void);
47117 + int (* const enter)(void);
47118 + void (* const leave)(void);
47119 + int (* const pre_restore)(void);
47120 + void (* const restore_cleanup)(void);
47121 + void (* const recover)(void);
47124 #ifdef CONFIG_HIBERNATION
47125 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
47126 extern void swsusp_unset_page_free(struct page *);
47127 extern unsigned long get_safe_page(gfp_t gfp_mask);
47129 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
47130 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
47131 extern int hibernate(void);
47132 extern bool system_entering_hibernation(void);
47133 #else /* CONFIG_HIBERNATION */
47134 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
47135 static inline void swsusp_set_page_free(struct page *p) {}
47136 static inline void swsusp_unset_page_free(struct page *p) {}
47138 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
47139 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
47140 static inline int hibernate(void) { return -ENOSYS; }
47141 static inline bool system_entering_hibernation(void) { return false; }
47142 #endif /* CONFIG_HIBERNATION */
47143 diff -urNp linux-2.6.35.7/include/linux/sysctl.h linux-2.6.35.7/include/linux/sysctl.h
47144 --- linux-2.6.35.7/include/linux/sysctl.h 2010-08-26 19:47:12.000000000 -0400
47145 +++ linux-2.6.35.7/include/linux/sysctl.h 2010-09-17 20:12:09.000000000 -0400
47146 @@ -155,7 +155,11 @@ enum
47147 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
47151 +#ifdef CONFIG_PAX_SOFTMODE
47153 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
47157 /* CTL_VM names: */
47159 diff -urNp linux-2.6.35.7/include/linux/sysfs.h linux-2.6.35.7/include/linux/sysfs.h
47160 --- linux-2.6.35.7/include/linux/sysfs.h 2010-08-26 19:47:12.000000000 -0400
47161 +++ linux-2.6.35.7/include/linux/sysfs.h 2010-09-17 20:12:09.000000000 -0400
47162 @@ -115,8 +115,8 @@ struct bin_attribute {
47163 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
47166 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
47167 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
47168 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
47169 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
47172 struct sysfs_dirent;
47173 diff -urNp linux-2.6.35.7/include/linux/thread_info.h linux-2.6.35.7/include/linux/thread_info.h
47174 --- linux-2.6.35.7/include/linux/thread_info.h 2010-08-26 19:47:12.000000000 -0400
47175 +++ linux-2.6.35.7/include/linux/thread_info.h 2010-09-17 20:12:09.000000000 -0400
47176 @@ -23,7 +23,7 @@ struct restart_block {
47178 /* For futex_wait and futex_wait_requeue_pi */
47181 + u32 __user *uaddr;
47185 diff -urNp linux-2.6.35.7/include/linux/tty.h linux-2.6.35.7/include/linux/tty.h
47186 --- linux-2.6.35.7/include/linux/tty.h 2010-08-26 19:47:12.000000000 -0400
47187 +++ linux-2.6.35.7/include/linux/tty.h 2010-09-17 20:12:09.000000000 -0400
47189 #include <linux/tty_driver.h>
47190 #include <linux/tty_ldisc.h>
47191 #include <linux/mutex.h>
47192 +#include <linux/poll.h>
47194 #include <asm/system.h>
47196 @@ -453,7 +454,6 @@ extern int tty_perform_flush(struct tty_
47197 extern dev_t tty_devnum(struct tty_struct *tty);
47198 extern void proc_clear_tty(struct task_struct *p);
47199 extern struct tty_struct *get_current_tty(void);
47200 -extern void tty_default_fops(struct file_operations *fops);
47201 extern struct tty_struct *alloc_tty_struct(void);
47202 extern void free_tty_struct(struct tty_struct *tty);
47203 extern void initialize_tty_struct(struct tty_struct *tty,
47204 @@ -514,6 +514,18 @@ extern void tty_ldisc_begin(void);
47205 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
47206 extern void tty_ldisc_enable(struct tty_struct *tty);
47209 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
47210 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
47211 +extern unsigned int tty_poll(struct file *, poll_table *);
47212 +#ifdef CONFIG_COMPAT
47213 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
47214 + unsigned long arg);
47216 +#define tty_compat_ioctl NULL
47218 +extern int tty_release(struct inode *, struct file *);
47219 +extern int tty_fasync(int fd, struct file *filp, int on);
47222 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
47223 diff -urNp linux-2.6.35.7/include/linux/tty_ldisc.h linux-2.6.35.7/include/linux/tty_ldisc.h
47224 --- linux-2.6.35.7/include/linux/tty_ldisc.h 2010-08-26 19:47:12.000000000 -0400
47225 +++ linux-2.6.35.7/include/linux/tty_ldisc.h 2010-09-17 20:12:09.000000000 -0400
47226 @@ -147,7 +147,7 @@ struct tty_ldisc_ops {
47228 struct module *owner;
47231 + atomic_t refcount;
47235 diff -urNp linux-2.6.35.7/include/linux/types.h linux-2.6.35.7/include/linux/types.h
47236 --- linux-2.6.35.7/include/linux/types.h 2010-08-26 19:47:12.000000000 -0400
47237 +++ linux-2.6.35.7/include/linux/types.h 2010-09-17 20:12:09.000000000 -0400
47238 @@ -191,10 +191,26 @@ typedef struct {
47242 +#ifdef CONFIG_PAX_REFCOUNT
47245 +} atomic_unchecked_t;
47247 +typedef atomic_t atomic_unchecked_t;
47250 #ifdef CONFIG_64BIT
47255 +#ifdef CONFIG_PAX_REFCOUNT
47258 +} atomic64_unchecked_t;
47260 +typedef atomic64_t atomic64_unchecked_t;
47265 diff -urNp linux-2.6.35.7/include/linux/uaccess.h linux-2.6.35.7/include/linux/uaccess.h
47266 --- linux-2.6.35.7/include/linux/uaccess.h 2010-08-26 19:47:12.000000000 -0400
47267 +++ linux-2.6.35.7/include/linux/uaccess.h 2010-09-17 20:12:09.000000000 -0400
47268 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
47270 mm_segment_t old_fs = get_fs(); \
47272 - set_fs(KERNEL_DS); \
47273 pagefault_disable(); \
47274 + set_fs(KERNEL_DS); \
47275 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
47276 - pagefault_enable(); \
47278 + pagefault_enable(); \
47282 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
47283 * Safely read from address @src to the buffer at @dst. If a kernel fault
47284 * happens, handle that and return -EFAULT.
47286 -extern long probe_kernel_read(void *dst, void *src, size_t size);
47287 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
47288 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
47289 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
47292 * probe_kernel_write(): safely attempt to write to a location
47293 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
47294 * Safely write to address @dst from the buffer at @src. If a kernel fault
47295 * happens, handle that and return -EFAULT.
47297 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
47298 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
47299 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
47300 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
47302 #endif /* __LINUX_UACCESS_H__ */
47303 diff -urNp linux-2.6.35.7/include/linux/usb/hcd.h linux-2.6.35.7/include/linux/usb/hcd.h
47304 --- linux-2.6.35.7/include/linux/usb/hcd.h 2010-08-26 19:47:12.000000000 -0400
47305 +++ linux-2.6.35.7/include/linux/usb/hcd.h 2010-09-17 20:12:09.000000000 -0400
47306 @@ -559,7 +559,7 @@ struct usb_mon_operations {
47307 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
47310 -extern struct usb_mon_operations *mon_ops;
47311 +extern const struct usb_mon_operations *mon_ops;
47313 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
47315 @@ -581,7 +581,7 @@ static inline void usbmon_urb_complete(s
47316 (*mon_ops->urb_complete)(bus, urb, status);
47319 -int usb_mon_register(struct usb_mon_operations *ops);
47320 +int usb_mon_register(const struct usb_mon_operations *ops);
47321 void usb_mon_deregister(void);
47324 diff -urNp linux-2.6.35.7/include/linux/vmalloc.h linux-2.6.35.7/include/linux/vmalloc.h
47325 --- linux-2.6.35.7/include/linux/vmalloc.h 2010-08-26 19:47:12.000000000 -0400
47326 +++ linux-2.6.35.7/include/linux/vmalloc.h 2010-09-17 20:12:09.000000000 -0400
47327 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
47328 #define VM_MAP 0x00000004 /* vmap()ed pages */
47329 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
47330 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
47332 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
47333 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
47336 /* bits [20..32] reserved for arch specific ioremap internals */
47339 @@ -121,4 +126,81 @@ struct vm_struct **pcpu_get_vm_areas(con
47341 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
47343 +#define vmalloc(x) \
47345 + void *___retval; \
47346 + intoverflow_t ___x = (intoverflow_t)x; \
47347 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
47348 + ___retval = NULL; \
47350 + ___retval = vmalloc((unsigned long)___x); \
47354 +#define __vmalloc(x, y, z) \
47356 + void *___retval; \
47357 + intoverflow_t ___x = (intoverflow_t)x; \
47358 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
47359 + ___retval = NULL; \
47361 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
47365 +#define vmalloc_user(x) \
47367 + void *___retval; \
47368 + intoverflow_t ___x = (intoverflow_t)x; \
47369 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
47370 + ___retval = NULL; \
47372 + ___retval = vmalloc_user((unsigned long)___x); \
47376 +#define vmalloc_exec(x) \
47378 + void *___retval; \
47379 + intoverflow_t ___x = (intoverflow_t)x; \
47380 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
47381 + ___retval = NULL; \
47383 + ___retval = vmalloc_exec((unsigned long)___x); \
47387 +#define vmalloc_node(x, y) \
47389 + void *___retval; \
47390 + intoverflow_t ___x = (intoverflow_t)x; \
47391 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
47392 + ___retval = NULL; \
47394 + ___retval = vmalloc_node((unsigned long)___x, (y));\
47398 +#define vmalloc_32(x) \
47400 + void *___retval; \
47401 + intoverflow_t ___x = (intoverflow_t)x; \
47402 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
47403 + ___retval = NULL; \
47405 + ___retval = vmalloc_32((unsigned long)___x); \
47409 +#define vmalloc_32_user(x) \
47411 + void *___retval; \
47412 + intoverflow_t ___x = (intoverflow_t)x; \
47413 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
47414 + ___retval = NULL; \
47416 + ___retval = vmalloc_32_user((unsigned long)___x);\
47420 #endif /* _LINUX_VMALLOC_H */
47421 diff -urNp linux-2.6.35.7/include/linux/vmstat.h linux-2.6.35.7/include/linux/vmstat.h
47422 --- linux-2.6.35.7/include/linux/vmstat.h 2010-09-26 17:32:11.000000000 -0400
47423 +++ linux-2.6.35.7/include/linux/vmstat.h 2010-09-26 22:02:02.000000000 -0400
47424 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
47426 * Zone based page accounting with per cpu differentials.
47428 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47429 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47431 static inline void zone_page_state_add(long x, struct zone *zone,
47432 enum zone_stat_item item)
47434 - atomic_long_add(x, &zone->vm_stat[item]);
47435 - atomic_long_add(x, &vm_stat[item]);
47436 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
47437 + atomic_long_add_unchecked(x, &vm_stat[item]);
47440 static inline unsigned long global_page_state(enum zone_stat_item item)
47442 - long x = atomic_long_read(&vm_stat[item]);
47443 + long x = atomic_long_read_unchecked(&vm_stat[item]);
47447 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
47448 static inline unsigned long zone_page_state(struct zone *zone,
47449 enum zone_stat_item item)
47451 - long x = atomic_long_read(&zone->vm_stat[item]);
47452 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
47456 @@ -179,7 +179,7 @@ static inline unsigned long zone_page_st
47457 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
47458 enum zone_stat_item item)
47460 - long x = atomic_long_read(&zone->vm_stat[item]);
47461 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
47465 @@ -268,8 +268,8 @@ static inline void __mod_zone_page_state
47467 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
47469 - atomic_long_inc(&zone->vm_stat[item]);
47470 - atomic_long_inc(&vm_stat[item]);
47471 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
47472 + atomic_long_inc_unchecked(&vm_stat[item]);
47475 static inline void __inc_zone_page_state(struct page *page,
47476 @@ -280,8 +280,8 @@ static inline void __inc_zone_page_state
47478 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
47480 - atomic_long_dec(&zone->vm_stat[item]);
47481 - atomic_long_dec(&vm_stat[item]);
47482 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
47483 + atomic_long_dec_unchecked(&vm_stat[item]);
47486 static inline void __dec_zone_page_state(struct page *page,
47487 diff -urNp linux-2.6.35.7/include/net/inetpeer.h linux-2.6.35.7/include/net/inetpeer.h
47488 --- linux-2.6.35.7/include/net/inetpeer.h 2010-08-26 19:47:12.000000000 -0400
47489 +++ linux-2.6.35.7/include/net/inetpeer.h 2010-10-11 22:41:44.000000000 -0400
47490 @@ -22,8 +22,8 @@ struct inet_peer {
47491 __u32 dtime; /* the time of last use of not
47492 * referenced entries */
47494 - atomic_t rid; /* Frag reception counter */
47495 - atomic_t ip_id_count; /* IP ID for the next packet */
47496 + atomic_unchecked_t rid; /* Frag reception counter */
47497 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
47499 __u32 tcp_ts_stamp;
47501 @@ -40,7 +40,7 @@ extern void inet_putpeer(struct inet_pee
47502 static inline __u16 inet_getid(struct inet_peer *p, int more)
47505 - return atomic_add_return(more, &p->ip_id_count) - more;
47506 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
47509 #endif /* _NET_INETPEER_H */
47510 diff -urNp linux-2.6.35.7/include/net/irda/ircomm_tty.h linux-2.6.35.7/include/net/irda/ircomm_tty.h
47511 --- linux-2.6.35.7/include/net/irda/ircomm_tty.h 2010-08-26 19:47:12.000000000 -0400
47512 +++ linux-2.6.35.7/include/net/irda/ircomm_tty.h 2010-09-17 20:12:09.000000000 -0400
47513 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
47514 unsigned short close_delay;
47515 unsigned short closing_wait; /* time to wait before closing */
47518 - int blocked_open; /* # of blocked opens */
47519 + atomic_t open_count;
47520 + atomic_t blocked_open; /* # of blocked opens */
47522 /* Protect concurent access to :
47523 * o self->open_count
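Review bot: The comment that begins at the end of this hunk still lists `self->open_count` among the fields protected against concurrent access, even though `open_count` and `blocked_open` are now `atomic_t`, which leaves it unclear whether the lock is still required around them. Atomic updates do not make a check-then-act sequence on the counter safe, so if the open and close paths test the count and then act on it the lock is still needed; those paths are not in this hunk. Either keep the list and add `/* atomic_t so overflow is detected; still read and updated under the lock named below */` if that is the intent, or drop the field from the protected list if the lock is no longer taken.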
47524 diff -urNp linux-2.6.35.7/include/net/neighbour.h linux-2.6.35.7/include/net/neighbour.h
47525 --- linux-2.6.35.7/include/net/neighbour.h 2010-08-26 19:47:12.000000000 -0400
47526 +++ linux-2.6.35.7/include/net/neighbour.h 2010-09-17 20:12:09.000000000 -0400
47527 @@ -116,12 +116,12 @@ struct neighbour {
47531 - void (*solicit)(struct neighbour *, struct sk_buff*);
47532 - void (*error_report)(struct neighbour *, struct sk_buff*);
47533 - int (*output)(struct sk_buff*);
47534 - int (*connected_output)(struct sk_buff*);
47535 - int (*hh_output)(struct sk_buff*);
47536 - int (*queue_xmit)(struct sk_buff*);
47537 + void (* const solicit)(struct neighbour *, struct sk_buff*);
47538 + void (* const error_report)(struct neighbour *, struct sk_buff*);
47539 + int (* const output)(struct sk_buff*);
47540 + int (* const connected_output)(struct sk_buff*);
47541 + int (* const hh_output)(struct sk_buff*);
47542 + int (* const queue_xmit)(struct sk_buff*);
47545 struct pneigh_entry {
47546 diff -urNp linux-2.6.35.7/include/net/sctp/sctp.h linux-2.6.35.7/include/net/sctp/sctp.h
47547 --- linux-2.6.35.7/include/net/sctp/sctp.h 2010-08-26 19:47:12.000000000 -0400
47548 +++ linux-2.6.35.7/include/net/sctp/sctp.h 2010-09-17 20:12:09.000000000 -0400
47549 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
47551 #else /* SCTP_DEBUG */
47553 -#define SCTP_DEBUG_PRINTK(whatever...)
47554 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
47555 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
47556 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
47557 #define SCTP_ENABLE_DEBUG
47558 #define SCTP_DISABLE_DEBUG
47559 #define SCTP_ASSERT(expr, str, func)
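Review bot: `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` in the same `#else` branch still expand to nothing, while the two PRINTK macros above them now expand to a real statement. An empty expansion lets a call site with a missing semicolon compile in non-debug builds and leaves an empty `if` body where the macro is the only statement. For consistency I would define the remaining three the same way, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`.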
47560 diff -urNp linux-2.6.35.7/include/net/tcp.h linux-2.6.35.7/include/net/tcp.h
47561 --- linux-2.6.35.7/include/net/tcp.h 2010-09-26 17:32:11.000000000 -0400
47562 +++ linux-2.6.35.7/include/net/tcp.h 2010-09-26 17:32:50.000000000 -0400
47563 @@ -1428,6 +1428,7 @@ enum tcp_seq_states {
47564 struct tcp_seq_afinfo {
47566 sa_family_t family;
47567 + /* cannot be const */
47568 struct file_operations seq_fops;
47569 struct seq_operations seq_ops;
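Review bot: The added `/* cannot be const */` comment on `seq_fops` gives no reason, so a later constification pass has nothing to check it against. If the reason is that the registration code fills in `seq_fops` at run time (not visible in this hunk), the comment should say so, for example `/* cannot be const: seq_fops is written when the afinfo is registered */`. The same bare comment is added to `struct udp_seq_afinfo` in include/net/udp.h.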
47571 diff -urNp linux-2.6.35.7/include/net/udp.h linux-2.6.35.7/include/net/udp.h
47572 --- linux-2.6.35.7/include/net/udp.h 2010-09-26 17:32:11.000000000 -0400
47573 +++ linux-2.6.35.7/include/net/udp.h 2010-09-26 17:32:50.000000000 -0400
47574 @@ -222,6 +222,7 @@ struct udp_seq_afinfo {
47576 sa_family_t family;
47577 struct udp_table *udp_table;
47578 + /* cannot be const */
47579 struct file_operations seq_fops;
47580 struct seq_operations seq_ops;
47582 diff -urNp linux-2.6.35.7/include/sound/ac97_codec.h linux-2.6.35.7/include/sound/ac97_codec.h
47583 --- linux-2.6.35.7/include/sound/ac97_codec.h 2010-08-26 19:47:12.000000000 -0400
47584 +++ linux-2.6.35.7/include/sound/ac97_codec.h 2010-09-17 20:12:09.000000000 -0400
47585 @@ -419,15 +419,15 @@
47588 struct snd_ac97_build_ops {
47589 - int (*build_3d) (struct snd_ac97 *ac97);
47590 - int (*build_specific) (struct snd_ac97 *ac97);
47591 - int (*build_spdif) (struct snd_ac97 *ac97);
47592 - int (*build_post_spdif) (struct snd_ac97 *ac97);
47593 + int (* const build_3d) (struct snd_ac97 *ac97);
47594 + int (* const build_specific) (struct snd_ac97 *ac97);
47595 + int (* const build_spdif) (struct snd_ac97 *ac97);
47596 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
47598 - void (*suspend) (struct snd_ac97 *ac97);
47599 - void (*resume) (struct snd_ac97 *ac97);
47600 + void (* const suspend) (struct snd_ac97 *ac97);
47601 + void (* const resume) (struct snd_ac97 *ac97);
47603 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
47604 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
47607 struct snd_ac97_bus_ops {
47608 @@ -477,7 +477,7 @@ struct snd_ac97_template {
47611 /* -- lowlevel (hardware) driver specific -- */
47612 - struct snd_ac97_build_ops * build_ops;
47613 + const struct snd_ac97_build_ops * build_ops;
47614 void *private_data;
47615 void (*private_free) (struct snd_ac97 *ac97);
47617 diff -urNp linux-2.6.35.7/include/trace/events/irq.h linux-2.6.35.7/include/trace/events/irq.h
47618 --- linux-2.6.35.7/include/trace/events/irq.h 2010-08-26 19:47:12.000000000 -0400
47619 +++ linux-2.6.35.7/include/trace/events/irq.h 2010-09-17 20:12:09.000000000 -0400
47622 TRACE_EVENT(irq_handler_entry,
47624 - TP_PROTO(int irq, struct irqaction *action),
47625 + TP_PROTO(int irq, const struct irqaction *action),
47627 TP_ARGS(irq, action),
47629 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
47631 TRACE_EVENT(irq_handler_exit,
47633 - TP_PROTO(int irq, struct irqaction *action, int ret),
47634 + TP_PROTO(int irq, const struct irqaction *action, int ret),
47636 TP_ARGS(irq, action, ret),
47638 @@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
47640 DECLARE_EVENT_CLASS(softirq,
47642 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47643 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47647 @@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
47649 DEFINE_EVENT(softirq, softirq_entry,
47651 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47652 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47656 @@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
47658 DEFINE_EVENT(softirq, softirq_exit,
47660 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47661 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47665 diff -urNp linux-2.6.35.7/include/video/uvesafb.h linux-2.6.35.7/include/video/uvesafb.h
47666 --- linux-2.6.35.7/include/video/uvesafb.h 2010-08-26 19:47:12.000000000 -0400
47667 +++ linux-2.6.35.7/include/video/uvesafb.h 2010-09-17 20:12:09.000000000 -0400
47668 @@ -177,6 +177,7 @@ struct uvesafb_par {
47669 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
47670 u8 pmi_setpal; /* PMI for palette changes */
47671 u16 *pmi_base; /* protected mode interface location */
47672 + u8 *pmi_code; /* protected mode code location */
47675 u8 *vbe_state_orig; /*
47676 diff -urNp linux-2.6.35.7/init/do_mounts.c linux-2.6.35.7/init/do_mounts.c
47677 --- linux-2.6.35.7/init/do_mounts.c 2010-08-26 19:47:12.000000000 -0400
47678 +++ linux-2.6.35.7/init/do_mounts.c 2010-09-17 20:12:09.000000000 -0400
47679 @@ -217,11 +217,11 @@ static void __init get_fs_names(char *pa
47681 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
47683 - int err = sys_mount(name, "/root", fs, flags, data);
47684 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
47688 - sys_chdir("/root");
47689 + sys_chdir((__force char __user *)"/root");
47690 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
47691 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
47692 current->fs->pwd.mnt->mnt_sb->s_type->name,
47693 @@ -312,18 +312,18 @@ void __init change_floppy(char *fmt, ...
47694 va_start(args, fmt);
47695 vsprintf(buf, fmt, args);
47697 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
47698 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
47700 sys_ioctl(fd, FDEJECT, 0);
47703 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
47704 - fd = sys_open("/dev/console", O_RDWR, 0);
47705 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
47707 sys_ioctl(fd, TCGETS, (long)&termios);
47708 termios.c_lflag &= ~ICANON;
47709 sys_ioctl(fd, TCSETSF, (long)&termios);
47710 - sys_read(fd, &c, 1);
47711 + sys_read(fd, (char __user *)&c, 1);
47712 termios.c_lflag |= ICANON;
47713 sys_ioctl(fd, TCSETSF, (long)&termios);
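Review bot: Two casts in this hunk, `sys_open((char __user *)"/dev/root", ...)` and `sys_read(fd, (char __user *)&c, 1)`, omit `__force`, while the `/dev/console` cast here and every cast in the other hunks of this file carry it. The inconsistency makes it unclear which kernel-to-user pointer conversions were reviewed as intentional, and a checker run with address-space cast warnings enabled would flag only these. I would write `(__force const char __user *)"/dev/root"` and `(__force char __user *)&c`. The `sys_mkdir((const char __user *)"/dev", 0755)` and `"/root"` casts added in init/noinitramfs.c have the same gap. change_floppy's body starts and ends outside the hunk.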
47715 @@ -417,6 +417,6 @@ void __init prepare_namespace(void)
47718 devtmpfs_mount("dev");
47719 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
47721 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47722 + sys_chroot((__force char __user *)".");
47724 diff -urNp linux-2.6.35.7/init/do_mounts.h linux-2.6.35.7/init/do_mounts.h
47725 --- linux-2.6.35.7/init/do_mounts.h 2010-08-26 19:47:12.000000000 -0400
47726 +++ linux-2.6.35.7/init/do_mounts.h 2010-09-17 20:12:09.000000000 -0400
47727 @@ -15,15 +15,15 @@ extern int root_mountflags;
47729 static inline int create_dev(char *name, dev_t dev)
47731 - sys_unlink(name);
47732 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
47733 + sys_unlink((__force char __user *)name);
47734 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
47737 #if BITS_PER_LONG == 32
47738 static inline u32 bstat(char *name)
47740 struct stat64 stat;
47741 - if (sys_stat64(name, &stat) != 0)
47742 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
47744 if (!S_ISBLK(stat.st_mode))
47746 diff -urNp linux-2.6.35.7/init/do_mounts_initrd.c linux-2.6.35.7/init/do_mounts_initrd.c
47747 --- linux-2.6.35.7/init/do_mounts_initrd.c 2010-08-26 19:47:12.000000000 -0400
47748 +++ linux-2.6.35.7/init/do_mounts_initrd.c 2010-09-17 20:12:09.000000000 -0400
47749 @@ -43,13 +43,13 @@ static void __init handle_initrd(void)
47750 create_dev("/dev/root.old", Root_RAM0);
47751 /* mount initrd on rootfs' /root */
47752 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
47753 - sys_mkdir("/old", 0700);
47754 - root_fd = sys_open("/", 0, 0);
47755 - old_fd = sys_open("/old", 0, 0);
47756 + sys_mkdir((__force const char __user *)"/old", 0700);
47757 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
47758 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
47759 /* move initrd over / and chdir/chroot in initrd root */
47760 - sys_chdir("/root");
47761 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
47763 + sys_chdir((__force const char __user *)"/root");
47764 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47765 + sys_chroot((__force const char __user *)".");
47768 * In case that a resume from disk is carried out by linuxrc or one of
47769 @@ -66,15 +66,15 @@ static void __init handle_initrd(void)
47771 /* move initrd to rootfs' /old */
47772 sys_fchdir(old_fd);
47773 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
47774 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
47775 /* switch root and cwd back to / of rootfs */
47776 sys_fchdir(root_fd);
47778 + sys_chroot((__force const char __user *)".");
47780 sys_close(root_fd);
47782 if (new_decode_dev(real_root_dev) == Root_RAM0) {
47783 - sys_chdir("/old");
47784 + sys_chdir((__force const char __user *)"/old");
47788 @@ -82,17 +82,17 @@ static void __init handle_initrd(void)
47791 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
47792 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
47793 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
47797 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
47798 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
47799 if (error == -ENOENT)
47800 printk("/initrd does not exist. Ignored.\n");
47802 printk("failed\n");
47803 printk(KERN_NOTICE "Unmounting old root\n");
47804 - sys_umount("/old", MNT_DETACH);
47805 + sys_umount((__force char __user *)"/old", MNT_DETACH);
47806 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
47809 @@ -115,11 +115,11 @@ int __init initrd_load(void)
47810 * mounted in the normal path.
47812 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
47813 - sys_unlink("/initrd.image");
47814 + sys_unlink((__force const char __user *)"/initrd.image");
47819 - sys_unlink("/initrd.image");
47820 + sys_unlink((__force const char __user *)"/initrd.image");
47823 diff -urNp linux-2.6.35.7/init/do_mounts_md.c linux-2.6.35.7/init/do_mounts_md.c
47824 --- linux-2.6.35.7/init/do_mounts_md.c 2010-08-26 19:47:12.000000000 -0400
47825 +++ linux-2.6.35.7/init/do_mounts_md.c 2010-09-17 20:12:09.000000000 -0400
47826 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
47827 partitioned ? "_d" : "", minor,
47828 md_setup_args[ent].device_names);
47830 - fd = sys_open(name, 0, 0);
47831 + fd = sys_open((__force char __user *)name, 0, 0);
47833 printk(KERN_ERR "md: open failed - cannot start "
47834 "array %s\n", name);
47835 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
47839 - fd = sys_open(name, 0, 0);
47840 + fd = sys_open((__force char __user *)name, 0, 0);
47841 sys_ioctl(fd, BLKRRPART, 0);
47844 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
47846 wait_for_device_probe();
47848 - fd = sys_open("/dev/md0", 0, 0);
47849 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
47851 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
47853 diff -urNp linux-2.6.35.7/init/initramfs.c linux-2.6.35.7/init/initramfs.c
47854 --- linux-2.6.35.7/init/initramfs.c 2010-08-26 19:47:12.000000000 -0400
47855 +++ linux-2.6.35.7/init/initramfs.c 2010-09-17 20:12:09.000000000 -0400
47856 @@ -74,7 +74,7 @@ static void __init free_hash(void)
47860 -static long __init do_utime(char __user *filename, time_t mtime)
47861 +static long __init do_utime(__force char __user *filename, time_t mtime)
47863 struct timespec t[2];
47865 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
47866 struct dir_entry *de, *tmp;
47867 list_for_each_entry_safe(de, tmp, &dir_list, list) {
47868 list_del(&de->list);
47869 - do_utime(de->name, de->mtime);
47870 + do_utime((__force char __user *)de->name, de->mtime);
47874 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
47876 char *old = find_link(major, minor, ino, mode, collected);
47878 - return (sys_link(old, collected) < 0) ? -1 : 1;
47879 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
47883 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
47887 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
47888 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
47889 if (S_ISDIR(st.st_mode))
47891 + sys_rmdir((__force char __user *)path);
47893 - sys_unlink(path);
47894 + sys_unlink((__force char __user *)path);
47898 @@ -305,7 +305,7 @@ static int __init do_name(void)
47899 int openflags = O_WRONLY|O_CREAT;
47901 openflags |= O_TRUNC;
47902 - wfd = sys_open(collected, openflags, mode);
47903 + wfd = sys_open((__force char __user *)collected, openflags, mode);
47906 sys_fchown(wfd, uid, gid);
47907 @@ -317,17 +317,17 @@ static int __init do_name(void)
47910 } else if (S_ISDIR(mode)) {
47911 - sys_mkdir(collected, mode);
47912 - sys_chown(collected, uid, gid);
47913 - sys_chmod(collected, mode);
47914 + sys_mkdir((__force char __user *)collected, mode);
47915 + sys_chown((__force char __user *)collected, uid, gid);
47916 + sys_chmod((__force char __user *)collected, mode);
47917 dir_add(collected, mtime);
47918 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
47919 S_ISFIFO(mode) || S_ISSOCK(mode)) {
47920 if (maybe_link() == 0) {
47921 - sys_mknod(collected, mode, rdev);
47922 - sys_chown(collected, uid, gid);
47923 - sys_chmod(collected, mode);
47924 - do_utime(collected, mtime);
47925 + sys_mknod((__force char __user *)collected, mode, rdev);
47926 + sys_chown((__force char __user *)collected, uid, gid);
47927 + sys_chmod((__force char __user *)collected, mode);
47928 + do_utime((__force char __user *)collected, mtime);
47932 @@ -336,15 +336,15 @@ static int __init do_name(void)
47933 static int __init do_copy(void)
47935 if (count >= body_len) {
47936 - sys_write(wfd, victim, body_len);
47937 + sys_write(wfd, (__force char __user *)victim, body_len);
47939 - do_utime(vcollected, mtime);
47940 + do_utime((__force char __user *)vcollected, mtime);
47946 - sys_write(wfd, victim, count);
47947 + sys_write(wfd, (__force char __user *)victim, count);
47951 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
47953 collected[N_ALIGN(name_len) + body_len] = '\0';
47954 clean_path(collected, 0);
47955 - sys_symlink(collected + N_ALIGN(name_len), collected);
47956 - sys_lchown(collected, uid, gid);
47957 - do_utime(collected, mtime);
47958 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
47959 + sys_lchown((__force char __user *)collected, uid, gid);
47960 + do_utime((__force char __user *)collected, mtime);
47962 next_state = Reset;
47964 diff -urNp linux-2.6.35.7/init/Kconfig linux-2.6.35.7/init/Kconfig
47965 --- linux-2.6.35.7/init/Kconfig 2010-08-26 19:47:12.000000000 -0400
47966 +++ linux-2.6.35.7/init/Kconfig 2010-09-17 20:12:09.000000000 -0400
47967 @@ -1063,7 +1063,7 @@ config SLUB_DEBUG
47970 bool "Disable heap randomization"
47974 Randomizing heap placement makes heap exploits harder, but it
47975 also breaks ancient binaries (including anything libc5 based).
47976 diff -urNp linux-2.6.35.7/init/main.c linux-2.6.35.7/init/main.c
47977 --- linux-2.6.35.7/init/main.c 2010-08-26 19:47:12.000000000 -0400
47978 +++ linux-2.6.35.7/init/main.c 2010-10-11 22:41:44.000000000 -0400
47979 @@ -98,6 +98,7 @@ static inline void mark_rodata_ro(void)
47981 extern void tc_init(void);
47983 +extern void grsecurity_init(void);
47985 enum system_states system_state __read_mostly;
47986 EXPORT_SYMBOL(system_state);
47987 @@ -200,6 +201,47 @@ static int __init set_reset_devices(char
47989 __setup("reset_devices", set_reset_devices);
47991 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
47992 +extern void pax_enter_kernel_user(void);
47993 +extern void pax_exit_kernel_user(void);
47994 +extern pgdval_t clone_pgd_mask;
47997 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
47998 +static int __init setup_pax_nouderef(char *str)
48000 +#ifdef CONFIG_X86_32
48001 + unsigned int cpu;
48003 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
48004 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
48005 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
48007 + asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
48008 + asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
48009 + asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
48011 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
48012 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
48013 + clone_pgd_mask = ~(pgdval_t)0UL;
48018 +early_param("pax_nouderef", setup_pax_nouderef);
48021 +#ifdef CONFIG_PAX_SOFTMODE
48022 +unsigned int pax_softmode;
48024 +static int __init setup_pax_softmode(char *str)
48026 + get_option(&str, &pax_softmode);
48029 +__setup("pax_softmode=", setup_pax_softmode);
48032 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
48033 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
48034 static const char *panic_later, *panic_param;
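Review bot: `setup_pax_nouderef` switches the protection off without logging anything in the visible lines, so a modified kernel command line leaves no trace in the boot log for whoever audits the machine later. I would add `printk(KERN_NOTICE "PAX: UDEREF disabled by pax_nouderef\n");` before the function returns, and a matching line in `setup_pax_softmode` that prints the parsed value. Separately, `get_option()` takes an `int *`, so passing `&pax_softmode` (declared `unsigned int`) mismatches in signedness; parsing into a local `int` and assigning it would avoid that. Several short lines of both functions are missing from this listing, so the return paths cannot be checked here.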
48035 @@ -725,52 +767,53 @@ int initcall_debug;
48036 core_param(initcall_debug, initcall_debug, bool, 0644);
48038 static char msgbuf[64];
48039 -static struct boot_trace_call call;
48040 -static struct boot_trace_ret ret;
48041 +static struct boot_trace_call trace_call;
48042 +static struct boot_trace_ret trace_ret;
48044 int do_one_initcall(initcall_t fn)
48046 int count = preempt_count();
48047 ktime_t calltime, delta, rettime;
48048 + const char *msg1 = "", *msg2 = "";
48050 if (initcall_debug) {
48051 - call.caller = task_pid_nr(current);
48052 - printk("calling %pF @ %i\n", fn, call.caller);
48053 + trace_call.caller = task_pid_nr(current);
48054 + printk("calling %pF @ %i\n", fn, trace_call.caller);
48055 calltime = ktime_get();
48056 - trace_boot_call(&call, fn);
48057 + trace_boot_call(&trace_call, fn);
48058 enable_boot_trace();
48061 - ret.result = fn();
48062 + trace_ret.result = fn();
48064 if (initcall_debug) {
48065 disable_boot_trace();
48066 rettime = ktime_get();
48067 delta = ktime_sub(rettime, calltime);
48068 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
48069 - trace_boot_ret(&ret, fn);
48070 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
48071 + trace_boot_ret(&trace_ret, fn);
48072 printk("initcall %pF returned %d after %Ld usecs\n", fn,
48073 - ret.result, ret.duration);
48074 + trace_ret.result, trace_ret.duration);
48079 - if (ret.result && ret.result != -ENODEV && initcall_debug)
48080 - sprintf(msgbuf, "error code %d ", ret.result);
48081 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
48082 + sprintf(msgbuf, "error code %d ", trace_ret.result);
48084 if (preempt_count() != count) {
48085 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
48086 + msg1 = " preemption imbalance";
48087 preempt_count() = count;
48089 if (irqs_disabled()) {
48090 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
48091 + msg2 = " disabled interrupts";
48092 local_irq_enable();
48095 - printk("initcall %pF returned with %s\n", fn, msgbuf);
48096 + if (msgbuf[0] || *msg1 || *msg2) {
48097 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
48100 - return ret.result;
48101 + return trace_ret.result;
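Review bot: The initcall's return value is still stored in and returned from the file-scope `trace_ret`, and the error text is still built in the static `msgbuf`, so two overlapping calls would overwrite each other's result and message. Whether `do_one_initcall` can run concurrently (for example from module loading) is not visible in this hunk, so this needs confirming against the callers. If it can, keep the value in a local, `int result = fn();`, copy it into `trace_ret.result` only inside the `initcall_debug` branch, and finish with `return result;`. Moving the two flag strings into `msg1`/`msg2` already takes part of the message out of the shared buffer, and the error-code text could follow the same route.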
48105 @@ -902,7 +945,7 @@ static int __init kernel_init(void * unu
48108 /* Open the /dev/console on the rootfs, this should never fail */
48109 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
48110 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
48111 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
48114 @@ -915,11 +958,13 @@ static int __init kernel_init(void * unu
48115 if (!ramdisk_execute_command)
48116 ramdisk_execute_command = "/init";
48118 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
48119 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
48120 ramdisk_execute_command = NULL;
48121 prepare_namespace();
48124 + grsecurity_init();
48127 * Ok, we have completed the initial bootup, and
48128 * we're essentially up and running. Get rid of the
48129 diff -urNp linux-2.6.35.7/init/noinitramfs.c linux-2.6.35.7/init/noinitramfs.c
48130 --- linux-2.6.35.7/init/noinitramfs.c 2010-08-26 19:47:12.000000000 -0400
48131 +++ linux-2.6.35.7/init/noinitramfs.c 2010-09-17 20:12:09.000000000 -0400
48132 @@ -29,17 +29,17 @@ static int __init default_rootfs(void)
48136 - err = sys_mkdir("/dev", 0755);
48137 + err = sys_mkdir((const char __user *)"/dev", 0755);
48141 - err = sys_mknod((const char __user *) "/dev/console",
48142 + err = sys_mknod((__force const char __user *) "/dev/console",
48143 S_IFCHR | S_IRUSR | S_IWUSR,
48144 new_encode_dev(MKDEV(5, 1)));
48148 - err = sys_mkdir("/root", 0700);
48149 + err = sys_mkdir((const char __user *)"/root", 0700);
48153 diff -urNp linux-2.6.35.7/ipc/compat.c linux-2.6.35.7/ipc/compat.c
48154 --- linux-2.6.35.7/ipc/compat.c 2010-08-26 19:47:12.000000000 -0400
48155 +++ linux-2.6.35.7/ipc/compat.c 2010-10-10 16:03:15.000000000 -0400
48156 @@ -241,6 +241,8 @@ long compat_sys_semctl(int first, int se
48157 struct semid64_ds __user *up64;
48158 int version = compat_ipc_parse_version(&third);
48160 + memset(&s64, 0, sizeof(s64));
48164 if (get_user(pad, (u32 __user *) uptr))
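Review bot: The added `memset(&s64, 0, sizeof(s64));` carries no comment, and nothing in the hunk says why a struct that is about to be filled needs zeroing first. Presumably it keeps uninitialised stack bytes (padding, or fields a given command does not set) out of what is later copied to user space; without a note it reads as redundant initialisation and is easy to drop in a cleanup. I would add `/* zero the whole struct: it is copied to user space, padding included */` above it. The same applies to the memset calls added in compat_sys_msgctl and compat_sys_shmctl in this file, in ipc/compat_mq.c, and in copy_semid_to_user and copy_shmid_to_user; the copy-out for this function lies outside the hunk.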
48165 @@ -421,6 +423,8 @@ long compat_sys_msgctl(int first, int se
48166 int version = compat_ipc_parse_version(&second);
48169 + memset(&m64, 0, sizeof(m64));
48171 switch (second & (~IPC_64)) {
48174 @@ -594,6 +598,8 @@ long compat_sys_shmctl(int first, int se
48176 int version = compat_ipc_parse_version(&second);
48178 + memset(&s64, 0, sizeof(s64));
48180 switch (second & (~IPC_64)) {
48183 diff -urNp linux-2.6.35.7/ipc/compat_mq.c linux-2.6.35.7/ipc/compat_mq.c
48184 --- linux-2.6.35.7/ipc/compat_mq.c 2010-08-26 19:47:12.000000000 -0400
48185 +++ linux-2.6.35.7/ipc/compat_mq.c 2010-10-10 16:04:10.000000000 -0400
48186 @@ -53,6 +53,9 @@ asmlinkage long compat_sys_mq_open(const
48187 void __user *p = NULL;
48188 if (u_attr && oflag & O_CREAT) {
48189 struct mq_attr attr;
48191 + memset(&attr, 0, sizeof(attr));
48193 p = compat_alloc_user_space(sizeof(attr));
48194 if (get_compat_mq_attr(&attr, u_attr) ||
48195 copy_to_user(p, &attr, sizeof(attr)))
48196 @@ -127,6 +130,8 @@ asmlinkage long compat_sys_mq_getsetattr
48197 struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p));
48200 + memset(&mqstat, 0, sizeof(mqstat));
48203 if (get_compat_mq_attr(&mqstat, u_mqstat) ||
48204 copy_to_user(p, &mqstat, sizeof(mqstat)))
48205 diff -urNp linux-2.6.35.7/ipc/mqueue.c linux-2.6.35.7/ipc/mqueue.c
48206 --- linux-2.6.35.7/ipc/mqueue.c 2010-08-26 19:47:12.000000000 -0400
48207 +++ linux-2.6.35.7/ipc/mqueue.c 2010-09-17 20:12:37.000000000 -0400
48208 @@ -153,6 +153,7 @@ static struct inode *mqueue_get_inode(st
48209 mq_bytes = (mq_msg_tblsz +
48210 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
48212 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
48213 spin_lock(&mq_lock);
48214 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
48215 u->mq_bytes + mq_bytes >
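Review bot: The new `gr_learn_resource()` call reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken, whereas the limit check just below reads it under the lock and also tests `u->mq_bytes + mq_bytes` for wrap-around. The value handed to the learning code can therefore be stale, or already wrapped, in cases the real check would reject. If `gr_learn_resource()` may be called with a spinlock held (its definition is not on this page), move the call below `spin_lock(&mq_lock);`; otherwise take a snapshot of the sum under the lock and pass that after unlocking. mqueue_get_inode continues outside the hunk.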
48216 diff -urNp linux-2.6.35.7/ipc/sem.c linux-2.6.35.7/ipc/sem.c
48217 --- linux-2.6.35.7/ipc/sem.c 2010-08-26 19:47:12.000000000 -0400
48218 +++ linux-2.6.35.7/ipc/sem.c 2010-09-28 18:50:22.000000000 -0400
48219 @@ -743,6 +743,8 @@ static unsigned long copy_semid_to_user(
48221 struct semid_ds out;
48223 + memset(&out, 0, sizeof(out));
48225 ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);
48227 out.sem_otime = in->sem_otime;
48228 diff -urNp linux-2.6.35.7/ipc/shm.c linux-2.6.35.7/ipc/shm.c
48229 --- linux-2.6.35.7/ipc/shm.c 2010-08-26 19:47:12.000000000 -0400
48230 +++ linux-2.6.35.7/ipc/shm.c 2010-10-10 16:01:41.000000000 -0400
48231 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
48232 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
48235 +#ifdef CONFIG_GRKERNSEC
48236 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
48237 + const time_t shm_createtime, const uid_t cuid,
48238 + const int shmid);
48239 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
48240 + const time_t shm_createtime);
48243 void shm_init_ns(struct ipc_namespace *ns)
48245 ns->shm_ctlmax = SHMMAX;
48246 @@ -395,6 +403,14 @@ static int newseg(struct ipc_namespace *
48247 shp->shm_lprid = 0;
48248 shp->shm_atim = shp->shm_dtim = 0;
48249 shp->shm_ctim = get_seconds();
48250 +#ifdef CONFIG_GRKERNSEC
48252 + struct timespec timeval;
48253 + do_posix_clock_monotonic_gettime(&timeval);
48255 + shp->shm_createtime = timeval.tv_sec;
48258 shp->shm_segsz = size;
48259 shp->shm_nattch = 0;
48260 shp->shm_file = file;
48261 @@ -473,6 +489,8 @@ static inline unsigned long copy_shmid_t
48263 struct shmid_ds out;
48265 + memset(&out, 0, sizeof(out));
48267 ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
48268 out.shm_segsz = in->shm_segsz;
48269 out.shm_atime = in->shm_atime;
48270 @@ -877,9 +895,21 @@ long do_shmat(int shmid, char __user *sh
48274 +#ifdef CONFIG_GRKERNSEC
48275 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
48276 + shp->shm_perm.cuid, shmid) ||
48277 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
48283 path = shp->shm_file->f_path;
48286 +#ifdef CONFIG_GRKERNSEC
48287 + shp->shm_lapid = current->pid;
48289 size = i_size_read(path.dentry->d_inode);
48292 diff -urNp linux-2.6.35.7/kernel/acct.c linux-2.6.35.7/kernel/acct.c
48293 --- linux-2.6.35.7/kernel/acct.c 2010-08-26 19:47:12.000000000 -0400
48294 +++ linux-2.6.35.7/kernel/acct.c 2010-09-17 20:12:09.000000000 -0400
48295 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
48297 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
48298 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
48299 - file->f_op->write(file, (char *)&ac,
48300 + file->f_op->write(file, (__force char __user *)&ac,
48301 sizeof(acct_t), &file->f_pos);
48302 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
48304 diff -urNp linux-2.6.35.7/kernel/capability.c linux-2.6.35.7/kernel/capability.c
48305 --- linux-2.6.35.7/kernel/capability.c 2010-08-26 19:47:12.000000000 -0400
48306 +++ linux-2.6.35.7/kernel/capability.c 2010-09-17 20:12:37.000000000 -0400
48307 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
48308 * before modification is attempted and the application
48311 + if (tocopy > ARRAY_SIZE(kdata))
48314 if (copy_to_user(dataptr, kdata, tocopy
48315 * sizeof(struct __user_cap_data_struct))) {
48317 @@ -306,10 +309,21 @@ int capable(int cap)
48321 - if (security_capable(cap) == 0) {
48322 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
48323 + current->flags |= PF_SUPERPRIV;
48329 +int capable_nolog(int cap)
48331 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
48332 current->flags |= PF_SUPERPRIV;
48338 EXPORT_SYMBOL(capable);
48339 +EXPORT_SYMBOL(capable_nolog);
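Review bot: `capable_nolog()` is exported without any comment saying how it differs from `capable()` or when a caller should prefer it. A short kernel-doc block above it should state that it makes the same decision through `gr_is_capable_nolog()` instead of `gr_is_capable()`, and that it sets `PF_SUPERPRIV` on success just as `capable()` does. The lines ahead of the test in `capable()` are not shown in this listing; if `capable()` validates `cap` there, `capable_nolog()` should do the same before calling `security_capable()`.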
48340 diff -urNp linux-2.6.35.7/kernel/compat.c linux-2.6.35.7/kernel/compat.c
48341 --- linux-2.6.35.7/kernel/compat.c 2010-09-20 17:33:09.000000000 -0400
48342 +++ linux-2.6.35.7/kernel/compat.c 2010-09-17 20:12:37.000000000 -0400
48345 #include <linux/linkage.h>
48346 #include <linux/compat.h>
48347 +#include <linux/module.h>
48348 #include <linux/errno.h>
48349 #include <linux/time.h>
48350 #include <linux/signal.h>
48351 diff -urNp linux-2.6.35.7/kernel/configs.c linux-2.6.35.7/kernel/configs.c
48352 --- linux-2.6.35.7/kernel/configs.c 2010-08-26 19:47:12.000000000 -0400
48353 +++ linux-2.6.35.7/kernel/configs.c 2010-09-17 20:12:37.000000000 -0400
48354 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
48355 struct proc_dir_entry *entry;
48357 /* create the current config file */
48358 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
48359 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
48360 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
48361 + &ikconfig_file_ops);
48362 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48363 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
48364 + &ikconfig_file_ops);
48367 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
48368 &ikconfig_file_ops);
48374 diff -urNp linux-2.6.35.7/kernel/cred.c linux-2.6.35.7/kernel/cred.c
48375 --- linux-2.6.35.7/kernel/cred.c 2010-08-26 19:47:12.000000000 -0400
48376 +++ linux-2.6.35.7/kernel/cred.c 2010-09-17 20:12:37.000000000 -0400
48377 @@ -489,6 +489,8 @@ int commit_creds(struct cred *new)
48379 get_cred(new); /* we will require a ref for the subj creds too */
48381 + gr_set_role_label(task, new->uid, new->gid);
48383 /* dumpability changes */
48384 if (old->euid != new->euid ||
48385 old->egid != new->egid ||
48386 diff -urNp linux-2.6.35.7/kernel/debug/debug_core.c linux-2.6.35.7/kernel/debug/debug_core.c
48387 --- linux-2.6.35.7/kernel/debug/debug_core.c 2010-08-26 19:47:12.000000000 -0400
48388 +++ linux-2.6.35.7/kernel/debug/debug_core.c 2010-09-17 20:12:09.000000000 -0400
48389 @@ -71,7 +71,7 @@ int kgdb_io_module_registered;
48390 /* Guard for recursive entry */
48391 static int exception_level;
48393 -struct kgdb_io *dbg_io_ops;
48394 +const struct kgdb_io *dbg_io_ops;
48395 static DEFINE_SPINLOCK(kgdb_registration_lock);
48397 /* kgdb console driver is loaded */
48398 @@ -871,7 +871,7 @@ static void kgdb_initial_breakpoint(void
48400 * Register it with the KGDB core.
48402 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
48403 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
48407 @@ -916,7 +916,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
48409 * Unregister it with the KGDB core.
48411 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
48412 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
48414 BUG_ON(kgdb_connected);
48416 diff -urNp linux-2.6.35.7/kernel/debug/kdb/kdb_main.c linux-2.6.35.7/kernel/debug/kdb/kdb_main.c
48417 --- linux-2.6.35.7/kernel/debug/kdb/kdb_main.c 2010-08-26 19:47:12.000000000 -0400
48418 +++ linux-2.6.35.7/kernel/debug/kdb/kdb_main.c 2010-09-17 20:12:09.000000000 -0400
48419 @@ -1872,7 +1872,7 @@ static int kdb_lsmod(int argc, const cha
48420 list_for_each_entry(mod, kdb_modules, list) {
48422 kdb_printf("%-20s%8u 0x%p ", mod->name,
48423 - mod->core_size, (void *)mod);
48424 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
48425 #ifdef CONFIG_MODULE_UNLOAD
48426 kdb_printf("%4d ", module_refcount(mod));
48428 @@ -1882,7 +1882,7 @@ static int kdb_lsmod(int argc, const cha
48429 kdb_printf(" (Loading)");
48431 kdb_printf(" (Live)");
48432 - kdb_printf(" 0x%p", mod->module_core);
48433 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
48435 #ifdef CONFIG_MODULE_UNLOAD
48437 diff -urNp linux-2.6.35.7/kernel/exit.c linux-2.6.35.7/kernel/exit.c
48438 --- linux-2.6.35.7/kernel/exit.c 2010-09-26 17:32:11.000000000 -0400
48439 +++ linux-2.6.35.7/kernel/exit.c 2010-09-26 17:32:50.000000000 -0400
48441 #include <asm/pgtable.h>
48442 #include <asm/mmu_context.h>
48444 +#ifdef CONFIG_GRKERNSEC
48445 +extern rwlock_t grsec_exec_file_lock;
48448 static void exit_mm(struct task_struct * tsk);
48450 static void __unhash_process(struct task_struct *p, bool group_dead)
48451 @@ -162,6 +166,8 @@ void release_task(struct task_struct * p
48452 struct task_struct *leader;
48455 + gr_del_task_from_ip_table(p);
48457 tracehook_prepare_release_task(p);
48458 /* don't need to get the RCU readlock here - the process is dead and
48459 * can't be modifying its own credentials. But shut RCU-lockdep up */
48460 @@ -331,11 +337,22 @@ static void reparent_to_kthreadd(void)
48462 write_lock_irq(&tasklist_lock);
48464 +#ifdef CONFIG_GRKERNSEC
48465 + write_lock(&grsec_exec_file_lock);
48466 + if (current->exec_file) {
48467 + fput(current->exec_file);
48468 + current->exec_file = NULL;
48470 + write_unlock(&grsec_exec_file_lock);
48473 ptrace_unlink(current);
48474 /* Reparent to init */
48475 current->real_parent = current->parent = kthreadd_task;
48476 list_move_tail(¤t->sibling, ¤t->real_parent->children);
48478 + gr_set_kernel_label(current);
48480 /* Set the exit signal to SIGCHLD so we signal init on exit */
48481 current->exit_signal = SIGCHLD;
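Review bot: The added block calls `fput(current->exec_file)` while holding `grsec_exec_file_lock`, and in this function that happens after `write_lock_irq(&tasklist_lock)`, so a final reference drop would run the file release path, which may sleep, in atomic context with interrupts off. Detach the pointer under the lock and release it later: `exec_file = current->exec_file; current->exec_file = NULL;` inside the lock, then `if (exec_file) fput(exec_file);` once `tasklist_lock` has been released, which happens outside this hunk. The same block is repeated in the `daemonize()` hunk below, so a small helper shared by both would keep the two copies from drifting.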
48483 @@ -387,7 +404,7 @@ int allow_signal(int sig)
48484 * know it'll be handled, so that they don't get converted to
48485 * SIGKILL or just silently dropped.
48487 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
48488 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
48489 recalc_sigpending();
48490 spin_unlock_irq(¤t->sighand->siglock);
48492 @@ -423,6 +440,17 @@ void daemonize(const char *name, ...)
48493 vsnprintf(current->comm, sizeof(current->comm), name, args);
48496 +#ifdef CONFIG_GRKERNSEC
48497 + write_lock(&grsec_exec_file_lock);
48498 + if (current->exec_file) {
48499 + fput(current->exec_file);
48500 + current->exec_file = NULL;
48502 + write_unlock(&grsec_exec_file_lock);
48505 + gr_set_kernel_label(current);
48508 * If we were started as result of loading a module, close all of the
48509 * user space pages. We don't need them, and if we didn't close them
48510 @@ -960,6 +988,9 @@ NORET_TYPE void do_exit(long code)
48511 tsk->exit_code = code;
48512 taskstats_exit(tsk, group_dead);
48514 + gr_acl_handle_psacct(tsk, code);
48515 + gr_acl_handle_exit();
48520 diff -urNp linux-2.6.35.7/kernel/fork.c linux-2.6.35.7/kernel/fork.c
48521 --- linux-2.6.35.7/kernel/fork.c 2010-08-26 19:47:12.000000000 -0400
48522 +++ linux-2.6.35.7/kernel/fork.c 2010-09-17 20:12:37.000000000 -0400
48523 @@ -276,7 +276,7 @@ static struct task_struct *dup_task_stru
48524 *stackend = STACK_END_MAGIC; /* for overflow detection */
48526 #ifdef CONFIG_CC_STACKPROTECTOR
48527 - tsk->stack_canary = get_random_int();
48528 + tsk->stack_canary = pax_get_random_long();
48531 /* One for us, one for whoever does the "release_task()" (usually parent) */
48532 @@ -298,13 +298,78 @@ out:
48536 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
48538 + struct vm_area_struct *tmp;
48539 + unsigned long charge;
48540 + struct mempolicy *pol;
48541 + struct file *file;
48544 + if (mpnt->vm_flags & VM_ACCOUNT) {
48545 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
48546 + if (security_vm_enough_memory(len))
48550 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
48555 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
48556 + pol = mpol_dup(vma_policy(mpnt));
48558 + goto fail_nomem_policy;
48559 + vma_set_policy(tmp, pol);
48560 + if (anon_vma_fork(tmp, mpnt))
48561 + goto fail_nomem_anon_vma_fork;
48562 + tmp->vm_flags &= ~VM_LOCKED;
48563 + tmp->vm_next = NULL;
48564 + tmp->vm_mirror = NULL;
48565 + file = tmp->vm_file;
48567 + struct inode *inode = file->f_path.dentry->d_inode;
48568 + struct address_space *mapping = file->f_mapping;
48571 + if (tmp->vm_flags & VM_DENYWRITE)
48572 + atomic_dec(&inode->i_writecount);
48573 + spin_lock(&mapping->i_mmap_lock);
48574 + if (tmp->vm_flags & VM_SHARED)
48575 + mapping->i_mmap_writable++;
48576 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
48577 + flush_dcache_mmap_lock(mapping);
48578 + /* insert tmp into the share list, just after mpnt */
48579 + vma_prio_tree_add(tmp, mpnt);
48580 + flush_dcache_mmap_unlock(mapping);
48581 + spin_unlock(&mapping->i_mmap_lock);
48585 + * Clear hugetlb-related page reserves for children. This only
48586 + * affects MAP_PRIVATE mappings. Faults generated by the child
48587 + * are not guaranteed to succeed, even if read-only
48589 + if (is_vm_hugetlb_page(tmp))
48590 + reset_vma_resv_huge_pages(tmp);
48594 +fail_nomem_anon_vma_fork:
48596 +fail_nomem_policy:
48597 + kmem_cache_free(vm_area_cachep, tmp);
48599 + vm_unacct_memory(charge);
48603 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
48605 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
48606 struct rb_node **rb_link, *rb_parent;
48608 - unsigned long charge;
48609 - struct mempolicy *pol;
48611 down_write(&oldmm->mmap_sem);
48612 flush_cache_dup_mm(oldmm);
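Review bot: `dup_vma()` clears `tmp->vm_next` and `tmp->vm_mirror` but not `tmp->vm_prev`, whereas the code it replaces in `dup_mmap()` (removed in a later hunk) had `tmp->vm_next = tmp->vm_prev = NULL;`. Assuming `tmp` starts as a copy of `mpnt`, as the flag masking on it suggests, the new vma leaves the helper with `vm_prev` still pointing into the parent's list, and correctness then depends on the linking code in `dup_mmap()`, which is outside this hunk, always overwriting it. Keeping `tmp->vm_next = tmp->vm_prev = NULL;` here makes the helper safe on its own. A short comment above `dup_vma()` saying that it appears to return NULL on any failure, after freeing `tmp` and calling `vm_unacct_memory(charge)`, would also help, since the caller now maps every failure to `-ENOMEM`.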
48613 @@ -316,8 +381,8 @@ static int dup_mmap(struct mm_struct *mm
48616 mm->mmap_cache = NULL;
48617 - mm->free_area_cache = oldmm->mmap_base;
48618 - mm->cached_hole_size = ~0UL;
48619 + mm->free_area_cache = oldmm->free_area_cache;
48620 + mm->cached_hole_size = oldmm->cached_hole_size;
48622 cpumask_clear(mm_cpumask(mm));
48623 mm->mm_rb = RB_ROOT;
48624 @@ -330,8 +395,6 @@ static int dup_mmap(struct mm_struct *mm
48627 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
48628 - struct file *file;
48630 if (mpnt->vm_flags & VM_DONTCOPY) {
48631 long pages = vma_pages(mpnt);
48632 mm->total_vm -= pages;
48633 @@ -339,56 +402,13 @@ static int dup_mmap(struct mm_struct *mm
48638 - if (mpnt->vm_flags & VM_ACCOUNT) {
48639 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
48640 - if (security_vm_enough_memory(len))
48644 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
48648 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
48649 - pol = mpol_dup(vma_policy(mpnt));
48650 - retval = PTR_ERR(pol);
48652 - goto fail_nomem_policy;
48653 - vma_set_policy(tmp, pol);
48654 - if (anon_vma_fork(tmp, mpnt))
48655 - goto fail_nomem_anon_vma_fork;
48656 - tmp->vm_flags &= ~VM_LOCKED;
48658 - tmp->vm_next = tmp->vm_prev = NULL;
48659 - file = tmp->vm_file;
48661 - struct inode *inode = file->f_path.dentry->d_inode;
48662 - struct address_space *mapping = file->f_mapping;
48665 - if (tmp->vm_flags & VM_DENYWRITE)
48666 - atomic_dec(&inode->i_writecount);
48667 - spin_lock(&mapping->i_mmap_lock);
48668 - if (tmp->vm_flags & VM_SHARED)
48669 - mapping->i_mmap_writable++;
48670 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
48671 - flush_dcache_mmap_lock(mapping);
48672 - /* insert tmp into the share list, just after mpnt */
48673 - vma_prio_tree_add(tmp, mpnt);
48674 - flush_dcache_mmap_unlock(mapping);
48675 - spin_unlock(&mapping->i_mmap_lock);
48676 + tmp = dup_vma(mm, mpnt);
48678 + retval = -ENOMEM;
48683 - * Clear hugetlb-related page reserves for children. This only
48684 - * affects MAP_PRIVATE mappings. Faults generated by the child
48685 - * are not guaranteed to succeed, even if read-only
48687 - if (is_vm_hugetlb_page(tmp))
48688 - reset_vma_resv_huge_pages(tmp);
48691 * Link in the new vma and copy the page table entries.
48694 @@ -409,6 +429,31 @@ static int dup_mmap(struct mm_struct *mm
48699 +#ifdef CONFIG_PAX_SEGMEXEC
48700 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
48701 + struct vm_area_struct *mpnt_m;
48703 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
48704 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
48706 + if (!mpnt->vm_mirror)
48709 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
48710 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
48711 + mpnt->vm_mirror = mpnt_m;
48713 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
48714 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
48715 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
48716 + mpnt->vm_mirror->vm_mirror = mpnt;
48723 /* a new mm has just been created */
48724 arch_dup_mmap(oldmm, mm);
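Review bot: The mirror fix-up loop advances `mpnt` over the parent's list and `mpnt_m` over the child's list in lockstep, which assumes both lists hold the same entries in the same order. The copy loop earlier in `dup_mmap()` has a `VM_DONTCOPY` branch; if that branch skips the vma as upstream does (the `continue` is not visible here), a parent with such a mapping leaves the child list shorter, and this walk would pair unrelated vmas or trip `BUG_ON(!mpnt_m || ...)`. The walk should step over parent vmas with `VM_DONTCOPY` without advancing `mpnt_m`, or the pairing should be recorded while each vma is duplicated. Either way, a comment above the loop should state the one-to-one assumption.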
48726 @@ -417,14 +462,6 @@ out:
48727 flush_tlb_mm(oldmm);
48728 up_write(&oldmm->mmap_sem);
48730 -fail_nomem_anon_vma_fork:
48732 -fail_nomem_policy:
48733 - kmem_cache_free(vm_area_cachep, tmp);
48735 - retval = -ENOMEM;
48736 - vm_unacct_memory(charge);
48740 static inline int mm_alloc_pgd(struct mm_struct * mm)
48741 @@ -760,13 +797,14 @@ static int copy_fs(unsigned long clone_f
48742 write_unlock(&fs->lock);
48746 + atomic_inc(&fs->users);
48747 write_unlock(&fs->lock);
48750 tsk->fs = copy_fs_struct(fs);
48753 + gr_set_chroot_entries(tsk, &tsk->fs->root);
48757 @@ -1019,10 +1057,13 @@ static struct task_struct *copy_process(
48759 if (!vx_nproc_avail(1))
48760 goto bad_fork_free;
48762 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
48764 if (atomic_read(&p->real_cred->user->processes) >=
48765 task_rlimit(p, RLIMIT_NPROC)) {
48766 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
48767 - p->real_cred->user != INIT_USER)
48768 + if (p->real_cred->user != INIT_USER &&
48769 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
48770 goto bad_fork_free;
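Review bot: The reordered condition in the `RLIMIT_NPROC` branch has no comment saying why `p->real_cred->user != INIT_USER` now comes before the two `capable()` calls, so a later cleanup could swap it back without noticing. If the intent is to avoid calling `capable()`, and whatever flag setting or logging it performs, unless the result matters, say so: `/* test the user first so capable() is only consulted when it can change the outcome */`. The body of `copy_process()` continues outside this hunk.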
48773 @@ -1176,6 +1217,8 @@ static struct task_struct *copy_process(
48774 goto bad_fork_free_pid;
48777 + gr_copy_label(p);
48779 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
48781 * Clear TID on mm_release()?
48782 @@ -1328,6 +1371,8 @@ bad_fork_cleanup_count:
48786 + gr_log_forkfail(retval);
48788 return ERR_PTR(retval);
48791 @@ -1433,6 +1478,8 @@ long do_fork(unsigned long clone_flags,
48792 if (clone_flags & CLONE_PARENT_SETTID)
48793 put_user(nr, parent_tidptr);
48795 + gr_handle_brute_check();
48797 if (clone_flags & CLONE_VFORK) {
48798 p->vfork_done = &vfork;
48799 init_completion(&vfork);
48800 @@ -1557,7 +1604,7 @@ static int unshare_fs(unsigned long unsh
48803 /* don't need lock here; in the worst case we'll do useless copy */
48804 - if (fs->users == 1)
48805 + if (atomic_read(&fs->users) == 1)
48808 *new_fsp = copy_fs_struct(fs);
48809 @@ -1680,7 +1727,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
48811 write_lock(&fs->lock);
48812 current->fs = new_fs;
48814 + gr_set_chroot_entries(current, ¤t->fs->root);
48815 + if (atomic_dec_return(&fs->users))
48819 diff -urNp linux-2.6.35.7/kernel/futex.c linux-2.6.35.7/kernel/futex.c
48820 --- linux-2.6.35.7/kernel/futex.c 2010-08-26 19:47:12.000000000 -0400
48821 +++ linux-2.6.35.7/kernel/futex.c 2010-09-17 20:12:37.000000000 -0400
48823 #include <linux/mount.h>
48824 #include <linux/pagemap.h>
48825 #include <linux/syscalls.h>
48826 +#include <linux/ptrace.h>
48827 #include <linux/signal.h>
48828 #include <linux/module.h>
48829 #include <linux/magic.h>
48830 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
48834 +#ifdef CONFIG_PAX_SEGMEXEC
48835 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
48840 * The futex address must be "naturally" aligned.
48842 @@ -1843,7 +1849,7 @@ retry:
48844 restart = ¤t_thread_info()->restart_block;
48845 restart->fn = futex_wait_restart;
48846 - restart->futex.uaddr = (u32 *)uaddr;
48847 + restart->futex.uaddr = uaddr;
48848 restart->futex.val = val;
48849 restart->futex.time = abs_time->tv64;
48850 restart->futex.bitset = bitset;
48851 @@ -2376,7 +2382,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
48853 struct robust_list_head __user *head;
48855 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
48856 const struct cred *cred = current_cred(), *pcred;
48859 if (!futex_cmpxchg_enabled)
48861 @@ -2392,11 +2400,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
48865 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48866 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
48869 pcred = __task_cred(p);
48870 if (cred->euid != pcred->euid &&
48871 cred->euid != pcred->uid &&
48872 !capable(CAP_SYS_PTRACE))
48875 head = p->robust_list;
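Review bot: The `ptrace_may_access(p, PTRACE_MODE_READ)` test replaces the uid comparison only when `CONFIG_GRKERNSEC_PROC_MEMMAP` is set, so builds without that option keep the weaker euid/uid check before handing out another task's robust-list pointer. That pointer discloses an address in the target's address space, so the stricter check looks appropriate unconditionally; that would also remove the `#ifndef` around the `cred`/`pcred` declarations in the previous hunk. The same pattern is repeated in `compat_sys_get_robust_list()` in kernel/futex_compat.c and should change with it. If the gating is deliberate, add a comment explaining why an option about /proc memory maps controls this syscall.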
48878 @@ -2458,7 +2471,7 @@ retry:
48880 static inline int fetch_robust_entry(struct robust_list __user **entry,
48881 struct robust_list __user * __user *head,
48883 + unsigned int *pi)
48885 unsigned long uentry;
48887 diff -urNp linux-2.6.35.7/kernel/futex_compat.c linux-2.6.35.7/kernel/futex_compat.c
48888 --- linux-2.6.35.7/kernel/futex_compat.c 2010-08-26 19:47:12.000000000 -0400
48889 +++ linux-2.6.35.7/kernel/futex_compat.c 2010-09-17 20:12:37.000000000 -0400
48891 #include <linux/compat.h>
48892 #include <linux/nsproxy.h>
48893 #include <linux/futex.h>
48894 +#include <linux/ptrace.h>
48896 #include <asm/uaccess.h>
48898 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
48900 struct compat_robust_list_head __user *head;
48902 - const struct cred *cred = current_cred(), *pcred;
48903 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
48904 + const struct cred *cred = current_cred();
48905 + const struct cred *pcred;
48908 if (!futex_cmpxchg_enabled)
48910 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
48914 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48915 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
48918 pcred = __task_cred(p);
48919 if (cred->euid != pcred->euid &&
48920 cred->euid != pcred->uid &&
48921 !capable(CAP_SYS_PTRACE))
48924 head = p->compat_robust_list;
48927 diff -urNp linux-2.6.35.7/kernel/gcov/base.c linux-2.6.35.7/kernel/gcov/base.c
48928 --- linux-2.6.35.7/kernel/gcov/base.c 2010-08-26 19:47:12.000000000 -0400
48929 +++ linux-2.6.35.7/kernel/gcov/base.c 2010-09-17 20:12:09.000000000 -0400
48930 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
48933 #ifdef CONFIG_MODULES
48934 -static inline int within(void *addr, void *start, unsigned long size)
48936 - return ((addr >= start) && (addr < start + size));
48939 /* Update list and generate events when modules are unloaded. */
48940 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
48942 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
48944 /* Remove entries located in module from linked list. */
48945 for (info = gcov_info_head; info; info = info->next) {
48946 - if (within(info, mod->module_core, mod->core_size)) {
48947 + if (within_module_core_rw((unsigned long)info, mod)) {
48949 prev->next = info->next;
48951 diff -urNp linux-2.6.35.7/kernel/hrtimer.c linux-2.6.35.7/kernel/hrtimer.c
48952 --- linux-2.6.35.7/kernel/hrtimer.c 2010-08-26 19:47:12.000000000 -0400
48953 +++ linux-2.6.35.7/kernel/hrtimer.c 2010-09-17 20:12:09.000000000 -0400
48954 @@ -1398,7 +1398,7 @@ void hrtimer_peek_ahead_timers(void)
48955 local_irq_restore(flags);
48958 -static void run_hrtimer_softirq(struct softirq_action *h)
48959 +static void run_hrtimer_softirq(void)
48961 hrtimer_peek_ahead_timers();
48963 diff -urNp linux-2.6.35.7/kernel/kallsyms.c linux-2.6.35.7/kernel/kallsyms.c
48964 --- linux-2.6.35.7/kernel/kallsyms.c 2010-08-26 19:47:12.000000000 -0400
48965 +++ linux-2.6.35.7/kernel/kallsyms.c 2010-09-17 20:12:37.000000000 -0400
48967 * Changed the compression method from stem compression to "table lookup"
48968 * compression (see scripts/kallsyms.c for a more complete description)
48970 +#ifdef CONFIG_GRKERNSEC_HIDESYM
48971 +#define __INCLUDED_BY_HIDESYM 1
48973 #include <linux/kallsyms.h>
48974 #include <linux/module.h>
48975 #include <linux/init.h>
48976 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
48978 static inline int is_kernel_inittext(unsigned long addr)
48980 + if (system_state != SYSTEM_BOOTING)
48983 if (addr >= (unsigned long)_sinittext
48984 && addr <= (unsigned long)_einittext)
48989 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48990 +#ifdef CONFIG_MODULES
48991 +static inline int is_module_text(unsigned long addr)
48993 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
48996 + addr = ktla_ktva(addr);
48997 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
49000 +static inline int is_module_text(unsigned long addr)
49007 static inline int is_kernel_text(unsigned long addr)
49009 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
49010 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
49012 static inline int is_kernel(unsigned long addr)
49015 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49016 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
49019 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
49021 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
49025 return in_gate_area_no_task(addr);
49028 static int is_ksym_addr(unsigned long addr)
49031 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49032 + if (is_module_text(addr))
49037 return is_kernel(addr);
49039 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
49041 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
49043 - iter->name[0] = '\0';
49044 iter->nameoff = get_symbol_offset(new_pos);
49045 iter->pos = new_pos;
49047 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
49049 struct kallsym_iter *iter = m->private;
49051 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49052 + if (current_uid())
49056 /* Some debugging symbols have no name. Ignore them. */
49057 if (!iter->name[0])
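Review bot: The `current_uid()` test in `s_show()` is evaluated for whichever task performs the read, not the one that opened the file, so what is shown depends on who ends up holding the descriptor. Making the decision once in `kallsyms_open()` and storing it in the iterator would tie visibility to the opener. The test also keys on uid 0 rather than a capability, so a root process that has dropped its capabilities still sees symbols; if that is intended under `CONFIG_GRKERNSEC_HIDESYM`, a one-line comment should say so. `s_show()` continues outside this hunk.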
49059 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
49060 struct kallsym_iter *iter;
49063 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
49064 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
49067 reset_iter(iter, 0);
49068 diff -urNp linux-2.6.35.7/kernel/kmod.c linux-2.6.35.7/kernel/kmod.c
49069 --- linux-2.6.35.7/kernel/kmod.c 2010-08-26 19:47:12.000000000 -0400
49070 +++ linux-2.6.35.7/kernel/kmod.c 2010-09-17 20:12:37.000000000 -0400
49071 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
49075 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
49076 + /* we could do a tighter check here, but some distros
49077 + are taking it upon themselves to remove CAP_SYS_MODULE
49078 + from even root-running apps which cause modules to be
49081 + if (current_uid()) {
49082 + gr_log_nonroot_mod_load(module_name);
49087 /* If modprobe needs a service that is in a module, we get a recursive
49088 * loop. Limit the number of running kmod threads to max_threads/2 or
49089 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
49090 diff -urNp linux-2.6.35.7/kernel/kprobes.c linux-2.6.35.7/kernel/kprobes.c
49091 --- linux-2.6.35.7/kernel/kprobes.c 2010-08-26 19:47:12.000000000 -0400
49092 +++ linux-2.6.35.7/kernel/kprobes.c 2010-09-17 20:12:09.000000000 -0400
49093 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
49094 * kernel image and loaded module images reside. This is required
49095 * so x86_64 can correctly handle the %rip-relative fixups.
49097 - kip->insns = module_alloc(PAGE_SIZE);
49098 + kip->insns = module_alloc_exec(PAGE_SIZE);
49102 @@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
49104 if (!list_is_singular(&kip->list)) {
49105 list_del(&kip->list);
49106 - module_free(NULL, kip->insns);
49107 + module_free_exec(NULL, kip->insns);
49111 @@ -1709,7 +1709,7 @@ static int __init init_kprobes(void)
49114 unsigned long offset = 0, size = 0;
49115 - char *modname, namebuf[128];
49116 + char *modname, namebuf[KSYM_NAME_LEN];
49117 const char *symbol_name;
49119 struct kprobe_blackpoint *kb;
49120 @@ -1835,7 +1835,7 @@ static int __kprobes show_kprobe_addr(st
49121 const char *sym = NULL;
49122 unsigned int i = *(loff_t *) v;
49123 unsigned long offset = 0;
49124 - char *modname, namebuf[128];
49125 + char *modname, namebuf[KSYM_NAME_LEN];
49127 head = &kprobe_table[i];
49129 diff -urNp linux-2.6.35.7/kernel/lockdep.c linux-2.6.35.7/kernel/lockdep.c
49130 --- linux-2.6.35.7/kernel/lockdep.c 2010-08-26 19:47:12.000000000 -0400
49131 +++ linux-2.6.35.7/kernel/lockdep.c 2010-09-17 20:12:09.000000000 -0400
49132 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
49133 end = (unsigned long) &_end,
49134 addr = (unsigned long) obj;
49136 +#ifdef CONFIG_PAX_KERNEXEC
49137 + start = ktla_ktva(start);
49143 @@ -696,6 +700,7 @@ register_lock_class(struct lockdep_map *
49144 if (!static_obj(lock->key)) {
49146 printk("INFO: trying to register non-static key.\n");
49147 + printk("lock:%pS key:%pS.\n", lock, lock->key);
49148 printk("the code is fine but needs lockdep annotation.\n");
49149 printk("turning off the locking correctness validator.\n");
49151 diff -urNp linux-2.6.35.7/kernel/lockdep_proc.c linux-2.6.35.7/kernel/lockdep_proc.c
49152 --- linux-2.6.35.7/kernel/lockdep_proc.c 2010-08-26 19:47:12.000000000 -0400
49153 +++ linux-2.6.35.7/kernel/lockdep_proc.c 2010-09-17 20:12:09.000000000 -0400
49154 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
49156 static void print_name(struct seq_file *m, struct lock_class *class)
49159 + char str[KSYM_NAME_LEN];
49160 const char *name = class->name;
49163 diff -urNp linux-2.6.35.7/kernel/module.c linux-2.6.35.7/kernel/module.c
49164 --- linux-2.6.35.7/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
49165 +++ linux-2.6.35.7/kernel/module.c 2010-09-17 20:12:37.000000000 -0400
49166 @@ -96,7 +96,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
49168 /* Bounds of module allocation, for speeding __module_address.
49169 * Protected by module_mutex. */
49170 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
49171 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
49172 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
49174 int register_module_notifier(struct notifier_block * nb)
49176 @@ -250,7 +251,7 @@ bool each_symbol(bool (*fn)(const struct
49179 list_for_each_entry_rcu(mod, &modules, list) {
49180 - struct symsearch arr[] = {
49181 + struct symsearch modarr[] = {
49182 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
49183 NOT_GPL_ONLY, false },
49184 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
49185 @@ -272,7 +273,7 @@ bool each_symbol(bool (*fn)(const struct
49189 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
49190 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
49194 @@ -383,7 +384,7 @@ static inline void __percpu *mod_percpu(
49195 static int percpu_modalloc(struct module *mod,
49196 unsigned long size, unsigned long align)
49198 - if (align > PAGE_SIZE) {
49199 + if (align-1 >= PAGE_SIZE) {
49200 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
49201 mod->name, align, PAGE_SIZE);
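Review bot: `align-1 >= PAGE_SIZE` relies on unsigned wrap-around to catch `align == 0` as well as `align > PAGE_SIZE`, and nothing in the hunk says so. Add a comment such as `/* align - 1 wraps to ULONG_MAX when align is 0, so zero is caught too */`. The warning text still reads `per-cpu alignment %li > %li`, which for the new case would print a zero on the left; a wording like `invalid per-cpu alignment %lu (max %lu)` would keep the log truthful. Kernel style would also space the expression as `align - 1`.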
49203 @@ -1562,7 +1563,8 @@ static void free_module(struct module *m
49204 destroy_params(mod->kp, mod->num_kp);
49206 /* This may be NULL, but that's OK */
49207 - module_free(mod, mod->module_init);
49208 + module_free(mod, mod->module_init_rw);
49209 + module_free_exec(mod, mod->module_init_rx);
49211 percpu_modfree(mod);
49212 #if defined(CONFIG_MODULE_UNLOAD)
49213 @@ -1570,10 +1572,12 @@ static void free_module(struct module *m
49214 free_percpu(mod->refptr);
49216 /* Free lock-classes: */
49217 - lockdep_free_key_range(mod->module_core, mod->core_size);
49218 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
49219 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
49221 /* Finally, free the core (containing the module structure) */
49222 - module_free(mod, mod->module_core);
49223 + module_free_exec(mod, mod->module_core_rx);
49224 + module_free(mod, mod->module_core_rw);
49227 update_protections(current->mm);
49228 @@ -1670,7 +1674,9 @@ static int simplify_symbols(Elf_Shdr *se
49230 /* Ok if resolved. */
49231 if (ksym && !IS_ERR(ksym)) {
49232 + pax_open_kernel();
49233 sym[i].st_value = ksym->value;
49234 + pax_close_kernel();
49238 @@ -1690,7 +1696,9 @@ static int simplify_symbols(Elf_Shdr *se
49239 secbase = (unsigned long)mod_percpu(mod);
49241 secbase = sechdrs[sym[i].st_shndx].sh_addr;
49242 + pax_open_kernel();
49243 sym[i].st_value += secbase;
49244 + pax_close_kernel();
49248 @@ -1751,11 +1759,12 @@ static void layout_sections(struct modul
49249 || s->sh_entsize != ~0UL
49250 || strstarts(secstrings + s->sh_name, ".init"))
49252 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
49253 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
49254 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
49256 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
49257 DEBUGP("\t%s\n", secstrings + s->sh_name);
49260 - mod->core_text_size = mod->core_size;
49263 DEBUGP("Init section allocation order:\n");
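Review bot: The test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` that picks the rw or rx region is written out here, again in the init-section hunk below, and twice more in the copy loop of `load_module()`, where its negation also guards the `pax_open_kernel()` memcpy. Layout and copy must agree exactly, or a section is copied to an offset computed for the other region, so one helper such as `static inline bool section_is_rw(const Elf_Shdr *s)` should replace all of them. In the `load_module()` copy loop the `!(... & SHF_ALLOC)` half looks dead, because sections without `SHF_ALLOC` appear to be skipped by the check just above it. With `mod->core_text_size` no longer assigned in this hunk, confirm that no remaining reader uses it.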
49264 @@ -1768,12 +1777,13 @@ static void layout_sections(struct modul
49265 || s->sh_entsize != ~0UL
49266 || !strstarts(secstrings + s->sh_name, ".init"))
49268 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
49269 - | INIT_OFFSET_MASK);
49270 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
49271 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
49273 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
49274 + s->sh_entsize |= INIT_OFFSET_MASK;
49275 DEBUGP("\t%s\n", secstrings + s->sh_name);
49278 - mod->init_text_size = mod->init_size;
49282 @@ -1877,9 +1887,8 @@ static int is_exported(const char *name,
49285 static char elf_type(const Elf_Sym *sym,
49286 - Elf_Shdr *sechdrs,
49287 - const char *secstrings,
49288 - struct module *mod)
49289 + const Elf_Shdr *sechdrs,
49290 + const char *secstrings)
49292 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
49293 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
49294 @@ -1954,7 +1963,7 @@ static unsigned long layout_symtab(struc
49296 /* Put symbol section at end of init part of module. */
49297 symsect->sh_flags |= SHF_ALLOC;
49298 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
49299 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
49300 symindex) | INIT_OFFSET_MASK;
49301 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
49303 @@ -1971,19 +1980,19 @@ static unsigned long layout_symtab(struc
49306 /* Append room for core symbols at end of core part. */
49307 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
49308 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
49309 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
49310 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
49312 /* Put string table section at end of init part of module. */
49313 strsect->sh_flags |= SHF_ALLOC;
49314 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
49315 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
49316 strindex) | INIT_OFFSET_MASK;
49317 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
49319 /* Append room for core symbols' strings at end of core part. */
49320 - *pstroffs = mod->core_size;
49321 + *pstroffs = mod->core_size_rx;
49322 __set_bit(0, strmap);
49323 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
49324 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
49328 @@ -2007,12 +2016,14 @@ static void add_kallsyms(struct module *
49329 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
49330 mod->strtab = (void *)sechdrs[strindex].sh_addr;
49332 + pax_open_kernel();
49334 /* Set types up while we still have access to sections. */
49335 for (i = 0; i < mod->num_symtab; i++)
49336 mod->symtab[i].st_info
49337 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
49338 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
49340 - mod->core_symtab = dst = mod->module_core + symoffs;
49341 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
49344 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
49345 @@ -2024,10 +2035,12 @@ static void add_kallsyms(struct module *
49347 mod->core_num_syms = ndst;
49349 - mod->core_strtab = s = mod->module_core + stroffs;
49350 + mod->core_strtab = s = mod->module_core_rx + stroffs;
49351 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
49352 if (test_bit(i, strmap))
49353 *++s = mod->strtab[i];
49355 + pax_close_kernel();
49358 static inline unsigned long layout_symtab(struct module *mod,
49359 @@ -2070,17 +2083,33 @@ static void dynamic_debug_remove(struct
49360 ddebug_remove_module(debug->modname);
49363 -static void *module_alloc_update_bounds(unsigned long size)
49364 +static void *module_alloc_update_bounds_rw(unsigned long size)
49366 void *ret = module_alloc(size);
49369 mutex_lock(&module_mutex);
49370 /* Update module bounds. */
49371 - if ((unsigned long)ret < module_addr_min)
49372 - module_addr_min = (unsigned long)ret;
49373 - if ((unsigned long)ret + size > module_addr_max)
49374 - module_addr_max = (unsigned long)ret + size;
49375 + if ((unsigned long)ret < module_addr_min_rw)
49376 + module_addr_min_rw = (unsigned long)ret;
49377 + if ((unsigned long)ret + size > module_addr_max_rw)
49378 + module_addr_max_rw = (unsigned long)ret + size;
49379 + mutex_unlock(&module_mutex);
49384 +static void *module_alloc_update_bounds_rx(unsigned long size)
49386 + void *ret = module_alloc_exec(size);
49389 + mutex_lock(&module_mutex);
49390 + /* Update module bounds. */
49391 + if ((unsigned long)ret < module_addr_min_rx)
49392 + module_addr_min_rx = (unsigned long)ret;
49393 + if ((unsigned long)ret + size > module_addr_max_rx)
49394 + module_addr_max_rx = (unsigned long)ret + size;
49395 mutex_unlock(&module_mutex);
49398 @@ -2284,7 +2313,7 @@ static noinline struct module *load_modu
49399 secstrings, &stroffs, strmap);
49401 /* Do the allocs. */
49402 - ptr = module_alloc_update_bounds(mod->core_size);
49403 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
49405 * The pointer to this block is stored in the module structure
49406 * which is inside the block. Just mark it as not being a
49407 @@ -2295,23 +2324,47 @@ static noinline struct module *load_modu
49411 - memset(ptr, 0, mod->core_size);
49412 - mod->module_core = ptr;
49413 + memset(ptr, 0, mod->core_size_rw);
49414 + mod->module_core_rw = ptr;
49416 - ptr = module_alloc_update_bounds(mod->init_size);
49417 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
49419 * The pointer to this block is stored in the module structure
49420 * which is inside the block. This block doesn't need to be
49421 * scanned as it contains data and code that will be freed
49422 * after the module is initialized.
49424 - kmemleak_ignore(ptr);
49425 - if (!ptr && mod->init_size) {
49426 + kmemleak_not_leak(ptr);
49427 + if (!ptr && mod->init_size_rw) {
49429 + goto free_core_rw;
49431 + memset(ptr, 0, mod->init_size_rw);
49432 + mod->module_init_rw = ptr;
49434 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
49435 + kmemleak_not_leak(ptr);
49438 + goto free_init_rw;
49441 + pax_open_kernel();
49442 + memset(ptr, 0, mod->core_size_rx);
49443 + pax_close_kernel();
49444 + mod->module_core_rx = ptr;
49446 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
49447 + kmemleak_not_leak(ptr);
49448 + if (!ptr && mod->init_size_rx) {
49451 + goto free_core_rx;
49453 - memset(ptr, 0, mod->init_size);
49454 - mod->module_init = ptr;
49456 + pax_open_kernel();
49457 + memset(ptr, 0, mod->init_size_rx);
49458 + pax_close_kernel();
49459 + mod->module_init_rx = ptr;
49461 /* Transfer each section which specifies SHF_ALLOC */
49462 DEBUGP("final section addresses:\n");
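Review bot: The retained comment above the init allocation still says the block "doesn't need to be scanned", which described `kmemleak_ignore()`, but the call is now `kmemleak_not_leak(ptr)`, which suppresses the leak report while leaving the block scanned. Either keep `kmemleak_ignore()` for the init regions or reword the comment to match the new call. The two new rx allocations carry no comment at all; a line such as `/* rx regions are read-only under KERNEXEC, hence pax_open_kernel() around the memset */` would explain why their zeroing is bracketed and the rw zeroing is not. `load_module()` starts and ends outside this hunk.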
49463 @@ -2321,17 +2374,41 @@ static noinline struct module *load_modu
49464 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
49467 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
49468 - dest = mod->module_init
49469 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
49471 - dest = mod->module_core + sechdrs[i].sh_entsize;
49472 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
49473 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
49474 + dest = mod->module_init_rw
49475 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
49477 + dest = mod->module_init_rx
49478 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
49480 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
49481 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
49483 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
49486 + if (sechdrs[i].sh_type != SHT_NOBITS) {
49488 - if (sechdrs[i].sh_type != SHT_NOBITS)
49489 - memcpy(dest, (void *)sechdrs[i].sh_addr,
49490 - sechdrs[i].sh_size);
49491 +#ifdef CONFIG_PAX_KERNEXEC
49492 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
49493 + pax_open_kernel();
49494 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
49495 + pax_close_kernel();
49499 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
49501 /* Update sh_addr to point to copy in image. */
49502 - sechdrs[i].sh_addr = (unsigned long)dest;
49504 +#ifdef CONFIG_PAX_KERNEXEC
49505 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
49506 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
49510 + sechdrs[i].sh_addr = (unsigned long)dest;
49511 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
49513 /* Module has been moved. */
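Review bot: The test `(sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC)` is written out twice in the section-copy loop and negated a third time under CONFIG_PAX_KERNEXEC. Its `!SHF_ALLOC` half looks unreachable, because the loop already tests `!(sechdrs[i].sh_flags & SHF_ALLOC)` at the top (the statement that test guards is missing from this listing, presumably a `continue`). This predicate decides whether a section lands in the writable or the executable mapping, so I would compute it once, e.g. `bool rw = sechdrs[i].sh_flags & SHF_WRITE;`, and use it for both the `dest` selection and the `pax_open_kernel()` bracket. A one-line comment on why only the copy into the RX destination is wrapped in `pax_open_kernel()`/`pax_close_kernel()` would also help. load_module() starts and ends outside the hunk.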
49514 @@ -2342,7 +2419,7 @@ static noinline struct module *load_modu
49515 mod->refptr = alloc_percpu(struct module_ref);
49516 if (!mod->refptr) {
49519 + goto free_init_rx;
49522 /* Now we've moved module, initialize linked lists, etc. */
49523 @@ -2452,8 +2529,8 @@ static noinline struct module *load_modu
49525 /* Now do relocations. */
49526 for (i = 1; i < hdr->e_shnum; i++) {
49527 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
49528 unsigned int info = sechdrs[i].sh_info;
49529 + strtab = (char *)sechdrs[strindex].sh_addr;
49531 /* Not a valid relocation section? */
49532 if (info >= hdr->e_shnum)
49533 @@ -2503,12 +2580,12 @@ static noinline struct module *load_modu
49534 * Do it before processing of module parameters, so the module
49535 * can provide parameter accessor functions of its own.
49537 - if (mod->module_init)
49538 - flush_icache_range((unsigned long)mod->module_init,
49539 - (unsigned long)mod->module_init
49540 - + mod->init_size);
49541 - flush_icache_range((unsigned long)mod->module_core,
49542 - (unsigned long)mod->module_core + mod->core_size);
49543 + if (mod->module_init_rx)
49544 + flush_icache_range((unsigned long)mod->module_init_rx,
49545 + (unsigned long)mod->module_init_rx
49546 + + mod->init_size_rx);
49547 + flush_icache_range((unsigned long)mod->module_core_rx,
49548 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
49552 @@ -2574,12 +2651,16 @@ static noinline struct module *load_modu
49554 module_unload_free(mod);
49555 #if defined(CONFIG_MODULE_UNLOAD)
49557 free_percpu(mod->refptr);
49560 - module_free(mod, mod->module_init);
49562 - module_free(mod, mod->module_core);
49563 + module_free_exec(mod, mod->module_init_rx);
49565 + module_free_exec(mod, mod->module_core_rx);
49567 + module_free(mod, mod->module_init_rw);
49569 + module_free(mod, mod->module_core_rw);
49570 /* mod will be freed with core. Don't access it beyond this line! */
49572 free_percpu(percpu);
49573 @@ -2669,10 +2750,12 @@ SYSCALL_DEFINE3(init_module, void __user
49574 mod->symtab = mod->core_symtab;
49575 mod->strtab = mod->core_strtab;
49577 - module_free(mod, mod->module_init);
49578 - mod->module_init = NULL;
49579 - mod->init_size = 0;
49580 - mod->init_text_size = 0;
49581 + module_free(mod, mod->module_init_rw);
49582 + module_free_exec(mod, mod->module_init_rx);
49583 + mod->module_init_rw = NULL;
49584 + mod->module_init_rx = NULL;
49585 + mod->init_size_rw = 0;
49586 + mod->init_size_rx = 0;
49587 mutex_unlock(&module_mutex);
49590 @@ -2703,10 +2786,16 @@ static const char *get_ksymbol(struct mo
49591 unsigned long nextval;
49593 /* At worse, next value is at end of module */
49594 - if (within_module_init(addr, mod))
49595 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
49596 + if (within_module_init_rx(addr, mod))
49597 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
49598 + else if (within_module_init_rw(addr, mod))
49599 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
49600 + else if (within_module_core_rx(addr, mod))
49601 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
49602 + else if (within_module_core_rw(addr, mod))
49603 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
49605 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
49608 /* Scan for closest preceeding symbol, and next symbol. (ELF
49609 starts real symbols at 1). */
49610 @@ -2952,7 +3041,7 @@ static int m_show(struct seq_file *m, vo
49613 seq_printf(m, "%s %u",
49614 - mod->name, mod->init_size + mod->core_size);
49615 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
49616 print_unload_info(m, mod);
49618 /* Informative for users. */
49619 @@ -2961,7 +3050,7 @@ static int m_show(struct seq_file *m, vo
49620 mod->state == MODULE_STATE_COMING ? "Loading":
49622 /* Used by oprofile and other similar tools. */
49623 - seq_printf(m, " 0x%p", mod->module_core);
49624 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
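Review bot: The address column of /proc/modules changes from one value to two (`" 0x%p 0x%p"`), and the comment directly above says this field is read by oprofile and similar tools. Userspace that parses the line positionally may misread the extra column. I would either keep a single address here or add a comment that fixes the new order, e.g. `/* core_rx first, then core_rw; existing parsers expect one address */`. m_show() starts and ends outside the hunk.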
49628 @@ -2997,7 +3086,17 @@ static const struct file_operations proc
49630 static int __init proc_modules_init(void)
49632 +#ifndef CONFIG_GRKERNSEC_HIDESYM
49633 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49634 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
49635 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49636 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
49638 proc_create("modules", 0, NULL, &proc_modules_operations);
49641 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
49645 module_init(proc_modules_init);
49646 @@ -3056,12 +3155,12 @@ struct module *__module_address(unsigned
49648 struct module *mod;
49650 - if (addr < module_addr_min || addr > module_addr_max)
49651 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
49652 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
49655 list_for_each_entry_rcu(mod, &modules, list)
49656 - if (within_module_core(addr, mod)
49657 - || within_module_init(addr, mod))
49658 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
49662 @@ -3095,11 +3194,20 @@ bool is_module_text_address(unsigned lon
49664 struct module *__module_text_address(unsigned long addr)
49666 - struct module *mod = __module_address(addr);
49667 + struct module *mod;
49669 +#ifdef CONFIG_X86_32
49670 + addr = ktla_ktva(addr);
49673 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
49676 + mod = __module_address(addr);
49679 /* Make sure it's within the text section. */
49680 - if (!within(addr, mod->module_init, mod->init_text_size)
49681 - && !within(addr, mod->module_core, mod->core_text_size))
49682 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
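Review bot: The address translation `addr = ktla_ktva(addr);` is guarded by `CONFIG_X86_32`, while the inverse `ktva_ktla()` applied to executable sections in load_module is guarded by `CONFIG_PAX_KERNEXEC`. Neither helper is defined in this section, so it cannot be confirmed from here that the two guards always select matching behaviour. A comment at this site, e.g. `/* text addresses are stored translated by load_module(); undo that before the range check */`, would tie the two together, assuming that is the intent. Part of the function body is missing from this listing.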
49686 diff -urNp linux-2.6.35.7/kernel/panic.c linux-2.6.35.7/kernel/panic.c
49687 --- linux-2.6.35.7/kernel/panic.c 2010-08-26 19:47:12.000000000 -0400
49688 +++ linux-2.6.35.7/kernel/panic.c 2010-09-17 20:12:09.000000000 -0400
49689 @@ -429,7 +429,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
49691 void __stack_chk_fail(void)
49693 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
49695 + panic("stack-protector: Kernel stack is corrupted in: %pS\n",
49696 __builtin_return_address(0));
49698 EXPORT_SYMBOL(__stack_chk_fail);
49699 diff -urNp linux-2.6.35.7/kernel/pid.c linux-2.6.35.7/kernel/pid.c
49700 --- linux-2.6.35.7/kernel/pid.c 2010-08-26 19:47:12.000000000 -0400
49701 +++ linux-2.6.35.7/kernel/pid.c 2010-09-17 20:12:37.000000000 -0400
49703 #include <linux/rculist.h>
49704 #include <linux/bootmem.h>
49705 #include <linux/hash.h>
49706 +#include <linux/security.h>
49707 #include <linux/pid_namespace.h>
49708 #include <linux/init_task.h>
49709 #include <linux/syscalls.h>
49710 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
49712 int pid_max = PID_MAX_DEFAULT;
49714 -#define RESERVED_PIDS 300
49715 +#define RESERVED_PIDS 500
49717 int pid_max_min = RESERVED_PIDS + 1;
49718 int pid_max_max = PID_MAX_LIMIT;
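Review bot: `RESERVED_PIDS` is raised from 300 to 500 without a comment, and `pid_max_min = RESERVED_PIDS + 1` on the next line means the smallest accepted `pid_max` silently becomes 501. I would record the reason and the side effect next to the define, e.g. `/* raised from 300; also raises pid_max_min to 501 */`.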
49719 @@ -382,7 +383,14 @@ EXPORT_SYMBOL(pid_task);
49721 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
49723 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
49724 + struct task_struct *task;
49726 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
49728 + if (gr_pid_is_chrooted(task))
49734 struct task_struct *find_task_by_vpid(pid_t vnr)
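Review bot: `gr_pid_is_chrooted(task)` receives the result of `pid_task()`, which is NULL when no task matches `nr`. The helper is not defined in this section, so its handling of NULL cannot be confirmed here. Unless it is documented to accept NULL, guard the call: `if (task && gr_pid_is_chrooted(task))`. The statements after the test are missing from this listing.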
49735 diff -urNp linux-2.6.35.7/kernel/posix-cpu-timers.c linux-2.6.35.7/kernel/posix-cpu-timers.c
49736 --- linux-2.6.35.7/kernel/posix-cpu-timers.c 2010-08-26 19:47:12.000000000 -0400
49737 +++ linux-2.6.35.7/kernel/posix-cpu-timers.c 2010-09-17 20:12:37.000000000 -0400
49739 #include <linux/posix-timers.h>
49740 #include <linux/errno.h>
49741 #include <linux/math64.h>
49742 +#include <linux/security.h>
49743 #include <asm/uaccess.h>
49744 #include <linux/kernel_stat.h>
49745 #include <trace/events/timer.h>
49746 @@ -972,6 +973,7 @@ static void check_thread_timers(struct t
49747 unsigned long hard =
49748 ACCESS_ONCE(sig->rlim[RLIMIT_RTTIME].rlim_max);
49750 + gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout * (USEC_PER_SEC/HZ), 1);
49751 if (hard != RLIM_INFINITY &&
49752 tsk->rt.timeout > DIV_ROUND_UP(hard, USEC_PER_SEC/HZ)) {
49754 @@ -1138,6 +1140,7 @@ static void check_process_timers(struct
49755 unsigned long hard =
49756 ACCESS_ONCE(sig->rlim[RLIMIT_CPU].rlim_max);
49758 + gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
49759 if (psecs >= hard) {
49761 * At the hard limit, we just die.
49762 diff -urNp linux-2.6.35.7/kernel/power/hibernate.c linux-2.6.35.7/kernel/power/hibernate.c
49763 --- linux-2.6.35.7/kernel/power/hibernate.c 2010-08-26 19:47:12.000000000 -0400
49764 +++ linux-2.6.35.7/kernel/power/hibernate.c 2010-09-17 20:12:09.000000000 -0400
49765 @@ -50,14 +50,14 @@ enum {
49767 static int hibernation_mode = HIBERNATION_SHUTDOWN;
49769 -static struct platform_hibernation_ops *hibernation_ops;
49770 +static const struct platform_hibernation_ops *hibernation_ops;
49773 * hibernation_set_ops - set the global hibernate operations
49774 * @ops: the hibernation operations to use in subsequent hibernation transitions
49777 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
49778 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
49780 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
49781 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
49782 diff -urNp linux-2.6.35.7/kernel/power/poweroff.c linux-2.6.35.7/kernel/power/poweroff.c
49783 --- linux-2.6.35.7/kernel/power/poweroff.c 2010-08-26 19:47:12.000000000 -0400
49784 +++ linux-2.6.35.7/kernel/power/poweroff.c 2010-09-17 20:12:09.000000000 -0400
49785 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
49786 .enable_mask = SYSRQ_ENABLE_BOOT,
49789 -static int pm_sysrq_init(void)
49790 +static int __init pm_sysrq_init(void)
49792 register_sysrq_key('o', &sysrq_poweroff_op);
49794 diff -urNp linux-2.6.35.7/kernel/power/process.c linux-2.6.35.7/kernel/power/process.c
49795 --- linux-2.6.35.7/kernel/power/process.c 2010-08-26 19:47:12.000000000 -0400
49796 +++ linux-2.6.35.7/kernel/power/process.c 2010-09-17 20:12:09.000000000 -0400
49797 @@ -38,12 +38,15 @@ static int try_to_freeze_tasks(bool sig_
49798 struct timeval start, end;
49799 u64 elapsed_csecs64;
49800 unsigned int elapsed_csecs;
49801 + bool timedout = false;
49803 do_gettimeofday(&start);
49805 end_time = jiffies + TIMEOUT;
49808 + if (time_after(jiffies, end_time))
49810 read_lock(&tasklist_lock);
49811 do_each_thread(g, p) {
49812 if (frozen(p) || !freezeable(p))
49813 @@ -58,12 +61,16 @@ static int try_to_freeze_tasks(bool sig_
49814 * It is "frozen enough". If the task does wake
49815 * up, it will immediately call try_to_freeze.
49817 - if (!task_is_stopped_or_traced(p) &&
49818 - !freezer_should_skip(p))
49819 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
49822 + printk(KERN_ERR "Task refusing to freeze:\n");
49823 + sched_show_task(p);
49826 } while_each_thread(g, p);
49827 read_unlock(&tasklist_lock);
49828 - if (!todo || time_after(jiffies, end_time))
49829 + if (!todo || timedout)
49833 diff -urNp linux-2.6.35.7/kernel/power/suspend.c linux-2.6.35.7/kernel/power/suspend.c
49834 --- linux-2.6.35.7/kernel/power/suspend.c 2010-08-26 19:47:12.000000000 -0400
49835 +++ linux-2.6.35.7/kernel/power/suspend.c 2010-09-17 20:12:09.000000000 -0400
49836 @@ -30,13 +30,13 @@ const char *const pm_states[PM_SUSPEND_M
49837 [PM_SUSPEND_MEM] = "mem",
49840 -static struct platform_suspend_ops *suspend_ops;
49841 +static const struct platform_suspend_ops *suspend_ops;
49844 * suspend_set_ops - Set the global suspend method table.
49845 * @ops: Pointer to ops structure.
49847 -void suspend_set_ops(struct platform_suspend_ops *ops)
49848 +void suspend_set_ops(const struct platform_suspend_ops *ops)
49850 mutex_lock(&pm_mutex);
49852 diff -urNp linux-2.6.35.7/kernel/printk.c linux-2.6.35.7/kernel/printk.c
49853 --- linux-2.6.35.7/kernel/printk.c 2010-08-26 19:47:12.000000000 -0400
49854 +++ linux-2.6.35.7/kernel/printk.c 2010-09-17 20:12:37.000000000 -0400
49855 @@ -266,6 +266,11 @@ int do_syslog(int type, char __user *buf
49859 +#ifdef CONFIG_GRKERNSEC_DMESG
49860 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
49864 error = security_syslog(type, from_file);
49867 diff -urNp linux-2.6.35.7/kernel/ptrace.c linux-2.6.35.7/kernel/ptrace.c
49868 --- linux-2.6.35.7/kernel/ptrace.c 2010-08-26 19:47:12.000000000 -0400
49869 +++ linux-2.6.35.7/kernel/ptrace.c 2010-09-17 20:12:37.000000000 -0400
49870 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
49871 cred->gid != tcred->egid ||
49872 cred->gid != tcred->sgid ||
49873 cred->gid != tcred->gid) &&
49874 - !capable(CAP_SYS_PTRACE)) {
49875 + !capable_nolog(CAP_SYS_PTRACE)) {
49879 @@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
49882 dumpable = get_dumpable(task->mm);
49883 - if (!dumpable && !capable(CAP_SYS_PTRACE))
49884 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
49887 return security_ptrace_access_check(task, mode);
49888 @@ -198,7 +198,7 @@ int ptrace_attach(struct task_struct *ta
49889 goto unlock_tasklist;
49891 task->ptrace = PT_PTRACED;
49892 - if (capable(CAP_SYS_PTRACE))
49893 + if (capable_nolog(CAP_SYS_PTRACE))
49894 task->ptrace |= PT_PTRACE_CAP;
49896 __ptrace_link(task, current);
49897 @@ -361,7 +361,7 @@ int ptrace_readdata(struct task_struct *
49901 - if (copy_to_user(dst, buf, retval))
49902 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
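Review bot: `retval > sizeof(buf)` compares what is presumably a signed `int` (the declaration is outside the hunk) with a `size_t`. A negative `retval` is therefore rejected only because the conversion turns it into a large unsigned value. The bound on the copy length is the right check, but I would make the negative case explicit so it survives a later type change: `if (retval < 0 || retval > sizeof(buf) || copy_to_user(dst, buf, retval))`. ptrace_readdata() starts and ends outside the hunk.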
49906 @@ -572,18 +572,18 @@ int ptrace_request(struct task_struct *c
49907 ret = ptrace_setoptions(child, data);
49909 case PTRACE_GETEVENTMSG:
49910 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
49911 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
49914 case PTRACE_GETSIGINFO:
49915 ret = ptrace_getsiginfo(child, &siginfo);
49917 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
49918 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
49922 case PTRACE_SETSIGINFO:
49923 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
49924 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
49928 @@ -703,14 +703,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
49932 + if (gr_handle_ptrace(child, request)) {
49934 + goto out_put_task_struct;
49937 if (request == PTRACE_ATTACH) {
49938 ret = ptrace_attach(child);
49940 * Some architectures need to do book-keeping after
49945 arch_ptrace_attach(child);
49946 + gr_audit_ptrace(child);
49948 goto out_put_task_struct;
49951 diff -urNp linux-2.6.35.7/kernel/rcutree.c linux-2.6.35.7/kernel/rcutree.c
49952 --- linux-2.6.35.7/kernel/rcutree.c 2010-08-26 19:47:12.000000000 -0400
49953 +++ linux-2.6.35.7/kernel/rcutree.c 2010-09-17 20:12:09.000000000 -0400
49954 @@ -1356,7 +1356,7 @@ __rcu_process_callbacks(struct rcu_state
49956 * Do softirq processing for the current CPU.
49958 -static void rcu_process_callbacks(struct softirq_action *unused)
49959 +static void rcu_process_callbacks(void)
49962 * Memory references from any prior RCU read-side critical sections
49963 diff -urNp linux-2.6.35.7/kernel/resource.c linux-2.6.35.7/kernel/resource.c
49964 --- linux-2.6.35.7/kernel/resource.c 2010-08-26 19:47:12.000000000 -0400
49965 +++ linux-2.6.35.7/kernel/resource.c 2010-09-17 20:12:37.000000000 -0400
49966 @@ -133,8 +133,18 @@ static const struct file_operations proc
49968 static int __init ioresources_init(void)
49970 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49971 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49972 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
49973 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
49974 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49975 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
49976 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
49979 proc_create("ioports", 0, NULL, &proc_ioports_operations);
49980 proc_create("iomem", 0, NULL, &proc_iomem_operations);
49984 __initcall(ioresources_init);
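Review bot: Under `CONFIG_GRKERNSEC_PROC_ADD`, `ioports` and `iomem` are created only in the `CONFIG_GRKERNSEC_PROC_USER` and `CONFIG_GRKERNSEC_PROC_USERGROUP` branches. The two lines missing from this listing before the unrestricted `proc_create` calls are presumably `#endif` and `#else`, so there seems to be no inner `#else`. If PROC_ADD can be selected without either option, neither file would be registered; if Kconfig forbids that, add a comment saying so or an inner `#else` with `#error`. The ladder also repeats each `proc_create` call per mode, while init_timer_list_procfs later in this patch uses a bare `0400` under the same option; selecting the mode once in a local macro would keep these sites consistent.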
49985 diff -urNp linux-2.6.35.7/kernel/rtmutex.c linux-2.6.35.7/kernel/rtmutex.c
49986 --- linux-2.6.35.7/kernel/rtmutex.c 2010-08-26 19:47:12.000000000 -0400
49987 +++ linux-2.6.35.7/kernel/rtmutex.c 2010-10-11 22:41:44.000000000 -0400
49988 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
49990 raw_spin_lock_irqsave(&pendowner->pi_lock, flags);
49992 - WARN_ON(!pendowner->pi_blocked_on);
49993 + BUG_ON(!pendowner->pi_blocked_on);
49994 WARN_ON(pendowner->pi_blocked_on != waiter);
49995 WARN_ON(pendowner->pi_blocked_on->lock != lock);
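Review bot: `BUG_ON(!pendowner->pi_blocked_on)` now raises a BUG while `pendowner->pi_lock` is held with interrupts disabled (taken by `raw_spin_lock_irqsave` just above), and nothing explains why a warning was no longer enough. The third check dereferences `pendowner->pi_blocked_on->lock`, so a NULL here would fault on that line anyway. A comment would document the escalation, e.g. `/* NULL would be dereferenced two lines below; stop here with a clear report */`. wakeup_next_waiter() continues outside the hunk.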
49997 diff -urNp linux-2.6.35.7/kernel/sched.c linux-2.6.35.7/kernel/sched.c
49998 --- linux-2.6.35.7/kernel/sched.c 2010-09-26 17:32:11.000000000 -0400
49999 +++ linux-2.6.35.7/kernel/sched.c 2010-10-11 22:41:44.000000000 -0400
50000 @@ -4266,6 +4266,8 @@ int can_nice(const struct task_struct *p
50001 /* convert nice value [19,-20] to rlimit style value [1,40] */
50002 int nice_rlim = 20 - nice;
50004 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
50006 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
50007 capable(CAP_SYS_NICE));
50009 @@ -4299,7 +4301,8 @@ SYSCALL_DEFINE1(nice, int, increment)
50013 - if (increment < 0 && !can_nice(current, nice))
50014 + if (increment < 0 && (!can_nice(current, nice) ||
50015 + gr_handle_chroot_nice()))
50016 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
50018 retval = security_task_setnice(current, nice);
50019 @@ -4446,6 +4449,7 @@ recheck:
50020 rlim_rtprio = task_rlimit(p, RLIMIT_RTPRIO);
50021 unlock_task_sighand(p, &flags);
50023 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
50024 /* can't set/change the rt policy */
50025 if (policy != p->policy && !rlim_rtprio)
50027 @@ -6588,7 +6592,7 @@ static void init_sched_groups_power(int
50031 - WARN_ON(!sd || !sd->groups);
50032 + BUG_ON(!sd || !sd->groups);
50034 if (cpu != group_first_cpu(sd->groups))
50036 diff -urNp linux-2.6.35.7/kernel/sched_fair.c linux-2.6.35.7/kernel/sched_fair.c
50037 --- linux-2.6.35.7/kernel/sched_fair.c 2010-08-26 19:47:12.000000000 -0400
50038 +++ linux-2.6.35.7/kernel/sched_fair.c 2010-09-17 20:12:09.000000000 -0400
50039 @@ -3390,7 +3390,7 @@ out:
50040 * In CONFIG_NO_HZ case, the idle load balance owner will do the
50041 * rebalancing for all the cpus for whom scheduler ticks are stopped.
50043 -static void run_rebalance_domains(struct softirq_action *h)
50044 +static void run_rebalance_domains(void)
50046 int this_cpu = smp_processor_id();
50047 struct rq *this_rq = cpu_rq(this_cpu);
50048 diff -urNp linux-2.6.35.7/kernel/signal.c linux-2.6.35.7/kernel/signal.c
50049 --- linux-2.6.35.7/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400
50050 +++ linux-2.6.35.7/kernel/signal.c 2010-09-17 20:20:18.000000000 -0400
50051 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
50053 int print_fatal_signals __read_mostly;
50055 -static void __user *sig_handler(struct task_struct *t, int sig)
50056 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
50058 return t->sighand->action[sig - 1].sa.sa_handler;
50061 -static int sig_handler_ignored(void __user *handler, int sig)
50062 +static int sig_handler_ignored(__sighandler_t handler, int sig)
50064 /* Is it explicitly or implicitly ignored? */
50065 return handler == SIG_IGN ||
50066 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
50067 static int sig_task_ignored(struct task_struct *t, int sig,
50068 int from_ancestor_ns)
50070 - void __user *handler;
50071 + __sighandler_t handler;
50073 handler = sig_handler(t, sig);
50075 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
50076 atomic_inc(&user->sigpending);
50079 + if (!override_rlimit)
50080 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
50082 if (override_rlimit ||
50083 atomic_read(&user->sigpending) <=
50084 task_rlimit(t, RLIMIT_SIGPENDING)) {
50085 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
50087 int unhandled_signal(struct task_struct *tsk, int sig)
50089 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
50090 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
50091 if (is_global_init(tsk))
50093 if (handler != SIG_IGN && handler != SIG_DFL)
50094 @@ -705,6 +705,10 @@ static int check_kill_permission(int sig
50095 sig, info, t, vx_task_xid(t), t->pid, current->xid);
50099 + if (gr_handle_signal(t, sig))
50103 return security_task_kill(t, info, sig, 0);
50105 @@ -1025,7 +1031,7 @@ __group_send_sig_info(int sig, struct si
50106 return send_signal(sig, info, p, 1);
50111 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
50113 return send_signal(sig, info, t, 0);
50114 @@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo *
50115 ret = specific_send_sig_info(sig, info, t);
50116 spin_unlock_irqrestore(&t->sighand->siglock, flags);
50118 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
50119 + gr_handle_crash(t, sig);
50124 @@ -1136,8 +1145,11 @@ int group_send_sig_info(int sig, struct
50125 ret = check_kill_permission(sig, info, p);
50129 + if (!ret && sig) {
50130 ret = do_send_sig_info(sig, info, p, true);
50132 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
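Review bot: `info->si_addr` is passed to `gr_log_signal` for every signal that reaches this point, but `si_addr` is only meaningful for fault-type signals. For a signal sent by kill() the same union storage holds the sender's pid and uid, so the logged address would be those bytes reinterpreted as a pointer. `gr_log_signal` is not defined in this section and may already ignore the argument for non-fault signals. If it does not, pass NULL unless `sig` is one of the fault signals, so the audit record does not carry a misleading address. The force_sig_info hunk above uses the same expression.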
50137 diff -urNp linux-2.6.35.7/kernel/smp.c linux-2.6.35.7/kernel/smp.c
50138 --- linux-2.6.35.7/kernel/smp.c 2010-08-26 19:47:12.000000000 -0400
50139 +++ linux-2.6.35.7/kernel/smp.c 2010-09-17 20:12:09.000000000 -0400
50140 @@ -499,22 +499,22 @@ int smp_call_function(void (*func)(void
50142 EXPORT_SYMBOL(smp_call_function);
50144 -void ipi_call_lock(void)
50145 +void ipi_call_lock(void) __acquires(call_function.lock)
50147 raw_spin_lock(&call_function.lock);
50150 -void ipi_call_unlock(void)
50151 +void ipi_call_unlock(void) __releases(call_function.lock)
50153 raw_spin_unlock(&call_function.lock);
50156 -void ipi_call_lock_irq(void)
50157 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
50159 raw_spin_lock_irq(&call_function.lock);
50162 -void ipi_call_unlock_irq(void)
50163 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
50165 raw_spin_unlock_irq(&call_function.lock);
50167 diff -urNp linux-2.6.35.7/kernel/softirq.c linux-2.6.35.7/kernel/softirq.c
50168 --- linux-2.6.35.7/kernel/softirq.c 2010-08-26 19:47:12.000000000 -0400
50169 +++ linux-2.6.35.7/kernel/softirq.c 2010-09-17 20:12:09.000000000 -0400
50170 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
50172 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
50174 -char *softirq_to_name[NR_SOFTIRQS] = {
50175 +const char * const softirq_to_name[NR_SOFTIRQS] = {
50176 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
50177 "TASKLET", "SCHED", "HRTIMER", "RCU"
50179 @@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
50181 asmlinkage void __do_softirq(void)
50183 - struct softirq_action *h;
50184 + const struct softirq_action *h;
50186 int max_restart = MAX_SOFTIRQ_RESTART;
50188 @@ -216,7 +216,7 @@ restart:
50189 kstat_incr_softirqs_this_cpu(h - softirq_vec);
50191 trace_softirq_entry(h, softirq_vec);
50194 trace_softirq_exit(h, softirq_vec);
50195 if (unlikely(prev_count != preempt_count())) {
50196 printk(KERN_ERR "huh, entered softirq %td %s %p"
50197 @@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
50198 local_irq_restore(flags);
50201 -void open_softirq(int nr, void (*action)(struct softirq_action *))
50202 +void open_softirq(int nr, void (*action)(void))
50204 softirq_vec[nr].action = action;
50206 @@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
50208 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
50210 -static void tasklet_action(struct softirq_action *a)
50211 +static void tasklet_action(void)
50213 struct tasklet_struct *list;
50215 @@ -431,7 +431,7 @@ static void tasklet_action(struct softir
50219 -static void tasklet_hi_action(struct softirq_action *a)
50220 +static void tasklet_hi_action(void)
50222 struct tasklet_struct *list;
50224 diff -urNp linux-2.6.35.7/kernel/sys.c linux-2.6.35.7/kernel/sys.c
50225 --- linux-2.6.35.7/kernel/sys.c 2010-09-26 17:32:11.000000000 -0400
50226 +++ linux-2.6.35.7/kernel/sys.c 2010-09-26 17:32:50.000000000 -0400
50227 @@ -134,6 +134,12 @@ static int set_one_prio(struct task_stru
50232 + if (gr_handle_chroot_setpriority(p, niceval)) {
50237 no_nice = security_task_setnice(p, niceval);
50240 @@ -511,6 +517,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
50244 + if (gr_check_group_change(new->gid, new->egid, -1))
50247 if (rgid != (gid_t) -1 ||
50248 (egid != (gid_t) -1 && egid != old->gid))
50249 new->sgid = new->egid;
50250 @@ -540,6 +549,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
50251 old = current_cred();
50255 + if (gr_check_group_change(gid, gid, gid))
50258 if (capable(CAP_SETGID))
50259 new->gid = new->egid = new->sgid = new->fsgid = gid;
50260 else if (gid == old->gid || gid == old->sgid)
50261 @@ -620,6 +633,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
50265 + if (gr_check_user_change(new->uid, new->euid, -1))
50268 if (new->uid != old->uid) {
50269 retval = set_user(new);
50271 @@ -664,6 +680,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
50272 old = current_cred();
50276 + if (gr_check_crash_uid(uid))
50278 + if (gr_check_user_change(uid, uid, uid))
50281 if (capable(CAP_SETUID)) {
50282 new->suid = new->uid = uid;
50283 if (uid != old->uid) {
50284 @@ -718,6 +740,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
50288 + if (gr_check_user_change(ruid, euid, -1))
50291 if (ruid != (uid_t) -1) {
50293 if (ruid != old->uid) {
50294 @@ -782,6 +807,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
50298 + if (gr_check_group_change(rgid, egid, -1))
50301 if (rgid != (gid_t) -1)
50303 if (egid != (gid_t) -1)
50304 @@ -828,6 +856,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
50305 old = current_cred();
50306 old_fsuid = old->fsuid;
50308 + if (gr_check_user_change(-1, -1, uid))
50311 if (uid == old->uid || uid == old->euid ||
50312 uid == old->suid || uid == old->fsuid ||
50313 capable(CAP_SETUID)) {
50314 @@ -838,6 +869,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
50322 @@ -864,12 +896,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
50323 if (gid == old->gid || gid == old->egid ||
50324 gid == old->sgid || gid == old->fsgid ||
50325 capable(CAP_SETGID)) {
50326 + if (gr_check_group_change(-1, -1, gid))
50329 if (gid != old_fsgid) {
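Review bot: In setfsgid the test `gr_check_group_change(-1, -1, gid)` sits inside the `if (... || capable(CAP_SETGID))` branch, while the setfsuid hunk above puts `gr_check_user_change(-1, -1, uid)` before the corresponding condition. The two paths therefore evaluate `capable()` and the grsecurity check in opposite order, which matters if either call logs or has other side effects. Unless the difference is deliberate, I would place both checks the same way, or add a comment explaining why they differ. The statements after each check are missing from this listing.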
50339 @@ -1493,7 +1529,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
50340 error = get_dumpable(me->mm);
50342 case PR_SET_DUMPABLE:
50343 - if (arg2 < 0 || arg2 > 1) {
50348 diff -urNp linux-2.6.35.7/kernel/sysctl.c linux-2.6.35.7/kernel/sysctl.c
50349 --- linux-2.6.35.7/kernel/sysctl.c 2010-08-26 19:47:12.000000000 -0400
50350 +++ linux-2.6.35.7/kernel/sysctl.c 2010-10-11 22:41:44.000000000 -0400
50354 #if defined(CONFIG_SYSCTL)
50355 +#include <linux/grsecurity.h>
50356 +#include <linux/grinternal.h>
50358 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
50359 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
50361 +extern int gr_handle_chroot_sysctl(const int op);
50363 /* External variables not in a header file. */
50364 extern int sysctl_overcommit_memory;
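Review bot: The `extern` prototypes for `gr_handle_sysctl`, `gr_handle_sysctl_mod` and `gr_handle_chroot_sysctl` are declared in this .c file right after `<linux/grsecurity.h>` and `<linux/grinternal.h>` are included. A prototype kept outside a shared header is not checked against the definition, so a later change to one of these access-control hooks' signatures would still compile here. I would move them into one of those two headers. The same applies to `extern struct ctl_table grsecurity_table[];` in the next hunk and to `extern int gr_is_taskstats_denied(int pid);` in kernel/taskstats.c.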
50365 @@ -185,6 +192,7 @@ static int sysrq_sysctl_handler(ctl_tabl
50369 +extern struct ctl_table grsecurity_table[];
50371 static struct ctl_table root_table[];
50372 static struct ctl_table_root sysctl_table_root;
50373 @@ -217,6 +225,20 @@ extern struct ctl_table epoll_table[];
50374 int sysctl_legacy_va_layout;
50377 +#ifdef CONFIG_PAX_SOFTMODE
50378 +static ctl_table pax_table[] = {
50380 + .procname = "softmode",
50381 + .data = &pax_softmode,
50382 + .maxlen = sizeof(unsigned int),
50384 + .proc_handler = &proc_dointvec,
50391 /* The default sysctl tables: */
50393 static struct ctl_table root_table[] = {
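Review bot: `pax_softmode` is exposed through `proc_dointvec` with no bounds, so any integer, including a negative one, can be written to what is, by its name, presumably an on/off switch. Using `proc_dointvec_minmax` with `.extra1`/`.extra2` limiting it to 0..1 would make the accepted values explicit. The entry also writes `&proc_dointvec`, whereas the `heap_stack_gap` entry added further down names its handler without `&`; one form should be used throughout. The `.mode` line is missing from this listing, so confirm that the entry is writable by root only.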
50394 @@ -269,6 +291,22 @@ static int max_extfrag_threshold = 1000;
50397 static struct ctl_table kern_table[] = {
50398 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
50400 + .procname = "grsecurity",
50402 + .child = grsecurity_table,
50406 +#ifdef CONFIG_PAX_SOFTMODE
50408 + .procname = "pax",
50410 + .child = pax_table,
50415 .procname = "sched_child_runs_first",
50416 .data = &sysctl_sched_child_runs_first,
50417 @@ -1171,6 +1209,13 @@ static struct ctl_table vm_table[] = {
50418 .proc_handler = proc_dointvec_minmax,
50422 + .procname = "heap_stack_gap",
50423 + .data = &sysctl_heap_stack_gap,
50424 + .maxlen = sizeof(sysctl_heap_stack_gap),
50426 + .proc_handler = proc_doulongvec_minmax,
50430 .procname = "nr_trim_pages",
50431 @@ -1686,6 +1731,16 @@ int sysctl_perm(struct ctl_table_root *r
50435 + if (table->parent != NULL && table->parent->procname != NULL &&
50436 + table->procname != NULL &&
50437 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
50439 + if (gr_handle_chroot_sysctl(op))
50441 + error = gr_handle_sysctl(table, op);
50445 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
50448 @@ -2201,6 +2256,8 @@ static int proc_put_long(void __user **b
50452 + if (len > sizeof(tmp))
50453 + len = sizeof(tmp);
50454 if (copy_to_user(*buf, tmp, len))
50457 @@ -2486,7 +2543,7 @@ static int __do_proc_doulongvec_minmax(v
50461 - for (; left && vleft--; i++, min++, max++, first=0) {
50462 + for (; left && vleft--; i++, first=0) {
50466 @@ -2506,8 +2563,11 @@ static int __do_proc_doulongvec_minmax(v
50469 val = convdiv * (*i) / convmul;
50472 err = proc_put_char(&buffer, &left, '\t');
50476 err = proc_put_long(&buffer, &left, val, false);
50479 diff -urNp linux-2.6.35.7/kernel/taskstats.c linux-2.6.35.7/kernel/taskstats.c
50480 --- linux-2.6.35.7/kernel/taskstats.c 2010-08-26 19:47:12.000000000 -0400
50481 +++ linux-2.6.35.7/kernel/taskstats.c 2010-09-17 20:12:37.000000000 -0400
50483 #include <linux/cgroup.h>
50484 #include <linux/fs.h>
50485 #include <linux/file.h>
50486 +#include <linux/grsecurity.h>
50487 #include <net/genetlink.h>
50488 #include <asm/atomic.h>
50490 +extern int gr_is_taskstats_denied(int pid);
50493 * Maximum length of a cpumask that can be specified in
50494 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
50495 @@ -432,6 +435,9 @@ static int taskstats_user_cmd(struct sk_
50497 cpumask_var_t mask;
50499 + if (gr_is_taskstats_denied(current->pid))
50502 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
50505 diff -urNp linux-2.6.35.7/kernel/time/tick-broadcast.c linux-2.6.35.7/kernel/time/tick-broadcast.c
50506 --- linux-2.6.35.7/kernel/time/tick-broadcast.c 2010-08-26 19:47:12.000000000 -0400
50507 +++ linux-2.6.35.7/kernel/time/tick-broadcast.c 2010-09-17 20:12:09.000000000 -0400
50508 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
50509 * then clear the broadcast bit.
50511 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
50512 - int cpu = smp_processor_id();
50513 + cpu = smp_processor_id();
50515 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
50516 tick_broadcast_clear_oneshot(cpu);
50517 diff -urNp linux-2.6.35.7/kernel/time/timer_list.c linux-2.6.35.7/kernel/time/timer_list.c
50518 --- linux-2.6.35.7/kernel/time/timer_list.c 2010-08-26 19:47:12.000000000 -0400
50519 +++ linux-2.6.35.7/kernel/time/timer_list.c 2010-09-17 20:12:37.000000000 -0400
50520 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
50522 static void print_name_offset(struct seq_file *m, void *sym)
50524 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50525 + SEQ_printf(m, "<%p>", NULL);
50527 char symname[KSYM_NAME_LEN];
50529 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
50530 SEQ_printf(m, "<%p>", sym);
50532 SEQ_printf(m, "%s", symname);
50537 @@ -112,7 +116,11 @@ next_one:
50539 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
50541 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50542 + SEQ_printf(m, " .base: %p\n", NULL);
50544 SEQ_printf(m, " .base: %p\n", base);
50546 SEQ_printf(m, " .index: %d\n",
50548 SEQ_printf(m, " .resolution: %Lu nsecs\n",
50549 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
50551 struct proc_dir_entry *pe;
50553 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50554 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
50556 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
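Review bot: The `proc_create("timer_list", ...)` call is duplicated across the `CONFIG_GRKERNSEC_PROC_ADD` branches only to change the mode from 0444 to 0400, and the init_tstats_procfs hunk in kernel/time/timer_stats.c repeats the pattern (0644 to 0600). Selecting the mode once keeps the two branches from drifting apart: define a mode macro under the `#ifdef` (name is a suggestion, e.g. `TIMER_LIST_MODE`) and keep a single `pe = proc_create("timer_list", TIMER_LIST_MODE, NULL, &timer_list_fops);`. A one-line comment that the file prints timer base addresses and callback symbols (see print_base and print_name_offset above), and is therefore owner-only, would record why the mode is tightened.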
50561 diff -urNp linux-2.6.35.7/kernel/time/timer_stats.c linux-2.6.35.7/kernel/time/timer_stats.c
50562 --- linux-2.6.35.7/kernel/time/timer_stats.c 2010-08-26 19:47:12.000000000 -0400
50563 +++ linux-2.6.35.7/kernel/time/timer_stats.c 2010-09-17 20:12:37.000000000 -0400
50564 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
50566 static void print_name_offset(struct seq_file *m, unsigned long addr)
50568 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50569 + seq_printf(m, "<%p>", NULL);
50571 char symname[KSYM_NAME_LEN];
50573 if (lookup_symbol_name(addr, symname) < 0)
50574 seq_printf(m, "<%p>", (void *)addr);
50576 seq_printf(m, "%s", symname);
50580 static int tstats_show(struct seq_file *m, void *v)
50581 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
50583 struct proc_dir_entry *pe;
50585 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50586 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
50588 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
50593 diff -urNp linux-2.6.35.7/kernel/time.c linux-2.6.35.7/kernel/time.c
50594 --- linux-2.6.35.7/kernel/time.c 2010-08-26 19:47:12.000000000 -0400
50595 +++ linux-2.6.35.7/kernel/time.c 2010-09-17 20:12:37.000000000 -0400
50596 @@ -93,6 +93,9 @@ SYSCALL_DEFINE1(stime, time_t __user *,
50599 vx_settimeofday(&tv);
50601 + gr_log_timechange();
50606 @@ -200,6 +203,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
50610 + gr_log_timechange();
50612 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
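Review bot: In the settimeofday hunk `gr_log_timechange()` runs before `do_sys_settimeofday()`, so the audit record is written even when that call returns an error and the clock is left unchanged; the stime hunk above logs after the time has been set. If the entry is meant to record an actual change, log on success only: `ret = do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);`, `if (!ret) gr_log_timechange();`, `return ret;` (with a local `int ret`). If logging attempts is the intent, a comment should say so, because someone reading the log during an investigation will otherwise treat every entry as a completed clock change.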
50615 @@ -238,7 +243,7 @@ EXPORT_SYMBOL(current_fs_time);
50616 * Avoid unnecessary multiplications/divisions in the
50617 * two most common HZ cases:
50619 -unsigned int inline jiffies_to_msecs(const unsigned long j)
50620 +inline unsigned int jiffies_to_msecs(const unsigned long j)
50622 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
50623 return (MSEC_PER_SEC / HZ) * j;
50624 @@ -254,7 +259,7 @@ unsigned int inline jiffies_to_msecs(con
50626 EXPORT_SYMBOL(jiffies_to_msecs);
50628 -unsigned int inline jiffies_to_usecs(const unsigned long j)
50629 +inline unsigned int jiffies_to_usecs(const unsigned long j)
50631 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
50632 return (USEC_PER_SEC / HZ) * j;
50633 diff -urNp linux-2.6.35.7/kernel/timer.c linux-2.6.35.7/kernel/timer.c
50634 --- linux-2.6.35.7/kernel/timer.c 2010-08-26 19:47:12.000000000 -0400
50635 +++ linux-2.6.35.7/kernel/timer.c 2010-09-17 20:12:09.000000000 -0400
50636 @@ -1272,7 +1272,7 @@ void update_process_times(int user_tick)
50638 * This function runs timers and the timer-tq in bottom half context.
50640 -static void run_timer_softirq(struct softirq_action *h)
50641 +static void run_timer_softirq(void)
50643 struct tvec_base *base = __get_cpu_var(tvec_bases);
50645 diff -urNp linux-2.6.35.7/kernel/trace/ftrace.c linux-2.6.35.7/kernel/trace/ftrace.c
50646 --- linux-2.6.35.7/kernel/trace/ftrace.c 2010-09-20 17:33:09.000000000 -0400
50647 +++ linux-2.6.35.7/kernel/trace/ftrace.c 2010-09-20 17:33:37.000000000 -0400
50648 @@ -1108,13 +1108,18 @@ ftrace_code_disable(struct module *mod,
50652 + ret = ftrace_arch_code_modify_prepare();
50653 + FTRACE_WARN_ON(ret);
50657 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
50658 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
50660 ftrace_bug(ret, ip);
50661 rec->flags |= FTRACE_FL_FAILED;
50665 + return ret ? 0 : 1;
50669 diff -urNp linux-2.6.35.7/kernel/trace/ring_buffer.c linux-2.6.35.7/kernel/trace/ring_buffer.c
50670 --- linux-2.6.35.7/kernel/trace/ring_buffer.c 2010-08-26 19:47:12.000000000 -0400
50671 +++ linux-2.6.35.7/kernel/trace/ring_buffer.c 2010-09-17 20:12:09.000000000 -0400
50672 @@ -635,7 +635,7 @@ static struct list_head *rb_list_head(st
50673 * the reader page). But if the next page is a header page,
50674 * its flags will be non zero.
50678 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
50679 struct buffer_page *page, struct list_head *list)
50681 diff -urNp linux-2.6.35.7/kernel/trace/trace.c linux-2.6.35.7/kernel/trace/trace.c
50682 --- linux-2.6.35.7/kernel/trace/trace.c 2010-08-26 19:47:12.000000000 -0400
50683 +++ linux-2.6.35.7/kernel/trace/trace.c 2010-09-17 20:12:09.000000000 -0400
50684 @@ -3965,10 +3965,9 @@ static const struct file_operations trac
50688 -static struct dentry *d_tracer;
50690 struct dentry *tracing_init_dentry(void)
50692 + static struct dentry *d_tracer;
50696 @@ -3988,10 +3987,9 @@ struct dentry *tracing_init_dentry(void)
50700 -static struct dentry *d_percpu;
50702 struct dentry *tracing_dentry_percpu(void)
50704 + static struct dentry *d_percpu;
50706 struct dentry *d_tracer;
50708 diff -urNp linux-2.6.35.7/kernel/trace/trace_output.c linux-2.6.35.7/kernel/trace/trace_output.c
50709 --- linux-2.6.35.7/kernel/trace/trace_output.c 2010-08-26 19:47:12.000000000 -0400
50710 +++ linux-2.6.35.7/kernel/trace/trace_output.c 2010-09-17 20:12:09.000000000 -0400
50711 @@ -281,7 +281,7 @@ int trace_seq_path(struct trace_seq *s,
50713 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
50715 - p = mangle_path(s->buffer + s->len, p, "\n");
50716 + p = mangle_path(s->buffer + s->len, p, "\n\\");
50718 s->len = p - s->buffer;
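Review bot: The widened escape set `"\n\\"` passed to mangle_path() has no comment explaining why the backslash is now escaped. As I understand mangle_path(), it writes escaped characters as backslash-octal sequences, so a path that literally contains `\012` could not be told apart from an escaped newline in the trace output; escaping the backslash itself makes the encoding unambiguous. Suggested comment above the call: `/* escape '\\' too, so a literal "\012" in a name cannot pass for an escaped newline */`. trace_seq_path() starts and ends outside the hunk.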
50720 diff -urNp linux-2.6.35.7/kernel/trace/trace_stack.c linux-2.6.35.7/kernel/trace/trace_stack.c
50721 --- linux-2.6.35.7/kernel/trace/trace_stack.c 2010-08-26 19:47:12.000000000 -0400
50722 +++ linux-2.6.35.7/kernel/trace/trace_stack.c 2010-09-17 20:12:09.000000000 -0400
50723 @@ -50,7 +50,7 @@ static inline void check_stack(void)
50726 /* we do not handle interrupt stacks yet */
50727 - if (!object_is_on_stack(&this_size))
50728 + if (!object_starts_on_stack(&this_size))
50731 local_irq_save(flags);
50732 diff -urNp linux-2.6.35.7/lib/bug.c linux-2.6.35.7/lib/bug.c
50733 --- linux-2.6.35.7/lib/bug.c 2010-08-26 19:47:12.000000000 -0400
50734 +++ linux-2.6.35.7/lib/bug.c 2010-09-17 20:12:09.000000000 -0400
50735 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
50736 return BUG_TRAP_TYPE_NONE;
50738 bug = find_bug(bugaddr);
50740 + return BUG_TRAP_TYPE_NONE;
50742 printk(KERN_EMERG "------------[ cut here ]------------\n");
50744 diff -urNp linux-2.6.35.7/lib/debugobjects.c linux-2.6.35.7/lib/debugobjects.c
50745 --- linux-2.6.35.7/lib/debugobjects.c 2010-08-26 19:47:12.000000000 -0400
50746 +++ linux-2.6.35.7/lib/debugobjects.c 2010-09-17 20:12:09.000000000 -0400
50747 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
50751 - is_on_stack = object_is_on_stack(addr);
50752 + is_on_stack = object_starts_on_stack(addr);
50753 if (is_on_stack == onstack)
50756 diff -urNp linux-2.6.35.7/lib/dma-debug.c linux-2.6.35.7/lib/dma-debug.c
50757 --- linux-2.6.35.7/lib/dma-debug.c 2010-08-26 19:47:12.000000000 -0400
50758 +++ linux-2.6.35.7/lib/dma-debug.c 2010-09-17 20:12:09.000000000 -0400
50759 @@ -861,7 +861,7 @@ out:
50761 static void check_for_stack(struct device *dev, void *addr)
50763 - if (object_is_on_stack(addr))
50764 + if (object_starts_on_stack(addr))
50765 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
50766 "stack [addr=%p]\n", addr);
50768 diff -urNp linux-2.6.35.7/lib/inflate.c linux-2.6.35.7/lib/inflate.c
50769 --- linux-2.6.35.7/lib/inflate.c 2010-08-26 19:47:12.000000000 -0400
50770 +++ linux-2.6.35.7/lib/inflate.c 2010-09-17 20:12:09.000000000 -0400
50771 @@ -267,7 +267,7 @@ static void free(void *where)
50772 malloc_ptr = free_mem_ptr;
50775 -#define malloc(a) kmalloc(a, GFP_KERNEL)
50776 +#define malloc(a) kmalloc((a), GFP_KERNEL)
50777 #define free(a) kfree(a)
50780 diff -urNp linux-2.6.35.7/lib/Kconfig.debug linux-2.6.35.7/lib/Kconfig.debug
50781 --- linux-2.6.35.7/lib/Kconfig.debug 2010-08-26 19:47:12.000000000 -0400
50782 +++ linux-2.6.35.7/lib/Kconfig.debug 2010-09-17 20:12:37.000000000 -0400
50783 @@ -970,7 +970,7 @@ config LATENCYTOP
50787 - depends on HAVE_LATENCYTOP_SUPPORT
50788 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
50790 Enable this option if you want to use the LatencyTOP tool
50791 to find out which userspace is blocking on what kernel operations.
50792 diff -urNp linux-2.6.35.7/lib/kref.c linux-2.6.35.7/lib/kref.c
50793 --- linux-2.6.35.7/lib/kref.c 2010-08-26 19:47:12.000000000 -0400
50794 +++ linux-2.6.35.7/lib/kref.c 2010-10-11 22:41:44.000000000 -0400
50795 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
50797 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
50799 - WARN_ON(release == NULL);
50800 + BUG_ON(release == NULL);
50801 WARN_ON(release == (void (*)(struct kref *))kfree);
50803 if (atomic_dec_and_test(&kref->refcount)) {
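Review bot: The escalation from `WARN_ON` to `BUG_ON(release == NULL)` in kref_put() is not explained, and the neighbouring check against `kfree` stays a warning. A NULL `release` would presumably be called once the count reaches zero (the body of the `atomic_dec_and_test` branch is outside the hunk), which is a call through address 0, so stopping early is defensible; say so in place: `/* a NULL release would be called when the refcount hits zero; fail hard instead */`. The changelog should also note that a caller bug which used to be survivable while other references remained now stops the kernel at the first kref_put().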
50804 diff -urNp linux-2.6.35.7/lib/parser.c linux-2.6.35.7/lib/parser.c
50805 --- linux-2.6.35.7/lib/parser.c 2010-08-26 19:47:12.000000000 -0400
50806 +++ linux-2.6.35.7/lib/parser.c 2010-09-17 20:12:09.000000000 -0400
50807 @@ -129,7 +129,7 @@ static int match_number(substring_t *s,
50811 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
50812 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
50815 memcpy(buf, s->from, s->to - s->from);
50816 diff -urNp linux-2.6.35.7/lib/radix-tree.c linux-2.6.35.7/lib/radix-tree.c
50817 --- linux-2.6.35.7/lib/radix-tree.c 2010-08-26 19:47:12.000000000 -0400
50818 +++ linux-2.6.35.7/lib/radix-tree.c 2010-09-17 20:12:09.000000000 -0400
50819 @@ -80,7 +80,7 @@ struct radix_tree_preload {
50821 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
50823 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
50824 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
50826 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
50828 diff -urNp linux-2.6.35.7/lib/vsprintf.c linux-2.6.35.7/lib/vsprintf.c
50829 --- linux-2.6.35.7/lib/vsprintf.c 2010-08-26 19:47:12.000000000 -0400
50830 +++ linux-2.6.35.7/lib/vsprintf.c 2010-09-22 19:19:27.000000000 -0400
50831 @@ -990,7 +990,7 @@ char *pointer(const char *fmt, char *buf
50832 struct printf_spec spec)
50835 - return string(buf, end, "(null)", spec);
50836 + return string(buf, end, "(nil)", spec);
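Review bot: Changing the text printed for a NULL `%p` from `(null)` to `(nil)` in pointer() alters output that reaches userspace through procfs, sysfs and the kernel log, and the hunk gives no reason for it. Anything that matches the old string (log parsers, detection rules, test expectations) stops matching, and `%s` with a NULL argument presumably still prints `(null)`, so the two conventions now differ. Within this patch the HIDESYM branches that print `"<%p>", NULL` in kernel/time/timer_list.c and timer_stats.c would then emit `<(nil)>`. A comment at the return, e.g. `/* NULL prints as "(nil)" for %p; user-visible */`, plus a changelog line would make the change discoverable.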
50840 diff -urNp linux-2.6.35.7/localversion-grsec linux-2.6.35.7/localversion-grsec
50841 --- linux-2.6.35.7/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
50842 +++ linux-2.6.35.7/localversion-grsec 2010-09-17 20:12:37.000000000 -0400
50845 diff -urNp linux-2.6.35.7/Makefile linux-2.6.35.7/Makefile
50846 --- linux-2.6.35.7/Makefile 2010-09-28 17:23:57.000000000 -0400
50847 +++ linux-2.6.35.7/Makefile 2010-10-02 11:43:45.000000000 -0400
50848 @@ -230,8 +230,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
50852 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
50853 -HOSTCXXFLAGS = -O2
50854 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
50855 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
50857 # Decide whether to build built-in, modular, or both.
50858 # Normally, just do built-in.
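Review bot: `-fno-delete-null-pointer-checks` is added here to `HOSTCFLAGS` and `HOSTCXXFLAGS`, which apply to programs compiled for and run on the build host, not to kernel objects. Read as a kernel hardening change this hunk does nothing; the kernel's own compiler flags are set elsewhere in the Makefile, outside the visible lines. A short comment prevents the misreading: `# host tools only; flags for kernel code are set in KBUILD_CFLAGS`. The added `-W` will also surface new warnings in host tools, which deserves a line in the changelog.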
50859 @@ -650,7 +650,7 @@ export mod_strip_cmd
50862 ifeq ($(KBUILD_EXTMOD),)
50863 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
50864 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
50866 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
50867 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
50868 diff -urNp linux-2.6.35.7/mm/bootmem.c linux-2.6.35.7/mm/bootmem.c
50869 --- linux-2.6.35.7/mm/bootmem.c 2010-08-26 19:47:12.000000000 -0400
50870 +++ linux-2.6.35.7/mm/bootmem.c 2010-09-17 20:12:09.000000000 -0400
50871 @@ -200,19 +200,30 @@ static void __init __free_pages_memory(u
50872 unsigned long __init free_all_memory_core_early(int nodeid)
50876 + u64 start, end, startrange, endrange;
50877 unsigned long count = 0;
50878 - struct range *range = NULL;
50879 + struct range *range = NULL, rangerange = { 0, 0 };
50882 nr_range = get_free_all_memory_range(&range, nodeid);
50883 + startrange = __pa(range) >> PAGE_SHIFT;
50884 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
50886 for (i = 0; i < nr_range; i++) {
50887 start = range[i].start;
50888 end = range[i].end;
50889 + if (start <= endrange && startrange < end) {
50890 + BUG_ON(rangerange.start | rangerange.end);
50891 + rangerange = range[i];
50894 count += end - start;
50895 __free_pages_memory(start, end);
50897 + start = rangerange.start;
50898 + end = rangerange.end;
50899 + count += end - start;
50900 + __free_pages_memory(start, end);
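Review bot: The new `rangerange` logic in free_all_memory_core_early() has no comment, and its purpose is not obvious from the code. As far as the hunk shows, the `range` array itself sits in memory covered by one of the ranges being freed, so that range is set aside in the loop and released only after the last `range[i]` read; state this above the `startrange`/`endrange` computation, e.g. `/* range[] lives inside free memory: free its own range last so the loop never reads freed pages */`. Two details deserve a line as well: `BUG_ON(rangerange.start | rangerange.end)` assumes the array overlaps exactly one range, and when no range overlaps the trailing `__free_pages_memory(start, end)` is called with 0, 0. The end of the function is not fully visible here.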
50904 diff -urNp linux-2.6.35.7/mm/filemap.c linux-2.6.35.7/mm/filemap.c
50905 --- linux-2.6.35.7/mm/filemap.c 2010-08-26 19:47:12.000000000 -0400
50906 +++ linux-2.6.35.7/mm/filemap.c 2010-09-17 20:12:37.000000000 -0400
50907 @@ -1640,7 +1640,7 @@ int generic_file_mmap(struct file * file
50908 struct address_space *mapping = file->f_mapping;
50910 if (!mapping->a_ops->readpage)
50913 file_accessed(file);
50914 vma->vm_ops = &generic_file_vm_ops;
50915 vma->vm_flags |= VM_CAN_NONLINEAR;
50916 @@ -2036,6 +2036,7 @@ inline int generic_write_checks(struct f
50917 *pos = i_size_read(inode);
50919 if (limit != RLIM_INFINITY) {
50920 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
50921 if (*pos >= limit) {
50922 send_sig(SIGXFSZ, current, 0);
50924 diff -urNp linux-2.6.35.7/mm/fremap.c linux-2.6.35.7/mm/fremap.c
50925 --- linux-2.6.35.7/mm/fremap.c 2010-08-26 19:47:12.000000000 -0400
50926 +++ linux-2.6.35.7/mm/fremap.c 2010-09-17 20:12:09.000000000 -0400
50927 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50929 vma = find_vma(mm, start);
50931 +#ifdef CONFIG_PAX_SEGMEXEC
50932 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
50937 * Make sure the vma is shared, that it supports prefaulting,
50938 * and that the remapped range is valid and fully within
50939 @@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50941 * drop PG_Mlocked flag for over-mapped range
50943 - unsigned int saved_flags = vma->vm_flags;
50944 + unsigned long saved_flags = vma->vm_flags;
50945 munlock_vma_pages_range(vma, start, start + size);
50946 vma->vm_flags = saved_flags;
50948 diff -urNp linux-2.6.35.7/mm/highmem.c linux-2.6.35.7/mm/highmem.c
50949 --- linux-2.6.35.7/mm/highmem.c 2010-08-26 19:47:12.000000000 -0400
50950 +++ linux-2.6.35.7/mm/highmem.c 2010-09-17 20:12:09.000000000 -0400
50951 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
50952 * So no dangers, even with speculative execution.
50954 page = pte_page(pkmap_page_table[i]);
50955 + pax_open_kernel();
50956 pte_clear(&init_mm, (unsigned long)page_address(page),
50957 &pkmap_page_table[i]);
50959 + pax_close_kernel();
50960 set_page_address(page, NULL);
50963 @@ -177,9 +178,11 @@ start:
50966 vaddr = PKMAP_ADDR(last_pkmap_nr);
50968 + pax_open_kernel();
50969 set_pte_at(&init_mm, vaddr,
50970 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
50972 + pax_close_kernel();
50973 pkmap_count[last_pkmap_nr] = 1;
50974 set_page_address(page, (void *)vaddr);
50976 diff -urNp linux-2.6.35.7/mm/hugetlb.c linux-2.6.35.7/mm/hugetlb.c
50977 --- linux-2.6.35.7/mm/hugetlb.c 2010-08-26 19:47:12.000000000 -0400
50978 +++ linux-2.6.35.7/mm/hugetlb.c 2010-09-17 20:12:09.000000000 -0400
50979 @@ -2272,6 +2272,26 @@ static int unmap_ref_private(struct mm_s
50983 +#ifdef CONFIG_PAX_SEGMEXEC
50984 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
50986 + struct mm_struct *mm = vma->vm_mm;
50987 + struct vm_area_struct *vma_m;
50988 + unsigned long address_m;
50991 + vma_m = pax_find_mirror_vma(vma);
50995 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50996 + address_m = address + SEGMEXEC_TASK_SIZE;
50997 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
50998 + get_page(page_m);
50999 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
51003 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
51004 unsigned long address, pte_t *ptep, pte_t pte,
51005 struct page *pagecache_page)
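Review bot: `pax_mirror_huge_pte()` hands the result of `huge_pte_offset()` straight to `set_huge_pte_at()` without checking it for NULL. The hugetlb_fault hunk further down calls `huge_pte_alloc()` on the mirror address first, which looks like the guarantee this relies on, but nothing in the function states or enforces it. Add `BUG_ON(!ptep_m);` after the lookup together with a comment naming the precondition, e.g. `/* mirror PTE was allocated by hugetlb_fault() before we get here */`. For consistency the lookup and the store should also receive the same address; the lookup uses `address_m & HPAGE_MASK` while `set_huge_pte_at()` gets the unmasked `address_m`.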
51006 @@ -2352,6 +2372,11 @@ retry_avoidcopy:
51007 huge_ptep_clear_flush(vma, address, ptep);
51008 set_huge_pte_at(mm, address, ptep,
51009 make_huge_pte(vma, new_page, 1));
51011 +#ifdef CONFIG_PAX_SEGMEXEC
51012 + pax_mirror_huge_pte(vma, address, new_page);
51015 /* Make the old page be freed below */
51016 new_page = old_page;
51018 @@ -2483,6 +2508,10 @@ retry:
51019 && (vma->vm_flags & VM_SHARED)));
51020 set_huge_pte_at(mm, address, ptep, new_pte);
51022 +#ifdef CONFIG_PAX_SEGMEXEC
51023 + pax_mirror_huge_pte(vma, address, page);
51026 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
51027 /* Optimization, do the COW without a second fault */
51028 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
51029 @@ -2511,6 +2540,28 @@ int hugetlb_fault(struct mm_struct *mm,
51030 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
51031 struct hstate *h = hstate_vma(vma);
51033 +#ifdef CONFIG_PAX_SEGMEXEC
51034 + struct vm_area_struct *vma_m;
51036 + vma_m = pax_find_mirror_vma(vma);
51038 + unsigned long address_m;
51040 + if (vma->vm_start > vma_m->vm_start) {
51041 + address_m = address;
51042 + address -= SEGMEXEC_TASK_SIZE;
51044 + h = hstate_vma(vma);
51046 + address_m = address + SEGMEXEC_TASK_SIZE;
51048 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
51049 + return VM_FAULT_OOM;
51050 + address_m &= HPAGE_MASK;
51051 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
51055 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
51057 return VM_FAULT_OOM;
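Review bot: The mirror handling added to hugetlb_fault() sizes the allocation with `huge_page_size(h)` but masks and unmaps with the compile-time `HPAGE_MASK` and `HPAGE_SIZE`. The two agree only for the default huge page size; using the hstate throughout keeps them consistent: `address_m &= huge_page_mask(h);` and `unmap_hugepage_range(vma, address_m, address_m + huge_page_size(h), NULL);`. Several lines of this block are not visible here, so whether `vma` already refers to the mapping that contains `address_m` at the unmap call should be confirmed against the full hunk.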
51058 diff -urNp linux-2.6.35.7/mm/Kconfig linux-2.6.35.7/mm/Kconfig
51059 --- linux-2.6.35.7/mm/Kconfig 2010-08-26 19:47:12.000000000 -0400
51060 +++ linux-2.6.35.7/mm/Kconfig 2010-09-17 20:12:37.000000000 -0400
51061 @@ -240,7 +240,7 @@ config KSM
51062 config DEFAULT_MMAP_MIN_ADDR
51063 int "Low address space to protect from user allocation"
51068 This is the portion of low virtual memory which should be protected
51069 from userspace allocation. Keeping a user from writing to low pages
51070 diff -urNp linux-2.6.35.7/mm/maccess.c linux-2.6.35.7/mm/maccess.c
51071 --- linux-2.6.35.7/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
51072 +++ linux-2.6.35.7/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
51073 @@ -15,10 +15,10 @@
51074 * happens, handle that and return -EFAULT.
51077 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
51078 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
51079 __attribute__((alias("__probe_kernel_read")));
51081 -long __probe_kernel_read(void *dst, void *src, size_t size)
51082 +long __probe_kernel_read(void *dst, const void *src, size_t size)
51085 mm_segment_t old_fs = get_fs();
51086 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
51087 * Safely write to address @dst from the buffer at @src. If a kernel fault
51088 * happens, handle that and return -EFAULT.
51090 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
51091 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
51092 __attribute__((alias("__probe_kernel_write")));
51094 -long __probe_kernel_write(void *dst, void *src, size_t size)
51095 +long __probe_kernel_write(void *dst, const void *src, size_t size)
51098 mm_segment_t old_fs = get_fs();
51099 diff -urNp linux-2.6.35.7/mm/madvise.c linux-2.6.35.7/mm/madvise.c
51100 --- linux-2.6.35.7/mm/madvise.c 2010-08-26 19:47:12.000000000 -0400
51101 +++ linux-2.6.35.7/mm/madvise.c 2010-09-17 20:12:09.000000000 -0400
51102 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
51104 unsigned long new_flags = vma->vm_flags;
51106 +#ifdef CONFIG_PAX_SEGMEXEC
51107 + struct vm_area_struct *vma_m;
51110 switch (behavior) {
51112 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
51113 @@ -104,6 +108,13 @@ success:
51115 * vm_flags is protected by the mmap_sem held in write mode.
51118 +#ifdef CONFIG_PAX_SEGMEXEC
51119 + vma_m = pax_find_mirror_vma(vma);
51121 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
51124 vma->vm_flags = new_flags;
51127 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
51128 struct vm_area_struct ** prev,
51129 unsigned long start, unsigned long end)
51132 +#ifdef CONFIG_PAX_SEGMEXEC
51133 + struct vm_area_struct *vma_m;
51137 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
51139 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
51140 zap_page_range(vma, start, end - start, &details);
51142 zap_page_range(vma, start, end - start, NULL);
51144 +#ifdef CONFIG_PAX_SEGMEXEC
51145 + vma_m = pax_find_mirror_vma(vma);
51147 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
51148 + struct zap_details details = {
51149 + .nonlinear_vma = vma_m,
51150 + .last_index = ULONG_MAX,
51152 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
51154 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
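Review bot: Both added `zap_page_range()` calls in madvise_dontneed() pass `vma` together with a start of `start + SEGMEXEC_TASK_SIZE`, an address inside the mirror mapping, while `details.nonlinear_vma` is set to `vma_m`. If that is intentional because the zap walks forward from the vma it is given, it needs a comment; otherwise the first argument should be the mirror: `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);`. The `VM_NONLINEAR` test likewise reads `vma->vm_flags` rather than the mirror's flags, which should be stated as deliberate if it is.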
51161 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
51165 +#ifdef CONFIG_PAX_SEGMEXEC
51166 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
51167 + if (end > SEGMEXEC_TASK_SIZE)
51172 + if (end > TASK_SIZE)
51178 diff -urNp linux-2.6.35.7/mm/memory.c linux-2.6.35.7/mm/memory.c
51179 --- linux-2.6.35.7/mm/memory.c 2010-09-26 17:32:11.000000000 -0400
51180 +++ linux-2.6.35.7/mm/memory.c 2010-10-11 22:41:44.000000000 -0400
51181 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
51184 pmd = pmd_offset(pud, start);
51186 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
51188 pmd_free_tlb(tlb, pmd, start);
51193 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
51194 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
51195 if (end - 1 > ceiling - 1)
51198 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
51199 pud = pud_offset(pgd, start);
51201 pud_free_tlb(tlb, pud, start);
51207 @@ -1363,10 +1370,10 @@ int __get_user_pages(struct task_struct
51208 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
51212 + while (nr_pages) {
51213 struct vm_area_struct *vma;
51215 - vma = find_extend_vma(mm, start);
51216 + vma = find_vma(mm, start);
51217 if (!vma && in_gate_area(tsk, start)) {
51218 unsigned long pg = start & PAGE_MASK;
51219 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
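Review bot: Replacing `find_extend_vma()` with `find_vma()` in __get_user_pages() changes behaviour for every caller and is not documented: an address just below a growable stack mapping no longer extends it and instead reaches the `-EFAULT` return. The change depends on the `start < vma->vm_start` test added in the next hunk, because `find_vma()` can return a mapping that begins above `start`; the two edits must stay together. A comment at the lookup would record this: `/* no implicit stack growth here; addresses below vm_start are rejected by the check below */`. The function begins and ends outside these hunks.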
51220 @@ -1418,7 +1425,7 @@ int __get_user_pages(struct task_struct
51225 + if (!vma || start < vma->vm_start ||
51226 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
51227 !(vm_flags & vma->vm_flags))
51228 return i ? : -EFAULT;
51229 @@ -1493,7 +1500,7 @@ int __get_user_pages(struct task_struct
51230 start += PAGE_SIZE;
51232 } while (nr_pages && start < vma->vm_end);
51233 - } while (nr_pages);
51238 @@ -2089,6 +2096,186 @@ static inline void cow_user_page(struct
51239 copy_user_highpage(dst, src, va, vma);
51242 +#ifdef CONFIG_PAX_SEGMEXEC
51243 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
51245 + struct mm_struct *mm = vma->vm_mm;
51247 + pte_t *pte, entry;
51249 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
51251 + if (!pte_present(entry)) {
51252 + if (!pte_none(entry)) {
51253 + BUG_ON(pte_file(entry));
51254 + free_swap_and_cache(pte_to_swp_entry(entry));
51255 + pte_clear_not_present_full(mm, address, pte, 0);
51258 + struct page *page;
51260 + flush_cache_page(vma, address, pte_pfn(entry));
51261 + entry = ptep_clear_flush(vma, address, pte);
51262 + BUG_ON(pte_dirty(entry));
51263 + page = vm_normal_page(vma, address, entry);
51265 + update_hiwater_rss(mm);
51266 + if (PageAnon(page))
51267 + dec_mm_counter_fast(mm, MM_ANONPAGES);
51269 + dec_mm_counter_fast(mm, MM_FILEPAGES);
51270 + page_remove_rmap(page);
51271 + page_cache_release(page);
51274 + pte_unmap_unlock(pte, ptl);
51277 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
51279 + * the ptl of the lower mapped page is held on entry and is not released on exit
51280 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
51282 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
51284 + struct mm_struct *mm = vma->vm_mm;
51285 + unsigned long address_m;
51286 + spinlock_t *ptl_m;
51287 + struct vm_area_struct *vma_m;
51289 + pte_t *pte_m, entry_m;
51291 + BUG_ON(!page_m || !PageAnon(page_m));
51293 + vma_m = pax_find_mirror_vma(vma);
51297 + BUG_ON(!PageLocked(page_m));
51298 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
51299 + address_m = address + SEGMEXEC_TASK_SIZE;
51300 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
51301 + pte_m = pte_offset_map_nested(pmd_m, address_m);
51302 + ptl_m = pte_lockptr(mm, pmd_m);
51303 + if (ptl != ptl_m) {
51304 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
51305 + if (!pte_none(*pte_m))
51309 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
51310 + page_cache_get(page_m);
51311 + page_add_anon_rmap(page_m, vma_m, address_m);
51312 + inc_mm_counter_fast(mm, MM_ANONPAGES);
51313 + set_pte_at(mm, address_m, pte_m, entry_m);
51314 + update_mmu_cache(vma_m, address_m, entry_m);
51316 + if (ptl != ptl_m)
51317 + spin_unlock(ptl_m);
51318 + pte_unmap_nested(pte_m);
51319 + unlock_page(page_m);
51322 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
51324 + struct mm_struct *mm = vma->vm_mm;
51325 + unsigned long address_m;
51326 + spinlock_t *ptl_m;
51327 + struct vm_area_struct *vma_m;
51329 + pte_t *pte_m, entry_m;
51331 + BUG_ON(!page_m || PageAnon(page_m));
51333 + vma_m = pax_find_mirror_vma(vma);
51337 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
51338 + address_m = address + SEGMEXEC_TASK_SIZE;
51339 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
51340 + pte_m = pte_offset_map_nested(pmd_m, address_m);
51341 + ptl_m = pte_lockptr(mm, pmd_m);
51342 + if (ptl != ptl_m) {
51343 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
51344 + if (!pte_none(*pte_m))
51348 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
51349 + page_cache_get(page_m);
51350 + page_add_file_rmap(page_m);
51351 + inc_mm_counter_fast(mm, MM_FILEPAGES);
51352 + set_pte_at(mm, address_m, pte_m, entry_m);
51353 + update_mmu_cache(vma_m, address_m, entry_m);
51355 + if (ptl != ptl_m)
51356 + spin_unlock(ptl_m);
51357 + pte_unmap_nested(pte_m);
51360 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
51362 + struct mm_struct *mm = vma->vm_mm;
51363 + unsigned long address_m;
51364 + spinlock_t *ptl_m;
51365 + struct vm_area_struct *vma_m;
51367 + pte_t *pte_m, entry_m;
51369 + vma_m = pax_find_mirror_vma(vma);
51373 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
51374 + address_m = address + SEGMEXEC_TASK_SIZE;
51375 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
51376 + pte_m = pte_offset_map_nested(pmd_m, address_m);
51377 + ptl_m = pte_lockptr(mm, pmd_m);
51378 + if (ptl != ptl_m) {
51379 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
51380 + if (!pte_none(*pte_m))
51384 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
51385 + set_pte_at(mm, address_m, pte_m, entry_m);
51387 + if (ptl != ptl_m)
51388 + spin_unlock(ptl_m);
51389 + pte_unmap_nested(pte_m);
51392 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
51394 + struct page *page_m;
51397 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
51401 + page_m = vm_normal_page(vma, address, entry);
51403 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
51404 + else if (PageAnon(page_m)) {
51405 + if (pax_find_mirror_vma(vma)) {
51406 + pte_unmap_unlock(pte, ptl);
51407 + lock_page(page_m);
51408 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
51409 + if (pte_same(entry, *pte))
51410 + pax_mirror_anon_pte(vma, address, page_m, ptl);
51412 + unlock_page(page_m);
51415 + pax_mirror_file_pte(vma, address, page_m, ptl);
51418 + pte_unmap_unlock(pte, ptl);
51423 * This routine handles present pages, when users try to write
51424 * to a shared page. It is done by copying the page to a new address
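Review bot: In `pax_mirror_anon_pte()`, `pax_mirror_file_pte()` and `pax_mirror_pfn_pte()` the `!pte_none(*pte_m)` test appears to sit inside the `if (ptl != ptl_m)` block, so when both addresses share one page-table lock an already populated mirror PTE would be overwritten by `set_pte_at()` without its rmap and page reference being dropped. If callers guarantee an empty mirror entry in that case, the function comment should say so; otherwise the test belongs outside the conditional. The comment above `pax_mirror_anon_pte()` covers only `ptl`; it should also state that `page_m` must be locked on entry (`BUG_ON(!PageLocked(page_m))`) and is unlocked on exit. The three functions repeat the same mirror-address computation and nested locking and could share one helper, and `pax_mirror_file_pte()`, the only non-static one, needs a prototype in a header that is not visible here.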
51425 @@ -2275,6 +2462,12 @@ gotten:
51427 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
51428 if (likely(pte_same(*page_table, orig_pte))) {
51430 +#ifdef CONFIG_PAX_SEGMEXEC
51431 + if (pax_find_mirror_vma(vma))
51432 + BUG_ON(!trylock_page(new_page));
51436 if (!PageAnon(old_page)) {
51437 dec_mm_counter_fast(mm, MM_FILEPAGES);
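Review bot: `BUG_ON(!trylock_page(new_page))` puts a call with a side effect inside an assertion macro, so taking the page lock is hidden in what reads as a pure sanity check. Write the acquisition as a statement and assert on its result: `if (!trylock_page(new_page)) BUG();`. The same construct is applied to `page` in the do_anonymous_page hunk further down. A comment should also say where the lock is released; in the visible code `pax_mirror_anon_pte()` ends with `unlock_page(page_m)`.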
51438 @@ -2326,6 +2519,10 @@ gotten:
51439 page_remove_rmap(old_page);
51442 +#ifdef CONFIG_PAX_SEGMEXEC
51443 + pax_mirror_anon_pte(vma, address, new_page, ptl);
51446 /* Free the old page.. */
51447 new_page = old_page;
51448 ret |= VM_FAULT_WRITE;
51449 @@ -2749,19 +2946,12 @@ static int do_swap_page(struct mm_struct
51451 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
51452 try_to_free_swap(page);
51454 +#ifdef CONFIG_PAX_SEGMEXEC
51455 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
51461 - * Hold the lock to avoid the swap entry to be reused
51462 - * until we take the PT lock for the pte_same() check
51463 - * (to avoid false positives from pte_same). For
51464 - * further safety release the lock after the swap_free
51465 - * so that the swap count won't change under a
51466 - * parallel locked swapcache.
51468 - unlock_page(swapcache);
51469 - page_cache_release(swapcache);
51472 if (flags & FAULT_FLAG_WRITE) {
51473 ret |= do_wp_page(mm, vma, address, page_table, pmd, ptl, pte);
51474 @@ -2772,6 +2962,11 @@ static int do_swap_page(struct mm_struct
51476 /* No need to invalidate - it was non-present before */
51477 update_mmu_cache(vma, address, page_table);
51479 +#ifdef CONFIG_PAX_SEGMEXEC
51480 + pax_mirror_anon_pte(vma, address, page, ptl);
51484 pte_unmap_unlock(page_table, ptl);
51486 @@ -2783,48 +2978,10 @@ out_page:
51489 page_cache_release(page);
51491 - unlock_page(swapcache);
51492 - page_cache_release(swapcache);
51498 - * This is like a special single-page "expand_{down|up}wards()",
51499 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
51500 - * doesn't hit another vma.
51502 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
51504 - address &= PAGE_MASK;
51505 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
51506 - struct vm_area_struct *prev = vma->vm_prev;
51509 - * Is there a mapping abutting this one below?
51511 - * That's only ok if it's the same stack mapping
51512 - * that has gotten split..
51514 - if (prev && prev->vm_end == address)
51515 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
51517 - expand_stack(vma, address - PAGE_SIZE);
51519 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
51520 - struct vm_area_struct *next = vma->vm_next;
51522 - /* As VM_GROWSDOWN but s/below/above/ */
51523 - if (next && next->vm_start == address + PAGE_SIZE)
51524 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
51526 - expand_upwards(vma, address + PAGE_SIZE);
51532 * We enter with non-exclusive mmap_sem (to exclude vma changes,
51533 * but allow concurrent faults), and pte mapped but not yet locked.
51534 * We return with mmap_sem still held, but pte unmapped and unlocked.
51535 @@ -2833,27 +2990,23 @@ static int do_anonymous_page(struct mm_s
51536 unsigned long address, pte_t *page_table, pmd_t *pmd,
51537 unsigned int flags)
51539 - struct page *page;
51540 + struct page *page = NULL;
51544 - pte_unmap(page_table);
51546 - /* Check if we need to add a guard page to the stack */
51547 - if (check_stack_guard_page(vma, address) < 0)
51548 - return VM_FAULT_SIGBUS;
51550 - /* Use the zero-page for reads */
51551 if (!(flags & FAULT_FLAG_WRITE)) {
51552 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
51553 vma->vm_page_prot));
51554 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
51555 + ptl = pte_lockptr(mm, pmd);
51557 if (!pte_none(*page_table))
51562 /* Allocate our own private page. */
51563 + pte_unmap(page_table);
51565 if (unlikely(anon_vma_prepare(vma)))
51567 page = alloc_zeroed_user_highpage_movable(vma, address);
51568 @@ -2872,6 +3025,11 @@ static int do_anonymous_page(struct mm_s
51569 if (!pte_none(*page_table))
51572 +#ifdef CONFIG_PAX_SEGMEXEC
51573 + if (pax_find_mirror_vma(vma))
51574 + BUG_ON(!trylock_page(page));
51577 inc_mm_counter_fast(mm, MM_ANONPAGES);
51578 page_add_new_anon_rmap(page, vma, address);
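Review bot: `BUG_ON(!trylock_page(page))` hides a lock acquisition inside an assertion macro, so a reader looking for where the page is locked before `pax_mirror_anon_pte()` runs will miss it. Writing it as `if (!trylock_page(page)) BUG();` with a comment such as `/* page was just allocated, so its lock cannot be contended */` makes the side effect explicit. That comment states an assumption to confirm against the allocation earlier in do_anonymous_page(), which lies outside this hunk. The same construct appears in the __do_fault() hunk at @@ -3021.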
51580 @@ -2879,6 +3037,12 @@ setpte:
51582 /* No need to invalidate - it was non-present before */
51583 update_mmu_cache(vma, address, page_table);
51585 +#ifdef CONFIG_PAX_SEGMEXEC
51587 + pax_mirror_anon_pte(vma, address, page, ptl);
51591 pte_unmap_unlock(page_table, ptl);
51593 @@ -3021,6 +3185,12 @@ static int __do_fault(struct mm_struct *
51595 /* Only go through if we didn't race with anybody else... */
51596 if (likely(pte_same(*page_table, orig_pte))) {
51598 +#ifdef CONFIG_PAX_SEGMEXEC
51599 + if (anon && pax_find_mirror_vma(vma))
51600 + BUG_ON(!trylock_page(page));
51603 flush_icache_page(vma, page);
51604 entry = mk_pte(page, vma->vm_page_prot);
51605 if (flags & FAULT_FLAG_WRITE)
51606 @@ -3040,6 +3210,14 @@ static int __do_fault(struct mm_struct *
51608 /* no need to invalidate: a not-present page won't be cached */
51609 update_mmu_cache(vma, address, page_table);
51611 +#ifdef CONFIG_PAX_SEGMEXEC
51613 + pax_mirror_anon_pte(vma, address, page, ptl);
51615 + pax_mirror_file_pte(vma, address, page, ptl);
51620 mem_cgroup_uncharge_page(page);
51621 @@ -3187,6 +3365,12 @@ static inline int handle_pte_fault(struc
51622 if (flags & FAULT_FLAG_WRITE)
51623 flush_tlb_page(vma, address);
51626 +#ifdef CONFIG_PAX_SEGMEXEC
51627 + pax_mirror_pte(vma, address, pte, pmd, ptl);
51632 pte_unmap_unlock(pte, ptl);
51634 @@ -3203,6 +3387,10 @@ int handle_mm_fault(struct mm_struct *mm
51638 +#ifdef CONFIG_PAX_SEGMEXEC
51639 + struct vm_area_struct *vma_m;
51642 __set_current_state(TASK_RUNNING);
51644 count_vm_event(PGFAULT);
51645 @@ -3213,6 +3401,34 @@ int handle_mm_fault(struct mm_struct *mm
51646 if (unlikely(is_vm_hugetlb_page(vma)))
51647 return hugetlb_fault(mm, vma, address, flags);
51649 +#ifdef CONFIG_PAX_SEGMEXEC
51650 + vma_m = pax_find_mirror_vma(vma);
51652 + unsigned long address_m;
51657 + if (vma->vm_start > vma_m->vm_start) {
51658 + address_m = address;
51659 + address -= SEGMEXEC_TASK_SIZE;
51662 + address_m = address + SEGMEXEC_TASK_SIZE;
51664 + pgd_m = pgd_offset(mm, address_m);
51665 + pud_m = pud_alloc(mm, pgd_m, address_m);
51667 + return VM_FAULT_OOM;
51668 + pmd_m = pmd_alloc(mm, pud_m, address_m);
51670 + return VM_FAULT_OOM;
51671 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
51672 + return VM_FAULT_OOM;
51673 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
51677 pgd = pgd_offset(mm, address);
51678 pud = pud_alloc(mm, pgd, address);
51680 @@ -3310,7 +3526,7 @@ static int __init gate_vma_init(void)
51681 gate_vma.vm_start = FIXADDR_USER_START;
51682 gate_vma.vm_end = FIXADDR_USER_END;
51683 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
51684 - gate_vma.vm_page_prot = __P101;
51685 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
51687 * Make sure the vDSO gets into every core dump.
51688 * Dumping its contents makes post-mortem fully interpretable later
51689 diff -urNp linux-2.6.35.7/mm/memory-failure.c linux-2.6.35.7/mm/memory-failure.c
51690 --- linux-2.6.35.7/mm/memory-failure.c 2010-08-26 19:47:12.000000000 -0400
51691 +++ linux-2.6.35.7/mm/memory-failure.c 2010-09-17 20:12:09.000000000 -0400
51692 @@ -51,7 +51,7 @@ int sysctl_memory_failure_early_kill __r
51694 int sysctl_memory_failure_recovery __read_mostly = 1;
51696 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
51697 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
51699 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
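Review bot: The declaration of `mce_bad_pages` as `atomic_long_unchecked_t` has no comment saying why this counter is exempt from overflow checking. In the later hunks of this file it is only adjusted around setting and clearing HWPoison, so it looks like a statistic rather than a reference count, and opting out seems reasonable. That should be stated at the declaration, e.g. `/* statistic only, not a refcount: wrap-around is harmless */`. The `_unchecked` call sites in __memory_failure(), unpoison_memory() and soft_offline_page() follow from the declaration and need no comment of their own.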
51701 @@ -939,7 +939,7 @@ int __memory_failure(unsigned long pfn,
51705 - atomic_long_add(1, &mce_bad_pages);
51706 + atomic_long_add_unchecked(1, &mce_bad_pages);
51709 * We need/can do nothing about count=0 pages.
51710 @@ -1003,7 +1003,7 @@ int __memory_failure(unsigned long pfn,
51712 if (hwpoison_filter(p)) {
51713 if (TestClearPageHWPoison(p))
51714 - atomic_long_dec(&mce_bad_pages);
51715 + atomic_long_dec_unchecked(&mce_bad_pages);
51719 @@ -1096,7 +1096,7 @@ int unpoison_memory(unsigned long pfn)
51721 if (!get_page_unless_zero(page)) {
51722 if (TestClearPageHWPoison(p))
51723 - atomic_long_dec(&mce_bad_pages);
51724 + atomic_long_dec_unchecked(&mce_bad_pages);
51725 pr_debug("MCE: Software-unpoisoned free page %#lx\n", pfn);
51728 @@ -1110,7 +1110,7 @@ int unpoison_memory(unsigned long pfn)
51730 if (TestClearPageHWPoison(p)) {
51731 pr_debug("MCE: Software-unpoisoned page %#lx\n", pfn);
51732 - atomic_long_dec(&mce_bad_pages);
51733 + atomic_long_dec_unchecked(&mce_bad_pages);
51737 @@ -1291,7 +1291,7 @@ int soft_offline_page(struct page *page,
51741 - atomic_long_add(1, &mce_bad_pages);
51742 + atomic_long_add_unchecked(1, &mce_bad_pages);
51743 SetPageHWPoison(page);
51744 /* keep elevated page count for bad page */
51746 diff -urNp linux-2.6.35.7/mm/mempolicy.c linux-2.6.35.7/mm/mempolicy.c
51747 --- linux-2.6.35.7/mm/mempolicy.c 2010-08-26 19:47:12.000000000 -0400
51748 +++ linux-2.6.35.7/mm/mempolicy.c 2010-09-17 20:12:37.000000000 -0400
51749 @@ -642,6 +642,10 @@ static int mbind_range(struct mm_struct
51750 unsigned long vmstart;
51751 unsigned long vmend;
51753 +#ifdef CONFIG_PAX_SEGMEXEC
51754 + struct vm_area_struct *vma_m;
51757 vma = find_vma_prev(mm, start, &prev);
51758 if (!vma || vma->vm_start > start)
51760 @@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct
51761 err = policy_vma(vma, new_pol);
51765 +#ifdef CONFIG_PAX_SEGMEXEC
51766 + vma_m = pax_find_mirror_vma(vma);
51768 + err = policy_vma(vma_m, new_pol);
51777 @@ -1098,6 +1112,17 @@ static long do_mbind(unsigned long start
51782 +#ifdef CONFIG_PAX_SEGMEXEC
51783 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
51784 + if (end > SEGMEXEC_TASK_SIZE)
51789 + if (end > TASK_SIZE)
51795 @@ -1303,6 +1328,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
51799 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51800 + if (mm != current->mm &&
51801 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
51808 * Check if this process has the right to modify the specified
51809 * process. The right exists if the process has administrative
51810 @@ -1312,8 +1345,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
51812 tcred = __task_cred(task);
51813 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
51814 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
51815 - !capable(CAP_SYS_NICE)) {
51816 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
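Review bot: Dropping `cred->uid != tcred->uid` narrows who may call migrate_pages() on another task, but the comment that starts in the context just above ("The right exists if the process has administrative...") is not touched and presumably still describes the old four-way comparison. After this change a caller whose real uid merely equals the target's real uid is refused unless it has CAP_SYS_NICE, which is a user-visible permission change. The comment should say so, e.g. `/* access needs euid == target uid or suid, or uid == target suid, or CAP_SYS_NICE */`. The identical change in the move_pages() hunk of mm/migrate.c needs the same update.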
51820 @@ -2564,7 +2596,7 @@ int show_numa_map(struct seq_file *m, vo
51823 seq_printf(m, " file=");
51824 - seq_path(m, &file->f_path, "\n\t= ");
51825 + seq_path(m, &file->f_path, "\n\t\\= ");
51826 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
51827 seq_printf(m, " heap");
51828 } else if (vma->vm_start <= mm->start_stack &&
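Review bot: The extra `\\` added to the seq_path() escape set in the `file=` branch has no comment, and its purpose is easy to overlook. seq_path() writes characters from that set as octal escapes, so without the backslash in the set a file name containing a literal backslash sequence could presumably be mistaken for an escaped character by anything parsing this output. A one-line comment would record that: `/* escape '\\' as well so the octal escapes in the path stay unambiguous */`. show_numa_map() starts and ends outside the hunk.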
51829 diff -urNp linux-2.6.35.7/mm/migrate.c linux-2.6.35.7/mm/migrate.c
51830 --- linux-2.6.35.7/mm/migrate.c 2010-08-26 19:47:12.000000000 -0400
51831 +++ linux-2.6.35.7/mm/migrate.c 2010-09-17 20:12:37.000000000 -0400
51832 @@ -1102,6 +1102,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
51836 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51837 + if (mm != current->mm &&
51838 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
51845 * Check if this process has the right to modify the specified
51846 * process. The right exists if the process has administrative
51847 @@ -1111,8 +1119,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
51849 tcred = __task_cred(task);
51850 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
51851 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
51852 - !capable(CAP_SYS_NICE)) {
51853 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
51857 diff -urNp linux-2.6.35.7/mm/mlock.c linux-2.6.35.7/mm/mlock.c
51858 --- linux-2.6.35.7/mm/mlock.c 2010-08-26 19:47:12.000000000 -0400
51859 +++ linux-2.6.35.7/mm/mlock.c 2010-09-17 20:12:37.000000000 -0400
51861 #include <linux/pagemap.h>
51862 #include <linux/mempolicy.h>
51863 #include <linux/syscalls.h>
51864 +#include <linux/security.h>
51865 #include <linux/sched.h>
51866 #include <linux/module.h>
51867 #include <linux/rmap.h>
51868 @@ -135,19 +136,6 @@ void munlock_vma_page(struct page *page)
51872 -/* Is the vma a continuation of the stack vma above it? */
51873 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
51875 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
51878 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
51880 - return (vma->vm_flags & VM_GROWSDOWN) &&
51881 - (vma->vm_start == addr) &&
51882 - !vma_stack_continue(vma->vm_prev, addr);
51886 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
51888 @@ -180,12 +168,6 @@ static long __mlock_vma_pages_range(stru
51889 if (vma->vm_flags & VM_WRITE)
51890 gup_flags |= FOLL_WRITE;
51892 - /* We don't try to access the guard page of a stack vma */
51893 - if (stack_guard_page(vma, start)) {
51894 - addr += PAGE_SIZE;
51898 while (nr_pages > 0) {
51901 @@ -451,6 +433,9 @@ static int do_mlock(unsigned long start,
51905 + if (end > TASK_SIZE)
51908 vma = find_vma_prev(current->mm, start, &prev);
51909 if (!vma || vma->vm_start > start)
51911 @@ -461,6 +446,11 @@ static int do_mlock(unsigned long start,
51912 for (nstart = start ; ; ) {
51913 unsigned int newflags;
51915 +#ifdef CONFIG_PAX_SEGMEXEC
51916 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51920 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
51922 newflags = vma->vm_flags | VM_LOCKED;
51923 @@ -510,6 +500,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
51924 lock_limit >>= PAGE_SHIFT;
51926 /* check against resource limits */
51927 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
51928 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
51929 error = do_mlock(start, len, 1);
51930 up_write(¤t->mm->mmap_sem);
51931 @@ -531,17 +522,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
51932 static int do_mlockall(int flags)
51934 struct vm_area_struct * vma, * prev = NULL;
51935 - unsigned int def_flags = 0;
51937 if (flags & MCL_FUTURE)
51938 - def_flags = VM_LOCKED;
51939 - current->mm->def_flags = def_flags;
51940 + current->mm->def_flags |= VM_LOCKED;
51942 + current->mm->def_flags &= ~VM_LOCKED;
51943 if (flags == MCL_FUTURE)
51946 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
51947 - unsigned int newflags;
51948 + unsigned long newflags;
51950 +#ifdef CONFIG_PAX_SEGMEXEC
51951 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51955 + BUG_ON(vma->vm_end > TASK_SIZE);
51956 newflags = vma->vm_flags | VM_LOCKED;
51957 if (!(flags & MCL_CURRENT))
51958 newflags &= ~VM_LOCKED;
51959 @@ -573,6 +570,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
51960 lock_limit >>= PAGE_SHIFT;
51963 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
51964 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
51965 capable(CAP_IPC_LOCK))
51966 ret = do_mlockall(flags);
51967 diff -urNp linux-2.6.35.7/mm/mmap.c linux-2.6.35.7/mm/mmap.c
51968 --- linux-2.6.35.7/mm/mmap.c 2010-09-26 17:32:11.000000000 -0400
51969 +++ linux-2.6.35.7/mm/mmap.c 2010-10-18 21:01:30.000000000 -0400
51971 #define arch_rebalance_pgtables(addr, len) (addr)
51974 +static inline void verify_mm_writelocked(struct mm_struct *mm)
51976 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
51977 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
51978 + up_read(&mm->mmap_sem);
51984 static void unmap_region(struct mm_struct *mm,
51985 struct vm_area_struct *vma, struct vm_area_struct *prev,
51986 unsigned long start, unsigned long end);
51987 @@ -69,22 +79,32 @@ static void unmap_region(struct mm_struc
51988 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
51991 -pgprot_t protection_map[16] = {
51992 +pgprot_t protection_map[16] __read_only = {
51993 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
51994 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
51997 pgprot_t vm_get_page_prot(unsigned long vm_flags)
51999 - return __pgprot(pgprot_val(protection_map[vm_flags &
52000 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
52001 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
52002 pgprot_val(arch_vm_get_page_prot(vm_flags)));
52004 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
52005 + if (!(__supported_pte_mask & _PAGE_NX) &&
52006 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
52007 + (vm_flags & (VM_READ | VM_WRITE)))
52008 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
52013 EXPORT_SYMBOL(vm_get_page_prot);
52015 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
52016 int sysctl_overcommit_ratio = 50; /* default is 50% */
52017 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
52018 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
52019 struct percpu_counter vm_committed_as;
52022 @@ -230,6 +250,7 @@ static struct vm_area_struct *remove_vma
52023 struct vm_area_struct *next = vma->vm_next;
52026 + BUG_ON(vma->vm_mirror);
52027 if (vma->vm_ops && vma->vm_ops->close)
52028 vma->vm_ops->close(vma);
52029 if (vma->vm_file) {
52030 @@ -266,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
52031 * not page aligned -Ram Gupta
52033 rlim = rlimit(RLIMIT_DATA);
52034 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
52035 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
52036 (mm->end_data - mm->start_data) > rlim)
52038 @@ -695,6 +717,12 @@ static int
52039 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
52040 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
52043 +#ifdef CONFIG_PAX_SEGMEXEC
52044 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
52048 if (is_mergeable_vma(vma, file, vm_flags) &&
52049 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
52050 if (vma->vm_pgoff == vm_pgoff)
52051 @@ -714,6 +742,12 @@ static int
52052 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
52053 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
52056 +#ifdef CONFIG_PAX_SEGMEXEC
52057 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
52061 if (is_mergeable_vma(vma, file, vm_flags) &&
52062 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
52064 @@ -756,13 +790,20 @@ can_vma_merge_after(struct vm_area_struc
52065 struct vm_area_struct *vma_merge(struct mm_struct *mm,
52066 struct vm_area_struct *prev, unsigned long addr,
52067 unsigned long end, unsigned long vm_flags,
52068 - struct anon_vma *anon_vma, struct file *file,
52069 + struct anon_vma *anon_vma, struct file *file,
52070 pgoff_t pgoff, struct mempolicy *policy)
52072 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
52073 struct vm_area_struct *area, *next;
52076 +#ifdef CONFIG_PAX_SEGMEXEC
52077 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
52078 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
52080 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
52084 * We later require that vma->vm_flags == vm_flags,
52085 * so this tests vma->vm_flags & VM_SPECIAL, too.
52086 @@ -778,6 +819,15 @@ struct vm_area_struct *vma_merge(struct
52087 if (next && next->vm_end == end) /* cases 6, 7, 8 */
52088 next = next->vm_next;
52090 +#ifdef CONFIG_PAX_SEGMEXEC
52092 + prev_m = pax_find_mirror_vma(prev);
52094 + area_m = pax_find_mirror_vma(area);
52096 + next_m = pax_find_mirror_vma(next);
52100 * Can it merge with the predecessor?
52102 @@ -797,9 +847,24 @@ struct vm_area_struct *vma_merge(struct
52104 err = vma_adjust(prev, prev->vm_start,
52105 next->vm_end, prev->vm_pgoff, NULL);
52106 - } else /* cases 2, 5, 7 */
52108 +#ifdef CONFIG_PAX_SEGMEXEC
52109 + if (!err && prev_m)
52110 + err = vma_adjust(prev_m, prev_m->vm_start,
52111 + next_m->vm_end, prev_m->vm_pgoff, NULL);
52114 + } else { /* cases 2, 5, 7 */
52115 err = vma_adjust(prev, prev->vm_start,
52116 end, prev->vm_pgoff, NULL);
52118 +#ifdef CONFIG_PAX_SEGMEXEC
52119 + if (!err && prev_m)
52120 + err = vma_adjust(prev_m, prev_m->vm_start,
52121 + end_m, prev_m->vm_pgoff, NULL);
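Review bot: When the second `vma_adjust()` on the mirror fails after the first one succeeded, the primary vma has already been resized while `prev_m` has not. That breaks the size equality pax_find_mirror_vma() asserts with `BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start)`, so an allocation failure here would become a BUG on the next lookup. The cases 1, 6 branch also tests only `prev_m` but dereferences `next_m->vm_end`. If both are guaranteed by invariants, say so: `/* prev_m implies next_m; the mirror adjust cannot fail because <reason> */`. Otherwise the failure path needs to undo the first adjust. The @@ -812 hunk has the same pattern with `area_m` and `next_m`.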
52128 @@ -812,12 +877,27 @@ struct vm_area_struct *vma_merge(struct
52129 mpol_equal(policy, vma_policy(next)) &&
52130 can_vma_merge_before(next, vm_flags,
52131 anon_vma, file, pgoff+pglen)) {
52132 - if (prev && addr < prev->vm_end) /* case 4 */
52133 + if (prev && addr < prev->vm_end) { /* case 4 */
52134 err = vma_adjust(prev, prev->vm_start,
52135 addr, prev->vm_pgoff, NULL);
52136 - else /* cases 3, 8 */
52138 +#ifdef CONFIG_PAX_SEGMEXEC
52139 + if (!err && prev_m)
52140 + err = vma_adjust(prev_m, prev_m->vm_start,
52141 + addr_m, prev_m->vm_pgoff, NULL);
52144 + } else { /* cases 3, 8 */
52145 err = vma_adjust(area, addr, next->vm_end,
52146 next->vm_pgoff - pglen, NULL);
52148 +#ifdef CONFIG_PAX_SEGMEXEC
52149 + if (!err && area_m)
52150 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
52151 + next_m->vm_pgoff - pglen, NULL);
52158 @@ -932,14 +1012,11 @@ none:
52159 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
52160 struct file *file, long pages)
52162 - const unsigned long stack_flags
52163 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
52166 mm->shared_vm += pages;
52167 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
52168 mm->exec_vm += pages;
52169 - } else if (flags & stack_flags)
52170 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
52171 mm->stack_vm += pages;
52172 if (flags & (VM_RESERVED|VM_IO))
52173 mm->reserved_vm += pages;
52174 @@ -966,7 +1043,7 @@ unsigned long do_mmap_pgoff(struct file
52175 * (the exception is when the underlying filesystem is noexec
52176 * mounted, in which case we dont add PROT_EXEC.)
52178 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
52179 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
52180 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
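Review bot: The comment above this test, whose tail is visible in the context lines, presumably still describes PROT_READ implying PROT_EXEC, while the new condition also fires for a mapping requested with PROT_WRITE only. Widening the set of implicitly executable mappings is a behaviour change and needs its own line, e.g. `/* with READ_IMPLIES_EXEC a write-only request is made executable too */`. The commit should also say why that is wanted. do_mmap_pgoff() starts and ends outside the hunk.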
52183 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
52184 /* Obtain the address to map to. we verify (or select) it and ensure
52185 * that it represents a valid section of the address space.
52187 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
52188 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
52189 if (addr & ~PAGE_MASK)
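Review bot: Passing `MAP_EXECUTABLE` to get_unmapped_area() as a stand-in for `prot & PROT_EXEC` is undocumented, and the callee cannot tell this synthesized bit from a `MAP_EXECUTABLE` the caller already set in `flags`. If an arch hook uses the bit to decide where executable mappings are placed (not visible here), a non-executable request carrying the flag would be placed the same way. A comment at the call would make the overloaded meaning clear: `/* MAP_EXECUTABLE here means "mapping will be executable", for placement only */`. The hook that consumes it should note which meaning it relies on.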
52192 @@ -1003,6 +1080,31 @@ unsigned long do_mmap_pgoff(struct file
52193 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
52194 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
52196 +#ifdef CONFIG_PAX_MPROTECT
52197 + if (mm->pax_flags & MF_PAX_MPROTECT) {
52198 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
52199 + gr_log_rwxmmap(file);
52201 +#ifdef CONFIG_PAX_EMUPLT
52202 + vm_flags &= ~VM_EXEC;
52209 + if (!(vm_flags & VM_EXEC))
52210 + vm_flags &= ~VM_MAYEXEC;
52212 + vm_flags &= ~VM_MAYWRITE;
52216 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
52217 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
52218 + vm_flags &= ~VM_PAGEEXEC;
52221 if (flags & MAP_LOCKED)
52222 if (!can_do_mlock())
52224 @@ -1014,6 +1116,7 @@ unsigned long do_mmap_pgoff(struct file
52225 locked += mm->locked_vm;
52226 lock_limit = rlimit(RLIMIT_MEMLOCK);
52227 lock_limit >>= PAGE_SHIFT;
52228 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
52229 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
52232 @@ -1084,6 +1187,9 @@ unsigned long do_mmap_pgoff(struct file
52236 + if (!gr_acl_handle_mmap(file, prot))
52239 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
52241 EXPORT_SYMBOL(do_mmap_pgoff);
52242 @@ -1160,10 +1266,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
52244 int vma_wants_writenotify(struct vm_area_struct *vma)
52246 - unsigned int vm_flags = vma->vm_flags;
52247 + unsigned long vm_flags = vma->vm_flags;
52249 /* If it was private or non-writable, the write bit is already clear */
52250 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
52251 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
52254 /* The backer wishes to know when pages are first written to? */
52255 @@ -1212,14 +1318,24 @@ unsigned long mmap_region(struct file *f
52256 unsigned long charged = 0;
52257 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
52259 +#ifdef CONFIG_PAX_SEGMEXEC
52260 + struct vm_area_struct *vma_m = NULL;
52264 + * mm->mmap_sem is required to protect against another thread
52265 + * changing the mappings in case we sleep.
52267 + verify_mm_writelocked(mm);
52269 /* Clear old maps */
52272 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52273 if (vma && vma->vm_start < addr + len) {
52274 if (do_munmap(mm, addr, len))
52276 - goto munmap_back;
52277 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52278 + BUG_ON(vma && vma->vm_start < addr + len);
52281 /* Check against address space limit. */
52282 @@ -1268,6 +1384,16 @@ munmap_back:
52286 +#ifdef CONFIG_PAX_SEGMEXEC
52287 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
52288 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52297 vma->vm_start = addr;
52298 vma->vm_end = addr + len;
52299 @@ -1291,6 +1417,19 @@ munmap_back:
52300 error = file->f_op->mmap(file, vma);
52302 goto unmap_and_free_vma;
52304 +#ifdef CONFIG_PAX_SEGMEXEC
52305 + if (vma_m && (vm_flags & VM_EXECUTABLE))
52306 + added_exe_file_vma(mm);
52309 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
52310 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
52311 + vma->vm_flags |= VM_PAGEEXEC;
52312 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
52316 if (vm_flags & VM_EXECUTABLE)
52317 added_exe_file_vma(mm);
52319 @@ -1326,6 +1465,11 @@ munmap_back:
52320 vma_link(mm, vma, prev, rb_link, rb_parent);
52321 file = vma->vm_file;
52323 +#ifdef CONFIG_PAX_SEGMEXEC
52325 + BUG_ON(pax_mirror_vma(vma_m, vma));
52328 /* Once vma denies write, undo our temporary denial count */
52329 if (correct_wcount)
52330 atomic_inc(&inode->i_writecount);
52331 @@ -1334,6 +1478,7 @@ out:
52333 mm->total_vm += len >> PAGE_SHIFT;
52334 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
52335 + track_exec_limit(mm, addr, addr + len, vm_flags);
52336 if (vm_flags & VM_LOCKED) {
52337 if (!mlock_vma_pages_range(vma, addr, addr + len))
52338 mm->locked_vm += (len >> PAGE_SHIFT);
52339 @@ -1351,6 +1496,12 @@ unmap_and_free_vma:
52340 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
52344 +#ifdef CONFIG_PAX_SEGMEXEC
52346 + kmem_cache_free(vm_area_cachep, vma_m);
52349 kmem_cache_free(vm_area_cachep, vma);
52352 @@ -1358,6 +1509,33 @@ unacct_error:
52356 +bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len)
52359 +#ifdef CONFIG_STACK_GROWSUP
52360 + if (addr > sysctl_heap_stack_gap)
52361 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
52363 + vma = find_vma(current->mm, 0);
52364 + if (vma && (vma->vm_flags & VM_GROWSUP))
52370 + if (addr + len > vma->vm_start)
52373 + if (vma->vm_flags & VM_GROWSDOWN)
52374 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
52375 +#ifdef CONFIG_STACK_GROWSUP
52376 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
52377 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
52383 /* Get an address range which is currently unmapped.
52384 * For shmat() with addr=0.
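Review bot: In the `CONFIG_STACK_GROWSUP` branch, `addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap` is true when the candidate range lies closer to the upward-growing stack than the gap. That is the opposite sense of the `VM_GROWSDOWN` test just above it, `sysctl_heap_stack_gap <= vma->vm_start - addr - len`, which is true when the distance is at least the gap. Unless the inversion is intended, the line should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. The function also has no header comment. One sentence would do: it returns true when `[addr, addr + len)` fits below `vma` and stays `sysctl_heap_stack_gap` bytes away from an adjacent stack vma.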
52386 @@ -1384,18 +1562,23 @@ arch_get_unmapped_area(struct file *filp
52387 if (flags & MAP_FIXED)
52390 +#ifdef CONFIG_PAX_RANDMMAP
52391 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
52395 addr = PAGE_ALIGN(addr);
52396 - vma = find_vma(mm, addr);
52397 - if (TASK_SIZE - len >= addr &&
52398 - (!vma || addr + len <= vma->vm_start))
52400 + if (TASK_SIZE - len >= addr) {
52401 + vma = find_vma(mm, addr);
52402 + if (check_heap_stack_gap(vma, addr, len))
52406 if (len > mm->cached_hole_size) {
52407 - start_addr = addr = mm->free_area_cache;
52408 + start_addr = addr = mm->free_area_cache;
52410 - start_addr = addr = TASK_UNMAPPED_BASE;
52411 - mm->cached_hole_size = 0;
52412 + start_addr = addr = mm->mmap_base;
52413 + mm->cached_hole_size = 0;
52417 @@ -1406,34 +1589,40 @@ full_search:
52418 * Start a new search - just in case we missed
52421 - if (start_addr != TASK_UNMAPPED_BASE) {
52422 - addr = TASK_UNMAPPED_BASE;
52423 - start_addr = addr;
52424 + if (start_addr != mm->mmap_base) {
52425 + start_addr = addr = mm->mmap_base;
52426 mm->cached_hole_size = 0;
52431 - if (!vma || addr + len <= vma->vm_start) {
52433 - * Remember the place where we stopped the search:
52435 - mm->free_area_cache = addr + len;
52438 + if (check_heap_stack_gap(vma, addr, len))
52440 if (addr + mm->cached_hole_size < vma->vm_start)
52441 mm->cached_hole_size = vma->vm_start - addr;
52442 addr = vma->vm_end;
52446 + * Remember the place where we stopped the search:
52448 + mm->free_area_cache = addr + len;
52453 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
52456 +#ifdef CONFIG_PAX_SEGMEXEC
52457 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
52462 * Is this a new hole at the lowest possible address?
52464 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
52465 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
52466 mm->free_area_cache = addr;
52467 mm->cached_hole_size = ~0UL;
52469 @@ -1451,7 +1640,7 @@ arch_get_unmapped_area_topdown(struct fi
52471 struct vm_area_struct *vma;
52472 struct mm_struct *mm = current->mm;
52473 - unsigned long addr = addr0;
52474 + unsigned long base = mm->mmap_base, addr = addr0;
52476 /* requested length too big for entire address space */
52477 if (len > TASK_SIZE)
52478 @@ -1460,13 +1649,18 @@ arch_get_unmapped_area_topdown(struct fi
52479 if (flags & MAP_FIXED)
52482 +#ifdef CONFIG_PAX_RANDMMAP
52483 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
52486 /* requesting a specific address */
52488 addr = PAGE_ALIGN(addr);
52489 - vma = find_vma(mm, addr);
52490 - if (TASK_SIZE - len >= addr &&
52491 - (!vma || addr + len <= vma->vm_start))
52493 + if (TASK_SIZE - len >= addr) {
52494 + vma = find_vma(mm, addr);
52495 + if (check_heap_stack_gap(vma, addr, len))
52500 /* check if free_area_cache is useful for us */
52501 @@ -1481,7 +1675,7 @@ arch_get_unmapped_area_topdown(struct fi
52502 /* make sure it can fit in the remaining address space */
52504 vma = find_vma(mm, addr-len);
52505 - if (!vma || addr <= vma->vm_start)
52506 + if (check_heap_stack_gap(vma, addr - len, len))
52507 /* remember the address as a hint for next time */
52508 return (mm->free_area_cache = addr-len);
52510 @@ -1498,7 +1692,7 @@ arch_get_unmapped_area_topdown(struct fi
52511 * return with success:
52513 vma = find_vma(mm, addr);
52514 - if (!vma || addr+len <= vma->vm_start)
52515 + if (check_heap_stack_gap(vma, addr, len))
52516 /* remember the address as a hint for next time */
52517 return (mm->free_area_cache = addr);
52519 @@ -1517,13 +1711,21 @@ bottomup:
52520 * can happen with large stack limits and large mmap()
52523 + mm->mmap_base = TASK_UNMAPPED_BASE;
52525 +#ifdef CONFIG_PAX_RANDMMAP
52526 + if (mm->pax_flags & MF_PAX_RANDMMAP)
52527 + mm->mmap_base += mm->delta_mmap;
52530 + mm->free_area_cache = mm->mmap_base;
52531 mm->cached_hole_size = ~0UL;
52532 - mm->free_area_cache = TASK_UNMAPPED_BASE;
52533 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
52535 * Restore the topdown base:
52537 - mm->free_area_cache = mm->mmap_base;
52538 + mm->mmap_base = base;
52539 + mm->free_area_cache = base;
52540 mm->cached_hole_size = ~0UL;
52543 @@ -1532,6 +1734,12 @@ bottomup:
52545 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
52548 +#ifdef CONFIG_PAX_SEGMEXEC
52549 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
52554 * Is this a new hole at the highest possible address?
52556 @@ -1539,8 +1747,10 @@ void arch_unmap_area_topdown(struct mm_s
52557 mm->free_area_cache = addr;
52559 /* dont allow allocations above current base */
52560 - if (mm->free_area_cache > mm->mmap_base)
52561 + if (mm->free_area_cache > mm->mmap_base) {
52562 mm->free_area_cache = mm->mmap_base;
52563 + mm->cached_hole_size = ~0UL;
52568 @@ -1648,6 +1858,34 @@ out:
52569 return prev ? prev->vm_next : vma;
52572 +#ifdef CONFIG_PAX_SEGMEXEC
52573 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
52575 + struct vm_area_struct *vma_m;
52577 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
52578 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
52579 + BUG_ON(vma->vm_mirror);
52582 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
52583 + vma_m = vma->vm_mirror;
52584 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
52585 + BUG_ON(vma->vm_file != vma_m->vm_file);
52586 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
52587 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
52588 + if (vma->anon_vma != vma_m->anon_vma) {
52589 + struct anon_vma_chain *avc, *avc_m;
52591 + avc = list_entry(vma->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
52592 + avc_m = list_entry(vma_m->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
52593 + BUG_ON(avc->anon_vma != avc_m->anon_vma);
52595 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
52601 * Verify that the stack growth is acceptable and
52602 * update accounting. This is shared with both the
52603 @@ -1664,6 +1902,7 @@ static int acct_stack_growth(struct vm_a
52606 /* Stack limit test */
52607 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
52608 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
52611 @@ -1674,6 +1913,7 @@ static int acct_stack_growth(struct vm_a
52612 locked = mm->locked_vm + grow;
52613 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
52614 limit >>= PAGE_SHIFT;
52615 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
52616 if (locked > limit && !capable(CAP_IPC_LOCK))
52619 @@ -1704,37 +1944,47 @@ static int acct_stack_growth(struct vm_a
52620 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
52621 * vma is the last one with address > vma->vm_end. Have to extend vma.
52623 +#ifndef CONFIG_IA64
52626 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
52629 + int error, locknext;
52631 if (!(vma->vm_flags & VM_GROWSUP))
52634 + /* Also guard against wrapping around to address 0. */
52635 + if (address < PAGE_ALIGN(address+1))
52636 + address = PAGE_ALIGN(address+1);
52641 * We must make sure the anon_vma is allocated
52642 * so that the anon_vma locking is not a noop.
52644 if (unlikely(anon_vma_prepare(vma)))
52646 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
52647 + if (locknext && anon_vma_prepare(vma->vm_next))
52649 anon_vma_lock(vma);
52651 + anon_vma_lock(vma->vm_next);
52654 * vma->vm_start/vm_end cannot change under us because the caller
52655 * is required to hold the mmap_sem in read mode. We need the
52656 - * anon_vma lock to serialize against concurrent expand_stacks.
52657 - * Also guard against wrapping around to address 0.
52658 + * anon_vma locks to serialize against concurrent expand_stacks
52659 + * and expand_upwards.
52661 - if (address < PAGE_ALIGN(address+4))
52662 - address = PAGE_ALIGN(address+4);
52664 - anon_vma_unlock(vma);
52669 /* Somebody else might have raced and expanded it already */
52670 - if (address > vma->vm_end) {
52671 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
52673 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
52674 unsigned long size, grow;
52676 size = address - vma->vm_start;
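Review bot: The gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` in expand_upwards is an unsigned subtraction, so an `address` above `vm_next->vm_start` wraps to a large value and slips past it, and the following `else if` only rejects that overlap when `locknext` is set. If callers cannot guarantee `address <= vma->vm_next->vm_start`, make the bound explicit inside the condition: `(address > vma->vm_next->vm_start || vma->vm_next->vm_start - address < sysctl_heap_stack_gap)`. The same shape appears as `address - prev->vm_end` in the expand_downwards hunk. The function body continues outside this hunk.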
52677 @@ -1744,6 +1994,8 @@ int expand_upwards(struct vm_area_struct
52679 vma->vm_end = address;
52682 + anon_vma_unlock(vma->vm_next);
52683 anon_vma_unlock(vma);
52686 @@ -1755,7 +2007,8 @@ int expand_upwards(struct vm_area_struct
52687 static int expand_downwards(struct vm_area_struct *vma,
52688 unsigned long address)
52691 + int error, lockprev = 0;
52692 + struct vm_area_struct *prev;
52695 * We must make sure the anon_vma is allocated
52696 @@ -1769,6 +2022,15 @@ static int expand_downwards(struct vm_ar
52700 + prev = vma->vm_prev;
52701 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
52702 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
52704 + if (lockprev && anon_vma_prepare(prev))
52707 + anon_vma_lock(prev);
52709 anon_vma_lock(vma);
52712 @@ -1778,9 +2040,17 @@ static int expand_downwards(struct vm_ar
52715 /* Somebody else might have raced and expanded it already */
52716 - if (address < vma->vm_start) {
52717 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
52719 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
52720 unsigned long size, grow;
52722 +#ifdef CONFIG_PAX_SEGMEXEC
52723 + struct vm_area_struct *vma_m;
52725 + vma_m = pax_find_mirror_vma(vma);
52728 size = vma->vm_end - address;
52729 grow = (vma->vm_start - address) >> PAGE_SHIFT;
52731 @@ -1788,9 +2058,20 @@ static int expand_downwards(struct vm_ar
52733 vma->vm_start = address;
52734 vma->vm_pgoff -= grow;
52735 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
52737 +#ifdef CONFIG_PAX_SEGMEXEC
52739 + vma_m->vm_start -= grow << PAGE_SHIFT;
52740 + vma_m->vm_pgoff -= grow;
52746 anon_vma_unlock(vma);
52748 + anon_vma_unlock(prev);
52752 @@ -1864,6 +2145,13 @@ static void remove_vma_list(struct mm_st
52754 long nrpages = vma_pages(vma);
52756 +#ifdef CONFIG_PAX_SEGMEXEC
52757 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
52758 + vma = remove_vma(vma);
52763 mm->total_vm -= nrpages;
52764 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
52765 vma = remove_vma(vma);
52766 @@ -1909,6 +2197,16 @@ detach_vmas_to_be_unmapped(struct mm_str
52767 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
52768 vma->vm_prev = NULL;
52771 +#ifdef CONFIG_PAX_SEGMEXEC
52772 + if (vma->vm_mirror) {
52773 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
52774 + vma->vm_mirror->vm_mirror = NULL;
52775 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
52776 + vma->vm_mirror = NULL;
52780 rb_erase(&vma->vm_rb, &mm->mm_rb);
52783 @@ -1937,14 +2235,33 @@ static int __split_vma(struct mm_struct
52784 struct vm_area_struct *new;
52787 +#ifdef CONFIG_PAX_SEGMEXEC
52788 + struct vm_area_struct *vma_m, *new_m = NULL;
52789 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
52792 if (is_vm_hugetlb_page(vma) && (addr &
52793 ~(huge_page_mask(hstate_vma(vma)))))
52796 +#ifdef CONFIG_PAX_SEGMEXEC
52797 + vma_m = pax_find_mirror_vma(vma);
52800 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
52804 +#ifdef CONFIG_PAX_SEGMEXEC
52806 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
52808 + kmem_cache_free(vm_area_cachep, new);
52814 /* most fields are the same, copy all, and then fixup */
52817 @@ -1957,6 +2274,22 @@ static int __split_vma(struct mm_struct
52818 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
52821 +#ifdef CONFIG_PAX_SEGMEXEC
52824 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
52825 + new_m->vm_mirror = new;
52826 + new->vm_mirror = new_m;
52829 + new_m->vm_end = addr_m;
52831 + new_m->vm_start = addr_m;
52832 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
52837 pol = mpol_dup(vma_policy(vma));
52839 err = PTR_ERR(pol);
52840 @@ -1982,6 +2315,42 @@ static int __split_vma(struct mm_struct
52842 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
52844 +#ifdef CONFIG_PAX_SEGMEXEC
52845 + if (!err && vma_m) {
52846 + if (anon_vma_clone(new_m, vma_m))
52847 + goto out_free_mpol;
52850 + vma_set_policy(new_m, pol);
52852 + if (new_m->vm_file) {
52853 + get_file(new_m->vm_file);
52854 + if (vma_m->vm_flags & VM_EXECUTABLE)
52855 + added_exe_file_vma(mm);
52858 + if (new_m->vm_ops && new_m->vm_ops->open)
52859 + new_m->vm_ops->open(new_m);
52862 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
52863 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
52865 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
52868 + if (new_m->vm_ops && new_m->vm_ops->close)
52869 + new_m->vm_ops->close(new_m);
52870 + if (new_m->vm_file) {
52871 + if (vma_m->vm_flags & VM_EXECUTABLE)
52872 + removed_exe_file_vma(mm);
52873 + fput(new_m->vm_file);
52883 @@ -1994,10 +2363,18 @@ static int __split_vma(struct mm_struct
52884 removed_exe_file_vma(mm);
52885 fput(new->vm_file);
52887 - unlink_anon_vmas(new);
52892 +#ifdef CONFIG_PAX_SEGMEXEC
52894 + unlink_anon_vmas(new_m);
52895 + kmem_cache_free(vm_area_cachep, new_m);
52899 + unlink_anon_vmas(new);
52900 kmem_cache_free(vm_area_cachep, new);
52903 @@ -2010,6 +2387,15 @@ static int __split_vma(struct mm_struct
52904 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
52905 unsigned long addr, int new_below)
52908 +#ifdef CONFIG_PAX_SEGMEXEC
52909 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
52910 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
52911 + if (mm->map_count >= sysctl_max_map_count-1)
52916 if (mm->map_count >= sysctl_max_map_count)
52919 @@ -2021,11 +2407,30 @@ int split_vma(struct mm_struct *mm, stru
52920 * work. This now handles partial unmappings.
52921 * Jeremy Fitzhardinge <jeremy@goop.org>
52923 +#ifdef CONFIG_PAX_SEGMEXEC
52924 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52926 + int ret = __do_munmap(mm, start, len);
52927 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
52930 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
52933 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52935 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52939 struct vm_area_struct *vma, *prev, *last;
52942 + * mm->mmap_sem is required to protect against another thread
52943 + * changing the mappings in case we sleep.
52945 + verify_mm_writelocked(mm);
52947 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
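Review bot: In the SEGMEXEC `do_munmap` wrapper, a failure of the second call, `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)`, is returned after the primary range has already been unmapped, so an error return no longer means the mapping was left untouched. If that is intended, the wrapper should say so, for example `/* the mirror range is unmapped second; an error here leaves the primary range already gone */`. Both functions are only partly visible in this hunk, so any handling on lines not shown should be checked first.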
52950 @@ -2099,6 +2504,8 @@ int do_munmap(struct mm_struct *mm, unsi
52951 /* Fix up all other VM information */
52952 remove_vma_list(mm, vma);
52954 + track_exec_limit(mm, start, end, 0UL);
52959 @@ -2111,22 +2518,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
52961 profile_munmap(addr);
52963 +#ifdef CONFIG_PAX_SEGMEXEC
52964 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
52965 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
52969 down_write(&mm->mmap_sem);
52970 ret = do_munmap(mm, addr, len);
52971 up_write(&mm->mmap_sem);
52975 -static inline void verify_mm_writelocked(struct mm_struct *mm)
52977 -#ifdef CONFIG_DEBUG_VM
52978 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
52980 - up_read(&mm->mmap_sem);
52986 * this is really a simplified "do_mmap". it only handles
52987 * anonymous maps. eventually we may be able to do some
52988 @@ -2140,6 +2543,7 @@ unsigned long do_brk(unsigned long addr,
52989 struct rb_node ** rb_link, * rb_parent;
52990 pgoff_t pgoff = addr >> PAGE_SHIFT;
52992 + unsigned long charged;
52994 len = PAGE_ALIGN(len);
52996 @@ -2151,16 +2555,30 @@ unsigned long do_brk(unsigned long addr,
52998 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
53000 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53001 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
53002 + flags &= ~VM_EXEC;
53004 +#ifdef CONFIG_PAX_MPROTECT
53005 + if (mm->pax_flags & MF_PAX_MPROTECT)
53006 + flags &= ~VM_MAYEXEC;
53012 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
53013 if (error & ~PAGE_MASK)
53016 + charged = len >> PAGE_SHIFT;
53019 * mlock MCL_FUTURE?
53021 if (mm->def_flags & VM_LOCKED) {
53022 unsigned long locked, lock_limit;
53023 - locked = len >> PAGE_SHIFT;
53024 + locked = charged;
53025 locked += mm->locked_vm;
53026 lock_limit = rlimit(RLIMIT_MEMLOCK);
53027 lock_limit >>= PAGE_SHIFT;
53028 @@ -2177,22 +2595,22 @@ unsigned long do_brk(unsigned long addr,
53030 * Clear old maps. this also does some error checking for us
53033 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53034 if (vma && vma->vm_start < addr + len) {
53035 if (do_munmap(mm, addr, len))
53037 - goto munmap_back;
53038 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53039 + BUG_ON(vma && vma->vm_start < addr + len);
53042 /* Check against address space limits *after* clearing old maps... */
53043 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
53044 + if (!may_expand_vm(mm, charged))
53047 if (mm->map_count > sysctl_max_map_count)
53050 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
53051 + if (security_vm_enough_memory(charged))
53054 /* Can we just expand an old private anonymous mapping? */
53055 @@ -2206,7 +2624,7 @@ unsigned long do_brk(unsigned long addr,
53057 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53059 - vm_unacct_memory(len >> PAGE_SHIFT);
53060 + vm_unacct_memory(charged);
53064 @@ -2219,11 +2637,12 @@ unsigned long do_brk(unsigned long addr,
53065 vma->vm_page_prot = vm_get_page_prot(flags);
53066 vma_link(mm, vma, prev, rb_link, rb_parent);
53068 - mm->total_vm += len >> PAGE_SHIFT;
53069 + mm->total_vm += charged;
53070 if (flags & VM_LOCKED) {
53071 if (!mlock_vma_pages_range(vma, addr, addr + len))
53072 - mm->locked_vm += (len >> PAGE_SHIFT);
53073 + mm->locked_vm += charged;
53075 + track_exec_limit(mm, addr, addr + len, flags);
53079 @@ -2270,8 +2689,10 @@ void exit_mmap(struct mm_struct *mm)
53080 * Walk the list again, actually closing and freeing it,
53081 * with preemption enabled, without holding any MM locks.
53085 + vma->vm_mirror = NULL;
53086 vma = remove_vma(vma);
53089 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
53091 @@ -2285,6 +2706,10 @@ int insert_vm_struct(struct mm_struct *
53092 struct vm_area_struct * __vma, * prev;
53093 struct rb_node ** rb_link, * rb_parent;
53095 +#ifdef CONFIG_PAX_SEGMEXEC
53096 + struct vm_area_struct *vma_m = NULL;
53100 * The vm_pgoff of a purely anonymous vma should be irrelevant
53101 * until its first write fault, when page's anon_vma and index
53102 @@ -2307,7 +2732,22 @@ int insert_vm_struct(struct mm_struct *
53103 if ((vma->vm_flags & VM_ACCOUNT) &&
53104 security_vm_enough_memory_mm(mm, vma_pages(vma)))
53107 +#ifdef CONFIG_PAX_SEGMEXEC
53108 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
53109 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53115 vma_link(mm, vma, prev, rb_link, rb_parent);
53117 +#ifdef CONFIG_PAX_SEGMEXEC
53119 + BUG_ON(pax_mirror_vma(vma_m, vma));
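Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` in insert_vm_struct turns any failure of pax_mirror_vma into a kernel BUG, and the pax_mirror_vma hunk further down has a failure branch on `anon_vma_clone(vma_m, vma)`, which the rmap.c context describes as returning -ENOMEM. An allocation failure under memory pressure would then crash the kernel instead of making insert_vm_struct return an error. Preparing the mirror's anon_vma chain before `vma_link()` would let the error be propagated. The lines between the `kmem_cache_zalloc` and this call are not all visible here.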
53125 @@ -2325,6 +2765,8 @@ struct vm_area_struct *copy_vma(struct v
53126 struct rb_node **rb_link, *rb_parent;
53127 struct mempolicy *pol;
53129 + BUG_ON(vma->vm_mirror);
53132 * If anonymous vma has not yet been faulted, update new pgoff
53133 * to match new location, to increase its chance of merging.
53134 @@ -2374,6 +2816,39 @@ struct vm_area_struct *copy_vma(struct v
53135 kmem_cache_free(vm_area_cachep, new_vma);
53139 +#ifdef CONFIG_PAX_SEGMEXEC
53140 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
53142 + struct vm_area_struct *prev_m;
53143 + struct rb_node **rb_link_m, *rb_parent_m;
53144 + struct mempolicy *pol_m;
53146 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
53147 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
53148 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
53150 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
53151 + if (anon_vma_clone(vma_m, vma))
53153 + pol_m = vma_policy(vma_m);
53155 + vma_set_policy(vma_m, pol_m);
53156 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
53157 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
53158 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
53159 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
53160 + if (vma_m->vm_file)
53161 + get_file(vma_m->vm_file);
53162 + if (vma_m->vm_ops && vma_m->vm_ops->open)
53163 + vma_m->vm_ops->open(vma_m);
53164 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
53165 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
53166 + vma_m->vm_mirror = vma;
53167 + vma->vm_mirror = vma_m;
53173 * Return true if the calling process may expand its vm space by the passed
53174 @@ -2385,7 +2860,7 @@ int may_expand_vm(struct mm_struct *mm,
53177 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
53179 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
53180 if (cur + npages > lim)
53183 @@ -2455,6 +2930,17 @@ int install_special_mapping(struct mm_st
53184 vma->vm_start = addr;
53185 vma->vm_end = addr + len;
53187 +#ifdef CONFIG_PAX_MPROTECT
53188 + if (mm->pax_flags & MF_PAX_MPROTECT) {
53189 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
53191 + if (!(vm_flags & VM_EXEC))
53192 + vm_flags &= ~VM_MAYEXEC;
53194 + vm_flags &= ~VM_MAYWRITE;
53198 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
53199 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
53201 diff -urNp linux-2.6.35.7/mm/mprotect.c linux-2.6.35.7/mm/mprotect.c
53202 --- linux-2.6.35.7/mm/mprotect.c 2010-08-26 19:47:12.000000000 -0400
53203 +++ linux-2.6.35.7/mm/mprotect.c 2010-10-18 21:01:30.000000000 -0400
53204 @@ -23,10 +23,16 @@
53205 #include <linux/mmu_notifier.h>
53206 #include <linux/migrate.h>
53207 #include <linux/perf_event.h>
53209 +#ifdef CONFIG_PAX_MPROTECT
53210 +#include <linux/elf.h>
53213 #include <asm/uaccess.h>
53214 #include <asm/pgtable.h>
53215 #include <asm/cacheflush.h>
53216 #include <asm/tlbflush.h>
53217 +#include <asm/mmu_context.h>
53219 #ifndef pgprot_modify
53220 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
53221 @@ -131,6 +137,48 @@ static void change_protection(struct vm_
53222 flush_tlb_range(vma, start, end);
53225 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
53226 +/* called while holding the mmap semaphor for writing except stack expansion */
53227 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
53229 + unsigned long oldlimit, newlimit = 0UL;
53231 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
53234 + spin_lock(&mm->page_table_lock);
53235 + oldlimit = mm->context.user_cs_limit;
53236 + if ((prot & VM_EXEC) && oldlimit < end)
53237 + /* USER_CS limit moved up */
53239 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
53240 + /* USER_CS limit moved down */
53241 + newlimit = start;
53244 + mm->context.user_cs_limit = newlimit;
53248 + cpus_clear(mm->context.cpu_user_cs_mask);
53249 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
53252 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
53254 + spin_unlock(&mm->page_table_lock);
53255 + if (newlimit == end) {
53256 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
53258 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
53259 + if (is_vm_hugetlb_page(vma))
53260 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
53262 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
53268 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
53269 unsigned long start, unsigned long end, unsigned long newflags)
53270 @@ -143,11 +191,29 @@ mprotect_fixup(struct vm_area_struct *vm
53272 int dirty_accountable = 0;
53274 +#ifdef CONFIG_PAX_SEGMEXEC
53275 + struct vm_area_struct *vma_m = NULL;
53276 + unsigned long start_m, end_m;
53278 + start_m = start + SEGMEXEC_TASK_SIZE;
53279 + end_m = end + SEGMEXEC_TASK_SIZE;
53282 if (newflags == oldflags) {
53287 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
53288 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
53290 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
53293 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
53298 * If we make a private mapping writable we increase our commit;
53299 * but (without finer accounting) cannot reduce our commit if we
53300 @@ -164,6 +230,42 @@ mprotect_fixup(struct vm_area_struct *vm
53304 +#ifdef CONFIG_PAX_SEGMEXEC
53305 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
53306 + if (start != vma->vm_start) {
53307 + error = split_vma(mm, vma, start, 1);
53310 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
53311 + *pprev = (*pprev)->vm_next;
53314 + if (end != vma->vm_end) {
53315 + error = split_vma(mm, vma, end, 0);
53320 + if (pax_find_mirror_vma(vma)) {
53321 + error = __do_munmap(mm, start_m, end_m - start_m);
53325 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53330 + vma->vm_flags = newflags;
53331 + error = pax_mirror_vma(vma_m, vma);
53333 + vma->vm_flags = oldflags;
53341 * First try to merge with previous and/or next vma.
53343 @@ -194,9 +296,21 @@ success:
53344 * vm_flags and vm_page_prot are protected by the mmap_sem
53345 * held in write mode.
53348 +#ifdef CONFIG_PAX_SEGMEXEC
53349 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
53350 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
53353 vma->vm_flags = newflags;
53355 +#ifdef CONFIG_PAX_MPROTECT
53356 + if (mm->binfmt && mm->binfmt->handle_mprotect)
53357 + mm->binfmt->handle_mprotect(vma, newflags);
53360 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
53361 - vm_get_page_prot(newflags));
53362 + vm_get_page_prot(vma->vm_flags));
53364 if (vma_wants_writenotify(vma)) {
53365 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
53366 @@ -237,6 +351,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
53371 +#ifdef CONFIG_PAX_SEGMEXEC
53372 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
53373 + if (end > SEGMEXEC_TASK_SIZE)
53378 + if (end > TASK_SIZE)
53381 if (!arch_validate_prot(prot))
53384 @@ -244,7 +369,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
53386 * Does the application expect PROT_READ to imply PROT_EXEC:
53388 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
53389 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
53392 vm_flags = calc_vm_prot_bits(prot);
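Review bot: The comment kept above the changed condition still says PROT_READ implies PROT_EXEC, but the new test `prot & (PROT_READ | PROT_WRITE)` also matches a write-only request under READ_IMPLIES_EXEC, which presumably then gains PROT_EXEC as well. Update the comment to match, e.g. `Does the application expect PROT_READ or PROT_WRITE to imply PROT_EXEC:`, and add the reason for including PROT_WRITE, which the hunk does not give. The statement guarded by the condition is not among the visible lines.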
53393 @@ -276,6 +401,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
53394 if (start > vma->vm_start)
53397 +#ifdef CONFIG_PAX_MPROTECT
53398 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
53399 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
53402 for (nstart = start ; ; ) {
53403 unsigned long newflags;
53405 @@ -285,6 +415,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
53407 /* newflags >> 4 shift VM_MAY% in place of VM_% */
53408 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
53409 + if (prot & (PROT_WRITE | PROT_EXEC))
53410 + gr_log_rwxmprotect(vma->vm_file);
53416 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
53420 @@ -300,6 +438,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
53423 perf_event_mmap(vma);
53425 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
53429 if (nstart < prev->vm_end)
53430 diff -urNp linux-2.6.35.7/mm/mremap.c linux-2.6.35.7/mm/mremap.c
53431 --- linux-2.6.35.7/mm/mremap.c 2010-08-26 19:47:12.000000000 -0400
53432 +++ linux-2.6.35.7/mm/mremap.c 2010-09-26 22:02:10.000000000 -0400
53433 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
53435 pte = ptep_clear_flush(vma, old_addr, old_pte);
53436 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
53438 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
53439 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
53440 + pte = pte_exprotect(pte);
53443 set_pte_at(mm, new_addr, new_pte, pte);
53446 @@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
53447 if (is_vm_hugetlb_page(vma))
53450 +#ifdef CONFIG_PAX_SEGMEXEC
53451 + if (pax_find_mirror_vma(vma))
53455 /* We can't remap across vm area boundaries */
53456 if (old_len > vma->vm_end - addr)
53458 @@ -321,20 +332,25 @@ static unsigned long mremap_to(unsigned
53459 unsigned long ret = -EINVAL;
53460 unsigned long charged = 0;
53461 unsigned long map_flags;
53462 + unsigned long pax_task_size = TASK_SIZE;
53464 if (new_addr & ~PAGE_MASK)
53467 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
53468 +#ifdef CONFIG_PAX_SEGMEXEC
53469 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
53470 + pax_task_size = SEGMEXEC_TASK_SIZE;
53473 + pax_task_size -= PAGE_SIZE;
53475 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
53478 /* Check if the location we're moving into overlaps the
53479 * old location at all, and fail if it does.
53481 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
53484 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
53485 + if (addr + old_len > new_addr && new_addr + new_len > addr)
53488 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
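Review bot: The length test in mremap_to still compares `new_len` with `TASK_SIZE` while the address test uses `pax_task_size`, so a `new_len` between the two makes `pax_task_size - new_len` wrap and the second comparison pass. The do_mremap hunk below rejects `new_len > pax_task_size` before calling in, so this looks unreachable from that caller, but the local check should not depend on it: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. mremap_to's body starts and ends outside the hunk.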
53489 @@ -406,6 +422,7 @@ unsigned long do_mremap(unsigned long ad
53490 struct vm_area_struct *vma;
53491 unsigned long ret = -EINVAL;
53492 unsigned long charged = 0;
53493 + unsigned long pax_task_size = TASK_SIZE;
53495 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
53497 @@ -424,6 +441,17 @@ unsigned long do_mremap(unsigned long ad
53501 +#ifdef CONFIG_PAX_SEGMEXEC
53502 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
53503 + pax_task_size = SEGMEXEC_TASK_SIZE;
53506 + pax_task_size -= PAGE_SIZE;
53508 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
53509 + old_len > pax_task_size || addr > pax_task_size-old_len)
53512 if (flags & MREMAP_FIXED) {
53513 if (flags & MREMAP_MAYMOVE)
53514 ret = mremap_to(addr, old_len, new_addr, new_len);
53515 @@ -473,6 +501,7 @@ unsigned long do_mremap(unsigned long ad
53519 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
53523 @@ -499,7 +528,13 @@ unsigned long do_mremap(unsigned long ad
53524 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
53528 + map_flags = vma->vm_flags;
53529 ret = move_vma(vma, addr, old_len, new_len, new_addr);
53530 + if (!(ret & ~PAGE_MASK)) {
53531 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
53532 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
53536 if (ret & ~PAGE_MASK)
53537 diff -urNp linux-2.6.35.7/mm/nommu.c linux-2.6.35.7/mm/nommu.c
53538 --- linux-2.6.35.7/mm/nommu.c 2010-08-26 19:47:12.000000000 -0400
53539 +++ linux-2.6.35.7/mm/nommu.c 2010-09-17 20:12:09.000000000 -0400
53540 @@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
53541 int sysctl_overcommit_ratio = 50; /* default is 50% */
53542 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
53543 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
53544 -int heap_stack_gap = 0;
53546 atomic_long_t mmap_pages_allocated;
53548 @@ -762,15 +761,6 @@ struct vm_area_struct *find_vma(struct m
53549 EXPORT_SYMBOL(find_vma);
53553 - * - we don't extend stack VMAs under NOMMU conditions
53555 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
53557 - return find_vma(mm, addr);
53561 * expand a stack to a given address
53562 * - not supported under NOMMU conditions
53564 @@ -1491,6 +1481,7 @@ int split_vma(struct mm_struct *mm, stru
53566 /* most fields are the same, copy all, and then fixup */
53568 + INIT_LIST_HEAD(&new->anon_vma_chain);
53569 *region = *vma->vm_region;
53570 new->vm_region = region;
53572 diff -urNp linux-2.6.35.7/mm/page_alloc.c linux-2.6.35.7/mm/page_alloc.c
53573 --- linux-2.6.35.7/mm/page_alloc.c 2010-09-26 17:32:11.000000000 -0400
53574 +++ linux-2.6.35.7/mm/page_alloc.c 2010-09-26 17:32:50.000000000 -0400
53575 @@ -642,6 +642,10 @@ static bool free_pages_prepare(struct pa
53579 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
53580 + unsigned long index = 1UL << order;
53583 trace_mm_page_free_direct(page, order);
53584 kmemcheck_free_shadow(page, order);
53586 @@ -660,6 +664,12 @@ static bool free_pages_prepare(struct pa
53587 debug_check_no_obj_freed(page_address(page),
53588 PAGE_SIZE << order);
53591 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
53592 + for (; index; --index)
53593 + sanitize_highpage(page + index - 1);
53596 arch_free_page(page, order);
53597 kernel_map_pages(page, 1 << order, 0);
53599 @@ -774,8 +784,10 @@ static int prep_new_page(struct page *pa
53600 arch_alloc_page(page, order);
53601 kernel_map_pages(page, 1 << order, 1);
53603 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
53604 if (gfp_flags & __GFP_ZERO)
53605 prep_zero_page(page, order, gfp_flags);
53608 if (order && (gfp_flags & __GFP_COMP))
53609 prep_compound_page(page, order);
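Review bot: With CONFIG_PAX_MEMORY_SANITIZE set, prep_new_page no longer zeroes `__GFP_ZERO` allocations, and nothing at this site says why that is safe. It appears to rely on the `sanitize_highpage()` loop added to free_pages_prepare in the earlier hunk, which only holds if every page reaches the free lists through that function. A comment here would record the invariant, e.g. `/* pages are already cleared in free_pages_prepare() when PAX_MEMORY_SANITIZE is on */`. Pages that enter the allocator by another route (not visible here) would need checking against it.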
53610 @@ -3986,7 +3998,7 @@ static void __init setup_usemap(struct p
53611 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
53614 -static void inline setup_usemap(struct pglist_data *pgdat,
53615 +static inline void setup_usemap(struct pglist_data *pgdat,
53616 struct zone *zone, unsigned long zonesize) {}
53617 #endif /* CONFIG_SPARSEMEM */
53619 diff -urNp linux-2.6.35.7/mm/percpu.c linux-2.6.35.7/mm/percpu.c
53620 --- linux-2.6.35.7/mm/percpu.c 2010-09-26 17:32:11.000000000 -0400
53621 +++ linux-2.6.35.7/mm/percpu.c 2010-09-26 17:32:50.000000000 -0400
53622 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
53623 static unsigned int pcpu_last_unit_cpu __read_mostly;
53625 /* the address of the first chunk which starts with the kernel static area */
53626 -void *pcpu_base_addr __read_mostly;
53627 +void *pcpu_base_addr __read_only;
53628 EXPORT_SYMBOL_GPL(pcpu_base_addr);
53630 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
53631 diff -urNp linux-2.6.35.7/mm/rmap.c linux-2.6.35.7/mm/rmap.c
53632 --- linux-2.6.35.7/mm/rmap.c 2010-08-26 19:47:12.000000000 -0400
53633 +++ linux-2.6.35.7/mm/rmap.c 2010-09-17 20:12:09.000000000 -0400
53634 @@ -116,6 +116,10 @@ int anon_vma_prepare(struct vm_area_stru
53635 struct anon_vma *anon_vma = vma->anon_vma;
53636 struct anon_vma_chain *avc;
53638 +#ifdef CONFIG_PAX_SEGMEXEC
53639 + struct anon_vma_chain *avc_m = NULL;
53643 if (unlikely(!anon_vma)) {
53644 struct mm_struct *mm = vma->vm_mm;
53645 @@ -125,6 +129,12 @@ int anon_vma_prepare(struct vm_area_stru
53649 +#ifdef CONFIG_PAX_SEGMEXEC
53650 + avc_m = anon_vma_chain_alloc();
53652 + goto out_enomem_free_avc;
53655 anon_vma = find_mergeable_anon_vma(vma);
53658 @@ -138,6 +148,21 @@ int anon_vma_prepare(struct vm_area_stru
53659 /* page_table_lock to protect against threads */
53660 spin_lock(&mm->page_table_lock);
53661 if (likely(!vma->anon_vma)) {
53663 +#ifdef CONFIG_PAX_SEGMEXEC
53664 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
53667 + BUG_ON(vma_m->anon_vma);
53668 + vma_m->anon_vma = anon_vma;
53669 + avc_m->anon_vma = anon_vma;
53670 + avc_m->vma = vma;
53671 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
53672 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
53677 vma->anon_vma = anon_vma;
53678 avc->anon_vma = anon_vma;
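Review bot: `avc_m` is linked onto `vma_m->anon_vma_chain`, yet its back-pointer is set with `avc_m->vma = vma;`, which points at the primary VMA rather than the mirror. Code that walks `anon_vma->head` and follows `avc->vma` would then reach the primary twice and never the mirror. If that is deliberate it needs a comment saying why; otherwise `avc_m->vma = vma_m;` looks like what was meant. The surrounding anon_vma_prepare body is only partly inside this hunk.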
53680 @@ -151,12 +176,24 @@ int anon_vma_prepare(struct vm_area_stru
53682 if (unlikely(allocated))
53683 anon_vma_free(allocated);
53685 +#ifdef CONFIG_PAX_SEGMEXEC
53686 + if (unlikely(avc_m))
53687 + anon_vma_chain_free(avc_m);
53691 anon_vma_chain_free(avc);
53695 out_enomem_free_avc:
53697 +#ifdef CONFIG_PAX_SEGMEXEC
53699 + anon_vma_chain_free(avc_m);
53702 anon_vma_chain_free(avc);
53705 @@ -179,7 +216,7 @@ static void anon_vma_chain_link(struct v
53706 * Attach the anon_vmas from src to dst.
53707 * Returns 0 on success, -ENOMEM on failure.
53709 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
53710 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
53712 struct anon_vma_chain *avc, *pavc;
53714 @@ -201,7 +238,7 @@ int anon_vma_clone(struct vm_area_struct
53715 * the corresponding VMA in the parent process is attached to.
53716 * Returns 0 on success, non-zero on failure.
53718 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
53719 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
53721 struct anon_vma_chain *avc;
53722 struct anon_vma *anon_vma;
53723 diff -urNp linux-2.6.35.7/mm/shmem.c linux-2.6.35.7/mm/shmem.c
53724 --- linux-2.6.35.7/mm/shmem.c 2010-08-26 19:47:12.000000000 -0400
53725 +++ linux-2.6.35.7/mm/shmem.c 2010-09-17 20:12:37.000000000 -0400
53727 #include <linux/module.h>
53728 #include <linux/swap.h>
53730 -static struct vfsmount *shm_mnt;
53731 +struct vfsmount *shm_mnt;
53733 #ifdef CONFIG_SHMEM
53735 diff -urNp linux-2.6.35.7/mm/slab.c linux-2.6.35.7/mm/slab.c
53736 --- linux-2.6.35.7/mm/slab.c 2010-08-26 19:47:12.000000000 -0400
53737 +++ linux-2.6.35.7/mm/slab.c 2010-09-17 20:12:37.000000000 -0400
53738 @@ -285,7 +285,7 @@ struct kmem_list3 {
53739 * Need this for bootstrapping a per node allocator.
53741 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
53742 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
53743 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
53744 #define CACHE_CACHE 0
53745 #define SIZE_AC MAX_NUMNODES
53746 #define SIZE_L3 (2 * MAX_NUMNODES)
53747 @@ -535,7 +535,7 @@ static inline void *index_to_obj(struct
53748 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
53750 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
53751 - const struct slab *slab, void *obj)
53752 + const struct slab *slab, const void *obj)
53754 u32 offset = (obj - slab->s_mem);
53755 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
53756 @@ -561,14 +561,14 @@ struct cache_names {
53757 static struct cache_names __initdata cache_names[] = {
53758 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
53759 #include <linux/kmalloc_sizes.h>
53765 static struct arraycache_init initarray_cache __initdata =
53766 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
53767 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
53768 static struct arraycache_init initarray_generic =
53769 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
53770 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
53772 /* internal cache of cache description objs */
53773 static struct kmem_cache cache_cache = {
53774 @@ -4558,15 +4558,66 @@ static const struct file_operations proc
53776 static int __init slab_proc_init(void)
53778 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
53779 + mode_t gr_mode = S_IRUGO;
53781 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53782 + gr_mode = S_IRUSR;
53785 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
53786 #ifdef CONFIG_DEBUG_SLAB_LEAK
53787 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
53788 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
53792 module_init(slab_proc_init);
53795 +void check_object_size(const void *ptr, unsigned long n, bool to)
53798 +#ifdef CONFIG_PAX_USERCOPY
53799 + struct kmem_cache *cachep;
53800 + struct slab *slabp;
53801 + struct page *page;
53802 + unsigned int objnr;
53803 + unsigned long offset;
53808 + if (ZERO_OR_NULL_PTR(ptr))
53811 + if (!virt_addr_valid(ptr))
53814 + page = virt_to_head_page(ptr);
53816 + if (!PageSlab(page)) {
53817 + if (object_is_on_stack(ptr, n) == -1)
53822 + cachep = page_get_cache(page);
53823 + slabp = page_get_slab(page);
53824 + objnr = obj_to_index(cachep, slabp, ptr);
53825 + BUG_ON(objnr >= cachep->num);
53826 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
53827 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
53832 + pax_report_leak_to_user(ptr, n);
53834 + pax_report_overflow_from_user(ptr, n);
53838 +EXPORT_SYMBOL(check_object_size);
53841 * ksize - get the actual amount of memory allocated for a given object
53842 * @objp: Pointer to the object
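Review bot: The new `check_object_size()` in this hunk has no header comment stating its contract, in particular what `to` selects and why the bound is written as `n <= obj_size(cachep) - offset` instead of `offset + n <= obj_size(cachep)`. I would add `/* Verify that the n bytes at ptr lie inside a single slab object before a user copy; the subtraction form cannot overflow. */` above the definition. The same function is added to mm/slob.c and mm/slub.c in this patch and needs the same comment. Parts of the body are missing from this listing, so the meaning of `to` (it appears to choose between `pax_report_leak_to_user` and `pax_report_overflow_from_user`) should be confirmed against the full patch.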
53843 diff -urNp linux-2.6.35.7/mm/slob.c linux-2.6.35.7/mm/slob.c
53844 --- linux-2.6.35.7/mm/slob.c 2010-08-26 19:47:12.000000000 -0400
53845 +++ linux-2.6.35.7/mm/slob.c 2010-09-17 20:12:09.000000000 -0400
53847 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
53848 * alloc_pages() directly, allocating compound pages so the page order
53849 * does not have to be separately tracked, and also stores the exact
53850 - * allocation size in page->private so that it can be used to accurately
53851 + * allocation size in slob_page->size so that it can be used to accurately
53852 * provide ksize(). These objects are detected in kfree() because slob_page()
53853 * is false for them.
53858 #include <linux/kernel.h>
53859 +#include <linux/sched.h>
53860 #include <linux/slab.h>
53861 #include <linux/mm.h>
53862 #include <linux/swap.h> /* struct reclaim_state */
53863 @@ -100,7 +101,8 @@ struct slob_page {
53864 unsigned long flags; /* mandatory */
53865 atomic_t _count; /* mandatory */
53866 slobidx_t units; /* free units left in page */
53867 - unsigned long pad[2];
53868 + unsigned long pad[1];
53869 + unsigned long size; /* size when >=PAGE_SIZE */
53870 slob_t *free; /* first free slob_t in page */
53871 struct list_head list; /* linked list of free pages */
53873 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
53875 static inline int is_slob_page(struct slob_page *sp)
53877 - return PageSlab((struct page *)sp);
53878 + return PageSlab((struct page *)sp) && !sp->size;
53881 static inline void set_slob_page(struct slob_page *sp)
53882 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
53884 static inline struct slob_page *slob_page(const void *addr)
53886 - return (struct slob_page *)virt_to_page(addr);
53887 + return (struct slob_page *)virt_to_head_page(addr);
53891 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
53893 * Return the size of a slob block.
53895 -static slobidx_t slob_units(slob_t *s)
53896 +static slobidx_t slob_units(const slob_t *s)
53900 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
53902 * Return the next free slob block pointer after this one.
53904 -static slob_t *slob_next(slob_t *s)
53905 +static slob_t *slob_next(const slob_t *s)
53907 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
53909 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
53911 * Returns true if s is the last free block in its page.
53913 -static int slob_last(slob_t *s)
53914 +static int slob_last(const slob_t *s)
53916 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
53918 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
53922 + set_slob_page(page);
53923 return page_address(page);
53926 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
53930 - set_slob_page(sp);
53932 spin_lock_irqsave(&slob_lock, flags);
53933 sp->units = SLOB_UNITS(PAGE_SIZE);
53936 INIT_LIST_HEAD(&sp->list);
53937 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
53938 set_slob_page_free(sp, slob_list);
53939 @@ -467,10 +470,9 @@ out:
53940 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
53943 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53944 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
53947 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53951 lockdep_trace_alloc(gfp);
53952 @@ -483,7 +485,10 @@ void *__kmalloc_node(size_t size, gfp_t
53957 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
53958 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
53959 + m[0].units = size;
53960 + m[1].units = align;
53961 ret = (void *)m + align;
53963 trace_kmalloc_node(_RET_IP_, ret,
53964 @@ -493,9 +498,9 @@ void *__kmalloc_node(size_t size, gfp_t
53966 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
53968 - struct page *page;
53969 - page = virt_to_page(ret);
53970 - page->private = size;
53971 + struct slob_page *sp;
53972 + sp = slob_page(ret);
53976 trace_kmalloc_node(_RET_IP_, ret,
53977 @@ -505,6 +510,13 @@ void *__kmalloc_node(size_t size, gfp_t
53978 kmemleak_alloc(ret, size, 1, gfp);
53982 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53984 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53986 + return __kmalloc_node_align(size, gfp, node, align);
53988 EXPORT_SYMBOL(__kmalloc_node);
53990 void kfree(const void *block)
53991 @@ -520,13 +532,84 @@ void kfree(const void *block)
53992 sp = slob_page(block);
53993 if (is_slob_page(sp)) {
53994 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53995 - unsigned int *m = (unsigned int *)(block - align);
53996 - slob_free(m, *m + align);
53998 + slob_t *m = (slob_t *)(block - align);
53999 + slob_free(m, m[0].units + align);
54001 + clear_slob_page(sp);
54002 + free_slob_page(sp);
54004 put_page(&sp->page);
54007 EXPORT_SYMBOL(kfree);
54009 +void check_object_size(const void *ptr, unsigned long n, bool to)
54012 +#ifdef CONFIG_PAX_USERCOPY
54013 + struct slob_page *sp;
54014 + const slob_t *free;
54015 + const void *base;
54020 + if (ZERO_OR_NULL_PTR(ptr))
54023 + if (!virt_addr_valid(ptr))
54026 + sp = slob_page(ptr);
54027 + if (!PageSlab((struct page*)sp)) {
54028 + if (object_is_on_stack(ptr, n) == -1)
54034 + base = page_address(&sp->page);
54035 + if (base <= ptr && n <= sp->size - (ptr - base))
54040 + /* some tricky double walking to find the chunk */
54041 + base = (void *)((unsigned long)ptr & PAGE_MASK);
54044 + while (!slob_last(free) && (void *)free <= ptr) {
54045 + base = free + slob_units(free);
54046 + free = slob_next(free);
54049 + while (base < (void *)free) {
54050 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
54051 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
54054 + if (ptr < base + align)
54057 + offset = ptr - base - align;
54058 + if (offset < m) {
54059 + if (n <= m - offset)
54068 + pax_report_leak_to_user(ptr, n);
54070 + pax_report_overflow_from_user(ptr, n);
54074 +EXPORT_SYMBOL(check_object_size);
54076 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
54077 size_t ksize(const void *block)
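Review bot: In the large-allocation branch of the new `check_object_size()`, `n <= sp->size - (ptr - base)` is evaluated without first bounding `ptr - base`. `sp->size` is `unsigned long` (added to `struct slob_page` earlier in this file's diff), so when `ptr` lies past `base + sp->size` the subtraction wraps and the test accepts the copy; that position looks reachable in the tail of a compound page, since `slob_page()` now resolves through `virt_to_head_page()`. The slab.c and slub.c versions test `offset <= size` first, and the equivalent here is `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. Several lines of the function are missing from this listing, so confirm that no earlier test already bounds the offset.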
54079 @@ -539,10 +622,10 @@ size_t ksize(const void *block)
54080 sp = slob_page(block);
54081 if (is_slob_page(sp)) {
54082 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
54083 - unsigned int *m = (unsigned int *)(block - align);
54084 - return SLOB_UNITS(*m) * SLOB_UNIT;
54085 + slob_t *m = (slob_t *)(block - align);
54086 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
54088 - return sp->page.private;
54091 EXPORT_SYMBOL(ksize);
54093 @@ -597,17 +680,25 @@ void *kmem_cache_alloc_node(struct kmem_
54097 +#ifdef CONFIG_PAX_USERCOPY
54098 + b = __kmalloc_node_align(c->size, flags, node, c->align);
54100 if (c->size < PAGE_SIZE) {
54101 b = slob_alloc(c->size, flags, c->align, node);
54102 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
54103 SLOB_UNITS(c->size) * SLOB_UNIT,
54106 + struct slob_page *sp;
54108 b = slob_new_pages(flags, get_order(c->size), node);
54109 + sp = slob_page(b);
54110 + sp->size = c->size;
54111 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
54112 PAGE_SIZE << get_order(c->size),
54119 @@ -619,10 +710,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
54121 static void __kmem_cache_free(void *b, int size)
54123 - if (size < PAGE_SIZE)
54124 + struct slob_page *sp = slob_page(b);
54126 + if (is_slob_page(sp))
54127 slob_free(b, size);
54130 + clear_slob_page(sp);
54131 + free_slob_page(sp);
54133 slob_free_pages(b, get_order(size));
54137 static void kmem_rcu_free(struct rcu_head *head)
54138 @@ -635,15 +732,24 @@ static void kmem_rcu_free(struct rcu_hea
54140 void kmem_cache_free(struct kmem_cache *c, void *b)
54142 + int size = c->size;
54144 +#ifdef CONFIG_PAX_USERCOPY
54145 + if (size + c->align < PAGE_SIZE) {
54146 + size += c->align;
54151 kmemleak_free_recursive(b, c->flags);
54152 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
54153 struct slob_rcu *slob_rcu;
54154 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
54155 + slob_rcu = b + (size - sizeof(struct slob_rcu));
54156 INIT_RCU_HEAD(&slob_rcu->head);
54157 - slob_rcu->size = c->size;
54158 + slob_rcu->size = size;
54159 call_rcu(&slob_rcu->head, kmem_rcu_free);
54161 - __kmem_cache_free(b, c->size);
54162 + __kmem_cache_free(b, size);
54165 trace_kmem_cache_free(_RET_IP_, b);
54166 diff -urNp linux-2.6.35.7/mm/slub.c linux-2.6.35.7/mm/slub.c
54167 --- linux-2.6.35.7/mm/slub.c 2010-08-26 19:47:12.000000000 -0400
54168 +++ linux-2.6.35.7/mm/slub.c 2010-09-17 20:12:37.000000000 -0400
54169 @@ -1873,6 +1873,8 @@ void kmem_cache_free(struct kmem_cache *
54171 page = virt_to_head_page(x);
54173 + BUG_ON(!PageSlab(page));
54175 slab_free(s, page, x, _RET_IP_);
54177 trace_kmem_cache_free(_RET_IP_, x);
54178 @@ -1917,7 +1919,7 @@ static int slub_min_objects;
54179 * Merge control. If this is set then no merging of slab caches will occur.
54180 * (Could be removed. This was introduced to pacify the merge skeptics.)
54182 -static int slub_nomerge;
54183 +static int slub_nomerge = 1;
54186 * Calculate the order of allocation given an slab object size.
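Review bot: The default of `slub_nomerge` changes to 1 here, but the comment above it still describes merge control as optional and does not say why merging is now off by default. A line such as `/* Off by default: keeps each cache's objects in its own slabs. */` would record the intent. Whether a boot option remains to turn merging back on is not visible in this hunk and is worth stating in the same comment.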
54187 @@ -2344,7 +2346,7 @@ static int kmem_cache_open(struct kmem_c
54188 * list to avoid pounding the page allocator excessively.
54190 set_min_partial(s, ilog2(s->size));
54192 + atomic_set(&s->refcount, 1);
54194 s->remote_node_defrag_ratio = 1000;
54196 @@ -2487,8 +2489,7 @@ static inline int kmem_cache_close(struc
54197 void kmem_cache_destroy(struct kmem_cache *s)
54199 down_write(&slub_lock);
54201 - if (!s->refcount) {
54202 + if (atomic_dec_and_test(&s->refcount)) {
54203 list_del(&s->list);
54204 up_write(&slub_lock);
54205 if (kmem_cache_close(s)) {
54206 @@ -2780,6 +2781,46 @@ void *__kmalloc_node(size_t size, gfp_t
54207 EXPORT_SYMBOL(__kmalloc_node);
54210 +void check_object_size(const void *ptr, unsigned long n, bool to)
54213 +#ifdef CONFIG_PAX_USERCOPY
54214 + struct page *page;
54215 + struct kmem_cache *s;
54216 + unsigned long offset;
54221 + if (ZERO_OR_NULL_PTR(ptr))
54224 + if (!virt_addr_valid(ptr))
54227 + page = get_object_page(ptr);
54230 + if (object_is_on_stack(ptr, n) == -1)
54236 + offset = (ptr - page_address(page)) % s->size;
54237 + if (offset <= s->objsize && n <= s->objsize - offset)
54242 + pax_report_leak_to_user(ptr, n);
54244 + pax_report_overflow_from_user(ptr, n);
54248 +EXPORT_SYMBOL(check_object_size);
54250 size_t ksize(const void *object)
54253 @@ -3049,7 +3090,7 @@ void __init kmem_cache_init(void)
54255 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
54256 sizeof(struct kmem_cache_node), GFP_NOWAIT);
54257 - kmalloc_caches[0].refcount = -1;
54258 + atomic_set(&kmalloc_caches[0].refcount, -1);
54261 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
54262 @@ -3158,7 +3199,7 @@ static int slab_unmergeable(struct kmem_
54264 * We may have set a slab to be unmergeable during bootstrap.
54266 - if (s->refcount < 0)
54267 + if (atomic_read(&s->refcount) < 0)
54271 @@ -3216,7 +3257,7 @@ struct kmem_cache *kmem_cache_create(con
54272 down_write(&slub_lock);
54273 s = find_mergeable(size, align, flags, name, ctor);
54276 + atomic_inc(&s->refcount);
54278 * Adjust the object sizes so that we clear
54279 * the complete object on kzalloc.
54280 @@ -3227,7 +3268,7 @@ struct kmem_cache *kmem_cache_create(con
54282 if (sysfs_slab_alias(s, name)) {
54283 down_write(&slub_lock);
54285 + atomic_dec(&s->refcount);
54286 up_write(&slub_lock);
54289 @@ -3953,7 +3994,7 @@ SLAB_ATTR_RO(ctor);
54291 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
54293 - return sprintf(buf, "%d\n", s->refcount - 1);
54294 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
54296 SLAB_ATTR_RO(aliases);
54298 @@ -4674,7 +4715,13 @@ static const struct file_operations proc
54300 static int __init slab_proc_init(void)
54302 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
54303 + mode_t gr_mode = S_IRUGO;
54305 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
54306 + gr_mode = S_IRUSR;
54309 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
54312 module_init(slab_proc_init);
54313 diff -urNp linux-2.6.35.7/mm/util.c linux-2.6.35.7/mm/util.c
54314 --- linux-2.6.35.7/mm/util.c 2010-08-26 19:47:12.000000000 -0400
54315 +++ linux-2.6.35.7/mm/util.c 2010-09-17 20:12:09.000000000 -0400
54316 @@ -245,6 +245,12 @@ EXPORT_SYMBOL(strndup_user);
54317 void arch_pick_mmap_layout(struct mm_struct *mm)
54319 mm->mmap_base = TASK_UNMAPPED_BASE;
54321 +#ifdef CONFIG_PAX_RANDMMAP
54322 + if (mm->pax_flags & MF_PAX_RANDMMAP)
54323 + mm->mmap_base += mm->delta_mmap;
54326 mm->get_unmapped_area = arch_get_unmapped_area;
54327 mm->unmap_area = arch_unmap_area;
54329 diff -urNp linux-2.6.35.7/mm/vmalloc.c linux-2.6.35.7/mm/vmalloc.c
54330 --- linux-2.6.35.7/mm/vmalloc.c 2010-08-26 19:47:12.000000000 -0400
54331 +++ linux-2.6.35.7/mm/vmalloc.c 2010-09-17 20:12:09.000000000 -0400
54332 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
54334 pte = pte_offset_kernel(pmd, addr);
54336 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
54337 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
54339 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
54340 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
54341 + BUG_ON(!pte_exec(*pte));
54342 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
54348 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
54349 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
54351 } while (pte++, addr += PAGE_SIZE, addr != end);
54354 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
54355 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
54358 + int ret = -ENOMEM;
54361 * nr is a running index into the array which helps higher level
54362 @@ -101,17 +113,30 @@ static int vmap_pte_range(pmd_t *pmd, un
54363 pte = pte_alloc_kernel(pmd, addr);
54367 + pax_open_kernel();
54369 struct page *page = pages[*nr];
54371 - if (WARN_ON(!pte_none(*pte)))
54373 - if (WARN_ON(!page))
54375 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
54376 + if (pgprot_val(prot) & _PAGE_NX)
54379 + if (WARN_ON(!pte_none(*pte))) {
54383 + if (WARN_ON(!page)) {
54387 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
54389 } while (pte++, addr += PAGE_SIZE, addr != end);
54393 + pax_close_kernel();
54397 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
54398 @@ -192,11 +217,20 @@ int is_vmalloc_or_module_addr(const void
54399 * and fall back on vmalloc() if that fails. Others
54400 * just put it in the vmalloc space.
54402 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
54403 +#ifdef CONFIG_MODULES
54404 +#ifdef MODULES_VADDR
54405 unsigned long addr = (unsigned long)x;
54406 if (addr >= MODULES_VADDR && addr < MODULES_END)
54410 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
54411 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
54417 return is_vmalloc_addr(x);
54420 @@ -217,8 +251,14 @@ struct page *vmalloc_to_page(const void
54422 if (!pgd_none(*pgd)) {
54423 pud_t *pud = pud_offset(pgd, addr);
54425 + if (!pud_large(*pud))
54427 if (!pud_none(*pud)) {
54428 pmd_t *pmd = pmd_offset(pud, addr);
54430 + if (!pmd_large(*pmd))
54432 if (!pmd_none(*pmd)) {
54435 @@ -292,13 +332,13 @@ static void __insert_vmap_area(struct vm
54436 struct rb_node *tmp;
54439 - struct vmap_area *tmp;
54440 + struct vmap_area *varea;
54443 - tmp = rb_entry(parent, struct vmap_area, rb_node);
54444 - if (va->va_start < tmp->va_end)
54445 + varea = rb_entry(parent, struct vmap_area, rb_node);
54446 + if (va->va_start < varea->va_end)
54447 p = &(*p)->rb_left;
54448 - else if (va->va_end > tmp->va_start)
54449 + else if (va->va_end > varea->va_start)
54450 p = &(*p)->rb_right;
54453 @@ -1224,6 +1264,16 @@ static struct vm_struct *__get_vm_area_n
54454 struct vm_struct *area;
54456 BUG_ON(in_interrupt());
54458 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
54459 + if (flags & VM_KERNEXEC) {
54460 + if (start != VMALLOC_START || end != VMALLOC_END)
54462 + start = (unsigned long)MODULES_EXEC_VADDR;
54463 + end = (unsigned long)MODULES_EXEC_END;
54467 if (flags & VM_IOREMAP) {
54468 int bit = fls(size);
54470 @@ -1449,6 +1499,11 @@ void *vmap(struct page **pages, unsigned
54471 if (count > totalram_pages)
54474 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
54475 + if (!(pgprot_val(prot) & _PAGE_NX))
54476 + flags |= VM_KERNEXEC;
54479 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
54480 __builtin_return_address(0));
54482 @@ -1558,6 +1613,13 @@ static void *__vmalloc_node(unsigned lon
54483 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
54486 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
54487 + if (!(pgprot_val(prot) & _PAGE_NX))
54488 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
54489 + node, gfp_mask, caller);
54493 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
54494 VMALLOC_END, node, gfp_mask, caller);
54496 @@ -1576,6 +1638,7 @@ static void *__vmalloc_node(unsigned lon
54501 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
54503 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
54504 @@ -1592,6 +1655,7 @@ EXPORT_SYMBOL(__vmalloc);
54505 * For tight control over page level allocator and protection flags
54506 * use __vmalloc() instead.
54509 void *vmalloc(unsigned long size)
54511 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
54512 @@ -1606,6 +1670,7 @@ EXPORT_SYMBOL(vmalloc);
54513 * The resulting memory area is zeroed so it can be mapped to userspace
54514 * without leaking data.
54516 +#undef vmalloc_user
54517 void *vmalloc_user(unsigned long size)
54519 struct vm_struct *area;
54520 @@ -1633,6 +1698,7 @@ EXPORT_SYMBOL(vmalloc_user);
54521 * For tight control over page level allocator and protection flags
54522 * use __vmalloc() instead.
54524 +#undef vmalloc_node
54525 void *vmalloc_node(unsigned long size, int node)
54527 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
54528 @@ -1655,10 +1721,10 @@ EXPORT_SYMBOL(vmalloc_node);
54529 * For tight control over page level allocator and protection flags
54530 * use __vmalloc() instead.
54533 +#undef vmalloc_exec
54534 void *vmalloc_exec(unsigned long size)
54536 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
54537 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
54538 -1, __builtin_return_address(0));
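Review bot: `vmalloc_exec()` now passes `__GFP_ZERO`, but the kernel-doc above it is unchanged in this hunk and does not tell callers that the pages come back zeroed. Adding `* The memory is zeroed before it is returned.` to that comment documents the new guarantee, in the same way the `vmalloc_user()` comment already states it. The added `#undef vmalloc_exec` also has no explanation; a short comment naming the macro it undoes would help. The start of the comment block lies outside the hunk.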
54541 @@ -1677,6 +1743,7 @@ void *vmalloc_exec(unsigned long size)
54542 * Allocate enough 32bit PA addressable pages to cover @size from the
54543 * page level allocator and map them into contiguous kernel virtual space.
54546 void *vmalloc_32(unsigned long size)
54548 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
54549 @@ -1691,6 +1758,7 @@ EXPORT_SYMBOL(vmalloc_32);
54550 * The resulting memory area is 32bit addressable and zeroed so it can be
54551 * mapped to userspace without leaking data.
54553 +#undef vmalloc_32_user
54554 void *vmalloc_32_user(unsigned long size)
54556 struct vm_struct *area;
54557 diff -urNp linux-2.6.35.7/mm/vmstat.c linux-2.6.35.7/mm/vmstat.c
54558 --- linux-2.6.35.7/mm/vmstat.c 2010-09-26 17:32:11.000000000 -0400
54559 +++ linux-2.6.35.7/mm/vmstat.c 2010-09-26 17:32:51.000000000 -0400
54560 @@ -76,7 +76,7 @@ void vm_events_fold_cpu(int cpu)
54562 * vm_stat contains the global counters
54564 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
54565 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
54566 EXPORT_SYMBOL(vm_stat);
54569 @@ -328,7 +328,7 @@ void refresh_cpu_vm_stats(int cpu)
54570 v = p->vm_stat_diff[i];
54571 p->vm_stat_diff[i] = 0;
54572 local_irq_restore(flags);
54573 - atomic_long_add(v, &zone->vm_stat[i]);
54574 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
54575 global_diff[i] += v;
54577 /* 3 seconds idle till flush */
54578 @@ -366,7 +366,7 @@ void refresh_cpu_vm_stats(int cpu)
54580 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
54581 if (global_diff[i])
54582 - atomic_long_add(global_diff[i], &vm_stat[i]);
54583 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
54587 @@ -1051,10 +1051,16 @@ static int __init setup_vmstat(void)
54588 start_cpu_timer(cpu);
54590 #ifdef CONFIG_PROC_FS
54591 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
54592 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
54593 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
54594 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
54596 + mode_t gr_mode = S_IRUGO;
54597 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
54598 + gr_mode = S_IRUSR;
54600 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
54601 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
54602 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
54603 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
54608 diff -urNp linux-2.6.35.7/net/8021q/vlan.c linux-2.6.35.7/net/8021q/vlan.c
54609 --- linux-2.6.35.7/net/8021q/vlan.c 2010-08-26 19:47:12.000000000 -0400
54610 +++ linux-2.6.35.7/net/8021q/vlan.c 2010-09-17 20:12:09.000000000 -0400
54611 @@ -618,8 +618,7 @@ static int vlan_ioctl_handler(struct net
54613 if (!capable(CAP_NET_ADMIN))
54615 - if ((args.u.name_type >= 0) &&
54616 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
54617 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
54618 struct vlan_net *vn;
54620 vn = net_generic(net, vlan_net_id);
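Review bot: Dropping the `args.u.name_type >= 0` test is only safe if `name_type` has an unsigned type, and its declaration is not in this hunk. If the field is still a signed `int`, a negative value from the ioctl argument now satisfies `args.u.name_type < VLAN_NAME_TYPE_HIGHEST` and is accepted by this branch. Either keep the lower bound or make the intent explicit with `if ((unsigned int)args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {`. The body of `vlan_ioctl_handler` continues outside the hunk.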
54621 diff -urNp linux-2.6.35.7/net/atm/atm_misc.c linux-2.6.35.7/net/atm/atm_misc.c
54622 --- linux-2.6.35.7/net/atm/atm_misc.c 2010-08-26 19:47:12.000000000 -0400
54623 +++ linux-2.6.35.7/net/atm/atm_misc.c 2010-09-17 20:12:09.000000000 -0400
54624 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
54625 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
54627 atm_return(vcc, truesize);
54628 - atomic_inc(&vcc->stats->rx_drop);
54629 + atomic_inc_unchecked(&vcc->stats->rx_drop);
54632 EXPORT_SYMBOL(atm_charge);
54633 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
54636 atm_return(vcc, guess);
54637 - atomic_inc(&vcc->stats->rx_drop);
54638 + atomic_inc_unchecked(&vcc->stats->rx_drop);
54641 EXPORT_SYMBOL(atm_alloc_charge);
54642 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
54644 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
54646 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
54647 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
54649 #undef __HANDLE_ITEM
54651 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
54653 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
54655 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
54656 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
54658 #undef __HANDLE_ITEM
54660 diff -urNp linux-2.6.35.7/net/atm/proc.c linux-2.6.35.7/net/atm/proc.c
54661 --- linux-2.6.35.7/net/atm/proc.c 2010-08-26 19:47:12.000000000 -0400
54662 +++ linux-2.6.35.7/net/atm/proc.c 2010-09-17 20:12:37.000000000 -0400
54663 @@ -44,9 +44,9 @@ static void add_stats(struct seq_file *s
54664 const struct k_atm_aal_stats *stats)
54666 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
54667 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
54668 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
54669 - atomic_read(&stats->rx_drop));
54670 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
54671 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
54672 + atomic_read_unchecked(&stats->rx_drop));
54675 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
54676 @@ -190,7 +190,12 @@ static void vcc_info(struct seq_file *se
54678 struct sock *sk = sk_atm(vcc);
54680 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54681 + seq_printf(seq, "%p ", NULL);
54683 seq_printf(seq, "%p ", vcc);
54687 seq_printf(seq, "Unassigned ");
54689 diff -urNp linux-2.6.35.7/net/atm/resources.c linux-2.6.35.7/net/atm/resources.c
54690 --- linux-2.6.35.7/net/atm/resources.c 2010-08-26 19:47:12.000000000 -0400
54691 +++ linux-2.6.35.7/net/atm/resources.c 2010-09-17 20:12:09.000000000 -0400
54692 @@ -159,7 +159,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
54693 static void copy_aal_stats(struct k_atm_aal_stats *from,
54694 struct atm_aal_stats *to)
54696 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
54697 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
54699 #undef __HANDLE_ITEM
54701 @@ -167,7 +167,7 @@ static void copy_aal_stats(struct k_atm_
54702 static void subtract_aal_stats(struct k_atm_aal_stats *from,
54703 struct atm_aal_stats *to)
54705 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
54706 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
54708 #undef __HANDLE_ITEM
54710 diff -urNp linux-2.6.35.7/net/bridge/br_multicast.c linux-2.6.35.7/net/bridge/br_multicast.c
54711 --- linux-2.6.35.7/net/bridge/br_multicast.c 2010-08-26 19:47:12.000000000 -0400
54712 +++ linux-2.6.35.7/net/bridge/br_multicast.c 2010-10-11 22:41:44.000000000 -0400
54713 @@ -1461,7 +1461,7 @@ static int br_multicast_ipv6_rcv(struct
54714 nexthdr = ip6h->nexthdr;
54715 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
54717 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
54718 + if (nexthdr != IPPROTO_ICMPV6)
54721 /* Okay, we found ICMPv6 header */
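Review bot: With `offset < 0` removed, the result of `ipv6_skip_exthdr()` on the line above is no longer checked for failure before the ICMPv6 header is parsed. If the test was dropped because `offset` is declared unsigned (the declaration is outside this hunk) and the comparison was therefore always false, the error path was already dead. In that case the safer change is to declare `offset` as `int` and keep `if (offset < 0 || nexthdr != IPPROTO_ICMPV6)`. The function body starts and ends outside the hunk.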
54722 diff -urNp linux-2.6.35.7/net/bridge/br_stp_if.c linux-2.6.35.7/net/bridge/br_stp_if.c
54723 --- linux-2.6.35.7/net/bridge/br_stp_if.c 2010-08-26 19:47:12.000000000 -0400
54724 +++ linux-2.6.35.7/net/bridge/br_stp_if.c 2010-09-17 20:12:09.000000000 -0400
54725 @@ -145,7 +145,7 @@ static void br_stp_stop(struct net_bridg
54726 char *envp[] = { NULL };
54728 if (br->stp_enabled == BR_USER_STP) {
54729 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
54730 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
54731 br_info(br, "userspace STP stopped, return code %d\n", r);
54733 /* To start timers on any ports left in blocking */
54734 diff -urNp linux-2.6.35.7/net/bridge/netfilter/ebtables.c linux-2.6.35.7/net/bridge/netfilter/ebtables.c
54735 --- linux-2.6.35.7/net/bridge/netfilter/ebtables.c 2010-08-26 19:47:12.000000000 -0400
54736 +++ linux-2.6.35.7/net/bridge/netfilter/ebtables.c 2010-09-17 20:12:09.000000000 -0400
54737 @@ -1501,7 +1501,7 @@ static int do_ebt_get_ctl(struct sock *s
54738 tmp.valid_hooks = t->table->valid_hooks;
54740 mutex_unlock(&ebt_mutex);
54741 - if (copy_to_user(user, &tmp, *len) != 0){
54742 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
54743 BUGPRINT("c2u Didn't work\n");
54746 diff -urNp linux-2.6.35.7/net/core/dev.c linux-2.6.35.7/net/core/dev.c
54747 --- linux-2.6.35.7/net/core/dev.c 2010-08-26 19:47:12.000000000 -0400
54748 +++ linux-2.6.35.7/net/core/dev.c 2010-09-17 20:12:09.000000000 -0400
54749 @@ -2541,7 +2541,7 @@ int netif_rx_ni(struct sk_buff *skb)
54751 EXPORT_SYMBOL(netif_rx_ni);
54753 -static void net_tx_action(struct softirq_action *h)
54754 +static void net_tx_action(void)
54756 struct softnet_data *sd = &__get_cpu_var(softnet_data);
54758 @@ -3474,7 +3474,7 @@ void netif_napi_del(struct napi_struct *
54760 EXPORT_SYMBOL(netif_napi_del);
54762 -static void net_rx_action(struct softirq_action *h)
54763 +static void net_rx_action(void)
54765 struct softnet_data *sd = &__get_cpu_var(softnet_data);
54766 unsigned long time_limit = jiffies + 2;
54767 diff -urNp linux-2.6.35.7/net/core/ethtool.c linux-2.6.35.7/net/core/ethtool.c
54768 --- linux-2.6.35.7/net/core/ethtool.c 2010-08-26 19:47:12.000000000 -0400
54769 +++ linux-2.6.35.7/net/core/ethtool.c 2010-10-10 15:56:16.000000000 -0400
54770 @@ -366,7 +366,7 @@ static noinline_for_stack int ethtool_ge
54771 if (info.cmd == ETHTOOL_GRXCLSRLALL) {
54772 if (info.rule_cnt > 0) {
54773 if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
54774 - rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
54775 + rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
54779 diff -urNp linux-2.6.35.7/net/core/net-sysfs.c linux-2.6.35.7/net/core/net-sysfs.c
54780 --- linux-2.6.35.7/net/core/net-sysfs.c 2010-08-26 19:47:12.000000000 -0400
54781 +++ linux-2.6.35.7/net/core/net-sysfs.c 2010-09-17 20:12:09.000000000 -0400
54782 @@ -511,7 +511,7 @@ static ssize_t rx_queue_attr_store(struc
54783 return attribute->store(queue, attribute, buf, count);
54786 -static struct sysfs_ops rx_queue_sysfs_ops = {
54787 +static const struct sysfs_ops rx_queue_sysfs_ops = {
54788 .show = rx_queue_attr_show,
54789 .store = rx_queue_attr_store,
54791 diff -urNp linux-2.6.35.7/net/core/sock.c linux-2.6.35.7/net/core/sock.c
54792 --- linux-2.6.35.7/net/core/sock.c 2010-08-26 19:47:12.000000000 -0400
54793 +++ linux-2.6.35.7/net/core/sock.c 2010-09-17 20:12:09.000000000 -0400
54794 @@ -915,7 +915,7 @@ int sock_getsockopt(struct socket *sock,
54798 - if (copy_to_user(optval, address, len))
54799 + if (len > sizeof(address) || copy_to_user(optval, address, len))
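Review bot: The added bound `len > sizeof(address)` limits the copy only if `address` is an array in this scope; its declaration is outside the hunk, and if it were a pointer the test would compare against the pointer size. A one-line comment such as `/* address is a local buffer; never copy more than it holds */` next to the test would make the assumption reviewable. The same `len > sizeof(...)` pattern is added before `copy_to_user()` in the second hunk of this file and in net/decnet/sysctl_net_decnet.c. The enclosing `sock_getsockopt` case starts and ends outside the hunk.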
54803 @@ -948,7 +948,7 @@ int sock_getsockopt(struct socket *sock,
54807 - if (copy_to_user(optval, &v, len))
54808 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
54811 if (put_user(len, optlen))
54812 diff -urNp linux-2.6.35.7/net/dccp/ccids/ccid3.c linux-2.6.35.7/net/dccp/ccids/ccid3.c
54813 --- linux-2.6.35.7/net/dccp/ccids/ccid3.c 2010-08-26 19:47:12.000000000 -0400
54814 +++ linux-2.6.35.7/net/dccp/ccids/ccid3.c 2010-09-17 20:12:09.000000000 -0400
54816 static int ccid3_debug;
54817 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
54819 -#define ccid3_pr_debug(format, a...)
54820 +#define ccid3_pr_debug(format, a...) do {} while (0)
54824 diff -urNp linux-2.6.35.7/net/dccp/dccp.h linux-2.6.35.7/net/dccp/dccp.h
54825 --- linux-2.6.35.7/net/dccp/dccp.h 2010-08-26 19:47:12.000000000 -0400
54826 +++ linux-2.6.35.7/net/dccp/dccp.h 2010-09-17 20:12:09.000000000 -0400
54827 @@ -44,9 +44,9 @@ extern int dccp_debug;
54828 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
54829 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
54831 -#define dccp_pr_debug(format, a...)
54832 -#define dccp_pr_debug_cat(format, a...)
54833 -#define dccp_debug(format, a...)
54834 +#define dccp_pr_debug(format, a...) do {} while (0)
54835 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
54836 +#define dccp_debug(format, a...) do {} while (0)
54839 extern struct inet_hashinfo dccp_hashinfo;
54840 diff -urNp linux-2.6.35.7/net/decnet/sysctl_net_decnet.c linux-2.6.35.7/net/decnet/sysctl_net_decnet.c
54841 --- linux-2.6.35.7/net/decnet/sysctl_net_decnet.c 2010-08-26 19:47:12.000000000 -0400
54842 +++ linux-2.6.35.7/net/decnet/sysctl_net_decnet.c 2010-09-17 20:12:37.000000000 -0400
54843 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
54845 if (len > *lenp) len = *lenp;
54847 - if (copy_to_user(buffer, addr, len))
54848 + if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
54852 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
54854 if (len > *lenp) len = *lenp;
54856 - if (copy_to_user(buffer, devname, len))
54857 + if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
54861 diff -urNp linux-2.6.35.7/net/ipv4/inet_hashtables.c linux-2.6.35.7/net/ipv4/inet_hashtables.c
54862 --- linux-2.6.35.7/net/ipv4/inet_hashtables.c 2010-08-26 19:47:12.000000000 -0400
54863 +++ linux-2.6.35.7/net/ipv4/inet_hashtables.c 2010-09-17 20:12:37.000000000 -0400
54864 @@ -18,11 +18,14 @@
54865 #include <linux/sched.h>
54866 #include <linux/slab.h>
54867 #include <linux/wait.h>
54868 +#include <linux/security.h>
54870 #include <net/inet_connection_sock.h>
54871 #include <net/inet_hashtables.h>
54872 #include <net/route.h>
54873 #include <net/ip.h>
54875 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
54878 * Allocate and initialize a new local port bind bucket.
54879 @@ -508,6 +511,8 @@ ok:
54880 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
54881 spin_unlock(&head->lock);
54883 + gr_update_task_in_ip_table(current, inet_sk(sk));
54886 inet_twsk_deschedule(tw, death_row);
54888 diff -urNp linux-2.6.35.7/net/ipv4/inetpeer.c linux-2.6.35.7/net/ipv4/inetpeer.c
54889 --- linux-2.6.35.7/net/ipv4/inetpeer.c 2010-08-26 19:47:12.000000000 -0400
54890 +++ linux-2.6.35.7/net/ipv4/inetpeer.c 2010-10-11 22:41:44.000000000 -0400
54891 @@ -386,8 +386,8 @@ struct inet_peer *inet_getpeer(__be32 da
54893 n->v4daddr = daddr;
54894 atomic_set(&n->refcnt, 1);
54895 - atomic_set(&n->rid, 0);
54896 - atomic_set(&n->ip_id_count, secure_ip_id(daddr));
54897 + atomic_set_unchecked(&n->rid, 0);
54898 + atomic_set_unchecked(&n->ip_id_count, secure_ip_id(daddr));
54899 n->tcp_ts_stamp = 0;
54901 write_lock_bh(&peer_pool_lock);
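Review bot: The switch to `atomic_set_unchecked()` for `rid` and `ip_id_count` is unexplained, while `refcnt` on the line above keeps plain `atomic_set()`. A one-line comment such as `/* rid and ip_id_count are wrapping counters, not reference counts, hence the _unchecked accessors */` would tell the next reader which accessor family to use. That reading is inferred from the field names and should be confirmed against the definition of the `_unchecked` type elsewhere in the patch. The same comment applies to `atomic_inc_return_unchecked(&peer->rid)` in ip_fragment.c and `atomic_read_unchecked(&rt->peer->ip_id_count)` in route.c.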
54902 diff -urNp linux-2.6.35.7/net/ipv4/ip_fragment.c linux-2.6.35.7/net/ipv4/ip_fragment.c
54903 --- linux-2.6.35.7/net/ipv4/ip_fragment.c 2010-08-26 19:47:12.000000000 -0400
54904 +++ linux-2.6.35.7/net/ipv4/ip_fragment.c 2010-10-11 22:41:44.000000000 -0400
54905 @@ -282,7 +282,7 @@ static inline int ip_frag_too_far(struct
54909 - end = atomic_inc_return(&peer->rid);
54910 + end = atomic_inc_return_unchecked(&peer->rid);
54913 rc = qp->q.fragments && (end - start) > max;
54914 diff -urNp linux-2.6.35.7/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.35.7/net/ipv4/netfilter/nf_nat_snmp_basic.c
54915 --- linux-2.6.35.7/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-08-26 19:47:12.000000000 -0400
54916 +++ linux-2.6.35.7/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-09-17 20:12:09.000000000 -0400
54917 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
54921 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
54922 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
54923 if (*octets == NULL) {
54924 if (net_ratelimit())
54925 pr_notice("OOM in bsalg (%d)\n", __LINE__);
54926 diff -urNp linux-2.6.35.7/net/ipv4/route.c linux-2.6.35.7/net/ipv4/route.c
54927 --- linux-2.6.35.7/net/ipv4/route.c 2010-09-26 17:32:11.000000000 -0400
54928 +++ linux-2.6.35.7/net/ipv4/route.c 2010-10-11 22:41:44.000000000 -0400
54929 @@ -2889,7 +2889,7 @@ static int rt_fill_info(struct net *net,
54930 error = rt->u.dst.error;
54931 expires = rt->u.dst.expires ? rt->u.dst.expires - jiffies : 0;
54933 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
54934 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
54935 if (rt->peer->tcp_ts_stamp) {
54936 ts = rt->peer->tcp_ts;
54937 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
54938 diff -urNp linux-2.6.35.7/net/ipv4/tcp_ipv4.c linux-2.6.35.7/net/ipv4/tcp_ipv4.c
54939 --- linux-2.6.35.7/net/ipv4/tcp_ipv4.c 2010-08-26 19:47:12.000000000 -0400
54940 +++ linux-2.6.35.7/net/ipv4/tcp_ipv4.c 2010-09-17 20:12:37.000000000 -0400
54942 int sysctl_tcp_tw_reuse __read_mostly;
54943 int sysctl_tcp_low_latency __read_mostly;
54945 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54946 +extern int grsec_enable_blackhole;
54949 #ifdef CONFIG_TCP_MD5SIG
54950 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
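Review bot: `extern int grsec_enable_blackhole;` is declared directly in this .c file, and the same declaration is repeated in tcp_minisocks.c, ipv4/udp.c, ipv6/tcp_ipv6.c and ipv6/udp.c. The patch does the same with `grsec_lastack_retries` in tcp_timer.c and the `gr_update_task_in_ip_table` and `gr_search_udp_*` prototypes in inet_hashtables.c and udp.c. Local externs are never checked against the definition, so a later change of type or signature would still compile with mismatched declarations. Moving them into one shared header (xt_gradm.c in this patch already includes `<linux/grsecurity.h>`) and including it here would let the compiler verify them.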
54951 @@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
54955 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54956 + if (!grsec_enable_blackhole)
54958 tcp_v4_send_reset(rsk, skb);
54961 @@ -1654,12 +1660,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
54962 TCP_SKB_CB(skb)->sacked = 0;
54964 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
54967 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54970 goto no_tcp_socket;
54974 - if (sk->sk_state == TCP_TIME_WAIT)
54975 + if (sk->sk_state == TCP_TIME_WAIT) {
54976 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54982 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
54983 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
54984 @@ -1709,6 +1722,10 @@ no_tcp_socket:
54986 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54988 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54989 + if (!grsec_enable_blackhole || (ret == 1 &&
54990 + (skb->dev->flags & IFF_LOOPBACK)))
54992 tcp_v4_send_reset(NULL, skb);
54995 @@ -2316,7 +2333,11 @@ static void get_openreq4(struct sock *sk
54996 0, /* non standard timer */
54997 0, /* open_requests have no inode */
54998 atomic_read(&sk->sk_refcnt),
54999 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55007 @@ -2366,7 +2387,12 @@ static void get_tcp4_sock(struct sock *s
55009 icsk->icsk_probes_out,
55011 - atomic_read(&sk->sk_refcnt), sk,
55012 + atomic_read(&sk->sk_refcnt),
55013 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55018 jiffies_to_clock_t(icsk->icsk_rto),
55019 jiffies_to_clock_t(icsk->icsk_ack.ato),
55020 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
55021 @@ -2394,7 +2420,13 @@ static void get_timewait4_sock(struct in
55022 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
55023 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
55024 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
55025 - atomic_read(&tw->tw_refcnt), tw, len);
55026 + atomic_read(&tw->tw_refcnt),
55027 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55036 diff -urNp linux-2.6.35.7/net/ipv4/tcp_minisocks.c linux-2.6.35.7/net/ipv4/tcp_minisocks.c
55037 --- linux-2.6.35.7/net/ipv4/tcp_minisocks.c 2010-08-26 19:47:12.000000000 -0400
55038 +++ linux-2.6.35.7/net/ipv4/tcp_minisocks.c 2010-09-17 20:12:37.000000000 -0400
55040 #include <net/inet_common.h>
55041 #include <net/xfrm.h>
55043 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55044 +extern int grsec_enable_blackhole;
55047 int sysctl_tcp_syncookies __read_mostly = 1;
55048 EXPORT_SYMBOL(sysctl_tcp_syncookies);
55050 @@ -700,6 +704,10 @@ listen_overflow:
55053 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
55055 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55056 + if (!grsec_enable_blackhole)
55058 if (!(flg & TCP_FLAG_RST))
55059 req->rsk_ops->send_reset(sk, skb);
55061 diff -urNp linux-2.6.35.7/net/ipv4/tcp_probe.c linux-2.6.35.7/net/ipv4/tcp_probe.c
55062 --- linux-2.6.35.7/net/ipv4/tcp_probe.c 2010-08-26 19:47:12.000000000 -0400
55063 +++ linux-2.6.35.7/net/ipv4/tcp_probe.c 2010-09-17 20:12:37.000000000 -0400
55064 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
55065 if (cnt + width >= len)
55068 - if (copy_to_user(buf + cnt, tbuf, width))
55069 + if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
55073 diff -urNp linux-2.6.35.7/net/ipv4/tcp_timer.c linux-2.6.35.7/net/ipv4/tcp_timer.c
55074 --- linux-2.6.35.7/net/ipv4/tcp_timer.c 2010-09-26 17:32:11.000000000 -0400
55075 +++ linux-2.6.35.7/net/ipv4/tcp_timer.c 2010-09-26 17:32:51.000000000 -0400
55077 #include <linux/gfp.h>
55078 #include <net/tcp.h>
55080 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55081 +extern int grsec_lastack_retries;
55084 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
55085 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
55086 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
55087 @@ -195,6 +199,13 @@ static int tcp_write_timeout(struct sock
55091 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55092 + if ((sk->sk_state == TCP_LAST_ACK) &&
55093 + (grsec_lastack_retries > 0) &&
55094 + (grsec_lastack_retries < retry_until))
55095 + retry_until = grsec_lastack_retries;
55098 if (retransmits_timed_out(sk, retry_until)) {
55099 /* Has it gone just too far? */
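Review bot: `grsec_lastack_retries` is read three times in the added condition and assignment, so if it can be written at runtime (it is an `extern int`, presumably a sysctl), the value assigned to `retry_until` can differ from the value that passed the `> 0` and `< retry_until` tests. Taking one snapshot avoids that: `int lastack = ACCESS_ONCE(grsec_lastack_retries);` followed by `if (sk->sk_state == TCP_LAST_ACK && lastack > 0 && lastack < retry_until) retry_until = lastack;`. The rest of `tcp_write_timeout` is outside the hunk.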
55101 diff -urNp linux-2.6.35.7/net/ipv4/udp.c linux-2.6.35.7/net/ipv4/udp.c
55102 --- linux-2.6.35.7/net/ipv4/udp.c 2010-09-26 17:32:11.000000000 -0400
55103 +++ linux-2.6.35.7/net/ipv4/udp.c 2010-09-26 17:32:51.000000000 -0400
55105 #include <linux/types.h>
55106 #include <linux/fcntl.h>
55107 #include <linux/module.h>
55108 +#include <linux/security.h>
55109 #include <linux/socket.h>
55110 #include <linux/sockios.h>
55111 #include <linux/igmp.h>
55112 @@ -107,6 +108,10 @@
55113 #include <net/xfrm.h>
55114 #include "udp_impl.h"
55116 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55117 +extern int grsec_enable_blackhole;
55120 struct udp_table udp_table __read_mostly;
55121 EXPORT_SYMBOL(udp_table);
55123 @@ -564,6 +569,9 @@ found:
55127 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
55128 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
55131 * This routine is called by the ICMP module when it gets some
55132 * sort of error condition. If err < 0 then the socket should
55133 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
55134 dport = usin->sin_port;
55138 + err = gr_search_udp_sendmsg(sk, usin);
55142 if (sk->sk_state != TCP_ESTABLISHED)
55143 return -EDESTADDRREQ;
55145 + err = gr_search_udp_sendmsg(sk, NULL);
55149 daddr = inet->inet_daddr;
55150 dport = inet->inet_dport;
55151 /* Open fast path for connected socket.
55152 @@ -1141,6 +1158,10 @@ try_again:
55156 + err = gr_search_udp_recvmsg(sk, skb);
55160 ulen = skb->len - sizeof(struct udphdr);
55163 @@ -1625,6 +1646,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
55166 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
55167 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55168 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
55170 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
55173 @@ -2051,7 +2075,12 @@ static void udp4_format_sock(struct sock
55174 sk_wmem_alloc_get(sp),
55175 sk_rmem_alloc_get(sp),
55176 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
55177 - atomic_read(&sp->sk_refcnt), sp,
55178 + atomic_read(&sp->sk_refcnt),
55179 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55184 atomic_read(&sp->sk_drops), len);
55187 diff -urNp linux-2.6.35.7/net/ipv6/exthdrs.c linux-2.6.35.7/net/ipv6/exthdrs.c
55188 --- linux-2.6.35.7/net/ipv6/exthdrs.c 2010-08-26 19:47:12.000000000 -0400
55189 +++ linux-2.6.35.7/net/ipv6/exthdrs.c 2010-09-17 20:12:09.000000000 -0400
55190 @@ -636,7 +636,7 @@ static struct tlvtype_proc tlvprochopopt
55191 .type = IPV6_TLV_JUMBO,
55192 .func = ipv6_hop_jumbo,
55198 int ipv6_parse_hopopts(struct sk_buff *skb)
55199 diff -urNp linux-2.6.35.7/net/ipv6/raw.c linux-2.6.35.7/net/ipv6/raw.c
55200 --- linux-2.6.35.7/net/ipv6/raw.c 2010-08-26 19:47:12.000000000 -0400
55201 +++ linux-2.6.35.7/net/ipv6/raw.c 2010-09-17 20:12:09.000000000 -0400
55202 @@ -601,7 +601,7 @@ out:
55206 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
55207 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
55208 struct flowi *fl, struct rt6_info *rt,
55209 unsigned int flags)
55211 diff -urNp linux-2.6.35.7/net/ipv6/tcp_ipv6.c linux-2.6.35.7/net/ipv6/tcp_ipv6.c
55212 --- linux-2.6.35.7/net/ipv6/tcp_ipv6.c 2010-08-26 19:47:12.000000000 -0400
55213 +++ linux-2.6.35.7/net/ipv6/tcp_ipv6.c 2010-09-17 20:23:25.000000000 -0400
55214 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
55218 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55219 +extern int grsec_enable_blackhole;
55222 static void tcp_v6_hash(struct sock *sk)
55224 if (sk->sk_state != TCP_CLOSE) {
55225 @@ -1641,6 +1645,9 @@ static int tcp_v6_do_rcv(struct sock *sk
55229 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55230 + if (!grsec_enable_blackhole)
55232 tcp_v6_send_reset(sk, skb);
55235 @@ -1720,12 +1727,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
55236 TCP_SKB_CB(skb)->sacked = 0;
55238 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
55241 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55244 goto no_tcp_socket;
55248 - if (sk->sk_state == TCP_TIME_WAIT)
55249 + if (sk->sk_state == TCP_TIME_WAIT) {
55250 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55256 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
55257 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
55258 @@ -1773,6 +1788,10 @@ no_tcp_socket:
55260 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
55262 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55263 + if (!grsec_enable_blackhole || (ret == 1 &&
55264 + (skb->dev->flags & IFF_LOOPBACK)))
55266 tcp_v6_send_reset(NULL, skb);
55269 diff -urNp linux-2.6.35.7/net/ipv6/udp.c linux-2.6.35.7/net/ipv6/udp.c
55270 --- linux-2.6.35.7/net/ipv6/udp.c 2010-09-26 17:32:11.000000000 -0400
55271 +++ linux-2.6.35.7/net/ipv6/udp.c 2010-09-26 17:32:51.000000000 -0400
55273 #include <linux/seq_file.h>
55274 #include "udp_impl.h"
55276 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55277 +extern int grsec_enable_blackhole;
55280 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
55282 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
55283 @@ -765,6 +769,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
55284 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
55285 proto == IPPROTO_UDPLITE);
55287 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55288 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
55290 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
55293 diff -urNp linux-2.6.35.7/net/irda/ircomm/ircomm_tty.c linux-2.6.35.7/net/irda/ircomm/ircomm_tty.c
55294 --- linux-2.6.35.7/net/irda/ircomm/ircomm_tty.c 2010-08-26 19:47:12.000000000 -0400
55295 +++ linux-2.6.35.7/net/irda/ircomm/ircomm_tty.c 2010-09-17 20:12:09.000000000 -0400
55296 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
55297 add_wait_queue(&self->open_wait, &wait);
55299 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
55300 - __FILE__,__LINE__, tty->driver->name, self->open_count );
55301 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
55303 /* As far as I can see, we protect open_count - Jean II */
55304 spin_lock_irqsave(&self->spinlock, flags);
55305 if (!tty_hung_up_p(filp)) {
55307 - self->open_count--;
55308 + atomic_dec(&self->open_count);
55310 spin_unlock_irqrestore(&self->spinlock, flags);
55311 - self->blocked_open++;
55312 + atomic_inc(&self->blocked_open);
55315 if (tty->termios->c_cflag & CBAUD) {
55316 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
55319 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
55320 - __FILE__,__LINE__, tty->driver->name, self->open_count );
55321 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
55325 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
55327 /* ++ is not atomic, so this should be protected - Jean II */
55328 spin_lock_irqsave(&self->spinlock, flags);
55329 - self->open_count++;
55330 + atomic_inc(&self->open_count);
55331 spin_unlock_irqrestore(&self->spinlock, flags);
55333 - self->blocked_open--;
55334 + atomic_dec(&self->blocked_open);
55336 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
55337 - __FILE__,__LINE__, tty->driver->name, self->open_count);
55338 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
55341 self->flags |= ASYNC_NORMAL_ACTIVE;
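Review bot: The comment `/* ++ is not atomic, so this should be protected - Jean II */` now sits directly above `atomic_inc(&self->open_count)`, which is atomic, so it no longer describes the code. The same happens in the `ircomm_tty_open` hunk that follows. The lock is still needed elsewhere: in `ircomm_tty_close` the `atomic_read(&self->open_count) != 1` test followed by `atomic_set(&self->open_count, 1)` stays consistent only because the spinlock visible in the context lines is held. I would reword the comment to something like `/* open_count is atomic_t; the lock keeps it consistent with the checks in ircomm_tty_close() */`, so nobody drops the lock on the strength of the type change.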
55342 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
55344 /* ++ is not atomic, so this should be protected - Jean II */
55345 spin_lock_irqsave(&self->spinlock, flags);
55346 - self->open_count++;
55347 + atomic_inc(&self->open_count);
55349 tty->driver_data = self;
55351 spin_unlock_irqrestore(&self->spinlock, flags);
55353 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
55354 - self->line, self->open_count);
55355 + self->line, atomic_read(&self->open_count));
55357 /* Not really used by us, but lets do it anyway */
55358 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
55359 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
55363 - if ((tty->count == 1) && (self->open_count != 1)) {
55364 + if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
55366 * Uh, oh. tty->count is 1, which means that the tty
55367 * structure will be freed. state->count should always
55368 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
55370 IRDA_DEBUG(0, "%s(), bad serial port count; "
55371 "tty->count is 1, state->count is %d\n", __func__ ,
55372 - self->open_count);
55373 - self->open_count = 1;
55374 + atomic_read(&self->open_count));
55375 + atomic_set(&self->open_count, 1);
55378 - if (--self->open_count < 0) {
55379 + if (atomic_dec_return(&self->open_count) < 0) {
55380 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
55381 - __func__, self->line, self->open_count);
55382 - self->open_count = 0;
55383 + __func__, self->line, atomic_read(&self->open_count));
55384 + atomic_set(&self->open_count, 0);
55386 - if (self->open_count) {
55387 + if (atomic_read(&self->open_count)) {
55388 spin_unlock_irqrestore(&self->spinlock, flags);
55390 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
55391 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
55395 - if (self->blocked_open) {
55396 + if (atomic_read(&self->blocked_open)) {
55397 if (self->close_delay)
55398 schedule_timeout_interruptible(self->close_delay);
55399 wake_up_interruptible(&self->open_wait);
55400 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
55401 spin_lock_irqsave(&self->spinlock, flags);
55402 self->flags &= ~ASYNC_NORMAL_ACTIVE;
55404 - self->open_count = 0;
55405 + atomic_set(&self->open_count, 0);
55406 spin_unlock_irqrestore(&self->spinlock, flags);
55408 wake_up_interruptible(&self->open_wait);
55409 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
55412 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
55413 - seq_printf(m, "Open count: %d\n", self->open_count);
55414 + seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
55415 seq_printf(m, "Max data size: %d\n", self->max_data_size);
55416 seq_printf(m, "Max header size: %d\n", self->max_header_size);
55418 diff -urNp linux-2.6.35.7/net/key/af_key.c linux-2.6.35.7/net/key/af_key.c
55419 --- linux-2.6.35.7/net/key/af_key.c 2010-08-26 19:47:12.000000000 -0400
55420 +++ linux-2.6.35.7/net/key/af_key.c 2010-09-17 20:12:37.000000000 -0400
55421 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
55422 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
55424 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
55425 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55430 atomic_read(&s->sk_refcnt),
55431 sk_rmem_alloc_get(s),
55432 sk_wmem_alloc_get(s),
55433 diff -urNp linux-2.6.35.7/net/mac80211/ieee80211_i.h linux-2.6.35.7/net/mac80211/ieee80211_i.h
55434 --- linux-2.6.35.7/net/mac80211/ieee80211_i.h 2010-08-26 19:47:12.000000000 -0400
55435 +++ linux-2.6.35.7/net/mac80211/ieee80211_i.h 2010-09-17 20:12:09.000000000 -0400
55436 @@ -649,7 +649,7 @@ struct ieee80211_local {
55437 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
55438 spinlock_t queue_stop_reason_lock;
55441 + atomic_t open_count;
55442 int monitors, cooked_mntrs;
55443 /* number of interfaces with corresponding FIF_ flags */
55444 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
55445 diff -urNp linux-2.6.35.7/net/mac80211/iface.c linux-2.6.35.7/net/mac80211/iface.c
55446 --- linux-2.6.35.7/net/mac80211/iface.c 2010-08-26 19:47:12.000000000 -0400
55447 +++ linux-2.6.35.7/net/mac80211/iface.c 2010-09-17 20:12:09.000000000 -0400
55448 @@ -183,7 +183,7 @@ static int ieee80211_open(struct net_dev
55452 - if (local->open_count == 0) {
55453 + if (atomic_read(&local->open_count) == 0) {
55454 res = drv_start(local);
55457 @@ -215,7 +215,7 @@ static int ieee80211_open(struct net_dev
55458 * Validate the MAC address for this device.
55460 if (!is_valid_ether_addr(dev->dev_addr)) {
55461 - if (!local->open_count)
55462 + if (!atomic_read(&local->open_count))
55464 return -EADDRNOTAVAIL;
55466 @@ -308,7 +308,7 @@ static int ieee80211_open(struct net_dev
55468 hw_reconf_flags |= __ieee80211_recalc_idle(local);
55470 - local->open_count++;
55471 + atomic_inc(&local->open_count);
55472 if (hw_reconf_flags) {
55473 ieee80211_hw_config(local, hw_reconf_flags);
55475 @@ -336,7 +336,7 @@ static int ieee80211_open(struct net_dev
55477 drv_remove_interface(local, &sdata->vif);
55479 - if (!local->open_count)
55480 + if (!atomic_read(&local->open_count))
55484 @@ -439,7 +439,7 @@ static int ieee80211_stop(struct net_dev
55485 WARN_ON(!list_empty(&sdata->u.ap.vlans));
55488 - local->open_count--;
55489 + atomic_dec(&local->open_count);
55491 switch (sdata->vif.type) {
55492 case NL80211_IFTYPE_AP_VLAN:
55493 @@ -542,7 +542,7 @@ static int ieee80211_stop(struct net_dev
55495 ieee80211_recalc_ps(local, -1);
55497 - if (local->open_count == 0) {
55498 + if (atomic_read(&local->open_count) == 0) {
55499 ieee80211_clear_tx_pending(local);
55500 ieee80211_stop_device(local);
55502 diff -urNp linux-2.6.35.7/net/mac80211/main.c linux-2.6.35.7/net/mac80211/main.c
55503 --- linux-2.6.35.7/net/mac80211/main.c 2010-09-20 17:33:09.000000000 -0400
55504 +++ linux-2.6.35.7/net/mac80211/main.c 2010-09-20 17:33:37.000000000 -0400
55505 @@ -148,7 +148,7 @@ int ieee80211_hw_config(struct ieee80211
55506 local->hw.conf.power_level = power;
55509 - if (changed && local->open_count) {
55510 + if (changed && atomic_read(&local->open_count)) {
55511 ret = drv_config(local, changed);
55514 diff -urNp linux-2.6.35.7/net/mac80211/pm.c linux-2.6.35.7/net/mac80211/pm.c
55515 --- linux-2.6.35.7/net/mac80211/pm.c 2010-08-26 19:47:12.000000000 -0400
55516 +++ linux-2.6.35.7/net/mac80211/pm.c 2010-09-17 20:12:09.000000000 -0400
55517 @@ -101,7 +101,7 @@ int __ieee80211_suspend(struct ieee80211
55520 /* stop hardware - this must stop RX */
55521 - if (local->open_count)
55522 + if (atomic_read(&local->open_count))
55523 ieee80211_stop_device(local);
55525 local->suspended = true;
55526 diff -urNp linux-2.6.35.7/net/mac80211/rate.c linux-2.6.35.7/net/mac80211/rate.c
55527 --- linux-2.6.35.7/net/mac80211/rate.c 2010-08-26 19:47:12.000000000 -0400
55528 +++ linux-2.6.35.7/net/mac80211/rate.c 2010-09-17 20:12:09.000000000 -0400
55529 @@ -355,7 +355,7 @@ int ieee80211_init_rate_ctrl_alg(struct
55533 - if (local->open_count)
55534 + if (atomic_read(&local->open_count))
55537 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
55538 diff -urNp linux-2.6.35.7/net/mac80211/rc80211_pid_debugfs.c linux-2.6.35.7/net/mac80211/rc80211_pid_debugfs.c
55539 --- linux-2.6.35.7/net/mac80211/rc80211_pid_debugfs.c 2010-08-26 19:47:12.000000000 -0400
55540 +++ linux-2.6.35.7/net/mac80211/rc80211_pid_debugfs.c 2010-09-17 20:12:09.000000000 -0400
55541 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
55543 spin_unlock_irqrestore(&events->lock, status);
55545 - if (copy_to_user(buf, pb, p))
55546 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
55550 diff -urNp linux-2.6.35.7/net/mac80211/tx.c linux-2.6.35.7/net/mac80211/tx.c
55551 --- linux-2.6.35.7/net/mac80211/tx.c 2010-08-26 19:47:12.000000000 -0400
55552 +++ linux-2.6.35.7/net/mac80211/tx.c 2010-09-17 20:12:09.000000000 -0400
55553 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
55554 return cpu_to_le16(dur);
55557 -static int inline is_ieee80211_device(struct ieee80211_local *local,
55558 +static inline int is_ieee80211_device(struct ieee80211_local *local,
55559 struct net_device *dev)
55561 return local == wdev_priv(dev->ieee80211_ptr);
55562 diff -urNp linux-2.6.35.7/net/mac80211/util.c linux-2.6.35.7/net/mac80211/util.c
55563 --- linux-2.6.35.7/net/mac80211/util.c 2010-08-26 19:47:12.000000000 -0400
55564 +++ linux-2.6.35.7/net/mac80211/util.c 2010-09-17 20:12:09.000000000 -0400
55565 @@ -1097,7 +1097,7 @@ int ieee80211_reconfig(struct ieee80211_
55566 local->resuming = true;
55568 /* restart hardware */
55569 - if (local->open_count) {
55570 + if (atomic_read(&local->open_count)) {
55572 * Upon resume hardware can sometimes be goofy due to
55573 * various platform / driver / bus issues, so restarting
55574 diff -urNp linux-2.6.35.7/net/netfilter/Kconfig linux-2.6.35.7/net/netfilter/Kconfig
55575 --- linux-2.6.35.7/net/netfilter/Kconfig 2010-08-26 19:47:12.000000000 -0400
55576 +++ linux-2.6.35.7/net/netfilter/Kconfig 2010-09-28 18:10:38.000000000 -0400
55577 @@ -693,6 +693,16 @@ config NETFILTER_XT_MATCH_ESP
55579 To compile it as a module, choose M here. If unsure, say N.
55581 +config NETFILTER_XT_MATCH_GRADM
55582 + tristate '"gradm" match support'
55583 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
55584 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
55586 + The gradm match allows to match on grsecurity RBAC being enabled.
55587 + It is useful when iptables rules are applied early on bootup to
55588 + prevent connections to the machine (except from a trusted host)
55589 + while the RBAC system is disabled.
55591 config NETFILTER_XT_MATCH_HASHLIMIT
55592 tristate '"hashlimit" match support'
55593 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
55594 diff -urNp linux-2.6.35.7/net/netfilter/Makefile linux-2.6.35.7/net/netfilter/Makefile
55595 --- linux-2.6.35.7/net/netfilter/Makefile 2010-08-26 19:47:12.000000000 -0400
55596 +++ linux-2.6.35.7/net/netfilter/Makefile 2010-09-28 18:05:52.000000000 -0400
55597 @@ -71,6 +71,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC
55598 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
55599 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
55600 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
55601 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
55602 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
55603 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
55604 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
55605 diff -urNp linux-2.6.35.7/net/netfilter/xt_gradm.c linux-2.6.35.7/net/netfilter/xt_gradm.c
55606 --- linux-2.6.35.7/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
55607 +++ linux-2.6.35.7/net/netfilter/xt_gradm.c 2010-09-28 18:05:52.000000000 -0400
55610 + * gradm match for netfilter
55611 + * Copyright © Zbigniew Krzystolik, 2010
55613 + * This program is free software; you can redistribute it and/or modify
55614 + * it under the terms of the GNU General Public License; either version
55615 + * 2 or 3 as published by the Free Software Foundation.
55617 +#include <linux/module.h>
55618 +#include <linux/moduleparam.h>
55619 +#include <linux/skbuff.h>
55620 +#include <linux/netfilter/x_tables.h>
55621 +#include <linux/grsecurity.h>
55622 +#include <linux/netfilter/xt_gradm.h>
55625 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
55627 + const struct xt_gradm_mtinfo *info = par->matchinfo;
55628 + bool retval = false;
55629 + if (gr_acl_is_enabled())
55631 + return retval ^ info->invflags;
55634 +static struct xt_match gradm_mt_reg __read_mostly = {
55637 + .family = NFPROTO_UNSPEC,
55638 + .match = gradm_mt,
55639 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
55640 + .me = THIS_MODULE,
55643 +static int __init gradm_mt_init(void)
55645 + return xt_register_match(&gradm_mt_reg);
55648 +static void __exit gradm_mt_exit(void)
55650 + xt_unregister_match(&gradm_mt_reg);
55653 +module_init(gradm_mt_init);
55654 +module_exit(gradm_mt_exit);
55655 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
55656 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
55657 +MODULE_LICENSE("GPL");
55658 +MODULE_ALIAS("ipt_gradm");
55659 +MODULE_ALIAS("ip6t_gradm");
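Review bot: `return retval ^ info->invflags;` XORs a bool with the raw `invflags` field, so any value with a bit other than bit 0 set makes the match return true whether or not RBAC is enabled. No `.checkentry` is visible in `gradm_mt_reg` to restrict the field; two initialiser lines are missing from the page, so this should be confirmed. The Kconfig help describes the match as a way to refuse connections while RBAC is disabled, so a rule loaded with an unexpected `invflags` value would silently change what the firewall accepts. Normalising the flag with `return retval ^ !!info->invflags;`, or rejecting `info->invflags & ~1` in a checkentry hook, closes that gap.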
55660 diff -urNp linux-2.6.35.7/net/netlink/af_netlink.c linux-2.6.35.7/net/netlink/af_netlink.c
55661 --- linux-2.6.35.7/net/netlink/af_netlink.c 2010-08-26 19:47:12.000000000 -0400
55662 +++ linux-2.6.35.7/net/netlink/af_netlink.c 2010-09-17 20:12:37.000000000 -0400
55663 @@ -2001,13 +2001,21 @@ static int netlink_seq_show(struct seq_f
55664 struct netlink_sock *nlk = nlk_sk(s);
55666 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
55667 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55674 nlk->groups ? (u32)nlk->groups[0] : 0,
55675 sk_rmem_alloc_get(s),
55676 sk_wmem_alloc_get(s),
55677 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55682 atomic_read(&s->sk_refcnt),
55683 atomic_read(&s->sk_drops),
55685 diff -urNp linux-2.6.35.7/net/packet/af_packet.c linux-2.6.35.7/net/packet/af_packet.c
55686 --- linux-2.6.35.7/net/packet/af_packet.c 2010-08-26 19:47:12.000000000 -0400
55687 +++ linux-2.6.35.7/net/packet/af_packet.c 2010-10-11 22:41:44.000000000 -0400
55688 @@ -1595,8 +1595,9 @@ static int packet_recvmsg(struct kiocb *
55691 vnet_hdr_len = sizeof(vnet_hdr);
55692 - if ((len -= vnet_hdr_len) < 0)
55693 + if (len < vnet_hdr_len)
55695 + len -= vnet_hdr_len;
55697 if (skb_is_gso(skb)) {
55698 struct skb_shared_info *sinfo = skb_shinfo(skb);
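Review bot: The reason for separating the test `len < vnet_hdr_len` from the subtraction is not recorded, which makes it easy to fold them back together later. If `len` is an unsigned type (its declaration is outside the hunk), the old `(len -= vnet_hdr_len) < 0` could never be true and a short buffer would wrap to a very large length. A comment on the new test would capture that: `/* compare before subtracting: len is unsigned and would wrap */`. If `vnet_hdr_len` is a signed `int`, the comparison also depends on it never being negative, which is worth stating in the same comment.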
55699 @@ -2093,7 +2094,7 @@ static int packet_getsockopt(struct sock
55700 case PACKET_HDRLEN:
55701 if (len > sizeof(int))
55703 - if (copy_from_user(&val, optval, len))
55704 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
55708 @@ -2125,7 +2126,7 @@ static int packet_getsockopt(struct sock
55710 if (put_user(len, optlen))
55712 - if (copy_to_user(optval, data, len))
55713 + if (len > sizeof(st) || copy_to_user(optval, data, len))
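Review bot: The added bound in `len > sizeof(st) || copy_to_user(optval, data, len)` checks the size of `st`, but the copy reads from `data`. If `data` can point at an object smaller than `st` (it is assigned outside this hunk, presumably per option), the check does not bound the read from that object. Either bound against the object actually selected, for instance by keeping its size in a local set next to `data`, or add a comment stating that every branch has already clamped `len` to its own object. In the `PACKET_HDRLEN` hunk above, `len > sizeof(val)` follows a `len > sizeof(int)` test on the preceding visible line and looks redundant if `val` is an `int`.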
55717 @@ -2604,7 +2605,11 @@ static int packet_seq_show(struct seq_fi
55720 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
55721 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55726 atomic_read(&s->sk_refcnt),
55729 diff -urNp linux-2.6.35.7/net/rds/page.c linux-2.6.35.7/net/rds/page.c
55730 --- linux-2.6.35.7/net/rds/page.c 2010-08-26 19:47:12.000000000 -0400
55731 +++ linux-2.6.35.7/net/rds/page.c 2010-10-19 18:14:31.000000000 -0400
55732 @@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page
55737 + addr = kmap(page);
55739 rds_stats_add(s_copy_to_user, bytes);
55741 + ret = copy_to_user(ptr, addr + offset, bytes);
55743 rds_stats_add(s_copy_from_user, bytes);
55745 - addr = kmap_atomic(page, KM_USER0);
55747 - ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
55749 - ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
55750 - kunmap_atomic(addr, KM_USER0);
55753 - addr = kmap(page);
55755 - ret = copy_to_user(ptr, addr + offset, bytes);
55757 - ret = copy_from_user(addr + offset, ptr, bytes);
55761 + ret = copy_from_user(addr + offset, ptr, bytes);
55766 + return ret ? -EFAULT : 0;
55768 EXPORT_SYMBOL_GPL(rds_page_copy_user);
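Review bot: Nothing in the new body records why the atomic fast path was dropped, which makes it easy to reintroduce as an optimisation. The removed `__copy_to_user_inatomic()` and `__copy_from_user_inatomic()` calls do not perform the `access_ok()` range check on `ptr`, while the remaining `copy_to_user()` and `copy_from_user()` do. A comment above the `kmap()` such as `/* ptr is user-controlled: only the checked copy helpers may be used here */` would capture that. Every call now goes through `kmap()` and a copy that may fault, so the function can sleep, and `might_sleep();` at the top would flag any caller in atomic context. Several lines of this hunk are missing from the page, so the placement is approximate.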
55770 diff -urNp linux-2.6.35.7/net/rose/af_rose.c linux-2.6.35.7/net/rose/af_rose.c
55771 --- linux-2.6.35.7/net/rose/af_rose.c 2010-08-26 19:47:12.000000000 -0400
55772 +++ linux-2.6.35.7/net/rose/af_rose.c 2010-09-20 17:16:28.000000000 -0400
55773 @@ -679,7 +679,7 @@ static int rose_bind(struct socket *sock
55774 if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
55777 - if (addr->srose_ndigis > ROSE_MAX_DIGIS)
55778 + if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
55781 if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
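Review bot: The cast in `(unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS` rejects negative digipeater counts only as a side effect of wraparound, while the `addr->srose_ndigis > 1` test just above it is still a signed comparison on the same field. Writing the range out, `if (addr->srose_ndigis < 0 || addr->srose_ndigis > ROSE_MAX_DIGIS)`, states the intent and does not depend on the field's declared type, which is not visible here. The rose_connect hunk that follows changes the same line and would get the same treatment. Both functions continue outside their hunks.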
55782 @@ -739,7 +739,7 @@ static int rose_connect(struct socket *s
55783 if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
55786 - if (addr->srose_ndigis > ROSE_MAX_DIGIS)
55787 + if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
55790 /* Source + Destination digis should not exceed ROSE_MAX_DIGIS */
55791 diff -urNp linux-2.6.35.7/net/sctp/auth.c linux-2.6.35.7/net/sctp/auth.c
55792 --- linux-2.6.35.7/net/sctp/auth.c 2010-08-26 19:47:12.000000000 -0400
55793 +++ linux-2.6.35.7/net/sctp/auth.c 2010-09-28 18:50:22.000000000 -0400
55794 @@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hma
55795 id = ntohs(hmacs->hmac_ids[i]);
55797 /* Check the id is in the supported range */
55798 - if (id > SCTP_AUTH_HMAC_ID_MAX)
55799 + if (id > SCTP_AUTH_HMAC_ID_MAX) {
55804 /* See is we support the id. Supported IDs have name and
55805 * length fields set, so that we can allocated and use
55806 * them. We can safely just check for name, for without the
55807 * name, we can't allocate the TFM.
55809 - if (!sctp_hmac_list[id].hmac_name)
55810 + if (!sctp_hmac_list[id].hmac_name) {
55817 diff -urNp linux-2.6.35.7/net/sctp/socket.c linux-2.6.35.7/net/sctp/socket.c
55818 --- linux-2.6.35.7/net/sctp/socket.c 2010-08-26 19:47:12.000000000 -0400
55819 +++ linux-2.6.35.7/net/sctp/socket.c 2010-09-17 20:12:09.000000000 -0400
55820 @@ -1483,7 +1483,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
55821 struct sctp_sndrcvinfo *sinfo;
55822 struct sctp_initmsg *sinit;
55823 sctp_assoc_t associd = 0;
55824 - sctp_cmsgs_t cmsgs = { NULL };
55825 + sctp_cmsgs_t cmsgs = { NULL, NULL };
55827 sctp_scope_t scope;
55829 @@ -4387,7 +4387,7 @@ static int sctp_getsockopt_peer_addrs(st
55830 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
55831 if (space_left < addrlen)
55833 - if (copy_to_user(to, &temp, addrlen))
55834 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
55838 diff -urNp linux-2.6.35.7/net/socket.c linux-2.6.35.7/net/socket.c
55839 --- linux-2.6.35.7/net/socket.c 2010-08-26 19:47:12.000000000 -0400
55840 +++ linux-2.6.35.7/net/socket.c 2010-09-17 20:12:37.000000000 -0400
55842 #include <linux/nsproxy.h>
55843 #include <linux/magic.h>
55844 #include <linux/slab.h>
55845 +#include <linux/in.h>
55847 #include <asm/uaccess.h>
55848 #include <asm/unistd.h>
55849 @@ -105,6 +106,8 @@
55850 #include <linux/sockios.h>
55851 #include <linux/atalk.h>
55853 +#include <linux/grsock.h>
55855 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
55856 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
55857 unsigned long nr_segs, loff_t pos);
55858 @@ -322,7 +325,7 @@ static int sockfs_get_sb(struct file_sys
55862 -static struct vfsmount *sock_mnt __read_mostly;
55863 +struct vfsmount *sock_mnt __read_mostly;
55865 static struct file_system_type sock_fs_type = {
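Review bot: Dropping `static` from `sock_mnt` turns a file-local pointer into a kernel-wide symbol, and this hunk shows neither the code that needs it nor an `extern` declaration in a header. A one-line comment naming the consumer, for example `/* non-static: referenced from <consumer file> */` with the real file filled in, would tell the next reader that the wider linkage is intentional. If the outside code only needs to read it, a small accessor function would keep the pointer itself from being assignable elsewhere.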
55867 @@ -1291,6 +1294,16 @@ SYSCALL_DEFINE3(socket, int, family, int
55868 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
55869 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
55871 + if(!gr_search_socket(family, type, protocol)) {
55872 + retval = -EACCES;
55876 + if (gr_handle_sock_all(family, type, protocol)) {
55877 + retval = -EACCES;
55881 retval = sock_create(family, type, protocol, &sock);
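Review bot: The two added checks have opposite polarity: `!gr_search_socket(...)` denies on a zero return while `gr_handle_sock_all(...)` denies on a nonzero return, and nothing at the call site says which convention each helper follows. A short comment on each, such as `/* returns 0 when policy denies */` and `/* returns nonzero when the caller is restricted */`, would make an inverted test easy to spot in review; the wording should be checked against the helpers, which are defined outside this hunk. The first check is also written `if(` without the space that the second check and the surrounding code use.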
55884 @@ -1403,6 +1416,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
55886 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
55888 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
55892 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
55896 err = security_socket_bind(sock,
55897 (struct sockaddr *)&address,
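Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` casts the sockaddr_storage to sockaddr_in without passing addrlen, and no address-family test is visible between move_addr_to_kernel() and the call. If the caller supplied fewer bytes than sizeof(struct sockaddr_in), or a non-IPv4 family, the helper would read fields that were never copied in or that mean something else. Unless the helper already validates the family itself (it is defined outside this hunk), I would pass the length through, for example `gr_search_bind(sock, (struct sockaddr *)&address, addrlen)`, so it can check family and length before reading any IPv4 field. The connect hunk further down makes the same cast in `gr_search_connect(sock, (struct sockaddr_in *)sck)`.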
55899 @@ -1411,6 +1432,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
55900 (struct sockaddr *)
55901 &address, addrlen);
55904 fput_light(sock->file, fput_needed);
55907 @@ -1434,10 +1456,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
55908 if ((unsigned)backlog > somaxconn)
55909 backlog = somaxconn;
55911 + if (gr_handle_sock_server_other(sock->sk)) {
55916 + err = gr_search_listen(sock);
55920 err = security_socket_listen(sock, backlog);
55922 err = sock->ops->listen(sock, backlog);
55925 fput_light(sock->file, fput_needed);
55928 @@ -1480,6 +1512,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
55929 newsock->type = sock->type;
55930 newsock->ops = sock->ops;
55932 + if (gr_handle_sock_server_other(sock->sk)) {
55934 + sock_release(newsock);
55938 + err = gr_search_accept(sock);
55940 + sock_release(newsock);
55945 * We don't need try_module_get here, as the listening socket (sock)
55946 * has the protocol module (sock->ops->owner) held.
55947 @@ -1518,6 +1562,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
55948 fd_install(newfd, newfile);
55951 + gr_attach_curr_ip(newsock->sk);
55954 fput_light(sock->file, fput_needed);
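Review bot: `gr_attach_curr_ip(newsock->sk)` appears to run after `fd_install(newfd, newfile)`, at which point the new descriptor is already visible to other threads sharing the file table. A concurrent close of newfd could release the socket before newsock->sk is dereferenced. Moving the call above fd_install, so the order is `gr_attach_curr_ip(newsock->sk);` then `fd_install(newfd, newfile);`, removes the dependence on the file staying open. Some lines between the two statements are not shown in this listing, so the exact placement should be confirmed against the full file.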
55956 @@ -1550,6 +1596,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
55959 struct socket *sock;
55960 + struct sockaddr *sck;
55961 struct sockaddr_storage address;
55962 int err, fput_needed;
55964 @@ -1560,6 +1607,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
55968 + sck = (struct sockaddr *)&address;
55970 + if (gr_handle_sock_client(sck)) {
55975 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
55980 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
55982 diff -urNp linux-2.6.35.7/net/sunrpc/sched.c linux-2.6.35.7/net/sunrpc/sched.c
55983 --- linux-2.6.35.7/net/sunrpc/sched.c 2010-08-26 19:47:12.000000000 -0400
55984 +++ linux-2.6.35.7/net/sunrpc/sched.c 2010-09-17 20:12:09.000000000 -0400
55985 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
55987 static void rpc_task_set_debuginfo(struct rpc_task *task)
55989 - static atomic_t rpc_pid;
55990 + static atomic_unchecked_t rpc_pid;
55992 - task->tk_pid = atomic_inc_return(&rpc_pid);
55993 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
55996 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
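Review bot: Nothing next to `static atomic_unchecked_t rpc_pid;` says why this counter is moved to the unchecked type. From the visible use, `task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);`, it looks like a debug identifier where wraparound is harmless rather than a reference count, and a comment such as `/* debug id only, may wrap */` would record that. The ima_add_violation hunk later in this patch already carries a comment of that kind ("can overflow, only indicator").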
55997 diff -urNp linux-2.6.35.7/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.35.7/net/sunrpc/xprtrdma/svc_rdma.c
55998 --- linux-2.6.35.7/net/sunrpc/xprtrdma/svc_rdma.c 2010-08-26 19:47:12.000000000 -0400
55999 +++ linux-2.6.35.7/net/sunrpc/xprtrdma/svc_rdma.c 2010-09-17 20:12:37.000000000 -0400
56000 @@ -106,7 +106,7 @@ static int read_reset_stat(ctl_table *ta
56004 - if (len && copy_to_user(buffer, str_buf, len))
56005 + if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
56009 diff -urNp linux-2.6.35.7/net/sysctl_net.c linux-2.6.35.7/net/sysctl_net.c
56010 --- linux-2.6.35.7/net/sysctl_net.c 2010-08-26 19:47:12.000000000 -0400
56011 +++ linux-2.6.35.7/net/sysctl_net.c 2010-09-17 20:12:37.000000000 -0400
56012 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
56013 struct ctl_table *table)
56015 /* Allow network administrator to have same access as root. */
56016 - if (capable(CAP_NET_ADMIN)) {
56017 + if (capable_nolog(CAP_NET_ADMIN)) {
56018 int mode = (table->mode >> 6) & 7;
56019 return (mode << 6) | (mode << 3) | mode;
56021 diff -urNp linux-2.6.35.7/net/tipc/socket.c linux-2.6.35.7/net/tipc/socket.c
56022 --- linux-2.6.35.7/net/tipc/socket.c 2010-08-26 19:47:12.000000000 -0400
56023 +++ linux-2.6.35.7/net/tipc/socket.c 2010-09-17 20:12:09.000000000 -0400
56024 @@ -1451,8 +1451,9 @@ static int connect(struct socket *sock,
56029 - ; /* leave "res" unchanged */
56031 + /* leave "res" unchanged */
56033 sock->state = SS_DISCONNECTING;
56036 diff -urNp linux-2.6.35.7/net/unix/af_unix.c linux-2.6.35.7/net/unix/af_unix.c
56037 --- linux-2.6.35.7/net/unix/af_unix.c 2010-09-26 17:32:11.000000000 -0400
56038 +++ linux-2.6.35.7/net/unix/af_unix.c 2010-09-26 17:32:52.000000000 -0400
56039 @@ -745,6 +745,12 @@ static struct sock *unix_find_other(stru
56040 err = -ECONNREFUSED;
56041 if (!S_ISSOCK(inode->i_mode))
56044 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
56049 u = unix_find_socket_byinode(net, inode);
56052 @@ -765,6 +771,13 @@ static struct sock *unix_find_other(stru
56054 struct dentry *dentry;
56055 dentry = unix_sk(u)->dentry;
56057 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
56064 touch_atime(unix_sk(u)->mnt, dentry);
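Review bot: `gr_handle_chroot_unix(u->sk_peercred.pid)` makes its decision from a numeric pid, and the later unix_bind hunk stores that value once with `sk->sk_peercred.pid = current->pid;`. A bare pid_t is not a stable identity: the binding task may have exited and its number been reused by the time a peer connects, so the check could be evaluated against an unrelated task. Holding a reference instead, for example a `struct pid *` taken with `get_pid(task_pid(current))` at bind time and dropped when the socket is destroyed, avoids that. The hunk does not show how the helper resolves the pid, so this should be confirmed there.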
56066 @@ -850,11 +863,18 @@ static int unix_bind(struct socket *sock
56067 err = security_path_mknod(&nd.path, dentry, mode, 0);
56069 goto out_mknod_drop_write;
56070 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
56072 + goto out_mknod_drop_write;
56074 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
56075 out_mknod_drop_write:
56076 mnt_drop_write(nd.path.mnt);
56078 goto out_mknod_dput;
56080 + gr_handle_create(dentry, nd.path.mnt);
56082 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
56083 dput(nd.path.dentry);
56084 nd.path.dentry = dentry;
56085 @@ -872,6 +892,10 @@ out_mknod_drop_write:
56089 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
56090 + sk->sk_peercred.pid = current->pid;
56093 list = &unix_socket_table[addr->hash];
56095 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
56096 @@ -2170,7 +2194,11 @@ static int unix_seq_show(struct seq_file
56097 unix_state_lock(s);
56099 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
56100 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56105 atomic_read(&s->sk_refcnt),
56107 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
56108 diff -urNp linux-2.6.35.7/net/wireless/reg.c linux-2.6.35.7/net/wireless/reg.c
56109 --- linux-2.6.35.7/net/wireless/reg.c 2010-08-26 19:47:12.000000000 -0400
56110 +++ linux-2.6.35.7/net/wireless/reg.c 2010-09-17 20:12:09.000000000 -0400
56112 printk(KERN_DEBUG format , ## args); \
56115 -#define REG_DBG_PRINT(args...)
56116 +#define REG_DBG_PRINT(args...) do {} while (0)
56119 /* Receipt of information from last regulatory request */
56120 diff -urNp linux-2.6.35.7/net/wireless/wext-core.c linux-2.6.35.7/net/wireless/wext-core.c
56121 --- linux-2.6.35.7/net/wireless/wext-core.c 2010-09-20 17:33:09.000000000 -0400
56122 +++ linux-2.6.35.7/net/wireless/wext-core.c 2010-09-23 19:57:26.000000000 -0400
56123 @@ -744,8 +744,7 @@ static int ioctl_standard_iw_point(struc
56126 /* Support for very large requests */
56127 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
56128 - (user_length > descr->max_tokens)) {
56129 + if (user_length > descr->max_tokens) {
56130 /* Allow userspace to GET more than max so
56131 * we can support any size GET requests.
56132 * There is still a limit : -ENOMEM.
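Review bot: The retained comment above this branch still describes an opt-in ("Support for very large requests"), but the new condition `if (user_length > descr->max_tokens)` no longer tests IW_DESCR_FLAG_NOMAX, so the branch now runs for every descriptor. I would reword the comment to say that, for example `/* Size the buffer from user_length for every descriptor, not only NOMAX ones */`. The statement that actually sizes the buffer is outside this hunk, so the wording should be matched to it. ioctl_standard_iw_point continues outside the hunk.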
56133 @@ -782,22 +781,6 @@ static int ioctl_standard_iw_point(struc
56137 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
56139 - * If this is a GET, but not NOMAX, it means that the extra
56140 - * data is not bounded by userspace, but by max_tokens. Thus
56141 - * set the length to max_tokens. This matches the extra data
56143 - * The driver should fill it with the number of tokens it
56144 - * provided, and it may check iwp->length rather than having
56145 - * knowledge of max_tokens. If the driver doesn't change the
56146 - * iwp->length, this ioctl just copies back max_token tokens
56147 - * filled with zeroes. Hopefully the driver isn't claiming
56148 - * them to be valid data.
56150 - iwp->length = descr->max_tokens;
56153 err = handler(dev, info, (union iwreq_data *) iwp, extra);
56155 iwp->length += essid_compat;
56156 diff -urNp linux-2.6.35.7/net/xfrm/xfrm_policy.c linux-2.6.35.7/net/xfrm/xfrm_policy.c
56157 --- linux-2.6.35.7/net/xfrm/xfrm_policy.c 2010-08-26 19:47:12.000000000 -0400
56158 +++ linux-2.6.35.7/net/xfrm/xfrm_policy.c 2010-09-17 20:12:09.000000000 -0400
56159 @@ -1502,7 +1502,7 @@ free_dst:
56165 xfrm_dst_alloc_copy(void **target, void *src, int size)
56168 @@ -1514,7 +1514,7 @@ xfrm_dst_alloc_copy(void **target, void
56174 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
56176 #ifdef CONFIG_XFRM_SUB_POLICY
56177 @@ -1526,7 +1526,7 @@ xfrm_dst_update_parent(struct dst_entry
56183 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
56185 #ifdef CONFIG_XFRM_SUB_POLICY
56186 diff -urNp linux-2.6.35.7/scripts/basic/fixdep.c linux-2.6.35.7/scripts/basic/fixdep.c
56187 --- linux-2.6.35.7/scripts/basic/fixdep.c 2010-08-26 19:47:12.000000000 -0400
56188 +++ linux-2.6.35.7/scripts/basic/fixdep.c 2010-09-17 20:12:09.000000000 -0400
56189 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
56191 static void parse_config_file(char *map, size_t len)
56193 - int *end = (int *) (map + len);
56194 + unsigned int *end = (unsigned int *) (map + len);
56195 /* start at +1, so that p can never be < map */
56196 - int *m = (int *) map + 1;
56197 + unsigned int *m = (unsigned int *) map + 1;
56200 for (; m < end; m++) {
56201 @@ -371,7 +371,7 @@ static void print_deps(void)
56202 static void traps(void)
56204 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
56205 - int *p = (int *)test;
56206 + unsigned int *p = (unsigned int *)test;
56208 if (*p != INT_CONF) {
56209 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
56210 diff -urNp linux-2.6.35.7/scripts/kallsyms.c linux-2.6.35.7/scripts/kallsyms.c
56211 --- linux-2.6.35.7/scripts/kallsyms.c 2010-08-26 19:47:12.000000000 -0400
56212 +++ linux-2.6.35.7/scripts/kallsyms.c 2010-09-17 20:12:09.000000000 -0400
56213 @@ -43,10 +43,10 @@ struct text_range {
56215 static unsigned long long _text;
56216 static struct text_range text_ranges[] = {
56217 - { "_stext", "_etext" },
56218 - { "_sinittext", "_einittext" },
56219 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
56220 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
56221 + { "_stext", "_etext", 0, 0 },
56222 + { "_sinittext", "_einittext", 0, 0 },
56223 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
56224 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
56226 #define text_range_text (&text_ranges[0])
56227 #define text_range_inittext (&text_ranges[1])
56228 diff -urNp linux-2.6.35.7/scripts/mod/file2alias.c linux-2.6.35.7/scripts/mod/file2alias.c
56229 --- linux-2.6.35.7/scripts/mod/file2alias.c 2010-08-26 19:47:12.000000000 -0400
56230 +++ linux-2.6.35.7/scripts/mod/file2alias.c 2010-09-17 20:12:09.000000000 -0400
56231 @@ -72,7 +72,7 @@ static void device_id_check(const char *
56232 unsigned long size, unsigned long id_size,
56238 if (size % id_size || size < id_size) {
56239 if (cross_build != 0)
56240 @@ -102,7 +102,7 @@ static void device_id_check(const char *
56241 /* USB is special because the bcdDevice can be matched against a numeric range */
56242 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
56243 static void do_usb_entry(struct usb_device_id *id,
56244 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
56245 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
56246 unsigned char range_lo, unsigned char range_hi,
56247 unsigned char max, struct module *mod)
56249 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
56250 for (i = 0; i < count; i++) {
56251 const char *id = (char *)devs[i].id;
56252 char acpi_id[sizeof(devs[0].id)];
56256 buf_printf(&mod->dev_table_buf,
56257 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
56258 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
56260 for (j = 0; j < PNP_MAX_DEVICES; j++) {
56261 const char *id = (char *)card->devs[j].id;
56263 + unsigned int i2, j2;
56267 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
56268 /* add an individual alias for every device entry */
56270 char acpi_id[sizeof(card->devs[0].id)];
56274 buf_printf(&mod->dev_table_buf,
56275 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
56276 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
56277 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
56281 + unsigned int i, j;
56283 sprintf(alias, "dmi*");
56285 diff -urNp linux-2.6.35.7/scripts/mod/modpost.c linux-2.6.35.7/scripts/mod/modpost.c
56286 --- linux-2.6.35.7/scripts/mod/modpost.c 2010-08-26 19:47:12.000000000 -0400
56287 +++ linux-2.6.35.7/scripts/mod/modpost.c 2010-09-17 20:12:09.000000000 -0400
56288 @@ -846,6 +846,7 @@ enum mismatch {
56289 ANY_INIT_TO_ANY_EXIT,
56290 ANY_EXIT_TO_ANY_INIT,
56291 EXPORT_TO_INIT_EXIT,
56295 struct sectioncheck {
56296 @@ -954,6 +955,12 @@ const struct sectioncheck sectioncheck[]
56297 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
56298 .mismatch = EXPORT_TO_INIT_EXIT,
56299 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
56301 +/* Do not reference code from writable data */
56303 + .fromsec = { DATA_SECTIONS, NULL },
56304 + .tosec = { TEXT_SECTIONS, NULL },
56305 + .mismatch = DATA_TO_TEXT
56309 @@ -1060,10 +1067,10 @@ static Elf_Sym *find_elf_symbol(struct e
56311 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
56313 - if (sym->st_value == addr)
56315 /* Find a symbol nearby - addr are maybe negative */
56316 d = sym->st_value - addr;
56320 d = addr - sym->st_value;
56321 if (d < distance) {
56322 @@ -1306,6 +1313,14 @@ static void report_sec_mismatch(const ch
56323 "or drop the export.\n",
56324 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
56326 + case DATA_TO_TEXT:
56329 + "The variable %s references\n"
56330 + "the %s %s%s%s\n",
56331 + fromsym, to, sec2annotation(tosec), tosym, to_p);
56335 fprintf(stderr, "\n");
56337 @@ -1629,7 +1644,7 @@ void __attribute__((format(printf, 2, 3)
56341 -void buf_write(struct buffer *buf, const char *s, int len)
56342 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
56344 if (buf->size - buf->pos < len) {
56345 buf->size += len + SZ;
56346 @@ -1841,7 +1856,7 @@ static void write_if_changed(struct buff
56347 if (fstat(fileno(file), &st) < 0)
56350 - if (st.st_size != b->pos)
56351 + if (st.st_size != (off_t)b->pos)
56354 tmp = NOFAIL(malloc(b->pos));
56355 diff -urNp linux-2.6.35.7/scripts/mod/modpost.h linux-2.6.35.7/scripts/mod/modpost.h
56356 --- linux-2.6.35.7/scripts/mod/modpost.h 2010-08-26 19:47:12.000000000 -0400
56357 +++ linux-2.6.35.7/scripts/mod/modpost.h 2010-09-17 20:12:09.000000000 -0400
56358 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
56364 + unsigned int pos;
56365 + unsigned int size;
56368 void __attribute__((format(printf, 2, 3)))
56369 buf_printf(struct buffer *buf, const char *fmt, ...);
56372 -buf_write(struct buffer *buf, const char *s, int len);
56373 +buf_write(struct buffer *buf, const char *s, unsigned int len);
56376 struct module *next;
56377 diff -urNp linux-2.6.35.7/scripts/mod/sumversion.c linux-2.6.35.7/scripts/mod/sumversion.c
56378 --- linux-2.6.35.7/scripts/mod/sumversion.c 2010-08-26 19:47:12.000000000 -0400
56379 +++ linux-2.6.35.7/scripts/mod/sumversion.c 2010-09-17 20:12:09.000000000 -0400
56380 @@ -455,7 +455,7 @@ static void write_version(const char *fi
56384 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
56385 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
56386 warn("writing sum in %s failed: %s\n",
56387 filename, strerror(errno));
56389 diff -urNp linux-2.6.35.7/scripts/pnmtologo.c linux-2.6.35.7/scripts/pnmtologo.c
56390 --- linux-2.6.35.7/scripts/pnmtologo.c 2010-08-26 19:47:12.000000000 -0400
56391 +++ linux-2.6.35.7/scripts/pnmtologo.c 2010-09-17 20:12:09.000000000 -0400
56392 @@ -237,14 +237,14 @@ static void write_header(void)
56393 fprintf(out, " * Linux logo %s\n", logoname);
56394 fputs(" */\n\n", out);
56395 fputs("#include <linux/linux_logo.h>\n\n", out);
56396 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
56397 + fprintf(out, "static unsigned char %s_data[] = {\n",
56401 static void write_footer(void)
56403 fputs("\n};\n\n", out);
56404 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
56405 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
56406 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
56407 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
56408 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
56409 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
56410 fputs("\n};\n\n", out);
56412 /* write logo clut */
56413 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
56414 + fprintf(out, "static unsigned char %s_clut[] = {\n",
56417 for (i = 0; i < logo_clutsize; i++) {
56418 diff -urNp linux-2.6.35.7/security/commoncap.c linux-2.6.35.7/security/commoncap.c
56419 --- linux-2.6.35.7/security/commoncap.c 2010-08-26 19:47:12.000000000 -0400
56420 +++ linux-2.6.35.7/security/commoncap.c 2010-09-17 20:12:37.000000000 -0400
56422 #include <linux/securebits.h>
56423 #include <linux/syslog.h>
56424 #include <linux/vs_context.h>
56425 +#include <net/sock.h>
56428 * If a non-root user executes a setuid-root binary in
56429 @@ -51,9 +52,11 @@ static void warn_setuid_and_fcaps_mixed(
56433 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
56435 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
56437 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
56438 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
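Review bot: `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is declared inside commoncap.c rather than in a header shared with its definition, so a later change to the helper's signature would not produce a compile error here. Moving the prototype into a header that both files include would let the compiler check the call in `cap_netlink_send`. Separately, the value stored in `NETLINK_CB(skb).eff_cap` now comes entirely from that helper instead of `current_cap()`; a comment stating what it returns for sockets it does not restrict would help, since the helper is defined outside this hunk.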
56442 diff -urNp linux-2.6.35.7/security/integrity/ima/ima_api.c linux-2.6.35.7/security/integrity/ima/ima_api.c
56443 --- linux-2.6.35.7/security/integrity/ima/ima_api.c 2010-08-26 19:47:12.000000000 -0400
56444 +++ linux-2.6.35.7/security/integrity/ima/ima_api.c 2010-09-17 20:12:09.000000000 -0400
56445 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
56448 /* can overflow, only indicator */
56449 - atomic_long_inc(&ima_htable.violations);
56450 + atomic_long_inc_unchecked(&ima_htable.violations);
56452 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
56454 diff -urNp linux-2.6.35.7/security/integrity/ima/ima_fs.c linux-2.6.35.7/security/integrity/ima/ima_fs.c
56455 --- linux-2.6.35.7/security/integrity/ima/ima_fs.c 2010-08-26 19:47:12.000000000 -0400
56456 +++ linux-2.6.35.7/security/integrity/ima/ima_fs.c 2010-09-17 20:12:09.000000000 -0400
56457 @@ -28,12 +28,12 @@
56458 static int valid_policy = 1;
56459 #define TMPBUFLEN 12
56460 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
56461 - loff_t *ppos, atomic_long_t *val)
56462 + loff_t *ppos, atomic_long_unchecked_t *val)
56464 char tmpbuf[TMPBUFLEN];
56467 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
56468 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
56469 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
56472 diff -urNp linux-2.6.35.7/security/integrity/ima/ima.h linux-2.6.35.7/security/integrity/ima/ima.h
56473 --- linux-2.6.35.7/security/integrity/ima/ima.h 2010-09-20 17:33:09.000000000 -0400
56474 +++ linux-2.6.35.7/security/integrity/ima/ima.h 2010-09-20 17:33:37.000000000 -0400
56475 @@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
56476 extern spinlock_t ima_queue_lock;
56478 struct ima_h_table {
56479 - atomic_long_t len; /* number of stored measurements in the list */
56480 - atomic_long_t violations;
56481 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
56482 + atomic_long_unchecked_t violations;
56483 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
56485 extern struct ima_h_table ima_htable;
56486 diff -urNp linux-2.6.35.7/security/integrity/ima/ima_queue.c linux-2.6.35.7/security/integrity/ima/ima_queue.c
56487 --- linux-2.6.35.7/security/integrity/ima/ima_queue.c 2010-08-26 19:47:12.000000000 -0400
56488 +++ linux-2.6.35.7/security/integrity/ima/ima_queue.c 2010-09-17 20:12:09.000000000 -0400
56489 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
56490 INIT_LIST_HEAD(&qe->later);
56491 list_add_tail_rcu(&qe->later, &ima_measurements);
56493 - atomic_long_inc(&ima_htable.len);
56494 + atomic_long_inc_unchecked(&ima_htable.len);
56495 key = ima_hash_key(entry->digest);
56496 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
56498 diff -urNp linux-2.6.35.7/security/Kconfig linux-2.6.35.7/security/Kconfig
56499 --- linux-2.6.35.7/security/Kconfig 2010-08-26 19:47:12.000000000 -0400
56500 +++ linux-2.6.35.7/security/Kconfig 2010-09-17 20:12:37.000000000 -0400
56503 menu "Security options"
56505 +source grsecurity/Kconfig
56509 + config PAX_PER_CPU_PGD
56512 + config TASK_SIZE_MAX_SHIFT
56514 + depends on X86_64
56515 + default 47 if !PAX_PER_CPU_PGD
56516 + default 42 if PAX_PER_CPU_PGD
56518 + config PAX_ENABLE_PAE
56520 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
56523 + bool "Enable various PaX features"
56524 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
56526 + This allows you to enable various PaX features. PaX adds
56527 + intrusion prevention mechanisms to the kernel that reduce
56528 + the risks posed by exploitable memory corruption bugs.
56530 +menu "PaX Control"
56533 +config PAX_SOFTMODE
56534 + bool 'Support soft mode'
56535 + select PAX_PT_PAX_FLAGS
56537 + Enabling this option will allow you to run PaX in soft mode, that
56538 + is, PaX features will not be enforced by default, only on executables
56539 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
56540 + is the only way to mark executables for soft mode use.
56542 + Soft mode can be activated by using the "pax_softmode=1" kernel command
56543 + line option on boot. Furthermore you can control various PaX features
56544 + at runtime via the entries in /proc/sys/kernel/pax.
56547 + bool 'Use legacy ELF header marking'
56549 + Enabling this option will allow you to control PaX features on
56550 + a per executable basis via the 'chpax' utility available at
56551 + http://pax.grsecurity.net/. The control flags will be read from
56552 + an otherwise reserved part of the ELF header. This marking has
56553 + numerous drawbacks (no support for soft-mode, toolchain does not
56554 + know about the non-standard use of the ELF header) therefore it
56555 + has been deprecated in favour of PT_PAX_FLAGS support.
56557 + If you have applications not marked by the PT_PAX_FLAGS ELF
56558 + program header then you MUST enable this option otherwise they
56559 + will not get any protection.
56561 + Note that if you enable PT_PAX_FLAGS marking support as well,
56562 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
56564 +config PAX_PT_PAX_FLAGS
56565 + bool 'Use ELF program header marking'
56567 + Enabling this option will allow you to control PaX features on
56568 + a per executable basis via the 'paxctl' utility available at
56569 + http://pax.grsecurity.net/. The control flags will be read from
56570 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
56571 + has the benefits of supporting both soft mode and being fully
56572 + integrated into the toolchain (the binutils patch is available
56573 + from http://pax.grsecurity.net).
56575 + If you have applications not marked by the PT_PAX_FLAGS ELF
56576 + program header then you MUST enable the EI_PAX marking support
56577 + otherwise they will not get any protection.
56579 + Note that if you enable the legacy EI_PAX marking support as well,
56580 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
56583 + prompt 'MAC system integration'
56584 + default PAX_HAVE_ACL_FLAGS
56586 + Mandatory Access Control systems have the option of controlling
56587 + PaX flags on a per executable basis, choose the method supported
56588 + by your particular system.
56590 + - "none": if your MAC system does not interact with PaX,
56591 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
56592 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
56594 + NOTE: this option is for developers/integrators only.
56596 + config PAX_NO_ACL_FLAGS
56599 + config PAX_HAVE_ACL_FLAGS
56602 + config PAX_HOOK_ACL_FLAGS
56608 +menu "Non-executable pages"
56612 + bool "Enforce non-executable pages"
56613 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
56615 + By design some architectures do not allow for protecting memory
56616 + pages against execution or even if they do, Linux does not make
56617 + use of this feature. In practice this means that if a page is
56618 + readable (such as the stack or heap) it is also executable.
56620 + There is a well known exploit technique that makes use of this
56621 + fact and a common programming mistake where an attacker can
56622 + introduce code of his choice somewhere in the attacked program's
56623 + memory (typically the stack or the heap) and then execute it.
56625 + If the attacked program was running with different (typically
56626 + higher) privileges than that of the attacker, then he can elevate
56627 + his own privilege level (e.g. get a root shell, write to files for
56628 + which he does not have write access to, etc).
56630 + Enabling this option will let you choose from various features
56631 + that prevent the injection and execution of 'foreign' code in
56634 + This will also break programs that rely on the old behaviour and
56635 + expect that dynamically allocated memory via the malloc() family
56636 + of functions is executable (which it is not). Notable examples
56637 + are the XFree86 4.x server, the java runtime and wine.
56639 +config PAX_PAGEEXEC
56640 + bool "Paging based non-executable pages"
56641 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
56642 + select S390_SWITCH_AMODE if S390
56643 + select S390_EXEC_PROTECT if S390
56645 + This implementation is based on the paging feature of the CPU.
56646 + On i386 without hardware non-executable bit support there is a
56647 + variable but usually low performance impact, however on Intel's
56648 + P4 core based CPUs it is very high so you should not enable this
56649 + for kernels meant to be used on such CPUs.
56651 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
56652 + with hardware non-executable bit support there is no performance
56653 + impact, on ppc the impact is negligible.
56655 + Note that several architectures require various emulations due to
56656 + badly designed userland ABIs, this will cause a performance impact
56657 + but will disappear as soon as userland is fixed. For example, ppc
56658 + userland MUST have been built with secure-plt by a recent toolchain.
56660 +config PAX_SEGMEXEC
56661 + bool "Segmentation based non-executable pages"
56662 + depends on PAX_NOEXEC && X86_32
56664 + This implementation is based on the segmentation feature of the
56665 + CPU and has a very small performance impact, however applications
56666 + will be limited to a 1.5 GB address space instead of the normal
56669 +config PAX_EMUTRAMP
56670 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
56671 + default y if PARISC
56673 + There are some programs and libraries that for one reason or
56674 + another attempt to execute special small code snippets from
56675 + non-executable memory pages. Most notable examples are the
56676 + signal handler return code generated by the kernel itself and
56677 + the GCC trampolines.
56679 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
56680 + such programs will no longer work under your kernel.
56682 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
56683 + utilities to enable trampoline emulation for the affected programs
56684 + yet still have the protection provided by the non-executable pages.
56686 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
56687 + your system will not even boot.
56689 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
56690 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
56691 + for the affected files.
56693 + NOTE: enabling this feature *may* open up a loophole in the
56694 + protection provided by non-executable pages that an attacker
56695 + could abuse. Therefore the best solution is to not have any
56696 + files on your system that would require this option. This can
56697 + be achieved by not using libc5 (which relies on the kernel
56698 + signal handler return code) and not using or rewriting programs
56699 + that make use of the nested function implementation of GCC.
56700 + Skilled users can just fix GCC itself so that it implements
56701 + nested function calls in a way that does not interfere with PaX.
56703 +config PAX_EMUSIGRT
56704 + bool "Automatically emulate sigreturn trampolines"
56705 + depends on PAX_EMUTRAMP && PARISC
56708 + Enabling this option will have the kernel automatically detect
56709 + and emulate signal return trampolines executing on the stack
56710 + that would otherwise lead to task termination.
56712 + This solution is intended as a temporary one for users with
56713 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
56714 + Modula-3 runtime, etc) or executables linked to such, basically
56715 + everything that does not specify its own SA_RESTORER function in
56716 + normal executable memory like glibc 2.1+ does.
56718 + On parisc you MUST enable this option, otherwise your system will
56721 + NOTE: this feature cannot be disabled on a per executable basis
56722 + and since it *does* open up a loophole in the protection provided
56723 + by non-executable pages, the best solution is to not have any
56724 + files on your system that would require this option.
56726 +config PAX_MPROTECT
56727 + bool "Restrict mprotect()"
56728 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
56730 + Enabling this option will prevent programs from
56731 + - changing the executable status of memory pages that were
56732 + not originally created as executable,
56733 + - making read-only executable pages writable again,
56734 + - creating executable pages from anonymous memory,
56735 + - making read-only-after-relocations (RELRO) data pages writable again.
56737 + You should say Y here to complete the protection provided by
56738 + the enforcement of non-executable pages.
56740 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
56741 + this feature on a per file basis.
56743 +config PAX_ELFRELOCS
56744 + bool "Allow ELF text relocations (read help)"
56745 + depends on PAX_MPROTECT
56748 + Non-executable pages and mprotect() restrictions are effective
56749 + in preventing the introduction of new executable code into an
56750 + attacked task's address space. There remain only two venues
56751 + for this kind of attack: if the attacker can execute already
56752 + existing code in the attacked task then he can either have it
56753 + create and mmap() a file containing his code or have it mmap()
56754 + an already existing ELF library that does not have position
56755 + independent code in it and use mprotect() on it to make it
56756 + writable and copy his code there. While protecting against
56757 + the former approach is beyond PaX, the latter can be prevented
56758 + by having only PIC ELF libraries on one's system (which do not
56759 + need to relocate their code). If you are sure this is your case,
56760 + as is the case with all modern Linux distributions, then leave
56761 + this option disabled. You should say 'n' here.
56763 +config PAX_ETEXECRELOCS
56764 + bool "Allow ELF ET_EXEC text relocations"
56765 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
56766 + select PAX_ELFRELOCS
56769 + On some architectures there are incorrectly created applications
56770 + that require text relocations and would not work without enabling
56771 + this option. If you are an alpha, ia64 or parisc user, you should
56772 + enable this option and disable it once you have made sure that
56773 + none of your applications need it.
56776 + bool "Automatically emulate ELF PLT"
56777 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
56780 + Enabling this option will have the kernel automatically detect
56781 + and emulate the Procedure Linkage Table entries in ELF files.
56782 + On some architectures such entries are in writable memory, and
56783 + become non-executable leading to task termination. Therefore
56784 + it is mandatory that you enable this option on alpha, parisc,
56785 + sparc and sparc64, otherwise your system would not even boot.
56787 + NOTE: this feature *does* open up a loophole in the protection
56788 + provided by the non-executable pages, therefore the proper
56789 + solution is to modify the toolchain to produce a PLT that does
56790 + not need to be writable.
56792 +config PAX_DLRESOLVE
56793 + bool 'Emulate old glibc resolver stub'
56794 + depends on PAX_EMUPLT && SPARC
56797 + This option is needed if userland has an old glibc (before 2.4)
56798 + that puts a 'save' instruction into the runtime generated resolver
56799 + stub that needs special emulation.
56801 +config PAX_KERNEXEC
56802 + bool "Enforce non-executable kernel pages"
56803 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
56804 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
56806 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
56807 + that is, enabling this option will make it harder to inject
56808 + and execute 'foreign' code in kernel memory itself.
56810 +config PAX_KERNEXEC_MODULE_TEXT
56811 + int "Minimum amount of memory reserved for module code"
56813 + depends on PAX_KERNEXEC && X86_32 && MODULES
56815 + Due to implementation details the kernel must reserve a fixed
56816 + amount of memory for module code at compile time that cannot be
56817 + changed at runtime. Here you can specify the minimum amount
56818 + in MB that will be reserved. Due to the same implementation
56819 + details this size will always be rounded up to the next 2/4 MB
56820 + boundary (depends on PAE) so the actually available memory for
56821 + module code will usually be more than this minimum.
56823 + The default 4 MB should be enough for most users but if you have
56824 + an excessive number of modules (e.g., most distribution configs
56825 + compile many drivers as modules) or use huge modules such as
56826 + nvidia's kernel driver, you will need to adjust this amount.
56827 + A good rule of thumb is to look at your currently loaded kernel
56828 + modules and add up their sizes.
56832 +menu "Address Space Layout Randomization"
56836 + bool "Address Space Layout Randomization"
56837 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
56839 + Many if not most exploit techniques rely on the knowledge of
56840 + certain addresses in the attacked program. The following options
56841 + will allow the kernel to apply a certain amount of randomization
56842 + to specific parts of the program thereby forcing an attacker to
56843 + guess them in most cases. Any failed guess will most likely crash
56844 + the attacked program which allows the kernel to detect such attempts
56845 + and react on them. PaX itself provides no reaction mechanisms,
56846 + instead it is strongly encouraged that you make use of Nergal's
56847 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
56848 + (http://www.grsecurity.net/) built-in crash detection features or
56849 + develop one yourself.
56851 + By saying Y here you can choose to randomize the following areas:
56852 + - top of the task's kernel stack
56853 + - top of the task's userland stack
56854 + - base address for mmap() requests that do not specify one
56855 + (this includes all libraries)
56856 + - base address of the main executable
56858 + It is strongly recommended to say Y here as address space layout
56859 + randomization has negligible impact on performance yet it provides
56860 + a very effective protection.
56862 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
56863 + this feature on a per file basis.
56865 +config PAX_RANDKSTACK
56866 + bool "Randomize kernel stack base"
56867 + depends on PAX_ASLR && X86_TSC && X86_32
56869 + By saying Y here the kernel will randomize every task's kernel
56870 + stack on every system call. This will not only force an attacker
56871 + to guess it but also prevent him from making use of possible
56872 + leaked information about it.
56874 + Since the kernel stack is a rather scarce resource, randomization
56875 + may cause unexpected stack overflows, therefore you should very
56876 + carefully test your system. Note that once enabled in the kernel
56877 + configuration, this feature cannot be disabled on a per file basis.
56879 +config PAX_RANDUSTACK
56880 + bool "Randomize user stack base"
56881 + depends on PAX_ASLR
56883 + By saying Y here the kernel will randomize every task's userland
56884 + stack. The randomization is done in two steps where the second
56885 + one may apply a big amount of shift to the top of the stack and
56886 + cause problems for programs that want to use lots of memory (more
56887 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
56888 + For this reason the second step can be controlled by 'chpax' or
56889 + 'paxctl' on a per file basis.
56891 +config PAX_RANDMMAP
56892 + bool "Randomize mmap() base"
56893 + depends on PAX_ASLR
56895 + By saying Y here the kernel will use a randomized base address for
56896 + mmap() requests that do not specify one themselves. As a result
56897 + all dynamically loaded libraries will appear at random addresses
56898 + and therefore be harder to exploit by a technique where an attacker
56899 + attempts to execute library code for his purposes (e.g. spawn a
56900 + shell from an exploited program that is running at an elevated
56901 + privilege level).
56903 + Furthermore, if a program is relinked as a dynamic ELF file, its
56904 + base address will be randomized as well, completing the full
56905 + randomization of the address space layout. Attacking such programs
56906 + becomes a guess game. You can find an example of doing this at
56907 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
56908 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
56910 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
56911 + feature on a per file basis.
56915 +menu "Miscellaneous hardening features"
56917 +config PAX_MEMORY_SANITIZE
56918 + bool "Sanitize all freed memory"
56920 + By saying Y here the kernel will erase memory pages as soon as they
56921 + are freed. This in turn reduces the lifetime of data stored in the
56922 + pages, making it less likely that sensitive information such as
56923 + passwords, cryptographic secrets, etc stay in memory for too long.
56925 + This is especially useful for programs whose runtime is short, long
56926 + lived processes and the kernel itself benefit from this as long as
56927 + they operate on whole memory pages and ensure timely freeing of pages
56928 + that may hold sensitive information.
56930 + The tradeoff is performance impact, on a single CPU system kernel
56931 + compilation sees a 3% slowdown, other systems and workloads may vary
56932 + and you are advised to test this feature on your expected workload
56933 + before deploying it.
56935 + Note that this feature does not protect data stored in live pages,
56936 + e.g., process memory swapped to disk may stay there for a long time.
56938 +config PAX_MEMORY_UDEREF
56939 + bool "Prevent invalid userland pointer dereference"
56940 + depends on X86 && !UML_X86 && !XEN
56941 + select PAX_PER_CPU_PGD if X86_64
56943 + By saying Y here the kernel will be prevented from dereferencing
56944 + userland pointers in contexts where the kernel expects only kernel
56945 + pointers. This is both a useful runtime debugging feature and a
56946 + security measure that prevents exploiting a class of kernel bugs.
56948 + The tradeoff is that some virtualization solutions may experience
56949 + a huge slowdown and therefore you should not enable this feature
56950 + for kernels meant to run in such environments. Whether a given VM
56951 + solution is affected or not is best determined by simply trying it
56952 + out, the performance impact will be obvious right on boot as this
56953 + mechanism engages from very early on. A good rule of thumb is that
56954 + VMs running on CPUs without hardware virtualization support (i.e.,
56955 + the majority of IA-32 CPUs) will likely experience the slowdown.
56957 +config PAX_REFCOUNT
56958 + bool "Prevent various kernel object reference counter overflows"
56959 + depends on GRKERNSEC && (X86 || SPARC64)
56961 + By saying Y here the kernel will detect and prevent overflowing
56962 + various (but not all) kinds of object reference counters. Such
56963 + overflows can normally occur due to bugs only and are often, if
56964 + not always, exploitable.
56966 + The tradeoff is that data structures protected by an overflowed
56967 + refcount will never be freed and therefore will leak memory. Note
56968 + that this leak also happens even without this protection but in
56969 + that case the overflow can eventually trigger the freeing of the
56970 + data structure while it is still being used elsewhere, resulting
56971 + in the exploitable situation that this feature prevents.
56973 + Since this has a negligible performance impact, you should enable
56976 +config PAX_USERCOPY
56977 + bool "Bounds check heap object copies between kernel and userland"
56978 + depends on X86 || PPC || SPARC
56979 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
56981 + By saying Y here the kernel will enforce the size of heap objects
56982 + when they are copied in either direction between the kernel and
56983 + userland, even if only a part of the heap object is copied.
56985 + Specifically, this checking prevents information leaking from the
56986 + kernel heap during kernel to userland copies (if the kernel heap
56987 + object is otherwise fully initialized) and prevents kernel heap
56988 + overflows during userland to kernel copies.
56990 + Note that the current implementation provides the strictest checks
56991 + for the SLUB allocator.
56993 + If frame pointers are enabled on x86, this option will also
56994 + restrict copies into and out of the kernel stack to local variables
56995 + within a single frame.
56997 + Since this has a negligible performance impact, you should enable
57005 bool "Enable access key retention support"
57007 @@ -124,7 +623,7 @@ config INTEL_TXT
57008 config LSM_MMAP_MIN_ADDR
57009 int "Low address space for LSM to protect from user allocation"
57010 depends on SECURITY && SECURITY_SELINUX
57014 This is the portion of low virtual memory which should be protected
57015 from userspace allocation. Keeping a user from writing to low pages
57016 diff -urNp linux-2.6.35.7/security/min_addr.c linux-2.6.35.7/security/min_addr.c
57017 --- linux-2.6.35.7/security/min_addr.c 2010-08-26 19:47:12.000000000 -0400
57018 +++ linux-2.6.35.7/security/min_addr.c 2010-09-17 20:12:37.000000000 -0400
57019 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
57021 static void update_mmap_min_addr(void)
57024 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
57025 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
57026 mmap_min_addr = dac_mmap_min_addr;
57027 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
57029 mmap_min_addr = dac_mmap_min_addr;
57035 diff -urNp linux-2.6.35.7/security/security.c linux-2.6.35.7/security/security.c
57036 --- linux-2.6.35.7/security/security.c 2010-08-26 19:47:12.000000000 -0400
57037 +++ linux-2.6.35.7/security/security.c 2010-09-17 20:12:37.000000000 -0400
57038 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
57039 /* things that live in capability.c */
57040 extern void __init security_fixup_ops(struct security_operations *ops);
57042 -static struct security_operations *security_ops;
57043 -static struct security_operations default_security_ops = {
57044 +static struct security_operations *security_ops __read_only;
57045 +static struct security_operations default_security_ops __read_only = {
57049 @@ -67,7 +67,9 @@ int __init security_init(void)
57051 void reset_security_ops(void)
57053 + pax_open_kernel();
57054 security_ops = &default_security_ops;
57055 + pax_close_kernel();
57058 /* Save user chosen LSM */
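Review bot: The pax_open_kernel()/pax_close_kernel() pair in reset_security_ops() has no comment, so a reader of this function alone cannot tell that it is required because the earlier hunk marks security_ops as `__read_only`. I would add `/* security_ops is __read_only: lift write protection for this single store only */` above pax_open_kernel(), which also records that nothing else belongs inside the window. Any other store to security_ops that can run after init would need the same bracket; no such writer is visible in this diff, so that should be confirmed against the full file. reset_security_ops() begins and ends outside the lines shown here.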
57059 diff -urNp linux-2.6.35.7/security/selinux/hooks.c linux-2.6.35.7/security/selinux/hooks.c
57060 --- linux-2.6.35.7/security/selinux/hooks.c 2010-08-26 19:47:12.000000000 -0400
57061 +++ linux-2.6.35.7/security/selinux/hooks.c 2010-09-17 20:12:37.000000000 -0400
57063 #define NUM_SEL_MNT_OPTS 5
57065 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
57066 -extern struct security_operations *security_ops;
57068 /* SECMARK reference count */
57069 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
57070 @@ -5428,7 +5427,7 @@ static int selinux_key_getsecurity(struc
57074 -static struct security_operations selinux_ops = {
57075 +static struct security_operations selinux_ops __read_only = {
57078 .ptrace_access_check = selinux_ptrace_access_check,
57079 diff -urNp linux-2.6.35.7/security/smack/smack_lsm.c linux-2.6.35.7/security/smack/smack_lsm.c
57080 --- linux-2.6.35.7/security/smack/smack_lsm.c 2010-08-26 19:47:12.000000000 -0400
57081 +++ linux-2.6.35.7/security/smack/smack_lsm.c 2010-09-17 20:12:09.000000000 -0400
57082 @@ -3064,7 +3064,7 @@ static int smack_inode_getsecctx(struct
57086 -struct security_operations smack_ops = {
57087 +struct security_operations smack_ops __read_only = {
57090 .ptrace_access_check = smack_ptrace_access_check,
57091 diff -urNp linux-2.6.35.7/security/tomoyo/tomoyo.c linux-2.6.35.7/security/tomoyo/tomoyo.c
57092 --- linux-2.6.35.7/security/tomoyo/tomoyo.c 2010-08-26 19:47:12.000000000 -0400
57093 +++ linux-2.6.35.7/security/tomoyo/tomoyo.c 2010-09-17 20:12:09.000000000 -0400
57094 @@ -235,7 +235,7 @@ static int tomoyo_sb_pivotroot(struct pa
57095 * tomoyo_security_ops is a "struct security_operations" which is used for
57096 * registering TOMOYO.
57098 -static struct security_operations tomoyo_security_ops = {
57099 +static struct security_operations tomoyo_security_ops __read_only = {
57101 .cred_alloc_blank = tomoyo_cred_alloc_blank,
57102 .cred_prepare = tomoyo_cred_prepare,
57103 diff -urNp linux-2.6.35.7/sound/aoa/codecs/onyx.c linux-2.6.35.7/sound/aoa/codecs/onyx.c
57104 --- linux-2.6.35.7/sound/aoa/codecs/onyx.c 2010-08-26 19:47:12.000000000 -0400
57105 +++ linux-2.6.35.7/sound/aoa/codecs/onyx.c 2010-09-17 20:12:09.000000000 -0400
57106 @@ -54,7 +54,7 @@ struct onyx {
57111 + atomic_t open_count;
57112 struct codec_info *codec_info;
57114 /* mutex serializes concurrent access to the device
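Review bot: The new `atomic_t open_count` field carries no comment, and in the onyx_open and onyx_close hunks below it is only modified between mutex_lock(&onyx->mutex) and mutex_unlock(&onyx->mutex), so the atomic type is not what provides mutual exclusion here. The conversion is presumably there so the counter goes through the overflow-checked atomic operations that the PAX_REFCOUNT help text describes. A line such as `/* atomic_t for overflow-checked counting; updates are still serialized by mutex */` at the field would stop a later reader from dropping the lock on the assumption that the atomics suffice. In onyx_close the reset of spdif_locked and analog_locked still depends on the mutex, not on atomic_dec_and_test() alone.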
57115 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
57116 struct onyx *onyx = cii->codec_data;
57118 mutex_lock(&onyx->mutex);
57119 - onyx->open_count++;
57120 + atomic_inc(&onyx->open_count);
57121 mutex_unlock(&onyx->mutex);
57124 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
57125 struct onyx *onyx = cii->codec_data;
57127 mutex_lock(&onyx->mutex);
57128 - onyx->open_count--;
57129 - if (!onyx->open_count)
57130 + if (atomic_dec_and_test(&onyx->open_count))
57131 onyx->spdif_locked = onyx->analog_locked = 0;
57132 mutex_unlock(&onyx->mutex);
57134 diff -urNp linux-2.6.35.7/sound/core/control.c linux-2.6.35.7/sound/core/control.c
57135 --- linux-2.6.35.7/sound/core/control.c 2010-08-26 19:47:12.000000000 -0400
57136 +++ linux-2.6.35.7/sound/core/control.c 2010-10-12 10:28:04.000000000 -0400
57139 /* max number of user-defined controls */
57140 #define MAX_USER_CONTROLS 32
57141 +#define MAX_CONTROL_COUNT 1028
57143 struct snd_kctl_ioctl {
57144 struct list_head list; /* list of all ioctls */
57145 @@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(
57147 if (snd_BUG_ON(!control || !control->count))
57150 + if (control->count > MAX_CONTROL_COUNT)
57153 kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
57154 if (kctl == NULL) {
57155 snd_printk(KERN_ERR "Cannot allocate control instance\n");
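Review bot: MAX_CONTROL_COUNT is introduced as a bare 1028, and the new `if (control->count > MAX_CONTROL_COUNT)` test in snd_ctl_new() has no comment. A reader therefore cannot tell that it apparently exists to bound the size expression `sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count` handed to kzalloc() on the next line. I would add `/* bound count so the kzalloc() size computed below cannot wrap */` above the test, and a short remark at the #define on how 1028 was chosen. The statement executed when the test fires is not shown in this view, so confirm that it fails the call rather than clamping the count. snd_ctl_new() starts and ends outside the hunk.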
57156 diff -urNp linux-2.6.35.7/sound/core/oss/pcm_oss.c linux-2.6.35.7/sound/core/oss/pcm_oss.c
57157 --- linux-2.6.35.7/sound/core/oss/pcm_oss.c 2010-08-26 19:47:12.000000000 -0400
57158 +++ linux-2.6.35.7/sound/core/oss/pcm_oss.c 2010-09-17 20:12:09.000000000 -0400
57159 @@ -2966,8 +2966,8 @@ static void snd_pcm_oss_proc_done(struct
57162 #else /* !CONFIG_SND_VERBOSE_PROCFS */
57163 -#define snd_pcm_oss_proc_init(pcm)
57164 -#define snd_pcm_oss_proc_done(pcm)
57165 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
57166 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
57167 #endif /* CONFIG_SND_VERBOSE_PROCFS */
57170 diff -urNp linux-2.6.35.7/sound/core/seq/seq_lock.h linux-2.6.35.7/sound/core/seq/seq_lock.h
57171 --- linux-2.6.35.7/sound/core/seq/seq_lock.h 2010-08-26 19:47:12.000000000 -0400
57172 +++ linux-2.6.35.7/sound/core/seq/seq_lock.h 2010-09-17 20:12:09.000000000 -0400
57173 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
57174 #else /* SMP || CONFIG_SND_DEBUG */
57176 typedef spinlock_t snd_use_lock_t; /* dummy */
57177 -#define snd_use_lock_init(lockp) /**/
57178 -#define snd_use_lock_use(lockp) /**/
57179 -#define snd_use_lock_free(lockp) /**/
57180 -#define snd_use_lock_sync(lockp) /**/
57181 +#define snd_use_lock_init(lockp) do {} while (0)
57182 +#define snd_use_lock_use(lockp) do {} while (0)
57183 +#define snd_use_lock_free(lockp) do {} while (0)
57184 +#define snd_use_lock_sync(lockp) do {} while (0)
57186 #endif /* SMP || CONFIG_SND_DEBUG */
57188 diff -urNp linux-2.6.35.7/sound/drivers/mts64.c linux-2.6.35.7/sound/drivers/mts64.c
57189 --- linux-2.6.35.7/sound/drivers/mts64.c 2010-08-26 19:47:12.000000000 -0400
57190 +++ linux-2.6.35.7/sound/drivers/mts64.c 2010-09-17 20:12:09.000000000 -0400
57191 @@ -66,7 +66,7 @@ struct mts64 {
57192 struct pardevice *pardev;
57193 int pardev_claimed;
57196 + atomic_t open_count;
57197 int current_midi_output_port;
57198 int current_midi_input_port;
57199 u8 mode[MTS64_NUM_INPUT_PORTS];
57200 @@ -696,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
57202 struct mts64 *mts = substream->rmidi->private_data;
57204 - if (mts->open_count == 0) {
57205 + if (atomic_read(&mts->open_count) == 0) {
57206 /* We don't need a spinlock here, because this is just called
57207 if the device has not been opened before.
57208 So there aren't any IRQs from the device */
57209 @@ -704,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
57213 - ++(mts->open_count);
57214 + atomic_inc(&mts->open_count);
57218 @@ -714,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
57219 struct mts64 *mts = substream->rmidi->private_data;
57220 unsigned long flags;
57222 - --(mts->open_count);
57223 - if (mts->open_count == 0) {
57224 + if (atomic_dec_return(&mts->open_count) == 0) {
57225 /* We need the spinlock_irqsave here because we can still
57226 have IRQs at this point */
57227 spin_lock_irqsave(&mts->lock, flags);
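Review bot: The close path now touches open_count up to three times (atomic_dec_return() here, then atomic_read() and atomic_set() in the following @@ -724 hunk). The value tested for `< 0` is therefore not necessarily the one this decrement produced if another open or close runs in between. Keeping the result in a local makes both branch decisions use the same value: `int cnt = atomic_dec_return(&mts->open_count);`, then `if (cnt == 0) {` and `} else if (cnt < 0)`. The atomic_read()/atomic_inc() pair in the two snd_mts64_rawmidi_open hunks has the same check-then-act shape and relies on the assumption, stated in the existing comment, that the first open is not concurrent with anything else. snd_mts64_rawmidi_close continues outside this hunk.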
57228 @@ -724,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
57232 - } else if (mts->open_count < 0)
57233 - mts->open_count = 0;
57234 + } else if (atomic_read(&mts->open_count) < 0)
57235 + atomic_set(&mts->open_count, 0);
57239 diff -urNp linux-2.6.35.7/sound/drivers/portman2x4.c linux-2.6.35.7/sound/drivers/portman2x4.c
57240 --- linux-2.6.35.7/sound/drivers/portman2x4.c 2010-08-26 19:47:12.000000000 -0400
57241 +++ linux-2.6.35.7/sound/drivers/portman2x4.c 2010-09-17 20:12:09.000000000 -0400
57242 @@ -84,7 +84,7 @@ struct portman {
57243 struct pardevice *pardev;
57244 int pardev_claimed;
57247 + atomic_t open_count;
57248 int mode[PORTMAN_NUM_INPUT_PORTS];
57249 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
57251 diff -urNp linux-2.6.35.7/sound/oss/sb_audio.c linux-2.6.35.7/sound/oss/sb_audio.c
57252 --- linux-2.6.35.7/sound/oss/sb_audio.c 2010-08-26 19:47:12.000000000 -0400
57253 +++ linux-2.6.35.7/sound/oss/sb_audio.c 2010-09-17 20:12:09.000000000 -0400
57254 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
57255 buf16 = (signed short *)(localbuf + localoffs);
57258 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
57259 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
57260 if (copy_from_user(lbuf8,
57261 userbuf+useroffs + p,
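Review bot: Nothing on the new `locallen` line explains the `(unsigned)c` cast. Assuming c is a signed int, it makes a negative c select LBUFCOPYSIZE instead of flowing into locallen unchanged. I would add `/* compare as unsigned: a negative c must never become the copy length */` above the assignment. A negative count is then still processed as a full LBUFCOPYSIZE chunk rather than rejected, so if callers can pass one it would be cleaner to return early on `c < 0` before the loop; the type and origin of c are outside the hunk and need confirming. sb16_copy_from_user() starts and ends outside the lines shown.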
57263 diff -urNp linux-2.6.35.7/sound/oss/soundcard.c linux-2.6.35.7/sound/oss/soundcard.c
57264 --- linux-2.6.35.7/sound/oss/soundcard.c 2010-08-26 19:47:12.000000000 -0400
57265 +++ linux-2.6.35.7/sound/oss/soundcard.c 2010-10-11 22:44:36.000000000 -0400
57266 @@ -389,11 +389,11 @@ static long sound_ioctl(struct file *fil
57268 case SND_DEV_DSP16:
57269 case SND_DEV_AUDIO:
57270 - return audio_ioctl(dev, file, cmd, p);
57271 + ret = audio_ioctl(dev, file, cmd, p);
57274 case SND_DEV_MIDIN:
57275 - return MIDIbuf_ioctl(dev, file, cmd, p);
57276 + ret = MIDIbuf_ioctl(dev, file, cmd, p);
57280 diff -urNp linux-2.6.35.7/sound/pci/ac97/ac97_codec.c linux-2.6.35.7/sound/pci/ac97/ac97_codec.c
57281 --- linux-2.6.35.7/sound/pci/ac97/ac97_codec.c 2010-08-26 19:47:12.000000000 -0400
57282 +++ linux-2.6.35.7/sound/pci/ac97/ac97_codec.c 2010-09-17 20:12:09.000000000 -0400
57283 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
57286 /* build_ops to do nothing */
57287 -static struct snd_ac97_build_ops null_build_ops;
57288 +static const struct snd_ac97_build_ops null_build_ops;
57290 #ifdef CONFIG_SND_AC97_POWER_SAVE
57291 static void do_update_power(struct work_struct *work)
57292 diff -urNp linux-2.6.35.7/sound/pci/ac97/ac97_patch.c linux-2.6.35.7/sound/pci/ac97/ac97_patch.c
57293 --- linux-2.6.35.7/sound/pci/ac97/ac97_patch.c 2010-08-26 19:47:12.000000000 -0400
57294 +++ linux-2.6.35.7/sound/pci/ac97/ac97_patch.c 2010-09-17 20:12:09.000000000 -0400
57295 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
57299 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
57300 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
57301 .build_spdif = patch_yamaha_ymf743_build_spdif,
57302 .build_3d = patch_yamaha_ymf7x3_3d,
57304 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
57308 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
57309 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
57310 .build_3d = patch_yamaha_ymf7x3_3d,
57311 .build_post_spdif = patch_yamaha_ymf753_post_spdif
57313 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
57317 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
57318 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
57319 .build_specific = patch_wolfson_wm9703_specific,
57322 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
57326 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
57327 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
57328 .build_specific = patch_wolfson_wm9704_specific,
57331 @@ -677,7 +677,7 @@ static int patch_wolfson_wm9711_specific
57335 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
57336 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
57337 .build_specific = patch_wolfson_wm9711_specific,
57340 @@ -871,7 +871,7 @@ static void patch_wolfson_wm9713_resume
57344 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
57345 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
57346 .build_specific = patch_wolfson_wm9713_specific,
57347 .build_3d = patch_wolfson_wm9713_3d,
57349 @@ -976,7 +976,7 @@ static int patch_sigmatel_stac97xx_speci
57353 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
57354 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
57355 .build_3d = patch_sigmatel_stac9700_3d,
57356 .build_specific = patch_sigmatel_stac97xx_specific
57358 @@ -1023,7 +1023,7 @@ static int patch_sigmatel_stac9708_speci
57359 return patch_sigmatel_stac97xx_specific(ac97);
57362 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
57363 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
57364 .build_3d = patch_sigmatel_stac9708_3d,
57365 .build_specific = patch_sigmatel_stac9708_specific
57367 @@ -1252,7 +1252,7 @@ static int patch_sigmatel_stac9758_speci
57371 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
57372 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
57373 .build_3d = patch_sigmatel_stac9700_3d,
57374 .build_specific = patch_sigmatel_stac9758_specific
57376 @@ -1327,7 +1327,7 @@ static int patch_cirrus_build_spdif(stru
57380 -static struct snd_ac97_build_ops patch_cirrus_ops = {
57381 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
57382 .build_spdif = patch_cirrus_build_spdif
57385 @@ -1384,7 +1384,7 @@ static int patch_conexant_build_spdif(st
57389 -static struct snd_ac97_build_ops patch_conexant_ops = {
57390 +static const struct snd_ac97_build_ops patch_conexant_ops = {
57391 .build_spdif = patch_conexant_build_spdif
57394 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
57395 { AC97_VIDEO, 0x9f1f },
57396 { AC97_AUX, 0x9f1f },
57397 { AC97_PCM, 0x9f1f },
57398 - { } /* terminator */
57399 + { 0, 0 } /* terminator */
57402 static int patch_ad1819(struct snd_ac97 * ac97)
57403 @@ -1560,7 +1560,7 @@ static void patch_ad1881_chained(struct
57407 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
57408 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
57410 .resume = ad18xx_resume
57412 @@ -1647,7 +1647,7 @@ static int patch_ad1885_specific(struct
57416 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
57417 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
57418 .build_specific = &patch_ad1885_specific,
57420 .resume = ad18xx_resume
57421 @@ -1674,7 +1674,7 @@ static int patch_ad1886_specific(struct
57425 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
57426 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
57427 .build_specific = &patch_ad1886_specific,
57429 .resume = ad18xx_resume
57430 @@ -1881,7 +1881,7 @@ static int patch_ad1981a_specific(struct
57431 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
57434 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
57435 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
57436 .build_post_spdif = patch_ad198x_post_spdif,
57437 .build_specific = patch_ad1981a_specific,
57439 @@ -1936,7 +1936,7 @@ static int patch_ad1981b_specific(struct
57440 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
57443 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
57444 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
57445 .build_post_spdif = patch_ad198x_post_spdif,
57446 .build_specific = patch_ad1981b_specific,
57448 @@ -2075,7 +2075,7 @@ static int patch_ad1888_specific(struct
57449 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
57452 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
57453 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
57454 .build_post_spdif = patch_ad198x_post_spdif,
57455 .build_specific = patch_ad1888_specific,
57457 @@ -2124,7 +2124,7 @@ static int patch_ad1980_specific(struct
57458 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
57461 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
57462 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
57463 .build_post_spdif = patch_ad198x_post_spdif,
57464 .build_specific = patch_ad1980_specific,
57466 @@ -2239,7 +2239,7 @@ static int patch_ad1985_specific(struct
57467 ARRAY_SIZE(snd_ac97_ad1985_controls));
57470 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
57471 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
57472 .build_post_spdif = patch_ad198x_post_spdif,
57473 .build_specific = patch_ad1985_specific,
57475 @@ -2531,7 +2531,7 @@ static int patch_ad1986_specific(struct
57476 ARRAY_SIZE(snd_ac97_ad1985_controls));
57479 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
57480 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
57481 .build_post_spdif = patch_ad198x_post_spdif,
57482 .build_specific = patch_ad1986_specific,
57484 @@ -2636,7 +2636,7 @@ static int patch_alc650_specific(struct
57488 -static struct snd_ac97_build_ops patch_alc650_ops = {
57489 +static const struct snd_ac97_build_ops patch_alc650_ops = {
57490 .build_specific = patch_alc650_specific,
57491 .update_jacks = alc650_update_jacks
57493 @@ -2788,7 +2788,7 @@ static int patch_alc655_specific(struct
57497 -static struct snd_ac97_build_ops patch_alc655_ops = {
57498 +static const struct snd_ac97_build_ops patch_alc655_ops = {
57499 .build_specific = patch_alc655_specific,
57500 .update_jacks = alc655_update_jacks
57502 @@ -2900,7 +2900,7 @@ static int patch_alc850_specific(struct
57506 -static struct snd_ac97_build_ops patch_alc850_ops = {
57507 +static const struct snd_ac97_build_ops patch_alc850_ops = {
57508 .build_specific = patch_alc850_specific,
57509 .update_jacks = alc850_update_jacks
57511 @@ -2962,7 +2962,7 @@ static int patch_cm9738_specific(struct
57512 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
57515 -static struct snd_ac97_build_ops patch_cm9738_ops = {
57516 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
57517 .build_specific = patch_cm9738_specific,
57518 .update_jacks = cm9738_update_jacks
57520 @@ -3053,7 +3053,7 @@ static int patch_cm9739_post_spdif(struc
57521 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
57524 -static struct snd_ac97_build_ops patch_cm9739_ops = {
57525 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
57526 .build_specific = patch_cm9739_specific,
57527 .build_post_spdif = patch_cm9739_post_spdif,
57528 .update_jacks = cm9739_update_jacks
57529 @@ -3227,7 +3227,7 @@ static int patch_cm9761_specific(struct
57530 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
57533 -static struct snd_ac97_build_ops patch_cm9761_ops = {
57534 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
57535 .build_specific = patch_cm9761_specific,
57536 .build_post_spdif = patch_cm9761_post_spdif,
57537 .update_jacks = cm9761_update_jacks
57538 @@ -3323,7 +3323,7 @@ static int patch_cm9780_specific(struct
57539 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
57542 -static struct snd_ac97_build_ops patch_cm9780_ops = {
57543 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
57544 .build_specific = patch_cm9780_specific,
57545 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
57547 @@ -3443,7 +3443,7 @@ static int patch_vt1616_specific(struct
57551 -static struct snd_ac97_build_ops patch_vt1616_ops = {
57552 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
57553 .build_specific = patch_vt1616_specific
57556 @@ -3797,7 +3797,7 @@ static int patch_it2646_specific(struct
57560 -static struct snd_ac97_build_ops patch_it2646_ops = {
57561 +static const struct snd_ac97_build_ops patch_it2646_ops = {
57562 .build_specific = patch_it2646_specific,
57563 .update_jacks = it2646_update_jacks
57565 @@ -3831,7 +3831,7 @@ static int patch_si3036_specific(struct
57569 -static struct snd_ac97_build_ops patch_si3036_ops = {
57570 +static const struct snd_ac97_build_ops patch_si3036_ops = {
57571 .build_specific = patch_si3036_specific,
57574 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
57575 { AC97_AUX, 0x1f1f },
57576 { AC97_PCM, 0x1f1f },
57577 { AC97_REC_GAIN, 0x0f0f },
57578 - { } /* terminator */
57579 + { 0, 0 } /* terminator */
57582 static int patch_lm4550(struct snd_ac97 *ac97)
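Review bot: The new terminator `{ 0, 0 } /* terminator */` in the lm4550 table spells out one zero per field, presumably to silence a missing-field-initializer warning, which ties the line to the current field count of the struct. A designated form such as `{ .reg = 0 } /* terminator */` zero-fills the remaining members and does not need touching again if the struct grows. The same applies to the `{ 0, 0, 0, 0, 0, 0, 0 }` PCI table terminators added in ens1370.c, intel8x0.c and intel8x0m.c, and to `{ 0, 0, 0, 0, NULL, 0 }` in ac97_quirks[]. The struct definitions are outside these hunks, so the field names should be confirmed there.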
57583 @@ -3898,7 +3898,7 @@ static int patch_ucb1400_specific(struct
57587 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
57588 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
57589 .build_specific = patch_ucb1400_specific,
57592 diff -urNp linux-2.6.35.7/sound/pci/ens1370.c linux-2.6.35.7/sound/pci/ens1370.c
57593 --- linux-2.6.35.7/sound/pci/ens1370.c 2010-08-26 19:47:12.000000000 -0400
57594 +++ linux-2.6.35.7/sound/pci/ens1370.c 2010-09-17 20:12:09.000000000 -0400
57595 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
57596 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
57597 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
57600 + { 0, 0, 0, 0, 0, 0, 0 }
57603 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
57604 diff -urNp linux-2.6.35.7/sound/pci/hda/patch_hdmi.c linux-2.6.35.7/sound/pci/hda/patch_hdmi.c
57605 --- linux-2.6.35.7/sound/pci/hda/patch_hdmi.c 2010-08-26 19:47:12.000000000 -0400
57606 +++ linux-2.6.35.7/sound/pci/hda/patch_hdmi.c 2010-09-17 20:12:09.000000000 -0400
57607 @@ -670,10 +670,10 @@ static void hdmi_non_intrinsic_event(str
57622 diff -urNp linux-2.6.35.7/sound/pci/intel8x0.c linux-2.6.35.7/sound/pci/intel8x0.c
57623 --- linux-2.6.35.7/sound/pci/intel8x0.c 2010-08-26 19:47:12.000000000 -0400
57624 +++ linux-2.6.35.7/sound/pci/intel8x0.c 2010-09-17 20:12:09.000000000 -0400
57625 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
57626 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
57627 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
57628 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
57630 + { 0, 0, 0, 0, 0, 0, 0 }
57633 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
57634 @@ -2135,7 +2135,7 @@ static struct ac97_quirk ac97_quirks[] _
57635 .type = AC97_TUNE_HP_ONLY
57638 - { } /* terminator */
57639 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
57642 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
57643 diff -urNp linux-2.6.35.7/sound/pci/intel8x0m.c linux-2.6.35.7/sound/pci/intel8x0m.c
57644 --- linux-2.6.35.7/sound/pci/intel8x0m.c 2010-08-26 19:47:12.000000000 -0400
57645 +++ linux-2.6.35.7/sound/pci/intel8x0m.c 2010-09-17 20:12:09.000000000 -0400
57646 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
57647 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
57648 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
57651 + { 0, 0, 0, 0, 0, 0, 0 }
57654 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
57655 @@ -1264,7 +1264,7 @@ static struct shortname_table {
57656 { 0x5455, "ALi M5455" },
57657 { 0x746d, "AMD AMD8111" },
57663 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
57664 diff -urNp linux-2.6.35.7/usr/gen_init_cpio.c linux-2.6.35.7/usr/gen_init_cpio.c
57665 --- linux-2.6.35.7/usr/gen_init_cpio.c 2010-08-26 19:47:12.000000000 -0400
57666 +++ linux-2.6.35.7/usr/gen_init_cpio.c 2010-09-17 20:12:09.000000000 -0400
57667 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
57676 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
57677 *env_var = *expanded = '\0';
57678 strncat(env_var, start + 2, end - start - 2);
57679 strncat(expanded, new_location, start - new_location);
57680 - strncat(expanded, getenv(env_var), PATH_MAX);
57681 - strncat(expanded, end + 1, PATH_MAX);
57682 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
57683 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
57684 strncpy(new_location, expanded, PATH_MAX);
57685 + new_location[PATH_MAX] = 0;
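Review bot: The result of `getenv(env_var)` still goes straight into `strncat` on the new line, so a variable that is unset in the build environment passes NULL to `strncat`, which is undefined behaviour; the hunk tightens the length bound but not that. Fetch the value first and substitute an empty string, e.g. `const char *val = getenv(env_var);` followed by `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));`. The first `strncat(env_var, start + 2, end - start - 2)` is likewise bounded by the source span rather than by the size of `env_var`, and the added `new_location[PATH_MAX] = 0;` is only in bounds if the caller's buffer holds at least PATH_MAX + 1 bytes. The declarations and the start of cpio_replace_env are outside this hunk, so both sizes should be checked there.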
57689 diff -urNp linux-2.6.35.7/virt/kvm/kvm_main.c linux-2.6.35.7/virt/kvm/kvm_main.c
57690 --- linux-2.6.35.7/virt/kvm/kvm_main.c 2010-09-26 17:32:11.000000000 -0400
57691 +++ linux-2.6.35.7/virt/kvm/kvm_main.c 2010-09-26 22:02:10.000000000 -0400
57692 @@ -1285,6 +1285,7 @@ static int kvm_vcpu_release(struct inode
57696 +/* cannot be const */
57697 static struct file_operations kvm_vcpu_fops = {
57698 .release = kvm_vcpu_release,
57699 .unlocked_ioctl = kvm_vcpu_ioctl,
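Review bot: The added comment `/* cannot be const */` above kvm_vcpu_fops gives no reason, so a later constification pass cannot tell whether the restriction still holds. If the reason is that a member such as `.owner` is assigned at run time during initialisation (not visible in this hunk), the comment should say so, for example `/* cannot be const: .owner is assigned in kvm_init() */`. The same applies to the identical comments added above kvm_vm_fops and kvm_chardev_ops in the next two hunks. All three initializers continue past the end of their hunks.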
57700 @@ -1739,6 +1740,7 @@ static int kvm_vm_mmap(struct file *file
57704 +/* cannot be const */
57705 static struct file_operations kvm_vm_fops = {
57706 .release = kvm_vm_release,
57707 .unlocked_ioctl = kvm_vm_ioctl,
57708 @@ -1836,6 +1838,7 @@ out:
57712 +/* cannot be const */
57713 static struct file_operations kvm_chardev_ops = {
57714 .unlocked_ioctl = kvm_dev_ioctl,
57715 .compat_ioctl = kvm_dev_ioctl,
57716 @@ -1845,6 +1848,9 @@ static struct miscdevice kvm_dev = {
57725 static void hardware_enable(void *junk)
57726 @@ -1945,7 +1951,7 @@ asmlinkage void kvm_handle_fault_on_rebo
57728 /* spin while reset goes on */
57732 /* Fault while not rebooting. We want the trace. */
57735 @@ -2179,7 +2185,7 @@ static void kvm_sched_out(struct preempt
57736 kvm_arch_vcpu_put(vcpu);
57739 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
57740 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
57741 struct module *module)